From 14e0772d45730c29abffde439cab046769d38d33 Mon Sep 17 00:00:00 2001
From: JJGadgets <git@jjgadgets.tech>
Date: Mon, 17 Feb 2025 20:36:37 +0800
Subject: [PATCH] feat: add fava

---
 .../biohazard/flux/kustomization.yaml         |   1 +
 kube/deploy/apps/fava/app/hr.yaml             | 100 ++++++++++++++++++
 kube/deploy/apps/fava/app/ns.yaml             |  10 ++
 kube/deploy/apps/fava/ks.yaml                 |  30 ++++++
 kube/deploy/apps/fava/kustomization.yaml      |   6 ++
 5 files changed, 147 insertions(+)
 create mode 100644 kube/deploy/apps/fava/app/hr.yaml
 create mode 100644 kube/deploy/apps/fava/app/ns.yaml
 create mode 100644 kube/deploy/apps/fava/ks.yaml
 create mode 100644 kube/deploy/apps/fava/kustomization.yaml

diff --git a/kube/clusters/biohazard/flux/kustomization.yaml b/kube/clusters/biohazard/flux/kustomization.yaml
index 9e156259..c6b1a32d 100644
--- a/kube/clusters/biohazard/flux/kustomization.yaml
+++ b/kube/clusters/biohazard/flux/kustomization.yaml
@@ -147,6 +147,7 @@ resources:
   - ../../../deploy/apps/flatnotes/
   - ../../../deploy/apps/stirling-pdf/
   - ../../../deploy/apps/fortidynasync/
+  - ../../../deploy/apps/fava/
   - ../../../deploy/vm/_kubevirt/
   #- ../../../deploy/vm/_base/
   - ../../../deploy/vm/ad/
diff --git a/kube/deploy/apps/fava/app/hr.yaml b/kube/deploy/apps/fava/app/hr.yaml
new file mode 100644
index 00000000..f6ed06fc
--- /dev/null
+++ b/kube/deploy/apps/fava/app/hr.yaml
@@ -0,0 +1,100 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/app-template-3.7.1/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: &app fava
+  namespace: *app
+spec:
+  interval: 5m
+  chart:
+    spec:
+      chart: app-template
+      version: 3.7.1
+      sourceRef:
+        name: bjw-s
+        kind: HelmRepository
+        namespace: flux-system
+  values:
+    controllers:
+      fava:
+        type: deployment
+        replicas: 1
+        pod:
+          labels:
+            ingress.home.arpa/nginx-internal: allow
+        containers:
+          main:
+            image: &img
+              repository: jank.ing/jjgadgets/fava
+              tag: 1.30.1@sha256:1da5e3ff5f62bdfd5cf91730727e650b6bb657fc94cc35d58818a6d35f926446
+            env: &env
+              TZ: "${CONFIG_TZ}"
+            securityContext: &sc
+              readOnlyRootFilesystem: true
+              allowPrivilegeEscalation: false
+              capabilities:
+                drop: ["ALL"]
+            resources:
+              requests:
+                cpu: "10m"
+                memory: "64Mi"
+              limits:
+                cpu: "1"
+                memory: "512Mi"
+            probes:
+              liveness:
+                enabled: true
+              readiness:
+                enabled: true
+    service:
+      fava:
+        controller: fava
+        ports:
+          http:
+            port: 5000
+            protocol: HTTP
+            appProtocol: http
+    ingress:
+      main:
+        className: nginx-internal
+        annotations:
+          nginx.ingress.kubernetes.io/whitelist-source-range: "${IP_JJ_V4:=127.0.0.1/32}"
+        hosts:
+          - host: &host "${APP_DNS_FAVA:=fava}"
+            paths: &paths
+              - path: /
+                pathType: Prefix
+                service:
+                  identifier: fava
+                  port: http
+        tls:
+          - hosts: [*host]
+    persistence:
+      data:
+        existingClaim: fava-data
+        globalMounts:
+          - subPath: data
+            path: /data
+    defaultPodOptions:
+      automountServiceAccountToken: false
+      enableServiceLinks: false
+      dnsConfig:
+        options:
+          - name: ndots
+            value: "1"
+      hostUsers: false
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: &uid 1000
+        runAsGroup: *uid
+        fsGroup: *uid
+        fsGroupChangePolicy: Always
+        seccompProfile: { type: "RuntimeDefault" }
+      affinity:
+        nodeAffinity:
+          requiredDuringSchedulingIgnoredDuringExecution:
+            nodeSelectorTerms:
+              - matchExpressions:
+                  - key: fuckoff.home.arpa/fava
+                    operator: DoesNotExist
diff --git a/kube/deploy/apps/fava/app/ns.yaml b/kube/deploy/apps/fava/app/ns.yaml
new file mode 100644
index 00000000..6fba5ddb
--- /dev/null
+++ b/kube/deploy/apps/fava/app/ns.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: fava
+  labels:
+    kustomize.toolkit.fluxcd.io/prune: disabled
+    pod-security.kubernetes.io/enforce: &ps restricted
+    pod-security.kubernetes.io/audit: *ps
+    pod-security.kubernetes.io/warn: *ps
diff --git a/kube/deploy/apps/fava/ks.yaml b/kube/deploy/apps/fava/ks.yaml
new file mode 100644
index 00000000..271a0ffe
--- /dev/null
+++ b/kube/deploy/apps/fava/ks.yaml
@@ -0,0 +1,30 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: fava-app
+  namespace: flux-system
+  labels: &l
+    app.kubernetes.io/name: "fava"
+spec:
+  targetNamespace: "fava"
+  commonMetadata:
+    labels: *l
+  path: ./kube/deploy/apps/fava/app
+  components:
+    - ../../../core/storage/volsync/component/
+    - ../../../core/flux-system/alerts/template/
+  dependsOn:
+    - name: 1-core-storage-volsync-app
+    - name: 1-core-storage-rook-ceph-cluster
+  postBuild:
+    substitute:
+      PVC: "fava-data"
+      SIZE: "10Gi"
+      SC: &sc "file"
+      SNAP: *sc
+      ACCESSMODE: "ReadWriteMany"
+      SNAP_ACCESSMODE: "ReadOnlyMany"
+      RUID: &uid "1000"
+      RGID: *uid
+      RFSG: *uid
diff --git a/kube/deploy/apps/fava/kustomization.yaml b/kube/deploy/apps/fava/kustomization.yaml
new file mode 100644
index 00000000..45bc3673
--- /dev/null
+++ b/kube/deploy/apps/fava/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  # - ns.yaml
+  - ks.yaml