Reset git history for making manifests public

This commit is contained in:
2026-05-31 22:14:43 +02:00
commit 0140810d60
411 changed files with 42163 additions and 0 deletions

View File

@@ -0,0 +1,29 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: argocd-ingress
namespace: argocd
annotations:
cert-manager.io/cluster-issuer: azure-dns
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
nginx.ingress.kubernetes.io/use-forwarded-headers: "true"
nginx.ingress.kubernetes.io/proxy-real-ip-cidr: "0.0.0.0/0"
spec:
ingressClassName: nginx
tls:
- hosts:
- argocd.jsme.be
secretName: argocd-tls
rules:
- host: argocd.jsme.be
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: argocd-server
port:
number: 443

View File

@@ -0,0 +1,26 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: bentopdf-ingress
namespace: bentopdf
annotations:
cert-manager.io/cluster-issuer: azure-dns
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
spec:
ingressClassName: nginx
tls:
- hosts:
- pdf.jsme.be
secretName: bentopdf-tls
rules:
- host: pdf.jsme.be
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: bentopdf
port:
number: 8080

View File

@@ -0,0 +1,29 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: gitea-ingress
namespace: gitea
annotations:
cert-manager.io/cluster-issuer: azure-dns
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
nginx.ingress.kubernetes.io/proxy-body-size: "8192m"
nginx.ingress.kubernetes.io/use-forwarded-headers: "true"
spec:
ingressClassName: nginx
tls:
- hosts:
- gitea.jsme.be
secretName: gitea-tls
rules:
- host: gitea.jsme.be
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: gitea
port:
number: 3000

View File

@@ -0,0 +1,28 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: infisical-ingress
namespace: infisical
annotations:
cert-manager.io/cluster-issuer: azure-dns
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
nginx.ingress.kubernetes.io/proxy-body-size: "100g"
nginx.ingress.kubernetes.io/use-forwarded-headers: "true"
spec:
ingressClassName: nginx
tls:
- hosts:
- infisical.jsme.be
secretName: infisical-tls
rules:
- host: infisical.jsme.be
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: infisical
port:
number: 8080

View File

@@ -0,0 +1,26 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ittools-ingress
namespace: ittools
annotations:
cert-manager.io/cluster-issuer: azure-dns
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
spec:
ingressClassName: nginx
tls:
- hosts:
- tools.jsme.be
secretName: tools-tls
rules:
- host: tools.jsme.be
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: ittools
port:
number: 8080

View File

@@ -0,0 +1,29 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: jellyseer-ingress
namespace: jellyseer
annotations:
cert-manager.io/cluster-issuer: azure-dns
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
nginx.ingress.kubernetes.io/use-forwarded-headers: "true"
nginx.ingress.kubernetes.io/proxy-real-ip-cidr: "0.0.0.0/0"
spec:
ingressClassName: nginx
tls:
- hosts:
- jellyseer.jsme.be
secretName: jellyseer-tls
rules:
- host: jellyseer.jsme.be
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: jellyseer
port:
number: 5055

View File

@@ -0,0 +1,28 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: jenkins-ingress
namespace: jenkins
annotations:
cert-manager.io/cluster-issuer: azure-dns
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
nginx.ingress.kubernetes.io/use-forwarded-headers: "true"
nginx.ingress.kubernetes.io/proxy-real-ip-cidr: "0.0.0.0/0"
spec:
ingressClassName: nginx
tls:
- hosts:
- jenkins.jsme.be
secretName: jenkins-tls
rules:
- host: jenkins.jsme.be
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: jenkins-svc-ingress
port:
number: 8080

View File

@@ -0,0 +1,13 @@
apiVersion: v1
kind: Service
metadata:
name: jenkins-svc-ingress
namespace: jenkins
spec:
selector:
app: jenkins
ports:
- protocol: TCP
port: 8080
targetPort: 8080
type: ClusterIP

View File

@@ -0,0 +1,27 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: longhorn-ingress
namespace: longhorn-system
annotations:
cert-manager.io/cluster-issuer: azure-dns
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
spec:
ingressClassName: nginx
tls:
- hosts:
- longhorn.jsme.be
secretName: longhorn-tls
rules:
- host: longhorn.jsme.be
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: longhorn-frontend
port:
number: 80

View File

@@ -0,0 +1,26 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: resume-minioweb-ingress
namespace: resume
annotations:
cert-manager.io/cluster-issuer: azure-dns
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
spec:
ingressClassName: nginx
tls:
- hosts:
- resume-minioweb.jsme.be
secretName: resume-minioweb-tls
rules:
- host: resume-minioweb.jsme.be
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: minio
port:
number: 9001

View File

@@ -0,0 +1,26 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: resume-minio-ingress
namespace: resume
annotations:
cert-manager.io/cluster-issuer: azure-dns
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
spec:
ingressClassName: nginx
tls:
- hosts:
- resume-minio.jsme.be
secretName: resume-minio-tls
rules:
- host: resume-minio.jsme.be
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: minio
port:
number: 9000

View File

@@ -0,0 +1,26 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: n8n-ingress
namespace: n8n
annotations:
cert-manager.io/cluster-issuer: azure-dns
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
spec:
ingressClassName: nginx
tls:
- hosts:
- n8n.jsme.be
secretName: n8n-tls
rules:
- host: n8n.jsme.be
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: n8n-svc
port:
number: 5678

View File

@@ -0,0 +1,26 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: netbootxyz
namespace: netbootxyz
annotations:
cert-manager.io/cluster-issuer: azure-dns
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
spec:
ingressClassName: nginx
tls:
- hosts:
- netboot.jsme.be
secretName: netbootxyz-tls
rules:
- host: netboot.jsme.be
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: netbootxyz
port:
number: 3000

View File

@@ -0,0 +1,26 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: passbolt-ingress
namespace: passbolt
annotations:
cert-manager.io/cluster-issuer: azure-dns
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
ingressClassName: nginx
tls:
- hosts:
- passbolt.jsme.be
secretName: passbolt-tls
rules:
- host: passbolt.jsme.be
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: passbolt
port:
number: 443

View File

@@ -0,0 +1,26 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: proxmox-ingress
namespace: proxmox
annotations:
cert-manager.io/cluster-issuer: azure-dns
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
ingressClassName: nginx
tls:
- hosts:
- proxmox.jsme.be
secretName: proxmox-tls
rules:
- host: proxmox.jsme.be
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: proxmox
port:
number: 8006

View File

@@ -0,0 +1,30 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: radarr-ingress
namespace: arrstack
annotations:
cert-manager.io/cluster-issuer: azure-dns
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
nginx.ingress.kubernetes.io/use-forwarded-headers: "true"
nginx.ingress.kubernetes.io/proxy-real-ip-cidr: "0.0.0.0/0"
nginx.ingress.kubernetes.io/whitelist-source-range: "10.8.69.0/24,10.8.3.2/32,10.8.4.0/24,10.8.13.2/32"
spec:
ingressClassName: nginx
tls:
- hosts:
- radarr.jsme.be
secretName: radarr-tls
rules:
- host: radarr.jsme.be
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: radarr
port:
number: 7878

View File

@@ -0,0 +1,26 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: resume-ingress
namespace: resume
annotations:
cert-manager.io/cluster-issuer: azure-dns
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
spec:
ingressClassName: nginx
tls:
- hosts:
- resume.jsme.be
secretName: resume-tls
rules:
- host: resume.jsme.be
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: resume
port:
number: 3000

View File

@@ -0,0 +1,30 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: sonarr-ingress
namespace: arrstack
annotations:
cert-manager.io/cluster-issuer: azure-dns
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
nginx.ingress.kubernetes.io/use-forwarded-headers: "true"
nginx.ingress.kubernetes.io/proxy-real-ip-cidr: "0.0.0.0/0"
nginx.ingress.kubernetes.io/whitelist-source-range: "10.8.69.0/24,10.8.3.2/32,10.8.4.0/24,10.8.13.2/32"
spec:
ingressClassName: nginx
tls:
- hosts:
- sonarr.jsme.be
secretName: sonarr-tls
rules:
- host: sonarr.jsme.be
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: sonarr
port:
number: 8989

View File

@@ -0,0 +1,28 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: technitium-backup-ingress
namespace: technitium
annotations:
cert-manager.io/cluster-issuer: azure-dns
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
nginx.ingress.kubernetes.io/proxy-body-size: "100g"
nginx.ingress.kubernetes.io/use-forwarded-headers: "true"
spec:
ingressClassName: nginx
tls:
- hosts:
- dns2.jsme.be
secretName: technitium-backup-tls
rules:
- host: dns2.jsme.be
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: technitium-backup
port:
number: 5380

View File

@@ -0,0 +1,27 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: technitium-ingress
namespace: technitium
annotations:
cert-manager.io/cluster-issuer: azure-dns
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
spec:
ingressClassName: nginx
tls:
- hosts:
- dns1.jsme.be
secretName: technitium-tls
rules:
- host: dns1.jsme.be
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: technitium
port:
number: 5380

View File

@@ -0,0 +1,28 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: truenas-ingress
namespace: truenas
annotations:
cert-manager.io/cluster-issuer: azure-dns
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
nginx.ingress.kubernetes.io/proxy-body-size: "100g"
nginx.ingress.kubernetes.io/use-forwarded-headers: "true"
spec:
ingressClassName: nginx
tls:
- hosts:
- truenas.jsme.be
secretName: truenas-tls
rules:
- host: truenas.jsme.be
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: truenas
port:
number: 443

View File

@@ -0,0 +1,26 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: unifi-ingress
namespace: unifi
annotations:
cert-manager.io/cluster-issuer: azure-dns
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
spec:
ingressClassName: nginx
tls:
- hosts:
- unifi.jsme.be
secretName: unifi-tls
rules:
- host: unifi.jsme.be
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: unifi
port:
number: 443

View File

@@ -0,0 +1,26 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: wiki-ingress
namespace: wiki
annotations:
cert-manager.io/cluster-issuer: azure-dns
nginx.ingress.kubernetes.io/ssl-redirect: "true"
# nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
spec:
ingressClassName: nginx
tls:
- hosts:
- wiki.jsme.be
secretName: wiki-tls
rules:
- host: wiki.jsme.be
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: wiki
port:
number: 3000

View File

@@ -0,0 +1,28 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: zipline-ingress
namespace: zipline
annotations:
cert-manager.io/cluster-issuer: azure-dns
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
nginx.ingress.kubernetes.io/proxy-body-size: "0"
spec:
ingressClassName: nginx
tls:
- hosts:
- share.jsme.be
secretName: zipline-tls
rules:
- host: share.jsme.be
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: zipline
port:
number: 3000

View File

@@ -0,0 +1,14 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: psono-tls
namespace: envoy-gateway
spec:
secretName: psono-tls
privateKey:
rotationPolicy: Always
issuerRef:
name: azure-dns
kind: ClusterIssuer
dnsNames:
- psono.jsme.be

View File

@@ -0,0 +1,19 @@
- op: add
path: /spec/listeners/-
value:
name: psono
protocol: HTTPS
port: 443
hostname: "psono.jsme.be"
allowedRoutes:
namespaces:
from: Selector
selector:
matchLabels:
kubernetes.io/metadata.name: psono
tls:
mode: Terminate
certificateRefs:
- kind: Secret
name: psono-tls
namespace: envoy-gateway

View File

@@ -0,0 +1,46 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: psono-route
namespace: psono
spec:
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: gateway-internal
namespace: envoy-gateway
sectionName: psono
hostnames:
- "psono.jsme.be"
rules:
- matches:
- path:
type: PathPrefix
value: /
filters:
- type: RequestHeaderModifier
requestHeaderModifier:
set:
- name: X-Forwarded-Host
value: "psono.jsme.be"
- name: X-Forwarded-Proto
value: https
- type: ResponseHeaderModifier
responseHeaderModifier:
set:
- name: Strict-Transport-Security
value: "max-age=31536000; includeSubDomains"
- name: X-Content-Type-Options
value: nosniff
- name: X-Frame-Options
value: SAMEORIGIN
- name: Referrer-Policy
value: strict-origin-when-cross-origin
- name: Permissions-Policy
value: "camera=(), microphone=(), geolocation=(), payment=()"
backendRefs:
- name: psono
port: 80
kind: Service
group: ""
weight: 1

View File

@@ -0,0 +1,22 @@
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
name: psono-secrets
namespace: infisical
spec:
hostAPI: https://infisical.jsme.be
resyncInterval: 30
authentication:
universalAuth:
secretsScope:
projectSlug: "kubernetes"
envSlug: "prod"
secretsPath: "/psono"
recursive: true
credentialsRef:
secretName: infisical-universal-auth
secretNamespace: infisical
managedSecretReference:
secretName: psono-secrets
secretNamespace: psono
secretType: Opaque

View File

@@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: psono

View File

@@ -0,0 +1,46 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: postgresql
namespace: psono
spec:
replicas: 1
selector:
matchLabels:
app: postgresql
serviceName: postgresql
template:
metadata:
labels:
app: postgresql
spec:
restartPolicy: Always
terminationGracePeriodSeconds: 60
containers:
- name: postgresql
image: postgres:18
ports:
- containerPort: 5432
volumeMounts:
- name: postgresql-database
mountPath: /var/lib/postgresql/pgdata
env:
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: psono-secrets
key: db_password
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
name: psono-secrets
key: db_user
- name: POSTGRES_DB
valueFrom:
secretKeyRef:
name: psono-secrets
key: db_name
volumes:
- name: postgresql-database
persistentVolumeClaim:
claimName: postgresql-pvc

View File

@@ -0,0 +1,12 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: postgresql-pvc
namespace: psono
spec:
accessModes:
- ReadWriteOnce
storageClassName: longhorn
resources:
requests:
storage: 10Gi

View File

@@ -0,0 +1,14 @@
apiVersion: v1
kind: Service
metadata:
name: postgresql
namespace: psono
spec:
selector:
app: postgresql
type: ClusterIP
ports:
- name: postgresql-port
protocol: TCP
port: 5432
targetPort: 5432

12
deprecated/psono/pvc.yaml Normal file
View File

@@ -0,0 +1,12 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: psono-data
namespace: psono
spec:
accessModes:
- ReadWriteOnce
storageClassName: longhorn
resources:
requests:
storage: 5Gi

View File

@@ -0,0 +1,254 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: psono-settings
namespace: psono
data:
settings.yaml: |
SECRET_KEY: 'PLACEHOLDER'
ACTIVATION_LINK_SECRET: 'PLACEHOLDER'
DB_SECRET: 'PLACEHOLDER'
EMAIL_SECRET_SALT: 'PLACEHOLDER'
PRIVATE_KEY: 'PLACEHOLDER'
PUBLIC_KEY: 'PLACEHOLDER'
WEB_CLIENT_URL: 'https://psono.jsme.be'
# The number of proxies in your environment to parse the X-Forwarded-For header. The basic setup of Psono uses 2
# reverse proxies, the regular one and one in the combo container. If you have additional Loadbalancers you may have
# adjust this parameter.
NUM_PROXIES: 2
FAVICON_SERVICE_URL: 'https://favicon.psono.com/v1/icon/'
# Switch DEBUG to false if you go into production
DEBUG: False
# Adjust this according to Django Documentation https://docs.djangoproject.com/en/5.2/ref/settings/
ALLOWED_HOSTS: ['*']
# Should be your domain without "www.". Will be the last part of the username
ALLOWED_DOMAINS: ['jsme.be', 'gmail.com']
# If you want to disable registration, you can comment in the following line
# ALLOW_REGISTRATION: False
# If you want to disable the lost password functionality, you can comment in the following line
# ALLOW_LOST_PASSWORD: False
# If you want to enforce that the email address and username needs to match upon registration
ENFORCE_MATCHING_USERNAME_AND_EMAIL: False
# If you want to restrict registration to some email addresses you can specify here a list of domains to filter
# REGISTRATION_EMAIL_FILTER: ['company1.com', 'company2.com']
# Should be the URL of the host under which the host is reachable
# If you open the url and append /info/ to it you should have a text similar to {"info":"{\"version\": \"....}
HOST_URL: 'https://psono.jsme.be/server'
# The email used to send emails, e.g. for activation
# ATTENTION: If executed in a docker container, then "localhost" will resolve to the docker container, so
# "localhost" will not work as host. Use the public IP or DNS record of the server.
EMAIL_FROM: $email_from
EMAIL_HOST: $email_host
EMAIL_HOST_USER: $email_user
EMAIL_HOST_PASSWORD: $email_password
EMAIL_PORT: $email_port
EMAIL_SUBJECT_PREFIX: ''
EMAIL_USE_TLS: True
EMAIL_TIMEOUT: 10
# Cache with Redis
# By default you should use something different than database 0 or 1, e.g. 13 (default max is 16, can be configured in
# redis.conf) possible URLS are:
# redis://[:password]@localhost:6379/0
# rediss://[:password]@localhost:6379/0
# unix://[:password]@/path/to/socket.sock?db=0
# CACHE_ENABLE: False
# CACHE_REDIS: False
# CACHE_REDIS_LOCATION: 'redis://127.0.0.1:6379/13'
# The server will automatically connect to the license server to get a license for 10 users.
# For paying customers we offer the opportunity to get an offline license code.
#
# LICENSE_CODE: |
# 0abcdefg...
# 1abcdefg...
# 2abcdefg...
# 3abcdefg...
# 4abcdefg...
# 5abcdefg...
# 6abcdefg...
# 7abcdefg...
# 8abcdefg...
# Optional: Send an email notification when remaining licenses reach a threshold.
# The threshold is checked whenever users are created or activated.
ADMIN_EMAIL: [$email_user]
# ADMIN_EMAIL_LICENSE_THRESHOLD: 1
# Enables the management API, required for the psono-admin-client / admin portal (Default is set to False)
MANAGEMENT_ENABLED: True
# Enables the fileserver API, required for the psono-fileserver
# FILESERVER_HANDLER_ENABLED: False
# Enables files for the client
# FILES_ENABLED: False
# Allows that users can search for partial usernames
ALLOW_USER_SEARCH_BY_USERNAME_PARTIAL: True
# Allows that users can search for email addresses too
ALLOW_USER_SEARCH_BY_EMAIL: True
# Disables central security reports
# DISABLE_CENTRAL_SECURITY_REPORTS: True
# If you want to use SAML, then you can configure it like this as a dictionary.
#
# About the parameters:
# idp->entityId: Thats the url to the metadata of your IDP
# idp->singleLogoutService->url: Thats the url to the logout service of your IDP
# idp->singleSignOnService->url: Thats the url to the single sign-on service of your IDP
# idp->x509cert: Thats the certificate of your IDP
# idp->groups_attribute: The attribute in the SAML response that holds your groups
# idp->username_attribute: The attribute in the SAML response that holds the username. If you put here null, then it will use the NameID
# idp->email_attribute: The attribute in the SAML response that holds the email address.
# idp->username_domain: The domain that is appended to the provided username, if the provided username is not already in email format.
# idp->required_group: A list of group names (casesensitive) in order to restrict who can use SAML login with this installation. Leave empty for no restriction.
# idp->is_adfs: If you are using ADFS.
# idp->honor_multifactors: Multifactor authentication can be bypassed with this flag for all SAML users (e.g. when you already enforce multifactor on the SAML provider).
# idp->max_session_lifetime: The time in seconds that a session created throught SAML will live
#
# sp->NameIDFormat: The normal nameformat parameter. (should only be set to transient if you have set a username attribute with username_attribute)
# sp->attributeConsumingService: Only necessary if the IDP needs to be told to send some specific attributes
# sp->x509cert: The X.509 cert
# sp->privateKey: The corresponding private key of the X.509 cert
#
# There are a couple of more options next to those required ones below.
# More information can be found here https://github.com/onelogin/python3-saml
#
# A self-signed certificate can be generated with:
# openssl req -new -newkey rsa:2048 -x509 -days 3650 -nodes -sha256 -out sp_x509cert.crt -keyout sp_private_key.key
#
# To help you setup SAML, we have created a small "testsaml" command that should make things easier. You can execute it like:
# docker run --rm \
# -v /opt/docker/psono/settings.yaml:/root/.psono_server/settings.yaml \
# -ti psono/psono-combo-enterprise:latest python3 psono/manage.py testsaml
#
# The number 1 in line 2 is the provider id. Users are matched by the constructed username.
#
# SAML_CONFIGURATIONS:
# 1:
# idp:
# entityId: "https://idp.exampple.com/metadata.php"
# singleLogoutService:
# binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# url: "https://idp.exampple.com/SingleLogoutService.php"
# singleSignOnService:
# binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# url: "https://idp.exampple.com/SingleSignOnService.php"
# x509cert: "ABC...=="
# groups_attribute: "groups"
# username_attribute: 'username'
# email_attribute: 'email'
# username_domain: 'example.com'
# required_group: []
# is_adfs: false
# honor_multifactors: true
# max_session_lifetime: 86400
# sp:
# NameIDFormat: "urn:oasis:names:tc:SAML:2.0:nameid-format:persistent"
# assertionConsumerService:
# binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-POST"
# attributeConsumingService:
# serviceName: "Psono"
# serviceDescription: "Psono password manager"
# requestedAttributes:
# -
# attributeValue: []
# friendlyName: ""
# isRequired: false
# name: "attribute-that-has-to-be-requested-explicitely"
# nameFormat: ""
# privateKey: "ABC...=="
# singleLogoutService:
# binding: "urn:oasis:names:tc:SAML:2.0:bindings:HTTP-Redirect"
# x509cert: "ABC...=="
# autoprovision_psono_folder: false
# autoprovision_psono_group: false
# strict: true
#
# You need a couple of urls to configure the IDP correctly. If the server is accessible under https://example.com/server
# (e.g. https://example.com/server/healthcheck/ shows some json output) and the provider id is 1 as in the example
# above the following urls are valid:
#
# for metadata : https://example.com/server/saml/1/metadata/
# for assertion consumer service : https://example.com/server/saml/1/acs/
# for single logout service : https://example.com/server/saml/1/sls/
#
#
# ATTENTION: API kays currently bypass SAML authentication, that means API keys can still access secrets even if the
# user was disabled in SAML. API keys can be disabled with COMPLIANCE_DISABLE_API_KEYS
# If you want to use OIDC, then you can configure it like this as a dictionary.
# OIDC_CONFIGURATIONS:
# 1:
# OIDC_RP_SIGN_ALGO: 'RS256'
# OIDC_RP_CLIENT_ID: 'whatever client id was provided'
# OIDC_RP_CLIENT_SECRET: 'whatever secret was provided'
# OIDC_OP_JWKS_ENDPOINT: 'https://example.com/jwks'
# OIDC_OP_AUTHORIZATION_ENDPOINT: 'https://example.com/authorize'
# OIDC_OP_TOKEN_ENDPOINT: 'https://example.com/token'
# OIDC_OP_USER_ENDPOINT: 'https://example.com/userinfo'
#
# Standard parameters explained:
# OIDC_RP_SIGN_ALGO defaults to HS256 and needs to match the algo of your IDP
# OIDC_RP_CLIENT_ID the client id that is provided by your IDP
# OIDC_RP_CLIENT_SECRET the secret that is provided by your IDP
# OIDC_OP_JWKS_ENDPOINT The JWKS endpoint of your IDP
# OIDC_OP_AUTHORIZATION_ENDPOINT The authorization endpoint of your IDP
# OIDC_OP_TOKEN_ENDPOINT The token endpoint of your IDP
#
# other parameters are:
# OIDC_VERIFY_JWT defaults to true, Controls whether Psono verifies the signature of the JWT tokens
# OIDC_USE_NONCE defaults to true, Controls whether Psono uses nonce verification
# OIDC_VERIFY_SSL defaults to true, Controls whether Psono verifies the SSL certificate of the IDP responses
# OIDC_TIMEOUT defaults to 10, Defines a timeout for all requests in seconds to the IDP (fetch JWS, retrieve JWT tokens, userinfo endpoint))
# OIDC_PROXY defaults to None, Defines a proxy for all requests to the IDP (fetch JWS, retrieve JWT tokens, Userinfo Endpoint). More infos can be found here https://requests.readthedocs.io/en/master/user/advanced/#proxies
# OIDC_RP_SCOPES defaults to 'openid email', The OpenID Connect scopes to request during login.
# OIDC_AUTH_REQUEST_EXTRA_PARAMS defaults to {}, Additional parameters to include in the initial authorization request.
# OIDC_RP_IDP_SIGN_KEY defaults to None, Sets the key the IDP uses to sign ID tokens in the case of an RSA sign algorithm. Should be the signing key in PEM or DER format.
# OIDC_ALLOW_UNSECURED_JWT defaults to False, Controls whether the Psono is going to allow unsecured JWT tokens (tokens with header {"alg":"none"}). This needs to be set to True if the IDP is returning unsecured JWT tokens and you want to accept them. See also https://tools.ietf.org/html/rfc7519#section-6
# OIDC_TOKEN_USE_BASIC_AUTH defaults to False, Use HTTP Basic Authentication instead of sending the client secret in token request POST body.
# Your Postgres Database credentials
# ATTENTION: If executed in a docker container, then "localhost" will resolve to the docker container, so
# "localhost" will not work as host. Use the public IP or DNS record of the server.
DATABASES:
default:
'ENGINE': 'django.db.backends.postgresql_psycopg2'
'NAME': $db_name
'USER': $db_user
'PASSWORD': $db_password
'HOST': $db_host
'PORT': $db_port
# The path to the template folder can be "shadowed" if required later
TEMPLATES: [
{
'BACKEND': 'django.template.backends.django.DjangoTemplates',
'DIRS': ['/root/psono/templates'],
'APP_DIRS': True,
'OPTIONS': {
'context_processors': [
'django.template.context_processors.debug',
'django.template.context_processors.request',
'django.contrib.auth.context_processors.auth',
'django.contrib.messages.context_processors.messages',
],
},
},
]

View File

@@ -0,0 +1,88 @@
apiVersion: v1
kind: Service
metadata:
name: psono
namespace: psono
spec:
clusterIP: None
selector:
app: psono
ports:
- name: http
port: 80
targetPort: 80
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: psono
namespace: psono
spec:
serviceName: psono
replicas: 1
selector:
matchLabels:
app: psono
template:
metadata:
labels:
app: psono
spec:
initContainers:
- name: envsubst
image: bhgedigital/envsubst:latest
command: ["sh", "-c", "envsubst < /tmp/settings-template/settings.yaml > /root/.psono_server/settings.yaml"]
envFrom:
- secretRef:
name: psono-secrets
volumeMounts:
- name: psono-settings-template
mountPath: /tmp/settings-template
- name: psono-settings-processed
mountPath: /root/.psono_server
- name: migrate
image: psono/psono-combo-enterprise:7.1.5-4.5.3-1.8.0
command: ["python3", "./psono/manage.py", "migrate"]
envFrom:
- secretRef:
name: psono-secrets
volumeMounts:
- name: psono-settings-processed
mountPath: /root/.psono_server
containers:
- name: psono
image: psono/psono-combo-enterprise:7.1.5-4.5.3-1.8.0
ports:
- name: http
containerPort: 80
envFrom:
- secretRef:
name: psono-secrets
volumeMounts:
- name: psono-settings-processed
mountPath: /root/.psono_server
- name: psono-data
mountPath: /var/log/psono
livenessProbe:
httpGet:
path: /server/healthcheck/
port: 80
initialDelaySeconds: 30
periodSeconds: 30
failureThreshold: 3
readinessProbe:
httpGet:
path: /server/healthcheck/
port: 80
initialDelaySeconds: 15
periodSeconds: 10
failureThreshold: 3
volumes:
- name: psono-settings-template
configMap:
name: psono-settings
- name: psono-settings-processed
emptyDir: {}
- name: psono-data
persistentVolumeClaim:
claimName: psono-data

View File

@@ -0,0 +1,46 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: vaultwarden-route
namespace: vaultwarden
spec:
parentRefs:
- group: gateway.networking.k8s.io
kind: Gateway
name: gateway-internal
namespace: envoy-gateway
sectionName: vaultwarden
hostnames:
- "vault.jsme.be"
rules:
- matches:
- path:
type: PathPrefix
value: /
filters:
- type: RequestHeaderModifier
requestHeaderModifier:
set:
- name: X-Forwarded-Host
value: "vault.jsme.be"
- name: X-Forwarded-Proto
value: https
- type: ResponseHeaderModifier
responseHeaderModifier:
set:
- name: Strict-Transport-Security
value: "max-age=31536000; includeSubDomains"
- name: X-Content-Type-Options
value: nosniff
- name: X-Frame-Options
value: SAMEORIGIN
- name: Referrer-Policy
value: strict-origin-when-cross-origin
- name: Permissions-Policy
value: "camera=(), microphone=(), geolocation=(), payment=()"
backendRefs:
- name: vaultwarden
port: 80
kind: Service
group: ""
weight: 1

View File

@@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: vaultwarden

View File

@@ -0,0 +1,12 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: vaultwarden-data
namespace: vaultwarden
spec:
accessModes:
- ReadWriteOnce
storageClassName: longhorn
resources:
requests:
storage: 5Gi

View File

@@ -0,0 +1,120 @@
apiVersion: v1
kind: Service
metadata:
name: vaultwarden
namespace: vaultwarden
spec:
selector:
app: vaultwarden
ports:
- name: http
port: 80
targetPort: 80
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: vaultwarden
namespace: vaultwarden
spec:
serviceName: vaultwarden
replicas: 1
selector:
matchLabels:
app: vaultwarden
template:
metadata:
labels:
app: vaultwarden
spec:
containers:
- name: vaultwarden
image: vaultwarden/server:1.35.6-alpine
ports:
- name: http
containerPort: 80
env:
- name: DOMAIN
value: "https://vault.jsme.be"
- name: SIGNUPS_ALLOWED
value: "false"
- name: ADMIN_TOKEN
valueFrom:
secretKeyRef:
name: vaultwarden-secrets
key: admin_token
- name: SMTP_HOST
valueFrom:
secretKeyRef:
name: vaultwarden-secrets
key: smtp_host
- name: SMTP_FROM
valueFrom:
secretKeyRef:
name: vaultwarden-secrets
key: smtp_from
- name: SMTP_PORT
valueFrom:
secretKeyRef:
name: vaultwarden-secrets
key: smtp_port
- name: SSO_ENABLED
value: "true"
- name: SSO_AUTHORITY
valueFrom:
secretKeyRef:
name: vaultwarden-secrets
key: sso_authority
- name: SSO_CLIENT_ID
valueFrom:
secretKeyRef:
name: vaultwarden-secrets
key: sso_client_id
- name: SSO_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: vaultwarden-secrets
key: sso_client_secret
- name: SSO_SCOPES
value: "email profile offline_access"
- name: SSO_ALLOW_UNKNOWN_EMAIL_VERIFICATION
value: "false"
- name: SSO_CLIENT_CACHE_EXPIRATION
value: "0"
- name: SSO_ONLY
value: "true"
- name: SSO_SIGNUPS_MATCH_EMAIL
value: "true"
- name: SMTP_SECURITY
value: "starttls"
- name: SMTP_USERNAME
valueFrom:
secretKeyRef:
name: vaultwarden-secrets
key: smtp_username
- name: SMTP_PASSWORD
valueFrom:
secretKeyRef:
name: vaultwarden-secrets
key: smtp_password
volumeMounts:
- name: vaultwarden-data
mountPath: /data
livenessProbe:
httpGet:
path: /alive
port: 80
initialDelaySeconds: 15
periodSeconds: 30
failureThreshold: 3
readinessProbe:
httpGet:
path: /alive
port: 80
initialDelaySeconds: 10
periodSeconds: 10
failureThreshold: 3
volumes:
- name: vaultwarden-data
persistentVolumeClaim:
claimName: vaultwarden-data