feat(nextcloud): Add initial version of nextcloud deployment

apps/base/nextcloud/database.yaml

+apiVersion: "acid.zalan.do/v1"
+kind: postgresql
+metadata:
+  name: nextcloud-postgres
+  namespace: nextcloud
+spec:
+  teamId: "nextcloud"
+  volume:
+    size: 1Gi
+  numberOfInstances: 1
+  users:
+    nextcloud:
+    - superuser
+    - createdb
+  databases:
+    nextcloud: nextcloud
+  postgresql:
+    version: "14"

apps/base/nextcloud/kustomization.yaml

+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: nextcloud
+resources:
+  - namespace.yaml
+  - database.yaml
+  - repository.yaml
+  - release.yaml
+  - ../../../shared/networkpolicies/allow-from-same-namespace.yaml
+  - ../../../shared/networkpolicies/allow-from-ingress.yaml
+  - ../../../shared/networkpolicies/allow-from-database.yaml
+  - ../../../shared/networkpolicies/allow-from-monitoring.yaml
+patchesStrategicMerge:
+  - networkpolicy.yaml

apps/base/nextcloud/namespace.yaml

+apiVersion: v1
+kind: Namespace
+metadata:
+  name: nextcloud
+  labels:
+    name: nextcloud
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: nextcloud-reconciler
+  namespace: nextcloud
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: nextcloud-reconciler
+  namespace: nextcloud
+rules:
+  - apiGroups: ["*"]
+    resources: ["*"]
+    verbs: ["*"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: nextcloud-reconciler
+  namespace: nextcloud
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: nextcloud-reconciler
+subjects:
+  - kind: ServiceAccount
+    name: nextcloud-reconciler
+    namespace: nextcloud

apps/base/nextcloud/networkpolicy.yaml

+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-from-ingress
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: nextcloud
+      app.kubernetes.io/component: app
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-from-monitoring
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: nextcloud
+      app.kubernetes.io/component: metrics

apps/base/nextcloud/release.yaml

+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: nextcloud
+  namespace: nextcloud
+spec:
+  serviceAccountName: nextcloud-reconciler
+  timeout: 5m
+  releaseName: nextcloud
+  chart:
+    spec:
+      chart: nextcloud
+      sourceRef:
+        kind: HelmRepository
+        name: nextcloud
+      version: 2.13.1
+  interval: 5m
+  valuesFrom:
+    - kind: ConfigMap
+      name: nextcloud-base-values
+      valuesKey: values.yaml
+    - kind: Secret
+      name: nextcloud-override-values
+      valuesKey: values-overrides.yaml
+      optional: true
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: nextcloud-base-values
+  namespace: nextcloud
+data:
+  values.yaml: |
+    nextcloud:
+      resources:
+        limits:
+          cpu: 1500m
+          memory: 2Gi
+        requests:
+          cpu: 500m
+          memory: 1Gi
+      strategy:
+        type: Recreate
+      extraSecurityContext:
+        runAsUser: "33"
+        runAsGroup: "33"
+        runAsNonRoot: true
+        readOnlyRootFilesystem: true
+      configs:
+        proxy.config.php: |-
+          <?php
+          $CONFIG = array (
+            'trusted_proxies' => array(
+              0 => '127.0.0.1',
+              1 => '10.0.0.0/8',
+            ),
+            'forwarded_for_headers' => array('HTTP_X_FORWARDED_FOR'),
+          );
+    internalDatabase:
+      enabled: false
+    externalDatabase:
+      enabled: true
+      type: postgresql
+      host: nextcloud-postgres
+      database: nextcloud
+      existingSecret:
+        enabled: true
+        secretName: nextcloud.nextcloud-postgres.credentials.postgresql.acid.zalan.do
+        usernameKey: username
+        passwordKey: password
+    cronjob:
+      enabled: true
+      failedJobsHistoryLimit: 1
+      successfulJobsHistoryLimit: 1
+      resources:
+        limits:
+          cpu: 100m
+          memory: 128Mi
+        requests:
+          cpu: 100m
+          memory: 128Mi
+    redis:
+      enabled: true
+    ingress:
+      annotations:
+        nginx.ingress.kubernetes.io/proxy-body-size: 4G
+        nginx.ingress.kubernetes.io/server-snippet: |-
+          server_tokens off;
+          proxy_hide_header X-Powered-By;
+
+          rewrite ^/.well-known/webfinger /public.php?service=webfinger last;
+          rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
+          rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json;
+          location = /.well-known/carddav {
+            return 301 $scheme://$host/remote.php/dav;
+          }
+          location = /.well-known/caldav {
+            return 301 $scheme://$host/remote.php/dav;
+          }
+          location = /robots.txt {
+            allow all;
+            log_not_found off;
+            access_log off;
+          }
+          location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)/ {
+            deny all;
+          }
+          location ~ ^/(?:autotest|occ|issue|indie|db_|console) {
+            deny all;
+          }
+    persistence:
+      enabled: true
+    resources:
+      limits:
+        cpu: 1500m
+        memory: 2Gi
+      requests:
+        cpu: 500m
+        memory: 1Gi
+    extraSecurityContext:
+      runAsUser: "33"
+      runAsGroup: "33"
+      runAsNonRoot: true
+      readOnlyRootFilesystem: true
+    metrics:
+      enabled: true
+      resources:
+        limits:
+          cpu: 100m
+          memory: 128Mi
+        requests:
+          cpu: 100m
+          memory: 128Mi
+    rbac:
+      enabled: true
+      serviceaccount:
+        create: true
+        name: nextcloud-serviceaccount
+    startupProbe:
+      enabled: true

apps/base/nextcloud/repository.yaml

+apiVersion: source.toolkit.fluxcd.io/v1beta1
+kind: HelmRepository
+metadata:
+  name: nextcloud
+  namespace: nextcloud
+spec:
+  interval: 30m
+  url: https://nextcloud.github.io/helm/

apps/k8s01/nextcloud/certificate.yaml

+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+    name: nextcloud-tls
+    namespace: matrix
+spec:
+    dnsNames:
+        - ENC[AES256_GCM,data:RElY5ezZBbNniLIQfaYghe+52yeisRt0qA==,iv:ex3kHYJ82sf8SFXROqsRXUZ4uv9w/5Om1dgOtz6BD4E=,tag:CrhP+VkHt/e3koa1Sy9XFw==,type:str]
+    issuerRef:
+        name: letsencrypt
+        kind: ClusterIssuer
+    secretName: ingress-nextcloud-tls
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2022-03-22T22:25:36Z"
+    mac: ENC[AES256_GCM,data:kgqzgq6ZfWr9bEDT7DMtQzpEekwhpHiBNWH6484z1lUppL9rE6Tb0EcDPRl52B61R8JmFrQgiV7XMa+kNwNN1ra0w4M4xaxJu9Q9icMknsv6pB6VvjaLoVzRENfYNnWSrXrerHaL+nxpSgH6S8P7iVg1X15cSsU+rytXDADrAjM=,iv:s1hC2IM/PL0DkjhahGQrcmRTeOd20N+4RWVMEkB0rUA=,tag:xalgMPonrELvkSgrN4AxSw==,type:str]
+    pgp:
+        - created_at: "2022-01-21T18:13:48Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcFMA7kpg2bgzVHcARAAHhDshl1OJqNRUolNvbIXzOuDzssJnvyi6cIZuMmVMsxf
+            a6wAWAtYOehvtn1ODL7/h4fIpBtfp7d8VuwfJSrh3ghUeiOl3zRzQbmaFA2L5/iG
+            Jd94tFAVwIl30qjcYqGVB2RF27VF1RElzgDLQh3hiXn1hDC+WmNSnBF5hwnwCFOL
+            wM4BHuE2AB4TX3PlYSo1n71VSzcCqRzbIxelZasYLnJQVL0VE6AjEd/fHS468R8N
+            aZ3mhmHW3sWzuLHNREMD2Q3ghkguLhau0VoETlYRI9103I4k7/khFrhAj5l2/PUr
+            2SWgpXyRqXVaKPeTiQs3QR8B5jNq3BlZj6Celw5Ig/wx3LY0EhI9e9WFgtSlZxM+
+            2yk65HQGvTIgsbys/z/0skA9vqik9csFRsH9iK42E/+XLvoAT6yxyl0cv1kBEyAS
+            ggPmKOq8+CT+voHzuh8kZHq9Sa8kH5xL1DQLzX2yIruV3OhTPSK+VlDpjUbycmI2
+            qR1oCo/snOJwwwvfl9vu0B8FCwhrz8554ZQBErFfJl6GFiUV8LElRlZh5S9Jiysr
+            nYJS5gxrcvjF/0Y6EHEfWDRDxvCHoWQpWhl2hRkh5UlQKH0ab+QWLYpISyNJxjfl
+            orQJdaVX3BQwhqMLwiMLGoaNGrSpmxXveLOZmsdK0obXC67lyE6ZM/Wy6gx2dFnS
+            5gFdXCLzQmmjYK8gIlsejQdnxZI2qWavZIN9T70OZQGaDE/S+U1uxKjuGBM7HTcP
+            7f1nUa6z96A9ydWs1xHjtm7k172V16PMSrvjQ8KLhFJd9eJDq3ksAA==
+            =XgF6
+            -----END PGP MESSAGE-----
+          fp: 286791FB6648539775DB31B8FCB98C2A3EC6F601
+        - created_at: "2022-01-21T18:13:48Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4oYbIHZIrAPAQ//S/9rOkbd3beNH20dxgZ7VuZxgnjiV3Hd3om717njcMm2
+            kCfTJ3AmpLtQsT2s1W221tIyCwtHOobj82ANP9KzNi4e6v3LlNTIVHTQiHXk9KJP
+            AX6JoCOLu3bAI0xcdApNBU2wAlHBVC+T4BUfhPqD5AdHpW++e1qUIsM/6TViunHj
+            BWoIA0bpXqyOhTm1GbkJrHMgczJn2qgR5lBf8wgGmASd8jlNyfA7SxoKHj8sl/Ji
+            nucP/90dmyD2eBIJYdYS3anJYa2uP96oioG5xxIyfppnL5dwozDAit3Z5vvnBZNb
+            1rrpUnN8H0cCcaj7tmDEmjGfjGwxLKegQRZX7Pg5hwaaOOPGheXf8Ip/DpDf6T0n
+            Sq24X6DC5gD1RBU+YY6ZayMt/OKpVVVwRlY4BTDIUe4M+ecK/fve5vpDW2M+KWMc
+            pOkO1B09/prsX0w5XjFh8hb/6HlDDhomiB+BszcRCUDzocRzSEIFwMf7/iTaExe8
+            2fKCCHB4kHo6GHpydlQOpnGMOvDmiNKopXxTkFQUFQjyRmHGXf/u79JNXBjHkniv
+            ZiokjTEarwMp68dyiaL4L/5Uk+4NG3MetobqSaeW2TbeBwif3G2eFleYscz7QPIR
+            5ZBBhU/CoUEz2Xge6t8rlp8PNcQ1yq/R+tZjaeqIIT4++ZxCErhA0lsxyFrgLefU
+            aAEJAhD7hR3IMDGN2zOZSiw1IBz9P8Jss/oERQiuVpe/eTv5Vqj9vuL+koKftwnF
+            vSVkNo0fLwNLtnU659Mkoj9utoUL9tAhcCMpP3NehKkBG5RjF9crnIP6zT3lvVU0
+            GYyW4Lsfrt/a
+            =FfV+
+            -----END PGP MESSAGE-----
+          fp: B137EE1549DFAF960DD1E2B15147025FB9F09E07
+    encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|hosts?|tang|externalURL)$
+    version: 3.7.1

apps/k8s01/nextcloud/kustomization.yaml

+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../../base/nextcloud
+  - certificate.yaml
+  - nextcloud-values.yaml

apps/k8s01/nextcloud/nextcloud-values.yaml

+apiVersion: v1
+kind: Secret
+metadata:
+    name: nextcloud-override-values
+    namespace: nextcloud
+type: Opaque
+stringData:
+    values-overrides.yaml: ENC[AES256_GCM,data:TUfQKjLFRkbbiDiMNQQ6dZcZU9li17ra6qVmplN2vAzejBfXVBSpf6hfFE0PYnpqKd4zMBJYk5wf2xfYgfORjRJjE9MiYDctbvQslx9NYXXOAw7xabFDbCh/9hx7TLWQD4ZXB0/vRUHlfMnNSNH28kKS1eUNMKlxJbv3XePhnIB3w2cT4JB9f0fXFgxnA1F4ZAQ1v1TxOC8aSMjsT2OFGNb+u8yz38PIUo87jAWTxE59K5KjSnhNM8e6y2UHef1qr1rSbJ7oQS5aVTeJmdPFXJ/V2VyGpyg1Y7ngh2K3o1B9uS7JHxcKfmhbd119kJYkUh/4rbUdUHTv2o6LYnF2gAppdWBUWslcKnbc/1/M/TjRzJ1Nc9BEYw2FWPj3CtaaBC0qsvyjN6n9FMGqvann48NP9BD+WGqf7vg1AMvQw46H7rc3B8kgJr1vEFYLIr8PDz2NhDCUKvE+TA0LDtlfcTFscAT4wgOcm4/fP+eXATxSe5XOj2GG62/IGPYfeb/BeAxn0TWpUwY80K1r2DGPVNeigASjxr+hIOClC2IIW/I0nPx0FnTuTUfhzGQN32nuh19Zb7eTH2+ABfUK4Flz18Di3ubuNjJ4PnKC9WVHCKgLHj1eeeiMCDsRS0cFNP0wIN4CnzSe9bhVCVncLgUc4YB3DBjKnIKGG+ZOMYNGXEYVUHiJpvKy0kqcCQU=,iv:Q83hx2sWHstGqAYAU8i6VByrCYFVvjm8LK4eM5Swt/Y=,tag:4XkT3tqNsfyjONY6S63Jvg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2022-03-22T22:49:31Z"
+    mac: ENC[AES256_GCM,data:dGO3FR97WkFYTKhBQIKCxc7I9Z10gweFcoFOo8jHik5s1XeE2jZtqEc2QsUGDLTun8bFoLqORBZC6c7aB+1l3nrqqHjvVbUua9ShvQnZAAnAQT5ef09fthFk5vhElFmhXEuGQRZoAImuje2jjdFHGmfr1K2SWorWEiSZFKdgLuQ=,iv:Vl+f2Kru5Pzqq+h8a7wIgLYLl1cKU3G926U6KcyHvHA=,tag:gNYEbhD5Hu/RDs9WupPMfA==,type:str]
+    pgp:
+        - created_at: "2022-03-22T22:26:35Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            wcFMA7kpg2bgzVHcARAApcdDAfEgx93xGtkm4f7xTuRhvUyl8lw85rIHbWcAveYU
+            ayU88OLaoQyeZDZkOXbtxMHpry8GbId6vPAJ7KflT2eMP0A4uQGSSCQO6+5QcaYg
+            sbO/zT4vdprN7icLbvmmoK2Dh+hOo5Z7/7YGmdJfaaATzT2BGL/cVS1bonI83vXR
+            lzlW/DglIe7oNEKGVT5vWR5uGvq/dJwSRe/34eutEnJuV30imxHOcpxy3uXJFFXJ
+            3eKTk8dNLz3UE3IeUjbFdPFZYU+grOAOOCZRK0IOYFn+SF7E3dewgiwEdaXzz3gK
+            /6aEMEmf5vyVqn9jOaqZhKRqE7tW5HnhwIIlxcMPhkLVZvYf4F2EDA5f12C2hdp0
+            s7fFhU7v5GgFaHMJuaWVPxDnWTrNIst9bgeJv/N4RVfrLifrZJcqa9lE8ou0iCr5
+            dLi9d6UjsgWAREIViz+Uz7dJQ9QeJ6PGYgg/xgf0ihJFG7sx+TBG58DKb3G3tyUV
+            8hfK8Ou9m+zYnd13mJ2mV3rY0rmXusT+NcqTG2G4bBG5NimGpJS3rO7tAjjp/8sN
+            hMM46ay0vVTUXx1FwmjUFDG1e4sc7fKxTaCBizMjeUfZpAOiy/10YQmrFHBsftpo
+            K5j0nFMoG9NeO+2ffEmLhRtxvMe3WpINk7du3F624rYIGCB0aNUP69FCeJKuUQHS
+            5gH5AwnxOAtQakDksfLxJhUG1NlaS0iAFkZkTTibvOJwsY9L/scDDQlseb5zBKaZ
+            sOPwmn6hL4KavxF9BPG33ILkZKbkcvlaTlAMMY3iBs+MZeIB4+i/AA==
+            =SQqg
+            -----END PGP MESSAGE-----
+          fp: 286791FB6648539775DB31B8FCB98C2A3EC6F601
+        - created_at: "2022-03-22T22:26:35Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA4oYbIHZIrAPAQ//fGGoDT5KfsG/o6r5xhDHSc0IFH6zT2TFIB6TuA5SwHfV
+            8t3IeKD0bE//4f8AxGAVocw+AetolwrQL/Tl+n0UV9P44Jeh5VlCAGltHcowR53o
+            zdjS3+i9K3OOvQFhF+aYrPcnc+aTn9KbptHCam0w+Lr2UkYSAPAZHsBcoMp24mHX
+            6A+5kP1kaRzFzEn4TCNeTt13W1AsJIoSagkBWfYRBkRPk1OzGOuYqX6yeqj7a0kM
+            8uiloTQgWOiBSOyRtxUJi87CTrMXyb0F2E9HMyhgRnzF0YX0ZU0UVG8MNdRL8eFD
+            WYY68OK7DQw3zlJubscYQ2jltxKcq5g9qUCw/sXaNurtohIx9UeaHtfp036EMb22
+            5StgGEnBirUzfSrQGT3kuj20lcMtQAr/d1UsmQNjB36eOZSrx0m80pO8JVYL62/O
+            HLYnAHU52aAPtE7brNEVg4yRLCbWyVY3Z3H9OaTVXwNIMFoMEgkHHnNlsb+1ZnhV
+            cStKMO3H6W8eXQi3VGIVNhuC1ltsxHQL1I22Kr41JEnuaB9Jy5bsEbrO4XGyDdte
+            hMI8Gx+0KZAMlKuZKLS6sMa4oVnQTy8w20PtVrrS0zDrQRPpxBrOgzjrNeMj9FpS
+            q/efiCAOBc8eVd8N/7j66UItwrysfmIfsHWfoPotS7F6WmUHeAyoWjfcvTZyd4bU
+            ZgEJAhAtdCnHNvUSl5O9XZuSu51pRwj+O72kZXRSJWv7GTT9dsRfuM5Dy9A/tuVI
+            BuZraI4JyAWb2KbkM6onp3Rh9IcLuzqEYm/ETktxTtO1HlcVPJ2NMcFgTCzaIGX9
+            +rtkG7tPbA==
+            =tvBa
+            -----END PGP MESSAGE-----
+          fp: B137EE1549DFAF960DD1E2B15147025FB9F09E07
+    encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|hosts?|tang|externalURL|.*-secret|.*-url|.*Secrets?|.*-domain|password|subjects|node|apiURL|.*(S|s)erverNames?|.*SecretKey)$
+    version: 3.7.1