From abfddfbab1c92978b6d91cb7125ae0994ed5c035 Mon Sep 17 00:00:00 2001 From: Viktor Barzin Date: Fri, 6 Feb 2026 20:32:08 +0000 Subject: [PATCH] [ci skip] add blotting book repo --- modules/kubernetes/main.tf | 11 ++- modules/kubernetes/plotting-book/main.tf | 97 ++++++++++++++++++++++++ 2 files changed, 107 insertions(+), 1 deletion(-) create mode 100644 modules/kubernetes/plotting-book/main.tf diff --git a/modules/kubernetes/main.tf b/modules/kubernetes/main.tf index 9bec6813..28ca3ce1 100644 --- a/modules/kubernetes/main.tf +++ b/modules/kubernetes/main.tf @@ -149,7 +149,7 @@ locals { "url", "excalidraw", "travel_blog", "dashy", "send", "ytdlp", "wealthfolio", "rybbit", "stirling-pdf", "networking-toolbox", "navidrome", "freshrss", "forgejo", "tor-proxy", "real-estate-crawler", "n8n", "changedetection", "linkwarden", "matrix", "homepage", "meshcentral", "diun", "cyberchef", "ntfy", "ollama", - "servarr", "jsoncrack", "paperless-ngx", "frigate", "audiobookshelf", "tandoor", "ebook2audiobook", "netbox", "speedtest", "resume", "freedify", "mcaptcha", "affine" + "servarr", "jsoncrack", "paperless-ngx", "frigate", "audiobookshelf", "tandoor", "ebook2audiobook", "netbox", "speedtest", "resume", "freedify", "mcaptcha", "affine", "plotting-book" ], } active_modules = distinct(flatten([ @@ -1082,3 +1082,12 @@ module "affine" { depends_on = [null_resource.core_services] } + +module "plotting-book" { + source = "./plotting-book" + for_each = contains(local.active_modules, "plotting-book") ? { plotting-book = true } : {} + tls_secret_name = var.tls_secret_name + tier = local.tiers.aux + + depends_on = [null_resource.core_services] +} diff --git a/modules/kubernetes/plotting-book/main.tf b/modules/kubernetes/plotting-book/main.tf new file mode 100644 index 00000000..692737ee --- /dev/null +++ b/modules/kubernetes/plotting-book/main.tf 
@@ -0,0 +1,97 @@
+variable "tls_secret_name" {}
+variable "tier" { type = string }
+
+resource "kubernetes_namespace" "plotting-book" {
+ metadata {
+ name = "plotting-book"
+ labels = {
+ "istio-injection" : "disabled"
+ }
+ }
+}
+
+module "tls_secret" {
+ source = "../setup_tls_secret"
+ namespace = kubernetes_namespace.plotting-book.metadata[0].name
+ tls_secret_name = var.tls_secret_name
+}
+
+resource "kubernetes_deployment" "plotting-book" {
+ metadata {
+ name = "plotting-book"
+ namespace = kubernetes_namespace.plotting-book.metadata[0].name
+ labels = {
+ app = "plotting-book"
+ tier = var.tier
+ }
+ }
+ spec {
+ replicas = 1
+ selector {
+ match_labels = {
+ app = "plotting-book"
+ }
+ }
+ template {
+ metadata {
+ labels = {
+ app = "plotting-book"
+ }
+ }
+ spec {
+ container {
+ # image = "ancamilea/book-plotter:7"
+ image = "viktorbarzin/book-plotter:7"
+ name = "plotting-book"
+ port {
+ container_port = 3001
+ }
+ resources {
+ requests = {
+ memory = "128Mi"
+ cpu = "50m"
+ }
+ limits = {
+ memory = "512Mi"
+ cpu = "500m"
+ }
+ }
+ }
+ }
+ }
+ }
+}
+
+resource "kubernetes_service" "plotting-book" {
+ metadata {
+ name = "plotting-book"
+ namespace = kubernetes_namespace.plotting-book.metadata[0].name
+ labels = {
+ "app" = "plotting-book"
+ }
+ }
+
+ spec {
+ selector = {
+ app = "plotting-book"
+ }
+ port {
+ name = "http"
+ port = 80
+ target_port = 3001
+ }
+ }
+}
+
+module "ingress" {
+ source = "../ingress_factory"
+ namespace = kubernetes_namespace.plotting-book.metadata[0].name
+ name = "plotting-book"
+ tls_secret_name = var.tls_secret_name
+
+ additional_configuration_snippet = <<-EOF
+ # Override CSP to allow data: URIs and blob: for database/workers
+ proxy_hide_header Content-Security-Policy;
+ add_header Content-Security-Policy "default-src 'self' blob: data:; img-src 'self' data: blob:; style-src 'self' 'unsafe-inline'; script-src 'self' 'unsafe-inline' 'unsafe-eval' blob:; worker-src 'self' blob:; connect-src 'self' blob:; frame-ancestors 'self' *.viktorbarzin.me viktorbarzin.me" always;
+ EOF
+}
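Review bot: The `add_header Content-Security-Policy` line in the `ingress` module's snippet hides the upstream policy and replaces it with one whose `script-src` allows both `'unsafe-inline'` and `'unsafe-eval'`, which removes most of what CSP does against script injection, while the comment above it only justifies `data:` and `blob:`. If the eval requirement comes from a WebAssembly database engine (an inference from the comment, not something this hunk shows), `script-src 'self' 'wasm-unsafe-eval' blob:` would cover it without permitting inline script or string eval; otherwise the comment should say which app feature needs each keyword. Separately, `image = "viktorbarzin/book-plotter:7"` is a mutable tag and the `container` block sets no `security_context`. Pinning the image by digest and adding `run_as_non_root = true` and `allow_privilege_escalation = false` would be a reasonable follow-up if the image supports running that way.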