feat: La Suite email/messages, buildkitd, monitoring, vault and storage updates

- Add Messages (email) service: backend, frontend, MTA in/out, MPA, SOCKS proxy, worker, DKIM config, and theme customization - Add Collabora deployment for document collaboration - Add Drive frontend nginx config and values - Add buildkitd namespace for in-cluster container builds - Add SeaweedFS remote sync and additional S3 buckets - Update vault secrets across namespaces (devtools, lasuite, media, monitoring, ory, storage) with expanded credential management - Update monitoring: rename grafana→metrics OAuth2Client, add Prometheus remote write and additional scrape configs - Update local/production overlays with resource patches - Remove stale login-ui resource patch from production overlay
2026-03-10 19:00:57 +00:00
parent e5741c4df6
commit ccfe8b877a
50 changed files with 1885 additions and 236 deletions
--- a/base/storage/kustomization.yaml
+++ b/base/storage/kustomization.yaml
@@ -11,3 +11,4 @@ resources:
  - seaweedfs-filer.yaml
  - seaweedfs-filer-pvc.yaml
  - vault-secrets.yaml
+  - seaweedfs-remote-sync.yaml
--- a/base/storage/seaweedfs-remote-sync.yaml
+++ b/base/storage/seaweedfs-remote-sync.yaml
@@ -0,0 +1,62 @@
+# SeaweedFS S3 mirror — hourly mc mirror from SeaweedFS → Scaleway Object Storage.
+# Mirrors all buckets to s3://sunbeam-backups/seaweedfs/<bucket>/.
+# No --remove: deleted files are left in Scaleway (versioning provides recovery window).
+# concurrencyPolicy: Forbid prevents overlap if a run takes longer than an hour.
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: seaweedfs-s3-mirror
+  namespace: storage
+spec:
+  schedule: "0 * * * *"
+  concurrencyPolicy: Forbid
+  successfulJobsHistoryLimit: 3
+  failedJobsHistoryLimit: 3
+  jobTemplate:
+    spec:
+      activeDeadlineSeconds: 3300
+      template:
+        spec:
+          restartPolicy: OnFailure
+          containers:
+            - name: mirror
+              image: minio/mc:latest
+              command: ["/bin/sh", "-c"]
+              args:
+                - |
+                  set -e
+                  mc alias set seaweed \
+                    http://seaweedfs-filer.storage.svc.cluster.local:8333 \
+                    "${S3_ACCESS_KEY}" "${S3_SECRET_KEY}"
+                  mc alias set scaleway \
+                    https://s3.fr-par.scw.cloud \
+                    "${ACCESS_KEY_ID}" "${SECRET_ACCESS_KEY}"
+                  mc mirror --overwrite seaweed/ scaleway/sunbeam-backups/seaweedfs/
+              env:
+                - name: S3_ACCESS_KEY
+                  valueFrom:
+                    secretKeyRef:
+                      name: seaweedfs-s3-credentials
+                      key: S3_ACCESS_KEY
+                - name: S3_SECRET_KEY
+                  valueFrom:
+                    secretKeyRef:
+                      name: seaweedfs-s3-credentials
+                      key: S3_SECRET_KEY
+                - name: ACCESS_KEY_ID
+                  valueFrom:
+                    secretKeyRef:
+                      name: scaleway-s3-creds
+                      key: ACCESS_KEY_ID
+                - name: SECRET_ACCESS_KEY
+                  valueFrom:
+                    secretKeyRef:
+                      name: scaleway-s3-creds
+                      key: SECRET_ACCESS_KEY
+              resources:
+                requests:
+                  memory: 128Mi
+                  cpu: 10m
+                limits:
+                  memory: 512Mi
--- a/base/storage/seaweedfs-volume.yaml
+++ b/base/storage/seaweedfs-volume.yaml
@@ -46,7 +46,7 @@ spec:
        accessModes: ["ReadWriteOnce"]
        resources:
          requests:
-            storage: 20Gi
+            storage: 400Gi
 ---
 apiVersion: v1
 kind: Service
--- a/base/storage/vault-secrets.yaml
+++ b/base/storage/vault-secrets.yaml
@@ -11,6 +11,31 @@ spec:
    role: vso
    serviceAccount: default
 ---
+# Scaleway S3 credentials for SeaweedFS remote sync.
+# Same KV path as barman; synced separately so storage namespace has its own Secret.
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: scaleway-s3-creds
+  namespace: storage
+spec:
+  vaultAuthRef: vso-auth
+  mount: secret
+  type: kv-v2
+  path: scaleway-s3
+  refreshAfter: 30s
+  destination:
+    name: scaleway-s3-creds
+    create: true
+    overwrite: true
+    transformation:
+      excludeRaw: true
+      templates:
+        ACCESS_KEY_ID:
+          text: "{{ index .Secrets \"access-key-id\" }}"
+        SECRET_ACCESS_KEY:
+          text: "{{ index .Secrets \"secret-access-key\" }}"
+---
 apiVersion: secrets.hashicorp.com/v1beta1
 kind: VaultStaticSecret
 metadata:
@@ -22,6 +47,9 @@ spec:
  type: kv-v2
  path: seaweedfs
  refreshAfter: 30s
+  rolloutRestartTargets:
+    - kind: Deployment
+      name: seaweedfs-filer
  destination:
    name: seaweedfs-s3-credentials
    create: true
@@ -45,6 +73,9 @@ spec:
  type: kv-v2
  path: seaweedfs
  refreshAfter: 30s
+  rolloutRestartTargets:
+    - kind: Deployment
+      name: seaweedfs-filer
  destination:
    name: seaweedfs-s3-json
    create: true