diff --git a/apps/k8s01/nextcloud/kustomization.yaml b/apps/k8s01/nextcloud/kustomization.yaml
index 5330027571d169b1fe4e9b78f608626874931a91..ec18932c67d8982ba2bda6d74b9eccda9ddd51fb 100644
--- a/apps/k8s01/nextcloud/kustomization.yaml
+++ b/apps/k8s01/nextcloud/kustomization.yaml
@@ -7,7 +7,7 @@ resources:
 - nextcloud-values.yaml
 - pdb.yaml
 - slo.yaml
- - oauth2.yaml
+ - ../../../shared/applications/oauth2-proxy.yaml
 - ../../../shared/resourcequotas/default.yaml
 patchesStrategicMerge:
 - database-override.yaml
diff --git a/apps/k8s01/nextcloud/oauth2.yaml b/apps/k8s01/nextcloud/oauth2.yaml
index f8197d6c7f178c3e13eb99b7fbd378dbb326186c..f2e15a5016c462c045f9527c7dab346dd00407bb 100644
--- a/apps/k8s01/nextcloud/oauth2.yaml
+++ b/apps/k8s01/nextcloud/oauth2.yaml
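Review bot: After this change `oauth2.yaml` is no longer listed under `resources`, yet the same commit keeps that file and turns it into the `oauth2-proxy-override-values` Secret. Kustomize only builds what the kustomization lists, so unless the file is referenced on a line outside this hunk the Secret will not be applied. The shared release would then presumably either fail to reconcile or come up without its client secret, cookie secret and `allowed-role` restriction. I would keep the local entry next to the new one, `- oauth2.yaml` followed by `- ../../../shared/applications/oauth2-proxy.yaml`. The `resources` list starts above the hunk, so this should be confirmed against the full file.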
@@ -1,200 +1,17 @@ -apiVersion: source.toolkit.fluxcd.io/v1beta1 -kind: HelmRepository +apiVersion: v1 +kind: Secret metadata: - name: oauth2-proxy - namespace: nextcloud -spec: - interval: 30m - url: https://oauth2-proxy.github.io/manifests -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: [] - lastmodified: "2023-09-26T17:20:14Z" - mac: ENC[AES256_GCM,data:6rg9m0ZbZhaMbq+J9DeRezkbWU8+TwkekbYeaTsYZzuGUjDZWMOwQMiZtwMYX2oDrjFqHCckIMPLXi44lO6vyXTbuRd75kVSXe/QpI9FVHaVfgejKFX/OZAbyr9vC0vVIz4teog0kMY/kaVbB4eCptabplCZiL+pGXpBkgnKGGk=,iv:lLn9Jxz1NWaEPn5GZp+DIysh+Im0x4iSyQ4gzV0ILv0=,tag:mDa3dis4zh0n8SJHyObR6g==,type:str] - pgp: - - created_at: "2022-01-22T04:06:16Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - wcFMA7kpg2bgzVHcARAAgt+09YMPbbkGkg+/VgMgvxC4YDoQxlcklv3OfrS29yHF - 27d8LBexyRYUTqkKhxyFJl+1dOqoE+o2uZjg9J/WSNR4MIBMm4Whn9rly4hoyk1W - BSKqZxt/POdP7ZtZ1Ke3hrZiV4UlDDAagToxrSWG4suXr45i0wUGICbNakrlEB9P - 7Ub7nM6aIWjyRJpqPhtJaaq1EWsj/+2NagXOMi0cWjj4wzEy+KZMC3lMVM3db/zw - KDxsZWfK2/gRc7qqQWrmKB5bqQPhKVwUExrzKofExaSozXq9c694mmThVyR2SFc9 - OvNLlqLpeRfBpoY9F19Wz0YhQRUxfPdYgV0ZqngxIYzx2+2DqCz1fkW/hIcMLyj9 - LBNUTHXcRP9O3ZWWx0flnjcE8Cyz4qmMq9hf0iEWtZb1cO0v5Z6+lYo9ThQvcPCp - DMuZ2l65Sfto56y84j8FPshOS6Heo97mwbO/BmOZYnQ4RtGFc9KlFtLBMyRZfqEo - b6O77YyzCcKYOdgrXjEORxvUq2ftHxTQFBdYUHO2Rpf0tyrZwUYnIWBXnB5fOp/y - HjWzl8ZpQxhJQubiqteEovYdtv+1ionPBLZkzzx3EDbNvSroQijENSkQhyl7QbMj - XURIII47j0yda/kZ4mupPz4isY4kEi/AtwCI+tumI0c7gH7iew/kjoQcgyTVMOLS - 5gFZuhZ6ixAXhDms0RKfYq6iKAzXxslg0qcYAOcjwqq5u+cQJTfSrLjivxNs2cIo - M/5BCddS+GzLSTCNYStLfOfkFGlrOccM7I8Fzy3PYhtc9eLwlSI/AA== - =c/3x - -----END PGP MESSAGE----- - fp: 286791FB6648539775DB31B8FCB98C2A3EC6F601 - - created_at: "2022-01-22T04:06:16Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMA4oYbIHZIrAPARAAyGLyK65vBqTfe/5iFAuaaWg9sWRTAfnGnDEgxAPdp4EQ - yKOT9AyRLes5yRtSz8ugRVjvQd/B9bj+VE7MosFarpjw5ckzRKjSHpanzPqGGWjI - 2Ce9gbSljx7AhmXujK+TRhf4PbliopQWdStNWZ08p17UG2G0UiNPgun0ocHxUqVN - 
46iUl51aL5ElZUmA3bfcwpYu6lCiDCEvlrX+7ZSsKEYcg1VQ+oi0XTxfEugSFX1N - 4QjkSHfFYWCqt5IOB2+G5HCZfwD3n3a9tTjpehnTfC61Dn3r4tAVunD3dDaVvqNK - GOJJvvykUOGrszIInJbXd3Bvp/HGm5jp5eLiMo1GQeG7XxIuiIDV41AkAEEv5nYW - fpkeW/a+2NI/TzM3PsOOxEmghuG4k5lnpYwrEcp/s3OmYwDRLvSQRD9rIjw33VnU - WhgfsjwqlqLbyUTwssn8ztEUvoVXQ/lmsFJ2xrzBuWV4tSOUMX+jpA1bhJ1QCcOd - vR/fMH2ZMppho7bnUUVjFGtRZWLAh4OPdCZ4fTkWpUbrFE9HBP1rcPxe7DqzDlbl - tb5yfNLvHGWh/Myqm7CP04qIlWGyDT4UonAWFmPLt6mWXf6DrlOl8n+iAZbX7d+c - w8y/mAapNcTZZHG/+M5hq0anS9mZ65yR3X2znn8ErNot8alJBcOdulM2aDrwk9HU - aAEJAhDKMKsgECqiT3WYb8AVOHFk0O/CCKDFBTt+S+Bbjeb2vqBE8uRNMECpZPU9 - NSZGFfj97fyI1At7TgVko8Ae/2w0xdb80g/81/kVuTNTm/0z60RqOooENSxfGRJ9 - PNNoVr/LwxMQ - =e2fo - -----END PGP MESSAGE----- - fp: B137EE1549DFAF960DD1E2B15147025FB9F09E07 - encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|hosts?|tang|externalURL|.*-secret|.*-url|.*Secret|.*-domain)$ - version: 3.7.3 ---- -apiVersion: helm.toolkit.fluxcd.io/v2beta1 -kind: HelmRelease -metadata: - name: oauth2-proxy - namespace: nextcloud -spec: - serviceAccountName: flux-reconciler - releaseName: oauth2-proxy - chart: - spec: - chart: oauth2-proxy - sourceRef: - kind: HelmRepository - name: oauth2-proxy - namespace: nextcloud - version: 6.17.1 - interval: 5m - install: - remediation: - retries: 5 - values: - config: - clientID: nextcloud - clientSecret: ENC[AES256_GCM,data:FzmteRV5oYk3aWSvGU3NvsLiYZzJdwZ/JB39/yTo74MnGsVu,iv:Sq9hvdO7Xuymf0LByuOkp/JtcRB6lo9y948jCGO67y0=,tag:PkiBIrYMfFu5QXozhNBXhA==,type:str] - cookieSecret: ENC[AES256_GCM,data:s9i5XebZ373eCpa075bZ/xb9Egq0v7A2BSKAgTF6YHs/bG2f3tT6IGGmJa4=,iv:1STc1smpQoHEjLBYQGaFueDn/o+FXCQ8pnTsxbEAZMc=,tag:PvDOn3IGWhEQfaQadVWsxg==,type:str] - extraArgs: - provider: keycloak-oidc - provider-display-name: SI-Auth - oidc-issuer-url: ENC[AES256_GCM,data:CUky0W47wOOJmY7EpNrb486hs5l5DjxkaOrzT1OOOWIYcW9bdw9Xgg7FcABOxwcMO4Vn/okDZQ==,iv:lpiXwA9KSjT9nSFeXaBiijJWkAm5FKfCtmU3XvnMPDU=,tag:cN17VOD6bUz1MQHbOQ5Hwg==,type:str] - allowed-role: nextcloud:user 
- whitelist-domain: ENC[AES256_GCM,data:chLUoWOlZsaMUbIfj8i0UTaFyztPHzwCbQ==,iv:m3zDPNaTU03cw/iILqjgl+2E7Bmg9LLKbjXLma4b/yk=,tag:tQMO48l/tRp3F403CFKW/g==,type:str] - silence-ping-logging: "true" - scope: openid email profile - oidc-groups-claim: memberof - replicaCount: 2 - securityContext: - enabled: true - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchLabels: - app: oauth2-proxy - topologyKey: kubernetes.io/hostname - ingress: - enabled: true - path: /oauth2 - pathType: Prefix - hosts: - - ENC[AES256_GCM,data:CMX2CbZgChJ5dnbcghTWph8LEe/+kUU64A==,iv:gQ88PQiSZAd+/mXH9/+wgwz1ADQie2gPwsWA3LBJTjI=,tag:JGxzLHAZ2PXYgsj0umF4iw==,type:str] - tls: - - hosts: - - ENC[AES256_GCM,data:yw4WBRJ9L4Tb8yMUxJUG4hVj51XTD72REg==,iv:QT1dhq4tNLrfZj+NENiAmZiC5VVxVFnXo318a180jSc=,tag:mLVzBCXvtoAtLnPN6TSCkg==,type:str] - secretName: ingress-nextcloud-tls - resources: - limits: - cpu: 200m - memory: 100Mi - requests: - cpu: 100m - memory: 25Mi -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: [] - lastmodified: "2023-09-26T17:20:14Z" - mac: ENC[AES256_GCM,data:6rg9m0ZbZhaMbq+J9DeRezkbWU8+TwkekbYeaTsYZzuGUjDZWMOwQMiZtwMYX2oDrjFqHCckIMPLXi44lO6vyXTbuRd75kVSXe/QpI9FVHaVfgejKFX/OZAbyr9vC0vVIz4teog0kMY/kaVbB4eCptabplCZiL+pGXpBkgnKGGk=,iv:lLn9Jxz1NWaEPn5GZp+DIysh+Im0x4iSyQ4gzV0ILv0=,tag:mDa3dis4zh0n8SJHyObR6g==,type:str] - pgp: - - created_at: "2022-01-22T04:06:16Z" - enc: |- - -----BEGIN PGP MESSAGE----- - - wcFMA7kpg2bgzVHcARAAgt+09YMPbbkGkg+/VgMgvxC4YDoQxlcklv3OfrS29yHF - 27d8LBexyRYUTqkKhxyFJl+1dOqoE+o2uZjg9J/WSNR4MIBMm4Whn9rly4hoyk1W - BSKqZxt/POdP7ZtZ1Ke3hrZiV4UlDDAagToxrSWG4suXr45i0wUGICbNakrlEB9P - 7Ub7nM6aIWjyRJpqPhtJaaq1EWsj/+2NagXOMi0cWjj4wzEy+KZMC3lMVM3db/zw - KDxsZWfK2/gRc7qqQWrmKB5bqQPhKVwUExrzKofExaSozXq9c694mmThVyR2SFc9 - OvNLlqLpeRfBpoY9F19Wz0YhQRUxfPdYgV0ZqngxIYzx2+2DqCz1fkW/hIcMLyj9 - LBNUTHXcRP9O3ZWWx0flnjcE8Cyz4qmMq9hf0iEWtZb1cO0v5Z6+lYo9ThQvcPCp - 
DMuZ2l65Sfto56y84j8FPshOS6Heo97mwbO/BmOZYnQ4RtGFc9KlFtLBMyRZfqEo - b6O77YyzCcKYOdgrXjEORxvUq2ftHxTQFBdYUHO2Rpf0tyrZwUYnIWBXnB5fOp/y - HjWzl8ZpQxhJQubiqteEovYdtv+1ionPBLZkzzx3EDbNvSroQijENSkQhyl7QbMj - XURIII47j0yda/kZ4mupPz4isY4kEi/AtwCI+tumI0c7gH7iew/kjoQcgyTVMOLS - 5gFZuhZ6ixAXhDms0RKfYq6iKAzXxslg0qcYAOcjwqq5u+cQJTfSrLjivxNs2cIo - M/5BCddS+GzLSTCNYStLfOfkFGlrOccM7I8Fzy3PYhtc9eLwlSI/AA== - =c/3x - -----END PGP MESSAGE----- - fp: 286791FB6648539775DB31B8FCB98C2A3EC6F601 - - created_at: "2022-01-22T04:06:16Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hQIMA4oYbIHZIrAPARAAyGLyK65vBqTfe/5iFAuaaWg9sWRTAfnGnDEgxAPdp4EQ - yKOT9AyRLes5yRtSz8ugRVjvQd/B9bj+VE7MosFarpjw5ckzRKjSHpanzPqGGWjI - 2Ce9gbSljx7AhmXujK+TRhf4PbliopQWdStNWZ08p17UG2G0UiNPgun0ocHxUqVN - 46iUl51aL5ElZUmA3bfcwpYu6lCiDCEvlrX+7ZSsKEYcg1VQ+oi0XTxfEugSFX1N - 4QjkSHfFYWCqt5IOB2+G5HCZfwD3n3a9tTjpehnTfC61Dn3r4tAVunD3dDaVvqNK - GOJJvvykUOGrszIInJbXd3Bvp/HGm5jp5eLiMo1GQeG7XxIuiIDV41AkAEEv5nYW - fpkeW/a+2NI/TzM3PsOOxEmghuG4k5lnpYwrEcp/s3OmYwDRLvSQRD9rIjw33VnU - WhgfsjwqlqLbyUTwssn8ztEUvoVXQ/lmsFJ2xrzBuWV4tSOUMX+jpA1bhJ1QCcOd - vR/fMH2ZMppho7bnUUVjFGtRZWLAh4OPdCZ4fTkWpUbrFE9HBP1rcPxe7DqzDlbl - tb5yfNLvHGWh/Myqm7CP04qIlWGyDT4UonAWFmPLt6mWXf6DrlOl8n+iAZbX7d+c - w8y/mAapNcTZZHG/+M5hq0anS9mZ65yR3X2znn8ErNot8alJBcOdulM2aDrwk9HU - aAEJAhDKMKsgECqiT3WYb8AVOHFk0O/CCKDFBTt+S+Bbjeb2vqBE8uRNMECpZPU9 - NSZGFfj97fyI1At7TgVko8Ae/2w0xdb80g/81/kVuTNTm/0z60RqOooENSxfGRJ9 - PNNoVr/LwxMQ - =e2fo - -----END PGP MESSAGE----- - fp: B137EE1549DFAF960DD1E2B15147025FB9F09E07 - encrypted_regex: ^(data|stringData|email|dnsZones?|dnsNames?|hosts?|tang|externalURL|.*-secret|.*-url|.*Secret|.*-domain)$ - version: 3.7.3 ---- -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: allow-ingress-to-oauth2 - namespace: monitoring-system -spec: - podSelector: - matchLabels: - app: oauth2-proxy - ingress: - - from: - - namespaceSelector: - matchLabels: - ingress.shivering-isles.com/network-access-required: "true" + name: 
oauth2-proxy-override-values +stringData: + values-overrides.yaml: ENC[AES256_GCM,data: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,iv:kNNLN82XhRBh3sFDfTHIzg/2xEVWBges9KT20p8iAyA=,tag:m3i5PQP5pfJm65r6V/PKKA==,type:str] sops: kms: [] gcp_kms: [] azure_kv: [] hc_vault: [] age: [] - lastmodified: "2023-09-26T17:20:14Z" - mac: ENC[AES256_GCM,data:6rg9m0ZbZhaMbq+J9DeRezkbWU8+TwkekbYeaTsYZzuGUjDZWMOwQMiZtwMYX2oDrjFqHCckIMPLXi44lO6vyXTbuRd75kVSXe/QpI9FVHaVfgejKFX/OZAbyr9vC0vVIz4teog0kMY/kaVbB4eCptabplCZiL+pGXpBkgnKGGk=,iv:lLn9Jxz1NWaEPn5GZp+DIysh+Im0x4iSyQ4gzV0ILv0=,tag:mDa3dis4zh0n8SJHyObR6g==,type:str] + lastmodified: "2023-09-26T17:24:58Z" + mac: ENC[AES256_GCM,data:La/BwZURdnIksyslsOxg/6g+Li6unWCkQGbk9lspDS/NEFEjvsIMZxoqzET3IXeYac2av/GAe1OcS5dyz3fUIVCK2PIDosc6wzEKeQ2QbdjlaysE+2CljDtnWP9V8d3iuoVGycVTOvFEafJNlykFRNt3JJDMvgtGupDNX8RhQAY=,iv:U3cZyX86XJPWVfYgJIAUZ1RsavOg103LyTtgBUAOLrE=,tag:7x3NSt63SQtdq0iayukYdw==,type:str] pgp: - created_at: "2022-01-22T04:06:16Z" enc: |- @@ -271,8 +88,8 @@ sops: azure_kv: [] hc_vault: [] age: [] - lastmodified: "2023-09-26T17:20:14Z" - mac: ENC[AES256_GCM,data:6rg9m0ZbZhaMbq+J9DeRezkbWU8+TwkekbYeaTsYZzuGUjDZWMOwQMiZtwMYX2oDrjFqHCckIMPLXi44lO6vyXTbuRd75kVSXe/QpI9FVHaVfgejKFX/OZAbyr9vC0vVIz4teog0kMY/kaVbB4eCptabplCZiL+pGXpBkgnKGGk=,iv:lLn9Jxz1NWaEPn5GZp+DIysh+Im0x4iSyQ4gzV0ILv0=,tag:mDa3dis4zh0n8SJHyObR6g==,type:str] + lastmodified: "2023-09-26T17:24:58Z" + mac: ENC[AES256_GCM,data:La/BwZURdnIksyslsOxg/6g+Li6unWCkQGbk9lspDS/NEFEjvsIMZxoqzET3IXeYac2av/GAe1OcS5dyz3fUIVCK2PIDosc6wzEKeQ2QbdjlaysE+2CljDtnWP9V8d3iuoVGycVTOvFEafJNlykFRNt3JJDMvgtGupDNX8RhQAY=,iv:U3cZyX86XJPWVfYgJIAUZ1RsavOg103LyTtgBUAOLrE=,tag:7x3NSt63SQtdq0iayukYdw==,type:str] pgp: - created_at: "2022-01-22T04:06:16Z" enc: |-
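Review bot: The whole chart values document now sits in a single encrypted `values-overrides.yaml` string under `stringData`, so the access-control settings that were readable in the old HelmRelease (`provider`, `allowed-role: nextcloud:user`, `oidc-groups-claim`, `scope`) can no longer be checked in a diff. A later edit that drops or widens `allowed-role` would show up only as a changed ciphertext. I would keep just `clientSecret`, `cookieSecret` and the encrypted issuer and domain values in this Secret and pass the non-secret policy through plain values next to the shared release. The new Secret also carries no `metadata.namespace`, and the `allow-ingress-to-oauth2` NetworkPolicy is deleted here; both are presumably covered by the kustomization and the shared manifest, which this diff does not show.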