AUTHENTICATION BABYYYY

This commit is contained in:
Aner Zakobar
2023-09-24 15:30:29 +03:00
parent c709cea065
commit bde033a3b0
8 changed files with 429 additions and 576 deletions
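--- /dev/null
+++ b/files/authelia-config.yaml
@@ -0,0 +1,60 @@
+###############################################################
+# Authelia minimal configuration #
+###############################################################
+theme: "light"
+log:
+level: "debug"
+jwt_secret: {{ .homey_authelia_jwt | quote }}
+authentication_backend:
+ldap:
+implementation: "custom"
+url: "ldap://openldap:389"
+timeout: "5s"
+start_tls: false
+base_dn: "{{ .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim}}"
+users_filter: "({username_attribute}={input})"
+username_attribute: "uid"
+additional_users_dn: "ou=users"
+groups_filter: "(&(uniquemember=uid={input},ou=users,{{ .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim}})(objectclass=groupOfUniqueNames))"
+group_name_attribute: "cn"
+additional_groups_dn: "ou=groups"
+mail_attribute: "mail"
+display_name_attribute: "uid"
+permit_referrals: false
+permit_unauthenticated_bind: false
+user: "cn=readonly,{{ .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim }}"
+password: {{ .homey_openldap_ro | quote }}
+totp:
+issuer: "{{ .Values.homey.url }}"
+disable: false
+session:
+name: authelia_session
+secret: {{ .homey_authelia_session | quote }}
+expiration: 3600 # 1 hour
+inactivity: 7200 # 2 hours
+domain: "{{ .Values.homey.url}}" # needs to be your root domain
+storage:
+local:
+path: "/config/db.sqlite3"
+encryption_key: {{ .homey_authelia_encryption_key | quote }}
+access_control:
+default_policy: "deny"
+rules:
+- domain:
+- "auth.zakobar.com"
+policy: bypass
+- domain:
+- "ldapadmin.{{ .Values.homey.url }}"
+subject:
+- 'group:admins'
+policy: "two_factor"
+- domain:
+- "ldapadmin.{{ .Values.homey.url }}"
+- "longhorn.{{ .Values.homey.url }}"
+policy: "deny"
+# - domain:
+# - "git.{{ .Values.homey.url }}"
+# policy: "one_factor"
+notifier:
+filesystem:
+filename: "/var/lib/authelia/emails.txt"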
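Review bot: The bypass rule `- "auth.zakobar.com"` hard-codes the portal hostname while every other host in this file (and the Authelia Ingress in this commit) is built from `.Values.homey.url`; if that value is ever anything but `zakobar.com`, the portal's own domain falls under `default_policy: "deny"` and Authelia refuses to serve its login page, so use `- "auth.{{ .Values.homey.url }}"`. In the `session` block `inactivity: 7200` is larger than `expiration: 3600`, so as far as I can tell the inactivity timeout can never fire before the absolute expiry — if the "1 hour" / "2 hours" comments describe the intent, the two values look swapped. `level: "debug"` on an authentication server writes request detail to the log that is rarely wanted outside troubleshooting; `"info"` is the safer steady-state value. `url: "ldap://openldap:389"` with `start_tls: false` sends the `cn=readonly` bind password in cleartext inside the cluster, which is acceptable on a trusted network but worth a comment such as `# plaintext LDAP inside the cluster; enable start_tls once openldap serves a certificate`.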
+95
@@ -0,0 +1,95 @@
APP_NAME = {{ .Values.homey.organization }}
RUN_MODE = prod
RUN_USER = git
WORK_PATH = /data/gitea
[repository]
ROOT = /data/git/repositories
[repository.local]
LOCAL_COPY_PATH = /data/gitea/tmp/local-repo
[repository.upload]
TEMP_PATH = /data/gitea/uploads
[server]
APP_DATA_PATH = /data/gitea
DOMAIN = git.{{ .Values.homey.url }}
HTTP_PORT = 3000
ROOT_URL = https://git.{{ .Values.homey.url }}/
DISABLE_SSH = true
SSH_PORT = 443
SSH_LISTEN_PORT = 22
LFS_START_SERVER = true
LFS_JWT_SECRET = {{ .homey_gitea_lfs_jwt_secret | b64enc | replace "=" "" }}
OFFLINE_MODE = false
[lfs]
PATH = /data/git/lfs
[database]
PATH = /data/gitea/gitea.db
DB_TYPE = sqlite3
HOST = localhost:3306
NAME = gitea
USER = root
PASSWD =
LOG_SQL = false
SCHEMA =
SSL_MODE = disable
CHARSET = utf8
[indexer]
ISSUE_INDEXER_PATH = /data/gitea/indexers/issues.bleve
[session]
PROVIDER_CONFIG = /data/gitea/sessions
PROVIDER = file
[picture]
AVATAR_UPLOAD_PATH = /data/gitea/avatars
REPOSITORY_AVATAR_UPLOAD_PATH = /data/gitea/repo-avatars
DISABLE_GRAVATAR = false
ENABLE_FEDERATED_AVATAR = false
[attachment]
PATH = /data/gitea/attachments
[log]
MODE = console
LEVEL = info
ROUTER = console
ROOT_PATH = /data/gitea/log
[security]
INSTALL_LOCK = true
SECRET_KEY =
REVERSE_PROXY_LIMIT = 1
REVERSE_PROXY_TRUSTED_PROXIES = *
INTERNAL_TOKEN = {{ .homey_gitea_random_internal_token }}
PASSWORD_HASH_ALGO = pbkdf2
[service]
DISABLE_REGISTRATION = true
REQUIRE_SIGNIN_VIEW = false
REGISTER_EMAIL_CONFIRM = false
ENABLE_NOTIFY_MAIL = false
ALLOW_ONLY_EXTERNAL_REGISTRATION = true
ENABLE_CAPTCHA = false
DEFAULT_KEEP_EMAIL_PRIVATE = false
DEFAULT_ALLOW_CREATE_ORGANIZATION = true
DEFAULT_ENABLE_TIMETRACKING = true
NO_REPLY_ADDRESS = noreply.localhost
ENABLE_REVERSE_PROXY_AUTHENTICATION = true
ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = true
[mailer]
ENABLED = false
[openid]
ENABLE_OPENID_SIGNIN = false
ENABLE_OPENID_SIGNUP = false
[oauth2]
ENABLE = false
JWT_SECRET = {{ .homey_gitea_oauth2_jwt_secret | b64enc | replace "=" "" }}
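Review bot: `REVERSE_PROXY_TRUSTED_PROXIES = *` combined with `ENABLE_REVERSE_PROXY_AUTHENTICATION = true` and `ENABLE_REVERSE_PROXY_AUTO_REGISTRATION = true` makes Gitea trust the reverse-proxy user header from any source, and the `gitea-ingress` added in this commit carries none of the Authelia `auth-url`/`auth-snippet` annotations that the phpldapadmin Ingress gets, so nothing on the request path sets or overrides that header before Gitea sees it — effectively an authentication bypass with auto-registration. Give the Gitea Ingress the same auth annotations (including `proxy_set_header X-Webauth-User $user;` so the header always comes from Authelia), narrow the trusted list to the ingress controller's addresses, e.g. `REVERSE_PROXY_TRUSTED_PROXIES = <ingress-controller-pod-cidr>`, and consider a NetworkPolicy limiting port 3000 to the controller, since the `gitea-svc` ClusterIP exposes it cluster-wide. `SECRET_KEY =` is empty while `app.ini` is mounted read-only from a ConfigMap, so if Gitea generates a key at startup it presumably cannot persist it and would mint a new one on every restart; set it from a generated Secret the way `INTERNAL_TOKEN` is. The `HOST`, `USER`, `PASSWD`, `SSL_MODE` and `CHARSET` keys under `[database]` are dead with `DB_TYPE = sqlite3` and can be dropped.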
+9 -21
@@ -1,32 +1,20 @@
--- ---
{{- define "homey.lookuporgensecret" -}}
{{- $secretObj := (lookup "v1" "Secret" .Release.Namespace .secretname ) | default dict -}}
{{- $secretData := (get $secretObj "data") | default dict -}}
{{- $ret := (get $secretData "password" | b64dec ) | default (randAlphaNum 32 ) -}}
{{ $ret -}}
{{- end -}}
---
{{- define "homey.randomsecret"}} {{- define "homey.randomsecret"}}
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
metadata: metadata:
name: {{ .secretname }} name: {{ (replace "\"" "" .secretname ) }}
type: Opaque type: Opaque
data: data:
{{- $secretObj := (lookup "v1" "Secret" .Release.Namespace (.secretname | quote)) | default dict }} password: {{ .secretval | b64enc | quote }}
{{- $secretData := (get $secretObj "data") | default dict }}
{{- $pass := (get $secretData "password") | default (randAlphaNum 32 | b64enc) }}
password: {{ $pass | quote }}
{{- end }} {{- end }}
{{- define "homey.lookuprandomsecret" -}}
{{- $secretObj := (lookup "v1" "Secret" .Release.Namespace (.secretname | quote)) | default dict -}}
{{- $secretData := (get $secretObj "data") | default dict -}}
{{- $pass := (get $secretData "password") | default "UNDEFINED" -}}
{{- $pass | quote -}}
{{- end -}}
{{- /*
Returns given number of random Hex characters.
- randNumeric 4 | atoi generates a random number in [0, 10^4)
This is a range range evenly divisble by 16, but even if off by one,
that last partial interval offsetting randomness is only 1 part in 625.
- mod N 16 maps to the range 0-15
- printf "%x" represents a single number 0-15 as a single hex character
*/}}
--- ---
{{- define "homey.randHex"}} {{- define "homey.randHex"}}
{{- $result := "" }} {{- $result := "" }}
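Review bot: The rewritten `homey.randomsecret` emits its Secret without the `helm.sh/resource-policy: keep` annotation that the hand-written `gitea-random-internal-token` Secret in this commit carries; without it `helm uninstall` removes the generated passwords and the next install rolls fresh ones, which for the Authelia `encryption_key` and the OpenLDAP admin password presumably leaves existing state unreadable — add `annotations:` / `"helm.sh/resource-policy": "keep"` under `metadata:`. `homey.lookuporgensecret` falls back to `randAlphaNum 32` whenever `lookup` returns nothing, and `lookup` also returns nothing during `helm template` and dry-run, so such renders show values that differ from what the live release will use; a comment above the define, e.g. `{{- /* lookup is empty in helm template / --dry-run; rendered values then differ from the cluster */ -}}`, would save a confused operator. The `replace "\"" "" .secretname` in `name:` works around callers passing an already-quoted name, but every caller in this commit passes a bare name, so plain `name: {{ .secretname }}` reads more clearly. The `homey.randHex` define at the end of the hunk continues outside it.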
+248 -186
@@ -11,34 +11,23 @@ spec:
storage: 100Mi storage: 100Mi
storageClassName: longhorn storageClassName: longhorn
--- ---
{{- define "homey.auth.ingress.annotations" }} {{- $_ := set $ "homey_openldap_admin" (include "homey.lookuporgensecret" (merge (dict "secretname" "openldap-admin") $))}}
# nginx.ingress.kubernetes.io/auth-signin: "https://auth.zakobar.com" {{ include "homey.randomsecret" (merge (dict "secretname" "openldap-admin" "secretval" .homey_openldap_admin) $) }}
nginx.ingress.kubernetes.io/auth-url: "http://ldap-auth-internal.{{ .Release.Namespace }}.svc.cluster.local:80" # ---
nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Email {{- $_ := set $ "homey_openldap_config" (include "homey.lookuporgensecret" (merge (dict "secretname" "openldap-config") $))}}
nginx.ingress.kubernetes.io/location-snippets: |- {{ include "homey.randomsecret" (merge (dict "secretname" "openldap-config" "secretval" .homey_openldap_config) $) }}
auth_request /auth # ---
nginx.ingress.kubernetes.io/configuration-snippet: |- {{- $_ := set $ "homey_openldap_ro" (include "homey.lookuporgensecret" (merge (dict "secretname" "openldap-ro") $))}}
location /auth { {{ include "homey.randomsecret" (merge (dict "secretname" "openldap-ro" "secretval" .homey_openldap_ro) $) }}
# proxy_pass http://ldap-auth-internal;
proxy_pass_request_body off;
proxy_set_header X-Target http://ldap-auth-internal.{{ .Release.Namespace }}.svc.cluster.local:80;
proxy_set_header X-Ldap-URL "ldap://openldap";
proxy_set_header X-Ldap-BaseDN "ou=users,{{ .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim }}";
proxy_set_header X-Ldap-BindDN "cn=readonly,{{ .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim }}";
proxy_set_header X-Ldap-BindPass {{ (get (get (lookup "v1" "Secret" .Release.Namespace "openldap-ro") "data") "password") | b64dec | quote}};
proxy_set_header X-CookieName "homey.auth.cookie";
proxy_set_header Cookie $cookie_homey.auth.cookie;
proxy_set_header X-Remote-User $remote_user;
proxy_set_header X-Forwarded-Method $request_method;
proxy_set_header X-Ldap-Template "(uid=%(username)s)";
}
{{- end }}
--- ---
{{ template "homey.randomsecret" (merge (dict "secretname" "openldap-admin") $) }} {{- $_ := set $ "homey_authelia_jwt" (include "homey.lookuporgensecret" (merge (dict "secretname" "authelia-jwt") $))}}
# --- {{ include "homey.randomsecret" (merge (dict "secretname" "authelia-jwt" "secretval" .homey_authelia_jwt) $) }}
{{ template "homey.randomsecret" (merge (dict "secretname" "openldap-config") $) }} ---
# --- {{- $_ := set $ "homey_authelia_session" (include "homey.lookuporgensecret" (merge (dict "secretname" "authelia-session") $))}}
{{ template "homey.randomsecret" (merge (dict "secretname" "openldap-ro") $) }} {{ include "homey.randomsecret" (merge (dict "secretname" "authelia-session" "secretval" .homey_authelia_session) $) }}
---
{{- $_ := set $ "homey_authelia_encryption_key" (include "homey.lookuporgensecret" (merge (dict "secretname" "authelia-encryption-key") $))}}
{{ include "homey.randomsecret" (merge (dict "secretname" "authelia-encryption-key" "secretval" .homey_authelia_encryption_key) $) }}
--- ---
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
@@ -121,163 +110,236 @@ spec:
selector: selector:
app.kubernetes.io/name: openldap app.kubernetes.io/name: openldap
--- ---
# --- apiVersion: v1
# apiVersion: v1 kind: ConfigMap
# kind: ConfigMap metadata:
# metadata: name: authelia-conf
# name: keycloak-postgres-config data:
# labels: configuration.yml: |-
# app: keycloak-postgres {{ tpl (.Files.Get "files/authelia-config.yaml" | indent 4) . }}
# data: ---
# POSTGRES_DB: keycloak-db apiVersion: v1
# POSTGRES_USER: keycloak-admin kind: PersistentVolumeClaim
# --- metadata:
# apiVersion: apps/v1 name: authelia-pvc
# kind: Deployment spec:
# metadata: accessModes:
# name: keycloak-postgres - ReadWriteMany
# labels: resources:
# app: keycloak-postgres requests:
# spec: storage: 100Mi
# replicas: 1 storageClassName: longhorn
# selector: ---
# matchLabels: apiVersion: apps/v1
# app: keycloak-postgres kind: Deployment
# template: metadata:
# metadata: name: authelia
# labels: labels:
# app: keycloak-postgres app.kubernetes.io/name: authelia
# name: keycloak-postgres spec:
# spec: selector:
# containers: matchLabels:
# - name: postgres app.kubernetes.io/name: authelia
# image: postgres:10.4 replicas: 1
# imagePullPolicy: "IfNotPresent" template:
# ports: metadata:
# - containerPort: 5432 labels:
# envFrom: app.kubernetes.io/name: authelia
# - configMapRef: spec:
# name: keycloak-postgres-config enableServiceLinks: false
# env: containers:
# - name: POSTGRES_PASSWORD - name: authelia
# valueFrom: image: authelia/authelia
# secretKeyRef: imagePullPolicy: "IfNotPresent"
# name: keycloak-db-pass env:
# key: password - name: TZ
# volumeMounts: value: "Jerusalem/Israel"
# - mountPath: /var/lib/postgresql/data ports:
# subPath: keycloak/db/data - name: tcp
# name: keycloak-postgresdb containerPort: 9091
# volumes: volumeMounts:
# - name: keycloak-postgresdb - mountPath: /config/configuration.yml
# persistentVolumeClaim: name: authelia-conf
# claimName: homey-pvc-longhorn subPath: configuration.yml
# --- readOnly: true
# apiVersion: v1 - mountPath: /config
# kind: Service subPath: authelia/config
# metadata: name: authelia-volume
# name: keycloak-postgres-service volumes:
# labels: - name: authelia-conf
# app: keycloak-postgres configMap:
# spec: name: authelia-conf
# ports: items:
# - port: 5432 - key: configuration.yml
# selector: path: configuration.yml
# app: keycloak-postgres - name: authelia-volume
# --- persistentVolumeClaim:
# apiVersion: apps/v1 claimName: authelia-pvc
# kind: Deployment ---
# metadata: apiVersion: v1
# name: keycloak kind: Service
# labels: metadata:
# app: keycloak name: authelia
# spec: labels:
# replicas: 1 app.kubernetes.io/name: authelia
# selector: spec:
# matchLabels: type: ClusterIP
# app: keycloak ports:
# template: - name: tcp
# metadata: port: 9091
# labels: targetPort: tcp
# app: keycloak selector:
# spec: app.kubernetes.io/name: authelia
# containers: ---
# - name: keycloak apiVersion: networking.k8s.io/v1
# image: mihaibob/keycloak:18.0.2-legacy kind: Ingress
# env: metadata:
# - name: KEYCLOAK_USER name: authelia
# value: "admin" spec:
# - name: KEYCLOAK_PASSWORD ingressClassName: {{ .Values.homey.ingress_class }}
# valueFrom: tls:
# secretKeyRef: - hosts:
# name: keycloak-pass - auth.{{ .Values.homey.url }}
# key: password secretName: {{ .Values.homey.certname }}
# - name: PROXY_ADDRESS_FORWARDING rules:
# value: "true" - host: auth.{{ .Values.homey.url }}
# - name: DB_ADDR http:
# value: keycloak-postgres-service paths:
# - name: DB_DATABASE - path: /
# value: "keycloak-db" pathType: Prefix
# - name: DB_VENDOR backend:
# value: postgres service:
# - name: DB_USER name: authelia
# value: keycloak-admin port:
# - name: DB_PASSWORD number: 9091
# valueFrom: ---
# secretKeyRef: apiVersion: v1
# name: keycloak-db-pass kind: PersistentVolumeClaim
# key: password metadata:
# ports: name: gitea-pvc
# - name: http spec:
# containerPort: 8080 accessModes:
# readinessProbe: - ReadWriteMany
# failureThreshold: 3 resources:
# httpGet: requests:
# path: /auth/realms/master/ storage: 5Gi
# port: http storageClassName: longhorn
# initialDelaySeconds: 240 ---
# timeoutSeconds: 240 {{- $_ := set $ "homey_gitea_admin_pass" (include "homey.lookuporgensecret" (merge (dict "secretname" "gitea-admin-pass") $))}}
# livenessProbe: {{ include "homey.randomsecret" (merge (dict "secretname" "gitea-admin-pass" "secretval" .homey_gitea_admin_pass) $) }}
# failureThreshold: 3 ---
# httpGet: {{- $_ := set $ "homey_gitea_lfs_jwt_secret" (include "homey.lookuporgensecret" (merge (dict "secretname" "gitea-lfs-jwt-secret") $))}}
# path: /auth/ {{ include "homey.randomsecret" (merge (dict "secretname" "gitea-lfs-jwt-secret" "secretval" .homey_gitea_lfs_jwt_secret) $) }}
# port: http ---
# initialDelaySeconds: 240 {{- $_ := set $ "homey_gitea_oauth2_jwt_secret" (include "homey.lookuporgensecret" (merge (dict "secretname" "gitea-oauth2-jwt-secret") $))}}
# timeoutSeconds: 240 {{ include "homey.randomsecret" (merge (dict "secretname" "gitea-oauth2-jwt-secret" "secretval" .homey_gitea_oauth2_jwt_secret) $) }}
# ---
# apiVersion: v1 ---
# kind: Service apiVersion: v1
# metadata: kind: Secret
# name: keycloak-web metadata:
# labels: name: gitea-random-internal-token
# app: keycloak annotations:
# spec: "helm.sh/resource-policy": "keep"
# ports: type: Opaque
# - name: http data:
# port: 8080 {{- $secretObj := (lookup "v1" "Secret" .Release.Namespace "gitea-random-internal-token") | default dict -}}
# targetPort: http {{- $secretData := (get $secretObj "data") | default dict -}}
# selector: {{- $pass := (get $secretData "password") | default (randAlphaNum 100 | b64enc) -}}
# app: keycloak {{- $_ := set $ "homey_gitea_random_internal_token" ($pass | b64dec) }}
# --- password: {{ $pass | quote }}
# apiVersion: networking.k8s.io/v1 ---
# kind: Ingress apiVersion: v1
# metadata: kind: ConfigMap
# name: keycloak metadata:
# spec: name: gitea-conf
# ingressClassName: {{ .Values.homey.ingress_class }} data:
# tls: app.ini: |-
# - hosts: {{ tpl (.Files.Get "files/gitea-app.ini" | indent 4) . }}
# - keycloak.{{ .Values.homey.url }} ---
# secretName: {{ .Values.homey.certname }} apiVersion: apps/v1
# rules: kind: Deployment
# - host: keycloak.{{ .Values.homey.url }} metadata:
# http: name: gitea
# paths: spec:
# - path: / replicas: 1
# pathType: Prefix selector:
# backend: matchLabels:
# service: app: gitea
# name: keycloak-web template:
# port: metadata:
# number: 8080 labels:
app: gitea
spec:
containers:
- name: gitea
image: gitea/gitea:latest
ports:
- containerPort: 3000
name: http
volumeMounts:
- name: gitea-persistent-storage
mountPath: /data
subPath: gitea/gitea/data
- name: gitea-conf
mountPath: /data/gitea/conf/app.ini
subPath: app.ini
readOnly: true
# startProbe:
# httpGet:
# path: /
# port: 3000
# initialDelaySeconds: 15
# lifecycle:
# postStart:
# exec:
# {{- $gitea_cmd := (printf "gitea admin auth add-ldap --name ldap --security-protocol unencrypted --host ldap --port 389 --user-search-base ou=users,%s --user-filter \\\"(&(objectClass=inetOrgPerson)(|(uid=%[1]s)(mail=%[1]s)))\\\" --email-attribute mail --bind-dn=\\\"cn=readonly,%s\\\" --bind-password=\\\"%s\\\"" ( .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim) ( .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim) (.homey_openldap_ro | replace "\"" ""))}}
# command: ["/bin/sh", "-c", "{{$gitea_cmd}}"]
volumes:
- name: gitea-persistent-storage
persistentVolumeClaim:
claimName: gitea-pvc
- name: gitea-conf
configMap:
name: gitea-conf
items:
- key: app.ini
path: app.ini
---
apiVersion: v1
kind: Service
metadata:
name: gitea-svc
spec:
selector:
app: gitea
ports:
- name: http-port
protocol: TCP
port: 3000
targetPort: http
selector:
app: gitea
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: gitea-ingress
spec:
ingressClassName: {{ .Values.homey.ingress_class }}
tls:
- hosts:
- git.{{ .Values.homey.url }}
secretName: {{ .Values.homey.certname }}
rules:
- host: git.{{ .Values.homey.url }}
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: gitea-svc
port:
number: 3000
--- ---
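Review bot: The rendered Authelia configuration — including `jwt_secret`, the session `secret`, `encryption_key` and the LDAP bind `password` — is written into `kind: ConfigMap` `authelia-conf`, and `gitea-conf` likewise carries `INTERNAL_TOKEN` and `LFS_JWT_SECRET`; ConfigMaps are readable by anyone with `get configmaps` in the namespace and sit outside Secret-specific RBAC and encryption-at-rest, so change both to `kind: Secret` with `stringData:` in place of `data:` (and `secret:`/`secretName:` in the volume), or keep the config secret-free by feeding Authelia the values through its `*_FILE` environment variables (e.g. `AUTHELIA_JWT_SECRET_FILE`) from the generated Secrets. `TZ` is set to `"Jerusalem/Israel"`, which is not an IANA zone name and will most likely fall back to UTC; the zone is `"Asia/Jerusalem"`. The `gitea-svc` Service has `selector:` twice (before and after `ports:`); duplicate mapping keys are invalid YAML — most parsers silently keep the last, strict decoders reject the document — so delete one. `authelia/authelia` (no tag) and `gitea/gitea:latest` are unpinned; pinning a version, ideally a digest, keeps upgrades of two security-critical components deliberate.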
-92
@@ -1,92 +0,0 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: gitea-pvc
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 5Gi
storageClassName: longhorn
---
apiVersion: v1
kind: Secret
metadata:
name: gitea-admin-pass
annotations:
"helm.sh/resource-policy": "keep"
type: Opaque
data:
{{- $secretObj := (lookup "v1" "Secret" .Release.Namespace "gitea-admin-pass") | default dict -}}
{{- $secretData := (get $secretObj "data") | default dict -}}
{{- $pass := (get $secretData "password") | default (randAlphaNum 32 | b64enc) -}}
password: {{ $pass | quote }}
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: gitea
spec:
replicas: 1
selector:
matchLabels:
app: gitea
template:
metadata:
labels:
app: gitea
spec:
containers:
- name: gitea
image: gitea/gitea:latest
ports:
- containerPort: 3000
name: http
volumeMounts:
- name: gitea-persistent-storage
mountPath: /data
subPath: gitea/gitea/data
volumes:
- name: gitea-persistent-storage
persistentVolumeClaim:
claimName: gitea-pvc
---
apiVersion: v1
kind: Service
metadata:
name: gitea-svc
spec:
selector:
app: gitea
ports:
- name: http-port
protocol: TCP
port: 3000
targetPort: http
selector:
app: gitea
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: gitea-ingress
spec:
ingressClassName: {{ .Values.homey.ingress_class }}
tls:
- hosts:
- git.{{ .Values.homey.url }}
secretName: {{ .Values.homey.certname }}
rules:
- host: git.{{ .Values.homey.url }}
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: gitea-svc
port:
number: 3000
---
-70
@@ -1,70 +0,0 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: ldap-auth
labels:
app: ldap-auth
spec:
replicas: 1
selector:
matchLabels:
app: ldap-auth
template:
metadata:
labels:
app: ldap-auth
name: ldap-auth
spec:
containers:
- name: ldap-auth
image: linuxserver/ldap-auth
imagePullPolicy: Always
---
#https://stackoverflow.com/questions/51149921/how-to-authenticate-nginx-with-ldap
apiVersion: v1
kind: Service
metadata:
name: ldap-auth
spec:
selector:
app: ldap-auth
ports:
- port: 80
targetPort: 9000
---
apiVersion: v1
kind: Service
metadata:
name: ldap-auth-internal
spec:
selector:
app: ldap-auth
ports:
- port: 80
targetPort: 8888
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ldap-auth-ingress
annotations:
spec:
ingressClassName: {{ .Values.homey.ingress_class }}
tls:
- hosts:
- auth.{{ .Values.homey.url }}
secretName: {{ .Values.homey.certname }}
rules:
- host: auth.{{ .Values.homey.url }}
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: ldap-auth
port:
number: 80
---
-206
@@ -1,206 +0,0 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-pvc
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 30Gi
storageClassName: longhorn
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-postgres-pvc
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 5Gi
storageClassName: longhorn
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-data-pvc
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 30Gi
storageClassName: longhorn
---
apiVersion: v1
kind: Secret
metadata:
name: nextcloud-postgres-pass
annotations:
"helm.sh/resource-policy": "keep"
type: Opaque
data:
{{- $secretObj := (lookup "v1" "Secret" .Release.Namespace "nextcloud-postgres-pass") | default dict }}
{{- $secretData := (get $secretObj "data") | default dict }}
{{- $pass := (get $secretData "password") | default (randAlphaNum 32 | b64enc) }}
password: {{ $pass | quote }}
---
# apiVersion: extensions/v1beta1
apiVersion: v1
kind: ConfigMap
metadata:
name: nextcloud-postgres-config
labels:
app: nextcloud-postgres
data:
POSTGRES_DB: nextcloud_db
POSTGRES_USER: postgres
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nextcloud-postgres
labels:
app: nextcloud-postgres
spec:
replicas: 1
selector:
matchLabels:
app: nextcloud-postgres
template:
metadata:
labels:
app: nextcloud-postgres
name: nextcloud-postgres
spec:
containers:
- name: nextcloud-postgres
image: postgres:10.4
imagePullPolicy: "IfNotPresent"
ports:
- containerPort: 5432
envFrom:
- configMapRef:
name: nextcloud-postgres-config
env:
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: nextcloud-postgres-pass
key: password
volumeMounts:
- mountPath: /var/lib/postgresql/data
subPath: nextcloud/db
name: nextcloud-postgredb
volumes:
- name: nextcloud-postgredb
persistentVolumeClaim:
claimName: nextcloud-postgres-pvc
---
apiVersion: v1
kind: Service
metadata:
name: nextcloud-postgres
labels:
app: nextcloud-postgres
spec:
ports:
- port: 5432
selector:
app: nextcloud-postgres
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nextcloud
labels:
app: nextcloud
spec:
replicas: 1
selector:
matchLabels:
app: nextcloud
template:
metadata:
labels:
app: nextcloud
name: nextcloud
spec:
containers:
- name: nextcloud
image: nextcloud
imagePullPolicy: Always
volumeMounts:
- name: nextcloud-volume
mountPath: "/var/www/html"
subPath: nextcloud/html
- name: nextcloud-media
mountPath: "/var/www/html/data"
subPath: nextcloud/html/data
envFrom:
- configMapRef:
name: nextcloud-postgres-config
env:
- name: POSTGRES_HOST
value: "nextcloud-postgres"
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: nextcloud-postgres-pass
key: password
- name: OVERWRITEPROTOCOL
value: "https"
volumes:
- name: nextcloud-volume
persistentVolumeClaim:
claimName: nextcloud-pvc
- name: nextcloud-media
persistentVolumeClaim:
claimName: nextcloud-data-pvc
---
apiVersion: v1
kind: Service
metadata:
name: nextcloud
spec:
selector:
app: nextcloud
ports:
- port: 80
targetPort: 80
name: nextcloud
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: nextcloud-ingress
annotations:
nginx.ingress.kubernetes.io/proxy-body-size: 5g
nginx.ingress.kubernetes.io/server-snippet: |
# Make a regex exception for `/.well-known` so that clients can still
# access it despite the existence of the regex rule
# `location ~ /(\.|autotest|...)` which would otherwise handle requests
# for `/.well-known`.
location = /.well-known/carddav { return 301 https://nextcloud.zakobar.com/remote.php/dav/; }
location = /.well-known/caldav { return 301 https://nextcloud.zakobar.com/remote.php/dav/; }
spec:
ingressClassName: {{ .Values.homey.ingress_class }}
tls:
- hosts:
- nextcloud.{{ .Values.homey.url }}
secretName: {{ .Values.homey.certname }}
rules:
- host: nextcloud.{{ .Values.homey.url }}
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: nextcloud
port:
number: 80
---
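--- a/<path-not-shown>
+++ b/<path-not-shown>
@@ -43,6 +43,22 @@ apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
 name: phpldapadmin
+annotations:
+kubernetes.io/ingress.allow-http: "false"
+nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+nginx.ingress.kubernetes.io/auth-method: GET
+nginx.ingress.kubernetes.io/auth-url: http://authelia.{{ .Release.Namespace }}.svc.cluster.local:9091/api/verify
+nginx.ingress.kubernetes.io/auth-signin: https://auth.{{ .Values.homey.url }}?rm=$request_method
+nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
+nginx.ingress.kubernetes.io/auth-snippet: |
+proxy_set_header X-Forwarded-Method $request_method;
+auth_request_set $user $upstream_http_remote_user;
+auth_request_set $groups $upstream_http_remote_groups;
+auth_request_set $name $upstream_http_remote_name;
+auth_request_set $email $upstream_http_remote_email;
+proxy_set_header X-Webauth-User $user;
+proxy_set_header X-Webauth-Fullname $name;
+proxy_set_header X-Webauth-Email $email;
 spec:
 ingressClassName: {{ .Values.homey.ingress_class }}
 tls: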
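Review bot: `auth_request_set $groups $upstream_http_remote_groups;` captures the group list but no `proxy_set_header` forwards it, so either drop that line or add `proxy_set_header X-Webauth-Groups $groups;` next to the other three. `kubernetes.io/ingress.allow-http: "false"` is, as far as I know, honored by the GCE ingress controller rather than ingress-nginx, so with the templated `ingressClassName` it is likely a no-op and `force-ssl-redirect` is what actually enforces HTTPS. `/api/verify` is Authelia's legacy verification endpoint and the `authelia/authelia` image in this commit is untagged, so this annotation set works only for whichever version happens to be pulled; a comment such as `# auth-url uses the legacy /api/verify endpoint; revisit when the Authelia image is pinned` would flag that coupling. The Ingress spec continues past the end of the hunk.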