fixed geoip tag

2026-01-20 18:01:32 +01:00
parent 7595cbe4ad
commit 99548a235e
33 changed files with 2864 additions and 2863 deletions
+68 -68
@@ -29,46 +29,46 @@ spec:
app.kubernetes.io/version: 26.1.0
spec:
containers:
- name: actualbudget
image: actualbudget/actual-server:26.1.0
imagePullPolicy: IfNotPresent
env:
- name: TZ
value: Europe/Budapest
ports:
- containerPort: 5006
name: http
protocol: TCP
livenessProbe:
httpGet:
path: /
port: http
initialDelaySeconds: 30
periodSeconds: 30
timeoutSeconds: 10
failureThreshold: 3
readinessProbe:
httpGet:
path: /
port: http
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 3
resources:
limits:
cpu: 500m
memory: 512Mi
requests:
cpu: 50m
memory: 128Mi
volumeMounts:
- name: data
mountPath: /data
- name: actualbudget
image: actualbudget/actual-server:26.1.0
imagePullPolicy: IfNotPresent
env:
- name: TZ
value: Europe/Budapest
ports:
- containerPort: 5006
name: http
protocol: TCP
livenessProbe:
httpGet:
path: /
port: http
initialDelaySeconds: 30
periodSeconds: 30
timeoutSeconds: 10
failureThreshold: 3
readinessProbe:
httpGet:
path: /
port: http
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 3
resources:
limits:
cpu: 500m
memory: 512Mi
requests:
cpu: 50m
memory: 128Mi
volumeMounts:
- name: data
mountPath: /data
volumes:
- name: data
persistentVolumeClaim:
claimName: actualbudget-data
- name: data
persistentVolumeClaim:
claimName: actualbudget-data
---
apiVersion: v1
kind: Service
@@ -82,10 +82,10 @@ metadata:
spec:
type: ClusterIP
ports:
- name: http
port: 5006
protocol: TCP
targetPort: http
- name: http
port: 5006
protocol: TCP
targetPort: http
selector:
app.kubernetes.io/instance: actualbudget
app.kubernetes.io/name: actualbudget
@@ -99,7 +99,7 @@ metadata:
nginx.ingress.kubernetes.io/proxy-body-size: 50m
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/configuration-snippet: |
if ($geoip2_city_country_code != "HU") {
if ($geoip2_country_code != "HU") {
return 403 "Access restricted to Hungary";
}
labels:
@@ -110,30 +110,30 @@ metadata:
spec:
ingressClassName: nginx-internal
rules:
- host: actualbudget.dooplex.hu
http:
paths:
- backend:
service:
name: actualbudget
port:
number: 5006
path: /
pathType: Prefix
- host: actualbudget.home
http:
paths:
- backend:
service:
name: actualbudget
port:
number: 5006
path: /
pathType: Prefix
- host: actualbudget.dooplex.hu
http:
paths:
- backend:
service:
name: actualbudget
port:
number: 5006
path: /
pathType: Prefix
- host: actualbudget.home
http:
paths:
- backend:
service:
name: actualbudget
port:
number: 5006
path: /
pathType: Prefix
tls:
- hosts:
- actualbudget.dooplex.hu
secretName: actualbudget-tls
- hosts:
- actualbudget.dooplex.hu
secretName: actualbudget-tls
---
apiVersion: v1
kind: PersistentVolumeClaim
@@ -145,7 +145,7 @@ metadata:
namespace: actualbudget-system
spec:
accessModes:
- ReadWriteOnce
- ReadWriteOnce
resources:
requests:
storage: 5Gi
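Review bot: The country check in the `configuration-snippet` hunk (`if ($geoip2_country_code != "HU")`) treats an empty variable the same as a foreign country, so any client the GeoIP database cannot classify gets the 403; that presumably includes private-range LAN clients reaching the `actualbudget.home` host served by the same Ingress. The lookup is also only as good as the address the controller takes to be the client: behind another proxy or load balancer it depends on the controller's real-IP and forwarded-header settings trusting that hop and nothing else, which this page does not show. The same snippet is repeated in the other file sections visible here; a single controller-level rule (for example a `map` on `$geoip2_country_code` in the controller configuration) would avoid keeping per-Ingress copies in sync and would remove the need to leave `allow-snippet-annotations` enabled. Treat the check as a coarse filter in front of authentication, not as an access control on its own.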
+1 -1
@@ -374,7 +374,7 @@ metadata:
nginx.ingress.kubernetes.io/proxy-buffers-number: "4"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/configuration-snippet: |
if ($geoip2_city_country_code != "HU") {
if ($geoip2_country_code != "HU") {
return 403 "Access restricted to Hungary";
}
spec:
+232 -232
@@ -55,18 +55,18 @@ spec:
app.kubernetes.io/name: romm-redis
spec:
containers:
- name: redis
image: redis:7.2-alpine
ports:
- containerPort: 6379
name: redis
resources:
requests:
cpu: 50m
memory: 64Mi
limits:
cpu: 200m
memory: 128Mi
- name: redis
image: redis:7.2-alpine
ports:
- containerPort: 6379
name: redis
resources:
requests:
cpu: 50m
memory: 64Mi
limits:
cpu: 200m
memory: 128Mi
---
apiVersion: apps/v1
kind: Deployment
@@ -93,153 +93,153 @@ spec:
app.kubernetes.io/version: "4.5.0"
spec:
securityContext:
fsGroup: 1000
fsGroup: 1000
initContainers:
- name: init-config
image: busybox:1.36
command:
- sh
- -c
- |
# Copy the template to the PVC only if it doesn't exist
if [ ! -f /romm/config/config.yml ]; then
echo "Creating initial config.yml from template..."
cp /tmp/template/config.yml /romm/config/config.yml
# Ensure the ROMM user (1000) owns the file
chown 1000:1000 /romm/config/config.yml
else
echo "config.yml already exists, skipping copy."
fi
volumeMounts:
- name: config-template
mountPath: /tmp/template
- name: config-storage
mountPath: /romm/config
- name: init-config
image: busybox:1.36
command:
- sh
- -c
- |
# Copy the template to the PVC only if it doesn't exist
if [ ! -f /romm/config/config.yml ]; then
echo "Creating initial config.yml from template..."
cp /tmp/template/config.yml /romm/config/config.yml
# Ensure the ROMM user (1000) owns the file
chown 1000:1000 /romm/config/config.yml
else
echo "config.yml already exists, skipping copy."
fi
volumeMounts:
- name: config-template
mountPath: /tmp/template
- name: config-storage
mountPath: /romm/config
containers:
- name: romm
image: rommapp/romm:4.5.0
env:
# Database
- name: DB_HOST
value: "romm-db" # was postgresql-rw.database-system...
- name: DB_PORT
value: "3306" # was 5432
- name: DB_NAME
valueFrom:
secretKeyRef:
name: romm-db
key: database
- name: DB_USER
valueFrom:
secretKeyRef:
name: romm-db
key: username
- name: DB_PASSWD
valueFrom:
secretKeyRef:
name: romm-db
key: password
# Redis
- name: REDIS_HOST
value: "romm-redis"
- name: REDIS_PORT
value: "6379"
# Auth
- name: ROMM_AUTH_SECRET_KEY
valueFrom:
secretKeyRef:
name: romm-app
key: auth-secret-key
# OIDC with Authentik
- name: OIDC_ENABLED
value: "true"
- name: OIDC_PROVIDER
value: "authentik"
- name: OIDC_CLIENT_ID
valueFrom:
secretKeyRef:
name: romm-oidc
key: client-id
- name: OIDC_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: romm-oidc
key: client-secret
- name: OIDC_REDIRECT_URI
value: "https://arcade.dooplex.hu/api/oauth/openid"
- name: OIDC_SERVER_APPLICATION_URL
value: "https://authentik.dooplex.hu/application/o/arcade"
- name: ROMM_PORT
value: "8080"
# API Keys (optional)
- name: IGDB_CLIENT_ID
valueFrom:
secretKeyRef:
name: romm-app
key: igdb-client-id
- name: IGDB_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: romm-app
key: igdb-client-secret
- name: STEAMGRIDDB_API_KEY
valueFrom:
secretKeyRef:
name: romm-app
key: steamgriddb-api-key
- name: SCREENSCRAPER_USER
valueFrom:
secretKeyRef:
name: romm-app
key: screenscraper-user
- name: SCREENSCRAPER_PASSWORD
valueFrom:
secretKeyRef:
name: romm-app
key: screenscraper-password
ports:
- containerPort: 8080
name: http
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 1000m
memory: 1Gi
volumeMounts:
- name: library
mountPath: /romm/library
- name: resources
mountPath: /romm/resources
- name: config-storage
mountPath: /romm/config
livenessProbe:
httpGet:
path: /api/heartbeat
port: http
initialDelaySeconds: 60
periodSeconds: 30
readinessProbe:
httpGet:
path: /api/heartbeat
port: http
initialDelaySeconds: 30
periodSeconds: 10
- name: romm
image: rommapp/romm:4.5.0
env:
# Database
- name: DB_HOST
value: "romm-db" # was postgresql-rw.database-system...
- name: DB_PORT
value: "3306" # was 5432
- name: DB_NAME
valueFrom:
secretKeyRef:
name: romm-db
key: database
- name: DB_USER
valueFrom:
secretKeyRef:
name: romm-db
key: username
- name: DB_PASSWD
valueFrom:
secretKeyRef:
name: romm-db
key: password
# Redis
- name: REDIS_HOST
value: "romm-redis"
- name: REDIS_PORT
value: "6379"
# Auth
- name: ROMM_AUTH_SECRET_KEY
valueFrom:
secretKeyRef:
name: romm-app
key: auth-secret-key
# OIDC with Authentik
- name: OIDC_ENABLED
value: "true"
- name: OIDC_PROVIDER
value: "authentik"
- name: OIDC_CLIENT_ID
valueFrom:
secretKeyRef:
name: romm-oidc
key: client-id
- name: OIDC_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: romm-oidc
key: client-secret
- name: OIDC_REDIRECT_URI
value: "https://arcade.dooplex.hu/api/oauth/openid"
- name: OIDC_SERVER_APPLICATION_URL
value: "https://authentik.dooplex.hu/application/o/arcade"
- name: ROMM_PORT
value: "8080"
# API Keys (optional)
- name: IGDB_CLIENT_ID
valueFrom:
secretKeyRef:
name: romm-app
key: igdb-client-id
- name: IGDB_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: romm-app
key: igdb-client-secret
- name: STEAMGRIDDB_API_KEY
valueFrom:
secretKeyRef:
name: romm-app
key: steamgriddb-api-key
- name: SCREENSCRAPER_USER
valueFrom:
secretKeyRef:
name: romm-app
key: screenscraper-user
- name: SCREENSCRAPER_PASSWORD
valueFrom:
secretKeyRef:
name: romm-app
key: screenscraper-password
ports:
- containerPort: 8080
name: http
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 1000m
memory: 1Gi
volumeMounts:
- name: library
mountPath: /romm/library
- name: resources
mountPath: /romm/resources
- name: config-storage
mountPath: /romm/config
livenessProbe:
httpGet:
path: /api/heartbeat
port: http
initialDelaySeconds: 60
periodSeconds: 30
readinessProbe:
httpGet:
path: /api/heartbeat
port: http
initialDelaySeconds: 30
periodSeconds: 10
volumes:
- name: library
hostPath:
path: /mnt/4_hdd/data/roms
type: DirectoryOrCreate
- name: resources
persistentVolumeClaim:
claimName: romm-resources
- name: config-storage
persistentVolumeClaim:
claimName: romm-config
- name: config-template
configMap:
name: romm-config-template
- name: library
hostPath:
path: /mnt/4_hdd/data/roms
type: DirectoryOrCreate
- name: resources
persistentVolumeClaim:
claimName: romm-resources
- name: config-storage
persistentVolumeClaim:
claimName: romm-config
- name: config-template
configMap:
name: romm-config-template
---
apiVersion: v1
kind: Service
@@ -252,9 +252,9 @@ metadata:
spec:
type: ClusterIP
ports:
- name: redis
port: 6379
targetPort: redis
- name: redis
port: 6379
targetPort: redis
selector:
app.kubernetes.io/instance: romm
app.kubernetes.io/name: romm-redis
@@ -270,9 +270,9 @@ metadata:
spec:
type: ClusterIP
ports:
- name: http
port: 8080
targetPort: http
- name: http
port: 8080
targetPort: http
selector:
app.kubernetes.io/instance: romm
app.kubernetes.io/name: romm
@@ -293,36 +293,36 @@ metadata:
nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
nginx.ingress.kubernetes.io/configuration-snippet: |
if ($geoip2_city_country_code != "HU") {
if ($geoip2_country_code != "HU") {
return 403 "Access restricted to Hungary";
}
spec:
ingressClassName: nginx-internal
rules:
- host: arcade.dooplex.hu
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: romm
port:
number: 8080
- host: arcade.home
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: romm
port:
number: 8080
- host: arcade.dooplex.hu
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: romm
port:
number: 8080
- host: arcade.home
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: romm
port:
number: 8080
tls:
- hosts:
- arcade.dooplex.hu
secretName: romm-tls
- hosts:
- arcade.dooplex.hu
secretName: romm-tls
---
apiVersion: v1
kind: PersistentVolumeClaim
@@ -336,7 +336,7 @@ metadata:
recurring-job.longhorn.io/source: enabled
spec:
accessModes:
- ReadWriteOnce
- ReadWriteOnce
storageClassName: longhorn
resources:
requests:
@@ -354,7 +354,7 @@ metadata:
recurring-job.longhorn.io/source: enabled
spec:
accessModes:
- ReadWriteOnce
- ReadWriteOnce
storageClassName: longhorn
resources:
requests:
@@ -383,46 +383,46 @@ spec:
app.kubernetes.io/name: romm-db
spec:
containers:
- name: mariadb
image: mariadb:11
env:
- name: MARIADB_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: romm-db
key: root-password
- name: MARIADB_DATABASE
valueFrom:
secretKeyRef:
name: romm-db
key: database
- name: MARIADB_USER
valueFrom:
secretKeyRef:
name: romm-db
key: username
- name: MARIADB_PASSWORD
valueFrom:
secretKeyRef:
name: romm-db
key: password
ports:
- containerPort: 3306
name: mariadb
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 500m
memory: 512Mi
volumeMounts:
- name: data
mountPath: /var/lib/mysql
- name: mariadb
image: mariadb:11
env:
- name: MARIADB_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: romm-db
key: root-password
- name: MARIADB_DATABASE
valueFrom:
secretKeyRef:
name: romm-db
key: database
- name: MARIADB_USER
valueFrom:
secretKeyRef:
name: romm-db
key: username
- name: MARIADB_PASSWORD
valueFrom:
secretKeyRef:
name: romm-db
key: password
ports:
- containerPort: 3306
name: mariadb
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 500m
memory: 512Mi
volumeMounts:
- name: data
mountPath: /var/lib/mysql
volumes:
- name: data
persistentVolumeClaim:
claimName: romm-db
- name: data
persistentVolumeClaim:
claimName: romm-db
---
apiVersion: v1
kind: Service
@@ -435,9 +435,9 @@ metadata:
spec:
type: ClusterIP
ports:
- name: mariadb
port: 3306
targetPort: mariadb
- name: mariadb
port: 3306
targetPort: mariadb
selector:
app.kubernetes.io/instance: romm
app.kubernetes.io/name: romm-db
@@ -454,8 +454,8 @@ metadata:
recurring-job.longhorn.io/source: enabled
spec:
accessModes:
- ReadWriteOnce
- ReadWriteOnce
storageClassName: longhorn
resources:
requests:
storage: 2Gi
storage: 2Gi
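Review bot: The `library` volume in the Deployment hunk is a `hostPath` with `type: DirectoryOrCreate`, so if `/mnt/4_hdd/data/roms` is absent on the node (for example because the disk is not mounted) the kubelet creates an empty directory on the node's own filesystem and the pod starts against it. `type: Directory` makes the pod fail to start instead, which is easier to notice than a silently empty library being written to the wrong disk. A hostPath also ties the pod to whichever node holds that disk; no `nodeSelector` or affinity is visible in this hunk, so confirm one exists in the part of the pod spec outside it.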
+24 -24
@@ -11,36 +11,36 @@ metadata:
external-dns.alpha.kubernetes.io/hostname: argocd.dooplex.hu,argocd.home
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/configuration-snippet: |
if ($geoip2_city_country_code != "HU") {
if ($geoip2_country_code != "HU") {
return 403 "Access restricted to Hungary";
}
spec:
ingressClassName: nginx-internal
tls:
- hosts:
- argocd.dooplex.hu
secretName: argocd-server-tls
- hosts:
- argocd.dooplex.hu
secretName: argocd-server-tls
rules:
- host: argocd.dooplex.hu
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: argocd-server
port:
number: 80
- host: argocd.home
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: argocd-server
port:
number: 80
- host: argocd.dooplex.hu
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: argocd-server
port:
number: 80
- host: argocd.home
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: argocd-server
port:
number: 80
---
# ArgoCD ConfigMap patches for your environment
apiVersion: v1
+1 -1
@@ -137,7 +137,7 @@ metadata:
nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
nginx.ingress.kubernetes.io/configuration-snippet: |
if ($geoip2_city_country_code != "HU") {
if ($geoip2_country_code != "HU") {
return 403 "Access restricted to Hungary";
}
labels:
+10 -11
@@ -205,7 +205,7 @@ spec:
mkdir -p /calcom/apps/web/public/app-store/googlevideo
cp /calcom/packages/app-store/googlevideo/static/logo.webp /calcom/apps/web/public/app-store/googlevideo/logo.webp
echo "Copied googlevideo logo.webp to public folder"
echo "Starting Cal.com..."
cd /calcom
exec ./scripts/start.sh
@@ -218,7 +218,7 @@ spec:
value: "false"
- name: CALCOM_TELEMETRY_DISABLED
value: "1"
# URLs
- name: NEXT_PUBLIC_WEBAPP_URL
value: "https://booking.dooplex.hu"
@@ -247,11 +247,10 @@ spec:
- name: DATABASE_DIRECT_URL
value: "postgresql://$(DB_USER):$(DB_PASS)@postgresql-rw.database-system.svc.cluster.local:5432/calcom"
# Redis
- name: REDIS_URL
value: "redis://calcom-redis:6379"
# Auth secrets
- name: NEXTAUTH_SECRET
valueFrom:
@@ -263,7 +262,7 @@ spec:
secretKeyRef:
name: calcom-app
key: calendso-encryption-key
# Email/SMTP
- name: EMAIL_FROM
valueFrom:
@@ -290,7 +289,7 @@ spec:
secretKeyRef:
name: smtp-credentials
key: password
# Stripe (optional - for payments)
- name: STRIPE_API_KEY
valueFrom:
@@ -311,7 +310,7 @@ spec:
value: "0"
- name: PAYMENT_FEE_FIXED
value: "0"
# Google Calendar (optional)
- name: GOOGLE_API_CREDENTIALS
valueFrom:
@@ -320,11 +319,11 @@ spec:
key: google-api-credentials
- name: GOOGLE_LOGIN_ENABLED
value: "false"
# Timezone
- name: TZ
value: "Europe/Budapest"
# Misc
- name: NODE_ENV
value: "production"
@@ -408,7 +407,7 @@ metadata:
nginx.ingress.kubernetes.io/proxy-http-version: "1.1"
nginx.ingress.kubernetes.io/proxy-set-headers: "booking-system/calcom-proxy-headers"
nginx.ingress.kubernetes.io/configuration-snippet: |
if ($geoip2_city_country_code != "HU") {
if ($geoip2_country_code != "HU") {
return 403 "Access restricted to Hungary";
}
spec:
@@ -496,4 +495,4 @@ data:
# targetPort: 5555
# selector:
# app.kubernetes.io/instance: calcom
# app.kubernetes.io/name: prisma-studio
# app.kubernetes.io/name: prisma-studio
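Review bot: `DATABASE_DIRECT_URL` in the `@@ -247,11 +247,10 @@` hunk is built by substituting `$(DB_USER)` and `$(DB_PASS)` into a connection URL, and Kubernetes performs that substitution literally, with no URL encoding. A password containing `@`, `:`, `/` or `%` yields a URL that parses differently from what was intended, so either constrain the generated secret to URL-safe characters or store the percent-encoded form, and record that next to the entry with a comment such as `# DB_PASS must be URL-safe: $(VAR) expansion does not percent-encode`. The URL also carries no TLS parameter, so whether the connection to `postgresql-rw.database-system` is encrypted depends on defaults not shown here. The env list starts and ends outside the hunk.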
+1 -1
@@ -340,7 +340,7 @@ metadata:
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/proxy-body-size: "50m"
nginx.ingress.kubernetes.io/configuration-snippet: |
if ($geoip2_city_country_code != "HU") {
if ($geoip2_country_code != "HU") {
return 403 "Access restricted to Hungary";
}
labels:
+2 -2
@@ -254,7 +254,7 @@ metadata:
nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/configuration-snippet: |
if ($geoip2_city_country_code != "HU") {
if ($geoip2_country_code != "HU") {
return 403 "Access restricted to Hungary";
}
spec:
@@ -302,7 +302,7 @@ metadata:
nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/configuration-snippet: |
if ($geoip2_city_country_code != "HU") {
if ($geoip2_country_code != "HU") {
return 403 "Access restricted to Hungary";
}
spec:
+97 -97
@@ -49,74 +49,74 @@ spec:
securityContext:
fsGroup: 1000
containers:
- name: code-server
image: codercom/code-server:4.108.0
args:
- --bind-addr=0.0.0.0:8080
- --auth=none
- --disable-telemetry
- --disable-update-check
env:
- name: TZ
value: "Europe/Budapest"
- name: HOME
value: "/home/coder"
- name: USER
value: "coder"
# Proxy trust for headers
- name: CS_DISABLE_PROXY_TRUST
value: "false"
- name: GIT_CONFIG_GLOBAL
value: "/home/coder/.config/git/config"
lifecycle:
postStart:
exec:
command: ["/bin/sh", "-c", "mkdir -p /home/coder/.config/git"]
ports:
- containerPort: 8080
name: http
resources:
requests:
cpu: 200m
memory: 512Mi
limits:
cpu: 2000m
memory: 4Gi
volumeMounts:
- name: config
mountPath: /home/coder/.config
- name: workspace
mountPath: /home/coder/workspace
- name: local
mountPath: /home/coder/.local
- name: config
mountPath: /home/coder/.ssh
subPath: ssh
livenessProbe:
httpGet:
path: /healthz
port: http
initialDelaySeconds: 30
periodSeconds: 30
readinessProbe:
httpGet:
path: /healthz
port: http
initialDelaySeconds: 10
periodSeconds: 10
securityContext:
runAsUser: 1000
runAsGroup: 1000
- name: code-server
image: codercom/code-server:4.108.0
args:
- --bind-addr=0.0.0.0:8080
- --auth=none
- --disable-telemetry
- --disable-update-check
env:
- name: TZ
value: "Europe/Budapest"
- name: HOME
value: "/home/coder"
- name: USER
value: "coder"
# Proxy trust for headers
- name: CS_DISABLE_PROXY_TRUST
value: "false"
- name: GIT_CONFIG_GLOBAL
value: "/home/coder/.config/git/config"
lifecycle:
postStart:
exec:
command: ["/bin/sh", "-c", "mkdir -p /home/coder/.config/git"]
ports:
- containerPort: 8080
name: http
resources:
requests:
cpu: 200m
memory: 512Mi
limits:
cpu: 2000m
memory: 4Gi
volumeMounts:
- name: config
mountPath: /home/coder/.config
- name: workspace
mountPath: /home/coder/workspace
- name: local
mountPath: /home/coder/.local
- name: config
mountPath: /home/coder/.ssh
subPath: ssh
livenessProbe:
httpGet:
path: /healthz
port: http
initialDelaySeconds: 30
periodSeconds: 30
readinessProbe:
httpGet:
path: /healthz
port: http
initialDelaySeconds: 10
periodSeconds: 10
securityContext:
runAsUser: 1000
runAsGroup: 1000
volumes:
- name: config
persistentVolumeClaim:
claimName: code-server-config
- name: workspace
persistentVolumeClaim:
claimName: code-server-workspace
- name: local
persistentVolumeClaim:
claimName: code-server-local
- name: config
persistentVolumeClaim:
claimName: code-server-config
- name: workspace
persistentVolumeClaim:
claimName: code-server-workspace
- name: local
persistentVolumeClaim:
claimName: code-server-local
---
apiVersion: v1
kind: Service
@@ -129,9 +129,9 @@ metadata:
spec:
type: ClusterIP
ports:
- name: http
port: 8080
targetPort: http
- name: http
port: 8080
targetPort: http
selector:
app.kubernetes.io/instance: code-server
app.kubernetes.io/name: code-server
@@ -161,36 +161,36 @@ metadata:
nginx.ingress.kubernetes.io/auth-snippet: |
proxy_set_header X-Forwarded-Host $http_host;
nginx.ingress.kubernetes.io/configuration-snippet: |
if ($geoip2_city_country_code != "HU") {
if ($geoip2_country_code != "HU") {
return 403 "Access restricted to Hungary";
}
spec:
ingressClassName: nginx-internal
rules:
- host: code.dooplex.hu
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: code-server
port:
number: 8080
- host: code.home
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: code-server
port:
number: 8080
- host: code.dooplex.hu
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: code-server
port:
number: 8080
- host: code.home
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: code-server
port:
number: 8080
tls:
- hosts:
- code.dooplex.hu
secretName: code-server-tls
- hosts:
- code.dooplex.hu
secretName: code-server-tls
---
apiVersion: v1
kind: PersistentVolumeClaim
@@ -204,7 +204,7 @@ metadata:
recurring-job.longhorn.io/source: enabled
spec:
accessModes:
- ReadWriteOnce
- ReadWriteOnce
storageClassName: longhorn
resources:
requests:
@@ -222,7 +222,7 @@ metadata:
recurring-job.longhorn.io/source: enabled
spec:
accessModes:
- ReadWriteOnce
- ReadWriteOnce
storageClassName: longhorn
resources:
requests:
@@ -238,7 +238,7 @@ metadata:
app.kubernetes.io/name: code-server-local
spec:
accessModes:
- ReadWriteOnce
- ReadWriteOnce
storageClassName: longhorn
resources:
requests:
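Review bot: code-server is started with `--auth=none` on `0.0.0.0:8080` (first hunk), so its only authentication is the forward-auth and country check applied at the Ingress, and the `code-server` ClusterIP Service remains reachable without either from any pod that can route to it. The container mounts the workspace and the `.ssh` subPath, so an unauthenticated session would have both. Nothing in the visible hunks restricts pod-to-pod traffic; if no NetworkPolicy exists elsewhere, add one that admits port 8080 only from the ingress controller, along the lines below. Both namespace values are placeholders, since neither namespace appears in these hunks.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: code-server-ingress-only
  namespace: CODE_SERVER_NAMESPACE # placeholder: namespace of the Deployment
spec:
  podSelector:
    matchLabels:
      app.kubernetes.io/instance: code-server
      app.kubernetes.io/name: code-server
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              # placeholder: namespace of the nginx-internal controller
              kubernetes.io/metadata.name: INGRESS_CONTROLLER_NAMESPACE
      ports:
        - protocol: TCP
          port: 8080
```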
+122 -121
@@ -11,7 +11,7 @@ metadata:
labels:
app.kubernetes.io/name: craftycontroller
data:
README.txt: 'Crafty Controller hostNetwork deployment.
README.txt: "Crafty Controller hostNetwork deployment.
Reserved Minecraft TCP port range on the node: 25565-25575.
@@ -23,7 +23,7 @@ data:
Port 25565 is commonly used for the primary server.
'
"
---
apiVersion: v1
kind: ServiceAccount
@@ -44,7 +44,7 @@ metadata:
app.kubernetes.io/instance: crafty
spec:
accessModes:
- ReadWriteOnce
- ReadWriteOnce
resources:
requests:
storage: 2Gi
@@ -60,7 +60,7 @@ metadata:
app.kubernetes.io/instance: crafty
spec:
accessModes:
- ReadWriteOnce
- ReadWriteOnce
resources:
requests:
storage: 50Gi
@@ -76,7 +76,7 @@ metadata:
app.kubernetes.io/instance: crafty
spec:
accessModes:
- ReadWriteOnce
- ReadWriteOnce
resources:
requests:
storage: 50Gi
@@ -92,7 +92,7 @@ metadata:
app.kubernetes.io/instance: crafty
spec:
accessModes:
- ReadWriteOnce
- ReadWriteOnce
resources:
requests:
storage: 10Gi
@@ -112,10 +112,10 @@ spec:
app.kubernetes.io/name: craftycontroller
app.kubernetes.io/instance: crafty
ports:
- name: https
port: 8443
targetPort: 8443
protocol: TCP
- name: https
port: 8443
targetPort: 8443
protocol: TCP
---
apiVersion: v1
kind: Service
@@ -131,10 +131,10 @@ spec:
app.kubernetes.io/name: craftycontroller
app.kubernetes.io/instance: crafty
ports:
- name: https
port: 8443
targetPort: 8443
protocol: TCP
- name: https
port: 8443
targetPort: 8443
protocol: TCP
---
apiVersion: networking.k8s.io/v1
kind: Ingress
@@ -149,44 +149,45 @@ metadata:
external-dns.alpha.kubernetes.io/hostname: crafty.dooplex.hu,crafty.home
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
nginx.ingress.kubernetes.io/proxy-ssl-verify: "off"
nginx.ingress.kubernetes.io/ssl-redirect: 'true'
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/proxy-body-size: 200m
nginx.ingress.kubernetes.io/auth-url: http://ak-outpost-crafty-outpost.auth-system.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx
nginx.ingress.kubernetes.io/auth-signin: https://crafty.dooplex.hu/outpost.goauthentik.io/start?rd=$escaped_request_uri
nginx.ingress.kubernetes.io/auth-snippet: 'proxy_set_header X-Forwarded-Host $http_host;
nginx.ingress.kubernetes.io/auth-snippet:
"proxy_set_header X-Forwarded-Host $http_host;
'
"
nginx.ingress.kubernetes.io/configuration-snippet: |
if ($geoip2_city_country_code != "HU") {
if ($geoip2_country_code != "HU") {
return 403 "Access restricted to Hungary";
}
spec:
ingressClassName: nginx-internal
tls:
- secretName: crafty-tls
hosts:
- crafty.dooplex.hu
- secretName: crafty-tls
hosts:
- crafty.dooplex.hu
rules:
- host: crafty.dooplex.hu
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: craftycontroller-https
port:
number: 8443
- host: crafty.home
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: craftycontroller-https
port:
number: 8443
- host: crafty.dooplex.hu
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: craftycontroller-https
port:
number: 8443
- host: crafty.home
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: craftycontroller-https
port:
number: 8443
---
apiVersion: apps/v1
kind: StatefulSet
@@ -217,84 +218,84 @@ spec:
securityContext:
fsGroup: 0
containers:
- name: craftycontroller
image: arcadiatechnology/crafty-4:4.7.0
imagePullPolicy: IfNotPresent
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 0
ports:
- name: https
containerPort: 8443
protocol: TCP
- name: minecraft
containerPort: 25565
protocol: TCP
- name: mc25566
containerPort: 25566
protocol: TCP
- name: mc25567
containerPort: 25567
protocol: TCP
- name: mc25568
containerPort: 25568
protocol: TCP
- name: mc25569
containerPort: 25569
protocol: TCP
- name: mc25570
containerPort: 25570
protocol: TCP
- name: mc25571
containerPort: 25571
protocol: TCP
- name: mc25572
containerPort: 25572
protocol: TCP
- name: mc25573
containerPort: 25573
protocol: TCP
- name: mc25574
containerPort: 25574
protocol: TCP
- name: mc25575
containerPort: 25575
protocol: TCP
livenessProbe:
initialDelaySeconds: 30
httpGet:
path: /
port: 8443
scheme: HTTPS
readinessProbe:
initialDelaySeconds: 30
periodSeconds: 10
failureThreshold: 18
httpGet:
path: /
port: 8443
scheme: HTTPS
resources: {}
volumeMounts:
- name: crafty-app-config
mountPath: /crafty/app/config
- name: crafty-servers
mountPath: /crafty/servers
- name: crafty-backups
mountPath: /crafty/backups
- name: crafty-import
mountPath: /crafty/import
- name: craftycontroller
image: arcadiatechnology/crafty-4:4.7.0
imagePullPolicy: IfNotPresent
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 0
ports:
- name: https
containerPort: 8443
protocol: TCP
- name: minecraft
containerPort: 25565
protocol: TCP
- name: mc25566
containerPort: 25566
protocol: TCP
- name: mc25567
containerPort: 25567
protocol: TCP
- name: mc25568
containerPort: 25568
protocol: TCP
- name: mc25569
containerPort: 25569
protocol: TCP
- name: mc25570
containerPort: 25570
protocol: TCP
- name: mc25571
containerPort: 25571
protocol: TCP
- name: mc25572
containerPort: 25572
protocol: TCP
- name: mc25573
containerPort: 25573
protocol: TCP
- name: mc25574
containerPort: 25574
protocol: TCP
- name: mc25575
containerPort: 25575
protocol: TCP
livenessProbe:
initialDelaySeconds: 30
httpGet:
path: /
port: 8443
scheme: HTTPS
readinessProbe:
initialDelaySeconds: 30
periodSeconds: 10
failureThreshold: 18
httpGet:
path: /
port: 8443
scheme: HTTPS
resources: {}
volumeMounts:
- name: crafty-app-config
mountPath: /crafty/app/config
- name: crafty-servers
mountPath: /crafty/servers
- name: crafty-backups
mountPath: /crafty/backups
- name: crafty-import
mountPath: /crafty/import
volumes:
- name: crafty-app-config
persistentVolumeClaim:
claimName: crafty-app-config
- name: crafty-servers
persistentVolumeClaim:
claimName: crafty-servers
- name: crafty-backups
persistentVolumeClaim:
claimName: crafty-backups
- name: crafty-import
persistentVolumeClaim:
claimName: crafty-import
- name: crafty-app-config
persistentVolumeClaim:
claimName: crafty-app-config
- name: crafty-servers
persistentVolumeClaim:
claimName: crafty-servers
- name: crafty-backups
persistentVolumeClaim:
claimName: crafty-backups
- name: crafty-import
persistentVolumeClaim:
claimName: crafty-import
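Review bot: The `auth-snippet` annotation in the Ingress hunk is now a multi-line double-quoted scalar, a form in which line breaks are folded and backslashes start escape sequences, so it is harder to read than the directive it carries and fragile if a later edit adds a backslash or a quote. The `configuration-snippet` directly below it already uses a literal block; writing `nginx.ingress.kubernetes.io/auth-snippet: |` followed by the indented `proxy_set_header X-Forwarded-Host $http_host;` line keeps the nginx text verbatim and matches that style. The same applies to the `README.txt` value in the ConfigMap hunks, which changed from single to double quotes in this commit.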
+98 -98
@@ -55,75 +55,75 @@ spec:
securityContext:
fsGroup: 1000
containers:
- name: gokapi
image: f0rc3/gokapi:v2.1.0
env:
- name: TZ
value: "Europe/Budapest"
- name: GOKAPI_PORT
value: "53842"
- name: GOKAPI_EXTERNAL_URL
value: "https://fileshare.dooplex.hu/"
- name: GOKAPI_LOCALHOST
value: "false"
- name: GOKAPI_USE_SSL
value: "false"
- name: GOKAPI_DATA_DIR
value: "/app/data"
- name: GOKAPI_CONFIG_DIR
value: "/app/config"
- name: GOKAPI_MAX_MEMORY_UPLOAD
value: "100"
- name: GOKAPI_LOG_STDOUT
value: "true"
# Initial admin user (only used for first setup)
- name: GOKAPI_USERNAME
valueFrom:
secretKeyRef:
name: gokapi-app
key: admin-username
- name: GOKAPI_PASSWORD
valueFrom:
secretKeyRef:
name: gokapi-app
key: admin-password
ports:
- containerPort: 53842
name: http
resources:
requests:
cpu: 50m
memory: 64Mi
limits:
cpu: 500m
memory: 256Mi
volumeMounts:
- name: config
mountPath: /app/config
- name: data
mountPath: /app/data
livenessProbe:
httpGet:
path: /
port: http
initialDelaySeconds: 30
periodSeconds: 30
readinessProbe:
httpGet:
path: /
port: http
initialDelaySeconds: 10
periodSeconds: 10
securityContext:
runAsUser: 1000
runAsGroup: 1000
- name: gokapi
image: f0rc3/gokapi:v2.1.0
env:
- name: TZ
value: "Europe/Budapest"
- name: GOKAPI_PORT
value: "53842"
- name: GOKAPI_EXTERNAL_URL
value: "https://fileshare.dooplex.hu/"
- name: GOKAPI_LOCALHOST
value: "false"
- name: GOKAPI_USE_SSL
value: "false"
- name: GOKAPI_DATA_DIR
value: "/app/data"
- name: GOKAPI_CONFIG_DIR
value: "/app/config"
- name: GOKAPI_MAX_MEMORY_UPLOAD
value: "100"
- name: GOKAPI_LOG_STDOUT
value: "true"
# Initial admin user (only used for first setup)
- name: GOKAPI_USERNAME
valueFrom:
secretKeyRef:
name: gokapi-app
key: admin-username
- name: GOKAPI_PASSWORD
valueFrom:
secretKeyRef:
name: gokapi-app
key: admin-password
ports:
- containerPort: 53842
name: http
resources:
requests:
cpu: 50m
memory: 64Mi
limits:
cpu: 500m
memory: 256Mi
volumeMounts:
- name: config
mountPath: /app/config
- name: data
mountPath: /app/data
livenessProbe:
httpGet:
path: /
port: http
initialDelaySeconds: 30
periodSeconds: 30
readinessProbe:
httpGet:
path: /
port: http
initialDelaySeconds: 10
periodSeconds: 10
securityContext:
runAsUser: 1000
runAsGroup: 1000
volumes:
- name: config
persistentVolumeClaim:
claimName: gokapi-config
- name: data
persistentVolumeClaim:
claimName: gokapi-data
- name: config
persistentVolumeClaim:
claimName: gokapi-config
- name: data
persistentVolumeClaim:
claimName: gokapi-data
---
apiVersion: v1
kind: Service
@@ -136,9 +136,9 @@ metadata:
spec:
type: ClusterIP
ports:
- name: http
port: 53842
targetPort: http
- name: http
port: 53842
targetPort: http
selector:
app.kubernetes.io/instance: gokapi
app.kubernetes.io/name: gokapi
@@ -159,36 +159,36 @@ metadata:
nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
nginx.ingress.kubernetes.io/configuration-snippet: |
if ($geoip2_city_country_code != "HU") {
if ($geoip2_country_code != "HU") {
return 403 "Access restricted to Hungary";
}
spec:
ingressClassName: nginx-internal
rules:
- host: fileshare.dooplex.hu
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: gokapi
port:
number: 53842
- host: fileshare.home
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: gokapi
port:
number: 53842
- host: fileshare.dooplex.hu
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: gokapi
port:
number: 53842
- host: fileshare.home
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: gokapi
port:
number: 53842
tls:
- hosts:
- fileshare.dooplex.hu
secretName: gokapi-tls
- hosts:
- fileshare.dooplex.hu
secretName: gokapi-tls
---
apiVersion: v1
kind: PersistentVolumeClaim
@@ -202,7 +202,7 @@ metadata:
recurring-job.longhorn.io/source: enabled
spec:
accessModes:
- ReadWriteOnce
- ReadWriteOnce
storageClassName: longhorn
resources:
requests:
@@ -220,8 +220,8 @@ metadata:
recurring-job.longhorn.io/source: enabled
spec:
accessModes:
- ReadWriteOnce
- ReadWriteOnce
storageClassName: longhorn
resources:
requests:
storage: 50Gi
storage: 50Gi
+175 -175
@@ -31,152 +31,152 @@ spec:
app.kubernetes.io/name: gitea
spec:
initContainers:
- name: init-directories
image: busybox:1.36
command:
- sh
- -c
- |
mkdir -p /data/gitea/conf
chown -R 1000:1000 /data
volumeMounts:
- name: data
mountPath: /data
- name: init-directories
image: busybox:1.36
command:
- sh
- -c
- |
mkdir -p /data/gitea/conf
chown -R 1000:1000 /data
volumeMounts:
- name: data
mountPath: /data
containers:
- name: gitea
image: gitea/gitea:1.25.3
imagePullPolicy: IfNotPresent
env:
- name: USER_UID
value: "1000"
- name: USER_GID
value: "1000"
- name: GITEA__database__DB_TYPE
value: postgres
# Database - using shared PostgreSQL in database-system namespace
- name: GITEA__database__HOST
value: postgresql-rw.database-system.svc.cluster.local:5432
- name: GITEA__database__NAME
value: gitea
- name: GITEA__database__USER
valueFrom:
secretKeyRef:
name: gitea-db
key: username
- name: GITEA__database__PASSWD
valueFrom:
secretKeyRef:
name: gitea-db
key: password
- name: GITEA__server__DOMAIN
value: gitea.dooplex.hu
- name: GITEA__server__ROOT_URL
value: https://gitea.dooplex.hu/
- name: GITEA__server__HTTP_PORT
value: "3000"
- name: GITEA__server__SSH_DOMAIN
value: gitea.dooplex.hu
- name: GITEA__server__SSH_PORT
value: "22"
- name: GITEA__server__SSH_LISTEN_PORT
value: "2222"
- name: GITEA__server__LFS_START_SERVER
value: "true"
- name: GITEA__security__INSTALL_LOCK
value: "true"
- name: GITEA__security__SECRET_KEY
valueFrom:
secretKeyRef:
name: gitea-app
key: secret-key
- name: GITEA__security__INTERNAL_TOKEN
valueFrom:
secretKeyRef:
name: gitea-app
key: internal-token
- name: GITEA__server__LFS_JWT_SECRET
valueFrom:
secretKeyRef:
name: gitea-app
key: lfs-jwt-secret
- name: GITEA__service__DISABLE_REGISTRATION
value: "true"
- name: GITEA__mailer__ENABLED
value: "true"
- name: GITEA__mailer__PROTOCOL
value: smtp+starttls
- name: GITEA__mailer__SMTP_ADDR
valueFrom:
secretKeyRef:
name: smtp-credentials
key: host
- name: GITEA__mailer__SMTP_PORT
valueFrom:
secretKeyRef:
name: smtp-credentials
key: port
- name: GITEA__mailer__USER
valueFrom:
secretKeyRef:
name: smtp-credentials
key: username
- name: GITEA__mailer__PASSWD
valueFrom:
secretKeyRef:
name: smtp-credentials
key: password
- name: GITEA__mailer__FROM
valueFrom:
secretKeyRef:
name: smtp-credentials
key: from-address
- name: GITEA__time__DEFAULT_UI_LOCATION
value: Europe/Budapest
ports:
- containerPort: 3000
name: http
protocol: TCP
- containerPort: 2222
name: ssh
protocol: TCP
livenessProbe:
httpGet:
path: /api/healthz
port: http
initialDelaySeconds: 60
periodSeconds: 30
timeoutSeconds: 10
failureThreshold: 5
readinessProbe:
httpGet:
path: /api/healthz
port: http
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 3
resources:
limits:
cpu: "1"
memory: 1Gi
requests:
cpu: 100m
memory: 256Mi
volumeMounts:
- name: data
mountPath: /data
- name: repos
mountPath: /data/git/repositories
- name: gitea
image: gitea/gitea:1.25.3
imagePullPolicy: IfNotPresent
env:
- name: USER_UID
value: "1000"
- name: USER_GID
value: "1000"
- name: GITEA__database__DB_TYPE
value: postgres
# Database - using shared PostgreSQL in database-system namespace
- name: GITEA__database__HOST
value: postgresql-rw.database-system.svc.cluster.local:5432
- name: GITEA__database__NAME
value: gitea
- name: GITEA__database__USER
valueFrom:
secretKeyRef:
name: gitea-db
key: username
- name: GITEA__database__PASSWD
valueFrom:
secretKeyRef:
name: gitea-db
key: password
- name: GITEA__server__DOMAIN
value: gitea.dooplex.hu
- name: GITEA__server__ROOT_URL
value: https://gitea.dooplex.hu/
- name: GITEA__server__HTTP_PORT
value: "3000"
- name: GITEA__server__SSH_DOMAIN
value: gitea.dooplex.hu
- name: GITEA__server__SSH_PORT
value: "22"
- name: GITEA__server__SSH_LISTEN_PORT
value: "2222"
- name: GITEA__server__LFS_START_SERVER
value: "true"
- name: GITEA__security__INSTALL_LOCK
value: "true"
- name: GITEA__security__SECRET_KEY
valueFrom:
secretKeyRef:
name: gitea-app
key: secret-key
- name: GITEA__security__INTERNAL_TOKEN
valueFrom:
secretKeyRef:
name: gitea-app
key: internal-token
- name: GITEA__server__LFS_JWT_SECRET
valueFrom:
secretKeyRef:
name: gitea-app
key: lfs-jwt-secret
- name: GITEA__service__DISABLE_REGISTRATION
value: "true"
- name: GITEA__mailer__ENABLED
value: "true"
- name: GITEA__mailer__PROTOCOL
value: smtp+starttls
- name: GITEA__mailer__SMTP_ADDR
valueFrom:
secretKeyRef:
name: smtp-credentials
key: host
- name: GITEA__mailer__SMTP_PORT
valueFrom:
secretKeyRef:
name: smtp-credentials
key: port
- name: GITEA__mailer__USER
valueFrom:
secretKeyRef:
name: smtp-credentials
key: username
- name: GITEA__mailer__PASSWD
valueFrom:
secretKeyRef:
name: smtp-credentials
key: password
- name: GITEA__mailer__FROM
valueFrom:
secretKeyRef:
name: smtp-credentials
key: from-address
- name: GITEA__time__DEFAULT_UI_LOCATION
value: Europe/Budapest
ports:
- containerPort: 3000
name: http
protocol: TCP
- containerPort: 2222
name: ssh
protocol: TCP
livenessProbe:
httpGet:
path: /api/healthz
port: http
initialDelaySeconds: 60
periodSeconds: 30
timeoutSeconds: 10
failureThreshold: 5
readinessProbe:
httpGet:
path: /api/healthz
port: http
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 3
resources:
limits:
cpu: "1"
memory: 1Gi
requests:
cpu: 100m
memory: 256Mi
volumeMounts:
- name: data
mountPath: /data
- name: repos
mountPath: /data/git/repositories
securityContext:
fsGroup: 1000
volumes:
- name: data
persistentVolumeClaim:
claimName: gitea-data
- name: repos
hostPath:
path: /mnt/4_hdd/data/gitea/repositories
type: DirectoryOrCreate
- name: data
persistentVolumeClaim:
claimName: gitea-data
- name: repos
hostPath:
path: /mnt/4_hdd/data/gitea/repositories
type: DirectoryOrCreate
---
apiVersion: v1
kind: Service
@@ -190,14 +190,14 @@ spec:
type: LoadBalancer
loadBalancerIP: 192.168.0.203
ports:
- name: http
port: 3000
protocol: TCP
targetPort: http
- name: ssh
port: 2222
protocol: TCP
targetPort: 22
- name: http
port: 3000
protocol: TCP
targetPort: http
- name: ssh
port: 2222
protocol: TCP
targetPort: 22
selector:
app.kubernetes.io/instance: gitea
app.kubernetes.io/name: gitea
@@ -211,7 +211,7 @@ metadata:
nginx.ingress.kubernetes.io/proxy-body-size: "0"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/configuration-snippet: |
if ($geoip2_city_country_code != "HU") {
if ($geoip2_country_code != "HU") {
return 403 "Access restricted to Hungary";
}
labels:
@@ -222,30 +222,30 @@ metadata:
spec:
ingressClassName: nginx-internal
rules:
- host: gitea.dooplex.hu
http:
paths:
- backend:
service:
name: gitea
port:
number: 3000
path: /
pathType: Prefix
- host: gitea.home
http:
paths:
- backend:
service:
name: gitea
port:
number: 3000
path: /
pathType: Prefix
- host: gitea.dooplex.hu
http:
paths:
- backend:
service:
name: gitea
port:
number: 3000
path: /
pathType: Prefix
- host: gitea.home
http:
paths:
- backend:
service:
name: gitea
port:
number: 3000
path: /
pathType: Prefix
tls:
- hosts:
- gitea.dooplex.hu
secretName: gitea-tls
- hosts:
- gitea.dooplex.hu
secretName: gitea-tls
---
apiVersion: v1
kind: PersistentVolumeClaim
@@ -257,7 +257,7 @@ metadata:
namespace: gitea-system
spec:
accessModes:
- ReadWriteOnce
- ReadWriteOnce
resources:
requests:
storage: 10Gi
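Review bot: The country check and `ssl-redirect` on the gitea Ingress do not cover the `http` port that the `type: LoadBalancer` Service also publishes, so port 3000 on 192.168.0.203 reaches Gitea directly over plain HTTP. If the load balancer is there for SSH only, keep just the `ssh` entry on it and back the Ingress with a separate ClusterIP Service for port 3000. The address is in a private range and nothing on this page shows whether it is forwarded from outside, so as far as can be seen this is a way around the policy from inside the network. The Service's metadata starts outside the hunk.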
+1 -1
@@ -2201,7 +2201,7 @@ metadata:
nginx.ingress.kubernetes.io/auth-snippet: |
proxy_set_header X-Forwarded-Host $http_host;
nginx.ingress.kubernetes.io/configuration-snippet: |
if ($geoip2_city_country_code != "HU") {
if ($geoip2_country_code != "HU") {
return 403 "Access restricted to Hungary";
}
spec:
+2 -2
@@ -752,7 +752,7 @@ metadata:
nginx.ingress.kubernetes.io/auth-snippet: |
proxy_set_header X-Forwarded-Host $http_host;
nginx.ingress.kubernetes.io/configuration-snippet: |
if ($geoip2_city_country_code != "HU") {
if ($geoip2_country_code != "HU") {
return 403 "Access restricted to Hungary";
}
spec:
@@ -803,4 +803,4 @@ spec:
# tls:
# - hosts:
# - home.dooplex.hu
# secretName: glance-tls
# secretName: glance-tls
+1 -1
@@ -347,7 +347,7 @@ metadata:
nginx.ingress.kubernetes.io/proxy-buffer-size: "16k"
nginx.ingress.kubernetes.io/proxy-buffers-number: "4"
nginx.ingress.kubernetes.io/configuration-snippet: |
if ($geoip2_city_country_code != "HU") {
if ($geoip2_country_code != "HU") {
return 403 "Access restricted to Hungary";
}
# Homepage integration annotations
+4 -4
@@ -487,7 +487,7 @@ data:
display: flex !important;
align-items: center !important;
}
/* Make the image fill it */
#information-widgets .information-widget-logo img {
max-height: 100px !important;
@@ -554,7 +554,7 @@ spec:
valueFrom:
secretKeyRef:
name: homepage-secrets
key: prowlarr-api-key
key: prowlarr-api-key
- name: HOMEPAGE_VAR_SONARR_API_KEY
valueFrom:
secretKeyRef:
@@ -716,7 +716,7 @@ metadata:
nginx.ingress.kubernetes.io/auth-snippet: |
proxy_set_header X-Forwarded-Host $http_host;
nginx.ingress.kubernetes.io/configuration-snippet: |
if ($geoip2_city_country_code != "HU") {
if ($geoip2_country_code != "HU") {
return 403 "Access restricted to Hungary";
}
# Homepage auto-discovery annotation
@@ -752,4 +752,4 @@ spec:
- hosts:
- homepage.dooplex.hu
secretName: homepage-tls
---
---
+78 -78
@@ -217,11 +217,11 @@ spec:
app.kubernetes.io/instance: immich
template:
metadata:
labels:
labels:
app.kubernetes.io/controller: main
app.kubernetes.io/instance: immich
app.kubernetes.io/name: machine-learning
spec:
spec:
enableServiceLinks: false
serviceAccountName: default
automountServiceAccountToken: true
@@ -229,18 +229,18 @@ spec:
hostNetwork: false
hostPID: false
dnsPolicy: ClusterFirst
containers:
containers:
- env:
- name: HF_XET_CACHE
value: /cache/huggingface-xet
- name: IMMICH_MACHINE_LEARNING_URL
value: http://immich-machine-learning:3003
- name: MPLCONFIGDIR
value: /cache/matplotlib-config
- name: REDIS_HOSTNAME
value: immich-valkey
- name: TRANSFORMERS_CACHE
value: /cache
- name: HF_XET_CACHE
value: /cache/huggingface-xet
- name: IMMICH_MACHINE_LEARNING_URL
value: http://immich-machine-learning:3003
- name: MPLCONFIGDIR
value: /cache/matplotlib-config
- name: REDIS_HOSTNAME
value: immich-valkey
- name: TRANSFORMERS_CACHE
value: /cache
image: ghcr.io/immich-app/immich-machine-learning:v2.4.1
imagePullPolicy: IfNotPresent
livenessProbe:
@@ -253,9 +253,9 @@ spec:
timeoutSeconds: 1
name: main
ports:
- containerPort: 3003
name: http
protocol: TCP
- containerPort: 3003
name: http
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
@@ -273,9 +273,9 @@ spec:
periodSeconds: 10
timeoutSeconds: 1
volumeMounts:
- mountPath: /cache
name: cache
volumes:
- mountPath: /cache
name: cache
volumes:
- name: cache
persistentVolumeClaim:
claimName: immich-machine-learning
@@ -302,11 +302,11 @@ spec:
app.kubernetes.io/instance: immich
template:
metadata:
labels:
labels:
app.kubernetes.io/controller: main
app.kubernetes.io/instance: immich
app.kubernetes.io/name: server
spec:
spec:
enableServiceLinks: false
serviceAccountName: default
automountServiceAccountToken: true
@@ -314,28 +314,28 @@ spec:
hostNetwork: false
hostPID: false
dnsPolicy: ClusterFirst
containers:
containers:
- env:
- name: DB_HOSTNAME
value: immich-postgres
- name: DB_PORT
value: "5432"
- name: DB_DATABASE_NAME
value: immich
- name: DB_USERNAME
valueFrom:
secretKeyRef:
name: immich-db
key: username
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: immich-db
key: password
- name: IMMICH_MACHINE_LEARNING_URL
value: http://immich-machine-learning:3003
- name: REDIS_HOSTNAME
value: immich-valkey
- name: DB_HOSTNAME
value: immich-postgres
- name: DB_PORT
value: "5432"
- name: DB_DATABASE_NAME
value: immich
- name: DB_USERNAME
valueFrom:
secretKeyRef:
name: immich-db
key: username
- name: DB_PASSWORD
valueFrom:
secretKeyRef:
name: immich-db
key: password
- name: IMMICH_MACHINE_LEARNING_URL
value: http://immich-machine-learning:3003
- name: REDIS_HOSTNAME
value: immich-valkey
image: ghcr.io/immich-app/immich-server:v2.4.1
imagePullPolicy: IfNotPresent
livenessProbe:
@@ -348,9 +348,9 @@ spec:
timeoutSeconds: 1
name: main
ports:
- containerPort: 2283
name: http
protocol: TCP
- containerPort: 2283
name: http
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
@@ -368,9 +368,9 @@ spec:
periodSeconds: 10
timeoutSeconds: 1
volumeMounts:
- mountPath: /data
name: data
volumes:
- mountPath: /data
name: data
volumes:
- name: data
hostPath:
path: /mnt/4_hdd/data/immich
@@ -398,11 +398,11 @@ spec:
app.kubernetes.io/instance: immich
template:
metadata:
labels:
labels:
app.kubernetes.io/controller: main
app.kubernetes.io/instance: immich
app.kubernetes.io/name: valkey
spec:
spec:
enableServiceLinks: false
serviceAccountName: default
automountServiceAccountToken: true
@@ -410,35 +410,35 @@ spec:
hostNetwork: false
hostPID: false
dnsPolicy: ClusterFirst
containers:
containers:
- env:
- name: IMMICH_MACHINE_LEARNING_URL
value: http://immich-machine-learning:3003
- name: REDIS_HOSTNAME
value: immich-valkey
- name: IMMICH_MACHINE_LEARNING_URL
value: http://immich-machine-learning:3003
- name: REDIS_HOSTNAME
value: immich-valkey
image: docker.io/valkey/valkey:9.0-alpine@sha256:b4ee67d73e00393e712accc72cfd7003b87d0fcd63f0eba798b23251bfc9c394
imagePullPolicy: IfNotPresent
livenessProbe:
exec:
command:
- sh
- -c
- valkey-cli ping | grep PONG
- sh
- -c
- valkey-cli ping | grep PONG
failureThreshold: 3
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
name: main
ports:
- containerPort: 6379
name: redis
protocol: TCP
- containerPort: 6379
name: redis
protocol: TCP
readinessProbe:
exec:
command:
- sh
- -c
- valkey-cli ping | grep PONG
- sh
- -c
- valkey-cli ping | grep PONG
failureThreshold: 3
initialDelaySeconds: 5
periodSeconds: 10
@@ -446,17 +446,17 @@ spec:
startupProbe:
exec:
command:
- sh
- -c
- valkey-cli ping | grep PONG
- sh
- -c
- valkey-cli ping | grep PONG
failureThreshold: 30
initialDelaySeconds: 0
periodSeconds: 10
timeoutSeconds: 5
volumeMounts:
- mountPath: /data
name: data
volumes:
- mountPath: /data
name: data
volumes:
- name: data
persistentVolumeClaim:
claimName: immich-valkey
@@ -478,24 +478,24 @@ metadata:
nginx.ingress.kubernetes.io/configuration-snippet: |
# GeoIP-based access control for Immich
# Allows Hungarian traffic everywhere, worldwide only for /share/* paths
set $geo_allowed 0;
# Allow all Hungarian traffic
if ($geoip2_city_country_code = "HU") {
if ($geoip2_country_code = "HU") {
set $geo_allowed 1;
}
# Allow public share paths from anywhere
if ($request_uri ~* "^/share/") {
set $geo_allowed 1;
}
# API endpoints needed for shared content
if ($request_uri ~* "^/api/shared-links") {
set $geo_allowed 1;
}
# Assets for shared albums (thumbnails and originals)
if ($request_uri ~* "^/api/assets/.*/thumbnail") {
set $geo_allowed 1;
@@ -503,7 +503,7 @@ metadata:
if ($request_uri ~* "^/api/assets/.*/original") {
set $geo_allowed 1;
}
# Static assets needed for share page rendering
if ($request_uri ~* "^/_app/") {
set $geo_allowed 1;
@@ -514,7 +514,7 @@ metadata:
if ($request_uri ~* "\.(js|css|woff2?|ttf|svg|png|ico)$") {
set $geo_allowed 1;
}
# Block non-allowed requests
if ($geo_allowed = 0) {
return 403 "Access restricted to Hungary";
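Review bot: The extension allow-rule in the Immich `configuration-snippet` is tested against `$request_uri`, which carries the query string, so the match is not limited to static file paths and can set `$geo_allowed` for API routes as well. Matching the normalised path keeps the exception to real asset names: `if ($uri ~* "\.(js|css|woff2?|ttf|svg|png|ico)$") {`. The same line appears in the OpenGist Ingress snippet further down this commit. The snippet starts and ends outside the hunks shown, so the remaining rules could not be checked in full.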
+6 -2
@@ -11,6 +11,7 @@ metadata:
labels:
name: mon-system
# =============================================================================
# PROMETHEUS CONFIGURATION
# =============================================================================
@@ -295,7 +296,7 @@ spec:
cpu: 100m
memory: 256Mi
limits:
cpu: '2'
cpu: "2"
memory: 6Gi
livenessProbe:
httpGet:
@@ -373,6 +374,7 @@ spec:
path: /
pathType: Prefix
# =============================================================================
# GRAFANA CONFIGURATION
# =============================================================================
@@ -571,7 +573,7 @@ metadata:
external-dns.alpha.kubernetes.io/hostname: grafana.dooplex.hu,grafana.home
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/configuration-snippet: |
if ($geoip2_city_country_code != "HU") {
if ($geoip2_country_code != "HU") {
return 403 "Access restricted to Hungary";
}
spec:
@@ -602,6 +604,7 @@ spec:
- grafana.dooplex.hu
secretName: grafana-tls
# =============================================================================
# NODE EXPORTER - Host metrics (CPU, RAM, Disk, Network)
# Runs on the host network to collect host metrics
@@ -702,6 +705,7 @@ spec:
selector:
app: node-exporter
# =============================================================================
# EXPORTARR - Metrics for Sonarr, Radarr, Prowlarr
# =============================================================================
+54 -57
@@ -112,19 +112,19 @@ data:
<ifModule mod_autoindex.c>
IndexIgnore *
</ifModule>
apache-pretty-urls.config.php: |-
<?php
$CONFIG = array (
'htaccess.RewriteBase' => '/',
);
apcu.config.php: |-
<?php
$CONFIG = array (
'memcache.local' => '\OC\Memcache\APCu',
);
apps.config.php: |-
<?php
$CONFIG = array (
@@ -141,12 +141,12 @@ data:
),
),
);
autoconfig.php: |-
<?php
$autoconfig_enabled = false;
if (getenv('SQLITE_DATABASE')) {
$AUTOCONFIG['dbtype'] = 'sqlite';
$AUTOCONFIG['dbname'] = getenv('SQLITE_DATABASE');
@@ -180,48 +180,48 @@ data:
$AUTOCONFIG['dbhost'] = getenv('POSTGRES_HOST');
$autoconfig_enabled = true;
}
if ($autoconfig_enabled) {
$AUTOCONFIG['directory'] = getenv('NEXTCLOUD_DATA_DIR') ?: '/var/www/html/data';
}
reverse-proxy.config.php: |-
<?php
$overwriteHost = getenv('OVERWRITEHOST');
if ($overwriteHost) {
$CONFIG['overwritehost'] = $overwriteHost;
}
$overwriteProtocol = getenv('OVERWRITEPROTOCOL');
if ($overwriteProtocol) {
$CONFIG['overwriteprotocol'] = $overwriteProtocol;
}
$overwriteCliUrl = getenv('OVERWRITECLIURL');
if ($overwriteCliUrl) {
$CONFIG['overwrite.cli.url'] = $overwriteCliUrl;
}
$overwriteWebRoot = getenv('OVERWRITEWEBROOT');
if ($overwriteWebRoot) {
$CONFIG['overwritewebroot'] = $overwriteWebRoot;
}
$overwriteCondAddr = getenv('OVERWRITECONDADDR');
if ($overwriteCondAddr) {
$CONFIG['overwritecondaddr'] = $overwriteCondAddr;
}
$trustedProxies = getenv('TRUSTED_PROXIES');
if ($trustedProxies) {
$CONFIG['trusted_proxies'] = array_filter(array_map('trim', explode(' ', $trustedProxies)));
}
$forwardedForHeaders = getenv('FORWARDED_FOR_HEADERS');
if ($forwardedForHeaders) {
$CONFIG['forwarded_for_headers'] = array_filter(array_map('trim', explode(' ', $forwardedForHeaders)));
}
upgrade-disable-web.config.php: |-
<?php
$CONFIG = array (
@@ -450,8 +450,7 @@ spec:
value: "https://nextcloud.dooplex.hu"
- name: NEXTCLOUD_DATA_DIR
value: "/data"
resources:
{}
resources: {}
volumeMounts:
- name: nextcloud-main
mountPath: /var/www/
@@ -515,8 +514,8 @@ spec:
path: /status.php
port: 80
httpHeaders:
- name: Host
value: localhost
- name: Host
value: localhost
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
@@ -524,10 +523,10 @@ spec:
livenessProbe:
httpGet:
path: /status.php
port: 80
port: 80
httpHeaders:
- name: Host
value: localhost
- name: Host
value: localhost
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 5
@@ -536,10 +535,10 @@ spec:
readinessProbe:
httpGet:
path: /status.php
port: 80
port: 80
httpHeaders:
- name: Host
value: localhost
- name: Host
value: localhost
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 5
@@ -548,10 +547,8 @@ spec:
initContainers:
- name: postgresql-isready
image: docker.io/bitnamilegacy/postgresql:17.5.0-debian-12-r3
resources:
{}
securityContext:
{}
resources: {}
securityContext: {}
env:
- name: POSTGRES_USER
valueFrom:
@@ -640,7 +637,7 @@ spec:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
- ALL
privileged: false
readOnlyRootFilesystem: true
runAsGroup: 1001
@@ -750,7 +747,7 @@ spec:
medium: Memory
- name: data
persistentVolumeClaim:
claimName: nextcloud-postgresql-data # NOW PERSISTENT
claimName: nextcloud-postgresql-data # NOW PERSISTENT
---
apiVersion: networking.k8s.io/v1
kind: Ingress
@@ -763,7 +760,7 @@ metadata:
nginx.ingress.kubernetes.io/configuration-snippet: |
proxy_hide_header Content-Security-Policy;
add_header Content-Security-Policy "default-src 'self'; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob:; style-src 'self' 'unsafe-inline'; img-src 'self' data: blob: https:; font-src 'self' data:; connect-src 'self' https:; media-src 'self'; frame-ancestors 'self' https://home.dooplex.hu https://orsi.dooplex.hu https://kisfenyo.dooplex.hu;" always;
if ($geoip2_city_country_code != "HU") {
if ($geoip2_country_code != "HU") {
return 403 "Access restricted to Hungary";
}
name: nextcloud
@@ -771,32 +768,32 @@ metadata:
spec:
ingressClassName: nginx-internal
rules:
- host: nextcloud.dooplex.hu
http:
paths:
- backend:
service:
name: nextcloud
port:
number: 80
path: /
pathType: Prefix
- host: nextcloud.home
http:
paths:
- backend:
service:
name: nextcloud
port:
number: 80
path: /
pathType: Prefix
- host: nextcloud.dooplex.hu
http:
paths:
- backend:
service:
name: nextcloud
port:
number: 80
path: /
pathType: Prefix
- host: nextcloud.home
http:
paths:
- backend:
service:
name: nextcloud
port:
number: 80
path: /
pathType: Prefix
tls:
- hosts:
- nextcloud.dooplex.hu
secretName: nextcloud-tls
- hosts:
- nextcloud.dooplex.hu
secretName: nextcloud-tls
status:
loadBalancer:
ingress:
- ip: 192.168.0.192
---
- ip: 192.168.0.192
---
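Review bot: The Nextcloud Ingress snippet drops the application's own `Content-Security-Policy` with `proxy_hide_header` and substitutes a static one whose `script-src` allows `'unsafe-inline'` and `'unsafe-eval'`, which gives up most of the script-injection protection a CSP provides. If the override exists only to permit framing from the three `dooplex.hu` origins, keep `script-src` as strict as the upstream header and change only `frame-ancestors`; the upstream value is not visible here, so compare the two before tightening. At minimum record the reason above the `add_header` line, e.g. `# CSP replaced to allow framing from home/orsi/kisfenyo; script-src is relaxed, revisit`. The annotation block starts outside the hunk.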
+94 -94
@@ -36,10 +36,10 @@ data:
config.yaml: |
log-level: info
external-url: https://paste.dooplex.hu
# Branding
custom.name: Dooplex Paste
# Security Features
# We set these here to ensure they override defaults
disable-signup: true
@@ -72,60 +72,60 @@ spec:
app.kubernetes.io/instance: opengist
spec:
containers:
- name: opengist
image: ghcr.io/thomiceli/opengist:1.11.1
args: ["--config", "/config/config.yaml"]
env:
# --- OIDC CONFIGURATION ---
- name: OG_OIDC_CLIENT_KEY
valueFrom:
secretKeyRef:
name: opengist-oidc
key: client-id
- name: OG_OIDC_SECRET
valueFrom:
secretKeyRef:
name: opengist-oidc
key: client-secret
- name: OG_OIDC_DISCOVERY_URL
value: "https://authentik.dooplex.hu/application/o/opengist/.well-known/openid-configuration"
ports:
- containerPort: 6157
name: http
- containerPort: 2222
name: ssh
resources:
requests:
cpu: 50m
memory: 64Mi
limits:
cpu: 500m
memory: 256Mi
volumeMounts:
- name: data
mountPath: /opengist
- name: config
mountPath: /config
readOnly: true
livenessProbe:
httpGet:
path: /healthcheck
port: http
initialDelaySeconds: 10
periodSeconds: 30
readinessProbe:
httpGet:
path: /healthcheck
port: http
initialDelaySeconds: 5
periodSeconds: 10
- name: opengist
image: ghcr.io/thomiceli/opengist:1.11.1
args: ["--config", "/config/config.yaml"]
env:
# --- OIDC CONFIGURATION ---
- name: OG_OIDC_CLIENT_KEY
valueFrom:
secretKeyRef:
name: opengist-oidc
key: client-id
- name: OG_OIDC_SECRET
valueFrom:
secretKeyRef:
name: opengist-oidc
key: client-secret
- name: OG_OIDC_DISCOVERY_URL
value: "https://authentik.dooplex.hu/application/o/opengist/.well-known/openid-configuration"
ports:
- containerPort: 6157
name: http
- containerPort: 2222
name: ssh
resources:
requests:
cpu: 50m
memory: 64Mi
limits:
cpu: 500m
memory: 256Mi
volumeMounts:
- name: data
mountPath: /opengist
- name: config
mountPath: /config
readOnly: true
livenessProbe:
httpGet:
path: /healthcheck
port: http
initialDelaySeconds: 10
periodSeconds: 30
readinessProbe:
httpGet:
path: /healthcheck
port: http
initialDelaySeconds: 5
periodSeconds: 10
volumes:
- name: data
persistentVolumeClaim:
claimName: opengist-data
- name: config
configMap:
name: opengist-config
- name: data
persistentVolumeClaim:
claimName: opengist-data
- name: config
configMap:
name: opengist-config
---
# 5. SERVICE
@@ -140,12 +140,12 @@ metadata:
spec:
type: ClusterIP
ports:
- name: http
port: 80
targetPort: http
- name: ssh
port: 2222
targetPort: ssh
- name: http
port: 80
targetPort: http
- name: ssh
port: 2222
targetPort: ssh
selector:
app.kubernetes.io/name: opengist
app.kubernetes.io/instance: opengist
@@ -169,39 +169,39 @@ metadata:
nginx.ingress.kubernetes.io/configuration-snippet: |
# GeoIP-based access control for OpenGist
# Allows Hungarian traffic everywhere, worldwide only for paste viewing
set $geo_allowed 0;
# Allow all Hungarian traffic
if ($geoip2_city_country_code = "HU") {
if ($geoip2_country_code = "HU") {
set $geo_allowed 1;
}
# Allow public gist viewing: /{username}/{32-lowercase-hex-chars}
if ($request_uri ~* "^/[a-zA-Z0-9_-]+/[a-f0-9]{32}$") {
set $geo_allowed 1;
}
# Allow raw view: /{username}/{32-hex}/raw/{filename}
if ($request_uri ~* "^/[a-zA-Z0-9_-]+/[a-f0-9]{32}/raw/") {
set $geo_allowed 1;
}
# Allow download: /{username}/{32-hex}/download
if ($request_uri ~* "^/[a-zA-Z0-9_-]+/[a-f0-9]{32}/download") {
set $geo_allowed 1;
}
# Allow revision viewing: /{username}/{32-hex}/rev/{revision}
if ($request_uri ~* "^/[a-zA-Z0-9_-]+/[a-f0-9]{32}/rev/[a-f0-9]+") {
set $geo_allowed 1;
}
# Allow embed view
if ($request_uri ~* "^/[a-zA-Z0-9_-]+/[a-f0-9]{32}/embed") {
set $geo_allowed 1;
}
# Allow static assets
if ($request_uri ~* "^/assets/") {
set $geo_allowed 1;
@@ -212,7 +212,7 @@ metadata:
if ($request_uri ~* "\.(css|js|woff2?|ttf|svg|png|ico)$") {
set $geo_allowed 1;
}
# Block non-allowed requests
if ($geo_allowed = 0) {
return 403 "Access restricted to Hungary";
@@ -220,27 +220,27 @@ metadata:
spec:
ingressClassName: nginx-internal
rules:
- host: paste.dooplex.hu
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: opengist
port:
number: 80
- host: paste.home
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: opengist
port:
number: 80
- host: paste.dooplex.hu
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: opengist
port:
number: 80
- host: paste.home
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: opengist
port:
number: 80
tls:
- hosts:
- paste.dooplex.hu
secretName: opengist-tls
- hosts:
- paste.dooplex.hu
secretName: opengist-tls
+297 -297
@@ -30,148 +30,148 @@ spec:
match-regex.version-checker.io/outline: '^\d+\.\d+\.\d+$'
spec:
containers:
- name: outline
image: outlinewiki/outline:1.2.0
imagePullPolicy: IfNotPresent
env:
- name: NODE_ENV
value: production
- name: SECRET_KEY
valueFrom:
secretKeyRef:
name: outline-app
key: secret-key
- name: UTILS_SECRET
valueFrom:
secretKeyRef:
name: outline-app
key: utils-secret
- name: DB_USER
valueFrom:
secretKeyRef:
name: outline-db
key: username
- name: DB_PASS
valueFrom:
secretKeyRef:
name: outline-db
key: password
# Database - using shared PostgreSQL in database-system namespace
- name: DATABASE_URL
value: postgres://$(DB_USER):$(DB_PASS)@postgresql-rw.database-system.svc.cluster.local:5432/outline
- name: PGSSLMODE
value: disable
- name: REDIS_URL
value: redis://outline-redis:6379
- name: URL
value: https://outline.dooplex.hu
- name: PORT
value: "3000"
- name: FILE_STORAGE
value: s3
- name: AWS_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: outline-minio
key: root-user
- name: AWS_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: outline-minio
key: root-password
- name: AWS_REGION
value: us-east-1
- name: AWS_S3_UPLOAD_BUCKET_URL
value: https://outline-minio.dooplex.hu/outline # Changed from http://outline-minio:9000
- name: AWS_S3_UPLOAD_BUCKET_NAME
value: outline
- name: AWS_S3_FORCE_PATH_STYLE
value: "true"
- name: AWS_S3_ACL
value: private
- name: OIDC_CLIENT_ID
valueFrom:
secretKeyRef:
name: outline-oidc
key: client-id
- name: OIDC_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: outline-oidc
key: client-secret
- name: OIDC_AUTH_URI
value: "https://authentik.dooplex.hu/application/o/authorize/"
- name: OIDC_TOKEN_URI
value: "https://authentik.dooplex.hu/application/o/token/"
- name: OIDC_USERINFO_URI
value: "https://authentik.dooplex.hu/application/o/userinfo/"
- name: OIDC_LOGOUT_URI
value: "https://authentik.dooplex.hu/application/o/outline/end-session/"
- name: OIDC_USERNAME_CLAIM
value: "preferred_username"
- name: OIDC_DISPLAY_NAME
value: "authentik"
- name: OIDC_SCOPES
value: "openid profile email offline_access"
# SMTP Configuration
- name: SMTP_HOST
valueFrom:
secretKeyRef:
name: smtp-credentials
key: host
- name: SMTP_PORT
valueFrom:
secretKeyRef:
name: smtp-credentials
key: port
- name: SMTP_USERNAME
valueFrom:
secretKeyRef:
name: smtp-credentials
key: username
- name: SMTP_PASSWORD
valueFrom:
secretKeyRef:
name: smtp-credentials
key: password
- name: SMTP_FROM_EMAIL
valueFrom:
secretKeyRef:
name: smtp-credentials
key: from-address
- name: SMTP_SECURE
value: "false"
- name: FORCE_HTTPS
value: "true"
- name: DEFAULT_LANGUAGE
value: en_US
ports:
- containerPort: 3000
name: http
protocol: TCP
livenessProbe:
httpGet:
path: /_health
port: http
initialDelaySeconds: 60
periodSeconds: 30
timeoutSeconds: 10
failureThreshold: 5
readinessProbe:
httpGet:
path: /_health
port: http
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 3
resources:
limits:
cpu: "1"
memory: 1Gi
requests:
cpu: 100m
memory: 256Mi
- name: outline
image: outlinewiki/outline:1.2.0
imagePullPolicy: IfNotPresent
env:
- name: NODE_ENV
value: production
- name: SECRET_KEY
valueFrom:
secretKeyRef:
name: outline-app
key: secret-key
- name: UTILS_SECRET
valueFrom:
secretKeyRef:
name: outline-app
key: utils-secret
- name: DB_USER
valueFrom:
secretKeyRef:
name: outline-db
key: username
- name: DB_PASS
valueFrom:
secretKeyRef:
name: outline-db
key: password
# Database - using shared PostgreSQL in database-system namespace
- name: DATABASE_URL
value: postgres://$(DB_USER):$(DB_PASS)@postgresql-rw.database-system.svc.cluster.local:5432/outline
- name: PGSSLMODE
value: disable
- name: REDIS_URL
value: redis://outline-redis:6379
- name: URL
value: https://outline.dooplex.hu
- name: PORT
value: "3000"
- name: FILE_STORAGE
value: s3
- name: AWS_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: outline-minio
key: root-user
- name: AWS_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: outline-minio
key: root-password
- name: AWS_REGION
value: us-east-1
- name: AWS_S3_UPLOAD_BUCKET_URL
value: https://outline-minio.dooplex.hu/outline # Changed from http://outline-minio:9000
- name: AWS_S3_UPLOAD_BUCKET_NAME
value: outline
- name: AWS_S3_FORCE_PATH_STYLE
value: "true"
- name: AWS_S3_ACL
value: private
- name: OIDC_CLIENT_ID
valueFrom:
secretKeyRef:
name: outline-oidc
key: client-id
- name: OIDC_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: outline-oidc
key: client-secret
- name: OIDC_AUTH_URI
value: "https://authentik.dooplex.hu/application/o/authorize/"
- name: OIDC_TOKEN_URI
value: "https://authentik.dooplex.hu/application/o/token/"
- name: OIDC_USERINFO_URI
value: "https://authentik.dooplex.hu/application/o/userinfo/"
- name: OIDC_LOGOUT_URI
value: "https://authentik.dooplex.hu/application/o/outline/end-session/"
- name: OIDC_USERNAME_CLAIM
value: "preferred_username"
- name: OIDC_DISPLAY_NAME
value: "authentik"
- name: OIDC_SCOPES
value: "openid profile email offline_access"
# SMTP Configuration
- name: SMTP_HOST
valueFrom:
secretKeyRef:
name: smtp-credentials
key: host
- name: SMTP_PORT
valueFrom:
secretKeyRef:
name: smtp-credentials
key: port
- name: SMTP_USERNAME
valueFrom:
secretKeyRef:
name: smtp-credentials
key: username
- name: SMTP_PASSWORD
valueFrom:
secretKeyRef:
name: smtp-credentials
key: password
- name: SMTP_FROM_EMAIL
valueFrom:
secretKeyRef:
name: smtp-credentials
key: from-address
- name: SMTP_SECURE
value: "false"
- name: FORCE_HTTPS
value: "true"
- name: DEFAULT_LANGUAGE
value: en_US
ports:
- containerPort: 3000
name: http
protocol: TCP
livenessProbe:
httpGet:
path: /_health
port: http
initialDelaySeconds: 60
periodSeconds: 30
timeoutSeconds: 10
failureThreshold: 5
readinessProbe:
httpGet:
path: /_health
port: http
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 3
resources:
limits:
cpu: "1"
memory: 1Gi
requests:
cpu: 100m
memory: 256Mi
volumes: []
---
apiVersion: apps/v1
@@ -197,51 +197,51 @@ spec:
app.kubernetes.io/name: redis
spec:
containers:
- name: redis
image: redis:7-alpine
imagePullPolicy: IfNotPresent
command:
- redis-server
- --appendonly
- "yes"
ports:
- containerPort: 6379
name: redis
protocol: TCP
livenessProbe:
exec:
command:
- sh
- -c
- redis-cli ping | grep PONG
initialDelaySeconds: 30
periodSeconds: 10
failureThreshold: 3
timeoutSeconds: 5
readinessProbe:
exec:
command:
- sh
- -c
- redis-cli ping | grep PONG
initialDelaySeconds: 5
periodSeconds: 10
failureThreshold: 3
timeoutSeconds: 5
resources:
limits:
cpu: 250m
memory: 256Mi
requests:
cpu: 50m
memory: 64Mi
volumeMounts:
- name: data
mountPath: /data
- name: redis
image: redis:7-alpine
imagePullPolicy: IfNotPresent
command:
- redis-server
- --appendonly
- "yes"
ports:
- containerPort: 6379
name: redis
protocol: TCP
livenessProbe:
exec:
command:
- sh
- -c
- redis-cli ping | grep PONG
initialDelaySeconds: 30
periodSeconds: 10
failureThreshold: 3
timeoutSeconds: 5
readinessProbe:
exec:
command:
- sh
- -c
- redis-cli ping | grep PONG
initialDelaySeconds: 5
periodSeconds: 10
failureThreshold: 3
timeoutSeconds: 5
resources:
limits:
cpu: 250m
memory: 256Mi
requests:
cpu: 50m
memory: 64Mi
volumeMounts:
- name: data
mountPath: /data
volumes:
- name: data
persistentVolumeClaim:
claimName: outline-redis
- name: data
persistentVolumeClaim:
claimName: outline-redis
---
apiVersion: apps/v1
kind: Deployment
@@ -266,64 +266,64 @@ spec:
app.kubernetes.io/name: minio
spec:
containers:
- name: minio
image: minio/minio:latest
imagePullPolicy: IfNotPresent
command:
- minio
- server
- /data
- --console-address
- ":9001"
env:
- name: MINIO_ROOT_USER
valueFrom:
secretKeyRef:
name: outline-minio
key: root-user
- name: MINIO_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: outline-minio
key: root-password
ports:
- containerPort: 9000
name: api
protocol: TCP
- containerPort: 9001
name: console
protocol: TCP
livenessProbe:
httpGet:
path: /minio/health/live
port: api
initialDelaySeconds: 30
periodSeconds: 30
timeoutSeconds: 10
failureThreshold: 3
readinessProbe:
httpGet:
path: /minio/health/ready
port: api
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 3
resources:
limits:
cpu: 500m
memory: 512Mi
requests:
cpu: 100m
memory: 128Mi
volumeMounts:
- name: data
mountPath: /data
- name: minio
image: minio/minio:latest
imagePullPolicy: IfNotPresent
command:
- minio
- server
- /data
- --console-address
- ":9001"
env:
- name: MINIO_ROOT_USER
valueFrom:
secretKeyRef:
name: outline-minio
key: root-user
- name: MINIO_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: outline-minio
key: root-password
ports:
- containerPort: 9000
name: api
protocol: TCP
- containerPort: 9001
name: console
protocol: TCP
livenessProbe:
httpGet:
path: /minio/health/live
port: api
initialDelaySeconds: 30
periodSeconds: 30
timeoutSeconds: 10
failureThreshold: 3
readinessProbe:
httpGet:
path: /minio/health/ready
port: api
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 3
resources:
limits:
cpu: 500m
memory: 512Mi
requests:
cpu: 100m
memory: 128Mi
volumeMounts:
- name: data
mountPath: /data
volumes:
- name: data
hostPath:
path: /mnt/4_hdd/data/outline/minio
type: DirectoryOrCreate
- name: data
hostPath:
path: /mnt/4_hdd/data/outline/minio
type: DirectoryOrCreate
---
apiVersion: v1
kind: Service
@@ -337,10 +337,10 @@ metadata:
spec:
type: ClusterIP
ports:
- name: http
port: 3000
protocol: TCP
targetPort: http
- name: http
port: 3000
protocol: TCP
targetPort: http
selector:
app.kubernetes.io/instance: outline
app.kubernetes.io/name: outline
@@ -356,10 +356,10 @@ metadata:
spec:
type: ClusterIP
ports:
- name: redis
port: 6379
protocol: TCP
targetPort: redis
- name: redis
port: 6379
protocol: TCP
targetPort: redis
selector:
app.kubernetes.io/instance: outline
app.kubernetes.io/name: redis
@@ -375,14 +375,14 @@ metadata:
spec:
type: ClusterIP
ports:
- name: api
port: 9000
protocol: TCP
targetPort: api
- name: console
port: 9001
protocol: TCP
targetPort: console
- name: api
port: 9000
protocol: TCP
targetPort: api
- name: console
port: 9001
protocol: TCP
targetPort: console
selector:
app.kubernetes.io/instance: outline
app.kubernetes.io/name: minio
@@ -399,7 +399,7 @@ metadata:
proxy_hide_header X-Frame-Options;
proxy_hide_header Content-Security-Policy;
add_header X-Frame-Options "ALLOW-FROM https://orsi.dooplex.hu" always;
if ($geoip2_city_country_code != "HU") {
if ($geoip2_country_code != "HU") {
return 403 "Access restricted to Hungary";
}
labels:
@@ -410,30 +410,30 @@ metadata:
spec:
ingressClassName: nginx-internal
rules:
- host: outline.dooplex.hu
http:
paths:
- backend:
service:
name: outline
port:
number: 3000
path: /
pathType: Prefix
- host: outline.home
http:
paths:
- backend:
service:
name: outline
port:
number: 3000
path: /
pathType: Prefix
- host: outline.dooplex.hu
http:
paths:
- backend:
service:
name: outline
port:
number: 3000
path: /
pathType: Prefix
- host: outline.home
http:
paths:
- backend:
service:
name: outline
port:
number: 3000
path: /
pathType: Prefix
tls:
- hosts:
- outline.dooplex.hu
secretName: outline-tls
- hosts:
- outline.dooplex.hu
secretName: outline-tls
---
# Add MinIO Ingress
apiVersion: networking.k8s.io/v1
@@ -450,20 +450,20 @@ metadata:
spec:
ingressClassName: nginx-internal
rules:
- host: outline-minio.dooplex.hu
http:
paths:
- backend:
service:
name: outline-minio
port:
number: 9000
path: /
pathType: Prefix
- host: outline-minio.dooplex.hu
http:
paths:
- backend:
service:
name: outline-minio
port:
number: 9000
path: /
pathType: Prefix
tls:
- hosts:
- outline-minio.dooplex.hu
secretName: outline-minio-tls
- hosts:
- outline-minio.dooplex.hu
secretName: outline-minio-tls
---
apiVersion: v1
kind: PersistentVolumeClaim
@@ -475,7 +475,7 @@ metadata:
namespace: outline-system
spec:
accessModes:
- ReadWriteOnce
- ReadWriteOnce
resources:
requests:
storage: 1Gi
+1 -1
@@ -344,7 +344,7 @@ metadata:
nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
nginx.ingress.kubernetes.io/configuration-snippet: |
if ($geoip2_city_country_code != "HU") {
if ($geoip2_country_code != "HU") {
return 403 "Access restricted to Hungary";
}
labels:
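Review bot: The country gate in this `configuration-snippet` depends on controller state that the manifest does not record. As far as I know, ingress-nginx only defines `$geoip2_country_code` when its GeoLite2-Country database is loaded, and a lookup that yields no country compares as `"" != "HU"` and is answered with 403, which presumably includes clients on private addresses. A comment above the annotation would spare the next reader the search, e.g. `# needs the controller's GeoLite2-Country DB; requests with no country match (e.g. LAN clients) also get 403`. The same snippet recurs in the other Ingress hunks on this page (plantit, privatebin, tandoor, uptimekuma, vaultwarden), and the metadata block continues outside this hunk.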
+204 -204
@@ -42,62 +42,62 @@ spec:
app.kubernetes.io/name: plantit-db
spec:
containers:
- name: mysql
image: mysql:8.0
env:
- name: MYSQL_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: plantit-db
key: root-password
- name: MYSQL_DATABASE
valueFrom:
secretKeyRef:
name: plantit-db
key: database
- name: MYSQL_USER
valueFrom:
secretKeyRef:
name: plantit-db
key: username
- name: MYSQL_PASSWORD
valueFrom:
secretKeyRef:
name: plantit-db
key: password
ports:
- containerPort: 3306
name: mysql
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 500m
memory: 512Mi
volumeMounts:
- name: data
mountPath: /var/lib/mysql
livenessProbe:
exec:
command:
- sh
- -c
- mysqladmin ping -u root -p$MYSQL_ROOT_PASSWORD
initialDelaySeconds: 30
periodSeconds: 10
readinessProbe:
exec:
command:
- sh
- -c
- mysqladmin ping -u root -p$MYSQL_ROOT_PASSWORD
initialDelaySeconds: 10
periodSeconds: 5
- name: mysql
image: mysql:8.0
env:
- name: MYSQL_ROOT_PASSWORD
valueFrom:
secretKeyRef:
name: plantit-db
key: root-password
- name: MYSQL_DATABASE
valueFrom:
secretKeyRef:
name: plantit-db
key: database
- name: MYSQL_USER
valueFrom:
secretKeyRef:
name: plantit-db
key: username
- name: MYSQL_PASSWORD
valueFrom:
secretKeyRef:
name: plantit-db
key: password
ports:
- containerPort: 3306
name: mysql
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 500m
memory: 512Mi
volumeMounts:
- name: data
mountPath: /var/lib/mysql
livenessProbe:
exec:
command:
- sh
- -c
- mysqladmin ping -u root -p$MYSQL_ROOT_PASSWORD
initialDelaySeconds: 30
periodSeconds: 10
readinessProbe:
exec:
command:
- sh
- -c
- mysqladmin ping -u root -p$MYSQL_ROOT_PASSWORD
initialDelaySeconds: 10
periodSeconds: 5
volumes:
- name: data
persistentVolumeClaim:
claimName: plantit-db
- name: data
persistentVolumeClaim:
claimName: plantit-db
---
apiVersion: apps/v1
kind: Deployment
@@ -120,18 +120,18 @@ spec:
app.kubernetes.io/name: plantit-cache
spec:
containers:
- name: redis
image: redis:7.2.1
ports:
- containerPort: 6379
name: redis
resources:
requests:
cpu: 50m
memory: 64Mi
limits:
cpu: 200m
memory: 128Mi
- name: redis
image: redis:7.2.1
ports:
- containerPort: 6379
name: redis
resources:
requests:
cpu: 50m
memory: 64Mi
limits:
cpu: 200m
memory: 128Mi
---
apiVersion: apps/v1
kind: Deployment
@@ -158,91 +158,91 @@ spec:
app.kubernetes.io/version: "1.0.0"
spec:
containers:
- name: plantit
image: msdeluise/plant-it-server:0.10.0
env:
# Database
- name: MYSQL_HOST
value: "plantit-db"
- name: MYSQL_PORT
value: "3306"
- name: MYSQL_DATABASE
valueFrom:
secretKeyRef:
name: plantit-db
key: database
- name: MYSQL_USERNAME
valueFrom:
secretKeyRef:
name: plantit-db
key: username
- name: MYSQL_PSW
valueFrom:
secretKeyRef:
name: plantit-db
key: password
# JWT
- name: JWT_SECRET
valueFrom:
secretKeyRef:
name: plantit-app
key: jwt-secret
- name: JWT_EXP
value: "1"
# Server config
- name: API_PORT
value: "8080"
- name: USERS_LIMIT
value: "-1"
- name: UPLOAD_DIR
value: "/upload-dir"
- name: LOG_LEVEL
value: "INFO"
- name: ALLOWED_ORIGINS
value: "*"
# Cache
- name: CACHE_TYPE
value: "redis"
- name: CACHE_TTL
value: "86400"
- name: CACHE_HOST
value: "plantit-cache"
- name: CACHE_PORT
value: "6379"
# FloraCodex API key (optional)
- name: FLORACODEX_KEY
value: ""
ports:
- containerPort: 8080
name: api
- containerPort: 3000
name: frontend
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 500m
memory: 512Mi
volumeMounts:
- name: uploads
mountPath: /upload-dir
readinessProbe:
tcpSocket:
port: 8080
initialDelaySeconds: 90
periodSeconds: 10
failureThreshold: 6
livenessProbe:
tcpSocket:
port: 8080
initialDelaySeconds: 120
periodSeconds: 30
failureThreshold: 5
- name: plantit
image: msdeluise/plant-it-server:0.10.0
env:
# Database
- name: MYSQL_HOST
value: "plantit-db"
- name: MYSQL_PORT
value: "3306"
- name: MYSQL_DATABASE
valueFrom:
secretKeyRef:
name: plantit-db
key: database
- name: MYSQL_USERNAME
valueFrom:
secretKeyRef:
name: plantit-db
key: username
- name: MYSQL_PSW
valueFrom:
secretKeyRef:
name: plantit-db
key: password
# JWT
- name: JWT_SECRET
valueFrom:
secretKeyRef:
name: plantit-app
key: jwt-secret
- name: JWT_EXP
value: "1"
# Server config
- name: API_PORT
value: "8080"
- name: USERS_LIMIT
value: "-1"
- name: UPLOAD_DIR
value: "/upload-dir"
- name: LOG_LEVEL
value: "INFO"
- name: ALLOWED_ORIGINS
value: "*"
# Cache
- name: CACHE_TYPE
value: "redis"
- name: CACHE_TTL
value: "86400"
- name: CACHE_HOST
value: "plantit-cache"
- name: CACHE_PORT
value: "6379"
# FloraCodex API key (optional)
- name: FLORACODEX_KEY
value: ""
ports:
- containerPort: 8080
name: api
- containerPort: 3000
name: frontend
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 500m
memory: 512Mi
volumeMounts:
- name: uploads
mountPath: /upload-dir
readinessProbe:
tcpSocket:
port: 8080
initialDelaySeconds: 90
periodSeconds: 10
failureThreshold: 6
livenessProbe:
tcpSocket:
port: 8080
initialDelaySeconds: 120
periodSeconds: 30
failureThreshold: 5
volumes:
- name: uploads
persistentVolumeClaim:
claimName: plantit-uploads
- name: uploads
persistentVolumeClaim:
claimName: plantit-uploads
---
apiVersion: v1
kind: Service
@@ -255,9 +255,9 @@ metadata:
spec:
type: ClusterIP
ports:
- name: mysql
port: 3306
targetPort: mysql
- name: mysql
port: 3306
targetPort: mysql
selector:
app.kubernetes.io/instance: plantit
app.kubernetes.io/name: plantit-db
@@ -273,9 +273,9 @@ metadata:
spec:
type: ClusterIP
ports:
- name: redis
port: 6379
targetPort: redis
- name: redis
port: 6379
targetPort: redis
selector:
app.kubernetes.io/instance: plantit
app.kubernetes.io/name: plantit-cache
@@ -291,12 +291,12 @@ metadata:
spec:
type: ClusterIP
ports:
- name: frontend
port: 3000
targetPort: frontend
- name: api
port: 8080
targetPort: api
- name: frontend
port: 3000
targetPort: frontend
- name: api
port: 8080
targetPort: api
selector:
app.kubernetes.io/instance: plantit
app.kubernetes.io/name: plantit
@@ -321,50 +321,50 @@ metadata:
nginx.ingress.kubernetes.io/auth-snippet: |
proxy_set_header X-Forwarded-Host $http_host;
nginx.ingress.kubernetes.io/configuration-snippet: |
if ($geoip2_city_country_code != "HU") {
if ($geoip2_country_code != "HU") {
return 403 "Access restricted to Hungary";
}
spec:
ingressClassName: nginx-internal
rules:
- host: plantit.dooplex.hu
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: plantit
port:
number: 3000
- path: /api
pathType: Prefix
backend:
service:
name: plantit
port:
number: 8080
- host: plantit.home
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: plantit
port:
number: 3000
- path: /api
pathType: Prefix
backend:
service:
name: plantit
port:
number: 8080
- host: plantit.dooplex.hu
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: plantit
port:
number: 3000
- path: /api
pathType: Prefix
backend:
service:
name: plantit
port:
number: 8080
- host: plantit.home
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: plantit
port:
number: 3000
- path: /api
pathType: Prefix
backend:
service:
name: plantit
port:
number: 8080
tls:
- hosts:
- plantit.dooplex.hu
secretName: plantit-tls
- hosts:
- plantit.dooplex.hu
secretName: plantit-tls
---
apiVersion: v1
kind: PersistentVolumeClaim
@@ -378,7 +378,7 @@ metadata:
recurring-job.longhorn.io/source: enabled
spec:
accessModes:
- ReadWriteOnce
- ReadWriteOnce
storageClassName: longhorn
resources:
requests:
@@ -396,8 +396,8 @@ metadata:
recurring-job.longhorn.io/source: enabled
spec:
accessModes:
- ReadWriteOnce
- ReadWriteOnce
storageClassName: longhorn
resources:
requests:
storage: 5Gi
storage: 5Gi
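Review bot: Both probes of the `mysql` container run `mysqladmin ping -u root -p$MYSQL_ROOT_PASSWORD`, so the shell expands the root password into the argument list of a process that is started every few seconds, where it can be read by anything able to list processes in the container or on the node. To my knowledge `mysqladmin ping` exits 0 whenever the server answers, even on "Access denied", so the credentials add nothing to the health signal. The `command` entry in the liveness and readiness probes could be just `- mysqladmin ping`, which keeps the password out of the probe entirely.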
+2 -2
@@ -372,7 +372,7 @@ metadata:
nginx.ingress.kubernetes.io/proxy-buffers-number: "4"
nginx.ingress.kubernetes.io/proxy-busy-buffers-size: "32k"
nginx.ingress.kubernetes.io/configuration-snippet: |
if ($geoip2_city_country_code != "HU") {
if ($geoip2_country_code != "HU") {
return 403 "Access restricted to Hungary";
}
spec:
@@ -404,7 +404,7 @@ spec:
number: 80
#
# 3. ALTERNATIVE: Use existing outpost
# If you want to use an existing outpost (like arr-outpost),
# If you want to use an existing outpost (like arr-outpost),
# just add privatebin.dooplex.hu to that outpost's applications
# and update the auth-url to point to that outpost.
---
File diff suppressed because it is too large Load Diff
+193 -193
@@ -29,172 +29,172 @@ spec:
app.kubernetes.io/version: 2.3.6
spec:
initContainers:
- name: create-superuser
image: vabene1111/recipes:2.3.6
workingDir: /opt/recipes
command:
- /bin/sh
- -c
- |
. /opt/recipes/venv/bin/activate
echo "Waiting for database..."
while ! python -c "import socket; socket.create_connection(('postgresql-rw.database-system.svc.cluster.local', 5432), timeout=5)" 2>/dev/null; do
sleep 2
done
echo "Database is ready. Running migrations..."
python manage.py migrate --noinput
echo "Collecting static files..."
python manage.py collectstatic --noinput
echo "Creating superuser if not exists..."
python manage.py shell -c "
from django.contrib.auth import get_user_model
User = get_user_model()
import os
username = os.environ.get('DJANGO_SUPERUSER_USERNAME', 'admin')
if not User.objects.filter(username=username).exists():
User.objects.create_superuser(
username=username,
email=os.environ.get('DJANGO_SUPERUSER_EMAIL', ''),
password=os.environ.get('DJANGO_SUPERUSER_PASSWORD', 'admin')
)
print(f'Superuser {username} created successfully')
else:
print(f'Superuser {username} already exists')
"
volumeMounts:
- name: staticfiles
mountPath: /opt/recipes/staticfiles
env:
- name: DB_ENGINE
value: django.db.backends.postgresql
# Database - using shared PostgreSQL in database-system namespace
- name: POSTGRES_HOST
value: postgresql-rw.database-system.svc.cluster.local
- name: POSTGRES_PORT
value: "5432"
- name: POSTGRES_DB
value: tandoor
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
name: tandoor-db
key: username
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: tandoor-db
key: password
- name: SECRET_KEY
valueFrom:
secretKeyRef:
name: tandoor-app
key: secret-key
- name: DJANGO_SUPERUSER_USERNAME
valueFrom:
secretKeyRef:
name: tandoor-admin
key: username
- name: DJANGO_SUPERUSER_PASSWORD
valueFrom:
secretKeyRef:
name: tandoor-admin
key: password
- name: DJANGO_SUPERUSER_EMAIL
valueFrom:
secretKeyRef:
name: tandoor-admin
key: email
- name: create-superuser
image: vabene1111/recipes:2.3.6
workingDir: /opt/recipes
command:
- /bin/sh
- -c
- |
. /opt/recipes/venv/bin/activate
echo "Waiting for database..."
while ! python -c "import socket; socket.create_connection(('postgresql-rw.database-system.svc.cluster.local', 5432), timeout=5)" 2>/dev/null; do
sleep 2
done
echo "Database is ready. Running migrations..."
python manage.py migrate --noinput
echo "Collecting static files..."
python manage.py collectstatic --noinput
echo "Creating superuser if not exists..."
python manage.py shell -c "
from django.contrib.auth import get_user_model
User = get_user_model()
import os
username = os.environ.get('DJANGO_SUPERUSER_USERNAME', 'admin')
if not User.objects.filter(username=username).exists():
User.objects.create_superuser(
username=username,
email=os.environ.get('DJANGO_SUPERUSER_EMAIL', ''),
password=os.environ.get('DJANGO_SUPERUSER_PASSWORD', 'admin')
)
print(f'Superuser {username} created successfully')
else:
print(f'Superuser {username} already exists')
"
volumeMounts:
- name: staticfiles
mountPath: /opt/recipes/staticfiles
env:
- name: DB_ENGINE
value: django.db.backends.postgresql
# Database - using shared PostgreSQL in database-system namespace
- name: POSTGRES_HOST
value: postgresql-rw.database-system.svc.cluster.local
- name: POSTGRES_PORT
value: "5432"
- name: POSTGRES_DB
value: tandoor
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
name: tandoor-db
key: username
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: tandoor-db
key: password
- name: SECRET_KEY
valueFrom:
secretKeyRef:
name: tandoor-app
key: secret-key
- name: DJANGO_SUPERUSER_USERNAME
valueFrom:
secretKeyRef:
name: tandoor-admin
key: username
- name: DJANGO_SUPERUSER_PASSWORD
valueFrom:
secretKeyRef:
name: tandoor-admin
key: password
- name: DJANGO_SUPERUSER_EMAIL
valueFrom:
secretKeyRef:
name: tandoor-admin
key: email
containers:
- name: tandoor
image: vabene1111/recipes:2.3.6
imagePullPolicy: IfNotPresent
env:
- name: TZ
value: Europe/Budapest
- name: DEBUG
value: "0"
- name: ALLOWED_HOSTS
value: "*"
- name: CSRF_TRUSTED_ORIGINS
value: "https://tandoor.dooplex.hu,https://tandoor.home"
- name: SECURE_PROXY_SSL_HEADER
value: "HTTP_X_FORWARDED_PROTO,https"
- name: DB_ENGINE
value: django.db.backends.postgresql
# Database - using shared PostgreSQL in database-system namespace
- name: POSTGRES_HOST
value: postgresql-rw.database-system.svc.cluster.local
- name: POSTGRES_PORT
value: "5432"
- name: POSTGRES_DB
value: tandoor
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
name: tandoor-db
key: username
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: tandoor-db
key: password
- name: SECRET_KEY
valueFrom:
secretKeyRef:
name: tandoor-app
key: secret-key
- name: GUNICORN_MEDIA
value: "1"
- name: ENABLE_SIGNUP
value: "0"
- name: ENABLE_METRICS
value: "1"
- name: TANDOOR_PORT
value: "8080"
- name: SOCIAL_PROVIDERS
value: "allauth.socialaccount.providers.openid_connect"
- name: SOCIALACCOUNT_PROVIDERS
value: '{"openid_connect":{"APPS":[{"provider_id":"authentik","name":"authentik","client_id":"y7Mv9stcPZYAGz5QQyzFO9KBFjXHG6OWhLNWPMHL","secret":"tSbRKbfnUigzibKaJpAAwJoF8JLXazssydS6WLoAGCD3hGqZ3ceK5SUvSAEcncQCImZaMmsepO3zwfgIO3huA4GRCHS5NzLGm0L2Ifz60PGKW0htr54u12pWOUBJc6dG","settings":{"server_url":"https://authentik.dooplex.hu/application/o/tandoor/.well-known/openid-configuration"}}]}}'
ports:
- containerPort: 8080
name: http
protocol: TCP
livenessProbe:
httpGet:
path: /
port: http
initialDelaySeconds: 60
periodSeconds: 30
timeoutSeconds: 10
failureThreshold: 5
readinessProbe:
httpGet:
path: /
port: http
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 3
resources:
limits:
cpu: "1"
memory: 1Gi
requests:
cpu: 100m
memory: 256Mi
volumeMounts:
- name: staticfiles
mountPath: /opt/recipes/staticfiles
- name: mediafiles
mountPath: /opt/recipes/mediafiles
- name: tandoor
image: vabene1111/recipes:2.3.6
imagePullPolicy: IfNotPresent
env:
- name: TZ
value: Europe/Budapest
- name: DEBUG
value: "0"
- name: ALLOWED_HOSTS
value: "*"
- name: CSRF_TRUSTED_ORIGINS
value: "https://tandoor.dooplex.hu,https://tandoor.home"
- name: SECURE_PROXY_SSL_HEADER
value: "HTTP_X_FORWARDED_PROTO,https"
- name: DB_ENGINE
value: django.db.backends.postgresql
# Database - using shared PostgreSQL in database-system namespace
- name: POSTGRES_HOST
value: postgresql-rw.database-system.svc.cluster.local
- name: POSTGRES_PORT
value: "5432"
- name: POSTGRES_DB
value: tandoor
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
name: tandoor-db
key: username
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: tandoor-db
key: password
- name: SECRET_KEY
valueFrom:
secretKeyRef:
name: tandoor-app
key: secret-key
- name: GUNICORN_MEDIA
value: "1"
- name: ENABLE_SIGNUP
value: "0"
- name: ENABLE_METRICS
value: "1"
- name: TANDOOR_PORT
value: "8080"
- name: SOCIAL_PROVIDERS
value: "allauth.socialaccount.providers.openid_connect"
- name: SOCIALACCOUNT_PROVIDERS
value: '{"openid_connect":{"APPS":[{"provider_id":"authentik","name":"authentik","client_id":"y7Mv9stcPZYAGz5QQyzFO9KBFjXHG6OWhLNWPMHL","secret":"tSbRKbfnUigzibKaJpAAwJoF8JLXazssydS6WLoAGCD3hGqZ3ceK5SUvSAEcncQCImZaMmsepO3zwfgIO3huA4GRCHS5NzLGm0L2Ifz60PGKW0htr54u12pWOUBJc6dG","settings":{"server_url":"https://authentik.dooplex.hu/application/o/tandoor/.well-known/openid-configuration"}}]}}'
ports:
- containerPort: 8080
name: http
protocol: TCP
livenessProbe:
httpGet:
path: /
port: http
initialDelaySeconds: 60
periodSeconds: 30
timeoutSeconds: 10
failureThreshold: 5
readinessProbe:
httpGet:
path: /
port: http
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 3
resources:
limits:
cpu: "1"
memory: 1Gi
requests:
cpu: 100m
memory: 256Mi
volumeMounts:
- name: staticfiles
mountPath: /opt/recipes/staticfiles
- name: mediafiles
mountPath: /opt/recipes/mediafiles
volumes:
- name: staticfiles
persistentVolumeClaim:
claimName: tandoor-staticfiles
- name: mediafiles
hostPath:
path: /mnt/4_hdd/data/tandoor/mediafiles
type: DirectoryOrCreate
- name: staticfiles
persistentVolumeClaim:
claimName: tandoor-staticfiles
- name: mediafiles
hostPath:
path: /mnt/4_hdd/data/tandoor/mediafiles
type: DirectoryOrCreate
---
apiVersion: v1
kind: Service
@@ -208,10 +208,10 @@ metadata:
spec:
type: ClusterIP
ports:
- name: http
port: 8080
protocol: TCP
targetPort: http
- name: http
port: 8080
protocol: TCP
targetPort: http
selector:
app.kubernetes.io/instance: tandoor
app.kubernetes.io/name: tandoor
@@ -225,7 +225,7 @@ metadata:
nginx.ingress.kubernetes.io/proxy-body-size: 128m
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/configuration-snippet: |
if ($geoip2_city_country_code != "HU") {
if ($geoip2_country_code != "HU") {
return 403 "Access restricted to Hungary";
}
labels:
@@ -236,30 +236,30 @@ metadata:
spec:
ingressClassName: nginx-internal
rules:
- host: tandoor.dooplex.hu
http:
paths:
- backend:
service:
name: tandoor
port:
number: 8080
path: /
pathType: Prefix
- host: tandoor.home
http:
paths:
- backend:
service:
name: tandoor
port:
number: 8080
path: /
pathType: Prefix
- host: tandoor.dooplex.hu
http:
paths:
- backend:
service:
name: tandoor
port:
number: 8080
path: /
pathType: Prefix
- host: tandoor.home
http:
paths:
- backend:
service:
name: tandoor
port:
number: 8080
path: /
pathType: Prefix
tls:
- hosts:
- tandoor.dooplex.hu
secretName: tandoor-tls
- hosts:
- tandoor.dooplex.hu
secretName: tandoor-tls
---
apiVersion: v1
kind: PersistentVolumeClaim
@@ -271,7 +271,7 @@ metadata:
namespace: tandoor-system
spec:
accessModes:
- ReadWriteOnce
- ReadWriteOnce
resources:
requests:
storage: 1Gi
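Review bot: The `SOCIALACCOUNT_PROVIDERS` value in the `tandoor` container carries the authentik OIDC `client_id` and `secret` inline, so the client secret sits in the repository in plain text while every other credential in this section comes from a `secretKeyRef`. It should be treated as disclosed: rotate it in authentik and move the whole JSON document into a Secret, as sketched below with placeholder names. Re-indenting the line does not remove the value from earlier commits, so rotation is needed regardless of how the manifest is changed.

```yaml
# … unchanged: preceding env entries of the tandoor container …
- name: SOCIALACCOUNT_PROVIDERS
  valueFrom:
    secretKeyRef:
      name: <oidc-secret-name>  # placeholder: Secret holding the provider JSON
      key: <key-name>           # placeholder
```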
+1 -1
@@ -120,7 +120,7 @@ metadata:
nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
nginx.ingress.kubernetes.io/configuration-snippet: |
if ($geoip2_city_country_code != "HU") {
if ($geoip2_country_code != "HU") {
return 403 "Access restricted to Hungary";
}
spec:
+70 -70
@@ -29,48 +29,48 @@ spec:
app.kubernetes.io/version: 2.0.2
spec:
containers:
- name: uptimekuma
image: louislam/uptime-kuma:2.0.2
imagePullPolicy: IfNotPresent
env:
- name: TZ
value: Europe/Budapest
- name: UPTIME_KUMA_PORT
value: "3001"
ports:
- containerPort: 3001
name: http
protocol: TCP
livenessProbe:
httpGet:
path: /
port: http
initialDelaySeconds: 30
periodSeconds: 30
timeoutSeconds: 10
failureThreshold: 3
readinessProbe:
httpGet:
path: /
port: http
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 3
resources:
limits:
cpu: 500m
memory: 512Mi
requests:
cpu: 50m
memory: 128Mi
volumeMounts:
- name: data
mountPath: /app/data
- name: uptimekuma
image: louislam/uptime-kuma:2.0.2
imagePullPolicy: IfNotPresent
env:
- name: TZ
value: Europe/Budapest
- name: UPTIME_KUMA_PORT
value: "3001"
ports:
- containerPort: 3001
name: http
protocol: TCP
livenessProbe:
httpGet:
path: /
port: http
initialDelaySeconds: 30
periodSeconds: 30
timeoutSeconds: 10
failureThreshold: 3
readinessProbe:
httpGet:
path: /
port: http
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 3
resources:
limits:
cpu: 500m
memory: 512Mi
requests:
cpu: 50m
memory: 128Mi
volumeMounts:
- name: data
mountPath: /app/data
volumes:
- name: data
persistentVolumeClaim:
claimName: uptimekuma-data
- name: data
persistentVolumeClaim:
claimName: uptimekuma-data
---
apiVersion: v1
kind: Service
@@ -84,10 +84,10 @@ metadata:
spec:
type: ClusterIP
ports:
- name: http
port: 3001
protocol: TCP
targetPort: http
- name: http
port: 3001
protocol: TCP
targetPort: http
selector:
app.kubernetes.io/instance: uptimekuma
app.kubernetes.io/name: uptimekuma
@@ -110,7 +110,7 @@ metadata:
nginx.ingress.kubernetes.io/auth-snippet: |
proxy_set_header X-Forwarded-Host $http_host;
nginx.ingress.kubernetes.io/configuration-snippet: |
if ($geoip2_city_country_code != "HU") {
if ($geoip2_country_code != "HU") {
return 403 "Access restricted to Hungary";
}
labels:
@@ -121,30 +121,30 @@ metadata:
spec:
ingressClassName: nginx-internal
rules:
- host: uptimekuma.dooplex.hu
http:
paths:
- backend:
service:
name: uptimekuma
port:
number: 3001
path: /
pathType: Prefix
- host: uptimekuma.home
http:
paths:
- backend:
service:
name: uptimekuma
port:
number: 3001
path: /
pathType: Prefix
- host: uptimekuma.dooplex.hu
http:
paths:
- backend:
service:
name: uptimekuma
port:
number: 3001
path: /
pathType: Prefix
- host: uptimekuma.home
http:
paths:
- backend:
service:
name: uptimekuma
port:
number: 3001
path: /
pathType: Prefix
tls:
- hosts:
- uptimekuma.dooplex.hu
secretName: uptimekuma-tls
- hosts:
- uptimekuma.dooplex.hu
secretName: uptimekuma-tls
---
apiVersion: v1
kind: PersistentVolumeClaim
@@ -156,7 +156,7 @@ metadata:
namespace: uptimekuma-system
spec:
accessModes:
- ReadWriteOnce
- ReadWriteOnce
resources:
requests:
storage: 5Gi
+134 -134
@@ -27,112 +27,112 @@ spec:
app.kubernetes.io/name: vaultwarden
spec:
containers:
- name: vaultwarden
image: vaultwarden/server:1.35.2
imagePullPolicy: IfNotPresent
env:
- name: TZ
value: Europe/Budapest
- name: DOMAIN
value: https://vaultwarden.dooplex.hu
- name: SIGNUPS_ALLOWED
value: "false"
- name: INVITATIONS_ALLOWED
value: "true"
- name: ADMIN_TOKEN
valueFrom:
secretKeyRef:
name: vaultwarden-admin
key: admin-token
- name: WEBSOCKET_ENABLED
value: "true"
- name: SMTP_HOST
valueFrom:
secretKeyRef:
name: smtp-credentials
key: host
- name: SMTP_PORT
valueFrom:
secretKeyRef:
name: smtp-credentials
key: port
- name: SMTP_SECURITY
value: starttls
- name: SMTP_USERNAME
valueFrom:
secretKeyRef:
name: smtp-credentials
key: username
- name: SMTP_PASSWORD
valueFrom:
secretKeyRef:
name: smtp-credentials
key: password
- name: SMTP_FROM
valueFrom:
secretKeyRef:
name: smtp-credentials
key: from-address
- name: SMTP_FROM_NAME
value: Vaultwarden
- name: SSO_ENABLED
value: "true"
- name: SSO_AUTHORITY
value: "https://authentik.dooplex.hu/application/o/vaultwarden/"
- name: SSO_CLIENT_ID
valueFrom:
secretKeyRef:
name: vaultwarden-oauth
key: client-id
- name: SSO_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: vaultwarden-oauth
key: client-secret
- name: SSO_SCOPES
value: "openid email profile offline_access"
- name: SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION
value: "false"
- name: SSO_CLIENT_CACHE_EXPIRATION
value: "0"
- name: SSO_ONLY
value: "false" # Set to true to disable email+password login
- name: SSO_SIGNUPS_MATCH_EMAIL
value: "true"
ports:
- containerPort: 80
name: http
protocol: TCP
livenessProbe:
httpGet:
path: /alive
port: http
initialDelaySeconds: 30
periodSeconds: 30
timeoutSeconds: 10
failureThreshold: 3
readinessProbe:
httpGet:
path: /alive
port: http
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 3
resources:
limits:
cpu: 500m
memory: 512Mi
requests:
cpu: 50m
memory: 128Mi
volumeMounts:
- name: data
mountPath: /data
- name: vaultwarden
image: vaultwarden/server:1.35.2
imagePullPolicy: IfNotPresent
env:
- name: TZ
value: Europe/Budapest
- name: DOMAIN
value: https://vaultwarden.dooplex.hu
- name: SIGNUPS_ALLOWED
value: "false"
- name: INVITATIONS_ALLOWED
value: "true"
- name: ADMIN_TOKEN
valueFrom:
secretKeyRef:
name: vaultwarden-admin
key: admin-token
- name: WEBSOCKET_ENABLED
value: "true"
- name: SMTP_HOST
valueFrom:
secretKeyRef:
name: smtp-credentials
key: host
- name: SMTP_PORT
valueFrom:
secretKeyRef:
name: smtp-credentials
key: port
- name: SMTP_SECURITY
value: starttls
- name: SMTP_USERNAME
valueFrom:
secretKeyRef:
name: smtp-credentials
key: username
- name: SMTP_PASSWORD
valueFrom:
secretKeyRef:
name: smtp-credentials
key: password
- name: SMTP_FROM
valueFrom:
secretKeyRef:
name: smtp-credentials
key: from-address
- name: SMTP_FROM_NAME
value: Vaultwarden
- name: SSO_ENABLED
value: "true"
- name: SSO_AUTHORITY
value: "https://authentik.dooplex.hu/application/o/vaultwarden/"
- name: SSO_CLIENT_ID
valueFrom:
secretKeyRef:
name: vaultwarden-oauth
key: client-id
- name: SSO_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: vaultwarden-oauth
key: client-secret
- name: SSO_SCOPES
value: "openid email profile offline_access"
- name: SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION
value: "false"
- name: SSO_CLIENT_CACHE_EXPIRATION
value: "0"
- name: SSO_ONLY
value: "false" # Set to true to disable email+password login
- name: SSO_SIGNUPS_MATCH_EMAIL
value: "true"
ports:
- containerPort: 80
name: http
protocol: TCP
livenessProbe:
httpGet:
path: /alive
port: http
initialDelaySeconds: 30
periodSeconds: 30
timeoutSeconds: 10
failureThreshold: 3
readinessProbe:
httpGet:
path: /alive
port: http
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 3
resources:
limits:
cpu: 500m
memory: 512Mi
requests:
cpu: 50m
memory: 128Mi
volumeMounts:
- name: data
mountPath: /data
volumes:
- name: data
persistentVolumeClaim:
claimName: vaultwarden-data
- name: data
persistentVolumeClaim:
claimName: vaultwarden-data
---
apiVersion: v1
kind: Service
@@ -145,10 +145,10 @@ metadata:
spec:
type: ClusterIP
ports:
- name: http
port: 80
protocol: TCP
targetPort: http
- name: http
port: 80
protocol: TCP
targetPort: http
selector:
app.kubernetes.io/instance: vaultwarden
app.kubernetes.io/name: vaultwarden
@@ -162,7 +162,7 @@ metadata:
nginx.ingress.kubernetes.io/proxy-body-size: 100m
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/configuration-snippet: |
if ($geoip2_city_country_code != "HU") {
if ($geoip2_country_code != "HU") {
return 403 "Access restricted to Hungary";
}
labels:
@@ -173,30 +173,30 @@ metadata:
spec:
ingressClassName: nginx-internal
rules:
- host: vaultwarden.dooplex.hu
http:
paths:
- backend:
service:
name: vaultwarden
port:
number: 80
path: /
pathType: Prefix
- host: vaultwarden.home
http:
paths:
- backend:
service:
name: vaultwarden
port:
number: 80
path: /
pathType: Prefix
- host: vaultwarden.dooplex.hu
http:
paths:
- backend:
service:
name: vaultwarden
port:
number: 80
path: /
pathType: Prefix
- host: vaultwarden.home
http:
paths:
- backend:
service:
name: vaultwarden
port:
number: 80
path: /
pathType: Prefix
tls:
- hosts:
- vaultwarden.dooplex.hu
secretName: vaultwarden-tls
- hosts:
- vaultwarden.dooplex.hu
secretName: vaultwarden-tls
---
apiVersion: v1
kind: PersistentVolumeClaim
@@ -208,7 +208,7 @@ metadata:
namespace: vaultwarden-system
spec:
accessModes:
- ReadWriteOnce
- ReadWriteOnce
resources:
requests:
storage: 5Gi
+138 -138
@@ -56,47 +56,47 @@ spec:
app.kubernetes.io/name: wanderer-meilisearch
spec:
containers:
- name: meilisearch
image: getmeili/meilisearch:v1.11.3
env:
- name: MEILI_MASTER_KEY
valueFrom:
secretKeyRef:
name: wanderer-app
key: meili-master-key
- name: MEILI_ENV
value: "production"
- name: MEILI_NO_ANALYTICS
value: "true"
ports:
- containerPort: 7700
name: http
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 500m
memory: 512Mi
volumeMounts:
- name: meili-data
mountPath: /meili_data
livenessProbe:
httpGet:
path: /health
port: http
initialDelaySeconds: 30
periodSeconds: 30
readinessProbe:
httpGet:
path: /health
port: http
initialDelaySeconds: 10
periodSeconds: 10
- name: meilisearch
image: getmeili/meilisearch:v1.11.3
env:
- name: MEILI_MASTER_KEY
valueFrom:
secretKeyRef:
name: wanderer-app
key: meili-master-key
- name: MEILI_ENV
value: "production"
- name: MEILI_NO_ANALYTICS
value: "true"
ports:
- containerPort: 7700
name: http
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 500m
memory: 512Mi
volumeMounts:
- name: meili-data
mountPath: /meili_data
livenessProbe:
httpGet:
path: /health
port: http
initialDelaySeconds: 30
periodSeconds: 30
readinessProbe:
httpGet:
path: /health
port: http
initialDelaySeconds: 10
periodSeconds: 10
volumes:
- name: meili-data
persistentVolumeClaim:
claimName: wanderer-meilisearch
- name: meili-data
persistentVolumeClaim:
claimName: wanderer-meilisearch
---
apiVersion: apps/v1
kind: Deployment
@@ -121,52 +121,52 @@ spec:
app.kubernetes.io/name: wanderer-db
spec:
containers:
- name: pocketbase
image: flomp/wanderer-db:v0.18.3
env:
- name: ORIGIN
value: "https://wanderer.dooplex.hu"
- name: MEILI_URL
value: "http://wanderer-meilisearch:7700"
- name: MEILI_MASTER_KEY
valueFrom:
secretKeyRef:
name: wanderer-app
key: meili-master-key
- name: POCKETBASE_ENCRYPTION_KEY
valueFrom:
secretKeyRef:
name: wanderer-app
key: pocketbase-encryption-key
ports:
- containerPort: 8090
name: http
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 500m
memory: 512Mi
volumeMounts:
- name: pb-data
mountPath: /pb_data
livenessProbe:
httpGet:
path: /api/health
port: http
initialDelaySeconds: 30
periodSeconds: 30
readinessProbe:
httpGet:
path: /api/health
port: http
initialDelaySeconds: 10
periodSeconds: 10
- name: pocketbase
image: flomp/wanderer-db:v0.18.3
env:
- name: ORIGIN
value: "https://wanderer.dooplex.hu"
- name: MEILI_URL
value: "http://wanderer-meilisearch:7700"
- name: MEILI_MASTER_KEY
valueFrom:
secretKeyRef:
name: wanderer-app
key: meili-master-key
- name: POCKETBASE_ENCRYPTION_KEY
valueFrom:
secretKeyRef:
name: wanderer-app
key: pocketbase-encryption-key
ports:
- containerPort: 8090
name: http
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 500m
memory: 512Mi
volumeMounts:
- name: pb-data
mountPath: /pb_data
livenessProbe:
httpGet:
path: /api/health
port: http
initialDelaySeconds: 30
periodSeconds: 30
readinessProbe:
httpGet:
path: /api/health
port: http
initialDelaySeconds: 10
periodSeconds: 10
volumes:
- name: pb-data
persistentVolumeClaim:
claimName: wanderer-db
- name: pb-data
persistentVolumeClaim:
claimName: wanderer-db
---
apiVersion: apps/v1
kind: Deployment
@@ -191,46 +191,46 @@ spec:
app.kubernetes.io/name: wanderer-web
spec:
containers:
- name: wanderer-web
image: flomp/wanderer-web:v0.18.3
env:
- name: NODE_TLS_REJECT_UNAUTHORIZED
value: "0"
- name: NODE_OPTIONS
value: "--max-old-space-size=7168"
- name: ORIGIN
value: "https://wanderer.dooplex.hu"
- name: POCKETBASE_URL
value: "http://wanderer-db:8090"
- name: PUBLIC_POCKETBASE_URL
value: "https://pb.wanderer.dooplex.hu"
- name: MEILI_URL
value: "http://wanderer-meilisearch:7700"
- name: MEILI_MASTER_KEY
valueFrom:
secretKeyRef:
name: wanderer-app
key: meili-master-key
- name: PUBLIC_DISABLE_SIGNUP
value: "true"
- name: BODY_SIZE_LIMIT
value: "Infinity"
ports:
- containerPort: 3000
name: http
resources:
requests:
cpu: 50m
memory: 64Mi
limits:
memory: 8Gi
readinessProbe:
tcpSocket:
port: 3000
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 1
failureThreshold: 3
- name: wanderer-web
image: flomp/wanderer-web:v0.18.3
env:
- name: NODE_TLS_REJECT_UNAUTHORIZED
value: "0"
- name: NODE_OPTIONS
value: "--max-old-space-size=7168"
- name: ORIGIN
value: "https://wanderer.dooplex.hu"
- name: POCKETBASE_URL
value: "http://wanderer-db:8090"
- name: PUBLIC_POCKETBASE_URL
value: "https://pb.wanderer.dooplex.hu"
- name: MEILI_URL
value: "http://wanderer-meilisearch:7700"
- name: MEILI_MASTER_KEY
valueFrom:
secretKeyRef:
name: wanderer-app
key: meili-master-key
- name: PUBLIC_DISABLE_SIGNUP
value: "true"
- name: BODY_SIZE_LIMIT
value: "Infinity"
ports:
- containerPort: 3000
name: http
resources:
requests:
cpu: 50m
memory: 64Mi
limits:
memory: 8Gi
readinessProbe:
tcpSocket:
port: 3000
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 1
failureThreshold: 3
---
apiVersion: v1
kind: Service
@@ -243,9 +243,9 @@ metadata:
spec:
type: ClusterIP
ports:
- name: http
port: 7700
targetPort: http
- name: http
port: 7700
targetPort: http
selector:
app.kubernetes.io/instance: wanderer
app.kubernetes.io/name: wanderer-meilisearch
@@ -261,9 +261,9 @@ metadata:
spec:
type: ClusterIP
ports:
- name: http
port: 8090
targetPort: http
- name: http
port: 8090
targetPort: http
selector:
app.kubernetes.io/instance: wanderer
app.kubernetes.io/name: wanderer-db
@@ -279,9 +279,9 @@ metadata:
spec:
type: ClusterIP
ports:
- name: http
port: 3000
targetPort: http
- name: http
port: 3000
targetPort: http
selector:
app.kubernetes.io/instance: wanderer
app.kubernetes.io/name: wanderer-web
@@ -298,7 +298,7 @@ metadata:
# optional, only if you actually use external-dns:
external-dns.alpha.kubernetes.io/hostname: wanderer.dooplex.hu
nginx.ingress.kubernetes.io/configuration-snippet: |
if ($geoip2_city_country_code != "HU") {
if ($geoip2_country_code != "HU") {
return 403 "Access restricted to Hungary";
}
spec:
@@ -360,7 +360,7 @@ metadata:
recurring-job.longhorn.io/source: enabled
spec:
accessModes:
- ReadWriteOnce
- ReadWriteOnce
storageClassName: longhorn
resources:
requests:
@@ -378,8 +378,8 @@ metadata:
recurring-job.longhorn.io/source: enabled
spec:
accessModes:
- ReadWriteOnce
- ReadWriteOnce
storageClassName: longhorn
resources:
requests:
storage: 5Gi
storage: 5Gi
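Review bot: The `wanderer-web` container still sets `NODE_TLS_REJECT_UNAUTHORIZED` to `"0"`, which turns off certificate verification for every outbound TLS connection the Node process makes, and the re-indented Deployment carries that setting forward unchanged. If the reason is an internally issued certificate, I would drop the variable and point `NODE_EXTRA_CA_CERTS` at a mounted CA bundle instead, e.g. `- name: NODE_EXTRA_CA_CERTS` with `value: /etc/ssl/custom/ca.crt` (the path is a placeholder). `BODY_SIZE_LIMIT` set to `"Infinity"` in the same env list removes the application's own request-size cap and leaves any bound to whatever proxy sits in front of it; a finite value would be safer. The Deployment begins outside the hunk.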
+4 -4
@@ -245,7 +245,7 @@ metadata:
nginx.ingress.kubernetes.io/auth-snippet: |
proxy_set_header X-Forwarded-Host $http_host;
nginx.ingress.kubernetes.io/configuration-snippet: |
if ($geoip2_city_country_code != "HU") {
if ($geoip2_country_code != "HU") {
return 403 "Access restricted to Hungary";
}
spec:
@@ -312,7 +312,7 @@ spec:
# Create public directory if it doesn't exist
- name: init-public-dir
image: busybox:1.36
command: ['sh', '-c', 'mkdir -p /srv/public && chmod 755 /srv/public']
command: ["sh", "-c", "mkdir -p /srv/public && chmod 755 /srv/public"]
volumeMounts:
- name: data
mountPath: /srv
@@ -474,7 +474,7 @@ metadata:
cert-manager.io/cluster-issuer: letsencrypt-prod
external-dns.alpha.kubernetes.io/hostname: web.dooplex.hu
nginx.ingress.kubernetes.io/configuration-snippet: |
if ($geoip2_city_country_code != "HU") {
if ($geoip2_country_code != "HU") {
return 403 "Access restricted to Hungary";
}
spec:
@@ -503,4 +503,4 @@ spec:
service:
name: static-server
port:
name: http
name: http
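Review bot: Both `configuration-snippet` annotations in this file now test `$geoip2_country_code`, but nothing in the manifest says which GeoIP2 database the controller has to load for that variable to be defined, or which address the lookup uses. As far as I know ingress-nginx resolves it from the address nginx sees as the client, so behind another proxy or load balancer without real-IP handling the check would evaluate the proxy's address, and an address with no database entry gives an empty code and a 403. I would add a comment above each snippet, e.g. `# needs the GeoLite2-Country database on the controller; country comes from the client address as seen by nginx`, and keep treating the rule as traffic filtering, not as authentication. The same snippet appears in the other Ingress manifests touched by this commit, so the comment applies there as well.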
+296 -296
@@ -44,18 +44,18 @@ spec:
app.kubernetes.io/name: wger-redis
spec:
containers:
- name: redis
image: redis:7.2-alpine
ports:
- containerPort: 6379
name: redis
resources:
requests:
cpu: 50m
memory: 64Mi
limits:
cpu: 200m
memory: 128Mi
- name: redis
image: redis:7.2-alpine
ports:
- containerPort: 6379
name: redis
resources:
requests:
cpu: 50m
memory: 64Mi
limits:
cpu: 200m
memory: 128Mi
---
apiVersion: apps/v1
kind: Deployment
@@ -82,158 +82,158 @@ spec:
securityContext:
fsGroup: 1000
containers:
- name: nginx
image: nginx:alpine
ports:
- containerPort: 80
name: http
volumeMounts:
- name: static
mountPath: /home/wger/static
readOnly: true
- name: media
mountPath: /home/wger/media
readOnly: true
- name: nginx-config
mountPath: /etc/nginx/conf.d/default.conf
subPath: nginx.conf
- name: wger
image: ghcr.io/kisfenyo/wger-oidc:latest
imagePullPolicy: Always
env:
# Django settings
- name: SECRET_KEY
valueFrom:
secretKeyRef:
name: wger-app
key: secret-key
- name: SIGNING_KEY
valueFrom:
secretKeyRef:
name: wger-app
key: signing-key
- name: DJANGO_DEBUG
value: "False"
- name: WGER_INSTANCE
value: "https://workout.dooplex.hu"
- name: TIME_ZONE
value: "Europe/Budapest"
- name: DJANGO_SETTINGS_MODULE
value: "config.settings.production"
- name: DJANGO_CACHE_TIMEOUT
value: "120"
# Database
- name: DJANGO_DB_ENGINE
value: "django.db.backends.postgresql"
- name: DJANGO_DB_HOST
value: "postgresql-rw.database-system.svc.cluster.local"
- name: DJANGO_DB_PORT
value: "5432"
- name: DJANGO_DB_DATABASE
value: "wger"
- name: DJANGO_DB_USER
valueFrom:
secretKeyRef:
name: wger-db
key: username
- name: DJANGO_DB_PASSWORD
valueFrom:
secretKeyRef:
name: wger-db
key: password
# Cache
- name: DJANGO_CACHE_BACKEND
value: "django_redis.cache.RedisCache"
- name: DJANGO_CACHE_LOCATION
value: "redis://wger-redis:6379/1"
- name: DJANGO_CACHE_CLIENT_CLASS
value: "django_redis.client.DefaultClient"
# Celery
- name: CELERY_BROKER
value: "redis://wger-redis:6379/2"
- name: CELERY_BACKEND
value: "redis://wger-redis:6379/2"
- name: ENABLE_OIDC
value: "True"
- name: OIDC_RP_CLIENT_ID
value: "AXr6k4P1JcgKKMcvGeXOLwd69MJ1UVjz3fW80mEg"
- name: OIDC_RP_CLIENT_SECRET
value: "oaj4yWum0skWoAJVf4VvXSSnc4pdaWQbKtyPaMaG6prBN0av1b1w7bna6nUALoIXwSQWu9seFZl66XsYxaFWXVXcWyI6B63rl5saIFCifVg9hqkl6RlhxHL4X4u42pqd"
- name: OIDC_RP_SIGN_ALGO
value: "RS256"
- name: CSRF_TRUSTED_ORIGINS
value: "https://workout.dooplex.hu"
# Authentik Endpoints (Replace 'authentik.dooplex.hu' with your actual Authentik domain)
- name: OIDC_OP_LOGOUT_ENDPOINT
value: "https://authentik.dooplex.hu/application/o/workout/end-session/"
- name: OIDC_LOGIN_BUTTON_TEXT
value: "Login with Authentik"
- name: OIDC_ALLOW_CREATE_USER
value: "true"
- name: OIDC_OP_AUTHORIZATION_ENDPOINT
value: "https://authentik.dooplex.hu/application/o/authorize/"
- name: OIDC_OP_TOKEN_ENDPOINT
value: "https://authentik.dooplex.hu/application/o/token/"
- name: OIDC_OP_USER_ENDPOINT
value: "https://authentik.dooplex.hu/application/o/userinfo/"
- name: OIDC_OP_JWKS_ENDPOINT
value: "https://authentik.dooplex.hu/application/o/workout/jwks/"
# Email (disabled - no email sending)
- name: ENABLE_EMAIL
value: "False"
# Media settings
- name: DJANGO_MEDIA_ROOT
value: "/home/wger/media"
- name: DJANGO_STATIC_ROOT
value: "/home/wger/static"
# Features
- name: ALLOW_REGISTRATION
value: "False"
- name: ALLOW_GUEST_USERS
value: "False"
- name: ALLOW_UPLOAD_VIDEOS
value: "True"
- name: USE_RECAPTCHA
value: "False"
- name: DOWNLOAD_EXERCISE_IMAGES_ON_STARTUP
value: "True"
ports:
- containerPort: 8000
name: http
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 1000m
memory: 1Gi
volumeMounts:
- name: media
mountPath: /home/wger/media
- name: static
mountPath: /home/wger/static
livenessProbe:
httpGet:
path: /
port: http
initialDelaySeconds: 120
periodSeconds: 30
readinessProbe:
httpGet:
path: /
port: http
initialDelaySeconds: 60
periodSeconds: 10
- name: nginx
image: nginx:alpine
ports:
- containerPort: 80
name: http
volumeMounts:
- name: static
mountPath: /home/wger/static
readOnly: true
- name: media
mountPath: /home/wger/media
readOnly: true
- name: nginx-config
mountPath: /etc/nginx/conf.d/default.conf
subPath: nginx.conf
- name: wger
image: ghcr.io/kisfenyo/wger-oidc:latest
imagePullPolicy: Always
env:
# Django settings
- name: SECRET_KEY
valueFrom:
secretKeyRef:
name: wger-app
key: secret-key
- name: SIGNING_KEY
valueFrom:
secretKeyRef:
name: wger-app
key: signing-key
- name: DJANGO_DEBUG
value: "False"
- name: WGER_INSTANCE
value: "https://workout.dooplex.hu"
- name: TIME_ZONE
value: "Europe/Budapest"
- name: DJANGO_SETTINGS_MODULE
value: "config.settings.production"
- name: DJANGO_CACHE_TIMEOUT
value: "120"
# Database
- name: DJANGO_DB_ENGINE
value: "django.db.backends.postgresql"
- name: DJANGO_DB_HOST
value: "postgresql-rw.database-system.svc.cluster.local"
- name: DJANGO_DB_PORT
value: "5432"
- name: DJANGO_DB_DATABASE
value: "wger"
- name: DJANGO_DB_USER
valueFrom:
secretKeyRef:
name: wger-db
key: username
- name: DJANGO_DB_PASSWORD
valueFrom:
secretKeyRef:
name: wger-db
key: password
# Cache
- name: DJANGO_CACHE_BACKEND
value: "django_redis.cache.RedisCache"
- name: DJANGO_CACHE_LOCATION
value: "redis://wger-redis:6379/1"
- name: DJANGO_CACHE_CLIENT_CLASS
value: "django_redis.client.DefaultClient"
# Celery
- name: CELERY_BROKER
value: "redis://wger-redis:6379/2"
- name: CELERY_BACKEND
value: "redis://wger-redis:6379/2"
- name: ENABLE_OIDC
value: "True"
- name: OIDC_RP_CLIENT_ID
value: "AXr6k4P1JcgKKMcvGeXOLwd69MJ1UVjz3fW80mEg"
- name: OIDC_RP_CLIENT_SECRET
value: "oaj4yWum0skWoAJVf4VvXSSnc4pdaWQbKtyPaMaG6prBN0av1b1w7bna6nUALoIXwSQWu9seFZl66XsYxaFWXVXcWyI6B63rl5saIFCifVg9hqkl6RlhxHL4X4u42pqd"
- name: OIDC_RP_SIGN_ALGO
value: "RS256"
- name: CSRF_TRUSTED_ORIGINS
value: "https://workout.dooplex.hu"
# Authentik Endpoints (Replace 'authentik.dooplex.hu' with your actual Authentik domain)
- name: OIDC_OP_LOGOUT_ENDPOINT
value: "https://authentik.dooplex.hu/application/o/workout/end-session/"
- name: OIDC_LOGIN_BUTTON_TEXT
value: "Login with Authentik"
- name: OIDC_ALLOW_CREATE_USER
value: "true"
- name: OIDC_OP_AUTHORIZATION_ENDPOINT
value: "https://authentik.dooplex.hu/application/o/authorize/"
- name: OIDC_OP_TOKEN_ENDPOINT
value: "https://authentik.dooplex.hu/application/o/token/"
- name: OIDC_OP_USER_ENDPOINT
value: "https://authentik.dooplex.hu/application/o/userinfo/"
- name: OIDC_OP_JWKS_ENDPOINT
value: "https://authentik.dooplex.hu/application/o/workout/jwks/"
# Email (disabled - no email sending)
- name: ENABLE_EMAIL
value: "False"
# Media settings
- name: DJANGO_MEDIA_ROOT
value: "/home/wger/media"
- name: DJANGO_STATIC_ROOT
value: "/home/wger/static"
# Features
- name: ALLOW_REGISTRATION
value: "False"
- name: ALLOW_GUEST_USERS
value: "False"
- name: ALLOW_UPLOAD_VIDEOS
value: "True"
- name: USE_RECAPTCHA
value: "False"
- name: DOWNLOAD_EXERCISE_IMAGES_ON_STARTUP
value: "True"
ports:
- containerPort: 8000
name: http
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 1000m
memory: 1Gi
volumeMounts:
- name: media
mountPath: /home/wger/media
- name: static
mountPath: /home/wger/static
livenessProbe:
httpGet:
path: /
port: http
initialDelaySeconds: 120
periodSeconds: 30
readinessProbe:
httpGet:
path: /
port: http
initialDelaySeconds: 60
periodSeconds: 10
volumes:
- name: nginx-config
configMap:
name: wger-nginx-config
- name: media
persistentVolumeClaim:
claimName: wger-media
- name: static
persistentVolumeClaim:
claimName: wger-static
- name: nginx-config
configMap:
name: wger-nginx-config
- name: media
persistentVolumeClaim:
claimName: wger-media
- name: static
persistentVolumeClaim:
claimName: wger-static
---
# Celery worker for background tasks
apiVersion: apps/v1
@@ -259,58 +259,58 @@ spec:
securityContext:
fsGroup: 1000
containers:
- name: celery-worker
image: ghcr.io/kisfenyo/wger-oidc:latest
imagePullPolicy: Always
command: ["/start-worker"]
env:
- name: SECRET_KEY
valueFrom:
secretKeyRef:
name: wger-app
key: secret-key
- name: SIGNING_KEY
valueFrom:
secretKeyRef:
name: wger-app
key: signing-key
- name: DJANGO_DB_ENGINE
value: "django.db.backends.postgresql"
- name: DJANGO_DB_HOST
value: "postgresql-rw.database-system.svc.cluster.local"
- name: DJANGO_DB_PORT
value: "5432"
- name: DJANGO_DB_DATABASE
value: "wger"
- name: DJANGO_DB_USER
valueFrom:
secretKeyRef:
name: wger-db
key: username
- name: DJANGO_DB_PASSWORD
valueFrom:
secretKeyRef:
name: wger-db
key: password
- name: DJANGO_CACHE_TIMEOUT
value: "120"
- name: DJANGO_CACHE_CLIENT_CLASS
value: "django_redis.client.DefaultClient"
- name: CELERY_BROKER
value: "redis://wger-redis:6379/2"
- name: CELERY_BACKEND
value: "redis://wger-redis:6379/2"
- name: DJANGO_CACHE_BACKEND
value: "django_redis.cache.RedisCache"
- name: DJANGO_CACHE_LOCATION
value: "redis://wger-redis:6379/1"
resources:
requests:
cpu: 50m
memory: 128Mi
limits:
cpu: 500m
memory: 512Mi
- name: celery-worker
image: ghcr.io/kisfenyo/wger-oidc:latest
imagePullPolicy: Always
command: ["/start-worker"]
env:
- name: SECRET_KEY
valueFrom:
secretKeyRef:
name: wger-app
key: secret-key
- name: SIGNING_KEY
valueFrom:
secretKeyRef:
name: wger-app
key: signing-key
- name: DJANGO_DB_ENGINE
value: "django.db.backends.postgresql"
- name: DJANGO_DB_HOST
value: "postgresql-rw.database-system.svc.cluster.local"
- name: DJANGO_DB_PORT
value: "5432"
- name: DJANGO_DB_DATABASE
value: "wger"
- name: DJANGO_DB_USER
valueFrom:
secretKeyRef:
name: wger-db
key: username
- name: DJANGO_DB_PASSWORD
valueFrom:
secretKeyRef:
name: wger-db
key: password
- name: DJANGO_CACHE_TIMEOUT
value: "120"
- name: DJANGO_CACHE_CLIENT_CLASS
value: "django_redis.client.DefaultClient"
- name: CELERY_BROKER
value: "redis://wger-redis:6379/2"
- name: CELERY_BACKEND
value: "redis://wger-redis:6379/2"
- name: DJANGO_CACHE_BACKEND
value: "django_redis.cache.RedisCache"
- name: DJANGO_CACHE_LOCATION
value: "redis://wger-redis:6379/1"
resources:
requests:
cpu: 50m
memory: 128Mi
limits:
cpu: 500m
memory: 512Mi
---
# Celery beat for scheduled tasks
apiVersion: apps/v1
@@ -336,54 +336,54 @@ spec:
securityContext:
fsGroup: 1000
containers:
- name: celery-beat
image: ghcr.io/kisfenyo/wger-oidc:latest
imagePullPolicy: Always
command: ["/start-beat"]
env:
- name: SECRET_KEY
valueFrom:
secretKeyRef:
name: wger-app
key: secret-key
- name: SIGNING_KEY
valueFrom:
secretKeyRef:
name: wger-app
key: signing-key
- name: DJANGO_CACHE_TIMEOUT
value: "120"
- name: DJANGO_CACHE_CLIENT_CLASS
value: "django_redis.client.DefaultClient"
- name: DJANGO_DB_ENGINE
value: "django.db.backends.postgresql"
- name: DJANGO_DB_HOST
value: "postgresql-rw.database-system.svc.cluster.local"
- name: DJANGO_DB_PORT
value: "5432"
- name: DJANGO_DB_DATABASE
value: "wger"
- name: DJANGO_DB_USER
valueFrom:
secretKeyRef:
name: wger-db
key: username
- name: DJANGO_DB_PASSWORD
valueFrom:
secretKeyRef:
name: wger-db
key: password
- name: CELERY_BROKER
value: "redis://wger-redis:6379/2"
- name: CELERY_BACKEND
value: "redis://wger-redis:6379/2"
resources:
requests:
cpu: 50m
memory: 64Mi
limits:
cpu: 200m
memory: 256Mi
- name: celery-beat
image: ghcr.io/kisfenyo/wger-oidc:latest
imagePullPolicy: Always
command: ["/start-beat"]
env:
- name: SECRET_KEY
valueFrom:
secretKeyRef:
name: wger-app
key: secret-key
- name: SIGNING_KEY
valueFrom:
secretKeyRef:
name: wger-app
key: signing-key
- name: DJANGO_CACHE_TIMEOUT
value: "120"
- name: DJANGO_CACHE_CLIENT_CLASS
value: "django_redis.client.DefaultClient"
- name: DJANGO_DB_ENGINE
value: "django.db.backends.postgresql"
- name: DJANGO_DB_HOST
value: "postgresql-rw.database-system.svc.cluster.local"
- name: DJANGO_DB_PORT
value: "5432"
- name: DJANGO_DB_DATABASE
value: "wger"
- name: DJANGO_DB_USER
valueFrom:
secretKeyRef:
name: wger-db
key: username
- name: DJANGO_DB_PASSWORD
valueFrom:
secretKeyRef:
name: wger-db
key: password
- name: CELERY_BROKER
value: "redis://wger-redis:6379/2"
- name: CELERY_BACKEND
value: "redis://wger-redis:6379/2"
resources:
requests:
cpu: 50m
memory: 64Mi
limits:
cpu: 200m
memory: 256Mi
---
apiVersion: v1
kind: Service
@@ -396,9 +396,9 @@ metadata:
spec:
type: ClusterIP
ports:
- name: redis
port: 6379
targetPort: redis
- name: redis
port: 6379
targetPort: redis
selector:
app.kubernetes.io/instance: wger
app.kubernetes.io/name: wger-redis
@@ -414,9 +414,9 @@ metadata:
spec:
type: ClusterIP
ports:
- name: http
port: 80
targetPort: 80
- name: http
port: 80
targetPort: 80
selector:
app.kubernetes.io/instance: wger
app.kubernetes.io/name: wger
@@ -436,36 +436,36 @@ metadata:
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/proxy-body-size: "100m"
nginx.ingress.kubernetes.io/configuration-snippet: |
if ($geoip2_city_country_code != "HU") {
if ($geoip2_country_code != "HU") {
return 403 "Access restricted to Hungary";
}
spec:
ingressClassName: nginx-internal
rules:
- host: workout.dooplex.hu
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: wger
port:
number: 80
- host: workout.home
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: wger
port:
number: 80
- host: workout.dooplex.hu
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: wger
port:
number: 80
- host: workout.home
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: wger
port:
number: 80
tls:
- hosts:
- workout.dooplex.hu
secretName: wger-tls
- hosts:
- workout.dooplex.hu
secretName: wger-tls
---
apiVersion: v1
kind: PersistentVolumeClaim
@@ -479,7 +479,7 @@ metadata:
recurring-job.longhorn.io/source: enabled
spec:
accessModes:
- ReadWriteOnce
- ReadWriteOnce
storageClassName: longhorn
resources:
requests:
@@ -495,7 +495,7 @@ metadata:
app.kubernetes.io/name: wger-static
spec:
accessModes:
- ReadWriteOnce
- ReadWriteOnce
storageClassName: longhorn
resources:
requests:
@@ -536,4 +536,4 @@ data:
proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto;
}
}
---
---
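Review bot: `OIDC_RP_CLIENT_SECRET` (and `OIDC_RP_CLIENT_ID`) in the `wger` container's env are committed as literal `value:` strings, while every other credential in this file is read through `secretKeyRef`. Anyone with read access to the repository or to the Deployment object can read the client secret, and because it is already in history it should be rotated in Authentik as well as moved. I would read it from the existing `wger-app` Secret as shown below; the key name is a placeholder. Separately, `ghcr.io/kisfenyo/wger-oidc:latest` with `imagePullPolicy: Always` means each restart can run a different image, so pinning a tag or digest would make rollouts reproducible. The Deployment's spec begins outside the hunk.

```yaml
# … unchanged: ENABLE_OIDC, OIDC_RP_CLIENT_ID …
- name: OIDC_RP_CLIENT_SECRET
  valueFrom:
    secretKeyRef:
      name: wger-app
      key: oidc-client-secret  # placeholder key name
# … unchanged: OIDC_RP_SIGN_ALGO and the remaining env entries …
```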
+2 -2
@@ -131,7 +131,7 @@ metadata:
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/proxy-body-size: "100m"
nginx.ingress.kubernetes.io/configuration-snippet: |
if ($geoip2_city_country_code != "HU") {
if ($geoip2_country_code != "HU") {
return 403 "Access restricted to Hungary";
}
spec:
@@ -160,4 +160,4 @@ spec:
service:
name: zipline
port:
number: 80
number: 80