✨ new talos cluster

kubernetes/cluster-0/apps/web-tools/tandoor/config/nginx-config

@@ -0,0 +1,25 @@
+events {
+  worker_connections 1024;
+}
+http {
+  include /etc/nginx/mime.types;
+  server {
+    listen 80;
+    server_name _;
+    client_max_body_size 128M;
+    # serve media files
+    location /media/ {
+      alias /media/;
+    }
+    # serve static files
+    location /static/ {
+      alias /static/;
+    }
+    # pass requests for dynamic content to gunicorn
+    location / {
+      proxy_set_header Host $host;
+      proxy_set_header REMOTE-USER $http_x_authentik_username;
+      proxy_pass http://localhost:8080;
+    }
+  }
+}

kubernetes/cluster-0/apps/web-tools/tandoor/helm-release.yaml

@@ -0,0 +1,103 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: &app tandoor
+  namespace: default
+spec:
+  interval: 15m
+  chart:
+    spec:
+      chart: app-template
+      version: 1.0.1
+      sourceRef:
+        kind: HelmRepository
+        name: bjw-s
+        namespace: flux-system
+  install:
+    createNamespace: true
+    remediation:
+      retries: 5
+  upgrade:
+    remediation:
+      retries: 5
+  dependsOn:
+    - name: postgres-cluster
+      namespace: default
+  values:
+    image:
+      repository: vabene1111/recipes
+      tag: "1.4.5"
+    envFrom:
+      - secretRef:
+          name: *app
+    service:
+      main:
+        ports:
+          http:
+            port: 80
+    ingress:
+      main:
+        enabled: true
+        ingressClassName: "nginx"
+        hosts:
+          - host: &host "{{ .Release.Name }}.${SECRET_CLUSTER_DOMAIN}"
+            paths:
+              - path: /
+                pathType: Prefix
+          - host: &host2 "recipes.${SECRET_CLUSTER_DOMAIN}"
+            paths:
+              - path: /
+                pathType: Prefix
+        tls:
+          - hosts:
+              - *host
+              - *host2
+    persistence:
+      files:
+        enabled: true
+        existingClaim: tandoor-files
+        mountPath: /opt/recipes/mediafiles
+      nginx-config:
+        enabled: "true"
+        mountPath: /etc/nginx/nginx.conf
+        subPath: nginx-config
+        type: "custom"
+        volumeSpec:
+          configMap:
+            name: *app
+      static:
+        enabled: true
+        mountPath: /opt/recipes/staticfiles
+        type: emptyDir
+    podSecurityContext:
+      runAsUser: 0
+    podAnnotations:
+      configMap.reloader.stakater.com/reload: *app
+      secret.reloader.stakater.com/reload: *app
+    securityContext:
+      runAsUser: 65534
+    resources:
+      requests:
+        cpu: 100m
+        memory: 256Mi
+      limits:
+        memory: 512Mi
+    additionalContainers:
+      nginx:
+        name: nginx
+        image: nginx:1.23.2
+        imagePullPolicy: IfNotPresent
+        ports:
+          - name: http
+            containerPort: 80
+            protocol: TCP
+        volumeMounts:
+          - name: nginx-config
+            readOnly: true
+            mountPath: /etc/nginx/nginx.conf
+            subPath: nginx-config
+          - name: files
+            mountPath: /media
+          - name: static
+            mountPath: /static

kubernetes/cluster-0/apps/web-tools/tandoor/kustomization.yaml

@@ -0,0 +1,17 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: default
+resources:
+  - secret.sops.yaml
+  - helm-release.yaml
+  - volume.yaml
+patchesStrategicMerge:
+  - patches/env.yaml
+  - patches/postgres.yaml
+configMapGenerator:
+  - name: tandoor
+    files:
+      - config/nginx-config
+generatorOptions:
+  disableNameSuffixHash: true

kubernetes/cluster-0/apps/web-tools/tandoor/patches/env.yaml

@@ -0,0 +1,21 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: tandoor
+  namespace: default
+spec:
+  values:
+    env:
+      DEBUG: "0"
+      ALLOWED_HOSTS: "*"
+      DB_ENGINE: django.db.backends.postgresql_psycopg2
+      POSTGRES_HOST: postgres-rw.default.svc.cluster.local.
+      POSTGRES_PORT: 5432
+      POSTGRES_DB: recipes
+      GUNICORN_MEDIA: "0"
+      TIMEZONE: ${TIMEZONE}
+      TANDOOR_PORT: 8080
+      FRACTION_PREF_DEFAULT: "0"
+      COMMENT_PREF_DEFAULT: "1"
+      SHOPPING_MIN_AUTOSYNC_INTERVAL: "5"

kubernetes/cluster-0/apps/web-tools/tandoor/patches/postgres.yaml

@@ -0,0 +1,31 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: tandoor
+  namespace: default
+spec:
+  values:
+    initContainers:
+      init-db:
+        image: ghcr.io/onedr0p/postgres-initdb:14.5
+        env:
+          - name: POSTGRES_HOST
+            value: postgres-rw.default.svc.cluster.local.
+          - name: POSTGRES_DB
+            value: recipes
+          - name: POSTGRES_SUPER_PASS
+            valueFrom:
+              secretKeyRef:
+                name: postgres-superuser
+                key: password
+          - name: POSTGRES_USER
+            valueFrom:
+              secretKeyRef:
+                name: tandoor
+                key: POSTGRES_USER
+          - name: POSTGRES_PASS
+            valueFrom:
+              secretKeyRef:
+                name: tandoor
+                key: POSTGRES_PASSWORD

kubernetes/cluster-0/apps/web-tools/tandoor/secret.sops.yaml

@@ -0,0 +1,31 @@
+# yamllint disable
+apiVersion: v1
+kind: Secret
+metadata:
+    name: tandoor
+    namespace: default
+type: Opaque
+stringData:
+    SECRET_KEY: ENC[AES256_GCM,data:Em/RAzEFrQ0vSHrTUAe2CfWii49IVRZkZQt9czp41j0=,iv:cF+q2+E9gtF5LKP974Y5o/MOrdxcvfe8VXUqHhP46Mc=,tag:RlY7ciWvKsZl5S/ljUc9GA==,type:str]
+    POSTGRES_USER: ENC[AES256_GCM,data:2l2CmdToJg==,iv:lP3yvRedxN3L8sheO71sI5BNOBIEAnQ+QoAm5j4pyyc=,tag:b0yimiebuxKE/PIjhpWr6g==,type:str]
+    POSTGRES_PASSWORD: ENC[AES256_GCM,data:eGkJzNO6i0vARiw3XXK87g==,iv:iVwOOiTuwI3aK+zdDIZotgLCvbyvYC7sl8vuhyMSyUg=,tag:Vix0RHru20p0fj0a5LH9Sw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4TWU5YTlFY3FPQWhnZ2I2
+            akxnZ2xIRVNFZTdOWmg0dFhxTUNoZEFIM1cwCit5WnduNlQ1MkF2aytCVldMeVlC
+            Yk5QNWRQRllOT3ZTL3VGcjJNK1VqeUkKLS0tIFMyWHNFd29nc2tMektxclJkK0pT
+            Ny9OQ0l4ZXMrdW40NmRsbzgvZ0w5V3cKqTGvN5zk2TPgtxoVfwI7Wsz4N+lC9+Kq
+            DCXTgTU/QXm9dvo4ErPPzeWFqdk4JchExhvSJV2JfM32O+3z+EGhNg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-09-17T09:12:23Z"
+    mac: ENC[AES256_GCM,data:aftbkgTFye4mvKE2cT8ygQ76Ybx8Lt5dd9moHJgdMqRzQZBeOctMlaMD2Jm7EY0psuAUkGz4+OS5pv7HJ2/1/rVYNqMsLSpoIYs236te0F58BS1yjHHi1YPNsfhdskPBs6e7xONQTrwQ9Swp/jynosNvuchDCBufxDVk5WG8auo=,iv:JjmbM44EKp6Suw/B2VLLcBZmsfxNuA6OZPaUoWQDvVo=,tag:X1Cuo0XvgmyOWiOQxIZiKg==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.7.3

kubernetes/cluster-0/apps/web-tools/tandoor/volume.yaml

@@ -0,0 +1,17 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: tandoor-files
+  namespace: default
+  labels:
+    app.kubernetes.io/name: &name tandoor
+    app.kubernetes.io/instance: *name
+    snapshot.home.arpa/enabled: "true"
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: rook-ceph-block
+  resources:
+    requests:
+      storage: 1Gi