From cfb9f1bb127b69689005ed36a37e470fe79ef632 Mon Sep 17 00:00:00 2001 From: Pim Kunis Date: Sun, 14 Jul 2024 16:20:24 +0200 Subject: [PATCH] feat(hedgedoc): Move to separate k8s namespace --- README.md | 1 + flake-parts/kubenix.nix | 2 + kubenix-modules/all.nix | 1 - kubenix-modules/base.nix | 1 + kubenix-modules/hedgedoc.nix | 170 +++++++++++++++++------------------ kubenix-modules/volumes.nix | 4 +- secrets/kubernetes.yaml | 6 +- 7 files changed, 90 insertions(+), 95 deletions(-) diff --git a/README.md b/README.md index 1291374..94d4fd1 100644 --- a/README.md +++ b/README.md @@ -59,6 +59,7 @@ Currently, the applications being deployed like this are: - `atuin` - `blog` - `nextcloud` +- `hedgedoc` ## Known bugs diff --git a/flake-parts/kubenix.nix b/flake-parts/kubenix.nix index 2796651..e19bfb6 100644 --- a/flake-parts/kubenix.nix +++ b/flake-parts/kubenix.nix @@ -78,4 +78,6 @@ "${self}/kubenix-modules/blog.nix" "blog" "static-websites"; kubenix.nextcloud = mkDeployScriptAndManifest "${self}/kubenix-modules/nextcloud.nix" "nextcloud" "nextcloud"; + kubenix.hedgedoc = mkDeployScriptAndManifest + "${self}/kubenix-modules/hedgedoc.nix" "hedgedoc" "hedgedoc"; }) diff --git a/kubenix-modules/all.nix b/kubenix-modules/all.nix index c2e6deb..6a722aa 100644 --- a/kubenix-modules/all.nix +++ b/kubenix-modules/all.nix @@ -3,7 +3,6 @@ let ./inbucket.nix ./syncthing.nix ./pihole.nix - ./hedgedoc.nix ./paperless.nix ./kitchenowl.nix ./forgejo diff --git a/kubenix-modules/base.nix b/kubenix-modules/base.nix index a351cee..5210af5 100644 --- a/kubenix-modules/base.nix +++ b/kubenix-modules/base.nix @@ -67,6 +67,7 @@ kms = { }; atuin = { }; nextcloud = { }; + hedgedoc = { }; }; nodes = diff --git a/kubenix-modules/hedgedoc.nix b/kubenix-modules/hedgedoc.nix index 2ee7e30..1ba013b 100644 --- a/kubenix-modules/hedgedoc.nix +++ b/kubenix-modules/hedgedoc.nix @@ -1,26 +1,7 @@ { lib, ... }: { kubernetes.resources = { - configMaps = { - hedgedoc-env.data = { - CMD_DOMAIN = "md.kun.is"; - CMD_PORT = "3000"; - CMD_URL_ADDPORT = "false"; - CMD_ALLOW_ANONYMOUS = "true"; - CMD_ALLOW_EMAIL_REGISTER = "false"; - CMD_PROTOCOL_USESSL = "true"; - CMD_CSP_ENABLE = "false"; - }; - - hedgedoc-config.data.config = lib.generators.toJSON { } { - useSSL = false; - }; - - hedgedoc-db-env.data = { - POSTGRES_DB = "hedgedoc"; - POSTGRES_USER = "hedgedoc"; - POSTGRES_PASSWORD = "ref+sops://secrets/kubernetes.yaml#/hedgedoc/databasePassword"; - PGDATA = "/pgdata/data"; - }; + configMaps.hedgedoc-config.data.config = lib.generators.toJSON { } { + useSSL = false; }; secrets.hedgedoc.stringData = { @@ -29,109 +10,108 @@ }; deployments = { - hedgedoc = { - metadata.labels = { + server.spec = { + selector.matchLabels = { app = "hedgedoc"; component = "website"; }; - spec = { - selector.matchLabels = { + template = { + metadata.labels = { app = "hedgedoc"; component = "website"; }; - template = { - metadata.labels = { - app = "hedgedoc"; - component = "website"; - }; + spec = { + containers.hedgedoc = { + image = "quay.io/hedgedoc/hedgedoc:1.9.9"; + ports.web.containerPort = 3000; - spec = { - containers.hedgedoc = { - image = "quay.io/hedgedoc/hedgedoc:1.9.9"; - envFrom = [{ configMapRef.name = "hedgedoc-env"; }]; - ports.web.containerPort = 3000; + env = { + CMD_DOMAIN.value = "md.kun.is"; + CMD_PORT.value = "3000"; + CMD_URL_ADDPORT.value = "false"; + CMD_ALLOW_ANONYMOUS.value = "true"; + CMD_ALLOW_EMAIL_REGISTER.value = "false"; + CMD_PROTOCOL_USESSL.value = "true"; + CMD_CSP_ENABLE.value = "false"; - env = { - CMD_DB_URL.valueFrom.secretKeyRef = { - name = "hedgedoc"; - key = "databaseURL"; - }; - - CMD_SESSION_SECRET.valueFrom.secretKeyRef = { - name = "hedgedoc"; - key = "sessionSecret"; - }; + CMD_DB_URL.valueFrom.secretKeyRef = { + name = "hedgedoc"; + key = "databaseURL"; }; - volumeMounts = [ - { - name = "uploads"; - mountPath = "/hedgedoc/public/uploads"; - } - { - name = "config"; - mountPath = "/hedgedoc/config.json"; - subPath = "config"; - } - ]; + CMD_SESSION_SECRET.valueFrom.secretKeyRef = { + name = "hedgedoc"; + key = "sessionSecret"; + }; }; - volumes = { - uploads.persistentVolumeClaim.claimName = "hedgedoc-uploads"; - config.configMap.name = "hedgedoc-config"; - }; + volumeMounts = [ + { + name = "uploads"; + mountPath = "/hedgedoc/public/uploads"; + } + { + name = "config"; + mountPath = "/hedgedoc/config.json"; + subPath = "config"; + } + ]; + }; - securityContext = { - fsGroup = 65534; - fsGroupChangePolicy = "OnRootMismatch"; - }; + volumes = { + uploads.persistentVolumeClaim.claimName = "uploads"; + config.configMap.name = "hedgedoc-config"; + }; + + securityContext = { + fsGroup = 65534; + fsGroupChangePolicy = "OnRootMismatch"; }; }; }; }; - hedgedoc-db = { - metadata.labels = { + database.spec = { + selector.matchLabels = { app = "hedgedoc"; component = "database"; }; - spec = { - selector.matchLabels = { + template = { + metadata.labels = { app = "hedgedoc"; component = "database"; }; - template = { - metadata.labels = { - app = "hedgedoc"; - component = "database"; - }; + spec = { + containers.postgres = { + image = "postgres:15"; + imagePullPolicy = "IfNotPresent"; + ports.postgres.containerPort = 5432; - spec = { - containers.postgres = { - image = "postgres:15"; - imagePullPolicy = "IfNotPresent"; - ports.postgres.containerPort = 5432; - envFrom = [{ configMapRef.name = "hedgedoc-db-env"; }]; - - volumeMounts = [{ - name = "data"; - mountPath = "/pgdata"; - }]; + env = { + POSTGRES_DB.value = "hedgedoc"; + POSTGRES_USER.value = "hedgedoc"; + POSTGRES_PASSWORD.value = "ref+sops://secrets/kubernetes.yaml#/hedgedoc/databasePassword"; + PGDATA.value = "/pgdata/data"; }; - volumes.data.persistentVolumeClaim.claimName = "hedgedoc-db"; + volumeMounts = [{ + name = "database"; + mountPath = "/pgdata"; + }]; }; + + volumes.database.persistentVolumeClaim.claimName = "database"; }; }; }; }; services = { - hedgedoc.spec = { + server.spec = { selector = { app = "hedgedoc"; component = "website"; @@ -143,7 +123,7 @@ }; }; - hedgedoc-db.spec = { + database.spec = { selector = { app = "hedgedoc"; component = "database"; @@ -158,13 +138,25 @@ }; lab = { - ingresses.hedgedoc = { + ingresses.web = { host = "md.kun.is"; service = { - name = "hedgedoc"; + name = "server"; portName = "web"; }; }; + + longhorn.persistentVolumeClaim = { + uploads = { + volumeName = "hedgedoc-uploads"; + storage = "50Mi"; + }; + + database = { + volumeName = "hedgedoc-db"; + storage = "100Mi"; + }; + }; }; } diff --git a/kubenix-modules/volumes.nix b/kubenix-modules/volumes.nix index 90097d0..a09a69d 100644 --- a/kubenix-modules/volumes.nix +++ b/kubenix-modules/volumes.nix @@ -14,8 +14,6 @@ lab = { longhornVolumes = { - hedgedoc-uploads.storage = "50Mi"; - hedgedoc-db.storage = "100Mi"; minecraft.storage = "1Gi"; pihole-data.storage = "750Mi"; pihole-dnsmasq.storage = "16Mi"; @@ -45,6 +43,8 @@ atuin-db.storage = "300Mi"; nextcloud.storage = "50Gi"; nextcloud-db.storage = "400Mi"; + hedgedoc-uploads.storage = "50Mi"; + hedgedoc-db.storage = "100Mi"; }; nfsVolumes = { diff --git a/secrets/kubernetes.yaml b/secrets/kubernetes.yaml index 43d6d90..fcb81ee 100644 --- a/secrets/kubernetes.yaml +++ b/secrets/kubernetes.yaml @@ -3,7 +3,7 @@ freshrss: pihole: password: ENC[AES256_GCM,data:yqPpovQKmP7NgUMI3w1p8t7RjbxNsMMHZbsNEaleyLJTqnDzNqONsQ==,iv:i+ys/EZelT4a4Sr0RpDto8udk/9yYC6pzl3FiUZQxrQ=,tag:FlvbMN6fuo+VV50YyuMeGg==,type:str] hedgedoc: - databaseURL: ENC[AES256_GCM,data:dmaXh8wnECBOeEtM00Nc6kpVc3NiJbP5gepToAxLrpmpEEH1vs5SdE90Z3+T3qeXrsTQVr/Q6EOocNKMsTe1pcZoEirECk0dwZ3k6s/bUmUJdZgOf0ir6Iy5J8RZYvJz3AnwuFIsIJ79x0+WfEfACQ==,iv:C7D1zY/vu4zc687XA2mwuYEOFtSFDV+/po4tyNw3ks8=,tag:GQGj4TbP7Mcrm+auuaplnw==,type:str] + databaseURL: ENC[AES256_GCM,data:VVz5meJM/SWC9+gWvorSj4ymLRux0vQPbI0kQLFrUGz2bocaRFzDqHAKbF4sd5iSzc6y5LQqwUfOgNoVrKhIROzKxStOmaQAWTLAJvfdReAqQoEaLVuLcZeML9QIhqvdAvPV5kVMznJ1u5YczSA=,iv:wU/GrAYSF2y0JWl0Nz6UuYmII0kCPIZ+UfAGI/1mUsE=,tag:xVOUwd5T6VHZ7vrpj9FMxg==,type:str] sessionSecret: ENC[AES256_GCM,data:FhYr4rFNHmtk9jUcjM4UthepS/5Z4x7WPAE5lTB94WmHrALbzZl2M3JcmibR6/z1FtAJhCsaPZ7Xeg8nOZtU2g==,iv:7soqcd8A+yNfXEZg0qDjOZgfsUIFHfflxByuf7nZk3Y=,tag:x/rmaXo4nTdA080Zl/0MiQ==,type:str] databasePassword: ENC[AES256_GCM,data:Fv1qeGvXZ93KvdFCCz9t9Dzhe7wKGOfR0lj64lzRM3s48E5FYdrH0w==,iv:cqhIOUKiSSkBpf95Eza9C9l8PX6YmTBpvBAR4+ibgeA=,tag:r8ZvF6l8oNeOt3d5UCA7Ww==,type:str] nextcloud: @@ -50,8 +50,8 @@ sops: aHpYZ2VtdVBVTkxZbGFOYzRpbGltZHMKJs4E+CsthuzQZqA0Yip4G/1XK4SuoiRP Lo65L33lfNibdSOeIygqnyo6GBwjD52TcNQpvzkVbr3M3hWlJs8wCA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-07-12T11:55:18Z" - mac: ENC[AES256_GCM,data:X2uCQfFmVkRq2OSClVlLO9zzmY/jj/B8Qo4dln93KJLRr4g2wdTQVbJWBtLDUMotlHs6b27nJc8T1wTR9/4Q1xqh92DjGeWZQmA5VbBgWuOmCB1xOE8eAFY1rVCT7e2uAFuHknxKhOS2KfOxZyGc4AJ7weXs9bLJWe5i0PSesvA=,iv:KWii9fvWUECng8Nb82nV87HR+BPIyYEfJKZHOrGPjiw=,tag:89xRQre8WahRSt1I6AweYg==,type:str] + lastmodified: "2024-07-14T14:19:35Z" + mac: ENC[AES256_GCM,data:JDlXC7OACi6h78yEMOrJa8Nt/yOlV5es/vhq53UfjlCWEW3Q7haf9eeeTtfRbZ5fubp41M31zkW8fX0vBs7ynq78/3ZY4NDvQqkm6uw4OjDhebfpjqDt4FimUijZM+6GooR12ejWULCLm5oIfR7jsOJKaD7xWTQf+585MBQSIIk=,iv:lTz1X4Dr3B052mjtKaAA/UPJ7myd571INxn6j3oII7I=,tag:AfKcTAY+wPvQUwQrfSNsxA==,type:str] pgp: [] unencrypted_suffix: _unencrypted version: 3.8.1