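# Termix - Web-based server management platform with SSH terminal
# https://github.com/Termix-SSH/Termix
# Version: tracked by the image tag in the Deployment below. A fixed number
#          here goes stale: it read 1.9.0 while the tag was release-2.3.2.
#
# Post-deployment steps:
# 1. Access https://termix.dooplex.hu
# 2. Create initial admin account
#    NOTE(review): do this right after the first rollout. Until an admin
#    exists, the sign-up page is presumably reachable by anyone who passes
#    the ingress allowlist - confirm against the Termix docs.
# 3. Navigate to Admin Settings > OIDC tab
# 4. Configure Authentik OIDC settings (see authentik-notes.md)
---
# Dedicated namespace so RBAC, quotas and NetworkPolicies can be scoped to
# this one application.
apiVersion: v1
kind: Namespace
metadata:
  name: termix-system
  labels:
    app.kubernetes.io/name: termix
---
# Single-replica Deployment of the Termix web UI / SSH gateway.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: termix
  namespace: termix-system
  labels:
    app.kubernetes.io/name: termix
    app.kubernetes.io/instance: termix
spec:
  replicas: 1
  # Recreate stops the old pod before starting the new one, so two pods never
  # compete for the ReadWriteOnce data volume during a rollout.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app.kubernetes.io/name: termix
      app.kubernetes.io/instance: termix
  template:
    metadata:
      labels:
        app.kubernetes.io/name: termix
        app.kubernetes.io/instance: termix
      annotations:
        match-regex.version-checker.io/termix: '^release-\d+\.\d+\.\d+$'
    spec:
      # Nothing in this manifest needs the Kubernetes API, so the
      # ServiceAccount token is not mounted: a compromised web process then
      # has no cluster credential to reuse.
      automountServiceAccountToken: false
      securityContext:
        # Apply the container runtime's default syscall filter.
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: termix
          # NOTE: termix uses a non-semver tag pattern (release-X.Y.Z).
          # Renovate handles it via a customManagers regex defined in
          # admin-system/renovate.yaml (the kubernetes manager doesn't
          # process inline `# renovate:` comments).
          #
          # NOTE(review): a tag is mutable. Pinning as
          # <tag>@sha256:<digest> would make the deployed image immutable,
          # but the Renovate regex would have to be extended to match.
          # Also confirm that ghcr.io/lukegus is the publisher behind the
          # Termix-SSH/Termix repository named in the header.
          image: ghcr.io/lukegus/termix:release-2.3.2
          imagePullPolicy: IfNotPresent
          securityContext:
            # Sets no_new_privs: setuid binaries inside the container
            # cannot raise privileges.
            allowPrivilegeEscalation: false
            # NOTE(review): runAsNonRoot, readOnlyRootFilesystem and
            # capabilities.drop [ALL] are deliberately not set. This
            # manifest does not show which user or writable paths the
            # image needs, so test them against the image first.
          ports:
            - name: http
              containerPort: 8080
              protocol: TCP
          env:
            - name: TZ
              value: "Europe/Budapest"
            - name: PORT
              value: "8080"
          volumeMounts:
            # Persistent application state.
            # NOTE(review): presumably this holds the database with saved
            # SSH hosts and credentials - treat the volume and its backups
            # as secret material.
            - name: data
              mountPath: /app/data
          resources:
            requests:
              cpu: 100m
              memory: 256Mi
            limits:
              cpu: "1"
              memory: 1Gi
          livenessProbe:
            httpGet:
              path: /
              port: http
            initialDelaySeconds: 30
            periodSeconds: 30
            timeoutSeconds: 10
            failureThreshold: 3
          readinessProbe:
            httpGet:
              path: /
              port: http
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 3
      volumes:
        - name: data
          persistentVolumeClaim:
            claimName: termix-data
      restartPolicy: Always
---
# Cluster-internal Service; external access goes through the Ingress only.
apiVersion: v1
kind: Service
metadata:
  name: termix
  namespace: termix-system
  labels:
    app.kubernetes.io/name: termix
    app.kubernetes.io/instance: termix
spec:
  type: ClusterIP
  ports:
    - name: http
      port: 8080
      targetPort: http
      protocol: TCP
  selector:
    app.kubernetes.io/name: termix
    app.kubernetes.io/instance: termix
---
# Ingress for the public and the LAN hostname, with a source-address /
# country allowlist in front of the application.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: termix
  namespace: termix-system
  labels:
    app.kubernetes.io/name: termix
    app.kubernetes.io/instance: termix
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    external-dns.alpha.kubernetes.io/hostname: termix.dooplex.hu,termix.home
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: "100m"
    # WebSocket support for SSH terminal
    nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
    # Default-deny allowlist: 192.168.0.0/16, 10.0.0.0/8, or a GeoIP2
    # country code of HU; everything else gets 403. This only reduces
    # exposure. Authentication stays with Termix and OIDC.
    #
    # Caveats to verify on the controller:
    # - Snippet annotations work only if the controller sets
    #   allow-snippet-annotations. With that on, anyone who can edit an
    #   Ingress can inject nginx configuration, so keep Ingress write
    #   access restricted.
    # - $remote_addr is only as trustworthy as the controller's real-IP
    #   handling (forwarded headers / PROXY protocol). If client-supplied
    #   forwarding headers are trusted, the private-range checks are too.
    # - $geoip2_country_code needs GeoIP2 enabled on the controller.
    # - 172.16.0.0/12 is not in the private-range allowlist, so such
    #   clients fall through to the country check.
    nginx.ingress.kubernetes.io/configuration-snippet: |
      set $geo_allowed 0;
      if ($remote_addr ~ "^192\.168\.") { set $geo_allowed 1; }
      if ($remote_addr ~ "^10\.") { set $geo_allowed 1; }
      if ($geoip2_country_code = "HU") { set $geo_allowed 1; }
      if ($geo_allowed = 0) { return 403 "Access restricted to Hungary"; }
spec:
  ingressClassName: nginx-internal
  tls:
    # NOTE(review): only termix.dooplex.hu gets a certificate here.
    # termix.home (rule below) is not listed, so depending on controller
    # settings it is served over plain HTTP or with the controller's
    # default certificate. Confirm which, because terminal sessions and
    # logins cross that path too.
    - hosts:
        - termix.dooplex.hu
      secretName: termix-tls
  rules:
    - host: termix.dooplex.hu
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: termix
                port:
                  number: 8080
    - host: termix.home
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: termix
                port:
                  number: 8080
---
# Longhorn-backed volume for /app/data, enrolled in the "needbackup"
# recurring-job group.
# NOTE(review): backups of this volume carry whatever Termix stores in it,
# so protect the backup target with the same care as the volume itself.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: termix-data
  namespace: termix-system
  labels:
    app.kubernetes.io/name: termix
    app.kubernetes.io/instance: termix
    recurring-job-group.longhorn.io/needbackup: enabled
    recurring-job.longhorn.io/source: enabled
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: longhorn
  resources:
    requests:
      storage: 5Gi
---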