2026-01-04 11:12:50 +01:00
parent bfdc1b3980
commit 9073d9f877
+42 -60
@@ -1,31 +1,3 @@
# Opengist - Git-powered pastebin/gist service
# https://github.com/thomiceli/opengist
# Domain: paste.dooplex.hu
# Auth: Native OIDC with Authentik
#
# Authentik Setup:
# 1. Create OAuth2/OIDC Provider:
# - Name: opengist
# - Client Type: Confidential
# - Redirect URIs: https://paste.dooplex.hu/oauth/oidc/callback
# - Scopes: openid, email, profile
# 2. Create Application linked to this provider
# 3. Create secret with OIDC credentials:
# kubectl create secret generic opengist-oidc \
# --from-literal=client-key=YOUR_CLIENT_ID \
# --from-literal=secret=YOUR_CLIENT_SECRET \
# -n opengist-system
#
# IMPORTANT: If migrating from broken config, delete the old PVC first:
# kubectl delete pvc opengist-data -n opengist-system
#
# Features:
# - Anyone can VIEW public gists (no login required)
# - Only authenticated users can CREATE gists
# - Each gist is a git repository (versioning, clone via git/ssh)
# - Syntax highlighting, markdown rendering
# - Public/Unlisted/Private visibility options
---
apiVersion: v1 apiVersion: v1
kind: Namespace kind: Namespace
metadata: metadata:
@@ -33,6 +5,25 @@ metadata:
labels: labels:
app.kubernetes.io/name: opengist app.kubernetes.io/name: opengist
--- ---
# 2. PVC
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: opengist-data
namespace: opengist-system
labels:
app.kubernetes.io/name: opengist
recurring-job-group.longhorn.io/needbackup: enabled
recurring-job.longhorn.io/source: enabled
spec:
accessModes:
- ReadWriteOnce
storageClassName: longhorn
resources:
requests:
storage: 5Gi
---
# 3. CONFIGMAP
apiVersion: v1 apiVersion: v1
kind: ConfigMap kind: ConfigMap
metadata: metadata:
@@ -45,19 +36,15 @@ data:
log-level: info log-level: info
external-url: https://paste.dooplex.hu external-url: https://paste.dooplex.hu
# Security - OIDC only, no local accounts
disable-signup: true
disable-login-form: true
# Allow anonymous viewing of public gists
require-login: false
# Branding # Branding
custom.name: Dooplex Paste custom.name: Dooplex Paste
# Features # Features
disable-gravatar: false disable-gravatar: false
# NOTE: Security settings here are backed up by Env Vars in the Deployment below
--- ---
# 4. DEPLOYMENT
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
@@ -83,23 +70,33 @@ spec:
containers: containers:
- name: opengist - name: opengist
image: ghcr.io/thomiceli/opengist:1.11.1 image: ghcr.io/thomiceli/opengist:1.11.1
# CRITICAL FIX: Explicitly tell Opengist where the config file is
args: ["--config", "/config/config.yaml"]
env: env:
# Point to config file # --- OIDC CONFIGURATION ---
- name: OG_CONFIG
value: "/config/config.yaml"
# OIDC credentials from secret (these override config file)
- name: OG_OIDC_CLIENT_KEY - name: OG_OIDC_CLIENT_KEY
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: opengist-oidc name: opengist-oidc
key: client-key key: client-id # Updated to match your new secret key
- name: OG_OIDC_SECRET - name: OG_OIDC_SECRET
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: opengist-oidc name: opengist-oidc
key: secret key: client-secret # Updated to match your new secret key
- name: OG_OIDC_DISCOVERY_URL - name: OG_OIDC_DISCOVERY_URL
value: "https://authentik.dooplex.hu/application/o/opengist/.well-known/openid-configuration" value: "https://authentik.dooplex.hu/application/o/opengist/.well-known/openid-configuration"
# --- SECURITY OVERRIDES (Enforced via Env Vars) ---
- name: OG_DISABLE_SIGNUP
value: "true"
- name: OG_DISABLE_LOGIN_FORM
value: "true"
- name: OG_REQUIRE_LOGIN
value: "false" # Ensures public links are viewable by anon users
- name: OG_CUSTOM_NAME
value: "Dooplex Paste"
ports: ports:
- containerPort: 6157 - containerPort: 6157
name: http name: http
@@ -138,6 +135,7 @@ spec:
configMap: configMap:
name: opengist-config name: opengist-config
--- ---
# 5. SERVICE
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
@@ -158,7 +156,9 @@ spec:
selector: selector:
app.kubernetes.io/name: opengist app.kubernetes.io/name: opengist
app.kubernetes.io/instance: opengist app.kubernetes.io/instance: opengist
--- ---
# 6. INGRESS
apiVersion: networking.k8s.io/v1 apiVersion: networking.k8s.io/v1
kind: Ingress kind: Ingress
metadata: metadata:
@@ -198,22 +198,4 @@ spec:
tls: tls:
- hosts: - hosts:
- paste.dooplex.hu - paste.dooplex.hu
secretName: opengist-tls secretName: opengist-tls
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: opengist-data
namespace: opengist-system
labels:
app.kubernetes.io/name: opengist
app.kubernetes.io/instance: opengist
recurring-job-group.longhorn.io/needbackup: enabled
recurring-job.longhorn.io/source: enabled
spec:
accessModes:
- ReadWriteOnce
storageClassName: longhorn
resources:
requests:
storage: 5Gi
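Review bot: The two secretKeyRef entries in the Deployment hunk (`@@ -83,23 +70,33 @@`) now read keys `client-id` and `client-secret` from Secret `opengist-oidc`, but the only instructions in this manifest for creating that Secret were in the header comment dropped by the first hunk, and they named the keys `client-key` and `secret`; nothing in the new file replaces them. A Secret built from the old instructions will not contain the new keys, so the kubelet will refuse to start the container until the Secret is recreated with matching key names, and the `# Updated to match your new secret key` comments do not tell an operator which keys are expected. Replace those two trailing comments with a block above `env:` such as `# Requires Secret opengist-oidc in opengist-system with keys client-id and client-secret; recreate it if it was created with the older client-key/secret layout`. The container spec this hunk edits continues outside the hunk on both sides.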