feat(deploy): Datasette analytics sidecar + analytics.aleshym.co ingress

Adds a Datasette container alongside the existing server in the same pod so
it can read the SQLite PVC without a second ReadWriteOnce mount. Protected
by a Traefik BasicAuth middleware at analytics.aleshym.co.

Also fixes the ArgoCD repoURL to point to the migrated Gitea hostname
(git.aleshym.co) instead of the old bare IP.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>

argocd/application.yaml

@@ -6,7 +6,7 @@ metadata:
 spec:
   project: default
   source:
-    repoURL: http://10.10.0.64:3000/funman300/Rusty_Solitare.git
+    repoURL: https://git.aleshym.co/funman300/Rusty_Solitare.git
     targetRevision: master
     path: deploy
   destination:

deploy/deployment.yaml

@@ -19,6 +19,47 @@ spec:
       imagePullSecrets:
         - name: gitea-registry
       containers:
+        - name: analytics
+          image: datasetteproject/datasette:0.65.1
+          args:
+            - serve
+            - /data/sol.db
+            - --host
+            - "0.0.0.0"
+            - --port
+            - "8001"
+            - --readonly
+            - --setting
+            - sql_time_limit_ms
+            - "5000"
+            - --setting
+            - max_returned_rows
+            - "1000"
+          ports:
+            - containerPort: 8001
+          volumeMounts:
+            - name: db-data
+              mountPath: /data
+              readOnly: true
+          livenessProbe:
+            httpGet:
+              path: /-/alive
+              port: 8001
+            initialDelaySeconds: 10
+            periodSeconds: 30
+          readinessProbe:
+            httpGet:
+              path: /-/alive
+              port: 8001
+            initialDelaySeconds: 5
+            periodSeconds: 10
+          resources:
+            requests:
+              cpu: 25m
+              memory: 48Mi
+            limits:
+              cpu: 200m
+              memory: 128Mi
         - name: server
           image: solitaire-server
           imagePullPolicy: Always

deploy/ingress-analytics.yaml

@@ -0,0 +1,26 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: solitaire-analytics
+  namespace: solitaire
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+    traefik.ingress.kubernetes.io/router.entrypoints: websecure
+    traefik.ingress.kubernetes.io/router.middlewares: solitaire-analytics-auth@kubernetescrd
+spec:
+  ingressClassName: traefik
+  rules:
+    - host: analytics.aleshym.co
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: solitaire-server
+                port:
+                  name: analytics
+  tls:
+    - hosts:
+        - analytics.aleshym.co
+      secretName: analytics-tls

deploy/kustomization.yaml

@@ -7,6 +7,9 @@ resources:
 - deployment.yaml
 - service.yaml
 - ingress.yaml
+- middleware-analytics-auth.yaml
+- secret-analytics-auth.yaml
+- ingress-analytics.yaml
 
 # CI updates this block automatically via `kustomize edit set image`.
 # The image name here matches the `image: solitaire-server` stub in deployment.yaml.

deploy/middleware-analytics-auth.yaml

@@ -0,0 +1,8 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: analytics-auth
+  namespace: solitaire
+spec:
+  basicAuth:
+    secret: analytics-auth-secret

deploy/service.yaml

@@ -10,3 +10,6 @@ spec:
     - name: http
       port: 80
       targetPort: 8080
+    - name: analytics
+      port: 8001
+      targetPort: 8001