titan-iac/services/nextcloud/deployment.yaml

# services/nextcloud/deployment.yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: nextcloud
  namespace: nextcloud
  labels:
    app: nextcloud
spec:
  replicas: 1
  selector:
    matchLabels:
      app: nextcloud
  template:
    metadata:
      labels:
        app: nextcloud
    spec:
      nodeSelector:
        hardware: rpi5
      securityContext:
        fsGroup: 33
        runAsUser: 33
        runAsGroup: 33
      serviceAccountName: nextcloud-vault
      initContainers:
        - name: seed-nextcloud-web
          image: nextcloud:29-apache
          command: ["/bin/sh", "-c"]
          args:
            - |
              if [ ! -f /var/www/html/version.php ]; then
                echo "Seeding Nextcloud webroot..."
                tar -C /usr/src/nextcloud -cf - \
                  --exclude=./config \
                  --exclude=./data \
                  --exclude=./custom_apps \
                  . | tar -C /var/www/html -xf -
                chown -R 33:33 /var/www/html || true
              fi
          securityContext:
            runAsUser: 0
            runAsGroup: 0
          volumeMounts:
            - name: nextcloud-web
              mountPath: /var/www/html
        - name: fix-perms
          image: alpine:3.20
          command: ["/bin/sh", "-c"]
          args:
            - |
              if [ ! -s /var/www/html/config/config.php ]; then
                rm -f /var/www/html/config/config.php || true
              fi
              mkdir -p /var/www/html/config /var/www/html/data /var/www/html/custom_apps || true
              if [ ! -s /var/www/html/config/config.php ]; then
                rm -f /var/www/html/data/.ocdata || true
              fi
              if [ -s /var/www/html/config/config.php ] && [ ! -f /var/www/html/data/.ocdata ]; then
                touch /var/www/html/data/.ocdata
              fi
              chown -R 33:33 /var/www/html/config /var/www/html/data /var/www/html/custom_apps || true
          securityContext:
            runAsUser: 0
            runAsGroup: 0
          volumeMounts:
            - name: nextcloud-config-pvc
              mountPath: /var/www/html/config
            - name: nextcloud-custom-apps
              mountPath: /var/www/html/custom_apps
            - name: nextcloud-user-data
              mountPath: /var/www/html/data
            - name: nextcloud-config-extra
              mountPath: /var/www/html/config/extra.config.php
              subPath: extra.config.php
        - name: install-nextcloud
          image: nextcloud:29-apache
          securityContext:
            runAsUser: 0
            runAsGroup: 0
          command: ["/bin/sh", "-c"]
          args:
            - |
              . /vault/scripts/nextcloud_vault_env.sh
              installed="$(su -s /bin/sh www-data -c "php /var/www/html/occ status" 2>/dev/null | awk '/installed:/{print $3}' || true)"
              if [ ! -s /var/www/html/config/config.php ]; then
                su -s /bin/sh www-data -c "php /var/www/html/occ maintenance:install --database pgsql --database-host \"${POSTGRES_HOST}\" --database-name \"${POSTGRES_DB}\" --database-user \"${POSTGRES_USER}\" --database-pass \"${POSTGRES_PASSWORD}\" --admin-user \"${NEXTCLOUD_ADMIN_USER}\" --admin-pass \"${NEXTCLOUD_ADMIN_PASSWORD}\" --data-dir /var/www/html/data"
                chown 33:33 /var/www/html/config/config.php || true
                chown -R 33:33 /var/www/html/data || true
              fi
              installed="$(su -s /bin/sh www-data -c "php /var/www/html/occ status" 2>/dev/null | awk '/installed:/{print $3}' || true)"
              if [ "${installed}" = "true" ]; then
                configure_oidc() {
                  su -s /bin/sh www-data -c "php /var/www/html/occ config:system:set oidc_login_provider_url --value='https://sso.bstein.dev/realms/atlas'"
                  su -s /bin/sh www-data -c "php /var/www/html/occ config:system:set oidc_login_client_id --value='${OIDC_CLIENT_ID}'"
                  su -s /bin/sh www-data -c "php /var/www/html/occ config:system:set oidc_login_client_secret --value='${OIDC_CLIENT_SECRET}'"
                  su -s /bin/sh www-data -c "php /var/www/html/occ config:system:set oidc_login_auto_redirect --type=boolean --value=true"
                  su -s /bin/sh www-data -c "php /var/www/html/occ config:system:set oidc_login_hide_password_form --type=boolean --value=true"
                  su -s /bin/sh www-data -c "php /var/www/html/occ config:system:set oidc_login_disable_registration --type=boolean --value=false"
                }
                configure_office() {
                  su -s /bin/sh www-data -c "php /var/www/html/occ config:app:set richdocuments wopi_url --value='https://office.bstein.dev'"
                  su -s /bin/sh www-data -c "php /var/www/html/occ config:app:set richdocuments public_wopi_url --value='https://office.bstein.dev'"
                }
                ensure_mime_defaults() {
                  cfg_dir="/var/www/html/resources/config"
                  mkdir -p "${cfg_dir}"
                  if [ ! -s "${cfg_dir}/mimetypemapping.dist.json" ]; then
                    curl -fsSL https://raw.githubusercontent.com/nextcloud/server/v29.0.16/resources/config/mimetypemapping.dist.json -o "${cfg_dir}/mimetypemapping.dist.json" || true
                  fi
                  if [ ! -s "${cfg_dir}/mimetypealiases.dist.json" ]; then
                    curl -fsSL https://raw.githubusercontent.com/nextcloud/server/v29.0.16/resources/config/mimetypealiases.dist.json -o "${cfg_dir}/mimetypealiases.dist.json" || true
                  fi
                  chown -R 33:33 "${cfg_dir}" || true
                }
                install_app() {
                  app="$1"
                  url="$2"
                  target="/var/www/html/custom_apps/${app}"
                  rm -rf "${target}"
                  mkdir -p /tmp/nextcloud-apps
                  curl -fsSL "${url}" -o "/tmp/nextcloud-apps/${app}.tar.gz"
                  tar -xzf "/tmp/nextcloud-apps/${app}.tar.gz" -C /var/www/html/custom_apps
                  rm -f "/tmp/nextcloud-apps/${app}.tar.gz"
                  chown -R 33:33 "${target}"
                  su -s /bin/sh www-data -c "php /var/www/html/occ app:enable --force ${app}" || true
                }
                reset_external_config() {
                  su -s /bin/sh www-data -c "php /var/www/html/occ app:remove external" || true
                  su -s /bin/sh www-data -c "php /var/www/html/occ config:app:delete external jwt_token_privkey_es256" || true
                  su -s /bin/sh www-data -c "php /var/www/html/occ config:app:delete external jwt_token_pubkey_es256" || true
                  su -s /bin/sh www-data -c "php /var/www/html/occ config:app:delete external jwt_token_privkey_ed25519" || true
                  su -s /bin/sh www-data -c "php /var/www/html/occ config:app:delete external jwt_token_pubkey_ed25519" || true
                }
                ensure_app() {
                  app="$1"
                  target="/var/www/html/custom_apps/${app}"
                  rm -rf "${target}"
                  su -s /bin/sh www-data -c "php /var/www/html/occ app:remove ${app}" || true
                  su -s /bin/sh www-data -c "php /var/www/html/occ app:install --force ${app}" || true
                  su -s /bin/sh www-data -c "php /var/www/html/occ app:enable --force ${app}" || true
                }
                ensure_mime_defaults
                reset_external_config
                install_app external https://github.com/nextcloud-releases/external/releases/download/v5.4.1/external-v5.4.1.tar.gz
                install_app mail https://github.com/nextcloud-releases/mail/releases/download/v3.7.24/mail-stable3.7.tar.gz
                install_app oidc_login https://github.com/pulsejet/nextcloud-oidc-login/releases/download/v3.2.2/oidc_login.tar.gz
                ensure_app richdocuments
                configure_office
                configure_oidc
              fi
          env:
            - name: POSTGRES_HOST
              value: postgres-service.postgres.svc.cluster.local
          volumeMounts:
            - name: nextcloud-web
              mountPath: /var/www/html
            - name: nextcloud-config-pvc
              mountPath: /var/www/html/config
            - name: nextcloud-custom-apps
              mountPath: /var/www/html/custom_apps
            - name: nextcloud-user-data
              mountPath: /var/www/html/data
            - name: nextcloud-config-extra
              mountPath: /var/www/html/config/extra.config.php
              subPath: extra.config.php
            - name: vault-secrets
              mountPath: /vault/secrets
              readOnly: true
            - name: vault-scripts
              mountPath: /vault/scripts
              readOnly: true
      containers:
        - name: nextcloud
          image: nextcloud:29-apache
          imagePullPolicy: IfNotPresent
          command: ["/bin/sh", "-c"]
          args:
            - >-
              . /vault/scripts/nextcloud_vault_env.sh
              && exec /entrypoint.sh apache2-foreground
          env:
            # DB (external secret required: nextcloud-db with keys username,password,database)
            - name: POSTGRES_HOST
              value: postgres-service.postgres.svc.cluster.local
            # Admin bootstrap (external secret: nextcloud-admin with keys admin-user, admin-password)
            - name: NEXTCLOUD_TRUSTED_DOMAINS
              value: cloud.bstein.dev
            - name: OVERWRITEHOST
              value: cloud.bstein.dev
            - name: OVERWRITEPROTOCOL
              value: https
            - name: OVERWRITECLIURL
              value: https://cloud.bstein.dev
            # SMTP (external secret: nextcloud-smtp with keys username, password)
            - name: SMTP_HOST
              value: mail.bstein.dev
            - name: SMTP_PORT
              value: "587"
            - name: SMTP_SECURE
              value: tls
            - name: MAIL_FROM_ADDRESS
              value: no-reply
            - name: MAIL_DOMAIN
              value: bstein.dev
            # OIDC (external secret: nextcloud-oidc with keys client-id, client-secret)
            - name: NEXTCLOUD_UPDATE
              value: "1"
            - name: APP_INSTALL
              value: "mail,oidc_login,external"
          ports:
            - containerPort: 80
              name: http
          volumeMounts:
            - name: nextcloud-web
              mountPath: /var/www/html
            - name: nextcloud-config-pvc
              mountPath: /var/www/html/config
            - name: nextcloud-custom-apps
              mountPath: /var/www/html/custom_apps
            - name: nextcloud-user-data
              mountPath: /var/www/html/data
            - name: nextcloud-config-extra
              mountPath: /var/www/html/config/extra.config.php
              subPath: extra.config.php
            - name: vault-secrets
              mountPath: /vault/secrets
              readOnly: true
            - name: vault-scripts
              mountPath: /vault/scripts
              readOnly: true
          resources:
            requests:
              cpu: 250m
              memory: 1Gi
            limits:
              cpu: 1
              memory: 3Gi
      volumes:
        - name: nextcloud-web
          persistentVolumeClaim:
            claimName: nextcloud-web-v2
        - name: nextcloud-config-pvc
          persistentVolumeClaim:
            claimName: nextcloud-config-v2
        - name: nextcloud-custom-apps
          persistentVolumeClaim:
            claimName: nextcloud-custom-apps-v2
        - name: nextcloud-user-data
          persistentVolumeClaim:
            claimName: nextcloud-user-data-v2
        - name: nextcloud-config-extra
          configMap:
            name: nextcloud-config
            defaultMode: 0444
        - name: vault-secrets
          csi:
            driver: secrets-store.csi.k8s.io
            readOnly: true
            volumeAttributes:
              secretProviderClass: nextcloud-vault
        - name: vault-scripts
          configMap:
            name: nextcloud-vault-env
            defaultMode: 0555
Extract nextcloud scripts to files 2025-12-14 13:59:16 -03:00			`# services/nextcloud/deployment.yaml`
			`apiVersion: apps/v1`
			`kind: Deployment`
			`metadata:`
			`name: nextcloud`
			`namespace: nextcloud`
			`labels:`
			`app: nextcloud`
			`spec:`
			`replicas: 1`
			`selector:`
			`matchLabels:`
			`app: nextcloud`
			`template:`
			`metadata:`
			`labels:`
			`app: nextcloud`
			`spec:`
			`nodeSelector:`
			`hardware: rpi5`
			`securityContext:`
			`fsGroup: 33`
			`runAsUser: 33`
			`runAsGroup: 33`
vault(consumption): sync secrets via CSI 2026-01-14 05:07:23 -03:00			`serviceAccountName: nextcloud-vault`
Extract nextcloud scripts to files 2025-12-14 13:59:16 -03:00			`initContainers:`
nextcloud: persist web root in pvc 2026-01-07 09:40:25 -03:00			`- name: seed-nextcloud-web`
			`image: nextcloud:29-apache`
			`command: ["/bin/sh", "-c"]`
			`args:`
			`- \|`
			`if [ ! -f /var/www/html/version.php ]; then`
			`echo "Seeding Nextcloud webroot..."`
			`tar -C /usr/src/nextcloud -cf - \`
			`--exclude=./config \`
			`--exclude=./data \`
			`--exclude=./custom_apps \`
			`. \| tar -C /var/www/html -xf -`
			`chown -R 33:33 /var/www/html \|\| true`
			`fi`
			`securityContext:`
			`runAsUser: 0`
			`runAsGroup: 0`
			`volumeMounts:`
			`- name: nextcloud-web`
			`mountPath: /var/www/html`
Extract nextcloud scripts to files 2025-12-14 13:59:16 -03:00			`- name: fix-perms`
			`image: alpine:3.20`
			`command: ["/bin/sh", "-c"]`
			`args:`
			`- \|`
nextcloud: reset empty config on boot 2026-01-06 14:40:29 -03:00			`if [ ! -s /var/www/html/config/config.php ]; then`
			`rm -f /var/www/html/config/config.php \|\| true`
			`fi`
nextcloud: reset storage mounts and restore office 2026-01-07 08:43:45 -03:00			`mkdir -p /var/www/html/config /var/www/html/data /var/www/html/custom_apps \|\| true`
			`if [ ! -s /var/www/html/config/config.php ]; then`
			`rm -f /var/www/html/data/.ocdata \|\| true`
			`fi`
			`if [ -s /var/www/html/config/config.php ] && [ ! -f /var/www/html/data/.ocdata ]; then`
nextcloud: stabilize install guardrails 2026-01-07 04:49:55 -03:00			`touch /var/www/html/data/.ocdata`
			`fi`
nextcloud: reset storage mounts and restore office 2026-01-07 08:43:45 -03:00			`chown -R 33:33 /var/www/html/config /var/www/html/data /var/www/html/custom_apps \|\| true`
Extract nextcloud scripts to files 2025-12-14 13:59:16 -03:00			`securityContext:`
			`runAsUser: 0`
			`runAsGroup: 0`
			`volumeMounts:`
nextcloud: reset storage mounts and restore office 2026-01-07 08:43:45 -03:00			`- name: nextcloud-config-pvc`
			`mountPath: /var/www/html/config`
			`- name: nextcloud-custom-apps`
			`mountPath: /var/www/html/custom_apps`
nextcloud: align app/data mounts 2026-01-07 04:41:00 -03:00			`- name: nextcloud-user-data`
			`mountPath: /var/www/html/data`
nextcloud: reset storage mounts and restore office 2026-01-07 08:43:45 -03:00			`- name: nextcloud-config-extra`
Extract nextcloud scripts to files 2025-12-14 13:59:16 -03:00			`mountPath: /var/www/html/config/extra.config.php`
			`subPath: extra.config.php`
nextcloud: install when config missing 2026-01-06 14:46:16 -03:00			`- name: install-nextcloud`
			`image: nextcloud:29-apache`
nextcloud: run install init as root 2026-01-06 14:52:25 -03:00			`securityContext:`
			`runAsUser: 0`
			`runAsGroup: 0`
nextcloud: install when config missing 2026-01-06 14:46:16 -03:00			`command: ["/bin/sh", "-c"]`
			`args:`
			`- \|`
vault(consumption): sync secrets via CSI 2026-01-14 05:07:23 -03:00			`. /vault/scripts/nextcloud_vault_env.sh`
nextcloud: fix su command quoting 2026-01-06 21:24:36 -03:00			`installed="$(su -s /bin/sh www-data -c "php /var/www/html/occ status" 2>/dev/null \| awk '/installed:/{print $3}' \|\| true)"`
nextcloud: reset storage mounts and restore office 2026-01-07 08:43:45 -03:00			`if [ ! -s /var/www/html/config/config.php ]; then`
nextcloud: fix su command quoting 2026-01-06 21:24:36 -03:00			`su -s /bin/sh www-data -c "php /var/www/html/occ maintenance:install --database pgsql --database-host \"${POSTGRES_HOST}\" --database-name \"${POSTGRES_DB}\" --database-user \"${POSTGRES_USER}\" --database-pass \"${POSTGRES_PASSWORD}\" --admin-user \"${NEXTCLOUD_ADMIN_USER}\" --admin-pass \"${NEXTCLOUD_ADMIN_PASSWORD}\" --data-dir /var/www/html/data"`
nextcloud: run install occ as www-data 2026-01-06 21:07:33 -03:00			`chown 33:33 /var/www/html/config/config.php \|\| true`
			`chown -R 33:33 /var/www/html/data \|\| true`
nextcloud: install when config missing 2026-01-06 14:46:16 -03:00			`fi`
nextcloud: ensure oidc/mail/external apps installed 2026-01-06 21:35:31 -03:00			`installed="$(su -s /bin/sh www-data -c "php /var/www/html/occ status" 2>/dev/null \| awk '/installed:/{print $3}' \|\| true)"`
			`if [ "${installed}" = "true" ]; then`
nextcloud: enforce OIDC-only config 2026-01-07 00:03:57 -03:00			`configure_oidc() {`
			`su -s /bin/sh www-data -c "php /var/www/html/occ config:system:set oidc_login_provider_url --value='https://sso.bstein.dev/realms/atlas'"`
			`su -s /bin/sh www-data -c "php /var/www/html/occ config:system:set oidc_login_client_id --value='${OIDC_CLIENT_ID}'"`
			`su -s /bin/sh www-data -c "php /var/www/html/occ config:system:set oidc_login_client_secret --value='${OIDC_CLIENT_SECRET}'"`
			`su -s /bin/sh www-data -c "php /var/www/html/occ config:system:set oidc_login_auto_redirect --type=boolean --value=true"`
			`su -s /bin/sh www-data -c "php /var/www/html/occ config:system:set oidc_login_hide_password_form --type=boolean --value=true"`
nextcloud: allow OIDC auto user creation 2026-01-07 00:12:21 -03:00			`su -s /bin/sh www-data -c "php /var/www/html/occ config:system:set oidc_login_disable_registration --type=boolean --value=false"`
nextcloud: enforce OIDC-only config 2026-01-07 00:03:57 -03:00			`}`
nextcloud: reset storage mounts and restore office 2026-01-07 08:43:45 -03:00			`configure_office() {`
			`su -s /bin/sh www-data -c "php /var/www/html/occ config:app:set richdocuments wopi_url --value='https://office.bstein.dev'"`
			`su -s /bin/sh www-data -c "php /var/www/html/occ config:app:set richdocuments public_wopi_url --value='https://office.bstein.dev'"`
			`}`
nextcloud: restore mimetype defaults for external app 2026-01-06 22:16:51 -03:00			`ensure_mime_defaults() {`
			`cfg_dir="/var/www/html/resources/config"`
			`mkdir -p "${cfg_dir}"`
			`if [ ! -s "${cfg_dir}/mimetypemapping.dist.json" ]; then`
			`curl -fsSL https://raw.githubusercontent.com/nextcloud/server/v29.0.16/resources/config/mimetypemapping.dist.json -o "${cfg_dir}/mimetypemapping.dist.json" \|\| true`
			`fi`
			`if [ ! -s "${cfg_dir}/mimetypealiases.dist.json" ]; then`
			`curl -fsSL https://raw.githubusercontent.com/nextcloud/server/v29.0.16/resources/config/mimetypealiases.dist.json -o "${cfg_dir}/mimetypealiases.dist.json" \|\| true`
			`fi`
			`chown -R 33:33 "${cfg_dir}" \|\| true`
			`}`
nextcloud: install oidc/mail/external apps from releases 2026-01-06 21:39:55 -03:00			`install_app() {`
			`app="$1"`
			`url="$2"`
			`target="/var/www/html/custom_apps/${app}"`
nextcloud: reinstall custom apps with compatible mail 2026-01-06 22:09:16 -03:00			`rm -rf "${target}"`
			`mkdir -p /tmp/nextcloud-apps`
			`curl -fsSL "${url}" -o "/tmp/nextcloud-apps/${app}.tar.gz"`
			`tar -xzf "/tmp/nextcloud-apps/${app}.tar.gz" -C /var/www/html/custom_apps`
			`rm -f "/tmp/nextcloud-apps/${app}.tar.gz"`
			`chown -R 33:33 "${target}"`
			`su -s /bin/sh www-data -c "php /var/www/html/occ app:enable --force ${app}" \|\| true`
nextcloud: install oidc/mail/external apps from releases 2026-01-06 21:39:55 -03:00			`}`
nextcloud: reset external app config and force reinstall 2026-01-07 08:58:50 -03:00			`reset_external_config() {`
			`su -s /bin/sh www-data -c "php /var/www/html/occ app:remove external" \|\| true`
			`su -s /bin/sh www-data -c "php /var/www/html/occ config:app:delete external jwt_token_privkey_es256" \|\| true`
			`su -s /bin/sh www-data -c "php /var/www/html/occ config:app:delete external jwt_token_pubkey_es256" \|\| true`
			`su -s /bin/sh www-data -c "php /var/www/html/occ config:app:delete external jwt_token_privkey_ed25519" \|\| true`
			`su -s /bin/sh www-data -c "php /var/www/html/occ config:app:delete external jwt_token_pubkey_ed25519" \|\| true`
			`}`
nextcloud: reset storage mounts and restore office 2026-01-07 08:43:45 -03:00			`ensure_app() {`
			`app="$1"`
nextcloud: reset external app config and force reinstall 2026-01-07 08:58:50 -03:00			`target="/var/www/html/custom_apps/${app}"`
			`rm -rf "${target}"`
			`su -s /bin/sh www-data -c "php /var/www/html/occ app:remove ${app}" \|\| true`
nextcloud: reset storage mounts and restore office 2026-01-07 08:43:45 -03:00			`su -s /bin/sh www-data -c "php /var/www/html/occ app:install --force ${app}" \|\| true`
			`su -s /bin/sh www-data -c "php /var/www/html/occ app:enable --force ${app}" \|\| true`
			`}`
nextcloud: restore mimetype defaults for external app 2026-01-06 22:16:51 -03:00			`ensure_mime_defaults`
nextcloud: reset external app config and force reinstall 2026-01-07 08:58:50 -03:00			`reset_external_config`
nextcloud: pin mail/external app versions for 29 2026-01-06 22:03:01 -03:00			`install_app external https://github.com/nextcloud-releases/external/releases/download/v5.4.1/external-v5.4.1.tar.gz`
nextcloud: reinstall custom apps with compatible mail 2026-01-06 22:09:16 -03:00			`install_app mail https://github.com/nextcloud-releases/mail/releases/download/v3.7.24/mail-stable3.7.tar.gz`
nextcloud: install oidc app from release tarball 2026-01-07 09:02:22 -03:00			`install_app oidc_login https://github.com/pulsejet/nextcloud-oidc-login/releases/download/v3.2.2/oidc_login.tar.gz`
nextcloud: reset storage mounts and restore office 2026-01-07 08:43:45 -03:00			`ensure_app richdocuments`
			`configure_office`
nextcloud: enforce OIDC-only config 2026-01-07 00:03:57 -03:00			`configure_oidc`
nextcloud: ensure oidc/mail/external apps installed 2026-01-06 21:35:31 -03:00			`fi`
nextcloud: install when config missing 2026-01-06 14:46:16 -03:00			`env:`
			`- name: POSTGRES_HOST`
			`value: postgres-service.postgres.svc.cluster.local`
			`volumeMounts:`
nextcloud: persist web root in pvc 2026-01-07 09:40:25 -03:00			`- name: nextcloud-web`
			`mountPath: /var/www/html`
nextcloud: reset storage mounts and restore office 2026-01-07 08:43:45 -03:00			`- name: nextcloud-config-pvc`
			`mountPath: /var/www/html/config`
			`- name: nextcloud-custom-apps`
			`mountPath: /var/www/html/custom_apps`
nextcloud: align app/data mounts 2026-01-07 04:41:00 -03:00			`- name: nextcloud-user-data`
			`mountPath: /var/www/html/data`
nextcloud: reset storage mounts and restore office 2026-01-07 08:43:45 -03:00			`- name: nextcloud-config-extra`
nextcloud: install when config missing 2026-01-06 14:46:16 -03:00			`mountPath: /var/www/html/config/extra.config.php`
			`subPath: extra.config.php`
vault(consumption): sync secrets via CSI 2026-01-14 05:07:23 -03:00			`- name: vault-secrets`
			`mountPath: /vault/secrets`
			`readOnly: true`
			`- name: vault-scripts`
			`mountPath: /vault/scripts`
			`readOnly: true`
Extract nextcloud scripts to files 2025-12-14 13:59:16 -03:00			`containers:`
			`- name: nextcloud`
			`image: nextcloud:29-apache`
			`imagePullPolicy: IfNotPresent`
vault(consumption): sync secrets via CSI 2026-01-14 05:07:23 -03:00			`command: ["/bin/sh", "-c"]`
			`args:`
			`- >-`
			`. /vault/scripts/nextcloud_vault_env.sh`
			`&& exec /entrypoint.sh apache2-foreground`
Extract nextcloud scripts to files 2025-12-14 13:59:16 -03:00			`env:`
			`# DB (external secret required: nextcloud-db with keys username,password,database)`
			`- name: POSTGRES_HOST`
			`value: postgres-service.postgres.svc.cluster.local`
			`# Admin bootstrap (external secret: nextcloud-admin with keys admin-user, admin-password)`
			`- name: NEXTCLOUD_TRUSTED_DOMAINS`
			`value: cloud.bstein.dev`
			`- name: OVERWRITEHOST`
			`value: cloud.bstein.dev`
			`- name: OVERWRITEPROTOCOL`
			`value: https`
			`- name: OVERWRITECLIURL`
			`value: https://cloud.bstein.dev`
			`# SMTP (external secret: nextcloud-smtp with keys username, password)`
			`- name: SMTP_HOST`
			`value: mail.bstein.dev`
			`- name: SMTP_PORT`
			`value: "587"`
			`- name: SMTP_SECURE`
			`value: tls`
			`- name: MAIL_FROM_ADDRESS`
			`value: no-reply`
			`- name: MAIL_DOMAIN`
			`value: bstein.dev`
			`# OIDC (external secret: nextcloud-oidc with keys client-id, client-secret)`
			`- name: NEXTCLOUD_UPDATE`
			`value: "1"`
			`- name: APP_INSTALL`
			`value: "mail,oidc_login,external"`
			`ports:`
			`- containerPort: 80`
			`name: http`
			`volumeMounts:`
nextcloud: persist web root in pvc 2026-01-07 09:40:25 -03:00			`- name: nextcloud-web`
			`mountPath: /var/www/html`
nextcloud: reset storage mounts and restore office 2026-01-07 08:43:45 -03:00			`- name: nextcloud-config-pvc`
			`mountPath: /var/www/html/config`
			`- name: nextcloud-custom-apps`
			`mountPath: /var/www/html/custom_apps`
nextcloud: align app/data mounts 2026-01-07 04:41:00 -03:00			`- name: nextcloud-user-data`
			`mountPath: /var/www/html/data`
nextcloud: reset storage mounts and restore office 2026-01-07 08:43:45 -03:00			`- name: nextcloud-config-extra`
Extract nextcloud scripts to files 2025-12-14 13:59:16 -03:00			`mountPath: /var/www/html/config/extra.config.php`
			`subPath: extra.config.php`
vault(consumption): sync secrets via CSI 2026-01-14 05:07:23 -03:00			`- name: vault-secrets`
			`mountPath: /vault/secrets`
			`readOnly: true`
			`- name: vault-scripts`
			`mountPath: /vault/scripts`
			`readOnly: true`
nextcloud: align app/data mounts 2026-01-07 04:41:00 -03:00			`resources:`
Extract nextcloud scripts to files 2025-12-14 13:59:16 -03:00			`requests:`
			`cpu: 250m`
			`memory: 1Gi`
			`limits:`
			`cpu: 1`
			`memory: 3Gi`
			`volumes:`
nextcloud: persist web root in pvc 2026-01-07 09:40:25 -03:00			`- name: nextcloud-web`
			`persistentVolumeClaim:`
nextcloud: reset storage claims 2026-01-07 10:13:09 -03:00			`claimName: nextcloud-web-v2`
nextcloud: reset storage mounts and restore office 2026-01-07 08:43:45 -03:00			`- name: nextcloud-config-pvc`
			`persistentVolumeClaim:`
nextcloud: reset storage claims 2026-01-07 10:13:09 -03:00			`claimName: nextcloud-config-v2`
nextcloud: reset storage mounts and restore office 2026-01-07 08:43:45 -03:00			`- name: nextcloud-custom-apps`
nextcloud: restore app and user-data volumes 2026-01-07 03:39:59 -03:00			`persistentVolumeClaim:`
nextcloud: reset storage claims 2026-01-07 10:13:09 -03:00			`claimName: nextcloud-custom-apps-v2`
nextcloud: align app/data mounts 2026-01-07 04:41:00 -03:00			`- name: nextcloud-user-data`
			`persistentVolumeClaim:`
nextcloud: reset storage claims 2026-01-07 10:13:09 -03:00			`claimName: nextcloud-user-data-v2`
nextcloud: reset storage mounts and restore office 2026-01-07 08:43:45 -03:00			`- name: nextcloud-config-extra`
Extract nextcloud scripts to files 2025-12-14 13:59:16 -03:00			`configMap:`
			`name: nextcloud-config`
			`defaultMode: 0444`
vault(consumption): sync secrets via CSI 2026-01-14 05:07:23 -03:00			`- name: vault-secrets`
			`csi:`
			`driver: secrets-store.csi.k8s.io`
			`readOnly: true`
			`volumeAttributes:`
			`secretProviderClass: nextcloud-vault`
			`- name: vault-scripts`
			`configMap:`
			`name: nextcloud-vault-env`
			`defaultMode: 0555`