# Wanderer - Self-hosted trail manager
# https://github.com/Flomp/wanderer
# Version: v0.18.13
# Domain: wanderer.dooplex.hu
# Auth: OAuth configured via PocketBase admin UI
#
# wanderer uses PocketBase as its backend, which supports OAuth2/OIDC
# configured through the PocketBase admin panel.
#
# Setup steps after deployment:
# 1. Access PocketBase admin: https://wanderer.dooplex.hu/api/_/
# 2. Create admin account on first access
# 3. Go to Settings > Auth providers
# 4. Add OpenID Connect provider:
# - Client ID: from Authentik
# - Client Secret: from Authentik
# - Auth URL: https://authentik.dooplex.hu/application/o/authorize/
# - Token URL: https://authentik.dooplex.hu/application/o/token/
# - User info URL: https://authentik.dooplex.hu/application/o/userinfo/
#
# Authentik Setup:
# 1. Create OAuth2/OIDC Provider:
# - Name: wanderer
# - Client Type: Confidential
# - Redirect URIs: https://wanderer.dooplex.hu/api/oauth2-redirect
# - Scopes: openid, email, profile
# 2. Create Application linked to this provider
---
# Namespace holding every wanderer component (search, PocketBase, web).
# NOTE(review): no Pod Security Admission labels are set here. None of the
# Deployments below declare a securityContext, so enforcing the "restricted"
# profile would reject them until that is added — decide on a level first.
apiVersion: v1
kind: Namespace
metadata:
  name: wanderer-system
  labels:
    app.kubernetes.io/name: wanderer
---
# Meilisearch: full-text search backend consumed by wanderer-db and wanderer-web.
# One replica bound to a ReadWriteOnce volume, hence strategy Recreate — a
# rolling update would try to attach the same PVC to two pods at once.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: wanderer-meilisearch
  namespace: wanderer-system
  labels:
    app.kubernetes.io/instance: wanderer
    app.kubernetes.io/name: wanderer-meilisearch
spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app.kubernetes.io/instance: wanderer
      app.kubernetes.io/name: wanderer-meilisearch
  template:
    metadata:
      labels:
        app.kubernetes.io/instance: wanderer
        app.kubernetes.io/name: wanderer-meilisearch
    spec:
      # NOTE(review): no pod/container securityContext is declared, so the
      # container runs with the image's default user and capability set.
      # Confirm whether runAsNonRoot + drop ALL is viable for this image.
      containers:
        - name: meilisearch
          image: getmeili/meilisearch:v1.11.3
          ports:
            - name: http
              containerPort: 7700
          env:
            # Master key gating every Meilisearch API call. It comes from the
            # wanderer-app Secret and the same key is handed to wanderer-db and
            # wanderer-web, so rotating it means restarting all three.
            - name: MEILI_MASTER_KEY
              valueFrom:
                secretKeyRef:
                  name: wanderer-app
                  key: meili-master-key
            # Production mode (per Meilisearch docs this makes the master key
            # mandatory rather than optional).
            - name: MEILI_ENV
              value: "production"
            - name: MEILI_NO_ANALYTICS
              value: "true"
          resources:
            requests:
              cpu: 100m
              memory: 256Mi
            limits:
              cpu: 500m
              memory: 512Mi
          volumeMounts:
            - name: meili-data
              mountPath: /meili_data
          # Both probes hit the unauthenticated /health endpoint on the named port.
          readinessProbe:
            httpGet:
              path: /health
              port: http
            initialDelaySeconds: 10
            periodSeconds: 10
          livenessProbe:
            httpGet:
              path: /health
              port: http
            initialDelaySeconds: 30
            periodSeconds: 30
      volumes:
        - name: meili-data
          persistentVolumeClaim:
            claimName: wanderer-meilisearch
---
# PocketBase (wanderer-db): the application backend and auth provider.
# Its API — including the admin UI — is published by the wanderer-pocketbase
# Ingress further down, so this pod is reachable from outside the cluster.
# NOTE(review): the image tag (v0.19.1) does not match the "Version" line in
# the file header; the header appears stale.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: wanderer-db
  namespace: wanderer-system
  labels:
    app.kubernetes.io/instance: wanderer
    app.kubernetes.io/name: wanderer-db
spec:
  replicas: 1
  # Single replica on a ReadWriteOnce PVC: Recreate avoids two pods contending
  # for the same SQLite data directory during an update.
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app.kubernetes.io/instance: wanderer
      app.kubernetes.io/name: wanderer-db
  template:
    metadata:
      labels:
        app.kubernetes.io/instance: wanderer
        app.kubernetes.io/name: wanderer-db
    spec:
      # NOTE(review): no securityContext is declared; container runs with the
      # image defaults. Confirm whether a non-root user works with /pb_data.
      containers:
        - name: pocketbase
          image: flomp/wanderer-db:v0.19.1
          ports:
            - name: http
              containerPort: 8090
          env:
            # Public origin of the web frontend (used for redirects/CORS).
            - name: ORIGIN
              value: "https://wanderer.dooplex.hu"
            # In-cluster, plaintext link to Meilisearch via its Service.
            - name: MEILI_URL
              value: "http://wanderer-meilisearch:7700"
            - name: MEILI_MASTER_KEY
              valueFrom:
                secretKeyRef:
                  name: wanderer-app
                  key: meili-master-key
            # Key used by PocketBase to encrypt settings at rest; losing it
            # makes the stored settings unreadable, so keep it backed up with
            # the Secret, not only with the PVC.
            - name: POCKETBASE_ENCRYPTION_KEY
              valueFrom:
                secretKeyRef:
                  name: wanderer-app
                  key: pocketbase-encryption-key
          resources:
            requests:
              cpu: 100m
              memory: 128Mi
            limits:
              cpu: 500m
              memory: 512Mi
          volumeMounts:
            - name: pb-data
              mountPath: /pb_data
          readinessProbe:
            httpGet:
              path: /api/health
              port: http
            initialDelaySeconds: 10
            periodSeconds: 10
          livenessProbe:
            httpGet:
              path: /api/health
              port: http
            initialDelaySeconds: 30
            periodSeconds: 30
      volumes:
        - name: pb-data
          persistentVolumeClaim:
            claimName: wanderer-db
---
# SvelteKit frontend (wanderer-web). Stateless: no PVC, single replica.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: wanderer-web
  namespace: wanderer-system
  labels:
    app.kubernetes.io/instance: wanderer
    app.kubernetes.io/name: wanderer-web
spec:
  replicas: 1
  strategy:
    type: Recreate
  selector:
    matchLabels:
      app.kubernetes.io/instance: wanderer
      app.kubernetes.io/name: wanderer-web
  template:
    metadata:
      labels:
        app.kubernetes.io/instance: wanderer
        app.kubernetes.io/name: wanderer-web
    spec:
      # NOTE(review): no securityContext is declared; see the other Deployments.
      containers:
        - name: wanderer-web
          image: flomp/wanderer-web:v0.19.1
          ports:
            - name: http
              containerPort: 3000
          env:
            # NOTE(review): this disables certificate verification for EVERY
            # outbound TLS connection made by the Node process, not for one
            # host, so any server-side HTTPS call becomes interceptable.
            # Nothing in this manifest appears to need it: the in-cluster URLs
            # below are plain http and the public hosts get certificates from
            # letsencrypt-prod. Remove it once it is confirmed that no
            # server-side request targets a self-signed endpoint.
            - name: NODE_TLS_REJECT_UNAUTHORIZED
              value: "0"
            # V8 heap cap, kept below the 8Gi container memory limit.
            - name: NODE_OPTIONS
              value: "--max-old-space-size=7168"
            - name: ORIGIN
              value: "https://wanderer.dooplex.hu"
            # Server-side PocketBase access goes through the in-cluster Service
            # over plaintext; browsers use the public host below instead.
            - name: POCKETBASE_URL
              value: "http://wanderer-db:8090"
            - name: PUBLIC_POCKETBASE_URL
              value: "https://pb.wanderer.dooplex.hu"
            - name: MEILI_URL
              value: "http://wanderer-meilisearch:7700"
            - name: MEILI_MASTER_KEY
              valueFrom:
                secretKeyRef:
                  name: wanderer-app
                  key: meili-master-key
            # Self-registration is off; accounts come via the OIDC provider
            # described in the file header.
            - name: PUBLIC_DISABLE_SIGNUP
              value: "true"
            # NOTE(review): no server-side request body cap. The only bound on
            # upload size is the 100m proxy-body-size set on the Ingress, so
            # traffic that bypasses the Ingress is unlimited.
            - name: BODY_SIZE_LIMIT
              value: "Infinity"
          resources:
            requests:
              cpu: 50m
              memory: 64Mi
            # No CPU limit is set; only memory is bounded.
            limits:
              memory: 8Gi
          # TCP-level readiness only; there is no liveness probe on this pod.
          readinessProbe:
            tcpSocket:
              port: 3000
            initialDelaySeconds: 5
            periodSeconds: 10
            timeoutSeconds: 1
            failureThreshold: 3
---
# Cluster-internal endpoint for Meilisearch; not exposed by any Ingress.
apiVersion: v1
kind: Service
metadata:
  name: wanderer-meilisearch
  namespace: wanderer-system
  labels:
    app.kubernetes.io/instance: wanderer
    app.kubernetes.io/name: wanderer-meilisearch
spec:
  type: ClusterIP
  selector:
    app.kubernetes.io/instance: wanderer
    app.kubernetes.io/name: wanderer-meilisearch
  ports:
    - name: http
      port: 7700
      targetPort: http
---
# PocketBase Service. Used in-cluster by wanderer-web and as the backend of
# the wanderer-pocketbase Ingress.
apiVersion: v1
kind: Service
metadata:
  name: wanderer-db
  namespace: wanderer-system
  labels:
    app.kubernetes.io/instance: wanderer
    app.kubernetes.io/name: wanderer-db
spec:
  type: ClusterIP
  selector:
    app.kubernetes.io/instance: wanderer
    app.kubernetes.io/name: wanderer-db
  ports:
    - name: http
      port: 8090
      targetPort: http
---
# Frontend Service; backend of the wanderer-web Ingress.
apiVersion: v1
kind: Service
metadata:
  name: wanderer-web
  namespace: wanderer-system
  labels:
    app.kubernetes.io/instance: wanderer
    app.kubernetes.io/name: wanderer-web
spec:
  type: ClusterIP
  selector:
    app.kubernetes.io/instance: wanderer
    app.kubernetes.io/name: wanderer-web
  ports:
    - name: http
      port: 3000
      targetPort: http
---
# Public entry point for the frontend. Access is limited by an nginx snippet
# to RFC1918 192.168/16 and 10/8 sources plus clients GeoIP-located in HU.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: wanderer-web
  namespace: wanderer-system
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    # Upload cap at the edge; the app itself sets BODY_SIZE_LIMIT=Infinity.
    nginx.ingress.kubernetes.io/proxy-body-size: "100m"
    # optional, only if you actually use external-dns:
    external-dns.alpha.kubernetes.io/hostname: wanderer.dooplex.hu
    # NOTE(review): three things to confirm on the controller side for this
    # allowlist to be effective:
    #   1. snippet annotations must be allowed on the ingress-nginx
    #      controller; if they are not, the Ingress is rejected or the rule
    #      is dropped — check the rendered nginx.conf;
    #   2. $remote_addr is the immediate peer. Behind a load balancer or
    #      NodePort without source-IP preservation it may always be a
    #      cluster/node address in 10/8 or 192.168/16, which would make the
    #      private-range checks pass for everyone;
    #   3. $geoip2_country_code must be defined by the controller's GeoIP2
    #      configuration, otherwise nginx fails to load the config.
    nginx.ingress.kubernetes.io/configuration-snippet: |
      set $geo_allowed 0;
      if ($remote_addr ~ "^192\.168\.") { set $geo_allowed 1; }
      if ($remote_addr ~ "^10\.") { set $geo_allowed 1; }
      if ($geoip2_country_code = "HU") { set $geo_allowed 1; }
      if ($geo_allowed = 0) {
        return 403 "Access restricted to Hungary";
      }
spec:
  ingressClassName: nginx-internal
  tls:
    - secretName: wanderer-web-tls
      hosts:
        - wanderer.dooplex.hu
  rules:
    - host: wanderer.dooplex.hu
      http:
        paths:
          - pathType: Prefix
            path: /
            backend:
              service:
                name: wanderer-web
                port:
                  number: 3000
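---
# Public entry point for PocketBase (API and admin UI). Browsers reach it via
# PUBLIC_POCKETBASE_URL; server-side traffic from wanderer-web uses the
# in-cluster Service instead and is unaffected by this Ingress.
#
# The same source-IP / GeoIP allowlist as on the wanderer-web Ingress is
# applied here: a client that is blocked from the frontend should not be able
# to talk to the backend (and its admin login) directly. Any client that
# passes the frontend rule passes this one too, since both evaluate the same
# client address, so the OAuth redirect flow described in the file header is
# not affected.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: wanderer-pocketbase
  namespace: wanderer-system
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    nginx.ingress.kubernetes.io/proxy-body-size: "100m"
    # optional, only if you actually use external-dns:
    external-dns.alpha.kubernetes.io/hostname: pb.wanderer.dooplex.hu
    # NOTE(review): identical caveats as on the wanderer-web Ingress apply —
    # the controller must accept snippet annotations, $remote_addr must be
    # the real client address (source-IP preservation), and
    # $geoip2_country_code must be defined by the controller's GeoIP2 setup.
    nginx.ingress.kubernetes.io/configuration-snippet: |
      set $geo_allowed 0;
      if ($remote_addr ~ "^192\.168\.") { set $geo_allowed 1; }
      if ($remote_addr ~ "^10\.") { set $geo_allowed 1; }
      if ($geoip2_country_code = "HU") { set $geo_allowed 1; }
      if ($geo_allowed = 0) {
        return 403 "Access restricted to Hungary";
      }
spec:
  ingressClassName: nginx-internal
  tls:
    - secretName: wanderer-pb-tls
      hosts:
        - pb.wanderer.dooplex.hu
  rules:
    - host: pb.wanderer.dooplex.hu
      http:
        paths:
          - pathType: Prefix
            path: /
            backend:
              service:
                name: wanderer-db
                port:
                  number: 8090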
---
# Meilisearch index storage on Longhorn. The recurring-job labels opt the
# volume into the Longhorn backup / snapshot job groups.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: wanderer-meilisearch
  namespace: wanderer-system
  labels:
    app.kubernetes.io/instance: wanderer
    app.kubernetes.io/name: wanderer-meilisearch
    recurring-job-group.longhorn.io/needbackup: enabled
    recurring-job.longhorn.io/source: enabled
spec:
  storageClassName: longhorn
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 5Gi
---
# PocketBase data directory (/pb_data) on Longhorn, backed up via the same
# recurring-job labels as the search volume. Note that settings encrypted
# with POCKETBASE_ENCRYPTION_KEY are only usable together with that Secret.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: wanderer-db
  namespace: wanderer-system
  labels:
    app.kubernetes.io/instance: wanderer
    app.kubernetes.io/name: wanderer-db
    recurring-job-group.longhorn.io/needbackup: enabled
    recurring-job.longhorn.io/source: enabled
spec:
  storageClassName: longhorn
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 5Gi