The great reset, we moved infra into two clusters (sekibanki et seija)

apps/seija/ourfigurecollection/deployment.yaml

@@ -0,0 +1,108 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ourfigurecollection
+  labels:
+    app.kubernetes.io/name: ourfigurecollection
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: ourfigurecollection
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: ourfigurecollection
+    spec:
+      affinity:
+        nodeAffinity:
+          preferredDuringSchedulingIgnoredDuringExecution:
+          - weight: 1
+            preference:
+              matchExpressions:
+              - key: location
+                operator: In
+                values:
+                - fsn
+      containers:
+        - name: ourfigurecollection-django
+          image: "git.prettysunflower.moe/prettysunflower/ourfigurecollection:main"
+          imagePullPolicy: Always
+          ports:
+            - containerPort: 8001
+          volumeMounts:
+          - name: config
+            mountPath: /ourfigurecollection/ourfigurecollection/local_settings.py
+            subPath: local_settings.py
+          securityContext:
+            runAsUser: 1000
+            runAsGroup: 1000
+            runAsNonRoot: true
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
+        - name: ourfigurecollection-static
+          image: "git.prettysunflower.moe/prettysunflower/ourfigurecollection-static:main"
+          imagePullPolicy: Always
+          ports:
+            - containerPort: 8002
+        - name: anubis
+          image: ghcr.io/techarohq/anubis:v1.20.0
+          env:
+            - name: "BIND"
+              value: ":8080"
+            - name: "DIFFICULTY"
+              value: "4"
+            - name: ED25519_PRIVATE_KEY_HEX
+              valueFrom:
+                secretKeyRef:
+                  name: anubis-ourfigurecollection-key
+                  key: ED25519_PRIVATE_KEY_HEX
+            - name: "THOTH_URL"
+              valueFrom:
+                secretKeyRef:
+                  name: anubis-ourfigurecollection-key
+                  key: THOTH_URL
+            - name: "THOTH_TOKEN"
+              valueFrom:
+                secretKeyRef:
+                  name: anubis-ourfigurecollection-key
+                  key: THOTH_TOKEN
+            - name: "METRICS_BIND"
+              value: ":9090"
+            - name: "SERVE_ROBOTS_TXT"
+              value: "true"
+            - name: "TARGET"
+              value: "http://localhost:8001"
+            - name: "OG_PASSTHROUGH"
+              value: "true"
+            - name: "OG_EXPIRY_TIME"
+              value: "24h"
+          resources:
+            limits:
+              cpu: 750m
+              memory: 256Mi
+            requests:
+              cpu: 250m
+              memory: 256Mi
+          securityContext:
+            runAsUser: 1000
+            runAsGroup: 1000
+            runAsNonRoot: true
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
+      volumes:
+      - name: config
+        configMap:
+          name: ourfigurecollection-config
+      dnsPolicy: "None"
+      dnsConfig:
+        nameservers:
+          - 100.96.226.96

apps/seija/ourfigurecollection/kustomization.yaml

@@ -0,0 +1,8 @@
+resources:
+- deployment.yaml
+- svc.yaml
+- secrets.yaml
+configMapGenerator:
+- name: ourfigurecollection-config
+  files:
+  - local_settings.py

apps/seija/ourfigurecollection/local_settings.py

@@ -0,0 +1,35 @@
+DATABASES = {
+    "default": {
+        "ENGINE": "django.db.backends.postgresql",
+        "NAME": "ourfigurecollection",
+        "USER": "ourfigurecollection",
+        "PASSWORD": "xxHWl#d$FoYZ54",
+        "HOST": "100.85.208.69",
+        "PORT": "5432",
+    }
+}
+
+import sentry_sdk
+
+ALLOWED_HOSTS = ["ourfigurecollection.moe"]
+DEBUG = False
+KAKIGOORI_API_KEY = "63586938-dd4b-4e01-a48a-6344e0bc226b"
+OIDC_CLIENT_ID = "749bcfb1-ee32-4c79-85b5-92062d7192b3"
+OIDC_CLIENT_SECRET = "dEhOJ6pvfy3d95Cx7kMq0SHBEgb6romd"
+OIDC_DISCOVERY_URL = "https://auth.remilia.ch/.well-known/openid-configuration"
+
+sentry_sdk.init(
+    dsn="https://62638433153873bc2395021d22e96972@o134957.ingest.us.sentry.io/4508270934360064",
+    # Add data like request headers and IP for users;
+    # see https://docs.sentry.io/platforms/python/data-management/data-collected/ for more info
+    send_default_pii=True,
+    # Set traces_sample_rate to 1.0 to capture 100%
+    # of transactions for tracing.
+    traces_sample_rate=1.0,
+    # To collect profiles for all profile sessions,
+    # set `profile_session_sample_rate` to 1.0.
+    profile_session_sample_rate=1.0,
+    # Profiles will be automatically collected while
+    # there is an active span.
+    profile_lifecycle="trace",
+)

apps/seija/ourfigurecollection/local_settings.sops.py

@@ -0,0 +1,15 @@
+{
+	"data": "ENC[AES256_GCM,data:4MYUeRSLBpr51Gae4rNAhutaDiOT1Bjz0lpDiXGAcv9sAXDQTfJA6nHSAhJxcE0ZopIt4te2F6B105/7fCDa4qBma6lQf3c0wQjd+Q+YhzaUSAhf3MFXANIcmpLVYV5szcgJ/Snc8z4lgzZtt2bONEL/wJQU8dEFBpHKdoqQtWoKJB/XbjvgBMpnTq/FjTiOk6KauD224jf4F2fFGRijkJLJAFp9DAtmZ0zZs/IkVTgsTsXkxyQnMsSN9eOGzT7UIJ6sZIuRpvl1nsTV0sLH545PHSufykJCnrdFl05jjNCUxz10mfDg4dXieuAWHWD7vd3eB71uJS8+iEhMc1+PJLOPiItdtcXqT8Z24Grz6A9ANLHkocqRxZ/x7+2KTy5pKVpLRtdGaSF1oiBiBfHAcZX3CCsEci3k0aohrIVywher8rTf5SLfyb0jjoihTjeKvKzDpgADvJSnEnJMMszuA5K3Vu+wszVP+tlA1pLJ4+nITKhT65PRUw0+A9TA5iA2ETsrfyE8dI4q5TCyfXmh6LP7vB2bZsk5zaKDpfU22gBF/foLV6tlFvvv+zT5UnKRAjTbIzAtIe2VFWG/4aAR++PLqM9W5vUYjwoPxP7GqVa5BQStVgdVu8rGaQfx2Z+aG8VMlODJZrA4U7+XCmlDFZMUJiBOBieVo0gsYkhQO2GNnd8/WpEmlsE+8i6LOJUPopmfpH51wriXBol9SJwxDwslxmCQ6in+kX43Jf57m/1GxLnUeIvEZHlyzesC0WIkmUU20e+1MqRmFI7jAwLBE50tsDB4fRjUF0+TtwFGv9eP0qlS6SNTa/5JrXYP956u35XDqYfy5BTiZyEu9RwwirvaeoamelVgIzhyxbokwK50adYcGoETlg/JEwEffmvb0KxcMJIXC8N6iI79/MpW3vc/u+qPeiY605zaLqKBf5zwlwqAXnMdkN9JEmeuCcOq4OVanrexX1LHTWANJe7cKtLHKAvct/FeDACRCfMBaa47ZGtgRo1fXExQOfA66xAlFGUZRH3l1ucQFHRRDqg8mNB5depedXwwtoC2iX35vKkYXhbMTK5lIgpOvbwDvFYmfD+iD0I4L03aSnDGFxJFAVKVwtPbUUTHT5TQdA4ZaUG/pJlSAaxR9iSd9rbtSPjIoDstdpscovzis9gA0zVhwSKK/24JO55dxFb8wCYlc6RxDW1YgSmNdKDy5AsjSDJF//1nzrU/+raDAB3xr1IUoFDDJy377N7467LKjy6GbDm5PpEhBETnMqV7rHmmy6x7KoieNfwQrY48YF2FbcngwCaQ2dH+irFfYeJ9NdAl1M7DeDLOI6I3E7EL57UbIZSTRXk/RutShRwPr+Mw8iZjB81Ii3vsq7j5LNtRA3flLZdoRtTlw0RS2Rr/yCKmsVqOiTbonbG/WeUFUaPISzm4FsGPoSIXp3yt3FRj1zhPSuKvSw2KolMR4uLz8wEKBplB3/t05bnQn3HvfIOqtXhaNTIKPCr6NUgLrc1H8N+FL/RziwA+46uW4YwpfD435tmN4j3c0tcZLHXc2zfh/molQwOYF9me+KU8OJc/636kThz0tUAp6/DEfV8tkjwjFjfB91/L7ChTyh8NuRidK9KsPSV88yQ9kNWxLnetsKsQMOETBBNx3SCly2x2Qh18a9rjgbPgVg==,iv:7IlGRvqypBq82d5wtssqADkCBOvDnRAlJIewsccOcSw=,tag:H5yQtygO/RNhL+1bdEy4bA==,type:str]",
+	"sops": {
+		"age": [
+			{
+				"recipient": "age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw",
+				"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtQlE4dEI4WHp1dWs0MU1J\nWmI1aExtdTNRSWVMK0hCZ3JhbzUyUnpBc3pVCmZRWSs2eWwxaTIydTU1TVdhb3RS\nVU00VWNMb1JKUFpwcElHbk14cStveVUKLS0tIDVrcFlmV0dCNXZVaDV5OTZQOTJ2\ndGtzTzQyL1k5QUlyTVcvdk9wWVBBOUUKnGPFDBicVruq445e5JnPutHoXVFnR7h7\nDNBBiZTNDzV73F/DEmwUtUu5r/0WDWfVBTY7EhXyry//JmViF1HGRw==\n-----END AGE ENCRYPTED FILE-----\n"
+			}
+		],
+		"lastmodified": "2025-07-16T14:35:28Z",
+		"mac": "ENC[AES256_GCM,data:tJ3DK0YoCy3YpdIq0jzPB8kFDyFx064i7DjouO7GVGWgrbm5i11OO/dvG/LkP5xMVHp83TkUAjbeW9SHM8h2+OiHZwCOfnYEcGQqcK+JMa9o8jDGfsARph6GKTM/JnlkLYyYuIgGqK2XJEmOazQ3Yt2BhGAFb5GrHp9/fVxCG+k=,iv:zlGkcrccPBh7Vbxc7rQjLjrXtmv+278BgV+cfcSt+o4=,tag:dRwIf51HJrqCTAIOVz206Q==,type:str]",
+		"unencrypted_suffix": "_unencrypted",
+		"version": "3.10.2"
+	}
+}

apps/seija/ourfigurecollection/secrets.sops.yaml

@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: anubis-ourfigurecollection-key
+type: Opaque
+stringData:
+    ED25519_PRIVATE_KEY_HEX: ENC[AES256_GCM,data:cXINZRGu3j/lch50MqcOl7TkuVwFmBN16Dt2G9yvGkiGhAukrRBSXLTM5q7zbu1J+bBJi9a2PLvGS8i/Q2Opbg==,iv:hL1XQ+odWJTp6cMBcMbmg+GxURbx6CvIKB8uwk5U15Q=,tag:7RquLIFtPNGeYNXDQKpQeQ==,type:str]
+    THOTH_URL: ENC[AES256_GCM,data:PqDBOXxE2os0HkTpzhWWDPTxkiQc4N1O8+QCu10DT8QhZneO,iv:jWBYmCIJZJI7atECZSEZ1+SmcWT9F5TR6Az00fohVXA=,tag:NsMNIqQW8OHkn0Ga70hB+A==,type:str]
+    THOTH_TOKEN: ENC[AES256_GCM,data:brbDUCMIm+AuEfDdsrZT5xpas79Z5WUSGvpL98mcIYpswbqrqluhOUkG6kQrbfnxUm9Z0gW9IPgi+4x8K0hz6YMYPaZVJwau+Ggm8raWY2rKSVI/57S+xqWeRMqD/JegvlFjePZZGqtPEjPXurZC9Hh/mSKPNtk0j/41aLrt9cDZVBlHqYjqPFBAQ0G3opWjOvS552sv+hXHzVy5VmbX/DdYeW9+0Nw8yGk1qJKhNj/uOv0/JufSqIvRPgv4jvAKJ/pFiZ5HHZvn1JC4IVdXfey2oNiRKhD89/CcbJCmk8b9dk4MGQoo6O+ppRUNhQozB2cn5RNgF9LJeFD4Cg8ssPavtWtK8deQc4GruHI9sVu7DG90O6fwH3/Ns+LY9D0f11TI9cux5GzAC0RmnBqU8LyVuQKDqsd6htU=,iv:O05keiJh5iPUhVnrPkW4YMNoAha4ghNBIL0bhu5a56Q=,tag:Wt1I+4ccLuAnQR8obRQafw==,type:str]
+sops:
+    age:
+        - recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlYU0zZG5LSDNvVEFjeXNE
+            bWI4RzhxVUp4M3RYN1V3eE96Y2ZXdUxlTWtrCkRvSTVTcU5TeUJSZXBpWFpVQkF4
+            czUydFVDdFk3djF3eURLd2tyTVEzRzQKLS0tIFR4NzNTQ3lFUnMyU2R5bW5yaDNa
+            MGdKQ0tZRGxFRWlER2d6UExkcnFLUHcKI0785hD9BzhDtZk4lIDq/XFGNkaMiVop
+            PGK6RSbouD5oG0gga07YyAKMsOvz1CCCGEwFhTgsWb2p+1bN2QqXkw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-07-16T14:35:28Z"
+    mac: ENC[AES256_GCM,data:4GDYYdLIjt+SfUfJvLOLZLrmDBiXhyoh03g5fwk4Uj944I+51paT1oMxJl9Dd0XRWbFK2JMUIc7sSe4HUpsEaSOkfYtM/t4sX0iNTWfPKzxwqOSAE72eDI31ocPUzwlN94/6VYkqPcG1vKADFVqsY4zqp2f2bPOnMbaLLQQGoQU=,iv:91aG7OGowAUkOcp6fLHT8khbSXv2tq8gYFmM4qqcPX0=,tag:zqjA+KVxielyksOtVD8i2w==,type:str]
+    encrypted_regex: ^(data|stringData)$
+    version: 3.10.2

apps/seija/ourfigurecollection/svc.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: ourfigurecollection
+spec:
+  type: ClusterIP
+  selector:
+    app.kubernetes.io/name: ourfigurecollection
+  ports:
+    - protocol: TCP
+      port: 8001
+      targetPort: 8001
+      name: ourfigurecollection
+    - protocol: TCP
+      port: 8002
+      targetPort: 8002
+      name: ourfigurecollection-static
+    - protocol: TCP
+      port: 80
+      targetPort: 8080
+      name: anubis