diff --git a/pastefy-system/pastefy.yaml b/pastefy-system/pastefy.yaml
index 69e6cc5..ce77439 100644
--- a/pastefy-system/pastefy.yaml
+++ b/pastefy-system/pastefy.yaml
@@ -1,17 +1,3 @@
-# Pastefy - Self-hosted Pastebin alternative
-# https://github.com/interaapps/pastefy
-# Version: 7.1.5
-# Domain: pastefy.dooplex.hu
-# Auth: Native OAuth2/OIDC with Authentik
-#
-# Authentik Setup:
-# 1. Create OAuth2/OIDC Provider:
-# - Name: pastefy
-# - Client Type: Confidential
-# - Redirect URIs: https://pastefy.dooplex.hu/oauth-callback
-# - Scopes: openid, email, profile
-# 2. Create Application linked to this provider
----
 apiVersion: v1
 kind: Namespace
 metadata:
@@ -107,7 +93,6 @@ metadata:
 labels:
 app.kubernetes.io/instance: pastefy
 app.kubernetes.io/name: pastefy
- app.kubernetes.io/version: "7.1.5"
 spec:
 replicas: 1
 selector:
@@ -121,18 +106,17 @@ spec:
 labels:
 app.kubernetes.io/instance: pastefy
 app.kubernetes.io/name: pastefy
- app.kubernetes.io/version: "7.1.5"
 spec:
 containers:
 - name: pastefy
 image: interaapps/pastefy:7.1.5
 env:
 - name: HTTP_SERVER_PORT
- value: "80"
+ value: '80'
 - name: HTTP_SERVER_CORS
- value: "*"
+ value: '*'
 - name: DATABASE_DRIVER
- value: "mysql"
+ value: mysql
 - name: DATABASE_NAME
 valueFrom:
 secretKeyRef:
@@ -149,22 +133,21 @@ spec:
 name: pastefy-db
 key: password
 - name: DATABASE_HOST
- value: "pastefy-db"
+ value: pastefy-db
 - name: DATABASE_PORT
- value: "3306"
+ value: '3306'
 - name: SERVER_NAME
- value: "https://pastefy.dooplex.hu"
- # Optional settings
+ value: https://pastefy.dooplex.hu
 - name: AUTH_PROVIDER
- value: "" # Disable broken OAuth
+ value: ''
 - name: PASTEFY_LOGIN_REQUIRED
- value: "false"
+ value: 'false'
 - name: PASTEFY_LOGIN_REQUIRED_CREATE
- value: "false"
+ value: 'false'
 - name: PASTEFY_PUBLIC_STATS
- value: "false"
+ value: 'false'
 - name: PASTEFY_INFO_CUSTOM_NAME
- value: "Dooplex Paste"
+ value: Dooplex Paste
 ports:
 - containerPort: 80
 name: http
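Review bot: `AUTH_PROVIDER` is now set to `''` with no explanation, and the removed `# Disable broken OAuth` comment and the file header that documented the authentik OAuth2 setup are gone with it, so the next reader cannot tell whether in-app login is disabled on purpose or by accident; the container's `env` list begins before this hunk. Together with `PASTEFY_LOGIN_REQUIRED_CREATE: 'false'` this means the container accepts unauthenticated paste creation and relies entirely on whatever sits in front of it. I would put a comment above the `AUTH_PROVIDER` entry such as `# In-app OAuth intentionally disabled; write access is gated at the ingress (see the pastefy-write Ingress below)`, and a similar one on `PASTEFY_LOGIN_REQUIRED_CREATE` stating that the app-level gate is off deliberately. Also worth a comment on the `SERVER_NAME` line: it still points at the public host, so any absolute URLs the app builds will presumably send users back through pastefy.dooplex.hu rather than the authenticated host — confirm that is intended.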
@@ -224,7 +207,6 @@ spec:
 app.kubernetes.io/instance: pastefy
 app.kubernetes.io/name: pastefy
 ---
-# Public ingress: everything is readable (UI + assets + paste pages)
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
@@ -233,8 +215,9 @@ metadata:
 annotations:
 cert-manager.io/cluster-issuer: letsencrypt-prod
 external-dns.alpha.kubernetes.io/hostname: pastefy.dooplex.hu,pastefy.home
- nginx.ingress.kubernetes.io/ssl-redirect: "true"
- nginx.ingress.kubernetes.io/proxy-body-size: "50m"
+ nginx.ingress.kubernetes.io/ssl-redirect: 'true'
+ nginx.ingress.kubernetes.io/proxy-body-size: 50m
+ nginx.ingress.kubernetes.io/enable-global-auth: 'false'
 spec:
 ingressClassName: nginx-internal
 rules:
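Review bot: The added `nginx.ingress.kubernetes.io/enable-global-auth: 'false'` opts the public host out of any controller-wide auth, and nothing left on this Ingress gates write methods: the backend is the same `pastefy` Service that the new authenticated `pastefy-write` host fronts, and the container runs with `AUTH_PROVIDER: ''` and `PASTEFY_LOGIN_REQUIRED_CREATE: 'false'`, so a POST to `https://pastefy.dooplex.hu/api/...` can create pastes without ever touching authentik. The old `limit_except GET HEAD OPTIONS { auth_request … }` snippet enforced the write gate on this hostname; splitting reads and writes across hostnames only helps if the public host refuses non-read methods, and this hunk does not show that (the Ingress's `rules`/`paths` and the object's start are outside the hunk). Unless those paths restrict methods elsewhere, add a method restriction here, e.g. `nginx.ingress.kubernetes.io/configuration-snippet: |` followed by `limit_except GET HEAD OPTIONS { deny all; }` (this needs `allow-snippet-annotations` enabled on the controller, as the removed snippets already did), or keep the `auth-url` gate on this host as well.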
@@ -263,55 +246,37 @@ spec:
 - pastefy.dooplex.hu
 secretName: pastefy-tls
 ---
-# API ingress: require authentik ONLY for non-GET methods (POST/PUT/DELETE)
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
- name: pastefy-api-auth
+ name: pastefy-write
 namespace: pastefy-system
 annotations:
- nginx.ingress.kubernetes.io/server-snippet: |
- # Internal endpoint NGINX will call for auth checks
- location = /__ak_auth {
- internal;
- proxy_pass http://ak-outpost-pastefy-outpost.auth-system.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx;
-
- proxy_pass_request_body off;
- proxy_set_header Content-Length "";
-
- proxy_set_header X-Original-URL $scheme://$http_host$request_uri;
- proxy_set_header X-Forwarded-Host $http_host;
- proxy_set_header X-Forwarded-Proto $scheme;
- proxy_set_header X-Forwarded-For $remote_addr;
- }
-
- # Where to send users when auth is required
- location @ak_login {
- return 302 https://pastefy.dooplex.hu/outpost.goauthentik.io/start?rd=$scheme://$http_host$request_uri;
- }
- nginx.ingress.kubernetes.io/configuration-snippet: |
- # Allow reading without auth, but require auth for write methods
- limit_except GET HEAD OPTIONS {
- auth_request /__ak_auth;
- error_page 401 = @ak_login;
- }
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ external-dns.alpha.kubernetes.io/hostname: pastefy-write.dooplex.hu,pastefy-write.home
+ nginx.ingress.kubernetes.io/ssl-redirect: 'true'
+ nginx.ingress.kubernetes.io/proxy-body-size: 50m
+ nginx.ingress.kubernetes.io/auth-url: http://ak-outpost-pastefy-outpost.auth-system.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx
+ nginx.ingress.kubernetes.io/auth-signin: https://authentik.dooplex.hu/outpost.goauthentik.io/start?rd=$scheme://$host$request_uri
+ nginx.ingress.kubernetes.io/auth-response-headers: Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
+ nginx.ingress.kubernetes.io/auth-snippet: proxy_set_header X-Forwarded-Host
$http_host;
 spec:
 ingressClassName: nginx-internal
 rules:
- - host: pastefy.dooplex.hu
+ - host: pastefy-write.dooplex.hu
 http:
 paths:
- - path: /api
+ - path: /
 pathType: Prefix
 backend:
 service:
 name: pastefy
 port:
 number: 80
- - host: pastefy.home
+ - host: pastefy-write.home
 http:
 paths:
- - path: /api
+ - path: /
 pathType: Prefix
 backend:
 service:
@@ -320,8 +285,8 @@ spec:
 number: 80
 tls:
 - hosts:
- - pastefy.dooplex.hu
- secretName: pastefy-tls
+ - pastefy-write.dooplex.hu
+ secretName: pastefy-write-tls
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
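Review bot: The new `pastefy-write` Ingress has lost the comment that explained the previous Ingress's role, and its auth wiring is now split across two different outposts: `auth-url` checks against the dedicated `ak-outpost-pastefy-outpost` service while `auth-signin` sends users to `https://authentik.dooplex.hu/outpost.goauthentik.io/start`, so the session established on authentik.dooplex.hu is only honoured by the check if the provider is set up for domain-level forward auth with a cookie domain that also covers pastefy-write.dooplex.hu — confirm that, otherwise users loop on sign-in. `auth-response-headers` also forwards the `X-authentik-*` identity headers to a backend that, with `AUTH_PROVIDER: ''`, does not appear to consume them; harmless today, but if the app is ever switched to trust those headers the unauthenticated public host would have to strip client-supplied copies first. I would add a comment above the Ingress such as `# Authenticated write entry point: same pastefy Service as the public host, but every request must pass the authentik forward-auth check (auth-url) first`, and note beside `auth-snippet` that it requires `allow-snippet-annotations: true` on the controller.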