From 99893f2ed2072facfa7a24228142d93f954f2404 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Sat, 25 May 2024 16:07:11 +0200 Subject: [PATCH] Migrate hedgedoc database to kubernetes --- kubenix-modules/hedgedoc.nix | 156 ++++++++++++++++++++++++--------- kubenix-modules/volumes.nix | 1 + nixos-modules/data-sharing.nix | 1 - secrets/sops.yaml | 7 +- 4 files changed, 119 insertions(+), 46 deletions(-) diff --git a/kubenix-modules/hedgedoc.nix b/kubenix-modules/hedgedoc.nix index 9fc8b2e..b2dd4a9 100644 --- a/kubenix-modules/hedgedoc.nix +++ b/kubenix-modules/hedgedoc.nix @@ -14,6 +14,13 @@ hedgedoc-config.data.config = lib.generators.toJSON { } { useSSL = false; }; + + hedgedoc-db-env.data = { + POSTGRES_DB = "hedgedoc"; + POSTGRES_USER = "hedgedoc"; + POSTGRES_PASSWORD = "ref+sops://secrets/sops.yaml#/hedgedoc/databasePassword"; + PGDATA = "/pgdata/data"; + }; }; secrets.hedgedoc.stringData = { 
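Review bot: `POSTGRES_PASSWORD` is resolved from `ref+sops://secrets/sops.yaml#/hedgedoc/databasePassword` into `hedgedoc-db-env`, which sits next to `hedgedoc-config` and is consumed later in this patch through `configMapRef`, so the database password lands in a ConfigMap rather than a Secret; ConfigMaps get neither the RBAC separation nor the at-rest encryption that Secrets get, and anyone able to list ConfigMaps in the namespace can read it. The same hunk already keeps `sessionSecret` (and `databaseURL`) under `secrets.hedgedoc.stringData`, so the password belongs there as well, e.g. `secrets.hedgedoc-db.stringData.POSTGRES_PASSWORD = "ref+sops://secrets/sops.yaml#/hedgedoc/databasePassword";` with the database container using `envFrom = [{ secretRef.name = "hedgedoc-db"; }]` for it and the ConfigMap keeping only `POSTGRES_DB`, `POSTGRES_USER` and `PGDATA`. The password is presumably also embedded in the `databaseURL` secret, so a rotation has to change both sops values together or hedgedoc stops authenticating; a comment saying so next to `databasePassword` would save the next person a lockout. The attribute set these entries belong to (presumably `configMaps`) opens outside the hunk.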
@@ -21,66 +28,131 @@ sessionSecret = "ref+sops://secrets/sops.yaml#/hedgedoc/sessionSecret"; }; - deployments.hedgedoc = { - metadata.labels.app = "hedgedoc"; + deployments = { + hedgedoc = { + metadata.labels = { + app = "hedgedoc"; + component = "website"; + }; - spec = { - selector.matchLabels.app = "hedgedoc"; + spec = { + selector.matchLabels = { + app = "hedgedoc"; + component = "website"; + }; - template = { - metadata.labels.app = "hedgedoc"; + template = { + metadata.labels = { + app = "hedgedoc"; + component = "website"; + }; - spec = { - containers.hedgedoc = { - image = "quay.io/hedgedoc/hedgedoc:1.9.9"; - envFrom = [{ configMapRef.name = "hedgedoc-env"; }]; - ports.web.containerPort = 3000; + spec = { + containers.hedgedoc = { + image = "quay.io/hedgedoc/hedgedoc:1.9.9"; + envFrom = [{ configMapRef.name = "hedgedoc-env"; }]; + ports.web.containerPort = 3000; - env = { - CMD_DB_URL.valueFrom.secretKeyRef = { - name = "hedgedoc"; - key = "databaseURL"; + env = { + CMD_DB_URL.valueFrom.secretKeyRef = { + name = "hedgedoc"; + key = "databaseURL"; + }; + + CMD_SESSION_SECRET.valueFrom.secretKeyRef = { + name = "hedgedoc"; + key = "sessionSecret"; + }; }; - CMD_SESSION_SECRET.valueFrom.secretKeyRef = { - name = "hedgedoc"; - key = "sessionSecret"; - }; + volumeMounts = [ + { + name = "uploads"; + mountPath = "/hedgedoc/public/uploads"; + } + { + name = "config"; + mountPath = "/hedgedoc/config.json"; + subPath = "config"; + } + ]; }; - volumeMounts = [ - { - name = "uploads"; - mountPath = "/hedgedoc/public/uploads"; - } - { - name = "config"; - mountPath = "/hedgedoc/config.json"; - subPath = "config"; - } - ]; + volumes = { + uploads.persistentVolumeClaim.claimName = "hedgedoc-uploads"; + config.configMap.name = "hedgedoc-config"; + }; + + securityContext = { + fsGroup = 65534; + fsGroupChangePolicy = "OnRootMismatch"; + }; + }; + }; + }; + }; + + hedgedoc-db = { + metadata.labels = { + app = "hedgedoc"; + component = "database"; + }; + + spec = { + 
selector.matchLabels = { + app = "hedgedoc"; + component = "database"; + }; + + template = { + metadata.labels = { + app = "hedgedoc"; + component = "database"; }; - volumes = { - uploads.persistentVolumeClaim.claimName = "hedgedoc-uploads"; - config.configMap.name = "hedgedoc-config"; - }; + spec = { + containers.postgres = { + image = "postgres:15"; + imagePullPolicy = "IfNotPresent"; + ports.postgres.containerPort = 5432; + envFrom = [{ configMapRef.name = "hedgedoc-db-env"; }]; - securityContext = { - fsGroup = 65534; - fsGroupChangePolicy = "OnRootMismatch"; + volumeMounts = [{ + name = "data"; + mountPath = "/pgdata"; + }]; + }; + + volumes.data.persistentVolumeClaim.claimName = "hedgedoc-db"; }; }; }; }; }; - services.hedgedoc.spec = { - selector.app = "hedgedoc"; + services = { + hedgedoc.spec = { + selector = { + app = "hedgedoc"; + component = "website"; + }; - ports.web = { - port = 80; - targetPort = "web"; + ports.web = { + port = 80; + targetPort = "web"; + }; + }; + + hedgedoc-db.spec = { + selector = { + app = "hedgedoc"; + component = "database"; + }; + + ports.postgres = { + port = 5432; + targetPort = "postgres"; + }; }; }; }; diff --git a/kubenix-modules/volumes.nix b/kubenix-modules/volumes.nix index f8ea4bf..d0daefb 100644 --- a/kubenix-modules/volumes.nix +++ b/kubenix-modules/volumes.nix @@ -2,6 +2,7 @@ lab = { longhornVolumes = { hedgedoc-uploads.storage = "50Mi"; + hedgedoc-db.storage = "100Mi"; freshrss.storage = "400Mi"; radicale.storage = "200Mi"; minecraft.storage = "1Gi"; diff --git a/nixos-modules/data-sharing.nix b/nixos-modules/data-sharing.nix index 99e9bbf..1483d0f 100644 --- a/nixos-modules/data-sharing.nix +++ b/nixos-modules/data-sharing.nix @@ -69,7 +69,6 @@ in authentication = '' host nextcloud nextcloud all md5 - host hedgedoc hedgedoc all md5 host paperless paperless all md5 host attic attic all md5 ''; diff --git a/secrets/sops.yaml b/secrets/sops.yaml index 9f64afd..a87a740 100644 --- a/secrets/sops.yaml 
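Review bot: Both `hedgedoc` and `hedgedoc-db` mount a persistent volume claim (`hedgedoc-uploads`, `hedgedoc-db`) but neither sets `spec.strategy`, so the default RollingUpdate will start the replacement pod while the old one still holds the volume, which for the Postgres pod either stalls the rollout on the volume attach or, if both pods land on one node, lets two postmasters contend for the same `/pgdata/data`; add `strategy.type = "Recreate";` under `spec` of both deployments. The new database pod also diverges from the website pod in ways worth aligning: `image = "postgres:15"` floats across minor releases while hedgedoc is pinned to `1.9.9` (pin a full tag or digest), and it has no `securityContext` although the website pod sets `fsGroup = 65534`, so the container starts as root; the official image is generally run fine with `runAsUser`/`fsGroup` set to the postgres uid once `/pgdata` is writable, which is worth confirming here. `services.hedgedoc-db` exposes 5432 to every pod in the cluster with only password auth in front of it, so unless a NetworkPolicy elsewhere already limits it, one that admits only pods labelled `app = "hedgedoc"; component = "website"` is cheap insurance. A `readinessProbe` running `pg_isready -U hedgedoc` on the postgres container would also keep the Service from routing to it before Postgres accepts connections.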
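Review bot: `hedgedoc-db.storage = "100Mi"` leaves very little headroom for a PostgreSQL data directory: a freshly initialised PostgreSQL 15 cluster already occupies on the order of tens of MB before any hedgedoc rows, and WAL is written in 16 MB segments that the server retains up to `min_wal_size` (80 MB by default), so the volume can fill without much user data and a full volume stops Postgres from committing. Unless Longhorn volumes in this lab are routinely expanded afterwards, size it with margin, e.g. `hedgedoc-db.storage = "1Gi";` as already done for `minecraft`.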
+++ b/secrets/sops.yaml @@ -3,8 +3,9 @@ freshrss: pihole: password: ENC[AES256_GCM,data:RkKI/R+mdN0vJRMVKjBJF4y5PKj2J2keg0CsjCiXgZPvFl6jnPqTnQ==,iv:5waAzXb42SHEKAHmEVoIBCkhIJDCunrvaUNg4YI+1xw=,tag:FjGeyZ5G5Cp0imoIbkoBVw==,type:str] hedgedoc: - databaseURL: ENC[AES256_GCM,data:8VS1+EWCWAA3uQ8MVloSD57o3QKPmhvww8utnE2JJGDFMKb6irCNVwkwjRxr8fSnV+wjUvTONfAv+Wm/VBI2PfYgyaSgQD66BdjnQDicTPR9UHqB,iv:d2VHutdOkeyM1Sqwn3khHPOdZkV43RyDb0jQQUe5AxE=,tag:L3EFLzFW6KJNuWqK8IZ3yw==,type:str] + databaseURL: ENC[AES256_GCM,data:hFJIu3Jan1XknGDl5v//kpwafIz05gdH9n8S9BduWq18tPhwdl3ZPzGuQpCAmbLmZj9TVnTySmb9hVP2j9XEc8czH8J1Kvi5WyR4l58+DZO6XM44l8ttO/EMmx/d2oO0UNMrG3piVPAbpL5iMMIypw==,iv:85XDeM8VEGi3nDsU6TxJZJt5yH8R9UWUJOf2uebf9gQ=,tag:1N6B/JQnqOOAt9VCkLcIRQ==,type:str] sessionSecret: ENC[AES256_GCM,data:Qq2FzcIXWbf7FWm0/K1yMl8tmVdNtv3+DGVST3NM2t9N3IJ+Vbz2PKRy3UX2oPJGthIoXChAaWTNU7WGV2zEBA==,iv:aQvXrbUX3ZCpY2OkFDpbl2XHwCDwLwXjiV2Ny4bjoyE=,tag:wPmROgRmWcvilj/W0RANVQ==,type:str] + databasePassword: ENC[AES256_GCM,data:h3xt+libyQVvG51ttyYF6Lhq3QmYptu7Vx7/lZBytw5I8I1/zLMB6g==,iv:DuWMA82HyuupALguemWJmZ0hUA9oPyXB6tTcy3VFGKk=,tag:4ExOslyo8Kjyn7STpjqYAg==,type:str] nextcloud: databasePassword: ENC[AES256_GCM,data:9mkwB4uKUlt1E20n7Wxr9PnKc1bxkYVO5Ph/dFfcuGA=,iv:U3IUz+7izoaeQi03xghDM1dZK01ICi3+r6r3mvNh8u0=,tag:aGKQyzZX210SNTRlvoHUig==,type:str] paperless-ngx: 
@@ -42,8 +43,8 @@ sops: cHJRZWpDdWZlSnh3Qm1GZ28vZ0p0ZjAK7+BS6YQ2cUD21XCISBeNLSUNgNFQfSKI zL/AAqsVoBTrEs7s9fxmWmVm21/M3ZTYfU6Z6gIr6YEWe1pehRd6ZQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-05-23T18:15:08Z" - mac: ENC[AES256_GCM,data:NUI//u2YJ5w3FyfFBaN7hzdeCKBzmoqMBQ60hhN5vLHf45QNgDtpVo7owaGOClSjaJWMwXHwvVsHWHgu4FlHh6ZPcevjNfZEW8E/kYiczcJTBOyvwuPz7hxSyIRmNC1ijChZgHgKF4ldxm/IscblSIMiLovmgpO5yQre1m89CLg=,iv:uJ22dS/jEKR3/kLbu9CgwgNgEn5YFyv/Kn8dxIwsvFg=,tag:LttLQ6yPD+/kpi7Zt5tZYQ==,type:str] + lastmodified: "2024-05-25T14:05:10Z" + mac: ENC[AES256_GCM,data:x0PAMb5EtfuOSzfBv0chWBQUz4+grZEZbzRpXp0xKgMX72jFV+RmmJGL4jfaVXFKnNyFRecQn92UhBNHx1JOVmDMdnEY50CNe3+H6oTTNJpgXRjebIs82NtwbQM/0wUB7PPSFjC0cKAONx5djAnXEs9pRUmRyWMI5I0Uhxz9FCA=,iv:H0JuHLcP0P83e4kaY0mPQRFbMRr6uUcTdRquWSD/VbQ=,tag:k72CmvwU5doNldpFlUy/TQ==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1