chore: initial infrastructure scaffold

Kustomize base + overlays for the full Sunbeam k3s stack: - base/mesh — Linkerd edge (crds + control-plane + viz) - base/ingress — custom Pingora edge proxy - base/ory — Kratos 0.60.1 + Hydra 0.60.1 + login-ui - base/data — CloudNativePG 0.27.1, Valkey 8, OpenSearch 2 - base/storage — SeaweedFS master + volume + filer (S3 on :8333) - base/lasuite — Hive sync daemon + La Suite app placeholders - base/media — LiveKit livekit-server 1.9.0 - base/devtools — Gitea 12.5.0 (external PG + Valkey) overlays/local — sslip.io domain, mkcert TLS, Lima hostPort overlays/production — stub (TODOs for sunbeam.pt values) scripts/ — local-up/down/certs/urls helpers justfile — up / down / certs / urls targets
2026-02-28 13:42:27 +00:00
commit 5d9bd7b067
51 changed files with 2647 additions and 0 deletions
--- a/base/ory/hydra-values.yaml
+++ b/base/ory/hydra-values.yaml
@@ -0,0 +1,45 @@
+# Base Ory Hydra Helm values.
+# DOMAIN_SUFFIX is replaced by overlay patches.
+# DSN and system secrets come from the overlay-specific Secret.
+
+hydra:
+  config:
+    dsn: "postgresql://hydra:$(HYDRA_DB_PASSWORD)@postgres-rw.data.svc.cluster.local:5432/hydra_db"
+
+    urls:
+      self:
+        issuer: https://auth.DOMAIN_SUFFIX/
+      consent: https://auth.DOMAIN_SUFFIX/consent
+      login: https://auth.DOMAIN_SUFFIX/login
+      logout: https://auth.DOMAIN_SUFFIX/logout
+      error: https://auth.DOMAIN_SUFFIX/error
+
+    secrets:
+      system:
+        - $(HYDRA_SYSTEM_SECRET)
+      cookie:
+        - $(HYDRA_COOKIE_SECRET)
+
+    oidc:
+      subject_identifiers:
+        supported_types:
+          - public
+        pairwise:
+          salt: $(HYDRA_PAIRWISE_SALT)
+
+    serve:
+      cookies:
+        same_site_mode: Lax
+      public:
+        cors:
+          enabled: true
+          allowed_origins:
+            - https://*.DOMAIN_SUFFIX
+
+deployment:
+  resources:
+    limits:
+      memory: 64Mi
+    requests:
+      memory: 32Mi
+      cpu: 25m
--- a/base/ory/kratos-values.yaml
+++ b/base/ory/kratos-values.yaml
@@ -0,0 +1,60 @@
+# Base Ory Kratos Helm values.
+# DOMAIN_SUFFIX is replaced by overlay patches (sunbeam.pt / <LIMA_IP>.sslip.io).
+# DSN and SMTP credentials come from the overlay-specific Secret.
+
+kratos:
+  config:
+    version: v0.13.0
+
+    dsn: "postgresql://kratos:$(KRATOS_DB_PASSWORD)@postgres-rw.data.svc.cluster.local:5432/kratos_db"
+
+    selfservice:
+      default_browser_return_url: https://auth.DOMAIN_SUFFIX/
+      allowed_return_urls:
+        - https://auth.DOMAIN_SUFFIX/
+        - https://docs.DOMAIN_SUFFIX/
+        - https://meet.DOMAIN_SUFFIX/
+        - https://drive.DOMAIN_SUFFIX/
+        - https://mail.DOMAIN_SUFFIX/
+        - https://chat.DOMAIN_SUFFIX/
+        - https://people.DOMAIN_SUFFIX/
+        - https://src.DOMAIN_SUFFIX/
+      flows:
+        login:
+          ui_url: https://auth.DOMAIN_SUFFIX/login
+        registration:
+          ui_url: https://auth.DOMAIN_SUFFIX/registration
+        recovery:
+          ui_url: https://auth.DOMAIN_SUFFIX/recovery
+        settings:
+          ui_url: https://auth.DOMAIN_SUFFIX/settings
+
+    identity:
+      default_schema_id: default
+      schemas:
+        - id: default
+          url: file:///etc/config/kratos/identity.schema.json
+
+    courier:
+      smtp:
+        connection_uri: "smtp://$(SMTP_USER):$(SMTP_PASSWORD)@localhost:25/"
+        from_address: no-reply@DOMAIN_SUFFIX
+        from_name: Sunbeam
+
+    serve:
+      public:
+        base_url: https://auth.DOMAIN_SUFFIX/kratos/
+        cors:
+          enabled: true
+          allowed_origins:
+            - https://*.DOMAIN_SUFFIX
+      admin:
+        base_url: http://kratos-admin.ory.svc.cluster.local:4434/
+
+deployment:
+  resources:
+    limits:
+      memory: 64Mi
+    requests:
+      memory: 32Mi
+      cpu: 25m
--- a/base/ory/kustomization.yaml
+++ b/base/ory/kustomization.yaml
@@ -0,0 +1,24 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: ory
+
+resources:
+  - namespace.yaml
+  - login-ui-deployment.yaml
+
+helmCharts:
+  # helm repo add ory https://k8s.ory.sh/helm/charts
+  - name: kratos
+    repo: https://k8s.ory.sh/helm/charts
+    version: "0.60.1"
+    releaseName: kratos
+    namespace: ory
+    valuesFile: kratos-values.yaml
+
+  - name: hydra
+    repo: https://k8s.ory.sh/helm/charts
+    version: "0.60.1"
+    releaseName: hydra
+    namespace: ory
+    valuesFile: hydra-values.yaml
--- a/base/ory/login-ui-deployment.yaml
+++ b/base/ory/login-ui-deployment.yaml
@@ -0,0 +1,49 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: login-ui
+  namespace: ory
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: login-ui
+  template:
+    metadata:
+      labels:
+        app: login-ui
+    spec:
+      containers:
+        - name: login-ui
+          image: ghcr.io/sunbeam-studio/login-ui:latest
+          ports:
+            - name: http
+              containerPort: 3000
+              protocol: TCP
+          env:
+            - name: KRATOS_PUBLIC_URL
+              value: "http://kratos-public.ory.svc.cluster.local:4433"
+            - name: HYDRA_ADMIN_URL
+              value: "http://hydra-admin.ory.svc.cluster.local:4445"
+            - name: PORT
+              value: "3000"
+          resources:
+            limits:
+              memory: 64Mi
+            requests:
+              memory: 32Mi
+              cpu: 25m
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: login-ui
+  namespace: ory
+spec:
+  selector:
+    app: login-ui
+  ports:
+    - name: http
+      port: 3000
+      targetPort: 3000
+      protocol: TCP
--- a/base/ory/namespace.yaml
+++ b/base/ory/namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: ory
+  annotations:
+    linkerd.io/inject: enabled