redeploy
This commit is contained in:
@@ -1,31 +1,3 @@
|
||||
# Opengist - Git-powered pastebin/gist service
|
||||
# https://github.com/thomiceli/opengist
|
||||
# Domain: paste.dooplex.hu
|
||||
# Auth: Native OIDC with Authentik
|
||||
#
|
||||
# Authentik Setup:
|
||||
# 1. Create OAuth2/OIDC Provider:
|
||||
# - Name: opengist
|
||||
# - Client Type: Confidential
|
||||
# - Redirect URIs: https://paste.dooplex.hu/oauth/oidc/callback
|
||||
# - Scopes: openid, email, profile
|
||||
# 2. Create Application linked to this provider
|
||||
# 3. Create secret with OIDC credentials:
|
||||
# kubectl create secret generic opengist-oidc \
|
||||
# --from-literal=client-key=YOUR_CLIENT_ID \
|
||||
# --from-literal=secret=YOUR_CLIENT_SECRET \
|
||||
# -n opengist-system
|
||||
#
|
||||
# IMPORTANT: If migrating from broken config, delete the old PVC first:
|
||||
# kubectl delete pvc opengist-data -n opengist-system
|
||||
#
|
||||
# Features:
|
||||
# - Anyone can VIEW public gists (no login required)
|
||||
# - Only authenticated users can CREATE gists
|
||||
# - Each gist is a git repository (versioning, clone via git/ssh)
|
||||
# - Syntax highlighting, markdown rendering
|
||||
# - Public/Unlisted/Private visibility options
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Namespace
|
||||
metadata:
|
||||
@@ -33,6 +5,25 @@ metadata:
|
||||
labels:
|
||||
app.kubernetes.io/name: opengist
|
||||
---
|
||||
# 2. PVC
|
||||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
name: opengist-data
|
||||
namespace: opengist-system
|
||||
labels:
|
||||
app.kubernetes.io/name: opengist
|
||||
recurring-job-group.longhorn.io/needbackup: enabled
|
||||
recurring-job.longhorn.io/source: enabled
|
||||
spec:
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
storageClassName: longhorn
|
||||
resources:
|
||||
requests:
|
||||
storage: 5Gi
|
||||
---
|
||||
# 3. CONFIGMAP
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
@@ -45,19 +36,15 @@ data:
|
||||
log-level: info
|
||||
external-url: https://paste.dooplex.hu
|
||||
|
||||
# Security - OIDC only, no local accounts
|
||||
disable-signup: true
|
||||
disable-login-form: true
|
||||
|
||||
# Allow anonymous viewing of public gists
|
||||
require-login: false
|
||||
|
||||
# Branding
|
||||
custom.name: Dooplex Paste
|
||||
|
||||
# Features
|
||||
disable-gravatar: false
|
||||
|
||||
# NOTE: Security settings here are backed up by Env Vars in the Deployment below
|
||||
---
|
||||
# 4. DEPLOYMENT
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
@@ -83,23 +70,33 @@ spec:
|
||||
containers:
|
||||
- name: opengist
|
||||
image: ghcr.io/thomiceli/opengist:1.11.1
|
||||
# CRITICAL FIX: Explicitly tell Opengist where the config file is
|
||||
args: ["--config", "/config/config.yaml"]
|
||||
env:
|
||||
# Point to config file
|
||||
- name: OG_CONFIG
|
||||
value: "/config/config.yaml"
|
||||
# OIDC credentials from secret (these override config file)
|
||||
# --- OIDC CONFIGURATION ---
|
||||
- name: OG_OIDC_CLIENT_KEY
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: opengist-oidc
|
||||
key: client-key
|
||||
key: client-id # Updated to match your new secret key
|
||||
- name: OG_OIDC_SECRET
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: opengist-oidc
|
||||
key: secret
|
||||
key: client-secret # Updated to match your new secret key
|
||||
- name: OG_OIDC_DISCOVERY_URL
|
||||
value: "https://authentik.dooplex.hu/application/o/opengist/.well-known/openid-configuration"
|
||||
|
||||
# --- SECURITY OVERRIDES (Enforced via Env Vars) ---
|
||||
- name: OG_DISABLE_SIGNUP
|
||||
value: "true"
|
||||
- name: OG_DISABLE_LOGIN_FORM
|
||||
value: "true"
|
||||
- name: OG_REQUIRE_LOGIN
|
||||
value: "false" # Ensures public links are viewable by anon users
|
||||
- name: OG_CUSTOM_NAME
|
||||
value: "Dooplex Paste"
|
||||
|
||||
ports:
|
||||
- containerPort: 6157
|
||||
name: http
|
||||
@@ -138,6 +135,7 @@ spec:
|
||||
configMap:
|
||||
name: opengist-config
|
||||
---
|
||||
# 5. SERVICE
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
@@ -158,7 +156,9 @@ spec:
|
||||
selector:
|
||||
app.kubernetes.io/name: opengist
|
||||
app.kubernetes.io/instance: opengist
|
||||
|
||||
---
|
||||
# 6. INGRESS
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
@@ -198,22 +198,4 @@ spec:
|
||||
tls:
|
||||
- hosts:
|
||||
- paste.dooplex.hu
|
||||
secretName: opengist-tls
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
name: opengist-data
|
||||
namespace: opengist-system
|
||||
labels:
|
||||
app.kubernetes.io/name: opengist
|
||||
app.kubernetes.io/instance: opengist
|
||||
recurring-job-group.longhorn.io/needbackup: enabled
|
||||
recurring-job.longhorn.io/source: enabled
|
||||
spec:
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
storageClassName: longhorn
|
||||
resources:
|
||||
requests:
|
||||
storage: 5Gi
|
||||
secretName: opengist-tls
|
||||
Reference in New Issue
Block a user