gitops/plane: fix issuer on ingress

tailscaled

.gitignore

@@ -1,4 +1,7 @@
-.terraform/
+.DS_Store
 
-./kubernetes-kvm-terraform/join-command.txt
-./kubernetes-kvm-terraform/kubeconfig
+.terraform/
+.terraform.lock.hcl
+
+kubernetes-kvm-terraform/join-command.txt
+kubernetes-kvm-terraform/kubeconfig

docker-30/gitea/docker-compose.yaml

@@ -57,6 +57,15 @@ services:
       - GITEA__server__ROOT_URL=https://gitea.home.hrajfrisbee.cz
       - GITEA__security__SECRET_KEY=${GITEA_SECRET_KEY}
       - GITEA__security__INTERNAL_TOKEN=${INTERNAL_TOKEN}
+      - GITEA__mailer__ENABLED=true
+      - GITEA__mailer__PROTOCOL=smtps
+      - GITEA__mailer__SMTP_ADDR=smtp.gmail.com
+      - GITEA__mailer__SMTP_PORT=465
+      - GITEA__mailer__USER=kacerr.cz@gmail.com
+      - GITEA__mailer__PASSWD=${GMAIL_GITEA_APP_PASSWORD}
+      - GITEA__mailer__FROM=kacerr.cz+gitea@gmail.com
+      - GITEA__packages__ENABLED=true
+
       #- GITEA__storage__STORAGE_TYPE=minio
       #- GITEA__storage__MINIO_ENDPOINT=minio:9000
       #- GITEA__storage__MINIO_ACCESS_KEY_ID=gitea
@@ -83,7 +92,7 @@ services:
     depends_on:
       - gitea
     environment:
-      GITEA_INSTANCE_URL: http://gitea:3000
+      GITEA_INSTANCE_URL: https://gitea.home.hrajfrisbee.cz/
       GITEA_RUNNER_REGISTRATION_TOKEN: ${RUNNER_TOKEN}
     volumes:
       - ./runner-data:/data

docker-30/kanidm/readme.md

@@ -54,6 +54,50 @@ kanidm person get novakj | grep memberof
 kanidm group get idm_people_self_name_write
 ```
 
+## configure oauth proxy
+
+```bash
+kanidm system oauth2 create oauth2-proxy "OAuth2 Proxy" https://oauth2-proxy.lab.home.hrajfrisbee.cz/oauth2/callback
+kanidm system oauth2 set-landing-url oauth2-proxy https://oauth2-proxy.lab.home.hrajfrisbee.cz
+kanidm system oauth2 enable-pkce oauth2-proxy
+kanidm system oauth2 warning-insecure-client-disable-pkce oauth2-proxy  # if proxy doesn't support PKCE
+kanidm system oauth2 get oauth2-proxy  # note the client secret
+
+# update incorrect urls if needed
+remove-redirect-url
+kanidm system oauth2 add-redirect-url oauth2-proxy https://oauth2-proxy.lab.home.hrajfrisbee.cz/oauth2/callback
+kanidm system oauth2 set-landing-url oauth2-proxy https://oauth2-proxy.lab.home.hrajfrisbee.cz
+
+# output
+✔ Multiple authentication tokens exist. Please select one · idm_admin@idm.home.hrajfrisbee.cz
+---
+class: account
+class: key_object
+class: key_object_internal
+class: key_object_jwe_a128gcm
+class: key_object_jwt_es256
+class: memberof
+class: oauth2_resource_server
+class: oauth2_resource_server_basic
+class: object
+displayname: OAuth2 Proxy
+key_internal_data: 69df0a387991455f7c9800f13b881803: valid jwe_a128gcm 0
+key_internal_data: c5f61c48a9c0eb61ba993a36748826cc: valid jws_es256 0
+name: oauth2-proxy
+oauth2_allow_insecure_client_disable_pkce: true
+oauth2_rs_basic_secret: hidden
+oauth2_rs_origin_landing: https://oauth2-proxylab.home.hrajfrisbee.cz/
+oauth2_strict_redirect_uri: true
+spn: oauth2-proxy@idm.home.hrajfrisbee.cz
+uuid: d0dcbad5-90e4-4e36-a51b-653624069009
+
+secret: 7KJbUe5x35NVCT1VbzZfhYBU19cz9Xe9Z1fvw4WazrkHX2c8
+
+
+
+kanidm system oauth2 update-scope-map oauth2-proxy k8s_users openid profile email 
+```
+
 
 
 ```bash

gitops/home-kubernetes/cilium/helmrelelase_cilium.yaml

@@ -18,6 +18,7 @@ spec:
   values:
     cluster:
       name: "home-kube"
+    devices: "eth+ bond+ en+"
     hubble:
       relay:
         enabled: true

gitops/home-kubernetes/external-secrets/secretstore-vault.yaml

@@ -1,18 +0,0 @@
-apiVersion: external-secrets.io/v1
-kind: SecretStore
-metadata:
-  name: vault-backend
-  namespace: external-secrets
-spec:
-  provider:
-    vault:
-      server: "https://vault.hrajfrisbee.cz:8200"
-      path: "secret"
-      version: "v2"
-      auth:
-        appRole:
-          path: "approle"
-          roleId: "864e352d-2064-2bf9-2c73-dbd676a95368"  # or reference a secret
-          secretRef:
-            name: vault-approle
-            key: secret-id

gitops/home-kubernetes/ingress-nginx/helmrelease_ingress-nginx.yaml

@@ -11,11 +11,13 @@ spec:
       sourceRef:
         kind: HelmRepository
         name: ingress-nginx
-      version: 4.12.0
+      version: 4.14.1
   values:
     controller:
       admissionWebhooks:
         enabled: false
         patch:
           enabled: false
+      config:
+        annotations-risk-level: "Critical"
   interval: 5m0s

gitops/home-kubernetes/mariadb-operator/helmrelease-crds.yaml

@@ -0,0 +1,19 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: mariadb-operator-crds
+  namespace: mariadb-operator
+spec:
+  interval: 1h
+  chart:
+    spec:
+      chart: mariadb-operator-crds
+      version: "25.10.*"
+      sourceRef:
+        kind: HelmRepository
+        name: mariadb-operator
+        namespace: flux-system
+  install:
+    crds: Create
+  upgrade:
+    crds: CreateReplace

gitops/home-kubernetes/mariadb-operator/helmrelease-operator.yaml

@@ -0,0 +1,31 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: mariadb-operator
+  namespace: mariadb-operator
+spec:
+  interval: 1h
+  dependsOn:
+    - name: mariadb-operator-crds
+  chart:
+    spec:
+      chart: mariadb-operator
+      version: "25.10.*"
+      sourceRef:
+        kind: HelmRepository
+        name: mariadb-operator
+        namespace: flux-system
+  values:
+    # uses built-in cert-controller for webhook TLS (no cert-manager dep)
+    webhook:
+      cert:
+        certManager:
+          enabled: false
+    # disable HA for operator itself (fine for testing)
+    ha:
+      enabled: false
+    # optional: enable metrics
+    metrics:
+      enabled: false
+      serviceMonitor:
+        enabled: false

gitops/home-kubernetes/mariadb-operator/helmrepository.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: mariadb-operator
+  namespace: flux-system
+spec:
+  interval: 1h
+  url: https://helm.mariadb.com/mariadb-operator

gitops/home-kubernetes/mariadb-operator/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: mariadb-operator

gitops/home-kubernetes/next-cloud/externalsecret.yaml

@@ -0,0 +1,34 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: nextcloud-secrets
+  namespace: nextcloud
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: vault-backend  # or your store
+    kind: ClusterSecretStore
+  target:
+    name: nextcloud-secrets
+    creationPolicy: Owner
+  data:
+    - secretKey: nextcloud-password
+      remoteRef:
+        key: k8s_home/nextcloud/admin
+        property: password
+    - secretKey: nextcloud-username
+      remoteRef:
+        key: k8s_home/nextcloud/admin
+        property: username
+    - secretKey: db-username
+      remoteRef:
+        key: k8s_home/nextcloud/postgres
+        property: db-username
+    - secretKey: postgres-password
+      remoteRef:
+        key: k8s_home/nextcloud/postgres
+        property: password
+    - secretKey: redis-password
+      remoteRef:
+        key: k8s_home/nextcloud/redis
+        property: password

gitops/home-kubernetes/next-cloud/helmrelease.yaml

@@ -0,0 +1,263 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: nextcloud
+  namespace: nextcloud
+spec:
+  interval: 30m
+  timeout: 15m  # Nextcloud init can be slow
+  chart:
+    spec:
+      chart: nextcloud
+      version: "8.6.0"  # Latest as of Jan 2025
+      sourceRef:
+        kind: HelmRepository
+        name: nextcloud
+        namespace: flux-system
+      interval: 12h
+  install:
+    crds: CreateReplace
+    remediation:
+      retries: 3
+  upgrade:
+    crds: CreateReplace
+    cleanupOnFail: true
+    remediation:
+      retries: 3
+      remediateLastFailure: true
+  # CRITICAL: Suspend during major version upgrades to prevent restart loops
+  # suspend: true
+  values:
+    image:
+      repository: nextcloud
+      tag: 32.0.3-apache  # Latest as of Jan 2025. For fresh installs only.
+      # UPGRADE PATH: If upgrading from older version, go sequentially:
+      # 29.x → 30.0.x → 31.0.x → 32.0.x (one major at a time)
+      pullPolicy: IfNotPresent
+
+    replicaCount: 1  # >1 requires Redis, see below
+
+    nextcloud:
+      host: nextcloud.lab.home.hrajfrisbee.cz  # Substitute or hardcode
+      # existingSecret: nextcloud-admin  # Alternative to inline credentials
+      existingSecret:
+        enabled: true
+        secretName: nextcloud-secrets
+        # usernameKey: username
+        passwordKey: nextcloud-password
+
+      username: admin
+      # password set via valuesFrom secret
+
+
+      # PHP tuning - critical for stability
+      phpConfigs:
+        uploadLimit.ini: |
+          upload_max_filesize = 16G
+          post_max_size = 16G
+          max_input_time = 3600
+          max_execution_time = 3600
+        www-conf.ini: |
+          [www]
+          pm = dynamic
+          pm.max_children = 20
+          pm.start_servers = 4
+          pm.min_spare_servers = 2
+          pm.max_spare_servers = 6
+          pm.max_requests = 500
+        memory.ini: |
+          memory_limit = 1G
+        opcache.ini: |
+          opcache.enable = 1
+          opcache.interned_strings_buffer = 32
+          opcache.max_accelerated_files = 10000
+          opcache.memory_consumption = 256
+          opcache.save_comments = 1
+          opcache.revalidate_freq = 60
+          ; Set to 0 if using ConfigMap-mounted configs
+
+      configs:
+        # Proxy and overwrite settings - CRITICAL for ingress
+        proxy.config.php: |-
+          <?php
+          $CONFIG = array (
+            'trusted_proxies' => array(
+              0 => '127.0.0.1',
+              1 => '10.0.0.0/8',
+              2 => '172.16.0.0/12',
+              3 => '192.168.0.0/16',
+            ),
+            'forwarded_for_headers' => array('HTTP_X_FORWARDED_FOR'),
+            'overwriteprotocol' => 'https',
+          );
+
+        # Performance and maintenance
+        custom.config.php: |-
+          <?php
+          $CONFIG = array (
+            'default_phone_region' => 'US',
+            'maintenance_window_start' => 1,
+            'filelocking.enabled' => true,
+            'memcache.local' => '\\OC\\Memcache\\APCu',
+            'memcache.distributed' => '\\OC\\Memcache\\Redis',
+            'memcache.locking' => '\\OC\\Memcache\\Redis',
+            'redis' => array(
+              'host' => 'nextcloud-redis-master',
+              'port' => 6379,
+              'password' => getenv('REDIS_PASSWORD'),
+            ),
+          );
+
+      extraEnv:
+        - name: REDIS_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: nextcloud-secrets
+              key: redis-password
+
+    # Ingress - adjust for your ingress controller
+    ingress:
+      enabled: true
+      className: nginx  # or traefik, etc.
+      annotations:
+        nginx.ingress.kubernetes.io/proxy-body-size: "16G"
+        nginx.ingress.kubernetes.io/proxy-connect-timeout: "3600"
+        nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
+        nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
+        nginx.ingress.kubernetes.io/server-snippet: |
+          server_tokens off;
+          proxy_hide_header X-Powered-By;
+          rewrite ^/.well-known/webfinger /index.php/.well-known/webfinger last;
+          rewrite ^/.well-known/nodeinfo /index.php/.well-known/nodeinfo last;
+          rewrite ^/.well-known/host-meta /public.php?service=host-meta last;
+          rewrite ^/.well-known/host-meta.json /public.php?service=host-meta-json;
+          location = /.well-known/carddav {
+            return 301 $scheme://$host/remote.php/dav;
+          }
+          location = /.well-known/caldav {
+            return 301 $scheme://$host/remote.php/dav;
+          }
+        cert-manager.io/cluster-issuer: letsencrypt-prod
+      tls:
+        - secretName: nextcloud-tls
+          hosts:
+            - nextcloud.lab.home.hrajfrisbee.cz
+
+    # PostgreSQL - strongly recommended over MariaDB for Nextcloud
+    postgresql:
+      enabled: true
+      global:
+        postgresql:
+          auth:
+            username: nextcloud
+            database: nextcloud
+            existingSecret: nextcloud-secrets
+            secretKeys:
+              userPasswordKey: postgres-password
+      primary:
+        persistence:
+          enabled: true
+          size: 8Gi
+          storageClass: ""  # Use default or specify
+        resources:
+          requests:
+            memory: 256Mi
+            cpu: 100m
+          limits:
+            memory: 512Mi
+
+    # Redis - required for file locking and sessions
+    redis:
+      enabled: true
+      auth:
+        enabled: true
+        existingSecret: nextcloud-secrets
+        existingSecretPasswordKey: redis-password
+      architecture: standalone
+      master:
+        persistence:
+          enabled: true
+          size: 1Gi
+
+    # Disable built-in databases we're not using
+    mariadb:
+      enabled: false
+    internalDatabase:
+      enabled: false
+
+    externalDatabase:
+      enabled: true
+      type: postgresql
+      host: nextcloud-postgresql  # Service name created by subchart
+      user: nextcloud
+      database: nextcloud
+      existingSecret:
+        enabled: true
+        secretName: nextcloud-secrets
+        passwordKey: postgres-password      
+
+    # Cron job - CRITICAL: never use AJAX cron
+    cronjob:
+      enabled: true
+      schedule: "*/5 * * * *"
+      resources:
+        requests:
+          memory: 256Mi
+          cpu: 50m
+        limits:
+          memory: 512Mi
+
+    # Main persistence
+    persistence:
+      enabled: true
+      storageClass: ""  # Specify your storage class
+      size: 100Gi
+      accessMode: ReadWriteOnce
+      # nextcloudData - separate PVC for user data (recommended)
+      nextcloudData:
+        enabled: true
+        storageClass: ""
+        size: 500Gi
+        accessMode: ReadWriteOnce
+
+    # Resource limits - tune based on usage
+    resources:
+      requests:
+        cpu: 200m
+        memory: 512Mi
+      limits:
+        memory: 2Gi
+
+    # Liveness/Readiness - tuned to prevent upgrade restart loops
+    livenessProbe:
+      enabled: true
+      initialDelaySeconds: 30
+      periodSeconds: 30
+      timeoutSeconds: 10
+      failureThreshold: 6
+      successThreshold: 1
+    readinessProbe:
+      enabled: true
+      initialDelaySeconds: 30
+      periodSeconds: 30
+      timeoutSeconds: 10
+      failureThreshold: 6
+      successThreshold: 1
+    startupProbe:
+      enabled: true
+      initialDelaySeconds: 60
+      periodSeconds: 30
+      timeoutSeconds: 10
+      failureThreshold: 30  # 15 minutes for upgrades
+
+    # Security context - avoid fsGroup recursive chown
+    securityContext:
+      fsGroupChangePolicy: OnRootMismatch
+    podSecurityContext:
+      fsGroup: 33  # www-data
+
+    # Metrics - optional but recommended
+    metrics:
+      enabled: false  # Enable if you have Prometheus
+      # serviceMonitor:
+      #   enabled: true

gitops/home-kubernetes/next-cloud/helmrepository.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: nextcloud
+  namespace: flux-system
+spec:
+  interval: 24h
+  url: https://nextcloud.github.io/helm/

gitops/home-kubernetes/next-cloud/namespace.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: nextcloud
+  labels:
+    pod-security.kubernetes.io/enforce: baseline
+    pod-security.kubernetes.io/warn: restricted

gitops/home-kubernetes/plane/helmrelease.yaml

@@ -33,7 +33,7 @@ spec:
       rabbitmqHost: "plane-mq.lab.home.hrajfrisbee.cz"  # optional
       ingressClass: nginx
       ingress_annotations:
-        cert-manager.io/cluster-issuer: letsencrypt-production
+        cert-manager.io/cluster-issuer: letsencrypt-prod
         nginx.ingress.kubernetes.io/auth-url: "https://oauth2-proxy.lab.home.hrajfrisbee.cz/oauth2/auth"
         nginx.ingress.kubernetes.io/auth-signin: "https://oauth2-proxy.lab.home.hrajfrisbee.cz/oauth2/start?rd=$scheme://$host$escaped_request_uri"
         nginx.ingress.kubernetes.io/auth-response-headers: "X-Auth-Request-User,X-Auth-Request-Email,Authorization"

gitops/home-kubernetes/seafile/externalsecret.yaml

@@ -0,0 +1,30 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: seafile-secret
+  namespace: seafile
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: vault-backend  # or your store
+    kind: ClusterSecretStore
+  target:
+    name: seafile-secret
+    creationPolicy: Owner
+  data:
+    - secretKey: JWT_PRIVATE_KEY
+      remoteRef:
+        key: k8s_home/seafile
+        property: JWT_PRIVATE_KEY
+    - secretKey: SEAFILE_MYSQL_DB_PASSWORD
+      remoteRef:
+        key: k8s_home/seafile
+        property: SEAFILE_MYSQL_DB_PASSWORD
+    - secretKey: INIT_SEAFILE_ADMIN_PASSWORD
+      remoteRef:
+        key: k8s_home/seafile
+        property: INIT_SEAFILE_ADMIN_PASSWORD
+    - secretKey: INIT_SEAFILE_MYSQL_ROOT_PASSWORD
+      remoteRef:
+        key: k8s_home/seafile
+        property: INIT_SEAFILE_MYSQL_ROOT_PASSWORD

gitops/home-kubernetes/seafile/helmrelease.yaml

@@ -0,0 +1,114 @@
+# apps/seafile/helmrelease.yaml
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: seafile
+  namespace: seafile
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: ce
+      version: "13.0.2"
+      sourceRef:
+        kind: HelmRepository
+        name: seafile
+        namespace: flux-system
+  install:
+    createNamespace: true
+    remediation:
+      retries: 3
+  upgrade:
+    remediation:
+      retries: 3
+
+  # Post-render patches
+  postRenderers:
+    - kustomize:
+        patches:
+          # Remove imagePullSecrets from all Deployments
+          - target:
+              kind: Deployment
+            patch: |
+              - op: remove
+                path: /spec/template/spec/imagePullSecrets
+          # Remove from StatefulSets (MariaDB, etc.)
+          - target:
+              kind: StatefulSet
+            patch: |
+              - op: remove
+                path: /spec/template/spec/imagePullSecrets
+          # Remove from Pods if any
+          - target:
+              kind: Pod
+            patch: |
+              - op: remove
+                path: /spec/imagePullSecrets
+  values:
+    seafile:
+      initMode: true
+
+      # The following are the configurations of seafile container
+      configs:
+        image: seafileltd/seafile-mc:13.0-latest 
+        seafileDataVolume: 
+          storage: 10Gi
+      
+      # The following are environments of seafile services
+      env:
+        # for Seafile server
+        TIME_ZONE: "UTC"
+        SEAFILE_LOG_TO_STDOUT: "true"
+        SITE_ROOT: "/"
+        SEAFILE_SERVER_HOSTNAME: "seafile.lab.home.hrajfrisbee.cz"
+        SEAFILE_SERVER_PROTOCOL: "https"
+
+        # for database
+        SEAFILE_MYSQL_DB_HOST: "seafile-mariadb"
+        SEAFILE_MYSQL_DB_PORT: "3306"
+        SEAFILE_MYSQL_DB_USER: "seafile"
+        #SEAFILE_MYSQL_DB_CCNET_DB_NAME: "ccnet-db"
+        #SEAFILE_MYSQL_DB_SEAFILE_DB_NAME: "seafile-db"
+        #SEAFILE_MYSQL_DB_SEAHUB_DB_NAME: "seahub-db"
+
+        # for cache
+        CACHE_PROVIDER: "redis"
+
+        ## for redis
+        REDIS_HOST: "redis"
+        REDIS_PORT: "6379"
+
+        ## for memcached
+        #MEMCACHED_HOST: ""
+        #MEMCACHED_PORT: "11211"
+
+        # for notification
+        ENABLE_NOTIFICATION_SERVER: "false"
+        NOTIFICATION_SERVER_URL: ""
+
+        # for seadoc
+        ENABLE_SEADOC: "false"
+        SEADOC_SERVER_URL: "" # only valid in ENABLE_SEADOC = true
+
+        # for Seafile AI
+        ENABLE_SEAFILE_AI: "false"
+        SEAFILE_AI_SERVER_URL: ""
+
+        # for Metadata server
+        MD_FILE_COUNT_LIMIT: "100000"
+
+        # initialization (only valid in first-time deployment and initMode = true)
+
+        ## for Seafile admin
+        INIT_SEAFILE_ADMIN_EMAIL: "kacerr.cz@gmail.com"
+
+      # if you are using another secret name / key for seafile or mysql, please make correct the following fields:
+      #secretsMap:
+      #  DB_ROOT_PASSWD:  # Env's name
+      #    secret: seafile-secret # secret's name, `seafile-secret` if not specify
+      #    key: INIT_SEAFILE_MYSQL_ROOT_PASSWORD # secret's key, `Env's name` if not specify
+      
+      # extra configurations
+      extraResources: {}
+      extraEnv: []
+      extraVolumes: []

gitops/home-kubernetes/seafile/helmrepository.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: seafile
+  namespace: flux-system
+spec:
+  interval: 1h
+  url: https://haiwen.github.io/seafile-helm-chart/repo

gitops/home-kubernetes/seafile/ingress.yaml

@@ -0,0 +1,35 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    meta.helm.sh/release-name: seafile
+    meta.helm.sh/release-namespace: seafile
+    nginx.ingress.kubernetes.io/proxy-body-size: "100m"  # 0 = unlimited, or "500m"
+    nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
+    nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
+    nginx.ingress.kubernetes.io/proxy-request-buffering: "off"    
+  labels:
+    app.kubernetes.io/component: app
+    app.kubernetes.io/instance: seafile
+    app.kubernetes.io/managed-by: Helm
+    app.kubernetes.io/name: seafile
+  name: seafile
+  namespace: seafile
+spec:
+  ingressClassName: nginx
+  rules:
+  - host: seafile.lab.home.hrajfrisbee.cz
+    http:
+      paths:
+      - backend:
+          service:
+            name: seafile
+            port:
+              number: 80
+        path: /
+        pathType: Prefix
+  tls:
+  - hosts:
+    - seafile.lab.home.hrajfrisbee.cz
+    secretName: seafile-tls

gitops/home-kubernetes/seafile/mariadb-database-ccnet-db.yaml.rmv

@@ -0,0 +1,10 @@
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: Database
+metadata:
+  name: ccnet-db
+  namespace: seafile
+spec:
+  mariaDbRef:
+    name: seafile-mariadb
+  characterSet: utf8mb4
+  collate: utf8mb4_general_ci

gitops/home-kubernetes/seafile/mariadb-database-seafile-db.yaml.rmv

@@ -0,0 +1,10 @@
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: Database
+metadata:
+  name: seafile-db
+  namespace: seafile
+spec:
+  mariaDbRef:
+    name: seafile-mariadb
+  characterSet: utf8mb4
+  collate: utf8mb4_general_ci

gitops/home-kubernetes/seafile/mariadb-database-seahub-db.yaml.rmv

@@ -0,0 +1,10 @@
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: Database
+metadata:
+  name: seahub-db
+  namespace: seafile
+spec:
+  mariaDbRef:
+    name: seafile-mariadb
+  characterSet: utf8mb4
+  collate: utf8mb4_general_ci

gitops/home-kubernetes/seafile/mariadb-grant-seafile.yaml

@@ -0,0 +1,61 @@
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: Grant
+metadata:
+  name: all-privileges
+spec:
+  mariaDbRef:
+    name: seafile-mariadb
+  username: seafile
+  database: "*"
+  table: "*"
+  privileges:
+    - ALL PRIVILEGES
+  grantOption: true
+# ---
+# apiVersion: k8s.mariadb.com/v1alpha1
+# kind: Grant
+# metadata:
+#   name: seafile-grant
+#   namespace: seafile
+# spec:
+#   mariaDbRef:
+#     name: seafile-mariadb
+#   privileges:
+#     - ALL PRIVILEGES
+#   database: seafile-db
+#   table: "*"
+#   username: seafile
+#   host: "%"
+#   grantOption: false
+# ---
+# apiVersion: k8s.mariadb.com/v1alpha1
+# kind: Grant
+# metadata:
+#   name: seahub-grant
+#   namespace: seafile
+# spec:
+#   mariaDbRef:
+#     name: seafile-mariadb
+#   privileges:
+#     - ALL PRIVILEGES
+#   database: seahub-db
+#   table: "*"
+#   username: seafile
+#   host: "%"
+#   grantOption: false
+# ---
+# apiVersion: k8s.mariadb.com/v1alpha1
+# kind: Grant
+# metadata:
+#   name: ccnet-grant
+#   namespace: seafile
+# spec:
+#   mariaDbRef:
+#     name: seafile-mariadb
+#   privileges:
+#     - ALL PRIVILEGES
+#   database: ccnet-db
+#   table: "*"
+#   username: seafile
+#   host: "%"
+#   grantOption: false  

gitops/home-kubernetes/seafile/mariadb-user.yaml

@@ -0,0 +1,13 @@
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: User
+metadata:
+  name: seafile
+  namespace: seafile
+spec:
+  mariaDbRef:
+    name: seafile-mariadb
+  passwordSecretKeyRef:
+    name: seafile-secret
+    key: SEAFILE_MYSQL_DB_PASSWORD
+  maxUserConnections: 20
+  host: "%"

gitops/home-kubernetes/seafile/mariadb.yaml

@@ -0,0 +1,33 @@
+apiVersion: k8s.mariadb.com/v1alpha1
+kind: MariaDB
+metadata:
+  name: seafile-mariadb
+  namespace: seafile
+spec:
+  rootPasswordSecretKeyRef:
+    name: seafile-secret
+    key: INIT_SEAFILE_MYSQL_ROOT_PASSWORD
+
+  image: mariadb:11.4
+
+  port: 3306
+
+  storage:
+    size: 10Gi
+    # storageClassName: your-storage-class
+
+  resources:
+    requests:
+      cpu: 100m
+      memory: 256Mi
+    limits:
+      memory: 1Gi
+
+  myCnf: |
+    [mariadb]
+    bind-address=*
+    default_storage_engine=InnoDB
+    binlog_format=row
+    innodb_autoinc_lock_mode=2
+    innodb_buffer_pool_size=256M
+    max_allowed_packet=256M

gitops/home-kubernetes/seafile/memcached.yaml

@@ -0,0 +1,39 @@
+# apiVersion: apps/v1
+# kind: Deployment
+# metadata:
+#   name: seafile-memcached
+#   namespace: seafile
+# spec:
+#   replicas: 1
+#   selector:
+#     matchLabels:
+#       app: seafile-memcached
+#   template:
+#     metadata:
+#       labels:
+#         app: seafile-memcached
+#     spec:
+#       containers:
+#         - name: memcached
+#           image: memcached:1.6-alpine
+#           args: ["-m", "128"]  # 128MB memory limit
+#           ports:
+#             - containerPort: 11211
+#           resources:
+#             requests:
+#               memory: 64Mi
+#               cpu: 25m
+#             limits:
+#               memory: 192Mi
+# ---
+# apiVersion: v1
+# kind: Service
+# metadata:
+#   name: seafile-memcached
+#   namespace: seafile
+# spec:
+#   selector:
+#     app: seafile-memcached
+#   ports:
+#     - port: 11211
+#       targetPort: 11211

gitops/home-kubernetes/seafile/my-values.yaml.src

@@ -0,0 +1,67 @@
+seafile:
+  initMode: true
+
+  # The following are the configurations of seafile container
+  configs:
+    image: seafileltd/seafile-mc:13.0-latest 
+    seafileDataVolume: 
+      storage: 10Gi
+  
+  # The following are environments of seafile services
+  env:
+    # for Seafile server
+    TIME_ZONE: "UTC"
+    SEAFILE_LOG_TO_STDOUT: "true"
+    SITE_ROOT: "/"
+    SEAFILE_SERVER_HOSTNAME: "seafile.lab.home.hrajfrisbee.cz"
+    SEAFILE_SERVER_PROTOCOL: "https"
+
+    # for database
+    SEAFILE_MYSQL_DB_HOST: "seafile-mariadb"
+    SEAFILE_MYSQL_DB_PORT: "3306"
+    SEAFILE_MYSQL_DB_USER: "seafile"
+    SEAFILE_MYSQL_DB_CCNET_DB_NAME: "ccnet-db"
+    SEAFILE_MYSQL_DB_SEAFILE_DB_NAME: "seafile-db"
+    SEAFILE_MYSQL_DB_SEAHUB_DB_NAME: "seahub-db"
+
+    # for cache
+    CACHE_PROVIDER: "redis"
+
+    ## for redis
+    REDIS_HOST: "redis"
+    REDIS_PORT: "6379"
+
+    ## for memcached
+    #MEMCACHED_HOST: ""
+    #MEMCACHED_PORT: "11211"
+
+    # for notification
+    ENABLE_NOTIFICATION_SERVER: "false"
+    NOTIFICATION_SERVER_URL: ""
+
+    # for seadoc
+    ENABLE_SEADOC: "false"
+    SEADOC_SERVER_URL: "" # only valid in ENABLE_SEADOC = true
+
+    # for Seafile AI
+    ENABLE_SEAFILE_AI: "false"
+    SEAFILE_AI_SERVER_URL: ""
+
+    # for Metadata server
+    MD_FILE_COUNT_LIMIT: "100000"
+
+    # initialization (only valid in first-time deployment and initMode = true)
+
+    ## for Seafile admin
+    INIT_SEAFILE_ADMIN_EMAIL: "kacerr.cz@gmail.com"
+
+  # if you are using another secret name / key for seafile or mysql, please make correct the following fields:
+  #secretsMap:
+  #  DB_ROOT_PASSWD:  # Env's name
+  #    secret: seafile-secret # secret's name, `seafile-secret` if not specify
+  #    key: INIT_SEAFILE_MYSQL_ROOT_PASSWORD # secret's key, `Env's name` if not specify
+  
+  # extra configurations
+  extraResources: {}
+  extraEnv: []
+  extraVolumes: []

gitops/home-kubernetes/seafile/namespace.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  labels:
+    kubernetes.io/metadata.name: seafile
+  name: seafile

gitops/home-kubernetes/seafile/readme.md

@@ -0,0 +1,4 @@
+## deployment
+
+it looks like seafile deployment is not "straightforward" it first has to be started in `initialization mode` - `initMode: true` and after initialization switched into `normal` mode.
+

gitops/home-kubernetes/seafile/redis-full-deployment.yaml

@@ -0,0 +1,84 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: redis-config
+  namespace: seafile
+data:
+  redis.conf: |
+    maxmemory 128mb
+    maxmemory-policy allkeys-lru
+    appendonly yes
+    appendfsync everysec
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: redis
+  namespace: seafile
+  labels:
+    app: redis
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: redis
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app: redis
+    spec:
+      containers:
+        - name: redis
+          image: redis:7-alpine
+          args:
+            - redis-server
+            - /etc/redis/redis.conf
+          ports:
+            - containerPort: 6379
+              name: redis
+          resources:
+            requests:
+              cpu: 50m
+              memory: 64Mi
+            limits:
+              memory: 256Mi
+          volumeMounts:
+            - name: redis-config
+              mountPath: /etc/redis
+            - name: redis-data
+              mountPath: /data
+          livenessProbe:
+            exec:
+              command: [redis-cli, ping]
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          readinessProbe:
+            exec:
+              command: [redis-cli, ping]
+            initialDelaySeconds: 3
+            periodSeconds: 5
+      volumes:
+        - name: redis-config
+          configMap:
+            name: redis-config
+        - name: redis-data
+          emptyDir: {}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: redis
+  namespace: seafile
+  labels:
+    app: redis
+spec:
+  selector:
+    app: redis
+  ports:
+    - port: 6379
+      targetPort: 6379
+      name: redis
+  type: ClusterIP

kubernetes-kvm-terraform/nodes-on-beelink.tf

@@ -19,7 +19,7 @@ resource "libvirt_volume" "node_02_disk" {
       type = "qcow2"
     }
   }  
-  capacity       = 21474836480
+  capacity       = 53687091200
 }
 
 locals {

kubernetes-kvm-terraform/nodes-on-homer.tf

@@ -19,7 +19,7 @@ resource "libvirt_volume" "node_01_disk" {
       type = "qcow2"
     }
   }  
-  capacity       = 21474836480
+  capacity       = 53687091200
 }
 
 locals {
@@ -162,7 +162,8 @@ locals {
       - curl -fsSL https://download.docker.com/linux/ubuntu/gpg | gpg --dearmor -o /etc/apt/keyrings/docker.gpg
       - echo "deb [arch=amd64 signed-by=/etc/apt/keyrings/docker.gpg] https://download.docker.com/linux/ubuntu $(lsb_release -cs) stable" > /etc/apt/sources.list.d/docker.list
       - apt-get update && apt-get install -y containerd.io
-      - cat > /etc/containerd/config.toml <<'xEOF'
+      - |
+        cat > /etc/containerd/config.toml <<'CONTAINERD'
         version = 2
         [plugins."io.containerd.grpc.v1.cri".containerd.runtimes.runc]
           runtime_type = "io.containerd.runc.v2"
@@ -170,7 +171,7 @@ locals {
             SystemdCgroup = true
         [plugins."io.containerd.grpc.v1.cri".registry]
           config_path = "/etc/containerd/certs.d"
-        xEOF      
+        CONTAINERD
       - systemctl restart containerd
 
       # kubeadm/kubelet/kubectl v1.32

shadow/nginx-sites-enabled-default

@@ -0,0 +1,255 @@
+##
+# You should look at the following URL's in order to grasp a solid understanding
+# of Nginx configuration files in order to fully unleash the power of Nginx.
+# https://www.nginx.com/resources/wiki/start/
+# https://www.nginx.com/resources/wiki/start/topics/tutorials/config_pitfalls/
+# https://wiki.debian.org/Nginx/DirectoryStructure
+#
+# In most cases, administrators will remove this file from sites-enabled/ and
+# leave it as reference inside of sites-available where it will continue to be
+# updated by the nginx packaging team.
+#
+# This file will automatically load configuration files provided by other
+# applications, such as Drupal or Wordpress. These applications will be made
+# available underneath a path with that package name, such as /drupal8.
+#
+# Please see /usr/share/doc/nginx-doc/examples/ for more detailed examples.
+##
+
+
+# Default server configuration
+#
+server {
+	listen 80 default_server;
+	# listen [::]:80 default_server;
+
+	# SSL configuration
+	#
+	# listen 443 ssl default_server;
+	# listen [::]:443 ssl default_server;
+	#
+	# Note: You should disable gzip for SSL traffic.
+	# See: https://bugs.debian.org/773332
+	#
+	# Read up on ssl_ciphers to ensure a secure configuration.
+	# See: https://bugs.debian.org/765782
+	#
+	# Self signed certs generated by the ssl-cert package
+	# Don't use them in a production server!
+	#
+	# include snippets/snakeoil.conf;
+
+	root /var/www/html;
+
+	# Add index.php to the list if you are using PHP
+	index index.html index.htm index.nginx-debian.html;
+
+	server_name _;
+
+	location / {
+		# First attempt to serve request as file, then
+		# as directory, then fall back to displaying a 404.
+		try_files $uri $uri/ =404;
+	}
+
+	# pass PHP scripts to FastCGI server
+	#
+	#location ~ \.php$ {
+	#	include snippets/fastcgi-php.conf;
+	#
+	#	# With php-fpm (or other unix sockets):
+	#	fastcgi_pass unix:/run/php/php7.4-fpm.sock;
+	#	# With php-cgi (or other tcp sockets):
+	#	fastcgi_pass 127.0.0.1:9000;
+	#}
+
+	# deny access to .htaccess files, if Apache's document root
+	# concurs with nginx's one
+	#
+	#location ~ /\.ht {
+	#	deny all;
+	#}
+}
+
+server {
+	listen 80;
+	server_name *.lab.home.hrajfrisbee.cz;
+
+	location / {
+    		proxy_pass http://docker-30:9080;
+    		proxy_set_header Host $host;
+	}
+}
+
+
+
+server {
+	# listen [::]:80 default_server;
+
+	# SSL configuration
+	#
+	# listen 443 ssl default_server;
+	# listen [::]:443 ssl default_server;
+	#
+	# Note: You should disable gzip for SSL traffic.
+	# See: https://bugs.debian.org/773332
+	#
+	# Read up on ssl_ciphers to ensure a secure configuration.
+	# See: https://bugs.debian.org/765782
+	#
+	# Self signed certs generated by the ssl-cert package
+	# Don't use them in a production server!
+	#
+	# include snippets/snakeoil.conf;
+
+	root /var/www/html;
+
+	# Add index.php to the list if you are using PHP
+	index index.html index.htm index.nginx-debian.html;
+}
+
+server {
+	server_name teleport.hrajfrisbee.cz; # managed by Certbot
+	location / {
+		proxy_pass https://192.168.123.26:443;
+		proxy_set_header Host $http_host;
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_set_header X-Forwarded-Proto $scheme;
+
+		# WebSocket upgrade settings - CRITICAL for Teleport
+		proxy_http_version 1.1;
+		proxy_set_header Upgrade $http_upgrade;
+		proxy_set_header Connection "upgrade";
+
+		# Disable buffering, which can cause issues with real-time connections
+		proxy_buffering off;		
+	}
+
+    listen 8443 ssl; # managed by Certbot
+    ssl_certificate /etc/letsencrypt/live/teleport.hrajfrisbee.cz/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/teleport.hrajfrisbee.cz/privkey.pem; # managed by Certbot
+    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+}
+
+server {
+    if ($host = teleport.hrajfrisbee.cz) {
+        return 301 https://$host$request_uri;
+    } # managed by Certbot
+
+
+	listen 80 ;
+    server_name teleport.hrajfrisbee.cz;
+    return 404; # managed by Certbot
+
+
+}
+
+server {
+	root /var/www/html;
+	# Add index.php to the list if you are using PHP
+	index index.html index.htm index.nginx-debian.html;
+    server_name gitea.home.hrajfrisbee.cz; # managed by Certbot
+
+	location / {
+        proxy_pass http://docker-30:3000;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+	}
+
+	# Gitea Git over HTTP
+	client_max_body_size 512m;
+
+    listen 8443 ssl; # managed by Certbot
+    ssl_certificate /etc/letsencrypt/live/gitea.home.hrajfrisbee.cz/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/gitea.home.hrajfrisbee.cz/privkey.pem; # managed by Certbot
+    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+}
+server {
+    if ($host = gitea.home.hrajfrisbee.cz) {
+        return 301 https://$host$request_uri;
+    } # managed by Certbot
+
+
+	listen 80 ;
+    server_name gitea.home.hrajfrisbee.cz;
+    return 404; # managed by Certbot
+
+
+}
+
+server {
+    server_name idm.home.hrajfrisbee.cz; # managed by Certbot
+
+	location / {
+		proxy_pass https://docker-30:8443;
+		proxy_set_header Host $host;
+		proxy_set_header X-Real-IP $remote_addr;
+		proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+		proxy_set_header X-Forwarded-Proto $scheme;
+	}
+
+    listen 8443 ssl; # managed by Certbot
+    ssl_certificate /etc/letsencrypt/live/idm.home.hrajfrisbee.cz/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/idm.home.hrajfrisbee.cz/privkey.pem; # managed by Certbot
+    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+}
+server {
+    if ($host = idm.home.hrajfrisbee.cz) {
+        return 301 https://$host$request_uri;
+    } # managed by Certbot
+
+	listen 80 ;
+    server_name idm.home.hrajfrisbee.cz;
+    return 404; # managed by Certbot
+}
+
+
+server {
+
+	root /var/www/html;
+    server_name vault.hrajfrisbee.cz; # managed by Certbot
+	location / {
+		proxy_pass http://docker-30:8200;
+        proxy_set_header Host $host;
+        proxy_set_header X-Real-IP $remote_addr;
+        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+        proxy_set_header X-Forwarded-Proto $scheme;
+
+        # Required for Vault
+        proxy_buffering off;
+        proxy_request_buffering off;
+        proxy_http_version 1.1;
+        proxy_set_header Connection "";
+
+        # Timeouts for long-running ops
+        proxy_connect_timeout 300;
+        proxy_send_timeout 300;
+        proxy_read_timeout 300;	}
+
+    listen 8443 ssl; # managed by Certbot
+    ssl_certificate /etc/letsencrypt/live/vault.hrajfrisbee.cz/fullchain.pem; # managed by Certbot
+    ssl_certificate_key /etc/letsencrypt/live/vault.hrajfrisbee.cz/privkey.pem; # managed by Certbot
+    include /etc/letsencrypt/options-ssl-nginx.conf; # managed by Certbot
+    ssl_dhparam /etc/letsencrypt/ssl-dhparams.pem; # managed by Certbot
+
+}
+server {
+    if ($host = vault.hrajfrisbee.cz) {
+        return 301 https://$host$request_uri;
+    } # managed by Certbot
+
+	listen 80 ;
+    server_name vault.hrajfrisbee.cz;
+    return 404; # managed by Certbot
+
+
+}

shadow/nginx.conf

@@ -0,0 +1,107 @@
+user www-data;
+worker_processes auto;
+pid /run/nginx.pid;
+error_log /var/log/nginx/error.log;
+include /etc/nginx/modules-enabled/*.conf;
+
+events {
+	worker_connections 768;
+	# multi_accept on;
+}
+
+
+http {
+
+	##
+	# Basic Settings
+	##
+
+	sendfile on;
+	tcp_nopush on;
+	types_hash_max_size 2048;
+	# server_tokens off;
+
+	# server_names_hash_bucket_size 64;
+	# server_name_in_redirect off;
+
+	include /etc/nginx/mime.types;
+	default_type application/octet-stream;
+
+	##
+	# SSL Settings
+	##
+
+	ssl_protocols TLSv1 TLSv1.1 TLSv1.2 TLSv1.3; # Dropping SSLv3, ref: POODLE
+	ssl_prefer_server_ciphers on;
+
+	##
+	# Logging Settings
+	##
+
+	access_log /var/log/nginx/access.log;
+
+	##
+	# Gzip Settings
+	##
+
+	gzip on;
+
+	# gzip_vary on;
+	# gzip_proxied any;
+	# gzip_comp_level 6;
+	# gzip_buffers 16 8k;
+	# gzip_http_version 1.1;
+	# gzip_types text/plain text/css application/json application/javascript text/xml application/xml application/xml+rss text/javascript;
+
+	##
+	# Virtual Host Configs
+	##
+
+	include /etc/nginx/conf.d/*.conf;
+	include /etc/nginx/sites-enabled/*;
+}
+
+stream {
+    map $ssl_preread_server_name $backend {
+        # Passthrough to K8s
+        ~^.+\.lab\.home\.hrajfrisbee\.cz$    k8s_ingress;
+
+        default                               local_https;
+    }
+
+    upstream k8s_ingress {
+        server docker-30:9443;
+    }
+
+    upstream local_https {
+        server 127.0.0.1:8443;  # Loop back to http block
+    }
+
+    server {
+        listen 443;
+        ssl_preread on;
+        proxy_pass $backend;
+    }
+}
+
+
+#mail {
+#	# See sample authentication script at:
+#	# http://wiki.nginx.org/ImapAuthenticateWithApachePhpScript
+#
+#	# auth_http localhost/auth.php;
+#	# pop3_capabilities "TOP" "USER";
+#	# imap_capabilities "IMAP4rev1" "UIDPLUS";
+#
+#	server {
+#		listen     localhost:110;
+#		protocol   pop3;
+#		proxy      on;
+#	}
+#
+#	server {
+#		listen     localhost:143;
+#		protocol   imap;
+#		proxy      on;
+#	}
+#}

vagrant/k8s/loadbalancer-ip-pools.yaml

@@ -5,5 +5,5 @@ metadata:
   namespace: kube-system
 spec:
   cidrs:
-    - start: "192.168.0.31"
+    - start: "192.168.0.35"
       stop: "192.168.0.39"