From 6040614016e63fe0113d42d52fc7b5d95e976a7c Mon Sep 17 00:00:00 2001
From: bluejay
Date: Sun, 22 Mar 2026 06:15:01 +0000
Subject: [PATCH] feat: Blue Jay branding + 1Password vault extension

Custom image fc-guacamole:bluejay with:
- Blue Jay dark theme (CSS, login, header)
- 1Password Connect vault provider
- guacamole.properties ConfigMap
- Structured Logback logging
---
 apps/guacamole/guacamole.yaml | 68 +++++++++++++++++++++++++++++------
 1 file changed, 57 insertions(+), 11 deletions(-)

diff --git a/apps/guacamole/guacamole.yaml b/apps/guacamole/guacamole.yaml
index 4a48ca2..d0b45f4 100644
--- a/apps/guacamole/guacamole.yaml
+++ b/apps/guacamole/guacamole.yaml
@@ -1,8 +1,9 @@
-# Apache Guacamole - Remote Desktop Gateway
-# MySQL 8 + guacd + guacamole web
+# Apache Guacamole - Blue Jay Remote Access
+# FlowerCore Infrastructure Gateway
+# MySQL 8 + guacd + guacamole web (Blue Jay branded)
 # ArgoCD managed - BlueJay Lab
 # ALL credentials sourced from 1Password via OnePasswordItem CRD (guacamole-credentials)
-# Fields: username, password, DB-User, DB-Password, DB-Root-Password, DB-Name, URL
+# Custom image: fc-guacamole:bluejay (Blue Jay branding + 1Password vault extension)
 ---
 apiVersion: v1
 kind: Namespace
@@ -109,7 +110,6 @@ spec:
 clusterIP: None
 ---
 # DB schema init Job
-# Generates the MySQL schema and pipes it into the database
 apiVersion: batch/v1
 kind: Job
 metadata:
@@ -141,9 +141,7 @@ spec:
 - sh
 - -c
 - |
-# Generate schema SQL
 /opt/guacamole/bin/initdb.sh --mysql > /tmp/initdb.sql
-# Apply schema (ignore errors if tables already exist)
 mysql -h guac-mysql -u root -p"$MYSQL_ROOT_PASSWORD" "$MYSQL_DATABASE" < /tmp/initdb.sql || true
 env:
 - name: MYSQL_ROOT_PASSWORD
@@ -207,7 +205,48 @@ spec:
 targetPort: 4822
 name: guacd
 ---
-# Guacamole Web Application
+# Guacamole Properties ConfigMap
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: guacamole-properties
+ namespace: guacamole
+ labels:
+ app: guacamole
+data:
+ guacamole.properties: |
+ # Blue Jay Remote Access — Guacamole Configuration
+ # MySQL/guacd settings provided via env vars — do NOT duplicate here
+
+ # 1Password Vault Integration
+ 1password-connect-url: http://onepassword-connect.onepassword-system.svc.cluster.local:8080
+ 1password-connect-token: placeholder-configure-via-secret
+ 1password-vault-id: qaphopopkryhbg353ukzhhuqoq
+
+ # Extension Priority
+ extension-priority: mysql, ban, bluejay, 1password-vault, *
+
+ # Ban (brute force)
+ ban-max-invalid-attempts: 5
+ ban-address-duration: 300000
+ ban-max-addresses: 1000
+
+ # TOTP
+ totp-issuer: Blue Jay Remote Access
+ totp-digits: 6
+ totp-period: 30
+ totp-mode: sha256
+
+ # Session Recording
+ recording-search-path: /var/lib/guacamole/recordings
+
+ # Logging
+ log-level: info
+
+ # API Token Expiry
+ api-session-timeout: 60
+---
+# Guacamole Web Application — Blue Jay branded
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -227,7 +266,8 @@ spec:
 spec:
 containers:
 - name: guacamole
- image: guacamole/guacamole:latest
+ image: localhost/fc-guacamole:bluejay
+ imagePullPolicy: Never
 ports:
 - containerPort: 8080
 name: http
@@ -255,6 +295,10 @@ spec:
 secretKeyRef:
 name: guacamole-credentials
 key: DB-Password
+ volumeMounts:
+ - name: guac-properties
+ mountPath: /etc/guacamole/guacamole.properties
+ subPath: guacamole.properties
 resources:
 requests:
 memory: 256Mi
@@ -274,6 +318,10 @@ spec:
 port: 8080
 initialDelaySeconds: 60
 periodSeconds: 5
+ volumes:
+ - name: guac-properties
+ configMap:
+ name: guacamole-properties
 ---
 apiVersion: v1
 kind: Service
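Review bot: `1password-connect-token: placeholder-configure-via-secret` places a Connect API token (or, as committed, a non-working placeholder) in a ConfigMap, which is readable by anyone with read access to the namespace and contradicts the file's own header stating that all credentials come from 1Password via the OnePasswordItem CRD; because this ConfigMap is mounted as the only guacamole.properties, the vault extension will read the placeholder literally. Keep the token out of the ConfigMap: drop that line, add `enable-environment-properties: true` to the properties, and inject the token into the guacamole container's env from a Secret with `secretKeyRef`, the same way DB-Password is already supplied — assuming the custom 1password-vault extension reads its settings through Guacamole's standard property API, which the page does not show. If `ban-address-duration` is in seconds as in the upstream ban extension documentation, `300000` is roughly three and a half days rather than the five minutes the surrounding defaults suggest; confirm the intended unit.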
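Review bot: `image: localhost/fc-guacamole:bluejay` with `imagePullPolicy: Never` means the custom image must already be loaded on every node that can schedule this pod, and the mutable `bluejay` tag gives no way to tell which build is running or whether nodes have diverged. Pin an immutable reference — `image: localhost/fc-guacamole@sha256:<digest-placeholder>` — or push the image to a registry the cluster can pull from, and document in the file how the image is built and loaded onto nodes, since ArgoCD cannot reconcile that step. The container spec continues outside the hunk.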
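Review bot: The `subPath: guacamole.properties` mount does not receive updates when the `guacamole-properties` ConfigMap changes, so any edit to the properties needs a pod restart that ArgoCD will not trigger by itself. Add a pod-template annotation carrying a hash of the ConfigMap content, e.g. `checksum/guacamole-properties: "<sha256-of-configmap-data>"` updated whenever the ConfigMap changes, so a config change rolls the Deployment; alternatively mount the ConfigMap as a directory and point GUACAMOLE_HOME at it. Also worth confirming that the custom image's start script, if it still derives properties from env vars like the upstream image does, merges with rather than overwrites the mounted file. The container's env block starts outside the hunk.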
@@ -289,7 +337,6 @@ spec:
 name: http
 ---
 # Traefik addPrefix middleware
-# External URL guac.iamworkin.lan/ gets prefix /guacamole added
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
@@ -333,8 +380,7 @@ spec:
 tls:
 secretName: guacamole-tls
 ---
-# 1Password secret sync — creates guacamole-credentials K8s Secret
-# Fields: username, password, DB-User, DB-Password, DB-Root-Password, DB-Name, URL
+# 1Password secret sync
 apiVersion: onepassword.com/v1
 kind: OnePasswordItem
 metadata: