From 64dc13b3ad032c319415c22b96549f43dab27c81 Mon Sep 17 00:00:00 2001
From: red
Date: Wed, 5 Mar 2025 23:48:51 -0500
Subject: [PATCH] Configure minio, restructure manifests
---
 manifests/deployments/minio.yaml | 75 ++++++
 manifests/deployments/pleroma.yaml | 114 +++++++++
 .../deployments/postgres.yaml | 217 +++++-------------
 pleroma.yaml => manifests/pleroma.yaml | 27 +++
 .../secrets.yaml.example | 20 +-
 pleroma/Dockerfile | 2 +-
 pleroma/docker.exs | 37 ++-
 7 files changed, 306 insertions(+), 186 deletions(-)
 create mode 100644 manifests/deployments/minio.yaml
 create mode 100644 manifests/deployments/pleroma.yaml
 rename deployment.yaml => manifests/deployments/postgres.yaml (56%)
 rename pleroma.yaml => manifests/pleroma.yaml (79%)
 rename secrets.yaml.example => manifests/secrets.yaml.example (54%)
diff --git a/manifests/deployments/minio.yaml b/manifests/deployments/minio.yaml
new file mode 100644
index 0000000..861dec7
--- /dev/null
+++ b/manifests/deployments/minio.yaml
@@ -0,0 +1,75 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: minio-pvc
+ namespace: darkdork-dev
+ labels:
+ app: minio
+spec:
+ storageClassName: longhorn-ssd
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage:
+ 10Gi
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: minio
+ namespace: darkdork-dev
+spec:
+ ports:
+ - port: 80
+ name: minio
+ targetPort: 9000
+ protocol: TCP
+ - port: 9001
+ name: minio-admin
+ targetPort: 9001
+ protocol: TCP
+ selector:
+ app: minio
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: minio
+ namespace: darkdork-dev
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: minio
+ template:
+ metadata:
+ labels:
+ app: minio
+ spec:
+ imagePullSecrets:
+ - name: registry-credentials
+ containers:
+ - name: minio
+ image: minio/minio
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 9000
+ - containerPort: 9001
+ env:
+ - name: MINIO_ROOT_USER
+ value: red
+ - name: MINIO_ROOT_PASSWORD
+ valueFrom:
+ secretKeyRef:
+ name: minio
+ key: root-password
+ args: ["server", "/data", "--console-address", ":9001"]
+ volumeMounts:
+ - name: minio-data-volume
+ mountPath: /data
+ volumes:
+ - name: minio-data-volume
+ persistentVolumeClaim:
+ claimName: minio-pvc
\ No newline at end of file
diff --git a/manifests/deployments/pleroma.yaml b/manifests/deployments/pleroma.yaml
new file mode 100644
index 0000000..b5a4678
--- /dev/null
+++ b/manifests/deployments/pleroma.yaml
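Review bot: `image: minio/minio` has no tag or digest, so with `imagePullPolicy: Always` every pod restart pulls whatever Docker Hub currently serves as `latest` for the component that stores all uploaded media and holds the root credentials; pin it, e.g. `image: minio/minio:RELEASE.<date>@sha256:<digest>`, so a registry compromise or a breaking upstream release cannot silently change what runs. The container also has no `securityContext`; `runAsNonRoot: true` plus `allowPrivilegeEscalation: false` (MinIO writes only under `/data`) would bound what a compromised MinIO process can do on the node. The `imagePullSecrets: registry-credentials` entry does nothing for a Docker Hub pull unless the image is actually mirrored on `cr.forge.lan` — if it is, point `image:` at the mirror, otherwise drop the entry so the credential is not offered where it is not needed. Note too that the `minio-admin` Service port publishes the console login to every workload in the cluster; if nothing else needs it, a comment saying the console is reached only via port-forward and dropping that port would narrow it.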
@@ -0,0 +1,114 @@ +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: pleroma-pvc + namespace: darkdork-dev + labels: + app: pleroma +spec: + storageClassName: longhorn-ssd + accessModes: + - ReadWriteMany + resources: + requests: + storage: + 10Gi +--- +apiVersion: v1 +kind: Service +metadata: + name: pleroma + namespace: darkdork-dev +spec: + ports: + - port: 80 + targetPort: 4000 + protocol: TCP + selector: + app: pleroma +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: pleroma + namespace: darkdork-dev +spec: + replicas: 1 + selector: + matchLabels: + app: pleroma + template: + metadata: + labels: + app: pleroma + spec: + imagePullSecrets: + - name: registry-credentials + containers: + - name: pleroma + image: cr.forge.lan/darkdork-dev/pleroma + imagePullPolicy: Always + ports: + - containerPort: 4000 + env: + - name: DOMAIN + value: darkdork.dev + - name: INSTANCE_NAME + value: DarkDork.dev + - name: ADMIN_EMAIL + value: pwm@crlf.ninja + - name: NOTIFY_EMAIL + value: pleroma@crlf.ninja + - name: REGISTRATIONS_OPEN + value: "false" + - name: INVITES_ENABLED + value: "true" + - name: SECRET_KEY_BASE + valueFrom: + secretKeyRef: + name: pleroma + key: secret-key-base + - name: WEB_PUSH_PUBLIC_KEY + valueFrom: + secretKeyRef: + name: pleroma + key: web-push-public-key + - name: WEB_PUSH_PRIVATE_KEY + valueFrom: + secretKeyRef: + name: pleroma + key: web-push-private-key + - name: DEFAULT_SIGNER + valueFrom: + secretKeyRef: + name: pleroma + key: default-signer + - name: S3_ACCESS_KEY + valueFrom: + secretKeyRef: + name: pleroma + key: minio-access-key + - name: S3_SECRET_KEY + valueFrom: + secretKeyRef: + name: pleroma + key: minio-secret-key + - name: DB_HOST + value: postgres + - name: DB_NAME + value: pleroma + - name: DB_USER + value: pleroma + - name: DB_PASS + valueFrom: + secretKeyRef: + name: postgres + key: postgres-password + volumeMounts: + - name: pleroma-data-volume + mountPath: /var/lib/pleroma + volumes: + - name: 
pleroma-data-volume + persistentVolumeClaim: + claimName: pleroma-pvc \ No newline at end of file diff --git a/deployment.yaml b/manifests/deployments/postgres.yaml similarity index 56% rename from deployment.yaml rename to manifests/deployments/postgres.yaml index 7867b9e..eccf20a 100644 --- a/deployment.yaml +++ b/manifests/deployments/postgres.yaml @@ -1,5 +1,53 @@ --- apiVersion: v1 +kind: ConfigMap +metadata: + name: postgres-init + namespace: darkdork-dev +data: + init-db.sh: | + #!/bin/bash + set -e + DB_USER=${DB_USER:-pleroma} + DB_NAME=${DB_NAME:-pleroma} + psql -U ${POSTGRES_USER:-postgres} -tc "SELECT 1 FROM pg_user WHERE usename = '$DB_USER'" | \ + grep -q 1 || psql -U postgres -c "CREATE USER $DB_USER WITH ENCRYPTED PASSWORD '$DB_PASS'" + psql -U ${POSTGRES_USER:-postgres} -tc "SELECT 1 FROM pg_database WHERE datname = '$DB_NAME'" | \ + grep -q 1 || psql -U postgres -c "CREATE DATABASE $DB_NAME OWNER $DB_USER" + psql -v ON_ERROR_STOP=1 --username "${POSTGRES_USER:-postgres}" --dbname "$DB_NAME" <<-EOSQL + CREATE EXTENSION IF NOT EXISTS citext; + CREATE EXTENSION IF NOT EXISTS pg_trgm; + CREATE EXTENSION IF NOT EXISTS "uuid-ossp"; + EOSQL +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: postgres-config + namespace: darkdork-dev +data: + postgresql.conf: | + # DB Version: 17 + # OS Type: linux + # DB Type: web + # Total Memory (RAM): 4 GB + # Data Storage: ssd + + max_connections = 200 + shared_buffers = 1GB + effective_cache_size = 3GB + maintenance_work_mem = 256MB + checkpoint_completion_target = 0.9 + wal_buffers = 16MB + default_statistics_target = 100 + random_page_cost = 1.1 + effective_io_concurrency = 200 + work_mem = 2621kB + huge_pages = off + min_wal_size = 1GB + max_wal_size = 4GB +--- +apiVersion: v1 kind: PersistentVolumeClaim metadata: name: postgres-pvc 
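Review bot: The new `S3_ACCESS_KEY` / `S3_SECRET_KEY` entries read `minio-access-key` and `minio-secret-key` from Secret `pleroma`, but the `manifests/secrets.yaml.example` in this same commit declares only `secret-key-base`, `signing-salt`, the web-push pair and `default-signer` for that Secret, so a fresh install from the example leaves the pleroma pod in `CreateContainerConfigError`; add both keys to the example, and record in a comment that they should be a MinIO user scoped to the `pleroma.darkdork.dev` bucket rather than the `MINIO_ROOT_USER` credentials. `DB_PASS` is taken from the `postgres` Secret's `postgres-password`, which looks like the same key the database server uses for its superuser — if so, the application role created by `init-db.sh` and the superuser share one password and a leaked app credential is a superuser credential; the postgres Deployment's env is outside this hunk, so please confirm and, if true, give the app role its own key (e.g. `pleroma-db-password`). As with the other Deployments, `cr.forge.lan/darkdork-dev/pleroma` is untagged under `imagePullPolicy: Always`; pin a tag or digest so rollbacks and audits are reproducible.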
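Review bot: `init-db.sh` in the `postgres-init` ConfigMap (moved here from `deployment.yaml`) interpolates `$DB_USER`, `$DB_NAME` and `$DB_PASS` directly into SQL text, so a generated password containing `'` breaks the `CREATE USER` statement and the script is only correct while the secret values happen to be shell- and SQL-clean. Pass them as psql variables instead: `psql -v u="$DB_USER" -v p="$DB_PASS" -c "CREATE USER :\"u\" WITH ENCRYPTED PASSWORD :'p'"` and `psql -v d="$DB_NAME" -v u="$DB_USER" -c "CREATE DATABASE :\"d\" OWNER :\"u\""`, which quotes identifiers and literals properly. The existence checks use `${POSTGRES_USER:-postgres}` while the creates hard-code `-U postgres`; use the same variable for both. Also worth a comment above the `grep -q 1 ||` lines: a lookup that fails for any reason (e.g. the server not yet accepting connections) is indistinguishable from "role absent" and falls through to the CREATE, which is why `set -e` alone does not protect this script.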
@@ -15,20 +63,18 @@ spec:
 storage: 10Gi
 ---
 apiVersion: v1
-kind: PersistentVolumeClaim
+kind: Service
 metadata:
- name: pleroma-pvc
+ name: postgres
 namespace: darkdork-dev
- labels:
- app: pleroma
 spec:
- storageClassName: longhorn-ssd
- accessModes:
- - ReadWriteMany
- resources:
- requests:
- storage:
- 10Gi
+ ports:
+ - port: 5432
+ targetPort: 5432
+ protocol: TCP
+ selector:
+ app: postgres
+
 ---
 apiVersion: apps/v1
 kind: Deployment
@@ -83,152 +129,3 @@ spec: - name: postgres-config-volume configMap: name: postgres-config ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: pleroma - namespace: darkdork-dev -spec: - replicas: 1 - selector: - matchLabels: - app: pleroma - template: - metadata: - labels: - app: pleroma - spec: - imagePullSecrets: - - name: registry-credentials - containers: - - name: pleroma - image: cr.forge.lan/darkdork-dev/pleroma - imagePullPolicy: Always - ports: - - containerPort: 4000 - env: - - name: DOMAIN - value: darkdork.dev - - name: INSTANCE_NAME - value: DarkDork.dev - - name: ADMIN_EMAIL - value: pwm@crlf.ninja - - name: NOTIFY_EMAIL - value: pleroma@crlf.ninja - - name: REGISTRATIONS_OPEN - value: "false" - - name: INVITES_ENABLED - value: "true" - - name: SECRET_KEY_BASE - valueFrom: - secretKeyRef: - name: pleroma - key: secret-key-base - - name: WEB_PUSH_PUBLIC_KEY - valueFrom: - secretKeyRef: - name: pleroma - key: web-push-public-key - - name: WEB_PUSH_PRIVATE_KEY - valueFrom: - secretKeyRef: - name: pleroma - key: web-push-private-key - - name: DEFAULT_SIGNER - valueFrom: - secretKeyRef: - name: pleroma - key: default-signer - - name: DB_HOST - value: postgres - - name: DB_NAME - value: pleroma - - name: DB_USER - value: pleroma - - name: DB_PASS - valueFrom: - secretKeyRef: - name: postgres - key: postgres-password - volumeMounts: - - name: pleroma-data-volume - mountPath: /var/lib/pleroma - volumes: - - name: pleroma-data-volume - persistentVolumeClaim: - claimName: pleroma-pvc ---- -apiVersion: v1 -kind: Service -metadata: - name: postgres - namespace: darkdork-dev -spec: - ports: - - port: 5432 - targetPort: 5432 - protocol: TCP - selector: - app: postgres ---- -apiVersion: v1 -kind: Service -metadata: - name: pleroma - namespace: darkdork-dev -spec: - ports: - - port: 80 - targetPort: 4000 - protocol: TCP - selector: - app: pleroma ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: postgres-init - namespace: darkdork-dev -data: - 
init-db.sh: | - #!/bin/bash - set -e - DB_USER=${DB_USER:-pleroma} - DB_NAME=${DB_NAME:-pleroma} - psql -U ${POSTGRES_USER:-postgres} -tc "SELECT 1 FROM pg_user WHERE usename = '$DB_USER'" | \ - grep -q 1 || psql -U postgres -c "CREATE USER $DB_USER WITH ENCRYPTED PASSWORD '$DB_PASS'" - psql -U ${POSTGRES_USER:-postgres} -tc "SELECT 1 FROM pg_database WHERE datname = '$DB_NAME'" | \ - grep -q 1 || psql -U postgres -c "CREATE DATABASE $DB_NAME OWNER $DB_USER" - psql -v ON_ERROR_STOP=1 --username "${POSTGRES_USER:-postgres}" --dbname "$DB_NAME" <<-EOSQL - CREATE EXTENSION IF NOT EXISTS citext; - CREATE EXTENSION IF NOT EXISTS pg_trgm; - CREATE EXTENSION IF NOT EXISTS "uuid-ossp"; - EOSQL ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: postgres-config - namespace: darkdork-dev -data: - postgresql.conf: | - # DB Version: 17 - # OS Type: linux - # DB Type: web - # Total Memory (RAM): 4 GB - # Data Storage: ssd - - max_connections = 200 - shared_buffers = 1GB - effective_cache_size = 3GB - maintenance_work_mem = 256MB - checkpoint_completion_target = 0.9 - wal_buffers = 16MB - default_statistics_target = 100 - random_page_cost = 1.1 - effective_io_concurrency = 200 - work_mem = 2621kB - huge_pages = off - min_wal_size = 1GB - max_wal_size = 4GB \ No newline at end of file diff --git a/pleroma.yaml b/manifests/pleroma.yaml similarity index 79% rename from pleroma.yaml rename to manifests/pleroma.yaml index 9ad1136..52dd98a 100644 --- a/pleroma.yaml +++ b/manifests/pleroma.yaml 
@@ -56,6 +56,33 @@ spec: port: number: 80 --- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: minio + namespace: darkdork-dev + annotations: + cert-manager.io/issuer: "letsencrypt-prod" + nginx.ingress.kubernetes.io/rewrite-target: /pleroma.darkdork.dev/$1 +spec: + ingressClassName: nginx + tls: + - hosts: + - media.darkdork.dev + secretName: tls-secret-media + rules: + - host: media.darkdork.dev + http: + paths: + - path: /(.+) + pathType: ImplementationSpecific + backend: + service: + name: minio + port: + number: 80 + +--- apiVersion: cert-manager.io/v1 kind: Issuer metadata: diff --git a/secrets.yaml.example b/manifests/secrets.yaml.example similarity index 54% rename from secrets.yaml.example rename to manifests/secrets.yaml.example index 88e4650..54e41d9 100644 --- a/secrets.yaml.example +++ b/manifests/secrets.yaml.example @@ -11,7 +11,7 @@ metadata: name: postgres type: Opaque stringData: - postgres-password: + postgres-password: --- apiVersion: v1 kind: Secret @@ -19,8 +19,16 @@ metadata: namespace: darkdork-dev name: pleroma stringData: - secret-key-base: - signing-salt: - web-push-public-key: - web-push-private-key: - default-signer: + secret-key-base: + signing-salt: + web-push-public-key: + web-push-private-key: + default-signer: +--- +apiVersion: v1 +kind: Secret +metadata: + name: minio + namespace: darkdork-dev +stringData: + root-password: \ No newline at end of file diff --git a/pleroma/Dockerfile b/pleroma/Dockerfile index 69ccf0c..8b0f42d 100644 --- a/pleroma/Dockerfile +++ b/pleroma/Dockerfile @@ -22,7 +22,7 @@ RUN adduser --system --shell /bin/false --home ${HOME} pleroma &&\ RUN rm -r /tmp/release RUN rm /tmp/pleroma.zip -USER pleroma +# USER pleroma COPY --chmod=0764 --chown=pleroma ./static-files/ /static-files/ COPY --chmod=0640 --chown=pleroma ./docker.exs /etc/pleroma/config.exs diff --git a/pleroma/docker.exs b/pleroma/docker.exs index 3249968..126391e 100644 --- a/pleroma/docker.exs +++ b/pleroma/docker.exs 
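Review bot: The `media.darkdork.dev` Ingress forwards every HTTP method on `/(.+)` to MinIO's S3 API (`minio:80` → container port 9000) with `rewrite-target: /pleroma.darkdork.dev/$1`, so PUT, DELETE and multipart-upload calls against the bucket are reachable from the internet and gated only by MinIO's request signing — the bucket policy, not this Ingress, is the real access control, and nothing in the commit shows what that policy is. Add a comment on the Ingress stating that the bucket must carry a read-only anonymous policy (download, not public) and that writes happen only from Pleroma in-cluster, and if your ingress-nginx deployment permits it, confine this location to GET/HEAD. Because MinIO serves objects with their stored `Content-Type`, user-uploaded HTML/SVG is rendered in the `media.darkdork.dev` origin; keeping uploads on a host separate from `darkdork.dev` is the right call, and it is worth noting that in the same comment so nobody later "simplifies" media onto the main host.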
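Review bot: The new `minio` Secret in the example declares only `root-password`, while the pleroma Deployment added in this commit expects `minio-access-key` and `minio-secret-key` in the `pleroma` Secret; the example should list those two under `pleroma` so that `kubectl apply -f secrets.yaml` from the template produces a startable pod. Bare `root-password:` (and the other placeholders) parse as YAML null rather than an empty string, so an unedited template is ambiguous to both humans and the API server; `root-password: ""  # generate with: openssl rand -base64 32` documents the intent and the expected strength. A one-line comment that the pleroma S3 keys must be a dedicated, bucket-scoped MinIO user and not the root credentials would stop the obvious shortcut of copying `root-password` into both.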
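Review bot: Commenting out `USER pleroma` makes the release run as root in the container, which undoes the `adduser --system` a few lines above and means the `--chown=pleroma --chmod=0640` on `/etc/pleroma/config.exs` (the file that reads `SECRET_KEY_BASE`, the DB and S3 credentials) no longer restricts anything, while a code-execution bug in Pleroma now lands as uid 0 on the node's PID namespace. If this was done to get write access to the `/var/lib/pleroma` PVC, set `securityContext.fsGroup` (or an init container that chowns the mount) in `manifests/deployments/pleroma.yaml` and restore `USER pleroma`; at minimum add `runAsNonRoot: true` to the pod spec so the cluster refuses a root image. If root is deliberate, leave the reason next to it: `# USER pleroma  # disabled: <why>, remove once <condition>`.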
@@ -20,6 +20,8 @@ config :pleroma, :instance, invites_enabled: true, healthcheck: true +config :pleroma, :http, proxy_url: {:socks5h, "10.8.1.1", 1080} + config :pleroma, :media_proxy, enabled: false, redirect_on_failure: true @@ -50,26 +52,23 @@ config :pleroma, Pleroma.Uploaders.Local, uploads: "/var/lib/pleroma/uploads" # The public S3 endpoint (base_url) is different depending on region and provider, # consult your S3 provider's documentation for details on what to use. # -# config :pleroma, Pleroma.Upload, -# uploader: Pleroma.Uploaders.S3, -# base_url: "https://s3.amazonaws.com" -# -# config :pleroma, Pleroma.Uploaders.S3, -# bucket: "some-bucket", -# bucket_namespace: "my-namespace", -# truncated_namespace: nil, -# streaming_enabled: true -# +config :pleroma, Pleroma.Upload, + uploader: Pleroma.Uploaders.S3, + base_url: "https://media.darkdork.dev" + +config :pleroma, Pleroma.Uploaders.S3, + bucket: "pleroma.darkdork.dev", + bucket_namespace: nil, + truncated_namespace: "", + streaming_enabled: false + # Configure S3 credentials: -# config :ex_aws, :s3, -# access_key_id: "xxxxxxxxxxxxx", -# secret_access_key: "yyyyyyyyyyyy", -# region: "us-east-1", -# scheme: "https://" -# -# For using third-party S3 clones like wasabi, also do: -# config :ex_aws, :s3, -# host: "s3.wasabisys.com" +config :ex_aws, :s3, + access_key_id: System.get_env("S3_ACCESS_KEY"), + secret_access_key: System.get_env("S3_SECRET_KEY"), + scheme: "http://", + host: "minio", + port: 80 config :joken, default_signer: System.get_env("DEFAULT_SIGNER")
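Review bot: `proxy_url: {:socks5h, "10.8.1.1", 1080}` bakes a specific proxy address into the image, so the image only works on one network and any proxy move means a rebuild, unlike every other environment-specific value in this file which comes from `System.get_env`. Read it from the environment, e.g. `proxy_url: {:socks5h, System.get_env("SOCKS_PROXY_HOST", "10.8.1.1"), String.to_integer(System.get_env("SOCKS_PROXY_PORT", "1080"))}`, and add a comment naming what the proxy is for (outbound federation traffic, presumably) and what host 10.8.1.1 is. Please also verify whether ex_aws's requests to `minio` honour this setting — if they do, in-cluster S3 traffic would be hairpinned through the proxy; if they do not, the comment should say that the S3 client is exempt.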
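Review bot: `config :ex_aws, :s3` with `scheme: "http://"`, `host: "minio"`, `port: 80` sends object payloads and listings to MinIO in cleartext; SigV4 keeps the secret key off the wire, but this is only acceptable if pod-to-pod traffic in `darkdork-dev` is trusted, and no NetworkPolicy accompanies this commit — a comment recording that assumption (`# plaintext is in-cluster only; the public URL is base_url over TLS`) belongs above it. `System.get_env("S3_ACCESS_KEY")` returns `nil` when the variable is missing, in which case ex_aws falls back to its default credential resolution rather than failing at boot, so a misconfigured pod could start and then fail on first upload; `System.fetch_env!/1` makes the missing secret a loud startup error. The `bucket_namespace: nil` / `truncated_namespace: ""` pair is non-obvious and deserves a comment explaining that the bucket name is stripped from generated URLs because the `media.darkdork.dev` Ingress rewrite re-adds `/pleroma.darkdork.dev/`.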