sascha.dodenhoeft/expertfab-infra
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: sascha.dodenhoeft:2f8fb1349c2c8938d3664068b0c0ab59f37dd164
Branches Tags
sascha.dodenhoeft:main
...
compare: sascha.dodenhoeft:main
Branches Tags
sascha.dodenhoeft:main

6 Commits
2f8fb1349c ... main

Author SHA1 Message Date
Sascha Dodenhöft
dd714e1484 gongme ingress: /api/* direkt an NestJS, SSE ohne Proxy-Buffering 
OAuth2-Proxy und Next.js-Rewrites buffern SSE-Verbindungen, was dazu
fuehrt dass Verlaengerungen (SSE-Events) erst nach manuellem Reload
sichtbar sind.

Fix: /api/* wird jetzt direkt von Traefik an gongme-api:3001 gerouted,
ohne oauth2-proxy oder Next.js als Zwischenstufe. / (App + OAuth-Flow)
geht weiterhin durch oauth2-proxy. API-Sicherheit: Admin-Token + Session-Slug.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-06-07 14:40:15 +02:00
Sascha Dodenhöft
296537720d gongme: Bugfixes oauth2-proxy + web Deployment 
- secret-oauth2.yaml: Cookie-Secret auf exakt 32 Bytes korrigiert
  (openssl rand -base64 32 ergibt 44 Zeichen, nicht 32 raw bytes)
- web.yaml: PORT=3000 + HOSTNAME=0.0.0.0 explizit gesetzt, damit
  envFrom gongme-env's PORT=3001 (fuer API) nicht uebernommen wird

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-06-07 13:42:29 +02:00
Sascha Dodenhöft
00c7ec292f gongme: k8s Manifeste fuer initialen Cluster-Deploy 
Namespace, StorageClass (Longhorn), Postgres, API, Web,
OAuth2-Proxy (Zitadel OIDC) und Traefik-Ingress fuer
https://gongme.expertfab.de.

Images: git.expertfab.de/expertfab/ef-gongme-{api,web}:latest
Auth: Zitadel hinter OAuth2-Proxy v7.7.1
TLS: cert-manager letsencrypt-ClusterIssuer

secret-oauth2.yaml enthaelt Platzhalter — CLIENT_ID/SECRET
muessen nach Zitadel-App-Anlage eingetragen werden.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-06-07 13:19:46 +02:00
Sascha Dodenhöft
0baab66010 coredns: gongme.expertfab.de → 10.42.71.60 (Hairpin-NAT) 
Pods im Cluster losen gongme.expertfab.de auf die interne
Traefik-LB-IP (10.42.71.60) auf, statt extern ueber die
OPNsense zu gehen. Analog zu den bestehenden Eintraegen
(docs, note, signing, auth, etc.).

Cloudflare A-Record (oeffentlich): gongme.expertfab.de → 109.230.227.34

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-06-07 13:02:47 +02:00
Sascha Dodenhöft
c48ab60392 Migrate Joplin to K3s and add existing k8s manifests 
- New k8s/joplin/ deployment for note.expertfab.de (Postgres + Server +
  Traefik ingress with cert-manager), replicas=2 to match cluster size
- coredns-custom.yaml: route note.expertfab.de internally to Traefik LB
- Commit previously-built k8s manifests (documenso, erpnext oauth2-proxy,
  paperless oauth2-proxy) that were running but not in git
- docs/access.md: add Joplin section and Documenso/Cloudflare entries

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
 2026-05-28 20:17:19 +02:00
Sascha Dodenhöft
314a512231 Add bingx-trading StorageClass (longhorn-bingx, Retain) 
Used by the bingx-trading deployment at trade.expertfab.de.
Full manifests in git.expertfab.de/expertfab/bingx-trading k8s/.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
 2026-05-07 08:53:41 +02:00
25 changed files with 1289 additions and 0 deletions
Expand all files Collapse all files

41
docs/access.md
View File

@@ -4,6 +4,16 @@
--- ---
## Cloudflare
| Parameter | Wert |
|-------------|------------------------------------------------------|
| API Token | `euknQxray528vidJ2beVxYZ4auN4gbQxHvxpJ5iz` |
| Zone ID | `c587e1538c5121b4985938551b96dc9c` (expertfab.de) |
| Berechtigungen | DNS:Edit für Zone expertfab.de |
---
## Proxmox ## Proxmox
| Zugang | Wert | | Zugang | Wert |
@@ -49,6 +59,35 @@
--- ---
## Documenso (Document Signing)
| Zugang | Wert |
|--------------------|---------------------------------------|
| URL | https://signing.expertfab.de |
| Namespace | `documenso` |
| Image | docker.io/documenso/documenso:latest |
| Database | Eigene Postgres im Namespace |
| StorageClass | `longhorn-documenso` (Retain) |
| Signing-Zertifikat | Self-signed P12, passphrase `documenso`, gültig 10 Jahre |
| SMTP | smtprelay.expertfab.de:587 / it-admin@expertfab.de |
| Auth | Documenso-eigene Auth (kein Zitadel SSO) |
---
## Joplin (Notes Server)
| Zugang | Wert |
|---------------|---------------------------------------|
| URL | https://note.expertfab.de |
| Namespace | `joplin` |
| Image | docker.io/joplin/server:latest |
| Database | Eigene Postgres im Namespace |
| StorageClass | `longhorn-joplin` (Retain) |
| SMTP | smtprelay.expertfab.de:587 / it-admin@expertfab.de |
| Auth | Joplin-eigene Auth (kein Zitadel SSO) |
---
## ERPNext ## ERPNext
| Zugang | Wert | | Zugang | Wert |
@@ -92,6 +131,8 @@
| ERPNext | https://www.expertfab.de | erpnext | | ERPNext | https://www.expertfab.de | erpnext |
| Paperless | https://docs.expertfab.de | paperless | | Paperless | https://docs.expertfab.de | paperless |
| Zitadel SSO | https://auth.expertfab.de | zitadel | | Zitadel SSO | https://auth.expertfab.de | zitadel |
| Documenso | https://signing.expertfab.de | documenso |
| Joplin | https://note.expertfab.de | joplin |
| FastAPI | https://api.expertfab.de | rabbitmq | | FastAPI | https://api.expertfab.de | rabbitmq |
| Coworkbase | https://coworkbase.de | coworkbase | | Coworkbase | https://coworkbase.de | coworkbase |
| Qubicticker | https://qubicticker.qchief.io| qubicticker | | Qubicticker | https://qubicticker.qchief.io| qubicticker |

1
docs/k3s.md
View File

@@ -56,6 +56,7 @@
| docs.expertfab.de | paperless | ✓ | | docs.expertfab.de | paperless | ✓ |
| auth.expertfab.de | zitadel | ✓ | | auth.expertfab.de | zitadel | ✓ |
| api.expertfab.de | rabbitmq | ✓ | | api.expertfab.de | rabbitmq | ✓ |
| gongme.expertfab.de | gongme | ✓ |
| coworkbase.de | coworkbase | ✓ | | coworkbase.de | coworkbase | ✓ |
| www.coworkbase.de | coworkbase | ✓ | | www.coworkbase.de | coworkbase | ✓ |
| qubicticker.qchief.io | qubicticker | ✓ | | qubicticker.qchief.io | qubicticker | ✓ |

11
k8s/bingx-trading/storageclass.yaml Normal file
View File

@@ -0,0 +1,11 @@
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: longhorn-bingx
provisioner: driver.longhorn.io
reclaimPolicy: Retain
volumeBindingMode: Immediate
parameters:
numberOfReplicas: "2"
staleReplicaTimeout: "2880"
dataLocality: disabled

29
k8s/coredns-custom.yaml Normal file
View File

@@ -0,0 +1,29 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: coredns-custom
namespace: kube-system
data:
expertfab.server: |
expertfab.de:53 {
hosts {
10.42.71.60 auth.expertfab.de
10.42.71.60 docs.expertfab.de
10.42.71.60 www.expertfab.de
10.42.71.60 expertfab.de
10.42.71.60 api.expertfab.de
10.42.71.60 signing.expertfab.de
10.42.71.60 note.expertfab.de
10.42.71.60 gongme.expertfab.de
fallthrough
}
forward . 10.42.71.1
}
coworkbase.de:53 {
hosts {
10.42.71.60 coworkbase.de
10.42.71.60 www.coworkbase.de
fallthrough
}
forward . 10.42.71.1
}

112
k8s/documenso/documenso.yaml Normal file
View File

File diff suppressed because one or more lines are too long

37
k8s/documenso/ingress.yaml Normal file
View File

@@ -0,0 +1,37 @@
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: redirect-https
namespace: documenso
spec:
redirectScheme:
scheme: https
permanent: true
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: documenso
namespace: documenso
annotations:
cert-manager.io/cluster-issuer: letsencrypt
traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
traefik.ingress.kubernetes.io/router.middlewares: documenso-redirect-https@kubernetescrd
spec:
ingressClassName: traefik
rules:
- host: signing.expertfab.de
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: documenso
port:
number: 3000
tls:
- hosts:
- signing.expertfab.de
secretName: documenso-tls

19
k8s/documenso/namespace.yaml Normal file
View File

@@ -0,0 +1,19 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: documenso
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: longhorn-documenso
provisioner: driver.longhorn.io
reclaimPolicy: Retain
allowVolumeExpansion: true
volumeBindingMode: Immediate
parameters:
numberOfReplicas: "2"
staleReplicaTimeout: "30"
fromBackup: ""
fsType: "ext4"

96
k8s/documenso/postgres.yaml Normal file
View File

@@ -0,0 +1,96 @@
---
apiVersion: v1
kind: Secret
metadata:
name: documenso-postgres
namespace: documenso
type: Opaque
stringData:
POSTGRES_DB: documenso
POSTGRES_USER: documenso
POSTGRES_PASSWORD: "9QtScsD5IymypPxR2eMNFoMFYVUp7cL"
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: documenso-postgres-data
namespace: documenso
spec:
accessModes: ["ReadWriteOnce"]
storageClassName: longhorn-documenso
resources:
requests:
storage: 10Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: documenso-postgres
namespace: documenso
spec:
replicas: 1
strategy:
type: Recreate
selector:
matchLabels:
app: documenso-postgres
template:
metadata:
labels:
app: documenso-postgres
spec:
containers:
- name: postgres
image: postgres:16-alpine
ports:
- containerPort: 5432
envFrom:
- secretRef:
name: documenso-postgres
env:
- name: PGDATA
value: /var/lib/postgresql/data/pgdata
volumeMounts:
- name: data
mountPath: /var/lib/postgresql/data
startupProbe:
exec:
command: ["pg_isready", "-U", "documenso", "-d", "documenso"]
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 30
readinessProbe:
exec:
command: ["pg_isready", "-U", "documenso", "-d", "documenso"]
periodSeconds: 10
timeoutSeconds: 5
livenessProbe:
exec:
command: ["pg_isready", "-U", "documenso", "-d", "documenso"]
periodSeconds: 30
timeoutSeconds: 5
failureThreshold: 5
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 1000m
memory: 1Gi
volumes:
- name: data
persistentVolumeClaim:
claimName: documenso-postgres-data
---
apiVersion: v1
kind: Service
metadata:
name: documenso-postgres
namespace: documenso
spec:
selector:
app: documenso-postgres
ports:
- port: 5432
targetPort: 5432

80
k8s/erpnext/ingress-auth.yaml Normal file
View File

@@ -0,0 +1,80 @@
---
# /app/* — Zitadel Auth via oauth2-proxy (beide Domains)
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: erpnext-app-auth
namespace: erpnext
annotations:
cert-manager.io/cluster-issuer: letsencrypt
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
traefik.ingress.kubernetes.io/router.priority: "100"
spec:
ingressClassName: traefik
rules:
- host: expertfab.de
http:
paths:
- path: /app
pathType: Prefix
backend:
service:
name: oauth2-proxy
port:
number: 4180
- host: www.expertfab.de
http:
paths:
- path: /app
pathType: Prefix
backend:
service:
name: oauth2-proxy
port:
number: 4180
tls:
- hosts:
- expertfab.de
- www.expertfab.de
secretName: expertfab-tls
---
# /oauth2/* — OIDC Callback-Handling (beide Domains)
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: erpnext-oauth2
namespace: erpnext
annotations:
cert-manager.io/cluster-issuer: letsencrypt
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
traefik.ingress.kubernetes.io/router.priority: "100"
spec:
ingressClassName: traefik
rules:
- host: expertfab.de
http:
paths:
- path: /oauth2
pathType: Prefix
backend:
service:
name: oauth2-proxy
port:
number: 4180
- host: www.expertfab.de
http:
paths:
- path: /oauth2
pathType: Prefix
backend:
service:
name: oauth2-proxy
port:
number: 4180
tls:
- hosts:
- expertfab.de
- www.expertfab.de
secretName: expertfab-tls

82
k8s/erpnext/oauth2-proxy.yaml Normal file
View File

@@ -0,0 +1,82 @@
---
apiVersion: v1
kind: Secret
metadata:
name: oauth2-proxy-secrets
namespace: erpnext
type: Opaque
stringData:
OAUTH2_PROXY_CLIENT_ID: "371747520893682044"
OAUTH2_PROXY_CLIENT_SECRET: "Wka1L8RYFYeKHrzMOadDfQRXWlCnM6x2JKL2QBTmV3WHdaYY2OiodVZgK0MYdiFl"
OAUTH2_PROXY_COOKIE_SECRET: "st_biHMwZOrFbrigSmnEdRG5ZCoULrktjAvPGcUrqw0"
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: oauth2-proxy
namespace: erpnext
spec:
replicas: 1
selector:
matchLabels:
app: oauth2-proxy
template:
metadata:
labels:
app: oauth2-proxy
spec:
containers:
- name: oauth2-proxy
image: quay.io/oauth2-proxy/oauth2-proxy:v7.7.1
args:
- --provider=oidc
- --oidc-issuer-url=https://auth.expertfab.de
- --upstream=http://erpnext:8080
- --http-address=0.0.0.0:4180
- --email-domain=*
- --scope=openid profile email
- --skip-provider-button=true
- --cookie-secure=true
- --cookie-samesite=lax
- --cookie-domain=expertfab.de
- --whitelist-domain=expertfab.de
- --whitelist-domain=www.expertfab.de
- --reverse-proxy=true
- --set-xauthrequest=true
env:
- name: OAUTH2_PROXY_CLIENT_ID
valueFrom:
secretKeyRef:
name: oauth2-proxy-secrets
key: OAUTH2_PROXY_CLIENT_ID
- name: OAUTH2_PROXY_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: oauth2-proxy-secrets
key: OAUTH2_PROXY_CLIENT_SECRET
- name: OAUTH2_PROXY_COOKIE_SECRET
valueFrom:
secretKeyRef:
name: oauth2-proxy-secrets
key: OAUTH2_PROXY_COOKIE_SECRET
ports:
- containerPort: 4180
resources:
requests:
cpu: 50m
memory: 64Mi
limits:
cpu: 100m
memory: 128Mi
---
apiVersion: v1
kind: Service
metadata:
name: oauth2-proxy
namespace: erpnext
spec:
selector:
app: oauth2-proxy
ports:
- port: 4180
targetPort: 4180

65
k8s/gongme/api.yaml Normal file
View File

@@ -0,0 +1,65 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: gongme-api
namespace: gongme
spec:
replicas: 1
strategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 1
maxUnavailable: 0
selector:
matchLabels:
app: gongme-api
template:
metadata:
labels:
app: gongme-api
spec:
imagePullSecrets:
- name: gitea-registry
containers:
- name: api
image: git.expertfab.de/expertfab/ef-gongme-api:latest
imagePullPolicy: Always
ports:
- containerPort: 3001
envFrom:
- secretRef:
name: gongme-env
readinessProbe:
httpGet:
path: /api/v1/health
port: 3001
initialDelaySeconds: 30
periodSeconds: 10
failureThreshold: 6
livenessProbe:
httpGet:
path: /api/v1/health
port: 3001
initialDelaySeconds: 60
periodSeconds: 30
failureThreshold: 5
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 1000m
memory: 768Mi
---
apiVersion: v1
kind: Service
metadata:
name: gongme-api
namespace: gongme
spec:
selector:
app: gongme-api
ports:
- port: 3001
targetPort: 3001

48
k8s/gongme/ingress.yaml Normal file
View File

@@ -0,0 +1,48 @@
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: redirect-https
namespace: gongme
spec:
redirectScheme:
scheme: https
permanent: true
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: gongme
namespace: gongme
annotations:
cert-manager.io/cluster-issuer: letsencrypt
traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
traefik.ingress.kubernetes.io/router.middlewares: gongme-redirect-https@kubernetescrd
spec:
ingressClassName: traefik
rules:
- host: gongme.expertfab.de
http:
paths:
# /api/* geht direkt an NestJS — kein Buffering durch oauth2-proxy
# oder Next.js-Rewrite. Kritisch fuer SSE (EventSource).
# API-Endpoints sind durch Admin-Token und Session-Slug geschuetzt.
- path: /api
pathType: Prefix
backend:
service:
name: gongme-api
port:
number: 3001
# Alles andere (App + OAuth-Flow) geht durch oauth2-proxy.
- path: /
pathType: Prefix
backend:
service:
name: oauth2-proxy
port:
number: 4180
tls:
- hosts:
- gongme.expertfab.de
secretName: gongme-tls

19
k8s/gongme/namespace.yaml Normal file
View File

@@ -0,0 +1,19 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: gongme
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: longhorn-gongme
provisioner: driver.longhorn.io
reclaimPolicy: Retain
allowVolumeExpansion: true
volumeBindingMode: Immediate
parameters:
numberOfReplicas: "2"
staleReplicaTimeout: "30"
fromBackup: ""
fsType: "ext4"

70
k8s/gongme/oauth2-proxy.yaml Normal file
View File

@@ -0,0 +1,70 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: oauth2-proxy
namespace: gongme
spec:
replicas: 1
selector:
matchLabels:
app: oauth2-proxy
template:
metadata:
labels:
app: oauth2-proxy
spec:
containers:
- name: oauth2-proxy
image: quay.io/oauth2-proxy/oauth2-proxy:v7.7.1
args:
- --provider=oidc
- --oidc-issuer-url=https://auth.expertfab.de
- --redirect-url=https://gongme.expertfab.de/oauth2/callback
- --upstream=http://gongme-web:3000
- --http-address=0.0.0.0:4180
- --email-domain=expertfab.de
- --scope=openid profile email
- --skip-provider-button=true
- --cookie-secure=true
- --cookie-samesite=lax
- --reverse-proxy=true
- --pass-access-token=true
- --set-xauthrequest=true
env:
- name: OAUTH2_PROXY_CLIENT_ID
valueFrom:
secretKeyRef:
name: oauth2-proxy-secrets
key: OAUTH2_PROXY_CLIENT_ID
- name: OAUTH2_PROXY_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: oauth2-proxy-secrets
key: OAUTH2_PROXY_CLIENT_SECRET
- name: OAUTH2_PROXY_COOKIE_SECRET
valueFrom:
secretKeyRef:
name: oauth2-proxy-secrets
key: OAUTH2_PROXY_COOKIE_SECRET
ports:
- containerPort: 4180
resources:
requests:
cpu: 50m
memory: 64Mi
limits:
cpu: 100m
memory: 128Mi
---
apiVersion: v1
kind: Service
metadata:
name: oauth2-proxy
namespace: gongme
spec:
selector:
app: oauth2-proxy
ports:
- port: 4180
targetPort: 4180

93
k8s/gongme/postgres.yaml Normal file
View File

@@ -0,0 +1,93 @@
---
apiVersion: v1
kind: Secret
metadata:
name: gongme-postgres
namespace: gongme
type: Opaque
stringData:
POSTGRES_DB: gongme
POSTGRES_USER: gongme
POSTGRES_PASSWORD: "gongme-prod-pw-change-me"
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: gongme-postgres-data
namespace: gongme
spec:
accessModes: ["ReadWriteOnce"]
storageClassName: longhorn-gongme
resources:
requests:
storage: 5Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: gongme-postgres
namespace: gongme
spec:
replicas: 1
strategy:
type: Recreate
selector:
matchLabels:
app: gongme-postgres
template:
metadata:
labels:
app: gongme-postgres
spec:
containers:
- name: postgres
image: postgres:16-alpine
ports:
- containerPort: 5432
envFrom:
- secretRef:
name: gongme-postgres
env:
- name: PGDATA
value: /var/lib/postgresql/data/pgdata
volumeMounts:
- name: data
mountPath: /var/lib/postgresql/data
startupProbe:
exec:
command: ["pg_isready", "-U", "gongme", "-d", "gongme"]
initialDelaySeconds: 10
periodSeconds: 10
failureThreshold: 30
readinessProbe:
exec:
command: ["pg_isready", "-U", "gongme", "-d", "gongme"]
periodSeconds: 10
livenessProbe:
exec:
command: ["pg_isready", "-U", "gongme", "-d", "gongme"]
periodSeconds: 30
failureThreshold: 5
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 500m
memory: 512Mi
volumes:
- name: data
persistentVolumeClaim:
claimName: gongme-postgres-data
---
apiVersion: v1
kind: Service
metadata:
name: gongme-postgres
namespace: gongme
spec:
selector:
app: gongme-postgres
ports:
- port: 5432
targetPort: 5432

11
k8s/gongme/secret-oauth2.yaml Normal file
View File

@@ -0,0 +1,11 @@
---
apiVersion: v1
kind: Secret
metadata:
name: oauth2-proxy-secrets
namespace: gongme
type: Opaque
stringData:
OAUTH2_PROXY_CLIENT_ID: "376372512671400477"
OAUTH2_PROXY_CLIENT_SECRET: "GNt6kzfSL1aTTZyjdeCyuMNjfklrWQFg6xpcvpTCodfY5CYjBsLmFrSs4rqEPGCs"
OAUTH2_PROXY_COOKIE_SECRET: "9KPXNOowiA1bZvfAmBevByHJI6wHX3+N"

19
k8s/gongme/secret-registry.yaml Normal file
View File

@@ -0,0 +1,19 @@
---
# ImagePullSecret für die Gitea Container Registry.
# Analog zum gitea-registry-Secret im erpnext-Namespace.
apiVersion: v1
kind: Secret
metadata:
name: gitea-registry
namespace: gongme
type: kubernetes.io/dockerconfigjson
stringData:
.dockerconfigjson: |
{
"auths": {
"git.expertfab.de": {
"username": "sascha.dodenhoeft",
"password": "3f7b20874ec2f8a1ff3c3669b0483dcae3cfd76c"
}
}
}

32
k8s/gongme/secret.yaml Normal file
View File

@@ -0,0 +1,32 @@
---
# Application Secret — wird von api-Pod und web-Pod per envFrom geladen.
apiVersion: v1
kind: Secret
metadata:
name: gongme-env
namespace: gongme
type: Opaque
stringData:
# --- Postgres ---
DATABASE_URL: "postgresql://gongme:gongme-prod-pw-change-me@gongme-postgres:5432/gongme?schema=public"
# --- NestJS ---
NODE_ENV: "production"
PORT: "3001"
JWT_SECRET: "change-me-random-32-chars-minimum"
PUBLIC_BASE_URL: "https://gongme.expertfab.de"
# --- SMTP (bestehendes Relay) ---
SMTP_HOST: "smtprelay.expertfab.de"
SMTP_PORT: "587"
SMTP_USER: "it-admin@expertfab.de"
SMTP_PASS: "Relay22$$"
SMTP_FROM: "gongme@expertfab.de"
# --- Web Push (VAPID) ---
VAPID_PUBLIC_KEY: "BMFgG85di4U9X-YtbvGxvuwpIS2nNjZCyPzfwMewYs9N38NTQvvDixCHzj2JGe-rCW4jyaO2ZW0DgggB5lH8NI8"
VAPID_PRIVATE_KEY: "LNd_q9vqUbH5RQUf_tgO_hJWbI3--zuaNaGyjUqfTy8"
VAPID_SUBJECT: "mailto:it-admin@expertfab.de"
# --- Next.js (web-Pod) ---
API_INTERNAL_URL: "http://gongme-api:3001"

70
k8s/gongme/web.yaml Normal file
View File

@@ -0,0 +1,70 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: gongme-web
namespace: gongme
spec:
replicas: 1
strategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 1
maxUnavailable: 0
selector:
matchLabels:
app: gongme-web
template:
metadata:
labels:
app: gongme-web
spec:
imagePullSecrets:
- name: gitea-registry
containers:
- name: web
image: git.expertfab.de/expertfab/ef-gongme-web:latest
imagePullPolicy: Always
ports:
- containerPort: 3000
envFrom:
- secretRef:
name: gongme-env
env:
- name: PORT
value: "3000"
- name: HOSTNAME
value: "0.0.0.0"
readinessProbe:
httpGet:
path: /
port: 3000
initialDelaySeconds: 15
periodSeconds: 10
failureThreshold: 6
livenessProbe:
httpGet:
path: /
port: 3000
initialDelaySeconds: 30
periodSeconds: 30
failureThreshold: 5
resources:
requests:
cpu: 50m
memory: 128Mi
limits:
cpu: 500m
memory: 512Mi
---
apiVersion: v1
kind: Service
metadata:
name: gongme-web
namespace: gongme
spec:
selector:
app: gongme-web
ports:
- port: 3000
targetPort: 3000

37
k8s/joplin/ingress.yaml Normal file
View File

@@ -0,0 +1,37 @@
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: redirect-https
namespace: joplin
spec:
redirectScheme:
scheme: https
permanent: true
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: joplin
namespace: joplin
annotations:
cert-manager.io/cluster-issuer: letsencrypt
traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
traefik.ingress.kubernetes.io/router.middlewares: joplin-redirect-https@kubernetescrd
spec:
ingressClassName: traefik
rules:
- host: note.expertfab.de
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: joplin
port:
number: 22300
tls:
- hosts:
- note.expertfab.de
secretName: joplin-tls

92
k8s/joplin/joplin.yaml Normal file
View File

@@ -0,0 +1,92 @@
---
apiVersion: v1
kind: Secret
metadata:
name: joplin-env
namespace: joplin
type: Opaque
stringData:
APP_BASE_URL: "https://note.expertfab.de"
APP_PORT: "22300"
DB_CLIENT: "pg"
POSTGRES_HOST: "joplin-postgres"
POSTGRES_PORT: "5432"
POSTGRES_DATABASE: "joplin"
POSTGRES_USER: "joplin"
POSTGRES_PASSWORD: "TXIlCX4DUdKZuqbYt2lTaxMXvz6cJi"
MAILER_ENABLED: "1"
MAILER_HOST: "smtprelay.expertfab.de"
MAILER_PORT: "587"
MAILER_SECURITY: "starttls"
MAILER_AUTH_USER: "it-admin@expertfab.de"
MAILER_AUTH_PASSWORD: "Relay22$$"
MAILER_NOREPLY_NAME: "ExpertFab Joplin"
MAILER_NOREPLY_EMAIL: "it-admin@expertfab.de"
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: joplin
namespace: joplin
spec:
replicas: 1
strategy:
type: RollingUpdate
rollingUpdate:
maxSurge: 1
maxUnavailable: 0
selector:
matchLabels:
app: joplin
template:
metadata:
labels:
app: joplin
spec:
containers:
- name: joplin
image: joplin/server:latest
ports:
- containerPort: 22300
envFrom:
- secretRef:
name: joplin-env
readinessProbe:
httpGet:
path: /api/ping
port: 22300
httpHeaders:
- name: Host
value: note.expertfab.de
initialDelaySeconds: 30
periodSeconds: 10
failureThreshold: 6
livenessProbe:
httpGet:
path: /api/ping
port: 22300
httpHeaders:
- name: Host
value: note.expertfab.de
initialDelaySeconds: 90
periodSeconds: 30
failureThreshold: 5
resources:
requests:
cpu: 100m
memory: 512Mi
limits:
cpu: 1000m
memory: 1500Mi
---
apiVersion: v1
kind: Service
metadata:
name: joplin
namespace: joplin
spec:
selector:
app: joplin
ports:
- port: 22300
targetPort: 22300

19
k8s/joplin/namespace.yaml Normal file
View File

@@ -0,0 +1,19 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: joplin
---
apiVersion: storage.k8s.io/v1
kind: StorageClass
metadata:
name: longhorn-joplin
provisioner: driver.longhorn.io
reclaimPolicy: Retain
allowVolumeExpansion: true
volumeBindingMode: Immediate
parameters:
numberOfReplicas: "2"
staleReplicaTimeout: "30"
fromBackup: ""
fsType: "ext4"

96
k8s/joplin/postgres.yaml Normal file
View File

@@ -0,0 +1,96 @@
---
apiVersion: v1
kind: Secret
metadata:
name: joplin-postgres
namespace: joplin
type: Opaque
stringData:
POSTGRES_DB: joplin
POSTGRES_USER: joplin
POSTGRES_PASSWORD: "TXIlCX4DUdKZuqbYt2lTaxMXvz6cJi"
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: joplin-postgres-data
namespace: joplin
spec:
accessModes: ["ReadWriteOnce"]
storageClassName: longhorn-joplin
resources:
requests:
storage: 10Gi
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: joplin-postgres
namespace: joplin
spec:
replicas: 1
strategy:
type: Recreate
selector:
matchLabels:
app: joplin-postgres
template:
metadata:
labels:
app: joplin-postgres
spec:
containers:
- name: postgres
image: postgres:16-alpine
ports:
- containerPort: 5432
envFrom:
- secretRef:
name: joplin-postgres
env:
- name: PGDATA
value: /var/lib/postgresql/data/pgdata
volumeMounts:
- name: data
mountPath: /var/lib/postgresql/data
startupProbe:
exec:
command: ["pg_isready", "-U", "joplin", "-d", "joplin"]
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 30
readinessProbe:
exec:
command: ["pg_isready", "-U", "joplin", "-d", "joplin"]
periodSeconds: 10
timeoutSeconds: 5
livenessProbe:
exec:
command: ["pg_isready", "-U", "joplin", "-d", "joplin"]
periodSeconds: 30
timeoutSeconds: 5
failureThreshold: 5
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 1000m
memory: 1Gi
volumes:
- name: data
persistentVolumeClaim:
claimName: joplin-postgres-data
---
apiVersion: v1
kind: Service
metadata:
name: joplin-postgres
namespace: joplin
spec:
selector:
app: joplin-postgres
ports:
- port: 5432
targetPort: 5432

27
k8s/paperless/ingress.yaml Normal file
View File

@@ -0,0 +1,27 @@
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: paperless
namespace: paperless
annotations:
cert-manager.io/cluster-issuer: letsencrypt
traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
traefik.ingress.kubernetes.io/router.middlewares: paperless-redirect-https@kubernetescrd
spec:
ingressClassName: traefik
rules:
- host: docs.expertfab.de
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: oauth2-proxy
port:
number: 4180
tls:
- hosts:
- docs.expertfab.de
secretName: paperless-tls

83
k8s/paperless/oauth2-proxy.yaml Normal file
View File

@@ -0,0 +1,83 @@
---
apiVersion: v1
kind: Secret
metadata:
name: oauth2-proxy-secrets
namespace: paperless
type: Opaque
stringData:
OAUTH2_PROXY_CLIENT_ID: "371736929185563308"
OAUTH2_PROXY_CLIENT_SECRET: "2WVS5uGOKOYozY0T6QLi854vihLrNbchqkPhEZxKS74b5iRQeeLH8EMhUiZIHWPH"
OAUTH2_PROXY_COOKIE_SECRET: "NcF3zVJcPIpBYpLL4TIqpmBAcESddly-LVHAKw--xl8"
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: oauth2-proxy
namespace: paperless
spec:
replicas: 1
selector:
matchLabels:
app: oauth2-proxy
template:
metadata:
labels:
app: oauth2-proxy
spec:
containers:
- name: oauth2-proxy
image: quay.io/oauth2-proxy/oauth2-proxy:v7.7.1
args:
- --provider=oidc
- --oidc-issuer-url=https://auth.expertfab.de
- --redirect-url=https://docs.expertfab.de/oauth2/callback
- --upstream=http://paperless:8000
- --http-address=0.0.0.0:4180
- --email-domain=*
- --scope=openid profile email
- --skip-provider-button=true
- --skip-auth-regex=^/api/
- --skip-auth-regex=^/api-auth/
- --cookie-secure=true
- --cookie-samesite=lax
- --reverse-proxy=true
- --pass-access-token=true
- --set-xauthrequest=true
env:
- name: OAUTH2_PROXY_CLIENT_ID
valueFrom:
secretKeyRef:
name: oauth2-proxy-secrets
key: OAUTH2_PROXY_CLIENT_ID
- name: OAUTH2_PROXY_CLIENT_SECRET
valueFrom:
secretKeyRef:
name: oauth2-proxy-secrets
key: OAUTH2_PROXY_CLIENT_SECRET
- name: OAUTH2_PROXY_COOKIE_SECRET
valueFrom:
secretKeyRef:
name: oauth2-proxy-secrets
key: OAUTH2_PROXY_COOKIE_SECRET
ports:
- containerPort: 4180
resources:
requests:
cpu: 50m
memory: 64Mi
limits:
cpu: 100m
memory: 128Mi
---
apiVersion: v1
kind: Service
metadata:
name: oauth2-proxy
namespace: paperless
spec:
selector:
app: oauth2-proxy
ports:
- port: 4180
targetPort: 4180