diff --git a/charts/nextcloud/CHANGELOG.md b/charts/nextcloud/CHANGELOG.md new file mode 100644 index 00000000..4237d071 --- /dev/null +++ b/charts/nextcloud/CHANGELOG.md @@ -0,0 +1,28 @@ +# Changelog + +This Helm-Chart increase there major version on every breaking change (or major version of Nextcloud itself) inspired by semantic releases. + +Here we list all major versions and their breaking changes for migration. + +## v7 + +- update redis to v20 (see [CHANGELOG](https://github.com/bitnami/charts/blob/main/bitnami/redis/CHANGELOG.md#2000-2024-08-09)) +- update redis to v21 (see [CHANGELOG](https://github.com/bitnami/charts/blob/main/bitnami/redis/CHANGELOG.md#2100-2025-05-06) +- update postgresql to v16 (see [CHANGELOG](https://github.com/bitnami/charts/blob/main/bitnami/postgresql/CHANGELOG.md#1600-2024-10-02)) + - maybe use [pgautoupgrade](https://github.com/pgautoupgrade/docker-pgautoupgrade) to update to v17 (helm v16), with: + ```yaml + postgresql: + primary: + initContainers: + - name: upgrade + image: "pgautoupgrade/pgautoupgrade:17-alpine" + env: + - name: "PGAUTO_ONESHOT" + value: "yes" + volumeMounts: + - mountPath: "/bitnami/postgresql" + name: "data" + ``` +- update mariadb to v19 (see [CHANGELOG](https://github.com/bitnami/charts/blob/main/bitnami/mariadb/CHANGELOG.md#1900-2024-07-11)) +- update mariadb to v20 (see [CHANGELOG](https://github.com/bitnami/charts/blob/main/bitnami/mariadb/CHANGELOG.md#2000-2024-11-08)) +- update nextcloud to v31 (see [CHANGELOG](https://nextcloud.com/changelog/#31-0-0)) diff --git a/charts/nextcloud/Chart.lock b/charts/nextcloud/Chart.lock index aacdcb41..ca16be0e 100644 --- a/charts/nextcloud/Chart.lock +++ b/charts/nextcloud/Chart.lock 
@@ -1,15 +1,15 @@ dependencies: - name: postgresql repository: oci://registry-1.docker.io/bitnamicharts - version: 15.5.0 + version: 16.7.4 - name: mariadb repository: oci://registry-1.docker.io/bitnamicharts - version: 18.2.0 + version: 20.5.5 - name: redis repository: oci://registry-1.docker.io/bitnamicharts - version: 19.6.4 + version: 21.1.3 - name: collabora-online repository: https://collaboraonline.github.io/online version: 1.1.20 -digest: sha256:00e8d82d28825fd3f46e7e7d888d1aac93ebdb5135f6a4d7e6ae0c3155881c27 -generated: "2024-12-15T19:47:53.357052+01:00" +digest: sha256:47979e007ed8bb4a53ec00c5e457da110573a6e067f24da505144f475b26981c +generated: "2025-05-18T15:22:37.968306345+02:00" diff --git a/charts/nextcloud/Chart.yaml b/charts/nextcloud/Chart.yaml index 18e222c7..147f8d4b 100644 --- a/charts/nextcloud/Chart.yaml +++ b/charts/nextcloud/Chart.yaml @@ -1,8 +1,8 @@ apiVersion: v2 name: nextcloud -version: 6.6.10 +version: 7.0.0 # renovate: image=docker.io/library/nextcloud -appVersion: 30.0.10 +appVersion: 31.0.7 description: A file sharing server that puts the control and security of your own data back into your hands. keywords: - nextcloud @@ -28,15 +28,15 @@ maintainers: url: https://jessebot.work dependencies: - name: postgresql - version: 15.5.0 + version: 16.7.4 repository: oci://registry-1.docker.io/bitnamicharts condition: postgresql.enabled - name: mariadb - version: 18.2.0 + version: 20.5.5 repository: oci://registry-1.docker.io/bitnamicharts condition: mariadb.enabled - name: redis - version: 19.6.4 + version: 21.1.3 repository: oci://registry-1.docker.io/bitnamicharts condition: redis.enabled - name: collabora-online diff --git a/charts/nextcloud/README.md b/charts/nextcloud/README.md index 7c45e1f8..30d98ef7 100644 --- a/charts/nextcloud/README.md +++ b/charts/nextcloud/README.md 
@@ -15,6 +15,7 @@ helm install my-release nextcloud/nextcloud * [Prerequisites](#prerequisites) * [Installing the Chart](#installing-the-chart) * [Uninstalling the Chart](#uninstalling-the-chart) +* [Upgrade / Breaking Changes](#upgrade--breaking-changes) * [Configuration](#configuration) * [Ingress](#ingress) * [Ingress Sticky-Sessions](#ingress-sticky-sessions) @@ -97,6 +98,11 @@ helm delete my-release The command removes all the Kubernetes components associated with the chart and deletes the release. +## Upgrade / Breaking Changes + +There is a Changelog of breaking changes here: [CHANGELOG.md](./CHANGELOG.md). +You should read it bevore updating. + ## Configuration The following table lists the configurable parameters of the nextcloud chart and their default values. diff --git a/charts/nextcloud/files/nginx.config.tpl b/charts/nextcloud/files/nginx.config.tpl index 93b9e906..65b59b08 100644 --- a/charts/nextcloud/files/nginx.config.tpl +++ b/charts/nextcloud/files/nginx.config.tpl @@ -1,7 +1,15 @@ +# Version 2024-07-17 + upstream php-handler { server 127.0.0.1:9000; } +# Set the `immutable` cache control options only for assets with a cache busting `v` argument +map $arg_v $asset_immutable { + "" ""; + default ", immutable"; +} + server { {{- if and (has "IPv4" .Values.nginx.ipFamilies) (has "IPv6" .Values.nginx.ipFamilies) }} # Both IPv4 and IPv6 are enabled @@ -14,6 +22,12 @@ server { listen {{ .Values.nginx.containerPort }}; {{- end }} + # Path to the root of your installation + root /var/www/html; + + # Prevent nginx HTTP Server Detection + server_tokens off; + # HSTS settings # WARNING: Only add the preload option once you read about # the consequences in https://hstspreload.org/. This option 
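Review bot: The new `map $arg_v $asset_immutable` block defines a variable that nothing in the visible hunks uses; the static-asset locations later in this diff still set caching with `expires 6M;` / `expires 7d;` rather than upstream's `add_header Cache-Control "public, max-age=15778463$asset_immutable";`. Unless a reference exists outside this diff, the map is dead configuration and the `immutable` behaviour its comment promises is never applied. Either drop the map or switch the asset locations to the upstream `add_header` form so cache-busted assets actually get `immutable`.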
@@ -26,8 +40,9 @@ server { {{- end }} {{- end }} - # set max upload size - client_max_body_size 10G; + # set max upload size and increase upload timeout: + client_max_body_size 512M; + client_body_timeout 300s; fastcgi_buffers 64 4K; # Enable gzip but do not remove ETag headers 
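Review bot: Lowering `client_max_body_size` from 10G to 512M is a user-visible regression for anyone uploading a large file in a single request (third-party WebDAV clients, `curl` PUTs, Nextcloud clients with chunking disabled), which will now get HTTP 413 from nginx, and it is not listed in the new v7 CHANGELOG. Chunked uploads from the web UI and desktop client presumably stay well under the limit, but that should be verified rather than assumed. Consider making the limit a chart value with 512M as the default, e.g. `client_max_body_size {{ .Values.nginx.clientMaxBodySize | default "512M" }};`, and adding a CHANGELOG entry; if the chart raises the image's PHP upload limit above 512M, nginx now becomes the effective lower bound.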
@@ -36,27 +51,30 @@ server { gzip_comp_level 4; gzip_min_length 256; gzip_proxied expired no-cache no-store private no_last_modified no_etag auth; - gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; + gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy; # Pagespeed is not supported by Nextcloud, so if your server is built # with the `ngx_pagespeed` module, uncomment this line to disable it. #pagespeed off; + # The settings allows you to optimize the HTTP2 bandwidth. 
+ # See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/ + # for tuning hints + client_body_buffer_size 512k; + # Remove X-Powered-By, which is an information leak fastcgi_hide_header X-Powered-By; - # Add .mjs as a file extension for javascript + # Set .mjs and .wasm MIME types # Either include it in the default mime.types list - # or include you can include that list explicitly and add the file extension + # and include that list explicitly or add the file extension # only for Nextcloud like below: include mime.types; types { text/javascript js mjs; + application/wasm wasm; } - # Path to the root of your installation - root /var/www/html; - # Specify how to handle directories -- specifying `/index.php$request_uri` # here as the fallback means that Nginx always exhibits the desired behaviour # when a client requests a path that corresponds to a directory that exists @@ -91,10 +109,10 @@ server { location = /.well-known/carddav { return 301 /remote.php/dav/; } location = /.well-known/caldav { return 301 /remote.php/dav/; } - # Anything else is dynamically handled by Nextcloud - location ^~ /.well-known { return 301 /index.php$uri; } - try_files $uri $uri/ =404; + # Let Nextcloud's API for `/.well-known` URIs handle all other + # requests by passing them to the front-end controller. + return 301 /index.php$request_uri; } # Rules borrowed from `.htaccess` to hide certain paths from clients 
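Review bot: Replacing the block-level `try_files $uri $uri/ =404;` with an unconditional `return 301 /index.php$request_uri;` means nothing under `/.well-known/` is served from disk any more; upstream's config keeps exact-match `location = /.well-known/acme-challenge` and `location = /.well-known/pki-validation` blocks with `try_files $uri $uri/ =404;` for exactly that reason, and whether this chart carries them is outside the hunk. If they are absent, any HTTP-01 or domain-validation challenge that relies on this pod serving a static file is redirected into the front controller and fails. In a typical ingress/cert-manager setup the challenge is answered before it reaches the pod, so this may be a non-issue, but it is worth confirming or adding the two exact-match locations.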
@@ -106,8 +124,8 @@ server { # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php` # to the URI, resulting in a HTTP 500 error response. location ~ \.php(?:$|/) { - # Required for legacy support - rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri; + # Required for legacy support + rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri; fastcgi_split_path_info ^(.+?\.php)(/.*)$; set $path_info $fastcgi_path_info; @@ -117,7 +135,7 @@ server { include fastcgi_params; fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; fastcgi_param PATH_INFO $path_info; - #fastcgi_param HTTPS on; + fastcgi_param HTTPS on; fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice fastcgi_param front_controller_active true; # Enable pretty urls @@ -125,20 +143,27 @@ server { fastcgi_intercept_errors on; fastcgi_request_buffering off; + + fastcgi_max_temp_file_size 0; } - location ~ \.(?:css|js|svg|gif)$ { + location ~ \.(?:css|js|mjs|svg|gif|ico|jpg|png|webp|wasm|tflite|map|ogg|flac)$ { try_files $uri /index.php$request_uri; expires 6M; # Cache-Control policy borrowed from `.htaccess` access_log off; # Optional: Don't log access to assets } - location ~ \.woff2?$ { + location ~ \.(otf|woff2?)$ { try_files $uri /index.php$request_uri; expires 7d; # Cache-Control policy borrowed from `.htaccess` access_log off; # Optional: Don't log access to assets } + # Rule borrowed from `.htaccess` + location /remote { + return 301 /remote.php$request_uri; + } + location / { try_files $uri $uri/ /index.php$request_uri; } diff --git a/charts/nextcloud/templates/metrics/deployment.yaml b/charts/nextcloud/templates/metrics/deployment.yaml index 7b114a87..d2cde3c0 100644 
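Review bot: Uncommenting `fastcgi_param HTTPS on;` makes PHP report every request as TLS regardless of how the pod is actually reached, while nginx here only listens on plain HTTP (`listen {{ .Values.nginx.containerPort }}`), so the flag is an assumption about the ingress, not a fact about this server. Nextcloud falls back to `$_SERVER['HTTPS']` for the request scheme when neither `overwriteprotocol` nor a trusted-proxy forwarded header applies, so deployments without TLS at the ingress (plain-HTTP ingress, `kubectl port-forward`, local testing) are likely to get `Secure` session cookies and `https://` redirects and end in a login loop. That is a breaking behavioural change for v7 that the CHANGELOG does not mention. Gate it on a chart value instead of hardcoding it, e.g. `{{- if .Values.nginx.forceHttps }}` / `fastcgi_param HTTPS on;` / `{{- end }}`, and document the default; the enclosing `location ~ \.php(?:$|/)` block starts and ends outside this hunk.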
--- a/charts/nextcloud/templates/metrics/deployment.yaml +++ b/charts/nextcloud/templates/metrics/deployment.yaml @@ -64,6 +64,8 @@ spec: value: {{ .Values.metrics.tlsSkipVerify | quote }} - name: NEXTCLOUD_INFO_APPS value: {{ .Values.metrics.info.apps | quote }} + - name: NEXTCLOUD_INFO_UPDATE + value: {{ .Values.metrics.info.update | quote }} ports: - name: metrics containerPort: 9205 diff --git a/charts/nextcloud/templates/metrics/prometheus-rules.yaml b/charts/nextcloud/templates/metrics/prometheus-rules.yaml new file mode 100644 index 00000000..deb56439 --- /dev/null +++ b/charts/nextcloud/templates/metrics/prometheus-rules.yaml 
@@ -0,0 +1,61 @@ +{{- if .Values.metrics.rules.enabled }} +{{- $fullname := include "nextcloud.fullname" . }} +apiVersion: monitoring.coreos.com/v1 +kind: PrometheusRule +metadata: + name: {{ $fullname }} + labels: + {{- include "nextcloud.labels" ( dict "rootContext" $ ) | nindent 4 }} + {{- with .Values.metrics.rules.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} +spec: + groups: + {{- with .Values.metrics.rules.defaults }} + {{- if .enabled }} + {{- $filter := .filter | default (printf `namespace="%s",job=~"^%s.*"` $.Release.Namespace $fullname) }} + - name: {{ $fullname }}-Defaults + rules: + - alert: "nextcloud: not reachable" + expr: 'avg(nextcloud_up{ {{ $filter }} }) without(endpoint,container,pod,instance) < 1' + for: 5m + labels: + severity: "critical" + {{- with .labels }} + {{- toYaml . | nindent 12 }} + {{- end }} + annotations: + {{` + summary: "Nextcloud in {{ $labels.namespace }} is not reachable by exporter" + `}} + - alert: "nextcloud: outdated version" + expr: 'sum(nextcloud_system_update_available{ {{ $filter }} }) without(endpoint,container,pod,instance) > 0' + labels: + severity: "warning" + {{- with .labels }} + {{- toYaml . | nindent 12 }} + {{- end }} + annotations: + {{` + summary: "Nextcloud in {{ $labels.namespace }} is outdated" + `}} + - alert: "nextcloud: outdated apps" + expr: 'sum(nextcloud_apps_updates_available_total{ {{ $filter }} }) without(endpoint,container,pod,instance) > 0' + labels: + severity: "warning" + {{- with .labels }} + {{- toYaml . | nindent 12 }} + {{- end }} + annotations: + {{` + summary: "Nextcloud in {{ $labels.namespace }} has {{ $value }} outdated Apps" + `}} + {{- end }} + {{- end }}{{/* end-with prometheus.rules.default */}} + {{- with .Values.metrics.rules.additionalRules }} + - name: {{ $fullname }}-Additional + rules: + {{- toYaml . | nindent 8 }} + {{- end }} +{{- end }} + diff --git a/charts/nextcloud/values.yaml b/charts/nextcloud/values.yaml index e8e374aa..931d287c 100644 
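Review bot: The "not reachable" alert at `expr: 'avg(nextcloud_up{...}) without(...) < 1'` cannot fire in the most common outage, because when the exporter pod or its scrape target is down `nextcloud_up` has no series at all and the expression evaluates to an empty vector. Make it `expr: '(avg(nextcloud_up{ {{ $filter }} }) without(endpoint,container,pod,instance) < 1) or absent(nextcloud_up{ {{ $filter }} })'` so missing data also pages (`absent()` keeps the equality-matched `namespace` label, so the `$labels.namespace` summary still renders with the default filter). Separately, the two "outdated" rules rely on `nextcloud_system_update_available` and `nextcloud_apps_updates_available_total`, which appear to exist only when `metrics.info.update` / `metrics.info.apps` are enabled — both default to false in this chart — so with defaults those alerts are silently inert; a comment on `defaults.enabled` in values.yaml would save users a surprise. Minor: `$fullname` is interpolated unescaped into the `job=~"^%s.*"` regex, so a release name containing regex metacharacters changes what is matched.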
--- a/charts/nextcloud/values.yaml +++ b/charts/nextcloud/values.yaml @@ -347,7 +347,6 @@ nginx: "Strict-Transport-Security": "" "Referrer-Policy": "no-referrer" "X-Content-Type-Options": "nosniff" - "X-Download-Options": "noopen" "X-Frame-Options": "SAMEORIGIN" "X-Permitted-Cross-Domain-Policies": "none" "X-Robots-Tag": "noindex, nofollow" @@ -778,10 +777,11 @@ metrics: # Optional: becomes NEXTCLOUD_INFO_APPS env var in the nextcloud-exporter container. # Enables gathering of apps-related metrics. Defaults to false apps: false + update: false image: repository: xperimental/nextcloud-exporter - tag: 0.6.2 + tag: 0.8.0 pullPolicy: IfNotPresent # pullSecrets: # - myRegistrKeySecretName @@ -863,6 +863,27 @@ metrics: ## labels: {} + rules: + # -- Deploy Prometheus Rules (Alerts) for the exporter + # @section -- Metrics + enabled: false + # -- Label on Prometheus Rules CRD Manifest + # @section -- Metrics + labels: {} + defaults: + # -- Add Default Rules + # @section -- Metrics + enabled: true + # -- Label on the rules (the severity is already set) + # @section -- Metrics + labels: {} + # -- Filter on metrics on alerts (default just for this helm-chart) + # @section -- Metrics + filter: "" + # -- Add own Rules to Prometheus Rules + # @section -- Metrics + additionalRules: [] + rbac: enabled: false
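Review bot: Dropping `"X-Download-Options": "noopen"` from the default security-header set is a response-header change that is not listed in the v7 CHANGELOG, and users who audit headers against a baseline will notice it. The header only ever affected legacy Internet Explorer and upstream Nextcloud presumably no longer expects it, so the removal itself looks reasonable, but a one-line CHANGELOG entry such as `- remove the legacy X-Download-Options header from the default nginx headers` would make the change intentional rather than accidental.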
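Review bot: The new `update: false` under `metrics.info` has no comment, while its sibling `apps` documents the env var it becomes and its default; the deployment hunk in this same commit maps it to `NEXTCLOUD_INFO_UPDATE`, so add the matching block: `# Optional: becomes NEXTCLOUD_INFO_UPDATE env var in the nextcloud-exporter container.` / `# Enables gathering of update-related metrics. Defaults to false`. It would also help to state that the default PrometheusRule alerts introduced in this commit (`nextcloud_system_update_available`, `nextcloud_apps_updates_available_total`) appear to need `info.update` / `info.apps` set to true to produce any signal. The exporter bump 0.6.2 → 0.8.0 is coupled to this new knob; if 0.8.0 is the first release that understands `NEXTCLOUD_INFO_UPDATE`, saying so in the comment explains why the two changes travel together.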