prettysunflower/infra
1
Fork 0
Code Issues 1 Pull Requests 1 Actions Packages Projects Releases Wiki Activity

The great reset, we moved infra into two clusters (sekibanki et seija)

Browse Source
This commit is contained in:
prettysunflower
2025-07-16 10:39:09 -04:00
parent 68f1108c2d
commit 1df5459f70
145 changed files with 2431 additions and 576 deletions
Download Patch File Download Diff File Expand all files Collapse all files

12
apps/sekibanki/teable/config.yaml Normal file
View File

@@ -0,0 +1,12 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: teable-config
namespace: teable
data:
PUBLIC_ORIGIN: "https://data.sunflower.lgbt"
BACKEND_CACHE_PROVIDER: "redis"
NEXT_ENV_IMAGES_ALL_REMOTE: "true"
PRISMA_ENGINES_CHECKSUM_IGNORE_MISSING: "1"
NODE_TLS_REJECT_UNAUTHORIZED: '0'
BACKEND_STORAGE_TOKEN_EXPIRE_IN: '1d'

139
apps/sekibanki/teable/deployment.yaml Normal file
View File

@@ -0,0 +1,139 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: teable
namespace: teable
labels:
app.kubernetes.io/name: teable
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: teable
template:
metadata:
labels:
app.kubernetes.io/name: teable
spec:
hostAliases:
- ip: "100.113.193.5"
hostnames:
- "mail.prettysunflower.moe"
initContainers:
- name: db-migrate
image: ghcr.io/teableio/teable:83745958bbba83111145e1cd48de811cfc7db601
args:
- migrate-only
envFrom:
- configMapRef:
name: teable-config
- secretRef:
name: teable-secrets
resources:
requests:
cpu: 100m
memory: 102Mi
limits:
cpu: 1000m
memory: 1024Mi
securityContext:
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault
containers:
- name: teable
image: ghcr.io/teableio/teable:83745958bbba83111145e1cd48de811cfc7db601
args:
- skip-migrate
ports:
- containerPort: 3000
envFrom:
- configMapRef:
name: teable-config
- secretRef:
name: teable-secrets
resources:
requests:
cpu: 200m
memory: 400Mi
limits:
cpu: 2000m
memory: 4096Mi
startupProbe:
httpGet:
path: /health
port: 3000
initialDelaySeconds: 10
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 30
successThreshold: 1
livenessProbe:
httpGet:
path: /health
port: 3000
initialDelaySeconds: 30
periodSeconds: 30
timeoutSeconds: 5
failureThreshold: 3
successThreshold: 1
readinessProbe:
httpGet:
path: /health
port: 3000
initialDelaySeconds: 15
periodSeconds: 10
timeoutSeconds: 5
failureThreshold: 3
successThreshold: 1
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: valkey
namespace: teable
labels:
app.kubernetes.io/name: valkey
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: valkey
template:
metadata:
labels:
app.kubernetes.io/name: valkey
spec:
volumes:
- name: valkey-data
persistentVolumeClaim:
claimName: valkey-data-pvc
containers:
- image: valkey/valkey:8.1.2-alpine
name: valkey
envFrom:
- secretRef:
name: valkey-secrets
command: ["valkey-server"]
ports:
- containerPort: 6379
protocol: TCP
volumeMounts:
- name: valkey-data
mountPath: "/data"
securityContext:
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
seccompProfile:
type: RuntimeDefault

7
apps/sekibanki/teable/kustomization.yaml Normal file
View File

@@ -0,0 +1,7 @@
resources:
- config.yaml
- deployment.yaml
- pvc.yaml
- namespace.yaml
- services.yaml
- secrets.yaml

6
apps/sekibanki/teable/namespace.yaml Normal file
View File

@@ -0,0 +1,6 @@
kind: Namespace
apiVersion: v1
metadata:
name: teable
labels:
name: teable

12
apps/sekibanki/teable/pvc.yaml Normal file
View File

@@ -0,0 +1,12 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: valkey-data-pvc
namespace: teable
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 5Gi
storageClassName: nfs-csi

63
apps/sekibanki/teable/secrets.sops.yaml Normal file
View File

@@ -0,0 +1,63 @@
apiVersion: v1
kind: Secret
metadata:
name: teable-secrets
namespace: teable
type: Opaque
stringData:
PRISMA_DATABASE_URL: ENC[AES256_GCM,data:S7Y4B5apBAYbZ6lQ5/O31RThkAnKV3Qx+ab2ieQSn63qsik451ciRWzTysIuADOeivo+1sSqyIIdBvBGpPR+n108kw==,iv:zSwa0dgoydq2hbaxxXDO/gBcrLMPFqAxjTUaPMfzyOg=,tag:Uy/+KAP7SE4bOrDN7eNWIg==,type:str]
SECRET_KEY: ENC[AES256_GCM,data:KXnjt6MiPts4u1vqf4pFYjAJq+6xPQ==,iv:8U61KBz8ZaNZluvLsGNmP3X7M5Upv/02ngoy2lpndUQ=,tag:0RmPivQtQgQa+XAltN6Dxg==,type:str]
BACKEND_STORAGE_PROVIDER: ENC[AES256_GCM,data:M9o=,iv:Z8twg5olXc+PtrVNxl24W6m+l/5bS81kAiXF4O8CSHQ=,tag:ImiZg6nCiGGFUPIfWRqrlQ==,type:str]
BACKEND_STORAGE_S3_REGION: ENC[AES256_GCM,data:JvGqWw==,iv:8KbVumdAXPZBLB7g7oqf1rfFnHKhPvleezY7Tryma1o=,tag:9VVoNTjvuPs7v0ep8wSc9w==,type:str]
BACKEND_STORAGE_S3_ENDPOINT: ENC[AES256_GCM,data:THKG0BPjvXU9u1qeutoBkGJ8pbq1aw==,iv:T04svNvlk+05mrwlVV9sp32eyjbKWp/Z0Fdc3PUOB1k=,tag:Ov7Wr4lJ0ixdTD3/9db0DA==,type:str]
BACKEND_STORAGE_S3_ACCESS_KEY: ENC[AES256_GCM,data:4X9UespqF1qtiLIfMQRi79VP5Xdjage7xTxZKPtJ80vs2VnaFknqzzDTMsAm9fZk7FKMCWde,iv:Rp0AlShe6e0JrQ/4fVyiGs5lAkPXl7574UF35HHntwQ=,tag:TSemTreK3c5+mZjTt+Cl0w==,type:str]
BACKEND_STORAGE_S3_SECRET_KEY: ENC[AES256_GCM,data:GtenV4qKUlZmGMV8WCO3/9tsjpdTceoCzY8v4maWIo1L9iy/u4I8TKXa6iv/9QpSTq0YW2qh5YtmSOvpeqOsmceNV3s61CNydqsE,iv:I9cn5jmP6OjQ3H3Z8TLT5ZGNihnME3cnyn7BI9iBIUg=,tag:9CXNZtg9B/4Yj2ZKTgwSRg==,type:str]
BACKEND_STORAGE_PUBLIC_BUCKET: ENC[AES256_GCM,data:GoOlFVdgcG8yx9hTFyI0zK/WvlgnMAYshLejrKs=,iv:lJTx2Wovtka+fHGK7ojWiY81besS7IrV/oPcN5546UI=,tag:M4Q0ukX3Vhc/F6WPQsmmVQ==,type:str]
BACKEND_STORAGE_PRIVATE_BUCKET: ENC[AES256_GCM,data:2pmNoVRrkkwggoj2gjxy2fOGQYTT+q5L7LqYnNOF,iv:LSe93EycfC304/ji1BU/dovsCP2L+s6II3Uz7drl7lY=,tag:NlCE0GMQOEWABcjDKG6rIQ==,type:str]
BACKEND_CACHE_REDIS_URI: ENC[AES256_GCM,data:2WSh32ZQb26dPyI9LVqxQaykMdXhFuA6YKMzpT9X3HXcKO0wGiJMl0tDZvIK/qnGU4ShgCXqD5/TQZSzTe6XI1YKJoFou6pvHkXgFIoEJEZSgxWlhY9unj3Fizwm,iv:8vkHRo5cpLRNzVxmeJILY/DAO9Xgp8RoJnTiG4mqQJc=,tag:EzhcJ9ntjlWD95KDpke2Bg==,type:str]
BACKEND_MAIL_HOST: ENC[AES256_GCM,data:dRZR7Oi9acB5ANFcO6HWUyPyHFcgESYb,iv:uyyQHB18OuZJDM0+6FcYvbyZEjOeOPQj8HTE7zWLl28=,tag:6x5clI3OquJI4ryoJ/mIhQ==,type:str]
BACKEND_MAIL_PORT: ENC[AES256_GCM,data:UzK1,iv:KYdakhFPfe7wLyNbxpQlAmYDYhmHfKVAiDtFMTwxhPU=,tag:KfrNLO7Z5y24gWcFo3O9Sw==,type:str]
BACKEND_MAIL_SECURE: ENC[AES256_GCM,data:yqGAQG0=,iv:oVaScBsc2v7AqudqJxyM/AGmd9479igZzNsY+G+wNWE=,tag:JM7JfT8Ljv6IbytBGmAplg==,type:str]
BACKEND_MAIL_SENDER: ENC[AES256_GCM,data:PNmUSwER7gjYv4bVxBPDxy5LOwFMhoPsY6U=,iv:1lUdrocPb6nP7N/6Xk4+d67pF3iu4jvvskKJ0x/UADU=,tag:reHZtXP0ZXwOFH9XibNrWA==,type:str]
BACKEND_MAIL_SENDER_NAME: ENC[AES256_GCM,data:IipWnw==,iv:Tp6k90QrG1/5M9kdvSLnXtz4xcU/mxNQ4563PSeb0Xc=,tag:oIJjlXpIuDbbTtnbZ6HRgw==,type:str]
BACKEND_MAIL_AUTH_USER: ENC[AES256_GCM,data:7pz5djxOzt19o2KgDchkO4hdXuPoZA==,iv:LHK7Cb1iFJbRWlGEEB4ziKZJKhOJ4OPfEgGNqxm244I=,tag:03A36lsN5GkKZhTqQQFMFw==,type:str]
BACKEND_MAIL_AUTH_PASS: ENC[AES256_GCM,data:7Oo6vF4MRSLuTWJGnZueug==,iv:813e2G1nGQFLv9AWZF4oKIIHq1eBLKuTm/0BR/a0tAw=,tag:iWUsbvmDFLnBVNNoXJ4hcA==,type:str]
sops:
age:
- recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFQVVUU3AxN2tnUG1ORmpw
c29YMWErYXl0QmtKVWdjWng2azRBUDJSbnlnClVnSVBlRUJ6NElDWmZOVnJRTUVB
NWVIRm1FUWc2NW14TE9MSnNpVnNPcU0KLS0tIDdrbjhWY3hoZCtROWtPKytXenJ0
eEptQ1R2QlAyeDdnZWdkZGNBcFZxL0EKe5wXjgOEN5hULVrSdyq7ljGIDlhDdwTl
jo0aeu4ObPlgMCc6jC9Coxk62SNt7yVg+brvkX2AmufuwR0lzg7N+g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-07-16T14:35:28Z"
mac: ENC[AES256_GCM,data:aFo7gkxw4ZgbJEkI7UbXwTUwB8DJHZGQ3cjJxTlRuROsoz6ryxzUg6jq0cDHVMrBa+Aj6atU5KUQ/o0krThZzZiL4kAWystxFgHj0IVH5aJBN2R4P5qLzwgofXP0UuTSd5x32hrAi5XVJ4loJGTQBxu/LdBHwOGQTg5Iuclk2K0=,iv:iRWTZnjiCUVCTnB99+wGmOjh6PkGak4PHJrMIs/rptU=,tag:0OgOkXAcsVaeCcXmCTSHjw==,type:str]
encrypted_regex: ^(data|stringData)$
version: 3.10.2
---
apiVersion: v1
kind: Secret
metadata:
name: valkey-secrets
namespace: teable
type: Opaque
stringData:
VALKEY_EXTRA_FLAGS: ENC[AES256_GCM,data:S+rjMu5wNv+Nni1d7/ZZTDoPhqf2TY28xJhgH/FPPmQB5qGpQmkVGoZW9rhsuc6eI7JL7KDRbfPyyoa8,iv:v3pjMJD1RvusZ9+0ppCP3RW3ojpsqQseeitJ8jagvxo=,tag:IQAIFa9vsRmFFDFXAmV8Jg==,type:str]
sops:
age:
- recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFQVVUU3AxN2tnUG1ORmpw
c29YMWErYXl0QmtKVWdjWng2azRBUDJSbnlnClVnSVBlRUJ6NElDWmZOVnJRTUVB
NWVIRm1FUWc2NW14TE9MSnNpVnNPcU0KLS0tIDdrbjhWY3hoZCtROWtPKytXenJ0
eEptQ1R2QlAyeDdnZWdkZGNBcFZxL0EKe5wXjgOEN5hULVrSdyq7ljGIDlhDdwTl
jo0aeu4ObPlgMCc6jC9Coxk62SNt7yVg+brvkX2AmufuwR0lzg7N+g==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2025-07-16T14:35:28Z"
mac: ENC[AES256_GCM,data:aFo7gkxw4ZgbJEkI7UbXwTUwB8DJHZGQ3cjJxTlRuROsoz6ryxzUg6jq0cDHVMrBa+Aj6atU5KUQ/o0krThZzZiL4kAWystxFgHj0IVH5aJBN2R4P5qLzwgofXP0UuTSd5x32hrAi5XVJ4loJGTQBxu/LdBHwOGQTg5Iuclk2K0=,iv:iRWTZnjiCUVCTnB99+wGmOjh6PkGak4PHJrMIs/rptU=,tag:0OgOkXAcsVaeCcXmCTSHjw==,type:str]
encrypted_regex: ^(data|stringData)$
version: 3.10.2

28
apps/sekibanki/teable/services.yaml Normal file
View File

@@ -0,0 +1,28 @@
apiVersion: v1
kind: Service
metadata:
name: teable
namespace: teable
spec:
type: ClusterIP
selector:
app.kubernetes.io/name: teable
ports:
- protocol: TCP
port: 80
targetPort: 3000
name: http
---
apiVersion: v1
kind: Service
metadata:
name: valkey
namespace: teable
spec:
type: ClusterIP
selector:
app.kubernetes.io/name: valkey
ports:
- protocol: TCP
port: 6379
targetPort: 6379