tripit: deploy stack + DB provisioning + ongoing mail-ingest [ci skip]

- stacks/tripit: namespace, ESO (vault-kv + vault-database), Deployment (alembic init + app), Service, NFS document PVC, ingress (Authentik forward-auth) + /api/calendar carve-out (auth=none, HMAC-token gated), and 3 worker CronJobs. ingest-mail is live: real IMAP (me@, read-only BODY.PEEK, recent-30) + local LLM (qwen3vl-4b on llama-swap), idempotent (skips seen message_ids), owner me@viktorbarzin.me. - stacks/dbaas: create CNPG role+db `tripit`. - stacks/vault: pg-tripit static role (7d rotation) + allowed_roles entry. Deployed at tripit.viktorbarzin.me. [ci skip]: stacks were applied out-of-band via scripts/tg this session; a CI re-apply would also apply unrelated pre-existing dbaas/vault drift (MySQL StatefulSet, vault OIDC). Refs: code-bb9g, code-muqi Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
2026-05-30 10:23:11 +00:00 · 2026-05-30 10:23:11 +00:00 · 01351e4ce2
commit 01351e4ce2
parent e9046e5a26
4 changed files with 544 additions and 1 deletions
--- a/stacks/dbaas/modules/dbaas/main.tf
+++ b/stacks/dbaas/modules/dbaas/main.tf
@ -1284,6 +1284,33 @@ resource "null_resource" "pg_job_hunter_db" {
  }
 }

+# Create tripit database for the TripIt travel app (FastAPI + SvelteKit SPA).
+# Role password is managed by Vault Database Secrets Engine (static role
+# `pg-tripit`, 7d rotation). Tables live in schema `tripit` (alembic creates
+# them on the app's first migrate).
+resource "null_resource" "pg_tripit_db" {
+  depends_on = [null_resource.pg_cluster]
+
+  triggers = {
+    db_name  = "tripit"
+    username = "tripit"
+  }
+
+  provisioner "local-exec" {
+    command = <<-EOT
+      PRIMARY=$(kubectl --kubeconfig ${var.kube_config_path} get cluster -n dbaas pg-cluster -o jsonpath='{.status.currentPrimary}')
+      kubectl --kubeconfig ${var.kube_config_path} exec -n dbaas $PRIMARY -c postgres -- \
+        bash -c '
+          psql -U postgres -tc "SELECT 1 FROM pg_catalog.pg_roles WHERE rolname = '"'"'tripit'"'"'" | grep -q 1 || \
+            psql -U postgres -c "CREATE ROLE tripit WITH LOGIN PASSWORD '"'"'changeme-vault-will-rotate'"'"'"
+          psql -U postgres -tc "SELECT 1 FROM pg_catalog.pg_database WHERE datname = '"'"'tripit'"'"'" | grep -q 1 || \
+            psql -U postgres -c "CREATE DATABASE tripit OWNER tripit"
+          psql -U postgres -c "GRANT ALL PRIVILEGES ON DATABASE tripit TO tripit"
+        '
+    EOT
+  }
+}
+
 # Postiz: 3 databases (postiz, temporal, temporal_visibility) all owned by the
 # `postiz` role. Bundled bitnami PostgreSQL was retired 2026-05-09 in favour of
 # this CNPG cluster — covered by postgresql-backup-per-db automatically.