obs livesync

memestream/memestream.ingress.yaml

@@ -28,6 +28,7 @@ spec:
             name: memestream-meili
             port:
               number: 7700
+
   - host: memestream.ntwl.xyz
     http:
       paths:

ops/grafana.yaml

@@ -1,30 +0,0 @@
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: grafana-pv
-spec:
-  storageClassName: ""
-  capacity:
-    storage: 1Gi
-  accessModes:
-    - ReadWriteOnce
-  persistentVolumeReclaimPolicy: Retain
-  claimRef:
-    namespace: monitor
-    name: grafana-pvc
-  hostPath:
-    path: "/var/lib/rancher/k3s/storage/grafana-pv"
-    type: DirectoryOrCreate
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: grafana-pvc
-  namespace: monitor
-spec:
-  volumeName: grafana-pv
-  accessModes:
-    - ReadWriteOnce
-  resources:
-    requests:
-      storage: 1Gi

ops/kubeseal.yaml

@@ -0,0 +1,14 @@
+---
+
+apiVersion: helm.cattle.io/v1
+kind: HelmChart
+metadata:
+  name: sealed-secrets
+  namespace: ops
+spec:
+  repo: https://bitnami-labs.github.io/sealed-secrets
+  chart: sealed-secrets
+  version: 2.17.3
+  targetNamespace: kube-system
+  valuesContent: |-
+    fullnameOverride: sealed-secrets-controller

ops/minio.ingress.yaml

@@ -0,0 +1,39 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: storage
+  namespace: ops
+  labels:
+    app: minio
+  annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+    haproxy.org/proxy-body-size-limit: "1g"
+spec:
+  ingressClassName: haproxy
+  tls:
+  - hosts:
+      - minio.ntwl.xyz
+      - storage.ntwl.xyz
+    secretName: minio-tls
+  rules:
+  - host: minio.ntwl.xyz
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: minio
+            port:
+              number: 9090
+
+  - host: storage.ntwl.xyz
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: minio
+            port:
+              number: 9000

ops/minio.yaml

@@ -4,37 +4,18 @@
 
 ---
 
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: minio-pv
-spec:
-  storageClassName: ""
-  capacity:
-    storage: 20Gi
-  accessModes:
-    - ReadWriteOnce
-  persistentVolumeReclaimPolicy: Retain
-  claimRef:
-    namespace: default
-    name: minio-pvc
-  hostPath:
-    path: "/var/lib/rancher/k3s/storage/minio-pv"
-    type: DirectoryOrCreate
-
----
-
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
-  name: minio-pvc
+  name: minio-storage
+  namespace: ops
 spec:
-  volumeName: minio-pv
+  storageClassName: zfs-fast
   accessModes:
     - ReadWriteOnce
   resources:
     requests:
-      storage: 20Gi
+      storage: 100Gi
 
 ---
 
@@ -46,6 +27,7 @@ apiVersion: apps/v1
 kind: Deployment
 metadata:
   name: minio
+  namespace: ops
 spec:
   replicas: 1
   selector:
@@ -107,7 +89,7 @@ spec:
       volumes:
         - name: minio-storage
           persistentVolumeClaim:
-            claimName: minio-pvc
+            claimName: minio-storage
 
 
 ---
@@ -115,7 +97,8 @@ spec:
 apiVersion: v1
 kind: Service
 metadata:
-  name: minio-service
+  name: minio
+  namespace: ops
   labels:
     app: minio
 spec:

ops/values.yaml

@@ -1,20 +0,0 @@
-grafana:
-  persistence:
-    type: pvc
-    enabled: true
-    # annotations: {}
-    finalizers:
-      - kubernetes.io/pvc-protection
-    existingClaim: grafana-pvc
-
-alertmanager:
-  enabled: false
-
-loki:
-  auth_enabled: false
-  commonConfig:
-    replication_factor: 1
-  storage:
-    type: 'filesystem'
-singleBinary:
-  replicas: 1

ops/vlt.seal.json

@@ -0,0 +1,29 @@
+{
+  "kind": "SealedSecret",
+  "apiVersion": "bitnami.com/v1alpha1",
+  "metadata": {
+    "name": "couchdb-couchdb",
+    "namespace": "ops",
+    "creationTimestamp": null
+  },
+  "spec": {
+    "template": {
+      "metadata": {
+        "name": "couchdb-couchdb",
+        "namespace": "ops",
+        "creationTimestamp": null,
+        "labels": {
+          "app": "couchdb",
+          "service": "obsidian-livesync"
+        }
+      },
+      "type": "Opaque"
+    },
+    "encryptedData": {
+      "adminPassword": "AgAv+nUY0+WeMJ2Kz0DX9F2l3BvdRrtqbWIowaiIcbWOEjBh3CAFNj4YqUBcUSKn0RsTqYcStDuM1bHBdoWvUj+bfjuoZcYXlXck0QYoGH6PkVfP67GvTgAgQpD7D3D1Q/su16lVBQ671jIxjBi6J38Aiq7Iqkg70vqTE3fclxW6rD6uuPSuYcpaUEUr98/ZYwKgdOZdYLbPAtdwFY6iD2u7HmhZN8Io7N77ofd8GcVREjsOl/5f9y29OBEyAgRzb0glj10z4cdnR/fhVQeGMFKlFU/ld3lVMqncpmC+/hi2JiNYa31S8Uld4oJp/w74fkWBsV+1rsDIrch1uXjRmdpVfpZ5EYBew/t/5G6PtaTGvI9I00zlbrRflYeSMSe4qNIPP4B77LP78FjuHo+NCqLP5pvJ+e3jJJppy9fuhnoy+1rDo1wl/8l4YcQTL77idgvSwCYmaOXi4BApbebZBKwHdKVEnO+yEHEG9VomVcfSEo8NZeXT6aa8BlmTuQLDOZf1vEfGeYnKNz2t5m4uy5tYZ76i5NM37w2vLv+TU/mG9LbKzFBSJ+CHnnv+pmfoXSd1co7vS2vbi1CRkeB0t1RuB7i/YYtpPCtVTnk8s6eZ315pQkLR7M0/0yi2RyJiYB3UEvaZlDF4y8DstbKDWzqPslmLq5VumxMZEQDYvzPbsdYQaEiX90hDnMfKHt48rnO1htOC5NwaqKWWMWs6",
+      "adminUsername": "AgAe33Ip20GvP1XRkon2XNBwsfTa0YVVlH+jg8NqKKEkRy4Xa6+Nwzl3OAcTxCxrLECxx0OCafCZXTU/dxbaoTO8izrtOGcmlb0fxjucf/5vwJFjTuhdk4AehpUSYXqIw76ZkJLJcqFSHewv7BvbCBRwef7gR/xnpFWak2r2Hhi1po6AmRzhJlp/Z3ndLfpywl1Jnqfsz9H54R5lDz3BXUXxW5zYTS8jsXJS60Cp7oFuNO8UQoYYJ+a1C6kXIvqVuEf1NuFwfx6hjTfm56MjSLTKr7G8rIX4bEpGtjHcAiuNXGlk2of5Uw/PgaUvsIfymoz+tnIsLbHEBOK0v1MRBkvsOz1M/D9C+lu2XX0CrtOX3Ww2Z5L542V8SqL5QBR2PBf0J0IvaDSioh4mgdcHZUhvduUZJ3FLbxVptWMQvRKvhsiR6U5/XXXLIMIQDUQ4kDpgsb7rPYmeqbeJOxY0SZ5XO4OY+kreBP1pylza/mr+DuzSWxzDyDV+VM+XfwkzgeBW8hv9dfuWJnD6Z0T4cYOQ+4VGrTwK5K6hNV84aK+zXDlMiijdX5Gxe3oS7Vdl3pAKz40v/7YZ5UWBHHk+TAu5DKU7mAF6MvICwTFj4M0s85jnI/uUGjEZ0y0BlX9W6cZF5wusczTUyhDv1WvSPpNBv4Htk+NZq50Y/v8PPyQUspLEngfoVEBZUL2z6hLtneITFhI=",
+      "cookieAuthSecret": "AgCIstQYGlgIvZMgx0obHFxz+vpefo9f5ZSiBmdxOm3HiU7saVS2s2Yc1YYhXO4ANvOOz5aRBdTp9l53c735htcq5vIhc9kERsxSLyxsGKfaq7ZtYt8fcHn00cmGwJDfIBzG5u1mBPe+mp+WZaBjXFEbBdISD1cndom7x6JdEljdZ5v19+z3TuAhHo2/kWMK7mVucIn1vglo51SSSz2F1HfgxfdPo7mDPybJYkOV1DOe8xzRvOWcAV7DhPxdkjFlLejTSiwFixkSy8QtnD96gjQXXZfOJsxdaYOXn3QMqNHBOq7qwhdHtJ3ugKHlrlJyGtlYFNhh9+i/MaWCEXvRZmCdZqee7un6KCPlL3vhFR0ABvXqgAWtIHPDgrDihqPHBv+CHvJs8Tu5d2ryKWTUkndMwTs+7BaZFS8KfIUtMrxec7+McEO2SyJOMjMJkDZMzcIz+gfu/9/0LYQ9IGjQ4P4m+/ZxM+VyBQjIRM/TjwmF8pXdB0Zs7HBL3KrWHELoe25lMa0iYOkI0tmZKhR43yCO+NOt93c6LS/QrVcJHnK5aY3GqwG9sjB5MEmR4eycYMNU/EjlYhRHrIMZnRvPb9TF8tD55nc8Eulc9DYZ9uFOG+OFlNRr4XHRvy1cmzS6z8lHntlzGyCMO9lkWGPGHC81llKG9uYpHa/eg0askHa7yjYLU1DfxDPAlIvgOqOLLvODOpoyDqAds/HUxZTpeak=",
+      "erlangCookie": "AgCTickThp91F/3kKWGpsYTKnGKrG7LWN9dbF1vL/gN/4nZ6thW28bQNNSdfKOYLp05U9oRvso4ja3dOpGBGmCS5NnSQY8UA2lGJuGloi49rgeuc34XW/+99RnCG2pwvjLJGhUJ3Zprb5J2Ky6CH4vUVd5Q0/zjGM5MEpaSxqkHriZj33gNy1cink/ZlkSMLpDGktjjHV4k7QHocT06Cu1Gg/ixrF3C2k8kQ9evoJTsOGAXH94E+vdtq/YvH0Be+AKCMc5MldROBEx69qI6uVKh9aM6YKPNfsgoh9A76ialeCYfYxPV/0oSx7YH86tg1yQ3V1Law3Y02tPjfyTsScuLnGbfoDXdcaShyfxxIaUtbEagohpofEZj6xQfO18wwpObZVVny72T9PEt5z5Fbkvv/wHGi0G9BZJ/E6/0T2Onap4WsJlC8I9CwzmcZMhBuECheRxxJ5z20k4bVq99e/iX5Ays90yZeHoJJwVC0e5zxwvdMZ775OSR9I2ibuKZx8UGLw/ZLrFNjdHvt3yAVKNAsdvOg1g7l0zS0i2CW46PcoUaqeFyX5NVda6upc0bEvVDCQV8TKzAv3Kk+rdaIbUM6ovDaClH80oY6lBpVSdGDtJ7Tf5sn5d/jwnm3TJtFyt5B1YXboQL9KWCdYgsUAcWQp9DuCd57sR0BG7oGUuGXwvxLnhAdCe3JkZRrpi7YXr708PXno3dx8wH3K7+j1/zC"
+    }
+  }
+}

ops/vlt.yaml

@@ -0,0 +1,62 @@
+---
+
+apiVersion: helm.cattle.io/v1
+kind: HelmChart
+metadata:
+    name: couchdb
+    namespace: ops
+    labels:
+        app: couchdb
+        service: vlt
+spec:
+    repo: https://apache.github.io/couchdb-helm
+    chart: couchdb
+    version: 4.6.1
+    targetNamespace: ops
+    valuesContent: |-
+        clusterSize: 1
+        createAdminSecret: false
+
+        couchdbConfig:
+            couchdb:
+                single_node: true
+                uuid: 1723f780-f9df-4efb-84dc2e5a691207d8
+                max_document_size: 50000000
+                max_http_request_size: 4294967296
+            chttpd:
+                require_valid_user: true
+                enable_cors: true
+            httpd:
+                enable_cors: true
+                WWW-Authenticate: "Basic realm=\"couchdb\""
+            cors:
+                origins: "*"
+                credentials: true
+                methods: "GET, PUT, POST, HEAD, DELETE"
+                headers: "accept, authorization, content-type, origin, referer, x-csrf-token"
+        
+        persistentVolume:
+            enabled: true
+            storageClass: "zfs-fast"
+            size: 10Gi
+        
+        service:
+            type: ClusterIP
+            port: 5984
+        
+        ingress:
+            enabled: true
+            className: haproxy
+            hosts:
+                - vlt.ntwl.xyz
+            tls:
+                - hosts:
+                      - vlt.ntwl.xyz
+                  secretName: couchdb-tls
+
+            annotations:
+                cert-manager.io/cluster-issuer: "letsencrypt-prod"
+                haproxy.org/ssl-redirect: "true"
+                haproxy.org/proxy-body-size: "100m"
+                haproxy.org/timeout-client: "600s"
+                haproxy.org/timeout-server: "600s"

storage/minio.ingress.yaml

@@ -10,7 +10,6 @@ spec:
   ingressClassName: haproxy
   tls:
   - hosts:
-    - minio.strix.systems
     - minio.ntwl.xyz
     secretName: minio.strix.systems
   rules:
@@ -50,20 +49,9 @@ spec:
   ingressClassName: haproxy
   tls:
   - hosts:
-    - storage.strix.systems
     - storage.ntwl.xyz
-    secretName: storage.strix.systems
+    secretName: storage.ntwl.xyz
   rules:
-  - host: storage.strix.systems
-    http:
-      paths:
-      - path: /
-        pathType: Prefix
-        backend:
-          service:
-            name: minio-service
-            port:
-              number: 9000
   - host: storage.ntwl.xyz
     http:
       paths: