redaction (#1)

Add the redacted source file for demo purposes Reviewed-on: https://source.michaeldileo.org/michael_dileo/Keybard-Vagabond-Demo/pulls/1 Co-authored-by: Michael DiLeo <michael_dileo@proton.me> Co-committed-by: Michael DiLeo <michael_dileo@proton.me>
2025-12-24 13:40:47 +00:00
parent 612235d52b
commit 7327d77dcd
333 changed files with 39286 additions and 1 deletions
--- a/manifests/applications/bookwyrm/cronjobs.yaml
+++ b/manifests/applications/bookwyrm/cronjobs.yaml
@@ -0,0 +1,264 @@
+---
+# BookWyrm Automod CronJob
+# Replaces Celery beat scheduler for automod tasks
+# This job checks for spam/moderation rules and creates reports
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: bookwyrm-automod
+  namespace: bookwyrm-application
+  labels:
+    app: bookwyrm
+    component: automod-cronjob
+spec:
+  # Run every 6 hours - adjust based on your moderation needs
+  # "0 */6 * * *" = every 6 hours at minute 0
+  schedule: "0 */6 * * *"
+  timeZone: "UTC"
+  concurrencyPolicy: Forbid  # Don't allow overlapping jobs
+  successfulJobsHistoryLimit: 3
+  failedJobsHistoryLimit: 3
+  startingDeadlineSeconds: 600  # 10 minutes
+  jobTemplate:
+    metadata:
+      labels:
+        app: bookwyrm
+        component: automod-cronjob
+    spec:
+      # Clean up jobs after 1 hour
+      ttlSecondsAfterFinished: 3600
+      template:
+        metadata:
+          labels:
+            app: bookwyrm
+            component: automod-cronjob
+        spec:
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 1000
+            runAsGroup: 1000
+            fsGroup: 1000
+            seccompProfile:
+              type: RuntimeDefault
+          restartPolicy: OnFailure
+          containers:
+          - name: automod-task
+            image: <YOUR_REGISTRY_URL>/library/bookwyrm-worker:latest
+            command: ["/opt/venv/bin/python"]
+            args:
+            - "manage.py"
+            - "shell"
+            - "-c"
+            - "from bookwyrm.models.antispam import automod_task; automod_task()"
+            env:
+            - name: CONTAINER_TYPE
+              value: "cronjob-automod"
+            - name: DJANGO_SETTINGS_MODULE
+              value: "bookwyrm.settings"
+            envFrom:
+            - configMapRef:
+                name: bookwyrm-config
+            - secretRef:
+                name: bookwyrm-secrets
+            resources:
+              requests:
+                cpu: 50m
+                memory: 128Mi
+              limits:
+                cpu: 200m
+                memory: 256Mi
+            securityContext:
+              allowPrivilegeEscalation: false
+              capabilities:
+                drop: ["ALL"]
+              readOnlyRootFilesystem: false
+              runAsNonRoot: true
+              runAsUser: 1000
+          nodeSelector:
+            kubernetes.io/arch: arm64
+          tolerations:
+          - effect: NoSchedule
+            key: node-role.kubernetes.io/control-plane
+            operator: Exists
+
+---
+# BookWyrm Update Check CronJob
+# Replaces Celery beat scheduler for checking software updates
+# This job checks GitHub for new BookWyrm releases
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: bookwyrm-update-check
+  namespace: bookwyrm-application
+  labels:
+    app: bookwyrm
+    component: update-check-cronjob
+spec:
+  # Run daily at 3:00 AM UTC
+  # "0 3 * * *" = every day at 3:00 AM
+  schedule: "0 3 * * *"
+  timeZone: "UTC"
+  concurrencyPolicy: Forbid  # Don't allow overlapping jobs
+  successfulJobsHistoryLimit: 3
+  failedJobsHistoryLimit: 3
+  startingDeadlineSeconds: 600  # 10 minutes
+  jobTemplate:
+    metadata:
+      labels:
+        app: bookwyrm
+        component: update-check-cronjob
+    spec:
+      # Clean up jobs after 1 hour
+      ttlSecondsAfterFinished: 3600
+      template:
+        metadata:
+          labels:
+            app: bookwyrm
+            component: update-check-cronjob
+        spec:
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 1000
+            runAsGroup: 1000
+            fsGroup: 1000
+            seccompProfile:
+              type: RuntimeDefault
+          restartPolicy: OnFailure
+          containers:
+          - name: update-check-task
+            image: <YOUR_REGISTRY_URL>/library/bookwyrm-worker:latest
+            command: ["/opt/venv/bin/python"]
+            args:
+            - "manage.py"
+            - "shell"
+            - "-c"
+            - "from bookwyrm.models.site import check_for_updates_task; check_for_updates_task()"
+            env:
+            - name: CONTAINER_TYPE
+              value: "cronjob-update-check"
+            - name: DJANGO_SETTINGS_MODULE
+              value: "bookwyrm.settings"
+            envFrom:
+            - configMapRef:
+                name: bookwyrm-config
+            - secretRef:
+                name: bookwyrm-secrets
+            resources:
+              requests:
+                cpu: 50m
+                memory: 128Mi
+              limits:
+                cpu: 200m
+                memory: 256Mi
+            securityContext:
+              allowPrivilegeEscalation: false
+              capabilities:
+                drop: ["ALL"]
+              readOnlyRootFilesystem: false
+              runAsNonRoot: true
+              runAsUser: 1000
+          nodeSelector:
+            kubernetes.io/arch: arm64
+          tolerations:
+          - effect: NoSchedule
+            key: node-role.kubernetes.io/control-plane
+            operator: Exists
+
+---
+# BookWyrm Database Cleanup CronJob
+# Optional: Add database maintenance tasks that might be beneficial
+# This can include cleaning up expired sessions, old notifications, etc.
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: bookwyrm-db-cleanup
+  namespace: bookwyrm-application
+  labels:
+    app: bookwyrm
+    component: db-cleanup-cronjob
+spec:
+  # Run weekly on Sunday at 2:00 AM UTC
+  # "0 2 * * 0" = every Sunday at 2:00 AM
+  schedule: "0 2 * * 0"
+  timeZone: "UTC"
+  concurrencyPolicy: Forbid  # Don't allow overlapping jobs
+  successfulJobsHistoryLimit: 2
+  failedJobsHistoryLimit: 2
+  startingDeadlineSeconds: 1800  # 30 minutes
+  jobTemplate:
+    metadata:
+      labels:
+        app: bookwyrm
+        component: db-cleanup-cronjob
+    spec:
+      # Clean up jobs after 2 hours
+      ttlSecondsAfterFinished: 7200
+      template:
+        metadata:
+          labels:
+            app: bookwyrm
+            component: db-cleanup-cronjob
+        spec:
+          securityContext:
+            runAsNonRoot: true
+            runAsUser: 1000
+            runAsGroup: 1000
+            fsGroup: 1000
+            seccompProfile:
+              type: RuntimeDefault
+          restartPolicy: OnFailure
+          containers:
+          - name: db-cleanup-task
+            image: <YOUR_REGISTRY_URL>/library/bookwyrm-worker:latest
+            command: ["/opt/venv/bin/python"]
+            args:
+            - "manage.py"
+            - "shell"
+            - "-c"
+            - |
+              # Clean up expired sessions (older than 2 weeks)
+              from django.contrib.sessions.models import Session
+              from django.utils import timezone
+              from datetime import timedelta
+              cutoff = timezone.now() - timedelta(days=14)
+              expired_count = Session.objects.filter(expire_date__lt=cutoff).count()
+              Session.objects.filter(expire_date__lt=cutoff).delete()
+              print(f"Cleaned up {expired_count} expired sessions")
+              
+              # Clean up old notifications (older than 90 days) if they are read
+              from bookwyrm.models import Notification
+              cutoff = timezone.now() - timedelta(days=90)
+              old_notifications = Notification.objects.filter(created_date__lt=cutoff, read=True)
+              old_count = old_notifications.count()
+              old_notifications.delete()
+              print(f"Cleaned up {old_count} old read notifications")
+            env:
+            - name: CONTAINER_TYPE
+              value: "cronjob-db-cleanup"
+            - name: DJANGO_SETTINGS_MODULE
+              value: "bookwyrm.settings"
+            envFrom:
+            - configMapRef:
+                name: bookwyrm-config
+            - secretRef:
+                name: bookwyrm-secrets
+            resources:
+              requests:
+                cpu: 100m
+                memory: 256Mi
+              limits:
+                cpu: 500m
+                memory: 512Mi
+            securityContext:
+              allowPrivilegeEscalation: false
+              capabilities:
+                drop: ["ALL"]
+              readOnlyRootFilesystem: false
+              runAsNonRoot: true
+              runAsUser: 1000
+          nodeSelector:
+            kubernetes.io/arch: arm64
+          tolerations:
+          - effect: NoSchedule
+            key: node-role.kubernetes.io/control-plane
+            operator: Exists