config_is_read_only does not work

apps/nextcloud/apache-default-vhost.conf

@@ -1,150 +0,0 @@
-<VirtualHost *:80>
-	# The ServerName directive sets the request scheme, hostname and port that
-	# the server uses to identify itself. This is used when creating
-	# redirection URLs. In the context of virtual hosts, the ServerName
-	# specifies what hostname must appear in the request's Host: header to
-	# match this virtual host. For the default virtual host (this file) this
-	# value is not decisive as it is used as a last resort host regardless.
-	# However, you must set it for any further virtual host explicitly.
-	#ServerName www.example.com
-
-	ServerAdmin webmaster@localhost
-	DocumentRoot /var/www/html
-
-	# Available loglevels: trace8, ..., trace1, debug, info, notice, warn,
-	# error, crit, alert, emerg.
-	# It is also possible to configure the loglevel for particular
-	# modules, e.g.
-	#LogLevel info ssl:warn
-
-	ErrorLog ${APACHE_LOG_DIR}/error.log
-	CustomLog ${APACHE_LOG_DIR}/access.log combined
-
-	# For most configuration files from conf-available/, which are
-	# enabled or disabled at a global level, it is possible to
-	# include a line for only one particular virtual host. For example the
-	# following line enables the CGI configuration for this host only
-	# after it has been globally disabled with "a2disconf".
-	#Include conf-available/serve-cgi-bin.conf
-	<Directory /var/www/html>
-	AllowOverride None
-	<IfModule mod_headers.c>
-	<IfModule mod_setenvif.c>
-	<IfModule mod_fcgid.c>
-	SetEnvIfNoCase ^Authorization$ "(.+)" XAUTHORIZATION=$1
-	RequestHeader set XAuthorization %{XAUTHORIZATION}e env=XAUTHORIZATION
-	</IfModule>
-	<IfModule mod_proxy_fcgi.c>
-	SetEnvIfNoCase Authorization "(.+)" HTTP_AUTHORIZATION=$1
-	</IfModule>
-	</IfModule>
-
-	<IfModule mod_env.c>
-# Add security and privacy related headers
-
-# Avoid doubled headers by unsetting headers in "onsuccess" table,
-# then add headers to "always" table: https://github.com/nextcloud/server/pull/19002
-	Header onsuccess unset Referrer-Policy
-	Header always set Referrer-Policy "no-referrer"
-
-	Header onsuccess unset X-Content-Type-Options
-	Header always set X-Content-Type-Options "nosniff"
-
-	Header onsuccess unset X-Download-Options
-	Header always set X-Download-Options "noopen"
-
-	Header onsuccess unset X-Frame-Options
-	Header always set X-Frame-Options "SAMEORIGIN"
-
-	Header onsuccess unset X-Permitted-Cross-Domain-Policies
-	Header always set X-Permitted-Cross-Domain-Policies "none"
-
-	Header onsuccess unset X-Robots-Tag
-	Header always set X-Robots-Tag "none"
-
-	Header onsuccess unset X-XSS-Protection
-	Header always set X-XSS-Protection "1; mode=block"
-
-	SetEnv modHeadersAvailable true
-	</IfModule>
-
-# Add cache control for static resources
-	<FilesMatch "\.(css|js|svg|gif)$">
-	Header set Cache-Control "max-age=15778463"
-	</FilesMatch>
-
-# Let browsers cache WOFF files for a week
-	<FilesMatch "\.woff2?$">
-	Header set Cache-Control "max-age=604800"
-	</FilesMatch>
-	</IfModule>
-	<IfModule mod_php7.c>
-	php_value mbstring.func_overload 0
-	php_value default_charset 'UTF-8'
-	php_value output_buffering 0
-	<IfModule mod_env.c>
-	SetEnv htaccessWorking true
-	</IfModule>
-	</IfModule>
-	<IfModule mod_rewrite.c>
-	RewriteEngine on
-	RewriteCond %{HTTP_USER_AGENT} DavClnt
-	RewriteRule ^$ /remote.php/webdav/ [L,R=302]
-	RewriteRule .* - [env=HTTP_AUTHORIZATION:%{HTTP:Authorization}]
-	RewriteRule ^\.well-known/host-meta /public.php?service=host-meta [QSA,L]
-	RewriteRule ^\.well-known/host-meta\.json /public.php?service=host-meta-json [QSA,L]
-	RewriteRule ^\.well-known/webfinger /public.php?service=webfinger [QSA,L]
-	RewriteRule ^\.well-known/nodeinfo /public.php?service=nodeinfo [QSA,L]
-	RewriteRule ^\.well-known/carddav /remote.php/dav/ [R=301,L]
-	RewriteRule ^\.well-known/caldav /remote.php/dav/ [R=301,L]
-	RewriteRule ^remote/(.*) remote.php [QSA,L]
-	RewriteRule ^(?:build|tests|config|lib|3rdparty|templates)/.* - [R=404,L]
-	RewriteCond %{REQUEST_URI} !^/\.well-known/(acme-challenge|pki-validation)/.*
-	RewriteRule ^(?:\.|autotest|occ|issue|indie|db_|console).* - [R=404,L]
-	</IfModule>
-	<IfModule mod_mime.c>
-	AddType image/svg+xml svg svgz
-	AddEncoding gzip svgz
-	</IfModule>
-	<IfModule mod_dir.c>
-	DirectoryIndex index.php index.html
-	</IfModule>
-	AddDefaultCharset utf-8
-	Options -Indexes
-	<IfModule pagespeed_module>
-	ModPagespeed Off
-	</IfModule>
-
-	</Directory>
-
-	<Directory /var/www/html/config>
-	AllowOverride None
-# Section for Apache 2.4 to 2.6
-	<IfModule mod_authz_core.c>
-	Require all denied
-	</IfModule>
-	<IfModule mod_access_compat.c>
-	Order Allow,Deny
-	Deny from all
-	Satisfy All
-	</IfModule>
-
-# Section for Apache 2.2
-	<IfModule !mod_authz_core.c>
-	<IfModule !mod_access_compat.c>
-	<IfModule mod_authz_host.c>
-	Order Allow,Deny
-	Deny from all
-	</IfModule>
-	Satisfy All
-	</IfModule>
-	</IfModule>
-
-# Section for Apache 2.2 to 2.6
-	<IfModule mod_autoindex.c>
-	IndexIgnore *
-	</IfModule>
-	</Directory>
-</VirtualHost>
-
-# vim: syntax=apache ts=4 sw=4 sts=4 sr noet

apps/nextcloud/config.php

@@ -3,6 +3,7 @@
 // Manually deployed by yourself
 //
 $CONFIG = array(
+    'config_is_read_only' => true,
     'htaccess.RewriteBase' => '/',
     'memcache.local' => '\\OC\\Memcache\\APCu',
     'apps_paths' => array(
@@ -50,5 +51,6 @@ $CONFIG = array(
     'dbuser' => 'nextcloud',
     'dbpassword' => 'Vb7yHzmE5HIjfU4hf89aXAmEEmxAnMdB',
     'installed' => true,
-    'default_phone_region' => 'DE'
+    'default_phone_region' => 'DE',
+    'updater.release.channel' => 'stable',
 );

apps/nextcloud/deployment.yaml

@@ -52,9 +52,9 @@ spec:
           volumeMounts:
             - name: www-data
               mountPath: /var/www/html
-            - name: nextcloud-config
+            #- name: nextcloud-config
-              mountPath: /var/www/html/config/config.php
+            #  mountPath: /var/www/html/config/config.php
-              subPath: config.php
+            #  subPath: config.php
           env:
             - name: TZ
               value: "Europe/Berlin"

apps/nextcloud/nginx-site.configmap.conf

@@ -0,0 +1,146 @@
+upstream php-handler {
+    server 127.0.0.1:9000;
+    #server unix:/var/run/php/php7.4-fpm.sock;
+}
+
+#server {
+#    listen 80;
+#    listen [::]:80;
+#    server_name cloud.example.com;
+#
+#    # Enforce HTTPS
+#    return 301 https://$server_name$request_uri;
+#}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name _;
+
+    # Use Mozilla's guidelines for SSL/TLS settings
+    # https://mozilla.github.io/server-side-tls/ssl-config-generator/
+    #ssl_certificate     /etc/ssl/nginx/cloud.example.com.crt;
+    #ssl_certificate_key /etc/ssl/nginx/cloud.example.com.key;
+
+    # HSTS settings
+    # WARNING: Only add the preload option once you read about
+    # the consequences in https://hstspreload.org/. This option
+    # will add the domain to a hardcoded list that is shipped
+    # in all major browsers and getting removed from this list
+    # could take several months.
+    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
+
+    # set max upload size
+    client_max_body_size 512M;
+    fastcgi_buffers 64 4K;
+
+    # Enable gzip but do not remove ETag headers
+    gzip on;
+    gzip_vary on;
+    gzip_comp_level 4;
+    gzip_min_length 256;
+    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+    # Pagespeed is not supported by Nextcloud, so if your server is built
+    # with the `ngx_pagespeed` module, uncomment this line to disable it.
+    #pagespeed off;
+
+    # HTTP response headers borrowed from Nextcloud `.htaccess`
+    add_header Referrer-Policy                      "no-referrer"   always;
+    add_header X-Content-Type-Options               "nosniff"       always;
+    add_header X-Download-Options                   "noopen"        always;
+    add_header X-Frame-Options                      "SAMEORIGIN"    always;
+    add_header X-Permitted-Cross-Domain-Policies    "none"          always;
+    add_header X-Robots-Tag                         "none"          always;
+    add_header X-XSS-Protection                     "1; mode=block" always;
+
+    # Remove X-Powered-By, which is an information leak
+    fastcgi_hide_header X-Powered-By;
+
+    # Path to the root of your installation
+    root /var/www/html;
+
+    # Specify how to handle directories -- specifying `/index.php$request_uri`
+    # here as the fallback means that Nginx always exhibits the desired behaviour
+    # when a client requests a path that corresponds to a directory that exists
+    # on the server. In particular, if that directory contains an index.php file,
+    # that file is correctly served; if it doesn't, then the request is passed to
+    # the front-end controller. This consistent behaviour means that we don't need
+    # to specify custom rules for certain paths (e.g. images and other assets,
+    # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
+    # `try_files $uri $uri/ /index.php$request_uri`
+    # always provides the desired behaviour.
+    index index.php index.html /index.php$request_uri;
+
+    # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
+    location = / {
+        if ( $http_user_agent ~ ^DavClnt ) {
+            return 302 /remote.php/webdav/$is_args$args;
+        }
+    }
+
+    location = /robots.txt {
+        allow all;
+        log_not_found off;
+        access_log off;
+    }
+
+    # Make a regex exception for `/.well-known` so that clients can still
+    # access it despite the existence of the regex rule
+    # `location ~ /(\.|autotest|...)` which would otherwise handle requests
+    # for `/.well-known`.
+    location ^~ /.well-known {
+        # The following 6 rules are borrowed from `.htaccess`
+
+        location = /.well-known/carddav     { return 301 /remote.php/dav/; }
+        location = /.well-known/caldav      { return 301 /remote.php/dav/; }
+        # Anything else is dynamically handled by Nextcloud
+        location ^~ /.well-known            { return 301 /index.php$uri; }
+
+        try_files $uri $uri/ =404;
+    }
+
+    # Rules borrowed from `.htaccess` to hide certain paths from clients
+    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
+    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)              { return 404; }
+
+    # Ensure this block, which passes PHP files to the PHP process, is above the blocks
+    # which handle static assets (as seen below). If this block is not declared first,
+    # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
+    # to the URI, resulting in a HTTP 500 error response.
+    location ~ \.php(?:$|/) {
+        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+        set $path_info $fastcgi_path_info;
+
+        try_files $fastcgi_script_name =404;
+
+        include fastcgi_params;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_param PATH_INFO $path_info;
+        fastcgi_param HTTPS off;
+
+        fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
+        fastcgi_param front_controller_active true;     # Enable pretty urls
+        fastcgi_pass php-handler;
+
+        fastcgi_intercept_errors on;
+        fastcgi_request_buffering off;
+    }
+
+    location ~ \.(?:css|js|svg|gif)$ {
+        try_files $uri /index.php$request_uri;
+        expires 6M;         # Cache-Control policy borrowed from `.htaccess`
+        access_log off;     # Optional: Don't log access to assets
+    }
+
+    location ~ \.woff2?$ {
+        try_files $uri /index.php$request_uri;
+        expires 7d;         # Cache-Control policy borrowed from `.htaccess`
+        access_log off;     # Optional: Don't log access to assets
+    }
+
+    location / {
+        try_files $uri $uri/ /index.php$request_uri;
+    }
+}

apps/nextcloud/supervisord.conf

@@ -1,23 +0,0 @@
-[supervisord]
-nodaemon=true
-logfile=/var/log/supervisord/supervisord.log
-pidfile=/tmp/supervisord.pid
-childlogdir=/var/log/supervisord/
-logfile_maxbytes=50MB                           ; maximum size of logfile before rotation
-logfile_backups=1                              ; number of backed up logfiles
-loglevel=error
-user=www-data
-
-[program:apache2]
-stdout_logfile=/dev/stdout
-stdout_logfile_maxbytes=0
-stderr_logfile=/dev/stderr
-stderr_logfile_maxbytes=0
-command=apache2-foreground
-
-[program:cron]
-stdout_logfile=/dev/stdout
-stdout_logfile_maxbytes=0
-stderr_logfile=/dev/stderr
-stderr_logfile_maxbytes=0
-command=/cron.sh