feat(k3s): add outline setup

Author: raisedadead

k3s/apps/outline/manifests/base/kustomization.yaml

@@ -0,0 +1,21 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: outline
+
+resources:
+- namespace.yaml
+
+secretGenerator:
+- name: outline-secrets
+  type: Opaque
+  envs:
+  - secrets/.secrets.env
+  options:
+    disableNameSuffixHash: true
+- name: outline-tls-cloudflare
+  type: kubernetes.io/tls
+  files:
+  - tls.crt=secrets/tls.crt
+  - tls.key=secrets/tls.key
+  options:
+    disableNameSuffixHash: true

k3s/apps/outline/manifests/base/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: outline

k3s/apps/outline/manifests/base/secrets/.secrets.env.sample

@@ -0,0 +1,30 @@
+# Outline secrets for outline.freecodecamp.net
+# All values must be unquoted
+# Generate secrets with: openssl rand -hex 32
+
+# =============================================================================
+# REQUIRED - Application Secrets
+# =============================================================================
+SECRET_KEY=<openssl-rand-hex-32>
+UTILS_SECRET=<openssl-rand-hex-32>
+
+# =============================================================================
+# REQUIRED - Database (internal, don't change unless you know what you're doing)
+# =============================================================================
+POSTGRES_USER=outline
+POSTGRES_PASSWORD=<generate-secure-password>
+POSTGRES_DB=outline
+
+# =============================================================================
+# REQUIRED - Google OAuth
+# =============================================================================
+# Create at: https://console.cloud.google.com/apis/credentials
+# Authorized redirect URI: https://outline.freecodecamp.net/auth/google.callback
+GOOGLE_CLIENT_ID=<your-google-client-id>
+GOOGLE_CLIENT_SECRET=<your-google-client-secret>
+
+# =============================================================================
+# OPTIONAL - Restrict to specific domain(s)
+# =============================================================================
+# Comma-separated list of allowed domains for signup
+# GOOGLE_ALLOWED_DOMAINS=freecodecamp.org

k3s/apps/outline/manifests/deployment.yaml

@@ -0,0 +1,180 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: outline
+  namespace: outline
+  labels:
+    app: outline
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: outline
+  template:
+    metadata:
+      labels:
+        app: outline
+    spec:
+      initContainers:
+      - name: fix-permissions
+        image: busybox:1.36
+        command: ["sh", "-c", "chown -R 1001:1001 /var/lib/outline/data"]
+        volumeMounts:
+        - name: outline-data
+          mountPath: /var/lib/outline/data
+      containers:
+      # Outline application
+      - name: outline
+        image: docker.getoutline.com/outlinewiki/outline:latest
+        ports:
+        - containerPort: 3000
+          name: http
+        env:
+        - name: NODE_ENV
+          value: "production"
+        - name: URL
+          value: "https://outline.freecodecamp.net"
+        - name: PORT
+          value: "3000"
+        - name: DATABASE_URL
+          value: "postgres://$(POSTGRES_USER):$(POSTGRES_PASSWORD)@localhost:5432/$(POSTGRES_DB)"
+        - name: PGSSLMODE
+          value: "disable"
+        - name: REDIS_URL
+          value: "redis://localhost:6379"
+        - name: FILE_STORAGE
+          value: "local"
+        - name: FILE_STORAGE_LOCAL_ROOT_DIR
+          value: "/var/lib/outline/data"
+        - name: FILE_STORAGE_UPLOAD_MAX_SIZE
+          value: "262144000"
+        - name: FORCE_HTTPS
+          value: "true"
+        - name: ENABLE_UPDATES
+          value: "false"
+        - name: WEB_CONCURRENCY
+          value: "1"
+        - name: LOG_LEVEL
+          value: "info"
+        - name: DEFAULT_LANGUAGE
+          value: "en_US"
+        envFrom:
+        - secretRef:
+            name: outline-secrets
+        volumeMounts:
+        - name: outline-data
+          mountPath: /var/lib/outline/data
+        resources:
+          requests:
+            cpu: 250m
+            memory: 512Mi
+          limits:
+            cpu: 1000m
+            memory: 1Gi
+        livenessProbe:
+          httpGet:
+            path: /_health
+            port: 3000
+          initialDelaySeconds: 60
+          periodSeconds: 30
+          timeoutSeconds: 10
+        readinessProbe:
+          httpGet:
+            path: /_health
+            port: 3000
+          initialDelaySeconds: 30
+          periodSeconds: 10
+          timeoutSeconds: 5
+
+      # PostgreSQL database
+      - name: postgres
+        image: postgres:16-alpine
+        ports:
+        - containerPort: 5432
+        env:
+        - name: POSTGRES_USER
+          valueFrom:
+            secretKeyRef:
+              name: outline-secrets
+              key: POSTGRES_USER
+        - name: POSTGRES_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: outline-secrets
+              key: POSTGRES_PASSWORD
+        - name: POSTGRES_DB
+          valueFrom:
+            secretKeyRef:
+              name: outline-secrets
+              key: POSTGRES_DB
+        - name: PGDATA
+          value: /var/lib/postgresql/data/pgdata
+        volumeMounts:
+        - name: postgres-data
+          mountPath: /var/lib/postgresql/data
+        resources:
+          requests:
+            cpu: 100m
+            memory: 256Mi
+          limits:
+            cpu: 500m
+            memory: 512Mi
+        livenessProbe:
+          exec:
+            command:
+            - pg_isready
+            - -U
+            - outline
+          initialDelaySeconds: 30
+          periodSeconds: 10
+        readinessProbe:
+          exec:
+            command:
+            - pg_isready
+            - -U
+            - outline
+          initialDelaySeconds: 5
+          periodSeconds: 5
+
+      # Redis cache
+      - name: redis
+        image: redis:7-alpine
+        ports:
+        - containerPort: 6379
+        command:
+        - redis-server
+        - --appendonly
+        - "no"
+        - --save
+        - ""
+        resources:
+          requests:
+            cpu: 50m
+            memory: 64Mi
+          limits:
+            cpu: 200m
+            memory: 128Mi
+        livenessProbe:
+          exec:
+            command:
+            - redis-cli
+            - ping
+          initialDelaySeconds: 10
+          periodSeconds: 10
+        readinessProbe:
+          exec:
+            command:
+            - redis-cli
+            - ping
+          initialDelaySeconds: 5
+          periodSeconds: 5
+
+      volumes:
+      - name: postgres-data
+        persistentVolumeClaim:
+          claimName: outline-postgres
+      - name: outline-data
+        persistentVolumeClaim:
+          claimName: outline-data

k3s/apps/outline/manifests/gateway/gateway.yaml

@@ -0,0 +1,26 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: outline-gateway
+  namespace: outline
+spec:
+  gatewayClassName: traefik
+  listeners:
+  - name: websecure
+    protocol: HTTPS
+    port: 8443
+    hostname: outline.freecodecamp.net
+    tls:
+      mode: Terminate
+      certificateRefs:
+      - name: outline-tls-cloudflare
+    allowedRoutes:
+      namespaces:
+        from: Same
+  - name: web
+    protocol: HTTP
+    port: 8000
+    hostname: outline.freecodecamp.net
+    allowedRoutes:
+      namespaces:
+        from: Same

k3s/apps/outline/manifests/gateway/httproutes.yaml

@@ -0,0 +1,75 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: secure-headers
+  namespace: outline
+spec:
+  headers:
+    customRequestHeaders:
+      X-Forwarded-Proto: "https"
+
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: redirect-https
+  namespace: outline
+spec:
+  redirectScheme:
+    scheme: https
+    permanent: true
+
+---
+# HTTP to HTTPS redirect
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: http-redirect
+  namespace: outline
+spec:
+  parentRefs:
+  - name: outline-gateway
+    namespace: outline
+    sectionName: web
+  hostnames:
+  - outline.freecodecamp.net
+  rules:
+  - filters:
+    - type: ExtensionRef
+      extensionRef:
+        group: traefik.io
+        kind: Middleware
+        name: redirect-https
+    backendRefs:
+    - name: outline
+      port: 80
+
+---
+# Main Outline route
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: outline-route
+  namespace: outline
+spec:
+  parentRefs:
+  - name: outline-gateway
+    namespace: outline
+    sectionName: websecure
+  hostnames:
+  - outline.freecodecamp.net
+  rules:
+  - matches:
+    - path:
+        type: PathPrefix
+        value: /
+    filters:
+    - type: ExtensionRef
+      extensionRef:
+        group: traefik.io
+        kind: Middleware
+        name: secure-headers
+    backendRefs:
+    - name: outline
+      port: 80

k3s/apps/outline/manifests/pvc.yaml

@@ -0,0 +1,25 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: outline-postgres
+  namespace: outline
+spec:
+  accessModes:
+  - ReadWriteOnce
+  storageClassName: longhorn
+  resources:
+    requests:
+      storage: 10Gi
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: outline-data
+  namespace: outline
+spec:
+  accessModes:
+  - ReadWriteOnce
+  storageClassName: longhorn
+  resources:
+    requests:
+      storage: 10Gi

k3s/apps/outline/manifests/service.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: outline
+  namespace: outline
+  labels:
+    app: outline
+spec:
+  type: ClusterIP
+  ports:
+  - port: 80
+    targetPort: 3000
+    protocol: TCP
+    name: http
+  selector:
+    app: outline