added kisfenyo-system with filebrowser

2026-01-28 16:17:28 +01:00
parent ef7e662060
commit 78a129bd81
2 changed files with 290 additions and 0 deletions
+21
@@ -1053,4 +1053,25 @@ spec:
syncOptions: syncOptions:
- CreateNamespace=true - CreateNamespace=true
- ServerSideApply=true - ServerSideApply=true
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: kisfenyo
namespace: argocd
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: homelab
source:
repoURL: https://gitea.dooplex.hu/admin/homelab-manifests.git
targetRevision: main
path: kisfenyo-system
destination:
server: https://kubernetes.default.svc
namespace: kisfenyo-system
syncPolicy:
syncOptions:
- CreateNamespace=true
- ServerSideApply=true
--- ---
+269
@@ -0,0 +1,269 @@
---
# Kisfenyo's Applications Namespace
# Dedicated namespace for Viktor's self-hosted apps
#
apiVersion: v1
kind: Namespace
metadata:
name: kisfenyo-system
labels:
app.kubernetes.io/name: kisfenyo-system
---
# ============================================
# FileBrowser Quantum - Personal File Manager for Viktor
# ============================================
# https://github.com/gtsteffaniak/filebrowser (Quantum fork)
# Docs: https://filebrowserquantum.com/
#
# Access: https://kisfenyo-files.dooplex.hu (Authentik login)
# https://kisfenyo-files.home (internal)
#
# Data: /home/kisfenyo (hostPath - home directory)
# Symlinks to /mnt/4_hdd/kisfenyo also accessible
#
# Authentik Setup:
# 1. Create a Proxy Provider in Authentik:
# - Name: Kisfenyo FileBrowser
# - Authorization flow: default-provider-authorization-implicit-consent
# - Type: Forward auth (single application)
# - External host: https://kisfenyo-files.dooplex.hu
#
# 2. Create an Application:
# - Name: Kisfenyo FileBrowser
# - Slug: kisfenyo-filebrowser
# - Provider: Kisfenyo FileBrowser
# - (Optional) Restrict to specific users/groups
#
# 3. Create an Outpost (or add to existing):
# - Name: kisfenyo-outpost
# - Type: Proxy
# - Integration: Kubernetes (auth-system namespace)
# - Applications: Kisfenyo FileBrowser
#
---
# ConfigMap for FileBrowser Quantum config.yaml
apiVersion: v1
kind: ConfigMap
metadata:
name: kisfenyo-filebrowser-config
namespace: kisfenyo-system
labels:
app.kubernetes.io/instance: kisfenyo-filebrowser
app.kubernetes.io/name: filebrowser
data:
config.yaml: |
server:
port: 80
address: 0.0.0.0
sources:
- path: /srv
name: "Home"
config:
defaultEnabled: true
auth:
adminUsername: kisfenyo
methods:
proxy:
enabled: true
header: "X-authentik-username"
createUser: true
password:
enabled: false
---
# PVC for FileBrowser database and cache
# (actual files are on hostPath)
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: kisfenyo-filebrowser-data
namespace: kisfenyo-system
labels:
app.kubernetes.io/instance: kisfenyo-filebrowser
app.kubernetes.io/name: filebrowser
recurring-job-group.longhorn.io/backup: enabled
spec:
accessModes:
- ReadWriteOnce
storageClassName: longhorn
resources:
requests:
storage: 500Mi
---
# FileBrowser Deployment
apiVersion: apps/v1
kind: Deployment
metadata:
name: kisfenyo-filebrowser
namespace: kisfenyo-system
labels:
app.kubernetes.io/instance: kisfenyo-filebrowser
app.kubernetes.io/name: filebrowser
spec:
replicas: 1
strategy:
type: Recreate
selector:
matchLabels:
app.kubernetes.io/instance: kisfenyo-filebrowser
app.kubernetes.io/name: filebrowser
template:
metadata:
labels:
app.kubernetes.io/instance: kisfenyo-filebrowser
app.kubernetes.io/name: filebrowser
spec:
# Run as kisfenyo user (UID 1000, GID 1000) for proper file permissions
securityContext:
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
containers:
- name: filebrowser
image: gtstef/filebrowser:v1.1.1-stable
env:
- name: TZ
value: "Europe/Budapest"
- name: FILEBROWSER_CONFIG
value: "/config/config.yaml"
ports:
- containerPort: 80
name: http
protocol: TCP
volumeMounts:
# User's home directory - main data source
- name: home-data
mountPath: /srv
# Mount symlink target so symlinks work
# /home/kisfenyo/4_hdd -> /mnt/4_hdd/kisfenyo
- name: hdd-data
mountPath: /mnt/4_hdd/kisfenyo
# Config from ConfigMap
- name: config
mountPath: /config
readOnly: true
# Persistent data (database, cache)
- name: data
mountPath: /home/filebrowser/data
resources:
requests:
cpu: 50m
memory: 128Mi
limits:
cpu: 1000m
memory: 1Gi
livenessProbe:
httpGet:
path: /health
port: http
initialDelaySeconds: 15
periodSeconds: 30
timeoutSeconds: 5
failureThreshold: 3
readinessProbe:
httpGet:
path: /health
port: http
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 3
volumes:
# Kisfenyo's home directory - hostPath to existing data
- name: home-data
hostPath:
path: /home/kisfenyo
type: Directory
# Symlink target directory - needed for symlinks to work
- name: hdd-data
hostPath:
path: /mnt/4_hdd/kisfenyo
type: Directory
# Config from ConfigMap
- name: config
configMap:
name: kisfenyo-filebrowser-config
# Persistent data on Longhorn PVC (database, thumbnails, etc.)
- name: data
persistentVolumeClaim:
claimName: kisfenyo-filebrowser-data
---
# Service
apiVersion: v1
kind: Service
metadata:
name: kisfenyo-filebrowser
namespace: kisfenyo-system
labels:
app.kubernetes.io/instance: kisfenyo-filebrowser
app.kubernetes.io/name: filebrowser
spec:
type: ClusterIP
ports:
- port: 80
targetPort: http
protocol: TCP
name: http
selector:
app.kubernetes.io/instance: kisfenyo-filebrowser
app.kubernetes.io/name: filebrowser
---
# Ingress with Authentik proxy auth
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: kisfenyo-filebrowser
namespace: kisfenyo-system
labels:
app.kubernetes.io/instance: kisfenyo-filebrowser
app.kubernetes.io/name: filebrowser
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
external-dns.alpha.kubernetes.io/hostname: kisfenyo-files.dooplex.hu
nginx.ingress.kubernetes.io/proxy-body-size: "4096m"
nginx.ingress.kubernetes.io/proxy-connect-timeout: "300"
nginx.ingress.kubernetes.io/proxy-send-timeout: "300"
nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
# Authentik forward auth - update outpost name after creating in Authentik!
nginx.ingress.kubernetes.io/auth-url: http://ak-outpost-kisfenyo-outpost.auth-system.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx
nginx.ingress.kubernetes.io/auth-signin: https://kisfenyo-files.dooplex.hu/outpost.goauthentik.io/start?rd=$escaped_request_uri
nginx.ingress.kubernetes.io/auth-response-headers: X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
nginx.ingress.kubernetes.io/auth-snippet: |
proxy_set_header X-Forwarded-Host $http_host;
# Geo-blocking: Hungary AND UK (plus local networks)
nginx.ingress.kubernetes.io/configuration-snippet: |
set $geo_allowed 0;
if ($remote_addr ~ "^192\.168\.") { set $geo_allowed 1; }
if ($remote_addr ~ "^10\.") { set $geo_allowed 1; }
if ($geoip2_country_code = "HU") { set $geo_allowed 1; }
if ($geoip2_country_code = "GB") { set $geo_allowed 1; }
if ($geo_allowed = 0) {
return 403 "Access restricted to Hungary and UK";
}
spec:
ingressClassName: nginx-internal
tls:
- hosts:
- kisfenyo-files.dooplex.hu
secretName: kisfenyo-filebrowser-tls
rules:
- host: kisfenyo-files.dooplex.hu
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: kisfenyo-filebrowser
port:
name: http
- host: kisfenyo-files.home
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: kisfenyo-filebrowser
port:
name: http
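Review bot: Nothing in this file restricts pod-level access to the `kisfenyo-filebrowser` Service, while the ConfigMap's `auth.methods.proxy` block makes FileBrowser take the user's identity from the `X-authentik-username` header (with `adminUsername: kisfenyo` and `createUser: true`). The Authentik check exists only in the Ingress annotations, so a request that reaches the ClusterIP Service from elsewhere in the cluster is never authenticated and its header is accepted as given. I would add a NetworkPolicy that admits traffic to these pods only from the ingress controller's namespace, as sketched below; the namespace name is a placeholder because it is not shown on this page, and enforcement assumes the cluster's CNI implements NetworkPolicy. Separately, the container has no `securityContext` of its own; `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}` would suit a pod that mounts two hostPath directories.

```yaml
---
# Only the ingress controller may reach FileBrowser, so the
# X-authentik-username header always comes from the forward-auth path.
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: kisfenyo-filebrowser-ingress-only
  namespace: kisfenyo-system
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/instance: kisfenyo-filebrowser
      app.kubernetes.io/name: filebrowser
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              # placeholder: namespace of the nginx-internal controller
              kubernetes.io/metadata.name: INGRESS_CONTROLLER_NAMESPACE
      ports:
        - protocol: TCP
          port: http
```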