From 9d01dbb57714d1e6bfa4ab8f18ddacd68cea4b34 Mon Sep 17 00:00:00 2001
From: Michael Thomson <me@michaelthomson.dev>
Date: Sun, 24 May 2026 14:49:20 -0400
Subject: [PATCH] grimmory

---
 apps/grimmory/mariadb-credentials.yaml        | 23 ++++++++++
 apps/grimmory/release.yaml                    | 46 +++++++++++++++++++
 apps/grimmory/repository.yaml                 |  9 ++++
 bootstrap/apps/kustomization-grimmory.yaml    | 19 ++++++++
 .../namespaces/namespace-grimmory.yaml        |  4 ++
 5 files changed, 101 insertions(+)
 create mode 100644 apps/grimmory/mariadb-credentials.yaml
 create mode 100644 apps/grimmory/release.yaml
 create mode 100644 apps/grimmory/repository.yaml
 create mode 100644 bootstrap/apps/kustomization-grimmory.yaml
 create mode 100644 infrastructure/namespaces/namespace-grimmory.yaml

diff --git a/apps/grimmory/mariadb-credentials.yaml b/apps/grimmory/mariadb-credentials.yaml
new file mode 100644
index 0000000..dbe97ac
--- /dev/null
+++ b/apps/grimmory/mariadb-credentials.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+stringData:
+    mariadb-password: ENC[AES256_GCM,data:sRg+BqCvSWe/I9vLLRcgPyMs87BttZAejfKPI7kIej6L3sXasYE700jr9tw=,iv:VMnb9a72TYYBdC2RCD9wwpRdUZiiD+SFOZOl0ZIHjbU=,tag:eXRgY1VO0PDRJPUAr4RYXw==,type:str]
+    mariadb-root-password: ENC[AES256_GCM,data:86cu/5fSD2h7yQSt0b9cp15a56LYiyhdUfFVdhla7cs0GsIyDul2A4TuSQA=,iv:U+JPt6UUc70MzYAQBODEzl/wMQ+TEVBYZHxxMZf4xyw=,tag:CAdI37E9cj07yoltPxLjWg==,type:str]
+kind: Secret
+metadata:
+    name: mariadb-credentials
+    namespace: grimmory
+sops:
+    age:
+        - recipient: age1s0206tnfaaw849x5xmt95axgu8qhxzlu5ywrwz09tpt8lwpx858q089nq9
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvOEhieFpaNU5CRElYRFRx
+            VjJqUm9Zbk44M3QvVlNqcUFGUnRjNlUvUERZCjA2VjJXdlJmSDdYeW5BbEF2RElV
+            QXZ6YVl3REVFRzY5RG81YzVyaWpBWTgKLS0tIEdITTBCUm1tZGhZVzFwbGszbDF6
+            ZzhZOEU2SUFUWllqOHZCS1c5YW5TQjQKbQqmVAWZq7aqBaFt+51oY7PZ2BcLc7Wa
+            neOgcwRTq2x27yoWNPlcWSsqFss5RLldriEer4QdwdIDlWEj8Js7uA==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2026-05-24T18:40:49Z"
+    mac: ENC[AES256_GCM,data:URvFnjTBRU17FIJTLjggheWWI63UcktsyMgrKP5Ib7/F4HcSbZySGis6Ty/y2Cn5uessjpf12IQ1EZ0Vybnm7w58/nb3+ZiEow5XtJ91OAw2iCJv00YyKtWgFqkymCHJu2a/SuuG3ibH5+MbucQKHUSXuxsRvYaJaigw1Gzi80I=,iv:3H2NNqh8eBqNvKybtsKYujjDeDlvmlwXxdzRoazU46E=,tag:tgYlwl0K7GbSX1pBtlD/xg==,type:str]
+    encrypted_regex: ^(data|stringData)$
+    version: 3.12.2
diff --git a/apps/grimmory/release.yaml b/apps/grimmory/release.yaml
new file mode 100644
index 0000000..536bf2c
--- /dev/null
+++ b/apps/grimmory/release.yaml
@@ -0,0 +1,46 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: grimmory
+  namespace: grimmory
+spec:
+  chart:
+    spec:
+      chart: grimmory
+      version: 3.x
+      sourceRef:
+        kind: HelmRepository
+        name: grimmory
+  interval: 15m
+  releaseName: grimmory
+  values:
+mariadb:
+  auth:
+    existingSecret: mariadb-credentials
+    secretKeys:
+      rootPasswordKey: mariadb-root-password
+      userPasswordKey: mariadb-password
+ingress:
+  enabled: true
+  annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.tls: "true"
+  hosts:
+    - host: grimmory.michaelthomson.dev
+      paths:
+        - path: /
+          pathType: ImplementationSpecific
+  tls:
+    - hosts:
+        - grimmory.michaelthomson.dev
+      secretName: grimmory-tls
+persistence:
+  dataVolume:
+    enabled: true
+    size: 100Mi
+    existingClaim: ""
+  booksVolume:
+    enabled: true
+    size: 10Gi
+    existingClaim: ""
diff --git a/apps/grimmory/repository.yaml b/apps/grimmory/repository.yaml
new file mode 100644
index 0000000..e873494
--- /dev/null
+++ b/apps/grimmory/repository.yaml
@@ -0,0 +1,9 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: grimmory
+  namespace: grimmory
+spec:
+  type: "oci"
+  interval: 15m
+  url: oci://ghcr.io/grimmory-tools/helm-charts/grimmory:3.1.0
diff --git a/bootstrap/apps/kustomization-grimmory.yaml b/bootstrap/apps/kustomization-grimmory.yaml
new file mode 100644
index 0000000..95d60e7
--- /dev/null
+++ b/bootstrap/apps/kustomization-grimmory.yaml
@@ -0,0 +1,19 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: grimmory
+  namespace: flux-system
+spec:
+  interval: 15m
+  path: ./apps/grimmory
+  prune: true # remove any elements later removed from the above path
+  wait: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  decryption:
+    provider: sops
+    secretRef:
+      name: sops-age
+  dependsOn:
+    - name: infra-configs
diff --git a/infrastructure/namespaces/namespace-grimmory.yaml b/infrastructure/namespaces/namespace-grimmory.yaml
new file mode 100644
index 0000000..0151e76
--- /dev/null
+++ b/infrastructure/namespaces/namespace-grimmory.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: grimmory