---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: onlyoffice
  namespace: office-system
  labels:
    app.kubernetes.io/instance: onlyoffice
    app.kubernetes.io/name: onlyoffice
    app.kubernetes.io/version: "9.0.2"
spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app.kubernetes.io/instance: onlyoffice
      app.kubernetes.io/name: onlyoffice
  template:
    metadata:
      labels:
        app.kubernetes.io/instance: onlyoffice
        app.kubernetes.io/name: onlyoffice
        app.kubernetes.io/version: "9.0.2"
      annotations:
        match-regex.version-checker.io/onlyoffice: '^\d+\.\d+\.\d+$'
    spec:
      containers:
        - name: onlyoffice
          image: onlyoffice/documentserver:9.0.2
          imagePullPolicy: IfNotPresent
          env:
            - name: TZ
              value: Europe/Budapest
            - name: JWT_ENABLED
              value: "true"
            - name: JWT_SECRET
              valueFrom:
                secretKeyRef:
                  name: onlyoffice-secrets
                  key: jwt-secret
            - name: JWT_HEADER
              value: Authorization
            - name: JWT_IN_BODY
              value: "true"
          ports:
            - containerPort: 80
              name: http
              protocol: TCP
          livenessProbe:
            httpGet:
              path: /healthcheck
              port: http
            initialDelaySeconds: 120
            periodSeconds: 30
            timeoutSeconds: 10
            failureThreshold: 5
          readinessProbe:
            httpGet:
              path: /healthcheck
              port: http
            initialDelaySeconds: 60
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 5
          resources:
            requests:
              cpu: 200m
              memory: 1Gi
            limits:
              cpu: 2000m
              memory: 4Gi
          volumeMounts:
            - name: data
              mountPath: /var/www/onlyoffice/Data
            - name: lib
              mountPath: /var/lib/onlyoffice
            - name: logs
              mountPath: /var/log/onlyoffice
            - name: db
              mountPath: /var/lib/postgresql
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: onlyoffice-data
        - name: lib
          persistentVolumeClaim:
            claimName: onlyoffice-lib
        - name: logs
          persistentVolumeClaim:
            claimName: onlyoffice-logs
        - name: db
          persistentVolumeClaim:
            claimName: onlyoffice-db
---
apiVersion: v1
kind: Service
metadata:
  name: onlyoffice
  namespace: office-system
  labels:
    app.kubernetes.io/instance: onlyoffice
    app.kubernetes.io/name: onlyoffice
    app.kubernetes.io/version: "9.0.2"
spec:
  type: ClusterIP
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: http
  selector:
    app.kubernetes.io/instance: onlyoffice
    app.kubernetes.io/name: onlyoffice
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: onlyoffice
  namespace: office-system
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    external-dns.alpha.kubernetes.io/hostname: office.dooplex.hu,office.home
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: 100m
    nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
    nginx.ingress.kubernetes.io/upstream-hash-by: "$arg_WOPISrc"
    nginx.ingress.kubernetes.io/configuration-snippet: |
      set $geo_allowed 0;
      if ($remote_addr ~ "^192\.168\.") { set $geo_allowed 1; }
      if ($remote_addr ~ "^10\.") { set $geo_allowed 1; }
      if ($geoip2_country_code = "HU") { set $geo_allowed 1; }
      if ($geo_allowed = 0) {
        return 403 "Access restricted to Hungary";
      }
  labels:
    app.kubernetes.io/instance: onlyoffice
    app.kubernetes.io/name: onlyoffice
spec:
  ingressClassName: nginx-internal
  rules:
    - host: office.dooplex.hu
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: onlyoffice
                port:
                  number: 80
    - host: office.home
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: onlyoffice
                port:
                  number: 80
  tls:
    - hosts:
        - office.dooplex.hu
      secretName: onlyoffice-tls
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: onlyoffice-data
  namespace: office-system
  labels:
    app.kubernetes.io/instance: onlyoffice
    app.kubernetes.io/name: onlyoffice
    recurring-job-group.longhorn.io/needbackup: enabled
    recurring-job.longhorn.io/source: enabled
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: longhorn-hdd
  resources:
    requests:
      storage: 5Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: onlyoffice-lib
  namespace: office-system
  labels:
    app.kubernetes.io/instance: onlyoffice
    app.kubernetes.io/name: onlyoffice
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: longhorn-ssd2
  resources:
    requests:
      storage: 5Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: onlyoffice-logs
  namespace: office-system
  labels:
    app.kubernetes.io/instance: onlyoffice
    app.kubernetes.io/name: onlyoffice
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: longhorn-ssd2
  resources:
    requests:
      storage: 2Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: onlyoffice-db
  namespace: office-system
  labels:
    app.kubernetes.io/instance: onlyoffice
    app.kubernetes.io/name: onlyoffice
    recurring-job-group.longhorn.io/needbackup: enabled
    recurring-job.longhorn.io/source: enabled
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: longhorn-ssd2
  resources:
    requests:
      storage: 5Gi