From cedcaaf9767076062c721fe7e1f3372aef95ad1c Mon Sep 17 00:00:00 2001 From: Steffen Illium Date: Thu, 28 Mar 2024 14:58:01 +0100 Subject: [PATCH] ionos webhook, nextcloud ingress --- apps/nextcloud/base/nextcloud-ingress.yaml | 6 +- apps/nextcloud/base/values.yaml | 4 +- .../05-cert-manager/base/ionos-ingress.yaml | 12 ++++ .../05-cert-manager/base/ionos-issuer.yaml | 55 +++++++++++++++++++ .../base/ionos-secret-sealed.yaml | 11 ++++ .../05-cert-manager/kustomization.yaml | 8 ++- 6 files changed, 90 insertions(+), 6 deletions(-) create mode 100644 infrastructure/05-cert-manager/base/ionos-ingress.yaml create mode 100644 infrastructure/05-cert-manager/base/ionos-issuer.yaml create mode 100644 infrastructure/05-cert-manager/base/ionos-secret-sealed.yaml
diff --git a/apps/nextcloud/base/nextcloud-ingress.yaml b/apps/nextcloud/base/nextcloud-ingress.yaml
index 8e84d9f..b82d170 100644
--- a/apps/nextcloud/base/nextcloud-ingress.yaml
+++ b/apps/nextcloud/base/nextcloud-ingress.yaml
@@ -1,15 +1,15 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
- name: nextcloud
+ name: nextcloud-ingress
 namespace: nextcloud
 spec:
 entryPoints:
 - web
 - websecure
 routes:
- - match: Host(`cloud.steffenillium.de`) || Host(`newcloud.steffenillium.de`)
+ - match: Host(`newcloud.steffenillium.de`)
 kind: Rule
 services:
- - name: nextcloud
+ - name: lcl-nextcloud
 port: 8080
diff --git a/apps/nextcloud/base/values.yaml b/apps/nextcloud/base/values.yaml
index e3b1acd..a4953f3 100644
--- a/apps/nextcloud/base/values.yaml
+++ b/apps/nextcloud/base/values.yaml
@@ -2,8 +2,8 @@ ingress:
 enabled: false
 phpClientHttpsFix:
- enabled: false
- protocol: https
+ enabled: true
+ protocol: http
 nextcloud:
 host: newcloud.steffenillium.de
diff --git a/infrastructure/05-cert-manager/base/ionos-ingress.yaml b/infrastructure/05-cert-manager/base/ionos-ingress.yaml
new file mode 100644
index 0000000..2765095
--- /dev/null
+++ b/infrastructure/05-cert-manager/base/ionos-ingress.yaml
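Review bot: The IngressRoute in `nextcloud-ingress.yaml` still lists the plain-HTTP `web` entry point and has no `tls` block, so `newcloud.steffenillium.de` is answered without TLS on `web`, and `websecure` only terminates TLS if the entry point itself is configured for it outside this file. For a Nextcloud login surface I would drop `- web` (or attach an explicit redirect middleware) and add `tls: {}` under `spec` so the router is TLS-only. Whether a global HTTP-to-HTTPS redirect already exists in the Traefik static configuration cannot be seen from this diff.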
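Review bot: In `values.yaml`, `phpClientHttpsFix` is now enabled with `protocol: http`, which presumably makes Nextcloud generate `http://` URLs for itself behind the proxy, the opposite of what the setting is for when TLS is terminated at the ingress. If the site is meant to be reached over HTTPS, keep `enabled: true` but set `protocol: https`; with `http`, redirects and login links can fall back to cleartext. The rest of `values.yaml` lies outside the hunk, so any trusted-proxy or overwrite settings there are not visible.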
@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: steffenillium-de
+ annotations:
+ sealedsecrets.bitnami.com/cluster-wide: "true"
+spec:
+ dnsNames:
+ - '*.steffenillium.de'
+ issuerRef:
+ name: letsencrypt-ionos-staging
+ secretName: default-tls
\ No newline at end of file
diff --git a/infrastructure/05-cert-manager/base/ionos-issuer.yaml b/infrastructure/05-cert-manager/base/ionos-issuer.yaml
new file mode 100644
index 0000000..f3988ac
--- /dev/null
+++ b/infrastructure/05-cert-manager/base/ionos-issuer.yaml
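Review bot: The `sealedsecrets.bitnami.com/cluster-wide` annotation on this `Certificate` looks misplaced: it is a scope marker for Sealed Secrets and, as far as I know, is not read on cert-manager resources, so it only suggests a protection that is not there. Separately, `issuerRef` points at `letsencrypt-ionos-staging`, so the wildcard key pair stored in `default-tls` will chain to the staging CA that clients do not trust. A comment such as `# staging issuer: not publicly trusted, switch to letsencrypt-ionos-prod once DNS-01 works` would record that this is intentional. `issuerRef` also omits `kind: Issuer`; that is the default, but stating it next to a wildcard name removes any doubt about which issuer signs it.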
@@ -0,0 +1,55 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: letsencrypt-ionos-staging
+spec:
+ acme:
+ # The ACME server URL
+ server: https://acme-staging-v02.api.letsencrypt.org/directory
+ # Email address used for ACME registration
+ email: mail@steffenillium.de
+ # Name of a secret used to store the ACME account private key
+ privateKeySecretRef:
+ name: letsencrypt-ionos-staging-key
+ # Enable the dns01 challenge provider
+ solvers:
+ - dns01:
+ webhook:
+ groupName: acme.fabmade.de
+ solverName: ionos
+ config:
+ apiUrl: https://api.hosting.ionos.com/dns/v1
+ publicKeySecretRef:
+ key: IONOS_PUBLIC_PREFIX
+ name: ionos-secret
+ secretKeySecretRef:
+ key: IONOS_SECRET
+ name: ionos-secret
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: letsencrypt-ionos-prod
+spec:
+ acme:
+ # The ACME server URL
+ server: https://acme-v02.api.letsencrypt.org/directory
+ # Email address used for ACME registration
+ email: mail@steffenillium.de
+ # Name of a secret used to store the ACME account private key
+ privateKeySecretRef:
+ name: letsencrypt-ionos-prod
+ # Enable the dns01 challenge provider
+ solvers:
+ - dns01:
+ webhook:
+ groupName: acme.fabmade.de
+ solverName: ionos
+ config:
+ apiUrl: https://api.hosting.ionos.com/dns/v1
+ publicKeySecretRef:
+ key: IONOS_PUBLIC_PREFIX
+ name: ionos-secret
+ secretKeySecretRef:
+ key: IONOS_SECRET
+ name: ionos-secret
\ No newline at end of file
diff --git a/infrastructure/05-cert-manager/base/ionos-secret-sealed.yaml b/infrastructure/05-cert-manager/base/ionos-secret-sealed.yaml
new file mode 100644
index 0000000..b670c6b
--- /dev/null
+++ b/infrastructure/05-cert-manager/base/ionos-secret-sealed.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: ionos-secret
+ namespace: cert-manager
+ annotations:
+ sealedsecrets.bitnami.com/namespace-wide: true
+type: Opaque
+stringData:
+ IONOS_PUBLIC_PREFIX:
+ IONOS_SECRET:
\ No newline at end of file
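Review bot: Neither solver in `ionos-issuer.yaml` carries a `selector`, so any Certificate in this namespace that references these Issuers can request names in every zone the IONOS key is able to edit. Scoping the solver confines the DNS-01 credentials to the one domain used here: add `selector:`, `dnsZones:` and `- steffenillium.de` next to `dns01` in each `solvers` entry of both Issuers. A smaller consistency point: the production account key secret is named `letsencrypt-ionos-prod` while staging uses `letsencrypt-ionos-staging-key`; `name: letsencrypt-ionos-prod-key` would match.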
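Review bot: Despite the `-sealed` file name, `ionos-secret-sealed.yaml` is a plain `kind: Secret` with empty `stringData` keys, so filling in the values and committing would put the IONOS API key in git in cleartext. The file that belongs in the repository is the `kubeseal` output (`kind: SealedSecret` with `encryptedData`). As committed, the two empty keys parse as null rather than as strings. The annotation value is also an unquoted boolean, which the API server should reject because annotation values must be strings; it should read `sealedsecrets.bitnami.com/namespace-wide: "true"`, quoted the same way as the annotation on the Certificate in this commit.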
diff --git a/infrastructure/05-cert-manager/kustomization.yaml b/infrastructure/05-cert-manager/kustomization.yaml
index fe788fc..c4c007b 100644
--- a/infrastructure/05-cert-manager/kustomization.yaml
+++ b/infrastructure/05-cert-manager/kustomization.yaml
@@ -5,6 +5,7 @@ namespace: cert-manager
 resources:
 - base/cert-manager-ui-ingress.yaml
+- base/ionos-secret-sealed.yaml
 helmCharts:
 - name: cert-manager
@@ -13,4 +14,9 @@ helmCharts:
 version: 1.14.4
 repo: https://charts.jetstack.io
 # valuesFile: base/values.yaml
-
+- name: cert-manager-webhook-ionos
+ includeCRDs: true
+ releaseName: lcl
+ version: 1.0.2
+ repo: https://fabmade.github.io/cert-manager-webhook-ionos
+ # valuesFile: base/ionos-values.yaml
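Review bot: `resources` gains only `base/ionos-secret-sealed.yaml`; the new `base/ionos-issuer.yaml` and `base/ionos-ingress.yaml` are not listed in the lines shown, so the two Issuers and the wildcard Certificate would not be rendered by this kustomization unless they are pulled in elsewhere. If they are meant to deploy, add `- base/ionos-issuer.yaml` and `- base/ionos-ingress.yaml`. Listing the secret file also means the placeholder `Secret` with empty values is applied to the cluster as it stands.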
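Review bot: The `cert-manager-webhook-ionos` entry under `helmCharts` pulls a chart from a third-party GitHub Pages repository pinned only by `version: 1.0.2`, and a Helm repository index can be re-pointed for an existing version. The workload it installs is the component that reads the IONOS API credentials. Consider vendoring a reviewed copy of the rendered chart into the repository so that changes arrive as a diff, and record the provenance in a comment, e.g. `# third-party chart, reviewed at 1.0.2; re-review RBAC before bumping`. With `valuesFile` commented out the chart's defaults apply, and its `groupName` has to stay in step with `acme.fabmade.de` used in the Issuers.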