feat(cryptpad): expose externally

2026-01-27 10:18:27 +00:00 · 2025-10-20 01:45:10 +08:00
parent 7fa18d66a6
commit 2d805066ed
2 changed files with 18 additions and 14 deletions
--- a/kube/deploy/apps/cryptpad/app/hr.yaml
+++ b/kube/deploy/apps/cryptpad/app/hr.yaml
@@ -1,4 +1,5 @@
 ---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/app-template-3.7.3/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
@@ -21,7 +22,7 @@ spec:
        replicas: 1
        pod:
          labels:
-            ingress.home.arpa/nginx-internal: allow
+            ingress.home.arpa/nginx-external: allow
            authentik.home.arpa/https: allow
            egress.home.arpa/github: allow
        containers:
@@ -42,10 +43,9 @@ spec:
            resources:
              requests:
                cpu: "10m"
-                memory: "128Mi"
              limits:
-                cpu: "3000m"
-                memory: "6Gi"
+                cpu: "1"
+                memory: "512Mi"
            probes:
              liveness:
                enabled: true
@@ -87,7 +87,10 @@ spec:
            appProtocol: http
    ingress:
      main:
-        className: nginx-internal
+        className: nginx-external
+        annotations:
+          external-dns.alpha.kubernetes.io/target: "${DNS_CF:=cf}"
+          external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
        hosts:
          - host: &host "${APP_DNS_CRYPTPAD:=cryptpad}"
            paths: &paths
@@ -136,15 +139,18 @@ spec:
      tmp:
        type: emptyDir
        medium: Memory
-        globalMounts:
-          - subPath: tmp
-            path: /tmp
+        sizeLimit: 100Mi
    defaultPodOptions:
      automountServiceAccountToken: false
      enableServiceLinks: false
      hostAliases:
        - ip: "${APP_IP_AUTHENTIK:=127.0.0.1}"
          hostnames: ["${APP_DNS_AUTHENTIK:=authentik}"]
+      dnsConfig:
+        options:
+          - name: ndots
+            value: "1"
+      hostUsers: false
      securityContext:
        runAsNonRoot: true
        runAsUser: &uid 4001 # upstream `cryptpad` user
--- a/kube/deploy/apps/cryptpad/ks.yaml
+++ b/kube/deploy/apps/cryptpad/ks.yaml
@@ -37,9 +37,7 @@ spec:
      SC: &sc "file"
      SNAP: *sc
      ACCESSMODE: "ReadWriteMany"
-      RUID: !!str &uid |
-        ${APP_UID_CRYPTPAD}
-      RGID: !!str |
-        ${APP_UID_CRYPTPAD}
-      RFSG: !!str |
-        ${APP_UID_CRYPTPAD}
+      RUID: &uid "4001"
+      RGID: *uid
+      RFSG: *uid
+      VS_APP_CURRENT_VERSION: docker.io/cryptpad/cryptpad:version-2024.6.1@sha256:601a3af0f7837de6683d6c25dca55597b4f2671ac0e9b51e70e5f8fd1c7aa981