diff --git a/clusters/cl01tl/applications/hoarder/Chart.yaml b/clusters/cl01tl/applications/hoarder/Chart.yaml
new file mode 100644
index 000000000..4b5be0739
--- /dev/null
+++ b/clusters/cl01tl/applications/hoarder/Chart.yaml
@@ -0,0 +1,32 @@
+apiVersion: v2
+name: hoarder
+version: 1.0.0
+description: Hoarder
+keywords:
+ - hoarder
+ - bookmarks
+home: https://wiki.alexlebens.dev/doc/hoarder-
+sources:
+ - https://github.com/hoarder-app/hoarder
+ - https://github.com/cloudflare/cloudflared
+ - https://github.com/meilisearch/meilisearch
+ - https://github.com/hoarder-app/hoarder/pkgs/container/hoarder
+ - https://github.com/bjw-s/helm-charts/tree/main/charts/other/app-template
+ - https://github.com/alexlebens/helm-charts/tree/main/charts/cloudflared
+ - https://github.com/meilisearch/meilisearch-kubernetes/tree/main/charts/meilisearch
+maintainers:
+ - name: alexlebens
+dependencies:
+ - name: app-template
+ alias: hoarder
+ repository: https://bjw-s.github.io/helm-charts/
+ version: 3.6.1
+ - name: meilisearch
+ version: 0.11.0
+ repository: https://meilisearch.github.io/meilisearch-kubernetes
+ - name: cloudflared
+ alias: cloudflared
+ repository: http://alexlebens.github.io/helm-charts
+ version: 1.13.0
+icon: https://cdn.jsdelivr.net/gh/selfhst/icons/svg/hoarder.svg
+appVersion: 0.19.0
diff --git a/clusters/cl01tl/applications/hoarder/templates/external-secret.yaml b/clusters/cl01tl/applications/hoarder/templates/external-secret.yaml
new file mode 100644
index 000000000..e37107825
--- /dev/null
+++ b/clusters/cl01tl/applications/hoarder/templates/external-secret.yaml
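Review bot: The `cloudflared` dependency in Chart.yaml is pulled over plain HTTP (`repository: http://alexlebens.github.io/helm-charts`), while the other two dependencies use HTTPS; a chart index fetched without TLS can be altered in transit before it is rendered into the cluster. Change the line to `repository: https://alexlebens.github.io/helm-charts`. Separately, `appVersion: 0.19.0` does not match the image tag `0.22.0` set in values.yaml, so the `app.kubernetes.io/version` labels built from `.Chart.AppVersion` will report a version that is not the one running.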
@@ -0,0 +1,164 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: hoarder-key-secret
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: hoarder-key-secret
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: web
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault
+ data:
+ - secretKey: key
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /cl01tl/hoarder/key
+ metadataPolicy: None
+ property: key
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: hoarder-oidc-secret
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: hoarder-oidc-secret
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: web
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault
+ data:
+ - secretKey: AUTHENTIK_CLIENT_ID
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /authentik/oidc/hoarder
+ metadataPolicy: None
+ property: client
+ - secretKey: AUTHENTIK_CLIENT_SECRET
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /authentik/oidc/hoarder
+ metadataPolicy: None
+ property: secret
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: hoarder-meilisearch-master-key-secret
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: hoarder-meilisearch-master-key-secret
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: meilisearch
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault
+ data:
+ - secretKey: MEILI_MASTER_KEY
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /cl01tl/hoarder/meilisearch
+ metadataPolicy: None
+ property: MEILI_MASTER_KEY
+
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: hoarder-cloudflared-secret
+ namespace: {{ .Release.Namespace }}
+ labels:
+ app.kubernetes.io/name: hoarder-cloudflared-secret
+ app.kubernetes.io/instance: {{ .Release.Name }}
+ app.kubernetes.io/version: {{ .Chart.AppVersion }}
+ app.kubernetes.io/component: web
+ app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: vault
+ data:
+ - secretKey: cf-tunnel-token
+ remoteRef:
+ conversionStrategy: Default
+ decodingStrategy: None
+ key: /cloudflare/tunnels/hoarder
+ metadataPolicy: None
+ property: token
+
+# ---
+# apiVersion: external-secrets.io/v1beta1
+# kind: ExternalSecret
+# metadata:
+# name: hoarder-data-backup-secret
+# namespace: {{ .Release.Namespace }}
+# labels:
+# app.kubernetes.io/name: hoarder-data-backup-secret
+# app.kubernetes.io/instance: {{ .Release.Name }}
+# app.kubernetes.io/version: {{ .Chart.AppVersion }}
+# app.kubernetes.io/component: backup
+# app.kubernetes.io/part-of: {{ .Release.Name }}
+# spec:
+# secretStoreRef:
+# kind: ClusterSecretStore
+# name: vault
+# target:
+# template:
+# mergePolicy: Merge
+# engineVersion: v2
+# data:
+# RESTIC_REPOSITORY: "{{ `{{ .BUCKET_ENDPOINT }}` }}/hoarder/hoarder-data"
+# data:
+# - secretKey: BUCKET_ENDPOINT
+# remoteRef:
+# conversionStrategy: Default
+# decodingStrategy: None
+# key: /cl01tl/volsync/restic/config
+# metadataPolicy: None
+# property: S3_BUCKET_ENDPOINT
+# - secretKey: RESTIC_PASSWORD
+# remoteRef:
+# conversionStrategy: Default
+# decodingStrategy: None
+# key: /cl01tl/volsync/restic/config
+# metadataPolicy: None
+# property: RESTIC_PASSWORD
+# - secretKey: AWS_DEFAULT_REGION
+# remoteRef:
+# conversionStrategy: Default
+# decodingStrategy: None
+# key: /cl01tl/volsync/restic/config
+# metadataPolicy: None
+# property: AWS_DEFAULT_REGION
+# - secretKey: AWS_ACCESS_KEY_ID
+# remoteRef:
+# conversionStrategy: Default
+# decodingStrategy: None
+# key: /digital-ocean/home-infra/volsync-backups
+# metadataPolicy: None
+# property: access_key
+# - secretKey: AWS_SECRET_ACCESS_KEY
+# remoteRef:
+# conversionStrategy: Default
+# decodingStrategy: None
+# key: /digital-ocean/home-infra/volsync-backups
+# metadataPolicy: None
+# property: secret_key
diff --git a/clusters/cl01tl/applications/hoarder/templates/replication-source.yaml b/clusters/cl01tl/applications/hoarder/templates/replication-source.yaml
new file mode 100644
index 000000000..e8b1c82cc
--- /dev/null
+++ b/clusters/cl01tl/applications/hoarder/templates/replication-source.yaml
@@ -0,0 +1,27 @@
+# apiVersion: volsync.backube/v1alpha1
+# kind: ReplicationSource
+# metadata:
+# name: hoarder-data-backup-source
+# namespace: {{ .Release.Namespace }}
+# labels:
+# app.kubernetes.io/name: hoarder-data-backup-source
+# app.kubernetes.io/instance: {{ .Release.Name }}
+# app.kubernetes.io/version: {{ .Chart.AppVersion }}
+# app.kubernetes.io/component: backup
+# app.kubernetes.io/part-of: {{ .Release.Name }}
+# spec:
+# sourcePVC: hoarder-data
+# trigger:
+# schedule: 0 0 */3 * *
+# restic:
+# pruneIntervalDays: 14
+# repository: hoarder-data-backup-secret
+# retain:
+# hourly: 1
+# daily: 1
+# weekly: 1
+# monthly: 2
+# yearly: 4
+# copyMethod: Snapshot
+# storageClassName: ceph-block
+# volumeSnapshotClassName: ceph-blockpool-snapshot
diff --git a/clusters/cl01tl/applications/hoarder/values.yaml b/clusters/cl01tl/applications/hoarder/values.yaml
new file mode 100644
index 000000000..bda9ae561
--- /dev/null
+++ b/clusters/cl01tl/applications/hoarder/values.yaml
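Review bot: The commented-out backup ExternalSecret at the end of templates/external-secret.yaml still contains live template actions (`{{ .Release.Namespace }}`, `{{ .Chart.AppVersion }}`, the backtick-escaped `{{ .BUCKET_ENDPOINT }}`); Helm renders a template before the YAML is parsed, so the `#` prefix does not stop them from being evaluated, and a mistake inside the dead block can still fail the release. templates/replication-source.yaml has the same issue and consists of nothing but such comments. Either drop both blocks until backups are wired up, or wrap each in a template comment, `{{- /*` before and `*/ -}}` after. With both disabled, the `hoarder-data` volume declared in values.yaml appears to have no backup in this commit, which is worth stating in the commit message.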
@@ -0,0 +1,128 @@
+hoarder:
+ controllers:
+ main:
+ type: deployment
+ replicas: 1
+ strategy: Recreate
+ revisionHistoryLimit: 3
+ containers:
+ main:
+ image:
+ repository: ghcr.io/hoarder-app/hoarder
+ tag: 0.22.0
+ pullPolicy: IfNotPresent
+ env:
+ - name: DATA_DIR
+ value: /data
+ - name: NEXTAUTH_URL
+ value: https://hoarder.alexlebens.dev/
+ - name: NEXTAUTH_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: hoarder-key-secret
+ key: key
+ - name: MEILI_ADDR
+ value: http://hoarder-meilisearch.hoarder:7700
+ - name: MEILI_MASTER_KEY
+ valueFrom:
+ secretKeyRef:
+ name: hoarder-meilisearch-master-key-secret
+ key: MEILI_MASTER_KEY
+ - name: BROWSER_WEB_URL
+ value: http://hoarder.hoarder:9222
+ - name: DISABLE_SIGNUPS
+ value: true
+ - name: OAUTH_PROVIDER_NAME
+ value: "Authentik"
+ - name: OAUTH_WELLKNOWN_URL
+ value: https://auth.alexlebens.dev/application/o/hoarder/.well-known/openid-configuration
+ - name: OAUTH_SCOPE
+ value: "openid email profile"
+ - name: OAUTH_CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ name: hoarder-oidc-secret
+ key: AUTHENTIK_CLIENT_ID
+ - name: OAUTH_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: hoarder-oidc-secret
+ key: AUTHENTIK_CLIENT_SECRET
+ - name: OLLAMA_BASE_URL
+ value: http://ollama-server-1.ollama:11434
+ - name: OLLAMA_KEEP_ALIVE
+ value: 5m
+ - name: INFERENCE_TEXT_MODEL
+ value: llama3.1:8b
+ - name: INFERENCE_IMAGE_MODEL
+ value: llama3.2-vision:11b
+ - name: EMBEDDING_TEXT_MODEL
+ value: mxbai-embed-large
+ - name: INFERENCE_JOB_TIMEOUT_SEC
+ value: 720
+ resources:
+ requests:
+ cpu: 10m
+ memory: 256Mi
+ chrome:
+ image:
+ repository: gcr.io/zenika-hub/alpine-chrome
+ tag: 124
+ pullPolicy: IfNotPresent
+ args:
+ - --no-sandbox
+ - --disable-gpu
+ - --disable-dev-shm-usage
+ - --remote-debugging-address=0.0.0.0
+ - --remote-debugging-port=9222
+ - --hide-scrollbars
+ resources:
+ requests:
+ cpu: 10m
+ memory: 128Mi
+ serviceAccount:
+ create: true
+ service:
+ main:
+ controller: main
+ ports:
+ http:
+ port: 3000
+ targetPort: 3000
+ protocol: HTTP
+ chrome:
+ port: 9222
+ targetPort: 9222
+ protocol: HTTP
+ persistence:
+ data:
+ storageClass: ceph-block
+ accessMode: ReadWriteOnce
+ size: 10Gi
+ retain: true
+ advancedMounts:
+ main:
+ main:
+ - path: /data
+ readOnly: false
+meilisearch:
+ environment:
+ MEILI_NO_ANALYTICS: true
+ MEILI_ENV: production
+ auth:
+ existingMasterKeySecret: hoarder-meilisearch-master-key-secret
+ service:
+ type: ClusterIP
+ port: 7700
+ persistence:
+ enabled: true
+ storageClass: ceph-block
+ size: 10Gi
+ resources:
+ requests:
+ cpu: 10m
+ memory: 128Mi
+ serviceMonitor:
+ enabled: true
+cloudflared:
+ existingSecretName: hoarder-cloudflared-secret
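Review bot: The `chrome` container in values.yaml runs with `--no-sandbox` and binds its DevTools endpoint to every interface (`--remote-debugging-address=0.0.0.0`), and the `main` Service then publishes port 9222, so any workload that can reach `hoarder.hoarder:9222` gets an unauthenticated control channel to a browser that loads arbitrary bookmarked pages. Both containers are declared under the same `main` controller, so they appear to share a pod and could talk over loopback instead: set `value: http://localhost:9222` for `BROWSER_WEB_URL`, change the arg to `- --remote-debugging-address=127.0.0.1`, and drop the `chrome` entry under the Service ports. If the port has to stay on the Service, a NetworkPolicy limiting ingress on 9222 to the hoarder pod would be the minimum. Confirm crawling still works after the change, since the upstream defaults assume a separate Chrome container.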