feat: ++ memos

kubernetes/apps/default/kustomization.yaml

@@ -16,6 +16,7 @@ resources:
   - ./letsblockit/ks.yaml
   - ./linkding/ks.yaml
   - ./mealie/ks.yaml
+  - ./memos/ks.yaml
   - ./miniflux/ks.yaml
   - ./opengist/ks.yaml
   - ./pairdrop/ks.yaml

kubernetes/apps/default/memos/README.md

@@ -0,0 +1,3 @@
+# Application
+
+Short summary

kubernetes/apps/default/memos/app/backup/kustomization.yaml

@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./volsync.yaml
+  - ./secret.sops.yaml

kubernetes/apps/default/memos/app/backup/secret.sops.yaml

@@ -0,0 +1,35 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: memos-restic
+    namespace: default
+type: Opaque
+stringData:
+    #ENC[AES256_GCM,data:GZJDY0DkCd80JkjdcUyzpXx8fIrHf8XPpd1Ncf78Odmwojkm9fex9MxrkWW/TnwMhzVsRb2CzXnN0yWJ4HdTNbB3gCfxwXgme88TM5KDmYY=,iv:MIy0JtL/oDzdOkkf18iRiLerHGP3Ve3gaTqaq19kvbE=,tag:l2rAkNTKoxJovnlQO0hCxA==,type:comment]
+    RESTIC_REPOSITORY: ENC[AES256_GCM,data:6aTu2onVDX2odbV5cCkZaHdIfRFyf4z11hETHNfY0fzx52SABStXdkaqAsJ/ysdDLLNHDVR1,iv:m+mgIiJpSb5//ZBcoRjoT/N1yHs+aV8CWrmpMbsv5UU=,tag:EllJ7XcGVt+yBNmsqJ0n5Q==,type:str]
+    #ENC[AES256_GCM,data:RLF3H/QyOr62PShbNHvT2DH2yxM26frEMWRAYxyA,iv:h781RRnwrz8+xI90MmrR3hHudoGhiBqeLmCjzmbucKE=,tag:w02PpVBQmW4BH7hXHfK5vw==,type:comment]
+    RESTIC_PASSWORD: ENC[AES256_GCM,data:f+NixzLeRvYrkGlP,iv:n1SRZbHL/IUV2nEDRtByojraAoGEDvbbKA4ZRY6IKC0=,tag:jyhxE7/oKYEI/FR3MQ9rIQ==,type:str]
+    #ENC[AES256_GCM,data:czJkfwsGC/LEQtBBfOyjVM5WD6bsW73I18lXU7TR8Uo4W5wi9UdELuM=,iv:buK/zoVpUVd+BeIDeKcjY+jCbNp31XabID/lWK728os=,tag:r3khYuxdGs2aAyt0dfp3RA==,type:comment]
+    #ENC[AES256_GCM,data:/lUMnF8nv7vq0P3PnW29Gu1YM9rzoY9nF+RtSMk8BYTRV3ErTmBYJSv31LSOfrcgiiki+GH+yRth0tLAGQYfCLOHYwdZ4g==,iv:hUvs0i4EIoKZFarydAvnf+w5nWI7n9mMi5ivC6ST23A=,tag:4+3ABlN109TWGOFPJbRP8Q==,type:comment]
+    AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:lUY9txUpmttXwxB8taTO1V6Gqgg=,iv:DvIBdIbW0Amj6EzWHNRv7xx/EsMYwHQQ4AjuvZRZkKU=,tag:9tU7c2PyQo/wRSKrEusuTQ==,type:str]
+    AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:E8JY2Cnd1ITtUu71NqeVBIp+kLxe4BwfbJIAorx2Aw==,iv:XtUK6ICiq+Hmd45gpJ0NTSOTZ1kJWWx3o9OgZAaZ8vA=,tag:pSZMAhwlNcXsoMoEWczcHg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1a7nyvwztvzudynvx92z6tegdxcmudhdh7fh6ty6sqs8n4gh2lelqkqk9aa
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2SHNpdzk3WXFCblpnbHgr
+            MHFwc09HZllucWNieWo5c0ltQk5kMkZIa2pFClk5Vk0vUHlmclBibG5ibTF6NFNo
+            ZHJFV1J2bHNLTHErc1V5STFKOUtwNGMKLS0tIFU5ZExtTnpqa0d2M0tubEduS1do
+            QTV4WFR2VmZLNndyaDU2UmthQkZhTlkKBOlo4ng9x8pC5vTMHvSvnfmw8bnYaAnJ
+            dJRXIIeHImh+YUKlRTWWTtFnlq8RvAhmDOVwbI6IEnVHl8+OCHeyeg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-10-08T00:05:48Z"
+    mac: ENC[AES256_GCM,data:sYPjE2wrU1b7BkpXd9DX/RT/j8SAKAQ0ubaH56771vpNpXBAEPqDZkW1FQxS3rWWQpmoTmuA5FSECtcRww2WkzYI6U5wHcX9DaENqexkEoVMWuWooX627VYSJEj2pVVKMSh97NONOzikce63eGsiCxdv8v6WkcH5Mg1qxQHWL6M=,iv:VUVb+ZqVS166dIrrIvap9kFibMx0pcYpOR1PeCuZdms=,tag:NwqdQm/uayXu76jSfC+c+Q==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.8.0

kubernetes/apps/default/memos/app/backup/secret.sops.yaml.tmpl

@@ -0,0 +1,16 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: memos-restic
+  namespace: default
+type: Opaque
+stringData:
+  # The repository url; add trailing folders if multiple PVCs per app (one per PVC)
+  RESTIC_REPOSITORY: s3:https://${S3_ENDPOINT}/restic-memos
+  # The repository encryption key
+  RESTIC_PASSWORD: ${DEFAULT_PWD}
+  # ENV vars specific to the chosen back end
+  # https://restic.readthedocs.io/en/stable/030_preparing_a_new_repo.html
+  AWS_ACCESS_KEY_ID: ${S3_ACCESS_KEY}
+  AWS_SECRET_ACCESS_KEY: ${S3_SECRET_KEY}

kubernetes/apps/default/memos/app/backup/volsync.yaml

@@ -0,0 +1,26 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/replicationsource_v1alpha1.json
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+  name: &app memos
+  namespace: &namespace default
+spec:
+  sourcePVC: *app
+  trigger:
+    schedule: "0 0 * * *"
+  restic:
+    repository: memos-restic
+    retain:
+      daily: 5
+      weekly: 4
+      monthly: 3
+      yearly: 1
+    pruneIntervalDays: 10
+    cacheCapacity: 2Gi
+    # moverSecurityContext:
+    #   runAsUser: 568
+    #   runAsGroup: 568
+    storageClassName: ceph-block # same as source
+    copyMethod: Snapshot
+    volumeSnapshotClassName: csi-ceph-block

kubernetes/apps/default/memos/app/helmrelease.yaml

@@ -0,0 +1,75 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta1.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: &app memos
+  namespace: &app-namespace default
+spec:
+  interval: 15m
+  chart:
+    spec:
+      chart: app-template
+      version: 1.5.1
+      sourceRef:
+        kind: HelmRepository
+        name: bjw-s
+        namespace: flux-system
+  maxHistory: 3
+  # dependsOn:
+  #   - name: DEPENDS_APP
+  #     namespace: DEPENDS_NS
+  install:
+    createNamespace: true
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      retries: 3
+  uninstall:
+    keepHistory: false
+  values:
+    global:
+      nameOverride: *app
+      annotations:
+        reloader.stakater.com/search: "true"
+
+    image:
+      repository: ghcr.io/usememos/memos
+      tag: 0.16.0
+    env:
+      TZ: "${TIMEZONE}"
+      MEMOS_PORT: "5230" # https://github.com/usememos/memos/issues/1782
+    service:
+      main:
+        ports:
+          http:
+            port: 5230
+    ingress:
+      main:
+        enabled: true
+        ingressClassName: internal
+        annotations:
+          nginx.ingress.kubernetes.io/whitelist-source-range: |
+            10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
+        hosts:
+          - host: &host "{{ .Release.Name }}.${SECRET_DOMAIN}"
+            paths:
+              - path: /
+                pathType: Prefix
+        tls:
+          - hosts:
+              - *host
+    persistence:
+      data:
+        enabled: true
+        ### existing pvc
+        existingClaim: *app
+        mountPath: /var/opt/memos
+    resources:
+      requests:
+        cpu: 25m
+        memory: 105M
+      limits:
+        memory: 105M

kubernetes/apps/default/memos/app/kustomization.yaml

@@ -0,0 +1,8 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./backup/
+  - ./helmrelease.yaml
+  - ./pvc.yaml

kubernetes/apps/default/memos/app/pvc.yaml

@@ -0,0 +1,20 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: &app memos
+  namespace: default
+  labels:
+    app.kubernetes.io/name: *app
+    app.kubernetes.io/instance: *app
+    snapshot.home.arpa/enabled: "true"
+spec:
+  storageClassName: ceph-block
+  accessModes:
+    - ReadWriteOnce
+  # storageClassName: ceph-fs
+  # accessModes:
+  #   - ReadWriteMany
+  resources:
+    requests:
+      storage: 1Gi

kubernetes/apps/default/memos/ks.yaml

@@ -0,0 +1,19 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: default-memos
+  namespace: flux-system
+spec:
+  dependsOn:
+    - name: rook-ceph-cluster
+  path: ./kubernetes/apps/default/memos/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-kubernetes
+  wait: false
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m