apps: preliminiary cal.com and peertube configuration

apps/do/do-test/vikunja-values-configmap.yaml

@@ -1,96 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: stackspin-vikunja-test-values
-  namespace: stackspout
-data:
-  # https://github.com/truecharts/charts/blob/master/charts/stable/vikunja/values.yaml
-  values.yaml: |
-    frontend:
-      image:
-        tag: unstable
-        pullPolicy: Always
-      ingress:
-        main:
-          enabled: true
-          annotations:
-            kubernetes.io/tls-acme: "true"
-          hosts:
-            - host: "do-test.${domain}"
-              paths:
-                 - path: /
-                   pathType: Prefix
-          tls:
-            - secretName: vikunja-test-tls
-              hosts:
-                - "do-test.${domain}"
-    api:
-      image:
-        tag: unstable
-        pullPolicy: Always
-      ingress:
-        main:
-          enabled: true
-          annotations:
-            kubernetes.io/tls-acme: "true"
-          hosts:
-            - host: "do-test.${domain}"
-              paths:
-                 - path: /
-                   pathType: Prefix
-          tls:
-            - secretName: vikunja-test-tls
-              hosts:
-                - "do-test.${domain}"
-      configMaps:
-        config:
-          data:
-            config.yml: |-
-              auth:
-                openid:
-                  # https://vikunja.io/docs/config-options/#openid
-                  # Example: https://github.com/go-vikunja/api/blob/main/config.yml.sample#L289-L312
-                  enabled: true
-                  redirecturl: "https://do-test.${domain}/auth/openid/"
-                  providers:
-                    - name: Stackspin
-                      authurl: "https://${hydra_domain}/"
-                      clientid: "${client_id}"
-                      clientsecret: "${client_secret}"
-              service:
-                frontendurl: "https://do-test.${domain}"
-                motd: "This is a test instance, do not use for production data as it can vanish without notice! Use Stackspin login, as usual."
-                timezone: "CET"
-                JWTSecret: "${jwt}"
-              database:
-                type: postgres
-                host: vikunja-test-postgresql
-                password: "${postgresql_password}"
-              log:
-                path: "/app/vikunja"
-                http: stdout
-                database: stderr
-                databaselevel: debug
-              defaultsettings:
-                avatar_provider: gravatar
-                discoverable_by_name: true
-                discoverable_by_email: true
-                week_start: 1
-                timezone: CET
-                # TODO default_project_id
-    #persistence:
-    #  files:
-    #    labels:
-    #      stackspin.net/backupSet: "vikunja"
-    postgresql:
-      enabled: true
-      global:
-        postgresql:
-          database: vikunja
-          username: vikunja
-          password: "${postgresql_password}"
-      persistence:
-        enabled: true
-        existingClaim: vikunja-postgres
-    typesense:
-      enabled: false

apps/flow/n8n/n8n-release.yaml

@@ -8,7 +8,7 @@ spec:
   chart:
     spec:
       chart: n8n
-      version: 1.0 # TODO
+      version: 0.20.1
       sourceRef:
         kind: HelmRepository
         name: n8n

apps/kustomization.yaml

@@ -4,6 +4,7 @@ resources:
   - ninja-kustomization.yaml
   - do-kustomization.yaml
   - forge-kustomization.yaml
-  - flow-kustomization.yaml
   - support-kustomization.yaml
+  - flow-kustomization.yaml
   - people-kustomization.yaml
+  - meet-kustomization.yaml

apps/meet-kustomization.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: add-meet
+  namespace: flux-system
+spec:
+  interval: 10m
+  prune: true
+  path: ./apps/meet
+  sourceRef:
+    kind: GitRepository
+    name: stackspout

apps/meet/calcom-kustomization.yaml

@@ -0,0 +1,35 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: calcom
+  namespace: flux-system
+spec:
+  interval: 5m
+  retryInterval: 2m
+  timeout: 10m
+  wait: true
+  prune: true
+  path: ./apps/meet/calcom
+  sourceRef:
+    kind: GitRepository
+    name: stackspout
+  dependsOn:
+    - name: flux
+    - name: local-path-provisioner
+    - name: calcom-secrets
+    - name: nginx
+    - name: single-sign-on
+  postBuild:
+    substituteFrom:
+      - kind: Secret
+        name: stackspin-cluster-variables
+      - kind: ConfigMap
+        name: stackspin-calcom-kustomization-variables
+      - kind: Secret
+        name: stackspin-calcom-variables
+      # OIDC
+      - kind: Secret
+        name: stackspin-calcom-oauth-variables
+      - kind: ConfigMap
+        name: stackspin-single-sign-on-kustomization-variables

apps/meet/calcom-secrets-kustomization.yaml

@@ -0,0 +1,22 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: calcom-secrets
+  namespace: flux-system
+spec:
+  interval: 5m
+  timeout: 4m
+  wait: true
+  prune: true
+  path: ./apps/meet/calcom-secrets
+  sourceRef:
+    kind: GitRepository
+    name: stackspout
+  dependsOn:
+    - name: flux
+    - name: secrets-controller
+  postBuild:
+    substituteFrom:
+      - kind: Secret
+        name: stackspin-cluster-variables

apps/meet/calcom-secrets/calcom-kustomization-variables.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: stackspin-calcom-kustomization-variables
+  namespace: flux-system
+data:
+  calcom_domain: meet.${domain}

apps/meet/calcom-secrets/calcom-oauth-secret.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: secretgenerator.mittwald.de/v1alpha1
+kind: StringSecret
+metadata:
+  name: stackspin-calcom-oauth-variables
+  namespace: flux-system
+spec:
+  data:
+    client_id: calcom
+  fields:
+  - fieldName: client_secret
+    length: "32"

apps/meet/calcom-secrets/calcom-variables.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: secretgenerator.mittwald.de/v1alpha1
+kind: StringSecret
+metadata:
+  name: stackspin-calcom-variables
+  namespace: flux-system
+spec:
+  # DATABASE_URL
+  # NEXT_PUBLIC_WEBAPP_URL
+  fields:
+  - fieldname: postgresql_password
+  - fieldname: postgresql_postgres_password
+  - fieldName: NEXTAUTH_SECRET
+  - fieldName: CALENDSO_ENCRYPTION_KEY

apps/meet/calcom/calcom-oauth-client.yaml

@@ -1,8 +1,8 @@
 apiVersion: hydra.ory.sh/v1alpha1
 kind: OAuth2Client
 metadata:
-  name: vikunja-test-oauth-client
-  # Has to live in the same namespace as the stackspin-*-oauth-variables secret
+  name: calcom-oauth-client
+  # Has to live in the same namespace as the stackspin-calcom-oauth-variables secret
   namespace: flux-system
 spec:
   # TODO copied from wekan: https://github.com/wekan/wekan/wiki/Keycloak
@@ -15,7 +15,7 @@ spec:
     - id_token
     - code
   scope: "openid profile email stackspin_roles"
-  secretName: stackspin-vikunja-test-oauth-variables
-  redirectUris:
-    - https://do-test.${domain}/auth/openid/stackspin
-  tokenEndpointAuthMethod: client_secret_post
+  secretName: stackspin-calcom-oauth-variables
+  #redirectUris:
+  #  - https://${calcom_domain}/oauth/openid/
+  #tokenEndpointAuthMethod: client_secret_post

apps/meet/calcom/calcom-postgres-pvc.yaml

@@ -1,8 +1,10 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
-  name: vikunja-test-postgres
+  name: calcom-postgres
   namespace: stackspout
+  labels:
+    stackspin.net/backupSet: "calcom"
 spec:
   accessModes:
     - ReadWriteOnce

apps/meet/calcom/calcom-release.yaml

@@ -1,30 +1,27 @@
 apiVersion: helm.toolkit.fluxcd.io/v2beta1
 kind: HelmRelease
 metadata:
-  name: vikunja-test
+  name: calcom
   namespace: stackspout
 spec:
-  releaseName: vikunja-test
+  releaseName: calcom
   chart:
     spec:
-      chart: vikunja
-      version: 0.4.1
+      chart: calcom-stack
+      version: 0.1.6
       sourceRef:
         kind: HelmRepository
-        name: vikunja
+        name: calcom
         namespace: flux-system
   interval: 5m
   valuesFrom:
     - kind: ConfigMap
-      name: stackspin-vikunja-values
-      optional: false
-    - kind: ConfigMap
-      name: stackspin-vikunja-test-values
+      name: stackspout-calcom-values
       optional: false
     # Allow overriding values by ConfigMap or Secret
     - kind: ConfigMap
-      name: stackspin-vikunja-override
+      name: stackspout-calcom-override
       optional: true
     - kind: Secret
-      name: stackspin-vikunja-override
+      name: stackspout-calcom-override
       optional: true

apps/meet/calcom/calcom-values-configmap.yaml

@@ -0,0 +1,57 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: stackspin-calcom-values
+  namespace: stackspout
+data:
+  values.yaml: |
+    postgresql:
+      enabled: true
+      commonLabels:
+        stackspin.net/backupSet: "calcom"
+      #global:
+      #  postgresql:
+      auth:
+        database: calcom
+        username: calcom
+        password: "${postgresql_password}"
+        postgresPassword: "${postgresql_postgres_password}"
+      primary:
+        persistence:
+          existingClaim: calcom-postgres
+        podAnnotations:
+          backup.velero.io/backup-volumes: "data"
+
+    calcom:
+      secretRef: "stackspin-calcom-variables"
+      commonLabels:
+        stackspin.net/backupSet: "calcom"
+      podLabels:
+        stackspin.net/backupSet: "calcom"
+      ingress:
+        enabled: true
+        annotations:
+          kubernetes.io/tls-acme: "true"
+        hosts:
+          - host: "${calcom_domain}"
+            paths:
+               - path: /
+                 pathType: Prefix
+        tls:
+          - secretName: calcom-tls
+            hosts:
+              - "${calcom_domain}"
+
+    # TODO Adjust calcom Mailing config
+    #    mailer:
+    #      enabled: "${outgoing_mail_enabled}"
+    #      host: "${outgoing_mail_smtp_host}"
+    #      port: "${outgoing_mail_smtp_port}"
+    #      username: "${outgoing_mail_smtp_user}"
+    #      password: "${outgoing_mail_smtp_password}"
+    #      fromemail: "${outgoing_mail_from_address}"
+    # TODO Adjust calcom OpenID Connect Single Sign-On Configuration
+    #    - name: Stackspin
+    #      key: "${client_id}"
+    #      secret: "${client_secret}"
+    #      autoDiscoverUrl: 'https://${hydra_domain}/.well-known/openid-configuration'

apps/meet/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - calcom-kustomization.yaml
+  - calcom-secrets-kustomization.yaml

apps/people-kustomization.yaml

@@ -1,17 +1,3 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
-kind: Kustomization
-metadata:
-  name: add-people
-  namespace: flux-system
-spec:
-  interval: 10m
-  prune: true
-  path: ./apps/people
-  sourceRef:
-    kind: GitRepository
-    name: stackspout
----
 apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
 kind: Kustomization
 metadata:

apps/support/zammad/zammad-release.yaml

@@ -8,7 +8,7 @@ spec:
   chart:
     spec:
       chart: zammad
-      version:
+      version: 10.3.0
       sourceRef:
         kind: HelmRepository
         name: zammad

apps/video-kustomization.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: add-video
+  namespace: flux-system
+spec:
+  interval: 10m
+  prune: true
+  path: ./apps/video
+  sourceRef:
+    kind: GitRepository
+    name: stackspout

apps/video/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - peertube-kustomization.yaml
+  - peertube-secrets-kustomization.yaml

apps/video/peertube-kustomization.yaml

@@ -0,0 +1,35 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: peertube
+  namespace: flux-system
+spec:
+  interval: 5m
+  retryInterval: 2m
+  timeout: 10m
+  wait: true
+  prune: true
+  path: ./apps/video/peertube
+  sourceRef:
+    kind: GitRepository
+    name: stackspout
+  dependsOn:
+    - name: flux
+    - name: local-path-provisioner
+    - name: peertube-secrets
+    - name: nginx
+    - name: single-sign-on
+  postBuild:
+    substituteFrom:
+      - kind: Secret
+        name: stackspin-cluster-variables
+      - kind: ConfigMap
+        name: stackspin-peertube-kustomization-variables
+      - kind: Secret
+        name: stackspin-peertube-variables
+      # OIDC
+      - kind: Secret
+        name: stackspin-peertube-oauth-variables
+      - kind: ConfigMap
+        name: stackspin-single-sign-on-kustomization-variables

apps/video/peertube-secrets-kustomization.yaml

@@ -0,0 +1,22 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: peertube-secrets
+  namespace: flux-system
+spec:
+  interval: 5m
+  timeout: 4m
+  wait: true
+  prune: true
+  path: ./apps/video/peertube-secrets
+  sourceRef:
+    kind: GitRepository
+    name: stackspout
+  dependsOn:
+    - name: flux
+    - name: secrets-controller
+  postBuild:
+    substituteFrom:
+      - kind: Secret
+        name: stackspin-cluster-variables

apps/video/peertube-secrets/peertube-kustomization-variables.yaml

@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: stackspin-peertube-kustomization-variables
+  namespace: flux-system
+data:
+  peertube_domain: video.${domain}

apps/video/peertube-secrets/peertube-oauth-secret.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: secretgenerator.mittwald.de/v1alpha1
+kind: StringSecret
+metadata:
+  name: stackspin-peertube-oauth-variables
+  namespace: flux-system
+spec:
+  data:
+    client_id: peertube
+  fields:
+  - fieldName: client_secret
+    length: "32"

apps/video/peertube-secrets/peertube-variables.yaml

@@ -0,0 +1,9 @@
+---
+apiVersion: secretgenerator.mittwald.de/v1alpha1
+kind: StringSecret
+metadata:
+  name: stackspin-peertube-variables
+  namespace: flux-system
+spec:
+  fields:
+  - fieldname: password

apps/video/peertube/peertube-oauth-client.yaml

@@ -0,0 +1,21 @@
+apiVersion: hydra.ory.sh/v1alpha1
+kind: OAuth2Client
+metadata:
+  name: peertube-oauth-client
+  # Has to live in the same namespace as the stackspin-peertube-oauth-variables secret
+  namespace: flux-system
+spec:
+  # TODO copied from wekan: https://github.com/wekan/wekan/wiki/Keycloak
+  grantTypes:
+    - authorization_code
+    - refresh_token
+    - client_credentials
+    - implicit
+  responseTypes:
+    - id_token
+    - code
+  scope: "openid profile email stackspin_roles"
+  secretName: stackspin-peertube-oauth-variables
+  #redirectUris:
+  #  - https://${peertube_domain}/oauth/openid/
+  #tokenEndpointAuthMethod: client_secret_post

apps/video/peertube/peertube-pvc.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: peertube-data
+  namespace: stackspout
+  labels:
+    stackspin.net/backupSet: "peertube"
+spec:
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 2Gi
+  storageClassName: local-path

apps/video/peertube/peertube-release.yaml

@@ -0,0 +1,27 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: peertube
+  namespace: stackspout
+spec:
+  releaseName: peertube
+  chart:
+    spec:
+      chart: peertube
+      version: 1.6.0
+      sourceRef:
+        kind: HelmRepository
+        name: peertube
+        namespace: flux-system
+  interval: 5m
+  valuesFrom:
+    - kind: ConfigMap
+      name: stackspout-peertube-values
+      optional: false
+    # Allow overriding values by ConfigMap or Secret
+    - kind: ConfigMap
+      name: stackspout-peertube-override
+      optional: true
+    - kind: Secret
+      name: stackspout-peertube-override
+      optional: true

apps/video/peertube/peertube-values-configmap.yaml

@@ -0,0 +1,63 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: stackspin-peertube-values
+  namespace: stackspout
+data:
+  values.yaml: |
+    commonLabels:
+      stackspin.net/backupSet: "peertube"
+    podLabels:
+      stackspin.net/backupSet: "peertube"
+    podAnnotations:
+      # TODO FIXME comma separation correct?
+      backup.velero.io/backup-volumes: "data,config"
+
+    persistence:
+      data:
+        enabled: true
+        existingClaim: peertube-data
+      config:
+        enabled: true
+        existingClaim: peertube-config
+
+    ingress:
+      enabled: true
+      annotations:
+        kubernetes.io/tls-acme: "true"
+      hosts:
+        - host: "${peertube_domain}"
+          paths:
+             - path: /
+               pathType: Prefix
+      tls:
+        - secretName: peertube-tls
+          hosts:
+            - "${peertube_domain}"
+
+    resources:
+      requests:
+        cup: 2
+        memory: 4Gi
+
+    environment:
+      hostname: "${peertube_domain}"
+      # TODO database
+      dbHostname: your.postgresql.hostname
+      dbUser: peertube
+      dbPassword: postgres
+      redisHostname: redis
+      redisAuth: redispassword
+      #smtpenabled: "${outgoing_mail_enabled}"
+      smtpHostname: "${outgoing_mail_smtp_host}"
+      smtpPort: "${outgoing_mail_smtp_port}"
+      smtpUser: "${outgoing_mail_smtp_user}"
+      smtpPassword: "${outgoing_mail_smtp_password}"
+      smtpFrom: "${outgoing_mail_from_address}"
+      admin: "${outgoing_mail_from_address}"
+
+    # TODO Adjust peertube OpenID Connect Single Sign-On Configuration
+    #    - name: Stackspin
+    #      key: "${client_id}"
+    #      secret: "${client_secret}"
+    #      autoDiscoverUrl: 'https://${hydra_domain}/.well-known/openid-configuration'