apps/do/vikunja-secrets/vikunja-test-oauth-secret.yaml

+---
+apiVersion: secretgenerator.mittwald.de/v1alpha1
+kind: StringSecret
+metadata:
+  name: stackspin-vikunja-test-oauth-variables
+  namespace: flux-system
+spec:
+  data:
+    client_id: vikunja-test
+  fields:
+  - fieldName: client_secret
+    length: "32"

apps/do/vikunja-secrets/vikunja-variables.yaml

+apiVersion: secretgenerator.mittwald.de/v1alpha1
+kind: StringSecret
+metadata:
+  name: stackspin-vikunja-variables
+  namespace: flux-system
+spec:
+  fields:
+  - fieldName: jwt
+  - fieldName: postgresql_password
+  - fieldName: postgresql_admin_password

apps/do/vikunja-test-kustomization.yaml

+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: vikunja-test
+  namespace: flux-system
+spec:
+  interval: 5m
+  retryInterval: 2m
+  timeout: 10m
+  wait: true
+  prune: true
+  path: ./apps/do/vikunja-test
+  sourceRef:
+    kind: GitRepository
+    name: stackspout
+  dependsOn:
+    - name: flux
+    - name: local-path-provisioner
+    - name: vikunja-secrets
+    - name: nginx
+    - name: single-sign-on
+  postBuild:
+    substituteFrom:
+      - kind: Secret
+        name: stackspin-cluster-variables
+      - kind: ConfigMap
+        name: stackspin-vikunja-kustomization-variables
+      - kind: Secret
+        name: stackspin-vikunja-variables
+      # OIDC
+      - kind: Secret
+        name: stackspin-vikunja-test-oauth-variables
+      - kind: ConfigMap
+        name: stackspin-single-sign-on-kustomization-variables

apps/do/vikunja-test/vikunja-files-pvc.yaml

+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: vikunja-test-files
+  namespace: stackspout
+spec:
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 2Gi
+  storageClassName: local-path

apps/do/vikunja-test/vikunja-oauth-client.yaml

+apiVersion: hydra.ory.sh/v1alpha1
+kind: OAuth2Client
+metadata:
+  name: vikunja-test-oauth-client
+  # Has to live in the same namespace as the stackspin-*-oauth-variables secret
+  namespace: flux-system
+spec:
+  # TODO copied from wekan: https://github.com/wekan/wekan/wiki/Keycloak
+  grantTypes:
+    - authorization_code
+    - refresh_token
+    - client_credentials
+    - implicit
+  responseTypes:
+    - id_token
+    - code
+  scope: "openid profile email stackspin_roles"
+  secretName: stackspin-vikunja-test-oauth-variables
+  redirectUris:
+    - https://test.${vikunja_domain}/auth/openid/stackspin
+  tokenEndpointAuthMethod: client_secret_post

apps/do/vikunja-test/vikunja-postgres-pvc.yaml

+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: vikunja-test-postgres
+  namespace: stackspout
+spec:
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 2Gi
+  storageClassName: local-path

apps/do/vikunja-test/vikunja-release.yaml

+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: vikunja-test
+  namespace: stackspout
+spec:
+  releaseName: vikunja-test
+  chart:
+    spec:
+      chart: vikunja
+      version: 0.4.1
+      sourceRef:
+        kind: HelmRepository
+        name: vikunja
+        namespace: flux-system
+  interval: 5m
+  valuesFrom:
+    - kind: ConfigMap
+      name: stackspin-vikunja-test-values
+      optional: false
+    # Allow overriding values by ConfigMap or Secret
+    - kind: ConfigMap
+      name: stackspin-vikunja-test-override
+      optional: true
+    - kind: Secret
+      name: stackspin-vikunja-test-override
+      optional: true

apps/do/vikunja-test/vikunja-values-configmap.yaml

+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: stackspin-vikunja-test-values
+  namespace: stackspout
+data:
+  # https://kolaente.dev/vikunja/helm-chart/src/branch/main/values.yaml
+  values.yaml: |
+    frontend:
+      enabled: false
+      ingress:
+        main:
+          enabled: false
+    api:
+      image:
+        repository: vikunja/vikunja
+        tag: unstable
+      persistence:
+        data:
+          existingClaim: vikunja-test-files
+      ingress:
+        main:
+          enabled: true
+          annotations:
+            kubernetes.io/tls-acme: "true"
+          hosts:
+            - host: "test.${vikunja_domain}"
+              paths:
+                 - path: /
+          tls:
+            - secretName: vikunja-test-tls
+              hosts:
+                - "test.${vikunja_domain}"
+      configMaps:
+        config:
+          data:
+            config.yml: |-
+              auth:
+                openid:
+                  # https://vikunja.io/docs/config-options/#openid
+                  # Example: https://github.com/go-vikunja/api/blob/main/config.yml.sample#L289-L312
+                  enabled: true
+                  redirecturl: "https://test.${vikunja_domain}/auth/openid/"
+                  providers:
+                    - name: Stackspin
+                      authurl: "https://${hydra_domain}/"
+                      clientid: "${client_id}"
+                      clientsecret: "${client_secret}"
+                local:
+                  enabled: false
+              mailer:
+                enabled: "${outgoing_mail_enabled}"
+                host: "${outgoing_mail_smtp_host}"
+                port: "${outgoing_mail_smtp_port}"
+                username: "${outgoing_mail_smtp_user}"
+                password: "${outgoing_mail_smtp_password}"
+                fromemail: "${outgoing_mail_from_address}"
+                forcessl: true
+              service:
+                frontendurl: "https://test.${vikunja_domain}"
+                timezone: "CET"
+                JWTSecret: "${jwt}"
+              database:
+                type: postgres
+                host: vikunja-test-postgresql
+                password: "${postgresql_password}"
+              log:
+                path: "/app/vikunja"
+                http: file
+                database: stderr
+                databaselevel: debug
+              defaultsettings:
+                avatar_provider: gravatar
+                discoverable_by_name: true
+                discoverable_by_email: true
+                week_start: 1
+                timezone: CET
+    postgresql:
+      enabled: true
+      global:
+        postgresql:
+          auth:
+            database: vikunja
+            username: vikunja
+            password: "${postgresql_password}"
+            postgresPassword: "${postgresql_admin_password}"
+      primary:
+        persistence:
+          existingClaim: vikunja-test-postgres
+    typesense:
+      enabled: false

apps/do/vikunja/vikunja-files-pvc.yaml

+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: vikunja-files
+  namespace: stackspout
+  labels:
+    stackspin.net/backupSet: "vikunja"
+spec:
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 2Gi
+  storageClassName: local-path

apps/do/vikunja/vikunja-oauth-client.yaml

+apiVersion: hydra.ory.sh/v1alpha1
+kind: OAuth2Client
+metadata:
+  name: vikunja-oauth-client
+  # Has to live in the same namespace as the stackspin-*-oauth-variables secret
+  namespace: flux-system
+spec:
+  # TODO copied from wekan: https://github.com/wekan/wekan/wiki/Keycloak
+  grantTypes:
+    - authorization_code
+    - refresh_token
+    - client_credentials
+    - implicit
+  responseTypes:
+    - id_token
+    - code
+  scope: "openid profile email stackspin_roles"
+  secretName: stackspin-vikunja-oauth-variables
+  redirectUris:
+    - https://${vikunja_domain}/auth/openid/stackspin
+  tokenEndpointAuthMethod: client_secret_post

apps/do/vikunja/vikunja-postgres-pvc.yaml

+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: vikunja-postgres
+  namespace: stackspout
+  labels:
+    stackspin.net/backupSet: "vikunja"
+spec:
+  accessModes:
+    - ReadWriteOnce
+  volumeMode: Filesystem
+  resources:
+    requests:
+      storage: 2Gi
+  storageClassName: local-path

apps/do/vikunja/vikunja-release.yaml

+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: vikunja
+  namespace: stackspout
+spec:
+  releaseName: vikunja
+  chart:
+    spec:
+      chart: vikunja
+      version: 0.4.1
+      sourceRef:
+        kind: HelmRepository
+        name: vikunja
+        namespace: flux-system
+  interval: 5m
+  valuesFrom:
+    - kind: ConfigMap
+      name: stackspin-vikunja-values
+      optional: false
+    # Allow overriding values by ConfigMap or Secret
+    - kind: ConfigMap
+      name: stackspin-vikunja-override
+      optional: true
+    - kind: Secret
+      name: stackspin-vikunja-override
+      optional: true

apps/do/vikunja/vikunja-values-configmap.yaml

+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: stackspin-vikunja-values
+  namespace: stackspout
+data:
+  # https://kolaente.dev/vikunja/helm-chart/src/branch/main/values.yaml
+  values.yaml: |
+    frontend:
+      image:
+        tag: 0.22
+      ingress:
+        main:
+          enabled: true
+          annotations:
+            kubernetes.io/tls-acme: "true"
+          hosts:
+            - host: "${vikunja_domain}"
+              paths:
+                 - path: /
+          tls:
+            - secretName: vikunja-tls
+              hosts:
+                - "${vikunja_domain}"
+      env:
+        VIKUNJA_API_URL: https://${vikunja_domain}/api/v1
+    api:
+      image:
+        tag: 0.22
+      persistence:
+        data:
+          existingClaim: vikunja-files
+      ingress:
+        main:
+          enabled: true
+          annotations:
+            kubernetes.io/tls-acme: "true"
+          hosts:
+            - host: "${vikunja_domain}"
+              paths:
+                 - path: /api
+          tls:
+            - secretName: vikunja-tls
+              hosts:
+                - "${vikunja_domain}"
+      configMaps:
+        config:
+          data:
+            config.yml: |-
+              auth:
+                openid:
+                  # https://vikunja.io/docs/config-options/#openid
+                  # Example: https://github.com/go-vikunja/api/blob/main/config.yml.sample#L289-L312
+                  enabled: true
+                  redirecturl: "https://${vikunja_domain}/auth/openid/"
+                  providers:
+                    - name: Stackspin
+                      authurl: "https://${hydra_domain}/"
+                      clientid: "${client_id}"
+                      clientsecret: "${client_secret}"
+                local:
+                  enabled: false
+              mailer:
+                enabled: "${outgoing_mail_enabled}"
+                host: "${outgoing_mail_smtp_host}"
+                port: "${outgoing_mail_smtp_port}"
+                username: "${outgoing_mail_smtp_user}"
+                password: "${outgoing_mail_smtp_password}"
+                fromemail: "${outgoing_mail_from_address}"
+                forcessl: true
+              service:
+                #rootpath: "/app/vikunja"
+                frontendurl: "https://${vikunja_domain}"
+                timezone: "CET"
+                JWTSecret: "${jwt}"
+              database:
+                type: postgres
+                host: vikunja-postgresql
+                password: "${postgresql_password}"
+              # https://vikunja.io/docs/config-options/#log
+              log:
+                standard: stderr
+                level: debug
+                database: file
+                databaselevel: debug
+                http: file
+                echo: file
+                events: file
+                eventslevel: debug
+                mail: file
+                maillevel: debug
+              defaultsettings:
+                avatar_provider: gravatar
+                discoverable_by_name: true
+                discoverable_by_email: true
+                week_start: 1
+                timezone: CET
+                # TODO default_project_id
+    global:
+      labels:
+        stackspin.net/backupSet: "vikunja"
+    podLabels:
+      stackspin.net/backupSet: "vikunja"
+    podAnnotations:
+      backup.velero.io/backup-volumes: "data"
+    postgresql:
+      enabled: true
+      commonLabels:
+        stackspin.net/backupSet: "vikunja"
+      global:
+        postgresql:
+          auth:
+            database: vikunja
+            username: vikunja
+            password: "${postgresql_password}"
+            postgresPassword: "${postgresql_admin_password}"
+      primary:
+        persistence:
+          existingClaim: vikunja-postgres
+        podAnnotations:
+          backup.velero.io/backup-volumes: "data"
+    typesense:
+      enabled: false

apps/flow-kustomization.yaml

+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: add-flow
+  namespace: flux-system
+spec:
+  interval: 10m
+  prune: true
+  path: ./apps/flow
+  sourceRef:
+    kind: GitRepository
+    name: stackspout

apps/flow/kustomization.yaml

+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - n8n-kustomization.yaml
+  - n8n-secrets-kustomization.yaml

apps/flow/n8n-kustomization.yaml

+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: n8n
+  namespace: flux-system
+spec:
+  interval: 5m
+  retryInterval: 2m
+  timeout: 10m
+  wait: true
+  prune: true
+  path: ./apps/flow/n8n
+  sourceRef:
+    kind: GitRepository
+    name: stackspout
+  dependsOn:
+    - name: flux
+    - name: local-path-provisioner
+    - name: n8n-secrets
+    - name: nginx
+    - name: single-sign-on
+  postBuild:
+    substituteFrom:
+      - kind: Secret
+        name: stackspin-cluster-variables
+      - kind: ConfigMap
+        name: stackspin-n8n-kustomization-variables
+      - kind: Secret
+        name: stackspin-n8n-variables
+      # OIDC
+      - kind: Secret
+        name: stackspin-n8n-oauth-variables
+      - kind: ConfigMap
+        name: stackspin-single-sign-on-kustomization-variables

apps/flow/n8n-secrets-kustomization.yaml

+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: n8n-secrets
+  namespace: flux-system
+spec:
+  interval: 5m
+  timeout: 4m
+  wait: true
+  prune: true
+  path: ./apps/flow/n8n-secrets
+  sourceRef:
+    kind: GitRepository
+    name: stackspout
+  dependsOn:
+    - name: flux
+    - name: secrets-controller
+  postBuild:
+    substituteFrom:
+      - kind: Secret
+        name: stackspin-cluster-variables

apps/flow/n8n-secrets/n8n-kustomization-variables.yaml

+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: stackspin-n8n-kustomization-variables
+  namespace: flux-system
+data:
+  n8n_domain: flow.${domain}

apps/flow/n8n-secrets/n8n-oauth-secret.yaml

+---
+apiVersion: secretgenerator.mittwald.de/v1alpha1
+kind: StringSecret
+metadata:
+  name: stackspin-n8n-oauth-variables
+  namespace: flux-system
+spec:
+  data:
+    client_id: n8n
+  fields:
+  - fieldName: client_secret
+    length: "32"

apps/flow/n8n-secrets/n8n-variables.yaml

+---
+apiVersion: secretgenerator.mittwald.de/v1alpha1
+kind: StringSecret
+metadata:
+  name: stackspin-n8n-variables
+  namespace: flux-system
+spec:
+  fields:
+  - fieldName: encryption_key