From eac370530e72719b5caf8e7f7a3ec34f7a63c52e Mon Sep 17 00:00:00 2001
From: Aner Zakobar
Date: Sun, 12 Feb 2023 15:40:54 +0200
Subject: [PATCH] Stable before split

---
 README.org | 12 +++
 templates/gitea.yaml | 2 +-
 templates/jackett.yaml | 2 +-
 templates/jellyfin.yaml | 2 +-
 templates/nefarious.yaml | 2 +-
 templates/nextcloud.yaml | 90 ++++++++++++++++++
 templates/photoprism.yaml | 5 +-
 templates/phpldapadmin.yaml | 2 +-
 templates/piwigo.yaml | 178 ++++++++++++++++++++++++++++++++++++
 templates/transmission.yaml | 7 +-
 values.yaml | 4 +-
 11 files changed, 293 insertions(+), 13 deletions(-)
 create mode 100644 templates/piwigo.yaml

diff --git a/README.org b/README.org
index 8966601..69daefa 100644
--- a/README.org
+++ b/README.org
@@ -75,3 +75,15 @@ Email Attribute: mail * Jackett Go into "indexers" and add indexer + +* Piwigo +Host we configure outright +User, we'll configure 'admin' +Password, it's configured as a secret +Database name... + +host - piwigo-mysql +user - postgres +password - from secret +database-name - piwigo_db +piwigo_
diff --git a/templates/gitea.yaml b/templates/gitea.yaml
index 0ed7574..66a0f93 100644
--- a/templates/gitea.yaml
+++ b/templates/gitea.yaml
@@ -28,7 +28,7 @@ spec:
 spec:
 containers:
 - name: gitea
- image: gitea/gitea
+ image: gitea/gitea:latest
 ports:
 - containerPort: 22
 name: ssh
diff --git a/templates/jackett.yaml b/templates/jackett.yaml
index 435e543..d4349ba 100644
--- a/templates/jackett.yaml
+++ b/templates/jackett.yaml
@@ -48,7 +48,7 @@ metadata:
 annotations:
 # ingress.kubernetes.io/auth-type: forward
 # ingress.kubernetes.io/auth-url: http://ldap-auth.{{ .Release.Namespace }}.svc.cluster.local:80
- nginx.ingress.kubernetes.io/whitelist-source-range: "192.168.1.0/24"
+ nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.138/24"
 spec:
 ingressClassName: {{ .Values.homey.ingress_class }}
 tls:
diff --git a/templates/jellyfin.yaml b/templates/jellyfin.yaml
index 3f3e6fb..1848f91 100644
--- a/templates/jellyfin.yaml
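Review bot: `image: gitea/gitea:latest` is still a mutable tag, and since no `imagePullPolicy` is visible in the hunk Kubernetes defaults it to `Always` for `:latest`, so any pod restart may silently jump a Gitea release; the untagged `mysql` and `linuxserver/piwigo` images in the piwigo hunk have the same problem. Pin a version, `image: gitea/gitea:<version>`, so upgrades happen as deliberate commits. The container spec continues outside the hunk.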
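Review bot: `"10.0.0.138/24"` mixes a host address with a /24 mask; nginx treats the low bits as meaningless and admits all of 10.0.0.0/24, so write `"10.0.0.138/32"` if a single host was meant, or `"10.0.0.0/24"` if the subnet was. More generally, `whitelist-source-range` only restricts anything when the controller sees the real client address: behind a LoadBalancer/NodePort with the default `externalTrafficPolicy: Cluster`, or without `use-forwarded-headers`/proxy protocol, every request arrives from a node or LB address that may itself fall inside the 10.0.0.0/16 range used by the jellyfin, nefarious, photoprism, phpldapadmin and transmission hunks of this commit. Worth confirming once from outside the LAN that a request to these hosts is actually refused with a 403.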
+++ b/templates/jellyfin.yaml
@@ -86,7 +86,7 @@ kind: Ingress
 metadata:
 name: jellyfin-ingress
 annotations:
- nginx.ingress.kubernetes.io/whitelist-source-range: "192.168.0.0/16"
+ nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16"
 spec:
 ingressClassName: {{ .Values.homey.ingress_class }}
 tls:
diff --git a/templates/nefarious.yaml b/templates/nefarious.yaml
index 7af8b25..7a9e2fd 100644
--- a/templates/nefarious.yaml
+++ b/templates/nefarious.yaml
@@ -135,7 +135,7 @@ kind: Ingress
 metadata:
 name: nefarious-ingress
 annotations:
- nginx.ingress.kubernetes.io/whitelist-source-range: "192.168.0.0/8"
+ nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16"
 spec:
 ingressClassName: {{ .Values.homey.ingress_class }}
 tls:
diff --git a/templates/nextcloud.yaml b/templates/nextcloud.yaml
index 5ada35a..e6de511 100644
--- a/templates/nextcloud.yaml
+++ b/templates/nextcloud.yaml
@@ -136,6 +136,96 @@ kind: Ingress
 metadata:
 name: nextcloud-ingress
 annotations:
+ nginx.org/server-snippets: |
+ server_tokens off;
+ proxy_hide_header X-Powered-By;
+ proxy_hide_header Upgrade;
+
+ # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
+ location = / {
+ if ( $http_user_agent ~ ^DavClnt ) {
+ return 302 /remote.php/webdav/$is_args$args;
+ }
+ }
+
+ location = /robots.txt {
+ allow all;
+ log_not_found off;
+ access_log off;
+ }
+
+ # Make a regex exception for `/.well-known` so that clients can still
+ # access it despite the existence of the regex rule
+ # `location ~ /(\.|autotest|...)` which would otherwise handle requests
+ # for `/.well-known`.
+ location ^~ /.well-known {
+ # The rules in this block are an adaptation of the rules
+ # in `.htaccess` that concern `/.well-known`.
+
+ location = /.well-known/carddav { return 301 /remote.php/dav/; }
+ location = /.well-known/caldav { return 301 /remote.php/dav/; }
+
+ location /.well-known/acme-challenge { try_files $uri $uri/ =404; }
+ location /.well-known/pki-validation { try_files $uri $uri/ =404; }
+
+ # Let Nextcloud's API for `/.well-known` URIs handle all other
+ # requests by passing them to the front-end controller.
+ return 301 /index.php$request_uri;
+ }
+
+ # Rules borrowed from `.htaccess` to hide certain paths from clients
+ location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
+ location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
+
+ # Ensure this block, which passes PHP files to the PHP process, is above the blocks
+ # which handle static assets (as seen below). If this block is not declared first,
+ # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
+ # to the URI, resulting in a HTTP 500 error response.
+ location ~ \.php(?:$|/) {
+ # Required for legacy support
+ rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
+
+ fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+ set $path_info $fastcgi_path_info;
+
+ try_files $fastcgi_script_name =404;
+
+ include fastcgi_params;
+ fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+ fastcgi_param PATH_INFO $path_info;
+ fastcgi_param HTTPS on;
+
+ fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
+ fastcgi_param front_controller_active true; # Enable pretty urls
+ fastcgi_pass php-handler;
+
+ fastcgi_intercept_errors on;
+ fastcgi_request_buffering off;
+
+ fastcgi_max_temp_file_size 0;
+ }
+
+ location ~ \.(?:css|js|svg|gif|png|jpg|ico|wasm|tflite|map)$ {
+ try_files $uri /index.php$request_uri;
+ add_header Cache-Control "public, max-age=15778463, $asset_immutable";
+ access_log off; # Optional: Don't log access to assets
+
+ location ~ \.wasm$ {
+ default_type application/wasm;
+ }
+ }
+
+ location ~ \.woff2?$ {
+ try_files $uri /index.php$request_uri;
+ expires 7d; # Cache-Control policy borrowed from `.htaccess`
+ access_log off; # Optional: Don't log access to assets
+ }
+
+ # Rule borrowed from `.htaccess`
+ location /remote {
+ return 301 /remote.php$request_uri;
+ }
+
 spec:
 ingressClassName: {{ .Values.homey.ingress_class }}
 tls:
diff --git a/templates/photoprism.yaml b/templates/photoprism.yaml
index 00f0db2..cd53d59 100644
--- a/templates/photoprism.yaml
+++ b/templates/photoprism.yaml
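Review bot: The `nginx.org/server-snippets` annotation belongs to the NGINX Inc. ingress controller, while every other annotation in this chart and the `ingressClassName: nginx` below target kubernetes/ingress-nginx, which ignores `nginx.org/*` — so the hardening in this block (`server_tokens off`, the 404 rules for `config`, `data`, `occ`, dot-paths) most likely never reaches the proxy. Even on a controller that applied it, `fastcgi_pass php-handler;`, `try_files $fastcgi_script_name =404;` and the `$document_root` rules only make sense inside the Nextcloud pod's own nginx where the PHP files live; at the ingress they would fail the config reload or 404 everything. On ingress-nginx the equivalent is `nginx.ingress.kubernetes.io/server-snippet`, which newer releases disable by default (`allow-snippet-annotations`) because it lets any Ingress author inject arbitrary nginx config; the pieces that matter at the edge (`server_tokens off;`, `proxy_hide_header X-Powered-By;`) are better set once in the controller ConfigMap. The rest of the block should move into the Nextcloud image's nginx config and be dropped from the Ingress.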
@@ -104,9 +104,8 @@ kind: Ingress
 metadata:
 name: photoprism-ingress
 annotations:
- ingress.kubernetes.io/auth-type: forward
- ingress.kubernetes.io/auth-url: http://ldap-auth.{{ .Release.Namespace }}.svc.cluster.local:80
- nginx.ingress.kubernetes.io/whitelist-source-range: "192.168.0.0/16"
+ nginx.ingress.kubernetes.io/auth-url: http://ldap-auth.{{ .Release.Namespace }}.svc.cluster.local:80
+ nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16"
 nginx.ingress.kubernetes.io/proxy-body-size: 5g
 spec:
 ingressClassName: {{ .Values.homey.ingress_class }}
diff --git a/templates/phpldapadmin.yaml b/templates/phpldapadmin.yaml
index cfd7575..b24eccb 100644
--- a/templates/phpldapadmin.yaml
+++ b/templates/phpldapadmin.yaml
@@ -44,7 +44,7 @@ kind: Ingress
 metadata:
 name: phpldapadmin
 annotations:
- nginx.ingress.kubernetes.io/whitelist-source-range: "192.168.0.0/16"
+ nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16"
 spec:
 ingressClassName: {{ .Values.homey.ingress_class }}
 tls:
diff --git a/templates/piwigo.yaml b/templates/piwigo.yaml
new file mode 100644
index 0000000..0b08290
--- /dev/null
+++ b/templates/piwigo.yaml
@@ -0,0 +1,178 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: piwigo-mysql-pass
+ annotations:
+ "helm.sh/resource-policy": "keep"
+type: Opaque
+data:
+ {{- $secretObj := (lookup "v1" "Secret" .Release.Namespace "piwigo-mysql-pass") | default dict }}
+ {{- $secretData := (get $secretObj "data") | default dict }}
+ {{- $pass := (get $secretData "password") | default (randAlphaNum 32 | b64enc) }}
+ password: {{ $pass | quote }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: piwigo-mysql-root-pass
+ annotations:
+ "helm.sh/resource-policy": "keep"
+type: Opaque
+data:
+ {{- $secretObj := (lookup "v1" "Secret" .Release.Namespace "piwigo-mysql-root-pass") | default dict }}
+ {{- $secretData := (get $secretObj "data") | default dict }}
+ {{- $pass := (get $secretData "password") | default (randAlphaNum 32 | b64enc) }}
+ password: {{ $pass | quote }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: piwigo-admin
+ annotations:
+ "helm.sh/resource-policy": "keep"
+type: Opaque
+data:
+ {{- $secretObj := (lookup "v1" "Secret" .Release.Namespace "piwigo-admin") | default dict }}
+ {{- $secretData := (get $secretObj "data") | default dict }}
+ {{- $pass := (get $secretData "password") | default (randAlphaNum 32 | b64enc) }}
+ password: {{ $pass | quote }}
+---
+---
+# apiVersion: extensions/v1beta1
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: piwigo-mysql-config
+ labels:
+ app: piwigo-mysql
+data:
+ MYSQL_DATABASE: piwigo_db
+ MYSQL_USER: piwigo
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: piwigo-mysql
+ labels:
+ app: piwigo-mysql
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: piwigo-mysql
+ template:
+ metadata:
+ labels:
+ app: piwigo-mysql
+ name: piwigo-mysql
+ spec:
+ containers:
+ - name: piwigo-mysql
+ image: mysql
+ imagePullPolicy: "IfNotPresent"
+ ports:
+ - containerPort: 3306
+ envFrom:
+ - configMapRef:
+ name: piwigo-mysql-config
+ env:
+ - name: MYSQL_ROOT_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: piwigo-mysql-root-pass
+ key: password
+ - name: MYSQL_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: piwigo-mysql-pass
+ key: password
+ volumeMounts:
+ - mountPath: /var/lib/mysql
+ subPath: backup/piwigo/db
+ name: piwigo-mysql-db
+ volumes:
+ - name: piwigo-mysql-db
+ persistentVolumeClaim:
+ claimName: homey-pvc-nfs
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: piwigo-mysql
+ labels:
+ app: piwigo-mysql
+spec:
+ ports:
+ - port: 3306
+ selector:
+ app: piwigo-mysql
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: piwigo
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: piwigo
+ template:
+ metadata:
+ labels:
+ app: piwigo
+ spec:
+ containers:
+ - name: piwigo
+ image: linuxserver/piwigo
+ volumeMounts:
+ - name: piwigo-persistent-storage
+ mountPath: /config
+ subPath: backup/piwigo/config
+ - name: piwigo-persistent-storage
+ mountPath: /gallery
+ subPath: backup/piwigo/gallery
+ volumes:
+ - name: piwigo-persistent-storage
+ persistentVolumeClaim:
+ claimName: homey-pvc-nfs
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: piwigo-svc
+spec:
+ ports:
+ - name: http
+ protocol: TCP
+ port: 80
+ targetPort: 80
+ selector:
+ app: piwigo
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: piwigo-ingress
+ annotations:
+ # nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16"
+ nginx.ingress.kubernetes.io/auth-type: forward
+ nginx.ingress.kubernetes.io/auth-url: http://ldap-auth.{{ .Release.Namespace }}.svc.cluster.local:80
+ nginx.ingress.kubernetes.io/proxy-body-size: 5g
+spec:
+ ingressClassName: {{ .Values.homey.ingress_class }}
+ tls:
+ - hosts:
+ - piwigo.{{ .Values.homey.url }}
+ secretName: {{ .Values.homey.certname }}
+ rules:
+ - host: piwigo.{{ .Values.homey.url }}
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: piwigo-svc
+ port:
+ number: 80
diff --git a/templates/transmission.yaml b/templates/transmission.yaml
index efc903b..7c63839 100644
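Review bot: The `piwigo-admin` Secret is generated with a random password but nothing in this file reads it — neither Deployment has an `env`/`secretKeyRef` pointing at it — so the README's "Password, it's configured as a secret" is not backed by the manifests yet, and the README's `user - postgres` disagrees with the ConfigMap's `MYSQL_USER: piwigo`. `image: mysql` carries no tag, so with `backup/piwigo/db` persisted on NFS a pod restart can pull a newer major MySQL release against a data directory it will not downgrade from; pin it, e.g. `image: mysql:<version>`, and likewise `linuxserver/piwigo`. The Ingress sets `nginx.ingress.kubernetes.io/auth-type: forward`, which as far as I can tell is not a value ingress-nginx accepts for that annotation (it selects basic/digest auth); the photoprism hunk in this commit relies on `auth-url` alone, which is the working form, so this template should match it. The consecutive `---` `---` before the ConfigMap yields an empty document — harmless for Helm, but drop one.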
--- a/templates/transmission.yaml
+++ b/templates/transmission.yaml
@@ -62,9 +62,10 @@ kind: Ingress
 metadata:
 name: transmission-ingress
 annotations:
- ingress.kubernetes.io/auth-type: forward
- ingress.kubernetes.io/auth-url: http://ldap-auth.{{ .Release.Namespace }}.svc.cluster.local:80
- nginx.ingress.kubernetes.io/whitelist-source-range: "192.168.0.0/16"
+ # nginx.ingress.kubernetes.io/auth-type: forward
+ # nginx.ingress.kubernetes.io/global-auth-url: http://ldap-auth.{{ .Release.Namespace }}.svc.cluster.local:80
+ # nginx.ingress.kubernetes.io/proxy_pass: http://ldap-auth.{{ .Release.Namespace }}.svc.cluster.local:80
+ nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16"
 spec:
 ingressClassName: {{ .Values.homey.ingress_class }}
 tls:
diff --git a/values.yaml b/values.yaml
index 3fa355f..fd08082 100644
--- a/values.yaml
+++ b/values.yaml
@@ -59,10 +59,10 @@ affinity: {} homey: organization: "Zakobar Home Server" storage: - ip: "192.168.1.2" + ip: "10.0.0.100" storageCapacity: 450Gi url: zakobar.com - ip: 192.168.1.2 + ip: 10.0.0.100 certname: zakobarcert ingress_class: nginx
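Review bot: With the three auth annotations commented out, transmission's web UI is now gated only by `whitelist-source-range`, and the commented lines would not restore auth if uncommented: `global-auth-url` is a key of the controller's ConfigMap rather than an Ingress annotation, and `nginx.ingress.kubernetes.io/proxy_pass` is not an ingress-nginx annotation as far as I know. The working per-Ingress form is the one the photoprism hunk uses, `nginx.ingress.kubernetes.io/auth-url: http://ldap-auth.{{ .Release.Namespace }}.svc.cluster.local:80`. If the intent is to leave transmission without forward auth deliberately (for example so clients can use its own RPC authentication), say so in a comment next to the annotation, since as written the removal reads as an accidental downgrade.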
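Review bot: `ip: 10.0.0.100` under `homey` is left unquoted while `storage.ip` in the same hunk becomes `"10.0.0.100"`; both are strings consumed by templates, so quote both the same way, `ip: "10.0.0.100"`, to keep the file consistent. The two keys now carry the same address and a comment saying whether that is coincidence or intentional would save the next edit from updating only one of them.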