diff --git a/kubenix-modules/atticd.nix b/kubenix-modules/atticd.nix index 7a29c74..10333f2 100644 --- a/kubenix-modules/atticd.nix +++ b/kubenix-modules/atticd.nix @@ -1,8 +1,8 @@ { pkgs, ... }: { kubernetes.resources = let - atticdSettings = { - database.url = "ref+sops://secrets/sops.yaml#atticd/databaseURL"; + atticSettings = { + database.url = "ref+sops://secrets/sops.yaml#attic/databaseURL"; storage = { type = "local"; 
@@ -34,74 +34,146 @@ max-size = 256 * 1024; # 256 KiB }; }; - generatedConfig = (pkgs.formats.toml { }).generate "atticd.toml" atticdSettings; + generatedConfig = (pkgs.formats.toml { }).generate "attic.toml" atticSettings; in { configMaps = { - atticd-env.data.ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64 = "ref+sops://secrets/sops.yaml#atticd/jwtToken"; - atticd-config.data.config = builtins.readFile generatedConfig; + attic-env.data.ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64 = "ref+sops://secrets/sops.yaml#attic/jwtToken"; + attic-config.data.config = builtins.readFile generatedConfig; + + attic-db-env.data = { + POSTGRES_DB = "attic"; + POSTGRES_USER = "attic"; + POSTGRES_PASSWORD = "ref+sops://secrets/sops.yaml#/attic/databasePassword"; + PGDATA = "/pgdata/data"; + }; }; - deployments.atticd = { - metadata.labels.app = "atticd"; + deployments = { + attic = { + metadata.labels = { + app = "attic"; + component = "website"; + }; - spec = { - selector.matchLabels.app = "atticd"; + spec = { + selector.matchLabels = { + app = "attic"; + component = "website"; + }; - template = { - metadata.labels.app = "atticd"; + template = { + metadata.labels = { + app = "attic"; + component = "website"; + }; - spec = { - containers.atticd = { - image = "git.kun.is/home/atticd:fd910d91c2143295e959d2c903e9ea25cf94ba27"; - envFrom = [{ configMapRef.name = "atticd-env"; }]; - ports.web.containerPort = 8080; - args = [ "-f" "/etc/atticd/config.toml" ]; + spec = { + containers.attic = { + image = "git.kun.is/home/atticd:fd910d91c2143295e959d2c903e9ea25cf94ba27"; + envFrom = [{ configMapRef.name = "attic-env"; }]; + ports.web.containerPort = 8080; + args = [ "-f" "/etc/atticd/config.toml" ]; - volumeMounts = [ - { + volumeMounts = [ + { + name = "data"; + mountPath = "/var/lib/atticd/storage"; + } + { + name = "config"; + mountPath = "/etc/atticd/config.toml"; + subPath = "config"; + } + ]; + }; + + volumes = { + data.persistentVolumeClaim.claimName = "attic"; + config.configMap.name = 
"attic-config"; + }; + + securityContext = { + fsGroup = 0; + fsGroupChangePolicy = "OnRootMismatch"; + }; + }; + }; + }; + }; + + attic-db = { + metadata.labels = { + app = "attic"; + component = "database"; + }; + + spec = { + selector.matchLabels = { + app = "attic"; + component = "database"; + }; + + template = { + metadata.labels = { + app = "attic"; + component = "database"; + }; + + spec = { + containers.postgres = { + image = "postgres:15"; + imagePullPolicy = "IfNotPresent"; + ports.postgres.containerPort = 5432; + envFrom = [{ configMapRef.name = "attic-db-env"; }]; + + volumeMounts = [{ name = "data"; - mountPath = "/var/lib/atticd/storage"; - } - { - name = "config"; - mountPath = "/etc/atticd/config.toml"; - subPath = "config"; - } - ]; - }; + mountPath = "/pgdata"; + }]; + }; - volumes = { - data.persistentVolumeClaim.claimName = "attic"; - config.configMap.name = "atticd-config"; - }; - - securityContext = { - fsGroup = 0; - fsGroupChangePolicy = "OnRootMismatch"; + volumes.data.persistentVolumeClaim.claimName = "attic-db"; }; }; }; }; }; - services.atticd.spec = { - selector.app = "atticd"; + services = { + attic.spec = { + selector = { + app = "attic"; + component = "website"; + }; - ports.web = { - port = 80; - targetPort = "web"; + ports.web = { + port = 80; + targetPort = "web"; + }; + }; + + attic-db.spec = { + selector = { + app = "attic"; + component = "database"; + }; + + ports.postgres = { + port = 5432; + targetPort = "postgres"; + }; }; }; }; lab = { - ingresses.atticd = { + ingresses.attic = { host = "attic.kun.is"; entrypoint = "localsecure"; service = { - name = "atticd"; + name = "attic"; portName = "web"; }; }; diff --git a/kubenix-modules/volumes.nix b/kubenix-modules/volumes.nix index d0daefb..4e29cb4 100644 --- a/kubenix-modules/volumes.nix +++ b/kubenix-modules/volumes.nix @@ -22,6 +22,7 @@ sonarr.storage = "150Mi"; bazarr.storage = "25Mi"; attic.storage = "15Gi"; + attic-db.storage = "150Mi"; }; nfsVolumes = { 
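Review bot: The Postgres password in the new `attic-db-env` ConfigMap (and the HS256 signing secret carried over in `attic-env`) is stored as ConfigMap `data`, which Kubernetes RBAC and etcd encryption-at-rest typically do not treat as sensitive; the rendered `attic-config` TOML also embeds `database.url`, which presumably carries the same credentials. Unless the render pipeline already rewrites these objects, declare them as Secrets and point the containers' `envFrom` at `secretRef` instead of `configMapRef` (assuming the kubenix resource set exposes `secrets` the way it exposes `configMaps` here), and mount the TOML from a Secret volume rather than `config.configMap`. The `#/attic/databasePassword` ref also has a leading slash that the neighbouring `#attic/...` refs lack; worth confirming both forms resolve before this is rolled out. Separately, the `attic-db` Service exposes 5432 cluster-wide behind password-only auth and the hunk adds no NetworkPolicy, so any pod in the cluster can reach the database unless one is defined elsewhere.
```nix
secrets = {
  attic-env.stringData.ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64 = "ref+sops://secrets/sops.yaml#attic/jwtToken";
  attic-db-env.stringData = {
    POSTGRES_DB = "attic";
    POSTGRES_USER = "attic";
    POSTGRES_PASSWORD = "ref+sops://secrets/sops.yaml#attic/databasePassword";
    PGDATA = "/pgdata/data";
  };
};
# … unchanged: attic-config configMap, deployment metadata/selectors …
envFrom = [{ secretRef.name = "attic-env"; }];
# … unchanged: volumeMounts, volumes, securityContext, attic-db deployment header …
envFrom = [{ secretRef.name = "attic-db-env"; }];
```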
diff --git a/nixos-modules/data-sharing.nix b/nixos-modules/data-sharing.nix
index 1483d0f..e045acd 100644
--- a/nixos-modules/data-sharing.nix
+++ b/nixos-modules/data-sharing.nix
@@ -70,7 +70,6 @@ in
 authentication = ''
 host nextcloud nextcloud all md5
 host paperless paperless all md5
- host attic attic all md5
 '';
 };
 };
diff --git a/secrets/sops.yaml b/secrets/sops.yaml
index a87a740..6b52808 100644
--- a/secrets/sops.yaml
+++ b/secrets/sops.yaml
@@ -16,9 +16,10 @@ kitchenowl:
 forgejo:
 lfsJwtSecret: ENC[AES256_GCM,data:TZaptdiX/3HT2Q5lHqAOEQBkT3gV49dD6+RIludIcJVA6AevijgDonuVQA==,iv:hwU0K4JjFs8LaSNe5Dqmsj5Vz/w3sOWgSrnEW22bM/M=,tag:RJTDtYqRQdGVQ6PO2V+31g==,type:str]
 internalToken: ENC[AES256_GCM,data:28sIm0OW2G48ZECjCf5WM9/O5kbo54S96aD20MYfGrK0pbxgAwLjL8jXO/dNobSQ+26vet2WKfLbC9MPdBjhsQ5zC/keGHUFw6TPqnuhFchTLnP+JvMoqNZzcRo2kHi/EM93luG6xQvy,iv:Iy+1EVS7lvLust4MPkxyFonna/q1NVzRyMcTSJ3F5oM=,tag:v075jl/jtqcjSkEhRZVO2g==,type:str]
-atticd:
- jwtToken: ENC[AES256_GCM,data:DTiREnIdZxsewzLXeZgERBJKorUuqI71TgmUyKyc8iH6ioJLciU/9wfLiO+ltUA+3eEnuyuJHTpFwtLS0Wrjh5G4kYNkiX6Mw1bEJZnR+x2xJAJmfa4sJw==,iv:8jJfPosy02vezJOA0oKSphUItWqQ0Pr1cc8rBSuSawE=,tag:p+dZBP5+EYHjtTH9EkdYsw==,type:str]
- databaseURL: ENC[AES256_GCM,data:beyFNmbapw9asGHZN52taNx6klO3IQJ7wXbYTvo1NMaFyvo5qk2osocrwkeVv3w8bUWGgbQ/LKLuvg==,iv:qGFwhuLj0ApY9EpclM0x1nVBqXjv8XZC58cy6AE3AtQ=,tag:an+slq4Wlh7/sunX44yxOQ==,type:str]
+attic:
+ jwtToken: ENC[AES256_GCM,data:bEf5v8KhIgyKqyjYOzBmJrZ71GagXqOTH+I3J0Iu+Q3X6XUbGxjwW5/RT3AuJAJ+Owp1Uyk26FmEuurYChG13rBWZ0R85MeMBb2sZ/Q22TXeBxRwzq4Izg==,iv:VlIhxGE8I8W+UFyDLnhUxDzf/us95H86V2FLbsKMSGw=,tag:ynz5eNuxkAl35qzcDNzoAw==,type:str]
+ databaseURL: ENC[AES256_GCM,data:GZcr8hRVIDwhKKwzHygydXAuJpQjKjN95GK+oqb33QgS5HW647+J5wGXxYan9II6iC0N3oSi36cJIkwIjLr9SJhRcjCkdsCZfNrGmT+F9SqUIi8=,iv:HerbEz1oPCE1F1etWHpFkSvulGRU97KPTcrZauIZQNM=,tag:/UXgWvnmCexvxwQONnmATg==,type:str]
+ databasePassword: ENC[AES256_GCM,data:AZXZyNJ6tGG3OU9CgC+bj43471Q=,iv:DoTSTIMLFi1+U7lvkix+QM8tP1tR0TtxuZRKlBneYek=,tag:+zk8TJRUzk9tNYXGLWIN2w==,type:str]
 sops:
 kms: []
 gcp_kms: []
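Review bot: `attic/databasePassword` is added alongside `attic/databaseURL`, and the URL presumably still embeds the same password for Attic's client connection, so a rotation now has to update two encrypted values in lockstep or Attic and the new Postgres will disagree. Consider documenting that coupling next to the keys, e.g. `# databaseURL embeds databasePassword - rotate both together`, or deriving the URL from the password at render time so there is one source of truth. Moving the keys from `atticd` to `attic` also forces sops to re-encrypt every value under the new path, so the changed `jwtToken` ciphertext does not by itself show whether the HS256 signing secret was rotated; if this was meant as a pure rename, verify the plaintext was preserved, and if a rotation was intended, note that existing Attic tokens are invalidated.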
@@ -43,8 +44,8 @@ sops:
 cHJRZWpDdWZlSnh3Qm1GZ28vZ0p0ZjAK7+BS6YQ2cUD21XCISBeNLSUNgNFQfSKI
 zL/AAqsVoBTrEs7s9fxmWmVm21/M3ZTYfU6Z6gIr6YEWe1pehRd6ZQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-05-25T14:05:10Z"
- mac: ENC[AES256_GCM,data:x0PAMb5EtfuOSzfBv0chWBQUz4+grZEZbzRpXp0xKgMX72jFV+RmmJGL4jfaVXFKnNyFRecQn92UhBNHx1JOVmDMdnEY50CNe3+H6oTTNJpgXRjebIs82NtwbQM/0wUB7PPSFjC0cKAONx5djAnXEs9pRUmRyWMI5I0Uhxz9FCA=,iv:H0JuHLcP0P83e4kaY0mPQRFbMRr6uUcTdRquWSD/VbQ=,tag:k72CmvwU5doNldpFlUy/TQ==,type:str]
+ lastmodified: "2024-05-25T14:56:33Z"
+ mac: ENC[AES256_GCM,data:372x93C9PcSp1Snz0zXSwyeOd74wgvoSYClWq4IF7CskFrNgFOl3zDbHtpp2i510LSuzxaPhFuJJm0LXFmHnRJUIgC3D9MyDLxP5Wp0rvfICNmsww9iSNplMN1i3jqHncYtB2rRYN30y5Bo+AJSWto237hcd7fIUgWHGw5Jdk2o=,iv:hzOzgoDQzghTlzKAocnFPPXoBjiZ6VWoJUNbXhdH/OA=,tag:AvyPVMGySMoBQVoNkTdFFQ==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
 version: 3.8.1