From b6533211c0bb49db2cd7e7655809dbce0e1409a4 Mon Sep 17 00:00:00 2001 From: JJGadgets Date: Mon, 17 Jul 2023 06:18:12 +0800 Subject: [PATCH] feat: add firefly --- .../biohazard/config/secrets.sops.env | 16 ++- kube/clusters/biohazard/config/vars.sops.env | 13 +- .../biohazard/flux/kustomization.yaml | 1 + kube/deploy/apps/firefly/app/hr.yaml | 127 ++++++++++++++++++ kube/deploy/apps/firefly/app/netpol.yaml | 18 +++ kube/deploy/apps/firefly/app/pvc.yaml | 15 +++ kube/deploy/apps/firefly/app/secrets.yaml | 10 ++ kube/deploy/apps/firefly/app/volsync.yaml | 36 +++++ kube/deploy/apps/firefly/ks.yaml | 53 ++++++++ kube/deploy/apps/firefly/kustomization.yaml | 7 + kube/deploy/apps/firefly/ns.yaml | 5 + kube/deploy/apps/firefly/secret-pg.yaml | 11 ++ 12 files changed, 301 insertions(+), 11 deletions(-) create mode 100644 kube/deploy/apps/firefly/app/hr.yaml create mode 100644 kube/deploy/apps/firefly/app/netpol.yaml create mode 100644 kube/deploy/apps/firefly/app/pvc.yaml create mode 100644 kube/deploy/apps/firefly/app/secrets.yaml create mode 100644 kube/deploy/apps/firefly/app/volsync.yaml create mode 100644 kube/deploy/apps/firefly/ks.yaml create mode 100644 kube/deploy/apps/firefly/kustomization.yaml create mode 100644 kube/deploy/apps/firefly/ns.yaml create mode 100644 kube/deploy/apps/firefly/secret-pg.yaml diff --git a/kube/clusters/biohazard/config/secrets.sops.env b/kube/clusters/biohazard/config/secrets.sops.env index fcde7d2b..74504030 100644 --- a/kube/clusters/biohazard/config/secrets.sops.env +++ b/kube/clusters/biohazard/config/secrets.sops.env 
@@ -68,12 +68,16 @@ SECRET_MINIFLUX_PG_USER=ENC[AES256_GCM,data:qMBC7e5KW98=,iv:wu2+CK0pRy+uwQzDng/W SECRET_MINIFLUX_PG_PASS=ENC[AES256_GCM,data:rLuVT8S9hkQTE/T0Z6M06qgmzIt8ufC8drdofL1n19uefnLsU4WqgLZ/KYGrxQ==,iv:oLcrZilIuQf+QHCJYiQllummr4yRz6aflDhNb21GNUE=,tag:H4XCkfmJl8jQogvGDCVZOw==,type:str] SECRET_OVENMEDIAENGINE_SIGNEDPOLICY_SECRETKEY=ENC[AES256_GCM,data:5RF5A82+VFFBExTrY2QRRjUBuEq3peY/MAXDh7K/U6U3z6tzqqa+Cw==,iv:qz9k3l+Xi/O/13FPRTzIwozAVdRdGhjrFxxeo/YjUdE=,tag:aLNBq5qlxpJptIhGqLMCxg==,type:str] SECRET_OVENMEDIAENGINE_ACCESSTOKEN=ENC[AES256_GCM,data:5wq3Eh0MR/yZ09VIOCoiPO4bxRHkMU3S8AVlsR0BZVQpm/q/8WBjh+E7rxb2NlX+D2Lsdsy2VkGVKlD7DU2ysOe+h40HmxmW66A9dZAS/IoQfxfE3QXquVmHrRvdd7GEPi36sw51ZDstfWiL1YRA0TV6mfAi+Z/1UgD3bMlL7QI=,iv:rczJrTn9trKCWd1qdw1DyZDdLhjEE8nfNysYtkiXV1s=,tag:Gnd8kEAGLScgRW5ffWiOpQ==,type:str] +SECRET_FIREFLY_APP_KEY=ENC[AES256_GCM,data:3QESMqZ4oVXlczAALYAPBgPcP/PZKF8gyhK6efYU4Jk=,iv:xNd99n5fwWG/6Aa1ZCDRaRHOq5Cj3tjIHVS3KnGesPM=,tag:oWn0Bx2XYOaqYvGpqMMQJg==,type:str] +SECRET_FIREFLY_PG_SUPER_PASS=ENC[AES256_GCM,data:5xfK7H3pl1mLlhgehQu+zLrT5RB+2N5oD30zoTNpWzAzKWtsUghV42D6nT8lFAhdFK0IAE8aQFwE4jjgVLUsn3mdwNYHQehp3fHEUpRUBP9quq8YmL+alhSE,iv:qXDnjdj2PLw7BYL1OVFXYOLb4dlwK1K18mdkUyR2mn8=,tag:pxc4154huxbvBAlmloDfAA==,type:str] +SECRET_FIREFLY_PG_DBNAME=ENC[AES256_GCM,data:3EA1/0emxdAbSdIxpcSAr6hjA6nGwIT5izab0fzR,iv:lnLSBreHziLwHFBP+fKAoTOzUAC/L+TCVQJB6RkdJtg=,tag:NiX/M8WAz+qLm/1zt55sXQ==,type:str] +SECRET_FIREFLY_PG_USER=ENC[AES256_GCM,data:+0n0LWhlYfcgyrQZPaN/JHk9HNIKspJLEIS4QXUB,iv:ShpL1UA0EzkLdg/k7/33XjsdP5cTA5x+1l/iSOMLrxA=,tag:vfkj00ciXtpbVZqQ5Eicfg==,type:str] +sops_lastmodified=2023-07-16T22:13:41Z sops_unencrypted_suffix=_unencrypted -sops_version=3.7.3 -sops_age__list_0__map_recipient=age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj -sops_lastmodified=2023-06-24T22:17:31Z sops_pgp__list_0__map_enc=-----BEGIN PGP 
MESSAGE-----\n\nhF4DAAAAAAAAAAASAQdANDTQwVjZ/Ad3iqBe0LL2sGCrEvrl6W6VaMjFgJCUkzYw\nwASmi9Y/OqREXtEItA1rKZDTM38LuMfcU4vAeEV0SNWlW5CQquN8UpLwMATrBdXr\n0lwBcvIZFLbbnfqFAdJ1EzbRWvHuh+yn5DBMH+odm3ZLaJqiiV9EaWhfl2rdIOr4\nPJQf6Ev1hueWmc9H45a8nvwH8sOl9MH9hl3TW7o9JOOhGmZ4BBVaSJW6f0UiZw==\n=iSQg\n-----END PGP MESSAGE-----\n -sops_pgp__list_0__map_created_at=2023-06-01T18:01:07Z -sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxalh5ckhGWGxFTmFqSDQv\ndXlPOUlyYVNkWHA5VGN2TERvaWtWMHlJdFRNCnQ1NlJldEgxb2E0VEdVSDVpbHp5\nZEpTMEQ5dWU0Q2ZWTFBOZFp5Ti95ejQKLS0tIDF0c3VlazRzVWtVQ1JXT3hyTWNN\nWXpUSUNydGY4V04xZ2dTSzlvWmNOTGsKQ3rimeB7zqB4dYMp1pR1AOltXk+GhGsb\ns0jDxr/SiPUaiYoVCY4fqu9geXNRDGlPh3T2Lhs9Siif4Vnc8qTQBw==\n-----END AGE ENCRYPTED FILE-----\n -sops_mac=ENC[AES256_GCM,data:Q97o4w/Ge5ZNtrei4yuwqPhZcVGAVfyAgvaGSiUvb5Sav/u4+T2uxZSdbf5p+nlLgszVo5CmW7hw1dvn1edKTB/RqHCJk2U/Ue1cpWZ8M/3rj3IioR4GybHIxKpQiTNCmIBn00YJx8l+0new0ohxnaWfGxsXcYboHxPninSOkpI=,iv:GLzaZSJvMjEvLCWqKajP2x9qmE9mieiaSEOQngqB0Fc=,tag:iAtNDY7Zq9lpT0E/zZTZZw==,type:str] sops_pgp__list_0__map_fp=31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2 +sops_version=3.7.3 +sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxalh5ckhGWGxFTmFqSDQv\ndXlPOUlyYVNkWHA5VGN2TERvaWtWMHlJdFRNCnQ1NlJldEgxb2E0VEdVSDVpbHp5\nZEpTMEQ5dWU0Q2ZWTFBOZFp5Ti95ejQKLS0tIDF0c3VlazRzVWtVQ1JXT3hyTWNN\nWXpUSUNydGY4V04xZ2dTSzlvWmNOTGsKQ3rimeB7zqB4dYMp1pR1AOltXk+GhGsb\ns0jDxr/SiPUaiYoVCY4fqu9geXNRDGlPh3T2Lhs9Siif4Vnc8qTQBw==\n-----END AGE ENCRYPTED FILE-----\n +sops_mac=ENC[AES256_GCM,data:JM2M/N5/PKT/S0xi4XBdc0IFHbLMFE0XWY1Fty8WSXwkVhlSd+PKVfwHHtALnp6pYTrdCb8DcIN0K0DsTmrsXQ4B8+j0Oz2QQCxIRRkFAi1Vl9SZswiidU911R/zsemKsEBO+r0fXYBD7jeX0mpSPiBSq5oDhOj3KyjZLltsviY=,iv:mxgE12LYSuuMNYVhPJm8Qi64RRqSBWi/E45D5tDycr8=,tag:4DWe6+u40VCacsECN9rkhQ==,type:str] +sops_pgp__list_0__map_created_at=2023-06-01T18:01:07Z 
+sops_age__list_0__map_recipient=age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj diff --git a/kube/clusters/biohazard/config/vars.sops.env b/kube/clusters/biohazard/config/vars.sops.env index 897c73dc..7b262e9e 100644 --- a/kube/clusters/biohazard/config/vars.sops.env +++ b/kube/clusters/biohazard/config/vars.sops.env @@ -2,6 +2,7 @@ CLUSTER_NAME=ENC[AES256_GCM,data:VEDYOJ8ZUwrG,iv:Wr1n+LLZNiB0m9PHs+jjRJssXWpvNKV CLUSTER_NAME_UPPER=ENC[AES256_GCM,data:brbPB3I9mZVo,iv:a4qpy23gX77lAhqtQ9Nj1YnPA420cqw+OknBEUURgDQ=,tag:jB+C2Oc2y9tUMNO881OKvw==,type:str] CONFIG_CILIUM_CLUSTER_ID=ENC[AES256_GCM,data:fs/S,iv:DhNm7cffZkRwtq5K6oK/z/DaWdQNVkJA1SBnur+AeFc=,tag:9UudcbEBO52EyXHPUOEfUA==,type:str] CONFIG_TZ=ENC[AES256_GCM,data:yjenwiH185SgIz1gDHs=,iv:zWulurvktdU7e+866iNrafkjqAuqZSnJtx8kq7RhNTM=,tag:M5IkAMqEep8dIIbHGXetIg==,type:str] +ADMIN_EMAIL=ENC[AES256_GCM,data:wbMUdJNx+sDHW4CsPjXygR9o7NDSDw==,iv:r692Zq4sXcNuqfOfqTQOvO70XekdRcJLcvaZVrOW6Io=,tag:SoRRgPh7doIrAaI8a4iSRw==,type:str] USERS_1_UID=ENC[AES256_GCM,data:DY9qIA==,iv:M0E4LpIkCL4gABzOEzLVBHjGfXpPtYXb1ssezvN4D9o=,tag:wopQ/2iWx7aoxnLaQrYgFg==,type:str] USERS_1_ID=ENC[AES256_GCM,data:KC5Etz5c60gQ,iv:1kEHHkNqOxZVC+2InmSigQ+cnezXtZtSRTkzuaqYIAE=,tag:jMTC/BjiH8O+Tzfa//a3ig==,type:str] USERS_1_NAME=ENC[AES256_GCM,data:sPOtMDyiXKKt,iv:Qx2Kbrtgh6qhD5kIe4P6mEZ6H4mGhFHs1exEeiiwJew=,tag:TcmlQ+lx/3soaPDQ0WYRTA==,type:str] 
@@ -104,6 +105,8 @@ APP_DNS_ATUIN=ENC[AES256_GCM,data:Kgs4WlWUPIJYD+87,iv:uUeziXEoVAFqfUWE2o/onryjeT APP_UID_ATUIN=ENC[AES256_GCM,data:HYuHZ24=,iv:zHsrDTCdO0T4+RCAun8PRVyRiIlQHI4ijxIn+XS21x4=,tag:lFgExxN5ltzTzJtAvxy6rQ==,type:str] APP_DNS_MINIFLUX=ENC[AES256_GCM,data:BbbqsaMScHlifA==,iv:fIj1yKEoPyqvQoyMz5tghISWAcNL1A/3U4i2qBdt22c=,tag:/AVqrNyeL+Dm+F79ZbxyFA==,type:str] APP_UID_MINIFLUX=ENC[AES256_GCM,data:voTUTRE=,iv:uI1q5m+6yoQU+PtGVTrHU5uEgeC34Uow6g4gu8Agk3E=,tag:0/x8Il74NMp7gssnPNn61Q==,type:str] +APP_DNS_FIREFLY=ENC[AES256_GCM,data:Z63+ioekJKPZatek,iv:BOx+OthYjX6Gwn8XxHPUIS9dHcF9yAN70iIO7rwfrMA=,tag:Cm384NVsLFjTjtphYRfZUw==,type:str] +APP_UID_FIREFLY=ENC[AES256_GCM,data:jWRGD+8=,iv:dVYdD0RaflZjsMLD5+PZOlvOE1RvTKGTiGrc046aVw8=,tag:M9rY2p0BdfViDh3p48wbCg==,type:str] APP_DNS_OVENMEDIAENGINE=ENC[AES256_GCM,data:dyvSaVilJkBbBF88NW6aIsuVx1iTZss=,iv:Gb7V+4xmtYou/r0Y7avvX/oxtuMUiQ34vNnvhV3K3d0=,tag:lCrVrZ8PQzeRL1XC3nncVg==,type:str] APP_IP_OVENMEDIAENGINE=ENC[AES256_GCM,data:DkdaSMMW5NOTRHA=,iv:rbSo41gsGni4JvrMEnF2JyVKDvUc94EwJCwgpFAlNCo=,tag:C8gGscAF5TEq2krvXWkE7Q==,type:str] APP_UID_OVENMEDIAENGINE=ENC[AES256_GCM,data:ikSvegw=,iv:uWQZ+ECxaauHa5e77lxvr0CH20Ya7+jui7gZqYCVciA=,tag:YTfpLstA7TvvxvkXwWWi7A==,type:str] 
@@ -123,12 +126,12 @@ CONFIG_ZEROTIER_ENDPOINT=ENC[AES256_GCM,data:tOyIlrzdn8sck7um7OSicq5T0XWAmymaRLn CONFIG_AUTHENTIK_REMOTE_HOST=ENC[AES256_GCM,data:Iv7k3CoKsLrQf0PRIfhGMCAjOU3AdweS+LFWMeEQoWc=,iv:TsRwWDUrI3zAgBgFRkZAYUNlZV0Q/gOlGjKFrheM0nE=,tag:38OGfWYEm/h/+FH7IsIH3Q==,type:str] CONFIG_HEADSCALE_IPV4=ENC[AES256_GCM,data:EZ7GMHA6u1wWPS5g6Pg=,iv:W1hcseQ4Q6CisTXnDLI7hWTy18fIVKtZ46tudCyhfa4=,tag:2WnnNjuZhwUPG07OKTQt2g==,type:str] CONFIG_OVENMEDIAENGINE_NAME=ENC[AES256_GCM,data:58CuH8bcUHWXBZA=,iv:BN7x6aAJPbzIn25sNoycsHRE5pugkubLS2VrM77+g/E=,tag:6JAsRjU0L6wbZtns3rk6KQ==,type:str] -sops_age__list_0__map_recipient=age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFSXFvLzFQaFJ0OVJKUFV5\nTWh2OUltUlpJWFlVVytFYU9VajBHSnQ4SGdjCnRVbEVXdDVyUHJrR05Ba0xvUm1l\nTkt2YmNUZy90ZFA2b3QrODFKZ01EVG8KLS0tIEw2dkd1cnFCbnI5eWxKL2o1aDVB\nN0hveXZ2dWdxQ2k2L0pGR0ROMStVTmsK4dV/hNyDjsYnVUiFQ7kqdmcVHfYyVckz\nh/rwLjcZgsup72WDVP3v6Eul8B3LKFrSb8CDFA54tyQmSdFDCQC+Zg==\n-----END AGE ENCRYPTED FILE-----\n -sops_unencrypted_suffix=_unencrypted -sops_mac=ENC[AES256_GCM,data:y1VZHReNoFV2saUsBtIp5IncWZr1JoyLBzOSv9gSoDqPO1yGSJRsWqnNZhdbzNBTeKrcaZIxldFHiUFwPGHa3pEadkhNHcPOv1uidsKoeJUm1hI1gGcJPj5j6oyK+vtOd2GpiUjurKDhvkaRGuCUit3UoX5LofoWigG5xFtK7tI=,iv:VPyRzB4/gur1qEWqi70R26EGCGrfhJmABpU3eQ56M00=,tag:fx6QDKZW7rS51T4OKC/81g==,type:str] -sops_pgp__list_0__map_fp=31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2 +sops_age__list_0__map_recipient=age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj +sops_mac=ENC[AES256_GCM,data:TZqTBrYmSQiIo6GFhGXYKeeh6gTieYisfRtInXXD7nfGPyJCnLICC8Rajt59AoA5R2gSTwJXo+Wi4OC8mVeLS8ckf5EllOZeRhEhbygj5R1HQlqjHn3Vgw8vGy1fcbLxBwShYfVPXS+3trMPqMFv7fvwzzN1JAIRN47tNG5E+Ao=,iv:CATKvcj7Qyc+LfL/vmDuKBOMnkkGgyf1BfQWo4NGuxA=,tag:D6op/eANwVDl72HpzzOgcA==,type:str] sops_version=3.7.3 -sops_lastmodified=2023-06-29T21:14:36Z sops_pgp__list_0__map_created_at=2023-06-01T18:01:04Z 
sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhF4DAAAAAAAAAAASAQdAbA35718t0WVKrjQFYUPviCb0lVuh8NpfSdJCHjHcWWww\n8ak4q4VL69tZLSjQHx+VsMmKooknxWz6pw0lGxyDYlZMQ81bodInjaZGFZSz8Uuh\n0l4BhDCNDBBALTrnTliz6/DAHvmavI4UxMHost5alFio9JPkTDNmXZyvcy1/R6aw\n/uhQXLUBRvm0TSOhBZb7d0SLkLfe02Um40w1TibpKXsZz1GOMbPRNBMHHra0QIuQ\n=0jA+\n-----END PGP MESSAGE-----\n +sops_unencrypted_suffix=_unencrypted +sops_lastmodified=2023-07-16T22:15:23Z +sops_pgp__list_0__map_fp=31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2 diff --git a/kube/clusters/biohazard/flux/kustomization.yaml b/kube/clusters/biohazard/flux/kustomization.yaml index e9fe3e3c..39665ca3 100644 --- a/kube/clusters/biohazard/flux/kustomization.yaml +++ b/kube/clusters/biohazard/flux/kustomization.yaml @@ -53,5 +53,6 @@ resources: - ../../../deploy/apps/atuin/ - ../../../deploy/apps/miniflux/ - ../../../deploy/apps/elk/ + - ../../../deploy/apps/firefly/ - ../../../deploy/apps/livestream/ - ../../../deploy/apps/livestream/oven diff --git a/kube/deploy/apps/firefly/app/hr.yaml b/kube/deploy/apps/firefly/app/hr.yaml new file mode 100644 index 00000000..690c407d --- /dev/null +++ b/kube/deploy/apps/firefly/app/hr.yaml 
@@ -0,0 +1,127 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2beta1 +kind: HelmRelease +metadata: + name: &app firefly + namespace: *app +spec: + chart: + spec: + chart: app-template + version: 1.5.1 + sourceRef: + name: bjw-s + kind: HelmRepository + namespace: flux-system + values: + global: + fullnameOverride: *app + automountServiceAccountToken: false + controller: + type: deployment + replicas: 1 + image: + repository: docker.io/fireflyiii/core + tag: version-6.0.17 + podLabels: + ingress.home.arpa/nginx: "allow" + env: + TZ: "${CONFIG_TZ}" + APP_ENV: "production" + APP_DEBUG: "false" + LOG_CHANNEL: "stdout" + APP_LOG_LEVEL: "notice" + AUDIT_LOG_LEVEL: "info" + DEFAULT_LANGUAGE: "en_US" + DEFAULT_LOCALE: "equal" + SITE_OWNER: "${ADMIN_EMAIL}" + APP_KEY_FILE: &file-app-key "/secretkey" + APP_URL: "https://${APP_DNS_FIREFLY}" + TRUSTED_PROXIES: "*" + COOKIE_PATH: "/" + COOKIE_DOMAIN: "${APP_DNS_FIREFLY}" + COOKIE_SECURE: "true" + COOKIE_SAMESITE: "lax" + DISABLE_FRAME_HEADER: "false" # just to be sure + DISABLE_CSP_HEADER: "false" # just to be sure + TRACKER_SITE_ID: "" # just to be sure + TRACKER_URL: "" # just to be sure + AUTHENTICATION_GUARD: "remote_user_guard" + AUTHENTICATION_GUARD_HEADER: "X-authentik-uid" + AUTHENTICATION_GUARD_EMAIL: "X-authentik-email" + DB_CONNECTION: "pgsql" + DB_HOST: "pg-firefly-rw.firefly.svc.cluster.local" + DB_PORT: "5432" + DB_DATABASE_FILE: &file-db-name "/db/database" + DB_USERNAME_FILE: &file-db-user "/db/username" + DB_PASSWORD_FILE: &file-db-pass "/db/password" + PGSQL_SSL_MODE: "prefer" + PGSQL_SCHEMA: "public" + CACHE_DRIVER: "file" + SESSION_DRIVER: "file" + SEND_ERROR_MESSAGE: "true" + SEND_REPORT_JOURNALS: "false" + ENABLE_EXTERNAL_RATES: "true" + ALLOW_WEBHOOKS: "false" + service: + main: + ports: + http: + port: 8080 + ingress: + main: + enabled: true + primary: true + ingressClassName: nginx + hosts: + - host: &host "${APP_DNS_FIREFLY}" + paths: + - path: / + pathType: Prefix + tls: + - hosts: + - *host + 
podSecurityContext: + runAsUser: &uid ${APP_UID_FIREFLY} + runAsGroup: *uid + fsGroup: *uid + fsGroupChangePolicy: Always + persistence: + data: + enabled: true + existingClaim: firefly-uploads + mountPath: "/var/www/html/firefly-iii/storage/upload" + app-key: + enabled: true + type: secret + name: firefly-secrets + subPath: app-key + mountPath: *file-app-key + readOnly: true + db-database: + enabled: true + type: secret + name: firefly-secrets + subPath: db-name + mountPath: *file-db-name + readOnly: true + db-username: + enabled: true + type: secret + name: pg-firefly-app + subPath: username + mountPath: *file-db-user + readOnly: true + db-password: + enabled: true + type: secret + name: pg-firefly-app + subPath: password + mountPath: *file-db-pass + readOnly: true + resources: + requests: + cpu: 10m + memory: 200Mi + limits: + memory: 500Mi diff --git a/kube/deploy/apps/firefly/app/netpol.yaml b/kube/deploy/apps/firefly/app/netpol.yaml new file mode 100644 index 00000000..3f616e62 --- /dev/null +++ b/kube/deploy/apps/firefly/app/netpol.yaml @@ -0,0 +1,18 @@ +--- +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + name: &app firefly + namespace: *app +spec: + endpointSelector: {} + ingress: + # same namespace + - fromEndpoints: + - matchLabels: + io.kubernetes.pod.namespace: *app + egress: + # same namespace + - toEndpoints: + - matchLabels: + io.kubernetes.pod.namespace: *app diff --git a/kube/deploy/apps/firefly/app/pvc.yaml b/kube/deploy/apps/firefly/app/pvc.yaml new file mode 100644 index 00000000..9f567585 --- /dev/null +++ b/kube/deploy/apps/firefly/app/pvc.yaml @@ -0,0 +1,15 @@ +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: firefly-uploads + labels: + app.kubernetes.io/name: firefly + app.kubernetes.io/instance: firefly +spec: + storageClassName: file + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 10Gi \ No newline at end of file 
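Review bot: The env block turns on `AUTHENTICATION_GUARD: "remote_user_guard"` with `AUTHENTICATION_GUARD_HEADER: "X-authentik-uid"` and `AUTHENTICATION_GUARD_EMAIL: "X-authentik-email"`, but the `ingress.main` block carries no forward-auth annotations, so unless the `nginx` ingress class already applies authentik forward-auth globally, a client that reaches the ingress and supplies its own `X-authentik-uid` header is logged in as that user with no credential check at all. Add under `ingress.main.annotations` the nginx trio `nginx.ingress.kubernetes.io/auth-url`, `nginx.ingress.kubernetes.io/auth-signin` and `nginx.ingress.kubernetes.io/auth-response-headers: "X-authentik-uid,X-authentik-email"` pointing at the authentik outpost, so nginx sets those headers from the auth response instead of passing the client's values through; the network policy that keeps everything other than the ingress controller away from port 8080 is the other half of that control. Firefly reads the guard header via PHP's server variables, so the name may have to be spelled `HTTP_X_AUTHENTIK_UID` — verify against the Firefly docs before relying on it. `TRUSTED_PROXIES: "*"` trusts X-Forwarded-* from any source and `PGSQL_SSL_MODE: "prefer"` allows a plaintext fallback to `pg-firefly-rw`; narrowing the former to the ingress controller's addresses and raising the latter to `require` are both one-line changes.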
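Review bot: With `endpointSelector: {}` and an `egress` list that only permits `toEndpoints` in the `firefly` namespace, every pod in the namespace — the CNPG cluster, the volsync restic mover and the Firefly container whose `ENABLE_EXTERNAL_RATES` is on — is denied DNS, the S3/R2 endpoints and the internet unless a cluster-wide Cilium policy not in this patch opens them (the `ingress.home.arpa/nginx: "allow"` pod label hints that such policies exist). If they do, say so next to the rule (`# DNS, ingress-nginx and egress to object storage are granted by the cluster-wide policies`); if not, the rates fetch and both backup paths will fail silently at the network layer. At minimum an explicit DNS egress rule with an L7 DNS filter keeps the namespace usable while staying default-deny, as below (adjust the kube-dns labels to the cluster's DNS deployment).
```yaml
  egress:
    # same namespace
    - toEndpoints:
        - matchLabels:
            io.kubernetes.pod.namespace: *app
    # cluster DNS (labels assumed — confirm against the DNS deployment)
    - toEndpoints:
        - matchLabels:
            io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: ANY
          rules:
            dns:
              - matchPattern: "*"
```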
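Review bot: The PersistentVolumeClaim `firefly-uploads` has no `metadata.namespace`, unlike the Secret and HelmRelease in the same directory, and the `firefly-app` Kustomization in ks.yaml sets no `targetNamespace`; unless Flux defaults namespace-less objects to `firefly` in this setup, the claim lands elsewhere and neither `existingClaim: firefly-uploads` in the HelmRelease nor `sourcePVC` in the ReplicationSource will resolve. Adding `namespace: firefly` under `metadata` removes the ambiguity. The file also ends without a trailing newline.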
diff --git a/kube/deploy/apps/firefly/app/secrets.yaml b/kube/deploy/apps/firefly/app/secrets.yaml new file mode 100644 index 00000000..52ec7ae5 --- /dev/null +++ b/kube/deploy/apps/firefly/app/secrets.yaml @@ -0,0 +1,10 @@ +--- +apiVersion: v1 +kind: Secret +metadata: + name: "firefly-secrets" + namespace: "firefly" +type: Opaque +stringData: + app-key: "${SECRET_FIREFLY_APP_KEY}" + db-name: "${SECRET_FIREFLY_PG_DBNAME}" \ No newline at end of file diff --git a/kube/deploy/apps/firefly/app/volsync.yaml b/kube/deploy/apps/firefly/app/volsync.yaml new file mode 100644 index 00000000..24f5e288 --- /dev/null +++ b/kube/deploy/apps/firefly/app/volsync.yaml @@ -0,0 +1,36 @@ +--- +apiVersion: v1 +kind: Secret +metadata: + name: firefly-restic + namespace: firefly +type: Opaque +stringData: + RESTIC_REPOSITORY: ${SECRET_VOLSYNC_R2_REPO}/firefly + RESTIC_PASSWORD: ${SECRET_VOLSYNC_PASSWORD} + AWS_ACCESS_KEY_ID: ${SECRET_VOLSYNC_R2_ID} + AWS_SECRET_ACCESS_KEY: ${SECRET_VOLSYNC_R2_KEY} +--- +apiVersion: volsync.backube/v1alpha1 +kind: ReplicationSource +metadata: + name: firefly-restic + namespace: firefly +spec: + sourcePVC: firefly-uploads + trigger: + schedule: "0 6 * * *" + restic: + copyMethod: Snapshot + pruneIntervalDays: 14 + repository: firefly-restic + cacheCapacity: 2Gi + volumeSnapshotClassName: file + storageClassName: file + moverSecurityContext: + runAsUser: ${UID} + runAsGroup: ${UID} + fsGroup: ${UID} + retain: + daily: 14 + within: 7d diff --git a/kube/deploy/apps/firefly/ks.yaml b/kube/deploy/apps/firefly/ks.yaml new file mode 100644 index 00000000..0c9d979c --- /dev/null +++ b/kube/deploy/apps/firefly/ks.yaml 
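Review bot: `moverSecurityContext` uses `${UID}` for runAsUser/runAsGroup/fsGroup while the application pod in hr.yaml runs as `${APP_UID_FIREFLY}`; `UID` is not among the variables this patch defines, so confirm it resolves in the cluster vars, and if the two ids differ the mover will be reading a volume that `fsGroup` chowned to another id. The restic Secret also reuses `SECRET_VOLSYNC_PASSWORD` and the `SECRET_VOLSYNC_R2_*` credentials, which by their lack of an app prefix (compare `SECRET_FIREFLY_*`) appear to be shared by every app, so reading any one namespace's `*-restic` Secret unlocks every app's backup repository. A per-app repository password (e.g. `SECRET_FIREFLY_VOLSYNC_PASSWORD`) and an R2 token scoped to the `firefly` prefix would contain that blast radius; if sharing is deliberate, a comment on the Secret saying so would stop the question being asked again.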
@@ -0,0 +1,53 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: firefly-app + namespace: flux-system + labels: + wait.flux.home.arpa/disabled: "true" +spec: + path: ./kube/deploy/apps/firefly/app + dependsOn: + - name: 1-core-ingress-nginx-app + - name: firefly-db +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: firefly-db + namespace: flux-system + labels: + substitution.flux.home.arpa/disabled: "true" +spec: + path: ./kube/deploy/core/db/pg/clusters/template + dependsOn: + - name: 1-core-db-pg-app + postBuild: + substitute: + PG_APP_NAME: &app "firefly" + PG_APP_NS: *app + PG_CONFIG_VERSION: "15.2-11" + PG_CONFIG_SIZE: "20Gi" + PG_DB_REBUILD: "v1" + PG_DB_LCOLLATE: "en_US.utf8" + PG_DB_LCTYPE: "en_US.utf8" + substituteFrom: + - kind: Secret + name: "firefly-db-secret" + optional: false + - kind: Secret + name: "${CLUSTER_NAME}-vars" + optional: false + - kind: Secret + name: "${CLUSTER_NAME}-secrets" + optional: false + healthChecks: + - name: pg-firefly-s3 + namespace: firefly + kind: ObjectBucketClaim + apiVersion: objectbucket.io/v1alpha1 + - name: pg-firefly + namespace: firefly + kind: Cluster + apiVersion: postgresql.cnpg.io/v1 \ No newline at end of file diff --git a/kube/deploy/apps/firefly/kustomization.yaml b/kube/deploy/apps/firefly/kustomization.yaml new file mode 100644 index 00000000..d727697b --- /dev/null +++ b/kube/deploy/apps/firefly/kustomization.yaml @@ -0,0 +1,7 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - secret-pg.yaml + - ns.yaml + - ks.yaml diff --git a/kube/deploy/apps/firefly/ns.yaml b/kube/deploy/apps/firefly/ns.yaml new file mode 100644 index 00000000..a6e8f1c0 --- /dev/null +++ b/kube/deploy/apps/firefly/ns.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: firefly 
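Review bot: The `firefly-db` Kustomization feeds the entire `${CLUSTER_NAME}-secrets` Secret into the Postgres template via `substituteFrom`, alongside the purpose-built `firefly-db-secret`, so every secret in the cluster env (other apps' credentials included) is available to that build even though the only values visibly passed are `PG_*`. If the template needs nothing beyond `firefly-db-secret` and the vars Secret, drop the `${CLUSTER_NAME}-secrets` entry; if it does need more, name the keys in a comment next to it. `firefly-app` itself has no `postBuild` block although hr.yaml and secrets.yaml use `${SECRET_FIREFLY_APP_KEY}` and friends — presumably a repo-level patch adds substitution to every Kustomization not labelled `substitution.flux.home.arpa/disabled`; a one-line comment on the `firefly-app` object saying so would save the next reader the hunt. The file ends without a trailing newline.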
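Review bot: The `firefly` Namespace carries no Pod Security Admission labels although the workload in hr.yaml is already shaped for it (fixed non-root `runAsUser`/`runAsGroup`, `automountServiceAccountToken: false`). Adding `labels: {pod-security.kubernetes.io/enforce: baseline, pod-security.kubernetes.io/warn: restricted}` under `metadata` would enforce that at admission and surface what `restricted` still needs; the HelmRelease as written would fail `restricted` because it sets no `allowPrivilegeEscalation: false`, `capabilities.drop: ["ALL"]` or `seccompProfile` on the container. Confirm that the CNPG and volsync mover pods other controllers create in this namespace also meet `baseline` before enforcing.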
diff --git a/kube/deploy/apps/firefly/secret-pg.yaml b/kube/deploy/apps/firefly/secret-pg.yaml new file mode 100644 index 00000000..2ecce4b7 --- /dev/null +++ b/kube/deploy/apps/firefly/secret-pg.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: v1 +kind: Secret +metadata: + name: "firefly-db-secret" + namespace: "flux-system" +type: Opaque +stringData: + PG_DB_NAME: "${SECRET_FIREFLY_PG_DBNAME}" + PG_DB_USER: "${SECRET_FIREFLY_PG_USER}" + PG_SUPER_PASS: "${SECRET_FIREFLY_PG_SUPER_PASS}" \ No newline at end of file
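Review bot: `firefly-db-secret` places the Postgres superuser password (`PG_SUPER_PASS`) in `flux-system`, yet nothing in this patch consumes superuser access — hr.yaml connects through the `pg-firefly-app` Secret, which by its name is the CNPG-managed application-user credential. If the Postgres template does not need a pre-set superuser password, let CNPG generate it (or disable superuser access) rather than carrying it in a second Secret that anyone with `secrets` read in `flux-system` can lift; if it does, a comment such as `# superuser password is consumed only by the pg template` would explain why it lives here. `PG_DB_NAME` and `PG_DB_USER` are identifiers rather than secrets and could be sourced from `vars.sops.env` instead, which also keeps the secrets file's SOPS churn smaller. The file ends without a trailing newline.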