henry/HomeLabScripts
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: henry:95eb12797dff763f6d0d8ba398716cd5241cdaa3
Branches Tags
henry:main
...
compare: henry:main
Branches Tags
henry:main

3 Commits
95eb12797d ... main

Author SHA1 Message Date
Henry Winkel
2ea9f3973f ADD: addend gitlab 2026-03-12 14:23:02 +01:00
Henry Winkel
f0a02c3740 ADD: added working nextcloud version 2026-03-02 20:49:50 +01:00
Henry Winkel
f0c47beaad ADD: added nextcloud 2026-02-27 20:54:54 +01:00
30 changed files with 1375 additions and 33 deletions
Expand all files Collapse all files

2
k3s/apps/Nextcloud/README.md Normal file
View File

@@ -0,0 +1,2 @@
smb user nextcloud
smb pass qCPJgc7C

156
k3s/apps/Nextcloud/helm/cleanRestart.sh Executable file
View File

@@ -0,0 +1,156 @@
#!/usr/bin/env bash
set -euo pipefail
# Konfiguration (anpassen falls nötig)
NAMESPACE="nextcloud"
RELEASE="nextcloud"
CHART="nextcloud/nextcloud"
VALUES_FILE="values-nextcloud.yaml"
SMB_SCRIPT_FILE="install-smb.sh"
CONFIGMAP_NAME="smb-install-script"
HELM_REPO_NAME="nextcloud"
HELM_REPO_URL="https://nextcloud.github.io/helm/"
WAIT_TIMEOUT="600s" # Timeout für Pod-Readiness (10m)
# Hilfsfunktionen
err() { echo "ERROR: $*" >&2; exit 1; }
info() { echo "INFO: $*"; }
confirm() {
echo
echo "!!! Achtung: Das Skript wird das Helm-Release '$RELEASE' im Namespace '$NAMESPACE' deinstallieren"
echo " und alle zugehörigen PersistentVolumeClaims (PVCs) löschen. Daten gehen verloren!"
echo
read -p "Tippe DELETE um fortzufahren (oder STRG-C zum Abbrechen): " ans
if [ "$ans" != "DELETE" ]; then
echo "Abgebrochen."
exit 0
fi
}
check_tools() {
command -v kubectl >/dev/null 2>&1 || err "kubectl ist nicht installiert oder nicht in PATH"
command -v helm >/dev/null 2>&1 || err "helm ist nicht installiert oder nicht in PATH"
}
create_namespace_if_missing() {
if ! kubectl get namespace "$NAMESPACE" >/dev/null 2>&1; then
info "Namespace $NAMESPACE existiert nicht — wird angelegt"
kubectl create namespace "$NAMESPACE"
else
info "Namespace $NAMESPACE existiert"
fi
}
uninstall_release() {
if helm -n "$NAMESPACE" status "$RELEASE" >/dev/null 2>&1; then
info "Helm-Release '$RELEASE' gefunden -> deinstalliere..."
helm -n "$NAMESPACE" uninstall "$RELEASE"
info "Warte bis alle Pods des Releases entfernt sind..."
# Warte bis keine Pods mehr mit dem Release-Label vorhanden sind
for i in $(seq 1 60); do
sleep 2
COUNT=$(kubectl -n "$NAMESPACE" get pods -l app.kubernetes.io/instance="$RELEASE" --no-headers 2>/dev/null | wc -l || true)
if [ "$COUNT" -eq 0 ]; then
break
fi
echo -n "."
done
echo
else
info "Kein bestehendes Helm-Release '$RELEASE' gefunden"
fi
}
delete_pvcs() {
# Liste PVCs, die zum Release gehören (Label app.kubernetes.io/instance)
PVCS=$(kubectl -n "$NAMESPACE" get pvc -l app.kubernetes.io/instance="$RELEASE" -o jsonpath='{.items[*].metadata.name}' || true)
if [ -z "$PVCS" ]; then
info "Keine PVCs mit Label app.kubernetes.io/instance=$RELEASE gefunden"
return
fi
info "Folgende PVCs werden gelöscht: $PVCS"
kubectl -n "$NAMESPACE" delete pvc $PVCS
info "Warte auf Löschung der PVCs..."
for pvc in $PVCS; do
kubectl -n "$NAMESPACE" wait --for=delete pvc/"$pvc" --timeout=120s || true
done
}
recreate_configmap() {
if [ ! -f "$SMB_SCRIPT_FILE" ]; then
err "SMB-Script '$SMB_SCRIPT_FILE' fehlt. Lege die Datei an oder passe \$SMB_SCRIPT_FILE an."
fi
info "Erstelle/aktualisiere ConfigMap $CONFIGMAP_NAME aus $SMB_SCRIPT_FILE"
kubectl -n "$NAMESPACE" create configmap "$CONFIGMAP_NAME" --from-file="$SMB_SCRIPT_FILE" -o yaml --dry-run=client | kubectl apply -f -
}
add_helm_repo() {
# Add repo if not exists
if ! helm repo list | awk '{print $1}' | grep -xq "$HELM_REPO_NAME"; then
info "Füge Helm-Repo $HELM_REPO_NAME hinzu"
helm repo add "$HELM_REPO_NAME" "$HELM_REPO_URL"
fi
helm repo update
}
install_release() {
if [ ! -f "$VALUES_FILE" ]; then
err "Values-File '$VALUES_FILE' nicht gefunden. Abbruch."
fi
info "Installiere Helm-Release '$RELEASE' mit values '$VALUES_FILE'"
helm upgrade --install "$RELEASE" "$CHART" -n "$NAMESPACE" -f "$VALUES_FILE"
}
wait_pods_ready() {
info "Warte bis alle Pods des Releases ready sind (Timeout $WAIT_TIMEOUT)..."
# Warte auf Ready-Bedingung für alle Pods mit dem instance-Label
if ! kubectl -n "$NAMESPACE" wait --for=condition=Ready pod -l app.kubernetes.io/instance="$RELEASE" --all --timeout="$WAIT_TIMEOUT"; then
echo "WARNUNG: Nicht alle Pods sind innerhalb des Timeouts ready. Aktuelle Pods:"
kubectl -n "$NAMESPACE" get pods -o wide
return 1
fi
info "Alle Pods sind ready."
}
post_checks() {
info "Prüfe smbclient im Nextcloud-Container (falls Pod läuft)..."
POD=$(kubectl -n "$NAMESPACE" get pod -l app.kubernetes.io/instance="$RELEASE",app.kubernetes.io/component=app -o jsonpath='{.items[0].metadata.name}' 2>/dev/null || true)
if [ -n "$POD" ]; then
kubectl -n "$NAMESPACE" exec -it "$POD" -- sh -c 'command -v smbclient && smbclient -V || echo "smbclient nicht gefunden"'
else
info "Nextcloud-App-Pod nicht gefunden (noch nicht gestartet)."
fi
info "Führe 'occ files_external:backends' aus (falls Pod läuft)..."
if [ -n "$POD" ]; then
kubectl -n "$NAMESPACE" exec -it "$POD" -- sh -c 'php /var/www/html/occ files_external:backends || true'
fi
}
main() {
check_tools
confirm
create_namespace_if_missing
uninstall_release
delete_pvcs
# recreate_configmap
# add_helm_repo
# install_release
# # Warte auf Pods
# if ! wait_pods_ready; then
# info "Einige Pods sind möglicherweise nicht ready. Schaue in die Logs:"
# kubectl -n "$NAMESPACE" get pods
# kubectl -n "$NAMESPACE" logs -l app.kubernetes.io/instance="$RELEASE" --tail=100 || true
# fi
# post_checks
echo
echo "Fertig. Prüfe die Nextcloud-WebUI und gegebenenfalls die External Storage Einstellungen."
}
main "$@"

20
k3s/apps/Nextcloud/helm/install-smb.sh Normal file
View File

@@ -0,0 +1,20 @@
#!/bin/sh
set -eux
# Installiere SMB Tools in einem Init-Container und kopiere sie in ein shared Volume,
# damit der Nextcloud-Container smbclient nutzen kann.
apt-get update
apt-get install -y --no-install-recommends smbclient libsmbclient-dev libwbclient0 ca-certificates
mkdir -p /opt/smb-tools/bin /opt/smb-tools/lib
# Binary
cp -a /usr/bin/smbclient /opt/smb-tools/bin/
# Libraries (best effort; Pfade können je nach Debian-Release leicht variieren)
cp -a /usr/lib/x86_64-linux-gnu/libsmbclient.so* /opt/smb-tools/lib/ || true
cp -a /usr/lib/x86_64-linux-gnu/libwbclient.so* /opt/smb-tools/lib/ || true
# Debug-Ausgabe
/opt/smb-tools/bin/smbclient -V || true
ls -la /opt/smb-tools/bin /opt/smb-tools/lib || true

58
k3s/apps/Nextcloud/helm/values-nextcloud.yaml Normal file
View File

@@ -0,0 +1,58 @@
# Chart-internes Persistence deaktivieren (nicht ganzes Webroot mounten)
persistence:
enabled: false
# Nextcloud Config
nextcloud:
host: 192.168.178.138
username: admin
password: admin
datadir: /data
trustedDomains:
- 192.168.178.138
- nextcloud.lan
- knode0
# PodSecurityContext wichtig für NFS (www-data ist UID/GID 33)
podSecurityContext:
fsGroup: 33
# Extra Volume nur für /data mounten
extraVolumes:
- name: nextcloud-data
persistentVolumeClaim:
claimName: nextcloud-data-pvc
extraVolumeMounts:
- name: nextcloud-data
mountPath: /data
# MariaDB intern
internalDatabase:
enabled: false
mariadb:
enabled: true
architecture: standalone
auth:
database: nextcloud
username: nextcloud
password: nextcloud
rootPassword: "123456"
primary:
persistence:
enabled: true
storageClass: local-path
size: 10Gi
# Redis
redis:
enabled: true
auth:
enabled: true
password: redis
master:
persistence:
enabled: true
storageClass: local-path
size: 1Gi

91
k3s/apps/Nextcloud/helm/values-nextcloud.yaml.bac Normal file
View File

@@ -0,0 +1,91 @@
global:
security:
allowInsecureImages: true
image:
registry: docker.io
repository: library/nextcloud
flavor: apache
tag: "33.0.0-apache"
pullPolicy: IfNotPresent
service:
type: NodePort
port: 80
nodePort: 30180
internalDatabase:
enabled: false
nextcloud:
username: "admin"
password: "admin"
host: "192.168.178.138"
trustedDomains:
- "192.168.178.138"
- "nextcloud.lan"
- "knode0"
persistence:
enabled: true
storageClass: local-path
accessMode: ReadWriteOnce
size: 5Gi
# --- SMB "Nachinstallation" via ConfigMap + initContainer ---
extraVolumes:
- name: smb-tools
emptyDir: {}
- name: smb-install-script
configMap:
name: smb-install-script
defaultMode: 0755
extraVolumeMounts:
- name: smb-tools
mountPath: /opt/smb-tools
- name: smb-install-script
mountPath: /scripts
extraInitContainers:
- name: install-smbclient
image: debian:bookworm-slim
imagePullPolicy: IfNotPresent
command: ["sh", "/scripts/install-smb.sh"]
volumeMounts:
- name: smb-tools
mountPath: /opt/smb-tools
- name: smb-install-script
mountPath: /scripts
extraEnv:
- name: PATH
value: "/opt/smb-tools/bin:/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin"
- name: LD_LIBRARY_PATH
value: "/opt/smb-tools/lib"
mariadb:
enabled: true
architecture: standalone
auth:
database: nextcloud
username: nextcloud
password: "nextcloud"
rootPassword: "nextcloud"
primary:
persistence:
enabled: true
storageClass: local-path
size: 10Gi
redis:
enabled: true
auth:
enabled: true
password: "redis"
master:
persistence:
enabled: true
storageClass: local-path
size: 1Gi

13
k3s/apps/Nextcloud/manifest/collabora-clusterip.yaml Normal file
View File

@@ -0,0 +1,13 @@
apiVersion: v1
kind: Service
metadata:
name: collabora
namespace: nextcloud
spec:
selector:
app: collabora
ports:
- port: 9980
targetPort: 9980
protocol: TCP
type: ClusterIP

33
k3s/apps/Nextcloud/manifest/collabora-deployment.yaml Normal file
View File

@@ -0,0 +1,33 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: collabora
namespace: nextcloud
spec:
replicas: 1
selector:
matchLabels:
app: collabora
template:
metadata:
labels:
app: collabora
spec:
containers:
- name: collabora
image: collabora/code:latest
imagePullPolicy: Always
ports:
- containerPort: 9980
env:
- name: domain
value: "henryathome.home64.de"
- name: extra_params
value: "--o:ssl.enable=false --o:ssl.termination=true"
resources:
requests:
memory: "1Gi"
cpu: "500m"
limits:
memory: "4Gi"
cpu: "2"

13
k3s/apps/Nextcloud/manifest/collabora-service.yaml Normal file
View File

@@ -0,0 +1,13 @@
apiVersion: v1
kind: Service
metadata:
name: collabora-nodeport
namespace: nextcloud
spec:
type: NodePort
selector:
app: collabora
ports:
- port: 9980
targetPort: 9980
nodePort: 30980

44
k3s/apps/Nextcloud/manifest/mariadb-deployment.yaml Normal file
View File

@@ -0,0 +1,44 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: mariadb
namespace: nextcloud
spec:
replicas: 1
selector:
matchLabels:
app: mariadb
template:
metadata:
labels:
app: mariadb
spec:
containers:
- name: mariadb
image: mariadb:10.8
imagePullPolicy: IfNotPresent
env:
- name: MYSQL_ROOT_PASSWORD
value: "123456"
- name: MYSQL_DATABASE
value: nextcloud
- name: MYSQL_USER
value: nextcloud
- name: MYSQL_PASSWORD
value: nextcloud
ports:
- containerPort: 3306
resources:
requests:
memory: "256Mi"
cpu: "250m"
limits:
memory: "512Mi"
cpu: "500m"
volumeMounts:
- name: mariadb-data
mountPath: /var/lib/mysql
volumes:
- name: mariadb-data
persistentVolumeClaim:
claimName: nextcloud-mariadb-pvc

32
k3s/apps/Nextcloud/manifest/mariadb-pv-pvc.yaml Normal file
View File

@@ -0,0 +1,32 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-mariadb-pvc
namespace: nextcloud
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 10Gi
storageClassName: local-path # <-- explicit default StorageClass
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: nextcloud-mariadb-pv
labels:
app: mariadb
spec:
capacity:
storage: 10Gi
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
storageClassName: local-path
claimRef:
namespace: nextcloud
name: nextcloud-mariadb-pvc
hostPath:
path: /var/lib/nextcloud/mariadb-data
type: DirectoryOrCreate

11
k3s/apps/Nextcloud/manifest/mariadb-service.yaml Normal file
View File

@@ -0,0 +1,11 @@
apiVersion: v1
kind: Service
metadata:
name: mariadb
namespace: nextcloud
spec:
selector:
app: mariadb
ports:
- port: 3306
targetPort: 3306

31
k3s/apps/Nextcloud/manifest/nextcloud-apps-pv-pvc.yaml Normal file
View File

@@ -0,0 +1,31 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-apps-pvc
namespace: nextcloud
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
volumeName: nextcloud-apps-pv
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: nextcloud-apps-pv
labels:
app: nextcloud
spec:
capacity:
storage: 1Gi
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
claimRef:
namespace: nextcloud
name: nextcloud-apps-pvc
hostPath:
path: /var/lib/nextcloud/custom_apps
type: DirectoryOrCreate

32
k3s/apps/Nextcloud/manifest/nextcloud-config-pv-pvc.yaml Normal file
View File

@@ -0,0 +1,32 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-config-pvc
namespace: nextcloud
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 5Gi
storageClassName: local-path # match mariadb local-path style
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: pv-nextcloud-config
labels:
app: nextcloud
spec:
capacity:
storage: 5Gi
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
storageClassName: local-path
claimRef:
namespace: nextcloud
name: nextcloud-config-pvc
hostPath:
path: /var/lib/nextcloud/nextcloud-config
type: DirectoryOrCreate

21
k3s/apps/Nextcloud/manifest/nextcloud-cron-job.yaml Normal file
View File

@@ -0,0 +1,21 @@
apiVersion: batch/v1
kind: CronJob
metadata:
name: nextcloud-webcron
namespace: nextcloud
spec:
schedule: "*/5 * * * *" # alle 5 Minuten
successfulJobsHistoryLimit: 3
failedJobsHistoryLimit: 3
jobTemplate:
spec:
activeDeadlineSeconds: 300
template:
spec:
restartPolicy: Never
containers:
- name: webcron
image: curlimages/curl:8.5.0
command: ["/bin/sh", "-c"]
args:
- 'until curl -fsS http://nextcloud.nextcloud.svc.cluster.local/status.php; do echo "waiting for nextcloud..."; sleep 5; done; curl -s -o /dev/null -w "%{http_code}\n" http://nextcloud.nextcloud.svc.cluster.local/cron.php'

79
k3s/apps/Nextcloud/manifest/nextcloud-deployment.yaml Normal file
View File

@@ -0,0 +1,79 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: nextcloud
namespace: nextcloud
spec:
replicas: 1
selector:
matchLabels:
app: nextcloud
template:
metadata:
labels:
app: nextcloud
spec:
# fsGroup sorgt dafür, dass gemountete Volumes die Gruppe www-data (33) bekommen
securityContext:
fsGroup: 33
# hostAliases mappt die öffentliche Domain intern auf die Service-ClusterIP,
# damit der Pod henryathome.home64.de direkt intern erreicht (vermeidet externe Loopback/Firewall/403)
hostAliases:
- ip: "10.43.107.87"
hostnames:
- "henryathome.home64.de"
containers:
- name: nextcloud
image: nextcloud:33-apache
imagePullPolicy: IfNotPresent
ports:
- containerPort: 80
env:
# - name: NEXTCLOUD_ADMIN_USER
# value: admin
# - name: NEXTCLOUD_ADMIN_PASSWORD
# value: admin
- name: MYSQL_HOST
value: mariadb.nextcloud.svc.cluster.local
- name: MYSQL_DATABASE
value: nextcloud
- name: MYSQL_USER
value: nextcloud
- name: MYSQL_PASSWORD
value: "nextcloud"
- name: REDIS_HOST
value: redis.nextcloud.svc.cluster.local
- name: NEXTCLOUD_TRUSTED_DOMAINS
value: "henryathome.home64.de,192.168.178.0/24,192.168.178.138,nextcloud.nextcloud.svc.cluster.local"
- name: TRUSTED_PROXIES
value: "192.168.178.120"
- name: OVERWRITEHOST
value: "henryathome.home64.de"
- name: OVERWRITEPROTOCOL
value: "https"
- name: OVERWRITECLIURL
value: "https://henryathome.home64.de"
resources:
requests:
memory: "512Mi"
cpu: "500m"
limits:
memory: "4Gi"
cpu: "3000m"
volumeMounts:
- name: data
mountPath: /var/www/html/data
- name: config
mountPath: /var/www/html/config
- name: apps
mountPath: /var/www/html/custom_apps
volumes:
- name: data
persistentVolumeClaim:
claimName: nextcloud-data-pvc
- name: config
persistentVolumeClaim:
claimName: nextcloud-config-pvc
- name: apps
persistentVolumeClaim:
claimName: nextcloud-apps-pvc

33
k3s/apps/Nextcloud/manifest/nextcloud-pv-pvc.yaml Normal file
View File

@@ -0,0 +1,33 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: pv-nextcloud-data-nfs
spec:
capacity:
storage: 500Gi
accessModes:
- ReadWriteMany
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs
mountOptions:
- vers=4
- rsize=65536
- wsize=65536
- noatime
nfs:
server: 192.168.178.186 # <-- ERSETZEN: IP oder Hostname deiner NAS
path: /volume1/Nextcloud/data # <-- ERSETZEN: Pfad zum Share auf der NAS (z.B. /volume1/nextcloud)
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-data-pvc
namespace: nextcloud
spec:
accessModes:
- ReadWriteMany
storageClassName: nfs
resources:
requests:
storage: 500Gi
volumeName: pv-nextcloud-data-nfs

13
k3s/apps/Nextcloud/manifest/nextcloud-service.yaml Normal file
View File

@@ -0,0 +1,13 @@
apiVersion: v1
kind: Service
metadata:
name: nextcloud
namespace: nextcloud
spec:
type: NodePort
selector:
app: nextcloud
ports:
- port: 80
targetPort: 80
nodePort: 30180

26
k3s/apps/Nextcloud/manifest/redis-deployment.yaml Normal file
View File

@@ -0,0 +1,26 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: redis
namespace: nextcloud
spec:
replicas: 1
selector:
matchLabels:
app: redis
template:
metadata:
labels:
app: redis
spec:
containers:
- name: redis
image: redis:7.0
ports:
- containerPort: 6379
volumeMounts:
- name: redis-data
mountPath: /data
volumes:
- name: redis-data
emptyDir: {}

11
k3s/apps/Nextcloud/manifest/redis-service.yaml Normal file
View File

@@ -0,0 +1,11 @@
apiVersion: v1
kind: Service
metadata:
name: redis
namespace: nextcloud
spec:
selector:
app: redis
ports:
- port: 6379
targetPort: 6379

13
k3s/apps/Nextcloud/pv/pvc-nexcloud.yaml Normal file
View File

@@ -0,0 +1,13 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nextcloud-data-pvc
namespace: nextcloud
spec:
accessModes:
- ReadWriteMany
storageClassName: nfs
resources:
requests:
storage: 500Gi
volumeName: pv-nextcloud-data-nfs

262
k3s/apps/gitLab/manifest.yaml Normal file
View File

@@ -0,0 +1,262 @@
apiVersion: v1
kind: Namespace
metadata:
name: gitlab
---
# ─── NFS PersistentVolume für gitlab-data ─────────────────────────
apiVersion: v1
kind: PersistentVolume
metadata:
name: gitlab-data-pv
spec:
capacity:
storage: 50Gi
accessModes:
- ReadWriteMany # NFS unterstützt RWX
persistentVolumeReclaimPolicy: Retain
mountOptions:
- hard
- nfsvers=4.1
- rsize=1048576
- wsize=1048576
- timeo=600
- retrans=2
nfs:
server: 192.168.1.100 # ← deine NFS Server IP
path: /exports/gitlab/data # ← NFS Export Pfad
---
# ─── PVC für gitlab-data (NFS) ────────────────────────────────────
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: gitlab-data-pvc
namespace: gitlab
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 50Gi
volumeName: gitlab-data-pv # direkte Bindung an den PV oben
storageClassName: "" # wichtig: verhindert dynamische Provisionierung
---
# ─── Lokale PVCs (Logs & Config bleiben lokal) ────────────────────
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: gitlab-logs-pvc
namespace: gitlab
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 10Gi
storageClassName: standard
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: gitlab-config-pvc
namespace: gitlab
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
storageClassName: standard
---
# ─── Secret ───────────────────────────────────────────────────────
apiVersion: v1
kind: Secret
metadata:
name: gitlab-secrets
namespace: gitlab
type: Opaque
stringData:
GITLAB_ROOT_PASSWORD: "ChangeMeSecurely123!"
GITLAB_OMNIBUS_CONFIG: |
external_url 'https://gitlab.example.com'
gitlab_rails['gitlab_shell_ssh_port'] = 22
nginx['listen_port'] = 80
nginx['listen_https'] = false
prometheus_monitoring['enable'] = false
---
# ─── ConfigMap ────────────────────────────────────────────────────
apiVersion: v1
kind: ConfigMap
metadata:
name: gitlab-config
namespace: gitlab
data:
GITLAB_TIMEZONE: "Europe/Berlin"
---
# ─── Deployment ───────────────────────────────────────────────────
apiVersion: apps/v1
kind: Deployment
metadata:
name: gitlab
namespace: gitlab
labels:
app: gitlab
spec:
replicas: 1
selector:
matchLabels:
app: gitlab
strategy:
type: Recreate
template:
metadata:
labels:
app: gitlab
spec:
initContainers:
- name: fix-permissions
image: busybox
command:
- sh
- -c
- |
chown -R 998:998 /var/opt/gitlab /var/log/gitlab /etc/gitlab
# NFS: sicherstellen dass das Verzeichnis existiert
mkdir -p /var/opt/gitlab/git-data
volumeMounts:
- name: gitlab-data
mountPath: /var/opt/gitlab
- name: gitlab-logs
mountPath: /var/log/gitlab
- name: gitlab-config
mountPath: /etc/gitlab
containers:
- name: gitlab
image: gitlab/gitlab-ce:16.9.0-ce.0
imagePullPolicy: IfNotPresent
ports:
- name: http
containerPort: 80
- name: https
containerPort: 443
- name: ssh
containerPort: 22
envFrom:
- configMapRef:
name: gitlab-config
- secretRef:
name: gitlab-secrets
resources:
requests:
memory: "4Gi"
cpu: "1000m"
limits:
memory: "8Gi"
cpu: "4000m"
# ─── Mounts ─────────────────────────────────────────────
volumeMounts:
- name: gitlab-data # → NFS
mountPath: /var/opt/gitlab
- name: gitlab-logs # → lokal
mountPath: /var/log/gitlab
- name: gitlab-config # → lokal
mountPath: /etc/gitlab
- name: shm
mountPath: /dev/shm
readinessProbe:
httpGet:
path: /-/readiness
port: 80
initialDelaySeconds: 60
periodSeconds: 10
failureThreshold: 30
livenessProbe:
httpGet:
path: /-/liveness
port: 80
initialDelaySeconds: 120
periodSeconds: 30
failureThreshold: 5
# ─── Volumes ──────────────────────────────────────────────────
volumes:
- name: gitlab-data # NFS via PVC
persistentVolumeClaim:
claimName: gitlab-data-pvc
- name: gitlab-logs # lokal via PVC
persistentVolumeClaim:
claimName: gitlab-logs-pvc
- name: gitlab-config # lokal via PVC
persistentVolumeClaim:
claimName: gitlab-config-pvc
- name: shm
emptyDir:
medium: Memory
sizeLimit: 256Mi
---
# ─── Service ──────────────────────────────────────────────────────
apiVersion: v1
kind: Service
metadata:
name: gitlab
namespace: gitlab
spec:
selector:
app: gitlab
ports:
- name: http
port: 80
targetPort: 80
- name: https
port: 443
targetPort: 443
- name: ssh
port: 22
targetPort: 22
type: ClusterIP
---
# ─── Ingress ──────────────────────────────────────────────────────
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: gitlab
namespace: gitlab
annotations:
nginx.ingress.kubernetes.io/proxy-body-size: "512m"
nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
spec:
ingressClassName: nginx
tls:
- hosts:
- gitlab.example.com
secretName: gitlab-tls
rules:
- host: gitlab.example.com
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: gitlab
port:
number: 80

118
k3s/apps/gitLab/manifest/gitlab-deployment.yaml Normal file
View File

@@ -0,0 +1,118 @@
# ─── Deployment ───────────────────────────────────────────────────
apiVersion: apps/v1
kind: Deployment
metadata:
name: gitlab
namespace: gitlab
labels:
app: gitlab
spec:
replicas: 1
selector:
matchLabels:
app: gitlab
strategy:
type: Recreate
template:
metadata:
labels:
app: gitlab
spec:
initContainers:
- name: fix-permissions
image: busybox
command:
- sh
- -c
- mkdir -p /var/opt/gitlab/git-data
volumeMounts:
- name: gitlab-data
mountPath: /var/opt/gitlab
- name: gitlab-git
mountPath: /var/opt/gitlab/git-data
- name: gitlab-config
mountPath: /etc/gitlab
containers:
- name: gitlab
image: gitlab/gitlab-ce:latest
imagePullPolicy: IfNotPresent
securityContext:
capabilities:
add:
- SYS_RESOURCE
ports:
- name: http
containerPort: 80
- name: https
containerPort: 443
- name: ssh
containerPort: 22
envFrom:
- configMapRef:
name: gitlab-config
- secretRef:
name: gitlab-secrets
resources:
requests:
memory: "4Gi"
cpu: "1000m"
limits:
memory: "8Gi"
cpu: "4000m"
# ─── Mounts ─────────────────────────────────────────────
volumeMounts:
- name: gitlab-data # → lokal (postgresql, redis, etc.)
mountPath: /var/opt/gitlab
- name: gitlab-git # → NFS (Git-Repositories)
mountPath: /var/opt/gitlab/git-data
- name: gitlab-config # → lokal
mountPath: /etc/gitlab
- name: gitlab-logs # → ephemeral
mountPath: /var/log/gitlab
- name: shm
mountPath: /dev/shm
startupProbe:
exec:
command: ["curl", "-sf", "http://localhost/-/health"]
failureThreshold: 40
periodSeconds: 15
readinessProbe:
exec:
command: ["curl", "-sf", "http://localhost/-/health"]
periodSeconds: 15
failureThreshold: 3
livenessProbe:
exec:
command: ["curl", "-sf", "http://localhost/-/health"]
periodSeconds: 30
failureThreshold: 5
# ─── Volumes ──────────────────────────────────────────────────
volumes:
- name: gitlab-data # lokal (postgresql, redis, etc.)
persistentVolumeClaim:
claimName: gitlab-data-pvc
- name: gitlab-git # NFS (Git-Repositories)
persistentVolumeClaim:
claimName: gitlab-git-pvc
- name: gitlab-config # lokal
persistentVolumeClaim:
claimName: gitlab-config-pvc
- name: gitlab-logs # ephemeral
emptyDir: {}
- name: shm
emptyDir:
medium: Memory
sizeLimit: 256Mi

4
k3s/apps/gitLab/manifest/namespace.yaml Normal file
View File

@@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: gitlab

98
k3s/apps/gitLab/manifest/pv-pvc.yaml Normal file
View File

@@ -0,0 +1,98 @@
# ─── NFS PV für git-data (Repositories) ──────────────────────────
apiVersion: v1
kind: PersistentVolume
metadata:
name: gitlab-git-pv
spec:
capacity:
storage: 50Gi
accessModes:
- ReadWriteMany
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs
mountOptions:
- hard
- rsize=1048576
- wsize=1048576
- timeo=600
- retrans=2
nfs:
server: 192.168.178.166
path: /export/gitlab
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: gitlab-git-pvc
namespace: gitlab
spec:
accessModes:
- ReadWriteMany
storageClassName: nfs
resources:
requests:
storage: 50Gi
volumeName: gitlab-git-pv
---
# ─── Lokaler PV für /var/opt/gitlab (postgresql, redis, etc.) ─────
apiVersion: v1
kind: PersistentVolume
metadata:
name: gitlab-data-pv
spec:
capacity:
storage: 20Gi
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
storageClassName: local-path
hostPath:
path: /var/lib/gitlab/data
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: gitlab-data-pvc
namespace: gitlab
spec:
accessModes:
- ReadWriteOnce
storageClassName: local-path
resources:
requests:
storage: 20Gi
volumeName: gitlab-data-pv
---
# ─── Lokaler PV für /etc/gitlab (Konfiguration) ───────────────────
apiVersion: v1
kind: PersistentVolume
metadata:
name: gitlab-config-pv
spec:
capacity:
storage: 1Gi
accessModes:
- ReadWriteOnce
persistentVolumeReclaimPolicy: Retain
storageClassName: local-path
hostPath:
path: /var/lib/gitlab/config
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: gitlab-config-pvc
namespace: gitlab
spec:
accessModes:
- ReadWriteOnce
storageClassName: local-path
resources:
requests:
storage: 1Gi
volumeName: gitlab-config-pv

58
k3s/apps/gitLab/manifest/secret.yaml Normal file
View File

@@ -0,0 +1,58 @@
# ─── Secret ───────────────────────────────────────────────────────
apiVersion: v1
kind: Secret
metadata:
name: gitlab-secrets
namespace: gitlab
type: Opaque
stringData:
GITLAB_ROOT_PASSWORD: "NewPassword123!"
GITLAB_OMNIBUS_CONFIG: |
external_url 'https://gitlab.henryathome.home64.de'
gitlab_rails['gitlab_shell_ssh_port'] = 31022
nginx['listen_port'] = 80
nginx['listen_https'] = false
nginx['proxy_set_headers'] = {
'X-Forwarded-Proto' => 'https',
'X-Forwarded-Ssl' => 'on'
}
prometheus_monitoring['enable'] = false
# Authentik SSO (OpenID Connect)
gitlab_rails['omniauth_enabled'] = true
gitlab_rails['omniauth_allow_single_sign_on'] = ['openid_connect']
gitlab_rails['omniauth_sync_email_from_provider'] = 'openid_connect'
gitlab_rails['omniauth_sync_profile_from_provider'] = ['openid_connect']
gitlab_rails['omniauth_sync_profile_attributes'] = ['email', 'name']
gitlab_rails['omniauth_block_auto_created_users'] = false
gitlab_rails['omniauth_providers'] = [
{
name: "openid_connect",
label: "Authentik",
args: {
name: "openid_connect",
scope: ["openid", "profile", "email"],
response_type: "code",
issuer: "https://authentik.henryathome.home64.de/application/o/gitlab/",
discovery: true,
client_auth_method: "query",
uid_field: "sub",
pkce: true,
client_options: {
identifier: "HaKYx5sj767TYywPOekXD99ylk4NdPEX85UWa9Jo",
secret: "9AazToYtgYdfaAgZauR8FMNJVj0qF8qePz0Gq5TPYK9fiE45QUDoEM1v3CEROiSI2BngXJVRqSEgBszSyieHe283w8Ube0yWXzesLNS84qR3fDWWSpbJ3sLZBlJMKMUj",
redirect_uri: "https://gitlab.henryathome.home64.de/users/auth/openid_connect/callback"
}
}
}
]
---
# ─── ConfigMap ────────────────────────────────────────────────────
apiVersion: v1
kind: ConfigMap
metadata:
name: gitlab-config
namespace: gitlab
data:
GITLAB_TIMEZONE: "Europe/Berlin"

52
k3s/apps/gitLab/manifest/service.yaml Normal file
View File

@@ -0,0 +1,52 @@
# ─── Service ──────────────────────────────────────────────────────
apiVersion: v1
kind: Service
metadata:
name: gitlab
namespace: gitlab
spec:
selector:
app: gitlab
ports:
- name: http
port: 80
targetPort: 80
nodePort: 31080
- name: https
port: 443
targetPort: 443
nodePort: 31443
- name: ssh
port: 31022
targetPort: 31022
nodePort: 31022
type: NodePort
# ---
# ─── Ingress ──────────────────────────────────────────────────────
# apiVersion: networking.k8s.io/v1
# kind: Ingress
# metadata:
# name: gitlab
# namespace: gitlab
# annotations:
# nginx.ingress.kubernetes.io/proxy-body-size: "512m"
# nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
# nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
# spec:
# ingressClassName: nginx
# tls:
# - hosts:
# - gitlab.example.com
# secretName: gitlab-tls
# rules:
# - host: gitlab.example.com
# http:
# paths:
# - path: /
# pathType: Prefix
# backend:
# service:
# name: gitlab
# port:
# number: 80

2
k3s/apps/photo/immich/immich-server-deployment.yaml
View File

@@ -112,4 +112,4 @@ spec:
claimName: immich-library-pvc claimName: immich-library-pvc
- name: ext-library - name: ext-library
persistentVolumeClaim: persistentVolumeClaim:
claimName: photoprism-storage claimName: photoprism-library-pvc

13
k3s/apps/photo/photoprism/photoprism-storrage-pvc.yaml Normal file
View File

@@ -0,0 +1,13 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: photoprism-library-pvc
namespace: photoprism
spec:
storageClassName: nfs
volumeName: photos-nfs-pv
accessModes:
- ReadWriteMany
resources:
requests:
storage: 50Gi

52
k3s/apps/photo/photoprism/photoprism.yaml
View File

@@ -1,31 +1,3 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: photoprism-storage
namespace: photoprism
spec:
storageClassName: nfs
volumeName: nfs-pv
accessModes:
- ReadWriteMany
resources:
requests:
storage: 50Gi
---
#apiVersion: v1
#kind: PersistentVolumeClaim
#metadata:
# name: photoprism-originals
# namespace: photoprism
#spec:
# storageClassName: nfs
# volumeName: nfs-pv
# accessModes:
# - ReadWriteMany
# resources:
# requests:
# storage: 100Gi
---
apiVersion: apps/v1 apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
@@ -76,7 +48,23 @@ spec:
value: "true" value: "true"
- name: PHOTOPRISM_SIDECAR_JSON - name: PHOTOPRISM_SIDECAR_JSON
value: "true" value: "true"
# resources: - name: PHOTOPRISM_OIDC_URI
value: "https://authentik.henryathome.home64.de/application/o/photoprism/"
- name: PHOTOPRISM_OIDC_CLIENT
value: "UL29po2otoaH2mioipq9cekGkFSUvX6hTywaRsZ6"
- name: PHOTOPRISM_OIDC_SECRET
value: "Dx1FXPuFMtDFliZaZbpCOnlYvJYsFiBW533IyeRVdsT4y6XIAsHKVtLFYBijLXVQElu0UqoGOF1JJ8E2Gy3v97chQf6kXBQ5T2UMOXeFWSUlzhXVbNTFGwhITqPizycv"
- name: PHOTOPRISM_OIDC_PROVIDER
value: authentik
- name: PHOTOPRISM_OIDC_REDIRECT
value: "true"
- name: PHOTOPRISM_OIDC_REGISTER
value: "true"
- name: PHOTOPRISM_OIDC_ICON
value: "/static/img/oidc.svg"
- name: PHOTOPRISM_OIDC_USERNAME
value: "email"
resources:
# requests: # requests:
# cpu: "100m" # cpu: "100m"
# memory: "128Mi" # memory: "128Mi"
@@ -85,7 +73,7 @@ spec:
# memory: "512Mi" # memory: "512Mi"
volumeMounts: volumeMounts:
- mountPath: /photoprism/ - mountPath: /photoprism/
name: photoprism-storage name: photoprism-library-pvc
# - mountPath: /photoprism/storage # - mountPath: /photoprism/storage
# name: photoprism-storage # name: photoprism-storage
# - mountPath: /photoprism/originals # - mountPath: /photoprism/originals
@@ -95,9 +83,9 @@ spec:
# runAsUser: 1000 # runAsUser: 1000
# runAsGroup: 1000 # runAsGroup: 1000
volumes: volumes:
- name: photoprism-storage - name: photoprism-library-pvc
persistentVolumeClaim: persistentVolumeClaim:
claimName: photoprism-storage claimName: photoprism-library-pvc
# - name: photoprism-originals # - name: photoprism-originals
# persistentVolumeClaim: # persistentVolumeClaim:
# claimName: photoprism-originals # claimName: photoprism-originals

17
k3s/apps/photo/photos-pv.yaml Normal file
View File

@@ -0,0 +1,17 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: photos-nfs-pv
spec:
capacity:
storage: 200Gi
accessModes:
- ReadWriteMany
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs
nfs:
server: 192.168.178.186
path: /volume1/Photos
mountOptions:
- hard
- nfsvers=4