diff --git a/apps/kakigoori/.gitignore b/apps/kakigoori/.gitignore
new file mode 100644
index 0000000..6a07bff
--- /dev/null
+++ b/apps/kakigoori/.gitignore
@@ -0,0 +1 @@
+local_settings.py
diff --git a/apps/kakigoori/deployment.yaml b/apps/kakigoori/deployment.yaml
new file mode 100644
index 0000000..9fe61e5
--- /dev/null
+++ b/apps/kakigoori/deployment.yaml
@@ -0,0 +1,90 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: kakigoori
+ labels:
+ app.kubernetes.io/name: kakigoori
+spec:
+ replicas: 2
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: kakigoori
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: kakigoori
+ spec:
+ affinity:
+ nodeAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 1
+ preference:
+ matchExpressions:
+ - key: location
+ operator: In
+ values:
+ - fsn
+ containers:
+ - name: kakigoori
+ image: "git.remilia.ch/remilia/kakigoori:main"
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 8001
+ volumeMounts:
+ - name: config
+ mountPath: /kakigoori/kakigoori/local_settings.py
+ subPath: local_settings.py
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+ - name: anubis
+ image: ghcr.io/techarohq/anubis:latest
+ imagePullPolicy: Always
+ env:
+ - name: "BIND"
+ value: ":8080"
+ - name: "DIFFICULTY"
+ value: "4"
+ - name: ED25519_PRIVATE_KEY_HEX
+ valueFrom:
+ secretKeyRef:
+ name: anubis-kakigoori-key
+ key: ED25519_PRIVATE_KEY_HEX
+ - name: "METRICS_BIND"
+ value: ":9090"
+ - name: "SERVE_ROBOTS_TXT"
+ value: "true"
+ - name: "TARGET"
+ value: "http://localhost:8001"
+ - name: "OG_PASSTHROUGH"
+ value: "true"
+ - name: "OG_EXPIRY_TIME"
+ value: "24h"
+ resources:
+ limits:
+ cpu: 750m
+ memory: 256Mi
+ requests:
+ cpu: 250m
+ memory: 256Mi
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+ volumes:
+ - name: config
+ configMap:
+ name: kakigoori-config
\ No newline at end of file
diff --git a/apps/kakigoori/kustomization.yaml b/apps/kakigoori/kustomization.yaml
new file mode 100644
index 0000000..c182713
--- /dev/null
+++ b/apps/kakigoori/kustomization.yaml
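Review bot: Both containers in `apps/kakigoori/deployment.yaml` run mutable tags (`kakigoori:main`, `anubis:latest`) with `imagePullPolicy: Always`, so any pod restart can pull code that differs from what was reviewed. The `anubis` container is also handed `ED25519_PRIVATE_KEY_HEX`, so whatever image that tag resolves to at pull time receives the signing key. Pinning each image to a digest, for example `image: ghcr.io/techarohq/anubis@sha256:<DIGEST_PLACEHOLDER>`, makes upgrades a deliberate, reviewable change. Separately, the `kakigoori` container has no `resources` block although the sidecar does, neither container sets `readOnlyRootFilesystem: true`, and `automountServiceAccountToken: false` on the pod spec would remove the default service-account token if the app does not call the API server.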
@@ -0,0 +1,8 @@
+resources:
+- deployment.yaml
+- services.yaml
+- secrets.yaml
+configMapGenerator:
+- name: kakigoori-config
+ files:
+ - local_settings.py
\ No newline at end of file
diff --git a/apps/kakigoori/local_settings.sops.py b/apps/kakigoori/local_settings.sops.py
new file mode 100644
index 0000000..25a1fa9
--- /dev/null
+++ b/apps/kakigoori/local_settings.sops.py
@@ -0,0 +1,15 @@
+{ + "data": "ENC[AES256_GCM,data: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,iv:ys2DmK1Y/hGm/t8QRI9DiMpoaP6nwPXXWGTX8yiIYow=,tag:i5zn5dn9F8BorSc+1Zm3Wg==,type:str]", + "sops": { + "age": [ + { + "recipient": "age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIaGxKaDVkckwyYktyTzBG\nNVNyUFozblhlaWUra1U2cTRxYm1TOEpyZ0Z3ClRENDA4WXl4QVpQQ3V0RGIrdkVM\nYVFpRWs1WERHK1ZZenVsZU0xZGJQTHcKLS0tIDlVN2c3N21qemd1S3hDaHlDaDU2\nZU1WTTJZUUhaRUkyQW9WL05KNkNwRW8KS3lwtuo1sUo0iwwjV8fQILOsuRv5Onkc\niSc7wDNyvsL+mqkM0DqfgqeSvi6JHDUXxMU6b2OPg4M6YQ0Y/rsTJA==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-05-31T11:09:17Z", + "mac": "ENC[AES256_GCM,data:MbEPM+n/vYATVnstjTsiGmmArSsSiYNXPAPNv9AmNQdxQDgtJSkBSA9TfVBtBL4x9Bymv9v0d+7N+Skn38ZPfQN5cVxncw1d05J03l6+COznyBNVDaA5u6iHrAf6olbfxdhN5/eoT8IZtn+hfSM+ZXM2MDP/u7/VD9j4G2pNTPA=,iv:qdDIp8vHvawnWIhJcJcGYvfHtZknljqfdufi8IlDFr8=,tag:6Kmg1jhv4VE1LLO9lBqzqw==,type:str]", + "unencrypted_suffix": "_unencrypted", + "version": "3.10.2" + } +}
diff --git a/apps/kakigoori/secrets.sops.yaml b/apps/kakigoori/secrets.sops.yaml
new file mode 100644
index 0000000..e943121
--- /dev/null
+++ b/apps/kakigoori/secrets.sops.yaml
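Review bot: In `apps/kakigoori/kustomization.yaml`, `configMapGenerator` ships `local_settings.py` as a ConfigMap, yet that file is committed only in SOPS-encrypted form and git-ignored in plaintext, which suggests it holds secrets (presumably application credentials; its contents are not visible here). ConfigMaps are not covered by Secret-scoped RBAC or by encryption at rest configured for Secrets, so anyone who can read ConfigMaps in the namespace can read the settings. Consider `secretGenerator:` in place of `configMapGenerator:`, with the `config` volume in deployment.yaml switched to `secret:` / `secretName: kakigoori-config`. Also, `resources` references `secrets.yaml`, apparently the decrypted form of `secrets.sops.yaml`, while the new `.gitignore` only lists `local_settings.py`; adding `secrets.yaml` there would guard against committing the plaintext key, unless a parent ignore file already covers it.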
@@ -0,0 +1,22 @@
+apiVersion: v1 +kind: Secret +metadata: + name: anubis-kakigoori-key +type: Opaque +data: + ED25519_PRIVATE_KEY_HEX: ENC[AES256_GCM,data:hLiIseiRyHxRyeqOr/l25I02LIY9UylK2O136X6904c7ZVpYIvqahI8Y94BNkDTSWQCUohEq2gAM3/NUb2OMosRX7/KJFOed3oqruvUz6imaSFTDXu9Jlg==,iv:R2hIPEttqS0k3lawoF1D51AExSodFt5HTs8h6dTr6h0=,tag:NOOZVbGD11jPtDEQ/GhCDw==,type:str] +sops: + age: + - recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUOEtoSE14clR0ZnBiTmxT + Nlc1VDFPWXZBamxySGZVYUxVeklKb0RVdnlnCk9seGNYa1NOSzlENzV5LzQzeGVh + UUd2UllMNUNkbWRyVEhHWmVHd3lyVzQKLS0tIERTdWRZRERBUmNuWm4vRHR4RjBG + RD+XMks0aFlPMHUzQXFuQ2tNb3U5OHMKwBGwir6zmtEuLbk/QJHLshHmby65aeK+ + 4IcT9Ez+OytpTx2iRgCPI5eFFIAirejzpc9TLviHdsPzrq/bN/v6Rw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-05-31T11:19:27Z" + mac: ENC[AES256_GCM,data:pGhHDJqdWQdDePmFqNFJsGb8xQnSIshlC+d2A6tVmPL2GZITFNHs7fjAODSpy91tev4p29N4RaKbukKqz0sXZADqj8edpQ01xrzLxeFsphYiC3wJcpGtlXWNjNxvHC8L1pzKjLS47/V+JcDJxzrZMvP4ZmmwSYXORMErgtARAZI=,iv:W9Kd77VPEDnbRbs4F7PQCj97NwhmIER0FiaRDEoo48I=,tag:R5iHYlsy+pP/GJBw4pci0g==,type:str] + encrypted_regex: ^(data|stringData)$ + version: 3.10.2
diff --git a/apps/kakigoori/services.yaml b/apps/kakigoori/services.yaml
new file mode 100644
index 0000000..e1a655c
--- /dev/null
+++ b/apps/kakigoori/services.yaml
@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: kakigoori
+spec:
+ type: ClusterIP
+ selector:
+ app.kubernetes.io/name: kakigoori
+ ports:
+ - protocol: TCP
+ port: 8001
+ targetPort: 8001
+ name: kakigoori
+ - protocol: TCP
+ port: 80
+ targetPort: 8080
+ name: anubis
\ No newline at end of file
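Review bot: In `apps/kakigoori/services.yaml`, the `kakigoori` port entry (`port: 8001`, `targetPort: 8001`) publishes the application container directly on the Service, so any client that reaches the ClusterIP on 8001, or an ingress pointed at that port, skips the Anubis proxy that the `anubis` port (80 to 8080) is there to enforce. The sidecar's `TARGET` is `http://localhost:8001`, so the proxied path does not depend on this Service port. If nothing needs direct access, drop the 8001 entry and keep only the `anubis` port; if an in-cluster consumer does need it, restrict it with a NetworkPolicy. Whether the app binds only to loopback is not visible in this diff.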