Disclaimer: still in development, use at your own risk
PrivyPlace is a opiniated personal cloud distribution based on a selection of open source software and deployed on a single node Kubernetes cluster.
It makes use of several open-source software, mainly:
- k3s: A lightweight distribtution of Kubernetes
- Ansible: to orchestrate cluster installation, generate and deploy the k8s ressources
- kube-prometheus for the monitoring stack, based on Prometheus and grafana
- Organizr to protect applications and provide Single Sign-On
- Ingress-nginx to serve cluster ingress in https
- Cert-Manager to generate Let's Encrypt certificate
- Postgresql as main database for apps
Additionnaly to the infrastucture, several apps are available to install on the cluster, for now:
- An application portal, based on Homer
- FreshRSS a great RSS aggregator
- Searx an internet metasearch engine
- srt2hls an audio HLS streaming server
- Droppy a file storage server with a web interface
- The Lounge a web IRC client
- mStream a music streaming server
- Shiori a simple bookmark manager
- Adminer for database management
PrivyPlace assumes, for now, a single tenant cluster where everyone connected is an administrator.
By default, once the first run setup done (see below), all applications will be secured by proper default values and a Single Sign-On solution. For now, it use the external auth ingress functionality coupled to Organizr.
All apps that support reverse proxy header authentification can make use of it to manage user.
This is the case for Grafana where the x-organizr-user header is used to pass the Organizr user to Grafana.
The authentification can be disabled on specific ingress like in the stream app by using the annotation nginx.ingress.kubernetes.io/enable-global-auth: "false".
pip3 install ansible PyYAML openshift
git clone https://github.com/mbugeia/privyplace
cd privyplace
- Debian 10 (untested on other)
- root ssh access
- Firewall rules to allow ports 80 and 443 from internet
- A domain with DNS configured to point to your server, for example
yourdomain.tld. 300 IN A yourserveripv4
*.yourdomain.tld. 300 IN A yourserveripv4
cp inventory.yml.example inventory.yml
Then edit inventory.yml and replace yourdomain.tld by your real domain name.
Common default value are in group_vars/all.yml, you can overide them in group_vars/privyplace.yml, some options need to be set:
# mains options
letsencrypt_email: "youremail@example.com"
letsencrypt_env: # staging or prod
main_domain: yourdomain.tld
# passwords
postgres_password: postgresmasterpassword
freshrss_db_password: freshrsspassword
# shh public key to connect to ansible-executor
authorized_keys: |
ssh-rsa your ssh public key
You can override default value here like freshrss_domain: "myrssdomain.tld" or disable app by setting app_freshrss_enabled: false.
ansible-playbook -i inventory.yml privyplace.yml --diff
As for now, Organizr need to be configured manually. Once the deploy is finished, go to https://yourdomain.tld.
You can then follow Organizr first time setup instructions https://docs.organizr.app/books/installation/page/first-time-setup
Here is the values you need to set to makes it work:
- Install type:
Personal - Admin infos: Whatever you want
- Security: Whatever you want
- Database: Name:
organizrLocation:/data
Go to https://portal.yourdomain.tld
- Install Kubectl
- mkdir ~/.kube
- scp root@youserverip:.kube/config ~/.kube/config
- Edit ~/.kube/config and replace https://127.0.0.1:6443 with your server ip
# Check before deploy
ansible-playbook -i inventory.yml privyplace.yml --diff --check
# Deploy only ingress
ansible-playbook -i inventory.yml privyplace.yml --diff --tags ingress
# Deploy only roles setup-cluster
ansible-playbook -i inventory.yml privyplace.yml --diff --tags setup-cluster
# Deploy only organizr
ansible-playbook -i inventory.yml privyplace.yml --diff --tags organizr
apt install jsonnet
GO111MODULE="on" go get github.com/jsonnet-bundler/jsonnet-bundler/cmd/jb
mkdir kube-prometheus
cd kube-prometheus
jb init
jb install github.com/coreos/kube-prometheus/jsonnet/kube-prometheus
# customize custom-kube-prometheus.jsonnet
./build-monitoring.sh
export DOCKER_ID_USER="privyplace"
# build and push latest php/* images
./docker-build.sh docker/debian/php
# make a clean release and push all debian images
./docker-build.sh docker/debian v0.0.1
- SSO doesn't redirect back to the app after login