add source code and readme

manifests/applications/picsur/README.md

@@ -0,0 +1,85 @@
+# Picsur Image Hosting Service
+
+Picsur is a self-hosted image sharing service similar to Imgur. This deployment integrates with the existing PostgreSQL cluster and provides automatic DNS/SSL setup.
+
+## Prerequisites
+
+### Database Setup
+Before deploying, create the database and user manually. **Note**: Connect to the PRIMARY instance (check with `kubectl get cluster postgresql-shared -n postgresql-system -o jsonpath="{.status.currentPrimary}"`):
+
+```bash
+# Step 1: Create database and user (if they don't exist)
+kubectl exec -it postgresql-shared-2 -n postgresql-system -- psql -U postgres -c "CREATE DATABASE picsur;"
+kubectl exec -it postgresql-shared-2 -n postgresql-system -- psql -U postgres -c "CREATE USER picsur WITH ENCRYPTED PASSWORD 'your_secure_password';"
+
+# Step 2: Grant database-level permissions
+kubectl exec -it postgresql-shared-2 -n postgresql-system -- psql -U postgres -c "GRANT ALL PRIVILEGES ON DATABASE picsur TO picsur;"
+
+# Step 3: Grant schema-level permissions (CRITICAL for table creation)
+kubectl exec -it postgresql-shared-2 -n postgresql-system -- psql -U postgres -d picsur -c "GRANT ALL ON SCHEMA public TO picsur; GRANT ALL PRIVILEGES ON ALL TABLES IN SCHEMA public TO picsur; GRANT ALL PRIVILEGES ON ALL SEQUENCES IN SCHEMA public TO picsur;"
+```
+
+**Troubleshooting**: If Picsur fails with "permission denied for schema public", you need to run Step 3 above. The user needs explicit permissions on the public schema to create tables.
+
+### Secret Configuration
+Update the `secret.yaml` file with proper SOPS encryption:
+
+```bash
+# Edit the secret with your actual values
+sops manifests/applications/picsur/secret.yaml
+
+# Update these values:
+# - PICSUR_DB_USERNAME: picsur
+# - PICSUR_DB_PASSWORD: your_secure_password
+# - PICSUR_DB_DATABASE: picsur
+# - PICSUR_ADMIN_PASSWORD: your_admin_password
+# - PICSUR_JWT_SECRET: your_jwt_secret_key
+```
+
+## Configuration
+
+### Environment Variables
+- `PICSUR_DB_HOST`: PostgreSQL connection host
+- `PICSUR_DB_PORT`: PostgreSQL port (5432)
+- `PICSUR_DB_USERNAME`: Database username
+- `PICSUR_DB_PASSWORD`: Database password
+- `PICSUR_DB_DATABASE`: Database name
+- `PICSUR_ADMIN_PASSWORD`: Admin user password
+- `PICSUR_JWT_SECRET`: JWT secret for authentication
+- `PICSUR_MAX_FILE_SIZE`: Maximum file size (default: 50MB)
+
+### Storage
+- Uses Longhorn persistent volume with `longhorn-retain` storage class
+- 20GB initial storage allocation
+- Volume labeled for S3 backup inclusion
+
+### Resources
+- **Requests**: 200m CPU, 512Mi memory
+- **Limits**: 1000m CPU, 2Gi memory
+- **Worker Memory**: 1024MB (configured in Picsur admin UI)
+- Suitable for image hosting with large file processing (up to 50MB files, 40MP+ panoramas)
+
+## Access
+
+Once deployed, Picsur will be available at:
+- **URL**: https://picsur.keyboardvagabond.com
+- **Admin Username**: admin
+- **Admin Password**: As configured in secret
+
+## Monitoring
+
+Basic health checks are configured. If Picsur exposes metrics, uncomment the ServiceMonitor in `monitoring.yaml`.
+
+## Integration with WriteFreely
+
+Picsur can be used as an image backend for WriteFreely:
+1. Upload images to Picsur
+2. Use the direct image URLs in WriteFreely posts
+3. Images are served from your own infrastructure
+
+## Scaling
+
+Current deployment is single-replica. For high availability:
+1. Increase replica count
+2. Consider using ReadWriteMany storage if needed
+3. Ensure database can handle multiple connections 

manifests/applications/picsur/deployment.yaml

@@ -0,0 +1,71 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: picsur
+  namespace: picsur-system
+  labels:
+    app: picsur
+spec:
+  replicas: 2
+  selector:
+    matchLabels:
+      app: picsur
+  template:
+    metadata:
+      labels:
+        app: picsur
+    spec:
+      containers:
+      - name: picsur
+        image: ghcr.io/caramelfur/picsur:latest
+        imagePullPolicy: Always
+        ports:
+        - containerPort: 8080
+          protocol: TCP
+        env:
+        - name: PICSUR_PORT
+          value: "8080"
+        - name: PICSUR_HOST
+          value: "0.0.0.0"
+        envFrom:
+        - secretRef:
+            name: picsur-config
+        volumeMounts:
+        - name: picsur-data
+          mountPath: /app/data
+        resources:
+          requests:
+            memory: "256Mi"
+            cpu: "200m"
+          limits:
+            memory: "1Gi"
+            cpu: "1000m"
+        livenessProbe:
+          httpGet:
+            path: /
+            port: 8080
+          initialDelaySeconds: 30
+          periodSeconds: 10
+          timeoutSeconds: 5
+          failureThreshold: 3
+        readinessProbe:
+          httpGet:
+            path: /
+            port: 8080
+          initialDelaySeconds: 5
+          periodSeconds: 5
+          timeoutSeconds: 5
+          failureThreshold: 3
+        securityContext:
+          runAsNonRoot: true
+          runAsUser: 1000
+          runAsGroup: 1000
+          allowPrivilegeEscalation: false
+          readOnlyRootFilesystem: false
+          capabilities:
+            drop:
+              - ALL
+      volumes:
+      - name: picsur-data
+        persistentVolumeClaim:
+          claimName: picsur-data 

manifests/applications/picsur/ingress.yaml

@@ -0,0 +1,28 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: picsur-ingress
+  namespace: picsur-system
+  annotations:
+    # Basic NGINX Configuration only - no cert-manager or external-dns
+    kubernetes.io/ingress.class: nginx
+    
+    # nginx annotations for large file uploads
+    nginx.ingress.kubernetes.io/proxy-body-size: "100m"
+    nginx.ingress.kubernetes.io/proxy-read-timeout: "300"
+    nginx.ingress.kubernetes.io/proxy-send-timeout: "300"
+    nginx.ingress.kubernetes.io/client-max-body-size: "100m"
+spec:
+  ingressClassName: nginx
+  tls: []
+  rules:
+  - host: picsur.keyboardvagabond.com
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: picsur
+            port:
+              number: 8080 

manifests/applications/picsur/kustomization.yaml

@@ -0,0 +1,16 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - namespace.yaml
+  - secret.yaml
+  - storage.yaml
+  - deployment.yaml
+  - service.yaml
+  - ingress.yaml
+  - monitoring.yaml
+
+commonLabels:
+  app.kubernetes.io/name: picsur
+  app.kubernetes.io/instance: picsur
+  app.kubernetes.io/component: image-hosting 

manifests/applications/picsur/monitoring.yaml

@@ -0,0 +1,17 @@
+# ServiceMonitor for Picsur (uncomment if metrics endpoint is available)
+# apiVersion: monitoring.coreos.com/v1
+# kind: ServiceMonitor
+# metadata:
+#   name: picsur-metrics
+#   namespace: picsur-system
+#   labels:
+#     app: picsur
+# spec:
+#   selector:
+#     matchLabels:
+#       app: picsur
+#   endpoints:
+#   - port: http
+#     path: /metrics
+#     interval: 30s
+#     scrapeTimeout: 10s 

manifests/applications/picsur/namespace.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: picsur-system
+  labels:
+    name: picsur-system 

manifests/applications/picsur/secret.yaml

@@ -0,0 +1,50 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: picsur-config
+    namespace: picsur-system
+type: Opaque
+stringData:
+    #ENC[AES256_GCM,data:BP0prorka9fFS/Qa9x5pKWgc05JJMFSCn8sEsCkq,iv:B89o/vFJyI9cskuBag2zKcgxSoBTUR1x0r/VKiuPwEw=,tag:W8yTa6XowApJRzYxuq0UkA==,type:comment]
+    PICSUR_DB_HOST: ENC[AES256_GCM,data:zJGjviO8K52AZT3egABcWniSvnuQ2umVtQ+uSBps+e+TztP+M/oOxGqnInu0zCv8oIWHGtS8XIs=,iv:t1j/XDvdVDI/rIZutzGpHJdHlCkuIlKHZBt+CMPMgLw=,tag:6S3Mfzeps7BbIGrcq+2f+A==,type:str]
+    PICSUR_DB_PORT: ENC[AES256_GCM,data:SxJkeA==,iv:YrUdhNXax7bKh237EX13WtrO0/b/pY/obc5YKLddeyI=,tag:0FxGQ/WC6Ox7+3K1qWHaxg==,type:str]
+    PICSUR_DB_USERNAME: ENC[AES256_GCM,data:9yKUUdCh,iv:xl5N7UmMB7DKTsJolX/DJwR4gGn0cqlLxdyLSdRgSmU=,tag:rHzyQZ5nlXKcMVY1F90Icw==,type:str]
+    PICSUR_DB_PASSWORD: ENC[AES256_GCM,data:4P7j6qxY33HWqFFm71y/Cy7WEOTPQ9xpFseiX1+1bxEOTzf7TF7tbXbaWXitaDS85Xo=,iv:TqpNV0KHzDdNyIhhXFeb3DSvLeI32dMJ7QJMaMcyIQE=,tag:5ygqR36zKe+IOwo6wZ3OEA==,type:str]
+    PICSUR_DB_DATABASE: ENC[AES256_GCM,data:vXt8Jume,iv:PYdTjq5h6SImXjZ5FpLZT9GTgbi54TqDMdn15K7RHpI=,tag:l9Y7HLoQxHYm/V6KTe9/LQ==,type:str]
+    #ENC[AES256_GCM,data:BztJjxk73uA1pei7Tt466P/BTPs=,iv:/yb9bLGa7N47Gy4jDUq5TtUu0JIzqMB/e9hEvP1fJjs=,tag:RqDkJnHezi6h1bqXSc6TJA==,type:comment]
+    PICSUR_ADMIN_PASSWORD: ENC[AES256_GCM,data:vMDhEwd2eEVUR89e7MEjug/cXlsmu3s3cdqPa57P2/NpU9LT2f+4Ey8iWVI9wedxu3c=,iv:gLSB4EaRrhZSru4+x0RviEdCS72JmrMnZwQ1AfBA1YY=,tag:SrFAw5TEvaBNvzWbKXyrHw==,type:str]
+    PICSUR_JWT_SECRET: ENC[AES256_GCM,data:ki9yTwg5w1Mxdf3mcwQb6TkC4jDed/SbawH3f738e6TcbkLZCfWcl2zMZwOkWM4Eqr4=,iv:tNo0eMMl5bDjvhwxI9st8jSBUH7CfsCZp3JAMJPaW/0=,tag:Uc/RS+CytnBRt64gEwawDQ==,type:str]
+    #ENC[AES256_GCM,data:tPpKr63BAREPqFFp3AA=,iv:GDFAxinjWQr60dm0Sf2th5OW3oYh8KfQWfgegHms8U0=,tag:WIvROBuzzhww/4eJIvNAbg==,type:comment]
+    PICSUR_MAX_FILE_SIZE: ENC[AES256_GCM,data:M78ZZQ==,iv:AeVeN1QR8G3Focc52nbArGEwm741jtlIDAEX3FZCswk=,tag:K8AGL1TSc+FD2cb/3rzd/w==,type:str]
+    #ENC[AES256_GCM,data:c043AZewfspILmV8e1vmZJJf9yaMz0loTXQ=,iv:0f6JbmMLXtourJ8xKu0f7T5b1Yo5MYpyLLX0jUT74oo=,tag:fjXSt1I24ja+FZVkH/Ax7Q==,type:comment]
+    PICSUR_STATIC_FRONTEND: ENC[AES256_GCM,data:1zROtg==,iv:HCtcGrBKsup2S+xqc+9iGR/8AzVzc+uM+yX9EqxL5Q8=,tag:qs+qydu6fAA2Zmt1lGiRdg==,type:str]
+sops:
+    lastmodified: "2025-11-24T15:23:11Z"
+    mac: ENC[AES256_GCM,data:DZxdljNGEpqvVikakfK2/MD+rBYiSVkm52UHgHbWJpeMO4XewZ4d8Q3NlikfTaeRgx3xy95vkLXou5khUh35F+wqOppIt7tF53eNnz3Nx8f699h9TNO+RD0w9v1f7CX+s0aSA2X0EA1wFUaYN+EvcFc0PgQRuxpoxVnWLrCsv1k=,iv:5rP+Lp3OYTlbatk3YAbWzcqaJCzMGTpLp1qjRWNgKLM=,tag:ffO4J8VOIisBCI+jkdXiJA==,type:str]
+    pgp:
+        - created_at: "2025-11-24T15:23:11Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DZT3mpHTS/JgSAQdAJFZhk6STCev/LCydZnfdlo3nL7Q4VNz4v5eKkvMcfkMw
+            amc2Tboe1Ki6TfBqhDcnZipjKralqz6BLLCHntDpgUgwsgWKMSZOfVOStRIPF8vQ
+            1GgBCQIQCPOdafK3ZmOuCvqoEcnaY3MiF9wpNuYIMWoy6qA/fVtZ4e1w2+2uqFjw
+            S8ce7vEV7L4yGUcHhK9aXSDJI4z33fOKt2jysTiiawY3h+KiUaVlaJgOnNPPSJVM
+            4IPRFzWHRnNySw==
+            =a0/m
+            -----END PGP MESSAGE-----
+          fp: B120595CA9A643B051731B32E67FF350227BA4E8
+        - created_at: "2025-11-24T15:23:11Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DSXzd60P2RKISAQdAUy4qBsxEzpryn7Ux5519ZlnZAZDR4mAnBm8M1hCAK3Uw
+            v5ZAdnerLmB/wedb3yCLA9eizmgBWz91SB13iw+hegfvLzH9TdpvbI6xA9oSwfmo
+            1GgBCQIQ4LMM//fiTY4OzaF5QT7Af8s9FCYQUzSOvL73ANofh4jA6RrBcmTOgxPT
+            z11NERcEdsy4Yy81ENPMk1rG5U/5R7ZmGPVI2krhLlwGWDRH1fkjtLzd84NYL7eT
+            0Jh0ySW9QbfAhg==
+            =OIIi
+            -----END PGP MESSAGE-----
+          fp: 4A8AADB4EBAB9AF88EF7062373CECE06CC80D40C
+    encrypted_regex: ^(data|stringData)$
+    version: 3.10.2

manifests/applications/picsur/service.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: picsur
+  namespace: picsur-system
+  labels:
+    app: picsur
+spec:
+  selector:
+    app: picsur
+  ports:
+  - name: http
+    port: 8080
+    targetPort: 8080
+    protocol: TCP
+  type: ClusterIP 

manifests/applications/picsur/storage.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: picsur-data
+  namespace: picsur-system
+  labels:
+    # Enable S3 backup with correct Longhorn labels (daily + weekly)
+    recurring-job.longhorn.io/source: "enabled"
+    recurring-job-group.longhorn.io/longhorn-s3-backup: "enabled"
+    recurring-job-group.longhorn.io/longhorn-s3-backup-weekly: "enabled"
+spec:
+  accessModes:
+    - ReadWriteMany  # ReadWriteMany allows horizontal scaling of Picsur pods
+  storageClassName: longhorn-retain
+  resources:
+    requests:
+      storage: 20Gi  # Adjust based on expected image storage needs