penpot:
  ingress:
    enabled: true
    annotations:
      traefik.ingress.kubernetes.io/router.entrypoints: websecure
      traefik.ingress.kubernetes.io/router.tls: "true"
      cert-manager.io/cluster-issuer: letsencrypt-issuer
    hosts:
      - host: penpot.alexlebens.net
    tls:
      - secretName: penpot-secret-tls
        hosts:
          - penpot.alexlebens.net
  persistence:
    enabled: true
    storageClass: ceph-block
    size: 8Gi
    accessModes:
      - ReadWriteOnce
  config:
    publicURI: https://penpot.alexlebens.net
    flags: enable-registration enable-insecure-register enable-login enable-login-with-oidc disable-demo-users disable-demo-warning
    apiSecretKey:
      existingSecretName: penpot-key-secret
      existingSecretKey: key
    postgresql:
      host: penpot-postgresql-16-cluster-rw.penpot.svc.cluster.local
      port: 5432
      database: app
      existingSecret: penpot-postgresql-16-cluster-app
      secretKeys:
        usernameKey: username
        passwordKey: password
    redis:
      host: penpot-redis-headless.penpot.svc.cluster.local
      port: 6379
      database: 0
    assets:
      storageBackend: assets-s3
      s3:
        region: us-east-1
        bucket: penpot
        endpointURI: https://minio-penpot-api.alexlebens.net/penpot
        existingSecret: penpot-bucket-user-secret
        secretKeys:
          accessKeyIDKey: AWS_ACCESS_KEY_ID
          secretAccessKey: AWS_SECRET_ACCESS_KEY
    telemetryEnabled: false
    providers:
      oidc:
        enabled: true
        baseURI: https://authentik.alexlebens.net/application/o/
        authURI: https://authentik.alexlebens.net/application/o/authorize/
        tokenURI: https://authentik.alexlebens.net/application/o/token/
        userURI: https://authentik.alexlebens.net/application/o/userinfo/
        roles: ""
        rolesAttribute: ""
        scopes: "openid profile email"
        nameAttribute: preferred_username
        emailAttribute: email
      existingSecret: penpot-oidc-secret
      secretKeys:
        oidcClientIDKey: client
        oidcClientSecretKey: secret
redis:
  architecture: standalone
  auth:
    enabled: false
minio:
  existingSecret:
    name: penpot-minio-root-secret
  tenant:
    name: minio-penpot
    configuration:
      name: penpot-minio-config-secret
    pools:
      - servers: 3
        name: pool
        volumesPerServer: 2
        size: 10Gi
        storageClassName: ceph-block
    mountPath: /export
    subPath: /data
    metrics:
      enabled: true
      port: 9000
      protocol: http
    certificate:
      requestAutoCert: false
  ingress:
    api:
      enabled: true
      ingressClassName: traefik
      annotations:
        traefik.ingress.kubernetes.io/router.entrypoints: websecure
        traefik.ingress.kubernetes.io/router.tls: "true"
        cert-manager.io/cluster-issuer: letsencrypt-issuer
      tls:
        - secretName: minio-penpot-api-secret-tls
          hosts:
            - minio-penpot-api.alexlebens.net
      host: minio-penpot-api.alexlebens.net
      path: /
      pathType: Prefix
    console:
      enabled: true
      ingressClassName: traefik
      annotations:
        traefik.ingress.kubernetes.io/router.entrypoints: websecure
        traefik.ingress.kubernetes.io/router.tls: "true"
        cert-manager.io/cluster-issuer: letsencrypt-issuer
      tls:
        - secretName: minio-penpot-console-secret-tls
          hosts:
            - minio-penpot.alexlebens.net
      host: minio-penpot.alexlebens.net
      path: /
      pathType: Prefix
postgres-16-cluster:
  mode: standalone
  kubernetesClusterName: cl01tl
  cluster:
    walStorage:
      storageClass: local-path
    storage:
      storageClass: local-path
    monitoring:
      enabled: true
  backup:
    enabled: true
    endpointURL: https://s3.us-east-2.amazonaws.com
    destinationPath: s3://cl01tl-postgresql-backups/penpot
    endpointCredentials: penpot-postgresql-16-cluster-backup-secret
    backupIndex: 1
    retentionPolicy: 14d