sans-self.org / infrastructure
this repo has no description
fork atom

Enable shared Valkey cache for Tranquil PDS 2FA tokens

sans-self.org bcc2527d b947e09b

validate.yml
+33 -2
+7 -2
Makefile
··· 1 1 # Derived secrets — generated from source secrets before kustomize build 2 2 JUICEFS_METAURL := k8s/juicefs/metaurl.secret 3 3 TRANQUIL_DB_URL := k8s/pds/tranquil-database-url.secret 4 + TRANQUIL_VALKEY_URL := k8s/pds/tranquil-valkey-url.secret 4 5 5 6 .PHONY: secrets clean-secrets build 6 7 7 - secrets: $(JUICEFS_METAURL) $(TRANQUIL_DB_URL) 8 + secrets: $(JUICEFS_METAURL) $(TRANQUIL_DB_URL) $(TRANQUIL_VALKEY_URL) 8 9 9 10 $(JUICEFS_METAURL): k8s/juicefs/redis-password.secret 10 11 @pw=$$(cat $< | tr -d '\n') && \ ··· 17 18 build: secrets 18 19 kustomize build k8s/ 19 20 21 + $(TRANQUIL_VALKEY_URL): k8s/juicefs/redis-password.secret 22 + @pw=$$(cat $< | tr -d '\n') && \ 23 + printf 'redis://:%s@redis.juicefs.svc.cluster.local:6379/1' "$$pw" > $@ 24 + 20 25 clean-secrets: 21 - rm -f $(JUICEFS_METAURL) $(TRANQUIL_DB_URL) 26 + rm -f $(JUICEFS_METAURL) $(TRANQUIL_DB_URL) $(TRANQUIL_VALKEY_URL) 22 27 23 28 # Spindle CI runner 24 29 # Full flow: build-spindle → push-spindle → update-spindle → start-spindle (first time only)
+7
k8s/juicefs/network-policy.yaml
··· 17 17 kubernetes.io/metadata.name: juicefs 18 18 ports: 19 19 - port: 6379 20 + # Tranquil PDS cache 21 + - from: 22 + - namespaceSelector: 23 + matchLabels: 24 + kubernetes.io/metadata.name: pds 25 + ports: 26 + - port: 6379
+5
k8s/pds/kustomization.yaml
··· 30 30 - PDS_ADMIN_PASSWORD=admin-password.secret 31 31 - PDS_PLC_ROTATION_KEY_K256_PRIVATE_KEY_HEX=plc-rotation-key.secret 32 32 - PDS_EMAIL_SMTP_URL=smtp-url.secret 33 + - name: tranquil-valkey-url 34 + namespace: pds 35 + type: Opaque 36 + files: 37 + - url=tranquil-valkey-url.secret
+7
k8s/pds/network-policy.yaml
··· 90 90 protocol: UDP 91 91 - port: 53 92 92 protocol: TCP 93 + # Redis (shared cache, juicefs namespace DB 1) 94 + - to: 95 + - namespaceSelector: 96 + matchLabels: 97 + kubernetes.io/metadata.name: juicefs 98 + ports: 99 + - port: 6379 93 100 # External (S3, bsky.network, plc.directory, etc) 94 101 - to: 95 102 - ipBlock:
+7
k8s/pds/tranquil-deployment.yaml
··· 75 75 key: master_key 76 76 - name: PLC_ROTATION_KEY 77 77 value: did:key:zQ3shqeSNmj7mgsxGbZofhCJ36uYzSM8WPFLcxy26WADVaH8c 78 + - name: CACHE_BACKEND 79 + value: valkey 80 + - name: VALKEY_URL 81 + valueFrom: 82 + secretKeyRef: 83 + name: tranquil-valkey-url 84 + key: url 78 85 volumeMounts: 79 86 - name: data 80 87 mountPath: /data