From 9073d9f877ccc2c7f8211e4e6aef66fb206cc062 Mon Sep 17 00:00:00 2001
From: kisfenyo
Date: Sun, 4 Jan 2026 11:12:50 +0100
Subject: [PATCH] redeploy

---
 opengist-system/opengist.yaml | 102 ++++++++++++++--------------------
 1 file changed, 42 insertions(+), 60 deletions(-)

diff --git a/opengist-system/opengist.yaml b/opengist-system/opengist.yaml
index f6706a2..9b85f3d 100644
--- a/opengist-system/opengist.yaml
+++ b/opengist-system/opengist.yaml
@@ -1,31 +1,3 @@
-# Opengist - Git-powered pastebin/gist service
-# https://github.com/thomiceli/opengist
-# Domain: paste.dooplex.hu
-# Auth: Native OIDC with Authentik
-#
-# Authentik Setup:
-# 1. Create OAuth2/OIDC Provider:
-# - Name: opengist
-# - Client Type: Confidential
-# - Redirect URIs: https://paste.dooplex.hu/oauth/oidc/callback
-# - Scopes: openid, email, profile
-# 2. Create Application linked to this provider
-# 3. Create secret with OIDC credentials:
-# kubectl create secret generic opengist-oidc \
-# --from-literal=client-key=YOUR_CLIENT_ID \
-# --from-literal=secret=YOUR_CLIENT_SECRET \
-# -n opengist-system
-#
-# IMPORTANT: If migrating from broken config, delete the old PVC first:
-# kubectl delete pvc opengist-data -n opengist-system
-#
-# Features:
-# - Anyone can VIEW public gists (no login required)
-# - Only authenticated users can CREATE gists
-# - Each gist is a git repository (versioning, clone via git/ssh)
-# - Syntax highlighting, markdown rendering
-# - Public/Unlisted/Private visibility options
----
 apiVersion: v1
 kind: Namespace
 metadata:
@@ -33,6 +5,25 @@ metadata: labels: app.kubernetes.io/name: opengist --- +# 2. PVC +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: opengist-data + namespace: opengist-system + labels: + app.kubernetes.io/name: opengist + recurring-job-group.longhorn.io/needbackup: enabled + recurring-job.longhorn.io/source: enabled +spec: + accessModes: + - ReadWriteOnce + storageClassName: longhorn + resources: + requests: + storage: 5Gi +--- +# 3. CONFIGMAP apiVersion: v1 kind: ConfigMap metadata: @@ -45,19 +36,15 @@ data: log-level: info external-url: https://paste.dooplex.hu - # Security - OIDC only, no local accounts - disable-signup: true - disable-login-form: true - - # Allow anonymous viewing of public gists - require-login: false - # Branding custom.name: Dooplex Paste # Features disable-gravatar: false + + # NOTE: Security settings here are backed up by Env Vars in the Deployment below --- +# 4. DEPLOYMENT apiVersion: apps/v1 kind: Deployment metadata: 
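Review bot: The relocated PersistentVolumeClaim drops the `app.kubernetes.io/instance: opengist` label that the old definition at the end of the file carried (visible in the last hunk), so anything selecting the PVC by instance label no longer matches it; add `app.kubernetes.io/instance: opengist` under `labels` so the move is label-for-label equivalent. The new section markers also start at `# 2. PVC` while the Namespace above gets no `# 1.` marker, because the first hunk deletes the whole header comment; either number the Namespace too or drop the numbering. Everything else in the PVC (`ReadWriteOnce`, `longhorn`, `5Gi`, the two Longhorn recurring-job labels) matches the removed block.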
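Review bot: Removing `disable-signup`, `disable-login-form` and `require-login` from the ConfigMap leaves the config file with no expression of the lockdown at all, so the security posture now rests solely on the `OG_*` environment variables in the Deployment; if that env block is ever trimmed the service presumably falls back to the application defaults, which for signup is unlikely to be the intent. Keeping the three keys in the ConfigMap as well costs nothing, since the deleted comment in the Deployment hunk already states that env vars override the config file. The added NOTE also reads as if the env vars were a fallback rather than the authoritative value; `# NOTE: the OG_* env vars in the Deployment override and enforce the security settings` states the actual precedence.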
@@ -83,23 +70,33 @@ spec: containers: - name: opengist image: ghcr.io/thomiceli/opengist:1.11.1 + # CRITICAL FIX: Explicitly tell Opengist where the config file is + args: ["--config", "/config/config.yaml"] env: - # Point to config file - - name: OG_CONFIG - value: "/config/config.yaml" - # OIDC credentials from secret (these override config file) + # --- OIDC CONFIGURATION --- - name: OG_OIDC_CLIENT_KEY valueFrom: secretKeyRef: name: opengist-oidc - key: client-key + key: client-id # Updated to match your new secret key - name: OG_OIDC_SECRET valueFrom: secretKeyRef: name: opengist-oidc - key: secret + key: client-secret # Updated to match your new secret key - name: OG_OIDC_DISCOVERY_URL value: "https://authentik.dooplex.hu/application/o/opengist/.well-known/openid-configuration" + + # --- SECURITY OVERRIDES (Enforced via Env Vars) --- + - name: OG_DISABLE_SIGNUP + value: "true" + - name: OG_DISABLE_LOGIN_FORM + value: "true" + - name: OG_REQUIRE_LOGIN + value: "false" # Ensures public links are viewable by anon users + - name: OG_CUSTOM_NAME + value: "Dooplex Paste" + ports: - containerPort: 6157 name: http @@ -138,6 +135,7 @@ spec: configMap: name: opengist-config --- +# 5. SERVICE apiVersion: v1 kind: Service metadata: @@ -158,7 +156,9 @@ spec: selector: app.kubernetes.io/name: opengist app.kubernetes.io/instance: opengist + --- +# 6. INGRESS apiVersion: networking.k8s.io/v1 kind: Ingress metadata: @@ -198,22 +198,4 @@ spec: tls: - hosts: - paste.dooplex.hu - secretName: opengist-tls ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: opengist-data - namespace: opengist-system - labels: - app.kubernetes.io/name: opengist - app.kubernetes.io/instance: opengist - recurring-job-group.longhorn.io/needbackup: enabled - recurring-job.longhorn.io/source: enabled -spec: - accessModes: - - ReadWriteOnce - storageClassName: longhorn - resources: - requests: - storage: 5Gi \ No newline at end of file + secretName: opengist-tls \ No newline at end of file
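Review bot: The `secretKeyRef` keys change to `client-id` and `client-secret`, but the only place that documented how to create `opengist-oidc` (the header comment with `--from-literal=client-key=...` and `--from-literal=secret=...`) is deleted in the first hunk rather than updated, so a secret created from the old instructions has no matching keys and the pod never starts. Add a comment above the env block naming the expected keys, e.g. `# Secret opengist-oidc must carry keys client-id and client-secret`, and drop the `# Updated to match your new secret key` trailers, which address a reader rather than describe the manifest. The `OG_CUSTOM_NAME` entry duplicates `custom.name` in the ConfigMap, so one of the two sources is redundant. The container spec continues outside the hunk.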