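---
#
# Kisfenyo's Applications Namespace
# Dedicated namespace for Viktor's self-hosted apps
#
apiVersion: v1
kind: Namespace
metadata:
  name: kisfenyo-system
  labels:
    app.kubernetes.io/name: kisfenyo-system
---
# ============================================
# FileBrowser Quantum - Personal File Manager for Viktor
# ============================================
# https://github.com/gtsteffaniak/filebrowser (Quantum fork)
# Docs: https://filebrowserquantum.com/
#
# Access: https://kisfenyo-files.dooplex.hu (Authentik login)
#         https://kisfenyo-files.home (internal)
#
# Data Sources:
#   - Home: /home/kisfenyo
#   - 4_HDD: /mnt/4_hdd/kisfenyo
#
# Authentik Setup:
#   1. Create a Proxy Provider in Authentik:
#      - Name: Kisfenyo FileBrowser
#      - Authorization flow: default-provider-authorization-implicit-consent
#      - Type: Forward auth (single application)
#      - External host: https://kisfenyo-files.dooplex.hu
#
#   2. Create an Application:
#      - Name: Kisfenyo FileBrowser
#      - Slug: kisfenyo-filebrowser
#      - Provider: Kisfenyo FileBrowser
#      - (Optional) Restrict to specific users/groups
#
#   3. Create an Outpost (or add to existing):
#      - Name: kisfenyo-outpost
#      - Type: Proxy
#      - Integration: Kubernetes (auth-system namespace)
#      - Applications: Kisfenyo FileBrowser
#
# Trust model (read before changing the auth settings):
#   - FileBrowser runs in proxy-auth mode: it has no login of its own and
#     accepts the user name found in the X-authentik-username request header.
#   - That header is only trustworthy when the request came through the
#     Ingress below, which sets it from the Authentik forward-auth response.
#   - Nothing in this file stops another workload in the cluster from calling
#     the ClusterIP Service directly with a header of its choosing. Add a
#     NetworkPolicy in kisfenyo-system that only admits traffic to the
#     filebrowser pod from the ingress controller (its namespace is not
#     visible in this file, so no policy is defined here).
#
---
# ConfigMap for FileBrowser Quantum config.yaml
apiVersion: v1
kind: ConfigMap
metadata:
  name: kisfenyo-filebrowser-config
  namespace: kisfenyo-system
  labels:
    app.kubernetes.io/instance: kisfenyo-filebrowser
    app.kubernetes.io/name: filebrowser
data:
  config.yaml: |
    server:
      database: /home/filebrowser/data/database.db
      externalUrl: "https://kisfenyo-files.dooplex.hu"  # or whatever your FB domain is
      internalUrl: "http://kisfenyo-filebrowser.kisfenyo-system.svc.cluster.local"  # adjust to match
      port: 80
      sources:
        - path: /srv/home
          name: "Home"
          config:
            defaultEnabled: true
        - path: /srv/4_hdd
          name: "4_HDD"
          config:
            defaultEnabled: true
    auth:
      # The account with this name is the administrator. With proxy auth the
      # name comes from the request header below, so whoever can present that
      # header value is treated as the admin.
      adminUsername: kisfenyo
      methods:
        proxy:
          enabled: true
          header: "X-authentik-username"
          # Unknown names arriving in the header get an account automatically;
          # restrict who may use the Authentik application accordingly.
          createUser: true
        password:
          enabled: false
    integrations:
      office:
        url: "https://office.dooplex.hu"
        internalUrl: "http://onlyoffice.office-system.svc.cluster.local"
        # The OnlyOffice JWT secret is deliberately absent: a ConfigMap is not
        # access-controlled like a Secret and this file lives in version
        # control. The Deployment passes it in as FILEBROWSER_ONLYOFFICE_SECRET
        # from a Kubernetes Secret instead.
        # NOTE(review): confirm this image version reads that variable. The
        # value that used to be committed here is exposed through repository
        # history; rotate it in OnlyOffice as well.
---
# PVC for FileBrowser database and cache
# (actual files are on hostPath)
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: kisfenyo-filebrowser-data
  namespace: kisfenyo-system
  labels:
    app.kubernetes.io/instance: kisfenyo-filebrowser
    app.kubernetes.io/name: filebrowser
    recurring-job-group.longhorn.io/backup: enabled
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: longhorn
  resources:
    requests:
      storage: 500Mi
---
# FileBrowser Deployment
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kisfenyo-filebrowser
  namespace: kisfenyo-system
  labels:
    app.kubernetes.io/instance: kisfenyo-filebrowser
    app.kubernetes.io/name: filebrowser
spec:
  replicas: 1
  # Recreate: the ReadWriteOnce PVC cannot be shared by an old and a new pod
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app.kubernetes.io/instance: kisfenyo-filebrowser
      app.kubernetes.io/name: filebrowser
  template:
    metadata:
      labels:
        app.kubernetes.io/instance: kisfenyo-filebrowser
        app.kubernetes.io/name: filebrowser
      annotations:
        match-regex.version-checker.io/filebrowser: '^\d+\.\d+\.\d+-stable$'
    spec:
      # A file manager has no use for Kubernetes API credentials, so the
      # ServiceAccount token is kept out of the container.
      automountServiceAccountToken: false
      # Run as kisfenyo user (UID 1000, GID 1000) for proper file permissions
      securityContext:
        # Refuse to start if the image or a later edit would run as root
        runAsNonRoot: true
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
        seccompProfile:
          type: RuntimeDefault
      # NOTE(review): both hostPath volumes below exist on one machine only and
      # use type Directory, so the pod fails to start on any other node. On a
      # multi-node cluster add a nodeSelector / nodeAffinity for that host.
      containers:
        - name: filebrowser
          # Tag-pinned only; pin by digest if the registry tag must not move
          image: gtstef/filebrowser:1.1.2-stable
          # NOTE(review): allowPrivilegeEscalation: false and
          # capabilities.drop: [ALL] are the usual next hardening step. Test
          # before enabling them: the process listens on port 80 as UID 1000,
          # and how that low port is permitted depends on the image/runtime.
          env:
            - name: TZ
              value: "Europe/Budapest"
            - name: FILEBROWSER_CONFIG
              value: "/config/config.yaml"
            # OnlyOffice JWT secret, kept out of the ConfigMap. The Secret name
            # and key below are constructed for this manifest; create the
            # Secret out-of-band (sealed/external secret, or kubectl) before
            # applying.
            - name: FILEBROWSER_ONLYOFFICE_SECRET
              valueFrom:
                secretKeyRef:
                  name: kisfenyo-filebrowser-secrets
                  key: onlyoffice-secret
          ports:
            - containerPort: 80
              name: http
              protocol: TCP
          volumeMounts:
            # User's home directory
            - name: home-data
              mountPath: /srv/home
            # 4_HDD data
            - name: hdd-data
              mountPath: /srv/4_hdd
            # Config from ConfigMap
            - name: config
              mountPath: /config
              readOnly: true
            # Persistent data (database, cache)
            - name: data
              mountPath: /home/filebrowser/data
          resources:
            requests:
              cpu: 50m
              memory: 128Mi
            limits:
              cpu: 1000m
              memory: 1Gi
          livenessProbe:
            httpGet:
              path: /health
              port: http
            initialDelaySeconds: 15
            periodSeconds: 30
            timeoutSeconds: 5
            failureThreshold: 3
          readinessProbe:
            httpGet:
              path: /health
              port: http
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 3
      volumes:
        # Kisfenyo's home directory.
        # The whole directory is writable through the web UI, including any
        # dotfiles and key material kept there; mount a narrower subdirectory
        # if that is more than the UI should reach.
        - name: home-data
          hostPath:
            path: /home/kisfenyo
            type: Directory
        # Kisfenyo's 4_HDD data
        - name: hdd-data
          hostPath:
            path: /mnt/4_hdd/kisfenyo
            type: Directory
        # Config from ConfigMap
        - name: config
          configMap:
            name: kisfenyo-filebrowser-config
        # Persistent data on Longhorn PVC (database, thumbnails, etc.)
        - name: data
          persistentVolumeClaim:
            claimName: kisfenyo-filebrowser-data
---
# Service
# ClusterIP only, but reachable from every pod in the cluster unless a
# NetworkPolicy says otherwise; requests arriving here have not passed the
# Authentik forward-auth check that the Ingress performs.
apiVersion: v1
kind: Service
metadata:
  name: kisfenyo-filebrowser
  namespace: kisfenyo-system
  labels:
    app.kubernetes.io/instance: kisfenyo-filebrowser
    app.kubernetes.io/name: filebrowser
spec:
  type: ClusterIP
  ports:
    - port: 80
      targetPort: http
      protocol: TCP
      name: http
  selector:
    app.kubernetes.io/instance: kisfenyo-filebrowser
    app.kubernetes.io/name: filebrowser
---
# Ingress with Authentik proxy auth
# The auth-snippet and configuration-snippet annotations only take effect when
# the ingress-nginx controller allows snippet annotations; if it ignores them,
# the geo-block below is silently not applied.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: kisfenyo-filebrowser
  namespace: kisfenyo-system
  labels:
    app.kubernetes.io/instance: kisfenyo-filebrowser
    app.kubernetes.io/name: filebrowser
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    external-dns.alpha.kubernetes.io/hostname: kisfenyo-files.dooplex.hu
    nginx.ingress.kubernetes.io/proxy-body-size: "4096m"
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "300"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "300"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    # Authentik forward auth - update outpost name after creating in Authentik!
    nginx.ingress.kubernetes.io/auth-url: 'http://ak-outpost-kisfenyo-outpost.auth-system.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx'
    nginx.ingress.kubernetes.io/auth-signin: 'https://kisfenyo-files.dooplex.hu/outpost.goauthentik.io/start?rd=$escaped_request_uri'
    # These headers are copied from the auth response onto the upstream
    # request; X-authentik-username is the one FileBrowser logs the user in by.
    nginx.ingress.kubernetes.io/auth-response-headers: 'X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid'
    nginx.ingress.kubernetes.io/auth-snippet: |
      proxy_set_header X-Forwarded-Host $http_host;
    # Geo-blocking: Hungary AND UK (plus local networks)
    # NOTE(review): the rules below admit only country code HU; there is no
    # rule for the UK although this comment and the 403 text mention it.
    # Either add the missing country rule or correct the wording.
    # NOTE(review): the private-range checks test $remote_addr. If the
    # controller sees a load balancer or NAT address instead of the client
    # address, every request matches and the country check never runs;
    # confirm the controller receives real client IPs. $geoip2_country_code
    # additionally requires GeoIP2 to be enabled on the controller.
    nginx.ingress.kubernetes.io/configuration-snippet: |
      set $geo_allowed 0;
      if ($remote_addr ~ "^192\.168\.") { set $geo_allowed 1; }
      if ($remote_addr ~ "^10\.") { set $geo_allowed 1; }
      if ($geoip2_country_code = "HU") { set $geo_allowed 1; }
      if ($geo_allowed = 0) { return 403 "Access restricted to Hungary and UK"; }
spec:
  ingressClassName: nginx-internal
  tls:
    - hosts:
        - kisfenyo-files.dooplex.hu
      secretName: kisfenyo-filebrowser-tls
  rules:
    - host: kisfenyo-files.dooplex.hu
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: kisfenyo-filebrowser
                port:
                  name: http
    # Internal host. It shares every annotation above (forward auth, sign-in
    # redirect to the dooplex.hu host, geo rules) but has no entry under tls.
    # NOTE(review): verify that login works for this host with a
    # single-application Authentik provider, and that it is not served without
    # TLS on a path that bypasses authentication.
    - host: kisfenyo-files.home
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: kisfenyo-filebrowser
                port:
                  name: http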