From 0464092af10efa5643295738e738e0d8eab375cd Mon Sep 17 00:00:00 2001 From: Aner Zakobar Date: Thu, 28 Sep 2023 23:12:07 +0300 Subject: [PATCH] Did things --- README.org | 11 ++ files/authelia-config.yaml | 16 ++- templates/auth.yaml | 219 +++++++++++++++++++++++++++++++++++- templates/phpldapadmin.yaml | 2 + 4 files changed, 239 insertions(+), 9 deletions(-) diff --git a/README.org b/README.org index 668ae68..a7ee24a 100644 --- a/README.org +++ b/README.org @@ -72,6 +72,11 @@ First Name Attribute: cn Surname Attribute: sn Email Attribute: mail +* AUTHELIA + +https://github.com/authelia/authelia/blob/57d5fbd3f5c82e83296023dc1de6e4f5ff063c00/examples/compose/lite/authelia/configuration.yml +This fucking sucks +https://gist.github.com/james-d-elliott/5152d27c0781aee856a3383f1284998e * EVERYTHING https://www.talkingquickly.co.uk/gitea-sso-with-keycloak-openldap-openid-connect @@ -79,3 +84,9 @@ https://www.talkingquickly.co.uk/gitea-sso-with-keycloak-openldap-openid-connect * DRONE AND GITEA ? https://dev.to/ruanbekker/self-hosted-cicd-with-gitea-and-drone-ci-200l + +* DAV + +https://gitlab.com/davical-project/davical/-/blob/master/config/example-config.php + +Line 800 ish for auth from reverse proxy diff --git a/files/authelia-config.yaml b/files/authelia-config.yaml index 8fd84f8..5774871 100644 --- a/files/authelia-config.yaml +++ b/files/authelia-config.yaml 
@@ -42,19 +42,23 @@ access_control: rules: - domain: - "auth.zakobar.com" - policy: bypass + policy: "bypass" + - domain: + - "dav.{{ .Values.homey.url }}" + policy: "one_factor" - domain: - "ldapadmin.{{ .Values.homey.url }}" subject: - 'group:admins' policy: "two_factor" - domain: - - "ldapadmin.{{ .Values.homey.url }}" - - "longhorn.{{ .Values.homey.url }}" + - "*.admin.{{ .Values.homey.url }}" + subject: + - 'group:admins' + policy: "two_factor" + - domain: + - "*.admin.{{ .Values.homey.url }}" policy: "deny" - # - domain: - # - "git.{{ .Values.homey.url }}" - # policy: "one_factor" notifier: filesystem: filename: "/var/lib/authelia/emails.txt" diff --git a/templates/auth.yaml b/templates/auth.yaml index e07ca6c..cbea66d 100644 --- a/templates/auth.yaml +++ b/templates/auth.yaml @@ -50,7 +50,6 @@ spec: containers: - name: openldap image: osixia/openldap - imagePullPolicy: "Always" env: - name: LDAP_ORGANISATION value: {{ .Values.homey.organization }} @@ -233,7 +232,6 @@ spec: --- {{- $_ := set $ "homey_gitea_oauth2_jwt_secret" (include "homey.lookuporgensecret" (merge (dict "secretname" "gitea-oauth2-jwt-secret") $))}} {{ include "homey.randomsecret" (merge (dict "secretname" "gitea-oauth2-jwt-secret" "secretval" .homey_gitea_oauth2_jwt_secret) $) }} - --- apiVersion: v1 kind: Secret 
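Review bot: The bypass rule for the portal still hard-codes `auth.zakobar.com` while every other domain in this hunk, including the new `dav.` and `*.admin.` entries, is built from `{{ .Values.homey.url }}`; a release installed with a different url would lose the portal bypass while the templated admin rules still apply. Changing it to `- "auth.{{ .Values.homey.url }}"` keeps the rule list consistent with the rest of the chart. The order of the two `*.admin.` rules is right for Authelia's first-match evaluation (admin subjects get `two_factor`, everyone else hits `deny`), so the final deny cannot shadow the admin rule. `longhorn.{{ .Values.homey.url }}` is removed from the admin-only rule; if that host is not actually served under `*.admin.` it now falls through to whatever `default_policy` sets outside this hunk, which is worth confirming.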
@@ -293,7 +291,7 @@ spec: # lifecycle: # postStart: # exec: - # {{- $gitea_cmd := (printf "gitea admin auth add-ldap --name ldap --security-protocol unencrypted --host ldap --port 389 --user-search-base ou=users,%s --user-filter \\\"(&(objectClass=inetOrgPerson)(|(uid=%[1]s)(mail=%[1]s)))\\\" --email-attribute mail --bind-dn=\\\"cn=readonly,%s\\\" --bind-password=\\\"%s\\\"" ( .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim) ( .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim) (.homey_openldap_ro | replace "\"" ""))}} + # {{- $gitea_cmd := (printf "gitea admin auth add-ldap --name ldap --security-protocol unencrypted --host ldap --port 389 --user-search-base ou=users,%s --user-filter \\\"(&(objectClass=inetOrgPerson)(|(uid=%[1]s)(mail=kk[1]s)))\\\" --email-attribute mail --bind-dn=\\\"cn=readonly,%s\\\" --bind-password=\\\"%s\\\"" ( .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim) ( .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim) (.homey_openldap_ro | replace "\"" ""))}} # command: ["/bin/sh", "-c", "{{$gitea_cmd}}"] volumes: - name: gitea-persistent-storage 
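Review bot: The only change in this hunk turns `%[1]s` into `kk[1]s` in the `(mail=…)` clause of the commented-out `$gitea_cmd` user filter, which reads as an accidental keystroke rather than an intended edit; if the lifecycle hook is ever uncommented the LDAP filter would literally contain `mail=kk[1]s` and never match on e-mail. The remaining `%s` verbs still consume the three printf arguments in the same order, so rendering does not fail, which is why nothing flagged it. Helm evaluates `{{- $gitea_cmd := … }}` even though the line is a YAML comment, so the printf runs on every render regardless. Restoring `(mail=%[1]s)` is the fix. The container spec this line belongs to starts and ends outside the hunk.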
@@ -343,3 +341,218 @@ spec: port: number: 3000 --- + +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: davical-postgres-pvc +spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 1Gi + storageClassName: longhorn + +--- +{{- $_ := set $ "homey_davical_postgres_pass" (include "homey.lookuporgensecret" (merge (dict "secretname" "davical-postgres-pass") $))}} +{{ include "homey.randomsecret" (merge (dict "secretname" "davical-postgres-pass" "secretval" .homey_davical_postgres_pass) $) }} +--- +# apiVersion: extensions/v1beta1 +apiVersion: v1 +kind: ConfigMap +metadata: + name: davical-postgres-config + labels: + app: davical-postgres +data: + POSTGRES_DB: postgres + POSTGRES_USER: postgres +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: davical-postgres + labels: + app: davical-postgres +spec: + replicas: 1 + selector: + matchLabels: + app: davical-postgres + template: + metadata: + labels: + app: davical-postgres + name: davical-postgres + spec: + containers: + - name: davical-postgres + image: postgres:10.4 + imagePullPolicy: "IfNotPresent" + ports: + - containerPort: 5432 + envFrom: + - configMapRef: + name: davical-postgres-config + env: + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: davical-postgres-pass + key: password + volumeMounts: + - mountPath: /var/lib/postgresql/data + subPath: data + name: davical-postgredb + volumes: + - name: davical-postgredb + persistentVolumeClaim: + claimName: davical-postgres-pvc +--- +apiVersion: v1 +kind: Service +metadata: + name: davical-postgres + labels: + app: davical-postgres +spec: + ports: + - port: 5432 + selector: + app: davical-postgres +--- +{{- $_ := set $ "homey_davical_admin_pass" (include "homey.lookuporgensecret" (merge (dict "secretname" "davical-admin-pass") $))}} +{{ include "homey.randomsecret" (merge (dict "secretname" "davical-admin-pass" "secretval" .homey_davical_admin_pass) $) }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: 
davical-conf +data: + config.php: |- +{{ tpl (.Files.Get "files/davical-config.php" | indent 4) . }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: davical + labels: + app: davical +spec: + replicas: 1 + selector: + matchLabels: + app: davical + template: + metadata: + labels: + app: davical + spec: + containers: + - name: davical + image: anerisgreat/davical-multiarch-docker:latest + imagePullPolicy: "Always" + ports: + - containerPort: 80 + name: dav + env: + - name: PGHOST + value: "davical-postgres" + - name: PGUSER + value: "postgres" + - name: PGPASSWORD + valueFrom: + secretKeyRef: + name: davical-postgres-pass + key: password + - name: PGDATABASE + value: "davical" + - name: PGPORT + value: "5432" + - name: HOST_NAME + value: + "dav.{{ .Values.homey.url }}" + - name: DAVICAL_ADMIN_PASS + valueFrom: + secretKeyRef: + name: davical-admin-pass + key: password + - name: ROOT_PGUSER + value: "postgres" + - name: ROOT_PGPASSWORD + valueFrom: + secretKeyRef: + name: davical-postgres-pass + key: password + - name: RUN_MIGRATIONS_AT_STARTUP + value: "true" + volumeMounts: + - name: davical-conf + mountPath: /etc/davical/config.php + subPath: config.php + readOnly: true + volumes: + - name: davical-conf + configMap: + name: davical-conf + items: + - key: config.php + path: config.php +--- +apiVersion: v1 +kind: Service +metadata: + name: davical +spec: + selector: + app: davical + ports: + - name: dav + protocol: TCP + port: 80 + targetPort: 80 + selector: + app: davical +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: davical + annotations: + kubernetes.io/ingress.allow-http: "false" + nginx.ingress.kubernetes.io/force-ssl-redirect: "true" + nginx.ingress.kubernetes.io/auth-method: GET + nginx.ingress.kubernetes.io/auth-url: http://authelia.{{ .Release.Namespace }}.svc.cluster.local:9091/api/verify + nginx.ingress.kubernetes.io/auth-signin: https://auth.{{ .Values.homey.url }}?rm=$request_method + 
nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email + nginx.ingress.kubernetes.io/auth-snippet: | + proxy_set_header X-Forwarded-Method $request_method; + auth_request_set $user $upstream_http_remote_user; + auth_request_set $groups $upstream_http_remote_groups; + auth_request_set $name $upstream_http_remote_name; + auth_request_set $email $upstream_http_remote_email; + proxy_set_header Remote-User $user; + proxy_set_header Remote-Fullname $name; + proxy_set_header Remote-Email $email; + proxy_set_header Redirect-Remote-User $user; + proxy_set_header Redirect-Remote-Fullname $name; + proxy_set_header Redirect-Remote-Email $email; +spec: + ingressClassName: {{ .Values.homey.ingress_class }} + tls: + - hosts: + - dav.{{ .Values.homey.url }} + secretName: {{ .Values.homey.certname }} + rules: + - host: dav.{{ .Values.homey.url }} + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: davical + port: + number: 80 +--- diff --git a/templates/phpldapadmin.yaml b/templates/phpldapadmin.yaml index 95e40fc..108983f 100644 --- a/templates/phpldapadmin.yaml +++ b/templates/phpldapadmin.yaml @@ -26,6 +26,7 @@ spec: name: phpldapadmin ports: - containerPort: 80 + name: http restartPolicy: Always --- apiVersion: v1 @@ -36,6 +37,7 @@ spec: ports: - port: 80 targetPort: 80 + name: http selector: app: phpldapadmin ---
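Review bot: The `davical` Service declares `selector:` twice (once before `ports`, once after, both `app: davical`); duplicate mapping keys are invalid YAML and parsers either reject the document or silently keep the last one, so the trailing `selector:` / `app: davical` pair should be dropped. If DAViCal is configured to authenticate from the `Remote-User` / `Remote-Email` headers the auth-snippet injects, as the README note about reverse-proxy auth suggests, then the Service on port 80 lets any in-cluster client reach the pod with a self-chosen `Remote-User` header, and a NetworkPolicy admitting only the ingress controller's pods to `app: davical` would close that path; `nginx.ingress.kubernetes.io/auth-snippet` also only takes effect when snippet annotations are enabled on the controller. The same `davical-postgres-pass` secret feeds both `PGPASSWORD` and `ROOT_PGPASSWORD`, so the application runs as the `postgres` superuser rather than a role scoped to `PGDATABASE: davical`. Both images are unpinned or stale (`anerisgreat/davical-multiarch-docker:latest` with `imagePullPolicy: "Always"`, and `postgres:10.4` is a long end-of-life release), so pinning a digest or at least a maintained major would make the rollout reproducible.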