From 2f1b6059450448cbddb4e22fc4ac17550f3aa3b0 Mon Sep 17 00:00:00 2001 From: daurnimator Date: Tue, 29 Nov 2022 23:34:46 +1100 Subject: [PATCH 1/3] misskey: initial commit --- misskey/README.md | 8 + misskey/ingress.yaml | 23 +++ misskey/kustomization.yaml | 10 ++ misskey/misskey/deployment.yaml | 53 ++++++ misskey/misskey/files/default.yml | 148 ++++++++++++++++ misskey/misskey/kustomization.yaml | 16 ++ .../misskey/misskey-configuration.enc.yaml | 160 ++++++++++++++++++ misskey/misskey/secret-generator.yaml | 6 + misskey/misskey/service.yaml | 10 ++ misskey/networkpolicy.yaml | 28 +++ misskey/redis/deployment.yaml | 35 ++++ misskey/redis/kustomization.yaml | 12 ++ misskey/redis/service.yaml | 9 + 13 files changed, 518 insertions(+) create mode 100644 misskey/README.md create mode 100644 misskey/ingress.yaml create mode 100644 misskey/kustomization.yaml create mode 100644 misskey/misskey/deployment.yaml create mode 100644 misskey/misskey/files/default.yml create mode 100644 misskey/misskey/kustomization.yaml create mode 100644 misskey/misskey/misskey-configuration.enc.yaml create mode 100644 misskey/misskey/secret-generator.yaml create mode 100644 misskey/misskey/service.yaml create mode 100644 misskey/networkpolicy.yaml create mode 100644 misskey/redis/deployment.yaml create mode 100644 misskey/redis/kustomization.yaml create mode 100644 misskey/redis/service.yaml diff --git a/misskey/README.md b/misskey/README.md new file mode 100644 index 00000000..e3565a03 --- /dev/null +++ b/misskey/README.md @@ -0,0 +1,8 @@ +# Misskey +![Misskey Status Indicator](https://argocd.hashbang.sh/api/badge?name=misskey) + +## TODO: + + - Add an elasticsearch instance + - Likely need to set up ECK operator? + - Add resource requests/limits diff --git a/misskey/ingress.yaml b/misskey/ingress.yaml new file mode 100644 index 00000000..fb1da4a0 --- /dev/null +++ b/misskey/ingress.yaml 
@@ -0,0 +1,23 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: misskey-ingress + annotations: + cert-manager.io/cluster-issuer: letsencrypt-prod +spec: + ingressClassName: nginx + rules: + - host: misskey.hashbang.sh + http: + paths: + - backend: + service: + name: misskey + port: + name: http + path: / + pathType: Prefix + tls: + - hosts: + - misskey.hashbang.sh + secretName: misskey-tls diff --git a/misskey/kustomization.yaml b/misskey/kustomization.yaml new file mode 100644 index 00000000..1e1861c0 --- /dev/null +++ b/misskey/kustomization.yaml @@ -0,0 +1,10 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: misskey +commonLabels: + app.kubernetes.io/name: misskey +resources: + - ./misskey + - ./redis + - networkpolicy.yaml + - ingress.yaml diff --git a/misskey/misskey/deployment.yaml b/misskey/misskey/deployment.yaml new file mode 100644 index 00000000..0804356d --- /dev/null +++ b/misskey/misskey/deployment.yaml @@ -0,0 +1,53 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: misskey +spec: + template: + spec: + initContainers: + - name: migrate + image: misskey/misskey + command: [npm, run, migrate] + env: + - name: NODE_ENV + value: production + - name: PGPASSWORD + valueFrom: + secretKeyRef: + name: misskey-configuration + key: PGPASSWORD + - name: PGSSLMODE + value: no-verify + volumeMounts: + - name: misskey-configuration + mountPath: /misskey/.config + readOnly: true + containers: + - name: misskey + image: misskey/misskey + command: [npm, run, start] + env: + - name: NODE_ENV + value: production + - name: PGPASSWORD + valueFrom: + secretKeyRef: + name: misskey-configuration + key: PGPASSWORD + - name: PGSSLMODE + value: no-verify + resources: + requests: + memory: 350M + volumeMounts: + - name: misskey-configuration + mountPath: /misskey/.config + readOnly: true + ports: + - name: http + containerPort: 3000 + volumes: + - name: misskey-configuration + configMap: + name: misskey-configuration 
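Review bot: `PGSSLMODE` is set to `no-verify` in both the `migrate` init container and the `misskey` container of misskey/misskey/deployment.yaml, so the server certificate of the PostgreSQL connection is presumably never checked, and the database host in files/default.yml is an external managed endpoint. A party on that network path could present its own certificate and receive the `PGPASSWORD` credential. Prefer `value: verify-full` with the provider's CA certificate mounted into the pod (for a Node process, for example via `NODE_EXTRA_CA_CERTS`); how Misskey hands this variable to its database driver is not visible here, so confirm the accepted values. The same `no-verify` lines are carried unchanged into social/calckey/deployment.yaml in PATCH 3/3. Separately, neither container sets a `securityContext`, while redis/deployment.yaml in this patch drops all capabilities and runs as non-root.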
diff --git a/misskey/misskey/files/default.yml b/misskey/misskey/files/default.yml
new file mode 100644
index 00000000..366ac961
--- /dev/null
+++ b/misskey/misskey/files/default.yml
@@ -0,0 +1,148 @@ +#━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ +# Misskey configuration +#━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ + +# ┌─────┐ +#───┘ URL └───────────────────────────────────────────────────── + +# Final accessible URL seen by a user. +url: https://misskey.hashbang.sh/ + +# ONCE YOU HAVE STARTED THE INSTANCE, DO NOT CHANGE THE +# URL SETTINGS AFTER THAT! + +# ┌───────────────────────┐ +#───┘ Port and TLS settings └─────────────────────────────────── + +# +# Misskey requires a reverse proxy to support HTTPS connections. +# +# +----- https://example.tld/ ------------+ +# +------+ |+-------------+ +----------------+| +# | User | ---> || Proxy (443) | ---> | Misskey (3000) || +# +------+ |+-------------+ +----------------+| +# +---------------------------------------+ +# +# You need to set up a reverse proxy. (e.g. nginx) +# An encrypted connection with HTTPS is highly recommended +# because tokens may be transferred in GET requests. + +# The port that your Misskey server should listen on. 
+port: 3000 + +# ┌──────────────────────────┐ +#───┘ PostgreSQL configuration └──────────────────────────────── + +db: + host: userdb-attempt-too-do-user-989073-0.db.ondigitalocean.com + port: 25060 + + # Database name + db: misskey + + # Auth + user: misskey + #pass: + + # Whether disable Caching queries + #disableCache: true + + # Extra Connection options + #extra: + # ssl: true + +# ┌─────────────────────┐ +#───┘ Redis configuration └───────────────────────────────────── + +redis: + host: misskey-redis + port: 6379 + #family: 0 # 0=Both, 4=IPv4, 6=IPv6 + #pass: example-pass + #prefix: example-prefix + #db: 1 + +# ┌─────────────────────────────┐ +#───┘ Elasticsearch configuration └───────────────────────────── + +#elasticsearch: +# host: localhost +# port: 9200 +# ssl: false +# user: +# pass: + +# ┌───────────────┐ +#───┘ ID generation └─────────────────────────────────────────── + +# You can select the ID generation method. +# You don't usually need to change this setting, but you can +# change it according to your preferences. + +# Available methods: +# aid ... Short, Millisecond accuracy +# meid ... Similar to ObjectID, Millisecond accuracy +# ulid ... Millisecond accuracy +# objectid ... This is left for backward compatibility + +# ONCE YOU HAVE STARTED THE INSTANCE, DO NOT CHANGE THE +# ID SETTINGS AFTER THAT! 
+ +id: 'aid' + +# ┌─────────────────────┐ +#───┘ Other configuration └───────────────────────────────────── + +# Whether disable HSTS +#disableHsts: true + +# Number of worker processes +#clusterLimit: 1 + +# Job concurrency per worker +# deliverJobConcurrency: 128 +# inboxJobConcurrency: 16 + +# Job rate limiter +# deliverJobPerSec: 128 +# inboxJobPerSec: 16 + +# Job attempts +# deliverJobMaxAttempts: 12 +# inboxJobMaxAttempts: 8 + +# IP address family used for outgoing request (ipv4, ipv6 or dual) +#outgoingAddressFamily: ipv4 + +# Proxy for HTTP/HTTPS +#proxy: http://127.0.0.1:3128 + +proxyBypassHosts: + - api.deepl.com + - api-free.deepl.com + - www.recaptcha.net + - hcaptcha.com + - challenges.cloudflare.com + +# Proxy for SMTP/SMTPS +#proxySmtp: http://127.0.0.1:3128 # use HTTP/1.1 CONNECT +#proxySmtp: socks4://127.0.0.1:1080 # use SOCKS4 +#proxySmtp: socks5://127.0.0.1:1080 # use SOCKS5 + +# Media Proxy +# Reference Implementation: https://github.com/misskey-dev/media-proxy +#mediaProxy: https://example.com/proxy + +# Proxy remote files (default: false) +#proxyRemoteFiles: true + +# Sign to ActivityPub GET request (default: true) +signToActivityPubGet: true + +#allowedPrivateNetworks: [ +# '127.0.0.1/32' +#] + +# Upload or download file size limits (bytes) +#maxFileSize: 262144000 + diff --git a/misskey/misskey/kustomization.yaml b/misskey/misskey/kustomization.yaml new file mode 100644 index 00000000..d4aea635 --- /dev/null +++ b/misskey/misskey/kustomization.yaml @@ -0,0 +1,16 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +commonLabels: + app.kubernetes.io/component: misskey +resources: + - deployment.yaml + - service.yaml +configMapGenerator: + - name: misskey-configuration + files: + - files/default.yml +generators: + - secret-generator.yaml +images: + - name: misskey/misskey + newTag: 13.5.2@sha256:1b8eae17b59cf793b96e3f9128e7021d35bbe0f44142a5bcdc09dbe8df962316 
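Review bot: The `#pass:` line under `db:` in files/default.yml is left commented out with no explanation, and this file is rendered into a ConfigMap by `configMapGenerator`, which is not a place for credentials. Since deployment.yaml supplies the password through `PGPASSWORD` from a Secret, a comment such as `# Password comes from the PGPASSWORD env var (Secret misskey-configuration); never set it in this ConfigMap-backed file` would keep a later editor from filling it in. The `redis:` block likewise leaves `#pass:` unset, so Redis access control appears to rest entirely on networkpolicy.yaml, which is worth stating in a comment as well.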
diff --git a/misskey/misskey/misskey-configuration.enc.yaml b/misskey/misskey/misskey-configuration.enc.yaml
new file mode 100644
index 00000000..57b57cfd
--- /dev/null
+++ b/misskey/misskey/misskey-configuration.enc.yaml
@@ -0,0 +1,160 @@ +apiVersion: v1 +kind: Secret +metadata: + name: misskey-configuration + annotations: + kustomize.config.k8s.io/needs-hash: true +type: Opaque +stringData: + PGPASSWORD: ENC[AES256_GCM,data:70Vyirhr3m8PFNpG4QOIAqHvm03dhkcChyfXh7LY07KlKzIbLMGsPw==,iv:vkQaCDQg9G6v+oJesT1Qr9hzjb7/HhOT3FdgVzLeOeM=,tag:U9TFXt/VbPEZOK9K3fD8jQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2023-02-08T14:20:24Z" + mac: ENC[AES256_GCM,data:EI5uz9DFTfrqGfzb+UAnxacu9blmpOAM684InDjNHTp2A/W4AYMAPG/rfVqzn1BOC5GCtNXrKRQvhy1PYtnh5rLtV0qbfHv8uvc4iyc+JK7EVcVibv6zMLm2Dm/a408vhHDGMFpo1sZBjFEcKWfzZXcG2cELKpzm7OtjFByCqX4=,iv:tixU1u5gfPXRL3j0/xZhdLtpywc0B5l/Ml8nC/bqjM8=,tag:dEmeIipYR3pMjxUed03XiQ==,type:str] + pgp: + - created_at: "2023-02-08T13:39:37Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA4FedWMNSzdLAQ/8C1qY/XyvuIKF5vL3FGEDEeQTRz+N7i3TKziediZ25R29 + +uCHR50gt3rFnXtnE0W0zvxkBSE6c6xT9g7KML48I8yB/afTpIwfYz9gZycmeRcp + UeREmCGXhnZQbITIRmh9qZQFu62MoDwWHkcXcT8TK3VwU3AnQNKigoq2iMM4mqKM + GOHyIM9StkHrLf71/DW9WguVA4ZvJksBA4RbbRYiJ5Am6hbObAMHxAkcXHWPdOtM + FD7I8/6vtod0AuEDlcnMEbZLAp/MejJDt5+eHH6jMJETgH95qdxUuz6lKNbNkXys + eX+PVA8KBM6XXjPUW0m88HN34xYWZ+XD8u7kErtnm4ZfdfYkGAe3kTXtrIiKWnBV + JNCbUtEMfUvDwYdjHpVv0+ZPlwxpzhSwbo0dSQjTI3KpsfLz137BUeRfmHm3YU/m + hQ6aJTessz1/FbZm6pNhAC6zdmDZXWKU1UTt/enBt9wY9KmKye5owTK/NK5/opWs + 6rf3kugR41TT4TpJCLTJDa+huEuS7NIe5oGFqhwsEFY8puawhYgpIx+RXp7Tc8X3 + t3A9+gMhsYDdHRsHO6Z6QWO1VbVM/8k8viZ3VbByxLQEdKlqrv1zunWSuGb4sdO4 + 8zZo3DGUYem7Yvj/vBAWrOF87DrGYYRj/Rs5DddpE9mRHrNYIwbzMi/7T4uRzpLS + UQGLyxLJrxnRCJpKRtwsILCUgc74I0ekH/jsi3eJNW5TsCU8T0GuCcl+y4h5amA1 + dhKfhFfhMg2qNchEjTA47gJtT0kAcanEwRHHES4cgJZTqA== + =ulCt + -----END PGP MESSAGE----- + fp: 954A3772D62EF90E4B31FBC6C91A9911192C187A + - created_at: "2023-02-08T13:39:37Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMAw95Vf08z8oUARAAt2gVPAnAgNhyRUDba/obL4T7AOXdxfsm4gLgpDjkcGRz + 8lACLEWfn8YA44FOQU0TFAg6RVtlIjYQ9qpYjSHzbTGarWEOSEgcBkb7/FgI2gnE + 
0kFHrhm3Cdld/VdR5XxkfYohFbiN4F3kj75slHvXthot0TBsJHgwbPyiOgAp9YIj + bTy9jQo4md4ptwBwXwQlylmmKCmsZyvKFGOQTNq0jwvXOAMGVPXvSYySBxZ4wMlT + Jj5tZWetVCvxqYNDgf+5wO41bCK2qewcxNpPIp036J09gMPhvuBtrY8UCZT3kt09 + y9i7pEeRwVxkfy5+GBxHxzAt3vYEYvqIAXCShEZUePRk91bPBFdA6nGoAl06pAjM + ro65PEK77K13cdrHarSqMB5lI/5B5RxM94eMyNwFiPYMfAsCYIHuFsiTs5F2Peil + T27Dr7/DhZ/ZU5/bd0ORKewxBHbSyib9h5Ss+2dzbXXFqkof7w6R2seLU443+5pW + y61Jiz+3k1K3QbTdqWkfyxKdAoulvajY0XD64fSArGAodRvqjlEAVDflgUzNWL6k + UPH5KAYdAvLxHeLpEhjFZzocDD4ABwCnflnyb2ipcibkW2Oh70p5djCi8M/sfaKm + COHKE9RQr42cdzpZH7aeuiHxcrkUbIaT21Vddx9vPz5V9ngREvfPs6Ayq1mAy/rS + UQHYf3DpasCJjGRu/aia2mOP7hvIMK2qYW15/u1j8TcqttjFmgDVORi4jXeJ5iRq + 1531N2Qa+5p7ofJeFmvy6gg4HamF2+aDWQxtsOIaSx3cpQ== + =JFYq + -----END PGP MESSAGE----- + fp: 88823A75ECAA786B0FF38B148E401478A3FBEF72 + - created_at: "2023-02-08T13:39:37Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA82rPM2mSf/aARAAghF0w3zcJFsWg+l7/qqoXJN7kEEhSaiJKOFJQZQlULih + m11YfBIYbqQGGmZnF6JoXnW4aaLQdWbLpk8Ynz/54hjwyoNE6VRwwl30xyR63ark + efQ3vnZKIrtLVJ7gpiQAN1BE1w5Kp7WZw98FLEkUJjWlW2UPkCJ6Tfenl2VhNMJ8 + 5WSiLTYUCqrWN/+2N5KLxzJ/IdrsCxWzntY8RownyBeTNveIx7Yfju3MliFqHV+x + DfnonUG1vrgTkxGRVjuv7kKc45cmtAsd+D5yvAlgVgz1FX08ubWa6ytFeJZccWqu + zaUQxhBSFV3t+QAJUT+NoNIeXgqxfENnhxfV39he2hHmTO33WtbVarw+mZ1KwGNF + H1f1cL2FGggVdv2G01k1uzQgv745eRbeBSwEavXfBB65eeuT8S6nTQIi+ZrgPSuK + dMUyBdjkxNSFgudyU1fhlXqWd6BPL6/kVl+mSjKuydNd+nfb37+6i+hZq652cNyb + Mbw9Tf5gNcfciRRtVVLgFMfIQAHz0S95WmvVLf4FYt6Tr9NV4wOq6mkL/sHu/pP8 + FR8yMzjgNJ4XcEq+Y+L4dJtqnHjip26dDG2HeBH7RtGDzS37Ep4/az6NqDcXp/RH + SRCnG7GRVKLFZXuPDxywXdAp7unNlFA/ER7itHY7zUQ4RD13A97k53ly4xgGYWvS + UQFshYGUHvh+9UxKD6vlUOj64mzirRCZ8dKp38/d408SzvZR5XfgEFIlaQP0uhPL + ASFyjhzvNnQ1NhVknY9IJfQCKK74AvVC+y/15o5U8ELD2w== + =b8hq + -----END PGP MESSAGE----- + fp: 6B61ECD76088748C70590D55E90A401336C8AAA9 + - created_at: "2023-02-08T13:39:37Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA6dhVUuTLV7oAQ//d7/6SpHXBeQwx8X2HUPreYlaikbBWmVkhjgxpUrC7DUX + 
ZkJFDJNnxVMMKG1ps0cDPjdbET7GFBvdnEHasFKxGizmTW3VEyi00KJXybZdQAL7 + OkMfjKYrjjEDE+sxqZH3setkPQdYxozqQW2JxEG0KQXuh/4qOGq1qsV3usO2bEqE + I9/XA5VmvnaCL4xIFR4p+nBb3vi7hhhPAPDiUEc3NT9tI+Mm/g2ehCYqcbz7y5Tp + YsDX5zTSBfhYIkBzq9TWRsYo4yABkacE2RHh2uZte3rARI0pMark4czPej0AMl1V + F95hUqzx3rFYOb9hy2izur7Q6cZcDuNk8h/10A4idKBVQ/TBoz27P0+FRlEvmKfk + ksY/JtTFXUJhuClbzE3kmfwRcsi21tV0hiTOYPccocuCAmSx7x3rv0WxwwqnMofA + BNUyUN15CrLN9w/RlmUqs+vAEHSwEttVezXYBxQIr72Yno5x5wlQnIvW5TYEfEdV + PFhb7PPYfsm20UaIWEacErIngHmIE1egQCZm+cEr3llbciqHlNYQF3WSgyj1XB/9 + fLQHHrjPER8/8WdGYxCInSaMs42yRhGK0Rvvws9NmPNLpabEfVI9OSloai7aR87+ + AgmwGeymekl3+YeiOoYNgEmDfTFj/ZRxQPV5QGR9kjV4Rx7zt4sK8kx5KaJ/w2XS + UQFoRQTNHGfmkUQK57GHO4DLotMSIDMbj0vtx1Jy8kJAGUB33/kdTPiFaI5+X1z8 + NJKm+1ifcZUZz6GINmI8kLzGB0wsDBhzK2FWpQiiYyu8+Q== + =eSUG + -----END PGP MESSAGE----- + fp: FC2255B7BBC7EABD4EFAFA1068907D8BCCD85A5A + - created_at: "2023-02-08T13:39:37Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + wcFMA8KRInHl7Vz+ARAAi5j44pxPaxjIcKoa4g/RFK09mkSHKRjzKgjdhJQIhQ3L + bH15CdgRFxP0tljGchyPK9riAKhW4f1eDZs2uWOe7bRRxQQR7wpfrjX+zyEvOwz1 + a5IoP5Gci9gEeEKOGHF/BG9exD/PDJxVmuIsdd2T56ZcJXO15qnfPJBkbPrVaSS5 + xJe2ZuH7SIk/c35LmYJyaqyb0L8UVHigVLak/ujsvHciZ5T4tGKZ5a7B45HNxmTr + nr+KegHuIPiSx+xd9ysSMvQlhkt1Eqzqhu06BQS7oN6zwBpbb17W0WS7GLSSm3Y5 + k2zppeFep5eEJyxrD2dC7/Y4tKTHeGIYqOh+HDsGiqpoKkcx18mBpDw41t0YfN9K + 6/i48kjNZUB/ICs53xWYrKl+R16+lmlP/nqxFjQN9Q5/g9xVgvV3G9Er1XPidFzQ + WTlDeJckipqiSqxfqBsgIXjtH3grV5mBvIslfvSBPdRulgaMTqWnrXF5hadIpsDh + fKH3PHzvQeSfy6FvHGtYFITQo7iuYUn6qqvCrC1e2VHO+SYskf9Sh30t1lZ1Uwmd + 7ku2hTw7LkBCjEP3xObkMijsvn9i9bbgC/ySBhIcE/zmvszAATllNg4KG38ZHh14 + jLSXXa2jblEk0QIEA38uMW2wVasiaopa06+lar5mSjL1X4xjK4cuwTtgxD1UWqrS + UQGGWJvE9XLFioWb/38+G87VbuwLjwehXrBJToB6p0Gs+J38YbFasXf8tH3yrUqa + GAo5sJiEzISHaYaLgyoOZCVINjz56bAlNHvWqtiZ8w1g+A== + =4DIe + -----END PGP MESSAGE----- + fp: C92FE5A3FBD58DD3EC5AA26BB10116B8193F2DBD + - created_at: "2023-02-08T13:39:37Z" + enc: | + -----BEGIN PGP MESSAGE----- + + 
hQIMA/AOBFOW6Hm2AQ/+JEqvfi3odh7/ey0EKg6srPABPd5YV4qbW84MKy8KJaTZ + pb+r543vCEpPj0SJ10xwUK6rtpqbMjVY0ROTGUn1xtkMzbY97SqW/cpsOR+aQqfn + Gry/jx9QcYq9eEKSDYGefmWbcnz+KO1oE/piRJLBBPTOorpIqcBnrqIJv76h1hjl + fbDoNhCIGsXhLEYd1l3APl2PdMZ02EqV+LqhybNPEPgordWbWekt06h0JY3UWtoE + +cDQPNXorDSFp1zVZM0EsU1jnKSZ3F6anacVv20EbWdWRHwiT+mL1wEqnZUmohTX + RFn9YBsg4kbCIroXaVMIzSchWqmvjGCCgCAyJL9shg9DEsqw0tUhDKZYdLwEp6Eo + oB/mfPIL/hxX4vS6Ob3qJ1RCTRSv450gOo58lcFuc0UzLLATD5bUhwq+4F1Mi25x + EgLJurObRIOZ98xa8d1PHwp/XgX39IihP+MXyuLH8iRFsp+ZZLJrIRG0ClLGrCVx + cij26Jht2vnPQsPYZ5ZQkpkikYlHSYYvjVITW4OKpT91Xuo95/j0DGqOQiQZZrAj + UzKPqnFhD6A7e0aaw+JTypHLE+HEEaXU4GKhefTiMh5rx7ihzhrEEl5DTkgmptpP + UydlAOaXk5VNlJzAMBiU30pSpox7HMK7DB06Lr24JWAtKe/89xuMxtotX0yhQkbS + XgHCcfUvtVfGYpE4ZC4jd4CPPswgtvEkyqkoBl/+yxuxruX3byIAek22/3F9n9KZ + gGcAdHCohnoxS8TWlLmh1LRcSICbuJW4ZnawEKdvPXpAs1MlNAJYItI2VeZvgfM= + =puzc + -----END PGP MESSAGE----- + fp: F2B7999666D83093F8D4212926CDD32189AA2885 + - created_at: "2023-02-08T13:39:37Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hQIMA+pWRuJw67SWAQ/9Hx6dnR4/BXMNY+lashry/QJ6eax1wBBVsy/no6pnOkNe + 4f+Za6HlQ0kkTBJRsZAQelCCTF867wTNilnEMljMnaV7aYgGDeF9jSYu3/ENc+CE + XX8bFnF/on4yJPqWBgcnwwieCFdgVV41f/PFdNUYlMcfc4fUaljF85ODp+GwWeql + 3OPF3f/W7x+Vr8biGVl82G5BO42i4F/MHWp8LAhqQ8uue0ieBDzgoHFeApM6wJcB + S5CpZJo0QuNQNybwY0PlfLJmb6JKaFJciSIfYXwDIKMscIrG8ik4+8Xx1KCJwuLo + /8EbbK3s2xwwGakvdyODcnsknIXD3YO8PQMzJ675weUC+QZnR35OqclMZCf8VtKx + qXWQkp3JMwLLnZiDUF0qtGTvEzOdqtLHQ7BnKxmjWRH4KuFPGIbHbjq/X4ayA5Jh + BGPm6Vw59mPR2h1PpaNKW3KH/iQmyeOqipvHQbe+LiOvz1fVoVmVOu4yCzstTLNp + yfQymFRuM5K1014WA7hdtEWCsMK2yUuli5goWxHQvdq/VA1RlEMjssn5tpPGFlpB + yVsHfmYsGVhxOou58JbutwKXzAnNK6OJI8OP9Tb7YjgOWf7oWHC+4MOQr6DnuBRy + qbX0gFWQZIrY3QSVS7Ez/ppDM7iqYtYWeUkIQYx/zra7qRfKzTA0KAeTkxtoPFvS + XgFAo3Pc3l+kjkJmq7vL0sGywVceIinqxQdc9jwVpr9wY6OKPTnizZOnDOP9TeR2 + kGT1o+isvS0HNAs3uL0Go1CHpPCdAHo/KG2fYdhJGaAKVVp/YkPWVjX7dDiHINM= + =IdFH + -----END PGP MESSAGE----- + fp: 1FD6667A0808D4D48BDB8757A61B48D8288FCF8A + 
encrypted_regex: ^(data|stringData)$ + version: 3.7.3 diff --git a/misskey/misskey/secret-generator.yaml b/misskey/misskey/secret-generator.yaml new file mode 100644 index 00000000..3ad4bbad --- /dev/null +++ b/misskey/misskey/secret-generator.yaml @@ -0,0 +1,6 @@ +apiVersion: viaduct.ai/v1 +kind: ksops +metadata: + name: misskey-secrets +files: + - ./misskey-configuration.enc.yaml diff --git a/misskey/misskey/service.yaml b/misskey/misskey/service.yaml new file mode 100644 index 00000000..a7d8c38e --- /dev/null +++ b/misskey/misskey/service.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: Service +metadata: + name: misskey +spec: + type: ClusterIP + ports: + - port: 3000 + protocol: TCP + name: http diff --git a/misskey/networkpolicy.yaml b/misskey/networkpolicy.yaml new file mode 100644 index 00000000..2e1f3da3 --- /dev/null +++ b/misskey/networkpolicy.yaml @@ -0,0 +1,28 @@ +apiVersion: networking.k8s.io/v1 +kind: NetworkPolicy +metadata: + name: misskey-redis-network-policy +spec: + egress: + - ports: + - port: 53 + protocol: UDP + - port: 53 + protocol: TCP + to: + - ipBlock: + cidr: 0.0.0.0/0 + ingress: + - from: + - podSelector: + matchLabels: + app.kubernetes.io/name: misskey + ports: + - port: 6379 + protocol: TCP + podSelector: + matchLabels: + app.kubernetes.io/component: redis + policyTypes: + - Ingress + - Egress diff --git a/misskey/redis/deployment.yaml b/misskey/redis/deployment.yaml new file mode 100644 index 00000000..1b8d5b1d --- /dev/null +++ b/misskey/redis/deployment.yaml 
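Review bot: The annotation `kustomize.config.k8s.io/needs-hash: true` in misskey-configuration.enc.yaml is an unquoted YAML boolean, but annotation values are strings in the Kubernetes object model. Depending on the tooling this is tolerated, rejected or ignored, and if it is ignored the generated Secret would lose the name-suffix hash that the annotation presumably exists to request. Write it as `kustomize.config.k8s.io/needs-hash: "true"`.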
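Review bot: The ingress rule in networkpolicy.yaml selects clients with `app.kubernetes.io/name: misskey`, which misskey/kustomization.yaml applies as a common label to every resource of the app, so the rule admits the Redis pods themselves and any component added later, not only the Misskey server. Selecting on `app.kubernetes.io/component: misskey` (the label set in misskey/misskey/kustomization.yaml) would limit port 6379 to the one workload that needs it. The policy's `podSelector` covers only the Redis pods, so the Misskey pods are left without any policy in this patch. The egress rule permits DNS on port 53 to `0.0.0.0/0`; narrowing it to the cluster DNS service is worth considering.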
@@ -0,0 +1,35 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: redis +spec: + template: + spec: + affinity: + podAntiAffinity: + preferredDuringSchedulingIgnoredDuringExecution: + - podAffinityTerm: + labelSelector: + matchLabels: {} + topologyKey: kubernetes.io/hostname + weight: 100 + containers: + - name: redis + image: redis + args: + - --save + - "" + - --appendonly + - "no" + ports: + - containerPort: 6379 + securityContext: + allowPrivilegeEscalation: false + capabilities: + drop: + - ALL + securityContext: + runAsNonRoot: true + runAsUser: 999 + seccompProfile: + type: RuntimeDefault diff --git a/misskey/redis/kustomization.yaml b/misskey/redis/kustomization.yaml new file mode 100644 index 00000000..c1069c21 --- /dev/null +++ b/misskey/redis/kustomization.yaml @@ -0,0 +1,12 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namePrefix: misskey- +commonLabels: + app.kubernetes.io/component: redis +resources: + - deployment.yaml + - service.yaml +images: + - name: redis + newTag: 7.0.5-alpine + digest: sha256:40b02b7a48829317e973114d07968d28eaaf75ec6b80ddef20f3999238aad7c8 diff --git a/misskey/redis/service.yaml b/misskey/redis/service.yaml new file mode 100644 index 00000000..5ab4a196 --- /dev/null +++ b/misskey/redis/service.yaml @@ -0,0 +1,9 @@ +apiVersion: v1 +kind: Service +metadata: + name: redis +spec: + ports: + - name: tcp-redis + port: 6379 + targetPort: 6379 From 5023295b731d70192537fc5ecc00e81d69626e2f Mon Sep 17 00:00:00 2001 
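Review bot: The `redis` container's `securityContext` in redis/deployment.yaml drops all capabilities and blocks privilege escalation but leaves the root filesystem writable. With persistence turned off by `--save ""` and `--appendonly "no"`, the container should have little need to write, so adding `readOnlyRootFilesystem: true` is worth testing. The empty `matchLabels: {}` under `podAntiAffinity` also deserves a comment such as `# left empty on purpose; filled in by kustomize commonLabels`, if that is the intent, because an empty selector read literally matches every pod. No resource requests or limits are set, which the README TODO already records.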
From: daurnimator Date: Fri, 12 May 2023 22:22:10 +1000 Subject: [PATCH 2/3] Move misskey to 'social' domain + namespace --- {misskey => social}/README.md | 4 ++-- {misskey => social}/ingress.yaml | 10 +++++----- {misskey => social}/kustomization.yaml | 4 ++-- {misskey => social}/misskey/deployment.yaml | 0 {misskey => social}/misskey/files/default.yml | 4 ++-- {misskey => social}/misskey/kustomization.yaml | 0 .../misskey/misskey-configuration.enc.yaml | 0 {misskey => social}/misskey/secret-generator.yaml | 0 {misskey => social}/misskey/service.yaml | 0 {misskey => social}/networkpolicy.yaml | 0 {misskey => social}/redis/deployment.yaml | 0 {misskey => social}/redis/kustomization.yaml | 2 +- {misskey => social}/redis/service.yaml | 0 13 files changed, 12 insertions(+), 12 deletions(-) rename {misskey => social}/README.md (57%) rename {misskey => social}/ingress.yaml (70%) rename {misskey => social}/kustomization.yaml (74%) rename {misskey => social}/misskey/deployment.yaml (100%) rename {misskey => social}/misskey/files/default.yml (98%) rename {misskey => social}/misskey/kustomization.yaml (100%) rename {misskey => social}/misskey/misskey-configuration.enc.yaml (100%) rename {misskey => social}/misskey/secret-generator.yaml (100%) rename {misskey => social}/misskey/service.yaml (100%) rename {misskey => social}/networkpolicy.yaml (100%) rename {misskey => social}/redis/deployment.yaml (100%) rename {misskey => social}/redis/kustomization.yaml (93%) rename {misskey => social}/redis/service.yaml (100%) diff --git a/misskey/README.md b/social/README.md similarity index 57% rename from misskey/README.md rename to social/README.md index e3565a03..80a96646 100644 --- a/misskey/README.md +++ b/social/README.md @@ -1,5 +1,5 @@ -# Misskey -![Misskey Status Indicator](https://argocd.hashbang.sh/api/badge?name=misskey) +# Social +![Social Status Indicator](https://argocd.hashbang.sh/api/badge?name=social) ## TODO: 
diff --git a/misskey/ingress.yaml b/social/ingress.yaml similarity index 70% rename from misskey/ingress.yaml rename to social/ingress.yaml index fb1da4a0..9f41d040 100644 --- a/misskey/ingress.yaml +++ b/social/ingress.yaml @@ -1,23 +1,23 @@ apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: misskey-ingress + name: social annotations: cert-manager.io/cluster-issuer: letsencrypt-prod spec: ingressClassName: nginx rules: - - host: misskey.hashbang.sh + - host: social.hashbang.sh http: paths: - backend: service: - name: misskey + name: calckey port: name: http path: / pathType: Prefix tls: - hosts: - - misskey.hashbang.sh - secretName: misskey-tls + - social.hashbang.sh + secretName: social-tls diff --git a/misskey/kustomization.yaml b/social/kustomization.yaml similarity index 74% rename from misskey/kustomization.yaml rename to social/kustomization.yaml index 1e1861c0..9088eb1f 100644 --- a/misskey/kustomization.yaml +++ b/social/kustomization.yaml @@ -1,8 +1,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namespace: misskey +namespace: social commonLabels: - app.kubernetes.io/name: misskey + app.kubernetes.io/name: social resources: - ./misskey - ./redis diff --git a/misskey/misskey/deployment.yaml b/social/misskey/deployment.yaml similarity index 100% rename from misskey/misskey/deployment.yaml rename to social/misskey/deployment.yaml diff --git a/misskey/misskey/files/default.yml b/social/misskey/files/default.yml similarity index 98% rename from misskey/misskey/files/default.yml rename to social/misskey/files/default.yml index 366ac961..e9bbba63 100644 --- a/misskey/misskey/files/default.yml +++ b/social/misskey/files/default.yml @@ -6,7 +6,7 @@ #───┘ URL └───────────────────────────────────────────────────── # Final accessible URL seen by a user. -url: https://misskey.hashbang.sh/ +url: https://social.hashbang.sh/ # ONCE YOU HAVE STARTED THE INSTANCE, DO NOT CHANGE THE # URL SETTINGS AFTER THAT! 
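Review bot: The backend in social/ingress.yaml is switched to `name: calckey` in this commit, but the Service is still called `misskey` here; misskey/service.yaml is only renamed (similarity index 100%) and does not become `calckey` until PATCH 3/3. Applied on its own, PATCH 2/3 would leave the Ingress pointing at a Service that does not exist. Keep `name: misskey` in this commit and change it in the commit that renames the Service, so that each commit deploys cleanly.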
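Review bot: The `url:` value changes from `https://misskey.hashbang.sh/` to `https://social.hashbang.sh/` directly above the file's own warning that the URL settings must not be changed once the instance has been started. If the instance created in PATCH 1/3 ever ran under the old hostname, the commit message should say how existing data is handled (for example that the database is recreated). If it never ran, saying so would settle the question for reviewers.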
@@ -55,7 +55,7 @@ db: #───┘ Redis configuration └───────────────────────────────────── redis: - host: misskey-redis + host: social-redis port: 6379 #family: 0 # 0=Both, 4=IPv4, 6=IPv6 #pass: example-pass diff --git a/misskey/misskey/kustomization.yaml b/social/misskey/kustomization.yaml similarity index 100% rename from misskey/misskey/kustomization.yaml rename to social/misskey/kustomization.yaml diff --git a/misskey/misskey/misskey-configuration.enc.yaml b/social/misskey/misskey-configuration.enc.yaml similarity index 100% rename from misskey/misskey/misskey-configuration.enc.yaml rename to social/misskey/misskey-configuration.enc.yaml diff --git a/misskey/misskey/secret-generator.yaml b/social/misskey/secret-generator.yaml similarity index 100% rename from misskey/misskey/secret-generator.yaml rename to social/misskey/secret-generator.yaml diff --git a/misskey/misskey/service.yaml b/social/misskey/service.yaml similarity index 100% rename from misskey/misskey/service.yaml rename to social/misskey/service.yaml diff --git a/misskey/networkpolicy.yaml b/social/networkpolicy.yaml similarity index 100% rename from misskey/networkpolicy.yaml rename to social/networkpolicy.yaml diff --git a/misskey/redis/deployment.yaml b/social/redis/deployment.yaml similarity index 100% rename from misskey/redis/deployment.yaml rename to social/redis/deployment.yaml diff --git a/misskey/redis/kustomization.yaml b/social/redis/kustomization.yaml similarity index 93% rename from misskey/redis/kustomization.yaml rename to social/redis/kustomization.yaml index c1069c21..901d5dc7 100644 --- a/misskey/redis/kustomization.yaml +++ b/social/redis/kustomization.yaml @@ -1,6 +1,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization -namePrefix: misskey- +namePrefix: social- commonLabels: app.kubernetes.io/component: redis resources: 
diff --git a/misskey/redis/service.yaml b/social/redis/service.yaml similarity index 100% rename from misskey/redis/service.yaml rename to social/redis/service.yaml From 737ca1b0c78fd75883d8a1120b652e5454b31097 Mon Sep 17 00:00:00 2001 From: daurnimator Date: Fri, 12 May 2023 22:27:44 +1000 Subject: [PATCH 3/3] social: move to calckey --- .../calckey-db.enc.yaml} | 6 +- social/{misskey => calckey}/deployment.yaml | 24 +++--- social/{misskey => calckey}/files/default.yml | 77 ++++++++++++++++--- .../{misskey => calckey}/kustomization.yaml | 8 +- social/calckey/secret-generator.yaml | 6 ++ social/{misskey => calckey}/service.yaml | 2 +- social/kustomization.yaml | 2 +- social/misskey/secret-generator.yaml | 6 -- social/networkpolicy.yaml | 4 +- 9 files changed, 94 insertions(+), 41 deletions(-) rename social/{misskey/misskey-configuration.enc.yaml => calckey/calckey-db.enc.yaml} (96%) rename social/{misskey => calckey}/deployment.yaml (69%) rename social/{misskey => calckey}/files/default.yml (76%) rename social/{misskey => calckey}/kustomization.yaml (53%) create mode 100644 social/calckey/secret-generator.yaml rename social/{misskey => calckey}/service.yaml (88%) delete mode 100644 social/misskey/secret-generator.yaml diff --git a/social/misskey/misskey-configuration.enc.yaml b/social/calckey/calckey-db.enc.yaml similarity index 96% rename from social/misskey/misskey-configuration.enc.yaml rename to social/calckey/calckey-db.enc.yaml index 57b57cfd..972ea26b 100644 --- a/social/misskey/misskey-configuration.enc.yaml +++ b/social/calckey/calckey-db.enc.yaml @@ -1,7 +1,7 @@ apiVersion: v1 kind: Secret metadata: - name: misskey-configuration + name: calckey-db annotations: kustomize.config.k8s.io/needs-hash: true type: Opaque 
@@ -13,8 +13,8 @@ sops: azure_kv: [] hc_vault: [] age: [] - lastmodified: "2023-02-08T14:20:24Z" - mac: ENC[AES256_GCM,data:EI5uz9DFTfrqGfzb+UAnxacu9blmpOAM684InDjNHTp2A/W4AYMAPG/rfVqzn1BOC5GCtNXrKRQvhy1PYtnh5rLtV0qbfHv8uvc4iyc+JK7EVcVibv6zMLm2Dm/a408vhHDGMFpo1sZBjFEcKWfzZXcG2cELKpzm7OtjFByCqX4=,iv:tixU1u5gfPXRL3j0/xZhdLtpywc0B5l/Ml8nC/bqjM8=,tag:dEmeIipYR3pMjxUed03XiQ==,type:str] + lastmodified: "2023-05-12T13:16:40Z" + mac: ENC[AES256_GCM,data:OL7O0OjS9M4ctfEmeZr3waQVpp96aatVy50wULFpFdsmoCH9txgvz7POrVl7PZUOC95XrknedXLXshbHRGm6DUCARPIcGxiHj9aAiVjFnFnZQsl8VGVfaREuiYB09uIrRHDHpm7z7myNJtKHxjoM2bwHW5NtddG23jLyGWWyXY0=,iv:4MAtReNn6N1dBHvt209r80k91H8McQtP8WKYy6X5bvg=,tag:lXnmpCCgAao9wyMarj9HcA==,type:str] pgp: - created_at: "2023-02-08T13:39:37Z" enc: |- diff --git a/social/misskey/deployment.yaml b/social/calckey/deployment.yaml similarity index 69% rename from social/misskey/deployment.yaml rename to social/calckey/deployment.yaml index 0804356d..edbb93fa 100644 --- a/social/misskey/deployment.yaml +++ b/social/calckey/deployment.yaml @@ -1,13 +1,13 @@ apiVersion: apps/v1 kind: Deployment metadata: - name: misskey + name: calckey spec: template: spec: initContainers: - name: migrate - image: misskey/misskey + image: thatonecalculator/calckey command: [npm, run, migrate] env: - name: NODE_ENV @@ -15,17 +15,17 @@ spec: - name: PGPASSWORD valueFrom: secretKeyRef: - name: misskey-configuration + name: calckey-db key: PGPASSWORD - name: PGSSLMODE value: no-verify volumeMounts: - - name: misskey-configuration - mountPath: /misskey/.config + - name: configuration + mountPath: /calckey/.config readOnly: true containers: - - name: misskey - image: misskey/misskey + - name: calckey + image: thatonecalculator/calckey command: [npm, run, start] env: - name: NODE_ENV @@ -33,7 +33,7 @@ spec: - name: PGPASSWORD valueFrom: secretKeyRef: - name: misskey-configuration + name: calckey-db key: PGPASSWORD - name: PGSSLMODE value: no-verify 
@@ -41,13 +41,13 @@ spec: requests: memory: 350M volumeMounts: - - name: misskey-configuration - mountPath: /misskey/.config + - name: configuration + mountPath: /calckey/.config readOnly: true ports: - name: http containerPort: 3000 volumes: - - name: misskey-configuration + - name: configuration configMap: - name: misskey-configuration + name: calckey-configuration diff --git a/social/misskey/files/default.yml b/social/calckey/files/default.yml similarity index 76% rename from social/misskey/files/default.yml rename to social/calckey/files/default.yml index e9bbba63..95f28dd5 100644 --- a/social/misskey/files/default.yml +++ b/social/calckey/files/default.yml @@ -1,5 +1,5 @@ #━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ -# Misskey configuration +# Calckey configuration #━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━━ # ┌─────┐ @@ -38,7 +38,7 @@ db: port: 25060 # Database name - db: misskey + db: calckey # Auth user: misskey @@ -93,6 +93,9 @@ id: 'aid' # ┌─────────────────────┐ #───┘ Other configuration └───────────────────────────────────── +# Max note length, should be < 8000. +#maxNoteLength: 3000 + # Whether disable HSTS #disableHsts: true @@ -114,15 +117,18 @@ id: 'aid' # IP address family used for outgoing request (ipv4, ipv6 or dual) #outgoingAddressFamily: ipv4 +# Syslog option +#syslog: +# host: localhost +# port: 514 + # Proxy for HTTP/HTTPS #proxy: http://127.0.0.1:3128 -proxyBypassHosts: - - api.deepl.com - - api-free.deepl.com - - www.recaptcha.net - - hcaptcha.com - - challenges.cloudflare.com +#proxyBypassHosts: [ +# 'example.com', +# '192.0.2.8' +#] # Proxy for SMTP/SMTPS #proxySmtp: http://127.0.0.1:3128 # use HTTP/1.1 CONNECT 
@@ -130,19 +136,66 @@ proxyBypassHosts: #proxySmtp: socks5://127.0.0.1:1080 # use SOCKS5 # Media Proxy -# Reference Implementation: https://github.com/misskey-dev/media-proxy #mediaProxy: https://example.com/proxy # Proxy remote files (default: false) #proxyRemoteFiles: true -# Sign to ActivityPub GET request (default: true) -signToActivityPubGet: true - #allowedPrivateNetworks: [ # '127.0.0.1/32' #] +# TWA +#twa: +# nameSpace: android_app +# packageName: tld.domain.twa +# sha256CertFingerprints: ['AB:CD:EF'] + # Upload or download file size limits (bytes) #maxFileSize: 262144000 +# Managed hosting settings +# !!!!!!!!!! +# >>>>>> NORMAL SELF-HOSTERS, STAY AWAY! <<<<<< +# >>>>>> YOU DON'T NEED THIS! <<<<<< +# !!!!!!!!!! +# Each category is optional, but if each item in each category is mandatory! +# If you mess this up, that's on you, you've been warned... + +#maxUserSignups: 100 +#isManagedHosting: true +#deepl: +# managed: true +# authKey: '' +# isPro: false +# +#email: +# managed: true +# address: 'example@email.com' +# host: 'email.com' +# port: 587 +# user: 'example@email.com' +# pass: '' +# useImplicitSslTls: false +# +#objectStorage: +# managed: true +# baseUrl: '' +# bucket: '' +# prefix: '' +# endpoint: '' +# region: '' +# accessKey: '' +# secretKey: '' +# useSsl: true +# connnectOverProxy: false +# setPublicReadOnUpload: true +# s3ForcePathStyle: true + +# !!!!!!!!!! +# >>>>>> AGAIN, NORMAL SELF-HOSTERS, STAY AWAY! <<<<<< +# >>>>>> YOU DON'T NEED THIS, ABOVE SETTINGS ARE FOR MANAGED HOSTING ONLY! <<<<<< +# !!!!!!!!!! + +# Seriously. Do NOT fill out the above settings if you're self-hosting. +# They're much better off being set from the control panel. diff --git a/social/misskey/kustomization.yaml b/social/calckey/kustomization.yaml similarity index 53% rename from social/misskey/kustomization.yaml rename to social/calckey/kustomization.yaml index d4aea635..01ccaab2 100644 --- a/social/misskey/kustomization.yaml +++ b/social/calckey/kustomization.yaml 
@@ -1,16 +1,16 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization commonLabels: - app.kubernetes.io/component: misskey + app.kubernetes.io/component: calckey resources: - deployment.yaml - service.yaml configMapGenerator: - - name: misskey-configuration + - name: calckey-configuration files: - files/default.yml generators: - secret-generator.yaml images: - - name: misskey/misskey - newTag: 13.5.2@sha256:1b8eae17b59cf793b96e3f9128e7021d35bbe0f44142a5bcdc09dbe8df962316 + - name: thatonecalculator/calckey + newTag: v13.1.4.1@sha256:f8a9dd03f8e639f81c6ee3c35985301f4ce49d11ff5ba0d75a6146de5139fe18 diff --git a/social/calckey/secret-generator.yaml b/social/calckey/secret-generator.yaml new file mode 100644 index 00000000..60d601aa --- /dev/null +++ b/social/calckey/secret-generator.yaml @@ -0,0 +1,6 @@ +apiVersion: viaduct.ai/v1 +kind: ksops +metadata: + name: calckey-secrets +files: + - ./calckey-db.enc.yaml diff --git a/social/misskey/service.yaml b/social/calckey/service.yaml similarity index 88% rename from social/misskey/service.yaml rename to social/calckey/service.yaml index a7d8c38e..7b0f2aa5 100644 --- a/social/misskey/service.yaml +++ b/social/calckey/service.yaml @@ -1,7 +1,7 @@ apiVersion: v1 kind: Service metadata: - name: misskey + name: calckey spec: type: ClusterIP ports: diff --git a/social/kustomization.yaml b/social/kustomization.yaml index 9088eb1f..a90d3766 100644 --- a/social/kustomization.yaml +++ b/social/kustomization.yaml @@ -4,7 +4,7 @@ namespace: social commonLabels: app.kubernetes.io/name: social resources: - - ./misskey + - ./calckey - ./redis - networkpolicy.yaml - ingress.yaml diff --git a/social/misskey/secret-generator.yaml b/social/misskey/secret-generator.yaml deleted file mode 100644 index 3ad4bbad..00000000 --- a/social/misskey/secret-generator.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: viaduct.ai/v1 -kind: ksops -metadata: - name: misskey-secrets -files: - - ./misskey-configuration.enc.yaml 
diff --git a/social/networkpolicy.yaml b/social/networkpolicy.yaml index 2e1f3da3..e082f9fc 100644 --- a/social/networkpolicy.yaml +++ b/social/networkpolicy.yaml @@ -1,7 +1,7 @@ apiVersion: networking.k8s.io/v1 kind: NetworkPolicy metadata: - name: misskey-redis-network-policy + name: calckey-redis-network-policy spec: egress: - ports: @@ -16,7 +16,7 @@ spec: - from: - podSelector: matchLabels: - app.kubernetes.io/name: misskey + app.kubernetes.io/name: calckey ports: - port: 6379 protocol: TCP
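Review bot: The new selector `app.kubernetes.io/name: calckey` under `ingress.from.podSelector` does not match any label defined in this series: social/kustomization.yaml sets `app.kubernetes.io/name: social` and social/calckey/kustomization.yaml sets `app.kubernetes.io/component: calckey`. Taken literally, no pod could reach Redis on port 6379; it may only work because kustomize's `commonLabels` can also rewrite NetworkPolicy selectors, which would turn this value into `social` at render time (verify with a `kustomize build`). Use `app.kubernetes.io/component: calckey` here so the file states the intended client explicitly.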