Skip to content

mbugeia/privyplace

Repository files navigation

PrivyPlace

Disclaimer: still in development, use at your own risk

PrivyPlace is a opiniated personal cloud distribution based on a selection of open source software and deployed on a single node Kubernetes cluster.

It makes use of several open-source software, mainly:

Additionnaly to the infrastucture, several apps are available to install on the cluster, for now:

  • An application portal, based on Homer
  • FreshRSS a great RSS aggregator
  • Searx an internet metasearch engine
  • srt2hls an audio HLS streaming server
  • Droppy a file storage server with a web interface
  • The Lounge a web IRC client
  • mStream a music streaming server
  • Shiori a simple bookmark manager
  • Adminer for database management

Alt text

Security considerations

PrivyPlace assumes, for now, a single tenant cluster where everyone connected is an administrator.

SSO and ingress protection

By default, once the first run setup done (see below), all applications will be secured by proper default values and a Single Sign-On solution. For now, it use the external auth ingress functionality coupled to Organizr.

All apps that support reverse proxy header authentification can make use of it to manage user. This is the case for Grafana where the x-organizr-user header is used to pass the Organizr user to Grafana.

The authentification can be disabled on specific ingress like in the stream app by using the annotation nginx.ingress.kubernetes.io/enable-global-auth: "false".

Usage

Requirements

local machine

pip3 install ansible PyYAML openshift
git clone https://github.com/mbugeia/privyplace
cd privyplace

remote server

  • Debian 10 (untested on other)
  • root ssh access
  • Firewall rules to allow ports 80 and 443 from internet
  • A domain with DNS configured to point to your server, for example
yourdomain.tld. 300 IN A yourserveripv4
*.yourdomain.tld. 300 IN A yourserveripv4

Configure

Configure ansible inventory

cp inventory.yml.example inventory.yml

Then edit inventory.yml and replace yourdomain.tld by your real domain name.

Customize your installation

Common default value are in group_vars/all.yml, you can overide them in group_vars/privyplace.yml, some options need to be set:

# mains options
letsencrypt_email: "[email protected]"
letsencrypt_env: # staging or prod
main_domain: yourdomain.tld

# passwords
postgres_password: postgresmasterpassword
freshrss_db_password: freshrsspassword

# shh public key to connect to ansible-executor
authorized_keys: |
  ssh-rsa your ssh public key

You can override default value here like freshrss_domain: "myrssdomain.tld" or disable app by setting app_freshrss_enabled: false.

Deploy

ansible-playbook -i inventory.yml privyplace.yml --diff

First run configuration

As for now, Organizr need to be configured manually. Once the deploy is finished, go to https://yourdomain.tld.

You can then follow Organizr first time setup instructions https://docs.organizr.app/books/installation/page/first-time-setup

Here is the values you need to set to makes it work:

  • Install type: Personal
  • Admin infos: Whatever you want
  • Security: Whatever you want
  • Database: Name: organizr Location: /data

Enjoy you self-hosted applications

Go to https://portal.yourdomain.tld

Advanced Usage

Access the cluster from you local machine

Partial deploy

# Check before deploy
ansible-playbook -i inventory.yml privyplace.yml --diff --check
# Deploy only ingress
ansible-playbook -i inventory.yml privyplace.yml --diff --tags ingress
# Deploy only roles setup-cluster
ansible-playbook -i inventory.yml privyplace.yml --diff --tags setup-cluster
# Deploy only organizr
ansible-playbook -i inventory.yml privyplace.yml --diff --tags organizr

Build monitoring ressources

apt install jsonnet
GO111MODULE="on" go get github.com/jsonnet-bundler/jsonnet-bundler/cmd/jb
mkdir kube-prometheus
cd kube-prometheus
jb init
jb install github.com/coreos/kube-prometheus/jsonnet/kube-prometheus
# customize custom-kube-prometheus.jsonnet
./build-monitoring.sh

Build docker image

export DOCKER_ID_USER="privyplace"
# build and push latest php/* images
./docker-build.sh docker/debian/php
# make a clean release and push all debian images
./docker-build.sh docker/debian v0.0.1

Knows issues

  • SSO doesn't redirect back to the app after login