# code-server - VS Code in the browser
# https://github.com/coder/code-server
# Version: v4.107.0
# Domain: code.dooplex.hu
# Auth: Authentik Forward Auth (Proxy) - no native OIDC support
#
# code-server's built-in auth is basic password-based, so we use
# Authentik forward auth for SSO and disable internal auth.
#
# Authentik Setup:
# 1. Create Proxy Provider:
# - Name: code-server
# - External Host: https://code.dooplex.hu
# - Mode: Forward auth (single application)
# 2. Create Application linked to this provider
# 3. Create Outpost (or add to existing) with this provider
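---
# Namespace for code-server.
# Pod Security Admission labels: "baseline" (enforce) rejects privileged /
# host-namespace / hostPath pods at admission time, which the Deployment in
# this file does not use, so nothing currently deployed is blocked. "restricted"
# in warn mode reports what the pod spec still lacks (e.g. dropped capabilities)
# without blocking rollouts.
apiVersion: v1
kind: Namespace
metadata:
  name: code-system
  labels:
    app.kubernetes.io/name: code-server
    pod-security.kubernetes.io/enforce: baseline
    pod-security.kubernetes.io/warn: restricted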
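---
# code-server Deployment.
# Internal auth is disabled (--auth=none) and the only authentication is the
# Authentik forward-auth on the Ingress. Anything that can reach port 8080 of
# this pod from inside the cluster therefore gets an unauthenticated IDE
# session (with its integrated terminal) as the "coder" user. A NetworkPolicy
# limiting ingress to the ingress controller's namespace is the missing piece;
# it is not added here because the controller namespace/labels are not visible
# in this file.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: code-server
  namespace: code-system
  labels:
    app.kubernetes.io/instance: code-server
    app.kubernetes.io/name: code-server
spec:
  # Single replica: all three PVCs are ReadWriteOnce, and Recreate avoids two
  # pods contending for the same volumes during a rollout.
  replicas: 1
  selector:
    matchLabels:
      app.kubernetes.io/instance: code-server
      app.kubernetes.io/name: code-server
  strategy:
    type: Recreate
  template:
    metadata:
      labels:
        app.kubernetes.io/instance: code-server
        app.kubernetes.io/name: code-server
      annotations:
        # version-checker: only plain semver tags count as upgrade candidates
        match-regex.version-checker.io/code-server: '^[0-9]+\.[0-9]+\.[0-9]+$'
    spec:
      # The IDE exposes a terminal; a service-account token in the pod would
      # turn any IDE session (or a malicious extension) into a cluster identity.
      automountServiceAccountToken: false
      securityContext:
        # Enforce at admission what the container-level runAsUser already does.
        runAsNonRoot: true
        fsGroup: 1000
        seccompProfile:
          type: RuntimeDefault
      containers:
        - name: code-server
          # NOTE(review): the file header says v4.107.0; keep the two in sync.
          # Pinning by digest (codercom/code-server:4.108.0@sha256:<digest>)
          # would make the deployed artifact immutable.
          image: codercom/code-server:4.108.0
          args:
            - --bind-addr=0.0.0.0:8080
            # Authentication is delegated to the Ingress (Authentik forward auth)
            - --auth=none
            - --disable-telemetry
            - --disable-update-check
          env:
            - name: TZ
              value: "Europe/Budapest"
            - name: HOME
              value: "/home/coder"
            - name: USER
              value: "coder"
            # Proxy trust for headers
            # NOTE(review): confirm this variable is honored by this code-server
            # release; an unrecognised env var is silently ignored.
            - name: CS_DISABLE_PROXY_TRUST
              value: "false"
            # Global git config lives inside the "config" PVC so it persists.
            - name: GIT_CONFIG_GLOBAL
              value: "/home/coder/.config/git/config"
          lifecycle:
            postStart:
              exec:
                # The PVC starts empty; create the directory GIT_CONFIG_GLOBAL
                # points into.
                command: ["/bin/sh", "-c", "mkdir -p /home/coder/.config/git"]
          ports:
            - containerPort: 8080
              name: http
          resources:
            requests:
              cpu: 200m
              memory: 512Mi
            limits:
              cpu: 2000m
              memory: 4Gi
          volumeMounts:
            - name: config
              mountPath: /home/coder/.config
            - name: workspace
              mountPath: /home/coder/workspace
            - name: local
              mountPath: /home/coder/.local
            # ~/.ssh is the "ssh/" directory of the config PVC (subPath), so
            # SSH keys live on the same volume as the rest of ~/.config.
            - name: config
              mountPath: /home/coder/.ssh
              subPath: ssh
          livenessProbe:
            httpGet:
              path: /healthz
              port: http
            initialDelaySeconds: 30
            periodSeconds: 30
          readinessProbe:
            httpGet:
              path: /healthz
              port: http
            initialDelaySeconds: 10
            periodSeconds: 10
          securityContext:
            runAsUser: 1000
            runAsGroup: 1000
            # Not set here: allowPrivilegeEscalation: false and
            # capabilities.drop: [ALL]. The upstream image gives "coder"
            # passwordless sudo; if that is not relied on, add both.
      volumes:
        - name: config
          persistentVolumeClaim:
            claimName: code-server-config
        - name: workspace
          persistentVolumeClaim:
            claimName: code-server-workspace
        - name: local
          persistentVolumeClaim:
            claimName: code-server-local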
---
# ClusterIP Service in front of the single code-server pod.
# Only reachable inside the cluster, but note that the Authentik forward-auth
# is enforced on the Ingress, not here: in-cluster clients hit code-server
# (running with --auth=none) directly.
apiVersion: v1
kind: Service
metadata:
  name: code-server
  namespace: code-system
  labels:
    app.kubernetes.io/instance: code-server
    app.kubernetes.io/name: code-server
spec:
  type: ClusterIP
  ports:
    - name: http
      port: 8080
      # Resolved against the container port named "http" in the Deployment
      targetPort: http
  selector:
    app.kubernetes.io/instance: code-server
    app.kubernetes.io/name: code-server
---
# Ingress with Authentik forward auth
# Two hosts share one backend: the public name (TLS via cert-manager) and
# code.home, which has no entry under spec.tls.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: code-server
  namespace: code-system
  labels:
    app.kubernetes.io/instance: code-server
    app.kubernetes.io/name: code-server
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    external-dns.alpha.kubernetes.io/hostname: code.dooplex.hu,code.home
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    # Large uploads (extensions, workspace files) and long-lived connections
    nginx.ingress.kubernetes.io/proxy-body-size: "500m"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
    # WebSocket support for code-server
    nginx.ingress.kubernetes.io/proxy-http-version: "1.1"
    # Sticky-by-client-IP; a no-op while replicas stays at 1
    nginx.ingress.kubernetes.io/upstream-hash-by: "$remote_addr"
    # Authentik forward auth
    # Every request is checked against the outpost in auth-system before being
    # proxied; unauthenticated requests are sent to the signin URL. The signin
    # URL is hard-wired to code.dooplex.hu, so an unauthenticated visit to
    # code.home is redirected to the public host.
    nginx.ingress.kubernetes.io/auth-url: http://ak-outpost-code-outpost.auth-system.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx
    nginx.ingress.kubernetes.io/auth-signin: https://code.dooplex.hu/outpost.goauthentik.io/start?rd=$escaped_request_uri
    nginx.ingress.kubernetes.io/auth-snippet: |
      proxy_set_header X-Forwarded-Host $http_host;
    # Country allow-list evaluated before the auth_request.
    # NOTE(review): both snippet annotations require the controller to allow
    # snippets (allow-snippet-annotations), and $geoip2_country_code requires
    # the controller's GeoIP2 databases to be configured; with either missing
    # the Ingress is rejected or the config fails to load — confirm on the
    # nginx-internal controller. The country lookup is also only meaningful
    # if the controller sees the real client address (proxy protocol /
    # forwarded headers), which this file cannot show.
    nginx.ingress.kubernetes.io/configuration-snippet: |
      if ($geoip2_country_code != "HU") {
        return 403 "Access restricted to Hungary";
      }
spec:
  ingressClassName: nginx-internal
  rules:
    - host: code.dooplex.hu
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: code-server
                port:
                  number: 8080
    - host: code.home
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: code-server
                port:
                  number: 8080
  tls:
    - hosts:
        - code.dooplex.hu
      secretName: code-server-tls
---
# PVC backing /home/coder/.config (and, via subPath "ssh", /home/coder/.ssh).
# Carries the Longhorn recurring-job labels, so it is included in the
# "default" and "source" recurring-job groups (SSH keys and git config live here).
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: code-server-config
  namespace: code-system
  labels:
    app.kubernetes.io/instance: code-server
    app.kubernetes.io/name: code-server-config
    recurring-job-group.longhorn.io/default: enabled
    recurring-job.longhorn.io/source: enabled
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: longhorn
  resources:
    requests:
      storage: 2Gi
---
# PVC backing /home/coder/workspace (user projects).
# Same Longhorn recurring-job labels as the config PVC.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: code-server-workspace
  namespace: code-system
  labels:
    app.kubernetes.io/instance: code-server
    app.kubernetes.io/name: code-server-workspace
    recurring-job-group.longhorn.io/default: enabled
    recurring-job.longhorn.io/source: enabled
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: longhorn
  resources:
    requests:
      storage: 20Gi
---
# PVC backing /home/coder/.local.
# Unlike the config and workspace PVCs this one has no Longhorn recurring-job
# labels — presumably deliberate, since ~/.local holds regenerable
# extension/cache data; confirm that nothing irreplaceable ends up here.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: code-server-local
  namespace: code-system
  labels:
    app.kubernetes.io/instance: code-server
    app.kubernetes.io/name: code-server-local
spec:
  accessModes:
    - ReadWriteOnce
  storageClassName: longhorn
  resources:
    requests:
      storage: 5Gi