install: prune installation steps

README.md

@@ -26,21 +26,28 @@ they come in one package with the repository.
 Below list is formatted as:
 > subdomain: Service (helmrepo, if not by the application authors themselves)
 
+#### Stackspin Tools
+- dashboard: Toolübersicht von Stackspin
+- files: Nextcloud - Tools Hub, Dokumentation, Filesharing, Kalender, Kontakte
+- chat: Zulip - WIP-Updates und Kommunikation
+- note: Hedgedoc - Lebende, kollaborative Dokumente
 #### Stable including Single-Sign-On
-- forge: Forgejo
-- do: Vikunja [needs upgrade]
+- forge: Forgejo - Code Repositories
+- do: Vikunja - Projektmanagement
 - status: Gatus (minicloudlabs)
 #### No SSO
-- ninja: InvoiceNinja
-- support: Zammad
+- ninja: InvoiceNinja - Rechnungsstellung, Angebote, ggf. Zeiterfassung, Auslagenerfassung
+- support: Zammad - Kundensupport, Login-Codes
 - flow: n8n (8gears)
 - meet: cal.com (pyrrha)
+- board: openproject (https://www.openproject.org/docs/installation-and-operations/installation/helm-chart/)
 #### Planned
 - design: penpot
 - sprint: taiga (nemonik)
 - video: Peertube ([LecygneNoir](https://git.lecygnenoir.info/LecygneNoir/peertube-helm))
 - call: Jitsi Meet / OpenTalk / Element Call
 - wiki/know: Wiki (maybe wikijs, but I'd like something that integrates with Nextcloud and Markdown/Orgdown)
+- sign: https://github.com/zekker6/helm-charts/tree/main/charts/apps/docuseal
 #### Ideas
 - link: URL Shortener
 - connect: Bonfire

apps/board-kustomization.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: add-board
+  namespace: flux-system
+spec:
+  interval: 10m
+  prune: true
+  path: ./apps/board
+  sourceRef:
+    kind: GitRepository
+    name: stackspout

apps/board/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - openproject-kustomization.yaml
+  - openproject-secrets-kustomization.yaml

apps/board/openproject-kustomization.yaml

@@ -0,0 +1,35 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: openproject
+  namespace: flux-system
+spec:
+  interval: 5m
+  retryInterval: 2m
+  timeout: 10m
+  wait: true
+  prune: true
+  path: ./apps/board/openproject
+  sourceRef:
+    kind: GitRepository
+    name: stackspout
+  dependsOn:
+    - name: flux
+    - name: local-path-provisioner
+    - name: openproject-secrets
+    - name: nginx
+    - name: single-sign-on
+  postBuild:
+    substituteFrom:
+      - kind: Secret
+        name: stackspin-cluster-variables
+      - kind: ConfigMap
+        name: stackspin-openproject-kustomization-variables
+      - kind: Secret
+        name: stackspin-openproject-variables
+      # OIDC
+      - kind: Secret
+        name: stackspin-openproject-oauth-variables
+      - kind: ConfigMap
+        name: stackspin-single-sign-on-kustomization-variables

apps/board/openproject-secrets-kustomization.yaml

@@ -0,0 +1,22 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: openproject-secrets
+  namespace: flux-system
+spec:
+  interval: 5m
+  timeout: 4m
+  wait: true
+  prune: true
+  path: ./apps/board/openproject-secrets
+  sourceRef:
+    kind: GitRepository
+    name: stackspout
+  dependsOn:
+    - name: flux
+    - name: secrets-controller
+  postBuild:
+    substituteFrom:
+      - kind: Secret
+        name: stackspin-cluster-variables

apps/board/openproject-secrets/openproject-kustomization-variables.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: stackspin-openproject-kustomization-variables
+  namespace: flux-system
+data:
+  openproject_domain: board.${domain}

apps/board/openproject-secrets/openproject-oauth-secret.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: secretgenerator.mittwald.de/v1alpha1
+kind: StringSecret
+metadata:
+  name: stackspin-openproject-oauth-variables
+  namespace: flux-system
+spec:
+  data:
+    client_id: openproject
+  fields:
+  - fieldName: client_secret
+    length: "32"

apps/board/openproject-secrets/openproject-variables.yaml

@@ -0,0 +1,11 @@
+---
+apiVersion: secretgenerator.mittwald.de/v1alpha1
+kind: StringSecret
+metadata:
+  name: stackspin-openproject-variables
+  namespace: flux-system
+spec:
+  fields:
+  - fieldName: admin_password
+  - fieldName: postgresql_password
+  - fieldName: postgresql_postgres_password

apps/board/openproject/openproject-oauth-client.yaml

@@ -0,0 +1,21 @@
+apiVersion: hydra.ory.sh/v1alpha1
+kind: OAuth2Client
+metadata:
+  name: openproject-oauth-client
+  # Has to live in the same namespace as the stackspin-openproject-oauth-variables secret
+  namespace: flux-system
+spec:
+  # TODO copied from wekan: https://github.com/wekan/wekan/wiki/Keycloak
+  grantTypes:
+    - authorization_code
+    - refresh_token
+    - client_credentials
+    - implicit
+  responseTypes:
+    - id_token
+    - code
+  scope: "openid profile email stackspin_roles"
+  secretName: stackspin-openproject-oauth-variables
+  #redirectUris:
+  #  - https://${openproject_domain}/oauth/openid/
+  #tokenEndpointAuthMethod: client_secret_post

apps/board/openproject/openproject-postgres-pvc.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: openproject-postgres
+  namespace: stackspout
+  labels:
+    stackspin.net/backupSet: "openproject"
+spec:
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 2Gi
+  storageClassName: local-path

apps/board/openproject/openproject-pvc.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: openproject-data
+  namespace: stackspout
+  labels:
+    stackspin.net/backupSet: "openproject"
+spec:
+  accessModes:
+    - ReadWriteMany
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 2Gi
+  storageClassName: local-path

apps/board/openproject/openproject-release.yaml

@@ -0,0 +1,27 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: openproject
+  namespace: stackspout
+spec:
+  releaseName: openproject
+  chart:
+    spec:
+      chart: openproject
+      version: 9.10.1
+      sourceRef:
+        kind: HelmRepository
+        name: openproject
+        namespace: flux-system
+  interval: 5m
+  valuesFrom:
+    - kind: ConfigMap
+      name: stackspin-openproject-values
+      optional: false
+    # Allow overriding values by ConfigMap or Secret
+    - kind: ConfigMap
+      name: stackspin-openproject-override
+      optional: true
+    - kind: Secret
+      name: stackspin-openproject-override
+      optional: true

apps/board/openproject/openproject-values-configmap.yaml

@@ -0,0 +1,86 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: stackspin-openproject-values
+  namespace: stackspout
+data:
+  values.yaml: |
+    # TODO verify structure matches chart
+    commonLabels:
+      stackspin.net/backupSet: "openproject"
+    podLabels:
+      stackspin.net/backupSet: "openproject"
+    # TODO Configure PVC for data & database including backup labels
+    podAnnotations:
+      backup.velero.io/backup-volumes: "data"
+    persistence:
+      enabled: true
+      accessModes:
+        - "ReadWriteMany"
+      existingClaim: "openproject-data"
+
+    ingress:
+      enabled: true
+      annotations:
+        kubernetes.io/tls-acme: "true"
+        nginx.ingress.kubernetes.io/configuration-snippet: |
+          more_set_headers "Content-Security-Policy: frame-ancestors 'self' files.";
+      host: "${openproject_domain}"
+      path: /
+      pathType: Prefix
+      tls:
+        enabled: true
+        secretName: openproject-tls
+
+    postgresql:
+      bundled: true
+      commonLabels:
+        stackspin.net/backupSet: "openproject"
+      global:
+        postgresql:
+          auth:
+            database: openproject
+            username: openproject
+            password: "${postgresql_password}"
+            postgresPassword: "${postgresql_admin_password}"
+      primary:
+        persistence:
+          existingClaim: openproject-postgres
+        podAnnotations:
+          backup.velero.io/backup-volumes: "data"
+
+    openproject:
+      admin_user:
+        password: "${admin_password}"
+        password_reset: "false"
+        name: "${org_name} Admin"
+        mail: "${admin_email}"
+
+      ## Define OpenID Connect providers
+      #oidc:
+      #  enabled: false
+      #  provider: "Keycloak"
+      #  displayName: "Keycloak"
+      #  host: ""
+      #  identifier: ""
+      #  secret: ""
+      #  authorizationEndpoint: ""
+      #  tokenEndpoint: ""
+      #  userinfoEndpoint: ""
+      #  endSessionEndpoint: ""
+      #  scope: "[openid]"
+
+    # TODO Adjust openproject Mailing config
+    #    mailer:
+    #      enabled: "${outgoing_mail_enabled}"
+    #      host: "${outgoing_mail_smtp_host}"
+    #      port: "${outgoing_mail_smtp_port}"
+    #      username: "${outgoing_mail_smtp_user}"
+    #      password: "${outgoing_mail_smtp_password}"
+    #      fromemail: "${outgoing_mail_from_address}"
+    # TODO Adjust openproject OpenID Connect Single Sign-On Configuration
+    #    - name: Stackspin
+    #      key: "${client_id}"
+    #      secret: "${client_secret}"
+    #      issuer: "https://${hydra_domain}"
+    #      autoDiscoverUrl: 'https://${hydra_domain}/.well-known/openid-configuration'

apps/kustomization.yaml

@@ -8,6 +8,7 @@ resources:
   - flow-kustomization.yaml
   - meet-kustomization.yaml
   - status-kustomization.yaml
-  - design-kustomization.yaml
+  - board-kustomization.yaml
+  #- design-kustomization.yaml #
   #- sprint-kustomization.yaml #charts outdated
   #- video-kustomization.yaml #missing storage

infrastructure/sources/openproject.yaml

@@ -0,0 +1,8 @@
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+  name: openproject
+  namespace: flux-system
+spec:
+  interval: 60m
+  url: https://charts.openproject.org

install.sh

@@ -1,12 +1,15 @@
-#!/usr/bin/env bash
+#!/bin/sh -x
 
-kubectl get namespace stackspout 2>/dev/null || kubectl create namespace stackspout
+kubectl get namespace stackspout 2>/dev/null ||
+  kubectl create namespace stackspout
 
 echo "Creating / Updating gitRepository stackspout"
 flux create source git stackspout \
-  --url=https://forge.ftt.gmbh/polygon/stackspout.git \
+  --url=https://open.greenhost.net/xeruf/stackspout.git \
   --branch=main \
   --interval=5m
+# Don't depend on a repo hosted by this cluster
+#url=https://forge.ftt.gmbh/polygon/stackspout.git \
 
 echo "Creating / Updating kustomization stackspout"
 flux create kustomization stackspout \
@@ -14,13 +17,3 @@ flux create kustomization stackspout \
   --path="./infrastructure/kustomizations/" \
   --prune=true \
   --interval=5m
-
-# Required for oversized truecharts repo
-export GITEA_TOKEN=$(pass business/ftt/stackspout)
-flux bootstrap gitea \
-  --token-auth \
-  --branch=main \
-  --hostname=forge.ftt.gmbh \
-  --owner=polygon \
-  --repository=stackspout \
-  --path=util/flux

overrides/stackspin-velero-override.yaml

@@ -5,5 +5,7 @@ metadata:
   name: stackspin-velero-override
 data:
   values.yaml: |
-    extraArgs:
-      - --restic-timeout=20h
+    configuration:
+      #backupSyncPeriod: 1h
+      uploaderType: restic
+      fsBackupTimeout: "20h"