Merge remote-tracking branch 'refs/remotes/origin/main'

# Conflicts:
#	charts/nextcloud/Chart.lock
#	charts/nextcloud/Chart.yaml

Author: MichaelSp

CODE_OF_CONDUCT.md

@@ -4,6 +4,6 @@ Our code of conduct offers some guidance to ensure Nextcloud participants can co
 
 The Code of Conduct is shared by all contributors and users who engage with the Nextcloud team and its community services. It presents a summary of the shared values and “common sense” thinking in our community.
 
-You can find our full code of conduct on our website: https://nextcloud.com/code-of-conduct/
+You can find our full code of conduct on our website: https://nextcloud.com/contribute/code-of-conduct/
 
 Please, keep our CoC in mind when you contribute! That way, everyone can be a part of our community in a productive, positive, creative and fun way.

charts/nextcloud/CHANGELOG.md

@@ -0,0 +1,28 @@
+# Changelog
+
+This Helm-Chart increase there major version on every breaking change (or major version of Nextcloud itself) inspired by semantic releases.
+
+Here we list all major versions and their breaking changes for migration.
+
+## v7
+
+- update redis to v20 (see [CHANGELOG](https://github.com/bitnami/charts/blob/main/bitnami/redis/CHANGELOG.md#2000-2024-08-09))
+- update redis to v21 (see [CHANGELOG](https://github.com/bitnami/charts/blob/main/bitnami/redis/CHANGELOG.md#2100-2025-05-06)
+- update postgresql to v16 (see [CHANGELOG](https://github.com/bitnami/charts/blob/main/bitnami/postgresql/CHANGELOG.md#1600-2024-10-02))
+    - maybe use [pgautoupgrade](https://github.com/pgautoupgrade/docker-pgautoupgrade) to update to v17 (helm v16), with:
+      ```yaml
+      postgresql:
+        primary:
+          initContainers:
+            - name: upgrade
+              image: "pgautoupgrade/pgautoupgrade:17-alpine"
+              env:
+                - name: "PGAUTO_ONESHOT"
+                  value: "yes"
+              volumeMounts:
+                - mountPath: "/bitnami/postgresql"
+                  name: "data"
+      ```
+- update mariadb to v19 (see [CHANGELOG](https://github.com/bitnami/charts/blob/main/bitnami/mariadb/CHANGELOG.md#1900-2024-07-11))
+- update mariadb to v20 (see [CHANGELOG](https://github.com/bitnami/charts/blob/main/bitnami/mariadb/CHANGELOG.md#2000-2024-11-08))
+- update nextcloud to v31 (see [CHANGELOG](https://nextcloud.com/changelog/#31-0-0))

charts/nextcloud/Chart.lock

@@ -1,15 +1,15 @@
 dependencies:
 - name: postgresql
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 16.3.5
+  version: 16.7.4
 - name: mariadb
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 19.1.0
+  version: 20.5.5
 - name: redis
   repository: oci://registry-1.docker.io/bitnamicharts
-  version: 20.6.1
+  version: 21.1.3
 - name: collabora-online
   repository: https://collaboraonline.github.io/online
-  version: 1.1.37
-digest: sha256:86ab70cb28abb7f15d6dc12d58b39a80d5325bf9ceb0959073d0129fd7ad0205
-generated: "2025-04-11T15:44:26.237465393Z"
+  version: 1.1.20
+digest: sha256:47979e007ed8bb4a53ec00c5e457da110573a6e067f24da505144f475b26981c
+generated: "2025-05-18T15:22:37.968306345+02:00"

charts/nextcloud/Chart.yaml

@@ -1,8 +1,8 @@
 apiVersion: v2
 name: nextcloud
-version: 6.6.10
+version: 7.0.0
 # renovate: image=docker.io/library/nextcloud
-appVersion: 30.0.10
+appVersion: 31.0.7
 description: A file sharing server that puts the control and security of your own data back into your hands.
 keywords:
 - nextcloud
@@ -27,20 +27,20 @@ maintainers:
   - name: jessebot
     url: https://jessebot.work
 dependencies:
-- name: postgresql
-  version: 16.3.5
-  repository: oci://registry-1.docker.io/bitnamicharts
-  condition: postgresql.enabled
-- name: mariadb
-  version: 19.1.0
-  repository: oci://registry-1.docker.io/bitnamicharts
-  condition: mariadb.enabled
-- name: redis
-  version: 20.6.1
-  repository: oci://registry-1.docker.io/bitnamicharts
-  condition: redis.enabled
-- name: collabora-online
-  version: 1.1.37
-  repository: https://collaboraonline.github.io/online
-  condition: collabora.enabled
-  alias: collabora
+  - name: postgresql
+    version: 16.7.4
+    repository: oci://registry-1.docker.io/bitnamicharts
+    condition: postgresql.enabled
+  - name: mariadb
+    version: 20.5.5
+    repository: oci://registry-1.docker.io/bitnamicharts
+    condition: mariadb.enabled
+  - name: redis
+    version: 21.1.3
+    repository: oci://registry-1.docker.io/bitnamicharts
+    condition: redis.enabled
+  - name: collabora-online
+    version: 1.1.20
+    repository: https://collaboraonline.github.io/online
+    condition: collabora.enabled
+    alias: collabora

charts/nextcloud/README.md

@@ -15,6 +15,7 @@ helm install my-release nextcloud/nextcloud
 * [Prerequisites](#prerequisites)
 * [Installing the Chart](#installing-the-chart)
 * [Uninstalling the Chart](#uninstalling-the-chart)
+* [Upgrade / Breaking Changes](#upgrade--breaking-changes)
 * [Configuration](#configuration)
     * [Ingress](#ingress)
         * [Ingress Sticky-Sessions](#ingress-sticky-sessions)
@@ -97,6 +98,11 @@ helm delete my-release
 
 The command removes all the Kubernetes components associated with the chart and deletes the release.
 
+## Upgrade / Breaking Changes
+
+There is a Changelog of breaking changes here: [CHANGELOG.md](./CHANGELOG.md).
+You should read it bevore updating.
+
 ## Configuration
 
 The following table lists the configurable parameters of the nextcloud chart and their default values.

charts/nextcloud/files/nginx.config.tpl

@@ -1,7 +1,15 @@
+# Version 2024-07-17
+
 upstream php-handler {
     server 127.0.0.1:9000;
 }
 
+# Set the `immutable` cache control options only for assets with a cache busting `v` argument
+map $arg_v $asset_immutable {
+    "" "";
+    default ", immutable";
+}
+
 server {
     {{- if and (has "IPv4" .Values.nginx.ipFamilies) (has "IPv6" .Values.nginx.ipFamilies) }}
     # Both IPv4 and IPv6 are enabled
@@ -14,6 +22,12 @@ server {
     listen {{ .Values.nginx.containerPort }};
     {{- end }}
 
+    # Path to the root of your installation
+    root /var/www/html;
+
+    # Prevent nginx HTTP Server Detection
+    server_tokens off;
+
     # HSTS settings
     # WARNING: Only add the preload option once you read about
     # the consequences in https://hstspreload.org/. This option
@@ -26,8 +40,9 @@ server {
     {{- end }}
     {{- end }}
 
-    # set max upload size
-    client_max_body_size 10G;
+    # set max upload size and increase upload timeout:
+    client_max_body_size 512M;
+    client_body_timeout 300s;
     fastcgi_buffers 64 4K;
 
     # Enable gzip but do not remove ETag headers
@@ -36,27 +51,30 @@ server {
     gzip_comp_level 4;
     gzip_min_length 256;
     gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
-    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+    gzip_types application/atom+xml text/javascript application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/wasm application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
 
     # Pagespeed is not supported by Nextcloud, so if your server is built
     # with the `ngx_pagespeed` module, uncomment this line to disable it.
     #pagespeed off;
 
+    # The settings allows you to optimize the HTTP2 bandwidth.
+    # See https://blog.cloudflare.com/delivering-http-2-upload-speed-improvements/
+    # for tuning hints
+    client_body_buffer_size 512k;
+
     # Remove X-Powered-By, which is an information leak
     fastcgi_hide_header X-Powered-By;
 
-    # Add .mjs as a file extension for javascript
+    # Set .mjs and .wasm MIME types
     # Either include it in the default mime.types list
-    # or include you can include that list explicitly and add the file extension
+    # and include that list explicitly or add the file extension
     # only for Nextcloud like below:
     include mime.types;
     types {
         text/javascript js mjs;
+        application/wasm wasm;
     }
 
-    # Path to the root of your installation
-    root /var/www/html;
-
     # Specify how to handle directories -- specifying `/index.php$request_uri`
     # here as the fallback means that Nginx always exhibits the desired behaviour
     # when a client requests a path that corresponds to a directory that exists
@@ -91,10 +109,10 @@ server {
 
         location = /.well-known/carddav     { return 301 /remote.php/dav/; }
         location = /.well-known/caldav      { return 301 /remote.php/dav/; }
-        # Anything else is dynamically handled by Nextcloud
-        location ^~ /.well-known            { return 301 /index.php$uri; }
 
-        try_files $uri $uri/ =404;
+        # Let Nextcloud's API for `/.well-known` URIs handle all other
+        # requests by passing them to the front-end controller.
+        return 301 /index.php$request_uri;
     }
 
     # Rules borrowed from `.htaccess` to hide certain paths from clients
@@ -106,8 +124,8 @@ server {
     # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
     # to the URI, resulting in a HTTP 500 error response.
     location ~ \.php(?:$|/) {
-        # Required for legacy support
-        rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri;
+    # Required for legacy support
+        rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|ocs-provider\/.+|.+\/richdocumentscode(_arm64)?\/proxy) /index.php$request_uri;
 
         fastcgi_split_path_info ^(.+?\.php)(/.*)$;
         set $path_info $fastcgi_path_info;
@@ -117,28 +135,35 @@ server {
         include fastcgi_params;
         fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
         fastcgi_param PATH_INFO $path_info;
-        #fastcgi_param HTTPS on;
+        fastcgi_param HTTPS on;
 
         fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
         fastcgi_param front_controller_active true;     # Enable pretty urls
         fastcgi_pass php-handler;
 
         fastcgi_intercept_errors on;
         fastcgi_request_buffering off;
+
+        fastcgi_max_temp_file_size 0;
     }
 
-    location ~ \.(?:css|js|svg|gif)$ {
+    location ~ \.(?:css|js|mjs|svg|gif|ico|jpg|png|webp|wasm|tflite|map|ogg|flac)$ {
         try_files $uri /index.php$request_uri;
         expires 6M;         # Cache-Control policy borrowed from `.htaccess`
         access_log off;     # Optional: Don't log access to assets
     }
 
-    location ~ \.woff2?$ {
+    location ~ \.(otf|woff2?)$ {
         try_files $uri /index.php$request_uri;
         expires 7d;         # Cache-Control policy borrowed from `.htaccess`
         access_log off;     # Optional: Don't log access to assets
     }
 
+    # Rule borrowed from `.htaccess`
+    location /remote {
+        return 301 /remote.php$request_uri;
+    }
+
     location / {
         try_files $uri $uri/ /index.php$request_uri;
     }

charts/nextcloud/templates/metrics/deployment.yaml

@@ -64,6 +64,8 @@ spec:
               value: {{ .Values.metrics.tlsSkipVerify | quote }}
             - name: NEXTCLOUD_INFO_APPS
               value: {{ .Values.metrics.info.apps | quote }}
+            - name: NEXTCLOUD_INFO_UPDATE
+              value: {{ .Values.metrics.info.update | quote }}
           ports:
             - name: metrics
               containerPort: 9205

charts/nextcloud/templates/metrics/prometheus-rules.yaml

@@ -0,0 +1,61 @@
+{{- if .Values.metrics.rules.enabled }}
+{{- $fullname := include "nextcloud.fullname" . }}
+apiVersion: monitoring.coreos.com/v1
+kind: PrometheusRule
+metadata:
+  name: {{ $fullname }}
+  labels:
+    {{- include "nextcloud.labels"  ( dict "rootContext" $ ) | nindent 4 }}
+    {{- with .Values.metrics.rules.labels }}
+    {{- toYaml . | nindent 4 }}
+    {{- end }}
+spec:
+  groups:
+    {{- with .Values.metrics.rules.defaults }}
+    {{- if .enabled }}
+    {{- $filter := .filter | default (printf `namespace="%s",job=~"^%s.*"` $.Release.Namespace $fullname) }}
+    - name: {{ $fullname }}-Defaults
+      rules:
+        - alert: "nextcloud: not reachable"
+          expr: 'avg(nextcloud_up{ {{ $filter }} }) without(endpoint,container,pod,instance) < 1'
+          for: 5m
+          labels:
+            severity: "critical"
+            {{- with .labels }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
+          annotations:
+            {{`
+            summary: "Nextcloud in {{ $labels.namespace }} is not reachable by exporter"
+            `}}
+        - alert: "nextcloud: outdated version"
+          expr: 'sum(nextcloud_system_update_available{ {{ $filter }} }) without(endpoint,container,pod,instance) > 0'
+          labels:
+            severity: "warning"
+            {{- with .labels }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
+          annotations:
+            {{`
+            summary: "Nextcloud in {{ $labels.namespace }} is outdated"
+            `}}
+        - alert: "nextcloud: outdated apps"
+          expr: 'sum(nextcloud_apps_updates_available_total{ {{ $filter }} }) without(endpoint,container,pod,instance) > 0'
+          labels:
+            severity: "warning"
+            {{- with .labels }}
+            {{- toYaml . | nindent 12 }}
+            {{- end }}
+          annotations:
+            {{`
+            summary: "Nextcloud in {{ $labels.namespace }} has {{ $value }} outdated Apps"
+            `}}
+    {{- end }}
+    {{- end }}{{/* end-with prometheus.rules.default */}}
+    {{- with .Values.metrics.rules.additionalRules }}
+    - name: {{ $fullname }}-Additional
+      rules:
+        {{- toYaml . | nindent 8 }}
+    {{- end }}
+{{- end }}
+

charts/nextcloud/values.yaml

@@ -347,7 +347,6 @@ nginx:
       "Strict-Transport-Security": ""
       "Referrer-Policy": "no-referrer"
       "X-Content-Type-Options": "nosniff"
-      "X-Download-Options": "noopen"
       "X-Frame-Options": "SAMEORIGIN"
       "X-Permitted-Cross-Domain-Policies": "none"
       "X-Robots-Tag": "noindex, nofollow"
@@ -778,10 +777,11 @@ metrics:
     # Optional: becomes NEXTCLOUD_INFO_APPS env var in the nextcloud-exporter container.
     # Enables gathering of apps-related metrics. Defaults to false
     apps: false
+    update: false
 
   image:
     repository: xperimental/nextcloud-exporter
-    tag: 0.6.2
+    tag: 0.8.0
     pullPolicy: IfNotPresent
     # pullSecrets:
     #   - myRegistrKeySecretName
@@ -863,6 +863,27 @@ metrics:
     ##
     labels: {}
 
+  rules:
+    # -- Deploy Prometheus Rules (Alerts) for the exporter
+    # @section -- Metrics
+    enabled: false
+    # -- Label on Prometheus Rules CRD Manifest
+    # @section -- Metrics
+    labels: {}
+    defaults:
+      # -- Add Default Rules
+      # @section -- Metrics
+      enabled: true
+      # -- Label on the rules (the severity is already set)
+      # @section -- Metrics
+      labels: {}
+      # -- Filter on metrics on alerts (default just for this helm-chart)
+      # @section -- Metrics
+      filter: ""
+    # -- Add own Rules to Prometheus Rules
+    # @section -- Metrics
+    additionalRules: []
+
 
 rbac:
   enabled: false