🚀(project:maison): Install Actual Budget application

Signed-off-by: Alexandre Nicolaie <[email protected]>
chezmoi-sh · Dec 28, 2024 · 004433c · 004433c
1 parent e739227
commit 004433c
Show file tree

Hide file tree

Showing 7 changed files with 206 additions and 2 deletions.
diff --git a/projects/maison/architecture.d2 b/projects/maison/architecture.d2
@@ -210,13 +210,15 @@ maison: {
 
     # - Actual Budget
     Actual-Budget: {
-      class: [application; undeployed]
+      class: [application]
       icon: assets/icons/apps/actual-budget.png
       link: https://actualbudget.com/
       tooltip: Actual Budget is a personal finance app that helps you track your spending and save money.
     }
     Actual-Budget <- _.system.Traefik: {
-      class: [undeployed]
+      source-arrowhead: HTTP (5006)
+    }
+    Actual-Budget <- _.system.Tailscale: {
       source-arrowhead: HTTP (5006)
     }
 

diff --git a/projects/maison/src/apps/actual-budget.yaml b/projects/maison/src/apps/actual-budget.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: actual-budget
+spec:
+  interval: 12h0m0s
+  timeout: 30s
+  retryInterval: 0s
+
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+    namespace: flux-system
+  path: ./projects/maison/src/apps/actual-budget
+
+  prune: true
+  wait: true
diff --git a/projects/maison/src/apps/actual-budget/actual-budget.deployment.yaml b/projects/maison/src/apps/actual-budget/actual-budget.deployment.yaml
@@ -0,0 +1,146 @@
+---
+# trunk-ignore(checkov/CKV_K8S_11): DO NOT SET the CPU limit
+# trunk-ignore(checkov/CKV_K8S_15,checkov/CKV_K8S_43): Not aggreed with theses policies about the ImagePullPolicy=Always and digest verification.
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: actual-budget
+  namespace: actual-budget
+  labels:
+    app.kubernetes.io/name: actual-budget
+    app.kubernetes.io/instance: actual-budget
+    app.kubernetes.io/part-of: actual-budget
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: actual-budget
+      app.kubernetes.io/instance: actual-budget
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: actual-budget
+        app.kubernetes.io/instance: actual-budget
+    spec:
+      automountServiceAccountToken: false
+      containers:
+        # trunk-ignore(trivy): Everything about security context cannot be configured for the official image.
+        - name: actual-budget
+          image: ghcr.io/actualbudget/actual-server:24.12.0
+          livenessProbe:
+            httpGet:
+              path: /
+              port: http
+          ports:
+            - name: http
+              containerPort: 5006
+              protocol: TCP
+          readinessProbe:
+            httpGet:
+              path: /
+              port: http
+          resources:
+            requests:
+              cpu: 100m
+              memory: 128Mi
+            limits:
+              memory: 128Mi
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 38069
+            seccompProfile:
+              type: RuntimeDefault
+          volumeMounts:
+            - name: persistent
+              mountPath: /data
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 38069
+        runAsGroup: 38069
+        fsGroup: 38069
+      volumes:
+        - name: persistent
+          persistentVolumeClaim:
+            claimName: actual-budget-persistent
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: actual-budget
+  namespace: actual-budget
+  labels:
+    app.kubernetes.io/name: actual-budget
+    app.kubernetes.io/instance: actual-budget
+    app.kubernetes.io/part-of: actual-budget
+spec:
+  selector:
+    app.kubernetes.io/name: actual-budget
+    app.kubernetes.io/instance: actual-budget
+  ports:
+    - name: http
+      port: 80
+      targetPort: http
+      protocol: TCP
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: actual-budget-persistent
+  namespace: actual-budget
+  labels:
+    app.kubernetes.io/name: actual-budget
+    app.kubernetes.io/instance: actual-budget
+    app.kubernetes.io/part-of: actual-budget
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: actual-budget
+  namespace: actual-budget
+  labels:
+    app.kubernetes.io/name: actual-budget
+    app.kubernetes.io/instance: actual-budget
+    app.kubernetes.io/part-of: actual-budget
+spec:
+  podSelector:
+    matchLabels:
+      app.kubernetes.io/name: actual-budget
+      app.kubernetes.io/instance: actual-budget
+  policyTypes:
+    - Ingress
+    - Egress
+  ingress:
+    - from:
+        - podSelector: {}
+    - from:
+        - namespaceSelector:
+            matchLabels:
+              kubernetes.io/metadata.name: traefik-system
+  egress:
+    - to:
+        - namespaceSelector: {}
+          podSelector:
+            matchLabels:
+              k8s-app: kube-dns
+      ports:
+        - port: 53
+          protocol: UDP
+    - to:
+        - ipBlock:
+            cidr: 0.0.0.0/0
+      ports:
+        - port: 443
+    - to:
+        - podSelector: {}
diff --git a/projects/maison/src/apps/actual-budget/actual-budget.httproute.yaml b/projects/maison/src/apps/actual-budget/actual-budget.httproute.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: actual-budget-websecure
+  namespace: actual-budget
+spec:
+  parentRefs:
+    - name: default
+      namespace: default
+  hostnames:
+    - budget.chezmoi.sh
+  rules:
+    - backendRefs:
+        - name: actual-budget
+          port: 80
diff --git a/projects/maison/src/apps/actual-budget/actual-budget.vpn.yaml b/projects/maison/src/apps/actual-budget/actual-budget.vpn.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: actual-budget-tailscale
+  namespace: actual-budget
+spec:
+  defaultBackend:
+    service:
+      name: actual-budget
+      port:
+        number: 80
+  ingressClassName: tailscale
+  tls:
+    - hosts:
+        - actual-budget
diff --git a/projects/maison/src/apps/actual-budget/namespace.yaml b/projects/maison/src/apps/actual-budget/namespace.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: actual-budget
diff --git a/projects/maison/src/apps/kustomization.yaml b/projects/maison/src/apps/kustomization.yaml
@@ -5,5 +5,6 @@ kind: Kustomization
 resources:
   # NOTE: Applications are manually installed using this kustomization to avoid
   #       installing automatically if it is not needed.
+  - actual-budget.yaml
   - jellyfin.yaml
   - linkding.yaml