--wip-- [skipci]

kubernetes/lianalabs/apps/bitwarden/bitwarden/app/helmrelease.yaml

@@ -0,0 +1,58 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: bitwarden
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: self-host
+      version: 2024.11.0
+      sourceRef:
+        kind: HelmRepository
+        name: bitwarden
+        namespace: flux-system
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      retries: 3
+  values:
+    admins: "${SECRET_ADMIN_EMAIL}"
+    disableUserRegistration: "false"
+    cloudRegion: US
+    enableCloudCommunication: true # Enable billing and license sync
+    sharedStorageClassName: "local-nvme"
+    volumeAccessMode: "ReadWriteOnce"
+    general:
+      domain: "bitwarden.${SECRET_EXTERNAL_DOMAIN}"
+      ingress:
+        enabled: true
+        className: traefik
+        annotations:
+          cert-manager.io/cluster-issuer: "letsencrypt-production"
+          gethomepage.dev/enabled: "true"
+          gethomepage.dev/group: Home
+          gethomepage.dev/name: Bitwarden
+          gethomepage.dev/description: Password management
+          gethomepage.dev/icon: bitwarden
+        cert:
+          tls:
+            name: bitwarden-tls
+            clusterIssuer: letsencrypt-production
+      email:
+        smtpSsl: "false"
+        smtpPort: "465"
+        smtpHost: "${SECRET_SMTP_HOST}"
+        replyToEmail: "${SECRET_SMTP_FROM}"
+    secrets:
+      secretName: bitwarden-secret
+    database:
+      enabled: true
+    volume:
+      logs:
+        enabled: true

kubernetes/lianalabs/apps/bitwarden/bitwarden/app/kustomization.yaml

@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./secret.sops.yaml
+  - ./helmrelease.yaml

kubernetes/lianalabs/apps/bitwarden/bitwarden/app/secret.sops.yaml

@@ -0,0 +1,33 @@
+# yamllint disable
+kind: Secret
+apiVersion: v1
+type: Opaque
+metadata:
+  name: bitwarden-secret
+stringData:
+  replyToEmail: ENC[AES256_GCM,data:MoVLizAyKWEwnDtNuO7pph6mHzFY1VB1882DWKEg,iv:Nfr/5zGbM4xBpEPzK53PQKSU+7MiW075WbW3mhvmJys=,tag:EilT8Pw1KWPUDl8qNgtlOA==,type:str]
+  globalSettings__installation__id: ENC[AES256_GCM,data:4yc5KK84NPuUq65T1hZrA6V3qlwWQOaklJac30c2aTpxmqrU,iv:XaqCbM7rCKTq4UD07oF3UY29MJElGXGesNEWpvpNsyI=,tag:nBbNg+fQYjAUp/vp4SlQ3w==,type:str]
+  globalSettings__installation__key: ENC[AES256_GCM,data:gcncj3uMgyTqQCywGsPrmIxAOMk=,iv:WYpNY9CD5c5h75LDCq3Kh4Hgk7tcbBBx+MuC1n+dqQM=,tag:aQGfdBPmQsbUAvClUFNyeA==,type:str]
+  globalSettings__mail__smtp__username: ENC[AES256_GCM,data:Vp8kVFGJduIXaln0KJWvgfQgUZZjfsA4c/ndh5h5,iv:+/QbObZ+JR+ZNZy8wYz2NL/E45mOF5yYYZ2H2t7srIM=,tag:pCqqSp3r0cRgSeQylTow0A==,type:str]
+  globalSettings__mail__smtp__password: ENC[AES256_GCM,data:MqH5LRMfEVkslor8Ykeb7P8ieyhAPN8wMt79iAY2N+xAP7NlYqvVHst7yC5WuwjO7QE=,iv:PYF4AEZi+Ngqw+XyASrskZxab19np+M2ElXJHlptCw4=,tag:GCkBr0Kbaj4fBgOTfQZeQQ==,type:str]
+  SA_PASSWORD: ENC[AES256_GCM,data:qRrF7jmmWMY2za8XzdPsJoZoqYGZ8Px+RpEGZh1dthLI0T9sAfm/oJ8gqlorLtOOJtJlsvMXUU64KWMl6gWHag==,iv:DWwKuKw+GD3AbA5WyrkFEOQvgZj+BMlyDG5VGBpNEdc=,tag:B+T375bMSQbi+CAygn0anw==,type:str]
+sops:
+  kms: []
+  gcp_kms: []
+  azure_kv: []
+  hc_vault: []
+  age:
+    - recipient: age19nu7uf8dageqlmzk23x7vl24fpn0l7cq20l3l4xxf2sk2xd5h98qss437p
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3ZUw3d2pUa0ZEZnYza2hl
+        eWxydXFrVXNiY04rN2xPZ2lyQVBFVGh6M1Y0Ckg2aHNtcnliZS9SbXkzVERUK1Zv
+        MlZJbUtDRUFyanV0Q0RtYlMzL2kzT1EKLS0tIG4wM2dLUmVocS9CK29tOUY1aGp1
+        MlVzLys4YWdENGJadkF5RStjVS9WajgKb1jfrt8LzybLkGGBNtWIC/zWKutJccrA
+        Lsimmp4m+EMGVesJHDQA8dpp1I+xMhXGNmVwkNoSOgVBRYEsbWskow==
+        -----END AGE ENCRYPTED FILE-----
+  lastmodified: "2024-11-29T02:11:12Z"
+  mac: ENC[AES256_GCM,data:u2ktT9wUCf1KPLE33amsT9qwnjpc+QBEdlo0UMEfXfyVa6+flVNpxP1Nrd6eGzxvy1HuXcML2kyswWiP5BG7hMGqS5BONr9x/t80nA4xwJMZ06sL+XdJZzTCkusp0IyXw/J6JFiNkPYCXswCbrgXfHR6b9ZokqfsNQ20868AabI=,iv:XVVLiGcC/h6G1qm7aRlEm+T8kjDQ3TFGfB99gSF7i1Q=,tag:4MeGgQEin5O9ixUmbEDLDg==,type:str]
+  pgp: []
+  encrypted_regex: ^(data|stringData)$
+  version: 3.9.1

kubernetes/lianalabs/apps/bitwarden/bitwarden/ks.yaml

@@ -0,0 +1,20 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app bitwarden
+  namespace: flux-system
+spec:
+  targetNamespace: bitwarden
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  path: ./kubernetes/lianalabs/apps/bitwarden/bitwarden/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: k8s-gitops
+  wait: true
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m

kubernetes/lianalabs/apps/bitwarden/kustomization.yaml

@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./namespace.yaml
+  - ./bitwarden/ks.yaml

kubernetes/lianalabs/apps/bitwarden/namespace.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: bitwarden
+  labels:
+    kustomize.toolkit.fluxcd.io/prune: disabled

kubernetes/lianalabs/apps/database/mssql/app/helmrelease.yaml

@@ -0,0 +1,95 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
+# TODO: Finish this
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: &app mssql
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: app-template
+      version: 3.5.1
+      sourceRef:
+        kind: HelmRepository
+        name: bjw-s
+        namespace: flux-system
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      strategy: rollback
+      retries: 3
+  values:
+    controllers:
+      mssql:
+        strategy: RollingUpdate
+        containers:
+          app:
+            image:
+              repository: mcr.microsoft.com/mssql/server
+              tag: 2022-CU11-ubuntu-22.04
+            env:
+              ACCEPT_EULA: "Y"
+            envFrom:
+              - secretRef:
+                  name: mssql-secret
+            command: ["/manager"]
+            resources:
+              requests:
+                cpu: 100m
+                memory: 2G
+              limits:
+                cpu: 500m
+                memory: 2G
+            securityContext:
+              allowPrivilegeEscalation: false
+              readOnlyRootFilesystem: true
+              capabilities: { drop: ["ALL"] }
+    defaultPodOptions:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65534
+        runAsGroup: 65534
+        seccompProfile: { type: RuntimeDefault }
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: kubernetes.io/hostname
+          whenUnsatisfiable: DoNotSchedule
+          labelSelector:
+            matchLabels:
+              app.kubernetes.io/name: *app
+    service:
+      app:
+        controller: *app
+        ports:
+          sql:
+            port: 1433
+    serviceAccount:
+      create: true
+      name: *app
+    persistence:
+      backups:
+        storageClass: local-nvme
+        accessMode: ReadWriteOnce
+        size: 1Gi
+        retain: true
+        globalMounts:
+          - path: /backups
+      data:
+        storageClass: local-nvme
+        accessMode: ReadWriteOnce
+        size: 10Gi
+        retain: true
+        globalMounts:
+          - path: /data
+      log:
+        storageClass: local-nvme
+        accessMode: ReadWriteOnce
+        size: 10Gi
+        retain: true
+        globalMounts:
+          - path: /log

kubernetes/lianalabs/apps/database/mssql/app/kustomization.yaml

@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./secret.sops.yaml
+  - ./helmrelease.yaml

kubernetes/lianalabs/apps/database/mssql/app/secret.sops.yaml

@@ -0,0 +1,28 @@
+# yamllint disable
+kind: Secret
+apiVersion: v1
+type: Opaque
+metadata:
+  name: mssql-secret
+stringData:
+  SA_PASSWORD: ENC[AES256_GCM,data:GoawVX7sVsqHmCH3LyZnMXw2TCI2XELfYrL2G8fDlq5XObnYJwWW5wCoKy7Yf4IzOjk+fwMD/bUpP8J9cPVC4Q==,iv:6eDtv8jFiYaYeDEMdLQVHDqJ1F6hIuQpDzeIcrZgGT8=,tag:HBk4kTILcmfSoKvI0I63og==,type:str]
+sops:
+  kms: []
+  gcp_kms: []
+  azure_kv: []
+  hc_vault: []
+  age:
+    - recipient: age19nu7uf8dageqlmzk23x7vl24fpn0l7cq20l3l4xxf2sk2xd5h98qss437p
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTb2N4TDE2NGtTdExiWlVl
+        ODF1Uk5yRmliZ0ZQcG9Wak9NU1UxaGJ1TEVFCi96cUt0YUNtQ2dOWTR2OGlPK2sw
+        bDR5VFViT1FEUXNvOFY5bFR1dVNJN00KLS0tIDJRMk1DUC8yb3cwZGVKaXlDWlNK
+        TTRFZTRXSWFOUktzTzJBVmxHOUJOUlUKbZG3kDRkAVPe4vWOfuij5dX6BL7I+Mp+
+        ScZSmTgajhmnJNrEomq/3GDB9ppbE5gqStiATNeyoqO1Ud54oQqsyA==
+        -----END AGE ENCRYPTED FILE-----
+  lastmodified: "2024-11-29T02:25:56Z"
+  mac: ENC[AES256_GCM,data:FPkasyJCOTL0eWOeK7DizXWNFdfvVr67Wp6JD/XPF4xjjgWRoqOLhd350AVfzrbNWDzgrjevXzRuK307AGaIhRrwAlkXkUAF6fuxwhTES0gOjNtDBeee5h10ragr6tNJ+mos6SRqs0ENSD6Lgh9zEGGMJVKiDDUZb93mEJKC8Ak=,iv:54MhjMza/5TGxtzHU83ZtPTRemVSqm9FUyzNyvo0NNQ=,tag:ae3CVLO4aufcng8L+poEeg==,type:str]
+  pgp: []
+  encrypted_regex: ^(data|stringData)$
+  version: 3.9.1

kubernetes/lianalabs/apps/database/mssql/ks.yaml

@@ -0,0 +1,20 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app mssql
+  namespace: flux-system
+spec:
+  targetNamespace: database
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  path: ./kubernetes/lianalabs/apps/database/mssql/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: k8s-gitops
+  wait: true
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m

kubernetes/lianalabs/flux/vars/cluster-secrets.sops.yaml

@@ -4,12 +4,12 @@ metadata:
   name: cluster-secrets
   namespace: flux-system
 stringData:
-  SECRET_ACME_EMAIL: ENC[AES256_GCM,data:1AaQq1F2UqrxRs5DrlB8,iv:9rYDfyBqZ8bxX5G8mlGhuxePPox/npgGyx0cSGMp4gY=,tag:x87Dli6XLl01Vtv00F8WAg==,type:str]
-  SECRET_ADMIN_EMAIL: ENC[AES256_GCM,data:IpMjsH5ygDx0wq0UzTu3Zg==,iv:HogttH/bn04jB7tW+tzPNELN0ksEM338wdG7e9YTMUc=,tag:y6jBOrcOxxcK965DnXZSbA==,type:str]
-  SECRET_EXTERNAL_DOMAIN: ENC[AES256_GCM,data:QAlms7BJDwPU6w==,iv:NTWNcOJ4mlfXxYTZhVPVtBQc7gpP4PsmdXZqLnBP0ww=,tag:zWwZ/Zj8bTPhGHB63ZKDNw==,type:str]
-  SECRET_INTERNAL_DOMAIN: ENC[AES256_GCM,data:5HzWijIfqxw9UIVm2FXa,iv:DuOP0CLIQtIETVQe1TfVSTetXKZJisBGkL9ecP/gUMg=,tag:8DWUUvl0KIsh0q9swXHd8A==,type:str]
-  SECRET_SMTP_FROM: ENC[AES256_GCM,data:CufTPWACcce/+b/DfjJH2l3/BK2B2wXMo5dRwiw=,iv:KQe5+OalBVnwCh5+s6kXek30s4UqztMiIAdeqhfpdKI=,tag:UjJ4ei1hqvaJDB7j9Qo6Og==,type:str]
-  SECRET_SMTP_HOST: ENC[AES256_GCM,data:yomsxx84cR3Xb+/mQ3Zpvg==,iv:R8T9hl29PJ9OYQ/8m/MBFDaTc/CPhqa3vVc4gVENSRg=,tag:cR2L9zGBjs9TPE3ZjGw9Mg==,type:str]
+  SECRET_ACME_EMAIL: ENC[AES256_GCM,data:pRCYVCLny1MRaiXuenuo,iv:GbuPF76/Dtlgr8y4Yteu7OwPQb4jWQWN8wGQ86sL0QM=,tag:Q9yvIquaY2TndjKAaPWLgw==,type:str]
+  SECRET_ADMIN_EMAIL: ENC[AES256_GCM,data:suzzKjHPJld0gwBf9Hu0pg==,iv:1s5itV5/obo3jeflnOY861gkmJLS/jScFWOLgT3y7xs=,tag:v4BiAta2GnDbjt95bBcjbw==,type:str]
+  SECRET_EXTERNAL_DOMAIN: ENC[AES256_GCM,data:6Is+18wTC6+YPA==,iv:jAqJyOz4aNZW5MD7H+d5n/xkwhN0gCqSTIXvuCAkX8k=,tag:pA9BidBDPFlvGvL2RMDTOw==,type:str]
+  SECRET_INTERNAL_DOMAIN: ENC[AES256_GCM,data:g8f1kzsuk/QuE7J8dxHR,iv:+/Q5Mu3aiyIClSLqw9dl/VKO9uo38B9YNAqf17bwIVM=,tag:qtkmF9F5suncqVY7zBufIg==,type:str]
+  SECRET_SMTP_FROM: ENC[AES256_GCM,data:UU9ASvi2Sw4bbs37t9sffNHVsYKonq2RIjBLNfI=,iv:fTjHWLqpxGRrc30P4r2ptNJEokqd5LP48VZJ7uFgzQA=,tag:ajc4YJOYAd11nhOybYOM9A==,type:str]
+  SECRET_SMTP_HOST: ENC[AES256_GCM,data:0vh4pa6ZdUVyj3j4HS0riA==,iv:XK2o8hU0/gse+nPqfYolo4n8A5ho3J0Xs15GEqVcxjQ=,tag:lspUaxBQ1jh3f2cNQNhxPw==,type:str]
 sops:
   kms: []
   gcp_kms: []
@@ -19,14 +19,14 @@ sops:
     - recipient: age19nu7uf8dageqlmzk23x7vl24fpn0l7cq20l3l4xxf2sk2xd5h98qss437p
       enc: |
         -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNUTVIdUJETDRCY1ZTL0x6
-        aWlhM0V2SFJVZFMwd2xHTmg2WTA5aHQzR2s4CmtnVnBsQWtiWTFwNG85TnVNTWM4
-        M2JTaHNtck9zb1hIYmZDWHJNY2ROU2MKLS0tIHhmZThlUlVaSFFyUU1BTngvTHZq
-        aVl0aGtKKytFNmZmOGR0ZVFiVGw3aDgKNK0woIFslZWjoMk28c0XjPP0JnEBJeZG
-        cgf7H+hbRWy4YM/hxj50dSTpSMV+SYG4m9jKsBf8Eu5sO9jWlwDvGA==
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1RFUzZWNjTTNlckltUmls
+        WVZXRkk3aHdHTDFLZXRhR3lrdmNUcFFLMFRZCkhVSFRFbjdBaWdOZ2tySVZ5dXEz
+        ZUJlMUJPT3FYQzJBcmNsWU1nNnBzN2MKLS0tIFVSWHRJNkZFdkl2WTlybmdPcFFa
+        YlNmMVNidFhhcStoT3ZkaWNPZG51OGsKur3SRLC8kEukW61Ib3mcJK8o/MYl5mz5
+        MN7MCes+xaHXsmXCuLMdwnV1xcuyWt5qJqOK4bg7Q94r9KLQ68rPyg==
         -----END AGE ENCRYPTED FILE-----
-  lastmodified: "2024-11-29T00:49:27Z"
-  mac: ENC[AES256_GCM,data:AF69YwawgAQbritL9b2sgH/Z6SuYIspqaZvohKLewIA6kop6mqeObzo192SmcQmuw8psSo922/Sb5CvgiaAVd3VsZZiCBeZl2K4QupbBvY8DJoFUXn4yb5XVfIVu8IBcLTldQBvcOfYNBBKbxB1IfuaTNN0G1ylpRaSUbqcceI4=,iv:t139OPoYpK0/jUO4fq8dN4bgvIXVQURbra/iMwHJ5U0=,tag:0nsb8KBE4xkA0zy3gVfOjA==,type:str]
+  lastmodified: "2024-11-29T02:11:12Z"
+  mac: ENC[AES256_GCM,data:xtvIPj2NxbI9B41IH7cca7Ub7DR6q/DGRPpJDEZb6CbP7bLYE82Oxn821OiLBtyVEv6ZJF6taw2LO/mgmJ3QDnkw3RI8GhargmXsbqobIbFcTzvcwvkCYi1mMm9Gr3vUryL4vanVUD+DOjDyyBWpkg8D/p5YJqttrG1AckiwWMs=,iv:DkwNHUbjdN43Rp3dlnLpO45T/G7Cto9VLmjPyX4lzx0=,tag:RuKZKXcse54ZcWsE3TEKLg==,type:str]
   pgp: []
   encrypted_regex: ^(data|stringData)$
   version: 3.9.1