Merge pull request #3539 from rxbn/feat/firefly

feat: add firefly

apps/README.md

@@ -4,6 +4,7 @@ This directory contains all other common applications.
 
 ## Contents
 
+- **firefly** is a self-hosted, open source, and privacy-first personal finance manager
 - **gitlab** contains gitlab and other gitlab related applications
 - **keycloak** identity and access management
 - **nextcloud** self-hosted cloud similar to iCloud

apps/firefly/firefly/deployment.yaml

@@ -0,0 +1,107 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: firefly
+  namespace: firefly
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: firefly
+  strategy:
+    type: Recreate
+  template:
+    metadata:
+      labels:
+        app: firefly
+    spec:
+      initContainers:
+        - name: wait-for-database
+          image: busybox:1.37.0
+          command:
+            - sh
+            - -c
+            - |
+              echo 'Waiting for PostgreSQL to become ready...'
+              until printf "." && nc -z -w 2 firefly-postgres-rw.firefly.svc.cluster.local 5432; do
+                  sleep 2;
+              done;
+              echo 'PostgreSQL OK ✓'
+          securityContext:
+            allowPrivilegeEscalation: false
+            runAsUser: 1000
+            runAsGroup: 1000
+            runAsNonRoot: true
+          resources:
+            requests:
+              cpu: 10m
+              memory: 16Mi
+            limits:
+              cpu: 10m
+              memory: 16Mi
+      containers:
+        - name: firefly
+          image: fireflyiii/core:version-6.1.21
+          env:
+            - name: DB_CONNECTION
+              value: pgsql
+            - name: DB_HOST
+              value: firefly-postgres-rw.firefly.svc.cluster.local
+            - name: DB_PORT
+              value: "5432"
+            - name: DB_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: firefly-postgres-app
+                  key: username
+            - name: DB_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: firefly-postgres-app
+                  key: password
+            - name: DB_DATABASE
+              valueFrom:
+                secretKeyRef:
+                  name: firefly-postgres-app
+                  key: dbname
+            - name: TRUSTED_PROXIES
+              value: "*"
+            - name: AUTHENTICATION_GUARD
+              value: remote_user_guard
+            - name: AUTHENTICATION_GUARD_HEADER
+              value: HTTP_REMOTE_USER
+          envFrom:
+            - secretRef:
+                name: firefly
+          volumeMounts:
+            - name: firefly-uploads
+              mountPath: /var/www/html/storage/upload
+          ports:
+            - containerPort: 8080
+          # startupProbe:
+          #   httpGet:
+          #     path: /health
+          #     port: 9000
+          #   initialDelaySeconds: 30
+          #   timeoutSeconds: 1
+          #   failureThreshold: 60
+          #   periodSeconds: 5
+          # livenessProbe:
+          #   httpGet:
+          #     path: /health/live
+          #     port: 9000
+          #   initialDelaySeconds: 0
+          #   timeoutSeconds: 5
+          # readinessProbe:
+          #   httpGet:
+          #     path: /health/ready
+          #     port: 9000
+          #   initialDelaySeconds: 10
+          #   timeoutSeconds: 1
+      restartPolicy: Always
+      automountServiceAccountToken: false
+      volumes:
+        - name: firefly-uploads
+          persistentVolumeClaim:
+            claimName: firefly-uploads

apps/firefly/firefly/ingress.yaml

@@ -0,0 +1,28 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: firefly
+  namespace: firefly
+  annotations:
+    nginx.ingress.kubernetes.io/auth-url: "https://oauth2-proxy.${BASE_DOMAIN}/oauth2/auth"
+    nginx.ingress.kubernetes.io/auth-signin: "https://oauth2-proxy.${BASE_DOMAIN}/oauth2/start?rd=$scheme://$best_http_host$request_uri"
+    nginx.ingress.kubernetes.io/auth-response-headers: "x-auth-request-user, x-auth-request-email, x-auth-request-access-token"
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      auth_request_set $authHeader1 $upstream_http_x_auth_request_email;
+      proxy_set_header 'remote-user' $authHeader1;
+    cloudflare-operator.io/content: ${BASE_DOMAIN}
+    cloudflare-operator.io/type: CNAME
+spec:
+  ingressClassName: nginx
+  rules:
+    - host: firefly.${BASE_DOMAIN}
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: firefly
+                port:
+                  number: 8080

apps/firefly/firefly/kustomization.yaml

@@ -0,0 +1,9 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - deployment.yaml
+  - ingress.yaml
+  - service.yaml
+  - secret.yaml
+  - persistentvolumeclaim.yaml

apps/firefly/firefly/persistentvolumeclaim.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: firefly-uploads
+  namespace: firefly
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: nvme
+  resources:
+    requests:
+      storage: 100Mi

apps/firefly/firefly/secret.template

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: firefly
+    namespace: firefly
+type: Opaque
+stringData:
+    APP_KEY:

apps/firefly/firefly/secret.yaml

@@ -0,0 +1,40 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: firefly
+    namespace: firefly
+type: Opaque
+stringData:
+    APP_KEY: ENC[AES256_GCM,data:7KsB6CgrjCKf8hxd/Qc/hHveGsne0/V5CR1Tfk/5FRk=,iv:zQrPE15qjXpz0rHoyCrANiTMopgrIOzbPcXnTGMQOXI=,tag:i1ueF9UnscVn5dRnIwUujw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2024-10-05T14:21:50Z"
+    mac: ENC[AES256_GCM,data:IL4R3HGSbIB7r+oQ6JGZYAacehZM8DUTW+VXeSb3BnApi5jlyp6jSBKdr5bIRwseU0ESVNSF9hBI07+t+qIs918uOTNHUeJ2GaEoU2pCXXyvFbX7Y9dc65a9NSz9ZaDU2PDeOylsMla8NGyCVFCptfsys3AU8eamQYuEp7dLew8=,iv:u7cSJdqaSz643Vko1ozHy+CSNuSMda2uWLwJ8QE9Y9A=,tag:TKZO2ylxq0NKqLXGdvlOIw==,type:str]
+    pgp:
+        - created_at: "2024-10-05T14:21:50Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA8LTdrN3Uc5/AQ/9Gj3VzxZYbMgu63SC3GHsOnRWPJ66cj5ICUiblncrib78
+            5x9d3ZncB9KWiAVveVAUdHe5lA9NXU8cZoq3yddY/OAHD/3xWOyO602Eu2V1EWBR
+            1XRMB/xke7WROtCPogZYntpdmIivaUY9FeEd9cRg1sGXXYmW305lSqgs/s88dWWE
+            kBKQ5t3N1psbx//C8w2FS+8C/m/Mmei6F9XKvMsrRDCcj0OzaTYCz/dTPLta3+67
+            5uRput5eQYSYeDbmAUV61MpcO/i3srtsjA/Sciw0mztQnaAnlCw1+vV6m0UNJ6vu
+            zf8yzcDJIN2JZrRHkDgDGwa2EFg8pxk8S2u18XPL6CjyuRRJFjd7TMbFSeICGplz
+            e98sBH/LEHHQfZ+Lwf1/3YcGvT4QA18dP5SggVK3IIWf0oXCZ8EQVXUSnn/2C3kP
+            oMGeOf98D3VVBk9MypLjHKK623zNK8SuOT1x+T48j1xWD4Czjp0il0UtGc11tnqP
+            mAv/BqkM58NWQdEgkZ9AosV3NXBNeqRcoc/0RO8aPZxLd/jz8Z6J7PbG4Mp6/Tjy
+            yCKit07ABwNvE7lHk2FIjz507aR67NEewHrtA7s55tXY+CSQCFsPDWYH+C/AeK9W
+            12s92Kge2jeinJXqb0fioZZmz3OSKsuQSZoxm4MTVIun172faAXJdtrWCrFD+hjU
+            aAEJAhAZcw7eexi7S/f58QB7m5jw7djsqgvL8YjcbpTIXmbpS+djCVWQpiYAKKRA
+            9LKDDDiNBTVHZemiaGY9RpeEttu0MkrWkii6dHLYDTgNMDPkDEaff0NkhQTcsErn
+            g9c39/bquLoi
+            =ADFM
+            -----END PGP MESSAGE-----
+          fp: 4988A3C9ED6515B2E192F0ABE42278AB326CB047
+    encrypted_regex: ^(data|stringData)$
+    version: 3.9.1

apps/firefly/firefly/service.yaml

@@ -0,0 +1,17 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: firefly
+  namespace: firefly
+spec:
+  ports:
+    - port: 8080
+      targetPort: 8080
+  selector:
+    app: firefly
+  ipFamilyPolicy: PreferDualStack
+  ipFamilies:
+    - IPv4
+    - IPv6
+  type: ClusterIP

apps/firefly/kustomization.yaml

@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - firefly
+  - postgres

apps/firefly/postgres/kustomization.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - postgres.yaml
+  - scheduledbackup.yaml
+  - secret.yaml

apps/firefly/postgres/postgres.yaml

@@ -0,0 +1,32 @@
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: firefly-postgres
+  namespace: firefly
+spec:
+  instances: 1
+  imageName: ghcr.io/cloudnative-pg/postgresql:16.4
+  storage:
+    size: 20Gi
+  bootstrap:
+    initdb:
+      database: firefly
+  backup:
+    barmanObjectStore:
+      destinationPath: s3://db-backups
+      endpointURL: http://minio.minio.svc.cluster.local:9000
+      s3Credentials:
+        accessKeyId:
+          name: db-backup
+          key: accessKey
+        secretAccessKey:
+          name: db-backup
+          key: secretKey
+      wal:
+        compression: gzip
+      data:
+        compression: gzip
+    retentionPolicy: 3d
+  monitoring:
+    enablePodMonitor: true

apps/firefly/postgres/scheduledbackup.yaml

@@ -0,0 +1,10 @@
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: ScheduledBackup
+metadata:
+  name: firefly-postgres
+  namespace: firefly
+spec:
+  schedule: 0 0 2 * * SUN
+  cluster:
+    name: firefly-postgres

apps/firefly/postgres/secret.template

@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: db-backup
+    namespace: firefly
+type: Opaque
+stringData:
+    accessKey:
+    secretKey:

apps/firefly/postgres/secret.yaml

@@ -0,0 +1,41 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: db-backup
+    namespace: firefly
+type: Opaque
+stringData:
+    accessKey: ENC[AES256_GCM,data:tVaQQhtwhnMGpA==,iv:5QqWllwzsC17o75JriqnC7cQtZzNQTjq6aUuXe2Fh50=,tag:Q2ksA5jldT1utDh/heDS2A==,type:str]
+    secretKey: ENC[AES256_GCM,data:vkM7YwZpjLzlyrNU7ZvR6HOZ+nS/iHCONI6+/emYFwvX1ONSXrlMhApK/bZrXiIMNHcWkYnvgxjY87bGP8GqBA==,iv:7zS6wTiyZjSvjEgjj+pc1hufOh/6/ntxLe4eWpx5+qw=,tag:pjDKjwZr6jSTWRiOkHfX+A==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2024-10-05T14:10:16Z"
+    mac: ENC[AES256_GCM,data:BqTNoBI3CECFBwezlKf4UaPB3YX//9IAK7kMVvFI/sD21xrrp0XnMZrB2v0jEA8om5Dx5pMAtiIr05aJ8Up7uxD37njf3SPkFAV1cw+PoyjHZd8jLm3WgkujmslsWpNP1qXkZuiHTUuG4WW4Dt6pGiLpyuA7gMl+MnAl1BVsj74=,iv:Ay3Ex/mzbCHm7pzWSQNRG2yL4qVn5YkjRnzbgGvvMoE=,tag:qFreoOrDbVHBvPITgAM80g==,type:str]
+    pgp:
+        - created_at: "2024-10-05T14:10:16Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA8LTdrN3Uc5/AQ//SxeMwoue34ho+UGfeL8AT9OYfhFL6Dp2fNNryeJ0pEQA
+            1avLCYd6UTo9xxgBFkgOyWOgTDl+IEREoVj3XE9uEtCmoO4rOJmGbWHdhjZuVfD7
+            kfmuYBSiacms7+KzH86gTzBGh5Jz35EDlRVLTdN/dskTFTsadmeULQOjj5RALQbt
+            NMqEwh7n5EMlTGC3hWoZbQeG/Uv2el/LLzYO69ZpFg7K7zc1/rYaBWT/N+FoU9s0
+            UMdZvz9sK9EbvdQ/5we34Y+fN6t5GNW+X6rTOvBwZApQCJgocVE/eGJsbbkmszPx
+            YDNrE/4k79+2Ljr/hGirLcXdDXZBVho2cgMg/u3ra7IM3Q/kt9ZAFGLFDO/qBzoD
+            X46/KaEMRy/WEuo/OicTKGXXQ93SNnIfapNmyfRxn8N/VXbIdyRODWc4CjIz7Iw5
+            RO25yiYqu8TtXTBv3JD5+mi+TI/NW1aUjDkQnTMXWsI1CQACMaf6RPJK9uf+cH1s
+            NVZfnW2NmrESw5xOnBifFFwu4XGahedtZDWNCDDGaMaYUHJWQHggBLHlTB6jnpqB
+            +gTp48eww3EPTP7s9IUNSR3/Tb5e1Dr9UlYguREvtCV21fAjdlQ9ZN7TrLJcZGsm
+            Z8BcUI2CKkr1TVoi+kKePcG7TUu8b2fCvTFegwFrLaKGDTR3DSHxlItuSZb2i9rU
+            aAEJAhArj+DUYx9JKCUo8iIJBDld3qepPPp7vrTOsbZm0/zm7Q/q5N9KCnDx4NIE
+            8K6+uOmzbOL4Ijt+60lkayDQKhAk8icd0BkwZsqD6zgrf+7qDXU7EmrRnQjyXkm0
+            KOND2oUsu62/
+            =o9/G
+            -----END PGP MESSAGE-----
+          fp: 4988A3C9ED6515B2E192F0ABE42278AB326CB047
+    encrypted_regex: ^(data|stringData)$
+    version: 3.9.1

apps/kustomization.yaml

@@ -2,6 +2,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+  - firefly
   - nextcloud
   - gitlab
   - usenet

core/namespaces/firefly.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: firefly

core/namespaces/kustomization.yaml

@@ -19,5 +19,6 @@ resources:
   - cert-manager.yaml
   - teslamate.yaml
   - minio.yaml
+  - firefly.yaml
   - monitoring.yaml
   - cilium.yaml