Merge pull request 'feat: add postiz temporal' (#5568) from tmp/postiz-1 into main

Reviewed-on: #5568

clusters/cl01tl/helm/postiz/Chart.lock

@@ -2,6 +2,9 @@ dependencies:
 - name: app-template
   repository: https://bjw-s-labs.github.io/helm-charts/
   version: 4.6.2
+- name: temporal
+  repository: https://go.temporal.io/helm-charts
+  version: 1.0.0-rc.3
 - name: cloudflared
   repository: oci://harbor.alexlebens.net/helm-charts
   version: 2.4.0
@@ -17,5 +20,5 @@ dependencies:
 - name: volsync-target
   repository: oci://harbor.alexlebens.net/helm-charts
   version: 0.8.0
-digest: sha256:1c7f2f341be8892e4b8e016c34676dee45f35caf75908a0eabe845b5683948c4
+digest: sha256:a5d285d997702cefaac9808ac6556a566d7974773c7fb2c7a0defb8f64226443
-generated: "2026-04-05T19:40:33.153012-05:00"
+generated: "2026-04-05T20:33:43.946895-05:00"

clusters/cl01tl/helm/postiz/Chart.yaml

@@ -8,8 +8,14 @@ keywords:
 home: https://docs.alexlebens.dev/applications/plex/
 sources:
   - https://github.com/gitroomhq/postiz-app
+  - https://github.com/getsentry/spotlight
   - https://github.com/gitroomhq/postiz-app/pkgs/container/postiz-app
+  - https://github.com/getsentry/spotlight/pkgs/container/spotlight
+  - https://hub.docker.com/r/temporalio/server
+  - https://hub.docker.com/r/temporalio/admin-tools
+  - https://hub.docker.com/r/temporalio/ui
   - https://github.com/bjw-s-labs/helm-charts/tree/main/charts/other/app-template
+  - https://github.com/temporalio/helm-charts/tree/main/charts/temporal
   - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/cloudflared
   - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/postgres-cluster
   - https://gitea.alexlebens.dev/alexlebens/helm-charts/src/branch/main/charts/valkey
@@ -21,6 +27,9 @@ dependencies:
     alias: postiz
     repository: https://bjw-s-labs.github.io/helm-charts/
     version: 4.6.2
+  - name: temporal
+    repository: https://go.temporal.io/helm-charts
+    version: 1.0.0-rc.3
   - name: cloudflared
     repository: oci://harbor.alexlebens.net/helm-charts
     version: 2.4.0

clusters/cl01tl/helm/postiz/templates/elasticsearch.yaml

@@ -0,0 +1,30 @@
+apiVersion: elasticsearch.k8s.elastic.co/v1
+kind: Elasticsearch
+metadata:
+  name: elasticsearch-postiz
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: elasticsearch-postiz
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}``
+spec:
+  # renovate: datasource=docker depName=elasticsearch
+  version: 8.19.8@sha256:e6ef2af8db3269ffd075ebf5e605d62324345d646c4fa201654f648d1cad44a4
+  auth:
+    fileRealm:
+      - secretName: postiz-elasticsearch-secret
+  nodeSets:
+    - name: default
+      count: 2
+      config:
+        node.store.allow_mmap: false
+      volumeClaimTemplates:
+        - metadata:
+            name: elasticsearch-data
+          spec:
+            accessModes:
+              - ReadWriteOnce
+            resources:
+              requests:
+                storage: 5Gi
+            storageClassName: ceph-block

clusters/cl01tl/helm/postiz/templates/http-route.yaml

@@ -0,0 +1,58 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: temporal-ui
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: temporal-ui
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  parentRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: traefik-gateway
+      namespace: traefik
+  hostnames:
+    - temporal-ui.alexlebens.net
+  rules:
+    - matches:
+      - path:
+          type: PathPrefix
+          value: /
+      backendRefs:
+        - group: ''
+          kind: Service
+          name: temporal-ui
+          port: 8080
+          weight: 100
+
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: temporal-frontend
+  namespace: {{ .Release.Namespace }}
+  labels:
+    app.kubernetes.io/name: temporal-frontend
+    app.kubernetes.io/instance: {{ .Release.Name }}
+    app.kubernetes.io/part-of: {{ .Release.Name }}
+spec:
+  parentRefs:
+    - group: gateway.networking.k8s.io
+      kind: Gateway
+      name: traefik-gateway
+      namespace: traefik
+  hostnames:
+    - temporal-frontend.alexlebens.net
+  rules:
+    - matches:
+      - path:
+          type: PathPrefix
+          value: /
+      backendRefs:
+        - group: ''
+          kind: Service
+          name: temporal-frontend
+          port: 80
+          weight: 100

clusters/cl01tl/helm/postiz/values.yaml

@@ -10,17 +10,21 @@ postiz:
             repository: ghcr.io/gitroomhq/postiz-app
             tag: v2.21.4@sha256:a339e9ee256537526d0eda19e5919e01fa7649a40596ebec5d9e1389850836bc
           env:
+            - name: JWT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: postiz-config-secret
+                  key: JWT_SECRET
             - name: MAIN_URL
               value: https://postiz.alexlebens.dev
             - name: FRONTEND_URL
               value: https://postiz.alexlebens.dev
             - name: NEXT_PUBLIC_BACKEND_URL
               value: https://postiz.alexlebens.dev/api
-            - name: JWT_SECRET
+            - name: BACKEND_INTERNAL_URL
-              valueFrom:
+              value: http://temporal:3000
-                secretKeyRef:
+            - name: TEMPORAL_ADDRESS
-                  name: postiz-config-secret
+              value: http://temporal:3000
-                  key: JWT_SECRET
             - name: DATABASE_URL
               valueFrom:
                 secretKeyRef:
@@ -31,10 +35,12 @@ postiz:
                 secretKeyRef:
                   name: postiz-valkey-config
                   key: REDIS_URL
-            - name: BACKEND_INTERNAL_URL
-              value: http://localhost:3000
             - name: IS_GENERAL
               value: "true"
+            - name: DISABLE_REGISTRATION
+              value: "false"
+            - name: RUN_CRON
+              value: "true"
             - name: STORAGE_PROVIDER
               value: local
             - name: UPLOAD_DIRECTORY
@@ -67,10 +73,27 @@ postiz:
                   key: secret
             - name: POSTIZ_OAUTH_SCOPE
               value: openid profile email
+            - name: NEXT_PUBLIC_SENTRY_DSN
+              value: http://spotlight:8969/stream
+            - name: SENTRY_SPOTLIGHT
+              value: "1"
           resources:
             requests:
               cpu: 10m
               memory: 1Gi
+    spotlight:
+      type: deployment
+      replicas: 1
+      strategy: Recreate
+      containers:
+        main:
+          image:
+            repository: ghcr.io/getsentry/spotlight
+            tag: 4.11.3@sha256:be6eb5b5d0df882025dcef138c217d493e6dcb684aebc235bc1b2832eb347c7f
+          resources:
+            requests:
+              cpu: 10m
+              memory: 40Mi
   service:
     main:
       controller: main
@@ -78,24 +101,12 @@ postiz:
         http:
           port: 80
           targetPort: 5000
-  route:
+    spotlight:
-    main:
+      controller: spotlight
-      kind: HTTPRoute
+      ports:
-      parentRefs:
+        http:
-        - group: gateway.networking.k8s.io
+          port: 8969
-          kind: Gateway
+          targetPort: 8969
-          name: traefik-gateway
-          namespace: traefik
-      hostnames:
-        - postiz.alexlebens.net
-      rules:
-        - backendRefs:
-            - name: postiz
-              port: 80
-          matches:
-            - path:
-                type: PathPrefix
-                value: /
   persistence:
     config:
       forceRename: postiz-config
@@ -117,6 +128,94 @@ postiz:
           main:
             - path: /uploads
               readOnly: false
+temporal:
+  server:
+    image:
+      repository: temporalio/server
+      tag: 1.30.2@sha256:d5334ee3ddce1617efbe280a10afc85916cf8d81798415c98988dbda2b46773e
+    metrics:
+      serviceMonitor:
+        enabled: true
+    resources:
+      requests:
+        cpu: 10m
+        memory: 60Mi
+    config:
+      logLevel: "debug,info"
+      persistence:
+        datastores:
+          default:
+            sql:
+              pluginName: postgres12
+              driverName: postgres12
+              databaseName: app
+              connectAddr: postiz-postgresql-18-cluster-rw.postiz:5432
+              user: app
+              existingSecret: postiz-postgresql-18-cluster-app
+              secretKey: password
+              tls:
+                enabled: false
+          visibility:
+            elasticsearch:
+              version: v8
+              url:
+                scheme: http
+                host: elasticsearch-postiz-es-http.postiz:9200
+              logLevel: error
+              indices:
+                visibility: temporal_visibility_v1
+              tls:
+                enabled: false
+    frontend:
+      ingress:
+        enabled: false
+      metrics:
+        serviceMonitor:
+          enabled: true
+      resources:
+        requests:
+          cpu: 10m
+          memory: 60Mi
+    history:
+      metrics:
+        serviceMonitor:
+          enabled: true
+      resources:
+        requests:
+          cpu: 10m
+          memory: 60Mi
+    matching:
+      metrics:
+        serviceMonitor:
+          enabled: true
+      resources:
+        requests:
+          cpu: 10m
+          memory: 60Mi
+    worker:
+      metrics:
+        serviceMonitor:
+          enabled: true
+      resources:
+        requests:
+          cpu: 10m
+          memory: 60Mi
+  admintools:
+    image:
+      repository: temporalio/admin-tools
+      tag: 1.30.2@sha256:024c6473df113e4b220b3caf6056d30964582ffcae6f6e46a1074aa6c67968d3
+    resources:
+      requests:
+        cpu: 10m
+        memory: 60Mi
+  web:
+    image:
+      repository: temporalio/ui
+      tag: 2.48.1@sha256:edb5dd1b3e0ddb35611939dde9b573533afd6fbafbbf077b73c7131a30ca91ff
+    resources:
+      requests:
+        cpu: 10m
+        memory: 60Mi
 postgres-18-cluster:
   mode: recovery
   recovery:
@@ -136,6 +235,10 @@ postgres-18-cluster:
         immediate: true
         schedule: "0 20 15 * * *"
         backupName: garage-local
+  databases:
+    - name: temporal
+      ensure: present
+      owner: app
 valkey:
   valkey:
     auth:

clusters/cl01tl/helm/stalwart/templates/elasticsearch.yaml

@@ -8,7 +8,8 @@ metadata:
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  version: 8.19.8
+  # renovate: datasource=docker depName=elasticsearch
+  version: 8.19.8@sha256:e6ef2af8db3269ffd075ebf5e605d62324345d646c4fa201654f648d1cad44a4
   auth:
     fileRealm:
       - secretName: stalwart-elasticsearch-secret

clusters/cl01tl/helm/tubearchivist/templates/elasticsearch.yaml

@@ -8,7 +8,8 @@ metadata:
     app.kubernetes.io/instance: {{ .Release.Name }}
     app.kubernetes.io/part-of: {{ .Release.Name }}
 spec:
-  version: 8.19.8
+  # renovate: datasource=docker depName=elasticsearch
+  version: 8.19.8@sha256:e6ef2af8db3269ffd075ebf5e605d62324345d646c4fa201654f648d1cad44a4
   auth:
     fileRealm:
       - secretName: tubearchivist-elasticsearch-secret