@vibesdotdev/infra-doks 0.0.1

package/src/implementations/gitea.impl.ts

@@ -0,0 +1,319 @@
+/**
+ * Implementation: infra/git-hosting -> gitea-doks
+ *
+ * Generates K8s manifests for a Gitea git hosting service on DOKS.
+ */
+import { createHash } from 'node:crypto';
+import * as z from 'zod/v4';
+import { createRuntimeImplementation } from '@vibesdotdev/runtime';
+import { GiteaDoksGitHostingConfigSchema, GitHostingTypeSchema } from '@vibesdotdev/infra-core/kinds';
+import { loadGiteaThemeAssets } from '@vibesdotdev/registry-theme';
+import type { K8sDeployment, K8sService } from '../types.ts';
+
+export const GiteaDoksDescriptorSchema = z.object({
+	kind: z.literal('infra/git-hosting'),
+	id: z.string().min(1),
+	name: z.string().optional(),
+	description: z.string().optional(),
+	url: z.string().url(),
+	hostname: z.string().min(1),
+	type: GitHostingTypeSchema,
+	storagePath: z.string().min(1).default('/data'),
+	authMethod: z.enum(['local', 'oauth', 'token']).default('token'),
+	ssl: z.boolean().default(true),
+	env: z.array(z.object({
+		name: z.string().regex(/^[_A-Z0-9]+$/),
+		public: z.boolean().default(false),
+		required: z.boolean().default(true),
+		value: z.string().optional(),
+		secret: z.boolean().default(false),
+		description: z.string().optional(),
+		storeKey: z.string().min(1).optional()
+	})).optional(),
+	config: GiteaDoksGitHostingConfigSchema.extend({
+		adapter: z.literal('gitea-doks')
+	})
+});
+
+export type GiteaDoksDescriptorInput = z.input<typeof GiteaDoksDescriptorSchema>;
+export type GiteaDoksDescriptor = z.infer<typeof GiteaDoksDescriptorSchema>;
+
+export interface GiteaManifest {
+	deployment: K8sDeployment;
+	service: K8sService;
+	pvc: { apiVersion: string; kind: string; metadata: Record<string, unknown>; spec: Record<string, unknown> };
+	themeConfigMap: { apiVersion: string; kind: string; metadata: Record<string, unknown>; data: Record<string, string> };
+	ingress: { apiVersion: string; kind: string; metadata: Record<string, unknown>; spec: Record<string, unknown> };
+}
+
+/**
+ * ConfigMap keys → relative paths under the staging mount. The install-theme
+ * initContainer copies these into the PVC's gitea/custom/ tree where Gitea
+ * picks them up at runtime. Keys are dot-separated because K8s ConfigMap keys
+ * cannot contain slashes; the volume `items[].path` translation produces the
+ * final on-disk layout.
+ */
+const THEME_FILES: Readonly<Record<string, string>> = {
+	'public.css.vibes-tokens.css': 'public/css/vibes-tokens.css',
+	'public.css.vibes-overlay.css': 'public/css/vibes-overlay.css',
+	'public.img.logo.svg': 'public/img/logo.svg',
+	'public.img.favicon.svg': 'public/img/favicon.svg',
+	'templates.custom.header.tmpl': 'templates/custom/header.tmpl',
+	'templates.custom.body_outer_pre.tmpl': 'templates/custom/body_outer_pre.tmpl',
+	'templates.custom.extra_links_footer.tmpl': 'templates/custom/extra_links_footer.tmpl',
+	// home.tmpl REPLACES the stock home page (not under custom/) — go-template
+	// resolution checks templates/home.tmpl first, then falls back to embedded.
+	'templates.home.tmpl': 'templates/home.tmpl',
+	// head_navbar.tmpl REPLACES the stock <nav id="navbar">. We render the
+	// vibes-brand-bar inline here instead of duplicating chrome via body_outer_pre.
+	'templates.base.head_navbar.tmpl': 'templates/base/head_navbar.tmpl'
+};
+
+const ELEMENTS_KEY = 'public.js.elements.js';
+const ELEMENTS_PATH = 'public/js/elements.js';
+
+export function generateGiteaManifest(input: GiteaDoksDescriptorInput): GiteaManifest {
+	const d = GiteaDoksDescriptorSchema.parse(input);
+	const ns = 'vibes';
+	const name = `vibes-${d.id}`;
+	const pvcName = `${name}-data`;
+	const themeCmName = `${name}-theme`;
+	const themeStagingPath = '/etc/gitea-theme';
+	// The official gitea/gitea image sets GITEA_CUSTOM=${GITEA_WORK_DIR}, where
+	// GITEA_WORK_DIR defaults to /data/gitea (NOT /data/gitea/custom). So
+	// custom templates and static assets live directly under /data/gitea/.
+	const giteaCustomPath = `${d.storagePath}/gitea`;
+	const cfg = d.config!;
+	const port = cfg.httpPort;
+	const secretName = 'gitea-secrets';
+
+	const themeAssets = loadGiteaThemeAssets();
+	const themeData: Record<string, string> = {
+		'public.css.vibes-tokens.css': themeAssets.tokensCss,
+		'public.css.vibes-overlay.css': themeAssets.overlayCss,
+		'public.img.logo.svg': themeAssets.logoSvg,
+		'public.img.favicon.svg': themeAssets.faviconSvg,
+		'templates.custom.header.tmpl': themeAssets.headerTmpl,
+		'templates.custom.body_outer_pre.tmpl': themeAssets.bodyOuterPreTmpl,
+		'templates.custom.extra_links_footer.tmpl': themeAssets.extraLinksFooterTmpl,
+		'templates.home.tmpl': themeAssets.homeTmpl,
+		'templates.base.head_navbar.tmpl': themeAssets.headNavbarTmpl
+	};
+	const themeItems = Object.entries(THEME_FILES).map(([key, path]) => ({ key, path }));
+	if (themeAssets.elementsBundle) {
+		themeData[ELEMENTS_KEY] = themeAssets.elementsBundle;
+		themeItems.push({ key: ELEMENTS_KEY, path: ELEMENTS_PATH });
+	}
+	// Hash of theme content so any change causes a rollout (otherwise a
+	// ConfigMap-only diff leaves pods with stale assets in their PVC).
+	const themeChecksum = createHash('sha256')
+		.update(Object.entries(themeData).sort().map(([k, v]) => `${k}:${v}`).join('\n'))
+		.digest('hex')
+		.slice(0, 16);
+
+	// NOTE: the previous Gitea bootstrap container has been removed. It tried to
+	// curl localhost:3000 from inside an *init* container — but Gitea hadn't
+	// started yet (init containers run first), so it could never have worked.
+	// Admin user creation and OAuth provider registration should run as a
+	// separate Job (or via `gitea admin user create` exec) post-Ready.
+
+	const deployment: K8sDeployment = {
+		apiVersion: 'apps/v1',
+		kind: 'Deployment',
+		metadata: {
+			name,
+			namespace: ns,
+			labels: { app: d.id, 'app.kubernetes.io/part-of': 'vibes' },
+			annotations: {
+				'secrets.hashicorp.com/rollout-restart': 'true'
+			}
+		},
+		spec: {
+			replicas: 1,
+			// PVC is ReadWriteOnce — RollingUpdate would Multi-Attach-deadlock.
+			// Recreate stops the old pod, then starts the new one with the freed volume.
+			strategy: { type: 'Recreate' },
+			selector: { matchLabels: { app: d.id } },
+			template: {
+				metadata: {
+					labels: { app: d.id },
+					annotations: { 'vibes.dev/theme-checksum': themeChecksum }
+				},
+				spec: {
+					initContainers: [
+						{
+							name: 'chown',
+							image: 'busybox:1.36',
+							command: ['sh', '-c', `chown -R 1000:1000 ${d.storagePath}`],
+							volumeMounts: [{ name: 'data', mountPath: d.storagePath }],
+							resources: { requests: { cpu: '50m', memory: '32Mi' }, limits: { memory: '128Mi' } }
+						},
+						{
+							name: 'install-theme',
+							image: 'busybox:1.36',
+							command: ['sh', '-c', [
+								// Gitea v1.21 expects custom static assets under `public/assets/<type>/`
+								// (NOT `public/<type>/` — that's a legacy layout it now rejects).
+								`mkdir -p ${giteaCustomPath}/public/assets/css`,
+								`mkdir -p ${giteaCustomPath}/public/assets/img`,
+								`mkdir -p ${giteaCustomPath}/public/assets/js`,
+								`mkdir -p ${giteaCustomPath}/templates/custom`,
+								// Versioned filenames (.v5.) sidestep Cloudflare negative-cache on the unversioned URLs.
+								// Bump the version when bytes change to invalidate browser/edge caches.
+								`cp -f ${themeStagingPath}/public/css/vibes-tokens.css ${giteaCustomPath}/public/assets/css/vibes-tokens.v5.css`,
+								`cp -f ${themeStagingPath}/public/css/vibes-overlay.css ${giteaCustomPath}/public/assets/css/vibes-overlay.v5.css`,
+								`cp -f ${themeStagingPath}/public/img/logo.svg ${giteaCustomPath}/public/assets/img/logo.v5.svg`,
+								`cp -f ${themeStagingPath}/public/img/favicon.svg ${giteaCustomPath}/public/assets/img/favicon.v5.svg`,
+								`cp -f ${themeStagingPath}/templates/custom/header.tmpl ${giteaCustomPath}/templates/custom/header.tmpl`,
+								`cp -f ${themeStagingPath}/templates/custom/body_outer_pre.tmpl ${giteaCustomPath}/templates/custom/body_outer_pre.tmpl`,
+								`cp -f ${themeStagingPath}/templates/custom/extra_links_footer.tmpl ${giteaCustomPath}/templates/custom/extra_links_footer.tmpl`,
+								`cp -f ${themeStagingPath}/templates/home.tmpl ${giteaCustomPath}/templates/home.tmpl`,
+								`mkdir -p ${giteaCustomPath}/templates/base`,
+								`cp -f ${themeStagingPath}/templates/base/head_navbar.tmpl ${giteaCustomPath}/templates/base/head_navbar.tmpl`,
+								// elements.js is optional — copy only if the staging volume includes it (i.e. the @vibesdotdev/elements bundle was built before manifest generation).
+								`if [ -f ${themeStagingPath}/public/js/elements.js ]; then cp -f ${themeStagingPath}/public/js/elements.js ${giteaCustomPath}/public/assets/js/elements.v5.js; fi`,
+								// Clean up files from the previous wrong layouts so they don't confuse Gitea's legacy detection.
+								`rm -rf ${giteaCustomPath}/public/css ${giteaCustomPath}/public/img ${giteaCustomPath}/public/js ${giteaCustomPath}/custom 2>/dev/null || true`,
+								// Update APP_NAME in app.ini directly. Gitea v1.21 doesn't have
+								// `environment-to-ini`, so GITEA__DEFAULT__APP_NAME never reaches
+								// the running config. sed is idempotent: if the line already
+								// matches we no-op.
+								`if [ -f ${giteaCustomPath}/conf/app.ini ]; then sed -i 's|^APP_NAME = .*$|APP_NAME = Vibes Git|' ${giteaCustomPath}/conf/app.ini || true; fi`,
+								`chown -R 1000:1000 ${giteaCustomPath}`,
+								'echo "vibes theme installed"'
+							].join(' && ')],
+							volumeMounts: [
+								{ name: 'data', mountPath: d.storagePath },
+								{ name: 'theme', mountPath: themeStagingPath, readOnly: true }
+							],
+							resources: { requests: { cpu: '50m', memory: '32Mi' }, limits: { memory: '128Mi' } }
+						}
+					],
+					containers: [{
+						name: d.id,
+						image: cfg.dockerImage,
+						ports: [
+							{ name: 'http', containerPort: port },
+							{ name: 'ssh', containerPort: cfg.sshPort, protocol: 'TCP' }
+						],
+						envFrom: [{ secretRef: { name: secretName } }],
+						env: [
+							{ name: 'USER_UID', value: '1000' },
+							{ name: 'USER_GID', value: '1000' },
+							{ name: 'GITEA__server__PROTOCOL', value: 'http' },
+							{ name: 'GITEA__server__DOMAIN', value: cfg.domain },
+							{ name: 'GITEA__server__ROOT_URL', value: `https://${cfg.domain}` },
+							{ name: 'GITEA__server__HTTP_PORT', value: String(port) },
+							{ name: 'GITEA__server__SSH_PORT', value: String(cfg.sshPort) },
+							{ name: 'GITEA__DEFAULT__APP_NAME', value: 'Vibes Git' },
+							{ name: 'GITEA__ui__THEMES', value: 'auto,gitea,arc-green' },
+							{ name: 'GITEA__ui__DEFAULT_THEME', value: 'auto' },
+							{ name: 'GITEA__security__INSTALL_LOCK', value: 'true' },
+							{ name: 'GITEA__oauth2__CLIENT_ID', valueFrom: { secretKeyRef: { name: secretName, key: 'oauth2-client-id' } } },
+							{ name: 'GITEA__oauth2__CLIENT_SECRET', valueFrom: { secretKeyRef: { name: secretName, key: 'oauth2-client-secret' } } },
+							{ name: 'GITEA__security__JWT_SECRET', valueFrom: { secretKeyRef: { name: secretName, key: 'jwt-secret' } } },
+							{ name: 'GITEA__mailer__FROM', valueFrom: { secretKeyRef: { name: 'shared-secrets', key: 'smtp-from' } } },
+							{ name: 'GITEA__mailer__PASSWD', valueFrom: { secretKeyRef: { name: secretName, key: 'smtp-password' } } }
+						],
+						volumeMounts: [{ name: 'data', mountPath: d.storagePath }],
+						livenessProbe: {
+							httpGet: { path: '/', port },
+							initialDelaySeconds: 60,
+							periodSeconds: 30
+						},
+						readinessProbe: {
+							httpGet: { path: '/api/healthz', port },
+							periodSeconds: 10
+						},
+						resources: {
+							requests: { cpu: '100m', memory: '128Mi' },
+							limits: { cpu: '1', memory: '1Gi' }
+						}
+					}],
+					volumes: [
+						{ name: 'data', persistentVolumeClaim: { claimName: pvcName } },
+						{
+							name: 'theme',
+							configMap: {
+								name: themeCmName,
+								items: themeItems
+							}
+						}
+					]
+				}
+			}
+		}
+	};
+
+	const service: K8sService = {
+		apiVersion: 'v1',
+		kind: 'Service',
+		metadata: { name, namespace: ns },
+		spec: {
+			type: 'ClusterIP',
+			selector: { app: d.id },
+			ports: [
+				{ name: 'http', port, targetPort: port },
+				{ name: 'ssh', port: cfg.sshPort, targetPort: cfg.sshPort }
+			]
+		}
+	};
+
+	const pvc = {
+		apiVersion: 'v1',
+		kind: 'PersistentVolumeClaim',
+		metadata: { name: pvcName, namespace: ns, labels: { app: d.id } },
+		spec: {
+			accessModes: ['ReadWriteOnce'],
+			resources: { requests: { storage: `${cfg.volumeSizeGb}Gi` } }
+		}
+	};
+
+	const themeConfigMap = {
+		apiVersion: 'v1',
+		kind: 'ConfigMap',
+		metadata: { name: themeCmName, namespace: ns, labels: { app: d.id } },
+		data: themeData
+	};
+
+	const ingress = {
+		apiVersion: 'networking.k8s.io/v1',
+		kind: 'Ingress',
+		metadata: {
+			name,
+			namespace: ns,
+			labels: { app: d.id },
+			annotations: {
+				'cert-manager.io/cluster-issuer': 'letsencrypt-prod',
+				'nginx.ingress.kubernetes.io/proxy-body-size': '100m'
+			}
+		},
+		spec: {
+			tls: [{ hosts: [cfg.domain], secretName: `${name}-tls` }],
+			rules: [{
+				host: cfg.domain,
+				http: {
+					paths: [{
+						path: '/',
+						pathType: 'Prefix' as const,
+						backend: { service: { name, port: { number: port } } }
+					}]
+				}
+			}]
+		}
+	};
+
+	return { deployment, service, pvc, themeConfigMap, ingress };
+}
+
+export function createGiteaImpl(input: GiteaDoksDescriptorInput) {
+	const descriptor = GiteaDoksDescriptorSchema.parse(input);
+	return createRuntimeImplementation({
+		id: 'gitea-doks',
+		kind: 'infra/git-hosting',
+		priority: 20,
+		implementation: {
+			generateConfig: () => generateGiteaManifest(descriptor)
+		}
+	});
+}

package/src/implementations/managed-db.impl.ts

@@ -0,0 +1,37 @@
+/**
+ * Implementation: infra/database -> do-managed-postgres
+ *
+ * Generates a DigitalOcean API-compatible managed database specification.
+ */
+
+import * as z from 'zod/v4';
+import { DOManagedPostgresConfigSchema } from '@vibesdotdev/infra-core/kinds';
+import type { DOManagedDBSpec } from '../types.ts';
+
+export const DOManagedPostgresDescriptorSchema = z.object({
+	kind: z.literal('infra/database'),
+	id: z.string().min(1),
+	name: z.string().optional(),
+	description: z.string().optional(),
+	engine: z.literal('postgres'),
+	replicas: z.number().int().nonnegative().default(0),
+	config: DOManagedPostgresConfigSchema.extend({
+		adapter: z.literal('do-managed-postgres')
+	})
+});
+
+export type DOManagedPostgresDescriptorInput = z.input<typeof DOManagedPostgresDescriptorSchema>;
+export type DOManagedPostgresDescriptor = z.infer<typeof DOManagedPostgresDescriptorSchema>;
+
+export function generateDOManagedDB(descriptor: DOManagedPostgresDescriptor): DOManagedDBSpec {
+	const parsed = DOManagedPostgresDescriptorSchema.parse(descriptor);
+	const cfg = parsed.config!;
+	return {
+		name: `vibes-${parsed.id}`,
+		engine: 'pg',
+		version: cfg.version,
+		size: cfg.size,
+		region: cfg.region,
+		num_nodes: (parsed.replicas ?? 0) + 1
+	};
+}

package/src/implementations/managed-redis.impl.ts

@@ -0,0 +1,49 @@
+/**
+ * Implementation: infra/cache -> do-managed-redis
+ *
+ * Generates a DigitalOcean API-compatible managed Redis specification.
+ */
+
+import * as z from 'zod/v4';
+import { DOManagedRedisConfigSchema } from '@vibesdotdev/infra-core/kinds';
+import type { DOManagedRedisSpec } from '../types.ts';
+
+const EVICTION_POLICY_MAP: Record<string, string> = {
+	lru: 'allkeys-lru',
+	lfu: 'allkeys-lfu',
+	ttl: 'volatile-ttl'
+};
+
+export const DOManagedRedisDescriptorSchema = z.object({
+	kind: z.literal('infra/cache'),
+	id: z.string().min(1),
+	name: z.string().optional(),
+	description: z.string().optional(),
+	engine: z.literal('redis'),
+	maxMemory: z.string().min(1).optional(),
+	eviction: z.enum(['lru', 'lfu', 'ttl']).optional(),
+	config: DOManagedRedisConfigSchema.extend({
+		adapter: z.literal('do-managed-redis')
+	})
+});
+
+export type DOManagedRedisDescriptorInput = z.input<typeof DOManagedRedisDescriptorSchema>;
+export type DOManagedRedisDescriptor = z.infer<typeof DOManagedRedisDescriptorSchema>;
+
+export function generateDOManagedRedis(descriptor: DOManagedRedisDescriptor): DOManagedRedisSpec {
+	const parsed = DOManagedRedisDescriptorSchema.parse(descriptor);
+	const cfg = parsed.config!;
+	const size =
+		cfg.size ??
+		(parsed.maxMemory ? `db-s-1vcpu-${parsed.maxMemory}` : 'db-s-1vcpu-1gb');
+
+	return {
+		name: `vibes-${parsed.id}`,
+		engine: 'redis',
+		version: cfg.version,
+		size,
+		region: cfg.region,
+		num_nodes: cfg.numNodes,
+		eviction_policy: cfg.eviction ? EVICTION_POLICY_MAP[cfg.eviction] : undefined
+	};
+}

package/src/implementations/spaces.impl.ts

@@ -0,0 +1,52 @@
+/**
+ * Implementation: infra/object-storage -> do-spaces
+ *
+ * Generates a DigitalOcean Spaces specification.
+ */
+
+import * as z from 'zod/v4';
+import {
+	DOSpacesConfigSchema,
+	CorsRuleSchema,
+	LifecycleRuleSchema
+} from '@vibesdotdev/infra-core/kinds';
+import type { DOSpacesSpec } from '../types.ts';
+
+export const DOSpacesDescriptorSchema = z.object({
+	kind: z.literal('infra/object-storage'),
+	id: z.string().min(1),
+	name: z.string().optional(),
+	description: z.string().optional(),
+	publicAccess: z.boolean().default(false),
+	cors: z.array(CorsRuleSchema).optional(),
+	lifecycle: z
+		.array(
+			LifecycleRuleSchema
+		)
+		.optional(),
+	config: DOSpacesConfigSchema.extend({
+		adapter: z.literal('do-spaces')
+	})
+});
+
+export type DOSpacesDescriptorInput = z.input<typeof DOSpacesDescriptorSchema>;
+export type DOSpacesDescriptor = z.infer<typeof DOSpacesDescriptorSchema>;
+
+export function generateDOSpaces(descriptor: DOSpacesDescriptor): DOSpacesSpec {
+	const parsed = DOSpacesDescriptorSchema.parse(descriptor);
+	return {
+		name: `vibes-${parsed.id}`,
+		region: parsed.config?.region ?? 'nyc3',
+		acl: parsed.publicAccess ? 'public-read' : 'private',
+		cors_rules: parsed.cors?.map((rule) => ({
+			allowed_origins: rule.allowedOrigins,
+			allowed_methods: rule.allowedMethods,
+			allowed_headers: rule.allowedHeaders,
+			max_age_seconds: rule.maxAgeSeconds
+		})),
+		lifecycle_rules: parsed.lifecycle?.map((rule) => ({
+			prefix: rule.prefix,
+			expiration_days: rule.expiration
+		}))
+	};
+}

package/src/implementations/statefulset.impl.ts

@@ -0,0 +1,186 @@
+/**
+ * Implementation: infra/queue (Kafka/Redpanda) and infra/database (self-hosted PG)
+ * when adapter is 'doks-statefulset'.
+ *
+ * Generates a K8s StatefulSet with PersistentVolumeClaim templates.
+ */
+
+import * as z from 'zod/v4';
+import {
+	DoksQueueConfigSchema,
+	DoksDatabaseConfigSchema
+} from '@vibesdotdev/infra-core/kinds';
+import type { K8sStatefulSet } from '../types.ts';
+
+export const DoksQueueDescriptorSchema = z.object({
+	kind: z.literal('infra/queue'),
+	id: z.string().min(1),
+	name: z.string().optional(),
+	description: z.string().optional(),
+	engine: z.enum(['redpanda', 'kafka']),
+	config: DoksQueueConfigSchema.extend({
+		adapter: z.literal('doks-statefulset')
+	})
+});
+
+export type DoksQueueDescriptorInput = z.input<typeof DoksQueueDescriptorSchema>;
+export type DoksQueueDescriptor = z.infer<typeof DoksQueueDescriptorSchema>;
+
+export const DoksDatabaseDescriptorSchema = z.object({
+	kind: z.literal('infra/database'),
+	id: z.string().min(1),
+	name: z.string().optional(),
+	description: z.string().optional(),
+	engine: z.literal('postgres'),
+	replicas: z.number().int().nonnegative().default(0),
+	config: DoksDatabaseConfigSchema.extend({
+		adapter: z.literal('doks-statefulset')
+	})
+});
+
+export type DoksDatabaseDescriptorInput = z.input<typeof DoksDatabaseDescriptorSchema>;
+export type DoksDatabaseDescriptor = z.infer<typeof DoksDatabaseDescriptorSchema>;
+
+type QueueOrDatabaseDescriptor = DoksQueueDescriptor | DoksDatabaseDescriptor;
+
+export function generateK8sStatefulSet(descriptor: QueueOrDatabaseDescriptor): K8sStatefulSet {
+	if (descriptor.kind === 'infra/queue') {
+		return generateQueueStatefulSet(descriptor as DoksQueueDescriptor);
+	}
+	return generateDatabaseStatefulSet(descriptor as DoksDatabaseDescriptor);
+}
+
+function generateQueueStatefulSet(descriptor: DoksQueueDescriptor): K8sStatefulSet {
+	const parsed = DoksQueueDescriptorSchema.parse(descriptor);
+	const image =
+		parsed.engine === 'redpanda'
+			? 'vectorized/redpanda:latest'
+			: 'confluentinc/cp-kafka:latest';
+
+	const port = 9092;
+	const namespace = parsed.config?.namespace ?? 'vibes';
+	const storageSize = parsed.config?.storageSize ?? '10Gi';
+	const defaultRequests = { cpu: '250m', memory: '512Mi' };
+	const defaultLimits = { cpu: '1', memory: '1Gi' };
+
+	return {
+		apiVersion: 'apps/v1',
+		kind: 'StatefulSet',
+		metadata: {
+			name: `vibes-${parsed.id}`,
+			namespace,
+			labels: { app: parsed.id, 'app.kubernetes.io/part-of': 'vibes' }
+		},
+		spec: {
+			serviceName: `vibes-${parsed.id}`,
+			replicas: 1,
+			selector: { matchLabels: { app: parsed.id } },
+			template: {
+				metadata: { labels: { app: parsed.id } },
+				spec: {
+					containers: [
+						{
+							name: parsed.id,
+							image,
+							ports: [{ name: 'kafka', containerPort: port, protocol: 'TCP' }],
+							resources: {
+								requests: parsed.config?.resources?.requests ?? defaultRequests,
+								limits: parsed.config?.resources?.limits ?? defaultLimits
+							},
+							volumeMounts: [{ name: 'data', mountPath: '/var/lib/data' }],
+							livenessProbe: {
+								tcpSocket: { port },
+								periodSeconds: 30
+							},
+							readinessProbe: {
+								tcpSocket: { port },
+								periodSeconds: 10
+							}
+						}
+					]
+				}
+			},
+			volumeClaimTemplates: [
+				{
+					metadata: { name: 'data' },
+					spec: {
+						accessModes: ['ReadWriteOnce'],
+						resources: { requests: { storage: storageSize } }
+					}
+				}
+			]
+		}
+	};
+}
+
+function generateDatabaseStatefulSet(descriptor: DoksDatabaseDescriptor): K8sStatefulSet {
+	const parsed = DoksDatabaseDescriptorSchema.parse(descriptor);
+	const storageSize = parsed.config?.storageSize ?? '10Gi';
+	const namespace = parsed.config?.namespace ?? 'vibes';
+	const totalReplicas = parsed.replicas + 1;
+	const version = parsed.config?.version ?? '16-alpine';
+	const image = `postgres:${version}`;
+	const defaultRequests = { cpu: '250m', memory: '256Mi' };
+	const defaultLimits = { cpu: '1', memory: '1Gi' };
+
+	return {
+		apiVersion: 'apps/v1',
+		kind: 'StatefulSet',
+		metadata: {
+			name: `vibes-${parsed.id}`,
+			namespace,
+			labels: { app: parsed.id, 'app.kubernetes.io/part-of': 'vibes' }
+		},
+		spec: {
+			serviceName: `vibes-${parsed.id}`,
+			replicas: totalReplicas,
+			selector: { matchLabels: { app: parsed.id } },
+			template: {
+				metadata: { labels: { app: parsed.id } },
+				spec: {
+					containers: [
+						{
+							name: parsed.id,
+							image,
+							ports: [{ name: 'postgres', containerPort: 5432, protocol: 'TCP' }],
+							env: [
+								{ name: 'POSTGRES_DB', value: `vibes_${parsed.id}` },
+								{
+									name: 'POSTGRES_PASSWORD',
+									valueFrom: {
+										secretKeyRef: {
+											name: `vibes-${parsed.id}-credentials`,
+											key: 'password'
+										}
+									}
+								}
+							],
+							resources: {
+								requests: parsed.config?.resources?.requests ?? defaultRequests,
+								limits: parsed.config?.resources?.limits ?? defaultLimits
+							},
+							volumeMounts: [{ name: 'pgdata', mountPath: '/var/lib/postgresql/data' }],
+							livenessProbe: {
+								exec: { command: ['pg_isready', '-U', 'postgres'] },
+								periodSeconds: 30
+							},
+							readinessProbe: {
+								exec: { command: ['pg_isready', '-U', 'postgres'] },
+								periodSeconds: 10
+							}
+						}
+					]
+				}
+			},
+			volumeClaimTemplates: [
+				{
+					metadata: { name: 'pgdata' },
+					spec: {
+						accessModes: ['ReadWriteOnce'],
+						resources: { requests: { storage: storageSize } }
+					}
+				}
+			]
+		}
+	};
+}