diff --git a/README.md b/README.md
index 8ff5002..915f974 100644
--- a/README.md
+++ b/README.md
@@ -66,6 +66,7 @@ Currently, the applications being deployed like this are:
 - `syncthing`
 - `pihole`
 - `immich`
+- `attic`
 ## Known bugs
diff --git a/flake-parts/kubenix.nix b/flake-parts/kubenix.nix
index f47fbf6..2844ede 100644
--- a/flake-parts/kubenix.nix
+++ b/flake-parts/kubenix.nix
@@ -92,4 +92,6 @@
 "${self}/kubenix-modules/pihole.nix" "pihole" "pihole";
 kubenix.immich = mkDeployScriptAndManifest
 "${self}/kubenix-modules/immich.nix" "immich" "immich";
+ kubenix.attic = mkDeployScriptAndManifest
+ "${self}/kubenix-modules/attic.nix" "attic" "attic";
 })
diff --git a/kubenix-modules/all.nix b/kubenix-modules/all.nix
index ca94a07..b07e1a4 100644
--- a/kubenix-modules/all.nix
+++ b/kubenix-modules/all.nix
@@ -4,7 +4,6 @@ let
 ./media.nix
 ./bind9
 ./dnsmasq.nix
- ./attic.nix
 # ./argo.nix
 # ./minecraft.nix
 ];
diff --git a/kubenix-modules/attic.nix b/kubenix-modules/attic.nix
index ea74001..b8fe530 100644
--- a/kubenix-modules/attic.nix
+++ b/kubenix-modules/attic.nix
@@ -2,7 +2,10 @@ kubernetes.resources = let
 atticSettings = {
- database.url = "ref+sops://secrets/kubernetes.yaml#attic/databaseURL";
+ # The '+" is to explicitly denote the end of the Vals expression.
+ # This is done because we quote the template for the INI file.
+ # See: https://github.com/helmfile/vals?tab=readme-ov-file#expression-syntax
+ database.url = "ref+sops://secrets/kubernetes.yaml#attic/databaseURL+";
 storage = {
 type = "local";
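Review bot: The new comment above `database.url` has a mismatched quote and names the wrong file format: it writes `'+"` and speaks of an INI file, while the `in` block shown as context in the next hunk renders `atticSettings` with `pkgs.formats.toml` into `attic.toml`. Suggest replacing the first two comment lines with `# The trailing '+' explicitly terminates the vals expression, because the rendered TOML value is quoted.` and keeping the link line as is. The sops path forms also differ between refs in this file (`#attic/databaseURL` here, `#/attic/databasePassword` in the next hunk); if vals accepts both spellings, a one-line note saying so would save the next reader a check. The enclosing `atticSettings` attrset ends outside this hunk.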
@@ -37,104 +40,99 @@ generatedConfig = (pkgs.formats.toml { }).generate "attic.toml" atticSettings; in { - configMaps = { - attic-env.data.ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64 = "ref+sops://secrets/kubernetes.yaml#attic/jwtToken"; - attic-config.data.config = builtins.readFile generatedConfig; + configMaps.config.data.config = builtins.readFile generatedConfig; - attic-db-env.data = { - POSTGRES_DB = "attic"; - POSTGRES_USER = "attic"; - POSTGRES_PASSWORD = "ref+sops://secrets/kubernetes.yaml#/attic/databasePassword"; - PGDATA = "/pgdata/data"; - }; + secrets = { + server.stringData.token = "ref+sops://secrets/kubernetes.yaml#attic/jwtToken"; + database.stringData.password = "ref+sops://secrets/kubernetes.yaml#/attic/databasePassword"; }; deployments = { - attic = { - metadata.labels = { + attic.spec = { + selector.matchLabels = { app = "attic"; component = "website"; }; - spec = { - selector.matchLabels = { + template = { + metadata.labels = { app = "attic"; component = "website"; }; - template = { - metadata.labels = { - app = "attic"; - component = "website"; + spec = { + containers.attic = { + image = "git.kun.is/home/atticd:fd910d91c2143295e959d2c903e9ea25cf94ba27"; + ports.web.containerPort = 8080; + args = [ "-f" "/etc/atticd/config.toml" ]; + + env.ATTIC_SERVER_TOKEN_HS256_SECRET_BASE64.valueFrom.secretKeyRef = { + name = "server"; + key = "token"; + }; + + volumeMounts = [ + { + name = "data"; + mountPath = "/var/lib/atticd/storage"; + } + { + name = "config"; + mountPath = "/etc/atticd/config.toml"; + subPath = "config"; + } + ]; }; - spec = { - containers.attic = { - image = "git.kun.is/home/atticd:fd910d91c2143295e959d2c903e9ea25cf94ba27"; - envFrom = [{ configMapRef.name = "attic-env"; }]; - ports.web.containerPort = 8080; - args = [ "-f" "/etc/atticd/config.toml" ]; + volumes = { + data.persistentVolumeClaim.claimName = "data"; + config.configMap.name = "config"; + }; - volumeMounts = [ - { - name = "data"; - mountPath = "/var/lib/atticd/storage"; - 
} - { - name = "config"; - mountPath = "/etc/atticd/config.toml"; - subPath = "config"; - } - ]; - }; - - volumes = { - data.persistentVolumeClaim.claimName = "attic"; - config.configMap.name = "attic-config"; - }; - - securityContext = { - fsGroup = 0; - fsGroupChangePolicy = "OnRootMismatch"; - }; + securityContext = { + fsGroup = 0; + fsGroupChangePolicy = "OnRootMismatch"; }; }; }; }; - attic-db = { - metadata.labels = { + attic-db.spec = { + selector.matchLabels = { app = "attic"; component = "database"; }; - spec = { - selector.matchLabels = { + template = { + metadata.labels = { app = "attic"; component = "database"; }; - template = { - metadata.labels = { - app = "attic"; - component = "database"; - }; + spec = { + containers.postgres = { + image = "postgres:15"; + imagePullPolicy = "IfNotPresent"; + ports.postgres.containerPort = 5432; - spec = { - containers.postgres = { - image = "postgres:15"; - imagePullPolicy = "IfNotPresent"; - ports.postgres.containerPort = 5432; - envFrom = [{ configMapRef.name = "attic-db-env"; }]; + env = { + POSTGRES_DB.value = "attic"; + POSTGRES_USER.value = "attic"; + PGDATA.value = "/pgdata/data"; - volumeMounts = [{ - name = "data"; - mountPath = "/pgdata"; - }]; + POSTGRES_PASSWORD.valueFrom.secretKeyRef = { + name = "database"; + key = "password"; + }; }; - volumes.data.persistentVolumeClaim.claimName = "attic-db"; + volumeMounts = [{ + name = "data"; + mountPath = "/pgdata"; + }]; }; + + volumes.data.persistentVolumeClaim.claimName = "database"; }; }; }; @@ -153,7 +151,7 @@ }; }; - attic-db.spec = { + database.spec = { selector = { app = "attic"; component = "database"; @@ -170,12 +168,23 @@ lab = { ingresses.attic = { host = "attic.kun.is"; - # entrypoint = "localsecure"; service = { name = "attic"; portName = "web"; }; }; + + longhorn.persistentVolumeClaim = { + data = { + volumeName = "attic"; + storage = "15Gi"; + }; + + database = { + volumeName = "attic-db"; + storage = "150Mi"; + }; + }; }; } 
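Review bot: The rendered `attic.toml` is still delivered through a ConfigMap (`configMaps.config.data.config = builtins.readFile generatedConfig;` mounted via `config.configMap.name = "config";`), while this same hunk moves the JWT token and the Postgres password into `secrets`; the `database.url` inside that TOML is itself a sops ref and, if it embeds the database password as connection URLs commonly do, it is now the one credential left in a non-Secret resource. Consider `secrets.config.stringData.config = builtins.readFile generatedConfig;` with the mount sourced from `config.secret.secretName = "config";` so that Secret-level RBAC and any encryption at rest cover it. The resource names `config`, `server`, `database` and `data` are also very generic; that is only safe if each application gets its own namespace, which the `attic = { }` entry added in base.nix appears to arrange — a short comment stating that assumption would help. The `kubernetes.resources` attrset containing these deployments ends outside this hunk.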
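Review bot: The PVC sizes added under `longhorn.persistentVolumeClaim` (`storage = "15Gi"` for `data`, `"150Mi"` for `database`) duplicate the `attic.storage` / `attic-db.storage` values moved into the `longhorn.persistentVolume` block of volumes.nix, and a claim requesting more than its `volumeName` target provides will not bind; a comment such as `# Sizes must match the PVs in volumes.nix` on the `longhorn.persistentVolumeClaim` line would keep the two places in step. Dropping the commented `# entrypoint = "localsecure";` line also removes the only hint that a restricted entrypoint was considered for `attic.kun.is`; if serving the cache on the default entrypoint is intended, a short comment on `ingresses.attic` saying so would make the choice explicit.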
diff --git a/kubenix-modules/base.nix b/kubenix-modules/base.nix
index f19a1e3..b9d05b6 100644
--- a/kubenix-modules/base.nix
+++ b/kubenix-modules/base.nix
@@ -74,6 +74,7 @@ syncthing = { };
 pihole = { };
 immich = { };
+ attic = { };
 };
 nodes =
diff --git a/kubenix-modules/volumes.nix b/kubenix-modules/volumes.nix
index b1bedb3..0890cd7 100644
--- a/kubenix-modules/volumes.nix
+++ b/kubenix-modules/volumes.nix
@@ -32,8 +32,6 @@ prowlarr.storage = "150Mi";
 sonarr.storage = "150Mi";
 bazarr.storage = "25Mi";
- attic.storage = "15Gi";
- attic-db.storage = "150Mi";
 };
 longhorn.persistentVolume = {
@@ -55,6 +53,8 @@ pihole-dnsmasq.storage = "16Mi";
 immich.storage = "50Gi";
 immich-db.storage = "5Gi";
+ attic.storage = "15Gi";
+ attic-db.storage = "150Mi";
 };
 nfsVolumes = {
diff --git a/secrets/kubernetes.yaml b/secrets/kubernetes.yaml
index fcb81ee..6fa7adf 100644
--- a/secrets/kubernetes.yaml
+++ b/secrets/kubernetes.yaml
@@ -19,7 +19,7 @@ forgejo: jwtSecret: ENC[AES256_GCM,data:ZIGOR53XCE1kGPQIpaY6ImbLMISbTpmC8R1oRFbjQGxHDG9dQuBigyjs5w==,iv:14WHd/RwniA7+YFGGrs+oyHx5Cc9G+D/IV9aBqn3KOI=,tag:+3LiFnV3Emx4i4efSRmthw==,type:str] attic: jwtToken: ENC[AES256_GCM,data:nAuryLY1xD9ur3qDcsJXPJPLFcPwssPKv+/BoivZ4aO6ec6rmOaYAkSRsBjgANyKhssbn0fhGsdyhMBwdHTXDnnIo67amFdxxSe+jJlGtcBXcekaOfD0Ug==,iv:h+h7CD8oI8u2ItzD/KKM16FKaG2xuVqIKh4r1TGjYtw=,tag:Er141FCK8usfzRRtrawHOw==,type:str] - databaseURL: ENC[AES256_GCM,data:F2XyCgXRuebQgvkHGz8DVM2z53sC0/8GzVN6P6iJjrVxB522BJnGlw0YdFBg5K9xMWRhuzxRgDJ+ySfIb8HTtFvlF8Ifx41vFZV1zSpmDMzo4/0=,iv:wp3sg+Y9kgGH5GZZDxAE2CpzDvJeV1mH8mfHRPB17Ys=,tag:IhGRIq/qPT0vSbv/L1ODYg==,type:str] + databaseURL: ENC[AES256_GCM,data:caKIXEAOIqWl1tjZItabbdYjotKjMwrPYJKR8mj/Zs0LkrUhOzOlyybNIhHAR/5rqHZlAhimVnVIxh/95g6AJOCNNukbForHUbj/PxkVUG8E,iv:9uh9FyN7n7M+FMLe5G/Z3NmbCgqc3t2SRocc4xL/Qbc=,tag:4JAb3qJUMIkBrAIAuKhjWQ==,type:str] databasePassword: ENC[AES256_GCM,data:Zwv5DKkihOUU/yL1tvbZl1+bPtI=,iv:C+6n6RHo1zTUJ/g0DWCWNxtLbusoYmDHMySsea5Jpz0=,tag:+pyw0WqnX5rMQxSl/48L5A==,type:str] atuin: databaseURL: ENC[AES256_GCM,data:IBmND/J2Pzz+CDCeNBRtErxSQIi8PeUuLGN4rIXKSLwZ6TGJKcNmbuxQDvWkCnI1crx3oak=,iv:wc3G/00oIuaiGF4mA2vIm35wFGxT0a3Ox3k1C9YBAx4=,tag:MQPcsR+vrD85DttYYi6jUw==,type:str] 
@@ -50,8 +50,8 @@ sops: aHpYZ2VtdVBVTkxZbGFOYzRpbGltZHMKJs4E+CsthuzQZqA0Yip4G/1XK4SuoiRP Lo65L33lfNibdSOeIygqnyo6GBwjD52TcNQpvzkVbr3M3hWlJs8wCA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-07-14T14:19:35Z" - mac: ENC[AES256_GCM,data:JDlXC7OACi6h78yEMOrJa8Nt/yOlV5es/vhq53UfjlCWEW3Q7haf9eeeTtfRbZ5fubp41M31zkW8fX0vBs7ynq78/3ZY4NDvQqkm6uw4OjDhebfpjqDt4FimUijZM+6GooR12ejWULCLm5oIfR7jsOJKaD7xWTQf+585MBQSIIk=,iv:lTz1X4Dr3B052mjtKaAA/UPJ7myd571INxn6j3oII7I=,tag:AfKcTAY+wPvQUwQrfSNsxA==,type:str] + lastmodified: "2024-07-16T16:10:38Z" + mac: ENC[AES256_GCM,data:VL8fsI2LWvXttPJDi+3TVBec/Ot4CFSM8MWVWu81YJAkG0V7FpUcmJ44PaaknzyISpZGo5hmpJOx8c/ad3CO5Mq1ZIGCf/vyN6iGHFD3tEOsxlp4puJcsoNgM2my5tQ7mRjNZrvgrmoDYinsFRHT+u0DWOcL8A8g8fLOOd/T5KA=,iv:KRW+aFyyYd/S9SMA19GiTQqDyk4b9CdgL5fNqvG9Kew=,tag:8sCbi0s4SJa38sX00qKb8g==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1