diff --git a/argocd-apps/homelab.yaml b/argocd-apps/homelab.yaml
index c17b64b..add0414 100644
--- a/argocd-apps/homelab.yaml
+++ b/argocd-apps/homelab.yaml
@@ -811,4 +811,26 @@ spec: syncOptions: - CreateNamespace=true - PruneLast=true
+---
+# Opengist
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: Pastes
+ namespace: argocd
+ finalizers:
+ - resources-finalizer.argocd.argoproj.io
+spec:
+ project: homelab
+ source:
+ repoURL: https://gitea.dooplex.hu/admin/homelab-manifests.git
+ targetRevision: main
+ path: opengist-system
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: opengist-system
+ syncPolicy:
+ syncOptions:
+ - CreateNamespace=true
+ - PruneLast=true
+---
\ No newline at end of file
diff --git a/opengist-system/opengist.yaml b/opengist-system/opengist.yaml
new file mode 100644
index 0000000..f7ee188
--- /dev/null
+++ b/opengist-system/opengist.yaml
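Review bot: `name: Pastes` on the new Application contains an uppercase letter, and custom-resource names are validated by the API server as lowercase RFC 1123 subdomains, so this object should be rejected on apply rather than just look odd in the Argo CD UI. It also breaks the pattern the rest of this block follows, where the comment (`# Opengist`), the source path and the target namespace are all named after the workload. I would change it to `name: opengist`; if a friendlier display name is wanted, that belongs in the comment or an annotation, not in `metadata.name`.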
@@ -0,0 +1,199 @@
+# Opengist - Git-powered pastebin/gist service
+# https://github.com/thomiceli/opengist
+# Domain: paste.dooplex.hu
+# Auth: Native OIDC with Authentik
+#
+# Authentik Setup:
+# 1. Create OAuth2/OIDC Provider:
+# - Name: opengist
+# - Client Type: Confidential
+# - Redirect URIs: https://paste.dooplex.hu/oauth/oidc/callback
+# - Scopes: openid, email, profile
+# 2. Create Application linked to this provider
+# 3. Create secret with OIDC credentials:
+# kubectl create secret generic opengist-oidc \
+# --from-literal=client-id=YOUR_CLIENT_ID \
+# --from-literal=client-secret=YOUR_CLIENT_SECRET \
+# -n opengist-system
+#
+# Features:
+# - Anyone can VIEW public gists (no login required)
+# - Only authenticated users can CREATE gists
+# - Each gist is a git repository (versioning, clone via git/ssh)
+# - Syntax highlighting, markdown rendering
+# - Public/Unlisted/Private visibility options
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: opengist-system
+ labels:
+ app.kubernetes.io/name: opengist
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: opengist
+ namespace: opengist-system
+ labels:
+ app.kubernetes.io/name: opengist
+ app.kubernetes.io/instance: opengist
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: opengist
+ app.kubernetes.io/instance: opengist
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: opengist
+ app.kubernetes.io/instance: opengist
+ spec:
+ containers:
+ - name: opengist
+ image: ghcr.io/thomiceli/opengist:1.11.1
+ env:
+ # Base configuration
+ - name: OG_EXTERNAL_URL
+ value: "https://paste.dooplex.hu"
+ - name: OG_LOG_LEVEL
+ value: "info"
+ # Security settings
+ - name: OG_DISABLE_SIGNUP
+ value: "true" # No local registration - OIDC only
+ - name: OG_REQUIRE_LOGIN
+ value: "false" # Anyone can VIEW gists
+ - name: OG_DISABLE_LOGIN_FORM
+ value: "true" # Hide local login, show only OIDC
+ - name: OG_DISABLE_GRAVATAR
+ value: "false"
+ # 
OIDC Configuration (Authentik)
+ - name: OG_OIDC_CLIENT_KEY
+ valueFrom:
+ secretKeyRef:
+ name: opengist-oidc
+ key: client-id
+ - name: OG_OIDC_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: opengist-oidc
+ key: client-secret
+ - name: OG_OIDC_DISCOVERY_URL
+ value: "https://authentik.dooplex.hu/application/o/opengist/.well-known/openid-configuration"
+ # Custom branding
+ - name: OG_CUSTOM_NAME
+ value: "Dooplex Paste"
+ ports:
+ - containerPort: 6157
+ name: http
+ - containerPort: 2222
+ name: ssh
+ resources:
+ requests:
+ cpu: 50m
+ memory: 64Mi
+ limits:
+ cpu: 500m
+ memory: 256Mi
+ volumeMounts:
+ - name: data
+ mountPath: /opengist
+ livenessProbe:
+ httpGet:
+ path: /healthcheck
+ port: http
+ initialDelaySeconds: 10
+ periodSeconds: 30
+ readinessProbe:
+ httpGet:
+ path: /healthcheck
+ port: http
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ volumes:
+ - name: data
+ persistentVolumeClaim:
+ claimName: opengist-data
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: opengist
+ namespace: opengist-system
+ labels:
+ app.kubernetes.io/name: opengist
+ app.kubernetes.io/instance: opengist
+spec:
+ type: ClusterIP
+ ports:
+ - name: http
+ port: 80
+ targetPort: http
+ - name: ssh
+ port: 2222
+ targetPort: ssh
+ selector:
+ app.kubernetes.io/name: opengist
+ app.kubernetes.io/instance: opengist
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: opengist
+ namespace: opengist-system
+ labels:
+ app.kubernetes.io/name: opengist
+ app.kubernetes.io/instance: opengist
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt-prod
+ external-dns.alpha.kubernetes.io/hostname: paste.dooplex.hu,paste.home
+ nginx.ingress.kubernetes.io/ssl-redirect: "true"
+ nginx.ingress.kubernetes.io/proxy-body-size: "100m"
+spec:
+ ingressClassName: nginx-internal
+ rules:
+ - host: paste.dooplex.hu
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: opengist
+ port:
+ number: 80
+ - host: paste.home
+ http:
+ paths:
+ - 
path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: opengist
+ port:
+ number: 80
+ tls:
+ - hosts:
+ - paste.dooplex.hu
+ secretName: opengist-tls
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: opengist-data
+ namespace: opengist-system
+ labels:
+ app.kubernetes.io/name: opengist
+ app.kubernetes.io/instance: opengist
+ recurring-job-group.longhorn.io/needbackup: enabled
+ recurring-job.longhorn.io/source: enabled
+spec:
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: longhorn
+ resources:
+ requests:
+ storage: 5Gi
\ No newline at end of file
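Review bot: The Deployment's pod spec carries no hardening at all: the container has no `securityContext`, and the default service-account token is mounted even though nothing in this manifest suggests Opengist talks to the Kubernetes API. For a git-backed service that stores user-supplied content, I would at least set `automountServiceAccountToken: false`, `allowPrivilegeEscalation: false` and a `RuntimeDefault` seccomp profile, as sketched below. I have deliberately left out `runAsNonRoot` and `capabilities.drop`: if I remember the upstream image correctly its entrypoint takes UID/GID variables and switches user itself, so confirm which user the process actually ends up as before tightening further. Separately, the header comment advertises clone via git/ssh, but the Service is ClusterIP-only, so port 2222 is not reachable from outside the cluster as written; either expose it or drop that line from the comment.

```yaml
    spec:
      automountServiceAccountToken: false  # nothing here needs the Kubernetes API
      containers:
        - name: opengist
          image: ghcr.io/thomiceli/opengist:1.11.1
          securityContext:
            allowPrivilegeEscalation: false
            seccompProfile:
              type: RuntimeDefault
          # … unchanged: env, ports, resources, volumeMounts, probes …
      # … unchanged: volumes …
```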