Initial Commit

2025-03-04 09:51:26 -05:00 · 2025-03-04 09:51:26 -05:00 · 0ec5aa83d5
commit 0ec5aa83d5
8 changed files with 506 additions and 0 deletions
--- a/.gitignore
+++ b/.gitignore
@ -0,0 +1 @@
+secrets.yaml
--- a/deployment.yaml
+++ b/deployment.yaml
@ -0,0 +1,234 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: postgres-pvc
+  namespace: darkdork-dev
+  labels:
+    app: postgres
+spec:
+  storageClassName: longhorn-ssd
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 10Gi
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: pleroma-pvc
+  namespace: darkdork-dev
+  labels:
+    app: pleroma
+spec:
+  storageClassName: longhorn-ssd
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage:
+        10Gi
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: postgres
+  namespace: darkdork-dev
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: postgres
+  template:
+    metadata:
+      labels:
+        app: postgres
+    spec:
+      imagePullSecrets:
+        - name: registry-credentials
+      containers:
+        - name: postgres
+          image: postgres:17-alpine
+          imagePullPolicy: Always
+          volumeMounts:
+            - name: postgres-data-volume
+              mountPath: /var/lib/postgresql/data
+            - name: postgres-init-volume
+              mountPath: /docker-entrypoint-initdb.d
+            - name: postgres-config-volume
+              mountPath: /etc/postgresql/postgresql.conf
+              subPath: postgresql.conf
+          ports:
+            - containerPort: 5432
+          env:
+            - name: POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: postgres
+                  key: postgres-password
+            - name: DB_PASS
+              valueFrom:
+                secretKeyRef:
+                  name: postgres
+                  key: postgres-password
+      volumes:
+        - name: postgres-data-volume
+          persistentVolumeClaim:
+            claimName: postgres-pvc
+        - name: postgres-init-volume
+          configMap:
+            name: postgres-init
+            defaultMode: 0755
+        - name: postgres-config-volume
+          configMap:
+            name: postgres-config
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: pleroma
+  namespace: darkdork-dev
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: pleroma
+  template:
+    metadata:
+      labels:
+        app: pleroma
+    spec:
+      imagePullSecrets:
+        - name: registry-credentials
+      containers:
+        - name: pleroma
+          image: cr.forge.lan/darkdork-dev/pleroma
+          imagePullPolicy: Always
+          ports:
+            - containerPort: 4000
+          env:
+            - name: DOMAIN
+              value: darkdork.dev
+            - name: INSTANCE_NAME
+              value: DarkDork.dev
+            - name: ADMIN_EMAIL
+              value: pwm@crlf.ninja
+            - name: NOTIFY_EMAIL
+              value: pleroma@crlf.ninja
+            - name: REGISTRATIONS_OPEN
+              value: "false"
+            - name: INVITES_ENABLED
+              value: "true"
+            - name: SECRET_KEY_BASE
+              valueFrom:
+                secretKeyRef:
+                  name: pleroma
+                  key: secret-key-base
+            - name: WEB_PUSH_PUBLIC_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: pleroma
+                  key: web-push-public-key
+            - name: WEB_PUSH_PRIVATE_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: pleroma
+                  key: web-push-private-key
+            - name: DEFAULT_SIGNER
+              valueFrom:
+                secretKeyRef:
+                  name: pleroma
+                  key: default-signer
+            - name: DB_HOST
+              value: postgres
+            - name: DB_NAME
+              value: pleroma
+            - name: DB_USER
+              value: pleroma
+            - name: DB_PASS
+              valueFrom:
+                secretKeyRef:
+                  name: postgres
+                  key: postgres-password
+          volumeMounts:
+            - name: pleroma-data-volume
+              mountPath: /var/lib/pleroma
+      volumes:
+        - name: pleroma-data-volume
+          persistentVolumeClaim:
+            claimName: pleroma-pvc
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: postgres
+  namespace: darkdork-dev
+spec:
+  ports:
+  - port: 5432
+    targetPort: 5432
+    protocol: TCP
+  selector:
+    app: postgres
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: pleroma
+  namespace: darkdork-dev
+spec:
+  ports:
+    - port: 80
+      targetPort: 4000
+      protocol: TCP
+  selector:
+    app: pleroma
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: postgres-init
+  namespace: darkdork-dev
+data:
+  init-db.sh: |
+    #!/bin/bash
+    set -e
+    DB_USER=${DB_USER:-pleroma}
+    DB_NAME=${DB_NAME:-pleroma}
+     psql -U ${POSTGRES_USER:-postgres} -tc "SELECT 1 FROM pg_user WHERE usename = '$DB_USER'" | \
+      grep -q 1 || psql -U postgres -c "CREATE USER $DB_USER WITH ENCRYPTED PASSWORD '$DB_PASS'"
+    psql -U ${POSTGRES_USER:-postgres} -tc "SELECT 1 FROM pg_database WHERE datname = '$DB_NAME'" | \
+      grep -q 1 || psql -U postgres -c "CREATE DATABASE $DB_NAME OWNER $DB_USER"
+    psql -v ON_ERROR_STOP=1 --username "${POSTGRES_USER:-postgres}" --dbname "$DB_NAME" <<-EOSQL
+    	CREATE EXTENSION IF NOT EXISTS citext;
+      CREATE EXTENSION IF NOT EXISTS pg_trgm;
+      CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
+    EOSQL
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: postgres-config
+  namespace: darkdork-dev
+data:
+  postgresql.conf: |
+    # DB Version: 17
+    # OS Type: linux
+    # DB Type: web
+    # Total Memory (RAM): 4 GB
+    # Data Storage: ssd
+
+    max_connections = 200
+    shared_buffers = 1GB
+    effective_cache_size = 3GB
+    maintenance_work_mem = 256MB
+    checkpoint_completion_target = 0.9
+    wal_buffers = 16MB
+    default_statistics_target = 100
+    random_page_cost = 1.1
+    effective_io_concurrency = 200
+    work_mem = 2621kB
+    huge_pages = off
+    min_wal_size = 1GB
+    max_wal_size = 4GB
--- a/pleroma.yaml
+++ b/pleroma.yaml
@ -0,0 +1,97 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: darkdork-dev
+---
+kind: StorageClass
+apiVersion: storage.k8s.io/v1
+metadata:
+  name: longhorn-ssd
+  namespace: darkdork-dev
+provisioner: driver.longhorn.io
+allowVolumeExpansion: true
+parameters:
+  numberOfReplicas: "3"
+  staleReplicaTimeout: "2880" # 48 hours in minutes
+  fromBackup: ""
+  fsType: "xfs"
+#  backupTargetName: "default"
+#  mkfsParams: "-I 256 -b 4096 -O ^metadata_csum,^64bit"
+#  diskSelector: "ssd,fast"
+#  nodeSelector: "storage,fast"
+#  recurringJobSelector: '[
+#   {
+#     "name":"snap",
+#     "isGroup":true,
+#   },
+#   {
+#     "name":"backup",
+#     "isGroup":false,
+#   }
+#  ]'
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: pleroma
+  namespace: darkdork-dev
+  annotations:
+    cert-manager.io/issuer: "letsencrypt-prod"
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - darkdork.dev
+    secretName: tls-secret
+  rules:
+  - host: darkdork.dev
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: pleroma
+            port:
+              number: 80
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  namespace: darkdork-dev
+  name: letsencrypt-staging
+spec:
+  acme:
+    # The ACME server URL
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    # Email address used for ACME registration
+    email: pwm@crlf.ninja
+    # Name of a secret used to store the ACME account private key
+    privateKeySecretRef:
+      name: letsencrypt-staging
+    # Enable the HTTP-01 challenge provider
+    solvers:
+      - http01:
+          ingress:
+            ingressClassName: nginx
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  namespace: darkdork-dev
+  name: letsencrypt-prod
+spec:
+  acme:
+    # The ACME server URL
+    server: https://acme-v02.api.letsencrypt.org/directory
+    # Email address used for ACME registration
+    email: pwm@crlf.ninja
+    # Name of a secret used to store the ACME account private key
+    privateKeySecretRef:
+      name: letsencrypt-prod
+    # Enable the HTTP-01 challenge provider
+    solvers:
+      - http01:
+          ingress:
+            ingressClassName: nginx
--- a/pleroma/Dockerfile
+++ b/pleroma/Dockerfile
@ -0,0 +1,33 @@
+FROM alpine
+
+ARG HOME=/opt/pleroma
+ENV HOME=${HOME}
+ARG DATA=/var/lib/pleroma
+ENV DATA=${DATA}
+
+RUN wget 'https://git.pleroma.social/api/v4/projects/2/jobs/artifacts/stable/download?job=amd64-musl' -O /tmp/pleroma.zip
+RUN unzip /tmp/pleroma.zip -d /tmp/
+
+RUN apk update && \
+    apk add exiftool ffmpeg vips libmagic ncurses postgresql-client
+
+RUN	adduser --system --shell /bin/false --home ${HOME} pleroma &&\
+    mkdir -p ${DATA} &&\
+	chown -R pleroma ${DATA} &&\
+	mkdir -p /etc/pleroma &&\
+	chown -R pleroma /etc/pleroma &&\
+    mv /tmp/release/* ${HOME} &&\
+    chown -R pleroma ${HOME}
+
+RUN rm -r /tmp/release
+RUN rm /tmp/pleroma.zip
+
+USER pleroma
+
+COPY --chmod=0764 --chown=pleroma ./static-files/ /static-files/
+COPY --chmod=0640 --chown=pleroma ./docker.exs /etc/pleroma/config.exs
+COPY --chmod=0755 ./docker-entrypoint.sh ${HOME}
+
+EXPOSE 4000
+
+ENTRYPOINT ["/opt/pleroma/docker-entrypoint.sh"]
--- a/pleroma/docker-entrypoint.sh
+++ b/pleroma/docker-entrypoint.sh
@ -0,0 +1,15 @@
+#!/bin/ash
+
+set -e
+
+mkdir -p ${DATA}/uploads && mkdir -p ${DATA}/static
+cp -rf /static-files/* ${DATA}/static
+
+echo "-- Waiting for database..."
+while ! pg_isready -U ${DB_USER:-pleroma} -d postgres://${DB_HOST:-db}:${DB_PORT:-5432}/${DB_NAME:-pleroma} -t 1; do sleep 1s; done;
+echo $DB_PASSWORD
+echo "-- Running migrations..."
+$HOME/bin/pleroma_ctl migrate
+
+echo "-- Starting!"
+exec $HOME/bin/pleroma start
--- a/pleroma/docker.exs
+++ b/pleroma/docker.exs
@ -0,0 +1,78 @@
+# Pleroma instance configuration
+
+# NOTE: This file should not be committed to a repo or otherwise made public
+# without removing sensitive information.
+
+import Config
+
+config :pleroma, Pleroma.Web.Endpoint,
+   url: [host: System.get_env("DOMAIN", "localhost"), scheme: "https", port: 443],
+   http: [ip: {0, 0, 0, 0}, port: 4000],
+   secret_key_base: System.get_env("SECRET_KEY_BASE"),
+   signing_salt: System.get_env("SIGNING_SALT")
+
+config :pleroma, :instance,
+  name: System.get_env("INSTANCE_NAME", "Pleroma"),
+  email: System.get_env("ADMIN_EMAIL"),
+  notify_email: System.get_env("NOTIFY_EMAIL"),
+  limit: 5000,
+  registrations_open: false,
+  invites_enabled: true,
+  healthcheck: true
+
+config :pleroma, :media_proxy,
+  enabled: false,
+  redirect_on_failure: true
+  #base_url: "https://cache.pleroma.social"
+
+config :pleroma, Pleroma.Repo,
+  adapter: Ecto.Adapters.Postgres,
+  username: System.get_env("DB_USER", "pleroma"),
+  password: System.get_env("DB_PASS"),
+  database: System.get_env("DB_NAME", "pleroma"),
+  hostname: System.get_env("DB_HOST", "db")
+
+# Configure web push notifications
+config :web_push_encryption, :vapid_details,
+  subject: "mailto:#{System.get_env("NOTIFY_EMAIL")}",
+  public_key: System.get_env("WEB_PUSH_PUBLIC_KEY"),
+  private_key: System.get_env("WEB_PUSH_PRIVATE_KEY")
+
+config :pleroma, :database, rum_enabled: false
+config :pleroma, :instance, static_dir: "/var/lib/pleroma/static"
+config :pleroma, Pleroma.Uploaders.Local, uploads: "/var/lib/pleroma/uploads"
+
+# Enable Strict-Transport-Security once SSL is working:
+# config :pleroma, :http_security,
+#   sts: true
+
+# Configure S3 support if desired.
+# The public S3 endpoint (base_url) is different depending on region and provider,
+# consult your S3 provider's documentation for details on what to use.
+#
+# config :pleroma, Pleroma.Upload,
+#  uploader: Pleroma.Uploaders.S3,
+#  base_url: "https://s3.amazonaws.com"
+#
+# config :pleroma, Pleroma.Uploaders.S3,
+#   bucket: "some-bucket",
+#   bucket_namespace: "my-namespace",
+#   truncated_namespace: nil,
+#   streaming_enabled: true
+#
+# Configure S3 credentials:
+# config :ex_aws, :s3,
+#   access_key_id: "xxxxxxxxxxxxx",
+#   secret_access_key: "yyyyyyyyyyyy",
+#   region: "us-east-1",
+#   scheme: "https://"
+#
+# For using third-party S3 clones like wasabi, also do:
+# config :ex_aws, :s3,
+#   host: "s3.wasabisys.com"
+
+config :joken, default_signer: System.get_env("DEFAULT_SIGNER")
+
+config :pleroma, configurable_from_database: false
+
+config :pleroma, Pleroma.Upload, filters: [Pleroma.Upload.Filter.Exiftool.StripLocation, Pleroma.Upload.Filter.Dedupe]
--- a/pleroma/static-files/static/terms-of-service.html
+++ b/pleroma/static-files/static/terms-of-service.html
@ -0,0 +1,22 @@
+<div>
+    <p>
+        Please email me if you want an account. Service is beta quality at best
+        for now, and work is ongoing. You either already know my email address,
+        or you can find it in the instance's nodeinfo.
+    </p>
+    <ul>
+        <li>Do not violate United States law.</li>
+        <li>Do not engage in pedophile/pro-pedophile activity.</li>
+        <li>Do not cause problems for this site on purpose:
+            <ul>
+                <li>
+                    No fedposting.
+                </li>
+                <li>
+                    Phonebooking is technically legal in the United States, but
+                    be smart about your post scope, please and thanks.
+                </li>
+            </ul>
+        </li>
+    </ul>
+</div>
--- a/secrets.yaml.example
+++ b/secrets.yaml.example
@ -0,0 +1,26 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: darkdork-dev
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  namespace: darkdork-dev
+  name: postgres
+type: Opaque
+stringData:
+  postgres-password: 
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  namespace: darkdork-dev
+  name: pleroma
+stringData:
+  secret-key-base: 
+  signing-salt: 
+  web-push-public-key: 
+  web-push-private-key: 
+  default-signer: