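---
# Orsi's Applications Namespace
# Dedicated namespace for girlfriend's self-hosted apps
#
apiVersion: v1
kind: Namespace
metadata:
  name: orsi-system
  labels:
    app.kubernetes.io/name: orsi-system
---
# ============================================
# FileBrowser - Personal File Manager for Orsi
# ============================================
# https://filebrowser.org/
#
# Access: https://orsi-files.dooplex.hu (Authentik login)
#         https://orsi-files.home (internal)
#
# Data: /mnt/4_hdd/orsi/ (hostPath - existing files)
#
# Authentik Setup:
# 1. Create a Proxy Provider in Authentik:
#    - Name: Orsi FileBrowser
#    - Authorization flow: default-provider-authorization-implicit-consent
#    - Type: Forward auth (single application)
#    - External host: https://orsi-files.dooplex.hu
#
# 2. Create an Application:
#    - Name: Orsi FileBrowser
#    - Slug: orsi-filebrowser
#    - Provider: Orsi FileBrowser
#    - (Optional) Restrict to specific users/groups
#
# 3. Create an Outpost (or add to existing):
#    - Name: orsi-filebrowser-outpost
#    - Type: Proxy
#    - Integration: Kubernetes (auth-system namespace)
#    - Applications: Orsi FileBrowser
#
---
# PVC for FileBrowser config and database only
# (actual files are on hostPath)
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: orsi-filebrowser-config
  namespace: orsi-system
  labels:
    app.kubernetes.io/instance: orsi-filebrowser
    app.kubernetes.io/name: filebrowser
    recurring-job-group.longhorn.io/backup: enabled
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: longhorn
  resources:
    requests:
      storage: 100Mi
---
# FileBrowser Deployment
#
# Trust model: the init container switches FileBrowser to proxy auth, so the
# server takes the user identity from the X-authentik-username request header
# and performs no credential check of its own. Everything that can reach the
# pod must therefore come through the Authentik-protected Ingress (see the
# NetworkPolicy note above the Service).
apiVersion: apps/v1
kind: Deployment
metadata:
  name: orsi-filebrowser
  namespace: orsi-system
  labels:
    app.kubernetes.io/instance: orsi-filebrowser
    app.kubernetes.io/name: filebrowser
spec:
  replicas: 1
  # Recreate: the config PVC is ReadWriteOnce, so old and new pods must not
  # overlap.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app.kubernetes.io/instance: orsi-filebrowser
      app.kubernetes.io/name: filebrowser
  template:
    metadata:
      labels:
        app.kubernetes.io/instance: orsi-filebrowser
        app.kubernetes.io/name: filebrowser
    spec:
      # FileBrowser never talks to the Kubernetes API, so do not mount a
      # service-account token into a pod that serves user files.
      automountServiceAccountToken: false
      # Run as Orsi's user (UID 1001, GID 1001) for proper file permissions
      securityContext:
        runAsUser: 1001
        runAsGroup: 1001
        fsGroup: 1001
        runAsNonRoot: true
        seccompProfile:
          type: RuntimeDefault
      initContainers:
        # Configure proxy auth in database before starting
        # NOTE(review): the image is referenced by tag only (here and in the
        # main container); pin it by digest (image@sha256:<DIGEST>) if a
        # re-pushed tag must not change what runs.
        - name: configure-auth
          image: filebrowser/filebrowser:v2.63.13
          command:
            - sh
            - -c
            - |
              # Abort on the first failing command: if proxy auth cannot be
              # written, the init container must fail so the server never
              # starts with whatever auth method the database already holds.
              set -eu

              if [ ! -f /config/filebrowser.db ]; then
                echo "Creating new database with proxy auth..."
                filebrowser config init --database /config/filebrowser.db
              fi

              echo "Setting proxy authentication..."
              filebrowser config set --database /config/filebrowser.db \
                --auth.method=proxy --auth.header=X-authentik-username

              echo "Configuration complete"
          volumeMounts:
            - name: config
              mountPath: /config
          securityContext:
            runAsUser: 1001
            runAsGroup: 1001
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
      containers:
        - name: filebrowser
          image: filebrowser/filebrowser:v2.63.13
          command:
            - filebrowser
            - --database=/config/filebrowser.db
            - --root=/srv
            # Unprivileged port: the process runs as UID 1001 with all
            # capabilities dropped, so it must not depend on being allowed to
            # bind a port below 1024. The Service, the probes and the Ingress
            # all address this port by its name ("http"), so they are
            # unaffected.
            - --port=8080
            - --address=0.0.0.0
          ports:
            - containerPort: 8080
              name: http
              protocol: TCP
          env:
            - name: TZ
              value: "Europe/Budapest"
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
          volumeMounts:
            - name: data
              mountPath: /srv
            - name: config
              mountPath: /config
          resources:
            requests:
              cpu: 10m
              memory: 32Mi
            limits:
              cpu: 500m
              memory: 512Mi
          livenessProbe:
            httpGet:
              path: /health
              port: http
            initialDelaySeconds: 10
            periodSeconds: 30
            timeoutSeconds: 5
            failureThreshold: 3
          readinessProbe:
            httpGet:
              path: /health
              port: http
            initialDelaySeconds: 5
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 3
      volumes:
        # Orsi's actual files - hostPath to existing data
        # NOTE(review): hostPath exposes a node directory to the pod and only
        # exists on the node that holds the disk; no nodeSelector/affinity is
        # set here, so this presumably relies on a single-node cluster -
        # confirm. "type: Directory" makes the pod fail to start rather than
        # create an empty directory when the path is missing.
        - name: data
          hostPath:
            path: /mnt/4_hdd/orsi
            type: Directory
        # Config/database on Longhorn PVC
        - name: config
          persistentVolumeClaim:
            claimName: orsi-filebrowser-config
---
# Service
#
# NOTE(review): FileBrowser trusts the X-authentik-username header on every
# request it receives (proxy auth). Authentik only guards the Ingress path; a
# client that reaches this ClusterIP Service or the pod IP directly is treated
# as whichever username its request carries. No NetworkPolicy is defined in
# this file. Restrict pod ingress to the ingress controller, for example with
# the policy below (requires a CNI that enforces NetworkPolicy; the namespace
# value is a placeholder, not taken from this repository):
#
#   apiVersion: networking.k8s.io/v1
#   kind: NetworkPolicy
#   metadata:
#     name: orsi-filebrowser-ingress-only
#     namespace: orsi-system
#   spec:
#     podSelector:
#       matchLabels:
#         app.kubernetes.io/instance: orsi-filebrowser
#         app.kubernetes.io/name: filebrowser
#     policyTypes:
#       - Ingress
#     ingress:
#       - from:
#           - namespaceSelector:
#               matchLabels:
#                 kubernetes.io/metadata.name: <INGRESS_CONTROLLER_NAMESPACE>
#         ports:
#           - port: http
#             protocol: TCP
apiVersion: v1
kind: Service
metadata:
  name: orsi-filebrowser
  namespace: orsi-system
  labels:
    app.kubernetes.io/instance: orsi-filebrowser
    app.kubernetes.io/name: filebrowser
spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: http
      protocol: TCP
      name: http
  selector:
    app.kubernetes.io/instance: orsi-filebrowser
    app.kubernetes.io/name: filebrowser
---
# Ingress with Authentik proxy auth
#
# The auth-snippet and configuration-snippet annotations only take effect when
# the ingress-nginx controller allows snippet annotations, and
# $geoip2_country_code only exists when the controller's GeoIP2 support is
# enabled. Both are controller-level settings that are not visible in this
# file.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: orsi-filebrowser
  namespace: orsi-system
  labels:
    app.kubernetes.io/instance: orsi-filebrowser
    app.kubernetes.io/name: filebrowser
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    external-dns.alpha.kubernetes.io/hostname: orsi-files.dooplex.hu
    nginx.ingress.kubernetes.io/proxy-body-size: "2048m"
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "300"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "300"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    # Authentik forward auth - update outpost name after creating in Authentik!
    # NOTE(review): the setup notes at the top of this file name the outpost
    # "orsi-filebrowser-outpost", while this URL points at
    # "ak-outpost-orsi-outpost". Authentik's Kubernetes integration names the
    # Service ak-outpost-<outpost name> by default, so one of the two looks
    # stale - confirm against the Service that exists in auth-system. If the
    # auth subrequest cannot reach the outpost, nginx answers with an error
    # instead of forwarding the request.
    nginx.ingress.kubernetes.io/auth-url: http://ak-outpost-orsi-outpost.auth-system.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx
    nginx.ingress.kubernetes.io/auth-signin: https://orsi-files.dooplex.hu/outpost.goauthentik.io/start?rd=$escaped_request_uri
    # X-authentik-username must stay in this list: it is the header FileBrowser
    # uses as the logged-in user, and listing it here makes nginx set it from
    # the outpost's response.
    nginx.ingress.kubernetes.io/auth-response-headers: X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
    nginx.ingress.kubernetes.io/auth-snippet: |
      proxy_set_header X-Forwarded-Host $http_host;
    # Geo-blocking: Hungary only (plus local networks)
    # NOTE(review): the decision is made on $remote_addr. If the controller
    # does not see the real client address (for example traffic is NATed by a
    # load balancer or node before it reaches nginx), every client can look
    # like 10.x / 192.168.x and pass this check - verify how the controller
    # derives the client IP. 172.16.0.0/12 is not treated as local here.
    # This is a coarse filter only; Authentik remains the access control.
    nginx.ingress.kubernetes.io/configuration-snippet: |
      set $geo_allowed 0;
      if ($remote_addr ~ "^192\.168\.") { set $geo_allowed 1; }
      if ($remote_addr ~ "^10\.") { set $geo_allowed 1; }
      if ($geoip2_country_code = "HU") { set $geo_allowed 1; }
      if ($geo_allowed = 0) { return 403 "Access restricted to Hungary"; }
spec:
  ingressClassName: nginx-internal
  tls:
    - hosts:
        - orsi-files.dooplex.hu
      secretName: orsi-filebrowser-tls
  rules:
    - host: orsi-files.dooplex.hu
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: orsi-filebrowser
                port:
                  name: http
    # NOTE(review): orsi-files.home has no entry under "tls", so no
    # certificate is configured for it in this Ingress. The forward-auth
    # annotations above apply to this host as well and auth-signin always
    # redirects to orsi-files.dooplex.hu - confirm that login works as
    # intended for the internal name.
    - host: orsi-files.home
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: orsi-filebrowser
                port:
                  name: http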