feat(home): deploy miniflux

buroa · Dec 31, 2023 · 4863ea2 · 4863ea2
1 parent 06e77b3
commit 4863ea2
Show file tree

Hide file tree

Showing 8 changed files with 203 additions and 1 deletion.
diff --git a/kubernetes/apps/home/kustomization.yaml b/kubernetes/apps/home/kustomization.yaml
@@ -6,6 +6,7 @@ resources:
   - ./atuin/ks.yaml
   - ./hajimari/ks.yaml
   - ./home-assistant/ks.yaml
+  - ./miniflux/ks.yaml
   - ./mosquitto/ks.yaml
   - ./node-red/ks.yaml
   - ./thelounge/ks.yaml

diff --git a/kubernetes/apps/home/miniflux/app/externalsecret.yaml b/kubernetes/apps/home/miniflux/app/externalsecret.yaml
@@ -0,0 +1,29 @@
+---
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: miniflux
+spec:
+  secretStoreRef:
+    kind: ClusterSecretStore
+    name: onepassword-connect
+  target:
+    name: miniflux-secret
+    template:
+      engineVersion: v2
+      data:
+        ADMIN_USERNAME: "{{ .MINIFLUX_ADMIN_USERNAME }}"
+        ADMIN_PASSWORD: "{{ .MINIFLUX_ADMIN_PASSWORD }}"
+        DATABASE_URL: |-
+          postgres://{{ .MINIFLUX_POSTGRES_USER }}:{{ .MINIFLUX_POSTGRES_PASS }}@postgres-rw.databases.svc.cluster.local/miniflux?sslmode=disable
+        OAUTH2_CLIENT_SECRET: "{{ .MINIFLUX_OAUTH_CLIENT_SECRET }}"
+        INIT_POSTGRES_DBNAME: miniflux
+        INIT_POSTGRES_HOST: postgres-rw.databases.svc.cluster.local
+        INIT_POSTGRES_USER: "{{ .MINIFLUX_POSTGRES_USER }}"
+        INIT_POSTGRES_PASS: "{{ .MINIFLUX_POSTGRES_PASS }}"
+        INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
+  dataFrom:
+    - extract:
+        key: miniflux
+    - extract:
+        key: cloudnative-pg
diff --git a/kubernetes/apps/home/miniflux/app/helmrelease.yaml b/kubernetes/apps/home/miniflux/app/helmrelease.yaml
@@ -0,0 +1,126 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+  name: &app miniflux
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: app-template
+      version: 2.4.0
+      sourceRef:
+        kind: HelmRepository
+        name: bjw-s-charts
+        namespace: flux-system
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      retries: 3
+  uninstall:
+    keepHistory: false
+  values:
+    controllers:
+      main:
+        replicas: 2
+        strategy: RollingUpdate
+        annotations:
+          reloader.stakater.com/auto: "true"
+        initContainers:
+          init-db:
+            image:
+              repository: ghcr.io/onedr0p/postgres-init
+              tag: 16
+            envFrom: &envFrom
+              - secretRef:
+                  name: miniflux-secret
+        containers:
+          main:
+            image:
+              repository: ghcr.io/miniflux/miniflux
+              tag: 2.0.50-distroless@sha256:625f6decf8740020fabec273e0f694f218a50281e251e13514ac2be4d9147ca8
+            env:
+              BASE_URL: https://{{ .Release.Name }}.${PUBLIC_DOMAIN}
+              CREATE_ADMIN: 1
+              LOG_DATE_TIME: 1
+              METRICS_ALLOWED_NETWORKS: ${CLUSTER_POD_IP_CIDR}
+              METRICS_COLLECTOR: 1
+              OAUTH2_CLIENT_ID: miniflux
+              OAUTH2_OIDC_DISCOVERY_ENDPOINT: https://auth.${PUBLIC_DOMAIN}
+              OAUTH2_PROVIDER: oidc
+              OAUTH2_REDIRECT_URL: https://{{ .Release.Name }}.${PUBLIC_DOMAIN}/oauth2/oidc/callback
+              OAUTH2_USER_CREATION: 1
+              POLLING_FREQUENCY: 15
+              POLLING_SCHEDULER: entry_frequency
+              PORT: &port 80
+              RUN_MIGRATIONS: 1
+            envFrom: *envFrom
+            probes:
+              liveness: &probes
+                enabled: true
+                custom: true
+                spec:
+                  httpGet:
+                    path: &path /healthcheck
+                    port: *port
+                  initialDelaySeconds: 0
+                  periodSeconds: 10
+                  timeoutSeconds: 1
+                  failureThreshold: 3
+              readiness: *probes
+              startup:
+                enabled: false
+            resources:
+              requests:
+                cpu: 10m
+                memory: 250M
+              limits:
+                memory: 512M
+            securityContext:
+              allowPrivilegeEscalation: false
+              readOnlyRootFilesystem: true
+              capabilities:
+                drop:
+                  - ALL
+        pod:
+          securityContext:
+            runAsUser: 568
+            runAsGroup: 568
+            runAsNonRoot: true
+          topologySpreadConstraints:
+            - maxSkew: 1
+              topologyKey: kubernetes.io/hostname
+              whenUnsatisfiable: DoNotSchedule
+              labelSelector:
+                matchLabels:
+                  app.kubernetes.io/name: *app
+    ingress:
+      main:
+        enabled: true
+        className: external
+        annotations:
+          gatus.io/enabled: "true"
+          gatus.io/path: *path
+          hajimari.io/icon: mdi:rss
+          external-dns.alpha.kubernetes.io/target: external.${PUBLIC_DOMAIN}
+        hosts:
+          - host: &host "{{ .Release.Name }}.${PUBLIC_DOMAIN}"
+            paths:
+              - path: /
+                service:
+                  name: main
+                  port: http
+        tls:
+          - hosts:
+              - *host
+    service:
+      main:
+        ports:
+          http:
+            port: 80
+    serviceMonitor:
+      main:
+        enabled: true
diff --git a/kubernetes/apps/home/miniflux/app/kustomization.yaml b/kubernetes/apps/home/miniflux/app/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./externalsecret.yaml
+  - ./helmrelease.yaml
diff --git a/kubernetes/apps/home/miniflux/ks.yaml b/kubernetes/apps/home/miniflux/ks.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: cluster-apps-miniflux
+  namespace: flux-system
+spec:
+  targetNamespace: home
+  dependsOn:
+    - name: cluster-apps-cloudnative-pg-cluster
+    - name: cluster-apps-external-secrets-stores
+  path: ./kubernetes/apps/home/miniflux/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: k8s-gitops
+  wait: true
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m
diff --git a/kubernetes/apps/security/authelia/app/configs/configuration.yml b/kubernetes/apps/security/authelia/app/configs/configuration.yml
@@ -60,6 +60,21 @@ identity_providers:
           - https://grafana.${PUBLIC_DOMAIN}/login/generic_oauth
         userinfo_signed_response_alg: none
 
+      - id: miniflux
+        description: Miniflux
+        secret: ${MINIFLUX_OAUTH_CLIENT_SECRET}
+        public: false
+        authorization_policy: two_factor
+        pre_configured_consent_duration: 1y
+        scopes:
+          - openid
+          - profile
+          - groups
+          - email
+        redirect_uris:
+          - https://miniflux.${PUBLIC_DOMAIN}/oauth2/oidc/callback
+        userinfo_signed_response_alg: none
+
       - id: nodered
         description: Node-RED
         secret: ${NODE_RED_OAUTH_CLIENT_SECRET}

diff --git a/kubernetes/apps/security/authelia/app/externalsecret.yaml b/kubernetes/apps/security/authelia/app/externalsecret.yaml
@@ -26,6 +26,7 @@ spec:
         AUTHELIA_STORAGE_POSTGRES_PASSWORD: &dbPass "{{ .AUTHELIA_STORAGE_POSTGRES_PASSWORD }}"
         # OIDC Apps
         GRAFANA_OAUTH_CLIENT_SECRET: "{{ .GRAFANA_OAUTH_CLIENT_SECRET }}"
+        MINIFLUX_OAUTH_CLIENT_SECRET: "{{ .MINIFLUX_OAUTH_CLIENT_SECRET }}"
         NODE_RED_OAUTH_CLIENT_SECRET: "{{ .NODE_RED_OAUTH_CLIENT_SECRET }}"
         WEAVE_GITOPS_OAUTH_CLIENT_SECRET: "{{ .WEAVE_GITOPS_OAUTH_CLIENT_SECRET }}"
         # Postgres Init
@@ -43,6 +44,8 @@ spec:
         key: cloudnative-pg
     - extract:
         key: grafana
+    - extract:
+        key: miniflux
     - extract:
         key: node-red
     - extract:

diff --git a/kubernetes/apps/security/authelia/app/helmrelease.yaml b/kubernetes/apps/security/authelia/app/helmrelease.yaml
@@ -79,14 +79,16 @@ spec:
     ingress:
       main:
         enabled: true
-        className: internal
+        className: external
         annotations:
+          gatus.io/enabled: "true"
           hajimari.io/icon: mdi:shield-account
           nginx.ingress.kubernetes.io/configuration-snippet: |
             add_header Cache-Control "no-store";
             add_header Pragma "no-cache";
             add_header X-Frame-Options "SAMEORIGIN";
             add_header X-XSS-Protection "1; mode=block";
+          external-dns.alpha.kubernetes.io/target: external.${PUBLIC_DOMAIN}
         hosts:
           - host: &host "{{ .Release.Name }}.${PUBLIC_DOMAIN}"
             paths: &paths