admin/honeyDueAPI
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
Files
ca818e84785b741b2f2151d0dfa74a68874d0e51
honeyDueAPI/deploy-k3s-dev/README.md
Trey t 34553f3bec Add K3s dev deployment setup for single-node VPS 
Mirrors the prod deploy-k3s/ setup but runs all services in-cluster
on a single node: PostgreSQL (replaces Neon), MinIO S3-compatible
storage (replaces B2), Redis, API, worker, and admin.

Includes fully automated setup scripts (00-init through 04-verify),
server hardening (SSH, fail2ban, ufw), Let's Encrypt TLS via Traefik,
network policies, RBAC, and security contexts matching prod.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
2026-03-30 21:30:39 -05:00

79 lines
2.5 KiB
Markdown
Raw Blame History

# honeyDue — K3s Dev Deployment
Single-node K3s dev environment that replicates the production setup with all services running locally.
**Architecture**: 1-node K3s, in-cluster PostgreSQL + Redis + MinIO (S3-compatible), Let's Encrypt TLS.
**Domains**: `devapi.myhoneydue.com`, `devadmin.myhoneydue.com`
---
## Quick Start
```bash
cd honeyDueAPI-go/deploy-k3s-dev
# 1. Fill in config
cp config.yaml.example config.yaml
# Edit config.yaml — fill in ALL empty values
# 2. Create secret files (see secrets/README.md)
echo "your-postgres-password" > secrets/postgres_password.txt
openssl rand -base64 48 > secrets/secret_key.txt
echo "your-smtp-password" > secrets/email_host_password.txt
echo "your-fcm-key" > secrets/fcm_server_key.txt
openssl rand -base64 24 > secrets/minio_root_password.txt
cp /path/to/AuthKey.p8 secrets/apns_auth_key.p8
# 3. Install K3s → Create secrets → Deploy
./scripts/01-setup-k3s.sh
./scripts/02-setup-secrets.sh
./scripts/03-deploy.sh
# 4. Point DNS at the server IP, then verify
./scripts/04-verify.sh
curl https://devapi.myhoneydue.com/api/health/
```
## Prod vs Dev
| Component | Prod (`deploy-k3s/`) | Dev (`deploy-k3s-dev/`) |
|---|---|---|
| Nodes | 3x CX33 (HA etcd) | 1 node (any VPS) |
| PostgreSQL | Neon (managed) | In-cluster container |
| File storage | Backblaze B2 | MinIO (S3-compatible) |
| Redis | In-cluster | In-cluster (identical) |
| TLS | Cloudflare origin cert | Let's Encrypt (or Cloudflare) |
| Replicas | api=3, worker=2 | All 1 |
| HPA/PDB | Enabled | Not deployed |
| Network policies | Same | Same + postgres/minio rules |
| Security contexts | Same | Same (except postgres) |
| Deploy workflow | Same scripts | Same scripts |
| Docker images | Same | Same |
## TLS Modes
**Let's Encrypt** (default): Traefik auto-provisions certs. Set `tls.letsencrypt_email` in config.yaml.
**Cloudflare**: Same as prod. Set `tls.mode: cloudflare`, add origin cert files to `secrets/`.
## Storage Note
MinIO provides the same S3-compatible API as Backblaze B2. The Go API uses the same env vars (`B2_KEY_ID`, `B2_APP_KEY`, `B2_BUCKET_NAME`, `B2_ENDPOINT`) — it connects to MinIO instead of B2 without code changes.
An additional env var `STORAGE_USE_SSL=false` is set since MinIO runs in-cluster over HTTP. If the Go storage service hardcodes HTTPS, it may need a small change to respect this flag.
## Monitoring
```bash
stern -n honeydue . # All logs
kubectl logs -n honeydue deploy/api -f # API logs
kubectl top pods -n honeydue # Resource usage
```
## Rollback
```bash
./scripts/rollback.sh
```
Reference in New Issue View Git Blame Copy Permalink