use amd64 for redis

.gitignore

@@ -1 +1,2 @@
 **/.DS_Store
+.idea/

deploy/affine/deployment.yaml

@@ -0,0 +1,93 @@
+# --------------------------------------------------------------------
+# 5b) Deployment: affine-server (serves HTTP on port 3010)
+# --------------------------------------------------------------------
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: affine-server
+  namespace: affine
+  labels:
+    app: affine-server
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: affine-server
+  template:
+    metadata:
+      labels:
+        app: affine-server
+    spec:
+      initContainers:
+        - name: affine-migrate
+          image: ghcr.io/toeverything/affine-graphql:stable-9e7280c
+          command: ["sh", "-c", "node ./scripts/self-host-predeploy.js"]
+          env:
+            - name: REDIS_SERVER_HOST
+              value: "redis-lb.redis.svc.cluster.local"
+            - name: REDIS_SERVER_PORT
+              value: "6379"
+            - name: DATABASE_URL
+              value: >
+                postgresql://$(DB_USERNAME):$(DB_PASSWORD)@postgres-base-rw.postgres.svc.cluster.local:5432/$(DB_DATABASE)
+            - name: AFFINE_SERVER_PORT
+              value: "3010"
+          envFrom:
+            - secretRef:
+                name: affine-db-secret
+          volumeMounts:
+            - name: affine-storage
+              mountPath: /root/.affine/storage
+            - name: affine-config
+              mountPath: /root/.affine/config
+      containers:
+        - name: affine
+          image: ghcr.io/toeverything/affine-graphql:stable-9e7280c
+          ports:
+            - containerPort: 3010
+              name: http
+          env:
+            - name: NODE_TLS_REJECT_UNAUTHORIZED
+              value: "0"
+            - name: AFFINE_SERVER_HTTPS
+              value: "true"
+            - name: AFFINE_SERVER_HOST
+              value: "affine.prod.panic.haus"
+            - name: REDIS_SERVER_HOST
+              value: "redis-lb.redis.svc.cluster.local"
+            - name: REDIS_SERVER_PORT
+              value: "6379"
+            - name: DATABASE_URL
+              value: >-
+                postgresql://$(DB_USERNAME):$(DB_PASSWORD)@postgres-base-rw.postgres.svc.cluster.local:5432/$(DB_DATABASE)
+            - name: AFFINE_SERVER_EXTERNAL_URL
+              value: "https://affine.prod.panic.haus"
+            - name: AFFINE_SERVER_PORT
+              value: "3010"
+          envFrom:
+            - secretRef:
+                name: affine-db-secret
+          readinessProbe:
+            httpGet:
+              path: /health
+              port: 3010
+            initialDelaySeconds: 10
+            periodSeconds: 10
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: 3010
+            initialDelaySeconds: 30
+            periodSeconds: 20
+          volumeMounts:
+            - name: affine-storage
+              mountPath: /root/.affine/storage
+            - name: affine-config
+              mountPath: /root/.affine/config
+      volumes:
+        - name: affine-storage
+          persistentVolumeClaim:
+            claimName: affine-storage-pvc
+        - name: affine-config
+          persistentVolumeClaim:
+            claimName: affine-config-pvc

deploy/affine/ingress.yaml

@@ -0,0 +1,27 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: affine-ingress
+  namespace: affine
+  annotations:
+    # (If you’re using cert-manager + Let’s Encrypt)
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/proxy-body-size: "50m"
+spec:
+  ingressClassName: nginx
+  tls:
+    - hosts:
+        - affine.prod.panic.haus      # ← replace with your desired Affine hostname
+      secretName: affine-tls          # ← must match an existing TLS Secret for that host
+  rules:
+    - host: affine.prod.panic.haus   # ← change to whatever subdomain you choose
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: affine-server
+                port:
+                  number: 3010

deploy/affine/kustomization.yaml

@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: affine
+
+resources:
+  - secret.yaml
+  - pvc.yaml
+  - service.yaml
+  - deployment.yaml
+  - ingress.yaml

deploy/affine/pvc.yaml

@@ -0,0 +1,28 @@
+# 3a) PVC for Affine’s upload storage (~/root/.affine/storage)
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: affine-storage-pvc
+  namespace: affine
+spec:
+  storageClassName: longhorn
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 10Gi
+
+---
+# 3b) PVC for Affine’s config (~/root/.affine/config)
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: affine-config-pvc
+  namespace: affine
+spec:
+  storageClassName: longhorn
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi

deploy/affine/secret.yaml

@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: affine-db-secret
+  namespace: affine
+stringData:
+  # Database credentials for Affine
+  DB_USERNAME: "affine"
+  DB_PASSWORD: "tqMB9UjJ7GZrWnux4sJ9nDPR4xQLq6Vz"
+  DB_DATABASE: "affine_db"

deploy/affine/service.yaml

@@ -0,0 +1,15 @@
+# This Service exposes Affine on port 3010 within the cluster
+apiVersion: v1
+kind: Service
+metadata:
+  name: affine-server
+  namespace: affine
+spec:
+  selector:
+    app: affine-server
+  ports:
+    - name: http
+      port: 3010
+      targetPort: 3010
+      protocol: TCP
+  type: ClusterIP

deploy/appflowy/deployment.yaml

@@ -0,0 +1,350 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: gotrue
+  namespace: appflowy
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: gotrue
+  template:
+    metadata:
+      labels:
+        app: gotrue
+    spec:
+      containers:
+        - name: gotrue
+          image: appflowyinc/gotrue:latest
+          ports:
+            - containerPort: 9999
+          env:
+            - name: GOTRUE_SAML_ENABLED
+              value: "true"
+            - name: GOTRUE_SAML_PRIVATE_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: appflowy-secrets
+                  key: GOTRUE_SAML_PRIVATE_KEY
+            # ----- DB (Postgres HA) -----
+            - name: GOTRUE_DB_DRIVER
+              value: postgres
+            - name: DATABASE_URL
+              valueFrom:
+                secretKeyRef:
+                  name: appflowy-secrets
+                  key: GOTRUE_DATABASE_URL
+            - name: GOTRUE_ADMIN_EMAIL
+              value: hello@beatrice.wtf
+            - name: GOTRUE_ADMIN_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: appflowy-secrets
+                  key: GOTRUE_ADMIN_PASSWORD
+            - name: GOTRUE_DISABLE_SIGNUP
+              value: "true"
+            - name: GOTRUE_SITE_URL
+              value: "appflowy-flutter://"
+            - name: GOTRUE_URI_ALLOW_LIST
+              value: "**"
+            - name: GOTRUE_JWT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: appflowy-secrets
+                  key: GOTRUE_JWT_SECRET
+            - name: GOTRUE_JWT_EXP
+              value: "7200"
+            - name: GOTRUE_SMTP_HOST
+              valueFrom:
+                secretKeyRef:
+                  name: appflowy-secrets
+                  key: SMTP_HOST
+            - name: GOTRUE_SMTP_PORT
+              valueFrom:
+                secretKeyRef:
+                  name: appflowy-secrets
+                  key: SMTP_PORT
+            - name: GOTRUE_SMTP_USER
+              valueFrom:
+                secretKeyRef:
+                  name: appflowy-secrets
+                  key: SMTP_USER
+            - name: GOTRUE_SMTP_PASS
+              valueFrom:
+                secretKeyRef:
+                  name: appflowy-secrets
+                  key: SMTP_PASS
+            - name: GOTRUE_SMTP_ADMIN_EMAIL
+              valueFrom:
+                secretKeyRef:
+                  name: appflowy-secrets
+                  key: SMTP_USER
+            - name: PORT
+              value: "9999"
+            - name: GOTRUE_JWT_ADMIN_GROUP_NAME
+              value: supabase_admin
+            - name: API_EXTERNAL_URL
+              value: https://orbit.panic.haus/gotrue
+            - name: GOTRUE_MAILER_URLPATHS_CONFIRMATION
+              value: /gotrue/verify
+            - name: GOTRUE_MAILER_URLPATHS_INVITE
+              value: /gotrue/verify
+            - name: GOTRUE_MAILER_URLPATHS_RECOVERY
+              value: /gotrue/verify
+            - name: GOTRUE_MAILER_URLPATHS_EMAIL_CHANGE
+              value: /gotrue/verify
+
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: appflowy-cloud
+  namespace: appflowy
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: appflowy-cloud
+  template:
+    metadata:
+      labels:
+        app: appflowy-cloud
+    spec:
+      containers:
+        - name: appflowy-cloud
+          image: appflowyinc/appflowy_cloud:latest
+          ports:
+            - containerPort: 8000
+          env:
+            # ----- Database -----
+            - name: APPFLOWY_DATABASE_URL
+              valueFrom:
+                secretKeyRef:
+                  name: appflowy-secrets
+                  key: APPFLOWY_DATABASE_URL
+            - name: APPFLOWY_REDIS_URI
+              value: "redis://redis-lb.redis.svc.cluster.local:6379"
+
+            # ----- GoTrue (Auth) -----
+            - name: APPFLOWY_GOTRUE_BASE_URL
+              value: "http://gotrue.appflowy.svc.cluster.local:9999"
+            - name: APPFLOWY_GOTRUE_JWT_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: appflowy-secrets
+                  key: GOTRUE_JWT_SECRET
+            - name: APPFLOWY_GOTRUE_JWT_EXP
+              value: "7200"
+
+            # ----- S3 / Minio -----
+            - name: APPFLOWY_S3_USE_MINIO
+              valueFrom:
+                secretKeyRef:
+                  name: appflowy-secrets
+                  key: APPFLOWY_S3_USE_MINIO
+            - name: APPFLOWY_S3_MINIO_URL
+              valueFrom:
+                secretKeyRef:
+                  name: appflowy-secrets
+                  key: APPFLOWY_S3_MINIO_URL
+            - name: APPFLOWY_S3_BUCKET
+              valueFrom:
+                secretKeyRef:
+                  name: appflowy-secrets
+                  key: APPFLOWY_S3_BUCKET
+            - name: APPFLOWY_S3_REGION
+              valueFrom:
+                secretKeyRef:
+                  name: appflowy-secrets
+                  key: AWS_REGION
+            - name: APPFLOWY_S3_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: appflowy-secrets
+                  key: AWS_ACCESS_KEY
+            - name: APPFLOWY_S3_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: appflowy-secrets
+                  key: AWS_SECRET_KEY
+            #- name: APPFLOWY_S3_PRESIGNED_URL_ENDPOINT
+            #  value: "https://minio.example.com"
+              # ← Replace with your actual public Minio endpoint if different
+
+            # ----- Mailer (AppFlowy Cloud) -----
+            - name: APPFLOWY_MAILER_SMTP_HOST
+              valueFrom:
+                secretKeyRef:
+                  name: appflowy-secrets
+                  key: SMTP_HOST
+            - name: APPFLOWY_MAILER_SMTP_PORT
+              valueFrom:
+                secretKeyRef:
+                  name: appflowy-secrets
+                  key: SMTP_PORT
+            - name: APPFLOWY_MAILER_SMTP_USERNAME
+              valueFrom:
+                secretKeyRef:
+                  name: appflowy-secrets
+                  key: SMTP_USER
+            - name: APPFLOWY_MAILER_SMTP_PASSWORD
+              valueFrom:
+                secretKeyRef:
+                  name: appflowy-secrets
+                  key: SMTP_PASS
+            - name: APPFLOWY_MAILER_SMTP_EMAIL
+              valueFrom:
+                secretKeyRef:
+                  name: appflowy-secrets
+                  key: SMTP_USER
+            - name: APPFLOWY_MAILER_SMTP_TLS_KIND
+              valueFrom:
+                secretKeyRef:
+                  name: appflowy-secrets
+                  key: SMTP_TLS_KIND
+
+            # ----- General -----
+            - name: APPFLOWY_ACCESS_CONTROL
+              value: "true"
+            - name: RUST_LOG
+              value: info
+            - name: APPFLOWY_ENVIRONMENT
+              value: production
+            - name: APPFLOWY_WEB_URL
+              value: "https://orbit.panic.haus"   # ← your public AppFlowy URL
+          readinessProbe:
+            httpGet:
+              path: /health
+              port: 8000
+            initialDelaySeconds: 10
+            periodSeconds: 10
+          livenessProbe:
+            httpGet:
+              path: /health
+              port: 8000
+            initialDelaySeconds: 20
+            periodSeconds: 20
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: admin-frontend
+  namespace: appflowy
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: admin-frontend
+  template:
+    metadata:
+      labels:
+        app: admin-frontend
+    spec:
+      containers:
+        - name: admin-frontend
+          image: appflowyinc/admin_frontend:latest
+          ports:
+            - containerPort: 80
+          env:
+            - name: ADMIN_FRONTEND_REDIS_URL
+              value: "redis://redis-lb.redis.svc.cluster.local:6379"
+            - name: ADMIN_FRONTEND_GOTRUE_URL
+              value: "http://gotrue.appflowy.svc.cluster.local:9999"
+            - name: ADMIN_FRONTEND_APPFLOWY_CLOUD_URL
+              value: "http://appflowy-cloud.appflowy.svc.cluster.local:8000"
+            - name: ADMIN_FRONTEND_PATH_PREFIX
+              value: "/console"
+            - name: ADMIN_FRONTEND_PORT
+              value: "80"
+          readinessProbe:
+            httpGet:
+              path: /console
+              port: 80
+            initialDelaySeconds: 5
+            periodSeconds: 10
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: appflowy-worker
+  namespace: appflowy
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: appflowy-worker
+  template:
+    metadata:
+      labels:
+        app: appflowy-worker
+    spec:
+      containers:
+        - name: appflowy-worker
+          image: appflowyinc/appflowy_worker:latest
+          env:
+            - name: RUST_LOG
+              value: info
+            - name: APPFLOWY_ENVIRONMENT
+              value: production
+            - name: APPFLOWY_WORKER_REDIS_URL
+              value: "redis://redis-lb.redis.svc.cluster.local:6379"
+            - name: APPFLOWY_WORKER_DATABASE_URL
+              valueFrom:
+                secretKeyRef:
+                  name: appflowy-secrets
+                  key: GOTRUE_DATABASE_URL
+            - name: APPFLOWY_WORKER_DATABASE_NAME
+              value: appflowy_db
+            - name: APPFLOWY_S3_USE_MINIO
+              valueFrom:
+                secretKeyRef:
+                  name: appflowy-secrets
+                  key: APPFLOWY_S3_USE_MINIO
+            - name: APPFLOWY_S3_MINIO_URL
+              valueFrom:
+                secretKeyRef:
+                  name: appflowy-secrets
+                  key: APPFLOWY_S3_MINIO_URL
+            - name: APPFLOWY_S3_ACCESS_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: appflowy-secrets
+                  key: AWS_ACCESS_KEY
+            - name: APPFLOWY_S3_SECRET_KEY
+              valueFrom:
+                secretKeyRef:
+                  name: appflowy-secrets
+                  key: AWS_SECRET_KEY
+            - name: APPFLOWY_S3_BUCKET
+              valueFrom:
+                secretKeyRef:
+                  name: appflowy-secrets
+                  key: APPFLOWY_S3_BUCKET
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: appflowy-web
+  namespace: appflowy
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: appflowy-web
+  template:
+    metadata:
+      labels:
+        app: appflowy-web
+    spec:
+      containers:
+        - name: appflowy-web
+          image: appflowyinc/appflowy_web:latest
+          ports:
+            - containerPort: 80
+          env:
+            - name: APPFLOWY_CLOUD_URL
+              value: "http://appflowy-cloud.appflowy.svc.cluster.local:8000"

deploy/appflowy/gotrue-ingress.yaml

@@ -0,0 +1,31 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: appflowy-gotrue-ingress
+  namespace: appflowy
+  annotations:
+    nginx.ingress.kubernetes.io/use-regex:   "true"
+    nginx.ingress.kubernetes.io/rewrite-target: /$2
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/proxy-body-size: "50m"
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+spec:
+  ingressClassName: nginx
+
+  tls:
+    - hosts:
+        - orbit.panic.haus
+      secretName: appflowy-tls
+
+  rules:
+    - host: orbit.panic.haus
+      http:
+        paths:
+          # GoTrue: rewrite /gotrue(/|$)(.*) → /$2
+          - path: /gotrue(/|$)(.*)
+            pathType: ImplementationSpecific
+            backend:
+              service:
+                name: gotrue
+                port:
+                  number: 9999

deploy/appflowy/ingress.yaml

@@ -0,0 +1,56 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: appflowy-ingress
+  namespace: appflowy
+  annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/proxy-body-size: "50m"
+spec:
+  ingressClassName: nginx
+
+  tls:
+    - hosts:
+        - orbit.panic.haus           # ← replace with your public domain
+      secretName: appflowy-tls
+
+  rules:
+    - host: orbit.panic.haus
+      http:
+        paths:
+          # ┌──────────────────────────────────────────────────────────────────────────────┐
+          # │ 1) Admin UI (served under /console)                                          │
+          # └──────────────────────────────────────────────────────────────────────────────┘
+          - path: /console
+            pathType: Prefix
+            backend:
+              service:
+                name: admin-frontend
+                port:
+                  number: 80
+
+          # ┌──────────────────────────────────────────────────────────────────────────────┐
+          # │ 3) AppFlowy-Cloud API & Web                                                  │
+          #    • If you want API served on /api, and the static Web on /                   │
+          #    • You could also send all traffic to appflowy-web and let it call           │
+          #    • the backend at /api internally.                                           │
+          # └──────────────────────────────────────────────────────────────────────────────┘
+
+          # a) Direct all `/api/*` calls to the backend service
+          - path: /api
+            pathType: Prefix
+            backend:
+              service:
+                name: appflowy-cloud
+                port:
+                  number: 8000
+
+          # b) Everything else (root path) → appflowy-web (static UI)
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: appflowy-web
+                port:
+                  number: 80

deploy/appflowy/kustomization.yaml

@@ -0,0 +1,11 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: appflowy
+
+resources:
+  - secret.yaml
+  - deployment.yaml
+  - service.yaml
+  - ingress.yaml
+  - gotrue-ingress.yaml

deploy/appflowy/secret.yaml

@@ -0,0 +1,46 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: appflowy-secrets
+  namespace: appflowy
+stringData:
+  FQDN: "orbit.panic.haus"
+  SCHEME: "https"
+  APPFLOWY_BASE_URL: "https://orbit.panic.haus"
+  APPFLOWY_WEB_URL: "https://orbit.panic.haus"
+
+  # ==== PostgreSQL credentials ====
+  GOTRUE_DATABASE_URL: "postgres://appflowy:AjUIkz5lcaEGpCrO9KHYAvaKbLsH2Q0e@postgres-base-rw.postgres.svc.cluster.local:5432/appflowy_db?search_path=auth"
+  APPFLOWY_DATABASE_URL: "postgres://appflowy:AjUIkz5lcaEGpCrO9KHYAvaKbLsH2Q0e@postgres-base-rw.postgres.svc.cluster.local:5432/appflowy_db"
+
+  # ==== GoTrue (Auth) keys ====
+  GOTRUE_JWT_SECRET: "5IqQzMmpRPoeParMsgoWIphrCYdhFhxz9NSyEQYlwGyTrRSsjInyMSaM44ZCH"
+  GOTRUE_ADMIN_PASSWORD: "KaTPKUXiDUVIcUYWjqSy5SFdqrIl5csS"
+  GOTRUE_SAML_PRIVATE_KEY: "MIIEpAIBAAKCAQEAz625FMeC/kzE3M1PcX9klYmq4cNJKCXFl3UAiu/VR+RsPoMskVloyNaeESx+C/XhjMySxOGyeAepO6haIybMFqbEiBPjkQNASYUcEdp+pfGliTkgkiffiq3qSIt+ZylVUniGEEnM3JznIoFlW9ikNDlCTRObasIQ0io3bwaRP5pnzMDAPc7i8xBlkybj8Mu3HZmGU+xqiv1zNP9kSWINsMm4wt6Lwqbqt+LNr0q+F3H9yORbErFEGRsAsPMTtPIwX8eUb241MU5WmQ8n7Ea/U1+E3scaPr44TSZg9Xl+KwEVhdX9yX6/QKBefv6d/IwgNVkHxyRmRh9dkONxhWZ/8wIDAQABAoIBAAQjEEhHLydUrSk+18HJiV3nN6W2p6rqkbSSKpgZ7fQ4KyXVpBojH1C84boy2jHvzHXrD1NnsY/tiyP6lw0TNUaQPOL/Dm3xlCLCyYvbf+FbXnJM1obCz5OqIjwetz5j1uTFLNp/NdsBLyODU1sQhjjaGSWC6fom8oHVQHRwO416Qz11ZrOzXB8WDUyPImFkT7hU5F2MJFLU94MY6dBC0NKQBWIvFZQMN8WHoTeTlDcdljN9qduqDFAdMZi6JW0YNr0Ycvgt5qn/Me5EFN3+s3RVRnTL/rSENKeKJFcDXes3XEKxbwtzMVqa6sHZrt6LJtN8jx3tpryD2priCjC0TU0CgYEA7RdDpqmgtkeWHeu5nfzJyE1TEvl2qIezhpNIBwYuzACWRWWbzK3XKaLMq91JJSacHLB9kYpp08Rzsk33m6OLk+Q7g1E8ltHyMvR8avX7kczbL4/FV50Ydb14MOrPPlL/xemL0/faIRmfhGaQ3XgOAIqCoYIPY3HHjCUAMRDpZI8CgYEA4D3xJ9+qCtqzwf6afBHfymkCkEn8mO+4dB6kdXIjppor0EW8Xvg4zDYMq9RmO/ROUQypljCLrwx9ZiElNPTwmIAFPWjuSpAEyzZdxEz0H01PhwERvdMtt6FFTSGRQsTUzWTa7oYAn8K/Fu4VkKBVdbmqQhfUdsk+/RqUHRw/iF0CgYEA400th6gSsw7YpeDr+MJ09brkTUmrcBGBlSC4qjtMPDrH1sp+XvG/WWSCErc5PAvTGVI/YHwxz1wFi8lh/O4DkAr8333Pt8yaBi4M5kLkJ7kd3nBYwxGSdLbsdwF3JQpPuv+YFeUGVDuLilUGx70kt3IToSHe/PkFVZ/XmjLbf5MCgYAHAQhKRYsrIZ+hvJEYtPo3eUYyOY1hPYOWZOqgHHuOlZwuui7jDH/BqSKGL3EuCDh2AZ4+aa/DPPGhwgFGgSwOp1kCjQd8Xrk3m7AcFIc/fwuv3NGwCyuPY8MlYJoH6tv2umK4NolIdC3Bypfz134z2iO+Qr5JI4oLH8xmiF5XpQKBgQDM+vmlxMcHfl0OcnAJuQ0SaqVk6ufrMKRg8dPSvn2G84LdF3Vbr0Qx0vCRrmz85Netj5RdqkQh1dhi/QWMGegMw+bPmrDM6/CCEhT+9e6v5r2iKt3BbskbWdyhTm/nX98Er139/0xllF5Cyx54Xq2cTnDEM/Zaq+UXREHTr/L61Q=="
+
+  # ==== Minio (S3) ====
+  APPFLOWY_S3_MINIO_URL: "https://s3.minio.panic.haus"
+  MINIO_HOST: "s3.minio.panic.haus"
+  MINIO_PORT: "443"
+  AWS_ACCESS_KEY: "rjtPFRp52DgmWb4kdsyiFKjtBMxYSaow"          # must match your Minio secret
+  AWS_SECRET_KEY: "kabSK8RXcONjO8I7GNfJ03WMueJ7fk6z"          # must match your Minio secret
+  APPFLOWY_S3_BUCKET: "appflowy"                # your bucket name
+  APPFLOWY_S3_USE_MINIO: "true"
+  AWS_REGION: "cluster-panic-haus"
+  # If you use AWS S3 instead of Minio, set APPFLOWY_S3_CREATE_BUCKET / AWS_REGION here.
+
+  # ==== GoTrue SMTP (optional) ====
+  SMTP_HOST: "mail.mind-overflow.net"
+  SMTP_PORT: "465"
+  SMTP_USER: "cloud@mind-overflow.net"
+  SMTP_PASS: "PcYchuLLUyfT2gvY4Tx7wQ575Tnqjx84zVNoP6Mb"
+  SMTP_ADMIN_EMAIL: "hello@beatrice.wtf"
+
+  # ==== AppFlowy Mailer (Cloud) ====
+  SMTP_EMAIL: "cloud@mind-overflow.net"
+  SMTP_TLS_KIND: "wrapper"   # "none" "wrapper" "required" "opportunistic"
+
+  # ==== Additional secrets for AppFlowy AI (if used) ====
+  AI_OPENAI_API_KEY: ""
+
+  # (Optional) any other secrets you need can go here.

deploy/appflowy/service.yaml

@@ -0,0 +1,95 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: gotrue
+  namespace: appflowy
+spec:
+  ports:
+    - port: 9999
+      targetPort: 9999
+      protocol: TCP
+      name: http
+  selector:
+    app: gotrue
+  type: ClusterIP
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: appflowy-cloud
+  namespace: appflowy
+spec:
+  ports:
+    - port: 8000
+      targetPort: 8000
+      protocol: TCP
+      name: http
+  selector:
+    app: appflowy-cloud
+  type: ClusterIP
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: admin-frontend
+  namespace: appflowy
+spec:
+  ports:
+    - port: 80
+      targetPort: 80
+      protocol: TCP
+      name: http
+  selector:
+    app: admin-frontend
+  type: ClusterIP
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: appflowy-worker
+  namespace: appflowy
+spec:
+  ports:
+    - port: 8081
+      targetPort: 8081
+      protocol: TCP
+      name: http
+  selector:
+    app: appflowy-worker
+  type: ClusterIP
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: appflowy-web
+  namespace: appflowy
+spec:
+  ports:
+    - port: 80
+      targetPort: 80
+      protocol: TCP
+      name: http
+  selector:
+    app: appflowy-web
+  type: ClusterIP
+
+# (If you added appflowy-ai)
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: appflowy-ai
+  namespace: appflowy
+spec:
+  ports:
+    - port: 5001
+      targetPort: 5001
+      protocol: TCP
+      name: http
+  selector:
+    app: appflowy-ai
+  type: ClusterIP

deploy/descheduler/values.yaml

@@ -130,12 +130,12 @@ deschedulerPolicy:
         - name: LowNodeUtilization
           args:
             thresholds:
-              cpu: 20
-              memory: 20
-              pods: 20
+              cpu: 40
+              memory: 30
+              pods: 30
             targetThresholds:
               cpu: 50
-              memory: 50
+              memory: 60
               pods: 50
       plugins:
         balance:

deploy/longhorn/longhorn-deploy.yaml

@@ -103,7 +103,7 @@ data:
     reclaimPolicy: "Delete"
     volumeBindingMode: Immediate
     parameters:
-      numberOfReplicas: "3"
+      numberOfReplicas: "1"
       staleReplicaTimeout: "30"
       fromBackup: ""
       fsType: "ext4"

deploy/outline-wiki/deploy.yaml

@@ -17,7 +17,7 @@ spec:
     spec:
       containers:
         - name: outline
-          image: outlinewiki/outline:0.82.0
+          image: outlinewiki/outline:0.84.0
           ports:
             - containerPort: 8089
           envFrom:

deploy/outline-wiki/secret.yaml

@@ -19,7 +19,7 @@ stringData:
   FILE_STORAGE_UPLOAD_MAX_SIZE: "26214400"
   AWS_S3_FORCE_PATH_STYLE: "true"
   AWS_S3_ACL: private
-  OIDC_DISPLAY_NAME: beeSSO
+  OIDC_DISPLAY_NAME: panicSSO
   OIDC_CLIENT_ID: outline
   OIDC_CLIENT_SECRET: W4KxpMkWiRL5EU8yknamRkkZpFFQ1rKN
   OIDC_AUTH_URI: https://sso.panic.haus/realms/panic-haus/protocol/openid-connect/auth?scope=openid

deploy/plausible/clickhouse-config.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: clickhouse-config
+data:
+  clickhouse-config.xml: |
+    <clickhouse>
+      <logger>
+        <level>warning</level>
+        <console>true</console>
+      </logger>
+      <query_thread_log remove="remove"/>
+      <query_log remove="remove"/>
+      <text_log remove="remove"/>
+      <trace_log remove="remove"/>
+      <metric_log remove="remove"/>
+      <asynchronous_metric_log remove="remove"/>
+
+      <!-- Update: Required for newer versions of Clickhouse -->
+      <session_log remove="remove"/>
+      <part_log remove="remove"/>
+    </clickhouse>

deploy/plausible/clickhouse-deploy.yaml

@@ -0,0 +1,41 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: clickhouse
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: clickhouse
+  template:
+    metadata:
+      labels:
+        app: clickhouse
+    spec:
+      containers:
+        - name: clickhouse
+          image: clickhouse/clickhouse-server:22.6-alpine
+          # You may expose ports if needed (for example, HTTP on 8123)
+          ports:
+            - containerPort: 8123
+          volumeMounts:
+            - name: event-data
+              mountPath: /var/lib/clickhouse
+            - name: clickhouse-config
+              mountPath: /etc/clickhouse-server/config.d/logging.xml
+              subPath: clickhouse-config.xml
+              readOnly: true
+            - name: clickhouse-user-config
+              mountPath: /etc/clickhouse-server/users.d/logging.xml
+              subPath: clickhouse-user-config.xml
+              readOnly: true
+      volumes:
+        - name: event-data
+          persistentVolumeClaim:
+            claimName: event-data-pvc
+        - name: clickhouse-config
+          configMap:
+            name: clickhouse-config
+        - name: clickhouse-user-config
+          configMap:
+            name: clickhouse-user-config

deploy/plausible/clickhouse-pvc.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: event-data-pvc
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 10Gi
+  storageClassName: longhorn

deploy/plausible/clickhouse-svc.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: clickhouse
+  labels:
+    app: clickhouse
+spec:
+  ports:
+    - name: http
+      protocol: TCP
+      port: 8123
+      targetPort: 8123
+  selector:
+    app: clickhouse

deploy/plausible/clickhouse-user-config.yaml

@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: clickhouse-user-config
+data:
+  clickhouse-user-config.xml: |
+    <clickhouse>
+        <profiles>
+            <default>
+                <log_queries>0</log_queries>
+                <log_query_threads>0</log_query_threads>
+            </default>
+        </profiles>
+    </clickhouse>

deploy/plausible/kustomization.yaml

@@ -0,0 +1,17 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: plausible
+
+resources:
+  - clickhouse-config.yaml
+  - clickhouse-pvc.yaml
+  - clickhouse-svc.yaml
+  - mail-svc.yaml
+  - plausible-secret.yaml
+  - clickhouse-deploy.yaml
+  - clickhouse-user-config.yaml
+  - mail-deploy.yaml
+  - plausible-deploy.yaml
+  - plausible-ingress.yaml
+  - plausible-svc.yaml

deploy/plausible/mail-deploy.yaml

@@ -0,0 +1,21 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: mail
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: mail
+  template:
+    metadata:
+      labels:
+        app: mail
+    spec:
+      nodeSelector:
+        kubernetes.io/arch: "amd64"
+      containers:
+        - name: mail
+          image: bytemark/smtp
+          ports:
+            - containerPort: 25

deploy/plausible/mail-svc.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: mail
+spec:
+  selector:
+    app: mail
+  ports:
+    - protocol: TCP
+      port: 25
+      targetPort: 25

deploy/plausible/plausible-deploy.yaml

@@ -0,0 +1,26 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: plausible
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: plausible
+  template:
+    metadata:
+      labels:
+        app: plausible
+    spec:
+      containers:
+        - name: plausible
+          image: plausible/analytics:latest
+          command:
+            - sh
+            - -c
+            - "sleep 10 && /entrypoint.sh db createdb && /entrypoint.sh db migrate && /entrypoint.sh run"
+          ports:
+            - containerPort: 8000
+          envFrom:
+            - secretRef:
+                name: plausible-env

deploy/plausible/plausible-ingress.yaml

@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: plausible-ingress
+  annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
+spec:
+  ingressClassName: nginx
+  tls:
+    - hosts:
+        - webstats.beatrice.wtf
+      secretName: plausible-tls
+  rules:
+    - host: webstats.beatrice.wtf
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: plausible
+                port:
+                  number: 8000

deploy/plausible/plausible-secret.yaml

@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: plausible-env
+data:
+  ADMIN_USER_EMAIL: aGVsbG9AYmVhdHJpY2Uud3Rm
+  ADMIN_USER_NAME: YmVhdHJpY2U=
+  ADMIN_USER_PWD: Xl55Z1d4UGtEMiRQSlF1JXZAQ1Q1ZF5lNnRDbmhBXk5qZnpTVlYyISNTN2U3N25wU25wZkpUYWF6RGVWRFVSTA==
+  BASE_URL: aHR0cHM6Ly93ZWJzdGF0cy5iZWF0cmljZS53dGY=
+  DATABASE_URL: cG9zdGdyZXM6Ly9wbGF1c2libGU6cnY5Mzhnd2d3ZzQzNGYyZjRoZzNnN2gzMDg5N2czaDVnMDk4akBwb3N0Z3Jlcy1iYXNlLXJ3LnBvc3RncmVzOjU0MzIvcGxhdXNpYmxlX2Ri
+  CLICKHOUSE_DATABASE_URL: aHR0cDovL2NsaWNraG91c2U6ODEyMy9wbGF1c2libGVfZXZlbnRzX2Ri
+  DISABLE_REGISTRATION: dHJ1ZQ==
+  MAILER_EMAIL: Y2xvdWRAbWluZC1vdmVyZmxvdy5uZXQ=
+  PORT: ODAwMA==
+  SECRET_KEY_BASE: M1FRQS9EdEdmR3c3cytjMzF2dnlmZ3lVc2F4RStNOWsxSWIvNVBjTUJIQjVHNWdpek00a2tSQ2lvbUFkU0lKR3FybGJ5R2h6VEFOcUJLWWZyeFZ0eHc9PQ==
+  SMTP_HOST_ADDR: bWFpbC5taW5kLW92ZXJmbG93Lm5ldA==
+  SMTP_HOST_PORT: NTg3
+  SMTP_HOST_SSL_ENABLED: ZmFsc2U=
+  SMTP_USER_NAME: Y2xvdWRAbWluZC1vdmVyZmxvdy5uZXQ=
+  SMTP_USER_PWD: UGNZY2h1TExVeWZUMmd2WTRUeDd3UTU3NVRucWp4ODR6Vk5vUDZNYg==
+
+

deploy/plausible/plausible-svc.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: plausible
+spec:
+  selector:
+    app: plausible
+  ports:
+    - protocol: TCP
+      port: 8000
+      targetPort: 8000

deploy/prometheus/deploy.jsonnet

@@ -13,13 +13,19 @@ local kp = (import 'kube-prometheus/main.libsonnet') + {
   prometheus+:: {
     prometheus+: {
       spec+: {
+        serviceMonitorSelector: {},
         externalUrl: 'https://metrics.prod.panic.haus',
         retention: '30d',
+        retentionSize: '16GB',
+        additionalScrapeConfigs: {
+            name: 'prometheus-additional-scrape-configs',
+            key: 'additional-scrape-configs.yaml',
+        },
         storage: {
           volumeClaimTemplate: {
             spec: {
               accessModes: ['ReadWriteOnce'],
-              resources: { requests: { storage: '40Gi' } },
+              resources: { requests: { storage: '20Gi' } },
               storageClassName: 'longhorn',
             },
           },

deploy/prometheus/manifests/prometheus-prometheus.yaml

@@ -10,6 +10,9 @@ metadata:
   name: k8s
   namespace: monitoring
 spec:
+  additionalScrapeConfigs:
+    key: additional-scrape-configs.yaml
+    name: prometheus-additional-scrape-configs
   alerting:
     alertmanagers:
     - apiVersion: v2
@@ -38,6 +41,7 @@ spec:
     requests:
       memory: 400Mi
   retention: 30d
+  retentionSize: 16GB
   ruleNamespaceSelector: {}
   ruleSelector: {}
   scrapeConfigNamespaceSelector: {}

deploy/prometheus/prometheus-additional-scrape-configs.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: prometheus-additional-scrape-configs
+  namespace: monitoring
+stringData:
+  additional-scrape-configs.yaml: |
+    - job_name: 'proxmox-holly-node-exporter'
+      scheme: https
+      metrics_path: /metrics
+      static_configs:
+        - targets: ['node-exporter.holly.panic.haus']

deploy/redis/redis-statefulset.yaml

@@ -16,6 +16,8 @@ spec:
       labels:
         app: redis
     spec:
+      nodeSelector:
+        kubernetes.io/arch: amd64
       containers:
       - name: redis
         image: redis:7.4-alpine