Initial commit

apps/README.md

@@ -0,0 +1,68 @@
+# Apps
+
+Application deployments managed by Flux. Each app lives in its own directory with a Kustomize-based layout.
+
+## Gitea (Example App)
+
+The included Gitea deployment consists of:
+
+| File | Contents |
+|------|----------|
+| `gitea/install/kustomization.yaml` | Lists the resources Flux should apply |
+| `gitea/install/postgresql.yaml` | PostgreSQL Secret, Service, and StatefulSet |
+| `gitea/install/gitea.yaml` | Gitea PVC, HTTP/SSH Services, and Deployment |
+
+The IngressRoute for Gitea lives in `infrastructure/routes/gitea.yaml` (routes are managed at the infrastructure layer).
+
+## Adding Your Own App
+
+Here's the checklist for adding a new app. For a full walkthrough with example files, see [`../docs/adding-an-app.md`](../docs/adding-an-app.md).
+
+### 1. Create a namespace
+
+Add your namespace to `bootstrap/ns/apps.yaml`:
+
+```yaml
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: my-app
+```
+
+### 2. Create app manifests
+
+Create `apps/my-app/install/` with:
+- `kustomization.yaml` listing your resource files
+- Your Kubernetes manifests (Deployments, Services, PVCs, Secrets, etc.)
+
+### 3. Create a Flux Kustomization
+
+Add `bootstrap/kustomization/apps/my-app/my-app-install.yaml`:
+
+```yaml
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: install-my-app--app
+  namespace: flux-system
+spec:
+  interval: 5m
+  timeout: 4m
+  dependsOn:
+    - name: install-traefik--infra
+  path: ./apps/my-app/install
+  prune: true
+  wait: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+```
+
+### 4. Create an IngressRoute
+
+Add `infrastructure/routes/my-app.yaml` with your Traefik IngressRoute (use `gitea.yaml` as a template).
+
+### 5. Commit and push
+
+Flux will detect the changes and deploy your app automatically.

apps/gitea/install/gitea.yaml

@@ -0,0 +1,98 @@
+# Gitea deployment.
+# Replace <YOUR_DOMAIN> with your domain (e.g. git.example.com).
+# Replace <YOUR_DB_PASSWORD> with the same password used in postgresql.yaml.
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: gitea-data
+  namespace: gitea
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: local-path
+  resources:
+    requests:
+      storage: 10Gi
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: gitea-http
+  namespace: gitea
+spec:
+  type: ClusterIP
+  ports:
+    - port: 3000
+      targetPort: 3000
+  selector:
+    app: gitea
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: gitea-ssh
+  namespace: gitea
+spec:
+  type: ClusterIP
+  ports:
+    - port: 22
+      targetPort: 22
+  selector:
+    app: gitea
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: gitea
+  namespace: gitea
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: gitea
+  template:
+    metadata:
+      labels:
+        app: gitea
+    spec:
+      initContainers:
+        - name: wait-for-db
+          image: busybox:1.36
+          command: ['sh', '-c', 'until nc -z postgresql 5432; do sleep 2; done']
+      containers:
+        - name: gitea
+          image: gitea/gitea:1.23
+          ports:
+            - containerPort: 3000
+              name: http
+            - containerPort: 22
+              name: ssh
+          env:
+            - name: GITEA__database__DB_TYPE
+              value: postgres
+            - name: GITEA__database__HOST
+              value: postgresql:5432
+            - name: GITEA__database__NAME
+              value: gitea
+            - name: GITEA__database__USER
+              value: gitea
+            - name: GITEA__database__PASSWD
+              value: <YOUR_DB_PASSWORD>
+            - name: GITEA__server__DOMAIN
+              value: <YOUR_DOMAIN>
+            - name: GITEA__server__ROOT_URL
+              value: https://<YOUR_DOMAIN>/
+          volumeMounts:
+            - name: data
+              mountPath: /data
+          resources:
+            requests:
+              memory: 256Mi
+              cpu: 100m
+            limits:
+              memory: 1Gi
+              cpu: 1000m
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: gitea-data

apps/gitea/install/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: gitea
+resources:
+  - secrets.yaml
+  - postgresql.yaml
+  - gitea.yaml

apps/gitea/install/postgresql.yaml

@@ -0,0 +1,56 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: postgresql
+  namespace: gitea
+spec:
+  type: ClusterIP
+  ports:
+    - port: 5432
+      targetPort: 5432
+  selector:
+    app: postgresql
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: postgresql
+  namespace: gitea
+spec:
+  serviceName: postgresql
+  replicas: 1
+  selector:
+    matchLabels:
+      app: postgresql
+  template:
+    metadata:
+      labels:
+        app: postgresql
+    spec:
+      containers:
+        - name: postgresql
+          image: postgres:17-alpine
+          ports:
+            - containerPort: 5432
+          envFrom:
+            - secretRef:
+                name: postgresql-credentials
+          volumeMounts:
+            - name: data
+              mountPath: /var/lib/postgresql/data
+          resources:
+            requests:
+              memory: 256Mi
+              cpu: 100m
+            limits:
+              memory: 512Mi
+              cpu: 500m
+  volumeClaimTemplates:
+    - metadata:
+        name: data
+      spec:
+        accessModes: ["ReadWriteOnce"]
+        storageClassName: local-path
+        resources:
+          requests:
+            storage: 5Gi

apps/gitea/install/secrets.yaml

@@ -0,0 +1,14 @@
+# PostgreSQL credentials.
+# Replace <YOUR_DB_PASSWORD> with a strong password.
+#
+# Encrypt this file with: sops --encrypt --in-place secrets.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+  name: postgresql-credentials
+  namespace: gitea
+type: Opaque
+stringData:
+  POSTGRES_USER: gitea
+  POSTGRES_PASSWORD: <YOUR_DB_PASSWORD>
+  POSTGRES_DB: gitea