feat: add ocis

Author: layertwo

clusters/home/apps/cloud/ocis/app/ingressroute.yml

@@ -0,0 +1,24 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: ocis
+  namespace: owncloud
+  annotations:
+      external-dns.alpha.kubernetes.io/enabled: "true"
+      external-dns.alpha.kubernetes.io/hostname: "oc.layertwo.dev"
+      external-dns.alpha.kubernetes.io/target: "proxy-external.layertwo.dev"
+      cert-manager.io/cluster-issuer: letsencrypt-prod-dns
+      kubernetes.io/ingress.class: external
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`oc.layertwo.dev`)
+      kind: Rule
+      services:
+        - name: ocis
+          port: 9200
+      middlewares:
+        - name: secure-headers
+          namespace: traefik-external

clusters/home/apps/cloud/ocis/app/kustomization.yml

@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - release.yml
+  - ingressroute.yml
+  - secrets-ocis.sops.yml

clusters/home/apps/cloud/ocis/app/release.yml

@@ -0,0 +1,129 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: ocis
+  namespace: owncloud
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: charts/ocis
+      version: 0.7.0
+      sourceRef:
+        kind: GitRepository
+        name: ocis
+        namespace: flux-system
+      interval: 12h
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      retries: 3
+  values:
+    # oCIS configuration
+    externalDomain: oc.layertwo.dev
+    
+    features:
+      externalUserManagement:
+        enabled: true
+        oidc:
+          issuerURI: &oidc_isser https://authentik.layertwo.dev/application/o/owncloud/
+          webClientID: owncloud
+          userIDClaim: preferred_username
+          userIDClaimAttributeMapping: username
+    
+    # Image configuration
+    image:
+      repository: owncloud/ocis
+      tag: 5.0.0
+      pullPolicy: IfNotPresent
+    
+    # Ingress configuration (disabled - using Traefik IngressRoute)
+    ingress:
+      enabled: false
+    
+    # Service configuration
+    services:
+      proxy:
+        service:
+          type: ClusterIP
+          port: 9200
+    
+    # Environment variables
+    env:
+      OCIS_INSECURE: "false"
+      OCIS_LOG_LEVEL: "info"
+      OCIS_LOG_COLOR: "false"
+      OCIS_LOG_PRETTY: "false"
+      
+      # Admin user configuration
+      OCIS_ADMIN_USER_ID: "admin"
+      IDM_ADMIN_PASSWORD:
+        valueFrom:
+          secretKeyRef:
+            name: ocis-secrets
+            key: admin-password
+      
+      # JWT secret
+      OCIS_JWT_SECRET:
+        valueFrom:
+          secretKeyRef:
+            name: ocis-secrets
+            key: jwt-secret
+      
+      # Transfer secret
+      OCIS_TRANSFER_SECRET:
+        valueFrom:
+          secretKeyRef:
+            name: ocis-secrets
+            key: transfer-secret
+      
+      # Machine auth API key
+      OCIS_MACHINE_AUTH_API_KEY:
+        valueFrom:
+          secretKeyRef:
+            name: ocis-secrets
+            key: machine-auth-api-key
+      
+      # OIDC Configuration
+      PROXY_OIDC_ISSUER: *oidc_isser
+      WEB_OIDC_CLIENT_ID: "owncloud"
+      WEB_OIDC_CLIENT_SECRET:
+        valueFrom:
+          secretKeyRef:
+            name: ocis-secrets
+            key: oidc-client-secret
+      PROXY_OIDC_INSECURE: "false"
+      OCIS_OIDC_ISSUER: *oidc_isser
+      
+      # User management
+      PROXY_USER_OIDC_CLAIM: "preferred_username"
+      PROXY_USER_CS3_CLAIM: "username"
+      
+      # Auto provision users from OIDC
+      PROXY_AUTOPROVISION_ACCOUNTS: "true"
+      PROXY_ROLE_ASSIGNMENT_DRIVER: "oidc"
+    
+    # Persistence
+    persistence:
+      enabled: true
+      storageClassName: truenas-iscsi
+      size: 100Gi
+    
+    # Resources
+    resources:
+      requests:
+        cpu: 500m
+        memory: 1Gi
+      limits:
+        cpu: 2000m
+        memory: 4Gi
+    
+    # Security context
+    securityContext:
+      runAsUser: 1000
+      runAsGroup: 1000
+      fsGroup: 1000

clusters/home/apps/cloud/ocis/app/secrets-ocis.sops.yml

@@ -0,0 +1,25 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ocis-secrets
+  namespace: owncloud
+type: Opaque
+stringData:
+  # IMPORTANT: Replace these with actual secure values and encrypt with SOPS
+  # Run: sops -e -i clusters/home/apps/owncloud/app/secrets-ocis.sops.yml
+  
+  # Admin password for the default admin user
+  admin-password: changeme-admin-password
+  
+  # JWT secret for token signing (generate with: openssl rand -base64 32)
+  jwt-secret: changeme-jwt-secret-generate-random-32-bytes
+  
+  # Transfer secret for file transfers (generate with: openssl rand -base64 32)
+  transfer-secret: changeme-transfer-secret-generate-random-32-bytes
+  
+  # Machine auth API key (generate with: openssl rand -base64 32)
+  machine-auth-api-key: changeme-machine-auth-api-key-generate-random-32-bytes
+  
+  # OIDC client secret from Authentik
+  oidc-client-secret: changeme-get-from-authentik-provider

clusters/home/apps/cloud/ocis/kustomization.yml

@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yml
+  - app

clusters/home/apps/cloud/ocis/namespace.yml

@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: owncloud

clusters/home/charts/git/ocis.yml

@@ -0,0 +1,16 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: GitRepository
+metadata:
+  name: ocis
+  namespace: flux-system
+spec:
+  interval: 30m
+  url: https://github.com/owncloud/ocis-charts.git
+  ref:
+    branch: main
+  ignore: |-
+    # exclude all
+    /*
+    # include charts directory
+    !/charts/