diff --git a/charts/nextcloud/files/defaultConfigs/.htaccess.gotmpl b/charts/nextcloud/files/defaultConfigs/.htaccess.gotmpl
new file mode 100644
index 00000000..ede437c9
--- /dev/null
+++ b/charts/nextcloud/files/defaultConfigs/.htaccess.gotmpl
@@ -0,0 +1,12 @@
+# line below if for Apache 2.4
+
+Require all denied
+
+# line below if for Apache 2.2
+
+deny from all
+
+# section for Apache 2.2 and 2.4
+
+IndexIgnore *
+
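Review bot: The two comment lines `# line below if for Apache 2.4` and `# line below if for Apache 2.2` should read `is for`; now that the file stands alone in `files/defaultConfigs/` it is an easy moment to fix the wording, e.g. `# line below is for Apache 2.4`. The directives themselves are a verbatim move of the inline copy removed from `config.yaml`, so nothing else changes in behaviour here.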
diff --git a/charts/nextcloud/files/defaultConfigs/apache-pretty-urls.config.php.gotmpl b/charts/nextcloud/files/defaultConfigs/apache-pretty-urls.config.php.gotmpl
new file mode 100644
index 00000000..72da1d8c
--- /dev/null
+++ b/charts/nextcloud/files/defaultConfigs/apache-pretty-urls.config.php.gotmpl
@@ -0,0 +1,4 @@
+ '/',
+);
diff --git a/charts/nextcloud/files/defaultConfigs/apcu.config.php.gotmpl b/charts/nextcloud/files/defaultConfigs/apcu.config.php.gotmpl
new file mode 100644
index 00000000..69fed876
--- /dev/null
+++ b/charts/nextcloud/files/defaultConfigs/apcu.config.php.gotmpl
@@ -0,0 +1,4 @@
+ '\OC\Memcache\APCu',
+);
diff --git a/charts/nextcloud/files/defaultConfigs/apps.config.php.gotmpl b/charts/nextcloud/files/defaultConfigs/apps.config.php.gotmpl
new file mode 100644
index 00000000..a4bed833
--- /dev/null
+++ b/charts/nextcloud/files/defaultConfigs/apps.config.php.gotmpl
@@ -0,0 +1,15 @@
+ array (
+ 0 => array (
+ "path" => OC::$SERVERROOT."/apps",
+ "url" => "/apps",
+ "writable" => false,
+ ),
+ 1 => array (
+ "path" => OC::$SERVERROOT."/custom_apps",
+ "url" => "/custom_apps",
+ "writable" => true,
+ ),
+ ),
+);
diff --git a/charts/nextcloud/files/defaultConfigs/autoconfig.php.gotmpl b/charts/nextcloud/files/defaultConfigs/autoconfig.php.gotmpl
new file mode 100644
index 00000000..c9063501
--- /dev/null
+++ b/charts/nextcloud/files/defaultConfigs/autoconfig.php.gotmpl
@@ -0,0 +1,24 @@
+ '\OC\Memcache\Redis',
+ 'memcache.locking' => '\OC\Memcache\Redis',
+ 'redis' => array(
+ 'host' => getenv('REDIS_HOST'),
+ 'port' => getenv('REDIS_HOST_PORT') ?: 6379,
+ {{- if .Values.redis.auth.enabled }}
+ 'password' => getenv('REDIS_HOST_PASSWORD'),
+ {{- end }}
+ ),
+ );
+}
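Review bot: The lines visible under the `autoconfig.php.gotmpl` header are the Redis memcache settings (`memcache.locking`, the `redis` host/port/password array) that the removed `config.yaml` hunk emitted under the `redis.config.php` key, and the hunk header announces 24 lines where only 11 are visible, so this is most likely a rendering gap on this page rather than a misplaced file. It is still worth confirming that `autoconfig.php.gotmpl` holds the autoconfig content and that the Redis block lives in its own `redis.config.php.gotmpl`, since `config.yaml` now maps each `defaultConfigs` key to a file of exactly that name. The `{{- if .Values.redis.auth.enabled }}` guard keeps `REDIS_HOST_PASSWORD` out of the rendered config unless auth is enabled, which is the right default; the opening of the array is outside the visible lines.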
diff --git a/charts/nextcloud/files/defaultConfigs/smtp.config.php.gotmpl b/charts/nextcloud/files/defaultConfigs/smtp.config.php.gotmpl
new file mode 100644
index 00000000..59f1eaa1
--- /dev/null
+++ b/charts/nextcloud/files/defaultConfigs/smtp.config.php.gotmpl
@@ -0,0 +1,15 @@
+ 'smtp',
+ 'mail_smtphost' => getenv('SMTP_HOST'),
+ 'mail_smtpport' => getenv('SMTP_PORT') ?: (getenv('SMTP_SECURE') ? 465 : 25),
+ 'mail_smtpsecure' => getenv('SMTP_SECURE') ?: '',
+ 'mail_smtpauth' => getenv('SMTP_NAME') && getenv('SMTP_PASSWORD'),
+ 'mail_smtpauthtype' => getenv('SMTP_AUTHTYPE') ?: 'LOGIN',
+ 'mail_smtpname' => getenv('SMTP_NAME') ?: '',
+ 'mail_smtppassword' => getenv('SMTP_PASSWORD') ?: '',
+ 'mail_from_address' => getenv('MAIL_FROM_ADDRESS'),
+ 'mail_domain' => getenv('MAIL_DOMAIN'),
+ );
+}
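Review bot: `'mail_smtpport' => getenv('SMTP_PORT') ?: (getenv('SMTP_SECURE') ? 465 : 25)` falls back to the implicit-TLS port 465 for any non-empty `SMTP_SECURE`; if that variable can also select STARTTLS, 465 is usually the wrong port for it and operators have to know to set `SMTP_PORT` explicitly. A short comment on that line would save debugging time, e.g. `// 465 assumes implicit TLS; set SMTP_PORT explicitly for STARTTLS`. This mirrors the removed inline copy, so it is a pre-existing quirk rather than a regression, and the opening lines of the array (the hunk header announces 15 lines, 12 are visible) are outside what I can see.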
diff --git a/charts/nextcloud/files/nginx.config.gotmpl b/charts/nextcloud/files/nginx.config.gotmpl
new file mode 100644
index 00000000..8bb687e4
--- /dev/null
+++ b/charts/nextcloud/files/nginx.config.gotmpl
@@ -0,0 +1,161 @@
+worker_processes auto;
+
+error_log /var/log/nginx/error.log warn;
+pid /tmp/nginx.pid;
+
+
+events {
+ worker_connections 1024;
+}
+
+
+http {
+ include /etc/nginx/mime.types;
+ default_type application/octet-stream;
+
+ log_format main '$remote_addr - $remote_user [$time_local] "$request" '
+ '$status $body_bytes_sent "$http_referer" '
+ '"$http_user_agent" "$http_x_forwarded_for"';
+
+ access_log /var/log/nginx/access.log main;
+
+ sendfile on;
+ #tcp_nopush on;
+
+ keepalive_timeout 65;
+
+ #gzip on;
+
+ upstream php-handler {
+ server 127.0.0.1:9000;
+ }
+
+ server {
+ listen {{ .Values.nginx.containerPort }};
+
+ # HSTS settings
+ # WARNING: Only add the preload option once you read about
+ # the consequences in https://hstspreload.org/. This option
+ # will add the domain to a hardcoded list that is shipped
+ # in all major browsers and getting removed from this list
+ # could take several months.
+ #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
+
+ # set max upload size
+ client_max_body_size 10G;
+ fastcgi_buffers 64 4K;
+
+ # Enable gzip but do not remove ETag headers
+ gzip on;
+ gzip_vary on;
+ gzip_comp_level 4;
+ gzip_min_length 256;
+ gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+ gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+ # Pagespeed is not supported by Nextcloud, so if your server is built
+ # with the `ngx_pagespeed` module, uncomment this line to disable it.
+ #pagespeed off;
+
+ # HTTP response headers borrowed from Nextcloud `.htaccess`
+ add_header Referrer-Policy "no-referrer" always;
+ add_header X-Content-Type-Options "nosniff" always;
+ add_header X-Download-Options "noopen" always;
+ add_header X-Frame-Options "SAMEORIGIN" always;
+ add_header X-Permitted-Cross-Domain-Policies "none" always;
+ add_header X-Robots-Tag "noindex, nofollow" always;
+ add_header X-XSS-Protection "1; mode=block" always;
+
+ # Remove X-Powered-By, which is an information leak
+ fastcgi_hide_header X-Powered-By;
+
+ # Path to the root of your installation
+ root /var/www/html;
+
+ # Specify how to handle directories -- specifying `/index.php$request_uri`
+ # here as the fallback means that Nginx always exhibits the desired behaviour
+ # when a client requests a path that corresponds to a directory that exists
+ # on the server. In particular, if that directory contains an index.php file,
+ # that file is correctly served; if it doesn't, then the request is passed to
+ # the front-end controller. This consistent behaviour means that we don't need
+ # to specify custom rules for certain paths (e.g. images and other assets,
+ # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
+ # `try_files $uri $uri/ /index.php$request_uri`
+ # always provides the desired behaviour.
+ index index.php index.html /index.php$request_uri;
+
+ # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
+ location = / {
+ if ( $http_user_agent ~ ^DavClnt ) {
+ return 302 /remote.php/webdav/$is_args$args;
+ }
+ }
+
+ location = /robots.txt {
+ allow all;
+ log_not_found off;
+ access_log off;
+ }
+
+ # Make a regex exception for `/.well-known` so that clients can still
+ # access it despite the existence of the regex rule
+ # `location ~ /(\.|autotest|...)` which would otherwise handle requests
+ # for `/.well-known`.
+ location ^~ /.well-known {
+ # The following 6 rules are borrowed from `.htaccess`
+
+ location = /.well-known/carddav { return 301 /remote.php/dav/; }
+ location = /.well-known/caldav { return 301 /remote.php/dav/; }
+ # Anything else is dynamically handled by Nextcloud
+ location ^~ /.well-known { return 301 /index.php$uri; }
+
+ try_files $uri $uri/ =404;
+ }
+
+ # Rules borrowed from `.htaccess` to hide certain paths from clients
+ location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
+ location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
+
+ # Ensure this block, which passes PHP files to the PHP process, is above the blocks
+ # which handle static assets (as seen below). If this block is not declared first,
+ # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
+ # to the URI, resulting in a HTTP 500 error response.
+ location ~ \.php(?:$|/) {
+ # Required for legacy support
+ rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
+
+ fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+ set $path_info $fastcgi_path_info;
+
+ try_files $fastcgi_script_name =404;
+
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param PATH_INFO $path_info;
+ #fastcgi_param HTTPS on;
+
+ fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
+ fastcgi_param front_controller_active true; # Enable pretty urls
+ fastcgi_pass php-handler;
+
+ fastcgi_intercept_errors on;
+ fastcgi_request_buffering off;
+ }
+
+ location ~ \.(?:css|js|svg|gif)$ {
+ try_files $uri /index.php$request_uri;
+ expires 6M; # Cache-Control policy borrowed from `.htaccess`
+ access_log off; # Optional: Don't log access to assets
+ }
+
+ location ~ \.woff2?$ {
+ try_files $uri /index.php$request_uri;
+ expires 7d; # Cache-Control policy borrowed from `.htaccess`
+ access_log off; # Optional: Don't log access to assets
+ }
+
+ location / {
+ try_files $uri $uri/ /index.php$request_uri;
+ }
+ }
+}
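Review bot: `listen {{ .Values.nginx.containerPort }};` drops the `| default "80"` fallback that the removed inline `nginx.conf` template had, so a values file that leaves `nginx.containerPort` unset now renders `listen ;` and nginx refuses to start; restore `listen {{ .Values.nginx.containerPort | default "80" }};` unless the chart's `values.yaml` now always sets it (not visible in this diff). The rest of the file is a verbatim move of the old template, including the commented-out HSTS header and `#fastcgi_param HTTPS on;`, which remain an operator decision when TLS is terminated in front of this pod.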
diff --git a/charts/nextcloud/templates/config.yaml b/charts/nextcloud/templates/config.yaml
index a6a7cb4c..d5616f06 100644
--- a/charts/nextcloud/templates/config.yaml
+++ b/charts/nextcloud/templates/config.yaml
@@ -9,119 +9,14 @@ metadata:
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
data:
- {{- range $key, $value := .Values.nextcloud.configs }}
- {{ $key }}: |-
- {{- $value | nindent 4 }}
+ {{- range $filename, $content := .Values.nextcloud.configs }}
+ {{ $filename }}: |-
+ {{- $content | nindent 4 }}
{{- end }}
- {{- if .Values.nextcloud.defaultConfigs }}
- {{- if index .Values.nextcloud.defaultConfigs ".htaccess" }}
- .htaccess: |-
- # line below if for Apache 2.4
-
- Require all denied
-
- # line below if for Apache 2.2
-
- deny from all
-
- # section for Apache 2.2 and 2.4
-
- IndexIgnore *
-
+ {{- range $filename, $enabled := .Values.nextcloud.defaultConfigs }}
+ {{- if $enabled }}
+ {{ $filename }}: |-
+ {{- tpl ($.Files.Get (printf "files/defaultConfigs/%s.gotmpl" $filename)) $ | nindent 4 }}
{{- end }}
- {{- if index .Values.nextcloud.defaultConfigs "redis.config.php" }}
- redis.config.php: |-
- '\OC\Memcache\Redis',
- 'memcache.locking' => '\OC\Memcache\Redis',
- 'redis' => array(
- 'host' => getenv('REDIS_HOST'),
- 'port' => getenv('REDIS_HOST_PORT') ?: 6379,
- {{- if .Values.redis.auth.enabled }}
- 'password' => getenv('REDIS_HOST_PASSWORD'),
- {{- end }}
- ),
- );
- }
{{- end }}
- {{- if index .Values.nextcloud.defaultConfigs "apache-pretty-urls.config.php" }}
- apache-pretty-urls.config.php: |-
- '/',
- );
- {{- end }}
- {{- if index .Values.nextcloud.defaultConfigs "apcu.config.php" }}
- apcu.config.php: |-
- '\OC\Memcache\APCu',
- );
- {{- end }}
- {{- if index .Values.nextcloud.defaultConfigs "apps.config.php" }}
- apps.config.php: |-
- array (
- 0 => array (
- "path" => OC::$SERVERROOT."/apps",
- "url" => "/apps",
- "writable" => false,
- ),
- 1 => array (
- "path" => OC::$SERVERROOT."/custom_apps",
- "url" => "/custom_apps",
- "writable" => true,
- ),
- ),
- );
- {{- end }}
- {{- if index .Values.nextcloud.defaultConfigs "autoconfig.php" }}
- autoconfig.php: |-
- 'smtp',
- 'mail_smtphost' => getenv('SMTP_HOST'),
- 'mail_smtpport' => getenv('SMTP_PORT') ?: (getenv('SMTP_SECURE') ? 465 : 25),
- 'mail_smtpsecure' => getenv('SMTP_SECURE') ?: '',
- 'mail_smtpauth' => getenv('SMTP_NAME') && getenv('SMTP_PASSWORD'),
- 'mail_smtpauthtype' => getenv('SMTP_AUTHTYPE') ?: 'LOGIN',
- 'mail_smtpname' => getenv('SMTP_NAME') ?: '',
- 'mail_smtppassword' => getenv('SMTP_PASSWORD') ?: '',
- 'mail_from_address' => getenv('MAIL_FROM_ADDRESS'),
- 'mail_domain' => getenv('MAIL_DOMAIN'),
- );
- }
- {{- end }}
- {{- end }}{{/* end-if defaultConfigs */}}
- {{- end }}{{/* end-if configs */}}
+{{- end }}{{/* end-if configs */}}
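Review bot: `tpl ($.Files.Get (printf "files/defaultConfigs/%s.gotmpl" $filename)) $` renders an empty ConfigMap entry when no template exists for a `defaultConfigs` key, because `.Files.Get` returns an empty string for a missing path; the removed hunk only acted on a fixed set of known keys, so a misspelled key used to be ignored and now yields an empty file that gets mounted under the misspelled name while the intended default config silently goes missing. Resolving the path first and failing the render when the file is absent keeps the loop generic without the silent fallback, as below. The `if` that the trailing `{{- end }}{{/* end-if configs */}}` closes begins before this hunk.
```yaml
  {{- range $filename, $enabled := .Values.nextcloud.defaultConfigs }}
  {{- if $enabled }}
  {{- $path := printf "files/defaultConfigs/%s.gotmpl" $filename }}
  {{- $content := $.Files.Get $path }}
  {{- if not $content }}{{ fail (printf "nextcloud.defaultConfigs: no template found at %s" $path) }}{{- end }}
  {{ $filename }}: |-
  {{- tpl $content $ | nindent 4 }}
  {{- end }}
  {{- end }}
```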
diff --git a/charts/nextcloud/templates/nginx-config.yaml b/charts/nextcloud/templates/nginx-config.yaml
index 973aadeb..b200747f 100644
--- a/charts/nextcloud/templates/nginx-config.yaml
+++ b/charts/nextcloud/templates/nginx-config.yaml
@@ -1,168 +1,5 @@
-{{- define "nginx.conf" }}
- worker_processes auto;
-
- error_log /var/log/nginx/error.log warn;
- pid /tmp/nginx.pid;
-
-
- events {
- worker_connections 1024;
- }
-
-
- http {
- include /etc/nginx/mime.types;
- default_type application/octet-stream;
-
- log_format main '$remote_addr - $remote_user [$time_local] "$request" '
- '$status $body_bytes_sent "$http_referer" '
- '"$http_user_agent" "$http_x_forwarded_for"';
-
- access_log /var/log/nginx/access.log main;
-
- sendfile on;
- #tcp_nopush on;
-
- keepalive_timeout 65;
-
- #gzip on;
-
- upstream php-handler {
- server 127.0.0.1:9000;
- }
-
- server {
- listen {{ .Values.nginx.containerPort | default "80" }};
-
- # HSTS settings
- # WARNING: Only add the preload option once you read about
- # the consequences in https://hstspreload.org/. This option
- # will add the domain to a hardcoded list that is shipped
- # in all major browsers and getting removed from this list
- # could take several months.
- #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
-
- # set max upload size
- client_max_body_size 10G;
- fastcgi_buffers 64 4K;
-
- # Enable gzip but do not remove ETag headers
- gzip on;
- gzip_vary on;
- gzip_comp_level 4;
- gzip_min_length 256;
- gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
- gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
-
- # Pagespeed is not supported by Nextcloud, so if your server is built
- # with the `ngx_pagespeed` module, uncomment this line to disable it.
- #pagespeed off;
-
- # HTTP response headers borrowed from Nextcloud `.htaccess`
- add_header Referrer-Policy "no-referrer" always;
- add_header X-Content-Type-Options "nosniff" always;
- add_header X-Download-Options "noopen" always;
- add_header X-Frame-Options "SAMEORIGIN" always;
- add_header X-Permitted-Cross-Domain-Policies "none" always;
- add_header X-Robots-Tag "noindex, nofollow" always;
- add_header X-XSS-Protection "1; mode=block" always;
-
- # Remove X-Powered-By, which is an information leak
- fastcgi_hide_header X-Powered-By;
-
- # Path to the root of your installation
- root /var/www/html;
-
- # Specify how to handle directories -- specifying `/index.php$request_uri`
- # here as the fallback means that Nginx always exhibits the desired behaviour
- # when a client requests a path that corresponds to a directory that exists
- # on the server. In particular, if that directory contains an index.php file,
- # that file is correctly served; if it doesn't, then the request is passed to
- # the front-end controller. This consistent behaviour means that we don't need
- # to specify custom rules for certain paths (e.g. images and other assets,
- # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
- # `try_files $uri $uri/ /index.php$request_uri`
- # always provides the desired behaviour.
- index index.php index.html /index.php$request_uri;
-
- # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
- location = / {
- if ( $http_user_agent ~ ^DavClnt ) {
- return 302 /remote.php/webdav/$is_args$args;
- }
- }
-
- location = /robots.txt {
- allow all;
- log_not_found off;
- access_log off;
- }
-
- # Make a regex exception for `/.well-known` so that clients can still
- # access it despite the existence of the regex rule
- # `location ~ /(\.|autotest|...)` which would otherwise handle requests
- # for `/.well-known`.
- location ^~ /.well-known {
- # The following 6 rules are borrowed from `.htaccess`
-
- location = /.well-known/carddav { return 301 /remote.php/dav/; }
- location = /.well-known/caldav { return 301 /remote.php/dav/; }
- # Anything else is dynamically handled by Nextcloud
- location ^~ /.well-known { return 301 /index.php$uri; }
-
- try_files $uri $uri/ =404;
- }
-
- # Rules borrowed from `.htaccess` to hide certain paths from clients
- location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
- location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
-
- # Ensure this block, which passes PHP files to the PHP process, is above the blocks
- # which handle static assets (as seen below). If this block is not declared first,
- # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
- # to the URI, resulting in a HTTP 500 error response.
- location ~ \.php(?:$|/) {
- # Required for legacy support
- rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
-
- fastcgi_split_path_info ^(.+?\.php)(/.*)$;
- set $path_info $fastcgi_path_info;
-
- try_files $fastcgi_script_name =404;
-
- include fastcgi_params;
- fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
- fastcgi_param PATH_INFO $path_info;
- #fastcgi_param HTTPS on;
-
- fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
- fastcgi_param front_controller_active true; # Enable pretty urls
- fastcgi_pass php-handler;
-
- fastcgi_intercept_errors on;
- fastcgi_request_buffering off;
- }
-
- location ~ \.(?:css|js|svg|gif)$ {
- try_files $uri /index.php$request_uri;
- expires 6M; # Cache-Control policy borrowed from `.htaccess`
- access_log off; # Optional: Don't log access to assets
- }
-
- location ~ \.woff2?$ {
- try_files $uri /index.php$request_uri;
- expires 7d; # Cache-Control policy borrowed from `.htaccess`
- access_log off; # Optional: Don't log access to assets
- }
-
- location / {
- try_files $uri $uri/ /index.php$request_uri;
- }
- }
- }
-{{- end }}
-
{{- if .Values.nginx.enabled -}}
+---
apiVersion: v1
kind: ConfigMap
metadata:
@@ -174,9 +11,9 @@ metadata:
app.kubernetes.io/managed-by: {{ .Release.Service }}
data:
nginx.conf: |-
-{{- if .Values.nginx.config.default }}
- {{- template "nginx.conf" $ }}
-{{- else }}
-{{ .Values.nginx.config.custom | indent 4 }}
-{{- end }}
+ {{- if .Values.nginx.config.default }}
+ {{- tpl (.Files.Get "files/nginx.config.gotmpl") . | nindent 4 }}
+ {{- else }}
+ {{- .Values.nginx.config.custom | nindent 4 }}
+ {{- end }}
{{- end }}
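Review bot: `{{- .Values.nginx.config.custom | nindent 4 }}` renders an empty `nginx.conf` when `nginx.config.default` is false and `custom` is unset, and nginx then starts with no `http` block at all; the old `indent 4` form had the same silent result, but now that this branch is the only source of the file it is worth making the requirement explicit: `{{- required "nginx.config.custom must be set when nginx.config.default is false" .Values.nginx.config.custom | nindent 4 }}`. The `if .Values.nginx.enabled` that the final `{{- end }}` closes opens in the previous hunk.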
diff --git a/charts/nextcloud/templates/php-config.yaml b/charts/nextcloud/templates/php-config.yaml
index 3ff9e95a..f12aac37 100644
--- a/charts/nextcloud/templates/php-config.yaml
+++ b/charts/nextcloud/templates/php-config.yaml
@@ -1,4 +1,5 @@
{{- if .Values.nextcloud.phpConfigs -}}
+---
apiVersion: v1
kind: ConfigMap
metadata:
@@ -11,6 +12,6 @@ metadata:
data:
{{- range $key, $value := .Values.nextcloud.phpConfigs }}
{{ $key }}: |-
-{{ $value | indent 4 }}
+ {{- $value | nindent 4 }}
{{- end }}
{{- end }}