diff --git a/.env b/.env
new file mode 100644
index 0000000..76a9ce4
--- /dev/null
+++ b/.env
@@ -0,0 +1 @@
+OCELOT_VERSION=sha-80ff4ef
diff --git a/.env.dist b/.env.dist
deleted file mode 100644
index d35240e..0000000
--- a/.env.dist
+++ /dev/null
@@ -1,23 +0,0 @@
-# GITHUB_OCELOT_REF affects the publish workflow
-# GITHUB_OCELOT_REF is a ref (branch, tag, hash) of the ocelot repository
-# if this value is not set the github ref just built in the triggering workflow is used.
-# if this workflow is triggered by push to master instead of a build-trigger,
-# the `master` branch of the ocelot repo is used.
-# if you set it to `GITHUB_OCELOT_REF=master` unnessecary builds can occur.
-# It is recommended to not set it rather then to set it to `master`
-#GITHUB_OCELOT_REF=b2.4.0-351
-#OCELOT_VERSION=2.4.0-351
-
-# DOCKERHUB_OCELOT_TAG applies to the deploy workflow
-# DOCKERHUB_OCELOT_TAG is a dockerhub tag for the configured (values.yaml) docker images
-# if this value is not set the version just built in the triggering workflow is used.
-# using `DOCKERHUB_OCELOT_TAG=latest` is the default behaviour of the Kubernetes Chart,
-# but its inaccurate if two workflows are running at the same time.
-# It is recommended to not set it rather then to set it to `latest`
-#DOCKERHUB_OCELOT_TAG=12-ocelot.social2.4.0
-
-# DOCKERHUB_BRAND_VARRIANT defines the name of the branded image uploaded to dockerhub.
-DOCKERHUB_BRAND_VARRIANT=stage-ocelot-social
-
-# DOCKERHUB_ORGANISATION defines which dockerhub organisation images will be uploaded to
-# DOCKERHUB_ORGANISATION=ocelotsocialnetwork
\ No newline at end of file
diff --git a/.env.enc b/.env.enc
deleted file mode 100644
index 0c505c5..0000000
Binary files a/.env.enc and /dev/null differ
diff --git a/.github/workflows/deploy.yml b/.github/workflows/deploy.yml
deleted file mode 100644
index 5cd2c12..0000000
--- a/.github/workflows/deploy.yml
+++ /dev/null
@@ -1,57 +0,0 @@
-name: deploy
-
-on:
- repository_dispatch:
- types: [trigger-ocelot-brand-build-success]
-
-jobs:
- deploy:
- # see example https://github.com/do-community/example-doctl-action
- # see example https://github.com/do-community/example-doctl-action/blob/main/.github/workflows/workflow.yaml
- name: Deploy defined version to cluster
- runs-on: ubuntu-latest
- env:
- SECRET: ${{ secrets.SECRET }}
- CONFIGURATION: "this"
- GITHUB_OCELOT_REF_JUST_BUILT: ${{ github.event.client_payload.ocelot_ref }}
- DOCKERHUB_OCELOT_TAG_JUST_BUILT: ${{ github.event.client_payload.BUILD_VERSION }}
- steps:
- - name: Checkout code
- uses: actions/checkout@v3
- - name: Decrypt .env
- run: gpg --quiet --batch --yes --decrypt --passphrase="${{ env.SECRET }}" --output .env .env.enc
- - name: Load .env
- uses: aarcangeli/load-dotenv@v1.0.0
- with:
- quiet: true
- - name: Set GITHUB_OCELOT_REF
- run: |
- if [ -z ${GITHUB_OCELOT_REF} ]; then
- echo "GITHUB_OCELOT_REF=${GITHUB_OCELOT_REF_JUST_BUILT}" >> $GITHUB_ENV
- fi
- shell: bash
- - name: Checkout Ocelot code
- uses: actions/checkout@v3
- with:
- repository: 'Ocelot-Social-Community/Ocelot-Social'
- ref: ${{ env.GITHUB_OCELOT_REF }}
- path: 'ocelot/'
- fetch-depth: 0
- - name: Checkout code
- uses: actions/checkout@v3
- with:
- path: "ocelot/deployment/configurations/${{ env.CONFIGURATION }}"
- - name: Set DOCKERHUB_OCELOT_TAG
- run: |
- if [ -z ${DOCKERHUB_OCELOT_TAG} ]; then
- echo "DOCKERHUB_OCELOT_TAG=${DOCKERHUB_OCELOT_TAG_JUST_BUILT}" >> $GITHUB_ENV
- fi
- shell: bash
- - name: Decrypt all secrets
- run: ocelot/deployment/scripts/secrets.decrypt.sh
- - name: Upgrade Cluster
- run: ocelot/deployment/scripts/cluster.upgrade.sh
- #- name: Sleep for 4 minutes
- # run: sleep 240s
- #- name: Reset and seed Neo4j database
- # run: ocelot/deployment/scripts/cluster.reseed.sh
\ No newline at end of file
diff --git a/.github/workflows/publish.yml b/.github/workflows/publish.yml
index 7086d87..3e1e651 100644
--- a/.github/workflows/publish.yml
+++ b/.github/workflows/publish.yml
@@ -1,267 +1,85 @@ name: publish -on: - #repository_dispatch: - # types: [trigger-ocelot-build-success] - push: - branches: - - master + +on: push jobs: - build_branded: - name: Docker Build Branded + build-and-push-images: + strategy: + matrix: + app: + - name: backend + file: docker/backend.Dockerfile + - name: webapp + file: docker/webapp.Dockerfile + - name: maintenance + file: docker/maintenance.Dockerfile runs-on: ubuntu-latest env: - SECRET: ${{ secrets.SECRET }} - CONFIGURATION: "this" - GITHUB_OCELOT_REF_JUST_BUILT: ${{ github.event.client_payload.ref }} - OCELOT_GITHUB_RUN_NUMBER: ${{ github.event.client_payload.GITHUB_RUN_NUMBER }} + REGISTRY: ghcr.io + IMAGE_NAME: ${{ github.repository }}/${{ matrix.app.name }} + permissions: + contents: read + packages: write + attestations: write + id-token: write + steps: - - name: Checkout code - uses: actions/checkout@v3 - - name: Decrypt .env - run: gpg --quiet --batch --yes --decrypt --passphrase="${{ env.SECRET }}" --output .env .env.enc - - name: Load .env - uses: aarcangeli/load-dotenv@v1.0.0 + - name: Checkout repository + uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.1.7 + - name: Log in to the Container registry + uses: docker/login-action@9780b0c442fbb1117ed29e0efdff1e18412f7567 with: - quiet: true - - name: Set GITHUB_OCELOT_REF - run: | - if [ -z ${GITHUB_OCELOT_REF} ]; then - echo "GITHUB_OCELOT_REF=${GITHUB_OCELOT_REF_JUST_BUILT}" >> $GITHUB_ENV - fi - shell: bash - - name: Set DOCKERHUB_ORGANISATION - run: | - if [ -z ${DOCKERHUB_ORGANISATION} ]; then - echo "DOCKERHUB_ORGANISATION=ocelotsocialnetwork" >> $GITHUB_ENV - fi - - name: Checkout Ocelot code - uses: actions/checkout@v3 + registry: ${{ env.REGISTRY }} + username: ${{ github.actor }} + password: ${{ secrets.GITHUB_TOKEN }} + - name: Extract metadata (tags, labels) for Docker + id: meta + uses: docker/metadata-action@70b2cdc6480c1a8b86edf1777157f8f437de2166 with: - repository: 'Ocelot-Social-Community/Ocelot-Social' - 
ref: ${{ env.GITHUB_OCELOT_REF }} - path: 'ocelot/' - fetch-depth: 0 - - name: Set OCELOT_GITHUB_RUN_NUMBER - run: | - if [ -z ${OCELOT_GITHUB_RUN_NUMBER} ]; then - echo "OCELOT_GITHUB_RUN_NUMBER=${GITHUB_OCELOT_REF}" >> $GITHUB_ENV - fi - if [ -z ${OCELOT_GITHUB_RUN_NUMBER} ]; then - echo "OCELOT_GITHUB_RUN_NUMBER=master" >> $GITHUB_ENV - fi - shell: bash - - name: Checkout Branded Repo code - uses: actions/checkout@v3 + images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} + tags: | + type=schedule + type=semver,pattern={{version}} + type=semver,pattern={{major}}.{{minor}} + type=semver,pattern={{major}} + type=ref,event=branch + type=ref,event=pr + type=sha + - name: Read $OCELOT_VERSION from file + run: cat .env >> $GITHUB_ENV + - name: Build and push Docker images + id: push + uses: docker/build-push-action@4f58ea79222b3b9dc2c8bbdd6debcef730109a75 with: - ref: 'master' - path: "ocelot/deployment/configurations/${{ env.CONFIGURATION }}" - fetch-depth: 0 - - name: Build branded images - run: | - ocelot/deployment/scripts/branded-images.build.sh - docker save "${DOCKERHUB_ORGANISATION}/backend-${DOCKERHUB_BRAND_VARRIANT}" > /tmp/backend-branded.tar - docker save "${DOCKERHUB_ORGANISATION}/webapp-${DOCKERHUB_BRAND_VARRIANT}" > /tmp/webapp-branded.tar - docker save "${DOCKERHUB_ORGANISATION}/maintenance-${DOCKERHUB_BRAND_VARRIANT}" > /tmp/maintenance-branded.tar + file: ${{ matrix.app.file }} + context: . 
+ push: true + build-args: | + OCELOT_VERSION=${{ env.OCELOT_VERSION }} + tags: ${{ steps.meta.outputs.tags }} + labels: ${{ steps.meta.outputs.labels }} - - name: Upload Artifact (Backend) - uses: actions/upload-artifact@v2 - with: - name: docker-backend-branded - path: /tmp/backend-branded.tar - - - name: Upload Artifact (Webapp) - uses: actions/upload-artifact@v2 - with: - name: docker-webapp-branded - path: /tmp/webapp-branded.tar - - - name: Upload Artifact (Maintenance) - uses: actions/upload-artifact@v2 - with: - name: docker-maintenance-branded - path: /tmp/maintenance-branded.tar - - upload_to_dockerhub: - name: Upload to Dockerhub + deploy-to-kubernetes: runs-on: ubuntu-latest - needs: [build_branded] - env: - SECRET: ${{ secrets.SECRET }} - DOCKERHUB_USERNAME: ${{ secrets.DOCKERHUB_USERNAME }} - DOCKERHUB_TOKEN: ${{ secrets.DOCKERHUB_TOKEN }} - GITHUB_OCELOT_REF_JUST_BUILT: ${{ github.event.client_payload.ref }} + if: ${{ startsWith(github.ref, 'refs/tags/') }} + needs: build-and-push-images steps: - - name: Checkout code - uses: actions/checkout@v3 - - name: Decrypt .env - run: gpg --quiet --batch --yes --decrypt --passphrase="${{ env.SECRET }}" --output .env .env.enc - - name: Load .env - uses: aarcangeli/load-dotenv@v1.0.0 - with: - quiet: true - - name: Set GITHUB_OCELOT_REF - run: | - if [ -z ${GITHUB_OCELOT_REF} ]; then - echo "GITHUB_OCELOT_REF=${GITHUB_OCELOT_REF_JUST_BUILT}" >> $GITHUB_ENV - fi - shell: bash - - name: Checkout Ocelot code - uses: actions/checkout@v3 - with: - repository: 'Ocelot-Social-Community/Ocelot-Social' - ref: ${{ env.GITHUB_OCELOT_REF }} - path: 'ocelot/' - fetch-depth: 0 - - - name: Download Docker Image (Backend) - uses: actions/download-artifact@v2 - with: - name: docker-backend-branded - path: /tmp - - name: Load Docker Image - run: docker load < /tmp/backend-branded.tar - - - name: Download Docker Image (Webapp) - uses: actions/download-artifact@v2 - with: - name: docker-webapp-branded - path: /tmp - - name: Load 
Docker Image - run: docker load < /tmp/webapp-branded.tar - - - name: Download Docker Image (Maintenance) - uses: actions/download-artifact@v2 - with: - name: docker-maintenance-branded - path: /tmp - - name: Load Docker Image - run: docker load < /tmp/maintenance-branded.tar - - - name: Upload to dockerhub - run: ocelot/deployment/scripts/branded-images.upload.sh - - github_tag: - name: Tag latest version on Github - runs-on: ubuntu-latest - needs: [upload_to_dockerhub] - env: - SECRET: ${{ secrets.SECRET }} - GITHUB_OCELOT_REF_JUST_BUILT: ${{ github.event.client_payload.ref }} - OCELOT_GITHUB_RUN_NUMBER: ${{ github.event.client_payload.GITHUB_RUN_NUMBER }} - steps: - - name: Checkout code - uses: actions/checkout@v3 - - name: Decrypt .env - run: gpg --quiet --batch --yes --decrypt --passphrase="${{ env.SECRET }}" --output .env .env.enc - - name: Load .env - uses: aarcangeli/load-dotenv@v1.0.0 - with: - quiet: true - - name: Set GITHUB_OCELOT_REF - run: | - if [ -z ${GITHUB_OCELOT_REF} ]; then - echo "GITHUB_OCELOT_REF=${GITHUB_OCELOT_REF_JUST_BUILT}" >> $GITHUB_ENV - fi - shell: bash - - name: Checkout Ocelot code - uses: actions/checkout@v3 - with: - repository: 'Ocelot-Social-Community/Ocelot-Social' - ref: ${{ env.GITHUB_OCELOT_REF }} - path: 'ocelot/' - fetch-depth: 0 - - name: Set OCELOT_GITHUB_RUN_NUMBER - run: | - if [ -z ${OCELOT_GITHUB_RUN_NUMBER} ]; then - echo "OCELOT_GITHUB_RUN_NUMBER=${GITHUB_OCELOT_REF}" >> $GITHUB_ENV - fi - if [ -z ${OCELOT_GITHUB_RUN_NUMBER} ]; then - echo "OCELOT_GITHUB_RUN_NUMBER=master" >> $GITHUB_ENV - fi - shell: bash - - name: Setup env - run: | - echo "OCELOT_VERSION=$(node -p -e "require('./ocelot/package.json').version")" >> $GITHUB_ENV - echo "BRANDED_VERSION=${GITHUB_RUN_NUMBER}" >> $GITHUB_ENV - echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_ENV - echo "BUILD_COMMIT=${GITHUB_SHA}" >> $GITHUB_ENV - - run: echo "BUILD_VERSION=${BRANDED_VERSION}-ocelot.social${OCELOT_VERSION}-${OCELOT_GITHUB_RUN_NUMBER}" 
>> $GITHUB_ENV - - name: package-version-to-git-tag + build number - uses: pkgdeps/git-tag-action@v2 - with: - github_token: ${{ github.token }} #${{ secrets.GITHUB_TOKEN }} - github_repo: ${{ github.repository }} - version: ${{ env.BUILD_VERSION }} - git_commit_sha: ${{ github.sha }} - git_tag_prefix: "b" - #- name: Generate changelog - # run: | - # yarn install - # yarn auto-changelog --latest-version ${{ env.VERSION }} --unreleased-only - - name: package-version-to-git-release - continue-on-error: true # Will fail if tag exists - id: create_release - uses: actions/create-release@v1 + - uses: mdgreenwald/mozilla-sops-action@d9714e521cbaecdae64a89d2fdd576dd2aa97056 # v1.6.0 + - uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4.1.7 + - run: | + mkdir -p ~/.config/sops/age + echo $SOPS_KEY | base64 --decode > ~/.config/sops/age/keys.txt env: - GITHUB_TOKEN: ${{ github.token }} #${{ secrets.GITHUB_TOKEN }} # This token is provided by Actions, you do not need to create your own token + SOPS_KEY: ${{ secrets.SOPS_KEY }} + - run: | + mkdir -p ~/.kube + sops decrypt ./helmfile/secrets/kubeconfig > ~/.kube/config + chmod 600 ~/.kube/config + - uses: helmfile/helmfile-action@80fbb6408b98822310f94d8d1321a2cacf87f78f #v1.9.2 with: - tag_name: ${{ env.BUILD_VERSION }} - release_name: ${{ env.BUILD_VERSION }} - #body_path: ./CHANGELOG.md - draft: false - prerelease: false - -# TODO correct version - build_trigger: - name: Trigger successful brand build - runs-on: ubuntu-latest - needs: [github_tag] - env: - SECRET: ${{ secrets.SECRET }} - GITHUB_OCELOT_REF_JUST_BUILT: ${{ github.event.client_payload.ref }} - steps: - - name: Checkout code - uses: actions/checkout@v3 - - name: Decrypt .env - run: gpg --quiet --batch --yes --decrypt --passphrase="${{ env.SECRET }}" --output .env .env.enc - - name: Load .env - uses: aarcangeli/load-dotenv@v1.0.0 - with: - quiet: true - - name: Set GITHUB_OCELOT_REF - run: | - if [ -z ${GITHUB_OCELOT_REF} ]; then - echo 
"GITHUB_OCELOT_REF=${GITHUB_OCELOT_REF_JUST_BUILT}" >> $GITHUB_ENV - fi - shell: bash - - name: Checkout Ocelot code - uses: actions/checkout@v3 - with: - repository: 'Ocelot-Social-Community/Ocelot-Social' - ref: ${{ env.GITHUB_OCELOT_REF }} - path: 'ocelot/' - fetch-depth: 0 - - name: Set OCELOT_GITHUB_RUN_NUMBER - run: | - if [ -z ${OCELOT_GITHUB_RUN_NUMBER} ]; then - echo "OCELOT_GITHUB_RUN_NUMBER=${GITHUB_OCELOT_REF}" >> $GITHUB_ENV - fi - if [ -z ${OCELOT_GITHUB_RUN_NUMBER} ]; then - echo "OCELOT_GITHUB_RUN_NUMBER=master" >> $GITHUB_ENV - fi - shell: bash - - name: Setup env - run: | - echo "OCELOT_VERSION=$(node -p -e "require('./ocelot/package.json').version")" >> $GITHUB_ENV - echo "BRANDED_VERSION=${GITHUB_RUN_NUMBER}" >> $GITHUB_ENV - echo "BUILD_DATE=$(date -u +'%Y-%m-%dT%H:%M:%SZ')" >> $GITHUB_ENV - echo "BUILD_COMMIT=${GITHUB_SHA}" >> $GITHUB_ENV - - run: echo "BUILD_VERSION=${BRANDED_VERSION}-ocelot.social${OCELOT_VERSION}-${OCELOT_GITHUB_RUN_NUMBER}" >> $GITHUB_ENV - - name: Repository Dispatch - uses: peter-evans/repository-dispatch@v2 - with: - token: ${{ github.token }} - event-type: trigger-ocelot-brand-build-success - repository: ${{ github.repository }} - client-payload: '{"ref": "${{ github.ref }}", "sha": "${{ github.sha }}", "ref_ocelot": "${{ github.event.client_payload.ref }}", "sha_ocelot": "${{ github.event.client_payload.sha }}", "OCELOT_VERSION": "${{ env.OCELOT_VERSION }}", "BRANDED_VERSION": "${{ env.BRANDED_VERSION }}", "BUILD_DATE": "${{ env.BUILD_DATE }}", "BUILD_COMMIT": "${{ env.BUILD_COMMIT }}", "BUILD_VERSION": "${{ env.BUILD_VERSION }}"}' \ No newline at end of file + helmfile-args: apply + helmfile-workdirectory: ./helmfile + helm-plugins: > + https://github.com/databus23/helm-diff, + https://github.com/jkroepke/helm-secrets, + https://github.com/aslafy-z/helm-git diff --git a/.gitignore b/.gitignore deleted file mode 100644 index 327758b..0000000 --- a/.gitignore +++ /dev/null 
@@ -1,6 +0,0 @@
-.DS_Store
-
-*.yaml
-SECRET
-.env
-/backup
\ No newline at end of file
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..ef28634
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,13 @@
+creation_rules:
+ - age: >-
+ age1al36hkk8can83zpxq8qyy07gpv83hdw9vchfly5f264kanz405as283a00,
+ age1llp6k66265q3rzqemxpnq0x3562u20989vcjf65fl9s3hjhgcscq6mhnjw,
+ age1zycwtk6dkxj6vuqhj9jw7932ythky9p3att6df4z9qasyw8v5dxquejcmp,
+ age15arcg8x6ltnsacwalvny0h2d4d4wkdmax328mw3v5vda9zm97uqshtavmr,
+ age1khw2eps099audp3uu5s9rk07qznllh5c8a43gv5dtpnq2a7lue6qrehn5s,
+ age1f6mzqe0cejajzt0c7nwdjz4xvs4hjct9d8hrgj60e7unzyfd7prsn0npe5
+
+# age1al36hkk8can83zpxq8qyy07gpv83hdw9vchfly5f264kanz405as283a00 SOPS_KEY github secret
+# age1llp6k66265q3rzqemxpnq0x3562u20989vcjf65fl9s3hjhgcscq6mhnjw @roschaefer
+# age1khw2eps099audp3uu5s9rk07qznllh5c8a43gv5dtpnq2a7lue6qrehn5s @ulfgebhardt
+# age1f6mzqe0cejajzt0c7nwdjz4xvs4hjct9d8hrgj60e7unzyfd7prsn0npe5 @Tirokk
diff --git a/branding/constants/donation.ts b/branding/constants/donation.js
similarity index 100%
rename from branding/constants/donation.ts
rename to branding/constants/donation.js
diff --git a/branding/constants/emails.ts b/branding/constants/emails.js
similarity index 100%
rename from branding/constants/emails.ts
rename to branding/constants/emails.js
diff --git a/branding/constants/filter.ts b/branding/constants/filter.js
similarity index 100%
rename from branding/constants/filter.ts
rename to branding/constants/filter.js
diff --git a/branding/constants/groups.ts b/branding/constants/groups.js
similarity index 100%
rename from branding/constants/groups.ts
rename to branding/constants/groups.js
diff --git a/branding/constants/headerMenu.ts b/branding/constants/headerMenu.js
similarity index 100%
rename from branding/constants/headerMenu.ts
rename to branding/constants/headerMenu.js
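Review bot: Two of the six recipients in `creation_rules` (`age1zycwtk…` and `age15arcg…`) have no owner comment while the other four are attributed; every file encrypted under this rule (the kubeconfig and `helmfile/secrets/ocelot.yaml`) is decryptable by those keys, so record who holds them, e.g. `# age1zycwtk6dkxj6vuqhj9jw7932ythky9p3att6df4z9qasyw8v5dxquejcmp <owner>`, otherwise nobody can revoke and re-encrypt when a holder leaves. The rule has no `path_regex`, so it applies to any file sops is pointed at in the repo; `path_regex: helmfile/secrets/.*` would make the intended scope explicit. Since the old `.gitignore` is deleted in the same commit, nothing now stops a locally decrypted copy of these files from being staged; a minimal replacement ignoring decrypted artefacts (the exact suffix depends on how helm-secrets/sops are invoked locally) is worth adding back.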
diff --git a/branding/constants/links.ts b/branding/constants/links.js
similarity index 99%
rename from branding/constants/links.ts
rename to branding/constants/links.js
index a7a798e..f0efab2 100644
--- a/branding/constants/links.ts
+++ b/branding/constants/links.js
@@ -148,4 +148,4 @@ export default {
IMPRINT,
// SUPPORT,
],
-}
\ No newline at end of file
+}
diff --git a/branding/constants/logos.ts b/branding/constants/logos.js
similarity index 100%
rename from branding/constants/logos.ts
rename to branding/constants/logos.js
diff --git a/branding/constants/metadata.ts b/branding/constants/metadata.js
similarity index 100%
rename from branding/constants/metadata.ts
rename to branding/constants/metadata.js
diff --git a/branding/locales/de.json b/branding/locales/tmp/de.json
similarity index 100%
rename from branding/locales/de.json
rename to branding/locales/tmp/de.json
diff --git a/branding/locales/en.json b/branding/locales/tmp/en.json
similarity index 100%
rename from branding/locales/en.json
rename to branding/locales/tmp/en.json
diff --git a/docker-compose.yml b/docker-compose.yml
new file mode 100644
index 0000000..3731b67
--- /dev/null
+++ b/docker-compose.yml
@@ -0,0 +1,58 @@
+services:
+ webapp:
+ image: ghcr.io/wir-social/freilernen.social/webapp
+ build:
+ context: .
+ dockerfile: ./docker/webapp.Dockerfile
+ target: branded
+ args:
+ OCELOT_VERSION: ${OCELOT_VERSION:-master}
+ environment:
+ HOST: 0.0.0.0
+ WEBSOCKETS_URI: ws://localhost:3000/api/graphql
+ GRAPHQL_URI: http://backend:4000/
+ MAPBOX_TOKEN: "pk.eyJ1IjoiYnVzZmFrdG9yIiwiYSI6ImNraDNiM3JxcDBhaWQydG1uczhpZWtpOW4ifQ.7TNRTO-o9aK1Y6MyW_Nd4g"
+ ports:
+ - 3000:3000
+ depends_on:
+ - backend
+
+ backend:
+ image: ghcr.io/wir-social/freilernen.social/backend
+ build:
+ context: .
+ dockerfile: ./docker/backend.Dockerfile
+ target: branded
+ args:
+ OCELOT_VERSION: ${OCELOT_VERSION:-master}
+ environment:
+ CLIENT_URI: http://localhost:3000
+ GRAPHQL_URI: http://backend:4000
+ NEO4J_URI: bolt://neo4j:7687
+ MAPBOX_TOKEN: "pk.eyJ1IjoiYnVzZmFrdG9yIiwiYSI6ImNraDNiM3JxcDBhaWQydG1uczhpZWtpOW4ifQ.7TNRTO-o9aK1Y6MyW_Nd4g"
+ JWT_SECRET: "b/&&7b78BF&fv/Vd"
+ PRIVATE_KEY_PASSPHRASE: "a7dsf78sadg87ad87sfagsadg78"
+ ports:
+ - 4000:4000
+ depends_on:
+ - neo4j
+
+ maintenance:
+ image: ghcr.io/wir-social/freilernen.social/maintenance
+ build:
+ context: .
+ dockerfile: ./docker/maintenance.Dockerfile
+ target: branded
+ args:
+ OCELOT_VERSION: ${OCELOT_VERSION:-master}
+ ports:
+ - 3001:80
+
+ neo4j:
+ image: ghcr.io/ocelot-social-community/ocelot-social/neo4j:master
+ environment:
+ NEO4J_AUTH: none
+ NEO4J_dbms_allow__format__migration: "true"
+ NEO4J_dbms_allow__upgrade: "true"
+ NEO4J_dbms_security_procedures_unrestricted: algo.*,apoc.*
+
diff --git a/docker/backend.Dockerfile b/docker/backend.Dockerfile
new file mode 100644
index 0000000..5e5fbda
--- /dev/null
+++ b/docker/backend.Dockerfile
@@ -0,0 +1,6 @@
+ARG OCELOT_VERSION=master
+
+FROM ghcr.io/ocelot-social-community/ocelot-social/backend-build:${OCELOT_VERSION} AS build
+
+FROM ghcr.io/ocelot-social-community/ocelot-social/backend-base:${OCELOT_VERSION} AS branded
+COPY --from=build /build .
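Review bot: The `backend` service carries literal `JWT_SECRET` and `PRIVATE_KEY_PASSPHRASE` values and both `webapp` and `backend` embed a `MAPBOX_TOKEN`, in a file that is now committed; these look like local-development defaults (the same keys exist encrypted in `helmfile/secrets/ocelot.yaml`), but once in history they have to be treated as burned, so read them from the environment with a clearly-marked fallback, e.g. `JWT_SECRET: ${JWT_SECRET:-dev-only-change-me}`, add a `# local development only - never reuse these values` comment above the block, and rotate the Mapbox token if it is the one used in production. The published ports `3000:3000`, `4000:4000` and `3001:80` bind on all interfaces, exposing the GraphQL API of a stack whose database runs with `NEO4J_AUTH: none` to the LAN; `"127.0.0.1:3000:3000"` (quoted, per Compose convention) keeps it local. `NEO4J_dbms_security_procedures_unrestricted: algo.*,apoc.*` and the two `allow__*` flags are fine for a throwaway dev database but deserve the same "dev only" comment so they are not copied into the Helm values.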
diff --git a/docker/maintenance.Dockerfile b/docker/maintenance.Dockerfile
new file mode 100644
index 0000000..b471bbd
--- /dev/null
+++ b/docker/maintenance.Dockerfile
@@ -0,0 +1,7 @@
+ARG OCELOT_VERSION=master
+
+FROM ghcr.io/ocelot-social-community/ocelot-social/maintenance-build:${OCELOT_VERSION} AS build
+
+FROM ghcr.io/ocelot-social-community/ocelot-social/maintenance-base:${OCELOT_VERSION} AS branded
+COPY --from=build ./app/dist/ /usr/share/nginx/html/
+COPY --from=build ./app/maintenance/nginx/custom.conf /etc/nginx/conf.d/default.conf
diff --git a/docker/webapp.Dockerfile b/docker/webapp.Dockerfile
new file mode 100644
index 0000000..1a6b024
--- /dev/null
+++ b/docker/webapp.Dockerfile
@@ -0,0 +1,6 @@
+ARG OCELOT_VERSION=master
+
+FROM ghcr.io/ocelot-social-community/ocelot-social/webapp-build:${OCELOT_VERSION} AS build
+
+FROM ghcr.io/ocelot-social-community/ocelot-social/webapp-base:${OCELOT_VERSION} AS branded
+COPY --from=build /build .
diff --git a/helmfile/environments/default.yaml.gotmpl b/helmfile/environments/default.yaml.gotmpl
new file mode 100644
index 0000000..18976d3
--- /dev/null
+++ b/helmfile/environments/default.yaml.gotmpl
@@ -0,0 +1,7 @@
+{{ $branded_image_tag:= env "BRANDED_IMAGE_TAG" | default (exec "../scripts/branded_image_tag.sh" (list) | trim) }}
+{{ $ocelot_image_tag := env "OCELOT_IMAGE_TAG" | default (exec "../scripts/ocelot_image_tag.sh" (list) | trim) }}
+
+domain: freilernen.ocelot-social.roschaefer.de
+namespace: freilernen-staging
+image_tag: {{ env "IMAGE_TAG" | default (printf "ocelot-%s--branded-%s" $ocelot_image_tag $branded_image_tag) }}
+github_repository: wir-social/freilernen.social
diff --git a/helmfile/helmfile.yaml.gotmpl b/helmfile/helmfile.yaml.gotmpl
new file mode 100644
index 0000000..02ac5a0
--- /dev/null
+++ b/helmfile/helmfile.yaml.gotmpl
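Review bot: All three Dockerfiles (`backend`, `webapp`, `maintenance`) default to `ARG OCELOT_VERSION=master` and pull the upstream `*-build` and `*-base` images by tag only, so a `docker compose build` without `.env` set, or any tag re-push on `ghcr.io/ocelot-social-community`, silently changes what gets built and shipped; the CI path at least passes the `sha-…` value from `.env`, but the `FROM` lines cannot be digest-pinned while the tag is a build argument, so either have the workflow resolve the upstream digest and pass it in, or verify upstream provenance before the build if that project publishes signatures (not visible from here). A header comment stating that the branded image is the unmodified upstream base with the upstream build output copied in, e.g. `# Branded image = upstream *-base + upstream *-build output; no local patches applied`, would also spare the next reader a search for a build step that does not exist. `COPY --from=build /build .` lands in whatever `WORKDIR` the base image sets, which this file does not show; naming the expected target directory in a comment makes a silent upstream change detectable.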
@@ -0,0 +1,26 @@
+---
+environments:
+ default:
+ values:
+ - ./environments/default.yaml.gotmpl
+---
+repositories:
+ - name: ocelot-social
+ url: git+https://github.com/Ocelot-Social-Community/Ocelot-Social@deployment/helm/charts?ref=hetzner
+
+releases:
+ - name: ocelot-social
+ namespace: {{ .StateValues.namespace }}
+ chart: ocelot-social/ocelot-social
+ values:
+ - ./values/ocelot.yaml.gotmpl
+ secrets:
+ - ./secrets/ocelot.yaml
+
+ - name: ocelot-neo4j
+ namespace: {{ .StateValues.namespace }}
+ chart: ocelot-social/ocelot-social
+ values:
+ - ./values/ocelot.yaml.gotmpl
+ secrets:
+ - ./secrets/ocelot.yaml
diff --git a/helmfile/scripts/branded_image_tag.sh b/helmfile/scripts/branded_image_tag.sh
new file mode 100755
index 0000000..f921945
--- /dev/null
+++ b/helmfile/scripts/branded_image_tag.sh
@@ -0,0 +1,2 @@
+#!/usr/bin/env bash
+echo "sha-$(git rev-parse HEAD | cut -c 1-7)"
diff --git a/helmfile/scripts/ocelot_image_tag.sh b/helmfile/scripts/ocelot_image_tag.sh
new file mode 100755
index 0000000..6cc9baa
--- /dev/null
+++ b/helmfile/scripts/ocelot_image_tag.sh
@@ -0,0 +1,6 @@
+#!/usr/bin/env bash
+SCRIPT_PATH=$(realpath $0)
+SCRIPT_DIR=$(dirname $SCRIPT_PATH)
+
+set -a; . ${SCRIPT_DIR}/../../.env; set +a;
+echo $OCELOT_VERSION
diff --git a/helmfile/secrets/kubeconfig b/helmfile/secrets/kubeconfig
new file mode 100644
index 0000000..f75979a
--- /dev/null
+++ b/helmfile/secrets/kubeconfig
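Review bot: The second release `ocelot-neo4j` is identical to `ocelot-social` — same `chart: ocelot-social/ocelot-social`, same namespace, same values and secrets files — so as written `helmfile apply` installs the same chart twice into `freilernen-staging` and will either collide on resource names or deploy the application twice; if a separate Neo4j chart is intended, `chart:` and `values:` must point at it, otherwise the release should be dropped. The chart repository is pinned to the `hetzner` branch via `?ref=hetzner`, a mutable ref, so what gets deployed can change between runs with no change in this repository; pin `ref=` to a tag or commit and bump it deliberately. `ocelot_image_tag.sh` sources `.env` as shell (`set -a; . ${SCRIPT_DIR}/../../.env; set +a;`), which executes anything in that file rather than reading one value and also leaves `${SCRIPT_DIR}` unquoted; `sed -n 's/^OCELOT_VERSION=//p' "${SCRIPT_DIR}/../../.env"` reads only the variable the helmfile needs.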
@@ -0,0 +1,40 @@ +{ + "data": "ENC[AES256_GCM,data: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,iv:EXRvr5+/8pY5LD+zCYH7HJrPkL3bJ2r1oCawbK5tltM=,tag:um8ypdAH81GERjJ70YioXA==,type:str]", + "sops": { + "kms": null, + "gcp_kms": null, + "azure_kv": null, + "hc_vault": null, + "age": [ + { + "recipient": "age1al36hkk8can83zpxq8qyy07gpv83hdw9vchfly5f264kanz405as283a00", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWbTg4M2hWc2xzY2NTRi91\nZTRPSmNETkUrREY2cjRKR0RsZHBiRHVpWGxrCmdsZ0kxWlQ4azhYUnZCaDNQN0Ev\nU1VnY0NJNUVnR2tQWTZmRkN5RE5iancKLS0tIEprbHp1Q3hoUyt2TTNDS2duMGIz\nMFVxM1laZUtkbmFWNDhvdDFJM1o4SHMKop5+zBz+WypRotFeZjHpu6HhTSKTiJPQ\nS6EsWnh0pxrYuBqksA+LfuJFnzTo3mL2Jj9Ozam6vHRkC48/NW906A==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1llp6k66265q3rzqemxpnq0x3562u20989vcjf65fl9s3hjhgcscq6mhnjw", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhRGxhTDJzUW5Gc01XT0h1\nUCttZVVyK1dsSmVZRnRGaWNkclprMmk3MlhNCjBhTm0rT2VZb2V2SllHVklRRmtQ\nQ0ljQm9xQTRiWjhWREFacVZwM0Q2M2sKLS0tIFUyVVpEUmswaTlYWTAxbFk2c1Vz\nUU1ESkRua3NEVFdqd2gySDVjQnhzRG8K/XGr8+Y1I3eQIPdludqFabCZeOGVo2A7\nYYrur8Eo3GcrMEO0NYc35wogS1sugDCoklaVm6wbQaI+h+RnNjGH7w==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1zycwtk6dkxj6vuqhj9jw7932ythky9p3att6df4z9qasyw8v5dxquejcmp", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1UFdPYjVPSW1uaEl1WlFE\nRzliV1hhWGxuRTFoN0pzMGc5R3lBaUQyZW1FCkJhalNkWlQwOUNnOXhKaEtuMTNv\nVTljenRpcXdJaEZOdU9Dbjh6dFJmTVUKLS0tIGJMWlQ3U05la3Z5c2s5L1E4MVIx\nWUZsQ2tyTHFPVWxaS3pPWEtqN3Q1UGsKcDWGyReO8IeTO79elPbvFyNE0ugx9vpP\nnnPd+RgX//wQtjJ6Va9bxDIN3Vn/iZrWs+bJEzR4nbnuO0m+UOdoiA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age15arcg8x6ltnsacwalvny0h2d4d4wkdmax328mw3v5vda9zm97uqshtavmr", + "enc": "-----BEGIN AGE ENCRYPTED 
FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1em9FTUduYTZJbmdST2R3\neDU2K0FEVFlQRTcvSGZuNTZaRnljcnZ3ZTBJCm1VV3EyNUdMVlJiWWdFSGJCRnZr\nemFBaTE2RlRTNUJLOXY5SkZsRmxEYkkKLS0tIHhwL0EzL05jN0NKTjhZeXY1bFFx\nZEtDam40eDYraUtVMXErck15NHNGQzAKxYRY423QKAVtqE7zMerPmIEqeNWZFH6q\nLT5kaz6tOMAeNgcvWs37jKsoCBvoRnBIMf3t59QrXQ26YKJWkOM6AA==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1khw2eps099audp3uu5s9rk07qznllh5c8a43gv5dtpnq2a7lue6qrehn5s", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSODdSVVFGdEhkbFkwTkZ3\nNFB1TkhsTStOT05qM3hiempkSWhiN2ZEWVY0CjIwcjFEMGZubFNvS1ZQZDgxbVg1\nN2VYM0JVTjBOTVFRbExiNytlRWRnOFkKLS0tIHpVODFHMk9iUmMrbFNVbkFraXBu\ndFd6MGsrRXIrN0lzcC9ab3Z1L1NrQU0KXbmtuFXkj+KxeRirMLX4SWaKy3Qz/dZt\nffpXyHIJj4Rf2frwN5ERHiTPBvlNeRnYtgi9aQug2vic/54+vskSiw==\n-----END AGE ENCRYPTED FILE-----\n" + }, + { + "recipient": "age1f6mzqe0cejajzt0c7nwdjz4xvs4hjct9d8hrgj60e7unzyfd7prsn0npe5", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMeEVaa3RzbnliemxwbFJk\nUWxUYVZOTFFIdzRhREl0bm5jblJKOVl6ZzJZCm5wc3hERm9mRHUzdS9FaGN0SlZ3\nNkdGSnBmVnUxUE9qR0wzL3R1TW9ZeEEKLS0tIFc5UVZVd0dQbGlQc1dCWG1HenMx\nNW5FM2JpMWxBR3JGQWJ5VWIwQ2F6THcKXkf7q2+0A9qRlMWhG0jR3fcGIfLwy/VN\nzNXSjLKts655mBag5PpH9uunbpJr+hT6vZVPA2FEVSE3eyooeq/cIQ==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2024-10-28T19:13:02Z", + "mac": "ENC[AES256_GCM,data:0GF6Uc3P3NceNNHAdr19uvq1SK50slphD5Ya+z7gIDMuhU5LmGCM38wBJ6a6h7Zlqq18qwQD7HSHGmwaU7OjgqdKvw7SJh4oJmEbTwZUqT5LKTNKZXE4jpVqWvTeJUpE5ehHpjJ4w0mF0wJFraAkEbNcKNjZweVoOgypktjhVqQ=,iv:K6/VfiPjZYnzlEkjfWlz+DOMZ900Ekb7eN5S1lsVA+0=,tag:l+6J3PpGyxwXoUhkVK3kLA==,type:str]", + "pgp": null, + "unencrypted_suffix": "_unencrypted", + "version": "3.9.0" + } +} \ No newline at end of file diff --git a/helmfile/secrets/ocelot.yaml b/helmfile/secrets/ocelot.yaml new file mode 100644 index 0000000..fcc0191 --- /dev/null +++ b/helmfile/secrets/ocelot.yaml 
@@ -0,0 +1,94 @@ +secrets: + acme_email: ENC[AES256_GCM,data:REcl0BYya0a140f1AgTim1cBmtM=,iv:Wuhk6ht5TIQLCsjMmzTDJONm56/t8kPjAF6DnhpiQ+E=,tag:iyQ+EoonRk3uBdDWkw/HKQ==,type:str] + webapp: + env: + MAPBOX_TOKEN: ENC[AES256_GCM,data:7Ka4BvQh6NDw9NKUcgGjLwxNHOqhVrZEj/DcGnyv1nXQIG/2WWGGHazAFWUCFpCUmCSaTPSkyLHPFyGQtQ7VAON3AG3tHtv5JvcBb4KDYrjAIzxhAAiHMYFtVJs=,iv:X0YL2dW42TUidJdBlRKb4Vq86X1OzHqipNHTBxmE7ds=,tag:KDH9NwDy6ghqdkXeZxuHgg==,type:str] + backend: + env: + JWT_SECRET: ENC[AES256_GCM,data:VcwHkwob0cLgdyZh7tVzsQ==,iv:kEc6SERRgh7jHbQCoWtgCfmrFxnUmtwZFGhNCTj1VrE=,tag:nmeDl2e42iqNKfIvtKMqqA==,type:str] + MAPBOX_TOKEN: ENC[AES256_GCM,data:qK6iTYKiWfkvXBodm8zVmfr5ACTTz1+7Pt7Q/hwgv3SYERyo5NyqfsvbVKuDAD90kTCNODpSwUApJE6do/Umedg4s8mrnHXCckIDbX5BztoeHJBehsUC54ELcrQ=,iv:b65yqfdoOX366UXt7HS6nhL8hlZn4l5hQfrhI6NXc+I=,tag:vF48V+TRS5g9ezXhzAJnPw==,type:str] + PRIVATE_KEY_PASSPHRASE: ENC[AES256_GCM,data:05WXBFKIk0BtfUYmkWSwAP+/Y7v18LUow4X/,iv:y7VyymcoRLr2CK96BiErXvKP2Gn/QhECBZyeP+wo8LA=,tag:Hg/fIGyIDMY8P3mWfVupCw==,type:str] + #ENC[AES256_GCM,data:llx+JN8fRqwrLd2ahkmPrhPwcGIkn695l3Ox8VEs9YAR+1wpz3yujA==,iv:4Ctez8zMeqo3cpCCUVy6ZP4T1Z/myPw/FTq+++YAYbc=,tag:al/J8DLqNz6CoLl+TgUdOw==,type:comment] + EMAIL_DEFAULT_SENDER: ENC[AES256_GCM,data:rHYc1YrDjpJkYz05ua5dTcj2UCzTc9s=,iv:c6qKbGkE3XjGOd6/iK91bKJs2HSCMJvCblmqbNDu1iU=,tag:TwCjrKyWMMTbU8zZedt0JA==,type:str] + SMTP_HOST: ENC[AES256_GCM,data:V0G3eTrKh2vfBteawPBX7oSailTlRA==,iv:22GkKbk0jeHD/jO8Sq5n9RTmSkJv5jmjx2fkUbueVgc=,tag:ZQm78ljQSxebydN8QiEvxg==,type:str] + SMTP_USERNAME: ENC[AES256_GCM,data:6Ka6ZRqRHb00SlddEKRRMcZ9y+6XeSk=,iv:441t2vZ2X+7Jgwt5kRpPvqd1/p0MVHywDF08wsMVc8A=,tag:t48CFvRD263UBwcDO2VHsA==,type:str] + SMTP_PASSWORD: ENC[AES256_GCM,data:ZFxPNSQpOOi6w+ekQc6Le6pmYz2/,iv:u/c+iFGPJL0lMa7Z9FHfp+3kDNkAuLBlj1weUeoBp94=,tag:6V6XQ65KpQ43wkY9TsAI3A==,type:str] + SMTP_PORT: ENC[AES256_GCM,data:J9uY,iv:T/2Y9CLSR7y6vMDtBigcv6r4Q6nHeqKosKoO78qwC60=,tag:pVyv0sj6kXLJa7uyyOhFZA==,type:str] + SMTP_IGNORE_TLS: 
ENC[AES256_GCM,data:Q6Dm/A==,iv:mD8WdkyQ/MAtmkPehcQW/Zw2hiV2ymZLYMJ/7uyASgQ=,tag:5DgeSjQHIF3tSgbb2z6GRw==,type:str] + #ENC[AES256_GCM,data:wEE3/SPsZqy9LATseOZG7LsCbjG5gY4VUT/TzxhHLJqcYP5I,iv:gcOA0XiUGWq15G4zTRPZ0qZ/XYMTjr+9krbOx0dwpeY=,tag:jd8LTiVT7UQShqMR9zZUZA==,type:comment] + SMTP_SECURE: ENC[AES256_GCM,data:VRfz+Q==,iv:R+Zj1ok9/ArLUUILLVL0P5on/j91kO00YZ8ztDYA2dA=,tag:8V2h7DdthGofXoak4nrkTg==,type:str] + SMTP_DKIM_PRIVATKEY: ENC[AES256_GCM,data:eWKXz3Xoh9VA0rIlGJ8kOAix+VCQdAItoVdYz2Z80q3vWUF4hUJ4tNVIuZJwQoMuna5K+LC6NgfXhYFdxmYJiMn9Nc1l2bDTEVUMV7uTayp+VPaWKDordsM9YAaojDmnMTHVIOSdIMv5BKWwptIz5DP7tuZKk60bxCZsklgoQ/XWKo5r+GJDShRyV6EUPks622f6aMXNHaSD+n/8EAMRNklhRsnU9yVebP/IMl+nV/oL4n741Bngo+LjcPsdQjGsOZk1W8MPgustK0jxNCjmu+4A0d0t8dur3XkxXMdrex3eondyrT3Qjanp7dCwY+zY5Jtq7GCtRFoDdcVhZertF7vVdP9XsKNoQ4lsWvChn6VSQJDKwqTOc+Idif4i0NiQJsWpsLef6bVDZhF0wbORRLzmd4cA3SB70HKRqY81SV9mnLH3dhMLSSEGnNQR9dm/SF4jbHNinSyH2siagiz1QWBxiOS6dbMZAPmnLi3HVM33gQdeSRFE+J3KUz7xm8OPt2xn7MvuB/5FNHuoOOwZ1aYuKFJ2d4kTfsM2vZIBECFSftUCdwmVhrBMMEd+jhZkSXe9Msmhn+QUcbgV0CDxsqM4DAr4EgLhZWt1rUmHMysSaMki93uC8YOz4pi6ccQotlwqt3fTaaLFakK1zN5qjMwhOJMaa1wx2P3N+hM8n4iRtZtGF4GxgolmMGluA/ax4Ri4NCz/mkPxQ+EzfvqTxc9f7O09Y3Qv7s62iIU/5dU6uJzQ930C6liGrTQoQ2BWEZOqq2p7icJBkqMBgqbSF2sbcgnKagpJxR/LZXMecx0qETYHTswU6gfxFY8H8Ir18m9lYkPApgF+H103TMDbH4b3dkmzfax1tKOZgVb+7PMM3hTm3LpLpzZCu6AblaWbbQm4hgrQe4GAE+iuZCcN4GU2T7BGjG6EaNC2hG1zJe3LZPxFul+T38BtYLHYhmCYIDgu+8jqX3LFWa8iT4+01cnxvyhZlUb0N46gVW92q3y6eh77bcgOrjUECK6mmusVt0QcvodineJthGPMiaqOIzAdItm7of670iOIjBwMpdgzAeu8Asemzav+q1nz+OxMMPXtip78muQBM/hSrmgvFToPQs0oNcEzSt0F9XqHAUVL6bjkGy/1I4ghTR1dAu7w+u1HeR3xzkcTXyMptoHq7R7IZ4sovPK+xa/OvUZ0WYuMYHm+pvhc5XQXo7ucFLJftaL+9y7z16f0ru/Nd0K6pGU8yL61GdPF2d380Otn4Zc4Mni+uWJJU1DEHVbcuLZ5KajDkaS9AHHzR3ttB+MxCKeSUeRqNNTZftfVF0FFG0whTJKZDqb9lzIyaSzST9mjQDMd1ZcWZNQfROnbXTXjL9fhEgqIBV650HKjlmuT0nOH7AktM+elkeKCK1Zq4sPSARljEvxYaMi/CompSidypWFZ5RCYLL33XCfUIkin96IoQPIEdqE828sZRMt70ZDHW/sW4dLIvKW/XocwbdaA32nAeBktFFrnH/h+qYWUz1uJzyJ5AzIXnLWWSXzeISRAQxyUQWHCeDn
yZImMEFhYpQrJOC8lGVkQRXjWV5+etP0ND9fRVZFXk0YK1ke1BsGwbWCFvU+jXG1eWe/CKnAs0jSNCxFpN37V9DE2V9Jx33iAECn2Tq8XZaN/nr6NaNO23J3bX3932O9e7oJsRthEFIkilseNX635MciW9aXCv5EVSO5PEIB0MnX2vtUS8ti4dth+9Gb1SfvJACFaElS8zgQVlw6diy2JMwiW1MwmQ+HbjkDWBtNEPm14tbO3tbhV+oWTgmmKxKI7fsEDya5+EwApR6KIzV+xIPN4GcMd/RylNgDYZfN47IePgBfs6YaQRI63cG3IuY3PN7jtM3cYVjjyNFU0htjiaUfRJO0KKOKlkB7C+2SKTupFFl0C5r9LK5wNtN+CVSO5DzX5I0J2Xq9eojv1j6siBQVrjGbSLZQNEa0DxBDbZvVIA5PlL1Uziacovp4De+2+90xXj2lTKhi8/jm9vbM7RqG3kIy3yRdanxsJ2kDuqvXV0U/o5GMzZoCfTUr7IFL4tlG92YfOWyXOHdfUONK36DH5fGhQJl/RpQezs1keU7cEbcgpuDWkGi4xzag/cr7pAiY2uVxtH+TzUFPdp9VCB0vL0WloMNlmXobqKGNu6Y31jVzfNgrICrN4Yo2Q29Whjx4uU++ifulkKQVghTK8gREHE7ZmqoG71OjFpq+8MtSfY+bHDIbxkTkDMMFkVlDftWkJA0ZKOW2Ete7NT47trIE=,iv:vambFbVHaNmdvec33gn/Dcy0OWTxTxiqGslAvuO1otY=,tag:ZQPHY9gqKyKz1k507f5iCQ==,type:str] + SMTP_DKIM_DOMAINNAME: ENC[AES256_GCM,data:ckEyqZOwAY301we7YnijXto=,iv:5q0JAgG8dUXFR9ArcB9HF1SjJ+vbcev90LrzASfGg9E=,tag:KmLUboHo4ZnKnhUCgzrECA==,type:str] + SMTP_DKIM_KEYSELECTOR: ENC[AES256_GCM,data:VePn4Q==,iv:/ieCYHt5mcFScDd7azPaGQfH1RWHcTAG1LotdBXle78=,tag:ZYxP7lBPwL5H5WvhC7QutA==,type:str] + NEO4J_USERNAME: null + NEO4J_PASSWORD: null + REDIS_PASSWORD: null + neo4j: + env: + NEO4J_USERNAME: "" + NEO4J_PASSWORD: "" +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1al36hkk8can83zpxq8qyy07gpv83hdw9vchfly5f264kanz405as283a00 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0MjZ5RGI0YTFIbDk3MnBs + ODN3RUg3ZVhsS1dEeDdodFJaQzg2RjFpcm1vClNzV1NwdEFwaXJnclRNVTJIbzVk + VEc3YUV4eWJLb04valdNV216SnhtbzQKLS0tIHpuR2JGZWp0WnNUdStuL1ZLU0FK + eGEreGNJTnU1OTgxL2ljVVRjUUxraEkKvkV7G56/GtJLbLVHvrq+rJ8npBckvww/ + Tq7/k/YmGV764d3Zb0Vs6TNJhoOvKF6sK645wrFlSzVNj51UxkhWYw== + -----END AGE ENCRYPTED FILE----- + - recipient: age1llp6k66265q3rzqemxpnq0x3562u20989vcjf65fl9s3hjhgcscq6mhnjw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHWTI4M202SmlhbzJnckF3 + 
ODZrY3ZQQkRLZmQrNmg4Uys2d0JBWWJMWkN3CmNwUi9HT2VYd0paMnJScnFxSXB0 + YThaU2RqWFdHMXczQ1VmdFdJQmJSU00KLS0tIDk4TW5DdUNJY3dnS1JGQUluaTJw + d3ErbWdrZ2I3ZU1ZZGZBZ1JZU0lZMUEKnQHREjKUZ6a2+Es7SlLY46h4NPdeaE8c + w4My+za7IjGSyL6HKqxSBLUS4Q79cI3iBNu8SwikocmEkqQ/DWlC6g== + -----END AGE ENCRYPTED FILE----- + - recipient: age1zycwtk6dkxj6vuqhj9jw7932ythky9p3att6df4z9qasyw8v5dxquejcmp + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhTmhYKzUyUGJnRHhjTU5m + TVVFOGl5d3ZFYzE4U216a1YvVUlXTGFvYTM4CkZaMTcvRk1CVDJwek9TT0UvOWMr + SWNrb0pvYTZaTHM4aGRpcG9odDhyUm8KLS0tIEkrSmc4V2c0Q0ltWkdRZWQ5NFEr + Y1VWV0JTRjVmWUU4U1pTZkVhbTVLREEKvCxhsCX//e7XawyJG3XeCGLOUqxCx9No + To4JGg10ciWcW0eqyP5lQfwdlECkmPapNz8gaf40DVpPDij5Nja+zA== + -----END AGE ENCRYPTED FILE----- + - recipient: age15arcg8x6ltnsacwalvny0h2d4d4wkdmax328mw3v5vda9zm97uqshtavmr + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTaHh6b3hpbFJrcHl6eHl6 + MkZmNUJWSTJRUFVNOHJaYld3QWUwSy93aEFNCjZTZnNZRlJRR3VEeXROOFBmY2Qz + SHF2bWMvdm5zNi92SUFlc2FZcFl1Y1kKLS0tIG4wYzdKTWFKaExiTVlFa0tRdzVs + bGFuMlF6bkw2Z1lGNmZTV1R0ZEs2T0EK78at74wFk1B5OgeMSKrGLl3sNiwrzitL + 0kcMVyxfV68mpjb0Cw2WtEUo0jFmKFXi7H5FbJeoPrDG0QFvIvgfsA== + -----END AGE ENCRYPTED FILE----- + - recipient: age1khw2eps099audp3uu5s9rk07qznllh5c8a43gv5dtpnq2a7lue6qrehn5s + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJYXE0V2pFYnU5Slk5Nk5j + Snh2UElZajhMZnlZTjVkcFBSMnF2VFJ6TG40ClBFQzV4SUpUZTZaSWpRdXNIdDBq + ZHFUSG5uUHU0bXhhcEpCejh2elM1M2MKLS0tIEovMDdrUEs5blNvL3R0VGVaMVhw + Q3V1UmU0OUtWRmRuQ1dtMFROUDF6NG8KRJRymV0GaOW7sENEqYogNK2HeArsuY8Y + lVWepYYDoeRWwu7kmzORaEnW6G4m0F3rADfwMrQVTNvZ+1Xn/yFOXg== + -----END AGE ENCRYPTED FILE----- + - recipient: age1f6mzqe0cejajzt0c7nwdjz4xvs4hjct9d8hrgj60e7unzyfd7prsn0npe5 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzbHhMUElKUWhFMERGVWpz + 
cFRwTVovOStYNUQ4czIxR25MUzNON2ZzRmc0CjNvOGd4bmdjWHhwdEMzTzJkQU1Y
+ SHJrZG1pQ3pmZnZxWXh4bjkwN3ZvVFEKLS0tIHRhVDgzUHNsMHYrV0RoWCtmR0Nl
+ Tkx0VFJpN1pZam4yeTNYU1Jnb1JyR1EKJSQYyAi9ZZr+njaXV/62nshPVLtWIcLY
+ pwP8ikur4tKrbyg7H+/f3+9jPsr2Jw3xxgkeS4GL+DsTwrGDEwoaiw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-10-29T16:44:49Z"
+ mac: ENC[AES256_GCM,data:5Vc2pwT37LAxNMFcsA6ZbKA04PfFLSkonE6BH2VRfGNO7qXaHo0FTVg9COgx/xoIVamFmqE5nGBqOzRoHalYp5NS9QvNUbiB2kIMMNPsCOD0AFcdsLg8AcyRmwqS5foxcthzWdudB/E5fnbD94K8aSH7cU4tQgiDRnOSKUNNmdg=,iv:wcyPAmDeaXO4t/R7IqZVYIAxBXTVXn00+jmmUviCFxE=,tag:V6QNtYLbPuw24eLNvXK64Q==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.0
diff --git a/helmfile/values/ocelot.yaml.gotmpl b/helmfile/values/ocelot.yaml.gotmpl
new file mode 100644
index 0000000..95c8bc9
--- /dev/null
+++ b/helmfile/values/ocelot.yaml.gotmpl
@@ -0,0 +1,36 @@
+domain: {{ .StateValues.domain }}
+
+cert_manager:
+ issuer: {{ .Release.Name }}-letsencrypt-prod
+
+underMaintenance: false
+
+global:
+ image:
+ tag: {{ .StateValues.image_tag }}
+ pullPolicy: Always
+
+backend:
+ image:
+ repository: ghcr.io/{{ .StateValues.github_repository | lower }}/backend
+ storage: "10Gi"
+ env:
+ PRODUCTION_DB_CLEAN_ALLOW: "true"
+ PUBLIC_REGISTRATION: "true"
+ INVITE_REGISTRATION: "true"
+ CATEGORIES_ACTIVE:
+
+webapp:
+ image:
+ repository: ghcr.io/{{ .StateValues.github_repository | lower }}/webapp
+
+maintenance:
+ image:
+ repository: ghcr.io/{{ .StateValues.github_repository | lower }}/maintenance
+
+neo4j:
+ image:
+ repository: ghcr.io/ocelot-social-community/ocelot-social/neo4j
+ tag: hetzner
+ storage: "5Gi"
+ storageBackups: "10Gi"
diff --git a/kubeconfig.yaml.enc b/kubeconfig.yaml.enc
deleted file mode 100644
index 32172c3..0000000
Binary files a/kubeconfig.yaml.enc and /dev/null differ
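Review bot: `backend.env` sets `NEO4J_USERNAME`, `NEO4J_PASSWORD` and `REDIS_PASSWORD` to `null` while `neo4j.env` sets the same Neo4j credentials to `""`; null and empty string may render differently once the chart consumes them (a null value can be dropped or rendered as a literal by the template, an empty string becomes an empty variable), so use one form for all five keys. If the blank Neo4j credentials mean authentication is intentionally disabled, which the removed `values.yaml.template` did with `AUTH: "none"`, add a comment such as `# Neo4j auth intentionally disabled; keep in sync with neo4j.env` above them so the blanks are not mistaken for secrets that were never filled in, and state the same for `REDIS_PASSWORD` if an unauthenticated Redis is really intended. These are also the only values in the `secrets:` mapping that sops leaves in clear, since null and empty values are not encrypted, which is why a reader will stop on them.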
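Review bot: `CATEGORIES_ACTIVE:` under `backend.env` has no value, so it parses as YAML null rather than the `false` the removed `values.yaml.template` carried; whether the chart then omits the variable or renders an empty string depends on the template, so write it explicitly as `CATEGORIES_ACTIVE: "false"` like the three quoted flags above it. `neo4j.image.tag: hetzner` is a mutable tag, and with `global.image.pullPolicy: Always` (presumably applied to this image as well) every rollout deploys whatever was last pushed under that name; pin a versioned tag or a digest, or at least comment that the tag is intentionally floating. The templated scalars `domain: {{ .StateValues.domain }}` and `tag: {{ .StateValues.image_tag }}` are unquoted, so an empty state value becomes null and a numeric-looking value is retyped — quoting them (`tag: "{{ .StateValues.image_tag }}"`) costs nothing. `PRODUCTION_DB_CLEAN_ALLOW: "true"` was documented in the removed template as meant only for staging-style environments; if this values file can also drive production, that key deserves a comment naming the environment it is intended for.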
diff --git a/kubernetes/dns.values.yaml.enc b/kubernetes/dns.values.yaml.enc
deleted file mode 100644
index d2020f0..0000000
Binary files a/kubernetes/dns.values.yaml.enc and /dev/null differ
diff --git a/kubernetes/dns.values.yaml.template b/kubernetes/dns.values.yaml.template
deleted file mode 100644
index 09539e3..0000000
--- a/kubernetes/dns.values.yaml.template
+++ /dev/null
@@ -1,12 +0,0 @@
-# please duplicate template file and rename to "dns.values.yaml" and fill in your value
-
-provider: digitalocean
-digitalocean:
- # create the API token at https://cloud.digitalocean.com/account/api/tokens
- # needs read + write
- apiToken: "TODO"
-domainFilters:
- # domains you want external-dns to be able to edit
- - TODO.TODO
-rbac:
- create: true
\ No newline at end of file
diff --git a/kubernetes/values.yaml.enc b/kubernetes/values.yaml.enc
deleted file mode 100644
index 881e98a..0000000
Binary files a/kubernetes/values.yaml.enc and /dev/null differ
diff --git a/kubernetes/values.yaml.template b/kubernetes/values.yaml.template
deleted file mode 100644
index 22e69ca..0000000
--- a/kubernetes/values.yaml.template
+++ /dev/null
@@ -1,129 +0,0 @@
-# please duplicate template file and rename to "values.yaml" and fill in your value
-
-# change all the below if needed
-MAPBOX_TOKEN: "pk.eyJ1IjoiYnVzZmFrdG9yIiwiYSI6ImNraDNiM3JxcDBhaWQydG1uczhpZWtpOW4ifQ.7TNRTO-o9aK1Y6MyW_Nd4g"
-PRODUCTION_DB_CLEAN_ALLOW: false # only true for production environments on staging servers
-PUBLIC_REGISTRATION: false
-INVITE_REGISTRATION: false
-COOKIE_EXPIRE_TIME: 730 # days (730 days, two years is the default in main code)
-CATEGORIES_ACTIVE: false
-
-BACKEND:
- # change all the below if needed
- # DOCKER_IMAGE_REPO - change that to your branded docker image
- # label is appended based on .Chart.appVersion
- DOCKER_IMAGE_REPO: "ocelotsocialnetwork/backend-branded"
- CLIENT_URI: "https://staging.ocelot.social"
- # create a new one for your network
- JWT_SECRET: "b/&&7b78BF&fv/Vd"
- PRIVATE_KEY_PASSPHRASE: "a7dsf78sadg87ad87sfagsadg78"
- # ocelot.social mail dummy
- EMAIL_DEFAULT_SENDER: "devops@ocelot.social"
- SMTP_HOST: "mail.ocelot.social"
- SMTP_USERNAME: "devops@ocelot.social"
- SMTP_PASSWORD: "devops@ocelot.social"
- SMTP_PORT: "587"
- SMTP_IGNORE_TLS: 'false'
- SMTP_SECURE: 'false' # true for 465, false for other ports
- # or
- # SMTP_PORT: "465"
- # SMTP_IGNORE_TLS: 'true'
- # SMTP_SECURE: 'true' # true for 465, false for other ports
- # optional
- SMTP_DKIM_DOMAINNAME: ocelot.social
- SMTP_DKIM_KEYSELECTOR: 2017
- # all newlines in one line with "\\n". multi line doesn't work with Helm
- SMTP_DKIM_PRIVATKEY: "-----BEGIN RSA PRIVATE KEY-----\\n\\n-----END RSA PRIVATE KEY-----\\n"
-
- # most likely you don't need to change this
- MIN_READY_SECONDS: "15"
- PROGRESS_DEADLINE_SECONDS: "60"
- REVISIONS_HISTORY_LIMIT: "25"
- CONTAINER_RESTART_POLICY: "Always"
- CONTAINER_TERMINATION_GRACE_PERIOD_SECONDS: "30"
- DOCKER_IMAGE_PULL_POLICY: "Always"
- STORAGE_UPLOADS: "25Gi"
- RESOURCE_REQUESTS_MEMORY: "1G"
- RESOURCE_LIMITS_MEMORY: "2G"
-
-WEBAPP:
- # change all the below if needed
- # DOCKER_IMAGE_REPO - change that to your branded docker image
- # label is appended based on .Chart.appVersion
- DOCKER_IMAGE_REPO: "ocelotsocialnetwork/webapp-branded"
- WEBSOCKETS_URI: "wss://staging.ocelot.social/api/graphql"
-
- # Most likely you don't need to change this
- REPLICAS: "2"
- MIN_READY_SECONDS: "15"
- PROGRESS_DEADLINE_SECONDS: "60"
- REVISIONS_HISTORY_LIMIT: "25"
- CONTAINER_RESTART_POLICY: "Always"
- CONTAINER_TERMINATION_GRACE_PERIOD_SECONDS: "30"
- DOCKER_IMAGE_PULL_POLICY: "Always"
- RESOURCE_REQUESTS_MEMORY: "1G"
- RESOURCE_LIMITS_MEMORY: "2G"
-
-NEO4J:
- # most likely you don't need to change this
- REVISIONS_HISTORY_LIMIT: "25"
- DOCKER_IMAGE_REPO: "ocelotsocialnetwork/neo4j-community-branded"
- DOCKER_IMAGE_PULL_POLICY: "Always"
- CONTAINER_RESTART_POLICY: "Always"
- CONTAINER_TERMINATION_GRACE_PERIOD_SECONDS: "30"
- STORAGE: "5Gi"
- RESOURCE_REQUESTS_MEMORY: "2G"
- RESOURCE_LIMITS_MEMORY: "4G"
- # required for Neo4j Enterprice version
- #ACCEPT_LICENSE_AGREEMENT: "yes"
- ACCEPT_LICENSE_AGREEMENT: "no"
- AUTH: "none"
- #DBMS_CONNECTOR_BOLT_THREAD_POOL_MAX_SIZE: "10000" # hc value
- DBMS_CONNECTOR_BOLT_THREAD_POOL_MAX_SIZE: "400" # default value
- #DBMS_MEMORY_HEAP_INITIAL_SIZE: "500MB" # HC value
- DBMS_MEMORY_HEAP_INITIAL_SIZE: "" # default
- #DBMS_MEMORY_HEAP_MAX_SIZE: "500MB" # HC value
- DBMS_MEMORY_HEAP_MAX_SIZE: "" # default
- #DBMS_MEMORY_PAGECACHE_SIZE: "490M" # HC value
- DBMS_MEMORY_PAGECACHE_SIZE: "" # default
- #APOC_IMPORT_FILE_ENABLED: "true" # HC value
- APOC_IMPORT_FILE_ENABLED: "false" # default
- DBMS_SECURITY_PROCEDURES_UNRESTRICTED: "algo.*,apoc.*"
-
-MAINTENANCE:
- # change all the below if needed
- # DOCKER_IMAGE_REPO - change that to your branded docker image
- # label is appended based on .Chart.appVersion
- DOCKER_IMAGE_REPO: "ocelotsocialnetwork/maintenance-branded"
-
- # Most likely you don't need to change this
- REVISIONS_HISTORY_LIMIT: "25"
- CONTAINER_RESTART_POLICY: "Always"
- CONTAINER_TERMINATION_GRACE_PERIOD_SECONDS: "30"
- DOCKER_IMAGE_PULL_POLICY: "Always"
- RESOURCE_REQUESTS_MEMORY: "500M"
- RESOURCE_LIMITS_MEMORY: "1G"
-
-LETSENCRYPT:
- # change all the below if needed
- # ISSUER is used by cert-manager to set up certificates with the given provider.
- # change it to "letsencrypt-production" once you are ready to have valid cetrificates.
- # Be aware that the is an issuing limit with letsencrypt, so a dry run with staging might be wise
- ISSUER: "letsencrypt-staging"
- EMAIL: "devops@ocelot.social"
- DOMAINS:
- - "staging.ocelot.social"
- - "www.staging.ocelot.social"
-
-NGINX:
- # most likely you don't need to change this
- PROXY_BODY_SIZE: "10m"
-
-STORAGE:
- # change all the below if needed
- PROVISIONER: "dobs.csi.digitalocean.com"
-
- # most likely you don't need to change this
- RECLAIM_POLICY: "Retain"
- VOLUME_BINDING_MODE: "Immediate"
- ALLOW_VOLUME_EXPANSION: true
\ No newline at end of file