From 7770c0705a8b9a57bd00fafd847772af98c6eb4d Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Sun, 9 Jun 2024 13:38:58 +0200 Subject: [PATCH 1/3] Improve security context and configMap Signed-off-by: Jeroen Rijken --- charts/nextcloud/templates/deployment.yaml | 9 ++++ .../templates/metrics/deployment.yaml | 5 +- charts/nextcloud/values.yaml | 51 +++++++++++++++---- 3 files changed, 54 insertions(+), 11 deletions(-) diff --git a/charts/nextcloud/templates/deployment.yaml b/charts/nextcloud/templates/deployment.yaml index 83546f42..bd237212 100644 --- a/charts/nextcloud/templates/deployment.yaml +++ b/charts/nextcloud/templates/deployment.yaml @@ -350,16 +350,25 @@ spec: - name: nextcloud-config configMap: name: {{ template "nextcloud.fullname" . }}-config + {{- if .Values.nextcloud.configs.defaultMode }} + defaultMode: .Values.nextcloud.configs.defaultMode + {{- end }} {{- end }} {{- if .Values.nextcloud.phpConfigs }} - name: nextcloud-phpconfig configMap: name: {{ template "nextcloud.fullname" . }}-phpconfig + {{- if .Values.nextcloud.configs.defaultMode }} + defaultMode: .Values.nextcloud.configs.defaultMode + {{- end }} {{- end }} {{- if .Values.nginx.enabled }} - name: nextcloud-nginx-config configMap: name: {{ template "nextcloud.fullname" . }}-nginxconfig + {{- if .Values.nextcloud.configs.defaultMode }} + defaultMode: .Values.nextcloud.configs.defaultMode + {{- end }} {{- end }} {{- if not (values .Values.nextcloud.hooks | compact | empty) }} - name: nextcloud-hooks diff --git a/charts/nextcloud/templates/metrics/deployment.yaml b/charts/nextcloud/templates/metrics/deployment.yaml index b52f405d..9eac4674 100644 --- a/charts/nextcloud/templates/metrics/deployment.yaml +++ b/charts/nextcloud/templates/metrics/deployment.yaml @@ -72,7 +72,8 @@ spec: resources: {{- toYaml . | nindent 12 }} {{- end }} + {{- with .Values.metrics.securityContext }} securityContext: - runAsUser: 1000 - runAsNonRoot: true + {{- toYaml . | nindent 12 }} + {{- end }} {{- end }} 
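Review bot: The `{{- with .Values.metrics.securityContext }}` guard in the metrics deployment renders no securityContext at all when the value is the chart default, and the values.yaml hunk of this same commit (at L3) sets `metrics.securityContext: {}` with the hardening only in comments, so a default install loses the `runAsUser: 1000` / `runAsNonRoot: true` the exporter container previously had hard-coded. Carry the old settings into the real default rather than a comment, e.g. `securityContext:` / `  runAsNonRoot: true` / `  runAsUser: 1000`, and `allowPrivilegeEscalation: false` would fit there as well. The README hunk in patch 2 documents `metrics.nginx.*` but not this new key nor `nextcloud.configs.defaultMode`. The enclosing container spec starts outside the hunk.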
diff --git a/charts/nextcloud/values.yaml b/charts/nextcloud/values.yaml index b2e7d28a..3082ff4a 100644 --- a/charts/nextcloud/values.yaml +++ b/charts/nextcloud/values.yaml @@ -128,6 +128,7 @@ nextcloud: # Extra config files created in /var/www/html/config/ # ref: https://docs.nextcloud.com/server/15/admin_manual/configuration_server/config_sample_php_parameters.html#multiple-config-php-file configs: {} + # defaultMode: 420 # For example, to use S3 as primary storage # ref: https://docs.nextcloud.com/server/13/admin_manual/configuration_files/primary_storage.html#simple-storage-service-s3 @@ -208,10 +209,15 @@ nextcloud: # Set securityContext parameters for the nextcloud CONTAINER only (will not affect nginx container). # For example, you may need to define runAsNonRoot directive securityContext: {} - # runAsUser: 33 - # runAsGroup: 33 - # runAsNonRoot: true - # readOnlyRootFilesystem: false + # allowPrivilegeEscalation: false + # capabilities: + # drop: + # - ALL + # privileged: false + # readOnlyRootFilesystem: true + # runAsGroup: 33 + # runAsNonRoot: true + # runAsUser: 33 # Set securityContext parameters for the entire pod. For example, you may need to define runAsNonRoot directive podSecurityContext: {} @@ -239,11 +245,18 @@ nginx: # Set nginx container securityContext parameters. For example, you may need to define runAsNonRoot directive securityContext: {} - # the nginx alpine container default user is 82 - # runAsUser: 82 - # runAsGroup: 33 - # runAsNonRoot: true - # readOnlyRootFilesystem: true + # the nginx alpine container default user is 82 + # allowPrivilegeEscalation: false + # capabilities: + # add: + # - NET_BIND_SERVICE + # drop: + # - ALL + # privileged: false + # readOnlyRootFilesystem: true + # runAsGroup: 33 + # runAsNonRoot: true + # runAsUser: 82 ## Extra environment variables extraEnv: [] 
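Review bot: The nginx securityContext example adds `NET_BIND_SERVICE` next to `runAsUser: 82` and `allowPrivilegeEscalation: false`; on most container runtimes a capability added via securityContext does not end up in the effective set of a non-root process unless the binary carries file capabilities, so if the chart's nginx listens below 1024 this example would presumably not bind and would fail in a non-obvious way. Either say so in the example, e.g. `# NET_BIND_SERVICE is not effective for a non-root user unless the binary has file capabilities; prefer listening on a port >= 1024`, or drop the `add:` entry from the hardened example. The `readOnlyRootFilesystem: true` example in the same hunk likely needs writable emptyDir mounts for nginx's cache and pid paths, which is worth a comment too. Both hunks are comment-only, so rendered output is unchanged.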
@@ -513,6 +526,26 @@ metrics: # podLabels: {} + nginx: + enabled: false + allow: [] + # Example + # - 10.233.105.0/24 + # - 10.43.0.0/16 + service: + port: 9205 + + # Set metrics container securityContext parameters. + securityContext: {} + # allowPrivilegeEscalation: false + # capabilities: + # drop: + # - ALL + # privileged: false + # readOnlyRootFilesystem: true + # runAsUser: 1000 + # runAsNonRoot: true + service: type: ClusterIP ## Use serviceLoadBalancerIP to request a specific static IP, From 5a8b642dfdbca8898448f3fa874c6fc8c9284eef Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Sun, 9 Jun 2024 13:39:10 +0200 Subject: [PATCH 2/3] Add NGINX metrics Signed-off-by: Jeroen Rijken --- charts/nextcloud/README.md | 2 ++ charts/nextcloud/templates/nginx-config.yaml | 32 +++++++++++++++++++- 2 files changed, 33 insertions(+), 1 deletion(-) diff --git a/charts/nextcloud/README.md b/charts/nextcloud/README.md index 4df1a770..8d87fb93 100644 --- a/charts/nextcloud/README.md +++ b/charts/nextcloud/README.md @@ -291,6 +291,8 @@ We include an optional experimental Nextcloud Metrics exporter from [xperimental | `metrics.image.repository` | Nextcloud metrics exporter image name | `xperimental/nextcloud-exporter` | | `metrics.image.tag` | Nextcloud metrics exporter image tag | `0.6.2` | | `metrics.image.pullPolicy` | Nextcloud metrics exporter image pull policy | `IfNotPresent` | +| `metrics.nginx.enabled` | Start NGINX metrics configuration | `false` | +| `metrics.nginx.allow` | NGINX metrics configuration allow list | not set | | `metrics.image.pullSecrets` | Nextcloud metrics exporter image pull secrets | `nil` | | `metrics.podAnnotations` | Additional annotations for metrics exporter | not set | | `metrics.podLabels` | Additional labels for metrics exporter | not set | diff --git a/charts/nextcloud/templates/nginx-config.yaml b/charts/nextcloud/templates/nginx-config.yaml index 7c0df78d..24360f15 100644 --- a/charts/nextcloud/templates/nginx-config.yaml 
+++ b/charts/nextcloud/templates/nginx-config.yaml @@ -157,8 +157,38 @@ data: default.conf: |- {{- template "default.conf" $ }} {{- end }} + {{- if .Values.metrics.nginx.enabled }} + metrics.conf: | + server { + listen 9205; + + # Path to the root of your installation + root /var/www/html; + + # Prevent nginx HTTP Server Detection + server_tokens off; + + add_header Referrer-Policy "no-referrer" always; + add_header X-Content-Type-Options "nosniff" always; + add_header X-Download-Options "noopen" always; + add_header X-Frame-Options "SAMEORIGIN" always; + add_header X-Permitted-Cross-Domain-Policies "none" always; + add_header X-Robots-Tag "none" always; + add_header X-XSS-Protection "1; mode=block" always; + + # NGINX metrics + location /stub_status { + stub_status on; + allow 127.0.0.1; + {{- range .Values.metrics.nginx.allow }} + allow {{ . }}; + {{- end }} + deny all; + } + } +{{- end }} {{- if .Values.nginx.config.custom }} zz-custom.conf: |- {{ .Values.nginx.config.custom | indent 4 }} {{- end }} -{{- end }} +{{- end }} \ No newline at end of file From c64c53464ce9886f9481b9f86579cd46a1aa0b35 Mon Sep 17 00:00:00 2001 From: Jeroen Rijken Date: Sun, 9 Jun 2024 15:51:46 +0200 Subject: [PATCH 3/3] Update defaultMode Signed-off-by: Jeroen Rijken --- charts/nextcloud/templates/deployment.yaml | 14 +++++++------- charts/nextcloud/values.yaml | 5 +++-- 2 files changed, 10 insertions(+), 9 deletions(-) diff --git a/charts/nextcloud/templates/deployment.yaml b/charts/nextcloud/templates/deployment.yaml index bd237212..cd158fe3 100644 --- a/charts/nextcloud/templates/deployment.yaml +++ b/charts/nextcloud/templates/deployment.yaml 
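Review bot: The new `metrics.conf` server sets `root /var/www/html;` but defines only `location /stub_status`, so every other path on the 9205 listener falls through to nginx's default static handling and would serve the Nextcloud tree, `config/` and PHP sources included, as plain files to any client that can reach the pod; the `allow`/`deny` list only covers `/stub_status`. Drop the `root` directive and add a catch-all such as `location / { return 404; }`, or move `allow 127.0.0.1;`, the `range` block and `deny all;` up to `server` level so the allow list governs the whole listener. `listen 9205;` is also hard-coded while values.yaml introduces `metrics.nginx.service.port`; `listen {{ .Values.metrics.nginx.service.port }};` would keep the two in step.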
@@ -350,25 +350,25 @@ spec: - name: nextcloud-config configMap: name: {{ template "nextcloud.fullname" . }}-config - {{- if .Values.nextcloud.configs.defaultMode }} - defaultMode: .Values.nextcloud.configs.defaultMode + {{- with .Values.nextcloud.configs.defaultMode }} + defaultMode: {{ . }} {{- end }} {{- end }} {{- if .Values.nextcloud.phpConfigs }} - name: nextcloud-phpconfig configMap: name: {{ template "nextcloud.fullname" . }}-phpconfig - {{- if .Values.nextcloud.configs.defaultMode }} - defaultMode: .Values.nextcloud.configs.defaultMode + {{- with .Values.nextcloud.configs.defaultMode }} + defaultMode: {{ . }} {{- end }} {{- end }} {{- if .Values.nginx.enabled }} - name: nextcloud-nginx-config configMap: name: {{ template "nextcloud.fullname" . }}-nginxconfig - {{- if .Values.nextcloud.configs.defaultMode }} - defaultMode: .Values.nextcloud.configs.defaultMode - {{- end }} + {{- with .Values.nextcloud.configs.defaultMode }} + defaultMode: {{ . }} + {{- end }} {{- end }} {{- if not (values .Values.nextcloud.hooks | compact | empty) }} - name: nextcloud-hooks diff --git a/charts/nextcloud/values.yaml b/charts/nextcloud/values.yaml index 3082ff4a..8e238fce 100644 --- a/charts/nextcloud/values.yaml +++ b/charts/nextcloud/values.yaml @@ -127,8 +127,9 @@ nextcloud: smtp.config.php: true # Extra config files created in /var/www/html/config/ # ref: https://docs.nextcloud.com/server/15/admin_manual/configuration_server/config_sample_php_parameters.html#multiple-config-php-file - configs: {} - # defaultMode: 420 + configs: + # set defaultMode for mounted configMaps (e.g. defaultMode: 420) + defaultMode: 420 # For example, to use S3 as primary storage # ref: https://docs.nextcloud.com/server/13/admin_manual/configuration_files/primary_storage.html#simple-storage-service-s3
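Review bot: All three ConfigMap volumes now read `.Values.nextcloud.configs.defaultMode`, and the values.yaml hunk in this commit turns `configs: {}` into a mapping with `defaultMode: 420` set by default, yet `nextcloud.configs` is documented there as the map of extra files created in `/var/www/html/config/`. If the config ConfigMap template (not in this series) ranges over that map, a file named `defaultMode` with content `420` would now be rendered, and `.Values.nextcloud.configs` is never empty, which presumably changes the `{{- if .Values.nextcloud.configs }}` guard that wraps the first volume outside the hunk. Moving the mode to a sibling key outside the file map (a name such as `nextcloud.configMapDefaultMode`, suggested here) avoids both, and since 420 (0644) is already the Kubernetes default the values.yaml default could stay unset with `# defaultMode: 420` kept as the example. The same issue applies to the values.yaml hunk at the end of this commit.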