Add pcab

mebezac · mebezac · commit 0480522054df · 2026-02-05T20:04:28.000-05:00
diff --git a/kubernetes/apps/pcab/pcab/ghcr-secret.sops.yaml b/kubernetes/apps/pcab/pcab/ghcr-secret.sops.yaml
@@ -0,0 +1,24 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: ghcr-secret
+  namespace: pcab
+type: kubernetes.io/dockerconfigjson
+stringData:
+  .dockerconfigjson: ENC[AES256_GCM,data:NeAbtJM8Vo8EA73UzawmLnQDKPTeV5+o/YR+3D8Q93ksvH8wQ1Tgn9uw6nyV00jTMkwQlSoL0ZOKkA5vn2UEveJPcHCFnfFKVPGJtbAbNVved0VqhgBmyfxSZeq2wV8S/pud3G7+uzyfHEFumCx1JP0Xx0tIxNCQNOTQXgmSoFRXh/c/RstLiBRZPCfNLSVyXzFhd5+Yst6eP6vm1tv/hETDXTASQElcU5vmR6C6BuTPSn9VlTCP2AORS1IctJL/C5xliY92F+iTMyy9PPJ4a2lYa5VzFRMu,iv:NNWtlIvFmLdGzJUX5utYasauC/22cx6U3+tzs/uy0cU=,tag:zddO5qzNkyiir/PKLhpoww==,type:str]
+sops:
+  age:
+    - recipient: age1j7x3jkw82w02taqj8dmqplae07fxcrup2enejnta9z2v82fzsakqd4ka6p
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjVkJZS1pCVFdlbVJBWlp5
+        blVROHhXdXNOTHcxNkQ4Rzl6RldVZGVPeFJJCndYd3JoZmJDajdweTBtMklkMzA5
+        TS9oMnNTYytXL2ozSTVLYjU1ZWZWQWcKLS0tIEJJMWV2cC9JRkhSRWF5dS8vaXlr
+        a1EyZTN5dHdnalM2N0lyMWlhR0U0ZncKtPqvp/1Mm7NUfoeab8qVdjKO6mOxK3E3
+        vAYzDocDtMHk2iZTZ3cJIoNgVmE6V2BEpk1vJ5TBLGfr9CPvV32GNw==
+        -----END AGE ENCRYPTED FILE-----
+  lastmodified: "2026-02-05T22:38:04Z"
+  mac: ENC[AES256_GCM,data:CG5kfnnZp09CPCbmjnhBjjFjZSKYsVnjdVGLp+/vPkA6Yg86OzCTLMYIiZyTsU0w/fexV/vgry0+u0lx0imIShW3edsH7dD48+U8yEI7dSU37mericzPYWrt83mMJPoGCU7SQoMLoJkIpaGuh3taQrw5QypC4ERqeRLi/ieeyUU=,iv:I17V/AK9EsfrtKJqszrsgfXk1bRMN3ah1pe3g0m3IvQ=,tag:yk++SuUGzLWCEcW597TlGQ==,type:str]
+  encrypted_regex: ^(data|stringData)$
+  mac_only_encrypted: true
+  version: 3.11.0
diff --git a/kubernetes/apps/pcab/pcab/kustomization.yaml b/kubernetes/apps/pcab/pcab/kustomization.yaml
@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+generators:
+  - secret-generator.yaml
diff --git a/kubernetes/apps/pcab/pcab/pcab-secret.sops.yaml b/kubernetes/apps/pcab/pcab/pcab-secret.sops.yaml
@@ -0,0 +1,57 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: pcab-secret
+  namespace: pcab
+type: Opaque
+stringData:
+  #ENC[AES256_GCM,data:rFbbYomKlow78Ye5XkcHHZWFdwUPm9qYXPCKEA==,iv:fOb9O5N7xzFcqgCRBR9O+E77P5VoxJZwaQc5iZcWJok=,tag:fJfM/5BnVZO9f0vNq+bTrQ==,type:comment]
+  INIT_POSTGRES_DBNAME: ENC[AES256_GCM,data:ALjHkw==,iv:pCGPbfv5KRAv3ByF104SxxiZ5vbhoaoPxv699S0kdak=,tag:RB6KmHczRJgaE7ukvC7QNg==,type:str]
+  INIT_POSTGRES_HOST: ENC[AES256_GCM,data:9W7lDl5uF8XelKFyBvudf92l/5+lwINz3PUoMXQltriXqyJzBm94fCvd5Ybnv8nc+w==,iv:VptgGe6DDixl90zlYQ8Enzo2mk6V8LHt56l/srl4vwE=,tag:Qh8PFV6rnCAbh8pqPazPRg==,type:str]
+  INIT_POSTGRES_USER: ENC[AES256_GCM,data:vRtB7Q==,iv:iYCgyCnIuhO/Az68P/BknJqBLI5mgcdBB3CQ5gospQg=,tag:0sl84AUuOHTlo6P+vhCrtQ==,type:str]
+  INIT_POSTGRES_PASS: ENC[AES256_GCM,data:4noDjs8LvAnonpcFaFSwv6fj9+J6O6n0zwv8Zg==,iv:WkcvOjx/MpgJeRqL9893dV4qV2Vv1Jm9vjRrJLnSUDw=,tag:A+fY8MQhwULgl9UgOF+ZRw==,type:str]
+  INIT_POSTGRES_SUPER_PASS: ENC[AES256_GCM,data:EQInfptcIaBhEqEumceY6l4gohLUbZ2GJWA=,iv:RZfRMEhb+cFn0k3Qy8+gQziBIBQdjM5HQbmXKW2JwUo=,tag:P2hC3nAdJrzps2BYQ2qnKA==,type:str]
+  #ENC[AES256_GCM,data:O+LwA8qT1nZlqxQicftZQWBUomxMwPrlExCj6PKipps0DyC1nqrCY/fZ4Zi7JhRvdGZ9eBGeNgLPSagkWas=,iv:6Fr3W7DWIy+do0hUXjjPMAShjEBcezoPij/bPAukZhM=,tag:ZKw2i/GBDV6sNhA0gZT4tg==,type:comment]
+  SECRET_KEY_BASE: ENC[AES256_GCM,data:FQwc9ZeKv3NlN9zz4jeBRxwVpJ4o9gNRqTtdd+mdZ5cuRwXEbqVGgV0yCWRFdSCHDzVXicQnu9bDJx49uhZtrg==,iv:VXPhUdPlDgEWAiCDznyd+52y8XGLz86qLEdU45u9NQ8=,tag:OZCn0q9fy+sZOFbYbW6abQ==,type:str]
+  #ENC[AES256_GCM,data:mpLUgpX/VS2Haj9BwDDJG5HFTlWGZHk=,iv:qub5hs3Y6llj2tSpOu/pyaGt2rEaugzYsbM//ZdtYCQ=,tag:z72/4DBrVs7V6z9fakBnSw==,type:comment]
+  DATABASE_URL: ENC[AES256_GCM,data:U+L2P0O2wm8ixTKXi0tsE0bnaWmPluAR0LQZGvZ4/51krM4Zc0Kug5PFUS8Sx8Wbn6kJjTZwbMw5pb/AKajukyP64T+WyVp4efdiX3rfOAMpKLUlqQBa0Q4KyWQpsbb1GqaetEtuaaU=,iv:GMCoOW2khOKYCE0wbktoYr40d6cpPGkBDM9bKDHguew=,tag:ZWvUMSs6rJMs+cQmXM3PRA==,type:str]
+  #ENC[AES256_GCM,data:Tg429cRRseI97Mm5mC7Bkr/DWOt+sPVvmJvS/tyAVlUFLLw=,iv:KQAEhyxdY7QbQ/RkqRSgSnFIEC2FHO/Q9425ENLjzYY=,tag:fa+UkeYZnVIz55o/83Kvjw==,type:comment]
+  GROQ_API_KEY: ENC[AES256_GCM,data:3FoknPw8LNv9oVx/ecCVubV/prdxaUKXL3I80IL/dpblyOVb2cbTBHpmj68N5Rnr+xjUjTWRXWY=,iv:KRXxjX2ApFSzj5GH6GyG9T0695HWExQBl44Q81yVqNI=,tag:Lc/NfB8xh+rdqh/TndjZvg==,type:str]
+  #ENC[AES256_GCM,data:xDdL3IwjDMNOyh6iqXf9AkxgcO6Pptov8HMP7Z6PAL3IXtV9mGeZBe/s9TQ=,iv:4rhw6REgolT2Gw80uOpxh7BbBoFyN5SpsC0QMA4KgjA=,tag:pX8mbv8HyfMVxjuBmPcnHQ==,type:comment]
+  AI_ENDPOINT: ENC[AES256_GCM,data:NM+KNi6LvBx5pQ67ABKbfQPyvPpRmuIOZixEjEZm4DXBoMA=,iv:A1IJmj+Rn3VRhCQTDUuOXBzHKnVAZYddK/gAbkxZ+YI=,tag:NFLe51ttjH/lRkVpvU8g5A==,type:str]
+  AI_API_KEY: ENC[AES256_GCM,data:/BjAnWNEFpPWRIokisK1LntVkZYBhLi28AAbs1AtmixX22cI,iv:CtJK9cLWebMv1JRGc35TekaE4ZJfSrCCqfzDjHdfL0s=,tag:8b49sAOdNsPpELBFR0+RSA==,type:str]
+  AI_MODEL: ENC[AES256_GCM,data:XMYhZPxlgtotFc98NYK2WfCGg8dyROLBzQ==,iv:iJL0F3vTXn9OXjJ1NlLM1BBP+fRW/KPGex45D8XISow=,tag:Na0NdywM/a2IwVgrxUl5SQ==,type:str]
+  PODCAST_INDEX_API_KEY: ENC[AES256_GCM,data:SnBvhqj5TiyJV3gUT5sBjXQO8fM=,iv:6Rx3utog5Y8we+xjGBk5Oo+fTs4QMuVSx2MHfMX6CaM=,tag:YCn6SJJU6rqBMfzWqg0l3A==,type:str]
+  PODCAST_INDEX_API_SECRET: ENC[AES256_GCM,data:nw8UTnukfgXCzfxJ5PaihfPKEWgWNMKVJwTTrshg5poYeKvQdo6GUw==,iv:RyUtASF5/YkajhMqWvibunxp7r33e+Z2tJxowbUSmko=,tag:9Kn9KmyMOH3L4dXoKjIVOQ==,type:str]
+  #ENC[AES256_GCM,data:saiNOWqpNvm7cC9NPZkUsdMr,iv:NpH+gxnHcqFjxfoi5kv9FkdWHBuan+pbp6sY4zdBfaU=,tag:K9j9DnCwVCPCmG4zJyZb0Q==,type:comment]
+  STORAGE_PATH: ENC[AES256_GCM,data:VIYXfpy7Uje44wpymKPzCFE=,iv:ZdusCtqV40qKWmbmlUhSb8TrOp9Y5pR0noSsExRe2ts=,tag:FaEpStB2B6y+CXumxdPDXA==,type:str]
+  #ENC[AES256_GCM,data:B02G0Xc+vWcmgT5AFb28BJ+ojbwJ4J5DmaPRW4B2,iv:I3NqpBdB5wtDV/1J2ephgddOI+mSRQGiynhSXq5azbw=,tag:0j1tG05HowEWmPIE65nnrw==,type:comment]
+  OIDC_ENABLED: ENC[AES256_GCM,data:z0FsJg==,iv:9Q/9xd7WyJcWN/Wm2l9FnqoLaJNS9wgV3TN6H63CMBM=,tag:OfGhkNMR0XJNZPcnsqMI9Q==,type:str]
+  OIDC_ISSUER: ENC[AES256_GCM,data:XsgtHYLXbsKrGpUR4Ys9c5q16j+I1k+1tH4MZbA=,iv:kQ1J9UOF/VmVgx7+RSFc3RRpUTUEeUVyLcE36WPpBLA=,tag:ifUBU76dQRgsCeo1Y7YUVQ==,type:str]
+  OIDC_CLIENT_ID: ENC[AES256_GCM,data:G4u2qf/XU33C3fo7aVpKGkb/d4YXaMnX+FQnjbW0pKDwYR6p6UeyDeQIeWlvOhgl0bk8Mx543S132c+JX9tN2Z5ruQ0rMHAW,iv:jug8HMFnq+FUVk3npVbTPyFYVXsHTmwi2z6no6bXCSM=,tag:udPavnNdXAUgigTvaOfPqQ==,type:str]
+  OIDC_CLIENT_SECRET: ENC[AES256_GCM,data:f6N4371yCZ0yH0k/4tBkOhHAVc53/SDQbSyP1ikhf7JM9XbWF2hMklRdDuaUgGB+LHcLzU3DjgtIiv1ZiIrCE5ZjNZxjTYfz,iv:QKvW1YH4/0/yXGz7ZUEjbez7I5pktr4bbzifw+uy2Fs=,tag:vjt/JJc0fQbp4SkgaedMXg==,type:str]
+  OIDC_REDIRECT_URI: ENC[AES256_GCM,data:cxQN1/1+zIsVrbMAa1dZVy96A731XfQ9zXM+Pnzuck1Z98vKPuRabpGhrpbgEeM=,iv:kPd1l7AbZ1+0HbZmEooOF3Hjk+T3zn8RirzGc66KnRA=,tag:UQnVor7yzJyLxzoTpTQAgg==,type:str]
+  OIDC_SCOPES: ENC[AES256_GCM,data:D4eEsj2MNjHPF9S6jdeOXR5JjHE=,iv:pBqKbzL7PIsUgK1kQ7o/SWsfEDtZomtsaWtrettOdPo=,tag:0usAGZrvyO0Uyg5G8RDyRw==,type:str]
+  OIDC_PKCE: ENC[AES256_GCM,data:RS+8lg==,iv:cr0qOKJVgaGXyzpxREVZLzR4AlkD/eiePqqcQH3ukE0=,tag:74JZ8Lvj4xiBfODIbRFN6Q==,type:str]
+  OIDC_AUTH_METHOD: ENC[AES256_GCM,data:UnWp+BYT4UMQvMBoQa1cvXVcDg==,iv:B938GzXX7XfOPQ2NlxitDRFiVi7PHLLyDTumUTbyOHg=,tag:g0NXf8Mq+rnz5e2cbCERCg==,type:str]
+  OIDC_USE_PAR: ENC[AES256_GCM,data:TYv+FVE=,iv:Zcttxe+7eQtxhwirIkif9eBqsfOTyW6d5oxENzZBzns=,tag:KsE+gTR/y94gCrb++p8nmw==,type:str]
+  #ENC[AES256_GCM,data:UPO4bB57RZcOAECDi2odvYN6F0g9hiYxSCmIhTjluxXO4IwZG4Qgzy8qj5urVTmRoMM=,iv:1Kj3JeutsJ14us5O2O/e9Ue4s5cgqRWDwvP+KM61ECY=,tag:AD9nfi8+HFHmrJQN3R8BTQ==,type:comment]
+  PHX_HOST: ENC[AES256_GCM,data:kMULVQ69HH1+1BWvebepZEaKZ4Q=,iv:JyhrYQGlElc0/5A3C4N+/lu1soHlUGc3l8et3TtVKVs=,tag:1Die9OIjRw3Qnqa28ZwLIw==,type:str]
+  PHX_SCHEME: ENC[AES256_GCM,data:6CjpW2M=,iv:lgKoh08mPyYciw0tdtXkGLkMH17NP5Es/uOK0Jqvv5Q=,tag:Mtu7jIvAEOT2NtBpzPiv8Q==,type:str]
+  PHX_PORT: ENC[AES256_GCM,data:MV+C,iv:CO52sB6bDMTG7RC42eKyIdCwaWIpfR/KIh9s6gyh1Cw=,tag:Irdgu3iGczA6vwp2KpAxMg==,type:str]
+sops:
+  age:
+    - recipient: age1j7x3jkw82w02taqj8dmqplae07fxcrup2enejnta9z2v82fzsakqd4ka6p
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxb2U0bmdsOTVhdUk0Sk9C
+        S2VHWEp6VDZHd2dRN2c1SzJEamlTNFRrZXpjCm03RXgzN3hNOEp3Z0J6T0wyVlho
+        Z1RQS3FiOHhQZVY4bCtvNVNMRmt4aUkKLS0tIFZXYmx4Zi9yMmZjUnhYcFhlNndB
+        akNHclFCb08wWVJxVEJjcjhjV0tzUVUKKr3bvMticlrqISqFyzKGWJn6C08l37US
+        Yf1rBVZxXmNU7cGQXWQjaZeYsSQ2Huhua3qckKB1jJUWdnfcQq42qQ==
+        -----END AGE ENCRYPTED FILE-----
+  lastmodified: "2026-02-06T01:00:40Z"
+  mac: ENC[AES256_GCM,data:7QiXVa/6NtPePw0RVMpP6Y+09isOHqPWLHvUYL/pKsOIw5XpEXA/QzXmTmw7GdkTj4+oCke6SET3gyHyFygEhUgK91CPS5IMDf84VHN3g/QIQlPzS5gBN1ENbuPvml85XnwyBNMfzBZZ5K8mFa2Z/AFSRPeBhhfW/jOq4GF7UoE=,iv:HCkGodmclO7T7jiat9fRBmvo9G2EaaXXzCAm0SwMikM=,tag:ULwaEFhIuVfL4M8K897h8A==,type:str]
+  encrypted_regex: ^(data|stringData)$
+  mac_only_encrypted: true
+  version: 3.11.0
diff --git a/kubernetes/apps/pcab/pcab/secret-generator.yaml b/kubernetes/apps/pcab/pcab/secret-generator.yaml
@@ -0,0 +1,11 @@
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+  name: pcab-secret-generator
+  annotations:
+    config.kubernetes.io/function: |
+      exec:
+        path: ksops
+files:
+  - ./pcab-secret.sops.yaml
+  - ./ghcr-secret.sops.yaml
diff --git a/kubernetes/apps/pcab/pcab/values.yaml b/kubernetes/apps/pcab/pcab/values.yaml
@@ -0,0 +1,104 @@
+defaultPodOptions:
+  securityContext:
+    runAsNonRoot: true
+    runAsUser: 3000
+    runAsGroup: 3000
+    fsGroup: 3000
+    fsGroupChangePolicy: OnRootMismatch
+    seccompProfile: { type: RuntimeDefault }
+  imagePullSecrets:
+    - name: ghcr-secret
+
+controllers:
+  pcab:
+    annotations:
+      reloader.stakater.com/auto: "true"
+    initContainers:
+      init-db:
+        image:
+          repository: ghcr.io/home-operations/postgres-init
+          tag: 18.1
+        envFrom: &envFrom
+          - secretRef:
+              name: pcab-secret
+    containers:
+      app:
+        image:
+          repository: ghcr.io/mebezac/pcab
+          tag: v1.0.4
+        env:
+          TZ: America/New_York
+          PORT: "4000"
+        envFrom: *envFrom
+        probes:
+          startup:
+            enabled: true
+            spec:
+              httpGet:
+                path: /health
+                port: 4000
+              initialDelaySeconds: 30
+              periodSeconds: 10
+              timeoutSeconds: 5
+              failureThreshold: 30
+          liveness:
+            enabled: true
+            spec:
+              httpGet:
+                path: /health
+                port: 4000
+              initialDelaySeconds: 0
+              periodSeconds: 30
+              timeoutSeconds: 10
+              failureThreshold: 3
+          readiness:
+            enabled: true
+            spec:
+              httpGet:
+                path: /health
+                port: 4000
+              initialDelaySeconds: 0
+              periodSeconds: 10
+              timeoutSeconds: 5
+              failureThreshold: 3
+        resources:
+          requests:
+            cpu: 100m
+            memory: 256Mi
+          limits:
+            memory: 4Gi
+
+service:
+  app:
+    controller: pcab
+    ports:
+      http:
+        port: 4000
+
+ingress:
+  app:
+    enabled: true
+    className: external
+    annotations:
+      external-dns.alpha.kubernetes.io/target: external.laboratory.casa
+    hosts:
+      - host: pcab.laboratory.casa
+        paths:
+          - path: /
+            service:
+              identifier: app
+              port: http
+
+persistence:
+  storage:
+    type: persistentVolumeClaim
+    storageClass: longhorn
+    accessMode: ReadWriteOnce
+    size: 10Gi
+    suffix: storage
+    globalMounts:
+      - path: /app/priv/storage
+  tmp:
+    type: emptyDir
+    globalMounts:
+      - path: /tmp
diff --git a/kubernetes/apps/security/authelia/authelia-config.yaml b/kubernetes/apps/security/authelia/authelia-config.yaml
@@ -218,9 +218,9 @@ identity_providers:
         access_token_signed_response_alg: "none"
         userinfo_signed_response_alg: "none"
         # pcab
-      - client_id: "gl6Z~vkcZLeoTh0TiMf8xV0PpcGumStzrLNbcSj_AhUKEIt2CgXi.-NR0U8Cs1_pQJHqCr1e"
+      - client_id: "vhgmgEbo_H_j27QSNDnQG7YuwihZvr1qnZ_dS2moZa0eDMPLwulMdjb5wgDf92l.Giek9zCI"
         client_name: "pcab"
-        client_secret: "$pbkdf2-sha512$310000$iK0beMwNqrrNbU4yxZCDwQ$IWRqhyE.RCrKHyY8WVWXxZJnEzq91sdYGyKTGcleeaAQkxNp9EgUEXhlzBABm32lxzgyHUCmlAik1yPUpvvnOA"
+        client_secret: "$pbkdf2-sha512$310000$v08Ww/VwiK1pLHZ/r91rxg$LqAuMlDuVS84r.ktO3bM/ErGqYCc5vJ/WbGqN0D9CdiymAhstgoUkgfYdpxjwhQwkj4f.3h8xwomF2jR4/FFgg"
         public: false
         authorization_policy: "one_factor"
         require_pkce: true
diff --git a/kubernetes/argo/apps/pcab/pcab.yaml b/kubernetes/argo/apps/pcab/pcab.yaml
@@ -0,0 +1,31 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: pcab
+  namespace: argo-system
+  annotations:
+    argocd.argoproj.io/sync-wave: "0"
+spec:
+  project: kubernetes
+  sources:
+    - repoURL: https://github.com/mebezac/home-cluster.git
+      path: kubernetes/apps/pcab/pcab
+      targetRevision: main
+      ref: pcab-repo
+    - repoURL: ghcr.io/bjw-s-labs/helm
+      chart: app-template
+      targetRevision: 4.6.2
+      helm:
+        releaseName: pcab
+        valueFiles:
+          - $pcab-repo/kubernetes/apps/pcab/pcab/values.yaml
+  destination:
+    name: in-cluster
+    namespace: pcab
+  syncPolicy:
+    automated:
+      allowEmpty: true
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
