feat(obsidian): deploy CouchDB for Obsidian sync

.gitignore

@@ -2,3 +2,4 @@
 .vaultpw
 .vscode/
 .ssh/
+*/charts/

obsidian/config/Caddyfile

@@ -0,0 +1,3 @@
+:8080 {
+    respond "Hello, world"
+}

obsidian/config/admin-secret.enc.yaml

@@ -0,0 +1,39 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: obsidian-couchdb
+type: Opaque
+stringData:
+    adminUsername: ENC[AES256_GCM,data:YPev8S8=,iv:rmKKp0n5JCCRsW8MV0DHcAdRCjh7LB690r1i8t2l5ac=,tag:8AOCgrJk4yYvI1lPFfYx6g==,type:str]
+    adminPassword: ENC[AES256_GCM,data:HtwmAsRmZCzIepwtDiLc6/s+1SwFXeKkMSw7uHHG3Mk=,iv:YdPguuTDKg9kuARDwfFcFrPyJGd0jQjO/I8AOygm7VY=,tag:CvzFhEed0mvxwDheIQE/NA==,type:str]
+    cookieAuthSecret: ENC[AES256_GCM,data:xnOSCxMyquMi+akVUBCAECjIqcSa1gzYCA8lVIyeLbnLHAykzsZl5g==,iv:Roe4MwI9lNd78Y36X7qZ1VTRxO7Ztl2SfmHeRzX7i60=,tag:DEJ2xzv0OOrcHarlxlk3gQ==,type:str]
+    erlangCookie: ENC[AES256_GCM,data:KilAsXBz8TJO1hu6IE/Mquz7QUl9qJzPzF1CIy925tf89KUN83QhVA==,iv:I+W5Gqg4DbT5F+lGVhXaUSs9rPGjYMoYD0T9v9AHlOk=,tag:/n1hRrzU1DTqhZJhvq7Qwg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age18e0w4jn03n66qwg8h3rjstz7g5zx2vhvz28aterkfkfetrxtpuysftp6we
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4UGlxRGxQc3AzNW42Tlpt
+            ZFVMR1JWWk1OVWNjNXBScFRldWFqSHVXZXpZClp2cm82ZytnRk5qblZsb3RDU2xw
+            aWtOa0paeVo2ZTZzQy9weVNNNFQ2b3cKLS0tIEdmWGxxTC9qZVBLelJCV3dncURB
+            QjhUT2YvaS83bkpsUjFtTURNZE9hME0KKtGiUiGoulnswTi3mAq8zdq1MOmrqSbP
+            E1Bbdb3amH9mDD+MaXSTxXGcD0X10m6ge+E0c3BMfoF0ssZpQ2hQNw==
+            -----END AGE ENCRYPTED FILE-----
+        - recipient: age1yssdnqk90tn6zzggmwt70krndw04yfk9hwzdac3wsgfxmttngd7q89qzjr
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIWHZTUDhON0wvZVlZTk1D
+            SGY0dHJjaEdkcklwUjh0Yjk4dVdUWGVYRVFZCkh0bDU4THQ2N0RjMGg2aGRDbklG
+            ZjFUWEFabFJrSDJUZHR4bjAyNjZRb2cKLS0tIGNIT2ZHQ2R1ZEVJbWY4ZVh4QTl3
+            NlFuMS91OHozaW8rcHNqZVhSOCtWaDgKpsTPthtNzoyLcWbiWFFNLI/oNTIYf64t
+            +t5dkS8DRb/+iSRIMfP5rIY3Vo8qWiMy8KJW+GgPOo8wLEpkRyjAvA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-03-12T16:48:23Z"
+    mac: ENC[AES256_GCM,data:iUzppA+NV3LcZgo5HQLRt5HXONSbQ1PKMfd02ULho7lLpz6HyvCzdBdyUrF0+vUe/WO2BdbY3tGwmt7MEgG7aBIvCscfFKoX5enetOQxKacHBtD8mFBaLF9NIujiSWLQ6j/C9mALcKTJhQgV7eG47jMNiCERe1KJ3P0Z3wl6lhg=,iv:wrE77/hBAtvVmVzaO37pXEdJwRP9YU+CQxt8R/gIvXA=,tag:QSjf2QmJXUFmh7YPoBiJdQ==,type:str]
+    pgp: []
+    unencrypted_regex: ^(apiVersion|metadata|kind|type)$
+    version: 3.8.1

obsidian/config/values.yaml

@@ -0,0 +1,23 @@
+clusterSize: 3
+
+createAdminSecret: false
+
+couchdbConfig:
+  couchdb:
+    uuid: 04D9BED5-7280-4E43-9C86-1C3EEC1944FB
+  chttpd:
+    require_valid_user: "true"
+    enable_cors: "true"
+  chttpd_auth:
+    allow_persistent_cookies: "true"
+  cors:
+    credentials: 'true'
+    origins: 'app://obsidian.md'
+    methods: 'GET,PUT,POST,HEAD,DELETE'
+
+persistentVolume:
+  enabled: true
+  size: 10Gi
+  storageClass: hcloud-volumes
+  accessModes:
+    - ReadWriteOnce

obsidian/kustomization.yaml

@@ -0,0 +1,38 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: obsidian
+
+images:
+  - name: caddy
+    newName: caddy
+    newTag: 2.7.6-alpine
+
+labels:
+- includeSelectors: true
+  pairs:
+    app.kubernetes.io/instance: obsidian
+    app.kubernetes.io/managed-by: kustomize
+
+resources:
+  - resources/namespace.yaml
+  - resources/http_routes.yaml
+  - resources/caddy_deployment.yaml
+  - resources/service.yaml
+
+helmCharts:
+  - name: couchdb
+    repo: https://apache.github.io/couchdb-helm/
+    releaseName: obsidian
+    namespace: obsidian
+    version: 4.5.0
+    valuesFile: config/values.yaml
+    skipTests: true
+
+configMapGenerator:
+  - name: caddy-hack
+    files:
+      - Caddyfile=config/Caddyfile
+
+generators:
+  - ./secret-generator.yaml

obsidian/resources/caddy_deployment.yaml

@@ -0,0 +1,39 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: caddy-hack
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: caddy-hack
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: caddy-hack
+    spec:
+      containers:
+        - name: caddy
+          image: caddy
+          command:
+            - caddy
+          args:
+            - run
+            - -c
+            - /etc/caddy/Caddyfile
+          ports:
+            - containerPort: 8080
+              protocol: TCP
+              name: web
+          resources:
+            limits:
+              cpu: 10m
+              memory: 30Mi
+          volumeMounts:
+            - name: config
+              mountPath: /etc/caddy
+      volumes:
+        - name: config
+          configMap:
+            name: caddy-hack

obsidian/resources/http_routes.yaml

@@ -0,0 +1,56 @@
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: obsidian-db-http
+spec:
+  parentRefs:
+  - name: contour
+    sectionName: http
+    namespace: projectcontour
+  hostnames:
+  - obsidian-db.icb4dc0.de
+  rules:
+  - filters:
+    - type: RequestRedirect
+      requestRedirect:
+        scheme: https
+        statusCode: 301
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+  name: obsidian-db-https
+spec:
+  parentRefs:
+  - name: contour
+    sectionName: https
+    namespace: projectcontour
+  hostnames:
+  - obsidian-db.icb4dc0.de
+  rules:
+  - matches:
+      - method: OPTIONS
+        headers:
+          - name: Origin
+            value: 'app://obsidian.md'
+    filters:
+      - type: ResponseHeaderModifier
+        responseHeaderModifier:
+          add:
+            - name: Access-Control-Allow-Origin
+              value: 'app://obsidian.md'
+            - name: Access-Control-Allow-Methods
+              value: 'GET,PUT,POST,HEAD,DELETE'
+            - name: Access-Control-Allow-Credentials
+              value: 'true'
+            - name: Access-Control-Allow-Headers
+              value: 'accept,authorization,content-type,origin,referer'
+            - name: Access-Control-Max-Age
+              value: '3600'
+    backendRefs:
+      - name: caddy-hack
+        port: 8080
+  - backendRefs:
+    - name: obsidian-svc-couchdb
+      port: 5984

obsidian/resources/namespace.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: obsidian
+  labels:
+    prometheus: default

obsidian/resources/service.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: caddy-hack
+spec:
+  selector:
+    app.kubernetes.io/name: caddy-hack
+  ports:
+    - protocol: TCP
+      port: 8080
+      targetPort: 8080

obsidian/secret-generator.yaml

@@ -0,0 +1,11 @@
+apiVersion: viaduct.ai/v1
+kind: ksops
+metadata:
+  # Specify a name
+  name: obsidian-secret-generator
+  annotations:
+    config.kubernetes.io/function: |
+        exec:
+          path: ksops
+files:
+  - config/admin-secret.enc.yaml