gitops/plane: fix issuer on ingress

gitops/home-kubernetes/external-secrets/secretstore-vault.yaml

@@ -1,18 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: SecretStore
-metadata:
-  name: vault-backend
-  namespace: external-secrets
-spec:
-  provider:
-    vault:
-      server: "https://vault.hrajfrisbee.cz:8200"
-      path: "secret"
-      version: "v2"
-      auth:
-        appRole:
-          path: "approle"
-          roleId: "864e352d-2064-2bf9-2c73-dbd676a95368"  # or reference a secret
-          secretRef:
-            name: vault-approle
-            key: secret-id

gitops/home-kubernetes/ingress-nginx/helmrelease_ingress-nginx.yaml

@@ -11,11 +11,13 @@ spec:
       sourceRef:
         kind: HelmRepository
         name: ingress-nginx
-      version: 4.12.0
+      version: 4.14.1
   values:
     controller:
       admissionWebhooks:
         enabled: false
         patch:
           enabled: false
+      config:
+        annotations-risk-level: "Critical"
   interval: 5m0s

gitops/home-kubernetes/mariadb-operator/helmrelease-crds.yaml

@@ -0,0 +1,19 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: mariadb-operator-crds
+  namespace: mariadb-operator
+spec:
+  interval: 1h
+  chart:
+    spec:
+      chart: mariadb-operator-crds
+      version: "25.10.*"
+      sourceRef:
+        kind: HelmRepository
+        name: mariadb-operator
+        namespace: flux-system
+  install:
+    crds: Create
+  upgrade:
+    crds: CreateReplace

gitops/home-kubernetes/mariadb-operator/helmrelease-operator.yaml

@@ -0,0 +1,31 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: mariadb-operator
+  namespace: mariadb-operator
+spec:
+  interval: 1h
+  dependsOn:
+    - name: mariadb-operator-crds
+  chart:
+    spec:
+      chart: mariadb-operator
+      version: "25.10.*"
+      sourceRef:
+        kind: HelmRepository
+        name: mariadb-operator
+        namespace: flux-system
+  values:
+    # uses built-in cert-controller for webhook TLS (no cert-manager dep)
+    webhook:
+      cert:
+        certManager:
+          enabled: false
+    # disable HA for operator itself (fine for testing)
+    ha:
+      enabled: false
+    # optional: enable metrics
+    metrics:
+      enabled: false
+      serviceMonitor:
+        enabled: false

gitops/home-kubernetes/mariadb-operator/helmrepository.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: mariadb-operator
+  namespace: flux-system
+spec:
+  interval: 1h
+  url: https://helm.mariadb.com/mariadb-operator

gitops/home-kubernetes/mariadb-operator/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: mariadb-operator

gitops/home-kubernetes/next-cloud/externalsecret.yaml

@@ -0,0 +1,34 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: nextcloud-secrets
+  namespace: nextcloud
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: vault-backend  # or your store
+    kind: ClusterSecretStore
+  target:
+    name: nextcloud-secrets
+    creationPolicy: Owner
+  data:
+    - secretKey: nextcloud-password
+      remoteRef:
+        key: k8s_home/nextcloud/admin
+        property: password
+    - secretKey: nextcloud-username
+      remoteRef:
+        key: k8s_home/nextcloud/admin
+        property: username
+    - secretKey: db-username
+      remoteRef:
+        key: k8s_home/nextcloud/postgres
+        property: db-username
+    - secretKey: postgres-password
+      remoteRef:
+        key: k8s_home/nextcloud/postgres
+        property: password
+    - secretKey: redis-password
+      remoteRef:
+        key: k8s_home/nextcloud/redis
+        property: password

gitops/home-kubernetes/next-cloud/helmrelease.yaml

@@ -0,0 +1,263 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: nextcloud
+  namespace: nextcloud
+spec:
+  interval: 30m
+  timeout: 15m  # Nextcloud init can be slow
+  chart:
+    spec:
+      chart: nextcloud
+      version: "8.6.0"  # Latest as of Jan 2025
+      sourceRef:
+        kind: HelmRepository
+        name: nextcloud
+        namespace: flux-system
+      interval: 12h
+  install:
+    crds: CreateReplace
+    remediation:
+      retries: 3
+  upgrade:
+    crds: CreateReplace
+    cleanupOnFail: true
+    remediation:
+      retries: 3
+      remediateLastFailure: true
+  # CRITICAL: Suspend during major version upgrades to prevent restart loops
+  # suspend: true
+  values:
+    image:
+      repository: nextcloud
+      tag: 32.0.3-apache  # Latest as of Jan 2025. For fresh installs only.
+      # UPGRADE PATH: If upgrading from older version, go sequentially:
+      # 29.x → 30.0.x → 31.0.x → 32.0.x (one major at a time)
+      pullPolicy: IfNotPresent
+
+    replicaCount: 1  # >1 requires Redis, see below
+
+    nextcloud:
+      host: nextcloud.lab.home.hrajfrisbee.cz  # Substitute or hardcode
+      # existingSecret: nextcloud-admin  # Alternative to inline credentials
+      existingSecret:
+        enabled: true
+        secretName: nextcloud-secrets
+        # usernameKey: username
+        passwordKey: nextcloud-password
+
+      username: admin
+      # password set via valuesFrom secret
+
+
+      # PHP tuning - critical for stability
+      phpConfigs:
+        uploadLimit.ini: |
+          upload_max_filesize = 16G
+          post_max_size = 16G
+          max_input_time = 3600
+          max_execution_time = 3600
+        www-conf.ini: |
+          [www]
+          pm = dynamic
+          pm.max_children = 20
+          pm.start_servers = 4
+          pm.min_spare_servers = 2
+          pm.max_spare_servers = 6
+          pm.max_requests = 500
+        memory.ini: |
+          memory_limit = 1G
+        opcache.ini: |
+          opcache.enable = 1
+          opcache.interned_strings_buffer = 32
+          opcache.max_accelerated_files = 10000
+          opcache.memory_consumption = 256
+          opcache.save_comments = 1
+          opcache.revalidate_freq = 60
+          ; Set to 0 if using ConfigMap-mounted configs
+
+      configs:
+        # Proxy and overwrite settings - CRITICAL for ingress
+        proxy.config.php: |-
+          <?php
+          $CONFIG = array (
+            'trusted_proxies' => array(
+              0 => '127.0.0.1',
+              1 => '10.0.0.0/8',
+              2 => '172.16.0.0/12',
+              3 => '192.168.0.0/16',
+            ),
+            'forwarded_for_headers' => array('HTTP_X_FORWARDED_FOR'),
+            'overwriteprotocol' => 'https',
+          );
+
+        # Performance and maintenance
+        custom.config.php: |-
+          <?php
+          $CONFIG = array (
+            'default_phone_region' => 'US',
+            'maintenance_window_start' => 1,
+            'filelocking.enabled' => true,
+            'memcache.local' => '\\OC\\Memcache\\APCu',
+            'memcache.distributed' => '\\OC\\Memcache\\Redis',
+            'memcache.locking' => '\\OC\\Memcache\\Redis',
+            'redis' => array(
+              'host' => 'nextcloud-redis-master',
+              'port' => 6379,
+              'password' => getenv('REDIS_PASSWORD'),
+            ),
+          );
+
+      extraEnv:
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: nextcloud-secrets
+              key: redis-password
+
+    # Ingress - adjust for your ingress controller
+    ingress:
+      enabled: true
+      className: nginx  # or traefik, etc.
+      annotations:
+        nginx.ingress.kubernetes.io/proxy-body-size: "16G"
+        nginx.ingress.kubernetes.io/proxy-connect-timeout: "3600"
+        nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
+        nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
+        nginx.ingress.kubernetes.io/server-snippet: |
+          server_tokens off;
+          proxy_hide_header X-Powered-By;
+          rewrite ^/.well-known/webfinger /index.php/.well-known/webfinger last;
+          rewrite ^/.well-known/nodeinfo /index.php/.well-known/nodeinfo last;
+          rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
+          rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json;
+          location = /.well-known/carddav {
+            return 301 $scheme://$host/remote.php/dav;
+          }
+          location = /.well-known/caldav {
+            return 301 $scheme://$host/remote.php/dav;
+          }
+        cert-manager.io/cluster-issuer: letsencrypt-prod
+      tls:
+        - secretName: nextcloud-tls
+          hosts:
+            - nextcloud.lab.home.hrajfrisbee.cz
+
+    # PostgreSQL - strongly recommended over MariaDB for Nextcloud
+    postgresql:
+      enabled: true
+      global:
+        postgresql:
+          auth:
+            username: nextcloud
+            database: nextcloud
+            existingSecret: nextcloud-secrets
+            secretKeys:
+              userPasswordKey: postgres-password
+      primary:
+        persistence:
+          enabled: true
+          size: 8Gi
+          storageClass: ""  # Use default or specify
+        resources:
+          requests:
+            memory: 256Mi
+            cpu: 100m
+          limits:
+            memory: 512Mi
+
+    # Redis - required for file locking and sessions
+    redis:
+      enabled: true
+      auth:
+        enabled: true
+        existingSecret: nextcloud-secrets
+        existingSecretPasswordKey: redis-password
+      architecture: standalone
+      master:
+        persistence:
+          enabled: true
+          size: 1Gi
+
+    # Disable built-in databases we're not using
+    mariadb:
+      enabled: false
+    internalDatabase:
+      enabled: false
+
+    externalDatabase:
+      enabled: true
+      type: postgresql
+      host: nextcloud-postgresql  # Service name created by subchart
+      user: nextcloud
+      database: nextcloud
+      existingSecret:
+        enabled: true
+        secretName: nextcloud-secrets
+        passwordKey: postgres-password      
+
+    # Cron job - CRITICAL: never use AJAX cron
+    cronjob:
+      enabled: true
+      schedule: "*/5 * * * *"
+      resources:
+        requests:
+          memory: 256Mi
+          cpu: 50m
+        limits:
+          memory: 512Mi
+
+    # Main persistence
+    persistence:
+      enabled: true
+      storageClass: ""  # Specify your storage class
+      size: 100Gi
+      accessMode: ReadWriteOnce
+      # nextcloudData - separate PVC for user data (recommended)
+      nextcloudData:
+        enabled: true
+        storageClass: ""
+        size: 500Gi
+        accessMode: ReadWriteOnce
+
+    # Resource limits - tune based on usage
+    resources:
+      requests:
+        cpu: 200m
+        memory: 512Mi
+      limits:
+        memory: 2Gi
+
+    # Liveness/Readiness - tuned to prevent upgrade restart loops
+    livenessProbe:
+      enabled: true
+      initialDelaySeconds: 30
+      periodSeconds: 30
+      timeoutSeconds: 10
+      failureThreshold: 6
+      successThreshold: 1
+    readinessProbe:
+      enabled: true
+      initialDelaySeconds: 30
+      periodSeconds: 30
+      timeoutSeconds: 10
+      failureThreshold: 6
+      successThreshold: 1
+    startupProbe:
+      enabled: true
+      initialDelaySeconds: 60
+      periodSeconds: 30
+      timeoutSeconds: 10
+      failureThreshold: 30  # 15 minutes for upgrades
+
+    # Security context - avoid fsGroup recursive chown
+    securityContext:
+      fsGroupChangePolicy: OnRootMismatch
+    podSecurityContext:
+      fsGroup: 33  # www-data
+
+    # Metrics - optional but recommended
+    metrics:
+      enabled: false  # Enable if you have Prometheus
+      # serviceMonitor:
+      #   enabled: true

gitops/home-kubernetes/next-cloud/helmrepository.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: nextcloud
+  namespace: flux-system
+spec:
+  interval: 24h
+  url: https://nextcloud.github.io/helm/

gitops/home-kubernetes/next-cloud/namespace.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: nextcloud
+  labels:
+    pod-security.kubernetes.io/enforce: baseline
+    pod-security.kubernetes.io/warn: restricted

gitops/home-kubernetes/plane/helmrelease.yaml

@@ -33,7 +33,7 @@ spec:
       rabbitmqHost: "plane-mq.lab.home.hrajfrisbee.cz"  # optional
       ingressClass: nginx
       ingress_annotations:
-        cert-manager.io/cluster-issuer: letsencrypt-production
+        cert-manager.io/cluster-issuer: letsencrypt-prod
         nginx.ingress.kubernetes.io/auth-url: "https://oauth2-proxy.lab.home.hrajfrisbee.cz/oauth2/auth"
         nginx.ingress.kubernetes.io/auth-signin: "https://oauth2-proxy.lab.home.hrajfrisbee.cz/oauth2/start?rd=$scheme://$host$escaped_request_uri"
         nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User,X-Auth-Request-Email,Authorization"

gitops/home-kubernetes/seafile/externalsecret.yaml

@@ -0,0 +1,30 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: seafile-secret
+  namespace: seafile
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: vault-backend  # or your store
+    kind: ClusterSecretStore
+  target:
+    name: seafile-secret
+    creationPolicy: Owner
+  data:
+    - secretKey: JWT_PRIVATE_KEY
+      remoteRef:
+        key: k8s_home/seafile
+        property: JWT_PRIVATE_KEY
+    - secretKey: SEAFILE_MYSQL_DB_PASSWORD
+      remoteRef:
+        key: k8s_home/seafile
+        property: SEAFILE_MYSQL_DB_PASSWORD
+    - secretKey: INIT_SEAFILE_ADMIN_PASSWORD
+      remoteRef:
+        key: k8s_home/seafile
+        property: INIT_SEAFILE_ADMIN_PASSWORD
+    - secretKey: INIT_SEAFILE_MYSQL_ROOT_PASSWORD
+      remoteRef:
+        key: k8s_home/seafile
+        property: INIT_SEAFILE_MYSQL_ROOT_PASSWORD

gitops/home-kubernetes/seafile/helmrelease.yaml

@@ -0,0 +1,114 @@
+# apps/seafile/helmrelease.yaml
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: seafile
+  namespace: seafile
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: ce
+      version: "13.0.2"
+      sourceRef:
+        kind: HelmRepository
+        name: seafile
+        namespace: flux-system
+  install:
+    createNamespace: true
+    remediation:
+      retries: 3
+  upgrade:
+    remediation:
+      retries: 3
+
+  # Post-render patches
+  postRenderers:
+    - kustomize:
+        patches:
+          # Remove imagePullSecrets from all Deployments
+          - target:
+              kind: Deployment
+            patch: |
+              - op: remove
+                path: /spec/template/spec/imagePullSecrets
+          # Remove from StatefulSets (MariaDB, etc.)
+          - target:
+              kind: StatefulSet
+            patch: |
+              - op: remove
+                path: /spec/template/spec/imagePullSecrets
+          # Remove from Pods if any
+          - target:
+              kind: Pod
+            patch: |
+              - op: remove
+                path: /spec/imagePullSecrets
+  values:
+    seafile:
+      initMode: true
+
+      # The following are the configurations of seafile container
+      configs:
+        image: seafileltd/seafile-mc:13.0-latest 
+        seafileDataVolume: 
+          storage: 10Gi
+      
+      # The following are environments of seafile services
+      env:
+        # for Seafile server
+        TIME_ZONE: "UTC"
+        SEAFILE_LOG_TO_STDOUT: "true"
+        SITE_ROOT: "/"
+        SEAFILE_SERVER_HOSTNAME: "seafile.lab.home.hrajfrisbee.cz"
+        SEAFILE_SERVER_PROTOCOL: "https"
+
+        # for database
+        SEAFILE_MYSQL_DB_HOST: "seafile-mariadb"
+        SEAFILE_MYSQL_DB_PORT: "3306"
+        SEAFILE_MYSQL_DB_USER: "seafile"
+        #SEAFILE_MYSQL_DB_CCNET_DB_NAME: "ccnet-db"
+        #SEAFILE_MYSQL_DB_SEAFILE_DB_NAME: "seafile-db"
+        #SEAFILE_MYSQL_DB_SEAHUB_DB_NAME: "seahub-db"
+
+        # for cache
+        CACHE_PROVIDER: "redis"
+
+        ## for redis
+        REDIS_HOST: "redis"
+        REDIS_PORT: "6379"
+
+        ## for memcached
+        #MEMCACHED_HOST: ""
+        #MEMCACHED_PORT: "11211"
+
+        # for notification
+        ENABLE_NOTIFICATION_SERVER: "false"
+        NOTIFICATION_SERVER_URL: ""
+
+        # for seadoc
+        ENABLE_SEADOC: "false"
+        SEADOC_SERVER_URL: "" # only valid in ENABLE_SEADOC = true
+
+        # for Seafile AI
+        ENABLE_SEAFILE_AI: "false"
+        SEAFILE_AI_SERVER_URL: ""
+
+        # for Metadata server
+        MD_FILE_COUNT_LIMIT: "100000"
+
+        # initialization (only valid in first-time deployment and initMode = true)
+
+        ## for Seafile admin
+        INIT_SEAFILE_ADMIN_EMAIL: "kacerr.cz@gmail.com"
+
+      # if you are using another secret name / key for seafile or mysql, please make correct the following fields:
+      #secretsMap:
+      #  DB_ROOT_PASSWD:  # Env's name
+      #    secret: seafile-secret # secret's name, `seafile-secret` if not specify
+      #    key: INIT_SEAFILE_MYSQL_ROOT_PASSWORD # secret's key, `Env's name` if not specify
+      
+      # extra configurations
+      extraResources: {}
+      extraEnv: []
+      extraVolumes: []

gitops/home-kubernetes/seafile/helmrepository.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: seafile
+  namespace: flux-system
+spec:
+  interval: 1h
+  url: https://haiwen.github.io/seafile-helm-chart/repo

gitops/home-kubernetes/seafile/ingress.yaml

@@ -0,0 +1,35 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    meta.helm.sh/release-name: seafile
+    meta.helm.sh/release-namespace: seafile
+    nginx.ingress.kubernetes.io/proxy-body-size: "100m"  # 0 = unlimited, or "500m"
+    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
+    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
+    nginx.ingress.kubernetes.io/proxy-request-buffering: "off"    
+  labels:
+    app.kubernetes.io/component: app
+    app.kubernetes.io/instance: seafile
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: seafile
+  name: seafile
+  namespace: seafile
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: seafile.lab.home.hrajfrisbee.cz
+    http:
+      paths:
+      - backend:
+          service:
+            name: seafile
+            port:
+              number: 80
+        path: /
+        pathType: Prefix
+  tls:
+  - hosts:
+    - seafile.lab.home.hrajfrisbee.cz
+    secretName: seafile-tls

gitops/home-kubernetes/seafile/mariadb-database-ccnet-db.yaml.rmv

@@ -0,0 +1,10 @@
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: Database
+metadata:
+  name: ccnet-db
+  namespace: seafile
+spec:
+  mariaDbRef:
+    name: seafile-mariadb
+  characterSet: utf8mb4
+  collate: utf8mb4_general_ci

gitops/home-kubernetes/seafile/mariadb-database-seafile-db.yaml.rmv

@@ -0,0 +1,10 @@
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: Database
+metadata:
+  name: seafile-db
+  namespace: seafile
+spec:
+  mariaDbRef:
+    name: seafile-mariadb
+  characterSet: utf8mb4
+  collate: utf8mb4_general_ci

gitops/home-kubernetes/seafile/mariadb-database-seahub-db.yaml.rmv

@@ -0,0 +1,10 @@
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: Database
+metadata:
+  name: seahub-db
+  namespace: seafile
+spec:
+  mariaDbRef:
+    name: seafile-mariadb
+  characterSet: utf8mb4
+  collate: utf8mb4_general_ci

gitops/home-kubernetes/seafile/mariadb-grant-seafile.yaml

@@ -0,0 +1,61 @@
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: Grant
+metadata:
+  name: all-privileges
+spec:
+  mariaDbRef:
+    name: seafile-mariadb
+  username: seafile
+  database: "*"
+  table: "*"
+  privileges:
+    - ALL PRIVILEGES
+  grantOption: true
+# ---
+# apiVersion: k8s.mariadb.com/v1alpha1
+# kind: Grant
+# metadata:
+#   name: seafile-grant
+#   namespace: seafile
+# spec:
+#   mariaDbRef:
+#     name: seafile-mariadb
+#   privileges:
+#     - ALL PRIVILEGES
+#   database: seafile-db
+#   table: "*"
+#   username: seafile
+#   host: "%"
+#   grantOption: false
+# ---
+# apiVersion: k8s.mariadb.com/v1alpha1
+# kind: Grant
+# metadata:
+#   name: seahub-grant
+#   namespace: seafile
+# spec:
+#   mariaDbRef:
+#     name: seafile-mariadb
+#   privileges:
+#     - ALL PRIVILEGES
+#   database: seahub-db
+#   table: "*"
+#   username: seafile
+#   host: "%"
+#   grantOption: false
+# ---
+# apiVersion: k8s.mariadb.com/v1alpha1
+# kind: Grant
+# metadata:
+#   name: ccnet-grant
+#   namespace: seafile
+# spec:
+#   mariaDbRef:
+#     name: seafile-mariadb
+#   privileges:
+#     - ALL PRIVILEGES
+#   database: ccnet-db
+#   table: "*"
+#   username: seafile
+#   host: "%"
+#   grantOption: false  

gitops/home-kubernetes/seafile/mariadb-user.yaml

@@ -0,0 +1,13 @@
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: User
+metadata:
+  name: seafile
+  namespace: seafile
+spec:
+  mariaDbRef:
+    name: seafile-mariadb
+  passwordSecretKeyRef:
+    name: seafile-secret
+    key: SEAFILE_MYSQL_DB_PASSWORD
+  maxUserConnections: 20
+  host: "%"

gitops/home-kubernetes/seafile/mariadb.yaml

@@ -0,0 +1,33 @@
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: MariaDB
+metadata:
+  name: seafile-mariadb
+  namespace: seafile
+spec:
+  rootPasswordSecretKeyRef:
+    name: seafile-secret
+    key: INIT_SEAFILE_MYSQL_ROOT_PASSWORD
+
+  image: mariadb:11.4
+
+  port: 3306
+
+  storage:
+    size: 10Gi
+    # storageClassName: your-storage-class
+
+  resources:
+    requests:
+      cpu: 100m
+      memory: 256Mi
+    limits:
+      memory: 1Gi
+
+  myCnf: |
+    [mariadb]
+    bind-address=*
+    default_storage_engine=InnoDB
+    binlog_format=row
+    innodb_autoinc_lock_mode=2
+    innodb_buffer_pool_size=256M
+    max_allowed_packet=256M

gitops/home-kubernetes/seafile/memcached.yaml

@@ -0,0 +1,39 @@
+# apiVersion: apps/v1
+# kind: Deployment
+# metadata:
+#   name: seafile-memcached
+#   namespace: seafile
+# spec:
+#   replicas: 1
+#   selector:
+#     matchLabels:
+#       app: seafile-memcached
+#   template:
+#     metadata:
+#       labels:
+#         app: seafile-memcached
+#     spec:
+#       containers:
+#         - name: memcached
+#           image: memcached:1.6-alpine
+#           args: ["-m", "128"]  # 128MB memory limit
+#           ports:
+#             - containerPort: 11211
+#           resources:
+#             requests:
+#               memory: 64Mi
+#               cpu: 25m
+#             limits:
+#               memory: 192Mi
+# ---
+# apiVersion: v1
+# kind: Service
+# metadata:
+#   name: seafile-memcached
+#   namespace: seafile
+# spec:
+#   selector:
+#     app: seafile-memcached
+#   ports:
+#     - port: 11211
+#       targetPort: 11211

gitops/home-kubernetes/seafile/my-values.yaml.src

@@ -0,0 +1,67 @@
+seafile:
+  initMode: true
+
+  # The following are the configurations of seafile container
+  configs:
+    image: seafileltd/seafile-mc:13.0-latest 
+    seafileDataVolume: 
+      storage: 10Gi
+  
+  # The following are environments of seafile services
+  env:
+    # for Seafile server
+    TIME_ZONE: "UTC"
+    SEAFILE_LOG_TO_STDOUT: "true"
+    SITE_ROOT: "/"
+    SEAFILE_SERVER_HOSTNAME: "seafile.lab.home.hrajfrisbee.cz"
+    SEAFILE_SERVER_PROTOCOL: "https"
+
+    # for database
+    SEAFILE_MYSQL_DB_HOST: "seafile-mariadb"
+    SEAFILE_MYSQL_DB_PORT: "3306"
+    SEAFILE_MYSQL_DB_USER: "seafile"
+    SEAFILE_MYSQL_DB_CCNET_DB_NAME: "ccnet-db"
+    SEAFILE_MYSQL_DB_SEAFILE_DB_NAME: "seafile-db"
+    SEAFILE_MYSQL_DB_SEAHUB_DB_NAME: "seahub-db"
+
+    # for cache
+    CACHE_PROVIDER: "redis"
+
+    ## for redis
+    REDIS_HOST: "redis"
+    REDIS_PORT: "6379"
+
+    ## for memcached
+    #MEMCACHED_HOST: ""
+    #MEMCACHED_PORT: "11211"
+
+    # for notification
+    ENABLE_NOTIFICATION_SERVER: "false"
+    NOTIFICATION_SERVER_URL: ""
+
+    # for seadoc
+    ENABLE_SEADOC: "false"
+    SEADOC_SERVER_URL: "" # only valid in ENABLE_SEADOC = true
+
+    # for Seafile AI
+    ENABLE_SEAFILE_AI: "false"
+    SEAFILE_AI_SERVER_URL: ""
+
+    # for Metadata server
+    MD_FILE_COUNT_LIMIT: "100000"
+
+    # initialization (only valid in first-time deployment and initMode = true)
+
+    ## for Seafile admin
+    INIT_SEAFILE_ADMIN_EMAIL: "kacerr.cz@gmail.com"
+
+  # if you are using another secret name / key for seafile or mysql, please make correct the following fields:
+  #secretsMap:
+  #  DB_ROOT_PASSWD:  # Env's name
+  #    secret: seafile-secret # secret's name, `seafile-secret` if not specify
+  #    key: INIT_SEAFILE_MYSQL_ROOT_PASSWORD # secret's key, `Env's name` if not specify
+  
+  # extra configurations
+  extraResources: {}
+  extraEnv: []
+  extraVolumes: []

gitops/home-kubernetes/seafile/namespace.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    kubernetes.io/metadata.name: seafile
+  name: seafile

gitops/home-kubernetes/seafile/readme.md

@@ -0,0 +1,4 @@
+## deployment
+
+it looks like seafile deployment is not "straightforward" it first has to be started in `initialization mode` - `initMode: true` and after initialization switched into `normal` mode.
+

gitops/home-kubernetes/seafile/redis-full-deployment.yaml

@@ -0,0 +1,84 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: redis-config
+  namespace: seafile
+data:
+  redis.conf: |
+    maxmemory 128mb
+    maxmemory-policy allkeys-lru
+    appendonly yes
+    appendfsync everysec
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: redis
+  namespace: seafile
+  labels:
+    app: redis
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: redis
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app: redis
+    spec:
+      containers:
+        - name: redis
+          image: redis:7-alpine
+          args:
+            - redis-server
+            - /etc/redis/redis.conf
+          ports:
+            - containerPort: 6379
+              name: redis
+          resources:
+            requests:
+              cpu: 50m
+              memory: 64Mi
+            limits:
+              memory: 256Mi
+          volumeMounts:
+            - name: redis-config
+              mountPath: /etc/redis
+            - name: redis-data
+              mountPath: /data
+          livenessProbe:
+            exec:
+              command: [redis-cli, ping]
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          readinessProbe:
+            exec:
+              command: [redis-cli, ping]
+            initialDelaySeconds: 3
+            periodSeconds: 5
+      volumes:
+        - name: redis-config
+          configMap:
+            name: redis-config
+        - name: redis-data
+          emptyDir: {}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: redis
+  namespace: seafile
+  labels:
+    app: redis
+spec:
+  selector:
+    app: redis
+  ports:
+    - port: 6379
+      targetPort: 6379
+      name: redis
+  type: ClusterIP