diff --git a/authentik/README.md b/authentik/README.md
index 1eaf170..c88535d 100644
--- a/authentik/README.md
+++ b/authentik/README.md
@@ -36,4 +36,10 @@ https://goauthentik.io
 - Enable **MFA (2FA)** for improved security
 - Important to configure:
 - external URL correctly
- - trusted proxies (when behind ingress)
\ No newline at end of file
+ - trusted proxies (when behind ingress)
+
+
+ #Improvements:
+ HA (2x Database + 2x Pods)
+ Force 2FA for Admin if external
+ sync LDAP Thumbnail Pictures
\ No newline at end of file
diff --git a/graphviz/graphviz.yaml b/graphviz/graphviz.yaml
new file mode 100644
index 0000000..ac102d1
--- /dev/null
+++ b/graphviz/graphviz.yaml
@@ -0,0 +1,84 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: graphviz
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: graphviz
+ namespace: graphviz
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: graphviz
+ template:
+ metadata:
+ labels:
+ app: graphviz
+ spec:
+ containers:
+ - name: graphviz
+ image: vaudience/graphviz-visual-editor:0.6.5
+ imagePullPolicy: IfNotPresent
+ ports:
+ - name: http
+ containerPort: 80
+ readinessProbe:
+ httpGet:
+ path: /
+ port: http
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ livenessProbe:
+ httpGet:
+ path: /
+ port: http
+ initialDelaySeconds: 15
+ periodSeconds: 20
+ resources:
+ requests:
+ cpu: 50m
+ memory: 128Mi
+ limits:
+ cpu: 500m
+ memory: 512Mi
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: graphviz
+ namespace: graphviz
+spec:
+ selector:
+ app: graphviz
+ ports:
+ - name: http
+ port: 80
+ targetPort: http
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: graphviz
+ namespace: graphviz
+ annotations:
+ kubernetes.io/ingress.class: nginx
+ cert-manager.io/cluster-issuer: letsencrypt
+spec:
+ tls:
+ - hosts:
+ - graphviz.apps.undercloud.dev
+ secretName: graphviz-tls
+ rules:
+ - host: graphviz.apps.undercloud.dev
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: graphviz
+ port:
+ number: 80
\ No newline at end of file
diff --git a/stirling/stirling.yaml b/stirling/stirling.yaml
new file mode 100644
index 0000000..32ec366
--- /dev/null
+++ b/stirling/stirling.yaml
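Review bot: The Ingress at the end of this hunk publishes graphviz.apps.undercloud.dev with TLS but nothing in front of it that authenticates callers, and the Deployment declares no securityContext, so the editor runs with whatever user and capabilities the image defaults to. Put an authentication layer in front of the host (for example the nginx `nginx.ingress.kubernetes.io/auth-url` / `auth-signin` annotations pointing at the authentik instance documented elsewhere in this repo) and add a container-level `securityContext` with `runAsNonRoot: true`, `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}`, adding `readOnlyRootFilesystem: true` if the image tolerates it; the stirling and wekan Deployments in this commit have the same omission. `kubernetes.io/ingress.class: nginx` is the deprecated annotation form and `spec.ingressClassName: nginx` is the supported replacement, again also in the stirling and wekan Ingresses.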
@@ -0,0 +1,198 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: stirling
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: stirling-configs
+ namespace: stirling
+spec:
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: cephfs-hyper
+ resources:
+ requests:
+ storage: 5Gi
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: stirling-customfiles
+ namespace: stirling
+spec:
+ accessModes:
+ - ReadWriteMany
+ storageClassName: cephfs-hyper
+ resources:
+ requests:
+ storage: 5Gi
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: stirling-logs
+ namespace: stirling
+spec:
+ accessModes:
+ - ReadWriteMany
+ storageClassName: cephfs-hyper
+ resources:
+ requests:
+ storage: 5Gi
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: stirling-tessdata
+ namespace: stirling
+spec:
+ accessModes:
+ - ReadWriteMany
+ storageClassName: cephfs-hyper
+ resources:
+ requests:
+ storage: 10Gi
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: stirling-pipeline
+ namespace: stirling
+spec:
+ accessModes:
+ - ReadWriteMany
+ storageClassName: cephfs-hyper
+ resources:
+ requests:
+ storage: 5Gi
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: stirling-pdf
+ namespace: stirling
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: stirling-pdf
+ template:
+ metadata:
+ labels:
+ app: stirling-pdf
+ spec:
+ containers:
+ - name: stirling-pdf
+ image: docker.stirlingpdf.com/stirlingtools/stirling-pdf:latest
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 8080
+ name: http
+ env:
+ - name: SECURITY_ENABLELOGIN
+ value: "true"
+ - name: SECURITY_INITIALLOGIN_USERNAME
+ value: "admin"
+ - name: SECURITY_INITIALLOGIN_PASSWORD
+ value: "change-me-now"
+ - name: LANGS
+ value: "en_GB,de_DE,fr_FR"
+ - name: SYSTEM_DEFAULTLOCALE
+ value: "en-GB"
+ - name: SYSTEM_GOOGLEVISIBILITY
+ value: "false"
+ - name: SYSTEM_ROOTURIPATH
+ value: "/"
+ - name: SYSTEM_MAXFILESIZE
+ value: "2000"
+ - name: SYSTEM_CUSTOMSTATICFILEPATH
+ value: "/customFiles/static/"
+ volumeMounts:
+ - name: configs
+ mountPath: /configs
+ - name: customfiles
+ mountPath: /customFiles
+ - name: logs
+ mountPath: /logs
+ - name: tessdata
+ mountPath: /usr/share/tessdata
+ - name: pipeline
+ mountPath: /pipeline
+ readinessProbe:
+ httpGet:
+ path: /
+ port: 8080
+ initialDelaySeconds: 20
+ periodSeconds: 10
+ timeoutSeconds: 5
+ livenessProbe:
+ httpGet:
+ path: /
+ port: 8080
+ initialDelaySeconds: 60
+ periodSeconds: 20
+ timeoutSeconds: 5
+ resources:
+ requests:
+ cpu: "500m"
+ memory: "1Gi"
+ limits:
+ cpu: "2"
+ memory: "4Gi"
+ volumes:
+ - name: configs
+ persistentVolumeClaim:
+ claimName: stirling-configs
+ - name: customfiles
+ persistentVolumeClaim:
+ claimName: stirling-customfiles
+ - name: logs
+ persistentVolumeClaim:
+ claimName: stirling-logs
+ - name: tessdata
+ persistentVolumeClaim:
+ claimName: stirling-tessdata
+ - name: pipeline
+ persistentVolumeClaim:
+ claimName: stirling-pipeline
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: stirling-pdf
+ namespace: stirling
+spec:
+ selector:
+ app: stirling-pdf
+ ports:
+ - name: http
+ port: 8080
+ targetPort: 8080
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: stirling-pdf
+ namespace: stirling
+ annotations:
+ kubernetes.io/ingress.class: nginx
+ cert-manager.io/cluster-issuer: letsencrypt
+ nginx.ingress.kubernetes.io/proxy-body-size: "2000m"
+spec:
+ tls:
+ - hosts:
+ - pdf.apps.undercloud.dev
+ secretName: stirling-pdf-tls
+ rules:
+ - host: pdf.apps.undercloud.dev
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: stirling-pdf
+ port:
+ number: 8080
\ No newline at end of file
diff --git a/wekan/wekan.yaml b/wekan/wekan.yaml
new file mode 100644
index 0000000..e5d5e63
--- /dev/null
+++ b/wekan/wekan.yaml
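Review bot: The admin credential is committed in clear text: `SECURITY_INITIALLOGIN_PASSWORD` is set with a literal `value: "change-me-now"` while `SECURITY_ENABLELOGIN` is `"true"`, so the login that guards pdf.apps.undercloud.dev is a default password readable by anyone with repository access. Move the initial username and password into a Secret and reference them with `secretKeyRef`, as the wekan manifest in this same commit already does for `MONGO_URL`; the Secret itself should be created out-of-band rather than committed. Separately, `image: docker.stirlingpdf.com/stirlingtools/stirling-pdf:latest` combined with `imagePullPolicy: IfNotPresent` means each node keeps whichever `latest` it first pulled, so pods on different nodes can run different builds and a restart does not pick up fixes; pin a version tag or digest.
```yaml
          - name: SECURITY_INITIALLOGIN_USERNAME
            valueFrom:
              secretKeyRef:
                name: stirling-secrets  # placeholder: Secret is not part of this commit
                key: SECURITY_INITIALLOGIN_USERNAME
          - name: SECURITY_INITIALLOGIN_PASSWORD
            valueFrom:
              secretKeyRef:
                name: stirling-secrets  # placeholder: Secret is not part of this commit
                key: SECURITY_INITIALLOGIN_PASSWORD
          # … unchanged: LANGS and SYSTEM_* env entries, volumeMounts, probes, resources …
```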
@@ -0,0 +1,177 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: wekan
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: wekan-secrets
+ namespace: wekan
+type: Opaque
+stringData:
+ MONGO_INITDB_ROOT_USERNAME: wekan
+ MONGO_INITDB_ROOT_PASSWORD: change-me-now
+ MONGO_URL: mongodb://wekan:change-me-now@mongodb.wekan.svc.k8s.undercloud.local:27017/wekan?authSource=admin
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: mongodb-data
+ namespace: wekan
+spec:
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: cephfs-hyper
+ resources:
+ requests:
+ storage: 10Gi
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: mongodb
+ namespace: wekan
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: mongodb
+ template:
+ metadata:
+ labels:
+ app: mongodb
+ spec:
+ containers:
+ - name: mongodb
+ image: mongo:7
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 27017
+ name: mongo
+ env:
+ - name: MONGO_INITDB_ROOT_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: wekan-secrets
+ key: MONGO_INITDB_ROOT_USERNAME
+ - name: MONGO_INITDB_ROOT_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: wekan-secrets
+ key: MONGO_INITDB_ROOT_PASSWORD
+ volumeMounts:
+ - name: mongodb-data
+ mountPath: /data/db
+ readinessProbe:
+ tcpSocket:
+ port: 27017
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ livenessProbe:
+ tcpSocket:
+ port: 27017
+ initialDelaySeconds: 30
+ periodSeconds: 20
+ volumes:
+ - name: mongodb-data
+ persistentVolumeClaim:
+ claimName: mongodb-data
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: mongodb
+ namespace: wekan
+spec:
+ selector:
+ app: mongodb
+ ports:
+ - name: mongo
+ port: 27017
+ targetPort: 27017
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: wekan
+ namespace: wekan
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: wekan
+ template:
+ metadata:
+ labels:
+ app: wekan
+ spec:
+ containers:
+ - name: wekan
+ image: ghcr.io/wekan/wekan:latest
+ imagePullPolicy: IfNotPresent
+ ports:
+ - containerPort: 8080
+ name: http
+ env:
+ - name: ROOT_URL
+ value: "https://wekan.apps.undercloud.dev"
+ - name: PORT
+ value: "8080"
+ - name: WITH_API
+ value: "true"
+ - name: MONGO_URL
+ valueFrom:
+ secretKeyRef:
+ name: wekan-secrets
+ key: MONGO_URL
+ readinessProbe:
+ httpGet:
+ path: /
+ port: 8080
+ initialDelaySeconds: 20
+ periodSeconds: 10
+ livenessProbe:
+ httpGet:
+ path: /
+ port: 8080
+ initialDelaySeconds: 60
+ periodSeconds: 20
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: wekan
+ namespace: wekan
+spec:
+ selector:
+ app: wekan
+ ports:
+ - name: http
+ port: 80
+ targetPort: 8080
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: wekan
+ namespace: wekan
+ annotations:
+ kubernetes.io/ingress.class: nginx
+ cert-manager.io/cluster-issuer: letsencrypt
+spec:
+ tls:
+ - hosts:
+ - wekan.apps.undercloud.dev
+ secretName: wekan-tls
+ rules:
+ - host: wekan.apps.undercloud.dev
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: wekan
+ port:
+ number: 80
\ No newline at end of file
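Review bot: The Secret at the top of this hunk ships the MongoDB root password in `stringData` as the literal `change-me-now`, and the same password is embedded a second time inside `MONGO_URL`, so committing this file both publishes the credential and leaves two copies that must be rotated together. Keep the Secret out of the repository (sealed-secrets, external-secrets, or an SOPS-encrypted manifest) and generate `MONGO_URL` from the same stored password at deploy time so a rotation changes one value. The `mongodb` Service is reachable from every namespace because no NetworkPolicy limits it to the `wekan` pods, which turns a default password into a cluster-wide exposure; a policy allowing ingress on 27017 only from `app: wekan` in this namespace closes that. `ghcr.io/wekan/wekan:latest` with `imagePullPolicy: IfNotPresent` has the same per-node drift problem as the stirling image and should be pinned to a tag or digest.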