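# =============================================================================
# Révfülöp Nyaraló Naptár - Kubernetes Deployment
# =============================================================================
# Domain: revfulop.dooplex.hu
# Namespace: orsi-system (shared with Orsi's Glance dashboard)
#
# AUTH OPTIONS (pick one):
#   Option A: No auth (public, geo-blocked to HU only)
#             - remove the SIMPLE_AUTH_PASSWORD env entry from the Deployment
#   Option B: Simple password auth - ACTIVE below
#             - SIMPLE_AUTH_PASSWORD is read from a Kubernetes Secret
#   Option C: Authentik proxy - use the alternate ingress at the bottom
#
# The geo-block in the Ingress is a network filter, not authentication:
# with Option A anyone who passes the filter can use the site.
#
# BUILD & PUSH (the tag must match the image: field of the Deployment):
#   docker build -t gitea.dooplex.hu/admin/revfulop-calendar:1.6.2 .
#   docker push gitea.dooplex.hu/admin/revfulop-calendar:1.6.2
# =============================================================================
---
apiVersion: apps/v1
kind: Deployment
metadata:
  labels:
    app.kubernetes.io/instance: revfulop-calendar
    app.kubernetes.io/name: revfulop-calendar
    app.kubernetes.io/version: "1.6.2"
  name: revfulop-calendar
  namespace: orsi-system
spec:
  # Single replica with Recreate: the old pod is stopped before the new one
  # starts, so only one pod at a time mounts the ReadWriteOnce data volume.
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/instance: revfulop-calendar
      app.kubernetes.io/name: revfulop-calendar
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app.kubernetes.io/instance: revfulop-calendar
        app.kubernetes.io/name: revfulop-calendar
        app.kubernetes.io/version: "1.6.2"
    spec:
      securityContext:
        # Mounted volumes are made group-accessible to GID 1000.
        fsGroup: 1000
      containers:
        - name: revfulop-calendar
          # NOTE(review): the image is referenced by a mutable tag and pulled
          # IfNotPresent, so a re-pushed 1.6.2 is not picked up by nodes that
          # already cache it. Consider pinning by digest
          # (revfulop-calendar@sha256:<digest>) for reproducible deploys.
          image: gitea.dooplex.hu/admin/revfulop-calendar:1.6.2
          imagePullPolicy: IfNotPresent
          securityContext:
            # The process cannot gain privileges beyond those it starts with.
            # NOTE(review): runAsNonRoot, readOnlyRootFilesystem and
            # capabilities.drop [ALL] are worth adding once the image's
            # user and write paths are confirmed.
            allowPrivilegeEscalation: false
          env:
            - name: TZ
              value: Europe/Budapest
            - name: PORT
              value: "3000"
            - name: DB_PATH
              value: /data/revfulop.db
            # UI font sizes (in px) — change and restart pod, no rebuild needed
            - name: UI_FONT_SIZE
              value: "17"  # body text (default: 15)
            - name: UI_TITLE_SIZE
              value: "34"  # main title (default: 32)
            - name: UI_CALENDAR_SIZE
              value: "16"  # calendar day numbers (default: 14)
            - name: UI_BUTTON_SIZE
              value: "16"  # buttons, inputs, dropdowns (default: 14)
            # Optional: customize site branding
            - name: UI_SITE_NAME
              value: "Nyaraló Naptár"
            - name: UI_SITE_SUBTITLE
              value: "Révfülöp · Balaton"
            - name: UI_LOGIN_TAGLINE
              value: "A mi nyaralónk, a mi naptárunk."
            # ------------------------------------------------------------------
            # Option B: Simple password auth
            # Everyone uses the same shared family password to access the site.
            #
            # The password is not stored in this manifest. Create the Secret
            # once, out of band (Secret name and key are introduced by this
            # manifest; rename both places together if you change them):
            #
            #   kubectl -n orsi-system create secret generic \
            #     revfulop-calendar-auth \
            #     --from-literal=password='<new-family-password>'
            #
            # A literal password was previously committed in this file; treat
            # that value as exposed and choose a new one.
            #
            # The reference is deliberately not "optional": without the Secret
            # the pod does not start, instead of presumably coming up with no
            # password set (Option A behaviour).
            # ------------------------------------------------------------------
            - name: SIMPLE_AUTH_PASSWORD
              valueFrom:
                secretKeyRef:
                  name: revfulop-calendar-auth
                  key: password
            # ------------------------------------------------------------------
            # Optional: Override family members (JSON array)
            # ------------------------------------------------------------------
            - name: FAMILY_MEMBERS
              value: '[{"id":"katinka","name":"Katinka","color":"#513EFF"},{"id":"orsi","name":"Orsi","color":"#A15DD8"},{"id":"lili","name":"Lili","color":"#FFE70C"},{"id":"bazsi","name":"Bazsi","color":"#32943E"}]'
          ports:
            - containerPort: 3000
              name: http
              protocol: TCP
          # Both probes call the same endpoint; it must answer without a login.
          livenessProbe:
            httpGet:
              path: /api/auth-status
              port: http
            initialDelaySeconds: 10
            periodSeconds: 30
            timeoutSeconds: 5
            failureThreshold: 3
          readinessProbe:
            httpGet:
              path: /api/auth-status
              port: http
            initialDelaySeconds: 5
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 3
          resources:
            limits:
              cpu: 200m
              memory: 128Mi
            requests:
              cpu: 20m
              memory: 32Mi
          volumeMounts:
            - name: data
              mountPath: /data
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: revfulop-calendar-data
---
apiVersion: v1
kind: Service
metadata:
  labels:
    app.kubernetes.io/instance: revfulop-calendar
    app.kubernetes.io/name: revfulop-calendar
  name: revfulop-calendar
  namespace: orsi-system
spec:
  ports:
    - name: http
      port: 3000
      protocol: TCP
      targetPort: http
  selector:
    app.kubernetes.io/instance: revfulop-calendar
    app.kubernetes.io/name: revfulop-calendar
  type: ClusterIP
---
# =============================================================================
# Option A & B: Standard Ingress (geo-blocked, no Authentik)
# =============================================================================
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    external-dns.alpha.kubernetes.io/hostname: revfulop.dooplex.hu
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    # Geo-block: requests are allowed when the client address starts with
    # 192.168. or 10., or when the GeoIP2 country code is HU; everything
    # else gets a 403.
    # NOTE(review): the private-range rules bypass the country check, and
    # $remote_addr is the address as the ingress controller sees it. If a
    # proxy or load balancer sits in front of the controller, confirm its
    # real-IP handling so external clients cannot appear as 10.x / 192.168.x.
    # NOTE(review): this relies on the controller permitting snippet
    # annotations and having GeoIP2 enabled; if either is off, verify that
    # the filter is actually enforced.
    nginx.ingress.kubernetes.io/configuration-snippet: |
      set $geo_allowed 0;
      if ($remote_addr ~ "^192\.168\.") { set $geo_allowed 1; }
      if ($remote_addr ~ "^10\.") { set $geo_allowed 1; }
      if ($geoip2_country_code = "HU") { set $geo_allowed 1; }
      if ($geo_allowed = 0) {
        return 403 "Access restricted to Hungary";
      }
  labels:
    app.kubernetes.io/instance: revfulop-calendar
    app.kubernetes.io/name: revfulop-calendar
  name: revfulop-calendar
  namespace: orsi-system
spec:
  ingressClassName: nginx-internal
  rules:
    - host: revfulop.dooplex.hu
      http:
        paths:
          - backend:
              service:
                name: revfulop-calendar
                port:
                  number: 3000
            path: /
            pathType: Prefix
  tls:
    - hosts:
        - revfulop.dooplex.hu
      secretName: revfulop-calendar-tls
---
# =============================================================================
# Option C: Authentik Proxy Ingress (ALTERNATIVE - replace the ingress above)
# =============================================================================
# Authentik setup steps:
# 1. Create Application: "revfulop-calendar" in Authentik
# 2. Create Proxy Provider: external host = https://revfulop.dooplex.hu
# 3. Create Outpost: "revfulop-outpost" (or reuse existing one)
# 4. Create users for family members in Authentik
# 5. Uncomment the ingress below and remove/comment the one above
#
# With this option every request is checked by the Authentik outpost
# (auth-url) before it reaches the app; the geo-block stays in place as an
# additional filter.
# =============================================================================
# apiVersion: networking.k8s.io/v1
# kind: Ingress
# metadata:
#   annotations:
#     cert-manager.io/cluster-issuer: letsencrypt-prod
#     external-dns.alpha.kubernetes.io/hostname: revfulop.dooplex.hu
#     nginx.ingress.kubernetes.io/ssl-redirect: "true"
#     nginx.ingress.kubernetes.io/auth-url: http://ak-outpost-revfulop-outpost.auth-system.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx
#     nginx.ingress.kubernetes.io/auth-signin: https://revfulop.dooplex.hu/outpost.goauthentik.io/start?rd=$escaped_request_uri
#     nginx.ingress.kubernetes.io/auth-snippet: |
#       proxy_set_header X-Forwarded-Host $http_host;
#     nginx.ingress.kubernetes.io/configuration-snippet: |
#       set $geo_allowed 0;
#       if ($remote_addr ~ "^192\.168\.") { set $geo_allowed 1; }
#       if ($remote_addr ~ "^10\.") { set $geo_allowed 1; }
#       if ($geoip2_country_code = "HU") { set $geo_allowed 1; }
#       if ($geo_allowed = 0) {
#         return 403 "Access restricted to Hungary";
#       }
#   labels:
#     app.kubernetes.io/instance: revfulop-calendar
#     app.kubernetes.io/name: revfulop-calendar
#   name: revfulop-calendar
#   namespace: orsi-system
# spec:
#   ingressClassName: nginx-internal
#   rules:
#     - host: revfulop.dooplex.hu
#       http:
#         paths:
#           - backend:
#               service:
#                 name: revfulop-calendar
#                 port:
#                   number: 3000
#             path: /
#             pathType: Prefix
#   tls:
#     - hosts:
#         - revfulop.dooplex.hu
#       secretName: revfulop-calendar-tls
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  labels:
    app.kubernetes.io/instance: revfulop-calendar
    app.kubernetes.io/name: revfulop-calendar
  name: revfulop-calendar-data
  namespace: orsi-system
spec:
  # ReadWriteOnce: the volume holding the database file (DB_PATH under /data)
  # can be mounted read-write by a single node at a time.
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 256Mi
  storageClassName: longhorn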