From 3a57ef6953e85b07e978a7e1001aa8fd1db4bf98 Mon Sep 17 00:00:00 2001
From: Lumpiasty
Date: Mon, 3 Nov 2025 00:41:07 +0100
Subject: [PATCH] add nas deployment
---
 apps/kustomization.yaml | 1 +
 apps/nas/configmap.yaml | 14 ++++++
 apps/nas/deployment.yaml | 94 +++++++++++++++++++++++++++++++++++++
 apps/nas/kustomization.yaml | 9 ++++
 apps/nas/namespace.yaml | 4 ++
 apps/nas/pvc.yaml | 12 +++++
 apps/nas/secret.yaml | 9 ++++
 apps/nas/service.yaml | 15 ++++++
 8 files changed, 158 insertions(+)
 create mode 100644 apps/nas/configmap.yaml
 create mode 100644 apps/nas/deployment.yaml
 create mode 100644 apps/nas/kustomization.yaml
 create mode 100644 apps/nas/namespace.yaml
 create mode 100644 apps/nas/pvc.yaml
 create mode 100644 apps/nas/secret.yaml
 create mode 100644 apps/nas/service.yaml
diff --git a/apps/kustomization.yaml b/apps/kustomization.yaml
index 086cd1e..ccf748f 100644
--- a/apps/kustomization.yaml
+++ b/apps/kustomization.yaml
@@ -8,4 +8,5 @@ resources:
 - frigate
 - llama
 - immich
+ - nas
 - searxng
diff --git a/apps/nas/configmap.yaml b/apps/nas/configmap.yaml
new file mode 100644
index 0000000..d84e252
--- /dev/null
+++ b/apps/nas/configmap.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: nas-sshd-config
+ namespace: nas
+data:
+ 00-chroot.conf: |
+ Subsystem sftp internal-sftp
+ Match User nas
+ ChrootDirectory /config
+ ForceCommand internal-sftp -d /data
+ AllowTcpForwarding no
+ X11Forwarding no
+ PermitTunnel no
diff --git a/apps/nas/deployment.yaml b/apps/nas/deployment.yaml
new file mode 100644
index 0000000..be18321
--- /dev/null
+++ b/apps/nas/deployment.yaml
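Review bot: `ChrootDirectory /config` makes the entire config volume — including `sshd/sshd_config.d` and the `ssh_host_keys` directory — the root of the `nas` user's SFTP view rather than a dedicated directory, so the user can list sshd's own files even though the host keys themselves are kept at mode 600 by the init container in deployment.yaml; a dedicated root-owned chroot such as `/config/chroot` with the writable `data` directory beneath it would keep sshd's files out of reach. Because `Match User nas` ends the global section, whether this fragment works depends on where the image's base sshd_config includes `sshd_config.d/*.conf`: an Include near the top (as in Alpine's stock config) would pull the remaining global directives into the Match block and duplicate the base `Subsystem sftp` line, both of which sshd rejects at startup, so it is worth confirming from the container log that sshd actually starts with this file in place. The Match block could also carry `PermitTTY no` and `AllowAgentForwarding no` to complete the SFTP-only lockdown.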
@@ -0,0 +1,94 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: nas-ssh
+ namespace: nas
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: nas-ssh
+ template:
+ metadata:
+ labels:
+ app: nas-ssh
+ spec:
+ securityContext:
+ fsGroup: 1000
+ initContainers:
+ - name: prepare-config
+ image: alpine:3.20.3
+ imagePullPolicy: IfNotPresent
+ command:
+ - /bin/sh
+ - -c
+ - |
+ set -euo pipefail
+ chown root:root /config
+ chmod 755 /config
+ mkdir -p /config/data
+ chown 1000:1000 /config/data
+ chmod 750 /config/data
+ mkdir -p /config/ssh_host_keys
+ chown root:root /config/ssh_host_keys
+ chmod 700 /config/ssh_host_keys
+ for key in /config/ssh_host_keys/*; do
+ [ -f "$key" ] || continue
+ chown root:root "$key"
+ chmod 600 "$key"
+ done
+ mkdir -p /config/sshd/sshd_config.d
+ cp /defaults/00-chroot.conf /config/sshd/sshd_config.d/00-chroot.conf
+ chown root:root /config/sshd/sshd_config.d/00-chroot.conf
+ chmod 644 /config/sshd/sshd_config.d/00-chroot.conf
+ volumeMounts:
+ - name: data
+ mountPath: /config
+ - name: sshd-config
+ mountPath: /defaults/00-chroot.conf
+ subPath: 00-chroot.conf
+ readOnly: true
+ containers:
+ - name: ssh
+ image: lscr.io/linuxserver/openssh-server:version-10.0_p1-r9
+ imagePullPolicy: IfNotPresent
+ env:
+ - name: PUID
+ value: "1000"
+ - name: PGID
+ value: "1000"
+ - name: TZ
+ value: Etc/UTC
+ - name: USER_NAME
+ value: nas
+ - name: SUDO_ACCESS
+ value: "false"
+ - name: PASSWORD_ACCESS
+ value: "false"
+ - name: LOG_STDOUT
+ value: "true"
+ - name: PUBLIC_KEY
+ valueFrom:
+ secretKeyRef:
+ name: nas-ssh-authorized-keys
+ key: public_key
+ ports:
+ - containerPort: 2222
+ name: ssh
+ protocol: TCP
+ volumeMounts:
+ - name: data
+ mountPath: /config
+ resources:
+ requests:
+ cpu: 50m
+ memory: 128Mi
+ limits:
+ memory: 512Mi
+ volumes:
+ - name: data
+ persistentVolumeClaim:
+ claimName: nas-data
+ - name: sshd-config
+ configMap:
+ name: nas-sshd-config
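Review bot: The pod template never sets `automountServiceAccountToken: false`, so the network-facing sshd pod starts with a projected service-account token under `/var/run/secrets/kubernetes.io/serviceaccount` that nothing in this manifest needs; one line under the template `spec` removes that exposure. The `ssh` container has no readiness probe, so the `nas-ssh` LoadBalancer can forward connections before sshd is listening on 2222; a `tcpSocket` probe on the named `ssh` port closes that window. The `prepare-config` init container relies on the alpine image's implicit root user for its `chown`/`chmod` calls — making that explicit with `runAsUser: 0` and a capability drop-list keeping only `CHOWN` and `FOWNER` (plus `DAC_OVERRIDE` if the volume's existing modes turn out to require it) documents and bounds what the script needs. These additions together are shown below; the `strategy` question raised on the PVC hunk is separate.
```yaml
  template:
    # … unchanged: metadata …
    spec:
      automountServiceAccountToken: false
      securityContext:
        fsGroup: 1000
      initContainers:
        - name: prepare-config
          securityContext:
            runAsUser: 0
            capabilities:
              drop: ["ALL"]
              add: ["CHOWN", "FOWNER", "DAC_OVERRIDE"]
          # … unchanged: image, imagePullPolicy, command, volumeMounts …
      containers:
        - name: ssh
          # … unchanged: image, env, ports, volumeMounts, resources …
          readinessProbe:
            tcpSocket:
              port: ssh
            periodSeconds: 10
      # … unchanged: volumes …
```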
diff --git a/apps/nas/kustomization.yaml b/apps/nas/kustomization.yaml
new file mode 100644
index 0000000..52af263
--- /dev/null
+++ b/apps/nas/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - namespace.yaml
+ - secret.yaml
+ - configmap.yaml
+ - pvc.yaml
+ - deployment.yaml
+ - service.yaml
diff --git a/apps/nas/namespace.yaml b/apps/nas/namespace.yaml
new file mode 100644
index 0000000..d058aa9
--- /dev/null
+++ b/apps/nas/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: nas
diff --git a/apps/nas/pvc.yaml b/apps/nas/pvc.yaml
new file mode 100644
index 0000000..99d6426
--- /dev/null
+++ b/apps/nas/pvc.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: nas-data
+ namespace: nas
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 500Gi
+ storageClassName: mayastor-single-hdd
diff --git a/apps/nas/secret.yaml b/apps/nas/secret.yaml
new file mode 100644
index 0000000..baa144a
--- /dev/null
+++ b/apps/nas/secret.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: nas-ssh-authorized-keys
+ namespace: nas
+type: Opaque
+stringData:
+ public_key: |
+ ssh-rsa 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 cardno:23_671_999
diff --git a/apps/nas/service.yaml b/apps/nas/service.yaml
new file mode 100644
index 0000000..f749986
--- /dev/null
+++ b/apps/nas/service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: nas-ssh
+ namespace: nas
+spec:
+ type: LoadBalancer
+ externalTrafficPolicy: Cluster
+ ports:
+ - name: ssh
+ port: 22
+ targetPort: 2222
+ protocol: TCP
+ selector:
+ app: nas-ssh
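Review bot: `ReadWriteOnce` on `nas-data` combined with the `nas-ssh` Deployment's default RollingUpdate strategy (the Deployment is in a separate hunk and sets only `replicas: 1`) can leave a rollout stuck: the replacement pod is created while the old one still holds the volume, and if it lands on another node it can never attach. Since a single-writer volume only ever serves one pod, `strategy: {type: Recreate}` on the Deployment makes the old pod release the claim before the new one starts. It is also worth noting in a comment on the claim that `500Gi` on `mayastor-single-hdd` is not resizable by every storage class, so the size should be chosen deliberately rather than grown later.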
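Review bot: `externalTrafficPolicy: Cluster` SNATs connections before they reach the pod, so sshd's authentication log lines (the container sets `LOG_STDOUT` to `"true"`) record a node address instead of the real client, which blinds any brute-force detection or blocking built on those logs; `externalTrafficPolicy: Local` preserves the client source IP, at the cost that only the node running the single replica accepts traffic. Exposing port 22 through a LoadBalancer with no `loadBalancerSourceRanges` opens sshd to every address the load balancer can be reached from; if the expected clients come from known ranges, listing them there narrows the exposure before key-only authentication is even reached.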