From da1e8045d0315e9659ed63763919df706c91eddd Mon Sep 17 00:00:00 2001 From: kisfenyo Date: Fri, 5 Jun 2026 12:36:33 +0200 Subject: [PATCH] feat(office): add BentoPDF (pdf.dooplex.hu) Privacy-focused, client-side PDF toolkit deployed into the office-system namespace alongside OnlyOffice. Stateless (no DB/PVC); nginx-internal ingress with HU geo-restriction and letsencrypt-prod TLS. Auto-synced by the existing `office` ArgoCD Application. Co-Authored-By: Claude Opus 4.8 (1M context) --- office-system/bentopdf.yaml | 135 ++++++++++++++++++++++++++++++++++++ 1 file changed, 135 insertions(+) create mode 100644 office-system/bentopdf.yaml diff --git a/office-system/bentopdf.yaml b/office-system/bentopdf.yaml new file mode 100644 index 0000000..4226099 --- /dev/null +++ b/office-system/bentopdf.yaml @@ -0,0 +1,135 @@ +# BentoPDF - Privacy-focused PDF toolkit (all processing client-side, files never leave the server) +# https://www.bentopdf.com - image: ghcr.io/alam00000/bentopdf +# Domain: pdf.dooplex.hu +# Version: 2.8.5 +# Database: None | Storage: None (stateless) +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: bentopdf + namespace: office-system + labels: + app.kubernetes.io/name: bentopdf + app.kubernetes.io/instance: bentopdf + app.kubernetes.io/version: "2.8.5" +spec: + replicas: 1 + strategy: + type: Recreate + selector: + matchLabels: + app.kubernetes.io/name: bentopdf + app.kubernetes.io/instance: bentopdf + template: + metadata: + labels: + app.kubernetes.io/name: bentopdf + app.kubernetes.io/instance: bentopdf + app.kubernetes.io/version: "2.8.5" + annotations: + match-regex.version-checker.io/bentopdf: '^v\d+\.\d+\.\d+$' + spec: + containers: + - name: bentopdf + image: ghcr.io/alam00000/bentopdf:v2.8.5 + imagePullPolicy: IfNotPresent + env: + - name: TZ + value: "Europe/Budapest" + ports: + - name: http + containerPort: 8080 + protocol: TCP + livenessProbe: + httpGet: + path: / + port: http + initialDelaySeconds: 15 + periodSeconds: 30 + timeoutSeconds: 5 + failureThreshold: 3 + readinessProbe: + httpGet: + path: / + port: http + initialDelaySeconds: 5 + periodSeconds: 10 + timeoutSeconds: 3 + failureThreshold: 3 + resources: + requests: + cpu: 50m + memory: 128Mi + limits: + cpu: 500m + memory: 384Mi + restartPolicy: Always +--- +apiVersion: v1 +kind: Service +metadata: + name: bentopdf + namespace: office-system + labels: + app.kubernetes.io/name: bentopdf + app.kubernetes.io/instance: bentopdf +spec: + type: ClusterIP + ports: + - name: http + port: 8080 + targetPort: http + protocol: TCP + selector: + app.kubernetes.io/name: bentopdf + app.kubernetes.io/instance: bentopdf +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: bentopdf + namespace: office-system + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod + external-dns.alpha.kubernetes.io/hostname: pdf.dooplex.hu,pdf.home + nginx.ingress.kubernetes.io/ssl-redirect: "true" + nginx.ingress.kubernetes.io/proxy-body-size: "100m" + nginx.ingress.kubernetes.io/configuration-snippet: | + set $geo_allowed 0; + if ($remote_addr ~ "^192\.168\.") { set $geo_allowed 1; } + if ($remote_addr ~ "^10\.") { set $geo_allowed 1; } + if ($geoip2_country_code = "HU") { set $geo_allowed 1; } + if ($geo_allowed = 0) { + return 403 "Access restricted to Hungary"; + } + labels: + app.kubernetes.io/name: bentopdf + app.kubernetes.io/instance: bentopdf +spec: + ingressClassName: nginx-internal + tls: + - hosts: + - pdf.dooplex.hu + secretName: bentopdf-tls + rules: + - host: pdf.dooplex.hu + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: bentopdf + port: + number: 8080 + - host: pdf.home + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: bentopdf + port: + number: 8080