public
/
stack
5
0
Fork 1
Code Issues 4 Pull Requests 1 Packages Projects Releases Wiki Activity

Merge remote-tracking branch 'origin/pull/8/head'

This commit is contained in:
Ryan Heywood 2024-05-30 01:08:09 -04:00
parent 0ca85e65f8 9d5e1f074f
commit 800af4d364
Signed by: ryan
GPG Key ID: 8E401478A3FBEF72
13 changed files with 324 additions and 25 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

34
Makefile
View File

@ -7,7 +7,7 @@ ENVIRONMENT := production
REGION := sfo3 REGION := sfo3
ROOT_DIR := $(shell pwd) ROOT_DIR := $(shell pwd)
# TODO: automatically determine # TODO: automatically determine
TERRAFORM := $(ROOT_DIR)/out/terraform.linux-x86_64 TERRAFORM := $(ROOT_DIR)/out/tofu.linux-x86_64
SOPS := $(ROOT_DIR)/out/sops.linux-x86_64 SOPS := $(ROOT_DIR)/out/sops.linux-x86_64
KEYS := \ KEYS := \
6B61ECD76088748C70590D55E90A401336C8AAA9 \ 6B61ECD76088748C70590D55E90A401336C8AAA9 \
@ -15,13 +15,13 @@ KEYS := \
3D7C8D39E8C4DF771583D3F0A8A091FD346001CA \ 3D7C8D39E8C4DF771583D3F0A8A091FD346001CA \
F4BF5C81EC78A5DD341C91EEDC4B7D1F52E0BA4D F4BF5C81EC78A5DD341C91EEDC4B7D1F52E0BA4D
EXTRA_ARGS :=
.DEFAULT_GOAL := .DEFAULT_GOAL :=
.PHONY: default .PHONY: default
default: \ default: \
toolchain \ toolchain \
tools \ tools \
$(patsubst %,$(KEY_DIR)/%.asc,$(KEYS)) \
$(CACHE_DIR)/website/.well-known/openpgpkey \
apply apply
.PHONY: .PHONY:
@ -76,6 +76,13 @@ infra/backend/.terraform: \
$(SOPS) exec-env secrets/$(ENVIRONMENT).enc.env '\ $(SOPS) exec-env secrets/$(ENVIRONMENT).enc.env '\
env -C infra/backend $(TERRAFORM) init -upgrade \ env -C infra/backend $(TERRAFORM) init -upgrade \
' '
$(SOPS) exec-env secrets/$(ENVIRONMENT).enc.env '\
env -C infra/backend $(TERRAFORM) refresh \
-var environment=$(ENVIRONMENT) \
-var namespace=$(ENVIRONMENT) \
-var region=$(REGION) \
-state $(ENVIRONMENT).tfstate \
'
infra/main/.terraform: | \ infra/main/.terraform: | \
$(TERRAFORM) \ $(TERRAFORM) \
@ -85,6 +92,13 @@ infra/main/.terraform: | \
env -C infra/main $(TERRAFORM) init -upgrade \ env -C infra/main $(TERRAFORM) init -upgrade \
-backend-config="../../config/$(ENVIRONMENT).tfbackend" \ -backend-config="../../config/$(ENVIRONMENT).tfbackend" \
' '
$(SOPS) exec-env secrets/$(ENVIRONMENT).enc.env '\
env -C infra/main $(TERRAFORM) refresh \
-var environment=$(ENVIRONMENT) \
-var namespace=$(ENVIRONMENT) \
-var region=$(REGION) \
-state $(ENVIRONMENT).tfstate \
'
infra/backend/$(ENVIRONMENT).tfstate: \ infra/backend/$(ENVIRONMENT).tfstate: \
$(TERRAFORM) \ $(TERRAFORM) \
@ -96,7 +110,7 @@ infra/backend/$(ENVIRONMENT).tfstate: \
-var environment=$(ENVIRONMENT) \ -var environment=$(ENVIRONMENT) \
-var namespace=$(ENVIRONMENT) \ -var namespace=$(ENVIRONMENT) \
-var region=$(REGION) \ -var region=$(REGION) \
-state ../../$@ \ -state $@ \
' '
config/$(ENVIRONMENT).tfbackend: | \ config/$(ENVIRONMENT).tfbackend: | \
@ -107,9 +121,17 @@ config/$(ENVIRONMENT).tfbackend: | \
$(SOPS) exec-env secrets/$(ENVIRONMENT).enc.env '\ $(SOPS) exec-env secrets/$(ENVIRONMENT).enc.env '\
env -C infra/backend \ env -C infra/backend \
$(TERRAFORM) \ $(TERRAFORM) \
output -state ../../$< \ output -state $(ENVIRONMENT).tfstate \
> $@ \ > $@ \
' '
$(SOPS) exec-env secrets/$(ENVIRONMENT).enc.env '\
env -C infra/backend \
$(TERRAFORM) refresh \
-var environment=$(ENVIRONMENT) \
-var namespace=$(ENVIRONMENT) \
-var region=$(REGION) \
-state $(ENVIRONMENT).tfstate \
'
.PHONY: .PHONY:
apply: \ apply: \
@ -126,7 +148,7 @@ apply: \
-var environment=$(ENVIRONMENT) \ -var environment=$(ENVIRONMENT) \
-var namespace=$(ENVIRONMENT) \ -var namespace=$(ENVIRONMENT) \
-var region=$(REGION) \ -var region=$(REGION) \
' $(EXTRA_ARGS) '
$(call maybe_encrypt_secret,infra/main/talos/talosconfig,secrets/$(ENVIRONMENT).talosconfig) $(call maybe_encrypt_secret,infra/main/talos/talosconfig,secrets/$(ENVIRONMENT).talosconfig)
$(call maybe_encrypt_secret,infra/main/talos/kubeconfig,secrets/$(ENVIRONMENT).kubeconfig) $(call maybe_encrypt_secret,infra/main/talos/kubeconfig,secrets/$(ENVIRONMENT).kubeconfig)
$(call maybe_encrypt_secret,infra/main/talos/controlplane.yaml,secrets/$(ENVIRONMENT).controlplane.yaml) $(call maybe_encrypt_secret,infra/main/talos/controlplane.yaml,secrets/$(ENVIRONMENT).controlplane.yaml)

2
config/make.env
View File

@ -22,7 +22,7 @@ SOPS_REF=b6d3c9700d88e0c9348f3ec7cd2f10ce4a4b3ee1
BUSYBOX_URL=https://busybox.net/downloads/busybox-1.36.1.tar.bz2 BUSYBOX_URL=https://busybox.net/downloads/busybox-1.36.1.tar.bz2
BUSYBOX_HASH=b8cc24c9574d809e7279c3be349795c5d5ceb6fdf19ca709f80cde50e47de314 BUSYBOX_HASH=b8cc24c9574d809e7279c3be349795c5d5ceb6fdf19ca709f80cde50e47de314
TOFU_REPO=https://github.com/opentofu/opentofu TOFU_REPO=https://github.com/opentofu/opentofu
TOFU_REF=f9d8b3ca2c0926f66757241baf81af523be73726 TOFU_REF=5d05dba18b6e276a6262a4722fe90c13350c5428
KSOPS_REPO=https://github.com/viaduct-ai/kustomize-sops KSOPS_REPO=https://github.com/viaduct-ai/kustomize-sops
KSOPS_REF=ac33c40e1b78d9847a8d0f58473e99419be5b170 KSOPS_REF=ac33c40e1b78d9847a8d0f58473e99419be5b170
KUSTOMIZE_REPO=https://github.com/kubernetes-sigs/kustomize KUSTOMIZE_REPO=https://github.com/kubernetes-sigs/kustomize

40
infra/main/main.tf
View File

@ -10,21 +10,18 @@ resource "random_id" "suffix" {
byte_length = 8 byte_length = 8
} }
data "digitalocean_region" "provided" {
slug = var.region
}
resource "digitalocean_custom_image" "talos" { resource "digitalocean_custom_image" "talos" {
name = "talos" name = "talos"
url = "https://github.com/siderolabs/talos/releases/download/v1.4.3/digital-ocean-amd64.raw.gz" url = "https://github.com/siderolabs/talos/releases/download/v1.4.3/digital-ocean-amd64.raw.gz"
# this gets reset by DigitalOcean otherwise # this gets reset by DigitalOcean otherwise
distribution = "Unknown OS" distribution = "Unknown OS"
regions = [data.digitalocean_region.provided.slug] regions = [var.region]
} }
resource "digitalocean_vpc" "main" { resource "digitalocean_vpc" "main" {
name = "talos" name = "talos"
region = data.digitalocean_region.provided.slug region = var.region
# Note: This is VERY CAREFULLY chosen to avoid conflict with k8s and cilium # Note: This is VERY CAREFULLY chosen to avoid conflict with k8s and cilium
ip_range = "192.168.0.0/16" ip_range = "192.168.0.0/16"
} }
@ -45,7 +42,7 @@ module "digitalocean_talos_cluster" {
size = "s-2vcpu-4gb", size = "s-2vcpu-4gb",
}] }]
vpc_id = digitalocean_vpc.main.id vpc_id = digitalocean_vpc.main.id
digitalocean_region = data.digitalocean_region.provided.slug digitalocean_region = var.region
} }
module "digitalocean_database_cluster" { module "digitalocean_database_cluster" {
@ -84,7 +81,28 @@ module "digitalocean_database_cluster" {
}] }]
vpc_id = digitalocean_vpc.main.id vpc_id = digitalocean_vpc.main.id
digitalocean_region = data.digitalocean_region.provided.slug digitalocean_region = var.region
}
# Crater App requires MySQL currently, when it adds PG support we should migrate
#
module "digitalocean_mysql_database_cluster" {
source = "../../terraform_modules/digitalocean_database_cluster"
cluster_name = "distrust-mysql"
db_engine = "mysql"
dbcli_name = "mariadb"
db_version = "8"
size = "db-s-1vcpu-1gb"
node_count = 1
databases = [{
name = "crater",
create_default_superuser = true,
}]
vpc_id = digitalocean_vpc.main.id
digitalocean_region = var.region
} }
resource "digitalocean_spaces_bucket" "matrix_media_repo" { resource "digitalocean_spaces_bucket" "matrix_media_repo" {
@ -103,10 +121,11 @@ locals {
]) ])
} }
# `jq .database_users.value.forgejo | sops --encrypt` # `jq .database_users.value.forgejo | sops --encrypt`
output "database_users" { output "database_users" {
value = { value = {
for db_user in module.digitalocean_database_cluster.database_users: for db_user in concat(module.digitalocean_database_cluster.database_users, module.digitalocean_mysql_database_cluster.database_users):
db_user.name => { db_user.name => {
apiVersion = "v1", apiVersion = "v1",
kind = "Secret", kind = "Secret",
@ -134,6 +153,11 @@ output "database" {
sensitive = true sensitive = true
} }
output "mysql_database" {
value = module.digitalocean_mysql_database_cluster.database_cluster
sensitive = true
}
output "vpc_id" { output "vpc_id" {
value = digitalocean_vpc.main.id value = digitalocean_vpc.main.id
} }

3
infra/main/provider.tf
View File

@ -2,12 +2,13 @@ terraform {
required_providers { required_providers {
digitalocean = { digitalocean = {
source = "digitalocean/digitalocean" source = "digitalocean/digitalocean"
version = "2.28.1" version = "2.36.0"
} }
} }
backend "s3" { backend "s3" {
skip_requesting_account_id = true skip_requesting_account_id = true
skip_credentials_validation = true skip_credentials_validation = true
skip_region_validation = true
skip_get_ec2_platforms = true skip_get_ec2_platforms = true
skip_metadata_api_check = true skip_metadata_api_check = true
} }

117
kustomizations/invoiceshelf/env.enc.yaml Normal file
View File

@ -0,0 +1,117 @@
apiVersion: v1
kind: Secret
metadata:
name: env
stringData:
env: ENC[AES256_GCM,data:eOLjpVzWl5bamDBmg3an2DrYKJcyMve/RkHha5PvsPFInQLJHlPm0qHP8AucafntFbTg2tV5umcnlJ2+aqNv5h1UF7QGN1oKhe8VTHHxKG4fZWD+m+j+UfpD6eA8dmEf//npgiJsBAx6qRBDWN4SxkryNAP9WsiiN9+VMsJdWe5ItQYQLU+uPNjDHMjYnw1p/JcIxilFFMn6GSV4Kc62ilE6oU5cUKk96xm/JzIX/T4GZ9q3LzCdJtaXsNic/9i6EDDIxNsLYzn0A+T1hp+jZ4k4HICx6ATPA85k1NhH0cH/r4aOv9BYed1375wkWWp4v3qzC8paHATZ5pyPeUrpJqd/uPAE8IYO3sDTimWBKU7X/O0lfTO4tiNVQFDF8cXq8tRJlZWogs67iSSepjb04e7a+OFW9f++E4eeXrbSsVw+YW43Rtbhjw0qlVBM4nBFCchiZk8etTIFkfVvbirvdcLCOCtzjtYO8rVNdj6tzwBFrpFrbvCxgEMLB6P6FwM5epMfiiOLF9DT+ljFeafBEXvy+kU5afYkf1Sh9HNvvs9ifOILyFXjMXb9jAKvNPqd0rZPOQhyvBIwRlhbsWfPO4owa/mFpNmU9mYOwHSFrVZ+V5bDAzXTQ9LKS25/NonBil0c+99peN09U5CwL1gNOtRIaFP3VlRR3/FhUwyKlgeq/Ah0s6jYN7LcNyTj0PKIMjdLotO5XHssQW+Z34s0EDDdkH1t+IODbtE39oVeErfatj+i3kFNSL+E6iVbe3KiWLIWm1xDf0pP5PD/N0OVi6abj/2OD5ClylDzO2q7dRKn3aHlRAZWXeQGMq9hxJm6VCP9HspQs+pGjDiMOs/cYib6LWkoeVN3IDV9rQ9XHeHKAXOQYVQ58auuYAIJ9qbLG0+YQvHoHiFtuK3ucXMbq17oQ/NjZEX/e77ZZCYTfxuxhW9Zwa1abojIwrfKSyhoh91HHvgYmOh8hU+gCthWDNaPJ8XIAaGy+M9V7F2TK4V2vPy6xLp/XmzPUchO78/ZcW71jPDoR7pV5I3vab+c27EWlPw4mv4U+emnVZ1L7VM7+EkpsXuncNaKPCaFz1LDl4sbaAJSS2UK2ZfBBbM/EcGT2Ymm8jOjBwHwDi2VqN/CHMf6qG3P9R3XN/jNU5ShR97D52mSE3zy25wJHcv4Z8iSu98KEC9rNvJviPjncftWkycGjWFXx7mLwsKo6VyfUn/OXuk=,iv:HXTsRJEHxceO1HIA4CaR9CYt3oO18+cdeTAiBk4w0zo=,tag:e44hqgGLC9ugivxaxr+0Gw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2024-04-01T03:47:06Z"
mac: ENC[AES256_GCM,data:mrjkTQF+cKuNzbaAaflQCTMT+H7D0dKL6keVLs1ig6ok4Z6JCKxe9+1Fa3q2OIpgq0bhHZqPPe5e2ztQSAzFC9z6c7YCHGh6kPZ8fQ7F0l2dATqNSeaRMsjsMdo7vOOQjNqj0SkeU5c4PSQpQHz9Rg7CtMupQ60iLbsm8GGM1tU=,iv:uhzyxgDSdJ/jw0qZyOddxP3JZ3S4okuWhZdJE22nDEI=,tag:EYe9MYxL8QDPe9Rf53OM+Q==,type:str]
pgp:
- created_at: "2024-01-11T20:56:10Z"
enc: |-
-----BEGIN PGP MESSAGE-----
wcFMA82rPM2mSf/aARAAvQd7qO44LNyywY03qCXI18cx6nj9mo36ehJyq6wuYhWa
n95jXEsmRbGt2l8cAJrH9sZB3uE5DCfeZMzEiZ9heaAyxzC34BxSGP+4PBdRqp6B
jv7Ej6F9lV70bQYvDDry5ihWRmADEVrnDrs2+pXsMQiui9dZSGB676d2PIdliV6y
StqbyudjWZS6fLv2xy25yxJBfzb27rLh1d2yo/9AEm873bFVn7bXQxwOoud8s8KU
MLsQxE05zDQrzm+RpDU0mYk3X4ByyL0/J0dyipjHErOLhOCk2MZ4xTVW8U+Jefuu
htLAzftc9NGwWHdSVXqfwSWUq/UklzurPdDcA1riEqE4XmE74cdgP0vqHYeGPykh
M67Xcr1WLDk7i/n4EISqnp5qwItfJIxWlEpKNANEMveYggHXUz3wTk7qHwjpIDwG
7mMfKlL221M1elk1lY60bx//tr2ZqIlN9IXCjOUZOlxlqvYcmie09YbR6tRZAbag
KZcq4s5y5HlVQ10ZUe7eY8qjXMlLVm7N+TJRnfgJrr2+7GTy/wCcx5nwsVBeYm8h
GrHT3PS0CVRA19ynlEqF1jXfqlRMjX0szPIUGb6/7HLiw514otq3KuZmHYAq2TZ2
HMKncOptoUyfpG252v6NJYQC7yF76tdd5YuykeD40ZOBUULtvUEOZyZVdsaAU9zS
UQHygqf8d16qbh2rWK69Kqmc8DbZHCH/f1IDwekPOsNltQhdgn3lOP7gNSEwI7yV
/qk+5kVHg+Yk0l1K34v5aiWEGrI1SKd1m+nvVW7VcEtufw==
=SjUY
-----END PGP MESSAGE-----
fp: 6B61ECD76088748C70590D55E90A401336C8AAA9
- created_at: "2024-01-11T20:56:10Z"
enc: |-
-----BEGIN PGP MESSAGE-----
wcFMAw95Vf08z8oUAQ/+OHoip407wu+pF9bWolOK+dViuRhA/X9JUVyQfJer9HM2
thZUChYerdnUBn674pVUkjS5szch19pdZLeK5/YqUXyWoW1qHUgYgzHHq6JvxXXf
PIC7Q+jCfsmDBGcSJefK9rA5u7S+7rULBZvbMbL7gpCG8cG0aXJBoNLzZ/vva16V
x/3Mn6taKjZX0ACeoQ4ma4HS6kB3Nz280S8PKIQeMuUQQfXNWMAlR2ebleovvmvh
pJtN0T5dMLEImexLFSgfPoU1OQmfrnQR/mWP0W3LtGn2o8EE5LordJSgMuwd5eqv
v+XOHoj5E5O88SO2mIwWY0Oh+6P5pf6PJDL8XLLq+0nm2HZrK1Ip8WvYar9xi/12
HClde7vk1ESWw9Kdiop6rSj7C7M3dD+95ufG6F3c1XJQkp3H+AlK7aTK3/rx6Dml
FekNVioLC0LjiMZ1ZeVBOtIYoXXyrYE8nQF9E6kkW/o6dajMDo9F0Ck5LWLiES/E
34bHkP3p+lwOOj0l8PONG/MaP5j2S8v7LjfuMBxcuoo1RhplLJQLUYGvkywmqDK2
2t5vqIkpGAxBN6WNgZt0OwcBlPC3PP3JHQ+kIn9Sk3MAR5plCAhkywTHFwoDBe1e
FnlmDyVjgOdtzZl3aNjz7uOiDtpecwPmsxah8ox7H5wOOagAabDhweFXh0IxKKXS
UQH4zAt2MLHWqAAGjFPFiYxb/ugU1R5Qjv6NKw8bWGFOrbexMiA2bCGOGmstxd7G
SU0tn54SBi+wOEDmJGnaZS89ZzGEoRm6LRJ5EJz+a03tTg==
=KOLu
-----END PGP MESSAGE-----
fp: 88823A75ECAA786B0FF38B148E401478A3FBEF72
- created_at: "2024-01-11T20:56:10Z"
enc: |-
-----BEGIN PGP MESSAGE-----
wcFMA0/D4ws+/KPtARAArZ/F2Sh0LIACUnzLO45O0GsesOm4QS/vVEcZ0BDms/fi
Xe4mmJbYTvRIgWfoXpbt79UreBamMFCSpXBPJnx/d2F0s1RHxKvbq7LwNL/qpH3/
pUJuAbToVTqLyS329YfJVtGtfYRsL0nIyt28wNjz4XudoTfoaaegk+1SSpedT7gW
Wq4ipL3m226yXyTv6DTu61o389TV3H2OR18hawjF6lDfDSCYtNexRCxV3aSqkDU5
Ik9n9OkWrIgJ0ZM4DJ7U/Ltx9ju89oWCmjBfw6IPSkQGSBMNbTolVHdrFbtsygK4
FnHRJn75Q7RkrobkrusqypFqu+D9QK2tijOhahFxfdU/S/zWuzfPiKv4m+iwRo5Q
UeJ43uea8DtnfLCIHISh80mqXwhEpulEb73l7y80EdtHuRURlqer4KPmVtV2Q620
OyLHugmLaqJUXzC6sPyrWBO2tPMqD7JRA34fx5gOVRvyd6KdTc/Pn64/nbqWFcIM
94VIOdJUGoyDtxLVPu7nttlVddqn0obUmSuSvs1ouTntMkScRS6hNTptxS3BbQZ+
FDG/mLgArkrEk/2m/+OuxH4teRqDVcwgbKzkZWgZ0RH6k4v2BJSKnTT1S5TOjJg5
H/RcnMtQeZq0G67fz8uwo3Hqm6FAGBuaWkhtDknNtLEXHaOGE8IIM9L2CeLftq7S
UQGxv6DQZ7PpMjo4LRCyCHNj9ddykRneojKG5cjQxMhTMH2PmamfpB+c2dUSvqin
Ius8vdBiHGuvEwcdJQ3m7cYhkLZWuRgIqGpIrGJX5dvTIw==
=Hi+j
-----END PGP MESSAGE-----
fp: 3D7C8D39E8C4DF771583D3F0A8A091FD346001CA
- created_at: "2024-01-11T20:56:10Z"
enc: |-
-----BEGIN PGP MESSAGE-----
wcFMA5Wf+FyJ+zFJAQ//fyZa4Tzetgnur+02xwrfyxuU3Pvh2+NqSwFQCpo+reWo
bO59a5McV5rWnzL59r9XK/SGwBN87JiDFaTvpc2VJnGAxkz6vw5fuXQI7opybVp/
exqsqtR6lFLaznAi53oeIgBXIg2svOLr5tD6y9eh6eB4rGrbVf8T2N7TlrSal1RT
qoRjtLLZtNXWPMyIGUTjTr4HIUoYvScwQkBhG54R78PXtkW3QfmYJVqXlzTsbKrM
uAdC+Fd7k2ko39s64PPG6QsFFBg81UAz8SvQPfe6b8sv5IaVDBBk8IJ1tORX5/26
BbXOQLjyqdxHR9/KDeS/wj1e9rpRH3BgHybft0T9vBZyyBZY1dPAisRKXThs/Khb
QZUrEd9tNQqGhJrBEKGQuoY39G6mVOywvi4Amubg4L4VbETOD1CM8MMQFlhWmXDP
k6UYMY4vUt9O9/R8SljZBejO6Y2+smCzC4lDq5W3sBu5P+JnnHCnM0wgRoS1aCpR
tsBIKE1f+rlG+kb6eTGcCCR64H+TK9hT49MtbkFeKUO7rlZkbxqKgYdN/Q1HzCEW
YCYsxzJQo4mqTRQ4PYRvo+9Oo9gGtWY48H09qTGR737qayxA3VpdHepABBHC9nm5
BogU/3lTH9PzjESZkEckE1sx7QHUs39FiovXDgvsMRt6+wo6Y5L+dKoXU4MszAzS
UQE0UZL7h7N+QvTbujVrarB6A6vVlwjV0gbQJDRXmPw2awJjBvsjGNfLQ0mruwqb
RLB5G2SvQHiILN/ByD3NxhonQ90mPSjmVBfbdsOp6H4woQ==
=J+qg
-----END PGP MESSAGE-----
fp: F4BF5C81EC78A5DD341C91EEDC4B7D1F52E0BA4D
- created_at: "2024-01-11T20:56:10Z"
enc: |-
-----BEGIN PGP MESSAGE-----
wcFMA8KRInHl7Vz+AQ//USOIJ5cPWOQgcqjauvvccC22wxU7Rp/Bx86ajZFpL6M3
ns8g3TC4ga8OO2XYjLTHNXPAzPvEE5lskpO+bkDbqRPkkkGeauqupQTtDIMg25kF
ouBPcvCirWvBJ3uiHHKw1hvTMXAIwcdvIyvxP4zK7sWU8OScDw9nNS8uhOLH9wds
J+Y0qWPuxAJrJF8cgLORxjk5BFh5IdOrmijm72+qEHER6qgYgXoVVbGtIixUTcfv
H9TqxHPkeqgMH2QVGEGKGRueoUVWc0FXtVLNRKlZ5VYX+nZUBDdhVjiiG6DBkWtu
BayAhjRFh/oGs4Q+WyozKy/mv1hJvxsRjpyK78wYw0yQVuwfd/X73y2EkQQNquCk
SyzU+C+5+faJpf9HPq2nv1zrUJid1zSv01IE70OsRFAgKXI9thQlx3VIbLTU6RkZ
Bw6BsWoQmanUR3DUzWvL+lhzYLKhVQ9Gf9rPOK0B1XTvntTGgq1zOYQn/FmlhJjc
SJoXgNU+i9F52CGIJ0fTZaw+8+aJ6oL9SLETl4T9Gj/XCpuDUGJAMP++V7YLWsEf
5tqwHDngm5UJNmqy5vzVbQAIVyLCK868S4xNFRUFwQMCZCHQeW4MhVM5XFE0d0ab
A5MSm8X7HmYgvg+WvXzawyEX3OyAnw1RZ+n+b6w2NN8YLP1kRLjirDS3PbsLybTS
UQHc1/GvEhu+7CSv118mKOyJwOQ6u1KAblmg2yzyhxN6ZvuwNJ9zvSnovSALJHWQ
HSwUH1xcOoL1xQTwJ/+Ha/n1q9i2MqD4uLSP29yYGgdq1A==
=cXXw
-----END PGP MESSAGE-----
fp: C92FE5A3FBD58DD3EC5AA26BB10116B8193F2DBD
encrypted_regex: ^(data|stringData)$
version: 3.8.1

23
kustomizations/invoiceshelf/ingress.yaml Normal file
View File

@ -0,0 +1,23 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: invoiceshelf
annotations:
cert-manager.io/cluster-issuer: letsencrypt
spec:
ingressClassName: nginx
rules:
- host: billing.distrust.co
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: invoiceshelf
port:
name: http
tls:
- hosts:
- billing.distrust.co
secretName: invoiceshelf-tls

13
kustomizations/invoiceshelf/kustomization.yaml Normal file
View File

@ -0,0 +1,13 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
commonLabels:
app.kubernetes.io/part-of: invoiceshelf
resources:
- statefulset.yaml
- service.yaml
- ingress.yaml
generators:
- secret-generator.yaml
images:
- name: invoiceshelf/invoiceshelf
newTag: 1.1.0@sha256:50787e404725ad4f47462eaf38832d97c627a5d139d51a84f31a9bd90caffb3f

6
kustomizations/invoiceshelf/secret-generator.yaml Normal file
View File

@ -0,0 +1,6 @@
apiVersion: viaduct.ai/v1
kind: ksops
metadata:
name: invoiceshelf
files:
- ./env.enc.yaml

15
kustomizations/invoiceshelf/service.yaml Normal file
View File

@ -0,0 +1,15 @@
apiVersion: v1
kind: Service
metadata:
name: invoiceshelf
labels:
app.kubernetes.io/name: invoiceshelf
app.kubernetes.io/part-of: invoiceshelf
spec:
selector:
app.kubernetes.io/name: invoiceshelf
app.kubernetes.io/component: server
ports:
- name: http
port: 80
targetPort: 80

62
kustomizations/invoiceshelf/statefulset.yaml Normal file
View File

@ -0,0 +1,62 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: invoiceshelf
labels:
app.kubernetes.io/name: invoiceshelf
app.kubernetes.io/component: server
spec:
selector:
matchLabels:
app.kubernetes.io/name: invoiceshelf
app.kubernetes.io/component: server
template:
metadata:
labels:
app.kubernetes.io/name: invoiceshelf
app.kubernetes.io/component: server
spec:
containers:
- name: invoiceshelf
image: invoiceshelf/invoiceshelf
ports:
- name: http
containerPort: 80
securityContext:
allowPrivilegeEscalation: false
startupProbe:
initialDelaySeconds: 60
periodSeconds: 5
failureThreshold: 10
httpGet:
path: /api/v1/app/version
port: http
livenessProbe:
periodSeconds: 5
httpGet:
path: /api/v1/app/version
port: http
readinessProbe:
periodSeconds: 5
httpGet:
path: /api/v1/app/version
port: http
volumeMounts:
- name: invoiceshelf-data
mountPath: /data
subPath: data
- name: dot-env
mountPath: /conf/.env
subPath: env
volumes:
- name: dot-env
secret:
secretName: env
volumeClaimTemplates:
- metadata:
name: invoiceshelf-data
spec:
accessModes: ["ReadWriteOnce"]
resources:
requests:
storage: 10Gi

2
src/toolchain

@ -1 +1 @@
Subproject commit 23fc267a9dfdda30ba4287f8234879961722bafb Subproject commit a2315fdbc8cd0e4a654d1aa4623a53d5292b3574

27
terraform_modules/digitalocean_database_cluster/main.tf
View File

@ -39,23 +39,34 @@ resource "digitalocean_database_user" "default_users" {
name = each.key name = each.key
provisioner "local-exec" { provisioner "local-exec" {
command = "GRANT ALL ON DATABASE ${each.key} TO ${each.key};" command = var.dbcli_name == "psql" ? "GRANT ALL ON DATABASE ${each.key} TO ${each.key};" : "GRANT ALL PRIVILEGES ON ${each.key} TO '${each.key}'@'%';"
interpreter = [ interpreter = var.dbcli_name == "psql" ? [
"psql", "${var.dbcli_name}",
"-v", "ON_ERROR_STOP=1",
"${local.base_connection_string}/${each.key}", "${local.base_connection_string}/${each.key}",
"-c" "-c"
] : [
"${var.dbcli_name}",
"-u",
"${digitalocean_database_cluster.main.user}",
"-p",
"-h",
"${digitalocean_database_cluster.main.host}",
"-P",
"25060",
"-D",
"${each.key}",
"-e"
] ]
} }
provisioner "local-exec" { provisioner "local-exec" {
command = "GRANT ALL ON SCHEMA public TO ${each.key}" command = var.dbcli_name == "psql" ? "GRANT ALL ON SCHEMA public TO ${each.key}" : "true"
interpreter = [ interpreter = var.dbcli_name == "psql" ? [
"psql", "${var.dbcli_name}",
"-v", "ON_ERROR_STOP=1", "-v", "ON_ERROR_STOP=1",
"${local.base_connection_string}/${each.key}", "${local.base_connection_string}/${each.key}",
"-c" "-c"
] ] : ["true"]
} }
# Note: provisioners depend on databases existing # Note: provisioners depend on databases existing

5
terraform_modules/digitalocean_database_cluster/variables.tf
View File

@ -33,3 +33,8 @@ variable "vpc_id" {
type = string type = string
nullable = true nullable = true
} }
variable "dbcli_name" {
type = string
default = "psql"
}