feat(homepage): add homepage and blog

Add Vue Homepage, Hugo blog and Remark 42 for comments

remodel/k8s/apps/homepage/application-set.yaml

@@ -0,0 +1,34 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+  name: homepage
+  namespace: argocd
+  labels:
+    dev.stonegarden: application
+spec:
+  generators:
+    - git:
+        repoURL: https://github.com/vehagn/homelab
+        revision: remodel
+        directories:
+          - path: remodel/k8s/apps/homepage/*
+  template:
+    metadata:
+      name: '{{ path.basename }}'
+      labels:
+        dev.stonegarden: application
+      finalizers:
+        - resources-finalizer.argocd.argoproj.io
+    spec:
+      project: homepage
+      source:
+        repoURL: https://github.com/vehagn/homelab
+        targetRevision: remodel
+        path: '{{ path }}'
+      destination:
+        name: in-cluster
+        namespace: argocd
+      syncPolicy:
+        automated:
+          selfHeal: true
+          prune: true

remodel/k8s/apps/homepage/blog/hugo/deployment.yaml

@@ -0,0 +1,48 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: hugo
+  namespace: blog
+  labels:
+    app: hugo
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: hugo
+  template:
+    metadata:
+      namespace: blog
+      labels:
+        app: hugo
+    spec:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65534
+        runAsGroup: 65534
+        fsGroup: 65534
+        fsGroupChangePolicy: OnRootMismatch
+        seccompProfile:
+          type: RuntimeDefault
+      containers:
+        - name: hugo
+          image: registry.gitlab.com/vehagn/blog
+          imagePullPolicy: Always
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            capabilities:
+              drop: [ "ALL" ]
+          envFrom:
+            - configMapRef:
+                name: hugo-env
+          ports:
+            - name: http
+              containerPort: 8080
+          resources:
+            requests:
+              cpu: 50m
+              memory: 64Mi
+            limits:
+              cpu: 1000m
+              memory: 128Mi

remodel/k8s/apps/homepage/blog/hugo/http-route.yaml

@@ -0,0 +1,19 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: hugo-http-route
+  namespace: blog
+spec:
+  parentRefs:
+    - name: euclid
+      namespace: gateway
+  hostnames:
+    - "blog.euclid.stonegarden.dev"
+  rules:
+    - matches:
+        - path:
+            type: PathPrefix
+            value: /
+      backendRefs:
+        - name: hugo
+          port: 80

remodel/k8s/apps/homepage/blog/hugo/kustomization.yaml

@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+configMapGenerator:
+  - name: hugo-env
+    namespace: blog
+    literals:
+      - TZ=Europe/Oslo
+      - SERVER_LOG_LEVEL=warn
+      - SERVER_PORT=8080
+
+resources:
+  - svc.yaml
+  - deployment.yaml
+  - http-route.yaml

remodel/k8s/apps/homepage/blog/hugo/svc.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: hugo
+  namespace: blog
+spec:
+  selector:
+    app: hugo
+  ports:
+    - name: web
+      port: 80
+      targetPort: http

remodel/k8s/apps/homepage/blog/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ns.yaml
+  - hugo
+  - remark42

remodel/k8s/apps/homepage/blog/ns.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: blog

remodel/k8s/apps/homepage/blog/remark42/deployment.yaml

@@ -0,0 +1,63 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: remark42
+  namespace: blog
+  labels:
+    app: remark42
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: remark42
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      namespace: remark42
+      labels:
+        app: remark42
+    spec:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65534
+        runAsGroup: 65534
+        fsGroup: 65534
+        fsGroupChangePolicy: OnRootMismatch
+        seccompProfile:
+          type: RuntimeDefault
+      containers:
+        - name: remark42
+          image: umputun/remark42:v1.12.1
+          ports:
+            - name: http
+              containerPort: 8080
+          envFrom:
+            - configMapRef:
+                name: remark42-env
+            - secretRef:
+                name: remark42-secret
+            - secretRef:
+                name: remark42-github
+            - secretRef:
+                name: remark42-google
+          volumeMounts:
+            - name: remark42
+              mountPath: /srv/var
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            capabilities:
+              drop: [ "ALL" ]
+          resources:
+            requests:
+              cpu: 50m
+              memory: 64Mi
+            limits:
+              cpu: 1000m
+              memory: 128Mi
+      volumes:
+        - name: remark42
+          persistentVolumeClaim:
+            claimName: remark42
+      

remodel/k8s/apps/homepage/blog/remark42/http-route.yaml

@@ -0,0 +1,19 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: remark42-http-route
+  namespace: blog
+spec:
+  parentRefs:
+    - name: euclid
+      namespace: gateway
+  hostnames:
+    - "remark42.euclid.stonegarden.dev"
+  rules:
+    - matches:
+        - path:
+            type: PathPrefix
+            value: /
+      backendRefs:
+        - name: remark42
+          port: 80

remodel/k8s/apps/homepage/blog/remark42/kustomization.yaml

@@ -0,0 +1,19 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+configMapGenerator:
+  - name: remark42-env
+    namespace: blog
+    literals:
+      - TIME_ZONE=Europe/Oslo
+      - REMARK_URL=https://remark42.euclid.stonegarden.dev
+      - SITE=stonegarden.dev
+
+resources:
+  - svc.yaml
+  - pvc.yaml
+  - secret-github.yaml
+  - secret-google.yaml
+  - secret-remark42.yaml
+  - deployment.yaml
+  - http-route.yaml

remodel/k8s/apps/homepage/blog/remark42/pvc.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: remark42
+  namespace: blog
+spec:
+  storageClassName: proxmox-csi
+  volumeName: pv-remark42
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1G

remodel/k8s/apps/homepage/blog/remark42/secret-github.yaml

@@ -0,0 +1,14 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: remark42-github
+  namespace: blog
+spec:
+  template:
+    metadata:
+      name: remark42-github
+      namespace: blog
+    type: Opaque
+  encryptedData:
+    AUTH_GITHUB_CID: AgCXAD8duSmHjp2yvx+vLBhzTDj6t1Qi+H7IreCMX4jcIbNYRvcuPl5/QqklNAqsx9depqK2tdiGpm/OlKPvhcaspndiFEGpMPh4II+NM7LojM547f+tJGGd03zQO3x4pHMnQLgE4JOhq4zDU+YSZT/g8MVDZmQuw+XHZfLH+6TpvfVrgqsH74ylWol7e6LpXo+qfv64GODN2s6PJwEXgLUYB5EcukqFz3fuHOtbaz1EbgfwznNU2n3UW7mXg712zg05CZ/JN+6zPgDXV+9sQyk9UBmy5zSka9WJISNPI5akXR5nyRLYOfGmv0J2KuAcnbIUVpkUpqAoWBy1dO2PvwWxyvc+ME8F+ZgHPajqAHx9oB7F5BoSCYUsRr/fVgGby+A9qld7Rio8LoMMEKS8fe6A9TMDPkXOyil4WuvtcQuFlfssCAHfg2bjP05TblnMIPxsQEjDh1iqj+eKE8Kmka/uX7yR7MKJxhU7prCN/kpWbWGbZIR4ECl6R1xB8MJdN6I+VG9Ipv59NeeDGUo5UZvj8/DtHvc+67fGQV3oOiBUinYxiByLDrRjacipk3oCIe14j7yclzj/rXaHaJvGpySXQrx/BTfisUuCoLpENCr7bTT2PDsK4H5vfUoo/SG8c65dlrQuF91C3ILeS0ZZMKsa90U4+OkSDZw+2O5QO+5IXWIbztI8RAPq+DrlkcQJTg+Z2Duah1A4q0JVANamiFNLUM4GkA==
+    AUTH_GITHUB_CSEC: AgCPS02vJBCvE3OvNOWg7jWXTYqPEEibShhDc+RnhORY5o3GZ0IFpaflsGEJo4dNObNFhlaMZuZp1IZ9XceFqebX65CjwtM7HfHCgLRPI4Y2x5dmUcK0RnDtqbQsc1ecr5A3A10kMYTxa8gzPkEMM/R/pb/6/hOY4CO2DgvPP6386eyrKDL41hRAXQHJm/tceg7Nq0GRRFG+kA51VeVmQavAejeyyqgatYlOkz6wiZOs4bdNRyUbA2IuidQJaivfwcFWu8+vNw73RNQBZEkw938xQPoDvcbSt1tlSm3g6oMwTrUgrcQaiKv9g1MgfgKDq6MMLQSIjB1zYse8927r7668Robtd80wkwZPdOhUdYpmOHI4uSS9x6mxqaNlTjTxeg1bjgULTKl9NAeY9djpjJRDaMGnyZhAcsnsY15MWlTlX6SazrtvYdFlkDEnUbA5ahQBltV6pFr4RE9eoi16tsKRQFKGWnLx3vZo7zNpQKbxcFHoY64swXGNNgFCg3xIFeXsuu3CeQkDnC6mwjfXZOjc6B2T25sgnPCnPT3IRi0UDlwAO1mCO+gikDta4WyP+uPQ0frhkt5nezJQc8Y/mgCLjANvIY1zeP3k2StndOS5fefB+56iBLNPxABMQxXwjNacZ+/ONwe5lDb4fpY/2EGxR4nACY+7wPbE2YPFzLv/gAYoBbxus1muSF3l4Is25r5urJE6Th3RHtCMS+VSA/4WYxxRN4ctvkmUAJ9nfzM0YrwIwXJtCW0l

remodel/k8s/apps/homepage/blog/remark42/secret-google.yaml

@@ -0,0 +1,14 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: remark42-google
+  namespace: blog
+spec:
+  template:
+    metadata:
+      name: remark42-google
+      namespace: blog
+    type: Opaque
+  encryptedData:
+    AUTH_GOOGLE_CID: AgAa1H8GiVeeW1IfzSa8IgqmgdH7FOJBJ+ymfXTLjzuXSc38WaqegeY2PFL+ekE4fGTozBE5aNK1tgVL6oL4ir+bAZD04FKUkQAlvwQtvX8ROPhn6+bV3YS1041rxKDn11e/S5GC2cEzYmtqI2VH/TOPuEbm74FTwcMvi/SImDWWsxT6RzpBoGhQf7mSFLLkRXibhO67iWnvI+/v7KEFIxuhb6t5BCmRc8tq3PVJZX1CSMXoxbo0S5xIHK0BO2Ruy6wyUKNDGS192E4a2fueM/Iyf3+DmC0jbw18W18BvwiA8aS5tSp9xOJ+qkK1qsowhi6QubOKK6yuQAEPxczp7J3LhrdZ2zfQkHIl7mR6sTjrGM8i9GFgxOcUdTsP5Rr/x+okjPgezMpoTKuVUfdZ9ide9nCHVWELRp5YQUPWk7sWskuYepfMvI/x6M62NuWGJWATy4tfBSB/psCi9amJXwL4akb6NKzzsjHcTtRnL6wpLRlLrNyN7kCtfLg8qOjxovLzEWydJznRnAs9v8gqjlUD7U7kh+k+9Nc1Rqrn8WEfb1lPHtUgoB0G+4SCzeYqHqBOgjN6RIXP4y74wSB72aN8ZFzpbfCbMlSU9gMFN+alQ0GoWGTQ4mlkuy6t8rV+C7joM/KXdvBVQ/nARyXgyde5Uoh1E8gKYaZXAFCaZySdUCznwdm1Ue+q2X33Pobf4Gqpuu9WxKWENphPs2c6iS2yMw6T4mPU4yyLunipLqRrXf4VQMiwxD1YP1QK7ZkeCkoMQOqS6pOKDFaP4u/NVAxANH2otoha5VM=
+    AUTH_GOOGLE_CSEC: AgB5ZOQUZgptMzvi3IR+XWq6a2FA5NeBg8kxEJBbRhtRRevoQ0p+puHtyT1skX9t4rhdFgRKpJPuEAzus63t4mrv9PPJ9l3XXvmztFsXLTpJdDWXoskaFD9kks+BJzlS6kCFYmLnljm5E3rHk1B1ImrePus1YtMbjOev8Arzxkks2EqFW9k88LpXsgVyya2ueUNvCdE6LmSjIKa9W33+Tm5qgoNYbXY6zAaMQzhiN2PA46oHBccabxKSzVbdaDj7Xz3IAzb5TF7GSQlHCClU3p0hgBninL9nuuVyICH2I+5m0Vv9LnmJ+CItkA/8FZNbxUX4Z7ZMaG9gl3jAtBJqbz54KeTCgOz9HZarEI5EepWKom0VqBY8/05BqMQz1om7Y7FlCx5lZ6FjnJVBD2cGc/g7q824Q1X8POQnh46gnLySd2FCOSv38QoJjdkzdMjT61LTqSnPT7R8ZE0+lMCkmBopsBs8DbuM5/YxjFUzsVj9zs5mq/EWl5G835l+aHXkQWOmlE9UOiD7nPWQX58sL8QZdt0Maj/Q84CMHWS1ZWtV+lmA98XnT5oHwE9GL3SNCVWW33Ld6KQlxPyuMol0PsiNySJVzu+yX2S/BzMrmcrgLqAiZvI5dXX5RfUE3uQmyekxMPYh9B5BBmr9SS3WB0o5kEdEF4stt1UhWRj/Sazdh5TWJ8NP6brkS+CXhX9RA9pAW3wvFAPUbu7w+Be/cRm4wJpm8J6ekm+4PIKUVoE5J7EnIw==

remodel/k8s/apps/homepage/blog/remark42/secret-remark42.yaml

@@ -0,0 +1,14 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: remark42-secret
+  namespace: blog
+spec:
+  template:
+    metadata:
+      name: remark42-secret
+      namespace: blog
+    type: Opaque
+  encryptedData:
+    ADMIN_SHARED_ID: AgB/aNJf9wbGvxZjqooeNaCTGSSi+Mq9ihYlI8bnendht9BRpT1Kil2x9S+J1FSnzpW0xYFjCM6wYPUxBFU8G+/vU7ZdmUHUt+ID/aHDju5HmL28OIMdgijJBK0KXXs+qZGM5TzYl7nu4fUAc/qM0S4dGket6Sfb8haJEW3DOpgJ1LqGptaAhHwHLdT91qjkGSw/vEK9GtQFVbcF6q+O699gXKY52u+D8JrfItp+LIOqhcpDnGA7R9alwCBOtsw0cFxUTyYTojlmU4EKggqgzP0vssLYBiv9Du8k0IUUZw8lU/lsOVTR8xJB0ZdeIB6tSwUO+T1WhmTzv0MoJM2picujHVdfWMXA2SGPVnAFCXqopnqXpFLv/oDGgqDAV8PxAO3HlyYV3+yir6LnurEZgtSoyVG5RErJRLwsjZthfAUeJyl/uo7fSQQ1bFRIUaMk/8qmxOv/h0EiDg/nWZlJaD3Bdi+xGt8m+SpzUQitsEPR98L8ccRPyKDRUGp37+JbPDQzYxLnLwmvb1GLcNkApvpGD/IimlHLMM9M5HiMILUEoJL7KU5BX5epgSA5T2VVrdLu00kjQK5f8iRGXUWc4R8/t+BFPgm0PIu2aUeC1p59Gk82gVL8uTI8CBehjWeRvhtVFl/U4fqpyvgKy6hrAu89Bs+WrJ7YdwYs9CJfQ87WTaSW+b2z6YBcOTbFrtbd1hvDSypr9O+L4FxorvB78F7K7ixiaugCreFWX1x85J2tzVl8Aal+JQXezszXMuCJ4Oeqe2Aykvr1SXek/jdEdbXUb0tIvwZWOEdvXD4a+g6i/5v2iEhWk1suEwdEBRpW7Q==
+    SECRET: AgAINe0r/Bk3kMdrMba/+kCiMsAuNE5OIptTnmzBlZfpTWuAo9ozKRVBBvo+/zGDmlETQMlq4C1MsrvcPHXnJols8DCfufMVuIyMWosxzhVOiApoEc6MGwy6QfgI19AbliBes5fCTqGHc39WKg+UA64OkEl5H+LtMezPC6EGnezL7sD5rrc3Vqdi7x/XfrwBI6xJ044aE8wRH6syuH1Py2FPdn8Y07DaV2Wuz9jNIhhjNQdDy80G+q6GHYKi0PsMe8zdLyd9rCxWmMk6SW8pyjTf2xn48Tp1ep9zfauhCnUQWDwPTz3JWe6GmPpTAH+xKDk5Glhyl6h0E/ScQJzdhUKcfh0idw8yALnzQhYPRQD4g/CcBXeu7DGURw8TM4VpwFPQAHVDfD2qvqfEaVoXCZkLpPGTotj8wr7MnB1nK8Ibcj4KbgGqIM6SlCS/AmlpmIBWlEQrAPYF9Hj/JR74+F43HZrwx2Ux8/8GBJCYlBgX9QAqrfffIBsDH89PPXyJgwTK3T1PMrRFRf7fx71NmOFogy7cBgiYYMka0VmCtDLvUfegO1KcQ1rjaNYkLai48u/CP/7Nyvz6LrF1tXe6w0AoEgRMGGZpB9InoF+5Xo8ZL9eZcz6dKyO1tUbIIEE5xbU7dGruWfcDh2upGAjbKQDcnZE+RaWallxaX+jfubwTh8G0Vah9wxt08ifTzF7R0AnAahS/8JQuo4R+kylczMNMTelOaelIN9Obx82JQBiAGrPTmXPW2RYr

remodel/k8s/apps/homepage/blog/remark42/svc.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: remark42
+  namespace: blog
+spec:
+  selector:
+    app: remark42
+  ports:
+    - name: web
+      port: 80
+      targetPort: http

remodel/k8s/apps/homepage/kustomization.yaml

@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: argocd
+commonLabels:
+  dev.stonegarden: app-management
+  app.kubernetes.io/managed-by: argocd
+
+resources:
+  - project.yaml
+  - application-set.yaml

remodel/k8s/apps/homepage/project.yaml

@@ -0,0 +1,18 @@
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+  name: homepage
+  namespace: argocd
+spec:
+  sourceRepos:
+    - 'https://github.com/vehagn/homelab'
+  destinations:
+    - namespace: 'argocd'
+      server: '*'
+    - namespace: 'blog'
+      server: '*'
+    - namespace: 'stonegarden'
+      server: '*'
+  clusterResourceWhitelist:
+    - group: '*'
+      kind: '*'

remodel/k8s/apps/homepage/stonegarden/deployment.yaml

@@ -0,0 +1,36 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: stonegarden
+  namespace: stonegarden
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: stonegarden
+  template:
+    metadata:
+      namespace: stonegarden
+      labels:
+        app: stonegarden
+    spec:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65534
+        runAsGroup: 65534
+        fsGroup: 65534
+        fsGroupChangePolicy: OnRootMismatch
+        seccompProfile:
+          type: RuntimeDefault
+      containers:
+        - name: stonegarden
+          image: registry.gitlab.com/vehagn/stonegarden:latest
+          imagePullPolicy: Always
+          securityContext:
+            allowPrivilegeEscalation: false
+            readOnlyRootFilesystem: true
+            capabilities:
+              drop: [ "ALL" ]
+          ports:
+            - name: web
+              containerPort: 3000

remodel/k8s/apps/homepage/stonegarden/http-route.yaml

@@ -0,0 +1,19 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: stonegarden
+  namespace: stonegarden
+spec:
+  parentRefs:
+    - name: stonegarden
+      namespace: gateway
+  hostnames:
+    - "stonegarden.dev"
+  rules:
+    - matches:
+        - path:
+            type: PathPrefix
+            value: /
+      backendRefs:
+        - name: stonegarden
+          port: 3000

remodel/k8s/apps/homepage/stonegarden/kustomization.yaml

@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - ns.yaml
+  - service.yaml
+  - deployment.yaml
+  - http-route.yaml

remodel/k8s/apps/homepage/stonegarden/ns.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: stonegarden
+  labels:
+    dev.stonegarden.app: homepage

remodel/k8s/apps/homepage/stonegarden/service.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: stonegarden
+  namespace: stonegarden
+spec:
+  type: ClusterIP
+  ports:
+    - name: web
+      port: 3000
+  selector:
+    app: stonegarden

remodel/tofu/kubernetes/main.tf

@@ -121,6 +121,10 @@ module "volumes" {
       node = "euclid"
       size = "1G"
     }
+    pv-remark42 = {
+      node = "euclid"
+      size = "1G"
+    }
     pv-jellyfin-config = {
       node = "euclid"
       size = "12G"