# Helm values for the Nextcloud chart (values override file).
#
# helm repo add nextcloud https://nextcloud.github.io/helm/
# helm upgrade --install nextcloud nextcloud/nextcloud -n nextcloud -f values.yaml --version 3.5.14
#
# Upgrading:
# su -s /bin/bash - www-data
# cd /var/www/html
# PHP_MEMORY_LIMIT=512M ./occ upgrade
#
# Forwarding IPs requires:
#
#  'trusted_proxies' =>
#  array (
#    0 => '10.42.0.0/16',
#    1 => '127.0.0.1',
#  ),
#  'overwritecondaddr' => '^10\.42\.[0-9]+\.[0-9]+$',
#
# For whatever your ingress is.
# NOTE(review): trusted_proxies controls which X-Forwarded-For values Nextcloud
# believes; keep the list limited to the ingress/pod CIDR actually in front of
# the pods, otherwise clients can spoof their source IP to rate limiting/logging.

## Official nextcloud image version
## ref: https://hub.docker.com/r/library/nextcloud/tags/
##
image:
  repository: nextcloud
  # fpm variant is required because nginx.enabled is true below.
  tag: 29.0.0-fpm
  pullPolicy: IfNotPresent
  # pullSecrets:
  #   - myRegistrKeySecretName

nameOverride: ""
fullnameOverride: ""
podAnnotations: {}
deploymentAnnotations: {}
deploymentLabels: {}

# Number of replicas to be deployed
replicaCount: 1

## Allowing use of ingress controllers
## ref: https://kubernetes.io/docs/concepts/services-networking/ingress/
##
# Ingress is disabled here; the commented annotations document the hardening
# (server_tokens off, X-Powered-By hidden, sensitive paths denied) to apply
# if it is enabled.
ingress:
  enabled: false
  # className: nginx
  annotations: {}
  #  nginx.ingress.kubernetes.io/proxy-body-size: 4G
  #  kubernetes.io/tls-acme: "true"
  #  cert-manager.io/cluster-issuer: letsencrypt-prod
  #  nginx.ingress.kubernetes.io/server-snippet: |-
  #    server_tokens off;
  #    proxy_hide_header X-Powered-By;
  #    rewrite ^/.well-known/webfinger /index.php/.well-known/webfinger last;
  #    rewrite ^/.well-known/nodeinfo /index.php/.well-known/nodeinfo last;
  #    rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
  #    rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json;
  #    location = /.well-known/carddav {
  #      return 301 $scheme://$host/remote.php/dav;
  #    }
  #    location = /.well-known/caldav {
  #      return 301 $scheme://$host/remote.php/dav;
  #    }
  #    location = /robots.txt {
  #      allow all;
  #      log_not_found off;
  #      access_log off;
  #    }
  #    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
  #      deny all;
  #    }
  #    location ~ ^/(?:autotest|occ|issue|indie|db_|console) {
  #      deny all;
  #    }
  # tls:
  #   - secretName: nextcloud-tls
  #     hosts:
  #       - nextcloud.kube.home
  labels: {}
  path: /
  pathType: Prefix

# Allow configuration of lifecycle hooks
# ref: https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/
lifecycle: {}
  # postStartCommand: []
  # preStopCommand: []

phpClientHttpsFix:
  enabled: false
  protocol: https

nextcloud:
  host: nextcloud.jibby.org
  # Initial admin credentials. existingSecret is disabled, so these plain
  # values are what the chart uses; password is left empty here.
  # NOTE(review): supply the admin password via an override or switch to
  # existingSecret rather than committing it to this file.
  username: josh
  password: ""
  ## Use an existing secret
  existingSecret:
    enabled: false
    # secretName: nameofsecret
    # usernameKey: nextcloud-username
    # passwordKey: nextcloud-password
    # tokenKey: nextcloud-token
    # smtpUsernameKey: smtp-username
    # smtpPasswordKey: smtp-password
  update: 0
  # If web server is not binding default port, you can define it
  containerPort: 80
  datadir: /var/www/html/data
  persistence:
    # Bare value: parses as YAML null (no subPath).
    subPath:
  # Mail is disabled; the smtp.name/password below are placeholders, not
  # real credentials. If mail is enabled, move the password to a Secret
  # (see existingSecret.smtpPasswordKey above).
  mail:
    enabled: false
    fromAddress: user
    domain: domain.com
    smtp:
      host: domain.com
      secure: ssl
      port: 465
      authtype: LOGIN
      name: user
      password: pass
  # PHP Configuration files
  # Will be injected in /usr/local/etc/php/conf.d for apache image and in /usr/local/etc/php-fpm.d when nginx.enabled: true
  # php-fpm listens on loopback only (127.0.0.1:9000); the nginx sidecar in
  # the same pod reaches it via the shared network namespace, so the FastCGI
  # socket is not exposed outside the pod.
  phpConfigs:
    www.conf: |
      [www]
      user = www-data
      group = www-data
      listen = 127.0.0.1:9000
      pm = dynamic
      pm.max_children = 86
      pm.start_servers = 21
      pm.min_spare_servers = 21
      pm.max_spare_servers = 64
      ; for large file uploads
      request_terminate_timeout = 3600
  # Default config files
  # IMPORTANT: Will be used only if you put extra configs, otherwise default will come from nextcloud itself
  # Default confgurations can be found here: https://github.com/nextcloud/docker/tree/master/16.0/apache/config
  defaultConfigs:
    # To protect /var/www/html/config
    .htaccess: true
    # Redis default configuration
    redis.config.php: true
    # Apache configuration for rewrite urls
    apache-pretty-urls.config.php: true
    # Define APCu as local cache
    apcu.config.php: true
    # Apps directory configs
    apps.config.php: true
    # Used for auto configure database
    autoconfig.php: true
    # SMTP default configuration
    smtp.config.php: true
  # Extra config files created in /var/www/html/config/
  # ref: https://docs.nextcloud.com/server/15/admin_manual/configuration_server/config_sample_php_parameters.html#multiple-config-php-file
  configs: {}
  # For example, to use S3 as primary storage
  # ref: https://docs.nextcloud.com/server/13/admin_manual/configuration_files/primary_storage.html#simple-storage-service-s3
  # (the 'key'/'secret' values in the example would land in a ConfigMap;
  # prefer referencing a Secret for real object-store credentials)
  #
  #  configs:
  #    s3.config.php: |-
  #      <?php
  #      $CONFIG = array (
  #        'objectstore' => array(
  #          'class' => '\\OC\\Files\\ObjectStore\\S3',
  #          'arguments' => array(
  #            'bucket'     => 'my-bucket',
  #            'autocreate' => true,
  #            'key'        => 'xxx',
  #            'secret'     => 'xxx',
  #            'region'     => 'us-east-1',
  #            'use_ssl'    => true
  #          )
  #        )
  #      );
  ## Strategy used to replace old pods
  ## IMPORTANT: use with care, it is suggested to leave as that for upgrade purposes
  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
  strategy:
    type: Recreate
    # type: RollingUpdate
    # rollingUpdate:
    #   maxSurge: 1
    #   maxUnavailable: 0
  ##
  ## Extra environment variables
  # Redis host and password are read from the redis-client-secret Secret
  # rather than written here, so no Redis credential is stored in values.
  extraEnv:
    - name: REDIS_HOST
      valueFrom:
        secretKeyRef:
          name: redis-client-secret
          key: REDIS_HOST
    - name: REDIS_HOST_PASSWORD
      valueFrom:
        secretKeyRef:
          name: redis-client-secret
          key: REDIS_HOST_PASSWORD
  # Extra init containers that runs before pods start.
  extraInitContainers: []
  #  - name: do-something
  #    image: busybox
  #    command: ['do', 'something']
  # Extra sidecar containers.
  extraSidecarContainers: []
  #  - name: nextcloud-logger
  #    image: busybox
  #    command: [/bin/sh, -c, 'while ! test -f "/run/nextcloud/data/nextcloud.log"; do sleep 1; done; tail -n+1 -f /run/nextcloud/data/nextcloud.log']
  #    volumeMounts:
  #    - name: nextcloud-data
  #      mountPath: /run/nextcloud/data
  # Extra mounts for the pods. Example shown is for connecting a legacy NFS volume
  # to NextCloud pods in Kubernetes. This can then be configured in External Storage
  # Both keys below are bare (YAML null) because only the examples are left.
  extraVolumes:
  #  - name: nfs
  #    nfs:
  #      server: "10.0.0.1"
  #      path: "/nextcloud_data"
  #      readOnly: false
  extraVolumeMounts:
  #  - name: nfs
  #    mountPath: "/legacy_data"
  # Set securityContext parameters for the nextcloud CONTAINER only (will not affect nginx container).
  # For example, you may need to define runAsNonRoot directive
  # Empty here: the container runs with the image defaults. The commented
  # example (uid/gid 33 = www-data, runAsNonRoot) is the hardening to apply
  # once it has been verified that the fpm image starts without root.
  securityContext: {}
  #   runAsUser: 33
  #   runAsGroup: 33
  #   runAsNonRoot: true
  #   readOnlyRootFilesystem: false
  # Set securityContext parameters for the entire pod. For example, you may need to define runAsNonRoot directive
  podSecurityContext: {}
  #   runAsUser: 33
  #   runAsGroup: 33
  #   runAsNonRoot: true
  #   readOnlyRootFilesystem: false

nginx:
  ## You need to set an fpm version of the image for nextcloud if you want to use nginx!
  enabled: true
  image:
    repository: nginx
    # Floating tag; pin to a specific version if reproducible rollouts matter.
    tag: alpine
    pullPolicy: IfNotPresent
  config:
    # This generates the default nginx config as per the nextcloud documentation
    default: false
    # Default is below, changes marked with CHANGE
    #
    # Security-relevant points in the custom config (comments cannot be added
    # inside the block scalar without changing the rendered nginx.conf):
    #  - `listen 80;` is plaintext: TLS termination is expected at the ingress
    #    in front of the pod (see the trusted_proxies note at the top).
    #  - HSTS is left commented out; set it at the TLS-terminating layer or
    #    uncomment it once the preload consequences are understood.
    #  - `add_header X-Forwarded-For $proxy_add_x_forwarded_for;` adds a
    #    *response* header, so the forwarded-IP chain is echoed back to the
    #    client. NOTE(review): this looks like it was meant as proxy_set_header;
    #    confirm it is needed, otherwise drop it to avoid leaking proxy addresses.
    #  - `#fastcgi_param HTTPS on;` is commented; if Nextcloud must generate
    #    https URLs behind the ingress, use overwriteprotocol/phpClientHttpsFix.
    #  - Access to config/, data/, lib/, occ, etc. returns 404 and
    #    X-Powered-By is hidden, matching Nextcloud's .htaccess rules.
    custom: |-
      error_log  /var/log/nginx/error.log warn;
      pid        /var/run/nginx.pid;
      events {
          worker_connections  1024;
      }
      http {
          include       /etc/nginx/mime.types;
          default_type  application/octet-stream;
          log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
                            '$status $body_bytes_sent "$http_referer" '
                            '"$http_user_agent" "$http_x_forwarded_for"';
          access_log  /var/log/nginx/access.log  main;
          # CHANGE for large file uploads
          proxy_read_timeout 3600;
          sendfile        on;
          #tcp_nopush     on;
          keepalive_timeout  65;
          #gzip  on;
          upstream php-handler {
              server 127.0.0.1:9000;
          }
          server {
              listen 80;
              # HSTS settings
              # WARNING: Only add the preload option once you read about
              # the consequences in https://hstspreload.org/. This option
              # will add the domain to a hardcoded list that is shipped
              # in all major browsers and getting removed from this list
              # could take several months.
              #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
              # set max upload size
              client_max_body_size 10G;
              fastcgi_buffers 64 4K;
              # Enable gzip but do not remove ETag headers
              gzip on;
              gzip_vary on;
              gzip_comp_level 4;
              gzip_min_length 256;
              gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
              gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
              # Pagespeed is not supported by Nextcloud, so if your server is built
              # with the `ngx_pagespeed` module, uncomment this line to disable it.
              #pagespeed off;
              # HTTP response headers borrowed from Nextcloud `.htaccess`
              add_header Referrer-Policy                      "no-referrer"       always;
              add_header X-Content-Type-Options               "nosniff"           always;
              add_header X-Download-Options                   "noopen"            always;
              add_header X-Frame-Options                      "SAMEORIGIN"        always;
              add_header X-Permitted-Cross-Domain-Policies    "none"              always;
              add_header X-Robots-Tag                         "noindex, nofollow" always;
              add_header X-XSS-Protection                     "1; mode=block"     always;
              add_header X-Forwarded-For $proxy_add_x_forwarded_for;
              # Remove X-Powered-By, which is an information leak
              fastcgi_hide_header X-Powered-By;
              # Path to the root of your installation
              root /var/www/html;
              # Specify how to handle directories -- specifying `/index.php$request_uri`
              # here as the fallback means that Nginx always exhibits the desired behaviour
              # when a client requests a path that corresponds to a directory that exists
              # on the server. In particular, if that directory contains an index.php file,
              # that file is correctly served; if it doesn't, then the request is passed to
              # the front-end controller. This consistent behaviour means that we don't need
              # to specify custom rules for certain paths (e.g. images and other assets,
              # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
              # `try_files $uri $uri/ /index.php$request_uri`
              # always provides the desired behaviour.
              index index.php index.html /index.php$request_uri;
              # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
              location = / {
                  if ( $http_user_agent ~ ^DavClnt ) {
                      return 302 /remote.php/webdav/$is_args$args;
                  }
              }
              location = /robots.txt {
                  allow all;
                  log_not_found off;
                  access_log off;
              }
              # Make a regex exception for `/.well-known` so that clients can still
              # access it despite the existence of the regex rule
              # `location ~ /(\.|autotest|...)` which would otherwise handle requests
              # for `/.well-known`.
              location ^~ /.well-known {
                  # The following 6 rules are borrowed from `.htaccess`
                  location = /.well-known/carddav     { return 301 /remote.php/dav/; }
                  location = /.well-known/caldav      { return 301 /remote.php/dav/; }
                  # Anything else is dynamically handled by Nextcloud
                  location ^~ /.well-known            { return 301 /index.php$uri; }
                  try_files $uri $uri/ =404;
              }
              # Rules borrowed from `.htaccess` to hide certain paths from clients
              location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
              location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)              { return 404; }
              # Ensure this block, which passes PHP files to the PHP process, is above the blocks
              # which handle static assets (as seen below). If this block is not declared first,
              # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
              # to the URI, resulting in a HTTP 500 error response.
              location ~ \.php(?:$|/) {
                  fastcgi_split_path_info ^(.+?\.php)(/.*)$;
                  set $path_info $fastcgi_path_info;
                  try_files $fastcgi_script_name =404;
                  include fastcgi_params;
                  fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                  fastcgi_param PATH_INFO $path_info;
                  #fastcgi_param HTTPS on;
                  fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
                  fastcgi_param front_controller_active true;     # Enable pretty urls
                  fastcgi_pass php-handler;
                  fastcgi_intercept_errors on;
                  fastcgi_request_buffering off;
              }
              location ~ \.(?:css|js|svg|gif)$ {
                  try_files $uri /index.php$request_uri;
                  expires 6M;         # Cache-Control policy borrowed from `.htaccess`
                  access_log off;     # Optional: Don't log access to assets
              }
              location ~ \.woff2?$ {
                  try_files $uri /index.php$request_uri;
                  expires 7d;         # Cache-Control policy borrowed from `.htaccess`
                  access_log off;     # Optional: Don't log access to assets
              }
              location / {
                  try_files $uri $uri/ /index.php$request_uri;
              }
          }
      }
  resources: {}
  # Set nginx container securityContext parameters. For example, you may need to define runAsNonRoot directive
  securityContext: {}
  # the nginx alpine container default user is 82
  #   runAsUser: 82
  #   runAsGroup: 33
  #   runAsNonRoot: true
  #   readOnlyRootFilesystem: true

internalDatabase:
  enabled: false
  name: nextcloud

# Database credentials are taken from the postgres-secret Secret
# (existingSecret.enabled: true); the plain password key is intentionally
# left empty.
externalDatabase:
  enabled: true
  ## Supported database engines: mysql or postgresql
  type: postgresql
  ## Database host
  # In-cluster service address; traffic stays inside the cluster network.
  host: postgres-postgresql.postgres.svc.cluster.local:5432
  ## Database user
  user: nextcloud
  ## Database password
  # Bare value parses as YAML null; it is not used while existingSecret is enabled.
  password:
  ## Database name
  database: nextcloud
  ## Use a existing secret
  existingSecret:
    enabled: true
    secretName: postgres-secret
    usernameKey: username
    passwordKey: password

##
## MariaDB chart configuration
## ref: https://github.com/bitnami/charts/tree/main/bitnami/mariadb
##
# Subchart disabled; auth.password below is the upstream placeholder and is
# not deployed. Replace it (or use existingSecret) before enabling.
mariadb:
  ## Whether to deploy a mariadb server from the bitnami mariab db helm chart
  # to satisfy the applications database requirements. if you want to deploy this bitnami mariadb, set this and externalDatabase to true
  # To use an ALREADY DEPLOYED mariadb database, set this to false and configure the externalDatabase parameters
  enabled: false
  auth:
    database: nextcloud
    username: nextcloud
    password: changeme
    # Use existing secret (auth.rootPassword, auth.password, and auth.replicationPassword will be ignored).
    # secret must contain the keys mariadb-root-password, mariadb-replication-password and mariadb-password
    existingSecret: ""
  architecture: standalone
  ## Enable persistence using Persistent Volume Claims
  ## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
  ##
  primary:
    persistence:
      enabled: false
      # Use an existing Persistent Volume Claim (must be created ahead of time)
      # existingClaim: ""
      # storageClass: ""
      accessMode: ReadWriteOnce
      size: 8Gi

##
## PostgreSQL chart configuration
## for more options see https://github.com/bitnami/charts/tree/main/bitnami/postgresql
##
# Subchart disabled (an external PostgreSQL is used); the placeholder
# password below is not deployed.
postgresql:
  enabled: false
  global:
    postgresql:
      # global.postgresql.auth overrides postgresql.auth
      auth:
        username: nextcloud
        password: changeme
        database: nextcloud
        # Name of existing secret to use for PostgreSQL credentials.
        # auth.postgresPassword, auth.password, and auth.replicationPassword will be ignored and picked up from this secret.
        # secret might also contains the key ldap-password if LDAP is enabled.
        # ldap.bind_password will be ignored and picked from this secret in this case.
        existingSecret: ""
        # Names of keys in existing secret to use for PostgreSQL credentials
        secretKeys:
          adminPasswordKey: ""
          userPasswordKey: ""
          replicationPasswordKey: ""
  primary:
    persistence:
      enabled: false
      # Use an existing Persistent Volume Claim (must be created ahead of time)
      # existingClaim: ""
      # storageClass: ""

##
## Redis chart configuration
## for more options see https://github.com/bitnami/charts/tree/main/bitnami/redis
##
# Subchart disabled; Redis is reached through the REDIS_HOST/REDIS_HOST_PASSWORD
# entries in nextcloud.extraEnv, which come from a Secret. The placeholder
# password here is not deployed.
redis:
  enabled: false
  auth:
    enabled: true
    password: 'changeme'
    # name of an existing secret with Redis® credentials (instead of auth.password), must be created ahead of time
    existingSecret: ""
    # Password key to be retrieved from existing secret
    existingSecretPasswordKey: ""

## Cronjob to execute Nextcloud background tasks
## ref: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/background_jobs_configuration.html#cron
##
cronjob:
  enabled: true
  ## Cronjob sidecar resource requests and limits
  ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
  ##
  resources: {}
  # Allow configuration of lifecycle hooks
  # ref: https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/
  lifecycle: {}
    # postStartCommand: []
    # preStopCommand: []
  # Set securityContext parameters. For example, you may need to define runAsNonRoot directive
  securityContext: {}
  #   runAsUser: 33
  #   runAsGroup: 33
  #   runAsNonRoot: true
  #   readOnlyRootFilesystem: true

service:
  # ClusterIP only: the service is not exposed outside the cluster by itself.
  type: ClusterIP
  port: 8080
  # NOTE(review): `nil` is the *string* "nil" in YAML, not null. It is only
  # harmless as long as the chart gates on service.type (ClusterIP here);
  # prefer `null` or omit the keys if these are meant to be unset.
  loadBalancerIP: nil
  nodePort: nil

## Enable persistence using Persistent Volume Claims
## ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
##
persistence:
  # Nextcloud Data (/var/www/html)
  enabled: true
  annotations: {}
  ## nextcloud data Persistent Volume Storage Class
  ## If defined, storageClassName: <storageClass>
  ## If set to "-", storageClassName: "", which disables dynamic provisioning
  ## If undefined (the default) or set to null, no storageClassName spec is
  ##   set, choosing the default provisioner.  (gp2 on AWS, standard on
  ##   GKE, AWS & OpenStack)
  ##
  storageClass: "ceph-block"
  ## A manually managed Persistent Volume and Claim
  ## Requires persistence.enabled: true
  ## If defined, PVC must be created manually before volume will be bound
  existingClaim: nextcloud-pvc
  accessMode: ReadWriteOnce
  size: 8Gi
  ## Use an additional pvc for the data directory rather than a subpath of the default PVC
  ## Useful to store data on a different storageClass (e.g. on slower disks)
  nextcloudData:
    enabled: true
    # Bare value: parses as YAML null (no subPath).
    subPath:
    annotations: {}
    storageClass: "ceph-block"
    existingClaim: nextcloud-data-pvc
    accessMode: ReadWriteOnce
    size: 200Gi

resources:
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  # Memory is bounded (4Gi limit); CPU is left unlimited.
  limits:
  #  cpu: 100m
    memory: 4Gi
  requests:
  #  cpu: 100m
    memory: 1Gi

## Liveness and readiness probe values
## Ref: https://kubernetes.io/docs/concepts/workloads/pods/pod-lifecycle/#container-probes
##
# All three probes are disabled; a hung php-fpm/nginx will not be restarted
# or removed from the Service automatically.
livenessProbe:
  enabled: false
  initialDelaySeconds: 10
  periodSeconds: 10
  timeoutSeconds: 5
  failureThreshold: 3
  successThreshold: 1
readinessProbe:
  enabled: false
  initialDelaySeconds: 10
  periodSeconds: 10
  timeoutSeconds: 5
  failureThreshold: 3
  successThreshold: 1
startupProbe:
  enabled: false
  initialDelaySeconds: 30
  periodSeconds: 10
  timeoutSeconds: 5
  failureThreshold: 30
  successThreshold: 1

## Enable pod autoscaling using HorizontalPodAutoscaler
## ref: https://kubernetes.io/docs/tasks/run-application/horizontal-pod-autoscale/
##
hpa:
  enabled: false
  cputhreshold: 60
  minPods: 1
  maxPods: 10

nodeSelector: {}
tolerations: []

# To speed up file transfers
# Pods are pinned to nodes carrying the label cluster-ingress="true".
affinity:
  nodeAffinity:
    requiredDuringSchedulingIgnoredDuringExecution:
      nodeSelectorTerms:
      - matchExpressions:
        - key: cluster-ingress
          operator: In
          values:
          - "true"

## Prometheus Exporter / Metrics
##
metrics:
  enabled: false
  replicaCount: 1
  # The metrics exporter needs to know how you serve Nextcloud either http or https
  https: false
  # Use API token if set, otherwise fall back to password authentication
  # https://github.com/xperimental/nextcloud-exporter#token-authentication
  # Currently you still need to set the token manually in your nextcloud install
  # NOTE(review): if the exporter is enabled, prefer a token over the admin
  # password and source it from a Secret rather than this file.
  token: ""
  timeout: 5s
  # if set to true, exporter skips certificate verification of Nextcloud server.
  # Keep false: skipping verification would let a MITM read the exporter's credentials.
  tlsSkipVerify: false
  image:
    repository: xperimental/nextcloud-exporter
    tag: 0.6.0
    pullPolicy: IfNotPresent
    # pullSecrets:
    #   - myRegistrKeySecretName
  ## Metrics exporter resource requests and limits
  ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
  ##
  # resources: {}
  ## Metrics exporter pod Annotation and Labels
  # podAnnotations: {}
  # podLabels: {}
  service:
    type: ClusterIP
    ## Use serviceLoadBalancerIP to request a specific static IP,
    ## otherwise leave blank
    # loadBalancerIP:
    annotations:
      prometheus.io/scrape: "true"
      prometheus.io/port: "9205"
    labels: {}
  ## Prometheus Operator ServiceMonitor configuration
  ##
  serviceMonitor:
    ## @param metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using PrometheusOperator
    ##
    enabled: false
    ## @param metrics.serviceMonitor.namespace Namespace in which Prometheus is running
    ##
    namespace: ""
    ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus.
    ##
    jobLabel: ""
    ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped
    ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
    ##
    interval: 30s
    ## @param metrics.serviceMonitor.scrapeTimeout Specify the timeout after which the scrape is ended
    ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
    ##
    scrapeTimeout: ""
    ## @param metrics.serviceMonitor.labels Extra labels for the ServiceMonitor
    ##
    labels: {}

# NOTE(review): rbac.enabled is false while serviceaccount.create is true;
# how the chart combines the two is not visible here — confirm the pod does
# not end up with broader API permissions than intended.
rbac:
  enabled: false
  serviceaccount:
    create: true
    name: nextcloud-serviceaccount
    annotations: {}

## @param securityContext for nextcloud pod @deprecated Use `nextcloud.podSecurityContext` instead
securityContext: {}