feat: rebrand Hemmelig to paste.es for cloudhost.es

- Set Spanish as default language with ephemeral/encrypted privacy focus - Translate all user-facing strings and legal pages to Spanish - Replace Norwegian flag with Spanish flag in footer - Remove Hemmelig/terces.cloud links, add cloudhost.es sponsorship - Rewrite PrivacyPage: zero data collection, ephemeral design emphasis - Rewrite TermsPage: Spanish law, RGPD, paste.es/CloudHost.es references - Update PWA manifest, HTML meta tags, package.json branding - Rename webhook headers to X-Paste-Event / X-Paste-Signature - Update API docs title and contact to paste.es / cloudhost.es Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-24 09:30:19 +01:00
commit bc9f96cbd4
268 changed files with 45773 additions and 0 deletions
--- a/docs/helm-oauth.md
+++ b/docs/helm-oauth.md
@@ -0,0 +1,141 @@
+# Hemmelig Helm Chart - OAuth Configuration Examples
+
+This document demonstrates how to configure OAuth providers with the Hemmelig Helm Chart.
+
+## Using Default Secret Management
+
+The chart can automatically create secrets with your OAuth configuration.
+
+The example below contains all providers supported by the Helm Chart:
+
+```yaml
+# values.yaml
+config:
+  betterAuthSecret: "your-auth-secret-here"
+  betterAuthUrl: "https://secrets.example.com"
+  baseUrl: "https://secrets.example.com"  # Required for OAuth callbacks
+
+oauth:
+  github:
+    enabled: true
+    clientId: "your-github-client-id"
+    clientSecret: "your-github-client-secret"
+  
+  google:
+    enabled: true
+    clientId: "your-google-client-id"
+    clientSecret: "your-google-client-secret"
+  
+  microsoft:
+    enabled: true
+    clientId: "your-microsoft-client-id"
+    clientSecret: "your-microsoft-client-secret"
+    tenantId: "your-tenant-id"  # Optional
+  
+  discord:
+    enabled: true
+    clientId: "your-discord-client-id"
+    clientSecret: "your-discord-client-secret"
+  
+  gitlab:
+    enabled: true
+    clientId: "your-gitlab-client-id"
+    clientSecret: "your-gitlab-client-secret"
+    issuer: "https://gitlab.example.com"  # Optional, for self-hosted GitLab
+  
+  apple:
+    enabled: true
+    clientId: "your-apple-client-id"
+    clientSecret: "your-apple-client-secret"
+  
+  twitter:
+    enabled: true
+    clientId: "your-twitter-client-id"
+    clientSecret: "your-twitter-client-secret"
+  
+  generic: '[{"providerId":"authentik","discoveryUrl":"https://auth.example.com/.well-known/openid-configuration","clientId":"client-id","clientSecret":"secret","scopes":["openid","profile","email"]}]'
+```
+
+## Using Existing Secret
+
+If you prefer to manage secrets yourself, reference an existing secret
+and enable your desired providers:
+
+```yaml
+# values.yaml
+existingSecret: "hemmelig-secrets"
+
+oauth:
+  github:
+    enabled: true
+  google:
+    enabled: true
+  microsoft:
+    enabled: true
+  discord:
+    enabled: true
+  gitlab:
+    enabled: true
+  apple:
+    enabled: true
+  twitter:
+    enabled: true
+  generic: '[{"providerId":"authentik","discoveryUrl":"https://auth.example.com/.well-known/openid-configuration","clientId":"client-id","clientSecret":"secret","scopes":["openid","profile","email"]}]'
+```
+
+Your referenced secret should contain the relevant keys for the providers enabled:
+
+```yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: hemmelig-secrets
+type: Opaque
+stringData:
+  BETTER_AUTH_SECRET: "your-auth-secret"
+  # GitHub
+  HEMMELIG_AUTH_GITHUB_ID: "github-client-id"
+  HEMMELIG_AUTH_GITHUB_SECRET: "github-client-secret"
+  # Google
+  HEMMELIG_AUTH_GOOGLE_ID: "google-client-id"
+  HEMMELIG_AUTH_GOOGLE_SECRET: "google-client-secret"
+  # Microsoft (Azure AD)
+  HEMMELIG_AUTH_MICROSOFT_ID: "microsoft-client-id"
+  HEMMELIG_AUTH_MICROSOFT_SECRET: "microsoft-client-secret"
+  HEMMELIG_AUTH_MICROSOFT_TENANT_ID: "tenant-id" # Optional
+  # Discord
+  HEMMELIG_AUTH_DISCORD_ID: "discord-client-id"
+  HEMMELIG_AUTH_DISCORD_SECRET: "discord-client-secret"
+  # GitLab
+  HEMMELIG_AUTH_GITLAB_ID: "gitlab-client-id"
+  HEMMELIG_AUTH_GITLAB_SECRET: "gitlab-client-secret"
+  HEMMELIG_AUTH_GITLAB_ISSUER: "https://gitlab.example.com"  # Optional
+  # Apple
+  HEMMELIG_AUTH_APPLE_ID: "apple-client-id"
+  HEMMELIG_AUTH_APPLE_SECRET: "apple-client-secret"
+  # Twitter/X
+  HEMMELIG_AUTH_TWITTER_ID: "twitter-client-id"
+  HEMMELIG_AUTH_TWITTER_SECRET: "twitter-client-secret"
+  # Generic OAuth (JSON array - supports any OAuth 2.0 / OIDC provider)
+  HEMMELIG_AUTH_GENERIC_OAUTH: "[{"providerId":"authentik","discoveryUrl":"https://auth.example.com/.well-known/openid-configuration","clientId":"client-id","clientSecret":"client-secret","scopes":["openid","profile","email"]}]"
+```
+
+## Notes
+
+- All `HEMMELIG_AUTH_*` variables require both `_ID` and `_SECRET`
+to enable a provider, except the "Generic" type.
+
+If you enable a provider and not include the required environment variables for it,
+the pod will fail to start with CreateContainerConfigError, with an event
+similar to the one below:
+
+```
+Error: couldn't find key HEMMELIG_AUTH_<missing_env> in Secret default/hemmelig
+```
+
+- All OAuth environment variables will be automatically injected into
+the deployment, sourced either from the chart-generated secret
+or your existing secret.
+
+- If the `existingSecret` value is provided, the `clientId`, `clientSecret`, etc.
+values are ignored from the `values.yaml`