nexcloud helm

2025-01-29 10:29:19 +01:00
41 changed files with 1211 additions and 913 deletions
--- a/applications/base/nextcloud-cert-issuer.yml
+++ b/applications/base/nextcloud-cert-issuer.yml
@ -0,0 +1,15 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: letsencrypt
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: drive@sunet.se
+    privateKeySecretRef:
+      name: letsencrypt
+    solvers:
+      - http01:
+          ingress:
+            class: nginx
+
--- a/applications/richir-test/richir-test.yaml
+++ b/applications/richir-test/richir-test.yaml
@ -0,0 +1,45 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: richir-test
+  namespace: argocd
+  labels:
+    name: richir-test
+spec:
+  project: default
+  sources:
+    - repoURL: 'https://nextcloud.github.io/helm/'
+      chart: nextcloud
+      targetRevision: 6.5.1
+      helm:
+        valueFiles:
+          - $values/applications/richir-test/values.yaml
+    - repoURL: 'https://platform.sunet.se/Drive/k8s-manifests'
+      targetRevision: richir-nextcloud-helm
+      path: applications/base/
+      ref: values
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: richir
+  info:
+    - name: 'Example:'
+      value: 'https://example.com'
+  syncPolicy:
+    automated:
+      prune: false
+      selfHeal: true
+      allowEmpty: false
+    syncOptions: # maybe needs FIXME
+      - Validate=true # disables resource validation (equivalent to 'kubectl apply --validate=false') ( true by default ).
+      - CreateNamespace=true # Namespace Auto-Creation ensures that namespace specified as the application destination exists in the destination cluster.
+      - PrunePropagationPolicy=foreground # Supported policies are background, foreground and orphan.
+      - PruneLast=true # Allow the ability for resource pruning to happen as a final, implicit wave of a sync operation
+      - RespectIgnoreDifferences=true # When syncing changes, respect fields ignored by the ignoreDifferences configuration
+      - ApplyOutOfSyncOnly=true # Only sync out-of-sync resources, rather than applying every object in the application
+    retry:
+      limit: 5
+      backoff:
+        duration: 5s
+        factor: 2
+        maxDuration: 3m
+  revisionHistoryLimit: 10
--- a/applications/richir-test/values.yaml
+++ b/applications/richir-test/values.yaml
@ -0,0 +1,413 @@
+# image:
+#   repository: 'docker.sunet.se/drive/nextcloud-custom'
+#   tag: '29.0.10.3-1'
+#   pullPolicy: 'Always'
+image:
+  repository: nextcloud
+  flavor: apache
+  # default is generated by flavor and appVersion
+  tag:
+  pullPolicy: IfNotPresent
+
+nameOverride: ""
+fullnameOverride: ""
+podAnnotations: {}
+deploymentAnnotations: {}
+deploymentLabels: {}
+
+replicaCount: 1
+
+ingress:
+  enabled: true
+  className: 'nginx'
+  annotations:
+    acme.cert-manager.io/http01-edit-in-place: 'true'
+    cert-manager.io/issuer: 'letsencrypt'
+  tls:
+    - secretName: 'tls-secret'
+      hosts:
+        - 'richir.drive.test.sunet.se'
+  labels:
+    app.kubernetes.io/instance: 'richir'
+  path: '/'
+  pathType: 'Prefix'
+
+lifecycle: {}
+  # postStartCommand: []
+  # preStopCommand: []
+
+phpClientHttpsFix:
+  enabled: false
+  protocol: 'https'
+
+nextcloud:
+  host: 'richir.drive.test.sunet.se'
+  existingSecret:
+    enabled: true
+    secretName: 'nc-secret'
+    passwordKey: 'nc_admin_password'
+    usernameKey: 'nc_admin_user'
+    smtpHostKey: 'smtp_host'
+    smtpPasswordKey: 'smtp_password'
+    smtpUsernameKey: 'smtp_user'
+  update: 0
+  containerPort: 80
+  datadir: '/var/www/html/data'
+  persistence:
+    subPath:
+  trustedDomains:
+    - 'customer.drive.test.sunet.se'
+  mail:
+    enabled: true
+    fromAddress: 'noreply@drive.test.sunet.se'
+    domain: 'drive.test.sunet.se'
+    smtp:
+      secure: 'tls'
+      port: 587
+      authtype: 'LOGIN'
+  objectStore:
+    s3:
+      enabled: true
+      legacyAuth: false
+      ssl: true
+      port: 443
+      region: 'us-east-1'
+      prefix: 'urn:oid:'
+      usePathStyle: true
+      autoCreate: true
+      storageClass: 'STANDARD'
+      existingSecret: 's3-secret'
+      secretKeys:
+        bucket: 's3_bucket'
+        accessKey: 's3_key'
+        host: 's3_host'
+        secretKey: 's3_secret'
+
+  ## PHP Configuration files
+  # Will be injected in /usr/local/etc/php/conf.d for apache image and in /usr/local/etc/php-fpm.d when nginx.enabled: true
+  phpConfigs: {} #FIXME?
+  ## Default config files that utilize environment variables:
+  # see: https://github.com/nextcloud/docker/tree/master#auto-configuration-via-environment-variables
+  # IMPORTANT: Will be used only if you put extra configs, otherwise default will come from nextcloud itself
+  # Default confgurations can be found here: https://github.com/nextcloud/docker/tree/master/.config
+  defaultConfigs:
+    # To protect /var/www/html/config
+    .htaccess: true
+    # Apache configuration for rewrite urls
+    apache-pretty-urls.config.php: false
+    # Define APCu as local cache
+    apcu.config.php: false
+    # Apps directory configs
+    apps.config.php: false
+    # Used for auto configure database
+    autoconfig.php: false
+    # Redis default configuration
+    redis.config.php: true
+    # Reverse proxy default configuration
+    reverse-proxy.config.php: false
+    # S3 Object Storage as primary storage
+    s3.config.php: true
+    # SMTP default configuration via environment variables
+    smtp.config.php: true
+    # Swift Object Storage as primary storage
+    swift.config.php: false
+    # disables the web based updater as the default nextcloud docker image does not support it
+    upgrade-disable-web.config.php: true
+
+  # Extra config files created in /var/www/html/config/
+  # ref: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/config_sample_php_parameters.html#multiple-config-php-file
+  configs: {} #FIXME?
+  # For example, to enable image and text file previews:
+  #  previews.config.php: |-
+  #    <?php
+  #    $CONFIG = array (
+  #      'enable_previews' => true,
+  #      'enabledPreviewProviders' => array (
+  #        'OC\Preview\Movie',
+  #        'OC\Preview\PNG',
+  #        'OC\Preview\JPEG',
+  #        'OC\Preview\GIF',
+  #        'OC\Preview\BMP',
+  #        'OC\Preview\XBitmap',
+  #        'OC\Preview\MP3',
+  #        'OC\Preview\MP4',
+  #        'OC\Preview\TXT',
+  #        'OC\Preview\MarkDown',
+  #        'OC\Preview\PDF'
+  #      ),
+  #    );
+
+  # Hooks for auto configuration
+  # Here you could write small scripts which are placed in `/docker-entrypoint-hooks.d/<hook-name>/helm.sh`
+  # ref: https://github.com/nextcloud/docker?tab=readme-ov-file#auto-configuration-via-hook-folders
+  hooks:
+    pre-installation:
+    post-installation:
+    pre-upgrade:
+    post-upgrade:
+    before-starting:
+
+  ## Strategy used to replace old pods
+  ## IMPORTANT: use with care, it is suggested to leave as that for upgrade purposes
+  ## ref: https://kubernetes.io/docs/concepts/workloads/controllers/deployment/#strategy
+  strategy:
+    type: Recreate
+    # type: RollingUpdate
+    # rollingUpdate:
+    #   maxSurge: 1
+    #   maxUnavailable: 0
+
+  ##
+  ## Extra environment variables
+  extraEnv:
+  #  - name: SOME_SECRET_ENV
+  #    valueFrom:
+  #      secretKeyRef:
+  #        name: nextcloud
+  #        key: secret_key
+
+  # Extra init containers that runs before pods start.
+  extraInitContainers: []
+  #  - name: do-something
+  #    image: busybox
+  #    command: ['do', 'something']
+
+  # Extra sidecar containers.
+  extraSidecarContainers: []
+  #  - name: nextcloud-logger
+  #    image: busybox
+  #    command: [/bin/sh, -c, 'while ! test -f "/run/nextcloud/data/nextcloud.log"; do sleep 1; done; tail -n+1 -f /run/nextcloud/data/nextcloud.log']
+  #    volumeMounts:
+  #    - name: nextcloud-data
+  #      mountPath: /run/nextcloud/data
+
+  # Extra mounts for the pods. Example shown is for connecting a legacy NFS volume
+  # to NextCloud pods in Kubernetes. This can then be configured in External Storage
+  extraVolumes:
+  #  - name: nfs
+  #    nfs:
+  #      server: "10.0.0.1"
+  #      path: "/nextcloud_data"
+  #      readOnly: false
+  extraVolumeMounts:
+  #  - name: nfs
+  #    mountPath: "/legacy_data"
+
+  # Set securityContext parameters for the nextcloud CONTAINER only (will not affect nginx container).
+  # For example, you may need to define runAsNonRoot directive
+  securityContext: {}
+  #   runAsUser: 33
+  #   runAsGroup: 33
+  #   runAsNonRoot: true
+  #   readOnlyRootFilesystem: false
+
+  # Set securityContext parameters for the entire pod. For example, you may need to define runAsNonRoot directive
+  podSecurityContext: {}
+  #   runAsUser: 33
+  #   runAsGroup: 33
+  #   runAsNonRoot: true
+  #   readOnlyRootFilesystem: false
+
+  # Settings for the MariaDB init container
+  mariaDbInitContainer:
+    resources: {}
+    # Set mariadb initContainer securityContext parameters. For example, you may need to define runAsNonRoot directive
+    securityContext: {}
+
+  # Settings for the PostgreSQL init container
+  postgreSqlInitContainer:
+    resources: {}
+    # Set postgresql initContainer securityContext parameters. For example, you may need to define runAsNonRoot directive
+    securityContext: {}
+
+internalDatabase:
+  enabled: false
+
+externalDatabase:
+  enabled: true
+  type: 'mysql'
+  host: 'proxysqlcluster.proxysql:6033'
+  database: 'nextcloud_richir'
+  existingSecret:
+    enabled: true
+    secretName: 'db-secret'
+    passwordKey: 'db_password'
+    usernameKey: 'db_username'
+
+redis:
+  enabled: true
+  auth:
+    enabled: false
+  global:
+    storageClass: ""
+  master:
+    persistence:
+      enabled: true
+  replica:
+    persistence:
+      enabled: true
+
+## Cronjob to execute Nextcloud background tasks
+## ref: https://docs.nextcloud.com/server/latest/admin_manual/configuration_server/background_jobs_configuration.html#cron
+##
+cronjob:
+  enabled: false
+
+  ## Cronjob sidecar resource requests and limits
+  ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
+  ##
+  resources: {}
+
+  # Allow configuration of lifecycle hooks
+  # ref: https://kubernetes.io/docs/tasks/configure-pod-container/attach-handler-lifecycle-event/
+  lifecycle:
+    postStartCommand: ["/bin/bash", "-c", "/usr/local/bin/nc-upgrade"]
+    # preStopCommand: []
+  # Set securityContext parameters. For example, you may need to define runAsNonRoot directive
+  securityContext: {}
+  #   runAsUser: 33
+  #   runAsGroup: 33
+  #   runAsNonRoot: true
+  #   readOnlyRootFilesystem: true
+
+service:
+  type: 'ClusterIP'
+  port: 8080
+  loadBalancerIP: ""
+  nodePort:
+  # -- use additional annotation on service for nextcloud
+  annotations: {}
+
+persistence:
+  enabled: true
+  storageClass: 'csi-sc-cinderplugin'
+  accessMode: 'ReadWriteOnce'
+  size: '1Gi'
+  nextcloudData:
+    enabled: false
+
+resources:
+  limits:
+    cpu: '2'
+    memory: '2Gi'
+  requests:
+    cpu: '1'
+    memory: '512Mi'
+
+readinessProbe:
+  tcpSocket:
+    port: 80
+  initialDelaySeconds: 10
+  periodSeconds: 60
+livenessProbe:
+  tcpSocket:
+    port: 80
+  initialDelaySeconds: 20
+  periodSeconds: 180
+
+## Prometheus Exporter / Metrics
+##
+metrics:
+  enabled: false
+
+  replicaCount: 1
+  # Optional: becomes NEXTCLOUD_SERVER env var in the nextcloud-exporter container.
+  # Without it, we will use the full name of the nextcloud service
+  server: ""
+  # The metrics exporter needs to know how you serve Nextcloud either http or https
+  https: false
+  # Use API token if set, otherwise fall back to password authentication
+  # https://github.com/xperimental/nextcloud-exporter#token-authentication
+  # Currently you still need to set the token manually in your nextcloud install
+  token: ""
+  timeout: 5s
+  # if set to true, exporter skips certificate verification of Nextcloud server.
+  tlsSkipVerify: false
+  info:
+    # Optional: becomes NEXTCLOUD_INFO_APPS env var in the nextcloud-exporter container.
+    # Enables gathering of apps-related metrics. Defaults to false
+    apps: false
+
+  image:
+    repository: xperimental/nextcloud-exporter
+    tag: 0.6.2
+    pullPolicy: IfNotPresent
+    # pullSecrets:
+    #   - myRegistrKeySecretName
+
+  ## Metrics exporter resource requests and limits
+  ## ref: http://kubernetes.io/docs/user-guide/compute-resources/
+  ##
+  resources: {}
+
+  # -- Metrics exporter pod Annotation
+  podAnnotations: {}
+
+  # -- Metrics exporter pod Labels
+  podLabels: {}
+
+  # -- Metrics exporter pod nodeSelector
+  nodeSelector: {}
+
+  # -- Metrics exporter pod tolerations
+  tolerations: []
+
+  # -- Metrics exporter pod affinity
+  affinity: {}
+
+  service:
+    type: ClusterIP
+    # Use serviceLoadBalancerIP to request a specific static IP,
+    # otherwise leave blank
+    loadBalancerIP:
+    annotations:
+      prometheus.io/scrape: "true"
+      prometheus.io/port: "9205"
+    labels: {}
+
+  # -- security context for the metrics CONTAINER in the pod
+  securityContext:
+    runAsUser: 1000
+    runAsNonRoot: true
+    # allowPrivilegeEscalation: false
+    # capabilities:
+    #   drop:
+    #     - ALL
+
+  # -- security context for the metrics POD
+  podSecurityContext: {}
+  # runAsNonRoot: true
+  # seccompProfile:
+  #   type: RuntimeDefault
+
+  ## Prometheus Operator ServiceMonitor configuration
+  ##
+  serviceMonitor:
+    ## @param metrics.serviceMonitor.enabled Create ServiceMonitor Resource for scraping metrics using PrometheusOperator
+    ##
+    enabled: false
+
+    ## @param metrics.serviceMonitor.namespace Namespace in which Prometheus is running
+    ##
+    namespace: ""
+
+    ## @param metrics.serviceMonitor.namespaceSelector The selector of the namespace where the target service is located (defaults to the release namespace)
+    namespaceSelector:
+
+    ## @param metrics.serviceMonitor.jobLabel The name of the label on the target service to use as the job name in prometheus.
+    ##
+    jobLabel: ""
+
+    ## @param metrics.serviceMonitor.interval Interval at which metrics should be scraped
+    ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
+    ##
+    interval: 30s
+
+    ## @param metrics.serviceMonitor.scrapeTimeout Specify the timeout after which the scrape is ended
+    ## ref: https://github.com/coreos/prometheus-operator/blob/master/Documentation/api.md#endpoint
+    ##
+    scrapeTimeout: ""
+
+    ## @param metrics.serviceMonitor.labels Extra labels for the ServiceMonitor
+    ##
+    labels: {}
--- a/applicationsets/applicationset.yaml
+++ b/applicationsets/applicationset.yaml
@ -1,45 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: ApplicationSet
-metadata:
-  name: customer-applications
-  namespace: argocd
-spec:
-  goTemplate: true
-  goTemplateOptions: ["missingkey=error"]
-  generators:
-    - git:
-        repoURL: 'https://platform.sunet.se/Drive/k8s-manifests'
-        revision: HEAD
-        directories:
-          - path: 'customers/overlays/*'
-  template:
-    metadata:
-      name: '{{index .path.segments 2}}'
-    spec:
-      project: default
-      source:
-        repoURL: 'https://platform.sunet.se/Drive/k8s-manifests'
-        targetRevision: HEAD
-        path: 'customers/overlays/{{index .path.segments 2}}/test'
-      destination:
-        server: https://kubernetes.default.svc
-        namespace: '{{index .path.segments 2}}'
-      syncPolicy:
-        automated:
-          prune: false
-          selfHeal: true
-          allowEmpty: false
-        syncOptions: # maybe needs FIXME
-          - Validate=true # disables resource validation (equivalent to 'kubectl apply --validate=false') ( true by default ).
-          - CreateNamespace=true # Namespace Auto-Creation ensures that namespace specified as the application destination exists in the destination cluster.
-          - PrunePropagationPolicy=foreground # Supported policies are background, foreground and orphan.
-          - PruneLast=true # Allow the ability for resource pruning to happen as a final, implicit wave of a sync operation
-          - RespectIgnoreDifferences=true # When syncing changes, respect fields ignored by the ignoreDifferences configuration
-          - ApplyOutOfSyncOnly=true # Only sync out-of-sync resources, rather than applying every object in the application
-        retry:
-          limit: 5
-          backoff:
-            duration: 5s
-            factor: 2
-            maxDuration: 3m
-      revisionHistoryLimit: 2
--- a/backups/base/backup-cronjob.yaml
+++ b/backups/base/backup-cronjob.yaml
@ -1,60 +0,0 @@
-apiVersion: batch/v1
-kind: CronJob
-metadata:
-  name: backup
-spec:
-  schedule: "0 0 * * *"
-  concurrencyPolicy: Forbid
-  jobTemplate:
-    spec:
-      template:
-        spec:
-          volumes:
-            - name: backup-storage
-              emptyDir: {}
-            - name: ipc-storage
-              emptyDir: {}
-          restartPolicy: Never
-          containers:
-            - name: backup-container
-              image: docker.sunet.se/drive/duplicity:bookworm-slim-1
-              command: ["bash"]
-              args: [ "-c", "duplicity /backup_storage rclone://destination:$(BUCKET) --no-encryption --full-if-older-than 1M; touch /backup_ipc/stop" ]
-              env:
-                - name: RCLONE_CONFIG_DESTINATION_ACL
-                  value: private
-                - name: RCLONE_CONFIG_DESTINATION_TYPE
-                  value: s3
-                - name: RCLONE_CONFIG_DESTINATION_ENDPOINT
-                  value: s3.sto3.safedc.net
-                - name: RCLONE_CONFIG_DESTINATION_PROVIDER
-                  value: Ceph
-              volumeMounts:
-                - name: backup-storage
-                  mountPath: /backup_storage
-                  mountPropagation: HostToContainer
-                - name: ipc-storage
-                  mountPath: /backup_ipc
-            - name: mount-container
-              image: rclone/rclone:1.69.0
-              args: ["mount", "--allow-non-empty", "source:$(BUCKET)", "/backup_storage"]
-              securityContext:
-                privileged: true
-              env:
-                - name: RCLONE_CONFIG_SOURCE_ACL
-                  value: private
-                - name: RCLONE_CONFIG_SOURCE_TYPE
-                  value: s3
-                - name: RCLONE_CONFIG_SOURCE_ENDPOINT
-                  value: s3.sto4.safedc.net
-                - name: RCLONE_CONFIG_SOURCE_PROVIDER
-                  value: Ceph
-              volumeMounts:
-                - name: backup-storage
-                  mountPath: /backup_storage
-                  mountPropagation: Bidirectional
-                - name: ipc-storage
-                  mountPath: /backup_ipc
-              livenessProbe:
-                exec:
-                  command: ["sh", "-c", "if test -f /backup_ipc/stop; then umount /backup_storage; exit 1; fi;"]
--- a/backups/base/kustomization.yaml
+++ b/backups/base/kustomization.yaml
@ -1,4 +0,0 @@
---
-kind: Kustomization
-apiVersion: kustomize.config.k8s.io/v1beta1
-resources: ['backup-cronjob.yaml']
--- a/backups/overlays/test/xrootd/backup-cronjob.yaml
+++ b/backups/overlays/test/xrootd/backup-cronjob.yaml
@ -1,40 +0,0 @@
-apiVersion: batch/v1
-kind: CronJob
-metadata:
-  name: backup
-spec:
-  schedule: "15 02 * * *"
-  jobTemplate:
-    spec:
-      template:
-        spec:
-          hostname: xrootd-test-mirror
-          containers:
-            - name: backup-container
-              env:
-                - name: BUCKET
-                  value: "xrootd-test-mirror"
-                - name: RCLONE_CONFIG_DESTINATION_ACCESS_KEY_ID
-                  valueFrom:
-                    secretKeyRef:
-                      name: xrootd-secret
-                      key: "destination-access-key-id"
-                - name: RCLONE_CONFIG_DESTINATION_SECRET_ACCESS_KEY
-                  valueFrom:
-                    secretKeyRef:
-                      name: xrootd-secret
-                      key: "destination-secret-access-key"
-            - name: mount-container
-              env:
-                - name: BUCKET
-                  value: "xrootd-test"
-                - name: RCLONE_CONFIG_SOURCE_ACCESS_KEY_ID
-                  valueFrom:
-                    secretKeyRef:
-                      name: xrootd-secret
-                      key: "source-access-key-id"
-                - name: RCLONE_CONFIG_SOURCE_SECRET_ACCESS_KEY
-                  valueFrom:
-                    secretKeyRef:
-                      name: xrootd-secret
-                      key: "source-secret-access-key"
--- a/backups/overlays/test/xrootd/kustomization.yaml
+++ b/backups/overlays/test/xrootd/kustomization.yaml
@ -1,7 +0,0 @@
---
-kind: Kustomization
-apiVersion: kustomize.config.k8s.io/v1beta1
-resources: [../../../base]
-patches: 
-  - path: backup-cronjob.yaml
-
--- a/charts/sealed-secrets/values.yaml
+++ b/charts/sealed-secrets/values.yaml
@ -1,16 +0,0 @@
-nameOverride: controller
-image:
-  registry: docker.io
-  repository: bitnami/sealed-secrets-controller
-  tag: 0.28.0
-podSecurityContext:
-  enabled: true
-  fsGroup: 65534
-containerSecurityContext:
-  enabled: true
-  readOnlyRootFilesystem: true
-  runAsNonRoot: true
-  runAsUser: 1001
-  capabilities:
-    drop:
-      - ALL
--- a/customers/base/apache-configmap.yml
+++ b/customers/base/apache-configmap.yml
@ -0,0 +1,73 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: apache-configmap
+data:
+  000-default.conf: |
+    LoadModule remoteip_module /usr/lib/apache2/modules/mod_remoteip.so
+    LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
+    <VirtualHost *:80>
+            ServerAdmin webmaster@localhost
+            DocumentRoot /var/www/html
+            # Log format config
+            LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" common
+            SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
+
+            # Header config
+            RemoteIPHeader X-Forwarded-For
+            RemoteIPInternalProxy 37.156.195.14
+            RemoteIPInternalProxy 37.156.195.19
+            RemoteIPInternalProxy 37.156.195.84
+            RemoteIPInternalProxy 37.156.195.92
+            #ErrorDocument 404 /404.html
+            ErrorLog ${APACHE_LOG_DIR}/error.log
+            CustomLog ${APACHE_LOG_DIR}/access.log combined env=forwarded
+
+            ErrorLog ${APACHE_LOG_DIR}/error.log
+            CustomLog ${APACHE_LOG_DIR}/access.log combined
+            <Directory /var/www/html/>
+                    LimitRequestBody 0
+                    Require all granted
+                    AllowOverride All
+                    Options FollowSymLinks MultiViews
+
+                    <IfModule mod_dav.c>
+                        Dav off
+                    </IfModule>
+            </Directory>
+    </VirtualHost>
+    <VirtualHost *:443>
+            ServerAdmin webmaster@localhost
+            DocumentRoot /var/www/html
+            # Log format config
+            LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" common
+            SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
+
+            # Header config
+            RemoteIPHeader X-Forwarded-For
+            RemoteIPInternalProxy 37.156.195.14
+            RemoteIPInternalProxy 37.156.195.19
+            RemoteIPInternalProxy 37.156.195.84
+            RemoteIPInternalProxy 37.156.195.92
+            #ErrorDocument 404 /404.html
+            ErrorLog ${APACHE_LOG_DIR}/error.log
+            CustomLog ${APACHE_LOG_DIR}/access.log combined env=forwarded
+            SSLEngine On
+            SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
+            SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
+            <Directory /var/www/html/>
+                    LimitRequestBody 0
+                    Require all granted
+                    AllowOverride All
+                    Options FollowSymLinks MultiViews
+
+                    <IfModule mod_dav.c>
+                        Dav off
+                    </IfModule>
+            </Directory>
+            <Directory /var/www/html/data>
+                Order allow,deny
+                deny from all
+            </Directory>
+    </VirtualHost>
+    # vim: syntax=apache ts=4 sw=4 sts=4 sr noet
--- a/customers/base/apache-php-configmap.yml
+++ b/customers/base/apache-php-configmap.yml
@ -0,0 +1,162 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: apache-php-configmap
+data:
+  php.ini: |
+    [PHP]
+    allow_url_fopen = On
+    allow_url_include = Off
+    auto_append_file =
+    auto_globals_jit = On
+    auto_prepend_file =
+    default_charset = "UTF-8"
+    default_mimetype = "text/html"
+    default_socket_timeout = 60
+    disable_classes =
+    disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare,
+    display_errors = Off
+    display_startup_errors = Off
+    doc_root =
+    enable_dl = Off
+    engine = On
+    error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
+    expose_php = Off
+    file_uploads = On
+    ignore_repeated_errors = Off
+    ignore_repeated_source = Off
+    implicit_flush = Off
+    log_errors = On
+    log_errors_max_len = 1024
+    max_execution_time = 86400
+    max_file_uploads = 20
+    max_input_time = 86400
+    memory_limit = 512M
+    output_buffering = Off
+    post_max_size = 30G
+    precision = 14
+    register_argc_argv = Off
+    report_memleaks = On
+    request_order = "GP"
+    serialize_precision = -1
+    short_open_tag = Off
+    unserialize_callback_func =
+    upload_max_filesize = 30G
+    user_dir =
+    variables_order = "GPCS"
+    zend.enable_gc = On
+    zend.exception_ignore_args = On
+    zlib.output_compression = Off
+    [CLI Server]
+    cli_server.color = On
+    [Date]
+    ; Nothing here
+    [filter]
+    ; Nothing here
+    [iconv]
+    ; Nothing here
+    [imap]
+    ; Nothing here
+    [intl]
+    ; Nothing here
+    [sqlite3]
+    ; Nothing here
+    [Pcre]
+    ; Nothing here
+    [Pdo]
+    ; Nothing here
+    [Pdo_mysql]
+    pdo_mysql.default_socket=
+    [Phar]
+    ; Nothing here
+    [mail function]
+    SMTP = localhost
+    smtp_port = 25
+    mail.add_x_header = Off
+    [ODBC]
+    odbc.allow_persistent = On
+    odbc.check_persistent = On
+    odbc.max_persistent = -1
+    odbc.max_links = -1
+    odbc.defaultlrl = 4096
+    odbc.defaultbinmode = 1
+    [MySQLi]
+    mysqli.max_persistent = -1
+    mysqli.allow_persistent = On
+    mysqli.max_links = -1
+    mysqli.default_port = 3306
+    mysqli.default_socket =
+    mysqli.default_host =
+    mysqli.default_user =
+    mysqli.default_pw =
+    mysqli.reconnect = Off
+    [mysqlnd]
+    mysqlnd.collect_statistics = On
+    mysqlnd.collect_memory_statistics = Off
+    [OCI8]
+    ; Nothing here
+    [PostgreSQL]
+    pgsql.allow_persistent = On
+    pgsql.auto_reset_persistent = Off
+    pgsql.max_persistent = -1
+    pgsql.max_links = -1
+    pgsql.ignore_notice = 0
+    pgsql.log_notice = 0
+    [bcmath]
+    bcmath.scale = 0
+    [browscap]
+    ; Nothing here
+    [Session]
+    session.save_handler = files
+    session.use_strict_mode = 0
+    session.use_cookies = 1
+    session.use_only_cookies = 1
+    session.name = PHPSESSID
+    session.auto_start = 0
+    session.cookie_lifetime = 0
+    session.cookie_path = /
+    session.cookie_domain =
+    session.cookie_httponly =
+    session.cookie_samesite =
+    session.serialize_handler = php
+    session.gc_probability = 0
+    session.gc_divisor = 1000
+    session.gc_maxlifetime = 1440
+    session.referer_check =
+    session.cache_limiter = nocache
+    session.cache_expire = 180
+    session.use_trans_sid = 0
+    session.sid_length = 26
+    session.trans_sid_tags = "a=href,area=href,frame=src,form="
+    session.sid_bits_per_character = 5
+    [Assertion]
+    zend.assertions = -1
+    [COM]
+    ; Nothing here
+    [mbstring]
+    ; Nothing here
+    [gd]
+    ; Nothing here
+    [exif]
+    ; Nothing here
+    [Tidy]
+    tidy.clean_output = Off
+    [soap]
+    soap.wsdl_cache_enabled=1
+    soap.wsdl_cache_dir="/tmp"
+    soap.wsdl_cache_ttl=86400
+    soap.wsdl_cache_limit = 5
+    [sysvshm]
+    ; Nothing here
+    [ldap]
+    ldap.max_links = -1
+    [dba]
+    ; Nothing here
+    [opcache]
+    opcache.interned_strings_buffer=64
+    [curl]
+    ; Nothing here
+    [openssl]
+    ; Nothing here
+    [ffi]
+    ; Nothing here
--- a/customers/base/apcu-configmap.yml
+++ b/customers/base/apcu-configmap.yml
@ -0,0 +1,8 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: apcu-configmap
+data:
+  apcu.ini: |
+    extension=apcu.so
+    apc.enable_cli=1
--- a/customers/base/cli-php-configmap.yml
+++ b/customers/base/cli-php-configmap.yml
@ -0,0 +1,162 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: cli-php-configmap
+data:
+  php.ini: |
+    [PHP]
+    allow_url_fopen = On
+    allow_url_include = Off
+    auto_append_file =
+    auto_globals_jit = On
+    auto_prepend_file =
+    default_charset = "UTF-8"
+    default_mimetype = "text/html"
+    default_socket_timeout = 60
+    disable_classes =
+    disable_functions =
+    display_errors = Off
+    display_startup_errors = Off
+    doc_root =
+    enable_dl = Off
+    engine = On
+    error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
+    expose_php = On
+    file_uploads = On
+    ignore_repeated_errors = Off
+    ignore_repeated_source = Off
+    implicit_flush = Off
+    log_errors = On
+    log_errors_max_len = 1024
+    max_execution_time = 86400
+    max_file_uploads = 20
+    max_input_time = 86400
+    memory_limit = -1
+    output_buffering = Off
+    post_max_size = 16G
+    precision = 14
+    register_argc_argv = Off
+    report_memleaks = On
+    request_order = "GP"
+    serialize_precision = -1
+    short_open_tag = Off
+    unserialize_callback_func =
+    upload_max_filesize = 16G
+    user_dir =
+    variables_order = "GPCS"
+    zend.enable_gc = On
+    zend.exception_ignore_args = On
+    zlib.output_compression = Off
+    [CLI Server]
+    cli_server.color = On
+    [Date]
+    ; Nothing here
+    [filter]
+    ; Nothing here
+    [iconv]
+    ; Nothing here
+    [imap]
+    ; Nothing here
+    [intl]
+    ; Nothing here
+    [sqlite3]
+    ; Nothing here
+    [Pcre]
+    ; Nothing here
+    [Pdo]
+    ; Nothing here
+    [Pdo_mysql]
+    pdo_mysql.default_socket=
+    [Phar]
+    ; Nothing here
+    [mail function]
+    SMTP = localhost
+    smtp_port = 25
+    mail.add_x_header = Off
+    [ODBC]
+    odbc.allow_persistent = On
+    odbc.check_persistent = On
+    odbc.max_persistent = -1
+    odbc.max_links = -1
+    odbc.defaultlrl = 4096
+    odbc.defaultbinmode = 1
+    [MySQLi]
+    mysqli.max_persistent = -1
+    mysqli.allow_persistent = On
+    mysqli.max_links = -1
+    mysqli.default_port = 3306
+    mysqli.default_socket =
+    mysqli.default_host =
+    mysqli.default_user =
+    mysqli.default_pw =
+    mysqli.reconnect = Off
+    [mysqlnd]
+    mysqlnd.collect_statistics = On
+    mysqlnd.collect_memory_statistics = Off
+    [OCI8]
+    ; Nothing here
+    [PostgreSQL]
+    pgsql.allow_persistent = On
+    pgsql.auto_reset_persistent = Off
+    pgsql.max_persistent = -1
+    pgsql.max_links = -1
+    pgsql.ignore_notice = 0
+    pgsql.log_notice = 0
+    [bcmath]
+    bcmath.scale = 0
+    [browscap]
+    ; Nothing here
+    [Session]
+    session.save_handler = files
+    session.use_strict_mode = 0
+    session.use_cookies = 1
+    session.use_only_cookies = 1
+    session.name = PHPSESSID
+    session.auto_start = 0
+    session.cookie_lifetime = 0
+    session.cookie_path = /
+    session.cookie_domain =
+    session.cookie_httponly =
+    session.cookie_samesite =
+    session.serialize_handler = php
+    session.gc_probability = 0
+    session.gc_divisor = 1000
+    session.gc_maxlifetime = 1440
+    session.referer_check =
+    session.cache_limiter = nocache
+    session.cache_expire = 180
+    session.use_trans_sid = 0
+    session.sid_length = 26
+    session.trans_sid_tags = "a=href,area=href,frame=src,form="
+    session.sid_bits_per_character = 5
+    [Assertion]
+    zend.assertions = -1
+    [COM]
+    ; Nothing here
+    [mbstring]
+    ; Nothing here
+    [gd]
+    ; Nothing here
+    [exif]
+    ; Nothing here
+    [Tidy]
+    tidy.clean_output = Off
+    [soap]
+    soap.wsdl_cache_enabled=1
+    soap.wsdl_cache_dir="/tmp"
+    soap.wsdl_cache_ttl=86400
+    soap.wsdl_cache_limit = 5
+    [sysvshm]
+    ; Nothing here
+    [ldap]
+    ldap.max_links = -1
+    [dba]
+    ; Nothing here
+    [opcache]
+    opcache.interned_strings_buffer=64
+    [curl]
+    ; Nothing here
+    [openssl]
+    ; Nothing here
+    [ffi]
+    ; Nothing here
--- a/customers/base/env-configmap.yml
+++ b/customers/base/env-configmap.yml
@ -1,25 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: nextcloud-env
-data:
-  GSS_MASTER_URL: 'https://drive.test.sunet.se'
-  MAIL_DOMAIN: 'drive.test.sunet.se'
-  MAIL_FROM_ADDRESS: 'noreply'
-  MAIL_SMTPHOST: 'smtp.sunet.se'
-  MAIL_SMTPNAME: 'noreply@drive.test.sunet.se'
-  MYSQL_DATABASE: 'nextcloud_customer'
-  MYSQL_HOST: 'proxysqlcluster.proxysql'
-  MYSQL_PORT: '6033'
-  MYSQL_USER: 'nextcloud_customer'
-  NEXTCLOUD_ADMIN_USER: 'admin'
-  NEXTCLOUD_TRUSTED_DOMAINS: 'customer.drive.test.sunet.se'
-  NEXTCLOUD_VERSION_STRING: '30.0.5.2'
-  OBJECTSTORE_S3_AUTOCREATE: 'true'
-  OBJECTSTORE_S3_BUCKET: 'primary-customer-drive-test.sunet.se'
-  OBJECTSTORE_S3_HOST: 's3.sto4.safedc.net'
-  OBJECTSTORE_S3_REGION: 'us-east-1'
-  OBJECTSTORE_S3_SSL: 'true'
-  OBJECTSTORE_S3_USEPATH_STYLE: 'true'
-  REDIS_HOST: 'redis'
-  SITE_NAME: 'customer.drive.test.sunet.se'
--- a/customers/base/files/000-default.conf
+++ b/customers/base/files/000-default.conf
@ -1,73 +0,0 @@
-LoadModule remoteip_module /usr/lib/apache2/modules/mod_remoteip.so
-LoadModule headers_module /usr/lib/apache2/modules/mod_headers.so
-<VirtualHost *:80>
-        ServerAdmin webmaster@localhost
-        DocumentRoot /var/www/html
-        # Log format config
-        LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" xforwardedfor
-        SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
-
-        PassEnv HOSTNAME
-        Header append Set-Cookie "SERVERID=%{HOSTNAME}e;Path=/;SameSite=Lax;HttpOnly;Secure"
-
-        # Header config
-        RemoteIPHeader X-Forwarded-For
-        RemoteIPInternalProxy 37.156.195.14
-        RemoteIPInternalProxy 37.156.195.19
-        RemoteIPInternalProxy 37.156.195.84
-        RemoteIPInternalProxy 37.156.195.92
-        #ErrorDocument 404 /404.html
-        ErrorLog ${APACHE_LOG_DIR}/error.log
-        CustomLog ${APACHE_LOG_DIR}/access.log xforwardedfor env=forwarded
-        CustomLog ${APACHE_LOG_DIR}/access.log combined env=!forwarded
-        <Directory /var/www/html/>
-                LimitRequestBody 0
-                Require all granted
-                AllowOverride All
-                Options FollowSymLinks MultiViews
-
-                <IfModule mod_dav.c>
-                    Dav off
-                </IfModule>
-        </Directory>
-</VirtualHost>
-<VirtualHost *:443>
-        ServerAdmin webmaster@localhost
-        DocumentRoot /var/www/html
-        # Log format config
-        LogFormat "%{X-Forwarded-For}i %l %u %t \"%r\" %>s %b \"%{Referer}i\" \"%{User-Agent}i\"" xforwardedfor
-        SetEnvIf X-Forwarded-For "^.*\..*\..*\..*" forwarded
-
-        PassEnv HOSTNAME
-        Header append Set-Cookie "SERVERID=%{HOSTNAME}e;Path=/;SameSite=Lax;HttpOnly;Secure"
-
-        # Header config
-        RemoteIPHeader X-Forwarded-For
-        RemoteIPInternalProxy 37.156.195.14
-        RemoteIPInternalProxy 37.156.195.19
-        RemoteIPInternalProxy 37.156.195.84
-        RemoteIPInternalProxy 37.156.195.92
-        #ErrorDocument 404 /404.html
-        ErrorLog ${APACHE_LOG_DIR}/error.log
-        CustomLog ${APACHE_LOG_DIR}/access.log xforwardedfor env=forwarded
-        CustomLog ${APACHE_LOG_DIR}/access.log combined env=!forwarded
-        SSLEngine On
-        SSLCertificateFile /etc/ssl/certs/ssl-cert-snakeoil.pem
-        SSLCertificateKeyFile /etc/ssl/private/ssl-cert-snakeoil.key
-        <Directory /var/www/html/>
-                LimitRequestBody 0
-                Require all granted
-                AllowOverride All
-                Options FollowSymLinks MultiViews
-
-                <IfModule mod_dav.c>
-                    Dav off
-                </IfModule>
-        </Directory>
-        <Directory /var/www/html/data>
-            Order allow,deny
-            deny from all
-        </Directory>
-</VirtualHost>
-# vim: syntax=apache ts=4 sw=4 sts=4 sr noet
-
--- a/customers/base/files/apache-php.ini
+++ b/customers/base/files/apache-php.ini
@ -1,157 +0,0 @@
-[PHP]
-allow_url_fopen = On
-allow_url_include = Off
-auto_append_file =
-auto_globals_jit = On
-auto_prepend_file =
-default_charset = "UTF-8"
-default_mimetype = "text/html"
-default_socket_timeout = 60
-disable_classes =
-disable_functions = pcntl_alarm,pcntl_fork,pcntl_waitpid,pcntl_wait,pcntl_wifexited,pcntl_wifstopped,pcntl_wifsignaled,pcntl_wifcontinued,pcntl_wexitstatus,pcntl_wtermsig,pcntl_wstopsig,pcntl_signal,pcntl_signal_get_handler,pcntl_signal_dispatch,pcntl_get_last_error,pcntl_strerror,pcntl_sigprocmask,pcntl_sigwaitinfo,pcntl_sigtimedwait,pcntl_exec,pcntl_getpriority,pcntl_setpriority,pcntl_async_signals,pcntl_unshare,
-display_errors = Off
-display_startup_errors = Off
-doc_root =
-enable_dl = Off
-engine = On
-error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
-expose_php = Off
-file_uploads = On
-ignore_repeated_errors = Off
-ignore_repeated_source = Off
-implicit_flush = Off
-log_errors = On
-log_errors_max_len = 1024
-max_execution_time = 86400
-max_file_uploads = 20
-max_input_time = 86400
-memory_limit = 512M
-output_buffering = Off
-post_max_size = 30G
-precision = 14
-register_argc_argv = Off
-report_memleaks = On
-request_order = "GP"
-serialize_precision = -1
-short_open_tag = Off
-unserialize_callback_func =
-upload_max_filesize = 30G
-user_dir =
-variables_order = "GPCS"
-zend.enable_gc = On
-zend.exception_ignore_args = On
-zlib.output_compression = Off
-[CLI Server]
-cli_server.color = On
-[Date]
-; Nothing here
-[filter]
-; Nothing here
-[iconv]
-; Nothing here
-[imap]
-; Nothing here
-[intl]
-; Nothing here
-[sqlite3]
-; Nothing here
-[Pcre]
-; Nothing here
-[Pdo]
-; Nothing here
-[Pdo_mysql]
-pdo_mysql.default_socket=
-[Phar]
-; Nothing here
-[mail function]
-SMTP = localhost
-smtp_port = 25
-mail.add_x_header = Off
-[ODBC]
-odbc.allow_persistent = On
-odbc.check_persistent = On
-odbc.max_persistent = -1
-odbc.max_links = -1
-odbc.defaultlrl = 4096
-odbc.defaultbinmode = 1
-[MySQLi]
-mysqli.max_persistent = -1
-mysqli.allow_persistent = On
-mysqli.max_links = -1
-mysqli.default_port = 3306
-mysqli.default_socket =
-mysqli.default_host =
-mysqli.default_user =
-mysqli.default_pw =
-mysqli.reconnect = Off
-[mysqlnd]
-mysqlnd.collect_statistics = On
-mysqlnd.collect_memory_statistics = Off
-[OCI8]
-; Nothing here
-[PostgreSQL]
-pgsql.allow_persistent = On
-pgsql.auto_reset_persistent = Off
-pgsql.max_persistent = -1
-pgsql.max_links = -1
-pgsql.ignore_notice = 0
-pgsql.log_notice = 0
-[bcmath]
-bcmath.scale = 0
-[browscap]
-; Nothing here
-[Session]
-session.save_handler = files
-session.use_strict_mode = 0
-session.use_cookies = 1
-session.use_only_cookies = 1
-session.name = PHPSESSID
-session.auto_start = 0
-session.cookie_lifetime = 0
-session.cookie_path = /
-session.cookie_domain =
-session.cookie_httponly =
-session.cookie_samesite =
-session.serialize_handler = php
-session.gc_probability = 0
-session.gc_divisor = 1000
-session.gc_maxlifetime = 1440
-session.referer_check =
-session.cache_limiter = nocache
-session.cache_expire = 180
-session.use_trans_sid = 0
-session.sid_length = 26
-session.trans_sid_tags = "a=href,area=href,frame=src,form="
-session.sid_bits_per_character = 5
-[Assertion]
-zend.assertions = -1
-[COM]
-; Nothing here
-[mbstring]
-; Nothing here
-[gd]
-; Nothing here
-[exif]
-; Nothing here
-[Tidy]
-tidy.clean_output = Off
-[soap]
-soap.wsdl_cache_enabled=1
-soap.wsdl_cache_dir="/tmp"
-soap.wsdl_cache_ttl=86400
-soap.wsdl_cache_limit = 5
-[sysvshm]
-; Nothing here
-[ldap]
-ldap.max_links = -1
-[dba]
-; Nothing here
-[opcache]
-opcache.interned_strings_buffer=64
-[curl]
-; Nothing here
-[openssl]
-; Nothing here
-[ffi]
-; Nothing here
-
--- a/customers/base/files/apcu.ini
+++ b/customers/base/files/apcu.ini
@ -1,3 +0,0 @@
-extension=apcu.so
-apc.enable_cli=1
-
--- a/customers/base/files/cli-php.ini
+++ b/customers/base/files/cli-php.ini
@ -1,157 +0,0 @@
-[PHP]
-allow_url_fopen = On
-allow_url_include = Off
-auto_append_file =
-auto_globals_jit = On
-auto_prepend_file =
-default_charset = "UTF-8"
-default_mimetype = "text/html"
-default_socket_timeout = 60
-disable_classes =
-disable_functions =
-display_errors = Off
-display_startup_errors = Off
-doc_root =
-enable_dl = Off
-engine = On
-error_reporting = E_ALL & ~E_DEPRECATED & ~E_STRICT
-expose_php = On
-file_uploads = On
-ignore_repeated_errors = Off
-ignore_repeated_source = Off
-implicit_flush = Off
-log_errors = On
-log_errors_max_len = 1024
-max_execution_time = 86400
-max_file_uploads = 20
-max_input_time = 86400
-memory_limit = -1
-output_buffering = Off
-post_max_size = 16G
-precision = 14
-register_argc_argv = Off
-report_memleaks = On
-request_order = "GP"
-serialize_precision = -1
-short_open_tag = Off
-unserialize_callback_func =
-upload_max_filesize = 16G
-user_dir =
-variables_order = "GPCS"
-zend.enable_gc = On
-zend.exception_ignore_args = On
-zlib.output_compression = Off
-[CLI Server]
-cli_server.color = On
-[Date]
-; Nothing here
-[filter]
-; Nothing here
-[iconv]
-; Nothing here
-[imap]
-; Nothing here
-[intl]
-; Nothing here
-[sqlite3]
-; Nothing here
-[Pcre]
-; Nothing here
-[Pdo]
-; Nothing here
-[Pdo_mysql]
-pdo_mysql.default_socket=
-[Phar]
-; Nothing here
-[mail function]
-SMTP = localhost
-smtp_port = 25
-mail.add_x_header = Off
-[ODBC]
-odbc.allow_persistent = On
-odbc.check_persistent = On
-odbc.max_persistent = -1
-odbc.max_links = -1
-odbc.defaultlrl = 4096
-odbc.defaultbinmode = 1
-[MySQLi]
-mysqli.max_persistent = -1
-mysqli.allow_persistent = On
-mysqli.max_links = -1
-mysqli.default_port = 3306
-mysqli.default_socket =
-mysqli.default_host =
-mysqli.default_user =
-mysqli.default_pw =
-mysqli.reconnect = Off
-[mysqlnd]
-mysqlnd.collect_statistics = On
-mysqlnd.collect_memory_statistics = Off
-[OCI8]
-; Nothing here
-[PostgreSQL]
-pgsql.allow_persistent = On
-pgsql.auto_reset_persistent = Off
-pgsql.max_persistent = -1
-pgsql.max_links = -1
-pgsql.ignore_notice = 0
-pgsql.log_notice = 0
-[bcmath]
-bcmath.scale = 0
-[browscap]
-; Nothing here
-[Session]
-session.save_handler = files
-session.use_strict_mode = 0
-session.use_cookies = 1
-session.use_only_cookies = 1
-session.name = PHPSESSID
-session.auto_start = 0
-session.cookie_lifetime = 0
-session.cookie_path = /
-session.cookie_domain =
-session.cookie_httponly =
-session.cookie_samesite =
-session.serialize_handler = php
-session.gc_probability = 0
-session.gc_divisor = 1000
-session.gc_maxlifetime = 1440
-session.referer_check =
-session.cache_limiter = nocache
-session.cache_expire = 180
-session.use_trans_sid = 0
-session.sid_length = 26
-session.trans_sid_tags = "a=href,area=href,frame=src,form="
-session.sid_bits_per_character = 5
-[Assertion]
-zend.assertions = -1
-[COM]
-; Nothing here
-[mbstring]
-; Nothing here
-[gd]
-; Nothing here
-[exif]
-; Nothing here
-[Tidy]
-tidy.clean_output = Off
-[soap]
-soap.wsdl_cache_enabled=1
-soap.wsdl_cache_dir="/tmp"
-soap.wsdl_cache_ttl=86400
-soap.wsdl_cache_limit = 5
-[sysvshm]
-; Nothing here
-[ldap]
-ldap.max_links = -1
-[dba]
-; Nothing here
-[opcache]
-opcache.interned_strings_buffer=64
-[curl]
-; Nothing here
-[openssl]
-; Nothing here
-[ffi]
-; Nothing here
-
--- a/customers/base/files/config.php
+++ b/customers/base/files/config.php
@ -1,102 +0,0 @@
-<?php
-$CONFIG = array (
-  'apps_paths' =>
-    array (
-      0 =>
-        array (
-          'path' => '/var/www/html/apps',
-          'url' => '/apps',
-          'writable' => false,
-        ),
-      1 =>
-        array (
-          'path' => '/var/www/html/custom_apps',
-          'url' => '/custom_apps',
-          'writable' => true,
-        ),
-    ),
-  'appstoreenabled' => false,
-  'config_is_read_only' => true,
-  'csrf.disabled' => true,
-  'datadirectory' => '/var/www/html/data',
-  'dbhost' => '{{MYSQL_HOST}}:{{MYSQL_PORT}}',
-  'dbname' => '{{MYSQL_DATABASE}}',
-  'dbpassword' => '{{MYSQL_PASSWORD}}',
-  'dbport' => '{{MYSQL_PORT}}',
-  'dbtableprefix' => 'oc_',
-  'dbtype' => 'mysql',
-  'dbuser' => '{{MYSQL_USER}}',
-  'default_phone_region' => 'SE',
-  'forcessl' => true,
-  'gs.enabled' => 'true',
-  'gs.federation' => 'global',
-  'gs.trustedHosts' => ['*.sunet.se'],
-  'htaccess.RewriteBase' => '/',
-  'installed' => true,
-  'instanceid' => '{{NEXTCLOUD_INSTANCEID}}',
-  'integrity.check.disabled' => true,
-  'log_type' => 'file',
-  'loglevel' => 0,
-  'mail_domain' => '{{MAIL_DOMAIN}}',
-  'mail_from_address' => '{{MAIL_FROM_ADDRESS}}',
-  'mail_sendmailmode' => 'smtp',
-  'mail_smtpauth' => 1,
-  'mail_smtpauthtype' => 'LOGIN',
-  'mail_smtphost' => '{{MAIL_SMTPHOST}}',
-  'mail_smtpmode' => 'smtp',
-  'mail_smtpname' => '{{MAIL_SMTPNAME}}',
-  'mail_smtppassword' => '{{MAIL_SMTPPASSWORD}}',
-  'mail_smtpport' => '587',
-  'mail_smtpsecure' => 'tls',
-  'mail_template_class' => 'OCA\DriveEmailTemplate\EMailTemplate',
-  'memcache.distributed' => '\\OC\\Memcache\\Redis',
-  'memcache.local' => '\\OC\\Memcache\\APCu',
-  'memcache.locking' => '\\OC\\Memcache\\Redis',
-  'mysql.utf8mb4' => true,
-  'objectstore' =>
-    array (
-      'class' => '\\OC\\Files\\ObjectStore\\S3',
-      'arguments' =>
-        array (
-          'autocreate' => false,
-          'bucket' => '{{OBJECTSTORE_S3_BUCKET}}',
-          'hostname' => '{{OBJECTSTORE_S3_HOST}}',
-          'key' => '{{OBJECTSTORE_S3_KEY}}',
-          'legacy_auth' => false,
-          'objectPrefix' => 'urn:oid:',
-          'port' => '',
-          'region' => '{{OBJECTSTORE_S3_REGION}}',
-          'secret' => '{{OBJECTSTORE_S3_SECRET}}',
-          'use_path_style' => true,
-          'use_ssl' => true,
-        ),
-    ),
-  'overwrite.cli.url' => 'https://{{SITE_NAME}}/',
-  'overwritehost' => '{{SITE_NAME}}',
-  'overwriteprotocol' => 'https',
-  'passwordsalt' => '{{NEXTCLOUD_PASSWORDSALT}}',
-  'secret' => '{{NEXTCLOUD_SECRET}}',
-  'redis' =>
-    array (
-      'host' => '{{REDIS_HOST}}',
-      'port' => 6379,
-    ),
-  'skeletondirectory' => '',
-  'templatedirectory' => '',
-  'trusted_domains' =>
-    array (
-      0 => '{{NEXTCLOUD_TRUSTED_DOMAINS}}'
-    ),
-  'trusted_proxies' =>
-    array (
-      0 => '10.0.0.0/8'
-    ),
-  'twofactor_enforced' => 'true',
-  'twofactor_enforced_groups' =>
-    array (
-      0 => 'admin',
-    ),
-  'updatechecker' => false,
-  'version' => '{{NEXTCLOUD_VERSION_STRING}}',
-);
-
--- a/customers/base/files/nc-upgrade
+++ b/customers/base/files/nc-upgrade
@ -1,14 +0,0 @@
-#!/bin/bash
-sed "s/config_is_read_only\(.\) => true,/config_is_read_only\1 => false,/" /var/www/html/config/config.php > /var/www/html/config/config.php.tmp
-mv /var/www/html/config/config.php.tmp /var/www/html/config/config.php
-php -d apc.enable_cli=1 -d memory_limit=-1 /var/www/html/occ upgrade
-php -d apc.enable_cli=1 -d memory_limit=-1 /var/www/html/occ maintenance:update:htaccess
-php -d apc.enable_cli=1 -d memory_limit=-1 /var/www/html/occ maintenance:repair
-php -d apc.enable_cli=1 -d memory_limit=-1 /var/www/html/occ maintenance:mode --off
-php -d apc.enable_cli=1 -d memory_limit=-1 /var/www/html/occ db:add-missing-primary-keys
-php -d apc.enable_cli=1 -d memory_limit=-1 /var/www/html/occ db:add-missing-columns
-php -d apc.enable_cli=1 -d memory_limit=-1 /var/www/html/occ db:add-missing-indices
-sed "s/config_is_read_only\(.\) => false,/config_is_read_only\1 => true,/" /var/www/html/config/config.php > /var/www/html/config/config.php.tmp
-mv /var/www/html/config/config.php.tmp /var/www/html/config/config.php
-chown www-data:www-data /var/www/html/config/config.php
-
--- a/customers/base/kustomization.yaml
+++ b/customers/base/kustomization.yaml
@ -1,37 +1,14 @@
 resources:
-  - env-configmap.yml
+  - apache-configmap.yml
+  - apache-php-configmap.yml
+  - apcu-configmap.yml
+  - cli-php-configmap.yml
  - nextcloud-cert-issuer.yml
+  - nextcloud-configmap.yml
  - nextcloud-deployment.yml
  - nextcloud-ingress.yml
  - nextcloud-service.yml
  - redis-deployment.yml
  - redis-service.yml
  - s3-service.yml
-
-configMapGenerator:
-  - name: apache-configmap
-    files:
-      - files/000-default.conf
-  - name: apache-php-configmap
-    files:
-      - php.ini=files/apache-php.ini
-  - name: apcu-configmap
-    files:
-      - files/apcu.ini
-  - name: nextcloud-configmap
-    files:
-      - files/config.php
-  - name: cli-php-configmap
-    files:
-      - php.ini=files/cli-php.ini
-  - name: script-configmap
-    files:
-      - files/nc-upgrade
-
-generatorOptions:
-  disableNameSuffixHash: true
-
-images:
-  - name: nextcloud-custom-image
-    newName: docker.sunet.se/drive/nextcloud-custom
-    newTag: 30.0.5.2-2
+  - script-configmap.yml
--- a/customers/base/nextcloud-configmap.yml
+++ b/customers/base/nextcloud-configmap.yml
@ -0,0 +1,115 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: nextcloud-configmap
+data:
+  config.php: |
+    <?php
+    $CONFIG = array (
+      'app_install_overwrite' =>
+        array (
+          0 => 'globalsiteselector',
+        ),
+      'apps_paths' =>
+        array (
+          0 =>
+            array (
+              'path' => '/var/www/html/apps',
+              'url' => '/apps',
+              'writable' => false,
+            ),
+          1 =>
+            array (
+              'path' => '/var/www/html/custom_apps',
+              'url' => '/custom_apps',
+              'writable' => true,
+            ),
+        ),
+      'appstoreenabled' => false,
+      'config_is_read_only' => true,
+      'csrf.disabled' => true,
+      'datadirectory' => '/var/www/html/data',
+      'dbhost' => '{{MYSQL_HOST}}:{{MYSQL_PORT}}',
+      'dbname' => '{{MYSQL_DATABASE}}',
+      'dbpassword' => '{{MYSQL_PASSWORD}}',
+      'dbport' => '{{MYSQL_PORT}}',
+      'dbtableprefix' => 'oc_',
+      'dbtype' => 'mysql',
+      'dbuser' => '{{MYSQL_USER}}',
+      'default_phone_region' => 'SE',
+      'forcessl' => true,
+      'gs.enabled' => 'true',
+      'gs.federation' => 'global',
+      'gs.trustedHosts' => ['*.sunet.se'],
+      'gss.jwt.key' => '{{GSS_JWT_KEY}}',
+      'gss.master.url' => '{{GSS_MASTER_URL}}',
+      'gss.mode' => 'slave',
+      'gss.user.discovery.module' => '\\OCA\\GlobalSiteSelector\\UserDiscoveryModules\\ManualUserMapping',
+      'installed' => true,
+      'instanceid' => '{{NEXTCLOUD_INSTANCEID}}',
+      'integrity.check.disabled' => true,
+      'log_type' => 'file',
+      'loglevel' => 0,
+      'lookup_server' => '{{LOOKUP_SERVER}}',
+      'mail_domain' => '{{MAIL_DOMAIN}}',
+      'mail_from_address' => '{{MAIL_FROM_ADDRESS}}',
+      'mail_sendmailmode' => 'smtp',
+      'mail_smtpauth' => 1,
+      'mail_smtpauthtype' => 'LOGIN',
+      'mail_smtphost' => '{{MAIL_SMTPHOST}}',
+      'mail_smtpmode' => 'smtp',
+      'mail_smtpname' => '{{MAIL_SMTPNAME}}',
+      'mail_smtppassword' => '{{MAIL_SMTPPASSWORD}}',
+      'mail_smtpport' => '587',
+      'mail_smtpsecure' => 'tls',
+      'mail_template_class' => 'OCA\DriveEmailTemplate\EMailTemplate',
+      'memcache.distributed' => '\\OC\\Memcache\\Redis',
+      'memcache.local' => '\\OC\\Memcache\\APCu',
+      'memcache.locking' => '\\OC\\Memcache\\Redis',
+      'mysql.utf8mb4' => true,
+      'objectstore' =>
+        array (
+          'class' => '\\OC\\Files\\ObjectStore\\S3',
+          'arguments' =>
+            array (
+              'autocreate' => false,
+              'bucket' => '{{OBJECTSTORE_S3_BUCKET}}',
+              'hostname' => '{{OBJECTSTORE_S3_HOST}}',
+              'key' => '{{OBJECTSTORE_S3_KEY}}',
+              'legacy_auth' => false,
+              'objectPrefix' => 'urn:oid:',
+              'port' => '',
+              'region' => '{{OBJECTSTORE_S3_REGION}}',
+              'secret' => '{{OBJECTSTORE_S3_SECRET}}',
+              'use_path_style' => true,
+              'use_ssl' => true,
+            ),
+        ),
+      'overwrite.cli.url' => 'https://{{SITE_NAME}}',
+      'overwritehost' => '{{SITE_NAME}}',
+      'overwriteprotocol' => 'https',
+      'passwordsalt' => '{{NEXTCLOUD_PASSWORDSALT}}',
+      'secret' => '{{NEXTCLOUD_SECRET}}',
+      'redis' =>
+        array (
+          'host' => '{{REDIS_HOST}}',
+          'port' => 6379,
+        ),
+      'skeletondirectory' => '',
+      'templatedirectory' => '',
+      'trusted_domains' =>
+        array (
+          0 => '{{NEXTCLOUD_TRUSTED_DOMAINS}}'
+        ),
+      'trusted_proxies' =>
+        array (
+          0 => '10.0.0.0/8'
+        ),
+      'twofactor_enforced' => 'true',
+      'twofactor_enforced_groups' =>
+        array (
+          0 => 'admin',
+        ),
+      'updatechecker' => false,
+      'version' => '{{NEXTCLOUD_VERSION_STRING}}',
+    );
--- a/customers/base/nextcloud-deployment.yml
+++ b/customers/base/nextcloud-deployment.yml
@ -11,6 +11,16 @@ spec:
      app: customer-node
  updateStrategy:
    type: RollingUpdate
+  volumeClaimTemplates:
+    - metadata:
+        name: nextcloud-data
+      spec:
+        storageClassName: csi-sc-cinderplugin
+        accessModes:
+          - ReadWriteOnce
+        resources:
+          requests:
+            storage: 1Gi
  template:
    metadata:
      labels:
@ -18,25 +28,9 @@ spec:
        kano: micke
    spec:
      restartPolicy: Always
-      initContainers:
-        - image: docker.sunet.se/sunet/docker-jinja:latest
-          name: init-config
-          volumeMounts:
-            - name: nextcloud-config
-              mountPath: /tmp/config.php.template
-              subPath: config.php
-            - name: nextcloud-data
-              mountPath: /var/www/html/config
-              subPath: config
-          envFrom:
-            - configMapRef:
-                name: nextcloud-env
-            - secretRef:
-                name: nextcloud-secrets
-          command: ["/bin/bash", "-c", "/usr/bin/j2 -f env -o /var/www/html/config/config.php /tmp/config.php.template"]
      containers:
        - name: customer
-          image: nextcloud-custom-image
+          image: docker.sunet.se/drive/nextcloud-custom:29.0.10.3-1
          volumeMounts:
            - name: nextcloud-data
              mountPath: /var/www/html/config/
@ -82,6 +76,105 @@ spec:
            postStart:
              exec:
                command: ["/bin/bash", "-c", "/usr/local/bin/nc-upgrade"]
+      initContainers:
+        - image: docker.sunet.se/sunet/docker-jinja:latest
+          name: init-config
+          volumeMounts:
+            - name: nextcloud-config
+              mountPath: /tmp/config.php.template
+              subPath: config.php
+            - name: nextcloud-data
+              mountPath: /var/www/html/config
+              subPath: config
+          env:
+            - name: GSS_MASTER_URL
+              value: "https://drive.test.sunet.se"
+            - name: GSS_JWT_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: gss-secret
+                  key: "jwt_key"
+            - name: LOOKUP_SERVER
+              value: "https://lookup.drive.test.sunet.se"
+            - name: MAIL_DOMAIN
+              value: "drive.test.sunet.se"
+            - name: MAIL_FROM_ADDRESS
+              value: "noreply"
+            - name: MAIL_SMTPHOST
+              value: "smtp.sunet.se"
+            - name: MAIL_SMTPNAME
+              value: "noreply@drive.test.sunet.se"
+            - name: MAIL_SMTPPASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: mail-secret
+                  key: "smtp_password"
+            - name: MYSQL_DATABASE
+              value: "nextcloud_customer"
+            - name: MYSQL_USER
+              value: "nextcloud_customer"
+            - name: MYSQL_HOST
+              value: "proxysqlcluster.proxysql"
+            - name: MYSQL_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: db-secret
+                  key: "db_password"
+            - name: MYSQL_PORT
+              value: "6033"
+            - name: NEXTCLOUD_TRUSTED_DOMAINS
+              value: "customer.drive.test.sunet.se"
+            - name: NEXTCLOUD_ADMIN_USER
+              value: admin
+            - name: NEXTCLOUD_VERSION_STRING
+              value: "28.0.3.3"
+            - name: NEXTCLOUD_ADMIN_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: nc-secret
+                  key: "nc_admin_password"
+            - name: NEXTCLOUD_PASSWORDSALT
+              valueFrom:
+                secretKeyRef:
+                  name: nc-secret
+                  key: "nc_passwordsalt"
+            - name: NEXTCLOUD_INSTANCEID
+              valueFrom:
+                secretKeyRef:
+                  name: nc-secret
+                  key: "nc_instanceid"
+            - name: NEXTCLOUD_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: nc-secret
+                  key: "nc_secret"
+            - name: OBJECTSTORE_S3_REGION
+              value: "us-east-1"
+            - name: OBJECTSTORE_S3_HOST
+              value: "s3.sto4.safedc.net"
+            - name: OBJECTSTORE_S3_BUCKET
+              value: "primary-customer-drive-test.sunet.se"
+            - name: OBJECTSTORE_S3_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: s3-secret
+                  key: "s3_key"
+            - name: OBJECTSTORE_S3_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: s3-secret
+                  key: "s3_secret"
+            - name: OBJECTSTORE_S3_USEPATH_STYLE
+              value: "true"
+            - name: OBJECTSTORE_S3_AUTOCREATE
+              value: "true"
+            - name: OBJECTSTORE_S3_SSL
+              value: "true"
+            - name: REDIS_HOST
+              value: "redis"
+            - name: SITE_NAME
+              value: "customer.drive.test.sunet.se"
+          command: ["/bin/bash", "-c", "/usr/bin/j2 -f env -o /var/www/html/config/config.php /tmp/config.php.template"]
      volumes:
        - name: script-config
          configMap:
@ -120,5 +213,3 @@ spec:
            items:
              - key: "config.php"
                path: "config.php"
-        - name: nextcloud-data
-          emptyDir: {}
--- a/customers/base/nextcloud-ingress.yml
+++ b/customers/base/nextcloud-ingress.yml
@ -6,11 +6,6 @@ metadata:
  annotations:
    cert-manager.io/issuer: "letsencrypt"
    acme.cert-manager.io/http01-edit-in-place: "true"
-    nginx.ingress.kubernetes.io/affinity-mode: "persistent"
-    nginx.ingress.kubernetes.io/affinity: "cookie"
-    nginx.ingress.kubernetes.io/session-cookie-expires: "172800"
-    nginx.ingress.kubernetes.io/session-cookie-max-age: "172800"
-    nginx.ingress.kubernetes.io/session-cookie-name: "sticky"
 spec:
  ingressClassName: nginx
  defaultBackend:
@ -20,15 +15,16 @@ spec:
        number: 8443
  tls:
    - hosts:
-        - customer.drive.test.sunet.se
+        - customer.drive.test.sunet.se 
      secretName: tls-secret
+  
  rules:
  - host: customer.drive.test.sunet.se
    http:
      paths:
      - path: /
        pathType: Prefix
-        backend:
+        backend: 
          service:
            name: customer-node
            port:
--- a/customers/base/script-configmap.yml
+++ b/customers/base/script-configmap.yml
@ -0,0 +1,19 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: script-configmap
+data:
+  nc-upgrade: |
+    #!/bin/bash
+    sed "s/config_is_read_only\(.\) => true,/config_is_read_only\1 => false,/" /var/www/html/config/config.php > /var/www/html/config/config.php.tmp
+    mv /var/www/html/config/config.php.tmp /var/www/html/config/config.php
+    php -d apc.enable_cli=1 -d memory_limit=-1 /var/www/html/occ app:disable globalsiteselector
+    php -d apc.enable_cli=1 -d memory_limit=-1 /var/www/html/occ upgrade
+    php -d apc.enable_cli=1 -d memory_limit=-1 /var/www/html/occ app:enable globalsiteselector
+    php -d apc.enable_cli=1 -d memory_limit=-1 /var/www/html/occ maintenance:repair
+    php -d apc.enable_cli=1 -d memory_limit=-1 /var/www/html/occ maintenance:mode --off
+    php -d apc.enable_cli=1 -d memory_limit=-1 /var/www/html/occ db:add-missing-primary-keys
+    php -d apc.enable_cli=1 -d memory_limit=-1 /var/www/html/occ db:add-missing-columns
+    php -d apc.enable_cli=1 -d memory_limit=-1 /var/www/html/occ db:add-missing-indices
+    sed "s/config_is_read_only\(.\) => false,/config_is_read_only\1 => true,/" /var/www/html/config/config.php > /var/www/html/config/config.php.tmp
+    mv /var/www/html/config/config.php.tmp /var/www/html/config/config.php
--- a/customers/overlays/nordunet/test/env-configmap.yml
+++ b/customers/overlays/nordunet/test/env-configmap.yml
@ -1,10 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: nextcloud-env
-data:
-  MYSQL_DATABASE: 'nextcloud_nordunet'
-  MYSQL_USER: 'nextcloud_nordunet'
-  NEXTCLOUD_TRUSTED_DOMAINS: 'nordunet.drive.test.sunet.se'
-  OBJECTSTORE_S3_BUCKET: 'primary-nordunet-drive-test.sunet.se'
-  SITE_NAME: 'nordunet.drive.test.sunet.se'
--- a/customers/overlays/nordunet/test/kustomization.yaml
+++ b/customers/overlays/nordunet/test/kustomization.yaml
@ -1,8 +1,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - ../../../base
+- ../../../base
 patches:
-  - path: env-configmap.yml
-  - path: nextcloud-deployment.yml
-  - path: nextcloud-ingress.yml
+- path: nextcloud-deployment.yml
+- path: nextcloud-ingress.yml
--- a/customers/overlays/nordunet/test/nextcloud-deployment.yml
+++ b/customers/overlays/nordunet/test/nextcloud-deployment.yml
@ -5,4 +5,31 @@ metadata:
  labels:
    app: customer-node
 spec:
-  replicas: 2
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: customer-node
+    spec:
+      initContainers:
+        - image: docker.sunet.se/sunet/docker-jinja:latest
+          name: init-config
+          env:
+            - name: MYSQL_DATABASE
+              value: "nextcloud_nordunet"
+            - name: MYSQL_USER
+              value: "nextcloud_nordunet"
+            - name: GSS_MASTER_URL
+              value: "https://drive.test.sunet.se"
+            - name: LOOKUP_SERVER
+              value: "https://lookup.drive.test.sunet.se"
+            - name: MAIL_DOMAIN
+              value: "drive.test.sunet.se"
+            - name: MAIL_SMTPNAME
+              value: "noreply@drive.test.sunet.se"
+            - name: NEXTCLOUD_TRUSTED_DOMAINS
+              value: "nordunet.drive.test.sunet.se"
+            - name: OBJECTSTORE_S3_BUCKET
+              value: "primary-nordunet-drive-test.sunet.se"
+            - name: SITE_NAME
+              value: "nordunet.drive.test.sunet.se"
--- a/customers/overlays/nordunet/test/nextcloud-ingress.yml
+++ b/customers/overlays/nordunet/test/nextcloud-ingress.yml
@ -10,7 +10,7 @@ spec:
  ingressClassName: nginx
  tls:
    - hosts:
-        - nordunet.drive.test.sunet.se
+        - nordunet.drive.test.sunet.se 
      secretName: tls-secret
  ingressClassName: nginx
  rules:
@ -19,7 +19,7 @@ spec:
      paths:
      - path: /
        pathType: Prefix
-        backend:
+        backend: 
          service:
            name: customer-node
            port:
--- a/customers/overlays/richir/test/env-configmap.yml
+++ b/customers/overlays/richir/test/env-configmap.yml
@ -1,10 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: nextcloud-env
-data:
-  MYSQL_DATABASE: 'nextcloud_richir'
-  MYSQL_USER: 'nextcloud_richir'
-  NEXTCLOUD_TRUSTED_DOMAINS: 'richir.drive.test.sunet.se'
-  OBJECTSTORE_S3_BUCKET: 'primary-richir-drive-test.sunet.se'
-  SITE_NAME: 'richir.drive.test.sunet.se'
--- a/customers/overlays/richir/test/kustomization.yaml
+++ b/customers/overlays/richir/test/kustomization.yaml
@ -1,9 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
-  - ../../../base
-  - nextcloud-secret-ss.yaml
-patches:
-  - path: env-configmap.yml
-  - path: nextcloud-deployment.yml
-  - path: nextcloud-ingress.yml
--- a/customers/overlays/richir/test/nextcloud-deployment.yml
+++ b/customers/overlays/richir/test/nextcloud-deployment.yml
@ -1,8 +0,0 @@
-kind: StatefulSet
-apiVersion: apps/v1
-metadata:
-  name: customer-node
-  labels:
-    app: customer-node
-spec:
-  replicas: 2
--- a/customers/overlays/richir/test/nextcloud-ingress.yml
+++ b/customers/overlays/richir/test/nextcloud-ingress.yml
@ -1,26 +0,0 @@
---
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: customer-ingress
-  annotations:
-    cert-manager.io/issuer: "letsencrypt"
-    acme.cert-manager.io/http01-edit-in-place: "true"
-spec:
-  ingressClassName: nginx
-  tls:
-    - hosts:
-        - richir.drive.test.sunet.se
-      secretName: tls-secret
-  ingressClassName: nginx
-  rules:
-  - host: richir.drive.test.sunet.se
-    http:
-      paths:
-      - path: /
-        pathType: Prefix
-        backend:
-          service:
-            name: customer-node
-            port:
-              number: 80
--- a/customers/overlays/richir/test/nextcloud-secret-ss.yaml
+++ b/customers/overlays/richir/test/nextcloud-secret-ss.yaml
@ -1,24 +0,0 @@
---
-apiVersion: bitnami.com/v1alpha1
-kind: SealedSecret
-metadata:
-  creationTimestamp: null
-  name: nextcloud-secrets
-  namespace: richir
-spec:
-  encryptedData:
-    GSS_JWT_KEY: AgDA5KAVQvJIsL9EhuV0WvJCAOCDejwRJ+b2vhCx0OOcbMMYSs3l2DxF0swnGnjenYyYfdnRTy/JYE8jBNh0pkpRewzOjyaW97onpZsCFbCVX8UEvDpfm6FI3XUdDgur1PBeORAnCIEZwCul+DU8Zw/L/7uOoZnlu8ywI3dbvooGUewZ+wnDdc90rghlf8/WJnTXieaGBvpdmiO6BQPD2o/DsYxgbE04SQFUAVrN/xJ+LkEvyGCxSZXwJ1D/AlEzX7bM3XY2KnifqT4zDwjPXZoGTh0KtbQ/i8CxzSgJI2e/jWAbJUDW8JITrPg7cwndkijQDblnyvH86/YmvHl8byLtKVzoYNK3B+67pEHFf4Y6xaVwS45iUW00IUbeauJoFvsYucx/2vdFXoD1apYqtbzBiig8SJvkMbZds7ywq9VOHu+Efu2nqNglj0CgQNZzxcvy7ng9zgxcdvKImQ+/5rrN8ljohXUWv2oeHysIcxhXBpp4ggFXeIZcpZwBEFi+KiHchcitmVbukleDh3+GT86vChbEyf5dNDz66PmGKa4WaBKjG5feoRB9WyW7gd+2bYQCg0ad3kK+p20wnm7f3o1QkZlhd04L6Cj6mjMrZolqkiqKHS6Ipkw44MmS8ra/ytXjF6VXzdfoVZ5Zu88ZBQ9/dTiihzbsDd+O4zM5EF8zHAyjqf3etglU86hQmhQDIxarUT4ToemixCS7dz3nFEMBXuiGA6WhkrplkT2ERvTq0MkAGbdmPB8U
-    MAIL_SMTPPASSWORD: AgAoMbUxHFUAGkLRNDVxxDuNY1vEzLU4iGbWXSctMSeCIqjudrWuum+5MCo9GWrf+TBCu8N2qj1Q4GwwOKSbrsOOE7CUdrM5QMi35cfyIsvh2CKsyVWckO2sWr6MqJr2rdhiMCJqz0jHj0iExQFxgKQda263ELj5Ud0E7nIGujYAGRvZOj6Sh/xHXFMsH2VlWuF0jrpNgc1Zm/L3LQrlxZAkTA8+eeDRiJo24pjIVqBc2PCo+ti1q1JM4iq/sta1IxQDHiv3d3+iafTeIgQr3lBpuLeaI+0nR7OG4RZj/OYu4LoqpidrM9vYg3WxZqM5ZmhRoPbK62jgycOeU3ubrZfT55hAOQ6n7L5PBHOPN6j0FlMKSiAeF+KgtvpHBso89s37kXAYG7UZ2OnaGU/8/fst6/8M9aEQm+bFAQNsNB+ZxU+GBjVNhIfAxP19dqkYPUCKnBxTlDsvnv22NB2BSKHjcEKE0kkBjsuwkG/tCeTfm1fAk4r4QqLm+Xx8ZOSzXFpJHvvTpjSVxFCdbfNICgaphbGn8/VH/YvFb1dInef9CbnOyeWgui45GTvlqU5pForKTGDzY0yyeAbtPvh472+Iu2YgR6EyhhazkJ6K2hURo3YzpebkydEVdDYi34xhjr5Zb0r3AOa2Pzpe8QivMGyFcjagYdDXPXjx6yoycKJ49ItRKKfxa+RyE0dywUPo35EFqLvEqs8jcMeTh9l3Oz4=
-    MYSQL_PASSWORD: AgAHuk9mgVfDq8ldAT5ZQnNO0wDl+eQ57EZWEVaFsU7oUcBqGqr3CLrMQR8300Dovrt+qq5U0MYEmKdrg5CDBb135nG4WE9fQZSIoAZJy80ViOXj81g9A4Y0OEWwRLbhvuKuYZ9eR8HffqkpQAZHuVBHXVjrvNkONy3K+00Vq6XlH9AZ+0p86jXGC4IMeth1RKuY6E7rEykGCWGcBUkYd9eF8MJyd/P/Ig8zuLZiGkvhPqcLs+TjI/kuX927DJCSmBFNeTw6Nz9h7D75X4hvU8IcNfAjFhZW8UJ8Y3+wLPeHvWxQa0Sqaej6g5vcTV5qZkNhkb8qBDJzgcE/UTMuZtBI2jAHWKh7Z2ws5jTiJR0QZLz6jKJyPMisXrZgGEdYXmi+Y6bdK9vZcxJBcdNLXBoYIa45Z+gFmv1acRaOcZjv7pg22dtGT20Piq67ykSlrGGkn8Gfu/Y7kOBN1rhLD/23zwaPweE3x/Ku8AQvWFB170IapvKTKBL5q6RT+bn3Jt3/vG+u+tc0e1KNG8HnLay8yuwhL3WUGRcrNodNTyKsdurJQJT6dv2UPrdnN1zqfYvaqJbEnITbmWfEDd0p6CgUlkHe3VAysg8XbIOcXoTOC1uN8T4arlXpsQXLXQolAPooUGUAx+PGZJPSPsVsgPfFQTxI5XvDwhWXJ1T/mE+DTjgLqnSCQDe1R3ID/u3c8bd5a5kWZ4c0IjN5KNRsYw==
-    NEXTCLOUD_ADMIN_PASSWORD: AgCDkQLjdAL9zLtCjDmhJgLUfa0lT6egt+UeFG6QOoDvQJdQ4h99/K+Z4RJmgqse32eb6//dTK06Tm5uwDdt4qeZRPjC2qh+kTAyILFZuC6SWawBIHH07KeewSmgLPmFyFqtVVV4UU9WTglzi9rNn554wmEnEpbJ+ytJr8l7cUJEFO/CaikpPlT3M1hEsSzGKv/l35ENGciGiTYbKF+1i6Zb+D4Fz4nVihC2Z9kVHAbo99uSnC3pWIOqCDkPbS3qLyTyCaHTggiAolnV4rguUb6+nIFShIEKPEpBSC73IdiFut8TIFZnS0wzPyjVyqdb7E+ni9qafde2BR2PjwutbdJ2CHg2duecP7bjQv9VnxjCmq7QIIVmdLD7f2nZny1V6vihSaPFEgArqsgSjLkeq2Ho3T3KtlYNSmH4bD9AbPTvsSccu9VcnKoSi90waKJlo/qXlpFLPtL0+u20e1FDbyX9zMSN7xYSqj5AYTAi0o1j8teHevqsbtgqJUureL3jAthPzj7zaHF4qEx+XqlxGnpMM4M3v2MSU3J49v5lqTtEFq88j9Q72mEASW7RX4VLT9buAeFI0+ARyFLCpQWQN3h4LExSEY+usZ930hcHANeq0Kx/q3tdO+MRjA/KfDNSAWit7IIkd7avHArPR/CEBusJQJC+tb6b15oCjW6nq0FbMQ5oo3pnL0ltDRckEHPJnlTPJ9m5YsCAWe04Lfv4Ejlt0z1scR32+xIbnMi8sSxlWZan+unLy6Lg
-    NEXTCLOUD_INSTANCEID: AgBhLjNdPn/x9fgXvk1zWbAwsrkmaqNqvka/E53/Ms4S51QosbTPspR+JA+NV3y2LgZlrIBYKJUkwZgrEcTNrwSCqeqrF6+/cBtiLn2oZLsq0uxkcBJDWDXb0DURMaZUOSBTjmeI2ezw3bucKaUlQHzoJyQoT0kNnCBYBbCTNhbXDQMZPp1uXDZrWgxQ8BBqZ+iF6Hz4JyZN12UYIgIlMqQmAuC54qfV2MRX69/fwkgLJX9lFAcUYGodRZm8xh/ePaw8EvUWvCFztXpIyg5UM1A5xQhfC8kR37AywcTuEhdX1i2frd6B68/g+SUeMYVb4WKcBkyqJr/hlMUK/cXA4w8gTTSAraiWZ1QK2tyRUI0vVeNcEMEn4hYZie0rHpj12jxBTriNH1X+5AWVlh0XasirbLy41HgCIZ+ZEDZsoVJPnrbhJoiKyu7XwhD5/rS24o3JSjjA7r2RCNQ++ZOfAGfZp/aVQi/8ZESSdzcvxghGMgQgzOaFc4mILhS/mD/hLjbabb5RqNy5xpKXr9vLXlO61pCWc1sTQnhYLucncwxDSMS0oWJ5Vt7vYsPS/1ZfEYddARj2ainN9KCbS9pcLLewslbi7+UfOKzAubygXnUpP0CZy8BNzmhZeUEU9waFHtDfqRaQiPqymevfjTN1XFe4z4mSh6USZi0vxzvanoWX8nwNaqSC7jCUeM8GvWF7kBWIsIYE64aUuU+uzYk=
-    NEXTCLOUD_PASSWORDSALT: AgAh8SvVF6Usk6TJN1UED37ou+bvWCcg98rr5ikpra7560oCjllsnfD0Yo1klbs1uutgU7MgszAjFjULBZBcH+nJZDvvuEH+/1ukdxGYp3zrWtDYjt8CoVqFAB7nG+z22lkydOK0kjSd8YX+4m3/46ICUhtP4czYUAxom7SUfQHsbVnIfESyByQA+tClmnNCVnpsqqxXe5Vx3mj1L/JivyTE9kMf6baQcwqjxmybKRnllsRX1rAtKXBeDtyDGsn00vyi9MdFsFfI9DNvpFxWQ/nDFyHVM2pt6o9b9LBuElhtmsL34Ao50Nph2W118jKadN3amtr+DH1oq4cJ0RHLx8JxTK3mqix9N2pjB7dvZcF9EDODOKlBCxBKc8kt7uSUyJyiv4FcgoC6Yit3P3ssHnGRKrgHKou8DpsPiVb8MyLdCDpub2XMR5E4IfGExTOJIj3vIG6f3lheB7OEMFlHj9eM9ya+w99tFNc9lpZOI/x9/Hd0Zz3WXWj8ufqQsB9KIOanoT0MZGi5EzCWoUwEmXQxXoZcFfJfqG/eqB/HF04ReMsgXz/lnWe+rOa0uKOqqSGXmaIkWVZ2chCMbt/9pAxmGsHS8h7sCJWhK8WMb98KeDUfDbkbZa6PTWh0ieHOUvKBf1kfgiqzcQwEb3YtOXqu4FkBfi6p8mTjIuXBztBPVLQtYb3AITxU31DBaQngTng87pvv+k8QdvhFOKAZLd5KinJY/HtomrpniMyv8ZI=
-    NEXTCLOUD_SECRET: AgBSIShwkCY6urySeLmx73kiJaeiIg+qtNFRk3aEQ+AvCq4P6CG5UufK17mQQ5mPMf1sfG9BuvA097NFe3vNN1bBdIcleavPTk/2GxsfdcLUQHZ+9bgHHSJJ/35rGV9a+ljj/PY0nIeD2zc5cyVFtAV/rtl8e/7oxTKq2Lj3nJ4Ir37rbgFRGKXMXh9fOMxyKF9c9+BT3DqafbVoGOsMuWFqx6yuaKebWl5VXtAtNj38VtS6pdmiLD/ZHyLiyDUIc3/MTdDLeZYJ2wu2HfnK/GE7sL0luudEqyR4g6/YRjq4DChf18SSRkN9lCffkT6e8cokrzGyJnj4quJ0cSfr8074ky3DMi1MyaXXYVM+ZUUE5X2nV0WQEk16agrbOAZ0BDbCENDLS8KS7gkv+8HMAhBJZbp42UBJqExO4yXz9R4eB1iTVXL3NvjxX9XA4nJ6H4aJNqB3OGUwPz7jr6tQodjWUqRDEa1jFmHN2S1Mx7+GuHABJkDkhWnVTghqqv8guvAoXC6DT9VQG3wvCQOGgUW/QurDckGBMOHHLxdj1Ujo5YxDrgWonczI/sj3RML2KnELfS/Zeqta5vYlXyIgxIqW8xv6V8X+tYw5jXxmEhdwSl90x8tAPnZiSqvCR0p7M6/7eAwbThCphVL/YU6K727hItlm/mQsZIlDBQc9YDPEX0WnLVHJFGR5/W6bgCsPO3yNNZHoP1v/+oy79ifi6ZPcXKTSLAJsOnJnneLtgzNU3+z/PtTiB6JNpG5HXRXZXyw=
-    OBJECTSTORE_S3_KEY: AgCbJwjGQBU5nkCTt/ISgezGrBqyp5Puz3djObtKiOw/lFDFYBF3yOwIublmqhoWFL+417aNPN7KFIcT9jHlhK4NCEoT/q8owJp0KW5xdUQSFD/H0OzQusKaWKVcTJARtp6oiqdZQRDc9p7RILtBFz6vSVdCrfrxLHUUdAJuMUeFMbjxARi9mnJyfm1VuaLccDacb5YWLvkq2RBIPHHLMdcA1CesguyH+VoMOymo5FFkzFTva2vpj4wjVPvi0MggDGsxbhJR/32tq6YBZg2pLwIu8MDWICbTM5ywh8xZi/JBQOeZ3xR36KGIdlqV0KVp7ktK6cPD7oPY2LoT4LAnXB3SsT/6IiIQP/Ntvx8ig6DOaK8fAV60nnWtQVgKrxu+hBQ+5tOeh/z3bNIHUvO01UY6vX0ZxS3hQIxMfHXT6ENDI3ibmg8AtKYgzG3+Z99H3/8oFseEEzsJESClSk7ELqEjc+n4vsOi5c5W/hS8IUsW27LO13ACdZRQ203xMxfR26O4kUsGV0d4MP7p5LAKnN/4Yc2KGU63+bkPfvBbRp8sjlKaDmmJGBTl3krquSwpHM+LdesnKQDpezkI/nMpXGeSRSW8BdYxA/pd0/dOxKhsLUJCc1l0p/3JYZO32ooKNLEskgto3xSNd58UHc3IQv7E6lEfXdx5iW6CBAjilAmpC41G0Y3KySnBb7RMIeA1F02iSHcZGe7Wbnoxpy+m3AwbzBC6HOPxkkb7DyI+YFy8Xw==
-    OBJECTSTORE_S3_SECRET: AgC0jWkYX+4WGDxP9h/g5JWce4PANTN4wgCFzkSG1lqyYMAtWkT2Z71uQJwCHl5vgWA4VEw89GBsynBdlkJawL7/r48jEJHjDK51xxJ6/3IG4bSvWaeE+zf6V8rov8tqLmbgjrEtuWrTWGykOUIob8Z3p16oNwSzUdXsuMm0ujOd1WwolN0jP5bc5SwjTfNJcWPvJZTr/9VKbx9cfFKuQa8Oh256odxa5v2lxryWU5YPEO49sJxVWXvvnrw4LDMlBCzZiWt1QL/XCtxJFQ9n4UeC0vZC9r28UR+qb24qX04CDmkvyZ55ho737VIvG4PpPrFmNHnDlIRH2i2gyTjBfEIgLmXzYmhzXDfxYg7I22blS5EjfEmeeIT4E6gUIznMSLVM2uyJjo8Njw2qm570rODZUXFPyp9u8NOzMnuIRrrLP/WAlY21cSGfV6Zd1vJkFhFlPyt1R1DNfDZXn59odd0mn8enB4nt7zoYKFbY1LIp2uJG7x0WvHUBhcd/vXe96C1SOqOfLY84HIy0vTV8ni9kfgeHPaI+xf8FJ+ceUTxFnyLiJU3IHvDbB9XxTmsFRmuwJS0cOM3NzBvZx5yCtocL8eUsPRsWUKdLOE4xrKW+aSpgcXUBF63vkp5pqh5BAzH+hK0DRKoJr489AkaRpmJBqRuPbyWtvElOXvVNlxsjl80S2r98wGI27/78Aa52rKyUUQ9QMnPRKJbN8zoawzlkT5hc105sq3bdPsnDD8c8Ag==
-  template:
-    metadata:
-      creationTimestamp: null
-      name: nextcloud-secrets
-      namespace: richir
-    type: Opaque
--- a/customers/overlays/vinnova/test/env-configmap.yml
+++ b/customers/overlays/vinnova/test/env-configmap.yml
@ -1,10 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: nextcloud-env
-data:
-  MYSQL_DATABASE: 'nextcloud_vinnova'
-  MYSQL_USER: 'nextcloud_vinnova'
-  NEXTCLOUD_TRUSTED_DOMAINS: 'vinnova.drive.test.sunet.se'
-  OBJECTSTORE_S3_BUCKET: 'primary-vinnova-test.sunet.se'
-  SITE_NAME: 'vinnova.drive.test.sunet.se'
--- a/customers/overlays/vinnova/test/kustomization.yaml
+++ b/customers/overlays/vinnova/test/kustomization.yaml
@ -1,8 +1,7 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
+apiVersion: 'kustomize.config.k8s.io/v1beta1'
 kind: Kustomization
-resources:
-  - ../../../base
-patches:
-  - path: env-configmap.yml
-  - path: nextcloud-deployment.yml
-  - path: nextcloud-ingress.yml
+bases:
+- ../../../base
+patchesStrategicMerge:
+  - nextcloud-deployment.yml
+  - nextcloud-ingress.yml
--- a/customers/overlays/vinnova/test/nextcloud-deployment.yml
+++ b/customers/overlays/vinnova/test/nextcloud-deployment.yml
@ -5,4 +5,30 @@ metadata:
  labels:
    app: customer-node
 spec:
-  replicas: 2
+  template:
+    metadata:
+      labels:
+        app: customer-node
+    spec:
+      initContainers:
+        - image: docker.sunet.se/sunet/docker-jinja:latest
+          name: init-config
+          env:
+            - name: MYSQL_DATABASE
+              value: "nextcloud_vinnova"
+            - name: MYSQL_USER
+              value: "nextcloud_vinnova"
+            - name: GSS_MASTER_URL
+              value: "https://drive.test.sunet.se"
+            - name: LOOKUP_SERVER
+              value: "https://lookup.drive.test.sunet.se"
+            - name: MAIL_DOMAIN
+              value: "drive.test.sunet.se"
+            - name: MAIL_SMTPNAME
+              value: "noreply@drive.test.sunet.se"
+            - name: NEXTCLOUD_TRUSTED_DOMAINS
+              value: "vinnova.drive.test.sunet.se"
+            - name: OBJECTSTORE_S3_BUCKET
+              value: "primary-vinnova-test.sunet.se"
+            - name: SITE_NAME
+              value: "vinnova.drive.test.sunet.se"
--- a/customers/overlays/vinnova/test/nextcloud-ingress.yml
+++ b/customers/overlays/vinnova/test/nextcloud-ingress.yml
@ -10,16 +10,16 @@ spec:
  ingressClassName: nginx
  tls:
    - hosts:
-        - vinnova.drive.test.sunet.se
+        - vinnova.drive.test.sunet.se 
      secretName: tls-secret
-  ingressClassName: nginx
+  ingressClassName: nginx 
  rules:
  - host: vinnova.drive.test.sunet.se
    http:
      paths:
      - path: /
        pathType: Prefix
-        backend:
+        backend: 
          service:
            name: customer-node
            port:
--- a/jupyter/overlays/test/sunet/values/values.yaml
+++ b/jupyter/overlays/test/sunet/values/values.yaml
@ -19,12 +19,10 @@ hub:
      from oauthenticator.generic import GenericOAuthenticator
      token_url = 'https://' + os.environ['NEXTCLOUD_HOST'] + '/index.php/apps/oauth2/api/v1/token'
      debug = os.environ.get('NEXTCLOUD_DEBUG_OAUTH', 'false').lower() in ['true', '1', 'yes']
-      os.environ['OAUTH2_TOKEN_URL'] = token_url 
-      os.environ['OAUTH2_AUTHORIZE_URL'] = 'https://' + os.environ['NEXTCLOUD_HOST'] + '/index.php/apps/oauth2/authorize'

      def get_nextcloud_access_token(refresh_token):
-        client_id = os.environ['OAUTH2_CLIENT_ID']
-        client_secret = os.environ['OAUTH2_CLIENT_SECRET']
+        client_id = os.environ['NEXTCLOUD_CLIENT_ID']
+        client_secret = os.environ['NEXTCLOUD_CLIENT_SECRET']

        code = refresh_token
        data = {
@ -99,12 +97,12 @@ hub:
          return True

      c.JupyterHub.authenticator_class = NextcloudOAuthenticator
-      c.NextcloudOAuthenticator.client_id = os.environ['OAUTH2_CLIENT_ID']
-      c.NextcloudOAuthenticator.client_secret = os.environ['OAUTH2_CLIENT_SECRET']
+      c.NextcloudOAuthenticator.client_id = os.environ['NEXTCLOUD_CLIENT_ID']
+      c.NextcloudOAuthenticator.client_secret = os.environ['NEXTCLOUD_CLIENT_SECRET']
      c.NextcloudOAuthenticator.login_service = 'Sunet Drive'
-      c.NextcloudOAuthenticator.username_claim = 'kano@sunet.se' # lambda r: r.get('ocs', {}).get('data', {}).get('id')
+      c.NextcloudOAuthenticator.username_claim = lambda r: r.get('ocs', {}).get('data', {}).get('id')
      c.NextcloudOAuthenticator.userdata_url = 'https://' + os.environ['NEXTCLOUD_HOST'] + '/ocs/v2.php/cloud/user?format=json'
-      c.NextcloudOAuthenticator.authorize_url = os.environ['OAUTH2_AUTHORIZE_URL']
+      c.NextcloudOAuthenticator.authorize_url = 'https://' + os.environ['NEXTCLOUD_HOST'] + '/index.php/apps/oauth2/authorize'
      c.NextcloudOAuthenticator.token_url = token_url
      c.NextcloudOAuthenticator.oauth_callback_url = 'https://' + os.environ['JUPYTER_HOST'] + '/hub/oauth_callback'
      c.NextcloudOAuthenticator.allow_all = True
@ -278,7 +276,7 @@ hub:
        targetPort: 8082
        name: refresh-token
  extraEnv:
-    NEXTCLOUD_DEBUG_OAUTH: "yes"
+    NEXTCLOUD_DEBUG_OAUTH: "no"
    NEXTCLOUD_HOST: sunet.drive.test.sunet.se
    JUPYTER_HOST: sunet-jupyter.drive.test.sunet.se
    JUPYTERHUB_API_KEY:
@ -291,12 +289,12 @@ hub:
        secretKeyRef:
          name: jupyterhub-secrets
          key: crypt-key
-    OAUTH2_CLIENT_ID:
+    NEXTCLOUD_CLIENT_ID:
      valueFrom:
        secretKeyRef:
          name: nextcloud-oauth-secrets
          key: client-id
-    OAUTH2_CLIENT_SECRET:
+    NEXTCLOUD_CLIENT_SECRET:
      valueFrom:
        secretKeyRef:
          name: nextcloud-oauth-secrets
@ -317,7 +315,7 @@ proxy:
 singleuser:
  image:
    name: docker.sunet.se/drive/jupyter-custom
-    tag: lab-4.0.10-sunet4
+    tag: lab-4.0.10-sunet5
  storage:
    dynamic:
      storageClass: csi-sc-cinderplugin
--- a/proxysql/base/proxysql-deployment.yml
+++ b/proxysql/base/proxysql-deployment.yml
@ -41,9 +41,8 @@ spec:
    spec:
      restartPolicy: Always
      containers:
-        - image: docker.sunet.se/drive/proxysql:bookworm-slim-1
+        - image: docker.sunet.se/drive/proxysql:latest
          name: proxysql
-          args: ["--reload"]
          volumeMounts:
            - name: proxysql-data
              mountPath: /var/lib/proxysql
--- a/sealedsecrets/sealedsecrets.yaml
+++ b/sealedsecrets/sealedsecrets.yaml
@ -1,26 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: sealed-secrets
-  namespace: argocd
-spec:
-  project: default
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: sealed-secrets
-  sources:
-    - repoURL: https://bitnami-labs.github.io/sealed-secrets
-      chart: sealed-secrets
-      targetRevision: 2.17.1
-      helm:
-        valueFiles:
-          - $values/charts/sealed-secrets/values.yaml
-    - repoURL: https://platform.sunet.se/Drive/k8s-manifests
-      targetRevision: main
-      ref: values
-  syncPolicy:
-    syncOptions:
-      - CreateNamespace=true
-    automated:
-      prune: true
-      selfHeal: true