added opengist

2026-01-04 10:34:47 +01:00
parent f0b14affb3
commit c159c378f0
2 changed files with 221 additions and 0 deletions
@@ -0,0 +1,199 @@
+# Opengist - Git-powered pastebin/gist service
+# https://github.com/thomiceli/opengist
+# Domain: paste.dooplex.hu
+# Auth: Native OIDC with Authentik
+#
+# Authentik Setup:
+# 1. Create OAuth2/OIDC Provider:
+#    - Name: opengist
+#    - Client Type: Confidential
+#    - Redirect URIs: https://paste.dooplex.hu/oauth/oidc/callback
+#    - Scopes: openid, email, profile
+# 2. Create Application linked to this provider
+# 3. Create secret with OIDC credentials:
+#    kubectl create secret generic opengist-oidc \
+#      --from-literal=client-id=YOUR_CLIENT_ID \
+#      --from-literal=client-secret=YOUR_CLIENT_SECRET \
+#      -n opengist-system
+#
+# Features:
+# - Anyone can VIEW public gists (no login required)
+# - Only authenticated users can CREATE gists
+# - Each gist is a git repository (versioning, clone via git/ssh)
+# - Syntax highlighting, markdown rendering
+# - Public/Unlisted/Private visibility options
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: opengist-system
+  labels:
+    app.kubernetes.io/name: opengist
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: opengist
+  namespace: opengist-system
+  labels:
+    app.kubernetes.io/name: opengist
+    app.kubernetes.io/instance: opengist
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: opengist
+      app.kubernetes.io/instance: opengist
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: opengist
+        app.kubernetes.io/instance: opengist
+    spec:
+      containers:
+      - name: opengist
+        image: ghcr.io/thomiceli/opengist:1.11.1
+        env:
+        # Base configuration
+        - name: OG_EXTERNAL_URL
+          value: "https://paste.dooplex.hu"
+        - name: OG_LOG_LEVEL
+          value: "info"
+        # Security settings
+        - name: OG_DISABLE_SIGNUP
+          value: "true"           # No local registration - OIDC only
+        - name: OG_REQUIRE_LOGIN
+          value: "false"          # Anyone can VIEW gists
+        - name: OG_DISABLE_LOGIN_FORM
+          value: "true"           # Hide local login, show only OIDC
+        - name: OG_DISABLE_GRAVATAR
+          value: "false"
+        # OIDC Configuration (Authentik)
+        - name: OG_OIDC_CLIENT_KEY
+          valueFrom:
+            secretKeyRef:
+              name: opengist-oidc
+              key: client-id
+        - name: OG_OIDC_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: opengist-oidc
+              key: client-secret
+        - name: OG_OIDC_DISCOVERY_URL
+          value: "https://authentik.dooplex.hu/application/o/opengist/.well-known/openid-configuration"
+        # Custom branding
+        - name: OG_CUSTOM_NAME
+          value: "Dooplex Paste"
+        ports:
+        - containerPort: 6157
+          name: http
+        - containerPort: 2222
+          name: ssh
+        resources:
+          requests:
+            cpu: 50m
+            memory: 64Mi
+          limits:
+            cpu: 500m
+            memory: 256Mi
+        volumeMounts:
+        - name: data
+          mountPath: /opengist
+        livenessProbe:
+          httpGet:
+            path: /healthcheck
+            port: http
+          initialDelaySeconds: 10
+          periodSeconds: 30
+        readinessProbe:
+          httpGet:
+            path: /healthcheck
+            port: http
+          initialDelaySeconds: 5
+          periodSeconds: 10
+      volumes:
+      - name: data
+        persistentVolumeClaim:
+          claimName: opengist-data
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: opengist
+  namespace: opengist-system
+  labels:
+    app.kubernetes.io/name: opengist
+    app.kubernetes.io/instance: opengist
+spec:
+  type: ClusterIP
+  ports:
+  - name: http
+    port: 80
+    targetPort: http
+  - name: ssh
+    port: 2222
+    targetPort: ssh
+  selector:
+    app.kubernetes.io/name: opengist
+    app.kubernetes.io/instance: opengist
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: opengist
+  namespace: opengist-system
+  labels:
+    app.kubernetes.io/name: opengist
+    app.kubernetes.io/instance: opengist
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    external-dns.alpha.kubernetes.io/hostname: paste.dooplex.hu,paste.home
+    nginx.ingress.kubernetes.io/ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/proxy-body-size: "100m"
+spec:
+  ingressClassName: nginx-internal
+  rules:
+  - host: paste.dooplex.hu
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: opengist
+            port:
+              number: 80
+  - host: paste.home
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: opengist
+            port:
+              number: 80
+  tls:
+  - hosts:
+    - paste.dooplex.hu
+    secretName: opengist-tls
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: opengist-data
+  namespace: opengist-system
+  labels:
+    app.kubernetes.io/name: opengist
+    app.kubernetes.io/instance: opengist
+    recurring-job-group.longhorn.io/needbackup: enabled
+    recurring-job.longhorn.io/source: enabled
+spec:
+  accessModes:
+  - ReadWriteOnce
+  storageClassName: longhorn
+  resources:
+    requests:
+      storage: 5Gi