From 125c5fabc7942a68d97e20792a6a33635d34f454 Mon Sep 17 00:00:00 2001
From: Robin Scherrer
Date: Sat, 5 Oct 2024 16:53:30 +0200
Subject: [PATCH] feat: add firefly
---
apps/README.md | 1 +
apps/firefly/firefly/deployment.yaml | 107 ++++++++++++++++++
apps/firefly/firefly/ingress.yaml | 28 +++++
apps/firefly/firefly/kustomization.yaml | 9 ++
.../firefly/persistentvolumeclaim.yaml | 13 +++
apps/firefly/firefly/secret.template | 8 ++
apps/firefly/firefly/secret.yaml | 40 +++++++
apps/firefly/firefly/service.yaml | 17 +++
apps/firefly/kustomization.yaml | 6 +
apps/firefly/postgres/kustomization.yaml | 7 ++
apps/firefly/postgres/postgres.yaml | 32 ++++++
apps/firefly/postgres/scheduledbackup.yaml | 10 ++
apps/firefly/postgres/secret.template | 9 ++
apps/firefly/postgres/secret.yaml | 41 +++++++
apps/kustomization.yaml | 1 +
core/namespaces/firefly.yaml | 5 +
core/namespaces/kustomization.yaml | 1 +
17 files changed, 335 insertions(+)
create mode 100644 apps/firefly/firefly/deployment.yaml
create mode 100644 apps/firefly/firefly/ingress.yaml
create mode 100644 apps/firefly/firefly/kustomization.yaml
create mode 100644 apps/firefly/firefly/persistentvolumeclaim.yaml
create mode 100644 apps/firefly/firefly/secret.template
create mode 100644 apps/firefly/firefly/secret.yaml
create mode 100644 apps/firefly/firefly/service.yaml
create mode 100644 apps/firefly/kustomization.yaml
create mode 100644 apps/firefly/postgres/kustomization.yaml
create mode 100644 apps/firefly/postgres/postgres.yaml
create mode 100644 apps/firefly/postgres/scheduledbackup.yaml
create mode 100644 apps/firefly/postgres/secret.template
create mode 100644 apps/firefly/postgres/secret.yaml
create mode 100644 core/namespaces/firefly.yaml
diff --git a/apps/README.md b/apps/README.md
index 986e0c7ab..a562e70df 100644
--- a/apps/README.md
+++ b/apps/README.md
@@ -4,6 +4,7 @@ This directory contains all other common applications. ## Contents +- **firefly** is a self-hosted, open source, and privacy-first personal finance manager - **gitlab** contains gitlab and other gitlab related applications - **keycloak** identity and access management - **nextcloud** self-hosted cloud similar to iCloud
diff --git a/apps/firefly/firefly/deployment.yaml b/apps/firefly/firefly/deployment.yaml
new file mode 100644
index 000000000..cd5a790d9
--- /dev/null
+++ b/apps/firefly/firefly/deployment.yaml
@@ -0,0 +1,107 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: firefly
+ namespace: firefly
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: firefly
+ strategy:
+ type: Recreate
+ template:
+ metadata:
+ labels:
+ app: firefly
+ spec:
+ initContainers:
+ - name: wait-for-database
+ image: busybox:1.37.0
+ command:
+ - sh
+ - -c
+ - |
+ echo 'Waiting for PostgreSQL to become ready...'
+ until printf "." && nc -z -w 2 firefly-postgres-rw.firefly.svc.cluster.local 5432; do
+ sleep 2;
+ done;
+ echo 'PostgreSQL OK ✓'
+ securityContext:
+ allowPrivilegeEscalation: false
+ runAsUser: 1000
+ runAsGroup: 1000
+ runAsNonRoot: true
+ resources:
+ requests:
+ cpu: 10m
+ memory: 16Mi
+ limits:
+ cpu: 10m
+ memory: 16Mi
+ containers:
+ - name: firefly
+ image: fireflyiii/core:version-6.1.21
+ env:
+ - name: DB_CONNECTION
+ value: pgsql
+ - name: DB_HOST
+ value: firefly-postgres-rw.firefly.svc.cluster.local
+ - name: DB_PORT
+ value: "5432"
+ - name: DB_USERNAME
+ valueFrom:
+ secretKeyRef:
+ name: firefly-postgres-app
+ key: username
+ - name: DB_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: firefly-postgres-app
+ key: password
+ - name: DB_DATABASE
+ valueFrom:
+ secretKeyRef:
+ name: firefly-postgres-app
+ key: dbname
+ - name: TRUSTED_PROXIES
+ value: "*"
+ - name: AUTHENTICATION_GUARD
+ value: remote_user_guard
+ - name: AUTHENTICATION_GUARD_HEADER
+ value: HTTP_REMOTE_USER
+ envFrom:
+ - secretRef:
+ name: firefly
+ volumeMounts:
+ - name: firefly-uploads
+ mountPath: /var/www/html/storage/upload
+ ports:
+ - containerPort: 8080
+ # startupProbe:
+ # httpGet:
+ # path: /health
+ # port: 9000
+ # initialDelaySeconds: 30
+ # timeoutSeconds: 1
+ # failureThreshold: 60
+ # periodSeconds: 5
+ # livenessProbe:
+ # httpGet:
+ # path: /health/live
+ # port: 9000
+ # initialDelaySeconds: 0
+ # timeoutSeconds: 5
+ # readinessProbe:
+ # httpGet:
+ # path: /health/ready
+ # port: 9000
+ # initialDelaySeconds: 10
+ # timeoutSeconds: 1
+ restartPolicy: Always
+ automountServiceAccountToken: false
+ volumes:
+ - name: firefly-uploads
+ persistentVolumeClaim:
+ claimName: firefly-uploads
diff --git a/apps/firefly/firefly/ingress.yaml b/apps/firefly/firefly/ingress.yaml
new file mode 100644
index 000000000..db7ab50da
--- /dev/null
+++ b/apps/firefly/firefly/ingress.yaml
@@ -0,0 +1,28 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: firefly
+ namespace: firefly
+ annotations:
+ nginx.ingress.kubernetes.io/auth-url: "https://oauth2-proxy.${BASE_DOMAIN}/oauth2/auth"
+ nginx.ingress.kubernetes.io/auth-signin: "https://oauth2-proxy.${BASE_DOMAIN}/oauth2/start?rd=$scheme://$best_http_host$request_uri"
+ nginx.ingress.kubernetes.io/auth-response-headers: "x-auth-request-user, x-auth-request-email, x-auth-request-access-token"
+ nginx.ingress.kubernetes.io/configuration-snippet: |
+ auth_request_set $authHeader1 $upstream_http_x_auth_request_email;
+ proxy_set_header 'remote-user' $authHeader1;
+ cloudflare-operator.io/content: ${BASE_DOMAIN}
+ cloudflare-operator.io/type: CNAME
+spec:
+ ingressClassName: nginx
+ rules:
+ - host: firefly.${BASE_DOMAIN}
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: firefly
+ port:
+ number: 8080
diff --git a/apps/firefly/firefly/kustomization.yaml b/apps/firefly/firefly/kustomization.yaml
new file mode 100644
index 000000000..86ad93aab
--- /dev/null
+++ b/apps/firefly/firefly/kustomization.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - deployment.yaml
+ - ingress.yaml
+ - service.yaml
+ - secret.yaml
+ - persistentvolumeclaim.yaml
diff --git a/apps/firefly/firefly/persistentvolumeclaim.yaml b/apps/firefly/firefly/persistentvolumeclaim.yaml
new file mode 100644
index 000000000..e20a9b9d3
--- /dev/null
+++ b/apps/firefly/firefly/persistentvolumeclaim.yaml
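Review bot: With `AUTHENTICATION_GUARD: remote_user_guard` and `AUTHENTICATION_GUARD_HEADER: HTTP_REMOTE_USER`, the app signs in whoever the `Remote-User` request header names, and nothing in this hunk limits who can send that header: the ingress overwrites it with the oauth2-proxy email, but the ClusterIP Service on 8080 (service.yaml in this commit) is reachable from any pod, so a request that bypasses the ingress can present an arbitrary header, and `TRUSTED_PROXIES: "*"` extends the same trust to forwarded headers. A NetworkPolicy in the firefly namespace that admits port 8080 only from the ingress controller's namespace closes the gap (that namespace name is not in the patch; placeholder below), and the new file would be listed in apps/firefly/firefly/kustomization.yaml. Separately, the firefly container has no `securityContext` or `resources` while the init container has both — at least `allowPrivilegeEscalation: false` and a `resources` block would be consistent, if the image's entrypoint tolerates it — and with every probe commented out the Recreate rollout has no readiness signal.
```yaml
# new file apps/firefly/firefly/networkpolicy.yaml
---
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: firefly
  namespace: firefly
spec:
  podSelector:
    matchLabels:
      app: firefly
  policyTypes:
    - Ingress
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              # placeholder: namespace that runs the nginx ingress controller
              kubernetes.io/metadata.name: INGRESS_CONTROLLER_NAMESPACE
      ports:
        - port: 8080
          protocol: TCP
```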
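Review bot: `auth-response-headers` copies `x-auth-request-access-token` into every request proxied to Firefly, yet the only header the app consumes is `remote-user`, which the configuration-snippet derives from `x-auth-request-email`; the upstream OAuth access token therefore reaches a PHP application that has no use for it and may surface it in request logs or error pages. Trim the annotation to `nginx.ingress.kubernetes.io/auth-response-headers: "x-auth-request-user, x-auth-request-email"`. The spec also carries no `tls:` section; if TLS is not provided by a default certificate or terminated upstream of the ingress, the authenticated session rides plain HTTP between client and ingress — worth confirming, since only the cloudflare-operator CNAME annotations are visible here.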
@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: firefly-uploads
+ namespace: firefly
+spec:
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: nvme
+ resources:
+ requests:
+ storage: 100Mi
diff --git a/apps/firefly/firefly/secret.template b/apps/firefly/firefly/secret.template
new file mode 100644
index 000000000..b4136d8f6
--- /dev/null
+++ b/apps/firefly/firefly/secret.template
@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: firefly
+ namespace: firefly
+type: Opaque
+stringData:
+ APP_KEY:
diff --git a/apps/firefly/firefly/secret.yaml b/apps/firefly/firefly/secret.yaml
new file mode 100644
index 000000000..c0819b154
--- /dev/null
+++ b/apps/firefly/firefly/secret.yaml
@@ -0,0 +1,40 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: firefly
+ namespace: firefly
+type: Opaque
+stringData:
+ APP_KEY: ENC[AES256_GCM,data:7KsB6CgrjCKf8hxd/Qc/hHveGsne0/V5CR1Tfk/5FRk=,iv:zQrPE15qjXpz0rHoyCrANiTMopgrIOzbPcXnTGMQOXI=,tag:i1ueF9UnscVn5dRnIwUujw==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age: []
+ lastmodified: "2024-10-05T14:21:50Z"
+ mac: ENC[AES256_GCM,data:IL4R3HGSbIB7r+oQ6JGZYAacehZM8DUTW+VXeSb3BnApi5jlyp6jSBKdr5bIRwseU0ESVNSF9hBI07+t+qIs918uOTNHUeJ2GaEoU2pCXXyvFbX7Y9dc65a9NSz9ZaDU2PDeOylsMla8NGyCVFCptfsys3AU8eamQYuEp7dLew8=,iv:u7cSJdqaSz643Vko1ozHy+CSNuSMda2uWLwJ8QE9Y9A=,tag:TKZO2ylxq0NKqLXGdvlOIw==,type:str]
+ pgp:
+ - created_at: "2024-10-05T14:21:50Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMA8LTdrN3Uc5/AQ/9Gj3VzxZYbMgu63SC3GHsOnRWPJ66cj5ICUiblncrib78
+ 5x9d3ZncB9KWiAVveVAUdHe5lA9NXU8cZoq3yddY/OAHD/3xWOyO602Eu2V1EWBR
+ 1XRMB/xke7WROtCPogZYntpdmIivaUY9FeEd9cRg1sGXXYmW305lSqgs/s88dWWE
+ kBKQ5t3N1psbx//C8w2FS+8C/m/Mmei6F9XKvMsrRDCcj0OzaTYCz/dTPLta3+67
+ 5uRput5eQYSYeDbmAUV61MpcO/i3srtsjA/Sciw0mztQnaAnlCw1+vV6m0UNJ6vu
+ zf8yzcDJIN2JZrRHkDgDGwa2EFg8pxk8S2u18XPL6CjyuRRJFjd7TMbFSeICGplz
+ e98sBH/LEHHQfZ+Lwf1/3YcGvT4QA18dP5SggVK3IIWf0oXCZ8EQVXUSnn/2C3kP
+ oMGeOf98D3VVBk9MypLjHKK623zNK8SuOT1x+T48j1xWD4Czjp0il0UtGc11tnqP
+ mAv/BqkM58NWQdEgkZ9AosV3NXBNeqRcoc/0RO8aPZxLd/jz8Z6J7PbG4Mp6/Tjy
+ yCKit07ABwNvE7lHk2FIjz507aR67NEewHrtA7s55tXY+CSQCFsPDWYH+C/AeK9W
+ 12s92Kge2jeinJXqb0fioZZmz3OSKsuQSZoxm4MTVIun172faAXJdtrWCrFD+hjU
+ aAEJAhAZcw7eexi7S/f58QB7m5jw7djsqgvL8YjcbpTIXmbpS+djCVWQpiYAKKRA
+ 9LKDDDiNBTVHZemiaGY9RpeEttu0MkrWkii6dHLYDTgNMDPkDEaff0NkhQTcsErn
+ g9c39/bquLoi
+ =ADFM
+ -----END PGP MESSAGE-----
+ fp: 4988A3C9ED6515B2E192F0ABE42278AB326CB047
+ encrypted_regex: ^(data|stringData)$
+ version: 3.9.1
diff --git a/apps/firefly/firefly/service.yaml b/apps/firefly/firefly/service.yaml
new file mode 100644
index 000000000..1fbbb2ad5
--- /dev/null
+++ b/apps/firefly/firefly/service.yaml
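Review bot: This Secret and apps/firefly/postgres/secret.yaml are both encrypted to a single PGP recipient (`fp: 4988A3C9ED6515B2E192F0ABE42278AB326CB047`) with `age: []` and every other key group empty, so the committed `APP_KEY` and the MinIO credentials are recoverable only while that one private key exists. `APP_KEY` is the Laravel application key the deployment injects through `envFrom`, so losing it means regenerating it and invalidating whatever the application signed or encrypted with it; a second recipient (for example an age key kept for disaster recovery) declared in `.sops.yaml` and applied with `sops updatekeys` is the usual safeguard. `encrypted_regex: ^(data|stringData)$` leaves metadata in clear, which is fine for these files.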
@@ -0,0 +1,17 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: firefly
+ namespace: firefly
+spec:
+ ports:
+ - port: 8080
+ targetPort: 8080
+ selector:
+ app: firefly
+ ipFamilyPolicy: PreferDualStack
+ ipFamilies:
+ - IPv4
+ - IPv6
+ type: ClusterIP
diff --git a/apps/firefly/kustomization.yaml b/apps/firefly/kustomization.yaml
new file mode 100644
index 000000000..dea08d407
--- /dev/null
+++ b/apps/firefly/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - firefly
+ - postgres
diff --git a/apps/firefly/postgres/kustomization.yaml b/apps/firefly/postgres/kustomization.yaml
new file mode 100644
index 000000000..3d44a9dc8
--- /dev/null
+++ b/apps/firefly/postgres/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - postgres.yaml
+ - scheduledbackup.yaml
+ - secret.yaml
diff --git a/apps/firefly/postgres/postgres.yaml b/apps/firefly/postgres/postgres.yaml
new file mode 100644
index 000000000..da7b35a10
--- /dev/null
+++ b/apps/firefly/postgres/postgres.yaml
@@ -0,0 +1,32 @@
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+ name: firefly-postgres
+ namespace: firefly
+spec:
+ instances: 1
+ imageName: ghcr.io/cloudnative-pg/postgresql:16.4
+ storage:
+ size: 20Gi
+ bootstrap:
+ initdb:
+ database: firefly
+ backup:
+ barmanObjectStore:
+ destinationPath: s3://db-backups
+ endpointURL: http://minio.minio.svc.cluster.local:9000
+ s3Credentials:
+ accessKeyId:
+ name: db-backup
+ key: accessKey
+ secretAccessKey:
+ name: db-backup
+ key: secretKey
+ wal:
+ compression: gzip
+ data:
+ compression: gzip
+ retentionPolicy: 3d
+ monitoring:
+ enablePodMonitor: true
diff --git a/apps/firefly/postgres/scheduledbackup.yaml b/apps/firefly/postgres/scheduledbackup.yaml
new file mode 100644
index 000000000..11285e68d
--- /dev/null
+++ b/apps/firefly/postgres/scheduledbackup.yaml
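Review bot: `endpointURL: http://minio.minio.svc.cluster.local:9000` ships every base backup and WAL segment over plaintext HTTP, so a full copy of the finance database crosses the pod network unencrypted, and no at-rest encryption is requested on the object-store side either. If the MinIO service offers TLS, switch the scheme to `https://`; independently, CNPG's barmanObjectStore accepts `encryption: AES256` next to `compression: gzip` under both `wal:` and `data:` to request server-side encryption where MinIO is configured for it. `instances: 1` also means a node loss takes the only replica down — plausible for a small cluster, but worth a comment on that line so the trade-off is explicit.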
@@ -0,0 +1,10 @@
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: ScheduledBackup
+metadata:
+ name: firefly-postgres
+ namespace: firefly
+spec:
+ schedule: 0 0 2 * * SUN
+ cluster:
+ name: firefly-postgres
diff --git a/apps/firefly/postgres/secret.template b/apps/firefly/postgres/secret.template
new file mode 100644
index 000000000..13bdc5875
--- /dev/null
+++ b/apps/firefly/postgres/secret.template
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: db-backup
+ namespace: firefly
+type: Opaque
+stringData:
+ accessKey:
+ secretKey:
diff --git a/apps/firefly/postgres/secret.yaml b/apps/firefly/postgres/secret.yaml
new file mode 100644
index 000000000..6c36b99d1
--- /dev/null
+++ b/apps/firefly/postgres/secret.yaml
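Review bot: `schedule: 0 0 2 * * SUN` takes one base backup a week, while postgres.yaml sets `retentionPolicy: 3d`; with a three-day recovery window and a seven-day cadence, any restore replays up to a week of archived WAL on top of one base backup, and a freshly created cluster has no backup at all until the first Sunday. Adding `immediate: true` to the spec triggers a backup as soon as the ScheduledBackup is created, and a retention of at least `7d` (or a daily schedule) keeps more than one base backup inside the window. The cron string is the six-field form CNPG expects (seconds first), so 02:00 every Sunday is what this reads as — a one-line comment saying so would spare the next reader the check.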
@@ -0,0 +1,41 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: db-backup
+ namespace: firefly
+type: Opaque
+stringData:
+ accessKey: ENC[AES256_GCM,data:tVaQQhtwhnMGpA==,iv:5QqWllwzsC17o75JriqnC7cQtZzNQTjq6aUuXe2Fh50=,tag:Q2ksA5jldT1utDh/heDS2A==,type:str]
+ secretKey: ENC[AES256_GCM,data:vkM7YwZpjLzlyrNU7ZvR6HOZ+nS/iHCONI6+/emYFwvX1ONSXrlMhApK/bZrXiIMNHcWkYnvgxjY87bGP8GqBA==,iv:7zS6wTiyZjSvjEgjj+pc1hufOh/6/ntxLe4eWpx5+qw=,tag:pjDKjwZr6jSTWRiOkHfX+A==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age: []
+ lastmodified: "2024-10-05T14:10:16Z"
+ mac: ENC[AES256_GCM,data:BqTNoBI3CECFBwezlKf4UaPB3YX//9IAK7kMVvFI/sD21xrrp0XnMZrB2v0jEA8om5Dx5pMAtiIr05aJ8Up7uxD37njf3SPkFAV1cw+PoyjHZd8jLm3WgkujmslsWpNP1qXkZuiHTUuG4WW4Dt6pGiLpyuA7gMl+MnAl1BVsj74=,iv:Ay3Ex/mzbCHm7pzWSQNRG2yL4qVn5YkjRnzbgGvvMoE=,tag:qFreoOrDbVHBvPITgAM80g==,type:str]
+ pgp:
+ - created_at: "2024-10-05T14:10:16Z"
+ enc: |-
+ -----BEGIN PGP MESSAGE-----
+
+ hQIMA8LTdrN3Uc5/AQ//SxeMwoue34ho+UGfeL8AT9OYfhFL6Dp2fNNryeJ0pEQA
+ 1avLCYd6UTo9xxgBFkgOyWOgTDl+IEREoVj3XE9uEtCmoO4rOJmGbWHdhjZuVfD7
+ kfmuYBSiacms7+KzH86gTzBGh5Jz35EDlRVLTdN/dskTFTsadmeULQOjj5RALQbt
+ NMqEwh7n5EMlTGC3hWoZbQeG/Uv2el/LLzYO69ZpFg7K7zc1/rYaBWT/N+FoU9s0
+ UMdZvz9sK9EbvdQ/5we34Y+fN6t5GNW+X6rTOvBwZApQCJgocVE/eGJsbbkmszPx
+ YDNrE/4k79+2Ljr/hGirLcXdDXZBVho2cgMg/u3ra7IM3Q/kt9ZAFGLFDO/qBzoD
+ X46/KaEMRy/WEuo/OicTKGXXQ93SNnIfapNmyfRxn8N/VXbIdyRODWc4CjIz7Iw5
+ RO25yiYqu8TtXTBv3JD5+mi+TI/NW1aUjDkQnTMXWsI1CQACMaf6RPJK9uf+cH1s
+ NVZfnW2NmrESw5xOnBifFFwu4XGahedtZDWNCDDGaMaYUHJWQHggBLHlTB6jnpqB
+ +gTp48eww3EPTP7s9IUNSR3/Tb5e1Dr9UlYguREvtCV21fAjdlQ9ZN7TrLJcZGsm
+ Z8BcUI2CKkr1TVoi+kKePcG7TUu8b2fCvTFegwFrLaKGDTR3DSHxlItuSZb2i9rU
+ aAEJAhArj+DUYx9JKCUo8iIJBDld3qepPPp7vrTOsbZm0/zm7Q/q5N9KCnDx4NIE
+ 8K6+uOmzbOL4Ijt+60lkayDQKhAk8icd0BkwZsqD6zgrf+7qDXU7EmrRnQjyXkm0
+ KOND2oUsu62/
+ =o9/G
+ -----END PGP MESSAGE-----
+ fp: 4988A3C9ED6515B2E192F0ABE42278AB326CB047
+ encrypted_regex: ^(data|stringData)$
+ version: 3.9.1
diff --git a/apps/kustomization.yaml b/apps/kustomization.yaml
index accbfc240..f2c2e7587 100644
--- a/apps/kustomization.yaml
+++ b/apps/kustomization.yaml
@@ -2,6 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: + - firefly - nextcloud - gitlab - usenet
diff --git a/core/namespaces/firefly.yaml b/core/namespaces/firefly.yaml
new file mode 100644
index 000000000..a6e8f1c04
--- /dev/null
+++ b/core/namespaces/firefly.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: firefly
diff --git a/core/namespaces/kustomization.yaml b/core/namespaces/kustomization.yaml
index 75bf0459b..d0dc2d83c 100644
--- a/core/namespaces/kustomization.yaml
+++ b/core/namespaces/kustomization.yaml
@@ -19,5 +19,6 @@ resources: - cert-manager.yaml - teslamate.yaml - minio.yaml + - firefly.yaml - monitoring.yaml - cilium.yaml