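# helm repo add nextcloud https://nextcloud.github.io/helm/
# helm upgrade --install nextcloud nextcloud/nextcloud -n nextcloud -f values.yaml --version 3.5.14
#
# Upgrading:
#   su -s /bin/bash - www-data
#   cd /var/www/html
#   PHP_MEMORY_LIMIT=512M ./occ upgrade
#
# Forwarding IPs requires (in config.php):
#
#   'trusted_proxies' =>
#   array (
#     0 => '10.42.0.0/16',
#     1 => '127.0.0.1',
#   ),
#   'overwritecondaddr' => '^10\.42\.[0-9]+\.[0-9]+$',
#
# For whatever your ingress is. Keep trusted_proxies as narrow as the ingress
# controller's addresses: every host inside the range is allowed to set the
# client address Nextcloud logs and rate-limits on (via X-Forwarded-For).

## Official nextcloud image version
## ref: https://hub.docker.com/r/library/nextcloud/tags/
##
image:
  repository: nextcloud
  tag: 29.0.0-fpm
  pullPolicy: IfNotPresent
  # pullSecrets:
  #   - myRegistrKeySecretName

nameOverride: ""
fullnameOverride: ""
podAnnotations: {}
deploymentAnnotations: {}
deploymentLabels: {}

# Number of replicas to be deployed
replicaCount: 1

## Allowing use of ingress controllers
## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
##
ingress:
  enabled: false
  # className: nginx
  annotations: {}
  #  nginx.ingress.kubernetes.io/proxy-body-size: 4G
  #  kubernetes.io/tls-acme: "true"
  #  cert-manager.io/cluster-issuer: letsencrypt-prod
  #  nginx.ingress.kubernetes.io/server-snippet: |-
  #    server_tokens off;
  #    proxy_hide_header X-Powered-By;
  #    rewrite ^/.well-known/webfinger /index.php/.well-known/webfinger last;
  #    rewrite ^/.well-known/nodeinfo /index.php/.well-known/nodeinfo last;
  #    rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
  #    rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json;
  #    location = /.well-known/carddav {
  #      return 301 $scheme://$host/remote.php/dav;
  #    }
  #    location = /.well-known/caldav {
  #      return 301 $scheme://$host/remote.php/dav;
  #    }
  #    location = /robots.txt {
  #      allow all;
  #      log_not_found off;
  #      access_log off;
  #    }
  #    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
  #      deny all;
  #    }
  #    location ~ ^/(?:autotest|occ|issue|indie|db_|console) {
  #      deny all;
  #    }
  # tls:
  #   - secretName: nextcloud-tls
  #     hosts:
  #       - nextcloud.kube.home
  labels: {}
  path: /
  pathType: Prefix

# Allow configuration of lifecycle hooks
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/
lifecycle: {}
  # postStartCommand: []
  # preStopCommand: []

phpClientHttpsFix:
  enabled: false
  protocol: https

nextcloud:
  host: nextcloud.jibby.org
  username: josh
  # NOTE(review): left empty while existingSecret.enabled is false — supply the
  # admin password at install time (e.g. --set) or switch to existingSecret
  # rather than committing it to this file.
  password: ""
  ## Use an existing secret
  existingSecret:
    enabled: false
    # secretName: nameofsecret
    # usernameKey: nextcloud-username
    # passwordKey: nextcloud-password
    # tokenKey: nextcloud-token
    # smtpUsernameKey: smtp-username
    # smtpPasswordKey: smtp-password
  update: 0
  # If web server is not binding default port, you can define it
  containerPort: 80
  datadir: /var/www/html/data
  persistence:
    subPath:
  mail:
    enabled: false
    fromAddress: user
    domain: domain.com
    smtp:
      host: domain.com
      secure: ssl
      port: 465
      authtype: LOGIN
      name: user
      password: pass
  # PHP Configuration files
  # Will be injected in /usr/local/etc/php/conf.d for apache image and in /usr/local/etc/php-fpm.d when nginx.enabled: true
  phpConfigs:
    www.conf: |
      [www]
      user = www-data
      group = www-data
      listen = 127.0.0.1:9000
      pm = dynamic
      pm.max_children = 86
      pm.start_servers = 21
      pm.min_spare_servers = 21
      pm.max_spare_servers = 64
      ; for large file uploads
      request_terminate_timeout = 3600
  # Default config files
  # IMPORTANT: Will be used only if you put extra configs, otherwise default will come from nextcloud itself
  # Default configurations can be found here: https://github.com/nextcloud/docker/tree/master/16.0/apache/config
  defaultConfigs:
    # To protect /var/www/html/config
    .htaccess: true
    # Redis default configuration
    redis.config.php: true
    # Apache configuration for rewrite urls
    apache-pretty-urls.config.php: true
    # Define APCu as local cache
    apcu.config.php: true
    # Apps directory configs
    apps.config.php: true
    # Used for auto configure database
    autoconfig.php: true
    # SMTP default configuration
    smtp.config.php: true
  # Extra config files created in /var/www/html/config/
  # ref: https://docs.nextcloud.com/server/15/admin_manual/configuration_server/config_sample_php_parameters.html#multiple-config-php-file
  configs: {}

  # For example, to use S3 as primary storage
  # ref: https://docs.nextcloud.com/server/13/admin_manual/configuration_files/primary_storage.html#simple-storage-service-s3
  #
  # configs:
  #   s3.config.php: |-
  #     array(
  #       'class' => '\\OC\\Files\\ObjectStore\\S3',
  #       'arguments' => array(
  #         'bucket' => 'my-bucket',
  #         'autocreate' => true,
  #         'key' => 'xxx',
  #         'secret' => 'xxx',
  #         'region' => 'us-east-1',
  #         'use_ssl' => true
  #       )
  #     )
  #   );

  ## Strategy used to replace old pods
  ## IMPORTANT: use with care, it is suggested to leave as that for upgrade purposes
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
  strategy:
    type: Recreate
    # type: RollingUpdate
    # rollingUpdate:
    #   maxSurge: 1
    #   maxUnavailable: 0

  ##
  ## Extra environment variables
  ## Redis credentials are read from an existing secret rather than written here.
  extraEnv:
    - name: REDIS_HOST
      valueFrom:
        secretKeyRef:
          name: redis-client-secret
          key: REDIS_HOST
    - name: REDIS_HOST_PASSWORD
      valueFrom:
        secretKeyRef:
          name: redis-client-secret
          key: REDIS_HOST_PASSWORD

  # Extra init containers that runs before pods start.
  extraInitContainers: []
  #  - name: do-something
  #    image: busybox
  #    command: ['do', 'something']

  # Extra sidecar containers.
  extraSidecarContainers: []
  #  - name: nextcloud-logger
  #    image: busybox
  #    command: [/bin/sh, -c, 'while ! test -f "/run/nextcloud/data/nextcloud.log"; do sleep 1; done; tail -n+1 -f /run/nextcloud/data/nextcloud.log']
  #    volumeMounts:
  #    - name: nextcloud-data
  #      mountPath: /run/nextcloud/data

  # Extra mounts for the pods. Example shown is for connecting a legacy NFS volume
  # to NextCloud pods in Kubernetes.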
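# This can then be configured in External Storage
  extraVolumes:
  #  - name: nfs
  #    nfs:
  #      server: "10.0.0.1"
  #      path: "/nextcloud_data"
  #      readOnly: false
  extraVolumeMounts:
  #  - name: nfs
  #    mountPath: "/legacy_data"

  # Set securityContext parameters for the nextcloud CONTAINER only (will not affect nginx container).
  # For example, you may need to define runAsNonRoot directive
  securityContext: {}
  #  runAsUser: 33
  #  runAsGroup: 33
  #  runAsNonRoot: true
  #  readOnlyRootFilesystem: false

  # Set securityContext parameters for the entire pod. For example, you may need to define runAsNonRoot directive
  podSecurityContext: {}
  #  runAsUser: 33
  #  runAsGroup: 33
  #  runAsNonRoot: true
  #  readOnlyRootFilesystem: false

nginx:
  ## You need to set an fpm version of the image for nextcloud if you want to use nginx!
  enabled: true
  image:
    repository: nginx
    # NOTE(review): "alpine" is a floating tag; combined with pullPolicy
    # IfNotPresent, nodes keep serving whatever image they cached first.
    # Pin a version (or digest) so upgrades are deliberate and reviewable.
    tag: alpine
    pullPolicy: IfNotPresent
  config:
    # This generates the default nginx config as per the nextcloud documentation
    default: false
    # Default is below, changes marked with CHANGE.
    # The Strict-Transport-Security header stays commented out here; this
    # server listens on plain port 80, so HSTS (if wanted) belongs on whatever
    # terminates TLS in front of it.
    custom: |-
      error_log /var/log/nginx/error.log warn;
      pid /var/run/nginx.pid;
      events {
        worker_connections 1024;
      }
      http {
        include /etc/nginx/mime.types;
        default_type application/octet-stream;
        log_format main '$remote_addr - $remote_user [$time_local] "$request" '
                        '$status $body_bytes_sent "$http_referer" '
                        '"$http_user_agent" "$http_x_forwarded_for"';
        access_log /var/log/nginx/access.log main;
        # CHANGE for large file uploads
        proxy_read_timeout 3600;
        sendfile on;
        #tcp_nopush on;
        keepalive_timeout 65;
        #gzip on;
        upstream php-handler {
          server 127.0.0.1:9000;
        }
        server {
          listen 80;
          # HSTS settings
          # WARNING: Only add the preload option once you read about
          # the consequences in https://hstspreload.org/. This option
          # will add the domain to a hardcoded list that is shipped
          # in all major browsers and getting removed from this list
          # could take several months.
          #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
          # set max upload size
          client_max_body_size 10G;
          fastcgi_buffers 64 4K;
          # Enable gzip but do not remove ETag headers
          gzip on;
          gzip_vary on;
          gzip_comp_level 4;
          gzip_min_length 256;
          gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
          gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
          # Pagespeed is not supported by Nextcloud, so if your server is built
          # with the `ngx_pagespeed` module, uncomment this line to disable it.
          #pagespeed off;
          # HTTP response headers borrowed from Nextcloud `.htaccess`
          add_header Referrer-Policy "no-referrer" always;
          add_header X-Content-Type-Options "nosniff" always;
          add_header X-Download-Options "noopen" always;
          add_header X-Frame-Options "SAMEORIGIN" always;
          add_header X-Permitted-Cross-Domain-Policies "none" always;
          add_header X-Robots-Tag "noindex, nofollow" always;
          add_header X-XSS-Protection "1; mode=block" always;
          add_header X-Forwarded-For $proxy_add_x_forwarded_for;
          # Remove X-Powered-By, which is an information leak
          fastcgi_hide_header X-Powered-By;
          # Path to the root of your installation
          root /var/www/html;
          # Specify how to handle directories -- specifying `/index.php$request_uri`
          # here as the fallback means that Nginx always exhibits the desired behaviour
          # when a client requests a path that corresponds to a directory that exists
          # on the server. In particular, if that directory contains an index.php file,
          # that file is correctly served; if it doesn't, then the request is passed to
          # the front-end controller. This consistent behaviour means that we don't need
          # to specify custom rules for certain paths (e.g. images and other assets,
          # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
          # `try_files $uri $uri/ /index.php$request_uri`
          # always provides the desired behaviour.
          index index.php index.html /index.php$request_uri;
          # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
          location = / {
            if ( $http_user_agent ~ ^DavClnt ) {
              return 302 /remote.php/webdav/$is_args$args;
            }
          }
          location = /robots.txt {
            allow all;
            log_not_found off;
            access_log off;
          }
          # Make a regex exception for `/.well-known` so that clients can still
          # access it despite the existence of the regex rule
          # `location ~ /(\.|autotest|...)` which would otherwise handle requests
          # for `/.well-known`.
          location ^~ /.well-known {
            # The following 6 rules are borrowed from `.htaccess`
            location = /.well-known/carddav { return 301 /remote.php/dav/; }
            location = /.well-known/caldav { return 301 /remote.php/dav/; }
            # Anything else is dynamically handled by Nextcloud
            location ^~ /.well-known { return 301 /index.php$uri; }
            try_files $uri $uri/ =404;
          }
          # Rules borrowed from `.htaccess` to hide certain paths from clients
          location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
          location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
          # Ensure this block, which passes PHP files to the PHP process, is above the blocks
          # which handle static assets (as seen below). If this block is not declared first,
          # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
          # to the URI, resulting in a HTTP 500 error response.
          location ~ \.php(?:$|/) {
            fastcgi_split_path_info ^(.+?\.php)(/.*)$;
            set $path_info $fastcgi_path_info;
            try_files $fastcgi_script_name =404;
            include fastcgi_params;
            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
            fastcgi_param PATH_INFO $path_info;
            #fastcgi_param HTTPS on;
            fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
            fastcgi_param front_controller_active true; # Enable pretty urls
            fastcgi_pass php-handler;
            fastcgi_intercept_errors on;
            fastcgi_request_buffering off;
          }
          location ~ \.(?:css|js|svg|gif)$ {
            try_files $uri /index.php$request_uri;
            expires 6M; # Cache-Control policy borrowed from `.htaccess`
            access_log off; # Optional: Don't log access to assets
          }
          location ~ \.woff2?$ {
            try_files $uri /index.php$request_uri;
            expires 7d; # Cache-Control policy borrowed from `.htaccess`
            access_log off; # Optional: Don't log access to assets
          }
          location / {
            try_files $uri $uri/ /index.php$request_uri;
          }
        }
      }
  resources: {}
  # Set nginx container securityContext parameters. For example, you may need to define runAsNonRoot directive
  securityContext: {}
    # the nginx alpine container default user is 82
    # runAsUser: 82
    # runAsGroup: 33
    # runAsNonRoot: true
    # readOnlyRootFilesystem: true

internalDatabase:
  enabled: false
  name: nextcloud

externalDatabase:
  enabled: true
  ## Supported database engines: mysql or postgresql
  type: postgresql
  ## Database host (quoted: the value contains a colon)
  host: "postgres-postgresql.postgres.svc.cluster.local:5432"
  ## Database user
  user: nextcloud
  ## Database password — intentionally empty; credentials come from existingSecret below
  password:
  ## Database name
  database: nextcloud
  ## Use a existing secret
  existingSecret:
    enabled: true
    secretName: postgres-secret
    usernameKey: username
    passwordKey: password

##
## MariaDB chart configuration
## ref: https://github.com/bitnami/charts/tree/main/bitnami/mariadb
##
mariadb:
  ## Whether to deploy a mariadb server from the bitnami mariadb helm chart
  # to satisfy the applications database requirements.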
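# if you want to deploy this bitnami mariadb, set this and externalDatabase to true
# To use an ALREADY DEPLOYED mariadb database, set this to false and configure the externalDatabase parameters
  enabled: false
  auth:
    database: nextcloud
    username: nextcloud
    # Placeholder only while enabled is false; replace (or use existingSecret) before enabling the subchart.
    password: changeme
    # Use existing secret (auth.rootPassword, auth.password, and auth.replicationPassword will be ignored).
    # secret must contain the keys mariadb-root-password, mariadb-replication-password and mariadb-password
    existingSecret: ""
  architecture: standalone
  ## Enable persistence using Persistent Volume Claims
  ## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
  ##
  primary:
    persistence:
      enabled: false
      # Use an existing Persistent Volume Claim (must be created ahead of time)
      # existingClaim: ""
      # storageClass: ""
      accessMode: ReadWriteOnce
      size: 8Gi

##
## PostgreSQL chart configuration
## for more options see https://github.com/bitnami/charts/tree/main/bitnami/postgresql
##
postgresql:
  enabled: false
  global:
    postgresql:
      # global.postgresql.auth overrides postgresql.auth
      auth:
        username: nextcloud
        # Placeholder only while enabled is false; replace (or use existingSecret) before enabling the subchart.
        password: changeme
        database: nextcloud
        # Name of existing secret to use for PostgreSQL credentials.
        # auth.postgresPassword, auth.password, and auth.replicationPassword will be ignored and picked up from this secret.
        # secret might also contain the key ldap-password if LDAP is enabled.
        # ldap.bind_password will be ignored and picked from this secret in this case.
        existingSecret: ""
        # Names of keys in existing secret to use for PostgreSQL credentials
        secretKeys:
          adminPasswordKey: ""
          userPasswordKey: ""
          replicationPasswordKey: ""
  primary:
    persistence:
      enabled: false
      # Use an existing Persistent Volume Claim (must be created ahead of time)
      # existingClaim: ""
      # storageClass: ""

##
## Redis chart configuration
## for more options see https://github.com/bitnami/charts/tree/main/bitnami/redis
##
redis:
  enabled: false
  auth:
    enabled: true
    # Placeholder only while enabled is false; the live Redis credentials come from nextcloud.extraEnv.
    password: 'changeme'
    # name of an existing secret with Redis® credentials (instead of auth.password), must be created ahead of time
    existingSecret: ""
    # Password key to be retrieved from existing secret
    existingSecretPasswordKey: ""

## Cronjob to execute Nextcloud background tasks
## ref: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/background_jobs_configuration.html#cron
##
cronjob:
  enabled: true
  ## Cronjob sidecar resource requests and limits
  ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
  ##
  resources: {}
  # Allow configuration of lifecycle hooks
  # ref: https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/
  lifecycle: {}
    # postStartCommand: []
    # preStopCommand: []
  # Set securityContext parameters. For example, you may need to define runAsNonRoot directive
  securityContext: {}
    # runAsUser: 33
    # runAsGroup: 33
    # runAsNonRoot: true
    # readOnlyRootFilesystem: true

service:
  type: ClusterIP
  port: 8080
  # NOTE(review): YAML reads `nil` as the string "nil", not as null. Kept as-is
  # because the chart's templates were written against this default — confirm
  # how they test it before switching to null.
  loadBalancerIP: nil
  nodePort: nil

## Enable persistence using Persistent Volume Claims
## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
##
persistence:
  # Nextcloud Data (/var/www/html)
  enabled: true
  annotations: {}
  ## nextcloud data Persistent Volume Storage Class
  ## If defined, storageClassName: <storageClass>
  ## If set to "-", storageClassName: "", which disables dynamic provisioning
  ## If undefined (the default) or set to null, no storageClassName spec is
  ## set, choosing the default provisioner.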
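## (gp2 on AWS, standard on
## GKE, AWS & OpenStack)
##
  storageClass: "ceph-block"
  ## A manually managed Persistent Volume and Claim
  ## Requires persistence.enabled: true
  ## If defined, PVC must be created manually before volume will be bound
  existingClaim: nextcloud-pvc
  accessMode: ReadWriteOnce
  size: 8Gi
  ## Use an additional pvc for the data directory rather than a subpath of the default PVC
  ## Useful to store data on a different storageClass (e.g. on slower disks)
  nextcloudData:
    enabled: true
    subPath:
    annotations: {}
    storageClass: "ceph-block"
    existingClaim: nextcloud-data-pvc
    accessMode: ReadWriteOnce
    size: 200Gi

resources:
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  limits:
    # cpu: 100m
    memory: 4Gi
  requests:
    # cpu: 100m
    memory: 1Gi

## Liveness and readiness probe values
## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
##
livenessProbe:
  enabled: false
  initialDelaySeconds: 10
  periodSeconds: 10
  timeoutSeconds: 5
  failureThreshold: 3
  successThreshold: 1
readinessProbe:
  enabled: false
  initialDelaySeconds: 10
  periodSeconds: 10
  timeoutSeconds: 5
  failureThreshold: 3
  successThreshold: 1
startupProbe:
  enabled: false
  initialDelaySeconds: 30
  periodSeconds: 10
  timeoutSeconds: 5
  failureThreshold: 30
  successThreshold: 1

## Enable pod autoscaling using HorizontalPodAutoscaler
## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
##
hpa:
  enabled: false
  cputhreshold: 60
  minPods: 1
  maxPods: 10

nodeSelector: {}

tolerations: []

# To speed up file transfers
affinity:
  nodeAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
      nodeSelectorTerms:
        - matchExpressions:
            - key: cluster-ingress
              operator: In
              values:
                # label values are strings; keep the quotes so this is not parsed as a boolean
                - "true"

## Prometheus Exporter / Metrics
##
metrics:
  enabled: false
  replicaCount: 1
  # The metrics exporter needs to know how you serve Nextcloud either http or https
  https: false
  # Use API token if set, otherwise fall back to password authentication
  # https://github.com/xperimental/nextcloud-exporter#token-authentication
  # Currently you still need to set the token manually in your nextcloud install
  token: ""
  timeout: 5s
  # if set to true, exporter skips certificate verification of Nextcloud server.
  # Keep false: the exporter sends the admin credentials/token on this connection.
  tlsSkipVerify: false
  image:
    repository: xperimental/nextcloud-exporter
    tag: "0.6.0"
    pullPolicy: IfNotPresent
    # pullSecrets:
    #   - myRegistrKeySecretName
  ## Metrics exporter resource requests and limits
  ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
  ##
  # resources: {}
  ## Metrics exporter pod Annotation and Labels
  # podAnnotations: {}
  # podLabels: {}
  service:
    type: ClusterIP
    ## Use serviceLoadBalancerIP to request a specific static IP,
    ## otherwise leave blank
    # loadBalancerIP:
    annotations:
      prometheus.io/scrape: "true"
      prometheus.io/port: "9205"
    labels: {}
  ## Prometheus Operator ServiceMonitor configuration
  ##
  serviceMonitor:
    ## @param metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using PrometheusOperator
    ##
    enabled: false
    ## @param metrics.serviceMonitor.namespace Namespace in which Prometheus is running
    ##
    namespace: ""
    ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus.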
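##
    jobLabel: ""
    ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped
    ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
    ##
    interval: 30s
    ## @param metrics.serviceMonitor.scrapeTimeout Specify the timeout after which the scrape is ended
    ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
    ##
    scrapeTimeout: ""
    ## @param metrics.serviceMonitor.labels Extra labels for the ServiceMonitor
    ##
    labels: {}

rbac:
  enabled: false
  serviceaccount:
    create: true
    name: nextcloud-serviceaccount
    annotations: {}

## @param securityContext for nextcloud pod @deprecated Use `nextcloud.podSecurityContext` instead
securityContext: {}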