From 376b4f5f80ce08fbef0fc0efa9ac4e9f46b241d9 Mon Sep 17 00:00:00 2001 From: richard Date: Mon, 22 Sep 2025 19:59:37 -0400 Subject: [PATCH] setup a single user activity pub inbox on ap1.xai-corp.net --- .../templates/xai-corp.net.internal.j2 | 1 + ansible-5/roles/prod.k3s/defaults/main.yml | 5 ++ .../prod.k3s/tasks/deployments/ktistec.yaml | 66 +++++++++++++++++++ ansible-5/roles/prod.k3s/tasks/main.yml | 4 ++ .../templates/ktistec/deployment.yaml | 49 ++++++++++++++ .../prod.k3s/templates/ktistec/ingress.yaml | 29 ++++++++ .../prod.k3s/templates/ktistec/service.yaml | 12 ++++ 7 files changed, 166 insertions(+) create mode 100644 ansible-5/roles/prod.k3s/tasks/deployments/ktistec.yaml create mode 100644 ansible-5/roles/prod.k3s/templates/ktistec/deployment.yaml create mode 100644 ansible-5/roles/prod.k3s/templates/ktistec/ingress.yaml create mode 100644 ansible-5/roles/prod.k3s/templates/ktistec/service.yaml diff --git a/ansible-5/roles/ns.xai-corp.net/templates/xai-corp.net.internal.j2 b/ansible-5/roles/ns.xai-corp.net/templates/xai-corp.net.internal.j2 index f1df3e6..166d410 100644 --- a/ansible-5/roles/ns.xai-corp.net/templates/xai-corp.net.internal.j2 +++ b/ansible-5/roles/ns.xai-corp.net/templates/xai-corp.net.internal.j2 @@ -88,3 +88,4 @@ abcapi IN CNAME dkhost ;metrics IN CNAME dkhost funkwhale IN CNAME dkhost backstage IN CNAME dkhost +ap1 IN CNAME dkhost diff --git a/ansible-5/roles/prod.k3s/defaults/main.yml b/ansible-5/roles/prod.k3s/defaults/main.yml index e006d7a..f7b27f2 100644 --- a/ansible-5/roles/prod.k3s/defaults/main.yml +++ b/ansible-5/roles/prod.k3s/defaults/main.yml @@ -122,3 +122,8 @@ apps: enabled: true namespace: metallb-system state: absent + + ktistec: + enabled: true + namespace: ktistec + state: present diff --git a/ansible-5/roles/prod.k3s/tasks/deployments/ktistec.yaml b/ansible-5/roles/prod.k3s/tasks/deployments/ktistec.yaml new file mode 100644 index 0000000..4d203c7 --- /dev/null 
+++ b/ansible-5/roles/prod.k3s/tasks/deployments/ktistec.yaml
@@ -0,0 +1,66 @@
+---
+
+#- name: create persistent volume resources
+# kubernetes.core.k8s:
+# kubeconfig: "/etc/rancher/k3s/k3s.yaml"
+# state: "{{apps.ktistec.state}}"
+# definition: "{{ lookup('template', item) | from_yaml }}"
+# loop:
+# - ktistec/pv.yaml
+# - ktistec/pv-claim.yaml
+# - ktistec/pv-auth.yaml
+# - ktistec/pv-auth-claim.yaml
+# become: true
+
+#- name: create secret for ktistec
+# kubernetes.core.k8s:
+# kubeconfig: "/etc/rancher/k3s/k3s.yaml"
+# state: "{{apps.ktistec.state}}"
+# definition:
+# apiVersion: v1
+# kind: Secret
+# type: Opaque
+# metadata:
+# name: auth-secret-2025
+# namespace: "{{apps.ktistec.namespace}}"
+# stringData:
+# htpasswd: "richard:$2y$05$E7B3.iHmoLLSyFZJJWEj3u6eMdm2gPGBu1vAn7VPo9Axk3Wbict2m"
+# become: true
+
+- name: create ktistec namespace
+ kubernetes.core.k8s:
+ kubeconfig: "/etc/rancher/k3s/k3s.yaml"
+ name: "{{apps.ktistec.namespace}}"
+ api_version: v1
+ kind: Namespace
+ state: "{{apps.ktistec.state}}"
+ become: true
+
+- name: create login secret for dkregistry
+ kubernetes.core.k8s:
+ kubeconfig: "/etc/rancher/k3s/k3s.yaml"
+ state: "{{apps.ktistec.state}}"
+ definition:
+ apiVersion: v1
+ kind: Secret
+ type: kubernetes.io/dockerconfigjson
+ metadata:
+ name: dkregistry-login
+ namespace: "{{apps.ktistec.namespace}}"
+ data:
+ .dockerconfigjson: "eyJhdXRocyI6eyJka3JlZ2lzdHJ5LnhhaS1jb3JwLm5ldCI6eyJ1c2VybmFtZSI6InJpY2hhcmQiLCJwYXNzd29yZCI6Im1lMSIsImVtYWlsIjoicmljaGFyZEBleGFtcGxlLmNvbSIsImF1dGgiOiJjbWxqYUdGeVpEcHRaVEU9In19fQ=="
+ become: true
+
+- name: create ktistec activity pub resources
+ kubernetes.core.k8s:
+ kubeconfig: "/etc/rancher/k3s/k3s.yaml"
+ state: "{{apps.ktistec.state}}"
+ namespace: "{{apps.ktistec.namespace}}"
+ definition: "{{ lookup('template', item) | from_yaml }}"
+ loop:
+# - ktistec/configmap.yaml
+ - ktistec/ingress.yaml
+ - ktistec/service.yaml
+ - ktistec/deployment.yaml
+ become: true
+
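Review bot: The `create login secret for dkregistry` task commits a live registry credential to the repository: `.dockerconfigjson` is only base64-encoded, so anyone with read access to this repo recovers the username and password for dkregistry.xai-corp.net, and the commented-out `auth-secret-2025` block above it leaves a bcrypt htpasswd hash in history as well. Move the value into an ansible-vault variable, e.g. `.dockerconfigjson: "{{ ktistec_dockerconfigjson }}"` (constructed name), and add `no_log: true` to the task so the secret is not echoed in playbook output or CI logs. Delete the commented-out secret block instead of carrying it into a new file, and treat the pushed registry password and htpasswd entry as compromised and rotate them. The same `kubeconfig: "/etc/rancher/k3s/k3s.yaml"` literal is repeated in every task here; a role default would keep it in one place.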
diff --git a/ansible-5/roles/prod.k3s/tasks/main.yml b/ansible-5/roles/prod.k3s/tasks/main.yml index 134e6f1..ec54dcc 100644 --- a/ansible-5/roles/prod.k3s/tasks/main.yml +++ b/ansible-5/roles/prod.k3s/tasks/main.yml @@ -59,6 +59,10 @@ include_tasks: deployments/pixelfed.yaml when: apps.pixelfed.enabled +- name: deploy ktistec + include_tasks: deployments/ktistec.yaml + when: apps.ktistec.enabled + #- name: deploy metallb # include_tasks: deployments/metallb.yaml # when: apps.metallb.enabled diff --git a/ansible-5/roles/prod.k3s/templates/ktistec/deployment.yaml b/ansible-5/roles/prod.k3s/templates/ktistec/deployment.yaml new file mode 100644 index 0000000..d157376 --- /dev/null +++ b/ansible-5/roles/prod.k3s/templates/ktistec/deployment.yaml @@ -0,0 +1,49 @@ +apiVersion: v1 +kind: Pod +metadata: + name: ktistec-pod + namespace: "{{apps.ktistec.namespace}}" + labels: + app: ktistec +spec: + imagePullSecrets: + - name: dkregistry-login + containers: + - name: ktistec + image: dkregistry.xai-corp.net/ktistec/app:2.4.13 +# volumeMounts: +# - name: repo-vol +# mountPath: "/var/lib/registry" +## - name: certs-vol +## mountPath: "/certs" +## readOnly: true +## - name: auth-vol +## mountPath: "/auth" +## readOnly: false +# - name: auth-secret +# mountPath: "/auth" +# readOnly: true +# env: +# - name: REGISTRY_AUTH +# value: "htpasswd" +# - name: REGISTRY_AUTH_HTPASSWD_REALM +# value: "Registry Realm" +# - name: REGISTRY_AUTH_HTPASSWD_PATH +# value: "/auth/htpasswd" +# - name: REGISTRY_HTTP_SECRET +# value: "/auth/htpasswd" +# - name: REGISTRY_HTTP_TLS_CERTIFICATE +# value: "/certs/tls.crt" +# - name: REGISTRY_HTTP_TLS_KEY +# value: "/certs/tls.key" +# volumes: +# - name: repo-vol +# persistentVolumeClaim: +# claimName: data-dkregistry-0 +# - name: auth-vol +# persistentVolumeClaim: +# claimName: data-dkregistry-auth-0 + +# - name: auth-secret +# secret: +# secretName: auth-secret-2025 
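Review bot: templates/ktistec/deployment.yaml creates a bare `kind: Pod` (`ktistec-pod`), not a Deployment: nothing reschedules it if the node fails, and since most Pod spec fields cannot be updated in place, later changes mean delete-and-recreate rather than a controlled rollout. It also mounts no volume, so whatever the application writes to its filesystem is lost on every pod replacement, which the commented-out PV tasks in ktistec.yaml suggest was not the intent. The container declares no `resources` and no `securityContext`, and the roughly 35 commented-out lines (REGISTRY_* env vars, `/var/lib/registry`, `data-dkregistry-0`) are leftovers from a registry manifest unrelated to ktistec and should be dropped. A Deployment wrapping the same container, with a `ports:` entry matching the Service's `targetPort: 3000`, is sketched below; add a persistentVolumeClaim for the app data once the PV tasks are re-enabled.
```yaml
apiVersion: apps/v1
kind: Deployment
metadata:
  name: ktistec
  namespace: "{{apps.ktistec.namespace}}"
  labels:
    app: ktistec
spec:
  replicas: 1
  selector:
    matchLabels:
      app: ktistec
  template:
    metadata:
      labels:
        app: ktistec
    spec:
      imagePullSecrets:
        - name: dkregistry-login
      containers:
        - name: ktistec
          image: dkregistry.xai-corp.net/ktistec/app:2.4.13
          ports:
            - containerPort: 3000
          # TODO: resources, securityContext, and a persistentVolumeClaim mount for app data
      # … removed: commented-out registry volume/env leftovers …
```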
diff --git a/ansible-5/roles/prod.k3s/templates/ktistec/ingress.yaml b/ansible-5/roles/prod.k3s/templates/ktistec/ingress.yaml
new file mode 100644
index 0000000..9027ea5
--- /dev/null
+++ b/ansible-5/roles/prod.k3s/templates/ktistec/ingress.yaml
@@ -0,0 +1,29 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: ktistec
+ namespace: "{{apps.ktistec.namespace}}"
+ annotations:
+ kubernetes.io/ingress.class: "traefik"
+ traefik.ingress.kubernetes.io/router.entrypoints: websecure
+ traefik.ingress.kubernetes.io/router.tls: "true"
+ cert-manager.io/cluster-issuer: letsencrypt-production
+
+spec:
+ rules:
+ - host: ap1.xai-corp.net
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: ktistec
+ port:
+ number: 3000
+
+ tls: # < placing a host in the TLS config will determine what ends up in the cert's subjectAltNames
+ - secretName: xai-corp-production-tls-ap1
+ hosts:
+ - ap1.xai-corp.net
diff --git a/ansible-5/roles/prod.k3s/templates/ktistec/service.yaml b/ansible-5/roles/prod.k3s/templates/ktistec/service.yaml
new file mode 100644
index 0000000..94196a6
--- /dev/null
+++ b/ansible-5/roles/prod.k3s/templates/ktistec/service.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: ktistec
+ namespace: "{{apps.ktistec.namespace}}"
+spec:
+ selector:
+ app: ktistec
+ ports:
+ - port: 3000
+ targetPort: 3000
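Review bot: The ingress picks its controller via the `kubernetes.io/ingress.class` annotation, which is deprecated for the `networking.k8s.io/v1` apiVersion this manifest already uses; put `ingressClassName: traefik` under `spec:` and drop the annotation (confirm the class name with `kubectl get ingressclass`, as it is the one k3s's bundled Traefik registers). Quoting in the annotations block is inconsistent: `"traefik"` and `"true"` are quoted while `websecure` and `letsencrypt-production` are not, and since annotation values are always strings, quote all four for uniformity. The `# <` arrow on the `tls:` comment is unusual; `# hosts listed here become the certificate's subjectAltNames` says the same thing more plainly.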