--- apiVersion: v1 kind: PersistentVolumeClaim metadata: name: ldap-pvc spec: accessModes: - ReadWriteMany resources: requests: storage: 100Mi storageClassName: longhorn --- {{- $_ := set $ "homey_openldap_admin" (include "homey.lookuporgensecret" (merge (dict "secretname" "openldap-admin") $))}} {{ include "homey.randomsecret" (merge (dict "secretname" "openldap-admin" "secretval" .homey_openldap_admin) $) }} # --- {{- $_ := set $ "homey_openldap_config" (include "homey.lookuporgensecret" (merge (dict "secretname" "openldap-config") $))}} {{ include "homey.randomsecret" (merge (dict "secretname" "openldap-config" "secretval" .homey_openldap_config) $) }} # --- {{- $_ := set $ "homey_openldap_ro" (include "homey.lookuporgensecret" (merge (dict "secretname" "openldap-ro") $))}} {{ include "homey.randomsecret" (merge (dict "secretname" "openldap-ro" "secretval" .homey_openldap_ro) $) }} --- {{- $_ := set $ "homey_authelia_jwt" (include "homey.lookuporgensecret" (merge (dict "secretname" "authelia-jwt") $))}} {{ include "homey.randomsecret" (merge (dict "secretname" "authelia-jwt" "secretval" .homey_authelia_jwt) $) }} --- {{- $_ := set $ "homey_authelia_session" (include "homey.lookuporgensecret" (merge (dict "secretname" "authelia-session") $))}} {{ include "homey.randomsecret" (merge (dict "secretname" "authelia-session" "secretval" .homey_authelia_session) $) }} --- {{- $_ := set $ "homey_authelia_encryption_key" (include "homey.lookuporgensecret" (merge (dict "secretname" "authelia-encryption-key") $))}} {{ include "homey.randomsecret" (merge (dict "secretname" "authelia-encryption-key" "secretval" .homey_authelia_encryption_key) $) }} --- apiVersion: apps/v1 kind: Deployment metadata: name: openldap labels: app.kubernetes.io/name: openldap spec: selector: matchLabels: app.kubernetes.io/name: openldap replicas: 1 template: metadata: labels: app.kubernetes.io/name: openldap spec: # securityContext: # fsGroup: 0 containers: - name: openldap image: osixia/openldap env: - name: LDAP_ORGANISATION value: {{ .Values.homey.organization }} - name: LDAP_DOMAIN value: {{ .Values.homey.url | quote}} - name: LDAP_ADMIN_USERNAME value: "admin" - name: LDAP_READONLY_USER value: "true" - name: LDAP_ADMIN_PASSWORD valueFrom: secretKeyRef: key: password name: openldap-admin - name: LDAP_CONFIG_PASSWORD valueFrom: secretKeyRef: key: password name: openldap-config - name: LDAP_READONLY_USER_PASSWORD valueFrom: secretKeyRef: key: password name: openldap-ro ports: - name: tcp-ldap containerPort: 389 - name: ssl-ldap containerPort: 636 volumeMounts: - mountPath: /etc/ldap/slapd.d subPath: openldap/etc/ldap/slapd.d name: openldap-volume - mountPath: /var/lib/ldap subPath: openldap/var/lib/ldap name: openldap-volume volumes: - name: openldap-volume persistentVolumeClaim: claimName: ldap-pvc --- apiVersion: v1 kind: Service metadata: name: openldap labels: app.kubernetes.io/name: openldap spec: type: ClusterIP ports: - name: tcp-ldap port: 389 targetPort: tcp-ldap - name: ssl-ldap port: 636 targetPort: ssl-ldap selector: app.kubernetes.io/name: openldap --- apiVersion: v1 kind: ConfigMap metadata: name: authelia-conf data: configuration.yml: |- {{ tpl (.Files.Get "files/authelia-config.yaml" | indent 4) . }} --- apiVersion: v1 kind: PersistentVolumeClaim metadata: name: authelia-pvc spec: accessModes: - ReadWriteMany resources: requests: storage: 100Mi storageClassName: longhorn --- apiVersion: apps/v1 kind: Deployment metadata: name: authelia labels: app.kubernetes.io/name: authelia spec: selector: matchLabels: app.kubernetes.io/name: authelia replicas: 1 template: metadata: labels: app.kubernetes.io/name: authelia spec: enableServiceLinks: false containers: - name: authelia image: authelia/authelia imagePullPolicy: "IfNotPresent" env: - name: TZ value: "Jerusalem/Israel" ports: - name: tcp containerPort: 9091 volumeMounts: - mountPath: /config/configuration.yml name: authelia-conf subPath: configuration.yml readOnly: true - mountPath: /config subPath: authelia/config name: authelia-volume volumes: - name: authelia-conf configMap: name: authelia-conf items: - key: configuration.yml path: configuration.yml - name: authelia-volume persistentVolumeClaim: claimName: authelia-pvc --- apiVersion: v1 kind: Service metadata: name: authelia labels: app.kubernetes.io/name: authelia spec: type: ClusterIP ports: - name: tcp port: 9091 targetPort: tcp selector: app.kubernetes.io/name: authelia --- apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: authelia spec: ingressClassName: {{ .Values.homey.ingress_class }} tls: - hosts: - auth.{{ .Values.homey.url }} secretName: {{ .Values.homey.certname }} rules: - host: auth.{{ .Values.homey.url }} http: paths: - path: / pathType: Prefix backend: service: name: authelia port: number: 9091 --- apiVersion: v1 kind: PersistentVolumeClaim metadata: name: gitea-pvc spec: accessModes: - ReadWriteMany resources: requests: storage: 5Gi storageClassName: longhorn --- {{- $_ := set $ "homey_gitea_admin_pass" (include "homey.lookuporgensecret" (merge (dict "secretname" "gitea-admin-pass") $))}} {{ include "homey.randomsecret" (merge (dict "secretname" "gitea-admin-pass" "secretval" .homey_gitea_admin_pass) $) }} --- {{- $_ := set $ "homey_gitea_lfs_jwt_secret" (include "homey.lookuporgensecret" (merge (dict "secretname" "gitea-lfs-jwt-secret") $))}} {{ include "homey.randomsecret" (merge (dict "secretname" "gitea-lfs-jwt-secret" "secretval" .homey_gitea_lfs_jwt_secret) $) }} --- {{- $_ := set $ "homey_gitea_oauth2_jwt_secret" (include "homey.lookuporgensecret" (merge (dict "secretname" "gitea-oauth2-jwt-secret") $))}} {{ include "homey.randomsecret" (merge (dict "secretname" "gitea-oauth2-jwt-secret" "secretval" .homey_gitea_oauth2_jwt_secret) $) }} --- apiVersion: v1 kind: Secret metadata: name: gitea-random-internal-token annotations: "helm.sh/resource-policy": "keep" type: Opaque data: {{- $secretObj := (lookup "v1" "Secret" .Release.Namespace "gitea-random-internal-token") | default dict -}} {{- $secretData := (get $secretObj "data") | default dict -}} {{- $pass := (get $secretData "password") | default (randAlphaNum 100 | b64enc) -}} {{- $_ := set $ "homey_gitea_random_internal_token" ($pass | b64dec) }} password: {{ $pass | quote }} --- apiVersion: v1 kind: ConfigMap metadata: name: gitea-conf data: app.ini: |- {{ tpl (.Files.Get "files/gitea-app.ini" | indent 4) . }} --- apiVersion: apps/v1 kind: Deployment metadata: name: gitea spec: replicas: 1 selector: matchLabels: app: gitea template: metadata: labels: app: gitea spec: containers: - name: gitea image: gitea/gitea:latest ports: - containerPort: 3000 name: http volumeMounts: - name: gitea-persistent-storage mountPath: /data subPath: gitea/gitea/data - name: gitea-conf mountPath: /data/gitea/conf/app.ini subPath: app.ini readOnly: true # startProbe: # httpGet: # path: / # port: 3000 # initialDelaySeconds: 15 # lifecycle: # postStart: # exec: # {{- $gitea_cmd := (printf "gitea admin auth add-ldap --name ldap --security-protocol unencrypted --host ldap --port 389 --user-search-base ou=users,%s --user-filter \\\"(&(objectClass=inetOrgPerson)(|(uid=%[1]s)(mail=kk[1]s)))\\\" --email-attribute mail --bind-dn=\\\"cn=readonly,%s\\\" --bind-password=\\\"%s\\\"" ( .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim) ( .Values.homey.url | replace "." ",dc=" | printf "dc=%s " | trim) (.homey_openldap_ro | replace "\"" ""))}} # command: ["/bin/sh", "-c", "{{$gitea_cmd}}"] volumes: - name: gitea-persistent-storage persistentVolumeClaim: claimName: gitea-pvc - name: gitea-conf configMap: name: gitea-conf items: - key: app.ini path: app.ini --- apiVersion: v1 kind: Service metadata: name: gitea-svc spec: selector: app: gitea ports: - name: http-port protocol: TCP port: 3000 targetPort: http selector: app: gitea --- apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: gitea-ingress spec: ingressClassName: {{ .Values.homey.ingress_class }} tls: - hosts: - git.{{ .Values.homey.url }} secretName: {{ .Values.homey.certname }} rules: - host: git.{{ .Values.homey.url }} http: paths: - path: / pathType: Prefix backend: service: name: gitea-svc port: number: 3000 --- apiVersion: v1 kind: PersistentVolumeClaim metadata: name: nextcloud-postgres-pvc spec: accessModes: - ReadWriteMany resources: requests: storage: 5Gi storageClassName: longhorn --- apiVersion: v1 kind: PersistentVolumeClaim metadata: name: nextcloud-data-pvc spec: accessModes: - ReadWriteMany resources: requests: storage: 1Ti storageClassName: longhorn --- apiVersion: v1 kind: Secret metadata: name: nextcloud-postgres-pass annotations: "helm.sh/resource-policy": "keep" type: Opaque data: {{- $secretObj := (lookup "v1" "Secret" .Release.Namespace "nextcloud-postgres-pass") | default dict }} {{- $secretData := (get $secretObj "data") | default dict }} {{- $pass := (get $secretData "password") | default (randAlphaNum 32 | b64enc) }} password: {{ $pass | quote }} --- {{- $_ := set $ "homey_nextcloud_postgres_pass" (include "homey.lookuporgensecret" (merge (dict "secretname" "nextcloud-postgres-pass") $))}} {{ include "homey.randomsecret" (merge (dict "secretname" "nextcloud-postgres-pass" "secretval" .homey_nextcloud_postgres_pass) $) }} --- {{- $_ := set $ "homey_nextcloud_admin_pass" (include "homey.lookuporgensecret" (merge (dict "secretname" "nextcloud-admin-pass") $))}} {{ include "homey.randomsecret" (merge (dict "secretname" "nextcloud-admin-pass" "secretval" .homey_nextcloud_admin_pass) $) }} --- apiVersion: v1 kind: ConfigMap metadata: name: nextcloud-postgres-config labels: app: nextcloud-postgres data: POSTGRES_DB: nextcloud_db POSTGRES_USER: postgres --- apiVersion: apps/v1 kind: Deployment metadata: name: nextcloud-postgres labels: app: nextcloud-postgres spec: replicas: 1 selector: matchLabels: app: nextcloud-postgres template: metadata: labels: app: nextcloud-postgres name: nextcloud-postgres spec: containers: - name: nextcloud-postgres image: postgres imagePullPolicy: "IfNotPresent" ports: - containerPort: 5432 envFrom: - configMapRef: name: nextcloud-postgres-config env: - name: POSTGRES_PASSWORD valueFrom: secretKeyRef: name: nextcloud-postgres-pass key: password volumeMounts: - mountPath: /var/lib/postgresql/data subPath: nextcloud/db name: nextcloud-postgredb volumes: - name: nextcloud-postgredb persistentVolumeClaim: claimName: nextcloud-postgres-pvc --- apiVersion: v1 kind: Service metadata: name: nextcloud-postgres labels: app: nextcloud-postgres spec: ports: - port: 5432 selector: app: nextcloud-postgres --- apiVersion: v1 kind: ConfigMap metadata: name: nextcloud-configmap labels: app: nextcloud data: POSTGRES_HOST: nextcloud-postgres OVERWRITEPROTOCOL: https NEXTCLOUD_ADMIN_USER: admin NEXTCLOUD_TRUSTED_DOMAINS: nextcloud.{{ .Values.homey.url }} nextcloud.admin.home --- apiVersion: apps/v1 kind: Deployment metadata: name: nextcloud labels: app: nextcloud spec: replicas: 1 selector: matchLabels: app: nextcloud template: metadata: labels: app: nextcloud name: nextcloud spec: containers: - name: nextcloud image: nextcloud imagePullPolicy: Always volumeMounts: - name: nextcloud-volume mountPath: "/var/www/html" subPath: html envFrom: - configMapRef: name: nextcloud-postgres-config - configMapRef: name: nextcloud-configmap env: - name: POSTGRES_PASSWORD valueFrom: secretKeyRef: name: nextcloud-postgres-pass key: password - name: NEXTCLOUD_ADMIN_PASSWORD valueFrom: secretKeyRef: name: nextcloud-admin-pass key: password volumes: - name: nextcloud-volume persistentVolumeClaim: claimName: nextcloud-data-pvc --- apiVersion: v1 kind: Service metadata: name: nextcloud spec: selector: app: nextcloud ports: - port: 80 targetPort: 80 name: nextcloud --- apiVersion: networking.k8s.io/v1 kind: Ingress metadata: name: nextcloud-ingress annotations: nginx.ingress.kubernetes.io/proxy-body-size: 5g nginx.ingress.kubernetes.io/server-snippet: | # Make a regex exception for `/.well-known` so that clients can still # access it despite the existence of the regex rule # `location ~ /(\.|autotest|...)` which would otherwise handle requests # for `/.well-known`. location = /.well-known/carddav { return 301 https://nextcloud.{{ .Values.homey.url }}/remote.php/dav/; } location = /.well-known/caldav { return 301 https://nextcloud.{{ .Values.homey.url }}/remote.php/dav/; } spec: ingressClassName: {{ .Values.homey.ingress_class }} tls: - hosts: - nextcloud.{{ .Values.homey.url }} secretName: {{ .Values.homey.certname }} rules: - host: nextcloud.{{ .Values.homey.url }} http: paths: - path: / pathType: Prefix backend: service: name: nextcloud port: number: 80 ---