diff --git a/servers/legion/apps/dharma.yaml b/servers/legion/apps/dharma.yaml
new file mode 100644
index 0000000..46c511f
--- /dev/null
+++ b/servers/legion/apps/dharma.yaml
@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: dharma
+ namespace: argocd
+spec:
+ project: neuron-prod
+ source:
+ repoURL: http://gitea.git.svc.cluster.local:3000/will/infrastructure.git
+ targetRevision: main
+ path: servers/legion/k8s/neuron-technologies/dharma
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: neuron-prod
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=false
diff --git a/servers/legion/dns-neurontechnologies.tf b/servers/legion/dns-neurontechnologies.tf
index 3ab711b..532860e 100644
--- a/servers/legion/dns-neurontechnologies.tf
+++ b/servers/legion/dns-neurontechnologies.tf
@@ -95,6 +95,15 @@ resource "cloudflare_record" "nt_tunnel_gamma" {
 ttl = 1
 }
+resource "cloudflare_record" "nt_tunnel_dharma" {
+ zone_id = local.zone_neurontechnologies_ai
+ name = "dharma"
+ type = "CNAME"
+ content = "${var.cloudflare_tunnel_id}.cfargotunnel.com"
+ proxied = true
+ ttl = 1
+}
+
 # ── Google Workspace MX records ──────────────────────────────────────────────
 resource "cloudflare_record" "nt_mx_1" {
 zone_id = local.zone_neurontechnologies_ai
diff --git a/servers/legion/k8s/neuron-technologies/dharma/deployment.yaml b/servers/legion/k8s/neuron-technologies/dharma/deployment.yaml
new file mode 100644
index 0000000..2209e88
--- /dev/null
+++ b/servers/legion/k8s/neuron-technologies/dharma/deployment.yaml
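Review bot: `repoURL: http://gitea.git.svc.cluster.local:3000/will/infrastructure.git` fetches the manifests over cleartext HTTP, and because `automated:` sets both `prune: true` and `selfHeal: true`, whatever that fetch returns is applied to neuron-prod with no human step in between, so the integrity of production workloads rests entirely on nothing inside the cluster network being able to answer for that Service name. If the Gitea service can terminate TLS, switch to `repoURL: https://gitea.git.svc.cluster.local:3000/will/infrastructure.git` with the issuing CA registered in Argo's repository credentials, or to an SSH URL with a pinned host key. If it cannot, record the accepted risk next to the URL, e.g. `# cleartext in-cluster fetch — relies on cluster network isolation; see repo credential config`. The dns-neurontechnologies.tf hunk on this line mirrors its neighbouring tunnel records and raises nothing on its own.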
@@ -0,0 +1,65 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: dharma
+ namespace: neuron-prod
+ labels:
+ app: dharma
+ env: prod
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: dharma
+ template:
+ metadata:
+ labels:
+ app: dharma
+ env: prod
+ spec:
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 1001
+ fsGroup: 1001
+ seccompProfile:
+ type: RuntimeDefault
+ containers:
+ - name: dharma
+ image: registry.neuralplatform.ai/neuron-technologies/dharma:latest
+ imagePullPolicy: Always
+ ports:
+ - name: http
+ containerPort: 8765
+ env:
+ - name: DHARMA_PORT
+ value: "8765"
+ envFrom:
+ - secretRef:
+ name: dharma-secrets
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ runAsNonRoot: true
+ capabilities:
+ drop: ["ALL"]
+ livenessProbe:
+ httpGet:
+ path: /health
+ port: 8765
+ initialDelaySeconds: 10
+ periodSeconds: 30
+ failureThreshold: 3
+ readinessProbe:
+ httpGet:
+ path: /health
+ port: 8765
+ initialDelaySeconds: 5
+ periodSeconds: 10
+ failureThreshold: 3
+ resources:
+ requests:
+ cpu: 100m
+ memory: 128Mi
+ limits:
+ cpu: 500m
+ memory: 256Mi
diff --git a/servers/legion/k8s/neuron-technologies/dharma/externalsecret.yaml b/servers/legion/k8s/neuron-technologies/dharma/externalsecret.yaml
new file mode 100644
index 0000000..dc386a6
--- /dev/null
+++ b/servers/legion/k8s/neuron-technologies/dharma/externalsecret.yaml
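Review bot: `image: registry.neuralplatform.ai/neuron-technologies/dharma:latest` together with `imagePullPolicy: Always` means every pod restart pulls whatever the mutable tag points to at that moment, so the Argo Application's automated sync sees no change when the image changes, nothing in git records which build is running, and there is nothing to roll back to. Pin the image by digest, `image: registry.neuralplatform.ai/neuron-technologies/dharma@sha256:<digest-placeholder>`, or by an immutable version tag, and let a GitOps commit carry each bump. Two smaller points on the same pod spec: it does not set `automountServiceAccountToken: false`, so the container is handed a Kubernetes API token it has no visible use for, and `readOnlyRootFilesystem: true` is declared with no `volumes`/`volumeMounts` at all, which will fail at runtime if the application writes to `/tmp` — worth confirming against the image before this reaches prod.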
@@ -0,0 +1,43 @@
+# Populate Vault before first deploy:
+#
+# vault kv put secret/neuron-technologies/dharma \
+# api_key="..." \
+# encryption_key="..." \
+# jwt_secret="..." \
+# engram_key="..." \
+# engram_url="http://neuron-daemon.neuron-prod.svc.cluster.local:7749"
+
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: dharma-secrets
+ namespace: neuron-prod
+spec:
+ refreshInterval: 1h
+ secretStoreRef:
+ name: vault
+ kind: ClusterSecretStore
+ target:
+ name: dharma-secrets
+ creationPolicy: Owner
+ data:
+ - secretKey: DHARMA_API_KEY
+ remoteRef:
+ key: secret/data/neuron-technologies/dharma
+ property: api_key
+ - secretKey: DHARMA_ENCRYPTION_KEY
+ remoteRef:
+ key: secret/data/neuron-technologies/dharma
+ property: encryption_key
+ - secretKey: DHARMA_JWT_SECRET
+ remoteRef:
+ key: secret/data/neuron-technologies/dharma
+ property: jwt_secret
+ - secretKey: ENGRAM_KEY
+ remoteRef:
+ key: secret/data/neuron-technologies/dharma
+ property: engram_key
+ - secretKey: ENGRAM_URL
+ remoteRef:
+ key: secret/data/neuron-technologies/dharma
+ property: engram_url
diff --git a/servers/legion/k8s/neuron-technologies/dharma/ingressroute.yaml b/servers/legion/k8s/neuron-technologies/dharma/ingressroute.yaml
new file mode 100644
index 0000000..413333e
--- /dev/null
+++ b/servers/legion/k8s/neuron-technologies/dharma/ingressroute.yaml
@@ -0,0 +1,18 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+ name: dharma
+ namespace: neuron-prod
+ labels:
+ app: dharma
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - match: Host(`dharma.neurontechnologies.ai`)
+ kind: Rule
+ services:
+ - name: dharma
+ port: 8765
+ tls:
+ certResolver: letsencrypt
diff --git a/servers/legion/k8s/neuron-technologies/dharma/kustomization.yaml b/servers/legion/k8s/neuron-technologies/dharma/kustomization.yaml
new file mode 100644
index 0000000..9ecf365
--- /dev/null
+++ b/servers/legion/k8s/neuron-technologies/dharma/kustomization.yaml
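Review bot: `refreshInterval: 1h` keeps the `dharma-secrets` Secret in step with Vault, but the Deployment consumes that Secret through `envFrom`, and environment variables are fixed when the container starts, so a rotated `jwt_secret` or `encryption_key` reaches the process only after a rollout restart — the header comment should say so, e.g. `# rotation: new values land in the Secret within 1h, but pods must be restarted to pick them up`, or the Deployment needs a restart trigger such as a checksum annotation or a reloader. The `vault kv put ... api_key="..."` example in the header also puts secret values on the command line, where they end up in shell history; the example is better written with `api_key=@path/to/file` or `api_key=-` (stdin). `ENGRAM_URL` is not sensitive and would ordinarily live in a ConfigMap rather than the Secret, though keeping all of the app's environment in one object is a defensible choice if it is deliberate.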
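Review bot: The IngressRoute's `labels` carries only `app: dharma`, whereas the Deployment in the same change sets `env: prod` on both its metadata and its pod template; service.yaml on the next line has the same gap. Adding `env: prod` under `labels` in both objects keeps any tooling that keys on `env` consistent across the three resources for this app.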
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - externalsecret.yaml
+ - deployment.yaml
+ - service.yaml
+ - ingressroute.yaml
diff --git a/servers/legion/k8s/neuron-technologies/dharma/service.yaml b/servers/legion/k8s/neuron-technologies/dharma/service.yaml
new file mode 100644
index 0000000..01d5fed
--- /dev/null
+++ b/servers/legion/k8s/neuron-technologies/dharma/service.yaml
@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: dharma
+ namespace: neuron-prod
+ labels:
+ app: dharma
+spec:
+ selector:
+ app: dharma
+ ports:
+ - name: http
+ port: 8765
+ targetPort: 8765
+ type: ClusterIP
diff --git a/servers/legion/main.tf b/servers/legion/main.tf
index 532ffd9..7ded466 100644
--- a/servers/legion/main.tf
+++ b/servers/legion/main.tf
@@ -229,6 +229,15 @@ resource "cloudflare_zero_trust_tunnel_cloudflared_config" "legion" {
 }
 }
+ # dharma.neurontechnologies.ai — DHARMA CGI registry
+ ingress_rule {
+ hostname = "dharma.neurontechnologies.ai"
+ service = "https://traefik.kube-system.svc:443"
+ origin_request {
+ no_tls_verify = true
+ }
+ }
+
 # sign.neurontechnologies.ai — Docuseal e-signature
 ingress_rule {
 hostname = "sign.neurontechnologies.ai"
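Review bot: `no_tls_verify = true` in the new `origin_request` block turns off certificate validation on the cloudflared → `https://traefik.kube-system.svc:443` hop, so the tunnel completes a handshake with whatever answers on that Service address and the TLS on this leg gives no origin authentication. Because the IngressRoute for this host is served under a `letsencrypt` certResolver, cloudflared can verify the origin normally once it presents the right SNI: replace the flag with `origin_server_name = "dharma.neurontechnologies.ai"`, adding `ca_pool` only if traefik ends up serving a privately issued default certificate, and confirm the resolver has actually issued a certificate for this host before flipping it. The `sign.` rule and the other `ingress_rule` blocks in this resource are outside the hunk; if they carry the same flag the same change applies there, and if trusting the in-cluster hop is a deliberate cluster-wide decision it should be written down next to the flag rather than left implicit.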