mirror of
https://github.com/mauriceboe/TREK.git
synced 2026-06-30 18:46:00 +00:00
Maurice
266fd004d2
Builds on @Hardik-369's instance-specific User-Agent idea and reworks the rest of the #1309 fix: - keep the unique User-Agent (buildUserAgent) — a shared UA gets the public Overpass mirrors to rate-limit harder; it appends the configured instance URL and is applied to every Nominatim/Overpass/Wikimedia call - add OVERPASS_URL so an operator behind locked-down egress (e.g. a Kubernetes cluster) can point the explore search at an internal/self-hosted Overpass instance instead of the public mirrors - keep the per-endpoint timeout default at 12s but make it tunable via OVERPASS_TIMEOUT_MS for slow self-hosted instances; non-positive/invalid values fall back to the default rather than 502-ing every search at a 0ms cap - log each endpoint's failure reason before the 502 so blocked egress is diagnosable instead of a bare "Overpass request failed" Adds unit tests for the User-Agent, endpoint and timeout resolution plus the all-mirrors-down path, and documents the two new env vars in .env.example, the wiki and the Helm chart.
TREK Helm Chart
This is a minimal Helm chart for deploying the TREK app.
Features
- Deploys the TREK container
- Exposes port 3000 via Service
- Optional persistent storage for
/app/dataand/app/uploads - Configurable environment variables and secrets
- Optional generic Ingress support
- Health checks on
/api/health
Helm Repository
A hosted Helm repository is available:
helm repo add trek https://mauriceboe.github.io/TREK
helm repo update
helm install trek trek/trek
Usage
Or install directly from the local chart:
helm install trek ./chart \
--set ingress.enabled=true \
--set ingress.hosts[0].host=yourdomain.com
See values.yaml for more options.
Files
Chart.yaml— chart metadatavalues.yaml— configuration valuestemplates/— Kubernetes manifests
Notes
- Ingress is off by default. Enable and configure hosts for your domain.
- PVCs use the cluster's default StorageClass. Set
persistence.data.storageClassNameand/orpersistence.uploads.storageClassNameto bind a specific class. JWT_SECRETis managed entirely by the server — auto-generated into the data PVC on first start and rotatable via the admin panel (Settings → Danger Zone). No Helm configuration needed.ENCRYPTION_KEYencrypts stored secrets (API keys, MFA, SMTP, OIDC) at rest. Recommended: set viasecretEnv.ENCRYPTION_KEYorexistingSecret. If left empty, the server falls back automatically: existing installs usedata/.jwt_secret(no action needed on upgrade); fresh installs auto-generate a key persisted to the data PVC.- If using ingress, you must manually keep
env.ALLOWED_ORIGINSandingress.hostsin sync to ensure CORS works correctly. The chart does not sync these automatically. - Set
env.ALLOW_INTERNAL_NETWORK: "true"if Immich or other integrated services are hosted on a private/RFC-1918 address (e.g. a pod on the same cluster or a NAS on your LAN). Loopback (127.x) and link-local/metadata addresses (169.254.x) remain blocked regardless. FORCE_HTTPSis optional. Setenv.FORCE_HTTPS: "true"only when ingress (or another proxy) terminates TLS. It enables HTTPS redirects, HSTS, CSPupgrade-insecure-requests, and forces the session cookiesecureflag. RequiresTRUST_PROXYto be set.- Set
env.TRUST_PROXY: "1"(or the number of proxy hops) when running behind ingress or a load balancer. Required forFORCE_HTTPSto detect the forwarded protocol correctly. In production it defaults to1automatically. COOKIE_SECUREis auto-derived (on whenNODE_ENV=productionorFORCE_HTTPS=true). Setenv.COOKIE_SECURE: "false"only during local testing without TLS. Not recommended for production.- Set
env.OIDC_DISCOVERY_URLto override the auto-constructed OIDC discovery endpoint. Required for providers (e.g. Authentik) that expose it at a non-standard path.