feat: Add nextcloud

dns/zones/mnke.org.zone

@@ -1,10 +1,11 @@
 $ORIGIN mnke.org.
-@                     900       IN  SOA           dns-server. hostadmin 37 900 300 604800 900
+@                     900       IN  SOA           dns-server. hostadmin 38 900 300 604800 900
 @                     3600      IN  NS            dns-server.
 authentik             600       IN  CNAME         authentik.dolo
 blog                  600       IN  CNAME         blog.dolo
 git                   600       IN  CNAME         git.jumper
 media                 600       IN  CNAME         media.dolo
+nc                    600       IN  CNAME         nc.dolo
 panel                 600       IN  CNAME         panel.dolo
 seerr                 600       IN  CNAME         seerr.dolo
 up                    600       IN  CNAME         up.dolo

k8s/apps/cloudflared/cloudflared-mnke.yaml

@@ -124,5 +124,9 @@ data:
       service: https://wings-01_jodye.mnke.org
     - hostname: vault.mnke.org
       service: https://vault.mnke.org
+    - hostname: authentik.mnke.org
+      service: https://authentik.mnke.org
+    - hostname: nc.mnke.org
+      service: https://nc.mnke.org
     # This rule matches any traffic which didn't match a previous rule, and responds with HTTP 404.
     - service: http_status:404

k8s/apps/ingressroutes/internal/kustomization.yaml

@@ -5,3 +5,4 @@ resources:
   - blog-tonydu-me.yaml
   - up-tonydu-me.yaml
   - up-mnke-org.yaml
+  - nc-mnke-org.yaml

k8s/apps/ingressroutes/internal/nc-mnke-org.yaml

@@ -0,0 +1,21 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: nc-mnke-org
+  namespace: default
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`nc.mnke.org`)
+      kind: Rule
+      services:
+        - kind: Service
+          name: nextcloud
+          port: http
+          sticky:
+            cookie:
+              name: nextcloud
+  tls:
+    secretName: wildcard-mnke-org-tls

k8s/apps/ingressroutes/internal/up-mnke-org.yaml

@@ -2,7 +2,7 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
-  name: up-tonydu-me
+  name: up-mnke-org
   namespace: default
 spec:
   entryPoints:
@@ -10,7 +10,7 @@ spec:
   routes:
     - match: >-
         (Host(`up.mnke.org`) || Host(`up.dolo.mnke.org`)) &&
-        (PathRegex(`^/status/*$`) || PathRegex(`^/api/*`))
+        (PathRegexp(`^/status/*$`) || PathRegexp(`^/api/*`))
       kind: Rule
       services:
         - kind: Service

k8s/apps/ingressroutes/internal/up-tonydu-me.yaml

@@ -2,7 +2,7 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
-  name: up-mnke-org
+  name: up-tonydu-me
   namespace: default
 spec:
   entryPoints:

k8s/apps/kustomization.yaml

@@ -7,5 +7,6 @@ resources:
   - ghost
   - authentik
   - ingressroutes
+  - nextcloud
   - cloudflared
   # - twingate

k8s/apps/nextcloud/kustomization.yaml

@@ -2,7 +2,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - repository.yaml
   - secrets.yaml
+  - repository.yaml
   - release.yaml
-

k8s/apps/nextcloud/release.yaml

@@ -0,0 +1,110 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: nextcloud
+  namespace: default
+spec:
+  interval: 10m0s
+  releaseName: nextcloud
+  targetNamespace: default
+  chart:
+    spec:
+      chart: nextcloud
+      version: 6.6.3
+      reconcileStrategy: ChartVersion
+      sourceRef:
+        kind: HelmRepository
+        name: nextcloud
+        namespace: flux-system
+
+  valuesFrom:
+    - kind: Secret
+      name: nextcloud-creds
+      valuesKey: nextcloud-password
+      targetPath: nextcloud.password
+
+    - kind: Secret
+      name: nextcloud-db-creds
+      valuesKey: mysql-password
+      targetPath: externalDatabase.password
+
+    - kind: Secret
+      name: nextcloud-db-creds
+      valuesKey: mysql-password
+      targetPath: mariadb.auth.password
+
+  values:
+    replicas: 3
+
+    nextcloud:
+      host: nc.mnke.org
+      username: admin
+      # password: ""
+
+    internalDatabase:
+      enabled: false
+
+    externalDatabase:
+      enabled: true
+      type: mysql
+      host: db.home.mnke.org:3306
+      database: nextcloud
+      user: nextcloud
+      # password: ""
+
+    # mariadb:
+      # enabled: true
+      # auth:
+        # database: nextcloud
+        # username: nextcloud
+        # # password: ""
+      # global:
+        # defaultStorageClass:
+
+    persistence:
+      enabled: true
+      storageClass: longhorn
+      accessMode: ReadWriteMany
+      size: 8Gi
+      nextcloudData:
+        enabled: true
+        storageClass: nfs-client
+        accessMode: ReadWriteMany
+        size: 64Gi
+
+    livenessProbe:
+      # it takes so long for nextcloud to start up
+      enabled: false
+      initialDelaySeconds: 1200
+      periodSeconds: 30
+      failureThreshold: 10
+
+    readinessProbe:
+      enabled: false
+      initialDelaySeconds: 1200
+      periodSeconds: 30
+      failureThreshold: 10
+
+    cronjob:
+      enabled: true
+      resources:
+        requests:
+          cpu: "50m"
+          memory: "64M"
+        limits:
+          cpu: "200m"
+          memory: "256M"
+
+    redis:
+      enabled: true
+      global:
+        storageClass: nfs-client
+
+    resources:
+      requests:
+        cpu: "200m"
+        memory: "512M"
+      limits:
+        cpu: "1000m"
+        memory: "1G"

k8s/apps/nextcloud/repository.yaml

@@ -2,8 +2,8 @@
 apiVersion: source.toolkit.fluxcd.io/v1
 kind: HelmRepository
 metadata:
-  name: twingate
+  name: nextcloud
   namespace: flux-system
 spec:
   interval: 10m0s
-  url: https://twingate.github.io/helm-charts
+  url: https://nextcloud.github.io/helm/

k8s/apps/nextcloud/secrets.yaml

@@ -0,0 +1,37 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: nextcloud-db-creds
+  namespace: default
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: infisical
+
+  target:
+    name: nextcloud-db-creds
+
+  data:
+    - secretKey: mysql-password
+      remoteRef:
+        key: nextcloud-mysql-password
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: nextcloud-creds
+  namespace: default
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: infisical
+
+  target:
+    name: nextcloud-creds
+
+  data:
+    - secretKey: nextcloud-password
+      remoteRef:
+        key: nextcloud-password

k8s/apps/twingate/release.yaml

@@ -1,32 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
-  name: twingate
-  namespace: default
-spec:
-  interval: 10m0s
-  releaseName: twingate-rampant-eagle
-  targetNamespace: default
-  chart:
-    spec:
-      chart: connector
-      reconcileStrategy: ChartVersion
-      sourceRef:
-        kind: HelmRepository
-        name: twingate
-        namespace: flux-system
-  valuesFrom:
-    - kind: Secret
-      name: twingate-creds
-      valuesKey: access-token
-      targetPath: connector.accessToken
-    - kind: Secret
-      name: twingate-creds
-      valuesKey: refresh-token
-      targetPath: connector.refreshToken
-  values:
-    connector:
-      network: mnke
-      # accessToken:
-      # refreshToken:

k8s/apps/twingate/secrets.yaml

@@ -1,21 +0,0 @@
----
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
-  name: twingate-creds
-  namespace: default
-spec:
-  secretStoreRef:
-    kind: ClusterSecretStore
-    name: infisical
-
-  target:
-    name: twingate-creds
-
-  data:
-    - secretKey: access-token
-      remoteRef:
-        key: twingate-access-token
-    - secretKey: refresh-token
-      remoteRef:
-        key: twingate-refresh-token