
Add nginx configuration for nextcloud

sonicaj 3 жил өмнө
parent
commit
3e731e377f

+ 5 - 0
test/nextcloud/1.3.6/ix_values.yaml

@@ -2,3 +2,8 @@ image:
   pullPolicy: IfNotPresent
   repository: nextcloud
   tag: '22.2'
+nginx:
+  image:
+    repository: nginx
+    tag: 1.21.3
+    pullPolicy: IfNotPresent
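Review bot: `tag: 1.21.3` is unquoted while the sibling entry above uses `tag: '22.2'`. It parses as a string today only because it has two dots, so a later bump to a two-part tag would silently become a float; write `tag: '1.21.3'` to match. The tag is also mutable, so the nginx image that terminates TLS for this chart can change without a chart change. Pinning by digest would make it reproducible, though whether the chart's image helper accepts a digest is not visible in this hunk.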

+ 79 - 0
test/nextcloud/1.3.6/templates/_nginx.tpl

@@ -0,0 +1,79 @@
+{{/*
+Retrieve true/false if certificate is configured
+*/}}
+{{- define "nginx.certAvailable" -}}
+{{- if .Values.certificate -}}
+{{- $values := (. | mustDeepCopy) -}}
+{{- $_ := set $values "commonCertOptions" (dict "certKeyName" $values.Values.certificate) -}}
+{{- template "common.resources.cert_present" $values -}}
+{{- else -}}
+{{- false -}}
+{{- end -}}
+{{- end -}}
+
+
+{{/*
+Retrieve public key of certificate
+*/}}
+{{- define "nginx.cert.publicKey" -}}
+{{- $values := (. | mustDeepCopy) -}}
+{{- $_ := set $values "commonCertOptions" (dict "certKeyName" $values.Values.certificate "publicKey" true) -}}
+{{ include "common.resources.cert" $values }}
+{{- end -}}
+
+
+{{/*
+Retrieve private key of certificate
+*/}}
+{{- define "nginx.cert.privateKey" -}}
+{{- $values := (. | mustDeepCopy) -}}
+{{- $_ := set $values "commonCertOptions" (dict "certKeyName" $values.Values.certificate) -}}
+{{ include "common.resources.cert" $values }}
+{{- end -}}
+
+
+{{/*
+Retrieve configured protocol scheme for nextcloud
+*/}}
+{{- define "nginx.scheme" -}}
+{{- if eq (include "nginx.certAvailable" .) "true" -}}
+{{- print "https" -}}
+{{- else -}}
+{{- print "http" -}}
+{{- end -}}
+{{- end -}}
+
+
+{{/*
+Retrieve nginx certificate secret name
+*/}}
+{{- define "nginx.secretName" -}}
+{{- print "nginx-secret" -}}
+{{- end -}}
+
+
+{{/*
+Formats volumeMount for tls keys and trusted certs
+*/}}
+{{- define "nginx.tlsKeysVolumeMount" -}}
+{{- if eq (include "nginx.certAvailable" .) "true" -}}
+- name: cert-secret-volume
+  mountPath: "/etc/nginx"
+{{- end -}}
+{{- end -}}
+
+{{/*
+Formats volume for tls keys and trusted certs
+*/}}
+{{- define "nginx.tlsKeysVolume" -}}
+{{- if eq (include "nginx.certAvailable" .) "true" -}}
+- name: cert-secret-volume
+  secret:
+    secretName: {{ include "nginx.secretName" . }}
+    items:
+    - key: certPublicKey
+      path: public.crt
+    - key: certPrivateKey
+      path: private.key
+{{- end -}}
+{{- end -}}
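Review bot: `nginx.tlsKeysVolumeMount` mounts the secret at `/etc/nginx`, and a volume mount replaces the directory contents, so the image's own configuration directory is shadowed and only `public.crt` and `private.key` remain there unless other files are mounted in separately (not shown in this commit). A dedicated read-only path avoids that: `mountPath: "/etc/nginx-certs"` plus `readOnly: true`, with the `ssl_certificate` paths in nginx-configmap.yaml adjusted to match. In `nginx.tlsKeysVolume` the private key is projected with the default file mode; adding `defaultMode: 0400` under `secret:` would stop other users in the container from reading it, assuming the nginx master process reads the key as the file owner.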

+ 52 - 0
test/nextcloud/1.3.6/templates/nginx-configmap.yaml

@@ -0,0 +1,52 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: "nginx-configuration"
+data:
+  config: |-
+    http {
+      # redirects all http requests to https requests
+      server {
+        listen 80 default_server;
+        listen [::]:80 default_server;
+        return 301 https://$host$request_uri;
+      }
+
+      server {
+        server_name localhost;
+
+        listen 443 ssl http2;
+        listen [::]:433 ssl http2;
+
+        ssl_certificate /etc/nginx/public.crt
+        ssl_certificate_key /etc/nginx/private.key
+
+        ssl_session_timeout 120m;
+        ssl_session_cache   shared:ssl:16m;
+
+        ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3;
+        ssl_prefer_server_ciphers on;
+        ssl_ciphers EECDH+ECDSA+AESGCM:EECDH+aRSA+AESGCM:EECDH+ECDSA:EDH+aRSA:EECDH:!RC4:!aNULL:!eNULL:!LOW:!3DES:!MD5:!EXP:!PSK:!SRP:!DSS;
+
+        add_header Strict-Transport-Security max-age=31536000;
+        add_header X-Content-Type-Options nosniff;
+        add_header X-XSS-Protection "1";
+
+
+        # maximum 3GB Upload File; change to fit your needs
+        client_max_body_size 3G;
+
+        location / {
+          # We clear this as we will be adding it in our reverse proxy
+          more_clear_headers 'Strict-Transport-Security';
+          proxy_pass http://localhost:80;
+          # set proper x-forwarded-headers
+          # proxy_set_header 'X-Forwarded-Host' nextcloud.domain.tld;
+          # proxy_set_header 'X-Forwarded-Proto' https;
+          # -For and -IP:
+          # see https://stackoverflow.com/questions/19366090/what-is-the-difference-between-x-forwarded-for-and-x-forwarded-ip
+          proxy_set_header 'X-Forwarded-For' $remote_addr;
+          proxy_set_header 'X-Forwarded-IP' $remote_addr;
+        }
+      }
+    }
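Review bot: The TLS server block will not load as written and offers deprecated protocols: both `ssl_certificate` directives lack the terminating `;`, the IPv6 listener is on `[::]:433` rather than 443, and `ssl_protocols` still enables TLSv1 and TLSv1.1. `more_clear_headers` comes from the headers-more module, which as far as I know the stock `nginx` image set in ix_values.yaml does not ship, so that directive is likely to be rejected. If it is accepted, it strips the `Strict-Transport-Security` header that the server block adds a few lines earlier. The port-80 redirect server and `proxy_pass http://localhost:80` also use the same port, so if nginx shares the pod's network namespace with Nextcloud the result is a bind conflict or a redirect loop; the upstream should be on a different port. `X-Forwarded-Proto` is left commented out, so the backend cannot tell that the client connection was HTTPS.

```yaml
        # … unchanged: port-80 redirect server, server_name …
        listen 443 ssl http2;
        listen [::]:443 ssl http2;

        ssl_certificate /etc/nginx/public.crt;
        ssl_certificate_key /etc/nginx/private.key;

        # … unchanged: ssl_session_timeout, ssl_session_cache …
        ssl_protocols TLSv1.2 TLSv1.3;
        # … unchanged: ciphers, response headers, upload limit …

        location / {
          # … unchanged: proxy_pass and X-Forwarded-For/-IP headers …
          proxy_set_header 'X-Forwarded-Proto' https;
        }
```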