# Wanderer - Self-hosted trail manager
# https://github.com/Flomp/wanderer
# Version: v0.19.2 (matches the flomp/wanderer-db and flomp/wanderer-web image
#          tags below; an earlier revision of this header said v0.18.13)
# Domain: wanderer.dooplex.hu
# Auth: OAuth configured via PocketBase admin UI
#
# wanderer uses PocketBase as its backend, which supports OAuth2/OIDC
# configured through the PocketBase admin panel.
#
# Components defined in this file (all in namespace wanderer-system):
#   - wanderer-meilisearch  search index, ClusterIP only, PVC-backed
#   - wanderer-db           PocketBase backend, exposed on pb.wanderer.dooplex.hu
#   - wanderer-web          SvelteKit frontend, exposed on wanderer.dooplex.hu
# Out-of-band prerequisite: a Secret named "wanderer-app" with the keys
# "meili-master-key" and "pocketbase-encryption-key" must exist in the
# namespace before the Deployments can start; it is NOT created by this file.
#
# Setup steps after deployment:
# 1. Access PocketBase admin: https://wanderer.dooplex.hu/api/_/
#    NOTE(review): the backend is also published directly on
#    https://pb.wanderer.dooplex.hu (second Ingress below) — confirm which
#    host/path actually serves the admin UI in this topology.
# 2. Create admin account on first access
# 3. Go to Settings > Auth providers
# 4. Add OpenID Connect provider:
#    - Client ID: from Authentik
#    - Client Secret: from Authentik
#    - Auth URL: https://authentik.dooplex.hu/application/o/authorize/
#    - Token URL: https://authentik.dooplex.hu/application/o/token/
#    - User info URL: https://authentik.dooplex.hu/application/o/userinfo/
#
# Authentik Setup:
# 1. Create OAuth2/OIDC Provider:
#    - Name: wanderer
#    - Client Type: Confidential
#    - Redirect URIs: https://wanderer.dooplex.hu/api/oauth2-redirect
#      NOTE(review): PUBLIC_POCKETBASE_URL below points browsers at
#      pb.wanderer.dooplex.hu — verify the redirect URI PocketBase actually
#      reports for the provider and register exactly that one (an exact
#      match is what keeps the OAuth code from being delivered elsewhere).
#    - Scopes: openid, email, profile
# 2. Create Application linked to this provider
---
apiVersion: v1
kind: Namespace
metadata:
  name: wanderer-system
  labels:
    app.kubernetes.io/name: wanderer
---
# Meilisearch: full-text index used by both wanderer-db and wanderer-web.
# Never exposed by an Ingress; only reachable via the ClusterIP Service below.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: wanderer-meilisearch
  namespace: wanderer-system
  labels:
    app.kubernetes.io/instance: wanderer
    app.kubernetes.io/name: wanderer-meilisearch
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/instance: wanderer
      app.kubernetes.io/name: wanderer-meilisearch
  # Recreate: the backing PVC is ReadWriteOnce, so two pods can never share it.
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app.kubernetes.io/instance: wanderer
        app.kubernetes.io/name: wanderer-meilisearch
    spec:
      # NOTE(review): no pod/container securityContext is set anywhere in this
      # file (runAsNonRoot, readOnlyRootFilesystem, drop capabilities). Whether
      # these images tolerate that depends on their default UIDs — verify
      # before enabling.
      containers:
        - name: meilisearch
          image: getmeili/meilisearch:v1.11.3
          env:
            # Master key guards every Meilisearch API call; sourced from the
            # externally managed "wanderer-app" Secret, never inlined here.
            - name: MEILI_MASTER_KEY
              valueFrom:
                secretKeyRef:
                  name: wanderer-app
                  key: meili-master-key
            # "production" mode makes Meilisearch require the master key.
            - name: MEILI_ENV
              value: "production"
            - name: MEILI_NO_ANALYTICS
              value: "true"
          ports:
            - containerPort: 7700
              name: http
          resources:
            requests:
              cpu: 100m
              memory: 256Mi
            limits:
              cpu: 500m
              memory: 512Mi
          volumeMounts:
            - name: meili-data
              mountPath: /meili_data
          livenessProbe:
            httpGet:
              path: /health
              port: http
            initialDelaySeconds: 30
            periodSeconds: 30
          readinessProbe:
            httpGet:
              path: /health
              port: http
            initialDelaySeconds: 10
            periodSeconds: 10
      volumes:
        - name: meili-data
          persistentVolumeClaim:
            claimName: wanderer-meilisearch
---
# PocketBase backend (wanderer-db). Holds user accounts, OAuth provider
# config and all application data on the wanderer-db PVC.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: wanderer-db
  namespace: wanderer-system
  labels:
    app.kubernetes.io/instance: wanderer
    app.kubernetes.io/name: wanderer-db
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/instance: wanderer
      app.kubernetes.io/name: wanderer-db
  # Recreate: single-writer SQLite data on a ReadWriteOnce PVC.
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app.kubernetes.io/instance: wanderer
        app.kubernetes.io/name: wanderer-db
    spec:
      containers:
        - name: pocketbase
          image: flomp/wanderer-db:v0.19.2
          env:
            # Public origin of the frontend; used for absolute URLs/redirects.
            - name: ORIGIN
              value: "https://wanderer.dooplex.hu"
            # In-cluster plain-http hop to the Meilisearch Service.
            - name: MEILI_URL
              value: "http://wanderer-meilisearch:7700"
            - name: MEILI_MASTER_KEY
              valueFrom:
                secretKeyRef:
                  name: wanderer-app
                  key: meili-master-key
            # Encrypts PocketBase's stored settings (incl. the OAuth client
            # secret entered in the admin UI). Losing this key makes the
            # stored settings unreadable — back it up alongside the PVC.
            - name: POCKETBASE_ENCRYPTION_KEY
              valueFrom:
                secretKeyRef:
                  name: wanderer-app
                  key: pocketbase-encryption-key
          ports:
            - containerPort: 8090
              name: http
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              cpu: 500m
              memory: 512Mi
          volumeMounts:
            - name: pb-data
              mountPath: /pb_data
          livenessProbe:
            httpGet:
              path: /api/health
              port: http
            initialDelaySeconds: 30
            periodSeconds: 30
          readinessProbe:
            httpGet:
              path: /api/health
              port: http
            initialDelaySeconds: 10
            periodSeconds: 10
      volumes:
        - name: pb-data
          persistentVolumeClaim:
            claimName: wanderer-db
---
# SvelteKit frontend (wanderer-web). Talks to PocketBase and Meilisearch over
# plain http inside the cluster; browsers reach PocketBase via
# PUBLIC_POCKETBASE_URL.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: wanderer-web
  namespace: wanderer-system
  labels:
    app.kubernetes.io/instance: wanderer
    app.kubernetes.io/name: wanderer-web
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/instance: wanderer
      app.kubernetes.io/name: wanderer-web
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app.kubernetes.io/instance: wanderer
        app.kubernetes.io/name: wanderer-web
    spec:
      containers:
        - name: wanderer-web
          image: flomp/wanderer-web:v0.19.2
          env:
            # SECURITY(review): "0" disables TLS certificate verification for
            # EVERY outbound HTTPS connection made by this Node process
            # (OAuth/userinfo calls included), not just one endpoint. The
            # backend URLs configured here are plain http and the public
            # hosts use cert-manager/letsencrypt-prod certificates, so no
            # endpoint in this file appears to need it. Remove unless a
            # specific self-signed upstream is identified; a CA bundle via
            # NODE_EXTRA_CA_CERTS would be the scoped alternative.
            - name: NODE_TLS_REJECT_UNAUTHORIZED
              value: "0"
            # Heap cap sized just under the 8Gi memory limit below.
            - name: NODE_OPTIONS
              value: "--max-old-space-size=7168"
            - name: ORIGIN
              value: "https://wanderer.dooplex.hu"
            # Server-side (in-cluster) PocketBase address.
            - name: POCKETBASE_URL
              value: "http://wanderer-db:8090"
            # Browser-facing PocketBase address; served by the second Ingress.
            - name: PUBLIC_POCKETBASE_URL
              value: "https://pb.wanderer.dooplex.hu"
            - name: MEILI_URL
              value: "http://wanderer-meilisearch:7700"
            # NOTE(review): the frontend receives the Meilisearch *master* key,
            # the same one wanderer-db uses. If the web tier only performs
            # searches, a search-scoped Meilisearch API key would be the
            # least-privilege choice — confirm what the app requires.
            - name: MEILI_MASTER_KEY
              valueFrom:
                secretKeyRef:
                  name: wanderer-app
                  key: meili-master-key
            # Self-registration is off; accounts come via the OAuth provider
            # or the PocketBase admin UI.
            - name: PUBLIC_DISABLE_SIGNUP
              value: "true"
            # No application-level request body cap. For traffic through the
            # Ingress the proxy-body-size "100m" annotation below is the only
            # limit; in-cluster callers hitting the Service directly have none.
            - name: BODY_SIZE_LIMIT
              value: "Infinity"
          ports:
            - containerPort: 3000
              name: http
          resources:
            requests:
              cpu: 50m
              memory: 64Mi
            # No CPU limit is set (intentional or not); memory is capped at 8Gi.
            limits:
              memory: 8Gi
          # Readiness only — unlike the other two Deployments there is no
          # livenessProbe, so a hung Node process is removed from the Service
          # but never restarted.
          readinessProbe:
            tcpSocket:
              port: 3000
            initialDelaySeconds: 5
            periodSeconds: 10
            timeoutSeconds: 1
            failureThreshold: 3
---
apiVersion: v1
kind: Service
metadata:
  name: wanderer-meilisearch
  namespace: wanderer-system
  labels:
    app.kubernetes.io/instance: wanderer
    app.kubernetes.io/name: wanderer-meilisearch
spec:
  type: ClusterIP
  ports:
    - name: http
      port: 7700
      targetPort: http
  selector:
    app.kubernetes.io/instance: wanderer
    app.kubernetes.io/name: wanderer-meilisearch
---
apiVersion: v1
kind: Service
metadata:
  name: wanderer-db
  namespace: wanderer-system
  labels:
    app.kubernetes.io/instance: wanderer
    app.kubernetes.io/name: wanderer-db
spec:
  type: ClusterIP
  ports:
    - name: http
      port: 8090
      targetPort: http
  selector:
    app.kubernetes.io/instance: wanderer
    app.kubernetes.io/name: wanderer-db
---
apiVersion: v1
kind: Service
metadata:
  name: wanderer-web
  namespace: wanderer-system
  labels:
    app.kubernetes.io/instance: wanderer
    app.kubernetes.io/name: wanderer-web
spec:
  type: ClusterIP
  ports:
    - name: http
      port: 3000
      targetPort: http
  selector:
    app.kubernetes.io/instance: wanderer
    app.kubernetes.io/name: wanderer-web
---
# Frontend Ingress. Access is restricted by the configuration-snippet to
# 192.168.0.0/16, 10.0.0.0/8 and clients geolocated to HU; everything else
# gets 403.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: wanderer-web
  namespace: wanderer-system
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: "100m"
    # optional, only if you actually use external-dns:
    external-dns.alpha.kubernetes.io/hostname: wanderer.dooplex.hu
    # NOTE(review) on the snippet below:
    #  - It trusts $remote_addr as the client address. If another proxy or
    #    load balancer sits in front of ingress-nginx, $remote_addr is that
    #    hop's address and the allowlist/geo check no longer sees the real
    #    client — confirm the controller's real-IP configuration.
    #  - $geoip2_country_code only exists when the controller has GeoIP2
    #    enabled; otherwise the comparison is against an empty value.
    #  - Recent ingress-nginx releases ship with snippet annotations disabled
    #    by default; the controller must explicitly allow them or this rule
    #    is silently not applied.
    #  - Only 192.168/16 and 10/8 are allowlisted; 172.16/12 is not.
    nginx.ingress.kubernetes.io/configuration-snippet: |
      set $geo_allowed 0;
      if ($remote_addr ~ "^192\.168\.") { set $geo_allowed 1; }
      if ($remote_addr ~ "^10\.") { set $geo_allowed 1; }
      if ($geoip2_country_code = "HU") { set $geo_allowed 1; }
      if ($geo_allowed = 0) { return 403 "Access restricted to Hungary"; }
spec:
  ingressClassName: nginx-internal
  tls:
    - hosts:
        - wanderer.dooplex.hu
      secretName: wanderer-web-tls
  rules:
    - host: wanderer.dooplex.hu
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: wanderer-web
                port:
                  number: 3000
---
# PocketBase Ingress (API + admin UI).
# SECURITY(review): this host carries no configuration-snippet, so the
# geo/private-range restriction applied to wanderer.dooplex.hu above does NOT
# cover the backend — the PocketBase API and admin login are reachable from
# any client that can reach the nginx-internal ingress class. If the
# restriction on the frontend is meant as an access-control boundary, the
# same rule (or an equivalent whitelist-source-range) belongs here too.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: wanderer-pocketbase
  namespace: wanderer-system
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: "100m"
    # optional, only if you actually use external-dns:
    external-dns.alpha.kubernetes.io/hostname: pb.wanderer.dooplex.hu
spec:
  ingressClassName: nginx-internal
  tls:
    - hosts:
        - pb.wanderer.dooplex.hu
      secretName: wanderer-pb-tls
  rules:
    - host: pb.wanderer.dooplex.hu
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: wanderer-db
                port:
                  number: 8090
---
# Longhorn-backed storage. The recurring-job labels opt both volumes into the
# cluster's backup/snapshot jobs.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: wanderer-meilisearch
  namespace: wanderer-system
  labels:
    app.kubernetes.io/instance: wanderer
    app.kubernetes.io/name: wanderer-meilisearch
    recurring-job-group.longhorn.io/needbackup: enabled
    recurring-job.longhorn.io/source: enabled
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: longhorn
  resources:
    requests:
      storage: 5Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: wanderer-db
  namespace: wanderer-system
  labels:
    app.kubernetes.io/instance: wanderer
    app.kubernetes.io/name: wanderer-db
    recurring-job-group.longhorn.io/needbackup: enabled
    recurring-job.longhorn.io/source: enabled
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: longhorn
  resources:
    requests:
      storage: 5Gi