feat: scaffold agentmon services and k8s deploy

Adds Go microservices (ingest-gateway, event-processor, query-api, web-ui), NATS+Postgres wiring, initial schema/init job, ingress manifests for LAN+tailnet, and a multi-arch image build script.

deploy/k8s/base/agentmon.yaml

@@ -0,0 +1,155 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: ingest-gateway
+  namespace: agentmon
+spec:
+  selector:
+    app: ingest-gateway
+  ports:
+    - name: http
+      port: 80
+      targetPort: 8080
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: ingest-gateway
+  namespace: agentmon
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: ingest-gateway
+  template:
+    metadata:
+      labels:
+        app: ingest-gateway
+    spec:
+      imagePullSecrets:
+        - name: gitea-regcred
+      containers:
+        - name: ingest-gateway
+          image: gitea-http.taildb3494.ts.net/will/agentmon/ingest-gateway:dev-20260117-0832
+          env:
+            - name: AGENTMON_ADDR
+              value: ":8080"
+            - name: NATS_URL
+              value: "nats://nats:4222"
+            - name: NATS_TOPIC
+              value: "agentmon.events.v1"
+          ports:
+            - containerPort: 8080
+              name: http
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: event-processor
+  namespace: agentmon
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: event-processor
+  template:
+    metadata:
+      labels:
+        app: event-processor
+    spec:
+      imagePullSecrets:
+        - name: gitea-regcred
+      containers:
+        - name: event-processor
+          image: gitea-http.taildb3494.ts.net/will/agentmon/event-processor:dev-20260117-0832
+          env:
+            - name: DATABASE_URL
+              value: "postgres://agentmon:agentmon@postgres:5432/agentmon?sslmode=disable"
+            - name: NATS_URL
+              value: "nats://nats:4222"
+            - name: NATS_TOPIC
+              value: "agentmon.events.v1"
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: query-api
+  namespace: agentmon
+spec:
+  selector:
+    app: query-api
+  ports:
+    - name: http
+      port: 80
+      targetPort: 8081
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: query-api
+  namespace: agentmon
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: query-api
+  template:
+    metadata:
+      labels:
+        app: query-api
+    spec:
+      imagePullSecrets:
+        - name: gitea-regcred
+      containers:
+        - name: query-api
+          image: gitea-http.taildb3494.ts.net/will/agentmon/query-api:dev-20260117-0832
+          env:
+            - name: AGENTMON_QUERY_ADDR
+              value: ":8081"
+            - name: DATABASE_URL
+              value: "postgres://agentmon:agentmon@postgres:5432/agentmon?sslmode=disable"
+          ports:
+            - containerPort: 8081
+              name: http
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: web-ui
+  namespace: agentmon
+spec:
+  selector:
+    app: web-ui
+  ports:
+    - name: http
+      port: 80
+      targetPort: 8082
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: web-ui
+  namespace: agentmon
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: web-ui
+  template:
+    metadata:
+      labels:
+        app: web-ui
+    spec:
+      imagePullSecrets:
+        - name: gitea-regcred
+      containers:
+        - name: web-ui
+          image: gitea-http.taildb3494.ts.net/will/agentmon/web-ui:dev-20260117-0832
+          env:
+            - name: AGENTMON_UI_ADDR
+              value: ":8082"
+            - name: AGENTMON_QUERY_BASE
+              value: "http://query-api"
+          ports:
+            - containerPort: 8082
+              name: http

deploy/k8s/base/db/postgres-init-job.yaml

@@ -0,0 +1,58 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: postgres-init-sql
+  namespace: agentmon
+data:
+  init.sql: |
+    -- applied by init job
+    create table if not exists events (
+      event_id text primary key,
+      ts timestamptz not null,
+      type text not null,
+      session_id text null,
+      run_id text null,
+      trace_id text null,
+      span_id text null,
+      parent_span_id text null,
+      source_framework text null,
+      client_id text null,
+      payload jsonb not null
+    );
+
+    create index if not exists events_ts_idx on events (ts);
+    create index if not exists events_session_idx on events (session_id);
+    create index if not exists events_run_idx on events (run_id);
+    create index if not exists events_type_ts_idx on events (type, ts);
+---
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: postgres-init
+  namespace: agentmon
+spec:
+  template:
+    spec:
+      restartPolicy: OnFailure
+      containers:
+        - name: psql
+          image: postgres:16
+          env:
+            - name: PGPASSWORD
+              value: agentmon
+          command:
+            - bash
+            - -lc
+            - |
+              until pg_isready -h postgres -p 5432 -U agentmon; do
+                echo "waiting for postgres";
+                sleep 2;
+              done
+              psql -h postgres -p 5432 -U agentmon -d agentmon -f /sql/init.sql
+          volumeMounts:
+            - name: sql
+              mountPath: /sql
+      volumes:
+        - name: sql
+          configMap:
+            name: postgres-init-sql

deploy/k8s/base/ingress/nginx-ingress.yaml

@@ -0,0 +1,39 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: agentmon-web-ui
+  namespace: agentmon
+  annotations:
+    kubernetes.io/ingress.class: nginx
+spec:
+  rules:
+    - host: web-ui.agentmon.192.168.153.240.nip.io
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: web-ui
+                port:
+                  number: 80
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: agentmon-ingest-gateway
+  namespace: agentmon
+  annotations:
+    kubernetes.io/ingress.class: nginx
+spec:
+  rules:
+    - host: ingest-gateway.agentmon.192.168.153.240.nip.io
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: ingest-gateway
+                port:
+                  number: 80

deploy/k8s/base/ingress/tailscale-ingress.yaml

@@ -0,0 +1,39 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: agentmon-web-ui-ts
+  namespace: agentmon
+  annotations:
+    kubernetes.io/ingress.class: tailscale
+spec:
+  rules:
+    - host: web-ui.agentmon.taildb3494.ts.net
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: web-ui
+                port:
+                  number: 80
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: agentmon-ingest-gateway-ts
+  namespace: agentmon
+  annotations:
+    kubernetes.io/ingress.class: tailscale
+spec:
+  rules:
+    - host: ingest-gateway.agentmon.taildb3494.ts.net
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: ingest-gateway
+                port:
+                  number: 80

deploy/k8s/base/kustomization.yaml

@@ -0,0 +1,12 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: agentmon
+resources:
+  - namespace.yaml
+  - postgres.yaml
+  - nats.yaml
+  - agentmon.yaml
+  # networkpolicy.yaml intentionally omitted (no tight policies)
+  - ingress/nginx-ingress.yaml
+  - ingress/tailscale-ingress.yaml
+  - db/postgres-init-job.yaml

deploy/k8s/base/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: agentmon

deploy/k8s/base/nats.yaml

@@ -0,0 +1,51 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: nats
+  namespace: agentmon
+spec:
+  selector:
+    app: nats
+  ports:
+    - name: client
+      port: 4222
+      targetPort: 4222
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: nats
+  namespace: agentmon
+spec:
+  serviceName: nats
+  replicas: 1
+  selector:
+    matchLabels:
+      app: nats
+  template:
+    metadata:
+      labels:
+        app: nats
+    spec:
+      containers:
+        - name: nats
+          image: nats:2.10
+          args:
+            - -js
+            - -sd
+            - /data
+          ports:
+            - containerPort: 4222
+              name: client
+          volumeMounts:
+            - name: data
+              mountPath: /data
+  volumeClaimTemplates:
+    - metadata:
+        name: data
+      spec:
+        accessModes: ["ReadWriteOnce"]
+        storageClassName: longhorn
+        resources:
+          requests:
+            storage: 5Gi

deploy/k8s/base/networkpolicy.yaml

@@ -0,0 +1,72 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny-ingress
+  namespace: agentmon
+spec:
+  podSelector: {}
+  policyTypes:
+    - Ingress
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-web-ui-to-query-api
+  namespace: agentmon
+spec:
+  podSelector:
+    matchLabels:
+      app: query-api
+  policyTypes: [Ingress]
+  ingress:
+    - from:
+        - podSelector:
+            matchLabels:
+              app: web-ui
+      ports:
+        - protocol: TCP
+          port: 8081
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-query-api-to-postgres
+  namespace: agentmon
+spec:
+  podSelector:
+    matchLabels:
+      app: postgres
+  policyTypes: [Ingress]
+  ingress:
+    - from:
+        - podSelector:
+            matchLabels:
+              app: query-api
+        - podSelector:
+            matchLabels:
+              app: event-processor
+      ports:
+        - protocol: TCP
+          port: 5432
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-ingest-to-nats
+  namespace: agentmon
+spec:
+  podSelector:
+    matchLabels:
+      app: nats
+  policyTypes: [Ingress]
+  ingress:
+    - from:
+        - podSelector:
+            matchLabels:
+              app: ingest-gateway
+        - podSelector:
+            matchLabels:
+              app: event-processor
+      ports:
+        - protocol: TCP
+          port: 4222

deploy/k8s/base/postgres.yaml

@@ -0,0 +1,55 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: postgres
+  namespace: agentmon
+spec:
+  selector:
+    app: postgres
+  ports:
+    - name: postgres
+      port: 5432
+      targetPort: 5432
+---
+apiVersion: apps/v1
+kind: StatefulSet
+metadata:
+  name: postgres
+  namespace: agentmon
+spec:
+  serviceName: postgres
+  replicas: 1
+  selector:
+    matchLabels:
+      app: postgres
+  template:
+    metadata:
+      labels:
+        app: postgres
+    spec:
+      containers:
+        - name: postgres
+          image: postgres:16
+          ports:
+            - containerPort: 5432
+              name: postgres
+          env:
+            - name: POSTGRES_DB
+              value: agentmon
+            - name: POSTGRES_USER
+              value: agentmon
+            - name: POSTGRES_PASSWORD
+              value: agentmon
+          volumeMounts:
+            - name: data
+              mountPath: /var/lib/postgresql/data
+              subPath: pgdata
+  volumeClaimTemplates:
+    - metadata:
+        name: data
+      spec:
+        accessModes: ["ReadWriteOnce"]
+        storageClassName: longhorn
+        resources:
+          requests:
+            storage: 10Gi