Mealie requires OIDC_CLIENT_SECRET even though its docs say "public
client with PKCE". The token exchange happens server-side in Mealie's
Python backend, so the secret never reaches the browser.
- Generate client secret, store in 1Password
- Add to Authentik external-secret and worker env
- Switch blueprint from public to confidential
- Add ExternalSecret for mealie namespace
- Update docs to reflect confidential client
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- mealie.md: fix storageClassName to standard, add auth/backup sections
- borgmatic.md: document k8s SQLite dump pattern and mealie entry
- federated-login.md: remove ArgoCD from future work (already done),
add mealie to related links
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
- Add before_backup hook to borgmatic: kubectl exec + python3 sqlite3
.backup to safely dump the database, then kubectl cp to host
- Include k8s-dumps directory in borgmatic source_directories
- Generic pattern: borgmatic_k8s_sqlite_dumps list in defaults
- Fix PVC storageClassName: standard (not local-path) on minikube
- Set container image tag to v3.12.0-5c5fd18 from CI build
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
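The before_backup hook in the commit above dumps the database with SQLite's online backup API (`.backup`) instead of copying the file out of the pod. As an added example that is not code from the repository or the commit, this Python script shows why that matters: the dump is taken from a WAL-mode database while another connection has an uncommitted insert, and it still contains exactly the committed rows. The table, paths and sample rows are constructed; in the commit the same API is driven by `python3` inside the pod through `kubectl exec`, not locally.

```python
import os
import sqlite3
import tempfile


def dump_sqlite(src_path: str, dst_path: str) -> str:
    """Consistent copy of the live DB via the SQLite online backup API (what the
    sqlite3 CLI's `.backup` uses). Pages are copied under a read transaction, so
    the dump is a point-in-time snapshot of committed data even under load.
    Returns the dump's PRAGMA integrity_check result ("ok" when sound)."""
    src = sqlite3.connect(src_path)
    dst = sqlite3.connect(dst_path)
    try:
        src.backup(dst)  # default pages=-1: whole database in one step
        return dst.execute("PRAGMA integrity_check").fetchone()[0]
    finally:
        dst.close()
        src.close()


def demo() -> tuple[int, str]:
    """Constructed scenario: WAL-mode DB with 3 committed rows and one insert
    still uncommitted when the dump is taken. Returns (rows in dump, status)."""
    with tempfile.TemporaryDirectory() as workdir:
        live = os.path.join(workdir, "mealie.db")  # stand-in for the app's DB
        dump = os.path.join(workdir, "mealie.db.bak")
        app = sqlite3.connect(live)
        app.execute("PRAGMA journal_mode=WAL")
        app.execute("CREATE TABLE recipes(id INTEGER PRIMARY KEY, name TEXT)")
        app.executemany("INSERT INTO recipes(name) VALUES (?)",
                        [("soup",), ("bread",), ("stew",)])
        app.commit()
        # Second connection mimics a request mid-transaction: not yet committed.
        writer = sqlite3.connect(live)
        writer.execute("INSERT INTO recipes(name) VALUES ('in-flight')")
        status = dump_sqlite(live, dump)  # taken while that write is pending
        writer.rollback()
        writer.close()
        app.close()
        snap = sqlite3.connect(dump)
        rows = snap.execute("SELECT count(*) FROM recipes").fetchone()[0]
        snap.close()
        return rows, status


if __name__ == "__main__":
    print(demo())  # (3, 'ok'): committed rows only, structurally sound
```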
Remove admins-only policy binding from Mealie app. Any authenticated
Authentik user can log in (account auto-created). Mealie's
OIDC_ADMIN_GROUP=admins handles admin privilege mapping internally.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Configure Mealie as a public PKCE client in Authentik. Mealie's OIDC
flow runs client-side (Vue.js SPA) so it uses PKCE instead of a
client_secret. No 1Password secret or ExternalSecret needed.
- Add mealie.yaml blueprint to Authentik configmap (public client, admins group)
- Add OIDC env vars to Mealie deployment
- Update service docs
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
Deploy Mealie on minikube-indri for meal planning and prep automation.
Built from source via forge mirror (mirrors/mealie) with multi-stage
Dockerfile: Node.js frontend + Python/uv backend. Includes ArgoCD app,
k8s manifests, Caddy proxy entry, and service documentation.
Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>