shpaq/auricom-home-cluster
1
0
Fork 0
mirror of https://github.com/auricom/home-cluster.git synced 2025-09-17 18:24:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

new talos cluster

Browse Source
This commit is contained in:
auricom
2022-11-19 04:47:32 +01:00
parent 42346bd99b
commit 4ac38f95e9
548 changed files with 1642 additions and 2331 deletions
Download Patch File Download Diff File Expand all files Collapse all files

57
kubernetes/base/config/cluster-secrets.sops.yaml Normal file
View File

@@ -0,0 +1,57 @@
# yamllint disable
apiVersion: v1
kind: Secret
metadata:
name: cluster-secrets
namespace: flux-system
stringData:
SECRET_CLUSTER_CERTIFICATE_DEFAULT: ENC[AES256_GCM,data:7BbZIX1f2j2a15gq1/gwqKcSTA==,iv:WOhJ5HlcnsPEeI/ALT5O+AnKtorJYueQqPJQStpvIMo=,tag:GPOpCrQ9F1ku7tqAtxHJdw==,type:str]
SECRET_CLUSTER_DOMAIN_EMAIL: ENC[AES256_GCM,data:j1yBajAlXKQeDuvbV2IyJp8IT3wA,iv:pxPgYZEZ6pvcr6trM1gkL5MZORewARaiVfwRTyWxny0=,tag:y31EGp46NgF/Pf3hQ2Iavw==,type:str]
SECRET_DOMAIN: ENC[AES256_GCM,data:UtdBDs6+azVHO7Y=,iv:ZnWrBW+vW6HiMs1PbgY2LjcwUwuUh1HxYjqvOXvCrDk=,tag:r6uDIJhVoTIcizIfRW+lHw==,type:str]
SECRET_CLUSTER_DOMAIN: ENC[AES256_GCM,data:lTfn9GCJHlgeO/BGXbvT,iv:LBsxVLf+WpS7Ac233XjVoWCjHqZpnhhhiJn2Q0YEHt8=,tag:d//kWxt2bJkqCF1EkEzYqA==,type:str]
SECRET_CLUSTER_OVH_APPLICATION_KEY: ENC[AES256_GCM,data:W8BOyYQbQJpQco0XQ8wgtA==,iv:z/nc9+DkIkvKw6Daf/UpuMsIc/H7AnwQF5ZjQarf03U=,tag:j+Qm6oK6jei7EFDBTT5ddQ==,type:str]
SECRET_CLUSTER_OVH_APPLICATION_SECRET: ENC[AES256_GCM,data:+R6Vy1qlYZuvFsGTnK3m94PuzdsYNPe1JVpGqhq9Dy0=,iv:bNKMp6VNMyuiJokr5xm9To2OuBYzoiJSRXUm4S00MdI=,tag:8YJoz5MICyC9bES/IP6ROw==,type:str]
SECRET_CLUSTER_OVH_CONSUMER_KEY: ENC[AES256_GCM,data:HwEaNSLEoON99KzgVLuDWxj8DPz1gz8tc3q/1hWJOvM=,iv:uTHCAT81Js9yQ/7iK90+elZzA0j6ia7AOWEufE1i/4k=,tag:D4tI50RyJz8o3n9hrrYz4Q==,type:str]
SECRET_EMAIL_DOMAIN: ENC[AES256_GCM,data:tggMEXyLi03dAorm,iv:tXHmWmm9wUIOyGXbHUagS0gl4cEW588XSvBIoNsADFw=,tag:69X+WZoj6CiI6mUJT01DzQ==,type:str]
SECRET_EMAIL_SMTP_USERNAME: ENC[AES256_GCM,data:U8UiC6SdBbX9JbpRglyXfofDzYf+LNY=,iv:BLqn6nWm+il2yxWBJgpjlLKp5/eVh8L9qSEfM9LzUEo=,tag:1+afhSVYeHTvzzBiTxP7Ew==,type:str]
SECRET_GITEA_API_TOKEN: ENC[AES256_GCM,data:A5zJGhQdlWUAagcPIvCIzvpeyzVaV5uDGegjvW4zl6X9kYDxG7JDUA==,iv:kogD/wl3KTlVE4by96vyEwTCMEmzbmEKmcAVK+8OjnI=,tag:PLbEaJQI7fWKz0tQSO35iA==,type:str]
SECRET_GITEA_OAUTH_CLIENT_SECRET: ENC[AES256_GCM,data:VWetZHP8haXPy1r20RMJvECxEWw=,iv:B3+rjPXWSbyCdi4KAy/FeMbtNUv40UIWN462OWfv9Ww=,tag:5wK7nUGu7HmdC90d2jllwQ==,type:str]
SECRET_GRAFANA_OAUTH_CLIENT_SECRET: ENC[AES256_GCM,data:3igfeqGHygjnmJXnoiKV7W8Tm2M=,iv:Hrjh38GuRvzS4Hi69QftBhaAJ02is5B0E5h23XICpUc=,tag:O4JFVSaoTQDhf3QZPLbn1Q==,type:str]
SECRET_HEALTHCHECKS_PING_KEY: ENC[AES256_GCM,data:ik/lEfCHBKcgnc+zRDrkhw3ykbITSw==,iv:XYqxF9yuRbR+WECjC+0xaT8V4qKYpdsWoNCzfzr33cc=,tag:AZBATumRJMbsLBw2XttV/w==,type:str]
SECRET_INVIDIOUS_DB_USER: ENC[AES256_GCM,data:snjA33syqy4X,iv:OF8LJSTdcIGgwAJPmS0HdCz0adsTuTwZ5zfuvJrA7fs=,tag:E4EnsKWITN4l6qnuxZ3A5g==,type:str]
SECRET_INVIDIOUS_DB_PASSWORD: ENC[AES256_GCM,data:jmHWk/hXAb9E97CEa4w=,iv:RYnGwoCy+RyVDdKVOXWFWPB/dqF2vPlx7ofRApEAsMg=,tag:nEydKLEw6mHJetEVa+NFzQ==,type:str]
SECRET_K10_HTPASSWD: ENC[AES256_GCM,data:u89AKCM/FSXn6Czo6KnG1rqkxclczczcE+wz7GMWU2HIoC9qUzqHvFKe7w==,iv:ZjE1p2P65TbSeVk0oXiWd4nH+7zNWonTjWYNmb3NFg0=,tag:UJn01B6MdJDHv1fN8mV21g==,type:str]
SECRET_KUBE_PROMETHEUS_STACK_ALERTMANAGER_PUSHOVER_USER_KEY: ENC[AES256_GCM,data:X1J9WLT26soYzlDb8+YtPotGw8p0lJKMuNkn69WX,iv:mW2cJOq5gfzSE+U24IuvPVL+dL2nZcTFpPAkG77Ohus=,tag:kxokidtuE5RAGJlj4Q4P2A==,type:str]
SECRET_KUBE_PROMETHEUS_STACK_ALERTMANAGER_PUSHOVER_TOKEN: ENC[AES256_GCM,data:Bwvuy/jHIRduy/r1A8dOs0OE8ewdjCgs8g/br1oW,iv:PdnPH9I509MT6UJkUG1zLAGn9aV4AVrROgAVCD4a3Y0=,tag:59kBGx9qx3jeauokyoolQQ==,type:str]
SECRET_KUBE_PROMETHEUS_STACK_GRAFANA_ADMIN_PASSWORD: ENC[AES256_GCM,data:L7LS6+tuwPCyb5HN4zg=,iv:JM2KTtDN/VrKicjp5qwqusWiJKHRZnfTtsZE2hkLq6Q=,tag:XGF3L5P6JxVBrlGuKosdZA==,type:str]
SECRET_MQTT_USER: ENC[AES256_GCM,data:Ggn82GysDHM2b/uNhQ==,iv:f5NXCE5/nfTqq1zdtBNH6Lu8ndf5YZKHgEWc9O0fB0I=,tag:z1OUzEeVgm+a9QRBxo9BEg==,type:str]
SECRET_MQTT_PASSWORD: ENC[AES256_GCM,data:WBqLezPi1sbzyzfubG71KfR+tg==,iv:gKDgjpPwZ+fEWs+zn3aHiiKglsEl/kue/vx2FaSAtsA=,tag:jXECLxyekqmejJfi11DKsQ==,type:str]
SECRET_NITTER_HMAC: ENC[AES256_GCM,data:pOA1LqHV9rcY3xAv5JMuSCMz1rk=,iv:3LkFNu/M3r1K/xBE/f7Kbf526eA4cgyGr4Wu/c+gxD0=,tag:ibJ8U+Pa66B2UmWwP/ZhNQ==,type:str]
SECRET_OUTLINE_OAUTH_CLIENT_SECRET: ENC[AES256_GCM,data:BB/eZQ/oLQ09AxGwKRddbiyiRMA=,iv:dhiyOUP3GyvHXUdPYqQKPQCMmqornj6WVWtfreq9T6A=,tag:WijFyu8XGk3dklYJR4/81A==,type:str]
SECRET_RADARR_API_KEY: ENC[AES256_GCM,data:Mom5SOMHf7xUvvUkjLIRqMzOSSQshzWdKlSGIzZtIGM=,iv:4vrZFrsTCUW2e0bo2sA2iT+ZVKUDEuyferNJ5Q5klFY=,tag:xha/NKx2XN3Mpa0XPSMPvA==,type:str]
SECRET_SONARR_API_KEY: ENC[AES256_GCM,data:JO5N+MeVeQmAlfv/dLJru5oHyVjpy9iUrfrTe4PLVXA=,iv:NjGstpjwFapd2LJNPy6nhXsp9UuCYTBuHRovmHdCSNc=,tag:BARsx6FBISHhxueBSDJSNw==,type:str]
SECRET_SHARRY_DB_USERNAME: ENC[AES256_GCM,data:wWnV6hHz,iv:+uV0X2tovaisFuO5KcF9PpKPyYeS4WtrrPt4Ll+CnsU=,tag:zNWR9AqheMGho0yV923vvw==,type:str]
SECRET_SHARRY_DB_PASSWORD: ENC[AES256_GCM,data:Y0gk4bRcEws2b0SF4AY=,iv:3cQbD/uvWNGjEmz3z8uEbXWwJffIrTj3nSDsGBS0MEU=,tag:RsIBq9zI8+2temGj5r/Lqg==,type:str]
SECRET_SHARRY_MINIO_S3_ACCESS_KEY: ENC[AES256_GCM,data:2qLE/cs=,iv:Ctrw213BgCC2jyEvFp38aOejzY/ZYiwAj9fsPzXgaY0=,tag:LBlIUm1LTAjUIKu4JeLw9A==,type:str]
SECRET_SHARRY_MINIO_S3_SECRET_KEY: ENC[AES256_GCM,data:ewm/Pfjb0t3KY46o2+DsnOGUzrk=,iv:rf6K/qx24iMeHG/a/mCQgD132LsFt+wme4Udx50v6NA=,tag:OskpvWusk2B1P/OACWN2eA==,type:str]
type: Opaque
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGVkZXb3RYbEZ5eTVSbmFE
R1QxMmw0ZzkvT0NIa01URTAvQ0xWa2tZKzNvCnl0UDQ1MGV6dEtuVEd2S0NhcThS
MGZ1VWNXMmxHSi90eFBGbXE2V0hwamcKLS0tIEp3a2ZTeTNyaXBhSW5nSU0yN1hu
WG82VkdBMlNnRzBySFQzMk41cEtXSlEKBqOmq9UpO61C85+pj0ibdT31y4pmFsbm
pTi4N0vv81kcf4ilqBU5h1gudNCb42Q2iL0eGNR4e3JzH4iaNsvnEg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-11-19T03:54:00Z"
mac: ENC[AES256_GCM,data:OTGwsnmD9ZMe3WJ+g2OOtd9wV2U8VC/HAew9uQ3WGv/I8lChcYl+2Q8JOH3GNQXghnME5OVuXCXK2Ax75p1DO1eXcR3NfTT2/uEeu3Ttdc0PRKynxEkmVQSZE8LrBzBHl+uiNhjOqHeMnw7JTAyRBwBoXJqpbWVAvkpsZ1PQbDY=,iv:nOoyPOesi+/NEywQF25smTgisS+b9vFnfPL71P785hU=,tag:zbhrHCwFs3F77oXcyYXA9A==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3

26
kubernetes/base/config/cluster-settings.yaml Normal file
View File

@@ -0,0 +1,26 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
namespace: flux-system
name: cluster-settings
data:
CILIUM_BGP_SVC_RANGE: 192.168.169.0/24
CILIUM_POD_CIDR: 10.69.0.0/16
CLUSTER_LB_K8SGATEWAY: 192.168.169.100
CLUSTER_LB_NGINX: 192.168.169.101
CLUSTER_LB_SMTP_RELAY: 192.168.169.102
CLUSTER_LB_UNIFI: 192.168.169.103
CLUSTER_LB_GITEA: 192.168.169.104
CLUSTER_LB_QBITTORRENT: 192.168.169.105
CLUSTER_LB_RESILIOSYNC_CLAUDE: 192.168.169.106
CLUSTER_LB_HASS: 192.168.169.107
CLUSTER_LB_VECTOR: 192.168.169.108
CLUSTER_LB_EMQX: 192.168.169.109
CLUSTER_LB_JELLYFIN: 192.168.169.110
CLUSTER_LB_RESILIOSYNC_HELENE: 192.168.169.111
LOCAL_LAN: 192.168.8.0/22
LOCAL_LAN_OPNSENSE: 192.168.8.1
LOCAL_LAN_TRUENAS: 192.168.9.10
LOCAL_LAN_TRUENAS_REMOTE: 10.10.0.2
TIMEZONE: "Europe/Paris"

5
kubernetes/base/config/kustomization.yaml Normal file
View File

@@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- cluster-secrets.sops.yaml
- cluster-settings.yaml

5
kubernetes/base/kustomization.yaml Normal file
View File

@@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- config
- repositories

10
kubernetes/base/repositories/helm/bitnami.yaml Normal file
View File

@@ -0,0 +1,10 @@
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: bitnami
namespace: flux-system
spec:
interval: 1h
url: https://charts.bitnami.com/bitnami
timeout: 3m

9
kubernetes/base/repositories/helm/bjw-s.yaml Normal file
View File

@@ -0,0 +1,9 @@
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: bjw-s
namespace: flux-system
spec:
interval: 1h
url: https://bjw-s.github.io/helm-charts/

16
kubernetes/base/repositories/helm/cert-manager-webhook-ovh.yaml Normal file
View File

@@ -0,0 +1,16 @@
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: GitRepository
metadata:
name: cert-manager-webhook-ovh
namespace: flux-system
spec:
interval: 12h
url: https://github.com/baarde/cert-manager-webhook-ovh
ref:
branch: master
ignore: |
# exclude all
/*
# include charts directory
!/deploy/

9
kubernetes/base/repositories/helm/cilium.yaml Normal file
View File

@@ -0,0 +1,9 @@
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: cilium
namespace: flux-system
spec:
interval: 1h
url: https://helm.cilium.io

9
kubernetes/base/repositories/helm/cloudnative-pg.yaml Normal file
View File

@@ -0,0 +1,9 @@
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: cloudnative-pg
namespace: flux-system
spec:
interval: 1h
url: https://cloudnative-pg.github.io/charts

9
kubernetes/base/repositories/helm/descheduler.yaml Normal file
View File

@@ -0,0 +1,9 @@
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: descheduler
namespace: flux-system
spec:
interval: 1h
url: https://kubernetes-sigs.github.io/descheduler

8
kubernetes/base/repositories/helm/drone.yaml Normal file
View File

@@ -0,0 +1,8 @@
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: drone
namespace: flux-system
spec:
interval: 1h
url: https://charts.drone.io

9
kubernetes/base/repositories/helm/dysnix.yaml Normal file
View File

@@ -0,0 +1,9 @@
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: dysnix
namespace: flux-system
spec:
interval: 1h
url: https://dysnix.github.io/charts

10
kubernetes/base/repositories/helm/emxq.yaml Normal file
View File

@@ -0,0 +1,10 @@
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: emqx
namespace: flux-system
spec:
interval: 1h
url: https://repos.emqx.io/charts
timeout: 3m

9
kubernetes/base/repositories/helm/external-dns.yaml Normal file
View File

@@ -0,0 +1,9 @@
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: external-dns
namespace: flux-system
spec:
interval: 1h
url: https://kubernetes-sigs.github.io/external-dns

10
kubernetes/base/repositories/helm/gitea.yaml Normal file
View File

@@ -0,0 +1,10 @@
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: gitea
namespace: flux-system
spec:
interval: 1h
url: https://dl.gitea.io/charts
timeout: 3m

10
kubernetes/base/repositories/helm/grafana.yaml Normal file
View File

@@ -0,0 +1,10 @@
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: grafana
namespace: flux-system
spec:
interval: 1h
url: https://grafana.github.io/helm-charts
timeout: 3m

10
kubernetes/base/repositories/helm/ingress-nginx.yaml Normal file
View File

@@ -0,0 +1,10 @@
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: ingress-nginx
namespace: flux-system
spec:
interval: 1h
url: https://kubernetes.github.io/ingress-nginx
timeout: 3m

10
kubernetes/base/repositories/helm/jetstack.yaml Normal file
View File

@@ -0,0 +1,10 @@
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: jetstack
namespace: flux-system
spec:
interval: 1h
url: https://charts.jetstack.io/
timeout: 3m

10
kubernetes/base/repositories/helm/k8s-gateway.yaml Normal file
View File

@@ -0,0 +1,10 @@
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: k8s-gateway
namespace: flux-system
spec:
interval: 1h
url: https://ori-edge.github.io/k8s_gateway/
timeout: 3m

27
kubernetes/base/repositories/helm/kustomization.yaml Normal file
View File

@@ -0,0 +1,27 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- bitnami.yaml
- bjw-s.yaml
- cert-manager-webhook-ovh.yaml
- cilium.yaml
- cloudnative-pg.yaml
- descheduler.yaml
- drone.yaml
- dysnix.yaml
- emxq.yaml
- external-dns.yaml
- gitea.yaml
- grafana.yaml
- ingress-nginx.yaml
- jetstack.yaml
- k8s-gateway.yaml
- kyverno.yaml
- metrics-server.yaml
- node-feature-discovery.yaml
- prometheus-community.yaml
- rook-ceph.yaml
- stakater.yaml
- vector.yaml
- weave-gitops.yaml

9
kubernetes/base/repositories/helm/kyverno.yaml Normal file
View File

@@ -0,0 +1,9 @@
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: kyverno
namespace: flux-system
spec:
interval: 1h
url: https://kyverno.github.io/kyverno/

9
kubernetes/base/repositories/helm/metrics-server.yaml Normal file
View File

@@ -0,0 +1,9 @@
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: metrics-server
namespace: flux-system
spec:
interval: 1h
url: https://kubernetes-sigs.github.io/metrics-server

10
kubernetes/base/repositories/helm/node-feature-discovery.yaml Normal file
View File

@@ -0,0 +1,10 @@
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: node-feature-discovery
namespace: flux-system
spec:
interval: 1h
url: https://kubernetes-sigs.github.io/node-feature-discovery/charts
timeout: 3m

10
kubernetes/base/repositories/helm/prometheus-community.yaml Normal file
View File

@@ -0,0 +1,10 @@
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: prometheus-community
namespace: flux-system
spec:
interval: 1h
url: https://prometheus-community.github.io/helm-charts
timeout: 3m

10
kubernetes/base/repositories/helm/rook-ceph.yaml Normal file
View File

@@ -0,0 +1,10 @@
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: rook-ceph
namespace: flux-system
spec:
interval: 1h
url: https://charts.rook.io/release
timeout: 3m

10
kubernetes/base/repositories/helm/stakater.yaml Normal file
View File

@@ -0,0 +1,10 @@
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: stakater
namespace: flux-system
spec:
interval: 1h
url: https://stakater.github.io/stakater-charts
timeout: 3m

9
kubernetes/base/repositories/helm/vector.yaml Normal file
View File

@@ -0,0 +1,9 @@
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: vector
namespace: flux-system
spec:
interval: 1h
url: https://helm.vector.dev

10
kubernetes/base/repositories/helm/weave-gitops.yaml Normal file
View File

@@ -0,0 +1,10 @@
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: weave-gitops
namespace: flux-system
spec:
interval: 30m
url: https://helm.gitops.weave.works
timeout: 3m

4
kubernetes/base/repositories/kustomization.yaml Normal file
View File

@@ -0,0 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- helm

88
kubernetes/cluster-0/apps/authentication/authelia/config/configuration.yml Normal file
View File

@@ -0,0 +1,88 @@
---
session:
redis:
high_availability:
sentinel_name: redis-master
nodes:
- host: redis-node-0.redis-headless.default.svc.cluster.local.
port: 26379
- host: redis-node-1.redis-headless.default.svc.cluster.local.
port: 26379
- host: redis-node-2.redis-headless.default.svc.cluster.local.
port: 26379
access_control:
## Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'. It is the policy applied to any
## resource if there is no policy to be applied to the user.
default_policy: deny
networks:
- name: private
networks: ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
- name: vpn
networks: ["10.10.0.0/16"]
rules:
# bypass Authelia WAN + LAN
- domain:
- auth.${SECRET_CLUSTER_DOMAIN}
policy: bypass
# One factor auth for LAN
- domain:
- "*.${SECRET_CLUSTER_DOMAIN}"
policy: one_factor
subject: ["group:admins", "group:users"]
networks:
- private
# Deny public resources
- domain: ["navidrome.${SECRET_CLUSTER_DOMAIN}"]
resources: ["^/metrics.*$"]
policy: deny
# Two factors auth for WAN
- domain:
- "*.${SECRET_CLUSTER_DOMAIN}"
subject: ["group:admins", "group:users"]
policy: two_factor
identity_providers:
oidc:
cors:
endpoints: ["authorization", "token", "revocation", "introspection"]
allowed_origins_from_client_redirect_uris: true
clients:
- id: gitea
secret: "${SECRET_GITEA_OAUTH_CLIENT_SECRET}"
public: false
authorization_policy: two_factor
scopes: ["openid", "profile", "groups", "email"]
redirect_uris:
[
"https://gitea.${SECRET_CLUSTER_DOMAIN}/user/oauth2/authelia/callback",
]
userinfo_signing_algorithm: none
- id: grafana
description: Grafana
secret: "${SECRET_GRAFANA_OAUTH_CLIENT_SECRET}"
public: false
authorization_policy: two_factor
pre_configured_consent_duration: 1y
scopes: ["openid", "profile", "groups", "email"]
redirect_uris:
["https://grafana.${SECRET_CLUSTER_DOMAIN}/login/generic_oauth"]
userinfo_signing_algorithm: none
- id: outline
description: Outline
secret: "${SECRET_OUTLINE_OAUTH_CLIENT_SECRET}"
public: false
authorization_policy: two_factor
pre_configured_consent_duration: 1y
scopes: ["openid", "profile", "email", "offline_access"]
redirect_uris:
["https://docs.${SECRET_CLUSTER_DOMAIN}/auth/oidc.callback"]
userinfo_signing_algorithm: none
# - id: minio
# description: Minio
# secret: "${SECRET_MINIO_OAUTH_CLIENT_SECRET}"
# public: false
# authorization_policy: two_factor
# pre_configured_consent_duration: 1y
# scopes: ["openid", "profile", "groups", "email"]
# redirect_uris: ["https://minio.${SECRET_CLUSTER_DOMAIN}/oauth_callback"]
# userinfo_signing_algorithm: none

106
kubernetes/cluster-0/apps/authentication/authelia/helm-release.yaml Normal file
View File

@@ -0,0 +1,106 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: &app authelia
namespace: default
spec:
interval: 15m
chart:
spec:
chart: app-template
version: 1.0.1
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
install:
createNamespace: true
remediation:
retries: 5
upgrade:
remediation:
retries: 5
dependsOn:
- name: glauth
namespace: default
- name: postgres-cluster
namespace: default
- name: redis
namespace: default
values:
controller:
replicas: 2
strategy: RollingUpdate
image:
repository: ghcr.io/authelia/authelia
tag: 4.37.2
envFrom:
- secretRef:
name: *app
enableServiceLinks: false
service:
main:
ports:
http:
port: 80
metrics:
enabled: true
port: 8080
serviceMonitor:
main:
enabled: true
endpoints:
- port: metrics
scheme: http
path: /metrics
interval: 1m
scrapeTimeout: 10s
ingress:
main:
enabled: true
ingressClassName: "nginx"
annotations:
external-dns.home.arpa/enabled: "true"
nginx.ingress.kubernetes.io/configuration-snippet: |
add_header Cache-Control "no-store";
add_header Pragma "no-cache";
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
hosts:
- host: &host "auth.${SECRET_CLUSTER_DOMAIN}"
paths:
- path: /
pathType: Prefix
tls:
- hosts:
- *host
podSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
fsGroupChangePolicy: "OnRootMismatch"
persistence:
config:
enabled: true
type: configMap
name: *app
subPath: configuration.yml
mountPath: /config/configuration.yml
readOnly: false
podAnnotations:
configmap.reloader.stakater.com/reload: *app
secret.reloader.stakater.com/reload: *app
topologySpreadConstraints:
- maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: DoNotSchedule
labelSelector:
matchLabels:
app.kubernetes.io/name: *app
resources:
requests:
cpu: 5m
memory: 10Mi
limits:
memory: 100Mi

16
kubernetes/cluster-0/apps/authentication/authelia/kustomization.yaml Normal file
View File

@@ -0,0 +1,16 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: default
resources:
- secret.sops.yaml
- helm-release.yaml
patchesStrategicMerge:
- patches/env.yaml
- patches/postgres.yaml
configMapGenerator:
- name: authelia
files:
- config/configuration.yml
generatorOptions:
disableNameSuffixHash: true

39
kubernetes/cluster-0/apps/authentication/authelia/patches/env.yaml Normal file
View File

@@ -0,0 +1,39 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: authelia
namespace: default
spec:
values:
env:
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ADDITIONAL_USERS_DN: ou=users
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_BASE_DN: dc=home,dc=arpa
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_DISPLAY_NAME_ATTRIBUTE: givenName
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_GROUPS_FILTER: "(&(memberUid={username})(objectClass=posixGroup))"
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_GROUP_NAME_ATTRIBUTE: cn
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_MAIL_ATTRIBUTE: mail
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_URL: "ldap://glauth.default.svc.cluster.local.:389"
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_USER: cn=search,ou=svcaccts,dc=home,dc=arpa
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_USERNAME_ATTRIBUTE: uid
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_USERS_FILTER: "(&({username_attribute}={input})(objectClass=posixAccount))"
AUTHELIA_AUTHENTICATION_BACKEND_PASSWORD_RESET_DISABLE: "true"
AUTHELIA_DEFAULT_REDIRECTION_URL: "https://auth.${SECRET_CLUSTER_DOMAIN}"
AUTHELIA_DUO_API_DISABLE: "true"
AUTHELIA_LOG_LEVEL: trace
AUTHELIA_NOTIFIER_SMTP_DISABLE_REQUIRE_TLS: "true"
AUTHELIA_NOTIFIER_SMTP_HOST: smtp-relay.default.svc.cluster.local.
AUTHELIA_NOTIFIER_SMTP_PORT: "2525"
AUTHELIA_NOTIFIER_SMTP_SENDER: "Authelia <authelia@${SECRET_DOMAIN}>"
AUTHELIA_SERVER_DISABLE_HEALTHCHECK: "true"
AUTHELIA_SERVER_PORT: 80
AUTHELIA_SESSION_DOMAIN: "${SECRET_CLUSTER_DOMAIN}"
AUTHELIA_SESSION_REDIS_DATABASE_INDEX: 14
AUTHELIA_SESSION_REDIS_HOST: redis.default.svc.cluster.local.
AUTHELIA_STORAGE_POSTGRES_DATABASE: authelia
AUTHELIA_STORAGE_POSTGRES_HOST: postgres-rw.default.svc.cluster.local.
AUTHELIA_TELEMETRY_METRICS_ADDRESS: "tcp://0.0.0.0:8080"
AUTHELIA_TELEMETRY_METRICS_ENABLED: "true"
AUTHELIA_THEME: grey
AUTHELIA_TOTP_ISSUER: authelia.com
AUTHELIA_WEBAUTHN_DISABLE: "true"

31
kubernetes/cluster-0/apps/authentication/authelia/patches/postgres.yaml Normal file
View File

@@ -0,0 +1,31 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: authelia
namespace: default
spec:
values:
initContainers:
init-db:
image: ghcr.io/onedr0p/postgres-initdb:14.5
env:
- name: POSTGRES_HOST
value: postgres-rw.default.svc.cluster.local.
- name: POSTGRES_DB
value: authelia
- name: POSTGRES_SUPER_PASS
valueFrom:
secretKeyRef:
name: postgres-superuser
key: password
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
name: authelia
key: AUTHELIA_STORAGE_POSTGRES_USERNAME
- name: POSTGRES_PASS
valueFrom:
secretKeyRef:
name: authelia
key: AUTHELIA_STORAGE_POSTGRES_PASSWORD

36
kubernetes/cluster-0/apps/authentication/authelia/secret.sops.yaml Normal file
View File

@@ -0,0 +1,36 @@
# yamllint disable
apiVersion: v1
kind: Secret
metadata:
name: authelia
namespace: default
type: Opaque
stringData:
AUTHELIA_STORAGE_POSTGRES_USERNAME: ENC[AES256_GCM,data:popD58odXyQ=,iv:gw+Y2n/ZRRAudSZy6T6aYdLq504xEH6Ntk+nWY39zjE=,tag:okpCZIGgCzeooa+eSWhAbA==,type:str]
AUTHELIA_STORAGE_POSTGRES_PASSWORD: ENC[AES256_GCM,data:j/VlSpeqwTVKCDN+Law=,iv:k+PKPq1iF/bl0acff1DrbQzRKOb3cy37Sq5R+wuKOQc=,tag:ouhjcJuZJQ0Gc/T396WDrg==,type:str]
AUTHELIA_JWT_SECRET: ENC[AES256_GCM,data:/FH8Yi4olsLQgbAbTGh23wvZ+0bY5XZMxyXUcQ==,iv:BB18NV8++Uqh3TS9KeDAOV3WH8gvBa/vKRAoV48ddMU=,tag:jbNMXobzUIIEd/fQKrD17Q==,type:str]
AUTHELIA_SESSION_SECRET: ENC[AES256_GCM,data:oKlY7wYdJWyVyS9L0kEyE/FBaX8QguU7ZwN4wg==,iv:qn3DBkozHECvEvjfJaGwogGdNcEYfL9Mr4sZhkmRvUs=,tag:tmvKCTehK5APrJG/xRzdtg==,type:str]
AUTHELIA_STORAGE_ENCRYPTION_KEY: ENC[AES256_GCM,data:dhPWtO+l7X+9chnJczfL1qE0ckO58kRAvzjTiA==,iv:ac8mMxYENkUv7llxkHHdTiCxMaqP0/joJeAxDkc7vNE=,tag:HUZudNImGCxzlGXeYJZGtA==,type:str]
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD: ENC[AES256_GCM,data:iF/190/mZpbDwCd5Q+VOTQVyRbs=,iv:xKhvy4ufkiPqmiWUPKQjxRqUA3VH1Y/PTc8BVnLIaDA=,tag:KB3Bs71cARnYo3noOZs+Fw==,type:str]
AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET: ENC[AES256_GCM,data:GQ5FI3GP+dNfWapUXbkWRoUi4N8oHLn6Kotmmfaqxd0=,iv:iZMUl9vBZUdWElVV1iqPNhdTy0aQKw3H318UT/rTpWs=,tag:iuKMZal34P0zFy6v+Dvj7g==,type:str]
AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY: ENC[AES256_GCM,data:IeAA9iN8w6vU5ZsJVAmLyaH4xuADYg0ESKdqIWSCQ6OJKd60E0UNhIQOIH25JCQnRo3cpAflkqDHRdMNnoUY4apsA5GBZtO9+kDnswMHFfMwhgP15V6RBLObvIFVFfjH5n2k7hObMeS2qm8+rVIaUpyNDu3elD8KrKHOiqN0dxbd4PVx1CmN3c9kJGqSWrYFhBo44fULjUzWYSaQbfMqxotkxodtfRDKYlwvXBh9fg1hWblBj2LEl8yPd2V3QiKDH2o6um8VWw33ryUzAeefJOelUUU/s8EynbGwTZwuPVy8LATSSiDtvramFpsk7XXshDLrwEir7hujaieP3P0T7XspF9i85wFVZrTqZDtlysYgziwTEqSbd2vL737p6S5l3QpAn5De+QkZyYDbPYJ2X/PTESeY1X4hJ8TI0OK15DXX5+YYkh3Vnvl21xseaAoT9QvTcXM9jjUug8cwt56UhG/grNFrYLjngq4cLPHI4vzE9JXLfXlax+Y+jj0t1Bv8EPA66RzXxJWYgbLP/SdHPFDpyMwRjSzm5zJ9ldG+ajJ1B6pVuWb53USVxtRu6aRnZsxWpJfkn7HqGkXjRPT0mSiU2tFpwaM/NDxMB66DiIZjCwjeTfbFSngDQc88fcwv8V6klASM0iCbsQCtXDGoAt1mG6wmA5UhMmoKkqdRVj+qov+ZeMz+dlafdoXJNXT8ncTo06RDQAZX/3kW+7uK5EbfSRUmDUdPnHHBL/fhEYEasZoF5nwegp9gGPOX6N+mHyYoB3tJNrATJkBa7bTDcPcKpRL5a472ApXva6WYyDgnO4FrvxlkC0wt9Dt8Tw/YakwxY+UtatmdEyYRprxRWQDPYHCqe+lK8S0LGHq+2HEcf109lzAszhkEHj4AKXVuwc2ooWlqVFoCMB4+1sJzawA4Ry5mXNFLN9eb+6xO8fg6DMxRZFbZTL+mdOUfIQxz+nCbEm48xakSj3NJzQ4Rd+31kuapmcnjCLoWdDItXfPrIV160v0GGGMQmrzL7PJVmBaFwmRfJ5YJz5UE0qi8z5RC1d//0ywEyb0EBNCouuWh47XHo2EDKTbhy3o0qpkQBHIQuxUZcIPM+3veF/SOT7pFYPGHMFPbif/71j1HgxuE/E1p+How0XfelOfP4Z8rUWZcDWLJp0wDrD7WRe9564/cqCTvqBRusPKYlCG/xJreqn42LV0bVN4JxJAiBXM68lasZJHunMJcd1E1DB/p1S0Wooezc7J67sPMiLAfiq4GdBSq8Z+8OJKcv88KDXu/PPCh8Ke4xVLdovK1KUncP/T8cppFhyE61CkDjcGvahGbuLkZl2mkR5oHoNerOXqFQ/tvIR34vXRRbb6Qo92r/yJmi6lsXGEu1dxMKBPKkOdCqWYXcSgGtDgyETm1+keoNjh67f7M0rl7eztHpFDl9CX9b4lYEBTiaaozWN+LYdPQps5IZfZDzTN4NScfx2CDve46xVLxNc/DpLhUih/a9i3/kHUB6aPNN/IxA6mhZqrya3gAUfAstxlkiBme8Wa902DFOh10YTn0VP9H+yRihK/OECDMhDDwrqSC1dn7BOF5iWFg9CMB6OzABstucmFDAgRxkqkaIPTSYF0mbZnD5KeZYRjeUV43m7BstHFXGSmb4R2CI9popqvDV1y/7ANpiepXlN2JFGCeCgW/SyyPAZw/xnQUH3ZGjK4lon1l45YA2YRvWnfurGZemaAtir499dbKNa1JK+1POmpAHvMw7tm7Jj2LjaHNKD40jGY782ucZkLFGwBm8P0KU44vjKinQNvjhNrct/USTEMxU+sHtuE9jFDsufKlNeOK/LkjCKfbOu6PNKF8MXoXw8bUsHSqMYHXRvBDiYNmuHp0zitet8JLvdKW1LVLTpuFR7/13y5L//9RvpvD66gjbO9LawIm4oX/RrkzzCEf/eMC4jCPvAe5KhcDGxW53LRYAowGLHmNlKDzWMWMAwe86dT9Y49cQYuznLYifu2ApeQ4nEFW4b0bktrzxSuZCVhWXPs+e0OnEWTUC3lzTd0MSfUgI1pSW+HmKs9+nr+YcEOBTmGd35oyjKGLq4SE4SecckslWnvYpXnHj2QOTqVD/Mn36B3NQgPIQOeh3uOiKhfOw4T0TiBc8ElBGbM0bsp5Cp2q41xByITXaVsgPo6IksI+dnoaqaDwzXVW2RABuuEDNAhC64gJW+t94obETP8X/ulGzxqibLVmOJgcdQ31TuEoE1z17TALTjm6GwZj8Jz80CfM2gHivh41xHjw23yHev3tJ4y5iOQ2fJRE9nM+Lwx3YjN0311PQ63ZfF453flkw7tzvHT+WMUyMHJBCwlQyrYVSVAd1NPdov4i/Ru/OSGGRQ2W3gdkDpTTbxB3rHzWaXS47mQHT9m60SfXDccT7JrZeDb6R8KhpS3aBL8k9paarynaFPrvjwRgJyjZAXzk38StzSRoRIUdS4teWlOm0aLjWA2N+FNxTnHif7fXLXQGnlHIhAU2U3KJ9mlqCq+pxqy2nmnDoXwBh0MjWYvEXwJhEQXv7PdXN6+74jlgx5xrmvyCqOJFuVIvIcRzj74mFIqMTMzXLL6eAjg9xLleTtCbY8jxjBrzfENYpYMQHPVRM1fwipu973WV33sEGmmtk6K79sQyI9Re2J5vneBJ5nT0/xqzA3EWQVEgXMXuOSthjO3PICYrPaH0ohlhiFEwlKpFWBAFKDwxilXeYMBN8epnm3tQjsnUoDyW4TTO/5j4e0Yb/k2z3T7IMYSme4AJq/ulf1Og+aIxHPfJ+QPfTqDnaF/zhkhYHh1iDEa9Dp4UEXyhgytbpr5f+tmcVuvGmtK4k6aOi1XkaLg6/CUa2O00MVqyLmqOeGDAw8z+UJcyFTk86kvNk8PMMrXsEzt6xDGkpSEjiPXL2vf1PrJIYi/99rcWrXR82zMCZg0EaM3zxhZvWzOFrWqHuE9u2ErgzgRt1GQ8iA3gFPw8uP7o8SCjE1Ig9kf56+OncA1fyJRFCPBe9Y36izZtEt901k9aMhZVmiuuCQAtptGFYslKFkLTeaQesnaSgSO2jq1wDEUtRHLHaTeBVWupB1AWvM9u661iC1dk32eVsclftyH5Auf0R58TohDLzhGT8e8NkOii9IJ2+N+ua8nPPiQqxfjbdXrKJFLFeyYimb/h6yfugQpxiDXWOfZFFkdKSZJqONaQ+aURqK3gyavzJeYUdRoiattdNNgGl+jTI/OEe3lt69oimYYExFQRzJ2R3uYYVbVyvaptW7+ppGxOxk4yfoQAcMZnOTGu9DKgBDClGOcdI2LeluieJrfXwoMq3o5wcoM6yvTmgfxzUMZ3DELWwP7Fqv0IJyRD0tXbIcQxGGyd1U3aGq6u0sGJaQy6+sb+s8hFPglL0CrzvCJPJERm8PHiJtiLHDa6WG1+b3V9fPnmJFD0AJEggE7fPolq5/j1dm1SRNmWNffHXcqGrCDcZ0qx6BE2pEzTY2VtyinsaNuigULK6kL55srFHh9xjwdgTD5F7czuqoIo2Phm8PoRW5X8I7dQZ0Psiur2d9tMAT+ChDWoytqmZH3edCN0a1kjWKN8+hDzIptbW68j+JuNLCtBc2ENtCo2mne4Kz15oYgbR7urht+CvagdKxauBiDGcp/KXuRUQKz7onCgnMmMkLP3lHXeyRqi2maG58K0Vngdsi2nFn7IzbeM8ieF2D7mo7FK5lyRlyIy3X2GwTQvEUTUyTUkv/cNCSet4O3zVeMY+hgegZzU1h8Cpzp+GF7v8wEVAe6DZTu+0aubwb27lqiweBUBBNJf9GuAMnuYGHODMsn1CNe3wNtgRlp0liGyT4YmoZlgO6rPcpUpjtxAdw+legYXdylGMwX/Cer2OLxe/VOsd1wjmMcZL1009guK7t6BjwGY9/g85y8MMPiHpWwo1MUOuKPQZFK2c2iu3IiQJtawqocNvmBeZ4/h9978Rod2aUbYXvTRFJbDbRqfqojEDgZv0JgIpBQKT/cIqQLPXoigyab45tMoKWKm2D7lSdwQIWpc2tx4qkECbLy5KEmd0UbCmCC8RDUk3I/Nkycwf1XrlZVYwNpKhQMIytDUyIf9TqTrU/XIJ/Q6Ib7kSyjZeK46GldMNuGnc05mPlJQoj75ZxxtWibfPG9kH7ImR4K1PgHoY2gHleca/paVyC9jNKpKiyB3m4WDnrxK5N+NpO+wlbNXAtGeqZJd6H/V8URnBuIv0NxFRhQ1seVZQKElkol1KCe9H/+n0Hs/fz5RdBwa/Oh9/lVNrJiVcnH1/5JGpR5/p/RLElE9Nl+GJGS2uWasvREyXjoLrB0aSwQK,iv:+H0Qz07NHU6fs7mJk9VnLZlYSoxTCnW59oPSHOmGr+s=,tag:w7NtwB7ks/Tb3eky5e/P/A==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4TWU5YTlFY3FPQWhnZ2I2
akxnZ2xIRVNFZTdOWmg0dFhxTUNoZEFIM1cwCit5WnduNlQ1MkF2aytCVldMeVlC
Yk5QNWRQRllOT3ZTL3VGcjJNK1VqeUkKLS0tIFMyWHNFd29nc2tMektxclJkK0pT
Ny9OQ0l4ZXMrdW40NmRsbzgvZ0w5V3cKqTGvN5zk2TPgtxoVfwI7Wsz4N+lC9+Kq
DCXTgTU/QXm9dvo4ErPPzeWFqdk4JchExhvSJV2JfM32O+3z+EGhNg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-09-13T21:14:03Z"
mac: ENC[AES256_GCM,data:ujW5w84/5GmwWvH8RdAoMdEXDNQptKhK0Whbd3Byg0o02NDA3SkQsMJsaSNG9Sp5CZnYxSBHdL1AT/1pldFsrxU7TcIpU1mh9zs4nf9B8x/9CEH/3fKSOZuHRKF56LHkqXLFbcC1o+GQHfg1zWlNFWBQ4ToPnqFlLneKFcHT/Sc=,iv:15KsYWcwbuCnsNOvjh7iMuv9gOsLnbvldUlUOl1l2eI=,tag:spHas6eWDLhcaK4cFStnww==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3

20
kubernetes/cluster-0/apps/authentication/glauth/config/groups.sops.toml Normal file
View File

@@ -0,0 +1,20 @@
{
"data": "ENC[AES256_GCM,data:s910tBBBfRjMxw3/W+Y8Wpm9ODOtWGb8MLQUgRbLLBIczBnZvuDUE6NrQnJAyK7H8sY0SqF2iYGbCKhbp/kFMe1zkB7Txi0EC81+vNCWMEzsKBWeB5HN7R/4LgwT19Ge0vXWYwfP4++Twiin/C5n8/KiPCqQDvcO92o96c5+zkWmvnayGYovmAuTkguSUDaPNJRffHZob7HOc9T9Tw==,iv:YoK+RSBsONPNzzyC6hJDTboz+MpoSv+nmjuypUyYVhk=,tag:UdUlrEe9yoOnFKBP1eSCXg==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvZFcremxrOFJCbU12ektL\na0kwajkzRDVkQlQ3ODN2R01LNDhONVRMcDFFCnI1Mk1EWGszSm4rU0Nra0J2VUFq\nTVc3UGU1NHpQZCtTdEI5OFpIVnNKRG8KLS0tIFg4WHNUVS9pTXQxb1k3V0xsd0lL\nV09lKy9nTzBBZ3QyRDByOUhYOUd5bUkK4IEvbv8gyFv3v40Iz6Gso7M1rTWBNKBW\nGJM4LaUoAM5gCSSjPeSB1ZLn7j226Qr2M65GxQiA/4xPpBaOgzguow==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2022-09-18T16:37:58Z",
"mac": "ENC[AES256_GCM,data:T0DB0qKA9BLT6pSud+WLeCTaYltvA19Uf2Klm/vsqCOXvtAVJVTWRMvE3OzcwTieJgBn4UOEaoUUEkpOo6T9ZKyqVzJ+Ir+RmYBkZZs08g86wPsUoMzEwmxQwz7rhaR/dqiNiWp7L0wE1ZbBg5gFpSj5WE8Hs0YJI4VZLFwVwfw=,iv:vSE1TboA1VknRr057d7ESWV8SvGGuNTbQnapieZvy7o=,tag:f2DSJqiBsjzBmexNo9U+ZA==,type:str]",
"pgp": null,
"unencrypted_suffix": "_unencrypted",
"version": "3.7.3"
}
}

20
kubernetes/cluster-0/apps/authentication/glauth/config/server.sops.toml Normal file
View File

@@ -0,0 +1,20 @@
{
"data": "ENC[AES256_GCM,data:78oUuR7O9j8wqKKiTrCbg1QNVB2a+i3CWgNDNM38zQNDO/LZ3juQkda5rRZsvvH9ovGwsIVo+nk2omMLY5FUceFxQFssXYH5EGgPOA9cXYtbql8jdbp0Lh/41RAC3+WrEe3Pj/5/Qyl+1rMgQPg2JJf7KudJRt4whA6Lkehd3147Au12fMxTpxZpnSczk1MroZwsE+DdQStkVDdzwMA/QvWhnXCDCMcawFrHxrQvmRGOHAyYGomOrPm8WMKSdBpNDMZQFg1pjORK/QQ3LzeQpnoJ25iu/fA9OfpyYsbhryk2asOCyA==,iv:SZ1DXCoib5E9PurrC622tAcELIxxWGiensfZTVKFzXw=,tag:lDDsTO/Y5mXfEqyAJ0z0jQ==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3Mk9heFBGdDdueGFkT3Va\nS1pyMC8wOGJDSTJ3d3JPSjNnTVkzYVJ0eTJJCjVoUy8wMXdPc3Myc2JaalZ2ZG9Q\nc3J4QldvZlJqMFN4WnhvYnJmZXVuNjAKLS0tIDR5K08rWmJvR1VSSjVHUFdWNjRK\nWHd4Ny9ubjVIZ0V1SXhTMnJFN3hCK00KvH0z/ys31lAX2pYNt2JdWqPSDhp4PKEn\nbQ1Z99aG5DedV/4KqOH3L9bvHl3M5am0MiKW/CngOfN9M49bWwQ6VQ==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2022-09-13T21:10:04Z",
"mac": "ENC[AES256_GCM,data:rKjnXHgG5ws0WdcGmTXpZ7PPGm2UIhVASqQ8K6Vtadws2g4M5OOk2JYI9sKjpnGd/Ht0pssBBpLWbqcwV2M2Ug96tkiDMRHHT7vgw4X5Y9NmnYt+5/An7ynsudraAr9AvjRS7Xux03OIPc7LjzOtCv4BIDyFR7vPj5+7opdedC0=,iv:3VPRTkVPL640URtVG5SxLKXE0/Pe3RORttfmnU0AYY0=,tag:Fcl2j31dKdCUwvfozWpRTw==,type:str]",
"pgp": null,
"unencrypted_suffix": "_unencrypted",
"version": "3.7.3"
}
}

20
kubernetes/cluster-0/apps/authentication/glauth/config/users.sops.toml Normal file
View File

@@ -0,0 +1,20 @@
{
"data": "ENC[AES256_GCM,data:q7pZXn6YGFKwKlEX+Iax8ZWoRkuK3a0HZlbKn/aDHpf9DCOpaJuxXpFL6hlkoKb3eoFBdjLHV2Yh+y6u+v/aPnLA9yaMuhZ9MDC0I6KF+5onRermWvtadiW/pmLLBd9fFBTxvKPni3sgHpZoZ7VZMRe6YZ88StsGJBX/cXjEZkOIO9S3GC28f3iNDKH5HGsYHUWyTn2osmOfrLahG5We3P9GeVTKgbnB6/OWC0lSRR+mmPc0yAjAXklTrGuk4zRV54qDoS8HdCO0FTq3Z83f6Qa3eoFDiOrm8yLCmXRqNGSoHoFrp7dnPzCna2SMAX7RBRCrOBRw+mijaxBrbMSp/2/5MqnJyJDz53ozUZog88Ywu595vfo3lEyJ7Qu/O1DX5aJTXKCPAvOIvAwSSFXfdKGmUAQrQvEP3VgpYnzGbuhnfPTJivXKpgc4vutvOH98itTquOq9KJdCOKcsd8gmBtOpPcMrUwA7jP1TV7eJIKhSN9YFt6jflTtqxfa9a4hB6FKXkXqJOrs9b4sT1iGi1bk9uVBF+3Ccc5X/JNRZ6Q6DSLYE5SkOZGOylsS4cjzjUcFSsnyNSfTwjca8SKLlc8bnPU0qFCOIVARIjKw8vMwedYKk0aiNTEa6vqShsGTUHVV/Lx7KqaVgayX+OjhUTzK4Wtrml2dvfoO4TePRmlg0AyeeqvJiIA+Fq9kaxsDkx63HSeK+0wjFH5HWThElycxVWozN6BAQ6EK4sPqrCdjfOpIAnv2YAazY647N8gcKd/OjvYM9lo0d3X0j/EiiFo3nq7ldggMJJRt9MmXVK3Ep31jjkqaeX9nljvMWsnFWwzXq/itPheEaKT3ch44PLPSFZu8NTMn0Xe4SoDaItbCAlXWjfGaLqBSGhVXCgXlzwx9ks75HntQ1zZMR151lU1RpnrZxB0g96uRAdkNBxYtxGkfqr/L4FjbDZSbLSm6JzV6hFgZZmfK4wsDJVG8dzT5/+1XNDfu9Ih2HCbh+upoNSQVzQhcHgtawpESP1v8OQr+t8KMmtVQGKLkCJAufabTI7Q==,iv:Y5jO9xDZwhvBfMUImMz6d9IksMpPCLKhzzrecbahp2Y=,tag:Bha5EyxQ3a7l+x/i0DsiaQ==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoeDRMTnBlWXhEbXIrR0Fh\naFJXTEdWS0V3TCtmNFN1UFhGSXFLSExwNFRrCngzdVRhTG5LK2FWV2d3WTNvTTY5\nV0JrNWh0bGFaK0wvanZmL2dBSENkQkEKLS0tIHlVY2daMlVwNW8wMDRNNHN1RzdP\nRmsyY2NublJsWTRsRUJqYVlZTlRJS28Ky5QoK04bIpqAiHepeIS0FBVU+Kqn9IvY\nQ3yJxfye9EO1XJ60goxur9yzq3TNyGFykhvqVsizVBVuir1Ow3sLoQ==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2022-09-18T16:27:14Z",
"mac": "ENC[AES256_GCM,data:W77zbh5xtZPJC7nAuJ3LyZUlfQM9cmNJo6rBGnp34vxfA/H7m0OExHTaJkW+o0Zajk/3/zC9jwhmNRJdiQzd/k1M+a3q+DGOU2vt+On7Mo8mDfyuPOA6DvQnXf9ouwBPPkFjtn8t2Hb1cKvCLVdeMqRgz+x3MwJRbB2rB5YEY4o=,iv:+figksDMN3AP5+dD/gn9cE18HlgU8BOHtMtvaDEQUzs=,tag:9eo27jDtrFrqXWef5/T2nQ==,type:str]",
"pgp": null,
"unencrypted_suffix": "_unencrypted",
"version": "3.7.3"
}
}

64
kubernetes/cluster-0/apps/authentication/glauth/helm-release.yaml Normal file
View File

@@ -0,0 +1,64 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: &app glauth
namespace: default
spec:
interval: 15m
chart:
spec:
chart: app-template
version: 1.0.1
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
install:
createNamespace: true
remediation:
retries: 5
upgrade:
remediation:
retries: 5
values:
controller:
replicas: 1
strategy: RollingUpdate
image:
repository: docker.io/glauth/glauth
tag: v2.1.0
command: ["/app/glauth", "-c", "/config"]
service:
main:
ports:
http:
port: 5555
ldap:
enabled: true
port: 389
podSecurityContext:
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
fsGroupChangePolicy: "OnRootMismatch"
persistence:
config:
enabled: true
type: secret
name: *app
items:
- key: server.toml
path: server.toml
- key: groups.toml
path: groups.toml
- key: users.toml
path: users.toml
podAnnotations:
secret.reloader.stakater.com/reload: *app
resources:
requests:
cpu: 15m
memory: 105Mi
limits:
memory: 105Mi

14
kubernetes/cluster-0/apps/authentication/glauth/kustomization.yaml Normal file
View File

@@ -0,0 +1,14 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: default
resources:
- helm-release.yaml
secretGenerator:
- name: glauth
files:
- server.toml=config/server.sops.toml
- groups.toml=config/groups.sops.toml
- users.toml=config/users.sops.toml
generatorOptions:
disableNameSuffixHash: true

7
kubernetes/cluster-0/apps/authentication/kustomization.yaml Normal file
View File

@@ -0,0 +1,7 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: default
resources:
- authelia
- glauth

90
kubernetes/cluster-0/apps/authentication/readme.md Normal file
View File

@@ -0,0 +1,90 @@
# Authentication
## GLAuth
### Repo configuration
1. Add/Update `.vscode/extensions.json`
```json
{
"files.associations": {
"**/cluster/**/*.sops.toml": "plaintext"
}
}
```
2. Add/Update `.gitattributes`
```text
*.sops.toml linguist-language=JSON
```
3. Add/Update `.sops.yaml`
```yaml
- path_regex: cluster/.*\.sops\.toml
key_groups:
- age:
- age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
```
## App Configuration
Below are the decrypted versions of the sops encrypted toml files.
> `passbcrypt` can be generated [on CyberChef](https://gchq.github.io/CyberChef/#recipe=Bcrypt(12)To_Hex(%27None%27,0))
1. `server.sops.toml`
```toml
debug = true
[ldap]
enabled = true
listen = "0.0.0.0:389"
[ldaps]
enabled = false
[api]
enabled = true
tls = false
listen = "0.0.0.0:5555"
[backend]
datastore = "config"
baseDN = "dc=home,dc=arpa"
```
2. `groups.sops.toml`
```toml
[[groups]]
name = "svcaccts"
gidnumber = 6500
[[groups]]
name = "admins"
gidnumber = 6501
[[groups]]
name = "people"
gidnumber = 6502
```
3. `users.sops.toml`
```toml
[[users]]
name = "search"
uidnumber = 5000
primarygroup = 6500
passbcrypt = ""
[[users.capabilities]]
action = "search"
object = "*"
[[users]]
name = "<name>"
mail = ""
givenname = "<Name>"
sn = "<sn>"
uidnumber = <uid>
primarygroup = <gid>
othergroups = [ <gid> ]
passbcrypt = ""
```

71
kubernetes/cluster-0/apps/crypto/celestia-app/helm-release.yaml Normal file
View File

@@ -0,0 +1,71 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: &app celestia-app
namespace: default
spec:
interval: 15m
chart:
spec:
chart: app-template
version: 1.0.1
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
install:
createNamespace: true
remediation:
retries: 5
upgrade:
remediation:
retries: 5
values:
image:
repository: ghcr.io/auricom/celestia-app
tag: v0.6.0@sha256:43193b1f8a885b00b339be03c260c4ba8445d9dc9f01d87cc237277328c1e6a0
env:
CELESTIA_NODENAME: auricom
CELESTIA_WALLET: auricom_wallet
CELESTIA_CHAIN: mamaki
HOME: /config
command: ["sleep", "6000"]
podSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
fsGroupChangePolicy: "OnRootMismatch"
# envFrom:
# - secretRef:
# name: *app
service:
main:
ports:
p2p:
port: 26656
rpc:
port: 26657
api:
port: 1317
http:
port: 9090
serviceMonitor:
main:
enabled: true
probes:
liveness:
enabled: false
readiness:
enabled: false
startup:
enabled: false
persistence:
data:
enabled: true
existingClaim: celestia-app-config
mountPath: /config
resources:
requests:
memory: 8Gi
cpu: 2

7
kubernetes/cluster-0/apps/crypto/celestia-app/kustomization.yaml Normal file
View File

@@ -0,0 +1,7 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
# - secret.sops.yaml
- volume.yaml
- helm-release.yaml

29
kubernetes/cluster-0/apps/crypto/celestia-app/secret.sops.yaml Normal file
View File

@@ -0,0 +1,29 @@
# yamllint disable
apiVersion: v1
kind: Secret
metadata:
name: celestia-app
namespace: default
type: Opaque
stringData:
var1: ENC[AES256_GCM,data:R0U1RA==,iv:jstvwB3ThGbJ91tmXc6gh2s5zV8+/WuvgHGxOOMNfQ0=,tag:xPtGiP1g30AakWVQT8P9CA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoN0VJaHVYcXNDZDlZUGRn
YUViZDU0TCtmbzkycUpiZUVDbkluSzdSM2hVClpMRDdKREJBZEpEYUIxUGlIem9Q
Z08rVUVLUFhWNGdncElCR2hFVFNJUEUKLS0tIDZzcDVyb0lMTzRrNStBRU1KN2wy
OU81anNCMk13bXNXRVM3ZWcxTjd6SUkKd5FvLfeXe4p7j5eryl9ZuVh6oT920yiy
hsaI1Cwm2WH55lR++P1jtIyTo+lOL5M+IZUeyC7LXBpMp2UBNbllcw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-11-01T19:06:33Z"
mac: ENC[AES256_GCM,data:on2iN61TYFw9M30knGTuMgcS9UxLNKX6d24EpMExsPMwtJlImf5Ty2cqZXit349Z9Ua/TmdE+2Jaki/1vixegkHBurZUfbcD6aUjUkbngJ5nQIncGEMEN//zUXnDFPDYluPRQjPif7A9p+m2xvlFzT0BHZ+W3Lupd4ALFCADLUE=,iv:MOHgauboMc08qj8BwnJ71YtpHYqIHL4bci2ChaSfreU=,tag:Jr5EmtoTVhFY+9P4UnH3DA==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3

17
kubernetes/cluster-0/apps/crypto/celestia-app/volume.yaml Normal file
View File

@@ -0,0 +1,17 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: celestia-app-config
namespace: default
labels:
app.kubernetes.io/name: &name celestia-app
app.kubernetes.io/instance: *name
snapshot.home.arpa/enabled: "false"
spec:
accessModes:
- ReadWriteOnce
storageClassName: rook-ceph-block
resources:
requests:
storage: 300Gi

6
kubernetes/cluster-0/apps/crypto/kustomization.yaml Normal file
View File

@@ -0,0 +1,6 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: default
resources:
- celestia-app

8
kubernetes/cluster-0/apps/databases/kustomization.yaml Normal file
View File

@@ -0,0 +1,8 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: default
resources:
- pgadmin
- postgres
- redis

69
kubernetes/cluster-0/apps/databases/pgadmin/helm-release.yaml Normal file
View File

@@ -0,0 +1,69 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: &app pgadmin
namespace: default
spec:
interval: 15m
chart:
spec:
chart: app-template
version: 1.0.1
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
install:
createNamespace: true
remediation:
retries: 5
upgrade:
remediation:
retries: 5
values:
image:
repository: dpage/pgadmin4
tag: "6.15"
env:
PGADMIN_CONFIG_ENHANCED_COOKIE_PROTECTION: "False"
envFrom:
- secretRef:
name: *app
initContainers:
volume-permissions:
image: dpage/pgadmin4:6.15
command: ["/bin/chown", "-R", "5050:5050", "/var/lib/pgadmin"]
volumeMounts:
- name: config
mountPath: /var/lib/pgadmin
securityContext:
runAsUser: 0
service:
main:
ports:
http:
port: 80
ingress:
main:
enabled: true
ingressClassName: "nginx"
hosts:
- host: &host "{{ .Release.Name }}.${SECRET_CLUSTER_DOMAIN}"
paths:
- path: /
pathType: Prefix
tls:
- hosts:
- *host
persistence:
config:
enabled: true
existingClaim: pgadmin-config
mountPath: /var/lib/pgadmin
resources:
requests:
cpu: 50m
memory: 100Mi
limits:
memory: 500Mi

7
kubernetes/cluster-0/apps/databases/pgadmin/kustomization.yaml Normal file
View File

@@ -0,0 +1,7 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- secret.sops.yaml
- volume.yaml
- helm-release.yaml

30
kubernetes/cluster-0/apps/databases/pgadmin/secret.sops.yaml Normal file
View File

@@ -0,0 +1,30 @@
# yamllint disable
apiVersion: v1
kind: Secret
metadata:
name: pgadmin
namespace: default
type: Opaque
stringData:
PGADMIN_DEFAULT_EMAIL: ENC[AES256_GCM,data:Wd9Qcm7AmuvGHWyfe277NnCDaRiKQw==,iv:rP1B90nsQs5s0OAGvTAW9X99fprpTMa9Y1COgtrcPOI=,tag:odhJmt+W6yoXfEhYPj0Rcw==,type:str]
PGADMIN_DEFAULT_PASSWORD: ENC[AES256_GCM,data:SWUqh0QUjYWjCruuZPQ=,iv:F1rwMkkHu2lgFDlUK5ZPtvY4KWh9kF8S5B0VnsiBUoE=,tag:Haa3c8UsJpQDsYG9hWWj/Q==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJaU16anJNV2pBZmxPR3h2
bWREUnpjcTFvd05ZQ2E4VVBDdm1FL2k4WEYwCkdQSStTNWtpdjNkUW51WS9MekdC
VkpTUUFjSjY2a1JMOUtqOVh5M0JRR2sKLS0tIDRmcWpJSEVvaUp4U1lsaTZYZGNw
OGVKWU0zNUZJSFh4aFJxQWFsYm1VeFkKaDeI/hl7z0Qh8t5W39Kxu9ert1dt4xo+
LX+MjpVqxiZNcfwROD4bkWeQSN+VsxoGOOyj4L15BlggNnlg+L7Hww==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-09-17T07:32:43Z"
mac: ENC[AES256_GCM,data:iWV6sSItfSAGEjpEytnA/33bkseU+rguCuF3OG7ZAnECFgfLOkTqu4prATJwSKnowom+BcjjqbFMNuS3dQ5l+IIrOVkftpjJEXT0L2/5iry7NBePgqraqOvxSMJ9roxk+yHI1GOWo0UEKehYhLxoCe3g32YqTB4ASflKWJU5bzU=,iv:apZ2IbkwLG4Pppu1tvlXAWmsCZLKwbgRh/QBru4kUBI=,tag:hR5dIbKT3IZcQSCOToWFsw==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3

17
kubernetes/cluster-0/apps/databases/pgadmin/volume.yaml Normal file
View File

@@ -0,0 +1,17 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: pgadmin-config
namespace: default
labels:
app.kubernetes.io/name: &name pgadmin
app.kubernetes.io/instance: *name
snapshot.home.arpa/enabled: "true"
spec:
accessModes:
- ReadWriteOnce
storageClassName: rook-ceph-block
resources:
requests:
storage: 1Gi

80
kubernetes/cluster-0/apps/databases/postgres/cluster/helm-release.yaml Normal file
View File

@@ -0,0 +1,80 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: postgres-cluster
namespace: &namespace default
spec:
interval: 15m
chart:
spec:
chart: raw
version: v0.3.1
sourceRef:
kind: HelmRepository
name: dysnix
namespace: flux-system
install:
createNamespace: true
remediation:
retries: 5
upgrade:
remediation:
retries: 5
dependsOn:
- name: postgres
namespace: default
- name: rook-ceph-cluster
namespace: rook-ceph
values:
resources:
- apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
name: postgres
namespace: *namespace
annotations:
kyverno.io/ignore: "true"
spec:
instances: 3
primaryUpdateStrategy: unsupervised
storage:
size: 20Gi
storageClass: rook-ceph-block
superuserSecret:
name: postgres-superuser
monitoring:
enablePodMonitor: true
backup:
retentionPolicy: 30d
barmanObjectStore:
wal:
compression: bzip2
maxParallel: 8
destinationPath: s3://postgresql/
endpointURL: https://truenas.${SECRET_DOMAIN}:9000
serverName: postgres-v3
s3Credentials:
accessKeyId:
name: postgres-minio
key: MINIO_ACCESS_KEY
secretAccessKey:
name: postgres-minio
key: MINIO_SECRET_KEY
# bootstrap:
# recovery:
# source: postgres
# externalClusters:
# - name: postgres
# barmanObjectStore:
# destinationPath: s3://postgresql/
# endpointURL: https://truenas.${SECRET_DOMAIN}:9000
# s3Credentials:
# accessKeyId:
# name: postgres-minio
# key: MINIO_ACCESS_KEY
# secretAccessKey:
# name: postgres-minio
# key: MINIO_SECRET_KEY
# wal:
# maxParallel: 8

6
kubernetes/cluster-0/apps/databases/postgres/cluster/kustomization.yaml Normal file
View File

@@ -0,0 +1,6 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- secret.sops.yaml
- helm-release.yaml

29
kubernetes/cluster-0/apps/databases/postgres/cluster/secret.sops.yaml Normal file
View File

@@ -0,0 +1,29 @@
apiVersion: v1
kind: Secret
type: kubernetes.io/basic-auth
metadata:
name: postgres-superuser
namespace: default
stringData:
username: ENC[AES256_GCM,data:oMwUm7mTJ3U=,iv:hfa6GmA8uFC1gPs7Z0wAaddOhVeHu8FmANOd9n/fLok=,tag:FIv7VhkHlVLq4Q+k7N2DDw==,type:str]
password: ENC[AES256_GCM,data:LCUuhRW3wjkeVQgefTuh9Q==,iv:07R0ZUrLQe8jPZo3wFn/15fXg8yc/pa+a03tWkSrjjM=,tag:0YoG2EZ3JbihlY98ay/5eg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQand1M1U2SytHclJSN1I3
NzdvdjZMQnJPSW9GUXo1SkZ1elRVY1NvK0FJClpiVk9JVWxHSlIwSXZDSWRoOXI4
YkxVeDR5V09OTS92YmpMeUl2a1QyRlUKLS0tIG9iNGJlaDQ3UW1uelFla0cySXRC
SzhQOGRzNnYzcEVjVG0rOUt1T1ZJQkkKtbXybUgBFr69GvBmo8+7J1xrtxJ7y1wo
ZhV6dzuxc2QSd3o9A6f9J/wg9DHtBHviK5nP0K/edHth9darJw/3Eg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-10-25T23:37:50Z"
mac: ENC[AES256_GCM,data:aU5GLUX3Tml3tRZUzRP451X5oeUSEpB2QFp7ys8pnKlskDidWwwy3gCCTeG0gjsmJbYiZqZFS0qnYe5brT1b9gJgQVLTgVA8xcoXMFJnGQfHm+kmqBxfYR2wPyCzE3T/J4/2e01oITuVS5RKtc3/w1L2en8DwttcBBaezh3vRRM=,iv:a11Hm95soVPiALzZSHMkKx+XEdq7PPmVysfhXHY0+pw=,tag:ITVZQw2WSmD9rmU/cSto4w==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3

83
kubernetes/cluster-0/apps/databases/postgres/external-backup/helm-release.yaml Normal file
View File

@@ -0,0 +1,83 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: &app postgres-external-backup
namespace: &namespace default
spec:
interval: 15m
chart:
spec:
chart: raw
version: v0.3.1
sourceRef:
kind: HelmRepository
name: dysnix
namespace: flux-system
install:
createNamespace: true
remediation:
retries: 5
upgrade:
remediation:
retries: 5
dependsOn:
- name: postgres-cluster
namespace: default
values:
resources:
- apiVersion: batch/v1
kind: CronJob
metadata:
name: *app
namespace: *namespace
spec:
schedule: "@daily"
jobTemplate:
spec:
ttlSecondsAfterFinished: 86400
template:
spec:
automountServiceAccountToken: false
restartPolicy: OnFailure
containers:
- name: *app
image: prodrigestivill/postgres-backup-local:15-alpine@sha256:1209779d7b39a9f73d498091452051fedfe140252bff59ea1c42e0a9a8a9b8e0
env:
- name: POSTGRES_HOST
value: postgres-rw.default.svc.cluster.local.
- name: POSTGRES_DB
value: "drone,freshrss,gitea,healthchecks,invidious,joplin,lychee,recipes,sharry,outline,vaultwarden,vikunja,wallabag"
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
name: postgres-superuser
key: username
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: postgres-superuser
key: password
- name: POSTGRES_EXTRA_OPTS
value: "-Z9 --schema=public --blobs"
- name: BACKUP_KEEP_DAYS
value: "7"
- name: BACKUP_KEEP_WEEKS
value: "4"
- name: BACKUP_KEEP_MONTHS
value: "3"
- name: HEALTHCHECK_PORT
value: "8080"
- name: WEBHOOK_URL
value: http://healthchecks.default.svc.cluster.local.:/ping/${SECRET_HEALTHCHECKS_PING_KEY}/postgresql-backup
command:
- "/backup.sh"
volumeMounts:
- name: backups
mountPath: /backups
volumes:
- name: backups
nfs:
server: "${LOCAL_LAN_TRUENAS}"
path: /mnt/storage/backups/postgresql

4
kubernetes/cluster-0/apps/databases/postgres/external-backup/kustomization.yaml Normal file
View File

@@ -0,0 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- helm-release.yaml

29
kubernetes/cluster-0/apps/databases/postgres/helm-release.yaml Normal file
View File

@@ -0,0 +1,29 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: postgres
namespace: default
spec:
interval: 15m
chart:
spec:
chart: cloudnative-pg
version: 0.16.0
sourceRef:
kind: HelmRepository
name: cloudnative-pg
namespace: flux-system
install:
createNamespace: true
remediation:
retries: 5
upgrade:
remediation:
retries: 5
values:
crds:
create: true
config:
data:
INHERITED_ANNOTATIONS: kyverno.io/ignore

18
kubernetes/cluster-0/apps/databases/postgres/kustomization.yaml Normal file
View File

@@ -0,0 +1,18 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- helm-release.yaml
- cluster
- external-backup
- scheduled-backup
configMapGenerator:
- name: cloudnative-pg-dashboard
files:
- cloudnative-pg-dashboard.json=https://raw.githubusercontent.com/cloudnative-pg/charts/main/charts/cnpg-sandbox/dashboard.json
generatorOptions:
disableNameSuffixHash: true
annotations:
kustomize.toolkit.fluxcd.io/substitute: disabled
labels:
grafana_dashboard: "true"

41
kubernetes/cluster-0/apps/databases/postgres/scheduled-backup/helm-release.yaml Normal file
View File

@@ -0,0 +1,41 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: postgres-scheduled-backup
namespace: &namespace default
spec:
interval: 15m
chart:
spec:
chart: raw
version: v0.3.1
sourceRef:
kind: HelmRepository
name: dysnix
namespace: flux-system
install:
createNamespace: true
remediation:
retries: 5
upgrade:
remediation:
retries: 5
dependsOn:
- name: postgres
namespace: default
- name: rook-ceph-cluster
namespace: rook-ceph
values:
resources:
- apiVersion: postgresql.cnpg.io/v1
kind: ScheduledBackup
metadata:
name: postgres
namespace: *namespace
spec:
schedule: "@daily"
immediate: true
backupOwnerReference: self
cluster:
name: postgres

6
kubernetes/cluster-0/apps/databases/postgres/scheduled-backup/kustomization.yaml Normal file
View File

@@ -0,0 +1,6 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- secret.sops.yaml
- helm-release.yaml

31
kubernetes/cluster-0/apps/databases/postgres/scheduled-backup/secret.sops.yaml Normal file
View File

@@ -0,0 +1,31 @@
kind: Secret
apiVersion: v1
type: Opaque
metadata:
name: postgres-minio
namespace: default
labels:
k8s.enterprisedb.io/reload: "true"
stringData:
MINIO_ACCESS_KEY: ENC[AES256_GCM,data:lEOKspQaoN5FxOGSnpQuTAzzHrI=,iv:VJQAWK8Sia/wL4iAdpir5fJxBLP1fDQWqj5pBDO6x/g=,tag:5Jf612CStm7NcW1YdrOq1A==,type:str]
MINIO_SECRET_KEY: ENC[AES256_GCM,data:Saad8zdhNfJdCDM/3cwVAtp/Cx8F0R4AFERJA3xT7ZC7M0GptDVaGg==,iv:DnmbB6VCRa2itDLAYwGL3LkTBQlf4sVwu1O5+ZmuukQ=,tag:fG6XMj/rC3moGKVZJn9PBA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQand1M1U2SytHclJSN1I3
NzdvdjZMQnJPSW9GUXo1SkZ1elRVY1NvK0FJClpiVk9JVWxHSlIwSXZDSWRoOXI4
YkxVeDR5V09OTS92YmpMeUl2a1QyRlUKLS0tIG9iNGJlaDQ3UW1uelFla0cySXRC
SzhQOGRzNnYzcEVjVG0rOUt1T1ZJQkkKtbXybUgBFr69GvBmo8+7J1xrtxJ7y1wo
ZhV6dzuxc2QSd3o9A6f9J/wg9DHtBHviK5nP0K/edHth9darJw/3Eg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-10-25T23:37:42Z"
mac: ENC[AES256_GCM,data:VZ5+kUZsCJxiWV7JS+Enhi0yNJ6m+Oi5IurYNxI0gb2+CqENqn4uvOSNMgKTZAc3d/stuI5OGdBbRJo0aBu0hZ950cgbGV6gfEbzzTO9HRstgAwqnEZHj6DPRLcXkCs0jP1p2p0WICe2HZ113C2aN3MjP47J1Jau3yaJlGOsOuU=,iv:EaxUx+ivqYgBm1wUXsCscoJt7x6+3pSM0QZY8h9eI6U=,tag:Q5ix3VW7C2rgm2R3AMDuDA==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3

67
kubernetes/cluster-0/apps/databases/readme.md Normal file
View File

@@ -0,0 +1,67 @@
# Databases
## Postgres
### S3 Configuration
1. Create `~/.mc/config.json`
```json
{
"version": "10",
"aliases": {
"minio": {
"url": "https://s3.<domain>",
"accessKey": "<access-key>",
"secretKey": "<secret-key>",
"api": "S3v4",
"path": "auto"
}
}
}
```
2. Create the outline user and password
```sh
mc admin user add minio postgresql <super-secret-password>
```
3. Create the outline bucket
```sh
mc mb minio/postgresql
```
4. Create `postgresql-user-policy.json`
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:ListBucket",
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::postgresql/*", "arn:aws:s3:::postgresql"],
"Sid": ""
}
]
}
```
5. Apply the bucket policies
```sh
mc admin policy add minio postgresql-private postgresql-user-policy.json
```
6. Associate private policy with the user
```sh
mc admin policy set minio postgresql-private user=postgresql
```

41
kubernetes/cluster-0/apps/databases/redis/helm-release.yaml Normal file
View File

@@ -0,0 +1,41 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: &app redis
namespace: default
spec:
interval: 15m
chart:
spec:
chart: redis
version: 17.3.11
sourceRef:
kind: HelmRepository
name: bitnami
namespace: flux-system
install:
createNamespace: true
remediation:
retries: 5
upgrade:
remediation:
retries: 5
values:
global:
imageRegistry: public.ecr.aws
storageClass: rook-ceph-block
auth:
enabled: false
sentinel: false
# existingSecret: *app
sentinel:
enabled: true
masterSet: redis-master
getMasterTimeout: 10
startupProbe:
failureThreshold: 2
metrics:
enabled: true
serviceMonitor:
enabled: true

7
kubernetes/cluster-0/apps/databases/redis/kustomization.yaml Normal file
View File

@@ -0,0 +1,7 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: default
resources:
- secret.sops.yaml
- helm-release.yaml

29
kubernetes/cluster-0/apps/databases/redis/secret.sops.yaml Normal file
View File

@@ -0,0 +1,29 @@
# yamllint disable
apiVersion: v1
kind: Secret
metadata:
name: redis
namespace: default
type: Opaque
stringData:
redis-password: ENC[AES256_GCM,data:jDOKfnXB3U1z/aV86U5euK27edk=,iv:9a946UDG5b8CdjVFqcIG5Hfyz/L62gxN4SEhj3Uzo8Q=,tag:/2ZfSSzXnjEcqXhEV/aHFg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBVWZVaFFvMVJRRWR1eUU3
QzI5cjNscE83czk0TG9Ra1JvVmExa0hWbWt3Ck1YY1htcXhDamwxY1pVcE0wS2U3
WWNQbTJFK1dFdEhkMk8vbG9pQlJzN1kKLS0tIDBUTUZhMUF2VVJhbFNpQ1FTNWZC
ZUZsSDdUYXFVb3JROEFnaC8yRU1zZ0UK1klzjeo3oaS6n1Apy0nY746ax2Uxxddg
Mn61QDtkPf8FLNBC3tFTe3pWzhWseD/89WaW3f3GScJxy34SFUZxLQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-09-12T21:08:53Z"
mac: ENC[AES256_GCM,data:vTtJo+nCb8eK9f4jUJHbq2zUXb8kZf5P91qPsfOfBV1wgMbM3YtlkKQFYsg/eAac/JBoRvUGhzsyFc/MEX3mCGVsU8BQ5cPuM54EVGAkrOAHzm3dXVqf1FDVwfeSXuMZ4iHsfKSyTPLcoZfJq5WQ9p/hIA3PSVsVQrmElS4S8/E=,iv:AxOjOctewK7bUrrSH+kfravg7UKBawUD1q/QBdpPDVw=,tag:j5/wMeAh+FdG/RDOpBt4jw==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3

23
kubernetes/cluster-0/apps/development/drone/drone-kubernetes-secrets/helm-release.yaml Normal file
View File

@@ -0,0 +1,23 @@
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: drone-kubernetes-secrets
namespace: default
spec:
interval: 1h
chart:
spec:
chart: drone-kubernetes-secrets
version: 0.1.4
sourceRef:
kind: HelmRepository
name: drone
namespace: flux-system
values:
env:
KUBERNETES_NAMESPACE: default
valuesFrom:
- targetPath: env.SECRET_KEY
kind: Secret
name: drone
valuesKey: DRONE_SECRET_PLUGIN_TOKEN

5
kubernetes/cluster-0/apps/development/drone/drone-kubernetes-secrets/kustomization.yaml Normal file
View File

@@ -0,0 +1,5 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- helm-release.yaml

35
kubernetes/cluster-0/apps/development/drone/drone-runner-kube/helm-release.yaml Normal file
View File

@@ -0,0 +1,35 @@
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: drone-runner-kube
namespace: default
spec:
interval: 1h
chart:
spec:
chart: drone-runner-kube
version: 0.1.10
sourceRef:
kind: HelmRepository
name: drone
namespace: flux-system
dependsOn:
- name: drone-kubernetes-secrets
namespace: default
values:
image:
repository: drone/drone-runner-kube
tag: 1.0.0-beta.5
env:
DRONE_NAMESPACE_DEFAULT: default
DRONE_RPC_HOST: drone.default.svc:8080
DRONE_SECRET_PLUGIN_ENDPOINT: http://drone-kubernetes-secrets.default.svc:3000
valuesFrom:
- targetPath: env.DRONE_RPC_SECRET
kind: Secret
name: drone
valuesKey: DRONE_RPC_SECRET
- targetPath: env.DRONE_SECRET_PLUGIN_TOKEN
kind: Secret
name: drone
valuesKey: DRONE_SECRET_PLUGIN_TOKEN

5
kubernetes/cluster-0/apps/development/drone/drone-runner-kube/kustomization.yaml Normal file
View File

@@ -0,0 +1,5 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- helm-release.yaml

65
kubernetes/cluster-0/apps/development/drone/helm-release.yaml Normal file
View File

@@ -0,0 +1,65 @@
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: drone
namespace: default
spec:
interval: 1h
chart:
spec:
chart: drone
version: 0.6.4
sourceRef:
kind: HelmRepository
name: drone
namespace: flux-system
dependsOn:
- name: drone-runner-kube
namespace: default
- name: gitea
namespace: default
- name: postgres-cluster
namespace: default
values:
image:
repository: drone/drone
tag: 2.15.0
persistentVolume:
enabled: false
env:
DRONE_DATABASE_DRIVER: postgres
DRONE_GIT_ALWAYS_AUTH: true
DRONE_GITEA_SERVER: https://gitea.${SECRET_CLUSTER_DOMAIN}
DRONE_SERVER_HOST: &host drone.${SECRET_CLUSTER_DOMAIN}
DRONE_SERVER_PROTO: https
DRONE_SERVER_PROXY_HOST: drone.default.svc
DRONE_SERVER_PROXY_PROTO: http
DRONE_USER_CREATE: username:context,admin:true
ingress:
enabled: true
className: nginx
hosts:
- host: *host
paths:
- path: /
pathType: Prefix
tls:
- hosts:
- *host
valuesFrom:
- targetPath: env.DRONE_DATABASE_DATASOURCE
kind: Secret
name: drone
valuesKey: DRONE_DATABASE_DATASOURCE
- targetPath: env.DRONE_GITEA_CLIENT_ID
kind: Secret
name: drone
valuesKey: DRONE_GITEA_CLIENT_ID
- targetPath: env.DRONE_GITEA_CLIENT_SECRET
kind: Secret
name: drone
valuesKey: DRONE_GITEA_CLIENT_SECRET
- targetPath: env.DRONE_RPC_SECRET
kind: Secret
name: drone
valuesKey: DRONE_RPC_SECRET

8
kubernetes/cluster-0/apps/development/drone/kustomization.yaml Normal file
View File

@@ -0,0 +1,8 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- drone-kubernetes-secrets
- drone-runner-kube
- helm-release.yaml
- secret.sops.yaml

33
kubernetes/cluster-0/apps/development/drone/secret.sops.yaml Normal file
View File

@@ -0,0 +1,33 @@
# yamllint disable
apiVersion: v1
kind: Secret
metadata:
name: drone
namespace: default
type: Opaque
stringData:
DRONE_DATABASE_DATASOURCE: ENC[AES256_GCM,data:+9NZ76uh+GIJCyXz/4KT9TUhnHRkZ7OCHPEJ9w3zwgxqFhbtf6qRoTbPszumvFkn71xgmBhkul8ZWx6A5/gIhbwfTi3+829VLzBivXdFv0nC9/KYPcEGmsXVMFQ=,iv:NhUdL1/fVhfpsIQYgYGxqhO1zt/4QvgooNb9VVbXrWM=,tag:yWWvV7IwwtlcMYefty3ytw==,type:str]
DRONE_GITEA_CLIENT_ID: ENC[AES256_GCM,data:tcXCVpdKB16QrXd35BhWtafVKgs/BlxWkxK9iQ+sm/wTUren,iv:/zEGKJzuaurIAOWXAhtsRnxkIwmzqrAZkW7rfAaTEVQ=,tag:XnHiNYyHUjsLgnTl62wQPQ==,type:str]
DRONE_GITEA_CLIENT_SECRET: ENC[AES256_GCM,data:wEIM5nc+cmc18ujFztAQQKO0YFXVtH90G+C4yCQOZlUf1xu9R1t2M0iLB7aP+y1lfxo3cgfiT+k=,iv:Nish+j12JfctzLGLXJ6Gle4sJLTDSlPnVMQ9L1BRRTs=,tag:uXWDbzpE13p5X/BnsKvQPQ==,type:str]
DRONE_RPC_SECRET: ENC[AES256_GCM,data:O+YljkHzgFe4HSgSRkosuTTFpaOPSyAjeVpC39BKSIU=,iv:H8SO0S8TL060mnKCOBPWexUNdYwUmyVPdetuoto6uck=,tag:XU8JCsippp0Gadptpuwuog==,type:str]
DRONE_SECRET_PLUGIN_TOKEN: ENC[AES256_GCM,data:rRP1/jdkyHkwTmB8j5svo0xg6YFw64f9EVcoMzyzHbk=,iv:LYMgl50+edTnk0Im7uzLZW0THemraadOpOLkyvL/5Og=,tag:nIkuWVAK1NvawHksQar0tQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBVWZVaFFvMVJRRWR1eUU3
QzI5cjNscE83czk0TG9Ra1JvVmExa0hWbWt3Ck1YY1htcXhDamwxY1pVcE0wS2U3
WWNQbTJFK1dFdEhkMk8vbG9pQlJzN1kKLS0tIDBUTUZhMUF2VVJhbFNpQ1FTNWZC
ZUZsSDdUYXFVb3JROEFnaC8yRU1zZ0UK1klzjeo3oaS6n1Apy0nY746ax2Uxxddg
Mn61QDtkPf8FLNBC3tFTe3pWzhWseD/89WaW3f3GScJxy34SFUZxLQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-11-17T00:42:15Z"
mac: ENC[AES256_GCM,data:D401bweTZOPX4wlHObquqTGTVmO7beunzjzGlJMYmxsMVA0lxYqs6tzrjbb/0yy/Dhee6CUCalstX977HltaEOg3TlPdo60wsQe2K4Zl9rikbj7fIM+Qfw433HY4QZ+Rp7oEr5rUXVrGo3zUtaFDBTm5T4x9prDZWL6awGNwGDo=,iv:waybTiK127sh167CfzUwkHnbkzWw28UWYxR4w4QhSK0=,tag:PRV/ruen25JVNnBu7so0tw==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3

115
kubernetes/cluster-0/apps/development/gitea/external-backup/helm-release.yaml Normal file
View File

@@ -0,0 +1,115 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: &app gitea-external-backup
namespace: &namespace default
spec:
interval: 15m
chart:
spec:
chart: raw
version: v0.3.1
sourceRef:
kind: HelmRepository
name: dysnix
namespace: flux-system
install:
createNamespace: true
remediation:
retries: 5
upgrade:
remediation:
retries: 5
dependsOn:
- name: gitea
namespace: default
values:
resources:
- apiVersion: batch/v1
kind: CronJob
metadata:
name: *app
namespace: *namespace
spec:
schedule: "@daily"
jobTemplate:
spec:
template:
metadata:
name: *app
spec:
containers:
- name: *app
image: ghcr.io/auricom/kubectl:1.25.4@sha256:eef66c93cd48cacb338a8994632e0b75aafeac2fbdcc5c64314a9bf422d0380c
imagePullPolicy: IfNotPresent
command:
- "/bin/bash"
- "-c"
- |
#!/bin/bash
set -o nounset
set -o errexit
mkdir -p ~/.ssh
cp /opt/id_rsa ~/.ssh/id_rsa
chmod 600 ~/.ssh/id_rsa
ssh -o StrictHostKeyChecking=no homelab@${LOCAL_LAN_TRUENAS} << 'EOF'
set -o nounset
set -o errexit
WORK_DIR="/mnt/storage/backups/apps/gitea"
ORGANISATIONS=$(curl --silent --location --request GET "https://gitea.${SECRET_CLUSTER_DOMAIN}/api/v1/orgs" --header "Authorization: Bearer ${SECRET_GITEA_API_TOKEN}" | jq --raw-output .[].username)
ORGANISATIONS+=" auricom"
for org in $ORGANISATIONS
do
mkdir -p $WORK_DIR/$org
if [ $org == "auricom" ]; then
keyword="users"
else
keyword="orgs"
fi
REPOSITORIES=$(curl --silent --location --request GET "https://gitea.${SECRET_CLUSTER_DOMAIN}/api/v1/$keyword/$org/repos?limit=1000" --header "Authorization: Bearer ${SECRET_GITEA_API_TOKEN}" | jq --raw-output .[].name)
for repo in $REPOSITORIES
do
if [ -d "$WORK_DIR/$org/$repo" ]; then
echo "INFO: pull $org/$repo..."
cd $WORK_DIR/$org/$repo
git remote show origin -n | grep -c main &> /dev/null && MAIN_BRANCH="main" || MAIN_BRANCH="master"
git fetch --all
test $? -ne 0 && exit 1
git reset --hard origin/$MAIN_BRANCH
test $? -ne 0 && exit 1
git pull origin $MAIN_BRANCH
test $? -ne 0 && exit 1
echo "INFO: clean $org/$repo..."
git fetch --prune
for branch in $(git branch -vv | grep ': gone]' | awk '{print $1}')
do
git branch -D $branch
done
else
echo "INFO: clone $org/$repo..."
cd $WORK_DIR/$org
git clone git@gitea.${SECRET_DOMAIN}:$org/$repo.git
test $? -ne 0 && exit 1
fi
done
done
echo "INFO: Backup done"
curl -m 10 --retry 5 https://healthchecks.${SECRET_CLUSTER_DOMAIN}/ping/${SECRET_HEALTHCHECKS_PING_KEY}/k3s-gitea-repositories-backup
EOF
volumeMounts:
- name: secret
mountPath: /opt/id_rsa
subPath: deployment_rsa_priv_key
volumes:
- name: secret
secret:
secretName: gitea-config
restartPolicy: Never

4
kubernetes/cluster-0/apps/development/gitea/external-backup/kustomization.yaml Normal file
View File

@@ -0,0 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- helm-release.yaml

163
kubernetes/cluster-0/apps/development/gitea/helm-release.yaml Normal file
View File

@@ -0,0 +1,163 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: gitea
namespace: default
spec:
interval: 15m
chart:
spec:
chart: gitea
version: 6.0.3
sourceRef:
kind: HelmRepository
name: gitea
namespace: flux-system
install:
createNamespace: true
remediation:
retries: 5
upgrade:
remediation:
retries: 5
dependsOn:
- name: postgres-cluster
namespace: default
values:
image:
repository: gitea/gitea
tag: 1.17.3
rootless: true
containerSecurityContext:
capabilities:
add: ["SYS_CHROOT"]
gitea:
admin:
username: auricom
config:
APP_NAME: "Gitea Homelab"
cron.resync_all_sshkeys:
ENABLED: true
RUN_AT_START: true
database:
DB_TYPE: postgres
HOST: postgres-rw.default.svc.cluster.local.:5432
NAME: gitea
SCHEMA: public
SSL_MODE: disable
server:
SSH_PORT: 22
SSH_LISTEN_PORT: 30322
SSH_DOMAIN: gitea.${SECRET_DOMAIN}
ROOT_URL: https://gitea.${SECRET_CLUSTER_DOMAIN}
respository:
DEFAULT_BRANCH: main
DEFAULT_PRIVATE: true
admin:
DISABLE_REGULAR_ORG_CREATION: true
security:
PASSWORD_COMPLEXITY: "lower,upper"
MIN_PASSWORD_LENGTH: 12
service:
DISABLE_REGISTRATION: true
REQUIRE_SIGNIN_VIEW: true
cron:
ENABLED: true
attachment:
STORAGE_TYPE: minio
MINIO_ENDPOINT: truenas.${SECRET_DOMAIN}:9000
MINIO_BUCKET: gitea
MINIO_USE_SSL: true
storage:
STORAGE_TYPE: minio
MINIO_ENDPOINT: truenas.${SECRET_DOMAIN}:9000
MINIO_BUCKET: gitea
MINIO_USE_SSL: true
mailer:
ENABLED: true
MAILER_TYPE: smtp
HOST: smtp-relay.default:2525
FROM: "Gitea <gitea@${SECRET_DOMAIN}>"
# openid:
# ENABLE_OPENID_SIGNIN: false
# ENABLE_OPENID_SIGNUP: true
# WHITELISTED_URIS: "auth.${SECRET_CLUSTER_DOMAIN}"
# oauth:
# - name: authelia
# provider: openidConnect
# key: gitea
# secret: "${SECRET_GITEA_OAUTH_CLIENT_SECRET}"
# autoDiscoverUrl: "https://auth.${SECRET_CLUSTER_DOMAIN}/.well-known/openid-configuration"
# groupClaimName: groups
# adminGroup: admins
# restrictedGroup: people
metrics:
enabled: true
serviceMonitor:
enabled: true
podAnnotations:
secret.reloader.stakater.com/reload: gitea-config
postgresql:
enabled: false
memcached:
enabled: false
persistence:
enabled: true
existingClaim: "gitea-config"
service:
ssh:
type: LoadBalancer
port: 22
loadBalancerIP: ${CLUSTER_LB_GITEA}
ingress:
enabled: true
className: nginx
hosts:
- host: "gitea.${SECRET_CLUSTER_DOMAIN}"
paths:
- path: /
pathType: Prefix
tls:
- hosts:
- "gitea.${SECRET_CLUSTER_DOMAIN}"
resources:
requests:
cpu: 15m
memory: 226M
limits:
cpu: 500m
memory: 1Gi
valuesFrom:
- targetPath: gitea.admin.email
kind: Secret
name: gitea-config
valuesKey: adminEmail
- targetPath: gitea.admin.password
kind: Secret
name: gitea-config
valuesKey: adminPassword
- targetPath: gitea.config.attachment.MINIO_ACCESS_KEY_ID
kind: Secret
name: gitea-config
valuesKey: minioAccessKeyId
- targetPath: gitea.config.attachment.MINIO_SECRET_ACCESS_KEY
kind: Secret
name: gitea-config
valuesKey: minioSecretAccessKey
- targetPath: gitea.config.database.PASSWD
kind: Secret
name: gitea-config
valuesKey: dbPassword
- targetPath: gitea.config.database.USER
kind: Secret
name: gitea-config
valuesKey: dbUser
- targetPath: gitea.config.storage.MINIO_ACCESS_KEY_ID
kind: Secret
name: gitea-config
valuesKey: minioAccessKeyId
- targetPath: gitea.config.storage.MINIO_SECRET_ACCESS_KEY
kind: Secret
name: gitea-config
valuesKey: minioSecretAccessKey

7
kubernetes/cluster-0/apps/development/gitea/kustomization.yaml Normal file
View File

@@ -0,0 +1,7 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- secret.sops.yaml
- volume.yaml
- helm-release.yaml
- external-backup

34
kubernetes/cluster-0/apps/development/gitea/secret.sops.yaml Normal file
View File

@@ -0,0 +1,34 @@
kind: Secret
apiVersion: v1
type: Opaque
metadata:
name: gitea-config
namespace: default
stringData:
adminEmail: ENC[AES256_GCM,data:KUhhtTXAU/lcKVsuy3tF+QjgRk8m,iv:goqGhOEkpbnYa6uELXYfdQjCdKPOW2KGAjb4cfdHrn0=,tag:SFENNvmSkEfcAgat/BHksg==,type:str]
adminPassword: ENC[AES256_GCM,data:SMR6vlFSysGv7iG+zjk=,iv:PtceAzAWR1nc8nACAYSOe+19evR9+orQa9DRzbcXU4U=,tag:Rq+3Ua0XhOzsnFw6/OdY4A==,type:str]
dbUser: ENC[AES256_GCM,data:4Mb4+JI=,iv:qTzsuXkJGFEtKjoKcAWD2VoBCD4GIH9UsBSWUknez8c=,tag:p5Q0R1DdJuZmpPiBYZxV0A==,type:str]
dbPassword: ENC[AES256_GCM,data:h/qQ43+3E9DfSlY6eww=,iv:ppvnc3A4binyLwnNuEPzmQCyc11RUSZ9cSw0cRYjLdI=,tag:iBXRYFPBCn4AdkdoRZK4eg==,type:str]
minioAccessKeyId: ENC[AES256_GCM,data:Gh41eINrkyjgEpTO5O+5lPWNPd8=,iv:XFH3RvyJwUEtszqtKVjLtMxTamPHPx4Aqi0PqsUmDCQ=,tag:abNj9gjgSlPJFsS9DBs+gw==,type:str]
minioSecretAccessKey: ENC[AES256_GCM,data:ZiCMwvRnVavI62F7+OIDoYEOSvM9Jfh1eqJGbJjOR+GiC2YXw7T4+A==,iv:bbCaIOXhwrCFqiu8AQ1qyWzE+yuTotCjJgaK14qC1Qs=,tag:ZESnmDhsgqffe1rdKoVStQ==,type:str]
deployment_rsa_priv_key: ENC[AES256_GCM,data:3Olhz6VZ6oI18hwCUDIHNLUEMM7PnGIcDDTCtX7sb6+yOmmW8cyKfZo2Ks6c4pEXJjWQ0JpvIYd/JMP53Noyb62H2+JAlcnIYgivJYpKmZ2fFD5i9Nyg+a91w6xkwwfBHEO6BBGAM4j3wARfFqLo4xqQFgf0/2DEUMVwHgXP6JGuqik+fOTHFRP66fQ16m+p+3iig1cvMvkjN7y/KmuBgT8w3VBJ6xukb/rC3mx+h5KIhoMfi+aBXi/SI7hUvnDPmaJs2Q/QlpcudQQHEYC51df0uGEeJaM/136+BON6B8fi2xUw1y/zYPJFabZg3b5Y7KRxKrDUJyOclaXEi8ZI+1Wz64KJ3Zhb7bITNLX7iIMuE2bQZq574xJre5HH/aI6/VAwLIKOFAV/l+WadfEh+1mbmoGRhjC3Ylin01mC9/z+8dxnG5sX+DvGzG7EiwoApIHpEZ4n7DZThi9xR1RSfYCqG5K9D3q+RpsnVoi6busJbevJ9U7fb0Yq7iiZfv+iiZc8HmEWyAy6r967oUGNss8VF/ahucP4uAE6nzTVadOSLc/UyS/jeil593SSn62h2hDYPuDxP/M3odiI40m0kCMuLNdIxFDl8xXNtSNy5nUmdlP/Ez9ach5Zigw+gJaeK/CVhr2e6TFkzfcYri7ryOVVNmoFw6hr66TXGjiwHATj6Ucpm0OLS1C2GP/G5FGqpdbYMTxe6JCOQggnBXLe3v5Dtr2Qrp49yA8UxLG5Ksxxd19Q1uaudWbc4S/Lg6gfey7IkuaMQ6zGIAE8vMNnKHdx0XBqKwBpwajCsFXDCrTnAs6YyST1KXHm/YmRep5KcMMuUk3UhE6TwAYTNK9SHSwXHOxaRETrVnf1XEzg7GATomW7U3Gp4v4OAnZy2T/7NJ1EfhQiMjw4J3RKN7bswITmfhLamXwDk6tiVGv9pQdsAEtr0+A5kKXV2kNXGfZ5U1Uv0wdcAhXxYnc0TaFmQ2J95Kljl/O+SYFxv3UyvQs4O1JQdeXVIrqpRzGtMRQHaPpaT0FMlk5ntShRQhGYZEoHknKw0cniajNpfCC6pqNEGbcL6PhROx9X2AK59YveX4g2z2jEhfrzb/eRow2Ha5gubmMGnwiV07wwzEe5VQCwDQgdcAc8l2bbkpgcws8RCg342towNRwjq81fqWX+hWsufXxIip9PX+AQsAcBpbdfcAEbcxLQLhkxCqA23+k+Ih8Yt/4qqKCT7QMyiJgRmigaXW5J61lVSuRjU2gQfGOqjtqQc23K6bUzrzgGiymWJEMMwKOJuxJiKk7uTs2xowmiSgFsfFdsiD+3UzOX5Fh6Y0OV858oXpzx/vD8J9RwrLnsV36xfeXPX1yh8UoCc0ZeVyvvWvXIa942RSDXtvgt86Y4kT/uTIEKrikReCD1K+1BdE8bwaMHakrKYrRwbauQM3S2SV17/XC6t8A1f4vu8/vV5Ir1oge2tFI/pJU6AqF/k7Lit1JTWXf1qiXxAxFEJJDzuwABWLQKvw1QUBHQiR/Kq5myDN589qSU5/C2zh1zq8k7BE54NR1ZyCAnIkmbZNMEMBNMArr44DbTgm5tiGhCh+OgJD/5DUGi1+E6a4IqoMzgvh3ToHAKveSz3mRQwhXx7RJH4WFkcGBVUaQohg2YlqIQilb1NFHwG5UFnoXlVPY0VpIhyoFCfvg2X/L1UmfpU7V9OpKHOcMFQ0A7YIGXgp/nGVZZchuOcuiwkF5z/GTI14RZOiBFh5P2LR3pa56j4P4PrhWV5mGgAkdfDvh0DY0yWRTzjo0piZPBCnLf/hUn8rpT9T8xIqz0EDoH3pHRR/VKgGxFOcgRecSD+fTnYFGUEi4akcBT5Lgm11/c3VNbO3/nZq6dlTxbjT8/VGOps/tPWPHUUbf/8U1NTD46zjbRGWEjod7Pwnz1hFxU3ql0KBDBhS/J+0kSmz98CPmeS8uW0OCKPFvIoPYJhr9CsxJNVEiW2+pd/WabvlIeOXtmQKjjwvmQaW77FTkKVP8Y0+9qH8Ln4M9h4QrP69YHGBtt3oIej5MUDCoZ+ut1L7ikEHbuOEb1c1a2z0PdzooudgT+NMhcBlGCpoUiC9ZcspOJn+nU6IBkJ2Sjyfl/BrMTBmJ+rs3suoEY3NvA4gWRU9xevNKpjqNRtxiYLll1JZl43lJL5RkG4bXb5JK4nSwJfADu6aIhWL2IjpFYd93A4lg19jf3nVpcazxFXcYY7UpYDhOb7fbWYmI6xV+AX52SwTKRM9fLK7j0EWx/fo0SfdZUNl4T/dtPsqe8Te/ZzkQlHA8tbC5kQeEJxGw72lvjMHNq4Fv0hVZ7r4gEFZhiPlciYG9cOwG1A2GifGthy+1fsCnKxNBx/5Cf+1OOz8AY7ZL9ECSPOrK3zlpXC6P6HhxokvTe5qY9eIR0ztYg1vgxz+XrqzOU7drfUdDigt+uqRZwvfC5AoNF2e5bFO+y83fdeVisZI0qtsOElhBYS6EIHmh1LRNhRfD3tpRyFinNlVVbOy/33A7yEUv+ieO9hL5VOvkJEvEdmeTtcCevniESu2tQEANFUiI6NpoxNycmJaCeejiZ5LvrC+BQjylqPIqAhgHdfWDIcmKjRQuolkOQ2PbzRrGCCcV3sbDaCbH769hGrdBV06bN3gNZNvnAo6kafEw62RGRaGjxJ/O8zHRALVwDECLtE3yW9ghjgPdw2zGItza0qlG2Hr+nzER9aMLWI4dzqnMNFTtiqJDLkL2Qo33h8qtGTtIEuP8jjTbGqMbs8xFzsqPkeSROW34kLAzJold7JAoRLevFGAshk0kGv4C+sXexBwNuTn4JduUdB6niVxzKkhQM3OcKNuFQ0tZNQY8fxbg0h2YhONG3spfQ8UC2bT2lSJfWec26fP8W2VzjjVLeNxpODco0eHre3i/6BRSEn8q2i+n15zKtiDlcEw8R7phnjB3I+JCZAvwy33mI0qJ/5fKIzRKtYtzPWRDcoOazdtfByBZrXjVUpSIm0e4Dxl1AIyKj5ec5DC2Czv1p+uUYMA5lhw1alXOSrlzJnRnsnohtdXIgH+xEf19V6zYf6IQBsB+4Kz1hQYo1IVwKj6qkXReNy9tQ5OrBFMzDLrbCd50gaMyT+86R8EsSZ2nW5anIaMxvSERdmED7QZkizeyUHLyLFPduv20OYQbaUxQ0oRWxpCY9OOq/vxOwLLqoRU+ohc7wnLCjsUmjQA5V5zlBYok8TMv971WM2rqmOfa7F5uOxiQ5RJ4GLCMryBl0UuLpNmN2JTdq3RjzduiQP/osJspJP0evz9ln9b0sdf6KqSnCnTiu2NUMZHhj7oGpFjBZpG7KWROVcjUiS0OVmKWjbYHJE5DNXAK9zcHodPxrAYVxUG+lDhVJ+4GmNY5o+KO5yCOswD93HrTX+KkwaLG9vhdKM3IrC6ttynCzvl1CME5A9HL+VszsJQoXWnZYNl36pD7p1k8AMqINeAN+KahalogAoMXk,iv:CYw3LLwOeyEu3/BK/SjdjneQvXPk2mHMPiFm2T4sXHQ=,tag:Et4HAytIgiVg4n8+D5anfw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSd2h2N2RELzkvODM0WE1p
c1M3bEQxdDZkZ3Zlcm9uKzFWYklLWWpUYXhvCkN1bXU3YmNrY255RmkwSXFDWmt1
dHExaGZRODhKdm1NR2xYV29CeE5vbk0KLS0tIHpBUGVaNUhKaE5UOU1hM3c0akxX
ZWRhWnBrY1FBNVQyOU0yVGFXb0QrVnMK26Nc5Bw/jOzuxXcufHcxnugG1bzqO9T8
LNIau17zdWX5bfWGDj++ipnm8x1sPswEULal4U2Muc2Iy7GuZPhVyg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-11-16T22:14:19Z"
mac: ENC[AES256_GCM,data:IbNuB2a6Pm2NTA6OS45kmYIdqZZIG1iJewt6n0rWLdYrbaGNGKt1ig0oTu/ubJSHNb/OgoN+fKEj/JQ+kJhwUiTEQhH+IUwPtUZeb0C0/QqatqCXoQk4qBOTuwea4gLLMHqoIwP0fETLiaVphNK7llPaI7aW0Li0W9yAdhu3VCs=,iv:utxR9+tJ8elgdvOQg5eoClb/4DDJyzvz2eWuCDNU3V0=,tag:Y8qEcwVwW2FoUOXZRQHEgA==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3

17
kubernetes/cluster-0/apps/development/gitea/volume.yaml Normal file
View File

@@ -0,0 +1,17 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: gitea-config
namespace: default
labels:
app.kubernetes.io/name: &name gitea
app.kubernetes.io/instance: *name
snapshot.home.arpa/enabled: "true"
spec:
accessModes:
- ReadWriteOnce
storageClassName: rook-ceph-block
resources:
requests:
storage: 10Gi

5
kubernetes/cluster-0/apps/development/kustomization.yaml Normal file
View File

@@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- drone
- gitea

67
kubernetes/cluster-0/apps/development/readme.md Normal file
View File

@@ -0,0 +1,67 @@
# Development
## Gitea
### S3 Configuration
1. Create `~/.mc/config.json`
```json
{
"version": "10",
"aliases": {
"minio": {
"url": "https://s3.<domain>",
"accessKey": "<access-key>",
"secretKey": "<secret-key>",
"api": "S3v4",
"path": "auto"
}
}
}
```
2. Create the gitea user and password
```sh
mc admin user add minio gitea <super-secret-password>
```
3. Create the gitea bucket
```sh
mc mb minio/gitea
```
4. Create `gitea-user-policy.json`
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:ListBucket",
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::gitea/*", "arn:aws:s3:::gitea"],
"Sid": ""
}
]
}
```
5. Apply the bucket policies
```sh
mc admin policy add minio gitea-private gitea-user-policy.json
```
6. Associate private policy with the user
```sh
mc admin policy set minio gitea-private user=gitea
```

6
kubernetes/cluster-0/apps/documentation/kustomization.yaml Normal file
View File

@@ -0,0 +1,6 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: default
resources:
- outline

71
kubernetes/cluster-0/apps/documentation/outline/helm-release.yaml Normal file
View File

@@ -0,0 +1,71 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: &app outline
namespace: default
spec:
interval: 15m
chart:
spec:
chart: app-template
version: 1.0.1
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
install:
createNamespace: true
remediation:
retries: 5
upgrade:
remediation:
retries: 5
dependsOn:
- name: postgres
namespace: default
- name: redis
namespace: default
values:
controller:
replicas: 1
strategy: RollingUpdate
image:
repository: docker.io/outlinewiki/outline
tag: 0.66.3
envFrom:
- secretRef:
name: *app
command: ["/bin/sh", "-c", "yarn db:migrate && yarn start"]
service:
main:
ports:
http:
port: 80
ingress:
main:
enabled: true
ingressClassName: "nginx"
hosts:
- host: &host "docs.${SECRET_CLUSTER_DOMAIN}"
paths:
- path: /
pathType: Prefix
tls:
- hosts:
- *host
podAnnotations:
secret.reloader.stakater.com/reload: *app
topologySpreadConstraints:
- maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: DoNotSchedule
labelSelector:
matchLabels:
app.kubernetes.io/name: *app
resources:
requests:
cpu: 10m
memory: 50Mi
limits:
memory: 500Mi

10
kubernetes/cluster-0/apps/documentation/outline/kustomization.yaml Normal file
View File

@@ -0,0 +1,10 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: default
resources:
- secret.sops.yaml
- helm-release.yaml
patchesStrategicMerge:
- patches/env.yaml
- patches/postgres.yaml

32
kubernetes/cluster-0/apps/documentation/outline/patches/env.yaml Normal file
View File

@@ -0,0 +1,32 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: outline
namespace: default
spec:
values:
env:
AWS_REGION: us-east-1
AWS_S3_ACL: private
AWS_S3_FORCE_PATH_STYLE: "true"
AWS_S3_UPLOAD_BUCKET_NAME: outline
AWS_S3_UPLOAD_BUCKET_URL: "https://truenas.${SECRET_DOMAIN}:9000"
AWS_S3_UPLOAD_MAX_SIZE: "26214400"
ENABLE_UPDATES: "false"
OIDC_AUTH_URI: "https://auth.${SECRET_CLUSTER_DOMAIN}/api/oidc/authorization"
OIDC_CLIENT_ID: outline
OIDC_CLIENT_SECRET: "${SECRET_OUTLINE_OAUTH_CLIENT_SECRET}"
OIDC_DISPLAY_NAME: Authelia
OIDC_SCOPES: "openid profile email offline_access"
OIDC_TOKEN_URI: "https://auth.${SECRET_CLUSTER_DOMAIN}/api/oidc/token"
OIDC_USERINFO_URI: "https://auth.${SECRET_CLUSTER_DOMAIN}/api/oidc/userinfo"
OIDC_USERNAME_CLAIM: email
PORT: 80
REDIS_URL: ioredis://eyJkYiI6MTUsInNlbnRpbmVscyI6W3siaG9zdCI6InJlZGlzLW5vZGUtMC5yZWRpcy1oZWFkbGVzcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FsIiwicG9ydCI6MjYzNzl9LHsiaG9zdCI6InJlZGlzLW5vZGUtMS5yZWRpcy1oZWFkbGVzcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FsIiwicG9ydCI6MjYzNzl9LHsiaG9zdCI6InJlZGlzLW5vZGUtMi5yZWRpcy1oZWFkbGVzcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FsIiwicG9ydCI6MjYzNzl9XSwibmFtZSI6InJlZGlzLW1hc3RlciJ9
SMTP_HOST: smtp-relay.default.svc.cluster.local.
SMTP_PORT: 2525
SMTP_FROM_EMAIL: "outline@${SECRET_DOMAIN}"
SMTP_SECURE: "false"
URL: "https://docs.${SECRET_CLUSTER_DOMAIN}"
WEB_CONCURRENCY: 10

24
kubernetes/cluster-0/apps/documentation/outline/patches/postgres.yaml Normal file
View File

@@ -0,0 +1,24 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: &app outline
namespace: default
spec:
values:
initContainers:
init-db:
image: ghcr.io/onedr0p/postgres-initdb:14.5
env:
- name: POSTGRES_HOST
value: postgres-rw.default.svc.cluster.local.
- name: POSTGRES_DB
value: *app
- name: POSTGRES_SUPER_PASS
valueFrom:
secretKeyRef:
name: postgres-superuser
key: password
envFrom:
- secretRef:
name: *app

35
kubernetes/cluster-0/apps/documentation/outline/secret.sops.yaml Normal file
View File

@@ -0,0 +1,35 @@
# yamllint disable
apiVersion: v1
kind: Secret
metadata:
name: outline
namespace: default
type: Opaque
stringData:
AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:ZJ6v/Kyxxy5mu2XrA003uRVHRzI=,iv:0tBr1HSrUNMQMxFi+RzgfKV7x/Ee99dL5DFXMSFjJtw=,tag:v7AVhxXjVV3cvpAANGVLeg==,type:str]
AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:2GGPneKPmFEtq3A9X7fskiv/FnKv5deoyzNx0/euYrTOJKrRiTgj8g==,iv:u1LLrjxP1GwWcM1FJLjB9OpUFTPI0D9IZEX86IHGpmU=,tag:7vq4QeQagU2B9+WShheDKg==,type:str]
SECRET_KEY: ENC[AES256_GCM,data:RUjf4wghv9PnDdSNWeytoDRzH+A7wa8RNYDP+MYIf8KHjOGyVNzZwEuS8ah8wy8tvBWAE9kykOC1KhP+wFofIA==,iv:3z7NZ87ILlyrkx4YMWQ9uFL2W31bTmwZFkJxOHgSVvo=,tag:umplfrhjvCZX9Ucneo7Q+Q==,type:str]
UTILS_SECRET: ENC[AES256_GCM,data:r5DADkQbM5fEBsWs7ddUx2PXnt+ePiQcJZgKMmHYpkddmPFeS5xpJGgbhun7v409aKJLQRm/tUIysBlxHlnSbA==,iv:cP2KQeUmgjoXuY7UnQ57M4tBUeO0hELGe+HrSB5RJ3Q=,tag:HD4lccnbZXjllmOLyEHY3Q==,type:str]
DATABASE_URL: ENC[AES256_GCM,data:NAAK6EBbngEf1uW7o8Qi2gZJ9z6VYP0btsbKrkf3O/ZmbcRCCUYXfKYg7zUZiyXmyUSqZboCIi7TDPBotrjhimTBelbx/WD0S/41kZBQWYHDIZ2+nYyCGRxP,iv:q1zxJ2oRN6okkOeqrzK0cKaD2dkEGzgC7cqv+kNjCy0=,tag:xltRDd+u16SCJJPh5UU3oQ==,type:str]
POSTGRES_USER: ENC[AES256_GCM,data:4FlwiUkmmQ==,iv:f/mOMCV34bvseHAJ37AaUIZUYcBobtdIAYN/5ONhGbg=,tag:HFvPkQh2i/BtnynAjP0uhg==,type:str]
POSTGRES_PASS: ENC[AES256_GCM,data:/54bUXgZFUnxvB5kqqvU0gbedzc=,iv:sRVKl5qH9zY6pOrzYaIOmF5BG7qahOSb5WFWt8I+BNw=,tag:EkofX2OPX4VdvJNyX2t39Q==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFYUFSaFFVbVgyTXkzbmFR
NHllQjdJcEUxdlloWC9sSGtJNnBoL0xIM1VjCmk4NFpEM0ZFOEJKWCtyNkRTVkdw
SFVBY1J4c1VUdnQxZnVOWHFWbmYzRlUKLS0tIDE0L3VybUhnSkJlYStxR0k4dzZ6
eGsyL3NhNS8xdUp0VlNQbWRYbHFLYW8KeMc82BlegMJMtAF/WGMbXhpf2MVvUP5q
ehHCSwpe3a8WwXEBNu1u5IPcnMO4Fo5HhjLbMx6H1Ynd6KdyDXUKEg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-11-19T22:40:33Z"
mac: ENC[AES256_GCM,data:nrFpZ3+UBaW9n0uTIArIyPuMuQyh0IHqu5KmcUZHk2weKEQshkx3jfNmpsMieKRbdZjPbopqggeq5wN+6dD01M8+nTMBMNnBCIZMi0SIAVFybwzIR7op5CAAWsCmQuOy3GYCrLrMhujPsN2TBM9VEmlPA5xZRYslNlQShZWrGiQ=,iv:I/tKIbAGkBgh+ruQBCNQ7TxSp4fkknb/rDjAE3BdjIM=,tag:hNF1kscQEMgAElWlpSqzYg==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3

130
kubernetes/cluster-0/apps/documentation/readme.md Normal file
View File

@@ -0,0 +1,130 @@
# Documentation
## Outline
### Redis Sentinel Configuration
1. Create base64 encoded Redis configuation
```sh
echo -n '{"db":15,"sentinels":[{"host":"redis-node-0.redis-headless.default.svc.cluster.local","port":26379},{"host":"redis-node-1.redis-headless.default.svc.cluster.local","port":26379},{"host":"redis-node-2.redis-headless.default.svc.cluster.local","port":26379}],"name":"redis-master"}' \
| base64 -w 0
```
2. Use this base64 encoded string in the Kubernetes secret
```yaml
REDIS_URL: ioredis://eyJkYiI6MTUsInNlbnRpbmVscyI6W3siaG9zdCI6InJlZGlzLW5vZGUtMC5yZWRpcy1oZWFkbGVzcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FsIiwicG9ydCI6MjYzNzl9LHsiaG9zdCI6InJlZGlzLW5vZGUtMS5yZWRpcy1oZWFkbGVzcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FsIiwicG9ydCI6MjYzNzl9LHsiaG9zdCI6InJlZGlzLW5vZGUtMi5yZWRpcy1oZWFkbGVzcy5kZWZhdWx0LnN2Yy5jbHVzdGVyLmxvY2FsIiwicG9ydCI6MjYzNzl9XSwibmFtZSI6InJlZGlzLW1hc3RlciJ9
```
## S3 Configuration
1. Create `~/.mc/config.json`
```json
{
"version": "10",
"aliases": {
"minio": {
"url": "https://s3.<domain>",
"accessKey": "<access-key>",
"secretKey": "<secret-key>",
"api": "S3v4",
"path": "auto"
}
}
}
```
2. Create the outline user and password
```sh
mc admin user add minio outline <super-secret-password>
```
3. Create the outline bucket
```sh
mc mb minio/outline
```
4. Create `outline-user-policy.json`
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Action": [
"s3:ListBucket",
"s3:PutObject",
"s3:GetObject",
"s3:DeleteObject"
],
"Effect": "Allow",
"Resource": ["arn:aws:s3:::outline/*", "arn:aws:s3:::outline"],
"Sid": ""
}
]
}
```
5. Create `bucket-policy.json`
```json
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {
"AWS": ["*"]
},
"Action": ["s3:GetBucketLocation"],
"Resource": ["arn:aws:s3:::outline"]
},
{
"Effect": "Allow",
"Principal": {
"AWS": ["*"]
},
"Action": ["s3:ListBucket"],
"Resource": ["arn:aws:s3:::outline"],
"Condition": {
"StringEquals": {
"s3:prefix": ["avatars", "public"]
}
}
},
{
"Effect": "Allow",
"Principal": {
"AWS": ["*"]
},
"Action": ["s3:GetObject"],
"Resource": [
"arn:aws:s3:::outline/avatars*",
"arn:aws:s3:::outline/public*"
]
}
]
}
```
6. Apply the bucket policies
```sh
mc admin policy add minio outline-private outline-user-policy.json
```
7. Associate private policy with the user
```sh
mc admin policy set minio outline-private user=outline
```
8. Associate public policy with the bucket
```sh
mc anonymous set-json bucket-policy.json minio/outline
```

69
kubernetes/cluster-0/apps/downloaders/flood/helm-release.yaml Normal file
View File

@@ -0,0 +1,69 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: &app flood
namespace: default
spec:
interval: 15m
chart:
spec:
chart: app-template
version: 1.0.1
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
install:
createNamespace: true
remediation:
retries: 5
upgrade:
remediation:
retries: 5
values:
image:
repository: jesec/flood
tag: master
env:
FLOOD_OPTION_RUNDIR: /data
FLOOD_OPTION_AUTH: "none"
FLOOD_OPTION_QBURL: "http://qbittorrent.default.svc.cluster.local."
envFrom:
- secretRef:
name: *app
service:
main:
ports:
http:
port: 3000
ingress:
main:
enabled: true
ingressClassName: "nginx"
annotations:
auth.home.arpa/enabled: "true"
hosts:
- host: &host "{{ .Release.Name }}.${SECRET_CLUSTER_DOMAIN}"
paths:
- path: /
pathType: Prefix
tls:
- hosts:
- *host
podSecurityContext:
runAsUser: 1001
runAsGroup: 1001
fsGroup: 1001
fsGroupChangePolicy: "OnRootMismatch"
persistence:
data:
enabled: true
existingClaim: flood-config
mountPath: /data
resources:
requests:
memory: 250Mi
cpu: 15m
limits:
memory: 512Mi

7
kubernetes/cluster-0/apps/downloaders/flood/kustomization.yaml Normal file
View File

@@ -0,0 +1,7 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- secret.sops.yaml
- volume.yaml
- helm-release.yaml

30
kubernetes/cluster-0/apps/downloaders/flood/secret.sops.yaml Normal file
View File

@@ -0,0 +1,30 @@
# yamllint disable
apiVersion: v1
kind: Secret
metadata:
name: flood
namespace: default
type: Opaque
stringData:
FLOOD_OPTION_QBUSER: ENC[AES256_GCM,data:wwb74Ok=,iv:bLa7BU9lqiUKUqO5hLaMKE50ovxUJzJnaEMu9QSX6wQ=,tag:VQjtK4T8AOQIvPEujTOfcA==,type:str]
FLOOD_OPTION_QBPASS: ENC[AES256_GCM,data:8PzsOc2NNHkY8kRVB3z/62W4peA=,iv:pbRQ+I9IBAY/+QYfVKuNGUr4zYAawUzqdbG8IeETIhQ=,tag:X8O0AitScHuBXcoePprZ1Q==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoN0VJaHVYcXNDZDlZUGRn
YUViZDU0TCtmbzkycUpiZUVDbkluSzdSM2hVClpMRDdKREJBZEpEYUIxUGlIem9Q
Z08rVUVLUFhWNGdncElCR2hFVFNJUEUKLS0tIDZzcDVyb0lMTzRrNStBRU1KN2wy
OU81anNCMk13bXNXRVM3ZWcxTjd6SUkKd5FvLfeXe4p7j5eryl9ZuVh6oT920yiy
hsaI1Cwm2WH55lR++P1jtIyTo+lOL5M+IZUeyC7LXBpMp2UBNbllcw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-09-15T05:40:26Z"
mac: ENC[AES256_GCM,data:hwIHegLoNt6vHq1Dj3sispmAoByMN25HAG/koTtaNSCs94W4JbGGqJ+6waXX9vlWyWux6gJw8Y4j71BnjfP5Fhk4sTkS2N30XrNt/B4+95jO4u4spfZ5MPzb4FE5qIVaqDliDbhj50GA2eruVtYgGgJ4oCADWGI+iJZYyKnuUNQ=,iv:w9lUfjBF194TQQjUGzPBOpbYeey6eOG8heU7QKYF2gk=,tag:xiTESQOcm/PGaIYZqLgFQQ==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3

17
kubernetes/cluster-0/apps/downloaders/flood/volume.yaml Normal file
View File

@@ -0,0 +1,17 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: flood-config
namespace: default
labels:
app.kubernetes.io/name: &name flood
app.kubernetes.io/instance: *name
snapshot.home.arpa/enabled: "true"
spec:
accessModes:
- ReadWriteOnce
storageClassName: rook-ceph-block
resources:
requests:
storage: 1Gi

9
kubernetes/cluster-0/apps/downloaders/kustomization.yaml Normal file
View File

@@ -0,0 +1,9 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: default
resources:
- flood
- pyload
- qbittorrent
- sabnzbd

84
kubernetes/cluster-0/apps/downloaders/pyload/helm-release.yaml Normal file
View File

@@ -0,0 +1,84 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: &app pyload
namespace: default
spec:
interval: 15m
chart:
spec:
chart: app-template
version: 1.0.1
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
install:
createNamespace: true
remediation:
retries: 5
upgrade:
remediation:
retries: 5
values:
image:
repository: ghcr.io/auricom/pyload-ng
tag: 0.5.0-b3.dev29@sha256:329021cd2c0534807d3e8be9af78dc43bbdbc8d50a66da2d58c2da70269c9534
env:
TZ: "${TIMEZONE}"
service:
main:
ports:
http:
port: 8000
ingress:
main:
enabled: true
ingressClassName: "nginx"
annotations:
auth.home.arpa/enabled: "true"
hosts:
- host: &host "{{ .Release.Name }}.${SECRET_CLUSTER_DOMAIN}"
paths:
- path: /
pathType: Prefix
tls:
- hosts:
- *host
probes:
liveness: &probe
custom: true
enabled: true
spec:
failureThreshold: 5
httpGet:
path: /login
port: 8000
initialDelaySeconds: 30
periodSeconds: 10
timeoutSeconds: 10
readiness: *probe
startup: *probe
podSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
fsGroupChangePolicy: "OnRootMismatch"
persistence:
config:
enabled: true
existingClaim: pyload-config
mountPath: /config
downloads:
enabled: true
type: nfs
server: "${LOCAL_LAN_TRUENAS}"
path: /mnt/storage/downloads
mountPath: /mnt/storage/downloads
resources:
requests:
cpu: 15m
memory: 105Mi
limits:
memory: 1Gi

6
kubernetes/cluster-0/apps/downloaders/pyload/kustomization.yaml Normal file
View File

@@ -0,0 +1,6 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- volume.yaml
- helm-release.yaml

17
kubernetes/cluster-0/apps/downloaders/pyload/volume.yaml Normal file
View File

@@ -0,0 +1,17 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: pyload-config
namespace: default
labels:
app.kubernetes.io/name: &name pyload
app.kubernetes.io/instance: *name
snapshot.home.arpa/enabled: "true"
spec:
accessModes:
- ReadWriteOnce
storageClassName: rook-ceph-block
resources:
requests:
storage: 1Gi

97
kubernetes/cluster-0/apps/downloaders/qbittorrent/helm-release.yaml Normal file
View File

@@ -0,0 +1,97 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: &app qbittorrent
namespace: default
spec:
interval: 15m
chart:
spec:
chart: app-template
version: 1.0.1
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
install:
createNamespace: true
remediation:
retries: 5
upgrade:
remediation:
retries: 5
values:
image:
repository: ghcr.io/onedr0p/qbittorrent
tag: 4.4.5@sha256:51153d31dd1dca2ec67256827ace50dc38911cdbef19cc4d318e92bb84a1ea45
env:
TZ: "${TIMEZONE}"
QBITTORRENT__PORT: &port 80
QBITTORRENT__BT_PORT: &port-bt 58462
service:
main:
ports:
http:
port: *port
bittorent:
enabled: true
type: LoadBalancer
loadBalancerIP: "${CLUSTER_LB_QBITTORRENT}"
ports:
bittorrent:
enabled: true
port: *port-bt
protocol: TCP
targetPort: *port-bt
externalTrafficPolicy: Local
ingress:
main:
enabled: true
ingressClassName: "nginx"
annotations:
nginx.ingress.kubernetes.io/configuration-snippet: |
proxy_hide_header "x-webkit-csp";
proxy_hide_header "content-security-policy";
proxy_hide_header "X-Frame-Options";
proxy_set_header Accept-Encoding "";
sub_filter '</head>' '<link rel="stylesheet" type="text/css" href="https://theme-park.${SECRET_CLUSTER_DOMAIN}/css/base/qbittorrent/nord.css"></head>';
sub_filter_once on;
hosts:
- host: &host "{{ .Release.Name }}.${SECRET_CLUSTER_DOMAIN}"
paths:
- path: /
pathType: Prefix
tls:
- hosts:
- *host
podSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
fsGroupChangePolicy: "OnRootMismatch"
supplementalGroups:
- 100
persistence:
config:
enabled: true
existingClaim: qbittorrent-config
mountPath: /config
downloads:
enabled: true
type: nfs
server: "${LOCAL_LAN_TRUENAS}"
path: /mnt/storage/downloads
mountPath: /mnt/storage/downloads
video-qbittorrent:
enabled: true
type: nfs
server: "${LOCAL_LAN_TRUENAS}"
path: /mnt/storage/video/.qbittorrent
mountPath: /mnt/storage/video/.qbittorrent
resources:
requests:
cpu: 500m
memory: 1Gi
limits:
memory: 8Gi

6
kubernetes/cluster-0/apps/downloaders/qbittorrent/kustomization.yaml Normal file
View File

@@ -0,0 +1,6 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- volume.yaml
- helm-release.yaml

68
kubernetes/cluster-0/apps/downloaders/qbittorrent/upgrade-p2pblocklist/helm-release.yaml Normal file
View File

@@ -0,0 +1,68 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: &app qbittorrent-upgrade-p2pblocklist
namespace: &namespace default
spec:
interval: 15m
chart:
spec:
chart: raw
version: v0.3.1
sourceRef:
kind: HelmRepository
name: dysnix
namespace: flux-system
install:
createNamespace: true
remediation:
retries: 5
upgrade:
remediation:
retries: 5
dependsOn:
- name: qbittorrent
namespace: default
values:
resources:
- apiVersion: batch/v1
kind: CronJob
metadata:
name: *app
namespace: *namespace
spec:
schedule: "@daily"
jobTemplate:
spec:
template:
metadata:
name: *app
spec:
serviceAccountName: jobs
containers:
- name: *app
image: ghcr.io/auricom/kubectl:1.25.4@sha256:eef66c93cd48cacb338a8994632e0b75aafeac2fbdcc5c64314a9bf422d0380c
imagePullPolicy: IfNotPresent
command:
- "/bin/bash"
- "-c"
- |
#!/bin/bash
set -o errexit
set -o nounset
curl --location https://github.com/DavidMoore/ipfilter/releases/download/lists/ipfilter.dat.gz --output /tmp/ipfilter.dat.gz
gunzip /tmp/ipfilter.dat.gz
result=$(kubectl get pod --selector app.kubernetes.io/name=qbittorrent --output custom-columns=:metadata.name --namespace default)
QBITTORRENT_POD=$(echo $result | awk '{ print $NF }')
echo $QBITTORRENT_POD | grep qbittorrent
if [[ $(echo $QBITTORRENT_POD | grep qbittorrent) ]]; then
kubectl cp /tmp/ipfilter.dat default/$QBITTORRENT_POD:/config/ipfilter.dat
kubectl rollout restart deployment qbittorrent --namespace default && curl -m 10 --retry 5 http://healthchecks.default.svc.cluster.local.:/ping/${SECRET_HEALTHCHECKS_PING_KEY}/k3s-qbittorrent-p2pblocklist
else
echo "qbittorrent deployment not found"
exit 1
fi
restartPolicy: Never

5
kubernetes/cluster-0/apps/downloaders/qbittorrent/upgrade-p2pblocklist/kustomization.yaml Normal file
View File

@@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- helm-release.yaml
- upgrade-p2pblocklist

Some files were not shown because too many files have changed in this diff Show More