feat(infra): k3s foundation — cert-manager, Longhorn config, in-cluster data tier
ci / typecheck (map[dir:apps/website name:website]) (push) Failing after 10m58s
ci / typecheck (map[dir:apps/portal name:portal]) (push) Failing after 11m56s
ci / typecheck (map[dir:apps/booking name:booking]) (push) Failing after 14m0s
ci / typecheck (map[dir:services/platform-api name:platform-api]) (push) Has been cancelled
ci / test (push) Has been cancelled
Adds the production cluster foundation (authored + applied live on node1):

- cert-manager via the k3s HelmChart controller + letsencrypt staging/prod ClusterIssuers (HTTP-01 / Traefik).
- Longhorn config for single-node (values: replica=1, default StorageClass, Retain) + backup-to-Hetzner-Object-Storage credential template.
- In-cluster data tier (dezky-data): Postgres 16 (with Authentik+OCIS DB init), MongoDB 7, Redis 7 as StatefulSets on Longhorn, + secret template.
- bootstrap.sh: install open-iscsi/nfs-common + enable iscsid (Longhorn prereq).
- RUNBOOK.md: full reproducible node1 build order.

Real secrets are generated on-box and kept in Bitwarden — never in git.
@@ -0,0 +1,42 @@
# Longhorn Helm values — single-node config for the dezky AX41 (node1).
# You install Longhorn; feed it these values, e.g.:
#
# helm repo add longhorn https://charts.longhorn.io && helm repo update
# helm install longhorn longhorn/longhorn \
# -n longhorn-system --create-namespace \
# --version 1.12.0 -f values.yaml
#
# (Or paste this into Rancher → Apps → Longhorn → Edit YAML.)
#
# Host prereq (added to bootstrap.sh): open-iscsi + a running iscsid + nfs-common
# on EVERY node. Verify: `systemctl is-active iscsid` → active.

defaultSettings:
# Single node → 1 replica. No cross-node redundancy yet (durability is the
# same as local disk, but you gain snapshots + off-box backups). Bump to 2–3
# once you add nodes and Longhorn will rebalance.
defaultReplicaCount: 1
# Replica data lives here on the AX41 NVMe.
defaultDataPath: /var/lib/longhorn
# Don't pack the disk to 100%.
storageMinimalAvailablePercentage: 15
storageOverProvisioningPercentage: 100
# Tidy up orphaned replicas automatically.
orphanResourceAutoDeletion: "replica-data"
# ── Backups → Hetzner Object Storage (set after creating the bucket+secret;
# see README). Can also be set in the UI under Settings → General. ──
# backupTarget: s3://dezky-longhorn@fsn1/
# backupTargetCredentialSecret: longhorn-backup-secret

persistence:
# Make Longhorn the DEFAULT StorageClass so PVCs land on it automatically.
# ALSO unset local-path's default flag (one default only — see README).
defaultClass: true
defaultClassReplicaCount: 1
# Databases: keep the volume if a PVC is deleted, until you reclaim it by hand.
reclaimPolicy: Retain

# The Longhorn UI is full storage admin — keep its Ingress OFF until you decide
# how to protect it (IP allowlist at Traefik, or behind Authentik forward-auth).
ingress:
enabled: false
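Review bot: the comment above `defaultClass: true` ("ALSO unset local-path's default flag") describes a step this values file cannot perform: k3s ships `local-path` as the default StorageClass, so applying these values alone leaves two defaults, and any PVC that omits `storageClassName` becomes ambiguous. Suggest recording the patch in RUNBOOK.md right next to the `helm install` step, e.g. `kubectl patch storageclass local-path -p '{"metadata":{"annotations":{"storageclass.kubernetes.io/is-default-class":"false"}}}'`, and verifying with `kubectl get storageclass` that only `longhorn` is marked `(default)`. Two smaller points: the replica comment ("Bump to 2–3 once you add nodes and Longhorn will rebalance") only holds for volumes created after the change, since `defaultReplicaCount` is applied at volume creation and existing volumes keep their own replica count until each is updated; and `ingress.enabled: false` removes external exposure of the UI but not in-cluster access (anyone with `kubectl port-forward` rights can still reach it), so the Traefik allowlist / forward-auth decision the comment defers is about the public edge only, and the real control on storage admin remains RBAC on the `longhorn-system` namespace.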