Hetzner single-node overlay
This overlay turns the shared platform and unrip project bases into a concrete first-node bootstrap target for the Terraform-provisioned k3s VM.
Before apply
Create real secret material from the examples:
cp deploy/k8s/overlays/hetzner-single-node/secrets/unrip.env.example deploy/k8s/overlays/hetzner-single-node/secrets/unrip.env
cp deploy/k8s/overlays/hetzner-single-node/secrets/forgejo.env.example deploy/k8s/overlays/hetzner-single-node/secrets/forgejo.env
cp deploy/k8s/overlays/hetzner-single-node/secrets/registry.htpasswd.example deploy/k8s/overlays/hetzner-single-node/secrets/registry.htpasswd
Update:
- ingress hosts in ingress-hosts.patch.yaml
- ACME email in issuer-email.patch.yaml
- project secret values in secrets/unrip.env
- Forgejo secret values in secrets/forgejo.env
- registry htpasswd in secrets/registry.htpasswd
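A pre-apply check for the steps above, as an added example that is not part of the repository: it flags secret files that are missing, still identical to their .example template, accessible beyond their owner, or tracked by git. The function name and the four checks are assumptions; the file names are the ones listed in this README.

```shell
#!/bin/sh
# Added example (not from the repository): pre-apply check of the overlay's
# secret files. File names come from the README; the checks are assumptions
# about what "real secret material" should look like on the operator's machine.
# Usage: check_overlay_secrets deploy/k8s/overlays/hetzner-single-node/secrets \
#          && kubectl apply -k deploy/k8s/overlays/hetzner-single-node
check_overlay_secrets() {
    dir=$1
    problems=0
    for name in unrip.env forgejo.env registry.htpasswd; do
        real="$dir/$name"
        if [ ! -s "$real" ]; then
            echo "MISSING   $real (absent or empty)"
            problems=$((problems + 1))
            continue
        fi
        # Byte-identical to the example: placeholder credentials would be deployed.
        if [ -f "$real.example" ] && cmp -s "$real" "$real.example"; then
            echo "UNCHANGED $real still equals $name.example"
            problems=$((problems + 1))
        fi
        # Any group/other permission bit set: other local users can read the secret.
        case $(ls -ld "$real" | cut -c5-10) in
            ------) ;;
            *) echo "PERMS     $real is accessible beyond its owner (chmod 600)"
               problems=$((problems + 1)) ;;
        esac
        # Tracked by git: the secret would be pushed with the repository.
        if git -C "$dir" ls-files --error-unmatch -- "$name" >/dev/null 2>&1; then
            echo "TRACKED   $real is tracked by git"
            problems=$((problems + 1))
        fi
    done
    # Return status is 0 only when no problem was reported.
    [ "$problems" -eq 0 ]
}
```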
Apply
kubectl apply -k deploy/k8s/overlays/hetzner-single-node
What gets installed
- shared platform namespaces for registry, ingress, cert-manager, and Forgejo
- project namespace unrip
- Redpanda plus a topic bootstrap job inside unrip
- app worker deployments referencing unrip-secrets
- Forgejo and Forgejo runner referencing forgejo-secrets
- private registry protected by htpasswd from registry-secrets
- nginx ingress and ACME issuers for TLS
For future projects, do not reuse unrip; create a new project namespace and matching <project>-config, <project>-secrets, and <project>-registry-creds resources.