create plausible clickhouse database

2025-12-10 13:00:14 +01:00
42 changed files with 47 additions and 1926 deletions
--- a/.gitea/workflows/crowdsec.yaml
+++ b/.gitea/workflows/crowdsec.yaml
@@ -16,11 +16,10 @@ concurrency:
 .vault_step: &vault_step
  name: read vault secret
-  uses: https://gitea.arcodange.lab/arcodange-org/vault-action.git@main
+  uses: https://gitea.arcodange.duckdns.org/arcodange-org/vault-action.git@main
  id: vault-secrets
  with:
-    url: https://vault.arcodange.lab
+    url: https://vault.arcodange.duckdns.org
    caCertificate: ${{ secrets.HOMELAB_CA_CERT }}
    jwtGiteaOIDC: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
    role: gitea_cicd_crowdsec
    method: jwt
@@ -50,12 +49,12 @@ jobs:
    env:
      OPENTOFU_VERSION: 1.8.2
      TERRAFORM_VAULT_AUTH_JWT: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
      VAULT_CACERT: "${{ github.workspace }}/homelab.pem"
    steps:
      - *vault_step
      - uses: actions/checkout@v4
-      - name: prepare vault self signed cert
+      # - uses: dflook/terraform-plan@v1
-        run: echo -n "${{ secrets.HOMELAB_CA_CERT }}" | base64 -d > $VAULT_CACERT
+      #   with:
      #     path: hashicorp-vault/iac
      - name: terraform apply
        uses: dflook/terraform-apply@v1
        with:
--- a/.gitea/workflows/helmcharts.yaml
+++ b/.gitea/workflows/helmcharts.yaml
@@ -165,7 +165,7 @@ jobs:
          chart_package=${chart}-${chart_version}.tgz
          # helm package ${chart}
          tar -X ${chart}/.helmignore -czf ${chart_package} ${chart}
-          curl --user ${{ github.actor }}:${{ secrets.PACKAGES_TOKEN }} -X POST --upload-file ./${chart_package} https://gitea.arcodange.lab/api/packages/${{ github.repository_owner }}/helm/api/charts
+          curl --user ${{ github.actor }}:${{ secrets.PACKAGES_TOKEN }} -X POST --upload-file ./${chart_package} https://gitea.arcodange.duckdns.org/api/packages/${{ github.repository_owner }}/helm/api/charts
  application-charts:
    <<: *charts-matrix-job
--- a/.gitea/workflows/plausible.yaml
+++ b/.gitea/workflows/plausible.yaml
@@ -1,63 +0,0 @@
 ---
 # template source: https://github.com/bretfisher/docker-build-workflow/blob/main/templates/call-docker-build.yaml
 name: Plausible
 on: #[push,pull_request]
  workflow_dispatch: {}
  push: &plausiblePaths
    paths:
      - 'plausible/**/*.tf'
  pull_request: *plausiblePaths
 # cancel any previously-started, yet still active runs of this workflow on the same branch
 concurrency:
  group: ${{ github.ref }}-${{ github.workflow }}
  cancel-in-progress: true
 .vault_step: &vault_step
  name: read vault secret
  uses: https://gitea.arcodange.lab/arcodange-org/vault-action.git@main
  id: vault-secrets
  with:
    url: https://vault.arcodange.lab
    caCertificate: ${{ secrets.HOMELAB_CA_CERT }}
    jwtGiteaOIDC: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
    role: gitea_cicd_plausible
    method: jwt
    path: gitea_jwt
    secrets: |
        kvv1/google/credentials credentials | GOOGLE_BACKEND_CREDENTIALS ;
        kvv1/gitea/tofu_module_reader ssh_private_key | TERRAFORM_SSH_KEY ;
 jobs:
  gitea_vault_auth:
    name: Auth with gitea for vault
    runs-on: ubuntu-latest
    outputs:
      gitea_vault_jwt: ${{steps.gitea_vault_jwt.outputs.id_token}}
    steps:
      - name: Auth with gitea for vault
        id: gitea_vault_jwt
        run: |
          echo -n "${{ secrets.vault_oauth__sh_b64 }}" | base64 -d | bash
  tofu:
    name: Tofu - plausible IAC
    needs:
      - gitea_vault_auth
    runs-on: ubuntu-latest
    env:
      OPENTOFU_VERSION: 1.8.2
      TERRAFORM_VAULT_AUTH_JWT: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
      VAULT_CACERT: "${{ github.workspace }}/homelab.pem"
    steps:
      - *vault_step
      - uses: actions/checkout@v4
      - name: prepare vault self signed cert
        run: echo -n "${{ secrets.HOMELAB_CA_CERT }}" | base64 -d > $VAULT_CACERT
      - name: terraform apply
        uses: dflook/terraform-apply@v1
        with:
          path: plausible/iac
          auto_approve: true
--- a/.gitea/workflows/vault.yaml
+++ b/.gitea/workflows/vault.yaml
@@ -16,11 +16,10 @@ concurrency:
 .vault_step: &vault_step
  name: read vault secret
-  uses: https://gitea.arcodange.lab/arcodange-org/vault-action.git@main
+  uses: https://gitea.arcodange.duckdns.org/arcodange-org/vault-action.git@main
  id: vault-secrets
  with:
-    url: https://vault.arcodange.lab
+    url: https://vault.arcodange.duckdns.org
    caCertificate: ${{ secrets.HOMELAB_CA_CERT }}
    jwtGiteaOIDC: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
    role: gitea_cicd
    method: jwt
@@ -51,12 +50,12 @@ jobs:
    env:
      OPENTOFU_VERSION: 1.8.2
      TERRAFORM_VAULT_AUTH_JWT: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
      VAULT_CACERT: "${{ github.workspace }}/homelab.pem"
    steps:
      - *vault_step
      - uses: actions/checkout@v4
-      - name: prepare vault self signed cert
+      # - uses: dflook/terraform-plan@v1
-        run: echo -n "${{ secrets.HOMELAB_CA_CERT }}" | base64 -d > $VAULT_CACERT
+      #   with:
      #     path: hashicorp-vault/iac
      - name: terraform apply
        uses: dflook/terraform-apply@v1
        with:
--- a/chart/templates/apps.yaml
+++ b/chart/templates/apps.yaml
@@ -10,7 +10,7 @@ metadata:
 spec:
  project: tools
  source:
-    repoURL: https://gitea.arcodange.lab/arcodange-org/tools
+    repoURL: https://gitea.arcodange.duckdns.org/arcodange-org/tools
    targetRevision: HEAD
    path: {{ $app_name }}
  destination:
--- a/chart/templates/project.yaml
+++ b/chart/templates/project.yaml
@@ -10,7 +10,7 @@ metadata:
 spec:
  description: Arcodange tools (monitoring, cache, connection pool, secret management...)
  sourceRepos:
-  - 'https://gitea.arcodange.lab/arcodange-org/tools'
+  - 'https://gitea.arcodange.duckdns.org/arcodange-org/tools'
  # Only permit applications to deploy to the tools namespace in the same cluster
  destinations:
  - namespace: tools
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -7,5 +7,3 @@ tools:
  redis: {}
  clickhouse: {}
  grafana: {}
  plausible: {}
  prometheus: {}
--- a/clickhouse/charts/databases/Chart.yaml
+++ b/clickhouse/charts/databases/Chart.yaml
@@ -21,4 +21,4 @@ version: 0.1.0
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "24.12.6.70-alpine"
+appVersion: "0.0.0"
--- a/clickhouse/charts/databases/templates/init-databases-job.yaml
+++ b/clickhouse/charts/databases/templates/init-databases-job.yaml
@@ -5,15 +5,13 @@ metadata:
  labels:
    app.kubernetes.io/name: clickhouse-db-init
    app.kubernetes.io/instance: {{ .Release.Name }}
  annotations:
    checksum/config: {{ include (print $.Template.BasePath "/init-sql-configmap.yaml") . | sha256sum }}
 spec:
  template:
    spec:
      restartPolicy: OnFailure
      containers:
        - name: clickhouse-init
-          image: clickhouse/clickhouse-server:{{ .Chart.AppVersion }}
+          image: clickhouse/clickhouse-client:latest
          command: ["bash", "-c"]
          args:
            - |
--- a/clickhouse/charts/databases/templates/init-sql-configmap.yaml
+++ b/clickhouse/charts/databases/templates/init-sql-configmap.yaml
@@ -21,6 +21,4 @@ data:
      ON {{ $db }}.*
      TO {{ $db }};
    GRANT SELECT ON system.* TO {{ $db }};
    {{- end }}
--- a/clickhouse/clickhouseValues.yaml
+++ b/clickhouse/clickhouseValues.yaml
@@ -158,15 +158,15 @@ resources: {}
  #   memory: 128Mi
 # -- Pod-level affinity. More info [here](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling).
-affinity:
+affinity: {}
-  nodeAffinity:
+  # nodeAffinity:
-    requiredDuringSchedulingIgnoredDuringExecution:
+  #   requiredDuringSchedulingIgnoredDuringExecution:
-      nodeSelectorTerms:
+  #     nodeSelectorTerms:
-      - matchExpressions:
+  #       - matchExpressions:
-        - key: kubernetes.io/hostname
+  #           - key: kubernetes.io/hostname
-          operator: NotIn
+  #             operator: In
-          values:
+  #             values:
-          - pi2
+  #               - my-node-xyz
 # -- Pod-level tolerations. More info [here](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling).
 tolerations: []
--- a/clickhouse/kustomization.yaml
+++ b/clickhouse/kustomization.yaml
@@ -1,6 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: tools
 helmGlobals:
 chartHome: charts
--- a/crowdsec/Chart.yaml
+++ b/crowdsec/Chart.yaml
@@ -5,7 +5,7 @@ description: A Helm chart for Kubernetes
 dependencies:
 - name: tool
  version: 0.1.0
-  repository: https://gitea.arcodange.lab/api/packages/arcodange-org/helm
+  repository: https://gitea.arcodange.duckdns.org/api/packages/arcodange-org/helm
 - name: crowdsec
  version: 0.20.1
  repository: https://crowdsecurity.github.io/helm-charts
--- a/crowdsec/iac/providers.tf
+++ b/crowdsec/iac/providers.tf
@@ -8,7 +8,7 @@ terraform {
 }
 provider "vault" {
-  address = "https://vault.arcodange.lab"
+  address = "https://vault.arcodange.duckdns.org"
  auth_login_jwt { # TERRAFORM_VAULT_AUTH_JWT environment variable
    mount = "gitea_jwt"
    role  = "gitea_cicd_crowdsec"
--- a/crowdsec/values.yaml
+++ b/crowdsec/values.yaml
@@ -23,8 +23,6 @@ crowdsec: &crowdsec_config
      - name: TZ
        value: Europe/Paris
  lapi:
    strategy:
      type: Recreate
    env:
      - name: TZ
        value: Europe/Paris
--- a/grafana/Chart.yaml
+++ b/grafana/Chart.yaml
@@ -16,7 +16,7 @@ description: A Helm chart for Kubernetes
 dependencies:
 - name: tool
  version: 0.1.0
-  repository: https://gitea.arcodange.lab/api/packages/arcodange-org/helm
+  repository: https://gitea.arcodange.duckdns.org/api/packages/arcodange-org/helm
 - name: grafana
  version: 10.3.0
  repository: https://grafana.github.io/helm-charts
--- a/grafana/values.yaml
+++ b/grafana/values.yaml
@@ -270,11 +270,11 @@ grafana: &grafana_config
      traefik.ingress.kubernetes.io/router.entrypoints: websecure
      traefik.ingress.kubernetes.io/router.tls: "true"
      traefik.ingress.kubernetes.io/router.tls.certresolver: letsencrypt
-      traefik.ingress.kubernetes.io/router.tls.domains.0.main: arcodange.lab
+      traefik.ingress.kubernetes.io/router.tls.domains.0.main: arcodange.duckdns.org
-      traefik.ingress.kubernetes.io/router.tls.domains.0.sans: grafana.arcodange.lab
+      traefik.ingress.kubernetes.io/router.tls.domains.0.sans: grafana.arcodange.duckdns.org
      traefik.ingress.kubernetes.io/router.middlewares: localIp@file
    hosts:
-      - grafana.arcodange.lab
+      - grafana.arcodange.duckdns.org
  resources:
   limits:
@@ -553,11 +553,11 @@ grafana: &grafana_config
            username: arcodange
          secureJsonData:
            password: clickhousearcodange
-        - name: Prometheus
+  #    - name: Prometheus
-          type: prometheus
+  #      type: prometheus
-          url: http://prometheus-server.tools.svc.cluster.local
+  #      url: http://prometheus-prometheus-server
-          access: proxy
+  #      access: proxy
-          isDefault: true
+  #      isDefault: true
  #    - name: CloudWatch
  #      type: cloudwatch
  #      access: proxy
@@ -695,15 +695,6 @@ grafana: &grafana_config
          disableDeletion: false
          options:
            path: /var/lib/grafana/dashboards/clickhouse
        - name: 'grafana-dashboards-kubernetes'
          orgId: 1
          folder: 'Kubernetes'
          type: file
          disableDeletion: true
          editable: true
          options:
            path: /var/lib/grafana/dashboards/grafana-dashboards-kubernetes
        # - name: 'default'
        #   orgId: 1
        #   folder: ''
@@ -738,26 +729,6 @@ grafana: &grafana_config
        curlOptions: "-sLf"
        datasource: clickhouse
    grafana-dashboards-kubernetes:
      k8s-system-api-server:
        url: https://raw.githubusercontent.com/dotdc/grafana-dashboards-kubernetes/master/dashboards/k8s-system-api-server.json
        token: ''
      k8s-system-coredns:
        url: https://raw.githubusercontent.com/dotdc/grafana-dashboards-kubernetes/master/dashboards/k8s-system-coredns.json
        token: ''
      k8s-views-global:
        url: https://raw.githubusercontent.com/dotdc/grafana-dashboards-kubernetes/master/dashboards/k8s-views-global.json
        token: ''
      k8s-views-namespaces:
        url: https://raw.githubusercontent.com/dotdc/grafana-dashboards-kubernetes/master/dashboards/k8s-views-namespaces.json
        token: ''
      k8s-views-nodes:
        url: https://raw.githubusercontent.com/dotdc/grafana-dashboards-kubernetes/master/dashboards/k8s-views-nodes.json
        token: ''
      k8s-views-pods:
        url: https://raw.githubusercontent.com/dotdc/grafana-dashboards-kubernetes/master/dashboards/k8s-views-pods.json
        token: ''
    # default:
    #   some-dashboard:
    #     json: |
--- a/hashicorp-vault/Chart.yaml
+++ b/hashicorp-vault/Chart.yaml
@@ -5,7 +5,7 @@ description: A Helm chart for Kubernetes
 dependencies:
 - name: tool
  version: 0.1.0
-  repository: https://gitea.arcodange.lab/api/packages/arcodange-org/helm
+  repository: https://gitea.arcodange.duckdns.org/api/packages/arcodange-org/helm
 - name: vault
  version: 0.28.1
  repository: https://helm.releases.hashicorp.com
--- a/hashicorp-vault/README.md
+++ b/hashicorp-vault/README.md
@@ -1,8 +1,8 @@
 # Vault
-1. Les [playbooks ansible](https://gitea.arcodange.lab/arcodange-org/factory/src/branch/main/ansible/arcodange/factory/playbooks) configurent la base de données postgres et le minimum requis pour permetre au dépot "tools" d'appliquer via un workflow gitea action [une configuration vault via tofu](./iac/).
+1. Les [playbooks ansible](https://gitea.arcodange.duckdns.org/arcodange-org/factory/src/branch/main/ansible/arcodange/factory/playbooks) configurent la base de données postgres et le minimum requis pour permetre au dépot "tools" d'appliquer via un workflow gitea action [une configuration vault via tofu](./iac/).
 2. Configuration des backend d'authentification et des roles pour postgres et kubernetes. Définition de rôles "${app}-ops" pour permettre au dépot d'une application de définir ses propres dépendances dans vault. Rotation de credentials postgres pour les applications.
-3. [Le dépot de l'application webapp](https://gitea.arcodange.lab/arcodange-org/webapp) gère l'obtention de ses crédentials pour postgres.
+3. [Le dépot de l'application webapp](https://gitea.arcodange.duckdns.org/arcodange-org/webapp) gère l'obtention de ses crédentials pour postgres.
 ```mermaid
 flowchart LR
--- a/hashicorp-vault/iac/providers.tf
+++ b/hashicorp-vault/iac/providers.tf
@@ -8,7 +8,7 @@ terraform {
 }
 provider "vault" {
-  address = "https://vault.arcodange.lab"
+  address = "https://vault.arcodange.duckdns.org"
  auth_login_jwt { # TERRAFORM_VAULT_AUTH_JWT environment variable
    mount = "gitea_jwt"
    role  = "gitea_cicd"
--- a/hashicorp-vault/iac/terraform.tfvars
+++ b/hashicorp-vault/iac/terraform.tfvars
@@ -1,7 +1,6 @@
 applications = [
  { name = "webapp" },
  { name = "erp" },
  { name = "dance-lessons-coach" },
  {
    name                   = "cms"
    ops_policies               = ["factory__cf_r2_arcodange_tf"]
@@ -11,8 +10,4 @@ applications = [
    name = "crowdsec"
    service_account_namespaces = ["tools"]
  },
  {
    name = "plausible"
    service_account_namespaces = ["tools"]
  },
 ]
--- a/hashicorp-vault/values.yaml
+++ b/hashicorp-vault/values.yaml
@@ -15,11 +15,11 @@ vault: &vault_config
        traefik.ingress.kubernetes.io/router.entrypoints: websecure
        traefik.ingress.kubernetes.io/router.tls: "true"
        traefik.ingress.kubernetes.io/router.tls.certresolver: letsencrypt
-        traefik.ingress.kubernetes.io/router.tls.domains.0.main: arcodange.lab
+        traefik.ingress.kubernetes.io/router.tls.domains.0.main: arcodange.duckdns.org
-        traefik.ingress.kubernetes.io/router.tls.domains.0.sans: vault.arcodange.lab
+        traefik.ingress.kubernetes.io/router.tls.domains.0.sans: vault.arcodange.duckdns.org
        traefik.ingress.kubernetes.io/router.middlewares: localIp@file
      hosts:
-        - host: vault.arcodange.lab
+        - host: vault.arcodange.duckdns.org
          paths: []
  postStart: [] # https://github.com/hashicorp/vault-helm/blob/main/values.yaml
--- a/pgbouncer/Chart.yaml
+++ b/pgbouncer/Chart.yaml
@@ -5,7 +5,7 @@ description: A Helm chart for Kubernetes
 dependencies:
 - name: tool
  version: 0.1.0
-  repository: https://gitea.arcodange.lab/api/packages/arcodange-org/helm
+  repository: https://gitea.arcodange.duckdns.org/api/packages/arcodange-org/helm
 - name: pgbouncer
  version: 2.3.1
  repository: https://icoretech.github.io/helm
--- a/pgbouncer/values.yaml
+++ b/pgbouncer/values.yaml
@@ -15,7 +15,6 @@ pgbouncer: &pgbouncer_config
      auth_query: SELECT uname, phash FROM user_lookup($1)
      ignore_startup_parameters: extra_float_digits # unsupported jdbc extra_float_digits=2 argument
      server_reset_query: DEALLOCATE ALL # fix prepared statement already exist (crowdsec)
      server_idle_timeout: 7200
  pgbouncerExporter:
    enabled: false
--- a/pgcat/Chart.yaml
+++ b/pgcat/Chart.yaml
@@ -5,7 +5,7 @@ description: A Helm chart for Kubernetes
 dependencies:
 - name: tool
  version: 0.1.0
-  repository: https://gitea.arcodange.lab/api/packages/arcodange-org/helm
+  repository: https://gitea.arcodange.duckdns.org/api/packages/arcodange-org/helm
 - name: pgcat
  version: 0.1.0
  repository: https://improwised.github.io/charts/
--- a/plausible/add-initcontainer.yaml
+++ b/plausible/add-initcontainer.yaml
@@ -1,36 +0,0 @@
 - op: add
  path: /spec/template/spec/containers/0/volumeMounts/-
  value:
    name: generated-secrets
    mountPath: /run/secrets
 - op: add
  path: /spec/template/spec/initContainers/0/volumeMounts
  value:
    - name: generated-secrets
      mountPath: /run/secrets
 - op: add
  path: /spec/template/spec/initContainers/0
  value:
    name: build-database-url
    image: alpine:3.19
    command: ["/bin/sh", "-c"]
    args:
      - |
        echo "postgres://${DB_USER}:${DB_PASS}@${DB_HOST}:${DB_PORT}/${DB_NAME}" > /run/secrets/DATABASE_URL
    volumeMounts:
      - name: generated-secrets
        mountPath: /run/secrets
    env:
      - name: DB_USER
        valueFrom:
          secretKeyRef:
            name: plausible-db-credentials
            key: username
      - name: DB_PASS
        valueFrom:
          secretKeyRef:
            name: plausible-db-credentials
            key: password
    envFrom:
      - configMapRef:
          name: plausible-config
--- a/plausible/iac/backend.tf
+++ b/plausible/iac/backend.tf
@@ -1,6 +0,0 @@
 terraform {
  backend "gcs" {
    bucket = "arcodange-tf"
    prefix = "tools/plausible/main"
  }
 }
--- a/plausible/iac/main.tf
+++ b/plausible/iac/main.tf
@@ -1,30 +0,0 @@
 module "app_roles" {
  source = "git::ssh://git@192.168.1.202:2222/arcodange-org/tools.git//hashicorp-vault/iac/modules/app_roles?depth=1&ref=main"
  name = "plausible"
  service_account_namespaces = ["tools"]
 }
 # https://github.com/plausible/community-edition/wiki/configuration#database
 #SECRET_KEY_BASE (openssl rand -base64 48)
 #
 resource "random_password" "secret" {
  for_each = toset(["48","32"])
  length  = tonumber(each.value)
  special = false
 }
 locals {
  config = {
    SECRET_KEY_BASE = base64encode(random_password.secret["48"].result)
    TOTP_VAULT_KEY = base64encode(random_password.secret["32"].result)
  }
 }
 resource "vault_kv_secret_v2" "config" {
  mount                      = "kvv2"
  name                       = "plausible/config"
  cas                        = 1
 #   delete_all_versions        = true
  data_json                  = jsonencode(local.config)
 }
--- a/plausible/iac/providers.tf
+++ b/plausible/iac/providers.tf
@@ -1,16 +0,0 @@
 terraform {
  required_providers {
    vault = {
      source  = "vault"
      version = "4.4.0"
    }
  }
 }
 provider "vault" {
  address = "https://vault.arcodange.lab"
  auth_login_jwt { # TERRAFORM_VAULT_AUTH_JWT environment variable
    mount = "gitea_jwt"
    role  = "gitea_cicd_plausible"
  }
 }
--- a/plausible/kustomization.yaml
+++ b/plausible/kustomization.yaml
@@ -1,85 +0,0 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 namespace: tools
 # https://kubectl.docs.kubernetes.io/references/kustomize/builtins/#_helmchartinflationgenerator_
 helmCharts:
 - name: plausible
  repo: https://charts.pascaliske.dev
  version: 2.0.0
  releaseName: plausible
  valuesFile: plausibleValues.yaml
  namespace: tools
 patches:
  - target:
      kind: IngressRoute
      name: plausible-route
    patch: |-
      - op: add
        path: /spec/tls
        value:
          certResolver: letsencrypt
          domains:
          - main: arcodange.lab
            sans:
            - analytics.arcodange.lab
 resources:
  - resources/vaultauth.yaml
  - resources/vaultdynamicsecret.yaml
  - resources/vaultsecret.yaml
  - resources/configmap.yaml
  - resources/geoipsecret.yaml
  - resources/ingressroute.yaml
 patchesJson6902:
  - target:
      version: v1
      kind: Deployment
      name: plausible
    patch: |-
      - op: replace
        path: /spec/template/spec/containers/1/env/2
        value:
          name: GEOIPUPDATE_LICENSE_KEY
          valueFrom:
            secretKeyRef:
              name: plausible-geoip
              key: LICENSE_KEY
      - op: replace
        path: /spec/template/spec/containers/1/env/4
        value:
          name: GEOIPUPDATE_EDITION_IDS
          value: "GeoLite2-Country GeoLite2-City"
      - op: add
        path: /spec/template/spec/containers/0/env/2
        value:
          name: IP_GEOLOCATION_DB
          value: /geoip/GeoLite2-City.mmdb
      - op: add
        path: /spec/template/spec/volumes/-
        value:
          name: generated-secrets
          emptyDir:
            medium: Memory
      - op: add
        path: /spec/template/spec/containers/0/envFrom
        value:
          - configMapRef:
              name: plausible-config
      - op: add
        path: /spec/template/spec/initContainers/0/envFrom
        value:
          - configMapRef:
              name: plausible-config
      - op: replace
        path: /spec/template/spec/initContainers/0/args
        value:
          - >-
            sleep 10 && /entrypoint.sh db migrate
  - target:
      version: v1
      kind: Deployment
      name: plausible
    path: add-initcontainer.yaml
--- a/plausible/plausibleValues.yaml
+++ b/plausible/plausibleValues.yaml
@@ -1,180 +0,0 @@
 image:
  # -- The registry to pull the image from.
  registry: ghcr.io
  # -- The repository to pull the image from.
  repository: plausible/community-edition
  # -- The docker tag, if left empty chart's appVersion will be used.
  # @default -- `.Chart.AppVersion`
  tag: ''
  # -- The pull policy for the controller.
  pullPolicy: IfNotPresent
 nameOverride: ''
 fullnameOverride: ''
 controller:
  # -- Create a workload for this chart.
  enabled: true
  # -- Type of the workload object.
  kind: Deployment
  # -- The number of replicas.
  replicas: 1
  # -- Additional annotations for the controller object.
  annotations: {}
  # -- Additional labels for the controller object.
  labels: {}
 service:
  # -- Create a service for exposing this chart.
  enabled: true
  # -- The service type used.
  type: ClusterIP
  # -- ClusterIP used if service type is `ClusterIP`.
  clusterIP: ''
  # -- LoadBalancerIP if service type is `LoadBalancer`.
  loadBalancerIP: ''
  # -- Allowed addresses when service type is `LoadBalancer`.
  loadBalancerSourceRanges: []
  # -- Additional annotations for the service object.
  annotations: {}
  # -- Additional labels for the service object.
  labels: {}
 serviceMonitor:
  # -- Create a service monitor for prometheus operator.
  enabled: false
  # -- How frequently the exporter should be scraped.
  interval: 30s
  # -- Timeout value for individual scrapes.
  timeout: 10s
  # -- Additional annotations for the service monitor object.
  annotations: {}
  # -- Additional labels for the service monitor object.
  labels: {}
 ingressRoute:
  # -- Create an IngressRoute object for exposing this chart.
  create: true
  # -- List of [entry points](https://doc.traefik.io/traefik/routing/routers/#entrypoints) on which the ingress route will be available.
  entryPoints: [websecure]
  # -- [Matching rule](https://doc.traefik.io/traefik/routing/routers/#rule) for the underlying router.
  rule: Host(`analytics.arcodange.lab`)
  # -- List of [middleware objects](https://doc.traefik.io/traefik/routing/providers/kubernetes-crd/#kind-middleware) for the ingress route.
  middlewares:
    - name: localIp@file
  # -- Use an existing secret containing the TLS certificate.
  tlsSecretName: ''
  # -- Additional annotations for the ingress route object.
  annotations: {}
  # -- Additional labels for the ingress route object.
  labels: {}
 certificate:
  # -- Create an Certificate object for the exposed chart.
  create: false
  # -- List of subject alternative names for the certificate.
  dnsNames: []
  # -- Name of the secret in which the certificate will be stored. Defaults to the first item in dnsNames.
  secretName: ''
  issuerRef:
    # -- Type of the referenced certificate issuer. Can be "Issuer" or "ClusterIssuer".
    kind: ClusterIssuer
    # -- Name of the referenced certificate issuer.
    name: ''
  # -- Additional annotations for the certificate object.
  annotations: {}
  # -- Additional labels for the certificate object.
  labels: {}
 env:
  # -- Timezone for the container.
  - name: TZ
    value: Europe/Paris
 ports:
  http:
    # -- Enable the port inside the `Deployment` and `Service` objects.
    enabled: true
    # -- The port used as internal port and cluster-wide port if `.service.type` == `ClusterIP`.
    port: 8000
    # -- The external port used if `.service.type` == `NodePort`.
    nodePort: null
    # -- The protocol used for the service.
    protocol: TCP
 secret:
  # -- Create a new secret object.
  create: false
  # -- Use an existing secret object.
  existingSecret: 'plausible-config'
  # -- Secret values used when not using an existing secret. Helm templates are supported for values.
  values:
    # -- Secret key for session tokens.
    SECRET_KEY_BASE: '{{ randAlphaNum 42 | b64enc }}'
    # -- Encryption token for TOTP secrets.
    TOTP_VAULT_KEY: '{{ randAlphaNum 32 | b64enc }}'
  # -- Additional annotations for the secret object.
  annotations: {}
  # -- Additional labels for the secret object.
  labels: {}
 geoip:
  # -- Enable support for MaxMinds GeoLite2 database.
  enabled: true
  image:
    # -- The repository for the geoip image.
    repository: ghcr.io/maxmind/geoipupdate
    # -- The docker tag for the geoip image.
    tag: v7.1.1
  # -- Required. MaxMind account ID.
  accountId: '1266329'
  # -- Required. Case-sensitive MaxMind license key.
  # licenseKey: 'kvv2/data/plausible/geoip LICENSE_KEY'
  # -- Optional. Database update frequency. Defaults to "168" which equals 7 days.
  frequency: 168
  # -- Optional. Specify the database mount path inside the containers.
  mountPath: /geoip
 serviceAccount:
  # -- Create a `ServiceAccount` object.
  create: true
  # -- Specify the service account used for the controller.
  name: ''
  # -- Additional annotations for the service account object.
  annotations: {}
  # -- Additional labels for the service account object.
  labels: {}
 # -- Pod-level security attributes. More info [here](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context).
 securityContext: {}
  # fsGroup: 1000
  # runAsNonRoot: true
  # runAsGroup: 1000
  # runAsUser: 1000
 # -- Compute resources used by the container. More info [here](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
 resources: {}
  # limits:
  #   cpu: 100m
  #   memory: 128Mi
  # requests:
  #   cpu: 100m
  #   memory: 128Mi
 # -- Pod-level affinity. More info [here](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling).
 affinity: {}
  # nodeAffinity:
  #   requiredDuringSchedulingIgnoredDuringExecution:
  #     nodeSelectorTerms:
  #       - matchExpressions:
  #           - key: kubernetes.io/hostname
  #             operator: In
  #             values:
  #               - my-node-xyz
 # -- Pod-level tolerations. More info [here](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling).
 tolerations: []
  # - key: node-role.kubernetes.io/control-plane
  #   operator: Exists
  #   effect: NoSchedule
--- a/plausible/resources/configmap.yaml
+++ b/plausible/resources/configmap.yaml
@@ -1,21 +0,0 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: plausible-config
  namespace: tools
 # Doc: https://github.com/plausible/community-edition/wiki/Configuration
 data:
  DB_HOST: pgbouncer.tools
  DB_PORT: !!str 5432
  DB_NAME: plausible
  BASE_URL: https://analytics.arcodange.lab
  CLICKHOUSE_DATABASE_URL: http://plausible:plausiblearcodange@clickhouse.tools:8123/plausible
  DB_POOL_SIZE: "30"
  DB_QUEUE_TARGET: "10000"  # 10 secondes
  DB_CONNECT_TIMEOUT: "30000"  # 30 secondes
  DB_RECONNECT_ATTEMPTS: "5"
  DB_RECONNECT_DELAY: "5000"
--- a/plausible/resources/geoipsecret.yaml
+++ b/plausible/resources/geoipsecret.yaml
@@ -1,24 +0,0 @@
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultStaticSecret
 metadata:
  name: plausible-geoip
  namespace: tools
 spec:
  type: kv-v2
  # mount path
  mount: kvv2
  # path of the secret
  path: plausible/geoip
  # dest k8s secret
  destination:
    name: plausible-geoip
    create: true
  # static secret refresh interval
  refreshAfter: 30s
  # Name of the CRD to authenticate to Vault
  vaultAuthRef: plausible
--- a/plausible/resources/ingressroute.yaml
+++ b/plausible/resources/ingressroute.yaml
@@ -1,20 +0,0 @@
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
  name: plausible-external
  labels:
    app.kubernetes.io/instance: plausible
    app.kubernetes.io/name: plausible
 spec:
  entryPoints:
    - web
  routes:
    - kind: Rule
      match: Host(`analytics.arcodange.fr`) && (PathPrefix(`/api/event`) || PathPrefix(`/js/`))
      middlewares:
        - name: kube-system-crowdsec@kubernetescrd
      services:
        - kind: Service
          name: plausible-web
          namespace: tools
          port: 8000
--- a/plausible/resources/vaultauth.yaml
+++ b/plausible/resources/vaultauth.yaml
@@ -1,14 +0,0 @@
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultAuth
 metadata:
  name: plausible
  namespace: tools
 spec:
  vaultConnectionRef: default
  method: kubernetes
  mount: kubernetes
  kubernetes:
    role: plausible
    serviceAccount: plausible
    audiences:
      - vault
--- a/plausible/resources/vaultdynamicsecret.yaml
+++ b/plausible/resources/vaultdynamicsecret.yaml
@@ -1,25 +0,0 @@
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultDynamicSecret
 metadata:
  name: plausible-db-credentials
  namespace: tools
 spec:
  # Mount path of the secrets backend
  mount: postgres
  # Path to the secret
  path: creds/plausible
  # Where to store the secrets, VSO will create the secret
  destination:
    create: true
    name: plausible-db-credentials
  # Restart these pods when secrets rotated
  rolloutRestartTargets:
  - kind: Deployment
    name: plausible
  # Name of the CRD to authenticate to Vault
  vaultAuthRef: plausible
--- a/plausible/resources/vaultsecret.yaml
+++ b/plausible/resources/vaultsecret.yaml
@@ -1,24 +0,0 @@
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultStaticSecret
 metadata:
  name: plausible
  namespace: tools
 spec:
  type: kv-v2
  # mount path
  mount: kvv2
  # path of the secret
  path: plausible/config
  # dest k8s secret
  destination:
    name: plausible-config
    create: true
  # static secret refresh interval
  refreshAfter: 30s
  # Name of the CRD to authenticate to Vault
  vaultAuthRef: plausible
--- a/prometheus/Chart.yaml
+++ b/prometheus/Chart.yaml
@@ -1,23 +0,0 @@
 apiVersion: v2
 name: prometheus
 description: A Helm chart for Kubernetes
 dependencies:
 - name: tool
  version: 0.1.0
  repository: https://gitea.arcodange.lab/api/packages/arcodange-org/helm
 - name: prometheus
  version: 28.13.0
  repository: https://prometheus-community.github.io/helm-charts
 # A chart can be either an 'application' or a 'library' chart.
 #
 # Application charts are a collection of templates that can be packaged into versioned archives
 # to be deployed.
 #
 # Library charts provide useful utilities or functions for the chart developer. They're included as
 # a dependency of application charts to inject those utilities and functions into the rendering
 # pipeline. Library charts do not define any templates and therefore cannot be deployed.
 type: application
 version: 0.1.0
 appVersion: "v3.10.0"
--- a/prometheus/templates/helm-chart-config.yaml
+++ b/prometheus/templates/helm-chart-config.yaml
@@ -1,3 +0,0 @@
 {{- if eq .Values.tool.kind "HelmChart" -}}
 {{- include "tool.helm-chart-config.tpl" . -}}
 {{- end -}}
--- a/prometheus/templates/helm-chart.yaml
+++ b/prometheus/templates/helm-chart.yaml
@@ -1,3 +0,0 @@
 {{- if eq .Values.tool.kind "HelmChart" -}}
 {{- include "tool.helm-chart.tpl" . -}}
 {{- end -}}
--- a/prometheus/values.yaml
+++ b/prometheus/values.yaml
--- a/redis/Chart.yaml
+++ b/redis/Chart.yaml
@@ -16,7 +16,7 @@ description: A Helm chart for Kubernetes
 dependencies:
 - name: tool
  version: 0.1.0
-  repository: https://gitea.arcodange.lab/api/packages/arcodange-org/helm
+  repository: https://gitea.arcodange.duckdns.org/api/packages/arcodange-org/helm
 - name: redis
  version: 2.1.0
  repository: https://charts.pascaliske.dev