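# Opengist - Git-powered pastebin/gist service
# https://github.com/thomiceli/opengist
# Domain: paste.dooplex.hu
# Auth: Native OIDC with Authentik
#
# Authentik Setup:
# 1. Create OAuth2/OIDC Provider:
#    - Name: opengist
#    - Client Type: Confidential
#    - Redirect URIs: https://paste.dooplex.hu/oauth/oidc/callback
#      (register it as an exact match, not a pattern)
#    - Scopes: openid, email, profile
# 2. Create Application linked to this provider
# 3. Create secret with OIDC credentials:
#    kubectl create secret generic opengist-oidc \
#      --from-literal=client-id=YOUR_CLIENT_ID \
#      --from-literal=client-secret=YOUR_CLIENT_SECRET \
#      -n opengist-system
#    Note: --from-literal leaves the client secret in shell history and the
#    process list; --from-file or a secret manager avoids that.
#
# Features:
# - Anyone can VIEW public gists (no login required)
# - Only authenticated users can CREATE gists
# - Each gist is a git repository (versioning, clone via git/ssh)
# - Syntax highlighting, markdown rendering
# - Public/Unlisted/Private visibility options
---
apiVersion: v1
kind: Namespace
metadata:
  name: opengist-system
  labels:
    app.kubernetes.io/name: opengist
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: opengist
  namespace: opengist-system
  labels:
    app.kubernetes.io/name: opengist
    app.kubernetes.io/instance: opengist
spec:
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: opengist
      app.kubernetes.io/instance: opengist
  # Recreate stops the old pod before starting the new one; presumably chosen
  # because the data volume below is ReadWriteOnce.
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app.kubernetes.io/name: opengist
        app.kubernetes.io/instance: opengist
    spec:
      # Nothing in this manifest needs the Kubernetes API, so the pod gets no
      # service-account token to leak if the application is compromised.
      automountServiceAccountToken: false
      # Apply the container runtime's default seccomp filter instead of
      # running unconfined.
      securityContext:
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: opengist
          # Pinned by tag only; a tag can be re-pushed upstream. Pinning by
          # digest (image@sha256:<digest>) makes the deployed image immutable.
          image: ghcr.io/thomiceli/opengist:1.11.1
          # NOTE(review): no container securityContext is set. Whether
          # runAsNonRoot / dropped capabilities / readOnlyRootFilesystem work
          # depends on how the image's entrypoint starts - confirm against the
          # image before tightening.
          env:
            # Base configuration
            - name: OG_EXTERNAL_URL
              value: "https://paste.dooplex.hu"
            - name: OG_LOG_LEVEL
              value: "info"
            # Security settings
            # NOTE(review): after deploying, verify in the running instance
            # that local signup and the login form are really disabled. If this
            # Opengist version reads these toggles from its admin settings
            # rather than from the environment, the values below are silently
            # ignored and local registration stays open.
            - name: OG_DISABLE_SIGNUP
              value: "true"  # No local registration - OIDC only
            - name: OG_REQUIRE_LOGIN
              value: "false"  # Anyone can VIEW gists
            - name: OG_DISABLE_LOGIN_FORM
              value: "true"  # Hide local login, show only OIDC
            # "false" leaves Gravatar enabled; avatar lookups go to a
            # third-party service - confirm that is acceptable.
            - name: OG_DISABLE_GRAVATAR
              value: "false"
            # OIDC Configuration (Authentik)
            # Client id and secret come from the opengist-oidc Secret, so they
            # never appear in this manifest.
            - name: OG_OIDC_CLIENT_KEY
              valueFrom:
                secretKeyRef:
                  name: opengist-oidc
                  key: client-id
            - name: OG_OIDC_SECRET
              valueFrom:
                secretKeyRef:
                  name: opengist-oidc
                  key: client-secret
            - name: OG_OIDC_DISCOVERY_URL
              value: "https://authentik.dooplex.hu/application/o/opengist/.well-known/openid-configuration"
            # Custom branding
            - name: OG_CUSTOM_NAME
              value: "Dooplex Paste"
          ports:
            - containerPort: 6157
              name: http
            - containerPort: 2222
              name: ssh
          resources:
            requests:
              cpu: 50m
              memory: 64Mi
            limits:
              cpu: 500m
              memory: 256Mi
          volumeMounts:
            - name: data
              mountPath: /opengist
          livenessProbe:
            httpGet:
              path: /healthcheck
              port: http
            initialDelaySeconds: 10
            periodSeconds: 30
          readinessProbe:
            httpGet:
              path: /healthcheck
              port: http
            initialDelaySeconds: 5
            periodSeconds: 10
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: opengist-data
---
apiVersion: v1
kind: Service
metadata:
  name: opengist
  namespace: opengist-system
  labels:
    app.kubernetes.io/name: opengist
    app.kubernetes.io/instance: opengist
spec:
  # ClusterIP only: the ssh port is reachable inside the cluster but is not
  # published by the Ingress below, which carries HTTP(S) only.
  type: ClusterIP
  ports:
    - name: http
      port: 80
      targetPort: http
    - name: ssh
      port: 2222
      targetPort: ssh
  selector:
    app.kubernetes.io/name: opengist
    app.kubernetes.io/instance: opengist
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: opengist
  namespace: opengist-system
  labels:
    app.kubernetes.io/name: opengist
    app.kubernetes.io/instance: opengist
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    external-dns.alpha.kubernetes.io/hostname: paste.dooplex.hu,paste.home
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: "100m"
spec:
  ingressClassName: nginx-internal
  rules:
    - host: paste.dooplex.hu
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: opengist
                port:
                  number: 80
    # NOTE(review): paste.home is not listed under tls below, so it has no
    # certificate from this Ingress, and OG_EXTERNAL_URL and the OIDC redirect
    # URI both name paste.dooplex.hu. Confirm that sessions on this host are
    # intended to run without a valid TLS certificate.
    - host: paste.home
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: opengist
                port:
                  number: 80
  tls:
    - hosts:
        - paste.dooplex.hu
      secretName: opengist-tls
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: opengist-data
  namespace: opengist-system
  labels:
    app.kubernetes.io/name: opengist
    app.kubernetes.io/instance: opengist
    # Longhorn recurring-job labels: include this volume in the "needbackup"
    # job group. The volume holds every gist repository and, as far as this
    # manifest shows, all other application state.
    recurring-job-group.longhorn.io/needbackup: enabled
    recurring-job.longhorn.io/source: enabled
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: longhorn
  resources:
    requests:
      storage: 5Gi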