lichen-helm · notplants.bsky.social/lichen-helm@4c93a7a

··· 1 1 + apiVersion: v2 2 2 + name: lichen 3 3 + description: A Helm chart for lichen CMS 4 4 + type: application 5 5 + version: 0.1.0 6 6 + appVersion: "0.1.0"

+119

lichen/README.md

reviewed

··· 1 1 + # Lichen Helm Chart 2 2 + 3 3 + ## Quickstart 4 4 + 5 5 + Prerequisites: a k3s (or k8s) cluster with `helm` installed. 6 6 + 7 7 + ```bash 8 8 + # Install 9 9 + helm install lichen ./charts/lichen \ 10 10 + --set dashboardDomain=lichen.example.com 11 11 + 12 12 + # Get admin password 13 13 + kubectl get secret lichen-admin-password -o jsonpath='{.data.password}' | base64 -d 14 14 + ``` 15 15 + 16 16 + Point your DNS (both `lichen.example.com` and `*.example.com`) to the server. Visit `https://lichen.example.com` and log in with username `admin` and the password above. 17 17 + 18 18 + ## Upgrading 19 19 + 20 20 + ```bash 21 21 + helm upgrade lichen ./charts/lichen \ 22 22 + --set dashboardDomain=lichen.example.com 23 23 + ``` 24 24 + 25 25 + The admin password is preserved across upgrades. 26 26 + 27 27 + ## Configuration 28 28 + 29 29 + ### Dashboard Domain 30 30 + 31 31 + ```bash 32 32 + --set dashboardDomain=lichen.example.com 33 33 + ``` 34 34 + 35 35 + Sets the domain for the management dashboard. Lichen uses this for routing: requests to this domain go to the dashboard, requests to other domains serve sites. 36 36 + 37 37 + ### TLS with Caddy 38 38 + 39 39 + Caddy is enabled by default as a reverse proxy with on-demand TLS. It automatically obtains Let's Encrypt certificates for any domain pointed at the server. No cert-manager or ingress controller needed. 40 40 + 41 41 + ```bash 42 42 + # Disable Caddy (e.g., if using your own ingress controller) 43 43 + --set caddy.enabled=false 44 44 + ``` 45 45 + 46 46 + ### Auth 47 47 + 48 48 + Auth is enabled by default with `file` and `atproto` providers. 49 49 + 50 50 + ```bash 51 51 + # Disable auth 52 52 + --set auth.enabled=false 53 53 + 54 54 + # File auth only 55 55 + --set 'auth.providers={file}' 56 56 + 57 57 + # All providers 58 58 + --set 'auth.providers={file,atproto,oidc}' 59 59 + ``` 60 60 + 61 61 + ### Admin User 62 62 + 63 63 + An admin user is auto-created on first deploy with a random password stored in a Kubernetes Secret. 64 64 + 65 65 + ```bash 66 66 + # Custom username 67 67 + --set auth.adminUser.username=myuser 68 68 + 69 69 + # Specific password instead of random 70 70 + --set auth.adminUser.password=mysecretpassword 71 71 + 72 72 + # Disable auto-creation 73 73 + --set auth.adminUser.enabled=false 74 74 + ``` 75 75 + 76 76 + Retrieve the password: 77 77 + ```bash 78 78 + kubectl get secret lichen-admin-password -o jsonpath='{.data.password}' | base64 -d 79 79 + ``` 80 80 + 81 81 + ### Ingress (alternative to Caddy) 82 82 + 83 83 + If you prefer to use an existing ingress controller instead of Caddy: 84 84 + 85 85 + ```bash 86 86 + helm install lichen ./charts/lichen \ 87 87 + --set ingress.enabled=true \ 88 88 + --set ingress.className=nginx \ 89 89 + --set 'ingress.hosts[0].host=lichen.example.com' \ 90 90 + --set 'ingress.hosts[0].paths[0].path=/' \ 91 91 + --set 'ingress.hosts[0].paths[0].pathType=Prefix' 92 92 + ``` 93 93 + 94 94 + ### Extra Environment Variables 95 95 + 96 96 + Pass additional `LM_` environment variables to the lichen container: 97 97 + 98 98 + ```bash 99 99 + --set env.LM_DEVELOPMENT_MODE=true 100 100 + ``` 101 101 + 102 102 + ### Persistence 103 103 + 104 104 + ```bash 105 105 + --set persistence.size=10Gi 106 106 + --set persistence.storageClass=local-path 107 107 + ``` 108 108 + 109 109 + Data is stored at `/data/lichen` on the PVC. 110 110 + 111 111 + ## Architecture 112 112 + 113 113 + ``` 114 114 + Internet -> Caddy (:443, on-demand TLS) -> lichen Service (:80) -> lichen Pod (:9000) 115 115 + ``` 116 116 + 117 117 + - **Caddy** runs with `hostNetwork` on ports 80/443 and auto-issues TLS certs via Let's Encrypt for any domain 118 118 + - **lichen** runs in multi-site mode with persistent storage and auth 119 119 + - **Init container** writes `lichen.toml` config and creates the admin user on first deploy

+12

lichen/files/Caddyfile

reviewed

··· 1 1 + { 2 2 + on_demand_tls { 3 3 + ask http://{{ .askUpstream }}/tls-check 4 4 + } 5 5 + } 6 6 + 7 7 + :443 { 8 8 + tls { 9 9 + on_demand 10 10 + } 11 11 + reverse_proxy {{ .upstream }} 12 12 + }

+24

lichen/templates/NOTES.txt

reviewed

··· 1 1 + lichen has been deployed in {{ .Values.mode }} mode. 2 2 + 3 3 + {{- if .Values.ingress.enabled }} 4 4 + 5 5 + Access your instance at: 6 6 + {{- range .Values.ingress.hosts }} 7 7 + http{{ if $.Values.ingress.tls }}s{{ end }}://{{ .host }} 8 8 + {{- end }} 9 9 + 10 10 + {{- else }} 11 11 + 12 12 + Get the application URL by running: 13 13 + kubectl port-forward svc/{{ include "lichen.fullname" . }} 9000:{{ .Values.service.port }} 14 14 + 15 15 + Then open http://localhost:9000 16 16 + {{- end }} 17 17 + 18 18 + {{- if .Values.auth.adminUser.enabled }} 19 19 + 20 20 + Admin credentials: 21 21 + Username: {{ .Values.auth.adminUser.username }} 22 22 + Password: kubectl get secret {{ include "lichen.fullname" . }}-admin-password \ 23 23 + -n {{ .Release.Namespace }} -o jsonpath='{.data.password}' | base64 -d 24 24 + {{- end }}

+40

lichen/templates/_helpers.tpl

reviewed

··· 1 1 + {{/* 2 2 + Chart name, truncated to 63 chars. 3 3 + */}} 4 4 + {{- define "lichen.name" -}} 5 5 + {{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} 6 6 + {{- end }} 7 7 + 8 8 + {{/* 9 9 + Fully qualified app name, truncated to 63 chars. 10 10 + */}} 11 11 + {{- define "lichen.fullname" -}} 12 12 + {{- if .Values.fullnameOverride }} 13 13 + {{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} 14 14 + {{- else }} 15 15 + {{- $name := default .Chart.Name .Values.nameOverride }} 16 16 + {{- if contains $name .Release.Name }} 17 17 + {{- .Release.Name | trunc 63 | trimSuffix "-" }} 18 18 + {{- else }} 19 19 + {{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} 20 20 + {{- end }} 21 21 + {{- end }} 22 22 + {{- end }} 23 23 + 24 24 + {{/* 25 25 + Common labels. 26 26 + */}} 27 27 + {{- define "lichen.labels" -}} 28 28 + helm.sh/chart: {{ printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} 29 29 + {{ include "lichen.selectorLabels" . }} 30 30 + app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} 31 31 + app.kubernetes.io/managed-by: {{ .Release.Service }} 32 32 + {{- end }} 33 33 + 34 34 + {{/* 35 35 + Selector labels. 36 36 + */}} 37 37 + {{- define "lichen.selectorLabels" -}} 38 38 + app.kubernetes.io/name: {{ include "lichen.name" . }} 39 39 + app.kubernetes.io/instance: {{ .Release.Name }} 40 40 + {{- end }}

+23

lichen/templates/backup-configmap.yaml

reviewed

··· 1 1 + {{- if .Values.backup.enabled }} 2 2 + apiVersion: v1 3 3 + kind: ConfigMap 4 4 + metadata: 5 5 + name: {{ include "lichen.fullname" . }}-backup 6 6 + labels: 7 7 + {{- include "lichen.labels" . | nindent 4 }} 8 8 + data: 9 9 + config.yaml: | 10 10 + source_directories: 11 11 + - /source 12 12 + repositories: 13 13 + - path: {{ .Values.backup.repo }} 14 14 + archive_name_format: "{hostname}-{now:%Y-%m-%dT%H:%M:%S}" 15 15 + compression: {{ .Values.backup.compression }} 16 16 + retention: 17 17 + keep_daily: {{ .Values.backup.keepDaily }} 18 18 + keep_weekly: {{ .Values.backup.keepWeekly }} 19 19 + keep_monthly: {{ .Values.backup.keepMonthly }} 20 20 + {{- if .Values.backup.sshKeySecret }} 21 21 + ssh_command: "ssh -o StrictHostKeyChecking=accept-new -i /root/.ssh/id_ed25519" 22 22 + {{- end }} 23 23 + {{- end }}

+95

lichen/templates/backup-cronjob.yaml

reviewed

··· 1 1 + {{- if .Values.backup.enabled }} 2 2 + {{- $localRepo := hasPrefix "/" .Values.backup.repo }} 3 3 + apiVersion: batch/v1 4 4 + kind: CronJob 5 5 + metadata: 6 6 + name: {{ include "lichen.fullname" . }}-backup 7 7 + labels: 8 8 + {{- include "lichen.labels" . | nindent 4 }} 9 9 + spec: 10 10 + schedule: {{ .Values.backup.schedule | quote }} 11 11 + concurrencyPolicy: Forbid 12 12 + jobTemplate: 13 13 + spec: 14 14 + template: 15 15 + spec: 16 16 + restartPolicy: OnFailure 17 17 + initContainers: 18 18 + - name: init-repo 19 19 + image: "{{ .Values.backup.image.repository }}:{{ .Values.backup.image.tag }}" 20 20 + command: ["sh", "-c"] 21 21 + args: 22 22 + - | 23 23 + # initialize borg repo if it doesn't exist yet 24 24 + if [ ! -f "{{ .Values.backup.repo }}/README" ]; then 25 25 + borgmatic init --encryption repokey-blake2 26 26 + else 27 27 + echo "borg repo already initialized" 28 28 + fi 29 29 + {{- if .Values.backup.borgPassphraseSecret }} 30 30 + env: 31 31 + - name: BORG_PASSPHRASE 32 32 + valueFrom: 33 33 + secretKeyRef: 34 34 + name: {{ .Values.backup.borgPassphraseSecret }} 35 35 + key: passphrase 36 36 + {{- end }} 37 37 + volumeMounts: 38 38 + - name: borgmatic-config 39 39 + mountPath: /etc/borgmatic 40 40 + {{- if $localRepo }} 41 41 + - name: backup-repo 42 42 + mountPath: /repo 43 43 + {{- end }} 44 44 + {{- if .Values.backup.sshKeySecret }} 45 45 + - name: ssh-key 46 46 + mountPath: /root/.ssh 47 47 + {{- end }} 48 48 + containers: 49 49 + - name: borgmatic 50 50 + image: "{{ .Values.backup.image.repository }}:{{ .Values.backup.image.tag }}" 51 51 + command: ["borgmatic", "--verbosity", "1", "--stats"] 52 52 + {{- if .Values.backup.borgPassphraseSecret }} 53 53 + env: 54 54 + - name: BORG_PASSPHRASE 55 55 + valueFrom: 56 56 + secretKeyRef: 57 57 + name: {{ .Values.backup.borgPassphraseSecret }} 58 58 + key: passphrase 59 59 + {{- end }} 60 60 + volumeMounts: 61 61 + - name: borgmatic-config 62 62 + mountPath: /etc/borgmatic 63 63 + - name: source-data 64 64 + mountPath: /source 65 65 + readOnly: true 66 66 + {{- if $localRepo }} 67 67 + - name: backup-repo 68 68 + mountPath: /repo 69 69 + {{- end }} 70 70 + {{- if .Values.backup.sshKeySecret }} 71 71 + - name: ssh-key 72 72 + mountPath: /root/.ssh 73 73 + {{- end }} 74 74 + volumes: 75 75 + - name: borgmatic-config 76 76 + configMap: 77 77 + name: {{ include "lichen.fullname" . }}-backup 78 78 + - name: source-data 79 79 + persistentVolumeClaim: 80 80 + claimName: {{ include "lichen.fullname" . }} 81 81 + {{- if $localRepo }} 82 82 + - name: backup-repo 83 83 + persistentVolumeClaim: 84 84 + claimName: {{ include "lichen.fullname" . }}-backup 85 85 + {{- end }} 86 86 + {{- if .Values.backup.sshKeySecret }} 87 87 + - name: ssh-key 88 88 + secret: 89 89 + secretName: {{ .Values.backup.sshKeySecret }} 90 90 + defaultMode: 0600 91 91 + items: 92 92 + - key: ssh-key 93 93 + path: id_ed25519 94 94 + {{- end }} 95 95 + {{- end }}

+14

lichen/templates/backup-pvc.yaml

reviewed

··· 1 1 + {{- if and .Values.backup.enabled (hasPrefix "/" .Values.backup.repo) }} 2 2 + apiVersion: v1 3 3 + kind: PersistentVolumeClaim 4 4 + metadata: 5 5 + name: {{ include "lichen.fullname" . }}-backup 6 6 + labels: 7 7 + {{- include "lichen.labels" . | nindent 4 }} 8 8 + spec: 9 9 + accessModes: 10 10 + - ReadWriteOnce 11 11 + resources: 12 12 + requests: 13 13 + storage: {{ .Values.backup.localRepoSize }} 14 14 + {{- end }}

+13

lichen/templates/caddy-configmap.yaml

reviewed

··· 1 1 + {{- if .Values.caddy.enabled }} 2 2 + {{- $upstream := printf "%s:%v" (include "lichen.fullname" .) .Values.service.port }} 3 3 + {{- $askUpstream := printf "%s.%s.svc.cluster.local:%v" (include "lichen.fullname" .) .Release.Namespace .Values.service.port }} 4 4 + apiVersion: v1 5 5 + kind: ConfigMap 6 6 + metadata: 7 7 + name: {{ include "lichen.fullname" . }}-caddy 8 8 + labels: 9 9 + {{- include "lichen.labels" . | nindent 4 }} 10 10 + data: 11 11 + Caddyfile: | 12 12 + {{- tpl (.Files.Get "files/Caddyfile") (dict "upstream" $upstream "askUpstream" $askUpstream) | nindent 4 }} 13 13 + {{- end }}

+50

lichen/templates/caddy-deployment.yaml

reviewed

··· 1 1 + {{- if .Values.caddy.enabled }} 2 2 + apiVersion: apps/v1 3 3 + kind: Deployment 4 4 + metadata: 5 5 + name: {{ include "lichen.fullname" . }}-caddy 6 6 + labels: 7 7 + {{- include "lichen.labels" . | nindent 4 }} 8 8 + app.kubernetes.io/component: caddy 9 9 + spec: 10 10 + replicas: 1 11 11 + strategy: 12 12 + type: Recreate 13 13 + selector: 14 14 + matchLabels: 15 15 + {{- include "lichen.selectorLabels" . | nindent 6 }} 16 16 + app.kubernetes.io/component: caddy 17 17 + template: 18 18 + metadata: 19 19 + annotations: 20 20 + checksum/caddyfile: {{ include (print $.Template.BasePath "/caddy-configmap.yaml") . | sha256sum }} 21 21 + labels: 22 22 + {{- include "lichen.selectorLabels" . | nindent 8 }} 23 23 + app.kubernetes.io/component: caddy 24 24 + spec: 25 25 + hostNetwork: true 26 26 + dnsPolicy: ClusterFirstWithHostNet 27 27 + containers: 28 28 + - name: caddy 29 29 + image: caddy:2-alpine 30 30 + command: ["caddy", "run", "--config", "/etc/caddy/Caddyfile", "--adapter", "caddyfile"] 31 31 + ports: 32 32 + - name: http 33 33 + containerPort: 80 34 34 + protocol: TCP 35 35 + - name: https 36 36 + containerPort: 443 37 37 + protocol: TCP 38 38 + volumeMounts: 39 39 + - name: config 40 40 + mountPath: /etc/caddy 41 41 + - name: data 42 42 + mountPath: /data 43 43 + volumes: 44 44 + - name: config 45 45 + configMap: 46 46 + name: {{ include "lichen.fullname" . }}-caddy 47 47 + - name: data 48 48 + persistentVolumeClaim: 49 49 + claimName: {{ include "lichen.fullname" . }}-caddy 50 50 + {{- end }}

+15

lichen/templates/caddy-pvc.yaml

reviewed

··· 1 1 + {{- if .Values.caddy.enabled }} 2 2 + apiVersion: v1 3 3 + kind: PersistentVolumeClaim 4 4 + metadata: 5 5 + name: {{ include "lichen.fullname" . }}-caddy 6 6 + labels: 7 7 + {{- include "lichen.labels" . | nindent 4 }} 8 8 + app.kubernetes.io/component: caddy 9 9 + spec: 10 10 + accessModes: 11 11 + - ReadWriteOnce 12 12 + resources: 13 13 + requests: 14 14 + storage: 256Mi 15 15 + {{- end }}

+118

lichen/templates/deployment.yaml

reviewed

··· 1 1 + apiVersion: apps/v1 2 2 + kind: Deployment 3 3 + metadata: 4 4 + name: {{ include "lichen.fullname" . }} 5 5 + labels: 6 6 + {{- include "lichen.labels" . | nindent 4 }} 7 7 + spec: 8 8 + replicas: {{ .Values.replicaCount }} 9 9 + selector: 10 10 + matchLabels: 11 11 + {{- include "lichen.selectorLabels" . | nindent 6 }} 12 12 + template: 13 13 + metadata: 14 14 + labels: 15 15 + {{- include "lichen.selectorLabels" . | nindent 8 }} 16 16 + spec: 17 17 + initContainers: 18 18 + - name: init-config 19 19 + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" 20 20 + imagePullPolicy: {{ .Values.image.pullPolicy }} 21 21 + command: 22 22 + - /bin/sh 23 23 + - -c 24 24 + - | 25 25 + set -e 26 26 + ROOT_DIR="/data/lichen" 27 27 + mkdir -p "$ROOT_DIR" 28 28 + 29 29 + # Write lichen.toml (helm values are source of truth) 30 30 + cat > "$ROOT_DIR/lichen.toml" <<'TOML' 31 31 + use_auth = {{ .Values.auth.enabled }} 32 32 + auth_providers = [{{ range $i, $p := .Values.auth.providers }}{{ if $i }}, {{ end }}"{{ $p }}"{{ end }}] 33 33 + {{- if .Values.dashboardDomain }} 34 34 + dashboard_domain = "{{ .Values.dashboardDomain }}" 35 35 + public_url = "https://{{ .Values.dashboardDomain }}" 36 36 + {{- end }} 37 37 + TOML 38 38 + 39 39 + {{- if .Values.auth.adminUser.enabled }} 40 40 + # Create admin user if not exists 41 41 + USER_FILE="$ROOT_DIR/users/{{ .Values.auth.adminUser.username }}.toml" 42 42 + if [ -f "$USER_FILE" ]; then 43 43 + echo "User '{{ .Values.auth.adminUser.username }}' already exists, skipping." 44 44 + else 45 45 + echo "Creating admin user '{{ .Values.auth.adminUser.username }}'..." 46 46 + lichen-server --multi --root-dir "$ROOT_DIR" user add \ 47 47 + "{{ .Values.auth.adminUser.username }}" \ 48 48 + --password "$ADMIN_PASSWORD" 49 49 + fi 50 50 + {{- end }} 51 51 + {{- if .Values.auth.adminUser.enabled }} 52 52 + env: 53 53 + - name: ADMIN_PASSWORD 54 54 + valueFrom: 55 55 + secretKeyRef: 56 56 + name: {{ include "lichen.fullname" . }}-admin-password 57 57 + key: password 58 58 + {{- end }} 59 59 + volumeMounts: 60 60 + - name: data 61 61 + mountPath: /data 62 62 + containers: 63 63 + - name: {{ .Chart.Name }} 64 64 + image: "{{ .Values.image.repository }}:{{ .Values.image.tag }}" 65 65 + imagePullPolicy: {{ .Values.image.pullPolicy }} 66 66 + {{- if eq .Values.mode "multi" }} 67 67 + command: ["/bin/sh", "-c", "apk add --no-cache bubblewrap && exec lichen-server --multi --root-dir /data/lichen serve"] 68 68 + {{- else }} 69 69 + command: ["/bin/sh", "-c", "apk add --no-cache bubblewrap && exec lichen-server --site /data/lichen/site serve"] 70 70 + {{- end }} 71 71 + ports: 72 72 + - name: http 73 73 + containerPort: 9000 74 74 + protocol: TCP 75 75 + livenessProbe: 76 76 + tcpSocket: 77 77 + port: http 78 78 + initialDelaySeconds: 5 79 79 + periodSeconds: 10 80 80 + readinessProbe: 81 81 + tcpSocket: 82 82 + port: http 83 83 + initialDelaySeconds: 3 84 84 + periodSeconds: 5 85 85 + {{- if .Values.env }} 86 86 + env: 87 87 + {{- range $key, $value := .Values.env }} 88 88 + - name: {{ $key }} 89 89 + value: {{ $value | quote }} 90 90 + {{- end }} 91 91 + {{- end }} 92 92 + volumeMounts: 93 93 + - name: data 94 94 + mountPath: /data 95 95 + {{- with .Values.resources }} 96 96 + resources: 97 97 + {{- toYaml . | nindent 12 }} 98 98 + {{- end }} 99 99 + volumes: 100 100 + - name: data 101 101 + {{- if .Values.persistence.enabled }} 102 102 + persistentVolumeClaim: 103 103 + claimName: {{ include "lichen.fullname" . }} 104 104 + {{- else }} 105 105 + emptyDir: {} 106 106 + {{- end }} 107 107 + {{- with .Values.nodeSelector }} 108 108 + nodeSelector: 109 109 + {{- toYaml . | nindent 8 }} 110 110 + {{- end }} 111 111 + {{- with .Values.tolerations }} 112 112 + tolerations: 113 113 + {{- toYaml . | nindent 8 }} 114 114 + {{- end }} 115 115 + {{- with .Values.affinity }} 116 116 + affinity: 117 117 + {{- toYaml . | nindent 8 }} 118 118 + {{- end }}

+41

lichen/templates/ingress.yaml

reviewed

··· 1 1 + {{- if .Values.ingress.enabled -}} 2 2 + apiVersion: networking.k8s.io/v1 3 3 + kind: Ingress 4 4 + metadata: 5 5 + name: {{ include "lichen.fullname" . }} 6 6 + labels: 7 7 + {{- include "lichen.labels" . | nindent 4 }} 8 8 + {{- with .Values.ingress.annotations }} 9 9 + annotations: 10 10 + {{- toYaml . | nindent 4 }} 11 11 + {{- end }} 12 12 + spec: 13 13 + {{- if .Values.ingress.className }} 14 14 + ingressClassName: {{ .Values.ingress.className }} 15 15 + {{- end }} 16 16 + {{- if .Values.ingress.tls }} 17 17 + tls: 18 18 + {{- range .Values.ingress.tls }} 19 19 + - secretName: {{ .secretName }} 20 20 + hosts: 21 21 + {{- range .hosts }} 22 22 + - {{ . | quote }} 23 23 + {{- end }} 24 24 + {{- end }} 25 25 + {{- end }} 26 26 + rules: 27 27 + {{- range .Values.ingress.hosts }} 28 28 + - host: {{ .host | quote }} 29 29 + http: 30 30 + paths: 31 31 + {{- range .paths }} 32 32 + - path: {{ .path }} 33 33 + pathType: {{ .pathType }} 34 34 + backend: 35 35 + service: 36 36 + name: {{ include "lichen.fullname" $ }} 37 37 + port: 38 38 + name: http 39 39 + {{- end }} 40 40 + {{- end }} 41 41 + {{- end }}

+19

lichen/templates/pvc.yaml

reviewed

··· 1 1 + {{- if .Values.persistence.enabled -}} 2 2 + apiVersion: v1 3 3 + kind: PersistentVolumeClaim 4 4 + metadata: 5 5 + name: {{ include "lichen.fullname" . }} 6 6 + labels: 7 7 + {{- include "lichen.labels" . | nindent 4 }} 8 8 + spec: 9 9 + accessModes: 10 10 + {{- range .Values.persistence.accessModes }} 11 11 + - {{ . }} 12 12 + {{- end }} 13 13 + {{- if .Values.persistence.storageClass }} 14 14 + storageClassName: {{ .Values.persistence.storageClass | quote }} 15 15 + {{- end }} 16 16 + resources: 17 17 + requests: 18 18 + storage: {{ .Values.persistence.size }} 19 19 + {{- end }}

+24

lichen/templates/secret-admin.yaml

reviewed

··· 1 1 + {{- if .Values.auth.adminUser.enabled }} 2 2 + {{- $secretName := printf "%s-admin-password" (include "lichen.fullname" .) }} 3 3 + {{- $existingSecret := lookup "v1" "Secret" .Release.Namespace $secretName }} 4 4 + {{- $password := "" }} 5 5 + {{- if $existingSecret }} 6 6 + {{- $password = index $existingSecret.data "password" | b64dec }} 7 7 + {{- else if .Values.auth.adminUser.password }} 8 8 + {{- $password = .Values.auth.adminUser.password }} 9 9 + {{- else }} 10 10 + {{- $password = randAlphaNum 24 }} 11 11 + {{- end }} 12 12 + apiVersion: v1 13 13 + kind: Secret 14 14 + metadata: 15 15 + name: {{ $secretName }} 16 16 + labels: 17 17 + {{- include "lichen.labels" . | nindent 4 }} 18 18 + annotations: 19 19 + helm.sh/resource-policy: keep 20 20 + type: Opaque 21 21 + data: 22 22 + password: {{ $password | b64enc | quote }} 23 23 + username: {{ .Values.auth.adminUser.username | b64enc | quote }} 24 24 + {{- end }}

+15

lichen/templates/service.yaml

reviewed

··· 1 1 + apiVersion: v1 2 2 + kind: Service 3 3 + metadata: 4 4 + name: {{ include "lichen.fullname" . }} 5 5 + labels: 6 6 + {{- include "lichen.labels" . | nindent 4 }} 7 7 + spec: 8 8 + type: {{ .Values.service.type }} 9 9 + ports: 10 10 + - port: {{ .Values.service.port }} 11 11 + targetPort: http 12 12 + protocol: TCP 13 13 + name: http 14 14 + selector: 15 15 + {{- include "lichen.selectorLabels" . | nindent 4 }}

+80

lichen/values.yaml

reviewed

··· 1 1 + image: 2 2 + repository: notplants/lichen-full 3 3 + tag: latest 4 4 + pullPolicy: IfNotPresent 5 5 + 6 6 + # "multi" or "single" 7 7 + mode: multi 8 8 + 9 9 + replicaCount: 1 10 10 + 11 11 + persistence: 12 12 + enabled: true 13 13 + size: 5Gi 14 14 + storageClass: "" 15 15 + accessModes: 16 16 + - ReadWriteOnce 17 17 + 18 18 + service: 19 19 + type: ClusterIP 20 20 + port: 80 21 21 + 22 22 + ingress: 23 23 + enabled: false 24 24 + className: "" 25 25 + annotations: {} 26 26 + # hosts: 27 27 + # - host: lichen.example.com 28 28 + # paths: 29 29 + # - path: / 30 30 + # pathType: Prefix 31 31 + # tls: 32 32 + # - secretName: lichen-tls 33 33 + # hosts: 34 34 + # - lichen.example.com 35 35 + hosts: [] 36 36 + tls: [] 37 37 + 38 38 + # Domain configuration 39 39 + # dashboardDomain: the domain serving the management dashboard 40 40 + dashboardDomain: "" 41 41 + # Caddy reverse proxy with on-demand TLS (auto certs for any domain) 42 42 + caddy: 43 43 + enabled: true 44 44 + 45 45 + auth: 46 46 + enabled: true 47 47 + providers: 48 48 + - file 49 49 + - atproto 50 50 + adminUser: 51 51 + enabled: true 52 52 + username: "admin" 53 53 + # If set, use this password instead of generating a random one 54 54 + # password: "" 55 55 + 56 56 + # Additional LM_ environment variables passed to the container 57 57 + env: {} 58 58 + 59 59 + # Borg backup via borgmatic CronJob 60 60 + backup: 61 61 + enabled: false 62 62 + schedule: "0 3 * * *" # nightly at 3am 63 63 + repo: "" # borg repo path (local: /repo) or ssh:// URL 64 64 + sshKeySecret: "" # name of existing Secret with key "ssh-key" (for remote repos) 65 65 + borgPassphraseSecret: "" # name of existing Secret with key "passphrase" 66 66 + compression: "zstd,3" 67 67 + keepDaily: 7 68 68 + keepWeekly: 4 69 69 + keepMonthly: 6 70 70 + # PVC for local borg repo (only used when repo starts with /) 71 71 + localRepoSize: 10Gi 72 72 + image: 73 73 + repository: ghcr.io/borgmatic-collective/borgmatic 74 74 + tag: "1.9.13" 75 75 + 76 76 + resources: {} 77 77 + 78 78 + nodeSelector: {} 79 79 + tolerations: [] 80 80 + affinity: {}