🚀(project:maison): Install n8n application

Signed-off-by: Alexandre Nicolaie <[email protected]>

projects/maison/architecture.d2

@@ -280,17 +280,16 @@ maison: {
 
     # - n8n
     n8n: {
-      class: [application; undeployed]
+      class: [application]
       icon: assets/icons/apps/n8n.svg
       link: https://n8n.io/
       tooltip: Secure and AI-native workflow automation tool for technical people.
     }
     n8n <- _.system.Traefik: {
-      class: [undeployed]
       source-arrowhead: HTTP (5678)
     }
     n8n <- _.system.Tailscale: {
-      class: [connect-vpn; undeployed]
+      class: [connect-vpn]
       source-arrowhead: HTTP (5678)
     }
 

projects/maison/src/apps/kustomization.yaml

@@ -10,3 +10,4 @@ resources:
   - jellyseerr.yaml
   - linkding.yaml
   - mealie.yaml
+  - n8n.yaml

projects/maison/src/apps/n8n.yaml

@@ -0,0 +1,18 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: n8n
+spec:
+  interval: 12h0m0s
+  timeout: 30s
+  retryInterval: 0s
+
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+    namespace: flux-system
+  path: ./projects/maison/src/apps/n8n
+
+  prune: true
+  wait: true

projects/maison/src/apps/n8n/n8n.database.yaml

@@ -0,0 +1,21 @@
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: n8n
+  namespace: n8n
+  labels:
+    app.kubernetes.io/component: database
+    app.kubernetes.io/instance: n8n-database
+    app.kubernetes.io/name: n8n
+    app.kubernetes.io/part-of: n8n
+spec:
+  bootstrap:
+    initdb:
+      database: n8n
+      owner: n8n
+  description: PostgreSQL database dedicated to n8n
+  instances: 1
+
+  storage:
+    size: 5Gi

projects/maison/src/apps/n8n/n8n.deployment.yaml

@@ -0,0 +1,247 @@
+---
+# trunk-ignore(checkov/CKV_K8S_11): DO NOT SET the CPU limit
+# trunk-ignore(checkov/CKV_K8S_15,checkov/CKV_K8S_43): Not aggreed with theses policies about the ImagePullPolicy=Always and digest verification.
+# trunk-ignore(checkov/CKV2_K8S_6)
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: n8n
+  namespace: n8n
+  labels:
+    app.kubernetes.io/name: n8n
+    app.kubernetes.io/instance: n8n
+    app.kubernetes.io/part-of: n8n
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: n8n
+      app.kubernetes.io/instance: n8n
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: n8n
+        app.kubernetes.io/instance: n8n
+    spec:
+      automountServiceAccountToken: false
+      containers:
+        # trunk-ignore(trivy/KSV011): DO NOT SET the CPU limit
+        - name: n8n
+          env:
+            - name: DB_POSTGRESDB_DATABASE_FILE
+              value: /run/secrets/n8n/postgres/dbname
+            - name: DB_POSTGRESDB_HOST_FILE
+              value: /run/secrets/n8n/postgres/host
+            - name: DB_POSTGRESDB_PASSWORD_FILE
+              value: /run/secrets/n8n/postgres/password
+            - name: DB_POSTGRESDB_PORT_FILE
+              value: /run/secrets/n8n/postgres/port
+            - name: DB_POSTGRESDB_USER_FILE
+              value: /run/secrets/n8n/postgres/user
+            - name: DB_TYPE
+              value: postgresdb
+            - name: N8N_DIAGNOSTICS_ENABLED
+              value: "false"
+            - name: N8N_EDITOR_BASE_URL
+              value: https://n8n.chezmoi.sh
+            - name: N8N_EMAIL_MODE
+              value: smtp
+            - name: N8N_HIDE_USAGE_PAGE
+              value: "true"
+            - name: N8N_HIRING_BANNER_ENABLED
+              value: "false"
+            - name: N8N_HOST
+              value: n8n.chezmoi.sh
+            - name: N8N_LISTEN_ADDRESS
+              value: 0.0.0.0
+            - name: N8N_PORT
+              value: "5678"
+            - name: N8N_PROTOCOL
+              value: http
+            - name: N8N_SMTP_HOST_FILE
+              value: /run/secrets/n8n/smtp/aws_ses_host
+            - name: N8N_SMTP_PASS_FILE
+              value: /run/secrets/n8n/smtp/aws_ses_password
+            - name: N8N_SMTP_PORT_FILE
+              value: /run/secrets/n8n/smtp/aws_ses_port
+            - name: N8N_SMTP_SENDER_FILE
+              value: /run/secrets/n8n/smtp/aws_ses_sender
+            - name: N8N_SMTP_USER_FILE
+              value: /run/secrets/n8n/smtp/aws_ses_username
+            - name: N8N_TEMPLATES_ENABLED
+              value: "true"
+            - name: N8N_USER_FOLDER
+              value: /opt/n8n/data
+            - name: TZ
+              value: Europe/Paris
+            - name: VUE_APP_URL_BASE_API
+              value: https://n8n.chezmoi.sh
+          image: docker.n8n.io/n8nio/n8n:1.72.1
+          livenessProbe:
+            httpGet:
+              path: /
+              port: http
+          ports:
+            - name: http
+              containerPort: 5678
+              protocol: TCP
+          readinessProbe:
+            httpGet:
+              path: /
+              port: http
+          resources:
+            requests:
+              cpu: 100m
+              memory: 1Gi
+            limits:
+              memory: 1Gi
+          securityContext:
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            privileged: false
+            readOnlyRootFilesystem: true
+            runAsNonRoot: true
+            runAsUser: 16727
+            runAsGroup: 16727
+            seccompProfile:
+              type: RuntimeDefault
+          volumeMounts:
+            - name: cnpg-config
+              mountPath: /run/secrets/n8n/postgress
+              readOnly: true
+            - name: smtp-config
+              mountPath: /run/secrets/n8n/smtp
+              readOnly: true
+            - name: n8n-persistent
+              mountPath: /opt/n8n
+            - name: n8n-cache
+              mountPath: /opt/n8n/.cache
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 16727
+        runAsGroup: 16727
+        fsGroup: 16727
+      volumes:
+        - name: cnpg-config
+          secret:
+            secretName: n8n-app
+        - name: smtp-config
+          secret:
+            secretName: n8n-smtp-credentials
+        - name: n8n-persistent
+          persistentVolumeClaim:
+            claimName: n8n-persistent
+        - name: n8n-cache
+          emptyDir: {}
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: n8n
+  namespace: n8n
+  labels:
+    app.kubernetes.io/name: n8n
+    app.kubernetes.io/instance: n8n
+    app.kubernetes.io/part-of: n8n
+spec:
+  selector:
+    app.kubernetes.io/name: n8n
+    app.kubernetes.io/instance: n8n
+  ports:
+    - name: http
+      port: 80
+      targetPort: http
+      protocol: TCP
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: n8n-persistent
+  namespace: n8n
+  labels:
+    app.kubernetes.io/name: n8n
+    app.kubernetes.io/instance: n8n
+    app.kubernetes.io/part-of: n8n
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  labels:
+    app.kubernetes.io/name: n8n
+    app.kubernetes.io/instance: n8n
+    app.kubernetes.io/part-of: n8n
+  name: n8n-smtp
+  namespace: n8n
+spec:
+  data:
+    - remoteRef:
+        key: apps-n8n-aws-ses
+        property: username
+      secretKey: aws-ses-username
+    - remoteRef:
+        key: apps-n8n-aws-ses
+        property: password
+      secretKey: aws-ses-password
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: kubernetes.maison.chezmoi.sh
+  target:
+    name: n8n-smtp-credentials
+    template:
+      type: Opaque
+      engineVersion: v2
+      data:
+        aws_ses_host: email-smtp.us-east-1.amazonaws.com
+        aws_ses_username: "{{ .aws-ses-username }}"
+        aws_ses_password: "{{ .aws-ses-password }}"
+        aws_ses_port: "587"
+        aws_ses_sender: n8n <[email protected]>
+# ---
+# apiVersion: networking.k8s.io/v1
+# kind: NetworkPolicy
+# metadata:
+#   name: n8n
+#   namespace: n8n
+#   labels:
+#     app.kubernetes.io/name: n8n
+#     app.kubernetes.io/instance: n8n
+#     app.kubernetes.io/part-of: n8n
+# spec:
+#   podSelector:
+#     matchLabels:
+#       app.kubernetes.io/name: n8n
+#       app.kubernetes.io/instance: n8n
+#   policyTypes:
+#     - Ingress
+#     - Egress
+#   ingress:
+#     - from:
+#         - podSelector: {}
+#     - from:
+#         - namespaceSelector:
+#             matchLabels:
+#               kubernetes.io/metadata.name: traefik-system
+#   egress:
+#     - to:
+#         - namespaceSelector: {}
+#           podSelector:
+#             matchLabels:
+#               k8s-app: kube-dns
+#       ports:
+#         - port: 53
+#           protocol: UDP
+#     - to:
+#         - ipBlock:
+#             cidr: 0.0.0.0/0
+#       ports:
+#         - port: 443
+#     - to:
+#         - podSelector: {}

projects/maison/src/apps/n8n/n8n.httproute.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: n8n-websecure
+  namespace: n8n
+spec:
+  parentRefs:
+    - name: default
+      namespace: default
+  hostnames:
+    - n8n.chezmoi.sh
+  rules:
+    - backendRefs:
+        - name: n8n
+          port: 80

projects/maison/src/apps/n8n/n8n.vpn.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: n8n-tailscale
+  namespace: n8n
+spec:
+  defaultBackend:
+    service:
+      name: n8n
+      port:
+        number: 80
+  ingressClassName: tailscale
+  tls:
+    - hosts:
+        - n8n

projects/maison/src/apps/n8n/namespace.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: n8n