apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: nextcloud
  namespace: nextcloud
spec:
  chart:
    spec:
      chart: nextcloud
      version: 6.x
      sourceRef:
        kind: HelmRepository
        name: nextcloud
  interval: 15m
  releaseName: nextcloud
  values:
    image:
      pullPolicy: Always

    ingress:
      enabled: true
      className: traefik
      annotations:
        traefik.ingress.kubernetes.io/router.entrypoints: websecure
        traefik.ingress.kubernetes.io/router.tls: "true"
      tls:
        - hosts:
            - nextcloud.michaelthomson.dev
          secretName: letsencrypt-wildcard-cert-michaelthomson.dev
      labels: {}
      path: /
      pathType: Prefix

    phpClientHttpsFix:
      enabled: true

    nextcloud:
      host: nextcloud.michaelthomson.dev
      username: admin
      password: admin
      datadir: /data

      configs:
        proxy.config.php: |-
          <?php
          $CONFIG = array (
            'trusted_proxies' => array(
              0 => '127.0.0.1',
              1 => '10.0.0.0/8',
            ),
            'forwarded_for_headers' => array('HTTP_X_FORWARDED_FOR'),
          );
        sqlite.config.php: |-
          <?php
          $CONFIG = array (
            'sqlite.journal_mode' => 'WAL',
          );
        previews.config.php: |-
          <?php
          $CONFIG = array (
            'enable_previews' => true,
            'enabledPreviewProviders' => array (
              'OC\Preview\Movie',
              'OC\Preview\PNG',
              'OC\Preview\JPEG',
              'OC\Preview\GIF',
              'OC\Preview\BMP',
              'OC\Preview\XBitmap',
              'OC\Preview\MP3',
              'OC\Preview\MP4',
              'OC\Preview\TXT',
              'OC\Preview\MarkDown',
              'OC\Preview\PDF'
            ),
          );

    internalDatabase:
      enabled: false

    externalDatabase:
      enabled: true
      type: postgresql
      existingSecret:
        enable: true
        secretName: postgres-secret
        usernameKey: username
        passwordKey: password


    postgresql:
      enabled: true
      global:
        postgresql:
          auth:
            existingSecret: postgres-secret
            secretKeys:
              adminPasswordKey: password
              userPasswordKey: password
              replicationPasswordKey: password
      primary:
        persistence:
          enabled: true
          existingClaim: pvc-postgres

    persistence:
      enabled: true
      storageClass: longhorn
      accessMode: ReadWriteOnce
      size: 8Gi

      nextcloudData:
        enabled: true
        storageClass: nfs-client
        accessMode: ReadWriteOnce
        size: 14Ti
    redis:
      enabled: true
      auth:
        existingSecret: nextcloud-redis-secret
        existingSecretPasswordKey: password
      global:
        storageClass: longhorn

    collabora:
      enabled: true

      image:
        tag: 24.04.11.1.1

      collabora:
        extra_params: --o:ssl.enable=false --o:ssl.termination=true

        existingSecret:
          enabled: true
          secretName: "collabora-secret"
          usernameKey: "username"
          passwordKey: "password"

      # securityContext:
      #   runAsNonRoot: true
      #   privileged: true
      #   capabilities:
      #     add:
      #       - SYS_ADMIN
      #       - MKNOD

      ingress:
        enabled: true
        annotations:
          traefik.ingress.kubernetes.io/router.entrypoints: websecure
          traefik.ingress.kubernetes.io/router.tls: "true"
        hosts:
          - host: collabora.michaelthomson.dev
            paths:
            - path: /
              pathType: ImplementationSpecific
        tls:
          - hosts:
              - collabora.michaelthomson.dev
            secretName: letsencrypt-wildcard-cert-michaelthomson.dev

    cronjob:
      enabled: true

    livenessProbe:
      enabled: false
    readinessProbe:
      enabled: false