shpaq/auricom-home-cluster
1
0
Fork 0
mirror of https://github.com/auricom/home-cluster.git synced 2025-09-17 18:24:14 +02:00
Code Issues Packages Projects Releases Wiki Activity

new talos cluster

Browse Source
This commit is contained in:
auricom
2022-11-19 04:47:32 +01:00
parent 42346bd99b
commit 4ac38f95e9
548 changed files with 1642 additions and 2331 deletions
Download Patch File Download Diff File Expand all files Collapse all files

88
kubernetes/cluster-0/apps/authentication/authelia/config/configuration.yml Normal file
View File

@@ -0,0 +1,88 @@
---
session:
redis:
high_availability:
sentinel_name: redis-master
nodes:
- host: redis-node-0.redis-headless.default.svc.cluster.local.
port: 26379
- host: redis-node-1.redis-headless.default.svc.cluster.local.
port: 26379
- host: redis-node-2.redis-headless.default.svc.cluster.local.
port: 26379
access_control:
## Default policy can either be 'bypass', 'one_factor', 'two_factor' or 'deny'. It is the policy applied to any
## resource if there is no policy to be applied to the user.
default_policy: deny
networks:
- name: private
networks: ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]
- name: vpn
networks: ["10.10.0.0/16"]
rules:
# bypass Authelia WAN + LAN
- domain:
- auth.${SECRET_CLUSTER_DOMAIN}
policy: bypass
# One factor auth for LAN
- domain:
- "*.${SECRET_CLUSTER_DOMAIN}"
policy: one_factor
subject: ["group:admins", "group:users"]
networks:
- private
# Deny public resources
- domain: ["navidrome.${SECRET_CLUSTER_DOMAIN}"]
resources: ["^/metrics.*$"]
policy: deny
# Two factors auth for WAN
- domain:
- "*.${SECRET_CLUSTER_DOMAIN}"
subject: ["group:admins", "group:users"]
policy: two_factor
identity_providers:
oidc:
cors:
endpoints: ["authorization", "token", "revocation", "introspection"]
allowed_origins_from_client_redirect_uris: true
clients:
- id: gitea
secret: "${SECRET_GITEA_OAUTH_CLIENT_SECRET}"
public: false
authorization_policy: two_factor
scopes: ["openid", "profile", "groups", "email"]
redirect_uris:
[
"https://gitea.${SECRET_CLUSTER_DOMAIN}/user/oauth2/authelia/callback",
]
userinfo_signing_algorithm: none
- id: grafana
description: Grafana
secret: "${SECRET_GRAFANA_OAUTH_CLIENT_SECRET}"
public: false
authorization_policy: two_factor
pre_configured_consent_duration: 1y
scopes: ["openid", "profile", "groups", "email"]
redirect_uris:
["https://grafana.${SECRET_CLUSTER_DOMAIN}/login/generic_oauth"]
userinfo_signing_algorithm: none
- id: outline
description: Outline
secret: "${SECRET_OUTLINE_OAUTH_CLIENT_SECRET}"
public: false
authorization_policy: two_factor
pre_configured_consent_duration: 1y
scopes: ["openid", "profile", "email", "offline_access"]
redirect_uris:
["https://docs.${SECRET_CLUSTER_DOMAIN}/auth/oidc.callback"]
userinfo_signing_algorithm: none
# - id: minio
# description: Minio
# secret: "${SECRET_MINIO_OAUTH_CLIENT_SECRET}"
# public: false
# authorization_policy: two_factor
# pre_configured_consent_duration: 1y
# scopes: ["openid", "profile", "groups", "email"]
# redirect_uris: ["https://minio.${SECRET_CLUSTER_DOMAIN}/oauth_callback"]
# userinfo_signing_algorithm: none

106
kubernetes/cluster-0/apps/authentication/authelia/helm-release.yaml Normal file
View File

@@ -0,0 +1,106 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: &app authelia
namespace: default
spec:
interval: 15m
chart:
spec:
chart: app-template
version: 1.0.1
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
install:
createNamespace: true
remediation:
retries: 5
upgrade:
remediation:
retries: 5
dependsOn:
- name: glauth
namespace: default
- name: postgres-cluster
namespace: default
- name: redis
namespace: default
values:
controller:
replicas: 2
strategy: RollingUpdate
image:
repository: ghcr.io/authelia/authelia
tag: 4.37.2
envFrom:
- secretRef:
name: *app
enableServiceLinks: false
service:
main:
ports:
http:
port: 80
metrics:
enabled: true
port: 8080
serviceMonitor:
main:
enabled: true
endpoints:
- port: metrics
scheme: http
path: /metrics
interval: 1m
scrapeTimeout: 10s
ingress:
main:
enabled: true
ingressClassName: "nginx"
annotations:
external-dns.home.arpa/enabled: "true"
nginx.ingress.kubernetes.io/configuration-snippet: |
add_header Cache-Control "no-store";
add_header Pragma "no-cache";
add_header X-Frame-Options "SAMEORIGIN";
add_header X-XSS-Protection "1; mode=block";
hosts:
- host: &host "auth.${SECRET_CLUSTER_DOMAIN}"
paths:
- path: /
pathType: Prefix
tls:
- hosts:
- *host
podSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
fsGroupChangePolicy: "OnRootMismatch"
persistence:
config:
enabled: true
type: configMap
name: *app
subPath: configuration.yml
mountPath: /config/configuration.yml
readOnly: false
podAnnotations:
configmap.reloader.stakater.com/reload: *app
secret.reloader.stakater.com/reload: *app
topologySpreadConstraints:
- maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: DoNotSchedule
labelSelector:
matchLabels:
app.kubernetes.io/name: *app
resources:
requests:
cpu: 5m
memory: 10Mi
limits:
memory: 100Mi

16
kubernetes/cluster-0/apps/authentication/authelia/kustomization.yaml Normal file
View File

@@ -0,0 +1,16 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: default
resources:
- secret.sops.yaml
- helm-release.yaml
patchesStrategicMerge:
- patches/env.yaml
- patches/postgres.yaml
configMapGenerator:
- name: authelia
files:
- config/configuration.yml
generatorOptions:
disableNameSuffixHash: true

39
kubernetes/cluster-0/apps/authentication/authelia/patches/env.yaml Normal file
View File

@@ -0,0 +1,39 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: authelia
namespace: default
spec:
values:
env:
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ADDITIONAL_USERS_DN: ou=users
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_BASE_DN: dc=home,dc=arpa
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_DISPLAY_NAME_ATTRIBUTE: givenName
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_GROUPS_FILTER: "(&(memberUid={username})(objectClass=posixGroup))"
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_GROUP_NAME_ATTRIBUTE: cn
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_MAIL_ATTRIBUTE: mail
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_URL: "ldap://glauth.default.svc.cluster.local.:389"
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_USER: cn=search,ou=svcaccts,dc=home,dc=arpa
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_USERNAME_ATTRIBUTE: uid
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_USERS_FILTER: "(&({username_attribute}={input})(objectClass=posixAccount))"
AUTHELIA_AUTHENTICATION_BACKEND_PASSWORD_RESET_DISABLE: "true"
AUTHELIA_DEFAULT_REDIRECTION_URL: "https://auth.${SECRET_CLUSTER_DOMAIN}"
AUTHELIA_DUO_API_DISABLE: "true"
AUTHELIA_LOG_LEVEL: trace
AUTHELIA_NOTIFIER_SMTP_DISABLE_REQUIRE_TLS: "true"
AUTHELIA_NOTIFIER_SMTP_HOST: smtp-relay.default.svc.cluster.local.
AUTHELIA_NOTIFIER_SMTP_PORT: "2525"
AUTHELIA_NOTIFIER_SMTP_SENDER: "Authelia <authelia@${SECRET_DOMAIN}>"
AUTHELIA_SERVER_DISABLE_HEALTHCHECK: "true"
AUTHELIA_SERVER_PORT: 80
AUTHELIA_SESSION_DOMAIN: "${SECRET_CLUSTER_DOMAIN}"
AUTHELIA_SESSION_REDIS_DATABASE_INDEX: 14
AUTHELIA_SESSION_REDIS_HOST: redis.default.svc.cluster.local.
AUTHELIA_STORAGE_POSTGRES_DATABASE: authelia
AUTHELIA_STORAGE_POSTGRES_HOST: postgres-rw.default.svc.cluster.local.
AUTHELIA_TELEMETRY_METRICS_ADDRESS: "tcp://0.0.0.0:8080"
AUTHELIA_TELEMETRY_METRICS_ENABLED: "true"
AUTHELIA_THEME: grey
AUTHELIA_TOTP_ISSUER: authelia.com
AUTHELIA_WEBAUTHN_DISABLE: "true"

31
kubernetes/cluster-0/apps/authentication/authelia/patches/postgres.yaml Normal file
View File

@@ -0,0 +1,31 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: authelia
namespace: default
spec:
values:
initContainers:
init-db:
image: ghcr.io/onedr0p/postgres-initdb:14.5
env:
- name: POSTGRES_HOST
value: postgres-rw.default.svc.cluster.local.
- name: POSTGRES_DB
value: authelia
- name: POSTGRES_SUPER_PASS
valueFrom:
secretKeyRef:
name: postgres-superuser
key: password
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
name: authelia
key: AUTHELIA_STORAGE_POSTGRES_USERNAME
- name: POSTGRES_PASS
valueFrom:
secretKeyRef:
name: authelia
key: AUTHELIA_STORAGE_POSTGRES_PASSWORD

36
kubernetes/cluster-0/apps/authentication/authelia/secret.sops.yaml Normal file
View File

@@ -0,0 +1,36 @@
# yamllint disable
apiVersion: v1
kind: Secret
metadata:
name: authelia
namespace: default
type: Opaque
stringData:
AUTHELIA_STORAGE_POSTGRES_USERNAME: ENC[AES256_GCM,data:popD58odXyQ=,iv:gw+Y2n/ZRRAudSZy6T6aYdLq504xEH6Ntk+nWY39zjE=,tag:okpCZIGgCzeooa+eSWhAbA==,type:str]
AUTHELIA_STORAGE_POSTGRES_PASSWORD: ENC[AES256_GCM,data:j/VlSpeqwTVKCDN+Law=,iv:k+PKPq1iF/bl0acff1DrbQzRKOb3cy37Sq5R+wuKOQc=,tag:ouhjcJuZJQ0Gc/T396WDrg==,type:str]
AUTHELIA_JWT_SECRET: ENC[AES256_GCM,data:/FH8Yi4olsLQgbAbTGh23wvZ+0bY5XZMxyXUcQ==,iv:BB18NV8++Uqh3TS9KeDAOV3WH8gvBa/vKRAoV48ddMU=,tag:jbNMXobzUIIEd/fQKrD17Q==,type:str]
AUTHELIA_SESSION_SECRET: ENC[AES256_GCM,data:oKlY7wYdJWyVyS9L0kEyE/FBaX8QguU7ZwN4wg==,iv:qn3DBkozHECvEvjfJaGwogGdNcEYfL9Mr4sZhkmRvUs=,tag:tmvKCTehK5APrJG/xRzdtg==,type:str]
AUTHELIA_STORAGE_ENCRYPTION_KEY: ENC[AES256_GCM,data:dhPWtO+l7X+9chnJczfL1qE0ckO58kRAvzjTiA==,iv:ac8mMxYENkUv7llxkHHdTiCxMaqP0/joJeAxDkc7vNE=,tag:HUZudNImGCxzlGXeYJZGtA==,type:str]
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD: ENC[AES256_GCM,data:iF/190/mZpbDwCd5Q+VOTQVyRbs=,iv:xKhvy4ufkiPqmiWUPKQjxRqUA3VH1Y/PTc8BVnLIaDA=,tag:KB3Bs71cARnYo3noOZs+Fw==,type:str]
AUTHELIA_IDENTITY_PROVIDERS_OIDC_HMAC_SECRET: ENC[AES256_GCM,data:GQ5FI3GP+dNfWapUXbkWRoUi4N8oHLn6Kotmmfaqxd0=,iv:iZMUl9vBZUdWElVV1iqPNhdTy0aQKw3H318UT/rTpWs=,tag:iuKMZal34P0zFy6v+Dvj7g==,type:str]
AUTHELIA_IDENTITY_PROVIDERS_OIDC_ISSUER_PRIVATE_KEY: ENC[AES256_GCM,data:IeAA9iN8w6vU5ZsJVAmLyaH4xuADYg0ESKdqIWSCQ6OJKd60E0UNhIQOIH25JCQnRo3cpAflkqDHRdMNnoUY4apsA5GBZtO9+kDnswMHFfMwhgP15V6RBLObvIFVFfjH5n2k7hObMeS2qm8+rVIaUpyNDu3elD8KrKHOiqN0dxbd4PVx1CmN3c9kJGqSWrYFhBo44fULjUzWYSaQbfMqxotkxodtfRDKYlwvXBh9fg1hWblBj2LEl8yPd2V3QiKDH2o6um8VWw33ryUzAeefJOelUUU/s8EynbGwTZwuPVy8LATSSiDtvramFpsk7XXshDLrwEir7hujaieP3P0T7XspF9i85wFVZrTqZDtlysYgziwTEqSbd2vL737p6S5l3QpAn5De+QkZyYDbPYJ2X/PTESeY1X4hJ8TI0OK15DXX5+YYkh3Vnvl21xseaAoT9QvTcXM9jjUug8cwt56UhG/grNFrYLjngq4cLPHI4vzE9JXLfXlax+Y+jj0t1Bv8EPA66RzXxJWYgbLP/SdHPFDpyMwRjSzm5zJ9ldG+ajJ1B6pVuWb53USVxtRu6aRnZsxWpJfkn7HqGkXjRPT0mSiU2tFpwaM/NDxMB66DiIZjCwjeTfbFSngDQc88fcwv8V6klASM0iCbsQCtXDGoAt1mG6wmA5UhMmoKkqdRVj+qov+ZeMz+dlafdoXJNXT8ncTo06RDQAZX/3kW+7uK5EbfSRUmDUdPnHHBL/fhEYEasZoF5nwegp9gGPOX6N+mHyYoB3tJNrATJkBa7bTDcPcKpRL5a472ApXva6WYyDgnO4FrvxlkC0wt9Dt8Tw/YakwxY+UtatmdEyYRprxRWQDPYHCqe+lK8S0LGHq+2HEcf109lzAszhkEHj4AKXVuwc2ooWlqVFoCMB4+1sJzawA4Ry5mXNFLN9eb+6xO8fg6DMxRZFbZTL+mdOUfIQxz+nCbEm48xakSj3NJzQ4Rd+31kuapmcnjCLoWdDItXfPrIV160v0GGGMQmrzL7PJVmBaFwmRfJ5YJz5UE0qi8z5RC1d//0ywEyb0EBNCouuWh47XHo2EDKTbhy3o0qpkQBHIQuxUZcIPM+3veF/SOT7pFYPGHMFPbif/71j1HgxuE/E1p+How0XfelOfP4Z8rUWZcDWLJp0wDrD7WRe9564/cqCTvqBRusPKYlCG/xJreqn42LV0bVN4JxJAiBXM68lasZJHunMJcd1E1DB/p1S0Wooezc7J67sPMiLAfiq4GdBSq8Z+8OJKcv88KDXu/PPCh8Ke4xVLdovK1KUncP/T8cppFhyE61CkDjcGvahGbuLkZl2mkR5oHoNerOXqFQ/tvIR34vXRRbb6Qo92r/yJmi6lsXGEu1dxMKBPKkOdCqWYXcSgGtDgyETm1+keoNjh67f7M0rl7eztHpFDl9CX9b4lYEBTiaaozWN+LYdPQps5IZfZDzTN4NScfx2CDve46xVLxNc/DpLhUih/a9i3/kHUB6aPNN/IxA6mhZqrya3gAUfAstxlkiBme8Wa902DFOh10YTn0VP9H+yRihK/OECDMhDDwrqSC1dn7BOF5iWFg9CMB6OzABstucmFDAgRxkqkaIPTSYF0mbZnD5KeZYRjeUV43m7BstHFXGSmb4R2CI9popqvDV1y/7ANpiepXlN2JFGCeCgW/SyyPAZw/xnQUH3ZGjK4lon1l45YA2YRvWnfurGZemaAtir499dbKNa1JK+1POmpAHvMw7tm7Jj2LjaHNKD40jGY782ucZkLFGwBm8P0KU44vjKinQNvjhNrct/USTEMxU+sHtuE9jFDsufKlNeOK/LkjCKfbOu6PNKF8MXoXw8bUsHSqMYHXRvBDiYNmuHp0zitet8JLvdKW1LVLTpuFR7/13y5L//9RvpvD66gjbO9LawIm4oX/RrkzzCEf/eMC4jCPvAe5KhcDGxW53LRYAowGLHmNlKDzWMWMAwe86dT9Y49cQYuznLYifu2ApeQ4nEFW4b0bktrzxSuZCVhWXPs+e0OnEWTUC3lzTd0MSfUgI1pSW+HmKs9+nr+YcEOBTmGd35oyjKGLq4SE4SecckslWnvYpXnHj2QOTqVD/Mn36B3NQgPIQOeh3uOiKhfOw4T0TiBc8ElBGbM0bsp5Cp2q41xByITXaVsgPo6IksI+dnoaqaDwzXVW2RABuuEDNAhC64gJW+t94obETP8X/ulGzxqibLVmOJgcdQ31TuEoE1z17TALTjm6GwZj8Jz80CfM2gHivh41xHjw23yHev3tJ4y5iOQ2fJRE9nM+Lwx3YjN0311PQ63ZfF453flkw7tzvHT+WMUyMHJBCwlQyrYVSVAd1NPdov4i/Ru/OSGGRQ2W3gdkDpTTbxB3rHzWaXS47mQHT9m60SfXDccT7JrZeDb6R8KhpS3aBL8k9paarynaFPrvjwRgJyjZAXzk38StzSRoRIUdS4teWlOm0aLjWA2N+FNxTnHif7fXLXQGnlHIhAU2U3KJ9mlqCq+pxqy2nmnDoXwBh0MjWYvEXwJhEQXv7PdXN6+74jlgx5xrmvyCqOJFuVIvIcRzj74mFIqMTMzXLL6eAjg9xLleTtCbY8jxjBrzfENYpYMQHPVRM1fwipu973WV33sEGmmtk6K79sQyI9Re2J5vneBJ5nT0/xqzA3EWQVEgXMXuOSthjO3PICYrPaH0ohlhiFEwlKpFWBAFKDwxilXeYMBN8epnm3tQjsnUoDyW4TTO/5j4e0Yb/k2z3T7IMYSme4AJq/ulf1Og+aIxHPfJ+QPfTqDnaF/zhkhYHh1iDEa9Dp4UEXyhgytbpr5f+tmcVuvGmtK4k6aOi1XkaLg6/CUa2O00MVqyLmqOeGDAw8z+UJcyFTk86kvNk8PMMrXsEzt6xDGkpSEjiPXL2vf1PrJIYi/99rcWrXR82zMCZg0EaM3zxhZvWzOFrWqHuE9u2ErgzgRt1GQ8iA3gFPw8uP7o8SCjE1Ig9kf56+OncA1fyJRFCPBe9Y36izZtEt901k9aMhZVmiuuCQAtptGFYslKFkLTeaQesnaSgSO2jq1wDEUtRHLHaTeBVWupB1AWvM9u661iC1dk32eVsclftyH5Auf0R58TohDLzhGT8e8NkOii9IJ2+N+ua8nPPiQqxfjbdXrKJFLFeyYimb/h6yfugQpxiDXWOfZFFkdKSZJqONaQ+aURqK3gyavzJeYUdRoiattdNNgGl+jTI/OEe3lt69oimYYExFQRzJ2R3uYYVbVyvaptW7+ppGxOxk4yfoQAcMZnOTGu9DKgBDClGOcdI2LeluieJrfXwoMq3o5wcoM6yvTmgfxzUMZ3DELWwP7Fqv0IJyRD0tXbIcQxGGyd1U3aGq6u0sGJaQy6+sb+s8hFPglL0CrzvCJPJERm8PHiJtiLHDa6WG1+b3V9fPnmJFD0AJEggE7fPolq5/j1dm1SRNmWNffHXcqGrCDcZ0qx6BE2pEzTY2VtyinsaNuigULK6kL55srFHh9xjwdgTD5F7czuqoIo2Phm8PoRW5X8I7dQZ0Psiur2d9tMAT+ChDWoytqmZH3edCN0a1kjWKN8+hDzIptbW68j+JuNLCtBc2ENtCo2mne4Kz15oYgbR7urht+CvagdKxauBiDGcp/KXuRUQKz7onCgnMmMkLP3lHXeyRqi2maG58K0Vngdsi2nFn7IzbeM8ieF2D7mo7FK5lyRlyIy3X2GwTQvEUTUyTUkv/cNCSet4O3zVeMY+hgegZzU1h8Cpzp+GF7v8wEVAe6DZTu+0aubwb27lqiweBUBBNJf9GuAMnuYGHODMsn1CNe3wNtgRlp0liGyT4YmoZlgO6rPcpUpjtxAdw+legYXdylGMwX/Cer2OLxe/VOsd1wjmMcZL1009guK7t6BjwGY9/g85y8MMPiHpWwo1MUOuKPQZFK2c2iu3IiQJtawqocNvmBeZ4/h9978Rod2aUbYXvTRFJbDbRqfqojEDgZv0JgIpBQKT/cIqQLPXoigyab45tMoKWKm2D7lSdwQIWpc2tx4qkECbLy5KEmd0UbCmCC8RDUk3I/Nkycwf1XrlZVYwNpKhQMIytDUyIf9TqTrU/XIJ/Q6Ib7kSyjZeK46GldMNuGnc05mPlJQoj75ZxxtWibfPG9kH7ImR4K1PgHoY2gHleca/paVyC9jNKpKiyB3m4WDnrxK5N+NpO+wlbNXAtGeqZJd6H/V8URnBuIv0NxFRhQ1seVZQKElkol1KCe9H/+n0Hs/fz5RdBwa/Oh9/lVNrJiVcnH1/5JGpR5/p/RLElE9Nl+GJGS2uWasvREyXjoLrB0aSwQK,iv:+H0Qz07NHU6fs7mJk9VnLZlYSoxTCnW59oPSHOmGr+s=,tag:w7NtwB7ks/Tb3eky5e/P/A==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4TWU5YTlFY3FPQWhnZ2I2
akxnZ2xIRVNFZTdOWmg0dFhxTUNoZEFIM1cwCit5WnduNlQ1MkF2aytCVldMeVlC
Yk5QNWRQRllOT3ZTL3VGcjJNK1VqeUkKLS0tIFMyWHNFd29nc2tMektxclJkK0pT
Ny9OQ0l4ZXMrdW40NmRsbzgvZ0w5V3cKqTGvN5zk2TPgtxoVfwI7Wsz4N+lC9+Kq
DCXTgTU/QXm9dvo4ErPPzeWFqdk4JchExhvSJV2JfM32O+3z+EGhNg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-09-13T21:14:03Z"
mac: ENC[AES256_GCM,data:ujW5w84/5GmwWvH8RdAoMdEXDNQptKhK0Whbd3Byg0o02NDA3SkQsMJsaSNG9Sp5CZnYxSBHdL1AT/1pldFsrxU7TcIpU1mh9zs4nf9B8x/9CEH/3fKSOZuHRKF56LHkqXLFbcC1o+GQHfg1zWlNFWBQ4ToPnqFlLneKFcHT/Sc=,iv:15KsYWcwbuCnsNOvjh7iMuv9gOsLnbvldUlUOl1l2eI=,tag:spHas6eWDLhcaK4cFStnww==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3

20
kubernetes/cluster-0/apps/authentication/glauth/config/groups.sops.toml Normal file
View File

@@ -0,0 +1,20 @@
{
"data": "ENC[AES256_GCM,data:s910tBBBfRjMxw3/W+Y8Wpm9ODOtWGb8MLQUgRbLLBIczBnZvuDUE6NrQnJAyK7H8sY0SqF2iYGbCKhbp/kFMe1zkB7Txi0EC81+vNCWMEzsKBWeB5HN7R/4LgwT19Ge0vXWYwfP4++Twiin/C5n8/KiPCqQDvcO92o96c5+zkWmvnayGYovmAuTkguSUDaPNJRffHZob7HOc9T9Tw==,iv:YoK+RSBsONPNzzyC6hJDTboz+MpoSv+nmjuypUyYVhk=,tag:UdUlrEe9yoOnFKBP1eSCXg==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvZFcremxrOFJCbU12ektL\na0kwajkzRDVkQlQ3ODN2R01LNDhONVRMcDFFCnI1Mk1EWGszSm4rU0Nra0J2VUFq\nTVc3UGU1NHpQZCtTdEI5OFpIVnNKRG8KLS0tIFg4WHNUVS9pTXQxb1k3V0xsd0lL\nV09lKy9nTzBBZ3QyRDByOUhYOUd5bUkK4IEvbv8gyFv3v40Iz6Gso7M1rTWBNKBW\nGJM4LaUoAM5gCSSjPeSB1ZLn7j226Qr2M65GxQiA/4xPpBaOgzguow==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2022-09-18T16:37:58Z",
"mac": "ENC[AES256_GCM,data:T0DB0qKA9BLT6pSud+WLeCTaYltvA19Uf2Klm/vsqCOXvtAVJVTWRMvE3OzcwTieJgBn4UOEaoUUEkpOo6T9ZKyqVzJ+Ir+RmYBkZZs08g86wPsUoMzEwmxQwz7rhaR/dqiNiWp7L0wE1ZbBg5gFpSj5WE8Hs0YJI4VZLFwVwfw=,iv:vSE1TboA1VknRr057d7ESWV8SvGGuNTbQnapieZvy7o=,tag:f2DSJqiBsjzBmexNo9U+ZA==,type:str]",
"pgp": null,
"unencrypted_suffix": "_unencrypted",
"version": "3.7.3"
}
}

20
kubernetes/cluster-0/apps/authentication/glauth/config/server.sops.toml Normal file
View File

@@ -0,0 +1,20 @@
{
"data": "ENC[AES256_GCM,data:78oUuR7O9j8wqKKiTrCbg1QNVB2a+i3CWgNDNM38zQNDO/LZ3juQkda5rRZsvvH9ovGwsIVo+nk2omMLY5FUceFxQFssXYH5EGgPOA9cXYtbql8jdbp0Lh/41RAC3+WrEe3Pj/5/Qyl+1rMgQPg2JJf7KudJRt4whA6Lkehd3147Au12fMxTpxZpnSczk1MroZwsE+DdQStkVDdzwMA/QvWhnXCDCMcawFrHxrQvmRGOHAyYGomOrPm8WMKSdBpNDMZQFg1pjORK/QQ3LzeQpnoJ25iu/fA9OfpyYsbhryk2asOCyA==,iv:SZ1DXCoib5E9PurrC622tAcELIxxWGiensfZTVKFzXw=,tag:lDDsTO/Y5mXfEqyAJ0z0jQ==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3Mk9heFBGdDdueGFkT3Va\nS1pyMC8wOGJDSTJ3d3JPSjNnTVkzYVJ0eTJJCjVoUy8wMXdPc3Myc2JaalZ2ZG9Q\nc3J4QldvZlJqMFN4WnhvYnJmZXVuNjAKLS0tIDR5K08rWmJvR1VSSjVHUFdWNjRK\nWHd4Ny9ubjVIZ0V1SXhTMnJFN3hCK00KvH0z/ys31lAX2pYNt2JdWqPSDhp4PKEn\nbQ1Z99aG5DedV/4KqOH3L9bvHl3M5am0MiKW/CngOfN9M49bWwQ6VQ==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2022-09-13T21:10:04Z",
"mac": "ENC[AES256_GCM,data:rKjnXHgG5ws0WdcGmTXpZ7PPGm2UIhVASqQ8K6Vtadws2g4M5OOk2JYI9sKjpnGd/Ht0pssBBpLWbqcwV2M2Ug96tkiDMRHHT7vgw4X5Y9NmnYt+5/An7ynsudraAr9AvjRS7Xux03OIPc7LjzOtCv4BIDyFR7vPj5+7opdedC0=,iv:3VPRTkVPL640URtVG5SxLKXE0/Pe3RORttfmnU0AYY0=,tag:Fcl2j31dKdCUwvfozWpRTw==,type:str]",
"pgp": null,
"unencrypted_suffix": "_unencrypted",
"version": "3.7.3"
}
}

20
kubernetes/cluster-0/apps/authentication/glauth/config/users.sops.toml Normal file
View File

@@ -0,0 +1,20 @@
{
"data": "ENC[AES256_GCM,data:q7pZXn6YGFKwKlEX+Iax8ZWoRkuK3a0HZlbKn/aDHpf9DCOpaJuxXpFL6hlkoKb3eoFBdjLHV2Yh+y6u+v/aPnLA9yaMuhZ9MDC0I6KF+5onRermWvtadiW/pmLLBd9fFBTxvKPni3sgHpZoZ7VZMRe6YZ88StsGJBX/cXjEZkOIO9S3GC28f3iNDKH5HGsYHUWyTn2osmOfrLahG5We3P9GeVTKgbnB6/OWC0lSRR+mmPc0yAjAXklTrGuk4zRV54qDoS8HdCO0FTq3Z83f6Qa3eoFDiOrm8yLCmXRqNGSoHoFrp7dnPzCna2SMAX7RBRCrOBRw+mijaxBrbMSp/2/5MqnJyJDz53ozUZog88Ywu595vfo3lEyJ7Qu/O1DX5aJTXKCPAvOIvAwSSFXfdKGmUAQrQvEP3VgpYnzGbuhnfPTJivXKpgc4vutvOH98itTquOq9KJdCOKcsd8gmBtOpPcMrUwA7jP1TV7eJIKhSN9YFt6jflTtqxfa9a4hB6FKXkXqJOrs9b4sT1iGi1bk9uVBF+3Ccc5X/JNRZ6Q6DSLYE5SkOZGOylsS4cjzjUcFSsnyNSfTwjca8SKLlc8bnPU0qFCOIVARIjKw8vMwedYKk0aiNTEa6vqShsGTUHVV/Lx7KqaVgayX+OjhUTzK4Wtrml2dvfoO4TePRmlg0AyeeqvJiIA+Fq9kaxsDkx63HSeK+0wjFH5HWThElycxVWozN6BAQ6EK4sPqrCdjfOpIAnv2YAazY647N8gcKd/OjvYM9lo0d3X0j/EiiFo3nq7ldggMJJRt9MmXVK3Ep31jjkqaeX9nljvMWsnFWwzXq/itPheEaKT3ch44PLPSFZu8NTMn0Xe4SoDaItbCAlXWjfGaLqBSGhVXCgXlzwx9ks75HntQ1zZMR151lU1RpnrZxB0g96uRAdkNBxYtxGkfqr/L4FjbDZSbLSm6JzV6hFgZZmfK4wsDJVG8dzT5/+1XNDfu9Ih2HCbh+upoNSQVzQhcHgtawpESP1v8OQr+t8KMmtVQGKLkCJAufabTI7Q==,iv:Y5jO9xDZwhvBfMUImMz6d9IksMpPCLKhzzrecbahp2Y=,tag:Bha5EyxQ3a7l+x/i0DsiaQ==,type:str]",
"sops": {
"kms": null,
"gcp_kms": null,
"azure_kv": null,
"hc_vault": null,
"age": [
{
"recipient": "age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg",
"enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoeDRMTnBlWXhEbXIrR0Fh\naFJXTEdWS0V3TCtmNFN1UFhGSXFLSExwNFRrCngzdVRhTG5LK2FWV2d3WTNvTTY5\nV0JrNWh0bGFaK0wvanZmL2dBSENkQkEKLS0tIHlVY2daMlVwNW8wMDRNNHN1RzdP\nRmsyY2NublJsWTRsRUJqYVlZTlRJS28Ky5QoK04bIpqAiHepeIS0FBVU+Kqn9IvY\nQ3yJxfye9EO1XJ60goxur9yzq3TNyGFykhvqVsizVBVuir1Ow3sLoQ==\n-----END AGE ENCRYPTED FILE-----\n"
}
],
"lastmodified": "2022-09-18T16:27:14Z",
"mac": "ENC[AES256_GCM,data:W77zbh5xtZPJC7nAuJ3LyZUlfQM9cmNJo6rBGnp34vxfA/H7m0OExHTaJkW+o0Zajk/3/zC9jwhmNRJdiQzd/k1M+a3q+DGOU2vt+On7Mo8mDfyuPOA6DvQnXf9ouwBPPkFjtn8t2Hb1cKvCLVdeMqRgz+x3MwJRbB2rB5YEY4o=,iv:+figksDMN3AP5+dD/gn9cE18HlgU8BOHtMtvaDEQUzs=,tag:9eo27jDtrFrqXWef5/T2nQ==,type:str]",
"pgp": null,
"unencrypted_suffix": "_unencrypted",
"version": "3.7.3"
}
}

64
kubernetes/cluster-0/apps/authentication/glauth/helm-release.yaml Normal file
View File

@@ -0,0 +1,64 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: &app glauth
namespace: default
spec:
interval: 15m
chart:
spec:
chart: app-template
version: 1.0.1
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
install:
createNamespace: true
remediation:
retries: 5
upgrade:
remediation:
retries: 5
values:
controller:
replicas: 1
strategy: RollingUpdate
image:
repository: docker.io/glauth/glauth
tag: v2.1.0
command: ["/app/glauth", "-c", "/config"]
service:
main:
ports:
http:
port: 5555
ldap:
enabled: true
port: 389
podSecurityContext:
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
fsGroupChangePolicy: "OnRootMismatch"
persistence:
config:
enabled: true
type: secret
name: *app
items:
- key: server.toml
path: server.toml
- key: groups.toml
path: groups.toml
- key: users.toml
path: users.toml
podAnnotations:
secret.reloader.stakater.com/reload: *app
resources:
requests:
cpu: 15m
memory: 105Mi
limits:
memory: 105Mi

14
kubernetes/cluster-0/apps/authentication/glauth/kustomization.yaml Normal file
View File

@@ -0,0 +1,14 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: default
resources:
- helm-release.yaml
secretGenerator:
- name: glauth
files:
- server.toml=config/server.sops.toml
- groups.toml=config/groups.sops.toml
- users.toml=config/users.sops.toml
generatorOptions:
disableNameSuffixHash: true

7
kubernetes/cluster-0/apps/authentication/kustomization.yaml Normal file
View File

@@ -0,0 +1,7 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: default
resources:
- authelia
- glauth

90
kubernetes/cluster-0/apps/authentication/readme.md Normal file
View File

@@ -0,0 +1,90 @@
# Authentication
## GLAuth
### Repo configuration
1. Add/Update `.vscode/extensions.json`
```json
{
"files.associations": {
"**/cluster/**/*.sops.toml": "plaintext"
}
}
```
2. Add/Update `.gitattributes`
```text
*.sops.toml linguist-language=JSON
```
3. Add/Update `.sops.yaml`
```yaml
- path_regex: cluster/.*\.sops\.toml
key_groups:
- age:
- age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
```
## App Configuration
Below are the decrypted versions of the sops encrypted toml files.
> `passbcrypt` can be generated [on CyberChef](https://gchq.github.io/CyberChef/#recipe=Bcrypt(12)To_Hex(%27None%27,0))
1. `server.sops.toml`
```toml
debug = true
[ldap]
enabled = true
listen = "0.0.0.0:389"
[ldaps]
enabled = false
[api]
enabled = true
tls = false
listen = "0.0.0.0:5555"
[backend]
datastore = "config"
baseDN = "dc=home,dc=arpa"
```
2. `groups.sops.toml`
```toml
[[groups]]
name = "svcaccts"
gidnumber = 6500
[[groups]]
name = "admins"
gidnumber = 6501
[[groups]]
name = "people"
gidnumber = 6502
```
3. `users.sops.toml`
```toml
[[users]]
name = "search"
uidnumber = 5000
primarygroup = 6500
passbcrypt = ""
[[users.capabilities]]
action = "search"
object = "*"
[[users]]
name = "<name>"
mail = ""
givenname = "<Name>"
sn = "<sn>"
uidnumber = <uid>
primarygroup = <gid>
othergroups = [ <gid> ]
passbcrypt = ""
```