viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
infra/stacks/nextcloud/chart_values.yaml
Viktor Barzin cb1a34fd00
Some checks failed
ci/woodpecker/push/build-cli Pipeline failed
Details
ci/woodpecker/push/default Pipeline was successful
Details
nextcloud: expose PVE NFS roots + /anca-elements via Files External 
Mounts the Proxmox host NFS exports (/srv/nfs and /srv/nfs-ssd) into
the NC pod and surfaces them through occ files_external:create:

- /PVE NFS Pool      → /mnt/pve-nfs       (admin group only)
- /PVE NFS-SSD Pool  → /mnt/pve-nfs-ssd   (admin group only)
- /anca-elements     → /mnt/pve-nfs/anca-elements  (admin, anca users)

Mount visibility is controlled by occ files_external:applicable; no
Files Access Control. ACL state is reconciled idempotently by a
bootstrap Job that diffs desired vs current applicable_users /
applicable_groups (via files_external:list --output=json).

Bootstrap fixes vs initial design:
- Sync loop used `[ -n "$U" ] && cmd` which returns 1 on empty input,
  triggering set -e on no-op re-runs. Switched to process substitution
  `< <(jq ...)` so empty diff -> loop body never runs -> 0 exit.
- RBAC missed `watch` verb (kubectl wait spammed reflector errors).
- Manifest used display-name "viktor" instead of NC username "admin"
  for the /anca-elements applicable list.

Chart values: added two PV-backed volume mounts at /mnt/pve-nfs[+ssd]
and pinned securityContext to fsGroup=33 with fsGroupChangePolicy:
OnRootMismatch (chart default Always would recurse 600k+ files on
every pod restart).
2026-05-24 11:27:26 +00:00

173 lines
4.5 KiB
YAML
Raw Blame History

nextcloud:
host: nextcloud.viktorbarzin.me
trustedDomains:
- nextcloud.viktorbarzin.me
# mail:
# enabled: true
# # the user we send email as
# fromAddress: nextcloud@viktorbarzin.me
# # the domain we send email from
# domain: viktorbarzin.me
# smtp:
# host: mail.viktorbarzin.me
# secure: starttls
# port: 587
# authtype: LOGIN
# name: nextcloud@viktorbarzin.me
# password:
extraEnv:
- name: TRUSTED_PROXIES
value: "10.0.0.0/8"
- name: PHP_MEMORY_LIMIT
value: "512M"
- name: PHP_UPLOAD_LIMIT
value: "16G"
# - name: mail_smtpdebug
# value: "true"
# - name: loglevel
# value: "0"
configs:
zzz-redis.config.php: |
<?php
// Redis via HAProxy master-only service. HAProxy (3 replicas, PDB
// minAvailable=2) health-checks all v2 pods via `INFO replication` and
// routes to the current role:master. Sentinel failover takes <30s, and
// HAProxy detects the new master via its 1s tcp-check interval and
// starts routing within ~3s of detection. Removed the old in-process
// sentinel-query loop on 2026-04-19 after the Redis rework — see
// beads code-v2b and infra/docs/architecture/databases.md.
$CONFIG = array(
'memcache.distributed' => '\\OC\\Memcache\\Redis',
'memcache.locking' => '\\OC\\Memcache\\Redis',
'redis' => array(
'host' => 'redis-master.redis.svc.cluster.local',
'port' => 6379,
'password' => '',
'timeout' => 1.5,
'read_timeout' => 1.5,
),
);
performance.config.php: |
<?php
$CONFIG = array(
'loglevel' => 2,
'mail_smtpdebug' => false,
);
zzz-mysql.config.php: |
<?php
$CONFIG = array(
'mysql.utf8mb4' => true,
);
phpConfigs:
zzz-custom.ini: |
max_execution_time = 300
max_input_time = 300
default_socket_timeout = 300
opcache.enable_file_override = 1
apc.shm_size = 128M
extraVolumes:
- name: apache-tuning
configMap:
name: nextcloud-apache-tuning
- name: db-password-sync
configMap:
name: nextcloud-db-password-sync
defaultMode: 0755
- name: pve-nfs
persistentVolumeClaim:
claimName: nextcloud-pve-nfs-root
- name: pve-nfs-ssd
persistentVolumeClaim:
claimName: nextcloud-pve-nfs-ssd-root
extraVolumeMounts:
- name: apache-tuning
mountPath: /etc/apache2/mods-available/mpm_prefork.conf
subPath: mpm_prefork.conf
- name: db-password-sync
mountPath: /docker-entrypoint-hooks.d/before-starting
- name: pve-nfs
mountPath: /mnt/pve-nfs
- name: pve-nfs-ssd
mountPath: /mnt/pve-nfs-ssd
internalDatabase:
enabled: false
externalRedis:
enabled: false
externalDatabase:
enabled: true
type: mysql
host: ${mysql_host}
user: nextcloud
database: nextcloud
existingSecret:
secretName: nextcloud-db-creds
usernameKey: db-username
passwordKey: DB_PASSWORD
persistence:
enabled: true
existingClaim: nextcloud-data-encrypted
accessMode: ReadWriteOnce
size: 20Gi
startupProbe:
enabled: true
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 30
failureThreshold: 60
successThreshold: 1
livenessProbe:
enabled: true
initialDelaySeconds: 30
periodSeconds: 60
timeoutSeconds: 30
failureThreshold: 10
successThreshold: 1
readinessProbe:
enabled: true
initialDelaySeconds: 30
periodSeconds: 60
timeoutSeconds: 30
failureThreshold: 5
successThreshold: 1
podAnnotations:
diun.enable: "true"
diun.include_tags: "^[0-9]+(?:.[0-9]+)?(?:.[0-9]+)?.*"
dependency.kyverno.io/wait-for: "mysql.dbaas:3306,redis-master.redis:6379"
secret.reloader.stakater.com/reload: "nextcloud-db-creds"
# OnRootMismatch: kubelet only recursively chowns the volume to fsGroup if the
# root dir's GID doesn't already match. Without this, every pod restart triggers
# a ~30-min recursive chown of /srv/nfs and /srv/nfs-ssd (600k+ files) — the
# default policy "Always" recurses every time. Locks fsGroup=33 explicitly so
# this block fully replaces the chart's default {fsGroup: 33}.
securityContext:
fsGroup: 33
fsGroupChangePolicy: OnRootMismatch
collabora:
enabled: false # Using onlyoffice instead
resources:
limits:
memory: 8Gi
requests:
cpu: 50m
memory: 256Mi
cronjob:
enabled: true
resources:
limits:
memory: 384Mi
requests:
cpu: 25m
memory: 384Mi
Reference in a new issue View git blame Copy permalink