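# services/finance/firefly-deployment.yaml
#
# Firefly III Deployment. No credential is stored in this manifest: the Vault
# Agent injector renders every secret into /vault/secrets/ at pod start and
# the app container sources the generated env file before exec'ing the
# image entrypoint.
---
apiVersion: apps/v1
kind: Deployment
metadata:
  name: firefly
  namespace: finance
  labels:
    app: firefly
spec:
  replicas: 1
  selector:
    matchLabels:
      app: firefly
  strategy:
    type: RollingUpdate
    rollingUpdate:
      # Old pod is torn down before the replacement starts, so two pods never
      # share firefly-storage at once. NOTE(review): this implies the PVC is
      # ReadWriteOnce — confirm against the PVC definition.
      maxSurge: 0
      maxUnavailable: 1
  template:
    metadata:
      labels:
        app: firefly
      annotations:
        vault.hashicorp.com/agent-inject: "true"
        vault.hashicorp.com/role: "finance"
        # Env file sourced by the app container. The -secret- annotation names
        # one KV path, but the template below reads three (firefly-db,
        # firefly-secrets, shared/postmark-relay); the "finance" Vault role
        # must be allowed to read all of them or rendering fails.
        #
        # DB_PASSWORD, APP_KEY and STATIC_CRON_TOKEN are not interpolated into
        # the script text; they are read at source time from the single-value
        # files rendered by the templates further down. Presumably this keeps
        # values containing quotes, `$` or backticks from breaking the shell.
        # The Postmark apikey IS interpolated inline — fine while the key is
        # plain alphanumeric; confirm if the relay credential format changes.
        vault.hashicorp.com/agent-inject-secret-firefly-env.sh: "kv/data/atlas/finance/firefly-db"
        vault.hashicorp.com/agent-inject-template-firefly-env.sh: |
          {{ with secret "kv/data/atlas/finance/firefly-db" }}
          export DB_CONNECTION="pgsql"
          export DB_HOST="{{ .Data.data.DB_HOST }}"
          export DB_PORT="{{ .Data.data.DB_PORT }}"
          export DB_DATABASE="{{ .Data.data.DB_DATABASE }}"
          export DB_USERNAME="{{ .Data.data.DB_USERNAME }}"
          export DB_PASSWORD="$(cat /vault/secrets/firefly-db-password)"
          {{ end }}
          {{ with secret "kv/data/atlas/finance/firefly-secrets" }}
          export APP_KEY="$(cat /vault/secrets/firefly-app-key)"
          export STATIC_CRON_TOKEN="$(cat /vault/secrets/firefly-cron-token)"
          {{ end }}
          {{ with secret "kv/data/atlas/shared/postmark-relay" }}
          export MAIL_USERNAME="{{ index .Data.data "apikey" }}"
          export MAIL_PASSWORD="{{ index .Data.data "apikey" }}"
          {{ end }}
        # Single-value files consumed by the env script above. The `{{-`/`-}}`
        # trim markers strip the surrounding whitespace so each file contains
        # exactly the secret value and nothing else.
        vault.hashicorp.com/agent-inject-secret-firefly-db-password: "kv/data/atlas/finance/firefly-db"
        vault.hashicorp.com/agent-inject-template-firefly-db-password: |
          {{- with secret "kv/data/atlas/finance/firefly-db" -}}
          {{ .Data.data.DB_PASSWORD }}
          {{- end -}}
        vault.hashicorp.com/agent-inject-secret-firefly-app-key: "kv/data/atlas/finance/firefly-secrets"
        vault.hashicorp.com/agent-inject-template-firefly-app-key: |
          {{- with secret "kv/data/atlas/finance/firefly-secrets" -}}
          {{ .Data.data.APP_KEY }}
          {{- end -}}
        vault.hashicorp.com/agent-inject-secret-firefly-cron-token: "kv/data/atlas/finance/firefly-secrets"
        vault.hashicorp.com/agent-inject-template-firefly-cron-token: |
          {{- with secret "kv/data/atlas/finance/firefly-secrets" -}}
          {{ .Data.data.STATIC_CRON_TOKEN }}
          {{- end -}}
        # Bump to force a rollout (e.g. after rotating a secret in Vault).
        firefly.bstein.dev/restart-rev: "2"
    spec:
      # The agent injector authenticates with this account's token; keep the
      # token automount enabled.
      serviceAccountName: finance-vault
      nodeSelector:
        kubernetes.io/arch: arm64
        node-role.kubernetes.io/worker: "true"
      affinity:
        nodeAffinity:
          preferredDuringSchedulingIgnoredDuringExecution:
            - weight: 100
              preference:
                matchExpressions:
                  - key: hardware
                    operator: In
                    values: ["rpi5"]
            - weight: 70
              preference:
                matchExpressions:
                  - key: hardware
                    operator: In
                    values: ["rpi4"]
      securityContext:
        # gid 33 matches the chown in the init container below. NOTE(review):
        # this suggests the app runs as uid/gid 33 (www-data) — confirm with
        # the image before adding runAsNonRoot.
        fsGroup: 33
        fsGroupChangePolicy: OnRootMismatch
      initContainers:
        # Runs as root solely to fix ownership of the storage volume (fsGroup
        # fixes the group, not the owner uid). NOTE(review): image pinned by
        # tag only; a digest pin (`docker.io/alpine:3.20@sha256:<DIGEST>`)
        # would make the pull immutable. The root run could also be narrowed
        # with a capabilities drop ALL / add of only what chown and mkdir
        # need — verify before changing.
        - name: init-storage-permissions
          image: docker.io/alpine:3.20
          command: ["/bin/sh", "-c"]
          args:
            - |
              set -e
              mkdir -p /var/www/html/storage
              chown -R 33:33 /var/www/html/storage
          securityContext:
            runAsUser: 0
            runAsGroup: 0
          volumeMounts:
            - name: firefly-storage
              mountPath: /var/www/html/storage
      containers:
        # NOTE(review): no container-level securityContext (allowPrivilege-
        # Escalation, capabilities, readOnlyRootFilesystem). The entrypoint
        # used below is presumably expected to start as root and drop
        # privileges itself; confirm what it needs before restricting it.
        - name: firefly
          image: fireflyiii/core:version-6.4.15
          command: ["/bin/sh", "-c"]
          # Source the Vault-rendered env file into this shell, then replace
          # the shell with the image's entrypoint so signals reach PID 1.
          args:
            - |
              . /vault/secrets/firefly-env.sh
              exec /usr/local/bin/docker-php-serversideup-entrypoint /init
          env:
            - name: APP_ENV
              value: production
            - name: APP_DEBUG
              value: "false"
            - name: APP_URL
              value: https://money.bstein.dev
            - name: SITE_OWNER
              value: brad@bstein.dev
            - name: TZ
              value: Etc/UTC
            # "**" trusts every upstream as a proxy, so X-Forwarded-* headers
            # are honoured from any source able to reach the pod (affects
            # client-IP logging/rate limits and HTTPS detection). Restrict to
            # the ingress controller's address range unless a NetworkPolicy
            # already confines inbound traffic to it.
            - name: TRUSTED_PROXIES
              value: "**"
            - name: AUTHENTICATION_GUARD
              value: web
            - name: MAIL_MAILER
              value: smtp
            - name: MAIL_HOST
              value: mail.bstein.dev
            - name: MAIL_PORT
              value: "587"
            - name: MAIL_ENCRYPTION
              value: tls
            - name: MAIL_FROM_ADDRESS
              value: no-reply-firefly@bstein.dev
            - name: MAIL_FROM_NAME
              value: Firefly III
            - name: CACHE_DRIVER
              value: file
            - name: SESSION_DRIVER
              value: file
          ports:
            - name: http
              containerPort: 8080
          volumeMounts:
            - name: firefly-storage
              mountPath: /var/www/html/storage
          readinessProbe:
            httpGet:
              path: /
              port: http
            initialDelaySeconds: 20
            periodSeconds: 10
            timeoutSeconds: 5
            failureThreshold: 6
          livenessProbe:
            httpGet:
              path: /
              port: http
            initialDelaySeconds: 30
            periodSeconds: 20
            timeoutSeconds: 5
            failureThreshold: 6
          resources:
            requests:
              cpu: 200m
              memory: 512Mi
            limits:
              cpu: "1"
              memory: 1Gi
      volumes:
        - name: firefly-storage
          persistentVolumeClaim:
            claimName: firefly-storage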