From 7fd3c78db88e3be5890957446de7ea5d73cfd7fa Mon Sep 17 00:00:00 2001 
From: auricom <27022259+auricom@users.noreply.github.com> Date: Sat, 13 Jan 2024 17:47:18 +0100 Subject: [PATCH] =?UTF-8?q?=E2=99=BB=EF=B8=8F=20migrate=20postgresql=20to?= =?UTF-8?q?=20truenas=20jail=20+=20minio=20https?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit --- ansible/ansible.cfg | 1 + ansible/inventory/group_vars/all/all.sops.yml | 8 +- ansible/inventory/host_vars/minio.sops.yaml | 23 --- .../inventory/host_vars/postgresql_v15.yml | 1 + .../inventory/host_vars/postgresql_v16.yml | 1 + .../inventory/host_vars/truenas-remote.yaml | 1 - ansible/inventory/host_vars/truenas.sops.yaml | 9 +- ansible/inventory/host_vars/truenas.yaml | 5 +- ansible/inventory/hosts.yml | 12 +- ansible/roles/truenas/handlers/main.yml | 7 - ansible/roles/truenas/tasks/jails/init.yml | 32 +++++ ansible/roles/truenas/tasks/jails/main.yml | 42 ++++++ .../roles/truenas/tasks/jails/minio-conf.yml | 70 +++++++++ .../roles/truenas/tasks/jails/minio-init.yml | 32 +++++ .../truenas/tasks/jails/postgresql-conf.yml | 64 +++++++++ .../truenas/tasks/jails/postgresql-init.yml | 134 ++++++++++++++++++ ansible/roles/truenas/tasks/main.yml | 40 ++++++ .../{postgres => postgresql}/pg_hba.conf | 0 .../templates/scripts/snapshots_prune.sh | 3 +- ansible/shell.nix | 1 + .../default/atuin/app/externalsecret.yaml | 6 +- .../apps/default/atuin/app/helmrelease.yaml | 5 +- kubernetes/apps/default/atuin/ks.yaml | 1 - .../default/authelia/app/externalsecret.yaml | 9 +- .../default/authelia/app/helmrelease.yaml | 8 +- kubernetes/apps/default/authelia/ks.yaml | 1 - .../default/babybuddy/app/externalsecret.yaml | 4 +- .../default/babybuddy/app/helmrelease.yaml | 27 ++-- kubernetes/apps/default/babybuddy/ks.yaml | 3 +- .../default/bazarr/app/externalsecret.yaml | 4 +- .../apps/default/bazarr/app/helmrelease.yaml | 6 +- kubernetes/apps/default/bazarr/ks.yaml | 1 - .../cloudnative-pg/cluster/cluster.yaml | 2 +- .../default/freshrss/app/externalsecret.yaml | 4 +- 
.../default/freshrss/app/helmrelease.yaml | 6 +- kubernetes/apps/default/freshrss/ks.yaml | 1 - .../ghostfolio/app/externalsecret.yaml | 6 +- .../default/ghostfolio/app/helmrelease.yaml | 5 +- kubernetes/apps/default/ghostfolio/ks.yaml | 1 - .../default/hajimari/app/helmrelease.yaml | 2 +- .../home-assistant/app/externalsecret.yaml | 6 +- .../home-assistant/app/helmrelease.yaml | 5 +- .../apps/default/home-assistant/ks.yaml | 1 - kubernetes/apps/default/homelab/ks.yaml | 6 +- .../default/homelab/minio/backup/rclone.conf | 2 +- .../homelab/opnsense/backup/helmrelease.yaml | 2 +- .../homelab/truenas/backup/truenas-backup.sh | 2 +- .../truenas/certs-deploy/helmrelease.yaml | 6 +- .../certs-deploy/truenas-certs-deploy.sh | 41 +++++- .../homelab/truenas/kustomization.yaml | 1 + .../truenas/pgdump/externalsecret.yaml | 25 ++++ .../homelab/truenas/pgdump/helmrelease.yaml | 104 ++++++++++++++ .../homelab/truenas/pgdump/kustomization.yaml | 8 ++ .../default/immich/app/externalsecret.yaml | 4 +- .../immich/app/server/helmrelease.yaml | 5 +- kubernetes/apps/default/immich/ks.yaml | 1 - .../default/invidious/app/externalsecret.yaml | 6 +- .../default/invidious/app/helmrelease.yaml | 5 +- kubernetes/apps/default/invidious/ks.yaml | 1 - .../default/joplin/app/externalsecret.yaml | 4 +- .../apps/default/joplin/app/helmrelease.yaml | 5 +- kubernetes/apps/default/joplin/ks.yaml | 1 - .../default/kresus/app/externalsecret.yaml | 4 +- .../apps/default/kresus/app/helmrelease.yaml | 5 +- kubernetes/apps/default/kresus/ks.yaml | 1 - kubernetes/apps/default/libmedium/ks.yaml | 1 - .../default/linkding/app/externalsecret.yaml | 4 +- .../default/linkding/app/helmrelease.yaml | 5 +- kubernetes/apps/default/linkding/ks.yaml | 1 - .../default/lldap/app/externalsecret.yaml | 6 +- kubernetes/apps/default/lldap/ks.yaml | 2 - .../default/lychee/app/externalsecret.yaml | 4 +- .../apps/default/lychee/app/helmrelease.yaml | 7 +- kubernetes/apps/default/lychee/ks.yaml | 1 - 
.../default/outline/app/externalsecret.yaml | 7 +- .../apps/default/outline/app/helmrelease.yaml | 23 ++- kubernetes/apps/default/outline/ks.yaml | 1 - .../default/paperless/app/externalsecret.yaml | 4 +- .../default/paperless/app/helmrelease.yaml | 5 +- kubernetes/apps/default/paperless/ks.yaml | 1 - .../default/prowlarr/app/externalsecret.yaml | 2 +- .../default/prowlarr/app/helmrelease.yaml | 5 +- .../pushover-notifier/app/externalsecret.yaml | 4 +- .../app/github-releases/helmrelease.yaml | 5 +- .../apps/default/pushover-notifier/ks.yaml | 1 - .../default/radarr/app/externalsecret.yaml | 4 +- .../apps/default/radarr/app/helmrelease.yaml | 5 +- kubernetes/apps/default/radarr/ks.yaml | 1 - .../default/sharry/app/config/sharry.conf | 4 +- .../default/sharry/app/externalsecret.yaml | 8 +- .../apps/default/sharry/app/helmrelease.yaml | 5 +- kubernetes/apps/default/sharry/ks.yaml | 2 - .../default/sonarr/app/externalsecret.yaml | 4 +- .../apps/default/sonarr/app/helmrelease.yaml | 5 +- .../default/tandoor/app/externalsecret.yaml | 4 +- .../apps/default/tandoor/app/helmrelease.yaml | 11 +- kubernetes/apps/default/tandoor/ks.yaml | 1 - .../vaultwarden/app/externalsecret.yaml | 6 +- .../default/vaultwarden/app/helmrelease.yaml | 21 ++- kubernetes/apps/default/vaultwarden/ks.yaml | 1 - .../default/vikunja/app/externalsecret.yaml | 4 +- .../apps/default/vikunja/app/helmrelease.yaml | 5 +- kubernetes/apps/default/vikunja/ks.yaml | 1 - .../default/wallabag/app/externalsecret.yaml | 4 +- .../default/wallabag/app/helmrelease.yaml | 11 +- kubernetes/apps/default/wallabag/ks.yaml | 1 - .../monitoring/gatus/app/config/config.yaml | 2 +- .../monitoring/gatus/app/externalsecret.yaml | 4 +- kubernetes/apps/monitoring/gatus/ks.yaml | 1 - .../flux/vars/cluster-secrets.sops.yaml | 6 +- kubernetes/flux/vars/cluster-settings.yaml | 2 - 111 files changed, 785 insertions(+), 266 deletions(-) delete mode 100644 ansible/inventory/host_vars/minio.sops.yaml create mode 100644 
ansible/inventory/host_vars/postgresql_v15.yml create mode 100644 ansible/inventory/host_vars/postgresql_v16.yml delete mode 100644 ansible/roles/truenas/handlers/main.yml create mode 100644 ansible/roles/truenas/tasks/jails/init.yml create mode 100644 ansible/roles/truenas/tasks/jails/main.yml create mode 100644 ansible/roles/truenas/tasks/jails/minio-conf.yml create mode 100644 ansible/roles/truenas/tasks/jails/minio-init.yml create mode 100644 ansible/roles/truenas/tasks/jails/postgresql-conf.yml create mode 100644 ansible/roles/truenas/tasks/jails/postgresql-init.yml rename ansible/roles/truenas/templates/{postgres => postgresql}/pg_hba.conf (100%) create mode 100644 kubernetes/apps/default/homelab/truenas/pgdump/externalsecret.yaml create mode 100644 kubernetes/apps/default/homelab/truenas/pgdump/helmrelease.yaml create mode 100644 kubernetes/apps/default/homelab/truenas/pgdump/kustomization.yaml diff --git a/ansible/ansible.cfg b/ansible/ansible.cfg index 5869cbfc4..18a330b1e 100644 --- a/ansible/ansible.cfg +++ b/ansible/ansible.cfg @@ -18,6 +18,7 @@ fact_caching_connection = ~/.ansible/facts_cache remote_port = 22 timeout = 60 host_key_checking = False +privatekeyfile = ~/.ssh/id_ed25519 # Plugin settings vars_plugins_enabled = host_group_vars,community.sops.sops diff --git a/ansible/inventory/group_vars/all/all.sops.yml b/ansible/inventory/group_vars/all/all.sops.yml index ab421e74b..8d1915a66 100644 --- a/ansible/inventory/group_vars/all/all.sops.yml +++ b/ansible/inventory/group_vars/all/all.sops.yml 
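Review bot: The added key `privatekeyfile` is not an Ansible configuration option, so the line is silently ignored and the default key lookup still applies; the `[defaults]` setting is `private_key_file = ~/.ssh/id_ed25519`. It sits next to the pre-existing `host_key_checking = False`, which means every jail this change creates is reached over SSH with no host-key verification; if the jails' host keys can be gathered once after creation, re-enabling checking for the jail group is worth considering. Only part of the `[defaults]` section is visible in the hunk.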
@@ -1,5 +1,9 @@ kind: Secret secret_domain: ENC[AES256_GCM,data:SjdnR9pDjveodvo=,iv:GKvdD7c3bmaQN+CAYoKwAy78em9vYljGyl6VfGmJk9E=,tag:hz92J7d1NokEeyB6vxr3Uw==,type:str] +public_ssh_keys: + - ENC[AES256_GCM,data:/J9ejzvJHV5wdz9Dj0jUmAaVtIkgVpEoIRJocNGhszY2bmu5mruwWSz6E+XkcAGE0zQMo/9N8imIZoXfq0UQSyfCCitrA09x1z0Hf0s3iSA=,iv:jzA3bIQw+pL4tjNASNMwMcdHW+vSxgVo4Czo/ja0AO8=,tag:iTEDjARfH96oXATQu8VR8Q==,type:str] + - ENC[AES256_GCM,data:c105qLvE6iHoBQl4X0qEFDPXOsiA+YGUVK4gl7O0pqHZ6IIs3m1Z28PKl84GuaPL1pV7I55KccQdAnqjQw0XSZ/lWI+IC2BXj3dJ6paLZNU=,iv:lQod/AwDquA22zJLmvpiuQvaPXo1JFSOV+9yybVjMZc=,tag:Z2eArvfrP8YN3irG45wMRw==,type:str] + - ENC[AES256_GCM,data:pMYg+hNpYCl5fwvNbz0bjm0KaEuIGMeBXXblTGpbur17Nxulnn5DQ5H3k8Wash1F9BJeBfQOTGXDx1XEfp2CDlymuLHdjP6xU7+daD0/JbA=,iv:49Mh9zGN5AJgTXGb8lF38jyme46nd7RqKil3PI13ww8=,tag:2c6jSEZImNEWvM3Asc2jhw==,type:str] sops: kms: [] gcp_kms: [] @@ -15,8 +19,8 @@ sops: c3JkOFZzYnpINjQ5QnNkaE9IYUdXL3MKsBelDv/z5nTYC6/1Zm8kmzqEoLBVPnhy v0v/6n1GksmzslbNdKhy+xtxHYrqouhc2P4hNi0R8p8u76RXERN5fg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-11-11T15:03:36Z" - mac: ENC[AES256_GCM,data:PYjJ/WxF8UXZPnccFdjtwsS+W2N1TQmNFtTIHazFLFiSxC4b6li7TcOEpQL2HClWeXwJXkUnWGUfH9YLEPVxlAqBygaDBdghPN0uTrKaV4ZaiAQ1EhtKfGDkIGvb+aDpbRuNH77nXzDv4ws3ObSdTCsHp2LOepi4NVSuEw6MlOY=,iv:Bk+VTEsAyeRQkf9wbcBpANeXvIvGn6JzOuHRM0ilF/s=,tag:6MT3xUDX/o3e1zu8WrGm/A==,type:str] + lastmodified: "2024-01-13T09:43:41Z" + mac: ENC[AES256_GCM,data:R7gzINLxiaqSh4JgP9jhMTG1GaM5WnUA24Uv5OMVB3cHIjgE65o3ybjbmPGpAejpfQ+lKSKKXxeWRpissn9h6DVr1RLi5jnXlngMt5REDiNSsxRI7j3aktTvd2wJQUcGObrhngp+lhFPsufZuOg7hFdvcgCP3SM7sDwrxBaOjgk=,iv:XqaEQtFhBkm1qV7khzhftE2Sxy5xUH/I4/CBqKW9R+w=,tag:FRbncSBOFqVrFTEXmZf+uw==,type:str] pgp: [] unencrypted_regex: ^(kind)$ version: 3.8.1 diff --git a/ansible/inventory/host_vars/minio.sops.yaml b/ansible/inventory/host_vars/minio.sops.yaml deleted file mode 100644 index 4d1355fb2..000000000 --- a/ansible/inventory/host_vars/minio.sops.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ -kind: Secret -minio_access_key: ENC[AES256_GCM,data:4MC50gc06VvP9BViitovlw==,iv:Bu8c986MyeHrMioPYlBG/zSzFv4EOytxTHkXZzI6Iow=,tag:EbRlKgdx63M8CDNa/8RrWQ==,type:str] -minio_secret_key: ENC[AES256_GCM,data:zd7bC1c3pam4xqcsaZOf3A==,iv:8K8x9dcsByZ60pytIPl9ESUbZeu+7S8Z+faQEewDZB8=,tag:3/5b8ZzAIqrVtf37eziwjg==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1hhurqwmfvl9m3vh3hk8urulfzcdsrep2ax2neazqt435yhpamu3qj20asg - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPVy9DRjhqOW05Wm4rNXZo - bFJxem9UZjNSQW5UaTRZaWQ1clZQSHJrNHpVCmo3Y0RPd1BRRC9ZZHJ0SndSUXJv - UkpPWTNOUWFPL1hCUGJrTFBPZml5QncKLS0tIGI5UUJKMXR0d1d3ZzRDSURuWVFl - ZFlyQ1lGbnVPaSs4cytQYzNwRnJabmcKP0ogZqsaoD6heCqmObwttBgE039aLqe2 - R55NPkQJJyFSbDbdDmPApE4IwtXay54QGw2RR4AxOZW4G2dWhdzP3w== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-01-09T13:25:29Z" - mac: ENC[AES256_GCM,data:ro+P8PAr0YDuer3CBf7XBIBz+YlnHGCDGIkKFw1TRvEeJNgNFF6mv+voPyiTFIHRh/541MNlzEyRpc0As1PHU/7O2SLBqKA3GnzaLM4s/5Euu7pXTFl3jtIXtTe1DMGTWmyvyqSNXEoEhPmjFn0bMXKhrINuVWxYkDspZxnnOe4=,iv:MZjiTvWIPacX55RZfVh8qUmVsNPMJaZcJIc8JmxuUag=,tag:Q6MnDbByAno9pwH0xWTKMA==,type:str] - pgp: [] - unencrypted_regex: ^(kind)$ - version: 3.8.1 diff --git a/ansible/inventory/host_vars/postgresql_v15.yml b/ansible/inventory/host_vars/postgresql_v15.yml new file mode 100644 index 000000000..81afe3226 --- /dev/null +++ b/ansible/inventory/host_vars/postgresql_v15.yml @@ -0,0 +1 @@ +postgresql_version: 15 diff --git a/ansible/inventory/host_vars/postgresql_v16.yml b/ansible/inventory/host_vars/postgresql_v16.yml new file mode 100644 index 000000000..ce2de941e --- /dev/null +++ b/ansible/inventory/host_vars/postgresql_v16.yml @@ -0,0 +1 @@ +postgresql_version: 16 diff --git a/ansible/inventory/host_vars/truenas-remote.yaml b/ansible/inventory/host_vars/truenas-remote.yaml index 384f4d1e7..40302316b 100644 --- a/ansible/inventory/host_vars/truenas-remote.yaml 
+++ b/ansible/inventory/host_vars/truenas-remote.yaml @@ -1,4 +1,3 @@ main_nas: false pool_name: vol1 snapshots_interval: "daily:14,weekly:12,monthly:12,yearly:3" -uptime_kuma_id_truenas_cert: Oxu1GVb5tl diff --git a/ansible/inventory/host_vars/truenas.sops.yaml b/ansible/inventory/host_vars/truenas.sops.yaml index b056ec7f6..be58ba5fe 100644 --- a/ansible/inventory/host_vars/truenas.sops.yaml +++ b/ansible/inventory/host_vars/truenas.sops.yaml @@ -2,6 +2,9 @@ kind: Secret root_api_key: ENC[AES256_GCM,data:Fhj1MGeHxe/A6O7uVjMrCEu7J4rsiWrhbXgbAenb5CunoRPu0XLV/227WAFc4wFkboFNnt3bjzugvdvM5w/0JSry,iv:7uuHkrSKGShhIso8RgIJsOSYOxBiyyM/D5Dg+IGDh1Y=,tag:dP4gfIIUAEBUm91h5IHSug==,type:str] ansible_password: ENC[AES256_GCM,data:zRaOy+b26VWMCVIPKLU=,iv:S+BX0fqVizWTZZr0A4MaXkw/4XhE2Pb+RGPjvnWuUpk=,tag:TUcGk8Hp9Zv17L/pmX4E7g==,type:str] ansible_become_pass: ENC[AES256_GCM,data:xGVU7dW/MMI9bV6Vz+M=,iv:6/ikVQfHxjdCy5KKT+Yksj/OFws2WRcy8oDI2Oay7Eo=,tag:JOLmvpOAIjIHJ/K7Eaoxjw==,type:str] +minio_access_key: ENC[AES256_GCM,data:S4jElnraMiUip89QcF9VjQ==,iv:gSgUnDPTgIyXvmXt/ocIB3v6Dcq+c8ADrmQXVwgXVAM=,tag:ykHGBcHbZ431gvkxp6q+iA==,type:str] +minio_secret_key: ENC[AES256_GCM,data:kfeIRjsEGFAsQmVw9QsyoA==,iv:milmhE0Y2mdW6Yx910IsRRwNO7JxsYhUL5wBDTOUBLU=,tag:Ghy68+5i4m/0+IIve23YJQ==,type:str] +postgresql_password: ENC[AES256_GCM,data:Fm/TW9zb36GzPOstV2kt96WJPAJ/0ylsSKDzzJdLmmsUQINSsXag5g==,iv:KkdOsbTN8i6taJXpavBTXCcJhRyMzmwf3gjh/nubu5M=,tag:0wWqT3ij2mudjT/vZT9OjA==,type:str] sops: kms: [] gcp_kms: [] 
@@ -17,8 +20,8 @@ sops: aG5zWW1XclBOS2cxMkwzZ3c1R1psNGsKzeSHHV7AYXCUNiiXJlBRFVWMZtfK3naj VRtF22+DYfjumQuwam2ZzhdLQ//1ciHnkJc58dKeTbYUHzC+fWpaZQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2022-07-21T19:48:18Z" - mac: ENC[AES256_GCM,data:nBonR9Ab5aY+F7w0HE+TRLScRtF5cQNxh3Uvc7jewiLnieolRQtfNiGzKk4YRgqFV8zRTbwS0jvpiqynhxl/ctIKWl2odVDrNkZljidn3jbSz5HUp+f6zxP3DCRXzsBFpunDT8CSdHBhdUWv+82WtFwg2pLH+nTtY11QkH4rQQk=,iv:ILeqDNEEPnb0serEObPMA2LC16ddScH1NwOiZ0M0EHo=,tag:puyv0jvBkCm/X/za6u3oVA==,type:str] + lastmodified: "2024-01-14T10:19:17Z" + mac: ENC[AES256_GCM,data:51zO9hPDmKOQN3ui9+/4tHVg+xYIoNw0y/BQ/f0QSW968ZhotHftQqLS7i9h14871zWPI8/J7m7hWb4X8LIS4Hn8Bf6PsBt6efm0QSsNvvaiUUwisn/WgbQXp7fF6NyN3f1beHJAm5a/qmVbuCYwySwDlZfAbrHnyY3ogq3dKjs=,iv:V2F4Dc7VxodM6d6ioD8tROjwPcU671a8IZzm8GWpihc=,tag:5JU0/QzcGjn2xJLbSB/tJA==,type:str] pgp: [] unencrypted_regex: ^(kind)$ - version: 3.7.3 + version: 3.8.1 diff --git a/ansible/inventory/host_vars/truenas.yaml b/ansible/inventory/host_vars/truenas.yaml index d0ebb9a4e..c8a93c0b6 100644 --- a/ansible/inventory/host_vars/truenas.yaml +++ b/ansible/inventory/host_vars/truenas.yaml @@ -1,5 +1,6 @@ main_nas: true pool_name: storage -service_s3: true +iocage_pool_name: apps +postgresql_pool_name: apps +minio_pool_name: storage snapshots_interval: "daily:14,weekly:12,monthly:3" -uptime_kuma_id_truenas_cert: f8nAZOHoQb diff --git a/ansible/inventory/hosts.yml b/ansible/inventory/hosts.yml index e7f60d6de..ed4cb2d2f 100644 --- a/ansible/inventory/hosts.yml +++ b/ansible/inventory/hosts.yml 
@@ -1,21 +1,21 @@ --- all: hosts: - localhost: - ansible_connection: local - ansible_python_interpreter: /usr/bin/python3 coreelec: ansible_host: coreelec.{{ secret_domain }} ansible_user: root - minio: - ansible_host: 192.168.9.14 - ansible_user: minio children: truenas-instances: hosts: truenas: ansible_host: truenas.{{ secret_domain }} truenas-remote: + ansible_host: truenas-remote.{{ secret_domain }} ansible_port: 35875 vars: ansible_user: homelab + truenas-jails: + hosts: + minio_v2: + postgresql_v15: + postgresql_v16: diff --git a/ansible/roles/truenas/handlers/main.yml b/ansible/roles/truenas/handlers/main.yml deleted file mode 100644 index 89d8a7e5d..000000000 --- a/ansible/roles/truenas/handlers/main.yml +++ /dev/null @@ -1,7 +0,0 @@ ---- -- name: restart postgresql - ansible.builtin.service: - name: postgresql - state: restarted - delegate_to: "{{ postgres_jail_ip.stdout }}" - remote_user: root diff --git a/ansible/roles/truenas/tasks/jails/init.yml b/ansible/roles/truenas/tasks/jails/init.yml new file mode 100644 index 000000000..b0da4d69b --- /dev/null +++ b/ansible/roles/truenas/tasks/jails/init.yml 
@@ -0,0 +1,32 @@
+---
+- block:
+ - name: jail-init | {{ outside_item.item }} | start jail
+ ansible.builtin.shell:
+ cmd: iocage list | grep -q '^.*\s{{ outside_item.item }}\s.*\sdown\s.*$' && iocage start {{ outside_item.item }}
+ failed_when: false
+
+ - name: jail-init | {{ outside_item.item }} | create .ssh directory
+ ansible.builtin.shell:
+ cmd: iocage exec {{ outside_item.item }} 'mkdir -p /root/.ssh; echo "" > /root/.ssh/authorized_keys; chmod 700 /root/.ssh; chmod 600 /root/.ssh/authorized_keys'
+
+ - name: jail-init | {{ outside_item.item }} | deploy ssh keys
+ ansible.builtin.shell:
+ cmd: iocage exec {{ outside_item.item }} 'echo "{{ item }}" >> /root/.ssh/authorized_keys'
+ loop: "{{ public_ssh_keys }}"
+
+ - name: jail-init | {{ outside_item.item }} | activate sshd
+ ansible.builtin.shell:
+ cmd: iocage exec {{ outside_item.item }} 'sysrc sshd_enable="YES"'
+
+ - name: jail-init | {{ outside_item.item }} | sshd permit root login
+ ansible.builtin.shell:
+ cmd: iocage exec {{ outside_item.item }} 'echo "PermitRootLogin yes" >> /etc/ssh/sshd_config'
+
+ - name: jail-init | {{ outside_item.item }} | start sshd
+ ansible.builtin.shell:
+ cmd: iocage exec {{ outside_item.item }} 'service sshd start'
+
+ - name: jail-init | {{ outside_item.item }} | install packages
+ ansible.builtin.shell:
+ cmd: iocage exec {{ outside_item.item }} 'pkg install -y python39 bash sudo; ln -s /usr/local/bin/bash /bin/bash'
+ become: true
diff --git a/ansible/roles/truenas/tasks/jails/main.yml b/ansible/roles/truenas/tasks/jails/main.yml
new file mode 100644
index 000000000..f48e6f9ac
--- /dev/null
+++ b/ansible/roles/truenas/tasks/jails/main.yml
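Review bot: The `sshd permit root login` task writes `PermitRootLogin yes`, which also admits password and keyboard-interactive root logins, while the tasks before it only ever install public keys for root; `PermitRootLogin prohibit-password` keeps the key-based access the rest of the role relies on without that exposure. Appending with `echo ... >> /etc/ssh/sshd_config` is also not idempotent, so a re-run after a partially failed init adds a duplicate directive; `sysrc`-style or `lineinfile`-style management of that line avoids it. The `deploy ssh keys` task interpolates each key into a shell command; the values come from the sops-encrypted `public_ssh_keys`, so injection is unlikely, but writing the file with `ansible.builtin.copy` content or `ansible.posix.authorized_key` would not depend on that.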
@@ -0,0 +1,42 @@
+---
+- name: jails | check if jail exist
+ ansible.builtin.shell:
+ cmd: iocage list --header | awk '{print $2}' | grep --word-regexp {{ item }}
+ loop: "{{ groups['truenas-jails'] }}"
+ register: jails_check
+ changed_when: false
+ failed_when: jails_check.rc != 0 and jails_check.rc != 1
+
+- name: jails | is iocage fetch required
+ ansible.builtin.set_fact:
+ jail_missing: true
+ loop: "{{ jails_check.results }}"
+ when: item.rc == 1
+
+- block:
+ - name: jails | get current FreeBSD release
+ ansible.builtin.shell:
+ cmd: freebsd-version | cut -d '-' -f 1-2
+ register: release
+ failed_when: release.rc != 0
+
+ - name: jails | fetch iocage template {{ release.stdout }}
+ ansible.builtin.shell:
+ cmd: iocage fetch -r {{ release.stdout }}
+ become: true
+
+ - name: jails | create jail
+ ansible.builtin.shell:
+ cmd: iocage create -r {{ release.stdout }} -n {{ item.item }} dhcp=on boot=on
+ loop: "{{ jails_check.results }}"
+ when: item.rc == 1
+ become: true
+
+ - name: jails | init jails
+ ansible.builtin.include_tasks: init.yml
+ loop: "{{ jails_check.results }}"
+ loop_control:
+ loop_var: outside_item
+ when: outside_item.rc == 1
+
+ when: jail_missing
diff --git a/ansible/roles/truenas/tasks/jails/minio-conf.yml b/ansible/roles/truenas/tasks/jails/minio-conf.yml
new file mode 100644
index 000000000..edcda58b4
--- /dev/null
+++ b/ansible/roles/truenas/tasks/jails/minio-conf.yml
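Review bot: `when: jail_missing` on the final block raises an undefined-variable error on every run where all jails already exist, because the `set_fact` that defines `jail_missing` only fires for results with `item.rc == 1`; use `when: jail_missing | default(false)` or set `jail_missing: false` unconditionally before the loop. The `fetch iocage template` task downloads and runs `iocage fetch` with `become: true` on every run where a jail is missing, even if that release was fetched before; harmless, but worth a `creates`-style guard or a comment stating it is intentional.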
@@ -0,0 +1,70 @@
+---
+- name: jail-minio | get jail ip
+ ansible.builtin.shell:
+ cmd: iocage exec minio_v2 ifconfig epair0b | grep 'inet' | awk -F ' ' '{ print $2 }'
+ changed_when: false
+ register: minio_jail_ip
+ become: true
+
+- name: jail-minio_v2 | copy letsencrypt certificate
+ ansible.builtin.copy:
+ src: /mnt/{{ pool_name }}/home/homelab/letsencrypt/xpander.ovh/{{ item.src }}
+ remote_src: true
+ dest: /mnt/{{ iocage_pool_name }}/iocage/jails/minio_v2/root/home/minio/certs/{{ item.dest }}
+ owner: 1002
+ group: 1002
+ mode: 0600
+ loop:
+ - { src: "fullchain.pem", dest: "public.crt" }
+ - { src: "key.pem", dest: "private.key" }
+ register: certificates
+ become: true
+
+- block:
+ - name: jail-minio | install minio
+ ansible.builtin.pkgng:
+ name:
+ - minio
+ - curl
+ state: present
+ register: installation
+
+ - name: jail-minio | create minio configuration in /etc/rc.conf
+ ansible.builtin.blockinfile:
+ path: /etc/rc.conf
+ state: present
+ block: |
+ # MINIO
+ minio_enable="YES"
+ minio_address=":9000"
+ minio_console_address=":9001"
+ minio_disks="/mnt/data"
+ minio_certs="/home/minio/certs"
+ minio_env="MINIO_ACCESS_KEY={{ minio_access_key }} MINIO_SECRET_KEY={{ minio_secret_key }}"
+ no_log: false
+ register: configuration
+
+ - name: jail-minio | restart minio service
+ ansible.builtin.service:
+ name: minio
+ state: restarted
+ enabled: true
+ when: configuration.changed == true or installation.changed == true or certificates.changed == true
+
+ - name: jail-minio | wait for 5 seconds
+ ansible.builtin.pause:
+ seconds: 5
+
+ - name: jail-minio | check minio service
+ ansible.builtin.command: curl -s localhost:9000/minio/health/live
+ register: curl_result
+ ignore_errors: true
+ changed_when: false
+
+ - name: jail-minio | fail if curl command failed
+ ansible.builtin.fail:
+ msg: 'Curl command failed'
+ when: curl_result.rc != 0
+
+ delegate_to: "{{ minio_jail_ip.stdout }}"
+ remote_user: root
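Review bot: The `create minio configuration` task writes `MINIO_ACCESS_KEY`/`MINIO_SECRET_KEY` into `/etc/rc.conf`, which is world-readable on FreeBSD, so any local account in the jail can read the MinIO root credentials, and the explicit `no_log: false` makes the blockinfile diff, credentials included, show up in Ansible output and logs; set `no_log: true` on this task and consider sourcing the two values from a root-only `0600` file rather than `rc.conf` itself. The health check `curl -s localhost:9000/minio/health/live` speaks plain HTTP to a listener that this same hunk puts behind TLS via `minio_certs`, so it will likely fail right after a successful restart; `curl -sk https://localhost:9000/minio/health/live` (or a hostname that matches the Let's Encrypt certificate, without `-k`) is what the check needs. `MINIO_ACCESS_KEY`/`MINIO_SECRET_KEY` are also the deprecated names; current releases document `MINIO_ROOT_USER`/`MINIO_ROOT_PASSWORD`. The literal `xpander.ovh` in the certificate path discloses the domain that `secret_domain` is sops-encrypted to protect elsewhere in this inventory.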
diff --git a/ansible/roles/truenas/tasks/jails/minio-init.yml b/ansible/roles/truenas/tasks/jails/minio-init.yml new file mode 100644 index 000000000..52a328bbb --- /dev/null +++ b/ansible/roles/truenas/tasks/jails/minio-init.yml @@ -0,0 +1,32 @@ +--- +- block: + - name: jail-minio_v2_v2 | create zfs pools + community.general.zfs: + name: "{{ minio_pool_name }}/minio_v2" + state: present + extra_zfs_properties: + atime: off + setuid: off + + - name: jail-minio_v2 | create empty data dir + ansible.builtin.shell: + cmd: iocage exec minio_v2 mkdir -p /mnt/data + + - name: jail-minio_v2 | mount data + ansible.builtin.shell: + cmd: iocage fstab -a minio /mnt/{{ minio_pool_name }}/minio /mnt/data nullfs rw 0 0 + + - name: jail-minio_v2 | change create minio user + ansible.builtin.shell: + cmd: iocage exec minio_v2 'pw useradd minio -u 1002 -g 1002 -d /home/minio -m' + + - name: jail-minio_v2 | change owner on data dir + ansible.builtin.shell: + cmd: iocage exec minio_v2 'chown 1002:1002 /mnt/data' + + - name: jail-minio_v2 | create certificates folder + ansible.builtin.file: + path: /mnt/{{ iocage_pool_name }}/iocage/jails/minio_v2/root/home/minio/certs + owner: 1002 + group: 1002 + become: true diff --git a/ansible/roles/truenas/tasks/jails/postgresql-conf.yml b/ansible/roles/truenas/tasks/jails/postgresql-conf.yml new file mode 100644 index 000000000..6f63021ee --- /dev/null +++ b/ansible/roles/truenas/tasks/jails/postgresql-conf.yml 
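Review bot: The `mount data` task runs `iocage fstab -a minio /mnt/{{ minio_pool_name }}/minio /mnt/data nullfs rw 0 0`, targeting a jail named `minio` and a dataset named `minio`, while the dataset created just above and every other task in this file use `minio_v2`; as written `/mnt/data` inside the `minio_v2` jail is never backed by the new dataset, and the `.minio.sys` existence check in `tasks/main.yml` will keep re-running this init. It should read `iocage fstab -a minio_v2 /mnt/{{ minio_pool_name }}/minio_v2 /mnt/data nullfs rw 0 0`. The `create minio user` task passes `-g 1002` without creating that group first; if `pw useradd` rejects a missing group this fails on a fresh jail, so a `pw groupadd minio -g 1002` step before it is worth adding. The task name `jail-minio_v2_v2` looks like a typo.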
@@ -0,0 +1,64 @@ +--- +- name: jail-{{ outside_item.item }} | get jail ip + ansible.builtin.shell: + cmd: iocage exec {{ outside_item.item }} ifconfig epair0b | grep 'inet' | awk -F ' ' '{ print $2 }' + changed_when: false + register: postgresql_jail_ip + become: true + +- name: jail-{{ outside_item.item }} | copy letsencrypt certificate + ansible.builtin.copy: + src: /mnt/{{ pool_name }}/home/homelab/letsencrypt/xpander.ovh/{{ item.src }} + remote_src: true + dest: /mnt/{{ postgresql_pool_name }}/postgresql/data{{ hostvars[outside_item.item]['postgresql_version'] }}/{{ item.dest }} + owner: 770 + group: 770 + mode: 0600 + loop: + - { src: "fullchain.pem", dest: "server.crt" } + - { src: "key.pem", dest: "server.key" } + register: certificates + become: true + tags: + - certificates + +- block: + - name: jail-{{ outside_item.item }} | configure pg_hba + ansible.builtin.template: + src: postgresql/pg_hba.conf + dest: /var/db/postgres/data{{ hostvars[outside_item.item]['postgresql_version'] }}/pg_hba.conf + owner: postgres + group: postgres + register: pg_hba + + - name: jail-{{ outside_item.item }} | postgresql configuration + community.postgresql.postgresql_set: + name: "{{ item.name }}" + value: "{{ item.value }}" + loop: + # listen to all addresses + - { name: 'listen_addresses', value: '*' } + # disable full page writes because of ZFS + - { name: 'full_page_writes', value: 'off' } + # SSL configuration + - { name: 'ssl', value: 'on' } + - { name: 'ssl_cert_file', value: 'server.crt' } + - { name: 'ssl_key_file', value: 'server.key' } + - { name: 'ssl_prefer_server_ciphers', value: 'on' } + loop_control: + loop_var: item + become: true + vars: + ansible_become_user: postgres + register: pg_conf + + - name: restart postgresql + ansible.builtin.service: + name: postgresql + state: reloaded + when: certificates.changed or pg_hba.changed or pg_conf.changed + tags: + - certificates + + delegate_to: "{{ postgresql_jail_ip.stdout }}" + remote_user: root 
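Review bot: `listen_addresses` is a restart-only parameter in PostgreSQL, so the task named `restart postgresql`, which actually does `state: reloaded`, will not apply it when it changes on an already-running instance (the `ssl*` settings and a new certificate are reloadable, so the `certificates` path is fine); either restart when `pg_conf.changed` and reload only for `certificates.changed`, or rename the task to say what it does. The certificate copy hard-codes uid/gid `770` and the literal domain `xpander.ovh`; `owner: postgres` would not depend on the package's uid, and the plaintext domain undercuts the sops-encrypted `secret_domain` used elsewhere in the inventory. The `pg_hba.conf` template is renamed in this commit but not shown, so whether remote access is restricted to `hostssl` cannot be checked here.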
diff --git a/ansible/roles/truenas/tasks/jails/postgresql-init.yml b/ansible/roles/truenas/tasks/jails/postgresql-init.yml new file mode 100644 index 000000000..7c9075f44 --- /dev/null +++ b/ansible/roles/truenas/tasks/jails/postgresql-init.yml 
@@ -0,0 +1,134 @@ +--- +- name: jail-{{ outside_item.item }} | get jail ip + ansible.builtin.shell: + cmd: iocage exec {{ outside_item.item }} ifconfig epair0b | grep 'inet' | awk -F ' ' '{ print $2 }' + changed_when: false + register: postgresql_jail_ip + become: true + +- block: + - name: jail-{{ outside_item.item }} | create zfs pools + community.general.zfs: + name: "{{ item }}" + state: present + loop: + - "{{ postgresql_pool_name }}/postgresql" + - "{{ postgresql_pool_name }}/postgresql/data{{ hostvars[outside_item.item]['postgresql_version'] }}" + + - name: jail-{{ outside_item.item }} | configure zfs pool postgresql + community.general.zfs: + name: "{{ postgresql_pool_name }}/postgresql" + state: present + extra_zfs_properties: + atime: off + setuid: off + + - name: jail-{{ outside_item.item }} | create empty data{{ hostvars[outside_item.item]['postgresql_version'] }} dir + ansible.builtin.shell: + cmd: iocage exec {{ outside_item.item }} mkdir -p /var/db/postgres/data{{ hostvars[outside_item.item]['postgresql_version'] }} + + - name: jail-{{ outside_item.item }} | mount data{{ hostvars[outside_item.item]['postgresql_version'] }} + ansible.builtin.shell: + cmd: iocage fstab -a {{ outside_item.item }} /mnt/{{ postgresql_pool_name }}/postgresql/data{{ hostvars[outside_item.item]['postgresql_version'] }} /var/db/postgres/data{{ hostvars[outside_item.item]['postgresql_version'] }} nullfs rw 0 0 + become: true + +- block: + - name: jail-{{ outside_item.item }} | packages + community.general.pkgng: + name: + - postgresql{{ hostvars[outside_item.item]['postgresql_version'] }}-server + - postgresql{{ hostvars[outside_item.item]['postgresql_version'] }}-contrib + - postgresql{{ hostvars[outside_item.item]['postgresql_version'] }}-client + - py39-pip + state: present + + - name: jail-{{ outside_item.item }} | pip packages + ansible.builtin.pip: + name: psycopg2 + state: present + + - name: jail-{{ outside_item.item }} | change postgres/data{{ 
hostvars[outside_item.item]['postgresql_version'] }} mod + ansible.builtin.file: + path: /var/db/postgres/data{{ hostvars[outside_item.item]['postgresql_version'] }} + owner: postgres + group: postgres + + - name: jail-{{ outside_item.item }} | initdb + ansible.builtin.shell: + cmd: su -m postgres -c 'initdb -E UTF-8 /var/db/postgres/data{{ hostvars[outside_item.item]['postgresql_version'] }}' + + - name: jail-{{ outside_item.item }} | move base and pg_wal + ansible.builtin.shell: + cmd: su -m postgres -c 'mv /var/db/postgres/data{{ hostvars[outside_item.item]['postgresql_version'] }}/{{ item }} /var/db/postgres/data{{ hostvars[outside_item.item]['postgresql_version'] }}/{{ item }}0' + loop: + - base + - pg_wal + + - name: jail-{{ outside_item.item }} | create base and pg_wal empty dirs + ansible.builtin.file: + path: /var/db/postgres/data{{ hostvars[outside_item.item]['postgresql_version'] }}/{{ item }} + state: directory + owner: postgres + group: postgres + loop: + - base + - pg_wal + + delegate_to: "{{ postgresql_jail_ip.stdout }}" + remote_user: root + +- block: + - name: jail-{{ outside_item.item }} | create missing zfs pools + community.general.zfs: + name: "{{ item }}" + state: present + loop: + - "{{ postgresql_pool_name }}/postgresql/data{{ hostvars[outside_item.item]['postgresql_version'] }}/base" + - "{{ postgresql_pool_name }}/postgresql/data{{ hostvars[outside_item.item]['postgresql_version'] }}/pg_wal" + + - name: jail-{{ outside_item.item }} | mount base + ansible.builtin.shell: + cmd: iocage fstab -a {{ outside_item.item }} /mnt/{{ postgresql_pool_name }}/postgresql/data{{ hostvars[outside_item.item]['postgresql_version'] }}/{{ item }} /var/db/postgres/data{{ hostvars[outside_item.item]['postgresql_version'] }}/{{ item }} nullfs rw 0 0 + loop: + - base + - pg_wal + + become: true + +- block: + - name: jail-{{ outside_item.item }} | move base and pg_wal content to mounts + ansible.builtin.shell: + cmd: mv /var/db/postgres/data{{ 
hostvars[outside_item.item]['postgresql_version'] }}/{{ item }}0/* /var/db/postgres/data{{ hostvars[outside_item.item]['postgresql_version'] }}/{{ item }}/; rmdir /var/db/postgres/data{{ hostvars[outside_item.item]['postgresql_version'] }}/{{ item }}0 + loop: + - base + - pg_wal + + - name: jail-{{ outside_item.item }} | change mod + ansible.builtin.file: + path: /var/db/postgres/data{{ hostvars[outside_item.item]['postgresql_version'] }}/{{ item }} + state: directory + owner: postgres + group: postgres + recurse: true + loop: + - base + - pg_wal + + - name: jail-{{ outside_item.item }} | enable postgresql service + community.general.sysrc: + name: postgresql_enable + state: present + value: "YES" + + - name: jail-{{ outside_item.item }} | start postgresql service + ansible.builtin.service: + name: postgresql + state: started + + - name: jail-{{ outside_item.item }} | change postgresql password + postgresql_query: + login_user: postgres + query: ALTER USER postgres PASSWORD '{{ postgresql_password }}' + + delegate_to: "{{ postgresql_jail_ip.stdout }}" + remote_user: root diff --git a/ansible/roles/truenas/tasks/main.yml b/ansible/roles/truenas/tasks/main.yml index 1df06d640..d55a7e043 100644 --- a/ansible/roles/truenas/tasks/main.yml +++ b/ansible/roles/truenas/tasks/main.yml 
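Review bot: The `change postgresql password` task builds SQL by interpolating `{{ postgresql_password }}` into `ALTER USER postgres PASSWORD '...'`, so a password containing a single quote breaks or alters the statement, and without `no_log: true` the full query, password included, is printed in verbose runs and kept in logs. `community.postgresql.postgresql_user` with `name: postgres`, `password: "{{ postgresql_password }}"`, `login_user: postgres` and `no_log: true` does the same thing safely and idempotently. The `pip packages` task installs `psycopg2` from source, which needs a compiler and `pg_config` inside the jail; the `py39-psycopg2` package via `pkgng`, which this file already uses, avoids that dependency.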
@@ -7,3 +7,43 @@ - ansible.builtin.include_tasks: wireguard.yml when: "main_nas == false" + +- ansible.builtin.include_tasks: jails/main.yml + when: "main_nas" + +- block: + - ansible.builtin.shell: + cmd: test -f /mnt/{{ minio_pool_name }}/minio_v2/.minio.sys/config/config.json/xl.meta + register: minio_data_exists + become: true + changed_when: false + failed_when: minio_data_exists.rc != 0 and minio_data_exists.rc != 1 + + - ansible.builtin.include_tasks: jails/minio-init.yml + when: minio_data_exists.rc == 1 + + - ansible.builtin.include_tasks: jails/minio-conf.yml + tags: + - certificates + + - ansible.builtin.shell: + cmd: test -f /mnt/{{ postgresql_pool_name }}/postgresql/data{{ hostvars[item]['postgresql_version'] }}/postgresql.conf + loop: "{{ groups['truenas-jails'] | select('search', 'postgresql') | list }}" + register: postgresql_data_exists + become: true + changed_when: false + failed_when: postgresql_data_exists.rc != 0 and postgresql_data_exists.rc != 1 + + - ansible.builtin.include_tasks: jails/postgresql-init.yml + loop: "{{ postgresql_data_exists.results }}" + loop_control: + loop_var: outside_item + when: outside_item.rc == 1 + + - ansible.builtin.include_tasks: jails/postgresql-conf.yml + loop: "{{ postgresql_data_exists.results }}" + loop_control: + loop_var: outside_item + tags: + - certificates + when: "main_nas" diff --git a/ansible/roles/truenas/templates/postgres/pg_hba.conf b/ansible/roles/truenas/templates/postgresql/pg_hba.conf similarity index 100% rename from ansible/roles/truenas/templates/postgres/pg_hba.conf rename to ansible/roles/truenas/templates/postgresql/pg_hba.conf diff --git a/ansible/roles/truenas/templates/scripts/snapshots_prune.sh b/ansible/roles/truenas/templates/scripts/snapshots_prune.sh index 93479e440..57eb1980b 100644 --- a/ansible/roles/truenas/templates/scripts/snapshots_prune.sh +++ b/ansible/roles/truenas/templates/scripts/snapshots_prune.sh 
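Review bot: The `include_tasks: jails/postgresql-conf.yml` carries `tags: [certificates]`, but the `test -f .../postgresql.conf` task that registers `postgresql_data_exists` does not, so a run limited to `--tags certificates` skips the check and the include then fails on an undefined `postgresql_data_exists`; the `get jail ip` task inside `postgresql-conf.yml` has the same problem, since tags on `include_tasks` are not inherited by the included file without `apply`. Add `tags: [always]` to the two existence checks and the `get jail ip` tasks, or use `include_tasks` with `apply: { tags: [certificates] }`. The MinIO check keys on the internal layout path `.minio.sys/config/config.json/xl.meta`, which MinIO may change between releases; testing for the `.minio.sys` directory alone is a more stable marker.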
@@ -11,6 +11,7 @@ POOL_NAME="{{ pool_name }}" # Prune ${SCRIPT_PATH}/snapshots_prune.py --recursive --intervals ${INTERVAL} ${POOL_NAME} -${SCRIPT_PATH}/snapshots_prune.py --recursive --intervals daily:14 ${POOL_NAME}{% if not main_nas %}/replication/storage{% endif %}/minio +${SCRIPT_PATH}/snapshots_prune.py --recursive --intervals daily:14 ${POOL_NAME}{% if not main_nas %}/replication/storage{% endif %}/minio_v2 {% if main_nas %}${SCRIPT_PATH}/snapshots_prune.py --recursive --intervals daily:7 ${POOL_NAME}/video{% endif %} + ${SCRIPT_PATH}/snapshots_clearempty.py --recursive ${POOL_NAME} diff --git a/ansible/shell.nix b/ansible/shell.nix index 4948bf11d..f936cb8d7 100644 --- a/ansible/shell.nix +++ b/ansible/shell.nix @@ -3,5 +3,6 @@ with pkgs; mkShell { buildInputs = [ ansible + sshpass ]; } diff --git a/kubernetes/apps/default/atuin/app/externalsecret.yaml b/kubernetes/apps/default/atuin/app/externalsecret.yaml index 99c2a2ef7..d1b72a2b9 100644 --- a/kubernetes/apps/default/atuin/app/externalsecret.yaml +++ b/kubernetes/apps/default/atuin/app/externalsecret.yaml @@ -15,10 +15,10 @@ spec: engineVersion: v2 data: # App - ATUIN_DB_URI: "postgres://{{ .POSTGRES_USER }}:{{ .POSTGRES_PASS }}@postgres-rw.default.svc.cluster.local/atuin" + ATUIN_DB_URI: "postgres://{{ .POSTGRES_USER }}:{{ .POSTGRES_PASS }}@postgres.${SECRET_DOMAIN}/atuin" # Postgres Init INIT_POSTGRES_DBNAME: atuin - INIT_POSTGRES_HOST: postgres-rw.default.svc.cluster.local + INIT_POSTGRES_HOST: postgres.${SECRET_DOMAIN} INIT_POSTGRES_USER: "{{ .POSTGRES_USER }}" INIT_POSTGRES_PASS: "{{ .POSTGRES_PASS }}" INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" @@ -26,4 +26,4 @@ spec: - extract: key: atuin - extract: - key: cloudnative-pg + key: generic diff --git a/kubernetes/apps/default/atuin/app/helmrelease.yaml b/kubernetes/apps/default/atuin/app/helmrelease.yaml index 18e158625..764280a63 100644 --- a/kubernetes/apps/default/atuin/app/helmrelease.yaml 
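Review bot: `sshpass` is added to the dev shell without a comment saying what needs it; its only job is feeding a password to ssh non-interactively, which suggests the jail bootstrap (the `remote_user: root` delegation in the postgresql-init tasks earlier in this patch) relies on password authentication to root. A one-line comment such as `sshpass # password auth for first-contact jail bootstrap only` would record the intent, and once an authorized key is installed in the jail the dependency could be dropped.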
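Review bot: `ATUIN_DB_URI` now points at `postgres.${SECRET_DOMAIN}`, a host outside the cluster, but carries no `sslmode` parameter; drivers that accept this URI form default to `prefer`, which falls back to cleartext and never verifies the server certificate, so the TLS this patch deploys to the PostgreSQL jail is not enforced on this connection. Assuming the deployed certificate covers that name, as the Authelia `TLS_SERVER_NAME` setting later in this patch implies, `ATUIN_DB_URI: "postgres://{{ .POSTGRES_USER }}:{{ .POSTGRES_PASS }}@postgres.${SECRET_DOMAIN}/atuin?sslmode=verify-full"` makes the connection fail closed. The same applies to `DATABASE_URL` in the ghostfolio externalsecret, `HASS_SECRET_DB_URL` in home-assistant and `database_url` in invidious further down in this patch.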
+++ b/kubernetes/apps/default/atuin/app/helmrelease.yaml @@ -33,9 +33,8 @@ spec: initContainers: init-db: image: - repository: ghcr.io/auricom/postgres-init - tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0 - pullPolicy: IfNotPresent + repository: ghcr.io/onedr0p/postgres-init + tag: 16 envFrom: &envFrom - secretRef: name: atuin-secret diff --git a/kubernetes/apps/default/atuin/ks.yaml b/kubernetes/apps/default/atuin/ks.yaml index 9a752263a..1249b524f 100644 --- a/kubernetes/apps/default/atuin/ks.yaml +++ b/kubernetes/apps/default/atuin/ks.yaml @@ -7,7 +7,6 @@ metadata: namespace: flux-system spec: dependsOn: - - name: cluster-apps-cloudnative-pg-cluster - name: cluster-apps-external-secrets-stores path: ./kubernetes/apps/default/atuin/app prune: true diff --git a/kubernetes/apps/default/authelia/app/externalsecret.yaml b/kubernetes/apps/default/authelia/app/externalsecret.yaml index d6b8b7fb5..e7f116c30 100644 --- a/kubernetes/apps/default/authelia/app/externalsecret.yaml +++ b/kubernetes/apps/default/authelia/app/externalsecret.yaml 
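Review bot: The init-db image moves from a digest-pinned reference (`15.5@sha256:…`) to the floating tag `ghcr.io/onedr0p/postgres-init:16`, so the container that receives the database superuser password is now whatever that tag resolves to at pull time, and the digest that let the exact image be audited is gone. Pin the new image the same way, `tag: 16@sha256:<digest of the intended image>`, keeping the human-readable tag in front. The same replacement is made in the authelia, babybuddy, bazarr, freshrss, ghostfolio, home-assistant, immich and invidious helmreleases and in the new pgdump helmrelease later in this patch.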
@@ -22,12 +22,13 @@ spec: AUTHELIA_SESSION_SECRET: "{{ .AUTHELIA_SESSION_SECRET }}" AUTHELIA_STORAGE_ENCRYPTION_KEY: "{{ .AUTHELIA_STORAGE_ENCRYPTION_KEY }}" AUTHELIA_STORAGE_POSTGRES_DATABASE: &dbName authelia - AUTHELIA_STORAGE_POSTGRES_HOST: &dbHost postgres-rw.default.svc.cluster.local + AUTHELIA_STORAGE_POSTGRES_HOST: &dbHost postgres.${SECRET_DOMAIN} AUTHELIA_STORAGE_POSTGRES_USERNAME: &dbUser "{{ .AUTHELIA_STORAGE_POSTGRES_USERNAME }}" AUTHELIA_STORAGE_POSTGRES_PASSWORD: &dbPass "{{ .AUTHELIA_STORAGE_POSTGRES_PASSWORD }}" + AUTHELIA_STORAGE_POSTGRES_TLS_SERVER_NAME: *dbHost + AUTHELIA_STORAGE_POSTGRES_TLS_SKIP_VERIFY: "false" GRAFANA_OAUTH_CLIENT_SECRET: "{{ .GRAFANA_OAUTH_CLIENT_SECRET }}" IMMICH_OAUTH_CLIENT_SECRET: "{{ .IMMICH_OAUTH_CLIENT_SECRET }}" - MINIFLUX_OAUTH_CLIENT_SECRET: "{{ .MINIFLUX_OAUTH_CLIENT_SECRET }}" WEAVEGITOPS_OAUTH_CLIENT_SECRET: "{{ .WEAVEGITOPS_OAUTH_CLIENT_SECRET }}" GITEA_OAUTH_CLIENT_SECRET: "{{ .GITEA_OAUTH_CLIENT_SECRET }}" # Postgres Init @@ -39,7 +40,7 @@ spec: dataFrom: - extract: key: authelia - - extract: - key: cloudnative-pg - extract: key: lldap + - extract: + key: generic diff --git a/kubernetes/apps/default/authelia/app/helmrelease.yaml b/kubernetes/apps/default/authelia/app/helmrelease.yaml index b62b2dc0f..c25fbede6 100644 --- a/kubernetes/apps/default/authelia/app/helmrelease.yaml +++ b/kubernetes/apps/default/authelia/app/helmrelease.yaml @@ -51,10 +51,10 @@ spec: reloader.stakater.com/auto: "true" initContainers: init-db: + order: 1 image: - repository: ghcr.io/auricom/postgres-init - tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0 - pullPolicy: IfNotPresent + repository: ghcr.io/onedr0p/postgres-init + tag: 16 envFrom: &envFrom - secretRef: name: authelia-secret 
@@ -94,8 +94,6 @@ spec: AUTHELIA_SESSION_NAME: authelia-home-ops AUTHELIA_SESSION_REDIS_HOST: authelia-redis.default.svc.cluster.local. AUTHELIA_SESSION_REDIS_PORT: 6379 - AUTHELIA_STORAGE_POSTGRES_DATABASE: authelia - AUTHELIA_STORAGE_POSTGRES_HOST: ${POSTGRES_HOST} AUTHELIA_TELEMETRY_METRICS_ADDRESS: tcp://0.0.0.0:8080 AUTHELIA_TELEMETRY_METRICS_ENABLED: "true" AUTHELIA_THEME: dark diff --git a/kubernetes/apps/default/authelia/ks.yaml b/kubernetes/apps/default/authelia/ks.yaml index 4209697c6..b2a082a84 100644 --- a/kubernetes/apps/default/authelia/ks.yaml +++ b/kubernetes/apps/default/authelia/ks.yaml @@ -8,7 +8,6 @@ metadata: spec: dependsOn: - name: cluster-apps-authelia-redis - - name: cluster-apps-cloudnative-pg-cluster - name: cluster-apps-external-secrets-stores path: ./kubernetes/apps/default/authelia/app prune: true diff --git a/kubernetes/apps/default/babybuddy/app/externalsecret.yaml b/kubernetes/apps/default/babybuddy/app/externalsecret.yaml index c2057f887..21d2aefc9 100644 --- a/kubernetes/apps/default/babybuddy/app/externalsecret.yaml +++ b/kubernetes/apps/default/babybuddy/app/externalsecret.yaml @@ -16,7 +16,7 @@ spec: data: # App DB_NAME: &dbName babybuddy - DB_HOST: &dbHost postgres-rw.default.svc.cluster.local + DB_HOST: &dbHost postgres.${SECRET_DOMAIN} DB_USER: &dbUser "{{ .POSTGRES_USER }}" DB_PASS: &dbPass "{{ .POSTGRES_PASS }}" SECRET_KEY: "{{ .BABYBUDDY_SECRET_KEY }}" @@ -32,4 +32,4 @@ spec: - extract: key: babybuddy - extract: - key: cloudnative-pg + key: generic diff --git a/kubernetes/apps/default/babybuddy/app/helmrelease.yaml b/kubernetes/apps/default/babybuddy/app/helmrelease.yaml index b3f5dd214..bf9abf5f4 100644 --- a/kubernetes/apps/default/babybuddy/app/helmrelease.yaml +++ b/kubernetes/apps/default/babybuddy/app/helmrelease.yaml 
@@ -33,15 +33,16 @@ spec: reloader.stakater.com/auto: "true" type: statefulset initContainers: - 01-init-db: + init-db: + order: 1 image: - repository: ghcr.io/auricom/postgres-init - tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0 - pullPolicy: IfNotPresent + repository: ghcr.io/onedr0p/postgres-init + tag: 16 envFrom: &envFrom - secretRef: name: babybuddy-secret - 02-migrations: + migrations: + order: 2 image: repository: ghcr.io/auricom/babybuddy tag: 2.1.2@sha256:c5529ddb13b5e704ba997c3f555f5e4dcf9f83080370bbb00eef22a10b2c2915 @@ -74,14 +75,14 @@ spec: requests: cpu: 100m memory: 256Mi - statefulset: - volumeClaimTemplates: - - name: config - accessMode: ReadWriteOnce - size: 1Gi - storageClass: rook-ceph-block - globalMounts: - - path: /config + # statefulset: + # volumeClaimTemplates: + # - name: config + # accessMode: ReadWriteOnce + # size: 1Gi + # storageClass: rook-ceph-block + # globalMounts: + # - path: /config service: main: ports: diff --git a/kubernetes/apps/default/babybuddy/ks.yaml b/kubernetes/apps/default/babybuddy/ks.yaml index a53060746..32d66518d 100644 --- a/kubernetes/apps/default/babybuddy/ks.yaml +++ b/kubernetes/apps/default/babybuddy/ks.yaml @@ -12,9 +12,8 @@ spec: kind: GitRepository name: home-ops-kubernetes dependsOn: - - name: cluster-apps-cloudnative-pg-cluster - name: cluster-apps-external-secrets-stores - - name: cluster-apps-volsync-app + # - name: cluster-apps-volsync-app interval: 30m retryInterval: 1m timeout: 3m diff --git a/kubernetes/apps/default/bazarr/app/externalsecret.yaml b/kubernetes/apps/default/bazarr/app/externalsecret.yaml index 88b47a1f6..2133fecd3 100644 --- a/kubernetes/apps/default/bazarr/app/externalsecret.yaml +++ b/kubernetes/apps/default/bazarr/app/externalsecret.yaml 
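Review bot: The `statefulset.volumeClaimTemplates` block for `/config` is commented out rather than removed, and the companion ks.yaml hunk comments out the volsync dependency the same way, leaving dead configuration with no explanation while `type: statefulset` stays in place. If the PVC is no longer wanted, delete both blocks (and consider whether `statefulset` is still the right controller type); if this is a temporary migration step, replace the commented lines with a single `# TODO: /config persistence disabled during the PostgreSQL migration — restore or drop` so the intent survives the commit. With nothing mounted at `/config` the container presumably starts with an empty configuration on every restart — worth confirming babybuddy keeps nothing it needs there.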
@@ -17,7 +17,7 @@ spec: # App POSTGRES_ENABLED: "true" POSTGRES_DATABASE: &dbName bazarr - POSTGRES_HOST: &dbHost postgres-rw.default.svc.cluster.local + POSTGRES_HOST: &dbHost postgres.${SECRET_DOMAIN} POSTGRES_USERNAME: &dbUser "{{ .POSTGRES_USER }}" POSTGRES_PASSWORD: &dbPass "{{ .POSTGRES_PASS }}" POSTGRES_PORT: "5432" @@ -31,4 +31,4 @@ spec: - extract: key: bazarr - extract: - key: cloudnative-pg + key: generic diff --git a/kubernetes/apps/default/bazarr/app/helmrelease.yaml b/kubernetes/apps/default/bazarr/app/helmrelease.yaml index 7eac8e4d5..03f04067b 100644 --- a/kubernetes/apps/default/bazarr/app/helmrelease.yaml +++ b/kubernetes/apps/default/bazarr/app/helmrelease.yaml @@ -45,10 +45,10 @@ spec: reloader.stakater.com/auto: "true" initContainers: init-db: + order: 1 image: - repository: ghcr.io/auricom/postgres-init - tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0 - pullPolicy: IfNotPresent + repository: ghcr.io/onedr0p/postgres-init + tag: 16 envFrom: &envFrom - secretRef: name: atuin-secret diff --git a/kubernetes/apps/default/bazarr/ks.yaml b/kubernetes/apps/default/bazarr/ks.yaml index 0d53a9b9b..7ed02ec62 100644 --- a/kubernetes/apps/default/bazarr/ks.yaml +++ b/kubernetes/apps/default/bazarr/ks.yaml @@ -7,7 +7,6 @@ metadata: namespace: flux-system spec: dependsOn: - - name: cluster-apps-cloudnative-pg-cluster - name: cluster-apps-external-secrets-stores - name: cluster-apps-volsync-app path: ./kubernetes/apps/default/bazarr/app diff --git a/kubernetes/apps/default/cloudnative-pg/cluster/cluster.yaml b/kubernetes/apps/default/cloudnative-pg/cluster/cluster.yaml index dbe719b3b..8040bf104 100644 --- a/kubernetes/apps/default/cloudnative-pg/cluster/cluster.yaml +++ b/kubernetes/apps/default/cloudnative-pg/cluster/cluster.yaml 
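Review bot: In the bazarr helmrelease hunk the init-db container's `envFrom` still references `atuin-secret` (context line), so the new `ghcr.io/onedr0p/postgres-init:16` container would read atuin's `INIT_POSTGRES_*` values and provision atuin's database and role, not bazarr's, while bazarr's own `POSTGRES_*` values live in the bazarr externalsecret above. This predates the commit, but the migration to a fresh server is where it will show; it should reference the secret the bazarr ExternalSecret targets (its `target.name` is outside this hunk), and that secret should carry the `INIT_POSTGRES_*` keys the init image expects.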
@@ -39,7 +39,7 @@ spec: # - name: postgres-v6 # barmanObjectStore: # destinationPath: s3://postgresql/ - # endpointURL: http://minio.${SECRET_DOMAIN}:9000 + # endpointURL: https://minio.${SECRET_DOMAIN}:9000 # s3Credentials: # accessKeyId: # name: postgres-minio diff --git a/kubernetes/apps/default/freshrss/app/externalsecret.yaml b/kubernetes/apps/default/freshrss/app/externalsecret.yaml index de8860db1..eeaaf8d0e 100644 --- a/kubernetes/apps/default/freshrss/app/externalsecret.yaml +++ b/kubernetes/apps/default/freshrss/app/externalsecret.yaml @@ -16,12 +16,12 @@ spec: data: # Postgres Init INIT_POSTGRES_DBNAME: freshrss - INIT_POSTGRES_HOST: postgres-rw.default.svc.cluster.local + INIT_POSTGRES_HOST: postgres.${SECRET_DOMAIN} INIT_POSTGRES_USER: "{{ .POSTGRES_USER }}" INIT_POSTGRES_PASS: "{{ .POSTGRES_PASS }}" INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" dataFrom: - extract: - key: cloudnative-pg + key: generic - extract: key: freshrss diff --git a/kubernetes/apps/default/freshrss/app/helmrelease.yaml b/kubernetes/apps/default/freshrss/app/helmrelease.yaml index f8347a52a..b6a623caf 100644 --- a/kubernetes/apps/default/freshrss/app/helmrelease.yaml +++ b/kubernetes/apps/default/freshrss/app/helmrelease.yaml @@ -34,10 +34,10 @@ spec: reloader.stakater.com/auto: "true" initContainers: init-db: + order: 1 image: - repository: ghcr.io/auricom/postgres-init - tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0 - pullPolicy: IfNotPresent + repository: ghcr.io/onedr0p/postgres-init + tag: 16 envFrom: &envFrom - secretRef: name: freshrss-secret diff --git a/kubernetes/apps/default/freshrss/ks.yaml b/kubernetes/apps/default/freshrss/ks.yaml index fb35721fa..e978b0ccf 100644 --- a/kubernetes/apps/default/freshrss/ks.yaml +++ b/kubernetes/apps/default/freshrss/ks.yaml 
@@ -12,7 +12,6 @@ spec: kind: GitRepository name: home-ops-kubernetes dependsOn: - - name: cluster-apps-cloudnative-pg-cluster - name: cluster-apps-external-secrets-stores - name: cluster-apps-volsync-app interval: 30m diff --git a/kubernetes/apps/default/ghostfolio/app/externalsecret.yaml b/kubernetes/apps/default/ghostfolio/app/externalsecret.yaml index 6527d7d6a..32b792b1c 100644 --- a/kubernetes/apps/default/ghostfolio/app/externalsecret.yaml +++ b/kubernetes/apps/default/ghostfolio/app/externalsecret.yaml @@ -16,16 +16,16 @@ spec: data: # App ACCESS_TOKEN_SALT: "{{ .GHOSTFOLIO_ACCESS_TOKEN_SALT }}" - DATABASE_URL: postgresql://{{ .POSTGRES_USERNAME }}:{{ .POSTGRES_PASSWORD }}@postgres-rw.default.svc.cluster.local:5432/ghostfolio + DATABASE_URL: postgresql://{{ .POSTGRES_USERNAME }}:{{ .POSTGRES_PASSWORD }}@postgres.${SECRET_DOMAIN}:5432/ghostfolio JWT_SECRET_KEY: "{{ .GHOSTFOLIO_JWT_SECRET_KEY }}" # Postgres Init INIT_POSTGRES_DBNAME: ghostfolio - INIT_POSTGRES_HOST: postgres-rw.default.svc.cluster.local + INIT_POSTGRES_HOST: postgres.${SECRET_DOMAIN} INIT_POSTGRES_USER: "{{ .POSTGRES_USERNAME }}" INIT_POSTGRES_PASS: "{{ .POSTGRES_PASSWORD }}" INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" dataFrom: - extract: - key: cloudnative-pg + key: generic - extract: key: ghostfolio diff --git a/kubernetes/apps/default/ghostfolio/app/helmrelease.yaml b/kubernetes/apps/default/ghostfolio/app/helmrelease.yaml index acfde64c5..ba9727106 100644 --- a/kubernetes/apps/default/ghostfolio/app/helmrelease.yaml +++ b/kubernetes/apps/default/ghostfolio/app/helmrelease.yaml @@ -37,9 +37,8 @@ spec: initContainers: init-db: image: - repository: ghcr.io/auricom/postgres-init - tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0 - pullPolicy: IfNotPresent + repository: ghcr.io/onedr0p/postgres-init + tag: 16 envFrom: &envFrom - secretRef: name: ghostfolio-secret 
diff --git a/kubernetes/apps/default/ghostfolio/ks.yaml b/kubernetes/apps/default/ghostfolio/ks.yaml index b3a8e34fd..a01fd1382 100644 --- a/kubernetes/apps/default/ghostfolio/ks.yaml +++ b/kubernetes/apps/default/ghostfolio/ks.yaml @@ -12,7 +12,6 @@ spec: kind: GitRepository name: home-ops-kubernetes dependsOn: - - name: cluster-apps-cloudnative-pg-cluster - name: cluster-apps-external-secrets-stores - name: cluster-apps-ghostfolio-redis interval: 30m diff --git a/kubernetes/apps/default/hajimari/app/helmrelease.yaml b/kubernetes/apps/default/hajimari/app/helmrelease.yaml index 808ef3ffe..7316d4555 100644 --- a/kubernetes/apps/default/hajimari/app/helmrelease.yaml +++ b/kubernetes/apps/default/hajimari/app/helmrelease.yaml @@ -67,7 +67,7 @@ spec: url: "https://truenas-remote.${SECRET_DOMAIN}" - name: minio icon: mdi:aws - url: "http://minio.${SECRET_DOMAIN}:9000" + url: "https://minio.${SECRET_DOMAIN}:9000" - name: pikvm icon: mdi:ip-network url: "https://pikvm.${SECRET_DOMAIN}" diff --git a/kubernetes/apps/default/home-assistant/app/externalsecret.yaml b/kubernetes/apps/default/home-assistant/app/externalsecret.yaml index 8ca351058..54e8e21c8 100644 --- a/kubernetes/apps/default/home-assistant/app/externalsecret.yaml +++ b/kubernetes/apps/default/home-assistant/app/externalsecret.yaml 
@@ -18,17 +18,17 @@ spec: HASS_SECRET_ELEVATION: "{{ .HASS_ELEVATION }}" HASS_SECRET_LATITUDE: "{{ .HASS_LATITUDE }}" HASS_SECRET_LONGITUDE: "{{ .HASS_LONGITUDE }}" - HASS_SECRET_DB_URL: "postgresql://{{ .POSTGRES_USER }}:{{ .POSTGRES_PASS }}@postgres-rw.default.svc.cluster.local/home_assistant" + HASS_SECRET_DB_URL: "postgresql://{{ .POSTGRES_USER }}:{{ .POSTGRES_PASS }}@postgres.${SECRET_DOMAIN}/home_assistant" HASS_SECRET_URL: "{{ .HASS_URL }}" PROMETHEUS_TOKEN: "{{ .PROMETHEUS_TOKEN }}" # Postgres Init INIT_POSTGRES_DBNAME: home_assistant - INIT_POSTGRES_HOST: postgres-rw.default.svc.cluster.local + INIT_POSTGRES_HOST: postgres.${SECRET_DOMAIN} INIT_POSTGRES_USER: "{{ .POSTGRES_USER }}" INIT_POSTGRES_PASS: "{{ .POSTGRES_PASS }}" INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" dataFrom: - extract: - key: cloudnative-pg + key: generic - extract: key: home-assistant diff --git a/kubernetes/apps/default/home-assistant/app/helmrelease.yaml b/kubernetes/apps/default/home-assistant/app/helmrelease.yaml index 1a19930df..6c61b9ed7 100644 --- a/kubernetes/apps/default/home-assistant/app/helmrelease.yaml +++ b/kubernetes/apps/default/home-assistant/app/helmrelease.yaml @@ -43,9 +43,8 @@ spec: initContainers: init-db: image: - repository: ghcr.io/auricom/postgres-init - tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0 - pullPolicy: IfNotPresent + repository: ghcr.io/onedr0p/postgres-init + tag: 16 envFrom: &envFrom - secretRef: name: home-assistant-secret diff --git a/kubernetes/apps/default/home-assistant/ks.yaml b/kubernetes/apps/default/home-assistant/ks.yaml index 3b75e1f8c..fde0cb418 100644 --- a/kubernetes/apps/default/home-assistant/ks.yaml +++ b/kubernetes/apps/default/home-assistant/ks.yaml @@ -7,7 +7,6 @@ metadata: namespace: flux-system spec: dependsOn: - - name: cluster-apps-cloudnative-pg-app - name: cluster-apps-external-secrets-stores - name: cluster-apps-volsync-app path: ./kubernetes/apps/default/home-assistant/app 
diff --git a/kubernetes/apps/default/homelab/ks.yaml b/kubernetes/apps/default/homelab/ks.yaml index c410b7f97..94dacde60 100644 --- a/kubernetes/apps/default/homelab/ks.yaml +++ b/kubernetes/apps/default/homelab/ks.yaml @@ -3,7 +3,7 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: cluster-apps-homnelab-minio + name: cluster-apps-homelab-minio namespace: flux-system spec: path: ./kubernetes/apps/default/homelab/minio @@ -21,7 +21,7 @@ spec: apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: cluster-apps-homnelab-opnsense + name: cluster-apps-homelab-opnsense namespace: flux-system spec: path: ./kubernetes/apps/default/homelab/opnsense @@ -39,7 +39,7 @@ spec: apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: cluster-apps-homnelab-truenas + name: cluster-apps-homelab-truenas namespace: flux-system spec: path: ./kubernetes/apps/default/homelab/truenas diff --git a/kubernetes/apps/default/homelab/minio/backup/rclone.conf b/kubernetes/apps/default/homelab/minio/backup/rclone.conf index b04e1d7e8..0164479c4 100644 --- a/kubernetes/apps/default/homelab/minio/backup/rclone.conf +++ b/kubernetes/apps/default/homelab/minio/backup/rclone.conf @@ -3,7 +3,7 @@ type = s3 provider = Minio access_key_id = __RCLONE_ACCESS_ID__ secret_access_key = __RCLONE_SECRET_KEY__ -endpoint = http://minio.${SECRET_DOMAIN}:9000 +endpoint = https://minio.${SECRET_DOMAIN}:9000 acl = private [gdrive-homelab-backups] diff --git a/kubernetes/apps/default/homelab/opnsense/backup/helmrelease.yaml b/kubernetes/apps/default/homelab/opnsense/backup/helmrelease.yaml index 6d4ff0554..2164c83ec 100644 --- a/kubernetes/apps/default/homelab/opnsense/backup/helmrelease.yaml +++ b/kubernetes/apps/default/homelab/opnsense/backup/helmrelease.yaml 
@@ -41,7 +41,7 @@ spec: command: ["/bin/bash", "/app/opnsense-backup.sh"] env: OPNSENSE_URL: "https://opnsense.${SECRET_DOMAIN}" - S3_URL: "http://minio.${SECRET_DOMAIN}:9000" + S3_URL: "https://minio.${SECRET_DOMAIN}:9000" envFrom: - secretRef: name: homelab-opnsense-secret diff --git a/kubernetes/apps/default/homelab/truenas/backup/truenas-backup.sh b/kubernetes/apps/default/homelab/truenas/backup/truenas-backup.sh index 75ce12c8c..09dd0ec2c 100755 --- a/kubernetes/apps/default/homelab/truenas/backup/truenas-backup.sh +++ b/kubernetes/apps/default/homelab/truenas/backup/truenas-backup.sh @@ -44,7 +44,7 @@ curl -fsSL \ -H "Date: ${http_request_date}" \ -H "Content-Type: ${http_content_type}" \ -H "Authorization: AWS ${AWS_ACCESS_KEY_ID}:${http_signature}" \ - "http://minio.${SECRET_DOMAIN}:9000/${http_filepath}" + "https://minio.${SECRET_DOMAIN}:9000/${http_filepath}" rm /tmp/backup-*.tar diff --git a/kubernetes/apps/default/homelab/truenas/certs-deploy/helmrelease.yaml b/kubernetes/apps/default/homelab/truenas/certs-deploy/helmrelease.yaml index 7d07fbce9..ff76467bd 100644 --- a/kubernetes/apps/default/homelab/truenas/certs-deploy/helmrelease.yaml +++ b/kubernetes/apps/default/homelab/truenas/certs-deploy/helmrelease.yaml @@ -42,7 +42,8 @@ spec: env: HOSTNAME: truenas TRUENAS_HOME: /mnt/storage/home/homelab - CERTS_DEPLOY_S3_ENABLED: "True" + CERTS_DEPLOY_MINIO_ENABLED: "True" + CERTS_DEPLOY_POSTGRESQL_ENABLED: "True" envFrom: &envFrom - secretRef: name: &secret homelab-truenas-secret @@ -54,7 +55,8 @@ spec: env: HOSTNAME: truenas-remote TRUENAS_HOME: /mnt/vol1/home/homelab - CERTS_DEPLOY_S3_ENABLED: "False" + CERTS_DEPLOY_MINIO_ENABLED: "False" + CERTS_DEPLOY_POSTGRESQL_ENABLED: "False" envFrom: *envFrom service: main: diff --git a/kubernetes/apps/default/homelab/truenas/certs-deploy/truenas-certs-deploy.sh b/kubernetes/apps/default/homelab/truenas/certs-deploy/truenas-certs-deploy.sh index 667c65508..5b756da5f 100644 
--- a/kubernetes/apps/default/homelab/truenas/certs-deploy/truenas-certs-deploy.sh +++ b/kubernetes/apps/default/homelab/truenas/certs-deploy/truenas-certs-deploy.sh @@ -12,21 +12,22 @@ if [ "${HOSTNAME}" == "truenas" ]; then elif [ "${HOSTNAME}" == "truenas-remote" ]; then printf -v truenas_api_key %q "$TRUENAS_REMOTE_API_KEY" fi -printf -v cert_deploy_s3_enabled_str %q "$CERTS_DEPLOY_S3_ENABLED" +printf -v cert_deploy_minio_enabled_str %q "$CERTS_DEPLOY_MINIO_ENABLED" +printf -v cert_deploy_postgresql_enabled_str %q "$CERTS_DEPLOY_POSTGRESQL_ENABLED" printf -v pushover_api_token_str %q "$PUSHOVER_API_TOKEN" printf -v pushover_user_key_str %q "$PUSHOVER_USER_KEY" printf -v secret_domain_str %q "$SECRET_DOMAIN" scp -o StrictHostKeyChecking=no /app/truenas-certs-deploy.py homelab@${HOSTNAME}.${SECRET_DOMAIN}:${TRUENAS_HOME}/scripts/certificates_deploy.py -ssh -o StrictHostKeyChecking=no homelab@${HOSTNAME}.${SECRET_DOMAIN} "/bin/bash -s $truenas_api_key $cert_deploy_s3_enabled_str $pushover_api_token_str $pushover_user_key_str $secret_domain_str" << 'EOF' +ssh -o StrictHostKeyChecking=no homelab@${HOSTNAME}.${SECRET_DOMAIN} "/bin/bash -s $truenas_api_key $cert_deploy_minio_enabled_str $cert_deploy_postgresql_enabled_str $pushover_api_token_str $pushover_user_key_str $secret_domain_str" << 'EOF' set -o nounset set -o errexit -PUSHOVER_API_TOKEN=$3 -PUSHOVER_USER_KEY=$4 -SECRET_DOMAIN=$5 +PUSHOVER_API_TOKEN=$4 +PUSHOVER_USER_KEY=$5 +SECRET_DOMAIN=$6 # Variables TARGET=$(hostname) 
@@ -38,8 +39,13 @@ export CERTS_DEPLOY_API_KEY=$1 export CERTS_DEPLOY_PRIVATE_KEY_PATH=${CERTIFICATE_PATH}/key.pem export CERTS_DEPLOY_FULLCHAIN_PATH=${CERTIFICATE_PATH}/fullchain.pem if [ "$2" == "True" ]; then - export CERTS_DEPLOY_S3_ENABLED=$2 + export CERTS_DEPLOY_MINIO_ENABLED=$2 fi +CERTS_DEPLOY_MINIO_CERT_PATH=/mnt/{{ iocage_pool_name }}/iocage/jails/minio_v2/root/home/minio/certs +if [ "$3" == "True" ]; then + export CERTS_DEPLOY_POSTGRESQL_ENABLED=$3 +fi +CERTS_DEPLOY_POSTGRESQL_PATH=/mnt/{{ postgresql_pool_name }}/postgresql # Check if cert is older than 69 days result=$(find ${CERTS_DEPLOY_PRIVATE_KEY_PATH} -mtime +69) @@ -60,8 +66,29 @@ else set -o errexit echo "INFO - Certificate expires in less than $DAYS days" echo "INFO - Deploying new certificate" - # Deploy certificate (truenas UI & minio) + # Deploy certificate (truenas UI) python ${SCRIPT_PATH}/certificates_deploy.py + # Copy certificates (minio) + if [ "CERTS_DEPLOY_MINIO_ENABLED" == "True" ]; then + cp -pr ${CERTS_DEPLOY_PRIVATE_KEY_PATH} ${CERTS_DEPLOY_MINIO_CERT_PATH}/private.key + cp -pr ${CERTS_DEPLOY_FULLCHAIN_PATH} ${CERTS_DEPLOY_MINIO_CERT_PATH}/public.crt + iocage exec minio_v2 'service minio restart' + fi + # Copy certificates (postgresql) + if [ "CERTS_DEPLOY_POSTGRESQL_ENABLED" == "True" ]; then + pg_data_dirs=$(find /mnt/{{ postgresql_pool_name }}/postgresql -type d -maxdepth 1 -name '*data*' -exec basename {} \;) + for i in $pg_data_dirs; do + cp -pr ${CERTS_DEPLOY_PRIVATE_KEY_PATH} ${CERTS_DEPLOY_POSTGRESQL_PATH}/$i/server.key + cp -pr ${CERTS_DEPLOY_FULLCHAIN_PATH} ${CERTS_DEPLOY_POSTGRESQL_PATH}/$i/server.crt + iocage exec postgresql_v${i: -2} 'service postgresql reload' + done + fi + curl -s \ + --form-string "token=${PUSHOVER_API_TOKEN}" \ + --form-string "user=${PUSHOVER_USER_KEY}" \ + --form-string "message=New Let's Encrypt certificate deployed on $TARGET." \ + https://api.pushover.net/1/messages.json + else echo "INFO - Certificate expires in more than $DAYS" fi 
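Review bot: `CERTS_DEPLOY_MINIO_CERT_PATH` and `CERTS_DEPLOY_POSTGRESQL_PATH` embed `{{ iocage_pool_name }}` and `{{ postgresql_pool_name }}`, Jinja-style placeholders, in a script that lives under `kubernetes/` and reaches the host through a quoted heredoc (`<< 'EOF'`, opened in the previous hunk); unless a templating step not visible here renders this file, the remote shell receives the braces literally and the copies target `/mnt/{{ iocage_pool_name }}/...`. Every other value in this script arrives as a positional argument to `bash -s` or via `${SECRET_DOMAIN}` substitution, so the pool names should take one of those routes — for example pass them as two further arguments and write `CERTS_DEPLOY_MINIO_CERT_PATH=/mnt/$7/iocage/jails/minio_v2/root/home/minio/certs` — or be hard-coded the way `TRUENAS_HOME` is in the helmrelease.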
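Review bot: Both new guards compare a literal string instead of a variable — `if [ "CERTS_DEPLOY_MINIO_ENABLED" == "True" ]` and `if [ "CERTS_DEPLOY_POSTGRESQL_ENABLED" == "True" ]` are always false, so the minio and postgresql certificate copies never run and the Pushover message announces a deployment that only refreshed the TrueNAS UI certificate. Because the remote script runs with `set -o nounset` and the variables are exported only when `$2`/`$3` equal `True`, the dereference needs a default: `if [ "${CERTS_DEPLOY_MINIO_ENABLED:-False}" == "True" ]; then` and `if [ "${CERTS_DEPLOY_POSTGRESQL_ENABLED:-False}" == "True" ]; then`. Once the postgresql branch actually executes, `cp -p` preserves the source file's owner and mode, and PostgreSQL refuses a `server.key` that is not either owned by the server user with mode 0600 or owned by root with mode 0640, so a `chown`/`chmod` inside the jail before the `service postgresql reload` is likely needed as well.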
diff --git a/kubernetes/apps/default/homelab/truenas/kustomization.yaml b/kubernetes/apps/default/homelab/truenas/kustomization.yaml index 179bbd8cf..3cf062b74 100644 --- a/kubernetes/apps/default/homelab/truenas/kustomization.yaml +++ b/kubernetes/apps/default/homelab/truenas/kustomization.yaml @@ -7,3 +7,4 @@ resources: - ./backup - ./certs-deploy - ./externalsecret.yaml + - ./pgdump diff --git a/kubernetes/apps/default/homelab/truenas/pgdump/externalsecret.yaml b/kubernetes/apps/default/homelab/truenas/pgdump/externalsecret.yaml new file mode 100644 index 000000000..162630c1e --- /dev/null +++ b/kubernetes/apps/default/homelab/truenas/pgdump/externalsecret.yaml @@ -0,0 +1,25 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/external-secrets.io/externalsecret_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: homelab-truenas-pgdump + namespace: default +spec: + secretStoreRef: + kind: ClusterSecretStore + name: onepassword-connect + target: + name: homelab-truenas-pgdump-secret + template: + engineVersion: v2 + data: + # App + POSTGRES_HOST: postgres.${SECRET_DOMAIN} + POSTGRES_USER: "{{ .POSTGRES_SUPER_USER }}" + POSTGRES_PASSWORD: "{{ .POSTGRES_SUPER_PASS }}" + POSTGRES_PORT: "5432" + dataFrom: + + - extract: + key: generic diff --git a/kubernetes/apps/default/homelab/truenas/pgdump/helmrelease.yaml b/kubernetes/apps/default/homelab/truenas/pgdump/helmrelease.yaml new file mode 100644 index 000000000..31bc85645 --- /dev/null +++ b/kubernetes/apps/default/homelab/truenas/pgdump/helmrelease.yaml 
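Review bot: The dump job authenticates as `POSTGRES_SUPER_USER`, so a daily CronJob that only needs to read every database holds the credential that can alter any of them; a dedicated backup role granted `pg_read_all_data` (PostgreSQL 14 and later) is typically enough for `pg_dump` and limits the damage if `homelab-truenas-pgdump-secret` leaks — the `--blobs` option used by the backup container would need checking against large-object privileges. The mapping would become `POSTGRES_USER: "{{ .POSTGRES_BACKUP_USER }}"` and `POSTGRES_PASSWORD: "{{ .POSTGRES_BACKUP_PASS }}"` once such a role and its entry exist in the `generic` item. The stray blank line after `dataFrom:` is harmless YAML but should be dropped.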
@@ -0,0 +1,104 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json +apiVersion: helm.toolkit.fluxcd.io/v2beta2 +kind: HelmRelease +metadata: + name: homelab-truenas-pgdump + namespace: default +spec: + interval: 30m + chart: + spec: + chart: app-template + version: 2.4.0 + sourceRef: + kind: HelmRepository + name: bjw-s + namespace: flux-system + maxHistory: 2 + install: + createNamespace: true + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + uninstall: + keepHistory: false + values: + controllers: + main: + type: cronjob + cronjob: + concurrencyPolicy: Forbid + schedule: "@daily" + initContainers: + init-db: + image: + repository: ghcr.io/onedr0p/postgres-init + tag: 16 + env: + EXCLUDE_DBS: "home_assistant radarr_log sonarr_log prowlarr_log postgres template0 template1" + envFrom: &envFrom + - secretRef: + name: homelab-truenas-pgdump-secret + command: + - "/bin/bash" + - "-c" + - | + #!/bin/bash + + set -o nounset + set -o errexit + + # File to store the list of databases + OUTPUT_FILE="/config/db_list" + + # Export PG password to avoid password prompt + export PGPASSWORD=$POSTGRES_PASSWORD + + # Generate a regex pattern for exclusion + EXCLUDE_PATTERN=$(echo $EXCLUDE_DBS | sed 's/ /\\|/g') + + # List all databases, exclude the ones in EXCLUDE_DBS, and write to the file + psql -h $POSTGRES_HOST -p $POSTGRES_PORT -U $POSTGRES_USER -lqt | \ + cut -d \| -f 1 | \ + grep -Ev "^\s*($EXCLUDE_PATTERN)\s*$" > "$OUTPUT_FILE" + + # Unset PG password + unset PGPASSWORD + + echo "Database list saved to $OUTPUT_FILE" + + cat $OUTPUT_FILE + containers: + main: + image: + repository: prodrigestivill/postgres-backup-local + tag: 16-alpine + command: ["/backup.sh"] + env: + POSTGRES_DB_FILE: /config/db_list + POSTGRES_EXTRA_OPTS: "-Z9 --schema=public --blobs" + BACKUP_KEEP_DAYS: "7" + BACKUP_KEEP_WEEKS: "4" + BACKUP_KEEP_MONTHS: "3" + HEALTHCHECK_PORT: "8080" + 
envFrom: *envFrom + service: + main: + enabled: false + persistence: + config: + enabled: true + type: emptyDir + globalMounts: + - path: /config + backups: + enabled: true + type: nfs + server: "${LOCAL_LAN_TRUENAS}" + path: /mnt/storage/backups/postgresql + globalMounts: + - path: /backups diff --git a/kubernetes/apps/default/homelab/truenas/pgdump/kustomization.yaml b/kubernetes/apps/default/homelab/truenas/pgdump/kustomization.yaml new file mode 100644 index 000000000..ac5ae96e1 --- /dev/null +++ b/kubernetes/apps/default/homelab/truenas/pgdump/kustomization.yaml @@ -0,0 +1,8 @@ +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/SchemaStore/schemastore/master/src/schemas/json/kustomization.json +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +namespace: default +resources: + - ./externalsecret.yaml + - ./helmrelease.yaml diff --git a/kubernetes/apps/default/immich/app/externalsecret.yaml b/kubernetes/apps/default/immich/app/externalsecret.yaml index 55ebb0fff..7eeb48382 100644 --- a/kubernetes/apps/default/immich/app/externalsecret.yaml +++ b/kubernetes/apps/default/immich/app/externalsecret.yaml @@ -16,7 +16,7 @@ spec: data: # App DB_DATABASE_NAME: &dbName immich - DB_HOSTNAME: &dbHost postgres-rw.default.svc.cluster.local + DB_HOSTNAME: &dbHost postgres.${SECRET_DOMAIN} DB_USERNAME: &dbUser "{{ .POSTGRES_USER }}" DB_PASSWORD: &dbPass "{{ .POSTGRES_PASS }}" DB_PORT: "5432" @@ -30,6 +30,6 @@ spec: INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" dataFrom: - extract: - key: cloudnative-pg + key: generic - extract: key: immich diff --git a/kubernetes/apps/default/immich/app/server/helmrelease.yaml b/kubernetes/apps/default/immich/app/server/helmrelease.yaml index 2523bda4c..d212bb55b 100644 --- a/kubernetes/apps/default/immich/app/server/helmrelease.yaml +++ b/kubernetes/apps/default/immich/app/server/helmrelease.yaml 
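Review bot: The database filter in the init-db script is fragile: `sed 's/ /\\|/g'` turns `EXCLUDE_DBS` into `home_assistant\|radarr_log\|...`, but the result is used with `grep -E`, where alternation is a bare `|` and a backslash-escaped `\|` is not portably an operator; if the image's grep reads it literally, nothing is excluded, `template0` lands in `/config/db_list` and the backup container fails on a database that does not accept connections. Build the pattern with `EXCLUDE_PATTERN=$(echo "$EXCLUDE_DBS" | sed 's/ /|/g')` and, since `psql -lqt` output ends with an empty line that the current expression lets through, make the group optional and avoid the GNU-only `\s`: `grep -Ev "^[[:space:]]*($EXCLUDE_PATTERN)?[[:space:]]*$"`. Exporting the superuser password as `PGPASSWORD` for the single `psql` call is acceptable given the immediate `unset`, but a `PGPASSFILE` mounted from the secret would keep it out of the process environment entirely.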
@@ -55,9 +55,8 @@ spec:
 initContainers:
 init-db:
 image:
- repository: ghcr.io/auricom/postgres-init
- tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0
- pullPolicy: IfNotPresent
+ repository: ghcr.io/onedr0p/postgres-init
+ tag: 16
 envFrom: &envFrom
 - configMapRef:
 name: *configMap
diff --git a/kubernetes/apps/default/immich/ks.yaml b/kubernetes/apps/default/immich/ks.yaml
index 01f7b74eb..64764ff1e 100644
--- a/kubernetes/apps/default/immich/ks.yaml
+++ b/kubernetes/apps/default/immich/ks.yaml
@@ -7,7 +7,6 @@ metadata:
 namespace: flux-system
 spec:
 dependsOn:
- - name: cluster-apps-cloudnative-pg-cluster
 - name: cluster-apps-external-secrets-stores
 path: ./kubernetes/apps/default/immich/app
 prune: true
diff --git a/kubernetes/apps/default/invidious/app/externalsecret.yaml b/kubernetes/apps/default/invidious/app/externalsecret.yaml
index 9c02dd2ca..e2cac4b3d 100644
--- a/kubernetes/apps/default/invidious/app/externalsecret.yaml
+++ b/kubernetes/apps/default/invidious/app/externalsecret.yaml
@@ -16,7 +16,7 @@ spec:
 data:
 # App
 INVIDIOUS_CONFIG: |
- database_url: postgres://{{ .POSTGRES_USER }}:{{ .POSTGRES_PASS }}@postgres-rw.default.svc.cluster.local.:5432/invidious
+ database_url: postgres://{{ .POSTGRES_USER }}:{{ .POSTGRES_PASS }}@postgres.${SECRET_DOMAIN}.:5432/invidious
 check_tables: true
 port: 3000
 domain: invidious.${SECRET_CLUSTER_DOMAIN}
@@ -24,12 +24,12 @@ spec:
 hmac_key: {{ .HMAC_KEY }}
 # Postgres Init
 INIT_POSTGRES_DBNAME: invidious
- INIT_POSTGRES_HOST: postgres-rw.default.svc.cluster.local
+ INIT_POSTGRES_HOST: postgres.${SECRET_DOMAIN}
 INIT_POSTGRES_USER: "{{ .POSTGRES_USER }}"
 INIT_POSTGRES_PASS: "{{ .POSTGRES_PASS }}"
 INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}"
 dataFrom:
 - extract:
- key: cloudnative-pg
+ key: generic
 - extract:
 key: invidious
diff --git a/kubernetes/apps/default/invidious/app/helmrelease.yaml b/kubernetes/apps/default/invidious/app/helmrelease.yaml
index 9e9784f19..bf79f7108 100644
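Review bot: The new `init-db` image reference `tag: 16` replaces one that was pinned to a `sha256` digest, so the init container — which runs with the superuser password from `INIT_POSTGRES_SUPER_PASS` — now floats with whatever the `16` tag resolves to on each pull, and the explicit `pullPolicy: IfNotPresent` is dropped as well. The same unpinning is repeated in the invidious, joplin, kresus, linkding, lychee, paperless, prowlarr, pushover-notifier, radarr, sharry, sonarr, tandoor, vaultwarden, vikunja and wallabag helmrelease hunks and in the new pgdump HelmRelease (`tag: 16` and `tag: 16-alpine`). Keeping the digest form, `tag: 16@sha256:<digest-of-chosen-build>` (placeholder — the digest is not on this page), preserves the supply-chain guarantee the removed reference provided.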
--- a/kubernetes/apps/default/invidious/app/helmrelease.yaml +++ b/kubernetes/apps/default/invidious/app/helmrelease.yaml @@ -35,9 +35,8 @@ spec: initContainers: init-db: image: - repository: ghcr.io/auricom/postgres-init - tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0 - pullPolicy: IfNotPresent + repository: ghcr.io/onedr0p/postgres-init + tag: 16 envFrom: &envFrom - secretRef: name: invidious-secret diff --git a/kubernetes/apps/default/invidious/ks.yaml b/kubernetes/apps/default/invidious/ks.yaml index 5fc9b9dfa..7ba10f098 100644 --- a/kubernetes/apps/default/invidious/ks.yaml +++ b/kubernetes/apps/default/invidious/ks.yaml @@ -12,7 +12,6 @@ spec: kind: GitRepository name: home-ops-kubernetes dependsOn: - - name: cluster-apps-cloudnative-pg-cluster - name: cluster-apps-external-secrets-stores interval: 30m retryInterval: 1m diff --git a/kubernetes/apps/default/joplin/app/externalsecret.yaml b/kubernetes/apps/default/joplin/app/externalsecret.yaml index 7f5a0d22a..c535a5860 100644 --- a/kubernetes/apps/default/joplin/app/externalsecret.yaml +++ b/kubernetes/apps/default/joplin/app/externalsecret.yaml @@ -16,7 +16,7 @@ spec: data: # App POSTGRES_DATABASE: &dbName joplin - POSTGRES_HOST: &dbHost postgres-rw.default.svc.cluster.local. + POSTGRES_HOST: &dbHost postgres.${SECRET_DOMAIN}. POSTGRES_PORT: "5432" POSTGRES_USER: &dbUser "{{ .POSTGRES_USER }}" POSTGRES_PASSWORD: &dbPass "{{ .POSTGRES_PASSWORD }}" @@ -28,6 +28,6 @@ spec: INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" dataFrom: - extract: - key: cloudnative-pg + key: generic - extract: key: joplin diff --git a/kubernetes/apps/default/joplin/app/helmrelease.yaml b/kubernetes/apps/default/joplin/app/helmrelease.yaml index e22f0ea46..fb6b0a3f7 100644 --- a/kubernetes/apps/default/joplin/app/helmrelease.yaml +++ b/kubernetes/apps/default/joplin/app/helmrelease.yaml 
@@ -35,9 +35,8 @@ spec: initContainers: init-db: image: - repository: ghcr.io/auricom/postgres-init - tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0 - pullPolicy: IfNotPresent + repository: ghcr.io/onedr0p/postgres-init + tag: 16 envFrom: &envFrom - secretRef: name: joplin-secret diff --git a/kubernetes/apps/default/joplin/ks.yaml b/kubernetes/apps/default/joplin/ks.yaml index 73220b8ce..6c0311822 100644 --- a/kubernetes/apps/default/joplin/ks.yaml +++ b/kubernetes/apps/default/joplin/ks.yaml @@ -12,7 +12,6 @@ spec: kind: GitRepository name: home-ops-kubernetes dependsOn: - - name: cluster-apps-cloudnative-pg-cluster - name: cluster-apps-external-secrets-stores interval: 30m retryInterval: 1m diff --git a/kubernetes/apps/default/kresus/app/externalsecret.yaml b/kubernetes/apps/default/kresus/app/externalsecret.yaml index e0c838793..0d55a4588 100644 --- a/kubernetes/apps/default/kresus/app/externalsecret.yaml +++ b/kubernetes/apps/default/kresus/app/externalsecret.yaml @@ -15,7 +15,7 @@ spec: engineVersion: v2 data: # App - KRESUS_DB_HOST: &dbHost postgres-rw.default.svc.cluster.local + KRESUS_DB_HOST: &dbHost postgres.${SECRET_DOMAIN} KRESUS_DB_USERNAME: &dbUser "{{ .POSTGRES_USERNAME }}" KRESUS_DB_PASSWORD: &dbPass "{{ .POSTGRES_PASSWORD }}" KRESUS_DB_NAME: &dbName kresus @@ -29,6 +29,6 @@ spec: dataFrom: - extract: - key: cloudnative-pg + key: generic - extract: key: kresus diff --git a/kubernetes/apps/default/kresus/app/helmrelease.yaml b/kubernetes/apps/default/kresus/app/helmrelease.yaml index af35456ca..8e1f0ac1e 100644 --- a/kubernetes/apps/default/kresus/app/helmrelease.yaml +++ b/kubernetes/apps/default/kresus/app/helmrelease.yaml 
@@ -41,9 +41,8 @@ spec: initContainers: init-db: image: - repository: ghcr.io/auricom/postgres-init - tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0 - pullPolicy: IfNotPresent + repository: ghcr.io/onedr0p/postgres-init + tag: 16 envFrom: &envFrom - secretRef: name: kresus-secret diff --git a/kubernetes/apps/default/kresus/ks.yaml b/kubernetes/apps/default/kresus/ks.yaml index 3857bb16d..d5e252df4 100644 --- a/kubernetes/apps/default/kresus/ks.yaml +++ b/kubernetes/apps/default/kresus/ks.yaml @@ -12,7 +12,6 @@ spec: kind: GitRepository name: home-ops-kubernetes dependsOn: - - name: cluster-apps-cloudnative-pg-cluster - name: cluster-apps-external-secrets-stores - name: cluster-apps-volsync-app interval: 30m diff --git a/kubernetes/apps/default/libmedium/ks.yaml b/kubernetes/apps/default/libmedium/ks.yaml index 321511b80..47b4c03ea 100644 --- a/kubernetes/apps/default/libmedium/ks.yaml +++ b/kubernetes/apps/default/libmedium/ks.yaml @@ -12,7 +12,6 @@ spec: kind: GitRepository name: home-ops-kubernetes dependsOn: - - name: cluster-apps-cloudnative-pg-cluster - name: cluster-apps-external-secrets-stores interval: 30m retryInterval: 1m diff --git a/kubernetes/apps/default/linkding/app/externalsecret.yaml b/kubernetes/apps/default/linkding/app/externalsecret.yaml index 621367144..3732a8b23 100644 --- a/kubernetes/apps/default/linkding/app/externalsecret.yaml +++ b/kubernetes/apps/default/linkding/app/externalsecret.yaml @@ -18,7 +18,7 @@ spec: LD_DB_ENGINE: "postgres" LD_DB_USER: &dbUser "{{ .POSTGRES_USERNAME }}" LD_DB_PASSWORD: &dbPass "{{ .POSTGRES_PASSWORD }}" - LD_DB_HOST: &dbHost postgres-rw.default.svc.cluster.local + LD_DB_HOST: &dbHost postgres.${SECRET_DOMAIN} LD_DB_DATABASE: &dbName linkding LD_SUPERUSER_NAME: "{{ .username }}" LD_SUPERUSER_PASSWORD: "{{ .password }}" 
@@ -30,6 +30,6 @@ spec: INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" dataFrom: - extract: - key: cloudnative-pg + key: generic - extract: key: linkding diff --git a/kubernetes/apps/default/linkding/app/helmrelease.yaml b/kubernetes/apps/default/linkding/app/helmrelease.yaml index 006b74248..a66e45524 100644 --- a/kubernetes/apps/default/linkding/app/helmrelease.yaml +++ b/kubernetes/apps/default/linkding/app/helmrelease.yaml @@ -35,9 +35,8 @@ spec: initContainers: init-db: image: - repository: ghcr.io/auricom/postgres-init - tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0 - pullPolicy: IfNotPresent + repository: ghcr.io/onedr0p/postgres-init + tag: 16 envFrom: &envFrom - secretRef: name: linkding-secret diff --git a/kubernetes/apps/default/linkding/ks.yaml b/kubernetes/apps/default/linkding/ks.yaml index b0fb78fa7..211c22df7 100644 --- a/kubernetes/apps/default/linkding/ks.yaml +++ b/kubernetes/apps/default/linkding/ks.yaml @@ -12,7 +12,6 @@ spec: kind: GitRepository name: home-ops-kubernetes dependsOn: - - name: cluster-apps-cloudnative-pg-cluster - name: cluster-apps-external-secrets-stores interval: 30m retryInterval: 1m diff --git a/kubernetes/apps/default/lldap/app/externalsecret.yaml b/kubernetes/apps/default/lldap/app/externalsecret.yaml index 038b1b15c..89e4d4734 100644 --- a/kubernetes/apps/default/lldap/app/externalsecret.yaml +++ b/kubernetes/apps/default/lldap/app/externalsecret.yaml 
@@ -20,10 +20,10 @@ spec: LLDAP_USER_DN: "{{ .username }}" LLDAP_LDAP_USER_EMAIL: "{{ .LLDAP_LDAP_USER_EMAIL }}" LLDAP_SERVER_KEY_SEED: "{{ .LLDAP_SERVER_KEY_SEED }}" - LLDAP_DATABASE_URL: "postgres://{{ .POSTGRES_USER }}:{{ .POSTGRES_PASS }}@postgres-rw.default.svc.cluster.local/lldap" + LLDAP_DATABASE_URL: "postgres://{{ .POSTGRES_USER }}:{{ .POSTGRES_PASS }}@postgres.${SECRET_DOMAIN}/lldap" # Postgres Init INIT_POSTGRES_DBNAME: lldap - INIT_POSTGRES_HOST: postgres-rw.default.svc.cluster.local + INIT_POSTGRES_HOST: postgres.${SECRET_DOMAIN} INIT_POSTGRES_USER: "{{ .POSTGRES_USER }}" INIT_POSTGRES_PASS: "{{ .POSTGRES_PASS }}" INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" @@ -31,4 +31,4 @@ spec: - extract: key: lldap - extract: - key: cloudnative-pg + key: generic diff --git a/kubernetes/apps/default/lldap/ks.yaml b/kubernetes/apps/default/lldap/ks.yaml index e4ab765b8..7c5b11a13 100644 --- a/kubernetes/apps/default/lldap/ks.yaml +++ b/kubernetes/apps/default/lldap/ks.yaml @@ -6,8 +6,6 @@ metadata: name: cluster-apps-lldap namespace: flux-system spec: - dependsOn: - - name: cluster-apps-cloudnative-pg-cluster path: ./kubernetes/apps/default/lldap/app prune: true sourceRef: diff --git a/kubernetes/apps/default/lychee/app/externalsecret.yaml b/kubernetes/apps/default/lychee/app/externalsecret.yaml index c24fc08fc..7a6a0572e 100644 --- a/kubernetes/apps/default/lychee/app/externalsecret.yaml +++ b/kubernetes/apps/default/lychee/app/externalsecret.yaml @@ -15,7 +15,7 @@ spec: engineVersion: v2 data: # App - DB_HOST: &dbHost postgres-rw.default.svc.cluster.local + DB_HOST: &dbHost postgres.${SECRET_DOMAIN} DB_PORT: "5432" DB_DATABASE: &dbName lychee DB_USERNAME: &dbUser "{{ .POSTGRES_USERNAME }}" @@ -28,6 +28,6 @@ spec: INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" dataFrom: - extract: - key: cloudnative-pg + key: generic - extract: key: lychee 
diff --git a/kubernetes/apps/default/lychee/app/helmrelease.yaml b/kubernetes/apps/default/lychee/app/helmrelease.yaml index f55a7198f..d72ab30a4 100644 --- a/kubernetes/apps/default/lychee/app/helmrelease.yaml +++ b/kubernetes/apps/default/lychee/app/helmrelease.yaml @@ -35,11 +35,10 @@ spec: reloader.stakater.com/auto: "true" type: statefulset initContainers: - 01-init-db: + init-db: image: - repository: ghcr.io/auricom/postgres-init - tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0 - pullPolicy: IfNotPresent + repository: ghcr.io/onedr0p/postgres-init + tag: 16 envFrom: &envFrom - secretRef: name: lychee-secret diff --git a/kubernetes/apps/default/lychee/ks.yaml b/kubernetes/apps/default/lychee/ks.yaml index d5924be4a..06c4a775d 100644 --- a/kubernetes/apps/default/lychee/ks.yaml +++ b/kubernetes/apps/default/lychee/ks.yaml @@ -12,7 +12,6 @@ spec: kind: GitRepository name: home-ops-kubernetes dependsOn: - - name: cluster-apps-cloudnative-pg-cluster - name: cluster-apps-external-secrets-stores - name: cluster-apps-lychee-redis - name: cluster-apps-rook-ceph-cluster diff --git a/kubernetes/apps/default/outline/app/externalsecret.yaml b/kubernetes/apps/default/outline/app/externalsecret.yaml index f479dd90a..1125e153e 100644 --- a/kubernetes/apps/default/outline/app/externalsecret.yaml +++ b/kubernetes/apps/default/outline/app/externalsecret.yaml 
@@ -19,15 +19,16 @@ spec: AWS_SECRET_ACCESS_KEY: "{{ .OUTLINE_AWS_SECRET_ACCESS_KEY }}" SECRET_KEY: "{{ .OUTLINE_SECRET_KEY }}" UTILS_SECRET: "{{ .OUTLINE_UTILS_SECRET }}" - DATABASE_URL: postgresql://{{ .POSTGRES_USER }}:{{ .POSTGRES_PASS }}@postgres-rw.default.svc.cluster.local:5432/outline + DATABASE_URL: postgresql://{{ .POSTGRES_USER }}:{{ .POSTGRES_PASS }}@postgres.${SECRET_DOMAIN}:5432/outline + PGSSLMODE: require # Postgres Init INIT_POSTGRES_DBNAME: outline - INIT_POSTGRES_HOST: postgres-rw.default.svc.cluster.local + INIT_POSTGRES_HOST: postgres.${SECRET_DOMAIN} INIT_POSTGRES_USER: "{{ .POSTGRES_USER }}" INIT_POSTGRES_PASS: "{{ .POSTGRES_PASS }}" INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" dataFrom: - extract: - key: cloudnative-pg + key: generic - extract: key: outline diff --git a/kubernetes/apps/default/outline/app/helmrelease.yaml b/kubernetes/apps/default/outline/app/helmrelease.yaml index c9a3ac27f..e607c9737 100644 --- a/kubernetes/apps/default/outline/app/helmrelease.yaml +++ b/kubernetes/apps/default/outline/app/helmrelease.yaml 
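Review bot: `PGSSLMODE: require` encrypts the connection but does not authenticate the server — clients in this mode accept any certificate — so whoever answers for `postgres.${SECRET_DOMAIN}` on the LAN can terminate the TLS session and obtain the credentials in `DATABASE_URL`. If the jail's PostgreSQL presents a certificate valid for that name (the commit moves minio to https, which suggests real certificates are available), `PGSSLMODE: verify-full` adds server authentication; the same consideration applies to `sslmode=require` in the sharry `sharry.conf` and gatus `config.yaml` hunks. With only a self-signed certificate, `verify-ca` plus a mounted CA bundle referenced by `PGSSLROOTCERT` is the intermediate step.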
@@ -31,30 +31,30 @@ spec: values: controllers: main: - type: statefulset annotations: reloader.stakater.com/auto: "true" initContainers: - init-db: - image: - repository: ghcr.io/auricom/postgres-init - tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0 - pullPolicy: IfNotPresent - envFrom: &envFrom - - secretRef: - name: outline-secret + # init-db: + # image: + # repository: ghcr.io/onedr0p/postgres-init + # tag: 16 + # envFrom: &envFrom + # - secretRef: + # name: outline-secret containers: main: image: repository: docker.io/outlinewiki/outline tag: 0.74.0 - envFrom: *envFrom + envFrom: + - secretRef: + name: outline-secret env: AWS_REGION: us-east-1 AWS_S3_ACL: private AWS_S3_FORCE_PATH_STYLE: "true" AWS_S3_UPLOAD_BUCKET_NAME: outline - AWS_S3_UPLOAD_BUCKET_URL: "http://minio.${SECRET_DOMAIN}:9000" + AWS_S3_UPLOAD_BUCKET_URL: "https://minio.${SECRET_DOMAIN}:9000" ENABLE_UPDATES: "false" FILE_STORAGE_UPLOAD_MAX_SIZE: "26214400" OIDC_AUTH_URI: "https://auth.${SECRET_CLUSTER_DOMAIN}/api/oidc/authorization" @@ -65,7 +65,6 @@ spec: OIDC_TOKEN_URI: "https://auth.${SECRET_CLUSTER_DOMAIN}/api/oidc/token" OIDC_USERINFO_URI: "https://auth.${SECRET_CLUSTER_DOMAIN}/api/oidc/userinfo" OIDC_USERNAME_CLAIM: email - PGSSLMODE: disable PORT: 8080 REDIS_URL: redis://outline-redis.default.svc.cluster.local.:6379 SMTP_HOST: smtp-relay.default.svc.cluster.local. diff --git a/kubernetes/apps/default/outline/ks.yaml b/kubernetes/apps/default/outline/ks.yaml index d8dbab3d9..4e1291f9a 100644 --- a/kubernetes/apps/default/outline/ks.yaml +++ b/kubernetes/apps/default/outline/ks.yaml @@ -12,7 +12,6 @@ spec: kind: GitRepository name: home-ops-kubernetes dependsOn: - - name: cluster-apps-cloudnative-pg-cluster - name: cluster-apps-external-secrets-stores - name: cluster-apps-outline-redis interval: 30m 
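Review bot: The `init-db` init container is commented out rather than removed, and `type: statefulset` is dropped, so the step that created outline's role and database before the main container started no longer runs on a fresh deploy, and a reader cannot tell whether the block is dead or pending re-enablement. Either delete the commented block or put a one-line comment above it stating why it is disabled, for example `# init-db disabled: role/db are provisioned outside the cluster` if that is the reason. Removing `PGSSLMODE: disable` in the second hunk is the right direction, since the ExternalSecret now sets `require`, and the `AWS_S3_UPLOAD_BUCKET_URL` switch to `https://minio.${SECRET_DOMAIN}:9000` matches the sharry hunk.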
diff --git a/kubernetes/apps/default/paperless/app/externalsecret.yaml b/kubernetes/apps/default/paperless/app/externalsecret.yaml index 7cc798947..fc61ff1c5 100644 --- a/kubernetes/apps/default/paperless/app/externalsecret.yaml +++ b/kubernetes/apps/default/paperless/app/externalsecret.yaml @@ -20,7 +20,7 @@ spec: PAPERLESS_SECRET_KEY: "{{ .PAPERLESS_SECRET_KEY }}" PAPERLESS_DBUSER: &dbUser "{{ .POSTGRES_USER }}" PAPERLESS_DBPASS: &dbPass "{{ .POSTGRES_PASS }}" - PAPERLESS_DBHOST: &dbHost postgres-rw.default.svc.cluster.local + PAPERLESS_DBHOST: &dbHost postgres.${SECRET_DOMAIN} PAPERLESS_DBPORT: "5432" # Postgres Init @@ -31,6 +31,6 @@ spec: INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" dataFrom: - extract: - key: cloudnative-pg + key: generic - extract: key: paperless diff --git a/kubernetes/apps/default/paperless/app/helmrelease.yaml b/kubernetes/apps/default/paperless/app/helmrelease.yaml index b905ae58c..f622da8c0 100644 --- a/kubernetes/apps/default/paperless/app/helmrelease.yaml +++ b/kubernetes/apps/default/paperless/app/helmrelease.yaml @@ -37,9 +37,8 @@ spec: initContainers: init-db: image: - repository: ghcr.io/auricom/postgres-init - tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0 - pullPolicy: IfNotPresent + repository: ghcr.io/onedr0p/postgres-init + tag: 16 envFrom: &envFrom - secretRef: name: paperless-secret diff --git a/kubernetes/apps/default/paperless/ks.yaml b/kubernetes/apps/default/paperless/ks.yaml index 634ad85fe..27249b4ce 100644 --- a/kubernetes/apps/default/paperless/ks.yaml +++ b/kubernetes/apps/default/paperless/ks.yaml @@ -12,7 +12,6 @@ spec: kind: GitRepository name: home-ops-kubernetes dependsOn: - - name: cluster-apps-cloudnative-pg-cluster - name: cluster-apps-external-secrets-stores - name: cluster-apps-paperless-redis interval: 30m 
diff --git a/kubernetes/apps/default/prowlarr/app/externalsecret.yaml b/kubernetes/apps/default/prowlarr/app/externalsecret.yaml index c2b5495b0..da13a7a8e 100644 --- a/kubernetes/apps/default/prowlarr/app/externalsecret.yaml +++ b/kubernetes/apps/default/prowlarr/app/externalsecret.yaml @@ -15,7 +15,7 @@ spec: data: # App PROWLARR__API_KEY: "{{ .PROWLARR__API_KEY }}" - PROWLARR__POSTGRES_HOST: &dbHost postgres-rw.default.svc.cluster.local + PROWLARR__POSTGRES_HOST: &dbHost postgres.${SECRET_DOMAIN} PROWLARR__POSTGRES_PORT: "5432" PROWLARR__POSTGRES_USER: &dbUser "{{ .PROWLARR__POSTGRES_USER }}" PROWLARR__POSTGRES_PASSWORD: &dbPass "{{ .PROWLARR__POSTGRES_PASSWORD }}" diff --git a/kubernetes/apps/default/prowlarr/app/helmrelease.yaml b/kubernetes/apps/default/prowlarr/app/helmrelease.yaml index 3b05fee1e..114629aa6 100644 --- a/kubernetes/apps/default/prowlarr/app/helmrelease.yaml +++ b/kubernetes/apps/default/prowlarr/app/helmrelease.yaml @@ -34,9 +34,8 @@ spec: initContainers: init-db: image: - repository: ghcr.io/auricom/postgres-init - tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0 - pullPolicy: IfNotPresent + repository: ghcr.io/onedr0p/postgres-init + tag: 16 envFrom: &envFrom - secretRef: name: prowlarr-secret diff --git a/kubernetes/apps/default/pushover-notifier/app/externalsecret.yaml b/kubernetes/apps/default/pushover-notifier/app/externalsecret.yaml index e05213044..cf61807a1 100644 --- a/kubernetes/apps/default/pushover-notifier/app/externalsecret.yaml +++ b/kubernetes/apps/default/pushover-notifier/app/externalsecret.yaml @@ -16,7 +16,7 @@ spec: data: # App POSTGRES_DB: &dbName pushover-notifier - POSTGRES_HOST: &dbHost postgres-rw.default.svc.cluster.local + POSTGRES_HOST: &dbHost postgres.${SECRET_DOMAIN} POSTGRES_USER: &dbUser "{{ .POSTGRES_USER }}" POSTGRES_PASS: &dbPass "{{ .POSTGRES_PASS }}" PUSHOVER_API_TOKEN: "{{ .PUSHOVER_API_TOKEN }}" 
@@ -29,7 +29,7 @@ spec: INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" dataFrom: - extract: - key: cloudnative-pg + key: generic - extract: key: pushover-notifier - extract: diff --git a/kubernetes/apps/default/pushover-notifier/app/github-releases/helmrelease.yaml b/kubernetes/apps/default/pushover-notifier/app/github-releases/helmrelease.yaml index 5c223c09c..78e1a0c80 100644 --- a/kubernetes/apps/default/pushover-notifier/app/github-releases/helmrelease.yaml +++ b/kubernetes/apps/default/pushover-notifier/app/github-releases/helmrelease.yaml @@ -36,9 +36,8 @@ spec: initContainers: init-db: image: - repository: ghcr.io/auricom/postgres-init - tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0 - pullPolicy: IfNotPresent + repository: ghcr.io/onedr0p/postgres-init + tag: 16 envFrom: &envFrom - secretRef: name: pushover-notifier-secret diff --git a/kubernetes/apps/default/pushover-notifier/ks.yaml b/kubernetes/apps/default/pushover-notifier/ks.yaml index f806a8c47..08fda48a7 100644 --- a/kubernetes/apps/default/pushover-notifier/ks.yaml +++ b/kubernetes/apps/default/pushover-notifier/ks.yaml @@ -7,7 +7,6 @@ metadata: namespace: flux-system spec: dependsOn: - - name: cluster-apps-cloudnative-pg-cluster - name: cluster-apps-external-secrets-stores path: ./kubernetes/apps/default/pushover-notifier/app prune: true diff --git a/kubernetes/apps/default/radarr/app/externalsecret.yaml b/kubernetes/apps/default/radarr/app/externalsecret.yaml index 5ca137951..b67dd0122 100644 --- a/kubernetes/apps/default/radarr/app/externalsecret.yaml +++ b/kubernetes/apps/default/radarr/app/externalsecret.yaml 
@@ -15,7 +15,7 @@ spec: data: # App RADARR__API_KEY: "{{ .RADARR__API_KEY }}" - RADARR__POSTGRES_HOST: &dbHost postgres-rw.default.svc.cluster.local + RADARR__POSTGRES_HOST: &dbHost postgres.${SECRET_DOMAIN} RADARR__POSTGRES_PORT: "5432" RADARR__POSTGRES_USER: &dbUser "{{ .RADARR__POSTGRES_USER }}" RADARR__POSTGRES_PASSWORD: &dbPass "{{ .RADARR__POSTGRES_PASSWORD }}" @@ -31,7 +31,7 @@ spec: INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" dataFrom: - extract: - key: cloudnative-pg + key: generic - extract: key: pushover - extract: diff --git a/kubernetes/apps/default/radarr/app/helmrelease.yaml b/kubernetes/apps/default/radarr/app/helmrelease.yaml index 76af141a8..59471f663 100644 --- a/kubernetes/apps/default/radarr/app/helmrelease.yaml +++ b/kubernetes/apps/default/radarr/app/helmrelease.yaml @@ -42,9 +42,8 @@ spec: initContainers: init-db: image: - repository: ghcr.io/auricom/postgres-init - tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0 - pullPolicy: IfNotPresent + repository: ghcr.io/onedr0p/postgres-init + tag: 16 envFrom: &envFrom - secretRef: name: radarr-secret diff --git a/kubernetes/apps/default/radarr/ks.yaml b/kubernetes/apps/default/radarr/ks.yaml index a93bde541..339f07a44 100644 --- a/kubernetes/apps/default/radarr/ks.yaml +++ b/kubernetes/apps/default/radarr/ks.yaml @@ -7,7 +7,6 @@ metadata: namespace: flux-system spec: dependsOn: - - name: cluster-apps-cloudnative-pg-cluster - name: cluster-apps-external-secrets-stores - name: cluster-apps-rook-ceph-cluster - name: cluster-apps-volsync-app diff --git a/kubernetes/apps/default/sharry/app/config/sharry.conf b/kubernetes/apps/default/sharry/app/config/sharry.conf index 435327220..a07c51a91 100644 --- a/kubernetes/apps/default/sharry/app/config/sharry.conf +++ b/kubernetes/apps/default/sharry/app/config/sharry.conf 
@@ -14,7 +14,7 @@ sharry.restserver { fixed.enabled = false } jdbc { - url = "jdbc:postgresql://${POSTGRES_HOST}:${POSTGRES_PORT}/sharry" + url = "jdbc:postgresql://postgres.${SECRET_DOMAIN}:5432/sharry?ssl=true&sslmode=require" user = "${SECRET_SHARRY_DB_USERNAME}" password = "${SECRET_SHARRY_DB_PASSWORD}" } @@ -33,7 +33,7 @@ sharry.restserver { minio = { enabled = true type = "s3" - endpoint = "http://minio.${SECRET_DOMAIN}:9000" + endpoint = "https://minio.${SECRET_DOMAIN}:9000" access-key = "${SECRET_SHARRY_MINIO_S3_ACCESS_KEY}" secret-key = "${SECRET_SHARRY_MINIO_S3_SECRET_KEY}" bucket = "sharry" diff --git a/kubernetes/apps/default/sharry/app/externalsecret.yaml b/kubernetes/apps/default/sharry/app/externalsecret.yaml index 3ce36614a..80608f9e0 100644 --- a/kubernetes/apps/default/sharry/app/externalsecret.yaml +++ b/kubernetes/apps/default/sharry/app/externalsecret.yaml @@ -16,12 +16,12 @@ spec: data: # Postgres Init INIT_POSTGRES_DBNAME: sharry - INIT_POSTGRES_HOST: postgres-rw.default.svc.cluster.local - INIT_POSTGRES_USER: "{{ .POSTGRES_USERNAME }}" - INIT_POSTGRES_PASS: "{{ .POSTGRES_PASSWORD }}" + INIT_POSTGRES_HOST: postgres.${SECRET_DOMAIN} + INIT_POSTGRES_USER: "{{ .POSTGRES_USER }}" + INIT_POSTGRES_PASS: "{{ .POSTGRES_PASS }}" INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" dataFrom: - extract: - key: cloudnative-pg + key: generic - extract: key: sharry diff --git a/kubernetes/apps/default/sharry/app/helmrelease.yaml b/kubernetes/apps/default/sharry/app/helmrelease.yaml index 79a54eb7a..a1f4e54ca 100644 --- a/kubernetes/apps/default/sharry/app/helmrelease.yaml +++ b/kubernetes/apps/default/sharry/app/helmrelease.yaml @@ -34,9 +34,8 @@ spec: initContainers: init-db: image: - repository: ghcr.io/auricom/postgres-init - tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0 - pullPolicy: IfNotPresent + repository: ghcr.io/onedr0p/postgres-init + tag: 16 envFrom: &envFrom - secretRef: name: sharry-secret 
diff --git a/kubernetes/apps/default/sharry/ks.yaml b/kubernetes/apps/default/sharry/ks.yaml index 9fe963cb2..b40bf61b8 100644 --- a/kubernetes/apps/default/sharry/ks.yaml +++ b/kubernetes/apps/default/sharry/ks.yaml @@ -11,8 +11,6 @@ spec: sourceRef: kind: GitRepository name: home-ops-kubernetes - dependsOn: - - name: cluster-apps-cloudnative-pg-cluster interval: 30m retryInterval: 1m timeout: 3m diff --git a/kubernetes/apps/default/sonarr/app/externalsecret.yaml b/kubernetes/apps/default/sonarr/app/externalsecret.yaml index d6d47bcba..576cc5aae 100644 --- a/kubernetes/apps/default/sonarr/app/externalsecret.yaml +++ b/kubernetes/apps/default/sonarr/app/externalsecret.yaml @@ -15,7 +15,7 @@ spec: data: # App SONARR__API_KEY: "{{ .SONARR__API_KEY }}" - SONARR__POSTGRES_HOST: &dbHost postgres-rw.default.svc.cluster.local + SONARR__POSTGRES_HOST: &dbHost postgres.${SECRET_DOMAIN} SONARR__POSTGRES_PORT: "5432" SONARR__POSTGRES_USER: &dbUser "{{ .SONARR__POSTGRES_USER }}" SONARR__POSTGRES_PASSWORD: &dbPass "{{ .SONARR__POSTGRES_PASSWORD }}" @@ -31,7 +31,7 @@ spec: INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" dataFrom: - extract: - key: cloudnative-pg + key: generic - extract: key: pushover - extract: diff --git a/kubernetes/apps/default/sonarr/app/helmrelease.yaml b/kubernetes/apps/default/sonarr/app/helmrelease.yaml index 43060a641..917c9f0cb 100644 --- a/kubernetes/apps/default/sonarr/app/helmrelease.yaml +++ b/kubernetes/apps/default/sonarr/app/helmrelease.yaml @@ -41,9 +41,8 @@ spec: initContainers: init-db: image: - repository: ghcr.io/auricom/postgres-init - tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0 - pullPolicy: IfNotPresent + repository: ghcr.io/onedr0p/postgres-init + tag: 16 envFrom: &envFrom - secretRef: name: sonarr-secret diff --git a/kubernetes/apps/default/tandoor/app/externalsecret.yaml b/kubernetes/apps/default/tandoor/app/externalsecret.yaml index 09ca8d160..269d32964 100644 
--- a/kubernetes/apps/default/tandoor/app/externalsecret.yaml +++ b/kubernetes/apps/default/tandoor/app/externalsecret.yaml @@ -16,7 +16,7 @@ spec: # App DB_ENGINE: django.db.backends.postgresql_psycopg2 SECRET_KEY: "{{ .TANDOOR_SECRET_KEY }}" - POSTGRES_HOST: &dbHost postgres-rw.default.svc.cluster.local + POSTGRES_HOST: &dbHost postgres.${SECRET_DOMAIN} POSTGRES_PORT: "5432" POSTGRES_DB: &dbName tandoor POSTGRES_USER: &dbUser "{{ .TANDOOR_POSTGRES_USER }}" @@ -29,6 +29,6 @@ spec: INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" dataFrom: - extract: - key: cloudnative-pg + key: generic - extract: key: tandoor diff --git a/kubernetes/apps/default/tandoor/app/helmrelease.yaml b/kubernetes/apps/default/tandoor/app/helmrelease.yaml index 4bce549a3..3e9e956be 100644 --- a/kubernetes/apps/default/tandoor/app/helmrelease.yaml +++ b/kubernetes/apps/default/tandoor/app/helmrelease.yaml @@ -38,15 +38,16 @@ spec: annotations: reloader.stakater.com/auto: "true" initContainers: - 01-init-db: + init-db: + order: 1 image: - repository: ghcr.io/auricom/postgres-init - tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0 - pullPolicy: IfNotPresent + repository: ghcr.io/onedr0p/postgres-init + tag: 16 envFrom: &envFrom - secretRef: name: tandoor-secret - 02-init-migrate: + migrations: + order: 2 image: repository: vabene1111/recipes tag: 1.5.10 diff --git a/kubernetes/apps/default/tandoor/ks.yaml b/kubernetes/apps/default/tandoor/ks.yaml index d2708d389..fdd14011d 100644 --- a/kubernetes/apps/default/tandoor/ks.yaml +++ b/kubernetes/apps/default/tandoor/ks.yaml @@ -12,7 +12,6 @@ spec: kind: GitRepository name: home-ops-kubernetes dependsOn: - - name: cluster-apps-cloudnative-pg-cluster - name: cluster-apps-external-secrets-stores - name: cluster-apps-rook-ceph-cluster - name: cluster-apps-volsync-app 
diff --git a/kubernetes/apps/default/vaultwarden/app/externalsecret.yaml b/kubernetes/apps/default/vaultwarden/app/externalsecret.yaml index 164a67922..fb6151f9c 100644 --- a/kubernetes/apps/default/vaultwarden/app/externalsecret.yaml +++ b/kubernetes/apps/default/vaultwarden/app/externalsecret.yaml @@ -15,16 +15,16 @@ spec: engineVersion: v2 data: # App - DATABASE_URL: postgresql://{{ .POSTGRES_USER }}:{{ .POSTGRES_PASS }}@postgres-rw.default.svc.cluster.local.:5432/vaultwarden + DATABASE_URL: postgresql://{{ .POSTGRES_USER }}:{{ .POSTGRES_PASS }}@postgres.${SECRET_DOMAIN}.:5432/vaultwarden ADMIN_TOKEN: "{{ .VAULTWARDEN_ADMIN_TOKEN }}" # Postgres Init INIT_POSTGRES_DBNAME: vaultwarden - INIT_POSTGRES_HOST: postgres-rw.default.svc.cluster.local + INIT_POSTGRES_HOST: postgres.${SECRET_DOMAIN} INIT_POSTGRES_USER: "{{ .POSTGRES_USER }}" INIT_POSTGRES_PASS: "{{ .POSTGRES_PASS }}" INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" dataFrom: - extract: - key: cloudnative-pg + key: generic - extract: key: vaultwarden diff --git a/kubernetes/apps/default/vaultwarden/app/helmrelease.yaml b/kubernetes/apps/default/vaultwarden/app/helmrelease.yaml index ba8124152..c9ece1daf 100644 --- a/kubernetes/apps/default/vaultwarden/app/helmrelease.yaml +++ b/kubernetes/apps/default/vaultwarden/app/helmrelease.yaml @@ -35,9 +35,8 @@ spec: initContainers: init-db: image: - repository: ghcr.io/auricom/postgres-init - tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0 - pullPolicy: IfNotPresent + repository: ghcr.io/onedr0p/postgres-init + tag: 16 envFrom: &envFrom - secretRef: name: vaultwarden-secret 
@@ -68,14 +67,14 @@ spec: memory: 100Mi limits: memory: 2Gi - statefulset: - volumeClaimTemplates: - - name: config - accessMode: ReadWriteOnce - size: 10Gi - storageClass: rook-ceph-block - globalMounts: - - path: /data + # statefulset: + # volumeClaimTemplates: + # - name: config + # accessMode: ReadWriteOnce + # size: 10Gi + # storageClass: rook-ceph-block + # globalMounts: + # - path: /data service: main: ports: diff --git a/kubernetes/apps/default/vaultwarden/ks.yaml b/kubernetes/apps/default/vaultwarden/ks.yaml index 5b9e6668d..c5f63e401 100644 --- a/kubernetes/apps/default/vaultwarden/ks.yaml +++ b/kubernetes/apps/default/vaultwarden/ks.yaml @@ -12,7 +12,6 @@ spec: kind: GitRepository name: home-ops-kubernetes dependsOn: - - name: cluster-apps-cloudnative-pg-cluster - name: cluster-apps-external-secrets-stores - name: cluster-apps-rook-ceph-cluster - name: cluster-apps-volsync-app diff --git a/kubernetes/apps/default/vikunja/app/externalsecret.yaml b/kubernetes/apps/default/vikunja/app/externalsecret.yaml index aa6356d71..013c73f4d 100644 --- a/kubernetes/apps/default/vikunja/app/externalsecret.yaml +++ b/kubernetes/apps/default/vikunja/app/externalsecret.yaml @@ -15,7 +15,7 @@ spec: engineVersion: v2 data: # App - VIKUNJA_DATABASE_HOST: &dbHost postgres-rw.default.svc.cluster.local. + VIKUNJA_DATABASE_HOST: &dbHost postgres.${SECRET_DOMAIN}. VIKUNJA_DATABASE_DATABASE: &dbName vikunja VIKUNJA_DATABASE_USER: &dbUser "{{ .VIKUNJA_POSTGRES_USER }}" VIKUNJA_DATABASE_PASSWORD: &dbPass "{{ .VIKUNJA_POSTGRES_PASS }}" @@ -29,6 +29,6 @@ spec: INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" dataFrom: - extract: - key: cloudnative-pg + key: generic - extract: key: vikunja diff --git a/kubernetes/apps/default/vikunja/app/helmrelease.yaml b/kubernetes/apps/default/vikunja/app/helmrelease.yaml index 9e5d88886..1e61ae627 100644 --- a/kubernetes/apps/default/vikunja/app/helmrelease.yaml +++ b/kubernetes/apps/default/vikunja/app/helmrelease.yaml 
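Review bot: Commenting out `statefulset.volumeClaimTemplates` removes the only persistent volume visible in this file for `/data`, which is where vaultwarden by default keeps attachments, Sends, the icon cache and its `rsa_key.pem`; if nothing outside this hunk mounts `/data`, a pod restart loses the attachments and regenerates the key, invalidating every active session. If the intent is to keep only the database on the jail, a `persistence.data` entry (a PVC, or `type: nfs` as the pgdump HelmRelease does) should replace the removed claim; if the volume was deliberately relocated, a comment saying so belongs above the block instead of the commented-out lines. The enclosing `values` block starts and ends outside this hunk.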
@@ -36,9 +36,8 @@ spec: initContainers: init-db: image: - repository: ghcr.io/auricom/postgres-init - tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0 - pullPolicy: IfNotPresent + repository: ghcr.io/onedr0p/postgres-init + tag: 16 envFrom: &envFrom - secretRef: name: vikunja-secret diff --git a/kubernetes/apps/default/vikunja/ks.yaml b/kubernetes/apps/default/vikunja/ks.yaml index 4b209293c..549c08978 100644 --- a/kubernetes/apps/default/vikunja/ks.yaml +++ b/kubernetes/apps/default/vikunja/ks.yaml @@ -12,7 +12,6 @@ spec: kind: GitRepository name: home-ops-kubernetes dependsOn: - - name: cluster-apps-cloudnative-pg-cluster - name: cluster-apps-external-secrets-stores - name: cluster-apps-rook-ceph-cluster - name: cluster-apps-volsync-app diff --git a/kubernetes/apps/default/wallabag/app/externalsecret.yaml b/kubernetes/apps/default/wallabag/app/externalsecret.yaml index 9dc29f2a0..60f5b1c3e 100644 --- a/kubernetes/apps/default/wallabag/app/externalsecret.yaml +++ b/kubernetes/apps/default/wallabag/app/externalsecret.yaml @@ -17,7 +17,7 @@ spec: # App SYMFONY__ENV__DATABASE_USER: &dbUser "{{ .POSTGRES_USER }}" SYMFONY__ENV__DATABASE_PASSWORD: &dbPass "{{ .POSTGRES_PASS }}" - SYMFONY__ENV__DATABASE_HOST: &dbHost postgres-rw.default.svc.cluster.local + SYMFONY__ENV__DATABASE_HOST: &dbHost postgres.${SECRET_DOMAIN} SYMFONY__ENV__DATABASE_PORT: "5432" SYMFONY__ENV__DATABASE_NAME: &dbName wallabag # Postgres Init @@ -28,6 +28,6 @@ spec: INIT_POSTGRES_SUPER_PASS: "{{ .POSTGRES_SUPER_PASS }}" dataFrom: - extract: - key: cloudnative-pg + key: generic - extract: key: wallabag diff --git a/kubernetes/apps/default/wallabag/app/helmrelease.yaml b/kubernetes/apps/default/wallabag/app/helmrelease.yaml index 8cec853f5..393fea549 100644 --- a/kubernetes/apps/default/wallabag/app/helmrelease.yaml +++ b/kubernetes/apps/default/wallabag/app/helmrelease.yaml 
@@ -40,15 +40,16 @@ spec:
 pod:
 enableServiceLinks: false
 initContainers:
- 01-init-db:
+ init-db:
+ order: 1
 image:
- repository: ghcr.io/auricom/postgres-init
- tag: 15.5@sha256:9b1b80d8101d3f1c73ef13b90dff2ab3bc855bd79ebcd334cba57db391ce6db0
- pullPolicy: IfNotPresent
+ repository: ghcr.io/onedr0p/postgres-init
+ tag: 16
 envFrom: &envFrom
 - secretRef:
 name: wallabag-secret
- 02-init-migrate:
+ migrations:
+ order: 2
 image:
 repository: wallabag/wallabag
 tag: 2.6.8@sha256:85b31297ec0dbfc5db32f9b8c0d5b598846469ff664e9e1c41b770aeca395a87
diff --git a/kubernetes/apps/default/wallabag/ks.yaml b/kubernetes/apps/default/wallabag/ks.yaml
index 8b503217e..83c495bdf 100644
--- a/kubernetes/apps/default/wallabag/ks.yaml
+++ b/kubernetes/apps/default/wallabag/ks.yaml
@@ -12,7 +12,6 @@ spec:
 kind: GitRepository
 name: home-ops-kubernetes
 dependsOn:
- - name: cluster-apps-cloudnative-pg-cluster
 - name: cluster-apps-external-secrets-stores
 - name: cluster-apps-rook-ceph-cluster
 - name: cluster-apps-volsync-app
diff --git a/kubernetes/apps/monitoring/gatus/app/config/config.yaml b/kubernetes/apps/monitoring/gatus/app/config/config.yaml
index dec58eacc..ffc4f2ab0 100644
--- a/kubernetes/apps/monitoring/gatus/app/config/config.yaml
+++ b/kubernetes/apps/monitoring/gatus/app/config/config.yaml
@@ -3,7 +3,7 @@ web:
 port: ${CUSTOM_WEB_PORT}
 storage:
 type: postgres
- path: postgres://${INIT_POSTGRES_USER}:${INIT_POSTGRES_PASS}@${INIT_POSTGRES_HOST}:5432/${INIT_POSTGRES_DBNAME}?sslmode=disable
+ path: postgres://${INIT_POSTGRES_USER}:${INIT_POSTGRES_PASS}@${INIT_POSTGRES_HOST}:5432/${INIT_POSTGRES_DBNAME}?sslmode=require
 caching: true
 metrics: true
 debug: false
diff --git a/kubernetes/apps/monitoring/gatus/app/externalsecret.yaml b/kubernetes/apps/monitoring/gatus/app/externalsecret.yaml
index c5da53641..29b1c9551 100644
--- a/kubernetes/apps/monitoring/gatus/app/externalsecret.yaml
+++ b/kubernetes/apps/monitoring/gatus/app/externalsecret.yaml
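Review bot: `sslmode=require` on the gatus storage URL encrypts the session but does not verify the server certificate or hostname, so on the new off-cluster path to `${INIT_POSTGRES_HOST}` any host on the route presenting any certificate is still accepted. It is a real improvement over the former `sslmode=disable`; if the jail's certificate chains to a CA the pod can be given, the stronger form is `?sslmode=verify-full&sslrootcert=<path-to-ca-bundle-in-pod>` (placeholder path). How the server certificate is issued is configured in this commit's ansible `postgresql-conf.yml`, which is outside the chunk, so whether `verify-full` is achievable today is inferred rather than checked.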
@@ -18,13 +18,13 @@ spec:
 CUSTOM_PUSHOVER_USER_KEY: '{{ .PUSHOVER_USER_KEY }}'
 # Postgres Init
 INIT_POSTGRES_DBNAME: gatus
- INIT_POSTGRES_HOST: postgres-rw.default.svc.cluster.local
+ INIT_POSTGRES_HOST: postgres.${SECRET_DOMAIN}
 INIT_POSTGRES_USER: '{{ .POSTGRES_USER }}'
 INIT_POSTGRES_PASS: '{{ .POSTGRES_PASS }}'
 INIT_POSTGRES_SUPER_PASS: '{{ .POSTGRES_SUPER_PASS }}'
 dataFrom:
 - extract:
- key: cloudnative-pg
+ key: generic
 - extract:
 key: pushover
 - extract:
diff --git a/kubernetes/apps/monitoring/gatus/ks.yaml b/kubernetes/apps/monitoring/gatus/ks.yaml
index e0eda2944..b036cf818 100644
--- a/kubernetes/apps/monitoring/gatus/ks.yaml
+++ b/kubernetes/apps/monitoring/gatus/ks.yaml
@@ -7,7 +7,6 @@ metadata:
 namespace: flux-system
 spec:
 dependsOn:
- - name: cluster-apps-cloudnative-pg-cluster
 - name: cluster-apps-external-secrets-stores
 path: ./kubernetes/apps/monitoring/gatus/app
 prune: true
diff --git a/kubernetes/flux/vars/cluster-secrets.sops.yaml b/kubernetes/flux/vars/cluster-secrets.sops.yaml
index 45b6e0b58..a6f898296 100644
--- a/kubernetes/flux/vars/cluster-secrets.sops.yaml
+++ b/kubernetes/flux/vars/cluster-secrets.sops.yaml
@@ -25,7 +25,7 @@ stringData:
 SECRET_NITTER_HMAC: ENC[AES256_GCM,data:pOA1LqHV9rcY3xAv5JMuSCMz1rk=,iv:3LkFNu/M3r1K/xBE/f7Kbf526eA4cgyGr4Wu/c+gxD0=,tag:ibJ8U+Pa66B2UmWwP/ZhNQ==,type:str]
 SECRET_OUTLINE_OAUTH_CLIENT_SECRET: ENC[AES256_GCM,data:BB/eZQ/oLQ09AxGwKRddbiyiRMA=,iv:dhiyOUP3GyvHXUdPYqQKPQCMmqornj6WVWtfreq9T6A=,tag:WijFyu8XGk3dklYJR4/81A==,type:str]
 SECRET_SHARRY_DB_USERNAME: ENC[AES256_GCM,data:wWnV6hHz,iv:+uV0X2tovaisFuO5KcF9PpKPyYeS4WtrrPt4Ll+CnsU=,tag:zNWR9AqheMGho0yV923vvw==,type:str]
- SECRET_SHARRY_DB_PASSWORD: ENC[AES256_GCM,data:Y0gk4bRcEws2b0SF4AY=,iv:3cQbD/uvWNGjEmz3z8uEbXWwJffIrTj3nSDsGBS0MEU=,tag:RsIBq9zI8+2temGj5r/Lqg==,type:str]
+ SECRET_SHARRY_DB_PASSWORD: ENC[AES256_GCM,data:HYnqUw3owZ6lQSgAVhY68Pi64pv4iNHePVNgOq3a,iv:3I2C4k3ge3WGmNB7NPE7bxucjuhBs386gPTYSLhu5IA=,tag:AryVw5aecht3NO7gN2vNyQ==,type:str]
 SECRET_SHARRY_MINIO_S3_ACCESS_KEY: ENC[AES256_GCM,data:vAVoafxfbareIodsClVGDQ==,iv:1zojUukd2WQEE3ZBpGrIHaDwkWfAqmF1esjxCGWz3mQ=,tag:8HvBGXkTBJwhel89qffWgA==,type:str]
 SECRET_SHARRY_MINIO_S3_SECRET_KEY: ENC[AES256_GCM,data:3MuIeOh66mJ5mblWSPdz/WybNnSRJKZypRuo4ycvKBA=,iv:NHDNCo+y9f5GlwhlPco5nyrHH7t5diFSUydiX3KFfdY=,tag:vf7RCvIznpiM576gmyJK6w==,type:str]
 type: Opaque
@@ -44,8 +44,8 @@ sops:
 WG82VkdBMlNnRzBySFQzMk41cEtXSlEKBqOmq9UpO61C85+pj0ibdT31y4pmFsbm
 pTi4N0vv81kcf4ilqBU5h1gudNCb42Q2iL0eGNR4e3JzH4iaNsvnEg==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-01-10T00:29:33Z"
- mac: ENC[AES256_GCM,data:WtDnq2nkE5pYz1wt7bpkEfwr2BP1WoI7GiZLQwm6h67T9EtrLY9Dk+3XNTIx8rP/YKuOoLcomxCer4aMNZDib1TC62yZ8gwt9loZNmyqePxOBwSnxQntw+hNlwk2MT3D8lcbWlfq+88vXUeRw/S4SZCpExfBD2ig4y1cj5/fVO8=,iv:UqhcLg+8qHhm5qtokYwS93ZZZFT9AcN65zevNj/iZ2A=,tag:4b+b/DKhidhZC0mY3EvomQ==,type:str]
+ lastmodified: "2024-01-14T00:12:27Z"
+ mac: ENC[AES256_GCM,data:HyYwq36qmwZaN/gg1fcA5cS2DHxAOW9D3umq/LOy1jxG2AixinSIRZTyi7j9reskocFNEKrEfZOSFUClbTzDX6RLJNQHwkPifXddPizk66+3KkKEQ7fkLhKmOo0gBI0fl72WR/YcD8YDDe1+/YAdUIect7ywSg7DIp8wcowTijc=,iv:3zTM2TgIejuLfDki9nnedY3jjhLpoimTMYLQJ2ATvBg=,tag:LPtlm8LF8J9PF0N1zoy8jA==,type:str]
 pgp: []
 encrypted_regex: ^(data|stringData)$
 version: 3.8.1
diff --git a/kubernetes/flux/vars/cluster-settings.yaml b/kubernetes/flux/vars/cluster-settings.yaml
index dac26268e..ff2bd8b71 100644
--- a/kubernetes/flux/vars/cluster-settings.yaml
+++ b/kubernetes/flux/vars/cluster-settings.yaml
@@ -30,5 +30,3 @@ data:
 LOCAL_LAN_TRUENAS_REMOTE: 10.10.0.2
 LOCAL_LAN_OPENMEDIAVAULT: 192.168.9.13
 TIMEZONE: "Europe/Paris"
- POSTGRES_HOST: "postgres-rw.default.svc.cluster.local."
- POSTGRES_PORT: "5432"