sbbb/overlays/production/kustomization.yaml
Sienna Meridian Satterwhite e5741c4df6 feat: integrate tuwunel with Ory SSO, rename chat to messages subdomain
- Add matrix to hydra-maester enabledNamespaces for OAuth2Client CRD
- Update allowed_return_urls and selfservice URLs: chat→messages
- Add Kratos verification flow, employee/external identity schemas
- Extend session lifespan to 30 days with persistent cookies
- Route messages.* to tuwunel via Pingora with WebSocket support
- Replace login-ui with kratos-admin-ui as unified auth frontend
- Update TLS certificate SANs: chat→messages, add monitoring subdomains
- Add tuwunel + La Suite images to production overlay
- Switch DDoS/scanner detection to compiled-in ensemble models (observe_only)
2026-03-10 18:52:47 +00:00


apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
# Production overlay — targets Scaleway Elastic Metal (Paris)
#
# Deploy (DOMAIN_SUFFIX and ACME_EMAIL are substituted by sunbeam apply):
# sunbeam apply --env production --domain yourdomain.com
#
# NOTE(review): the DOMAIN_SUFFIX substitution is done by `sunbeam apply`, not by
# kustomize, so a bare `kustomize build` of this directory emits image names of
# the form src.DOMAIN_SUFFIX/... that cannot be pulled. Render through sunbeam
# (or substitute first) when diffing what actually ships to the cluster.
resources:
- ../../base/build
- ../../base/longhorn
- ../../base/cert-manager
- ../../base/ingress
- ../../base/ory
- ../../base/data
- ../../base/storage
- ../../base/lasuite
- ../../base/media
- ../../base/devtools
- ../../base/vso
- ../../base/monitoring
- ../../base/matrix
# cert-manager ClusterIssuer + Certificate (requires cert-manager to be installed)
- cert-manager.yaml
# CNPG daily backup schedule
- postgres-scheduled-backup.yaml
# Image overrides: every entry below re-points a base image name at the Gitea
# registry under src.DOMAIN_SUFFIX and tracks the mutable `latest` tag.
#
# Supply-chain caveat (review): with a mutable tag, the image running in
# production is whatever was most recently pushed under that name, so
#   - a deploy from a given git revision is not reproducible;
#   - reverting this file does not roll an image back;
#   - Kubernetes defaults imagePullPolicy to Always for `latest`, so a plain
#     pod restart can silently pick up a newer build;
#   - push access to the studio/* registry repos is, in effect, write access to
#     production without a change landing here.
# The kustomize images transformer accepts `digest: sha256:...` next to
# newName/newTag; have the `sunbeam build` step emit the digest and pin it here.
# No digests are recorded on this page, so none are filled in below.
images:
# La Gaufre integration service — built and pushed by `sunbeam build integration`
- name: integration
  newName: src.DOMAIN_SUFFIX/studio/integration
  newTag: latest
# Meet — built from source and pushed to Gitea registry.
- name: meet-backend
  newName: src.DOMAIN_SUFFIX/studio/meet-backend
  newTag: latest
- name: meet-frontend
  newName: src.DOMAIN_SUFFIX/studio/meet-frontend
  newTag: latest
# people-frontend — built from source with estudio theme baked in.
- name: lasuite/people-frontend
  newName: src.DOMAIN_SUFFIX/studio/people-frontend
  newTag: latest
# Messages — built from source and pushed to Gitea registry.
- name: messages-backend
  newName: src.DOMAIN_SUFFIX/studio/messages-backend
  newTag: latest
- name: messages-frontend
  newName: src.DOMAIN_SUFFIX/studio/messages-frontend
  newTag: latest
- name: messages-mta-in
  newName: src.DOMAIN_SUFFIX/studio/messages-mta-in
  newTag: latest
- name: messages-mta-out
  newName: src.DOMAIN_SUFFIX/studio/messages-mta-out
  newTag: latest
- name: messages-mpa
  newName: src.DOMAIN_SUFFIX/studio/messages-mpa
  newTag: latest
- name: messages-socks-proxy
  newName: src.DOMAIN_SUFFIX/studio/messages-socks-proxy
  newTag: latest
# Tuwunel Matrix homeserver — built and pushed by `sunbeam build tuwunel`
- name: tuwunel
  newName: src.DOMAIN_SUFFIX/studio/tuwunel
  newTag: latest
patches:
# Pingora host ports — bind :80/:443 to the host network
# NOTE(review): a host-network bind is reachable on the node's own address and is
# not fronted by a Service; NetworkPolicy enforcement on hostNetwork/hostPort
# traffic varies by CNI, so confirm any rules relied on here actually match
# this path.
- path: patch-pingora-hostport.yaml
# Production resource limits for 64 GiB server
- path: values-resources.yaml
# LiveKit TURN service: ClusterIP (Pingora routes TURN traffic on :443)
- path: patch-livekit-service.yaml
# CNPG: production sizing (500 Gi, 8 Gi RAM) + barman S3 backup config
- path: patch-postgres-production.yaml
# OpenSearch: expand PVC to 50 Gi
- path: patch-opensearch-storage.yaml
# Tuwunel: production resource limits and PVC sizing
- path: patch-tuwunel.yaml
# SeaweedFS volume: expand PVC to 600 Gi
- path: patch-seaweedfs-volume-size.yaml
# MTA-in: bind port 25 to the host for inbound email delivery
# NOTE(review): this JSON patch addresses containers[0].ports[0] by index. If the
# base Deployment ever reorders its containers or ports, a different port gets
# published on the host and kustomize will not complain — re-check that ports[0]
# is the SMTP listener whenever the base changes. Host port 25 on an Elastic
# Metal node is presumably Internet-facing, which makes messages-mta-in the
# unauthenticated inbound surface; its relay and recipient-domain restrictions
# live in the MTA's own config, not in this overlay. A hostPort also limits the
# Deployment to one pod per node (a second replica on the same node cannot
# schedule), so keep replicas in the base consistent with that.
- patch: |
    - op: add
      path: /spec/template/spec/containers/0/ports/0/hostPort
      value: 25
  target:
    kind: Deployment
    name: messages-mta-in
    namespace: lasuite