From 138d6d8a6b08ed2c787d8cde39bc8b9b94184995 Mon Sep 17 00:00:00 2001 From: Aner Zakobar Date: Wed, 26 Mar 2025 12:27:47 +0200 Subject: [PATCH] Current snapshot of state with unused garbage. --- README.org | 13 ++ files/authelia-config.yaml | 23 ++++ files/baikal-server.php | 30 +++++ files/radicale-configmap.ini | 11 ++ files/sabre-server.php | 30 +++++ files/sogo.conf | 122 +++++++++++++------ gitea-commands.txt | 10 ++ templates/media.yaml | 204 +++++++++++++++++++++++++++++++ unused/auth-templates.yaml | 24 ++++ unused/baikal.yaml | 117 ++++++++++++++++++ unused/dav.yaml | 71 +++++++++++ unused/davical.yaml | 213 ++++++++++++++++++++++++++++++++ unused/gitea.yaml | 131 ++++++++++++++++++++ unused/jellyfin.yaml | 92 ++++++++++++++ unused/ldap-auth.yaml | 70 +++++++++++ unused/nextcloud.yaml | 206 +++++++++++++++++++++++++++++++ unused/paperless.yaml | 230 +++++++++++++++++++++++++++++++++++ unused/radicale.yaml | 122 +++++++++++++++++++ unused/sabre.yaml | 118 ++++++++++++++++++ unused/sogo.yaml | 162 ++++++++++++++++++++++++ 20 files changed, 1965 insertions(+), 34 deletions(-) create mode 100644 files/baikal-server.php create mode 100644 files/radicale-configmap.ini create mode 100644 files/sabre-server.php create mode 100644 gitea-commands.txt create mode 100644 templates/media.yaml create mode 100644 unused/auth-templates.yaml create mode 100644 unused/baikal.yaml create mode 100644 unused/dav.yaml create mode 100644 unused/davical.yaml create mode 100644 unused/gitea.yaml create mode 100644 unused/jellyfin.yaml create mode 100644 unused/ldap-auth.yaml create mode 100644 unused/nextcloud.yaml create mode 100644 unused/paperless.yaml create mode 100644 unused/radicale.yaml create mode 100644 unused/sabre.yaml create mode 100644 unused/sogo.yaml diff --git a/README.org b/README.org index d4b21b9..cf93173 100644 --- a/README.org +++ b/README.org 
@@ -96,7 +96,20 @@ Line 800 ish for auth from reverse proxy I ran THIS command inside su www-data -s /bin/bash -c php occ ldap:promote-group "admins" +** When maintenence mode + +#+begin_example +kubectl exec --tty --stdin -n homey deploy/nextcloud -- su -l www-data -s /bin/bash +php /var/www/html/occ maintenance:mode --off +#+end_src + * I UNDERSTAND I need to backup Chen's stuff And... I need to Jellyfin + +* PAPERLESS + +https://github.com/paperless-ngx/paperless-ngx/blob/74c44fe418a91a526b5dab1a91fde4aaebd28bb1/docker/compose/docker-compose.postgres.yml + +For docker diff --git a/files/authelia-config.yaml b/files/authelia-config.yaml index 5774871..ba3ee3e 100644 --- a/files/authelia-config.yaml +++ b/files/authelia-config.yaml @@ -59,6 +59,29 @@ access_control: - domain: - "*.admin.{{ .Values.homey.url }}" policy: "deny" + - domain: + - "torrent.{{ .Values.homey.url }}" + subject: + - 'group:admins' + policy: "two_factor" + - domain: + - "torrent.{{ .Values.homey.url }}" + policy: "deny" + - domain: + - "stash-dl.{{ .Values.homey.url }}" + policy: "one_factor" + - domain: + - "stash.{{ .Values.homey.url }}" + policy: "one_factor" + - domain: + - "paperless.{{ .Values.homey.url }}" + policy: "one_factor" notifier: filesystem: filename: "/var/lib/authelia/emails.txt" +ntp: + address: 'udp://time.cloudflare.com:123' + version: 3 + max_desync: '3s' + disable_startup_check: false + disable_failure: true diff --git a/files/baikal-server.php b/files/baikal-server.php new file mode 100644 index 0000000..bc2fa1c --- /dev/null +++ b/files/baikal-server.php 
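Review bot: The new `stash`, `stash-dl` and `paperless` rules grant `one_factor` to any authenticated subject, whereas the `torrent` pair in the same hunk restricts to `subject: - 'group:admins'` with `policy: "two_factor"` and then denies everyone else; if paperless holds personal documents, the same admin-gated pattern followed by a deny rule would be consistent with the rest of this change. Authelia applies the first matching rule, so the ordering that places the admin `two_factor` rule above the `deny` rule for `torrent` is what makes it work and must be preserved. In the new `ntp` block, `disable_failure: true` lets Authelia start even when the check against `time.cloudflare.com` fails; because TOTP validation depends on clock accuracy, a comment such as `# clock-check failures are tolerated at startup; TOTP will reject codes if the node clock drifts` would record the trade-off.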
@@ -0,0 +1,30 @@ +setBaseUri('server.php'); + +// The lock manager is reponsible for making sure users don't overwrite +// each others changes. +$lockBackend = new DAV\Locks\Backend\File('data/locks'); +$lockPlugin = new DAV\Locks\Plugin($lockBackend); +$server->addPlugin($lockPlugin); + +// This ensures that we get a pretty index in the browser, but it is +// optional. +$server->addPlugin(new DAV\Browser\Plugin()); + +// All we need to do now, is to fire up the server +$server->exec(); diff --git a/files/radicale-configmap.ini b/files/radicale-configmap.ini new file mode 100644 index 0000000..493827c --- /dev/null +++ b/files/radicale-configmap.ini @@ -0,0 +1,11 @@ +[server] +hosts = 0.0.0.0:5232 + +[auth] +type = http_x_remote_user + +[storage] +filesystem_folder = /data/collections + +[web] +type = none diff --git a/files/sabre-server.php b/files/sabre-server.php new file mode 100644 index 0000000..bc2fa1c --- /dev/null +++ b/files/sabre-server.php @@ -0,0 +1,30 @@ +setBaseUri('server.php'); + +// The lock manager is reponsible for making sure users don't overwrite +// each others changes. +$lockBackend = new DAV\Locks\Backend\File('data/locks'); +$lockPlugin = new DAV\Locks\Plugin($lockBackend); +$server->addPlugin($lockPlugin); + +// This ensures that we get a pretty index in the browser, but it is +// optional. +$server->addPlugin(new DAV\Browser\Plugin()); + +// All we need to do now, is to fire up the server +$server->exec(); diff --git a/files/sogo.conf b/files/sogo.conf index a4f810b..cab53bc 100644 --- a/files/sogo.conf +++ b/files/sogo.conf 
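Review bot: `files/baikal-server.php` and `files/sabre-server.php` are added with identical content (both headers point at blob `bc2fa1c`), so one copy is redundant and only the one that is actually mounted should be kept. As rendered here the first lines of the hunk (the PHP open tag and the construction of `$server`) are missing, so the authentication and ACL setup cannot be checked from this view; the visible part registers `DAV\Browser\Plugin`, which serves an HTML directory listing, and a lock backend at the relative path `data/locks`. Because `setBaseUri('server.php')` and `'data/locks'` are relative, they depend on the web server's document root and working directory, and a comment such as `// run from the DAV document root; data/locks must be writable by the PHP user` would help whoever wires this file in. The same note applies to the `files/sabre-server.php` hunk.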
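Review bot: `type = http_x_remote_user` makes Radicale accept whatever `X-Remote-User` header arrives, and `hosts = 0.0.0.0:5232` binds every interface, so the configuration is safe only if port 5232 is reachable exclusively through the proxy that sets that header after authenticating. The Deployment and Ingress that would enforce this are not in this view, so it is inferred that the Authelia `auth-snippet` pattern used elsewhere in this patch supplies the header; a NetworkPolicy limiting ingress to the ingress-controller namespace would make that assumption enforceable rather than implicit. A comment in the ConfigMap, `# trusts X-Remote-User: expose 5232 only behind the authenticating proxy`, would keep the requirement visible to the next person editing it.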
@@ -1,40 +1,94 @@ { - SOGoProfileURL = - "postgresql://sogo:sogo@127.0.0.1:5432/sogo/sogo_user_profile"; - OCSFolderInfoURL = - "postgresql://sogo:sogo@127.0.0.1:5432/sogo/sogo_folder_info"; - OCSSessionsFolderURL = - "postgresql://sogo:sogo@127.0.0.1:5432/sogo/sogo_sessions_folder"; - SOGoAppointmentSendEMailNotifications = YES; - SOGoCalendarDefaultRoles = ( - PublicViewer, - ConfidentialDAndTViewer - ); - SOGoLanguage = English; - SOGoTimeZone = America/Montreal; - SOGoMailDomain = acme.com; - SOGoIMAPServer = 127.0.0.1; + /* ********************* Main SOGo configuration file ********************** + * * + * Since the content of this file is a dictionary in OpenStep plist format, * + * the curly braces enclosing the body of the configuration are mandatory. * + * See the Installation Guide for details on the format. * + * * + * C and C++ style comments are supported. * + * * + * This example configuration contains only a subset of all available * + * configuration parameters. Please see the installation guide more details. * + * * + * ~sogo/GNUstep/Defaults/.GNUstepDefaults has precedence over this file, * + * make sure to move it away to avoid unwanted parameter overrides. 
* + * * + * **************************************************************************/ + + /* Database configuration (mysql:// or postgresql://) */ + SOGoProfileURL = "postgresql://sogo:sogo@sogo-postgres:5432/sogo/sogo_user_profile"; + OCSFolderInfoURL = "postgresql://sogo:sogo@sogo-postgres:5432/sogo/sogo_folder_info"; + OCSSessionsFolderURL = "postgresql://sogo:sogo@sogo-postgres:5432/sogo/sogo_sessions_folder"; + + /* Mail */ SOGoDraftsFolderName = Drafts; SOGoSentFolderName = Sent; SOGoTrashFolderName = Trash; - SOGoJunkFolderName = Junk; - SOGoMailingMechanism = smtp; - SOGoSMTPServer = "smtp://127.0.0.1"; + //SOGoIMAPServer = localhost; + //SOGoSieveServer = sieve://127.0.0.1:4190; + //SOGoSMTPServer = smtp://domain:port/?tls=YES; + //SOGoMailDomain = acme.com; + SOGoMailingMechanis = smtp; + //SOGoForceExternalLoginWithEmail = NO; + //SOGoMailSpoolPath = /var/spool/sogo; + //NGImap4ConnectionStringSeparator = "/"; + + /* Notifications */ + //SOGoAppointmentSendEMailNotifications = NO; + //SOGoACLsSendEMailNotifications = NO; + //SOGoFoldersSendEMailNotifications = NO; + + /* Authentication */ + SOGoPasswordChangeEnabled = YES; + SOGoUserSources = ( - { - type = ldap; - CNFieldName = cn; - IDFieldName = uid; - UIDFieldName = uid; - baseDN = "ou=users,dc=acme,dc=com"; - bindDN = "uid=sogo,ou=users,dc=acme,dc=com"; - bindPassword = qwerty; - canAuthenticate = YES; - displayName = "Shared Addresses"; - hostname = 127.0.0.1; - id = public; - isAddressBook = YES; - port = 389; - } + { + type = ldap; + CNFieldName = cn; + UIDFieldName = uid; + IDFieldName = uid; // first field of the DN for direct binds + bindFields = (uid, mail); // array of fields to use for indirect binds + baseDN = "ou=users,{{ .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim }}"; + bindDN = "cn=readonly,{{ .Values.homey.url | replace "." 
",dc=" | printf "dc=%s " | trim }}"; + bindPassword = "{{ .homey_openldap_ro }}"; + canAuthenticate = YES; + displayName = "Shared Addresses"; + hostname = ldap://openldap:389; + id = public; + isAddressBook = YES; + } ); -} \ No newline at end of file + + /* Web Interface */ + //SOGoPageTitle = SOGo; + SOGoVacationEnabled = YES; + SOGoForwardEnabled = YES; + SOGoSieveScriptsEnabled = YES; + //SOGoMailAuxiliaryUserAccountsEnabled = YES; + //SOGoTrustProxyAuthentication = NO; + SOGoXSRFValidationEnabled = YES; + + /* General - SOGoTimeZone *MUST* be defined */ + SOGoLanguage = English; + SOGoTimeZone = Asia/Jerusalem; + //SOGoCalendarDefaultRoles = ( + // PublicDAndTViewer, + // ConfidentialDAndTViewer + //); + //SOGoSuperUsernames = (sogo1, sogo2); // This is an array - keep the parens! + SxVMemLimit = 384; + //WOPidFile = "/var/run/sogo/sogo.pid"; + SOGoMemcachedHost = "/var/run/memcached/memcached.sock"; + + /* Debug */ + SOGoDebugRequests = YES; + SoDebugBaseURL = YES; + ImapDebugEnabled = YES; + LDAPDebugEnabled = YES; + PGDebugEnabled = YES; + MySQL4DebugEnabled = YES; + SOGoUIxDebugEnabled = YES; + WODontZipResponse = YES; + //WOLogFile = /var/log/sogo/sogo.log; +} + diff --git a/gitea-commands.txt b/gitea-commands.txt new file mode 100644 index 0000000..3361c42 --- /dev/null +++ b/gitea-commands.txt 
@@ -0,0 +1,10 @@
+kubectl exec -it -n homey deploy/gitea -- su - git -c "/usr/local/bin/gitea admin auth update-ldap --id=1 --name ldap --security-protocol unencrypted --host openldap --port 389 --user-search-base ou=users,dc=zakobar,dc=com --user-filter \"(&(objectClass=person)(uid=%s))\" --admin-filter \"(memberOf=CN=admins,ou=groups,dc=zakobar,dc=com)\" --email-attribute mail --bind-dn=cn=readonly,dc=zakobar,dc=com --bind-password=VqxPZHwDCkFsLWaroyb880zdH1JTCvz9"
+
+kubectl exec -it -n homey deploy/gitea -- su - git -c "/usr/local/bin/gitea admin user delete --username aner"
+
+
+gitea admin auth add-ldap --name ldap --security-protocol unencrypted --host openldap --port 389 --user-search-base ou=users,dc=zakobar,dc=com --user-filter "&(objectClass=inetOrgPerson)(uid=%s)" --email-attribute mail --bind-dn="cn=readonly,dc=zakobar,dc=com" --bind-password=VqxPZHwDCkFsLWaroyb880zdH1JTCvz9
+
+gitea admin auth update-ldap --id=1 --name ldap --security-protocol unencrypted --host openldap --port 389 --user-search-base ou=users,dc=zakobar,dc=com --user-filter "(&(objectClass=person)(uid=%s))" --email-attribute mail --bind-dn="cn=readonly,dc=zakobar,dc=com" --bind-password=VqxPZHwDCkFsLWaroyb880zdH1JTCvz9
+
+kubectl exec -it -n homey deploy/authelia -- /bin/bash -c "cat /var/lib/authelia/emails.txt"
diff --git a/templates/media.yaml b/templates/media.yaml
new file mode 100644
index 0000000..216ee01
--- /dev/null
+++ b/templates/media.yaml
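Review bot: The three `--bind-password=` arguments carry the live LDAP `cn=readonly` bind password in clear text, and committing them places the credential permanently in git history; it should be rotated in the `openldap-ro` Secret and the file should read it at run time, e.g. `--bind-password="$(kubectl get secret -n homey openldap-ro -o jsonpath='{.data.password}' | base64 -d)"`, instead of embedding the literal. The chart consumes the same value through `.homey_openldap_ro`, so a rotation also needs a redeploy of those consumers. `--security-protocol unencrypted` sends that bind password to `openldap:389` in plaintext inside the cluster, which is acceptable only if the pod network is trusted, and a one-line comment recording that decision would help. The last command dumps Authelia's `emails.txt`, which holds the one-time identity-verification links the filesystem notifier writes, so it is best kept as an on-demand step rather than a routine.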
@@ -0,0 +1,204 @@ +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: jellyfin-config-pvc +spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 1Gi + storageClassName: longhorn +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: jellyfin-data-pvc +spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 700Gi + storageClassName: longhorn +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: transmission-config-pvc +spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 1Gi + storageClassName: longhorn +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: jellyfin +spec: + replicas: 1 + selector: + matchLabels: + app: jellyfin + template: + metadata: + labels: + app: jellyfin + spec: + containers: + - name: jellyfin + image: docker.io/jellyfin/jellyfin + imagePullPolicy: "IfNotPresent" + volumeMounts: + - name: jellyfin-volume-config + mountPath: "/config" + subPath: jellyfin/config + - name: jellyfin-volume-data + mountPath: "/data/movies" + subPath: downloads/movies + - name: jellyfin-volume-data + mountPath: "/data/tvshows" + subPath: downloads/tvshows + env: + - name: JELLYFIN_PublishedServerUrl + value: jellyfin.{{ .Values.homey.url }} + volumes: + - name: jellyfin-volume-config + persistentVolumeClaim: + claimName: jellyfin-config-pvc + - name: jellyfin-volume-data + persistentVolumeClaim: + claimName: jellyfin-data-pvc +--- +apiVersion: v1 +kind: Service +metadata: + name: jellyfin-web +spec: + selector: + app: jellyfin + ports: + - port: 80 + targetPort: 8096 + name: jellyfin-web +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: jellyfin-ingress +spec: + ingressClassName: {{ .Values.homey.ingress_class }} + tls: + - hosts: + - jellyfin.{{ .Values.homey.url }} + secretName: {{ .Values.homey.certname }} + rules: + - host: jellyfin.{{ .Values.homey.url }} + http: + paths: + - path: / + pathType: Prefix + backend: + 
service: + name: jellyfin-web + port: + number: 80 +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: transmission + labels: + app: transmission +spec: + replicas: 1 + selector: + matchLabels: + app: transmission + template: + metadata: + labels: + app: transmission + name: transmission + spec: + containers: + - name: transmission + image: linuxserver/transmission + imagePullPolicy: Always + volumeMounts: + - name: transmission-volume-config + mountPath: "/config" + subPath: transmission/config + - name: transmission-volume-data + mountPath: "/downloads/movies" + subPath: downloads/movies + - name: transmission-volume-data + mountPath: "/downloads/tvshows" + subPath: downloads/tvshows + - name: transmission-volume-data + mountPath: "/downloads/general" + subPath: downloads/general + - name: transmission-volume-data + mountPath: "/downloads/complete" + subPath: downloads/complete + volumes: + - name: transmission-volume-config + persistentVolumeClaim: + claimName: transmission-config-pvc + - name: transmission-volume-data + persistentVolumeClaim: + claimName: jellyfin-data-pvc +--- +apiVersion: v1 +kind: Service +metadata: + name: transmission-web +spec: + selector: + app: transmission + ports: + - port: 80 + targetPort: 9091 + name: transmission-web +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: torrent + annotations: + kubernetes.io/ingress.allow-http: "false" + nginx.ingress.kubernetes.io/force-ssl-redirect: "true" + nginx.ingress.kubernetes.io/auth-method: GET + nginx.ingress.kubernetes.io/auth-url: http://authelia.{{ .Release.Namespace }}.svc.cluster.local:9091/api/verify + nginx.ingress.kubernetes.io/auth-signin: https://auth.{{ .Values.homey.url }}?rm=$request_method + nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email + nginx.ingress.kubernetes.io/auth-snippet: | + proxy_set_header X-Forwarded-Method $request_method; + auth_request_set $user $upstream_http_remote_user; + 
auth_request_set $groups $upstream_http_remote_groups; + auth_request_set $name $upstream_http_remote_name; + auth_request_set $email $upstream_http_remote_email; + proxy_set_header X-Webauth-User $user; + proxy_set_header X-Webauth-Fullname $name; + proxy_set_header X-Webauth-Email $email; +spec: + ingressClassName: {{ .Values.homey.ingress_class }} + tls: + - hosts: + - torrent.{{ .Values.homey.url }} + secretName: {{ .Values.homey.certname }} + rules: + - host: torrent.{{ .Values.homey.url }} + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: transmission-web + port: + number: 80 diff --git a/unused/auth-templates.yaml b/unused/auth-templates.yaml new file mode 100644 index 0000000..a67a65b --- /dev/null +++ b/unused/auth-templates.yaml 
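Review bot: Both containers use an untagged image (`docker.io/jellyfin/jellyfin`, `linuxserver/transmission`), and transmission additionally sets `imagePullPolicy: Always`, so each pod restart may run a different, unreviewed build; pinning a tag, `image: linuxserver/transmission:<version>`, and ideally a digest keeps upgrades deliberate. The `torrent` Ingress gates access through Authelia, but the `transmission-web` Service still exposes the web/RPC port 9091 to every pod in the cluster, where nothing performs that check; a NetworkPolicy allowing ingress only from the ingress controller would close that path. `jellyfin-ingress` carries no auth annotations, which is fine if Jellyfin's own login is the intended control, but `# relies on Jellyfin's built-in authentication` on the Ingress would make that deliberate. The `auth-snippet` annotation is honoured only when ingress-nginx permits snippet annotations; if it is ignored the `X-Webauth-*` headers are never set, so that controller setting is worth verifying.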
@@ -0,0 +1,24 @@ +--- +{{- define "homey.auth.ingress.annotations" }} + # nginx.ingress.kubernetes.io/auth-signin: "https://auth.zakobar.com" + nginx.ingress.kubernetes.io/auth-url: "http://ldap-auth-internal.{{ .Release.Namespace }}.svc.cluster.local:80" + nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Email + nginx.ingress.kubernetes.io/location-snippets: |- + auth_request /auth + nginx.ingress.kubernetes.io/configuration-snippet: |- + location /auth { + # proxy_pass http://ldap-auth-internal; + proxy_pass_request_body off; + #THIS NEEDS TO BE SET BY ACTUAL SOMETHING LOGIN SHIT + # proxy_set_header X-Target http://ldap-auth-internal.{{ .Release.Namespace }}.svc.cluster.local:80; + proxy_set_header X-Ldap-URL "ldap://openldap"; + proxy_set_header X-Ldap-BaseDN "ou=users,{{ .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim }}"; + proxy_set_header X-Ldap-BindDN "cn=readonly,{{ .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim }}"; + proxy_set_header X-Ldap-BindPass {{ (get (get (lookup "v1" "Secret" .Release.Namespace "openldap-ro") "data") "password") | b64dec | quote}}; + proxy_set_header X-CookieName "homey.auth.cookie"; + proxy_set_header Cookie $cookie_homey.auth.cookie; + proxy_set_header X-Remote-User $remote_user; + proxy_set_header X-Forwarded-Method $request_method; + proxy_set_header X-Ldap-Template "(uid=%(username)s)"; + } +{{- end }} diff --git a/unused/baikal.yaml b/unused/baikal.yaml new file mode 100644 index 0000000..6f1366c --- /dev/null +++ b/unused/baikal.yaml 
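Review bot: `proxy_set_header X-Ldap-BindPass {{ ... | b64dec | quote }}` renders the LDAP bind password, read from the `openldap-ro` Secret, into an Ingress annotation and from there into the nginx configuration; Ingress objects are typically readable far more widely than Secrets, so this moves the credential to a less protected place. The file sits under `unused/` and is not rendered today, but if it is revived the password should stay in the Secret and be consumed by the auth backend directly rather than travel through annotations. The comment `#THIS NEEDS TO BE SET BY ACTUAL SOMETHING LOGIN SHIT` records an open problem without saying what it is; `# TODO: X-Target is still unset; decide what should populate it before enabling this template` would make the gap actionable.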
@@ -0,0 +1,117 @@ +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: baikal-data-pvc +spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 1Gi + storageClassName: longhorn +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: baikal-config-pvc +spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 1Gi + storageClassName: longhorn +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baikal + labels: + app: baikal +spec: + replicas: 1 + selector: + matchLabels: + app: baikal + template: + metadata: + labels: + app: baikal + spec: + containers: + - name: baikal + image: ckulka/baikal + imagePullPolicy: IfNotPresent + ports: + - containerPort: 80 + name: dav + volumeMounts: + - name: config + mountPath: /var/www/baikal/config + subPath: config + - name: data + mountPath: /var/www/baikal/Specific + subPath: Specific + restartPolicy: Always + volumes: + - name: data + persistentVolumeClaim: + claimName: baikal-data-pvc + - name: config + persistentVolumeClaim: + claimName: baikal-config-pvc +--- +apiVersion: v1 +kind: Service +metadata: + name: baikal +spec: + selector: + app: baikal + ports: + - name: dav + protocol: TCP + port: 80 + targetPort: 80 + selector: + app: baikal +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: baikal + annotations: + kubernetes.io/ingress.allow-http: "false" + nginx.ingress.kubernetes.io/force-ssl-redirect: "true" + nginx.ingress.kubernetes.io/auth-method: GET + nginx.ingress.kubernetes.io/auth-url: http://authelia.{{ .Release.Namespace }}.svc.cluster.local:9091/api/verify + nginx.ingress.kubernetes.io/auth-signin: https://auth.{{ .Values.homey.url }}?rm=$request_method + nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email + nginx.ingress.kubernetes.io/auth-snippet: | + proxy_set_header X-Forwarded-Method $request_method; + auth_request_set $user $upstream_http_remote_user; + 
auth_request_set $groups $upstream_http_remote_groups; + auth_request_set $name $upstream_http_remote_name; + auth_request_set $email $upstream_http_remote_email; + proxy_set_header X-Remote-User $user; + proxy_set_header X-Remote-Fullname $name; + proxy_set_header X-Remote-Email $email; +spec: + ingressClassName: {{ .Values.homey.ingress_class }} + tls: + - hosts: + - dav.{{ .Values.homey.url }} + secretName: {{ .Values.homey.certname }} + rules: + - host: dav.{{ .Values.homey.url }} + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: baikal + port: + number: 80 +--- diff --git a/unused/dav.yaml b/unused/dav.yaml new file mode 100644 index 0000000..566a3c3 --- /dev/null +++ b/unused/dav.yaml @@ -0,0 +1,71 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: baikal + labels: + app: baikal +spec: + replicas: 1 + selector: + matchLabels: + app: baikal + template: + metadata: + labels: + app: baikal + spec: + containers: + - name: baikal + image: ckulka/baikal + ports: + - name: dav + containerPort: 80 + protocol: TCP + volumeMounts: + - name: baikal-volume + mountPath: /var/www/baikal/Specific + subPath: baikal/data + - name: baikal-volume + mountPath: /var/www/baikal/config + subPath: baikal/config + restartPolicy: Always + volumes: + - name: baikal-volume + persistentVolumeClaim: + claimName: homey-pvc-longhorn +--- +apiVersion: v1 +kind: Service +metadata: + name: baikal +spec: + ports: + - name: dav + targetPort: 80 + port: 80 + selector: + app: baikal +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: baikal +spec: + ingressClassName: {{ .Values.homey.ingress_class }} + tls: + - hosts: + - dav.{{ .Values.homey.url }} + secretName: {{ .Values.homey.certname }} + rules: + - host: dav.{{ .Values.homey.url }} + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: baikal + port: + name: dav +--- 
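Review bot: The `baikal` Service in this hunk has `selector:` twice under `spec`, once before `ports` and once after; a duplicate mapping key is rejected by strict YAML parsers and otherwise silently keeps the last value, so one of the two should be removed. The same duplicated `selector` appears in the `davical` Service in `unused/davical.yaml` and the `gitea-svc` Service in `unused/gitea.yaml`. This file and `unused/dav.yaml` both define a Deployment, Service and Ingress named `baikal` for host `dav.{{ .Values.homey.url }}`, so only one of them can be moved back into `templates/` at a time; a header comment such as `# alternative to unused/dav.yaml — enable at most one` would prevent a collision.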
diff --git a/unused/davical.yaml b/unused/davical.yaml new file mode 100644 index 0000000..e0affd2 --- /dev/null +++ b/unused/davical.yaml 
@@ -0,0 +1,213 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: davical-postgres-pvc +spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 1Gi + storageClassName: longhorn + +--- +{{- $_ := set $ "homey_davical_postgres_pass" (include "homey.lookuporgensecret" (merge (dict "secretname" "davical-postgres-pass") $))}} +{{ include "homey.randomsecret" (merge (dict "secretname" "davical-postgres-pass" "secretval" .homey_davical_postgres_pass) $) }} +--- +# apiVersion: extensions/v1beta1 +apiVersion: v1 +kind: ConfigMap +metadata: + name: davical-postgres-config + labels: + app: davical-postgres +data: + POSTGRES_DB: postgres + POSTGRES_USER: postgres +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: davical-postgres + labels: + app: davical-postgres +spec: + replicas: 1 + selector: + matchLabels: + app: davical-postgres + template: + metadata: + labels: + app: davical-postgres + name: davical-postgres + spec: + containers: + - name: davical-postgres + image: postgres + imagePullPolicy: "IfNotPresent" + ports: + - containerPort: 5432 + envFrom: + - configMapRef: + name: davical-postgres-config + env: + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: davical-postgres-pass + key: password + volumeMounts: + - mountPath: /var/lib/postgresql/data + subPath: data + name: davical-postgredb + volumes: + - name: davical-postgredb + persistentVolumeClaim: + claimName: davical-postgres-pvc +--- +apiVersion: v1 +kind: Service +metadata: + name: davical-postgres + labels: + app: davical-postgres +spec: + ports: + - port: 5432 + selector: + app: davical-postgres +--- +{{- $_ := set $ "homey_davical_admin_pass" (include "homey.lookuporgensecret" (merge (dict "secretname" "davical-admin-pass") $))}} +{{ include "homey.randomsecret" (merge (dict "secretname" "davical-admin-pass" "secretval" .homey_davical_admin_pass) $) }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: davical-conf +data: + config.php: |- +{{ 
tpl (.Files.Get "files/davical-config.php" | indent 4) . }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: davical + labels: + app: davical +spec: + replicas: 1 + selector: + matchLabels: + app: davical + template: + metadata: + labels: + app: davical + spec: + containers: + - name: davical + image: anerisgreat/davical-multiarch-docker:latest + imagePullPolicy: "Always" + ports: + - containerPort: 80 + name: dav + env: + - name: PGHOST + value: "davical-postgres" + - name: PGUSER + value: "postgres" + - name: PGPASSWORD + valueFrom: + secretKeyRef: + name: davical-postgres-pass + key: password + - name: PGDATABASE + value: "davical" + - name: PGPORT + value: "5432" + - name: HOST_NAME + value: + "dav.{{ .Values.homey.url }}" + - name: DAVICAL_ADMIN_PASS + valueFrom: + secretKeyRef: + name: davical-admin-pass + key: password + - name: ROOT_PGUSER + value: "postgres" + - name: ROOT_PGPASSWORD + valueFrom: + secretKeyRef: + name: davical-postgres-pass + key: password + - name: RUN_MIGRATIONS_AT_STARTUP + value: "true" + volumeMounts: + - name: davical-conf + mountPath: /etc/davical/config.php + subPath: config.php + readOnly: true + volumes: + - name: davical-conf + configMap: + name: davical-conf + items: + - key: config.php + path: config.php +--- +apiVersion: v1 +kind: Service +metadata: + name: davical +spec: + selector: + app: davical + ports: + - name: dav + protocol: TCP + port: 80 + targetPort: 80 + selector: + app: davical +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: davical + annotations: + kubernetes.io/ingress.allow-http: "false" + nginx.ingress.kubernetes.io/force-ssl-redirect: "true" + nginx.ingress.kubernetes.io/auth-method: GET + nginx.ingress.kubernetes.io/auth-url: http://authelia.{{ .Release.Namespace }}.svc.cluster.local:9091/api/verify + nginx.ingress.kubernetes.io/auth-signin: https://auth.{{ .Values.homey.url }}?rm=$request_method + nginx.ingress.kubernetes.io/auth-response-headers: 
Remote-User,Remote-Name,Remote-Groups,Remote-Email + nginx.ingress.kubernetes.io/auth-snippet: | + proxy_set_header X-Forwarded-Method $request_method; + auth_request_set $user $upstream_http_remote_user; + auth_request_set $groups $upstream_http_remote_groups; + auth_request_set $name $upstream_http_remote_name; + auth_request_set $email $upstream_http_remote_email; + proxy_set_header Remote-User $user; + proxy_set_header Remote-Fullname $name; + proxy_set_header Remote-Email $email; + proxy_set_header Redirect-Remote-User $user; + proxy_set_header Redirect-Remote-Fullname $name; + proxy_set_header Redirect-Remote-Email $email; +spec: + ingressClassName: {{ .Values.homey.ingress_class }} + tls: + - hosts: + - dav.{{ .Values.homey.url }} + secretName: {{ .Values.homey.certname }} + rules: + - host: dav.{{ .Values.homey.url }} + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: davical + port: + number: 80 diff --git a/unused/gitea.yaml b/unused/gitea.yaml new file mode 100644 index 0000000..bdd658f --- /dev/null +++ b/unused/gitea.yaml 
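Review bot: The `davical` container runs against the database as the `postgres` superuser: `PGUSER` is `postgres`, `PGPASSWORD` and `ROOT_PGPASSWORD` both read `davical-postgres-pass`, and `ROOT_PGUSER` is `postgres` as well, so the web application holds a credential that can alter every database on that server. A dedicated `davical` role with rights on the `davical` database only, passed via `PGUSER`/`PGPASSWORD`, with the superuser reserved for `ROOT_PGUSER`/`ROOT_PGPASSWORD` (presumably used for the `RUN_MIGRATIONS_AT_STARTUP` step) would follow least privilege. The `auth-snippet` forwards `Remote-User` from Authelia, so DAViCal presumably trusts that header for login; as with the other header-trusting services in this patch, the `davical` Service on port 80 is reachable in-cluster without that check unless a NetworkPolicy restricts it.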
@@ -0,0 +1,131 @@ +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: gitea-pvc +spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 5Gi + storageClassName: longhorn +--- +{{- $_ := set $ "homey_gitea_admin_pass" (include "homey.lookuporgensecret" (merge (dict "secretname" "gitea-admin-pass") $))}} +{{ include "homey.randomsecret" (merge (dict "secretname" "gitea-admin-pass" "secretval" .homey_gitea_admin_pass) $) }} +--- +{{- $_ := set $ "homey_gitea_lfs_jwt_secret" (include "homey.lookuporgensecret" (merge (dict "secretname" "gitea-lfs-jwt-secret") $))}} +{{ include "homey.randomsecret" (merge (dict "secretname" "gitea-lfs-jwt-secret" "secretval" .homey_gitea_lfs_jwt_secret) $) }} +--- +{{- $_ := set $ "homey_gitea_oauth2_jwt_secret" (include "homey.lookuporgensecret" (merge (dict "secretname" "gitea-oauth2-jwt-secret") $))}} +{{ include "homey.randomsecret" (merge (dict "secretname" "gitea-oauth2-jwt-secret" "secretval" .homey_gitea_oauth2_jwt_secret) $) }} + +--- +apiVersion: v1 +kind: Secret +metadata: + name: gitea-random-internal-token + annotations: + "helm.sh/resource-policy": "keep" +type: Opaque +data: +{{- $secretObj := (lookup "v1" "Secret" .Release.Namespace "gitea-random-internal-token") | default dict -}} +{{- $secretData := (get $secretObj "data") | default dict -}} +{{- $pass := (get $secretData "password") | default (randAlphaNum 100 | b64enc) -}} +{{- $_ := set $ "homey_gitea_random_internal_token" ($pass | b64dec) }} + password: {{ $pass | quote }} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: gitea-conf +data: + app.ini: |- +{{ tpl (.Files.Get "files/gitea-app.ini" | indent 4) . 
}} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: gitea +spec: + replicas: 1 + selector: + matchLabels: + app: gitea + template: + metadata: + labels: + app: gitea + spec: + containers: + - name: gitea + image: gitea/gitea:latest + ports: + - containerPort: 3000 + name: http + volumeMounts: + - name: gitea-persistent-storage + mountPath: /data + subPath: gitea/gitea/data + - name: gitea-conf + mountPath: /data/gitea/conf/app.ini + subPath: app.ini + readOnly: true + # startProbe: + # httpGet: + # path: / + # port: 3000 + # initialDelaySeconds: 15 + # lifecycle: + # postStart: + # exec: + # {{- set $gitea-cmd (printf "gitea admin auth add-ldap --name ldap --security-protocol unencrypted --host ldap --port 389 --user-search-base ou=users,%s --user-filter \\\"(&(objectClass=inetOrgPerson)(|(uid=\%[1]s)(mail=\%[1]s)))\\\" --email-attribute mail --bind-dn=\\\"cn=readonly,%s\\\" --bind-password=\\\"%s\\\"" ( .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim) () (.homey_openldap_ro | replace "\"" ""))}} + # command: ["/bin/sh", "-c", "{{cmd}}"] + volumes: + - name: gitea-persistent-storage + persistentVolumeClaim: + claimName: gitea-pvc + - name: gitea-conf + configMap: + name: gitea-conf + items: + - key: app.ini + path: app.ini +--- +apiVersion: v1 +kind: Service +metadata: + name: gitea-svc +spec: + selector: + app: gitea + ports: + - name: http-port + protocol: TCP + port: 3000 + targetPort: http + selector: + app: gitea +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: gitea-ingress +spec: + ingressClassName: {{ .Values.homey.ingress_class }} + tls: + - hosts: + - git.{{ .Values.homey.url }} + secretName: {{ .Values.homey.certname }} + rules: + - host: git.{{ .Values.homey.url }} + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: gitea-svc + port: + number: 3000 +--- diff --git a/unused/jellyfin.yaml b/unused/jellyfin.yaml new file mode 100644 index 0000000..53d231a --- /dev/null 
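Review bot: The commented-out `lifecycle.postStart` block contains `{{- set $gitea-cmd (printf ...)}}` and `{{cmd}}`; Helm evaluates template actions before YAML is parsed, so a `#` comment does not hide them, and `$gitea-cmd` is not a valid variable name while `cmd` is undefined, so the moment this file moves into `templates/` rendering fails. Either delete the block or wrap it in a template comment, `{{/* ... */}}`, which Helm strips before parsing. `image: gitea/gitea:latest` is unpinned; a fixed tag keeps upgrades deliberate. The `gitea-random-internal-token` Secret combines `randAlphaNum 100`, `helm.sh/resource-policy: keep` and a `lookup` to preserve the existing value, which is the right pattern, though `lookup` returns an empty dict under `helm template` and dry-run, so the token regenerates in that mode.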
+++ b/unused/jellyfin.yaml @@ -0,0 +1,92 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: jellyfin-config-pvc +spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 100Gi + storageClassName: longhorn +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: jellyfin-data-pvc +spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 700Gi + storageClassName: longhorn +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: jellyfin +spec: + replicas: 1 + selector: + matchLabels: + app: jellyfin + template: + metadata: + labels: + app: jellyfin + spec: + containers: + - name: jellyfin + image: docker.io/jellyfin/jellyfin + volumeMounts: + - name: jellyfin-volume-config + mountPath: "/config" + subPath: jellyfin/config + - name: jellyfin-volume-data + mountPath: "/data/movies" + subPath: downloads/movies + - name: jellyfin-volume-data + mountPath: "/data/tvshows" + subPath: downloads/tvshows + - env: + - name: JELLYFIN_PublishedServerUrl + value: jellyfin.{{ .Values.homey.url }} + volumes: + - name: jellyfin-volume-config + persistentVolumeClaim: + claimName: jellyfin-config-pvc + - name: jellyfin-volume-data + persistentVolumeClaim: + claimName: jellyfin-data-pvc +--- +apiVersion: v1 +kind: Service +metadata: + name: jellyfin-web + namespace: homecenter +spec: + selector: + app: jellyfin + ports: + - port: 80 + targetPort: 8096 + name: jellyfin-web +--- +ingressClassName: {{ .Values.homey.ingress_class }} + tls: + - hosts: + - jellyfin.{{ .Values.homey.url }} + secretName: {{ .Values.homey.certname }} + rules: + - host: jellyfin.{{ .Values.homey.url }} + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: jellyfin-web + port: + number: 80 +--- diff --git a/unused/ldap-auth.yaml b/unused/ldap-auth.yaml new file mode 100644 index 0000000..e9adf30 --- /dev/null +++ b/unused/ldap-auth.yaml 
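Review bot: Under `containers`, `- env:` starts a second list item, so `JELLYFIN_PublishedServerUrl` is attached to a container that has no `name` or `image` and the manifest would be rejected by the API server; `templates/media.yaml` in this same patch carries the corrected form with `env:` under the `jellyfin` container, so this copy is superseded. The final document begins with `ingressClassName:` and has no `apiVersion`/`kind`/`metadata`, and the Service hard-codes `namespace: homecenter` while the rest of the chart relies on `.Release.Namespace`. A one-line header comment, `# superseded by templates/media.yaml; kept for reference only`, would stop someone from reviving it as-is.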
@@ -0,0 +1,70 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: ldap-auth + labels: + app: ldap-auth +spec: + replicas: 1 + selector: + matchLabels: + app: ldap-auth + template: + metadata: + labels: + app: ldap-auth + name: ldap-auth + spec: + containers: + - name: ldap-auth + image: linuxserver/ldap-auth + imagePullPolicy: Always +--- +#https://stackoverflow.com/questions/51149921/how-to-authenticate-nginx-with-ldap +apiVersion: v1 +kind: Service +metadata: + name: ldap-auth +spec: + selector: + app: ldap-auth + ports: + - port: 80 + targetPort: 9000 +--- +apiVersion: v1 +kind: Service +metadata: + name: ldap-auth-internal +spec: + selector: + app: ldap-auth + ports: + - port: 80 + targetPort: 8888 +--- +# apiVersion: networking.k8s.io/v1 +# kind: Ingress +# metadata: +# name: ldap-auth-ingress +# annotations: +# spec: +# ingressClassName: {{ .Values.homey.ingress_class }} +# tls: +# - hosts: +# - auth.{{ .Values.homey.url }} +# secretName: {{ .Values.homey.certname }} +# rules: +# - host: auth.{{ .Values.homey.url }} +# http: +# paths: +# - path: / +# pathType: Prefix +# backend: +# service: +# name: ldap-auth +# port: +# number: 80 +# --- + diff --git a/unused/nextcloud.yaml b/unused/nextcloud.yaml new file mode 100644 index 0000000..d35f048 --- /dev/null +++ b/unused/nextcloud.yaml 
@@ -0,0 +1,206 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: nextcloud-pvc
+spec:
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 30Gi
+ storageClassName: longhorn
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: nextcloud-postgres-pvc
+spec:
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 5Gi
+ storageClassName: longhorn
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: nextcloud-data-pvc
+spec:
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 30Gi
+ storageClassName: longhorn
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: nextcloud-postgres-pass
+ annotations:
+ "helm.sh/resource-policy": "keep"
+type: Opaque
+data:
+ {{- $secretObj := (lookup "v1" "Secret" .Release.Namespace "nextcloud-postgres-pass") | default dict }}
+ {{- $secretData := (get $secretObj "data") | default dict }}
+ {{- $pass := (get $secretData "password") | default (randAlphaNum 32 | b64enc) }}
+ password: {{ $pass | quote }}
+---
+# apiVersion: extensions/v1beta1
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: nextcloud-postgres-config
+ labels:
+ app: nextcloud-postgres
+data:
+ POSTGRES_DB: nextcloud_db
+ POSTGRES_USER: postgres
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: nextcloud-postgres
+ labels:
+ app: nextcloud-postgres
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: nextcloud-postgres
+ template:
+ metadata:
+ labels:
+ app: nextcloud-postgres
+ name: nextcloud-postgres
+ spec:
+ containers:
+ - name: nextcloud-postgres
+ image: postgres
+ imagePullPolicy: "IfNotPresent"
+ ports:
+ - containerPort: 5432
+ envFrom:
+ - configMapRef:
+ name: nextcloud-postgres-config
+ env:
+ - name: POSTGRES_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: nextcloud-postgres-pass
+ key: password
+ volumeMounts:
+ - mountPath: /var/lib/postgresql/data
+ subPath: nextcloud/db
+ name: nextcloud-postgredb
+ volumes:
+ - name: nextcloud-postgredb
+ persistentVolumeClaim:
+ claimName: nextcloud-postgres-pvc
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: nextcloud-postgres
+ labels:
+ app: nextcloud-postgres
+spec:
+ ports:
+ - port: 5432
+ selector:
+ app: nextcloud-postgres
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: nextcloud
+ labels:
+ app: nextcloud
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: nextcloud
+ template:
+ metadata:
+ labels:
+ app: nextcloud
+ name: nextcloud
+ spec:
+ containers:
+ - name: nextcloud
+ image: nextcloud
+ imagePullPolicy: Always
+ volumeMounts:
+ - name: nextcloud-volume
+ mountPath: "/var/www/html"
+ subPath: nextcloud/html
+ - name: nextcloud-media
+ mountPath: "/var/www/html/data"
+ subPath: nextcloud/html/data
+ envFrom:
+ - configMapRef:
+ name: nextcloud-postgres-config
+ env:
+ - name: POSTGRES_HOST
+ value: "nextcloud-postgres"
+ - name: POSTGRES_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: nextcloud-postgres-pass
+ key: password
+ - name: OVERWRITEPROTOCOL
+ value: "https"
+ volumes:
+ - name: nextcloud-volume
+ persistentVolumeClaim:
+ claimName: nextcloud-pvc
+ - name: nextcloud-media
+ persistentVolumeClaim:
+ claimName: nextcloud-data-pvc
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: nextcloud
+spec:
+ selector:
+ app: nextcloud
+ ports:
+ - port: 80
+ targetPort: 80
+ name: nextcloud
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: nextcloud-ingress
+ annotations:
+ nginx.ingress.kubernetes.io/proxy-body-size: 5g
+ nginx.ingress.kubernetes.io/server-snippet: |
+ # Make a regex exception for `/.well-known` so that clients can still
+ # access it despite the existence of the regex rule
+ # `location ~ /(\.|autotest|...)` which would otherwise handle requests
+ # for `/.well-known`.
+ location = /.well-known/carddav { return 301 https://nextcloud.zakobar.com/remote.php/dav/; }
+ location = /.well-known/caldav { return 301 https://nextcloud.zakobar.com/remote.php/dav/; }
+spec:
+ ingressClassName: {{ .Values.homey.ingress_class }}
+ tls:
+ - hosts:
+ - nextcloud.{{ .Values.homey.url }}
+ secretName: {{ .Values.homey.certname }}
+ rules:
+ - host: nextcloud.{{ .Values.homey.url }}
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: nextcloud
+ port:
+ number: 80
+---
diff --git a/unused/paperless.yaml
new file mode 100644
index 0000000..281a77a
--- /dev/null
+++ b/unused/paperless.yaml
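Review bot: The two `server-snippet` redirects hard-code `https://nextcloud.zakobar.com/remote.php/dav/` while every other host in the file is templated as `nextcloud.{{ .Values.homey.url }}`, so a deployment under any other domain bounces CalDAV/CardDAV discovery to a foreign host; write `return 301 https://nextcloud.{{ .Values.homey.url }}/remote.php/dav/;` on both lines. Note too that recent ingress-nginx releases default `allow-snippet-annotations` to false and silently drop `server-snippet`, so confirm the controller actually renders it before relying on these redirects. Separately, `image: postgres` with no tag on a data directory persisted under `nextcloud/db` means an eventual major-version pull will refuse to start on the old cluster files; pin the major (`postgres:16` or whatever the volume was initialised with). Nextcloud also connects as `POSTGRES_USER: postgres`, the superuser, where a dedicated role owning `nextcloud_db` would bound the blast radius of an application compromise.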
@@ -0,0 +1,230 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: paperless-pvc
+spec:
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 50Gi
+ storageClassName: longhorn
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: paperless-redis
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: paperless-redis
+ template:
+ metadata:
+ labels:
+ app: paperless-redis
+ spec:
+ containers:
+ - name: paperless
+ image: redis
+ imagePullPolicy: "IfNotPresent"
+ ports:
+ - containerPort: 6379
+ name: redis
+ volumeMounts:
+ - name: paperless-volume
+ mountPath: "/data"
+ subPath: paperless/redis-data
+ volumes:
+ - name: paperless-volume
+ persistentVolumeClaim:
+ claimName: paperless-pvc
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: paperless-redis
+spec:
+ selector:
+ app: paperless-redis
+ ports:
+ - port: 80
+ targetPort: 8000
+ name: paperless-web
+
+---
+{{- $_ := set $ "homey_paperless_postgres_pass" (include "homey.lookuporgensecret" (merge (dict "secretname" "paperless-postgres-pass") $))}}
+{{ include "homey.randomsecret" (merge (dict "secretname" "paperless-postgres-pass" "secretval" .homey_paperless_postgres_pass) $) }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: paperless-postgres-config
+ labels:
+ app: paperless-postgres
+data:
+ POSTGRES_DB: paperless
+ POSTGRES_USER: paperless
+ POSTGRES_PASSWORD: paperless
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: paperless-postgres
+ labels:
+ app: paperless-postgres
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: paperless-postgres
+ template:
+ metadata:
+ labels:
+ app: paperless-postgres
+ name: paperless-postgres
+ spec:
+ containers:
+ - name: paperless-postgres
+ image: postgres
+ imagePullPolicy: "IfNotPresent"
+ ports:
+ - containerPort: 5432
+ envFrom:
+ - configMapRef:
+ name: paperless-postgres-config
+ volumeMounts:
+ - mountPath: /var/lib/postgresql/data
+ subPath: paperless/db
+ name: paperless-volume
+ volumes:
+ - name: paperless-volume
+ persistentVolumeClaim:
+ claimName: paperless-pvc
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: paperless-postgres
+ labels:
+ app: paperless-postgres
+spec:
+ ports:
+ - port: 5432
+ selector:
+ app: paperless-postgres
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: paperless
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: paperless
+ template:
+ metadata:
+ labels:
+ app: paperless
+ spec:
+ containers:
+ - name: paperless
+ image: ghcr.io/paperless-ngx/paperless-ngx:latest
+ imagePullPolicy: "IfNotPresent"
+ ports:
+ - containerPort: 8000
+ name: paperless-web
+ volumeMounts:
+ - name: paperless-volume
+ mountPath: "/usr/src/paperless/data"
+ subPath: paperless/data
+ - name: paperless-volume
+ mountPath: "/usr/src/paperless/media"
+ subPath: paperless/media
+ - name: paperless-volume
+ mountPath: "/usr/src/paperless/export"
+ subPath: paperless/export
+ - name: paperless-volume
+ mountPath: "/usr/src/paperless/consume"
+ subPath: paperless/consume
+ env:
+ - name: PAPERLESS_REDIS
+ value: redis://paperless-redis:6379
+ - name: PAPERLESS_DBHOST
+ value: paperless-postgres
+ - name: PAPERLESS_DEBUG
+ value: "true"
+ - name: PAPERLESS_ENABLE_HTTP_REMOTE_USER
+ value: "true"
+ - name: PAPERLESS_ENABLE_HTTP_REMOTE_USER_API
+ value: "true"
+ - name: PAPERLESS_DISABLE_REGULAR_LOGIN
+ value: "true"
+ - name: PAPERLESS_LOGOUT_REDIRECT_URL
+ value: "https://auth.{{ .Values.homey.url }}/logout"
+ - name: PAPERLESS_URL
+ value: "https://paperless.{{ .Values.homey.url }}"
+ - name: PAPERLESS_DBPASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: paperless-postgres-pass
+ key: password
+ volumes:
+ - name: paperless-volume
+ persistentVolumeClaim:
+ claimName: paperless-pvc
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: paperless-web
+ labels:
+ app: paperless-web
+spec:
+ selector:
+ app: paperless
+ ports:
+ - port: 80
+ targetPort: 8000
+ name: paperless-web
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: paperless-ingress
+ annotations:
+ kubernetes.io/ingress.allow-http: "false"
+ nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+ nginx.ingress.kubernetes.io/auth-method: GET
+ nginx.ingress.kubernetes.io/auth-url: http://authelia.{{ .Release.Namespace }}.svc.cluster.local:9091/api/verify
+ nginx.ingress.kubernetes.io/auth-signin: https://auth.{{ .Values.homey.url }}?rm=$request_method
+ nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
+ nginx.ingress.kubernetes.io/auth-snippet: |
+ proxy_set_header X-Forwarded-Method $request_method;
+ auth_request_set $user $upstream_http_remote_user;
+ auth_request_set $groups $upstream_http_remote_groups;
+ auth_request_set $name $upstream_http_remote_name;
+ auth_request_set $email $upstream_http_remote_email;
+ proxy_set_header REMOTE_USER $remote_user;
+ proxy_set_header REMOTE_EMAIL $email;
+ proxy_set_header REMOTE_NAME $name;
+spec:
+ ingressClassName: {{ .Values.homey.ingress_class }}
+ tls:
+ - hosts:
+ - paperless.{{ .Values.homey.url }}
+ secretName: {{ .Values.homey.certname }}
+ rules:
+ - host: paperless.{{ .Values.homey.url }}
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: paperless-web
+ port:
+ number: 80
+---
diff --git a/unused/radicale.yaml
new file mode 100644
index 0000000..d025145
--- /dev/null
+++ b/unused/radicale.yaml
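Review bot: The `paperless-postgres-config` ConfigMap publishes `POSTGRES_PASSWORD: paperless` in cleartext, while the application reads `PAPERLESS_DBPASSWORD` from the generated `paperless-postgres-pass` Secret, so the database is initialised with a different — and guessable — password than the one Paperless presents, and the login fails on first boot. Drop the key from the ConfigMap and feed the postgres container the same Secret through `env`/`secretKeyRef`, as the nextcloud-postgres Deployment in this patch already does. Three smaller things in the same hunk: the `paperless-redis` Service exposes `port: 80`/`targetPort: 8000` although the container listens on 6379 and `PAPERLESS_REDIS` points at `redis://paperless-redis:6379`, so that Service never routes; `PAPERLESS_DEBUG: "true"` leaves Django debug pages (settings, tracebacks) on for an internet-facing host; and `proxy_set_header REMOTE_USER $remote_user;` uses nginx's basic-auth variable rather than the `$user` captured by `auth_request_set` a few lines above, so that header would be empty if it is the one trusted. As far as I can tell Paperless's remote-user mode reads the `Remote-User` header by default, which the `auth-response-headers` annotation already forwards, so the three `REMOTE_*` lines are likely redundant and can go.
```yaml
# … unchanged: paperless-postgres Deployment down to envFrom/configMapRef …
          env:
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: paperless-postgres-pass
                  key: password
# … unchanged: volumeMounts, volumes …
```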
@@ -0,0 +1,122 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: radicale-pvc
+spec:
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 1Gi
+ storageClassName: longhorn
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: radicale-conf
+ labels:
+ app: radicale
+data:
+ config: |-
+{{ tpl (.Files.Get "files/radicale-configmap.ini" | indent 4) . }}
+---
+{{- $_ := set $ "homey_radicale_basic_auth" (include "homey.lookuporgensecret" (merge (dict "secretname" "radicale-basic-auth") $))}}
+{{ include "homey.randomsecret" (merge (dict "secretname" "radicale-basic-auth" "secretval" .homey_radicale_basic_auth) $) }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: radicale
+ labels:
+ app: radicale
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: radicale
+ template:
+ metadata:
+ labels:
+ app: radicale
+ spec:
+ containers:
+ - name: radicale
+ image: tomsquest/docker-radicale
+ imagePullPolicy: IfNotPresent
+ ports:
+ - name: dav
+ containerPort: 5232
+ protocol: TCP
+ volumeMounts:
+ - name: collections
+ mountPath: /data/collections
+ - name: config
+ mountPath: /config/config
+ subPath: config
+ readOnly: true
+ restartPolicy: Always
+ volumes:
+ - name: collections
+ persistentVolumeClaim:
+ claimName: radicale-pvc
+ - name: config
+ configMap:
+ name: radicale-conf
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: radicale
+ labels:
+ app.kubernetes.io/name: radicale
+spec:
+ type: ClusterIP
+ ports:
+ - name: dav
+ port: 5232
+ targetPort: 5232
+ - name: http
+ port:80
+ targetPort: 80
+ selector:
+ app.kubernetes.io/name: radicale
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: radicale
+ annotations:
+ kubernetes.io/ingress.allow-http: "false"
+ nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+ nginx.ingress.kubernetes.io/auth-method: GET
+ nginx.ingress.kubernetes.io/auth-url: http://authelia.{{ .Release.Namespace }}.svc.cluster.local:9091/api/verify
+ nginx.ingress.kubernetes.io/auth-signin: https://auth.{{ .Values.homey.url }}?rm=$request_method
+ nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
+ nginx.ingress.kubernetes.io/auth-snippet: |
+ proxy_set_header X-Forwarded-Method $request_method;
+ auth_request_set $user $upstream_http_remote_user;
+ auth_request_set $groups $upstream_http_remote_groups;
+ auth_request_set $name $upstream_http_remote_name;
+ auth_request_set $email $upstream_http_remote_email;
+ proxy_set_header X-Remote-User $user;
+ proxy_set_header X-Remote-Fullname $name;
+ proxy_set_header X-Remote-Email $email;
+spec:
+ ingressClassName: {{ .Values.homey.ingress_class }}
+ tls:
+ - hosts:
+ - dav.{{ .Values.homey.url }}
+ secretName: {{ .Values.homey.certname }}
+ rules:
+ - host: dav.{{ .Values.homey.url }}
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: radicale
+ port:
+ number: 5232
+---
diff --git a/unused/sabre.yaml
new file mode 100644
index 0000000..19d45aa
--- /dev/null
+++ b/unused/sabre.yaml
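Review bot: The `radicale` Service can never reach the pod: its selector is `app.kubernetes.io/name: radicale` while the Deployment labels its pods `app: radicale`, and the `port:80` entry lacks the space after the colon, so it is a bare scalar inside a mapping and the manifest fails to parse. Use `app: radicale` in the selector and either write `port: 80` or drop the `http` port entirely, since the Ingress targets 5232. If `files/radicale-configmap.ini` (not in this hunk) turns on `http_x_remote_user` auth, Radicale will trust whatever arrives in `X-Remote-User`; that is only safe when the proxy unconditionally overwrites the header, and as far as I can tell ingress-nginx places `auth-snippet` text in the auth sub-request location, so the `proxy_set_header X-Remote-User $user;` lines here may not be what the backend sees, while `auth-response-headers` forwards `Remote-User`, not `X-Remote-User`. Confirm which header Radicale actually reads and that a client-supplied copy cannot pass through, otherwise any user who clears Authelia can impersonate another. The generated `radicale-basic-auth` Secret is created but mounted nowhere in this hunk.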
@@ -0,0 +1,118 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: baikal-data-pvc
+spec:
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 1Gi
+ storageClassName: longhorn
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: baikal-config-pvc
+spec:
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 1Gi
+ storageClassName: longhorn
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: baikal
+ labels:
+ app: baikal
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: baikal
+ template:
+ metadata:
+ labels:
+ app: baikal
+ spec:
+ containers:
+ - name: baikal
+ image: ckulka/baikal-docker
+ imagePullPolicy: IfNotPresent
+ ports:
+ - name: dav
+ containerPort: 80
+ protocol: TCP
+ volumeMounts:
+ - name: config
+ mountPath: /var/www/baikal/config
+ subPath: config
+ - name: data
+ mountPath: /var/www/baikal/Specific
+ subPath: Specific
+ restartPolicy: Always
+ volumes:
+ - name: data
+ persistentVolumeClaim:
+ claimName: baikal-data-pvc
+ - name: config
+ persistentVolumeClaim:
+ claimName: baikal-config-pvc
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: baikal
+ labels:
+ app.kubernetes.io/name: baikal
+spec:
+ type: ClusterIP
+ ports:
+ - name: dav
+ port: 80
+ targetPort: 80
+ selector:
+ app.kubernetes.io/name: baikal
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: baikal
+ annotations:
+ kubernetes.io/ingress.allow-http: "false"
+ nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+ nginx.ingress.kubernetes.io/auth-method: GET
+ nginx.ingress.kubernetes.io/auth-url: http://authelia.{{ .Release.Namespace }}.svc.cluster.local:9091/api/verify
+ nginx.ingress.kubernetes.io/auth-signin: https://auth.{{ .Values.homey.url }}?rm=$request_method
+ nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
+ nginx.ingress.kubernetes.io/auth-snippet: |
+ proxy_set_header X-Forwarded-Method $request_method;
+ auth_request_set $user $upstream_http_remote_user;
+ auth_request_set $groups $upstream_http_remote_groups;
+ auth_request_set $name $upstream_http_remote_name;
+ auth_request_set $email $upstream_http_remote_email;
+ proxy_set_header X-Remote-User $user;
+ proxy_set_header X-Remote-Fullname $name;
+ proxy_set_header X-Remote-Email $email;
+spec:
+ ingressClassName: {{ .Values.homey.ingress_class }}
+ tls:
+ - hosts:
+ - dav.{{ .Values.homey.url }}
+ secretName: {{ .Values.homey.certname }}
+ rules:
+ - host: dav.{{ .Values.homey.url }}
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: baikal
+ port:
+ number: 80
+---
diff --git a/unused/sogo.yaml
new file mode 100644
index 0000000..e7162df
--- /dev/null
+++ b/unused/sogo.yaml
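Review bot: The `baikal` Service selects `app.kubernetes.io/name: baikal` but the Deployment's pod template is labelled `app: baikal`, so the Service has no endpoints and the Ingress answers 503; change the selector to `app: baikal`. This Ingress also claims the same host `dav.{{ .Values.homey.url }}` as the radicale Ingress in this patch, so enabling both hands the controller two conflicting rule sets for one host — pick one or give them distinct hosts. `ckulka/baikal-docker` is pulled without a tag or digest; pin it. The `X-Remote-User` / `X-Remote-Fullname` / `X-Remote-Email` headers set in `auth-snippet` only matter if `files/baikal-server.php` is wired to trust them, which this hunk does not show; if it is, make sure the proxy overwrites those headers on every request so a client cannot assert its own identity past Authelia.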
@@ -0,0 +1,162 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: sogo-postgres-pvc
+spec:
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 1Gi
+ storageClassName: longhorn
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: sogo-db-pass
+type: Opaque
+data:
+ password: sogo
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: sogo-postgres-config
+ labels:
+ app: sogo-postgres
+data:
+ POSTGRES_DB: sogo
+ POSTGRES_USER: sogo
+ POSTGRES_PASSWORD: sogo
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: sogo-postgres
+ labels:
+ app: sogo-postgres
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: sogo-postgres
+ template:
+ metadata:
+ labels:
+ app: sogo-postgres
+ name: sogo-postgres
+ spec:
+ containers:
+ - name: postgres
+ image: postgres
+ imagePullPolicy: "IfNotPresent"
+ ports:
+ - containerPort: 5432
+ envFrom:
+ - configMapRef:
+ name: sogo-postgres-config
+ volumeMounts:
+ - mountPath: /var/lib/postgresql/data
+ subPath: sogo/db/data
+ name: sogo-postgresdb
+ volumes:
+ - name: sogo-postgresdb
+ persistentVolumeClaim:
+ claimName: sogo-postgres-pvc
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: sogo-postgres
+ labels:
+ app: sogo-postgres
+spec:
+ ports:
+ - port: 5432
+ selector:
+ app: sogo-postgres
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: sogo-conf
+data:
+ sogo.conf: |-
+{{ tpl (.Files.Get "files/sogo.conf" | indent 4) . }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: sogo
+ labels:
+ app: sogo
+spec:
+ ports:
+ - port: 80
+ targetPort: 80
+ selector:
+ app: sogo
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: sogo
+spec:
+ # Stop old container before starting new one.
+ # No known upgrade policy know. Save to stop and start a new one.
+ strategy:
+ type: Recreate
+ rollingUpdate: null
+ selector:
+ matchLabels:
+ app: sogo
+ replicas: 1
+ template:
+ metadata:
+ labels:
+ app: sogo
+ spec:
+ containers:
+ - name: sogo
+ image: mailcow/sogo:nightly-1.119
+ resources:
+ requests:
+ cpu: 100m
+ memory: 400Mi
+ ports:
+ - containerPort: 80
+ volumeMounts:
+ - mountPath: /etc/sogo/sogo.conf
+ name: sogo-conf
+ subPath: sogo.conf
+ readOnly: true
+ volumes:
+ - name: sogo-conf
+ configMap:
+ name: sogo-conf
+ optional: false
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: sogo-ingress
+spec:
+ ingressClassName: {{ .Values.homey.ingress_class }}
+ tls:
+ - hosts:
+ - git.{{ .Values.homey.url }}
+ secretName: {{ .Values.homey.certname }}
+ rules:
+ - host: sogo.{{ .Values.homey.url }}
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: soo
+ port:
+ number: 80
+
+---
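Review bot: The `sogo-db-pass` Secret puts the literal `sogo` under `data:`, which the API server base64-decodes into three bytes of garbage rather than the string `sogo`, and the same password is then repeated in cleartext as `POSTGRES_PASSWORD: sogo` in the `sogo-postgres-config` ConfigMap — the Secret itself is referenced nowhere in this hunk. Use `stringData:` (or generate the value the way the paperless and radicale manifests do) and give the postgres container the password through `secretKeyRef` instead of the ConfigMap. The Ingress is broken in two places: `tls.hosts` lists `git.{{ .Values.homey.url }}` while the rule host is `sogo.{{ .Values.homey.url }}`, so the served certificate will not match, and the backend `name: soo` matches no Service; change them to `- sogo.{{ .Values.homey.url }}` and `name: sogo`. Unlike the other web frontends in this patch, this Ingress has no Authelia `auth-url` annotations, so SOGo's own login is the only gate on the host; and `mailcow/sogo:nightly-1.119` is a nightly build, a weak pin for a mail-facing component.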