modified: README.md

modified: .gitea/workflows/app-continuous-deploy.yaml
anges to be committed:
2026-04-26 20:50:49 +00:00 · 2026-04-18 21:04:15 +00:00 · 2026-04-18 20:36:54 +00:00 · 2026-04-18 19:25:30 +00:00 · 2026-04-18 19:22:54 +00:00 · 2026-04-18 15:11:24 +00:00
21 changed files with 440 additions and 88 deletions
--- a/.gitea/workflows/app-continuous-deploy.yaml
+++ b/.gitea/workflows/app-continuous-deploy.yaml
@@ -44,11 +44,13 @@ jobs:
          PBS_PASSWORD: ${{ secrets.PBS_PASSWORD }}
          PBS_FINGERPRINT: ${{ secrets.PBS_FINGERPRINT }}
          ONLYOFFICE_SECRET:  ${{ secrets.ONLYOFFICE_SECRET }}
          WHITEBOARD_JWT_SECRET_KEY: ${{ secrets.WHITEBOARD_JWT_SECRET_KEY }}
          # used only on helm set values - only required as environment variables
          NEXTCLOUD_HOST: ${{ secrets.NEXTCLOUD_HOST }}
          NEXTCLOUD_USERNAME: ${{ secrets.NEXTCLOUD_USERNAME }}
          NEXTCLOUD_PASSWORD: ${{ secrets.NEXTCLOUD_PASSWORD }}
          REDIS_PASSWORD: ${{ secrets.REDIS_PASSWORD }}
        run: |
          set -euo pipefail
@@ -57,6 +59,7 @@ jobs:
          trap '
          [ -d deploy/app/.env.d ] && rm -rf deploy/app/.env.d/*;
          [ -d deploy/app/onlyoffice/.env.d ] && rm -rf deploy/app/onlyoffice/.env.d/*;
          [ -d deploy/app/whiteboard/.env.d ] && rm -rf deploy/app/whiteboard/.env.d/*;
          ' EXIT
          # setup secrets files
@@ -72,9 +75,12 @@ jobs:
          echo "secret=${ONLYOFFICE_SECRET:?Missing ONLYOFFICE_SECRET}" >> deploy/app/onlyoffice/.env.d/onlyoffice.env
          echo "JWT_SECRET_KEY=${WHITEBOARD_JWT_SECRET_KEY:?Missing WHITEBOARD_JWT_SECRET_KEY}" >> deploy/app/whiteboard/.env.d/whiteboard.env
          # enforce secrets files security
          chmod 600 deploy/app/.env.d/*
          chmod 600 deploy/app/onlyoffice/.env.d/*
          chmod 600 deploy/app/whiteboard/.env.d/*  
          # invoke deploy script
          ops-scripts/apply-app.sh
--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -1,7 +1,11 @@
 {
    "cSpell.words": [
        "authentik",
        "COLLAB",
        "dbindex",
        "documentserver",
-        "onlyoffice"
+        "onlyoffice",
        "overwritehost",
        "overwriteprotocol"
    ]
 }
--- a/README.md
+++ b/README.md
@@ -6,6 +6,7 @@ Using [NextCloud](https://nextcloud.com/)
 - [Integrations](#integrations)
  - [OAuth2/OpenID Provider](#oauth2openid-provider)
  - [whiteboard](#whiteboard)
 - [cli](#cli)
  - [maintenance mode](#maintenance-mode)
  - [scan files](#scan-files)
@@ -20,6 +21,7 @@ Using [NextCloud](https://nextcloud.com/)
 - [Setup and Deploy](#setup-and-deploy)
  - [App](#app)
  - [Infra](#infra)
 - [internal logs](#internal-logs)
 - [Database](#database)
 ## Integrations
@@ -30,10 +32,23 @@ Using [NextCloud](https://nextcloud.com/)
 - <https://github.com/nextcloud/user_oidc>
 - <https://apps.nextcloud.com/apps/user_oidc>
-## cli
+### whiteboard
 ``` bash
-su -s /bin/bash www-data -c "php occ upgrade;"
+php occ config:app:set whiteboard collabBackendUrl --value="https://cloud.limbosolutions.com/whiteboard"
 php occ config:app:set whiteboard jwt_secret_key --value="?????"
 ```
 ## cli
 When on browser error:
 Please use the command line updater because updating via browser is disabled in your config.php.
 Execute:
 ``` bash
 php occ upgrade;
 ```
 ### maintenance mode
@@ -174,6 +189,13 @@ Can be executed in VS Code using the “Apply Infra” task.
 - services accounts:
  - Continuous deploy - Deployment RBAC (ServiceAccount + Role + RoleBinding)
 ## internal logs
 ``` bash
 POD_NAME=$(kubectl get pod -l 'app.kubernetes.io/name'=nextcloud -n cloud-limbosolutions-com -o jsonpath='{.items[0].metadata.name}')
 kubectl exec -it ${POD_NAME} -- cat /var/www/html/data/nextcloud.log
 ```
 ## Database
 **Connect to db:**
--- a/deploy/app/kustomization.yaml
+++ b/deploy/app/kustomization.yaml
@@ -15,6 +15,7 @@ resources:
  - ./mariadb-deploy.yaml
  - ./backups/backup-pbs-cronjob.yaml
  - ./onlyoffice
  - ./whiteboard
 generatorOptions:
  disableNameSuffixHash: true
--- a/deploy/app/nextcloud-helm-values.yaml
+++ b/deploy/app/nextcloud-helm-values.yaml
@@ -6,6 +6,9 @@ image:
 replicaCount: 1
 livenessProbe:
  initialDelaySeconds: 60
  periodSeconds: 60
@@ -77,6 +80,8 @@ resources:
    cpu: "0.5"
    memory: 512Mi
 redis:
  enabled: false
 ## Cronjob to execute Nextcloud background tasks
 ## ref: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/background_jobs_configuration.html#cron
@@ -84,14 +89,65 @@ resources:
 cronjob:
  enabled: true
      # openssl.cafile = /etc/ssl/certs/ca-certificates.crt
      #openssl.capath = /etc/ssl/certs
 nextcloud:
  extraEnv:
    - name: REDIS_PASSWORD
      valueFrom:
        secretKeyRef:
          name: nextcloud-redis
          key: redis-password
  defaultConfigs:
    redis.config.php: false
  extraInitContainers: 
    - name: data-folder-structure-fix
      image: busybox
      command:
        - sh
        - -c
        - |
          # Create only parents
          mkdir -p /mnt/users
          mkdir -p /mnt/shared
          # Fix permissions on parents pvc folder data-folder-structure
          chown 33:33 /mnt/users
          chown 33:33 /mnt/shared
          chown 33:33 /mnt/users/marcio.fernandes
          chown 33:33 /mnt/users/marcio.fernandes/Documents
          chown 33:33 /mnt/users/marcio.fernandes/Photos
          chown 33:33 /mnt/shared/Gaming
          chown 33:33 /mnt/shared/Music
          chown 33:33 /mnt/shared/Videos
          chown 33:33 /mnt/shared/NerdStuff
      volumeMounts:
        - name: data-folder-structure
          mountPath: /mnt
        - name: mf-nextcloud
          mountPath: /mnt/users/marcio.fernandes
        - name: mf-documents
          mountPath: /mnt/users/marcio.fernandes/Documents
        - name: mf-photos
          mountPath: /mnt/users/marcio.fernandes/Photos
        - name: media-gaming
          mountPath: /mnt/shared/Gaming
        - name: media-music
          mountPath: /mnt/shared/Music
        - name: media-videos
          mountPath: /mnt/shared/Videos
        - name: it-storage
          mountPath: /mnt/shared/NerdStuff
  securityContext:
    runAsUser: 33
    runAsGroup: 33
    fsGroup: 33
    fsGroupChangePolicy: "OnRootMismatch"
  phpConfigs:
    php.ini: |-
-      memory_limit = 512M
+      memory_limit = 1024M
  extraVolumes:
    - name: mf-documents
      persistentVolumeClaim:
@@ -114,9 +170,14 @@ nextcloud:
    - name: mf-nextcloud
      persistentVolumeClaim:
        claimName: mf-nextcloud-limbosolutions-com
-
+    - name: data-folder-structure
      emptyDir: {}
  extraVolumeMounts:
      - name: data-folder-structure
        mountPath: /mnt
      - name: mf-nextcloud
        mountPath: /mnt/users/marcio.fernandes
@@ -139,17 +200,17 @@ nextcloud:
        mountPath: /mnt/shared/NerdStuff
  configs:
    # appstore.override.config.php: |-
    #   <?php
    #   $CONFIG = array (
    #     'appstoreenabled' => true,
    #     'appstoreurl' => 'https://apps.nextcloud.com/api/v1',
    #   );
    global.config.php: |-
     <?php
        $CONFIG = array (
-          'allow_local_remote_servers' => true
+          'allow_local_remote_servers' => true,
          'loglevel' => 1
        );
    phone.config.php: |-
      <?php
      $CONFIG = array (
        'default_phone_region' => 'PT',
      );
    https.config.php: |-
      <?php
@@ -173,10 +234,26 @@ nextcloud:
          'maintenance_window_start' => 1,
        );
    redis.config.php: |-
      <?php
        $CONFIG = array (
          'memcache.local' => '\OC\Memcache\APCu',
          'memcache.distributed' => '\OC\Memcache\Redis',
          'memcache.locking' => '\OC\Memcache\Redis',
          'redis' => array(
            'host' => 'nextcloud-redis-master',
            'port' => 6379,
            'timeout' => 1.5,
            'password' => getenv('REDIS_PASSWORD'),
            'dbindex' => 0,
          ),
        );
    onlyoffice.config.php: |-
      <?php
      $CONFIG = array (
-        'onlyoffice' =>
+       'onlyoffice' =>
        array (
          'verify_peer_off' => true,
          'allow_local_remote_servers' => true,
--- a/deploy/app/redis-helm-values.yaml
+++ b/deploy/app/redis-helm-values.yaml
@@ -0,0 +1,12 @@
 architecture: standalone
 auth:
  enabled: true
 master:
  persistence:
    enabled: false
 replica:
  replicaCount: 0
--- a/deploy/app/whiteboard/.env.d/.gitignore
+++ b/deploy/app/whiteboard/.env.d/.gitignore
@@ -0,0 +1,3 @@
 **
 !*.example
 !.gitignore
--- a/deploy/app/whiteboard/.env.d/whiteboard.env.example
+++ b/deploy/app/whiteboard/.env.d/whiteboard.env.example
@@ -0,0 +1 @@
 JWT_SECRET_KEY= ????
--- a/deploy/app/whiteboard/deployment.yaml
+++ b/deploy/app/whiteboard/deployment.yaml
@@ -0,0 +1,37 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: nextcloud-whiteboard
  labels:
    app: nextcloud-whiteboard
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: nextcloud-whiteboard
  template:
    metadata:
      labels:
        app: nextcloud-whiteboard
    spec:
      containers:
        - name: whiteboard-ws
          image: ghcr.io/nextcloud-releases/whiteboard:stable
          ports:
            - containerPort: 3002
          env:
            - name: NEXTCLOUD_URL
              value: https://cloud.limbosolutions.com
            - name: JWT_SECRET_KEY
              valueFrom:
                secretKeyRef:
                  name: nextcloud-whiteboard
                  key: JWT_SECRET_KEY
          resources:
            limits:
              memory: "256Mi"
              cpu: "200m"
            requests:
              memory: "64Mi"
              cpu: "50m"
--- a/deploy/app/whiteboard/kustomization.yaml
+++ b/deploy/app/whiteboard/kustomization.yaml
@@ -0,0 +1,14 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 secretGenerator:
  - name: nextcloud-whiteboard
    envs:
      - ./.env.d/whiteboard.env
 generatorOptions:
  disableNameSuffixHash: true
 resources:
  - ./deployment.yaml
  - ./service.yaml
--- a/deploy/app/whiteboard/service.yaml
+++ b/deploy/app/whiteboard/service.yaml
@@ -0,0 +1,12 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: nextcloud-whiteboard
 spec:
  selector:
    app: nextcloud-whiteboard
  ports:
    - name: ws
      port: 3002
      targetPort: 3002
  type: ClusterIP
--- a/deploy/infra/ingress-web-public.yaml
+++ b/deploy/infra/ingress-web-public.yaml
@@ -21,7 +21,9 @@ spec:
        - name: ak-outpost-authentik-embedded-outpost
          namespace: id-limbosolutions-com
          port: 9000
-
+      middlewares:
          - name: nextcloud-security-headers
          - name: rate-limit
    # PUBLIC SHARES (NO SSO)
    - match: Host(`cloud.limbosolutions.com`) &&
@@ -36,6 +38,7 @@ spec:
      middlewares:
        - name: rate-limit
        - name: nextcloud-security-headers
        - name: nextcloud-deny-paths
    # Sync clients + mobile app (no SSO)
    - match: Host(`cloud.limbosolutions.com`) &&
@@ -55,6 +58,23 @@ spec:
      middlewares:
        - name: webdav-strip-auth
        - name: rate-limit
        - name: nextcloud-deny-paths
        - name: nextcloud-dav
    - match: Host(`cloud.limbosolutions.com`) && PathPrefix(`/whiteboard`)
      kind: Rule
      services:
        - name: nextcloud-whiteboard
          port: 3002
      middlewares:
         - name: nextcloud-security-headers
         - name: rate-limit
         - name: nextcloud-deny-paths
         - name: nextcloud-wellknown
         - name: nextcloud-hostmeta
         - name: nextcloud-dav
         - name: strip-whiteboard
    # 3) EVERYTHING ELSE (SSO REQUIRED)
    - match: Host(`cloud.limbosolutions.com`)
@@ -63,10 +83,12 @@ spec:
        - name: nextcloud
          port: 8080
      middlewares:
-         - name: authentik-forward-auth
+        # - name: authentik-forward-auth
         - name: nextcloud-security-headers
         - name: rate-limit
-
+         - name: nextcloud-deny-paths
         - name: nextcloud-wellknown
         - name: nextcloud-hostmeta
--- a/deploy/infra/ingress-web.yaml
+++ b/deploy/infra/ingress-web.yaml
@@ -14,59 +14,29 @@ spec:
      - main: cloud.limbosolutions.com
  routes:
    # AUTHENTIK OUTPOST
    - match: Host(`cloud.limbosolutions.com`)  && PathPrefix(`/outpost.goauthentik.io`)
      kind: Rule
      services:
        - name: ak-outpost-authentik-embedded-outpost
          namespace: id-limbosolutions-com
          port: 9000
    # PUBLIC SHARES (NO SSO)
    - match: Host(`cloud.limbosolutions.com`) &&
            (PathPrefix(`/s/`) ||
              PathPrefix(`/index.php/s/`) ||
              PathPrefix(`/public.php/`) ||
              PathPrefix(`/remote.php/dav/public-files/`))
      kind: Rule
      services:
        - name: nextcloud
          port: 8080
      middlewares:
        - name: rate-limit
        - name: nextcloud-security-headers
    # Sync clients + mobile app (no SSO)
    - match: Host(`cloud.limbosolutions.com`) &&
         (PathPrefix(`/remote.php/dav`) ||
          PathPrefix(`/remote.php/webdav`) ||
          PathPrefix(`/remote.php/caldav`) ||
          PathPrefix(`/remote.php/carddav`) ||
          PathPrefix(`/ocs/v1.php`) ||
          PathPrefix(`/ocs/v2.php`) ||
          PathPrefix(`/status.php`) ||
          PathPrefix(`/index.php/login/v2`) ||
          PathPrefix(`/index.php/login/v2/poll`))
      kind: Rule
      services:
        - name: nextcloud
          port: 8080
      middlewares:
        - name: webdav-strip-auth
        - name: rate-limit
    # 3) EVERYTHING ELSE (SSO REQUIRED)
    - match: Host(`cloud.limbosolutions.com`)
      kind: Rule
      services:
        - name: nextcloud
          port: 8080
      middlewares:
         #- name: authentik-forward-auth
         - name: nextcloud-security-headers
         - name: rate-limit
         - name: nextcloud-deny-paths
         - name: nextcloud-wellknown
         - name: nextcloud-hostmeta
         - name: nextcloud-dav
-
+    - match: Host(`cloud.limbosolutions.com`) && PathPrefix(`/whiteboard`)
-
+      kind: Rule
      services:
        - name: nextcloud-whiteboard
          port: 3002
      middlewares:
         - name: nextcloud-security-headers
         - name: rate-limit
         - name: nextcloud-deny-paths
         - name: nextcloud-wellknown
         - name: nextcloud-hostmeta
         - name: nextcloud-dav
         - name: strip-whiteboard
--- a/deploy/infra/kustomization.yaml
+++ b/deploy/infra/kustomization.yaml
@@ -1,13 +1,14 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
  - namespace.yaml
  - cd-serviceaccount.yaml
  - network-policies.yaml
  - middlewares.yaml
  - ingress-web.yaml
  - ingress-web-public.yaml
  - storage-limbosolutions-com/pv.yaml
  - ./onlyoffice/ingress.yaml
  - ./onlyoffice/middlewares.yaml
  - ./whiteboard/middlewares.yaml
 generatorOptions:
  disableNameSuffixHash: true
--- a/deploy/infra/middlewares.yaml
+++ b/deploy/infra/middlewares.yaml
@@ -17,8 +17,8 @@ metadata:
  name: rate-limit
 spec:
  rateLimit:
-    average: 50
+    average: 100
-    burst: 100
+    burst: 500
 ---
 # Optional: security headers for UI
@@ -28,19 +28,20 @@ metadata:
  name: nextcloud-security-headers
 spec:
  headers:
    stsSeconds: 31536000
    stsIncludeSubdomains: true
    stsPreload: true
    browserXssFilter: true
    contentTypeNosniff: true
-    frameDeny: true
+    frameDeny: false
    referrerPolicy: "no-referrer"
    stsSeconds: 15552000
    stsIncludeSubdomains: true
    stsPreload: true
    customResponseHeaders:
      X-Powered-By: ""
      X-Content-Type-Options: "nosniff"
-      X-Frame-Options: "DENY"
+      X-Frame-Options: "SAMEORIGIN"
      X-XSS-Protection: "1; mode=block"
 ---
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
@@ -64,3 +65,58 @@ spec:
      - X-authentik-meta-app
      - X-authentik-meta-version
 ---
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: nextcloud-deny-paths
 spec:
  redirectRegex:
    regex: "^/(build|tests|config|lib|3rdparty|templates|data|autotest|occ|issue|indie|db_|console)"
    replacement: "/"
    permanent: false
 ---
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: nextcloud-dav
 spec:
  redirectRegex:
    regex: "^/.well-known/(carddav|caldav)$"
    replacement: "/remote.php/dav"
    permanent: true
 ---
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: nextcloud-wellknown
 spec:
  redirectRegex:
    regex: "^/.well-known/(webfinger|nodeinfo)$"
    replacement: "/index.php/.well-known/${1}"
    permanent: true
 ---
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: nextcloud-hostmeta
 spec:
  redirectRegex:
    regex: "^/.well-known/host-meta$"
    replacement: "/public.php?service=host-meta"
    permanent: true
 ---
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: nextcloud-hostmeta-json
 spec:
  redirectRegex:
    regex: "^/.well-known/host-meta.json$"
    replacement: "/public.php?service=host-meta-json"
    permanent: true
--- a/deploy/infra/namespace.yaml
+++ b/deploy/infra/namespace.yaml
@@ -1,6 +0,0 @@
 apiVersion: v1
 kind: Namespace
 metadata:
  name: cloud-limbosolutions-com
  labels:
    name: cloud-limbosolutions-com
--- a/deploy/infra/network-policies.yaml
+++ b/deploy/infra/network-policies.yaml
@@ -0,0 +1,102 @@
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
  name: allow-same-namespace-ingress
 spec:
  endpointSelector: {}   # All pods in this namespace
  ingress:
    - fromEndpoints:
        - matchExpressions:
            - key: k8s:io.kubernetes.pod.namespace
              operator: In
              values:
                - cloud-limbosolutions-com
 ---
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
  name: allow-traefik-to-nextcloud-ingress
 spec:
  endpointSelector:
    matchLabels:
      app.kubernetes.io/name: nextcloud
  ingress:
    # -------------------------------------------------------------
    # Allow Traefik (internal and public) to reach nextcloud web port
    # -------------------------------------------------------------
    - fromEndpoints:
        - matchLabels:
            app.kubernetes.io/name: traefik
          matchExpressions:
            - key: k8s:io.kubernetes.pod.namespace
              operator: In
              values:
                - traefik
                - traefik-public
      toPorts:
        - ports:
            - port: "80"
              protocol: TCP
 ---
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
  name: allow-traefik-to-onlyoffice-ingress
 spec:
  endpointSelector:
    matchLabels:
      app: onlyoffice
  ingress:
    # -------------------------------------------------------------
    # Allow Traefik (internal and public) to reach onlyoffice web port
    # -------------------------------------------------------------
    - fromEndpoints:
        - matchLabels:
            app.kubernetes.io/name: traefik
          matchExpressions:
            - key: k8s:io.kubernetes.pod.namespace
              operator: In
              values:
                - traefik
                - traefik-public
      toPorts:
        - ports:
            - port: "80"
              protocol: TCP
 ---
 apiVersion: cilium.io/v2
 kind: CiliumNetworkPolicy
 metadata:
  name: allow-traefik-to-whiteboard-ingress
 spec:
  endpointSelector:
    matchLabels:
      app: nextcloud-whiteboard
  ingress:
    # -------------------------------------------------------------
    # Allow Traefik (internal and public) to reach whiteboard ws
    # -------------------------------------------------------------
    - fromEndpoints:
        - matchLabels:
            app.kubernetes.io/name: traefik
          matchExpressions:
            - key: k8s:io.kubernetes.pod.namespace
              operator: In
              values:
                - traefik
                - traefik-public
      toPorts:
        - ports:
            - port: "3002"
              protocol: TCP
--- a/deploy/infra/onlyoffice/middlewares.yaml
+++ b/deploy/infra/onlyoffice/middlewares.yaml
@@ -29,3 +29,4 @@ spec:
      X-Forwarded-Proto: "https"
      X-Forwarded-Ssl: "on"
      X-Forwarded-Port: "443"
--- a/deploy/infra/whiteboard/middlewares.yaml
+++ b/deploy/infra/whiteboard/middlewares.yaml
@@ -0,0 +1,8 @@
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
  name: strip-whiteboard
 spec:
  stripPrefix:
    prefixes:
      - "/whiteboard"
--- a/ops-scripts/apply-app.sh
+++ b/ops-scripts/apply-app.sh
@@ -1,7 +1,6 @@
 #!/bin/bash
 set -e
 echo "Executing nextcloud app deploy."
 kubectl kustomize deploy/app | kubectl apply -f -
 load_env_file() {
@@ -21,9 +20,10 @@ helm repo add nextcloud https://nextcloud.github.io/helm/ --force-update
 load_env_file "deploy/app/.env.d/nextcloud-mariadb.env"
 load_env_file "deploy/app/.env.d/nextcloud-secrets.env"
 load_env_file "deploy/app/.env.d/redis.env"
-helm upgrade --install nextcloud nextcloud/nextcloud \
+helm upgrade --install nextcloud nextcloud/nextcloud --version "9.0" \
- --values ./deploy/app/helm-values.yaml \
+ --values ./deploy/app/nextcloud-helm-values.yaml \
 --set externalDatabase.user=${MARIADB_USER:?Missing MARIADB_USER} \
 --set externalDatabase.password=${MARIADB_PASSWORD:?Missing MARIADB_PASSWORD} \
 --set externalDatabase.database=${MARIADB_DATABASE:?Missing MARIADB_DATABASE} \
@@ -32,3 +32,12 @@ helm upgrade --install nextcloud nextcloud/nextcloud \
 --set nextcloud.password=${NEXTCLOUD_PASSWORD:?Missing NEXTCLOUD_PASSWORD} \
 --namespace cloud-limbosolutions-com
 helm repo add bitnami https://charts.bitnami.com/bitnami --force-update
 helm upgrade --install nextcloud-redis bitnami/redis --version "25.3" \
 --values ./deploy/app/redis-helm-values.yaml \
 --set auth.password="${REDIS_PASSWORD:?Missing REDIS_PASSWORD}" \
 --namespace cloud-limbosolutions-com
--- a/ops-scripts/apply-infra.sh
+++ b/ops-scripts/apply-infra.sh
@@ -1,5 +1,5 @@
 #!/bin/bash
 set -e
 echo "Executing infra deploy."
-
+kubectl create namespace cloud-limbosolutions-com || true
 kubectl kustomize deploy/infra | kubectl -n cloud-limbosolutions-com apply -f -
Author	SHA1	Message	Date
Márcio Fernandes	ad7c6807f7	modified: README.md Some checks failed / continuous-deploy (push) Failing after 21s Details	2026-04-26 20:50:49 +00:00
Márcio Fernandes	816e21af68	modified: .gitea/workflows/app-continuous-deploy.yaml Some checks failed / continuous-deploy (push) Failing after 24s Details	2026-04-18 21:04:15 +00:00
Márcio Fernandes	a2e8b42539	anges to be committed: Some checks failed / continuous-deploy (push) Failing after 15m38s Details modified: .gitea/workflows/app-continuous-deploy.yaml modified: ops-scripts/apply-app.sh	2026-04-18 20:36:54 +00:00
Márcio Fernandes	6b89f0f2b3	modified: ops-scripts/apply-app.sh Some checks failed / continuous-deploy (push) Failing after 15m20s Details	2026-04-18 19:25:30 +00:00
Márcio Fernandes	a3b1c230c6	add dashboard and redis Some checks failed / continuous-deploy (push) Failing after 20s Details	2026-04-18 19:22:54 +00:00
Márcio Fernandes	405763f158	add network-policies All checks were successful / continuous-deploy (push) Successful in 23s Details	2026-04-18 15:11:24 +00:00
Márcio Fernandes	75aede94ac	add middlewares (source nginx template on source helm values), and default_phone_region All checks were successful / continuous-deploy (push) Successful in 24s Details	2026-04-16 22:58:37 +00:00
Márcio Fernandes	5acca5d4c7	ingress/internal: relax security All checks were successful / continuous-deploy (push) Successful in 23s Details ingress/public: disabled authentik-forward-auth (problems with phone clients) middlewares/rate-limit: increase values middlewares/security-headers:- added sts - fix nextcloud warning Some headers are not set correctly on your instance - The Strict-Transport-Security HTTP header is not set (should be at least 15552000 seconds). For enhanced security, it is recommended to enable HSTS	2026-04-16 19:47:11 +00:00
Márcio Fernandes	663049fb89	disable middlewares on internal ingress All checks were successful / continuous-deploy (push) Successful in 25s Details	2026-04-14 16:59:52 +01:00
Márcio Fernandes	40d4c92271	init container to fix permissions on volumeMounts	2026-04-14 16:58:31 +01:00