diff --git a/README.org b/README.org
index 69daefa..c2b0794 100644
--- a/README.org
+++ b/README.org
@@ -72,18 +72,6 @@ First Name Attribute: cn Surname Attribute: sn Email Attribute: mail -* Jackett -Go into "indexers" and add indexer - -* Piwigo -Host we configure outright -User, we'll configure 'admin' -Password, it's configured as a secret -Database name... - -host - piwigo-mysql -user - postgres -password - from secret -database-name - piwigo_db -piwigo_
+* EVERYTHING
+https://www.talkingquickly.co.uk/gitea-sso-with-keycloak-openldap-openid-connect
diff --git a/templates/_definitions.yaml b/templates/_definitions.yaml
new file mode 100644
index 0000000..924c55b
--- /dev/null
+++ b/templates/_definitions.yaml
@@ -0,0 +1,19 @@
+{{- define "homey.randomsecret"}}
+apiVersion: v1
+kind: Secret
+metadata:
+ name: {{ .secretname }}
+type: Opaque
+data:
+ {{- $secretObj := (lookup "v1" "Secret" .Release.Namespace (.secretname | quote)) | default dict }}
+ {{- $secretData := (get $secretObj "data") | default dict }}
+ {{- $pass := (get $secretData "password") | default (randAlphaNum 32 | b64enc) }}
+ password: {{ $pass | quote }}
+{{- end }}
+
+{{- define "homey.lookuprandomsecret" -}}
+{{- $secretObj := (lookup "v1" "Secret" .Release.Namespace (.secretname | quote)) | default dict -}}
+{{- $secretData := (get $secretObj "data") | default dict -}}
+{{- $pass := (get $secretData "password") | default "UNDEFINED" -}}
+{{- $pass | quote -}}
+{{- end -}}
diff --git a/templates/auth.yaml b/templates/auth.yaml
new file mode 100644
index 0000000..87511b4
--- /dev/null
+++ b/templates/auth.yaml
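Review bot: `lookup "v1" "Secret" .Release.Namespace (.secretname | quote)` in both defines can never find the existing Secret: sprig's `quote` returns the name with literal double-quote characters embedded, so the API lookup asks for `"openldap-admin"` (quotes included), `$secretObj` is always the empty dict, `homey.randomsecret` mints a fresh `randAlphaNum 32` on every `helm upgrade`, and `homey.lookuprandomsecret` always returns `UNDEFINED`. Drop the filter in both places: `{{- $secretObj := (lookup "v1" "Secret" .Release.Namespace .secretname) | default dict }}`. This matters most for the LDAP secrets, because the openldap Deployment feeds them in as `LDAP_ADMIN_PASSWORD`/`LDAP_CONFIG_PASSWORD`, and if the image only applies those at first bootstrap (as I believe osixia/openldap does) the rotated Secret diverges from what is stored in `slapd.d` on the NFS volume and the admin credential is effectively lost. The per-file Secrets this commit deletes carried `"helm.sh/resource-policy": "keep"`; the shared define drops it, so `helm uninstall` now removes the passwords while the directory data on the volume survives — put the annotation back under `metadata`. The `default "UNDEFINED"` fallback silently hands consumers a bogus credential (and `lookup` also returns nothing under `helm template`/`--dry-run`, so a GitOps renderer would hit it every time); `required` or `fail` would surface the missing Secret instead.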
@@ -0,0 +1,267 @@ +--- +{{- define "homey.auth.ingress.annotations" }} + nginx.ingress.kubernetes.io/auth-url: "https://git.zakobar.com/oauth/authorize" + nginx.ingress.kubernetes.io/auth-signin: "https://git.zakobar.com/login" + # nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Email + # nginx.ingress.kubernetes.io/configuration-snippet: |- + # proxy_set_header X-Ldap-URL "ldap://openldap"; + # proxy_set_header X-Ldap-BaseDN "ou=users,{{ .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim }}"; + # proxy_set_header X-Ldap-BindDN "cn=readonly,{{ .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim }}"; + # proxy_set_header X-Ldap-BindPass {{ (get (get (lookup "v1" "Secret" .Release.Namespace "openldap-ro") "data") "password") | b64dec | quote}}; + # proxy_set_header X-CookieName "homey.auth.cookie"; + # proxy_set_header Cookie $cookie_homey.auth.cookie; + # proxy_set_header X-Remote-User $remote_user; + # proxy_set_header X-Forwarded-Method $request_method; + # proxy_set_header X-Ldap-Template "(uid=%(username)s)"; +{{- end }} +--- +{{ template "homey.randomsecret" (merge (dict "secretname" "openldap-admin") $) }} +# --- +{{ template "homey.randomsecret" (merge (dict "secretname" "openldap-config") $) }} +# --- +{{ template "homey.randomsecret" (merge (dict "secretname" "openldap-ro") $) }} +--- +# {{ template "homey.randomsecret" (merge (dict "secretname" "keycloak-pass") $) }} +--- +# {{ template "homey.randomsecret" (merge (dict "secretname" "keycloak-db-pass") $) }} +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: openldap + labels: + app.kubernetes.io/name: openldap +spec: + selector: + matchLabels: + app.kubernetes.io/name: openldap + replicas: 1 + template: + metadata: + labels: + app.kubernetes.io/name: openldap + spec: + # securityContext: + # fsGroup: 0 + containers: + - name: openldap + image: osixia/openldap + imagePullPolicy: "Always" + env: + - name: LDAP_ORGANISATION + value: {{ 
.Values.homey.organization }} + - name: LDAP_DOMAIN + value: {{ .Values.homey.url | quote}} + - name: LDAP_ADMIN_USERNAME + value: "admin" + - name: LDAP_READONLY_USER + value: "true" + - name: LDAP_ADMIN_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: openldap-admin + - name: LDAP_CONFIG_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: openldap-config + - name: LDAP_READONLY_USER_PASSWORD + valueFrom: + secretKeyRef: + key: password + name: openldap-ro + ports: + - name: tcp-ldap + containerPort: 389 + - name: ssl-ldap + containerPort: 636 + volumeMounts: + - mountPath: /etc/ldap/slapd.d + subPath: openldap/etc/ldap/slapd.d + name: openldap-volume + - mountPath: /var/lib/ldap + subPath: openldap/var/lib/ldap + name: openldap-volume + volumes: + - name: openldap-volume + persistentVolumeClaim: + claimName: homey-pvc-nfs +--- +apiVersion: v1 +kind: Service +metadata: + name: openldap + labels: + app.kubernetes.io/name: openldap +spec: + type: ClusterIP + ports: + - name: tcp-ldap + port: 389 + targetPort: tcp-ldap + - name: ssl-ldap + port: 636 + targetPort: ssl-ldap + selector: + app.kubernetes.io/name: openldap +--- +# --- +# apiVersion: v1 +# kind: ConfigMap +# metadata: +# name: keycloak-postgres-config +# labels: +# app: keycloak-postgres +# data: +# POSTGRES_DB: keycloak-db +# POSTGRES_USER: keycloak-admin +# --- +# apiVersion: apps/v1 +# kind: Deployment +# metadata: +# name: keycloak-postgres +# labels: +# app: keycloak-postgres +# spec: +# replicas: 1 +# selector: +# matchLabels: +# app: keycloak-postgres +# template: +# metadata: +# labels: +# app: keycloak-postgres +# name: keycloak-postgres +# spec: +# containers: +# - name: postgres +# image: postgres:10.4 +# imagePullPolicy: "IfNotPresent" +# ports: +# - containerPort: 5432 +# envFrom: +# - configMapRef: +# name: keycloak-postgres-config +# env: +# - name: POSTGRES_PASSWORD +# valueFrom: +# secretKeyRef: +# name: keycloak-db-pass +# key: password +# volumeMounts: +# - 
mountPath: /var/lib/postgresql/data +# subPath: keycloak/db/data +# name: keycloak-postgresdb +# volumes: +# - name: keycloak-postgresdb +# persistentVolumeClaim: +# claimName: homey-pvc-nfs +# --- +# apiVersion: v1 +# kind: Service +# metadata: +# name: keycloak-postgres-service +# labels: +# app: keycloak-postgres +# spec: +# ports: +# - port: 5432 +# selector: +# app: keycloak-postgres +# --- +# apiVersion: apps/v1 +# kind: Deployment +# metadata: +# name: keycloak +# labels: +# app: keycloak +# spec: +# replicas: 1 +# selector: +# matchLabels: +# app: keycloak +# template: +# metadata: +# labels: +# app: keycloak +# spec: +# containers: +# - name: keycloak +# image: mihaibob/keycloak:18.0.2-legacy +# env: +# - name: KEYCLOAK_USER +# value: "admin" +# - name: KEYCLOAK_PASSWORD +# valueFrom: +# secretKeyRef: +# name: keycloak-pass +# key: password +# - name: PROXY_ADDRESS_FORWARDING +# value: "true" +# - name: DB_ADDR +# value: keycloak-postgres-service +# - name: DB_DATABASE +# value: "keycloak-db" +# - name: DB_VENDOR +# value: postgres +# - name: DB_USER +# value: keycloak-admin +# - name: DB_PASSWORD +# valueFrom: +# secretKeyRef: +# name: keycloak-db-pass +# key: password +# ports: +# - name: http +# containerPort: 8080 +# readinessProbe: +# failureThreshold: 3 +# httpGet: +# path: /auth/realms/master/ +# port: http +# initialDelaySeconds: 240 +# timeoutSeconds: 240 +# livenessProbe: +# failureThreshold: 3 +# httpGet: +# path: /auth/ +# port: http +# initialDelaySeconds: 240 +# timeoutSeconds: 240 +# --- +# apiVersion: v1 +# kind: Service +# metadata: +# name: keycloak-web +# labels: +# app: keycloak +# spec: +# ports: +# - name: http +# port: 8080 +# targetPort: http +# selector: +# app: keycloak +# --- +# apiVersion: networking.k8s.io/v1 +# kind: Ingress +# metadata: +# name: keycloak +# spec: +# ingressClassName: {{ .Values.homey.ingress_class }} +# tls: +# - hosts: +# - keycloak.{{ .Values.homey.url }} +# secretName: {{ .Values.homey.certname }} +# 
rules: +# - host: keycloak.{{ .Values.homey.url }} +# http: +# paths: +# - path: / +# pathType: Prefix +# backend: +# service: +# name: keycloak-web +# port: +# number: 8080 diff --git a/templates/dns.yaml b/templates/dns.yaml deleted file mode 100644 index 781c71d..0000000 --- a/templates/dns.yaml +++ /dev/null @@ -1,60 +0,0 @@ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: bind - labels: - app: bind -spec: - selector: - matchLabels: - app: bind - replicas: 1 - template: - metadata: - labels: - app: bind - spec: - priorityClassName: system-node-critical - containers: - - name: bind - image: cytopia/bind - imagePullPolicy: "Always" - env: - - name: DNS_A - value: "*.{{ .Values.homey.url }}={{ .Values.homey.ip }}, {{ .Values.homey.url }}={{ .Values.homey.ip }}" - - name: DNS_FORWARDER - value: "8.8.8.8,8.8.4.4" - - name: ALLOW_RECURSION - value: "any" ---- -apiVersion: v1 -kind: Service -metadata: - name: bind-dns-udp -spec: - type: NodePort - selector: - app: bind - ports: - - port: 53 - targetPort: 53 - protocol: UDP - name: dns-udp - nodePort: 32053 ---- -apiVersion: v1 -kind: Service -metadata: - name: bind-dns-tcp -spec: - type: NodePort - selector: - app: bind - ports: - - port: 53 - targetPort: 53 - protocol: TCP - name: dns-tcp - nodePort: 32054 ---- diff --git a/templates/gitea.yaml b/templates/gitea.yaml index 66a0f93..4b81ec4 100644 --- a/templates/gitea.yaml +++ b/templates/gitea.yaml @@ -29,15 +29,12 @@ spec: containers: - name: gitea image: gitea/gitea:latest - ports: - - containerPort: 22 - name: ssh - containerPort: 3000 name: http volumeMounts: - name: gitea-persistent-storage mountPath: /data - subPath: backup/gitea/gitea/data + subPath: gitea/gitea/data volumes: - name: gitea-persistent-storage persistentVolumeClaim: 
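Review bot: The three `homey.randomsecret` renders at the top of the file are separated by `# ---` (commented out), so they land in a single YAML document with `apiVersion`/`kind`/`metadata`/`data` repeated three times; depending on the decoder the render is either rejected or only the last one (`openldap-ro`) survives, and the openldap Deployment's `secretKeyRef`s to `openldap-admin` and `openldap-config` then fail at pod start — make those real `---` separators. Conversely the `# {{ template … "keycloak-pass" … }}` and `keycloak-db-pass` lines still execute, because a YAML `#` does not suppress Go template actions (and the define's output begins with a newline, so the Secret body comes out uncommented); wrap them in `{{/* … */}}` if they are meant to be disabled. The identity store runs `image: osixia/openldap` with no tag and `imagePullPolicy: "Always"`, so every restart pulls whatever the registry currently serves; pin a tag and ideally a digest for this component in particular. If the commented `homey.auth.ingress.annotations` snippet is ever re-enabled, note that it base64-decodes the `openldap-ro` bind password straight into an Ingress annotation and a proxied request header, exposing it to anyone who can read Ingress objects and to the upstream, and that `auth-url`/`auth-signin` hardcode `git.zakobar.com` instead of deriving from `.Values.homey.url` like the rest of the chart.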
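Review bot: The three removed lines take the `ports:` key with them but leave the `- containerPort: 3000` / `name: http` item in place as context, so on the new side that sequence item hangs directly under `image: gitea/gitea:latest` and the Deployment no longer renders as valid YAML (the collapsed hunk hides indentation, but no arrangement of a list item without its parent key parses). Keep `ports:` and remove only `- containerPort: 22` / `name: ssh`. The `subPath` move from `backup/gitea/gitea/data` to `gitea/gitea/data` points the container at a different directory on the same NFS claim; unless the repositories and config were copied out-of-band first, Gitea will likely come up with an empty `/data` and re-enter its initial setup flow — verify the migration and that the new path is still inside whatever the `backup/` prefix was protecting. The enclosing Deployment starts and ends outside the hunk.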
@@ -58,23 +55,6 @@ spec: selector: app: gitea --- -apiVersion: v1 -kind: Service -metadata: - name: gitea-svc-ssh -spec: - type: NodePort - selector: - app: gitea - ports: - - name: ssh - protocol: TCP - port: 22 - targetPort: ssh - nodePort: 32222 - selector: - app: gitea ---- apiVersion: networking.k8s.io/v1 kind: Ingress metadata: diff --git a/templates/jackett.yaml b/templates/jackett.yaml deleted file mode 100644 index d4349ba..0000000 --- a/templates/jackett.yaml +++ /dev/null @@ -1,68 +0,0 @@ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: jackett - labels: - app: jackett -spec: - replicas: 1 - selector: - matchLabels: - app: jackett - template: - metadata: - labels: - app: jackett - name: jackett - spec: - containers: - - name: jackett - image: linuxserver/jackett - imagePullPolicy: Always - volumeMounts: - - name: jackett-persistent-storage - mountPath: /config - subPath: backup/jackett/config - volumes: - - name: jackett-persistent-storage - persistentVolumeClaim: - claimName: homey-pvc-nfs ---- -apiVersion: v1 -kind: Service -metadata: - name: jackett -spec: - selector: - app: jackett - ports: - - port: 9117 - targetPort: 9117 - name: jackett-web ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: jackett-ingress - annotations: - # ingress.kubernetes.io/auth-type: forward - # ingress.kubernetes.io/auth-url: http://ldap-auth.{{ .Release.Namespace }}.svc.cluster.local:80 - nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.138/24" -spec: - ingressClassName: {{ .Values.homey.ingress_class }} - tls: - - hosts: - - jackett.{{ .Values.homey.url }} - secretName: {{ .Values.homey.certname }} - rules: - - host: jackett.{{ .Values.homey.url }} - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: jackett - port: - number: 9117 diff --git a/templates/jellyfin.yaml b/templates/jellyfin.yaml deleted file mode 100644 index 1848f91..0000000 --- a/templates/jellyfin.yaml +++ /dev/null 
@@ -1,106 +0,0 @@ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: jellyfin - labels: - app: jellyfin -spec: - replicas: 1 - selector: - matchLabels: - app: jellyfin - template: - metadata: - labels: - app: jellyfin - name: jellyfin - spec: - containers: - - name: jellyfin - image: docker.io/jellyfin/jellyfin - imagePullPolicy: Always - volumeMounts: - - name: jellyfin-volume - mountPath: "/config" - subPath: backup/jellyfin/config - - name: jellyfin-volume - mountPath: "/data/movies" - subPath: nobackup/downloads/complete/movies - - name: jellyfin-volume - mountPath: "/data/tvshows" - subPath: nobackup/downloads/complete/tvshows - volumes: - - name: jellyfin-volume - persistentVolumeClaim: - claimName: homey-pvc-nfs ---- -apiVersion: v1 -kind: Service -metadata: - name: jellyfin-web -spec: - selector: - app: jellyfin - ports: - - port: 80 - targetPort: 8096 - name: jellyfin-web ---- -apiVersion: v1 -kind: Service -metadata: - name: jellyfin-web-nodeport -spec: - type: NodePort - selector: - app: jellyfin - ports: - - port: 80 - targetPort: 8096 - nodePort: 30096 - name: jellyfin-web ---- -apiVersion: v1 -kind: Service -metadata: - name: jellyfin-external-ports -spec: - type: NodePort - selector: - app: jellyfin - ports: - - port: 7359 - targetPort: 7359 - protocol: UDP - name: jellyfin-discovery-local - nodePort: 30059 - - port: 1900 - targetPort: 1900 - protocol: UDP - name: jellyfin-discovery-dnla - nodePort: 31900 ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: jellyfin-ingress - annotations: - nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16" -spec: - ingressClassName: {{ .Values.homey.ingress_class }} - tls: - - hosts: - - media.{{ .Values.homey.url }} - secretName: {{ .Values.homey.certname }} - rules: - - host: media.{{ .Values.homey.url }} - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: jellyfin-web - port: - number: 80 
diff --git a/templates/ldap-auth.yaml b/templates/ldap-auth.yaml index 5d218ef..ae77b1c 100644 --- a/templates/ldap-auth.yaml +++ b/templates/ldap-auth.yaml @@ -20,20 +20,6 @@ spec: - name: ldap-auth image: linuxserver/ldap-auth imagePullPolicy: Always - env: - - name: WERTHER_LDAP_ENDPOINTS - value: "openldap:389" - - name: WERTHER_LDAP_BINDDN - value: "cn=readonly,{{ .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim }}" - - name: WERTHER_LDAP_BINDPW - valueFrom: - secretKeyRef: - name: openldap-ro - key: password - - name: WERTHER_LDAP_BASEDN - value: "ou=users,{{ .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim }}" -# - name: LDAP_USER_FILTER -# value: "(objectClass=inetOrgPerson)" --- apiVersion: v1 kind: Service diff --git a/templates/ldap.yaml b/templates/ldap.yaml deleted file mode 100644 index 3236417..0000000 --- a/templates/ldap.yaml +++ /dev/null 
@@ -1,120 +0,0 @@ ---- -apiVersion: v1 -kind: Secret -metadata: - name: openldap-admin - annotations: - "helm.sh/resource-policy": "keep" -type: Opaque -data: - {{- $secretObj := (lookup "v1" "Secret" .Release.Namespace "openldap-admin") | default dict }} - {{- $secretData := (get $secretObj "data") | default dict }} - {{- $pass := (get $secretData "password") | default (randAlphaNum 32 | b64enc) }} - password: {{ $pass | quote }} ---- -apiVersion: v1 -kind: Secret -metadata: - name: openldap-config - annotations: - "helm.sh/resource-policy": "keep" -type: Opaque -data: - {{- $secretObj := (lookup "v1" "Secret" .Release.Namespace "openldap-config") | default dict }} - {{- $secretData := (get $secretObj "data") | default dict }} - {{- $pass := (get $secretData "password") | default (randAlphaNum 32 | b64enc) }} - password: {{ $pass | quote }} ---- -apiVersion: v1 -kind: Secret -metadata: - name: openldap-ro - annotations: - "helm.sh/resource-policy": "keep" -type: Opaque -data: - {{- $secretObj := (lookup "v1" "Secret" .Release.Namespace "openldap-ro") | default dict }} - {{- $secretData := (get $secretObj "data") | default dict }} - {{- $pass := (get $secretData "password") | default (randAlphaNum 32 | b64enc) }} - password: {{ $pass | quote }} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: openldap - labels: - app.kubernetes.io/name: openldap -spec: - selector: - matchLabels: - app.kubernetes.io/name: openldap - replicas: 1 - template: - metadata: - labels: - app.kubernetes.io/name: openldap - spec: - # securityContext: - # fsGroup: 0 - containers: - - name: openldap - image: osixia/openldap - imagePullPolicy: "Always" - env: - - name: LDAP_ORGANISATION - value: {{ .Values.homey.organization }} - - name: LDAP_DOMAIN - value: {{ .Values.homey.url | quote}} - - name: LDAP_ADMIN_USERNAME - value: "admin" - - name: LDAP_READONLY_USER - value: "true" - - name: LDAP_ADMIN_PASSWORD - valueFrom: - secretKeyRef: - key: password - name: openldap-admin - - 
name: LDAP_CONFIG_PASSWORD - valueFrom: - secretKeyRef: - key: password - name: openldap-config - - name: LDAP_READONLY_USER_PASSWORD - valueFrom: - secretKeyRef: - key: password - name: openldap-ro - ports: - - name: tcp-ldap - containerPort: 389 - - name: ssl-ldap - containerPort: 636 - volumeMounts: - - mountPath: /etc/ldap/slapd.d - subPath: backup/openldap/etc/ldap/slapd.d - name: openldap-volume - - mountPath: /var/lib/ldap - subPath: backup/openldap/var/lib/ldap - name: openldap-volume - volumes: - - name: openldap-volume - persistentVolumeClaim: - claimName: homey-pvc-nfs ---- -apiVersion: v1 -kind: Service -metadata: - name: openldap - labels: - app.kubernetes.io/name: openldap -spec: - type: ClusterIP - ports: - - name: tcp-ldap - port: 389 - targetPort: tcp-ldap - - name: ssl-ldap - port: 636 - targetPort: ssl-ldap - selector: - app.kubernetes.io/name: openldap diff --git a/templates/nefarious.yaml b/templates/nefarious.yaml deleted file mode 100644 index 7a9e2fd..0000000 --- a/templates/nefarious.yaml +++ /dev/null 
@@ -1,155 +0,0 @@ ---- -apiVersion: v1 -kind: Secret -metadata: - name: nefarious-admin - annotations: - "helm.sh/resource-policy": "keep" -type: Opaque -data: - {{- $secretObj := (lookup "v1" "Secret" .Release.Namespace "nefarious-admin") | default dict }} - {{- $secretData := (get $secretObj "data") | default dict }} - {{- $pass := (get $secretData "password") | default (randAlphaNum 32 | b64enc) }} - password: {{ $pass | quote }} - ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: nefarious - labels: - app: nefarious -spec: - replicas: 1 - selector: - matchLabels: - app: nefarious - template: - metadata: - labels: - app: nefarious - name: nefarious - spec: - containers: - - name: nefarious - image: lardbit/nefarious - imagePullPolicy: Always - env: - - name: NEFARIOUS_USER - value: "admin" - - name: NEFARIOUS_PASS - valueFrom: - secretKeyRef: - key: password - name: nefarious-admin - - name: DATABASE_URL - value: "sqlite:////nefarious-db/db.sqlite3" - - name: REDIS_HOST - value: "redis" - - name: REDIS_PORT - value: "6379" - - name: HOST_DOWNLOAD_PATH - value: "/downloads/complete" - - name: CONFIG_PATH - value: "/nefarious-db" - - name: INTERNAL_DOWNLOAD_PATH - value: "/downloads/complete" - volumeMounts: - - name: nefarious-persistent-storage - mountPath: /nefarious-db - subPath: backup/nefarious/nefarious-db - - name: nefarious-persistent-storage - mountPath: /downloads/complete/movies - subPath: nobackup/downloads/complete/movies - - name: nefarious-persistent-storage - mountPath: /downloads/complete/tvshows - subPath: nobackup/downloads/complete/tvshows - volumes: - - name: nefarious-persistent-storage - persistentVolumeClaim: - claimName: homey-pvc-nfs ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: celery - labels: - app: celery -spec: - replicas: 1 - selector: - matchLabels: - app: celery - template: - metadata: - labels: - app: celery - name: celery - spec: - containers: - - name: celery - image: lardbit/nefarious - 
imagePullPolicy: Always - command: ["/app/entrypoint-celery.sh"] - env: - - name: DATABASE_URL - value: "sqlite:////nefarious-db/db.sqlite3" - - name: REDIS_HOST - value: "redis" - - name: REDIS_URL - value: "redis://redis:6379/" - - name: REDIS_PORT - value: "6379" - - name: REDIS_DB - value: "0" - - name: HOST_DOWNLOAD_PATH - value: "/downloads" - - name: INTERNAL_DOWNLOAD_PATH - value: "/downloads" - volumeMounts: - - name: celery-persistent-storage - mountPath: /nefarious-db - subPath: backup/nefarious/nefarious-db - - name: celery-persistent-storage - mountPath: /downloads - subPath: nobackup/downloads - volumes: - - name: celery-persistent-storage - persistentVolumeClaim: - claimName: homey-pvc-nfs ---- -apiVersion: v1 -kind: Service -metadata: - name: nefarious -spec: - selector: - app: nefarious - ports: - - port: 80 - targetPort: 80 - name: nefarious ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: nefarious-ingress - annotations: - nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16" -spec: - ingressClassName: {{ .Values.homey.ingress_class }} - tls: - - hosts: - - nefarious.{{ .Values.homey.url }} - secretName: {{ .Values.homey.certname }} - rules: - - host: nefarious.{{ .Values.homey.url }} - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: nefarious - port: - number: 80 diff --git a/templates/nextcloud.yaml b/templates/nextcloud.yaml index e6de511..dd213ee 100644 --- a/templates/nextcloud.yaml +++ b/templates/nextcloud.yaml @@ -57,7 +57,7 @@ spec: key: password volumeMounts: - mountPath: /var/lib/postgresql/data - subPath: backup/nextcloud/db + subPath: nextcloud/db name: nextcloud-postgredb volumes: - name: nextcloud-postgredb @@ -100,7 +100,7 @@ spec: volumeMounts: - name: nextcloud-volume mountPath: "/var/www/html" - subPath: backup/nextcloud/html + subPath: nextcloud/html envFrom: - configMapRef: name: nextcloud-postgres-config 
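Review bot: Changing `subPath` from `backup/nextcloud/db` to `nextcloud/db` on the shared `homey-pvc-nfs` claim points Postgres at a different directory on the same export; unless the data was moved out-of-band before this upgrade, the container sees an empty `PGDATA`, initialises a brand-new cluster with the Secret password, and Nextcloud comes up against an empty database (the `/var/www/html` hunk just below has the same effect for the application files). The dropped `backup/` prefix suggests the old tree sat inside whatever gets backed up — confirm the new location is still covered, since this is the store of user data and credentials. A one-line comment above the mount would record the migration, e.g. `# data dir moved from backup/nextcloud/db; copy existing data before upgrading`. The enclosing Deployment starts and ends outside the hunk.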
@@ -136,96 +136,13 @@ kind: Ingress metadata: name: nextcloud-ingress annotations: - nginx.org/server-snippets: | - server_tokens off; - proxy_hide_header X-Powered-By; - proxy_hide_header Upgrade; - - # Rule borrowed from `.htaccess` to handle Microsoft DAV clients - location = / { - if ( $http_user_agent ~ ^DavClnt ) { - return 302 /remote.php/webdav/$is_args$args; - } - } - - location = /robots.txt { - allow all; - log_not_found off; - access_log off; - } - + nginx.ingress.kubernetes.io/server-snippet: | # Make a regex exception for `/.well-known` so that clients can still # access it despite the existence of the regex rule # `location ~ /(\.|autotest|...)` which would otherwise handle requests # for `/.well-known`. - location ^~ /.well-known { - # The rules in this block are an adaptation of the rules - # in `.htaccess` that concern `/.well-known`. - - location = /.well-known/carddav { return 301 /remote.php/dav/; } - location = /.well-known/caldav { return 301 /remote.php/dav/; } - - location /.well-known/acme-challenge { try_files $uri $uri/ =404; } - location /.well-known/pki-validation { try_files $uri $uri/ =404; } - - # Let Nextcloud's API for `/.well-known` URIs handle all other - # requests by passing them to the front-end controller. - return 301 /index.php$request_uri; - } - - # Rules borrowed from `.htaccess` to hide certain paths from clients - location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; } - location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; } - - # Ensure this block, which passes PHP files to the PHP process, is above the blocks - # which handle static assets (as seen below). If this block is not declared first, - # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php` - # to the URI, resulting in a HTTP 500 error response. 
- location ~ \.php(?:$|/) { - # Required for legacy support - rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri; - - fastcgi_split_path_info ^(.+?\.php)(/.*)$; - set $path_info $fastcgi_path_info; - - try_files $fastcgi_script_name =404; - - include fastcgi_params; - fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name; - fastcgi_param PATH_INFO $path_info; - fastcgi_param HTTPS on; - - fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice - fastcgi_param front_controller_active true; # Enable pretty urls - fastcgi_pass php-handler; - - fastcgi_intercept_errors on; - fastcgi_request_buffering off; - - fastcgi_max_temp_file_size 0; - } - - location ~ \.(?:css|js|svg|gif|png|jpg|ico|wasm|tflite|map)$ { - try_files $uri /index.php$request_uri; - add_header Cache-Control "public, max-age=15778463, $asset_immutable"; - access_log off; # Optional: Don't log access to assets - - location ~ \.wasm$ { - default_type application/wasm; - } - } - - location ~ \.woff2?$ { - try_files $uri /index.php$request_uri; - expires 7d; # Cache-Control policy borrowed from `.htaccess` - access_log off; # Optional: Don't log access to assets - } - - # Rule borrowed from `.htaccess` - location /remote { - return 301 /remote.php$request_uri; - } - + location = /.well-known/carddav { return 301 https://nextcloud.zakobar.com/remote.php/dav/; } + location = /.well-known/caldav { return 301 https://nextcloud.zakobar.com/remote.php/dav/; } spec: ingressClassName: {{ .Values.homey.ingress_class }} tls: diff --git a/templates/photoprism.yaml b/templates/photoprism.yaml deleted file mode 100644 index cd53d59..0000000 --- a/templates/photoprism.yaml +++ /dev/null 
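Review bot: Both `return 301` targets hardcode `https://nextcloud.zakobar.com/remote.php/dav/`, while `ingressClassName` just below and every other host in this chart are templated from `.Values`; use `https://nextcloud.{{ .Values.homey.url }}/remote.php/dav/` so a values change cannot send CalDAV/CardDAV clients to a different origin than the one whose certificate they validated. The comment kept above the two locations still refers to a `location ~ /(\.|autotest|...)` regex rule that this hunk deletes; replace it with something like `# CalDAV/CardDAV discovery: Nextcloud expects these .well-known paths to redirect to remote.php/dav/`. `nginx.ingress.kubernetes.io/server-snippet` is only honoured when the controller runs with `allow-snippet-annotations` enabled, and that switch lets any Ingress author in the cluster inject arbitrary nginx config, so confirm it is deliberately on rather than assuming the redirects work. As far as I can tell, losing the removed `server_tokens off` / `proxy_hide_header` lines changes nothing in practice, since `nginx.org/server-snippets` is not an annotation ingress-nginx reads.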
@@ -1,126 +0,0 @@ ---- -apiVersion: v1 -kind: Secret -metadata: - name: photoprism-admin - annotations: - "helm.sh/resource-policy": "keep" -type: Opaque -data: - {{- $secretObj := (lookup "v1" "Secret" .Release.Namespace "photoprism-admin") | default dict }} - {{- $secretData := (get $secretObj "data") | default dict }} - {{- $pass := (get $secretData "password") | default (randAlphaNum 32 | b64enc) }} - password: {{ $pass | quote }} ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: photoprism -spec: - replicas: 1 - selector: - matchLabels: - app: photoprism - template: - metadata: - labels: - app: photoprism - spec: - containers: - - name: photoprism - image: photoprism/photoprism - env: - - name: PHOTOPRISM_ADMIN_PASSWORD - valueFrom: - secretKeyRef: - key: password - name: photoprism-admin - - name: PHOTOPRISM_ORIGINALS_LIMIT - value: "50000" - - name: PHOTOPRISM_HTTP_COMPRESSION - value: "gzip" - - name: PHOTOPRISM_DEBUG - value: "false" - - name: PHOTOPRISM_PUBLIC - value: "true" - - name: PHOTOPRISM_READONLY - value: "false" - - name: PHOTOPRISM_EXPERIMENTAL - value: "false" - - name: PHOTOPRISM_DISABLE_WEBDAV - value: "false" - - name: PHOTOPRISM_DISABLE_SETTINGS - value: "false" - - name: PHOTOPRISM_DISABLE_TENSORFLOW - value: "false" - - name: PHOTOPRISM_DARKTABLE_PRESETS - value: "false" - - name: PHOTOPRISM_DETECT_NSFW - value: "false" - - name: PHOTOPRISM_UPLOAD_NSFW - value: "true" - - name: PHOTOPRISM_DATABASE_DRIVER - value: "sqlite" - - name: PHOTOPRISM_SITE_URL - value: "http://gallery.{{ .Values.homey.url }}" - - name: PHOTOPRISM_SITE_TITLE - value: "PhotoPrism" - - name: PHOTOPRISM_SITE_CAPTION - value: "Browse Your Life" - - name: PHOTOPRISM_SITE_DESCRIPTION - value: "" - - name: PHOTOPRISM_SITE_AUTHOR - value: "" - volumeMounts: - - name: photoprism-persistent-storage - mountPath: /photoprism/storage - subPath: backup/photoprism/photoprism/storage - - name: photoprism-persistent-storage - mountPath: /photoprism/originals - 
subPath: backup/photoprism/originals - - name: photoprism-persistent-storage - mountPath: /var/lib/mysql - subPath: backup/photoprism/var/lib/mysql - volumes: - - name: photoprism-persistent-storage - persistentVolumeClaim: - claimName: homey-pvc-nfs ---- -apiVersion: v1 -kind: Service -metadata: - name: photoprism-svc -spec: - ports: - - name: http - protocol: TCP - port: 2342 - targetPort: 2342 - selector: - app: photoprism ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: photoprism-ingress - annotations: - nginx.ingress.kubernetes.io/auth-url: http://ldap-auth.{{ .Release.Namespace }}.svc.cluster.local:80 - nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16" - nginx.ingress.kubernetes.io/proxy-body-size: 5g -spec: - ingressClassName: {{ .Values.homey.ingress_class }} - tls: - - hosts: - - album.{{ .Values.homey.url }} - secretName: {{ .Values.homey.certname }} - rules: - - host: album.{{ .Values.homey.url }} - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: photoprism-svc - port: - number: 2342 diff --git a/templates/piwigo.yaml b/templates/piwigo.yaml deleted file mode 100644 index 0b08290..0000000 --- a/templates/piwigo.yaml +++ /dev/null 
@@ -1,178 +0,0 @@ ---- -apiVersion: v1 -kind: Secret -metadata: - name: piwigo-mysql-pass - annotations: - "helm.sh/resource-policy": "keep" -type: Opaque -data: - {{- $secretObj := (lookup "v1" "Secret" .Release.Namespace "piwigo-mysql-pass") | default dict }} - {{- $secretData := (get $secretObj "data") | default dict }} - {{- $pass := (get $secretData "password") | default (randAlphaNum 32 | b64enc) }} - password: {{ $pass | quote }} ---- -apiVersion: v1 -kind: Secret -metadata: - name: piwigo-mysql-root-pass - annotations: - "helm.sh/resource-policy": "keep" -type: Opaque -data: - {{- $secretObj := (lookup "v1" "Secret" .Release.Namespace "piwigo-mysql-root-pass") | default dict }} - {{- $secretData := (get $secretObj "data") | default dict }} - {{- $pass := (get $secretData "password") | default (randAlphaNum 32 | b64enc) }} - password: {{ $pass | quote }} ---- -apiVersion: v1 -kind: Secret -metadata: - name: piwigo-admin - annotations: - "helm.sh/resource-policy": "keep" -type: Opaque -data: - {{- $secretObj := (lookup "v1" "Secret" .Release.Namespace "piwigo-admin") | default dict }} - {{- $secretData := (get $secretObj "data") | default dict }} - {{- $pass := (get $secretData "password") | default (randAlphaNum 32 | b64enc) }} - password: {{ $pass | quote }} ---- ---- -# apiVersion: extensions/v1beta1 -apiVersion: v1 -kind: ConfigMap -metadata: - name: piwigo-mysql-config - labels: - app: piwigo-mysql -data: - MYSQL_DATABASE: piwigo_db - MYSQL_USER: piwigo ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: piwigo-mysql - labels: - app: piwigo-mysql -spec: - replicas: 1 - selector: - matchLabels: - app: piwigo-mysql - template: - metadata: - labels: - app: piwigo-mysql - name: piwigo-mysql - spec: - containers: - - name: piwigo-mysql - image: mysql - imagePullPolicy: "IfNotPresent" - ports: - - containerPort: 3306 - envFrom: - - configMapRef: - name: piwigo-mysql-config - env: - - name: MYSQL_ROOT_PASSWORD - valueFrom: - secretKeyRef: - name: 
piwigo-mysql-root-pass - key: password - - name: MYSQL_PASSWORD - valueFrom: - secretKeyRef: - name: piwigo-mysql-pass - key: password - volumeMounts: - - mountPath: /var/lib/mysql - subPath: backup/piwigo/db - name: piwigo-mysql-db - volumes: - - name: piwigo-mysql-db - persistentVolumeClaim: - claimName: homey-pvc-nfs ---- -apiVersion: v1 -kind: Service -metadata: - name: piwigo-mysql - labels: - app: piwigo-mysql -spec: - ports: - - port: 3306 - selector: - app: piwigo-mysql ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: piwigo -spec: - replicas: 1 - selector: - matchLabels: - app: piwigo - template: - metadata: - labels: - app: piwigo - spec: - containers: - - name: piwigo - image: linuxserver/piwigo - volumeMounts: - - name: piwigo-persistent-storage - mountPath: /config - subPath: backup/piwigo/config - - name: piwigo-persistent-storage - mountPath: /gallery - subPath: backup/piwigo/gallery - volumes: - - name: piwigo-persistent-storage - persistentVolumeClaim: - claimName: homey-pvc-nfs ---- -apiVersion: v1 -kind: Service -metadata: - name: piwigo-svc -spec: - ports: - - name: http - protocol: TCP - port: 80 - targetPort: 80 - selector: - app: piwigo ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: piwigo-ingress - annotations: - # nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16" - nginx.ingress.kubernetes.io/auth-type: forward - nginx.ingress.kubernetes.io/auth-url: http://ldap-auth.{{ .Release.Namespace }}.svc.cluster.local:80 - nginx.ingress.kubernetes.io/proxy-body-size: 5g -spec: - ingressClassName: {{ .Values.homey.ingress_class }} - tls: - - hosts: - - piwigo.{{ .Values.homey.url }} - secretName: {{ .Values.homey.certname }} - rules: - - host: piwigo.{{ .Values.homey.url }} - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: piwigo-svc - port: - number: 80 diff --git a/templates/redis.yaml b/templates/redis.yaml deleted file mode 100644 index 24daea7..0000000 
--- a/templates/redis.yaml +++ /dev/null @@ -1,33 +0,0 @@ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: redis - labels: - app: redis -spec: - replicas: 1 - selector: - matchLabels: - app: redis - template: - metadata: - labels: - app: redis - name: redis - spec: - containers: - - name: redis - image: redis ---- -apiVersion: v1 -kind: Service -metadata: - name: redis -spec: - selector: - app: redis - ports: - - port: 6379 - targetPort: 6379 - name: nefarious diff --git a/templates/transmission.yaml b/templates/transmission.yaml deleted file mode 100644 index 7c63839..0000000 --- a/templates/transmission.yaml +++ /dev/null 
@@ -1,85 +0,0 @@ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: transmission - labels: - app: transmission -spec: - replicas: 1 - selector: - matchLabels: - app: transmission - template: - metadata: - labels: - app: transmission - name: transmission - spec: - containers: - - name: transmission - image: linuxserver/transmission - imagePullPolicy: Always - env: - - name: PUID - value: "0" - - name: PGID - value: "0" - - name: TRANSMISSION_DOWNLOAD_DIR - value: "/downloads" - volumeMounts: - - name: transmission-persistent - mountPath: /config - subPath: backup/transmission/config - - name: transmission-persistent - mountPath: /downloads/complete/movies - subPath: nobackup/downloads/complete/movies - - name: transmission-persistent - mountPath: /downloads/complete/tvshows - subPath: nobackup/downloads/complete/tvshows - - name: transmission-persistent - mountPath: /downloads/incomplete - subPath: nobackup/downloads/incomplete - volumes: - - name: transmission-persistent - persistentVolumeClaim: - claimName: homey-pvc-nfs ---- -apiVersion: v1 -kind: Service -metadata: - name: transmission-web -spec: - selector: - app: transmission - ports: - - port: 80 - targetPort: 9091 - name: transmission-web ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: transmission-ingress - annotations: - # nginx.ingress.kubernetes.io/auth-type: forward - # nginx.ingress.kubernetes.io/global-auth-url: http://ldap-auth.{{ .Release.Namespace }}.svc.cluster.local:80 - # nginx.ingress.kubernetes.io/proxy_pass: http://ldap-auth.{{ .Release.Namespace }}.svc.cluster.local:80 - nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16" -spec: - ingressClassName: {{ .Values.homey.ingress_class }} - tls: - - hosts: - - torrent.{{ .Values.homey.url }} - secretName: {{ .Values.homey.certname }} - rules: - - host: torrent.{{ .Values.homey.url }} - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: transmission-web - port: - number: 80 
diff --git a/values.yaml b/values.yaml index fd08082..8a20405 100644 --- a/values.yaml +++ b/values.yaml @@ -60,7 +60,7 @@ homey: organization: "Zakobar Home Server" storage: ip: "10.0.0.100" - storageCapacity: 450Gi + storageCapacity: 30Gi url: zakobar.com ip: 10.0.0.100 certname: zakobarcert
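Review bot: Lowering `storageCapacity` from `450Gi` to `30Gi` cannot be applied to an existing claim — Kubernetes rejects any decrease of `spec.resources.requests.storage` on a PersistentVolumeClaim (the field may only grow) — so if this value feeds `homey-pvc-nfs`, which every Deployment in the chart mounts, `helm upgrade` will fail on that object; either keep the previous value or delete and recreate the PVC/PV deliberately, with the data migration that implies. A comment on the key would stop the next edit from hitting the same wall, e.g. `# immutable once the PVC exists: requests.storage can grow but never shrink`.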