marcio.fernandes/nextcloud
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: marcio.fernandes:663049fb890a355fe282de90d3d7eb6687ac2033
Branches Tags
marcio.fernandes:main
..
compare: marcio.fernandes:main
Branches Tags
marcio.fernandes:main

8 Commits
663049fb89 ... main

Author SHA1 Message Date
Márcio Fernandes
ad7c6807f7 modified: README.md
Some checks failed
/ continuous-deploy (push) Failing after 21s
Details
2026-04-26 20:50:49 +00:00
Márcio Fernandes
816e21af68 modified: .gitea/workflows/app-continuous-deploy.yaml
Some checks failed
/ continuous-deploy (push) Failing after 24s
Details
2026-04-18 21:04:15 +00:00
Márcio Fernandes
a2e8b42539 anges to be committed:
Some checks failed
/ continuous-deploy (push) Failing after 15m38s
Details 
modified:   .gitea/workflows/app-continuous-deploy.yaml
modified:   ops-scripts/apply-app.sh
 2026-04-18 20:36:54 +00:00
Márcio Fernandes
6b89f0f2b3 modified: ops-scripts/apply-app.sh
Some checks failed
/ continuous-deploy (push) Failing after 15m20s
Details
2026-04-18 19:25:30 +00:00
Márcio Fernandes
a3b1c230c6 add dashboard and redis
Some checks failed
/ continuous-deploy (push) Failing after 20s
Details
2026-04-18 19:22:54 +00:00
Márcio Fernandes
405763f158 add network-policies
All checks were successful
/ continuous-deploy (push) Successful in 23s
Details
2026-04-18 15:11:24 +00:00
Márcio Fernandes
75aede94ac add middlewares (source nginx template on source helm values), and default_phone_region
All checks were successful
/ continuous-deploy (push) Successful in 24s
Details
2026-04-16 22:58:37 +00:00
Márcio Fernandes
5acca5d4c7 ingress/internal: relax security
All checks were successful
/ continuous-deploy (push) Successful in 23s
Details 
ingress/public: disabled authentik-forward-auth (problems with phone clients)
middlewares/rate-limit: increase values
middlewares/security-headers:- added sts -  fix nextcloud warning Some headers are not set correctly on your instance - The Strict-Transport-Security HTTP header is not set (should be at least 15552000 seconds). For enhanced security, it is recommended to enable HSTS
 2026-04-16 19:47:11 +00:00
21 changed files with 391 additions and 91 deletions
Expand all files Collapse all files

6
.gitea/workflows/app-continuous-deploy.yaml
View File

@@ -44,11 +44,13 @@ jobs:
PBS_PASSWORD: ${{ secrets.PBS_PASSWORD }}
PBS_FINGERPRINT: ${{ secrets.PBS_FINGERPRINT }}
ONLYOFFICE_SECRET: ${{ secrets.ONLYOFFICE_SECRET }}
WHITEBOARD_JWT_SECRET_KEY: ${{ secrets.WHITEBOARD_JWT_SECRET_KEY }}
# used only on helm set values - only required as environment variables
NEXTCLOUD_HOST: ${{ secrets.NEXTCLOUD_HOST }}
NEXTCLOUD_USERNAME: ${{ secrets.NEXTCLOUD_USERNAME }}
NEXTCLOUD_PASSWORD: ${{ secrets.NEXTCLOUD_PASSWORD }}
REDIS_PASSWORD: ${{ secrets.REDIS_PASSWORD }}
run: |
set -euo pipefail
@@ -57,6 +59,7 @@ jobs:
trap '
[ -d deploy/app/.env.d ] && rm -rf deploy/app/.env.d/*;
[ -d deploy/app/onlyoffice/.env.d ] && rm -rf deploy/app/onlyoffice/.env.d/*;
[ -d deploy/app/whiteboard/.env.d ] && rm -rf deploy/app/whiteboard/.env.d/*;
' EXIT
# setup secrets files
@@ -72,9 +75,12 @@ jobs:
echo "secret=${ONLYOFFICE_SECRET:?Missing ONLYOFFICE_SECRET}" >> deploy/app/onlyoffice/.env.d/onlyoffice.env
echo "JWT_SECRET_KEY=${WHITEBOARD_JWT_SECRET_KEY:?Missing WHITEBOARD_JWT_SECRET_KEY}" >> deploy/app/whiteboard/.env.d/whiteboard.env
# enforce secrets files security
chmod 600 deploy/app/.env.d/*
chmod 600 deploy/app/onlyoffice/.env.d/*
chmod 600 deploy/app/whiteboard/.env.d/*
# invoke deploy script
ops-scripts/apply-app.sh

6
.vscode/settings.json vendored
View File

@@ -1,7 +1,11 @@
{
"cSpell.words": [
"authentik",
"COLLAB",
"dbindex",
"documentserver",
"onlyoffice"
"onlyoffice",
"overwritehost",
"overwriteprotocol"
]
}

26
README.md
View File

@@ -6,6 +6,7 @@ Using [NextCloud](https://nextcloud.com/)
- [Integrations](#integrations)
- [OAuth2/OpenID Provider](#oauth2openid-provider)
- [whiteboard](#whiteboard)
- [cli](#cli)
- [maintenance mode](#maintenance-mode)
- [scan files](#scan-files)
@@ -20,6 +21,7 @@ Using [NextCloud](https://nextcloud.com/)
- [Setup and Deploy](#setup-and-deploy)
- [App](#app)
- [Infra](#infra)
- [internal logs](#internal-logs)
- [Database](#database)
## Integrations
@@ -30,10 +32,23 @@ Using [NextCloud](https://nextcloud.com/)
- <https://github.com/nextcloud/user_oidc>
- <https://apps.nextcloud.com/apps/user_oidc>
## cli
### whiteboard
``` bash
su -s /bin/bash www-data -c "php occ upgrade;"
php occ config:app:set whiteboard collabBackendUrl --value="https://cloud.limbosolutions.com/whiteboard"
php occ config:app:set whiteboard jwt_secret_key --value="?????"
```
## cli
When on browser error:
Please use the command line updater because updating via browser is disabled in your config.php.
Execute:
``` bash
php occ upgrade;
```
### maintenance mode
@@ -174,6 +189,13 @@ Can be executed in VS Code using the “Apply Infra” task.
- services accounts:
- Continuous deploy - Deployment RBAC (ServiceAccount + Role + RoleBinding)
## internal logs
``` bash
POD_NAME=$(kubectl get pod -l 'app.kubernetes.io/name'=nextcloud -n cloud-limbosolutions-com -o jsonpath='{.items[0].metadata.name}')
kubectl exec -it ${POD_NAME} -- cat /var/www/html/data/nextcloud.log
```
## Database
**Connect to db:**

1
deploy/app/kustomization.yaml
View File

@@ -15,6 +15,7 @@ resources:
- ./mariadb-deploy.yaml
- ./backups/backup-pbs-cronjob.yaml
- ./onlyoffice
- ./whiteboard
generatorOptions:
disableNameSuffixHash: true

53
deploy/app/helm-values.yaml → deploy/app/nextcloud-helm-values.yaml
View File

@@ -6,6 +6,9 @@ image:
replicaCount: 1
livenessProbe:
initialDelaySeconds: 60
periodSeconds: 60
@@ -77,6 +80,8 @@ resources:
cpu: "0.5"
memory: 512Mi
redis:
enabled: false
## Cronjob to execute Nextcloud background tasks
## ref: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/background_jobs_configuration.html#cron
@@ -84,11 +89,16 @@ resources:
cronjob:
enabled: true
# openssl.cafile = /etc/ssl/certs/ca-certificates.crt
#openssl.capath = /etc/ssl/certs
nextcloud:
extraEnv:
- name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: nextcloud-redis
key: redis-password
defaultConfigs:
redis.config.php: false
extraInitContainers:
- name: data-folder-structure-fix
@@ -137,9 +147,8 @@ nextcloud:
phpConfigs:
php.ini: |-
memory_limit = 512M
memory_limit = 1024M
extraVolumes:
- name: mf-documents
persistentVolumeClaim:
claimName: mf-documents-limbosolutions-com
@@ -191,17 +200,17 @@ nextcloud:
mountPath: /mnt/shared/NerdStuff
configs:
# appstore.override.config.php: |-
# <?php
# $CONFIG = array (
# 'appstoreenabled' => true,
# 'appstoreurl' => 'https://apps.nextcloud.com/api/v1',
# );
global.config.php: |-
<?php
$CONFIG = array (
'allow_local_remote_servers' => true
'allow_local_remote_servers' => true,
'loglevel' => 1
);
phone.config.php: |-
<?php
$CONFIG = array (
'default_phone_region' => 'PT',
);
https.config.php: |-
<?php
@@ -225,10 +234,26 @@ nextcloud:
'maintenance_window_start' => 1,
);
redis.config.php: |-
<?php
$CONFIG = array (
'memcache.local' => '\OC\Memcache\APCu',
'memcache.distributed' => '\OC\Memcache\Redis',
'memcache.locking' => '\OC\Memcache\Redis',
'redis' => array(
'host' => 'nextcloud-redis-master',
'port' => 6379,
'timeout' => 1.5,
'password' => getenv('REDIS_PASSWORD'),
'dbindex' => 0,
),
);
onlyoffice.config.php: |-
<?php
$CONFIG = array (
'onlyoffice' =>
'onlyoffice' =>
array (
'verify_peer_off' => true,
'allow_local_remote_servers' => true,

12
deploy/app/redis-helm-values.yaml Normal file
View File

@@ -0,0 +1,12 @@
architecture: standalone
auth:
enabled: true
master:
persistence:
enabled: false
replica:
replicaCount: 0

3
deploy/app/whiteboard/.env.d/.gitignore vendored Normal file
View File

@@ -0,0 +1,3 @@
**
!*.example
!.gitignore

1
deploy/app/whiteboard/.env.d/whiteboard.env.example Normal file
View File

@@ -0,0 +1 @@
JWT_SECRET_KEY= ????

37
deploy/app/whiteboard/deployment.yaml Normal file
View File

@@ -0,0 +1,37 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: nextcloud-whiteboard
labels:
app: nextcloud-whiteboard
spec:
replicas: 1
selector:
matchLabels:
app: nextcloud-whiteboard
template:
metadata:
labels:
app: nextcloud-whiteboard
spec:
containers:
- name: whiteboard-ws
image: ghcr.io/nextcloud-releases/whiteboard:stable
ports:
- containerPort: 3002
env:
- name: NEXTCLOUD_URL
value: https://cloud.limbosolutions.com
- name: JWT_SECRET_KEY
valueFrom:
secretKeyRef:
name: nextcloud-whiteboard
key: JWT_SECRET_KEY
resources:
limits:
memory: "256Mi"
cpu: "200m"
requests:
memory: "64Mi"
cpu: "50m"

14
deploy/app/whiteboard/kustomization.yaml Normal file
View File

@@ -0,0 +1,14 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
secretGenerator:
- name: nextcloud-whiteboard
envs:
- ./.env.d/whiteboard.env
generatorOptions:
disableNameSuffixHash: true
resources:
- ./deployment.yaml
- ./service.yaml

12
deploy/app/whiteboard/service.yaml Normal file
View File

@@ -0,0 +1,12 @@
apiVersion: v1
kind: Service
metadata:
name: nextcloud-whiteboard
spec:
selector:
app: nextcloud-whiteboard
ports:
- name: ws
port: 3002
targetPort: 3002
type: ClusterIP

28
deploy/infra/ingress-web-public.yaml
View File

@@ -21,7 +21,9 @@ spec:
- name: ak-outpost-authentik-embedded-outpost
namespace: id-limbosolutions-com
port: 9000
middlewares:
- name: nextcloud-security-headers
- name: rate-limit
# PUBLIC SHARES (NO SSO)
- match: Host(`cloud.limbosolutions.com`) &&
@@ -36,6 +38,7 @@ spec:
middlewares:
- name: rate-limit
- name: nextcloud-security-headers
- name: nextcloud-deny-paths
# Sync clients + mobile app (no SSO)
- match: Host(`cloud.limbosolutions.com`) &&
@@ -55,7 +58,24 @@ spec:
middlewares:
- name: webdav-strip-auth
- name: rate-limit
- name: nextcloud-deny-paths
- name: nextcloud-dav
- match: Host(`cloud.limbosolutions.com`) && PathPrefix(`/whiteboard`)
kind: Rule
services:
- name: nextcloud-whiteboard
port: 3002
middlewares:
- name: nextcloud-security-headers
- name: rate-limit
- name: nextcloud-deny-paths
- name: nextcloud-wellknown
- name: nextcloud-hostmeta
- name: nextcloud-dav
- name: strip-whiteboard
# 3) EVERYTHING ELSE (SSO REQUIRED)
- match: Host(`cloud.limbosolutions.com`)
kind: Rule
@@ -63,10 +83,12 @@ spec:
- name: nextcloud
port: 8080
middlewares:
- name: authentik-forward-auth
# - name: authentik-forward-auth
- name: nextcloud-security-headers
- name: rate-limit
- name: nextcloud-deny-paths
- name: nextcloud-wellknown
- name: nextcloud-hostmeta

70
deploy/infra/ingress-web.yaml
View File

@@ -14,59 +14,29 @@ spec:
- main: cloud.limbosolutions.com
routes:
# # AUTHENTIK OUTPOST
# - match: Host(`cloud.limbosolutions.com`) && PathPrefix(`/outpost.goauthentik.io`)
# kind: Rule
# services:
# - name: ak-outpost-authentik-embedded-outpost
# namespace: id-limbosolutions-com
# port: 9000
# # PUBLIC SHARES (NO SSO)
# - match: Host(`cloud.limbosolutions.com`) &&
# (PathPrefix(`/s/`) ||
# PathPrefix(`/index.php/s/`) ||
# PathPrefix(`/public.php/`) ||
# PathPrefix(`/remote.php/dav/public-files/`))
# kind: Rule
# services:
# - name: nextcloud
# port: 8080
# middlewares:
# - name: rate-limit
# - name: nextcloud-security-headers
# # Sync clients + mobile app (no SSO)
# - match: Host(`cloud.limbosolutions.com`) &&
# (PathPrefix(`/remote.php/dav`) ||
# PathPrefix(`/remote.php/webdav`) ||
# PathPrefix(`/remote.php/caldav`) ||
# PathPrefix(`/remote.php/carddav`) ||
# PathPrefix(`/ocs/v1.php`) ||
# PathPrefix(`/ocs/v2.php`) ||
# PathPrefix(`/status.php`) ||
# PathPrefix(`/index.php/login/v2`) ||
# PathPrefix(`/index.php/login/v2/poll`))
# kind: Rule
# services:
# - name: nextcloud
# port: 8080
# middlewares:
# #- name: webdav-strip-auth
# #- name: rate-limit
# 3) EVERYTHING ELSE (SSO REQUIRED)
- match: Host(`cloud.limbosolutions.com`)
kind: Rule
services:
- name: nextcloud
port: 8080
middlewares: []
#- name: authentik-forward-auth
#- name: nextcloud-security-headers
#- name: rate-limit
middlewares:
- name: nextcloud-security-headers
- name: rate-limit
- name: nextcloud-deny-paths
- name: nextcloud-wellknown
- name: nextcloud-hostmeta
- name: nextcloud-dav
- match: Host(`cloud.limbosolutions.com`) && PathPrefix(`/whiteboard`)
kind: Rule
services:
- name: nextcloud-whiteboard
port: 3002
middlewares:
- name: nextcloud-security-headers
- name: rate-limit
- name: nextcloud-deny-paths
- name: nextcloud-wellknown
- name: nextcloud-hostmeta
- name: nextcloud-dav
- name: strip-whiteboard

3
deploy/infra/kustomization.yaml
View File

@@ -1,13 +1,14 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- cd-serviceaccount.yaml
- network-policies.yaml
- middlewares.yaml
- ingress-web.yaml
- ingress-web-public.yaml
- storage-limbosolutions-com/pv.yaml
- ./onlyoffice/ingress.yaml
- ./onlyoffice/middlewares.yaml
- ./whiteboard/middlewares.yaml
generatorOptions:
disableNameSuffixHash: true

74
deploy/infra/middlewares.yaml
View File

@@ -17,8 +17,8 @@ metadata:
name: rate-limit
spec:
rateLimit:
average: 50
burst: 100
average: 100
burst: 500
---
# Optional: security headers for UI
@@ -28,19 +28,20 @@ metadata:
name: nextcloud-security-headers
spec:
headers:
stsSeconds: 31536000
stsIncludeSubdomains: true
stsPreload: true
browserXssFilter: true
contentTypeNosniff: true
frameDeny: true
frameDeny: false
referrerPolicy: "no-referrer"
stsSeconds: 15552000
stsIncludeSubdomains: true
stsPreload: true
customResponseHeaders:
X-Powered-By: ""
X-Content-Type-Options: "nosniff"
X-Frame-Options: "DENY"
X-Frame-Options: "SAMEORIGIN"
X-XSS-Protection: "1; mode=block"
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
@@ -63,4 +64,59 @@ spec:
- X-authentik-meta-provider
- X-authentik-meta-app
- X-authentik-meta-version
---
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: nextcloud-deny-paths
spec:
redirectRegex:
regex: "^/(build|tests|config|lib|3rdparty|templates|data|autotest|occ|issue|indie|db_|console)"
replacement: "/"
permanent: false
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: nextcloud-dav
spec:
redirectRegex:
regex: "^/.well-known/(carddav|caldav)$"
replacement: "/remote.php/dav"
permanent: true
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: nextcloud-wellknown
spec:
redirectRegex:
regex: "^/.well-known/(webfinger|nodeinfo)$"
replacement: "/index.php/.well-known/${1}"
permanent: true
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: nextcloud-hostmeta
spec:
redirectRegex:
regex: "^/.well-known/host-meta$"
replacement: "/public.php?service=host-meta"
permanent: true
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: nextcloud-hostmeta-json
spec:
redirectRegex:
regex: "^/.well-known/host-meta.json$"
replacement: "/public.php?service=host-meta-json"
permanent: true

6
deploy/infra/namespace.yaml
View File

@@ -1,6 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: cloud-limbosolutions-com
labels:
name: cloud-limbosolutions-com

102
deploy/infra/network-policies.yaml Normal file
View File

@@ -0,0 +1,102 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-same-namespace-ingress
spec:
endpointSelector: {} # All pods in this namespace
ingress:
- fromEndpoints:
- matchExpressions:
- key: k8s:io.kubernetes.pod.namespace
operator: In
values:
- cloud-limbosolutions-com
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-traefik-to-nextcloud-ingress
spec:
endpointSelector:
matchLabels:
app.kubernetes.io/name: nextcloud
ingress:
# -------------------------------------------------------------
# Allow Traefik (internal and public) to reach nextcloud web port
# -------------------------------------------------------------
- fromEndpoints:
- matchLabels:
app.kubernetes.io/name: traefik
matchExpressions:
- key: k8s:io.kubernetes.pod.namespace
operator: In
values:
- traefik
- traefik-public
toPorts:
- ports:
- port: "80"
protocol: TCP
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-traefik-to-onlyoffice-ingress
spec:
endpointSelector:
matchLabels:
app: onlyoffice
ingress:
# -------------------------------------------------------------
# Allow Traefik (internal and public) to reach onlyoffice web port
# -------------------------------------------------------------
- fromEndpoints:
- matchLabels:
app.kubernetes.io/name: traefik
matchExpressions:
- key: k8s:io.kubernetes.pod.namespace
operator: In
values:
- traefik
- traefik-public
toPorts:
- ports:
- port: "80"
protocol: TCP
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: allow-traefik-to-whiteboard-ingress
spec:
endpointSelector:
matchLabels:
app: nextcloud-whiteboard
ingress:
# -------------------------------------------------------------
# Allow Traefik (internal and public) to reach whiteboard ws
# -------------------------------------------------------------
- fromEndpoints:
- matchLabels:
app.kubernetes.io/name: traefik
matchExpressions:
- key: k8s:io.kubernetes.pod.namespace
operator: In
values:
- traefik
- traefik-public
toPorts:
- ports:
- port: "3002"
protocol: TCP

3
deploy/infra/onlyoffice/middlewares.yaml
View File

@@ -28,4 +28,5 @@ spec:
customRequestHeaders:
X-Forwarded-Proto: "https"
X-Forwarded-Ssl: "on"
X-Forwarded-Port: "443"
X-Forwarded-Port: "443"

8
deploy/infra/whiteboard/middlewares.yaml Normal file
View File

@@ -0,0 +1,8 @@
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: strip-whiteboard
spec:
stripPrefix:
prefixes:
- "/whiteboard"

15
ops-scripts/apply-app.sh
View File

@@ -1,7 +1,6 @@
#!/bin/bash
set -e
echo "Executing nextcloud app deploy."
kubectl kustomize deploy/app | kubectl apply -f -
load_env_file() {
@@ -21,9 +20,10 @@ helm repo add nextcloud https://nextcloud.github.io/helm/ --force-update
load_env_file "deploy/app/.env.d/nextcloud-mariadb.env"
load_env_file "deploy/app/.env.d/nextcloud-secrets.env"
load_env_file "deploy/app/.env.d/redis.env"
helm upgrade --install nextcloud nextcloud/nextcloud \
--values ./deploy/app/helm-values.yaml \
helm upgrade --install nextcloud nextcloud/nextcloud --version "9.0" \
--values ./deploy/app/nextcloud-helm-values.yaml \
--set externalDatabase.user=${MARIADB_USER:?Missing MARIADB_USER} \
--set externalDatabase.password=${MARIADB_PASSWORD:?Missing MARIADB_PASSWORD} \
--set externalDatabase.database=${MARIADB_DATABASE:?Missing MARIADB_DATABASE} \
@@ -31,4 +31,13 @@ helm upgrade --install nextcloud nextcloud/nextcloud \
--set nextcloud.username=${NEXTCLOUD_USERNAME:?Missing NEXTCLOUD_USERNAME} \
--set nextcloud.password=${NEXTCLOUD_PASSWORD:?Missing NEXTCLOUD_PASSWORD} \
--namespace cloud-limbosolutions-com
helm repo add bitnami https://charts.bitnami.com/bitnami --force-update
helm upgrade --install nextcloud-redis bitnami/redis --version "25.3" \
--values ./deploy/app/redis-helm-values.yaml \
--set auth.password="${REDIS_PASSWORD:?Missing REDIS_PASSWORD}" \
--namespace cloud-limbosolutions-com

2
ops-scripts/apply-infra.sh
View File

@@ -1,5 +1,5 @@
#!/bin/bash
set -e
echo "Executing infra deploy."
kubectl create namespace cloud-limbosolutions-com || true
kubectl kustomize deploy/infra | kubectl -n cloud-limbosolutions-com apply -f -