loomio (not yet working), and new config for postgres and redis

ADDING-APPS.md

@@ -40,7 +40,7 @@ defaultConfig:
   dbHostname: postgres.postgres.svc.cluster.local
   dbUsername: immich
   domain: immich.{{ .cloud.domain }}
-requiredSecrets:
+defaultSecrets:
   - apps.immich.dbPassword
   - apps.postgres.password
 ```
@@ -55,7 +55,7 @@ requiredSecrets:
 | `icon` | No | URL to app icon for UI display |
 | `requires` | No | List of dependency apps (e.g., `postgres`, `redis`) |
 | `defaultConfig` | Yes | Default configuration values merged into operator's `config.yaml` |
-| `requiredSecrets` | No | List of secrets in dotted-path format (e.g., `apps.appname.dbPassword`) |
+| `defaultSecrets` | No | List of secrets in dotted-path format (e.g., `apps.appname.dbPassword`) |
 
 **Important:** All configuration keys referenced in templates (via `{{ .apps.appname.key }}`) must be defined in `defaultConfig` or be standard Wild Cloud variables.
 
@@ -177,7 +177,7 @@ When apps need database URLs with embedded credentials, **always use a dedicated
       key: apps.myapp.dbUrl
 ```
 
-Add `apps.myapp.dbUrl` to your manifest's `requiredSecrets`, and the system will generate the complete URL with embedded credentials automatically when the app is added.
+Add `apps.myapp.dbUrl` to your manifest's `defaultSecrets`, and the system will generate the complete URL with embedded credentials automatically when the app is added.
 
 ## Security Requirements
 
@@ -215,7 +215,7 @@ Secrets use a **full dotted-path naming convention** to prevent naming conflicts
 
 **In manifest:**
 ```yaml
-requiredSecrets:
+defaultSecrets:
   - apps.myapp.dbPassword
   - apps.postgres.password
 ```
@@ -231,7 +231,7 @@ env:
 ```
 
 **Secret workflow:**
-1. List secrets in manifest's `requiredSecrets`
+1. List secrets in manifest's `defaultSecrets`
 2. When adding an app, the system generates random values in the instance's `secrets.yaml`
 3. When deploying, the system creates a Kubernetes Secret named `<app-name>-secrets`
 4. Resources reference secrets using full dotted paths

CLAUDE.md

@@ -1,171 +1,15 @@
-# CLAUDE.md
+- @README.md
+- @ADDING-APPS.md
 
-This file provides guidance to Claude Code (claude.ai/code) when working with code in this repository.
+## IMPORTANT
 
-## Overview
-
-This repository contains the Wild Cloud apps directory - a collection of Kubernetes applications packaged as Kustomize configurations. Each app is a self-contained directory with standardized manifests that can be deployed to Wild Cloud clusters using Wild Cloud CLI tools.
-
-## Repository Architecture
-
-### App Structure
-
-Each app follows a strict structure:
-- **`manifest.yaml`** - App metadata, dependencies, default configuration, and secret requirements
-- **`kustomization.yaml`** - Kustomize configuration with standard Wild Cloud labels
-- **Resource files** - Kubernetes objects (deployments, services, ingresses, PVCs, jobs, etc.)
-
-### Templating System
-
-Configuration files use **gomplate templating** to reference operator configuration:
-- Use `{{ .cloud.domain }}` for the operator's domain
-- Use `{{ .apps.appname.configKey }}` for app-specific configuration
-- Use `{{ .operator.email }}` for operator email
-- All template variables must be defined in either the app's `manifest.yaml` under `defaultConfig` or be standard Wild Cloud operator variables
-
-Templates are compiled when users add apps to their Wild Cloud instance via the web app, CLI, or API.
-
-### Label Strategy
-
-Wild Cloud uses a consistent labeling approach powered by Kustomize's `includeSelectors: true` feature:
-
-```yaml
-labels:
-  - includeSelectors: true
-    pairs:
-      app: appname           # App name (matches directory)
-      managedBy: kustomize
-      partOf: wild-cloud
-```
-
-This automatically applies labels to all resources AND their selectors. Individual resources can use simple component-specific selectors like `component: web` or `component: worker`, and Kustomize will expand them to include the standard Wild Cloud labels.
-
-**Important:** Do NOT use Helm-style labels (`app.kubernetes.io/name`, `app.kubernetes.io/instance`). Use simple component labels instead.
-
-## Working with Apps
-
-### Creating/Modifying Apps
-
-1. **Manifest fields:**
-   - `name` - Must match directory name
-   - `description` - Brief app description
-   - `version` - App version (follow upstream versioning)
-   - `icon` - URL to app icon
-   - `requires` - List of dependency apps (e.g., `postgres`, `redis`, `memcached`)
-   - `defaultConfig` - Default configuration values (will be added to operator's `config.yaml`)
-   - `requiredSecrets` - List of secrets in dotted path format (e.g., `apps.appname.dbPassword`)
-
-2. **Kustomization requirements:**
-   - Must include standard Wild Cloud labels with `includeSelectors: true`
-   - Namespace must match app name
-   - List all resource files under `resources:`
-
-3. **Security contexts:**
-   All pods must comply with Pod Security Standards:
-   ```yaml
-   securityContext:
-     runAsNonRoot: true
-     runAsUser: 999  # Use appropriate non-root UID
-     runAsGroup: 999
-     seccompProfile:
-       type: RuntimeDefault
-   containers:
-   - securityContext:
-       allowPrivilegeEscalation: false
-       capabilities:
-         drop: [ALL]
-       readOnlyRootFilesystem: false  # Set to true when possible
-   ```
-
-### Secrets Management
-
-Secrets use **full dotted paths** as keys:
-```yaml
-env:
-  - name: DB_PASSWORD
-    valueFrom:
-      secretKeyRef:
-        name: appname-secrets
-        key: apps.appname.dbPassword  # Full path, not just "dbPassword"
-```
-
-**Database URL secrets:** When apps need database URLs with embedded credentials, always use a dedicated `dbUrl` secret in `requiredSecrets`. Do NOT try to construct URLs with env var substitution in templates - Kustomize cannot process runtime environment variables.
-
-### Database Initialization Jobs
-
-Apps requiring PostgreSQL/MySQL databases should include a `db-init-job.yaml`:
-- Creates the app database if it doesn't exist
-- Creates/updates the app user with proper password
-- Grants appropriate permissions
-- For PostgreSQL jobs: use `runAsUser: 999` (postgres user)
-- Include any required database extensions (e.g., Immich requires `vector`, `cube`, `earthdistance`)
-
-Examples: [immich/db-init-job.yaml](immich/db-init-job.yaml), [gitea/db-init-job.yaml](gitea/db-init-job.yaml)
-
-### External DNS Configuration
-
-Ingress resources should include external-dns annotations:
-```yaml
-annotations:
-  external-dns.alpha.kubernetes.io/target: {{ .cloud.domain }}
-  external-dns.alpha.kubernetes.io/cloudflare-proxied: "false"
-```
-
-This creates CNAME records pointing app subdomains to the main cluster domain.
-
-### Converting Helm Charts
-
-Wild Cloud prefers Kustomize over Helm for transparency and Git-friendliness. To convert a Helm chart:
-
-```bash
-helm fetch --untar --untardir charts repo/chart-name
-helm template --output-dir base --namespace namespace --values values.yaml release-name charts/chart-name
-cd base/chart-name
-kustomize create --autodetect
-```
-
-Then:
-1. Add `manifest.yaml`
-2. Replace hardcoded values with gomplate variables
-3. Update secrets to use Wild Cloud's dotted-path approach
-4. Replace Helm labels with simple component labels
-5. Add standard Wild Cloud labels to `kustomization.yaml`
-6. Add security contexts to all pods
-
-## Managing Wild Cloud Apps
-
-Users can manage apps through:
-
-1. **Web App**: Navigate to the Apps page in your instance to browse, add, configure, and deploy apps
-
-2. **CLI**: Use the Wild CLI for terminal-based workflows:
-   - `wild app list` - List all available apps
-   - `wild app add <app-name>` - Add an app (compiles templates, updates config/secrets)
-   - `wild app deploy <app-name>` - Deploy an app to the cluster
-   - `wild app list-deployed` - List deployed apps
-   - `wild app status <app-name>` - Get app status
-   - `wild app delete <app-name>` - Delete an app
-
-3. **API**: Use the Wild Central API endpoints for automation:
-   - `GET /api/v1/apps/available` - List all available apps
-   - `GET /api/v1/apps/available/{app-name}` - Get app details
-   - `POST /api/v1/instances/{instance-name}/apps` - Add an app (compiles templates, updates config/secrets)
-   - `POST /api/v1/instances/{instance-name}/apps/{app-name}/deploy` - Deploy an app to the cluster
-   - `GET /api/v1/instances/{instance-name}/apps` - List deployed apps
-   - `GET /api/v1/instances/{instance-name}/apps/{app-name}/status` - Get app status
-
-## Validation
-
-Before submitting changes:
-1. Ensure `manifest.yaml` has all required fields
-2. Verify `kustomization.yaml` includes standard Wild Cloud labels
-3. Check all templates use valid configuration paths defined in `defaultConfig`
-4. Confirm secrets use full dotted-path keys
-5. Verify all pods have proper security contexts
-6. Test template compilation works with sample operator config
-
-## Examples of Well-Structured Apps
-
-- **immich** - Multi-deployment app with database init, multiple services, PostgreSQL extensions
-- **openproject** - App with multiple dependencies (postgres, memcached), configmap-based configuration
-- **gitea** - Standard app with database init, PVC for storage
+- When adding a new app to the directory, check to make sure you are adding the latest app version.
+- Use traefik for ingress.
+- Use postgres for database if supported.
+- Keep config key naming (including nesting) consistent with other apps.
+- Don't use helm
+- If the app requires a specific platform (amd64, arm64, etc.), make sure it is called out in the manifest and the k8s tags are set
+- when developing a new app:
+  - test with:
+  - reset to a fresh state between tests:
+- secrets.yaml is not checked in and any values unrelated to your current task should be preserved

discourse/manifest.yaml

@@ -26,11 +26,11 @@ defaultConfig:
     from: "{{ .cloud.smtp.from }}"
     tls: {{ .cloud.smtp.tls }}
     startTls: {{ .cloud.smtp.startTls }}
-requiredSecrets:
-  - apps.discourse.adminPassword
-  - apps.discourse.dbPassword
-  - apps.discourse.dbUrl
-  - apps.redis.password
-  - apps.discourse.secretKeyBase
-  - apps.discourse.smtpPassword
-  - apps.postgres.password
+defaultSecrets:
+  - - key: apps.discourse.adminPassword
+  - - key: apps.discourse.dbPassword
+  - - key: apps.discourse.dbUrl
+  - - key: apps.redis.password
+  - - key: apps.discourse.secretKeyBase
+  - - key: apps.discourse.smtpPassword
+  - - key: apps.postgres.password

ghost/manifest.yaml

@@ -24,7 +24,7 @@ defaultConfig:
     port: "{{ .cloud.smtp.port }}"
     from: "{{ .cloud.smtp.from }}"
     user: "{{ .cloud.smtp.user }}"
-requiredSecrets:
-  - apps.ghost.adminPassword
-  - apps.ghost.dbPassword
-  - apps.ghost.smtpPassword
+defaultSecrets:
+  - key: apps.ghost.adminPassword
+  - key: apps.ghost.dbPassword
+  - key: apps.ghost.smtpPassword

gitea/README.md

@@ -20,7 +20,7 @@ Sensitive configuration is stored in the `gitea-secrets` secret and managed by t
 - `dbPassword` - Database password
 - `smtpPassword` - SMTP authentication password
 
-Secrets are defined in `secrets.yaml` and listed in `manifest.yaml` under `requiredSecrets`. When deploying, the system automatically ensures all required secrets exist in the `gitea-secrets` secret before deployment.
+Secrets are defined in `secrets.yaml` and listed in `manifest.yaml` under `defaultSecrets`. When deploying, the system automatically ensures all required secrets exist in the `gitea-secrets` secret before deployment.
 
 ### Persistent Configuration (app.ini)
 Gitea manages its own `app.ini` file on persistent storage for:
@@ -46,7 +46,7 @@ Gitea manages its own `app.ini` file on persistent storage for:
 
 ### Secret Settings
 1. Edit `secrets.yaml` with your secret values
-2. Ensure the secret key is listed in `manifest.yaml` under `requiredSecrets`
+2. Ensure the secret key is listed in `manifest.yaml` under `defaultSecrets`
 3. Deploy the app via the web app, CLI, or API - this will automatically update the `gitea-secrets` secret and restart the pod
 
 ### Web UI Changes

gitea/manifest.yaml

@@ -21,13 +21,13 @@ defaultConfig:
   timezone: UTC
   runMode: prod
   smtp:
-    host: TBD
-    port: 465
-    from: no-reply@{{ .cloud.domain }}
-    user: TBD
-requiredSecrets:
-  - apps.gitea.adminPassword
-  - apps.gitea.dbPassword
-  - apps.gitea.secretKey
-  - apps.gitea.jwtSecret
-  - apps.gitea.smtpPassword
+    host: "{{ .cloud.smtp.host }}"
+    port: "{{ .cloud.smtp.port }}"
+    user: "{{ .cloud.smtp.user }}"
+    from: "{{ .cloud.smtp.from }}"
+defaultSecrets:
+  - key: apps.gitea.adminPassword
+  - key: apps.gitea.dbPassword
+  - key: apps.gitea.secretKey
+  - key: apps.gitea.jwtSecret
+  - key: apps.gitea.smtpPassword

immich/manifest.yaml

@@ -19,7 +19,7 @@ defaultConfig:
   dbUsername: immich
   domain: immich.{{ .cloud.domain }}
   tlsSecretName: wildcard-wild-cloud-tls
-requiredSecrets:
-  - apps.immich.dbPassword
-  - apps.postgres.password
-  - apps.redis.password
+defaultSecrets:
+  - key: apps.immich.dbPassword
+  - key: apps.postgres.password
+  - key: apps.redis.password

keila/manifest.yaml

@@ -22,10 +22,10 @@ defaultConfig:
     user: "{{ .cloud.smtp.user }}"
     tls: {{ .cloud.smtp.tls }}
     startTls: {{ .cloud.smtp.startTls }}
-requiredSecrets:
-  - apps.keila.secretKeyBase
-  - apps.keila.dbPassword
-  - apps.keila.dbUrl
-  - apps.keila.adminPassword
-  - apps.keila.smtpPassword
-  - apps.postgres.password
+defaultSecrets:
+  - key: apps.keila.secretKeyBase
+  - key: apps.keila.dbPassword
+  - key: apps.keila.dbUrl
+  - key: apps.keila.adminPassword
+  - key: apps.keila.smtpPassword
+  - key: apps.postgres.password

listmonk/manifest.yaml

@@ -14,7 +14,7 @@ defaultConfig:
   dbUser: listmonk
   dbSSLMode: disable
   timezone: UTC
-requiredSecrets:
-  - apps.listmonk.dbPassword
-  - apps.listmonk.dbUrl
-  - apps.postgres.password
+defaultSecrets:
+  - key: apps.listmonk.dbPassword
+  - key: apps.listmonk.dbUrl
+  - key: apps.postgres.password

loomio/db-init-job.yaml

@@ -0,0 +1,64 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: loomio-db-init
+spec:
+  template:
+    spec:
+      restartPolicy: OnFailure
+      containers:
+      - name: db-init
+        image: postgres:15-alpine
+        env:
+        - name: PGHOST
+          value: "{{ .db.host }}"
+        - name: PGPORT
+          value: "{{ .db.port }}"
+        - name: PGUSER
+          value: postgres
+        - name: PGPASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: postgres-secrets
+              key: postgres.password
+        - name: LOOMIO_DB_NAME
+          value: "{{ .db.name }}"
+        - name: LOOMIO_DB_USER
+          value: "{{ .db.user }}"
+        - name: LOOMIO_DB_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: loomio-secrets
+              key: dbPassword
+        command:
+        - sh
+        - -c
+        - |
+          echo "Creating database and user for Loomio..."
+
+          # Check if database exists, create if not
+          psql -tc "SELECT 1 FROM pg_database WHERE datname = '$LOOMIO_DB_NAME'" | grep -q 1 || \
+            psql -c "CREATE DATABASE \"$LOOMIO_DB_NAME\""
+
+          # Check if user exists, create or update password
+          psql -tc "SELECT 1 FROM pg_user WHERE usename = '$LOOMIO_DB_USER'" | grep -q 1 && \
+            psql -c "ALTER USER \"$LOOMIO_DB_USER\" WITH PASSWORD '$LOOMIO_DB_PASSWORD'" || \
+            psql -c "CREATE USER \"$LOOMIO_DB_USER\" WITH PASSWORD '$LOOMIO_DB_PASSWORD'"
+
+          # Grant all privileges
+          psql -c "GRANT ALL PRIVILEGES ON DATABASE \"$LOOMIO_DB_NAME\" TO \"$LOOMIO_DB_USER\""
+
+          # Connect to the database and grant schema permissions
+          psql -d "$LOOMIO_DB_NAME" -c "GRANT ALL ON SCHEMA public TO \"$LOOMIO_DB_USER\""
+
+          echo "Database initialization complete!"
+        securityContext:
+          runAsNonRoot: true
+          runAsUser: 999  # postgres user
+          runAsGroup: 999
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop: [ALL]
+          readOnlyRootFilesystem: true
+          seccompProfile:
+            type: RuntimeDefault

loomio/deployment-worker.yaml

@@ -0,0 +1,101 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: loomio-worker
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      component: worker
+  template:
+    metadata:
+      labels:
+        component: worker
+    spec:
+      containers:
+      - name: worker
+        image: {{ .workerImage }}
+        env:
+        - name: TASK
+          value: worker
+        - name: RAILS_ENV
+          value: production
+        - name: SITE_NAME
+          value: {{ .appName }}
+        - name: CANONICAL_HOST
+          value: {{ .domain }}
+        - name: PUBLIC_APP_URL
+          value: https://{{ .domain }}
+        - name: SUPPORT_EMAIL
+          value: {{ .supportEmail }}
+        - name: DATABASE_URL
+          valueFrom:
+            secretKeyRef:
+              name: loomio-secrets
+              key: dbUrl
+        - name: REDIS_URL
+          value: {{ .redisUrl }}
+        - name: DEVISE_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: loomio-secrets
+              key: deviseSecret
+        - name: SECRET_COOKIE_TOKEN
+          valueFrom:
+            secretKeyRef:
+              name: loomio-secrets
+              key: secretCookieToken
+        - name: ACTIVE_STORAGE_SERVICE
+          value: {{ .activeStorageService }}
+        - name: SMTP_AUTH
+          value: {{ .smtp.auth }}
+        - name: SMTP_DOMAIN
+          value: {{ .smtp.domain }}
+        - name: SMTP_SERVER
+          value: {{ .smtp.host }}
+        - name: SMTP_PORT
+          value: "{{ .smtp.port }}"
+        - name: SMTP_USERNAME
+          value: {{ .smtp.user }}
+        - name: SMTP_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: loomio-secrets
+              key: smtpPassword
+        - name: SMTP_USE_SSL
+          value: "{{ .smtp.tls }}"
+        - name: REPLY_HOSTNAME
+          value: {{ .smtp.from }}
+        volumeMounts:
+        - name: uploads
+          mountPath: /loomio/public/system
+        - name: storage
+          mountPath: /loomio/storage
+        - name: tmp
+          mountPath: /loomio/tmp
+        resources:
+          requests:
+            memory: 256Mi
+            cpu: 100m
+          limits:
+            memory: 1Gi
+            cpu: 500m
+        securityContext:
+          runAsNonRoot: true
+          runAsUser: 1000
+          runAsGroup: 1000
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop: [ALL]
+          readOnlyRootFilesystem: false
+          seccompProfile:
+            type: RuntimeDefault
+      volumes:
+      - name: uploads
+        persistentVolumeClaim:
+          claimName: loomio-uploads
+      - name: storage
+        persistentVolumeClaim:
+          claimName: loomio-storage
+      - name: tmp
+        emptyDir: {}

loomio/deployment.yaml

@@ -0,0 +1,124 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: loomio
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      component: web
+  template:
+    metadata:
+      labels:
+        component: web
+    spec:
+      containers:
+      - name: loomio
+        image: {{ .image }}
+        ports:
+        - containerPort: 3000
+          name: http
+        env:
+        - name: RAILS_ENV
+          value: production
+        - name: SITE_NAME
+          value: {{ .appName }}
+        - name: CANONICAL_HOST
+          value: {{ .domain }}
+        - name: PUBLIC_APP_URL
+          value: https://{{ .domain }}
+        - name: SUPPORT_EMAIL
+          value: {{ .supportEmail }}
+        - name: DATABASE_URL
+          valueFrom:
+            secretKeyRef:
+              name: loomio-secrets
+              key: dbUrl
+        - name: REDIS_URL
+          value: {{ .redisUrl }}
+        - name: DEVISE_SECRET
+          valueFrom:
+            secretKeyRef:
+              name: loomio-secrets
+              key: deviseSecret
+        - name: SECRET_COOKIE_TOKEN
+          valueFrom:
+            secretKeyRef:
+              name: loomio-secrets
+              key: secretCookieToken
+        - name: FORCE_SSL
+          value: "{{ .forceSSL }}"
+        - name: USE_RACK_ATTACK
+          value: "{{ .useRackAttack }}"
+        - name: PUMA_WORKERS
+          value: "{{ .pumaWorkers }}"
+        - name: MIN_THREADS
+          value: "{{ .minThreads }}"
+        - name: MAX_THREADS
+          value: "{{ .maxThreads }}"
+        - name: ACTIVE_STORAGE_SERVICE
+          value: {{ .activeStorageService }}
+        - name: SMTP_AUTH
+          value: {{ .smtp.auth }}
+        - name: SMTP_DOMAIN
+          value: {{ .smtp.domain }}
+        - name: SMTP_SERVER
+          value: {{ .smtp.host }}
+        - name: SMTP_PORT
+          value: "{{ .smtp.port }}"
+        - name: SMTP_USERNAME
+          value: {{ .smtp.user }}
+        - name: SMTP_PASSWORD
+          valueFrom:
+            secretKeyRef:
+              name: loomio-secrets
+              key: smtpPassword
+        - name: SMTP_USE_SSL
+          value: "{{ .smtp.tls }}"
+        - name: REPLY_HOSTNAME
+          value: {{ .smtp.from }}
+        volumeMounts:
+        - name: uploads
+          mountPath: /loomio/public/system
+        - name: storage
+          mountPath: /loomio/storage
+        - name: tmp
+          mountPath: /loomio/tmp
+        resources:
+          requests:
+            memory: 512Mi
+            cpu: 200m
+          limits:
+            memory: 2Gi
+            cpu: 1000m
+        livenessProbe:
+          httpGet:
+            path: /health
+            port: 3000
+          initialDelaySeconds: 60
+          periodSeconds: 30
+        readinessProbe:
+          httpGet:
+            path: /health
+            port: 3000
+          initialDelaySeconds: 30
+          periodSeconds: 10
+        securityContext:
+          runAsNonRoot: true
+          runAsUser: 1000
+          runAsGroup: 1000
+          allowPrivilegeEscalation: false
+          capabilities:
+            drop: [ALL]
+          readOnlyRootFilesystem: false
+          seccompProfile:
+            type: RuntimeDefault
+      volumes:
+      - name: uploads
+        persistentVolumeClaim:
+          claimName: loomio-uploads
+      - name: storage
+        persistentVolumeClaim:
+          claimName: loomio-storage
+      - name: tmp
+        emptyDir: {}

loomio/ingress.yaml

@@ -0,0 +1,24 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: loomio
+  annotations:
+    external-dns.alpha.kubernetes.io/target: {{ .externalDnsDomain }}
+    external-dns.alpha.kubernetes.io/cloudflare-proxied: "false"
+spec:
+  ingressClassName: traefik
+  tls:
+  - hosts:
+    - {{ .domain }}
+    secretName: {{ .tlsSecretName }}
+  rules:
+  - host: {{ .domain }}
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: loomio
+            port:
+              number: 80

loomio/kustomization.yaml

@@ -0,0 +1,20 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: loomio
+
+resources:
+  - namespace.yaml
+  - pvc-uploads.yaml
+  - pvc-storage.yaml
+  - deployment.yaml
+  - deployment-worker.yaml
+  - service.yaml
+  - ingress.yaml
+  - db-init-job.yaml
+
+labels:
+  - includeSelectors: true
+    pairs:
+      app: loomio
+      managedBy: kustomize
+      partOf: wild-cloud

loomio/manifest.yaml

@@ -0,0 +1,55 @@
+name: loomio
+description: Loomio is a collaborative decision-making tool that makes it easy for groups to make decisions together
+version: 3.0.11
+icon: https://www.loomio.com/favicon.ico
+requires:
+  - name: postgres
+    installed_as: postgres
+  - name: redis
+defaultConfig:
+  namespace: loomio
+  externalDnsDomain: {{ .cloud.domain }}
+  image: loomio/loomio:v3.0.11
+  workerImage: loomio/loomio:v3.0.11
+  appName: Loomio
+  domain: loomio.{{ .cloud.domain }}
+  tlsSecretName: wildcard-wild-cloud-tls
+  port: 3000
+  storage:
+    uploads: 5Gi
+    files: 5Gi
+    plugins: 1Gi
+  redisUrl: {{ .apps.redis.uri }}
+  adminEmail: "admin@{{ .cloud.domain }}"
+  supportEmail: "support@{{ .cloud.domain }}"
+  forceSSL: "1"
+  useRackAttack: "1"
+  pumaWorkers: "2"
+  minThreads: "5"
+  maxThreads: "5"
+  activeStorageService: local
+  db:
+    name: loomio
+    user: loomio
+    host: {{ .apps.postgres.host }}
+    port: {{ .apps.postgres.port }}
+  smtp:
+    auth: plain
+    domain: "{{ .cloud.domain }}"
+    host: "{{ .cloud.smtp.host }}"
+    port: "{{ .cloud.smtp.port }}"
+    user: "{{ .cloud.smtp.user }}"
+    tls: "{{ .cloud.smtp.tls }}"
+    from: "{{ .cloud.smtp.from }}"
+defaultSecrets:
+  - key: dbPassword
+    default: "{{ random.AlphaNum 32 }}"
+  - key: dbUrl
+    default: "postgresql://{{ .app.db.user }}:{{ .secrets.dbPassword }}@{{ .app.db.host }}:{{ .app.db.port }}/{{ .app.db.name }}?pool=30"
+  - key: deviseSecret
+    default: "{{ random.AlphaNum 32 }}"
+  - key: secretCookieToken
+    default: "{{ random.AlphaNum 32 }}"
+  - key: smtpPassword
+requiredSecrets:
+  - postgres.password

loomio/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: {{ .namespace }}

loomio/pvc-storage.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: loomio-storage
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: {{ .storage.files }}
+  storageClassName: longhorn

loomio/pvc-uploads.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: loomio-uploads
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: {{ .storage.uploads }}
+  storageClassName: longhorn

loomio/service.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: loomio
+spec:
+  type: ClusterIP
+  selector:
+    component: web
+  ports:
+  - name: http
+    port: 80
+    targetPort: 3000
+    protocol: TCP

memcached/manifest.yaml

@@ -16,4 +16,4 @@ defaultConfig:
     limits:
       memory: 128Mi
       cpu: 200m
-requiredSecrets: []
+defaultSecrets: []

mysql/manifest.yaml

@@ -12,6 +12,6 @@ defaultConfig:
   user: mysql
   timezone: UTC
   enableSSL: false
-requiredSecrets:
-  - apps.mysql.rootPassword
-  - apps.mysql.password
+defaultSecrets:
+  - key: apps.mysql.rootPassword
+  - key: apps.mysql.password

open-webui/manifest.yaml

@@ -13,5 +13,5 @@ defaultConfig:
   # Authentication settings
   enableAuth: true
   enableSignup: false
-requiredSecrets:
-  - apps.openWebui.secretKey
+defaultSecrets:
+  - key: apps.openWebui.secretKey

openproject/manifest.yaml

@@ -27,7 +27,7 @@ defaultConfig:
   tlsSecretName: wildcard-wild-cloud-tls
   cacheStore: memcache
   railsRelativeUrlRoot: ""
-requiredSecrets:
-  - apps.openproject.dbPassword
-  - apps.openproject.adminPassword
-  - apps.postgres.password
+defaultSecrets:
+  - key: apps.openproject.dbPassword
+  - key: apps.openproject.adminPassword
+  - key: apps.postgres.password

postgres/deployment.yaml

@@ -15,7 +15,7 @@ spec:
     spec:
       containers:
         - name: postgres
-          image: "{{ .apps.postgres.image }}"
+          image: "{{ .image }}"
           args:
             [
               "-c",
@@ -35,16 +35,16 @@ spec:
             - name: PGDATA
               value: /var/lib/postgresql/data/pgdata
             - name: TZ
-              value: "{{ .apps.postgres.timezone }}"
+              value: "{{ .timezone }}"
             - name: POSTGRES_DB
-              value: "{{ .apps.postgres.database }}"
+              value: "{{ .database }}"
             - name: POSTGRES_USER
-              value: "{{ .apps.postgres.user }}"
+              value: "{{ .user }}"
             - name: POSTGRES_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: postgres-secrets
-                  key: apps.postgres.password
+                  key: password
           volumeMounts:
             - name: postgres-data
               mountPath: /var/lib/postgresql/data

postgres/manifest.yaml

@@ -4,10 +4,13 @@ description: PostgreSQL is a powerful, open source object-relational database sy
 version: 1.0.0
 icon: https://www.postgresql.org/media/img/about/press/elephant.png
 defaultConfig:
+  namespace: postgres
+  host: postgres.postgres.svc.cluster.local
+  port: 5432
   database: postgres
   user: postgres
   storage: 10Gi
   image: pgvector/pgvector:pg15
   timezone: UTC
-requiredSecrets:
-  - apps.postgres.password
+defaultSecrets:
+  - key: password

postgres/namespace.yaml

@@ -1,4 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: postgres
+  name: {{ .namespace }}

postgres/pvc.yaml

@@ -9,4 +9,4 @@ spec:
   storageClassName: longhorn
   resources:
     requests:
-      storage: {{ .apps.postgres.storage | default "10Gi" }}
+      storage: {{ .storage }}

postgres/service.yaml

@@ -5,6 +5,6 @@ metadata:
   name: postgres
 spec:
   ports:
-    - port: 5432
+    - port: {{ .port }}
   selector:
     app: postgres

redis/deployment.yaml

@@ -14,18 +14,18 @@ spec:
         app: redis
     spec:
       containers:
-        - image: "{{ .apps.redis.image }}"
+        - image: "{{ .image }}"
           name: redis
           ports:
-            - containerPort: {{ .apps.redis.port }}
+            - containerPort: {{ .port }}
           env:
             - name: TZ
-              value: "{{ .apps.redis.timezone }}"
+              value: "{{ .timezone }}"
             - name: REDIS_PASSWORD
               valueFrom:
                 secretKeyRef:
                   name: redis-secrets
-                  key: apps.redis.password
+                  key: password
           command:
             - redis-server
             - --requirepass

redis/manifest.yaml

@@ -4,8 +4,11 @@ description: Redis is an open source, in-memory data structure store, used as a
 version: 1.0.0
 icon: <svg xmlns="http://www.w3.org/2000/svg" fill="none" viewBox="0 0 85 27"><path fill="#FF4438" fill-rule="evenodd" d="M75.29 13.813c0-2.968 2.2-4.69 4.947-4.69 2.052 0 3.884.99 4.763 3.444-.257 1.245-1.795 2.638-2.455 2.858-.55-1.173-1.172-1.869-1.758-1.869-.733 0-.77.513-.77 1.172 0 .467.134 1.155.295 1.983.243 1.25.548 2.82.548 4.43 0 2.93-2.052 5.092-5.203 5.092-2.885 0-4.48-1.892-5.19-4.913-1.885 3.377-4.641 4.913-6.754 4.913-3.302 0-4.08-2.441-4-4.917-1.328 2.345-3.882 4.917-6.331 4.917-2.501 0-3.384-2.177-3.182-4.712-1.498 2.791-4.208 4.712-6.82 4.712-2.836 0-4.239-2.252-3.785-5.044-1.907 2.344-5.458 5.044-9.149 5.044-4.209 0-6.04-2.27-6.258-5.114-2.031 3.256-4.77 5.224-8.03 5.224-4.709 0-6.393-4.187-6.638-7.611a111 111 0 0 1-6.113 7.464c-.256.257-.476.403-.732.403C1.832 26.6.11 22.862 0 21.47c.723-1.121 5.281-6.13 8.95-10.161 1.29-1.417 2.471-2.714 3.336-3.679-2.247.678-4.564 2.03-7.486 4.132-.513.366-1.942-2.968-1.906-5.533 3.371-2.49 8.5-4.066 12.64-4.066 5.79 0 9.123 3.224 9.123 7.694 0 3.737-3.114 7.84-7.657 7.987-2.362.061-3.876-1.265-4.65-2.902.092 2.532 1.409 5.65 4.943 5.65 3.853 0 5.704-2.326 8.463-5.795q.269-.339.55-.69c2.345-2.895 5.056-5.46 9.013-5.46 2.418 0 4.067 1.503 4.067 3.774 0 2.748-3.224 6.558-7.73 6.558-.77 0-1.472-.101-2.064-.301q-.024.173-.025.338c0 1.282.476 2.052 2.565 2.052 3.077 0 5.971-1.832 9.489-6.119 3.444-4.213 6.045-6.045 8.793-6.045 1.855 0 3.262 1.005 3.883 2.698C57.98 6.283 61.104 2.514 63.75 0c2.601 1.1 4.47 3.26 3.957 3.7-1.942 1.76-8.427 8.83-10.991 13.044-.66 1.099-1.283 2.308-1.283 2.894 0 .55.33.733.696.733 1.76 0 5.289-4.156 8.336-7.746 1.138-1.34 2.209-2.602 3.095-3.539 2.052.843 4.14 2.638 3.627 3.261-2.71 3.224-4.762 5.862-4.762 7.364 0 .403.146.66.696.66 1.026 0 1.978-.916 3.554-2.858.33-.403.732-.403.989.22.696 1.685 1.722 2.601 2.528 2.601.952 0 1.429-.843 1.429-2.125 0-.876-.107-1.895-.2-2.772-.069-.664-.13-1.246-.13-1.624m-59.096-.477c1.942 0 4.067-1.062 4.067-3.224 0-1.312-.814-2.521-2.99-2.89l-.342.535c-1.106 1.729-2.149 3.359-3.2 4.953.63.354 1.427.626 2.465.626m19.638.66c0-.587-.367-.99-.953-.99-1.47 0-3.687 2.063-4.73 4.055.385.15.837.232 1.323.232 2.601 0 4.36-1.978 4.36-3.297m9.636 5.312c0 .66.366 1.1 1.135 1.1 2.382 0 5.35-4.324 5.35-6.083 0-.732-.403-1.172-1.063-1.172-2.162 0-5.422 4.103-5.422 6.155M76.06 6.082c-.843 1.392-2.125 2.968-2.601 3.444-2.199-.916-4.25-2.748-3.957-3.26.806-1.43 2.125-2.968 2.601-3.445 2.198.916 4.25 2.785 3.957 3.261" clip-rule="evenodd"></path></svg>
 defaultConfig:
+  namespace: redis
   image: redis:alpine
   timezone: UTC
+  host: redis.redis.svc.cluster.local
   port: 6379
-requiredSecrets:
-  - apps.redis.password
+  uri: redis://{{ .app.host }}:{{ .app.port }}/0
+defaultSecrets:
+  - key: password

redis/namespace.yaml

@@ -1,4 +1,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
-  name: redis
+  name: {{ .namespace }}

redis/service.yaml

@@ -7,7 +7,7 @@ metadata:
     app: redis
 spec:
   ports:
-    - port: {{ .apps.redis.port }}
-      targetPort: {{ .apps.redis.port }}
+    - port: {{ .port }}
+      targetPort: {{ .port }}
   selector:
     app: redis

vllm/manifest.yaml

@@ -18,4 +18,4 @@ defaultConfig:
   gpuCount: 1
   domain: vllm.{{ .cloud.domain }}
   namespace: llm
-requiredSecrets: []
+defaultSecrets: []