From ea69e01760f2ad1c80261bb4243e2ef3a58f9ec2 Mon Sep 17 00:00:00 2001 From: fchinembiri Date: Thu, 21 May 2026 17:02:16 +0200 Subject: [PATCH] feat: deploy family-apps (grocy/mealie) for 4 users and fix node metrics connectivity --- k8s/argocd-family-apps.yaml | 20 ++++ k8s/family-apps/00-namespace.yaml | 4 + k8s/family-apps/kecy.yaml | 153 +++++++++++++++++++++++++++++ k8s/family-apps/kustomization.yaml | 9 ++ k8s/family-apps/tawona.yaml | 153 +++++++++++++++++++++++++++++ k8s/family-apps/tendai.yaml | 153 +++++++++++++++++++++++++++++ k8s/family-apps/tsitsi.yaml | 153 +++++++++++++++++++++++++++++ k8s/fix-ufw-ds-v2.yaml | 33 +++++-- 8 files changed, 672 insertions(+), 6 deletions(-) create mode 100644 k8s/argocd-family-apps.yaml create mode 100644 k8s/family-apps/00-namespace.yaml create mode 100644 k8s/family-apps/kecy.yaml create mode 100644 k8s/family-apps/kustomization.yaml create mode 100644 k8s/family-apps/tawona.yaml create mode 100644 k8s/family-apps/tendai.yaml create mode 100644 k8s/family-apps/tsitsi.yaml diff --git a/k8s/argocd-family-apps.yaml b/k8s/argocd-family-apps.yaml new file mode 100644 index 0000000..295f5b3 --- /dev/null +++ b/k8s/argocd-family-apps.yaml @@ -0,0 +1,20 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: family-apps + namespace: argocd +spec: + project: default + source: + repoURL: http://gitea.geocrop.svc.cluster.local:3000/fchinembiri/geocrop-platform.git + targetRevision: HEAD + path: k8s/family-apps + destination: + server: https://kubernetes.default.svc + namespace: family-apps + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/k8s/family-apps/00-namespace.yaml b/k8s/family-apps/00-namespace.yaml new file mode 100644 index 0000000..f58a59b --- /dev/null +++ b/k8s/family-apps/00-namespace.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: family-apps 
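Review bot: `project: default` combined with `automated: prune: true` / `selfHeal: true` means anyone who can push to the Gitea repo named in `repoURL` (or who can interpose on that cleartext `http://` in-cluster connection) can create or delete resources in any namespace, because Argo CD's built-in default AppProject has unrestricted `sourceRepos`, `destinations` and `clusterResourceWhitelist`. Define a dedicated AppProject whose `destinations` lists only `namespace: family-apps` on `https://kubernetes.default.svc` and whose `sourceRepos` names only this repository, then set `project: family-apps` here. `targetRevision: HEAD` follows whichever branch Gitea treats as default; `targetRevision: main` makes the deployed revision explicit and auditable. Whether the plaintext repo URL is acceptable depends on whether pod-to-pod traffic in this cluster is encrypted by the CNI or a mesh — worth confirming rather than assuming.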
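Review bot: The new `family-apps` Namespace has no Pod Security Admission labels, so the eight per-user Deployments synced into it are admitted with no privilege baseline at all. Add under `metadata.labels` at least `pod-security.kubernetes.io/enforce: baseline` and `pod-security.kubernetes.io/warn: restricted` so a future manifest that asks for `privileged` or `hostPath` is rejected. Enforcing `restricted` would likely reject the grocy containers if that image starts as root to apply PUID/PGID — check the image before raising the level.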
diff --git a/k8s/family-apps/kecy.yaml b/k8s/family-apps/kecy.yaml
new file mode 100644
index 0000000..dc440b3
--- /dev/null
+++ b/k8s/family-apps/kecy.yaml
@@ -0,0 +1,153 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: grocy-pvc-kecy +spec: + accessModes: [ReadWriteOnce] + resources: + requests: + storage: 2Gi +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: grocy-kecy +spec: + replicas: 1 + selector: + matchLabels: + app: grocy-kecy + template: + metadata: + labels: + app: grocy-kecy + spec: + containers: + - name: grocy + image: lscr.io/linuxserver/grocy:latest + env: + - name: PUID + value: "1000" + - name: PGID + value: "1000" + - name: TZ + value: "Africa/Harare" + ports: + - containerPort: 80 + volumeMounts: + - name: config + mountPath: /config + volumes: + - name: config + persistentVolumeClaim: + claimName: grocy-pvc-kecy +--- +apiVersion: v1 +kind: Service +metadata: + name: grocy-kecy +spec: + ports: + - port: 80 + targetPort: 80 + selector: + app: grocy-kecy +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: grocy-kecy-ingress + annotations: + cert-manager.io/cluster-issuer: "letsencrypt-prod" +spec: + ingressClassName: nginx + tls: + - hosts: + - grocy-kecy.techarvest.co.zw + secretName: grocy-kecy-tls + rules: + - host: grocy-kecy.techarvest.co.zw + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: grocy-kecy + port: + number: 80 +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: mealie-pvc-kecy +spec: + accessModes: [ReadWriteOnce] + resources: + requests: + storage: 2Gi +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: mealie-kecy +spec: + replicas: 1 + selector: + matchLabels: + app: mealie-kecy + template: + metadata: + labels: + app: mealie-kecy + spec: + containers: + - name: mealie + image: ghcr.io/mealie-recipes/mealie:latest + env: + - name: TZ + value: "Africa/Harare" + ports: + - containerPort: 9000 + volumeMounts: + - name: data + mountPath: /app/data + volumes: + - name: data + persistentVolumeClaim: + claimName: mealie-pvc-kecy +--- +apiVersion: v1 +kind: Service +metadata: + 
name: mealie-kecy +spec: + ports: + - port: 80 + targetPort: 9000 + selector: + app: mealie-kecy +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: mealie-kecy-ingress + annotations: + cert-manager.io/cluster-issuer: "letsencrypt-prod" +spec: + ingressClassName: nginx + tls: + - hosts: + - mealie-kecy.techarvest.co.zw + secretName: mealie-kecy-tls + rules: + - host: mealie-kecy.techarvest.co.zw + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: mealie-kecy + port: + number: 80 diff --git a/k8s/family-apps/kustomization.yaml b/k8s/family-apps/kustomization.yaml new file mode 100644 index 0000000..ec68229 --- /dev/null +++ b/k8s/family-apps/kustomization.yaml @@ -0,0 +1,9 @@ +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - 00-namespace.yaml + - tawona.yaml + - tendai.yaml + - tsitsi.yaml + - kecy.yaml diff --git a/k8s/family-apps/tawona.yaml b/k8s/family-apps/tawona.yaml new file mode 100644 index 0000000..93de785 --- /dev/null +++ b/k8s/family-apps/tawona.yaml 
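Review bot: Both containers are pulled as `:latest` (`lscr.io/linuxserver/grocy:latest`, `ghcr.io/mealie-recipes/mealie:latest`) and carry no `securityContext` or `resources`, so with Argo CD self-heal and prune in front of them every pod restart can silently roll onto a new upstream build that runs with whatever privileges the image defaults to and no memory ceiling. Pin each `image:` to a specific release tag plus `@sha256:` digest, and add `securityContext: {allowPrivilegeEscalation: false, capabilities: {drop: [ALL]}, seccompProfile: {type: RuntimeDefault}}` together with `resources.requests`/`resources.limits` to each container. `runAsNonRoot: true` needs checking against the grocy image first, since its PUID/PGID env suggests it starts as root and drops privileges itself. Mealie is published at `https://mealie-kecy.techarvest.co.zw` but gets only `TZ`; presumably it needs `BASE_URL: "https://mealie-kecy.techarvest.co.zw"` for generated links — verify against the current Mealie configuration reference.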
@@ -0,0 +1,153 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: grocy-pvc-tawona +spec: + accessModes: [ReadWriteOnce] + resources: + requests: + storage: 2Gi +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: grocy-tawona +spec: + replicas: 1 + selector: + matchLabels: + app: grocy-tawona + template: + metadata: + labels: + app: grocy-tawona + spec: + containers: + - name: grocy + image: lscr.io/linuxserver/grocy:latest + env: + - name: PUID + value: "1000" + - name: PGID + value: "1000" + - name: TZ + value: "Africa/Harare" + ports: + - containerPort: 80 + volumeMounts: + - name: config + mountPath: /config + volumes: + - name: config + persistentVolumeClaim: + claimName: grocy-pvc-tawona +--- +apiVersion: v1 +kind: Service +metadata: + name: grocy-tawona +spec: + ports: + - port: 80 + targetPort: 80 + selector: + app: grocy-tawona +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: grocy-tawona-ingress + annotations: + cert-manager.io/cluster-issuer: "letsencrypt-prod" +spec: + ingressClassName: nginx + tls: + - hosts: + - grocy-tawona.techarvest.co.zw + secretName: grocy-tawona-tls + rules: + - host: grocy-tawona.techarvest.co.zw + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: grocy-tawona + port: + number: 80 +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: mealie-pvc-tawona +spec: + accessModes: [ReadWriteOnce] + resources: + requests: + storage: 2Gi +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: mealie-tawona +spec: + replicas: 1 + selector: + matchLabels: + app: mealie-tawona + template: + metadata: + labels: + app: mealie-tawona + spec: + containers: + - name: mealie + image: ghcr.io/mealie-recipes/mealie:latest + env: + - name: TZ + value: "Africa/Harare" + ports: + - containerPort: 9000 + volumeMounts: + - name: data + mountPath: /app/data + volumes: + - name: data + persistentVolumeClaim: + claimName: mealie-pvc-tawona +--- +apiVersion: 
v1 +kind: Service +metadata: + name: mealie-tawona +spec: + ports: + - port: 80 + targetPort: 9000 + selector: + app: mealie-tawona +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: mealie-tawona-ingress + annotations: + cert-manager.io/cluster-issuer: "letsencrypt-prod" +spec: + ingressClassName: nginx + tls: + - hosts: + - mealie-tawona.techarvest.co.zw + secretName: mealie-tawona-tls + rules: + - host: mealie-tawona.techarvest.co.zw + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: mealie-tawona + port: + number: 80 diff --git a/k8s/family-apps/tendai.yaml b/k8s/family-apps/tendai.yaml new file mode 100644 index 0000000..0e3c274 --- /dev/null +++ b/k8s/family-apps/tendai.yaml 
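Review bot: Nothing restricts east-west traffic inside `family-apps`, so a compromised `grocy-tawona` or `mealie-tawona` pod can reach every other user's instance directly via Service DNS (`grocy-kecy.family-apps.svc`, port 80), bypassing the TLS Ingress and whatever per-instance login the apps rely on. Since each Service only needs to be reached from the ingress controller, a single default-deny NetworkPolicy in the namespace that admits ingress from the controller's namespace closes this; the label value below assumes the controller runs in `ingress-nginx`, adjust to the actual namespace. This only takes effect on a CNI that enforces NetworkPolicy, which is worth confirming on this cluster.

```yaml
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
  name: only-from-ingress
  namespace: family-apps
spec:
  podSelector: {}
  policyTypes: [Ingress]
  ingress:
    - from:
        - namespaceSelector:
            matchLabels:
              kubernetes.io/metadata.name: ingress-nginx
```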
@@ -0,0 +1,153 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: grocy-pvc-tendai +spec: + accessModes: [ReadWriteOnce] + resources: + requests: + storage: 2Gi +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: grocy-tendai +spec: + replicas: 1 + selector: + matchLabels: + app: grocy-tendai + template: + metadata: + labels: + app: grocy-tendai + spec: + containers: + - name: grocy + image: lscr.io/linuxserver/grocy:latest + env: + - name: PUID + value: "1000" + - name: PGID + value: "1000" + - name: TZ + value: "Africa/Harare" + ports: + - containerPort: 80 + volumeMounts: + - name: config + mountPath: /config + volumes: + - name: config + persistentVolumeClaim: + claimName: grocy-pvc-tendai +--- +apiVersion: v1 +kind: Service +metadata: + name: grocy-tendai +spec: + ports: + - port: 80 + targetPort: 80 + selector: + app: grocy-tendai +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: grocy-tendai-ingress + annotations: + cert-manager.io/cluster-issuer: "letsencrypt-prod" +spec: + ingressClassName: nginx + tls: + - hosts: + - grocy-tendai.techarvest.co.zw + secretName: grocy-tendai-tls + rules: + - host: grocy-tendai.techarvest.co.zw + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: grocy-tendai + port: + number: 80 +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: mealie-pvc-tendai +spec: + accessModes: [ReadWriteOnce] + resources: + requests: + storage: 2Gi +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: mealie-tendai +spec: + replicas: 1 + selector: + matchLabels: + app: mealie-tendai + template: + metadata: + labels: + app: mealie-tendai + spec: + containers: + - name: mealie + image: ghcr.io/mealie-recipes/mealie:latest + env: + - name: TZ + value: "Africa/Harare" + ports: + - containerPort: 9000 + volumeMounts: + - name: data + mountPath: /app/data + volumes: + - name: data + persistentVolumeClaim: + claimName: mealie-pvc-tendai +--- +apiVersion: 
v1 +kind: Service +metadata: + name: mealie-tendai +spec: + ports: + - port: 80 + targetPort: 9000 + selector: + app: mealie-tendai +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: mealie-tendai-ingress + annotations: + cert-manager.io/cluster-issuer: "letsencrypt-prod" +spec: + ingressClassName: nginx + tls: + - hosts: + - mealie-tendai.techarvest.co.zw + secretName: mealie-tendai-tls + rules: + - host: mealie-tendai.techarvest.co.zw + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: mealie-tendai + port: + number: 80 diff --git a/k8s/family-apps/tsitsi.yaml b/k8s/family-apps/tsitsi.yaml new file mode 100644 index 0000000..acb7c75 --- /dev/null +++ b/k8s/family-apps/tsitsi.yaml 
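Review bot: `grocy-tendai` and `mealie-tendai` are exposed on public hostnames with Let's Encrypt certificates the moment they sync, yet no credentials or sign-up policy are configured in either Deployment's `env`, so between first sync and the user's first login both apps are reachable with whatever initial admin account each image ships with (upstream documentation for both describes a default admin login — confirm for the pinned version). Either gate the Ingress until onboarding is done (`nginx.ingress.kubernetes.io/whitelist-source-range: "<home CIDR>"`) or seed credentials from a Secret, and for Mealie set `ALLOW_SIGNUP: "false"` explicitly rather than relying on the default. The absence of `resources` on both containers also lets one user's instance starve the other three on the same node; add at least `resources.limits.memory` per container.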
@@ -0,0 +1,153 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: grocy-pvc-tsitsi +spec: + accessModes: [ReadWriteOnce] + resources: + requests: + storage: 2Gi +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: grocy-tsitsi +spec: + replicas: 1 + selector: + matchLabels: + app: grocy-tsitsi + template: + metadata: + labels: + app: grocy-tsitsi + spec: + containers: + - name: grocy + image: lscr.io/linuxserver/grocy:latest + env: + - name: PUID + value: "1000" + - name: PGID + value: "1000" + - name: TZ + value: "Africa/Harare" + ports: + - containerPort: 80 + volumeMounts: + - name: config + mountPath: /config + volumes: + - name: config + persistentVolumeClaim: + claimName: grocy-pvc-tsitsi +--- +apiVersion: v1 +kind: Service +metadata: + name: grocy-tsitsi +spec: + ports: + - port: 80 + targetPort: 80 + selector: + app: grocy-tsitsi +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: grocy-tsitsi-ingress + annotations: + cert-manager.io/cluster-issuer: "letsencrypt-prod" +spec: + ingressClassName: nginx + tls: + - hosts: + - grocy-tsitsi.techarvest.co.zw + secretName: grocy-tsitsi-tls + rules: + - host: grocy-tsitsi.techarvest.co.zw + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: grocy-tsitsi + port: + number: 80 +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: mealie-pvc-tsitsi +spec: + accessModes: [ReadWriteOnce] + resources: + requests: + storage: 2Gi +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: mealie-tsitsi +spec: + replicas: 1 + selector: + matchLabels: + app: mealie-tsitsi + template: + metadata: + labels: + app: mealie-tsitsi + spec: + containers: + - name: mealie + image: ghcr.io/mealie-recipes/mealie:latest + env: + - name: TZ + value: "Africa/Harare" + ports: + - containerPort: 9000 + volumeMounts: + - name: data + mountPath: /app/data + volumes: + - name: data + persistentVolumeClaim: + claimName: mealie-pvc-tsitsi +--- +apiVersion: 
v1 +kind: Service +metadata: + name: mealie-tsitsi +spec: + ports: + - port: 80 + targetPort: 9000 + selector: + app: mealie-tsitsi +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: mealie-tsitsi-ingress + annotations: + cert-manager.io/cluster-issuer: "letsencrypt-prod" +spec: + ingressClassName: nginx + tls: + - hosts: + - mealie-tsitsi.techarvest.co.zw + secretName: mealie-tsitsi-tls + rules: + - host: mealie-tsitsi.techarvest.co.zw + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: mealie-tsitsi + port: + number: 80 diff --git a/k8s/fix-ufw-ds-v2.yaml b/k8s/fix-ufw-ds-v2.yaml index b34fbe2..0d2ba4e 100644 --- a/k8s/fix-ufw-ds-v2.yaml +++ b/k8s/fix-ufw-ds-v2.yaml 
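Review bot: Both Deployments in this file keep their state on a `ReadWriteOnce` PVC with `replicas: 1` but leave the update `strategy` at its RollingUpdate default, so a rollout (including the image drift that `:latest` invites) tries to start a second pod while the first still holds the volume: it either wedges on a different node or, on the same node, leaves two processes writing the same SQLite files. Add `strategy: {type: Recreate}` to `grocy-tsitsi` and `mealie-tsitsi` (and to the other three users' files). Separately, this file is byte-identical to `kecy.yaml`, `tawona.yaml` and `tendai.yaml` apart from the name suffix and hostnames; a Kustomize base with per-user `nameSuffix` and a hostname `replacements` entry would let security fixes such as the above land once instead of four times.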
@@ -12,22 +12,43 @@ spec: labels: name: fix-ufw spec: - hostNetwork: true hostPID: true containers: - name: fix image: alpine securityContext: privileged: true - command: ["/bin/sh", "-c"] + command: ["nsenter", "--target", "1", "--mount", "--uts", "--ipc", "--net", "--pid", "--", "sh", "-c"] args: - | - nsenter --target 1 --mount --uts --ipc --net --pid -- sh -c " + if command -v ufw >/dev/null; then + ufw allow 8472/udp + ufw allow 80/tcp + ufw allow 443/tcp + ufw allow 8443/tcp + ufw allow 10250/tcp ufw allow from 10.42.0.0/16 ufw allow from 10.43.0.0/16 ufw allow from 172.16.0.0/12 ufw allow from 192.168.0.0/16 ufw allow from 10.0.0.0/8 - ufw allow proto tcp from any to any port 80,443 - " - while true; do sleep 3600; done + ufw allow from 37.60.237.100 + ufw allow from 167.86.68.48 + ufw allow from 95.111.235.130 + elif command -v firewall-cmd >/dev/null; then + firewall-cmd --permanent --add-port=8472/udp + firewall-cmd --permanent --add-port=80/tcp + firewall-cmd --permanent --add-port=443/tcp + firewall-cmd --permanent --add-port=8443/tcp + firewall-cmd --permanent --add-port=10250/tcp + firewall-cmd --permanent --add-source=10.42.0.0/16 + firewall-cmd --permanent --add-source=10.43.0.0/16 + firewall-cmd --permanent --add-source=172.16.0.0/12 + firewall-cmd --permanent --add-source=192.168.0.0/16 + firewall-cmd --permanent --add-source=10.0.0.0/8 + firewall-cmd --permanent --add-source=37.60.237.100 + firewall-cmd --permanent --add-source=167.86.68.48 + firewall-cmd --permanent --add-source=95.111.235.130 + firewall-cmd --reload + fi + sleep 3600
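Review bot: The new `ufw allow 10250/tcp` and `ufw allow 8472/udp` lines (and their `firewall-cmd --add-port` counterparts) open the kubelet API and the VXLAN overlay to every source address, while the same hunk already whitelists the three node IPs outright with `ufw allow from 37.60.237.100` etc. and the pod/service CIDRs are context lines — so node-to-node metrics scraping and flannel traffic were already permitted and the blanket port rules add only internet exposure. Drop `ufw allow 8472/udp`, `ufw allow 8443/tcp` and `ufw allow 10250/tcp` plus the matching `firewall-cmd --permanent --add-port=` lines, keeping only 80/tcp and 443/tcp world-open; if a specific non-node source needs 8443, express it as `ufw allow from <src> to any port 8443 proto tcp`. The two branches are also not equivalent: `ufw allow from X` admits all traffic from X, whereas `firewall-cmd --add-source=X` only binds X to the default zone and admits nothing beyond that zone's services — presumably unintended, verify on a firewalld node. More broadly, a privileged `hostPID` DaemonSet that `nsenter`s PID 1 is a standing root-on-every-node primitive reachable by anyone who can change this manifest; node firewall rules belong in provisioning (cloud-init/Ansible) or at least a one-shot Job rather than an hourly-restarting DaemonSet.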