Current snapshot of state with unused garbage.

2025-03-26 12:27:47 +02:00
parent 9ac576c043
commit 138d6d8a6b
20 changed files with 1965 additions and 34 deletions
@@ -96,7 +96,20 @@ Line 800 ish for auth from reverse proxy
 I ran THIS command inside
 su www-data -s /bin/bash -c php occ ldap:promote-group "admins"

+** When maintenence mode
+
+#+begin_example
+kubectl exec --tty --stdin -n homey deploy/nextcloud -- su -l www-data -s /bin/bash
+php /var/www/html/occ maintenance:mode --off
+#+end_src
+
 * I UNDERSTAND

 I need to backup Chen's stuff
 And... I need to Jellyfin
+
+* PAPERLESS
+
+https://github.com/paperless-ngx/paperless-ngx/blob/74c44fe418a91a526b5dab1a91fde4aaebd28bb1/docker/compose/docker-compose.postgres.yml
+
+For docker
@@ -59,6 +59,29 @@ access_control:
  - domain:
    - "*.admin.{{ .Values.homey.url }}"
    policy: "deny"
+  - domain:
+    - "torrent.{{ .Values.homey.url }}"
+    subject:
+    - 'group:admins'
+    policy: "two_factor"
+  - domain:
+    - "torrent.{{ .Values.homey.url }}"
+    policy: "deny"
+  - domain:
+    - "stash-dl.{{ .Values.homey.url }}"
+    policy: "one_factor"
+  - domain:
+    - "stash.{{ .Values.homey.url }}"
+    policy: "one_factor"
+  - domain:
+    - "paperless.{{ .Values.homey.url }}"
+    policy: "one_factor"
 notifier:
  filesystem:
    filename: "/var/lib/authelia/emails.txt"
+ntp:
+  address: 'udp://time.cloudflare.com:123'
+  version: 3
+  max_desync: '3s'
+  disable_startup_check: false
+  disable_failure: true
@@ -0,0 +1,30 @@
+<?php
+
+use
+    Sabre\DAV;
+
+// The autoloader
+require 'vendor/autoload.php';
+
+// Now we're creating a whole bunch of objects
+$rootDirectory = new DAV\FS\Directory('public');
+
+// The server object is responsible for making sense out of the WebDAV protocol
+$server = new DAV\Server($rootDirectory);
+
+// If your server is not on your webroot, make sure the following line has the
+// correct information
+$server->setBaseUri('server.php');
+
+// The lock manager is reponsible for making sure users don't overwrite
+// each others changes.
+$lockBackend = new DAV\Locks\Backend\File('data/locks');
+$lockPlugin = new DAV\Locks\Plugin($lockBackend);
+$server->addPlugin($lockPlugin);
+
+// This ensures that we get a pretty index in the browser, but it is
+// optional.
+$server->addPlugin(new DAV\Browser\Plugin());
+
+// All we need to do now, is to fire up the server
+$server->exec();
@@ -0,0 +1,11 @@
+[server]
+hosts = 0.0.0.0:5232
+
+[auth]
+type = http_x_remote_user
+
+[storage]
+filesystem_folder = /data/collections
+
+[web]
+type = none
@@ -0,0 +1,30 @@
+<?php
+
+use
+    Sabre\DAV;
+
+// The autoloader
+require 'vendor/autoload.php';
+
+// Now we're creating a whole bunch of objects
+$rootDirectory = new DAV\FS\Directory('public');
+
+// The server object is responsible for making sense out of the WebDAV protocol
+$server = new DAV\Server($rootDirectory);
+
+// If your server is not on your webroot, make sure the following line has the
+// correct information
+$server->setBaseUri('server.php');
+
+// The lock manager is reponsible for making sure users don't overwrite
+// each others changes.
+$lockBackend = new DAV\Locks\Backend\File('data/locks');
+$lockPlugin = new DAV\Locks\Plugin($lockBackend);
+$server->addPlugin($lockPlugin);
+
+// This ensures that we get a pretty index in the browser, but it is
+// optional.
+$server->addPlugin(new DAV\Browser\Plugin());
+
+// All we need to do now, is to fire up the server
+$server->exec();
@@ -1,40 +1,94 @@
 {
-    SOGoProfileURL =
-        "postgresql://sogo:sogo@127.0.0.1:5432/sogo/sogo_user_profile";
-    OCSFolderInfoURL =
-        "postgresql://sogo:sogo@127.0.0.1:5432/sogo/sogo_folder_info";
-    OCSSessionsFolderURL =
-        "postgresql://sogo:sogo@127.0.0.1:5432/sogo/sogo_sessions_folder";
-    SOGoAppointmentSendEMailNotifications = YES;
-    SOGoCalendarDefaultRoles = (
-        PublicViewer,
-        ConfidentialDAndTViewer
-    );
-    SOGoLanguage = English;
-    SOGoTimeZone = America/Montreal;
-    SOGoMailDomain = acme.com;
-    SOGoIMAPServer = 127.0.0.1;
+    /* *********************  Main SOGo configuration file  **********************
+    *                                                                           *
+    * Since the content of this file is a dictionary in OpenStep plist format,  *
+    * the curly braces enclosing the body of the configuration are mandatory.   *
+    * See the Installation Guide for details on the format.                     *
+    *                                                                           *
+    * C and C++ style comments are supported.                                   *
+    *                                                                           *
+    * This example configuration contains only a subset of all available        *
+    * configuration parameters. Please see the installation guide more details. *
+    *                                                                           *
+    * ~sogo/GNUstep/Defaults/.GNUstepDefaults has precedence over this file,    *
+    * make sure to move it away to avoid unwanted parameter overrides.          *
+    *                                                                           *
+    * **************************************************************************/
+
+    /* Database configuration (mysql:// or postgresql://) */
+    SOGoProfileURL = "postgresql://sogo:sogo@sogo-postgres:5432/sogo/sogo_user_profile";
+    OCSFolderInfoURL = "postgresql://sogo:sogo@sogo-postgres:5432/sogo/sogo_folder_info";
+    OCSSessionsFolderURL = "postgresql://sogo:sogo@sogo-postgres:5432/sogo/sogo_sessions_folder";
+
+    /* Mail */
    SOGoDraftsFolderName = Drafts;
    SOGoSentFolderName = Sent;
    SOGoTrashFolderName = Trash;
-    SOGoJunkFolderName = Junk;
-    SOGoMailingMechanism = smtp;
-    SOGoSMTPServer = "smtp://127.0.0.1";
+    //SOGoIMAPServer = localhost;
+    //SOGoSieveServer = sieve://127.0.0.1:4190;
+    //SOGoSMTPServer = smtp://domain:port/?tls=YES;
+    //SOGoMailDomain = acme.com;
+    SOGoMailingMechanis = smtp;
+    //SOGoForceExternalLoginWithEmail = NO;
+    //SOGoMailSpoolPath = /var/spool/sogo;
+    //NGImap4ConnectionStringSeparator = "/";
+
+    /* Notifications */
+    //SOGoAppointmentSendEMailNotifications = NO;
+    //SOGoACLsSendEMailNotifications = NO;
+    //SOGoFoldersSendEMailNotifications = NO;
+
+    /* Authentication */
+    SOGoPasswordChangeEnabled = YES;
+
    SOGoUserSources = (
-        {
-            type = ldap;
-            CNFieldName = cn;
-            IDFieldName = uid;
-            UIDFieldName = uid;
-            baseDN = "ou=users,dc=acme,dc=com";
-            bindDN = "uid=sogo,ou=users,dc=acme,dc=com";
-            bindPassword = qwerty;
-            canAuthenticate = YES;
-            displayName = "Shared Addresses";
-            hostname = 127.0.0.1;
-            id = public;
-            isAddressBook = YES;
-            port = 389;
-        }
+    {
+        type = ldap;
+        CNFieldName = cn;
+        UIDFieldName = uid;
+        IDFieldName = uid; // first field of the DN for direct binds
+        bindFields = (uid, mail); // array of fields to use for indirect binds
+        baseDN = "ou=users,{{ .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim }}";
+        bindDN = "cn=readonly,{{ .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim }}";
+        bindPassword = "{{ .homey_openldap_ro }}";
+        canAuthenticate = YES;
+        displayName = "Shared Addresses";
+        hostname = ldap://openldap:389;
+        id = public;
+        isAddressBook = YES;
+    }
    );
+
+    /* Web Interface */
+    //SOGoPageTitle = SOGo;
+    SOGoVacationEnabled = YES;
+    SOGoForwardEnabled = YES;
+    SOGoSieveScriptsEnabled = YES;
+    //SOGoMailAuxiliaryUserAccountsEnabled = YES;
+    //SOGoTrustProxyAuthentication = NO;
+    SOGoXSRFValidationEnabled = YES;
+
+    /* General - SOGoTimeZone *MUST* be defined */
+    SOGoLanguage = English;
+    SOGoTimeZone = Asia/Jerusalem;
+    //SOGoCalendarDefaultRoles = (
+    //  PublicDAndTViewer,
+    //  ConfidentialDAndTViewer
+    //);
+    //SOGoSuperUsernames = (sogo1, sogo2); // This is an array - keep the parens!
+    SxVMemLimit = 384;
+    //WOPidFile = "/var/run/sogo/sogo.pid";
+    SOGoMemcachedHost = "/var/run/memcached/memcached.sock";
+
+    /* Debug */
+    SOGoDebugRequests = YES;
+    SoDebugBaseURL = YES;
+    ImapDebugEnabled = YES;
+    LDAPDebugEnabled = YES;
+    PGDebugEnabled = YES;
+    MySQL4DebugEnabled = YES;
+    SOGoUIxDebugEnabled = YES;
+    WODontZipResponse = YES;
+    //WOLogFile = /var/log/sogo/sogo.log;
 }
+
@@ -0,0 +1,10 @@
+kubectl exec -it -n homey deploy/gitea -- su - git -c "/usr/local/bin/gitea admin auth update-ldap --id=1 --name ldap --security-protocol unencrypted --host openldap --port 389 --user-search-base ou=users,dc=zakobar,dc=com --user-filter \"(&(objectClass=person)(uid=%s))\" --admin-filter \"(memberOf=CN=admins,ou=groups,dc=zakobar,dc=com)\" --email-attribute mail --bind-dn=cn=readonly,dc=zakobar,dc=com --bind-password=VqxPZHwDCkFsLWaroyb880zdH1JTCvz9"
+
+kubectl exec -it -n homey deploy/gitea -- su - git -c "/usr/local/bin/gitea admin user delete --username aner"
+
+
+gitea admin auth add-ldap --name ldap --security-protocol unencrypted --host openldap --port 389 --user-search-base ou=users,dc=zakobar,dc=com --user-filter "&(objectClass=inetOrgPerson)(uid=%s)" --email-attribute mail --bind-dn="cn=readonly,dc=zakobar,dc=com" --bind-password=VqxPZHwDCkFsLWaroyb880zdH1JTCvz9
+
+gitea admin auth update-ldap --id=1 --name ldap --security-protocol unencrypted --host openldap --port 389 --user-search-base ou=users,dc=zakobar,dc=com --user-filter "(&(objectClass=person)(uid=%s))" --email-attribute mail --bind-dn="cn=readonly,dc=zakobar,dc=com" --bind-password=VqxPZHwDCkFsLWaroyb880zdH1JTCvz9
+
+kubectl exec -it -n homey deploy/authelia -- /bin/bash -c "cat /var/lib/authelia/emails.txt"
@@ -0,0 +1,204 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: jellyfin-config-pvc
+spec:
+  accessModes:
+  - ReadWriteMany
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: longhorn
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: jellyfin-data-pvc
+spec:
+  accessModes:
+  - ReadWriteMany
+  resources:
+    requests:
+      storage: 700Gi
+  storageClassName: longhorn
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: transmission-config-pvc
+spec:
+  accessModes:
+  - ReadWriteMany
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: longhorn
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: jellyfin
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: jellyfin
+  template:
+    metadata:
+      labels:
+        app: jellyfin
+    spec:
+      containers:
+      - name: jellyfin
+        image: docker.io/jellyfin/jellyfin
+        imagePullPolicy: "IfNotPresent"
+        volumeMounts:
+        - name: jellyfin-volume-config
+          mountPath: "/config"
+          subPath: jellyfin/config
+        - name: jellyfin-volume-data
+          mountPath: "/data/movies"
+          subPath: downloads/movies
+        - name: jellyfin-volume-data
+          mountPath: "/data/tvshows"
+          subPath: downloads/tvshows
+        env:
+        - name: JELLYFIN_PublishedServerUrl
+          value: jellyfin.{{ .Values.homey.url }}
+      volumes:
+      - name: jellyfin-volume-config
+        persistentVolumeClaim:
+          claimName: jellyfin-config-pvc
+      - name: jellyfin-volume-data
+        persistentVolumeClaim:
+          claimName: jellyfin-data-pvc
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: jellyfin-web
+spec:
+  selector:
+    app: jellyfin
+  ports:
+  - port: 80
+    targetPort: 8096
+    name: jellyfin-web
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: jellyfin-ingress
+spec:
+  ingressClassName: {{ .Values.homey.ingress_class }}
+  tls:
+    - hosts:
+      - jellyfin.{{ .Values.homey.url }}
+      secretName: {{ .Values.homey.certname }}
+  rules:
+   - host: jellyfin.{{ .Values.homey.url }}
+     http:
+       paths:
+       - path: /
+         pathType: Prefix
+         backend:
+           service:
+             name: jellyfin-web
+             port:
+               number: 80
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: transmission
+  labels:
+    app: transmission
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: transmission
+  template:
+    metadata:
+      labels:
+        app: transmission
+        name: transmission
+    spec:
+      containers:
+      - name: transmission
+        image: linuxserver/transmission
+        imagePullPolicy: Always
+        volumeMounts:
+        - name: transmission-volume-config
+          mountPath: "/config"
+          subPath: transmission/config
+        - name: transmission-volume-data
+          mountPath: "/downloads/movies"
+          subPath: downloads/movies
+        - name: transmission-volume-data
+          mountPath: "/downloads/tvshows"
+          subPath: downloads/tvshows
+        - name: transmission-volume-data
+          mountPath: "/downloads/general"
+          subPath: downloads/general
+        - name: transmission-volume-data
+          mountPath: "/downloads/complete"
+          subPath: downloads/complete
+      volumes:
+      - name: transmission-volume-config
+        persistentVolumeClaim:
+          claimName: transmission-config-pvc
+      - name: transmission-volume-data
+        persistentVolumeClaim:
+          claimName: jellyfin-data-pvc
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: transmission-web
+spec:
+  selector:
+    app: transmission
+  ports:
+  - port: 80
+    targetPort: 9091
+    name: transmission-web
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: torrent
+  annotations:
+    kubernetes.io/ingress.allow-http: "false"
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/auth-method: GET
+    nginx.ingress.kubernetes.io/auth-url: http://authelia.{{ .Release.Namespace }}.svc.cluster.local:9091/api/verify
+    nginx.ingress.kubernetes.io/auth-signin: https://auth.{{ .Values.homey.url }}?rm=$request_method
+    nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
+    nginx.ingress.kubernetes.io/auth-snippet: |
+      proxy_set_header X-Forwarded-Method $request_method;
+      auth_request_set $user $upstream_http_remote_user;
+      auth_request_set $groups $upstream_http_remote_groups;
+      auth_request_set $name $upstream_http_remote_name;
+      auth_request_set $email $upstream_http_remote_email;
+      proxy_set_header X-Webauth-User $user;
+      proxy_set_header X-Webauth-Fullname $name;
+      proxy_set_header X-Webauth-Email $email;
+spec:
+  ingressClassName: {{ .Values.homey.ingress_class }}
+  tls:
+    - hosts:
+      - torrent.{{ .Values.homey.url }}
+      secretName: {{ .Values.homey.certname }}
+  rules:
+  - host: torrent.{{ .Values.homey.url }}
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: transmission-web
+            port:
+              number: 80
@@ -0,0 +1,24 @@
+---
+{{- define "homey.auth.ingress.annotations" }}
+    # nginx.ingress.kubernetes.io/auth-signin: "https://auth.zakobar.com"
+    nginx.ingress.kubernetes.io/auth-url: "http://ldap-auth-internal.{{ .Release.Namespace }}.svc.cluster.local:80"
+    nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Email
+    nginx.ingress.kubernetes.io/location-snippets: |-
+      auth_request /auth
+    nginx.ingress.kubernetes.io/configuration-snippet: |-
+      location /auth {
+        # proxy_pass http://ldap-auth-internal;
+        proxy_pass_request_body off;
+        #THIS NEEDS TO BE SET BY ACTUAL SOMETHING LOGIN SHIT
+        # proxy_set_header X-Target http://ldap-auth-internal.{{ .Release.Namespace }}.svc.cluster.local:80;
+        proxy_set_header X-Ldap-URL      "ldap://openldap";
+        proxy_set_header X-Ldap-BaseDN   "ou=users,{{ .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim }}";
+        proxy_set_header X-Ldap-BindDN   "cn=readonly,{{ .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim }}";
+        proxy_set_header X-Ldap-BindPass {{ (get (get (lookup "v1" "Secret" .Release.Namespace "openldap-ro") "data") "password") | b64dec | quote}};
+        proxy_set_header X-CookieName "homey.auth.cookie";
+        proxy_set_header Cookie $cookie_homey.auth.cookie;
+        proxy_set_header X-Remote-User $remote_user;
+        proxy_set_header X-Forwarded-Method $request_method;
+        proxy_set_header X-Ldap-Template "(uid=%(username)s)";
+      }
+{{- end }}
@@ -0,0 +1,117 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: baikal-data-pvc
+spec:
+  accessModes:
+  - ReadWriteMany
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: longhorn
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: baikal-config-pvc
+spec:
+  accessModes:
+  - ReadWriteMany
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: longhorn
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: baikal
+  labels:
+    app: baikal
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: baikal
+  template:
+    metadata:
+      labels:
+        app: baikal
+    spec:
+      containers:
+      - name: baikal
+        image: ckulka/baikal
+        imagePullPolicy: IfNotPresent
+        ports:
+        - containerPort: 80
+          name: dav
+        volumeMounts:
+        - name: config
+          mountPath: /var/www/baikal/config
+          subPath: config
+        - name: data
+          mountPath: /var/www/baikal/Specific
+          subPath: Specific
+      restartPolicy: Always
+      volumes:
+      - name: data
+        persistentVolumeClaim:
+          claimName: baikal-data-pvc
+      - name: config
+        persistentVolumeClaim:
+          claimName: baikal-config-pvc
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: baikal
+spec:
+  selector:
+    app: baikal
+  ports:
+  - name: dav
+    protocol: TCP
+    port: 80
+    targetPort: 80
+  selector:
+    app: baikal
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: baikal
+  annotations:
+    kubernetes.io/ingress.allow-http: "false"
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/auth-method: GET
+    nginx.ingress.kubernetes.io/auth-url: http://authelia.{{ .Release.Namespace }}.svc.cluster.local:9091/api/verify
+    nginx.ingress.kubernetes.io/auth-signin: https://auth.{{ .Values.homey.url }}?rm=$request_method
+    nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
+    nginx.ingress.kubernetes.io/auth-snippet: |
+      proxy_set_header X-Forwarded-Method $request_method;
+      auth_request_set $user $upstream_http_remote_user;
+      auth_request_set $groups $upstream_http_remote_groups;
+      auth_request_set $name $upstream_http_remote_name;
+      auth_request_set $email $upstream_http_remote_email;
+      proxy_set_header X-Remote-User $user;
+      proxy_set_header X-Remote-Fullname $name;
+      proxy_set_header X-Remote-Email $email;
+spec:
+  ingressClassName: {{ .Values.homey.ingress_class }}
+  tls:
+    - hosts:
+      - dav.{{ .Values.homey.url }}
+      secretName: {{ .Values.homey.certname }}
+  rules:
+  - host: dav.{{ .Values.homey.url }}
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: baikal
+            port:
+              number: 80
+---
@@ -0,0 +1,71 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: baikal
+  labels:
+    app: baikal
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: baikal
+  template:
+    metadata:
+      labels:
+        app: baikal
+    spec:
+      containers:
+      - name: baikal
+        image: ckulka/baikal
+        ports:
+        - name: dav
+          containerPort: 80
+          protocol: TCP
+        volumeMounts:
+        - name: baikal-volume
+          mountPath: /var/www/baikal/Specific
+          subPath: baikal/data
+        - name: baikal-volume
+          mountPath: /var/www/baikal/config
+          subPath: baikal/config
+      restartPolicy: Always
+      volumes:
+      - name: baikal-volume
+        persistentVolumeClaim:
+          claimName: homey-pvc-longhorn
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: baikal
+spec:
+  ports:
+  - name: dav
+    targetPort: 80
+    port: 80
+  selector:
+    app: baikal
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: baikal
+spec:
+  ingressClassName: {{ .Values.homey.ingress_class }}
+  tls:
+    - hosts:
+      - dav.{{ .Values.homey.url }}
+      secretName: {{ .Values.homey.certname }}
+  rules:
+  - host: dav.{{ .Values.homey.url }}
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: baikal
+            port:
+              name: dav
+---
@@ -0,0 +1,213 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: davical-postgres-pvc
+spec:
+  accessModes:
+  - ReadWriteMany
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: longhorn
+
+---
+{{- $_ := set $ "homey_davical_postgres_pass" (include "homey.lookuporgensecret" (merge (dict "secretname" "davical-postgres-pass") $))}}
+{{ include "homey.randomsecret" (merge (dict "secretname" "davical-postgres-pass" "secretval" .homey_davical_postgres_pass) $) }}
+---
+# apiVersion: extensions/v1beta1
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: davical-postgres-config
+  labels:
+    app: davical-postgres
+data:
+  POSTGRES_DB: postgres
+  POSTGRES_USER: postgres
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: davical-postgres
+  labels:
+    app: davical-postgres
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: davical-postgres
+  template:
+    metadata:
+      labels:
+        app: davical-postgres
+        name: davical-postgres
+    spec:
+      containers:
+      - name: davical-postgres
+        image: postgres
+        imagePullPolicy: "IfNotPresent"
+        ports:
+        - containerPort: 5432
+        envFrom:
+        - configMapRef:
+            name: davical-postgres-config
+        env:
+        - name: POSTGRES_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: davical-postgres-pass
+              key: password
+        volumeMounts:
+        - mountPath: /var/lib/postgresql/data
+          subPath: data
+          name: davical-postgredb
+      volumes:
+      - name: davical-postgredb
+        persistentVolumeClaim:
+          claimName: davical-postgres-pvc
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: davical-postgres
+  labels:
+    app: davical-postgres
+spec:
+  ports:
+   - port: 5432
+  selector:
+    app: davical-postgres
+---
+{{- $_ := set $ "homey_davical_admin_pass" (include "homey.lookuporgensecret" (merge (dict "secretname" "davical-admin-pass") $))}}
+{{ include "homey.randomsecret" (merge (dict "secretname" "davical-admin-pass" "secretval" .homey_davical_admin_pass) $) }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: davical-conf
+data:
+  config.php: |-
+{{ tpl (.Files.Get "files/davical-config.php" | indent 4) . }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: davical
+  labels:
+    app: davical
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: davical
+  template:
+    metadata:
+      labels:
+        app: davical
+    spec:
+      containers:
+      - name: davical
+        image: anerisgreat/davical-multiarch-docker:latest
+        imagePullPolicy: "Always"
+        ports:
+        - containerPort: 80
+          name: dav
+        env:
+        - name: PGHOST
+          value: "davical-postgres"
+        - name: PGUSER
+          value: "postgres"
+        - name: PGPASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: davical-postgres-pass
+              key: password
+        - name: PGDATABASE
+          value: "davical"
+        - name: PGPORT
+          value: "5432"
+        - name: HOST_NAME
+          value:
+            "dav.{{ .Values.homey.url }}"
+        - name: DAVICAL_ADMIN_PASS
+          valueFrom:
+            secretKeyRef:
+              name: davical-admin-pass
+              key: password
+        - name: ROOT_PGUSER
+          value: "postgres"
+        - name: ROOT_PGPASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: davical-postgres-pass
+              key: password
+        - name: RUN_MIGRATIONS_AT_STARTUP
+          value: "true"
+        volumeMounts:
+        - name: davical-conf
+          mountPath: /etc/davical/config.php
+          subPath: config.php
+          readOnly: true
+      volumes:
+      - name: davical-conf
+        configMap:
+          name: davical-conf
+          items:
+          - key: config.php
+            path: config.php
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: davical
+spec:
+  selector:
+    app: davical
+  ports:
+  - name: dav
+    protocol: TCP
+    port: 80
+    targetPort: 80
+  selector:
+    app: davical
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: davical
+  annotations:
+    kubernetes.io/ingress.allow-http: "false"
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/auth-method: GET
+    nginx.ingress.kubernetes.io/auth-url: http://authelia.{{ .Release.Namespace }}.svc.cluster.local:9091/api/verify
+    nginx.ingress.kubernetes.io/auth-signin: https://auth.{{ .Values.homey.url }}?rm=$request_method
+    nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
+    nginx.ingress.kubernetes.io/auth-snippet: |
+      proxy_set_header X-Forwarded-Method $request_method;
+      auth_request_set $user $upstream_http_remote_user;
+      auth_request_set $groups $upstream_http_remote_groups;
+      auth_request_set $name $upstream_http_remote_name;
+      auth_request_set $email $upstream_http_remote_email;
+      proxy_set_header Remote-User $user;
+      proxy_set_header Remote-Fullname $name;
+      proxy_set_header Remote-Email $email;
+      proxy_set_header Redirect-Remote-User $user;
+      proxy_set_header Redirect-Remote-Fullname $name;
+      proxy_set_header Redirect-Remote-Email $email;
+spec:
+  ingressClassName: {{ .Values.homey.ingress_class }}
+  tls:
+    - hosts:
+      - dav.{{ .Values.homey.url }}
+      secretName: {{ .Values.homey.certname }}
+  rules:
+  - host: dav.{{ .Values.homey.url }}
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: davical
+            port:
+              number: 80
@@ -0,0 +1,131 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: gitea-pvc
+spec:
+  accessModes:
+  - ReadWriteMany
+  resources:
+    requests:
+      storage: 5Gi
+  storageClassName: longhorn
+---
+{{- $_ := set $ "homey_gitea_admin_pass" (include "homey.lookuporgensecret" (merge (dict "secretname" "gitea-admin-pass") $))}}
+{{ include "homey.randomsecret" (merge (dict "secretname" "gitea-admin-pass" "secretval" .homey_gitea_admin_pass) $) }}
+---
+{{- $_ := set $ "homey_gitea_lfs_jwt_secret" (include "homey.lookuporgensecret" (merge (dict "secretname" "gitea-lfs-jwt-secret") $))}}
+{{ include "homey.randomsecret" (merge (dict "secretname" "gitea-lfs-jwt-secret" "secretval" .homey_gitea_lfs_jwt_secret) $) }}
+---
+{{- $_ := set $ "homey_gitea_oauth2_jwt_secret" (include "homey.lookuporgensecret" (merge (dict "secretname" "gitea-oauth2-jwt-secret") $))}}
+{{ include "homey.randomsecret" (merge (dict "secretname" "gitea-oauth2-jwt-secret" "secretval" .homey_gitea_oauth2_jwt_secret) $) }}
+
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: gitea-random-internal-token
+  annotations:
+    "helm.sh/resource-policy": "keep"
+type: Opaque
+data:
+{{- $secretObj := (lookup "v1" "Secret" .Release.Namespace "gitea-random-internal-token") | default dict -}}
+{{- $secretData := (get $secretObj "data") | default dict -}}
+{{- $pass := (get $secretData "password") | default (randAlphaNum 100 | b64enc) -}}
+{{- $_ := set $ "homey_gitea_random_internal_token" ($pass | b64dec) }}
+  password: {{ $pass | quote }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: gitea-conf
+data:
+  app.ini: |-
+{{ tpl (.Files.Get "files/gitea-app.ini" | indent 4) . }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: gitea
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: gitea
+  template:
+    metadata:
+      labels:
+        app: gitea
+    spec:
+      containers:
+      - name: gitea
+        image: gitea/gitea:latest
+        ports:
+        - containerPort: 3000
+          name: http
+        volumeMounts:
+        - name: gitea-persistent-storage
+          mountPath: /data
+          subPath: gitea/gitea/data
+        - name: gitea-conf
+          mountPath: /data/gitea/conf/app.ini
+          subPath: app.ini
+          readOnly: true
+        # startProbe:
+        #   httpGet:
+        #     path: /
+        #     port: 3000
+        #   initialDelaySeconds: 15
+        # lifecycle:
+        #   postStart:
+        #     exec:
+        #       {{- set $gitea-cmd (printf "gitea admin auth add-ldap --name ldap --security-protocol unencrypted --host ldap --port 389 --user-search-base ou=users,%s --user-filter \\\"(&(objectClass=inetOrgPerson)(|(uid=\%[1]s)(mail=\%[1]s)))\\\" --email-attribute mail --bind-dn=\\\"cn=readonly,%s\\\" --bind-password=\\\"%s\\\"" ( .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim) () (.homey_openldap_ro | replace "\"" ""))}}
+        #       command: ["/bin/sh", "-c", "{{cmd}}"]
+      volumes:
+      - name: gitea-persistent-storage
+        persistentVolumeClaim:
+          claimName: gitea-pvc
+      - name: gitea-conf
+        configMap:
+          name: gitea-conf
+          items:
+          - key: app.ini
+            path: app.ini
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: gitea-svc
+spec:
+  selector:
+    app: gitea
+  ports:
+  - name: http-port
+    protocol: TCP
+    port: 3000
+    targetPort: http
+  selector:
+    app: gitea
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: gitea-ingress
+spec:
+  ingressClassName: {{ .Values.homey.ingress_class }}
+  tls:
+    - hosts:
+      - git.{{ .Values.homey.url }}
+      secretName: {{ .Values.homey.certname }}
+  rules:
+  - host: git.{{ .Values.homey.url }}
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: gitea-svc
+            port:
+              number: 3000
+---
@@ -0,0 +1,92 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: jellyfin-config-pvc
+spec:
+  accessModes:
+  - ReadWriteMany
+  resources:
+    requests:
+      storage: 100Gi
+  storageClassName: longhorn
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: jellyfin-data-pvc
+spec:
+  accessModes:
+  - ReadWriteMany
+  resources:
+    requests:
+      storage: 700Gi
+  storageClassName: longhorn
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: jellyfin
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: jellyfin
+  template:
+    metadata:
+      labels:
+        app: jellyfin
+    spec:
+      containers:
+      - name: jellyfin
+        image: docker.io/jellyfin/jellyfin
+        volumeMounts:
+        - name: jellyfin-volume-config
+          mountPath: "/config"
+          subPath: jellyfin/config
+        - name: jellyfin-volume-data
+          mountPath: "/data/movies"
+          subPath: downloads/movies
+        - name: jellyfin-volume-data
+          mountPath: "/data/tvshows"
+          subPath: downloads/tvshows
+      - env:
+        - name: JELLYFIN_PublishedServerUrl
+          value: jellyfin.{{ .Values.homey.url }}
+      volumes:
+      - name: jellyfin-volume-config
+        persistentVolumeClaim:
+          claimName: jellyfin-config-pvc
+      - name: jellyfin-volume-data
+        persistentVolumeClaim:
+          claimName: jellyfin-data-pvc
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: jellyfin-web
+  namespace: homecenter
+spec:
+  selector:
+    app: jellyfin
+  ports:
+  - port: 80
+    targetPort: 8096
+    name: jellyfin-web
+---
+ingressClassName: {{ .Values.homey.ingress_class }}
+  tls:
+    - hosts:
+      - jellyfin.{{ .Values.homey.url }}
+      secretName: {{ .Values.homey.certname }}
+  rules:
+   - host: jellyfin.{{ .Values.homey.url }}
+     http:
+       paths:
+       - path: /
+         pathType: Prefix
+         backend:
+           service:
+             name: jellyfin-web
+             port:
+               number: 80
+---
@@ -0,0 +1,70 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ldap-auth
+  labels:
+    app: ldap-auth
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: ldap-auth
+  template:
+    metadata:
+      labels:
+        app: ldap-auth
+        name: ldap-auth
+    spec:
+      containers:
+      - name: ldap-auth
+        image: linuxserver/ldap-auth
+        imagePullPolicy: Always
+---
+#https://stackoverflow.com/questions/51149921/how-to-authenticate-nginx-with-ldap
+apiVersion: v1
+kind: Service
+metadata:
+  name: ldap-auth
+spec:
+  selector:
+    app: ldap-auth
+  ports:
+  - port: 80
+    targetPort: 9000
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: ldap-auth-internal
+spec:
+  selector:
+    app: ldap-auth
+  ports:
+  - port: 80
+    targetPort: 8888
+---
+# apiVersion: networking.k8s.io/v1
+# kind: Ingress
+# metadata:
+#   name: ldap-auth-ingress
+#   annotations:
+# spec:
+#   ingressClassName: {{ .Values.homey.ingress_class }}
+#   tls:
+#     - hosts:
+#       - auth.{{ .Values.homey.url }}
+#       secretName: {{ .Values.homey.certname }}
+#   rules:
+#   - host: auth.{{ .Values.homey.url }}
+#     http:
+#       paths:
+#       - path: /
+#         pathType: Prefix
+#         backend:
+#           service:
+#             name: ldap-auth
+#             port:
+#               number: 80
+# ---
+
@@ -0,0 +1,206 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: nextcloud-pvc
+spec:
+  accessModes:
+  - ReadWriteMany
+  resources:
+    requests:
+      storage: 30Gi
+  storageClassName: longhorn
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: nextcloud-postgres-pvc
+spec:
+  accessModes:
+  - ReadWriteMany
+  resources:
+    requests:
+      storage: 5Gi
+  storageClassName: longhorn
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: nextcloud-data-pvc
+spec:
+  accessModes:
+  - ReadWriteMany
+  resources:
+    requests:
+      storage: 30Gi
+  storageClassName: longhorn
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: nextcloud-postgres-pass
+  annotations:
+    "helm.sh/resource-policy": "keep"
+type: Opaque
+data:
+  {{- $secretObj := (lookup "v1" "Secret" .Release.Namespace "nextcloud-postgres-pass") | default dict }}
+  {{- $secretData := (get $secretObj "data") | default dict }}
+  {{- $pass := (get $secretData "password") | default (randAlphaNum 32 | b64enc) }}
+  password: {{ $pass | quote }}
+---
+# apiVersion: extensions/v1beta1
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: nextcloud-postgres-config
+  labels:
+    app: nextcloud-postgres
+data:
+  POSTGRES_DB: nextcloud_db
+  POSTGRES_USER: postgres
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nextcloud-postgres
+  labels:
+    app: nextcloud-postgres
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nextcloud-postgres
+  template:
+    metadata:
+      labels:
+        app: nextcloud-postgres
+        name: nextcloud-postgres
+    spec:
+      containers:
+      - name: nextcloud-postgres
+        image: postgres
+        imagePullPolicy: "IfNotPresent"
+        ports:
+        - containerPort: 5432
+        envFrom:
+        - configMapRef:
+            name: nextcloud-postgres-config
+        env:
+        - name: POSTGRES_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: nextcloud-postgres-pass
+              key: password
+        volumeMounts:
+        - mountPath: /var/lib/postgresql/data
+          subPath: nextcloud/db
+          name: nextcloud-postgredb
+      volumes:
+      - name: nextcloud-postgredb
+        persistentVolumeClaim:
+          claimName: nextcloud-postgres-pvc
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: nextcloud-postgres
+  labels:
+    app: nextcloud-postgres
+spec:
+  ports:
+   - port: 5432
+  selector:
+    app: nextcloud-postgres
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nextcloud
+  labels:
+    app: nextcloud
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nextcloud
+  template:
+    metadata:
+      labels:
+        app: nextcloud
+        name: nextcloud
+    spec:
+      containers:
+      - name: nextcloud
+        image: nextcloud
+        imagePullPolicy: Always
+        volumeMounts:
+        - name: nextcloud-volume
+          mountPath: "/var/www/html"
+          subPath: nextcloud/html
+        - name: nextcloud-media
+          mountPath: "/var/www/html/data"
+          subPath: nextcloud/html/data
+        envFrom:
+        - configMapRef:
+            name: nextcloud-postgres-config
+        env:
+        - name: POSTGRES_HOST
+          value: "nextcloud-postgres"
+        - name: POSTGRES_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: nextcloud-postgres-pass
+              key: password
+        - name: OVERWRITEPROTOCOL
+          value: "https"
+      volumes:
+      - name: nextcloud-volume
+        persistentVolumeClaim:
+          claimName: nextcloud-pvc
+      - name: nextcloud-media
+        persistentVolumeClaim:
+          claimName: nextcloud-data-pvc
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: nextcloud
+spec:
+  selector:
+    app: nextcloud
+  ports:
+  - port: 80
+    targetPort: 80
+    name: nextcloud
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: nextcloud-ingress
+  annotations:
+    nginx.ingress.kubernetes.io/proxy-body-size: 5g
+    nginx.ingress.kubernetes.io/server-snippet: |
+        # Make a regex exception for `/.well-known` so that clients can still
+        # access it despite the existence of the regex rule
+        # `location ~ /(\.|autotest|...)` which would otherwise handle requests
+        # for `/.well-known`.
+        location = /.well-known/carddav { return 301  https://nextcloud.zakobar.com/remote.php/dav/; }
+        location = /.well-known/caldav  { return 301  https://nextcloud.zakobar.com/remote.php/dav/; }
+spec:
+  ingressClassName: {{ .Values.homey.ingress_class }}
+  tls:
+    - hosts:
+      - nextcloud.{{ .Values.homey.url }}
+      secretName: {{ .Values.homey.certname }}
+  rules:
+   - host: nextcloud.{{ .Values.homey.url }}
+     http:
+       paths:
+       - path: /
+         pathType: Prefix
+         backend:
+           service:
+             name: nextcloud
+             port:
+               number: 80
+---
@@ -0,0 +1,230 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: paperless-pvc
+spec:
+  accessModes:
+  - ReadWriteMany
+  resources:
+    requests:
+      storage: 50Gi
+  storageClassName: longhorn
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: paperless-redis
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: paperless-redis
+  template:
+    metadata:
+      labels:
+        app: paperless-redis
+    spec:
+      containers:
+      - name: paperless
+        image: redis
+        imagePullPolicy: "IfNotPresent"
+        ports:
+        - containerPort: 6379
+          name: redis
+        volumeMounts:
+        - name: paperless-volume
+          mountPath: "/data"
+          subPath: paperless/redis-data
+      volumes:
+      - name: paperless-volume
+        persistentVolumeClaim:
+          claimName: paperless-pvc
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: paperless-redis
+spec:
+  selector:
+    app: paperless-redis
+  ports:
+  - port: 80
+    targetPort: 8000
+    name: paperless-web
+
+---
+{{- $_ := set $ "homey_paperless_postgres_pass" (include "homey.lookuporgensecret" (merge (dict "secretname" "paperless-postgres-pass") $))}}
+{{ include "homey.randomsecret" (merge (dict "secretname" "paperless-postgres-pass" "secretval" .homey_paperless_postgres_pass) $) }}
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: paperless-postgres-config
+  labels:
+    app: paperless-postgres
+data:
+  POSTGRES_DB: paperless
+  POSTGRES_USER: paperless
+  POSTGRES_PASSWORD: paperless
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: paperless-postgres
+  labels:
+    app: paperless-postgres
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: paperless-postgres
+  template:
+    metadata:
+      labels:
+        app: paperless-postgres
+        name: paperless-postgres
+    spec:
+      containers:
+      - name: paperless-postgres
+        image: postgres
+        imagePullPolicy: "IfNotPresent"
+        ports:
+        - containerPort: 5432
+        envFrom:
+        - configMapRef:
+            name: paperless-postgres-config
+        volumeMounts:
+        - mountPath: /var/lib/postgresql/data
+          subPath: paperless/db
+          name: paperless-volume
+      volumes:
+      - name: paperless-volume
+        persistentVolumeClaim:
+          claimName: paperless-pvc
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: paperless-postgres
+  labels:
+    app: paperless-postgres
+spec:
+  ports:
+   - port: 5432
+  selector:
+    app: paperless-postgres
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: paperless
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: paperless
+  template:
+    metadata:
+      labels:
+        app: paperless
+    spec:
+      containers:
+      - name: paperless
+        image: ghcr.io/paperless-ngx/paperless-ngx:latest
+        imagePullPolicy: "IfNotPresent"
+        ports:
+        - containerPort: 8000
+          name: paperless-web
+        volumeMounts:
+        - name: paperless-volume
+          mountPath: "/usr/src/paperless/data"
+          subPath: paperless/data
+        - name: paperless-volume
+          mountPath: "/usr/src/paperless/media"
+          subPath: paperless/media
+        - name: paperless-volume
+          mountPath: "/usr/src/paperless/export"
+          subPath: paperless/export
+        - name: paperless-volume
+          mountPath: "/usr/src/paperless/consume"
+          subPath: paperless/consume
+        env:
+        - name: PAPERLESS_REDIS
+          value: redis://paperless-redis:6379
+        - name: PAPERLESS_DBHOST
+          value: paperless-postgres
+        - name: PAPERLESS_DEBUG
+          value: "true"
+        - name: PAPERLESS_ENABLE_HTTP_REMOTE_USER
+          value: "true"
+        - name: PAPERLESS_ENABLE_HTTP_REMOTE_USER_API
+          value: "true"
+        - name: PAPERLESS_DISABLE_REGULAR_LOGIN
+          value: "true"
+        - name: PAPERLESS_LOGOUT_REDIRECT_URL
+          value: "https://auth.{{ .Values.homey.url }}/logout"
+        - name: PAPERLESS_URL
+          value: "https://paperless.{{ .Values.homey.url }}"
+        - name: PAPERLESS_DBPASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: paperless-postgres-pass
+              key: password
+      volumes:
+      - name: paperless-volume
+        persistentVolumeClaim:
+          claimName: paperless-pvc
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: paperless-web
+  labels:
+    app: paperless-web
+spec:
+  selector:
+    app: paperless
+  ports:
+  - port: 80
+    targetPort: 8000
+    name: paperless-web
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: paperless-ingress
+  annotations:
+    kubernetes.io/ingress.allow-http: "false"
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/auth-method: GET
+    nginx.ingress.kubernetes.io/auth-url: http://authelia.{{ .Release.Namespace }}.svc.cluster.local:9091/api/verify
+    nginx.ingress.kubernetes.io/auth-signin: https://auth.{{ .Values.homey.url }}?rm=$request_method
+    nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
+    nginx.ingress.kubernetes.io/auth-snippet: |
+      proxy_set_header X-Forwarded-Method $request_method;
+      auth_request_set $user $upstream_http_remote_user;
+      auth_request_set $groups $upstream_http_remote_groups;
+      auth_request_set $name $upstream_http_remote_name;
+      auth_request_set $email $upstream_http_remote_email;
+      proxy_set_header REMOTE_USER $remote_user;
+      proxy_set_header REMOTE_EMAIL $email;
+      proxy_set_header REMOTE_NAME $name;
+spec:
+  ingressClassName: {{ .Values.homey.ingress_class }}
+  tls:
+    - hosts:
+      - paperless.{{ .Values.homey.url }}
+      secretName: {{ .Values.homey.certname }}
+  rules:
+   - host: paperless.{{ .Values.homey.url }}
+     http:
+       paths:
+       - path: /
+         pathType: Prefix
+         backend:
+           service:
+             name: paperless-web
+             port:
+               number: 80
+---
@@ -0,0 +1,122 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: radicale-pvc
+spec:
+  accessModes:
+  - ReadWriteMany
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: longhorn
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: radicale-conf
+  labels:
+    app: radicale
+data:
+  config: |-
+{{ tpl (.Files.Get "files/radicale-configmap.ini" | indent 4) . }}
+---
+{{- $_ := set $ "homey_radicale_basic_auth" (include "homey.lookuporgensecret" (merge (dict "secretname" "radicale-basic-auth") $))}}
+{{ include "homey.randomsecret" (merge (dict "secretname" "radicale-basic-auth" "secretval" .homey_radicale_basic_auth) $) }}
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: radicale
+  labels:
+    app: radicale
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: radicale
+  template:
+    metadata:
+      labels:
+        app: radicale
+    spec:
+      containers:
+      - name: radicale
+        image: tomsquest/docker-radicale
+        imagePullPolicy: IfNotPresent
+        ports:
+        - name: dav
+          containerPort: 5232
+          protocol: TCP
+        volumeMounts:
+        - name: collections
+          mountPath: /data/collections
+        - name: config
+          mountPath: /config/config
+          subPath: config
+          readOnly: true
+      restartPolicy: Always
+      volumes:
+      - name: collections
+        persistentVolumeClaim:
+          claimName: radicale-pvc
+      - name: config
+        configMap:
+          name: radicale-conf
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: radicale
+  labels:
+    app.kubernetes.io/name: radicale
+spec:
+  type: ClusterIP
+  ports:
+    - name: dav
+      port: 5232
+      targetPort: 5232
+    - name: http
+      port:80
+      targetPort: 80
+  selector:
+    app.kubernetes.io/name: radicale
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: radicale
+  annotations:
+    kubernetes.io/ingress.allow-http: "false"
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/auth-method: GET
+    nginx.ingress.kubernetes.io/auth-url: http://authelia.{{ .Release.Namespace }}.svc.cluster.local:9091/api/verify
+    nginx.ingress.kubernetes.io/auth-signin: https://auth.{{ .Values.homey.url }}?rm=$request_method
+    nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
+    nginx.ingress.kubernetes.io/auth-snippet: |
+      proxy_set_header X-Forwarded-Method $request_method;
+      auth_request_set $user $upstream_http_remote_user;
+      auth_request_set $groups $upstream_http_remote_groups;
+      auth_request_set $name $upstream_http_remote_name;
+      auth_request_set $email $upstream_http_remote_email;
+      proxy_set_header X-Remote-User $user;
+      proxy_set_header X-Remote-Fullname $name;
+      proxy_set_header X-Remote-Email $email;
+spec:
+  ingressClassName: {{ .Values.homey.ingress_class }}
+  tls:
+    - hosts:
+      - dav.{{ .Values.homey.url }}
+      secretName: {{ .Values.homey.certname }}
+  rules:
+  - host: dav.{{ .Values.homey.url }}
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: radicale
+            port:
+              number: 5232
+---
@@ -0,0 +1,118 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: baikal-data-pvc
+spec:
+  accessModes:
+  - ReadWriteMany
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: longhorn
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: baikal-config-pvc
+spec:
+  accessModes:
+  - ReadWriteMany
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: longhorn
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: baikal
+  labels:
+    app: baikal
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: baikal
+  template:
+    metadata:
+      labels:
+        app: baikal
+    spec:
+      containers:
+      - name: baikal
+        image: ckulka/baikal-docker
+        imagePullPolicy: IfNotPresent
+        ports:
+        - name: dav
+          containerPort: 80
+          protocol: TCP
+        volumeMounts:
+        - name: config
+          mountPath: /var/www/baikal/config
+          subPath: config
+        - name: data
+          mountPath: /var/www/baikal/Specific
+          subPath: Specific
+      restartPolicy: Always
+      volumes:
+      - name: data
+        persistentVolumeClaim:
+          claimName: baikal-data-pvc
+      - name: config
+        persistentVolumeClaim:
+          claimName: baikal-config-pvc
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: baikal
+  labels:
+    app.kubernetes.io/name: baikal
+spec:
+  type: ClusterIP
+  ports:
+    - name: dav
+      port: 80
+      targetPort: 80
+  selector:
+    app.kubernetes.io/name: baikal
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: baikal
+  annotations:
+    kubernetes.io/ingress.allow-http: "false"
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/auth-method: GET
+    nginx.ingress.kubernetes.io/auth-url: http://authelia.{{ .Release.Namespace }}.svc.cluster.local:9091/api/verify
+    nginx.ingress.kubernetes.io/auth-signin: https://auth.{{ .Values.homey.url }}?rm=$request_method
+    nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
+    nginx.ingress.kubernetes.io/auth-snippet: |
+      proxy_set_header X-Forwarded-Method $request_method;
+      auth_request_set $user $upstream_http_remote_user;
+      auth_request_set $groups $upstream_http_remote_groups;
+      auth_request_set $name $upstream_http_remote_name;
+      auth_request_set $email $upstream_http_remote_email;
+      proxy_set_header X-Remote-User $user;
+      proxy_set_header X-Remote-Fullname $name;
+      proxy_set_header X-Remote-Email $email;
+spec:
+  ingressClassName: {{ .Values.homey.ingress_class }}
+  tls:
+    - hosts:
+      - dav.{{ .Values.homey.url }}
+      secretName: {{ .Values.homey.certname }}
+  rules:
+  - host: dav.{{ .Values.homey.url }}
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: baikal
+            port:
+              number: 80
+---
@@ -0,0 +1,162 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: sogo-postgres-pvc
+spec:
+  accessModes:
+  - ReadWriteMany
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: longhorn
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: sogo-db-pass
+type: Opaque
+data:
+  password: sogo
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: sogo-postgres-config
+  labels:
+    app: sogo-postgres
+data:
+  POSTGRES_DB: sogo
+  POSTGRES_USER: sogo
+  POSTGRES_PASSWORD: sogo
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: sogo-postgres
+  labels:
+    app: sogo-postgres
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: sogo-postgres
+  template:
+    metadata:
+      labels:
+        app: sogo-postgres
+        name: sogo-postgres
+    spec:
+      containers:
+      - name: postgres
+        image: postgres
+        imagePullPolicy: "IfNotPresent"
+        ports:
+        - containerPort: 5432
+        envFrom:
+        - configMapRef:
+            name: sogo-postgres-config
+        volumeMounts:
+        - mountPath: /var/lib/postgresql/data
+          subPath: sogo/db/data
+          name: sogo-postgresdb
+      volumes:
+      - name: sogo-postgresdb
+        persistentVolumeClaim:
+          claimName: sogo-postgres-pvc
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: sogo-postgres
+  labels:
+    app: sogo-postgres
+spec:
+  ports:
+   - port: 5432
+  selector:
+    app: sogo-postgres
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: sogo-conf
+data:
+  sogo.conf: |-
+{{ tpl (.Files.Get "files/sogo.conf" | indent 4) . }}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: sogo
+  labels:
+    app: sogo
+spec:
+  ports:
+  - port: 80
+    targetPort: 80
+  selector:
+    app: sogo
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: sogo
+spec:
+  # Stop old container before starting new one.
+  # No known upgrade policy know. Save to stop and start a new one.
+  strategy:
+    type: Recreate
+    rollingUpdate: null
+  selector:
+    matchLabels:
+      app: sogo
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: sogo
+    spec:
+      containers:
+      - name: sogo
+        image: mailcow/sogo:nightly-1.119
+        resources:
+          requests:
+            cpu: 100m
+            memory: 400Mi
+        ports:
+        - containerPort: 80
+        volumeMounts:
+        - mountPath: /etc/sogo/sogo.conf
+          name: sogo-conf
+          subPath: sogo.conf
+          readOnly: true
+      volumes:
+      - name: sogo-conf
+        configMap:
+          name: sogo-conf
+          optional: false
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: sogo-ingress
+spec:
+  ingressClassName: {{ .Values.homey.ingress_class }}
+  tls:
+    - hosts:
+      - git.{{ .Values.homey.url }}
+      secretName: {{ .Values.homey.certname }}
+  rules:
+  - host: sogo.{{ .Values.homey.url }}
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: soo
+            port:
+              number: 80
+
+---