Configure minio, restructure manifests

manifests/deployments/minio.yaml

@@ -0,0 +1,75 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: minio-pvc
+  namespace: darkdork-dev
+  labels:
+    app: minio
+spec:
+  storageClassName: longhorn-ssd
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage:
+        10Gi
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: minio
+  namespace: darkdork-dev
+spec:
+  ports:
+    - port: 80
+      name: minio
+      targetPort: 9000
+      protocol: TCP
+    - port: 9001
+      name: minio-admin
+      targetPort: 9001
+      protocol: TCP
+  selector:
+    app: minio
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: minio
+  namespace: darkdork-dev
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: minio
+  template:
+    metadata:
+      labels:
+        app: minio
+    spec:
+      imagePullSecrets:
+        - name: registry-credentials
+      containers:
+        - name: minio
+          image: minio/minio
+          imagePullPolicy: Always
+          ports:
+            - containerPort: 9000
+            - containerPort: 9001
+          env:
+            - name: MINIO_ROOT_USER
+              value: red
+            - name: MINIO_ROOT_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: minio
+                  key: root-password
+          args: ["server", "/data", "--console-address", ":9001"]
+          volumeMounts:
+            - name: minio-data-volume
+              mountPath: /data
+      volumes:
+        - name: minio-data-volume
+          persistentVolumeClaim:
+            claimName: minio-pvc

manifests/deployments/pleroma.yaml

@@ -0,0 +1,114 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: pleroma-pvc
+  namespace: darkdork-dev
+  labels:
+    app: pleroma
+spec:
+  storageClassName: longhorn-ssd
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage:
+        10Gi
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: pleroma
+  namespace: darkdork-dev
+spec:
+  ports:
+    - port: 80
+      targetPort: 4000
+      protocol: TCP
+  selector:
+    app: pleroma
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: pleroma
+  namespace: darkdork-dev
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: pleroma
+  template:
+    metadata:
+      labels:
+        app: pleroma
+    spec:
+      imagePullSecrets:
+        - name: registry-credentials
+      containers:
+        - name: pleroma
+          image: cr.forge.lan/darkdork-dev/pleroma
+          imagePullPolicy: Always
+          ports:
+            - containerPort: 4000
+          env:
+            - name: DOMAIN
+              value: darkdork.dev
+            - name: INSTANCE_NAME
+              value: DarkDork.dev
+            - name: ADMIN_EMAIL
+              value: pwm@crlf.ninja
+            - name: NOTIFY_EMAIL
+              value: pleroma@crlf.ninja
+            - name: REGISTRATIONS_OPEN
+              value: "false"
+            - name: INVITES_ENABLED
+              value: "true"
+            - name: SECRET_KEY_BASE
+              valueFrom:
+                secretKeyRef:
+                  name: pleroma
+                  key: secret-key-base
+            - name: WEB_PUSH_PUBLIC_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: pleroma
+                  key: web-push-public-key
+            - name: WEB_PUSH_PRIVATE_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: pleroma
+                  key: web-push-private-key
+            - name: DEFAULT_SIGNER
+              valueFrom:
+                secretKeyRef:
+                  name: pleroma
+                  key: default-signer
+            - name: S3_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: pleroma
+                  key: minio-access-key
+            - name: S3_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: pleroma
+                  key: minio-secret-key
+            - name: DB_HOST
+              value: postgres
+            - name: DB_NAME
+              value: pleroma
+            - name: DB_USER
+              value: pleroma
+            - name: DB_PASS
+              valueFrom:
+                secretKeyRef:
+                  name: postgres
+                  key: postgres-password
+          volumeMounts:
+            - name: pleroma-data-volume
+              mountPath: /var/lib/pleroma
+      volumes:
+        - name: pleroma-data-volume
+          persistentVolumeClaim:
+            claimName: pleroma-pvc

manifests/deployments/postgres.yaml

@@ -0,0 +1,131 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: postgres-init
+  namespace: darkdork-dev
+data:
+  init-db.sh: |
+    #!/bin/bash
+    set -e
+    DB_USER=${DB_USER:-pleroma}
+    DB_NAME=${DB_NAME:-pleroma}
+     psql -U ${POSTGRES_USER:-postgres} -tc "SELECT 1 FROM pg_user WHERE usename = '$DB_USER'" | \
+      grep -q 1 || psql -U postgres -c "CREATE USER $DB_USER WITH ENCRYPTED PASSWORD '$DB_PASS'"
+    psql -U ${POSTGRES_USER:-postgres} -tc "SELECT 1 FROM pg_database WHERE datname = '$DB_NAME'" | \
+      grep -q 1 || psql -U postgres -c "CREATE DATABASE $DB_NAME OWNER $DB_USER"
+    psql -v ON_ERROR_STOP=1 --username "${POSTGRES_USER:-postgres}" --dbname "$DB_NAME" <<-EOSQL
+    	CREATE EXTENSION IF NOT EXISTS citext;
+      CREATE EXTENSION IF NOT EXISTS pg_trgm;
+      CREATE EXTENSION IF NOT EXISTS "uuid-ossp";
+    EOSQL
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: postgres-config
+  namespace: darkdork-dev
+data:
+  postgresql.conf: |
+    # DB Version: 17
+    # OS Type: linux
+    # DB Type: web
+    # Total Memory (RAM): 4 GB
+    # Data Storage: ssd
+
+    max_connections = 200
+    shared_buffers = 1GB
+    effective_cache_size = 3GB
+    maintenance_work_mem = 256MB
+    checkpoint_completion_target = 0.9
+    wal_buffers = 16MB
+    default_statistics_target = 100
+    random_page_cost = 1.1
+    effective_io_concurrency = 200
+    work_mem = 2621kB
+    huge_pages = off
+    min_wal_size = 1GB
+    max_wal_size = 4GB
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: postgres-pvc
+  namespace: darkdork-dev
+  labels:
+    app: postgres
+spec:
+  storageClassName: longhorn-ssd
+  accessModes:
+    - ReadWriteMany
+  resources:
+    requests:
+      storage: 10Gi
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: postgres
+  namespace: darkdork-dev
+spec:
+  ports:
+  - port: 5432
+    targetPort: 5432
+    protocol: TCP
+  selector:
+    app: postgres
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: postgres
+  namespace: darkdork-dev
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: postgres
+  template:
+    metadata:
+      labels:
+        app: postgres
+    spec:
+      imagePullSecrets:
+        - name: registry-credentials
+      containers:
+        - name: postgres
+          image: postgres:17-alpine
+          imagePullPolicy: Always
+          volumeMounts:
+            - name: postgres-data-volume
+              mountPath: /var/lib/postgresql/data
+            - name: postgres-init-volume
+              mountPath: /docker-entrypoint-initdb.d
+            - name: postgres-config-volume
+              mountPath: /etc/postgresql/postgresql.conf
+              subPath: postgresql.conf
+          ports:
+            - containerPort: 5432
+          env:
+            - name: POSTGRES_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: postgres
+                  key: postgres-password
+            - name: DB_PASS
+              valueFrom:
+                secretKeyRef:
+                  name: postgres
+                  key: postgres-password
+      volumes:
+        - name: postgres-data-volume
+          persistentVolumeClaim:
+            claimName: postgres-pvc
+        - name: postgres-init-volume
+          configMap:
+            name: postgres-init
+            defaultMode: 0755
+        - name: postgres-config-volume
+          configMap:
+            name: postgres-config

manifests/pleroma.yaml

@@ -0,0 +1,124 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: darkdork-dev
+---
+kind: StorageClass
+apiVersion: storage.k8s.io/v1
+metadata:
+  name: longhorn-ssd
+  namespace: darkdork-dev
+provisioner: driver.longhorn.io
+allowVolumeExpansion: true
+parameters:
+  numberOfReplicas: "3"
+  staleReplicaTimeout: "2880" # 48 hours in minutes
+  fromBackup: ""
+  fsType: "xfs"
+#  backupTargetName: "default"
+#  mkfsParams: "-I 256 -b 4096 -O ^metadata_csum,^64bit"
+#  diskSelector: "ssd,fast"
+#  nodeSelector: "storage,fast"
+#  recurringJobSelector: '[
+#   {
+#     "name":"snap",
+#     "isGroup":true,
+#   },
+#   {
+#     "name":"backup",
+#     "isGroup":false,
+#   }
+#  ]'
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: pleroma
+  namespace: darkdork-dev
+  annotations:
+    cert-manager.io/issuer: "letsencrypt-prod"
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - darkdork.dev
+    secretName: tls-secret
+  rules:
+  - host: darkdork.dev
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: pleroma
+            port:
+              number: 80
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: minio
+  namespace: darkdork-dev
+  annotations:
+    cert-manager.io/issuer: "letsencrypt-prod"
+    nginx.ingress.kubernetes.io/rewrite-target: /pleroma.darkdork.dev/$1
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - media.darkdork.dev
+    secretName: tls-secret-media
+  rules:
+  - host: media.darkdork.dev
+    http:
+      paths:
+      - path: /(.+)
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: minio
+            port:
+              number: 80
+
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  namespace: darkdork-dev
+  name: letsencrypt-staging
+spec:
+  acme:
+    # The ACME server URL
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    # Email address used for ACME registration
+    email: pwm@crlf.ninja
+    # Name of a secret used to store the ACME account private key
+    privateKeySecretRef:
+      name: letsencrypt-staging
+    # Enable the HTTP-01 challenge provider
+    solvers:
+      - http01:
+          ingress:
+            ingressClassName: nginx
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  namespace: darkdork-dev
+  name: letsencrypt-prod
+spec:
+  acme:
+    # The ACME server URL
+    server: https://acme-v02.api.letsencrypt.org/directory
+    # Email address used for ACME registration
+    email: pwm@crlf.ninja
+    # Name of a secret used to store the ACME account private key
+    privateKeySecretRef:
+      name: letsencrypt-prod
+    # Enable the HTTP-01 challenge provider
+    solvers:
+      - http01:
+          ingress:
+            ingressClassName: nginx

manifests/secrets.yaml.example

@@ -0,0 +1,34 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: darkdork-dev
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  namespace: darkdork-dev
+  name: postgres
+type: Opaque
+stringData:
+  postgres-password:
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  namespace: darkdork-dev
+  name: pleroma
+stringData:
+  secret-key-base:
+  signing-salt:
+  web-push-public-key:
+  web-push-private-key:
+  default-signer:
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: minio
+  namespace: darkdork-dev
+stringData:
+  root-password: