feat(postiz): Deploy postiz

k8s/apps/communications/kustomization.yaml

@@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - jitsi.k8s.yaml
+  - postiz.k8s.yaml

k8s/apps/communications/postiz.k8s.yaml

@@ -0,0 +1,15 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: postiz
+  namespace: flux-system
+spec:
+  interval: 10m
+  path: ./k8s/apps/communications/postiz
+  dependsOn:
+    - name: ingress
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: emnt-ops

k8s/apps/communications/postiz/deployment.k8s.yaml

@@ -0,0 +1,57 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: postiz
+  namespace: postiz
+  labels:
+    app.kubernetes.io/name: postiz
+    app.kubernetes.io/instance: postiz
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: postiz
+      app.kubernetes.io/instance: postiz
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: postiz
+        app.kubernetes.io/instance: postiz
+    spec:
+      containers:
+        - name: postiz
+          image: ghcr.io/gitroomhq/postiz-app:v1.31.1-amd64
+          env:
+            - name: MAIN_URL
+              value: https://postiz.${CLUSTER_DOMAIN}
+            - name: FRONTEND_URL
+              value: https://postiz.${CLUSTER_DOMAIN}
+            - name: NEXT_PUBLIC_BACKEND_URL
+              value: https://postiz.${CLUSTER_DOMAIN}/api
+            - name: BACKEND_INTERNAL_URL
+              value: http://localhost:3000
+            - name: IS_GENERAL
+              value: "true"
+            - name: DATABASE_URL
+              valueFrom:
+                secretKeyRef:
+                  name: postiz-pg-pguser-postiz
+                  key: uri
+            - name: REDIS_URL
+              valueFrom:
+                secretKeyRef:
+                  name: keydb-url
+                  key: KEYDB_URL
+          envFrom:
+            - secretRef:
+                name: postiz-secrets
+          ports:
+            - name: http
+              containerPort: 5000
+          volumeMounts:
+            - name: uploads
+              mountPath: /uploads
+      volumes:
+        - name: uploads
+          persistentVolumeClaim:
+            claimName: postiz-uploads

k8s/apps/communications/postiz/ingress.k8s.yaml

@@ -0,0 +1,40 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: postiz
+  namespace: postiz
+  labels:
+    app.kubernetes.io/name: postiz
+    app.kubernetes.io/instance: postiz
+spec:
+  type: ClusterIP
+  selector:
+    app.kubernetes.io/name: postiz
+    app.kubernetes.io/instance: postiz
+  ports:
+    - name: postiz
+      port: 5000
+      targetPort: http
+      protocol: TCP
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: postiz
+  namespace: postiz
+  labels:
+    app.kubernetes.io/name: postiz
+    app.kubernetes.io/instance: postiz
+spec:
+  ingressClassName: ingress-internal-traefik
+  rules:
+    - host: postiz.${CLUSTER_DOMAIN}
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: postiz
+                port:
+                  name: http

k8s/apps/communications/postiz/keydb-url-template.k8s.yaml

@@ -0,0 +1,21 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: keydb-url-template
+  namespace: postiz
+spec:
+  secretStoreRef:
+    kind: SecretStore
+    name: postiz-secrets
+  target:
+    name: keydb-url
+    template:
+      engineVersion: v2
+      data:
+        KEYDB_URL: "redis://postiz-postiz-keydb.postiz.svc.cluster.local:6379/?password={{ .password }}"
+  data:
+    - secretKey: password
+      remoteRef:
+        key: keydb-creds
+        property: password

k8s/apps/communications/postiz/keydb.k8s.yaml

@@ -0,0 +1,32 @@
+# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/helm.toolkit.fluxcd.io/helmrelease_v2.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: postiz-keydb
+  namespace: flux-system
+spec:
+  interval: 30m
+  targetNamespace: postiz
+  chart:
+    spec:
+      chart: keydb
+      version: 0.48.0
+      sourceRef:
+        kind: HelmRepository
+        name: enapter
+        namespace: flux-system
+      interval: 30m
+  values:
+    existingSecret: keydb-creds
+    existingSecretKey: password
+    readinessProbeRandomUuid: 1e1554a3-f51a-466b-8182-169ff1ba2bf9
+    persistentVolume:
+      storageClass: freenas-api-iscsi-csi
+    serviceMonitor:
+      enabled: true
+      labels:
+        release: prometheus
+    exporter:
+      enabled: true
+    scripts:
+      enabled: true

k8s/apps/communications/postiz/kustomization.yaml

@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.k8s.yaml
+  - deployment.k8s.yaml
+  - pvc.k8s.yaml
+  - ingress.k8s.yaml
+  - postgres.k8s.yaml
+  - keydb.k8s.yaml
+  - secrets.sops.yaml
+  - secretstore.k8s.yaml
+  - keydb-url-template.k8s.yaml

k8s/apps/communications/postiz/namespace.k8s.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: postiz

k8s/apps/communications/postiz/postgres.k8s.yaml

@@ -0,0 +1,98 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: s3-creds
+  namespace: postiz
+  annotations:
+    reflector.v1.k8s.emberstack.com/reflects: "local-backup-s3/pgbackrest-postiz-s3creds"
+data: {}
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/postgres-operator.crunchydata.com/postgrescluster_v1beta1.json
+apiVersion: postgres-operator.crunchydata.com/v1beta1
+kind: PostgresCluster
+metadata:
+  name: postiz-pg
+  namespace: postiz
+  annotations:
+    postgres-operator.crunchydata.com/autoCreateUserSchema: "true"
+spec:
+  image: registry.developers.crunchydata.com/crunchydata/crunchy-postgres:ubi8-15.7-1
+  postgresVersion: 15
+  users:
+    - name: postiz
+      password:
+        type: AlphaNumeric
+      databases:
+        - postiz
+  instances:
+    - name: instance1
+      metadata:
+        labels:
+          app.kubernetes.io/name: postgresql
+          app.kubernetes.io/instance: postiz-pg
+      resources:
+        requests:
+          cpu: 50m
+          memory: 128Mi
+        limits:
+          memory: 512Mi
+      sidecars:
+        replicaCertCopy:
+          resources:
+            requests:
+              cpu: 10m
+              memory: 2Mi
+            limits:
+              memory: 16Mi
+      dataVolumeClaimSpec:
+        storageClassName: freenas-api-iscsi-csi
+        accessModes:
+          - "ReadWriteOnce"
+        resources:
+          requests:
+            storage: 10Gi
+  patroni:
+    dynamicConfiguration:
+      # Prevents failovers due to latency issues with etcd, useful for non-HA controlplane
+      failsafe_mode: true
+      postgresql:
+        parameters:
+          max_slot_wal_keep_size: 1GB
+          max_wal_size: 1GB
+  backups:
+    pgbackrest:
+      image: registry.developers.crunchydata.com/crunchydata/crunchy-pgbackrest:ubi8-2.47-1
+      global:
+        repo1-s3-uri-style: path
+        repo1-path: /pgbackrest-postiz/postiz-pg/repo1
+        repo1-retention-full: "30"
+        repo1-retention-full-type: time
+      jobs:
+        resources:
+          requests:
+            cpu: 10m
+            memory: 32Mi
+          limits:
+            memory: 128Mi
+      configuration:
+        - secret:
+            name: s3-creds
+      repos:
+        - name: repo1
+          s3:
+            endpoint: https://backup-s3.${CLUSTER_DOMAIN}
+            region: us-west-1
+            bucket: pgbackrest
+          schedules:
+            full: 0 6 * * 0
+            incremental: 0 6 * * 1-6
+  monitoring:
+    pgmonitor:
+      exporter:
+        resources:
+          requests:
+            cpu: 10m
+            memory: 16Mi
+          limits:
+            memory: 64Mi
+        image: registry.developers.crunchydata.com/crunchydata/crunchy-postgres-exporter:ubi8-5.3.1-0

k8s/apps/communications/postiz/pvc.k8s.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: postiz-uploads
+  namespace: postiz
+spec:
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 50Gi
+  storageClassName: freenas-api-iscsi-csi

k8s/apps/communications/postiz/secrets.sops.yaml

@@ -0,0 +1,85 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: keydb-creds
+    namespace: postiz
+stringData:
+    password: ENC[AES256_GCM,data:c31lC+cHdcwYYv+ZrEcaefHrCeO7TMsw3+A4+BEcRgc=,iv:80iHwCmQ4+JReeOrK3cmcFTkGrmciFq2uisOxomabDc=,tag:vBplccwi2kPWjuCsXWGQUA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1exncnhces66v0uc67xm009v2d2237hgdxtaa8tdy0hvusexjry0qye4ad2
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5cThCWWdVNUxDRmRER1dt
+            WkU4cUMrMlMwL2FTYkgzT1lQNC9sMmFFY0QwCjVKd3Jodk1jblNYYTNpZGJndDV1
+            QnRZblBaeXZ5SW5Ib2RiT21KUk80eHcKLS0tIGMvWVdQTVFuWVdhWDZjWFJqSnZ4
+            M1hOSko5eEE0YzJpR3Y5UkdBRThPcEUKCeQbB7m+Uqsll0JgWWSb8y3F6bbj7Y+b
+            OwoaeHoWXj3LbQmweP5MHAlX/qHDEmjGRNAz5rYXQMcfjFhIopcJ4Q==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-01-29T05:58:20Z"
+    mac: ENC[AES256_GCM,data:LglfFeHbhqEVA/EA1Vx90xbWTx0hXztV35gZ7ctFfDCodp5Zmlfo1Y15qKKqrWT/p8WObbGWAvZIcAKJvWLASEm09MbRBBtMn6Thjv6l5ALo561lQPR1WKJ3FWY2PWz06Z+SpS2G3iJO6LmccZotBRa4a7flOOg/epMyZvlhQGw=,iv:Ig9DAS8TxeMnSHeC02qvOJNgaNVN3saacDdZyBuAb/E=,tag:iFNxKDhsuQLVVNpd0V5upQ==,type:str]
+    pgp:
+        - created_at: "2025-01-29T05:58:20Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQEMAzB6fv8Ha/LEAQf8CjuDRyP29zrJMpDwCtbeiVU4imlvq1JMgvdhXhvAZGgE
+            qizvKeK14cm6Mgav4lsz8GGkt84rMmIKGNvd/aDSykZmgApKwbXCQilhVot6kq2J
+            Hqh361F18mqoO+RJNdwADs63i2kRcH5b5O2yAPHnyojpI7mdpCRfnhrWP5Tfs0Tu
+            w99LG+fx6ZL74bQNX1d36afQ10AN9NrEO77XHo1qUdsTnDGklHlvlpGRbfCNERV/
+            N7wjooQ540u5R37uA7KzP2ruZjkr0I2X3npCpqYLZ8eheWN1e7Qvqctzcu9aOn7k
+            oOEoWikk0qkWvjad5ymNFyYyNBBVAHNFnaZxXdaBcdJeATnZtkW8uI6wvYFvBSyo
+            x9jy/C/ehjxVa8ykUvZFf/ZJuq35tcEyfX5mjamNRH+PDpJhbwaqfpw3f6sqjJBl
+            3qoymo5O/xIsRJWjiFGFfgS6gncZJLZuTEXiNLGQgA==
+            =xuC3
+            -----END PGP MESSAGE-----
+          fp: C5B9ADB07DBE5A2E
+    encrypted_regex: ^(data|stringData)$
+    version: 3.9.3
+---
+apiVersion: v1
+kind: Secret
+metadata:
+    name: postiz-secrets
+    namespace: postiz
+stringData:
+    JWT_SECRET: ENC[AES256_GCM,data:bxf91g2pKUIVDK9UJx+nPvfNvW6PZU5ZPueyrxXzamN/OIyIxZ3hlHu11oBFHe0D8WHpnj6QLmegiLfkaoAY0w==,iv:a5cuIMQzJ/eGkr9bTFWUnRLfuh0VM0GIC3XO/vS7fss=,tag:xMJ4jUm0DMImLGUFII72HQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1exncnhces66v0uc67xm009v2d2237hgdxtaa8tdy0hvusexjry0qye4ad2
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5cThCWWdVNUxDRmRER1dt
+            WkU4cUMrMlMwL2FTYkgzT1lQNC9sMmFFY0QwCjVKd3Jodk1jblNYYTNpZGJndDV1
+            QnRZblBaeXZ5SW5Ib2RiT21KUk80eHcKLS0tIGMvWVdQTVFuWVdhWDZjWFJqSnZ4
+            M1hOSko5eEE0YzJpR3Y5UkdBRThPcEUKCeQbB7m+Uqsll0JgWWSb8y3F6bbj7Y+b
+            OwoaeHoWXj3LbQmweP5MHAlX/qHDEmjGRNAz5rYXQMcfjFhIopcJ4Q==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2025-01-29T05:58:20Z"
+    mac: ENC[AES256_GCM,data:LglfFeHbhqEVA/EA1Vx90xbWTx0hXztV35gZ7ctFfDCodp5Zmlfo1Y15qKKqrWT/p8WObbGWAvZIcAKJvWLASEm09MbRBBtMn6Thjv6l5ALo561lQPR1WKJ3FWY2PWz06Z+SpS2G3iJO6LmccZotBRa4a7flOOg/epMyZvlhQGw=,iv:Ig9DAS8TxeMnSHeC02qvOJNgaNVN3saacDdZyBuAb/E=,tag:iFNxKDhsuQLVVNpd0V5upQ==,type:str]
+    pgp:
+        - created_at: "2025-01-29T05:58:20Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQEMAzB6fv8Ha/LEAQf8CjuDRyP29zrJMpDwCtbeiVU4imlvq1JMgvdhXhvAZGgE
+            qizvKeK14cm6Mgav4lsz8GGkt84rMmIKGNvd/aDSykZmgApKwbXCQilhVot6kq2J
+            Hqh361F18mqoO+RJNdwADs63i2kRcH5b5O2yAPHnyojpI7mdpCRfnhrWP5Tfs0Tu
+            w99LG+fx6ZL74bQNX1d36afQ10AN9NrEO77XHo1qUdsTnDGklHlvlpGRbfCNERV/
+            N7wjooQ540u5R37uA7KzP2ruZjkr0I2X3npCpqYLZ8eheWN1e7Qvqctzcu9aOn7k
+            oOEoWikk0qkWvjad5ymNFyYyNBBVAHNFnaZxXdaBcdJeATnZtkW8uI6wvYFvBSyo
+            x9jy/C/ehjxVa8ykUvZFf/ZJuq35tcEyfX5mjamNRH+PDpJhbwaqfpw3f6sqjJBl
+            3qoymo5O/xIsRJWjiFGFfgS6gncZJLZuTEXiNLGQgA==
+            =xuC3
+            -----END PGP MESSAGE-----
+          fp: C5B9ADB07DBE5A2E
+    encrypted_regex: ^(data|stringData)$
+    version: 3.9.3