aner/homey
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Wow I am making way too many changes for my own good

Browse Source
This commit is contained in:
Aner Zakobar
2023-02-25 22:58:21 +02:00
parent eac370530e
commit 51336c3213
16 changed files with 295 additions and 1069 deletions
Download Patch File Download Diff File Expand all files Collapse all files
README.org
+2 -14
View File
@@ -72,18 +72,6 @@ First Name Attribute: cn
Surname Attribute: sn Surname Attribute: sn
Email Attribute: mail Email Attribute: mail
* Jackett
Go into "indexers" and add indexer * EVERYTHING
https://www.talkingquickly.co.uk/gitea-sso-with-keycloak-openldap-openid-connect
* Piwigo
Host we configure outright
User, we'll configure 'admin'
Password, it's configured as a secret
Database name...
host - piwigo-mysql
user - postgres
password - from secret
database-name - piwigo_db
piwigo_
templates/_definitions.yaml
+19
View File
@@ -0,0 +1,19 @@
{{- define "homey.randomsecret"}}
apiVersion: v1
kind: Secret
metadata:
name: {{ .secretname }}
type: Opaque
data:
{{- $secretObj := (lookup "v1" "Secret" .Release.Namespace (.secretname | quote)) | default dict }}
{{- $secretData := (get $secretObj "data") | default dict }}
{{- $pass := (get $secretData "password") | default (randAlphaNum 32 | b64enc) }}
password: {{ $pass | quote }}
{{- end }}
{{- define "homey.lookuprandomsecret" -}}
{{- $secretObj := (lookup "v1" "Secret" .Release.Namespace (.secretname | quote)) | default dict -}}
{{- $secretData := (get $secretObj "data") | default dict -}}
{{- $pass := (get $secretData "password") | default "UNDEFINED" -}}
{{- $pass | quote -}}
{{- end -}}
templates/auth.yaml
+267
View File
@@ -0,0 +1,267 @@
---
{{- define "homey.auth.ingress.annotations" }}
nginx.ingress.kubernetes.io/auth-url: "https://git.zakobar.com/oauth/authorize"
nginx.ingress.kubernetes.io/auth-signin: "https://git.zakobar.com/login"
# nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Email
# nginx.ingress.kubernetes.io/configuration-snippet: |-
# proxy_set_header X-Ldap-URL "ldap://openldap";
# proxy_set_header X-Ldap-BaseDN "ou=users,{{ .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim }}";
# proxy_set_header X-Ldap-BindDN "cn=readonly,{{ .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim }}";
# proxy_set_header X-Ldap-BindPass {{ (get (get (lookup "v1" "Secret" .Release.Namespace "openldap-ro") "data") "password") | b64dec | quote}};
# proxy_set_header X-CookieName "homey.auth.cookie";
# proxy_set_header Cookie $cookie_homey.auth.cookie;
# proxy_set_header X-Remote-User $remote_user;
# proxy_set_header X-Forwarded-Method $request_method;
# proxy_set_header X-Ldap-Template "(uid=%(username)s)";
{{- end }}
---
{{ template "homey.randomsecret" (merge (dict "secretname" "openldap-admin") $) }}
# ---
{{ template "homey.randomsecret" (merge (dict "secretname" "openldap-config") $) }}
# ---
{{ template "homey.randomsecret" (merge (dict "secretname" "openldap-ro") $) }}
---
# {{ template "homey.randomsecret" (merge (dict "secretname" "keycloak-pass") $) }}
---
# {{ template "homey.randomsecret" (merge (dict "secretname" "keycloak-db-pass") $) }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: openldap
labels:
app.kubernetes.io/name: openldap
spec:
selector:
matchLabels:
app.kubernetes.io/name: openldap
replicas: 1
template:
metadata:
labels:
app.kubernetes.io/name: openldap
spec:
# securityContext:
# fsGroup: 0
containers:
- name: openldap
image: osixia/openldap
imagePullPolicy: "Always"
env:
- name: LDAP_ORGANISATION
value: {{ .Values.homey.organization }}
- name: LDAP_DOMAIN
value: {{ .Values.homey.url | quote}}
- name: LDAP_ADMIN_USERNAME
value: "admin"
- name: LDAP_READONLY_USER
value: "true"
- name: LDAP_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: openldap-admin
- name: LDAP_CONFIG_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: openldap-config
- name: LDAP_READONLY_USER_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: openldap-ro
ports:
- name: tcp-ldap
containerPort: 389
- name: ssl-ldap
containerPort: 636
volumeMounts:
- mountPath: /etc/ldap/slapd.d
subPath: openldap/etc/ldap/slapd.d
name: openldap-volume
- mountPath: /var/lib/ldap
subPath: openldap/var/lib/ldap
name: openldap-volume
volumes:
- name: openldap-volume
persistentVolumeClaim:
claimName: homey-pvc-nfs
---
apiVersion: v1
kind: Service
metadata:
name: openldap
labels:
app.kubernetes.io/name: openldap
spec:
type: ClusterIP
ports:
- name: tcp-ldap
port: 389
targetPort: tcp-ldap
- name: ssl-ldap
port: 636
targetPort: ssl-ldap
selector:
app.kubernetes.io/name: openldap
---
# ---
# apiVersion: v1
# kind: ConfigMap
# metadata:
# name: keycloak-postgres-config
# labels:
# app: keycloak-postgres
# data:
# POSTGRES_DB: keycloak-db
# POSTGRES_USER: keycloak-admin
# ---
# apiVersion: apps/v1
# kind: Deployment
# metadata:
# name: keycloak-postgres
# labels:
# app: keycloak-postgres
# spec:
# replicas: 1
# selector:
# matchLabels:
# app: keycloak-postgres
# template:
# metadata:
# labels:
# app: keycloak-postgres
# name: keycloak-postgres
# spec:
# containers:
# - name: postgres
# image: postgres:10.4
# imagePullPolicy: "IfNotPresent"
# ports:
# - containerPort: 5432
# envFrom:
# - configMapRef:
# name: keycloak-postgres-config
# env:
# - name: POSTGRES_PASSWORD
# valueFrom:
# secretKeyRef:
# name: keycloak-db-pass
# key: password
# volumeMounts:
# - mountPath: /var/lib/postgresql/data
# subPath: keycloak/db/data
# name: keycloak-postgresdb
# volumes:
# - name: keycloak-postgresdb
# persistentVolumeClaim:
# claimName: homey-pvc-nfs
# ---
# apiVersion: v1
# kind: Service
# metadata:
# name: keycloak-postgres-service
# labels:
# app: keycloak-postgres
# spec:
# ports:
# - port: 5432
# selector:
# app: keycloak-postgres
# ---
# apiVersion: apps/v1
# kind: Deployment
# metadata:
# name: keycloak
# labels:
# app: keycloak
# spec:
# replicas: 1
# selector:
# matchLabels:
# app: keycloak
# template:
# metadata:
# labels:
# app: keycloak
# spec:
# containers:
# - name: keycloak
# image: mihaibob/keycloak:18.0.2-legacy
# env:
# - name: KEYCLOAK_USER
# value: "admin"
# - name: KEYCLOAK_PASSWORD
# valueFrom:
# secretKeyRef:
# name: keycloak-pass
# key: password
# - name: PROXY_ADDRESS_FORWARDING
# value: "true"
# - name: DB_ADDR
# value: keycloak-postgres-service
# - name: DB_DATABASE
# value: "keycloak-db"
# - name: DB_VENDOR
# value: postgres
# - name: DB_USER
# value: keycloak-admin
# - name: DB_PASSWORD
# valueFrom:
# secretKeyRef:
# name: keycloak-db-pass
# key: password
# ports:
# - name: http
# containerPort: 8080
# readinessProbe:
# failureThreshold: 3
# httpGet:
# path: /auth/realms/master/
# port: http
# initialDelaySeconds: 240
# timeoutSeconds: 240
# livenessProbe:
# failureThreshold: 3
# httpGet:
# path: /auth/
# port: http
# initialDelaySeconds: 240
# timeoutSeconds: 240
# ---
# apiVersion: v1
# kind: Service
# metadata:
# name: keycloak-web
# labels:
# app: keycloak
# spec:
# ports:
# - name: http
# port: 8080
# targetPort: http
# selector:
# app: keycloak
# ---
# apiVersion: networking.k8s.io/v1
# kind: Ingress
# metadata:
# name: keycloak
# spec:
# ingressClassName: {{ .Values.homey.ingress_class }}
# tls:
# - hosts:
# - keycloak.{{ .Values.homey.url }}
# secretName: {{ .Values.homey.certname }}
# rules:
# - host: keycloak.{{ .Values.homey.url }}
# http:
# paths:
# - path: /
# pathType: Prefix
# backend:
# service:
# name: keycloak-web
# port:
# number: 8080
templates/dns.yaml
-60
View File
@@ -1,60 +0,0 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: bind
labels:
app: bind
spec:
selector:
matchLabels:
app: bind
replicas: 1
template:
metadata:
labels:
app: bind
spec:
priorityClassName: system-node-critical
containers:
- name: bind
image: cytopia/bind
imagePullPolicy: "Always"
env:
- name: DNS_A
value: "*.{{ .Values.homey.url }}={{ .Values.homey.ip }}, {{ .Values.homey.url }}={{ .Values.homey.ip }}"
- name: DNS_FORWARDER
value: "8.8.8.8,8.8.4.4"
- name: ALLOW_RECURSION
value: "any"
---
apiVersion: v1
kind: Service
metadata:
name: bind-dns-udp
spec:
type: NodePort
selector:
app: bind
ports:
- port: 53
targetPort: 53
protocol: UDP
name: dns-udp
nodePort: 32053
---
apiVersion: v1
kind: Service
metadata:
name: bind-dns-tcp
spec:
type: NodePort
selector:
app: bind
ports:
- port: 53
targetPort: 53
protocol: TCP
name: dns-tcp
nodePort: 32054
---
templates/gitea.yaml
+1 -21
View File
@@ -29,15 +29,12 @@ spec:
containers: containers:
- name: gitea - name: gitea
image: gitea/gitea:latest image: gitea/gitea:latest
ports:
- containerPort: 22
name: ssh
- containerPort: 3000 - containerPort: 3000
name: http name: http
volumeMounts: volumeMounts:
- name: gitea-persistent-storage - name: gitea-persistent-storage
mountPath: /data mountPath: /data
subPath: backup/gitea/gitea/data subPath: gitea/gitea/data
volumes: volumes:
- name: gitea-persistent-storage - name: gitea-persistent-storage
persistentVolumeClaim: persistentVolumeClaim:
@@ -58,23 +55,6 @@ spec:
selector: selector:
app: gitea app: gitea
--- ---
apiVersion: v1
kind: Service
metadata:
name: gitea-svc-ssh
spec:
type: NodePort
selector:
app: gitea
ports:
- name: ssh
protocol: TCP
port: 22
targetPort: ssh
nodePort: 32222
selector:
app: gitea
---
apiVersion: networking.k8s.io/v1 apiVersion: networking.k8s.io/v1
kind: Ingress kind: Ingress
metadata: metadata:
templates/jackett.yaml
-68
View File
@@ -1,68 +0,0 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: jackett
labels:
app: jackett
spec:
replicas: 1
selector:
matchLabels:
app: jackett
template:
metadata:
labels:
app: jackett
name: jackett
spec:
containers:
- name: jackett
image: linuxserver/jackett
imagePullPolicy: Always
volumeMounts:
- name: jackett-persistent-storage
mountPath: /config
subPath: backup/jackett/config
volumes:
- name: jackett-persistent-storage
persistentVolumeClaim:
claimName: homey-pvc-nfs
---
apiVersion: v1
kind: Service
metadata:
name: jackett
spec:
selector:
app: jackett
ports:
- port: 9117
targetPort: 9117
name: jackett-web
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: jackett-ingress
annotations:
# ingress.kubernetes.io/auth-type: forward
# ingress.kubernetes.io/auth-url: http://ldap-auth.{{ .Release.Namespace }}.svc.cluster.local:80
nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.138/24"
spec:
ingressClassName: {{ .Values.homey.ingress_class }}
tls:
- hosts:
- jackett.{{ .Values.homey.url }}
secretName: {{ .Values.homey.certname }}
rules:
- host: jackett.{{ .Values.homey.url }}
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: jackett
port:
number: 9117
templates/jellyfin.yaml
-106
View File
@@ -1,106 +0,0 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: jellyfin
labels:
app: jellyfin
spec:
replicas: 1
selector:
matchLabels:
app: jellyfin
template:
metadata:
labels:
app: jellyfin
name: jellyfin
spec:
containers:
- name: jellyfin
image: docker.io/jellyfin/jellyfin
imagePullPolicy: Always
volumeMounts:
- name: jellyfin-volume
mountPath: "/config"
subPath: backup/jellyfin/config
- name: jellyfin-volume
mountPath: "/data/movies"
subPath: nobackup/downloads/complete/movies
- name: jellyfin-volume
mountPath: "/data/tvshows"
subPath: nobackup/downloads/complete/tvshows
volumes:
- name: jellyfin-volume
persistentVolumeClaim:
claimName: homey-pvc-nfs
---
apiVersion: v1
kind: Service
metadata:
name: jellyfin-web
spec:
selector:
app: jellyfin
ports:
- port: 80
targetPort: 8096
name: jellyfin-web
---
apiVersion: v1
kind: Service
metadata:
name: jellyfin-web-nodeport
spec:
type: NodePort
selector:
app: jellyfin
ports:
- port: 80
targetPort: 8096
nodePort: 30096
name: jellyfin-web
---
apiVersion: v1
kind: Service
metadata:
name: jellyfin-external-ports
spec:
type: NodePort
selector:
app: jellyfin
ports:
- port: 7359
targetPort: 7359
protocol: UDP
name: jellyfin-discovery-local
nodePort: 30059
- port: 1900
targetPort: 1900
protocol: UDP
name: jellyfin-discovery-dnla
nodePort: 31900
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: jellyfin-ingress
annotations:
nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16"
spec:
ingressClassName: {{ .Values.homey.ingress_class }}
tls:
- hosts:
- media.{{ .Values.homey.url }}
secretName: {{ .Values.homey.certname }}
rules:
- host: media.{{ .Values.homey.url }}
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: jellyfin-web
port:
number: 80
templates/ldap-auth.yaml
-14
View File
@@ -20,20 +20,6 @@ spec:
- name: ldap-auth - name: ldap-auth
image: linuxserver/ldap-auth image: linuxserver/ldap-auth
imagePullPolicy: Always imagePullPolicy: Always
env:
- name: WERTHER_LDAP_ENDPOINTS
value: "openldap:389"
- name: WERTHER_LDAP_BINDDN
value: "cn=readonly,{{ .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim }}"
- name: WERTHER_LDAP_BINDPW
valueFrom:
secretKeyRef:
name: openldap-ro
key: password
- name: WERTHER_LDAP_BASEDN
value: "ou=users,{{ .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim }}"
# - name: LDAP_USER_FILTER
# value: "(objectClass=inetOrgPerson)"
--- ---
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
templates/ldap.yaml
-120
View File
@@ -1,120 +0,0 @@
---
apiVersion: v1
kind: Secret
metadata:
name: openldap-admin
annotations:
"helm.sh/resource-policy": "keep"
type: Opaque
data:
{{- $secretObj := (lookup "v1" "Secret" .Release.Namespace "openldap-admin") | default dict }}
{{- $secretData := (get $secretObj "data") | default dict }}
{{- $pass := (get $secretData "password") | default (randAlphaNum 32 | b64enc) }}
password: {{ $pass | quote }}
---
apiVersion: v1
kind: Secret
metadata:
name: openldap-config
annotations:
"helm.sh/resource-policy": "keep"
type: Opaque
data:
{{- $secretObj := (lookup "v1" "Secret" .Release.Namespace "openldap-config") | default dict }}
{{- $secretData := (get $secretObj "data") | default dict }}
{{- $pass := (get $secretData "password") | default (randAlphaNum 32 | b64enc) }}
password: {{ $pass | quote }}
---
apiVersion: v1
kind: Secret
metadata:
name: openldap-ro
annotations:
"helm.sh/resource-policy": "keep"
type: Opaque
data:
{{- $secretObj := (lookup "v1" "Secret" .Release.Namespace "openldap-ro") | default dict }}
{{- $secretData := (get $secretObj "data") | default dict }}
{{- $pass := (get $secretData "password") | default (randAlphaNum 32 | b64enc) }}
password: {{ $pass | quote }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: openldap
labels:
app.kubernetes.io/name: openldap
spec:
selector:
matchLabels:
app.kubernetes.io/name: openldap
replicas: 1
template:
metadata:
labels:
app.kubernetes.io/name: openldap
spec:
# securityContext:
# fsGroup: 0
containers:
- name: openldap
image: osixia/openldap
imagePullPolicy: "Always"
env:
- name: LDAP_ORGANISATION
value: {{ .Values.homey.organization }}
- name: LDAP_DOMAIN
value: {{ .Values.homey.url | quote}}
- name: LDAP_ADMIN_USERNAME
value: "admin"
- name: LDAP_READONLY_USER
value: "true"
- name: LDAP_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: openldap-admin
- name: LDAP_CONFIG_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: openldap-config
- name: LDAP_READONLY_USER_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: openldap-ro
ports:
- name: tcp-ldap
containerPort: 389
- name: ssl-ldap
containerPort: 636
volumeMounts:
- mountPath: /etc/ldap/slapd.d
subPath: backup/openldap/etc/ldap/slapd.d
name: openldap-volume
- mountPath: /var/lib/ldap
subPath: backup/openldap/var/lib/ldap
name: openldap-volume
volumes:
- name: openldap-volume
persistentVolumeClaim:
claimName: homey-pvc-nfs
---
apiVersion: v1
kind: Service
metadata:
name: openldap
labels:
app.kubernetes.io/name: openldap
spec:
type: ClusterIP
ports:
- name: tcp-ldap
port: 389
targetPort: tcp-ldap
- name: ssl-ldap
port: 636
targetPort: ssl-ldap
selector:
app.kubernetes.io/name: openldap
templates/nefarious.yaml
-155
View File
@@ -1,155 +0,0 @@
---
apiVersion: v1
kind: Secret
metadata:
name: nefarious-admin
annotations:
"helm.sh/resource-policy": "keep"
type: Opaque
data:
{{- $secretObj := (lookup "v1" "Secret" .Release.Namespace "nefarious-admin") | default dict }}
{{- $secretData := (get $secretObj "data") | default dict }}
{{- $pass := (get $secretData "password") | default (randAlphaNum 32 | b64enc) }}
password: {{ $pass | quote }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nefarious
labels:
app: nefarious
spec:
replicas: 1
selector:
matchLabels:
app: nefarious
template:
metadata:
labels:
app: nefarious
name: nefarious
spec:
containers:
- name: nefarious
image: lardbit/nefarious
imagePullPolicy: Always
env:
- name: NEFARIOUS_USER
value: "admin"
- name: NEFARIOUS_PASS
valueFrom:
secretKeyRef:
key: password
name: nefarious-admin
- name: DATABASE_URL
value: "sqlite:////nefarious-db/db.sqlite3"
- name: REDIS_HOST
value: "redis"
- name: REDIS_PORT
value: "6379"
- name: HOST_DOWNLOAD_PATH
value: "/downloads/complete"
- name: CONFIG_PATH
value: "/nefarious-db"
- name: INTERNAL_DOWNLOAD_PATH
value: "/downloads/complete"
volumeMounts:
- name: nefarious-persistent-storage
mountPath: /nefarious-db
subPath: backup/nefarious/nefarious-db
- name: nefarious-persistent-storage
mountPath: /downloads/complete/movies
subPath: nobackup/downloads/complete/movies
- name: nefarious-persistent-storage
mountPath: /downloads/complete/tvshows
subPath: nobackup/downloads/complete/tvshows
volumes:
- name: nefarious-persistent-storage
persistentVolumeClaim:
claimName: homey-pvc-nfs
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: celery
labels:
app: celery
spec:
replicas: 1
selector:
matchLabels:
app: celery
template:
metadata:
labels:
app: celery
name: celery
spec:
containers:
- name: celery
image: lardbit/nefarious
imagePullPolicy: Always
command: ["/app/entrypoint-celery.sh"]
env:
- name: DATABASE_URL
value: "sqlite:////nefarious-db/db.sqlite3"
- name: REDIS_HOST
value: "redis"
- name: REDIS_URL
value: "redis://redis:6379/"
- name: REDIS_PORT
value: "6379"
- name: REDIS_DB
value: "0"
- name: HOST_DOWNLOAD_PATH
value: "/downloads"
- name: INTERNAL_DOWNLOAD_PATH
value: "/downloads"
volumeMounts:
- name: celery-persistent-storage
mountPath: /nefarious-db
subPath: backup/nefarious/nefarious-db
- name: celery-persistent-storage
mountPath: /downloads
subPath: nobackup/downloads
volumes:
- name: celery-persistent-storage
persistentVolumeClaim:
claimName: homey-pvc-nfs
---
apiVersion: v1
kind: Service
metadata:
name: nefarious
spec:
selector:
app: nefarious
ports:
- port: 80
targetPort: 80
name: nefarious
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: nefarious-ingress
annotations:
nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16"
spec:
ingressClassName: {{ .Values.homey.ingress_class }}
tls:
- hosts:
- nefarious.{{ .Values.homey.url }}
secretName: {{ .Values.homey.certname }}
rules:
- host: nefarious.{{ .Values.homey.url }}
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: nefarious
port:
number: 80
templates/nextcloud.yaml
+5 -88
View File
@@ -57,7 +57,7 @@ spec:
key: password key: password
volumeMounts: volumeMounts:
- mountPath: /var/lib/postgresql/data - mountPath: /var/lib/postgresql/data
subPath: backup/nextcloud/db subPath: nextcloud/db
name: nextcloud-postgredb name: nextcloud-postgredb
volumes: volumes:
- name: nextcloud-postgredb - name: nextcloud-postgredb
@@ -100,7 +100,7 @@ spec:
volumeMounts: volumeMounts:
- name: nextcloud-volume - name: nextcloud-volume
mountPath: "/var/www/html" mountPath: "/var/www/html"
subPath: backup/nextcloud/html subPath: nextcloud/html
envFrom: envFrom:
- configMapRef: - configMapRef:
name: nextcloud-postgres-config name: nextcloud-postgres-config
@@ -136,96 +136,13 @@ kind: Ingress
metadata: metadata:
name: nextcloud-ingress name: nextcloud-ingress
annotations: annotations:
nginx.org/server-snippets: | nginx.ingress.kubernetes.io/server-snippet: |
server_tokens off;
proxy_hide_header X-Powered-By;
proxy_hide_header Upgrade;
# Rule borrowed from `.htaccess` to handle Microsoft DAV clients
location = / {
if ( $http_user_agent ~ ^DavClnt ) {
return 302 /remote.php/webdav/$is_args$args;
}
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Make a regex exception for `/.well-known` so that clients can still # Make a regex exception for `/.well-known` so that clients can still
# access it despite the existence of the regex rule # access it despite the existence of the regex rule
# `location ~ /(\.|autotest|...)` which would otherwise handle requests # `location ~ /(\.|autotest|...)` which would otherwise handle requests
# for `/.well-known`. # for `/.well-known`.
location ^~ /.well-known { location = /.well-known/carddav { return 301 https://nextcloud.zakobar.com/remote.php/dav/; }
# The rules in this block are an adaptation of the rules location = /.well-known/caldav { return 301 https://nextcloud.zakobar.com/remote.php/dav/; }
# in `.htaccess` that concern `/.well-known`.
location = /.well-known/carddav { return 301 /remote.php/dav/; }
location = /.well-known/caldav { return 301 /remote.php/dav/; }
location /.well-known/acme-challenge { try_files $uri $uri/ =404; }
location /.well-known/pki-validation { try_files $uri $uri/ =404; }
# Let Nextcloud's API for `/.well-known` URIs handle all other
# requests by passing them to the front-end controller.
return 301 /index.php$request_uri;
}
# Rules borrowed from `.htaccess` to hide certain paths from clients
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
# Ensure this block, which passes PHP files to the PHP process, is above the blocks
# which handle static assets (as seen below). If this block is not declared first,
# then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
# to the URI, resulting in a HTTP 500 error response.
location ~ \.php(?:$|/) {
# Required for legacy support
rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $path_info;
fastcgi_param HTTPS on;
fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
fastcgi_param front_controller_active true; # Enable pretty urls
fastcgi_pass php-handler;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
fastcgi_max_temp_file_size 0;
}
location ~ \.(?:css|js|svg|gif|png|jpg|ico|wasm|tflite|map)$ {
try_files $uri /index.php$request_uri;
add_header Cache-Control "public, max-age=15778463, $asset_immutable";
access_log off; # Optional: Don't log access to assets
location ~ \.wasm$ {
default_type application/wasm;
}
}
location ~ \.woff2?$ {
try_files $uri /index.php$request_uri;
expires 7d; # Cache-Control policy borrowed from `.htaccess`
access_log off; # Optional: Don't log access to assets
}
# Rule borrowed from `.htaccess`
location /remote {
return 301 /remote.php$request_uri;
}
spec: spec:
ingressClassName: {{ .Values.homey.ingress_class }} ingressClassName: {{ .Values.homey.ingress_class }}
tls: tls:
templates/photoprism.yaml
-126
View File
@@ -1,126 +0,0 @@
---
apiVersion: v1
kind: Secret
metadata:
name: photoprism-admin
annotations:
"helm.sh/resource-policy": "keep"
type: Opaque
data:
{{- $secretObj := (lookup "v1" "Secret" .Release.Namespace "photoprism-admin") | default dict }}
{{- $secretData := (get $secretObj "data") | default dict }}
{{- $pass := (get $secretData "password") | default (randAlphaNum 32 | b64enc) }}
password: {{ $pass | quote }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: photoprism
spec:
replicas: 1
selector:
matchLabels:
app: photoprism
template:
metadata:
labels:
app: photoprism
spec:
containers:
- name: photoprism
image: photoprism/photoprism
env:
- name: PHOTOPRISM_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: photoprism-admin
- name: PHOTOPRISM_ORIGINALS_LIMIT
value: "50000"
- name: PHOTOPRISM_HTTP_COMPRESSION
value: "gzip"
- name: PHOTOPRISM_DEBUG
value: "false"
- name: PHOTOPRISM_PUBLIC
value: "true"
- name: PHOTOPRISM_READONLY
value: "false"
- name: PHOTOPRISM_EXPERIMENTAL
value: "false"
- name: PHOTOPRISM_DISABLE_WEBDAV
value: "false"
- name: PHOTOPRISM_DISABLE_SETTINGS
value: "false"
- name: PHOTOPRISM_DISABLE_TENSORFLOW
value: "false"
- name: PHOTOPRISM_DARKTABLE_PRESETS
value: "false"
- name: PHOTOPRISM_DETECT_NSFW
value: "false"
- name: PHOTOPRISM_UPLOAD_NSFW
value: "true"
- name: PHOTOPRISM_DATABASE_DRIVER
value: "sqlite"
- name: PHOTOPRISM_SITE_URL
value: "http://gallery.{{ .Values.homey.url }}"
- name: PHOTOPRISM_SITE_TITLE
value: "PhotoPrism"
- name: PHOTOPRISM_SITE_CAPTION
value: "Browse Your Life"
- name: PHOTOPRISM_SITE_DESCRIPTION
value: ""
- name: PHOTOPRISM_SITE_AUTHOR
value: ""
volumeMounts:
- name: photoprism-persistent-storage
mountPath: /photoprism/storage
subPath: backup/photoprism/photoprism/storage
- name: photoprism-persistent-storage
mountPath: /photoprism/originals
subPath: backup/photoprism/originals
- name: photoprism-persistent-storage
mountPath: /var/lib/mysql
subPath: backup/photoprism/var/lib/mysql
volumes:
- name: photoprism-persistent-storage
persistentVolumeClaim:
claimName: homey-pvc-nfs
---
apiVersion: v1
kind: Service
metadata:
name: photoprism-svc
spec:
ports:
- name: http
protocol: TCP
port: 2342
targetPort: 2342
selector:
app: photoprism
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: photoprism-ingress
annotations:
nginx.ingress.kubernetes.io/auth-url: http://ldap-auth.{{ .Release.Namespace }}.svc.cluster.local:80
nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16"
nginx.ingress.kubernetes.io/proxy-body-size: 5g
spec:
ingressClassName: {{ .Values.homey.ingress_class }}
tls:
- hosts:
- album.{{ .Values.homey.url }}
secretName: {{ .Values.homey.certname }}
rules:
- host: album.{{ .Values.homey.url }}
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: photoprism-svc
port:
number: 2342
templates/piwigo.yaml
-178
View File
@@ -1,178 +0,0 @@
---
apiVersion: v1
kind: Secret
metadata:
name: piwigo-mysql-pass
annotations:
"helm.sh/resource-policy": "keep"
type: Opaque
data:
{{- $secretObj := (lookup "v1" "Secret" .Release.Namespace "piwigo-mysql-pass") | default dict }}
{{- $secretData := (get $secretObj "data") | default dict }}
{{- $pass := (get $secretData "password") | default (randAlphaNum 32 | b64enc) }}
password: {{ $pass | quote }}
---
apiVersion: v1
kind: Secret
metadata:
name: piwigo-mysql-root-pass
annotations:
"helm.sh/resource-policy": "keep"
type: Opaque
data:
{{- $secretObj := (lookup "v1" "Secret" .Release.Namespace "piwigo-mysql-root-pass") | default dict }}
{{- $secretData := (get $secretObj "data") | default dict }}
{{- $pass := (get $secretData "password") | default (randAlphaNum 32 | b64enc) }}
password: {{ $pass | quote }}
---
apiVersion: v1
kind: Secret
metadata:
name: piwigo-admin
annotations:
"helm.sh/resource-policy": "keep"
type: Opaque
data:
{{- $secretObj := (lookup "v1" "Secret" .Release.Namespace "piwigo-admin") | default dict }}
{{- $secretData := (get $secretObj "data") | default dict }}
{{- $pass := (get $secretData "password") | default (randAlphaNum 32 | b64enc) }}
password: {{ $pass | quote }}
---
---
# apiVersion: extensions/v1beta1
apiVersion: v1
kind: ConfigMap
metadata:
name: piwigo-mysql-config
labels:
app: piwigo-mysql
data:
MYSQL_DATABASE: piwigo_db
MYSQL_USER: piwigo
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: piwigo-mysql
labels:
app: piwigo-mysql
spec:
replicas: 1
selector:
matchLabels:
app: piwigo-mysql
template:
metadata:
labels:
app: piwigo-mysql
name: piwigo-mysql
spec:
containers:
- name: piwigo-mysql
image: mysql
imagePullPolicy: "IfNotPresent"
ports:
- containerPort: 3306
envFrom:
- configMapRef:
name: piwigo-mysql-config
env:
- name: MYSQL_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: piwigo-mysql-root-pass
key: password
- name: MYSQL_PASSWORD
valueFrom:
secretKeyRef:
name: piwigo-mysql-pass
key: password
volumeMounts:
- mountPath: /var/lib/mysql
subPath: backup/piwigo/db
name: piwigo-mysql-db
volumes:
- name: piwigo-mysql-db
persistentVolumeClaim:
claimName: homey-pvc-nfs
---
apiVersion: v1
kind: Service
metadata:
name: piwigo-mysql
labels:
app: piwigo-mysql
spec:
ports:
- port: 3306
selector:
app: piwigo-mysql
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: piwigo
spec:
replicas: 1
selector:
matchLabels:
app: piwigo
template:
metadata:
labels:
app: piwigo
spec:
containers:
- name: piwigo
image: linuxserver/piwigo
volumeMounts:
- name: piwigo-persistent-storage
mountPath: /config
subPath: backup/piwigo/config
- name: piwigo-persistent-storage
mountPath: /gallery
subPath: backup/piwigo/gallery
volumes:
- name: piwigo-persistent-storage
persistentVolumeClaim:
claimName: homey-pvc-nfs
---
apiVersion: v1
kind: Service
metadata:
name: piwigo-svc
spec:
ports:
- name: http
protocol: TCP
port: 80
targetPort: 80
selector:
app: piwigo
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: piwigo-ingress
annotations:
# nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16"
nginx.ingress.kubernetes.io/auth-type: forward
nginx.ingress.kubernetes.io/auth-url: http://ldap-auth.{{ .Release.Namespace }}.svc.cluster.local:80
nginx.ingress.kubernetes.io/proxy-body-size: 5g
spec:
ingressClassName: {{ .Values.homey.ingress_class }}
tls:
- hosts:
- piwigo.{{ .Values.homey.url }}
secretName: {{ .Values.homey.certname }}
rules:
- host: piwigo.{{ .Values.homey.url }}
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: piwigo-svc
port:
number: 80
templates/redis.yaml
-33
View File
@@ -1,33 +0,0 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: redis
labels:
app: redis
spec:
replicas: 1
selector:
matchLabels:
app: redis
template:
metadata:
labels:
app: redis
name: redis
spec:
containers:
- name: redis
image: redis
---
apiVersion: v1
kind: Service
metadata:
name: redis
spec:
selector:
app: redis
ports:
- port: 6379
targetPort: 6379
name: nefarious
templates/transmission.yaml
-85
View File
@@ -1,85 +0,0 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: transmission
labels:
app: transmission
spec:
replicas: 1
selector:
matchLabels:
app: transmission
template:
metadata:
labels:
app: transmission
name: transmission
spec:
containers:
- name: transmission
image: linuxserver/transmission
imagePullPolicy: Always
env:
- name: PUID
value: "0"
- name: PGID
value: "0"
- name: TRANSMISSION_DOWNLOAD_DIR
value: "/downloads"
volumeMounts:
- name: transmission-persistent
mountPath: /config
subPath: backup/transmission/config
- name: transmission-persistent
mountPath: /downloads/complete/movies
subPath: nobackup/downloads/complete/movies
- name: transmission-persistent
mountPath: /downloads/complete/tvshows
subPath: nobackup/downloads/complete/tvshows
- name: transmission-persistent
mountPath: /downloads/incomplete
subPath: nobackup/downloads/incomplete
volumes:
- name: transmission-persistent
persistentVolumeClaim:
claimName: homey-pvc-nfs
---
apiVersion: v1
kind: Service
metadata:
name: transmission-web
spec:
selector:
app: transmission
ports:
- port: 80
targetPort: 9091
name: transmission-web
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: transmission-ingress
annotations:
# nginx.ingress.kubernetes.io/auth-type: forward
# nginx.ingress.kubernetes.io/global-auth-url: http://ldap-auth.{{ .Release.Namespace }}.svc.cluster.local:80
# nginx.ingress.kubernetes.io/proxy_pass: http://ldap-auth.{{ .Release.Namespace }}.svc.cluster.local:80
nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16"
spec:
ingressClassName: {{ .Values.homey.ingress_class }}
tls:
- hosts:
- torrent.{{ .Values.homey.url }}
secretName: {{ .Values.homey.certname }}
rules:
- host: torrent.{{ .Values.homey.url }}
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: transmission-web
port:
number: 80
values.yaml
+1 -1
View File
@@ -60,7 +60,7 @@ homey:
organization: "Zakobar Home Server" organization: "Zakobar Home Server"
storage: storage:
ip: "10.0.0.100" ip: "10.0.0.100"
storageCapacity: 450Gi storageCapacity: 30Gi
url: zakobar.com url: zakobar.com
ip: 10.0.0.100 ip: 10.0.0.100
certname: zakobarcert certname: zakobarcert