# Default values for gotosocial.
# This is a YAML-formatted file.
# Declare variables to be passed into your templates.
# Chart-wide image overrides. Both keys are null by default, which leaves
# the per-image settings under `image` in effect.
global:
  image:
    # -- if set it will overwrite all registry entries
    registry: null
    # -- if set it will overwrite all pullPolicy
    pullPolicy: null
replicaCount: 1

# Container image to deploy. An empty tag falls back to the chart appVersion.
image:
  registry: docker.io
  repository: superseriousbusiness/gotosocial
  pullPolicy: IfNotPresent
  # -- Overrides the image tag whose default is the chart appVersion.
  tag: ""

imagePullSecrets: []
nameOverride: ""
fullnameOverride: ""
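# Application settings for GoToSocial.
# NOTE(review): database.password, storage.s3.accessKey/secretKey,
# oidc.clientSecret, smtp.password and metrics.auth.password are secrets.
# Leave them empty in this file and supply them at install time from a
# values file that is kept out of version control.
gotosocial:
  tz: "UTC"
  applicationName: "gotosocial"
  landingPageUser: ""
  host: "localhost"
  accountDomain: ""

  database:
    # -- Database type.
    # Options: ["postgres","sqlite"]
    type: "sqlite"
    # -- Database address or parameters.
    # For Postgres, this should be the address or socket at which the database can be reached.
    address: ""
    # -- Port for database connection.
    port: 5432
    # -- Username for the database connection.
    username: ""
    # -- Password to use for the database connection
    password: ""
    # -- Name of the database to use within the provided database type.
    database: "gotosocial"
    # NOTE(review): the value must be exactly one of the three strings
    # documented below. "disable" leaves database traffic unencrypted and
    # "enable" does not check the certificate, so use "require" whenever
    # Postgres is reached over a network.
    # -- Disable, enable, or require SSL/TLS connection to the database.
    # If "disable" then no TLS connection will be attempted.
    # If "enable" then TLS will be tried, but the database certificate won't be checked (for self-signed certs).
    # If "require" then TLS will be required to make a connection, and a valid certificate must be presented.
    tlsMode: "disable"
    # -- Path to a CA certificate on the host machine for db certificate validation.
    # If this is left empty, just the host certificates will be used.
    # If filled in, the certificate will be loaded and added to host certificates.
    tlsCACert: ""

  accounts:
    # -- Do we want people to be able to just submit sign up requests, or do we want invite only?
    registrationOpen: true
    # -- Do sign up requests require approval from an admin/moderator before an account can sign in/use the server?
    approvalRequired: true
    # -- Are sign up requests required to submit a reason for the request (eg., an explanation of why they want to join the instance)?
    reasonRequired: true
    # -- Allow accounts on this instance to set custom CSS for their profile pages and statuses.
    # Enabling this setting will allow accounts to upload custom CSS via the /user settings page,
    # which will then be rendered on the web view of the account's profile and statuses.
    #
    # For instances with public sign ups, it is **HIGHLY RECOMMENDED** to leave this setting on 'false',
    # since setting it to true allows malicious accounts to make their profile pages misleading, unusable
    # or even dangerous to visitors. In other words, you should only enable this setting if you trust
    # the users on your instance not to produce harmful CSS.
    #
    # Regardless of what this value is set to, any uploaded CSS will not be federated to other instances,
    # it will only be shown on profiles and statuses on *this* instance.
    allowCustomCSS: false
    # -- If accounts-allow-custom-css is true, this is the permitted length in characters for
    # CSS uploaded by accounts on this instance. No effect if accounts-allow-custom-css is false.
    customCSSLength: 10000

  storage:
    # -- Type of storage backend to use.
    # Examples: ["local", "s3"]
    # Default: "local" (storage on local disk)
    backend: "local"
    s3:
      # -- API endpoint of the S3 compatible service.
      # Only required when running with the s3 storage backend.
      # GoToSocial uses "DNS-style" when accessing buckets.
      # If you are using Scaleway's object storage, please remove the "bucket name" from the endpoint address
      endpoint: ""
      # -- If data stored in S3 should be proxied through GoToSocial instead of redirecting to a presigned URL.
      proxy: false
      # -- Use SSL for S3 connections.
      #
      # Only set this to 'false' when testing locally.
      useSSL: true
      # -- Name of the storage bucket.
      #
      # If you have already encoded your bucket name in the storage-s3-endpoint, this
      # value will be used as a directory containing your data.
      #
      # The bucket must exist prior to starting GoToSocial
      #
      # Only required when running with the s3 storage backend.
      bucket: ""
      # -- Access key part of the S3 credentials.
      # Consider setting this value using environment variables to avoid leaking it via the config file
      # Only required when running with the s3 storage backend.
      accessKey: ""
      # -- Secret key part of the S3 credentials.
      # Consider setting this value using environment variables to avoid leaking it via the config file
      # Only required when running with the s3 storage backend.
      secretKey: ""

  oidc:
    # -- Enable authentication with external OIDC provider. If set to true, then
    # the other OIDC options must be set as well. If this is set to false, then the standard
    # internal oauth flow will be used, where users sign in to GtS with username/password.
    enabled: false
    # -- Name of the oidc idp (identity provider). This will be shown to users when they log in.
    idpName: ""
    # -- Skip the normal verification flow of tokens returned from the OIDC provider, ie.,
    # don't check the expiry or signature. This should only be used in debugging or testing,
    # never ever in a production environment as it's extremely unsafe!
    skipVerification: false
    # -- The OIDC issuer URI. This is where GtS will redirect users to for login.
    # Typically this will look like a standard web URL.
    issuer: ""
    # -- The ID for this client as registered with the OIDC provider.
    clientID: ""
    # -- The secret for this client as registered with the OIDC provider.
    clientSecret: ""
    # -- Scopes to request from the OIDC provider. The returned values will be used to
    # populate users created in GtS as a result of the authentication flow. 'openid' and 'email' are required.
    # 'profile' is used to extract a username for the newly created user.
    # 'groups' is optional and can be used to determine if a user is an admin based on oidc-admin-groups.
    scopes:
      - "openid"
      - "email"
      - "profile"
      - "groups"
    # NOTE(review): linking by email trusts the address asserted by the
    # identity provider. Enable it only if the provider verifies email
    # ownership, and turn it off again once migration is done.
    # -- Link OIDC authenticated users to existing ones based on their email address.
    # This is mostly intended for migration purposes if you were running previous versions of GTS
    # which only correlated users with their email address. Should be set to false for most use cases.
    linkExisting: false
    # NOTE(review): membership of any group listed here grants instance
    # admin rights, so check who can manage a group with this name at the
    # identity provider before enabling OIDC.
    # -- If the returned ID token contains a 'groups' claim that matches one of the
    # groups in oidc-admin-groups, then this user will be granted admin rights on the GtS instance
    adminGroups:
      - "admins"

  smtp:
    # -- The hostname of the smtp server you want to use.
    # If this is not set, smtp will not be used to send emails, and you can ignore the other settings.
    host: ""
    # -- Port to use to connect to the smtp server.
    port: 0
    # -- Username to use when authenticating with the smtp server.
    # This should have been provided to you by your smtp host.
    # This is often, but not always, an email address.
    username: ""
    # -- Password to use when authenticating with the smtp server.
    # This should have been provided to you by your smtp host.
    password: ""
    # -- 'From' address for sent emails.
    from: ""
    # -- If true, when an email is sent that has multiple recipients, each recipient
    # will be included in the To field, so that each recipient can see who else got the
    # email, and they can 'reply all' to the other recipients if they want to.
    #
    # If false, email will be sent to Undisclosed Recipients, and each recipient will not
    # be able to see who else received the email.
    #
    # It might be useful to change this setting to 'true' if you want to be able to discuss
    # new moderation reports with other admins by 'replying-all' to the notification email.
    discloseRecipients: false

  # NOTE(review): metrics are enabled by default while metrics auth is
  # disabled. If the metrics endpoint is reachable through the Service or
  # Ingress, anyone who can reach it can read it; enable auth or block the
  # path at the ingress. Confirm against the templates how it is exposed.
  metrics:
    enabled: true
    auth:
      enabled: false
      username: ""
      password: ""

  tracing:
    # -- Enable OpenTelemetry based tracing support.
    enabled: false
    # -- Set the transport protocol for the tracing system. Can either be "grpc" for OTLP gRPC, or "http" for OTLP HTTP.
    transport: grpc
    # -- Endpoint of the trace ingester. When using the gRPC or HTTP based transports, provide the endpoint as a single address/port combination without a protocol scheme.
    endpoint: ""
    # -- Disable TLS for the gRPC and HTTP transport protocols.
    insecureTransport: false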
# Optional ServiceMonitor settings; disabled by default.
prometheus:
  servicemonitor:
    enabled: false
    labels: {}
serviceAccount:
  # -- Specifies whether a service account should be created
  create: false
  # NOTE(review): with automount on, the pod receives Kubernetes API
  # credentials. Nothing in this file indicates the workload calls the
  # Kubernetes API; consider false unless the templates show a need.
  # -- Automatically mount a ServiceAccount's API credentials?
  automount: true
  # -- Annotations to add to the service account
  annotations: {}
  # -- The name of the service account to use.
  # If not set and create is true, a name is generated using the fullname template
  name: ""
podAnnotations: {}
podLabels: {}

# NOTE(review): both security contexts are empty by default, so the pod
# runs with whatever user and capabilities the image defines. The
# commented values below are a hardened starting point; check that the
# image runs as a non-root user with a read-only root filesystem before
# enabling them.
podSecurityContext: {}
  # fsGroup: 2000

securityContext: {}
  # capabilities:
  #   drop:
  #     - ALL
  # readOnlyRootFilesystem: true
  # runAsNonRoot: true
  # runAsUser: 1000
# In-cluster Service in front of the pod.
service:
  type: ClusterIP
  port: 8080
# Ingress is off by default.
# NOTE(review): `tls` is empty, so enabling the ingress as-is configures
# no certificate here. Fill in `tls`, or terminate TLS upstream, before
# exposing the instance.
ingress:
  enabled: false
  className: ""
  annotations: {}
    # kubernetes.io/ingress.class: nginx
    # kubernetes.io/tls-acme: "true"
  hosts:
    - host: chart-example.local
      paths:
        - path: /
          pathType: ImplementationSpecific
  tls: []
  #  - secretName: chart-example-tls
  #    hosts:
  #      - chart-example.local
resources: {}
  # We usually recommend not to specify default resources and to leave this as a conscious
  # choice for the user. This also increases chances charts run on environments with little
  # resources, such as Minikube. If you do want to specify resources, uncomment the following
  # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi
# Horizontal autoscaling settings; disabled by default.
autoscaling:
  enabled: false
  minReplicas: 1
  maxReplicas: 100
  targetCPUUtilizationPercentage: 80
  # targetMemoryUtilizationPercentage: 80
# Additional volumes on the output Deployment definition.
volumes: []
# - name: foo
#   secret:
#     secretName: mysecret
#     optional: false

# Additional volumeMounts on the output Deployment definition.
volumeMounts: []
# - name: foo
#   mountPath: "/etc/foo"
#   readOnly: true

nodeSelector: {}

tolerations: []

affinity: {}
persistence:
  # -- Enable persistence using Persistent Volume Claims
  # ref: http://kubernetes.io/docs/user-guide/persistent-volumes/
  enabled: true
  annotations: {}
  # -- Persistent Volume Storage Class
  # If defined, storageClassName: <storageClass>
  # If set to "-", storageClassName: "", which disables dynamic provisioning
  # If undefined (the default) or set to null, no storageClassName spec is
  # set, choosing the default provisioner. (gp2 on AWS, standard on
  # GKE, AWS & OpenStack)
  storageClass: null
  # -- A manually managed Persistent Volume and Claim
  # Requires persistence.enabled: true
  # If defined, PVC must be created manually before volume will be bound
  existingClaim: null
  # NOTE(review): a hostPath volume ties the data to one node and gives
  # the pod access to that path on the node's filesystem; prefer a PVC
  # unless a single-node setup requires it.
  # -- Do not create a PVC; use hostPath directly in the Pod
  hostPath: null
  # -- accessMode
  accessMode: ReadWriteOnce
  # -- size
  size: 10Gi