rompr new

gitea with limits adapted
descheduler, still

.drone.jsonnet

@@ -0,0 +1,77 @@
+#local dirs = ['_CI-CD', 'apps'];
+local dirs = ['apps'];
+
+local packages = ['debian-stable', 'debian-stable-build-essential', 'debian-stable-openwrt', 
+                    'debian-golang', 'debian-stable-php-fpm', 'debian-testing'];
+#local packages = ['debian-stable-openwrt'];
+
+local apps = ['rompr', 'apt-cacher-ng', 'curl', 'mosquitto', 'mosquitto-prometheus-exporter'];
+#local apps = ['rompr'];
+
+local build(dir, package) = {
+  name: '%(package)s' % { package: package },
+  image: 'plugins/docker',
+  settings: {
+    context: '%(dir)s/%(package)s' % { dir: dir, package: package },
+    dockerfile: '%(dir)s/%(package)s/Dockerfile' % { dir: dir, package: package },
+    registry: 'http://cr.wks',
+    insecure: 'true',
+    purge: 'false',
+    experimental: 'true',
+    tags: ['latest'],
+    repo: 'cr.wks/%(package)s' % { package: package },
+    cache_from: 'cr.wks/%(package)s:latest' % { package: package },
+  },
+};
+[
+  {
+    kind: 'pipeline',
+    type: 'docker',
+    name: 'Build Changes',
+    platform: {
+      os: 'linux',
+      arch: 'arm64',
+    },
+    steps: [
+      {
+       name: 'git log',
+       image: 'cr.wks/debian-testing',
+       commands: [ 'bin/find_changes.sh', 'ls -la' ]
+       },
+     #  [
+     # build('_CI-CD', app)
+     # for app in packages
+     # ],
+     # [
+     #  build('apps', app)
+     # for app in apps
+     # ]
+    ],
+  },
+ #{
+ #   kind: 'pipeline',
+ #   type: 'docker',
+ #   name: '_CI-CD',
+ #   platform: {
+ #     os: 'linux',
+ #     arch: 'arm64',
+ #   },
+ #   steps: [
+ #     build('_CI-CD', pkg)
+ #     for pkg in packages
+ #   ],
+ # },
+  {
+    kind: 'pipeline',
+    type: 'docker',
+    name: 'apps',
+    platform: {
+      os: 'linux',
+      arch: 'arm64',
+    },
+    steps: [
+      build('apps', app)
+      for app in apps
+    ],
+  },
+]

.gitignore

@@ -1 +1 @@
-csi-s3/storage-csi-s3/cmd/s3driver/s3driver
+*.swp

.gitmodules

@@ -1,48 +0,0 @@
-[submodule "kube-prometheus"]
-	path = kube-prometheus
-	url = https://github.com/coreos/kube-prometheus.git
-[submodule "cluster-monitoring"]
-	path = cluster-monitoring
-	url = https://github.com/carlosedp/cluster-monitoring.git
-[submodule "gluster-kubernetes"]
-	path = gluster-kubernetes
-	url = https://github.com/jayflory/gluster-kubernetes.git
-[submodule "kubernetes-ingress"]
-	path = kubernetes-ingress
-	url = https://github.com/haproxytech/kubernetes-ingress.git
-[submodule "ingress-nginx"]
-	path = ingress-nginx
-	url = https://github.com/kubernetes/ingress-nginx.git
-[submodule "pihole-kubernetes"]
-	path = pihole-kubernetes
-	url = https://github.com/MoJo2600/pihole-kubernetes.git
-[submodule "pihole-helm"]
-	path = pihole-helm
-	url = https://github.com/ChrisPhillips-cminion/pihole-helm.git
-[submodule "helm"]
-	path = helm
-	url = https://github.com/helm/helm.git
-[submodule "docker-apt-cacher-ng"]
-	path = docker-apt-cacher-ng
-	url = https://github.com/sameersbn/docker-apt-cacher-ng.git
-[submodule "mosquitto/charts"]
-	path = mosquitto/charts
-	url = https://github.com/smizy/charts.git
-[submodule "external-storage"]
-	path = external-storage
-	url = https://github.com/kubernetes-incubator/external-storage.git
-[submodule "mosquitto-exporter"]
-	path = mosquitto-exporter
-	url = https://github.com/sapcc/mosquitto-exporter.git
-[submodule "csi-s3/storage-csi-s3"]
-	path = csi-s3/storage-csi-s3
-	url = https://github.com/ctrox/csi-s3.git
-[submodule "csi-s3/external-attacher"]
-	path = csi-s3/external-attacher
-	url = https://github.com/kubernetes-csi/external-attacher.git
-[submodule "csi-s3/external-provisioner"]
-	path = csi-s3/external-provisioner
-	url = https://github.com/kubernetes-csi/external-provisioner.git
-[submodule "csi-s3/node-driver-registrar"]
-	path = csi-s3/node-driver-registrar
-	url = https://github.com/kubernetes-csi/node-driver-registrar.git

.project

@@ -1,11 +1,23 @@
 <?xml version="1.0" encoding="UTF-8"?>
 <projectDescription>
-	<name>kubernetes</name>
+	<name>docker-images</name>
 	<comment></comment>
 	<projects>
 	</projects>
 	<buildSpec>
+		<buildCommand>
+			<name>org.eclipse.xtext.ui.shared.xtextBuilder</name>
+			<arguments>
+			</arguments>
+		</buildCommand>
+		<buildCommand>
+			<name>org.python.pydev.PyDevBuilder</name>
+			<arguments>
+			</arguments>
+		</buildCommand>
 	</buildSpec>
 	<natures>
+		<nature>org.python.pydev.pythonNature</nature>
+		<nature>org.eclipse.xtext.ui.shared.xtextNature</nature>
 	</natures>
 </projectDescription>

.pydevproject

@@ -0,0 +1,5 @@
+<?xml version="1.0" encoding="UTF-8" standalone="no"?>
+<?eclipse-pydev version="1.0"?><pydev_project>
+    <pydev_property name="org.python.pydev.PYTHON_PROJECT_INTERPRETER">Default</pydev_property>
+    <pydev_property name="org.python.pydev.PYTHON_PROJECT_VERSION">python interpreter</pydev_property>
+</pydev_project>

_CI-CD/debian-golang/Dockerfile

@@ -0,0 +1,11 @@
+FROM cr.wks/debian-stable
+
+RUN apt-get update && apt-get install -y \
+	golang make git
+	
+RUN	apt-get remove -y --purge man-db ;\
+	apt-get autoremove -y --purge ;\ 
+	apt-get clean -y ;\ 
+	rm -rf /var/lib/apt/lists/* ;\
+	rm -rf /var/cache/apt/*
+	

_CI-CD/debian-stable-build-essential/Dockerfile

@@ -0,0 +1,15 @@
+FROM cr.wks/debian-stable
+
+RUN apt-get update && apt-get install -y \
+	dnsutils procps nmap bash iputils-ping bash \
+			build-essential make ccache distcc-pump distcc g++ \
+			libncursesw5-dev
+
+RUN	apt-get remove -y --purge man-db ;\
+	apt-get autoremove -y --purge ;\ 
+	apt-get clean -y ;\ 
+	rm -rf /var/lib/apt/lists/* ;\
+	rm -rf /var/cache/apt/*
+	
+ADD docker-entrypoint.sh /
+ENTRYPOINT ["/docker-entrypoint.sh"]

_CI-CD/debian-stable-build-essential/docker-entrypoint.sh

@@ -0,0 +1,5 @@
+#!/bin/sh
+
+set -e
+
+exec "$@"

_CI-CD/debian-stable-openwrt/Dockerfile

@@ -0,0 +1,14 @@
+FROM cr.wks/debian-stable-build-essential
+
+RUN apt update -y; \
+        apt install -y build-essential ccache ecj fastjar file g++ gawk \
+              gettext git java-propose-classpath libelf-dev libncurses5-dev \
+              libncursesw5-dev libssl-dev python3 python3-dev unzip wget \
+              python3-distutils python3-setuptools rsync subversion swig time \
+              xsltproc zlib1g-dev make distcc distcc-pump nfs-common clang flex bison g++ gawk \
+              gcc-multilib-mips-linux-gnu git libncurses-dev libssl-dev  && \
+       apt-get remove --purge -y exim* && \
+	   apt-get autoremove --purge -y && \
+       apt-get clean -y && \                                                                                           
+       rm -rf /var/lib/apt/lists/* && \                                                                                
+       rm -rf /var/cache/apt/*

_CI-CD/debian-stable-php-fpm/Dockerfile

@@ -0,0 +1,21 @@
+FROM debian:stable AS baseimage
+
+ENV DEBIAN_FRONTEND noninteractive
+RUN apt-get update && apt-get install -y \
+	dnsutils procps nmap bash iputils-ping bash openssl \
+	php-fpm php-zip php-sqlite3 php-pgsql php-mysqli php-json php-readline \
+	php-xml php-intl php-xmlrpc php-imagick php-gd php-cli php-curl \
+	php-bz2 php-mbstring
+	
+#cleanup
+RUN	apt-get remove -y --purge man-db ;\
+	apt-get autoremove -y --purge ;\ 
+	apt-get clean -y ;\ 
+	rm -rf /var/lib/apt/lists/* ;\
+	rm -rf /var/cache/apt/*
+
+FROM baseimage as final
+
+ADD etc_php-fpm/www.conf /etc/php/8.4/fpm/pool.d
+ADD docker-entrypoint.sh /
+ENTRYPOINT ["/docker-entrypoint.sh"]

_CI-CD/debian-stable-php-fpm/docker-entrypoint.sh

@@ -0,0 +1,5 @@
+#!/bin/sh
+
+set -e
+
+exec "$@"

_CI-CD/debian-stable-php-fpm/etc_php-fpm/www.conf

@@ -0,0 +1,440 @@
+; Start a new pool named 'www'.
+; the variable $pool can be used in any directive and will be replaced by the
+; pool name ('www' here)
+[www]
+
+; Per pool prefix
+; It only applies on the following directives:
+; - 'access.log'
+; - 'slowlog'
+; - 'listen' (unixsocket)
+; - 'chroot'
+; - 'chdir'
+; - 'php_values'
+; - 'php_admin_values'
+; When not set, the global prefix (or /usr) applies instead.
+; Note: This directive can also be relative to the global prefix.
+; Default Value: none
+;prefix = /path/to/pools/$pool
+
+; Unix user/group of processes
+; Note: The user is mandatory. If the group is not set, the default user's group
+;       will be used.
+user = www-data
+group = www-data
+
+; The address on which to accept FastCGI requests.
+; Valid syntaxes are:
+;   'ip.add.re.ss:port'    - to listen on a TCP socket to a specific IPv4 address on
+;                            a specific port;
+;   '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
+;                            a specific port;
+;   'port'                 - to listen on a TCP socket to all addresses
+;                            (IPv6 and IPv4-mapped) on a specific port;
+;   '/path/to/unix/socket' - to listen on a unix socket.
+; Note: This value is mandatory.
+; listen = /run/php/php7.4-fpm.sock
+listen = 127.0.0.1:9000
+
+; Set listen(2) backlog.
+; Default Value: 511 (-1 on FreeBSD and OpenBSD)
+;listen.backlog = 511
+
+; Set permissions for unix socket, if one is used. In Linux, read/write
+; permissions must be set in order to allow connections from a web server. Many
+; BSD-derived systems allow connections regardless of permissions. The owner
+; and group can be specified either by name or by their numeric IDs.
+; Default Values: user and group are set as the running user
+;                 mode is set to 0660
+listen.owner = www-data
+listen.group = www-data
+;listen.mode = 0660
+; When POSIX Access Control Lists are supported you can set them using
+; these options, value is a comma separated list of user/group names.
+; When set, listen.owner and listen.group are ignored
+;listen.acl_users =
+;listen.acl_groups =
+
+; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
+; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
+; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
+; must be separated by a comma. If this value is left blank, connections will be
+; accepted from any ip address.
+; Default Value: any
+;listen.allowed_clients = 127.0.0.1
+
+; Specify the nice(2) priority to apply to the pool processes (only if set)
+; The value can vary from -19 (highest priority) to 20 (lower priority)
+; Note: - It will only work if the FPM master process is launched as root
+;       - The pool processes will inherit the master process priority
+;         unless it specified otherwise
+; Default Value: no set
+; process.priority = -19
+
+; Set the process dumpable flag (PR_SET_DUMPABLE prctl) even if the process user
+; or group is differrent than the master process user. It allows to create process
+; core dump and ptrace the process for the pool user.
+; Default Value: no
+; process.dumpable = yes
+
+; Choose how the process manager will control the number of child processes.
+; Possible Values:
+;   static  - a fixed number (pm.max_children) of child processes;
+;   dynamic - the number of child processes are set dynamically based on the
+;             following directives. With this process management, there will be
+;             always at least 1 children.
+;             pm.max_children      - the maximum number of children that can
+;                                    be alive at the same time.
+;             pm.start_servers     - the number of children created on startup.
+;             pm.min_spare_servers - the minimum number of children in 'idle'
+;                                    state (waiting to process). If the number
+;                                    of 'idle' processes is less than this
+;                                    number then some children will be created.
+;             pm.max_spare_servers - the maximum number of children in 'idle'
+;                                    state (waiting to process). If the number
+;                                    of 'idle' processes is greater than this
+;                                    number then some children will be killed.
+;  ondemand - no children are created at startup. Children will be forked when
+;             new requests will connect. The following parameter are used:
+;             pm.max_children           - the maximum number of children that
+;                                         can be alive at the same time.
+;             pm.process_idle_timeout   - The number of seconds after which
+;                                         an idle process will be killed.
+; Note: This value is mandatory.
+pm = dynamic
+
+; The number of child processes to be created when pm is set to 'static' and the
+; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
+; This value sets the limit on the number of simultaneous requests that will be
+; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
+; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
+; CGI. The below defaults are based on a server without much resources. Don't
+; forget to tweak pm.* to fit your needs.
+; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
+; Note: This value is mandatory.
+pm.max_children = 5
+
+; The number of child processes created on startup.
+; Note: Used only when pm is set to 'dynamic'
+; Default Value: (min_spare_servers + max_spare_servers) / 2
+pm.start_servers = 2
+
+; The desired minimum number of idle server processes.
+; Note: Used only when pm is set to 'dynamic'
+; Note: Mandatory when pm is set to 'dynamic'
+pm.min_spare_servers = 1
+
+; The desired maximum number of idle server processes.
+; Note: Used only when pm is set to 'dynamic'
+; Note: Mandatory when pm is set to 'dynamic'
+pm.max_spare_servers = 3
+
+; The number of seconds after which an idle process will be killed.
+; Note: Used only when pm is set to 'ondemand'
+; Default Value: 10s
+;pm.process_idle_timeout = 10s;
+
+; The number of requests each child process should execute before respawning.
+; This can be useful to work around memory leaks in 3rd party libraries. For
+; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
+; Default Value: 0
+;pm.max_requests = 500
+
+; The URI to view the FPM status page. If this value is not set, no URI will be
+; recognized as a status page. It shows the following informations:
+;   pool                 - the name of the pool;
+;   process manager      - static, dynamic or ondemand;
+;   start time           - the date and time FPM has started;
+;   start since          - number of seconds since FPM has started;
+;   accepted conn        - the number of request accepted by the pool;
+;   listen queue         - the number of request in the queue of pending
+;                          connections (see backlog in listen(2));
+;   max listen queue     - the maximum number of requests in the queue
+;                          of pending connections since FPM has started;
+;   listen queue len     - the size of the socket queue of pending connections;
+;   idle processes       - the number of idle processes;
+;   active processes     - the number of active processes;
+;   total processes      - the number of idle + active processes;
+;   max active processes - the maximum number of active processes since FPM
+;                          has started;
+;   max children reached - number of times, the process limit has been reached,
+;                          when pm tries to start more children (works only for
+;                          pm 'dynamic' and 'ondemand');
+; Value are updated in real time.
+; Example output:
+;   pool:                 www
+;   process manager:      static
+;   start time:           01/Jul/2011:17:53:49 +0200
+;   start since:          62636
+;   accepted conn:        190460
+;   listen queue:         0
+;   max listen queue:     1
+;   listen queue len:     42
+;   idle processes:       4
+;   active processes:     11
+;   total processes:      15
+;   max active processes: 12
+;   max children reached: 0
+;
+; By default the status page output is formatted as text/plain. Passing either
+; 'html', 'xml' or 'json' in the query string will return the corresponding
+; output syntax. Example:
+;   http://www.foo.bar/status
+;   http://www.foo.bar/status?json
+;   http://www.foo.bar/status?html
+;   http://www.foo.bar/status?xml
+;
+; By default the status page only outputs short status. Passing 'full' in the
+; query string will also return status for each pool process.
+; Example:
+;   http://www.foo.bar/status?full
+;   http://www.foo.bar/status?json&full
+;   http://www.foo.bar/status?html&full
+;   http://www.foo.bar/status?xml&full
+; The Full status returns for each process:
+;   pid                  - the PID of the process;
+;   state                - the state of the process (Idle, Running, ...);
+;   start time           - the date and time the process has started;
+;   start since          - the number of seconds since the process has started;
+;   requests             - the number of requests the process has served;
+;   request duration     - the duration in µs of the requests;
+;   request method       - the request method (GET, POST, ...);
+;   request URI          - the request URI with the query string;
+;   content length       - the content length of the request (only with POST);
+;   user                 - the user (PHP_AUTH_USER) (or '-' if not set);
+;   script               - the main script called (or '-' if not set);
+;   last request cpu     - the %cpu the last request consumed
+;                          it's always 0 if the process is not in Idle state
+;                          because CPU calculation is done when the request
+;                          processing has terminated;
+;   last request memory  - the max amount of memory the last request consumed
+;                          it's always 0 if the process is not in Idle state
+;                          because memory calculation is done when the request
+;                          processing has terminated;
+; If the process is in Idle state, then informations are related to the
+; last request the process has served. Otherwise informations are related to
+; the current request being served.
+; Example output:
+;   ************************
+;   pid:                  31330
+;   state:                Running
+;   start time:           01/Jul/2011:17:53:49 +0200
+;   start since:          63087
+;   requests:             12808
+;   request duration:     1250261
+;   request method:       GET
+;   request URI:          /test_mem.php?N=10000
+;   content length:       0
+;   user:                 -
+;   script:               /home/fat/web/docs/php/test_mem.php
+;   last request cpu:     0.00
+;   last request memory:  0
+;
+; Note: There is a real-time FPM status monitoring sample web page available
+;       It's available in: /usr/share/php/7.4/fpm/status.html
+;
+; Note: The value must start with a leading slash (/). The value can be
+;       anything, but it may not be a good idea to use the .php extension or it
+;       may conflict with a real PHP file.
+; Default Value: not set
+;pm.status_path = /status
+
+; The ping URI to call the monitoring page of FPM. If this value is not set, no
+; URI will be recognized as a ping page. This could be used to test from outside
+; that FPM is alive and responding, or to
+; - create a graph of FPM availability (rrd or such);
+; - remove a server from a group if it is not responding (load balancing);
+; - trigger alerts for the operating team (24/7).
+; Note: The value must start with a leading slash (/). The value can be
+;       anything, but it may not be a good idea to use the .php extension or it
+;       may conflict with a real PHP file.
+; Default Value: not set
+;ping.path = /ping
+
+; This directive may be used to customize the response of a ping request. The
+; response is formatted as text/plain with a 200 response code.
+; Default Value: pong
+;ping.response = pong
+
+; The access log file
+; Default: not set
+;access.log = log/$pool.access.log
+
+; The access log format.
+; The following syntax is allowed
+;  %%: the '%' character
+;  %C: %CPU used by the request
+;      it can accept the following format:
+;      - %{user}C for user CPU only
+;      - %{system}C for system CPU only
+;      - %{total}C  for user + system CPU (default)
+;  %d: time taken to serve the request
+;      it can accept the following format:
+;      - %{seconds}d (default)
+;      - %{miliseconds}d
+;      - %{mili}d
+;      - %{microseconds}d
+;      - %{micro}d
+;  %e: an environment variable (same as $_ENV or $_SERVER)
+;      it must be associated with embraces to specify the name of the env
+;      variable. Some exemples:
+;      - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
+;      - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
+;  %f: script filename
+;  %l: content-length of the request (for POST request only)
+;  %m: request method
+;  %M: peak of memory allocated by PHP
+;      it can accept the following format:
+;      - %{bytes}M (default)
+;      - %{kilobytes}M
+;      - %{kilo}M
+;      - %{megabytes}M
+;      - %{mega}M
+;  %n: pool name
+;  %o: output header
+;      it must be associated with embraces to specify the name of the header:
+;      - %{Content-Type}o
+;      - %{X-Powered-By}o
+;      - %{Transfert-Encoding}o
+;      - ....
+;  %p: PID of the child that serviced the request
+;  %P: PID of the parent of the child that serviced the request
+;  %q: the query string
+;  %Q: the '?' character if query string exists
+;  %r: the request URI (without the query string, see %q and %Q)
+;  %R: remote IP address
+;  %s: status (response code)
+;  %t: server time the request was received
+;      it can accept a strftime(3) format:
+;      %d/%b/%Y:%H:%M:%S %z (default)
+;      The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
+;      e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
+;  %T: time the log has been written (the request has finished)
+;      it can accept a strftime(3) format:
+;      %d/%b/%Y:%H:%M:%S %z (default)
+;      The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
+;      e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
+;  %u: remote user
+;
+; Default: "%R - %u %t \"%m %r\" %s"
+;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
+
+; The log file for slow requests
+; Default Value: not set
+; Note: slowlog is mandatory if request_slowlog_timeout is set
+;slowlog = log/$pool.log.slow
+
+; The timeout for serving a single request after which a PHP backtrace will be
+; dumped to the 'slowlog' file. A value of '0s' means 'off'.
+; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
+; Default Value: 0
+;request_slowlog_timeout = 0
+
+; Depth of slow log stack trace.
+; Default Value: 20
+;request_slowlog_trace_depth = 20
+
+; The timeout for serving a single request after which the worker process will
+; be killed. This option should be used when the 'max_execution_time' ini option
+; does not stop script execution for some reason. A value of '0' means 'off'.
+; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
+; Default Value: 0
+;request_terminate_timeout = 0
+
+; The timeout set by 'request_terminate_timeout' ini option is not engaged after
+; application calls 'fastcgi_finish_request' or when application has finished and
+; shutdown functions are being called (registered via register_shutdown_function).
+; This option will enable timeout limit to be applied unconditionally
+; even in such cases.
+; Default Value: no
+;request_terminate_timeout_track_finished = no
+
+; Set open file descriptor rlimit.
+; Default Value: system defined value
+;rlimit_files = 1024
+
+; Set max core size rlimit.
+; Possible Values: 'unlimited' or an integer greater or equal to 0
+; Default Value: system defined value
+;rlimit_core = 0
+
+; Chroot to this directory at the start. This value must be defined as an
+; absolute path. When this value is not set, chroot is not used.
+; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
+; of its subdirectories. If the pool prefix is not set, the global prefix
+; will be used instead.
+; Note: chrooting is a great security feature and should be used whenever
+;       possible. However, all PHP paths will be relative to the chroot
+;       (error_log, sessions.save_path, ...).
+; Default Value: not set
+;chroot =
+
+; Chdir to this directory at the start.
+; Note: relative path can be used.
+; Default Value: current directory or / when chroot
+;chdir = /var/www
+
+; Redirect worker stdout and stderr into main error log. If not set, stdout and
+; stderr will be redirected to /dev/null according to FastCGI specs.
+; Note: on highloaded environement, this can cause some delay in the page
+; process time (several ms).
+; Default Value: no
+;catch_workers_output = yes
+
+; Decorate worker output with prefix and suffix containing information about
+; the child that writes to the log and if stdout or stderr is used as well as
+; log level and time. This options is used only if catch_workers_output is yes.
+; Settings to "no" will output data as written to the stdout or stderr.
+; Default value: yes
+;decorate_workers_output = no
+
+; Clear environment in FPM workers
+; Prevents arbitrary environment variables from reaching FPM worker processes
+; by clearing the environment in workers before env vars specified in this
+; pool configuration are added.
+; Setting to "no" will make all environment variables available to PHP code
+; via getenv(), $_ENV and $_SERVER.
+; Default Value: yes
+;clear_env = no
+
+; Limits the extensions of the main script FPM will allow to parse. This can
+; prevent configuration mistakes on the web server side. You should only limit
+; FPM to .php extensions to prevent malicious users to use other extensions to
+; execute php code.
+; Note: set an empty value to allow all extensions.
+; Default Value: .php
+;security.limit_extensions = .php .php3 .php4 .php5 .php7
+
+; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
+; the current environment.
+; Default Value: clean env
+;env[HOSTNAME] = $HOSTNAME
+;env[PATH] = /usr/local/bin:/usr/bin:/bin
+;env[TMP] = /tmp
+;env[TMPDIR] = /tmp
+;env[TEMP] = /tmp
+
+; Additional php.ini defines, specific to this pool of workers. These settings
+; overwrite the values previously defined in the php.ini. The directives are the
+; same as the PHP SAPI:
+;   php_value/php_flag             - you can set classic ini defines which can
+;                                    be overwritten from PHP call 'ini_set'.
+;   php_admin_value/php_admin_flag - these directives won't be overwritten by
+;                                     PHP call 'ini_set'
+; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
+
+; Defining 'extension' will load the corresponding shared extension from
+; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
+; overwrite previously defined php.ini values, but will append the new value
+; instead.
+
+; Note: path INI options can be relative and will be expanded with the prefix
+; (pool, global or /usr)
+
+; Default Value: nothing is defined by default except the values in php.ini and
+;                specified at startup with the -d argument
+;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
+;php_flag[display_errors] = off
+;php_admin_value[error_log] = /var/log/fpm-php.www.log
+;php_admin_flag[log_errors] = on
+;php_admin_value[memory_limit] = 32M

_CI-CD/debian-stable/Dockerfile

@@ -0,0 +1,15 @@
+FROM debian:stable-slim
+
+RUN sed -i 's@deb.debian.org@apt-cache.service.nr5/deb.debian.org@g' /etc/apt/sources.list.d/debian.sources && \
+	sed -i 's@security.debian.org@apt-cache.service.nr5/security.debian.org@g' /etc/apt/sources.list.d/debian.sources
+	
+RUN	apt-get update && apt-get install -y \
+	man-db- \
+    dnsutils procps nmap bash iputils-ping bash git
+
+RUN	apt-get autoremove -y --purge ;\ 
+	apt-get clean -y ;\ 
+	rm -rf /var/lib/apt/lists/* ;\
+	rm -rf /var/cache/apt/*
+ADD docker-entrypoint.sh /
+ENTRYPOINT ["/docker-entrypoint.sh"]

_CI-CD/debian-stable/docker-entrypoint.sh

@@ -0,0 +1,5 @@
+#!/bin/sh
+
+set -e
+
+exec "$@"

_CI-CD/debian-testing/Dockerfile

@@ -0,0 +1,15 @@
+FROM debian:testing-slim
+
+RUN sed -i 's@deb.debian.org@apt-cache.service.nr5/deb.debian.org@g' /etc/apt/sources.list.d/debian.sources && \
+    sed -i 's@security.debian.org@apt-cache.service.nr5/security.debian.org@g' /etc/apt/sources.list.d/debian.sources
+
+RUN	apt-get update && apt-get install -y \
+	dnsutils procps nmap bash iputils-ping bash git
+
+RUN	apt-get autoremove -y --purge ;\ 
+	apt-get clean -y ;\ 
+	rm -rf /var/lib/apt/lists/* ;\
+	rm -rf /var/cache/apt/*
+	
+ADD docker-entrypoint.sh /
+ENTRYPOINT ["/docker-entrypoint.sh"]

_CI-CD/debian-testing/docker-entrypoint.sh

@@ -0,0 +1,5 @@
+#!/bin/sh
+
+set -e
+
+exec "$@"

_CI-CD/distcc/Dockerfile

@@ -0,0 +1,21 @@
+FROM cr.wks/debian-stable-build-essential
+
+RUN apt-get update && \
+  	apt-get install -y \
+    gcc-arm-linux-gnueabihf g++-arm-linux-gnueabihf \
+    dpkg-dev distcc ccache \
+    build-essential gcc cpp g++ clang llvm 
+	
+RUN	apt-get remove -y --purge man-db ;\
+	apt-get autoremove -y --purge ;\ 
+	apt-get clean -y ;\ 
+	rm -rf /var/lib/apt/lists/* ;\
+	rm -rf /var/cache/apt/*
+		
+# Op port
+EXPOSE 3632
+# Stats port
+EXPOSE 3633
+
+USER distccd
+ENTRYPOINT /usr/bin/distccd --no-detach --daemon --stats --log-level error --log-stderr $OPTIONS

_CI-CD/distcc/deployment.yaml

@@ -1,27 +1,25 @@
 apiVersion: apps/v1
-kind: Deployment
+kind: StatefulSet
 metadata:
   labels:
     app: distcc
-    release: buster
+    release: stable
   name: distcc
-  namespace: default
 spec:
-  replicas: 3
+  serviceName: distcc
+  replicas: 4
   selector:
     matchLabels:
       app: distcc
-  strategy:
-    type: RollingUpdate
   template:
     metadata:
       labels:
         app: distcc
-        release: buster
+        release: stable
     spec:
       containers:
       - name: distcc
-        image: docker-registry.lan/distcc:armhf
+        image: cr.lan/distcc
         imagePullPolicy: Always
 #env:
 #- name: OPTIONS
@@ -35,12 +33,11 @@ spec:
           protocol: TCP
         resources:
           limits:
-            cpu: 1
+            cpu: 4
             memory: 128Mi
           requests:
-            cpu: 1
+            cpu: 50m
             memory: 64Mi
-      dnsPolicy: ClusterFirst
       restartPolicy: Always
       schedulerName: default-scheduler
       securityContext: {}
@@ -61,11 +58,9 @@ kind: Service
 metadata:
   labels:
     app: distcc
-    release: buster
-  namespace: default
+    release: stable
   name: distcc
 spec:
-  externalTrafficPolicy: Cluster
   ports:
   - name: distcc-data
     port: 3632
@@ -77,4 +72,3 @@ spec:
     protocol: TCP
   selector:
     app: distcc
-  type: LoadBalancer

_sys/kube-router-accounts.yaml

@@ -1,53 +0,0 @@
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: kube-router
-  namespace: kube-system
----
-kind: ClusterRole
-apiVersion: rbac.authorization.k8s.io/v1beta1
-metadata:
-  name: kube-router
-rules:
-  - apiGroups:
-    - ""
-    resources:
-      - namespaces
-      - pods
-      - services
-      - nodes
-      - endpoints
-    verbs:
-      - list
-      - get
-      - watch
-  - apiGroups:
-    - "networking.k8s.io"
-    resources:
-      - networkpolicies
-    verbs:
-      - list
-      - get
-      - watch
-  - apiGroups:
-    - extensions
-    resources:
-      - networkpolicies
-    verbs:
-      - get
-      - list
-      - watch
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1beta1
-metadata:
-  name: kube-router
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: kube-router
-subjects:
-- kind: ServiceAccount
-  name: kube-router
-  namespace: kube-system

_sys/kube-router-all-service-daemonset.yaml

@@ -1,137 +0,0 @@
-#https://gist.github.com/jjo/8c616aaf795284bb5b85d02143745f63
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: kube-router-cfg
-  namespace: kube-system
-  labels:
-    tier: node
-    k8s-app: kube-router
-data:
-  cni-conf.json: |
-    {
-       "cniVersion":"0.3.0",
-       "name":"mynet",
-       "plugins":[
-          {
-             "name":"kubernetes",
-             "type":"bridge",
-             "bridge":"kube-bridge",
-             "isDefaultGateway":true,
-             "hairpinMode":true,
-             "ipam":{
-                "type":"host-local"
-             }
-          }
-       ]
-    }
----
-apiVersion: apps/v1
-kind: DaemonSet
-metadata:
-  name: kube-router
-  namespace: kube-system
-  labels:
-    k8s-app: kube-router
-spec:
-  selector:
-    matchLabels:
-      k8s-app: kube-router
-  template:
-    metadata:
-      labels:
-        k8s-app: kube-router
-    spec:
-      priorityClassName: system-node-critical
-      containers:
-      - name: kube-router
-        image: docker.io/cloudnativelabs/kube-router
-        args:
-          - "--run-router=true"
-          - "--run-firewall=true"
-          - "--run-service-proxy=true"
-          - "--bgp-graceful-restart=true"
-          - "--hairpin-mode=true"
-          - "--enable-cni=true"
-          - "--advertise-cluster-ip=true"
-          - "--advertise-external-ip=true"
-          - "--advertise-loadbalancer-ip=true"
-          - "--kubeconfig=/var/lib/kube-router/kubeconfig"
-            #- "--master=https://192.168.10.13:6443"
-        securityContext:
-          privileged: true
-        imagePullPolicy: Always
-        env:
-        - name: NODE_NAME
-          valueFrom:
-            fieldRef:
-              fieldPath: spec.nodeName
-        - name: KUBE_ROUTER_CNI_CONF_FILE
-          value: /etc/cni/net.d/10-kuberouter.conflist
-        livenessProbe:
-          httpGet:
-            path: /healthz
-            port: 20244
-          initialDelaySeconds: 10
-          periodSeconds: 3
-        volumeMounts:
-        - name: lib-modules
-          mountPath: /lib/modules
-          readOnly: true
-        - name: cni-conf-dir
-          mountPath: /etc/cni/net.d
-        - name: kubeconfig
-          mountPath: /var/lib/kube-router/kubeconfig
-          readOnly: true
-        - name: xtables-lock
-          mountPath: /run/xtables.lock
-          readOnly: false
-      initContainers:
-      - name: install-cni
-        image: docker.io/cloudnativelabs/kube-router
-        imagePullPolicy: Always
-        command:
-        - /bin/sh
-        - -c
-        - set -e -x;
-          if [ ! -f /etc/cni/net.d/10-kuberouter.conflist ]; then
-            if [ -f /etc/cni/net.d/*.conf ]; then
-              rm -f /etc/cni/net.d/*.conf;
-            fi;
-            TMP=/etc/cni/net.d/.tmp-kuberouter-cfg;
-            cp /etc/kube-router/cni-conf.json ${TMP};
-            mv ${TMP} /etc/cni/net.d/10-kuberouter.conflist;
-          fi
-        volumeMounts:
-        - name: cni-conf-dir
-          mountPath: /etc/cni/net.d
-        - name: kube-router-cfg
-          mountPath: /etc/kube-router
-      hostNetwork: true
-      serviceAccountName: kube-router
-      serviceAccount: kube-router
-      tolerations:
-      - effect: NoSchedule
-        operator: Exists
-      - key: CriticalAddonsOnly
-        operator: Exists
-      - effect: NoExecute
-        operator: Exists
-      volumes:
-      - name: lib-modules
-        hostPath:
-          path: /lib/modules
-      - name: cni-conf-dir
-        hostPath:
-          path: /etc/cni/net.d
-      - name: kube-router-cfg
-        configMap:
-          name: kube-router-cfg
-      - name: kubeconfig
-        hostPath:
-          path: /var/lib/kube-router/kubeconfig
-      - name: xtables-lock
-        hostPath:
-          path: /run/xtables.lock
-          type: FileOrCreate
-

_sys/metallb.yaml

@@ -1,12 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-        namespace: metallb-system
-        name: config
-data:
-        config: |
-          address-pools:
-          - name: default
-            protocol: layer2
-            addresses:
-            - 172.23.255.1-172.23.255.254 

apps/almond-cloud/Dockerfile

@@ -0,0 +1,37 @@
+FROM debian:stable
+ENV DEBIAN_FRONTEND noninteractive
+ARG DEVPKGS="git make cmake gcc g++ python-dev libsqlcipher-dev"
+
+RUN sed -i 's@deb.debian.org@apt-cache.lan/deb.debian.org@g' /etc/apt/sources.list && \
+	sed -i 's@security.debian.org@apt-cache.lan/security.debian.org@g' /etc/apt/sources.list && \
+	apt-get update && \
+  	apt-get -y install ${DEVPKGS} python3-pip python3-torch python3-dateutil python3-filelock python3-tqdm python3-pyparsing python3-joblib \ 
+  						python3-portalocker python3-click python3-packaging python3-regex python3-docopt python3-systemd \
+  						libsystemd-dev graphicsmagick zip unzip bubblewrap sqlcipher gettext nodejs npm && \
+    pip3 install tensorboardX && \
+  	pip3 install 'git+https://github.com/stanford-oval/genienlp@0969c6ea74376b20982c0c8bea9a4732547b15cb#egg=genienlp' && \
+  	git clone --depth=1 --branch v1.99.0 https://github.com/stanford-oval/almond-cloud.git /opt/almond-cloud 
+  						
+#setup
+RUN useradd -ms /bin/bash -r almond-cloud && id almond-cloud
+WORKDIR /opt/almond-cloud/
+RUN chown -R almond-cloud:almond-cloud /opt/almond-cloud && \ 
+  echo "build_from_source = true" > ~almond-cloud/.npmrc && \
+  echo "sqlite = external" >> ~almond-cloud/.npmrc && \
+  echo "sqlite_libname = sqlcipher" >> ~almond-cloud/.npmrc && \
+  echo "======== package.json ============="; cat package.json && \
+  su almond-cloud -c 'CPLUS_INCLUDE_PATH=/usr/include/sqlcipher npm install' && \
+  chown -R root:root /opt/almond-cloud  
+  
+COPY --chown=almond-cloud:almond-cloud start.sh /opt/almond-cloud/  
+
+# CLeanup	
+RUN	apt-get remove -y --purge ${DEVPKGS} && \
+	apt-get autoremove --purge -y && \
+	apt-get clean -y && \ 
+	rm -rf /var/lib/apt/lists/* && \
+	rm -rf /var/cache/apt/* /tmp/* /var/tmp/* /var/log/* /root/.cache
+	
+USER almond-cloud
+WORKDIR /home/almond-cloud
+ENTRYPOINT ["/opt/almond-cloud/start.sh"]

apps/almond-cloud/deployment.yaml

@@ -0,0 +1,67 @@
+---
+apiVersion: apps/v1 # for versions before 1.9.0 use apps/v1beta2
+kind: Deployment
+metadata:
+  name: almond-cloud
+spec:
+  selector:
+    matchLabels:
+      app: almond-cloud
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app: almond-cloud
+    spec:
+      containers:
+      - image: cr.lan/almond-cloud
+        name: almond-cloud
+        imagePullPolicy: Always
+        ports:
+        - containerPort: 80
+          name: http
+        volumeMounts:
+        - name: almond-cloud-data
+          mountPath: /home/almond-cloud
+      volumes:
+      - name: almond-cloud-data
+        persistentVolumeClaim:
+          claimName: almond-cloud-data
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: almond-cloud
+spec:
+  ports:
+  - name: http
+    port: 3000
+  selector:
+    app: almond-cloud
+---
+apiVersion: networking.k8s.io/v1beta1
+kind: Ingress
+metadata:
+  name: almond-cloud
+spec:
+  rules:
+  - host: almond.lan
+    http:
+      paths:
+      - backend:
+          serviceName: almond-cloud
+          servicePort: http
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: almond-cloud-data
+spec:
+  storageClassName: nfs-ssd-ebin01
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 6Gi
+      

apps/almond-cloud/start.sh

@@ -0,0 +1,3 @@
+#!/bin/bash
+NODE_MAX_OLD_SPACE_SIZE=${NODE_MAX_OLD_SPACE_SIZE:-500}
+exec node --max_old_space_size=${NODE_MAX_OLD_SPACE_SIZE} /opt/almond-cloud/main.js "$@"

apps/almond-cloud/tekton-image-build.yaml

@@ -0,0 +1,77 @@
+apiVersion: tekton.dev/v1alpha1
+kind: PipelineResource
+metadata:
+  name: chaos-kubernetes-git
+spec:
+  type: git
+  params:
+    - name: revision
+      value: master
+    - name: url
+      value: http://git-ui.lan/chaos/kubernetes.git
+    - name: submodules
+      value: "false"
+---
+apiVersion: tekton.dev/v1alpha1
+kind: PipelineResource
+metadata:
+  name: img-almond-cloud
+spec:
+  type: image
+  params:
+    - name: url
+      value: cr.lan/almond-cloud
+---
+apiVersion: tekton.dev/v1beta1
+kind: Task
+metadata:
+  name: build-almond-cloud
+spec:
+  params:
+    - name: pathToDockerFile
+      type: string
+      default: $(resources.inputs.source.path)/apps/almond-cloud/Dockerfile
+    - name: pathToContext
+      type: string
+      default: $(resources.inputs.source.path)/apps/almond-cloud
+  resources:
+    inputs:
+      - name: source
+        type: git
+    outputs:
+      - name: builtImage
+        type: image
+  steps:
+    - name: build-and-push
+      image: gcr.io/kaniko-project/executor:arm64
+      command:
+        - /kaniko/executor
+      args:
+        - --dockerfile=$(params.pathToDockerFile)
+        - --destination=$(resources.outputs.builtImage.url)
+        - --context=$(params.pathToContext)
+        - --snapshotMode=redo
+        - --skip-tls-verify
+---
+apiVersion: tekton.dev/v1beta1
+kind: TaskRun
+metadata:
+  name: img-almond-cloud-taskrun
+spec:
+  #serviceAccountName: dockerhub-service
+  taskRef:
+    name: build-almond-cloud
+  params:
+    - name: pathToDockerFile
+      value: Dockerfile
+  resources:
+    inputs:
+      - name: source
+        resourceRef:
+          name: chaos-kubernetes-git
+    outputs:
+      - name: builtImage
+        resourceRef:
+          name: img-almond-cloud
+          
+          

apps/apt-cacher-ng/Dockerfile

@@ -1,17 +1,12 @@
-FROM debian:stable-slim
+FROM cr.wks/debian-stable
 
-RUN echo 'Acquire::http::proxy "http://172.23.255.1:3142";' >/etc/apt/apt.conf.d/proxy
 RUN apt-get update && apt-get install -y \
-	apt-cacher-ng procps && \
+	apt-cacher-ng && \
 	apt-get clean -y && \ 
 	rm -rf /var/lib/apt/lists/* && \
 	rm -rf /var/cache/apt/*
 
 RUN echo 'PassThroughPattern: .*' >> /etc/apt-cacher-ng/acng.conf
 
-CMD chown apt-cacher-ng:apt-cacher-ng /var/cache/apt-cacher-ng
-EXPOSE      3142
-
-USER apt-cacher-ng
-#CMD     chmod 777 /var/cache/apt-cacher-ng && /etc/init.d/apt-cacher-ng start && tail -f /var/log/apt-cacher-ng/*
+EXPOSE 3142
 CMD /usr/sbin/apt-cacher-ng -c /etc/apt-cacher-ng pidfile=/var/run/apt-cacher-ng/pid SocketPath=/var/run/apt-cacher-ng/socket foreground=1

apps/apt-cacher-ng/live-deployment.yaml

@@ -18,7 +18,7 @@ spec:
     spec:
       containers:
         - name: apt-cacher-ng
-          image: docker-registry.lan/apt-cacher-ng:arm64
+          image: cr.lan/apt-cacher-ng:latest
           ports:
             - containerPort: 3142
               protocol: TCP
@@ -27,10 +27,10 @@ spec:
               name: data
           resources:
             requests:
-              memory: "24Mi"
+              memory: "64Mi"
               cpu: "50m"
             limits:
-              memory: "256Mi"
+              memory: "192Mi"
               cpu: "100m"
       volumes:
         - name: data
@@ -52,29 +52,54 @@ spec:
   selector:
     app: apt-cacher-ng
 ---
-apiVersion: networking.k8s.io/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
     name: apt-cacher-ng
+    annotations:
+      kubernetes.io/ingress.class: nginx
 spec:
     rules:
     - host: apt-cache.lan
       http:
           paths:
-          - backend:
-              serviceName: apt-cacher-ng
-              servicePort: 3142 
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+               name: apt-cacher-ng
+               port: 
+                 number: 3142
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
   name: apt-cacher-volume 
-  #annotations:
-  #  volume.beta.kubernetes.io/storage-class: "managed-nfs-storage"
 spec:
-  storageClassName: nfs-ssd 
+  storageClassName: nfs-ssd-ebin02
+  volumeName: apt-cacher-ng
   accessModes:
   - ReadWriteOnce
   resources:
     requests:
       storage: 40Gi
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: apt-cacher-ng
+spec:
+  storageClassName: "nfs-ssd-ebin02"
+  nfs:
+    path: /data/raid1-ssd/k8s-data/apt-cacher-ng
+    server: ebin02
+  capacity:
+    storage: 40Gi
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  persistentVolumeReclaimPolicy: Retain
+  claimRef:
+    kind: PersistentVolumeClaim
+    name: apt-cacher-volume
+    namespace: live-infra

apps/apt-cacher-ng/test-deployment.yaml

@@ -1,73 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: apt-cacher-ng-test
-  namespace: test
-  labels:
-    app: apt-cacher-ng-test
-spec:
-  replicas: 1
-  selector:
-      matchLabels:
-          app: apt-cacher-ng-test
-  strategy:
-      type: Recreate
-  template:
-    metadata:
-        labels:
-            app: apt-cacher-ng-test
-    spec:
-      containers:
-        - name: apt-cacher-ng-test
-          image: docker-registry.lan/apt-cacher-ng:arm64
-          imagePullPolicy: Always
-          ports:
-            - containerPort: 3142
-              protocol: TCP
-          volumeMounts:
-            - mountPath: /var/cache/apt-cacher-ng
-              name: data
-          resources:
-             requests: 
-                memory: 64Mi
-                cpu: 50m
-             limits:
-                memory: 128Mi
-                cpu: 100m
-      volumes:
-        - name: data
-          persistentVolumeClaim:
-              claimName: apt-cacher-volume-test
-              #---
-              #apiVersion: v1
-              #kind: Service 
-              #metadata:
-              #  name: apt-cacher-ng
-              #  labels:
-              #    app: apt-cacher-ng
-              #spec:
-              #  type: LoadBalancer
-              #  loadBalancerIP: 172.23.255.1
-              #  ports:
-              #    - name: apt-cacher-ng
-              #      port: 3142
-              #      targetPort: 3142
-              #      protocol: TCP
-              #  selector:
-              #    app: apt-cacher-ng
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: apt-cacher-volume-test 
-  namespace: test
-  #annotations:
-  #  volume.beta.kubernetes.io/storage-class: "managed-nfs-storage"
-spec:
-  storageClassName: csi-s3-slow
-    #storageClassName: fast
-  accessModes:
-  - ReadWriteOnce
-  resources:
-    requests:
-      storage: 40Gi

apps/argo-install.yaml

@@ -1,464 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: argo
----
-# This is an auto-generated file. DO NOT EDIT
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: clusterworkflowtemplates.argoproj.io
-spec:
-  group: argoproj.io
-  names:
-    kind: ClusterWorkflowTemplate
-    listKind: ClusterWorkflowTemplateList
-    plural: clusterworkflowtemplates
-    shortNames:
-    - clusterwftmpl
-    - cwft
-    singular: clusterworkflowtemplate
-  scope: Cluster
-  version: v1alpha1
-  versions:
-  - name: v1alpha1
-    served: true
-    storage: true
----
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: cronworkflows.argoproj.io
-spec:
-  group: argoproj.io
-  names:
-    kind: CronWorkflow
-    listKind: CronWorkflowList
-    plural: cronworkflows
-    shortNames:
-    - cwf
-    - cronwf
-    singular: cronworkflow
-  scope: Namespaced
-  version: v1alpha1
-  versions:
-  - name: v1alpha1
-    served: true
-    storage: true
----
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: workflows.argoproj.io
-spec:
-  additionalPrinterColumns:
-  - JSONPath: .status.phase
-    description: Status of the workflow
-    name: Status
-    type: string
-  - JSONPath: .status.startedAt
-    description: When the workflow was started
-    format: date-time
-    name: Age
-    type: date
-  group: argoproj.io
-  names:
-    kind: Workflow
-    listKind: WorkflowList
-    plural: workflows
-    shortNames:
-    - wf
-    singular: workflow
-  scope: Namespaced
-  subresources: {}
-  version: v1alpha1
-  versions:
-  - name: v1alpha1
-    served: true
-    storage: true
----
-apiVersion: apiextensions.k8s.io/v1beta1
-kind: CustomResourceDefinition
-metadata:
-  name: workflowtemplates.argoproj.io
-spec:
-  group: argoproj.io
-  names:
-    kind: WorkflowTemplate
-    listKind: WorkflowTemplateList
-    plural: workflowtemplates
-    shortNames:
-    - wftmpl
-    singular: workflowtemplate
-  scope: Namespaced
-  version: v1alpha1
-  versions:
-  - name: v1alpha1
-    served: true
-    storage: true
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: argo
----
-apiVersion: v1
-kind: ServiceAccount
-metadata:
-  name: argo-server
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: Role
-metadata:
-  name: argo-role
-rules:
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - get
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  labels:
-    rbac.authorization.k8s.io/aggregate-to-admin: "true"
-  name: argo-aggregate-to-admin
-rules:
-- apiGroups:
-  - argoproj.io
-  resources:
-  - workflows
-  - workflows/finalizers
-  - workflowtemplates
-  - workflowtemplates/finalizers
-  - cronworkflows
-  - cronworkflows/finalizers
-  - clusterworkflowtemplates
-  - clusterworkflowtemplates/finalizers
-  verbs:
-  - create
-  - delete
-  - deletecollection
-  - get
-  - list
-  - patch
-  - update
-  - watch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  labels:
-    rbac.authorization.k8s.io/aggregate-to-edit: "true"
-  name: argo-aggregate-to-edit
-rules:
-- apiGroups:
-  - argoproj.io
-  resources:
-  - workflows
-  - workflows/finalizers
-  - workflowtemplates
-  - workflowtemplates/finalizers
-  - cronworkflows
-  - cronworkflows/finalizers
-  - clusterworkflowtemplates
-  - clusterworkflowtemplates/finalizers
-  verbs:
-  - create
-  - delete
-  - deletecollection
-  - get
-  - list
-  - patch
-  - update
-  - watch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  labels:
-    rbac.authorization.k8s.io/aggregate-to-view: "true"
-  name: argo-aggregate-to-view
-rules:
-- apiGroups:
-  - argoproj.io
-  resources:
-  - workflows
-  - workflows/finalizers
-  - workflowtemplates
-  - workflowtemplates/finalizers
-  - cronworkflows
-  - cronworkflows/finalizers
-  - clusterworkflowtemplates
-  - clusterworkflowtemplates/finalizers
-  verbs:
-  - get
-  - list
-  - watch
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: argo-cluster-role
-rules:
-- apiGroups:
-  - ""
-  resources:
-  - pods
-  - pods/exec
-  verbs:
-  - create
-  - get
-  - list
-  - watch
-  - update
-  - patch
-  - delete
-- apiGroups:
-  - ""
-  resources:
-  - configmaps
-  verbs:
-  - get
-  - watch
-  - list
-- apiGroups:
-  - ""
-  resources:
-  - persistentvolumeclaims
-  verbs:
-  - create
-  - delete
-- apiGroups:
-  - argoproj.io
-  resources:
-  - workflows
-  - workflows/finalizers
-  verbs:
-  - get
-  - list
-  - watch
-  - update
-  - patch
-  - delete
-  - create
-- apiGroups:
-  - argoproj.io
-  resources:
-  - workflowtemplates
-  - workflowtemplates/finalizers
-  - clusterworkflowtemplates
-  - clusterworkflowtemplates/finalizers
-  verbs:
-  - get
-  - list
-  - watch
-- apiGroups:
-  - ""
-  resources:
-  - serviceaccounts
-  verbs:
-  - get
-  - list
-- apiGroups:
-  - argoproj.io
-  resources:
-  - cronworkflows
-  - cronworkflows/finalizers
-  verbs:
-  - get
-  - list
-  - watch
-  - update
-  - patch
-  - delete
-- apiGroups:
-  - ""
-  resources:
-  - events
-  verbs:
-  - create
-  - patch
-- apiGroups:
-  - policy
-  resources:
-  - poddisruptionbudgets
-  verbs:
-  - create
-  - get
-  - delete
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRole
-metadata:
-  name: argo-server-cluster-role
-rules:
-- apiGroups:
-  - ""
-  resources:
-  - configmaps
-  verbs:
-  - get
-  - watch
-  - list
-- apiGroups:
-  - ""
-  resources:
-  - secrets
-  verbs:
-  - get
-- apiGroups:
-  - ""
-  resources:
-  - pods
-  - pods/exec
-  - pods/log
-  verbs:
-  - get
-  - list
-  - watch
-  - delete
-- apiGroups:
-  - argoproj.io
-  resources:
-  - workflows
-  - workflowtemplates
-  - cronworkflows
-  - clusterworkflowtemplates
-  verbs:
-  - create
-  - get
-  - list
-  - watch
-  - update
-  - patch
-  - delete
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: RoleBinding
-metadata:
-  name: argo-binding
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: Role
-  name: argo-role
-subjects:
-- kind: ServiceAccount
-  name: argo
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: argo-binding
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: argo-cluster-role
-subjects:
-- kind: ServiceAccount
-  name: argo
-  namespace: argo
----
-apiVersion: rbac.authorization.k8s.io/v1
-kind: ClusterRoleBinding
-metadata:
-  name: argo-server-binding
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: argo-server-cluster-role
-subjects:
-- kind: ServiceAccount
-  name: argo-server
-  namespace: argo
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: workflow-controller-configmap
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: argo-server
-spec:
-  ports:
-  - name: web
-    port: 2746
-    targetPort: 2746
-  selector:
-    app: argo-server
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: workflow-controller-metrics
-spec:
-  ports:
-  - name: metrics
-    port: 9090
-    protocol: TCP
-    targetPort: 9090
-  selector:
-    app: workflow-controller
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: argo-server
-spec:
-  selector:
-    matchLabels:
-      app: argo-server
-  template:
-    metadata:
-      labels:
-        app: argo-server
-    spec:
-      containers:
-      - args:
-        - server
-        image: argoproj/argocli:latest
-        name: argo-server
-        ports:
-        - containerPort: 2746
-          name: web
-        readinessProbe:
-          httpGet:
-            path: /
-            port: 2746
-            scheme: HTTP
-          initialDelaySeconds: 10
-          periodSeconds: 20
-      nodeSelector:
-        kubernetes.io/os: linux
-      serviceAccountName: argo-server
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: workflow-controller
-spec:
-  selector:
-    matchLabels:
-      app: workflow-controller
-  template:
-    metadata:
-      labels:
-        app: workflow-controller
-    spec:
-      containers:
-      - args:
-        - --configmap
-        - workflow-controller-configmap
-        - --executor-image
-        - argoproj/argoexec:latest
-        command:
-        - workflow-controller
-        image: argoproj/workflow-controller:latest
-        name: workflow-controller
-      nodeSelector:
-        kubernetes.io/os: linux
-      serviceAccountName: argo

apps/authelia/README.md

@@ -0,0 +1,3 @@
+### Apply new config
+
+$ kubectl -n live-infra create configmap authelia-config --from-file=configMaps/ -o yaml --dry-run |kubectl apply -f -

apps/authelia/configMaps/configuration.yml

@@ -0,0 +1,678 @@
+# yamllint disable rule:comments-indentation
+---
+###############################################################################
+#                           Authelia Configuration                            #
+###############################################################################
+
+## Certificates directory specifies where Authelia will load trusted certificates (public portion) from in addition to
+## the system certificates store.
+## They should be in base64 format, and have one of the following extensions: *.cer, *.crt, *.pem.
+certificates_directory: /etc/pki/chain
+
+## The theme to display: light, dark, grey, auto.
+theme: dark
+
+## The secret used to generate JWT tokens when validating user identity by email confirmation. JWT Secret can also be
+## set using a secret: https://www.authelia.com/docs/configuration/secrets.html
+jwt_secret: hAnFzapSCusyF2W83JAg6PRqc6v7iQvN7sP3PQ70HAbPBshJzAMz 
+
+## Default redirection URL
+##
+## If user tries to authenticate without any referer, Authelia does not know where to redirect the user to at the end
+## of the authentication process. This parameter allows you to specify the default redirection URL Authelia will use
+## in such a case.
+##
+## Note: this parameter is optional. If not provided, user won't be redirected upon successful authentication.
+default_redirection_url: http://nc.lan
+
+##
+## Server Configuration
+##
+server:
+
+  ## The address to listen on.
+  host: 0.0.0.0
+
+  ## The port to listen on.
+  port: 9091
+
+  ## Set the single level path Authelia listens on.
+  ## Must be alphanumeric chars and should not contain any slashes.
+  path: ""
+
+  ## Buffers usually should be configured to be the same value.
+  ## Explanation at https://www.authelia.com/docs/configuration/server.html
+  ## Read buffer size adjusts the server's max incoming request size in bytes.
+  ## Write buffer size does the same for outgoing responses.
+  read_buffer_size: 4096
+  write_buffer_size: 4096
+
+  ## Enables the pprof endpoint.
+  enable_pprof: false
+
+  ## Enables the expvars endpoint.
+  enable_expvars: false
+
+  ## Disables writing the health check vars to /app/.healthcheck.env which makes healthcheck.sh return exit code 0.
+  ## This is disabled by default if either /app/.healthcheck.env or /app/healthcheck.sh do not exist.
+  disable_healthcheck: false
+
+  ## Authelia by default doesn't accept TLS communication on the server port. This section overrides this behaviour.
+  tls:
+    ## The path to the DER base64/PEM format private key.
+    #key: "/etc/pki/private.key"
+    key: ""
+
+    ## The path to the DER base64/PEM format public certificate.
+    #certificate: "/etc/pki/auth.lan.crt"
+    certificate : ""
+
+##
+## Log Configuration
+##
+log:
+  ## Level of verbosity for logs: info, debug, trace.
+  level: debug
+
+  ## Format the logs are written as: json, text.
+  format: text
+
+  ## File path where the logs will be written. If not set logs are written to stdout.
+  file_path: "" #/config-nfs/authelia.log
+
+  ## Whether to also log to stdout when a log_file_path is defined.
+  # keep_stdout: false
+
+##
+## TOTP Configuration
+##
+## Parameters used for TOTP generation.
+totp:
+  ## The issuer name displayed in the Authenticator application of your choice
+  ## See: https://github.com/google/google-authenticator/wiki/Key-Uri-Format for more info on issuer names
+  issuer: auth.lan
+  ## The period in seconds a one-time password is current for. Changing this will require all users to register
+  ## their TOTP applications again. Warning: before changing period read the docs link below.
+  period: 30
+  ## The skew controls number of one-time passwords either side of the current one that are valid.
+  ## Warning: before changing skew read the docs link below.
+  skew: 1
+  ## See: https://www.authelia.com/docs/configuration/one-time-password.html#period-and-skew to read the documentation.
+
+##
+## Duo Push API Configuration
+##
+## Parameters used to contact the Duo API. Those are generated when you protect an application of type
+## "Partner Auth API" in the management panel.
+duo_api:
+  hostname: api.auth.lan
+  integration_key: AUTHELIA
+  ## Secret can also be set using a secret: https://www.authelia.com/docs/configuration/secrets.html
+  secret_key: 8Jp5e822KP
+
+##
+## Authentication Backend Provider Configuration
+##
+## Used for verifying user passwords and retrieve information such as email address and groups users belong to.
+##
+## The available providers are: `file`, `ldap`. You must use only one of these providers.
+authentication_backend:
+  ## Disable both the HTML element and the API for reset password functionality.
+  disable_reset_password: false
+
+  ## The amount of time to wait before we refresh data from the authentication backend. Uses duration notation.
+  ## To disable this feature set it to 'disable', this will slightly reduce security because for Authelia, users will
+  ## always belong to groups they belonged to at the time of login even if they have been removed from them in LDAP.
+  ## To force update on every request you can set this to '0' or 'always', this will increase processor demand.
+  ## See the below documentation for more information.
+  ## Duration Notation docs:  https://www.authelia.com/docs/configuration/index.html#duration-notation-format
+  ## Refresh Interval docs: https://www.authelia.com/docs/configuration/authentication/ldap.html#refresh-interval
+  refresh_interval: 5m
+
+  ##
+  ## LDAP (Authentication Provider)
+  ##
+  ## This is the recommended Authentication Provider in production
+  ## because it allows Authelia to offload the stateful operations
+  ## onto the LDAP service.
+#  ldap:
+#    ## The LDAP implementation, this affects elements like the attribute utilised for resetting a password.
+#    ## Acceptable options are as follows:
+#    ## - 'activedirectory' - For Microsoft Active Directory.
+#    ## - 'custom' - For custom specifications of attributes and filters.
+#    ## This currently defaults to 'custom' to maintain existing behaviour.
+#    ##
+#    ## Depending on the option here certain other values in this section have a default value, notably all of the
+#    ## attribute mappings have a default value that this config overrides, you can read more about these default values
+#    ## at https://www.authelia.com/docs/configuration/authentication/ldap.html#defaults
+#    implementation: custom
+#
+#    ## The url to the ldap server. Format: <scheme>://<address>[:<port>].
+#    ## Scheme can be ldap or ldaps in the format (port optional).
+#    url: ldap://127.0.0.1
+#
+#    ## The dial timeout for LDAP.
+#    timeout: 5s
+#
+#    ## Use StartTLS with the LDAP connection.
+#    start_tls: false
+#
+#    tls:
+#      ## Server Name for certificate validation (in case it's not set correctly in the URL).
+#      # server_name: ldap.example.com
+#
+#      ## Skip verifying the server certificate (to allow a self-signed certificate).
+#      ## In preference to setting this we strongly recommend you add the public portion of the certificate to the
+#      ## certificates directory which is defined by the `certificates_directory` option at the top of the config.
+#      skip_verify: false
+#
+#      ## Minimum TLS version for either Secure LDAP or LDAP StartTLS.
+#      minimum_version: TLS1.2
+#
+#    ## The distinguished name of the container searched for objects in the directory information tree.
+#    ## See also: additional_users_dn, additional_groups_dn.
+#    base_dn: dc=example,dc=com
+#
+#    ## The attribute holding the username of the user. This attribute is used to populate the username in the session
+#    ## information. It was introduced due to #561 to handle case insensitive search queries. For you information,
+#    ## Microsoft Active Directory usually uses 'sAMAccountName' and OpenLDAP usually uses 'uid'. Beware that this
+#    ## attribute holds the unique identifiers for the users binding the user and the configuration stored in database.
+#    ## Therefore only single value attributes are allowed and the value must never be changed once attributed to a user
+#    ## otherwise it would break the configuration for that user. Technically, non-unique attributes like 'mail' can also
+#    ## be used but we don't recommend using them, we instead advise to use the attributes mentioned above
+#    ## (sAMAccountName and uid) to follow https://www.ietf.org/rfc/rfc2307.txt.
+#    # username_attribute: uid
+#
+#    ## The additional_users_dn is prefixed to base_dn and delimited by a comma when searching for users.
+#    ## i.e. with this set to OU=Users and base_dn set to DC=a,DC=com; OU=Users,DC=a,DC=com is searched for users.
+#    additional_users_dn: ou=users
+#
+#    ## The users filter used in search queries to find the user profile based on input filled in login form.
+#    ## Various placeholders are available in the user filter which you can read about in the documentation which can
+#    ## be found at: https://www.authelia.com/docs/configuration/authentication/ldap.html#users-filter-replacements
+#    ##
+#    ## Recommended settings are as follows:
+#    ## - Microsoft Active Directory: (&({username_attribute}={input})(objectCategory=person)(objectClass=user))
+#    ## - OpenLDAP:
+#    ##   - (&({username_attribute}={input})(objectClass=person))
+#    ##   - (&({username_attribute}={input})(objectClass=inetOrgPerson))
+#    ##
+#    ## To allow sign in both with username and email, one can use a filter like
+#    ## (&(|({username_attribute}={input})({mail_attribute}={input}))(objectClass=person))
+#    users_filter: (&({username_attribute}={input})(objectClass=person))
+#
+#    ## The additional_groups_dn is prefixed to base_dn and delimited by a comma when searching for groups.
+#    ## i.e. with this set to OU=Groups and base_dn set to DC=a,DC=com; OU=Groups,DC=a,DC=com is searched for groups.
+#    additional_groups_dn: ou=groups
+#
+#    ## The groups filter used in search queries to find the groups based on relevant authenticated user.
+#    ## Various placeholders are available in the groups filter which you can read about in the documentation which can
+#    ## be found at: https://www.authelia.com/docs/configuration/authentication/ldap.html#groups-filter-replacements
+#    ##
+#    ## If your groups use the `groupOfUniqueNames` structure use this instead:
+#    ##    (&(uniqueMember={dn})(objectClass=groupOfUniqueNames))
+#    groups_filter: (&(member={dn})(objectClass=groupOfNames))
+#
+#    ## The attribute holding the name of the group.
+#    # group_name_attribute: cn
+#
+#    ## The attribute holding the mail address of the user. If multiple email addresses are defined for a user, only the
+#    ## first one returned by the LDAP server is used.
+#    # mail_attribute: mail
+#
+#    ## The attribute holding the display name of the user. This will be used to greet an authenticated user.
+#    # display_name_attribute: displayName
+#
+#    ## The username and password of the admin user.
+#    user: cn=admin,dc=example,dc=com
+#    ## Password can also be set using a secret: https://www.authelia.com/docs/configuration/secrets.html
+#    password: password
+#
+  ##
+  ## File (Authentication Provider)
+  ##
+  ## With this backend, the users database is stored in a file which is updated when users reset their passwords.
+  ## Therefore, this backend is meant to be used in a dev environment and not in production since it prevents Authelia
+  ## to be scaled to more than one instance. The options under 'password' have sane defaults, and as it has security
+  ## implications it is highly recommended you leave the default values. Before considering changing these settings
+  ## please read the docs page below:
+  ## https://www.authelia.com/docs/configuration/authentication/file.html#password-hash-algorithm-tuning
+  ##
+  ## Important: Kubernetes (or HA) users must read https://www.authelia.com/docs/features/statelessness.html
+  ##
+  file:
+    path: /config-nfs/users_database.yml
+    password:
+      algorithm: sha512
+      salt_length: 16
+      #algorithm: argon2id
+      #iterations: 1
+      #key_length: 32
+      #memory: 32
+      #parallelism: 4
+##
+## Access Control Configuration
+##
+## Access control is a list of rules defining the authorizations applied for one resource to users or group of users.
+##
+## If 'access_control' is not defined, ACL rules are disabled and the 'bypass' rule is applied, i.e., access is allowed
+## to anyone. Otherwise restrictions follow the rules defined.
+##
+## Note: One can use the wildcard * to match any subdomain.
+## It must stand at the beginning of the pattern. (example: *.mydomain.com)
+##
+## Note: You must put patterns containing wildcards between simple quotes for the YAML to be syntactically correct.
+##
+## Definition: A 'rule' is an object with the following keys: 'domain', 'subject', 'policy' and 'resources'.
+##
+## - 'domain' defines which domain or set of domains the rule applies to.
+##
+## - 'subject' defines the subject to apply authorizations to. This parameter is optional and matching any user if not
+##    provided. If provided, the parameter represents either a user or a group. It should be of the form
+##    'user:<username>' or 'group:<groupname>'.
+##
+## - 'policy' is the policy to apply to resources. It must be either 'bypass', 'one_factor', 'two_factor' or 'deny'.
+##
+## - 'resources' is a list of regular expressions that matches a set of resources to apply the policy to. This parameter
+##   is optional and matches any resource if not provided.
+##
+## Note: the order of the rules is important. The first policy matching (domain, resource, subject) applies.
+access_control:
+  ## Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'. It is the policy applied to any
+  ## resource if there is no policy to be applied to the user.
+  default_policy: deny
+
+  networks:
+    - name: internal
+      networks:
+        - 10.10.0.0/16
+        - 172.23.0.0/16
+        - 172.16.23.0/24
+        - 192.168.10.0/24
+    - name: VPN
+      networks: 10.14.0.0/27
+
+  rules:
+    ## Rules applied to everyone
+    - domain: public.auth.lan
+      policy: bypass
+
+    - domain: secure.auth.lan
+      policy: one_factor
+      ## Network based rule, if not provided any network matches.
+      networks:
+        - internal
+        - VPN
+
+    - domain:
+        - secure.auth.lan
+        - private.auth.lan
+      policy: two_factor
+
+    - domain: singlefactor.auth.lan
+      policy: one_factor
+
+    ## Rules applied to 'admins' group
+    - domain: "mx2.mail.example.com"
+      subject: "group:admins"
+      policy: deny
+
+    - domain: "*.auth.lan"
+      subject:
+        - "group:admins"
+        - "group:moderators"
+      policy: two_factor
+
+    ## Rules applied to 'dev' group
+    - domain: dev.auth.lan
+      resources:
+        - "^/groups/dev/.*$"
+      subject: "group:dev"
+      policy: two_factor
+
+    ## Rules applied to user 'john'
+    - domain: dev.auth.lan
+      resources:
+        - "^/users/john/.*$"
+      subject: "user:john"
+      policy: two_factor
+
+    ## Rules applied to user 'harry'
+    - domain: dev.auth.lan
+      resources:
+        - "^/users/harry/.*$"
+      subject: "user:harry"
+      policy: two_factor
+
+    ## Rules applied to user 'bob'
+    - domain: "*.mail.auth.lan"
+      subject: "user:bob"
+      policy: two_factor
+    - domain: "dev.auth.lan"
+      resources:
+        - "^/users/bob/.*$"
+      subject: "user:bob"
+      policy: two_factor
+
+##
+## Session Provider Configuration
+##
+## The session cookies identify the user once logged in.
+## The available providers are: `memory`, `redis`. Memory is the provider unless redis is defined.
+session:
+  ## The name of the session cookie.
+  name: authelia_session
+
+  ## The domain to protect.
+  ## Note: the authenticator must also be in that domain.
+  ## If empty, the cookie is restricted to the subdomain of the issuer.
+  domain: lan
+
+  ## Sets the Cookie SameSite value. Possible options are none, lax, or strict.
+  ## Please read https://www.authelia.com/docs/configuration/session.html#same_site
+  same_site: lax
+
+  ## The secret to encrypt the session data. This is only used with Redis / Redis Sentinel.
+  ## Secret can also be set using a secret: https://www.authelia.com/docs/configuration/secrets.html
+  secret: insecure_session_secret
+
+  ## The value for expiration, inactivity, and remember_me_duration are in seconds or the duration notation format.
+  ## See: https://www.authelia.com/docs/configuration/index.html#duration-notation-format
+  ## All three of these values affect the cookie/session validity period. Longer periods are considered less secure
+  ## because a stolen cookie will last longer giving attackers more time to spy or attack.
+
+  ## The time before the cookie expires and the session is destroyed if remember me IS NOT selected.
+  expiration: 1h
+
+  ## The inactivity time before the session is reset. If expiration is set to 1h, and this is set to 5m, if the user
+  ## does not select the remember me option their session will get destroyed after 1h, or after 5m since the last time
+  ## Authelia detected user activity.
+  inactivity: 5m
+
+  ## The time before the cookie expires and the session is destroyed if remember me IS selected.
+  ## Value of 0 disables remember me.
+  remember_me_duration: 1M
+
+  ##
+  ## Redis Provider
+  ##
+  ## Important: Kubernetes (or HA) users must read https://www.authelia.com/docs/features/statelessness.html
+  ##
+  #redis:
+  #  host: 127.0.0.1
+  #  port: 6379
+  #  ## Use a unix socket instead
+  #  # host: /var/run/redis/redis.sock
+  #
+  #  ## Username used for redis authentication. This is optional and a new feature in redis 6.0.
+  #  # username: authelia
+  #
+  #  ## Password can also be set using a secret: https://www.authelia.com/docs/configuration/secrets.html
+  #  password: authelia
+  #
+  #  ## This is the Redis DB Index https://redis.io/commands/select (sometimes referred to as database number, DB, etc).
+  #  database_index: 0
+  #
+  #  ## The maximum number of concurrent active connections to Redis.
+  #  maximum_active_connections: 8
+  #
+  #  ## The target number of idle connections to have open ready for work. Useful when opening connections is slow.
+  #  minimum_idle_connections: 0
+  #
+  #  ## The Redis TLS configuration. If defined will require a TLS connection to the Redis instance(s).
+  #  # tls:
+  #    ## Server Name for certificate validation (in case you are using the IP or non-FQDN in the host option).
+  #    # server_name: myredis.example.com
+  #
+  #    ## Skip verifying the server certificate (to allow a self-signed certificate).
+  #    ## In preference to setting this we strongly recommend you add the public portion of the certificate to the
+  #    ## certificates directory which is defined by the `certificates_directory` option at the top of the config.
+  #    # skip_verify: false
+  #
+  #    ## Minimum TLS version for the connection.
+  #    # minimum_version: TLS1.2
+  #
+  #  ## The Redis HA configuration options.
+  #  ## This provides specific options to Redis Sentinel, sentinel_name must be defined (Master Name).
+  #  # high_availability:
+  #    ## Sentinel Name / Master Name.
+  #    # sentinel_name: mysentinel
+  #
+  #    ## Specific password for Redis Sentinel. The node username and password is configured above.
+  #    # sentinel_password: sentinel_specific_pass
+  #
+  #    ## The additional nodes to pre-seed the redis provider with (for sentinel).
+  #    ## If the host in the above section is defined, it will be combined with this list to connect to sentinel.
+  #    ## For high availability to be used you must have either defined; the host above or at least one node below.
+  #    # nodes:
+  #    #   - host: sentinel-node1
+  #    #     port: 6379
+  #    #   - host: sentinel-node2
+  #    #     port: 6379
+  #
+  #    ## Choose the host with the lowest latency.
+  #    # route_by_latency: false
+  #
+  #    ## Choose the host randomly.
+  #    # route_randomly: false
+
+##
+## Regulation Configuration
+##
+## This mechanism prevents attackers from brute forcing the first factor. It bans the user if too many attempts are made
+## in a short period of time.
+regulation:
+  ## The number of failed login attempts before user is banned. Set it to 0 to disable regulation.
+  max_retries: 3
+
+  ## The time range during which the user can attempt login before being banned. The user is banned if the
+  ## authentication failed 'max_retries' times in a 'find_time' seconds window. Find Time accepts duration notation.
+  ## See: https://www.authelia.com/docs/configuration/index.html#duration-notation-format
+  find_time: 2m
+
+  ## The length of time before a banned user can login again. Ban Time accepts duration notation.
+  ## See: https://www.authelia.com/docs/configuration/index.html#duration-notation-format
+  ban_time: 5m
+
+##
+## Storage Provider Configuration
+##
+## The available providers are: `local`, `mysql`, `postgres`. You must use one and only one of these providers.
+storage:
+  ##
+  ## Local (Storage Provider)
+  ##
+  ## This stores the data in a SQLite3 Database.
+  ## This is only recommended for lightweight non-stateful installations.
+  ##
+  ## Important: Kubernetes (or HA) users must read https://www.authelia.com/docs/features/statelessness.html
+  ##
+  # local:
+  #   path: /config/db.sqlite3
+
+  ##
+  ## MySQL / MariaDB (Storage Provider)
+  ##
+  #mysql:
+  #  host: 127.0.0.1
+  #  port: 3306
+  #  database: authelia
+  #  username: authelia
+  #  ## Password can also be set using a secret: https://www.authelia.com/docs/configuration/secrets.html
+  #  password: mypassword
+  #  timeout: 5s
+  #
+  ##
+  ## PostgreSQL (Storage Provider)
+  ##
+  postgres:
+    host: postgres.live-env.svc.cluster.local
+    port: 5432
+    database: authelia
+    username: authelia
+    ## Password can also be set using a secret: https://www.authelia.com/docs/configuration/secrets.html
+    password: auth2021
+    timeout: 5s
+    sslmode: disable
+
+##
+## Notification Provider
+##
+## Notifications are sent to users when they require a password reset, a U2F registration or a TOTP registration.
+## The available providers are: filesystem, smtp. You must use only one of these providers.
+notifier:
+  ## You can disable the notifier startup check by setting this to true.
+  disable_startup_check: false
+
+  ##
+  ## File System (Notification Provider)
+  ##
+  ## Important: Kubernetes (or HA) users must read https://www.authelia.com/docs/features/statelessness.html
+  ##
+  filesystem:
+    filename: /config-nfs/notification.txt
+
+  ##
+  ## SMTP (Notification Provider)
+  ##
+  ## Use a SMTP server for sending notifications. Authelia uses the PLAIN or LOGIN methods to authenticate.
+  ## [Security] By default Authelia will:
+  ##   - force all SMTP connections over TLS including unauthenticated connections
+  ##      - use the disable_require_tls boolean value to disable this requirement
+  ##        (only works for unauthenticated connections)
+  ##   - validate the SMTP server x509 certificate during the TLS handshake against the hosts trusted certificates
+  ##     (configure in tls section)
+  #smtp:
+  #  ## The SMTP host to connect to.
+  #  host: 127.0.0.1
+  #
+  #  ## The port to connect to the SMTP host on.
+  #  port: 1025
+  #
+  #  ## The connection timeout.
+  #  timeout: 5s
+  #
+  #  ## The username used for SMTP authentication.
+  #  username: test
+  #
+  #  ## The password used for SMTP authentication.
+  #  ## Can also be set using a secret: https://www.authelia.com/docs/configuration/secrets.html
+  #  password: password
+  #
+  #  ## The address to send the email FROM.
+  #  sender: admin@example.com
+  #
+  #  ## HELO/EHLO Identifier. Some SMTP Servers may reject the default of localhost.
+  #  identifier: localhost
+  #
+  #  ## Subject configuration of the emails sent. {title} is replaced by the text from the notifier.
+  #  subject: "[Authelia] {title}"
+  #
+  #  ## This address is used during the startup check to verify the email configuration is correct.
+  #  ## It's not important what it is except if your email server only allows local delivery.
+  #  startup_check_address: test@authelia.com
+  #
+  #  ## By default we require some form of TLS. This disables this check though is not advised.
+  #  disable_require_tls: false
+  #
+  #  ## Disables sending HTML formatted emails.
+  #  disable_html_emails: false
+  #
+  #  tls:
+  #    ## Server Name for certificate validation (in case you are using the IP or non-FQDN in the host option).
+  #    # server_name: smtp.example.com
+  #
+  #    ## Skip verifying the server certificate (to allow a self-signed certificate).
+  #    ## In preference to setting this we strongly recommend you add the public portion of the certificate to the
+  #    ## certificates directory which is defined by the `certificates_directory` option at the top of the config.
+  #    skip_verify: false
+  #
+  #    ## Minimum TLS version for either StartTLS or SMTPS.
+  #    minimum_version: TLS1.2
+
+##
+## Identity Providers
+##
+# identity_providers:
+
+  ##
+  ## OpenID Connect (Identity Provider)
+  ##
+  ## It's recommended you read the documentation before configuration of this section:
+  ## https://www.authelia.com/docs/configuration/identity-providers/oidc.html
+  # oidc:
+    ## The hmac_secret is used to sign OAuth2 tokens (authorization code, access tokens and refresh tokens).
+    ## HMAC Secret can also be set using a secret: https://www.authelia.com/docs/configuration/secrets.html
+    # hmac_secret: this_is_a_secret_abc123abc123abc
+
+    ## The issuer_private_key is used to sign the JWT forged by OpenID Connect.
+    ## Issuer Private Key can also be set using a secret: https://docs.authelia.com/configuration/secrets.html
+    # issuer_private_key: |
+    #   --- KEY START
+    #   --- KEY END
+
+    ## The lifespans configure the expiration for these token types.
+    # access_token_lifespan: 1h
+    # authorize_code_lifespan: 1m
+    # id_token_lifespan: 1h
+    # refresh_token_lifespan: 90m
+
+    ## Enables additional debug messages.
+    # enable_client_debug_messages: false
+
+    ## SECURITY NOTICE: It's not recommended changing this option, and highly discouraged to have it below 8 for
+    ## security reasons.
+    # minimum_parameter_entropy: 8
+
+    ## Clients is a list of known clients and their configuration.
+    # clients:
+      # -
+        ## The ID is the OpenID Connect ClientID which is used to link an application to a configuration.
+        # id: myapp
+
+        ## The description to show to users when they end up on the consent screen. Defaults to the ID above.
+        # description: My Application
+
+        ## The client secret is a shared secret between Authelia and the consumer of this client.
+        # secret: this_is_a_secret
+
+        ## Sets the client to public. This should typically not be set, please see the documentation for usage.
+        # public: false
+
+        ## The policy to require for this client; one_factor or two_factor.
+        # authorization_policy: two_factor
+
+        ## Audience this client is allowed to request.
+        # audience: []
+
+        ## Scopes this client is allowed to request.
+        # scopes:
+          # - openid
+          # - groups
+          # - email
+          # - profile
+
+        ## Redirect URI's specifies a list of valid case-sensitive callbacks for this client.
+        # redirect_uris:
+        # - https://oidc.example.com:8080/oauth2/callback
+
+        ## Grant Types configures which grants this client can obtain.
+        ## It's not recommended to define this unless you know what you're doing.
+        # grant_types:
+          # - refresh_token
+          # - authorization_code
+
+        ## Response Types configures which responses this client can be sent.
+        ## It's not recommended to define this unless you know what you're doing.
+        # response_types:
+          # - code
+
+        ## Response Modes configures which response modes this client supports.
+        # response_modes:
+          # - form_post
+          # - query
+          # - fragment
+
+        ## The algorithm used to sign userinfo endpoint responses for this client, either none or RS256.
+        # userinfo_signing_algorithm: none
+...

apps/authelia/deployment.yaml

@@ -0,0 +1,172 @@
+#we use postgresql:
+#create database authelia;
+#create user authelia with encrypted password 'secret';
+#grant all privileges on database authelia to authelia;
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: authelia
+  labels:
+    app: authelia
+    release: latest
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: authelia
+      release: latest
+  template:
+    metadata:
+      labels:
+        app: authelia
+        release: latest
+    spec:
+      containers:
+        - name: authelia
+          image: authelia/authelia:latest
+          env:
+            #- name: AUTHELIA_SERVER_PORT
+            #  value: "9091"
+            - name: TZ
+              value: "Europe/Berlin"
+          volumeMounts:
+            - name: authelia
+              mountPath: /config-nfs
+            - name: authelia-config
+              mountPath: /config
+            - name: pki
+              mountPath: /etc/pki
+          ports:
+            - name: http
+              containerPort: 9091
+              protocol: TCP
+          livenessProbe:
+            httpGet:
+              path: /
+              port: http
+          readinessProbe:
+            httpGet:
+              path: /
+              port: http
+          resources:
+            requests:
+              memory: "256Mi"
+              cpu: "250m"
+            limits:
+              memory: "1000Mi"
+              cpu: "1500m"
+      enableServiceLinks: false
+      volumes:
+      - name: authelia
+        persistentVolumeClaim:
+          claimName: authelia
+      - name: authelia-config
+        configMap:
+          name: authelia-config
+          items:
+          - key: configuration.yml
+            path: configuration.yml
+      - name: pki
+        hostPath:
+          path: /etc/pki
+          type: Directory
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: authelia
+  labels:
+    app: authelia
+spec:
+  storageClassName: nfs-ssd-ebin02
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 100Mi
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: authelia
+spec:
+  storageClassName: "nfs-ssd-ebin02"
+  nfs:
+    path: /data/raid1-ssd/k8s-data/authelia
+    server: ebin02
+  capacity:
+    storage: 100Mi
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  persistentVolumeReclaimPolicy: Retain
+  claimRef:
+    kind: PersistentVolumeClaim
+    name: authelia
+    namespace: live-infra
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: authelia
+  labels:
+    app: authelia
+spec:
+  ports:
+    - port: 80
+      targetPort: http
+      protocol: TCP
+      name: http
+    - port: 443
+      targetPort: http
+      name: https
+  selector:
+      app: authelia
+      release: latest
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+    name: authelia
+    annotations:
+      kubernetes.io/ingress.class: nginx
+      nginx.ingress.kubernetes.io/auth-url: https://authelia.live-infra.svc.cluster.local/api/verify
+      nginx.ingress.kubernetes.io/auth-signin: https://auth.lan
+      nginx.ingress.kubernetes.io/auth-response-headers: Remote-User,Remote-Name,Remote-Groups,Remote-Email
+      nginx.ingress.kubernetes.io/auth-snippet: |
+        proxy_set_header X-Forwarded-Method $request_method;
+      nginx.ingress.kubernetes.io/configuration-snippet: |
+        proxy_set_header X-Forwarded-Method $request_method;
+spec:
+    rules:
+    - host: auth.lan
+      http:
+          paths:
+          - backend:
+              service:
+                name: authelia
+                port: 
+                  name: http
+            path: / 
+            pathType: Prefix
+    - host: secure.auth.lan
+      http:
+          paths:
+          - backend:
+              service:
+                name: authelia
+                port: 
+                  name: http
+            path: / 
+            pathType: Prefix
+    - host: public.auth.lan
+      http:
+          paths:
+          - backend:
+              service:
+                name: authelia
+                port: 
+                  name: http
+            path: / 
+            pathType: Prefix
+    

apps/codetogether.yaml

@@ -0,0 +1,133 @@
+# ========================================================================
+# Secret: CodeTogether License Values
+# ========================================================================
+apiVersion: v1
+kind: Secret
+metadata:
+  name: codetogether-license
+  namespace: default
+type: Opaque
+stringData:
+  # Configure as needed for your deployment, should match your SSL certificate
+  CT_SERVER_URL: "https://cd.lan"
+  CT_TRUST_ALL_CERTS: "true"
+  # Provided by your Genuitec Sales Representative
+  # *values must match exactly
+  CT_LICENSEE: "Werkstatt"
+  CT_MAXCONNECTIONS: "0"
+  CT_EXPIRATION: "2022/10/01"
+  CT_SIGNATURE: "xXM4cwzG...619bef4"
+---
+# ========================================================================
+# Secret: SSL Key and Certificate for SSL used by Ingress
+# ========================================================================
+apiVersion: v1
+kind: Secret
+metadata:
+  name: codetogether-sslsecret
+  namespace: default
+type: kubernetes.io/tls
+data:
+  # value from "cat ssl.crt | base64 -w 0"
+  tls.crt: "LS0tLS1CRUdJTi...UZJQ0FURS0tLS0tDQo="
+  # value from "cat ssl.key | base64 -w 0"
+  tls.key: "LS0tLS1CRUdJTi...EUgS0VZLS0tLS0NCg=="
+---
+# ========================================================================
+# Ingress: Expose the HTTPS service to the network
+# ========================================================================
+apiVersion: networking.k8s.io/v1beta1
+kind: Ingress
+metadata:
+  name: codetogether
+spec:
+  tls:
+  - hosts:
+      - SERVERFQDN
+    secretName: codetogether-sslsecret
+  rules:
+  - host: SERVERFQDN
+    http:
+      paths:
+      - path: /
+        backend:
+          serviceName: codetogether
+          servicePort: 80
+---
+# ========================================================================
+# Service: Map the HTTP port from the container
+# ========================================================================
+apiVersion: v1
+kind: Service
+metadata:
+  name: codetogether
+  labels:
+    run: codetogether
+spec:
+  ports:
+  - port: 80
+    name: http
+    targetPort: 1080
+    protocol: TCP
+  selector:
+    run: codetogether
+---
+# ========================================================================
+# Deployment: Configure the Container Deployment
+# ========================================================================
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: codetogether
+  namespace: default
+spec:
+  selector:
+    matchLabels:
+      run: codetogether
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        run: codetogether
+    spec:
+      containers:
+      - name: codetogether
+        image: hub.edge.codetogether.com/latest/codetogether:latest
+        imagePullPolicy: Always
+        ports:
+        - containerPort: 1080
+        env:
+        - name: CT_LOCATOR
+          value: "none"
+        - name: CT_SERVER_URL
+          valueFrom:
+              secretKeyRef:
+                name: codetogether-license
+                key: CT_SERVER_URL
+        - name: CT_TRUST_ALL_CERTS
+          valueFrom:
+              secretKeyRef:
+                name: codetogether-license
+                key: CT_TRUST_ALL_CERTS
+        - name: CT_LICENSEE
+          valueFrom:
+              secretKeyRef:
+                name: codetogether-license
+                key: CT_LICENSEE
+        - name: CT_MAXCONNECTIONS
+          valueFrom:
+              secretKeyRef:
+                name: codetogether-license
+                key: CT_MAXCONNECTIONS
+        - name: CT_EXPIRATION
+          valueFrom:
+              secretKeyRef:
+                name: codetogether-license
+                key: CT_EXPIRATION
+        - name: CT_SIGNATURE
+          valueFrom:
+              secretKeyRef:
+                name: codetogether-license
+                key: CT_SIGNATURE
+      imagePullSecrets:
+      - name: ctcreds

apps/curl/Dockerfile

@@ -1,6 +1,4 @@
-FROM debian:stable-slim
-
-#RUN echo 'Acquire::http::proxy "http://172.23.255.1:3142";' >/etc/apt/apt.conf.d/proxy
+FROM cr.wks/debian-stable
 RUN apt-get update && apt-get install -y \
 	curl procps && \
 	apt-get clean -y && \ 

apps/distcc/Dockerfile

@@ -1,25 +0,0 @@
-FROM debian:buster-slim
-
-RUN echo 'Acquire::http::proxy "http://172.23.255.1:3142";' >/etc/apt/apt.conf.d/proxy
-RUN  dpkg --add-architecture armhf && \
-  apt-get update && \
-  apt-get install -y \
-    multiarch-support \
-    dpkg-dev \
-    distcc ccache \
-    build-essential \
-    gcc \
-    cpp \
-    g++ \
-    clang \
-    llvm && \
-    apt-get clean -y && \
-    rm -rf /var/lib/apt/lists/*
-
-# Op port
-EXPOSE 3632
-# Stats port
-EXPOSE 3633
-
-USER distccd
-ENTRYPOINT /usr/bin/distccd --no-detach --daemon --stats --log-level error --log-stderr $OPTIONS

apps/docker-registry/README.md

@@ -1,9 +1,7 @@
 Docker-ui
 
-Build it for arm64:
+Build it for arm64 in docker-registry-ui
 
-docker build --platform linux/arm64 -t joxit/docker-registry-ui:static -f static.dockerfile github.com/Joxit/docker-registry-ui
+ARCH=arm64; APP=docker-registry-ui ; podman build --arch=$ARCH  -t $APP:$ARCH -t cr.lan/$APP:$ARCH -f arm64v8-static.dockerfile
 
-
-docker tag 1494c11066f5 docker-registry.lan/docker-registry-ui:arm64
-docker push docker-registry.lan/docker-registry-ui:arm64
+ARCH=arm64; APP=docker-registry-ui ; podman push cr.lan/$APP:$ARCH

apps/docker-registry/certs/docker-registry.lan

@@ -1,52 +0,0 @@
------BEGIN PRIVATE KEY-----
-MIIJQgIBADANBgkqhkiG9w0BAQEFAASCCSwwggkoAgEAAoICAQCaHN7wa2QK9qD3
-ovn7ZZiKQ+E/f54MnHGgdlTcskTuiysbS4rqUC49MzWRZjxzxukbwF0a1yOOJUSM
-YgOeDntRU4T49FLxY3YAZ9RV4Lr6qU8Tz45Ez4N7RLa3QLqY2wf3BEy32k8SqHsI
-XMt0DV93w6q1eqW95XRNDDJF0xm4Oa4yaew0tNCx8Senv51jZ8lOX8CJljnE2Sil
-P0HBFwfJqKk9qZg5WstQZFsr3D1wTpMZ3UmnzDN3EEBLJkvcAJvdo2E8TGb29UcD
-OopHCeixdoKJw/BBdDCXDoSs9N+pDmoY7QSQaXP91sybP/zrcvrIFTT39IFrARRh
-5X9QvCnJxhHXPhqqSeAE4YzTGHJV3BdpIVMPMWUHL9TfLFJxbUGImE2IUQZxSb2i
-Wy8w9mnt4SFARGUIr0+tOmEDQ7smlFUke9yIPnti01OogfDNR4/szpwYvfE5+xG6
-Vp0W590HxL6JE3nqaTJu+KIkBcRzroZZghmNEKik2MeRIxHjCpjvNr2INLn30S81
-NhdP4uZdCeI5sERFaFOCgA64MPTtPYjQRV7BFwpN3+alUK8zVtXat/n5HyxvqrzG
-s7IHA/GyCLjfsh9sWDhsfgsuIZzL+KblYnU1XPhRko4BQ2Y3GwA0QGFvM0+J1z/V
-r3ieyio37CbEuVugMQ/VYYl8UYE0TwIDAQABAoICAC+rnopfraJ2h3QSRaEt2/Fo
-7dPmdc0Q11T7RWS+//OJuNvIkj/IbYUgwgEnzqtBa/nZlvMmeSkO/hUufE/3ys1t
-OESJzt48FdQqSdQGn8/Jb1yBZ1CBn/oRVzN4IkAGAIC4I8L7FFqBIw2DJqvPNyik
-rblVJs+GmmL60tImal5B+VA+04G6LJPeNJX+/4AwKmTD2Zq1jUkGozv6RSylIxON
-yEv6mcuj+h/z6v+2MIr8wyPM/2uYDpNVw417WxvCVHRKhVlRiMf7NuwYv40Z05CR
-R++1XCvi9OTE6OVXGZgBjXAIYNEKzYZHWyLquCFcf5ZEeQ35485llxhxFOC0U3hL
-lT8pI6EFnRiTi+Eq+7GOmvKYjNda6UtUVYPFIX0Ff3IkkwJ53rYdrar4xLnpmeUF
-LcJhGJdfJSsvO2mdiLEFm/K7dQxDadusYPYFeUK4CGgoIsauf6XzdWbxJgv4qcOJ
-dMzt2uLxpq5k7pQ5HU96Pa9g1flR1vaAtZ4htTMbQ6o7nrUoc8+zoo8pBYW6/zi+
-OXf/9BvDQ/dQvtAF+gJQMfGDO5J0x5+yr+Jp7LKjlmG5B2bYMYF9/uZQTgY5kla5
-uqihCZVZ14uojbXA3eqHvmtRfFqQ4Us3s0BUDm4W5PUe6jwJ8TavP+XJIjcCLU2c
-kOrKZ0ZtIXwTUqKE5Z2BAoIBAQDKXleKtzEvvOWihxzuUmQYIT2HzrMG14s1M7wo
-YF0ARaQTxX5HH2lYN7znWb/RpcDSj+IBNV4PxEOHVNCTWhev/PnFmm6FuqopJDIZ
-sumP3jJg0K2/MFjBsHXNqacqjqMKlWFnuYqDHZSRX1bjC9IWB6HfS9Wjm2XrgBGx
-xFTcAZ3kXX4NlVMz/JgWMKLRY+qGtDWG11sT+oAge81La+MRz/R/fAhf3K+0iDaK
-F1iX8jXIcRfqk9OLafRcuIkS4q4rV6D9bI9xjbTz2tsm3b/wJezoSC06mTHoUEoG
-p3MIPZ6ETDADDlB9hsWS23p2ueuUOCHg19+n30ah6qWx7UzjAoIBAQDC9KBAYr0T
-sf7o5FA+Xp/N6ALxarNa1b15TjFtwSfvwZrrg02QQIpQCR70vy6wiczkTcmRCi4P
-uiiVQz8abWbOW+aG4ThTpkOZDbCEVghFzGWPZjRsyrlhcegdS5FL4fCBrtUzOs7e
-e+YtgyPrvmHamhMvKYWfW/DWfxOoBFoL9GTuC1646Va63u3MmLMflzYhj4dgbsm0
-ut70aK3RAFkLVwswmx+OPINeSpEz6iIRArF4aSi8rH2eaMp4QiXz+zXSP+Bm4XTN
-C6HrQeyOmiEtXcZemZVnUtkJBdkW+iRiiD3+xLEX11c/kzcyIeNpaGu9LckXuxqY
-chu4XOVHLaKlAoIBAFapGfIESyL3UJtOIvyH+ec/bNsYkB/w8+M/mWbtBUaVjBMP
-culAMVue2t1z2KoNwkopZY5A7VvxHz33+y3u2c/6lHejj4rjCfV+U5ofvNdoPsio
-9I64RHoFeB0vdq/Jz1Y77C+ADCnj4/hxDINET54xfIdkMUPTy0yTVoB65CAm7Reb
-Vdy5Qp0zoWl3QHJMyGURDQ8GcDFZB79hZOPUerPpCvoBApESr4evATQXlU/UYGXK
-0IQa8+9y2ztNpx2YRx+2cfG0qKTnG0OGSG0XbxeHFjHOntfGPNIQd/LriF5SDOz4
-t2LHoX5v1XHzXTk0mwapFxDzQQrhmZzDIFvWlCMCggEANLHORtjpZlNsJSLhFZqZ
-8xvM/9fpVpoDNrCN566XztQzvYimBGGNgQiWF209f3YfrW3hF5T60kFtCrs8aTY8
-3XY1nyttAB8mkk4C8iIW5lbS9KmZbfZ1mQMizBhK04nkagkJk2lH1RcEJjUWFnhF
-FsMigFLmzSYauL9sXrOeazDJvxXPqodXa/cpq21yrQ1AEl4rJ0OKvZDtBn7szFsd
-tlT2r1KeeuGcWHYrPS8BujtSIMu7uROeeJy2bT7j50h1Sbj+PJCf83Q7dc1B1WGP
-qiV4osU8fssD4s5z2SQPhZpxt1UO0PThnkt6VdCXGTyiMmYXvpRSIfZly7VAO7b4
-CQKCAQEAoVcWk9yQ5fD+uQ40duvjpzeNxBjttFLHe1CeOCIPtA3KBak4O+MNwZMz
-oVUe2V/vb3kGpngF56d1hrBa4iQhvq4mGfnF/ZsbQHa4BZyaFIFvcOwZsgCjAO65
-MpbybhRiOMMtu0Bg/H1hH2dzatugrqfVDYRnt9EgpDl7gkdVvmRu9khMWGHLv9qJ
-gVeH5dNlpty3gkpSjJgTpEuKF7Yzw4seHpjkiwzIitgE2F7Xrv+6GtYOs0iziJTx
-ZNq3BtxzCGe6MamLkXOj5DREhQMqAxJTUo/AYRNRiOeq+AdYgoAulse7HIO8q77E
-i+DOL/C63wFKJddUnKSXCf+iAJraGw==
------END PRIVATE KEY-----

apps/docker-registry/certs/docker-registry.lan.crt

@@ -1,34 +0,0 @@
------BEGIN CERTIFICATE-----
-MIIF2zCCA8OgAwIBAgIUCvX0FglFpG7UJJe6QruGhfKwglUwDQYJKoZIhvcNAQEL
-BQAwfDELMAkGA1UEBhMCREUxDzANBgNVBAgMBkJlcmxpbjEPMA0GA1UEBwwGQmVy
-bGluMQ4wDAYDVQQKDAVjaGFvczEcMBoGA1UEAwwTZG9ja2VyLXJlZ2lzdHJ5Lmxh
-bTEdMBsGCSqGSIb3DQEJARYOcm9vdEBjaGFvcy5sYW4wIBcNMjAwNjI0MTUxODE5
-WhgPMjEyMDA1MzExNTE4MTlaMHwxCzAJBgNVBAYTAkRFMQ8wDQYDVQQIDAZCZXJs
-aW4xDzANBgNVBAcMBkJlcmxpbjEOMAwGA1UECgwFY2hhb3MxHDAaBgNVBAMME2Rv
-Y2tlci1yZWdpc3RyeS5sYW0xHTAbBgkqhkiG9w0BCQEWDnJvb3RAY2hhb3MubGFu
-MIICIjANBgkqhkiG9w0BAQEFAAOCAg8AMIICCgKCAgEAmhze8GtkCvag96L5+2WY
-ikPhP3+eDJxxoHZU3LJE7osrG0uK6lAuPTM1kWY8c8bpG8BdGtcjjiVEjGIDng57
-UVOE+PRS8WN2AGfUVeC6+qlPE8+ORM+De0S2t0C6mNsH9wRMt9pPEqh7CFzLdA1f
-d8OqtXqlveV0TQwyRdMZuDmuMmnsNLTQsfEnp7+dY2fJTl/AiZY5xNkopT9BwRcH
-yaipPamYOVrLUGRbK9w9cE6TGd1Jp8wzdxBASyZL3ACb3aNhPExm9vVHAzqKRwno
-sXaCicPwQXQwlw6ErPTfqQ5qGO0EkGlz/dbMmz/863L6yBU09/SBawEUYeV/ULwp
-ycYR1z4aqkngBOGM0xhyVdwXaSFTDzFlBy/U3yxScW1BiJhNiFEGcUm9olsvMPZp
-7eEhQERlCK9PrTphA0O7JpRVJHvciD57YtNTqIHwzUeP7M6cGL3xOfsRuladFufd
-B8S+iRN56mkybviiJAXEc66GWYIZjRCopNjHkSMR4wqY7za9iDS599EvNTYXT+Lm
-XQniObBERWhTgoAOuDD07T2I0EVewRcKTd/mpVCvM1bV2rf5+R8sb6q8xrOyBwPx
-sgi437IfbFg4bH4LLiGcy/im5WJ1NVz4UZKOAUNmNxsANEBhbzNPidc/1a94nsoq
-N+wmxLlboDEP1WGJfFGBNE8CAwEAAaNTMFEwHQYDVR0OBBYEFCtnUlt2y35MUJ0x
-YSvt8G3vi0NMMB8GA1UdIwQYMBaAFCtnUlt2y35MUJ0xYSvt8G3vi0NMMA8GA1Ud
-EwEB/wQFMAMBAf8wDQYJKoZIhvcNAQELBQADggIBAEXDBh9NNZza6Vjzwcll7uAc
-x22ghoDinHOdfNWe9Hgocmj/Ci4M7f8TL35Zlm2PhOfYaol88uVIOiTKrf2USY2J
-7RSvpl34voiWR8HBtkIFvmiUE2GR5I8gA21H8xaenIbg1Pj9V+E4SgIN1V9lX6S1
-tjNVbhs/mU6YqyNytkjCuwJgCMPgXx4wwPZqaBqGJ5IrJfag0ZahT0IfKSzKtc8M
-HBeXTy7Ck7WUOQWRCe289CBkYHZ+ScdnXnJao7uLvpuoUpu6/WPAnMN1t7KUO4tU
-Z0SwNpY/Xsq3pjwTk2ZJwhFI1baaOyDZJW0+l2D48q7ADavq72NlPerZFkIN6Uvh
-iyb4A/dzZWeZPIJinLtC6Bip5epg03KR0O4D/rYHbn6uVTq894ThIAXt1Q8fFVGb
-oX+AK+ERCWc4ost+pr+Dk78bJUEcHCMRIGaWUVfzXvCagrx4eRLwoaLTovPHVvVl
-on61w57W8csoj8lh3TX5t0MB4s87twHlErRIALqMd+m5K+2CPeWRd/6ZpmCGuL9s
-bT+Rde3Sqw45N3Asw795yA73Av0coq8pB2DyDR5SoHkMD1rzJIVg4lBCwMSR3IJk
-hiIO2qV1xNFrnA3ggKZSyDkH8eOR0dAmtthX6nDGvUbFsMFYnXli5wngTuXdHiYo
-Lpilp6oWJLkzjfyGR3Um
------END CERTIFICATE-----

apps/docker-registry/docker-registry-ui.yaml

@@ -6,7 +6,6 @@ metadata:
   labels:
     app: registry-ui
     release: docker-registry-ui
-    app/version: "1.2.1"
 spec:
   replicas: 1
   selector:
@@ -21,38 +20,36 @@ spec:
     spec:
       containers:
         - name: registry-ui
-          image: "docker-registry.lan/docker-registry-ui:arm64"
+          image: docker.io/joxit/docker-registry-ui:latest
           imagePullPolicy: Always
           env:
-            - name: URL
-              value: "http://docker-registry.lan"
+            - name: NGINX_PROXY_PASS_URL
+              value: "http://cr.lan"
             - name: REGISTRY_TITLE
-              value: "dReg"
+              value: "cReg"
             - name: DELETE_IMAGES
               value: "true"
-            - name: REGISTRY_URL
-              value: "http://docker-registry-ui.lan"
-            - name: PULL_URL
-              value: "http://docker-registry.lan"
+            #- name: REGISTRY_URL
+            #  value: "http://cr.lan"
           ports:
             - name: http
               containerPort: 80
               protocol: TCP
-          livenessProbe:
-            httpGet:
-              path: /
-              port: http
-          readinessProbe:
-            httpGet:
-              path: /
-              port: http
+          #livenessProbe:
+          #  httpGet:
+          #    path: /
+          #    port: http
+          #readinessProbe:
+          #  httpGet:
+          #    path: /
+          #    port: http
           resources:
             requests:
-              memory: "24Mi"
-              cpu: "50m"
+              memory: "20Mi"
+              cpu: "10m"
             limits:
-              memory: "64Mi"
-              cpu: "100m"
+              memory: "32Mi"
+              cpu: "50m"
 ---
 apiVersion: v1
 kind: Service
@@ -61,7 +58,6 @@ metadata:
   labels:
     app: registry-ui
     release: docker-registry-ui
-    app/version: "1.2.1"
 spec:
   ports:
     - port: 80
@@ -72,16 +68,25 @@ spec:
       app: registry-ui
       release: docker-registry-ui
 ---
-apiVersion: networking.k8s.io/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
     name: docker-registry-ui
+    annotations:
+      kubernetes.io/ingress.class: nginx
+      nginx.ingress.kubernetes.io/enable-cors: "true"
+      nginx.ingress.kubernetes.io/cors-allow-origin: "*"
+      nginx.ingress.kubernetes.io/cors-expose-headers: "*"
 spec:
     rules:
-    - host: docker-registry-ui.lan
+    - host: cr-ui.lan
       http:
           paths:
-          - backend:
-              serviceName: docker-registry-ui
-              servicePort: http
-            path: / 
+          - path: / 
+            pathType: Prefix
+            backend:
+              service:
+                name: docker-registry-ui
+                port: 
+                  number: 80
+            

apps/docker-registry/registry-deployment.yaml

@@ -1,12 +1,4 @@
 apiVersion: v1
-kind: Namespace
-metadata:
-    name: docker-registry
-spec:
-    finalizers:
-    - kubernetes
----
-apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
   name: docker-registry
@@ -28,7 +20,7 @@ metadata:
   name: registry
   labels:
     app: registry
-  namespace: docker-registry
+  namespace: live-env
 spec:
   replicas: 1
   selector:
@@ -66,7 +58,7 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
   name: docker-registry-config
-  namespace: docker-registry
+  namespace: live-env
   labels:
     app: registry
 data:
@@ -86,7 +78,7 @@ data:
       addr: :5000
       headers:
         X-Content-Type-Options: [nosniff]
-        Access-Control-Allow-Origin: ['*']
+        Access-Control-Allow-Origin: ['*', 'http://cr-ui.lan']
         Access-Control-Allow-Methods: ['HEAD', 'GET', 'OPTIONS', 'DELETE']
         Access-Control-Allow-Headers: ['Authorization', 'Accept']
         Access-Control-Max-Age: [1728000]
@@ -97,42 +89,43 @@ kind: Service
 apiVersion: v1
 metadata:
   name: registry
-  namespace: docker-registry
+  namespace: live-env
 spec:
   selector:
     app: registry
   ports:
     - port: 5000
       targetPort: 5000
+#---
+#apiVersion: v1
+#data:
+#  proxy-connect-timeout: "30"
+#  proxy-read-timeout: "1801"
+#  proxy-send-timeout: "1801"
+#  proxy-body-size: "0"
+#  client-max-body-size: "0"
+#kind: ConfigMap
+#metadata:
+#  name: ingress-nginx-controller
+#  namespace: ingress-nginx
 ---
-apiVersion: v1
-data:
-  proxy-connect-timeout: "30"
-  proxy-read-timeout: "1801"
-  proxy-send-timeout: "1801"
-  proxy-body-size: "0"
-  client-max-body-size: "0"
-kind: ConfigMap
-metadata:
-  name: ingress-nginx-controller
-  namespace: ingress-nginx
----
-apiVersion: networking.k8s.io/v1beta1 
+apiVersion: networking.k8s.io/v1 
 kind: Ingress
 metadata:
     name: docker-registry
-    namespace: docker-registry
-    #annotations:
-    #  nginx.ingress.kubernetes.io/proxy‑connect‑timeout: 30
-    #  nginx.ingress.kubernetes.io/proxy‑read‑timeout: 1800
-    #  nginx.ingress.kubernetes.io/proxy‑send‑timeout: 1800
-    #  nginx.ingress.kubernetes.io/proxy-body-size: '5g' 
+    namespace: live-env
+    annotations:
+      kubernetes.io/ingress.class: nginx
 spec:
     rules:
     - host: docker-registry.lan
       http:
           paths:
-          - backend:
-              serviceName: registry
-              servicePort: 5000 
-            path: /
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: registry
+                port: 
+                  number: 5000 
+            

apps/dolibarr/Dockerfile

@@ -0,0 +1,116 @@
+FROM cr.lan/debian-stable-php-fpm
+
+# see https://wiki.dolibarr.org/index.php/Dependencies_and_external_libraries
+# Prepare folders
+ENV DEBIAN_FRONTEND noninteractive
+RUN set -ex; \
+	apt-get update -q; \
+	apt-get install -y --no-install-recommends \
+		bzip2 \
+		default-mysql-client \
+		cron \
+		rsync \
+		unzip \
+		zip php-soap;\
+	mkdir -p /var/www/documents; \
+	chown -R www-data:root /var/www; \
+	chmod -R g=u /var/www
+
+# CLeanup	
+RUN	apt-get autoremove --purge -y && \
+	apt-get clean -y && \ 
+	rm -rf /var/lib/apt/lists/* && \
+	rm -rf /var/cache/apt/* /tmp/* /var/tmp/* /var/log/*
+	
+	
+VOLUME /var/www/html /var/www/documents /var/www/scripts
+
+# Runtime env var
+ENV DOLI_AUTO_CONFIGURE=1 \
+	DOLI_DB_TYPE=mysqli \
+	DOLI_DB_HOST= \
+	DOLI_DB_PORT=3306 \
+	DOLI_DB_USER=dolibarr \
+	DOLI_DB_PASSWORD='' \
+	DOLI_DB_NAME=dolibarr \
+	DOLI_DB_PREFIX=llx_ \
+	DOLI_DB_CHARACTER_SET=utf8 \
+	DOLI_DB_COLLATION=utf8_unicode_ci \
+	DOLI_DB_ROOT_LOGIN='' \
+	DOLI_DB_ROOT_PASSWORD='' \
+	DOLI_ADMIN_LOGIN=admin \
+	DOLI_MODULES='' \
+	DOLI_URL_ROOT='http://localhost' \
+	DOLI_AUTH=dolibarr \
+	DOLI_LDAP_HOST= \
+	DOLI_LDAP_PORT=389 \
+	DOLI_LDAP_VERSION=3 \
+	DOLI_LDAP_SERVERTYPE=openldap \
+	DOLI_LDAP_LOGIN_ATTRIBUTE=uid \
+	DOLI_LDAP_DN='' \
+	DOLI_LDAP_FILTER='' \
+	DOLI_LDAP_ADMIN_LOGIN='' \
+	DOLI_LDAP_ADMIN_PASS='' \
+	DOLI_LDAP_DEBUG=false \
+	DOLI_HTTPS=0 \
+	DOLI_PROD=0 \
+	DOLI_NO_CSRF_CHECK=0 \
+	WWW_USER_ID=33 \
+	WWW_GROUP_ID=33 \
+	PHP_INI_DATE_TIMEZONE='UTC' \
+	PHP_MEMORY_LIMIT=256M \
+	PHP_MAX_UPLOAD=20M \
+	PHP_MAX_EXECUTION_TIME=300
+
+# Build time env var
+ARG DOLI_VERSION=13.0.4
+
+# Get Dolibarr
+ADD https://github.com/Dolibarr/dolibarr/archive/${DOLI_VERSION}.zip /tmp/dolibarr.zip
+
+# Install Dolibarr from tag archive
+RUN set -ex; \
+	mkdir -p /tmp/dolibarr; \
+	unzip -q /tmp/dolibarr.zip -d /tmp/dolibarr; \
+	rm /tmp/dolibarr.zip; \
+	mkdir -p /usr/src/dolibarr; \
+	cp -r "/tmp/dolibarr/dolibarr-${DOLI_VERSION}"/* /usr/src/dolibarr; \
+	rm -rf /tmp/dolibarr; \
+	chmod +x /usr/src/dolibarr/scripts/*; \
+	echo "${DOLI_VERSION}" > /usr/src/dolibarr/.docker-image-version
+
+COPY entrypoint.sh /
+RUN set -ex; \
+	chmod 755 /entrypoint.sh ;\
+	mkdir -p /run/php
+
+ENTRYPOINT ["/entrypoint.sh"]
+CMD ["php-fpm7.4", "--nodaemonize", "-c", "/etc/php/7.4/fpm/php.ini", "--fpm-config", "/etc/php/7.4/fpm/php-fpm.conf"]
+
+# Arguments to label built container
+ARG VCS_REF
+ARG BUILD_DATE
+
+# Container labels (http://label-schema.org/)
+# Container annotations (https://github.com/opencontainers/image-spec)
+LABEL maintainer="Monogramm maintainers <opensource at monogramm dot io>" \
+	  product="Dolibarr" \
+	  version=${DOLI_VERSION} \
+	  org.label-schema.vcs-ref=${VCS_REF} \
+	  org.label-schema.vcs-url="https://github.com/Monogramm/docker-dolibarr" \
+	  org.label-schema.build-date=${BUILD_DATE} \
+	  org.label-schema.name="Dolibarr" \
+	  org.label-schema.description="Open Source ERP & CRM for Business" \
+	  org.label-schema.url="https://www.dolibarr.org/" \
+	  org.label-schema.vendor="Dolibarr" \
+	  org.label-schema.version=$DOLI_VERSION \
+	  org.label-schema.schema-version="1.0" \
+	  org.opencontainers.image.revision=${VCS_REF} \
+	  org.opencontainers.image.source="https://github.com/Monogramm/docker-dolibarr" \
+	  org.opencontainers.image.created=${BUILD_DATE} \
+	  org.opencontainers.image.title="Dolibarr" \
+	  org.opencontainers.image.description="Open Source ERP & CRM for Business" \
+	  org.opencontainers.image.url="https://www.dolibarr.org/" \
+	  org.opencontainers.image.vendor="Dolibarr" \
+	  org.opencontainers.image.version=${DOLI_VERSION} \
+	  org.opencontainers.image.authors="Monogramm maintainers <opensource at monogramm dot io>"

apps/dolibarr/README.md

@@ -0,0 +1,3 @@
+create nginx configmap
+
+ kubectl -n live-env create configmap dolibarr-nginx-site --from-file=nginx-site.configmap.conf

apps/dolibarr/deployment.yaml

@@ -0,0 +1,104 @@
+#we use postgresql:
+#create database dolibarr;
+#create user dolibarr with encrypted password 'secret';
+#grant all privileges on database dolibarr to dolibarr;
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: dolibarr
+  labels:
+    app: dolibarr
+    release: latest
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: dolibarr
+      release: latest
+  template:
+    metadata:
+      labels:
+        app: dolibarr
+        release: latest
+    spec:
+      volumes:
+        - name: dolibarr-nginx-site
+          configMap:
+            name: dolibarr-nginx-site
+        - name: www-data
+          emptyDir: {}
+      containers:
+        - name: nginx-proxy
+          image: nginx
+          volumeMounts:
+            - name: dolibarr-nginx-site
+              mountPath: /etc/nginx/conf.d
+            - name: www-data
+              mountPath: /var/www/html
+          ports:
+            - name: http
+              containerPort: 80
+              protocol: TCP
+        - name: dolibarr
+          image: cr.lan/dolibarr:latest
+          volumeMounts:
+            - name: www-data
+              mountPath: /var/www/html
+          env:
+            - name: TZ
+              value: "Europe/Berlin"
+            - name: DOLI_DB_HOST
+              value: postgres.live-env.svc.cluster.local
+            - name: DOLI_DB_PORT
+              value: "5432"
+            - name: DOLI_DB_NAME
+              value: dolibarr
+            - name: DOLI_DB_USER
+              value: dolibarr
+            - name: DOLI_DB_PASSWORD
+              value: Vb7yHzmE5HIjfU4hjghjghj6AnMdB
+            - name: DOLI_DB_TYPE
+              value: pgsql
+          ports:
+            - name: php-fpm
+              containerPort: 9000
+              protocol: TCP
+          resources:
+            requests:
+              memory: "256Mi"
+              cpu: "250m"
+            limits:
+              memory: "512Mi"
+              cpu: "3000m"
+         
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: dolibarr
+spec:
+  ports:
+  - name: http
+    port: 80
+  selector:
+    app: dolibarr
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+    name: dolibarr
+    annotations:
+      kubernetes.io/ingress.class: nginx
+      ingress.kubernetes.io/whitelist-x-forwarded-for: "true"
+spec:
+    rules:
+    - host: dolibarr.lan
+      http:
+          paths:
+          - backend:
+              service:
+                name: dolibarr
+                port: 
+                  name: http
+            path: / 
+            pathType: Prefix

apps/dolibarr/entrypoint.sh

@@ -0,0 +1,271 @@
+#!/bin/sh
+set -e
+
+log() {
+    echo "[$0] [$(date +%Y-%m-%dT%H:%M:%S)] $*"
+}
+
+# version_greater A B returns whether A > B
+version_greater() {
+	[ "$(printf '%s\n' "$@" | sort -t '.' -n -k1,1 -k2,2 -k3,3 -k4,4 | head -n 1)" != "$1" ]
+}
+
+# return true if specified directory is empty
+directory_empty() {
+	[ -z "$(ls -A "$1/")" ]
+}
+
+run_as() {
+	if [ "$(id -u)" = 0 ]; then
+		su - www-data -s /bin/sh -c "$1"
+	else
+		sh -c "$1"
+	fi
+}
+
+
+if [ ! -f /usr/local/etc/php/php.ini ]; then
+	log "Initializing PHP configuration..."
+	cat <<EOF > /etc/php/7.4/fpm/php.ini
+date.timezone = "${PHP_INI_DATE_TIMEZONE}"
+memory_limit = ${PHP_MEMORY_LIMIT}
+file_uploads = On
+upload_max_filesize = ${PHP_MAX_UPLOAD}
+post_max_size = ${PHP_MAX_UPLOAD}
+max_execution_time = ${PHP_MAX_EXECUTION_TIME}
+sendmail_path = /usr/sbin/sendmail -t -i
+extension = calendar.so
+EOF
+fi
+
+
+if [ ! -d /var/www/documents ]; then
+	log "Initializing Dolibarr documents directory..."
+	mkdir -p /var/www/documents
+fi
+
+log "Updating Dolibarr users and group..."
+usermod -u "$WWW_USER_ID" www-data
+groupmod -g "$WWW_GROUP_ID" www-data
+
+log "Updating Dolibarr folder ownership..."
+chown -R www-data:www-data /var/www
+
+
+if [ ! -d /var/www/html/conf/ ]; then
+	log "Initializing Dolibarr HTML configuration directory..."
+	mkdir -p /var/www/html/conf/
+fi
+
+# Create a default config if autoconfig enabled
+if [ -n "$DOLI_AUTO_CONFIGURE" ] && [ ! -f /var/www/html/conf/conf.php ]; then
+	log "Initializing Dolibarr HTML configuration..."
+	cat <<EOF > /var/www/html/conf/conf.php
+<?php
+// Config file for Dolibarr ${DOLI_VERSION} ($(date +%Y-%m-%dT%H:%M:%S%:z))
+
+// ###################
+// # Main parameters #
+// ###################
+\$dolibarr_main_url_root='${DOLI_URL_ROOT}';
+\$dolibarr_main_document_root='/var/www/html';
+\$dolibarr_main_url_root_alt='/custom';
+\$dolibarr_main_document_root_alt='/var/www/html/custom';
+\$dolibarr_main_data_root='/var/www/documents';
+\$dolibarr_main_db_host='${DOLI_DB_HOST}';
+\$dolibarr_main_db_port='${DOLI_DB_PORT}';
+\$dolibarr_main_db_name='${DOLI_DB_NAME}';
+\$dolibarr_main_db_prefix='${DOLI_DB_PREFIX}';
+\$dolibarr_main_db_user='${DOLI_DB_USER}';
+\$dolibarr_main_db_pass='${DOLI_DB_PASSWORD}';
+\$dolibarr_main_db_type='${DOLI_DB_TYPE}';
+\$dolibarr_main_db_character_set='${DOLI_DB_CHARACTER_SET}';
+\$dolibarr_main_db_collation='${DOLI_DB_COLLATION}';
+
+// ##################
+// # Login          #
+// ##################
+\$dolibarr_main_authentication='${DOLI_AUTH}';
+\$dolibarr_main_auth_ldap_host='${DOLI_LDAP_HOST}';
+\$dolibarr_main_auth_ldap_port='${DOLI_LDAP_PORT}';
+\$dolibarr_main_auth_ldap_version='${DOLI_LDAP_VERSION}';
+\$dolibarr_main_auth_ldap_servertype='${DOLI_LDAP_SERVERTYPE}';
+\$dolibarr_main_auth_ldap_login_attribute='${DOLI_LDAP_LOGIN_ATTRIBUTE}';
+\$dolibarr_main_auth_ldap_dn='${DOLI_LDAP_DN}';
+\$dolibarr_main_auth_ldap_filter ='${DOLI_LDAP_FILTER}';
+\$dolibarr_main_auth_ldap_admin_login='${DOLI_LDAP_ADMIN_LOGIN}';
+\$dolibarr_main_auth_ldap_admin_pass='${DOLI_LDAP_ADMIN_PASS}';
+\$dolibarr_main_auth_ldap_debug='${DOLI_LDAP_DEBUG}';
+
+// ##################
+// # Security       #
+// ##################
+\$dolibarr_main_prod='${DOLI_PROD}';
+\$dolibarr_main_force_https='${DOLI_HTTPS}';
+\$dolibarr_main_restrict_os_commands='mysqldump, mysql, pg_dump, pgrestore';
+\$dolibarr_nocsrfcheck='${DOLI_NO_CSRF_CHECK}';
+\$dolibarr_main_cookie_cryptkey='$(openssl rand -hex 32)';
+\$dolibarr_mailing_limit_sendbyweb='0';
+EOF
+
+	chown www-data:www-data /var/www/html/conf/conf.php
+	chmod 766 /var/www/html/conf/conf.php
+fi
+
+
+# Detect Docker container version (ie. previous installed version)
+installed_version="0.0.0.0"
+if [ -f /var/www/documents/.docker-container-version ]; then
+	# shellcheck disable=SC2016
+	installed_version="$(cat /var/www/documents/.docker-container-version)"
+fi
+if [ -f /var/www/documents/install.version ]; then
+	# shellcheck disable=SC2016
+	installed_version="$(cat /var/www/documents/install.version)"
+	mv \
+		/var/www/documents/install.version \
+		/var/www/documents/.docker-container-version
+fi
+
+# Detect Docker image version (docker specific solution)
+# shellcheck disable=SC2016
+image_version="${DOLI_VERSION}"
+if [ -f /usr/src/dolibarr/.docker-image-version ]; then
+	# shellcheck disable=SC2016
+	image_version="$(cat /usr/src/dolibarr/.docker-image-version)"
+fi
+
+if version_greater "$installed_version" "$image_version"; then
+	log "Can't start Dolibarr because the version of the data ($installed_version) is higher than the docker image version ($image_version) and downgrading is not supported. Are you sure you have pulled the newest image version?"
+	exit 1
+fi
+
+# Initialize image
+if version_greater "$image_version" "$installed_version"; then
+	log "Dolibarr initialization..."
+	if [ "$(id -u)" = 0 ]; then
+		rsync_options="-rvlDog --chown www-data:root"
+	else
+		rsync_options="-rvlD"
+	fi
+
+	mkdir -p /var/www/scripts
+	rsync $rsync_options /usr/src/dolibarr/scripts/ /var/www/scripts/
+	rsync $rsync_options --delete --exclude /conf/ --exclude /custom/ --exclude /theme/ /usr/src/dolibarr/htdocs/ /var/www/html/
+
+	for dir in conf custom; do
+		if [ ! -d "/var/www/html/$dir" ] || directory_empty "/var/www/html/$dir"; then
+			rsync $rsync_options --include "/$dir/" --exclude '/*' /usr/src/dolibarr/htdocs/ /var/www/html/
+		fi
+	done
+
+	# The theme folder contains custom and official themes. We must copy even if folder is not empty, but not delete content either
+	for dir in theme; do
+		rsync $rsync_options --include "/$dir/" --exclude '/*' /usr/src/dolibarr/htdocs/ /var/www/html/
+	done
+
+	if [ "$installed_version" != "0.0.0.0" ]; then
+		# Call upgrade if needed
+		# https://wiki.dolibarr.org/index.php/Installation_-_Upgrade#With_Dolibarr_.28standard_.zip_package.29
+		log "Dolibarr upgrade from $installed_version to $image_version..."
+
+		if [ -f /var/www/documents/install.lock ]; then
+			rm /var/www/documents/install.lock
+		fi
+
+		base_version=$(echo "${installed_version}" | sed -e 's|\(.*\..*\)\..*|\1|g')
+		target_version=$(echo "${image_version}" | sed -e 's|\(.*\..*\)\..*|\1|g')
+
+		run_as "cd /var/www/html/install/ && php upgrade.php ${base_version}.0 ${target_version}.0"
+		run_as "cd /var/www/html/install/ && php upgrade2.php ${base_version}.0 ${target_version}.0"
+		run_as "cd /var/www/html/install/ && php step5.php ${base_version}.0 ${target_version}.0"
+
+		log 'This is a lock file to prevent use of install pages (generated by container entrypoint)' > /var/www/documents/install.lock
+		chown www-data:www-data /var/www/documents/install.lock
+		chmod 400 /var/www/documents/install.lock
+	elif [ -n "$DOLI_AUTO_CONFIGURE" ] && [ ! -f /var/www/documents/install.lock ]; then
+			log "Create forced values for first Dolibarr install..."
+			cat <<EOF > /var/www/html/install/install.forced.php
+<?php
+// Forced install config file for Dolibarr ${DOLI_VERSION} ($(date +%Y-%m-%dT%H:%M:%S%:z))
+
+/** @var bool Hide PHP informations */
+\$force_install_nophpinfo = true;
+
+/** @var int 1 = Lock and hide environment variables, 2 = Lock all set variables */
+\$force_install_noedit = 2;
+
+/** @var string Information message */
+\$force_install_message = 'Dolibarr installation (Docker)';
+
+/** @var string Data root absolute path (documents folder) */
+\$force_install_main_data_root = '/var/www/documents';
+
+/** @var bool Force HTTPS */
+\$force_install_mainforcehttps = !empty('${DOLI_HTTPS}');
+
+/** @var string Database name */
+\$force_install_database = '${DOLI_DB_NAME}';
+
+/** @var string Database driver (mysql|mysqli|pgsql|mssql|sqlite|sqlite3) */
+\$force_install_type = '${DOLI_DB_TYPE}';
+
+/** @var string Database server host */
+\$force_install_dbserver = '${DOLI_DB_HOST}';
+
+/** @var int Database server port */
+\$force_install_port = '${DOLI_DB_PORT}';
+
+/** @var string Database tables prefix */
+\$force_install_prefix = '${DOLI_DB_PREFIX}';
+
+/** @var string Database username */
+\$force_install_databaselogin = '${DOLI_DB_USER}';
+
+/** @var string Database password */
+\$force_install_databasepass = '${DOLI_DB_PASSWORD}';
+
+/** @var bool Force database user creation */
+\$force_install_createuser = false;
+
+/** @var bool Force database creation */
+\$force_install_createdatabase = !empty('${DOLI_DB_ROOT_LOGIN}');
+
+/** @var string Database root username */
+\$force_install_databaserootlogin = '${DOLI_DB_ROOT_LOGIN}';
+
+/** @var string Database root password */
+\$force_install_databaserootpass = '${DOLI_DB_ROOT_PASSWORD}';
+
+/** @var string Dolibarr super-administrator username */
+\$force_install_dolibarrlogin = '${DOLI_ADMIN_LOGIN}';
+
+/** @var bool Force install locking */
+\$force_install_lockinstall = true;
+
+/** @var string Enable module(s) (Comma separated class names list) */
+\$force_install_module = '${DOLI_MODULES}';
+
+EOF
+
+		log "You shall complete Dolibarr install manually at '${DOLI_URL_ROOT}/install'"
+	fi
+fi
+
+if [ ! -d /var/www/htdocs ]; then
+	log "Adding a symlink to /var/www/htdocs..."
+	ln -s /var/www/html /var/www/htdocs
+fi
+
+if [ ! -d /var/www/scripts ]; then
+	log "Initializing Dolibarr scripts directory..."
+	cp /usr/src/dolibarr/scripts /var/www/scripts
+fi
+
+if [ -f /var/www/documents/install.lock ]; then
+	log "Updating Dolibarr installed version..."
+	echo "$image_version" > /var/www/documents/.docker-container-version
+fi
+
+log "Serving Dolibarr...$@"
+exec "$@"

apps/dolibarr/nginx-site.configmap.conf

@@ -0,0 +1,60 @@
+server {
+	listen 80;
+	listen [::]:80;
+
+	add_header Referrer-Policy origin; # make sure outgoing links don't show the URL to the Matomo instance
+	root /var/www/html;
+	index index.php index.html;
+	try_files $uri $uri/ =404;
+
+	## only allow accessing the following php files
+	location ~ \.php$ {
+		# regex to split $uri to $fastcgi_script_name and $fastcgi_path
+		fastcgi_split_path_info ^(.+\.php)(/.+)$;
+		fastcgi_index index.php;
+
+		# Check that the PHP script exists before passing it
+		try_files $fastcgi_script_name =404;
+
+		proxy_connect_timeout       3600;
+		proxy_send_timeout          3600;
+		proxy_read_timeout          3600;
+		send_timeout                3600;
+
+		include fastcgi_params;
+		fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+		fastcgi_param PATH_INFO $fastcgi_path_info;
+		fastcgi_param HTTP_PROXY ""; # prohibit httpoxy: https://httpoxy.org/
+		fastcgi_pass 127.0.0.1:9000;
+	}
+
+	## disable all access to the following directories
+	location ~ /\.ht {
+		deny all;
+		return 403;
+	}
+	location ~ /\.git {
+		deny all;
+	}
+
+	location ~ \.(gif|ico|jpg|png|svg|js|css|htm|html|mp3|mp4|wav|ogg|avi|ttf|eot|woff|woff2|json)$ {
+		allow all;
+		## Cache images,CSS,JS and webfonts for an hour
+		## Increasing the duration may improve the load-time, but may cause old files to show after an Matomo upgrade
+		expires 1h;
+		add_header Pragma public;
+		add_header Cache-Control "public";
+	}
+
+	location ~ /(libs|vendor|plugins|misc/user) {
+		deny all;
+		return 403;
+	}
+
+	## properly display textfiles in root directory
+	location ~/(.*\.md|LEGALNOTICE|LICENSE) {
+		default_type text/plain;
+	}
+}
+
+# vim: filetype=nginx

apps/dolibarr/tekton.yaml

@@ -0,0 +1,23 @@
+apiVersion: tekton.dev/v1beta1
+kind: PipelineRun
+metadata:
+  name: img-dolibarr
+spec:
+  pipelineRef:
+    name: kaniko-pipeline
+  params:
+    - name: git-url
+      value: http://git-ui.lan/chaos/kubernetes.git
+    - name: git-revision
+      value: master
+    - name: path-to-image-context
+      value: apps/dolibarr
+    - name: path-to-dockerfile
+      value: apps/dolibarr/Dockerfile
+    - name: image-name
+      value: cr.lan/dolibarr
+  workspaces:
+      - name: git-source
+        persistentVolumeClaim:
+          claimName: tektoncd-workspaces
+        subPath: tekton/dolibarr

apps/gitea.yaml

@@ -1,3 +1,7 @@
+#we use postgresql:
+#create database gitea;
+#create user gitea with encrypted password 'secret';
+#grant all privileges on database gitea to gitea;
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -7,6 +11,8 @@ metadata:
     release: latest
 spec:
   replicas: 1
+  strategy:
+    type: Recreate
   selector:
     matchLabels:
       app: gitea
@@ -20,7 +26,6 @@ spec:
       containers:
         - name: gitea
           image: gitea/gitea:latest
-          imagePullPolicy: IfNotPresent
           env:
             - name: USER_UID
               value: "1000"
@@ -28,6 +33,38 @@ spec:
               value: "1000"
             - name: TZ
               value: "Europe/Berlin"
+            - name: GITEA__lfs__PATH
+              value: /data/git/lfs
+            - name: DB_TYPE
+              value: postgres
+            - name: DB_HOST
+              value: postgres.live-env.svc.cluster.local:5432
+            - name: DB_NAME
+              value: gitea
+            - name: DB_USER
+              value: gitea
+            - name: DB_PASSWD
+              value: giteaEu94XSS4gKpheSBoMsIs
+                #- name: GITEA__indexer__ISSUE_INDEXER
+                #value: redis
+                #- name: GITEA__indexer__ISSUE_INDEXER_QUEUE_CONN_STR
+                #value: addrs=redis-standalone.live-env.svc.cluster.local:6379 db=1
+            - name: GITEA__packages__ENABLED
+              value: "true"
+            - name: GITEA__log__LEVEL
+              value: warn 
+            - name: GITEA__log__MODE
+              value: file 
+            - name: GITEA__log__ROUTER
+              value: file 
+            - name: GITEA__log__MACARON
+              value: file 
+                #- name: GITEA__queue__TYPE
+                #value: redis 
+                #- name: GITEA__queue__CONN_STR
+                #value: redis://redis-standalone.live-env.svc.cluster.local:6397/0
+            - name: GITEA__server__ROOT_URL
+              value: http://git-ui.lan/
           volumeMounts:
             - name: gitea
               mountPath: /data
@@ -39,20 +76,24 @@ spec:
               containerPort: 22
               protocol : TCP 
           livenessProbe:
-            httpGet:
-              path: /
-              port: http
+             initialDelaySeconds: 300
+             periodSeconds: 10
+             httpGet:
+               path: /
+               port: http
           readinessProbe:
+            initialDelaySeconds: 300
+            periodSeconds: 10
             httpGet:
               path: /
               port: http
-#           resources:
-#             requests:
-#               memory: "256Mi"
-#               cpu: "250m"
-#             limits:
-#               memory: "1000Mi"
-#               cpu: "500m"
+          resources:
+            requests:
+              memory: "300Mi"
+              cpu: "150m"
+            limits:
+              memory: "512Mi"
+              cpu: "1000m"
       volumes:
       - name: gitea
         persistentVolumeClaim:
@@ -65,7 +106,8 @@ metadata:
   labels:
     app: gitea
 spec:
-  storageClassName: nfs-ssd
+  storageClassName: nfs-ssd-ebin02
+  volumeName: gitea
   accessModes:
   - ReadWriteOnce
   resources:
@@ -73,35 +115,64 @@ spec:
       storage: 20Gi
 ---
 apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: gitea
+spec:
+  storageClassName: "nfs-ssd-ebin02"
+  nfs:
+    path: /data/raid1-ssd/k8s-data/gitea-data
+    server: ebin02
+  capacity:
+    storage: 20Gi
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  persistentVolumeReclaimPolicy: Retain
+  claimRef:
+    kind: PersistentVolumeClaim
+    name: gitea
+    namespace: live-env
+---
+apiVersion: v1
 kind: Service
 metadata:
   name: gitea
   labels:
     app: gitea
-    release: latest
 spec:
+  type: LoadBalancer
+  loadBalancerIP: 172.23.255.2
   ports:
     - port: 3000
       targetPort: http
       protocol: TCP
       name: http
-    - port: 2222
+    - port: 22
       targetPort: 22
       name: ssh
   selector:
       app: gitea
       release: latest
 ---
-apiVersion: networking.k8s.io/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
     name: gitea
+    annotations:
+      kubernetes.io/ingress.class: nginx
+      ingress.kubernetes.io/whitelist-x-forwarded-for: "true"
+      nginx.ingress.kubernetes.io/proxy-body-size: 512m
 spec:
     rules:
-    - host: git.lan
+    - host: git-ui.lan
       http:
           paths:
-          - backend:
-              serviceName: gitea
-              servicePort: http
-            path: / 
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: gitea
+                port: 
+                  number: 3000
+             

apps/grav/Dockerfile

@@ -0,0 +1,34 @@
+FROM cr.lan/debian-stable-php-fpm
+ENV DEBIAN_FRONTEND noninteractive
+ARG GRAV_VERSION=1.7.34
+
+ARG DEV_PKGS="zlib1g-dev libpng-dev libjpeg-dev libfreetype6-dev \
+	libcurl4-gnutls-dev libxml2-dev libonig-dev"
+	
+RUN apt-get update && \
+	apt-get install -y git bash procps wget unzip supervisor \
+					php-fpm php-gd php-json php-curl php-dom php-xml php-yaml php-apcu \
+					php-opcache php-simplexml php-zip php-mbstring cron \ 
+	&& mkdir /var/www \
+	&& chown www-data:www-data /var/www \
+	&& cd /var/www
+
+# CLeanup	
+RUN	apt-get remove -y --purge ${DEV_PKGS} exim4* && \
+	apt-get autoremove --purge -y && \
+	apt-get clean -y && \ 
+	rm -rf /var/lib/apt/lists/* && \
+	rm -rf /var/cache/apt/* /tmp/* /var/tmp/* /var/log/*
+
+RUN mkdir /run/php && \
+	chown www-data:www-data /var/log /run/php && \
+	mkdir -p /etc/php/7.4/fpm/pool.d
+ADD docker-entrypoint.sh /
+ADD supervisor.conf /etc/supervisor.conf
+
+ENTRYPOINT ["/docker-entrypoint.sh"]	
+
+#USER www-data
+RUN (crontab -l; echo "* * * * * cd /var/www/grav;/usr/bin/php bin/grav scheduler 1>> /dev/null 2>&1") | crontab -u www-data -
+#CMD ["dumb-init", "/usr/sbin/php-fpm7.3", "--nodaemonize", "--force-stderr"]
+CMD ["supervisord", "-c", "/etc/supervisor.conf"]

apps/grav/README.md

@@ -0,0 +1,3 @@
+lighttpd is configured in etc_lighttpd
+generate a configmap with:
+	kubectl create configmap grav-lighttpd-config --from-file etc_lighthttpd/

apps/grav/deployment.yaml

@@ -0,0 +1,111 @@
+---
+apiVersion: apps/v1 # for versions before 1.9.0 use apps/v1beta2
+kind: Deployment
+metadata:
+  name: grav
+spec:
+  selector:
+    matchLabels:
+      app: grav
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app: grav
+    spec:
+      containers:
+      - image: cr.lan/grav:arm64
+        name: grav
+        imagePullPolicy: Always
+        ports:
+        - containerPort: 9000
+          name: php-fpm
+        volumeMounts:
+        - name: grav-pages
+          mountPath: /var/www/grav
+        - name: grav-etc-php-fpm-www-conf
+          mountPath: /etc/php/7.4/fpm/pool.d
+      - image: nginx:alpine
+        name: nginx
+        imagePullPolicy: IfNotPresent
+        ports:
+        - containerPort: 80
+          name: http
+        volumeMounts:
+        - name: grav-nginx-proxy-config
+          mountPath: /etc/nginx/nginx.conf
+          subPath: nginx.conf
+        - name: grav-pages
+          mountPath: /var/www/grav
+      initContainers:
+      - name: grav-install
+        image: busybox
+        command: ["/bin/sh"]
+        args:
+         - -c
+         - >-
+           wget -O /grav.zip "https://getgrav.org/download/core/grav-admin/latest" &&
+           unzip -q /grav.zip &&
+           rm -rf grav-admin/user/pages/* &&
+           cp -ru grav-admin/* /workdir/ &&
+           rm -rf /grav.zip &&
+           rm -rf /grav-admin &&
+           chown -R 33:33 /workdir/*
+        volumeMounts:
+        - name: grav-pages
+          mountPath: /workdir
+      volumes:
+      - name: grav-pages
+        persistentVolumeClaim:
+          claimName: grav-pages
+      - name: grav-nginx-proxy-config
+        configMap:
+          name: grav-nginx-proxy-config
+      - name: grav-etc-php-fpm-www-conf
+        configMap:
+          name: grav-etc-php-fpm-www-conf
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: grav
+spec:
+  ports:
+  - name: http
+    port: 80
+  selector:
+    app: grav
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: grav
+  annotations:
+    kubernetes.io/ingress.class: nginx
+    nginx.ingress.kubernetes.io/proxy-body-size: 512m
+spec:
+  rules:
+  - host: grav.lan
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: grav
+            port: 
+              name: http
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: grav-pages
+spec:
+  storageClassName: nfs-ssd-ebin01
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 6Gi
+      

apps/grav/docker-entrypoint.sh

@@ -0,0 +1,5 @@
+#!/bin/sh
+
+set -e
+
+exec "$@"

apps/grav/etc_php-fpm/www.conf

@@ -0,0 +1,440 @@
+; Start a new pool named 'www'.
+; the variable $pool can be used in any directive and will be replaced by the
+; pool name ('www' here)
+[www]
+
+; Per pool prefix
+; It only applies on the following directives:
+; - 'access.log'
+; - 'slowlog'
+; - 'listen' (unixsocket)
+; - 'chroot'
+; - 'chdir'
+; - 'php_values'
+; - 'php_admin_values'
+; When not set, the global prefix (or /usr) applies instead.
+; Note: This directive can also be relative to the global prefix.
+; Default Value: none
+;prefix = /path/to/pools/$pool
+
+; Unix user/group of processes
+; Note: The user is mandatory. If the group is not set, the default user's group
+;       will be used.
+user = www-data
+group = www-data
+
+; The address on which to accept FastCGI requests.
+; Valid syntaxes are:
+;   'ip.add.re.ss:port'    - to listen on a TCP socket to a specific IPv4 address on
+;                            a specific port;
+;   '[ip:6:addr:ess]:port' - to listen on a TCP socket to a specific IPv6 address on
+;                            a specific port;
+;   'port'                 - to listen on a TCP socket to all addresses
+;                            (IPv6 and IPv4-mapped) on a specific port;
+;   '/path/to/unix/socket' - to listen on a unix socket.
+; Note: This value is mandatory.
+; listen = /run/php/php7.4-fpm.sock
+listen = 127.0.0.1:9000
+
+; Set listen(2) backlog.
+; Default Value: 511 (-1 on FreeBSD and OpenBSD)
+;listen.backlog = 511
+
+; Set permissions for unix socket, if one is used. In Linux, read/write
+; permissions must be set in order to allow connections from a web server. Many
+; BSD-derived systems allow connections regardless of permissions. The owner
+; and group can be specified either by name or by their numeric IDs.
+; Default Values: user and group are set as the running user
+;                 mode is set to 0660
+listen.owner = www-data
+listen.group = www-data
+;listen.mode = 0660
+; When POSIX Access Control Lists are supported you can set them using
+; these options, value is a comma separated list of user/group names.
+; When set, listen.owner and listen.group are ignored
+;listen.acl_users =
+;listen.acl_groups =
+
+; List of addresses (IPv4/IPv6) of FastCGI clients which are allowed to connect.
+; Equivalent to the FCGI_WEB_SERVER_ADDRS environment variable in the original
+; PHP FCGI (5.2.2+). Makes sense only with a tcp listening socket. Each address
+; must be separated by a comma. If this value is left blank, connections will be
+; accepted from any ip address.
+; Default Value: any
+;listen.allowed_clients = 127.0.0.1
+
+; Specify the nice(2) priority to apply to the pool processes (only if set)
+; The value can vary from -19 (highest priority) to 20 (lower priority)
+; Note: - It will only work if the FPM master process is launched as root
+;       - The pool processes will inherit the master process priority
+;         unless it specified otherwise
+; Default Value: no set
+; process.priority = -19
+
+; Set the process dumpable flag (PR_SET_DUMPABLE prctl) even if the process user
+; or group is differrent than the master process user. It allows to create process
+; core dump and ptrace the process for the pool user.
+; Default Value: no
+; process.dumpable = yes
+
+; Choose how the process manager will control the number of child processes.
+; Possible Values:
+;   static  - a fixed number (pm.max_children) of child processes;
+;   dynamic - the number of child processes are set dynamically based on the
+;             following directives. With this process management, there will be
+;             always at least 1 children.
+;             pm.max_children      - the maximum number of children that can
+;                                    be alive at the same time.
+;             pm.start_servers     - the number of children created on startup.
+;             pm.min_spare_servers - the minimum number of children in 'idle'
+;                                    state (waiting to process). If the number
+;                                    of 'idle' processes is less than this
+;                                    number then some children will be created.
+;             pm.max_spare_servers - the maximum number of children in 'idle'
+;                                    state (waiting to process). If the number
+;                                    of 'idle' processes is greater than this
+;                                    number then some children will be killed.
+;  ondemand - no children are created at startup. Children will be forked when
+;             new requests will connect. The following parameter are used:
+;             pm.max_children           - the maximum number of children that
+;                                         can be alive at the same time.
+;             pm.process_idle_timeout   - The number of seconds after which
+;                                         an idle process will be killed.
+; Note: This value is mandatory.
+pm = dynamic
+
+; The number of child processes to be created when pm is set to 'static' and the
+; maximum number of child processes when pm is set to 'dynamic' or 'ondemand'.
+; This value sets the limit on the number of simultaneous requests that will be
+; served. Equivalent to the ApacheMaxClients directive with mpm_prefork.
+; Equivalent to the PHP_FCGI_CHILDREN environment variable in the original PHP
+; CGI. The below defaults are based on a server without much resources. Don't
+; forget to tweak pm.* to fit your needs.
+; Note: Used when pm is set to 'static', 'dynamic' or 'ondemand'
+; Note: This value is mandatory.
+pm.max_children = 5
+
+; The number of child processes created on startup.
+; Note: Used only when pm is set to 'dynamic'
+; Default Value: (min_spare_servers + max_spare_servers) / 2
+pm.start_servers = 2
+
+; The desired minimum number of idle server processes.
+; Note: Used only when pm is set to 'dynamic'
+; Note: Mandatory when pm is set to 'dynamic'
+pm.min_spare_servers = 1
+
+; The desired maximum number of idle server processes.
+; Note: Used only when pm is set to 'dynamic'
+; Note: Mandatory when pm is set to 'dynamic'
+pm.max_spare_servers = 3
+
+; The number of seconds after which an idle process will be killed.
+; Note: Used only when pm is set to 'ondemand'
+; Default Value: 10s
+;pm.process_idle_timeout = 10s;
+
+; The number of requests each child process should execute before respawning.
+; This can be useful to work around memory leaks in 3rd party libraries. For
+; endless request processing specify '0'. Equivalent to PHP_FCGI_MAX_REQUESTS.
+; Default Value: 0
+;pm.max_requests = 500
+
+; The URI to view the FPM status page. If this value is not set, no URI will be
+; recognized as a status page. It shows the following informations:
+;   pool                 - the name of the pool;
+;   process manager      - static, dynamic or ondemand;
+;   start time           - the date and time FPM has started;
+;   start since          - number of seconds since FPM has started;
+;   accepted conn        - the number of request accepted by the pool;
+;   listen queue         - the number of request in the queue of pending
+;                          connections (see backlog in listen(2));
+;   max listen queue     - the maximum number of requests in the queue
+;                          of pending connections since FPM has started;
+;   listen queue len     - the size of the socket queue of pending connections;
+;   idle processes       - the number of idle processes;
+;   active processes     - the number of active processes;
+;   total processes      - the number of idle + active processes;
+;   max active processes - the maximum number of active processes since FPM
+;                          has started;
+;   max children reached - number of times, the process limit has been reached,
+;                          when pm tries to start more children (works only for
+;                          pm 'dynamic' and 'ondemand');
+; Value are updated in real time.
+; Example output:
+;   pool:                 www
+;   process manager:      static
+;   start time:           01/Jul/2011:17:53:49 +0200
+;   start since:          62636
+;   accepted conn:        190460
+;   listen queue:         0
+;   max listen queue:     1
+;   listen queue len:     42
+;   idle processes:       4
+;   active processes:     11
+;   total processes:      15
+;   max active processes: 12
+;   max children reached: 0
+;
+; By default the status page output is formatted as text/plain. Passing either
+; 'html', 'xml' or 'json' in the query string will return the corresponding
+; output syntax. Example:
+;   http://www.foo.bar/status
+;   http://www.foo.bar/status?json
+;   http://www.foo.bar/status?html
+;   http://www.foo.bar/status?xml
+;
+; By default the status page only outputs short status. Passing 'full' in the
+; query string will also return status for each pool process.
+; Example:
+;   http://www.foo.bar/status?full
+;   http://www.foo.bar/status?json&full
+;   http://www.foo.bar/status?html&full
+;   http://www.foo.bar/status?xml&full
+; The Full status returns for each process:
+;   pid                  - the PID of the process;
+;   state                - the state of the process (Idle, Running, ...);
+;   start time           - the date and time the process has started;
+;   start since          - the number of seconds since the process has started;
+;   requests             - the number of requests the process has served;
+;   request duration     - the duration in µs of the requests;
+;   request method       - the request method (GET, POST, ...);
+;   request URI          - the request URI with the query string;
+;   content length       - the content length of the request (only with POST);
+;   user                 - the user (PHP_AUTH_USER) (or '-' if not set);
+;   script               - the main script called (or '-' if not set);
+;   last request cpu     - the %cpu the last request consumed
+;                          it's always 0 if the process is not in Idle state
+;                          because CPU calculation is done when the request
+;                          processing has terminated;
+;   last request memory  - the max amount of memory the last request consumed
+;                          it's always 0 if the process is not in Idle state
+;                          because memory calculation is done when the request
+;                          processing has terminated;
+; If the process is in Idle state, then informations are related to the
+; last request the process has served. Otherwise informations are related to
+; the current request being served.
+; Example output:
+;   ************************
+;   pid:                  31330
+;   state:                Running
+;   start time:           01/Jul/2011:17:53:49 +0200
+;   start since:          63087
+;   requests:             12808
+;   request duration:     1250261
+;   request method:       GET
+;   request URI:          /test_mem.php?N=10000
+;   content length:       0
+;   user:                 -
+;   script:               /home/fat/web/docs/php/test_mem.php
+;   last request cpu:     0.00
+;   last request memory:  0
+;
+; Note: There is a real-time FPM status monitoring sample web page available
+;       It's available in: /usr/share/php/7.4/fpm/status.html
+;
+; Note: The value must start with a leading slash (/). The value can be
+;       anything, but it may not be a good idea to use the .php extension or it
+;       may conflict with a real PHP file.
+; Default Value: not set
+;pm.status_path = /status
+
+; The ping URI to call the monitoring page of FPM. If this value is not set, no
+; URI will be recognized as a ping page. This could be used to test from outside
+; that FPM is alive and responding, or to
+; - create a graph of FPM availability (rrd or such);
+; - remove a server from a group if it is not responding (load balancing);
+; - trigger alerts for the operating team (24/7).
+; Note: The value must start with a leading slash (/). The value can be
+;       anything, but it may not be a good idea to use the .php extension or it
+;       may conflict with a real PHP file.
+; Default Value: not set
+;ping.path = /ping
+
+; This directive may be used to customize the response of a ping request. The
+; response is formatted as text/plain with a 200 response code.
+; Default Value: pong
+;ping.response = pong
+
+; The access log file
+; Default: not set
+;access.log = log/$pool.access.log
+
+; The access log format.
+; The following syntax is allowed
+;  %%: the '%' character
+;  %C: %CPU used by the request
+;      it can accept the following format:
+;      - %{user}C for user CPU only
+;      - %{system}C for system CPU only
+;      - %{total}C  for user + system CPU (default)
+;  %d: time taken to serve the request
+;      it can accept the following format:
+;      - %{seconds}d (default)
+;      - %{miliseconds}d
+;      - %{mili}d
+;      - %{microseconds}d
+;      - %{micro}d
+;  %e: an environment variable (same as $_ENV or $_SERVER)
+;      it must be associated with embraces to specify the name of the env
+;      variable. Some exemples:
+;      - server specifics like: %{REQUEST_METHOD}e or %{SERVER_PROTOCOL}e
+;      - HTTP headers like: %{HTTP_HOST}e or %{HTTP_USER_AGENT}e
+;  %f: script filename
+;  %l: content-length of the request (for POST request only)
+;  %m: request method
+;  %M: peak of memory allocated by PHP
+;      it can accept the following format:
+;      - %{bytes}M (default)
+;      - %{kilobytes}M
+;      - %{kilo}M
+;      - %{megabytes}M
+;      - %{mega}M
+;  %n: pool name
+;  %o: output header
+;      it must be associated with embraces to specify the name of the header:
+;      - %{Content-Type}o
+;      - %{X-Powered-By}o
+;      - %{Transfert-Encoding}o
+;      - ....
+;  %p: PID of the child that serviced the request
+;  %P: PID of the parent of the child that serviced the request
+;  %q: the query string
+;  %Q: the '?' character if query string exists
+;  %r: the request URI (without the query string, see %q and %Q)
+;  %R: remote IP address
+;  %s: status (response code)
+;  %t: server time the request was received
+;      it can accept a strftime(3) format:
+;      %d/%b/%Y:%H:%M:%S %z (default)
+;      The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
+;      e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
+;  %T: time the log has been written (the request has finished)
+;      it can accept a strftime(3) format:
+;      %d/%b/%Y:%H:%M:%S %z (default)
+;      The strftime(3) format must be encapsuled in a %{<strftime_format>}t tag
+;      e.g. for a ISO8601 formatted timestring, use: %{%Y-%m-%dT%H:%M:%S%z}t
+;  %u: remote user
+;
+; Default: "%R - %u %t \"%m %r\" %s"
+;access.format = "%R - %u %t \"%m %r%Q%q\" %s %f %{mili}d %{kilo}M %C%%"
+
+; The log file for slow requests
+; Default Value: not set
+; Note: slowlog is mandatory if request_slowlog_timeout is set
+;slowlog = log/$pool.log.slow
+
+; The timeout for serving a single request after which a PHP backtrace will be
+; dumped to the 'slowlog' file. A value of '0s' means 'off'.
+; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
+; Default Value: 0
+;request_slowlog_timeout = 0
+
+; Depth of slow log stack trace.
+; Default Value: 20
+;request_slowlog_trace_depth = 20
+
+; The timeout for serving a single request after which the worker process will
+; be killed. This option should be used when the 'max_execution_time' ini option
+; does not stop script execution for some reason. A value of '0' means 'off'.
+; Available units: s(econds)(default), m(inutes), h(ours), or d(ays)
+; Default Value: 0
+;request_terminate_timeout = 0
+
+; The timeout set by 'request_terminate_timeout' ini option is not engaged after
+; application calls 'fastcgi_finish_request' or when application has finished and
+; shutdown functions are being called (registered via register_shutdown_function).
+; This option will enable timeout limit to be applied unconditionally
+; even in such cases.
+; Default Value: no
+;request_terminate_timeout_track_finished = no
+
+; Set open file descriptor rlimit.
+; Default Value: system defined value
+;rlimit_files = 1024
+
+; Set max core size rlimit.
+; Possible Values: 'unlimited' or an integer greater or equal to 0
+; Default Value: system defined value
+;rlimit_core = 0
+
+; Chroot to this directory at the start. This value must be defined as an
+; absolute path. When this value is not set, chroot is not used.
+; Note: you can prefix with '$prefix' to chroot to the pool prefix or one
+; of its subdirectories. If the pool prefix is not set, the global prefix
+; will be used instead.
+; Note: chrooting is a great security feature and should be used whenever
+;       possible. However, all PHP paths will be relative to the chroot
+;       (error_log, sessions.save_path, ...).
+; Default Value: not set
+;chroot =
+
+; Chdir to this directory at the start.
+; Note: relative path can be used.
+; Default Value: current directory or / when chroot
+;chdir = /var/www
+
+; Redirect worker stdout and stderr into main error log. If not set, stdout and
+; stderr will be redirected to /dev/null according to FastCGI specs.
+; Note: on highloaded environement, this can cause some delay in the page
+; process time (several ms).
+; Default Value: no
+;catch_workers_output = yes
+
+; Decorate worker output with prefix and suffix containing information about
+; the child that writes to the log and if stdout or stderr is used as well as
+; log level and time. This options is used only if catch_workers_output is yes.
+; Settings to "no" will output data as written to the stdout or stderr.
+; Default value: yes
+;decorate_workers_output = no
+
+; Clear environment in FPM workers
+; Prevents arbitrary environment variables from reaching FPM worker processes
+; by clearing the environment in workers before env vars specified in this
+; pool configuration are added.
+; Setting to "no" will make all environment variables available to PHP code
+; via getenv(), $_ENV and $_SERVER.
+; Default Value: yes
+;clear_env = no
+
+; Limits the extensions of the main script FPM will allow to parse. This can
+; prevent configuration mistakes on the web server side. You should only limit
+; FPM to .php extensions to prevent malicious users to use other extensions to
+; execute php code.
+; Note: set an empty value to allow all extensions.
+; Default Value: .php
+;security.limit_extensions = .php .php3 .php4 .php5 .php7
+
+; Pass environment variables like LD_LIBRARY_PATH. All $VARIABLEs are taken from
+; the current environment.
+; Default Value: clean env
+;env[HOSTNAME] = $HOSTNAME
+;env[PATH] = /usr/local/bin:/usr/bin:/bin
+;env[TMP] = /tmp
+;env[TMPDIR] = /tmp
+;env[TEMP] = /tmp
+
+; Additional php.ini defines, specific to this pool of workers. These settings
+; overwrite the values previously defined in the php.ini. The directives are the
+; same as the PHP SAPI:
+;   php_value/php_flag             - you can set classic ini defines which can
+;                                    be overwritten from PHP call 'ini_set'.
+;   php_admin_value/php_admin_flag - these directives won't be overwritten by
+;                                     PHP call 'ini_set'
+; For php_*flag, valid values are on, off, 1, 0, true, false, yes or no.
+
+; Defining 'extension' will load the corresponding shared extension from
+; extension_dir. Defining 'disable_functions' or 'disable_classes' will not
+; overwrite previously defined php.ini values, but will append the new value
+; instead.
+
+; Note: path INI options can be relative and will be expanded with the prefix
+; (pool, global or /usr)
+
+; Default Value: nothing is defined by default except the values in php.ini and
+;                specified at startup with the -d argument
+;php_admin_value[sendmail_path] = /usr/sbin/sendmail -t -i -f www@my.domain.com
+;php_flag[display_errors] = off
+;php_admin_value[error_log] = /var/log/fpm-php.www.log
+;php_admin_flag[log_errors] = on
+;php_admin_value[memory_limit] = 32M

apps/grav/nginx.conf.yaml

@@ -0,0 +1,68 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: grav-nginx-proxy-config
+data:
+  nginx.conf: |-
+    user  nginx;
+    worker_processes  1;
+
+    error_log  /var/log/nginx/error.log warn;
+    pid        /var/run/nginx.pid;
+
+    events {
+        worker_connections  64;
+    }
+
+    http {
+        include       /etc/nginx/mime.types;
+        default_type  application/octet-stream;
+
+        log_format  main  '$remote_addr - $remote_user [$time_local] "$request" '
+                          '$status $body_bytes_sent "$http_referer" '
+                          '"$http_user_agent" "$http_x_forwarded_for"';
+
+        access_log  off; 
+        #access_log /var/log/nginx/access.log  main;
+
+        sendfile        on;
+        keepalive_timeout  65;
+
+        server {
+            listen 80;
+            server_name _;
+            index index.html index.php;
+            root /var/www/grav;
+            ## Begin - Index
+            # for subfolders, simply adjust:
+            # `location /subfolder {`
+            # and the rewrite to use `/subfolder/index.php`
+            location / {
+                try_files $uri $uri/ /index.php?$query_string;
+            }
+            ## End - Index
+        
+            ## Begin - Security
+            # deny all direct access for these folders
+            location ~* /(\.git|cache|bin|logs|backup|tests)/.*$ { return 403; }
+            # deny running scripts inside core system folders
+            location ~* /(system|vendor)/.*\.(txt|xml|md|html|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
+            # deny running scripts inside user folder
+            location ~* /user/.*\.(txt|md|yaml|yml|php|pl|py|cgi|twig|sh|bat)$ { return 403; }
+            # deny access to specific files in the root folder
+            location ~ /(LICENSE\.txt|composer\.lock|composer\.json|nginx\.conf|web\.config|htaccess\.txt|\.htaccess) { return 403; }
+            ## End - Security
+        
+            ## Begin - PHP
+            location ~ \.php$ {
+                # Choose either a socket or TCP/IP address
+                fastcgi_pass 127.0.0.1:9000;
+        
+                fastcgi_split_path_info ^(.+\.php)(/.+)$;
+                fastcgi_index index.php;
+                include fastcgi_params;
+                fastcgi_param SCRIPT_FILENAME $document_root/$fastcgi_script_name;
+            }
+            ## End - PHP
+        }
+    }

apps/grav/supervisor.conf

@@ -0,0 +1,14 @@
+[supervisord]
+nodaemon=true
+
+[program:cron]
+command=/usr/sbin/cron
+killasgroup=true
+stopasgroup=true
+redirect_stderr=true
+user=root
+
+
+[program:php-fpm]
+command=/usr/sbin/php-fpm7.4 --nodaemonize --force-stderr
+user=www-data

apps/home-assistant.yaml

@@ -1,94 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  name: hassio
-  labels:
-    app: hassio
-    release: latest
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      app: hassio
-      release: latest
-  template:
-    metadata:
-      labels:
-        app: hassio
-        release: latest
-    spec:
-      containers:
-        - name: hassio
-          image: "homeassistant/home-assistant:latest"
-          imagePullPolicy: Always
-          volumeMounts:
-            - name: hassio-storage
-              mountPath: /.storage
-          ports:
-            - name: http
-              containerPort: 8123
-              protocol: TCP
-          livenessProbe:
-            httpGet:
-              path: /
-              port: http
-          readinessProbe:
-            httpGet:
-              path: /
-              port: http
-#           resources:
-#             requests:
-#               memory: "256Mi"
-#               cpu: "250m"
-#             limits:
-#               memory: "1000Mi"
-#               cpu: "500m"
-      volumes:
-      - name: hassio-storage
-        persistentVolumeClaim:
-          claimName: hassio-storage
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: hassio-storage
-  labels:
-    app: hassio
-spec:
-  storageClassName: nfs-ssd
-  accessModes:
-  - ReadWriteOnce
-  resources:
-    requests:
-      storage: 20Mi
----
-apiVersion: v1
-kind: Service
-metadata:
-  name: hassio
-  labels:
-    app: hassio
-    release: latest
-spec:
-  ports:
-    - port: 80
-      targetPort: http
-      protocol: TCP
-      name: http
-  selector:
-      app: hassio
-      release: latest
----
-apiVersion: networking.k8s.io/v1beta1
-kind: Ingress
-metadata:
-    name: hassio
-spec:
-    rules:
-    - host: hassio.lan
-      http:
-          paths:
-          - backend:
-              serviceName: hassio
-              servicePort: http
-            path: / 

apps/mariadb/mariadb-deployment.yaml

@@ -11,7 +11,7 @@ spec:
   selector:
     app: mariadb
   type: LoadBalancer
-  loadBalancerIP: 172.23.255.4
+  loadBalancerIP: 172.23.255.5
 ---
 apiVersion: apps/v1 # for versions before 1.9.0 use apps/v1beta2
 kind: Deployment
@@ -29,7 +29,7 @@ spec:
         app: mariadb
     spec:
       containers:
-      - image: docker-registry.lan/mariadb:arm64
+      - image: cr.lan/mariadb
         name: mariadb
         imagePullPolicy: Always
         env:
@@ -49,7 +49,7 @@ spec:
           limits:
             memory: "1500Mi"
             cpu: "2000m"
-      - image: docker-registry.lan/mariadb-prometheus-exporter:arm64
+      - image: cr.lan/mariadb-prometheus-exporter
         name: mariadb-prometheus-exporter
         imagePullPolicy: Always
         ports:
@@ -65,18 +65,37 @@ spec:
       volumes:
       - name: mariadb-persistent-storage
         persistentVolumeClaim:
-          claimName: mariadb-pv-claim
+          claimName: mariadb-data
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: mariadb-pv-claim
-  annotations:
-    volume.beta.kubernetes.io/storage-class: nfs-ssd
+  name: mariadb-data
 spec:
   storageClassName: nfs-ssd
+  volumeName: mariadb-data
   accessModes:
   - ReadWriteOnce
   resources:
     requests:
-      storage: 20Gi
+      storage: 40Gi
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: mariadb-data 
+spec:
+  storageClassName: "nfs-ssd"
+  nfs:
+    path: /data/raid1-ssd/k8s-data/mariadb-data
+    server: ebin01
+  capacity:
+    storage: 40Gi
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  persistentVolumeReclaimPolicy: Retain
+  claimRef:
+    kind: PersistentVolumeClaim
+    name: mariadb-data
+    namspace: live-env

apps/mariadb/mariadb-prometheus/Dockerfile

@@ -1,5 +1,5 @@
 # vim:set ft=dockerfile:
-FROM debian:buster-slim
+FROM cr.lan/debian-stable
 
 RUN set -ex; \
 	apt-get update; \

apps/mariadb/mariadb/Dockerfile

@@ -1,11 +1,13 @@
 # vim:set ft=dockerfile:
-FROM debian:buster-slim
+FROM cr.lan/debian-stable
 
 # add our user and group first to make sure their IDs get assigned consistently, regardless of whatever dependencies get added
 RUN groupadd -r mysql && useradd -r -g mysql mysql
 
 # https://bugs.debian.org/830696 (apt uses gpgv by default in newer releases, rather than gpg)
 RUN set -ex; \
+	sed -i 's@deb.debian.org@apt-cache.lan/deb.debian.org@g' /etc/apt/sources.list; \
+	sed -i 's@security.debian.org@apt-cache.lan/security.debian.org@g' /etc/apt/sources.list; \
 	apt-get update; \
 	if ! which gpg; then \
 		apt-get install -y --no-install-recommends gnupg; \
@@ -93,6 +95,7 @@ RUN set -ex; \
 		| xargs -rt -0 sed -Ei 's/^(bind-address|log)/#&/'; \
 # don't reverse lookup hostnames, they are usually another container
 	echo '[mysqld]\nskip-host-cache\nskip-name-resolve' > /etc/mysql/conf.d/docker.cnf; \
+	mkdir -p /run/mysqld; \
 	apt-get clean -y;
 	
 VOLUME /var/lib/mysql

apps/mariadb/tekton-image-build-mariadb-prometheus-exporter.yaml

@@ -0,0 +1,23 @@
+apiVersion: tekton.dev/v1beta1
+kind: PipelineRun
+metadata:
+  name: img-mariadb-prometheus-node-exporter
+spec:
+  pipelineRef:
+    name: kaniko-pipeline
+  params:
+    - name: git-url
+      value: http://git-ui.lan/chaos/kubernetes.git
+    - name: git-revision
+      value: master
+    - name: path-to-image-context
+      value: apps/mariadb/mariadb-prometheus
+    - name: path-to-dockerfile
+      value: apps/mariadb/mariadb-prometheus/Dockerfile
+    - name: image-name
+      value: cr.lan/mariadb-prometheus-node-exporter
+  workspaces:
+      - name: git-source
+        persistentVolumeClaim:
+          claimName: tektoncd-workspaces
+        subPath: tekton/mariadb-prometheus-node-exporter

apps/mariadb/tekton-image-build-mariadb.yaml

@@ -0,0 +1,23 @@
+apiVersion: tekton.dev/v1beta1
+kind: PipelineRun
+metadata:
+  name: img-mariadb
+spec:
+  pipelineRef:
+    name: kaniko-pipeline
+  params:
+    - name: git-url
+      value: http://git-ui.lan/chaos/kubernetes.git
+    - name: git-revision
+      value: master
+    - name: path-to-image-context
+      value: apps/mariadb/mariadb
+    - name: path-to-dockerfile
+      value: apps/mariadb/mariadb/Dockerfile
+    - name: image-name
+      value: cr.lan/mariadb
+  workspaces:
+      - name: git-source
+        persistentVolumeClaim:
+          claimName: tektoncd-workspaces
+        subPath: tekton/mariadb

apps/mosquitto-prometheus-exporter/Dockerfile

@@ -0,0 +1,19 @@
+FROM cr.wks/debian-golang AS build
+
+ENV GOARCH=arm64
+ENV GOPATH=/usr/src/gopath
+ENV GOCACHE=/usr/src/gocache
+RUN go env
+WORKDIR /usr/src
+RUN go install github.com/sapcc/mosquitto-exporter@latest
+#RUN go mod download
+
+FROM cr.wks/debian-stable
+LABEL source_repository="https://github.com/sapcc/mosquitto-exporter"
+
+COPY --from=build /usr/src/gopath/bin/mosquitto-exporter /mosquitto-exporter
+RUN chmod 0755 /mosquitto-exporter
+
+EXPOSE 9234
+
+ENTRYPOINT [ "/mosquitto-exporter" ]

apps/mosquitto/Dockerfile

@@ -1,19 +1,16 @@
-FROM debian:buster-slim
+FROM cr.wks/debian-stable
 
-RUN echo 'Acquire::http::proxy "http://172.23.255.1:3142";' >/etc/apt/apt.conf.d/proxy
 RUN apt-get update && \
     apt-get install -y --no-install-recommends \
-	mosquitto mosquitto-clients procps && \
+	mosquitto procps && \
     apt-get clean -y && \
     rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
 
 # Op port
 EXPOSE 1883
-# Stats port
-#EXPOSE 9090
 
 ADD docker-entrypoint.sh /
 
 ENTRYPOINT ["/docker-entrypoint.sh"]
 
-CMD ["/usr/sbin/mosquitto", "-c", "/mosquitto/config/mosquitto.conf"]
+CMD ["/usr/sbin/mosquitto", "-v", "-c", "/mosquitto/config/mosquitto.conf"]

apps/mosquitto/deployment.yaml

@@ -6,7 +6,6 @@ metadata:
     app: mosquitto
     release: mqtt
   name: mqtt-mosquitto
-  namespace: default
 spec:
   replicas: 1
   selector:
@@ -23,7 +22,7 @@ spec:
     spec:
       containers:
       - name: mqtt-mosquitto
-        image: docker-registry.lan/mosquitto:arm64
+        image: cr.lan/mosquitto
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 3
@@ -63,7 +62,8 @@ spec:
           name: mosquitto-data
           subPath: mosquitto/data
       - name: mosquitto-exporter
-        image: docker-registry.lan/mosquitto-exporter:arm64
+        image: cr.lan/mosquitto-prometheus-exporter
+        args: ["--endpoint", "tcp://mqtt.lan:1883"]
         imagePullPolicy: Always
         ports:
         - containerPort: 9234
@@ -96,7 +96,6 @@ metadata:
     labels:
         app: mosquitto
         release: mqtt
-    namespace: default
     name: mqtt-mosquitto
 spec:
     externalTrafficPolicy: Cluster
@@ -117,13 +116,10 @@ spec:
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-    #annotations:
-    #  volume.beta.kubernetes.io/storage-provisioner: nfs-storage
   labels:
     app: mosquitto
     release: mqtt
   name: mqtt-mosquitto
-  namespace: default
 spec:
   accessModes:
   - ReadWriteOnce
@@ -137,7 +133,6 @@ apiVersion: v1
 kind: ConfigMap
 metadata:
     name: mqtt-mosquitto
-    namespace: default
     labels:
       app: mosquitto
       release: mqtt
@@ -148,4 +143,3 @@ data:
     port 1883
     persistence true 
     persistence_location /mosquitto/data/
-

apps/namspaces.yaml

@@ -1,4 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  name: test

apps/nextcloud/Dockerfile

@@ -0,0 +1,86 @@
+FROM nextcloud:24-fpm
+#needed for some reason
+ENV NEXTCLOUD_UPDATE=1 
+
+
+RUN sed -i 's@deb.debian.org@apt-cache.lan/deb.debian.org@g' /etc/apt/sources.list && \
+	sed -i 's@security.debian.org@apt-cache.lan/security.debian.org@g' /etc/apt/sources.list && \
+	apt-get update && apt-get install -y \
+	procps bash iputils-ping libmagickcore-6.q16-6-extra vim-tiny
+	
+RUN apt-get clean -y && \
+    rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+
+
+RUN	touch /usr/src/nextcloud/data/.ocdata
+COPY config.php /usr/src/nextcloud/config/
+#COPY htaccess-data /usr/src/nextcloud/data/.htaccess
+#COPY apache-default-vhost.conf /etc/apache2/sites-available/000-default.conf
+RUN mv /usr/src/nextcloud/.htaccess /usr/src/nextcloud/.htaccess.bak
+RUN mv /usr/src/nextcloud/config/.htaccess /usr/src/nextcloud/config/.htaccess.bak
+
+#install ca.crt update script to the container
+
+COPY post-start.sh /
+RUN chmod +x /post-start.sh
+
+#RUN set -ex; \
+#    \
+#    apt-get update; \
+#    apt-get install -y --no-install-recommends \
+#        ffmpeg \
+#        libmagickcore-6.q16-6-extra \
+#        procps \
+#        smbclient \
+#        supervisor \
+##       libreoffice \
+#    ; \
+#    rm -rf /var/lib/apt/lists/*
+#
+#RUN set -ex; \
+#    \
+#    savedAptMark="$(apt-mark showmanual)"; \
+#    \
+#    apt-get update; \
+#    apt-get install -y --no-install-recommends \
+#        libbz2-dev \
+#        libc-client-dev \
+#        libkrb5-dev \
+#        libsmbclient-dev \
+#    ; \
+#    \
+#    docker-php-ext-configure imap --with-kerberos --with-imap-ssl; \
+#    docker-php-ext-install \
+#        bz2 \
+#        imap \
+#    ; \
+#    pecl install smbclient; \
+#    docker-php-ext-enable smbclient; \
+#    \
+## reset apt-mark's "manual" list so that "purge --auto-remove" will remove all build dependencies
+#    apt-mark auto '.*' > /dev/null; \
+#    apt-mark manual $savedAptMark; \
+#    ldd "$(php -r 'echo ini_get("extension_dir");')"/*.so \
+#        | awk '/=>/ { print $3 }' \
+#        | sort -u \
+#        | xargs -r dpkg-query -S \
+#        | cut -d: -f1 \
+#        | sort -u \
+#        | xargs -rt apt-mark manual; \
+#    \
+#    apt-get purge -y --auto-remove -o APT::AutoRemove::RecommendsImportant=false; \
+#    apt-get clean -y; \ 
+#	rm -rf /var/cache/apt/*; \
+#    rm -rf /var/lib/apt/lists/*
+#
+#RUN mkdir -p \
+#    /var/log/supervisord \
+#    /var/run/supervisord \
+#;
+#RUN chown www-data:www-data \
+#	/var/log/supervisord \
+#	/var/run/supervisord;
+#	
+#COPY supervisord.conf /
+#
+#CMD ["/usr/bin/supervisord", "-c", "/supervisord.conf"]

apps/nextcloud/README.md

@@ -0,0 +1,2 @@
+# kubectl -n live-env create configmap nextcloud-config --from-file=config.php
+# kubectl -n live-env create configmap nextcloud-nginx-site --from-file=nginx-site.configmap.conf

apps/nextcloud/config.php

@@ -0,0 +1,60 @@
+<?php
+//
+// Manually deployed by yourself
+//
+$CONFIG = array(
+    'config_is_read_only' => false,
+    'htaccess.RewriteBase' => '/',
+    'memcache.local' => '\\OC\\Memcache\\APCu',
+    'apps_paths' => array(
+        0 => array(
+            'path' => '/var/www/html/apps',
+            'url' => '/apps',
+            'writable' => false
+        ),
+        1 => array(
+            'path' => '/var/www/html/custom_apps',
+            'url' => '/custom_apps',
+            'writable' => true
+        )
+    ),
+    'objectstore' => array(
+        'class' => '\\OC\\Files\\ObjectStore\\S3',
+        'arguments' => array(
+            'bucket' => 'nextcloud',
+            'key' => 'nextcloud',
+            'secret' => 'tWnc3zdxcDUvcX5f9uY7RRYvKLcWI1KY',
+            'region' => '',
+            'hostname' => 'minio.live-infra.svc.cluster.local',
+            'port' => '443',
+            'objectPrefix' => 'urn:oid:',
+            'autocreate' => false,
+            'use_ssl' => true,
+            'use_path_style' => true,
+            'legacy_auth' => false
+        )
+    ),
+    'instanceid' => 'ocsxqijfvpf7',
+    'passwordsalt' => 'OTjmXJP0VKlw+OLja6wUxbHlZk4Txw',
+    'secret' => '0g94SdF7A2k/LHTKUM+8HwEDFgF1zz7I/sMauap02/d8G677',
+    'trusted_domains' => array(
+        0 => 'nc.lan'
+    ),
+    'trusted_proxies' => array(
+        0 => '172.23.255.1', 
+        1 => '127.0.0.1'
+    ),
+    'datadirectory' => '/var/www/html/data',
+    'dbtype' => 'pgsql',
+    'version' => '24.0.0',
+    'overwrite.cli.url' => 'http://nc.lan',
+    'dbname' => 'nextcloud',
+    'dbhost' => 'postgres.live-env.svc.cluster.local:5432',
+    'dbport' => '',
+    'dbtableprefix' => 'oc_',
+    'dbuser' => 'nextcloud',
+    'dbpassword' => 'Vb7yHzmE5HIjfU4hf89aXAmEEmxAnMdB',
+    'installed' => true,
+    'default_phone_region' => 'DE',
+    'updater.release.channel' => 'stable',
+);

apps/nextcloud/deployment.yaml

@@ -0,0 +1,140 @@
+#we use postgresql:
+#create database nextcloud;
+#create user nextcloud with encrypted password 'secret';
+#grant all privileges on database nextcloud to nextcloud;
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: nextcloud
+  labels:
+    app: nextcloud
+    release: latest
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nextcloud
+      release: latest
+  template:
+    metadata:
+      labels:
+        app: nextcloud
+        release: latest
+    spec:
+      volumes:
+        - name: nextcloud-nginx-site
+          configMap:
+            name: nextcloud-nginx-site
+        - name: nextcloud-config
+          configMap:
+            name: nextcloud-config
+        - name: www-data
+          emptyDir: {}
+      containers:
+        - name: nginx-proxy
+          image: nginx
+          volumeMounts:
+            - name: nextcloud-nginx-site
+              mountPath: /etc/nginx/conf.d
+            - name: www-data
+              mountPath: /var/www/html
+          ports:
+            - name: http
+              containerPort: 80
+              protocol: TCP
+        - name: nextcloud
+          image: cr.lan/nextcloud:latest
+          lifecycle:
+            postStart:
+              exec:
+                command: 
+                  - /post-start.sh
+          volumeMounts:
+            - name: www-data
+              mountPath: /var/www/html
+            #- name: nextcloud-config
+            #  mountPath: /var/www/html/config/config.php
+            #  subPath: config.php
+          env:
+            - name: TZ
+              value: "Europe/Berlin"
+            - name: POSTGRES_HOST
+              value: postgres.live-env.svc.cluster.local:5432
+            - name: POSTGRES_DB
+              value: nextcloud
+            - name: POSTGRES_USER
+              value: nextcloud
+            - name: POSTGRES_PASSWORD
+              value: Vb7yHzmE5HIjfU4hf89aXAmEEmxAnMdB
+            - name: NEXTCLOUD_TRUSTED_DOMAINS
+              value: nc nc.lan 172.23.255.1
+            - name: OBJECTSTORE_S3_HOST
+              value: minio.live-infra.svc.cluster.local
+            - name: OBJECTSTORE_S3_BUCKET
+              value: nextcloud
+            - name: OBJECTSTORE_S3_KEY
+              value: nextcloud
+            - name: OBJECTSTORE_S3_SECRET
+              value: tWnc3zdxcDUvcX5f9uY7RRYvKLcWI1KY
+            - name: OBJECTSTORE_S3_PORT
+              value: "443"
+            - name: OBJECTSTORE_S3_USEPATH_STYLE
+              value: "true"
+            - name: OBJECTSTORE_S3_SSL
+              value: "true"
+          ports:
+            - name: php-fpm
+              containerPort: 9000
+              protocol: TCP
+#          startupProbe:
+#            httpGet:
+#              path: /
+#              port: http
+#           livenessProbe:
+#             httpGet:
+#               path: /
+#               port: http
+#           readinessProbe:
+#             httpGet:
+#               path: /
+#               port: http
+          resources:
+            requests:
+              memory: "512Mi"
+              cpu: "250m"
+            limits:
+              memory: "768Mi"
+              cpu: "3000m"
+         
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: nextcloud
+spec:
+  ports:
+  - name: http
+    port: 80
+  selector:
+    app: nextcloud
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+    name: nextcloud
+    annotations:
+      kubernetes.io/ingress.class: nginx
+      ingress.kubernetes.io/whitelist-x-forwarded-for: "true"
+      nginx.ingress.kubernetes.io/proxy-body-size: 512m
+spec:
+    rules:
+    - host: nc.lan
+      http:
+          paths:
+          - backend:
+              service:
+                name: nextcloud
+                port: 
+                  name: http
+            path: / 
+            pathType: Prefix

apps/nextcloud/nginx-site.configmap.conf

@@ -0,0 +1,146 @@
+upstream php-handler {
+    server 127.0.0.1:9000;
+    #server unix:/var/run/php/php7.4-fpm.sock;
+}
+
+#server {
+#    listen 80;
+#    listen [::]:80;
+#    server_name cloud.example.com;
+#
+#    # Enforce HTTPS
+#    return 301 https://$server_name$request_uri;
+#}
+
+server {
+    listen 80;
+    listen [::]:80;
+    server_name _;
+
+    # Use Mozilla's guidelines for SSL/TLS settings
+    # https://mozilla.github.io/server-side-tls/ssl-config-generator/
+    #ssl_certificate     /etc/ssl/nginx/cloud.example.com.crt;
+    #ssl_certificate_key /etc/ssl/nginx/cloud.example.com.key;
+
+    # HSTS settings
+    # WARNING: Only add the preload option once you read about
+    # the consequences in https://hstspreload.org/. This option
+    # will add the domain to a hardcoded list that is shipped
+    # in all major browsers and getting removed from this list
+    # could take several months.
+    #add_header Strict-Transport-Security "max-age=15768000; includeSubDomains; preload;" always;
+
+    # set max upload size
+    client_max_body_size 512M;
+    fastcgi_buffers 64 4K;
+
+    # Enable gzip but do not remove ETag headers
+    gzip on;
+    gzip_vary on;
+    gzip_comp_level 4;
+    gzip_min_length 256;
+    gzip_proxied expired no-cache no-store private no_last_modified no_etag auth;
+    gzip_types application/atom+xml application/javascript application/json application/ld+json application/manifest+json application/rss+xml application/vnd.geo+json application/vnd.ms-fontobject application/x-font-ttf application/x-web-app-manifest+json application/xhtml+xml application/xml font/opentype image/bmp image/svg+xml image/x-icon text/cache-manifest text/css text/plain text/vcard text/vnd.rim.location.xloc text/vtt text/x-component text/x-cross-domain-policy;
+
+    # Pagespeed is not supported by Nextcloud, so if your server is built
+    # with the `ngx_pagespeed` module, uncomment this line to disable it.
+    #pagespeed off;
+
+    # HTTP response headers borrowed from Nextcloud `.htaccess`
+    add_header Referrer-Policy                      "no-referrer"   always;
+    add_header X-Content-Type-Options               "nosniff"       always;
+    add_header X-Download-Options                   "noopen"        always;
+    add_header X-Frame-Options                      "SAMEORIGIN"    always;
+    add_header X-Permitted-Cross-Domain-Policies    "none"          always;
+    add_header X-Robots-Tag                         "none"          always;
+    add_header X-XSS-Protection                     "1; mode=block" always;
+
+    # Remove X-Powered-By, which is an information leak
+    fastcgi_hide_header X-Powered-By;
+
+    # Path to the root of your installation
+    root /var/www/html;
+
+    # Specify how to handle directories -- specifying `/index.php$request_uri`
+    # here as the fallback means that Nginx always exhibits the desired behaviour
+    # when a client requests a path that corresponds to a directory that exists
+    # on the server. In particular, if that directory contains an index.php file,
+    # that file is correctly served; if it doesn't, then the request is passed to
+    # the front-end controller. This consistent behaviour means that we don't need
+    # to specify custom rules for certain paths (e.g. images and other assets,
+    # `/updater`, `/ocm-provider`, `/ocs-provider`), and thus
+    # `try_files $uri $uri/ /index.php$request_uri`
+    # always provides the desired behaviour.
+    index index.php index.html /index.php$request_uri;
+
+    # Rule borrowed from `.htaccess` to handle Microsoft DAV clients
+    location = / {
+        if ( $http_user_agent ~ ^DavClnt ) {
+            return 302 /remote.php/webdav/$is_args$args;
+        }
+    }
+
+    location = /robots.txt {
+        allow all;
+        log_not_found off;
+        access_log off;
+    }
+
+    # Make a regex exception for `/.well-known` so that clients can still
+    # access it despite the existence of the regex rule
+    # `location ~ /(\.|autotest|...)` which would otherwise handle requests
+    # for `/.well-known`.
+    location ^~ /.well-known {
+        # The following 6 rules are borrowed from `.htaccess`
+
+        location = /.well-known/carddav     { return 301 /remote.php/dav/; }
+        location = /.well-known/caldav      { return 301 /remote.php/dav/; }
+        # Anything else is dynamically handled by Nextcloud
+        location ^~ /.well-known            { return 301 /index.php$uri; }
+
+        try_files $uri $uri/ =404;
+    }
+
+    # Rules borrowed from `.htaccess` to hide certain paths from clients
+    location ~ ^/(?:build|tests|config|lib|3rdparty|templates|data)(?:$|/)  { return 404; }
+    location ~ ^/(?:\.|autotest|occ|issue|indie|db_|console)              { return 404; }
+
+    # Ensure this block, which passes PHP files to the PHP process, is above the blocks
+    # which handle static assets (as seen below). If this block is not declared first,
+    # then Nginx will encounter an infinite rewriting loop when it prepends `/index.php`
+    # to the URI, resulting in a HTTP 500 error response.
+    location ~ \.php(?:$|/) {
+        fastcgi_split_path_info ^(.+?\.php)(/.*)$;
+        set $path_info $fastcgi_path_info;
+
+        try_files $fastcgi_script_name =404;
+
+        include fastcgi_params;
+        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
+        fastcgi_param PATH_INFO $path_info;
+        fastcgi_param HTTPS off;
+
+        fastcgi_param modHeadersAvailable true;         # Avoid sending the security headers twice
+        fastcgi_param front_controller_active true;     # Enable pretty urls
+        fastcgi_pass php-handler;
+
+        fastcgi_intercept_errors on;
+        fastcgi_request_buffering off;
+    }
+
+    location ~ \.(?:css|js|svg|gif)$ {
+        try_files $uri /index.php$request_uri;
+        expires 6M;         # Cache-Control policy borrowed from `.htaccess`
+        access_log off;     # Optional: Don't log access to assets
+    }
+
+    location ~ \.woff2?$ {
+        try_files $uri /index.php$request_uri;
+        expires 7d;         # Cache-Control policy borrowed from `.htaccess`
+        access_log off;     # Optional: Don't log access to assets
+    }
+
+    location / {
+        try_files $uri $uri/ /index.php$request_uri;
+    }
+}

apps/nextcloud/post-start.sh

@@ -0,0 +1,22 @@
+#!/bin/bash
+ln -s /var/run/secrets/kubernetes.io/serviceaccount/ca.crt /usr/local/share/ca-certificates/
+/usr/sbin/update-ca-certificates
+
+#su - www-data --shell=/bin/bash --command="cd /var/www/html && php -d memory_limit=512M ./occ upgrade"
+
+# reinstall/activate apps
+#DIS_APP=( accessibility admin_audit contactsinteraction dashboard files_external
+#		files_rightclick firstrunwizard logreader nextcloud_announcements
+#		serverinfo sharebymail survey_client systemtags ser_ldap weather_status )
+#		
+#EN_APP=( activity cloud_federation_api comments dav encryption federatedfilesharing 
+#		federation files files_pdfviewer files_sharing files_trashbin files_videoplayer 
+#		lookup_server_connector notes notifications oauth2 password_policy photos 
+#		privacy provisioning_api recommendations settings support text theming 
+#		twofactor_backupcodes updatenotification user_status viewer workflowengine
+#		files_versions timetracker tasks deck files_3d )
+#		
+#for APP in ${DIS_APP[@]}; do echo "+${APP}+"; done
+#echo "ENABLED"
+#
+#for APP in ${EN_APP[@]}; do echo "+${APP}+"; done

apps/nextcloud/tekton.yaml

@@ -0,0 +1,23 @@
+apiVersion: tekton.dev/v1beta1
+kind: PipelineRun
+metadata:
+  name: img-nextcloud
+spec:
+  pipelineRef:
+    name: kaniko-pipeline
+  params:
+    - name: git-url
+      value: http://git-ui.lan/chaos/kubernetes.git
+    - name: git-revision
+      value: master
+    - name: path-to-image-context
+      value: apps/nextcloud
+    - name: path-to-dockerfile
+      value: apps/nextcloud/Dockerfile
+    - name: image-name
+      value: cr.lan/nextcloud
+  workspaces:
+    - name: git-source
+      persistentVolumeClaim:
+        claimName: tektoncd-workspaces
+      subPath: tekton/nextcloud

apps/nodered-deployment.yaml

@@ -25,6 +25,13 @@ spec:
           volumeMounts:
             - mountPath: /data
               name: data
+          resources:
+            limits:
+              cpu: "1"
+              memory: "200Mi"
+            requests:
+              memory: "64Mi"
+              cpu: "50m"
       volumes:
         - name: data
           persistentVolumeClaim:
@@ -46,29 +53,32 @@ spec:
   selector:
     app: node-red
 ---
-apiVersion: networking.k8s.io/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: node-red
   annotations:
+    kubernetes.io/ingress.class: nginx
     nginx.ingress.kubernetes.io/rewrite-target: /
 spec:
   rules:
-  - host: node-red.lan
+  - host: nodered.lan
     http:
       paths:
       - path: /
+        pathType: Prefix
         backend:
-          serviceName: node-red
-          servicePort: 1880
-
+          service:
+            name: node-red
+            port: 
+              number: 1880
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
   name: node-red 
 spec:
-  storageClassName: nfs-ssd 
+  storageClassName: nfs-ssd-ebin01 
   accessModes:
   - ReadWriteOnce
   resources:

apps/pihole-deployment.yaml

@@ -3,7 +3,7 @@ apiVersion: v1
 kind: Secret
 metadata:
   name: pihole-password
-  namespace: default
+  namespace: live-env 
 type: Opaque
 data:
   password: YWRtaW4yMDIw
@@ -33,6 +33,8 @@ spec:
     spec:
       containers:
       - env:
+        - name: TZ
+          value: Europe/Berlin
         - name: WEB_PORT
           value: "80"
         - name: VIRTUAL_HOST
@@ -46,7 +48,7 @@ spec:
           value: 208.67.222.222
         - name: DNS2
           value: 208.67.220.220
-        image: pihole/pihole:v5.1.2
+        image: pihole/pihole:latest
         imagePullPolicy: Always
         livenessProbe:
           failureThreshold: 10
@@ -123,22 +125,23 @@ spec:
           name: pihole-custom-dnsmasq
         name: custom-dnsmasq
 ---
-apiVersion: networking.k8s.io/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: pihole 
-  annotations:
-      nginx.ingress.kubernetes.io/rewrite-target: /admin/$1
 spec:
   rules:
   - host: pihole.lan
     http:
         paths:
-        - backend:
-            serviceName: pihole-tcp
-            servicePort: http
-          path: /(.*)
+        - path: /
           pathType: ImplementationSpecific
+          backend:
+            service:
+              name: pihole-tcp
+              port: 
+                name: http
+          
 ---
 apiVersion: v1
 kind: PersistentVolumeClaim
@@ -173,7 +176,7 @@ metadata:
   labels:
     app: pihole
   name: pihole-tcp
-  namespace: default
+  namespace: live-env 
 spec:
   type: LoadBalancer
   loadBalancerIP: 172.23.255.253
@@ -205,7 +208,7 @@ metadata:
   labels:
     app: pihole
   name: pihole-udp
-  namespace: default
+  namespace: live-env 
 spec:
   type: LoadBalancer
   loadBalancerIP: 172.23.255.253

apps/piwigo/Dockerfile

@@ -1,4 +1,4 @@
-FROM debian:stable-slim
+FROM cr.lan/debian-stable
 
 #RUN echo 'Acquire::http::proxy "http://172.23.255.1:3142";' >/etc/apt/apt.conf.d/proxy
 RUN apt-get update && apt-get install -y \

apps/piwigo/deployment.yaml

@@ -17,9 +17,8 @@ spec:
         app: piwigo
     spec:
       containers:
-      - image: linuxserver/piwigo
+      - image: linuxserver/piwigo:latest
         name: piwigo
-        imagePullPolicy: IfNotPresent
         env:
 # Use secret in real usage
         - name: TZ
@@ -74,20 +73,26 @@ spec:
   selector:
     app: piwigo
 ---
-apiVersion: networking.k8s.io/v1beta1
+apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
   name: piwigo
   labels:
     app: piwigo
+  annotations:
+    kubernetes.io/ingress.class: nginx
 spec:
   rules:
   - host: foto.lan
     http:
       paths:
-      - backend:
-          serviceName: piwigo
-          servicePort: http
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: piwigo
+            port: 
+              name: http
 ---
 apiVersion: batch/v1beta1
 kind: CronJob

apps/postgresql-deploy.yaml

@@ -0,0 +1,128 @@
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: postgres
+  labels:
+    app: postgres
+    env: live
+spec:
+  selector:
+    matchLabels:
+      app: postgres
+      env: live
+  serviceName: postgres-service
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: postgres
+        env: live
+    spec:
+      containers:
+      - name: postgres-exporter
+        image: quay.io/prometheuscommunity/postgres-exporter
+        ports:
+          - containerPort: 9187
+            protocol: TCP
+        env:
+        - name: DATA_SOURCE_NAME
+          value: "postgresql://postgres:pg2020@localhost:5432/postgres?sslmode=disable"
+          #value: "port=5432 host=127.0.0.1"
+      - name: postgres
+        image: postgres:13
+        ports:
+          - containerPort: 5432 
+            protocol: TCP
+        volumeMounts:
+        - name: postgres-disk
+          mountPath: /var/lib/postgresql/data
+        env:
+        - name: POSTGRES_PASSWORD
+          value: pg2020
+        - name: PGDATA
+          value: /var/lib/postgresql/data/pgdata
+      affinity:
+        podAntiAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+          - labelSelector:
+              matchExpressions:
+              - key: app
+                operator: In
+                values:
+                - prometheus
+                - loki
+            topologyKey: kubernetes.io/hostname
+#      - name: prometheus-exporter
+#        image: wrouesnel/postgres_exporter
+#        env:
+#        - name: DATA_SOURCE_NAME
+#          value: postgresql://postgres:pg2020@localhost:5432/postgres?sslmode=disable
+      volumes:
+      - name: postgres-disk
+        persistentVolumeClaim:
+          claimName: postgres-data
+#  volumeClaimTemplates:
+#  - metadata:
+#      name: postgres-disk
+#    spec:
+#      accessModes:
+#      - ReadWriteOnce
+#      resources:
+#        requests:
+#          storage: 10Gi
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: postgres-data
+  labels:
+    app: postgres
+spec:
+  storageClassName: nfs-ssd
+  volumeName: postgres-data
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 40Gi
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: postgres-data 
+spec:
+  storageClassName: "nfs-ssd"
+  nfs:
+    path: /data/raid1-ssd/k8s-data/postgres-data
+    server: ebin01
+  capacity:
+    storage: 40Gi
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  persistentVolumeReclaimPolicy: Retain
+  claimRef:
+    kind: PersistentVolumeClaim
+    name: postgres-data
+    namespace: live-env
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: postgres
+  labels:
+    app: postgres
+    env: live
+spec:
+  selector:
+    env: live
+  type: LoadBalancer
+  loadBalancerIP: 172.23.255.4
+  ports:
+  - name: postgres
+    port: 5432
+    targetPort: 5432
+  - name: exporter
+    port: 9187
+    targetPort: 9187
+  

apps/redis.yaml

@@ -0,0 +1,103 @@
+apiVersion: v1
+kind: ConfigMap
+metadata: 
+  name: redis-cm
+  namespace: live-env
+data: 
+  redis.conf: |-
+    bind * -::*
+    appendonly yes
+    maxmemory 5mb
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: redis-standalone
+  namespace: live-env
+spec:
+  serviceName: redis-standalone
+  replicas: 1
+  selector:
+    matchLabels:
+      app: redis-standalone
+  template:
+    metadata:
+      labels:
+        app: redis-standalone
+    spec:
+      containers:
+      - name: redis-standalone
+        image: redis
+        command: ["redis-server"]
+        args: ["/usr/local/etc/redis/redis.conf"]
+        resources:
+          limits:
+            memory: "128Mi"
+            cpu: "50m"
+        ports:
+        - containerPort: 6379
+        volumeMounts:
+          - name: redis-standalone-pv 
+            mountPath: /data
+          - name: config
+            mountPath: /usr/local/etc/redis
+      volumes:
+        - name: config
+          configMap: 
+            name: redis-cm
+        - name: redis-standalone-pv
+          persistentVolumeClaim:
+            claimName: redis-standalone-pv
+            
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: redis-standalone
+  labels:
+    app: redis-standalone
+    env: live-env
+spec:
+  selector:
+    env: live-env
+  type: LoadBalancer
+  loadBalancerIP: 172.23.255.6
+  ports:
+  - name: redis-standalone
+    port: 6379
+    targetPort: 6379
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: redis-standalone-pv
+  labels:
+    app: redis-stndalone
+spec:
+  storageClassName: nfs-ssd-ebin02
+  volumeName: redis-standalone-pv
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 100Mi
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: redis-standalone-pv
+spec:
+  storageClassName: "nfs-ssd-ebin02"
+  nfs:
+    path: /data/raid1-ssd/k8s-data/redis-standalone-pv
+    server: ebin02
+  capacity:
+    storage: 100Mi
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  persistentVolumeReclaimPolicy: Retain
+  claimRef:
+    kind: PersistentVolumeClaim
+    name: redis-standalone-pv
+    namespace: live-env

apps/rompr/Dockerfile

@@ -1,25 +1,43 @@
-FROM php:7-fpm
+FROM cr.chaos/debian-stable-php-fpm as baseimage
 
-#RUN echo 'Acquire::http::proxy "http://172.23.255.1:3142";' >/etc/apt/apt.conf.d/proxy
-
-ARG DEV_PKGS='zlib1g-dev libpng-dev libjpeg-dev libfreetype6-dev \
-	libcurl4-gnutls-dev default-libmysqlclient-dev'
-	
-RUN apt-get update && \
-	apt-get install -y imagemagick git bash procps \
-	${DEV_PKGS} && \
-	docker-php-ext-configure gd --with-freetype --with-jpeg && \
-    docker-php-ext-install -j$(nproc) gd && \
-    docker-php-ext-install -j$(nproc) json && \ 
-    docker-php-ext-install -j$(nproc) curl && \
-    docker-php-ext-install -j$(nproc) mysqli && \
-    docker-php-ext-install -j$(nproc) pdo pdo_mysql
-	
+ARG ROMPR_VERSION=2.24
+# Install packages
+ENV DEBIAN_FRONTEND=noninteractive
+RUN apt-get update && apt-get -y install \
+      nginx \
+      curl \
+      unzip
 # CLeanup	
-RUN	apt-get remove -y --purge ${DEV_PKGS} && \
-	apt-get autoremove --purge -y && \
+RUN	apt-get autoremove --purge -y && \
 	apt-get clean -y && \ 
 	rm -rf /var/lib/apt/lists/* && \
 	rm -rf /var/cache/apt/* /tmp/* /var/tmp/* /var/log/*
 	
-VOLUME [ "/rompr" ]
+RUN curl -k -L -o rompr.zip https://github.com/fatg3erman/RompR/releases/download/${ROMPR_VERSION}/rompr-${ROMPR_VERSION}.zip
+RUN mkdir -p /app /rompr
+RUN unzip -d /app rompr.zip && rm rompr.zip
+RUN ln -sf /rompr/prefs /app/rompr/prefs; ln -sf /rompr/albumart /app/rompr/albumart;
+RUN chown -R www-data:www-data /app/rompr /rompr
+RUN pwd; ls -la .;ls -la /etc/php/
+ADD files/nginx_default /etc/nginx/sites-available/default
+RUN mkdir -p /run/php/
+
+FROM baseimage as final
+
+#Environment variables to configure php
+RUN sed -ri -e  's/^allow_url_fopen =.*/allow_url_fopen = On/g' /etc/php/8.4/fpm/php.ini && \
+    sed -ri -e  's/^memory_limit =.*/memory_limit = 128M/g' /etc/php/8.4/fpm/php.ini && \
+    sed -ri -e  's/^max_execution_time =.*/max_execution_time = 1800/g' /etc/php/8.4/fpm/php.ini && \
+    sed -ri -e  's/^post_max_size =.*/post_max_size = 256M/g' /etc/php/8.4/fpm/php.ini && \
+    sed -ri -e  's/^upload_max_filesize =.*/upload_max_filesize = 8M/g' /etc/php/8.4/fpm/php.ini && \
+    sed -ri -e  's/^max_file_uploads =.*/max_file_uploads = 50/g' /etc/php/8.4/fpm/php.ini && \
+    sed -ri -e  's/^display_errors =.*/display_errors = On/g' /etc/php/8.4/fpm/php.ini && \
+    sed -ri -e  's/^display_startup_errors =.*/display_startup_errors = On/g' /etc/php/8.4/fpm/php.ini
+
+RUN echo "<?php phpinfo(); ?>" > /app/rompr/phpinfo.php
+RUN update-rc.d php8.4-fpm defaults
+ADD files/run-httpd /usr/local/bin/
+RUN chmod 755 /usr/local/bin/run-httpd
+EXPOSE 80
+VOLUME ["/rompr"]
+CMD ["/usr/local/bin/run-httpd"]

apps/rompr/README.md

@@ -1,3 +1,5 @@
-lighttpd is configured in etc_lighttpd
-generate a configmap with:
-	kubectl create configmap rompr-lighttpd-config --from-file etc_lighthttpd/
+Run with:
+
+```podman run --pull=always -d --replace -p 127.0.0.1:8081:80 \
+           --mount=type=bind,source=/var/lib/rompr,destination=/rompr \
+           --tz=Europe/Berlin --name=rompr cr.wks/rompr:latest```

apps/rompr/deployment.yaml

@@ -1,81 +0,0 @@
----
-apiVersion: apps/v1 # for versions before 1.9.0 use apps/v1beta2
-kind: Deployment
-metadata:
-   name: rompr
-spec:
-   selector:
-      matchLabels:
-         app: rompr
-   strategy:
-      type: Recreate
-   template:
-      metadata:
-         labels:
-            app: rompr
-      spec:
-         containers:
-         -  image: docker-registry.lan/rompr:arm64
-            name: rompr
-            imagePullPolicy: Always
-            ports:
-            -  containerPort: 9000
-               name: php-fpm
-            volumeMounts:
-            -  name: rompr-data
-               mountPath: /rompr
-         -  image: sebp/lighttpd:latest
-            name: lighttpd
-            imagePullPolicy: IfNotPresent
-            ports:
-            -  containerPort: 80
-               name: http
-            volumeMounts:
-            - name: rompr-data
-              mountPath: /rompr
-            - name: rompr-lighttpd-config
-              mountPath: /etc/lighttpd
-         volumes:
-         - name: rompr-data
-           persistentVolumeClaim:
-             claimName: rompr-data
-         - name: rompr-lighttpd-config
-           configMap:
-             name: rompr-lighttpd-config
----
-apiVersion: v1
-kind: Service
-metadata:
-   name: rompr
-spec:
-   ports:
-   - name: http
-     port: 80
-   selector:
-      app: rompr
----
-apiVersion: networking.k8s.io/v1beta1
-kind: Ingress
-metadata:
-   name: rompr
-spec:
-   rules:
-   -  host: musik.lan
-      http:
-         paths:
-         -  backend:
-               serviceName: rompr
-               servicePort: http
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-   name: rompr-data
-spec:
-   storageClassName: nfs-ssd
-   accessModes:
-   - ReadWriteOnce
-   resources:
-      requests:
-         storage: 6Gi
-         

apps/rompr/etc_lighthttpd/lighttpd.conf

@@ -1,335 +0,0 @@
-###############################################################################
-# Default lighttpd.conf for Gentoo.
-# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/lighttpd.conf,v 1.3 2005/09/01 14:22:35 ka0ttic Exp $
-###############################################################################
-
-# {{{ variables
-var.basedir  = "/rompr"
-var.logdir   = "/var/log/lighttpd"
-var.statedir = "/var/lib/lighttpd"
-# }}}
-
-# {{{ modules
-# At the very least, mod_access and mod_accesslog should be enabled.
-# All other modules should only be loaded if necessary.
-# NOTE: the order of modules is important.
-server.modules = (
-    "mod_rewrite",
-    "mod_redirect",
-    "mod_alias",
-    "mod_access",
-#    "mod_cml",
-#    "mod_trigger_b4_dl",
-#    "mod_auth",
-#    "mod_status",
-#    "mod_setenv",
-#    "mod_proxy",
-#    "mod_simple_vhost",
-#    "mod_evhost",
-#    "mod_userdir",
-    "mod_compress",
-#    "mod_ssi",
-#    "mod_usertrack",
-    "mod_expire",
-#    "mod_secdownload",
-#    "mod_rrdtool",
-#    "mod_webdav",
-#    "mod_accesslog"
-)
-# }}}
-
-# {{{ includes
-include "mime-types.conf"
-# uncomment for cgi support
-#   include "mod_cgi.conf"
-# uncomment for php/fastcgi support
-#   include "mod_fastcgi.conf"
-# uncomment for php/fastcgi fpm support
-include "mod_fastcgi_fpm.conf"
-# }}}
-
-# {{{ server settings
-server.username      = "lighttpd"
-server.groupname     = "www-data"
-
-server.document-root = var.basedir
-server.pid-file      = "/run/lighttpd.pid"
-
-#server.errorlog      = "/dev/pts/0"
-# log errors to syslog instead
-#   server.errorlog-use-syslog = "enable"
-
-server.indexfiles    = ("index.php")
-
-# server.tag           = "lighttpd"
-
-server.follow-symlink = "enable"
-
-# ROMPR
-# Expire header for RompR albumart
-expire.url = ( "/albumart/" => "modification plus 1 seconds" )
-# This sets the 404 page globally for the server which is OK if you're only
-# running RompR but will affect other sites on your system.
-# If you have other sites on this system then you should maybe look at virtual hosts.
-# If you don't use the custom 404 page for RompR your album art manager will 
-# not work correctly.
-server.error-handler-404 = "404.php"
-# ROMPR END
-
-# event handler (defaults to "poll")
-# see performance.txt
-# 
-# for >= linux-2.4
-#   server.event-handler = "linux-rtsig"
-# for >= linux-2.6
-#   server.event-handler = "linux-sysepoll"
-# for FreeBSD
-#   server.event-handler = "freebsd-kqueue"
-
-# chroot to directory (defaults to no chroot)
-# server.chroot      = "/"
-
-# bind to port (defaults to 80)
-# server.port          = 81
-
-# bind to name (defaults to all interfaces)
-# server.bind          = "grisu.home.kneschke.de"
-
-# error-handler for status 404
-# server.error-handler-404 = "/error-handler.html"
-# server.error-handler-404 = "/error-handler.php"
-
-# Format: <errorfile-prefix><status-code>.html
-# -> ..../status-404.html for 'File not found'
-# server.errorfile-prefix    = var.basedir + "/error/status-"
-
-# FAM support for caching stat() calls
-# requires that lighttpd be built with USE=fam
-#   server.stat-cache-engine = "fam"
-# }}}
-
-# {{{ mod_staticfile
-
-# which extensions should not be handled via static-file transfer
-# (extensions that are usually handled by mod_cgi, mod_fastcgi, etc).
-static-file.exclude-extensions = (".php", ".pl", ".cgi", ".fcgi")
-# }}}
-
-# {{{ mod_accesslog
-# accesslog.filename   = "/dev/pts/0"
-# }}}
-
-# {{{ mod_dirlisting
-# enable directory listings
-#   dir-listing.activate      = "enable"
-#
-# don't list hidden files/directories
-#   dir-listing.hide-dotfiles = "enable"
-#
-# use a different css for directory listings
-#   dir-listing.external-css  = "/path/to/dir-listing.css"
-#
-# list of regular expressions.  files that match any of the
-# specified regular expressions will be excluded from directory
-# listings.
-#   dir-listing.exclude = ("^\.", "~$")
-# }}}
-
-# {{{ mod_access
-# see access.txt
-
-url.access-deny = ("~", ".inc")
-# }}}
-
-# {{{ mod_userdir
-# see userdir.txt
-#
-# userdir.path = "public_html"
-# userdir.exclude-user = ("root")
-# }}}
-
-# {{{ mod_ssi
-# see ssi.txt
-#
-# ssi.extension = (".shtml")
-# }}}
-
-# {{{ mod_ssl
-# see ssl.txt
-#
-# ssl.engine    = "enable"
-# ssl.pemfile   = "server.pem"
-# }}}
-
-# {{{ mod_status
-# see status.txt
-#
-# status.status-url  = "/server-status"
-# status.config-url  = "/server-config"
-# }}}
-
-# {{{ mod_simple_vhost
-# see simple-vhost.txt
-#
-#  If you want name-based virtual hosting add the next three settings and load
-#  mod_simple_vhost
-#
-# document-root =
-#   virtual-server-root + virtual-server-default-host + virtual-server-docroot
-# or
-#   virtual-server-root + http-host + virtual-server-docroot
-#
-# simple-vhost.server-root   = "/home/weigon/wwwroot/servers/"
-# simple-vhost.default-host  = "grisu.home.kneschke.de"
-# simple-vhost.document-root = "/pages/"
-# }}}
-
-# {{{ mod_compress
-# see compress.txt
-#
-compress.cache-dir   = "/tmp"
-compress.filetype           = ( "application/javascript", "text/css", "text/html", "text/plain" )
-
-# }}}
-
-# {{{ mod_proxy
-# see proxy.txt
-#
-# proxy.server               = ( ".php" =>
-#                               ( "localhost" =>
-#                                 (
-#                                   "host" => "192.168.0.101",
-#                                   "port" => 80
-#                                 )
-#                               )
-#                             )
-# }}}
-
-# {{{ mod_auth
-# see authentication.txt
-#
-# auth.backend               = "plain"
-# auth.backend.plain.userfile = "lighttpd.user"
-# auth.backend.plain.groupfile = "lighttpd.group"
-
-# auth.backend.ldap.hostname = "localhost"
-# auth.backend.ldap.base-dn  = "dc=my-domain,dc=com"
-# auth.backend.ldap.filter   = "(uid=$)"
-
-# auth.require               = ( "/server-status" =>
-#                               (
-#                                 "method"  => "digest",
-#                                 "realm"   => "download archiv",
-#                                 "require" => "user=jan"
-#                               ),
-#                               "/server-info" =>
-#                               (
-#                                 "method"  => "digest",
-#                                 "realm"   => "download archiv",
-#                                 "require" => "valid-user"
-#                               )
-#                             )
-# }}}
-
-# {{{ mod_rewrite
-# see rewrite.txt
-#
-# url.rewrite = (
-#	"^/$"		=>		"/server-status"
-# )
-# }}}
-
-# {{{ mod_redirect
-# see redirect.txt
-#
-# url.redirect = (
-#	"^/wishlist/(.+)"		=>		"http://www.123.org/$1"
-# )
-# }}}
-
-# {{{ mod_evhost
-# define a pattern for the host url finding
-# %% => % sign
-# %0 => domain name + tld
-# %1 => tld
-# %2 => domain name without tld
-# %3 => subdomain 1 name
-# %4 => subdomain 2 name
-#
-# evhost.path-pattern        = "/home/storage/dev/www/%3/htdocs/"
-# }}}
-
-# {{{ mod_expire
-# expire.url = (
-#	"/buggy/"		=>		"access 2 hours",
-#	"/asdhas/"		=>		"access plus 1 seconds 2 minutes"
-# )
-# }}}
-
-# {{{ mod_rrdtool
-# see rrdtool.txt
-#
-# rrdtool.binary  = "/usr/bin/rrdtool"
-# rrdtool.db-name = var.statedir + "/lighttpd.rrd"
-# }}}
-
-# {{{ mod_setenv
-# see setenv.txt
-#
-# setenv.add-request-header  = ( "TRAV_ENV" => "mysql://user@host/db" )
-# setenv.add-response-header = ( "X-Secret-Message" => "42" )
-# }}}
-
-# {{{ mod_trigger_b4_dl
-# see trigger_b4_dl.txt
-#
-# trigger-before-download.gdbm-filename = "/home/weigon/testbase/trigger.db"
-# trigger-before-download.memcache-hosts = ( "127.0.0.1:11211" )
-# trigger-before-download.trigger-url = "^/trigger/"
-# trigger-before-download.download-url = "^/download/"
-# trigger-before-download.deny-url = "http://127.0.0.1/index.html"
-# trigger-before-download.trigger-timeout = 10
-# }}}
-
-# {{{ mod_cml
-# see cml.txt
-#
-# don't forget to add index.cml to server.indexfiles
-# cml.extension               = ".cml"
-# cml.memcache-hosts          = ( "127.0.0.1:11211" )
-# }}} 
-
-# {{{ mod_webdav
-# see webdav.txt
-#
-# $HTTP["url"] =~ "^/dav($|/)" {
-#     webdav.activate = "enable"
-#     webdav.is-readonly = "enable"
-# }
-# }}}
-
-# {{{ extra rules
-#
-# set Content-Encoding and reset Content-Type for browsers that
-# support decompressing on-thy-fly (requires mod_setenv)
-# $HTTP["url"] =~ "\.gz$" {
-#     setenv.add-response-header = ("Content-Encoding" => "x-gzip")
-#     mimetype.assign = (".gz" => "text/plain")
-# }
-
-# $HTTP["url"] =~ "\.bz2$" {
-#     setenv.add-response-header = ("Content-Encoding" => "x-bzip2")
-#     mimetype.assign = (".bz2" => "text/plain")
-# }
-#
-# }}}
-
-# {{{ debug
-# debug.log-request-header   = "enable"
-# debug.log-response-header  = "enable"
-# debug.log-request-handling = "enable"
-# debug.log-file-not-found   = "enable"
-# }}}
-
-# vim: set ft=conf foldmethod=marker et :
-server.network-backend = "writev"

apps/rompr/etc_lighthttpd/mime-types.conf

@@ -1,79 +0,0 @@
-###############################################################################
-# Default mime-types.conf for Gentoo.
-# include'd from lighttpd.conf.
-# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/mime-types.conf,v 1.4 2010/03/14 21:45:18 bangert Exp $
-###############################################################################
-
-# {{{ mime types
-mimetype.assign             = (
-  ".svg"          =>      "image/svg+xml",
-  ".svgz"         =>      "image/svg+xml",
-  ".pdf"          =>      "application/pdf",
-  ".sig"          =>      "application/pgp-signature",
-  ".spl"          =>      "application/futuresplash",
-  ".class"        =>      "application/octet-stream",
-  ".ps"           =>      "application/postscript",
-  ".torrent"      =>      "application/x-bittorrent",
-  ".dvi"          =>      "application/x-dvi",
-  ".gz"           =>      "application/x-gzip",
-  ".pac"          =>      "application/x-ns-proxy-autoconfig",
-  ".swf"          =>      "application/x-shockwave-flash",
-  ".tar.gz"       =>      "application/x-tgz",
-  ".tgz"          =>      "application/x-tgz",
-  ".tar"          =>      "application/x-tar",
-  ".zip"          =>      "application/zip",
-  ".dmg"          =>      "application/x-apple-diskimage",
-  ".mp3"          =>      "audio/mpeg",
-  ".m3u"          =>      "audio/x-mpegurl",
-  ".wma"          =>      "audio/x-ms-wma",
-  ".wax"          =>      "audio/x-ms-wax",
-  ".ogg"          =>      "application/ogg",
-  ".wav"          =>      "audio/x-wav",
-  ".gif"          =>      "image/gif",
-  ".jpg"          =>      "image/jpeg",
-  ".jpeg"         =>      "image/jpeg",
-  ".png"          =>      "image/png",
-  ".xbm"          =>      "image/x-xbitmap",
-  ".xpm"          =>      "image/x-xpixmap",
-  ".xwd"          =>      "image/x-xwindowdump",
-  ".css"          =>      "text/css",
-  ".html"         =>      "text/html",
-  ".htm"          =>      "text/html",
-  ".js"           =>      "text/javascript",
-  ".asc"          =>      "text/plain",
-  ".c"            =>      "text/plain",
-  ".h"            =>      "text/plain",
-  ".cc"           =>      "text/plain",
-  ".cpp"          =>      "text/plain",
-  ".hh"           =>      "text/plain",
-  ".hpp"          =>      "text/plain",
-  ".conf"         =>      "text/plain",
-  ".log"          =>      "text/plain",
-  ".text"         =>      "text/plain",
-  ".txt"          =>      "text/plain",
-  ".diff"         =>      "text/plain",
-  ".patch"        =>      "text/plain",
-  ".ebuild"       =>      "text/plain",
-  ".eclass"       =>      "text/plain",
-  ".rtf"          =>      "application/rtf",
-  ".bmp"          =>      "image/bmp",
-  ".tif"          =>      "image/tiff",
-  ".tiff"         =>      "image/tiff",
-  ".ico"          =>      "image/x-icon",
-  ".dtd"          =>      "text/xml",
-  ".xml"          =>      "text/xml",
-  ".mpeg"         =>      "video/mpeg",
-  ".mpg"          =>      "video/mpeg",
-  ".mov"          =>      "video/quicktime",
-  ".qt"           =>      "video/quicktime",
-  ".avi"          =>      "video/x-msvideo",
-  ".asf"          =>      "video/x-ms-asf",
-  ".asx"          =>      "video/x-ms-asf",
-  ".wmv"          =>      "video/x-ms-wmv",
-  ".bz2"          =>      "application/x-bzip",
-  ".tbz"          =>      "application/x-bzip-compressed-tar",
-  ".tar.bz2"      =>      "application/x-bzip-compressed-tar"
- )
-# }}}
-
-# vim: set ft=conf foldmethod=marker et :

apps/rompr/etc_lighthttpd/mod_cgi.conf

@@ -1,33 +0,0 @@
-###############################################################################
-# mod_cgi.conf
-# include'd by lighttpd.conf.
-# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/mod_cgi.conf,v 1.1 2005/08/27 12:36:13 ka0ttic Exp $
-###############################################################################
-
-#
-# see cgi.txt for more information on using mod_cgi
-#
-
-server.modules += ("mod_cgi")
-
-# NOTE: this requires mod_alias
-alias.url = (
-     "/cgi-bin/"	    =>	    var.basedir + "/cgi-bin/"
-)
-
-#
-# Note that you'll also want to enable the
-# cgi-bin alias via mod_alias (above).
-#
-
-$HTTP["url"] =~ "^/cgi-bin/" {
-    # disable directory listings
-    dir-listing.activate = "disable"
-    # only allow cgi's in this directory
-    cgi.assign = (
-		".pl"	=>	"/usr/bin/perl",
-		".cgi"	=>	"/usr/bin/perl"
-	)
-}
-
-# vim: set ft=conf foldmethod=marker et :

apps/rompr/etc_lighthttpd/mod_fastcgi.conf

@@ -1,17 +0,0 @@
-###############################################################################
-# mod_fastcgi.conf
-# include'd by lighttpd.conf.
-# $Header: /var/cvsroot/gentoo-x86/www-servers/lighttpd/files/conf/mod_fastcgi.conf-1.4.13-r2,v 1.1 2007/04/01 23:22:00 robbat2 Exp $
-###############################################################################
-
-server.modules += ("mod_fastcgi")
-fastcgi.server = ( ".php" =>
-		            ( "localhost" =>
-			            (
-				            "socket"		=>		"/run/lighttpd/lighttpd-fastcgi-php-" + PID + ".socket",
-				            "bin-path"	=>		"/usr/bin/php-cgi"
-			            )
-		            )
-	            )
-
-# vim: set ft=conf foldmethod=marker et :

apps/rompr/etc_lighthttpd/mod_fastcgi_fpm.conf

@@ -1,16 +0,0 @@
-###############################################################################
-# mod_fastcgi_fpm.conf
-# include'd by lighttpd.conf.
-###############################################################################
-
-server.modules += ("mod_fastcgi")
-fastcgi.server = ( ".php" =>
-		            ( 
-			            (
-				            "host" => "127.0.0.1",
-				            "port" => "9000"
-			            )
-		            )
-	            )
-
-# vim: set ft=conf foldmethod=marker et :

apps/rompr/etc_lighthttpd/rompr.conf

@@ -1,15 +0,0 @@
-# Expire header for RompR albumart
-expire.url = ( "/albumart/" => "modification plus 1 seconds" )
-# This sets the 404 page globally for the server which is OK if you're only
-# running RompR but will affect other sites on your system.
-# If you have other sites on this system then you should maybe look at virtual hosts.
-# If you don't use the custom 404 page for RompR your album art manager will 
-# not work correctly.
-server.error-handler-404 = "404.php"
-
-index-file.names            = ( "index.php", "index.html", "index.lighttpd.html" )
-url.access-deny             = ( "~", ".inc" )
-#static-file.exclude-extensions = ( ".php", ".pl", ".fcgi" )
-
-compress.cache-dir          = "/var/cache/lighttpd/compress/"
-compress.filetype           = ( "application/javascript", "text/css", "text/html", "text/plain" )

apps/rompr/files/nginx_default

@@ -0,0 +1,36 @@
+# Default server configuration
+#
+server {
+        listen 80;
+        listen [::]:80;
+
+        root /app/rompr;
+
+        # Add index.php to the list if you are using PHP
+        index index.php index.html index.htm;
+
+        server_name _;
+
+        client_max_body_size 256M;
+
+    # This section can be copied into an existing default setup
+        location / {
+           allow all;
+           access_log off;
+           index index.php;
+           location ~ \.php {
+                try_files $uri index.php =404;
+                fastcgi_pass 127.0.0.1:9000;
+                fastcgi_index index.php;
+                fastcgi_param SCRIPT_FILENAME $request_filename;
+                include /etc/nginx/fastcgi_params;
+                fastcgi_read_timeout 1800;
+           }
+           error_page 404 = /rompr/404.php;
+           try_files $uri $uri/ =404;
+           location ~ /albumart/* {
+                  expires -1s;
+           }
+        }
+
+}

apps/rompr/files/run-httpd

@@ -0,0 +1,8 @@
+#!/bin/sh
+rm -f /var/run/nginx.pid
+mkdir -p /var/log/nginx
+set -e
+mkdir -p /rompr/albumart /rompr/prefs
+chown www-data:www-data -R /rompr/albumart /rompr/prefs
+/etc/init.d/php8.4-fpm restart
+exec /usr/sbin/nginx -g 'daemon off;'

apps/smarthome/Containerfile

@@ -0,0 +1,50 @@
+FROM node:current-buster
+
+# Set the commit of Zwave2Mqtt to checkout when cloning the repo
+ENV Z2M_VERSION=9cc3740740b57f1e896139b5ffdb25be7576ad58
+ENV DEBIAN_FRONTEND noninteractive
+
+#setup local apt cache
+#RUN sed -i 's@http://@http://apt-cache.lan/@g' /etc/apt/sources.list
+#/apt-cache
+
+# Install required dependencies
+RUN apt update -y
+RUN apt full-upgrade -y
+
+# Packages we need
+RUN apt install -y \
+	socat libopenzwave1.5 npm git
+
+# Clone Zwave2Mqtt build pkg files and move them to /dist/pkg
+RUN npm config set unsafe-perm true && npm install -g pkg
+RUN cd /root \
+	&& git clone https://github.com/OpenZWave/Zwave2Mqtt.git  \
+	&& cd Zwave2Mqtt \
+	&& git checkout ${Z2M_VERSION} \
+	&& npm install \
+	&& npm run build
+
+# Clean up
+RUN apt autoremove -y
+RUN apt clean -y
+RUN rm -rf /root/*
+RUN	apt-get clean -y
+RUN	rm -rf /var/lib/apt/lists/* /tmp/* /var/tmp/*
+
+COPY --from=build /dist/lib/ /lib/
+COPY --from=build /dist/pkg /usr/src/app
+
+# supervisor base configuration 
+ADD supervisor.conf /etc/supervisor.conf
+
+LABEL maintainer="zoide"
+
+# Set enviroment
+ENV LD_LIBRARY_PATH /lib
+
+EXPOSE 8091
+
+CMD ["supervisord", "-c", "/etc/supervisor.conf"]
+#CMD ["/usr/src/app/zwave2mqtt"]
+

apps/smarthome/home-assistant.yaml

@@ -0,0 +1,179 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: hassio
+  labels:
+    app: hassio
+    release: latest
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: hassio
+      release: latest
+  template:
+    metadata:
+      labels:
+        app: hassio
+        release: latest
+    spec:
+      containers:
+      - name: hassio
+        image: homeassistant/home-assistant:latest
+        imagePullPolicy: Always
+        env:
+        - name: TZ
+          value: Europe/Berlin
+        volumeMounts:
+        - name: hassio-storage
+          mountPath: /config
+        ports:
+        - name: http
+          containerPort: 8123
+          protocol: TCP
+        livenessProbe:
+          httpGet:
+            path: /
+            port: http
+          initialDelaySeconds: 300
+          periodSeconds: 10
+        readinessProbe:
+          httpGet:
+            path: /
+            port: http
+          initialDelaySeconds: 120
+          periodSeconds: 5
+        resources:
+          requests:
+            memory: "200Mi"
+            cpu: "250m"
+          limits:
+            memory: "256Mi"
+            cpu: "500m"
+      - name: configurator
+        image: "causticlab/hass-configurator-docker:arm"
+        imagePullPolicy: Always
+        env:
+        - name: HC_HASS_API
+          value: http://127.0.0.1:8123/api/
+        - name: HC_HASS_API_PASSWORD 
+          value: eyJ0eXAiOiJKV1QiLCJhbGciOiJIUzI1NiJ9.eyJpc3MiOiJhMzBmYjU1ZjcyZGE0Yzc2YmU2NmY0NjljNTAyMjdjZCIsImlhdCI6MTYxMjg4MzI5NywiZXhwIjoxOTI4MjQzMjk3fQ.1ICsHliUXR0CG4H8vQRYJ5jVqFwmqKSB0fScSitC-Q4
+        ports:
+        - name: adm
+          containerPort: 3218
+          protocol: TCP
+        #livenessProbe:
+        #  httpGet:
+        #    path: /
+        #    port: 3218
+        #  initialDelaySeconds: 60
+        #  periodSeconds: 3
+        #readinessProbe:
+        #  httpGet:
+        #    path: /
+        #    port: 3218
+        #  initialDelaySeconds: 60
+        #  periodSeconds: 5
+        volumeMounts:
+        - name: hassio-storage
+          mountPath: /hass-config
+        - name: hassio-conf-storage
+          mountPath: /config
+      volumes:
+      - name: hassio-storage
+        persistentVolumeClaim:
+          claimName: hassio-storage
+      - name: hassio-conf-storage
+        persistentVolumeClaim:
+          claimName: hassio-configurator
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: hassio-storage
+  labels:
+    app: hassio
+spec:
+  storageClassName: nfs-ssd
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 20Mi
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: hassio-configurator
+  labels:
+    app: hassio
+spec:
+  storageClassName: nfs-ssd
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 20Mi
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: hassio
+  labels:
+    app: hassio
+    release: latest
+spec:
+  ports:
+  - port: 80
+    targetPort: http
+    protocol: TCP
+    name: http
+  selector:
+    app: hassio
+    release: latest
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: hassio-conf
+  labels:
+    app: hassio
+    release: latest
+spec:
+  ports:
+  - port: 80
+    targetPort: adm
+    protocol: TCP
+    name: adm
+  selector:
+    app: hassio
+    release: latest
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: hassio
+  annotations: 
+    kubernetes.io/ingress.class: nginx
+spec:
+  rules:
+  - host: hassio.lan
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: hassio
+            port: 
+              name: http
+  - host: hassio-conf.lan
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: hassio-conf
+            port: 
+              name: adm

apps/smarthome/socat/Containerfile

@@ -0,0 +1,8 @@
+FROM alpine:latest
+
+ARG VERSION=1.7.3.2
+
+RUN apk --no-cache add socat
+#=${VERSION}
+
+ENTRYPOINT ["socat"]

apps/smarthome/supervisor.conf

@@ -0,0 +1,13 @@
+[supervisord]
+nodaemon=true
+
+[program:socat]
+command=/usr/bin/socat -d -d -d pty,link=/dev/ttySER2NET0,raw,user=root,group=root,mode=660 tcp:auto:3333
+killasgroup=true
+stopasgroup=true
+redirect_stderr=true
+
+[program:zwave2mqtt]
+directory=/usr/src/app
+command=/usr/src/app/zwave2mqtt
+redirect_stderr=true

apps/smarthome/zwave2mqtt.yaml

@@ -0,0 +1,120 @@
+## FROM: https://github.com/OpenZWave/Zwave2Mqtt
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: zwave2mqtt
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      name: zwave2mqtt
+  template:
+    metadata:
+      labels:
+        name: zwave2mqtt
+    spec:
+      containers:
+      - name: zwave2mqtt
+        image: docker-registry.lan/zwave2mqtt:arm64
+        livenessProbe:
+          failureThreshold: 12
+          httpGet:
+            httpHeaders:
+            - name: Accept
+              value: text/plain
+            path: /
+            port: http
+          initialDelaySeconds: 30
+          periodSeconds: 10
+          successThreshold: 1
+          timeoutSeconds: 2
+        ports:
+        - containerPort: 8091
+          name: http
+          protocol: TCP
+        resources:
+          limits:
+            cpu: '1'
+            memory: 512Mi
+          requests:
+            cpu: '1'
+            memory: 200Mi
+        securityContext:
+          allowPrivilegeEscalation: true
+          privileged: true
+        volumeMounts:
+        - mountPath: /usr/src/app/store
+          name: data
+# - mountPath: /usr/local/etc/openzwave
+#   name: ozwdatabase
+# - mountPath: /usr/src/app/store/settings.json <-- if putting your settings.json in a secret
+#   name: config
+#   readOnly: true
+#   subPath: settings.json
+# nodeSelector:
+#   kubernetes.io/hostname: stick1 #<--- the name of your cluster node that the zwave usb stick in
+#      - name: socat
+#        image: docker-registry.lan/socat:arm64
+#        args:
+#         - pty,link=/dev/ttySER2NET0,raw,user=root,group=root,mode=660
+#         - tcp:auto:3333
+#        securityContext:
+#          allowPrivilegeEscalation: true
+#          privileged: true
+      volumes:
+# - name: config <-- if putting your settings.json in a secret
+#   secret:
+#     defaultMode: 420
+#     secretName: zwave2mqtt
+      #- name: zwavestick
+      #  hostPath:
+      #    path: /dev/ttyACM0
+      #    type: File
+      - name: data
+        persistentVolumeClaim:
+          claimName: zwave2mqtt-storage
+# - name: ozwdatabase
+#   hostPath:
+#     path: /zwave2mqtt/database
+
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: zwave2mqtt-storage
+  labels:
+    app: zwave2mqtt
+spec:
+  storageClassName: nfs-ssd
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 20Mi
+---
+apiVersion: extensions/v1beta1
+kind: Ingress
+metadata:
+  name: zwave2mqtt
+spec:
+  rules:
+  - host: zwave.lan
+    http:
+      paths:
+      - backend:
+          serviceName: zwave2mqtt
+          servicePort: http
+          
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: zwave2mqtt
+spec:
+  ports:
+    - name: http
+      port: 80
+      targetPort: http
+  selector:
+    name: zwave2mqtt

bin/find_changes.sh

@@ -0,0 +1,14 @@
+#!/bin/bash
+declare -A CH
+CH=()
+i=0
+echo $(git --version)
+while read line; do
+    WHAT=$(dirname ${line})
+    echo "LIN: ${line}    WHAT: ${WHAT}"
+    CH[$i]=$WHAT
+    i=$((i++))
+done < <(git diff-tree --no-commit-id --name-only HEAD -r| egrep '^_')
+#echo "UNIQ:"
+UNIQ=$(echo ${CH} |sort |uniq)
+echo ${UNIQ}

csi-s3/README.md

@@ -1,12 +0,0 @@
-COMMON:
-** git tag -l 
-** V=GIT_TAG git checkout -b branch=$V $V
-** run: build.sh dir-name
-
-
-external-provisioner:
-
-external-attacher:
-
-node-driver-registrar:
-

csi-s3/build.sh

@@ -1,27 +0,0 @@
-#!/bin/bash
-
-APP=$1
-cd $APP
-VERSION=arm64 make -j8 GOARCH=arm64
-docker build -t $APP:arm64 --platform linux/arm64 .
-docker tag ${APP}:arm64 docker-registry.lan/${APP}:arm64
-
-echo "=============================================="
-
-while true; do
-    read -p "Push it real good? " yn
-    case $yn in
-        [Yy]* ) 
-	    docker push docker-registry.lan/${APP}:arm64; 
-	    echo "-> Cheers"; 
-	    echo;
-	    break;;
-        [Nn]* ) 
-	    echo "x> Cheers!";
-	    echo;
-	    exit;;
-        * ) echo "Please answer [y]es or [n]o.";;
-    esac
-done
-
-cd -