Current snapshot of state with unused garbage.

This commit is contained in:
Aner Zakobar
2025-03-26 12:27:47 +02:00
parent 9ac576c043
commit 138d6d8a6b
20 changed files with 1965 additions and 34 deletions
+13
@@ -96,7 +96,20 @@ Line 800 ish for auth from reverse proxy
I ran THIS command inside I ran THIS command inside
su www-data -s /bin/bash -c php occ ldap:promote-group "admins" su www-data -s /bin/bash -c php occ ldap:promote-group "admins"
** When maintenence mode
#+begin_example
kubectl exec --tty --stdin -n homey deploy/nextcloud -- su -l www-data -s /bin/bash
php /var/www/html/occ maintenance:mode --off
#+end_src
* I UNDERSTAND * I UNDERSTAND
I need to backup Chen's stuff I need to backup Chen's stuff
And... I need to Jellyfin And... I need to Jellyfin
* PAPERLESS
https://github.com/paperless-ngx/paperless-ngx/blob/74c44fe418a91a526b5dab1a91fde4aaebd28bb1/docker/compose/docker-compose.postgres.yml
For docker
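--- a/PLACEHOLDER_PATH_authelia-config
+++ b/PLACEHOLDER_PATH_authelia-config
@@ -59,6 +59,29 @@ access_control:
 - domain:
 - "*.admin.{{ .Values.homey.url }}"
 policy: "deny"
+- domain:
+- "torrent.{{ .Values.homey.url }}"
+subject:
+- 'group:admins'
+policy: "two_factor"
+- domain:
+- "torrent.{{ .Values.homey.url }}"
+policy: "deny"
+- domain:
+- "stash-dl.{{ .Values.homey.url }}"
+policy: "one_factor"
+- domain:
+- "stash.{{ .Values.homey.url }}"
+policy: "one_factor"
+- domain:
+- "paperless.{{ .Values.homey.url }}"
+policy: "one_factor"
 notifier:
 filesystem:
 filename: "/var/lib/authelia/emails.txt"
+ntp:
+address: 'udp://time.cloudflare.com:123'
+version: 3
+max_desync: '3s'
+disable_startup_check: false
+disable_failure: true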
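Review bot: `disable_failure: true` on the last line of the new `ntp:` block lets Authelia keep running when its clock is found to be more than `max_desync: '3s'` away from the NTP source, while the new `torrent` rule in the same hunk depends on `two_factor`, whose TOTP validation is clock-based; with a drifted clock valid codes are rejected or the accepted window shifts away from what was intended. Unless the node clock is trusted for other reasons, keep the check enforced with `disable_failure: false`, or add a comment stating why startup must not depend on NTP reachability. The two `torrent` entries are order-dependent (the `group:admins` / `two_factor` rule must precede the `deny` that covers everyone else), so a comment above them such as `# order matters: admins get 2FA, all other subjects are denied` would protect that from a later reshuffle.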
+30
@@ -0,0 +1,30 @@
<?php
use
Sabre\DAV;
// The autoloader
require 'vendor/autoload.php';
// Now we're creating a whole bunch of objects
$rootDirectory = new DAV\FS\Directory('public');
// The server object is responsible for making sense out of the WebDAV protocol
$server = new DAV\Server($rootDirectory);
// If your server is not on your webroot, make sure the following line has the
// correct information
$server->setBaseUri('server.php');
// The lock manager is reponsible for making sure users don't overwrite
// each others changes.
$lockBackend = new DAV\Locks\Backend\File('data/locks');
$lockPlugin = new DAV\Locks\Plugin($lockBackend);
$server->addPlugin($lockPlugin);
// This ensures that we get a pretty index in the browser, but it is
// optional.
$server->addPlugin(new DAV\Browser\Plugin());
// All we need to do now, is to fire up the server
$server->exec();
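Review bot: No authentication plugin is registered on this `DAV\Server`, so the `DAV\FS\Directory('public')` tree is served to any client that can reach `server.php`, and sabre's filesystem backend supports creating, overwriting and deleting nodes; the `DAV\Browser\Plugin` added just above also renders a browsable listing. If access control is intended to come from the proxy in front of this pod, state that in the comment above `$server->exec()` and make sure nothing can reach the PHP container directly; otherwise register a `DAV\Auth\Plugin` with a backend before `exec()`. `data/locks` must be writable by the web server user and should not live under `public`, or lock files become part of the served tree. This same file appears a second time further down this commit (the `+30` section after the Radicale config) with identical content; one of the two copies is presumably the leftover.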
+11
@@ -0,0 +1,11 @@
[server]
hosts = 0.0.0.0:5232
[auth]
type = http_x_remote_user
[storage]
filesystem_folder = /data/collections
[web]
type = none
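Review bot: `type = http_x_remote_user` under `[auth]` makes Radicale accept the `X-Remote-User` request header as an already-authenticated identity, and `[server]` binds `hosts = 0.0.0.0:5232`, so any client that reaches that port without going through the authenticating proxy can present whatever identity it likes in that header. This mode is only sound when the proxy strips a client-supplied `X-Remote-User` and is the only path to the listener; in the cluster that means a NetworkPolicy limiting ingress to the ingress controller (or binding to `127.0.0.1` beside a sidecar), and neither is part of this commit. Record the assumption next to the setting, e.g. `# identity is supplied by the reverse proxy; this listener must not be reachable directly`.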
+30
@@ -0,0 +1,30 @@
<?php
use
Sabre\DAV;
// The autoloader
require 'vendor/autoload.php';
// Now we're creating a whole bunch of objects
$rootDirectory = new DAV\FS\Directory('public');
// The server object is responsible for making sense out of the WebDAV protocol
$server = new DAV\Server($rootDirectory);
// If your server is not on your webroot, make sure the following line has the
// correct information
$server->setBaseUri('server.php');
// The lock manager is reponsible for making sure users don't overwrite
// each others changes.
$lockBackend = new DAV\Locks\Backend\File('data/locks');
$lockPlugin = new DAV\Locks\Plugin($lockBackend);
$server->addPlugin($lockPlugin);
// This ensures that we get a pretty index in the browser, but it is
// optional.
$server->addPlugin(new DAV\Browser\Plugin());
// All we need to do now, is to fire up the server
$server->exec();
+78 -24
@@ -1,40 +1,94 @@
{ {
SOGoProfileURL = /* ********************* Main SOGo configuration file **********************
"postgresql://sogo:sogo@127.0.0.1:5432/sogo/sogo_user_profile"; * *
OCSFolderInfoURL = * Since the content of this file is a dictionary in OpenStep plist format, *
"postgresql://sogo:sogo@127.0.0.1:5432/sogo/sogo_folder_info"; * the curly braces enclosing the body of the configuration are mandatory. *
OCSSessionsFolderURL = * See the Installation Guide for details on the format. *
"postgresql://sogo:sogo@127.0.0.1:5432/sogo/sogo_sessions_folder"; * *
SOGoAppointmentSendEMailNotifications = YES; * C and C++ style comments are supported. *
SOGoCalendarDefaultRoles = ( * *
PublicViewer, * This example configuration contains only a subset of all available *
ConfidentialDAndTViewer * configuration parameters. Please see the installation guide more details. *
); * *
SOGoLanguage = English; * ~sogo/GNUstep/Defaults/.GNUstepDefaults has precedence over this file, *
SOGoTimeZone = America/Montreal; * make sure to move it away to avoid unwanted parameter overrides. *
SOGoMailDomain = acme.com; * *
SOGoIMAPServer = 127.0.0.1; * **************************************************************************/
/* Database configuration (mysql:// or postgresql://) */
SOGoProfileURL = "postgresql://sogo:sogo@sogo-postgres:5432/sogo/sogo_user_profile";
OCSFolderInfoURL = "postgresql://sogo:sogo@sogo-postgres:5432/sogo/sogo_folder_info";
OCSSessionsFolderURL = "postgresql://sogo:sogo@sogo-postgres:5432/sogo/sogo_sessions_folder";
/* Mail */
SOGoDraftsFolderName = Drafts; SOGoDraftsFolderName = Drafts;
SOGoSentFolderName = Sent; SOGoSentFolderName = Sent;
SOGoTrashFolderName = Trash; SOGoTrashFolderName = Trash;
SOGoJunkFolderName = Junk; //SOGoIMAPServer = localhost;
SOGoMailingMechanism = smtp; //SOGoSieveServer = sieve://127.0.0.1:4190;
SOGoSMTPServer = "smtp://127.0.0.1"; //SOGoSMTPServer = smtp://domain:port/?tls=YES;
//SOGoMailDomain = acme.com;
SOGoMailingMechanis = smtp;
//SOGoForceExternalLoginWithEmail = NO;
//SOGoMailSpoolPath = /var/spool/sogo;
//NGImap4ConnectionStringSeparator = "/";
/* Notifications */
//SOGoAppointmentSendEMailNotifications = NO;
//SOGoACLsSendEMailNotifications = NO;
//SOGoFoldersSendEMailNotifications = NO;
/* Authentication */
SOGoPasswordChangeEnabled = YES;
SOGoUserSources = ( SOGoUserSources = (
{ {
type = ldap; type = ldap;
CNFieldName = cn; CNFieldName = cn;
IDFieldName = uid;
UIDFieldName = uid; UIDFieldName = uid;
baseDN = "ou=users,dc=acme,dc=com"; IDFieldName = uid; // first field of the DN for direct binds
bindDN = "uid=sogo,ou=users,dc=acme,dc=com"; bindFields = (uid, mail); // array of fields to use for indirect binds
bindPassword = qwerty; baseDN = "ou=users,{{ .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim }}";
bindDN = "cn=readonly,{{ .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim }}";
bindPassword = "{{ .homey_openldap_ro }}";
canAuthenticate = YES; canAuthenticate = YES;
displayName = "Shared Addresses"; displayName = "Shared Addresses";
hostname = 127.0.0.1; hostname = ldap://openldap:389;
id = public; id = public;
isAddressBook = YES; isAddressBook = YES;
port = 389;
} }
); );
/* Web Interface */
//SOGoPageTitle = SOGo;
SOGoVacationEnabled = YES;
SOGoForwardEnabled = YES;
SOGoSieveScriptsEnabled = YES;
//SOGoMailAuxiliaryUserAccountsEnabled = YES;
//SOGoTrustProxyAuthentication = NO;
SOGoXSRFValidationEnabled = YES;
/* General - SOGoTimeZone *MUST* be defined */
SOGoLanguage = English;
SOGoTimeZone = Asia/Jerusalem;
//SOGoCalendarDefaultRoles = (
// PublicDAndTViewer,
// ConfidentialDAndTViewer
//);
//SOGoSuperUsernames = (sogo1, sogo2); // This is an array - keep the parens!
SxVMemLimit = 384;
//WOPidFile = "/var/run/sogo/sogo.pid";
SOGoMemcachedHost = "/var/run/memcached/memcached.sock";
/* Debug */
SOGoDebugRequests = YES;
SoDebugBaseURL = YES;
ImapDebugEnabled = YES;
LDAPDebugEnabled = YES;
PGDebugEnabled = YES;
MySQL4DebugEnabled = YES;
SOGoUIxDebugEnabled = YES;
WODontZipResponse = YES;
//WOLogFile = /var/log/sogo/sogo.log;
} }
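Review bot: The new line `SOGoMailingMechanis = smtp;` misspells the key; the removed side had `SOGoMailingMechanism = smtp;`, so after this commit the setting is silently ignored and SOGo uses its built-in default mechanism instead. Restore `SOGoMailingMechanism = smtp;`. The new `/* Debug */` block enables `SOGoDebugRequests`, `LDAPDebugEnabled`, `PGDebugEnabled`, `MySQL4DebugEnabled` and `ImapDebugEnabled` unconditionally; those write request and backend traffic into the pod log in detail, which on an instance that binds to LDAP with `bindPassword = "{{ .homey_openldap_ro }}"` is more than routine logs should carry, so set them to `NO` or mark the block with a comment as a temporary bring-up aid. `SOGoXSRFValidationEnabled = YES` and leaving `SOGoTrustProxyAuthentication` commented out are consistent with SOGo doing its own LDAP login rather than trusting ingress headers, which matches the Authelia rules elsewhere in this commit.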
+10
@@ -0,0 +1,10 @@
kubectl exec -it -n homey deploy/gitea -- su - git -c "/usr/local/bin/gitea admin auth update-ldap --id=1 --name ldap --security-protocol unencrypted --host openldap --port 389 --user-search-base ou=users,dc=zakobar,dc=com --user-filter \"(&(objectClass=person)(uid=%s))\" --admin-filter \"(memberOf=CN=admins,ou=groups,dc=zakobar,dc=com)\" --email-attribute mail --bind-dn=cn=readonly,dc=zakobar,dc=com --bind-password=VqxPZHwDCkFsLWaroyb880zdH1JTCvz9"
kubectl exec -it -n homey deploy/gitea -- su - git -c "/usr/local/bin/gitea admin user delete --username aner"
gitea admin auth add-ldap --name ldap --security-protocol unencrypted --host openldap --port 389 --user-search-base ou=users,dc=zakobar,dc=com --user-filter "&(objectClass=inetOrgPerson)(uid=%s)" --email-attribute mail --bind-dn="cn=readonly,dc=zakobar,dc=com" --bind-password=VqxPZHwDCkFsLWaroyb880zdH1JTCvz9
gitea admin auth update-ldap --id=1 --name ldap --security-protocol unencrypted --host openldap --port 389 --user-search-base ou=users,dc=zakobar,dc=com --user-filter "(&(objectClass=person)(uid=%s))" --email-attribute mail --bind-dn="cn=readonly,dc=zakobar,dc=com" --bind-password=VqxPZHwDCkFsLWaroyb880zdH1JTCvz9
kubectl exec -it -n homey deploy/authelia -- /bin/bash -c "cat /var/lib/authelia/emails.txt"
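Review bot: The `--bind-password=` value on the first, third and fourth lines is the LDAP read-only bind password in plaintext, and committing this file puts it into git history for good; treat it as compromised, rotate the credential behind the `openldap-ro` Secret, and rewrite these notes to fetch it at run time instead, e.g. `--bind-password="$(kubectl get secret -n homey openldap-ro -o jsonpath='{.data.password}' | base64 -d)"` (that Secret name and its `password` key are the ones the chart's own helper looks up). The same commands use `--security-protocol unencrypted` against `openldap:389`; if plaintext LDAP inside the cluster is deliberate, a one-line comment saying so would stop the snippet from being copied to a context where it is not.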
+204
@@ -0,0 +1,204 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: jellyfin-config-pvc
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
storageClassName: longhorn
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: jellyfin-data-pvc
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 700Gi
storageClassName: longhorn
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: transmission-config-pvc
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
storageClassName: longhorn
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: jellyfin
spec:
replicas: 1
selector:
matchLabels:
app: jellyfin
template:
metadata:
labels:
app: jellyfin
spec:
containers:
- name: jellyfin
image: docker.io/jellyfin/jellyfin
imagePullPolicy: "IfNotPresent"
volumeMounts:
- name: jellyfin-volume-config
mountPath: "/config"
subPath: jellyfin/config
- name: jellyfin-volume-data
mountPath: "/data/movies"
subPath: downloads/movies
- name: jellyfin-volume-data
mountPath: "/data/tvshows"
subPath: downloads/tvshows
env:
- name: JELLYFIN_PublishedServerUrl
value: jellyfin.{{ .Values.homey.url }}
volumes:
- name: jellyfin-volume-config
persistentVolumeClaim:
claimName: jellyfin-config-pvc
- name: jellyfin-volume-data
persistentVolumeClaim:
claimName: jellyfin-data-pvc
---
apiVersion: v1
kind: Service
metadata:
name: jellyfin-web
spec:
selector:
app: jellyfin
ports:
- port: 80
targetPort: 8096
name: jellyfin-web
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: jellyfin-ingress
spec:
ingressClassName: {{ .Values.homey.ingress_class }}
tls:
- hosts:
- jellyfin.{{ .Values.homey.url }}
secretName: {{ .Values.homey.certname }}
rules:
- host: jellyfin.{{ .Values.homey.url }}
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: jellyfin-web
port:
number: 80
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: transmission
labels:
app: transmission
spec:
replicas: 1
selector:
matchLabels:
app: transmission
template:
metadata:
labels:
app: transmission
name: transmission
spec:
containers:
- name: transmission
image: linuxserver/transmission
imagePullPolicy: Always
volumeMounts:
- name: transmission-volume-config
mountPath: "/config"
subPath: transmission/config
- name: transmission-volume-data
mountPath: "/downloads/movies"
subPath: downloads/movies
- name: transmission-volume-data
mountPath: "/downloads/tvshows"
subPath: downloads/tvshows
- name: transmission-volume-data
mountPath: "/downloads/general"
subPath: downloads/general
- name: transmission-volume-data
mountPath: "/downloads/complete"
subPath: downloads/complete
volumes:
- name: transmission-volume-config
persistentVolumeClaim:
claimName: transmission-config-pvc
- name: transmission-volume-data
persistentVolumeClaim:
claimName: jellyfin-data-pvc
---
apiVersion: v1
kind: Service
metadata:
name: transmission-web
spec:
selector:
app: transmission
ports:
- port: 80
targetPort: 9091
name: transmission-web
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: torrent
annotations:
kubernetes.io/ingress.allow-http: "false"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/auth-method: GET
nginx.ingress.kubernetes.io/auth-url: http://authelia.{{ .Release.Namespace }}.svc.cluster.local:9091/api/verify
nginx.ingress.kubernetes.io/auth-signin: https://auth.{{ .Values.homey.url }}?rm=$request_method
nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
nginx.ingress.kubernetes.io/auth-snippet: |
proxy_set_header X-Forwarded-Method $request_method;
auth_request_set $user $upstream_http_remote_user;
auth_request_set $groups $upstream_http_remote_groups;
auth_request_set $name $upstream_http_remote_name;
auth_request_set $email $upstream_http_remote_email;
proxy_set_header X-Webauth-User $user;
proxy_set_header X-Webauth-Fullname $name;
proxy_set_header X-Webauth-Email $email;
spec:
ingressClassName: {{ .Values.homey.ingress_class }}
tls:
- hosts:
- torrent.{{ .Values.homey.url }}
secretName: {{ .Values.homey.certname }}
rules:
- host: torrent.{{ .Values.homey.url }}
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: transmission-web
port:
number: 80
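Review bot: The `torrent` Ingress relies on `nginx.ingress.kubernetes.io/auth-snippet` (the baikal, davical and nextcloud sections later in this commit use the same pattern), but ingress-nginx has defaulted to `allow-snippet-annotations: false` since v1.9, so on a default-configured controller an Ingress carrying a snippet annotation is rejected (older versions ignore it) and none of the `auth_request_set`/`proxy_set_header` lines reach nginx; confirm the controller ConfigMap enables snippets, or rely on `auth-response-headers` alone, which already forwards `Remote-User` and friends. The snippet's `X-Webauth-User`/`X-Webauth-Fullname`/`X-Webauth-Email` headers are not, as far as I know, consumed by Transmission, so if they are intended for something else say so in a comment. Both `docker.io/jellyfin/jellyfin` and `linuxserver/transmission` are untagged; with `imagePullPolicy: "IfNotPresent"` on jellyfin each node keeps whichever `latest` it first pulled, so pin a tag or digest, e.g. `image: docker.io/jellyfin/jellyfin:<PINNED_TAG>`.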
+24
@@ -0,0 +1,24 @@
---
{{- define "homey.auth.ingress.annotations" }}
# nginx.ingress.kubernetes.io/auth-signin: "https://auth.zakobar.com"
nginx.ingress.kubernetes.io/auth-url: "http://ldap-auth-internal.{{ .Release.Namespace }}.svc.cluster.local:80"
nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Email
nginx.ingress.kubernetes.io/location-snippets: |-
auth_request /auth
nginx.ingress.kubernetes.io/configuration-snippet: |-
location /auth {
# proxy_pass http://ldap-auth-internal;
proxy_pass_request_body off;
#THIS NEEDS TO BE SET BY ACTUAL SOMETHING LOGIN SHIT
# proxy_set_header X-Target http://ldap-auth-internal.{{ .Release.Namespace }}.svc.cluster.local:80;
proxy_set_header X-Ldap-URL "ldap://openldap";
proxy_set_header X-Ldap-BaseDN "ou=users,{{ .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim }}";
proxy_set_header X-Ldap-BindDN "cn=readonly,{{ .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim }}";
proxy_set_header X-Ldap-BindPass {{ (get (get (lookup "v1" "Secret" .Release.Namespace "openldap-ro") "data") "password") | b64dec | quote}};
proxy_set_header X-CookieName "homey.auth.cookie";
proxy_set_header Cookie $cookie_homey.auth.cookie;
proxy_set_header X-Remote-User $remote_user;
proxy_set_header X-Forwarded-Method $request_method;
proxy_set_header X-Ldap-Template "(uid=%(username)s)";
}
{{- end }}
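Review bot: `proxy_set_header X-Ldap-BindPass {{ ... lookup ... "openldap-ro" ... | b64dec | quote }}` writes the decoded LDAP bind password into an Ingress annotation, so it is readable by anyone with `get ingress` in the namespace, shows up in `kubectl describe`, `helm get manifest` and the generated nginx.conf, and is sent on every request to the auth daemon; `lookup` also returns nothing under `helm template`/`--dry-run`, leaving the header empty there. Give the daemon behind `ldap-auth-internal` the bind credential through its own configuration (a Secret mounted into that pod) and keep the annotation to URL, BaseDN and template only. `proxy_set_header Cookie $cookie_homey.auth.cookie;` probably does not do what the name suggests: nginx variable names stop at the first character outside `[A-Za-z0-9_]`, so this expands `$cookie_homey` followed by the literal `.auth.cookie`; if the daemon needs dotted cookie names, confirm that, otherwise rename the cookie (e.g. `homey_auth_cookie`) and reference `$cookie_homey_auth_cookie`. The define opens with a stray `---` on the line above it, which is harmless in a `_helpers`-style file but worth removing for clarity.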
+117
@@ -0,0 +1,117 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: baikal-data-pvc
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
storageClassName: longhorn
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: baikal-config-pvc
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
storageClassName: longhorn
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: baikal
labels:
app: baikal
spec:
replicas: 1
selector:
matchLabels:
app: baikal
template:
metadata:
labels:
app: baikal
spec:
containers:
- name: baikal
image: ckulka/baikal
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
name: dav
volumeMounts:
- name: config
mountPath: /var/www/baikal/config
subPath: config
- name: data
mountPath: /var/www/baikal/Specific
subPath: Specific
restartPolicy: Always
volumes:
- name: data
persistentVolumeClaim:
claimName: baikal-data-pvc
- name: config
persistentVolumeClaim:
claimName: baikal-config-pvc
---
apiVersion: v1
kind: Service
metadata:
name: baikal
spec:
selector:
app: baikal
ports:
- name: dav
protocol: TCP
port: 80
targetPort: 80
selector:
app: baikal
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: baikal
annotations:
kubernetes.io/ingress.allow-http: "false"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/auth-method: GET
nginx.ingress.kubernetes.io/auth-url: http://authelia.{{ .Release.Namespace }}.svc.cluster.local:9091/api/verify
nginx.ingress.kubernetes.io/auth-signin: https://auth.{{ .Values.homey.url }}?rm=$request_method
nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
nginx.ingress.kubernetes.io/auth-snippet: |
proxy_set_header X-Forwarded-Method $request_method;
auth_request_set $user $upstream_http_remote_user;
auth_request_set $groups $upstream_http_remote_groups;
auth_request_set $name $upstream_http_remote_name;
auth_request_set $email $upstream_http_remote_email;
proxy_set_header X-Remote-User $user;
proxy_set_header X-Remote-Fullname $name;
proxy_set_header X-Remote-Email $email;
spec:
ingressClassName: {{ .Values.homey.ingress_class }}
tls:
- hosts:
- dav.{{ .Values.homey.url }}
secretName: {{ .Values.homey.certname }}
rules:
- host: dav.{{ .Values.homey.url }}
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: baikal
port:
number: 80
---
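Review bot: The `baikal` Service has `selector:` twice, once before `ports:` and once after it; duplicate mapping keys are invalid YAML and loaders either reject the document or silently keep the last occurrence, so remove the second `selector:`/`app: baikal` pair. The same duplication appears in the `davical` and `gitea-svc` Services later in this commit. The Ingress `auth-snippet` forwards `X-Remote-User`, `X-Remote-Fullname` and `X-Remote-Email` to Baikal; whether Baikal honours a proxy-supplied identity depends on its config, which is not in this commit, but if it does, the `baikal` Service on port 80 is also reachable from any pod in the namespace without passing the Ingress, so add a NetworkPolicy on `app: baikal` limiting ingress to the controller. `ckulka/baikal` is untagged with `imagePullPolicy: IfNotPresent`; pin a tag.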
+71
@@ -0,0 +1,71 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: baikal
labels:
app: baikal
spec:
replicas: 1
selector:
matchLabels:
app: baikal
template:
metadata:
labels:
app: baikal
spec:
containers:
- name: baikal
image: ckulka/baikal
ports:
- name: dav
containerPort: 80
protocol: TCP
volumeMounts:
- name: baikal-volume
mountPath: /var/www/baikal/Specific
subPath: baikal/data
- name: baikal-volume
mountPath: /var/www/baikal/config
subPath: baikal/config
restartPolicy: Always
volumes:
- name: baikal-volume
persistentVolumeClaim:
claimName: homey-pvc-longhorn
---
apiVersion: v1
kind: Service
metadata:
name: baikal
spec:
ports:
- name: dav
targetPort: 80
port: 80
selector:
app: baikal
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: baikal
spec:
ingressClassName: {{ .Values.homey.ingress_class }}
tls:
- hosts:
- dav.{{ .Values.homey.url }}
secretName: {{ .Values.homey.certname }}
rules:
- host: dav.{{ .Values.homey.url }}
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: baikal
port:
name: dav
---
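Review bot: This second manifest defines a Deployment, a Service and an Ingress all named `baikal` for host `dav.{{ .Values.homey.url }}`, which collide with the resources of the same kind and name in the earlier baikal section, and the `davical` Ingress in the next section routes the same `dav.` host; if all three files are rendered by the same chart, whichever definition is applied last wins for the duplicated names, and ingress-nginx serves the `dav.` host from only one Ingress while logging a conflict for the others. The commit message calls part of this snapshot "unused garbage"; if this file is the old copy, delete it or move it out of the rendered template directory rather than leaving it applyable, and if it is meant to stay, rename the resources and give them a distinct host. Note that this copy has no authentication annotations and mounts `homey-pvc-longhorn` instead of the dedicated PVCs, so the two baikal manifests are not interchangeable.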
+213
@@ -0,0 +1,213 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: davical-postgres-pvc
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
storageClassName: longhorn
---
{{- $_ := set $ "homey_davical_postgres_pass" (include "homey.lookuporgensecret" (merge (dict "secretname" "davical-postgres-pass") $))}}
{{ include "homey.randomsecret" (merge (dict "secretname" "davical-postgres-pass" "secretval" .homey_davical_postgres_pass) $) }}
---
# apiVersion: extensions/v1beta1
apiVersion: v1
kind: ConfigMap
metadata:
name: davical-postgres-config
labels:
app: davical-postgres
data:
POSTGRES_DB: postgres
POSTGRES_USER: postgres
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: davical-postgres
labels:
app: davical-postgres
spec:
replicas: 1
selector:
matchLabels:
app: davical-postgres
template:
metadata:
labels:
app: davical-postgres
name: davical-postgres
spec:
containers:
- name: davical-postgres
image: postgres
imagePullPolicy: "IfNotPresent"
ports:
- containerPort: 5432
envFrom:
- configMapRef:
name: davical-postgres-config
env:
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: davical-postgres-pass
key: password
volumeMounts:
- mountPath: /var/lib/postgresql/data
subPath: data
name: davical-postgredb
volumes:
- name: davical-postgredb
persistentVolumeClaim:
claimName: davical-postgres-pvc
---
apiVersion: v1
kind: Service
metadata:
name: davical-postgres
labels:
app: davical-postgres
spec:
ports:
- port: 5432
selector:
app: davical-postgres
---
{{- $_ := set $ "homey_davical_admin_pass" (include "homey.lookuporgensecret" (merge (dict "secretname" "davical-admin-pass") $))}}
{{ include "homey.randomsecret" (merge (dict "secretname" "davical-admin-pass" "secretval" .homey_davical_admin_pass) $) }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: davical-conf
data:
config.php: |-
{{ tpl (.Files.Get "files/davical-config.php" | indent 4) . }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: davical
labels:
app: davical
spec:
replicas: 1
selector:
matchLabels:
app: davical
template:
metadata:
labels:
app: davical
spec:
containers:
- name: davical
image: anerisgreat/davical-multiarch-docker:latest
imagePullPolicy: "Always"
ports:
- containerPort: 80
name: dav
env:
- name: PGHOST
value: "davical-postgres"
- name: PGUSER
value: "postgres"
- name: PGPASSWORD
valueFrom:
secretKeyRef:
name: davical-postgres-pass
key: password
- name: PGDATABASE
value: "davical"
- name: PGPORT
value: "5432"
- name: HOST_NAME
value:
"dav.{{ .Values.homey.url }}"
- name: DAVICAL_ADMIN_PASS
valueFrom:
secretKeyRef:
name: davical-admin-pass
key: password
- name: ROOT_PGUSER
value: "postgres"
- name: ROOT_PGPASSWORD
valueFrom:
secretKeyRef:
name: davical-postgres-pass
key: password
- name: RUN_MIGRATIONS_AT_STARTUP
value: "true"
volumeMounts:
- name: davical-conf
mountPath: /etc/davical/config.php
subPath: config.php
readOnly: true
volumes:
- name: davical-conf
configMap:
name: davical-conf
items:
- key: config.php
path: config.php
---
apiVersion: v1
kind: Service
metadata:
name: davical
spec:
selector:
app: davical
ports:
- name: dav
protocol: TCP
port: 80
targetPort: 80
selector:
app: davical
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: davical
annotations:
kubernetes.io/ingress.allow-http: "false"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/auth-method: GET
nginx.ingress.kubernetes.io/auth-url: http://authelia.{{ .Release.Namespace }}.svc.cluster.local:9091/api/verify
nginx.ingress.kubernetes.io/auth-signin: https://auth.{{ .Values.homey.url }}?rm=$request_method
nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
nginx.ingress.kubernetes.io/auth-snippet: |
proxy_set_header X-Forwarded-Method $request_method;
auth_request_set $user $upstream_http_remote_user;
auth_request_set $groups $upstream_http_remote_groups;
auth_request_set $name $upstream_http_remote_name;
auth_request_set $email $upstream_http_remote_email;
proxy_set_header Remote-User $user;
proxy_set_header Remote-Fullname $name;
proxy_set_header Remote-Email $email;
proxy_set_header Redirect-Remote-User $user;
proxy_set_header Redirect-Remote-Fullname $name;
proxy_set_header Redirect-Remote-Email $email;
spec:
ingressClassName: {{ .Values.homey.ingress_class }}
tls:
- hosts:
- dav.{{ .Values.homey.url }}
secretName: {{ .Values.homey.certname }}
rules:
- host: dav.{{ .Values.homey.url }}
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: davical
port:
number: 80
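Review bot: The `davical` Ingress `auth-snippet` injects `Remote-User`, `Remote-Fullname`, `Remote-Email` and their `Redirect-*` twins into the upstream request, which only matters if `config.php` (pulled in via `.Files.Get "files/davical-config.php"`, not in this view) tells DAViCal to trust them; if it does, the `davical` Service on port 80 is reachable from any pod in the namespace without the Ingress, so a NetworkPolicy limiting ingress to the controller is what keeps that trust sound, and a comment on the Service should say so. `ROOT_PGUSER: "postgres"` plus `ROOT_PGPASSWORD` from `davical-postgres-pass` hand the application the database superuser, so `RUN_MIGRATIONS_AT_STARTUP: "true"` runs as that role on every start; if that is intended, say so, otherwise switch to a dedicated role after first run. `image: anerisgreat/davical-multiarch-docker:latest` with `imagePullPolicy: "Always"` re-pulls an unpinned tag on every restart; pin a tag or digest. The `davical` Service also repeats `selector:` twice.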
+131
@@ -0,0 +1,131 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: gitea-pvc
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 5Gi
storageClassName: longhorn
---
{{- $_ := set $ "homey_gitea_admin_pass" (include "homey.lookuporgensecret" (merge (dict "secretname" "gitea-admin-pass") $))}}
{{ include "homey.randomsecret" (merge (dict "secretname" "gitea-admin-pass" "secretval" .homey_gitea_admin_pass) $) }}
---
{{- $_ := set $ "homey_gitea_lfs_jwt_secret" (include "homey.lookuporgensecret" (merge (dict "secretname" "gitea-lfs-jwt-secret") $))}}
{{ include "homey.randomsecret" (merge (dict "secretname" "gitea-lfs-jwt-secret" "secretval" .homey_gitea_lfs_jwt_secret) $) }}
---
{{- $_ := set $ "homey_gitea_oauth2_jwt_secret" (include "homey.lookuporgensecret" (merge (dict "secretname" "gitea-oauth2-jwt-secret") $))}}
{{ include "homey.randomsecret" (merge (dict "secretname" "gitea-oauth2-jwt-secret" "secretval" .homey_gitea_oauth2_jwt_secret) $) }}
---
apiVersion: v1
kind: Secret
metadata:
name: gitea-random-internal-token
annotations:
"helm.sh/resource-policy": "keep"
type: Opaque
data:
{{- $secretObj := (lookup "v1" "Secret" .Release.Namespace "gitea-random-internal-token") | default dict -}}
{{- $secretData := (get $secretObj "data") | default dict -}}
{{- $pass := (get $secretData "password") | default (randAlphaNum 100 | b64enc) -}}
{{- $_ := set $ "homey_gitea_random_internal_token" ($pass | b64dec) }}
password: {{ $pass | quote }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: gitea-conf
data:
app.ini: |-
{{ tpl (.Files.Get "files/gitea-app.ini" | indent 4) . }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: gitea
spec:
replicas: 1
selector:
matchLabels:
app: gitea
template:
metadata:
labels:
app: gitea
spec:
containers:
- name: gitea
image: gitea/gitea:latest
ports:
- containerPort: 3000
name: http
volumeMounts:
- name: gitea-persistent-storage
mountPath: /data
subPath: gitea/gitea/data
- name: gitea-conf
mountPath: /data/gitea/conf/app.ini
subPath: app.ini
readOnly: true
# startProbe:
# httpGet:
# path: /
# port: 3000
# initialDelaySeconds: 15
# lifecycle:
# postStart:
# exec:
# {{- set $gitea-cmd (printf "gitea admin auth add-ldap --name ldap --security-protocol unencrypted --host ldap --port 389 --user-search-base ou=users,%s --user-filter \\\"(&(objectClass=inetOrgPerson)(|(uid=\%[1]s)(mail=\%[1]s)))\\\" --email-attribute mail --bind-dn=\\\"cn=readonly,%s\\\" --bind-password=\\\"%s\\\"" ( .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim) () (.homey_openldap_ro | replace "\"" ""))}}
# command: ["/bin/sh", "-c", "{{cmd}}"]
volumes:
- name: gitea-persistent-storage
persistentVolumeClaim:
claimName: gitea-pvc
- name: gitea-conf
configMap:
name: gitea-conf
items:
- key: app.ini
path: app.ini
---
apiVersion: v1
kind: Service
metadata:
name: gitea-svc
spec:
selector:
app: gitea
ports:
- name: http-port
protocol: TCP
port: 3000
targetPort: http
selector:
app: gitea
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: gitea-ingress
spec:
ingressClassName: {{ .Values.homey.ingress_class }}
tls:
- hosts:
- git.{{ .Values.homey.url }}
secretName: {{ .Values.homey.certname }}
rules:
- host: git.{{ .Values.homey.url }}
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: gitea-svc
port:
number: 3000
---
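Review bot: The commented-out `lifecycle:` block still contains live template actions, `{{- set $gitea-cmd (printf ...) }}` and `"{{cmd}}"`, and Helm evaluates `{{ }}` before YAML ever sees the `#`, so if this file is rendered the release most likely fails at template parse time (`$gitea-cmd` is not a valid variable reference and `cmd` is not defined); wrap the block in a template comment, `{{/* ... */}}`, or delete it. The `gitea-random-internal-token` Secret is assembled inline with `lookup`/`randAlphaNum` while the other secrets in this section go through `homey.randomsecret`; using the helper here too keeps generation and the `helm.sh/resource-policy: keep` handling in one place. `image: gitea/gitea:latest` should be pinned, and the `gitea-svc` Service repeats `selector:` twice, which a strict YAML loader rejects.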
+92
@@ -0,0 +1,92 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: jellyfin-config-pvc
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 100Gi
storageClassName: longhorn
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: jellyfin-data-pvc
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 700Gi
storageClassName: longhorn
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: jellyfin
spec:
replicas: 1
selector:
matchLabels:
app: jellyfin
template:
metadata:
labels:
app: jellyfin
spec:
containers:
- name: jellyfin
image: docker.io/jellyfin/jellyfin
volumeMounts:
- name: jellyfin-volume-config
mountPath: "/config"
subPath: jellyfin/config
- name: jellyfin-volume-data
mountPath: "/data/movies"
subPath: downloads/movies
- name: jellyfin-volume-data
mountPath: "/data/tvshows"
subPath: downloads/tvshows
- env:
- name: JELLYFIN_PublishedServerUrl
value: jellyfin.{{ .Values.homey.url }}
volumes:
- name: jellyfin-volume-config
persistentVolumeClaim:
claimName: jellyfin-config-pvc
- name: jellyfin-volume-data
persistentVolumeClaim:
claimName: jellyfin-data-pvc
---
apiVersion: v1
kind: Service
metadata:
name: jellyfin-web
namespace: homecenter
spec:
selector:
app: jellyfin
ports:
- port: 80
targetPort: 8096
name: jellyfin-web
---
ingressClassName: {{ .Values.homey.ingress_class }}
tls:
- hosts:
- jellyfin.{{ .Values.homey.url }}
secretName: {{ .Values.homey.certname }}
rules:
- host: jellyfin.{{ .Values.homey.url }}
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: jellyfin-web
port:
number: 80
---
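Review bot: `- env:` at the end of the `containers:` list opens a second container entry that has only `env`, with no `name` (required) and no `image`, so this Deployment is rejected by the API server; it should be `env:` at the same level as `volumeMounts:` inside the `jellyfin` container, which is how the other jellyfin manifest in this commit has it. The final document after `---` begins at `ingressClassName:` with no `apiVersion`/`kind`/`metadata`, so it is not a resource at all, while the other copy carries the full `Ingress` header. `namespace: homecenter` on the Service is hard-coded where everything else in the chart uses the release namespace; drop it. Given the commit message this file reads as the stale copy of the jellyfin manifest; if so, remove it rather than carry an invalid manifest in the rendered template directory.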
+70
@@ -0,0 +1,70 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: ldap-auth
labels:
app: ldap-auth
spec:
replicas: 1
selector:
matchLabels:
app: ldap-auth
template:
metadata:
labels:
app: ldap-auth
name: ldap-auth
spec:
containers:
- name: ldap-auth
image: linuxserver/ldap-auth
imagePullPolicy: Always
---
#https://stackoverflow.com/questions/51149921/how-to-authenticate-nginx-with-ldap
apiVersion: v1
kind: Service
metadata:
name: ldap-auth
spec:
selector:
app: ldap-auth
ports:
- port: 80
targetPort: 9000
---
apiVersion: v1
kind: Service
metadata:
name: ldap-auth-internal
spec:
selector:
app: ldap-auth
ports:
- port: 80
targetPort: 8888
---
# apiVersion: networking.k8s.io/v1
# kind: Ingress
# metadata:
# name: ldap-auth-ingress
# annotations:
# spec:
# ingressClassName: {{ .Values.homey.ingress_class }}
# tls:
# - hosts:
# - auth.{{ .Values.homey.url }}
# secretName: {{ .Values.homey.certname }}
# rules:
# - host: auth.{{ .Values.homey.url }}
# http:
# paths:
# - path: /
# pathType: Prefix
# backend:
# service:
# name: ldap-auth
# port:
# number: 80
# ---
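Review bot: The `ldap-auth-internal` Service (port 80 → 8888) exposes the auth daemon to every pod in the namespace, and, as the helper template earlier in this commit shows, the daemon takes its LDAP URL, base DN, bind DN and bind password from request headers, so it is effectively a header-driven LDAP client for anything that can reach it. Limit that surface to the ingress controller with a NetworkPolicy on `app: ldap-auth` and note the intent in a comment above the Service, e.g. `# only the ingress controller may call this; identity headers are trusted`. `linuxserver/ldap-auth` is untagged with `imagePullPolicy: Always`; pin a tag. The commented-out Ingress is dead config and would be clearer removed, and the `#https://stackoverflow.com/...` reference belongs above the `---` of the document it explains, with a space after `#`.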
+206
@@ -0,0 +1,206 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-pvc
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 30Gi
storageClassName: longhorn
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-postgres-pvc
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 5Gi
storageClassName: longhorn
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-data-pvc
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 30Gi
storageClassName: longhorn
---
apiVersion: v1
kind: Secret
metadata:
name: nextcloud-postgres-pass
annotations:
"helm.sh/resource-policy": "keep"
type: Opaque
data:
{{- $secretObj := (lookup "v1" "Secret" .Release.Namespace "nextcloud-postgres-pass") | default dict }}
{{- $secretData := (get $secretObj "data") | default dict }}
{{- $pass := (get $secretData "password") | default (randAlphaNum 32 | b64enc) }}
password: {{ $pass | quote }}
---
# apiVersion: extensions/v1beta1
apiVersion: v1
kind: ConfigMap
metadata:
name: nextcloud-postgres-config
labels:
app: nextcloud-postgres
data:
POSTGRES_DB: nextcloud_db
POSTGRES_USER: postgres
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nextcloud-postgres
labels:
app: nextcloud-postgres
spec:
replicas: 1
selector:
matchLabels:
app: nextcloud-postgres
template:
metadata:
labels:
app: nextcloud-postgres
name: nextcloud-postgres
spec:
containers:
- name: nextcloud-postgres
image: postgres
imagePullPolicy: "IfNotPresent"
ports:
- containerPort: 5432
envFrom:
- configMapRef:
name: nextcloud-postgres-config
env:
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: nextcloud-postgres-pass
key: password
volumeMounts:
- mountPath: /var/lib/postgresql/data
subPath: nextcloud/db
name: nextcloud-postgredb
volumes:
- name: nextcloud-postgredb
persistentVolumeClaim:
claimName: nextcloud-postgres-pvc
---
apiVersion: v1
kind: Service
metadata:
name: nextcloud-postgres
labels:
app: nextcloud-postgres
spec:
ports:
- port: 5432
selector:
app: nextcloud-postgres
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nextcloud
labels:
app: nextcloud
spec:
replicas: 1
selector:
matchLabels:
app: nextcloud
template:
metadata:
labels:
app: nextcloud
name: nextcloud
spec:
containers:
- name: nextcloud
image: nextcloud
imagePullPolicy: Always
volumeMounts:
- name: nextcloud-volume
mountPath: "/var/www/html"
subPath: nextcloud/html
- name: nextcloud-media
mountPath: "/var/www/html/data"
subPath: nextcloud/html/data
envFrom:
- configMapRef:
name: nextcloud-postgres-config
env:
- name: POSTGRES_HOST
value: "nextcloud-postgres"
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: nextcloud-postgres-pass
key: password
- name: OVERWRITEPROTOCOL
value: "https"
volumes:
- name: nextcloud-volume
persistentVolumeClaim:
claimName: nextcloud-pvc
- name: nextcloud-media
persistentVolumeClaim:
claimName: nextcloud-data-pvc
---
apiVersion: v1
kind: Service
metadata:
name: nextcloud
spec:
selector:
app: nextcloud
ports:
- port: 80
targetPort: 80
name: nextcloud
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: nextcloud-ingress
annotations:
nginx.ingress.kubernetes.io/proxy-body-size: 5g
nginx.ingress.kubernetes.io/server-snippet: |
# Make a regex exception for `/.well-known` so that clients can still
# access it despite the existence of the regex rule
# `location ~ /(\.|autotest|...)` which would otherwise handle requests
# for `/.well-known`.
location = /.well-known/carddav { return 301 https://nextcloud.zakobar.com/remote.php/dav/; }
location = /.well-known/caldav { return 301 https://nextcloud.zakobar.com/remote.php/dav/; }
spec:
ingressClassName: {{ .Values.homey.ingress_class }}
tls:
- hosts:
- nextcloud.{{ .Values.homey.url }}
secretName: {{ .Values.homey.certname }}
rules:
- host: nextcloud.{{ .Values.homey.url }}
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: nextcloud
port:
number: 80
---
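Review bot: The `server-snippet` redirects for `/.well-known/carddav` and `/.well-known/caldav` hard-code `https://nextcloud.zakobar.com/...` while the host on the same Ingress is templated as `nextcloud.{{ .Values.homey.url }}`, so any deployment with a different `homey.url` sends CalDAV/CardDAV clients to the wrong origin; use `https://nextcloud.{{ .Values.homey.url }}/remote.php/dav/`, or a relative `return 301 /remote.php/dav/;`, which nginx resolves against the request host. `nextcloud-postgres-pass` is generated inline with `lookup`/`randAlphaNum` while the davical and paperless sections use the `homey.randomsecret` helper for the same job; prefer the helper for consistency. `OVERWRITEPROTOCOL: "https"` is set but `TRUSTED_PROXIES` is not, so Nextcloud sees the ingress controller's pod address as the client in its logs and brute-force protection; set `TRUSTED_PROXIES` to the controller's CIDR. `image: nextcloud` with `imagePullPolicy: Always` is unpinned; pin at least a major tag.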
+230
@@ -0,0 +1,230 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: paperless-pvc
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 50Gi
storageClassName: longhorn
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: paperless-redis
spec:
replicas: 1
selector:
matchLabels:
app: paperless-redis
template:
metadata:
labels:
app: paperless-redis
spec:
containers:
- name: paperless
image: redis
imagePullPolicy: "IfNotPresent"
ports:
- containerPort: 6379
name: redis
volumeMounts:
- name: paperless-volume
mountPath: "/data"
subPath: paperless/redis-data
volumes:
- name: paperless-volume
persistentVolumeClaim:
claimName: paperless-pvc
---
apiVersion: v1
kind: Service
metadata:
name: paperless-redis
spec:
selector:
app: paperless-redis
ports:
- port: 80
targetPort: 8000
name: paperless-web
---
{{- $_ := set $ "homey_paperless_postgres_pass" (include "homey.lookuporgensecret" (merge (dict "secretname" "paperless-postgres-pass") $))}}
{{ include "homey.randomsecret" (merge (dict "secretname" "paperless-postgres-pass" "secretval" .homey_paperless_postgres_pass) $) }}
---
apiVersion: v1
kind: ConfigMap
metadata:
name: paperless-postgres-config
labels:
app: paperless-postgres
data:
POSTGRES_DB: paperless
POSTGRES_USER: paperless
POSTGRES_PASSWORD: paperless
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: paperless-postgres
labels:
app: paperless-postgres
spec:
replicas: 1
selector:
matchLabels:
app: paperless-postgres
template:
metadata:
labels:
app: paperless-postgres
name: paperless-postgres
spec:
containers:
- name: paperless-postgres
image: postgres
imagePullPolicy: "IfNotPresent"
ports:
- containerPort: 5432
envFrom:
- configMapRef:
name: paperless-postgres-config
volumeMounts:
- mountPath: /var/lib/postgresql/data
subPath: paperless/db
name: paperless-volume
volumes:
- name: paperless-volume
persistentVolumeClaim:
claimName: paperless-pvc
---
apiVersion: v1
kind: Service
metadata:
name: paperless-postgres
labels:
app: paperless-postgres
spec:
ports:
- port: 5432
selector:
app: paperless-postgres
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: paperless
spec:
replicas: 1
selector:
matchLabels:
app: paperless
template:
metadata:
labels:
app: paperless
spec:
containers:
- name: paperless
image: ghcr.io/paperless-ngx/paperless-ngx:latest
imagePullPolicy: "IfNotPresent"
ports:
- containerPort: 8000
name: paperless-web
volumeMounts:
- name: paperless-volume
mountPath: "/usr/src/paperless/data"
subPath: paperless/data
- name: paperless-volume
mountPath: "/usr/src/paperless/media"
subPath: paperless/media
- name: paperless-volume
mountPath: "/usr/src/paperless/export"
subPath: paperless/export
- name: paperless-volume
mountPath: "/usr/src/paperless/consume"
subPath: paperless/consume
env:
- name: PAPERLESS_REDIS
value: redis://paperless-redis:6379
- name: PAPERLESS_DBHOST
value: paperless-postgres
- name: PAPERLESS_DEBUG
value: "true"
- name: PAPERLESS_ENABLE_HTTP_REMOTE_USER
value: "true"
- name: PAPERLESS_ENABLE_HTTP_REMOTE_USER_API
value: "true"
- name: PAPERLESS_DISABLE_REGULAR_LOGIN
value: "true"
- name: PAPERLESS_LOGOUT_REDIRECT_URL
value: "https://auth.{{ .Values.homey.url }}/logout"
- name: PAPERLESS_URL
value: "https://paperless.{{ .Values.homey.url }}"
- name: PAPERLESS_DBPASSWORD
valueFrom:
secretKeyRef:
name: paperless-postgres-pass
key: password
volumes:
- name: paperless-volume
persistentVolumeClaim:
claimName: paperless-pvc
---
apiVersion: v1
kind: Service
metadata:
name: paperless-web
labels:
app: paperless-web
spec:
selector:
app: paperless
ports:
- port: 80
targetPort: 8000
name: paperless-web
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: paperless-ingress
annotations:
kubernetes.io/ingress.allow-http: "false"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/auth-method: GET
nginx.ingress.kubernetes.io/auth-url: http://authelia.{{ .Release.Namespace }}.svc.cluster.local:9091/api/verify
nginx.ingress.kubernetes.io/auth-signin: https://auth.{{ .Values.homey.url }}?rm=$request_method
nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
nginx.ingress.kubernetes.io/auth-snippet: |
proxy_set_header X-Forwarded-Method $request_method;
auth_request_set $user $upstream_http_remote_user;
auth_request_set $groups $upstream_http_remote_groups;
auth_request_set $name $upstream_http_remote_name;
auth_request_set $email $upstream_http_remote_email;
proxy_set_header REMOTE_USER $remote_user;
proxy_set_header REMOTE_EMAIL $email;
proxy_set_header REMOTE_NAME $name;
spec:
ingressClassName: {{ .Values.homey.ingress_class }}
tls:
- hosts:
- paperless.{{ .Values.homey.url }}
secretName: {{ .Values.homey.certname }}
rules:
- host: paperless.{{ .Values.homey.url }}
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: paperless-web
port:
number: 80
---
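Review bot: The `paperless-redis` Service exposes `port: 80` → `targetPort: 8000` named `paperless-web`, but its pod only listens on `containerPort: 6379` and the app is pointed at `redis://paperless-redis:6379`, so the broker is unreachable through the Service; it should read `- port: 6379`, `targetPort: 6379`, `name: redis`. Separately, `paperless-postgres-config` hard-codes `POSTGRES_PASSWORD: paperless` in a ConfigMap while the app reads `PAPERLESS_DBPASSWORD` from the generated `paperless-postgres-pass` Secret, so the database is initialised with one password and the application connects with another; give the postgres container `POSTGRES_PASSWORD` via the same `secretKeyRef` and drop the plaintext value from the ConfigMap (the nextcloud Deployment above already follows that pattern). In the auth-snippet, `proxy_set_header REMOTE_USER $remote_user;` uses nginx's built-in Basic-auth variable rather than the `$user` captured by `auth_request_set` a few lines earlier, so the header Paperless is told to trust via `PAPERLESS_ENABLE_HTTP_REMOTE_USER` is empty (and dropped); use `$user`, or rely on the `Remote-User` header the `auth-response-headers` annotation already forwards. `PAPERLESS_DEBUG: "true"` should not ship in the deployed manifest. Because remote-user mode makes the app trust whatever `Remote-User` arrives and `paperless-web` is a plain ClusterIP Service reachable from any pod without passing the Ingress, a NetworkPolicy limiting its ingress to the controller is the matching control — the same applies to the radicale and baikal Services in the following sections, whose apps receive `X-Remote-User`.
```yaml
# … unchanged: paperless-redis Service metadata and selector …
  ports:
    - port: 6379
      targetPort: 6379
      name: redis
# … unchanged: paperless-postgres Deployment down to envFrom …
          envFrom:
            - configMapRef:
                name: paperless-postgres-config
          env:
            - name: POSTGRES_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: paperless-postgres-pass
                  key: password
# … unchanged: volumeMounts, volumes … (and remove POSTGRES_PASSWORD from the ConfigMap)
```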
+122
@@ -0,0 +1,122 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: radicale-pvc
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
storageClassName: longhorn
---
apiVersion: v1
kind: ConfigMap
metadata:
name: radicale-conf
labels:
app: radicale
data:
config: |-
{{ tpl (.Files.Get "files/radicale-configmap.ini" | indent 4) . }}
---
{{- $_ := set $ "homey_radicale_basic_auth" (include "homey.lookuporgensecret" (merge (dict "secretname" "radicale-basic-auth") $))}}
{{ include "homey.randomsecret" (merge (dict "secretname" "radicale-basic-auth" "secretval" .homey_radicale_basic_auth) $) }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: radicale
labels:
app: radicale
spec:
replicas: 1
selector:
matchLabels:
app: radicale
template:
metadata:
labels:
app: radicale
spec:
containers:
- name: radicale
image: tomsquest/docker-radicale
imagePullPolicy: IfNotPresent
ports:
- name: dav
containerPort: 5232
protocol: TCP
volumeMounts:
- name: collections
mountPath: /data/collections
- name: config
mountPath: /config/config
subPath: config
readOnly: true
restartPolicy: Always
volumes:
- name: collections
persistentVolumeClaim:
claimName: radicale-pvc
- name: config
configMap:
name: radicale-conf
---
apiVersion: v1
kind: Service
metadata:
name: radicale
labels:
app.kubernetes.io/name: radicale
spec:
type: ClusterIP
ports:
- name: dav
port: 5232
targetPort: 5232
- name: http
port:80
targetPort: 80
selector:
app.kubernetes.io/name: radicale
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: radicale
annotations:
kubernetes.io/ingress.allow-http: "false"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/auth-method: GET
nginx.ingress.kubernetes.io/auth-url: http://authelia.{{ .Release.Namespace }}.svc.cluster.local:9091/api/verify
nginx.ingress.kubernetes.io/auth-signin: https://auth.{{ .Values.homey.url }}?rm=$request_method
nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
nginx.ingress.kubernetes.io/auth-snippet: |
proxy_set_header X-Forwarded-Method $request_method;
auth_request_set $user $upstream_http_remote_user;
auth_request_set $groups $upstream_http_remote_groups;
auth_request_set $name $upstream_http_remote_name;
auth_request_set $email $upstream_http_remote_email;
proxy_set_header X-Remote-User $user;
proxy_set_header X-Remote-Fullname $name;
proxy_set_header X-Remote-Email $email;
spec:
ingressClassName: {{ .Values.homey.ingress_class }}
tls:
- hosts:
- dav.{{ .Values.homey.url }}
secretName: {{ .Values.homey.certname }}
rules:
- host: dav.{{ .Values.homey.url }}
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: radicale
port:
number: 5232
---
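Review bot: The `radicale` Service selects `app.kubernetes.io/name: radicale` but the pod template only carries `app: radicale`, so the Service never gets endpoints and the Ingress answers 503; use `app: radicale` in the selector (or add the label to the template) — the baikal Service in the next section has the identical selector/label mismatch. In the same Service, `port:80` has no space after the colon, so it is not a `port:` key at all and the manifest fails to parse; since the container exposes only 5232, the `http` entry should be dropped rather than fixed. The Ingress claims `dav.{{ .Values.homey.url }}` at path `/`, and the baikal Ingress in the following section claims exactly the same host and path; two Ingresses owning one host/path leave it to the controller which backend wins, so only one of them should declare it.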
+118
@@ -0,0 +1,118 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: baikal-data-pvc
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
storageClassName: longhorn
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: baikal-config-pvc
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
storageClassName: longhorn
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: baikal
labels:
app: baikal
spec:
replicas: 1
selector:
matchLabels:
app: baikal
template:
metadata:
labels:
app: baikal
spec:
containers:
- name: baikal
image: ckulka/baikal-docker
imagePullPolicy: IfNotPresent
ports:
- name: dav
containerPort: 80
protocol: TCP
volumeMounts:
- name: config
mountPath: /var/www/baikal/config
subPath: config
- name: data
mountPath: /var/www/baikal/Specific
subPath: Specific
restartPolicy: Always
volumes:
- name: data
persistentVolumeClaim:
claimName: baikal-data-pvc
- name: config
persistentVolumeClaim:
claimName: baikal-config-pvc
---
apiVersion: v1
kind: Service
metadata:
name: baikal
labels:
app.kubernetes.io/name: baikal
spec:
type: ClusterIP
ports:
- name: dav
port: 80
targetPort: 80
selector:
app.kubernetes.io/name: baikal
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: baikal
annotations:
kubernetes.io/ingress.allow-http: "false"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/auth-method: GET
nginx.ingress.kubernetes.io/auth-url: http://authelia.{{ .Release.Namespace }}.svc.cluster.local:9091/api/verify
nginx.ingress.kubernetes.io/auth-signin: https://auth.{{ .Values.homey.url }}?rm=$request_method
nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
nginx.ingress.kubernetes.io/auth-snippet: |
proxy_set_header X-Forwarded-Method $request_method;
auth_request_set $user $upstream_http_remote_user;
auth_request_set $groups $upstream_http_remote_groups;
auth_request_set $name $upstream_http_remote_name;
auth_request_set $email $upstream_http_remote_email;
proxy_set_header X-Remote-User $user;
proxy_set_header X-Remote-Fullname $name;
proxy_set_header X-Remote-Email $email;
spec:
ingressClassName: {{ .Values.homey.ingress_class }}
tls:
- hosts:
- dav.{{ .Values.homey.url }}
secretName: {{ .Values.homey.certname }}
rules:
- host: dav.{{ .Values.homey.url }}
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: baikal
port:
number: 80
---
+162
@@ -0,0 +1,162 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: sogo-postgres-pvc
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
storageClassName: longhorn
---
apiVersion: v1
kind: Secret
metadata:
name: sogo-db-pass
type: Opaque
data:
password: sogo
---
apiVersion: v1
kind: ConfigMap
metadata:
name: sogo-postgres-config
labels:
app: sogo-postgres
data:
POSTGRES_DB: sogo
POSTGRES_USER: sogo
POSTGRES_PASSWORD: sogo
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: sogo-postgres
labels:
app: sogo-postgres
spec:
replicas: 1
selector:
matchLabels:
app: sogo-postgres
template:
metadata:
labels:
app: sogo-postgres
name: sogo-postgres
spec:
containers:
- name: postgres
image: postgres
imagePullPolicy: "IfNotPresent"
ports:
- containerPort: 5432
envFrom:
- configMapRef:
name: sogo-postgres-config
volumeMounts:
- mountPath: /var/lib/postgresql/data
subPath: sogo/db/data
name: sogo-postgresdb
volumes:
- name: sogo-postgresdb
persistentVolumeClaim:
claimName: sogo-postgres-pvc
---
apiVersion: v1
kind: Service
metadata:
name: sogo-postgres
labels:
app: sogo-postgres
spec:
ports:
- port: 5432
selector:
app: sogo-postgres
---
apiVersion: v1
kind: ConfigMap
metadata:
name: sogo-conf
data:
sogo.conf: |-
{{ tpl (.Files.Get "files/sogo.conf" | indent 4) . }}
---
apiVersion: v1
kind: Service
metadata:
name: sogo
labels:
app: sogo
spec:
ports:
- port: 80
targetPort: 80
selector:
app: sogo
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: sogo
spec:
# Stop old container before starting new one.
# No known upgrade policy know. Save to stop and start a new one.
strategy:
type: Recreate
rollingUpdate: null
selector:
matchLabels:
app: sogo
replicas: 1
template:
metadata:
labels:
app: sogo
spec:
containers:
- name: sogo
image: mailcow/sogo:nightly-1.119
resources:
requests:
cpu: 100m
memory: 400Mi
ports:
- containerPort: 80
volumeMounts:
- mountPath: /etc/sogo/sogo.conf
name: sogo-conf
subPath: sogo.conf
readOnly: true
volumes:
- name: sogo-conf
configMap:
name: sogo-conf
optional: false
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: sogo-ingress
spec:
ingressClassName: {{ .Values.homey.ingress_class }}
tls:
- hosts:
- git.{{ .Values.homey.url }}
secretName: {{ .Values.homey.certname }}
rules:
- host: sogo.{{ .Values.homey.url }}
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: soo
port:
number: 80
---
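Review bot: The Ingress at the end of the section routes `sogo.{{ .Values.homey.url }}` to a backend Service named `soo`, but the Service defined above is `sogo`, so every request returns 503; the line should be `name: sogo`. Its `tls.hosts` entry is `git.{{ .Values.homey.url }}` while the rule host is `sogo.…`, so TLS is negotiated for the wrong name; change it to `- sogo.{{ .Values.homey.url }}`. The `sogo-db-pass` Secret places `sogo` under `data:`, where it is base64-decoded into three arbitrary bytes rather than the string `sogo`, and nothing in this section consumes that Secret anyway — the postgres container takes `POSTGRES_PASSWORD: sogo` in plaintext from the ConfigMap; switch the Secret to `stringData:` and inject the password into the postgres container via `secretKeyRef`, as the paperless and nextcloud Deployments do. Unlike the other new Ingresses this one carries no Authelia forward-auth annotations, so SOGo's own login is the only gate on `sogo.`; if that is intended, a comment above `metadata:` saying so would stop the next reader from assuming an omission. The section header declares 162 lines but only 160 are visible here, so its tail may continue past this point.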