Stable before split

README.org

@@ -75,3 +75,15 @@ Email Attribute: mail
 * Jackett
 
 Go into "indexers" and add indexer
+
+* Piwigo
+Host we configure outright
+User, we'll configure 'admin'
+Password, it's configured as a secret
+Database name...
+
+host - piwigo-mysql
+user - postgres
+password - from secret
+database-name - piwigo_db
+piwigo_

templates/gitea.yaml

@@ -28,7 +28,7 @@ spec:
     spec:
       containers:
       - name: gitea
-        image: gitea/gitea
+        image: gitea/gitea:latest
         ports:
         - containerPort: 22
           name: ssh

templates/jackett.yaml

@@ -48,7 +48,7 @@ metadata:
   annotations:
     # ingress.kubernetes.io/auth-type: forward
     # ingress.kubernetes.io/auth-url: http://ldap-auth.{{ .Release.Namespace }}.svc.cluster.local:80
-    nginx.ingress.kubernetes.io/whitelist-source-range: "192.168.1.0/24"
+    nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.138/24"
 spec:
   ingressClassName: {{ .Values.homey.ingress_class }}
   tls:

templates/jellyfin.yaml

@@ -86,7 +86,7 @@ kind: Ingress
 metadata:
   name: jellyfin-ingress
   annotations:
-    nginx.ingress.kubernetes.io/whitelist-source-range: "192.168.0.0/16"
+    nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16"
 spec:
   ingressClassName: {{ .Values.homey.ingress_class }}
   tls:

templates/nefarious.yaml

@@ -135,7 +135,7 @@ kind: Ingress
 metadata:
   name: nefarious-ingress
   annotations:
-    nginx.ingress.kubernetes.io/whitelist-source-range: "192.168.0.0/8"
+    nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16"
 spec:
   ingressClassName: {{ .Values.homey.ingress_class }}
   tls:

templates/nextcloud.yaml

@@ -136,6 +136,96 @@ kind: Ingress
 metadata:
   name: nextcloud-ingress
   annotations:
+    nginx.org/server-snippets: |
+        server_tokens off;
+        proxy_hide_header X-Powered-By;
+        proxy_hide_header Upgrade;
+
+        # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
+        location = / {
+            if ( $http_user_agent ~ ^DavClnt ) {
+                return 302 /remote.php/webdav/$is_args$args;
+            }
+        }
+
+        location = /robots.txt {
+            allow all;
+            log_not_found off;
+            access_log off;
+        }
+
+        # Make a regex exception for `/.well-known` so that clients can still
+        # access it despite the existence of the regex rule
+        # `location ~ /(\.|autotest|...)` which would otherwise handle requests
+        # for `/.well-known`.
+        location ^~ /.well-known {
+            # The rules in this block are an adaptation of the rules
+            # in `.htaccess` that concern `/.well-known`.
+
+            location = /.well-known/carddav { return 301 /remote.php/dav/; }
+            location = /.well-known/caldav  { return 301 /remote.php/dav/; }
+
+            location /.well-known/acme-challenge    { try_files $uri $uri/ =404; }
+            location /.well-known/pki-validation    { try_files $uri $uri/ =404; }
+
+            # Let Nextcloud's API for `/.well-known` URIs handle all other
+            # requests by passing them to the front-end controller.
+            return 301 /index.php$request_uri;
+        }
+
+        # Rules borrowed from `.htaccess` to hide certain paths from clients
+        location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
+        location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)                { return 404; }
+
+        # Ensure this block, which passes PHP files to the PHP process, is above the blocks
+        # which handle static assets (as seen below). If this block is not declared first,
+        # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
+        # to the URI, resulting in a HTTP 500 error response.
+        location ~ \.php(?:$|/) {
+            # Required for legacy support
+            rewrite ^/(?!index|remote|public|cron|core\/ajax\/update|status|ocs\/v[12]|updater\/.+|oc[ms]-provider\/.+|.+\/richdocumentscode\/proxy) /index.php$request_uri;
+
+            fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+            set $path_info $fastcgi_path_info;
+
+            try_files $fastcgi_script_name =404;
+
+            include fastcgi_params;
+            fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+            fastcgi_param PATH_INFO $path_info;
+            fastcgi_param HTTPS on;
+
+            fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
+            fastcgi_param front_controller_active true;     # Enable pretty urls
+            fastcgi_pass php-handler;
+
+            fastcgi_intercept_errors on;
+            fastcgi_request_buffering off;
+
+            fastcgi_max_temp_file_size 0;
+        }
+
+        location ~ \.(?:css|js|svg|gif|png|jpg|ico|wasm|tflite|map)$ {
+            try_files $uri /index.php$request_uri;
+            add_header Cache-Control "public, max-age=15778463, $asset_immutable";
+            access_log off;     # Optional: Don't log access to assets
+
+            location ~ \.wasm$ {
+                default_type application/wasm;
+            }
+        }
+
+        location ~ \.woff2?$ {
+            try_files $uri /index.php$request_uri;
+            expires 7d;         # Cache-Control policy borrowed from `.htaccess`
+            access_log off;     # Optional: Don't log access to assets
+        }
+
+        # Rule borrowed from `.htaccess`
+        location /remote {
+            return 301 /remote.php$request_uri;
+        }
+
 spec:
   ingressClassName: {{ .Values.homey.ingress_class }}
   tls:

templates/photoprism.yaml

@@ -104,9 +104,8 @@ kind: Ingress
 metadata:
   name: photoprism-ingress
   annotations:
-    ingress.kubernetes.io/auth-type: forward
+    nginx.ingress.kubernetes.io/auth-url: http://ldap-auth.{{ .Release.Namespace }}.svc.cluster.local:80
-    ingress.kubernetes.io/auth-url: http://ldap-auth.{{ .Release.Namespace }}.svc.cluster.local:80
+    nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16"
-    nginx.ingress.kubernetes.io/whitelist-source-range: "192.168.0.0/16"
     nginx.ingress.kubernetes.io/proxy-body-size: 5g
 spec:
   ingressClassName: {{ .Values.homey.ingress_class }}

templates/phpldapadmin.yaml

@@ -44,7 +44,7 @@ kind: Ingress
 metadata:
   name: phpldapadmin
   annotations:
-    nginx.ingress.kubernetes.io/whitelist-source-range: "192.168.0.0/16"
+    nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16"
 spec:
   ingressClassName: {{ .Values.homey.ingress_class }}
   tls:

templates/piwigo.yaml

@@ -0,0 +1,178 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: piwigo-mysql-pass
+  annotations:
+    "helm.sh/resource-policy": "keep"
+type: Opaque
+data:
+  {{- $secretObj := (lookup "v1" "Secret" .Release.Namespace "piwigo-mysql-pass") | default dict }}
+  {{- $secretData := (get $secretObj "data") | default dict }}
+  {{- $pass := (get $secretData "password") | default (randAlphaNum 32 | b64enc) }}
+  password: {{ $pass | quote }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: piwigo-mysql-root-pass
+  annotations:
+    "helm.sh/resource-policy": "keep"
+type: Opaque
+data:
+  {{- $secretObj := (lookup "v1" "Secret" .Release.Namespace "piwigo-mysql-root-pass") | default dict }}
+  {{- $secretData := (get $secretObj "data") | default dict }}
+  {{- $pass := (get $secretData "password") | default (randAlphaNum 32 | b64enc) }}
+  password: {{ $pass | quote }}
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: piwigo-admin
+  annotations:
+    "helm.sh/resource-policy": "keep"
+type: Opaque
+data:
+  {{- $secretObj := (lookup "v1" "Secret" .Release.Namespace "piwigo-admin") | default dict }}
+  {{- $secretData := (get $secretObj "data") | default dict }}
+  {{- $pass := (get $secretData "password") | default (randAlphaNum 32 | b64enc) }}
+  password: {{ $pass | quote }}
+---
+---
+# apiVersion: extensions/v1beta1
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: piwigo-mysql-config
+  labels:
+    app: piwigo-mysql
+data:
+  MYSQL_DATABASE: piwigo_db
+  MYSQL_USER: piwigo
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: piwigo-mysql
+  labels:
+    app: piwigo-mysql
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: piwigo-mysql
+  template:
+    metadata:
+      labels:
+        app: piwigo-mysql
+        name: piwigo-mysql
+    spec:
+      containers:
+      - name: piwigo-mysql
+        image: mysql
+        imagePullPolicy: "IfNotPresent"
+        ports:
+        - containerPort: 3306
+        envFrom:
+        - configMapRef:
+            name: piwigo-mysql-config
+        env:
+        - name: MYSQL_ROOT_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: piwigo-mysql-root-pass
+              key: password
+        - name: MYSQL_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: piwigo-mysql-pass
+              key: password
+        volumeMounts:
+        - mountPath: /var/lib/mysql
+          subPath: backup/piwigo/db
+          name: piwigo-mysql-db
+      volumes:
+      - name: piwigo-mysql-db
+        persistentVolumeClaim:
+          claimName: homey-pvc-nfs
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: piwigo-mysql
+  labels:
+    app: piwigo-mysql
+spec:
+  ports:
+   - port: 3306
+  selector:
+    app: piwigo-mysql
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: piwigo
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: piwigo
+  template:
+    metadata:
+      labels:
+        app: piwigo
+    spec:
+      containers:
+      - name: piwigo
+        image: linuxserver/piwigo
+        volumeMounts:
+        - name: piwigo-persistent-storage
+          mountPath: /config
+          subPath: backup/piwigo/config
+        - name: piwigo-persistent-storage
+          mountPath: /gallery
+          subPath: backup/piwigo/gallery
+      volumes:
+      - name: piwigo-persistent-storage
+        persistentVolumeClaim:
+          claimName: homey-pvc-nfs
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: piwigo-svc
+spec:
+  ports:
+  - name: http
+    protocol: TCP
+    port: 80
+    targetPort: 80
+  selector:
+    app: piwigo
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: piwigo-ingress
+  annotations:
+    # nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16"
+    nginx.ingress.kubernetes.io/auth-type: forward
+    nginx.ingress.kubernetes.io/auth-url: http://ldap-auth.{{ .Release.Namespace }}.svc.cluster.local:80
+    nginx.ingress.kubernetes.io/proxy-body-size: 5g
+spec:
+  ingressClassName: {{ .Values.homey.ingress_class }}
+  tls:
+    - hosts:
+      - piwigo.{{ .Values.homey.url }}
+      secretName: {{ .Values.homey.certname }}
+  rules:
+  - host: piwigo.{{ .Values.homey.url }}
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: piwigo-svc
+            port:
+              number: 80

templates/transmission.yaml

@@ -62,9 +62,10 @@ kind: Ingress
 metadata:
   name: transmission-ingress
   annotations:
-    ingress.kubernetes.io/auth-type: forward
+    # nginx.ingress.kubernetes.io/auth-type: forward
-    ingress.kubernetes.io/auth-url: http://ldap-auth.{{ .Release.Namespace }}.svc.cluster.local:80
+    # nginx.ingress.kubernetes.io/global-auth-url: http://ldap-auth.{{ .Release.Namespace }}.svc.cluster.local:80
-    nginx.ingress.kubernetes.io/whitelist-source-range: "192.168.0.0/16"
+    # nginx.ingress.kubernetes.io/proxy_pass: http://ldap-auth.{{ .Release.Namespace }}.svc.cluster.local:80
+    nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/16"
 spec:
   ingressClassName: {{ .Values.homey.ingress_class }}
   tls:

values.yaml

@@ -59,10 +59,10 @@ affinity: {}
 homey:
     organization: "Zakobar Home Server"
     storage:
-        ip: "192.168.1.2"
+        ip: "10.0.0.100"
         storageCapacity: 450Gi
     url: zakobar.com
-    ip: 192.168.1.2
+    ip: 10.0.0.100
     certname: zakobarcert
     ingress_class: nginx