✨ new talos cluster

2025-09-17 18:24:14 +02:00 · 2022-11-19 04:47:32 +01:00
parent 42346bd99b
commit 4ac38f95e9
548 changed files with 1642 additions and 2331 deletions
--- a/kubernetes/cluster-0/apps/networking/smtp-relay/helm-release.yaml
+++ b/kubernetes/cluster-0/apps/networking/smtp-relay/helm-release.yaml
@@ -0,0 +1,89 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: &app smtp-relay
+  namespace: default
+spec:
+  interval: 15m
+  chart:
+    spec:
+      chart: app-template
+      version: 1.0.1
+      sourceRef:
+        kind: HelmRepository
+        name: bjw-s
+        namespace: flux-system
+  install:
+    createNamespace: true
+    remediation:
+      retries: 5
+  upgrade:
+    remediation:
+      retries: 5
+  values:
+    controller:
+      replicas: 1
+      strategy: RollingUpdate
+    image:
+      repository: ghcr.io/foxcpp/maddy
+      tag: 0.6.2
+    env:
+      DEBUG: "true"
+      SMTP_DOMAIN: "${SECRET_DOMAIN}"
+      SMTP_SERVER: "smtp.fastmail.com"
+      SMTP_USERNAME: "${SECRET_EMAIL_SMTP_USERNAME}"
+      SMTP_PORT: "465"
+    envFrom:
+      - secretRef:
+          name: *app
+    service:
+      main:
+        type: LoadBalancer
+        loadBalancerIP: "${CLUSTER_LB_SMTP_RELAY}"
+        externalTrafficPolicy: Local
+        ports:
+          http:
+            port: 2525
+          metrics:
+            enabled: true
+            port: 9749
+    serviceMonitor:
+      main:
+        enabled: true
+        endpoints:
+          - port: metrics
+            scheme: http
+            path: /metrics
+            interval: 1m
+            scrapeTimeout: 10s
+    persistence:
+      config:
+        enabled: true
+        type: configMap
+        name: *app
+        subPath: maddy.conf
+        mountPath: /data/maddy.conf
+        readOnly: true
+      data:
+        enabled: true
+        type: emptyDir
+        medium: Memory
+        sizeLimit: 1Gi
+        mountPath: /dev/shm
+    podAnnotations:
+      configmap.reloader.stakater.com/reload: *app
+      secret.reloader.stakater.com/reload: *app
+    topologySpreadConstraints:
+      - maxSkew: 1
+        topologyKey: kubernetes.io/hostname
+        whenUnsatisfiable: DoNotSchedule
+        labelSelector:
+          matchLabels:
+            app.kubernetes.io/name: *app
+    resources:
+      requests:
+        cpu: 10m
+        memory: 10Mi
+      limits:
+        memory: 50Mi
--- a/kubernetes/cluster-0/apps/networking/smtp-relay/kustomization.yaml
+++ b/kubernetes/cluster-0/apps/networking/smtp-relay/kustomization.yaml
@@ -0,0 +1,15 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - helm-release.yaml
+  - secret.sops.yaml
+namespace: default
+configMapGenerator:
+  - name: smtp-relay
+    files:
+      - maddy.conf
+generatorOptions:
+  disableNameSuffixHash: true
+  annotations:
+    kustomize.toolkit.fluxcd.io/substitute: disabled
--- a/kubernetes/cluster-0/apps/networking/smtp-relay/maddy.conf
+++ b/kubernetes/cluster-0/apps/networking/smtp-relay/maddy.conf
@@ -0,0 +1,33 @@
+state_dir /dev/shm/maddy/state
+runtime_dir /dev/shm/maddy/run
+
+openmetrics tcp://0.0.0.0:9749 { }
+
+tls off
+hostname {env:SMTP_DOMAIN}
+
+smtp tcp://0.0.0.0:2525 {
+    debug {env:DEBUG}
+    io_debug {env:DEBUG}
+
+    source {env:SMTP_DOMAIN} {
+        deliver_to &remote_queue
+    }
+
+    default_source {
+        reject
+    }
+}
+
+target.queue remote_queue {
+    debug {env:DEBUG}
+    target &remote_smtp
+}
+
+target.smtp remote_smtp {
+    debug {env:DEBUG}
+    attempt_starttls yes
+    require_tls yes
+    auth plain {env:SMTP_USERNAME} {env:SMTP_PASSWORD}
+    targets tls://{env:SMTP_SERVER}:{env:SMTP_PORT}
+}
--- a/kubernetes/cluster-0/apps/networking/smtp-relay/secret.sops.yaml
+++ b/kubernetes/cluster-0/apps/networking/smtp-relay/secret.sops.yaml
@@ -0,0 +1,29 @@
+# yamllint disable
+kind: Secret
+apiVersion: v1
+type: Opaque
+metadata:
+    name: smtp-relay
+    namespace: default
+stringData:
+    SMTP_PASSWORD: ENC[AES256_GCM,data:Yf/FCPWceNJadwSaTvNXug==,iv:eErTrc6gWkClzoMmLgkz6xgaUA/W7cZoxhgGeCuHPyk=,tag:HYWJN3imrt/Umv4NREuQpg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkSGowVER2SFNrYTVxOUc4
+            S1lDV295S2tnTlE1TkFuWnFYdXZoZ2ZlYkVrCmdRaXpGNTZTbDBjbkxPTkhaSkU1
+            ZTZEakZwV1prTXpGalc2L0MrQ3BlVlEKLS0tIDdIdTdKTzBybHc5NjJaU0Z4dFg1
+            U003SkswTXRYaUdWYzVRL2oxb2RGdEEKQojCy0af9JFKnKSYQhT2C1sXIBjfKjEz
+            b7/1MAC99t37PRSsyh+ALf6DctqxysHKpG6Ku/RAchPqd2MwtIjWlQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2022-09-13T20:15:28Z"
+    mac: ENC[AES256_GCM,data:PwHnx7chnuV4lmmdZO+areDkucOHdR03xkk9DPiB3GT4NKGvO0lBBRr/KkrENRRoL8EwsYD2UH/o6SPdes76F0vFJYzP3Q33kBY4dRpIzTcbzKFwpvmQszzmDbFFZoUe25Fq0kDcMN2IC20MwvNHFQDJFwQJ4JkWLwRuP6rAIjQ=,iv:thrY5JxFdidqumX+APUxthqdcKrmozQ6zLnmGTzMrFk=,tag:KBXseUVIAMvIDTN2krEY5Q==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.7.3