homelab-manifests/kisfenyo-system/filebrowser-quantum.yaml

---
# Namespace for Viktor's (kisfenyo) self-hosted applications.
# Every namespaced object defined in this file is created inside it.
apiVersion: v1
kind: Namespace
metadata:
  name: kisfenyo-system
  labels:
    app.kubernetes.io/name: kisfenyo-system
---
# ============================================
# FileBrowser Quantum - Personal File Manager for Viktor
# ============================================
# https://github.com/gtsteffaniak/filebrowser (Quantum fork)
# Docs: https://filebrowserquantum.com/
#
# Access: https://kisfenyo-files.dooplex.hu (Authentik login)
# https://kisfenyo-files.home (internal)
#
# Data Sources:
# - Home: /home/kisfenyo
# - 4_HDD: /mnt/4_hdd/kisfenyo
#
# Authentik Setup:
# 1. Create a Proxy Provider in Authentik:
# - Name: Kisfenyo FileBrowser
# - Authorization flow: default-provider-authorization-implicit-consent
# - Type: Forward auth (single application)
# - External host: https://kisfenyo-files.dooplex.hu
#
# 2. Create an Application:
# - Name: Kisfenyo FileBrowser
# - Slug: kisfenyo-filebrowser
# - Provider: Kisfenyo FileBrowser
# - (Optional) Restrict to specific users/groups
#
# 3. Create an Outpost (or add to existing):
# - Name: kisfenyo-outpost
# - Type: Proxy
# - Integration: Kubernetes (auth-system namespace)
# - Applications: Kisfenyo FileBrowser
#
---
# ConfigMap holding FileBrowser Quantum's config.yaml. The Deployment mounts it
# read-only at /config and points FILEBROWSER_CONFIG at /config/config.yaml.
#
# NOTE(review): integrations.office.secret is a credential written in plain
# text into a ConfigMap and committed together with this manifest. Anyone who
# can read the repository or list ConfigMaps in this namespace can read it.
# Treat the committed value as exposed: rotate it and deliver the new one from
# a Kubernetes Secret (or a sealed/external secret) - check the FileBrowser
# Quantum docs for the supported way to inject it.
#
# NOTE(review): auth.methods.proxy makes FileBrowser take the user name from
# the X-authentik-username request header; createUser appears to auto-create
# accounts for unknown names, and adminUsername presumably designates the
# admin account. The header is only trustworthy when every request arrives
# through the Authentik-protected Ingress - confirm nothing else can reach the
# pod or Service directly.
apiVersion: v1
kind: ConfigMap
metadata:
  name: kisfenyo-filebrowser-config
  namespace: kisfenyo-system
  labels:
    app.kubernetes.io/instance: kisfenyo-filebrowser
    app.kubernetes.io/name: filebrowser
data:
  config.yaml: |
    server:
      database: /home/filebrowser/data/database.db
      externalUrl: "https://kisfenyo-files.dooplex.hu" # or whatever your FB domain is
      internalUrl: "http://kisfenyo-filebrowser.kisfenyo-system.svc.cluster.local" # adjust to match
      port: 80
      sources:
        - path: /srv/home
          name: "Home"
          config:
            defaultEnabled: true
        - path: /srv/4_hdd
          name: "4_HDD"
          config:
            defaultEnabled: true
    auth:
      adminUsername: kisfenyo
      methods:
        proxy:
          enabled: true
          header: "X-authentik-username"
          createUser: true
        password:
          enabled: false
    integrations:
      office:
        url: "https://office.dooplex.hu"
        internalUrl: "http://onlyoffice.office-system.svc.cluster.local"
        secret: "H918c26lI3QdcGoVFhWYjyXV1NAhELrV"
---
# Longhorn-backed claim for FileBrowser's own state (database, cache).
# The user's files are not stored here; they come from the hostPath volumes
# declared in the Deployment.
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: kisfenyo-filebrowser-data
  namespace: kisfenyo-system
  labels:
    app.kubernetes.io/name: filebrowser
    app.kubernetes.io/instance: kisfenyo-filebrowser
    # Longhorn recurring-job label - presumably enrols this volume in the
    # "backup" job group; confirm that group exists in Longhorn.
    recurring-job-group.longhorn.io/backup: enabled
spec:
  storageClassName: longhorn
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 500Mi
---
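# FileBrowser Quantum Deployment: a single pod that serves /home/kisfenyo and
# /mnt/4_hdd/kisfenyo from the node through hostPath volumes.
apiVersion: apps/v1
kind: Deployment
metadata:
  name: kisfenyo-filebrowser
  namespace: kisfenyo-system
  labels:
    app.kubernetes.io/instance: kisfenyo-filebrowser
    app.kubernetes.io/name: filebrowser
  annotations:
    # Stakater Reloader annotation - presumably restarts the pod when the
    # mounted ConfigMap changes; confirm Reloader runs in this cluster.
    reloader.stakater.com/auto: "true"
spec:
  replicas: 1
  strategy:
    # Stop the old pod before starting the new one; the data PVC in this file
    # is ReadWriteOnce.
    type: Recreate
  selector:
    matchLabels:
      app.kubernetes.io/instance: kisfenyo-filebrowser
      app.kubernetes.io/name: filebrowser
  template:
    metadata:
      labels:
        app.kubernetes.io/instance: kisfenyo-filebrowser
        app.kubernetes.io/name: filebrowser
      annotations:
        # version-checker: only compare against tags shaped like 1.2.3-stable
        match-regex.version-checker.io/filebrowser: '^\d+\.\d+\.\d+-stable$'
    spec:
      # Nothing in this manifest gives the pod a reason to call the Kubernetes
      # API (no serviceAccountName, no RBAC), so do not mount the default
      # ServiceAccount token next to the host directories.
      automountServiceAccountToken: false
      # Run as kisfenyo user (UID 1000, GID 1000) for proper file permissions
      securityContext:
        runAsUser: 1000
        runAsGroup: 1000
        fsGroup: 1000
      containers:
        - name: filebrowser
          # NOTE(review): the image is pinned by tag only; a tag can be moved
          # upstream. Pinning by digest (image@sha256:<digest>) makes the
          # deployed content reproducible.
          image: gtstef/filebrowser:1.1.2-stable
          # NOTE(review): no container-level securityContext is set.
          # allowPrivilegeEscalation: false, capabilities.drop: [ALL] and
          # seccompProfile RuntimeDefault are the usual hardening; verify first
          # that the process can still bind port 80 as UID 1000 with them.
          env:
            - name: TZ
              value: "Europe/Budapest"
            - name: FILEBROWSER_CONFIG
              value: "/config/config.yaml"
          ports:
            - containerPort: 80
              name: http
              protocol: TCP
          volumeMounts:
            # User's home directory (read-write host path)
            - name: home-data
              mountPath: /srv/home
            # 4_HDD data (read-write host path)
            - name: hdd-data
              mountPath: /srv/4_hdd
            # Config from ConfigMap
            - name: config
              mountPath: /config
              readOnly: true
            # Persistent data (database, cache)
            - name: data
              mountPath: /home/filebrowser/data
          resources:
            requests:
              cpu: 50m
              memory: 128Mi
            limits:
              cpu: 1000m
              memory: 1Gi
          livenessProbe:
            httpGet:
              path: /health
              port: http
            initialDelaySeconds: 15
            periodSeconds: 30
            timeoutSeconds: 5
            failureThreshold: 3
          readinessProbe:
            httpGet:
              path: /health
              port: http
            initialDelaySeconds: 10
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 3
      volumes:
        # NOTE(review): hostPath volumes expose node directories to the pod
        # and "type: Directory" requires them to exist already. There is no
        # nodeSelector/affinity in this spec; on a multi-node cluster confirm
        # the pod is pinned to the node that holds these paths.
        # Kisfenyo's home directory
        - name: home-data
          hostPath:
            path: /home/kisfenyo
            type: Directory
        # Kisfenyo's 4_HDD data
        - name: hdd-data
          hostPath:
            path: /mnt/4_hdd/kisfenyo
            type: Directory
        # Config from ConfigMap
        - name: config
          configMap:
            name: kisfenyo-filebrowser-config
        # Persistent data on Longhorn PVC (database, thumbnails, etc.)
        - name: data
          persistentVolumeClaim:
            claimName: kisfenyo-filebrowser-data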
---
# ClusterIP Service in front of the FileBrowser pod; the Ingress routes to its
# named "http" port.
# NOTE(review): FileBrowser is configured for proxy (header) authentication, so
# traffic that reaches this Service without passing through the Ingress is not
# checked by Authentik. A NetworkPolicy that only admits the ingress controller
# would close that path - none is defined in this file.
apiVersion: v1
kind: Service
metadata:
  name: kisfenyo-filebrowser
  namespace: kisfenyo-system
  labels:
    app.kubernetes.io/name: filebrowser
    app.kubernetes.io/instance: kisfenyo-filebrowser
spec:
  type: ClusterIP
  selector:
    app.kubernetes.io/name: filebrowser
    app.kubernetes.io/instance: kisfenyo-filebrowser
  ports:
    - name: http
      protocol: TCP
      port: 80
      targetPort: http
---
# Ingress for FileBrowser, protected by Authentik forward auth and an
# IP/country allow-list. The annotations apply to both hosts in spec.rules.
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: kisfenyo-filebrowser
  namespace: kisfenyo-system
  labels:
    app.kubernetes.io/instance: kisfenyo-filebrowser
    app.kubernetes.io/name: filebrowser
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-prod
    external-dns.alpha.kubernetes.io/hostname: kisfenyo-files.dooplex.hu
    # Large uploads: 4096m request body limit, 300 s proxy timeouts
    nginx.ingress.kubernetes.io/proxy-body-size: "4096m"
    nginx.ingress.kubernetes.io/proxy-connect-timeout: "300"
    nginx.ingress.kubernetes.io/proxy-send-timeout: "300"
    nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
    nginx.ingress.kubernetes.io/ssl-redirect: "true"
    # Authentik forward auth - update outpost name after creating in Authentik!
    # Each request is checked against the outpost at auth-url; unauthenticated
    # users are sent to auth-signin, which always uses the external host name.
    nginx.ingress.kubernetes.io/auth-url: http://ak-outpost-kisfenyo-outpost.auth-system.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx
    nginx.ingress.kubernetes.io/auth-signin: https://kisfenyo-files.dooplex.hu/outpost.goauthentik.io/start?rd=$escaped_request_uri
    # Headers copied from the auth response to the backend. FileBrowser reads
    # X-authentik-username as the logged-in user, so this list is what
    # carries the identity.
    nginx.ingress.kubernetes.io/auth-response-headers: X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
    # NOTE(review): auth-snippet and configuration-snippet inject raw nginx
    # configuration. Recent ingress-nginx releases reject or ignore snippet
    # annotations unless the controller enables allow-snippet-annotations; if
    # they are not applied, the allow-list below is not enforced. Enabling them
    # also lets anyone who may create Ingress objects add nginx directives -
    # confirm the controller setting and who holds that permission.
    nginx.ingress.kubernetes.io/auth-snippet: |
      proxy_set_header X-Forwarded-Host $http_host;
    # Geo-blocking: Hungary AND UK (plus local networks)
    # NOTE(review): the rules below allow only country code HU plus the
    # 192.168.0.0/16 and 10.0.0.0/8 ranges. The UK named in this comment and in
    # the 403 text has no matching rule - confirm which is intended.
    # NOTE(review): $remote_addr is the peer address nginx sees; behind a load
    # balancer or another proxy verify it is the real client address,
    # otherwise the private-range rules may match every request.
    nginx.ingress.kubernetes.io/configuration-snippet: |
      set $geo_allowed 0;
      if ($remote_addr ~ "^192\.168\.") { set $geo_allowed 1; }
      if ($remote_addr ~ "^10\.") { set $geo_allowed 1; }
      if ($geoip2_country_code = "HU") { set $geo_allowed 1; }
      if ($geo_allowed = 0) {
        return 403 "Access restricted to Hungary and UK";
      }
spec:
  ingressClassName: nginx-internal
  # NOTE(review): only kisfenyo-files.dooplex.hu is listed under tls.hosts;
  # kisfenyo-files.home has no certificate here - confirm how that host is
  # meant to be served.
  tls:
    - hosts:
        - kisfenyo-files.dooplex.hu
      secretName: kisfenyo-filebrowser-tls
  rules:
    # External host (Authentik login)
    - host: kisfenyo-files.dooplex.hu
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: kisfenyo-filebrowser
                port:
                  name: http
    # Internal host; same backend and same annotations as above
    - host: kisfenyo-files.home
      http:
        paths:
          - path: /
            pathType: Prefix
            backend:
              service:
                name: kisfenyo-filebrowser
                port:
                  name: http