feat: first deployment in k3s on hetzner

hetzner/helmfile/helmfile.yaml.gotmpl

@@ -0,0 +1,9 @@
+---
+releases:
+  - name: ocelot-social
+    namespace: ocelot-social
+    chart: ./ocelot-social
+    values:
+    - ./values/ocelot.yaml
+    secrets:
+      - ./secrets/ocelot.yaml

hetzner/helmfile/ocelot-social/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

hetzner/helmfile/ocelot-social/Chart.yaml

@@ -0,0 +1,24 @@
+apiVersion: v2
+name: ocelot-social
+description: A Helm chart for ocelot-social
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "3.2.0"

hetzner/helmfile/ocelot-social/templates/acme-issuer.yaml

@@ -0,0 +1,39 @@
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ .Release.Name }}-letsencrypt-staging
+spec:
+  acme:
+    # The ACME server URL
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    # Email address used for ACME registration
+    email: {{ quote .Values.secrets.acme_email }}
+    # Name of a secret used to store the ACME account private key
+    privateKeySecretRef:
+      name: {{ .Release.Name }}-letsencrypt-staging
+    # Enable the HTTP-01 challenge provider
+    solvers:
+      - http01:
+          ingress:
+            class: traefik
+
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: {{ .Release.Name }}-letsencrypt-prod
+spec:
+  acme:
+    # The ACME server URL
+    server: https://acme-v02.api.letsencrypt.org/directory
+    # Email address used for ACME registration
+    email: {{ quote .Values.secrets.acme_email }}
+    # Name of a secret used to store the ACME account private key
+    privateKeySecretRef:
+      name: {{ .Release.Name }}-letsencrypt-prod
+    # Enable the HTTP-01 challenge provider
+    solvers:
+      - http01:
+          ingress:
+            class: traefik

hetzner/helmfile/ocelot-social/templates/backend/configmap.yml

@@ -0,0 +1,10 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: {{ .Release.Name }}-backend-env
+data:
+  GRAPHQL_URI: "http://{{ .Release.Name }}-backend:4000"
+  NEO4J_URI: "bolt://{{ .Release.Name }}-neo4j:7687"
+{{- range $key, $value := .Values.backend.env }}
+  {{ $key }}: {{ $value | quote }}
+{{- end }}

hetzner/helmfile/ocelot-social/templates/backend/deployment.yaml

@@ -0,0 +1,45 @@
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name:  {{ .Release.Name }}-backend
+spec:
+  selector:
+    matchLabels:
+      app: {{ .Release.Name }}-backend
+  template:
+    metadata:
+      annotations:
+        backup.velero.io/backup-volumes: uploads
+      labels:
+        app: {{ .Release.Name }}-backend
+    spec:
+      restartPolicy: Always
+      initContainers:
+        - name: {{ .Release.Name }}-backend-migrations
+          image: "{{ .Values.backend.image.repository }}:{{ default .Values.global.image.tag .Values.backend.image.tag "latest" }}"
+          imagePullPolicy: {{ quote .Values.global.image.pullPolicy }}
+          command: ["/bin/sh", "-c", "yarn prod:migrate up"]
+          envFrom:
+          - configMapRef:
+              name: {{ .Release.Name }}-backend-env
+          - secretRef:
+              name: {{ .Release.Name }}-backend-secret-env
+      containers:
+      - name: {{ .Release.Name }}-backend
+        image: "{{ .Values.backend.image.repository }}:{{ default .Values.global.image.tag .Values.backend.image.tag .Chart.AppVersion "latest" }}"
+        imagePullPolicy: {{ quote .Values.global.image.pullPolicy }}
+        envFrom:
+        - configMapRef:
+            name: {{ .Release.Name }}-backend-env
+        - secretRef:
+            name: {{ .Release.Name }}-backend-secret-env
+        ports:
+        - containerPort: 4000
+          protocol: TCP
+        volumeMounts:
+          - mountPath: /app/public/uploads
+            name: uploads
+      volumes:
+      - name: uploads
+        persistentVolumeClaim:
+          claimName: {{ .Release.Name }}-uploads

hetzner/helmfile/ocelot-social/templates/backend/persistent-volume-claim.yaml

@@ -0,0 +1,10 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: {{ .Release.Name }}-uploads
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage:  {{ .Values.backend.storage }}

hetzner/helmfile/ocelot-social/templates/backend/secret.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-backend-secret-env
+type: Opaque
+stringData:
+{{ .Values.secrets.backend.env | toYaml | indent 2 }}

hetzner/helmfile/ocelot-social/templates/backend/service.yaml

@@ -0,0 +1,11 @@
+kind: Service
+apiVersion: v1
+metadata:
+  name: {{ .Release.Name }}-backend
+spec:
+  ports:
+    - name: {{ .Release.Name }}-graphql
+      port: 4000
+      targetPort: 4000
+  selector:
+    app: {{ .Release.Name }}-backend

hetzner/helmfile/ocelot-social/templates/configmap.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: {{ .Release.Name }}
+data:
+{{ .Values.configmap | toYaml | indent 2 }}

hetzner/helmfile/ocelot-social/templates/ingress.yaml

@@ -0,0 +1,24 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: {{ .Release.Name }}
+  annotations:
+    cert-manager.io/issuer: {{ .Values.cert_manager.issuer | default (printf "%s-letsencrypt-staging"  .Release.Name) }}
+spec:
+  tls:
+  - hosts:
+      - {{ quote .Values.domain }}
+    secretName: {{ .Release.Name }}-letsencrypt-tls
+
+  rules:
+  - host: {{ quote .Values.domain }}
+    http:
+      paths:
+        - path: /
+          pathType: ImplementationSpecific
+          backend:
+            service:
+              name: {{ .Release.Name }}-webapp
+              port:
+                number: 3000

hetzner/helmfile/ocelot-social/templates/maintenance/deployment.yaml

@@ -0,0 +1,23 @@
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name:  {{ .Release.Name }}-maintenance
+spec:
+  selector:
+    matchLabels:
+      app: {{ .Release.Name }}-maintenance
+  template:
+    metadata:
+      labels:
+        app: {{ .Release.Name }}-maintenance
+    spec:
+      restartPolicy: Always
+      containers:
+      - name: {{ .Release.Name }}-maintenance
+        image: "{{ .Values.maintenance.image.repository }}:{{ default .Values.global.image.tag .Values.maintenance.image.tag "latest" }}"
+        imagePullPolicy: {{ quote .Values.global.image.pullPolicy }}
+        env:
+          - name: HOST
+            value: 0.0.0.0
+        ports:
+          - containerPort: 80

hetzner/helmfile/ocelot-social/templates/maintenance/service.yaml

@@ -0,0 +1,11 @@
+kind: Service
+apiVersion: v1
+metadata:
+  name: {{ .Release.Name }}-maintenance
+spec:
+  ports:
+    - name: {{ .Release.Name }}-http
+      port: 80
+      targetPort: 80
+  selector:
+    app: {{ .Release.Name }}-maintenance

hetzner/helmfile/ocelot-social/templates/neo4j/configmap.yml

@@ -0,0 +1,6 @@
+kind: ConfigMap
+apiVersion: v1
+metadata:
+  name: {{ .Release.Name }}-neo4j-env
+data:
+{{ .Values.neo4j.env | toYaml | indent 2 }}

hetzner/helmfile/ocelot-social/templates/neo4j/deployment.yaml

@@ -0,0 +1,37 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name:  {{ .Release.Name }}-neo4j
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: {{ .Release.Name }}-neo4j
+  template:
+    metadata:
+      name: neo4j
+      annotations:
+        backup.velero.io/backup-volumes: neo4j-data
+      labels:
+        app: {{ .Release.Name }}-neo4j
+    spec:
+      restartPolicy: Always
+      containers:
+      - name: container-{{ .Release.Name }}-neo4j
+        image: "{{ .Values.neo4j.image.repository }}:{{ default .Values.global.image.tag .Values.neo4j.image.tag .Chart.AppVersion "latest" }}"
+        imagePullPolicy: {{ quote .Values.global.image.pullPolicy }}
+        ports:
+        - containerPort: 7687
+        - containerPort: 7474
+        envFrom:
+        - configMapRef:
+            name: {{ .Release.Name }}-neo4j-env
+        - secretRef:
+            name: {{ .Release.Name }}-neo4j-secret-env
+        volumeMounts:
+          - mountPath: /data/
+            name: neo4j-data
+      volumes:
+      - name: neo4j-data
+        persistentVolumeClaim:
+          claimName: {{ .Release.Name }}-neo4j-data

hetzner/helmfile/ocelot-social/templates/neo4j/persistent-volume-claim.yaml

@@ -0,0 +1,10 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+  name: {{ .Release.Name }}-neo4j-data
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage:  {{ .Values.neo4j.storage }}

hetzner/helmfile/ocelot-social/templates/neo4j/secret.yaml

@@ -0,0 +1,6 @@
+kind: Secret
+apiVersion: v1
+metadata:
+  name: {{ .Release.Name }}-neo4j-secret-env
+stringData:
+{{ .Values.secrets.neo4j.env | toYaml | indent 2 }}

hetzner/helmfile/ocelot-social/templates/neo4j/service.yaml

@@ -0,0 +1,14 @@
+kind: Service
+apiVersion: v1
+metadata:
+  name: {{ .Release.Name }}-neo4j
+spec:
+  ports:
+  - name: {{ .Release.Name }}-bolt
+    port: 7687
+    targetPort: 7687
+  - name: {{ .Release.Name }}-http # for debugging only
+    port: 7474
+    targetPort: 7474
+  selector:
+    app: {{ .Release.Name }}-neo4j

hetzner/helmfile/ocelot-social/templates/webapp/deployment.yaml

@@ -0,0 +1,31 @@
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+  name:  {{ .Release.Name }}-webapp
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: {{ .Release.Name }}-webapp
+  template:
+    metadata:
+      labels:
+        app: {{ .Release.Name }}-webapp
+    spec:
+      restartPolicy: Always
+      containers:
+      - name: {{ .Release.Name }}-webapp
+        image: "{{ .Values.webapp.image.repository }}:{{ default .Values.global.image.tag .Values.webapp.image.tag .Chart.AppVersion "latest" }}"
+        imagePullPolicy: {{ quote .Values.global.image.pullPolicy }}
+        ports:
+        - containerPort: 3000
+        env:
+        - name: WEBSOCKETS_URI
+          value: "wss://{{ .Values.domain }}/api/graphql"
+        - name: HOST
+          value: "0.0.0.0"
+        - name: GRAPHQL_URI
+          value: "http://{{ .Release.Name }}-backend:4000"
+        envFrom:
+        - secretRef:
+            name: {{ .Release.Name }}-webapp-secret-env

hetzner/helmfile/ocelot-social/templates/webapp/secret.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: {{ .Release.Name }}-webapp-secret-env
+type: Opaque
+stringData:
+{{ .Values.secrets.webapp.env | toYaml | indent 2 }}

hetzner/helmfile/ocelot-social/templates/webapp/service.yaml

@@ -0,0 +1,11 @@
+kind: Service
+apiVersion: v1
+metadata:
+  name: {{ .Release.Name }}-webapp
+spec:
+  ports:
+    - name: {{ .Release.Name }}-http
+      port: 3000
+      targetPort: 3000
+  selector:
+    app: {{ .Release.Name }}-webapp