404 lines
16 KiB
YAML
404 lines
16 KiB
YAML
|
apiVersion: argoproj.io/v1alpha1
|
||
|
kind: Application
|
||
|
metadata:
|
||
|
name: mastodon
|
||
|
namespace: argocd
|
||
|
spec:
|
||
|
destination:
|
||
|
name: in-cluster
|
||
|
namespace: mastodon
|
||
|
project: default
|
||
|
source:
|
||
|
path: .
|
||
|
repoURL: https://gitea.gitea.svc.cluster.local:3000/infra/mastodon-chart
|
||
|
targetRevision: main
|
||
|
helm:
|
||
|
values: |
|
||
|
image:
|
||
|
repository: ghcr.io/mastodon/mastodon
|
||
|
# https://github.com/mastodon/mastodon/pkgs/container/mastodon
|
||
|
#
|
||
|
# alternatively, use `latest` for the latest release or `edge` for the image
|
||
|
# built from the most recent commit
|
||
|
#
|
||
|
# tag: latest
|
||
|
tag: "latest"
|
||
|
# use `Always` when using `latest` tag
|
||
|
pullPolicy: IfNotPresent
|
||
|
|
||
|
mastodon:
|
||
|
# -- create an initial administrator user; the password is autogenerated and will
|
||
|
# have to be reset
|
||
|
createAdmin:
|
||
|
# @ignored
|
||
|
enabled: false
|
||
|
# @ignored
|
||
|
username: not_gargron
|
||
|
# @ignored
|
||
|
email: not@example.com
|
||
|
cron:
|
||
|
# -- run `tootctl media remove` every week
|
||
|
removeMedia:
|
||
|
# @ignored
|
||
|
enabled: true
|
||
|
# @ignored
|
||
|
schedule: "0 0 * * 0"
|
||
|
# -- available locales: https://github.com/mastodon/mastodon/blob/main/config/application.rb#L71
|
||
|
locale: en
|
||
|
local_domain: werts.us
|
||
|
# -- Use of WEB_DOMAIN requires careful consideration: https://docs.joinmastodon.org/admin/config/#federation
|
||
|
# You must redirect the path LOCAL_DOMAIN/.well-known/ to WEB_DOMAIN/.well-known/ as described
|
||
|
# Example: mastodon.example.com
|
||
|
web_domain: mastodon.werts.us
|
||
|
# -- If set to true, the frontpage of your Mastodon server will always redirect to the first profile in the database and registrations will be disabled.
|
||
|
singleUserMode: false
|
||
|
# -- Enables "Secure Mode" for more details see: https://docs.joinmastodon.org/admin/config/#authorized_fetch
|
||
|
authorizedFetch: false
|
||
|
# -- Enables "Limited Federation Mode" for more detauls see: https://docs.joinmastodon.org/admin/config/#limited_federation_mode
|
||
|
limitedFederationMode: true
|
||
|
persistence:
|
||
|
assets:
|
||
|
# -- ReadWriteOnce is more widely supported than ReadWriteMany, but limits
|
||
|
# scalability, since it requires the Rails and Sidekiq pods to run on the
|
||
|
# same node.
|
||
|
accessMode: ReadWriteMany
|
||
|
resources:
|
||
|
requests:
|
||
|
storage: 10Gi
|
||
|
storageClassName: nfs
|
||
|
system:
|
||
|
accessMode: ReadWriteOnce
|
||
|
resources:
|
||
|
requests:
|
||
|
storage: 10Gi
|
||
|
storageClassName: local
|
||
|
s3:
|
||
|
enabled: false
|
||
|
access_key: ""
|
||
|
access_secret: ""
|
||
|
# -- you can also specify the name of an existing Secret
|
||
|
# with keys AWS_ACCESS_KEY_ID and AWS_SECRET_ACCESS_KEY
|
||
|
existingSecret: "mastodon-secrets-s3"
|
||
|
bucket: "mastodon"
|
||
|
endpoint: "https://minio.strudelline.net"
|
||
|
hostname: ""
|
||
|
region: ""
|
||
|
permission: ""
|
||
|
# -- If you have a caching proxy, enter its base URL here.
|
||
|
alias_host: ""
|
||
|
# these must be set manually; autogenerated keys are rotated on each upgrade
|
||
|
secrets:
|
||
|
secret_key_base: ""
|
||
|
otp_secret: ""
|
||
|
vapid:
|
||
|
private_key: ""
|
||
|
public_key: ""
|
||
|
# -- you can also specify the name of an existing Secret
|
||
|
# with keys SECRET_KEY_BASE and OTP_SECRET and
|
||
|
# VAPID_PRIVATE_KEY and VAPID_PUBLIC_KEY
|
||
|
existingSecret: "mastodon-secrets-secrets"
|
||
|
sidekiq:
|
||
|
# -- Pod security context for all Sidekiq Pods, overwrites .Values.podSecurityContext
|
||
|
podSecurityContext: {}
|
||
|
# -- (Sidekiq Container) Security Context for all Pods, overwrites .Values.securityContext
|
||
|
securityContext: {}
|
||
|
# -- Resources for all Sidekiq Deployments unless overwritten
|
||
|
resources: {}
|
||
|
# -- Affinity for all Sidekiq Deployments unless overwritten, overwrites .Values.affinity
|
||
|
affinity: {}
|
||
|
# limits:
|
||
|
# cpu: "1"
|
||
|
# memory: 768Mi
|
||
|
# requests:
|
||
|
# cpu: 250m
|
||
|
# memory: 512Mi
|
||
|
workers:
|
||
|
- name: all-queues
|
||
|
# -- Number of threads / parallel sidekiq jobs that are executed per Pod
|
||
|
concurrency: 25
|
||
|
# -- Number of Pod replicas deployed by the Deployment
|
||
|
replicas: 1
|
||
|
# -- Resources for this specific deployment to allow optimised scaling, overwrites .Values.mastodon.sidekiq.resources
|
||
|
resources: {}
|
||
|
# -- Affinity for this specific deployment, overwrites .Values.affinity and .Values.mastodon.sidekiq.affinity
|
||
|
affinity: {}
|
||
|
# -- Sidekiq queues for Mastodon that are handled by this worker. See https://docs.joinmastodon.org/admin/scaling/#concurrency
|
||
|
# See https://github.com/mperham/sidekiq/wiki/Advanced-Options#queues for how to weight queues as argument
|
||
|
queues:
|
||
|
- default,8
|
||
|
- push,6
|
||
|
- ingress,4
|
||
|
- mailers,2
|
||
|
- pull
|
||
|
- scheduler # Make sure the scheduler queue only exists once and with a worker that has 1 replica.
|
||
|
#- name: push-pull
|
||
|
# concurrency: 50
|
||
|
# resources: {}
|
||
|
# replicas: 2
|
||
|
# queues:
|
||
|
# - push
|
||
|
# - pull
|
||
|
#- name: mailers
|
||
|
# concurrency: 25
|
||
|
# replicas: 2
|
||
|
# queues:
|
||
|
# - mailers
|
||
|
#- name: default
|
||
|
# concurrency: 25
|
||
|
# replicas: 2
|
||
|
# queues:
|
||
|
# - default
|
||
|
smtp:
|
||
|
auth_method: plain
|
||
|
ca_file: /etc/ssl/certs/ca-certificates.crt
|
||
|
delivery_method: smtp
|
||
|
domain:
|
||
|
enable_starttls: 'auto'
|
||
|
from_address: notifications@example.com
|
||
|
return_path:
|
||
|
openssl_verify_mode: peer
|
||
|
port: 587
|
||
|
reply_to:
|
||
|
server: smtp.mailgun.org
|
||
|
tls: false
|
||
|
login:
|
||
|
password:
|
||
|
# -- Instead of defining login/password above, you can specify the name of an existing secret here. Login and
|
||
|
# password must be located in keys named `login` and `password` respectively.
|
||
|
existingSecret: mastdon-secrets-smtp
|
||
|
streaming:
|
||
|
port: 4000
|
||
|
# -- this should be set manually since os.cpus() returns the number of CPUs on
|
||
|
# the node running the pod, which is unrelated to the resources allocated to
|
||
|
# the pod by k8s
|
||
|
workers: 1
|
||
|
# -- The base url for streaming can be set if the streaming API is deployed to
|
||
|
# a different domain/subdomain.
|
||
|
base_url: null
|
||
|
# -- Number of Streaming Pods running
|
||
|
replicas: 1
|
||
|
# -- Affinity for Streaming Pods, overwrites .Values.affinity
|
||
|
affinity: {}
|
||
|
# -- Pod Security Context for Streaming Pods, overwrites .Values.podSecurityContext
|
||
|
podSecurityContext: {}
|
||
|
# -- (Streaming Container) Security Context for Streaming Pods, overwrites .Values.securityContext
|
||
|
securityContext: {}
|
||
|
# -- (Streaming Container) Resources for Streaming Pods, overwrites .Values.resources
|
||
|
resources: {}
|
||
|
# limits:
|
||
|
# cpu: "500m"
|
||
|
# memory: 512Mi
|
||
|
# requests:
|
||
|
# cpu: 250m
|
||
|
# memory: 128Mi
|
||
|
web:
|
||
|
port: 3000
|
||
|
# -- Number of Web Pods running
|
||
|
replicas: 1
|
||
|
# -- Affinity for Web Pods, overwrites .Values.affinity
|
||
|
affinity: {}
|
||
|
# -- Pod Security Context for Web Pods, overwrites .Values.podSecurityContext
|
||
|
podSecurityContext: {}
|
||
|
# -- (Web Container) Security Context for Web Pods, overwrites .Values.securityContext
|
||
|
securityContext: {}
|
||
|
# -- (Web Container) Resources for Web Pods, overwrites .Values.resources
|
||
|
resources: {}
|
||
|
# limits:
|
||
|
# cpu: "1"
|
||
|
# memory: 1280Mi
|
||
|
# requests:
|
||
|
# cpu: 250m
|
||
|
# memory: 768Mi
|
||
|
# -- Puma-specific options. Below values are based on default behavior in
|
||
|
# config/puma.rb when no custom values are provided.
|
||
|
minThreads: "5"
|
||
|
maxThreads: "5"
|
||
|
workers: "2"
|
||
|
persistentTimeout: "20"
|
||
|
|
||
|
metrics:
|
||
|
statsd:
|
||
|
# -- Enable statsd publishing via STATSD_ADDR environment variable
|
||
|
address: ""
|
||
|
|
||
|
# Sets the PREPARED_STATEMENTS environment variable: https://docs.joinmastodon.org/admin/config/#prepared_statements
|
||
|
preparedStatements: true
|
||
|
|
||
|
ingress:
|
||
|
enabled: true
|
||
|
annotations:
|
||
|
# For choosing an ingress ingressClassName is preferred over annotations
|
||
|
# kubernetes.io/ingress.class: nginx
|
||
|
#
|
||
|
# To automatically request TLS certificates use one of the following
|
||
|
# kubernetes.io/tls-acme: "true"
|
||
|
# cert-manager.io/cluster-issuer: "letsencrypt"
|
||
|
#
|
||
|
# ensure that NGINX's upload size matches Mastodon's
|
||
|
# for the K8s ingress controller:
|
||
|
# nginx.ingress.kubernetes.io/proxy-body-size: 40m
|
||
|
# for the NGINX ingress controller:
|
||
|
# nginx.org/client-max-body-size: 40m
|
||
|
# -- you can specify the ingressClassName if it differs from the default
|
||
|
ingressClassName:
|
||
|
hosts:
|
||
|
- host: mastodon.werts.us
|
||
|
paths:
|
||
|
- path: '/'
|
||
|
|
||
|
# -- https://github.com/bitnami/charts/tree/master/bitnami/elasticsearch#parameters
|
||
|
elasticsearch:
|
||
|
# `false` will disable full-text search
|
||
|
#
|
||
|
# if you enable ES after the initial install, you will need to manually run
|
||
|
# RAILS_ENV=production bundle exec rake chewy:sync
|
||
|
# (https://docs.joinmastodon.org/admin/optional/elasticsearch/)
|
||
|
# @ignored
|
||
|
enabled: true
|
||
|
# @ignored
|
||
|
image:
|
||
|
tag: 7
|
||
|
|
||
|
# https://github.com/bitnami/charts/tree/master/bitnami/postgresql#parameters
|
||
|
postgresql:
|
||
|
# -- disable if you want to use an existing db; in which case the values below
|
||
|
# must match those of that external postgres instance
|
||
|
enabled: true
|
||
|
# postgresqlHostname: preexisting-postgresql
|
||
|
# postgresqlPort: 5432
|
||
|
auth:
|
||
|
database: mastodon_production
|
||
|
username: mastodon
|
||
|
# you must set a password; the password generated by the postgresql chart will
|
||
|
# be rotated on each upgrade:
|
||
|
# https://github.com/bitnami/charts/tree/master/bitnami/postgresql#upgrade
|
||
|
password: ""
|
||
|
# Set the password for the "postgres" admin user
|
||
|
# set this to the same value as above if you've previously installed
|
||
|
# this chart and you're having problems getting mastodon to connect to the DB
|
||
|
# postgresPassword: ""
|
||
|
# you can also specify the name of an existing Secret
|
||
|
# with a key of password set to the password you want
|
||
|
existingSecret: "mastodon-secrets-postgres"
|
||
|
|
||
|
# https://github.com/bitnami/charts/tree/master/bitnami/redis#parameters
|
||
|
redis:
|
||
|
# disable if you want to use an existing redis instance; in which case the
|
||
|
# values below must match those of that external redis instance
|
||
|
enabled: true
|
||
|
hostname: ""
|
||
|
port: 6379
|
||
|
auth:
|
||
|
# -- you must set a password; the password generated by the redis chart will be
|
||
|
# rotated on each upgrade:
|
||
|
password: ""
|
||
|
# you can also specify the name of an existing Secret
|
||
|
# with a key of redis-password set to the password you want
|
||
|
existingSecret: "mastodon-secrets-redis"
|
||
|
|
||
|
# @ignored
|
||
|
service:
|
||
|
type: ClusterIP
|
||
|
port: 80
|
||
|
|
||
|
externalAuth:
|
||
|
oidc:
|
||
|
# -- OpenID Connect support is proposed in PR #16221 and awaiting merge.
|
||
|
enabled: true
|
||
|
display_name: "werts.us"
|
||
|
issuer: https://auth.werts.us/realms/werts
|
||
|
discovery: true
|
||
|
scope: "openid,profile"
|
||
|
uid_field: uid
|
||
|
client_id: mastodon
|
||
|
client_secret: eJ7ytP63vdMr8tK5KDyvYwr7ce6pSXhtc1x5GSx5yVOLzOl66Tb6OqwSWt776zhKkt18xFpPAGF2WdkUM7Y7HN
|
||
|
redirect_uri: https://mastodon.werts.us/auth/auth/openid_connect/callback
|
||
|
assume_email_is_verified: true
|
||
|
# client_auth_method:
|
||
|
# response_type:
|
||
|
# response_mode:
|
||
|
# display:
|
||
|
# prompt:
|
||
|
# send_nonce:
|
||
|
# send_scope_to_token_endpoint:
|
||
|
# idp_logout_redirect_uri:
|
||
|
# http_scheme:
|
||
|
# host:
|
||
|
# port:
|
||
|
# jwks_uri:
|
||
|
# auth_endpoint:
|
||
|
# token_endpoint:
|
||
|
# user_info_endpoint:
|
||
|
# end_session_endpoint:
|
||
|
|
||
|
# -- https://github.com/mastodon/mastodon/blob/main/Dockerfile#L75
|
||
|
#
|
||
|
# if you manually change the UID/GID environment variables, ensure these values
|
||
|
# match:
|
||
|
podSecurityContext:
|
||
|
runAsUser: 991
|
||
|
runAsGroup: 991
|
||
|
fsGroup: 991
|
||
|
|
||
|
# @ignored
|
||
|
securityContext: {}
|
||
|
|
||
|
serviceAccount:
|
||
|
# -- Specifies whether a service account should be created
|
||
|
create: true
|
||
|
# -- Annotations to add to the service account
|
||
|
annotations: {}
|
||
|
# -- The name of the service account to use.
|
||
|
# If not set and create is true, a name is generated using the fullname template
|
||
|
name: ""
|
||
|
|
||
|
# Custom annotations to apply to all created deployment objects. These can be
|
||
|
# used to help mastodon interact with other services in the cluster.
|
||
|
deploymentAnnotations: {}
|
||
|
|
||
|
# -- Kubernetes manages pods for jobs and pods for deployments differently, so you might
|
||
|
# need to apply different annotations to the two different sets of pods. The annotations
|
||
|
# set with podAnnotations will be added to all deployment-managed pods.
|
||
|
podAnnotations: {}
|
||
|
|
||
|
# If set to true, an annotation with the current chart release number will be added to all mastodon pods. This will
|
||
|
# cause all pods to be recreated every `helm upgrade` regardless of whether their config or spec changes.
|
||
|
revisionPodAnnotation: true
|
||
|
|
||
|
# The annotations set with jobAnnotations will be added to all job pods.
|
||
|
jobAnnotations: {}
|
||
|
|
||
|
# -- Default resources for all Deployments and jobs unless overwritten
|
||
|
resources: {}
|
||
|
# We usually recommend not to specify default resources and to leave this as a conscious
|
||
|
# choice for the user. This also increases chances charts run on environments with little
|
||
|
# resources, such as Minikube. If you do want to specify resources, uncomment the following
|
||
|
# lines, adjust them as necessary, and remove the curly braces after 'resources:'.
|
||
|
# limits:
|
||
|
# cpu: 100m
|
||
|
# memory: 128Mi
|
||
|
# requests:
|
||
|
# cpu: 100m
|
||
|
# memory: 128Mi
|
||
|
|
||
|
# @ignored
|
||
|
nodeSelector: {}
|
||
|
|
||
|
# @ignored
|
||
|
tolerations: []
|
||
|
|
||
|
# -- Affinity for all pods unless overwritten
|
||
|
affinity: {}
|
||
|
syncPolicy:
|
||
|
automated:
|
||
|
prune: true
|
||
|
selfHeal: true
|
||
|
retry:
|
||
|
backoff:
|
||
|
duration: 5s
|
||
|
factor: 2
|
||
|
maxDuration: 3m0s
|
||
|
limit: 10
|
||
|
syncOptions:
|
||
|
- CreateNamespace=true
|