setup a single user activity pub inbox on ap1.xai-corp.net

ansible-5/roles/prod.k3s/defaults/main.yml

@@ -122,3 +122,8 @@ apps:
     enabled: true
     namespace: metallb-system
     state: absent
+
+  ktistec:
+    enabled: true
+    namespace: ktistec
+    state: present

ansible-5/roles/prod.k3s/tasks/deployments/ktistec.yaml

@@ -0,0 +1,66 @@
+---
+
+#- name: create persistent volume resources
+#  kubernetes.core.k8s:
+#    kubeconfig: "/etc/rancher/k3s/k3s.yaml"
+#    state: "{{apps.ktistec.state}}"
+#    definition: "{{ lookup('template', item) | from_yaml }}"
+#  loop:
+#    - ktistec/pv.yaml
+#    - ktistec/pv-claim.yaml
+#    - ktistec/pv-auth.yaml
+#    - ktistec/pv-auth-claim.yaml
+#  become: true
+
+#- name: create secret for ktistec
+#  kubernetes.core.k8s:
+#    kubeconfig: "/etc/rancher/k3s/k3s.yaml"
+#    state: "{{apps.ktistec.state}}"
+#    definition:
+#      apiVersion: v1
+#      kind: Secret
+#      type: Opaque
+#      metadata:
+#        name: auth-secret-2025
+#        namespace: "{{apps.ktistec.namespace}}"
+#      stringData:
+#        htpasswd: "richard:$2y$05$E7B3.iHmoLLSyFZJJWEj3u6eMdm2gPGBu1vAn7VPo9Axk3Wbict2m"
+#  become: true
+
+- name: create ktistec namespace
+  kubernetes.core.k8s:
+    kubeconfig: "/etc/rancher/k3s/k3s.yaml"
+    name: "{{apps.ktistec.namespace}}"
+    api_version: v1
+    kind: Namespace
+    state: "{{apps.ktistec.state}}"
+  become: true
+
+- name: create login secret for dkregistry
+  kubernetes.core.k8s:
+    kubeconfig: "/etc/rancher/k3s/k3s.yaml"
+    state: "{{apps.ktistec.state}}"
+    definition:
+      apiVersion: v1
+      kind: Secret
+      type: kubernetes.io/dockerconfigjson
+      metadata:
+        name: dkregistry-login
+        namespace: "{{apps.ktistec.namespace}}"
+      data:
+        .dockerconfigjson: "eyJhdXRocyI6eyJka3JlZ2lzdHJ5LnhhaS1jb3JwLm5ldCI6eyJ1c2VybmFtZSI6InJpY2hhcmQiLCJwYXNzd29yZCI6Im1lMSIsImVtYWlsIjoicmljaGFyZEBleGFtcGxlLmNvbSIsImF1dGgiOiJjbWxqYUdGeVpEcHRaVEU9In19fQ=="
+  become: true
+
+- name: create ktistec activity pub resources
+  kubernetes.core.k8s:
+    kubeconfig: "/etc/rancher/k3s/k3s.yaml"
+    state: "{{apps.ktistec.state}}"
+    namespace: "{{apps.ktistec.namespace}}"
+    definition: "{{ lookup('template', item) | from_yaml }}"
+  loop:
+#    - ktistec/configmap.yaml
+    - ktistec/ingress.yaml
+    - ktistec/service.yaml
+    - ktistec/deployment.yaml
+  become: true
+

ansible-5/roles/prod.k3s/tasks/main.yml

@@ -59,6 +59,10 @@
   include_tasks: deployments/pixelfed.yaml
   when: apps.pixelfed.enabled
 
+- name: deploy ktistec
+  include_tasks: deployments/ktistec.yaml
+  when: apps.ktistec.enabled
+
 #- name: deploy metallb
 #  include_tasks: deployments/metallb.yaml
 #  when: apps.metallb.enabled

ansible-5/roles/prod.k3s/templates/ktistec/deployment.yaml

@@ -0,0 +1,49 @@
+apiVersion: v1
+kind: Pod
+metadata:
+  name: ktistec-pod
+  namespace: "{{apps.ktistec.namespace}}"
+  labels:
+    app: ktistec
+spec:
+  imagePullSecrets:
+    - name: dkregistry-login
+  containers:
+    - name: ktistec
+      image: dkregistry.xai-corp.net/ktistec/app:2.4.13
+#      volumeMounts:
+#        - name: repo-vol
+#          mountPath: "/var/lib/registry"
+##        - name: certs-vol
+##          mountPath: "/certs"
+##          readOnly: true
+##        - name: auth-vol
+##          mountPath: "/auth"
+##          readOnly: false
+#        - name: auth-secret
+#          mountPath: "/auth"
+#          readOnly: true
+#      env:
+#        - name: REGISTRY_AUTH
+#          value: "htpasswd"
+#        - name: REGISTRY_AUTH_HTPASSWD_REALM
+#          value: "Registry Realm"
+#        - name: REGISTRY_AUTH_HTPASSWD_PATH
+#          value: "/auth/htpasswd"
+#        - name: REGISTRY_HTTP_SECRET
+#          value: "/auth/htpasswd"
+#        - name: REGISTRY_HTTP_TLS_CERTIFICATE
+#          value: "/certs/tls.crt"
+#        - name: REGISTRY_HTTP_TLS_KEY
+#          value: "/certs/tls.key"
+#  volumes:
+#    - name: repo-vol
+#      persistentVolumeClaim:
+#        claimName: data-dkregistry-0
+#    - name: auth-vol
+#      persistentVolumeClaim:
+#        claimName: data-dkregistry-auth-0
+
+#    - name: auth-secret
+#      secret:
+#        secretName: auth-secret-2025

ansible-5/roles/prod.k3s/templates/ktistec/ingress.yaml

@@ -0,0 +1,29 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: ktistec
+  namespace: "{{apps.ktistec.namespace}}"
+  annotations:
+    kubernetes.io/ingress.class: "traefik"
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: "true"
+    cert-manager.io/cluster-issuer: letsencrypt-production
+
+spec:
+  rules:
+    - host: ap1.xai-corp.net
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: ktistec
+                port:
+                  number: 3000
+
+  tls: # < placing a host in the TLS config will determine what ends up in the cert's subjectAltNames
+    - secretName: xai-corp-production-tls-ap1
+      hosts:
+        - ap1.xai-corp.net

ansible-5/roles/prod.k3s/templates/ktistec/service.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: ktistec
+  namespace: "{{apps.ktistec.namespace}}"
+spec:
+  selector:
+    app: ktistec
+  ports:
+    - port: 3000
+      targetPort: 3000