diff --git a/apps/linkwarden.yaml b/apps/linkwarden.yaml
new file mode 100644
index 0000000..c54c44e
--- /dev/null
+++ b/apps/linkwarden.yaml
@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: linkwarden
+ namespace: argocd
+spec:
+ project: default
+ source:
+ repoURL: https://github.com/gwg313/homelab-gitops
+ targetRevision: main
+ path: linkwarden
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: linkwarden
+ syncPolicy:
+ automated:
+ selfHeal: true
+ prune: true
+ syncOptions:
+ - CreateNamespace=true
diff --git a/linkwarden/certificate.yaml b/linkwarden/certificate.yaml
new file mode 100644
index 0000000..933c2bc
--- /dev/null
+++ b/linkwarden/certificate.yaml
@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: linkwarden-cert
+ namespace: istio-system
+spec:
+ secretName: linkwarden-cert
+ issuerRef:
+ name: letsencrypt-dns
+ kind: ClusterIssuer
+ dnsNames:
+ - bookmarks.gwg313.xyz
diff --git a/linkwarden/gateway.yaml b/linkwarden/gateway.yaml
new file mode 100644
index 0000000..74d4d5b
--- /dev/null
+++ b/linkwarden/gateway.yaml
@@ -0,0 +1,18 @@
+apiVersion: networking.istio.io/v1beta1
+kind: Gateway
+metadata:
+ name: linkwarden-gateway
+ namespace: linkwarden
+spec:
+ selector:
+ istio: gateway
+ servers:
+ - port:
+ number: 443
+ name: https
+ protocol: HTTPS
+ tls:
+ mode: SIMPLE
+ credentialName: linkwarden-cert
+ hosts:
+ - bookmarks.gwg313.xyz
diff --git a/linkwarden/iscsi-sealed.yaml b/linkwarden/iscsi-sealed.yaml
new file mode 100644
index 0000000..f747c08
--- /dev/null
+++ b/linkwarden/iscsi-sealed.yaml
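Review bot: In apps/linkwarden.yaml, `project: default` combined with `targetRevision: main` and automated `prune`/`selfHeal` means every push to that branch is applied to the cluster with no restriction on which namespaces or resource kinds the path may create. This commit already relies on that reach, since linkwarden/certificate.yaml targets `istio-system` rather than the destination namespace. A dedicated AppProject that lists the allowed source repository and destination namespaces would narrow what a bad commit to `main` can change.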
@@ -0,0 +1,19 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ creationTimestamp: null
+ name: linkwarden-iscsi-auth
+ namespace: linkwarden
+spec:
+ encryptedData:
+ discovery.sendtargets.auth.password: AgAo6dvx0sb5AklRqs6kLDp+Axa39HF9VvbRmiAqTb1aqS1pmpkt774c6X5B0pVM9Tkz5XANdPriEzpKcBsPLCuBRGrXAjIrzdao6RgXS+11zLx4rnIhw/HUTrFcsbPC1N3ilxICu6y/1pr1alOrtoRa9azKN0R9LoCuM8+T2ea3w7NHjLhxeIGnOe1aOsZQ1Dp3cZQbHiajSGZW9kj0NquJAvVq+tpFNIYDwo08YtOPvGa0jKiZCDq1a29t8yMUY7YLKpEDIibVtFU+OkpiK7TW/cTzURO1Hr+bH3WdLsB6bcQjrtnD75vxYGLTXbjNTjWtkolsZ3tsvR1FVr1iELrXooMrtsEDEum7UyNOf079pwvLMFsz+UrM78bE/JEYzm9YowfBdvOAkvqkwZq9MiJq5heAi1kMgE1p5LPHZGTtVKTBXxwdFRM3qZWRl82nTI+nVAiTqNDP2ZCHvsEOTIIgxb6zSvEcQ1Mjit3PnNh9KmiasGX454S1vS7TROwLsjzubWaMoS3ADN2DSV1uh6pe7/lfn8GcfSfcyYOzGZcgVFWeQoBMXPG+3HsFfidQU+DLdovdqw0DPsEYK7Crvhskz6thfERZDYFMt2RIbsTUeo46SyqhiMuIetmVcvvomgngUM7rclS86B3bMnrXwjkYBznaYBw9+XrUBAoaMChAPkVGT6JKi9hF9cd5R3mfPkvjphKWegyYQlYvyjvG93EN
+ discovery.sendtargets.auth.username: 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
+ node.session.auth.password: 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
+ node.session.auth.username: 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
+ template:
+ metadata:
+ creationTimestamp: null
+ name: linkwarden-iscsi-auth
+ namespace: linkwarden
+ type: kubernetes.io/iscsi-chap
diff --git a/linkwarden/linkwarden-deployment.yml b/linkwarden/linkwarden-deployment.yml
new file mode 100644
index 0000000..2bfdb66
--- /dev/null
+++ b/linkwarden/linkwarden-deployment.yml
@@ -0,0 +1,41 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: linkwarden
+ namespace: linkwarden
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: linkwarden
+ template:
+ metadata:
+ labels:
+ app: linkwarden
+ spec:
+ containers:
+ - name: linkwarden
+ image: ghcr.io/linkwarden/linkwarden:latest
+ ports:
+ - containerPort: 3000
+ env:
+ - name: POSTGRES_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: postgresql-secret-linkwarden
+ key: POSTGRESQL_PASSWORD
+ - name: DATABASE_URL
+ value: "postgres://postgres:$(POSTGRES_PASSWORD)@postgres:5432/postgres"
+ - name: NEXTAUTH_SECRET
+ value: SgG4jVtm9ukRKEbJw7vw
+ - name: NEXTAUTH_URL
+ value: "https://bookmarks.gwg313.xyz/api/v1/auth"
+ - name: NEXT_PUBLIC_DISABLE_REGISTRATION
+ value: "true"
+ volumeMounts:
+ - mountPath: /data/data
+ name: linkwarden-data
+ volumes:
+ - name: linkwarden-data
+ persistentVolumeClaim:
+ claimName: linkwarden-data-pvc
diff --git a/linkwarden/linkwarden-pv.yml b/linkwarden/linkwarden-pv.yml
new file mode 100644
index 0000000..cd21ddc
--- /dev/null
+++ b/linkwarden/linkwarden-pv.yml
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: linkwarden-data-pv
+spec:
+ capacity:
+ storage: 5Gi
+ accessModes:
+ - ReadWriteOnce
+ persistentVolumeReclaimPolicy: Retain
+ iscsi:
+ targetPortal: truenas.local.gwg313.xyz:3260
+ iqn: iqn.2005-10.org.freenas.ctl:linkwarden-data
+ lun: 0
+ fsType: ext4
+ chapAuthDiscovery: true
+ chapAuthSession: true
+ secretRef:
+ name: linkwarden-iscsi-auth
+ claimRef:
+ namespace: linkwarden
+ name: linkwarden-data-pvc
diff --git a/linkwarden/linkwarden-pvc.yml b/linkwarden/linkwarden-pvc.yml
new file mode 100644
index 0000000..47573fc
--- /dev/null
+++ b/linkwarden/linkwarden-pvc.yml
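Review bot: In linkwarden/linkwarden-deployment.yml the `NEXTAUTH_SECRET` entry carries its value as a literal `value:` in the manifest, so the secret NextAuth uses to protect session tokens is readable by anyone who can read the repository or the Deployment object. Source it the way `POSTGRES_PASSWORD` is sourced a few entries earlier, through `valueFrom.secretKeyRef` pointing at a Secret that is delivered as a SealedSecret, and rotate the committed value since it stays in history. The `ghcr.io/linkwarden/linkwarden:latest` tag is also mutable; pinning a version tag or digest keeps a re-pull from changing the running code without a reviewed commit. The pod template sets no `securityContext` or resource limits, which would be worth adding in the same pass.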
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: linkwarden-data-pvc
+ namespace: linkwarden
+spec:
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 5Gi
+ storageClassName: manual
+ volumeName: linkwarden-data-pv
diff --git a/linkwarden/namespace.yml b/linkwarden/namespace.yml
new file mode 100644
index 0000000..14f3251
--- /dev/null
+++ b/linkwarden/namespace.yml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: linkwarden
diff --git a/linkwarden/postgres-configmap.yml b/linkwarden/postgres-configmap.yml
new file mode 100644
index 0000000..56118dc
--- /dev/null
+++ b/linkwarden/postgres-configmap.yml
@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: postgresql-config
+ namespace: linkwarden
+data:
+ POSTGRESQL_FSYNC: "on"
+ POSTGRESQL_SYNCHRONOUS_COMMIT: "on"
+ POSTGRESQL_FULL_PAGE_WRITES: "on"
+ POSTGRESQL_WAL_LEVEL: "replica"
+ POSTGRESQL_ARCHIVE_MODE: "on"
+ POSTGRESQL_MAX_WAL_SIZE: "2GB"
+ POSTGRESQL_MIN_WAL_SIZE: "1GB"
+ POSTGRESQL_CHECKPOINT_TIMEOUT: "5min"
+ POSTGRESQL_LOG_CONNECTIONS: "on"
+ POSTGRESQL_LOG_DISCONNECTIONS: "on"
+ POSTGRESQL_LOG_STATEMENT: "all"
+ POSTGRESQL_LOG_DURATION: "1000"
+ POSTGRESQL_AUTOVACUUM: "on"
+ POSTGRESQL_VACUUM_COST_DELAY: "20ms"
+ POSTGRESQL_LOG_TIMEZONE: "UTC"
+ POSTGRESQL_LOG_CHECKPOINTS: "on"
+ POSTGRESQL_LOG_ERROR_VERBOSITY: "verbose"
+ POSTGRESQL_HOT_STANDBY: "on"
+ POSTGRESQL_ARCHIVE_TIMEOUT: "60s"
diff --git a/linkwarden/postgres-deployment.yml b/linkwarden/postgres-deployment.yml
new file mode 100644
index 0000000..11cc9f6
--- /dev/null
+++ b/linkwarden/postgres-deployment.yml
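Review bot: linkwarden/linkwarden-pvc.yml requests `ReadWriteMany` with `storageClassName: manual`, but the PersistentVolume it names (linkwarden-data-pv) offers only `ReadWriteOnce` and sets no `storageClassName`, so the claim will most likely stay Pending instead of binding. An iSCSI LUN formatted as ext4 is not a shared read-write medium in any case. Request `- ReadWriteOnce` here and either add `storageClassName: manual` to the PV or set `storageClassName: ""` on the claim. linkwarden/postgres-pvc.yml has the same mismatch against linkwarden-postgres-pv.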
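Review bot: `POSTGRESQL_LOG_STATEMENT: "all"` in linkwarden/postgres-configmap.yml asks for every SQL statement, literals included, to be written to the server log, which copies application data and any password set through SQL into container logs and whatever collects them. `"ddl"` or `"none"` is a safer default unless full statement logging is a deliberate, time-boxed debugging choice. `POSTGRESQL_LOG_DURATION: "1000"` also looks off, since PostgreSQL's `log_duration` is an on/off setting; a millisecond threshold belongs to `log_min_duration_statement`. It is worth confirming which of these variable names the bitnami/postgresql image actually reads, because unrecognised ones would presumably be ignored without an error.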
@@ -0,0 +1,43 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: postgres
+ namespace: linkwarden
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: postgres
+ template:
+ metadata:
+ labels:
+ app: postgres
+ spec:
+ securityContext:
+ fsGroup: 999 # PostgreSQL's default GID (postgres group)
+ containers:
+ - name: postgres
+ image: bitnami/postgresql:latest
+ ports:
+ - containerPort: 5432
+ env:
+ - name: POSTGRESQL_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: postgresql-secret-linkwarden
+ key: POSTGRESQL_PASSWORD
+ - name: POSTGRESQL_PERFORM_RESTORE
+ value: "true"
+ envFrom:
+ - configMapRef:
+ name: postgresql-config
+ volumeMounts:
+ - mountPath: /var/lib/postgresql/data
+ name: postgres-storage
+ volumes:
+ - name: postgres-storage
+ persistentVolumeClaim:
+ claimName: linkwarden-postgres-pvc
+ securityContext:
+ runAsUser: 999 # Ensure the container runs as the 'postgres' user (UID 999)
+ fsGroup: 999 # Ensure the filesystem group is 'postgres' (GID 999)
diff --git a/linkwarden/postgres-pv.yml b/linkwarden/postgres-pv.yml
new file mode 100644
index 0000000..d8c9b13
--- /dev/null
+++ b/linkwarden/postgres-pv.yml
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: linkwarden-postgres-pv
+spec:
+ capacity:
+ storage: 5Gi
+ accessModes:
+ - ReadWriteOnce
+ persistentVolumeReclaimPolicy: Retain
+ iscsi:
+ targetPortal: truenas.local.gwg313.xyz:3260
+ iqn: iqn.2005-10.org.freenas.ctl:linkwarden-postgres
+ lun: 1
+ fsType: ext4
+ chapAuthDiscovery: true
+ chapAuthSession: true
+ secretRef:
+ name: linkwarden-iscsi-auth
+ claimRef:
+ namespace: linkwarden
+ name: linkwarden-postgres-pvc
diff --git a/linkwarden/postgres-pvc.yml b/linkwarden/postgres-pvc.yml
new file mode 100644
index 0000000..9474b03
--- /dev/null
+++ b/linkwarden/postgres-pvc.yml
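Review bot: In linkwarden/postgres-deployment.yml the claim is mounted at `/var/lib/postgresql/data` and the pod runs as UID/GID 999, which are the conventions of the official `postgres` image; as far as I know `bitnami/postgresql` keeps its data under `/bitnami/postgresql` and runs as UID 1001, so the database may end up on the container filesystem and be lost on restart while the iSCSI volume stays unused. Confirm against the image documentation and align `mountPath`, `runAsUser` and `fsGroup` with whichever image is intended. `securityContext` also appears twice in the pod template, once before `containers` and once after `volumes`; indentation is not recoverable in this view, but if both sit at the same level that is a duplicate key and most parsers keep only the last. Pinning the image to a version tag or digest instead of `:latest` would keep a database major-version change from arriving without a commit.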
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: linkwarden-postgres-pvc
+ namespace: linkwarden
+spec:
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 5Gi
+ storageClassName: manual
+ volumeName: linkwarden-postgres-pv
diff --git a/linkwarden/postgres-secret.yml b/linkwarden/postgres-secret.yml
new file mode 100644
index 0000000..7b6eacb
--- /dev/null
+++ b/linkwarden/postgres-secret.yml
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: postgresql-secret-linkwarden
+ namespace: linkwarden
+type: Opaque
+data:
+ POSTGRESQL_PASSWORD: dWtGbTYyOGR2QnpKQUpLWGVVdUs=
diff --git a/linkwarden/postgres-service.yml b/linkwarden/postgres-service.yml
new file mode 100644
index 0000000..7fb2fb1
--- /dev/null
+++ b/linkwarden/postgres-service.yml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: postgres
+ namespace: linkwarden
+spec:
+ type: ClusterIP
+ selector:
+ app: postgres
+ ports:
+ - port: 5432
+ targetPort: 5432
diff --git a/linkwarden/service.yaml b/linkwarden/service.yaml
new file mode 100644
index 0000000..4f7a1ad
--- /dev/null
+++ b/linkwarden/service.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: linkwarden
+ namespace: linkwarden
+spec:
+ selector:
+ app: linkwarden
+ ports:
+ - name: http
+ port: 80
+ targetPort: 3000
+ type: ClusterIP
diff --git a/linkwarden/virtualservice.yaml b/linkwarden/virtualservice.yaml
new file mode 100644
index 0000000..ba970ee
--- /dev/null
+++ b/linkwarden/virtualservice.yaml
@@ -0,0 +1,19 @@
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+ name: linkwarden
+ namespace: linkwarden
+spec:
+ hosts:
+ - bookmarks.gwg313.xyz
+ gateways:
+ - linkwarden-gateway
+ http:
+ - match:
+ - uri:
+ prefix: /
+ route:
+ - destination:
+ host: linkwarden
+ port:
+ number: 80
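Review bot: linkwarden/postgres-secret.yml commits a plain `Secret`, and the `data` value is only base64-encoded, so the PostgreSQL password is effectively in clear text in the repository and its history. The same commit already uses a `SealedSecret` for the iSCSI CHAP credentials in linkwarden/iscsi-sealed.yaml; seal this one the same way, keeping the name `postgresql-secret-linkwarden` and key `POSTGRESQL_PASSWORD` so both Deployments' `secretKeyRef` entries still resolve. Rotate the password as part of that change, since deleting the file later does not remove the value from history.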