prettysunflower/infra
1
Fork 0
Code Issues 1 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

The great reset, we moved infra into two clusters (sekibanki et seija)

Browse Source
This commit is contained in:
prettysunflower
2025-07-16 10:39:09 -04:00
parent 68f1108c2d
commit 1df5459f70
145 changed files with 2431 additions and 576 deletions
Download Patch File Download Diff File Expand all files Collapse all files

1
apps/seija/kakigoori/.gitignore vendored Normal file
View File

@@ -0,0 +1 @@
local_settings.py

93
apps/seija/kakigoori/deployment.yaml Normal file
View File

@@ -0,0 +1,93 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: kakigoori
labels:
app.kubernetes.io/name: kakigoori
spec:
replicas: 3
selector:
matchLabels:
app.kubernetes.io/name: kakigoori
template:
metadata:
labels:
app.kubernetes.io/name: kakigoori
spec:
containers:
- name: kakigoori
image: "git.prettysunflower.moe/prettysunflower/kakigoori:main"
imagePullPolicy: Always
ports:
- containerPort: 8001
volumeMounts:
- name: config
mountPath: /kakigoori/kakigoori/local_settings.py
subPath: local_settings.py
securityContext:
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
- name: anubis
image: ghcr.io/techarohq/anubis:v1.20.0
env:
- name: "BIND"
value: ":8080"
- name: "DIFFICULTY"
value: "4"
- name: ED25519_PRIVATE_KEY_HEX
valueFrom:
secretKeyRef:
name: anubis-kakigoori-key
key: ED25519_PRIVATE_KEY_HEX
- name: "THOTH_URL"
valueFrom:
secretKeyRef:
name: anubis-kakigoori-key
key: THOTH_URL
- name: "THOTH_TOKEN"
valueFrom:
secretKeyRef:
name: anubis-kakigoori-key
key: THOTH_TOKEN
- name: "METRICS_BIND"
value: ":9090"
- name: "SERVE_ROBOTS_TXT"
value: "true"
- name: "TARGET"
value: "http://localhost:8001"
- name: "OG_PASSTHROUGH"
value: "true"
- name: "OG_EXPIRY_TIME"
value: "24h"
resources:
limits:
cpu: 750m
memory: 256Mi
requests:
cpu: 250m
memory: 256Mi
securityContext:
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
volumes:
- name: config
configMap:
name: kakigoori-config
dnsPolicy: "None"
dnsConfig:
nameservers:
- 100.96.226.96

8
apps/seija/kakigoori/kustomization.yaml Normal file
View File

@@ -0,0 +1,8 @@
resources:
- deployment.yaml
- services.yaml
- secrets.yaml
configMapGenerator:
- name: kakigoori-config
files:
- local_settings.py

15
apps/seija/kakigoori/local_settings.sops.py Normal file
View File

@@ -0,0 +1,15 @@
{
"data": "ENC[AES256_GCM,data:xk32d+fT8YwTbJ9zSh+5ceMzF43NCRnQzPeoxcgRijQHKAbTiJyG6bz5bd98aNkc5dTKtDmFzJlPVszzud4g/zQAUxToJ/IMiWG+6YQxcUZA6b/DsTYu8hB/sw8YVS/fUhvtOMaI4p5Yt/cxFSkRBDLumTMIiCMr/hjJfL7KsnQnT+G1SOkdXKOW5ZCC1DwePH4uSAT+pIBDS4T/j6+bfnIk69BFo2O6J30abNJv8n7/jCLUDCuuZ+KQNfiAYHJIcsj1HI5hLUyTxSRXDxBYBDhar/sceJWZCzumEiqieSmWiUTBELQmado4+i5sqEVBNCqAcDmtRBJM67au0CKoOLM1Zce1O9JBOT/pPA1h5oIQ8j3S4JcEwivcZOvI1F47QkMcwqzvsVY1l43Jj2bAs8f9i/QfyoahBjIQdqTZ1GSMMDiZxv8Od1pMZ3RduptdzUZwXlghdtQRRaO9Wp/Qdm+EhcN89k9lmw9wcNl3sAywjmy+7ZeHMwTxZdWHW7ooYf3miaxahewqQXKkydLoaPF2LjI2b76mMiuw45HsKg8laURrdRp9KP8YEZUz43BEOUPBicL5SHvBJbvZOhtMKgGkX4vKvGztUdkDlk8Jn/KCoKL6eWyqJs90lTp7pY+pf8CTFeZk9cHamBF6qi3But95pPGFz65ZOJP5PUrVkM0HY1gsMlXJQyo6umMo6NYtwnlXakqcN5lr9noAZdZZljzfPlDEwLOQ/UkDuoMhFbIRtsE6bqibs4NRAPdboI9dh97HPns3jx4krXjm+IaLyG2Fjb+HsrpxOpOKhVYxE6ogB32gm0jmd0OsuIQHHhuI6XTCv7ojCTAfWHpDzfa/wpj5JTaDT2KhaKmwxDremT3QtdoEA4tC5TYmw9ACoYL2sLsw6bKikMi3eW+aqUCUnxGoB1s51bBeEjKCN6v/qYaPOh7+3MkqGsOJpyTrcYkk+QznYKRJBN9J0qK36PwCtS0IOeHErtNkzo8k8di4M5Gfmgtym406Bmv2v5fRiCfUHZ3TszOSILi8VmlzmkjRuD96zatnlS5LGbf5fSRfRjqBLpx6vHrzlmACzMqJtLGW3zHm/8b5tffLAy+uNMTFj25o+iFRMPCC0nBeCmBex2AAcbZEmEeiUgx1zfQEUVo3HotdXbXCCWBL0l6YCInZ9QikANqMo6urUAtG1nBxe6GxG+2t3KI=,iv:K8WPuND70blkG810M/ru82znvGVqJVWh7U3ZfhRTS5Q=,tag:e7TewsvDz2x0R+pohEGlDA==,type:str]",
"sops": {
"age": [
{
"recipient": "age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0MEQxbnA4T0NQSER6NzhG\nN29rVVpmOEJWbEV0TmdVbVp0SGdoMXU4cmxnCkNpMS9Ua2dqQkNQU0RJSUNSTkZu\nUzc4RldaeERPYWxWaElwZlBzU3JjWHcKLS0tIGRoa3pSdDhQbG1kYm9Jb0F6eVZs\nODNRaHFtbnlGMC9rTDJFVWZOMkdZd00KBBUHdx/zbhwEqBaAoeaauiWgkrQ/06wO\nAcGtTapGrKKEj+hDJNVIuP4EcCXt6tlaYPm9IVxQh92VQ3YrAkHLrw==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-07-16T14:35:28Z",
"mac": "ENC[AES256_GCM,data:+boBB9vcGpRgwaxDs4kFgQk6nVmE3jL1lCkNnmL0ya501M2YlKgZ/UP87qkh8eMQFizpWfs6NFamdF0Zfd7fM1hokOjXQ4pM3rfNa+3lxK2pkEV16OOA5V2F9vTAIkuaCHqKihUZL/PMIko/koKroGU8jfq3ZtgBXTlhIRKeGNI=,iv:zc7vR7gJrMbGIUr+C/R4EWH8LaYX2SxwNtX050nrfEI=,tag:EacHLbwFtujnJuQaKteXkw==,type:str]",
"unencrypted_suffix": "_unencrypted",
"version": "3.10.2"
}
}

25
apps/seija/kakigoori/secrets.sops.yaml Normal file
View File

@@ -0,0 +1,25 @@
apiVersion: v1
kind: Secret
metadata:
name: anubis-kakigoori-key
type: Opaque
data:
ED25519_PRIVATE_KEY_HEX: ENC[AES256_GCM,data:mLGdCjuZFgjQ/0WlGBRCf+T0TKHbc/1otllDvsqmAOi+1unw0ZEoCH6+fr1WEAagN0VKulwQmlf26ji7g/+9Q1fiwWMBzxAd1/ZbDZdRptLBvDRBjAP6zA==,iv:P2bwoNjfT8NkBtf8xcKk+VlAPUMzjiuD3z/DHIiDacg=,tag:3CE4qOo0K0BVGgFAUIGZ2Q==,type:str]
stringData:
THOTH_URL: ENC[AES256_GCM,data:9jcvAvIylF4WkQKvAPwyOLpE8w9Es7XJCBHi2gU6A79dTnnl,iv:PcwIyDifQxOmJzrxNxPQqvhS5gT2r7G2+mBP7OYNvCs=,tag:a+sqdXJpd1WVWQlAC3lgdw==,type:str]
THOTH_TOKEN: ENC[AES256_GCM,data:ER/93+x9aFGjSPtv7ObT4zhTnCdlJGa+MMY1nqGNGH/GtDKoF+XtyRmclQj+oFZ6DxhV9gM6VeP20YLz7g5t5K23ZmIfFzwAtQAxwJSvDeJw85dkhQbKfTIvou/NM4bL9T1A7j9zGuKvpYAqlkwYnLlDfBy3aWUdD4qkRIjTvXwijG6BjL3dBNXqC1UAxn7j5Y9QojGt6j04/rllYfjuADsIsT4Kbb/EM4jgP13Mu+nJP/3GkfjBQfaC02RvAREjIPuKfVz28zcwLbBTT2kPPSYGuSxIpo1kWKnpttmHDkKgcHu9/q6EFaswgeX3aIbowXiPEY20yYZW4QBbvcBSQOX27Rhg9HR4pcYVM5VT7RTia+kDWIEmhV5JtFlYzx5wiXDM2vgEF+wX+t5mVC96I+En4PuTaBV2lbE=,iv:3dvQjX+takhickmJ3AHo29sEUEfXpSYgh78Rqkfmgkw=,tag:78wOIOovvjkfRxbpDpQoKg==,type:str]
sops:
age:
- recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWK2RpVUIxZkZVMjdFV29L
VnpYUVJnY3hIYTVSb1htNm5xcTJGRlVWZ0IwCmdSWXFFanBMV1FKTnozUmorL0Qr
Z0F0cjc1T2VqRXRwK080VU5tUk1VbkUKLS0tIENiTm5CbkVmTnRRNzJaK3hjMjgr
TzhQMmFQOXhCWjRUbGNGOUZHazFNdU0KTLIACJrcciwiFdEhyQCY+ln/afHuwaUU
dQXcslNIFa5GeFCA7P7zDkhJWbM1nwOg2D/hh36vYKH6mwdhKVy3Bw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-07-16T14:35:28Z"
mac: ENC[AES256_GCM,data:uPR8lkkMZ1Uko36jISMNG6YMKRHh2jZ1P6aA8lY12Qlml21QsDz3z2c+3iOFaSE9CHZ2TPaMj4gkTkHojkkoKmOdGOZSulKKnnSZ42bDVZPPIjiTcMZxYGUiloBrFAzitRqub5UPtgnoKIxnlsZvMJvl8m9oZ27oi9R7K0MgyYI=,iv:AJBS0RDHXDkjF0DMctPCka2f7iaKFw6VQIHl9VWOCog=,tag:bL5DPT/uvQElYbUG9BjxJQ==,type:str]
encrypted_regex: ^(data|stringData)$
version: 3.10.2

17
apps/seija/kakigoori/services.yaml Normal file
View File

@@ -0,0 +1,17 @@
apiVersion: v1
kind: Service
metadata:
name: kakigoori
spec:
type: ClusterIP
selector:
app.kubernetes.io/name: kakigoori
ports:
- protocol: TCP
port: 8001
targetPort: 8001
name: kakigoori
- protocol: TCP
port: 80
targetPort: 8080
name: anubis

22
apps/seija/mazanoke/deployment.yaml Normal file
View File

@@ -0,0 +1,22 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: mazanoke
labels:
app.kubernetes.io/name: mazanoke
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: mazanoke
template:
metadata:
labels:
app.kubernetes.io/name: mazanoke
spec:
containers:
- name: mazanoke
image: ghcr.io/civilblur/mazanoke:v1.1.5
ports:
- containerPort: 80
name: http

3
apps/seija/mazanoke/kustomization.yaml Normal file
View File

@@ -0,0 +1,3 @@
resources:
- deployment.yaml
- svc.yaml

12
apps/seija/mazanoke/svc.yaml Normal file
View File

@@ -0,0 +1,12 @@
apiVersion: v1
kind: Service
metadata:
name: mazanoke
spec:
type: ClusterIP
selector:
app.kubernetes.io/name: mazanoke
ports:
- protocol: TCP
port: 80
targetPort: http

108
apps/seija/ourfigurecollection/deployment.yaml Normal file
View File

@@ -0,0 +1,108 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: ourfigurecollection
labels:
app.kubernetes.io/name: ourfigurecollection
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: ourfigurecollection
template:
metadata:
labels:
app.kubernetes.io/name: ourfigurecollection
spec:
affinity:
nodeAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
preference:
matchExpressions:
- key: location
operator: In
values:
- fsn
containers:
- name: ourfigurecollection-django
image: "git.prettysunflower.moe/prettysunflower/ourfigurecollection:main"
imagePullPolicy: Always
ports:
- containerPort: 8001
volumeMounts:
- name: config
mountPath: /ourfigurecollection/ourfigurecollection/local_settings.py
subPath: local_settings.py
securityContext:
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
- name: ourfigurecollection-static
image: "git.prettysunflower.moe/prettysunflower/ourfigurecollection-static:main"
imagePullPolicy: Always
ports:
- containerPort: 8002
- name: anubis
image: ghcr.io/techarohq/anubis:v1.20.0
env:
- name: "BIND"
value: ":8080"
- name: "DIFFICULTY"
value: "4"
- name: ED25519_PRIVATE_KEY_HEX
valueFrom:
secretKeyRef:
name: anubis-ourfigurecollection-key
key: ED25519_PRIVATE_KEY_HEX
- name: "THOTH_URL"
valueFrom:
secretKeyRef:
name: anubis-ourfigurecollection-key
key: THOTH_URL
- name: "THOTH_TOKEN"
valueFrom:
secretKeyRef:
name: anubis-ourfigurecollection-key
key: THOTH_TOKEN
- name: "METRICS_BIND"
value: ":9090"
- name: "SERVE_ROBOTS_TXT"
value: "true"
- name: "TARGET"
value: "http://localhost:8001"
- name: "OG_PASSTHROUGH"
value: "true"
- name: "OG_EXPIRY_TIME"
value: "24h"
resources:
limits:
cpu: 750m
memory: 256Mi
requests:
cpu: 250m
memory: 256Mi
securityContext:
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
volumes:
- name: config
configMap:
name: ourfigurecollection-config
dnsPolicy: "None"
dnsConfig:
nameservers:
- 100.96.226.96

8
apps/seija/ourfigurecollection/kustomization.yaml Normal file
View File

@@ -0,0 +1,8 @@
resources:
- deployment.yaml
- svc.yaml
- secrets.yaml
configMapGenerator:
- name: ourfigurecollection-config
files:
- local_settings.py

35
apps/seija/ourfigurecollection/local_settings.py Normal file
View File

@@ -0,0 +1,35 @@
DATABASES = {
"default": {
"ENGINE": "django.db.backends.postgresql",
"NAME": "ourfigurecollection",
"USER": "ourfigurecollection",
"PASSWORD": "xxHWl#d$FoYZ54",
"HOST": "100.85.208.69",
"PORT": "5432",
}
}
import sentry_sdk
ALLOWED_HOSTS = ["ourfigurecollection.moe"]
DEBUG = False
KAKIGOORI_API_KEY = "63586938-dd4b-4e01-a48a-6344e0bc226b"
OIDC_CLIENT_ID = "749bcfb1-ee32-4c79-85b5-92062d7192b3"
OIDC_CLIENT_SECRET = "dEhOJ6pvfy3d95Cx7kMq0SHBEgb6romd"
OIDC_DISCOVERY_URL = "https://auth.remilia.ch/.well-known/openid-configuration"
sentry_sdk.init(
dsn="https://62638433153873bc2395021d22e96972@o134957.ingest.us.sentry.io/4508270934360064",
# Add data like request headers and IP for users;
# see https://docs.sentry.io/platforms/python/data-management/data-collected/ for more info
send_default_pii=True,
# Set traces_sample_rate to 1.0 to capture 100%
# of transactions for tracing.
traces_sample_rate=1.0,
# To collect profiles for all profile sessions,
# set `profile_session_sample_rate` to 1.0.
profile_session_sample_rate=1.0,
# Profiles will be automatically collected while
# there is an active span.
profile_lifecycle="trace",
)

15
apps/seija/ourfigurecollection/local_settings.sops.py Normal file
View File

@@ -0,0 +1,15 @@
{
"data": "ENC[AES256_GCM,data:4MYUeRSLBpr51Gae4rNAhutaDiOT1Bjz0lpDiXGAcv9sAXDQTfJA6nHSAhJxcE0ZopIt4te2F6B105/7fCDa4qBma6lQf3c0wQjd+Q+YhzaUSAhf3MFXANIcmpLVYV5szcgJ/Snc8z4lgzZtt2bONEL/wJQU8dEFBpHKdoqQtWoKJB/XbjvgBMpnTq/FjTiOk6KauD224jf4F2fFGRijkJLJAFp9DAtmZ0zZs/IkVTgsTsXkxyQnMsSN9eOGzT7UIJ6sZIuRpvl1nsTV0sLH545PHSufykJCnrdFl05jjNCUxz10mfDg4dXieuAWHWD7vd3eB71uJS8+iEhMc1+PJLOPiItdtcXqT8Z24Grz6A9ANLHkocqRxZ/x7+2KTy5pKVpLRtdGaSF1oiBiBfHAcZX3CCsEci3k0aohrIVywher8rTf5SLfyb0jjoihTjeKvKzDpgADvJSnEnJMMszuA5K3Vu+wszVP+tlA1pLJ4+nITKhT65PRUw0+A9TA5iA2ETsrfyE8dI4q5TCyfXmh6LP7vB2bZsk5zaKDpfU22gBF/foLV6tlFvvv+zT5UnKRAjTbIzAtIe2VFWG/4aAR++PLqM9W5vUYjwoPxP7GqVa5BQStVgdVu8rGaQfx2Z+aG8VMlODJZrA4U7+XCmlDFZMUJiBOBieVo0gsYkhQO2GNnd8/WpEmlsE+8i6LOJUPopmfpH51wriXBol9SJwxDwslxmCQ6in+kX43Jf57m/1GxLnUeIvEZHlyzesC0WIkmUU20e+1MqRmFI7jAwLBE50tsDB4fRjUF0+TtwFGv9eP0qlS6SNTa/5JrXYP956u35XDqYfy5BTiZyEu9RwwirvaeoamelVgIzhyxbokwK50adYcGoETlg/JEwEffmvb0KxcMJIXC8N6iI79/MpW3vc/u+qPeiY605zaLqKBf5zwlwqAXnMdkN9JEmeuCcOq4OVanrexX1LHTWANJe7cKtLHKAvct/FeDACRCfMBaa47ZGtgRo1fXExQOfA66xAlFGUZRH3l1ucQFHRRDqg8mNB5depedXwwtoC2iX35vKkYXhbMTK5lIgpOvbwDvFYmfD+iD0I4L03aSnDGFxJFAVKVwtPbUUTHT5TQdA4ZaUG/pJlSAaxR9iSd9rbtSPjIoDstdpscovzis9gA0zVhwSKK/24JO55dxFb8wCYlc6RxDW1YgSmNdKDy5AsjSDJF//1nzrU/+raDAB3xr1IUoFDDJy377N7467LKjy6GbDm5PpEhBETnMqV7rHmmy6x7KoieNfwQrY48YF2FbcngwCaQ2dH+irFfYeJ9NdAl1M7DeDLOI6I3E7EL57UbIZSTRXk/RutShRwPr+Mw8iZjB81Ii3vsq7j5LNtRA3flLZdoRtTlw0RS2Rr/yCKmsVqOiTbonbG/WeUFUaPISzm4FsGPoSIXp3yt3FRj1zhPSuKvSw2KolMR4uLz8wEKBplB3/t05bnQn3HvfIOqtXhaNTIKPCr6NUgLrc1H8N+FL/RziwA+46uW4YwpfD435tmN4j3c0tcZLHXc2zfh/molQwOYF9me+KU8OJc/636kThz0tUAp6/DEfV8tkjwjFjfB91/L7ChTyh8NuRidK9KsPSV88yQ9kNWxLnetsKsQMOETBBNx3SCly2x2Qh18a9rjgbPgVg==,iv:7IlGRvqypBq82d5wtssqADkCBOvDnRAlJIewsccOcSw=,tag:H5yQtygO/RNhL+1bdEy4bA==,type:str]",
"sops": {
"age": [
{
"recipient": "age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtQlE4dEI4WHp1dWs0MU1J\nWmI1aExtdTNRSWVMK0hCZ3JhbzUyUnpBc3pVCmZRWSs2eWwxaTIydTU1TVdhb3RS\nVU00VWNMb1JKUFpwcElHbk14cStveVUKLS0tIDVrcFlmV0dCNXZVaDV5OTZQOTJ2\ndGtzTzQyL1k5QUlyTVcvdk9wWVBBOUUKnGPFDBicVruq445e5JnPutHoXVFnR7h7\nDNBBiZTNDzV73F/DEmwUtUu5r/0WDWfVBTY7EhXyry//JmViF1HGRw==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2025-07-16T14:35:28Z",
"mac": "ENC[AES256_GCM,data:tJ3DK0YoCy3YpdIq0jzPB8kFDyFx064i7DjouO7GVGWgrbm5i11OO/dvG/LkP5xMVHp83TkUAjbeW9SHM8h2+OiHZwCOfnYEcGQqcK+JMa9o8jDGfsARph6GKTM/JnlkLYyYuIgGqK2XJEmOazQ3Yt2BhGAFb5GrHp9/fVxCG+k=,iv:zlGkcrccPBh7Vbxc7rQjLjrXtmv+278BgV+cfcSt+o4=,tag:dRwIf51HJrqCTAIOVz206Q==,type:str]",
"unencrypted_suffix": "_unencrypted",
"version": "3.10.2"
}
}

24
apps/seija/ourfigurecollection/secrets.sops.yaml Normal file
View File

@@ -0,0 +1,24 @@
apiVersion: v1
kind: Secret
metadata:
name: anubis-ourfigurecollection-key
type: Opaque
stringData:
ED25519_PRIVATE_KEY_HEX: ENC[AES256_GCM,data:cXINZRGu3j/lch50MqcOl7TkuVwFmBN16Dt2G9yvGkiGhAukrRBSXLTM5q7zbu1J+bBJi9a2PLvGS8i/Q2Opbg==,iv:hL1XQ+odWJTp6cMBcMbmg+GxURbx6CvIKB8uwk5U15Q=,tag:7RquLIFtPNGeYNXDQKpQeQ==,type:str]
THOTH_URL: ENC[AES256_GCM,data:PqDBOXxE2os0HkTpzhWWDPTxkiQc4N1O8+QCu10DT8QhZneO,iv:jWBYmCIJZJI7atECZSEZ1+SmcWT9F5TR6Az00fohVXA=,tag:NsMNIqQW8OHkn0Ga70hB+A==,type:str]
THOTH_TOKEN: ENC[AES256_GCM,data:brbDUCMIm+AuEfDdsrZT5xpas79Z5WUSGvpL98mcIYpswbqrqluhOUkG6kQrbfnxUm9Z0gW9IPgi+4x8K0hz6YMYPaZVJwau+Ggm8raWY2rKSVI/57S+xqWeRMqD/JegvlFjePZZGqtPEjPXurZC9Hh/mSKPNtk0j/41aLrt9cDZVBlHqYjqPFBAQ0G3opWjOvS552sv+hXHzVy5VmbX/DdYeW9+0Nw8yGk1qJKhNj/uOv0/JufSqIvRPgv4jvAKJ/pFiZ5HHZvn1JC4IVdXfey2oNiRKhD89/CcbJCmk8b9dk4MGQoo6O+ppRUNhQozB2cn5RNgF9LJeFD4Cg8ssPavtWtK8deQc4GruHI9sVu7DG90O6fwH3/Ns+LY9D0f11TI9cux5GzAC0RmnBqU8LyVuQKDqsd6htU=,iv:O05keiJh5iPUhVnrPkW4YMNoAha4ghNBIL0bhu5a56Q=,tag:Wt1I+4ccLuAnQR8obRQafw==,type:str]
sops:
age:
- recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlYU0zZG5LSDNvVEFjeXNE
bWI4RzhxVUp4M3RYN1V3eE96Y2ZXdUxlTWtrCkRvSTVTcU5TeUJSZXBpWFpVQkF4
czUydFVDdFk3djF3eURLd2tyTVEzRzQKLS0tIFR4NzNTQ3lFUnMyU2R5bW5yaDNa
MGdKQ0tZRGxFRWlER2d6UExkcnFLUHcKI0785hD9BzhDtZk4lIDq/XFGNkaMiVop
PGK6RSbouD5oG0gga07YyAKMsOvz1CCCGEwFhTgsWb2p+1bN2QqXkw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-07-16T14:35:28Z"
mac: ENC[AES256_GCM,data:4GDYYdLIjt+SfUfJvLOLZLrmDBiXhyoh03g5fwk4Uj944I+51paT1oMxJl9Dd0XRWbFK2JMUIc7sSe4HUpsEaSOkfYtM/t4sX0iNTWfPKzxwqOSAE72eDI31ocPUzwlN94/6VYkqPcG1vKADFVqsY4zqp2f2bPOnMbaLLQQGoQU=,iv:91aG7OGowAUkOcp6fLHT8khbSXv2tq8gYFmM4qqcPX0=,tag:zqjA+KVxielyksOtVD8i2w==,type:str]
encrypted_regex: ^(data|stringData)$
version: 3.10.2

21
apps/seija/ourfigurecollection/svc.yaml Normal file
View File

@@ -0,0 +1,21 @@
apiVersion: v1
kind: Service
metadata:
name: ourfigurecollection
spec:
type: ClusterIP
selector:
app.kubernetes.io/name: ourfigurecollection
ports:
- protocol: TCP
port: 8001
targetPort: 8001
name: ourfigurecollection
- protocol: TCP
port: 8002
targetPort: 8002
name: ourfigurecollection-static
- protocol: TCP
port: 80
targetPort: 8080
name: anubis

7
apps/seija/pocketid/configmap.yaml Normal file
View File

@@ -0,0 +1,7 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: pocketid-config
data:
APP_URL: "https://auth.remilia.ch"
TRUST_PROXY: "true"

57
apps/seija/pocketid/deployment.yaml Normal file
View File

@@ -0,0 +1,57 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: pocketid
labels:
app.kubernetes.io/name: pocketid
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: pocketid
template:
metadata:
labels:
app.kubernetes.io/name: pocketid
spec:
volumes:
- name: pocketid-data
persistentVolumeClaim:
claimName: pocketid-pvc
containers:
- name: pocketid
image: ghcr.io/pocket-id/pocket-id:v1.6.2-distroless
imagePullPolicy: Always
ports:
- containerPort: 1411
envFrom:
- configMapRef:
name: pocketid-config
volumeMounts:
- name: pocketid-data
mountPath: "/app/data"
securityContext:
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
livenessProbe:
exec:
command:
- /app/pocket-id
- healthcheck
initialDelaySeconds: 10
failureThreshold: 3
periodSeconds: 90
startupProbe:
exec:
command:
- /app/pocket-id
- healthcheck
failureThreshold: 30
periodSeconds: 10

5
apps/seija/pocketid/kustomization.yaml Normal file
View File

@@ -0,0 +1,5 @@
resources:
- configmap.yaml
- deployment.yaml
- pvc.yaml
- services.yaml

11
apps/seija/pocketid/pvc.yaml Normal file
View File

@@ -0,0 +1,11 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: pocketid-pvc
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
storageClassName: hcloud-volumes

13
apps/seija/pocketid/services.yaml Normal file
View File

@@ -0,0 +1,13 @@
apiVersion: v1
kind: Service
metadata:
name: pocketid
spec:
type: ClusterIP
selector:
app.kubernetes.io/name: pocketid
ports:
- protocol: TCP
port: 80
targetPort: 1411
name: http

84
apps/seija/prettysunflower-website/deployment.yaml Normal file
View File

@@ -0,0 +1,84 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: prettysunflower-website
labels:
app.kubernetes.io/name: prettysunflower-website
spec:
replicas: 2
selector:
matchLabels:
app.kubernetes.io/name: prettysunflower-website
template:
metadata:
labels:
app.kubernetes.io/name: prettysunflower-website
spec:
containers:
- name: website
image: 'git.prettysunflower.moe/prettysunflower/prettysunflower-website:latest'
imagePullPolicy: Always
envFrom:
- secretRef:
name: prettysunflower-website-secret
ports:
- containerPort: 3334
- name: website-static
image: 'git.prettysunflower.moe/prettysunflower/prettysunflower-website-static:main'
imagePullPolicy: Always
ports:
- containerPort: 8001
- name: anubis
image: ghcr.io/techarohq/anubis:latest
imagePullPolicy: Always
env:
- name: "BIND"
value: ":8080"
- name: "DIFFICULTY"
value: "4"
- name: ED25519_PRIVATE_KEY_HEX
valueFrom:
secretKeyRef:
name: anubis-prettysunflower-website-key
key: ED25519_PRIVATE_KEY_HEX
- name: "METRICS_BIND"
value: ":9090"
- name: "SERVE_ROBOTS_TXT"
value: "false"
- name: "TARGET"
value: "http://localhost:3334"
- name: "OG_PASSTHROUGH"
value: "true"
- name: "OG_EXPIRY_TIME"
value: "24h"
- name: "THOTH_URL"
valueFrom:
secretKeyRef:
name: anubis-prettysunflower-website-key
key: THOTH_URL
- name: "THOTH_TOKEN"
valueFrom:
secretKeyRef:
name: anubis-prettysunflower-website-key
key: THOTH_TOKEN
resources:
limits:
cpu: 750m
memory: 256Mi
requests:
cpu: 250m
memory: 256Mi
securityContext:
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
dnsPolicy: "ClusterFirst"
dnsConfig:
nameservers:
- 100.96.226.96

4
apps/seija/prettysunflower-website/kustomization.yaml Normal file
View File

@@ -0,0 +1,4 @@
resources:
- deployment.yaml
- services.yaml
- secrets.yaml

48
apps/seija/prettysunflower-website/secrets.sops.yaml Normal file
View File

@@ -0,0 +1,48 @@
apiVersion: v1
kind: Secret
metadata:
name: prettysunflower-website-secret
type: Opaque
data:
GOOGLE_API_KEY: ENC[AES256_GCM,data:irEM9uQpUiQiQ1ORclh6DbAPdahzXGCC/32KhgVmgxd1ApEd9yxcaH/DaCssldoMyu0EDQ==,iv:rQtEs+4zhA6MVXGJbCFeG+I7X/kGMNW1fcH6jR5hS8w=,tag:dfRid1Arrui6EcFEKh1b4Q==,type:str]
sops:
age:
- recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2d0dIQnlnRjk1UFJTdFlx
bkVjdytJUjF6SnRVMW1tckdGVUN3OTRCRkIwClBhNi9NR1VIQ2dQR2ZjbWd5dnNT
MzlsV2xjaW93NUljeGlnelgxT1pSZlUKLS0tIEJEMS9VNDdQN0ppOEFnZ2lqeFJp
V2cyekl2WmN1cjBWNzVQUStQVmNBQ3MKaAzPeJuPHKUsF8WFMKBLfijcc9xGoiIy
7ZUqenMvu/hO62LgT+4NlQ66XN/OfLSiwSl3YYuGuELR1jGdK9LXVA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-07-16T14:35:28Z"
mac: ENC[AES256_GCM,data:vaiTEgR5/qYJf9tOwnn4ZB3ZgD62taLHHBEw252d1eaW9TSOCv4UGplPao8CVpp4dtEPY+EJlBV5h3pBB42KFDKZHDSrGqIz3wE/H3xJMovazmz4ZtHKVFbzp852CApL2F7GNWZgyZI/IRyYVk74v7XYqrks+BgF9WnPLdka1WY=,iv:zKYlyFmLeVaMfLiX3ZB3evlbekzrnQKripy6shpWTCs=,tag:dGjhYoaGCxvnJ8JQ6h5qfA==,type:str]
encrypted_regex: ^(data|stringData)$
version: 3.10.2
---
apiVersion: v1
kind: Secret
metadata:
name: anubis-prettysunflower-website-key
type: Opaque
data:
ED25519_PRIVATE_KEY_HEX: ENC[AES256_GCM,data:rsuPNEvHbI3CRnCDydyYrtkT2VIz9Ps4hos35joR2sVuaNtaLC9NGYeueRRMxusHZIgFED+KqP8YbIYotpOXqJuS8NTjFI8dgQj5dkXF6ZjNk5L3nJz9BA==,iv:mTmq2vSmJVJBQTVPINC4lcK6yxdxOpkHLk3mF8UJ84k=,tag:WbvdAu69Rhdr36aQq1zeYg==,type:str]
stringData:
THOTH_URL: ENC[AES256_GCM,data:o1Gk3f6ADbEyQ1dKXlcMyZqIj9Fb0IXFBkm+PrlBcMb/lPi9,iv:vBS7y4Hj4v8ySNL2zgIIK97wxIwgYs9vuM6lwVZeywc=,tag:SiFy3WIHTz585Zi/BR8X+g==,type:str]
THOTH_TOKEN: ENC[AES256_GCM,data:S9ZIlYOTEF31n/AdnPKd/JByg/B+tQpSRLXl8bLjbpA5dMEVBJfjYT68WBh/cJLRIUwkJMJhgIEVN3yJBePRpu+kRRzcg+XE2f4yuYdbgplGYfm7RG50CjE8GRNdLnE5bK05Z7LIuEGeYG6DEDiH0iNHWeZdGpmzeynSxTdVFlcRMSBzi8LRXQdw3ZySOabn+Z2F45Fv6DMKbyANLtR9YPViLvo0B8VLhVtoYJ5spu0Rr31p9ZLv4+w/AfeCt1NrN379UXmEoZ8YgvScpi42q9/qC/zjtKPx0AfC7vuTGSodQPcmmlDkvrxsZC3/mhy9QFsE3vHt64Yk9PcJXiv8R8ZgGN04yiWrI48vkeXjtEe/UIOnCyExwfXVQk6xRATY+xO946NgPUBz6ACX8CcEiiK9UNkZbEULho4=,iv:4+0uA3BWZgctn6W1xZYHjXHksdx364Y+PG6CqCiHKCw=,tag:2lJyO+KISqLFZfaJeaHGbQ==,type:str]
sops:
age:
- recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2d0dIQnlnRjk1UFJTdFlx
bkVjdytJUjF6SnRVMW1tckdGVUN3OTRCRkIwClBhNi9NR1VIQ2dQR2ZjbWd5dnNT
MzlsV2xjaW93NUljeGlnelgxT1pSZlUKLS0tIEJEMS9VNDdQN0ppOEFnZ2lqeFJp
V2cyekl2WmN1cjBWNzVQUStQVmNBQ3MKaAzPeJuPHKUsF8WFMKBLfijcc9xGoiIy
7ZUqenMvu/hO62LgT+4NlQ66XN/OfLSiwSl3YYuGuELR1jGdK9LXVA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-07-16T14:35:28Z"
mac: ENC[AES256_GCM,data:vaiTEgR5/qYJf9tOwnn4ZB3ZgD62taLHHBEw252d1eaW9TSOCv4UGplPao8CVpp4dtEPY+EJlBV5h3pBB42KFDKZHDSrGqIz3wE/H3xJMovazmz4ZtHKVFbzp852CApL2F7GNWZgyZI/IRyYVk74v7XYqrks+BgF9WnPLdka1WY=,iv:zKYlyFmLeVaMfLiX3ZB3evlbekzrnQKripy6shpWTCs=,tag:dGjhYoaGCxvnJ8JQ6h5qfA==,type:str]
encrypted_regex: ^(data|stringData)$
version: 3.10.2

17
apps/seija/prettysunflower-website/services.yaml Normal file
View File

@@ -0,0 +1,17 @@
apiVersion: v1
kind: Service
metadata:
name: prettysunflower-website
spec:
type: ClusterIP
selector:
app.kubernetes.io/name: prettysunflower-website
ports:
- protocol: TCP
port: 80
targetPort: 8080
name: anubis
- protocol: TCP
port: 8001
targetPort: 8001
name: website-static

78
apps/seija/privatebin/deployment.yaml Normal file
View File

@@ -0,0 +1,78 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: privatebin
labels:
app.kubernetes.io/name: privatebin
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: privatebin
template:
metadata:
labels:
app.kubernetes.io/name: privatebin
spec:
volumes:
- name: privatebin-data
persistentVolumeClaim:
claimName: privatebin-data-pvc
containers:
- image: privatebin/nginx-fpm-alpine:1.7.8
name: privatebin
imagePullPolicy: Always
ports:
- containerPort: 8080
protocol: TCP
volumeMounts:
- name: privatebin-data
mountPath: "/srv/data"
securityContext:
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
- name: anubis
image: ghcr.io/techarohq/anubis:v1.20.0
imagePullPolicy: Always
env:
- name: "BIND"
value: ":8081"
- name: "DIFFICULTY"
value: "3"
- name: ED25519_PRIVATE_KEY_HEX
valueFrom:
secretKeyRef:
name: anubis-key
key: ED25519_PRIVATE_KEY_HEX
- name: "METRICS_BIND"
value: ":9090"
- name: "SERVE_ROBOTS_TXT"
value: "true"
- name: "TARGET"
value: "http://localhost:8080"
- name: "OG_PASSTHROUGH"
value: "false"
resources:
limits:
cpu: 750m
memory: 256Mi
requests:
cpu: 250m
memory: 256Mi
securityContext:
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault

5
apps/seija/privatebin/kustomization.yaml Normal file
View File

@@ -0,0 +1,5 @@
resources:
- pvc.yaml
- deployment.yaml
- services.yaml
- secrets.yaml

12
apps/seija/privatebin/pvc.yaml Normal file
View File

@@ -0,0 +1,12 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: privatebin-data-pvc
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 5Gi
storageClassName: hcloud-volumes

22
apps/seija/privatebin/secrets.sops.yaml Normal file
View File

@@ -0,0 +1,22 @@
apiVersion: v1
kind: Secret
metadata:
name: anubis-key
type: Opaque
data:
ED25519_PRIVATE_KEY_HEX: ENC[AES256_GCM,data:iatFUERK2zHMMq+2uzsTdr15pnyEY9bXYlXFt3sZR+C36cneumogFu3AhV4j0EadseLDPKxkSml3bazpejSyNvWinjpIOwORSi6EHlw71ByDy4Li4/hppg==,iv:5/wZHTzGHN8okMzzm19gt3T5d2rCjvb4RtoaWCwUwgY=,tag:9ZC63C2okeTRt/wGlvb6Lg==,type:str]
sops:
age:
- recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1aFZqQ3g1VDFLY0RuaVZ0
bzhpVHd0UERaSnlidVBidzVnR256T0xWS3lnCnBlbDdlSm9CNWlmVmFzdTZPSmFX
bTJUU3hJZy9jKzVWOTJFNVVMbWMzUnMKLS0tIFdDUnpLMGRQTlNjT3pqV2s2OVZH
V0lpRFdvMXVaYWZ6NmVxNTlsM2IvZHMK10ArWUv7S8w0WwDJCmOwWp56Us8fAkrp
5rZPG2IhlxAG+5NbbQq13jxjGuQuzACllkreXD3NtwmACWgubGZV2Q==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-07-16T14:35:28Z"
mac: ENC[AES256_GCM,data:K7jl1bA6UAlJ3LVJsnAOdHf1MFJAK4vrxRktWzoV1zh4DSOVIo3TeGn7wLqlPlbbILFlXKMJUHT7AzfKyv/MtECTe5TOyjQqFYPZ7ZRvE72faghkJAN/AfHIjLZWFOuWOAB2ZEY9cJWCe7zLbC+cwHC7KxepPBHZdQnh//wuz4s=,iv:aooSLGTTL5v5ZhHGJKKcaCGhSl6GciHpGyG00ybzWIQ=,tag:pQ/HNQODherqkToT+JTbIA==,type:str]
encrypted_regex: ^(data|stringData)$
version: 3.10.2

13
apps/seija/privatebin/services.yaml Normal file
View File

@@ -0,0 +1,13 @@
apiVersion: v1
kind: Service
metadata:
name: privatebin
spec:
type: ClusterIP
selector:
app.kubernetes.io/name: privatebin
ports:
- protocol: TCP
port: 80
targetPort: 8081
name: http

32
apps/seija/uptime-kuma/deployment.yaml Normal file
View File

@@ -0,0 +1,32 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: uptime-kuma
labels:
app.kubernetes.io/name: uptime-kuma
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: uptime-kuma
template:
metadata:
labels:
app.kubernetes.io/name: uptime-kuma
spec:
hostAliases:
- ip: "100.113.193.5"
hostnames:
- "mail.prettysunflower.moe"
volumes:
- name: uptime-kuma-data
persistentVolumeClaim:
claimName: uptime-kuma-pvc
containers:
- image: louislam/uptime-kuma:1
name: uptime-kuma
ports:
- containerPort: 3001
volumeMounts:
- name: uptime-kuma-data
mountPath: "/app/data"

4
apps/seija/uptime-kuma/kustomization.yaml Normal file
View File

@@ -0,0 +1,4 @@
resources:
- deployment.yaml
- services.yaml
- pvc.yaml

11
apps/seija/uptime-kuma/pvc.yaml Normal file
View File

@@ -0,0 +1,11 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: uptime-kuma-pvc
spec:
accessModes:
- ReadWriteOnce
storageClassName: hcloud-volumes
resources:
requests:
storage: 3Gi

13
apps/seija/uptime-kuma/services.yaml Normal file
View File

@@ -0,0 +1,13 @@
apiVersion: v1
kind: Service
metadata:
name: uptime-kuma
spec:
type: ClusterIP
selector:
app.kubernetes.io/name: uptime-kuma
ports:
- protocol: TCP
port: 80
targetPort: 3001
name: http

4
apps/seija/znc/kustomization.yaml Normal file
View File

@@ -0,0 +1,4 @@
resources:
- pvc.yaml
- services.yaml
- statefulset.yaml

11
apps/seija/znc/pvc.yaml Normal file
View File

@@ -0,0 +1,11 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: znc-pvc
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 5Gi
storageClassName: hcloud-volumes

17
apps/seija/znc/services.yaml Normal file
View File

@@ -0,0 +1,17 @@
apiVersion: v1
kind: Service
metadata:
name: znc
spec:
type: NodePort
selector:
app.kubernetes.io/name: znc
ports:
- protocol: TCP
port: 4921
targetPort: 4921
name: https
- protocol: TCP
port: 4922
targetPort: 4922
name: http

40
apps/seija/znc/statefulset.yaml Normal file
View File

@@ -0,0 +1,40 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: znc
labels:
app.kubernetes.io/name: znc
spec:
replicas: 1
serviceName: "znc"
selector:
matchLabels:
app.kubernetes.io/name: znc
template:
metadata:
labels:
app.kubernetes.io/name: znc
spec:
volumes:
- name: znc-config
persistentVolumeClaim:
claimName: znc-pvc
containers:
- name: znc
image: znc:1.10.1
imagePullPolicy: Always
ports:
- containerPort: 4921
volumeMounts:
- name: znc-config
mountPath: "/znc-data"
securityContext:
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault