admin/felhom.eu
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
fix/filebrowser-revert
felhom.eu/manifests/webpage.yaml
T
admin df2a1259d9 manifests: revert filebrowser v2.63.13 -> v2-alpine (PVC permission issue) 
The previous PR pinned `filebrowser/filebrowser:v2-alpine` to v2.63.13
but it crashlooped on:

  Error: open /database/filebrowser.db: permission denied

The v2.63.13 image (debian-based default) runs as a non-root UID and
can't write to files on the PVC that were created by the v2-alpine
image (which ran as root). No `v2.63.13-alpine` tag exists upstream
(filebrowser stopped publishing per-version alpine variants), so we
can't trivially preserve the same runtime.

Quick recovery: revert to v2-alpine so filebrowser is usable again.
Proper fix (deferred): either an initContainer that `chown -R 1000:1000
/database /srv` or a `securityContext.fsGroup: 1000` on the pod spec
to let the non-root UID write to the existing PVC. Both require some
care since the chown is destructive if the UID is wrong.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-06-06 13:45:18 +02:00

355 lines
8.4 KiB
YAML
Raw Permalink Blame History

# FileBrowser + Webpage deployment for felhom.eu
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: filebrowser-files
namespace: felhom-system
spec:
accessModes:
- ReadWriteMany
storageClassName: longhorn
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: filebrowser-db
namespace: felhom-system
spec:
accessModes:
- ReadWriteOnce
storageClassName: longhorn
resources:
requests:
storage: 100Mi
---
apiVersion: v1
kind: ConfigMap
metadata:
name: filebrowser-config
namespace: felhom-system
data:
.filebrowser.json: |
{
"port": 8080,
"baseURL": "",
"address": "0.0.0.0",
"log": "stdout",
"database": "/database/filebrowser.db",
"root": "/srv"
}
---
# ===================
# NGINX CONFIG FOR CLEAN URLs
# ===================
apiVersion: v1
kind: ConfigMap
metadata:
name: nginx-config
namespace: felhom-system
data:
default.conf: |
server {
listen 80;
server_name _;
root /usr/share/nginx/html/current/website;
index index.html;
# Enable clean URLs - serve .html files without extension
location / {
try_files $uri $uri.html $uri/ =404;
}
location = /sitemap.xml {
types { application/xml xml; }
default_type application/xml;
}
# Cache static assets
location ~* \.(css|js|png|jpg|jpeg|gif|ico|svg|woff|woff2)$ {
expires 7d;
add_header Cache-Control "public, immutable";
}
# Security headers
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Content-Type-Options "nosniff" always;
# Error pages
error_page 404 /404.html;
error_page 500 502 503 504 /50x.html;
}
---
# ===================
# FILEBROWSER
# ===================
apiVersion: apps/v1
kind: Deployment
metadata:
name: filebrowser
namespace: felhom-system
labels:
app: filebrowser
spec:
replicas: 1
strategy:
type: Recreate
selector:
matchLabels:
app: filebrowser
template:
metadata:
labels:
app: filebrowser
spec:
containers:
- name: filebrowser
# NOTE: v2-alpine is a moving tag (Renovate can't track it).
# Pinning to v2.63.13 (debian-based default) broke the PVC permissions
# (the image runs as a non-root UID and can't write to files left
# by the alpine variant). A clean re-pin needs either an initContainer
# to chown the PVC, or a fsGroup on the pod spec. Revisit when time permits.
image: filebrowser/filebrowser:v2-alpine
ports:
- containerPort: 8080
volumeMounts:
- name: files
mountPath: /srv
- name: database
mountPath: /database
- name: config
mountPath: /.filebrowser.json
subPath: .filebrowser.json
resources:
requests:
memory: "64Mi"
cpu: "50m"
limits:
memory: "256Mi"
cpu: "500m"
livenessProbe:
httpGet:
path: /health
port: 8080
initialDelaySeconds: 10
periodSeconds: 30
readinessProbe:
httpGet:
path: /health
port: 8080
initialDelaySeconds: 5
periodSeconds: 10
volumes:
- name: files
persistentVolumeClaim:
claimName: filebrowser-files
- name: database
persistentVolumeClaim:
claimName: filebrowser-db
- name: config
configMap:
name: filebrowser-config
---
apiVersion: v1
kind: Service
metadata:
name: filebrowser
namespace: felhom-system
spec:
selector:
app: filebrowser
ports:
- port: 80
targetPort: 8080
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: filebrowser
namespace: felhom-system
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
nginx.ingress.kubernetes.io/proxy-body-size: "100m"
spec:
ingressClassName: nginx-internal
tls:
- hosts:
- files.felhom.eu
secretName: filebrowser-tls
rules:
- host: files.felhom.eu
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: filebrowser
port:
number: 80
---
apiVersion: v1
kind: ConfigMap
metadata:
name: git-sync-sparse-checkout
namespace: felhom-system
data:
sparse-checkout: |
/website/
---
# ===================
# WEBPAGE (nginx)
# ===================
apiVersion: apps/v1
kind: Deployment
metadata:
name: felhom-webpage
namespace: felhom-system
labels:
app: felhom-webpage
spec:
replicas: 1
selector:
matchLabels:
app: felhom-webpage
template:
metadata:
labels:
app: felhom-webpage
spec:
containers:
- name: nginx
image: nginx:alpine
ports:
- containerPort: 80
volumeMounts:
- name: git-data
mountPath: /usr/share/nginx/html
readOnly: true
- name: nginx-config
mountPath: /etc/nginx/conf.d/default.conf
subPath: default.conf
resources:
requests:
memory: "32Mi"
cpu: "10m"
limits:
memory: "128Mi"
cpu: "200m"
livenessProbe:
httpGet:
path: /
port: 80
initialDelaySeconds: 5
periodSeconds: 30
readinessProbe:
httpGet:
path: /
port: 80
initialDelaySeconds: 3
periodSeconds: 10
- name: git-sync
image: registry.k8s.io/git-sync/git-sync:v4.4.0
args:
- --repo=https://gitea.dooplex.hu/admin/felhom.eu.git
- --branch=main
- --root=/git
- --link=current
- --period=30s
# Only sync the website subdirectory
- --sparse-checkout-file=/etc/git-sync/sparse-checkout
volumeMounts:
- name: git-data
mountPath: /git
- name: sparse-checkout
mountPath: /etc/git-sync
resources:
requests:
memory: "32Mi"
cpu: "10m"
limits:
memory: "128Mi"
cpu: "100m"
securityContext:
runAsUser: 65534 # nobody
# Init container: wait for first sync before nginx starts
initContainers:
- name: git-sync-init
image: registry.k8s.io/git-sync/git-sync:v4.4.0
args:
- --repo=https://gitea.dooplex.hu/admin/felhom.eu.git
- --branch=main
- --root=/git
- --link=current
- --one-time
- --sparse-checkout-file=/etc/git-sync/sparse-checkout
volumeMounts:
- name: git-data
mountPath: /git
- name: sparse-checkout
mountPath: /etc/git-sync
securityContext:
runAsUser: 65534
volumes:
- name: git-data
emptyDir: {}
- name: nginx-config
configMap:
name: nginx-config
- name: sparse-checkout
configMap:
name: git-sync-sparse-checkout
---
apiVersion: v1
kind: Service
metadata:
name: felhom-webpage
namespace: felhom-system
spec:
selector:
app: felhom-webpage
ports:
- port: 80
targetPort: 80
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: felhom-webpage
namespace: felhom-system
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
spec:
ingressClassName: nginx-internal
tls:
- hosts:
- felhom.eu
- www.felhom.eu
secretName: felhom-webpage-tls
rules:
- host: felhom.eu
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: felhom-webpage
port:
number: 80
- host: www.felhom.eu
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: felhom-webpage
port:
number: 80
Reference in New Issue View Git Blame Copy Permalink