feat: rebrand Hemmelig to paste.es for cloudhost.es

- Set Spanish as default language with ephemeral/encrypted privacy focus
- Translate all user-facing strings and legal pages to Spanish
- Replace Norwegian flag with Spanish flag in footer
- Remove Hemmelig/terces.cloud links, add cloudhost.es sponsorship
- Rewrite PrivacyPage: zero data collection, ephemeral design emphasis
- Rewrite TermsPage: Spanish law, RGPD, paste.es/CloudHost.es references
- Update PWA manifest, HTML meta tags, package.json branding
- Rename webhook headers to X-Paste-Event / X-Paste-Signature
- Update API docs title and contact to paste.es / cloudhost.es

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-02-24 09:30:19 +01:00
commit bc9f96cbd4
268 changed files with 45773 additions and 0 deletions

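--- a/helm/hemmelig/.helmignore
+++ b/helm/hemmelig/.helmignore
@@ -0,0 +1,18 @@
+# Patterns to ignore when building packages.
+.DS_Store
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+.project
+.idea/
+*.tmproj
+.vscode/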

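--- a/helm/hemmelig/Chart.yaml
+++ b/helm/hemmelig/Chart.yaml
@@ -0,0 +1,17 @@
+apiVersion: v2
+name: hemmelig
+description: A Helm chart for Hemmelig - Encrypted secret sharing application
+type: application
+version: 1.0.0
+appVersion: "7.0.0"
+keywords:
+- secrets
+- encryption
+- security
+- sharing
+home: https://hemmelig.app
+sources:
+- https://github.com/HemmeligOrg/Hemmelig.app
+maintainers:
+- name: HemmeligOrg
+url: https://github.com/HemmeligOrg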


@@ -0,0 +1,38 @@
Thank you for installing {{ .Chart.Name }}!
{{- if .Values.ingress.enabled }}
Your Hemmelig instance is available at:
{{- range $host := .Values.ingress.hosts }}
{{- range .paths }}
http{{ if $.Values.ingress.tls }}s{{ end }}://{{ $host.host }}{{ .path }}
{{- end }}
{{- end }}
{{- else if contains "NodePort" .Values.service.type }}
Get the application URL by running:
export NODE_PORT=$(kubectl get --namespace {{ .Release.Namespace }} -o jsonpath="{.spec.ports[0].nodePort}" services {{ include "hemmelig.fullname" . }})
export NODE_IP=$(kubectl get nodes --namespace {{ .Release.Namespace }} -o jsonpath="{.items[0].status.addresses[0].address}")
echo http://$NODE_IP:$NODE_PORT
{{- else if contains "LoadBalancer" .Values.service.type }}
Get the application URL by running:
NOTE: It may take a few minutes for the LoadBalancer IP to be available.
kubectl get --namespace {{ .Release.Namespace }} svc -w {{ include "hemmelig.fullname" . }}
{{- else if contains "ClusterIP" .Values.service.type }}
Get the application URL by running:
kubectl --namespace {{ .Release.Namespace }} port-forward svc/{{ include "hemmelig.fullname" . }} 3000:{{ .Values.service.port }}
echo "Visit http://127.0.0.1:3000"
{{- end }}
{{- if not .Values.config.betterAuthSecret }}
WARNING: You have not set config.betterAuthSecret!
Please set this value or use existingSecret to provide authentication secrets.
Generate a secret with: openssl rand -base64 32
{{- end }}
{{- if not .Values.config.betterAuthUrl }}
WARNING: You have not set config.betterAuthUrl!
This is required for OAuth authentication and proper cookie handling.
{{- end }}
For more information, visit: https://github.com/HemmeligOrg/Hemmelig.app
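Review bot: The `BETTER_AUTH_SECRET` warning tests only `config.betterAuthSecret`, so an install that supplies the secret through `existingSecret` is still told it has not set one; the guard should read `{{- if not (or .Values.config.betterAuthSecret .Values.existingSecret) }}`. When neither value is set, the chart only prints this text after the release has been installed, and the Deployment template in this commit then renders no `BETTER_AUTH_SECRET` variable at all. How the application behaves without it is not visible here, but a post-install notice is easy to miss; a `fail` call in the templates would stop the release before a pod starts without its signing secret.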


@@ -0,0 +1,60 @@
{{/*
Expand the name of the chart.
*/}}
{{- define "hemmelig.name" -}}
{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Create a default fully qualified app name.
*/}}
{{- define "hemmelig.fullname" -}}
{{- if .Values.fullnameOverride }}
{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- $name := default .Chart.Name .Values.nameOverride }}
{{- if contains $name .Release.Name }}
{{- .Release.Name | trunc 63 | trimSuffix "-" }}
{{- else }}
{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }}
{{- end }}
{{- end }}
{{- end }}
{{/*
Create chart name and version as used by the chart label.
*/}}
{{- define "hemmelig.chart" -}}
{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }}
{{- end }}
{{/*
Common labels
*/}}
{{- define "hemmelig.labels" -}}
helm.sh/chart: {{ include "hemmelig.chart" . }}
{{ include "hemmelig.selectorLabels" . }}
{{- if .Chart.AppVersion }}
app.kubernetes.io/version: {{ .Chart.AppVersion | quote }}
{{- end }}
app.kubernetes.io/managed-by: {{ .Release.Service }}
{{- end }}
{{/*
Selector labels
*/}}
{{- define "hemmelig.selectorLabels" -}}
app.kubernetes.io/name: {{ include "hemmelig.name" . }}
app.kubernetes.io/instance: {{ .Release.Name }}
{{- end }}
{{/*
Create the name of the service account to use
*/}}
{{- define "hemmelig.serviceAccountName" -}}
{{- if .Values.serviceAccount.create }}
{{- default (include "hemmelig.fullname" .) .Values.serviceAccount.name }}
{{- else }}
{{- default "default" .Values.serviceAccount.name }}
{{- end }}
{{- end }}


@@ -0,0 +1,318 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: {{ include "hemmelig.fullname" . }}
labels:
{{- include "hemmelig.labels" . | nindent 4 }}
spec:
replicas: {{ .Values.replicaCount }}
strategy:
type: Recreate
selector:
matchLabels:
{{- include "hemmelig.selectorLabels" . | nindent 6 }}
template:
metadata:
{{- with .Values.podAnnotations }}
annotations:
{{- toYaml . | nindent 8 }}
{{- end }}
labels:
{{- include "hemmelig.labels" . | nindent 8 }}
{{- with .Values.podLabels }}
{{- toYaml . | nindent 8 }}
{{- end }}
spec:
{{- with .Values.imagePullSecrets }}
imagePullSecrets:
{{- toYaml . | nindent 8 }}
{{- end }}
serviceAccountName: {{ include "hemmelig.serviceAccountName" . }}
containers:
- name: {{ .Chart.Name }}
image: "{{ .Values.image.repository }}:{{ .Values.image.tag | default .Chart.AppVersion }}"
imagePullPolicy: {{ .Values.image.pullPolicy }}
ports:
- name: http
containerPort: 3000
protocol: TCP
env:
- name: NODE_ENV
value: "production"
- name: DATABASE_URL
value: "file:/app/database/hemmelig.db"
{{- if .Values.config.betterAuthUrl }}
- name: BETTER_AUTH_URL
value: {{ .Values.config.betterAuthUrl | quote }}
{{- end }}
{{- if .Values.config.baseUrl }}
- name: HEMMELIG_BASE_URL
value: {{ .Values.config.baseUrl | quote }}
{{- end }}
{{- if .Values.existingSecret }}
- name: BETTER_AUTH_SECRET
valueFrom:
secretKeyRef:
name: {{ .Values.existingSecret }}
key: BETTER_AUTH_SECRET
{{- else if .Values.config.betterAuthSecret }}
- name: BETTER_AUTH_SECRET
valueFrom:
secretKeyRef:
name: {{ include "hemmelig.fullname" . }}
key: BETTER_AUTH_SECRET
{{- end }}
{{- if or (.Values.oauth.github.enabled) (.Values.oauth.google.enabled) (.Values.oauth.microsoft.enabled) (.Values.oauth.discord.enabled) (.Values.oauth.gitlab.enabled) (.Values.oauth.apple.enabled) (.Values.oauth.twitter.enabled) (.Values.oauth.generic) }}
{{- if .Values.existingSecret }}
# OAuth variables from existing secret
{{- if .Values.oauth.github.enabled }}
- name: HEMMELIG_AUTH_GITHUB_ID
valueFrom:
secretKeyRef:
name: {{ .Values.existingSecret }}
key: HEMMELIG_AUTH_GITHUB_ID
- name: HEMMELIG_AUTH_GITHUB_SECRET
valueFrom:
secretKeyRef:
name: {{ .Values.existingSecret }}
key: HEMMELIG_AUTH_GITHUB_SECRET
{{- end }}
{{- if .Values.oauth.google.enabled }}
- name: HEMMELIG_AUTH_GOOGLE_ID
valueFrom:
secretKeyRef:
name: {{ .Values.existingSecret }}
key: HEMMELIG_AUTH_GOOGLE_ID
- name: HEMMELIG_AUTH_GOOGLE_SECRET
valueFrom:
secretKeyRef:
name: {{ .Values.existingSecret }}
key: HEMMELIG_AUTH_GOOGLE_SECRET
{{- end }}
{{- if .Values.oauth.microsoft.enabled }}
- name: HEMMELIG_AUTH_MICROSOFT_ID
valueFrom:
secretKeyRef:
name: {{ .Values.existingSecret }}
key: HEMMELIG_AUTH_MICROSOFT_ID
- name: HEMMELIG_AUTH_MICROSOFT_SECRET
valueFrom:
secretKeyRef:
name: {{ .Values.existingSecret }}
key: HEMMELIG_AUTH_MICROSOFT_SECRET
- name: HEMMELIG_AUTH_MICROSOFT_TENANT_ID
valueFrom:
secretKeyRef:
name: {{ .Values.existingSecret }}
key: HEMMELIG_AUTH_MICROSOFT_TENANT_ID
optional: true
{{- end }}
{{- if .Values.oauth.discord.enabled }}
- name: HEMMELIG_AUTH_DISCORD_ID
valueFrom:
secretKeyRef:
name: {{ .Values.existingSecret }}
key: HEMMELIG_AUTH_DISCORD_ID
- name: HEMMELIG_AUTH_DISCORD_SECRET
valueFrom:
secretKeyRef:
name: {{ .Values.existingSecret }}
key: HEMMELIG_AUTH_DISCORD_SECRET
{{- end }}
{{- if .Values.oauth.gitlab.enabled }}
- name: HEMMELIG_AUTH_GITLAB_ID
valueFrom:
secretKeyRef:
name: {{ .Values.existingSecret }}
key: HEMMELIG_AUTH_GITLAB_ID
- name: HEMMELIG_AUTH_GITLAB_SECRET
valueFrom:
secretKeyRef:
name: {{ .Values.existingSecret }}
key: HEMMELIG_AUTH_GITLAB_SECRET
- name: HEMMELIG_AUTH_GITLAB_ISSUER
valueFrom:
secretKeyRef:
name: {{ .Values.existingSecret }}
key: HEMMELIG_AUTH_GITLAB_ISSUER
optional: true
{{- end }}
{{- if .Values.oauth.apple.enabled }}
- name: HEMMELIG_AUTH_APPLE_ID
valueFrom:
secretKeyRef:
name: {{ .Values.existingSecret }}
key: HEMMELIG_AUTH_APPLE_ID
- name: HEMMELIG_AUTH_APPLE_SECRET
valueFrom:
secretKeyRef:
name: {{ .Values.existingSecret }}
key: HEMMELIG_AUTH_APPLE_SECRET
{{- end }}
{{- if .Values.oauth.twitter.enabled }}
- name: HEMMELIG_AUTH_TWITTER_ID
valueFrom:
secretKeyRef:
name: {{ .Values.existingSecret }}
key: HEMMELIG_AUTH_TWITTER_ID
- name: HEMMELIG_AUTH_TWITTER_SECRET
valueFrom:
secretKeyRef:
name: {{ .Values.existingSecret }}
key: HEMMELIG_AUTH_TWITTER_SECRET
{{- end }}
{{- if .Values.oauth.generic }}
- name: HEMMELIG_AUTH_GENERIC_OAUTH
valueFrom:
secretKeyRef:
name: {{ .Values.existingSecret }}
key: HEMMELIG_AUTH_GENERIC_OAUTH
{{- end }}
{{- else }}
# OAuth variables from default secret (when not using existingSecret)
{{- if .Values.oauth.github.enabled }}
- name: HEMMELIG_AUTH_GITHUB_ID
valueFrom:
secretKeyRef:
name: {{ include "hemmelig.fullname" . }}
key: HEMMELIG_AUTH_GITHUB_ID
- name: HEMMELIG_AUTH_GITHUB_SECRET
valueFrom:
secretKeyRef:
name: {{ include "hemmelig.fullname" . }}
key: HEMMELIG_AUTH_GITHUB_SECRET
{{- end }}
{{- if .Values.oauth.google.enabled }}
- name: HEMMELIG_AUTH_GOOGLE_ID
valueFrom:
secretKeyRef:
name: {{ include "hemmelig.fullname" . }}
key: HEMMELIG_AUTH_GOOGLE_ID
- name: HEMMELIG_AUTH_GOOGLE_SECRET
valueFrom:
secretKeyRef:
name: {{ include "hemmelig.fullname" . }}
key: HEMMELIG_AUTH_GOOGLE_SECRET
{{- end }}
{{- if .Values.oauth.microsoft.enabled }}
- name: HEMMELIG_AUTH_MICROSOFT_ID
valueFrom:
secretKeyRef:
name: {{ include "hemmelig.fullname" . }}
key: HEMMELIG_AUTH_MICROSOFT_ID
- name: HEMMELIG_AUTH_MICROSOFT_SECRET
valueFrom:
secretKeyRef:
name: {{ include "hemmelig.fullname" . }}
key: HEMMELIG_AUTH_MICROSOFT_SECRET
- name: HEMMELIG_AUTH_MICROSOFT_TENANT_ID
valueFrom:
secretKeyRef:
name: {{ include "hemmelig.fullname" . }}
key: HEMMELIG_AUTH_MICROSOFT_TENANT_ID
optional: true
{{- end }}
{{- if .Values.oauth.discord.enabled }}
- name: HEMMELIG_AUTH_DISCORD_ID
valueFrom:
secretKeyRef:
name: {{ include "hemmelig.fullname" . }}
key: HEMMELIG_AUTH_DISCORD_ID
- name: HEMMELIG_AUTH_DISCORD_SECRET
valueFrom:
secretKeyRef:
name: {{ include "hemmelig.fullname" . }}
key: HEMMELIG_AUTH_DISCORD_SECRET
{{- end }}
{{- if .Values.oauth.gitlab.enabled }}
- name: HEMMELIG_AUTH_GITLAB_ID
valueFrom:
secretKeyRef:
name: {{ include "hemmelig.fullname" . }}
key: HEMMELIG_AUTH_GITLAB_ID
- name: HEMMELIG_AUTH_GITLAB_SECRET
valueFrom:
secretKeyRef:
name: {{ include "hemmelig.fullname" . }}
key: HEMMELIG_AUTH_GITLAB_SECRET
- name: HEMMELIG_AUTH_GITLAB_ISSUER
valueFrom:
secretKeyRef:
name: {{ include "hemmelig.fullname" . }}
key: HEMMELIG_AUTH_GITLAB_ISSUER
optional: true
{{- end }}
{{- if .Values.oauth.apple.enabled }}
- name: HEMMELIG_AUTH_APPLE_ID
valueFrom:
secretKeyRef:
name: {{ include "hemmelig.fullname" . }}
key: HEMMELIG_AUTH_APPLE_ID
- name: HEMMELIG_AUTH_APPLE_SECRET
valueFrom:
secretKeyRef:
name: {{ include "hemmelig.fullname" . }}
key: HEMMELIG_AUTH_APPLE_SECRET
{{- end }}
{{- if .Values.oauth.twitter.enabled }}
- name: HEMMELIG_AUTH_TWITTER_ID
valueFrom:
secretKeyRef:
name: {{ include "hemmelig.fullname" . }}
key: HEMMELIG_AUTH_TWITTER_ID
- name: HEMMELIG_AUTH_TWITTER_SECRET
valueFrom:
secretKeyRef:
name: {{ include "hemmelig.fullname" . }}
key: HEMMELIG_AUTH_TWITTER_SECRET
{{- end }}
{{- if .Values.oauth.generic }}
- name: HEMMELIG_AUTH_GENERIC_OAUTH
valueFrom:
secretKeyRef:
name: {{ include "hemmelig.fullname" . }}
key: HEMMELIG_AUTH_GENERIC_OAUTH
{{- end }}
{{- end }}
{{- end }}
{{- with .Values.env }}
{{- toYaml . | nindent 12 }}
{{- end }}
volumeMounts:
- name: data
mountPath: /app/database
- name: uploads
mountPath: /app/uploads
livenessProbe:
{{- toYaml .Values.livenessProbe | nindent 12 }}
readinessProbe:
{{- toYaml .Values.readinessProbe | nindent 12 }}
resources:
{{- toYaml .Values.resources | nindent 12 }}
volumes:
- name: data
{{- if .Values.persistence.data.enabled }}
persistentVolumeClaim:
claimName: {{ .Values.persistence.data.existingClaim | default (printf "%s-data" (include "hemmelig.fullname" .)) }}
{{- else }}
emptyDir: {}
{{- end }}
- name: uploads
{{- if .Values.persistence.uploads.enabled }}
persistentVolumeClaim:
claimName: {{ .Values.persistence.uploads.existingClaim | default (printf "%s-uploads" (include "hemmelig.fullname" .)) }}
{{- else }}
emptyDir: {}
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.affinity }}
affinity:
{{- toYaml . | nindent 8 }}
{{- end }}
{{- with .Values.tolerations }}
tolerations:
{{- toYaml . | nindent 8 }}
{{- end }}
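Review bot: The pod template sets no `securityContext` at either pod or container level, and values.yaml in this commit exposes no key for one, so the container runs with whatever user and privileges the image and the cluster defaults give it. I would add `podSecurityContext` and `securityContext` values and render them with `toYaml` the same way `resources` is rendered, with defaults such as `runAsNonRoot: true`, `allowPrivilegeEscalation: false` and `capabilities: {drop: [ALL]}`; whether the image already runs as a non-root user is not visible here and needs checking first. Separately, values.yaml lists `HEMMELIG_ANALYTICS_HMAC_SECRET` among the keys expected in `existingSecret`, but no `env` entry in this template reads that key, so a value placed there never reaches the container unless the operator adds it through `env`.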


@@ -0,0 +1,41 @@
{{- if .Values.ingress.enabled -}}
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: {{ include "hemmelig.fullname" . }}
labels:
{{- include "hemmelig.labels" . | nindent 4 }}
{{- with .Values.ingress.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if .Values.ingress.className }}
ingressClassName: {{ .Values.ingress.className }}
{{- end }}
{{- if .Values.ingress.tls }}
tls:
{{- range .Values.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .paths }}
- path: {{ .path }}
pathType: {{ .pathType }}
backend:
service:
name: {{ include "hemmelig.fullname" $ }}
port:
number: {{ $.Values.service.port }}
{{- end }}
{{- end }}
{{- end }}


@@ -0,0 +1,35 @@
{{- if and .Values.persistence.data.enabled (not .Values.persistence.data.existingClaim) }}
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ include "hemmelig.fullname" . }}-data
labels:
{{- include "hemmelig.labels" . | nindent 4 }}
spec:
accessModes:
- {{ .Values.persistence.data.accessMode }}
{{- if .Values.persistence.data.storageClass }}
storageClassName: {{ .Values.persistence.data.storageClass }}
{{- end }}
resources:
requests:
storage: {{ .Values.persistence.data.size }}
{{- end }}
---
{{- if and .Values.persistence.uploads.enabled (not .Values.persistence.uploads.existingClaim) }}
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: {{ include "hemmelig.fullname" . }}-uploads
labels:
{{- include "hemmelig.labels" . | nindent 4 }}
spec:
accessModes:
- {{ .Values.persistence.uploads.accessMode }}
{{- if .Values.persistence.uploads.storageClass }}
storageClassName: {{ .Values.persistence.uploads.storageClass }}
{{- end }}
resources:
requests:
storage: {{ .Values.persistence.uploads.size }}
{{- end }}


@@ -0,0 +1,78 @@
{{- if and (or .Values.config.betterAuthSecret (or .Values.oauth.github.enabled (or .Values.oauth.google.enabled (or .Values.oauth.microsoft.enabled (or .Values.oauth.discord.enabled (or .Values.oauth.gitlab.enabled (or .Values.oauth.apple.enabled (or .Values.oauth.twitter.enabled .Values.oauth.generic)))))))) (not .Values.existingSecret) }}
apiVersion: v1
kind: Secret
metadata:
name: {{ include "hemmelig.fullname" . }}
labels:
{{- include "hemmelig.labels" . | nindent 4 }}
type: Opaque
data:
{{- if .Values.config.betterAuthSecret }}
BETTER_AUTH_SECRET: {{ .Values.config.betterAuthSecret | b64enc | quote }}
{{- end }}
{{- if .Values.oauth.github.enabled }}
{{- if .Values.oauth.github.clientId }}
HEMMELIG_AUTH_GITHUB_ID: {{ .Values.oauth.github.clientId | b64enc | quote }}
{{- end }}
{{- if .Values.oauth.github.clientSecret }}
HEMMELIG_AUTH_GITHUB_SECRET: {{ .Values.oauth.github.clientSecret | b64enc | quote }}
{{- end }}
{{- end }}
{{- if .Values.oauth.google.enabled }}
{{- if .Values.oauth.google.clientId }}
HEMMELIG_AUTH_GOOGLE_ID: {{ .Values.oauth.google.clientId | b64enc | quote }}
{{- end }}
{{- if .Values.oauth.google.clientSecret }}
HEMMELIG_AUTH_GOOGLE_SECRET: {{ .Values.oauth.google.clientSecret | b64enc | quote }}
{{- end }}
{{- end }}
{{- if .Values.oauth.microsoft.enabled }}
{{- if .Values.oauth.microsoft.clientId }}
HEMMELIG_AUTH_MICROSOFT_ID: {{ .Values.oauth.microsoft.clientId | b64enc | quote }}
{{- end }}
{{- if .Values.oauth.microsoft.clientSecret }}
HEMMELIG_AUTH_MICROSOFT_SECRET: {{ .Values.oauth.microsoft.clientSecret | b64enc | quote }}
{{- end }}
{{- if .Values.oauth.microsoft.tenantId }}
HEMMELIG_AUTH_MICROSOFT_TENANT_ID: {{ .Values.oauth.microsoft.tenantId | b64enc | quote }}
{{- end }}
{{- end }}
{{- if .Values.oauth.discord.enabled }}
{{- if .Values.oauth.discord.clientId }}
HEMMELIG_AUTH_DISCORD_ID: {{ .Values.oauth.discord.clientId | b64enc | quote }}
{{- end }}
{{- if .Values.oauth.discord.clientSecret }}
HEMMELIG_AUTH_DISCORD_SECRET: {{ .Values.oauth.discord.clientSecret | b64enc | quote }}
{{- end }}
{{- end }}
{{- if .Values.oauth.gitlab.enabled }}
{{- if .Values.oauth.gitlab.clientId }}
HEMMELIG_AUTH_GITLAB_ID: {{ .Values.oauth.gitlab.clientId | b64enc | quote }}
{{- end }}
{{- if .Values.oauth.gitlab.clientSecret }}
HEMMELIG_AUTH_GITLAB_SECRET: {{ .Values.oauth.gitlab.clientSecret | b64enc | quote }}
{{- end }}
{{- if .Values.oauth.gitlab.issuer }}
HEMMELIG_AUTH_GITLAB_ISSUER: {{ .Values.oauth.gitlab.issuer | b64enc | quote }}
{{- end }}
{{- end }}
{{- if .Values.oauth.apple.enabled }}
{{- if .Values.oauth.apple.clientId }}
HEMMELIG_AUTH_APPLE_ID: {{ .Values.oauth.apple.clientId | b64enc | quote }}
{{- end }}
{{- if .Values.oauth.apple.clientSecret }}
HEMMELIG_AUTH_APPLE_SECRET: {{ .Values.oauth.apple.clientSecret | b64enc | quote }}
{{- end }}
{{- end }}
{{- if .Values.oauth.twitter.enabled }}
{{- if .Values.oauth.twitter.clientId }}
HEMMELIG_AUTH_TWITTER_ID: {{ .Values.oauth.twitter.clientId | b64enc | quote }}
{{- end }}
{{- if .Values.oauth.twitter.clientSecret }}
HEMMELIG_AUTH_TWITTER_SECRET: {{ .Values.oauth.twitter.clientSecret | b64enc | quote }}
{{- end }}
{{- end }}
{{- if .Values.oauth.generic }}
HEMMELIG_AUTH_GENERIC_OAUTH: {{ .Values.oauth.generic | b64enc | quote }}
{{- end }}
{{- end }}
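Review bot: Each OAuth key is written only when its `clientId` or `clientSecret` is non-empty, while the Deployment template in this commit references the same keys through non-optional `secretKeyRef` entries whenever `oauth.<provider>.enabled` is true. A provider that is enabled with an empty credential therefore renders cleanly and fails only later, when the container cannot be created because the key is missing from the Secret. Making the value mandatory at render time surfaces the mistake at install, e.g. `HEMMELIG_AUTH_GITHUB_ID: {{ required "oauth.github.clientId is required when oauth.github.enabled is true" .Values.oauth.github.clientId | b64enc | quote }}`. Credentials supplied this way are also kept in the Helm release record and in whatever values file carries them, so the comments in values.yaml could steer production installs toward `existingSecret`.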


@@ -0,0 +1,15 @@
apiVersion: v1
kind: Service
metadata:
name: {{ include "hemmelig.fullname" . }}
labels:
{{- include "hemmelig.labels" . | nindent 4 }}
spec:
type: {{ .Values.service.type }}
ports:
- port: {{ .Values.service.port }}
targetPort: http
protocol: TCP
name: http
selector:
{{- include "hemmelig.selectorLabels" . | nindent 4 }}


@@ -0,0 +1,13 @@
{{- if .Values.serviceAccount.create -}}
apiVersion: v1
kind: ServiceAccount
metadata:
name: {{ include "hemmelig.serviceAccountName" . }}
labels:
{{- include "hemmelig.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }}
annotations:
{{- toYaml . | nindent 4 }}
{{- end }}
automountServiceAccountToken: {{ .Values.serviceAccount.automount }}
{{- end }}
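Review bot: `automountServiceAccountToken` follows `serviceAccount.automount`, which values.yaml in this commit defaults to `true`, so every pod gets a Kubernetes API token mounted. Nothing in the templates shown binds this account to a role or suggests the application calls the Kubernetes API, so I would default it to `false` in values.yaml (`automount: false`) and let operators opt in. When `serviceAccount.create` is false the name helper falls back to the `default` account, whose token mounting this chart does not control; setting `automountServiceAccountToken` on the pod spec as well would cover that case.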

helm/hemmelig/values.yaml Normal file

@@ -0,0 +1,153 @@
# Default values for hemmelig
replicaCount: 1
image:
repository: hemmeligapp/hemmelig
tag: "v7"
pullPolicy: IfNotPresent
imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
# Required configuration
config:
# Generate with: openssl rand -base64 32
betterAuthSecret: ""
# Public URL of your instance (required for OAuth and cookie handling)
betterAuthUrl: ""
# Base URL for OAuth callbacks (required for social login)
baseUrl: ""
# Additional environment variables
env: []
# - name: HEMMELIG_ANALYTICS_ENABLED
# value: "true"
# Use existing secret for sensitive values
existingSecret: ""
# Keys expected in the secret:
# BETTER_AUTH_SECRET
# HEMMELIG_ANALYTICS_HMAC_SECRET (optional)
# HEMMELIG_AUTH_GITHUB_ID, HEMMELIG_AUTH_GITHUB_SECRET (optional)
# HEMMELIG_AUTH_GOOGLE_ID, HEMMELIG_AUTH_GOOGLE_SECRET (optional)
# HEMMELIG_AUTH_MICROSOFT_ID, HEMMELIG_AUTH_MICROSOFT_SECRET, HEMMELIG_AUTH_MICROSOFT_TENANT_ID (optional)
# HEMMELIG_AUTH_DISCORD_ID, HEMMELIG_AUTH_DISCORD_SECRET (optional)
# HEMMELIG_AUTH_GITLAB_ID, HEMMELIG_AUTH_GITLAB_SECRET, HEMMELIG_AUTH_GITLAB_ISSUER (optional)
# HEMMELIG_AUTH_APPLE_ID, HEMMELIG_AUTH_APPLE_SECRET (optional)
# HEMMELIG_AUTH_TWITTER_ID, HEMMELIG_AUTH_TWITTER_SECRET (optional)
# HEMMELIG_AUTH_GENERIC_OAUTH (optional)
# OAuth / Social Login Configuration
oauth:
github:
enabled: false
clientId: ""
clientSecret: ""
google:
enabled: false
clientId: ""
clientSecret: ""
microsoft:
enabled: false
clientId: ""
clientSecret: ""
tenantId: "" # Optional
discord:
enabled: false
clientId: ""
clientSecret: ""
gitlab:
enabled: false
clientId: ""
clientSecret: ""
issuer: "" # Optional, for self-hosted GitLab (e.g., https://gitlab.example.com)
apple:
enabled: false
clientId: ""
clientSecret: ""
twitter:
enabled: false
clientId: ""
clientSecret: ""
generic: ""
# Example: '[{"providerId":"authentik","discoveryUrl":"https://auth.example.com/.well-known/openid-configuration","clientId":"client-id","clientSecret":"secret","scopes":["openid","profile","email"]}]'
serviceAccount:
create: true
automount: true
annotations: {}
name: ""
podAnnotations: {}
podLabels: {}
service:
type: ClusterIP
port: 3000
ingress:
enabled: false
className: ""
annotations: {}
# kubernetes.io/ingress.class: nginx
# cert-manager.io/cluster-issuer: letsencrypt-prod
hosts:
- host: hemmelig.local
paths:
- path: /
pathType: Prefix
tls: []
# - secretName: hemmelig-tls
# hosts:
# - hemmelig.local
resources: {}
# limits:
# cpu: 500m
# memory: 512Mi
# requests:
# cpu: 100m
# memory: 128Mi
# Persistence for SQLite database and uploads
persistence:
data:
enabled: true
size: 1Gi
storageClass: ""
accessMode: ReadWriteOnce
# existingClaim: ""
uploads:
enabled: true
size: 5Gi
storageClass: ""
accessMode: ReadWriteOnce
# existingClaim: ""
livenessProbe:
httpGet:
path: /api/healthz
port: http
initialDelaySeconds: 10
periodSeconds: 30
timeoutSeconds: 10
failureThreshold: 3
readinessProbe:
httpGet:
path: /api/healthz
port: http
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 3
nodeSelector: {}
tolerations: []
affinity: {}