viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions
infra/stacks/novelapp/main.tf
Viktor Barzin a3c198e10e add AUTH_SECRET and ALLOWED_ORIGIN env vars to novelapp deployment 
AUTH_SECRET sourced from Vault (secret/novelapp) via K8s secret,
ALLOWED_ORIGIN set to https://novelapp.viktorbarzin.me.
2026-03-15 00:33:38 +00:00

186 lines
4.2 KiB
HCL
Raw Blame History

variable "tls_secret_name" {
type = string
sensitive = true
}
data "vault_kv_secret_v2" "secrets" {
mount = "secret"
name = "novelapp"
}
resource "kubernetes_namespace" "novelapp" {
metadata {
name = "novelapp"
labels = {
"istio-injection" : "disabled"
tier = local.tiers.aux
}
}
}
module "tls_secret" {
source = "../../modules/kubernetes/setup_tls_secret"
namespace = kubernetes_namespace.novelapp.metadata[0].name
tls_secret_name = var.tls_secret_name
}
resource "kubernetes_secret" "novelapp_auth" {
metadata {
name = "novelapp-auth"
namespace = kubernetes_namespace.novelapp.metadata[0].name
}
data = {
"auth-secret" = data.vault_kv_secret_v2.secrets.data["auth_secret"]
}
}
resource "kubernetes_persistent_volume_claim" "novelapp-data" {
metadata {
name = "novelapp-data"
namespace = kubernetes_namespace.novelapp.metadata[0].name
}
spec {
access_modes = ["ReadWriteOnce"]
storage_class_name = "iscsi-truenas"
resources {
requests = {
storage = "1Gi"
}
}
}
}
resource "kubernetes_deployment" "novelapp" {
metadata {
name = "novelapp"
namespace = kubernetes_namespace.novelapp.metadata[0].name
labels = {
app = "novelapp"
tier = local.tiers.aux
}
}
lifecycle {
ignore_changes = [
spec[0].template[0].spec[0].container[0].image,
]
}
spec {
replicas = 1
strategy {
type = "Recreate"
}
selector {
match_labels = {
app = "novelapp"
}
}
template {
metadata {
labels = {
app = "novelapp"
}
}
spec {
volume {
name = "data"
persistent_volume_claim {
claim_name = kubernetes_persistent_volume_claim.novelapp-data.metadata[0].name
}
}
container {
image = "mghee/novelapp:latest"
name = "novelapp"
image_pull_policy = "Always"
env {
name = "NODE_ENV"
value = "production"
}
env {
name = "DB_PATH"
value = "/app/data/novelapp.db"
}
env {
name = "DISABLE_BROWSER_SCRAPING"
value = "true"
}
env {
name = "PORT"
value = "3000"
}
env {
name = "AUTH_SECRET"
value_from {
secret_key_ref {
name = kubernetes_secret.novelapp_auth.metadata[0].name
key = "auth-secret"
}
}
}
env {
name = "ALLOWED_ORIGIN"
value = "https://novelapp.viktorbarzin.me"
}
volume_mount {
name = "data"
mount_path = "/app/data"
}
port {
container_port = 3000
}
resources {
requests = {
memory = "128Mi"
cpu = "10m"
}
limits = {
memory = "256Mi"
}
}
}
}
}
}
}
resource "kubernetes_service" "novelapp" {
metadata {
name = "novelapp"
namespace = kubernetes_namespace.novelapp.metadata[0].name
labels = {
"app" = "novelapp"
}
}
spec {
selector = {
app = "novelapp"
}
port {
name = "http"
port = 80
target_port = 3000
}
}
}
module "ingress" {
source = "../../modules/kubernetes/ingress_factory"
namespace = kubernetes_namespace.novelapp.metadata[0].name
name = "novelapp"
tls_secret_name = var.tls_secret_name
extra_annotations = {
"gethomepage.dev/enabled" = "true"
"gethomepage.dev/name" = "NovelApp"
"gethomepage.dev/description" = "Web novel tracker"
"gethomepage.dev/icon" = "mdi-book-open-page-variant"
"gethomepage.dev/group" = "Other"
"gethomepage.dev/pod-selector" = ""
}
}
# Sealed Secrets — encrypted secrets safe to commit to git
resource "kubernetes_manifest" "sealed_secrets" {
for_each = fileset(path.module, "sealed-*.yaml")
manifest = yamldecode(file("${path.module}/${each.value}"))
}
Reference in a new issue View git blame Copy permalink