feat: windmill

kubernetes/apps/default/authelia/app/config/configuration.yaml

@@ -1,6 +1,4 @@
 ---
-# Genereate client_secret
-# https://www.authelia.com/integration/openid-connect/frequently-asked-questions/#how-do-i-generate-a-client-identifier-or-client-secret
 authentication_backend:
   ldap:
     address: ldap://lldap.default.svc.cluster.local:5389
@@ -82,6 +80,8 @@ identity_providers:
       endpoints: [authorization, token, revocation, introspection]
       allowed_origins_from_client_redirect_uris: true
     clients:
+    # Genereate client_secret
+    # https://www.authelia.com/integration/openid-connect/frequently-asked-questions/#how-do-i-generate-a-client-identifier-or-client-secret
       - client_id: freshrss
         client_name: freshrss
         client_secret: "$${FRESHRSS_OAUTH_DIGEST}"
@@ -151,3 +151,10 @@ identity_providers:
         redirect_uris: ['https://pgadmin.${SECRET_EXTERNAL_DOMAIN}/oauth2/authorize']
         userinfo_signed_response_alg: none
         token_endpoint_auth_method: client_secret_basic
+      - client_id: windmill
+        client_name: Windmill
+        client_secret: '$${WINDMILL_OAUTH_CLIENT_SECRET}'
+        authorization_policy: 'two_factor'
+        redirect_uris: ['https://windmill.${SECRET_EXTERNAL_DOMAIN}/user/login_callback/authelia']
+        scopes: [openid, profile, groups, email]
+        userinfo_signed_response_alg: none

kubernetes/apps/default/authelia/app/externalsecret.yaml

@@ -43,6 +43,8 @@ spec:
         PAPERLESS_OAUTH_DIGEST: "{{ .OUTLINE_OAUTH_DIGEST }}"
         KOMGA_OAUTH_CLIENT_SECRET: "{{ .OUTLINE_OAUTH_CLIENT_SECRET }}"
         KOMGA_OAUTH_DIGEST: "{{ .OUTLINE_OAUTH_DIGEST }}"
+        WINDMILL_OAUTH_CLIENT_SECRET: "{{ .WINDMILL_OAUTH_CLIENT_SECRET }}"
+        WINDMILL_OAUTH_DIGEST: "{{ .WINDMILL_OAUTH_DIGEST }}"
         SECRET_PUBLIC_DOMAIN: "{{ .SECRET_PUBLIC_DOMAIN }}"
         # Postgres Init
         INIT_POSTGRES_DBNAME: *dbName

kubernetes/apps/default/kustomization.yaml

@@ -56,6 +56,7 @@ resources:
   - ./unifi/ks.yaml
   - ./vaultwarden/ks.yaml
   - ./vikunja/ks.yaml
+  - ./windmill/ks.yaml
   - ./zigbee2mqtt/ks.yaml
   - ./zwave-js-ui/ks.yaml
   # Default resources

kubernetes/apps/default/mailrise/app/mailrise.yaml

@@ -10,3 +10,8 @@ configs:
       title_template: "KRESUS"
     urls:
       - !env_var PUSHOVER_KRESUS
+  windmill@mailrise.home.arpa:
+    mailrise:
+      title_template: "WINDMILL"
+    urls:
+      - !env_var PUSHOVER_WINDMILL

kubernetes/apps/default/windmill/app/externalsecret.yaml

@@ -0,0 +1,29 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: windmill
+  namespace: default
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword-connect
+  target:
+    name: windmill-secret
+    template:
+      engineVersion: v2
+      data:
+        # App
+        WINDMILL_POSTGRES_URL: "postgres://{{ .WINDMILL__POSTGRES_USER }}:{{ .WINDMILL__POSTGRES_PASS }}@postgres16-rw.database.svc.cluster.local/windmill"
+        # Postgres Init
+        INIT_POSTGRES_DBNAME: windmill
+        INIT_POSTGRES_HOST: postgres16-rw.database.svc.cluster.local
+        INIT_POSTGRES_USER: "{{ .WINDMILL__POSTGRES_USER }}"
+        INIT_POSTGRES_PASS: "{{ .WINDMILL__POSTGRES_PASS }}"
+        INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
+  dataFrom:
+    - extract:
+        key: cloudnative-pg
+    - extract:
+        key: windmill

kubernetes/apps/default/windmill/app/helmrelease.yaml

@@ -0,0 +1,97 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: &app windmill
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: windmill
+      version: 2.0.234
+      sourceRef:
+        kind: HelmRepository
+        name: windmill
+        namespace: flux-system
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      strategy: rollback
+      retries: 3
+  uninstall:
+    keepHistory: false
+  values:
+    windmill:
+      app:
+        annotations:
+          reloader.stakater.com/auto: "true"
+        initContainers:
+          - name: init-db
+            image: ghcr.io/onedr0p/postgres-init:16
+            envFrom:
+              - secretRef:
+                  name: &secret windmill-secret
+          - name: init-grants
+            image: ghcr.io/onedr0p/postgres-init:16
+            command:
+              - /bin/bash
+              - -c
+              - |
+                #!/bin/bash
+
+                set -o errexit
+                set -o nounset
+
+                /var/run/grants.sh
+            envFrom:
+              - secretRef:
+                  name: *secret
+            volumeMounts:
+              - name: grants
+                readOnly: true
+                subPath: grants.sh
+                mountPath: /var/run/grants.sh
+        volumes:
+          - name: grants
+            configMap:
+              name: windmill-grants
+              defaultMode: 509
+      baseDomain: &host "windmill.${SECRET_EXTERNAL_DOMAIN}"
+      baseProtocol: https
+      appReplicas: 1
+      lspReplicas: 1
+      multiplayerReplicas: 1
+      workerGroups:
+        - name: default
+          replicas: 2
+          resources:
+            requests:
+              memory: 1028Mi
+              cpu: 500m
+            limits:
+              memory: 2048Mi
+        - name: native
+          replicas: 1
+          resources:
+            requests:
+              memory: 128Mi
+              cpu: 100m
+            limits:
+              memory: 256Mi
+    ingress:
+      enabled: true
+      className: nginx
+      tls:
+        - hosts:
+            - *host
+    postgresql:
+      enabled: false
+  valuesFrom:
+    - kind: Secret
+      name: *secret
+      valuesKey: WINDMILL_POSTGRES_URL
+      targetPath: windmill.databaseUrl

kubernetes/apps/default/windmill/app/kustomization.yaml

@@ -0,0 +1,17 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: default
+resources:
+  - ./externalsecret.yaml
+  - ./helmrelease.yaml
+  - ../../../../templates/gatus/guarded
+configMapGenerator:
+  - name: windmill-grants
+    files:
+      - ./scripts/grants.sh
+generatorOptions:
+  disableNameSuffixHash: true
+  annotations:
+    kustomize.toolkit.fluxcd.io/substitute: disabled

kubernetes/apps/default/windmill/app/scripts/grants.sh

@@ -0,0 +1,60 @@
+#!/usr/bin/env bash
+
+export INIT_POSTGRES_SUPER_USER=${INIT_POSTGRES_SUPER_USER:-postgres}
+export INIT_POSTGRES_PORT=${INIT_POSTGRES_PORT:-5432}
+
+if [[ -z "${INIT_POSTGRES_HOST}"       ||
+      -z "${INIT_POSTGRES_SUPER_PASS}" ||
+      -z "${INIT_POSTGRES_USER}"       ||
+      -z "${INIT_POSTGRES_PASS}"       ||
+      -z "${INIT_POSTGRES_DBNAME}"
+]]; then
+    printf "\e[1;32m%-6s\e[m\n" "Invalid configuration - missing a required environment variable"
+    [[ -z "${INIT_POSTGRES_HOST}" ]]       && printf "\e[1;32m%-6s\e[m\n" "INIT_POSTGRES_HOST: unset"
+    [[ -z "${INIT_POSTGRES_SUPER_PASS}" ]] && printf "\e[1;32m%-6s\e[m\n" "INIT_POSTGRES_SUPER_PASS: unset"
+    [[ -z "${INIT_POSTGRES_USER}" ]]       && printf "\e[1;32m%-6s\e[m\n" "INIT_POSTGRES_USER: unset"
+    [[ -z "${INIT_POSTGRES_PASS}" ]]       && printf "\e[1;32m%-6s\e[m\n" "INIT_POSTGRES_PASS: unset"
+    [[ -z "${INIT_POSTGRES_DBNAME}" ]]     && printf "\e[1;32m%-6s\e[m\n" "INIT_POSTGRES_DBNAME: unset"
+    exit 1
+fi
+
+# These env are for the psql CLI
+export PGHOST="${INIT_POSTGRES_HOST}"
+export PGUSER="${INIT_POSTGRES_SUPER_USER}"
+export PGPASSWORD="${INIT_POSTGRES_SUPER_PASS}"
+export PGPORT="${INIT_POSTGRES_PORT}"
+
+until pg_isready; do
+    printf "\e[1;32m%-6s\e[m\n" "Waiting for Host '${PGHOST}' on port '${PGPORT}' ..."
+    sleep 1
+done
+
+for dbname in ${INIT_POSTGRES_DBNAME}; do
+    printf "\e[1;32m%-6s\e[m\n" "Update User Privileges on Database ..."
+    psql --dbname ${dbname} -c "
+        DO \$\$
+    BEGIN
+        IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'windmill_user') THEN
+            CREATE ROLE windmill_user;
+        END IF;
+    END
+    \$\$;
+
+    DO \$\$
+    BEGIN
+        IF NOT EXISTS (SELECT 1 FROM pg_roles WHERE rolname = 'windmill_admin') THEN
+            CREATE ROLE windmill_admin WITH BYPASSRLS;
+        END IF;
+    END
+    \$\$;
+
+    GRANT ALL ON ALL TABLES IN SCHEMA public TO windmill_user;
+    GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO windmill_user;
+    ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON TABLES TO windmill_user;
+    ALTER DEFAULT PRIVILEGES IN SCHEMA public GRANT ALL ON SEQUENCES TO windmill_user;
+    GRANT windmill_user TO windmill_admin;
+    GRANT windmill_admin TO ${INIT_POSTGRES_USER};
+    GRANT windmill_user TO ${INIT_POSTGRES_USER};
+    GRANT USAGE ON SCHEMA public TO windmill_admin;
+    GRANT USAGE ON SCHEMA public TO windmill_user;"
+done

kubernetes/apps/default/windmill/ks.yaml

@@ -0,0 +1,27 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app windmill
+  namespace: flux-system
+spec:
+  targetNamespace: default
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  dependsOn:
+    - name: external-secrets-stores
+  path: ./kubernetes/apps/default/windmill/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-ops-kubernetes
+  wait: false
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m
+  postBuild:
+    substitute:
+      APP: *app
+      GATUS_SUBDOMAIN: sh

kubernetes/flux/repositories/helm/kustomization.yaml

@@ -32,4 +32,5 @@ resources:
   - ./stakater.yaml
   - ./stevehipwell.yaml
   - ./vector.yaml
+  - ./windmill.yaml
   - ./xenitab.yaml

kubernetes/flux/repositories/helm/windmill.yaml

@@ -0,0 +1,10 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1beta2.json
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: windmill
+  namespace: flux-system
+spec:
+  interval: 2h
+  url: https://windmill-labs.github.io/windmill-helm-charts/