From 004433c3e2f630dfb6e724a33a0fe45c9e1cb6ab Mon Sep 17 00:00:00 2001 From: Alexandre Nicolaie Date: Sat, 28 Dec 2024 11:38:14 +0100 Subject: [PATCH] :rocket:(project:maison): Install Actual Budget application Signed-off-by: Alexandre Nicolaie --- projects/maison/architecture.d2 | 6 +- projects/maison/src/apps/actual-budget.yaml | 18 +++ .../actual-budget.deployment.yaml | 146 ++++++++++++++++++ .../actual-budget.httproute.yaml | 16 ++ .../apps/actual-budget/actual-budget.vpn.yaml | 16 ++ .../src/apps/actual-budget/namespace.yaml | 5 + projects/maison/src/apps/kustomization.yaml | 1 + 7 files changed, 206 insertions(+), 2 deletions(-) create mode 100644 projects/maison/src/apps/actual-budget.yaml create mode 100644 projects/maison/src/apps/actual-budget/actual-budget.deployment.yaml create mode 100644 projects/maison/src/apps/actual-budget/actual-budget.httproute.yaml create mode 100644 projects/maison/src/apps/actual-budget/actual-budget.vpn.yaml create mode 100644 projects/maison/src/apps/actual-budget/namespace.yaml diff --git a/projects/maison/architecture.d2 b/projects/maison/architecture.d2 index f1b50f9a..20eddf15 100644 --- a/projects/maison/architecture.d2 +++ b/projects/maison/architecture.d2 @@ -210,13 +210,15 @@ maison: { # - Actual Budget Actual-Budget: { - class: [application; undeployed] + class: [application] icon: assets/icons/apps/actual-budget.png link: https://actualbudget.com/ tooltip: Actual Budget is a personal finance app that helps you track your spending and save money. } Actual-Budget <- _.system.Traefik: { - class: [undeployed] + source-arrowhead: HTTP (5006) + } + Actual-Budget <- _.system.Tailscale: { source-arrowhead: HTTP (5006) } diff --git a/projects/maison/src/apps/actual-budget.yaml b/projects/maison/src/apps/actual-budget.yaml new file mode 100644 index 00000000..d478082c --- /dev/null +++ b/projects/maison/src/apps/actual-budget.yaml 
@@ -0,0 +1,18 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: actual-budget
+spec:
+ interval: 12h0m0s
+ timeout: 30s
+ retryInterval: 0s
+
+ sourceRef:
+ kind: GitRepository
+ name: flux-system
+ namespace: flux-system
+ path: ./projects/maison/src/apps/actual-budget
+
+ prune: true
+ wait: true
diff --git a/projects/maison/src/apps/actual-budget/actual-budget.deployment.yaml b/projects/maison/src/apps/actual-budget/actual-budget.deployment.yaml
new file mode 100644
index 00000000..c7b46d84
--- /dev/null
+++ b/projects/maison/src/apps/actual-budget/actual-budget.deployment.yaml
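Review bot: `timeout: 30s` together with `wait: true` gives the Deployment, its PVC binding and the first image pull only thirty seconds to report Ready before the reconciliation is marked failed, which is tight for an initial install, and the explicit `retryInterval: 0s` makes the retry schedule after such a failure depend on how the running kustomize-controller treats a zero value rather than on the documented default of falling back to `interval`. Consider `timeout: 5m0s` and either dropping `retryInterval` or setting it to something like `retryInterval: 1m0s`. If the 30s/0s pair mirrors the sibling Kustomizations (jellyfin, linkding) it may be a deliberate convention, in which case the same question applies there.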
@@ -0,0 +1,146 @@
+---
+# trunk-ignore(checkov/CKV_K8S_11): DO NOT SET the CPU limit
+# trunk-ignore(checkov/CKV_K8S_15,checkov/CKV_K8S_43): Not aggreed with theses policies about the ImagePullPolicy=Always and digest verification.
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: actual-budget
+ namespace: actual-budget
+ labels:
+ app.kubernetes.io/name: actual-budget
+ app.kubernetes.io/instance: actual-budget
+ app.kubernetes.io/part-of: actual-budget
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: actual-budget
+ app.kubernetes.io/instance: actual-budget
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: actual-budget
+ app.kubernetes.io/instance: actual-budget
+ spec:
+ automountServiceAccountToken: false
+ containers:
+ # trunk-ignore(trivy): Everything about security context cannot be configured for the official image.
+ - name: actual-budget
+ image: ghcr.io/actualbudget/actual-server:24.12.0
+ livenessProbe:
+ httpGet:
+ path: /
+ port: http
+ ports:
+ - name: http
+ containerPort: 5006
+ protocol: TCP
+ readinessProbe:
+ httpGet:
+ path: /
+ port: http
+ resources:
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ limits:
+ memory: 128Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ privileged: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ runAsUser: 38069
+ seccompProfile:
+ type: RuntimeDefault
+ volumeMounts:
+ - name: persistent
+ mountPath: /data
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 38069
+ runAsGroup: 38069
+ fsGroup: 38069
+ volumes:
+ - name: persistent
+ persistentVolumeClaim:
+ claimName: actual-budget-persistent
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: actual-budget
+ namespace: actual-budget
+ labels:
+ app.kubernetes.io/name: actual-budget
+ app.kubernetes.io/instance: actual-budget
+ app.kubernetes.io/part-of: actual-budget
+spec:
+ selector:
+ app.kubernetes.io/name: actual-budget
+ app.kubernetes.io/instance: actual-budget
+ ports:
+ - name: http
+ port: 80
+ targetPort: http
+ protocol: TCP
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: actual-budget-persistent
+ namespace: actual-budget
+ labels:
+ app.kubernetes.io/name: actual-budget
+ app.kubernetes.io/instance: actual-budget
+ app.kubernetes.io/part-of: actual-budget
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+ name: actual-budget
+ namespace: actual-budget
+ labels:
+ app.kubernetes.io/name: actual-budget
+ app.kubernetes.io/instance: actual-budget
+ app.kubernetes.io/part-of: actual-budget
+spec:
+ podSelector:
+ matchLabels:
+ app.kubernetes.io/name: actual-budget
+ app.kubernetes.io/instance: actual-budget
+ policyTypes:
+ - Ingress
+ - Egress
+ ingress:
+ - from:
+ - podSelector: {}
+ - from:
+ - namespaceSelector:
+ matchLabels:
+ kubernetes.io/metadata.name: traefik-system
+ egress:
+ - to:
+ - namespaceSelector: {}
+ podSelector:
+ matchLabels:
+ k8s-app: kube-dns
+ ports:
+ - port: 53
+ protocol: UDP
+ - to:
+ - ipBlock:
+ cidr: 0.0.0.0/0
+ ports:
+ - port: 443
+ - to:
+ - podSelector: {}
diff --git a/projects/maison/src/apps/actual-budget/actual-budget.httproute.yaml b/projects/maison/src/apps/actual-budget/actual-budget.httproute.yaml
new file mode 100644
index 00000000..57f58281
--- /dev/null
+++ b/projects/maison/src/apps/actual-budget/actual-budget.httproute.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: actual-budget-websecure
+ namespace: actual-budget
+spec:
+ parentRefs:
+ - name: default
+ namespace: default
+ hostnames:
+ - budget.chezmoi.sh
+ rules:
+ - backendRefs:
+ - name: actual-budget
+ port: 80
diff --git a/projects/maison/src/apps/actual-budget/actual-budget.vpn.yaml b/projects/maison/src/apps/actual-budget/actual-budget.vpn.yaml
new file mode 100644
index 00000000..267f8bea
--- /dev/null
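Review bot: The NetworkPolicy at the end of this hunk only admits ingress from pods in the same namespace and from the `traefik-system` namespace, but the Tailscale Ingress added in actual-budget.vpn.yaml delivers traffic from the Tailscale operator's proxy pods, which normally live in their own namespace, so the VPN path drawn in architecture.d2 would be silently dropped unless those proxies happen to run in `traefik-system`; a third `from` entry with a `namespaceSelector` for the operator's namespace is needed. The egress rule `cidr: 0.0.0.0/0` on 443 also covers cluster-internal and link-local ranges; if outbound HTTPS is only meant for bank-sync and similar internet calls, an `except:` list for RFC1918 and 169.254.0.0/16 narrows it without affecting that use. DNS egress allows only UDP 53, and resolvers retry over TCP for truncated answers, so a matching `protocol: TCP` entry avoids intermittent lookup failures. The namespace below is a placeholder to be replaced with the one the Tailscale operator actually uses.
```yaml
  ingress:
    # … unchanged: same-namespace and traefik-system rules …
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: TAILSCALE_OPERATOR_NAMESPACE  # placeholder: namespace of the Tailscale proxy pods
  egress:
    - to:
        - namespaceSelector: {}
          podSelector:
            matchLabels:
              k8s-app: kube-dns
      ports:
        - port: 53
          protocol: UDP
        - port: 53
          protocol: TCP
    - to:
        - ipBlock:
            cidr: 0.0.0.0/0
            except:
              - 10.0.0.0/8
              - 172.16.0.0/12
              - 192.168.0.0/16
              - 169.254.0.0/16
      ports:
        - port: 443
    # … unchanged: same-namespace egress rule …
```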
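Review bot: The route is named `actual-budget-websecure` but its `parentRefs` entry carries no `sectionName`, so it attaches to every compatible listener on the `default` Gateway, including a plain-HTTP one if that Gateway defines it, and a personal-finance app with a login form would then also be reachable without TLS. Pin it to the TLS listener, e.g. `sectionName: websecure` under the `parentRefs` entry — the listener name must match the Gateway definition, which is not in this diff. If the Gateway itself redirects HTTP to HTTPS this is only a naming inconsistency, but the pin still documents the intent.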
+++ b/projects/maison/src/apps/actual-budget/actual-budget.vpn.yaml
@@ -0,0 +1,16 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: actual-budget-tailscale
+ namespace: actual-budget
+spec:
+ defaultBackend:
+ service:
+ name: actual-budget
+ port:
+ number: 80
+ ingressClassName: tailscale
+ tls:
+ - hosts:
+ - actual-budget
diff --git a/projects/maison/src/apps/actual-budget/namespace.yaml b/projects/maison/src/apps/actual-budget/namespace.yaml
new file mode 100644
index 00000000..ef7b9078
--- /dev/null
+++ b/projects/maison/src/apps/actual-budget/namespace.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: actual-budget
diff --git a/projects/maison/src/apps/kustomization.yaml b/projects/maison/src/apps/kustomization.yaml
index 6c9384a0..082b0f72 100644
--- a/projects/maison/src/apps/kustomization.yaml
+++ b/projects/maison/src/apps/kustomization.yaml
@@ -5,5 +5,6 @@ kind: Kustomization
 resources:
 # NOTE: Applications are manually installed using this kustomization to avoid
 # installing automatically if it is not needed.
+ - actual-budget.yaml
 - jellyfin.yaml
 - linkding.yaml
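Review bot: The Namespace carries no Pod Security Admission labels, while the Deployment in actual-budget.deployment.yaml already satisfies the `restricted` profile (runAsNonRoot, all capabilities dropped, RuntimeDefault seccomp, allowPrivilegeEscalation false, only a PVC volume), so enforcing it at namespace level costs nothing today and turns any future regression into an admission error instead of a silent weakening. Add under `metadata:` the labels `pod-security.kubernetes.io/enforce: restricted`, `pod-security.kubernetes.io/audit: restricted` and `pod-security.kubernetes.io/warn: restricted`. If the sibling app namespaces do not set these either, applying the same labels there keeps the project consistent.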