admin/homelab-manifests
1
0
Fork 0
Code Issues 1 Pull Requests Actions Packages Projects Releases Wiki Activity
Files
main
homelab-manifests/wanderer-system/wanderer.yaml
T
admin 1338bbb6ae wanderer/renovate: roll back meilisearch v1.45.2 -> v1.11.3 + gate future bumps 
Renovate PR #32 (merged 2026-06-06 09:30) bumped getmeili/meilisearch
from v1.11.3 to v1.45.2 under the default-allow + 3-day stability rule.
Meilisearch's on-disk index format is NOT forward-compatible across
that range; wanderer-meilisearch went into CrashLoopBackOff with:

  Error: Your database version (1.11.3) is incompatible with your
  current engine version (1.45.2).

The PVC still holds the v1.11.x index, so the safest immediate recovery
is reverting the image tag. Wanderer's search starts working again the
moment the pod comes up on v1.11.3.

To prevent recurrence, add a packageRule that holds ALL meilisearch
updates behind the dashboard's "Pending Approval" checkbox via
`dependencyDashboardApproval: true`. PRs won't be opened until the
user explicitly approves them on the dashboard, so the version bump
can be planned around the documented dump/restore migration path
(https://www.meilisearch.com/docs/learn/update_and_migration/updating).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
2026-06-06 10:45:23 +02:00

390 lines
10 KiB
YAML
Raw Permalink Blame History

# Wanderer - Self-hosted trail manager
# https://github.com/Flomp/wanderer
# Version: v0.18.13
# Domain: wanderer.dooplex.hu
# Auth: OAuth configured via PocketBase admin UI
#
# wanderer uses PocketBase as its backend, which supports OAuth2/OIDC
# configured through the PocketBase admin panel.
#
# Setup steps after deployment:
# 1. Access PocketBase admin: https://wanderer.dooplex.hu/api/_/
# 2. Create admin account on first access
# 3. Go to Settings > Auth providers
# 4. Add OpenID Connect provider:
# - Client ID: from Authentik
# - Client Secret: from Authentik
# - Auth URL: https://authentik.dooplex.hu/application/o/authorize/
# - Token URL: https://authentik.dooplex.hu/application/o/token/
# - User info URL: https://authentik.dooplex.hu/application/o/userinfo/
#
# Authentik Setup:
# 1. Create OAuth2/OIDC Provider:
# - Name: wanderer
# - Client Type: Confidential
# - Redirect URIs: https://wanderer.dooplex.hu/api/oauth2-redirect
# - Scopes: openid, email, profile
# 2. Create Application linked to this provider
---
apiVersion: v1
kind: Namespace
metadata:
name: wanderer-system
labels:
app.kubernetes.io/name: wanderer
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: wanderer-meilisearch
namespace: wanderer-system
labels:
app.kubernetes.io/instance: wanderer
app.kubernetes.io/name: wanderer-meilisearch
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/instance: wanderer
app.kubernetes.io/name: wanderer-meilisearch
strategy:
type: Recreate
template:
metadata:
labels:
app.kubernetes.io/instance: wanderer
app.kubernetes.io/name: wanderer-meilisearch
spec:
containers:
- name: meilisearch
image: getmeili/meilisearch:v1.11.3
env:
- name: MEILI_MASTER_KEY
valueFrom:
secretKeyRef:
name: wanderer-app
key: meili-master-key
- name: MEILI_ENV
value: "production"
- name: MEILI_NO_ANALYTICS
value: "true"
ports:
- containerPort: 7700
name: http
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 500m
memory: 512Mi
volumeMounts:
- name: meili-data
mountPath: /meili_data
livenessProbe:
httpGet:
path: /health
port: http
initialDelaySeconds: 30
periodSeconds: 30
readinessProbe:
httpGet:
path: /health
port: http
initialDelaySeconds: 10
periodSeconds: 10
volumes:
- name: meili-data
persistentVolumeClaim:
claimName: wanderer-meilisearch
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: wanderer-db
namespace: wanderer-system
labels:
app.kubernetes.io/instance: wanderer
app.kubernetes.io/name: wanderer-db
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/instance: wanderer
app.kubernetes.io/name: wanderer-db
strategy:
type: Recreate
template:
metadata:
labels:
app.kubernetes.io/instance: wanderer
app.kubernetes.io/name: wanderer-db
spec:
containers:
- name: pocketbase
image: flomp/wanderer-db:v0.19.2
env:
- name: ORIGIN
value: "https://wanderer.dooplex.hu"
- name: MEILI_URL
value: "http://wanderer-meilisearch:7700"
- name: MEILI_MASTER_KEY
valueFrom:
secretKeyRef:
name: wanderer-app
key: meili-master-key
- name: POCKETBASE_ENCRYPTION_KEY
valueFrom:
secretKeyRef:
name: wanderer-app
key: pocketbase-encryption-key
ports:
- containerPort: 8090
name: http
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 500m
memory: 512Mi
volumeMounts:
- name: pb-data
mountPath: /pb_data
livenessProbe:
httpGet:
path: /api/health
port: http
initialDelaySeconds: 30
periodSeconds: 30
readinessProbe:
httpGet:
path: /api/health
port: http
initialDelaySeconds: 10
periodSeconds: 10
volumes:
- name: pb-data
persistentVolumeClaim:
claimName: wanderer-db
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: wanderer-web
namespace: wanderer-system
labels:
app.kubernetes.io/instance: wanderer
app.kubernetes.io/name: wanderer-web
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/instance: wanderer
app.kubernetes.io/name: wanderer-web
strategy:
type: Recreate
template:
metadata:
labels:
app.kubernetes.io/instance: wanderer
app.kubernetes.io/name: wanderer-web
spec:
containers:
- name: wanderer-web
image: flomp/wanderer-web:v0.19.2
env:
- name: NODE_TLS_REJECT_UNAUTHORIZED
value: "0"
- name: NODE_OPTIONS
value: "--max-old-space-size=7168"
- name: ORIGIN
value: "https://wanderer.dooplex.hu"
- name: POCKETBASE_URL
value: "http://wanderer-db:8090"
- name: PUBLIC_POCKETBASE_URL
value: "https://pb.wanderer.dooplex.hu"
- name: MEILI_URL
value: "http://wanderer-meilisearch:7700"
- name: MEILI_MASTER_KEY
valueFrom:
secretKeyRef:
name: wanderer-app
key: meili-master-key
- name: PUBLIC_DISABLE_SIGNUP
value: "true"
- name: BODY_SIZE_LIMIT
value: "Infinity"
ports:
- containerPort: 3000
name: http
resources:
requests:
cpu: 50m
memory: 64Mi
limits:
memory: 8Gi
readinessProbe:
tcpSocket:
port: 3000
initialDelaySeconds: 5
periodSeconds: 10
timeoutSeconds: 1
failureThreshold: 3
---
apiVersion: v1
kind: Service
metadata:
name: wanderer-meilisearch
namespace: wanderer-system
labels:
app.kubernetes.io/instance: wanderer
app.kubernetes.io/name: wanderer-meilisearch
spec:
type: ClusterIP
ports:
- name: http
port: 7700
targetPort: http
selector:
app.kubernetes.io/instance: wanderer
app.kubernetes.io/name: wanderer-meilisearch
---
apiVersion: v1
kind: Service
metadata:
name: wanderer-db
namespace: wanderer-system
labels:
app.kubernetes.io/instance: wanderer
app.kubernetes.io/name: wanderer-db
spec:
type: ClusterIP
ports:
- name: http
port: 8090
targetPort: http
selector:
app.kubernetes.io/instance: wanderer
app.kubernetes.io/name: wanderer-db
---
apiVersion: v1
kind: Service
metadata:
name: wanderer-web
namespace: wanderer-system
labels:
app.kubernetes.io/instance: wanderer
app.kubernetes.io/name: wanderer-web
spec:
type: ClusterIP
ports:
- name: http
port: 3000
targetPort: http
selector:
app.kubernetes.io/instance: wanderer
app.kubernetes.io/name: wanderer-web
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: wanderer-web
namespace: wanderer-system
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/proxy-body-size: "100m"
# optional, only if you actually use external-dns:
external-dns.alpha.kubernetes.io/hostname: wanderer.dooplex.hu
nginx.ingress.kubernetes.io/configuration-snippet: |
set $geo_allowed 0;
if ($remote_addr ~ "^192\.168\.") { set $geo_allowed 1; }
if ($remote_addr ~ "^10\.") { set $geo_allowed 1; }
if ($geoip2_country_code = "HU") { set $geo_allowed 1; }
if ($geo_allowed = 0) {
return 403 "Access restricted to Hungary";
}
spec:
ingressClassName: nginx-internal
tls:
- hosts:
- wanderer.dooplex.hu
secretName: wanderer-web-tls
rules:
- host: wanderer.dooplex.hu
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: wanderer-web
port:
number: 3000
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: wanderer-pocketbase
namespace: wanderer-system
annotations:
cert-manager.io/cluster-issuer: letsencrypt-prod
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/proxy-body-size: "100m"
# optional, only if you actually use external-dns:
external-dns.alpha.kubernetes.io/hostname: pb.wanderer.dooplex.hu
spec:
ingressClassName: nginx-internal
tls:
- hosts:
- pb.wanderer.dooplex.hu
secretName: wanderer-pb-tls
rules:
- host: pb.wanderer.dooplex.hu
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: wanderer-db
port:
number: 8090
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: wanderer-meilisearch
namespace: wanderer-system
labels:
app.kubernetes.io/instance: wanderer
app.kubernetes.io/name: wanderer-meilisearch
recurring-job-group.longhorn.io/needbackup: enabled
recurring-job.longhorn.io/source: enabled
spec:
accessModes:
- ReadWriteOnce
storageClassName: longhorn
resources:
requests:
storage: 5Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: wanderer-db
namespace: wanderer-system
labels:
app.kubernetes.io/instance: wanderer
app.kubernetes.io/name: wanderer-db
recurring-job-group.longhorn.io/needbackup: enabled
recurring-job.longhorn.io/source: enabled
spec:
accessModes:
- ReadWriteOnce
storageClassName: longhorn
resources:
requests:
storage: 5Gi
Reference in New Issue View Git Blame Copy Permalink