Biohazard
feat(gotosocial): app-template v2, TLS off
--- kube/deploy/core/ingress/cloudflare/tunnel Kustomization: flux-system/1-core-ingress-cloudflare-tunnel HelmRelease: cloudflare/cloudflared
+++ kube/deploy/core/ingress/cloudflare/tunnel Kustomization: flux-system/1-core-ingress-cloudflare-tunnel HelmRelease: cloudflare/cloudflared
@@ -54,15 +54,14 @@
data:
config.yaml: "tunnel: \"${SECRET_CLOUDFLARE_TUNNEL_ID}\"\ncredentials-file:\
\ /etc/cloudflared/credentials.json\nno-autoupdate: true\n\ningress:\n\
\ - hostname: \"cftest.${DNS_SHORT}\"\n service: hello_world\n\n \
\ - hostname: \"*\"\n path: \"^/metrics\"\n service: http://default-backend.ingress.svc.cluster.local:80\n\
\ \n - hostname: \"${APP_DNS_FLUX_WEBHOOK}\"\n service: \"http://webhook-receiver.flux-system.svc.cluster.local:80\"\
- \n \n - hostname: \"social.jjgadgets.tech\"\n service: https://gotosocial.gotosocial.svc.cluster.local.:8080\n\
- \ originRequest:\n originServerName: \"social.jjgadgets.tech\"\
- \n \n - hostname: \"${APP_DNS_HEADSCALE}\"\n service: https://headscale.headscale.svc.cluster.local.:8080\n\
+ \n \n - hostname: \"social.jjgadgets.tech\"\n service: http://gotosocial.gotosocial.svc.cluster.local.:8080\n\
+ \ \n - hostname: \"${APP_DNS_HEADSCALE}\"\n service: https://headscale.headscale.svc.cluster.local.:8080\n\
\ originRequest:\n originServerName: \"${APP_DNS_HEADSCALE}\"\n\
\ \n - hostname: \"*.${DNS_SHORT}\"\n service: https://nginx-external-controller.ingress.svc.cluster.local:443\n\
\ originRequest:\n originServerName: \"ingress.${DNS_SHORT}\"\n\
\ \n - hostname: \"${DNS_SHORT}\"\n service: https://nginx-public-controller.ingress.svc.cluster.local:443\n\
\ originRequest:\n originServerName: \"${DNS_SHORT}\"\n \n -\
\ hostname: \"${APP_DNS_AUTHENTIK}\"\n service: https://nginx-external-controller.ingress.svc.cluster.local:443\n\
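Review bot: Switching the social.jjgadgets.tech origin to `service: http://gotosocial.gotosocial.svc.cluster.local.:8080` and dropping its originRequest block leaves the cloudflared-to-GoToSocial hop unencrypted inside the cluster; Cloudflare still terminates TLS at the edge, but unless pod-to-pod traffic is encrypted by the CNI this leg now crosses node links in clear. GoToSocial also has to learn the client scheme from X-Forwarded-Proto on this hop, which only works because GTS_TRUSTED_PROXIES covers the pod CIDR cloudflared runs in, so that setting and the ingress.home.arpa/cloudflare label gating carry more weight than before. The same change is rendered again in the cloudflare/cloudflared-config ConfigMap hunk near the bottom of the page.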
--- kube/deploy/apps/gotosocial/app Kustomization: flux-system/gotosocial-app PersistentVolume: flux-system/gotosocial-nas-media
+++ kube/deploy/apps/gotosocial/app Kustomization: flux-system/gotosocial-app PersistentVolume: flux-system/gotosocial-nas-media
@@ -1,31 +0,0 @@
----
-apiVersion: v1
-kind: PersistentVolume
-metadata:
- labels:
- kustomize.toolkit.fluxcd.io/name: gotosocial-app
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: gotosocial-nas-media
-spec:
- accessModes:
- - ReadWriteMany
- capacity:
- storage: 1Mi
- mountOptions:
- - nfsvers=4.2
- - tcp
- - intr
- - soft
- - noatime
- - nodiratime
- - nocto
- - nconnect=8
- - rsize=131072
- - wsize=131072
- - local_lock=posix
- nfs:
- path: ${PATH_NAS_PERSIST_K8S}/gotosocial-media
- server: ${IP_TRUENAS}
- persistentVolumeReclaimPolicy: Retain
- storageClassName: gotosocial-nas-media
-
--- kube/deploy/apps/gotosocial/app Kustomization: flux-system/gotosocial-app PersistentVolumeClaim: gotosocial/gotosocial-nas-media
+++ kube/deploy/apps/gotosocial/app Kustomization: flux-system/gotosocial-app PersistentVolumeClaim: gotosocial/gotosocial-nas-media
@@ -1,17 +0,0 @@
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
- labels:
- kustomize.toolkit.fluxcd.io/name: gotosocial-app
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: gotosocial-nas-media
- namespace: gotosocial
-spec:
- accessModes:
- - ReadWriteMany
- resources:
- requests:
- storage: 1Mi
- storageClassName: gotosocial-nas-media
-
--- kube/deploy/apps/gotosocial/app Kustomization: flux-system/gotosocial-app HelmRelease: gotosocial/gotosocial
+++ kube/deploy/apps/gotosocial/app Kustomization: flux-system/gotosocial-app HelmRelease: gotosocial/gotosocial
@@ -1,24 +1,26 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
labels:
+ app.kubernetes.io/name: gotosocial
kustomize.toolkit.fluxcd.io/name: gotosocial-app
kustomize.toolkit.fluxcd.io/namespace: flux-system
+ wait.flux.home.arpa/disabled: 'true'
name: gotosocial
namespace: gotosocial
spec:
chart:
spec:
chart: app-template
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
- version: 1.5.1
+ version: 2.5.0
driftDetection:
ignore:
- paths:
- /spec/replicas
mode: warn
install:
@@ -38,170 +40,159 @@
cleanupOnFail: true
crds: CreateReplace
remediation:
retries: 5
strategy: uninstall
values:
- automountServiceAccountToken: false
- controller:
- replicas: 1
- type: deployment
- env:
- GTS_ACCOUNT_DOMAIN: jjgadgets.tech
- GTS_ACCOUNTS_REGISTRATION_OPEN: 'false'
- GTS_APPLICATION_NAME: The JJGadgets Hut
- GTS_DB_ADDRESS:
- valueFrom:
- secretKeyRef:
- key: pgbouncer-host
- name: pg-gotosocial-pguser-gotosocial
- GTS_DB_DATABASE:
- valueFrom:
- secretKeyRef:
- key: dbname
- name: pg-gotosocial-pguser-gotosocial
- GTS_DB_PASSWORD:
- valueFrom:
- secretKeyRef:
- key: password
- name: pg-gotosocial-pguser-gotosocial
- GTS_DB_TLS_MODE: enable
- GTS_DB_TYPE: postgres
- GTS_DB_USER:
- valueFrom:
- secretKeyRef:
- key: user
- name: pg-gotosocial-pguser-gotosocial
- GTS_HOST: social.jjgadgets.tech
- GTS_LANDING_PAGE_USER: jj
- GTS_METRICS_ENABLED: 'true'
- GTS_PORT: '8080'
- GTS_PROTOCOL: https
- GTS_STORAGE_BACKEND: s3
- GTS_STORAGE_S3_ACCESS_KEY:
- valueFrom:
- secretKeyRef:
- key: AWS_ACCESS_KEY_ID
- name: gotosocial-media-s3
- GTS_STORAGE_S3_BUCKET: gotosocial-media
- GTS_STORAGE_S3_ENDPOINT: rook-ceph-rgw-${CLUSTER_NAME}.rook-ceph.svc.cluster.local.:6953
- GTS_STORAGE_S3_PROXY: 'true'
- GTS_STORAGE_S3_SECRET_KEY:
- valueFrom:
- secretKeyRef:
- key: AWS_SECRET_ACCESS_KEY
- name: gotosocial-media-s3
- GTS_STORAGE_S3_USE_SSL: 'false'
- GTS_TLS_CERTIFICATE_CHAIN: /tls/fullchain.pem
- GTS_TLS_CERTIFICATE_KEY: /tls/privkey.pem
- GTS_TRUSTED_PROXIES: ${IP_POD_CIDR_V4}
- TZ: ${CONFIG_TZ}
- envFrom:
- - secretRef:
- name: gotosocial-oidc
- global:
- fullnameOverride: gotosocial
- image:
- repository: registry.jjgadgets.tech/jjgadgets/gotosocial
- tag: 0.13.2@sha256:3de7c10da1eb45724aa552fe50239ac396a918dc09614881925826e43feb2a32
+ controllers:
+ main:
+ containers:
+ main:
+ env:
+ GTS_ACCOUNT_DOMAIN: jjgadgets.tech
+ GTS_ACCOUNTS_REGISTRATION_OPEN: 'false'
+ GTS_APPLICATION_NAME: The JJGadgets Hut
+ GTS_DB_ADDRESS:
+ valueFrom:
+ secretKeyRef:
+ key: pgbouncer-host
+ name: pg-gotosocial-pguser-gotosocial
+ GTS_DB_DATABASE:
+ valueFrom:
+ secretKeyRef:
+ key: dbname
+ name: pg-gotosocial-pguser-gotosocial
+ GTS_DB_PASSWORD:
+ valueFrom:
+ secretKeyRef:
+ key: password
+ name: pg-gotosocial-pguser-gotosocial
+ GTS_DB_TLS_MODE: enable
+ GTS_DB_TYPE: postgres
+ GTS_DB_USER:
+ valueFrom:
+ secretKeyRef:
+ key: user
+ name: pg-gotosocial-pguser-gotosocial
+ GTS_HOST: social.jjgadgets.tech
+ GTS_LANDING_PAGE_USER: jj
+ GTS_METRICS_ENABLED: 'true'
+ GTS_OIDC_CLIENT_ID:
+ valueFrom:
+ secretKeyRef:
+ key: GTS_OIDC_CLIENT_ID
+ name: gotosocial-secrets
+ GTS_OIDC_CLIENT_SECRET:
+ valueFrom:
+ secretKeyRef:
+ key: GTS_OIDC_CLIENT_SECRET
+ name: gotosocial-secrets
+ GTS_OIDC_ENABLED: 'true'
+ GTS_OIDC_IDP_NAME: JJGadgets Auth
+ GTS_OIDC_ISSUER:
+ valueFrom:
+ secretKeyRef:
+ key: GTS_OIDC_ISSUER
+ name: gotosocial-secrets
+ GTS_PORT: '8080'
+ GTS_PROTOCOL: http
+ GTS_STORAGE_BACKEND: s3
+ GTS_STORAGE_S3_ACCESS_KEY:
+ valueFrom:
+ secretKeyRef:
+ key: AWS_ACCESS_KEY_ID
+ name: gotosocial-media-s3
+ GTS_STORAGE_S3_BUCKET: gotosocial-media
+ GTS_STORAGE_S3_ENDPOINT: rook-ceph-rgw-${CLUSTER_NAME}.rook-ceph.svc.cluster.local.:6953
+ GTS_STORAGE_S3_PROXY: 'true'
+ GTS_STORAGE_S3_SECRET_KEY:
+ valueFrom:
+ secretKeyRef:
+ key: AWS_SECRET_ACCESS_KEY
+ name: gotosocial-media-s3
+ GTS_STORAGE_S3_USE_SSL: 'false'
+ GTS_TRUSTED_PROXIES: ${IP_POD_CIDR_V4}
+ TZ: ${CONFIG_TZ}
+ image:
+ repository: jank.ing/jjgadgets/gotosocial
+ tag: 0.13.2@sha256:3de7c10da1eb45724aa552fe50239ac396a918dc09614881925826e43feb2a32
+ resources:
+ limits:
+ cpu: 3000m
+ memory: 1.5Gi
+ requests:
+ cpu: 10m
+ memory: 512Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ pod:
+ labels:
+ authentik.home.arpa/https: allow
+ db.home.arpa/pg: pg-gotosocial
+ egress.home.arpa/internet: allow
+ ingress.home.arpa/cloudflare: allow
+ ingress.home.arpa/nginx-internal: allow
+ prom.home.arpa/kps: allow
+ s3.home.arpa/store: rgw-${CLUSTER_NAME}
+ replicas: 1
+ type: deployment
+ defaultPodOptions:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: fuckoff.home.arpa/gotosocial
+ operator: DoesNotExist
+ automountServiceAccountToken: false
+ enableServiceLinks: false
+ hostAliases:
+ - hostnames:
+ - ${APP_DNS_AUTHENTIK}
+ ip: ${APP_IP_AUTHENTIK}
+ securityContext:
+ fsGroup: 568
+ fsGroupChangePolicy: Always
+ runAsGroup: 568
+ runAsNonRoot: true
+ runAsUser: 568
+ seccompProfile:
+ type: RuntimeDefault
+ topologySpreadConstraints:
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: gotosocial
+ maxSkew: 1
+ topologyKey: kubernetes.io/hostname
+ whenUnsatisfiable: DoNotSchedule
ingress:
main:
annotations:
external-dns.alpha.kubernetes.io/cloudflare-proxied: 'true'
external-dns.alpha.kubernetes.io/target: ${SECRET_CLOUDFLARE_TUNNEL_ID}.cfargotunnel.com
- nginx.ingress.kubernetes.io/backend-protocol: HTTPS
- nginx.ingress.kubernetes.io/server-snippet: |
- proxy_ssl_name social.jjgadgets.tech;
- proxy_ssl_server_name on;
+ className: nginx-public
enabled: true
hosts:
- host: social.jjgadgets.tech
paths:
- path: /
pathType: Prefix
- ingressClassName: nginx-internal
+ service:
+ name: main
+ port: http
primary: true
tls:
- hosts:
- social.jjgadgets.tech
- secretName: gotosocial-tls
- persistence:
- config:
- enabled: false
- tls-fullchain:
- enabled: true
- mountPath: /tls/fullchain.pem
- name: gotosocial-tls
- readOnly: true
- subPath: tls.crt
- type: secret
- tls-privkey:
- enabled: true
- mountPath: /tls/privkey.pem
- name: gotosocial-tls
- readOnly: true
- subPath: tls.key
- type: secret
- podLabels:
- db.home.arpa/pg: pg-gotosocial
- egress.home.arpa/nginx-external: allow
- egress.home.arpa/world: allow
- ingress.home.arpa/cloudflare: allow
- ingress.home.arpa/nginx-internal: allow
- prom.home.arpa/kps: allow
- s3.home.arpa/store: rgw-${CLUSTER_NAME}
- podSecurityContext:
- fsGroup: 568
- fsGroupChangePolicy: Always
- runAsGroup: 568
- runAsUser: 568
- probes:
- liveness:
- custom: true
- spec:
- httpGet:
- httpHeaders:
- - name: Host
- value: social.jjgadgets.tech
- path: /api/v2/instance
- port: 8080
- scheme: HTTPS
- periodSeconds: 60
- readiness:
- custom: true
- spec:
- httpGet:
- httpHeaders:
- - name: Host
- value: social.jjgadgets.tech
- path: /api/v2/instance
- port: 8080
- scheme: HTTPS
- periodSeconds: 60
- startup:
- custom: true
- spec:
- failureThreshold: 300
- httpGet:
- httpHeaders:
- - name: Host
- value: social.jjgadgets.tech
- path: /api/v2/instance
- port: 8080
- scheme: HTTPS
- periodSeconds: 1
- resources:
- limits:
- memory: 1536Mi
[Diff truncated by flux-local]
--- kube/deploy/apps/gotosocial/app Kustomization: flux-system/gotosocial-app ObjectBucketClaim: gotosocial/gotosocial-media-s3
+++ kube/deploy/apps/gotosocial/app Kustomization: flux-system/gotosocial-app ObjectBucketClaim: gotosocial/gotosocial-media-s3
@@ -1,13 +1,16 @@
---
apiVersion: objectbucket.io/v1alpha1
kind: ObjectBucketClaim
metadata:
labels:
+ app.kubernetes.io/name: gotosocial
kustomize.toolkit.fluxcd.io/name: gotosocial-app
kustomize.toolkit.fluxcd.io/namespace: flux-system
+ kustomize.toolkit.fluxcd.io/prune: Disabled
+ wait.flux.home.arpa/disabled: 'true'
name: gotosocial-media-s3
namespace: gotosocial
spec:
bucketName: gotosocial-media
storageClassName: rgw-${CLUSTER_NAME}
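Review bot: The new label `kustomize.toolkit.fluxcd.io/prune: Disabled` is spelled with a capital here but as `kustomize.toolkit.fluxcd.io/prune: disabled` on the gotosocial Namespace hunk in the same commit; Flux compares these values case-insensitively as far as I recall, but one spelling across the repo avoids grep misses and a surprise if that ever changes. The existing pg-gotosocial-s3 claim already uses `Disabled`, so that is probably the spelling to keep.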
--- kube/deploy/apps/gotosocial/app Kustomization: flux-system/gotosocial-app Certificate: gotosocial/gotosocial
+++ kube/deploy/apps/gotosocial/app Kustomization: flux-system/gotosocial-app Certificate: gotosocial/gotosocial
@@ -1,21 +0,0 @@
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
- labels:
- kustomize.toolkit.fluxcd.io/name: gotosocial-app
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: gotosocial
- namespace: gotosocial
-spec:
- commonName: social.jjgadgets.tech
- dnsNames:
- - social.jjgadgets.tech
- issuerRef:
- kind: ClusterIssuer
- name: letsencrypt-production
- privateKey:
- algorithm: ECDSA
- size: 384
- secretName: gotosocial-tls
-
--- kube/deploy/apps/gotosocial/app Kustomization: flux-system/gotosocial-app ExternalSecret: gotosocial/gotosocial-secrets
+++ kube/deploy/apps/gotosocial/app Kustomization: flux-system/gotosocial-app ExternalSecret: gotosocial/gotosocial-secrets
@@ -0,0 +1,23 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ labels:
+ app.kubernetes.io/name: gotosocial
+ kustomize.toolkit.fluxcd.io/name: gotosocial-app
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ wait.flux.home.arpa/disabled: 'true'
+ name: gotosocial-secrets
+ namespace: gotosocial
+spec:
+ dataFrom:
+ - extract:
+ key: GoToSocial (${CLUSTER_NAME})
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: 1p
+ target:
+ creationPolicy: Owner
+ deletionPolicy: Retain
+ name: gotosocial-secrets
+
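Review bot: `dataFrom: - extract:` copies every field of the 1Password item `GoToSocial (${CLUSTER_NAME})` into the gotosocial-secrets Secret, while the Deployment only reads GTS_OIDC_CLIENT_ID, GTS_OIDC_CLIENT_SECRET and GTS_OIDC_ISSUER from it; any other field on that item (notes, URLs, retired credentials) becomes readable by anything that can read the Secret. Unless the item is curated to exactly those three keys, an explicit `data:` list with one `remoteRef.property` per consumed key keeps the Secret to what the pod needs. Moving from the old gotosocial-oidc secret injected whole via envFrom to per-key secretKeyRef is already the right direction.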
--- kube/clusters/biohazard/flux Kustomization: flux-system/0-biohazard-config Namespace: flux-system/gotosocial
+++ kube/clusters/biohazard/flux Kustomization: flux-system/0-biohazard-config Namespace: flux-system/gotosocial
@@ -2,8 +2,12 @@
apiVersion: v1
kind: Namespace
metadata:
labels:
kustomize.toolkit.fluxcd.io/name: 0-biohazard-config
kustomize.toolkit.fluxcd.io/namespace: flux-system
+ kustomize.toolkit.fluxcd.io/prune: disabled
+ pod-security.kubernetes.io/audit: restricted
+ pod-security.kubernetes.io/enforce: restricted
+ pod-security.kubernetes.io/warn: restricted
name: gotosocial
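Review bot: `pod-security.kubernetes.io/enforce: restricted` applies to every pod in the gotosocial namespace, not only to the GoToSocial Deployment this commit hardens: the pg-gotosocial PostgresCluster and the pg-gotosocial-gotosocial-dump-local CronJob are also created in this namespace (their hunks on this page only touch labels) and their pod specs are not visible here. If those operator-managed pods do not already set runAsNonRoot, a RuntimeDefault seccompProfile and drop ALL capabilities, enforcement rejects them on their next rollout while the currently running pods stay up, which is easy to miss. Unless those specs have been checked, consider `pod-security.kubernetes.io/enforce: baseline` with warn/audit at restricted first and raising enforce once the audit annotations are clean.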
--- kube/clusters/biohazard/flux Kustomization: flux-system/0-biohazard-config Kustomization: flux-system/gotosocial-app
+++ kube/clusters/biohazard/flux Kustomization: flux-system/0-biohazard-config Kustomization: flux-system/gotosocial-app
@@ -1,22 +1,28 @@
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
labels:
+ app.kubernetes.io/name: gotosocial
kustomize.toolkit.fluxcd.io/name: 0-biohazard-config
kustomize.toolkit.fluxcd.io/namespace: flux-system
wait.flux.home.arpa/disabled: 'true'
name: gotosocial-app
namespace: flux-system
spec:
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: gotosocial
+ wait.flux.home.arpa/disabled: 'true'
decryption:
provider: sops
secretRef:
name: biohazard-secrets-decrypt-sops-age
dependsOn:
+ - name: gotosocial-db
- name: 0-biohazard-config
- name: 1-core-1-networking-cilium-app
- name: 1-core-kyverno-crds
- name: 1-core-monitoring-prom-crds
- name: zzz-flux-repos-helm
interval: 5m0s
@@ -190,9 +196,10 @@
name: biohazard-secrets
optional: false
prune: false
sourceRef:
kind: GitRepository
name: flux-system
+ targetNamespace: gotosocial
timeout: 10m0s
wait: false
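Review bot: This Kustomization keeps `prune: false` (the context line above `sourceRef`), so none of the removals in this commit are carried out on the cluster: the Certificate gotosocial, the gotosocial-nas-media PersistentVolume and PersistentVolumeClaim, and the gotosocial-tls Secret that cert-manager keeps renewing for that Certificate are all left behind. If that is intended, the orphans need a one-off delete; otherwise they keep consuming a Let's Encrypt certificate and an NFS export after the app stopped using them. The `targetNamespace: gotosocial` added here does not change that, as far as this diff shows.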
--- kube/clusters/biohazard/flux Kustomization: flux-system/0-biohazard-config Kustomization: flux-system/gotosocial-db
+++ kube/clusters/biohazard/flux Kustomization: flux-system/0-biohazard-config Kustomization: flux-system/gotosocial-db
@@ -1,16 +1,22 @@
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
labels:
+ app.kubernetes.io/name: gotosocial
+ db.home.arpa/pg: pg-gotosocial
kustomize.toolkit.fluxcd.io/name: 0-biohazard-config
kustomize.toolkit.fluxcd.io/namespace: flux-system
name: gotosocial-db
namespace: flux-system
spec:
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: gotosocial
+ db.home.arpa/pg: pg-gotosocial
decryption:
provider: sops
secretRef:
name: biohazard-secrets-decrypt-sops-age
dependsOn:
- name: 1-core-db-pg-app
@@ -201,9 +207,10 @@
name: biohazard-secrets
optional: false
prune: false
sourceRef:
kind: GitRepository
name: flux-system
+ targetNamespace: gotosocial
timeout: 10m0s
wait: true
--- kube/deploy/core/db/pg/clusters/template Kustomization: flux-system/gotosocial-db ObjectBucketClaim: gotosocial/pg-gotosocial-s3
+++ kube/deploy/core/db/pg/clusters/template Kustomization: flux-system/gotosocial-db ObjectBucketClaim: gotosocial/pg-gotosocial-s3
@@ -1,11 +1,13 @@
---
apiVersion: objectbucket.io/v1alpha1
kind: ObjectBucketClaim
metadata:
labels:
+ app.kubernetes.io/name: gotosocial
+ db.home.arpa/pg: pg-gotosocial
kustomize.toolkit.fluxcd.io/name: gotosocial-db
kustomize.toolkit.fluxcd.io/namespace: flux-system
kustomize.toolkit.fluxcd.io/prune: Disabled
name: pg-gotosocial-s3
namespace: gotosocial
spec:
--- kube/deploy/core/db/pg/clusters/template Kustomization: flux-system/gotosocial-db Role: gotosocial/external-secrets-kubernetes-provider
+++ kube/deploy/core/db/pg/clusters/template Kustomization: flux-system/gotosocial-db Role: gotosocial/external-secrets-kubernetes-provider
@@ -1,11 +1,13 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
+ app.kubernetes.io/name: gotosocial
+ db.home.arpa/pg: pg-gotosocial
kustomize.toolkit.fluxcd.io/name: gotosocial-db
kustomize.toolkit.fluxcd.io/namespace: flux-system
name: external-secrets-kubernetes-provider
namespace: gotosocial
rules:
- apiGroups:
--- kube/deploy/core/db/pg/clusters/template Kustomization: flux-system/gotosocial-db RoleBinding: gotosocial/external-secrets-kubernetes-provider
+++ kube/deploy/core/db/pg/clusters/template Kustomization: flux-system/gotosocial-db RoleBinding: gotosocial/external-secrets-kubernetes-provider
@@ -1,17 +1,20 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
+ app.kubernetes.io/name: gotosocial
+ db.home.arpa/pg: pg-gotosocial
kustomize.toolkit.fluxcd.io/name: gotosocial-db
kustomize.toolkit.fluxcd.io/namespace: flux-system
name: external-secrets-kubernetes-provider
namespace: gotosocial
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: external-secrets-kubernetes-provider
subjects:
- kind: ServiceAccount
name: external-secrets-kubernetes-provider
+ namespace: gotosocial
--- kube/deploy/core/db/pg/clusters/template Kustomization: flux-system/gotosocial-db ServiceAccount: gotosocial/external-secrets-kubernetes-provider
+++ kube/deploy/core/db/pg/clusters/template Kustomization: flux-system/gotosocial-db ServiceAccount: gotosocial/external-secrets-kubernetes-provider
@@ -1,10 +1,12 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
+ app.kubernetes.io/name: gotosocial
+ db.home.arpa/pg: pg-gotosocial
kustomize.toolkit.fluxcd.io/name: gotosocial-db
kustomize.toolkit.fluxcd.io/namespace: flux-system
name: external-secrets-kubernetes-provider
namespace: gotosocial
--- kube/deploy/core/db/pg/clusters/template Kustomization: flux-system/gotosocial-db SecretStore: gotosocial/kubernetes-gotosocial
+++ kube/deploy/core/db/pg/clusters/template Kustomization: flux-system/gotosocial-db SecretStore: gotosocial/kubernetes-gotosocial
@@ -1,11 +1,13 @@
---
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
labels:
+ app.kubernetes.io/name: gotosocial
+ db.home.arpa/pg: pg-gotosocial
kustomize.toolkit.fluxcd.io/name: gotosocial-db
kustomize.toolkit.fluxcd.io/namespace: flux-system
name: kubernetes-gotosocial
namespace: gotosocial
spec:
provider:
--- kube/deploy/core/db/pg/clusters/template Kustomization: flux-system/gotosocial-db ExternalSecret: gotosocial/pg-gotosocial-s3
+++ kube/deploy/core/db/pg/clusters/template Kustomization: flux-system/gotosocial-db ExternalSecret: gotosocial/pg-gotosocial-s3
@@ -1,11 +1,13 @@
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
labels:
+ app.kubernetes.io/name: gotosocial
+ db.home.arpa/pg: pg-gotosocial
kustomize.toolkit.fluxcd.io/name: gotosocial-db
kustomize.toolkit.fluxcd.io/namespace: flux-system
name: pg-gotosocial-s3
namespace: gotosocial
spec:
data:
--- kube/deploy/core/db/pg/clusters/template Kustomization: flux-system/gotosocial-db PersistentVolume: flux-system/pg-gotosocial-wal-nfs
+++ kube/deploy/core/db/pg/clusters/template Kustomization: flux-system/gotosocial-db PersistentVolume: flux-system/pg-gotosocial-wal-nfs
@@ -1,11 +1,13 @@
---
apiVersion: v1
kind: PersistentVolume
metadata:
labels:
+ app.kubernetes.io/name: gotosocial
+ db.home.arpa/pg: pg-gotosocial
kustomize.toolkit.fluxcd.io/force: Enabled
kustomize.toolkit.fluxcd.io/name: gotosocial-db
kustomize.toolkit.fluxcd.io/namespace: flux-system
name: pg-gotosocial-wal-nfs
spec:
accessModes:
--- kube/deploy/core/db/pg/clusters/template Kustomization: flux-system/gotosocial-db CiliumClusterwideNetworkPolicy: flux-system/apps-to-pg-gotosocial
+++ kube/deploy/core/db/pg/clusters/template Kustomization: flux-system/gotosocial-db CiliumClusterwideNetworkPolicy: flux-system/apps-to-pg-gotosocial
@@ -1,41 +0,0 @@
----
-apiVersion: cilium.io/v2
-kind: CiliumClusterwideNetworkPolicy
-metadata:
- labels:
- kustomize.toolkit.fluxcd.io/name: gotosocial-db
- kustomize.toolkit.fluxcd.io/namespace: flux-system
- name: apps-to-pg-gotosocial
-spec:
- egress:
- - toEndpoints:
- - matchExpressions:
- - key: io.kubernetes.pod.namespace
- operator: Exists
- matchLabels:
- cnpg.io/cluster: pg-gotosocial
- - matchExpressions:
- - key: io.kubernetes.pod.namespace
- operator: Exists
- matchLabels:
- postgres-operator.crunchydata.com/cluster: pg-gotosocial
- toPorts:
- - ports:
- - port: '5432'
- - icmps:
- - {}
- toEndpoints:
- - matchExpressions:
- - key: io.kubernetes.pod.namespace
- operator: Exists
- matchLabels:
- cnpg.io/cluster: pg-gotosocial
- - matchExpressions:
- - key: io.kubernetes.pod.namespace
- operator: Exists
- matchLabels:
- postgres-operator.crunchydata.com/cluster: pg-gotosocial
- endpointSelector:
- matchLabels:
- db.home.arpa/pg: pg-gotosocial
-
--- kube/deploy/core/db/pg/clusters/template Kustomization: flux-system/gotosocial-db CiliumNetworkPolicy: gotosocial/pg-gotosocial
+++ kube/deploy/core/db/pg/clusters/template Kustomization: flux-system/gotosocial-db CiliumNetworkPolicy: gotosocial/pg-gotosocial
@@ -1,11 +1,13 @@
---
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
labels:
+ app.kubernetes.io/name: gotosocial
+ db.home.arpa/pg: pg-gotosocial
kustomize.toolkit.fluxcd.io/name: gotosocial-db
kustomize.toolkit.fluxcd.io/namespace: flux-system
name: pg-gotosocial
namespace: gotosocial
spec:
egress:
--- kube/deploy/core/db/pg/clusters/template Kustomization: flux-system/gotosocial-db PostgresCluster: gotosocial/pg-gotosocial
+++ kube/deploy/core/db/pg/clusters/template Kustomization: flux-system/gotosocial-db PostgresCluster: gotosocial/pg-gotosocial
@@ -1,11 +1,13 @@
---
apiVersion: postgres-operator.crunchydata.com/v1beta1
kind: PostgresCluster
metadata:
labels:
+ app.kubernetes.io/name: gotosocial
+ db.home.arpa/pg: pg-gotosocial
kustomize.toolkit.fluxcd.io/name: gotosocial-db
kustomize.toolkit.fluxcd.io/namespace: flux-system
name: pg-gotosocial
namespace: gotosocial
spec:
backups:
--- kube/deploy/core/db/pg/clusters/template Kustomization: flux-system/gotosocial-db CronJob: gotosocial/pg-gotosocial-gotosocial-dump-local
+++ kube/deploy/core/db/pg/clusters/template Kustomization: flux-system/gotosocial-db CronJob: gotosocial/pg-gotosocial-gotosocial-dump-local
@@ -1,13 +1,14 @@
---
apiVersion: batch/v1
kind: CronJob
metadata:
labels:
app.kubernetes.io/instance: pg-gotosocial
- app.kubernetes.io/name: pg-dump-local
+ app.kubernetes.io/name: gotosocial
+ db.home.arpa/pg: pg-gotosocial
kustomize.toolkit.fluxcd.io/force: Enabled
kustomize.toolkit.fluxcd.io/name: gotosocial-db
kustomize.toolkit.fluxcd.io/namespace: flux-system
postgresql: pg-gotosocial
name: pg-gotosocial-gotosocial-dump-local
namespace: gotosocial
--- kube/deploy/core/db/pg/clusters/template Kustomization: flux-system/gotosocial-db PersistentVolume: flux-system/pg-gotosocial-gotosocial-dump-local
+++ kube/deploy/core/db/pg/clusters/template Kustomization: flux-system/gotosocial-db PersistentVolume: flux-system/pg-gotosocial-gotosocial-dump-local
@@ -1,11 +1,13 @@
---
apiVersion: v1
kind: PersistentVolume
metadata:
labels:
+ app.kubernetes.io/name: gotosocial
+ db.home.arpa/pg: pg-gotosocial
kustomize.toolkit.fluxcd.io/force: Enabled
kustomize.toolkit.fluxcd.io/name: gotosocial-db
kustomize.toolkit.fluxcd.io/namespace: flux-system
name: pg-gotosocial-gotosocial-dump-local
spec:
accessModes:
--- kube/deploy/core/db/pg/clusters/template Kustomization: flux-system/gotosocial-db PersistentVolumeClaim: gotosocial/pg-gotosocial-gotosocial-dump-local
+++ kube/deploy/core/db/pg/clusters/template Kustomization: flux-system/gotosocial-db PersistentVolumeClaim: gotosocial/pg-gotosocial-gotosocial-dump-local
@@ -1,11 +1,13 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
labels:
+ app.kubernetes.io/name: gotosocial
+ db.home.arpa/pg: pg-gotosocial
kustomize.toolkit.fluxcd.io/force: Enabled
kustomize.toolkit.fluxcd.io/name: gotosocial-db
kustomize.toolkit.fluxcd.io/namespace: flux-system
name: pg-gotosocial-gotosocial-dump-local
namespace: gotosocial
spec:
--- kube/deploy/core/db/pg/clusters/template Kustomization: flux-system/gotosocial-db CiliumClusterwideNetworkPolicy: gotosocial/apps-to-pg-gotosocial
+++ kube/deploy/core/db/pg/clusters/template Kustomization: flux-system/gotosocial-db CiliumClusterwideNetworkPolicy: gotosocial/apps-to-pg-gotosocial
@@ -0,0 +1,44 @@
+---
+apiVersion: cilium.io/v2
+kind: CiliumClusterwideNetworkPolicy
+metadata:
+ labels:
+ app.kubernetes.io/name: gotosocial
+ db.home.arpa/pg: pg-gotosocial
+ kustomize.toolkit.fluxcd.io/name: gotosocial-db
+ kustomize.toolkit.fluxcd.io/namespace: flux-system
+ name: apps-to-pg-gotosocial
+ namespace: gotosocial
+spec:
+ egress:
+ - toEndpoints:
+ - matchExpressions:
+ - key: io.kubernetes.pod.namespace
+ operator: Exists
+ matchLabels:
+ cnpg.io/cluster: pg-gotosocial
+ - matchExpressions:
+ - key: io.kubernetes.pod.namespace
+ operator: Exists
+ matchLabels:
+ postgres-operator.crunchydata.com/cluster: pg-gotosocial
+ toPorts:
+ - ports:
+ - port: '5432'
+ - icmps:
+ - {}
+ toEndpoints:
+ - matchExpressions:
+ - key: io.kubernetes.pod.namespace
+ operator: Exists
+ matchLabels:
+ cnpg.io/cluster: pg-gotosocial
+ - matchExpressions:
+ - key: io.kubernetes.pod.namespace
+ operator: Exists
+ matchLabels:
+ postgres-operator.crunchydata.com/cluster: pg-gotosocial
+ endpointSelector:
+ matchLabels:
+ db.home.arpa/pg: pg-gotosocial
+
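Review bot: `namespace: gotosocial` is set on a CiliumClusterwideNetworkPolicy, which is a cluster-scoped kind; it appears to come from the new `targetNamespace: gotosocial` on the gotosocial-db Kustomization, and flux-local now reports the policy as gotosocial/apps-to-pg-gotosocial instead of flux-system/apps-to-pg-gotosocial. The API server normally discards metadata.namespace on cluster-scoped objects, so the apply will likely update the existing policy rather than create a second one, but that is worth confirming on the cluster since this diff presents it as a delete plus an add. The policy body itself is unchanged from the deleted copy.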
--- HelmRelease: cloudflare/cloudflared ConfigMap: cloudflare/cloudflared-config
+++ HelmRelease: cloudflare/cloudflared ConfigMap: cloudflare/cloudflared-config
@@ -9,15 +9,14 @@
app.kubernetes.io/name: cloudflared
data:
config.yaml: "tunnel: \"${SECRET_CLOUDFLARE_TUNNEL_ID}\"\ncredentials-file: /etc/cloudflared/credentials.json\n\
no-autoupdate: true\n\ningress:\n - hostname: \"cftest.${DNS_SHORT}\"\n service:\
\ hello_world\n\n - hostname: \"*\"\n path: \"^/metrics\"\n service: http://default-backend.ingress.svc.cluster.local:80\n\
\ \n - hostname: \"${APP_DNS_FLUX_WEBHOOK}\"\n service: \"http://webhook-receiver.flux-system.svc.cluster.local:80\"\
- \n \n - hostname: \"social.jjgadgets.tech\"\n service: https://gotosocial.gotosocial.svc.cluster.local.:8080\n\
- \ originRequest:\n originServerName: \"social.jjgadgets.tech\"\n \n \
- \ - hostname: \"${APP_DNS_HEADSCALE}\"\n service: https://headscale.headscale.svc.cluster.local.:8080\n\
+ \n \n - hostname: \"social.jjgadgets.tech\"\n service: http://gotosocial.gotosocial.svc.cluster.local.:8080\n\
+ \ \n - hostname: \"${APP_DNS_HEADSCALE}\"\n service: https://headscale.headscale.svc.cluster.local.:8080\n\
\ originRequest:\n originServerName: \"${APP_DNS_HEADSCALE}\"\n \n -\
\ hostname: \"*.${DNS_SHORT}\"\n service: https://nginx-external-controller.ingress.svc.cluster.local:443\n\
\ originRequest:\n originServerName: \"ingress.${DNS_SHORT}\"\n \n -\
\ hostname: \"${DNS_SHORT}\"\n service: https://nginx-public-controller.ingress.svc.cluster.local:443\n\
\ originRequest:\n originServerName: \"${DNS_SHORT}\"\n \n - hostname:\
\ \"${APP_DNS_AUTHENTIK}\"\n service: https://nginx-external-controller.ingress.svc.cluster.local:443\n\
--- HelmRelease: gotosocial/gotosocial Service: gotosocial/gotosocial
+++ HelmRelease: gotosocial/gotosocial Service: gotosocial/gotosocial
@@ -1,23 +1,22 @@
---
apiVersion: v1
kind: Service
metadata:
name: gotosocial
labels:
- app.kubernetes.io/service: gotosocial
app.kubernetes.io/instance: gotosocial
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: gotosocial
- annotations:
- traefik.ingress.kubernetes.io/service.serversscheme: https
+ app.kubernetes.io/service: gotosocial
spec:
type: ClusterIP
ports:
- port: 8080
- targetPort: http
+ targetPort: 8080
protocol: TCP
name: http
selector:
+ app.kubernetes.io/component: main
app.kubernetes.io/instance: gotosocial
app.kubernetes.io/name: gotosocial
--- HelmRelease: gotosocial/gotosocial Deployment: gotosocial/gotosocial
+++ HelmRelease: gotosocial/gotosocial Deployment: gotosocial/gotosocial
@@ -1,51 +1,75 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: gotosocial
labels:
+ app.kubernetes.io/component: main
app.kubernetes.io/instance: gotosocial
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: gotosocial
spec:
revisionHistoryLimit: 3
replicas: 1
strategy:
type: Recreate
selector:
matchLabels:
+ app.kubernetes.io/component: main
app.kubernetes.io/name: gotosocial
app.kubernetes.io/instance: gotosocial
template:
metadata:
labels:
+ app.kubernetes.io/component: main
+ app.kubernetes.io/instance: gotosocial
app.kubernetes.io/name: gotosocial
- app.kubernetes.io/instance: gotosocial
+ authentik.home.arpa/https: allow
db.home.arpa/pg: pg-gotosocial
- egress.home.arpa/nginx-external: allow
- egress.home.arpa/world: allow
+ egress.home.arpa/internet: allow
ingress.home.arpa/cloudflare: allow
ingress.home.arpa/nginx-internal: allow
prom.home.arpa/kps: allow
s3.home.arpa/store: rgw-${CLUSTER_NAME}
spec:
+ enableServiceLinks: false
serviceAccountName: default
automountServiceAccountToken: false
securityContext:
fsGroup: 568
fsGroupChangePolicy: Always
runAsGroup: 568
+ runAsNonRoot: true
runAsUser: 568
+ seccompProfile:
+ type: RuntimeDefault
+ hostIPC: false
+ hostNetwork: false
+ hostPID: false
dnsPolicy: ClusterFirst
- enableServiceLinks: true
+ hostAliases:
+ - hostnames:
+ - ${APP_DNS_AUTHENTIK}
+ ip: ${APP_IP_AUTHENTIK}
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: fuckoff.home.arpa/gotosocial
+ operator: DoesNotExist
+ topologySpreadConstraints:
+ - labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: gotosocial
+ maxSkew: 1
+ topologyKey: kubernetes.io/hostname
+ whenUnsatisfiable: DoNotSchedule
containers:
- - name: gotosocial
- image: registry.jjgadgets.tech/jjgadgets/gotosocial:0.13.2@sha256:3de7c10da1eb45724aa552fe50239ac396a918dc09614881925826e43feb2a32
- imagePullPolicy: null
- env:
+ - env:
- name: GTS_ACCOUNTS_REGISTRATION_OPEN
value: 'false'
- name: GTS_ACCOUNT_DOMAIN
value: jjgadgets.tech
- name: GTS_APPLICATION_NAME
value: The JJGadgets Hut
@@ -76,16 +100,35 @@
- name: GTS_HOST
value: social.jjgadgets.tech
- name: GTS_LANDING_PAGE_USER
value: jj
- name: GTS_METRICS_ENABLED
value: 'true'
+ - name: GTS_OIDC_CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ key: GTS_OIDC_CLIENT_ID
+ name: gotosocial-secrets
+ - name: GTS_OIDC_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ key: GTS_OIDC_CLIENT_SECRET
+ name: gotosocial-secrets
+ - name: GTS_OIDC_ENABLED
+ value: 'true'
+ - name: GTS_OIDC_IDP_NAME
+ value: JJGadgets Auth
+ - name: GTS_OIDC_ISSUER
+ valueFrom:
+ secretKeyRef:
+ key: GTS_OIDC_ISSUER
+ name: gotosocial-secrets
- name: GTS_PORT
value: '8080'
- name: GTS_PROTOCOL
- value: https
+ value: http
- name: GTS_STORAGE_BACKEND
value: s3
- name: GTS_STORAGE_S3_ACCESS_KEY
valueFrom:
secretKeyRef:
key: AWS_ACCESS_KEY_ID
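Review bot: `value: http` for GTS_PROTOCOL (replacing `value: https`) is not the listener-TLS switch; in GoToSocial `protocol` is the scheme the instance uses for its own public URIs (actor IDs, the OIDC redirect URI and, as I read it, whether session cookies are marked Secure), and its documentation says to set it to http only for local testing. Listener TLS is already off because GTS_TLS_CERTIFICATE_CHAIN/KEY are removed further down, and Cloudflare still serves https for social.jjgadgets.tech, so this should stay `value: https` with the client scheme conveyed by X-Forwarded-Proto from the trusted proxy range. Changing the protocol of an instance that has already federated also changes the URIs it generates for local accounts, so this is worth fixing before it reaches the cluster; the same value appears in the HelmRelease values hunk (`GTS_PROTOCOL: http`).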
@@ -100,80 +143,47 @@
valueFrom:
secretKeyRef:
key: AWS_SECRET_ACCESS_KEY
name: gotosocial-media-s3
- name: GTS_STORAGE_S3_USE_SSL
value: 'false'
- - name: GTS_TLS_CERTIFICATE_CHAIN
- value: /tls/fullchain.pem
- - name: GTS_TLS_CERTIFICATE_KEY
- value: /tls/privkey.pem
- name: GTS_TRUSTED_PROXIES
value: ${IP_POD_CIDR_V4}
- name: TZ
value: ${CONFIG_TZ}
- envFrom:
- - secretRef:
- name: gotosocial-oidc
- ports:
- - name: http
- containerPort: 8080
- protocol: TCP
- volumeMounts:
- - name: tls-fullchain
- mountPath: /tls/fullchain.pem
- subPath: tls.crt
- readOnly: true
- - name: tls-privkey
- mountPath: /tls/privkey.pem
- subPath: tls.key
- readOnly: true
+ image: jank.ing/jjgadgets/gotosocial:0.13.2@sha256:3de7c10da1eb45724aa552fe50239ac396a918dc09614881925826e43feb2a32
livenessProbe:
failureThreshold: 3
- httpGet:
- httpHeaders:
- - name: Host
- value: social.jjgadgets.tech
- path: /api/v2/instance
+ initialDelaySeconds: 0
+ periodSeconds: 10
+ tcpSocket:
port: 8080
- scheme: HTTPS
- initialDelaySeconds: 0
- periodSeconds: 60
timeoutSeconds: 1
+ name: main
readinessProbe:
failureThreshold: 3
- httpGet:
- httpHeaders:
- - name: Host
- value: social.jjgadgets.tech
- path: /api/v2/instance
+ initialDelaySeconds: 0
+ periodSeconds: 10
+ tcpSocket:
port: 8080
- scheme: HTTPS
- initialDelaySeconds: 0
- periodSeconds: 60
- timeoutSeconds: 1
- startupProbe:
- failureThreshold: 300
- httpGet:
- httpHeaders:
- - name: Host
- value: social.jjgadgets.tech
- path: /api/v2/instance
- port: 8080
- scheme: HTTPS
- initialDelaySeconds: 0
- periodSeconds: 1
timeoutSeconds: 1
resources:
limits:
- memory: 1536Mi
+ cpu: 3000m
+ memory: 1.5Gi
requests:
cpu: 10m
memory: 512Mi
- volumes:
- - name: tls-fullchain
- secret:
- secretName: gotosocial-tls
- - name: tls-privkey
- secret:
- secretName: gotosocial-tls
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ readOnlyRootFilesystem: true
+ startupProbe:
+ failureThreshold: 30
+ initialDelaySeconds: 0
+ periodSeconds: 5
+ tcpSocket:
+ port: 8080
+ timeoutSeconds: 1
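Review bot: All three probes became `tcpSocket: port: 8080` where the previous manifest probed `/api/v2/instance` over HTTP with a Host header; a TCP connect only proves the listener is bound, so a pod whose database or OIDC backend is unreachable still passes readiness and keeps receiving traffic from the Service. Restoring the HTTP check with `httpGet: {path: /api/v2/instance, port: 8080, scheme: HTTP}` in place of each `tcpSocket:` block (the Host header can be kept) gives back the same signal now that the listener is plain HTTP; in app-template v2 this is the container-level probes block with `custom: true` and a `spec`. Note also the startup budget dropped from 300×1s to 30×5s (300s to 150s); the old value suggests longer cold starts were seen before, so keep an eye on it.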
--- HelmRelease: gotosocial/gotosocial Ingress: gotosocial/gotosocial
+++ HelmRelease: gotosocial/gotosocial Ingress: gotosocial/gotosocial
@@ -7,22 +7,17 @@
app.kubernetes.io/instance: gotosocial
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: gotosocial
annotations:
external-dns.alpha.kubernetes.io/cloudflare-proxied: 'true'
external-dns.alpha.kubernetes.io/target: ${SECRET_CLOUDFLARE_TUNNEL_ID}.cfargotunnel.com
- nginx.ingress.kubernetes.io/backend-protocol: HTTPS
- nginx.ingress.kubernetes.io/server-snippet: |
- proxy_ssl_name social.jjgadgets.tech;
- proxy_ssl_server_name on;
spec:
- ingressClassName: nginx-internal
+ ingressClassName: nginx-public
tls:
- hosts:
- social.jjgadgets.tech
- secretName: gotosocial-tls
rules:
- host: social.jjgadgets.tech
http:
paths:
- path: /
pathType: Prefix