viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

nextcloud: expose PVE NFS roots + /anca-elements via Files External
Some checks failed
ci/woodpecker/push/build-cli Pipeline failed
Details
ci/woodpecker/push/default Pipeline was successful
Details

Browse source 
Mounts the Proxmox host NFS exports (/srv/nfs and /srv/nfs-ssd) into
the NC pod and surfaces them through occ files_external:create:

- /PVE NFS Pool      → /mnt/pve-nfs       (admin group only)
- /PVE NFS-SSD Pool  → /mnt/pve-nfs-ssd   (admin group only)
- /anca-elements     → /mnt/pve-nfs/anca-elements  (admin, anca users)

Mount visibility is controlled by occ files_external:applicable; no
Files Access Control. ACL state is reconciled idempotently by a
bootstrap Job that diffs desired vs current applicable_users /
applicable_groups (via files_external:list --output=json).

Bootstrap fixes vs initial design:
- Sync loop used `[ -n "$U" ] && cmd` which returns 1 on empty input,
  triggering set -e on no-op re-runs. Switched to process substitution
  `< <(jq ...)` so empty diff -> loop body never runs -> 0 exit.
- RBAC missed `watch` verb (kubectl wait spammed reflector errors).
- Manifest used display-name "viktor" instead of NC username "admin"
  for the /anca-elements applicable list.

Chart values: added two PV-backed volume mounts at /mnt/pve-nfs[+ssd]
and pinned securityContext to fsGroup=33 with fsGroupChangePolicy:
OnRootMismatch (chart default Always would recurse 600k+ files on
every pod restart).
This commit is contained in:
Viktor Barzin 2026-05-24 11:27:26 +00:00
parent 7a649ce7eb
commit cb1a34fd00
5 changed files with 351 additions and 1 deletions
Download patch file Download diff file Expand all files Collapse all files

20
stacks/nextcloud/main.tf
View file

@ -30,7 +30,7 @@ resource "kubernetes_namespace" "nextcloud" {
tier = local.tiers.edge
"resource-governance/custom-limitrange" = "true"
"resource-governance/custom-quota" = "true"
"keel.sh/enrolled" = "true"
"keel.sh/enrolled" = "true"
}
}
lifecycle {
@ -226,6 +226,24 @@ module "nfs_nextcloud_backup_host" {
nfs_path = "/srv/nfs/nextcloud-backup"
}
module "nfs_pve_root_host" {
source = "../../modules/kubernetes/nfs_volume"
name = "nextcloud-pve-nfs-root"
namespace = kubernetes_namespace.nextcloud.metadata[0].name
nfs_server = "192.168.1.127"
nfs_path = "/srv/nfs"
storage = "3000Gi"
}
module "nfs_pve_ssd_root_host" {
source = "../../modules/kubernetes/nfs_volume"
name = "nextcloud-pve-nfs-ssd-root"
namespace = kubernetes_namespace.nextcloud.metadata[0].name
nfs_server = "192.168.1.127"
nfs_path = "/srv/nfs-ssd"
storage = "100Gi"
}
module "ingress" {
source = "../../modules/kubernetes/ingress_factory"
# Native WebDAV / CalDAV / CardDAV clients (Nextcloud desktop+mobile apps,