Add K3s dev deployment setup for single-node VPS

Mirrors the prod deploy-k3s/ setup but runs all services in-cluster on a single node: PostgreSQL (replaces Neon), MinIO S3-compatible storage (replaces B2), Redis, API, worker, and admin. Includes fully automated setup scripts (00-init through 04-verify), server hardening (SSH, fail2ban, ufw), Let's Encrypt TLS via Traefik, network policies, RBAC, and security contexts matching prod. Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-30 21:30:39 -05:00
parent 00fd674b56
commit 34553f3bec
52 changed files with 5319 additions and 0 deletions
--- a/deploy-k3s-dev/README.md
+++ b/deploy-k3s-dev/README.md
@@ -0,0 +1,78 @@
+# honeyDue — K3s Dev Deployment
+
+Single-node K3s dev environment that replicates the production setup with all services running locally.
+
+**Architecture**: 1-node K3s, in-cluster PostgreSQL + Redis + MinIO (S3-compatible), Let's Encrypt TLS.
+
+**Domains**: `devapi.myhoneydue.com`, `devadmin.myhoneydue.com`
+
+---
+
+## Quick Start
+
+```bash
+cd honeyDueAPI-go/deploy-k3s-dev
+
+# 1. Fill in config
+cp config.yaml.example config.yaml
+# Edit config.yaml — fill in ALL empty values
+
+# 2. Create secret files (see secrets/README.md)
+echo "your-postgres-password" > secrets/postgres_password.txt
+openssl rand -base64 48 > secrets/secret_key.txt
+echo "your-smtp-password" > secrets/email_host_password.txt
+echo "your-fcm-key" > secrets/fcm_server_key.txt
+openssl rand -base64 24 > secrets/minio_root_password.txt
+cp /path/to/AuthKey.p8 secrets/apns_auth_key.p8
+
+# 3. Install K3s → Create secrets → Deploy
+./scripts/01-setup-k3s.sh
+./scripts/02-setup-secrets.sh
+./scripts/03-deploy.sh
+
+# 4. Point DNS at the server IP, then verify
+./scripts/04-verify.sh
+curl https://devapi.myhoneydue.com/api/health/
+```
+
+## Prod vs Dev
+
+| Component | Prod (`deploy-k3s/`) | Dev (`deploy-k3s-dev/`) |
+|---|---|---|
+| Nodes | 3x CX33 (HA etcd) | 1 node (any VPS) |
+| PostgreSQL | Neon (managed) | In-cluster container |
+| File storage | Backblaze B2 | MinIO (S3-compatible) |
+| Redis | In-cluster | In-cluster (identical) |
+| TLS | Cloudflare origin cert | Let's Encrypt (or Cloudflare) |
+| Replicas | api=3, worker=2 | All 1 |
+| HPA/PDB | Enabled | Not deployed |
+| Network policies | Same | Same + postgres/minio rules |
+| Security contexts | Same | Same (except postgres) |
+| Deploy workflow | Same scripts | Same scripts |
+| Docker images | Same | Same |
+
+## TLS Modes
+
+**Let's Encrypt** (default): Traefik auto-provisions certs. Set `tls.letsencrypt_email` in config.yaml.
+
+**Cloudflare**: Same as prod. Set `tls.mode: cloudflare`, add origin cert files to `secrets/`.
+
+## Storage Note
+
+MinIO provides the same S3-compatible API as Backblaze B2. The Go API uses the same env vars (`B2_KEY_ID`, `B2_APP_KEY`, `B2_BUCKET_NAME`, `B2_ENDPOINT`) — it connects to MinIO instead of B2 without code changes.
+
+An additional env var `STORAGE_USE_SSL=false` is set since MinIO runs in-cluster over HTTP. If the Go storage service hardcodes HTTPS, it may need a small change to respect this flag.
+
+## Monitoring
+
+```bash
+stern -n honeydue .                    # All logs
+kubectl logs -n honeydue deploy/api -f # API logs
+kubectl top pods -n honeydue           # Resource usage
+```
+
+## Rollback
+
+```bash
+./scripts/rollback.sh
+```