From 99548a235e942d96ec9b870273a303e1f11be5e3 Mon Sep 17 00:00:00 2001 From: kisfenyo Date: Tue, 20 Jan 2026 18:01:32 +0100 Subject: [PATCH] fixed geoip tag --- actualbudget-system/actualbudget.yaml | 136 ++-- adventurelog-system/adventurelog.yaml | 2 +- arcade-system/romm.yaml | 464 +++++------ argocd-system/argocd-config.yaml | 48 +- audiobookshelf-system/audiobookshelf.yaml | 2 +- booking-system/booking.yaml | 21 +- bookstack-system/bookstack.yaml | 2 +- calibre-system/calibre.yaml | 4 +- code-system/code.yaml | 194 ++--- crafty-system/crafty.yaml | 243 +++--- fileshare-system/gokapi.yaml | 196 ++--- gitea-system/gitea.yaml | 350 ++++----- glance-system/glance-kisfenyo.yaml | 2 +- glance-system/glance-orsi.yaml | 4 +- headlamp-system/headlamp.yaml | 2 +- homepage-system/homepage.yaml | 8 +- immich-system/immich.yaml | 156 ++-- mon-system/monitoring.yaml | 8 +- nextcloud-system/nextcloud.yaml | 111 ++- opengist-system/opengist.yaml | 188 ++--- outline-system/outline.yaml | 594 +++++++------- paperless-system/paperless.yaml | 2 +- plantit-system/plantit.yaml | 408 +++++----- privatebin-system/privatebin.yaml | 4 +- servarr-system/servarr.yaml | 902 +++++++++++----------- tandoor-system/tandoor.yaml | 386 ++++----- termix-system/termix.yaml | 2 +- uptimekuma-system/uptimekuma.yaml | 140 ++-- vaultwarden-system/vaultwarden.yaml | 268 +++---- wanderer-system/wanderer.yaml | 276 +++---- web-system/web.yaml | 8 +- workout-system/workout.yaml | 592 +++++++------- zipline-system/zipline.yaml | 4 +- 33 files changed, 2864 insertions(+), 2863 deletions(-) diff --git a/actualbudget-system/actualbudget.yaml b/actualbudget-system/actualbudget.yaml index d35b047..50c69a8 100644 --- a/actualbudget-system/actualbudget.yaml +++ b/actualbudget-system/actualbudget.yaml 
@@ -29,46 +29,46 @@ spec: app.kubernetes.io/version: 26.1.0 spec: containers: - - name: actualbudget - image: actualbudget/actual-server:26.1.0 - imagePullPolicy: IfNotPresent - env: - - name: TZ - value: Europe/Budapest - ports: - - containerPort: 5006 - name: http - protocol: TCP - livenessProbe: - httpGet: - path: / - port: http - initialDelaySeconds: 30 - periodSeconds: 30 - timeoutSeconds: 10 - failureThreshold: 3 - readinessProbe: - httpGet: - path: / - port: http - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 3 - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 50m - memory: 128Mi - volumeMounts: - - name: data - mountPath: /data + - name: actualbudget + image: actualbudget/actual-server:26.1.0 + imagePullPolicy: IfNotPresent + env: + - name: TZ + value: Europe/Budapest + ports: + - containerPort: 5006 + name: http + protocol: TCP + livenessProbe: + httpGet: + path: / + port: http + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 10 + failureThreshold: 3 + readinessProbe: + httpGet: + path: / + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 3 + resources: + limits: + cpu: 500m + memory: 512Mi + requests: + cpu: 50m + memory: 128Mi + volumeMounts: + - name: data + mountPath: /data volumes: - - name: data - persistentVolumeClaim: - claimName: actualbudget-data + - name: data + persistentVolumeClaim: + claimName: actualbudget-data --- apiVersion: v1 kind: Service @@ -82,10 +82,10 @@ metadata: spec: type: ClusterIP ports: - - name: http - port: 5006 - protocol: TCP - targetPort: http + - name: http + port: 5006 + protocol: TCP + targetPort: http selector: app.kubernetes.io/instance: actualbudget app.kubernetes.io/name: actualbudget 
@@ -99,7 +99,7 @@ metadata: nginx.ingress.kubernetes.io/proxy-body-size: 50m nginx.ingress.kubernetes.io/ssl-redirect: "true" nginx.ingress.kubernetes.io/configuration-snippet: | - if ($geoip2_city_country_code != "HU") { + if ($geoip2_country_code != "HU") { return 403 "Access restricted to Hungary"; } labels: @@ -110,30 +110,30 @@ metadata: spec: ingressClassName: nginx-internal rules: - - host: actualbudget.dooplex.hu - http: - paths: - - backend: - service: - name: actualbudget - port: - number: 5006 - path: / - pathType: Prefix - - host: actualbudget.home - http: - paths: - - backend: - service: - name: actualbudget - port: - number: 5006 - path: / - pathType: Prefix + - host: actualbudget.dooplex.hu + http: + paths: + - backend: + service: + name: actualbudget + port: + number: 5006 + path: / + pathType: Prefix + - host: actualbudget.home + http: + paths: + - backend: + service: + name: actualbudget + port: + number: 5006 + path: / + pathType: Prefix tls: - - hosts: - - actualbudget.dooplex.hu - secretName: actualbudget-tls + - hosts: + - actualbudget.dooplex.hu + secretName: actualbudget-tls --- apiVersion: v1 kind: PersistentVolumeClaim @@ -145,7 +145,7 @@ metadata: namespace: actualbudget-system spec: accessModes: - - ReadWriteOnce + - ReadWriteOnce resources: requests: storage: 5Gi diff --git a/adventurelog-system/adventurelog.yaml b/adventurelog-system/adventurelog.yaml index a1c1b9b..6f583ce 100644 --- a/adventurelog-system/adventurelog.yaml +++ b/adventurelog-system/adventurelog.yaml @@ -374,7 +374,7 @@ metadata: nginx.ingress.kubernetes.io/proxy-buffers-number: "4" nginx.ingress.kubernetes.io/ssl-redirect: "true" nginx.ingress.kubernetes.io/configuration-snippet: | - if ($geoip2_city_country_code != "HU") { + if ($geoip2_country_code != "HU") { return 403 "Access restricted to Hungary"; } spec: diff --git a/arcade-system/romm.yaml b/arcade-system/romm.yaml index 8e56979..e0f525d 100644 --- a/arcade-system/romm.yaml +++ b/arcade-system/romm.yaml 
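Review bot: `$geoip2_country_code` is only defined when the controller's GeoIP2 block declares it (in the ingress-nginx template, if I read it right, that variable comes from the GeoLite2-Country database while `$geoip2_city_country_code` comes from the City database), and an `if` on an undeclared variable makes the whole nginx config reload fail, so the Country .mmdb must actually be present on the controller before this lands; the same one-line change is repeated in every other Ingress in this patch (adventurelog, romm, argocd-config, audiobookshelf, booking, bookstack, calibre, code, crafty and the later files), so one confirmation covers them all. This Ingress also routes `actualbudget.home`, and for a client address with no GeoIP entry (presumably the private LAN ranges) the variable is empty, `!= "HU"` is true and the request gets the 403, so if the `.home` host is meant to work from inside the network the test should tolerate an empty code, e.g. `if ($geoip2_country_code !~ "^(HU)?$") {`. Both observations depend on controller-side settings (`use-geoip2`, `allow-snippet-annotations`) that are outside this patch and should be checked there.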
@@ -55,18 +55,18 @@ spec: app.kubernetes.io/name: romm-redis spec: containers: - - name: redis - image: redis:7.2-alpine - ports: - - containerPort: 6379 - name: redis - resources: - requests: - cpu: 50m - memory: 64Mi - limits: - cpu: 200m - memory: 128Mi + - name: redis + image: redis:7.2-alpine + ports: + - containerPort: 6379 + name: redis + resources: + requests: + cpu: 50m + memory: 64Mi + limits: + cpu: 200m + memory: 128Mi --- apiVersion: apps/v1 kind: Deployment 
@@ -93,153 +93,153 @@ spec: app.kubernetes.io/version: "4.5.0" spec: securityContext: - fsGroup: 1000 + fsGroup: 1000 initContainers: - - name: init-config - image: busybox:1.36 - command: - - sh - - -c - - | - # Copy the template to the PVC only if it doesn't exist - if [ ! -f /romm/config/config.yml ]; then - echo "Creating initial config.yml from template..." - cp /tmp/template/config.yml /romm/config/config.yml - # Ensure the ROMM user (1000) owns the file - chown 1000:1000 /romm/config/config.yml - else - echo "config.yml already exists, skipping copy." - fi - volumeMounts: - - name: config-template - mountPath: /tmp/template - - name: config-storage - mountPath: /romm/config + - name: init-config + image: busybox:1.36 + command: + - sh + - -c + - | + # Copy the template to the PVC only if it doesn't exist + if [ ! -f /romm/config/config.yml ]; then + echo "Creating initial config.yml from template..." + cp /tmp/template/config.yml /romm/config/config.yml + # Ensure the ROMM user (1000) owns the file + chown 1000:1000 /romm/config/config.yml + else + echo "config.yml already exists, skipping copy." + fi + volumeMounts: + - name: config-template + mountPath: /tmp/template + - name: config-storage + mountPath: /romm/config containers: - - name: romm - image: rommapp/romm:4.5.0 - env: - # Database - - name: DB_HOST - value: "romm-db" # was postgresql-rw.database-system... 
- - name: DB_PORT - value: "3306" # was 5432 - - name: DB_NAME - valueFrom: - secretKeyRef: - name: romm-db - key: database - - name: DB_USER - valueFrom: - secretKeyRef: - name: romm-db - key: username - - name: DB_PASSWD - valueFrom: - secretKeyRef: - name: romm-db - key: password - # Redis - - name: REDIS_HOST - value: "romm-redis" - - name: REDIS_PORT - value: "6379" - # Auth - - name: ROMM_AUTH_SECRET_KEY - valueFrom: - secretKeyRef: - name: romm-app - key: auth-secret-key - # OIDC with Authentik - - name: OIDC_ENABLED - value: "true" - - name: OIDC_PROVIDER - value: "authentik" - - name: OIDC_CLIENT_ID - valueFrom: - secretKeyRef: - name: romm-oidc - key: client-id - - name: OIDC_CLIENT_SECRET - valueFrom: - secretKeyRef: - name: romm-oidc - key: client-secret - - name: OIDC_REDIRECT_URI - value: "https://arcade.dooplex.hu/api/oauth/openid" - - name: OIDC_SERVER_APPLICATION_URL - value: "https://authentik.dooplex.hu/application/o/arcade" - - name: ROMM_PORT - value: "8080" - # API Keys (optional) - - name: IGDB_CLIENT_ID - valueFrom: - secretKeyRef: - name: romm-app - key: igdb-client-id - - name: IGDB_CLIENT_SECRET - valueFrom: - secretKeyRef: - name: romm-app - key: igdb-client-secret - - name: STEAMGRIDDB_API_KEY - valueFrom: - secretKeyRef: - name: romm-app - key: steamgriddb-api-key - - name: SCREENSCRAPER_USER - valueFrom: - secretKeyRef: - name: romm-app - key: screenscraper-user - - name: SCREENSCRAPER_PASSWORD - valueFrom: - secretKeyRef: - name: romm-app - key: screenscraper-password - ports: - - containerPort: 8080 - name: http - resources: - requests: - cpu: 100m - memory: 256Mi - limits: - cpu: 1000m - memory: 1Gi - volumeMounts: - - name: library - mountPath: /romm/library - - name: resources - mountPath: /romm/resources - - name: config-storage - mountPath: /romm/config - livenessProbe: - httpGet: - path: /api/heartbeat - port: http - initialDelaySeconds: 60 - periodSeconds: 30 - readinessProbe: - httpGet: - path: /api/heartbeat - port: http - 
initialDelaySeconds: 30 - periodSeconds: 10 + - name: romm + image: rommapp/romm:4.5.0 + env: + # Database + - name: DB_HOST + value: "romm-db" # was postgresql-rw.database-system... + - name: DB_PORT + value: "3306" # was 5432 + - name: DB_NAME + valueFrom: + secretKeyRef: + name: romm-db + key: database + - name: DB_USER + valueFrom: + secretKeyRef: + name: romm-db + key: username + - name: DB_PASSWD + valueFrom: + secretKeyRef: + name: romm-db + key: password + # Redis + - name: REDIS_HOST + value: "romm-redis" + - name: REDIS_PORT + value: "6379" + # Auth + - name: ROMM_AUTH_SECRET_KEY + valueFrom: + secretKeyRef: + name: romm-app + key: auth-secret-key + # OIDC with Authentik + - name: OIDC_ENABLED + value: "true" + - name: OIDC_PROVIDER + value: "authentik" + - name: OIDC_CLIENT_ID + valueFrom: + secretKeyRef: + name: romm-oidc + key: client-id + - name: OIDC_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: romm-oidc + key: client-secret + - name: OIDC_REDIRECT_URI + value: "https://arcade.dooplex.hu/api/oauth/openid" + - name: OIDC_SERVER_APPLICATION_URL + value: "https://authentik.dooplex.hu/application/o/arcade" + - name: ROMM_PORT + value: "8080" + # API Keys (optional) + - name: IGDB_CLIENT_ID + valueFrom: + secretKeyRef: + name: romm-app + key: igdb-client-id + - name: IGDB_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: romm-app + key: igdb-client-secret + - name: STEAMGRIDDB_API_KEY + valueFrom: + secretKeyRef: + name: romm-app + key: steamgriddb-api-key + - name: SCREENSCRAPER_USER + valueFrom: + secretKeyRef: + name: romm-app + key: screenscraper-user + - name: SCREENSCRAPER_PASSWORD + valueFrom: + secretKeyRef: + name: romm-app + key: screenscraper-password + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 100m + memory: 256Mi + limits: + cpu: 1000m + memory: 1Gi + volumeMounts: + - name: library + mountPath: /romm/library + - name: resources + mountPath: /romm/resources + - name: config-storage + mountPath: 
/romm/config + livenessProbe: + httpGet: + path: /api/heartbeat + port: http + initialDelaySeconds: 60 + periodSeconds: 30 + readinessProbe: + httpGet: + path: /api/heartbeat + port: http + initialDelaySeconds: 30 + periodSeconds: 10 volumes: - - name: library - hostPath: - path: /mnt/4_hdd/data/roms - type: DirectoryOrCreate - - name: resources - persistentVolumeClaim: - claimName: romm-resources - - name: config-storage - persistentVolumeClaim: - claimName: romm-config - - name: config-template - configMap: - name: romm-config-template + - name: library + hostPath: + path: /mnt/4_hdd/data/roms + type: DirectoryOrCreate + - name: resources + persistentVolumeClaim: + claimName: romm-resources + - name: config-storage + persistentVolumeClaim: + claimName: romm-config + - name: config-template + configMap: + name: romm-config-template --- apiVersion: v1 kind: Service @@ -252,9 +252,9 @@ metadata: spec: type: ClusterIP ports: - - name: redis - port: 6379 - targetPort: redis + - name: redis + port: 6379 + targetPort: redis selector: app.kubernetes.io/instance: romm app.kubernetes.io/name: romm-redis @@ -270,9 +270,9 @@ metadata: spec: type: ClusterIP ports: - - name: http - port: 8080 - targetPort: http + - name: http + port: 8080 + targetPort: http selector: app.kubernetes.io/instance: romm app.kubernetes.io/name: romm 
@@ -293,36 +293,36 @@ metadata: nginx.ingress.kubernetes.io/proxy-read-timeout: "3600" nginx.ingress.kubernetes.io/proxy-send-timeout: "3600" nginx.ingress.kubernetes.io/configuration-snippet: | - if ($geoip2_city_country_code != "HU") { + if ($geoip2_country_code != "HU") { return 403 "Access restricted to Hungary"; } spec: ingressClassName: nginx-internal rules: - - host: arcade.dooplex.hu - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: romm - port: - number: 8080 - - host: arcade.home - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: romm - port: - number: 8080 + - host: arcade.dooplex.hu + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: romm + port: + number: 8080 + - host: arcade.home + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: romm + port: + number: 8080 tls: - - hosts: - - arcade.dooplex.hu - secretName: romm-tls + - hosts: + - arcade.dooplex.hu + secretName: romm-tls --- apiVersion: v1 kind: PersistentVolumeClaim @@ -336,7 +336,7 @@ metadata: recurring-job.longhorn.io/source: enabled spec: accessModes: - - ReadWriteOnce + - ReadWriteOnce storageClassName: longhorn resources: requests: @@ -354,7 +354,7 @@ metadata: recurring-job.longhorn.io/source: enabled spec: accessModes: - - ReadWriteOnce + - ReadWriteOnce storageClassName: longhorn resources: requests: 
@@ -383,46 +383,46 @@ spec: app.kubernetes.io/name: romm-db spec: containers: - - name: mariadb - image: mariadb:11 - env: - - name: MARIADB_ROOT_PASSWORD - valueFrom: - secretKeyRef: - name: romm-db - key: root-password - - name: MARIADB_DATABASE - valueFrom: - secretKeyRef: - name: romm-db - key: database - - name: MARIADB_USER - valueFrom: - secretKeyRef: - name: romm-db - key: username - - name: MARIADB_PASSWORD - valueFrom: - secretKeyRef: - name: romm-db - key: password - ports: - - containerPort: 3306 - name: mariadb - resources: - requests: - cpu: 100m - memory: 256Mi - limits: - cpu: 500m - memory: 512Mi - volumeMounts: - - name: data - mountPath: /var/lib/mysql + - name: mariadb + image: mariadb:11 + env: + - name: MARIADB_ROOT_PASSWORD + valueFrom: + secretKeyRef: + name: romm-db + key: root-password + - name: MARIADB_DATABASE + valueFrom: + secretKeyRef: + name: romm-db + key: database + - name: MARIADB_USER + valueFrom: + secretKeyRef: + name: romm-db + key: username + - name: MARIADB_PASSWORD + valueFrom: + secretKeyRef: + name: romm-db + key: password + ports: + - containerPort: 3306 + name: mariadb + resources: + requests: + cpu: 100m + memory: 256Mi + limits: + cpu: 500m + memory: 512Mi + volumeMounts: + - name: data + mountPath: /var/lib/mysql volumes: - - name: data - persistentVolumeClaim: - claimName: romm-db + - name: data + persistentVolumeClaim: + claimName: romm-db --- apiVersion: v1 kind: Service @@ -435,9 +435,9 @@ metadata: spec: type: ClusterIP ports: - - name: mariadb - port: 3306 - targetPort: mariadb + - name: mariadb + port: 3306 + targetPort: mariadb selector: app.kubernetes.io/instance: romm app.kubernetes.io/name: romm-db @@ -454,8 +454,8 @@ metadata: recurring-job.longhorn.io/source: enabled spec: accessModes: - - ReadWriteOnce + - ReadWriteOnce storageClassName: longhorn resources: requests: - storage: 2Gi \ No newline at end of file + storage: 2Gi 
diff --git a/argocd-system/argocd-config.yaml b/argocd-system/argocd-config.yaml index 0808105..4477f29 100644 --- a/argocd-system/argocd-config.yaml +++ b/argocd-system/argocd-config.yaml @@ -11,36 +11,36 @@ metadata: external-dns.alpha.kubernetes.io/hostname: argocd.dooplex.hu,argocd.home nginx.ingress.kubernetes.io/ssl-redirect: "true" nginx.ingress.kubernetes.io/configuration-snippet: | - if ($geoip2_city_country_code != "HU") { + if ($geoip2_country_code != "HU") { return 403 "Access restricted to Hungary"; } spec: ingressClassName: nginx-internal tls: - - hosts: - - argocd.dooplex.hu - secretName: argocd-server-tls + - hosts: + - argocd.dooplex.hu + secretName: argocd-server-tls rules: - - host: argocd.dooplex.hu - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: argocd-server - port: - number: 80 - - host: argocd.home - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: argocd-server - port: - number: 80 + - host: argocd.dooplex.hu + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: argocd-server + port: + number: 80 + - host: argocd.home + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: argocd-server + port: + number: 80 --- # ArgoCD ConfigMap patches for your environment apiVersion: v1 diff --git a/audiobookshelf-system/audiobookshelf.yaml b/audiobookshelf-system/audiobookshelf.yaml index f5ec38e..7c0e4f6 100644 --- a/audiobookshelf-system/audiobookshelf.yaml +++ b/audiobookshelf-system/audiobookshelf.yaml @@ -137,7 +137,7 @@ metadata: nginx.ingress.kubernetes.io/proxy-read-timeout: "3600" nginx.ingress.kubernetes.io/proxy-send-timeout: "3600" nginx.ingress.kubernetes.io/configuration-snippet: | - if ($geoip2_city_country_code != "HU") { + if ($geoip2_country_code != "HU") { return 403 "Access restricted to Hungary"; } labels: diff --git a/booking-system/booking.yaml b/booking-system/booking.yaml index 6b0463e..c2aca76 100644 
--- a/booking-system/booking.yaml +++ b/booking-system/booking.yaml @@ -205,7 +205,7 @@ spec: mkdir -p /calcom/apps/web/public/app-store/googlevideo cp /calcom/packages/app-store/googlevideo/static/logo.webp /calcom/apps/web/public/app-store/googlevideo/logo.webp echo "Copied googlevideo logo.webp to public folder" - + echo "Starting Cal.com..." cd /calcom exec ./scripts/start.sh @@ -218,7 +218,7 @@ spec: value: "false" - name: CALCOM_TELEMETRY_DISABLED value: "1" - + # URLs - name: NEXT_PUBLIC_WEBAPP_URL value: "https://booking.dooplex.hu" @@ -247,11 +247,10 @@ spec: - name: DATABASE_DIRECT_URL value: "postgresql://$(DB_USER):$(DB_PASS)@postgresql-rw.database-system.svc.cluster.local:5432/calcom" - # Redis - name: REDIS_URL value: "redis://calcom-redis:6379" - + # Auth secrets - name: NEXTAUTH_SECRET valueFrom: @@ -263,7 +262,7 @@ spec: secretKeyRef: name: calcom-app key: calendso-encryption-key - + # Email/SMTP - name: EMAIL_FROM valueFrom: @@ -290,7 +289,7 @@ spec: secretKeyRef: name: smtp-credentials key: password - + # Stripe (optional - for payments) - name: STRIPE_API_KEY valueFrom: @@ -311,7 +310,7 @@ spec: value: "0" - name: PAYMENT_FEE_FIXED value: "0" - + # Google Calendar (optional) - name: GOOGLE_API_CREDENTIALS valueFrom: @@ -320,11 +319,11 @@ spec: key: google-api-credentials - name: GOOGLE_LOGIN_ENABLED value: "false" - + # Timezone - name: TZ value: "Europe/Budapest" - + # Misc - name: NODE_ENV value: "production" @@ -408,7 +407,7 @@ metadata: nginx.ingress.kubernetes.io/proxy-http-version: "1.1" nginx.ingress.kubernetes.io/proxy-set-headers: "booking-system/calcom-proxy-headers" nginx.ingress.kubernetes.io/configuration-snippet: | - if ($geoip2_city_country_code != "HU") { + if ($geoip2_country_code != "HU") { return 403 "Access restricted to Hungary"; } spec: 
@@ -496,4 +495,4 @@ data: # targetPort: 5555 # selector: # app.kubernetes.io/instance: calcom -# app.kubernetes.io/name: prisma-studio \ No newline at end of file +# app.kubernetes.io/name: prisma-studio diff --git a/bookstack-system/bookstack.yaml b/bookstack-system/bookstack.yaml index 0a57e98..049f767 100644 --- a/bookstack-system/bookstack.yaml +++ b/bookstack-system/bookstack.yaml @@ -340,7 +340,7 @@ metadata: nginx.ingress.kubernetes.io/ssl-redirect: "true" nginx.ingress.kubernetes.io/proxy-body-size: "50m" nginx.ingress.kubernetes.io/configuration-snippet: | - if ($geoip2_city_country_code != "HU") { + if ($geoip2_country_code != "HU") { return 403 "Access restricted to Hungary"; } labels: diff --git a/calibre-system/calibre.yaml b/calibre-system/calibre.yaml index 7982773..28f0073 100644 --- a/calibre-system/calibre.yaml +++ b/calibre-system/calibre.yaml @@ -254,7 +254,7 @@ metadata: nginx.ingress.kubernetes.io/proxy-send-timeout: "3600" nginx.ingress.kubernetes.io/ssl-redirect: "true" nginx.ingress.kubernetes.io/configuration-snippet: | - if ($geoip2_city_country_code != "HU") { + if ($geoip2_country_code != "HU") { return 403 "Access restricted to Hungary"; } spec: @@ -302,7 +302,7 @@ metadata: nginx.ingress.kubernetes.io/proxy-send-timeout: "600" nginx.ingress.kubernetes.io/ssl-redirect: "true" nginx.ingress.kubernetes.io/configuration-snippet: | - if ($geoip2_city_country_code != "HU") { + if ($geoip2_country_code != "HU") { return 403 "Access restricted to Hungary"; } spec: diff --git a/code-system/code.yaml b/code-system/code.yaml index de2d48e..1b7fb6c 100644 --- a/code-system/code.yaml +++ b/code-system/code.yaml 
@@ -49,74 +49,74 @@ spec: securityContext: fsGroup: 1000 containers: - - name: code-server - image: codercom/code-server:4.108.0 - args: - - --bind-addr=0.0.0.0:8080 - - --auth=none - - --disable-telemetry - - --disable-update-check - env: - - name: TZ - value: "Europe/Budapest" - - name: HOME - value: "/home/coder" - - name: USER - value: "coder" - # Proxy trust for headers - - name: CS_DISABLE_PROXY_TRUST - value: "false" - - name: GIT_CONFIG_GLOBAL - value: "/home/coder/.config/git/config" - lifecycle: - postStart: - exec: - command: ["/bin/sh", "-c", "mkdir -p /home/coder/.config/git"] - ports: - - containerPort: 8080 - name: http - resources: - requests: - cpu: 200m - memory: 512Mi - limits: - cpu: 2000m - memory: 4Gi - volumeMounts: - - name: config - mountPath: /home/coder/.config - - name: workspace - mountPath: /home/coder/workspace - - name: local - mountPath: /home/coder/.local - - name: config - mountPath: /home/coder/.ssh - subPath: ssh - livenessProbe: - httpGet: - path: /healthz - port: http - initialDelaySeconds: 30 - periodSeconds: 30 - readinessProbe: - httpGet: - path: /healthz - port: http - initialDelaySeconds: 10 - periodSeconds: 10 - securityContext: - runAsUser: 1000 - runAsGroup: 1000 + - name: code-server + image: codercom/code-server:4.108.0 + args: + - --bind-addr=0.0.0.0:8080 + - --auth=none + - --disable-telemetry + - --disable-update-check + env: + - name: TZ + value: "Europe/Budapest" + - name: HOME + value: "/home/coder" + - name: USER + value: "coder" + # Proxy trust for headers + - name: CS_DISABLE_PROXY_TRUST + value: "false" + - name: GIT_CONFIG_GLOBAL + value: "/home/coder/.config/git/config" + lifecycle: + postStart: + exec: + command: ["/bin/sh", "-c", "mkdir -p /home/coder/.config/git"] + ports: + - containerPort: 8080 + name: http + resources: + requests: + cpu: 200m + memory: 512Mi + limits: + cpu: 2000m + memory: 4Gi + volumeMounts: + - name: config + mountPath: /home/coder/.config + - name: workspace + mountPath: 
/home/coder/workspace + - name: local + mountPath: /home/coder/.local + - name: config + mountPath: /home/coder/.ssh + subPath: ssh + livenessProbe: + httpGet: + path: /healthz + port: http + initialDelaySeconds: 30 + periodSeconds: 30 + readinessProbe: + httpGet: + path: /healthz + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + securityContext: + runAsUser: 1000 + runAsGroup: 1000 volumes: - - name: config - persistentVolumeClaim: - claimName: code-server-config - - name: workspace - persistentVolumeClaim: - claimName: code-server-workspace - - name: local - persistentVolumeClaim: - claimName: code-server-local + - name: config + persistentVolumeClaim: + claimName: code-server-config + - name: workspace + persistentVolumeClaim: + claimName: code-server-workspace + - name: local + persistentVolumeClaim: + claimName: code-server-local --- apiVersion: v1 kind: Service @@ -129,9 +129,9 @@ metadata: spec: type: ClusterIP ports: - - name: http - port: 8080 - targetPort: http + - name: http + port: 8080 + targetPort: http selector: app.kubernetes.io/instance: code-server app.kubernetes.io/name: code-server 
@@ -161,36 +161,36 @@ metadata: nginx.ingress.kubernetes.io/auth-snippet: | proxy_set_header X-Forwarded-Host $http_host; nginx.ingress.kubernetes.io/configuration-snippet: | - if ($geoip2_city_country_code != "HU") { + if ($geoip2_country_code != "HU") { return 403 "Access restricted to Hungary"; } spec: ingressClassName: nginx-internal rules: - - host: code.dooplex.hu - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: code-server - port: - number: 8080 - - host: code.home - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: code-server - port: - number: 8080 + - host: code.dooplex.hu + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: code-server + port: + number: 8080 + - host: code.home + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: code-server + port: + number: 8080 tls: - - hosts: - - code.dooplex.hu - secretName: code-server-tls + - hosts: + - code.dooplex.hu + secretName: code-server-tls --- apiVersion: v1 kind: PersistentVolumeClaim @@ -204,7 +204,7 @@ metadata: recurring-job.longhorn.io/source: enabled spec: accessModes: - - ReadWriteOnce + - ReadWriteOnce storageClassName: longhorn resources: requests: @@ -222,7 +222,7 @@ metadata: recurring-job.longhorn.io/source: enabled spec: accessModes: - - ReadWriteOnce + - ReadWriteOnce storageClassName: longhorn resources: requests: @@ -238,7 +238,7 @@ metadata: app.kubernetes.io/name: code-server-local spec: accessModes: - - ReadWriteOnce + - ReadWriteOnce storageClassName: longhorn resources: requests: diff --git a/crafty-system/crafty.yaml b/crafty-system/crafty.yaml index a38bb1d..b980a06 100644 --- a/crafty-system/crafty.yaml +++ b/crafty-system/crafty.yaml 
@@ -11,7 +11,7 @@ metadata: labels: app.kubernetes.io/name: craftycontroller data: - README.txt: 'Crafty Controller hostNetwork deployment. + README.txt: "Crafty Controller hostNetwork deployment. Reserved Minecraft TCP port range on the node: 25565-25575. @@ -23,7 +23,7 @@ data: Port 25565 is commonly used for the primary server. - ' + " --- apiVersion: v1 kind: ServiceAccount @@ -44,7 +44,7 @@ metadata: app.kubernetes.io/instance: crafty spec: accessModes: - - ReadWriteOnce + - ReadWriteOnce resources: requests: storage: 2Gi @@ -60,7 +60,7 @@ metadata: app.kubernetes.io/instance: crafty spec: accessModes: - - ReadWriteOnce + - ReadWriteOnce resources: requests: storage: 50Gi @@ -76,7 +76,7 @@ metadata: app.kubernetes.io/instance: crafty spec: accessModes: - - ReadWriteOnce + - ReadWriteOnce resources: requests: storage: 50Gi @@ -92,7 +92,7 @@ metadata: app.kubernetes.io/instance: crafty spec: accessModes: - - ReadWriteOnce + - ReadWriteOnce resources: requests: storage: 10Gi @@ -112,10 +112,10 @@ spec: app.kubernetes.io/name: craftycontroller app.kubernetes.io/instance: crafty ports: - - name: https - port: 8443 - targetPort: 8443 - protocol: TCP + - name: https + port: 8443 + targetPort: 8443 + protocol: TCP --- apiVersion: v1 kind: Service @@ -131,10 +131,10 @@ spec: app.kubernetes.io/name: craftycontroller app.kubernetes.io/instance: crafty ports: - - name: https - port: 8443 - targetPort: 8443 - protocol: TCP + - name: https + port: 8443 + targetPort: 8443 + protocol: TCP --- apiVersion: networking.k8s.io/v1 kind: Ingress 
@@ -149,44 +149,45 @@ metadata: external-dns.alpha.kubernetes.io/hostname: crafty.dooplex.hu,crafty.home nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" nginx.ingress.kubernetes.io/proxy-ssl-verify: "off" - nginx.ingress.kubernetes.io/ssl-redirect: 'true' + nginx.ingress.kubernetes.io/ssl-redirect: "true" nginx.ingress.kubernetes.io/proxy-body-size: 200m nginx.ingress.kubernetes.io/auth-url: http://ak-outpost-crafty-outpost.auth-system.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx nginx.ingress.kubernetes.io/auth-signin: https://crafty.dooplex.hu/outpost.goauthentik.io/start?rd=$escaped_request_uri - nginx.ingress.kubernetes.io/auth-snippet: 'proxy_set_header X-Forwarded-Host $http_host; + nginx.ingress.kubernetes.io/auth-snippet: + "proxy_set_header X-Forwarded-Host $http_host; - ' + " nginx.ingress.kubernetes.io/configuration-snippet: | - if ($geoip2_city_country_code != "HU") { + if ($geoip2_country_code != "HU") { return 403 "Access restricted to Hungary"; } spec: ingressClassName: nginx-internal tls: - - secretName: crafty-tls - hosts: - - crafty.dooplex.hu + - secretName: crafty-tls + hosts: + - crafty.dooplex.hu rules: - - host: crafty.dooplex.hu - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: craftycontroller-https - port: - number: 8443 - - host: crafty.home - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: craftycontroller-https - port: - number: 8443 + - host: crafty.dooplex.hu + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: craftycontroller-https + port: + number: 8443 + - host: crafty.home + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: craftycontroller-https + port: + number: 8443 --- apiVersion: apps/v1 kind: StatefulSet 
@@ -217,84 +218,84 @@ spec: securityContext: fsGroup: 0 containers: - - name: craftycontroller - image: arcadiatechnology/crafty-4:4.7.0 - imagePullPolicy: IfNotPresent - securityContext: - runAsNonRoot: true - runAsUser: 1000 - runAsGroup: 0 - ports: - - name: https - containerPort: 8443 - protocol: TCP - - name: minecraft - containerPort: 25565 - protocol: TCP - - name: mc25566 - containerPort: 25566 - protocol: TCP - - name: mc25567 - containerPort: 25567 - protocol: TCP - - name: mc25568 - containerPort: 25568 - protocol: TCP - - name: mc25569 - containerPort: 25569 - protocol: TCP - - name: mc25570 - containerPort: 25570 - protocol: TCP - - name: mc25571 - containerPort: 25571 - protocol: TCP - - name: mc25572 - containerPort: 25572 - protocol: TCP - - name: mc25573 - containerPort: 25573 - protocol: TCP - - name: mc25574 - containerPort: 25574 - protocol: TCP - - name: mc25575 - containerPort: 25575 - protocol: TCP - livenessProbe: - initialDelaySeconds: 30 - httpGet: - path: / - port: 8443 - scheme: HTTPS - readinessProbe: - initialDelaySeconds: 30 - periodSeconds: 10 - failureThreshold: 18 - httpGet: - path: / - port: 8443 - scheme: HTTPS - resources: {} - volumeMounts: - - name: crafty-app-config - mountPath: /crafty/app/config - - name: crafty-servers - mountPath: /crafty/servers - - name: crafty-backups - mountPath: /crafty/backups - - name: crafty-import - mountPath: /crafty/import + - name: craftycontroller + image: arcadiatechnology/crafty-4:4.7.0 + imagePullPolicy: IfNotPresent + securityContext: + runAsNonRoot: true + runAsUser: 1000 + runAsGroup: 0 + ports: + - name: https + containerPort: 8443 + protocol: TCP + - name: minecraft + containerPort: 25565 + protocol: TCP + - name: mc25566 + containerPort: 25566 + protocol: TCP + - name: mc25567 + containerPort: 25567 + protocol: TCP + - name: mc25568 + containerPort: 25568 + protocol: TCP + - name: mc25569 + containerPort: 25569 + protocol: TCP + - name: mc25570 + containerPort: 25570 + protocol: TCP 
+ - name: mc25571 + containerPort: 25571 + protocol: TCP + - name: mc25572 + containerPort: 25572 + protocol: TCP + - name: mc25573 + containerPort: 25573 + protocol: TCP + - name: mc25574 + containerPort: 25574 + protocol: TCP + - name: mc25575 + containerPort: 25575 + protocol: TCP + livenessProbe: + initialDelaySeconds: 30 + httpGet: + path: / + port: 8443 + scheme: HTTPS + readinessProbe: + initialDelaySeconds: 30 + periodSeconds: 10 + failureThreshold: 18 + httpGet: + path: / + port: 8443 + scheme: HTTPS + resources: {} + volumeMounts: + - name: crafty-app-config + mountPath: /crafty/app/config + - name: crafty-servers + mountPath: /crafty/servers + - name: crafty-backups + mountPath: /crafty/backups + - name: crafty-import + mountPath: /crafty/import volumes: - - name: crafty-app-config - persistentVolumeClaim: - claimName: crafty-app-config - - name: crafty-servers - persistentVolumeClaim: - claimName: crafty-servers - - name: crafty-backups - persistentVolumeClaim: - claimName: crafty-backups - - name: crafty-import - persistentVolumeClaim: - claimName: crafty-import \ No newline at end of file + - name: crafty-app-config + persistentVolumeClaim: + claimName: crafty-app-config + - name: crafty-servers + persistentVolumeClaim: + claimName: crafty-servers + - name: crafty-backups + persistentVolumeClaim: + claimName: crafty-backups + - name: crafty-import + persistentVolumeClaim: + claimName: crafty-import diff --git a/fileshare-system/gokapi.yaml b/fileshare-system/gokapi.yaml index c0718a4..3844422 100644 --- a/fileshare-system/gokapi.yaml +++ b/fileshare-system/gokapi.yaml 
@@ -55,75 +55,75 @@ spec: securityContext: fsGroup: 1000 containers: - - name: gokapi - image: f0rc3/gokapi:v2.1.0 - env: - - name: TZ - value: "Europe/Budapest" - - name: GOKAPI_PORT - value: "53842" - - name: GOKAPI_EXTERNAL_URL - value: "https://fileshare.dooplex.hu/" - - name: GOKAPI_LOCALHOST - value: "false" - - name: GOKAPI_USE_SSL - value: "false" - - name: GOKAPI_DATA_DIR - value: "/app/data" - - name: GOKAPI_CONFIG_DIR - value: "/app/config" - - name: GOKAPI_MAX_MEMORY_UPLOAD - value: "100" - - name: GOKAPI_LOG_STDOUT - value: "true" - # Initial admin user (only used for first setup) - - name: GOKAPI_USERNAME - valueFrom: - secretKeyRef: - name: gokapi-app - key: admin-username - - name: GOKAPI_PASSWORD - valueFrom: - secretKeyRef: - name: gokapi-app - key: admin-password - ports: - - containerPort: 53842 - name: http - resources: - requests: - cpu: 50m - memory: 64Mi - limits: - cpu: 500m - memory: 256Mi - volumeMounts: - - name: config - mountPath: /app/config - - name: data - mountPath: /app/data - livenessProbe: - httpGet: - path: / - port: http - initialDelaySeconds: 30 - periodSeconds: 30 - readinessProbe: - httpGet: - path: / - port: http - initialDelaySeconds: 10 - periodSeconds: 10 - securityContext: - runAsUser: 1000 - runAsGroup: 1000 + - name: gokapi + image: f0rc3/gokapi:v2.1.0 + env: + - name: TZ + value: "Europe/Budapest" + - name: GOKAPI_PORT + value: "53842" + - name: GOKAPI_EXTERNAL_URL + value: "https://fileshare.dooplex.hu/" + - name: GOKAPI_LOCALHOST + value: "false" + - name: GOKAPI_USE_SSL + value: "false" + - name: GOKAPI_DATA_DIR + value: "/app/data" + - name: GOKAPI_CONFIG_DIR + value: "/app/config" + - name: GOKAPI_MAX_MEMORY_UPLOAD + value: "100" + - name: GOKAPI_LOG_STDOUT + value: "true" + # Initial admin user (only used for first setup) + - name: GOKAPI_USERNAME + valueFrom: + secretKeyRef: + name: gokapi-app + key: admin-username + - name: GOKAPI_PASSWORD + valueFrom: + secretKeyRef: + name: gokapi-app + key: admin-password 
+ ports: + - containerPort: 53842 + name: http + resources: + requests: + cpu: 50m + memory: 64Mi + limits: + cpu: 500m + memory: 256Mi + volumeMounts: + - name: config + mountPath: /app/config + - name: data + mountPath: /app/data + livenessProbe: + httpGet: + path: / + port: http + initialDelaySeconds: 30 + periodSeconds: 30 + readinessProbe: + httpGet: + path: / + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + securityContext: + runAsUser: 1000 + runAsGroup: 1000 volumes: - - name: config - persistentVolumeClaim: - claimName: gokapi-config - - name: data - persistentVolumeClaim: - claimName: gokapi-data + - name: config + persistentVolumeClaim: + claimName: gokapi-config + - name: data + persistentVolumeClaim: + claimName: gokapi-data --- apiVersion: v1 kind: Service @@ -136,9 +136,9 @@ metadata: spec: type: ClusterIP ports: - - name: http - port: 53842 - targetPort: http + - name: http + port: 53842 + targetPort: http selector: app.kubernetes.io/instance: gokapi app.kubernetes.io/name: gokapi 
@@ -159,36 +159,36 @@ metadata: nginx.ingress.kubernetes.io/proxy-read-timeout: "600" nginx.ingress.kubernetes.io/proxy-send-timeout: "600" nginx.ingress.kubernetes.io/configuration-snippet: | - if ($geoip2_city_country_code != "HU") { + if ($geoip2_country_code != "HU") { return 403 "Access restricted to Hungary"; } spec: ingressClassName: nginx-internal rules: - - host: fileshare.dooplex.hu - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: gokapi - port: - number: 53842 - - host: fileshare.home - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: gokapi - port: - number: 53842 + - host: fileshare.dooplex.hu + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: gokapi + port: + number: 53842 + - host: fileshare.home + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: gokapi + port: + number: 53842 tls: - - hosts: - - fileshare.dooplex.hu - secretName: gokapi-tls + - hosts: + - fileshare.dooplex.hu + secretName: gokapi-tls --- apiVersion: v1 kind: PersistentVolumeClaim @@ -202,7 +202,7 @@ metadata: recurring-job.longhorn.io/source: enabled spec: accessModes: - - ReadWriteOnce + - ReadWriteOnce storageClassName: longhorn resources: requests: @@ -220,8 +220,8 @@ metadata: recurring-job.longhorn.io/source: enabled spec: accessModes: - - ReadWriteOnce + - ReadWriteOnce storageClassName: longhorn resources: requests: - storage: 50Gi \ No newline at end of file + storage: 50Gi diff --git a/gitea-system/gitea.yaml b/gitea-system/gitea.yaml index 72ea300..bd92dc0 100644 --- a/gitea-system/gitea.yaml +++ b/gitea-system/gitea.yaml 
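Review bot: `$geoip2_country_code` is an empty string when the source address has no entry in the country database, which in GeoLite2 includes every RFC1918 range, so the `!= "HU"` test in this snippet will also 403 LAN clients on `fileshare.home`, which is served by this same Ingress and therefore carries the same snippet — confirm that ingress-nginx actually sees a public client address (real-ip / forwarded headers) for that host. If `.home` is meant to be LAN-only, put it in its own Ingress without the snippet rather than loosening the comparison to admit the empty value, since an empty code is also what an unmapped or misconfigured proxy would yield and the gate would then pass exactly the traffic it is meant to stop. A one-line comment above the `if` stating that the gate depends on the controller resolving the true client IP would save the next reader the same investigation.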
@@ -31,152 +31,152 @@ spec: app.kubernetes.io/name: gitea spec: initContainers: - - name: init-directories - image: busybox:1.36 - command: - - sh - - -c - - | - mkdir -p /data/gitea/conf - chown -R 1000:1000 /data - volumeMounts: - - name: data - mountPath: /data + - name: init-directories + image: busybox:1.36 + command: + - sh + - -c + - | + mkdir -p /data/gitea/conf + chown -R 1000:1000 /data + volumeMounts: + - name: data + mountPath: /data containers: - - name: gitea - image: gitea/gitea:1.25.3 - imagePullPolicy: IfNotPresent - env: - - name: USER_UID - value: "1000" - - name: USER_GID - value: "1000" - - name: GITEA__database__DB_TYPE - value: postgres - # Database - using shared PostgreSQL in database-system namespace - - name: GITEA__database__HOST - value: postgresql-rw.database-system.svc.cluster.local:5432 - - name: GITEA__database__NAME - value: gitea - - name: GITEA__database__USER - valueFrom: - secretKeyRef: - name: gitea-db - key: username - - name: GITEA__database__PASSWD - valueFrom: - secretKeyRef: - name: gitea-db - key: password - - name: GITEA__server__DOMAIN - value: gitea.dooplex.hu - - name: GITEA__server__ROOT_URL - value: https://gitea.dooplex.hu/ - - name: GITEA__server__HTTP_PORT - value: "3000" - - name: GITEA__server__SSH_DOMAIN - value: gitea.dooplex.hu - - name: GITEA__server__SSH_PORT - value: "22" - - name: GITEA__server__SSH_LISTEN_PORT - value: "2222" - - name: GITEA__server__LFS_START_SERVER - value: "true" - - name: GITEA__security__INSTALL_LOCK - value: "true" - - name: GITEA__security__SECRET_KEY - valueFrom: - secretKeyRef: - name: gitea-app - key: secret-key - - name: GITEA__security__INTERNAL_TOKEN - valueFrom: - secretKeyRef: - name: gitea-app - key: internal-token - - name: GITEA__server__LFS_JWT_SECRET - valueFrom: - secretKeyRef: - name: gitea-app - key: lfs-jwt-secret - - name: GITEA__service__DISABLE_REGISTRATION - value: "true" - - name: GITEA__mailer__ENABLED - value: "true" - - name: GITEA__mailer__PROTOCOL - 
value: smtp+starttls - - name: GITEA__mailer__SMTP_ADDR - valueFrom: - secretKeyRef: - name: smtp-credentials - key: host - - name: GITEA__mailer__SMTP_PORT - valueFrom: - secretKeyRef: - name: smtp-credentials - key: port - - name: GITEA__mailer__USER - valueFrom: - secretKeyRef: - name: smtp-credentials - key: username - - name: GITEA__mailer__PASSWD - valueFrom: - secretKeyRef: - name: smtp-credentials - key: password - - name: GITEA__mailer__FROM - valueFrom: - secretKeyRef: - name: smtp-credentials - key: from-address - - name: GITEA__time__DEFAULT_UI_LOCATION - value: Europe/Budapest - ports: - - containerPort: 3000 - name: http - protocol: TCP - - containerPort: 2222 - name: ssh - protocol: TCP - livenessProbe: - httpGet: - path: /api/healthz - port: http - initialDelaySeconds: 60 - periodSeconds: 30 - timeoutSeconds: 10 - failureThreshold: 5 - readinessProbe: - httpGet: - path: /api/healthz - port: http - initialDelaySeconds: 30 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 3 - resources: - limits: - cpu: "1" - memory: 1Gi - requests: - cpu: 100m - memory: 256Mi - volumeMounts: - - name: data - mountPath: /data - - name: repos - mountPath: /data/git/repositories + - name: gitea + image: gitea/gitea:1.25.3 + imagePullPolicy: IfNotPresent + env: + - name: USER_UID + value: "1000" + - name: USER_GID + value: "1000" + - name: GITEA__database__DB_TYPE + value: postgres + # Database - using shared PostgreSQL in database-system namespace + - name: GITEA__database__HOST + value: postgresql-rw.database-system.svc.cluster.local:5432 + - name: GITEA__database__NAME + value: gitea + - name: GITEA__database__USER + valueFrom: + secretKeyRef: + name: gitea-db + key: username + - name: GITEA__database__PASSWD + valueFrom: + secretKeyRef: + name: gitea-db + key: password + - name: GITEA__server__DOMAIN + value: gitea.dooplex.hu + - name: GITEA__server__ROOT_URL + value: https://gitea.dooplex.hu/ + - name: GITEA__server__HTTP_PORT + value: "3000" + - name: 
GITEA__server__SSH_DOMAIN + value: gitea.dooplex.hu + - name: GITEA__server__SSH_PORT + value: "22" + - name: GITEA__server__SSH_LISTEN_PORT + value: "2222" + - name: GITEA__server__LFS_START_SERVER + value: "true" + - name: GITEA__security__INSTALL_LOCK + value: "true" + - name: GITEA__security__SECRET_KEY + valueFrom: + secretKeyRef: + name: gitea-app + key: secret-key + - name: GITEA__security__INTERNAL_TOKEN + valueFrom: + secretKeyRef: + name: gitea-app + key: internal-token + - name: GITEA__server__LFS_JWT_SECRET + valueFrom: + secretKeyRef: + name: gitea-app + key: lfs-jwt-secret + - name: GITEA__service__DISABLE_REGISTRATION + value: "true" + - name: GITEA__mailer__ENABLED + value: "true" + - name: GITEA__mailer__PROTOCOL + value: smtp+starttls + - name: GITEA__mailer__SMTP_ADDR + valueFrom: + secretKeyRef: + name: smtp-credentials + key: host + - name: GITEA__mailer__SMTP_PORT + valueFrom: + secretKeyRef: + name: smtp-credentials + key: port + - name: GITEA__mailer__USER + valueFrom: + secretKeyRef: + name: smtp-credentials + key: username + - name: GITEA__mailer__PASSWD + valueFrom: + secretKeyRef: + name: smtp-credentials + key: password + - name: GITEA__mailer__FROM + valueFrom: + secretKeyRef: + name: smtp-credentials + key: from-address + - name: GITEA__time__DEFAULT_UI_LOCATION + value: Europe/Budapest + ports: + - containerPort: 3000 + name: http + protocol: TCP + - containerPort: 2222 + name: ssh + protocol: TCP + livenessProbe: + httpGet: + path: /api/healthz + port: http + initialDelaySeconds: 60 + periodSeconds: 30 + timeoutSeconds: 10 + failureThreshold: 5 + readinessProbe: + httpGet: + path: /api/healthz + port: http + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 3 + resources: + limits: + cpu: "1" + memory: 1Gi + requests: + cpu: 100m + memory: 256Mi + volumeMounts: + - name: data + mountPath: /data + - name: repos + mountPath: /data/git/repositories securityContext: fsGroup: 1000 volumes: - - name: data 
- persistentVolumeClaim: - claimName: gitea-data - - name: repos - hostPath: - path: /mnt/4_hdd/data/gitea/repositories - type: DirectoryOrCreate + - name: data + persistentVolumeClaim: + claimName: gitea-data + - name: repos + hostPath: + path: /mnt/4_hdd/data/gitea/repositories + type: DirectoryOrCreate --- apiVersion: v1 kind: Service @@ -190,14 +190,14 @@ spec: type: LoadBalancer loadBalancerIP: 192.168.0.203 ports: - - name: http - port: 3000 - protocol: TCP - targetPort: http - - name: ssh - port: 2222 - protocol: TCP - targetPort: 22 + - name: http + port: 3000 + protocol: TCP + targetPort: http + - name: ssh + port: 2222 + protocol: TCP + targetPort: 22 selector: app.kubernetes.io/instance: gitea app.kubernetes.io/name: gitea @@ -211,7 +211,7 @@ metadata: nginx.ingress.kubernetes.io/proxy-body-size: "0" nginx.ingress.kubernetes.io/ssl-redirect: "true" nginx.ingress.kubernetes.io/configuration-snippet: | - if ($geoip2_city_country_code != "HU") { + if ($geoip2_country_code != "HU") { return 403 "Access restricted to Hungary"; } labels: @@ -222,30 +222,30 @@ metadata: spec: ingressClassName: nginx-internal rules: - - host: gitea.dooplex.hu - http: - paths: - - backend: - service: - name: gitea - port: - number: 3000 - path: / - pathType: Prefix - - host: gitea.home - http: - paths: - - backend: - service: - name: gitea - port: - number: 3000 - path: / - pathType: Prefix + - host: gitea.dooplex.hu + http: + paths: + - backend: + service: + name: gitea + port: + number: 3000 + path: / + pathType: Prefix + - host: gitea.home + http: + paths: + - backend: + service: + name: gitea + port: + number: 3000 + path: / + pathType: Prefix tls: - - hosts: - - gitea.dooplex.hu - secretName: gitea-tls + - hosts: + - gitea.dooplex.hu + secretName: gitea-tls --- apiVersion: v1 kind: PersistentVolumeClaim @@ -257,7 +257,7 @@ metadata: namespace: gitea-system spec: accessModes: - - ReadWriteOnce + - ReadWriteOnce resources: requests: storage: 10Gi 
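Review bot: The country filter in the `@@ -211,7` hunk only gates the HTTP path through `nginx-internal`, while the `gitea` Service in the hunk just above it is `type: LoadBalancer` on `192.168.0.203` exposing both `http` 3000 and `ssh` 2222 directly, so anything that can reach that address (a router port-forward, a tunnel) bypasses the `ssl-redirect` and the HU check entirely. If that address is only meant to carry LAN SSH, consider splitting web traffic onto a ClusterIP Service that the Ingress targets and keeping only the `ssh` port on the LoadBalancer, so the geo gate is the single entry point for the web UI. Whether 192.168.0.203 is reachable from outside the LAN is not visible here; if it is not, a comment on the Service saying so would make the intended exposure explicit.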
diff --git a/glance-system/glance-kisfenyo.yaml b/glance-system/glance-kisfenyo.yaml index 7dc5f96..79b4f4e 100644 --- a/glance-system/glance-kisfenyo.yaml +++ b/glance-system/glance-kisfenyo.yaml @@ -2201,7 +2201,7 @@ metadata: nginx.ingress.kubernetes.io/auth-snippet: | proxy_set_header X-Forwarded-Host $http_host; nginx.ingress.kubernetes.io/configuration-snippet: | - if ($geoip2_city_country_code != "HU") { + if ($geoip2_country_code != "HU") { return 403 "Access restricted to Hungary"; } spec: diff --git a/glance-system/glance-orsi.yaml b/glance-system/glance-orsi.yaml index 93d6f48..ce8944e 100644 --- a/glance-system/glance-orsi.yaml +++ b/glance-system/glance-orsi.yaml @@ -752,7 +752,7 @@ metadata: nginx.ingress.kubernetes.io/auth-snippet: | proxy_set_header X-Forwarded-Host $http_host; nginx.ingress.kubernetes.io/configuration-snippet: | - if ($geoip2_city_country_code != "HU") { + if ($geoip2_country_code != "HU") { return 403 "Access restricted to Hungary"; } spec: @@ -803,4 +803,4 @@ spec: # tls: # - hosts: # - home.dooplex.hu -# secretName: glance-tls \ No newline at end of file +# secretName: glance-tls diff --git a/headlamp-system/headlamp.yaml b/headlamp-system/headlamp.yaml index d5ad81f..8c9dcb8 100644 --- a/headlamp-system/headlamp.yaml +++ b/headlamp-system/headlamp.yaml @@ -347,7 +347,7 @@ metadata: nginx.ingress.kubernetes.io/proxy-buffer-size: "16k" nginx.ingress.kubernetes.io/proxy-buffers-number: "4" nginx.ingress.kubernetes.io/configuration-snippet: | - if ($geoip2_city_country_code != "HU") { + if ($geoip2_country_code != "HU") { return 403 "Access restricted to Hungary"; } # Homepage integration annotations diff --git a/homepage-system/homepage.yaml b/homepage-system/homepage.yaml index 4fd4568..50797b8 100644 --- a/homepage-system/homepage.yaml +++ b/homepage-system/homepage.yaml 
@@ -487,7 +487,7 @@ data: display: flex !important; align-items: center !important; } - + /* Make the image fill it */ #information-widgets .information-widget-logo img { max-height: 100px !important; @@ -554,7 +554,7 @@ spec: valueFrom: secretKeyRef: name: homepage-secrets - key: prowlarr-api-key + key: prowlarr-api-key - name: HOMEPAGE_VAR_SONARR_API_KEY valueFrom: secretKeyRef: @@ -716,7 +716,7 @@ metadata: nginx.ingress.kubernetes.io/auth-snippet: | proxy_set_header X-Forwarded-Host $http_host; nginx.ingress.kubernetes.io/configuration-snippet: | - if ($geoip2_city_country_code != "HU") { + if ($geoip2_country_code != "HU") { return 403 "Access restricted to Hungary"; } # Homepage auto-discovery annotation @@ -752,4 +752,4 @@ spec: - hosts: - homepage.dooplex.hu secretName: homepage-tls ---- \ No newline at end of file +--- diff --git a/immich-system/immich.yaml b/immich-system/immich.yaml index 3ffc7ca..b9e219d 100644 --- a/immich-system/immich.yaml +++ b/immich-system/immich.yaml @@ -217,11 +217,11 @@ spec: app.kubernetes.io/instance: immich template: metadata: - labels: + labels: app.kubernetes.io/controller: main app.kubernetes.io/instance: immich app.kubernetes.io/name: machine-learning - spec: + spec: enableServiceLinks: false serviceAccountName: default automountServiceAccountToken: true 
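Review bot: The `@@ -716,7` hunk is the same `if ($geoip2_country_code != "HU") { return 403 ...; }` snippet pasted verbatim into every Ingress in the repo, and this commit shows the cost: one wrong variable name had to be corrected in a dozen manifests, and an unknown nginx variable in any one annotation typically makes the controller reject the whole rendered config rather than just that rule. Consider defining the decision once in the controller ConfigMap, e.g. an `http-snippet` with `map $geoip2_country_code $geo_denied { default 1; HU 0; }`, and reducing each annotation to `if ($geo_denied) { return 403 "Access restricted to Hungary"; }`, so the policy and the variable name live in one place. Note that this Ingress also carries an `auth-snippet`; `return` in the rewrite phase runs before the external auth request, which is the desired order here and is worth a comment so nobody "fixes" it.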
@@ -229,18 +229,18 @@ spec: hostNetwork: false hostPID: false dnsPolicy: ClusterFirst - containers: + containers: - env: - - name: HF_XET_CACHE - value: /cache/huggingface-xet - - name: IMMICH_MACHINE_LEARNING_URL - value: http://immich-machine-learning:3003 - - name: MPLCONFIGDIR - value: /cache/matplotlib-config - - name: REDIS_HOSTNAME - value: immich-valkey - - name: TRANSFORMERS_CACHE - value: /cache + - name: HF_XET_CACHE + value: /cache/huggingface-xet + - name: IMMICH_MACHINE_LEARNING_URL + value: http://immich-machine-learning:3003 + - name: MPLCONFIGDIR + value: /cache/matplotlib-config + - name: REDIS_HOSTNAME + value: immich-valkey + - name: TRANSFORMERS_CACHE + value: /cache image: ghcr.io/immich-app/immich-machine-learning:v2.4.1 imagePullPolicy: IfNotPresent livenessProbe: @@ -253,9 +253,9 @@ spec: timeoutSeconds: 1 name: main ports: - - containerPort: 3003 - name: http - protocol: TCP + - containerPort: 3003 + name: http + protocol: TCP readinessProbe: failureThreshold: 3 httpGet: @@ -273,9 +273,9 @@ spec: periodSeconds: 10 timeoutSeconds: 1 volumeMounts: - - mountPath: /cache - name: cache - volumes: + - mountPath: /cache + name: cache + volumes: - name: cache persistentVolumeClaim: claimName: immich-machine-learning @@ -302,11 +302,11 @@ spec: app.kubernetes.io/instance: immich template: metadata: - labels: + labels: app.kubernetes.io/controller: main app.kubernetes.io/instance: immich app.kubernetes.io/name: server - spec: + spec: enableServiceLinks: false serviceAccountName: default automountServiceAccountToken: true 
@@ -314,28 +314,28 @@ spec: hostNetwork: false hostPID: false dnsPolicy: ClusterFirst - containers: + containers: - env: - - name: DB_HOSTNAME - value: immich-postgres - - name: DB_PORT - value: "5432" - - name: DB_DATABASE_NAME - value: immich - - name: DB_USERNAME - valueFrom: - secretKeyRef: - name: immich-db - key: username - - name: DB_PASSWORD - valueFrom: - secretKeyRef: - name: immich-db - key: password - - name: IMMICH_MACHINE_LEARNING_URL - value: http://immich-machine-learning:3003 - - name: REDIS_HOSTNAME - value: immich-valkey + - name: DB_HOSTNAME + value: immich-postgres + - name: DB_PORT + value: "5432" + - name: DB_DATABASE_NAME + value: immich + - name: DB_USERNAME + valueFrom: + secretKeyRef: + name: immich-db + key: username + - name: DB_PASSWORD + valueFrom: + secretKeyRef: + name: immich-db + key: password + - name: IMMICH_MACHINE_LEARNING_URL + value: http://immich-machine-learning:3003 + - name: REDIS_HOSTNAME + value: immich-valkey image: ghcr.io/immich-app/immich-server:v2.4.1 imagePullPolicy: IfNotPresent livenessProbe: @@ -348,9 +348,9 @@ spec: timeoutSeconds: 1 name: main ports: - - containerPort: 2283 - name: http - protocol: TCP + - containerPort: 2283 + name: http + protocol: TCP readinessProbe: failureThreshold: 3 httpGet: @@ -368,9 +368,9 @@ spec: periodSeconds: 10 timeoutSeconds: 1 volumeMounts: - - mountPath: /data - name: data - volumes: + - mountPath: /data + name: data + volumes: - name: data hostPath: path: /mnt/4_hdd/data/immich @@ -398,11 +398,11 @@ spec: app.kubernetes.io/instance: immich template: metadata: - labels: + labels: app.kubernetes.io/controller: main app.kubernetes.io/instance: immich app.kubernetes.io/name: valkey - spec: + spec: enableServiceLinks: false serviceAccountName: default automountServiceAccountToken: true 
@@ -410,35 +410,35 @@ spec: hostNetwork: false hostPID: false dnsPolicy: ClusterFirst - containers: + containers: - env: - - name: IMMICH_MACHINE_LEARNING_URL - value: http://immich-machine-learning:3003 - - name: REDIS_HOSTNAME - value: immich-valkey + - name: IMMICH_MACHINE_LEARNING_URL + value: http://immich-machine-learning:3003 + - name: REDIS_HOSTNAME + value: immich-valkey image: docker.io/valkey/valkey:9.0-alpine@sha256:b4ee67d73e00393e712accc72cfd7003b87d0fcd63f0eba798b23251bfc9c394 imagePullPolicy: IfNotPresent livenessProbe: exec: command: - - sh - - -c - - valkey-cli ping | grep PONG + - sh + - -c + - valkey-cli ping | grep PONG failureThreshold: 3 initialDelaySeconds: 30 periodSeconds: 10 timeoutSeconds: 5 name: main ports: - - containerPort: 6379 - name: redis - protocol: TCP + - containerPort: 6379 + name: redis + protocol: TCP readinessProbe: exec: command: - - sh - - -c - - valkey-cli ping | grep PONG + - sh + - -c + - valkey-cli ping | grep PONG failureThreshold: 3 initialDelaySeconds: 5 periodSeconds: 10 @@ -446,17 +446,17 @@ spec: startupProbe: exec: command: - - sh - - -c - - valkey-cli ping | grep PONG + - sh + - -c + - valkey-cli ping | grep PONG failureThreshold: 30 initialDelaySeconds: 0 periodSeconds: 10 timeoutSeconds: 5 volumeMounts: - - mountPath: /data - name: data - volumes: + - mountPath: /data + name: data + volumes: - name: data persistentVolumeClaim: claimName: immich-valkey 
@@ -478,24 +478,24 @@ metadata: nginx.ingress.kubernetes.io/configuration-snippet: | # GeoIP-based access control for Immich # Allows Hungarian traffic everywhere, worldwide only for /share/* paths - + set $geo_allowed 0; - + # Allow all Hungarian traffic - if ($geoip2_city_country_code = "HU") { + if ($geoip2_country_code = "HU") { set $geo_allowed 1; } - + # Allow public share paths from anywhere if ($request_uri ~* "^/share/") { set $geo_allowed 1; } - + # API endpoints needed for shared content if ($request_uri ~* "^/api/shared-links") { set $geo_allowed 1; } - + # Assets for shared albums (thumbnails and originals) if ($request_uri ~* "^/api/assets/.*/thumbnail") { set $geo_allowed 1; @@ -503,7 +503,7 @@ metadata: if ($request_uri ~* "^/api/assets/.*/original") { set $geo_allowed 1; } - + # Static assets needed for share page rendering if ($request_uri ~* "^/_app/") { set $geo_allowed 1; @@ -514,7 +514,7 @@ metadata: if ($request_uri ~* "\.(js|css|woff2?|ttf|svg|png|ico)$") { set $geo_allowed 1; } - + # Block non-allowed requests if ($geo_allowed = 0) { return 403 "Access restricted to Hungary"; diff --git a/mon-system/monitoring.yaml b/mon-system/monitoring.yaml index 10d2222..4a4a13a 100644 --- a/mon-system/monitoring.yaml +++ b/mon-system/monitoring.yaml @@ -11,6 +11,7 @@ metadata: labels: name: mon-system + # ============================================================================= # PROMETHEUS CONFIGURATION # ============================================================================= @@ -295,7 +296,7 @@ spec: cpu: 100m memory: 256Mi limits: - cpu: '2' + cpu: "2" memory: 6Gi livenessProbe: httpGet: @@ -373,6 +374,7 @@ spec: path: / pathType: Prefix + # ============================================================================= # GRAFANA CONFIGURATION # ============================================================================= 
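Review bot: Every allow-list test in this snippet matches `$request_uri`, which is the raw request line including the query string and any unnormalised dot-segments, so the final rule in the `@@ -514,7` hunk, `if ($request_uri ~* "\.(js|css|woff2?|ttf|svg|png|ico)$")`, is satisfied by `/api/users/me?x=.css`, and the `^/share/` prefix by `/share/../api/...` if the upstream normalises paths — either way the HU restriction is bypassable for arbitrary API routes. Match on `$uri` instead (normalised path, no arguments): `if ($uri ~* "\.(js|css|woff2?|ttf|svg|png|ico)$") {` and likewise `$uri` for the `^/share/` and `^/api/...` prefix tests. Even with that change, `^/api/assets/.*/original` stays open worldwide for any asset id and relies entirely on Immich's own authorization for non-shared assets; a comment stating that assumption would be useful.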
@@ -571,7 +573,7 @@ metadata: external-dns.alpha.kubernetes.io/hostname: grafana.dooplex.hu,grafana.home nginx.ingress.kubernetes.io/ssl-redirect: "true" nginx.ingress.kubernetes.io/configuration-snippet: | - if ($geoip2_city_country_code != "HU") { + if ($geoip2_country_code != "HU") { return 403 "Access restricted to Hungary"; } spec: @@ -602,6 +604,7 @@ spec: - grafana.dooplex.hu secretName: grafana-tls + # ============================================================================= # NODE EXPORTER - Host metrics (CPU, RAM, Disk, Network) # Runs on the host network to collect host metrics @@ -702,6 +705,7 @@ spec: selector: app: node-exporter + # ============================================================================= # EXPORTARR - Metrics for Sonarr, Radarr, Prowlarr # ============================================================================= diff --git a/nextcloud-system/nextcloud.yaml b/nextcloud-system/nextcloud.yaml index 943abea..96bf16c 100644 --- a/nextcloud-system/nextcloud.yaml +++ b/nextcloud-system/nextcloud.yaml 
@@ -112,19 +112,19 @@ data: IndexIgnore * - + apache-pretty-urls.config.php: |- '/', ); - + apcu.config.php: |- '\OC\Memcache\APCu', ); - + apps.config.php: |- /dev/null; do - sleep 2 - done - echo "Database is ready. Running migrations..." - python manage.py migrate --noinput - echo "Collecting static files..." - python manage.py collectstatic --noinput - echo "Creating superuser if not exists..." - python manage.py shell -c " - from django.contrib.auth import get_user_model - User = get_user_model() - import os - username = os.environ.get('DJANGO_SUPERUSER_USERNAME', 'admin') - if not User.objects.filter(username=username).exists(): - User.objects.create_superuser( - username=username, - email=os.environ.get('DJANGO_SUPERUSER_EMAIL', ''), - password=os.environ.get('DJANGO_SUPERUSER_PASSWORD', 'admin') - ) - print(f'Superuser {username} created successfully') - else: - print(f'Superuser {username} already exists') - " - volumeMounts: - - name: staticfiles - mountPath: /opt/recipes/staticfiles - env: - - name: DB_ENGINE - value: django.db.backends.postgresql - # Database - using shared PostgreSQL in database-system namespace - - name: POSTGRES_HOST - value: postgresql-rw.database-system.svc.cluster.local - - name: POSTGRES_PORT - value: "5432" - - name: POSTGRES_DB - value: tandoor - - name: POSTGRES_USER - valueFrom: - secretKeyRef: - name: tandoor-db - key: username - - name: POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - name: tandoor-db - key: password - - name: SECRET_KEY - valueFrom: - secretKeyRef: - name: tandoor-app - key: secret-key - - name: DJANGO_SUPERUSER_USERNAME - valueFrom: - secretKeyRef: - name: tandoor-admin - key: username - - name: DJANGO_SUPERUSER_PASSWORD - valueFrom: - secretKeyRef: - name: tandoor-admin - key: password - - name: DJANGO_SUPERUSER_EMAIL - valueFrom: - secretKeyRef: - name: tandoor-admin - key: email + - name: create-superuser + image: vabene1111/recipes:2.3.6 + workingDir: /opt/recipes + command: + - /bin/sh + - -c + - | + 
. /opt/recipes/venv/bin/activate + echo "Waiting for database..." + while ! python -c "import socket; socket.create_connection(('postgresql-rw.database-system.svc.cluster.local', 5432), timeout=5)" 2>/dev/null; do + sleep 2 + done + echo "Database is ready. Running migrations..." + python manage.py migrate --noinput + echo "Collecting static files..." + python manage.py collectstatic --noinput + echo "Creating superuser if not exists..." + python manage.py shell -c " + from django.contrib.auth import get_user_model + User = get_user_model() + import os + username = os.environ.get('DJANGO_SUPERUSER_USERNAME', 'admin') + if not User.objects.filter(username=username).exists(): + User.objects.create_superuser( + username=username, + email=os.environ.get('DJANGO_SUPERUSER_EMAIL', ''), + password=os.environ.get('DJANGO_SUPERUSER_PASSWORD', 'admin') + ) + print(f'Superuser {username} created successfully') + else: + print(f'Superuser {username} already exists') + " + volumeMounts: + - name: staticfiles + mountPath: /opt/recipes/staticfiles + env: + - name: DB_ENGINE + value: django.db.backends.postgresql + # Database - using shared PostgreSQL in database-system namespace + - name: POSTGRES_HOST + value: postgresql-rw.database-system.svc.cluster.local + - name: POSTGRES_PORT + value: "5432" + - name: POSTGRES_DB + value: tandoor + - name: POSTGRES_USER + valueFrom: + secretKeyRef: + name: tandoor-db + key: username + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: tandoor-db + key: password + - name: SECRET_KEY + valueFrom: + secretKeyRef: + name: tandoor-app + key: secret-key + - name: DJANGO_SUPERUSER_USERNAME + valueFrom: + secretKeyRef: + name: tandoor-admin + key: username + - name: DJANGO_SUPERUSER_PASSWORD + valueFrom: + secretKeyRef: + name: tandoor-admin + key: password + - name: DJANGO_SUPERUSER_EMAIL + valueFrom: + secretKeyRef: + name: tandoor-admin + key: email containers: - - name: tandoor - image: vabene1111/recipes:2.3.6 - imagePullPolicy: 
IfNotPresent - env: - - name: TZ - value: Europe/Budapest - - name: DEBUG - value: "0" - - name: ALLOWED_HOSTS - value: "*" - - name: CSRF_TRUSTED_ORIGINS - value: "https://tandoor.dooplex.hu,https://tandoor.home" - - name: SECURE_PROXY_SSL_HEADER - value: "HTTP_X_FORWARDED_PROTO,https" - - name: DB_ENGINE - value: django.db.backends.postgresql - # Database - using shared PostgreSQL in database-system namespace - - name: POSTGRES_HOST - value: postgresql-rw.database-system.svc.cluster.local - - name: POSTGRES_PORT - value: "5432" - - name: POSTGRES_DB - value: tandoor - - name: POSTGRES_USER - valueFrom: - secretKeyRef: - name: tandoor-db - key: username - - name: POSTGRES_PASSWORD - valueFrom: - secretKeyRef: - name: tandoor-db - key: password - - name: SECRET_KEY - valueFrom: - secretKeyRef: - name: tandoor-app - key: secret-key - - name: GUNICORN_MEDIA - value: "1" - - name: ENABLE_SIGNUP - value: "0" - - name: ENABLE_METRICS - value: "1" - - name: TANDOOR_PORT - value: "8080" - - name: SOCIAL_PROVIDERS - value: "allauth.socialaccount.providers.openid_connect" - - name: SOCIALACCOUNT_PROVIDERS - value: '{"openid_connect":{"APPS":[{"provider_id":"authentik","name":"authentik","client_id":"y7Mv9stcPZYAGz5QQyzFO9KBFjXHG6OWhLNWPMHL","secret":"tSbRKbfnUigzibKaJpAAwJoF8JLXazssydS6WLoAGCD3hGqZ3ceK5SUvSAEcncQCImZaMmsepO3zwfgIO3huA4GRCHS5NzLGm0L2Ifz60PGKW0htr54u12pWOUBJc6dG","settings":{"server_url":"https://authentik.dooplex.hu/application/o/tandoor/.well-known/openid-configuration"}}]}}' - ports: - - containerPort: 8080 - name: http - protocol: TCP - livenessProbe: - httpGet: - path: / - port: http - initialDelaySeconds: 60 - periodSeconds: 30 - timeoutSeconds: 10 - failureThreshold: 5 - readinessProbe: - httpGet: - path: / - port: http - initialDelaySeconds: 30 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 3 - resources: - limits: - cpu: "1" - memory: 1Gi - requests: - cpu: 100m - memory: 256Mi - volumeMounts: - - name: staticfiles - mountPath: 
/opt/recipes/staticfiles - - name: mediafiles - mountPath: /opt/recipes/mediafiles + - name: tandoor + image: vabene1111/recipes:2.3.6 + imagePullPolicy: IfNotPresent + env: + - name: TZ + value: Europe/Budapest + - name: DEBUG + value: "0" + - name: ALLOWED_HOSTS + value: "*" + - name: CSRF_TRUSTED_ORIGINS + value: "https://tandoor.dooplex.hu,https://tandoor.home" + - name: SECURE_PROXY_SSL_HEADER + value: "HTTP_X_FORWARDED_PROTO,https" + - name: DB_ENGINE + value: django.db.backends.postgresql + # Database - using shared PostgreSQL in database-system namespace + - name: POSTGRES_HOST + value: postgresql-rw.database-system.svc.cluster.local + - name: POSTGRES_PORT + value: "5432" + - name: POSTGRES_DB + value: tandoor + - name: POSTGRES_USER + valueFrom: + secretKeyRef: + name: tandoor-db + key: username + - name: POSTGRES_PASSWORD + valueFrom: + secretKeyRef: + name: tandoor-db + key: password + - name: SECRET_KEY + valueFrom: + secretKeyRef: + name: tandoor-app + key: secret-key + - name: GUNICORN_MEDIA + value: "1" + - name: ENABLE_SIGNUP + value: "0" + - name: ENABLE_METRICS + value: "1" + - name: TANDOOR_PORT + value: "8080" + - name: SOCIAL_PROVIDERS + value: "allauth.socialaccount.providers.openid_connect" + - name: SOCIALACCOUNT_PROVIDERS + value: '{"openid_connect":{"APPS":[{"provider_id":"authentik","name":"authentik","client_id":"y7Mv9stcPZYAGz5QQyzFO9KBFjXHG6OWhLNWPMHL","secret":"tSbRKbfnUigzibKaJpAAwJoF8JLXazssydS6WLoAGCD3hGqZ3ceK5SUvSAEcncQCImZaMmsepO3zwfgIO3huA4GRCHS5NzLGm0L2Ifz60PGKW0htr54u12pWOUBJc6dG","settings":{"server_url":"https://authentik.dooplex.hu/application/o/tandoor/.well-known/openid-configuration"}}]}}' + ports: + - containerPort: 8080 + name: http + protocol: TCP + livenessProbe: + httpGet: + path: / + port: http + initialDelaySeconds: 60 + periodSeconds: 30 + timeoutSeconds: 10 + failureThreshold: 5 + readinessProbe: + httpGet: + path: / + port: http + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + 
failureThreshold: 3 + resources: + limits: + cpu: "1" + memory: 1Gi + requests: + cpu: 100m + memory: 256Mi + volumeMounts: + - name: staticfiles + mountPath: /opt/recipes/staticfiles + - name: mediafiles + mountPath: /opt/recipes/mediafiles volumes: - - name: staticfiles - persistentVolumeClaim: - claimName: tandoor-staticfiles - - name: mediafiles - hostPath: - path: /mnt/4_hdd/data/tandoor/mediafiles - type: DirectoryOrCreate + - name: staticfiles + persistentVolumeClaim: + claimName: tandoor-staticfiles + - name: mediafiles + hostPath: + path: /mnt/4_hdd/data/tandoor/mediafiles + type: DirectoryOrCreate --- apiVersion: v1 kind: Service @@ -208,10 +208,10 @@ metadata: spec: type: ClusterIP ports: - - name: http - port: 8080 - protocol: TCP - targetPort: http + - name: http + port: 8080 + protocol: TCP + targetPort: http selector: app.kubernetes.io/instance: tandoor app.kubernetes.io/name: tandoor @@ -225,7 +225,7 @@ metadata: nginx.ingress.kubernetes.io/proxy-body-size: 128m nginx.ingress.kubernetes.io/ssl-redirect: "true" nginx.ingress.kubernetes.io/configuration-snippet: | - if ($geoip2_city_country_code != "HU") { + if ($geoip2_country_code != "HU") { return 403 "Access restricted to Hungary"; } labels: 
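Review bot: The gate in the `@@ -225,7` hunk limits who can reach tandoor, but the credential that actually authenticates users is in clear in the same file: the `SOCIALACCOUNT_PROVIDERS` env value in the Deployment hunk above (that hunk's header is outside this view) embeds a literal OIDC `client_id` and `secret`, which is now in git history. Move the whole JSON into a Secret as `SECRET_KEY` already is — `valueFrom: secretKeyRef: {name: tandoor-app, key: socialaccount-providers}` — and rotate the client secret in authentik. On this hunk itself, the snippet also applies to the `tandoor.home` host; `$geoip2_country_code` is empty for private source addresses, so LAN clients will get the 403 unless the controller sees a public client IP — worth confirming.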
@@ -236,30 +236,30 @@ metadata: spec: ingressClassName: nginx-internal rules: - - host: tandoor.dooplex.hu - http: - paths: - - backend: - service: - name: tandoor - port: - number: 8080 - path: / - pathType: Prefix - - host: tandoor.home - http: - paths: - - backend: - service: - name: tandoor - port: - number: 8080 - path: / - pathType: Prefix + - host: tandoor.dooplex.hu + http: + paths: + - backend: + service: + name: tandoor + port: + number: 8080 + path: / + pathType: Prefix + - host: tandoor.home + http: + paths: + - backend: + service: + name: tandoor + port: + number: 8080 + path: / + pathType: Prefix tls: - - hosts: - - tandoor.dooplex.hu - secretName: tandoor-tls + - hosts: + - tandoor.dooplex.hu + secretName: tandoor-tls --- apiVersion: v1 kind: PersistentVolumeClaim @@ -271,7 +271,7 @@ metadata: namespace: tandoor-system spec: accessModes: - - ReadWriteOnce + - ReadWriteOnce resources: requests: storage: 1Gi diff --git a/termix-system/termix.yaml b/termix-system/termix.yaml index 1e70cc9..a6c536a 100644 --- a/termix-system/termix.yaml +++ b/termix-system/termix.yaml @@ -120,7 +120,7 @@ metadata: nginx.ingress.kubernetes.io/proxy-read-timeout: "3600" nginx.ingress.kubernetes.io/proxy-send-timeout: "3600" nginx.ingress.kubernetes.io/configuration-snippet: | - if ($geoip2_city_country_code != "HU") { + if ($geoip2_country_code != "HU") { return 403 "Access restricted to Hungary"; } spec: diff --git a/uptimekuma-system/uptimekuma.yaml b/uptimekuma-system/uptimekuma.yaml index 1ad0ef2..078a0b8 100644 --- a/uptimekuma-system/uptimekuma.yaml +++ b/uptimekuma-system/uptimekuma.yaml 
@@ -29,48 +29,48 @@ spec: app.kubernetes.io/version: 2.0.2 spec: containers: - - name: uptimekuma - image: louislam/uptime-kuma:2.0.2 - imagePullPolicy: IfNotPresent - env: - - name: TZ - value: Europe/Budapest - - name: UPTIME_KUMA_PORT - value: "3001" - ports: - - containerPort: 3001 - name: http - protocol: TCP - livenessProbe: - httpGet: - path: / - port: http - initialDelaySeconds: 30 - periodSeconds: 30 - timeoutSeconds: 10 - failureThreshold: 3 - readinessProbe: - httpGet: - path: / - port: http - initialDelaySeconds: 10 - periodSeconds: 10 - timeoutSeconds: 5 - failureThreshold: 3 - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 50m - memory: 128Mi - volumeMounts: - - name: data - mountPath: /app/data + - name: uptimekuma + image: louislam/uptime-kuma:2.0.2 + imagePullPolicy: IfNotPresent + env: + - name: TZ + value: Europe/Budapest + - name: UPTIME_KUMA_PORT + value: "3001" + ports: + - containerPort: 3001 + name: http + protocol: TCP + livenessProbe: + httpGet: + path: / + port: http + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 10 + failureThreshold: 3 + readinessProbe: + httpGet: + path: / + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 3 + resources: + limits: + cpu: 500m + memory: 512Mi + requests: + cpu: 50m + memory: 128Mi + volumeMounts: + - name: data + mountPath: /app/data volumes: - - name: data - persistentVolumeClaim: - claimName: uptimekuma-data + - name: data + persistentVolumeClaim: + claimName: uptimekuma-data --- apiVersion: v1 kind: Service @@ -84,10 +84,10 @@ metadata: spec: type: ClusterIP ports: - - name: http - port: 3001 - protocol: TCP - targetPort: http + - name: http + port: 3001 + protocol: TCP + targetPort: http selector: app.kubernetes.io/instance: uptimekuma app.kubernetes.io/name: uptimekuma 
@@ -110,7 +110,7 @@ metadata: nginx.ingress.kubernetes.io/auth-snippet: | proxy_set_header X-Forwarded-Host $http_host; nginx.ingress.kubernetes.io/configuration-snippet: | - if ($geoip2_city_country_code != "HU") { + if ($geoip2_country_code != "HU") { return 403 "Access restricted to Hungary"; } labels: @@ -121,30 +121,30 @@ metadata: spec: ingressClassName: nginx-internal rules: - - host: uptimekuma.dooplex.hu - http: - paths: - - backend: - service: - name: uptimekuma - port: - number: 3001 - path: / - pathType: Prefix - - host: uptimekuma.home - http: - paths: - - backend: - service: - name: uptimekuma - port: - number: 3001 - path: / - pathType: Prefix + - host: uptimekuma.dooplex.hu + http: + paths: + - backend: + service: + name: uptimekuma + port: + number: 3001 + path: / + pathType: Prefix + - host: uptimekuma.home + http: + paths: + - backend: + service: + name: uptimekuma + port: + number: 3001 + path: / + pathType: Prefix tls: - - hosts: - - uptimekuma.dooplex.hu - secretName: uptimekuma-tls + - hosts: + - uptimekuma.dooplex.hu + secretName: uptimekuma-tls --- apiVersion: v1 kind: PersistentVolumeClaim @@ -156,7 +156,7 @@ metadata: namespace: uptimekuma-system spec: accessModes: - - ReadWriteOnce + - ReadWriteOnce resources: requests: storage: 5Gi diff --git a/vaultwarden-system/vaultwarden.yaml b/vaultwarden-system/vaultwarden.yaml index 1327cfb..bb21f9d 100644 --- a/vaultwarden-system/vaultwarden.yaml +++ b/vaultwarden-system/vaultwarden.yaml 
@@ -27,112 +27,112 @@ spec: app.kubernetes.io/name: vaultwarden spec: containers: - - name: vaultwarden - image: vaultwarden/server:1.35.2 - imagePullPolicy: IfNotPresent - env: - - name: TZ - value: Europe/Budapest - - name: DOMAIN - value: https://vaultwarden.dooplex.hu - - name: SIGNUPS_ALLOWED - value: "false" - - name: INVITATIONS_ALLOWED - value: "true" - - name: ADMIN_TOKEN - valueFrom: - secretKeyRef: - name: vaultwarden-admin - key: admin-token - - name: WEBSOCKET_ENABLED - value: "true" - - name: SMTP_HOST - valueFrom: - secretKeyRef: - name: smtp-credentials - key: host - - name: SMTP_PORT - valueFrom: - secretKeyRef: - name: smtp-credentials - key: port - - name: SMTP_SECURITY - value: starttls - - name: SMTP_USERNAME - valueFrom: - secretKeyRef: - name: smtp-credentials - key: username - - name: SMTP_PASSWORD - valueFrom: - secretKeyRef: - name: smtp-credentials - key: password - - name: SMTP_FROM - valueFrom: - secretKeyRef: - name: smtp-credentials - key: from-address - - name: SMTP_FROM_NAME - value: Vaultwarden - - name: SSO_ENABLED - value: "true" - - name: SSO_AUTHORITY - value: "https://authentik.dooplex.hu/application/o/vaultwarden/" - - name: SSO_CLIENT_ID - valueFrom: - secretKeyRef: - name: vaultwarden-oauth - key: client-id - - name: SSO_CLIENT_SECRET - valueFrom: - secretKeyRef: - name: vaultwarden-oauth - key: client-secret - - name: SSO_SCOPES - value: "openid email profile offline_access" - - name: SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION - value: "false" - - name: SSO_CLIENT_CACHE_EXPIRATION - value: "0" - - name: SSO_ONLY - value: "false" # Set to true to disable email+password login - - name: SSO_SIGNUPS_MATCH_EMAIL - value: "true" - ports: - - containerPort: 80 - name: http - protocol: TCP - livenessProbe: - httpGet: - path: /alive - port: http - initialDelaySeconds: 30 - periodSeconds: 30 - timeoutSeconds: 10 - failureThreshold: 3 - readinessProbe: - httpGet: - path: /alive - port: http - initialDelaySeconds: 10 - periodSeconds: 10 - 
timeoutSeconds: 5 - failureThreshold: 3 - resources: - limits: - cpu: 500m - memory: 512Mi - requests: - cpu: 50m - memory: 128Mi - volumeMounts: - - name: data - mountPath: /data + - name: vaultwarden + image: vaultwarden/server:1.35.2 + imagePullPolicy: IfNotPresent + env: + - name: TZ + value: Europe/Budapest + - name: DOMAIN + value: https://vaultwarden.dooplex.hu + - name: SIGNUPS_ALLOWED + value: "false" + - name: INVITATIONS_ALLOWED + value: "true" + - name: ADMIN_TOKEN + valueFrom: + secretKeyRef: + name: vaultwarden-admin + key: admin-token + - name: WEBSOCKET_ENABLED + value: "true" + - name: SMTP_HOST + valueFrom: + secretKeyRef: + name: smtp-credentials + key: host + - name: SMTP_PORT + valueFrom: + secretKeyRef: + name: smtp-credentials + key: port + - name: SMTP_SECURITY + value: starttls + - name: SMTP_USERNAME + valueFrom: + secretKeyRef: + name: smtp-credentials + key: username + - name: SMTP_PASSWORD + valueFrom: + secretKeyRef: + name: smtp-credentials + key: password + - name: SMTP_FROM + valueFrom: + secretKeyRef: + name: smtp-credentials + key: from-address + - name: SMTP_FROM_NAME + value: Vaultwarden + - name: SSO_ENABLED + value: "true" + - name: SSO_AUTHORITY + value: "https://authentik.dooplex.hu/application/o/vaultwarden/" + - name: SSO_CLIENT_ID + valueFrom: + secretKeyRef: + name: vaultwarden-oauth + key: client-id + - name: SSO_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: vaultwarden-oauth + key: client-secret + - name: SSO_SCOPES + value: "openid email profile offline_access" + - name: SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION + value: "false" + - name: SSO_CLIENT_CACHE_EXPIRATION + value: "0" + - name: SSO_ONLY + value: "false" # Set to true to disable email+password login + - name: SSO_SIGNUPS_MATCH_EMAIL + value: "true" + ports: + - containerPort: 80 + name: http + protocol: TCP + livenessProbe: + httpGet: + path: /alive + port: http + initialDelaySeconds: 30 + periodSeconds: 30 + timeoutSeconds: 10 + failureThreshold: 3 + 
readinessProbe: + httpGet: + path: /alive + port: http + initialDelaySeconds: 10 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 3 + resources: + limits: + cpu: 500m + memory: 512Mi + requests: + cpu: 50m + memory: 128Mi + volumeMounts: + - name: data + mountPath: /data volumes: - - name: data - persistentVolumeClaim: - claimName: vaultwarden-data + - name: data + persistentVolumeClaim: + claimName: vaultwarden-data --- apiVersion: v1 kind: Service @@ -145,10 +145,10 @@ metadata: spec: type: ClusterIP ports: - - name: http - port: 80 - protocol: TCP - targetPort: http + - name: http + port: 80 + protocol: TCP + targetPort: http selector: app.kubernetes.io/instance: vaultwarden app.kubernetes.io/name: vaultwarden @@ -162,7 +162,7 @@ metadata: nginx.ingress.kubernetes.io/proxy-body-size: 100m nginx.ingress.kubernetes.io/ssl-redirect: "true" nginx.ingress.kubernetes.io/configuration-snippet: | - if ($geoip2_city_country_code != "HU") { + if ($geoip2_country_code != "HU") { return 403 "Access restricted to Hungary"; } labels: @@ -173,30 +173,30 @@ metadata: spec: ingressClassName: nginx-internal rules: - - host: vaultwarden.dooplex.hu - http: - paths: - - backend: - service: - name: vaultwarden - port: - number: 80 - path: / - pathType: Prefix - - host: vaultwarden.home - http: - paths: - - backend: - service: - name: vaultwarden - port: - number: 80 - path: / - pathType: Prefix + - host: vaultwarden.dooplex.hu + http: + paths: + - backend: + service: + name: vaultwarden + port: + number: 80 + path: / + pathType: Prefix + - host: vaultwarden.home + http: + paths: + - backend: + service: + name: vaultwarden + port: + number: 80 + path: / + pathType: Prefix tls: - - hosts: - - vaultwarden.dooplex.hu - secretName: vaultwarden-tls + - hosts: + - vaultwarden.dooplex.hu + secretName: vaultwarden-tls --- apiVersion: v1 kind: PersistentVolumeClaim 
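Review bot: The country gate on the vaultwarden Ingress (`if ($geoip2_country_code != "HU")`) is evaluated against whatever address nginx treats as the client, so its strength depends on the controller's real-IP configuration, which this manifest cannot show: with `use-forwarded-headers` enabled and no `proxy-real-ip-cidr` restriction a remote client can pick the looked-up address via `X-Forwarded-For`, and behind a CDN or tunnel every request carries the proxy's country. In front of a password vault treat it as defence in depth rather than an access control — `SIGNUPS_ALLOWED=false`, the secret-backed `ADMIN_TOKEN` and the SSO settings in the hunk above remain the real controls — and confirm the trusted-proxy setup before relying on the 403. A comment above the snippet would keep that dependency visible: `# geo check keys on $remote_addr; only meaningful if the controller trusts XFF from known proxies only`.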
@@ -208,7 +208,7 @@ metadata: namespace: vaultwarden-system spec: accessModes: - - ReadWriteOnce + - ReadWriteOnce resources: requests: storage: 5Gi diff --git a/wanderer-system/wanderer.yaml b/wanderer-system/wanderer.yaml index ef61293..4e620bd 100644 --- a/wanderer-system/wanderer.yaml +++ b/wanderer-system/wanderer.yaml @@ -56,47 +56,47 @@ spec: app.kubernetes.io/name: wanderer-meilisearch spec: containers: - - name: meilisearch - image: getmeili/meilisearch:v1.11.3 - env: - - name: MEILI_MASTER_KEY - valueFrom: - secretKeyRef: - name: wanderer-app - key: meili-master-key - - name: MEILI_ENV - value: "production" - - name: MEILI_NO_ANALYTICS - value: "true" - ports: - - containerPort: 7700 - name: http - resources: - requests: - cpu: 100m - memory: 256Mi - limits: - cpu: 500m - memory: 512Mi - volumeMounts: - - name: meili-data - mountPath: /meili_data - livenessProbe: - httpGet: - path: /health - port: http - initialDelaySeconds: 30 - periodSeconds: 30 - readinessProbe: - httpGet: - path: /health - port: http - initialDelaySeconds: 10 - periodSeconds: 10 + - name: meilisearch + image: getmeili/meilisearch:v1.11.3 + env: + - name: MEILI_MASTER_KEY + valueFrom: + secretKeyRef: + name: wanderer-app + key: meili-master-key + - name: MEILI_ENV + value: "production" + - name: MEILI_NO_ANALYTICS + value: "true" + ports: + - containerPort: 7700 + name: http + resources: + requests: + cpu: 100m + memory: 256Mi + limits: + cpu: 500m + memory: 512Mi + volumeMounts: + - name: meili-data + mountPath: /meili_data + livenessProbe: + httpGet: + path: /health + port: http + initialDelaySeconds: 30 + periodSeconds: 30 + readinessProbe: + httpGet: + path: /health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 volumes: - - name: meili-data - persistentVolumeClaim: - claimName: wanderer-meilisearch + - name: meili-data + persistentVolumeClaim: + claimName: wanderer-meilisearch --- apiVersion: apps/v1 kind: Deployment 
@@ -121,52 +121,52 @@ spec: app.kubernetes.io/name: wanderer-db spec: containers: - - name: pocketbase - image: flomp/wanderer-db:v0.18.3 - env: - - name: ORIGIN - value: "https://wanderer.dooplex.hu" - - name: MEILI_URL - value: "http://wanderer-meilisearch:7700" - - name: MEILI_MASTER_KEY - valueFrom: - secretKeyRef: - name: wanderer-app - key: meili-master-key - - name: POCKETBASE_ENCRYPTION_KEY - valueFrom: - secretKeyRef: - name: wanderer-app - key: pocketbase-encryption-key - ports: - - containerPort: 8090 - name: http - resources: - requests: - cpu: 100m - memory: 128Mi - limits: - cpu: 500m - memory: 512Mi - volumeMounts: - - name: pb-data - mountPath: /pb_data - livenessProbe: - httpGet: - path: /api/health - port: http - initialDelaySeconds: 30 - periodSeconds: 30 - readinessProbe: - httpGet: - path: /api/health - port: http - initialDelaySeconds: 10 - periodSeconds: 10 + - name: pocketbase + image: flomp/wanderer-db:v0.18.3 + env: + - name: ORIGIN + value: "https://wanderer.dooplex.hu" + - name: MEILI_URL + value: "http://wanderer-meilisearch:7700" + - name: MEILI_MASTER_KEY + valueFrom: + secretKeyRef: + name: wanderer-app + key: meili-master-key + - name: POCKETBASE_ENCRYPTION_KEY + valueFrom: + secretKeyRef: + name: wanderer-app + key: pocketbase-encryption-key + ports: + - containerPort: 8090 + name: http + resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 500m + memory: 512Mi + volumeMounts: + - name: pb-data + mountPath: /pb_data + livenessProbe: + httpGet: + path: /api/health + port: http + initialDelaySeconds: 30 + periodSeconds: 30 + readinessProbe: + httpGet: + path: /api/health + port: http + initialDelaySeconds: 10 + periodSeconds: 10 volumes: - - name: pb-data - persistentVolumeClaim: - claimName: wanderer-db + - name: pb-data + persistentVolumeClaim: + claimName: wanderer-db --- apiVersion: apps/v1 kind: Deployment 
@@ -191,46 +191,46 @@ spec: app.kubernetes.io/name: wanderer-web spec: containers: - - name: wanderer-web - image: flomp/wanderer-web:v0.18.3 - env: - - name: NODE_TLS_REJECT_UNAUTHORIZED - value: "0" - - name: NODE_OPTIONS - value: "--max-old-space-size=7168" - - name: ORIGIN - value: "https://wanderer.dooplex.hu" - - name: POCKETBASE_URL - value: "http://wanderer-db:8090" - - name: PUBLIC_POCKETBASE_URL - value: "https://pb.wanderer.dooplex.hu" - - name: MEILI_URL - value: "http://wanderer-meilisearch:7700" - - name: MEILI_MASTER_KEY - valueFrom: - secretKeyRef: - name: wanderer-app - key: meili-master-key - - name: PUBLIC_DISABLE_SIGNUP - value: "true" - - name: BODY_SIZE_LIMIT - value: "Infinity" - ports: - - containerPort: 3000 - name: http - resources: - requests: - cpu: 50m - memory: 64Mi - limits: - memory: 8Gi - readinessProbe: - tcpSocket: - port: 3000 - initialDelaySeconds: 5 - periodSeconds: 10 - timeoutSeconds: 1 - failureThreshold: 3 + - name: wanderer-web + image: flomp/wanderer-web:v0.18.3 + env: + - name: NODE_TLS_REJECT_UNAUTHORIZED + value: "0" + - name: NODE_OPTIONS + value: "--max-old-space-size=7168" + - name: ORIGIN + value: "https://wanderer.dooplex.hu" + - name: POCKETBASE_URL + value: "http://wanderer-db:8090" + - name: PUBLIC_POCKETBASE_URL + value: "https://pb.wanderer.dooplex.hu" + - name: MEILI_URL + value: "http://wanderer-meilisearch:7700" + - name: MEILI_MASTER_KEY + valueFrom: + secretKeyRef: + name: wanderer-app + key: meili-master-key + - name: PUBLIC_DISABLE_SIGNUP + value: "true" + - name: BODY_SIZE_LIMIT + value: "Infinity" + ports: + - containerPort: 3000 + name: http + resources: + requests: + cpu: 50m + memory: 64Mi + limits: + memory: 8Gi + readinessProbe: + tcpSocket: + port: 3000 + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 1 + failureThreshold: 3 --- apiVersion: v1 kind: Service 
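Review bot: `NODE_TLS_REJECT_UNAUTHORIZED: "0"` on the wanderer-web container turns off certificate verification for every outbound HTTPS connection the Node process makes, not just one endpoint, so any TLS call it issues (to `https://pb.wanderer.dooplex.hu` or to external services, if it uses any) is open to interception. The two backends declared here are plain-HTTP cluster services (`http://wanderer-db:8090`, `http://wanderer-meilisearch:7700`), which suggests the flag was added to work around a certificate problem elsewhere; the fix is to trust the issuing CA through `NODE_EXTRA_CA_CERTS` mounted from a ConfigMap and remove the variable. Separately, `BODY_SIZE_LIMIT: "Infinity"` removes the Node adapter's request-body cap on a pod that runs with `--max-old-space-size=7168` under an 8Gi limit, so a single oversized upload can exhaust the heap; set a concrete limit and mirror it with `proxy-body-size` on the Ingress.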
@@ -243,9 +243,9 @@ metadata: spec: type: ClusterIP ports: - - name: http - port: 7700 - targetPort: http + - name: http + port: 7700 + targetPort: http selector: app.kubernetes.io/instance: wanderer app.kubernetes.io/name: wanderer-meilisearch @@ -261,9 +261,9 @@ metadata: spec: type: ClusterIP ports: - - name: http - port: 8090 - targetPort: http + - name: http + port: 8090 + targetPort: http selector: app.kubernetes.io/instance: wanderer app.kubernetes.io/name: wanderer-db @@ -279,9 +279,9 @@ metadata: spec: type: ClusterIP ports: - - name: http - port: 3000 - targetPort: http + - name: http + port: 3000 + targetPort: http selector: app.kubernetes.io/instance: wanderer app.kubernetes.io/name: wanderer-web @@ -298,7 +298,7 @@ metadata: # optional, only if you actually use external-dns: external-dns.alpha.kubernetes.io/hostname: wanderer.dooplex.hu nginx.ingress.kubernetes.io/configuration-snippet: | - if ($geoip2_city_country_code != "HU") { + if ($geoip2_country_code != "HU") { return 403 "Access restricted to Hungary"; } spec: @@ -360,7 +360,7 @@ metadata: recurring-job.longhorn.io/source: enabled spec: accessModes: - - ReadWriteOnce + - ReadWriteOnce storageClassName: longhorn resources: requests: @@ -378,8 +378,8 @@ metadata: recurring-job.longhorn.io/source: enabled spec: accessModes: - - ReadWriteOnce + - ReadWriteOnce storageClassName: longhorn resources: requests: - storage: 5Gi \ No newline at end of file + storage: 5Gi diff --git a/web-system/web.yaml b/web-system/web.yaml index 1cd7fef..718b278 100644 --- a/web-system/web.yaml +++ b/web-system/web.yaml @@ -245,7 +245,7 @@ metadata: nginx.ingress.kubernetes.io/auth-snippet: | proxy_set_header X-Forwarded-Host $http_host; nginx.ingress.kubernetes.io/configuration-snippet: | - if ($geoip2_city_country_code != "HU") { + if ($geoip2_country_code != "HU") { return 403 "Access restricted to Hungary"; } spec: 
@@ -312,7 +312,7 @@ spec: # Create public directory if it doesn't exist - name: init-public-dir image: busybox:1.36 - command: ['sh', '-c', 'mkdir -p /srv/public && chmod 755 /srv/public'] + command: ["sh", "-c", "mkdir -p /srv/public && chmod 755 /srv/public"] volumeMounts: - name: data mountPath: /srv @@ -474,7 +474,7 @@ metadata: cert-manager.io/cluster-issuer: letsencrypt-prod external-dns.alpha.kubernetes.io/hostname: web.dooplex.hu nginx.ingress.kubernetes.io/configuration-snippet: | - if ($geoip2_city_country_code != "HU") { + if ($geoip2_country_code != "HU") { return 403 "Access restricted to Hungary"; } spec: @@ -503,4 +503,4 @@ spec: service: name: static-server port: - name: http \ No newline at end of file + name: http diff --git a/workout-system/workout.yaml b/workout-system/workout.yaml index 55e208e..1cc6790 100644 --- a/workout-system/workout.yaml +++ b/workout-system/workout.yaml @@ -44,18 +44,18 @@ spec: app.kubernetes.io/name: wger-redis spec: containers: - - name: redis - image: redis:7.2-alpine - ports: - - containerPort: 6379 - name: redis - resources: - requests: - cpu: 50m - memory: 64Mi - limits: - cpu: 200m - memory: 128Mi + - name: redis + image: redis:7.2-alpine + ports: + - containerPort: 6379 + name: redis + resources: + requests: + cpu: 50m + memory: 64Mi + limits: + cpu: 200m + memory: 128Mi --- apiVersion: apps/v1 kind: Deployment 
@@ -82,158 +82,158 @@ spec: securityContext: fsGroup: 1000 containers: - - name: nginx - image: nginx:alpine - ports: - - containerPort: 80 - name: http - volumeMounts: - - name: static - mountPath: /home/wger/static - readOnly: true - - name: media - mountPath: /home/wger/media - readOnly: true - - name: nginx-config - mountPath: /etc/nginx/conf.d/default.conf - subPath: nginx.conf - - name: wger - image: ghcr.io/kisfenyo/wger-oidc:latest - imagePullPolicy: Always - env: - # Django settings - - name: SECRET_KEY - valueFrom: - secretKeyRef: - name: wger-app - key: secret-key - - name: SIGNING_KEY - valueFrom: - secretKeyRef: - name: wger-app - key: signing-key - - name: DJANGO_DEBUG - value: "False" - - name: WGER_INSTANCE - value: "https://workout.dooplex.hu" - - name: TIME_ZONE - value: "Europe/Budapest" - - name: DJANGO_SETTINGS_MODULE - value: "config.settings.production" - - name: DJANGO_CACHE_TIMEOUT - value: "120" - # Database - - name: DJANGO_DB_ENGINE - value: "django.db.backends.postgresql" - - name: DJANGO_DB_HOST - value: "postgresql-rw.database-system.svc.cluster.local" - - name: DJANGO_DB_PORT - value: "5432" - - name: DJANGO_DB_DATABASE - value: "wger" - - name: DJANGO_DB_USER - valueFrom: - secretKeyRef: - name: wger-db - key: username - - name: DJANGO_DB_PASSWORD - valueFrom: - secretKeyRef: - name: wger-db - key: password - # Cache - - name: DJANGO_CACHE_BACKEND - value: "django_redis.cache.RedisCache" - - name: DJANGO_CACHE_LOCATION - value: "redis://wger-redis:6379/1" - - name: DJANGO_CACHE_CLIENT_CLASS - value: "django_redis.client.DefaultClient" - # Celery - - name: CELERY_BROKER - value: "redis://wger-redis:6379/2" - - name: CELERY_BACKEND - value: "redis://wger-redis:6379/2" - - name: ENABLE_OIDC - value: "True" - - name: OIDC_RP_CLIENT_ID - value: "AXr6k4P1JcgKKMcvGeXOLwd69MJ1UVjz3fW80mEg" - - name: OIDC_RP_CLIENT_SECRET - value: 
"oaj4yWum0skWoAJVf4VvXSSnc4pdaWQbKtyPaMaG6prBN0av1b1w7bna6nUALoIXwSQWu9seFZl66XsYxaFWXVXcWyI6B63rl5saIFCifVg9hqkl6RlhxHL4X4u42pqd" - - name: OIDC_RP_SIGN_ALGO - value: "RS256" - - name: CSRF_TRUSTED_ORIGINS - value: "https://workout.dooplex.hu" - # Authentik Endpoints (Replace 'authentik.dooplex.hu' with your actual Authentik domain) - - name: OIDC_OP_LOGOUT_ENDPOINT - value: "https://authentik.dooplex.hu/application/o/workout/end-session/" - - name: OIDC_LOGIN_BUTTON_TEXT - value: "Login with Authentik" - - name: OIDC_ALLOW_CREATE_USER - value: "true" - - name: OIDC_OP_AUTHORIZATION_ENDPOINT - value: "https://authentik.dooplex.hu/application/o/authorize/" - - name: OIDC_OP_TOKEN_ENDPOINT - value: "https://authentik.dooplex.hu/application/o/token/" - - name: OIDC_OP_USER_ENDPOINT - value: "https://authentik.dooplex.hu/application/o/userinfo/" - - name: OIDC_OP_JWKS_ENDPOINT - value: "https://authentik.dooplex.hu/application/o/workout/jwks/" - # Email (disabled - no email sending) - - name: ENABLE_EMAIL - value: "False" - # Media settings - - name: DJANGO_MEDIA_ROOT - value: "/home/wger/media" - - name: DJANGO_STATIC_ROOT - value: "/home/wger/static" - # Features - - name: ALLOW_REGISTRATION - value: "False" - - name: ALLOW_GUEST_USERS - value: "False" - - name: ALLOW_UPLOAD_VIDEOS - value: "True" - - name: USE_RECAPTCHA - value: "False" - - name: DOWNLOAD_EXERCISE_IMAGES_ON_STARTUP - value: "True" - ports: - - containerPort: 8000 - name: http - resources: - requests: - cpu: 100m - memory: 256Mi - limits: - cpu: 1000m - memory: 1Gi - volumeMounts: - - name: media - mountPath: /home/wger/media - - name: static - mountPath: /home/wger/static - livenessProbe: - httpGet: - path: / - port: http - initialDelaySeconds: 120 - periodSeconds: 30 - readinessProbe: - httpGet: - path: / - port: http - initialDelaySeconds: 60 - periodSeconds: 10 + - name: nginx + image: nginx:alpine + ports: + - containerPort: 80 + name: http + volumeMounts: + - name: static + mountPath: 
/home/wger/static + readOnly: true + - name: media + mountPath: /home/wger/media + readOnly: true + - name: nginx-config + mountPath: /etc/nginx/conf.d/default.conf + subPath: nginx.conf + - name: wger + image: ghcr.io/kisfenyo/wger-oidc:latest + imagePullPolicy: Always + env: + # Django settings + - name: SECRET_KEY + valueFrom: + secretKeyRef: + name: wger-app + key: secret-key + - name: SIGNING_KEY + valueFrom: + secretKeyRef: + name: wger-app + key: signing-key + - name: DJANGO_DEBUG + value: "False" + - name: WGER_INSTANCE + value: "https://workout.dooplex.hu" + - name: TIME_ZONE + value: "Europe/Budapest" + - name: DJANGO_SETTINGS_MODULE + value: "config.settings.production" + - name: DJANGO_CACHE_TIMEOUT + value: "120" + # Database + - name: DJANGO_DB_ENGINE + value: "django.db.backends.postgresql" + - name: DJANGO_DB_HOST + value: "postgresql-rw.database-system.svc.cluster.local" + - name: DJANGO_DB_PORT + value: "5432" + - name: DJANGO_DB_DATABASE + value: "wger" + - name: DJANGO_DB_USER + valueFrom: + secretKeyRef: + name: wger-db + key: username + - name: DJANGO_DB_PASSWORD + valueFrom: + secretKeyRef: + name: wger-db + key: password + # Cache + - name: DJANGO_CACHE_BACKEND + value: "django_redis.cache.RedisCache" + - name: DJANGO_CACHE_LOCATION + value: "redis://wger-redis:6379/1" + - name: DJANGO_CACHE_CLIENT_CLASS + value: "django_redis.client.DefaultClient" + # Celery + - name: CELERY_BROKER + value: "redis://wger-redis:6379/2" + - name: CELERY_BACKEND + value: "redis://wger-redis:6379/2" + - name: ENABLE_OIDC + value: "True" + - name: OIDC_RP_CLIENT_ID + value: "AXr6k4P1JcgKKMcvGeXOLwd69MJ1UVjz3fW80mEg" + - name: OIDC_RP_CLIENT_SECRET + value: "oaj4yWum0skWoAJVf4VvXSSnc4pdaWQbKtyPaMaG6prBN0av1b1w7bna6nUALoIXwSQWu9seFZl66XsYxaFWXVXcWyI6B63rl5saIFCifVg9hqkl6RlhxHL4X4u42pqd" + - name: OIDC_RP_SIGN_ALGO + value: "RS256" + - name: CSRF_TRUSTED_ORIGINS + value: "https://workout.dooplex.hu" + # Authentik Endpoints (Replace 'authentik.dooplex.hu' with your 
actual Authentik domain) + - name: OIDC_OP_LOGOUT_ENDPOINT + value: "https://authentik.dooplex.hu/application/o/workout/end-session/" + - name: OIDC_LOGIN_BUTTON_TEXT + value: "Login with Authentik" + - name: OIDC_ALLOW_CREATE_USER + value: "true" + - name: OIDC_OP_AUTHORIZATION_ENDPOINT + value: "https://authentik.dooplex.hu/application/o/authorize/" + - name: OIDC_OP_TOKEN_ENDPOINT + value: "https://authentik.dooplex.hu/application/o/token/" + - name: OIDC_OP_USER_ENDPOINT + value: "https://authentik.dooplex.hu/application/o/userinfo/" + - name: OIDC_OP_JWKS_ENDPOINT + value: "https://authentik.dooplex.hu/application/o/workout/jwks/" + # Email (disabled - no email sending) + - name: ENABLE_EMAIL + value: "False" + # Media settings + - name: DJANGO_MEDIA_ROOT + value: "/home/wger/media" + - name: DJANGO_STATIC_ROOT + value: "/home/wger/static" + # Features + - name: ALLOW_REGISTRATION + value: "False" + - name: ALLOW_GUEST_USERS + value: "False" + - name: ALLOW_UPLOAD_VIDEOS + value: "True" + - name: USE_RECAPTCHA + value: "False" + - name: DOWNLOAD_EXERCISE_IMAGES_ON_STARTUP + value: "True" + ports: + - containerPort: 8000 + name: http + resources: + requests: + cpu: 100m + memory: 256Mi + limits: + cpu: 1000m + memory: 1Gi + volumeMounts: + - name: media + mountPath: /home/wger/media + - name: static + mountPath: /home/wger/static + livenessProbe: + httpGet: + path: / + port: http + initialDelaySeconds: 120 + periodSeconds: 30 + readinessProbe: + httpGet: + path: / + port: http + initialDelaySeconds: 60 + periodSeconds: 10 volumes: - - name: nginx-config - configMap: - name: wger-nginx-config - - name: media - persistentVolumeClaim: - claimName: wger-media - - name: static - persistentVolumeClaim: - claimName: wger-static + - name: nginx-config + configMap: + name: wger-nginx-config + - name: media + persistentVolumeClaim: + claimName: wger-media + - name: static + persistentVolumeClaim: + claimName: wger-static --- # Celery worker for background tasks 
apiVersion: apps/v1 
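Review bot: The wger container's `OIDC_RP_CLIENT_SECRET` (and `OIDC_RP_CLIENT_ID`) are literal values in the manifest while the database password and Django keys beside them come from `secretKeyRef`, so the Authentik client secret is committed to the repository in plaintext; move it into the `wger-app` Secret (`valueFrom: secretKeyRef: {name: wger-app, key: oidc-client-secret}`) and rotate it in Authentik, since a pushed secret has to be treated as exposed. The image `ghcr.io/kisfenyo/wger-oidc:latest` with `imagePullPolicy: Always` means each pod restart may pull different code with no record of what ran; pin a version tag or a digest as the other deployments in this commit do (`actual-server:26.1.0`, `vaultwarden/server:1.35.2`). The Deployment's pod-level `securityContext` and the rest of the spec begin before this hunk.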
@@ -259,58 +259,58 @@ spec: securityContext: fsGroup: 1000 containers: - - name: celery-worker - image: ghcr.io/kisfenyo/wger-oidc:latest - imagePullPolicy: Always - command: ["/start-worker"] - env: - - name: SECRET_KEY - valueFrom: - secretKeyRef: - name: wger-app - key: secret-key - - name: SIGNING_KEY - valueFrom: - secretKeyRef: - name: wger-app - key: signing-key - - name: DJANGO_DB_ENGINE - value: "django.db.backends.postgresql" - - name: DJANGO_DB_HOST - value: "postgresql-rw.database-system.svc.cluster.local" - - name: DJANGO_DB_PORT - value: "5432" - - name: DJANGO_DB_DATABASE - value: "wger" - - name: DJANGO_DB_USER - valueFrom: - secretKeyRef: - name: wger-db - key: username - - name: DJANGO_DB_PASSWORD - valueFrom: - secretKeyRef: - name: wger-db - key: password - - name: DJANGO_CACHE_TIMEOUT - value: "120" - - name: DJANGO_CACHE_CLIENT_CLASS - value: "django_redis.client.DefaultClient" - - name: CELERY_BROKER - value: "redis://wger-redis:6379/2" - - name: CELERY_BACKEND - value: "redis://wger-redis:6379/2" - - name: DJANGO_CACHE_BACKEND - value: "django_redis.cache.RedisCache" - - name: DJANGO_CACHE_LOCATION - value: "redis://wger-redis:6379/1" - resources: - requests: - cpu: 50m - memory: 128Mi - limits: - cpu: 500m - memory: 512Mi + - name: celery-worker + image: ghcr.io/kisfenyo/wger-oidc:latest + imagePullPolicy: Always + command: ["/start-worker"] + env: + - name: SECRET_KEY + valueFrom: + secretKeyRef: + name: wger-app + key: secret-key + - name: SIGNING_KEY + valueFrom: + secretKeyRef: + name: wger-app + key: signing-key + - name: DJANGO_DB_ENGINE + value: "django.db.backends.postgresql" + - name: DJANGO_DB_HOST + value: "postgresql-rw.database-system.svc.cluster.local" + - name: DJANGO_DB_PORT + value: "5432" + - name: DJANGO_DB_DATABASE + value: "wger" + - name: DJANGO_DB_USER + valueFrom: + secretKeyRef: + name: wger-db + key: username + - name: DJANGO_DB_PASSWORD + valueFrom: + secretKeyRef: + name: wger-db + key: password + - name: 
DJANGO_CACHE_TIMEOUT + value: "120" + - name: DJANGO_CACHE_CLIENT_CLASS + value: "django_redis.client.DefaultClient" + - name: CELERY_BROKER + value: "redis://wger-redis:6379/2" + - name: CELERY_BACKEND + value: "redis://wger-redis:6379/2" + - name: DJANGO_CACHE_BACKEND + value: "django_redis.cache.RedisCache" + - name: DJANGO_CACHE_LOCATION + value: "redis://wger-redis:6379/1" + resources: + requests: + cpu: 50m + memory: 128Mi + limits: + cpu: 500m + memory: 512Mi --- # Celery beat for scheduled tasks apiVersion: apps/v1 
@@ -336,54 +336,54 @@ spec: securityContext: fsGroup: 1000 containers: - - name: celery-beat - image: ghcr.io/kisfenyo/wger-oidc:latest - imagePullPolicy: Always - command: ["/start-beat"] - env: - - name: SECRET_KEY - valueFrom: - secretKeyRef: - name: wger-app - key: secret-key - - name: SIGNING_KEY - valueFrom: - secretKeyRef: - name: wger-app - key: signing-key - - name: DJANGO_CACHE_TIMEOUT - value: "120" - - name: DJANGO_CACHE_CLIENT_CLASS - value: "django_redis.client.DefaultClient" - - name: DJANGO_DB_ENGINE - value: "django.db.backends.postgresql" - - name: DJANGO_DB_HOST - value: "postgresql-rw.database-system.svc.cluster.local" - - name: DJANGO_DB_PORT - value: "5432" - - name: DJANGO_DB_DATABASE - value: "wger" - - name: DJANGO_DB_USER - valueFrom: - secretKeyRef: - name: wger-db - key: username - - name: DJANGO_DB_PASSWORD - valueFrom: - secretKeyRef: - name: wger-db - key: password - - name: CELERY_BROKER - value: "redis://wger-redis:6379/2" - - name: CELERY_BACKEND - value: "redis://wger-redis:6379/2" - resources: - requests: - cpu: 50m - memory: 64Mi - limits: - cpu: 200m - memory: 256Mi + - name: celery-beat + image: ghcr.io/kisfenyo/wger-oidc:latest + imagePullPolicy: Always + command: ["/start-beat"] + env: + - name: SECRET_KEY + valueFrom: + secretKeyRef: + name: wger-app + key: secret-key + - name: SIGNING_KEY + valueFrom: + secretKeyRef: + name: wger-app + key: signing-key + - name: DJANGO_CACHE_TIMEOUT + value: "120" + - name: DJANGO_CACHE_CLIENT_CLASS + value: "django_redis.client.DefaultClient" + - name: DJANGO_DB_ENGINE + value: "django.db.backends.postgresql" + - name: DJANGO_DB_HOST + value: "postgresql-rw.database-system.svc.cluster.local" + - name: DJANGO_DB_PORT + value: "5432" + - name: DJANGO_DB_DATABASE + value: "wger" + - name: DJANGO_DB_USER + valueFrom: + secretKeyRef: + name: wger-db + key: username + - name: DJANGO_DB_PASSWORD + valueFrom: + secretKeyRef: + name: wger-db + key: password + - name: CELERY_BROKER + value: 
"redis://wger-redis:6379/2" + - name: CELERY_BACKEND + value: "redis://wger-redis:6379/2" + resources: + requests: + cpu: 50m + memory: 64Mi + limits: + cpu: 200m + memory: 256Mi --- apiVersion: v1 kind: Service @@ -396,9 +396,9 @@ metadata: spec: type: ClusterIP ports: - - name: redis - port: 6379 - targetPort: redis + - name: redis + port: 6379 + targetPort: redis selector: app.kubernetes.io/instance: wger app.kubernetes.io/name: wger-redis @@ -414,9 +414,9 @@ metadata: spec: type: ClusterIP ports: - - name: http - port: 80 - targetPort: 80 + - name: http + port: 80 + targetPort: 80 selector: app.kubernetes.io/instance: wger app.kubernetes.io/name: wger @@ -436,36 +436,36 @@ metadata: nginx.ingress.kubernetes.io/ssl-redirect: "true" nginx.ingress.kubernetes.io/proxy-body-size: "100m" nginx.ingress.kubernetes.io/configuration-snippet: | - if ($geoip2_city_country_code != "HU") { + if ($geoip2_country_code != "HU") { return 403 "Access restricted to Hungary"; } spec: ingressClassName: nginx-internal rules: - - host: workout.dooplex.hu - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: wger - port: - number: 80 - - host: workout.home - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: wger - port: - number: 80 + - host: workout.dooplex.hu + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: wger + port: + number: 80 + - host: workout.home + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: wger + port: + number: 80 tls: - - hosts: - - workout.dooplex.hu - secretName: wger-tls + - hosts: + - workout.dooplex.hu + secretName: wger-tls --- apiVersion: v1 kind: PersistentVolumeClaim @@ -479,7 +479,7 @@ metadata: recurring-job.longhorn.io/source: enabled spec: accessModes: - - ReadWriteOnce + - ReadWriteOnce storageClassName: longhorn resources: requests: 
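Review bot: The corrected `$geoip2_country_code` check in the ingress `configuration-snippet` is only as strong as the client address nginx resolves it from, and nothing in the hunk shows how the `nginx-internal` controller learns that address. If the controller sits behind another proxy or tunnel, the lookup runs on the upstream hop's IP unless forwarded-header handling is enabled, and if forwarded headers are honoured from untrusted peers a spoofed `X-Forwarded-For` chooses the country, so that setting is worth confirming before relying on the 403. Note also that the condition fails closed: an address with no database entry (private ranges, which `workout.home` clients presumably use) leaves the variable empty, and empty `!= "HU"` still returns 403 — confirm that is the intended outcome for LAN access rather than an accidental lockout. As I recall, ingress-nginx defines `$geoip2_country_code` only when the GeoLite2-Country database is loaded (the City database yields the `_city_` variant), so the rename presumably matches the database the controller has; if not, nginx rejects the generated config rather than skipping the check. A one-line comment above the annotation would save the next reader the archaeology, e.g. `# needs use-geoip2 with GeoLite2-Country; addresses with no entry fail closed (403)`.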
@@ -495,7 +495,7 @@ metadata: app.kubernetes.io/name: wger-static spec: accessModes: - - ReadWriteOnce + - ReadWriteOnce storageClassName: longhorn resources: requests: @@ -536,4 +536,4 @@ data: proxy_set_header X-Forwarded-Proto $http_x_forwarded_proto; } } ---- \ No newline at end of file +--- diff --git a/zipline-system/zipline.yaml b/zipline-system/zipline.yaml index 9e87cd8..39cdc4f 100644 --- a/zipline-system/zipline.yaml +++ b/zipline-system/zipline.yaml @@ -131,7 +131,7 @@ metadata: nginx.ingress.kubernetes.io/ssl-redirect: "true" nginx.ingress.kubernetes.io/proxy-body-size: "100m" nginx.ingress.kubernetes.io/configuration-snippet: | - if ($geoip2_city_country_code != "HU") { + if ($geoip2_country_code != "HU") { return 403 "Access restricted to Hungary"; } spec: @@ -160,4 +160,4 @@ spec: service: name: zipline port: - number: 80 \ No newline at end of file + number: 80
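Review bot: The same geo-restriction snippet is copied verbatim into this ingress and the wger one (and, judging by the diffstat, likely others), and the fact that the variable name had to be fixed in every copy is the drift risk of per-ingress `configuration-snippet` policy. A `configuration-snippet` is also honoured only when the controller allows snippet annotations; recent ingress-nginx releases default `allow-snippet-annotations` to false and then either reject the ingress or drop the snippet depending on version, so it is worth verifying on the `nginx-internal` controller that the `return 403` actually appears in the rendered config. If the restriction is meant to be cluster-wide, a single controller-level setting would replace the copies and cannot silently diverge. Either way a short comment on the annotation stating that this is a coarse geo filter (trivially bypassed by a VPN) and not an authentication control, e.g. `# coarse geo filter only; app-level auth still required`, would set expectations for the next maintainer.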