diff --git a/k8s/argo-apps/oxicloud.yaml b/k8s/argo-apps/oxicloud.yaml new file mode 100644 index 0000000..54553c5 --- /dev/null +++ b/k8s/argo-apps/oxicloud.yaml @@ -0,0 +1,56 @@ +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: oxicloud + namespace: argocd +spec: + destination: + name: '' + namespace: apps-roboces + server: https://kubernetes.default.svc + sources: + - path: charts/oxicloud + repoURL: https://git.roboces.dev/DioCrafts/OxiCloud.git + targetRevision: v0.5.3 + helm: + valuesObject: + image: + repository: git.roboces.dev/catalin/fukuops + pullPolicy: Always + tag: "oxicloud-0.5.3" + postgresql: + enabled: false + persistence: + enabled: true + storageClass: "truenas-nfs-csi" + accessMode: ReadWriteMany + size: 50Gi + service: + type: LoadBalancer + config: + server: + port: 8086 + host: "0.0.0.0" + baseUrl: "https://cloud.roboces.dev" + features: + enableAuth: "true" + enableSharing: "true" + mimalloc: + purgeDelay: "0" + allowLargeOsPages: "0" + secrets: + existingSecret: oxicloud + wopi: + enabled: false + ingress: + className: "traefik" + hosts: + - host: cloud.roboces.dev + paths: + - path: / + pathType: ImplementationSpecific + tls: [] + project: roboces + syncPolicy: + automated: {} diff --git a/k8s/charts/oxicloud/.helmignore b/k8s/charts/oxicloud/.helmignore new file mode 100644 index 0000000..0e8a0eb --- /dev/null +++ b/k8s/charts/oxicloud/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/k8s/charts/oxicloud/Chart.yaml b/k8s/charts/oxicloud/Chart.yaml new file mode 100644 index 0000000..50069e2 --- /dev/null +++ b/k8s/charts/oxicloud/Chart.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: v2 +name: oxicloud +description: | + Ultra-fast, secure & lightweight self-hosted cloud storage — your files, photos, calendars & contacts, all in one place. Built in Rust. +type: application +version: 0.1.0 +appVersion: "0.5.2" diff --git a/k8s/charts/oxicloud/templates/_helpers.tpl b/k8s/charts/oxicloud/templates/_helpers.tpl new file mode 100644 index 0000000..0e1d40b --- /dev/null +++ b/k8s/charts/oxicloud/templates/_helpers.tpl @@ -0,0 +1,32 @@ +{{/* Expand the name of the chart. */}} +{{- define "oxicloud.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* Create a default fully qualified app name. */}} +{{- define "oxicloud.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* Common labels */}} +{{- define "oxicloud.labels" -}} +helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{ include "oxicloud.selectorLabels" . }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* Selector labels */}} +{{- define "oxicloud.selectorLabels" -}} +app.kubernetes.io/name: {{ include "oxicloud.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/k8s/charts/oxicloud/templates/configmap.yaml b/k8s/charts/oxicloud/templates/configmap.yaml new file mode 100644 index 0000000..edd8d27 --- /dev/null +++ b/k8s/charts/oxicloud/templates/configmap.yaml @@ -0,0 +1,22 @@ +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: {{ include "oxicloud.fullname" . }}-config +data: + OXICLOUD_SERVER_PORT: {{ .Values.config.server.port | quote }} + OXICLOUD_SERVER_HOST: {{ .Values.config.server.host | quote }} + {{- if .Values.config.server.baseUrl }} + OXICLOUD_BASE_URL: {{ .Values.config.server.baseUrl | quote }} + {{- end }} + OXICLOUD_ENABLE_AUTH: {{ .Values.config.features.enableAuth | quote }} + OXICLOUD_ENABLE_FILE_SHARING: {{ .Values.config.features.enableSharing | quote }} + MIMALLOC_PURGE_DELAY: {{ .Values.config.mimalloc.purgeDelay | quote }} + MIMALLOC_ALLOW_LARGE_OS_PAGES: {{ .Values.config.mimalloc.allowLargeOsPages | quote }} + + {{- if .Values.wopi.enabled }} + OXICLOUD_WOPI_ENABLED: "true" + OXICLOUD_WOPI_DISCOVERY_URL: "{{ .Values.config.server.baseUrl }}/hosting/discovery" + {{- else }} + OXICLOUD_WOPI_ENABLED: "false" + {{- end }} diff --git a/k8s/charts/oxicloud/templates/ingress.yaml b/k8s/charts/oxicloud/templates/ingress.yaml new file mode 100644 index 0000000..ab3a14b --- /dev/null +++ b/k8s/charts/oxicloud/templates/ingress.yaml @@ -0,0 +1,64 @@ +--- +{{- if .Values.ingress.enabled -}} +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: {{ include "oxicloud.fullname" . }} + labels: + {{- include "oxicloud.labels" . | nindent 4 }} + {{- with .Values.ingress.annotations }} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + {{- if .Values.ingress.className }} + ingressClassName: {{ .Values.ingress.className }} + {{- end }} + {{- if .Values.ingress.tls }} + tls: + {{- range .Values.ingress.tls }} + - hosts: + {{- range .hosts }} + - {{ . | quote }} + {{- end }} + secretName: {{ .secretName }} + {{- end }} + {{- end }} + rules: + - host: {{ (index .Values.ingress.hosts 0).host | quote }} + http: + paths: + {{- if .Values.wopi.enabled }} + # Route Collabora traffic to the WOPI pod + - path: /browser + pathType: Prefix + backend: + service: + name: {{ include "oxicloud.fullname" $ }}-wopi + port: + number: {{ .Values.wopi.collabora.service.port }} + - path: /hosting + pathType: Prefix + backend: + service: + name: {{ include "oxicloud.fullname" $ }}-wopi + port: + number: {{ .Values.wopi.collabora.service.port }} + - path: /cool + pathType: Prefix + backend: + service: + name: {{ include "oxicloud.fullname" $ }}-wopi + port: + number: {{ .Values.wopi.collabora.service.port }} + {{- end }} + + # Default Catch-All: Route everything else to OxiCloud + - path: / + pathType: Prefix + backend: + service: + name: {{ include "oxicloud.fullname" $ }} + port: + number: {{ $.Values.service.port }} +{{- end }} diff --git a/k8s/charts/oxicloud/templates/secret.yaml b/k8s/charts/oxicloud/templates/secret.yaml new file mode 100644 index 0000000..d5aac3c --- /dev/null +++ b/k8s/charts/oxicloud/templates/secret.yaml @@ -0,0 +1,19 @@ +--- +{{- if not .Values.secrets.existingSecret }} +apiVersion: v1 +kind: Secret +metadata: + name: {{ include "oxicloud.fullname" . }}-secret + labels: + {{- include "oxicloud.labels" . | nindent 4 }} +type: Opaque +data: + {{- if .Values.secrets.jwtSecret }} + OXICLOUD_JWT_SECRET: {{ .Values.secrets.jwtSecret | b64enc | quote }} + {{- end }} + DB_PASSWORD: {{ .Values.database.password | b64enc | quote }} + {{- if .Values.wopi.enabled }} + WOPI_ADMIN_USERNAME: {{ .Values.wopi.collabora.admin.username | b64enc | quote }} + WOPI_ADMIN_PASSWORD: {{ .Values.wopi.collabora.admin.password | b64enc | quote }} + {{- end }} +{{- end }} diff --git a/k8s/charts/oxicloud/templates/service.yaml b/k8s/charts/oxicloud/templates/service.yaml new file mode 100644 index 0000000..b0a4bc8 --- /dev/null +++ b/k8s/charts/oxicloud/templates/service.yaml @@ -0,0 +1,32 @@ +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ include "oxicloud.fullname" . }} + labels: + {{- include "oxicloud.labels" . | nindent 4 }} +spec: + type: {{ .Values.service.type }} + ports: + - port: {{ .Values.service.port }} + targetPort: http + protocol: TCP + name: http + selector: + {{- include "oxicloud.selectorLabels" . | nindent 4 }} +--- +apiVersion: v1 +kind: Service +metadata: + name: {{ include "oxicloud.fullname" . }}-headless + labels: + {{- include "oxicloud.labels" . | nindent 4 }} +spec: + clusterIP: None + ports: + - port: {{ .Values.service.port }} + targetPort: http + protocol: TCP + name: http + selector: + {{- include "oxicloud.selectorLabels" . | nindent 4 }} diff --git a/k8s/charts/oxicloud/templates/statefulset.yaml b/k8s/charts/oxicloud/templates/statefulset.yaml new file mode 100644 index 0000000..2a6d68e --- /dev/null +++ b/k8s/charts/oxicloud/templates/statefulset.yaml @@ -0,0 +1,53 @@ +apiVersion: apps/v1 +kind: StatefulSet +metadata: + name: {{ include "oxicloud.fullname" . }} + labels: + {{- include "oxicloud.labels" . | nindent 4 }} +spec: + serviceName: {{ include "oxicloud.fullname" . }}-headless + replicas: {{ .Values.replicaCount }} + selector: + matchLabels: + {{- include "oxicloud.selectorLabels" . | nindent 6 }} + template: + metadata: + labels: + {{- include "oxicloud.selectorLabels" . | nindent 8 }} + spec: + containers: + - name: oxicloud + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" + imagePullPolicy: {{ .Values.image.pullPolicy }} + ports: + - name: http + containerPort: 8086 + protocol: TCP + envFrom: + - configMapRef: + name: {{ include "oxicloud.fullname" . }}-config + - secretRef: + name: {{ if .Values.secrets.existingSecret }}{{ .Values.secrets.existingSecret }}{{ else }}{{ include "oxicloud.fullname" . }}-secret{{ end }} + volumeMounts: + - name: storage-data + mountPath: /app/storage + {{- if not .Values.persistence.enabled }} + volumes: + - name: storage-data + emptyDir: {} + {{- end }} + + {{- if .Values.persistence.enabled }} + volumeClaimTemplates: + - metadata: + name: storage-data + spec: + accessModes: + - {{ .Values.persistence.accessMode }} + {{- if .Values.persistence.storageClass }} + storageClassName: {{ .Values.persistence.storageClass }} + {{- end }} + resources: + requests: + storage: {{ .Values.persistence.size }} + {{- end }} diff --git a/k8s/charts/oxicloud/templates/wopi-deployment.yaml b/k8s/charts/oxicloud/templates/wopi-deployment.yaml new file mode 100644 index 0000000..0cdc0d4 --- /dev/null +++ b/k8s/charts/oxicloud/templates/wopi-deployment.yaml @@ -0,0 +1,58 @@ +--- +{{- if .Values.wopi.enabled -}} +apiVersion: apps/v1 +kind: Deployment +metadata: + name: {{ include "oxicloud.fullname" . }}-wopi + labels: + {{- include "oxicloud.labels" . | nindent 4 }} + app.kubernetes.io/component: wopi +spec: + replicas: 1 + selector: + matchLabels: + {{- include "oxicloud.selectorLabels" . | nindent 6 }} + app.kubernetes.io/component: wopi + template: + metadata: + labels: + {{- include "oxicloud.selectorLabels" . | nindent 8 }} + app.kubernetes.io/component: wopi + spec: + containers: + - name: collabora + image: "{{ .Values.wopi.collabora.image.repository }}:{{ .Values.wopi.collabora.image.tag }}" + imagePullPolicy: {{ .Values.wopi.collabora.image.pullPolicy }} + # Required for Collabora to build chroot jails + securityContext: + capabilities: + add: + - MKNOD + ports: + - name: wopi + containerPort: 9980 + protocol: TCP + env: + - name: aliasgroup1 + value: "http://{{ .Values.wopi.collabora.domain }}" + - name: server_name + value: {{ .Values.wopi.collabora.domain | quote }} + - name: extra_params + value: {{ .Values.wopi.collabora.extraParams | quote }} + - name: username + valueFrom: + secretKeyRef: + name: {{ if .Values.secrets.existingSecret }}{{ .Values.secrets.existingSecret }}{{ else }}{{ include "oxicloud.fullname" . }}-secret{{ end }} + key: WOPI_ADMIN_USERNAME + - name: password + valueFrom: + secretKeyRef: + name: {{ if .Values.secrets.existingSecret }}{{ .Values.secrets.existingSecret }}{{ else }}{{ include "oxicloud.fullname" . }}-secret{{ end }} + key: WOPI_ADMIN_PASSWORD + readinessProbe: + httpGet: + path: /hosting/discovery + port: wopi + initialDelaySeconds: 10 + periodSeconds: 10 +{{- end }} diff --git a/k8s/charts/oxicloud/templates/wopi-service.yaml b/k8s/charts/oxicloud/templates/wopi-service.yaml new file mode 100644 index 0000000..6b27207 --- /dev/null +++ b/k8s/charts/oxicloud/templates/wopi-service.yaml @@ -0,0 +1,20 @@ +--- +{{- if .Values.wopi.enabled -}} +apiVersion: v1 +kind: Service +metadata: + name: {{ include "oxicloud.fullname" . }}-wopi + labels: + {{- include "oxicloud.labels" . | nindent 4 }} + app.kubernetes.io/component: wopi +spec: + type: ClusterIP + ports: + - port: {{ .Values.wopi.collabora.service.port }} + targetPort: wopi + protocol: TCP + name: wopi + selector: + {{- include "oxicloud.selectorLabels" . | nindent 4 }} + app.kubernetes.io/component: wopi +{{- end }} diff --git a/k8s/charts/oxicloud/values.yaml b/k8s/charts/oxicloud/values.yaml new file mode 100644 index 0000000..96ab6a9 --- /dev/null +++ b/k8s/charts/oxicloud/values.yaml @@ -0,0 +1,72 @@ +--- +replicaCount: 1 + +image: + repository: oxicloud + pullPolicy: IfNotPresent + tag: "latest" + +database: + host: "postgres.example.com" + port: 5432 + username: "postgres" + password: "change_me_in_production" + name: "oxicloud" + +config: + server: + port: 8086 + host: "0.0.0.0" + baseUrl: "http://cloud.example.com" + features: + enableAuth: "true" + enableSharing: "true" + mimalloc: + purgeDelay: "0" + allowLargeOsPages: "0" + +persistence: + enabled: true + storageClass: "" + accessMode: ReadWriteOnce + size: 50Gi + +wopi: + enabled: true + collabora: + url: "cloud.example.com" + image: + repository: collabora/code + tag: latest + pullPolicy: IfNotPresent + service: + port: 9980 + admin: + username: admin + password: "wopi_admin_password" + # In production behind an ingress, you'd likely enable SSL termination. + extraParams: "--o:ssl.enable=false --o:ssl.termination=false --o:net.frame_ancestors=http://* https://*" + +secrets: + # If existingSecret is set, the chart will NOT create a Secret and will use this one instead. + existingSecret: "" + jwtSecret: "" + oidcClientSecret: "" + +service: + type: ClusterIP + port: 8086 + +ingress: + enabled: true + className: "nginx" # Adjust to your ingress controller (e.g., traefik) + annotations: {} + hosts: + - host: cloud.example.com + paths: + - path: / + pathType: ImplementationSpecific + tls: [] + # - secretName: oxicloud-tls + # hosts: + # - cloud.example.com