From 78a129bd812132e3de6208c3a2b56d4f8aeca80d Mon Sep 17 00:00:00 2001
From: kisfenyo
Date: Wed, 28 Jan 2026 16:17:28 +0100
Subject: [PATCH] added kisfenyo-system with filebrowser
---
 argocd-apps/homelab.yaml | 21 ++
 kisfenyo-system/filebrowser-quantum.yaml | 269 +++++++++++++++++++++++
 2 files changed, 290 insertions(+)
 create mode 100644 kisfenyo-system/filebrowser-quantum.yaml
diff --git a/argocd-apps/homelab.yaml b/argocd-apps/homelab.yaml
index cf02652..b724f7f 100644
--- a/argocd-apps/homelab.yaml
+++ b/argocd-apps/homelab.yaml
@@ -1053,4 +1053,25 @@ spec:
 syncOptions:
 - CreateNamespace=true
 - ServerSideApply=true
+---
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: kisfenyo
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: homelab
+ source:
+ repoURL: https://gitea.dooplex.hu/admin/homelab-manifests.git
+ targetRevision: main
+ path: kisfenyo-system
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: kisfenyo-system
+ syncPolicy:
+ syncOptions:
+ - CreateNamespace=true
+ - ServerSideApply=true
 ---
\ No newline at end of file
diff --git a/kisfenyo-system/filebrowser-quantum.yaml b/kisfenyo-system/filebrowser-quantum.yaml
new file mode 100644
index 0000000..a396761
--- /dev/null
+++ b/kisfenyo-system/filebrowser-quantum.yaml
@@ -0,0 +1,269 @@
+---
+# Kisfenyo's Applications Namespace
+# Dedicated namespace for Viktor's self-hosted apps
+#
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: kisfenyo-system
+ labels:
+ app.kubernetes.io/name: kisfenyo-system
+---
+# ============================================
+# FileBrowser Quantum - Personal File Manager for Viktor
+# ============================================
+# https://github.com/gtsteffaniak/filebrowser (Quantum fork)
+# Docs: https://filebrowserquantum.com/
+#
+# Access: https://kisfenyo-files.dooplex.hu (Authentik login)
+# https://kisfenyo-files.home (internal)
+#
+# Data: /home/kisfenyo (hostPath - home directory)
+# Symlinks to /mnt/4_hdd/kisfenyo also accessible
+#
+# Authentik Setup:
+# 1. Create a Proxy Provider in Authentik:
+# - Name: Kisfenyo FileBrowser
+# - Authorization flow: default-provider-authorization-implicit-consent
+# - Type: Forward auth (single application)
+# - External host: https://kisfenyo-files.dooplex.hu
+#
+# 2. Create an Application:
+# - Name: Kisfenyo FileBrowser
+# - Slug: kisfenyo-filebrowser
+# - Provider: Kisfenyo FileBrowser
+# - (Optional) Restrict to specific users/groups
+#
+# 3. Create an Outpost (or add to existing):
+# - Name: kisfenyo-outpost
+# - Type: Proxy
+# - Integration: Kubernetes (auth-system namespace)
+# - Applications: Kisfenyo FileBrowser
+#
+---
+# ConfigMap for FileBrowser Quantum config.yaml
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: kisfenyo-filebrowser-config
+ namespace: kisfenyo-system
+ labels:
+ app.kubernetes.io/instance: kisfenyo-filebrowser
+ app.kubernetes.io/name: filebrowser
+data:
+ config.yaml: |
+ server:
+ port: 80
+ address: 0.0.0.0
+ sources:
+ - path: /srv
+ name: "Home"
+ config:
+ defaultEnabled: true
+ auth:
+ adminUsername: kisfenyo
+ methods:
+ proxy:
+ enabled: true
+ header: "X-authentik-username"
+ createUser: true
+ password:
+ enabled: false
+---
+# PVC for FileBrowser database and cache
+# (actual files are on hostPath)
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: kisfenyo-filebrowser-data
+ namespace: kisfenyo-system
+ labels:
+ app.kubernetes.io/instance: kisfenyo-filebrowser
+ app.kubernetes.io/name: filebrowser
+ recurring-job-group.longhorn.io/backup: enabled
+spec:
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: longhorn
+ resources:
+ requests:
+ storage: 500Mi
+---
+# FileBrowser Deployment
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: kisfenyo-filebrowser
+ namespace: kisfenyo-system
+ labels:
+ app.kubernetes.io/instance: kisfenyo-filebrowser
+ app.kubernetes.io/name: filebrowser
+spec:
+ replicas: 1
+ strategy:
+ type: Recreate
+ selector:
+ matchLabels:
+ app.kubernetes.io/instance: kisfenyo-filebrowser
+ app.kubernetes.io/name: filebrowser
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/instance: kisfenyo-filebrowser
+ app.kubernetes.io/name: filebrowser
+ spec:
+ # Run as kisfenyo user (UID 1000, GID 1000) for proper file permissions
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ fsGroup: 1000
+ containers:
+ - name: filebrowser
+ image: gtstef/filebrowser:v1.1.1-stable
+ env:
+ - name: TZ
+ value: "Europe/Budapest"
+ - name: FILEBROWSER_CONFIG
+ value: "/config/config.yaml"
+ ports:
+ - containerPort: 80
+ name: http
+ protocol: TCP
+ volumeMounts:
+ # User's home directory - main data source
+ - name: home-data
+ mountPath: /srv
+ # Mount symlink target so symlinks work
+ # /home/kisfenyo/4_hdd -> /mnt/4_hdd/kisfenyo
+ - name: hdd-data
+ mountPath: /mnt/4_hdd/kisfenyo
+ # Config from ConfigMap
+ - name: config
+ mountPath: /config
+ readOnly: true
+ # Persistent data (database, cache)
+ - name: data
+ mountPath: /home/filebrowser/data
+ resources:
+ requests:
+ cpu: 50m
+ memory: 128Mi
+ limits:
+ cpu: 1000m
+ memory: 1Gi
+ livenessProbe:
+ httpGet:
+ path: /health
+ port: http
+ initialDelaySeconds: 15
+ periodSeconds: 30
+ timeoutSeconds: 5
+ failureThreshold: 3
+ readinessProbe:
+ httpGet:
+ path: /health
+ port: http
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ timeoutSeconds: 5
+ failureThreshold: 3
+ volumes:
+ # Kisfenyo's home directory - hostPath to existing data
+ - name: home-data
+ hostPath:
+ path: /home/kisfenyo
+ type: Directory
+ # Symlink target directory - needed for symlinks to work
+ - name: hdd-data
+ hostPath:
+ path: /mnt/4_hdd/kisfenyo
+ type: Directory
+ # Config from ConfigMap
+ - name: config
+ configMap:
+ name: kisfenyo-filebrowser-config
+ # Persistent data on Longhorn PVC (database, thumbnails, etc.)
+ - name: data
+ persistentVolumeClaim:
+ claimName: kisfenyo-filebrowser-data
+---
+# Service
+apiVersion: v1
+kind: Service
+metadata:
+ name: kisfenyo-filebrowser
+ namespace: kisfenyo-system
+ labels:
+ app.kubernetes.io/instance: kisfenyo-filebrowser
+ app.kubernetes.io/name: filebrowser
+spec:
+ type: ClusterIP
+ ports:
+ - port: 80
+ targetPort: http
+ protocol: TCP
+ name: http
+ selector:
+ app.kubernetes.io/instance: kisfenyo-filebrowser
+ app.kubernetes.io/name: filebrowser
+---
+# Ingress with Authentik proxy auth
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: kisfenyo-filebrowser
+ namespace: kisfenyo-system
+ labels:
+ app.kubernetes.io/instance: kisfenyo-filebrowser
+ app.kubernetes.io/name: filebrowser
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ external-dns.alpha.kubernetes.io/hostname: kisfenyo-files.dooplex.hu
+ nginx.ingress.kubernetes.io/proxy-body-size: "4096m"
+ nginx.ingress.kubernetes.io/proxy-connect-timeout: "300"
+ nginx.ingress.kubernetes.io/proxy-send-timeout: "300"
+ nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
+ nginx.ingress.kubernetes.io/ssl-redirect: "true"
+ # Authentik forward auth - update outpost name after creating in Authentik!
+ nginx.ingress.kubernetes.io/auth-url: http://ak-outpost-kisfenyo-outpost.auth-system.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx
+ nginx.ingress.kubernetes.io/auth-signin: https://kisfenyo-files.dooplex.hu/outpost.goauthentik.io/start?rd=$escaped_request_uri
+ nginx.ingress.kubernetes.io/auth-response-headers: X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
+ nginx.ingress.kubernetes.io/auth-snippet: |
+ proxy_set_header X-Forwarded-Host $http_host;
+ # Geo-blocking: Hungary AND UK (plus local networks)
+ nginx.ingress.kubernetes.io/configuration-snippet: |
+ set $geo_allowed 0;
+ if ($remote_addr ~ "^192\.168\.") { set $geo_allowed 1; }
+ if ($remote_addr ~ "^10\.") { set $geo_allowed 1; }
+ if ($geoip2_country_code = "HU") { set $geo_allowed 1; }
+ if ($geoip2_country_code = "GB") { set $geo_allowed 1; }
+ if ($geo_allowed = 0) {
+ return 403 "Access restricted to Hungary and UK";
+ }
+spec:
+ ingressClassName: nginx-internal
+ tls:
+ - hosts:
+ - kisfenyo-files.dooplex.hu
+ secretName: kisfenyo-filebrowser-tls
+ rules:
+ - host: kisfenyo-files.dooplex.hu
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: kisfenyo-filebrowser
+ port:
+ name: http
+ - host: kisfenyo-files.home
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: kisfenyo-filebrowser
+ port:
+ name: http
\ No newline at end of file
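Review bot: The ConfigMap turns on proxy auth keyed on `X-authentik-username` with `createUser: true`, `adminUsername: kisfenyo` and password login disabled, but nothing in this file limits who can reach the pod, so the header is trusted from any client that can open the ClusterIP Service rather than only from the ingress that Authentik guards. Any other workload in the cluster could therefore be accepted as the admin user, with read-write access to the `/home/kisfenyo` and `/mnt/4_hdd/kisfenyo` hostPath mounts. I would add a NetworkPolicy in `kisfenyo-system` that admits the `http` port only from the ingress controller's namespace; the namespace value below is a placeholder because the controller's namespace is not visible in this patch, and it should be confirmed that the cluster's CNI enforces NetworkPolicy. Separately, the container sets no `securityContext` of its own, so `allowPrivilegeEscalation: false` and `capabilities: drop: ["ALL"]` are worth adding alongside the pod-level `runAsUser`.

```yaml
---
# Only the ingress controller may reach FileBrowser: the app trusts
# X-authentik-username from whoever connects to it.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: kisfenyo-filebrowser-ingress-only
  namespace: kisfenyo-system
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/instance: kisfenyo-filebrowser
      app.kubernetes.io/name: filebrowser
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              # placeholder: namespace of the nginx-internal controller
              kubernetes.io/metadata.name: INGRESS_CONTROLLER_NAMESPACE_PLACEHOLDER
      ports:
        - protocol: TCP
          port: http
```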