From 2d805066ed8fc967f003e7574ff9d6754052f0e7 Mon Sep 17 00:00:00 2001
From: JJGadgets <git@jjgadgets.tech>
Date: Mon, 20 Oct 2025 01:45:10 +0800
Subject: [PATCH] feat(cryptpad): expose externally

---
 kube/deploy/apps/cryptpad/app/hr.yaml | 22 ++++++++++++++--------
 kube/deploy/apps/cryptpad/ks.yaml     | 10 ++++------
 2 files changed, 18 insertions(+), 14 deletions(-)

diff --git a/kube/deploy/apps/cryptpad/app/hr.yaml b/kube/deploy/apps/cryptpad/app/hr.yaml
index 42cdf625..e65018ba 100644
--- a/kube/deploy/apps/cryptpad/app/hr.yaml
+++ b/kube/deploy/apps/cryptpad/app/hr.yaml
@@ -1,4 +1,5 @@
 ---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/app-template-3.7.3/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
@@ -21,7 +22,7 @@ spec:
         replicas: 1
         pod:
           labels:
-            ingress.home.arpa/nginx-internal: allow
+            ingress.home.arpa/nginx-external: allow
             authentik.home.arpa/https: allow
             egress.home.arpa/github: allow
         containers:
@@ -42,10 +43,9 @@ spec:
             resources:
               requests:
                 cpu: "10m"
-                memory: "128Mi"
               limits:
-                cpu: "3000m"
-                memory: "6Gi"
+                cpu: "1"
+                memory: "512Mi"
             probes:
               liveness:
                 enabled: true
@@ -87,7 +87,10 @@ spec:
             appProtocol: http
     ingress:
       main:
-        className: nginx-internal
+        className: nginx-external
+        annotations:
+          external-dns.alpha.kubernetes.io/target: "${DNS_CF:=cf}"
+          external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
         hosts:
           - host: &host "${APP_DNS_CRYPTPAD:=cryptpad}"
             paths: &paths
@@ -136,15 +139,18 @@ spec:
       tmp:
         type: emptyDir
         medium: Memory
-        globalMounts:
-          - subPath: tmp
-            path: /tmp
+        sizeLimit: 100Mi
     defaultPodOptions:
       automountServiceAccountToken: false
       enableServiceLinks: false
       hostAliases:
         - ip: "${APP_IP_AUTHENTIK:=127.0.0.1}"
           hostnames: ["${APP_DNS_AUTHENTIK:=authentik}"]
+      dnsConfig:
+        options:
+          - name: ndots
+            value: "1"
+      hostUsers: false
       securityContext:
         runAsNonRoot: true
         runAsUser: &uid 4001 # upstream `cryptpad` user
diff --git a/kube/deploy/apps/cryptpad/ks.yaml b/kube/deploy/apps/cryptpad/ks.yaml
index f81cf1da..3d0ac40a 100644
--- a/kube/deploy/apps/cryptpad/ks.yaml
+++ b/kube/deploy/apps/cryptpad/ks.yaml
@@ -37,9 +37,7 @@ spec:
       SC: &sc "file"
       SNAP: *sc
       ACCESSMODE: "ReadWriteMany"
-      RUID: !!str &uid |
-        ${APP_UID_CRYPTPAD}
-      RGID: !!str |
-        ${APP_UID_CRYPTPAD}
-      RFSG: !!str |
-        ${APP_UID_CRYPTPAD}
+      RUID: &uid "4001"
+      RGID: *uid
+      RFSG: *uid
+      VS_APP_CURRENT_VERSION: docker.io/cryptpad/cryptpad:version-2024.6.1@sha256:601a3af0f7837de6683d6c25dca55597b4f2671ac0e9b51e70e5f8fd1c7aa981