The great reset, we moved infra into two clusters (sekibanki et seija)

2025-07-16 10:39:09 -04:00
parent 68f1108c2d
commit 1df5459f70
145 changed files with 2431 additions and 576 deletions
--- a/apps/sekibanki/gotosocial/configmap.yaml
+++ b/apps/sekibanki/gotosocial/configmap.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: gotosocial-config
+data:
+  GTS_HOST: fedi.prettysunflower.moe
+  GTS_ACCOUNT_DOMAIN: prettysunflower.moe
+  GTS_TRUSTED_PROXIES: "10.217.0.0/32"
+  GTS_INSTANCE_LANGUAGES: en,fr
+  GTS_ACCOUNTS_ALLOW_CUSTOM_CSS: "true"
--- a/apps/sekibanki/gotosocial/deployment.yaml
+++ b/apps/sekibanki/gotosocial/deployment.yaml
@@ -0,0 +1,76 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: gotosocial
+  labels:
+    app.kubernetes.io/name: gotosocial
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: gotosocial
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: gotosocial
+    spec:
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: gotosocial-pvc
+      dnsPolicy: "None"
+      dnsConfig:
+        nameservers:
+          - 100.96.226.96
+      containers:
+        - image: docker.io/superseriousbusiness/gotosocial:0.19.1
+          name: gotosocial
+          ports:
+            - containerPort: 8080
+              protocol: TCP
+              name: http
+          volumeMounts:
+          - name: data
+            mountPath: /gotosocial/storage
+          envFrom:
+            - configMapRef:
+                name: gotosocial-config
+            - secretRef:
+                name: gotosocial-secrets
+          securityContext:
+            runAsUser: 1000
+            runAsGroup: 1000
+            runAsNonRoot: true
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
+          livenessProbe:
+            httpGet:
+              path: /livez
+              port: http
+            initialDelaySeconds: 30
+            periodSeconds: 30
+            timeoutSeconds: 5
+            failureThreshold: 3
+            successThreshold: 1
+          startupProbe:
+            httpGet:
+              path: /readyz
+              port: http
+            initialDelaySeconds: 10
+            periodSeconds: 10
+            timeoutSeconds: 5
+            failureThreshold: 30
+            successThreshold: 1
+          readinessProbe:
+            httpGet:
+              path: /readyz
+              port: http
+            initialDelaySeconds: 15
+            periodSeconds: 10
+            timeoutSeconds: 5
+            failureThreshold: 3
+            successThreshold: 1
--- a/apps/sekibanki/gotosocial/kustomization.yaml
+++ b/apps/sekibanki/gotosocial/kustomization.yaml
@@ -0,0 +1,6 @@
+resources:
+- configmap.yaml
+- deployment.yaml
+- pvc.yaml
+- secrets.yaml
+- svc.yaml
--- a/apps/sekibanki/gotosocial/pvc.yaml
+++ b/apps/sekibanki/gotosocial/pvc.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: gotosocial-pvc
+spec:
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 10G
+  storageClassName: nfs-csi
--- a/apps/sekibanki/gotosocial/secrets.sops.yaml
+++ b/apps/sekibanki/gotosocial/secrets.sops.yaml
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: gotosocial-secrets
+type: Opaque
+stringData:
+    GTS_DB_ADDRESS: ENC[AES256_GCM,data:PqPAl3c/2yYw/R+o,iv:01M73o6Ok/cDxxtSpHjduWKSFplXNJ93WcQYf19DTWg=,tag:KdMISrg8LEG7pj49OyeYdA==,type:str]
+    GTS_DB_USER: ENC[AES256_GCM,data:LFMfG09Z2OIBhA==,iv:L2Gapmk2nvOdDRiRM7sRLdIJnhhJ+N9kAzYl4P4w7r8=,tag:PghjpZRZjiN6BqvCz5g3Dg==,type:str]
+    GTS_DB_PASSWORD: ENC[AES256_GCM,data:CnqraWwcOkRHt+ET/0lp,iv:asmChmzapS73l3nTVK+qhBr3HDNi7UvNVwjOO2razPk=,tag:fB9JOnpqWf1ZczAjIjc9Zg==,type:str]
+sops:
+    age:
+        - recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6dkoxaUJ2bnRDNEFadjdN
+            MFRmUUM2M0xlRXJ1WmhPY080WVdHa2h2S1FRCnI2MmdJRUxlUlNxVnBUa3ZHUEVF
+            YkxKaUZXYTFrU0FYSmNIQm94SDN4bHcKLS0tIHIvdTBXdmxqM2I3WGo3dWpPK3lL
+            ditudGE2OVpNZVRTMXdoM2w2eHdpZkUKOQ+LS4zDEeJheoJ/pR06h/WwozoyBXMz
+            DbxFpJ0ykjmUuRJ3CBr/MPVRa0V8NA8qVTHxjYDYwg4H9LH4nB+yiw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-07-16T14:35:28Z"
+    mac: ENC[AES256_GCM,data:Ys4wt4Z2ocKt3WPxztXl7K/2gEFnnppxvSPGxqB6KBeNe/mRkYQ7PAqCcUKZledncIgXpxRfU/Cv7huc93MlQVGyNZ1MgYO7U9H8vBHaDJuS1bAJ6n/NnDKKCQA7yJOJpfd09FnScOpeMf1cO+PQPuHaYUbIZpS+6ctepXLpHQo=,iv:uCFSGP8qvZA6EmTzUD6q9uwrkIHraMGyyjQ+42FikTM=,tag:gCePqCDIeZ3yxkKbsWCsZw==,type:str]
+    encrypted_regex: ^(data|stringData)$
+    version: 3.10.2
--- a/apps/sekibanki/gotosocial/svc.yaml
+++ b/apps/sekibanki/gotosocial/svc.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: gotosocial
+spec:
+  type: ClusterIP
+  selector:
+    app.kubernetes.io/name: gotosocial
+  ports:
+    - protocol: TCP
+      port: 80
+      targetPort: http
+      name: http