From c2d1117e1bd825c48e312c6b478572f460ad8318 Mon Sep 17 00:00:00 2001
From: Philip Haupt <“der.mad.mob@gmail.com”>
Date: Sun, 12 Oct 2025 22:03:30 +0200
Subject: [PATCH] nextcloud config
---
 nextcloud/main.yaml | 334 +++++++++++++++++++++++++++++++++++++-
 nextcloud/src/values.yaml | 37 +++--
 2 files changed, 353 insertions(+), 18 deletions(-)
diff --git a/nextcloud/main.yaml b/nextcloud/main.yaml
index 8bdfd83..404f995 100644
--- a/nextcloud/main.yaml
+++ b/nextcloud/main.yaml
@@ -15,6 +15,187 @@ metadata: name: nextcloud-collabora --- apiVersion: v1 +data: + .htaccess: |- + # line below if for Apache 2.4 + + Require all denied + + # line below if for Apache 2.2 + + deny from all + + # section for Apache 2.2 and 2.4 + + IndexIgnore * + + apache-pretty-urls.config.php: |- + '/', + ); + apcu.config.php: |- + '\OC\Memcache\APCu', + ); + apps.config.php: |- + array ( + 0 => array ( + 'path' => OC::$SERVERROOT.'/apps', + 'url' => '/apps', + 'writable' => false, + ), + 1 => array ( + 'path' => OC::$SERVERROOT.'/custom_apps', + 'url' => '/custom_apps', + 'writable' => true, + ), + ), + ); + autoconfig.php: |- + 'oc_', + 'instanceid' => 'ocb8bvdm3qvt', + 'passwordsalt' => '5nGOEkkEwGE+suDFOxm/yp0Sw1XHhq', + 'secret' => 'ttxARk+gXNdBBBO3AsH5Na2MPU9uy0UHzXqAKx686ykragmC', + ); + redis.config.php: |- + '\OC\Memcache\Redis', + 'memcache.locking' => '\OC\Memcache\Redis', + 'redis' => array( + 'host' => getenv('REDIS_HOST'), + 'password' => getenv('REDIS_HOST_PASSWORD_FILE') ? trim(file_get_contents(getenv('REDIS_HOST_PASSWORD_FILE'))) : (string) getenv('REDIS_HOST_PASSWORD'), + 'dbindex' => 1, + ), + ); + + if (getenv('REDIS_HOST_PORT') !== false) { + $CONFIG['redis']['port'] = (int) getenv('REDIS_HOST_PORT'); + } elseif (getenv('REDIS_HOST')[0] != '/') { + $CONFIG['redis']['port'] = 6379; + } + } + reverse-proxy.config.php: |- + 'smtp', + 'mail_smtphost' => getenv('SMTP_HOST'), + 'mail_smtpport' => getenv('SMTP_PORT') ?: (getenv('SMTP_SECURE') ? 
465 : 25), + 'mail_smtpsecure' => getenv('SMTP_SECURE') ?: '', + 'mail_smtpauth' => getenv('SMTP_NAME') && (getenv('SMTP_PASSWORD') || getenv('SMTP_PASSWORD_FILE')), + 'mail_smtpauthtype' => getenv('SMTP_AUTHTYPE') ?: 'LOGIN', + 'mail_smtpname' => getenv('SMTP_NAME') ?: '', + 'mail_from_address' => getenv('MAIL_FROM_ADDRESS'), + 'mail_domain' => getenv('MAIL_DOMAIN'), + ); + + if (getenv('SMTP_PASSWORD_FILE')) { + $CONFIG['mail_smtppassword'] = trim(file_get_contents(getenv('SMTP_PASSWORD_FILE'))); + } elseif (getenv('SMTP_PASSWORD')) { + $CONFIG['mail_smtppassword'] = getenv('SMTP_PASSWORD'); + } else { + $CONFIG['mail_smtppassword'] = ''; + } + } + upgrade-disable-web.config.php: |- + true, + ); +kind: ConfigMap +metadata: + labels: + app.kubernetes.io/instance: nextcloud + app.kubernetes.io/managed-by: Helm + app.kubernetes.io/name: nextcloud + app.kubernetes.io/version: 32.0.0 + helm.sh/chart: nextcloud-8.4.0 + name: nextcloud-config +--- +apiVersion: v1 kind: Service metadata: labels: @@ -105,7 +286,7 @@ spec: metadata: annotations: hooks-hash: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a - nextcloud-config-hash: 8266a725d5474acb6adbf9f0609a3494dc3340a3ac306db90eac9ddb1b851960 + nextcloud-config-hash: 5681a970550c159a349016d58d80be2fe35713759754bb0dfd631f21f38ee6bc php-config-hash: 44136fa355b3678a1146ad16f7e8649e94fb4fc21fe77e8310c060f61caaff8a labels: app.kubernetes.io/component: app 
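Review bot: The `'passwordsalt'` and `'secret'` values are committed as plain literals in the added `nextcloud-config` ConfigMap data, so anyone who can read the repository or list ConfigMaps in the namespace can read them, whereas every other credential in this manifest arrives through `secretKeyRef`. The same literals are added under `configs.custom.php` in the last `nextcloud/src/values.yaml` hunk, which looks like the source this manifest is rendered from, so the fix belongs there. Keep them in the `nextcloud` Secret and read them at load time, e.g. `'secret' => getenv('<SECRET_ENV_NAME>'),` (placeholder name), the way `redis.config.php` already does for its password. The committed values remain in git history and should be treated as disclosed; changing `secret` probably affects data already encrypted with it, so plan that step rather than doing it blind. The PHP bodies on this page lost their opening lines in extraction, so which file key the literals sit under is inferred.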
@@ -145,9 +326,47 @@ spec: key: nextcloud-password name: nextcloud - name: NEXTCLOUD_TRUSTED_DOMAINS - value: cloud.borninpain.de + value: localhost cloud.borninpain.de iam.borninpain.de - name: NEXTCLOUD_DATA_DIR value: /var/www/html/data + - name: MAIL_FROM_ADDRESS + value: noreply + - name: MAIL_DOMAIN + value: borninpain.de + - name: SMTP_SECURE + value: "" + - name: SMTP_PORT + value: "587" + - name: SMTP_AUTHTYPE + value: LOGIN + - name: SMTP_HOST + valueFrom: + secretKeyRef: + key: smtp-host + name: nextcloud + - name: SMTP_NAME + valueFrom: + secretKeyRef: + key: smtp-username + name: nextcloud + - name: SMTP_PASSWORD + valueFrom: + secretKeyRef: + key: smtp-password + name: nextcloud + - name: REDIS_HOST + value: redis-master.redis.svc.cluster.local + - name: REDIS_HOST_PORT + value: "6379" + - name: REDIS_HOST_PASSWORD + valueFrom: + secretKeyRef: + key: redis-pass + name: nextcloud + - name: TRUSTED_PROXIES + value: 172.19.0.0/16 10.0.0.0/16 + - name: FORWARDED_FOR_HEADERS + value: HTTP_X_FORWARDED HTTP_FORWARDED_FOR image: nextcloud:32.0.0-apache imagePullPolicy: IfNotPresent livenessProbe: @@ -158,8 +377,8 @@ spec: value: cloud.borninpain.de path: /status.php port: 80 - initialDelaySeconds: 1000 - periodSeconds: 1000 + initialDelaySeconds: 10 + periodSeconds: 10 successThreshold: 1 timeoutSeconds: 5 name: nextcloud @@ -175,8 +394,8 @@ spec: value: cloud.borninpain.de path: /status.php port: 80 - initialDelaySeconds: 1000 - periodSeconds: 1000 + initialDelaySeconds: 10 + periodSeconds: 10 successThreshold: 1 timeoutSeconds: 5 resources: {} 
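Review bot: `FORWARDED_FOR_HEADERS` is set to `HTTP_X_FORWARDED HTTP_FORWARDED_FOR` while `TRUSTED_PROXIES` trusts two whole /16 ranges, so the client address Nextcloud records depends on headers the ingress may neither set nor strip. If the proxy in front only overwrites `X-Forwarded-For`, a client-supplied `X-Forwarded` or `Forwarded-For` value passes through it and is believed, which weakens brute-force throttling and the audit log; any workload inside either range gets the same trust directly. Consider `value: HTTP_X_FORWARDED_FOR` (or whichever header the ingress is known to overwrite) and narrowing `TRUSTED_PROXIES` to the ingress controller's addresses. This assumes `reverse-proxy.config.php` maps both variables to the matching Nextcloud settings, since its body is not readable here. The cron container hunk (`@@ -236,9 +485,47 @@`) repeats the same entries.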
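Review bot: With `initialDelaySeconds: 10` and `periodSeconds: 10` on the liveness probe, a first-boot install or a version upgrade that keeps `/status.php` unreachable for longer than the failure window gets the container restarted in the middle of the migration. The failure threshold and any startupProbe lie outside this hunk, so this may already be covered. If it is not, keep the short values on the readiness probe in the following hunk and give liveness a startup probe or a longer delay, e.g. `initialDelaySeconds: 120`.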
@@ -202,6 +421,36 @@ spec: - mountPath: /var/www/html/themes name: nextcloud-main subPath: themes + - mountPath: /var/www/html/config/custom.php + name: nextcloud-config + subPath: custom.php + - mountPath: /var/www/html/config/.htaccess + name: nextcloud-config + subPath: .htaccess + - mountPath: /var/www/html/config/apache-pretty-urls.config.php + name: nextcloud-config + subPath: apache-pretty-urls.config.php + - mountPath: /var/www/html/config/apcu.config.php + name: nextcloud-config + subPath: apcu.config.php + - mountPath: /var/www/html/config/apps.config.php + name: nextcloud-config + subPath: apps.config.php + - mountPath: /var/www/html/config/autoconfig.php + name: nextcloud-config + subPath: autoconfig.php + - mountPath: /var/www/html/config/redis.config.php + name: nextcloud-config + subPath: redis.config.php + - mountPath: /var/www/html/config/reverse-proxy.config.php + name: nextcloud-config + subPath: reverse-proxy.config.php + - mountPath: /var/www/html/config/smtp.config.php + name: nextcloud-config + subPath: smtp.config.php + - mountPath: /var/www/html/config/upgrade-disable-web.config.php + name: nextcloud-config + subPath: upgrade-disable-web.config.php - command: - /cron.sh env: 
@@ -236,9 +485,47 @@ spec: key: nextcloud-password name: nextcloud - name: NEXTCLOUD_TRUSTED_DOMAINS - value: cloud.borninpain.de + value: localhost cloud.borninpain.de iam.borninpain.de - name: NEXTCLOUD_DATA_DIR value: /var/www/html/data + - name: MAIL_FROM_ADDRESS + value: noreply + - name: MAIL_DOMAIN + value: borninpain.de + - name: SMTP_SECURE + value: "" + - name: SMTP_PORT + value: "587" + - name: SMTP_AUTHTYPE + value: LOGIN + - name: SMTP_HOST + valueFrom: + secretKeyRef: + key: smtp-host + name: nextcloud + - name: SMTP_NAME + valueFrom: + secretKeyRef: + key: smtp-username + name: nextcloud + - name: SMTP_PASSWORD + valueFrom: + secretKeyRef: + key: smtp-password + name: nextcloud + - name: REDIS_HOST + value: redis-master.redis.svc.cluster.local + - name: REDIS_HOST_PORT + value: "6379" + - name: REDIS_HOST_PASSWORD + valueFrom: + secretKeyRef: + key: redis-pass + name: nextcloud + - name: TRUSTED_PROXIES + value: 172.19.0.0/16 10.0.0.0/16 + - name: FORWARDED_FOR_HEADERS + value: HTTP_X_FORWARDED HTTP_FORWARDED_FOR image: nextcloud:32.0.0-apache imagePullPolicy: IfNotPresent name: nextcloud-cron 
@@ -265,12 +552,45 @@ spec: - mountPath: /var/www/html/themes name: nextcloud-main subPath: themes + - mountPath: /var/www/html/config/custom.php + name: nextcloud-config + subPath: custom.php + - mountPath: /var/www/html/config/.htaccess + name: nextcloud-config + subPath: .htaccess + - mountPath: /var/www/html/config/apache-pretty-urls.config.php + name: nextcloud-config + subPath: apache-pretty-urls.config.php + - mountPath: /var/www/html/config/apcu.config.php + name: nextcloud-config + subPath: apcu.config.php + - mountPath: /var/www/html/config/apps.config.php + name: nextcloud-config + subPath: apps.config.php + - mountPath: /var/www/html/config/autoconfig.php + name: nextcloud-config + subPath: autoconfig.php + - mountPath: /var/www/html/config/redis.config.php + name: nextcloud-config + subPath: redis.config.php + - mountPath: /var/www/html/config/reverse-proxy.config.php + name: nextcloud-config + subPath: reverse-proxy.config.php + - mountPath: /var/www/html/config/smtp.config.php + name: nextcloud-config + subPath: smtp.config.php + - mountPath: /var/www/html/config/upgrade-disable-web.config.php + name: nextcloud-config + subPath: upgrade-disable-web.config.php securityContext: fsGroup: 33 volumes: - name: nextcloud-main persistentVolumeClaim: claimName: nextcloud-nextcloud + - configMap: + name: nextcloud-config + name: nextcloud-config --- apiVersion: apps/v1 kind: Deployment diff --git a/nextcloud/src/values.yaml b/nextcloud/src/values.yaml index 87dbd25..426c1fb 100644 --- a/nextcloud/src/values.yaml +++ b/nextcloud/src/values.yaml 
@@ -93,18 +93,21 @@ nextcloud: persistence: subPath: # if set, we'll template this list to the NEXTCLOUD_TRUSTED_DOMAINS env var - trustedDomains: [] + trustedDomains: + - localhost + - cloud.borninpain.de + - iam.borninpain.de ## SMTP configuration mail: - enabled: false + enabled: true # the user we send email as - fromAddress: user + fromAddress: noreply # the domain we send email from - domain: domain.com + domain: borninpain.de smtp: - host: domain.com - secure: ssl - port: 465 + host: mxe965.netcup.net + secure: "" + port: 587 authtype: LOGIN name: user password: pass @@ -200,11 +203,11 @@ nextcloud: # Reverse proxy default configuration reverse-proxy.config.php: true # S3 Object Storage as primary storage - s3.config.php: true + s3.config.php: false # SMTP default configuration via environment variables smtp.config.php: true # Swift Object Storage as primary storage - swift.config.php: true + swift.config.php: false # disables the web based updater as the default nextcloud docker image does not support it upgrade-disable-web.config.php: true # -- imaginary support config @@ -212,7 +215,15 @@ nextcloud: # Extra config files created in /var/www/html/config/ # ref: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#multiple-config-php-file - configs: {} + configs: + custom.php: |- + 'oc_', + 'instanceid' => 'ocb8bvdm3qvt', + 'passwordsalt' => '5nGOEkkEwGE+suDFOxm/yp0Sw1XHhq', + 'secret' => 'ttxARk+gXNdBBBO3AsH5Na2MPU9uy0UHzXqAKx686ykragmC', + ); # For example, to enable image and text file previews: # previews.config.php: |- #
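Review bot: `secure: ""` together with `port: 587` and `authtype: LOGIN` leaves encryption of the SMTP login to whatever STARTTLS negotiation the mailer performs, and the rendered `mail_smtpsecure` then becomes an empty string. Confirm that the Nextcloud version deployed here refuses to authenticate when the server does not offer STARTTLS; otherwise an on-path downgrade exposes the mailbox credentials. If the provider supports implicit TLS, `secure: ssl` with `port: 465` (the values this hunk removes) avoids the question entirely.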