| author | Paul Buetow <paul@buetow.org> | 2025-12-26 23:33:51 +0200 |
|---|---|---|
| committer | Paul Buetow <paul@buetow.org> | 2025-12-26 23:33:51 +0200 |
| commit | 598bcd7f6ccf9e884ec1a29e8188947954bc064f (patch) | |
| tree | 68adc26c21dc57115d222d678240d8a9fa2949e5 | |
| parent | fce1f89375728e4560a40defbc19681c131de5cf (diff) | |
add webdav
| -rw-r--r-- | f3s/filebrowser/helm-chart/templates/deployment.yaml | 8 | ||||
| -rw-r--r-- | f3s/webdav/Justfile | 14 | ||||
| -rw-r--r-- | f3s/webdav/README.md | 81 | ||||
| -rw-r--r-- | f3s/webdav/helm-chart/Chart.yaml | 5 | ||||
| -rw-r--r-- | f3s/webdav/helm-chart/templates/deployment.yaml | 106 | ||||
| -rw-r--r-- | f3s/webdav/helm-chart/templates/ingress.yaml | 20 | ||||
| -rw-r--r-- | f3s/webdav/helm-chart/templates/persistent-volume.yaml | 2 | ||||
| -rw-r--r-- | f3s/webdav/helm-chart/templates/service.yaml | 15 | ||||
| -rw-r--r-- | frontends/Rexfile | 2 |
9 files changed, 249 insertions, 4 deletions
diff --git a/f3s/filebrowser/helm-chart/templates/deployment.yaml b/f3s/filebrowser/helm-chart/templates/deployment.yaml index b0d5270..e079055 100644 --- a/f3s/filebrowser/helm-chart/templates/deployment.yaml +++ b/f3s/filebrowser/helm-chart/templates/deployment.yaml @@ -14,7 +14,9 @@ spec: app: filebrowser spec: securityContext: - fsGroup: 1000 + runAsUser: 65534 + runAsGroup: 65534 + fsGroup: 65534 containers: - name: filebrowser image: filebrowser/filebrowser:latest @@ -22,9 +24,9 @@ spec: - containerPort: 80 env: - name: PUID - value: "1000" + value: "65534" - name: PGID - value: "1000" + value: "65534" volumeMounts: - name: filebrowser-data mountPath: /srv diff --git a/f3s/webdav/Justfile b/f3s/webdav/Justfile new file mode 100644 index 0000000..3ee3d88 --- /dev/null +++ b/f3s/webdav/Justfile @@ -0,0 +1,14 @@ +NAMESPACE := "services" +RELEASE_NAME := "webdav" +CHART_PATH := "./helm-chart" + +install: + helm install {{RELEASE_NAME}} {{CHART_PATH}} --namespace {{NAMESPACE}} --create-namespace + +upgrade: + helm upgrade {{RELEASE_NAME}} {{CHART_PATH}} --namespace {{NAMESPACE}} + +delete: + helm uninstall {{RELEASE_NAME}} --namespace {{NAMESPACE}} + +deinstall: delete diff --git a/f3s/webdav/README.md b/f3s/webdav/README.md new file mode 100644 index 0000000..39ec307 --- /dev/null +++ b/f3s/webdav/README.md 
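Review bot: UID/GID 65534 is conventionally `nobody`/`nogroup`, so making it the owner of the shared data gives any other workload that runs as `nobody` the same access to these files, and likewise any client the NFS export squashes to that id, if it does so. A dedicated unprivileged UID shared by File Browser and WebDAV would keep that boundary. Both hunks of this file and the new `webdav` deployment use the same value, so the choice applies in all three places. Data already written under the old `1000` ownership may need a one-off `chown`; the diff does not show whether that was done. The README added in this commit still says `Runs with UID/GID 1000:1000`, which no longer matches the manifests.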
@@ -0,0 +1,81 @@ +# WebDAV Kubernetes Deployment + +This directory contains the Kubernetes configuration for deploying an Apache WebDAV server to a k3s cluster. It shares the same data directory as File Browser. + +## Prerequisites + +### 1. File Browser must be deployed first + +This WebDAV server reuses the `filebrowser-data-pvc` persistent volume claim. Ensure File Browser is already deployed: + +```bash +cd ../filebrowser +just install +``` + +### 2. Create the htpasswd secret + +Generate a password file and create the Kubernetes secret: + +```bash +# Install htpasswd if not available +# On Fedora: dnf install httpd-tools +# On Debian/Ubuntu: apt install apache2-utils + +# Generate htpasswd file (replace USERNAME and PASSWORD) +htpasswd -cb /tmp/webdav.htpasswd USERNAME PASSWORD + +# Create the secret +kubectl create secret generic webdav-htpasswd \ + --from-file=webdav.htpasswd=/tmp/webdav.htpasswd \ + -n services + +# Clean up +rm /tmp/webdav.htpasswd +``` + +To add additional users: + +```bash +htpasswd -b /tmp/webdav.htpasswd ANOTHER_USER ANOTHER_PASSWORD +kubectl delete secret webdav-htpasswd -n services +kubectl create secret generic webdav-htpasswd \ + --from-file=webdav.htpasswd=/tmp/webdav.htpasswd \ + -n services +kubectl rollout restart deployment/webdav -n services +``` + +## Deployment + +```bash +just install +``` + +## Configuration + +WebDAV will be accessible at: `http://webdav.f3s.buetow.org` + +The WebDAV root (`/webdav`) serves files from `/data/nfs/k3svolumes/filebrowser/data` - the same directory as File Browser. + +## Storage + +Uses the same persistent volume as File Browser: +- **data** (50Gi): Shared with File Browser at `/data/nfs/k3svolumes/filebrowser/data` + +## Permissions + +Runs with UID/GID 1000:1000, matching File Browser's permissions. 
+ +## Justfile Commands + +- `just install` - Install WebDAV using Helm +- `just upgrade` - Upgrade the WebDAV deployment +- `just delete` - Uninstall WebDAV from the cluster + +## WebDAV Client Access + +Connect using any WebDAV client with: +- URL: `https://webdav.f3s.buetow.org/webdav/` (after TLS offloading via relayd) +- Username/Password: As configured in the htpasswd secret + + diff --git a/f3s/webdav/helm-chart/Chart.yaml b/f3s/webdav/helm-chart/Chart.yaml new file mode 100644 index 0000000..24aac6a --- /dev/null +++ b/f3s/webdav/helm-chart/Chart.yaml @@ -0,0 +1,5 @@ +apiVersion: v2 +name: webdav +description: A Helm chart for deploying Apache WebDAV server +version: 0.1.0 +appVersion: "2.4" diff --git a/f3s/webdav/helm-chart/templates/deployment.yaml b/f3s/webdav/helm-chart/templates/deployment.yaml new file mode 100644 index 0000000..d528ce2 --- /dev/null +++ b/f3s/webdav/helm-chart/templates/deployment.yaml 
@@ -0,0 +1,106 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: webdav + namespace: services +spec: + replicas: 1 + selector: + matchLabels: + app: webdav + template: + metadata: + labels: + app: webdav + spec: + securityContext: + fsGroup: 65534 + seLinuxOptions: + type: spc_t + initContainers: + - name: setup + image: httpd:2.4 + command: + - /bin/bash + - -c + - | + cp -r /usr/local/apache2/conf/* /apache-conf/ + cp -r /usr/local/apache2/logs /apache-logs-init/ + echo "Include conf/extra/httpd-dav.conf" >> /apache-conf/httpd.conf + sed -i 's/Listen 80/Listen 8080/' /apache-conf/httpd.conf + sed -i 's/User daemon/User #65534/' /apache-conf/httpd.conf + sed -i 's/Group daemon/Group #65534/' /apache-conf/httpd.conf + mkdir -p /lock-dir/apache2 + chown -R 65534:65534 /apache-conf /apache-logs-init /lock-dir + volumeMounts: + - name: apache-conf + mountPath: /apache-conf + - name: apache-logs + mountPath: /apache-logs-init + - name: webdav-lock + mountPath: /lock-dir + containers: + - name: webdav + image: httpd:2.4 + securityContext: + runAsUser: 65534 + runAsGroup: 65534 + ports: + - containerPort: 8080 + volumeMounts: + - name: webdav-data + mountPath: /var/www/webdav + - name: webdav-config + mountPath: /usr/local/apache2/conf/extra/httpd-dav.conf + subPath: httpd-dav.conf + - name: webdav-htpasswd + mountPath: /etc/apache2/webdav.htpasswd + subPath: webdav.htpasswd + - name: webdav-lock + mountPath: /var/lock + - name: apache-conf + mountPath: /usr/local/apache2/conf + - name: apache-logs + mountPath: /usr/local/apache2/logs + volumes: + - name: webdav-data + persistentVolumeClaim: + claimName: filebrowser-data-pvc + - name: webdav-config + configMap: + name: webdav-config + - name: webdav-htpasswd + secret: + secretName: webdav-htpasswd + - name: webdav-lock + emptyDir: {} + - name: apache-conf + emptyDir: {} + - name: apache-logs + emptyDir: {} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: webdav-config + namespace: services +data: + 
httpd-dav.conf: | + LoadModule dav_module modules/mod_dav.so + LoadModule dav_fs_module modules/mod_dav_fs.so + LoadModule auth_basic_module modules/mod_auth_basic.so + LoadModule authn_file_module modules/mod_authn_file.so + LoadModule authz_user_module modules/mod_authz_user.so + + DavLockDB /var/lock/apache2/DavLock + DocumentRoot "/var/www/webdav" + + <Directory "/var/www/webdav"> + Dav On + Options Indexes FollowSymLinks + + AuthType Basic + AuthName "WebDAV" + AuthUserFile /etc/apache2/webdav.htpasswd + Require valid-user + </Directory> diff --git a/f3s/webdav/helm-chart/templates/ingress.yaml b/f3s/webdav/helm-chart/templates/ingress.yaml new file mode 100644 index 0000000..e79aadb --- /dev/null +++ b/f3s/webdav/helm-chart/templates/ingress.yaml @@ -0,0 +1,20 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: webdav-ingress + namespace: services + annotations: + spec.ingressClassName: traefik + traefik.ingress.kubernetes.io/router.entrypoints: web +spec: + rules: + - host: webdav.f3s.buetow.org + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: webdav-service + port: + number: 80 diff --git a/f3s/webdav/helm-chart/templates/persistent-volume.yaml b/f3s/webdav/helm-chart/templates/persistent-volume.yaml new file mode 100644 index 0000000..3abba20 --- /dev/null +++ b/f3s/webdav/helm-chart/templates/persistent-volume.yaml @@ -0,0 +1,2 @@ +# WebDAV reuses the filebrowser-data-pvc which is already created by the filebrowser chart. +# No additional PV/PVC needed since we share the same data directory. diff --git a/f3s/webdav/helm-chart/templates/service.yaml b/f3s/webdav/helm-chart/templates/service.yaml new file mode 100644 index 0000000..97c0af3 --- /dev/null +++ b/f3s/webdav/helm-chart/templates/service.yaml 
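Review bot: `seLinuxOptions: type: spc_t` in the pod-level `securityContext` removes SELinux confinement from every container in the pod, and the `setup` init container sets no `runAsUser`, so it presumably runs as the image's default user (root, as the `chown` implies). For a network-facing WebDAV server with write access to the shared File Browser volume, I would drop `spc_t` if the volume can be labelled instead, and harden the `webdav` container as in the fence below. In the ConfigMap, `Options Indexes FollowSymLinks` makes Apache follow any symlink that ends up in the shared data directory through another writer; `Options Indexes` or `SymLinksIfOwnerMatch` is safer unless symlinks are needed. `image: httpd:2.4` is a floating tag, so pinning a digest would make the deployed server reproducible.

```yaml
          securityContext:
            # … unchanged: runAsUser, runAsGroup …
            runAsNonRoot: true
            allowPrivilegeEscalation: false
            capabilities:
              drop: ["ALL"]
          # … unchanged: ports, volumeMounts …
```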
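Review bot: `spec.ingressClassName: traefik` is written as a key under `metadata.annotations`, where it is only an arbitrary annotation. The Ingress therefore has no class set and is presumably picked up only because Traefik handles classless Ingresses in this cluster. Put it in the spec instead, as `ingressClassName: traefik` directly under `spec:`. The router is bound to the `web` entrypoint, so the Basic-auth credentials checked against the htpasswd secret reach Traefik over plain HTTP. The README mentions TLS offloading via relayd, so confirm that the unencrypted hop stays on a trusted network, or use a TLS entrypoint.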
@@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + labels: + app: webdav + name: webdav-service + namespace: services +spec: + ports: + - name: web + port: 80 + protocol: TCP + targetPort: 8080 + selector: + app: webdav diff --git a/frontends/Rexfile b/frontends/Rexfile index b2507f9..e555124 100644 --- a/frontends/Rexfile +++ b/frontends/Rexfile @@ -77,7 +77,7 @@ our @dns_zones_remove = qw//; # k3s cluster running on FreeBSD in my LAN our @f3s_hosts = - qw/f3s.buetow.org keybr.f3s.buetow.org anki.f3s.buetow.org bag.f3s.buetow.org flux.f3s.buetow.org audiobookshelf.f3s.buetow.org grafana.f3s.buetow.org radicale.f3s.buetow.org vault.f3s.buetow.org syncthing.f3s.buetow.org uprecords.f3s.buetow.org koreader.f3s.buetow.org filebrowser.f3s.buetow.org/; + qw/f3s.buetow.org keybr.f3s.buetow.org anki.f3s.buetow.org bag.f3s.buetow.org flux.f3s.buetow.org audiobookshelf.f3s.buetow.org grafana.f3s.buetow.org radicale.f3s.buetow.org vault.f3s.buetow.org syncthing.f3s.buetow.org uprecords.f3s.buetow.org koreader.f3s.buetow.org filebrowser.f3s.buetow.org webdav.f3s.buetow.org/; # optionally, only enable manually for temp time, as no password protection yet # push @f3s_hosts, 'registry.f3s.buetow.org'; |
