Merge pull request #1 from nycmeshnet/james/test

Updates

.github/workflows/deploy.yaml

@@ -0,0 +1,24 @@
+name: Deploy
+
+on:
+  push:
+    branches: [ master, james/test ]
+
+permissions: read-all
+
+jobs:
+  deploy_to_dev3:
+    name: Deploy to dev 3
+    uses: ./.github/workflows/helm_deploy.yaml
+    with:
+      environment: dev3
+    secrets: inherit
+    #if: github.ref == 'refs/heads/main'
+
+  deploy_to_prod1:
+    name: Deploy to prod 1
+    uses: ./.github/workflows/helm_deploy.yaml
+    with:
+      environment: prod1
+    secrets: inherit
+    if: github.ref == 'refs/heads/main'

.github/workflows/helm_deploy.yaml

@@ -0,0 +1,57 @@
+name: Deploy Helm Chart
+permissions: read-all
+
+on:
+  workflow_call:
+    inputs:
+      environment:
+        required: true
+        type: string
+
+jobs:
+  helm_deploy:
+      name: Deploy helm chart
+      environment: ${{ inputs.environment }}
+      runs-on: ubuntu-latest
+      steps:
+      - name: Check out the repo
+        uses: actions/checkout@v4
+
+      - name: Install SSH key
+        uses: shimataro/ssh-key-action@d4fffb50872869abe2d9a9098a6d9c5aa7d16be4 # v2
+        with:
+          key: ${{ secrets.SSH_PRIVATE_KEY }}
+          name: id_ed25519 # optional
+          known_hosts: ${{ secrets.SSH_KNOWN_HOSTS }}
+          if_key_exists: fail # replace / ignore / fail; optional (defaults to fail)
+
+      - name: Setup WireGuard
+        run:  |
+          sudo apt install wireguard
+          echo "${{ secrets.WIREGUARD_PRIVATE_KEY }}" > privatekey
+          sudo ip link add dev wg1 type wireguard
+          sudo ip address add dev wg1 ${{ secrets.WIREGUARD_OVERLAY_NETWORK_IP }} peer ${{ secrets.SSH_TARGET_IP }}
+          sudo wg set wg1 listen-port 48123 private-key privatekey peer ${{ secrets.WIREGUARD_PEER_PUBLIC_KEY }} allowed-ips 0.0.0.0/0 endpoint ${{ secrets.WIREGUARD_ENDPOINT }}
+          sudo ip link set up dev wg1
+
+      - name: Install Helm Chart
+        run: |
+          scp ${{ secrets.SSH_USER }}@${{ secrets.SSH_TARGET_IP }}:~/.kube/config ./
+          helm upgrade \
+            wiki \
+            bookstack-helm \
+            --install \
+            --kubeconfig ./config \
+            --kube-apiserver https://${{ secrets.SSH_TARGET_IP }}:6443 \
+            -n ${{ vars.APP_NAMESPACE }} \
+            --create-namespace \
+            -f ./bookstack-helm/values.yaml \
+            --set bookstack.fqdn="${{ vars.FQDN }}" \
+            --set bookstack.db.username="${{ secrets.DB_USERNAME }}" \
+            --set bookstack.db.password="${{ secrets.DB_PASSWORD }}" \
+            --set bookstack.db.root_password="${{ secrets.ROOT_PASSWORD }}" \
+            --set bookstack.mail.username="${{ secrets.MAIL_USERNAME }}" \
+            --set bookstack.mail.password="${{ secrets.MAIL_PASSWORD }}" \
+            --set bookstack.aws.access_key_id="${{ secrets.ACCESS_KEY_ID }}" \
+            --set bookstack.aws.secret_access_key="${{ secrets.SECRET_ACCESS_KEY }}" \
+            --set bookstack.aws.backup_s3_url="${{ secrets.BACKUP_S3_URL }}"

README.md

@@ -1 +1,110 @@
-# Wiki Infra
+# Wiki Infra
+
+## Backups
+
+```
+docker exec 55fb8319dfd0 tar -chvf /config/wiki.tar /app/www/public/uploads/ /app/www/storage/uploads/ /app/www/public/img/
+
+docker exec 00bf1e961d6b mysqldump -u bookstack --password=$THE_REAL_THING bookstackapp > wiki.sql
+
+tar --append -f wiki.tar wiki.sql
+
+gzip < wiki.tar > wiki.tgz
+
+# upload the tgz to s3...
+```
+
+## Restore
+
+1. Create `restore.yaml`
+
+```yaml
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: restorejob
+  namespace: wiki
+spec:
+  template:
+    spec:
+      containers:
+      - name: restorejob
+        image: lscr.io/linuxserver/mariadb
+        command:
+          - /bin/bash
+          - /restore.sh
+        volumeMounts:
+          - name: backup-script
+            mountPath: /restore.sh
+            subPath: restore.sh
+            readOnly: true
+          - name: config-vol
+            mountPath: /config
+          - name: image-uploads-vol
+            mountPath: /app/www/public/img
+        env:
+          - name: RESTORE_S3_URL
+            value: "s3://.../backups/wiki.tgz"
+          - name: DB_HOST
+            valueFrom:
+              configMapKeyRef:
+                name: wikiconfig
+                key: DB_HOST
+          - name: DB_USER
+            valueFrom:
+              secretKeyRef:
+                name: wiki-secrets
+                key: db-username
+          - name: DB_DATABASE
+            valueFrom:
+              configMapKeyRef:
+                name: wikiconfig
+                key: DB_DATABASE
+          - name: DB_PASS
+            valueFrom:
+              secretKeyRef:
+                name: wiki-secrets
+                key: db-password
+          - name: AWS_ACCESS_KEY_ID
+            valueFrom:
+              secretKeyRef:
+                name: wiki-secrets
+                key: access-key-id
+          - name: AWS_SECRET_ACCESS_KEY
+            valueFrom:
+              secretKeyRef:
+                name: wiki-secrets
+                key: secret-access-key
+      restartPolicy: OnFailure
+      volumes:
+        - name: backup-script
+          configMap:
+            name: backup-script
+            items:
+              - key: restore.sh
+                path: restore.sh
+        - name: config-vol
+          persistentVolumeClaim:
+            claimName: wikiconfig
+        - name: image-uploads-vol
+          persistentVolumeClaim:
+            claimName: wikiimages
+```
+
+2. Run the restore job
+
+```
+kubectl scale --replicas=0 deployment.apps/wiki-bookstack-helm-bookstack -n wiki
+kubectl apply -f restore.yaml
+# wait for it to complete
+kubectl get all -n wiki
+kubectl scale --replicas=1 deployment.apps/wiki-bookstack-helm-bookstack -n wiki
+```
+
+3. If the url is changing, you may need the following:
+
+```
+kubectl exec -n wiki -it pod/wiki-bookstack-helm-bookstack-695945475d-mrlhf bash
+cd /app/www
+php artisan bookstack:update-url https://wiki.mesh.nycmesh.net https://devwiki.mesh.nycmesh.net
+```

bookstack-helm/templates/backup.yaml

@@ -0,0 +1,67 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: backupjob
+  namespace: {{ .Values.meshwiki_app_namespace }}
+spec:
+  schedule: {{ .Values.bookstack.backup.cron_schedule | quote }}
+  jobTemplate:
+    spec:
+      template:
+        spec:
+          restartPolicy: OnFailure
+          containers:
+            - name: backupjob
+              image: "{{ .Values.db_image.repository }}:{{ .Values.db_image.tag }}"
+              imagePullPolicy: {{ .Values.db_image.pullPolicy }}
+              command:
+                - /bin/bash
+                - /backup.sh
+              volumeMounts:
+                - name: backup-script
+                  mountPath: /backup.sh
+                  subPath: backup.sh
+                  readOnly: true
+              env:
+                - name: DB_HOST
+                  valueFrom:
+                    configMapKeyRef:
+                      name: wikiconfig
+                      key: DB_HOST
+                - name: DB_DATABASE
+                  valueFrom:
+                    configMapKeyRef:
+                      name: wikiconfig
+                      key: DB_DATABASE
+                - name: DB_USER
+                  valueFrom:
+                    secretKeyRef:
+                      name: wiki-secrets
+                      key: db-username
+                - name: DB_PASS
+                  valueFrom:
+                    secretKeyRef:
+                      name: wiki-secrets
+                      key: db-password
+                - name: BACKUP_S3_URL
+                  valueFrom:
+                    secretKeyRef:
+                      name: wiki-secrets
+                      key: backup-s3-url
+                - name: AWS_ACCESS_KEY_ID
+                  valueFrom:
+                    secretKeyRef:
+                      name: wiki-secrets
+                      key: access-key-id
+                - name: AWS_SECRET_ACCESS_KEY
+                  valueFrom:
+                    secretKeyRef:
+                      name: wiki-secrets
+                      key: secret-access-key
+          volumes:
+            - name: backup-script
+              configMap:
+                name: backup-script
+                items:
+                  - key: backup.sh
+                    path: backup.sh

bookstack-helm/templates/backupscript.yaml

@@ -0,0 +1,31 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: backup-script
+  namespace: {{ .Values.meshwiki_app_namespace }}
+data:
+  backup.sh: |
+    echo "Dumping db"
+    mysqldump -h "$DB_HOST" -u "$DB_USER" --password="$DB_PASS" "$DB_DATABASE" > wiki.sql
+    echo "Creating tarball"
+    backup_name="wiki_backup_$(date +%s).tar.gz"
+    tar -chzvf $backup_name wiki.sql /app/www/public/uploads/ /app/www/storage/uploads/ /app/www/public/img/
+    echo "push to s3"
+    apk add aws-cli
+    aws s3 cp ./$backup_name "$BACKUP_S3_URL"
+    echo "done"
+  restore.sh: |
+    echo "Checking if restore is needed"
+    echo "Restore file is: $RESTORE_S3_URL"
+    if [ ! -z "$RESTORE_S3_URL" ]; then
+      echo "Restoring from $RESTORE_S3_URL"
+      apk add aws-cli
+      aws s3 cp "$RESTORE_S3_URL" /tmp/restore.tgz
+      echo "downloaded tarball"
+      tar -xzf /tmp/restore.tgz -C /
+      echo "Files restored"
+      mysql -h "$DB_HOST" -u "$DB_USER" --password="$DB_PASS" $DB_DATABASE < /wiki.sql
+    else
+      echo "Not restoring"
+    fi
+    echo "done"

bookstack-helm/templates/bookstack.yaml

@@ -17,6 +17,7 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       labels:
+        app: bookstack
         {{- include "bookstack-helm.labels" . | nindent 8 }}
         {{- with .Values.podLabels }}
         {{- toYaml . | nindent 8 }}
@@ -40,6 +41,16 @@ spec:
                 configMapKeyRef:
                   name: wikiconfig
                   key: TZ
+            - name: PUID
+              valueFrom:
+                configMapKeyRef:
+                  name: wikiconfig
+                  key: PUID
+            - name: PGID
+              valueFrom:
+                configMapKeyRef:
+                  name: wikiconfig
+                  key: PGID
             - name: APP_URL
               valueFrom:
                 configMapKeyRef:
@@ -95,12 +106,12 @@ spec:
                 configMapKeyRef:
                   name: wikiconfig
                   key: DB_DATABASE
-            - name: DB_USERNAME
+            - name: DB_USER
               valueFrom:
                 secretKeyRef:
                   name: wiki-secrets
                   key: db-username
-            - name: DB_PASSWORD
+            - name: DB_PASS
               valueFrom:
                 secretKeyRef:
                   name: wiki-secrets

bookstack-helm/templates/bookstack_service.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ include "bookstack-helm.fullname" . }}-bookstack
+  namespace: {{ .Values.meshwiki_app_namespace }}
+  labels:
+    {{- include "bookstack-helm.labels" . | nindent 4 }}
+spec:
+  type: NodePort
+  ports:
+    - port: {{ .Values.bookstack.port }}
+      targetPort: {{ .Values.bookstack.port }}
+      protocol: TCP
+      name: http
+      nodePort: 30875
+  selector:
+    app: bookstack

bookstack-helm/templates/configmap.yaml

@@ -4,7 +4,9 @@ metadata:
   name: wikiconfig
   namespace: {{ .Values.meshwiki_app_namespace }}
 data:
-  APP_URL: {{ .Values.bookstack.app_url | quote }}
+  APP_URL: https://{{ .Values.bookstack.fqdn }}
+  PUID: {{ .Values.bookstack.uid | quote }}
+  PGID: {{ .Values.bookstack.gid | quote }}
   DB_HOST: {{ include "bookstack-helm.fullname" . }}-db.{{ .Values.meshwiki_app_namespace }}.svc.cluster.local
   DB_DATABASE: {{ .Values.bookstack.db.database_name | quote }}
   TZ: {{ .Values.timezone | quote }}

bookstack-helm/templates/db.yaml

@@ -17,7 +17,8 @@ spec:
         {{- toYaml . | nindent 8 }}
       {{- end }}
       labels:
-        {{- include "bookstack-helm.labels" . | nindent 8 }}
+        app: wiki-db
+        {{- include "bookstack-helm.labels" . | nindent 8 }}-db
         {{- with .Values.podLabels }}
         {{- toYaml . | nindent 8 }}
         {{- end }}
@@ -31,8 +32,8 @@ spec:
           image: "{{ .Values.db_image.repository }}:{{ .Values.db_image.tag }}"
           imagePullPolicy: {{ .Values.db_image.pullPolicy }}
           ports:
-            - name: http
-              containerPort: {{ .Values.service.port }}
+            - name: db
+              containerPort: {{ .Values.bookstack.db.port }}
               protocol: TCP
           env:
             - name: TZ