new gitops template

cluster/apps/development/docker-registry/helm-release.yaml

@@ -0,0 +1,47 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: docker-registry
+  namespace: development
+spec:
+  interval: 5m
+  chart:
+    spec:
+      # renovate: registryUrl=https://helm.twun.io
+      chart: docker-registry
+      version: 1.10.1
+      sourceRef:
+        kind: HelmRepository
+        name: twuni-charts
+        namespace: flux-system
+      interval: 5m
+  values:
+    storage: s3
+    s3:
+      region: "us-east-1"
+      regionEndpoint: ${SECRET_MINIO_ENDPOINT}
+      bucket: docker-registry
+      encrypt: false
+      secure: true
+    secrets:
+      htpasswd: ${SECRET_DOCKER_REGISTRY_HTPASSWD}
+      s3:
+        accessKey: ${SECRET_MINIO_ACCESS_KEY}
+        secretKey: ${SECRET_MINIO_SECRET_KEY}
+    ingress:
+      enabled: true
+      annotations:
+        kubernetes.io/ingress.class: "nginx"
+        nginx.ingress.kubernetes.io/proxy-body-size: "0"
+        nginx.ingress.kubernetes.io/proxy-read-timeout: "600"
+        nginx.ingress.kubernetes.io/proxy-send-timeout: "600"
+      hosts:
+        - registry.${SECRET_CLUSTER_DOMAIN}
+      tls:
+        - hosts:
+            - registry.${SECRET_CLUSTER_DOMAIN}
+    service:
+      annotations:
+        prometheus.io/probe: "true"
+        prometheus.io/protocol: http

cluster/apps/development/docker-registry/kustomization.yaml

@@ -0,0 +1,4 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - helm-release.yaml

cluster/apps/development/drone-runner-kube/drone-runner-kube-secrets-helm-release.yaml

@@ -0,0 +1,24 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: drone-kubernetes-secrets
+  namespace: development
+spec:
+  interval: 5m
+  chart:
+    spec:
+      # renovate: registryUrl=https://charts.drone.io
+      chart: drone-kubernetes-secrets
+      version: 0.1.1
+      sourceRef:
+        kind: HelmRepository
+        name: drone-charts
+        namespace: flux-system
+      interval: 5m
+  values:
+    rbac:
+      enabled: false
+    env:
+      KUBERNETES_NAMESPACE: development
+      SECRET_KEY: ${SECRET_DRONE_PLUGIN_TOKEN}

cluster/apps/development/drone-runner-kube/helm-release.yaml

@@ -0,0 +1,32 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: drone-runner-kube
+  namespace: development
+spec:
+  interval: 5m
+  chart:
+    spec:
+      # renovate: registryUrl=https://charts.drone.io
+      chart: drone-runner-kube
+      version: 0.1.5
+      sourceRef:
+        kind: HelmRepository
+        name: drone-charts
+        namespace: flux-system
+      interval: 5m
+  values:
+    image:
+      repository: drone/drone-runner-kube
+      tag: 1.0.0-beta.6
+    env:
+      DRONE_RPC_SECRET: ${SECRET_DRONE_RPC_SECRET}
+      DRONE_RPC_PROTO: http
+      DRONE_SECRET_PLUGIN_TOKEN: ${SECRET_DRONE_PLUGIN_TOKEN}
+      DRONE_NAMESPACE_DEFAULT: development
+      DRONE_RPC_HOST: drone
+      DRONE_SECRET_PLUGIN_ENDPOINT: http://drone-kubernetes-secrets:3000
+    rbac:
+      buildNamespaces:
+        - development

cluster/apps/development/drone-runner-kube/kustomization.yaml

@@ -0,0 +1,6 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - drone-runner-kube-secrets-helm-release.yaml
+  - helm-release.yaml
+  - rbac.yaml

cluster/apps/development/drone-runner-kube/rbac.yaml

@@ -0,0 +1,51 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: drone-kubernetes-secrets
+  namespace: development
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: drone-kubernetes-secrets
+  namespace: development
+subjects:
+  - kind: ServiceAccount
+    name: drone-kubernetes-secrets
+roleRef:
+  kind: Role
+  name: drone-kubernetes-secrets
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: drone-edit
+  namespace: media
+subjects:
+  - kind: ServiceAccount
+    name: default
+    namespace: development
+roleRef:
+  kind: ClusterRole
+  name: edit
+  apiGroup: rbac.authorization.k8s.io
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: drone-edit
+  namespace: data
+subjects:
+  - kind: ServiceAccount
+    name: default
+    namespace: development
+roleRef:
+  kind: ClusterRole
+  name: edit
+  apiGroup: rbac.authorization.k8s.io

cluster/apps/development/drone/helm-release.yaml

@@ -0,0 +1,50 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: drone
+  namespace: development
+spec:
+  interval: 5m
+  chart:
+    spec:
+      # renovate: registryUrl=https://charts.drone.io
+      chart: drone
+      version: 0.1.7
+      sourceRef:
+        kind: HelmRepository
+        name: drone-charts
+        namespace: flux-system
+      interval: 5m
+  values:
+    updateStrategy:
+      type: Recreate
+    image:
+      repository: drone/drone
+      tag: 1.10.1
+    persistentVolume:
+      enabled: true
+      existingClaim: drone-config
+    env:
+      DRONE_DATABASE_SECRET: ${SECRET_DRONE_DATABASE_SECRET}
+      DRONE_GITEA_CLIENT_ID: ${SECRET_DRONE_GITEA_CLIENT_ID}
+      DRONE_GITEA_CLIENT_SECRET: ${SECRET_DRONE_GITEA_CLIENT_SECRET}
+      DRONE_RPC_SECRET: ${SECRET_DRONE_RPC_SECRET}
+      DRONE_SERVER_PROTO: https
+      DRONE_GIT_ALWAYS_AUTH: true
+      DRONE_LOGS_TEXT: true
+      DRONE_LOGS_PRETTY: true
+      DRONE_LOGS_COLOR: true
+      DRONE_SERVER_HOST: drone.${SECRET_CLUSTER_DOMAIN}
+      DRONE_GITEA_SERVER: https://gitea.${SECRET_CLUSTER_DOMAIN}
+    ingress:
+      enabled: true
+      annotations:
+        kubernetes.io/ingress.class: "nginx"
+        prometheus.io/probe: "true"
+      hosts:
+        - host: drone.${SECRET_CLUSTER_DOMAIN}
+          paths: ["/"]
+      tls:
+        - hosts:
+            - drone.${SECRET_CLUSTER_DOMAIN}

cluster/apps/development/drone/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - helm-release.yaml
+  - volume.yaml

cluster/apps/development/drone/volume.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: drone-config
+  namespace: development
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: longhorn-backups
+  resources:
+    requests:
+      storage: 10Gi

cluster/apps/development/gitea/helm-release.yaml

@@ -0,0 +1,87 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: gitea
+  namespace: development
+spec:
+  interval: 5m
+  chart:
+    spec:
+      # renovate: registryUrl=https://dl.gitea.io/charts
+      chart: gitea
+      version: 2.2.4
+      sourceRef:
+        kind: HelmRepository
+        name: gitea-charts
+        namespace: flux-system
+      interval: 5m
+  values:
+    persistence:
+      enabled: true
+      size: 10Gi
+      existingClaim: "gitea-config"
+    ingress:
+      enabled: true
+      annotations:
+        kubernetes.io/ingress.class: "nginx"
+        nginx.ingress.kubernetes.io/proxy-body-size: 128m
+        prometheus.io/probe: "true"
+      hosts:
+        - "gitea.${SECRET_CLUSTER_DOMAIN}"
+      tls:
+        - hosts:
+            - "gitea.${SECRET_CLUSTER_DOMAIN}"
+    service:
+      http:
+        port: 3000
+      ssh:
+        annotations:
+          prometheus.io/probe: "true"
+          prometheus.io/protocol: tcp
+        type: LoadBalancer
+        port: 22
+        externalTrafficPolicy: Local
+        externalIPs:
+          - ${CLUSTER_LB_GITEA}
+    gitea:
+      admin:
+        email: ${SECRET_GITEA_ADMIN_EMAIL}
+        username: auricom
+        password: ${SECRET_GITEA_ADMIN_PASSWORD}
+      config:
+        APP_NAME: "Homelab Gitea"
+        database:
+          DB_TYPE: postgres
+          HOST: postgresql:5432
+          NAME: gitea
+          USER: gitea
+          PASSWD: ${SECRET_GITEA_DB_PASSWORD}
+          SCHEMA: gitea
+        server:
+          SSH_PORT: 22
+          SSH_LISTEN_PORT: 22
+        respository:
+          DEFAULT_PRIVATE: true
+        admin:
+          DISABLE_REGULAR_ORG_CREATION: true
+        security:
+          PASSWORD_COMPLEXITY: "lower,upper"
+          MIN_PASSWORD_LENGTH: 12
+        service:
+          DISABLE_REGISTRATION: true
+          REQUIRE_SIGNIN_VIEW: true
+      database:
+        builtIn:
+          postgresql:
+            enabled: false
+        postgresql:
+      cache:
+        builtIn:
+          enabled: true
+    memcached:
+      image:
+        repository: bitnami/memcached
+        tag: 1.6.9
+      service:
+        port: 11211

cluster/apps/development/gitea/kustomization.yaml

@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - helm-release.yaml
+  - volume.yaml

cluster/apps/development/gitea/volume.yaml

@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: gitea-config
+  namespace: development
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: longhorn-backups
+  resources:
+    requests:
+      storage: 15Gi

cluster/apps/development/kustomization.yaml

@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - docker-registry
+  - drone
+  - drone-runner-kube
+  - gitea