2026-01-16 23:52:56 -03:00
|
|
|
# services/finance/firefly-deployment.yaml
|
|
|
|
|
apiVersion: apps/v1
|
|
|
|
|
kind: Deployment
|
|
|
|
|
metadata:
|
|
|
|
|
name: firefly
|
|
|
|
|
namespace: finance
|
|
|
|
|
labels:
|
|
|
|
|
app: firefly
|
|
|
|
|
spec:
|
|
|
|
|
replicas: 1
|
|
|
|
|
selector:
|
|
|
|
|
matchLabels:
|
|
|
|
|
app: firefly
|
|
|
|
|
strategy:
|
|
|
|
|
type: RollingUpdate
|
|
|
|
|
rollingUpdate:
|
|
|
|
|
maxSurge: 0
|
|
|
|
|
maxUnavailable: 1
|
|
|
|
|
template:
|
|
|
|
|
metadata:
|
|
|
|
|
labels:
|
|
|
|
|
app: firefly
|
|
|
|
|
annotations:
|
|
|
|
|
vault.hashicorp.com/agent-inject: "true"
|
|
|
|
|
vault.hashicorp.com/role: "finance"
|
|
|
|
|
vault.hashicorp.com/agent-inject-secret-firefly-env.sh: "kv/data/atlas/finance/firefly-db"
|
|
|
|
|
vault.hashicorp.com/agent-inject-template-firefly-env.sh: |
|
|
|
|
|
{{ with secret "kv/data/atlas/finance/firefly-db" }}
|
|
|
|
|
export DB_CONNECTION="pgsql"
|
|
|
|
|
export DB_HOST="{{ .Data.data.DB_HOST }}"
|
|
|
|
|
export DB_PORT="{{ .Data.data.DB_PORT }}"
|
|
|
|
|
export DB_DATABASE="{{ .Data.data.DB_DATABASE }}"
|
|
|
|
|
export DB_USERNAME="{{ .Data.data.DB_USERNAME }}"
|
|
|
|
|
export DB_PASSWORD="$(cat /vault/secrets/firefly-db-password)"
|
|
|
|
|
{{ end }}
|
|
|
|
|
{{ with secret "kv/data/atlas/finance/firefly-secrets" }}
|
|
|
|
|
export APP_KEY="$(cat /vault/secrets/firefly-app-key)"
|
|
|
|
|
export STATIC_CRON_TOKEN="$(cat /vault/secrets/firefly-cron-token)"
|
|
|
|
|
{{ end }}
|
|
|
|
|
{{ with secret "kv/data/atlas/shared/postmark-relay" }}
|
2026-01-18 09:21:33 -03:00
|
|
|
export MAIL_USERNAME="{{ index .Data.data "apikey" }}"
|
|
|
|
|
export MAIL_PASSWORD="{{ index .Data.data "apikey" }}"
|
2026-01-16 23:52:56 -03:00
|
|
|
{{ end }}
|
|
|
|
|
vault.hashicorp.com/agent-inject-secret-firefly-db-password: "kv/data/atlas/finance/firefly-db"
|
|
|
|
|
vault.hashicorp.com/agent-inject-template-firefly-db-password: |
|
|
|
|
|
{{- with secret "kv/data/atlas/finance/firefly-db" -}}
|
|
|
|
|
{{ .Data.data.DB_PASSWORD }}
|
|
|
|
|
{{- end -}}
|
|
|
|
|
vault.hashicorp.com/agent-inject-secret-firefly-app-key: "kv/data/atlas/finance/firefly-secrets"
|
|
|
|
|
vault.hashicorp.com/agent-inject-template-firefly-app-key: |
|
|
|
|
|
{{- with secret "kv/data/atlas/finance/firefly-secrets" -}}
|
|
|
|
|
{{ .Data.data.APP_KEY }}
|
|
|
|
|
{{- end -}}
|
|
|
|
|
vault.hashicorp.com/agent-inject-secret-firefly-cron-token: "kv/data/atlas/finance/firefly-secrets"
|
|
|
|
|
vault.hashicorp.com/agent-inject-template-firefly-cron-token: |
|
|
|
|
|
{{- with secret "kv/data/atlas/finance/firefly-secrets" -}}
|
|
|
|
|
{{ .Data.data.STATIC_CRON_TOKEN }}
|
|
|
|
|
{{- end -}}
|
2026-01-17 02:59:38 -03:00
|
|
|
firefly.bstein.dev/restart-rev: "2"
|
2026-01-16 23:52:56 -03:00
|
|
|
spec:
|
|
|
|
|
serviceAccountName: finance-vault
|
|
|
|
|
nodeSelector:
|
|
|
|
|
kubernetes.io/arch: arm64
|
|
|
|
|
node-role.kubernetes.io/worker: "true"
|
|
|
|
|
affinity:
|
|
|
|
|
nodeAffinity:
|
|
|
|
|
preferredDuringSchedulingIgnoredDuringExecution:
|
|
|
|
|
- weight: 100
|
|
|
|
|
preference:
|
|
|
|
|
matchExpressions:
|
|
|
|
|
- key: hardware
|
|
|
|
|
operator: In
|
|
|
|
|
values: ["rpi5"]
|
|
|
|
|
- weight: 70
|
|
|
|
|
preference:
|
|
|
|
|
matchExpressions:
|
|
|
|
|
- key: hardware
|
|
|
|
|
operator: In
|
|
|
|
|
values: ["rpi4"]
|
|
|
|
|
securityContext:
|
|
|
|
|
fsGroup: 33
|
|
|
|
|
fsGroupChangePolicy: OnRootMismatch
|
|
|
|
|
initContainers:
|
|
|
|
|
- name: init-storage-permissions
|
|
|
|
|
image: docker.io/alpine:3.20
|
|
|
|
|
command: ["/bin/sh", "-c"]
|
|
|
|
|
args:
|
|
|
|
|
- |
|
|
|
|
|
set -e
|
|
|
|
|
mkdir -p /var/www/html/storage
|
|
|
|
|
chown -R 33:33 /var/www/html/storage
|
|
|
|
|
securityContext:
|
|
|
|
|
runAsUser: 0
|
|
|
|
|
runAsGroup: 0
|
|
|
|
|
volumeMounts:
|
|
|
|
|
- name: firefly-storage
|
|
|
|
|
mountPath: /var/www/html/storage
|
|
|
|
|
containers:
|
|
|
|
|
- name: firefly
|
|
|
|
|
image: fireflyiii/core:version-6.4.15
|
2026-01-17 03:03:16 -03:00
|
|
|
command: ["/bin/sh", "-c"]
|
2026-01-17 08:12:14 -03:00
|
|
|
args:
|
|
|
|
|
- |
|
|
|
|
|
. /vault/secrets/firefly-env.sh
|
|
|
|
|
exec /usr/local/bin/docker-php-serversideup-entrypoint /init
|
2026-01-16 23:52:56 -03:00
|
|
|
env:
|
|
|
|
|
- name: APP_ENV
|
|
|
|
|
value: production
|
|
|
|
|
- name: APP_DEBUG
|
|
|
|
|
value: "false"
|
|
|
|
|
- name: APP_URL
|
|
|
|
|
value: https://money.bstein.dev
|
|
|
|
|
- name: SITE_OWNER
|
|
|
|
|
value: brad@bstein.dev
|
|
|
|
|
- name: TZ
|
|
|
|
|
value: Etc/UTC
|
|
|
|
|
- name: TRUSTED_PROXIES
|
|
|
|
|
value: "**"
|
|
|
|
|
- name: AUTHENTICATION_GUARD
|
|
|
|
|
value: web
|
|
|
|
|
- name: MAIL_MAILER
|
|
|
|
|
value: smtp
|
|
|
|
|
- name: MAIL_HOST
|
|
|
|
|
value: mail.bstein.dev
|
|
|
|
|
- name: MAIL_PORT
|
|
|
|
|
value: "587"
|
|
|
|
|
- name: MAIL_ENCRYPTION
|
|
|
|
|
value: tls
|
2026-01-17 00:54:49 -03:00
|
|
|
- name: MAIL_FROM_ADDRESS
|
2026-01-16 23:52:56 -03:00
|
|
|
value: no-reply-firefly@bstein.dev
|
2026-01-17 00:54:49 -03:00
|
|
|
- name: MAIL_FROM_NAME
|
|
|
|
|
value: Firefly III
|
2026-01-16 23:52:56 -03:00
|
|
|
- name: CACHE_DRIVER
|
|
|
|
|
value: file
|
|
|
|
|
- name: SESSION_DRIVER
|
|
|
|
|
value: file
|
|
|
|
|
ports:
|
|
|
|
|
- name: http
|
|
|
|
|
containerPort: 8080
|
|
|
|
|
volumeMounts:
|
|
|
|
|
- name: firefly-storage
|
|
|
|
|
mountPath: /var/www/html/storage
|
|
|
|
|
readinessProbe:
|
|
|
|
|
httpGet:
|
|
|
|
|
path: /
|
|
|
|
|
port: http
|
|
|
|
|
initialDelaySeconds: 20
|
|
|
|
|
periodSeconds: 10
|
|
|
|
|
timeoutSeconds: 5
|
|
|
|
|
failureThreshold: 6
|
|
|
|
|
livenessProbe:
|
|
|
|
|
httpGet:
|
|
|
|
|
path: /
|
|
|
|
|
port: http
|
|
|
|
|
initialDelaySeconds: 30
|
|
|
|
|
periodSeconds: 20
|
|
|
|
|
timeoutSeconds: 5
|
|
|
|
|
failureThreshold: 6
|
|
|
|
|
resources:
|
|
|
|
|
requests:
|
|
|
|
|
cpu: 200m
|
|
|
|
|
memory: 512Mi
|
|
|
|
|
limits:
|
|
|
|
|
cpu: "1"
|
|
|
|
|
memory: 1Gi
|
|
|
|
|
volumes:
|
|
|
|
|
- name: firefly-storage
|
|
|
|
|
persistentVolumeClaim:
|
|
|
|
|
claimName: firefly-storage
|
