diff --git a/argocd-apps/homelab.yaml b/argocd-apps/homelab.yaml index e0d2731..7abd792 100644 --- a/argocd-apps/homelab.yaml +++ b/argocd-apps/homelab.yaml @@ -963,9 +963,6 @@ spec: server: https://kubernetes.default.svc namespace: version-checker-system syncPolicy: - automated: - prune: true - selfHeal: true syncOptions: - CreateNamespace=true - ServerSideApply=true @@ -1011,9 +1008,27 @@ spec: server: https://kubernetes.default.svc namespace: infra syncPolicy: - automated: - prune: true - selfHeal: true + syncOptions: + - CreateNamespace=true + - ServerSideApply=true +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: orsi + namespace: argocd + finalizers: + - resources-finalizer.argocd.argoproj.io +spec: + project: homelab + source: + repoURL: https://gitea.dooplex.hu/admin/homelab-manifests.git + targetRevision: main + path: orsi-system + destination: + server: https://kubernetes.default.svc + namespace: orsi-system + syncPolicy: syncOptions: - CreateNamespace=true - ServerSideApply=true diff --git a/orsi-system/filebrowser.yaml b/orsi-system/filebrowser.yaml new file mode 100644 index 0000000..c58a983 --- /dev/null +++ b/orsi-system/filebrowser.yaml 
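Review bot: The new `orsi` Application has no `automated` block (and this hunk drops it from the `infra` app as well), so with `selfHeal` off an in-cluster edit — for example removing the Authentik `auth-url` annotation from the FileBrowser Ingress that path `orsi-system` deploys — stays live until someone syncs by hand; Argo CD will only report OutOfSync. If manual sync is the intent, a comment such as `# manual sync only: prune/selfHeal intentionally disabled` above `syncPolicy` would record the decision; otherwise restoring `automated: {prune: true, selfHeal: true}` keeps the Ingress guard enforced. Whether AppProject `homelab` permits destination namespace `orsi-system` and the cluster-scoped `Namespace` kind that `orsi-system/filebrowser.yaml` creates is not visible in this hunk, and the sync fails if it does not.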
@@ -0,0 +1,243 @@
+---
+# Orsi's Applications Namespace
+# Dedicated namespace for girlfriend's self-hosted apps
+#
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: orsi-system
+ labels:
+ app.kubernetes.io/name: orsi-system
+---
+# ============================================
+# FileBrowser - Personal File Manager for Orsi
+# ============================================
+# https://filebrowser.org/
+#
+# Access: https://orsi-files.dooplex.hu (Authentik login)
+# https://orsi-files.home (internal)
+#
+# Data: /mnt/4_hdd/orsi/ (hostPath - existing files)
+#
+# Authentik Setup:
+# 1. Create a Proxy Provider in Authentik:
+# - Name: Orsi FileBrowser
+# - Authorization flow: default-provider-authorization-implicit-consent
+# - Type: Forward auth (single application)
+# - External host: https://orsi-files.dooplex.hu
+#
+# 2. Create an Application:
+# - Name: Orsi FileBrowser
+# - Slug: orsi-filebrowser
+# - Provider: Orsi FileBrowser
+# - (Optional) Restrict to specific users/groups
+#
+# 3. Create an Outpost (or add to existing):
+# - Name: orsi-filebrowser-outpost
+# - Type: Proxy
+# - Integration: Kubernetes (auth-system namespace)
+# - Applications: Orsi FileBrowser
+#
+---
+# PVC for FileBrowser config and database only
+# (actual files are on hostPath)
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: orsi-filebrowser-config
+ namespace: orsi-system
+ labels:
+ app.kubernetes.io/instance: orsi-filebrowser
+ app.kubernetes.io/name: filebrowser
+ recurring-job-group.longhorn.io/backup: enabled
+spec:
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: longhorn
+ resources:
+ requests:
+ storage: 100Mi
+---
+# FileBrowser Deployment
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: orsi-filebrowser
+ namespace: orsi-system
+ labels:
+ app.kubernetes.io/instance: orsi-filebrowser
+ app.kubernetes.io/name: filebrowser
+spec:
+ replicas: 1
+ strategy:
+ type: Recreate
+ selector:
+ matchLabels:
+ app.kubernetes.io/instance: orsi-filebrowser
+ app.kubernetes.io/name: filebrowser
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/instance: orsi-filebrowser
+ app.kubernetes.io/name: filebrowser
+ spec:
+ # Run as Orsi's user (UID 1001, GID 1001) for proper file permissions
+ securityContext:
+ runAsUser: 1001
+ runAsGroup: 1001
+ fsGroup: 1001
+ initContainers:
+ # Configure proxy auth in database before starting
+ - name: configure-auth
+ image: filebrowser/filebrowser:v2.54.0
+ command:
+ - sh
+ - -c
+ - |
+ if [ ! -f /config/filebrowser.db ]; then
+ echo "Creating new database with proxy auth..."
+ filebrowser config init --database /config/filebrowser.db
+ fi
+ echo "Setting proxy authentication..."
+ filebrowser config set --database /config/filebrowser.db --auth.method=proxy --auth.header=X-authentik-username
+ echo "Configuration complete"
+ volumeMounts:
+ - name: config
+ mountPath: /config
+ securityContext:
+ runAsUser: 1001
+ runAsGroup: 1001
+ containers:
+ - name: filebrowser
+ image: filebrowser/filebrowser:v2.54.0
+ command:
+ - filebrowser
+ - --database=/config/filebrowser.db
+ - --root=/srv
+ - --port=80
+ - --address=0.0.0.0
+ ports:
+ - containerPort: 80
+ name: http
+ protocol: TCP
+ env:
+ - name: TZ
+ value: "Europe/Budapest"
+ volumeMounts:
+ - name: data
+ mountPath: /srv
+ - name: config
+ mountPath: /config
+ resources:
+ requests:
+ cpu: 10m
+ memory: 32Mi
+ limits:
+ cpu: 500m
+ memory: 128Mi
+ livenessProbe:
+ httpGet:
+ path: /health
+ port: http
+ initialDelaySeconds: 10
+ periodSeconds: 30
+ timeoutSeconds: 5
+ failureThreshold: 3
+ readinessProbe:
+ httpGet:
+ path: /health
+ port: http
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ timeoutSeconds: 5
+ failureThreshold: 3
+ volumes:
+ # Orsi's actual files - hostPath to existing data
+ - name: data
+ hostPath:
+ path: /mnt/4_hdd/orsi
+ type: Directory
+ # Config/database on Longhorn PVC
+ - name: config
+ persistentVolumeClaim:
+ claimName: orsi-filebrowser-config
+---
+# Service
+apiVersion: v1
+kind: Service
+metadata:
+ name: orsi-filebrowser
+ namespace: orsi-system
+ labels:
+ app.kubernetes.io/instance: orsi-filebrowser
+ app.kubernetes.io/name: filebrowser
+spec:
+ type: ClusterIP
+ ports:
+ - port: 80
+ targetPort: http
+ protocol: TCP
+ name: http
+ selector:
+ app.kubernetes.io/instance: orsi-filebrowser
+ app.kubernetes.io/name: filebrowser
+---
+# Ingress with Authentik proxy auth
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: orsi-filebrowser
+ namespace: orsi-system
+ labels:
+ app.kubernetes.io/instance: orsi-filebrowser
+ app.kubernetes.io/name: filebrowser
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ external-dns.alpha.kubernetes.io/hostname: orsi-files.dooplex.hu
+ nginx.ingress.kubernetes.io/proxy-body-size: "2048m"
+ nginx.ingress.kubernetes.io/proxy-connect-timeout: "300"
+ nginx.ingress.kubernetes.io/proxy-send-timeout: "300"
+ nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
+ nginx.ingress.kubernetes.io/ssl-redirect: "true"
+ # Authentik forward auth - update outpost name after creating in Authentik!
+ nginx.ingress.kubernetes.io/auth-url: http://ak-outpost-orsi-filebrowser-outpost.auth-system.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx
+ nginx.ingress.kubernetes.io/auth-signin: https://orsi-files.dooplex.hu/outpost.goauthentik.io/start?rd=$escaped_request_uri
+ nginx.ingress.kubernetes.io/auth-response-headers: X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
+ nginx.ingress.kubernetes.io/auth-snippet: |
+ proxy_set_header X-Forwarded-Host $http_host;
+ # Geo-blocking: Hungary only (plus local networks)
+ nginx.ingress.kubernetes.io/configuration-snippet: |
+ set $geo_allowed 0;
+ if ($remote_addr ~ "^192\.168\.") { set $geo_allowed 1; }
+ if ($remote_addr ~ "^10\.") { set $geo_allowed 1; }
+ if ($geoip2_country_code = "HU") { set $geo_allowed 1; }
+ if ($geo_allowed = 0) {
+ return 403 "Access restricted to Hungary";
+ }
+spec:
+ ingressClassName: nginx-internal
+ tls:
+ - hosts:
+ - orsi-files.dooplex.hu
+ secretName: orsi-filebrowser-tls
+ rules:
+ - host: orsi-files.dooplex.hu
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: orsi-filebrowser
+ port:
+ name: http
+ - host: orsi-files.home
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: orsi-filebrowser
+ port:
+ name: http
\ No newline at end of file
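Review bot: With `--auth.method=proxy --auth.header=X-authentik-username` (set by the `configure-auth` init container) FileBrowser trusts whatever that header carries, and only the Ingress path runs the Authentik forward-auth check — nothing in this file restricts who may reach the `orsi-filebrowser` ClusterIP Service, so any pod in the cluster could connect to port 80 with a forged header and read or modify `/mnt/4_hdd/orsi`. A NetworkPolicy admitting ingress to the pod only from the ingress-controller namespace closes that path (assuming the CNI enforces NetworkPolicy; the controller's namespace is not visible here), and given the hostPath mount the pod securityContext should also carry `runAsNonRoot: true` and `seccompProfile: RuntimeDefault`, with `allowPrivilegeEscalation: false` and `capabilities.drop: [ALL]` on both containers. The `auth-snippet`/`configuration-snippet` annotations and `$geoip2_country_code` presumably require the controller to allow snippet annotations and have the geoip2 module enabled, otherwise the Ingress is rejected or nginx fails to reload; and if `nginx-internal` sits behind another proxy or load balancer, `$remote_addr` is that hop's address, so the HU geo-check should be verified against a real client IP. The init script also only sets the auth method — the FileBrowser account matching the header value presumably has to exist already, or proxy logins will be rejected.
```yaml
# … unchanged: Namespace, PVC, Deployment metadata/selector/template labels …
    spec:
      # Run as Orsi's user (UID 1001, GID 1001) for proper file permissions
      securityContext:
        runAsUser: 1001
        runAsGroup: 1001
        fsGroup: 1001
        # Refuse to start if the image ever defaults to root; baseline seccomp.
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
# … unchanged: initContainers, containers, volumes, Service, Ingress …
---
# With --auth.method=proxy FileBrowser trusts X-authentik-username from any
# client that reaches it, so only the ingress controller may talk to the pod.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: orsi-filebrowser
  namespace: orsi-system
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/instance: orsi-filebrowser
      app.kubernetes.io/name: filebrowser
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              # TODO(review): confirm the namespace of the nginx-internal controller
              kubernetes.io/metadata.name: ingress-nginx
      ports:
        - protocol: TCP
          port: 80
```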