chaos/docker-images
2
1
Fork 0
Code Issues 1 Pull Requests Projects Releases 1 Wiki Activity

merged
All checks were successful
continuous-integration/drone/push Build is passing
Details

Browse Source
This commit is contained in:
Udo Waechter
2024-04-21 17:02:48 +02:00
parent 7da16def78
commit 4b2f5d8c9f
67 changed files with 7 additions and 176 deletions
Download Patch File Download Diff File Expand all files Collapse all files

37
_apps/almond-cloud/Dockerfile Normal file
View File

@@ -0,0 +1,37 @@
FROM debian:stable
ENV DEBIAN_FRONTEND noninteractive
ARG DEVPKGS="git make cmake gcc g++ python-dev libsqlcipher-dev"
RUN sed -i 's@deb.debian.org@apt-cache.lan/deb.debian.org@g' /etc/apt/sources.list && \
sed -i 's@security.debian.org@apt-cache.lan/security.debian.org@g' /etc/apt/sources.list && \
apt-get update && \
apt-get -y install ${DEVPKGS} python3-pip python3-torch python3-dateutil python3-filelock python3-tqdm python3-pyparsing python3-joblib \
python3-portalocker python3-click python3-packaging python3-regex python3-docopt python3-systemd \
libsystemd-dev graphicsmagick zip unzip bubblewrap sqlcipher gettext nodejs npm && \
pip3 install tensorboardX && \
pip3 install 'git+https://github.com/stanford-oval/genienlp@0969c6ea74376b20982c0c8bea9a4732547b15cb#egg=genienlp' && \
git clone --depth=1 --branch v1.99.0 https://github.com/stanford-oval/almond-cloud.git /opt/almond-cloud
#setup
RUN useradd -ms /bin/bash -r almond-cloud && id almond-cloud
WORKDIR /opt/almond-cloud/
RUN chown -R almond-cloud:almond-cloud /opt/almond-cloud && \
echo "build_from_source = true" > ~almond-cloud/.npmrc && \
echo "sqlite = external" >> ~almond-cloud/.npmrc && \
echo "sqlite_libname = sqlcipher" >> ~almond-cloud/.npmrc && \
echo "======== package.json ============="; cat package.json && \
su almond-cloud -c 'CPLUS_INCLUDE_PATH=/usr/include/sqlcipher npm install' && \
chown -R root:root /opt/almond-cloud
COPY --chown=almond-cloud:almond-cloud start.sh /opt/almond-cloud/
# CLeanup
RUN apt-get remove -y --purge ${DEVPKGS} && \
apt-get autoremove --purge -y && \
apt-get clean -y && \
rm -rf /var/lib/apt/lists/* && \
rm -rf /var/cache/apt/* /tmp/* /var/tmp/* /var/log/* /root/.cache
USER almond-cloud
WORKDIR /home/almond-cloud
ENTRYPOINT ["/opt/almond-cloud/start.sh"]

67
_apps/almond-cloud/deployment.yaml Normal file
View File

@@ -0,0 +1,67 @@
---
apiVersion: apps/v1 # for versions before 1.9.0 use apps/v1beta2
kind: Deployment
metadata:
name: almond-cloud
spec:
selector:
matchLabels:
app: almond-cloud
strategy:
type: Recreate
template:
metadata:
labels:
app: almond-cloud
spec:
containers:
- image: cr.lan/almond-cloud
name: almond-cloud
imagePullPolicy: Always
ports:
- containerPort: 80
name: http
volumeMounts:
- name: almond-cloud-data
mountPath: /home/almond-cloud
volumes:
- name: almond-cloud-data
persistentVolumeClaim:
claimName: almond-cloud-data
---
apiVersion: v1
kind: Service
metadata:
name: almond-cloud
spec:
ports:
- name: http
port: 3000
selector:
app: almond-cloud
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: almond-cloud
spec:
rules:
- host: almond.lan
http:
paths:
- backend:
serviceName: almond-cloud
servicePort: http
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: almond-cloud-data
spec:
storageClassName: nfs-ssd-ebin01
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 6Gi

3
_apps/almond-cloud/start.sh Executable file
View File

@@ -0,0 +1,3 @@
#!/bin/bash
NODE_MAX_OLD_SPACE_SIZE=${NODE_MAX_OLD_SPACE_SIZE:-500}
exec node --max_old_space_size=${NODE_MAX_OLD_SPACE_SIZE} /opt/almond-cloud/main.js "$@"

77
_apps/almond-cloud/tekton-image-build.yaml Normal file
View File

@@ -0,0 +1,77 @@
apiVersion: tekton.dev/v1alpha1
kind: PipelineResource
metadata:
name: chaos-kubernetes-git
spec:
type: git
params:
- name: revision
value: master
- name: url
value: http://git-ui.lan/chaos/kubernetes.git
- name: submodules
value: "false"
---
apiVersion: tekton.dev/v1alpha1
kind: PipelineResource
metadata:
name: img-almond-cloud
spec:
type: image
params:
- name: url
value: cr.lan/almond-cloud
---
apiVersion: tekton.dev/v1beta1
kind: Task
metadata:
name: build-almond-cloud
spec:
params:
- name: pathToDockerFile
type: string
default: $(resources.inputs.source.path)/apps/almond-cloud/Dockerfile
- name: pathToContext
type: string
default: $(resources.inputs.source.path)/apps/almond-cloud
resources:
inputs:
- name: source
type: git
outputs:
- name: builtImage
type: image
steps:
- name: build-and-push
image: gcr.io/kaniko-project/executor:arm64
command:
- /kaniko/executor
args:
- --dockerfile=$(params.pathToDockerFile)
- --destination=$(resources.outputs.builtImage.url)
- --context=$(params.pathToContext)
- --snapshotMode=redo
- --skip-tls-verify
---
apiVersion: tekton.dev/v1beta1
kind: TaskRun
metadata:
name: img-almond-cloud-taskrun
spec:
#serviceAccountName: dockerhub-service
taskRef:
name: build-almond-cloud
params:
- name: pathToDockerFile
value: Dockerfile
resources:
inputs:
- name: source
resourceRef:
name: chaos-kubernetes-git
outputs:
- name: builtImage
resourceRef:
name: img-almond-cloud

12
_apps/apt-cacher-ng/Dockerfile Normal file
View File

@@ -0,0 +1,12 @@
FROM cr.wks/debian-stable
RUN apt-get update && apt-get install -y \
apt-cacher-ng && \
apt-get clean -y && \
rm -rf /var/lib/apt/lists/* && \
rm -rf /var/cache/apt/*
RUN echo 'PassThroughPattern: .*' >> /etc/apt-cacher-ng/acng.conf
EXPOSE 3142
CMD /usr/sbin/apt-cacher-ng -c /etc/apt-cacher-ng pidfile=/var/run/apt-cacher-ng/pid SocketPath=/var/run/apt-cacher-ng/socket foreground=1

105
_apps/apt-cacher-ng/live-deployment.yaml Normal file
View File

@@ -0,0 +1,105 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: apt-cacher-ng
labels:
app: apt-cacher-ng
spec:
replicas: 1
selector:
matchLabels:
app: apt-cacher-ng
strategy:
type: Recreate
template:
metadata:
labels:
app: apt-cacher-ng
spec:
containers:
- name: apt-cacher-ng
image: cr.lan/apt-cacher-ng:latest
ports:
- containerPort: 3142
protocol: TCP
volumeMounts:
- mountPath: /var/cache/apt-cacher-ng
name: data
resources:
requests:
memory: "64Mi"
cpu: "50m"
limits:
memory: "192Mi"
cpu: "100m"
volumes:
- name: data
persistentVolumeClaim:
claimName: apt-cacher-volume
---
apiVersion: v1
kind: Service
metadata:
name: apt-cacher-ng
labels:
app: apt-cacher-ng
spec:
ports:
- name: apt-cacher-ng
port: 3142
targetPort: 3142
protocol: TCP
selector:
app: apt-cacher-ng
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: apt-cacher-ng
annotations:
kubernetes.io/ingress.class: nginx
spec:
rules:
- host: apt-cache.lan
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: apt-cacher-ng
port:
number: 3142
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: apt-cacher-volume
spec:
storageClassName: nfs-ssd-ebin02
volumeName: apt-cacher-ng
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 40Gi
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: apt-cacher-ng
spec:
storageClassName: "nfs-ssd-ebin02"
nfs:
path: /data/raid1-ssd/k8s-data/apt-cacher-ng
server: ebin02
capacity:
storage: 40Gi
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
persistentVolumeReclaimPolicy: Retain
claimRef:
kind: PersistentVolumeClaim
name: apt-cacher-volume
namespace: live-infra

3
_apps/authelia/README.md Normal file
View File

@@ -0,0 +1,3 @@
### Apply new config
$ kubectl -n live-infra create configmap authelia-config --from-file=configMaps/ -o yaml --dry-run |kubectl apply -f -

678
_apps/authelia/configMaps/configuration.yml Normal file
View File

@@ -0,0 +1,678 @@
# yamllint disable rule:comments-indentation
---
###############################################################################
# Authelia Configuration #
###############################################################################
## Certificates directory specifies where Authelia will load trusted certificates (public portion) from in addition to
## the system certificates store.
## They should be in base64 format, and have one of the following extensions: *.cer, *.crt, *.pem.
certificates_directory: /etc/pki/chain
## The theme to display: light, dark, grey, auto.
theme: dark
## The secret used to generate JWT tokens when validating user identity by email confirmation. JWT Secret can also be
## set using a secret: https://www.authelia.com/docs/configuration/secrets.html
jwt_secret: hAnFzapSCusyF2W83JAg6PRqc6v7iQvN7sP3PQ70HAbPBshJzAMz
## Default redirection URL
##
## If user tries to authenticate without any referer, Authelia does not know where to redirect the user to at the end
## of the authentication process. This parameter allows you to specify the default redirection URL Authelia will use
## in such a case.
##
## Note: this parameter is optional. If not provided, user won't be redirected upon successful authentication.
default_redirection_url: http://nc.lan
##
## Server Configuration
##
server:
## The address to listen on.
host: 0.0.0.0
## The port to listen on.
port: 9091
## Set the single level path Authelia listens on.
## Must be alphanumeric chars and should not contain any slashes.
path: ""
## Buffers usually should be configured to be the same value.
## Explanation at https://www.authelia.com/docs/configuration/server.html
## Read buffer size adjusts the server's max incoming request size in bytes.
## Write buffer size does the same for outgoing responses.
read_buffer_size: 4096
write_buffer_size: 4096
## Enables the pprof endpoint.
enable_pprof: false
## Enables the expvars endpoint.
enable_expvars: false
## Disables writing the health check vars to /app/.healthcheck.env which makes healthcheck.sh return exit code 0.
## This is disabled by default if either /app/.healthcheck.env or /app/healthcheck.sh do not exist.
disable_healthcheck: false
## Authelia by default doesn't accept TLS communication on the server port. This section overrides this behaviour.
tls:
## The path to the DER base64/PEM format private key.
#key: "/etc/pki/private.key"
key: ""
## The path to the DER base64/PEM format public certificate.
#certificate: "/etc/pki/auth.lan.crt"
certificate : ""
##
## Log Configuration
##
log:
## Level of verbosity for logs: info, debug, trace.
level: debug
## Format the logs are written as: json, text.
format: text
## File path where the logs will be written. If not set logs are written to stdout.
file_path: "" #/config-nfs/authelia.log
## Whether to also log to stdout when a log_file_path is defined.
# keep_stdout: false
##
## TOTP Configuration
##
## Parameters used for TOTP generation.
totp:
## The issuer name displayed in the Authenticator application of your choice
## See: https://github.com/google/google-authenticator/wiki/Key-Uri-Format for more info on issuer names
issuer: auth.lan
## The period in seconds a one-time password is current for. Changing this will require all users to register
## their TOTP applications again. Warning: before changing period read the docs link below.
period: 30
## The skew controls number of one-time passwords either side of the current one that are valid.
## Warning: before changing skew read the docs link below.
skew: 1
## See: https://www.authelia.com/docs/configuration/one-time-password.html#period-and-skew to read the documentation.
##
## Duo Push API Configuration
##
## Parameters used to contact the Duo API. Those are generated when you protect an application of type
## "Partner Auth API" in the management panel.
duo_api:
hostname: api.auth.lan
integration_key: AUTHELIA
## Secret can also be set using a secret: https://www.authelia.com/docs/configuration/secrets.html
secret_key: 8Jp5e822KP
##
## Authentication Backend Provider Configuration
##
## Used for verifying user passwords and retrieve information such as email address and groups users belong to.
##
## The available providers are: `file`, `ldap`. You must use only one of these providers.
authentication_backend:
## Disable both the HTML element and the API for reset password functionality.
disable_reset_password: false
## The amount of time to wait before we refresh data from the authentication backend. Uses duration notation.
## To disable this feature set it to 'disable', this will slightly reduce security because for Authelia, users will
## always belong to groups they belonged to at the time of login even if they have been removed from them in LDAP.
## To force update on every request you can set this to '0' or 'always', this will increase processor demand.
## See the below documentation for more information.
## Duration Notation docs: https://www.authelia.com/docs/configuration/index.html#duration-notation-format
## Refresh Interval docs: https://www.authelia.com/docs/configuration/authentication/ldap.html#refresh-interval
refresh_interval: 5m
##
## LDAP (Authentication Provider)
##
## This is the recommended Authentication Provider in production
## because it allows Authelia to offload the stateful operations
## onto the LDAP service.
# ldap:
# ## The LDAP implementation, this affects elements like the attribute utilised for resetting a password.
# ## Acceptable options are as follows:
# ## - 'activedirectory' - For Microsoft Active Directory.
# ## - 'custom' - For custom specifications of attributes and filters.
# ## This currently defaults to 'custom' to maintain existing behaviour.
# ##
# ## Depending on the option here certain other values in this section have a default value, notably all of the
# ## attribute mappings have a default value that this config overrides, you can read more about these default values
# ## at https://www.authelia.com/docs/configuration/authentication/ldap.html#defaults
# implementation: custom
#
# ## The url to the ldap server. Format: <scheme>://<address>[:<port>].
# ## Scheme can be ldap or ldaps in the format (port optional).
# url: ldap://127.0.0.1
#
# ## The dial timeout for LDAP.
# timeout: 5s
#
# ## Use StartTLS with the LDAP connection.
# start_tls: false
#
# tls:
# ## Server Name for certificate validation (in case it's not set correctly in the URL).
# # server_name: ldap.example.com
#
# ## Skip verifying the server certificate (to allow a self-signed certificate).
# ## In preference to setting this we strongly recommend you add the public portion of the certificate to the
# ## certificates directory which is defined by the `certificates_directory` option at the top of the config.
# skip_verify: false
#
# ## Minimum TLS version for either Secure LDAP or LDAP StartTLS.
# minimum_version: TLS1.2
#
# ## The distinguished name of the container searched for objects in the directory information tree.
# ## See also: additional_users_dn, additional_groups_dn.
# base_dn: dc=example,dc=com
#
# ## The attribute holding the username of the user. This attribute is used to populate the username in the session
# ## information. It was introduced due to #561 to handle case insensitive search queries. For you information,
# ## Microsoft Active Directory usually uses 'sAMAccountName' and OpenLDAP usually uses 'uid'. Beware that this
# ## attribute holds the unique identifiers for the users binding the user and the configuration stored in database.
# ## Therefore only single value attributes are allowed and the value must never be changed once attributed to a user
# ## otherwise it would break the configuration for that user. Technically, non-unique attributes like 'mail' can also
# ## be used but we don't recommend using them, we instead advise to use the attributes mentioned above
# ## (sAMAccountName and uid) to follow https://www.ietf.org/rfc/rfc2307.txt.
# # username_attribute: uid
#
# ## The additional_users_dn is prefixed to base_dn and delimited by a comma when searching for users.
# ## i.e. with this set to OU=Users and base_dn set to DC=a,DC=com; OU=Users,DC=a,DC=com is searched for users.
# additional_users_dn: ou=users
#
# ## The users filter used in search queries to find the user profile based on input filled in login form.
# ## Various placeholders are available in the user filter which you can read about in the documentation which can
# ## be found at: https://www.authelia.com/docs/configuration/authentication/ldap.html#users-filter-replacements
# ##
# ## Recommended settings are as follows:
# ## - Microsoft Active Directory: (&({username_attribute}={input})(objectCategory=person)(objectClass=user))
# ## - OpenLDAP:
# ## - (&({username_attribute}={input})(objectClass=person))
# ## - (&({username_attribute}={input})(objectClass=inetOrgPerson))
# ##
# ## To allow sign in both with username and email, one can use a filter like
# ## (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
# users_filter: (&({username_attribute}={input})(objectClass=person))
#
# ## The additional_groups_dn is prefixed to base_dn and delimited by a comma when searching for groups.
# ## i.e. with this set to OU=Groups and base_dn set to DC=a,DC=com; OU=Groups,DC=a,DC=com is searched for groups.
# additional_groups_dn: ou=groups
#
# ## The groups filter used in search queries to find the groups based on relevant authenticated user.
# ## Various placeholders are available in the groups filter which you can read about in the documentation which can
# ## be found at: https://www.authelia.com/docs/configuration/authentication/ldap.html#groups-filter-replacements
# ##
# ## If your groups use the `groupOfUniqueNames` structure use this instead:
# ## (&(uniqueMember={dn})(objectClass=groupOfUniqueNames))
# groups_filter: (&(member={dn})(objectClass=groupOfNames))
#
# ## The attribute holding the name of the group.
# # group_name_attribute: cn
#
# ## The attribute holding the mail address of the user. If multiple email addresses are defined for a user, only the
# ## first one returned by the LDAP server is used.
# # mail_attribute: mail
#
# ## The attribute holding the display name of the user. This will be used to greet an authenticated user.
# # display_name_attribute: displayName
#
# ## The username and password of the admin user.
# user: cn=admin,dc=example,dc=com
# ## Password can also be set using a secret: https://www.authelia.com/docs/configuration/secrets.html
# password: password
#
##
## File (Authentication Provider)
##
## With this backend, the users database is stored in a file which is updated when users reset their passwords.
## Therefore, this backend is meant to be used in a dev environment and not in production since it prevents Authelia
## to be scaled to more than one instance. The options under 'password' have sane defaults, and as it has security
## implications it is highly recommended you leave the default values. Before considering changing these settings
## please read the docs page below:
## https://www.authelia.com/docs/configuration/authentication/file.html#password-hash-algorithm-tuning
##
## Important: Kubernetes (or HA) users must read https://www.authelia.com/docs/features/statelessness.html
##
file:
path: /config-nfs/users_database.yml
password:
algorithm: sha512
salt_length: 16
#algorithm: argon2id
#iterations: 1
#key_length: 32
#memory: 32
#parallelism: 4
##
## Access Control Configuration
##
## Access control is a list of rules defining the authorizations applied for one resource to users or group of users.
##
## If 'access_control' is not defined, ACL rules are disabled and the 'bypass' rule is applied, i.e., access is allowed
## to anyone. Otherwise restrictions follow the rules defined.
##
## Note: One can use the wildcard * to match any subdomain.
## It must stand at the beginning of the pattern. (example: *.mydomain.com)
##
## Note: You must put patterns containing wildcards between simple quotes for the YAML to be syntactically correct.
##
## Definition: A 'rule' is an object with the following keys: 'domain', 'subject', 'policy' and 'resources'.
##
## - 'domain' defines which domain or set of domains the rule applies to.
##
## - 'subject' defines the subject to apply authorizations to. This parameter is optional and matching any user if not
## provided. If provided, the parameter represents either a user or a group. It should be of the form
## 'user:<username>' or 'group:<groupname>'.
##
## - 'policy' is the policy to apply to resources. It must be either 'bypass', 'one_factor', 'two_factor' or 'deny'.
##
## - 'resources' is a list of regular expressions that matches a set of resources to apply the policy to. This parameter
## is optional and matches any resource if not provided.
##
## Note: the order of the rules is important. The first policy matching (domain, resource, subject) applies.
access_control:
## Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'. It is the policy applied to any
## resource if there is no policy to be applied to the user.
default_policy: deny
networks:
- name: internal
networks:
- 10.10.0.0/16
- 172.23.0.0/16
- 172.16.23.0/24
- 192.168.10.0/24
- name: VPN
networks: 10.14.0.0/27
rules:
## Rules applied to everyone
- domain: public.auth.lan
policy: bypass
- domain: secure.auth.lan
policy: one_factor
## Network based rule, if not provided any network matches.
networks:
- internal
- VPN
- domain:
- secure.auth.lan
- private.auth.lan
policy: two_factor
- domain: singlefactor.auth.lan
policy: one_factor
## Rules applied to 'admins' group
- domain: "mx2.mail.example.com"
subject: "group:admins"
policy: deny
- domain: "*.auth.lan"
subject:
- "group:admins"
- "group:moderators"
policy: two_factor
## Rules applied to 'dev' group
- domain: dev.auth.lan
resources:
- "^/groups/dev/.*$"
subject: "group:dev"
policy: two_factor
## Rules applied to user 'john'
- domain: dev.auth.lan
resources:
- "^/users/john/.*$"
subject: "user:john"
policy: two_factor
## Rules applied to user 'harry'
- domain: dev.auth.lan
resources:
- "^/users/harry/.*$"
subject: "user:harry"
policy: two_factor
## Rules applied to user 'bob'
- domain: "*.mail.auth.lan"
subject: "user:bob"
policy: two_factor
- domain: "dev.auth.lan"
resources:
- "^/users/bob/.*$"
subject: "user:bob"
policy: two_factor
##
## Session Provider Configuration
##
## The session cookies identify the user once logged in.
## The available providers are: `memory`, `redis`. Memory is the provider unless redis is defined.
session:
## The name of the session cookie.
name: authelia_session
## The domain to protect.
## Note: the authenticator must also be in that domain.
## If empty, the cookie is restricted to the subdomain of the issuer.
domain: lan
## Sets the Cookie SameSite value. Possible options are none, lax, or strict.
## Please read https://www.authelia.com/docs/configuration/session.html#same_site
same_site: lax
## The secret to encrypt the session data. This is only used with Redis / Redis Sentinel.
## Secret can also be set using a secret: https://www.authelia.com/docs/configuration/secrets.html
secret: insecure_session_secret
## The value for expiration, inactivity, and remember_me_duration are in seconds or the duration notation format.
## See: https://www.authelia.com/docs/configuration/index.html#duration-notation-format
## All three of these values affect the cookie/session validity period. Longer periods are considered less secure
## because a stolen cookie will last longer giving attackers more time to spy or attack.
## The time before the cookie expires and the session is destroyed if remember me IS NOT selected.
expiration: 1h
## The inactivity time before the session is reset. If expiration is set to 1h, and this is set to 5m, if the user
## does not select the remember me option their session will get destroyed after 1h, or after 5m since the last time
## Authelia detected user activity.
inactivity: 5m
## The time before the cookie expires and the session is destroyed if remember me IS selected.
## Value of 0 disables remember me.
remember_me_duration: 1M
##
## Redis Provider
##
## Important: Kubernetes (or HA) users must read https://www.authelia.com/docs/features/statelessness.html
##
#redis:
# host: 127.0.0.1
# port: 6379
# ## Use a unix socket instead
# # host: /var/run/redis/redis.sock
#
# ## Username used for redis authentication. This is optional and a new feature in redis 6.0.
# # username: authelia
#
# ## Password can also be set using a secret: https://www.authelia.com/docs/configuration/secrets.html
# password: authelia
#
# ## This is the Redis DB Index https://redis.io/commands/select (sometimes referred to as database number, DB, etc).
# database_index: 0
#
# ## The maximum number of concurrent active connections to Redis.
# maximum_active_connections: 8
#
# ## The target number of idle connections to have open ready for work. Useful when opening connections is slow.
# minimum_idle_connections: 0
#
# ## The Redis TLS configuration. If defined will require a TLS connection to the Redis instance(s).
# # tls:
# ## Server Name for certificate validation (in case you are using the IP or non-FQDN in the host option).
# # server_name: myredis.example.com
#
# ## Skip verifying the server certificate (to allow a self-signed certificate).
# ## In preference to setting this we strongly recommend you add the public portion of the certificate to the
# ## certificates directory which is defined by the `certificates_directory` option at the top of the config.
# # skip_verify: false
#
# ## Minimum TLS version for the connection.
# # minimum_version: TLS1.2
#
# ## The Redis HA configuration options.
# ## This provides specific options to Redis Sentinel, sentinel_name must be defined (Master Name).
# # high_availability:
# ## Sentinel Name / Master Name.
# # sentinel_name: mysentinel
#
# ## Specific password for Redis Sentinel. The node username and password is configured above.
# # sentinel_password: sentinel_specific_pass
#
# ## The additional nodes to pre-seed the redis provider with (for sentinel).
# ## If the host in the above section is defined, it will be combined with this list to connect to sentinel.
# ## For high availability to be used you must have either defined; the host above or at least one node below.
# # nodes:
# # - host: sentinel-node1
# # port: 6379
# # - host: sentinel-node2
# # port: 6379
#
# ## Choose the host with the lowest latency.
# # route_by_latency: false
#
# ## Choose the host randomly.
# # route_randomly: false
##
## Regulation Configuration
##
## This mechanism prevents attackers from brute forcing the first factor. It bans the user if too many attempts are made
## in a short period of time.
regulation:
## The number of failed login attempts before user is banned. Set it to 0 to disable regulation.
max_retries: 3
## The time range during which the user can attempt login before being banned. The user is banned if the
## authentication failed 'max_retries' times in a 'find_time' seconds window. Find Time accepts duration notation.
## See: https://www.authelia.com/docs/configuration/index.html#duration-notation-format
find_time: 2m
## The length of time before a banned user can login again. Ban Time accepts duration notation.
## See: https://www.authelia.com/docs/configuration/index.html#duration-notation-format
ban_time: 5m
##
## Storage Provider Configuration
##
## The available providers are: `local`, `mysql`, `postgres`. You must use one and only one of these providers.
storage:
##
## Local (Storage Provider)
##
## This stores the data in a SQLite3 Database.
## This is only recommended for lightweight non-stateful installations.
##
## Important: Kubernetes (or HA) users must read https://www.authelia.com/docs/features/statelessness.html
##
# local:
# path: /config/db.sqlite3
##
## MySQL / MariaDB (Storage Provider)
##
#mysql:
# host: 127.0.0.1
# port: 3306
# database: authelia
# username: authelia
# ## Password can also be set using a secret: https://www.authelia.com/docs/configuration/secrets.html
# password: mypassword
# timeout: 5s
#
##
## PostgreSQL (Storage Provider)
##
postgres:
host: postgres.live-env.svc.cluster.local
port: 5432
database: authelia
username: authelia
## Password can also be set using a secret: https://www.authelia.com/docs/configuration/secrets.html
password: auth2021
timeout: 5s
sslmode: disable
##
## Notification Provider
##
## Notifications are sent to users when they require a password reset, a U2F registration or a TOTP registration.
## The available providers are: filesystem, smtp. You must use only one of these providers.
notifier:
## You can disable the notifier startup check by setting this to true.
disable_startup_check: false
##
## File System (Notification Provider)
##
## Important: Kubernetes (or HA) users must read https://www.authelia.com/docs/features/statelessness.html
##
filesystem:
filename: /config-nfs/notification.txt
##
## SMTP (Notification Provider)
##
## Use a SMTP server for sending notifications. Authelia uses the PLAIN or LOGIN methods to authenticate.
## [Security] By default Authelia will:
## - force all SMTP connections over TLS including unauthenticated connections
## - use the disable_require_tls boolean value to disable this requirement
## (only works for unauthenticated connections)
## - validate the SMTP server x509 certificate during the TLS handshake against the hosts trusted certificates
## (configure in tls section)
#smtp:
# ## The SMTP host to connect to.
# host: 127.0.0.1
#
# ## The port to connect to the SMTP host on.
# port: 1025
#
# ## The connection timeout.
# timeout: 5s
#
# ## The username used for SMTP authentication.
# username: test
#
# ## The password used for SMTP authentication.
# ## Can also be set using a secret: https://www.authelia.com/docs/configuration/secrets.html
# password: password
#
# ## The address to send the email FROM.
# sender: admin@example.com
#
# ## HELO/EHLO Identifier. Some SMTP Servers may reject the default of localhost.
# identifier: localhost
#
# ## Subject configuration of the emails sent. {title} is replaced by the text from the notifier.
# subject: "[Authelia] {title}"
#
# ## This address is used during the startup check to verify the email configuration is correct.
# ## It's not important what it is except if your email server only allows local delivery.
# startup_check_address: test@authelia.com
#
# ## By default we require some form of TLS. This disables this check though is not advised.
# disable_require_tls: false
#
# ## Disables sending HTML formatted emails.
# disable_html_emails: false
#
# tls:
# ## Server Name for certificate validation (in case you are using the IP or non-FQDN in the host option).
# # server_name: smtp.example.com
#
# ## Skip verifying the server certificate (to allow a self-signed certificate).
# ## In preference to setting this we strongly recommend you add the public portion of the certificate to the
# ## certificates directory which is defined by the `certificates_directory` option at the top of the config.
# skip_verify: false
#
# ## Minimum TLS version for either StartTLS or SMTPS.
# minimum_version: TLS1.2
##
## Identity Providers
##
# identity_providers:
##
## OpenID Connect (Identity Provider)
##
## It's recommended you read the documentation before configuration of this section:
## https://www.authelia.com/docs/configuration/identity-providers/oidc.html
# oidc:
## The hmac_secret is used to sign OAuth2 tokens (authorization code, access tokens and refresh tokens).
## HMAC Secret can also be set using a secret: https://www.authelia.com/docs/configuration/secrets.html
# hmac_secret: this_is_a_secret_abc123abc123abc
## The issuer_private_key is used to sign the JWT forged by OpenID Connect.
## Issuer Private Key can also be set using a secret: https://docs.authelia.com/configuration/secrets.html
# issuer_private_key: |
# --- KEY START
# --- KEY END
## The lifespans configure the expiration for these token types.
# access_token_lifespan: 1h
# authorize_code_lifespan: 1m
# id_token_lifespan: 1h
# refresh_token_lifespan: 90m
## Enables additional debug messages.
# enable_client_debug_messages: false
## SECURITY NOTICE: It's not recommended changing this option, and highly discouraged to have it below 8 for
## security reasons.
# minimum_parameter_entropy: 8
## Clients is a list of known clients and their configuration.
# clients:
# -
## The ID is the OpenID Connect ClientID which is used to link an application to a configuration.
# id: myapp
## The description to show to users when they end up on the consent screen. Defaults to the ID above.
# description: My Application
## The client secret is a shared secret between Authelia and the consumer of this client.
# secret: this_is_a_secret
## Sets the client to public. This should typically not be set, please see the documentation for usage.
# public: false
## The policy to require for this client; one_factor or two_factor.
# authorization_policy: two_factor
## Audience this client is allowed to request.
# audience: []
## Scopes this client is allowed to request.
# scopes:
# - openid
# - groups
# - email
# - profile
## Redirect URI's specifies a list of valid case-sensitive callbacks for this client.
# redirect_uris:
# - https://oidc.example.com:8080/oauth2/callback
## Grant Types configures which grants this client can obtain.
## It's not recommended to define this unless you know what you're doing.
# grant_types:
# - refresh_token
# - authorization_code
## Response Types configures which responses this client can be sent.
## It's not recommended to define this unless you know what you're doing.
# response_types:
# - code
## Response Modes configures which response modes this client supports.
# response_modes:
# - form_post
# - query
# - fragment
## The algorithm used to sign userinfo endpoint responses for this client, either none or RS256.
# userinfo_signing_algorithm: none
...

172
_apps/authelia/deployment.yaml Normal file
View File

@@ -0,0 +1,172 @@
#we use postgresql:
#create database authelia;
#create user authelia with encrypted password 'secret';
#grant all privileges on database authelia to authelia;
apiVersion: apps/v1
kind: Deployment
metadata:
name: authelia
labels:
app: authelia
release: latest
spec:
replicas: 1
selector:
matchLabels:
app: authelia
release: latest
template:
metadata:
labels:
app: authelia
release: latest
spec:
containers:
- name: authelia
image: authelia/authelia:latest
env:
#- name: AUTHELIA_SERVER_PORT
# value: "9091"
- name: TZ
value: "Europe/Berlin"
volumeMounts:
- name: authelia
mountPath: /config-nfs
- name: authelia-config
mountPath: /config
- name: pki
mountPath: /etc/pki
ports:
- name: http
containerPort: 9091
protocol: TCP
livenessProbe:
httpGet:
path: /
port: http
readinessProbe:
httpGet:
path: /
port: http
resources:
requests:
memory: "256Mi"
cpu: "250m"
limits:
memory: "1000Mi"
cpu: "1500m"
enableServiceLinks: false
volumes:
- name: authelia
persistentVolumeClaim:
claimName: authelia
- name: authelia-config
configMap:
name: authelia-config
items:
- key: configuration.yml
path: configuration.yml
- name: pki
hostPath:
path: /etc/pki
type: Directory
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: authelia
labels:
app: authelia
spec:
storageClassName: nfs-ssd-ebin02
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 100Mi
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: authelia
spec:
storageClassName: "nfs-ssd-ebin02"
nfs:
path: /data/raid1-ssd/k8s-data/authelia
server: ebin02
capacity:
storage: 100Mi
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
persistentVolumeReclaimPolicy: Retain
claimRef:
kind: PersistentVolumeClaim
name: authelia
namespace: live-infra
---
apiVersion: v1
kind: Service
metadata:
name: authelia
labels:
app: authelia
spec:
ports:
- port: 80
targetPort: http
protocol: TCP
name: http
- port: 443
targetPort: http
name: https
selector:
app: authelia
release: latest
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: authelia
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/auth-url: https://authelia.live-infra.svc.cluster.local/api/verify
nginx.ingress.kubernetes.io/auth-signin: https://auth.lan
nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
nginx.ingress.kubernetes.io/auth-snippet: |
proxy_set_header X-Forwarded-Method $request_method;
nginx.ingress.kubernetes.io/configuration-snippet: |
proxy_set_header X-Forwarded-Method $request_method;
spec:
rules:
- host: auth.lan
http:
paths:
- backend:
service:
name: authelia
port:
name: http
path: /
pathType: Prefix
- host: secure.auth.lan
http:
paths:
- backend:
service:
name: authelia
port:
name: http
path: /
pathType: Prefix
- host: public.auth.lan
http:
paths:
- backend:
service:
name: authelia
port:
name: http
path: /
pathType: Prefix

133
_apps/codetogether.yaml Normal file
View File

@@ -0,0 +1,133 @@
# ========================================================================
# Secret: CodeTogether License Values
# ========================================================================
apiVersion: v1
kind: Secret
metadata:
name: codetogether-license
namespace: default
type: Opaque
stringData:
# Configure as needed for your deployment, should match your SSL certificate
CT_SERVER_URL: "https://cd.lan"
CT_TRUST_ALL_CERTS: "true"
# Provided by your Genuitec Sales Representative
# *values must match exactly
CT_LICENSEE: "Werkstatt"
CT_MAXCONNECTIONS: "0"
CT_EXPIRATION: "2022/10/01"
CT_SIGNATURE: "xXM4cwzG...619bef4"
---
# ========================================================================
# Secret: SSL Key and Certificate for SSL used by Ingress
# ========================================================================
apiVersion: v1
kind: Secret
metadata:
name: codetogether-sslsecret
namespace: default
type: kubernetes.io/tls
data:
# value from "cat ssl.crt | base64 -w 0"
tls.crt: "LS0tLS1CRUdJTi...UZJQ0FURS0tLS0tDQo="
# value from "cat ssl.key | base64 -w 0"
tls.key: "LS0tLS1CRUdJTi...EUgS0VZLS0tLS0NCg=="
---
# ========================================================================
# Ingress: Expose the HTTPS service to the network
# ========================================================================
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: codetogether
spec:
tls:
- hosts:
- SERVERFQDN
secretName: codetogether-sslsecret
rules:
- host: SERVERFQDN
http:
paths:
- path: /
backend:
serviceName: codetogether
servicePort: 80
---
# ========================================================================
# Service: Map the HTTP port from the container
# ========================================================================
apiVersion: v1
kind: Service
metadata:
name: codetogether
labels:
run: codetogether
spec:
ports:
- port: 80
name: http
targetPort: 1080
protocol: TCP
selector:
run: codetogether
---
# ========================================================================
# Deployment: Configure the Container Deployment
# ========================================================================
apiVersion: apps/v1
kind: Deployment
metadata:
name: codetogether
namespace: default
spec:
selector:
matchLabels:
run: codetogether
replicas: 1
template:
metadata:
labels:
run: codetogether
spec:
containers:
- name: codetogether
image: hub.edge.codetogether.com/latest/codetogether:latest
imagePullPolicy: Always
ports:
- containerPort: 1080
env:
- name: CT_LOCATOR
value: "none"
- name: CT_SERVER_URL
valueFrom:
secretKeyRef:
name: codetogether-license
key: CT_SERVER_URL
- name: CT_TRUST_ALL_CERTS
valueFrom:
secretKeyRef:
name: codetogether-license
key: CT_TRUST_ALL_CERTS
- name: CT_LICENSEE
valueFrom:
secretKeyRef:
name: codetogether-license
key: CT_LICENSEE
- name: CT_MAXCONNECTIONS
valueFrom:
secretKeyRef:
name: codetogether-license
key: CT_MAXCONNECTIONS
- name: CT_EXPIRATION
valueFrom:
secretKeyRef:
name: codetogether-license
key: CT_EXPIRATION
- name: CT_SIGNATURE
valueFrom:
secretKeyRef:
name: codetogether-license
key: CT_SIGNATURE
imagePullSecrets:
- name: ctcreds

6
_apps/curl/Dockerfile Normal file
View File

@@ -0,0 +1,6 @@
FROM cr.wks/debian-stable
RUN apt-get update && apt-get install -y \
curl procps && \
apt-get clean -y && \
rm -rf /var/lib/apt/lists/* && \
rm -rf /var/cache/apt/* /tmp/* /var/tmp/*

7
_apps/docker-registry/README.md Normal file
View File

@@ -0,0 +1,7 @@
Docker-ui
Build it for arm64 in docker-registry-ui
ARCH=arm64; APP=docker-registry-ui ; podman build --arch=$ARCH -t $APP:$ARCH -t cr.lan/$APP:$ARCH -f arm64v8-static.dockerfile
ARCH=arm64; APP=docker-registry-ui ; podman push cr.lan/$APP:$ARCH

92
_apps/docker-registry/docker-registry-ui.yaml Normal file
View File

@@ -0,0 +1,92 @@
#https://github.com/Joxit/docker-registry-ui
apiVersion: apps/v1
kind: Deployment
metadata:
name: docker-registry-ui
labels:
app: registry-ui
release: docker-registry-ui
spec:
replicas: 1
selector:
matchLabels:
app: registry-ui
release: docker-registry-ui
template:
metadata:
labels:
app: registry-ui
release: docker-registry-ui
spec:
containers:
- name: registry-ui
image: docker.io/joxit/docker-registry-ui:latest
imagePullPolicy: Always
env:
- name: NGINX_PROXY_PASS_URL
value: "http://cr.lan"
- name: REGISTRY_TITLE
value: "cReg"
- name: DELETE_IMAGES
value: "true"
#- name: REGISTRY_URL
# value: "http://cr.lan"
ports:
- name: http
containerPort: 80
protocol: TCP
#livenessProbe:
# httpGet:
# path: /
# port: http
#readinessProbe:
# httpGet:
# path: /
# port: http
resources:
requests:
memory: "20Mi"
cpu: "10m"
limits:
memory: "32Mi"
cpu: "50m"
---
apiVersion: v1
kind: Service
metadata:
name: docker-registry-ui
labels:
app: registry-ui
release: docker-registry-ui
spec:
ports:
- port: 80
targetPort: http
protocol: TCP
name: http
selector:
app: registry-ui
release: docker-registry-ui
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: docker-registry-ui
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/enable-cors: "true"
nginx.ingress.kubernetes.io/cors-allow-origin: "*"
nginx.ingress.kubernetes.io/cors-expose-headers: "*"
spec:
rules:
- host: cr-ui.lan
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: docker-registry-ui
port:
number: 80

131
_apps/docker-registry/registry-deployment.yaml Normal file
View File

@@ -0,0 +1,131 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: docker-registry
namespace: docker-registry
#annotations:
# volume.beta.kubernetes.io/storage-class: "managed-nfs-storage"
spec:
storageClassName: csi-s3-slow
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 20Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: registry
labels:
app: registry
namespace: live-env
spec:
replicas: 1
selector:
matchLabels:
app: registry
template:
metadata:
labels:
app: registry
spec:
containers:
- name: registry
image: registry:2
imagePullPolicy: Always
env:
- name: REGISTRY_HTTP_SECRET
value: "ThisIsTotallySecret"
ports:
- containerPort: 5000
volumeMounts:
- mountPath: /var/lib/registry
name: registry-data
- mountPath: /etc/docker/registry
name: config
volumes:
- name: registry-data
persistentVolumeClaim:
claimName: docker-registry
- name: config
configMap:
defaultMode: 420
name: docker-registry-config
---
apiVersion: v1
kind: ConfigMap
metadata:
name: docker-registry-config
namespace: live-env
labels:
app: registry
data:
config.yml: |-
version: 0.1
log:
fields:
service: registry
storage:
delete:
enabled: true
cache:
blobdescriptor: inmemory
filesystem:
rootdirectory: /var/lib/registry
http:
addr: :5000
headers:
X-Content-Type-Options: [nosniff]
Access-Control-Allow-Origin: ['*', 'http://cr-ui.lan']
Access-Control-Allow-Methods: ['HEAD', 'GET', 'OPTIONS', 'DELETE']
Access-Control-Allow-Headers: ['Authorization', 'Accept']
Access-Control-Max-Age: [1728000]
Access-Control-Allow-Credentials: [true]
Access-Control-Expose-Headers: ['Docker-Content-Digest']
---
kind: Service
apiVersion: v1
metadata:
name: registry
namespace: live-env
spec:
selector:
app: registry
ports:
- port: 5000
targetPort: 5000
#---
#apiVersion: v1
#data:
# proxy-connect-timeout: "30"
# proxy-read-timeout: "1801"
# proxy-send-timeout: "1801"
# proxy-body-size: "0"
# client-max-body-size: "0"
#kind: ConfigMap
#metadata:
# name: ingress-nginx-controller
# namespace: ingress-nginx
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: docker-registry
namespace: live-env
annotations:
kubernetes.io/ingress.class: nginx
spec:
rules:
- host: docker-registry.lan
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: registry
port:
number: 5000

116
_apps/dolibarr/Dockerfile Normal file
View File

@@ -0,0 +1,116 @@
FROM cr.lan/debian-stable-php-fpm
# see https://wiki.dolibarr.org/index.php/Dependencies_and_external_libraries
# Prepare folders
ENV DEBIAN_FRONTEND noninteractive
RUN set -ex; \
apt-get update -q; \
apt-get install -y --no-install-recommends \
bzip2 \
default-mysql-client \
cron \
rsync \
unzip \
zip php-soap;\
mkdir -p /var/www/documents; \
chown -R www-data:root /var/www; \
chmod -R g=u /var/www
# CLeanup
RUN apt-get autoremove --purge -y && \
apt-get clean -y && \
rm -rf /var/lib/apt/lists/* && \
rm -rf /var/cache/apt/* /tmp/* /var/tmp/* /var/log/*
VOLUME /var/www/html /var/www/documents /var/www/scripts
# Runtime env var
ENV DOLI_AUTO_CONFIGURE=1 \
DOLI_DB_TYPE=mysqli \
DOLI_DB_HOST= \
DOLI_DB_PORT=3306 \
DOLI_DB_USER=dolibarr \
DOLI_DB_PASSWORD='' \
DOLI_DB_NAME=dolibarr \
DOLI_DB_PREFIX=llx_ \
DOLI_DB_CHARACTER_SET=utf8 \
DOLI_DB_COLLATION=utf8_unicode_ci \
DOLI_DB_ROOT_LOGIN='' \
DOLI_DB_ROOT_PASSWORD='' \
DOLI_ADMIN_LOGIN=admin \
DOLI_MODULES='' \
DOLI_URL_ROOT='http://localhost' \
DOLI_AUTH=dolibarr \
DOLI_LDAP_HOST= \
DOLI_LDAP_PORT=389 \
DOLI_LDAP_VERSION=3 \
DOLI_LDAP_SERVERTYPE=openldap \
DOLI_LDAP_LOGIN_ATTRIBUTE=uid \
DOLI_LDAP_DN='' \
DOLI_LDAP_FILTER='' \
DOLI_LDAP_ADMIN_LOGIN='' \
DOLI_LDAP_ADMIN_PASS='' \
DOLI_LDAP_DEBUG=false \
DOLI_HTTPS=0 \
DOLI_PROD=0 \
DOLI_NO_CSRF_CHECK=0 \
WWW_USER_ID=33 \
WWW_GROUP_ID=33 \
PHP_INI_DATE_TIMEZONE='UTC' \
PHP_MEMORY_LIMIT=256M \
PHP_MAX_UPLOAD=20M \
PHP_MAX_EXECUTION_TIME=300
# Build time env var
ARG DOLI_VERSION=13.0.4
# Get Dolibarr
ADD https://github.com/Dolibarr/dolibarr/archive/${DOLI_VERSION}.zip /tmp/dolibarr.zip
# Install Dolibarr from tag archive
RUN set -ex; \
mkdir -p /tmp/dolibarr; \
unzip -q /tmp/dolibarr.zip -d /tmp/dolibarr; \
rm /tmp/dolibarr.zip; \
mkdir -p /usr/src/dolibarr; \
cp -r "/tmp/dolibarr/dolibarr-${DOLI_VERSION}"/* /usr/src/dolibarr; \
rm -rf /tmp/dolibarr; \
chmod +x /usr/src/dolibarr/scripts/*; \
echo "${DOLI_VERSION}" > /usr/src/dolibarr/.docker-image-version
COPY entrypoint.sh /
RUN set -ex; \
chmod 755 /entrypoint.sh ;\
mkdir -p /run/php
ENTRYPOINT ["/entrypoint.sh"]
CMD ["php-fpm7.4", "--nodaemonize", "-c", "/etc/php/7.4/fpm/php.ini", "--fpm-config", "/etc/php/7.4/fpm/php-fpm.conf"]
# Arguments to label built container
ARG VCS_REF
ARG BUILD_DATE
# Container labels (http://label-schema.org/)
# Container annotations (https://github.com/opencontainers/image-spec)
LABEL maintainer="Monogramm maintainers <opensource at monogramm dot io>" \
product="Dolibarr" \
version=${DOLI_VERSION} \
org.label-schema.vcs-ref=${VCS_REF} \
org.label-schema.vcs-url="https://github.com/Monogramm/docker-dolibarr" \
org.label-schema.build-date=${BUILD_DATE} \
org.label-schema.name="Dolibarr" \
org.label-schema.description="Open Source ERP & CRM for Business" \
org.label-schema.url="https://www.dolibarr.org/" \
org.label-schema.vendor="Dolibarr" \
org.label-schema.version=$DOLI_VERSION \
org.label-schema.schema-version="1.0" \
org.opencontainers.image.revision=${VCS_REF} \
org.opencontainers.image.source="https://github.com/Monogramm/docker-dolibarr" \
org.opencontainers.image.created=${BUILD_DATE} \
org.opencontainers.image.title="Dolibarr" \
org.opencontainers.image.description="Open Source ERP & CRM for Business" \
org.opencontainers.image.url="https://www.dolibarr.org/" \
org.opencontainers.image.vendor="Dolibarr" \
org.opencontainers.image.version=${DOLI_VERSION} \
org.opencontainers.image.authors="Monogramm maintainers <opensource at monogramm dot io>"

3
_apps/dolibarr/README.md Normal file
View File

@@ -0,0 +1,3 @@
create nginx configmap
kubectl -n live-env create configmap dolibarr-nginx-site --from-file=nginx-site.configmap.conf

104
_apps/dolibarr/deployment.yaml Normal file
View File

@@ -0,0 +1,104 @@
#we use postgresql:
#create database dolibarr;
#create user dolibarr with encrypted password 'secret';
#grant all privileges on database dolibarr to dolibarr;
apiVersion: apps/v1
kind: Deployment
metadata:
name: dolibarr
labels:
app: dolibarr
release: latest
spec:
replicas: 1
selector:
matchLabels:
app: dolibarr
release: latest
template:
metadata:
labels:
app: dolibarr
release: latest
spec:
volumes:
- name: dolibarr-nginx-site
configMap:
name: dolibarr-nginx-site
- name: www-data
emptyDir: {}
containers:
- name: nginx-proxy
image: nginx
volumeMounts:
- name: dolibarr-nginx-site
mountPath: /etc/nginx/conf.d
- name: www-data
mountPath: /var/www/html
ports:
- name: http
containerPort: 80
protocol: TCP
- name: dolibarr
image: cr.lan/dolibarr:latest
volumeMounts:
- name: www-data
mountPath: /var/www/html
env:
- name: TZ
value: "Europe/Berlin"
- name: DOLI_DB_HOST
value: postgres.live-env.svc.cluster.local
- name: DOLI_DB_PORT
value: "5432"
- name: DOLI_DB_NAME
value: dolibarr
- name: DOLI_DB_USER
value: dolibarr
- name: DOLI_DB_PASSWORD
value: Vb7yHzmE5HIjfU4hjghjghj6AnMdB
- name: DOLI_DB_TYPE
value: pgsql
ports:
- name: php-fpm
containerPort: 9000
protocol: TCP
resources:
requests:
memory: "256Mi"
cpu: "250m"
limits:
memory: "512Mi"
cpu: "3000m"
---
apiVersion: v1
kind: Service
metadata:
name: dolibarr
spec:
ports:
- name: http
port: 80
selector:
app: dolibarr
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: dolibarr
annotations:
kubernetes.io/ingress.class: nginx
ingress.kubernetes.io/whitelist-x-forwarded-for: "true"
spec:
rules:
- host: dolibarr.lan
http:
paths:
- backend:
service:
name: dolibarr
port:
name: http
path: /
pathType: Prefix

271
_apps/dolibarr/entrypoint.sh Normal file
View File

@@ -0,0 +1,271 @@
#!/bin/sh
set -e
log() {
echo "[$0] [$(date +%Y-%m-%dT%H:%M:%S)] $*"
}
# version_greater A B returns whether A > B
version_greater() {
[ "$(printf '%s\n' "$@" | sort -t '.' -n -k1,1 -k2,2 -k3,3 -k4,4 | head -n 1)" != "$1" ]
}
# return true if specified directory is empty
directory_empty() {
[ -z "$(ls -A "$1/")" ]
}
run_as() {
if [ "$(id -u)" = 0 ]; then
su - www-data -s /bin/sh -c "$1"
else
sh -c "$1"
fi
}
if [ ! -f /usr/local/etc/php/php.ini ]; then
log "Initializing PHP configuration..."
cat <<EOF > /etc/php/7.4/fpm/php.ini
date.timezone = "${PHP_INI_DATE_TIMEZONE}"
memory_limit = ${PHP_MEMORY_LIMIT}
file_uploads = On
upload_max_filesize = ${PHP_MAX_UPLOAD}
post_max_size = ${PHP_MAX_UPLOAD}
max_execution_time = ${PHP_MAX_EXECUTION_TIME}
sendmail_path = /usr/sbin/sendmail -t -i
extension = calendar.so
EOF
fi
if [ ! -d /var/www/documents ]; then
log "Initializing Dolibarr documents directory..."
mkdir -p /var/www/documents
fi
log "Updating Dolibarr users and group..."
usermod -u "$WWW_USER_ID" www-data
groupmod -g "$WWW_GROUP_ID" www-data
log "Updating Dolibarr folder ownership..."
chown -R www-data:www-data /var/www
if [ ! -d /var/www/html/conf/ ]; then
log "Initializing Dolibarr HTML configuration directory..."
mkdir -p /var/www/html/conf/
fi
# Create a default config if autoconfig enabled
if [ -n "$DOLI_AUTO_CONFIGURE" ] && [ ! -f /var/www/html/conf/conf.php ]; then
log "Initializing Dolibarr HTML configuration..."
cat <<EOF > /var/www/html/conf/conf.php
<?php
// Config file for Dolibarr ${DOLI_VERSION} ($(date +%Y-%m-%dT%H:%M:%S%:z))
// ###################
// # Main parameters #
// ###################
\$dolibarr_main_url_root='${DOLI_URL_ROOT}';
\$dolibarr_main_document_root='/var/www/html';
\$dolibarr_main_url_root_alt='/custom';
\$dolibarr_main_document_root_alt='/var/www/html/custom';
\$dolibarr_main_data_root='/var/www/documents';
\$dolibarr_main_db_host='${DOLI_DB_HOST}';
\$dolibarr_main_db_port='${DOLI_DB_PORT}';
\$dolibarr_main_db_name='${DOLI_DB_NAME}';
\$dolibarr_main_db_prefix='${DOLI_DB_PREFIX}';
\$dolibarr_main_db_user='${DOLI_DB_USER}';
\$dolibarr_main_db_pass='${DOLI_DB_PASSWORD}';
\$dolibarr_main_db_type='${DOLI_DB_TYPE}';
\$dolibarr_main_db_character_set='${DOLI_DB_CHARACTER_SET}';
\$dolibarr_main_db_collation='${DOLI_DB_COLLATION}';
// ##################
// # Login #
// ##################
\$dolibarr_main_authentication='${DOLI_AUTH}';
\$dolibarr_main_auth_ldap_host='${DOLI_LDAP_HOST}';
\$dolibarr_main_auth_ldap_port='${DOLI_LDAP_PORT}';
\$dolibarr_main_auth_ldap_version='${DOLI_LDAP_VERSION}';
\$dolibarr_main_auth_ldap_servertype='${DOLI_LDAP_SERVERTYPE}';
\$dolibarr_main_auth_ldap_login_attribute='${DOLI_LDAP_LOGIN_ATTRIBUTE}';
\$dolibarr_main_auth_ldap_dn='${DOLI_LDAP_DN}';
\$dolibarr_main_auth_ldap_filter ='${DOLI_LDAP_FILTER}';
\$dolibarr_main_auth_ldap_admin_login='${DOLI_LDAP_ADMIN_LOGIN}';
\$dolibarr_main_auth_ldap_admin_pass='${DOLI_LDAP_ADMIN_PASS}';
\$dolibarr_main_auth_ldap_debug='${DOLI_LDAP_DEBUG}';
// ##################
// # Security #
// ##################
\$dolibarr_main_prod='${DOLI_PROD}';
\$dolibarr_main_force_https='${DOLI_HTTPS}';
\$dolibarr_main_restrict_os_commands='mysqldump, mysql, pg_dump, pgrestore';
\$dolibarr_nocsrfcheck='${DOLI_NO_CSRF_CHECK}';
\$dolibarr_main_cookie_cryptkey='$(openssl rand -hex 32)';
\$dolibarr_mailing_limit_sendbyweb='0';
EOF
chown www-data:www-data /var/www/html/conf/conf.php
chmod 766 /var/www/html/conf/conf.php
fi
# Detect Docker container version (ie. previous installed version)
installed_version="0.0.0.0"
if [ -f /var/www/documents/.docker-container-version ]; then
# shellcheck disable=SC2016
installed_version="$(cat /var/www/documents/.docker-container-version)"
fi
if [ -f /var/www/documents/install.version ]; then
# shellcheck disable=SC2016
installed_version="$(cat /var/www/documents/install.version)"
mv \
/var/www/documents/install.version \
/var/www/documents/.docker-container-version
fi
# Detect Docker image version (docker specific solution)
# shellcheck disable=SC2016
image_version="${DOLI_VERSION}"
if [ -f /usr/src/dolibarr/.docker-image-version ]; then
# shellcheck disable=SC2016
image_version="$(cat /usr/src/dolibarr/.docker-image-version)"
fi
if version_greater "$installed_version" "$image_version"; then
log "Can't start Dolibarr because the version of the data ($installed_version) is higher than the docker image version ($image_version) and downgrading is not supported. Are you sure you have pulled the newest image version?"
exit 1
fi
# Initialize image
if version_greater "$image_version" "$installed_version"; then
log "Dolibarr initialization..."
if [ "$(id -u)" = 0 ]; then
rsync_options="-rvlDog --chown www-data:root"
else
rsync_options="-rvlD"
fi
mkdir -p /var/www/scripts
rsync $rsync_options /usr/src/dolibarr/scripts/ /var/www/scripts/
rsync $rsync_options --delete --exclude /conf/ --exclude /custom/ --exclude /theme/ /usr/src/dolibarr/htdocs/ /var/www/html/
for dir in conf custom; do
if [ ! -d "/var/www/html/$dir" ] || directory_empty "/var/www/html/$dir"; then
rsync $rsync_options --include "/$dir/" --exclude '/*' /usr/src/dolibarr/htdocs/ /var/www/html/
fi
done
# The theme folder contains custom and official themes. We must copy even if folder is not empty, but not delete content either
for dir in theme; do
rsync $rsync_options --include "/$dir/" --exclude '/*' /usr/src/dolibarr/htdocs/ /var/www/html/
done
if [ "$installed_version" != "0.0.0.0" ]; then
# Call upgrade if needed
# https://wiki.dolibarr.org/index.php/Installation_-_Upgrade#With_Dolibarr_.28standard_.zip_package.29
log "Dolibarr upgrade from $installed_version to $image_version..."
if [ -f /var/www/documents/install.lock ]; then
rm /var/www/documents/install.lock
fi
base_version=$(echo "${installed_version}" | sed -e 's|\(.*\..*\)\..*|\1|g')
target_version=$(echo "${image_version}" | sed -e 's|\(.*\..*\)\..*|\1|g')
run_as "cd /var/www/html/install/ && php upgrade.php ${base_version}.0 ${target_version}.0"
run_as "cd /var/www/html/install/ && php upgrade2.php ${base_version}.0 ${target_version}.0"
run_as "cd /var/www/html/install/ && php step5.php ${base_version}.0 ${target_version}.0"
log 'This is a lock file to prevent use of install pages (generated by container entrypoint)' > /var/www/documents/install.lock
chown www-data:www-data /var/www/documents/install.lock
chmod 400 /var/www/documents/install.lock
elif [ -n "$DOLI_AUTO_CONFIGURE" ] && [ ! -f /var/www/documents/install.lock ]; then
log "Create forced values for first Dolibarr install..."
cat <<EOF > /var/www/html/install/install.forced.php
<?php
// Forced install config file for Dolibarr ${DOLI_VERSION} ($(date +%Y-%m-%dT%H:%M:%S%:z))
/** @var bool Hide PHP informations */
\$force_install_nophpinfo = true;
/** @var int 1 = Lock and hide environment variables, 2 = Lock all set variables */
\$force_install_noedit = 2;
/** @var string Information message */
\$force_install_message = 'Dolibarr installation (Docker)';
/** @var string Data root absolute path (documents folder) */
\$force_install_main_data_root = '/var/www/documents';
/** @var bool Force HTTPS */
\$force_install_mainforcehttps = !empty('${DOLI_HTTPS}');
/** @var string Database name */
\$force_install_database = '${DOLI_DB_NAME}';
/** @var string Database driver (mysql|mysqli|pgsql|mssql|sqlite|sqlite3) */
\$force_install_type = '${DOLI_DB_TYPE}';
/** @var string Database server host */
\$force_install_dbserver = '${DOLI_DB_HOST}';
/** @var int Database server port */
\$force_install_port = '${DOLI_DB_PORT}';
/** @var string Database tables prefix */
\$force_install_prefix = '${DOLI_DB_PREFIX}';
/** @var string Database username */
\$force_install_databaselogin = '${DOLI_DB_USER}';
/** @var string Database password */
\$force_install_databasepass = '${DOLI_DB_PASSWORD}';
/** @var bool Force database user creation */
\$force_install_createuser = false;
/** @var bool Force database creation */
\$force_install_createdatabase = !empty('${DOLI_DB_ROOT_LOGIN}');
/** @var string Database root username */
\$force_install_databaserootlogin = '${DOLI_DB_ROOT_LOGIN}';
/** @var string Database root password */
\$force_install_databaserootpass = '${DOLI_DB_ROOT_PASSWORD}';
/** @var string Dolibarr super-administrator username */
\$force_install_dolibarrlogin = '${DOLI_ADMIN_LOGIN}';
/** @var bool Force install locking */
\$force_install_lockinstall = true;
/** @var string Enable module(s) (Comma separated class names list) */
\$force_install_module = '${DOLI_MODULES}';
EOF
log "You shall complete Dolibarr install manually at '${DOLI_URL_ROOT}/install'"
fi
fi
if [ ! -d /var/www/htdocs ]; then
log "Adding a symlink to /var/www/htdocs..."
ln -s /var/www/html /var/www/htdocs
fi
if [ ! -d /var/www/scripts ]; then
log "Initializing Dolibarr scripts directory..."
cp /usr/src/dolibarr/scripts /var/www/scripts
fi
if [ -f /var/www/documents/install.lock ]; then
log "Updating Dolibarr installed version..."
echo "$image_version" > /var/www/documents/.docker-container-version
fi
log "Serving Dolibarr...$@"
exec "$@"

60
_apps/dolibarr/nginx-site.configmap.conf Normal file
View File

@@ -0,0 +1,60 @@
server {
listen 80;
listen [::]:80;
add_header Referrer-Policy origin; # make sure outgoing links don't show the URL to the Matomo instance
root /var/www/html;
index index.php index.html;
try_files $uri $uri/ =404;
## only allow accessing the following php files
location ~ \.php$ {
# regex to split $uri to $fastcgi_script_name and $fastcgi_path
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_index index.php;
# Check that the PHP script exists before passing it
try_files $fastcgi_script_name =404;
proxy_connect_timeout 3600;
proxy_send_timeout 3600;
proxy_read_timeout 3600;
send_timeout 3600;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $fastcgi_path_info;
fastcgi_param HTTP_PROXY ""; # prohibit httpoxy: https://httpoxy.org/
fastcgi_pass 127.0.0.1:9000;
}
## disable all access to the following directories
location ~ /\.ht {
deny all;
return 403;
}
location ~ /\.git {
deny all;
}
location ~ \.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2|json)$ {
allow all;
## Cache images,CSS,JS and webfonts for an hour
## Increasing the duration may improve the load-time, but may cause old files to show after an Matomo upgrade
expires 1h;
add_header Pragma public;
add_header Cache-Control "public";
}
location ~ /(libs|vendor|plugins|misc/user) {
deny all;
return 403;
}
## properly display textfiles in root directory
location ~/(.*\.md|LEGALNOTICE|LICENSE) {
default_type text/plain;
}
}
# vim: filetype=nginx

23
_apps/dolibarr/tekton.yaml Normal file
View File

@@ -0,0 +1,23 @@
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
name: img-dolibarr
spec:
pipelineRef:
name: kaniko-pipeline
params:
- name: git-url
value: http://git-ui.lan/chaos/kubernetes.git
- name: git-revision
value: master
- name: path-to-image-context
value: apps/dolibarr
- name: path-to-dockerfile
value: apps/dolibarr/Dockerfile
- name: image-name
value: cr.lan/dolibarr
workspaces:
- name: git-source
persistentVolumeClaim:
claimName: tektoncd-workspaces
subPath: tekton/dolibarr

178
_apps/gitea.yaml Normal file
View File

@@ -0,0 +1,178 @@
#we use postgresql:
#create database gitea;
#create user gitea with encrypted password 'secret';
#grant all privileges on database gitea to gitea;
apiVersion: apps/v1
kind: Deployment
metadata:
name: gitea
labels:
app: gitea
release: latest
spec:
replicas: 1
strategy:
type: Recreate
selector:
matchLabels:
app: gitea
release: latest
template:
metadata:
labels:
app: gitea
release: latest
spec:
containers:
- name: gitea
image: gitea/gitea:latest
env:
- name: USER_UID
value: "1000"
- name: USER_GID
value: "1000"
- name: TZ
value: "Europe/Berlin"
- name: GITEA__lfs__PATH
value: /data/git/lfs
- name: DB_TYPE
value: postgres
- name: DB_HOST
value: postgres.live-env.svc.cluster.local:5432
- name: DB_NAME
value: gitea
- name: DB_USER
value: gitea
- name: DB_PASSWD
value: giteaEu94XSS4gKpheSBoMsIs
#- name: GITEA__indexer__ISSUE_INDEXER
#value: redis
#- name: GITEA__indexer__ISSUE_INDEXER_QUEUE_CONN_STR
#value: addrs=redis-standalone.live-env.svc.cluster.local:6379 db=1
- name: GITEA__packages__ENABLED
value: "true"
- name: GITEA__log__LEVEL
value: warn
- name: GITEA__log__MODE
value: file
- name: GITEA__log__ROUTER
value: file
- name: GITEA__log__MACARON
value: file
#- name: GITEA__queue__TYPE
#value: redis
#- name: GITEA__queue__CONN_STR
#value: redis://redis-standalone.live-env.svc.cluster.local:6397/0
- name: GITEA__server__ROOT_URL
value: http://git-ui.lan/
volumeMounts:
- name: gitea
mountPath: /data
ports:
- name: http
containerPort: 3000
protocol: TCP
- name: ssh
containerPort: 22
protocol : TCP
livenessProbe:
initialDelaySeconds: 300
periodSeconds: 10
httpGet:
path: /
port: http
readinessProbe:
initialDelaySeconds: 300
periodSeconds: 10
httpGet:
path: /
port: http
resources:
requests:
memory: "300Mi"
cpu: "150m"
limits:
memory: "512Mi"
cpu: "1000m"
volumes:
- name: gitea
persistentVolumeClaim:
claimName: gitea
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: gitea
labels:
app: gitea
spec:
storageClassName: nfs-ssd-ebin02
volumeName: gitea
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 20Gi
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: gitea
spec:
storageClassName: "nfs-ssd-ebin02"
nfs:
path: /data/raid1-ssd/k8s-data/gitea-data
server: ebin02
capacity:
storage: 20Gi
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
persistentVolumeReclaimPolicy: Retain
claimRef:
kind: PersistentVolumeClaim
name: gitea
namespace: live-env
---
apiVersion: v1
kind: Service
metadata:
name: gitea
labels:
app: gitea
spec:
type: LoadBalancer
loadBalancerIP: 172.23.255.2
ports:
- port: 3000
targetPort: http
protocol: TCP
name: http
- port: 22
targetPort: 22
name: ssh
selector:
app: gitea
release: latest
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: gitea
annotations:
kubernetes.io/ingress.class: nginx
ingress.kubernetes.io/whitelist-x-forwarded-for: "true"
nginx.ingress.kubernetes.io/proxy-body-size: 512m
spec:
rules:
- host: git-ui.lan
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: gitea
port:
number: 3000

34
_apps/grav/Dockerfile Normal file
View File

@@ -0,0 +1,34 @@
FROM cr.lan/debian-stable-php-fpm
ENV DEBIAN_FRONTEND noninteractive
ARG GRAV_VERSION=1.7.34
ARG DEV_PKGS="zlib1g-dev libpng-dev libjpeg-dev libfreetype6-dev \
libcurl4-gnutls-dev libxml2-dev libonig-dev"
RUN apt-get update && \
apt-get install -y git bash procps wget unzip supervisor \
php-fpm php-gd php-json php-curl php-dom php-xml php-yaml php-apcu \
php-opcache php-simplexml php-zip php-mbstring cron \
&& mkdir /var/www \
&& chown www-data:www-data /var/www \
&& cd /var/www
# CLeanup
RUN apt-get remove -y --purge ${DEV_PKGS} exim4* && \
apt-get autoremove --purge -y && \
apt-get clean -y && \
rm -rf /var/lib/apt/lists/* && \
rm -rf /var/cache/apt/* /tmp/* /var/tmp/* /var/log/*
RUN mkdir /run/php && \
chown www-data:www-data /var/log /run/php && \
mkdir -p /etc/php/7.4/fpm/pool.d
ADD docker-entrypoint.sh /
ADD supervisor.conf /etc/supervisor.conf
ENTRYPOINT ["/docker-entrypoint.sh"]
#USER www-data
RUN (crontab -l; echo "* * * * * cd /var/www/grav;/usr/bin/php bin/grav scheduler 1>> /dev/null 2>&1") | crontab -u www-data -
#CMD ["dumb-init", "/usr/sbin/php-fpm7.3", "--nodaemonize", "--force-stderr"]
CMD ["supervisord", "-c", "/etc/supervisor.conf"]

3
_apps/grav/README.md Normal file
View File

@@ -0,0 +1,3 @@
lighttpd is configured in etc_lighttpd
generate a configmap with:
kubectl create configmap grav-lighttpd-config --from-file etc_lighthttpd/

111
_apps/grav/deployment.yaml Normal file
View File

@@ -0,0 +1,111 @@
---
apiVersion: apps/v1 # for versions before 1.9.0 use apps/v1beta2
kind: Deployment
metadata:
name: grav
spec:
selector:
matchLabels:
app: grav
strategy:
type: Recreate
template:
metadata:
labels:
app: grav
spec:
containers:
- image: cr.lan/grav:arm64
name: grav
imagePullPolicy: Always
ports:
- containerPort: 9000
name: php-fpm
volumeMounts:
- name: grav-pages
mountPath: /var/www/grav
- name: grav-etc-php-fpm-www-conf
mountPath: /etc/php/7.4/fpm/pool.d
- image: nginx:alpine
name: nginx
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
name: http
volumeMounts:
- name: grav-nginx-proxy-config
mountPath: /etc/nginx/nginx.conf
subPath: nginx.conf
- name: grav-pages
mountPath: /var/www/grav
initContainers:
- name: grav-install
image: busybox
command: ["/bin/sh"]
args:
- -c
- >-
wget -O /grav.zip "https://getgrav.org/download/core/grav-admin/latest" &&
unzip -q /grav.zip &&
rm -rf grav-admin/user/pages/* &&
cp -ru grav-admin/* /workdir/ &&
rm -rf /grav.zip &&
rm -rf /grav-admin &&
chown -R 33:33 /workdir/*
volumeMounts:
- name: grav-pages
mountPath: /workdir
volumes:
- name: grav-pages
persistentVolumeClaim:
claimName: grav-pages
- name: grav-nginx-proxy-config
configMap:
name: grav-nginx-proxy-config
- name: grav-etc-php-fpm-www-conf
configMap:
name: grav-etc-php-fpm-www-conf
---
apiVersion: v1
kind: Service
metadata:
name: grav
spec:
ports:
- name: http
port: 80
selector:
app: grav
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: grav
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/proxy-body-size: 512m
spec:
rules:
- host: grav.lan
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: grav
port:
name: http
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: grav-pages
spec:
storageClassName: nfs-ssd-ebin01
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 6Gi

5
_apps/grav/docker-entrypoint.sh Executable file
View File

@@ -0,0 +1,5 @@
#!/bin/sh
set -e
exec "$@"

440
_apps/grav/etc_php-fpm/www.conf Normal file
View File

@@ -0,0 +1,440 @@
; Start a new pool named 'www'.
; the variable $pool can be used in any directive and will be replaced by the
; pool name ('www' here)
[www]
; Per pool prefix
; It only applies on the following directives:
; - 'access.log'
; - 'slowlog'
; - 'listen' (unixsocket)
; - 'chroot'
; - 'chdir'
; - 'php_values'
; - 'php_admin_values'
; When not set, the global prefix (or /usr) applies instead.
; Note: This directive can also be relative to the global prefix.
; Default Value: none
;prefix = /path/to/pools/$pool
; Unix user/group of processes
; Note: The user is mandatory. If the group is not set, the default user's group
; will be used.
user = www-data
group = www-data
; The address on which to accept FastCGI requests.
; Valid syntaxes are:
; 'ip.add.re.ss:port' - to listen on a TCP socket to a specific IPv4 address on
; a specific port;
; '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
; a specific port;
; 'port' - to listen on a TCP socket to all addresses
; (IPv6 and IPv4-mapped) on a specific port;
; '/path/to/unix/socket' - to listen on a unix socket.
; Note: This value is mandatory.
; listen = /run/php/php7.4-fpm.sock
listen = 127.0.0.1:9000
; Set listen(2) backlog.
; Default Value: 511 (-1 on FreeBSD and OpenBSD)
;listen.backlog = 511
; Set permissions for unix socket, if one is used. In Linux, read/write
; permissions must be set in order to allow connections from a web server. Many
; BSD-derived systems allow connections regardless of permissions. The owner
; and group can be specified either by name or by their numeric IDs.
; Default Values: user and group are set as the running user
; mode is set to 0660
listen.owner = www-data
listen.group = www-data
;listen.mode = 0660
; When POSIX Access Control Lists are supported you can set them using
; these options, value is a comma separated list of user/group names.
; When set, listen.owner and listen.group are ignored
;listen.acl_users =
;listen.acl_groups =
; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
; must be separated by a comma. If this value is left blank, connections will be
; accepted from any ip address.
; Default Value: any
;listen.allowed_clients = 127.0.0.1
; Specify the nice(2) priority to apply to the pool processes (only if set)
; The value can vary from -19 (highest priority) to 20 (lower priority)
; Note: - It will only work if the FPM master process is launched as root
; - The pool processes will inherit the master process priority
; unless it specified otherwise
; Default Value: no set
; process.priority = -19
; Set the process dumpable flag (PR_SET_DUMPABLE prctl) even if the process user
; or group is differrent than the master process user. It allows to create process
; core dump and ptrace the process for the pool user.
; Default Value: no
; process.dumpable = yes
; Choose how the process manager will control the number of child processes.
; Possible Values:
; static - a fixed number (pm.max_children) of child processes;
; dynamic - the number of child processes are set dynamically based on the
; following directives. With this process management, there will be
; always at least 1 children.
; pm.max_children - the maximum number of children that can
; be alive at the same time.
; pm.start_servers - the number of children created on startup.
; pm.min_spare_servers - the minimum number of children in 'idle'
; state (waiting to process). If the number
; of 'idle' processes is less than this
; number then some children will be created.
; pm.max_spare_servers - the maximum number of children in 'idle'
; state (waiting to process). If the number
; of 'idle' processes is greater than this
; number then some children will be killed.
; ondemand - no children are created at startup. Children will be forked when
; new requests will connect. The following parameter are used:
; pm.max_children - the maximum number of children that
; can be alive at the same time.
; pm.process_idle_timeout - The number of seconds after which
; an idle process will be killed.
; Note: This value is mandatory.
pm = dynamic
; The number of child processes to be created when pm is set to 'static' and the
; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
; This value sets the limit on the number of simultaneous requests that will be
; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
; CGI. The below defaults are based on a server without much resources. Don't
; forget to tweak pm.* to fit your needs.
; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
; Note: This value is mandatory.
pm.max_children = 5
; The number of child processes created on startup.
; Note: Used only when pm is set to 'dynamic'
; Default Value: (min_spare_servers + max_spare_servers) / 2
pm.start_servers = 2
; The desired minimum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.min_spare_servers = 1
; The desired maximum number of idle server processes.
; Note: Used only when pm is set to 'dynamic'
; Note: Mandatory when pm is set to 'dynamic'
pm.max_spare_servers = 3
; The number of seconds after which an idle process will be killed.
; Note: Used only when pm is set to 'ondemand'
; Default Value: 10s
;pm.process_idle_timeout = 10s;
; The number of requests each child process should execute before respawning.
; This can be useful to work around memory leaks in 3rd party libraries. For
; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
; Default Value: 0
;pm.max_requests = 500
; The URI to view the FPM status page. If this value is not set, no URI will be
; recognized as a status page. It shows the following informations:
; pool - the name of the pool;
; process manager - static, dynamic or ondemand;
; start time - the date and time FPM has started;
; start since - number of seconds since FPM has started;
; accepted conn - the number of request accepted by the pool;
; listen queue - the number of request in the queue of pending
; connections (see backlog in listen(2));
; max listen queue - the maximum number of requests in the queue
; of pending connections since FPM has started;
; listen queue len - the size of the socket queue of pending connections;
; idle processes - the number of idle processes;
; active processes - the number of active processes;
; total processes - the number of idle + active processes;
; max active processes - the maximum number of active processes since FPM
; has started;
; max children reached - number of times, the process limit has been reached,
; when pm tries to start more children (works only for
; pm 'dynamic' and 'ondemand');
; Value are updated in real time.
; Example output:
; pool: www
; process manager: static
; start time: 01/Jul/2011:17:53:49 +0200
; start since: 62636
; accepted conn: 190460
; listen queue: 0
; max listen queue: 1
; listen queue len: 42
; idle processes: 4
; active processes: 11
; total processes: 15
; max active processes: 12
; max children reached: 0
;
; By default the status page output is formatted as text/plain. Passing either
; 'html', 'xml' or 'json' in the query string will return the corresponding
; output syntax. Example:
; http://www.foo.bar/status
; http://www.foo.bar/status?json
; http://www.foo.bar/status?html
; http://www.foo.bar/status?xml
;
; By default the status page only outputs short status. Passing 'full' in the
; query string will also return status for each pool process.
; Example:
; http://www.foo.bar/status?full
; http://www.foo.bar/status?json&full
; http://www.foo.bar/status?html&full
; http://www.foo.bar/status?xml&full
; The Full status returns for each process:
; pid - the PID of the process;
; state - the state of the process (Idle, Running, ...);
; start time - the date and time the process has started;
; start since - the number of seconds since the process has started;
; requests - the number of requests the process has served;
; request duration - the duration in µs of the requests;
; request method - the request method (GET, POST, ...);
; request URI - the request URI with the query string;
; content length - the content length of the request (only with POST);
; user - the user (PHP_AUTH_USER) (or '-' if not set);
; script - the main script called (or '-' if not set);
; last request cpu - the %cpu the last request consumed
; it's always 0 if the process is not in Idle state
; because CPU calculation is done when the request
; processing has terminated;
; last request memory - the max amount of memory the last request consumed
; it's always 0 if the process is not in Idle state
; because memory calculation is done when the request
; processing has terminated;
; If the process is in Idle state, then informations are related to the
; last request the process has served. Otherwise informations are related to
; the current request being served.
; Example output:
; ************************
; pid: 31330
; state: Running
; start time: 01/Jul/2011:17:53:49 +0200
; start since: 63087
; requests: 12808
; request duration: 1250261
; request method: GET
; request URI: /test_mem.php?N=10000
; content length: 0
; user: -
; script: /home/fat/web/docs/php/test_mem.php
; last request cpu: 0.00
; last request memory: 0
;
; Note: There is a real-time FPM status monitoring sample web page available
; It's available in: /usr/share/php/7.4/fpm/status.html
;
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it
; may conflict with a real PHP file.
; Default Value: not set
;pm.status_path = /status
; The ping URI to call the monitoring page of FPM. If this value is not set, no
; URI will be recognized as a ping page. This could be used to test from outside
; that FPM is alive and responding, or to
; - create a graph of FPM availability (rrd or such);
; - remove a server from a group if it is not responding (load balancing);
; - trigger alerts for the operating team (24/7).
; Note: The value must start with a leading slash (/). The value can be
; anything, but it may not be a good idea to use the .php extension or it
; may conflict with a real PHP file.
; Default Value: not set
;ping.path = /ping
; This directive may be used to customize the response of a ping request. The
; response is formatted as text/plain with a 200 response code.
; Default Value: pong
;ping.response = pong
; The access log file
; Default: not set
;access.log = log/$pool.access.log
; The access log format.
; The following syntax is allowed
; %%: the '%' character
; %C: %CPU used by the request
; it can accept the following format:
; - %{user}C for user CPU only
; - %{system}C for system CPU only
; - %{total}C for user + system CPU (default)
; %d: time taken to serve the request
; it can accept the following format:
; - %{seconds}d (default)
; - %{miliseconds}d
; - %{mili}d
; - %{microseconds}d
; - %{micro}d
; %e: an environment variable (same as $_ENV or $_SERVER)
; it must be associated with embraces to specify the name of the env
; variable. Some exemples:
; - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
; - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
; %f: script filename
; %l: content-length of the request (for POST request only)
; %m: request method
; %M: peak of memory allocated by PHP
; it can accept the following format:
; - %{bytes}M (default)
; - %{kilobytes}M
; - %{kilo}M
; - %{megabytes}M
; - %{mega}M
; %n: pool name
; %o: output header
; it must be associated with embraces to specify the name of the header:
; - %{Content-Type}o
; - %{X-Powered-By}o
; - %{Transfert-Encoding}o
; - ....
; %p: PID of the child that serviced the request
; %P: PID of the parent of the child that serviced the request
; %q: the query string
; %Q: the '?' character if query string exists
; %r: the request URI (without the query string, see %q and %Q)
; %R: remote IP address
; %s: status (response code)
; %t: server time the request was received
; it can accept a strftime(3) format:
; %d/%b/%Y:%H:%M:%S %z (default)
; The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
; %T: time the log has been written (the request has finished)
; it can accept a strftime(3) format:
; %d/%b/%Y:%H:%M:%S %z (default)
; The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
; e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
; %u: remote user
;
; Default: "%R - %u %t \"%m %r\" %s"
;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
; The log file for slow requests
; Default Value: not set
; Note: slowlog is mandatory if request_slowlog_timeout is set
;slowlog = log/$pool.log.slow
; The timeout for serving a single request after which a PHP backtrace will be
; dumped to the 'slowlog' file. A value of '0s' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_slowlog_timeout = 0
; Depth of slow log stack trace.
; Default Value: 20
;request_slowlog_trace_depth = 20
; The timeout for serving a single request after which the worker process will
; be killed. This option should be used when the 'max_execution_time' ini option
; does not stop script execution for some reason. A value of '0' means 'off'.
; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
; Default Value: 0
;request_terminate_timeout = 0
; The timeout set by 'request_terminate_timeout' ini option is not engaged after
; application calls 'fastcgi_finish_request' or when application has finished and
; shutdown functions are being called (registered via register_shutdown_function).
; This option will enable timeout limit to be applied unconditionally
; even in such cases.
; Default Value: no
;request_terminate_timeout_track_finished = no
; Set open file descriptor rlimit.
; Default Value: system defined value
;rlimit_files = 1024
; Set max core size rlimit.
; Possible Values: 'unlimited' or an integer greater or equal to 0
; Default Value: system defined value
;rlimit_core = 0
; Chroot to this directory at the start. This value must be defined as an
; absolute path. When this value is not set, chroot is not used.
; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
; of its subdirectories. If the pool prefix is not set, the global prefix
; will be used instead.
; Note: chrooting is a great security feature and should be used whenever
; possible. However, all PHP paths will be relative to the chroot
; (error_log, sessions.save_path, ...).
; Default Value: not set
;chroot =
; Chdir to this directory at the start.
; Note: relative path can be used.
; Default Value: current directory or / when chroot
;chdir = /var/www
; Redirect worker stdout and stderr into main error log. If not set, stdout and
; stderr will be redirected to /dev/null according to FastCGI specs.
; Note: on highloaded environement, this can cause some delay in the page
; process time (several ms).
; Default Value: no
;catch_workers_output = yes
; Decorate worker output with prefix and suffix containing information about
; the child that writes to the log and if stdout or stderr is used as well as
; log level and time. This options is used only if catch_workers_output is yes.
; Settings to "no" will output data as written to the stdout or stderr.
; Default value: yes
;decorate_workers_output = no
; Clear environment in FPM workers
; Prevents arbitrary environment variables from reaching FPM worker processes
; by clearing the environment in workers before env vars specified in this
; pool configuration are added.
; Setting to "no" will make all environment variables available to PHP code
; via getenv(), $_ENV and $_SERVER.
; Default Value: yes
;clear_env = no
; Limits the extensions of the main script FPM will allow to parse. This can
; prevent configuration mistakes on the web server side. You should only limit
; FPM to .php extensions to prevent malicious users to use other extensions to
; execute php code.
; Note: set an empty value to allow all extensions.
; Default Value: .php
;security.limit_extensions = .php .php3 .php4 .php5 .php7
; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
; the current environment.
; Default Value: clean env
;env[HOSTNAME] = $HOSTNAME
;env[PATH] = /usr/local/bin:/usr/bin:/bin
;env[TMP] = /tmp
;env[TMPDIR] = /tmp
;env[TEMP] = /tmp
; Additional php.ini defines, specific to this pool of workers. These settings
; overwrite the values previously defined in the php.ini. The directives are the
; same as the PHP SAPI:
; php_value/php_flag - you can set classic ini defines which can
; be overwritten from PHP call 'ini_set'.
; php_admin_value/php_admin_flag - these directives won't be overwritten by
; PHP call 'ini_set'
; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
; Defining 'extension' will load the corresponding shared extension from
; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
; overwrite previously defined php.ini values, but will append the new value
; instead.
; Note: path INI options can be relative and will be expanded with the prefix
; (pool, global or /usr)
; Default Value: nothing is defined by default except the values in php.ini and
; specified at startup with the -d argument
;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
;php_flag[display_errors] = off
;php_admin_value[error_log] = /var/log/fpm-php.www.log
;php_admin_flag[log_errors] = on
;php_admin_value[memory_limit] = 32M

68
_apps/grav/nginx.conf.yaml Normal file
View File

@@ -0,0 +1,68 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: grav-nginx-proxy-config
data:
nginx.conf: |-
user nginx;
worker_processes 1;
error_log /var/log/nginx/error.log warn;
pid /var/run/nginx.pid;
events {
worker_connections 64;
}
http {
include /etc/nginx/mime.types;
default_type application/octet-stream;
log_format main '$remote_addr - $remote_user [$time_local] "$request" '
'$status $body_bytes_sent "$http_referer" '
'"$http_user_agent" "$http_x_forwarded_for"';
access_log off;
#access_log /var/log/nginx/access.log main;
sendfile on;
keepalive_timeout 65;
server {
listen 80;
server_name _;
index index.html index.php;
root /var/www/grav;
## Begin - Index
# for subfolders, simply adjust:
# `location /subfolder {`
# and the rewrite to use `/subfolder/index.php`
location / {
try_files $uri $uri/ /index.php?$query_string;
}
## End - Index
## Begin - Security
# deny all direct access for these folders
location ~* /(\.git|cache|bin|logs|backup|tests)/.*$ { return 403; }
# deny running scripts inside core system folders
location ~* /(system|vendor)/.*\.(txt|xml|md|html|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
# deny running scripts inside user folder
location ~* /user/.*\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
# deny access to specific files in the root folder
location ~ /(LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess) { return 403; }
## End - Security
## Begin - PHP
location ~ \.php$ {
# Choose either a socket or TCP/IP address
fastcgi_pass 127.0.0.1:9000;
fastcgi_split_path_info ^(.+\.php)(/.+)$;
fastcgi_index index.php;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
}
## End - PHP
}
}

14
_apps/grav/supervisor.conf Normal file
View File

@@ -0,0 +1,14 @@
[supervisord]
nodaemon=true
[program:cron]
command=/usr/sbin/cron
killasgroup=true
stopasgroup=true
redirect_stderr=true
user=root
[program:php-fpm]
command=/usr/sbin/php-fpm7.4 --nodaemonize --force-stderr
user=www-data

2
_apps/mariadb/README.md Normal file
View File

@@ -0,0 +1,2 @@
Access Mysql POD:
kubectl exec -it <PODNAME> bash

101
_apps/mariadb/mariadb-deployment.yaml Normal file
View File

@@ -0,0 +1,101 @@
apiVersion: v1
kind: Service
metadata:
name: mariadb
spec:
ports:
- name: mysql
port: 3306
- name: metrics
port: 9104
selector:
app: mariadb
type: LoadBalancer
loadBalancerIP: 172.23.255.5
---
apiVersion: apps/v1 # for versions before 1.9.0 use apps/v1beta2
kind: Deployment
metadata:
name: mariadb
spec:
selector:
matchLabels:
app: mariadb
strategy:
type: Recreate
template:
metadata:
labels:
app: mariadb
spec:
containers:
- image: cr.lan/mariadb
name: mariadb
imagePullPolicy: Always
env:
# Use secret in real usage
- name: MYSQL_ROOT_PASSWORD
value: 54MzzfHHTA9qJX64Pvdn
ports:
- containerPort: 3306
name: mariadb
volumeMounts:
- name: mariadb-persistent-storage
mountPath: /var/lib/mysql
resources:
requests:
memory: "256Mi"
cpu: "250m"
limits:
memory: "1500Mi"
cpu: "2000m"
- image: cr.lan/mariadb-prometheus-exporter
name: mariadb-prometheus-exporter
imagePullPolicy: Always
ports:
- containerPort: 9104
name: metrics
resources:
requests:
memory: "24Mi"
cpu: "50m"
limits:
memory: "128Mi"
cpu: "100m"
volumes:
- name: mariadb-persistent-storage
persistentVolumeClaim:
claimName: mariadb-data
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: mariadb-data
spec:
storageClassName: nfs-ssd
volumeName: mariadb-data
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 40Gi
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: mariadb-data
spec:
storageClassName: "nfs-ssd"
nfs:
path: /data/raid1-ssd/k8s-data/mariadb-data
server: ebin01
capacity:
storage: 40Gi
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
persistentVolumeReclaimPolicy: Retain
claimRef:
kind: PersistentVolumeClaim
name: mariadb-data
namspace: live-env

15
_apps/mariadb/mariadb-prometheus/Dockerfile Normal file
View File

@@ -0,0 +1,15 @@
# vim:set ft=dockerfile:
FROM cr.lan/debian-stable
RUN set -ex; \
apt-get update; \
apt-get install -y --no-install-recommends \
prometheus-mysqld-exporter; \
apt-get clean -y; \
rm -rf /var/lib/apt/lists/*;
RUN set -ex; \
echo '[client]\nhost=localhost\nuser=prometheus\npassword=prom01\n' >/etc/prometheus-mysql-exporter
EXPOSE 9104
CMD ["prometheus-mysqld-exporter", "--config.my-cnf", "/etc/prometheus-mysql-exporter"]

107
_apps/mariadb/mariadb/Dockerfile Normal file
View File

@@ -0,0 +1,107 @@
# vim:set ft=dockerfile:
FROM cr.lan/debian-stable
# add our user and group first to make sure their IDs get assigned consistently, regardless of whatever dependencies get added
RUN groupadd -r mysql && useradd -r -g mysql mysql
# https://bugs.debian.org/830696 (apt uses gpgv by default in newer releases, rather than gpg)
RUN set -ex; \
sed -i 's@deb.debian.org@apt-cache.lan/deb.debian.org@g' /etc/apt/sources.list; \
sed -i 's@security.debian.org@apt-cache.lan/security.debian.org@g' /etc/apt/sources.list; \
apt-get update; \
if ! which gpg; then \
apt-get install -y --no-install-recommends gnupg; \
fi; \
if ! gpg --version | grep -q '^gpg (GnuPG) 1\.'; then \
# Ubuntu includes "gnupg" (not "gnupg2", but still 2.x), but not dirmngr, and gnupg 2.x requires dirmngr
# so, if we're not running gnupg 1.x, explicitly install dirmngr too
apt-get install -y --no-install-recommends dirmngr; \
fi; \
rm -rf /var/lib/apt/lists/*;
# add gosu for easy step-down from root
# https://github.com/tianon/gosu/releases
ENV GOSU_VERSION 1.12
RUN set -eux; \
savedAptMark="$(apt-mark showmanual)"; \
apt-get update; \
apt-get install -y --no-install-recommends ca-certificates wget; \
rm -rf /var/lib/apt/lists/*; \
dpkgArch="$(dpkg --print-architecture | awk -F- '{ print $NF }')"; \
wget -O /usr/local/bin/gosu "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch"; \
wget -O /usr/local/bin/gosu.asc "https://github.com/tianon/gosu/releases/download/$GOSU_VERSION/gosu-$dpkgArch.asc"; \
export GNUPGHOME="$(mktemp -d)"; \
gpg --batch --keyserver hkps://keys.openpgp.org --recv-keys B42F6819007F00F88E364FD4036A9C25BF357DD4; \
gpg --batch --verify /usr/local/bin/gosu.asc /usr/local/bin/gosu; \
gpgconf --kill all; \
rm -rf "$GNUPGHOME" /usr/local/bin/gosu.asc; \
apt-mark auto '.*' > /dev/null; \
[ -z "$savedAptMark" ] || apt-mark manual $savedAptMark > /dev/null; \
apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
chmod +x /usr/local/bin/gosu; \
gosu --version; \
gosu nobody true
RUN mkdir /docker-entrypoint-initdb.d
# install "pwgen" for randomizing passwords
# install "tzdata" for /usr/share/zoneinfo/
# install "xz-utils" for .sql.xz docker-entrypoint-initdb.d files
RUN set -ex; \
apt-get update; \
apt-get install -y --no-install-recommends \
pwgen \
tzdata \
xz-utils \
; \
rm -rf /var/lib/apt/lists/*
# bashbrew-architectures: amd64 arm64v8 ppc64le
#ENV MARIADB_MAJOR 10.3
#ENV MARIADB_VERSION 1:10.3.22-0+deb10u1
# release-status:RC
# (https://downloads.mariadb.org/mariadb/+releases/)
# add repository pinning to make sure dependencies from this MariaDB repo are preferred over Debian dependencies
# libmariadbclient18 : Depends: libmysqlclient18 (= 5.5.42+maria-1~wheezy) but 5.5.43-0+deb7u1 is to be installed
# the "/var/lib/mysql" stuff here is because the mysql-server postinst doesn't have an explicit way to disable the mysql_install_db codepath besides having a database already "configured" (ie, stuff in /var/lib/mysql/mysql)
# also, we set debconf keys to make APT a little quieter
RUN set -ex; \
{ \
echo "mariadb-server-$MARIADB_MAJOR" mysql-server/root_password password 'unused'; \
echo "mariadb-server-$MARIADB_MAJOR" mysql-server/root_password_again password 'unused'; \
} | debconf-set-selections; \
apt-get update; \
apt-get install -y \
"mariadb-server" \
# mariadb-backup is installed at the same time so that `mysql-common` is only installed once from just mariadb repos
mariadb-backup \
socat \
; \
rm -rf /var/lib/apt/lists/*; \
# comment out any "user" entires in the MySQL config ("docker-entrypoint.sh" or "--user" will handle user switching)
sed -ri 's/^user\s/#&/' /etc/mysql/my.cnf /etc/mysql/conf.d/*; \
echo '[mysqld]\ninnodb_use_native_aio = 0\ninnodb_file_per_table = 1\n' >>/etc/mysql/conf.d/innodb_aio.cnf; \
# purge and re-create /var/lib/mysql with appropriate ownership
rm -rf /var/lib/mysql; \
mkdir -p /var/lib/mysql /var/run/mysqld; \
chown -R mysql:mysql /var/lib/mysql /var/run/mysqld; \
# ensure that /var/run/mysqld (used for socket and lock files) is writable regardless of the UID our mysqld instance ends up having at runtime
chmod 777 /var/run/mysqld; \
# comment out a few problematic configuration values
find /etc/mysql/ -name '*.cnf' -print0 \
| xargs -0 grep -lZE '^(bind-address|log)' \
| xargs -rt -0 sed -Ei 's/^(bind-address|log)/#&/'; \
# don't reverse lookup hostnames, they are usually another container
echo '[mysqld]\nskip-host-cache\nskip-name-resolve' > /etc/mysql/conf.d/docker.cnf; \
mkdir -p /run/mysqld; \
apt-get clean -y;
VOLUME /var/lib/mysql
COPY docker-entrypoint.sh /usr/local/bin/
ENTRYPOINT ["docker-entrypoint.sh"]
EXPOSE 3306
CMD ["mysqld"]

346
_apps/mariadb/mariadb/docker-entrypoint.sh Executable file
View File

@@ -0,0 +1,346 @@
#!/bin/bash
set -eo pipefail
shopt -s nullglob
# logging functions
mysql_log() {
local type="$1"; shift
printf '%s [%s] [Entrypoint]: %s\n' "$(date --rfc-3339=seconds)" "$type" "$*"
}
mysql_note() {
mysql_log Note "$@"
}
mysql_warn() {
mysql_log Warn "$@" >&2
}
mysql_error() {
mysql_log ERROR "$@" >&2
exit 1
}
# usage: file_env VAR [DEFAULT]
# ie: file_env 'XYZ_DB_PASSWORD' 'example'
# (will allow for "$XYZ_DB_PASSWORD_FILE" to fill in the value of
# "$XYZ_DB_PASSWORD" from a file, especially for Docker's secrets feature)
file_env() {
local var="$1"
local fileVar="${var}_FILE"
local def="${2:-}"
if [ "${!var:-}" ] && [ "${!fileVar:-}" ]; then
mysql_error "Both $var and $fileVar are set (but are exclusive)"
fi
local val="$def"
if [ "${!var:-}" ]; then
val="${!var}"
elif [ "${!fileVar:-}" ]; then
val="$(< "${!fileVar}")"
fi
export "$var"="$val"
unset "$fileVar"
}
# check to see if this file is being run or sourced from another script
_is_sourced() {
# https://unix.stackexchange.com/a/215279
[ "${#FUNCNAME[@]}" -ge 2 ] \
&& [ "${FUNCNAME[0]}" = '_is_sourced' ] \
&& [ "${FUNCNAME[1]}" = 'source' ]
}
# usage: docker_process_init_files [file [file [...]]]
# ie: docker_process_init_files /always-initdb.d/*
# process initializer files, based on file extensions
docker_process_init_files() {
# mysql here for backwards compatibility "${mysql[@]}"
mysql=( docker_process_sql )
echo
local f
for f; do
case "$f" in
*.sh)
# https://github.com/docker-library/postgres/issues/450#issuecomment-393167936
# https://github.com/docker-library/postgres/pull/452
if [ -x "$f" ]; then
mysql_note "$0: running $f"
"$f"
else
mysql_note "$0: sourcing $f"
. "$f"
fi
;;
*.sql) mysql_note "$0: running $f"; docker_process_sql < "$f"; echo ;;
*.sql.gz) mysql_note "$0: running $f"; gunzip -c "$f" | docker_process_sql; echo ;;
*.sql.xz) mysql_note "$0: running $f"; xzcat "$f" | docker_process_sql; echo ;;
*) mysql_warn "$0: ignoring $f" ;;
esac
echo
done
}
mysql_check_config() {
local toRun=( "$@" --verbose --help --log-bin-index="$(mktemp -u)" ) errors
if ! errors="$("${toRun[@]}" 2>&1 >/dev/null)"; then
mysql_error $'mysqld failed while attempting to check config\n\tcommand was: '"${toRun[*]}"$'\n\t'"$errors"
fi
}
# Fetch value from server config
# We use mysqld --verbose --help instead of my_print_defaults because the
# latter only show values present in config files, and not server defaults
mysql_get_config() {
local conf="$1"; shift
"$@" --verbose --help --log-bin-index="$(mktemp -u)" 2>/dev/null \
| awk -v conf="$conf" '$1 == conf && /^[^ \t]/ { sub(/^[^ \t]+[ \t]+/, ""); print; exit }'
# match "datadir /some/path with/spaces in/it here" but not "--xyz=abc\n datadir (xyz)"
}
# Do a temporary startup of the MySQL server, for init purposes
docker_temp_server_start() {
"$@" --skip-networking --socket="${SOCKET}" &
mysql_note "Waiting for server startup"
local i
for i in {30..0}; do
# only use the root password if the database has already been initializaed
# so that it won't try to fill in a password file when it hasn't been set yet
extraArgs=()
if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
extraArgs+=( '--dont-use-mysql-root-password' )
fi
if docker_process_sql "${extraArgs[@]}" --database=mysql <<<'SELECT 1' &> /dev/null; then
break
fi
sleep 1
done
if [ "$i" = 0 ]; then
mysql_error "Unable to start server."
fi
}
# Stop the server. When using a local socket file mysqladmin will block until
# the shutdown is complete.
docker_temp_server_stop() {
if ! mysqladmin --defaults-extra-file=<( _mysql_passfile ) shutdown -uroot --socket="${SOCKET}"; then
mysql_error "Unable to shut down server."
fi
}
# Verify that the minimally required password settings are set for new databases.
docker_verify_minimum_env() {
if [ -z "$MYSQL_ROOT_PASSWORD" -a -z "$MYSQL_ALLOW_EMPTY_PASSWORD" -a -z "$MYSQL_RANDOM_ROOT_PASSWORD" ]; then
mysql_error $'Database is uninitialized and password option is not specified\n\tYou need to specify one of MYSQL_ROOT_PASSWORD, MYSQL_ALLOW_EMPTY_PASSWORD and MYSQL_RANDOM_ROOT_PASSWORD'
fi
}
# creates folders for the database
# also ensures permission for user mysql of run as root
docker_create_db_directories() {
local user; user="$(id -u)"
# TODO other directories that are used by default? like /var/lib/mysql-files
# see https://github.com/docker-library/mysql/issues/562
mkdir -p "$DATADIR"
if [ "$user" = "0" ]; then
# this will cause less disk access than `chown -R`
find "$DATADIR" \! -user mysql -exec chown mysql '{}' +
fi
}
# initializes the database directory
docker_init_database_dir() {
mysql_note "Initializing database files"
installArgs=( --datadir="$DATADIR" --rpm )
if { mysql_install_db --help || :; } | grep -q -- '--auth-root-authentication-method'; then
# beginning in 10.4.3, install_db uses "socket" which only allows system user root to connect, switch back to "normal" to allow mysql root without a password
# see https://github.com/MariaDB/server/commit/b9f3f06857ac6f9105dc65caae19782f09b47fb3
# (this flag doesn't exist in 10.0 and below)
installArgs+=( --auth-root-authentication-method=normal )
fi
# "Other options are passed to mysqld." (so we pass all "mysqld" arguments directly here)
mysql_install_db "${installArgs[@]}" "${@:2}"
mysql_note "Database files initialized"
}
# Loads various settings that are used elsewhere in the script
# This should be called after mysql_check_config, but before any other functions
docker_setup_env() {
# Get config
declare -g DATADIR SOCKET
DATADIR="$(mysql_get_config 'datadir' "$@")"
SOCKET="$(mysql_get_config 'socket' "$@")"
# Initialize values that might be stored in a file
file_env 'MYSQL_ROOT_HOST' '%'
file_env 'MYSQL_DATABASE'
file_env 'MYSQL_USER'
file_env 'MYSQL_PASSWORD'
file_env 'MYSQL_ROOT_PASSWORD'
declare -g DATABASE_ALREADY_EXISTS
if [ -d "$DATADIR/mysql" ]; then
DATABASE_ALREADY_EXISTS='true'
fi
}
# Execute sql script, passed via stdin
# usage: docker_process_sql [--dont-use-mysql-root-password] [mysql-cli-args]
# ie: docker_process_sql --database=mydb <<<'INSERT ...'
# ie: docker_process_sql --dont-use-mysql-root-password --database=mydb <my-file.sql
docker_process_sql() {
passfileArgs=()
if [ '--dont-use-mysql-root-password' = "$1" ]; then
passfileArgs+=( "$1" )
shift
fi
# args sent in can override this db, since they will be later in the command
if [ -n "$MYSQL_DATABASE" ]; then
set -- --database="$MYSQL_DATABASE" "$@"
fi
mysql --defaults-extra-file=<( _mysql_passfile "${passfileArgs[@]}") --protocol=socket -uroot -hlocalhost --socket="${SOCKET}" "$@"
}
# Initializes database with timezone info and root password, plus optional extra db/user
docker_setup_db() {
# Load timezone info into database
if [ -z "$MYSQL_INITDB_SKIP_TZINFO" ]; then
# sed is for https://bugs.mysql.com/bug.php?id=20545
mysql_tzinfo_to_sql /usr/share/zoneinfo \
| sed 's/Local time zone must be set--see zic manual page/FCTY/' \
| docker_process_sql --dont-use-mysql-root-password --database=mysql
# tell docker_process_sql to not use MYSQL_ROOT_PASSWORD since it is not set yet
fi
# Generate random root password
if [ -n "$MYSQL_RANDOM_ROOT_PASSWORD" ]; then
export MYSQL_ROOT_PASSWORD="$(pwgen -1 32)"
mysql_note "GENERATED ROOT PASSWORD: $MYSQL_ROOT_PASSWORD"
fi
# Sets root password and creates root users for non-localhost hosts
local rootCreate=
# default root to listen for connections from anywhere
if [ -n "$MYSQL_ROOT_HOST" ] && [ "$MYSQL_ROOT_HOST" != 'localhost' ]; then
# no, we don't care if read finds a terminating character in this heredoc
# https://unix.stackexchange.com/questions/265149/why-is-set-o-errexit-breaking-this-read-heredoc-expression/265151#265151
read -r -d '' rootCreate <<-EOSQL || true
CREATE USER 'root'@'${MYSQL_ROOT_HOST}' IDENTIFIED BY '${MYSQL_ROOT_PASSWORD}' ;
GRANT ALL ON *.* TO 'root'@'${MYSQL_ROOT_HOST}' WITH GRANT OPTION ;
EOSQL
fi
# tell docker_process_sql to not use MYSQL_ROOT_PASSWORD since it is just now being set
docker_process_sql --dont-use-mysql-root-password --database=mysql <<-EOSQL
-- What's done in this file shouldn't be replicated
-- or products like mysql-fabric won't work
SET @@SESSION.SQL_LOG_BIN=0;
DELETE FROM mysql.user WHERE user NOT IN ('mysql.sys', 'mariadb.sys', 'mysqlxsys', 'root') OR host NOT IN ('localhost') ;
SET PASSWORD FOR 'root'@'localhost'=PASSWORD('${MYSQL_ROOT_PASSWORD}') ;
-- 10.1: https://github.com/MariaDB/server/blob/d925aec1c10cebf6c34825a7de50afe4e630aff4/scripts/mysql_secure_installation.sh#L347-L365
-- 10.5: https://github.com/MariaDB/server/blob/00c3a28820c67c37ebbca72691f4897b57f2eed5/scripts/mysql_secure_installation.sh#L351-L369
DELETE FROM mysql.db WHERE Db='test' OR Db='test\_%' ;
GRANT ALL ON *.* TO 'root'@'localhost' WITH GRANT OPTION ;
FLUSH PRIVILEGES ;
${rootCreate}
DROP DATABASE IF EXISTS test ;
EOSQL
# Creates a custom database and user if specified
if [ -n "$MYSQL_DATABASE" ]; then
mysql_note "Creating database ${MYSQL_DATABASE}"
docker_process_sql --database=mysql <<<"CREATE DATABASE IF NOT EXISTS \`$MYSQL_DATABASE\` ;"
fi
if [ -n "$MYSQL_USER" ] && [ -n "$MYSQL_PASSWORD" ]; then
mysql_note "Creating user ${MYSQL_USER}"
docker_process_sql --database=mysql <<<"CREATE USER '$MYSQL_USER'@'%' IDENTIFIED BY '$MYSQL_PASSWORD' ;"
if [ -n "$MYSQL_DATABASE" ]; then
mysql_note "Giving user ${MYSQL_USER} access to schema ${MYSQL_DATABASE}"
docker_process_sql --database=mysql <<<"GRANT ALL ON \`${MYSQL_DATABASE//_/\\_}\`.* TO '$MYSQL_USER'@'%' ;"
fi
docker_process_sql --database=mysql <<<"FLUSH PRIVILEGES ;"
fi
}
_mysql_passfile() {
# echo the password to the "file" the client uses
# the client command will use process substitution to create a file on the fly
# ie: --defaults-extra-file=<( _mysql_passfile )
if [ '--dont-use-mysql-root-password' != "$1" ] && [ -n "$MYSQL_ROOT_PASSWORD" ]; then
cat <<-EOF
[client]
password="${MYSQL_ROOT_PASSWORD}"
EOF
fi
}
# check arguments for an option that would cause mysqld to stop
# return true if there is one
_mysql_want_help() {
local arg
for arg; do
case "$arg" in
-'?'|--help|--print-defaults|-V|--version)
return 0
;;
esac
done
return 1
}
_main() {
# if command starts with an option, prepend mysqld
if [ "${1:0:1}" = '-' ]; then
set -- mysqld "$@"
fi
# skip setup if they aren't running mysqld or want an option that stops mysqld
if [ "$1" = 'mysqld' ] && ! _mysql_want_help "$@"; then
mysql_note "Entrypoint script for MySQL Server ${MARIADB_VERSION} started."
mysql_check_config "$@"
# Load various environment variables
docker_setup_env "$@"
docker_create_db_directories
# If container is started as root user, restart as dedicated mysql user
if [ "$(id -u)" = "0" ]; then
mysql_note "Switching to dedicated user 'mysql'"
exec gosu mysql "$BASH_SOURCE" "$@"
fi
# there's no database, so it needs to be initialized
if [ -z "$DATABASE_ALREADY_EXISTS" ]; then
docker_verify_minimum_env
# check dir permissions to reduce likelihood of half-initialized database
ls /docker-entrypoint-initdb.d/ > /dev/null
docker_init_database_dir "$@"
mysql_note "Starting temporary server"
docker_temp_server_start "$@"
mysql_note "Temporary server started."
docker_setup_db
docker_process_init_files /docker-entrypoint-initdb.d/*
mysql_note "Stopping temporary server"
docker_temp_server_stop
mysql_note "Temporary server stopped"
echo
mysql_note "MySQL init process done. Ready for start up."
echo
fi
fi
exec "$@"
}
# If we are sourced from elsewhere, don't perform any further actions
if ! _is_sourced; then
_main "$@"
fi

23
_apps/mariadb/tekton-image-build-mariadb-prometheus-exporter.yaml Normal file
View File

@@ -0,0 +1,23 @@
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
name: img-mariadb-prometheus-node-exporter
spec:
pipelineRef:
name: kaniko-pipeline
params:
- name: git-url
value: http://git-ui.lan/chaos/kubernetes.git
- name: git-revision
value: master
- name: path-to-image-context
value: apps/mariadb/mariadb-prometheus
- name: path-to-dockerfile
value: apps/mariadb/mariadb-prometheus/Dockerfile
- name: image-name
value: cr.lan/mariadb-prometheus-node-exporter
workspaces:
- name: git-source
persistentVolumeClaim:
claimName: tektoncd-workspaces
subPath: tekton/mariadb-prometheus-node-exporter

23
_apps/mariadb/tekton-image-build-mariadb.yaml Normal file
View File

@@ -0,0 +1,23 @@
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
name: img-mariadb
spec:
pipelineRef:
name: kaniko-pipeline
params:
- name: git-url
value: http://git-ui.lan/chaos/kubernetes.git
- name: git-revision
value: master
- name: path-to-image-context
value: apps/mariadb/mariadb
- name: path-to-dockerfile
value: apps/mariadb/mariadb/Dockerfile
- name: image-name
value: cr.lan/mariadb
workspaces:
- name: git-source
persistentVolumeClaim:
claimName: tektoncd-workspaces
subPath: tekton/mariadb

19
_apps/mosquitto-prometheus-exporter/Dockerfile Normal file
View File

@@ -0,0 +1,19 @@
FROM cr.wks/debian-golang AS build
ENV GOARCH=arm64
ENV GOPATH=/usr/src/gopath
ENV GOCACHE=/usr/src/gocache
RUN go env
WORKDIR /usr/src
RUN go install github.com/sapcc/mosquitto-exporter@latest
#RUN go mod download
FROM cr.wks/debian-stable
LABEL source_repository="https://github.com/sapcc/mosquitto-exporter"
COPY --from=build /usr/src/gopath/bin/mosquitto-exporter /mosquitto-exporter
RUN chmod 0755 /mosquitto-exporter
EXPOSE 9234
ENTRYPOINT [ "/mosquitto-exporter" ]

16
_apps/mosquitto/Dockerfile Normal file
View File

@@ -0,0 +1,16 @@
FROM cr.wks/debian-stable
RUN apt-get update && \
apt-get install -y --no-install-recommends \
mosquitto procps && \
apt-get clean -y && \
rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
# Op port
EXPOSE 1883
ADD docker-entrypoint.sh /
ENTRYPOINT ["/docker-entrypoint.sh"]
CMD ["/usr/sbin/mosquitto", "-v", "-c", "/mosquitto/config/mosquitto.conf"]

145
_apps/mosquitto/deployment.yaml Normal file
View File

@@ -0,0 +1,145 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: mosquitto
release: mqtt
name: mqtt-mosquitto
spec:
replicas: 1
selector:
matchLabels:
app: mosquitto
release: mqtt
strategy:
type: Recreate
template:
metadata:
labels:
app: mosquitto
release: mqtt
spec:
containers:
- name: mqtt-mosquitto
image: cr.lan/mosquitto
imagePullPolicy: Always
livenessProbe:
failureThreshold: 3
initialDelaySeconds: 5
periodSeconds: 1
successThreshold: 1
tcpSocket:
port: 1883
timeoutSeconds: 1
ports:
- containerPort: 1883
name: mqtt
protocol: TCP
readinessProbe:
failureThreshold: 3
initialDelaySeconds: 5
periodSeconds: 3
successThreshold: 1
tcpSocket:
port: 1883
timeoutSeconds: 1
resources:
limits:
cpu: 100m
memory: 64Mi
requests:
cpu: 20m
memory: 24Mi
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /mosquitto/config/mosquitto.conf
name: mosquitto-conf
readOnly: true
subPath: mosquitto.conf
- mountPath: /mosquitto/data
name: mosquitto-data
subPath: mosquitto/data
- name: mosquitto-exporter
image: cr.lan/mosquitto-prometheus-exporter
args: ["--endpoint", "tcp://mqtt.lan:1883"]
imagePullPolicy: Always
ports:
- containerPort: 9234
name: mqtt-exporter
protocol: TCP
resources:
requests:
memory: "20Mi"
cpu: "100m"
limits:
memory: "64Mi"
cpu: "200m"
dnsPolicy: ClusterFirst
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
terminationGracePeriodSeconds: 30
volumes:
- configMap:
defaultMode: 420
name: mqtt-mosquitto
name: mosquitto-conf
- name: mosquitto-data
persistentVolumeClaim:
claimName: mqtt-mosquitto
---
apiVersion: v1
kind: Service
metadata:
labels:
app: mosquitto
release: mqtt
name: mqtt-mosquitto
spec:
externalTrafficPolicy: Cluster
loadBalancerIP: 172.23.255.3
ports:
- name: mqtt
port: 1883
protocol: TCP
targetPort: 1883
- name: mqtt-exporter
port: 9234
protocol: TCP
targetPort: 9234
selector:
app: mosquitto
type: LoadBalancer
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
labels:
app: mosquitto
release: mqtt
name: mqtt-mosquitto
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 2Gi
storageClassName: nfs-ssd
volumeMode: Filesystem
---
apiVersion: v1
kind: ConfigMap
metadata:
name: mqtt-mosquitto
labels:
app: mosquitto
release: mqtt
data:
mosquitto.conf: |-
log_dest none
user root
port 1883
persistence true
persistence_location /mosquitto/data/

5
_apps/mosquitto/docker-entrypoint.sh Executable file
View File

@@ -0,0 +1,5 @@
#!/bin/sh
set -e
exec "$@"

86
_apps/nextcloud/Dockerfile Normal file
View File

@@ -0,0 +1,86 @@
FROM nextcloud:24-fpm
#needed for some reason
ENV NEXTCLOUD_UPDATE=1
RUN sed -i 's@deb.debian.org@apt-cache.lan/deb.debian.org@g' /etc/apt/sources.list && \
sed -i 's@security.debian.org@apt-cache.lan/security.debian.org@g' /etc/apt/sources.list && \
apt-get update && apt-get install -y \
procps bash iputils-ping libmagickcore-6.q16-6-extra vim-tiny
RUN apt-get clean -y && \
rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
RUN touch /usr/src/nextcloud/data/.ocdata
COPY config.php /usr/src/nextcloud/config/
#COPY htaccess-data /usr/src/nextcloud/data/.htaccess
#COPY apache-default-vhost.conf /etc/apache2/sites-available/000-default.conf
RUN mv /usr/src/nextcloud/.htaccess /usr/src/nextcloud/.htaccess.bak
RUN mv /usr/src/nextcloud/config/.htaccess /usr/src/nextcloud/config/.htaccess.bak
#install ca.crt update script to the container
COPY post-start.sh /
RUN chmod +x /post-start.sh
#RUN set -ex; \
# \
# apt-get update; \
# apt-get install -y --no-install-recommends \
# ffmpeg \
# libmagickcore-6.q16-6-extra \
# procps \
# smbclient \
# supervisor \
## libreoffice \
# ; \
# rm -rf /var/lib/apt/lists/*
#
#RUN set -ex; \
# \
# savedAptMark="$(apt-mark showmanual)"; \
# \
# apt-get update; \
# apt-get install -y --no-install-recommends \
# libbz2-dev \
# libc-client-dev \
# libkrb5-dev \
# libsmbclient-dev \
# ; \
# \
# docker-php-ext-configure imap --with-kerberos --with-imap-ssl; \
# docker-php-ext-install \
# bz2 \
# imap \
# ; \
# pecl install smbclient; \
# docker-php-ext-enable smbclient; \
# \
## reset apt-mark's "manual" list so that "purge --auto-remove" will remove all build dependencies
# apt-mark auto '.*' > /dev/null; \
# apt-mark manual $savedAptMark; \
# ldd "$(php -r 'echo ini_get("extension_dir");')"/*.so \
# | awk '/=>/ { print $3 }' \
# | sort -u \
# | xargs -r dpkg-query -S \
# | cut -d: -f1 \
# | sort -u \
# | xargs -rt apt-mark manual; \
# \
# apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
# apt-get clean -y; \
# rm -rf /var/cache/apt/*; \
# rm -rf /var/lib/apt/lists/*
#
#RUN mkdir -p \
# /var/log/supervisord \
# /var/run/supervisord \
#;
#RUN chown www-data:www-data \
# /var/log/supervisord \
# /var/run/supervisord;
#
#COPY supervisord.conf /
#
#CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]

2
_apps/nextcloud/README.md Normal file
View File

@@ -0,0 +1,2 @@
# kubectl -n live-env create configmap nextcloud-config --from-file=config.php
# kubectl -n live-env create configmap nextcloud-nginx-site --from-file=nginx-site.configmap.conf

60
_apps/nextcloud/config.php Normal file
View File

@@ -0,0 +1,60 @@
<?php
//
// Manually deployed by yourself
//
$CONFIG = array(
'config_is_read_only' => false,
'htaccess.RewriteBase' => '/',
'memcache.local' => '\\OC\\Memcache\\APCu',
'apps_paths' => array(
0 => array(
'path' => '/var/www/html/apps',
'url' => '/apps',
'writable' => false
),
1 => array(
'path' => '/var/www/html/custom_apps',
'url' => '/custom_apps',
'writable' => true
)
),
'objectstore' => array(
'class' => '\\OC\\Files\\ObjectStore\\S3',
'arguments' => array(
'bucket' => 'nextcloud',
'key' => 'nextcloud',
'secret' => 'tWnc3zdxcDUvcX5f9uY7RRYvKLcWI1KY',
'region' => '',
'hostname' => 'minio.live-infra.svc.cluster.local',
'port' => '443',
'objectPrefix' => 'urn:oid:',
'autocreate' => false,
'use_ssl' => true,
'use_path_style' => true,
'legacy_auth' => false
)
),
'instanceid' => 'ocsxqijfvpf7',
'passwordsalt' => 'OTjmXJP0VKlw+OLja6wUxbHlZk4Txw',
'secret' => '0g94SdF7A2k/LHTKUM+8HwEDFgF1zz7I/sMauap02/d8G677',
'trusted_domains' => array(
0 => 'nc.lan'
),
'trusted_proxies' => array(
0 => '172.23.255.1',
1 => '127.0.0.1'
),
'datadirectory' => '/var/www/html/data',
'dbtype' => 'pgsql',
'version' => '24.0.0',
'overwrite.cli.url' => 'http://nc.lan',
'dbname' => 'nextcloud',
'dbhost' => 'postgres.live-env.svc.cluster.local:5432',
'dbport' => '',
'dbtableprefix' => 'oc_',
'dbuser' => 'nextcloud',
'dbpassword' => 'Vb7yHzmE5HIjfU4hf89aXAmEEmxAnMdB',
'installed' => true,
'default_phone_region' => 'DE',
'updater.release.channel' => 'stable',
);

140
_apps/nextcloud/deployment.yaml Normal file
View File

@@ -0,0 +1,140 @@
#we use postgresql:
#create database nextcloud;
#create user nextcloud with encrypted password 'secret';
#grant all privileges on database nextcloud to nextcloud;
apiVersion: apps/v1
kind: Deployment
metadata:
name: nextcloud
labels:
app: nextcloud
release: latest
spec:
replicas: 1
selector:
matchLabels:
app: nextcloud
release: latest
template:
metadata:
labels:
app: nextcloud
release: latest
spec:
volumes:
- name: nextcloud-nginx-site
configMap:
name: nextcloud-nginx-site
- name: nextcloud-config
configMap:
name: nextcloud-config
- name: www-data
emptyDir: {}
containers:
- name: nginx-proxy
image: nginx
volumeMounts:
- name: nextcloud-nginx-site
mountPath: /etc/nginx/conf.d
- name: www-data
mountPath: /var/www/html
ports:
- name: http
containerPort: 80
protocol: TCP
- name: nextcloud
image: cr.lan/nextcloud:latest
lifecycle:
postStart:
exec:
command:
- /post-start.sh
volumeMounts:
- name: www-data
mountPath: /var/www/html
#- name: nextcloud-config
# mountPath: /var/www/html/config/config.php
# subPath: config.php
env:
- name: TZ
value: "Europe/Berlin"
- name: POSTGRES_HOST
value: postgres.live-env.svc.cluster.local:5432
- name: POSTGRES_DB
value: nextcloud
- name: POSTGRES_USER
value: nextcloud
- name: POSTGRES_PASSWORD
value: Vb7yHzmE5HIjfU4hf89aXAmEEmxAnMdB
- name: NEXTCLOUD_TRUSTED_DOMAINS
value: nc nc.lan 172.23.255.1
- name: OBJECTSTORE_S3_HOST
value: minio.live-infra.svc.cluster.local
- name: OBJECTSTORE_S3_BUCKET
value: nextcloud
- name: OBJECTSTORE_S3_KEY
value: nextcloud
- name: OBJECTSTORE_S3_SECRET
value: tWnc3zdxcDUvcX5f9uY7RRYvKLcWI1KY
- name: OBJECTSTORE_S3_PORT
value: "443"
- name: OBJECTSTORE_S3_USEPATH_STYLE
value: "true"
- name: OBJECTSTORE_S3_SSL
value: "true"
ports:
- name: php-fpm
containerPort: 9000
protocol: TCP
# startupProbe:
# httpGet:
# path: /
# port: http
# livenessProbe:
# httpGet:
# path: /
# port: http
# readinessProbe:
# httpGet:
# path: /
# port: http
resources:
requests:
memory: "512Mi"
cpu: "250m"
limits:
memory: "768Mi"
cpu: "3000m"
---
apiVersion: v1
kind: Service
metadata:
name: nextcloud
spec:
ports:
- name: http
port: 80
selector:
app: nextcloud
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: nextcloud
annotations:
kubernetes.io/ingress.class: nginx
ingress.kubernetes.io/whitelist-x-forwarded-for: "true"
nginx.ingress.kubernetes.io/proxy-body-size: 512m
spec:
rules:
- host: nc.lan
http:
paths:
- backend:
service:
name: nextcloud
port:
name: http
path: /
pathType: Prefix

146
_apps/nextcloud/nginx-site.configmap.conf Normal file
View File

@@ -0,0 +1,146 @@
upstream php-handler {
server 127.0.0.1:9000;
#server unix:/var/run/php/php7.4-fpm.sock;
}
#server {
# listen 80;
# listen [::]:80;
# server_name cloud.example.com;
#
# # Enforce HTTPS
# return 301 https://$server_name$request_uri;
#}
server {
listen 80;
listen [::]:80;
server_name _;
# Use Mozilla's guidelines for SSL/TLS settings
# https://mozilla.github.io/server-side-tls/ssl-config-generator/
#ssl_certificate /etc/ssl/nginx/cloud.example.com.crt;
#ssl_certificate_key /etc/ssl/nginx/cloud.example.com.key;
# HSTS settings
# WARNING: Only add the preload option once you read about
# the consequences in https://hstspreload.org/. This option
# will add the domain to a hardcoded list that is shipped
# in all major browsers and getting removed from this list
# could take several months.
#add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
# set max upload size
client_max_body_size 512M;
fastcgi_buffers 64 4K;
# Enable gzip but do not remove ETag headers
gzip on;
gzip_vary on;
gzip_comp_level 4;
gzip_min_length 256;
gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
# Pagespeed is not supported by Nextcloud, so if your server is built
# with the `ngx_pagespeed` module, uncomment this line to disable it.
#pagespeed off;
# HTTP response headers borrowed from Nextcloud `.htaccess`
add_header Referrer-Policy "no-referrer" always;
add_header X-Content-Type-Options "nosniff" always;
add_header X-Download-Options "noopen" always;
add_header X-Frame-Options "SAMEORIGIN" always;
add_header X-Permitted-Cross-Domain-Policies "none" always;
add_header X-Robots-Tag "none" always;
add_header X-XSS-Protection "1; mode=block" always;
# Remove X-Powered-By, which is an information leak
fastcgi_hide_header X-Powered-By;
# Path to the root of your installation
root /var/www/html;
# Specify how to handle directories -- specifying `/index.php$request_uri`
# here as the fallback means that Nginx always exhibits the desired behaviour
# when a client requests a path that corresponds to a directory that exists
# on the server. In particular, if that directory contains an index.php file,
# that file is correctly served; if it doesn't, then the request is passed to
# the front-end controller. This consistent behaviour means that we don't need
# to specify custom rules for certain paths (e.g. images and other assets,
# `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
# `try_files $uri $uri/ /index.php$request_uri`
# always provides the desired behaviour.
index index.php index.html /index.php$request_uri;
# Rule borrowed from `.htaccess` to handle Microsoft DAV clients
location = / {
if ( $http_user_agent ~ ^DavClnt ) {
return 302 /remote.php/webdav/$is_args$args;
}
}
location = /robots.txt {
allow all;
log_not_found off;
access_log off;
}
# Make a regex exception for `/.well-known` so that clients can still
# access it despite the existence of the regex rule
# `location ~ /(\.|autotest|...)` which would otherwise handle requests
# for `/.well-known`.
location ^~ /.well-known {
# The following 6 rules are borrowed from `.htaccess`
location = /.well-known/carddav { return 301 /remote.php/dav/; }
location = /.well-known/caldav { return 301 /remote.php/dav/; }
# Anything else is dynamically handled by Nextcloud
location ^~ /.well-known { return 301 /index.php$uri; }
try_files $uri $uri/ =404;
}
# Rules borrowed from `.htaccess` to hide certain paths from clients
location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/) { return 404; }
location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console) { return 404; }
# Ensure this block, which passes PHP files to the PHP process, is above the blocks
# which handle static assets (as seen below). If this block is not declared first,
# then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
# to the URI, resulting in a HTTP 500 error response.
location ~ \.php(?:$|/) {
fastcgi_split_path_info ^(.+?\.php)(/.*)$;
set $path_info $fastcgi_path_info;
try_files $fastcgi_script_name =404;
include fastcgi_params;
fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
fastcgi_param PATH_INFO $path_info;
fastcgi_param HTTPS off;
fastcgi_param modHeadersAvailable true; # Avoid sending the security headers twice
fastcgi_param front_controller_active true; # Enable pretty urls
fastcgi_pass php-handler;
fastcgi_intercept_errors on;
fastcgi_request_buffering off;
}
location ~ \.(?:css|js|svg|gif)$ {
try_files $uri /index.php$request_uri;
expires 6M; # Cache-Control policy borrowed from `.htaccess`
access_log off; # Optional: Don't log access to assets
}
location ~ \.woff2?$ {
try_files $uri /index.php$request_uri;
expires 7d; # Cache-Control policy borrowed from `.htaccess`
access_log off; # Optional: Don't log access to assets
}
location / {
try_files $uri $uri/ /index.php$request_uri;
}
}

22
_apps/nextcloud/post-start.sh Executable file
View File

@@ -0,0 +1,22 @@
#!/bin/bash
ln -s /var/run/secrets/kubernetes.io/serviceaccount/ca.crt /usr/local/share/ca-certificates/
/usr/sbin/update-ca-certificates
#su - www-data --shell=/bin/bash --command="cd /var/www/html && php -d memory_limit=512M ./occ upgrade"
# reinstall/activate apps
#DIS_APP=( accessibility admin_audit contactsinteraction dashboard files_external
# files_rightclick firstrunwizard logreader nextcloud_announcements
# serverinfo sharebymail survey_client systemtags ser_ldap weather_status )
#
#EN_APP=( activity cloud_federation_api comments dav encryption federatedfilesharing
# federation files files_pdfviewer files_sharing files_trashbin files_videoplayer
# lookup_server_connector notes notifications oauth2 password_policy photos
# privacy provisioning_api recommendations settings support text theming
# twofactor_backupcodes updatenotification user_status viewer workflowengine
# files_versions timetracker tasks deck files_3d )
#
#for APP in ${DIS_APP[@]}; do echo "+${APP}+"; done
#echo "ENABLED"
#
#for APP in ${EN_APP[@]}; do echo "+${APP}+"; done

23
_apps/nextcloud/tekton.yaml Normal file
View File

@@ -0,0 +1,23 @@
apiVersion: tekton.dev/v1beta1
kind: PipelineRun
metadata:
name: img-nextcloud
spec:
pipelineRef:
name: kaniko-pipeline
params:
- name: git-url
value: http://git-ui.lan/chaos/kubernetes.git
- name: git-revision
value: master
- name: path-to-image-context
value: apps/nextcloud
- name: path-to-dockerfile
value: apps/nextcloud/Dockerfile
- name: image-name
value: cr.lan/nextcloud
workspaces:
- name: git-source
persistentVolumeClaim:
claimName: tektoncd-workspaces
subPath: tekton/nextcloud

86
_apps/nodered-deployment.yaml Normal file
View File

@@ -0,0 +1,86 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: node-red
labels:
app: node-red
spec:
replicas: 1
selector:
matchLabels:
app: node-red
strategy:
type: Recreate
template:
metadata:
labels:
app: node-red
spec:
containers:
- name: node-red
image: nodered/node-red:latest
ports:
- containerPort: 1880
protocol: TCP
volumeMounts:
- mountPath: /data
name: data
resources:
limits:
cpu: "1"
memory: "200Mi"
requests:
memory: "64Mi"
cpu: "50m"
volumes:
- name: data
persistentVolumeClaim:
claimName: node-red
---
apiVersion: v1
kind: Service
metadata:
name: node-red
labels:
app: node-redk8s
spec:
type: ClusterIP
ports:
- name: node-red
port: 1880
targetPort: 1880
protocol: TCP
selector:
app: node-red
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: node-red
annotations:
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/rewrite-target: /
spec:
rules:
- host: nodered.lan
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: node-red
port:
number: 1880
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: node-red
spec:
storageClassName: nfs-ssd-ebin01
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 4Gi

81
_apps/ntopng.yaml Normal file
View File

@@ -0,0 +1,81 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: ntopng
labels:
app: registry-ui
release: ntopng
app/version: "1.2.1"
spec:
replicas: 1
selector:
matchLabels:
app: registry-ui
release: ntopng
template:
metadata:
labels:
app: registry-ui
release: ntopng
spec:
containers:
- name: registry-ui
image: "docker-registry.lan/ntopng:arm64"
imagePullPolicy: Always
env:
- name: URL
value: "http://docker-registry.lan"
- name: REGISTRY_TITLE
value: "dReg"
- name: DELETE_IMAGES
value: "true"
- name: REGISTRY_URL
value: "http://ntopng.lan"
- name: PULL_URL
value: "http://docker-registry.lan"
ports:
- name: http
containerPort: 80
protocol: TCP
livenessProbe:
httpGet:
path: /
port: http
readinessProbe:
httpGet:
path: /
port: http
resources:
{}
---
apiVersion: v1
kind: Service
metadata:
name: ntopng
labels:
app: registry-ui
release: ntopng
app/version: "1.2.1"
spec:
ports:
- port: 80
targetPort: http
protocol: TCP
name: http
selector:
app: registry-ui
release: ntopng
---
apiVersion: networking.k8s.io/v1beta1
kind: Ingress
metadata:
name: ntopng
spec:
rules:
- host: ntopng.lan
http:
paths:
- backend:
serviceName: ntopng
servicePort: http
path: /

227
_apps/pihole-deployment.yaml Normal file
View File

@@ -0,0 +1,227 @@
---
apiVersion: v1
kind: Secret
metadata:
name: pihole-password
namespace: live-env
type: Opaque
data:
password: YWRtaW4yMDIw
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: pihole
name: pihole
spec:
replicas: 1
revisionHistoryLimit: 10
selector:
matchLabels:
app: pihole
strategy:
rollingUpdate:
maxSurge: 1
maxUnavailable: 1
type: RollingUpdate
template:
metadata:
annotations:
labels:
app: pihole
spec:
containers:
- env:
- name: TZ
value: Europe/Berlin
- name: WEB_PORT
value: "80"
- name: VIRTUAL_HOST
value: pihole.lan
- name: WEBPASSWORD
valueFrom:
secretKeyRef:
key: password
name: pihole-password
- name: DNS1
value: 208.67.222.222
- name: DNS2
value: 208.67.220.220
image: pihole/pihole:latest
imagePullPolicy: Always
livenessProbe:
failureThreshold: 10
httpGet:
path: /admin.index.php
port: http
scheme: HTTP
initialDelaySeconds: 60
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
name: pihole
ports:
- containerPort: 80
name: http
protocol: TCP
- containerPort: 53
name: dns
protocol: TCP
- containerPort: 53
name: dns-udp
protocol: UDP
- containerPort: 443
name: https
protocol: TCP
- containerPort: 67
name: client-udp
protocol: UDP
readinessProbe:
failureThreshold: 3
httpGet:
path: /admin.index.php
port: http
scheme: HTTP
initialDelaySeconds: 60
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
resources: {}
# limits:
# cpu: 100m
# memory: 256Mi
# requests:
# cpu: 50m
# memory: 100Mi
securityContext:
privileged: false
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /etc/pihole
name: config
- mountPath: /etc/dnsmasq.d/02-custom.conf
name: custom-dnsmasq
subPath: 02-custom.conf
- mountPath: /etc/addn-hosts
name: custom-dnsmasq
subPath: addn-hosts
dnsConfig:
nameservers:
- 208.67.222.222
- 208.67.220.220
dnsPolicy: None
restartPolicy: Always
schedulerName: default-scheduler
securityContext: {}
terminationGracePeriodSeconds: 30
volumes:
- name: config
persistentVolumeClaim:
claimName: pihole-data
- configMap:
defaultMode: 420
name: pihole-custom-dnsmasq
name: custom-dnsmasq
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: pihole
spec:
rules:
- host: pihole.lan
http:
paths:
- path: /
pathType: ImplementationSpecific
backend:
service:
name: pihole-tcp
port:
name: http
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: pihole-data
annotations:
volume.beta.kubernetes.io/storage-class: "nfs-ssd"
spec:
#storageClassName: csi-s3-slow
storageClassName: nfs-ssd
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
---
apiVersion: v1
data:
02-custom.conf: |
address=/chaos/192.168.10.1
kind: ConfigMap
metadata:
name: pihole-custom-dnsmasq
---
apiVersion: v1
kind: Service
metadata:
annotations:
kube-router.io/service.scheduler: sh
metallb.universe.tf/address-pool: default
metallb.universe.tf/allow-shared-ip: pihole-svc
labels:
app: pihole
name: pihole-tcp
namespace: live-env
spec:
type: LoadBalancer
loadBalancerIP: 172.23.255.253
externalTrafficPolicy: Cluster
ports:
- name: http
port: 80
protocol: TCP
targetPort: 80
- name: https
port: 443
protocol: TCP
targetPort: 80
- name: dns
port: 53
protocol: TCP
targetPort: 53
selector:
app: pihole
sessionAffinity: None
---
apiVersion: v1
kind: Service
metadata:
annotations:
kube-router.io/service.scheduler: sh
metallb.universe.tf/address-pool: default
metallb.universe.tf/allow-shared-ip: pihole-svc
labels:
app: pihole
name: pihole-udp
namespace: live-env
spec:
type: LoadBalancer
loadBalancerIP: 172.23.255.253
externalTrafficPolicy: Cluster
ports:
- name: dns-udp
port: 53
protocol: UDP
targetPort: 53
- name: client-udp
port: 67
protocol: UDP
targetPort: 67
selector:
app: pihole
sessionAffinity: None

9
_apps/piwigo/Dockerfile Normal file
View File

@@ -0,0 +1,9 @@
FROM cr.lan/debian-stable
#RUN echo 'Acquire::http::proxy "http://172.23.255.1:3142";' >/etc/apt/apt.conf.d/proxy
RUN apt-get update && apt-get install -y \
libwww-perl && \
apt-get clean -y && \
rm -rf /var/lib/apt/lists/* && \
rm -rf /var/cache/apt/* /tmp/* /var/tmp/*
COPY remote_sync.pl /

154
_apps/piwigo/deployment.yaml Normal file
View File

@@ -0,0 +1,154 @@
---
apiVersion: apps/v1 # for versions before 1.9.0 use apps/v1beta2
kind: Deployment
metadata:
name: piwigo
labels:
app: piwigo
spec:
selector:
matchLabels:
app: piwigo
strategy:
type: Recreate
template:
metadata:
labels:
app: piwigo
spec:
containers:
- image: linuxserver/piwigo:latest
name: piwigo
env:
# Use secret in real usage
- name: TZ
value: Europe/Berlin
livenessProbe:
failureThreshold: 10
httpGet:
path: /index.php
port: http
scheme: HTTP
initialDelaySeconds: 60
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 5
ports:
- containerPort: 80
name: http
- containerPort: 443
name: https
volumeMounts:
- name: piwigo-persistent-storage
mountPath: /config/www/gallery/galleries
- name: piwigo-config
mountPath: /config
resources:
requests:
memory: "256Mi"
cpu: "250m"
limits:
memory: "1500Mi"
cpu: "2000m"
volumes:
- name: piwigo-persistent-storage
persistentVolumeClaim:
claimName: piwigo-pv-claim
- name: piwigo-config
persistentVolumeClaim:
claimName: piwigo-config
---
apiVersion: v1
kind: Service
metadata:
name: piwigo
labels:
app: piwigo
spec:
ports:
- name: http
port: 80
- name: https
port: 443
selector:
app: piwigo
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: piwigo
labels:
app: piwigo
annotations:
kubernetes.io/ingress.class: nginx
spec:
rules:
- host: foto.lan
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: piwigo
port:
name: http
---
apiVersion: batch/v1beta1
kind: CronJob
metadata:
name: piwigo-quicksync
labels:
app: piwigo
spec:
schedule: '23 */1 * * *'
concurrencyPolicy: Forbid
jobTemplate:
spec:
template:
spec:
restartPolicy: Never
containers:
- name: piwigo-quicksync
image: docker-registry.lan/piwigo-sync:arm64
imagePullPolicy: Always
args:
- /remote_sync.pl
- --base_url=http://piwigo.default.svc.cluster.local/
- --username=api
- --password=D8Gt4P36q3457Yt
resources:
requests:
memory: "24Mi"
cpu: "20m"
limits:
memory: "100Mi"
cpu: "500m"
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: piwigo-pv-claim
labels:
app: piwigo
spec:
storageClassName: nfs-ssd
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 60Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: piwigo-config
labels:
app: piwigo
spec:
storageClassName: nfs-ssd
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 2Gi

59
_apps/piwigo/remote_sync.pl Executable file
View File

@@ -0,0 +1,59 @@
#!/usr/bin/perl
# perl remote_sync.pl --base_url=http://localhost/piwigo/dev/branches/2.0 --username=plg --password=plg
use strict;
use warnings;
use LWP::UserAgent;
use Getopt::Long;
my %opt = ();
GetOptions(
\%opt,
qw/
base_url=s
username=s
password=s
/
);
our $ua = LWP::UserAgent->new;
$ua->agent('Mozilla/remote_sync.pl');
$ua->cookie_jar({});
$ua->default_headers->authorization_basic(
$opt{username},
$opt{password}
);
my $form = {
method => 'pwg.session.login',
username => $opt{username},
password => $opt{password},
};
my $result = $ua->post(
$opt{base_url}.'/ws.php?format=json',
$form
);
# perform the synchronization
$form = {
'sync' => 'files',
'display_info' => 1,
'add_to_caddie' => 1,
'privacy_level' => 0,
'sync_meta' => 1, # remove this parameter, turning to 0 is not enough
'simulate' => 0,
'subcats-included' => 1,
'submit' => 1,
};
$result = $ua->post(
$opt{base_url}.'/admin.php?page=site_update&site=1',
$form
);
use Data::Dumper;
print Dumper($result);

128
_apps/postgresql-deploy.yaml Normal file
View File

@@ -0,0 +1,128 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: postgres
labels:
app: postgres
env: live
spec:
selector:
matchLabels:
app: postgres
env: live
serviceName: postgres-service
replicas: 1
template:
metadata:
labels:
app: postgres
env: live
spec:
containers:
- name: postgres-exporter
image: quay.io/prometheuscommunity/postgres-exporter
ports:
- containerPort: 9187
protocol: TCP
env:
- name: DATA_SOURCE_NAME
value: "postgresql://postgres:pg2020@localhost:5432/postgres?sslmode=disable"
#value: "port=5432 host=127.0.0.1"
- name: postgres
image: postgres:13
ports:
- containerPort: 5432
protocol: TCP
volumeMounts:
- name: postgres-disk
mountPath: /var/lib/postgresql/data
env:
- name: POSTGRES_PASSWORD
value: pg2020
- name: PGDATA
value: /var/lib/postgresql/data/pgdata
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app
operator: In
values:
- prometheus
- loki
topologyKey: kubernetes.io/hostname
# - name: prometheus-exporter
# image: wrouesnel/postgres_exporter
# env:
# - name: DATA_SOURCE_NAME
# value: postgresql://postgres:pg2020@localhost:5432/postgres?sslmode=disable
volumes:
- name: postgres-disk
persistentVolumeClaim:
claimName: postgres-data
# volumeClaimTemplates:
# - metadata:
# name: postgres-disk
# spec:
# accessModes:
# - ReadWriteOnce
# resources:
# requests:
# storage: 10Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: postgres-data
labels:
app: postgres
spec:
storageClassName: nfs-ssd
volumeName: postgres-data
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 40Gi
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: postgres-data
spec:
storageClassName: "nfs-ssd"
nfs:
path: /data/raid1-ssd/k8s-data/postgres-data
server: ebin01
capacity:
storage: 40Gi
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
persistentVolumeReclaimPolicy: Retain
claimRef:
kind: PersistentVolumeClaim
name: postgres-data
namespace: live-env
---
apiVersion: v1
kind: Service
metadata:
name: postgres
labels:
app: postgres
env: live
spec:
selector:
env: live
type: LoadBalancer
loadBalancerIP: 172.23.255.4
ports:
- name: postgres
port: 5432
targetPort: 5432
- name: exporter
port: 9187
targetPort: 9187

103
_apps/redis.yaml Normal file
View File

@@ -0,0 +1,103 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: redis-cm
namespace: live-env
data:
redis.conf: |-
bind * -::*
appendonly yes
maxmemory 5mb
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: redis-standalone
namespace: live-env
spec:
serviceName: redis-standalone
replicas: 1
selector:
matchLabels:
app: redis-standalone
template:
metadata:
labels:
app: redis-standalone
spec:
containers:
- name: redis-standalone
image: redis
command: ["redis-server"]
args: ["/usr/local/etc/redis/redis.conf"]
resources:
limits:
memory: "128Mi"
cpu: "50m"
ports:
- containerPort: 6379
volumeMounts:
- name: redis-standalone-pv
mountPath: /data
- name: config
mountPath: /usr/local/etc/redis
volumes:
- name: config
configMap:
name: redis-cm
- name: redis-standalone-pv
persistentVolumeClaim:
claimName: redis-standalone-pv
---
apiVersion: v1
kind: Service
metadata:
name: redis-standalone
labels:
app: redis-standalone
env: live-env
spec:
selector:
env: live-env
type: LoadBalancer
loadBalancerIP: 172.23.255.6
ports:
- name: redis-standalone
port: 6379
targetPort: 6379
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: redis-standalone-pv
labels:
app: redis-stndalone
spec:
storageClassName: nfs-ssd-ebin02
volumeName: redis-standalone-pv
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 100Mi
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: redis-standalone-pv
spec:
storageClassName: "nfs-ssd-ebin02"
nfs:
path: /data/raid1-ssd/k8s-data/redis-standalone-pv
server: ebin02
capacity:
storage: 100Mi
accessModes:
- ReadWriteOnce
volumeMode: Filesystem
persistentVolumeReclaimPolicy: Retain
claimRef:
kind: PersistentVolumeClaim
name: redis-standalone-pv
namespace: live-env

41
_apps/rompr/Dockerfile Normal file
View File

@@ -0,0 +1,41 @@
FROM cr.wks/debian-stable-php-fpm
ARG ROMPR_VERSION=2.14
# Install packages
ENV DEBIAN_FRONTEND=noninteractive
RUN apt-get update && \
apt-get -y install \
nginx \
curl \
unzip
# CLeanup
RUN apt-get autoremove --purge -y && \
apt-get clean -y && \
rm -rf /var/lib/apt/lists/* && \
rm -rf /var/cache/apt/* /tmp/* /var/tmp/* /var/log/*
RUN curl -k -L -o rompr.zip https://github.com/fatg3erman/RompR/releases/download/${ROMPR_VERSION}/rompr-${ROMPR_VERSION}.zip
RUN mkdir -p /app /rompr
RUN unzip -d /app rompr.zip && rm rompr.zip
RUN ln -sf /rompr/prefs /app/rompr/prefs; ln -sf /rompr/albumart /app/rompr/albumart;
RUN chown -R www-data:www-data /app/rompr /rompr
RUN pwd; ls -la .;ls -la /etc/php/*/fpm
ADD files/nginx_default /etc/nginx/sites-available/default
RUN mkdir -p /run/php/
#Environment variables to configure php
RUN sed -ri -e 's/^allow_url_fopen =.*/allow_url_fopen = On/g' /etc/php/8.2/fpm/php.ini && \
sed -ri -e 's/^memory_limit =.*/memory_limit = 128M/g' /etc/php/8.2/fpm/php.ini && \
sed -ri -e 's/^max_execution_time =.*/max_execution_time = 1800/g' /etc/php/8.2/fpm/php.ini && \
sed -ri -e 's/^post_max_size =.*/post_max_size = 256M/g' /etc/php/8.2/fpm/php.ini && \
sed -ri -e 's/^upload_max_filesize =.*/upload_max_filesize = 8M/g' /etc/php/8.2/fpm/php.ini && \
sed -ri -e 's/^max_file_uploads =.*/max_file_uploads = 50/g' /etc/php/8.2/fpm/php.ini && \
sed -ri -e 's/^display_errors =.*/display_errors = On/g' /etc/php/8.2/fpm/php.ini && \
sed -ri -e 's/^display_startup_errors =.*/display_startup_errors = On/g' /etc/php/8.2/fpm/php.ini
RUN echo "<?php phpinfo(); ?>" > /app/rompr/phpinfo.php
RUN update-rc.d php8.2-fpm defaults
ADD files/run-httpd /usr/local/bin/
RUN chmod 755 /usr/local/bin/run-httpd
EXPOSE 80
VOLUME ["/rompr"]
CMD ["/usr/local/bin/run-httpd"]

5
_apps/rompr/README.md Normal file
View File

@@ -0,0 +1,5 @@
Run with:
```podman run --pull=always -d --replace -p 127.0.0.1:8081:80 \
--mount=type=bind,source=/var/lib/rompr,destination=/rompr \
--tz=Europe/Berlin --name=rompr cr.wks/rompr:latest```

36
_apps/rompr/files/nginx_default Normal file
View File

@@ -0,0 +1,36 @@
# Default server configuration
#
server {
listen 80;
listen [::]:80;
root /app/rompr;
# Add index.php to the list if you are using PHP
index index.php index.html index.htm;
server_name _;
client_max_body_size 256M;
# This section can be copied into an existing default setup
location / {
allow all;
access_log off;
index index.php;
location ~ \.php {
try_files $uri index.php =404;
fastcgi_pass unix:/run/php/php8.2-fpm.sock;
fastcgi_index index.php;
fastcgi_param SCRIPT_FILENAME $request_filename;
include /etc/nginx/fastcgi_params;
fastcgi_read_timeout 1800;
}
error_page 404 = /rompr/404.php;
try_files $uri $uri/ =404;
location ~ /albumart/* {
expires -1s;
}
}
}

8
_apps/rompr/files/run-httpd Normal file
View File

@@ -0,0 +1,8 @@
#!/bin/sh
rm -f /var/run/nginx.pid
mkdir -p /var/log/nginx
set -e
mkdir -p /rompr/albumart /rompr/prefs
chown www-data:www-data -R /rompr/albumart /rompr/prefs
/etc/init.d/php8.2-fpm restart
exec /usr/sbin/nginx -g 'daemon off;'

50
_apps/smarthome/Containerfile Normal file
View File

@@ -0,0 +1,50 @@
FROM node:current-buster
# Set the commit of Zwave2Mqtt to checkout when cloning the repo
ENV Z2M_VERSION=9cc3740740b57f1e896139b5ffdb25be7576ad58
ENV DEBIAN_FRONTEND noninteractive
#setup local apt cache
#RUN sed -i 's@http://@http://apt-cache.lan/@g' /etc/apt/sources.list
#/apt-cache
# Install required dependencies
RUN apt update -y
RUN apt full-upgrade -y
# Packages we need
RUN apt install -y \
socat libopenzwave1.5 npm git
# Clone Zwave2Mqtt build pkg files and move them to /dist/pkg
RUN npm config set unsafe-perm true && npm install -g pkg
RUN cd /root \
&& git clone https://github.com/OpenZWave/Zwave2Mqtt.git \
&& cd Zwave2Mqtt \
&& git checkout ${Z2M_VERSION} \
&& npm install \
&& npm run build
# Clean up
RUN apt autoremove -y
RUN apt clean -y
RUN rm -rf /root/*
RUN apt-get clean -y
RUN rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
COPY --from=build /dist/lib/ /lib/
COPY --from=build /dist/pkg /usr/src/app
# supervisor base configuration
ADD supervisor.conf /etc/supervisor.conf
LABEL maintainer="zoide"
# Set enviroment
ENV LD_LIBRARY_PATH /lib
EXPOSE 8091
CMD ["supervisord", "-c", "/etc/supervisor.conf"]
#CMD ["/usr/src/app/zwave2mqtt"]

179
_apps/smarthome/home-assistant.yaml Normal file
View File

@@ -0,0 +1,179 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: hassio
labels:
app: hassio
release: latest
spec:
replicas: 1
selector:
matchLabels:
app: hassio
release: latest
template:
metadata:
labels:
app: hassio
release: latest
spec:
containers:
- name: hassio
image: homeassistant/home-assistant:latest
imagePullPolicy: Always
env:
- name: TZ
value: Europe/Berlin
volumeMounts:
- name: hassio-storage
mountPath: /config
ports:
- name: http
containerPort: 8123
protocol: TCP
livenessProbe:
httpGet:
path: /
port: http
initialDelaySeconds: 300
periodSeconds: 10
readinessProbe:
httpGet:
path: /
port: http
initialDelaySeconds: 120
periodSeconds: 5
resources:
requests:
memory: "200Mi"
cpu: "250m"
limits:
memory: "256Mi"
cpu: "500m"
- name: configurator
image: "causticlab/hass-configurator-docker:arm"
imagePullPolicy: Always
env:
- name: HC_HASS_API
value: http://127.0.0.1:8123/api/
- name: HC_HASS_API_PASSWORD
value: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJhMzBmYjU1ZjcyZGE0Yzc2YmU2NmY0NjljNTAyMjdjZCIsImlhdCI6MTYxMjg4MzI5NywiZXhwIjoxOTI4MjQzMjk3fQ.1ICsHliUXR0CG4H8vQRYJ5jVqFwmqKSB0fScSitC-Q4
ports:
- name: adm
containerPort: 3218
protocol: TCP
#livenessProbe:
# httpGet:
# path: /
# port: 3218
# initialDelaySeconds: 60
# periodSeconds: 3
#readinessProbe:
# httpGet:
# path: /
# port: 3218
# initialDelaySeconds: 60
# periodSeconds: 5
volumeMounts:
- name: hassio-storage
mountPath: /hass-config
- name: hassio-conf-storage
mountPath: /config
volumes:
- name: hassio-storage
persistentVolumeClaim:
claimName: hassio-storage
- name: hassio-conf-storage
persistentVolumeClaim:
claimName: hassio-configurator
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: hassio-storage
labels:
app: hassio
spec:
storageClassName: nfs-ssd
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 20Mi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: hassio-configurator
labels:
app: hassio
spec:
storageClassName: nfs-ssd
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 20Mi
---
apiVersion: v1
kind: Service
metadata:
name: hassio
labels:
app: hassio
release: latest
spec:
ports:
- port: 80
targetPort: http
protocol: TCP
name: http
selector:
app: hassio
release: latest
---
apiVersion: v1
kind: Service
metadata:
name: hassio-conf
labels:
app: hassio
release: latest
spec:
ports:
- port: 80
targetPort: adm
protocol: TCP
name: adm
selector:
app: hassio
release: latest
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: hassio
annotations:
kubernetes.io/ingress.class: nginx
spec:
rules:
- host: hassio.lan
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: hassio
port:
name: http
- host: hassio-conf.lan
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: hassio-conf
port:
name: adm

8
_apps/smarthome/socat/Containerfile Normal file
View File

@@ -0,0 +1,8 @@
FROM alpine:latest
ARG VERSION=1.7.3.2
RUN apk --no-cache add socat
#=${VERSION}
ENTRYPOINT ["socat"]

13
_apps/smarthome/supervisor.conf Normal file
View File

@@ -0,0 +1,13 @@
[supervisord]
nodaemon=true
[program:socat]
command=/usr/bin/socat -d -d -d pty,link=/dev/ttySER2NET0,raw,user=root,group=root,mode=660 tcp:auto:3333
killasgroup=true
stopasgroup=true
redirect_stderr=true
[program:zwave2mqtt]
directory=/usr/src/app
command=/usr/src/app/zwave2mqtt
redirect_stderr=true

120
_apps/smarthome/zwave2mqtt.yaml Normal file
View File

@@ -0,0 +1,120 @@
## FROM: https://github.com/OpenZWave/Zwave2Mqtt
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: zwave2mqtt
spec:
replicas: 1
selector:
matchLabels:
name: zwave2mqtt
template:
metadata:
labels:
name: zwave2mqtt
spec:
containers:
- name: zwave2mqtt
image: docker-registry.lan/zwave2mqtt:arm64
livenessProbe:
failureThreshold: 12
httpGet:
httpHeaders:
- name: Accept
value: text/plain
path: /
port: http
initialDelaySeconds: 30
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 2
ports:
- containerPort: 8091
name: http
protocol: TCP
resources:
limits:
cpu: '1'
memory: 512Mi
requests:
cpu: '1'
memory: 200Mi
securityContext:
allowPrivilegeEscalation: true
privileged: true
volumeMounts:
- mountPath: /usr/src/app/store
name: data
# - mountPath: /usr/local/etc/openzwave
# name: ozwdatabase
# - mountPath: /usr/src/app/store/settings.json <-- if putting your settings.json in a secret
# name: config
# readOnly: true
# subPath: settings.json
# nodeSelector:
# kubernetes.io/hostname: stick1 #<--- the name of your cluster node that the zwave usb stick in
# - name: socat
# image: docker-registry.lan/socat:arm64
# args:
# - pty,link=/dev/ttySER2NET0,raw,user=root,group=root,mode=660
# - tcp:auto:3333
# securityContext:
# allowPrivilegeEscalation: true
# privileged: true
volumes:
# - name: config <-- if putting your settings.json in a secret
# secret:
# defaultMode: 420
# secretName: zwave2mqtt
#- name: zwavestick
# hostPath:
# path: /dev/ttyACM0
# type: File
- name: data
persistentVolumeClaim:
claimName: zwave2mqtt-storage
# - name: ozwdatabase
# hostPath:
# path: /zwave2mqtt/database
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: zwave2mqtt-storage
labels:
app: zwave2mqtt
spec:
storageClassName: nfs-ssd
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 20Mi
---
apiVersion: extensions/v1beta1
kind: Ingress
metadata:
name: zwave2mqtt
spec:
rules:
- host: zwave.lan
http:
paths:
- backend:
serviceName: zwave2mqtt
servicePort: http
---
apiVersion: v1
kind: Service
metadata:
name: zwave2mqtt
spec:
ports:
- name: http
port: 80
targetPort: http
selector:
name: zwave2mqtt