github-personal/Biohazard
1
0
Fork 0
mirror of https://github.com/outbackdingo/Biohazard.git synced 2026-01-27 10:18:27 +00:00
Code Issues Packages Projects Releases Wiki Activity

feat(renovate): add GHCR private packages support

Browse Source
This commit is contained in:
JJGadgets
2024-12-13 18:27:25 +08:00
parent c251981c99
commit e425ce229d
2 changed files with 434 additions and 1 deletions
Download Patch File Download Diff File Expand all files Collapse all files

7
.github/workflows/renovate.yaml vendored
View File

@@ -51,13 +51,18 @@ env:
RENOVATE_AUTODISCOVER_FILTER: "${{ github.repository }}" # this is to prevent forks from running Renovate against upstream repo
RENOVATE_USERNAME: "${{ secrets.BOT_USERNAME }}[bot]"
RENOVATE_GIT_AUTHOR: "${{ secrets.BOT_USERNAME }} <${{ secrets.BOT_API_ID }}+${{ secrets.BOT_USERNAME }}[bot]@users.noreply.github.com>" # get $BOT_API_ID from `curl -s 'https://api.github.com/users/$(BOT_USERNAME)%5Bbot%5D' | yq .id`
RENOVATE_REPOSITORY_CACHE: "enabled"
RENOVATE_DETECT_HOST_RULES_FROM_ENV: true # private registries/repos
DOCKER_GHCR_IO_USERNAME: "${{ github.actor }}"
DOCKER_GHCR_IO_PASSWORD: "${{ secrets.GITHUB_TOKEN }}"
RENOVATE_REPOSITORY_CACHE: "enabled" # hopefully speed up Renovate
GH_CACHE_DIR: "/tmp/renovate/cache/renovate/repository"
jobs:
renovate:
name: Renovate
runs-on: ubuntu-latest
permissions:
packages: read # for private GHCR packages
steps:
- name: "Generate Short Lived OAuth App Token (ghs_*)"
uses: actions/create-github-app-token@5d869da34e18e7287c1daad50e0b8ea0f506ce69 # v1.11.0

428
kube/deploy/apps/nextcloud/app/hr.yaml Normal file
View File

@@ -0,0 +1,428 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
name: &app nextcloud
namespace: *app
spec:
timeout: 1h
chart:
spec:
chart: app-template
version: 2.6.0
sourceRef:
name: bjw-s
kind: HelmRepository
namespace: flux-system
values:
controllers:
main:
type: statefulset
replicas: 1
pod:
labels:
ingress.home.arpa/nginx-internal: "allow"
egress.home.arpa/world: "allow" # TODO: tighten this
# s3.home.arpa/store: "rgw-${CLUSTER_NAME}"
containers:
main:
image: &ncimg
repository: "ghcr.io/jjgadgets/nextcloud"
tag: "27.1.3-fpm"
env: &env
TZ: "${CONFIG_TZ}"
NC_DOMAIN: &host "${APP_DNS_NEXTCLOUD}"
NC_VERSION: "27.1.3"
NEXTCLOUD_DATA_DIR: "/ceph/data"
NEXTCLOUD_TRUSTED_DOMAINS: *host
POSTGRES_HOST:
valueFrom:
secretKeyRef:
name: &pgsec "pg-nextcloud-pguser-nextcloud"
key: "host"
POSTGRES_DB:
valueFrom:
secretKeyRef:
name: *pgsec
key: "dbname"
POSTGRES_USER:
valueFrom:
secretKeyRef:
name: *pgsec
key: "user"
POSTGRES_PASSWORD:
valueFrom:
secretKeyRef:
name: *pgsec
key: "password"
envFrom: &envFrom
- secretRef:
name: "nextcloud-secrets"
securityContext: &sc
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
probes:
startup:
enabled: true
type: TCP
spec:
initialDelaySeconds: 5
timeoutSeconds: 1
periodSeconds: 1
failureThreshold: 7200 # 2 hours
resources:
requests:
cpu: 10m
memory: 128Mi
limits:
memory: 6000Mi
web: # just a static web server
image:
repository: "gcr.io/distroless/static-debian12"
tag: "latest" # screw version controlling a static web server, always tinfoil with latest version!
# command: ["/caddy/caddy", "file-server", "--listen", ":8080", "--root", "/var/www/html"]
command: ["/caddy/caddy", "run", "--config", "/Caddyfile"]
securityContext: *sc
resources:
requests:
cpu: 10m
memory: 32Mi
limits:
memory: 256Mi
redis:
image:
repository: "public.ecr.aws/docker/library/redis"
tag: "7.2.4-bookworm@sha256:8a4aaf84f31a637cb4e88b82f64d898448ed2e1eabbd8484eb202a492cc98c63"
command: ["redis-server", "--port", "0", "--bind", "127.0.0.1", "--unixsocket", "/sockets/redis.sock", "--unixsocketperm", "700"]
securityContext: *sc
resources:
requests:
cpu: 10m
memory: 32Mi
limits:
memory: 256Mi
# push:
# image: *ncimg
# command: ["/var/www/html/custom_apps/notify_push/bin/x86_64/notify_push", "/var/www/html/config/redis.php"]
# env:
# PORT: &push "7867"
# NEXTCLOUD_URL: "https://${APP_DNS_NEXTCLOUD}"
# DATABASE_PREFIX: "oc"
# DATABASE_URL:
# valueFrom:
# secretKeyRef:
# name: *pgsec
# key: "uri"
# securityContext: *sc
# resources:
# requests:
# cpu: 10m
# memory: 32Mi
# limits:
# memory: 256Mi
statefulset:
volumeClaimTemplates:
- name: "data"
accessMode: ReadWriteOnce
size: 100Gi
storageClass: block
advancedMounts:
main:
- subPath: nextcloud
path: /var/www/html
- subPath: config
path: /var/www/html/config
- subPath: data
path: /ceph
# push:
# - subPath: nextcloud
# path: /var/www/html
# readOnly: true
web:
- subPath: nextcloud
path: /var/www/html
readOnly: true
initContainers:
# 01-cp-config:
# image: *ncimg
# command: ["/bin/sh", "-c", "cp /nc-config/config.php /var/www/html/config/config.php; chmod 0400 /var/www/html/config/config.php"]
# securityContext: *sc
02-caddy:
image:
repository: "public.ecr.aws/docker/library/caddy"
tag: "latest"
command: ["/bin/sh", "-c", "cp /usr/bin/caddy /caddy/caddy"]
securityContext: *sc
# 01-init-db:
# image: "ghcr.io/onedr0p/postgres-init:14.8"
# imagePullPolicy: IfNotPresent
# envFrom: [secretRef: {name: "nextcloud-pg-superuser"}]
service:
main:
ports:
http:
primary: false
port: 8080
fpm:
primary: true
port: 9000
# push:
# port: *push
ingress:
main: &ingress
enabled: true
primary: false
className: "nginx-internal"
hosts:
- host: *host
paths:
- &path
path: /
pathType: Prefix
service:
name: main
port: http
tls:
- hosts:
- *host
# fpm:
# <<: *ingress
# primary: true
# annotations: &fpm-anno
# nginx.ingress.kubernetes.io/use-regex: "true"
# nginx.ingress.kubernetes.io/backend-protocol: "FCGI"
# nginx.ingress.kubernetes.io/fastcgi-index: "index.php"
# nginx.ingress.kubernetes.io/fastcgi-params-configmap: "nextcloud/nextcloud-ingress-nginx-fastcgi"
# hosts:
# - host: *host
# paths:
# - path: "/.*\\.php(/|$)(.*)"
# pathType: ImplementationSpecific
# service:
# name: main
# port: fpm
# push:
# <<: *ingress
# annotations:
# nginx.ingress.kubernetes.io/use-regex: "true"
# nginx.ingress.kubernetes.io/rewrite-target: "/$2"
# hosts:
# - host: *host
# paths:
# - path: "/push(/|$)(.*)"
# pathType: ImplementationSpecific
# service:
# name: main
# port: push
dav:
<<: *ingress
annotations:
nginx.ingress.kubernetes.io/permanent-redirect: "/remote.php/dav/"
nginx.ingress.kubernetes.io/permanent-redirect-code: "301"
hosts:
- host: *host
paths:
- <<: *path
path: "/.well-known/carddav"
- <<: *path
path: "/.well-known/caldav"
well-known:
<<: *ingress
annotations:
nginx.ingress.kubernetes.io/permanent-redirect: "/index.php$request_uri"
nginx.ingress.kubernetes.io/permanent-redirect-code: "301"
hosts:
- host: *host
paths:
- <<: *path
path: "/.well-known"
persistence:
config:
enabled: true
type: configMap
name: "nextcloud-config"
advancedMounts:
main:
# 01-cp-config:
# - path: "/nc-config"
# readOnly: true
main:
# - path: "/nc-config"
- subPath: "config.php"
path: "/var/www/html/config/jj.config.php"
readOnly: true
# push:
# - path: "/var/www/html/config"
# readOnly: true
# caddy:
# enabled: true
# type: configMap
# name: "nextcloud-caddy"
# advancedMounts:
# main:
web:
- subPath: "Caddyfile"
path: "/Caddyfile"
readOnly: true
secrets:
enabled: true
type: secret
name: "nextcloud-secrets"
advancedMounts:
main:
main:
- subPath: "secrets.config.php"
path: "/var/www/html/config/secrets.config.php"
readOnly: true
nas:
enabled: true
existingClaim: "nextcloud-nas-data"
advancedMounts:
main:
# 01-cp-config:
# - subPath: "config"
# path: "/var/www/html/config"
main:
- subPath: "data"
path: "/nas"
# - subPath: "config"
# path: "/var/www/html/config"
tmp:
enabled: true
type: emptyDir
medium: Memory
advancedMounts:
main:
# 01-cp-config:
# - &cfgmnt
# subPath: "config"
# path: "/var/www/html/config"
main:
- subPath: "nextcloud"
path: "/tmp"
# - <<: *cfgmnt
# readOnly: true
- &sockmnt
subPath: "sockets"
path: "/sockets"
# push:
# - subPath: "nextcloud"
# path: "/tmp"
# - *sockmnt
redis:
- subPath: "redis-tmp"
path: "/tmp"
- subPath: "redis-data"
path: "/data" # for interval RDB saving
- *sockmnt
web:
- subPath: "caddy"
path: "/caddy"
readOnly: true
02-caddy:
- subPath: "caddy"
path: "/caddy"
configMaps:
config:
enabled: true
data:
config.php: |-
<?php
$CONFIG = array (
'datadirectory' => '/ceph/data',
'overwrite.cli.url' => 'https://${APP_DNS_NEXTCLOUD}',
'overwriteprotocol' => 'https',
'default_phone_region' => 'SG',
'dbtype' => 'pgsql',
'dbhost' => getenv('POSTGRES_HOST'),
'dbport' => '5432',
'dbname' => getenv('POSTGRES_DB'),
'dbuser' => getenv('POSTGRES_USER'),
'dbpassword' => getenv('POSTGRES_PASSWORD'),
'dbtableprefix' => 'oc_',
'memcache.local' => '\\OC\\Memcache\\APCu',
'memcache.distributed' => '\\OC\\Memcache\\Redis',
'memcache.locking' => '\\OC\\Memcache\\Redis',
'redis' =>
array (
'host' => '/sockets/redis.sock',
'port' => 0,
),
'trusted_domains' =>
array (
0 => '${APP_DNS_NEXTCLOUD}',
1 => 'localhost',
2 => '127.0.0.1',
),
'trusted_proxies' =>
array (
0 => '${IP_POD_CIDR_V4}',
1 => '127.0.0.1',
),
'apps_paths' =>
array (
0 =>
array (
'path' => '/var/www/html/apps',
'url' => '/apps',
'writable' => false,
),
1 =>
array (
'path' => '/var/www/html/custom_apps',
'url' => '/custom_apps',
'writable' => true,
),
),
);
# redis.php: |
# <?php
# $CONFIG = array (
# 'memcache.local' => '\\OC\\Memcache\\APCu',
# 'memcache.distributed' => '\\OC\\Memcache\\Redis',
# 'memcache.locking' => '\\OC\\Memcache\\Redis',
# 'redis' =>
# array (
# 'host' => '/sockets/redis.sock',
# 'port' => 0,
# ),
# );
# caddy:
# enabled: true
# data:
Caddyfile: |
{
http_port 8080
https_port 8443
}
${APP_DNS_NEXTCLOUD}:8080 {
header Strict-Transport-Security "max-age=15768000;preload"
redir /.well-known/carddav /remote.php/dav 301
redir /.well-known/caldav /remote.php/dav 301
root * /var/www/html
encode zstd gzip
php_fastcgi 127.0.0.1:9000 {
root /var/www/html
env front_controller_active true
trusted_proxies ${IP_POD_CIDR_V4}
}
file_server
}
ingress-nginx-fastcgi:
enabled: true
data:
SCRIPT_FILENAME: "/var/www/html/$fastcgi_script_name"
PATH_INFO: "$fastcgi_path_info"
modHeadersAvailable: "true"
front_controller_active: "true"
defaultPodOptions:
automountServiceAccountToken: false
securityContext:
runAsUser: &uid 33
runAsGroup: *uid
fsGroup: *uid
runAsNonRoot: false
seccompProfile: {type: "RuntimeDefault"}
fsGroupChangePolicy: "Always"