diff --git a/.github/gitleaks.yaml b/.github/workflows/gitleaks.yaml similarity index 100% rename from .github/gitleaks.yaml rename to .github/workflows/gitleaks.yaml diff --git a/.github/kubeconform.yaml b/.github/workflows/kubeconform.yaml similarity index 100% rename from .github/kubeconform.yaml rename to .github/workflows/kubeconform.yaml diff --git a/Taskfile.yaml b/Taskfile.yaml index fc3b365..f937d15 100644 --- a/Taskfile.yaml +++ b/Taskfile.yaml @@ -7,7 +7,7 @@ vars: SCRIPTS_DIR: "{{.ROOT_DIR}}/scripts" SOPS_CONFIG_FILE: "{{.ROOT_DIR}}/.sops.yaml" AGE_DIR: ~/.config/sops/age - AGE_FILE: "{{.AGE_DIR}}/keys.txt" + AGE_FILE: "{{.AGE_DIR}}/rd350.key" #env: # KUBECONFIG: "{{.KUBECONFIG_FILE}}" diff --git a/kubernetes/lianalabs/apps/auth/lldap/app/secret.sops.yaml b/kubernetes/lianalabs/apps/auth/lldap/app/secret.sops.yaml index 815e00f..6f0c2cb 100644 --- a/kubernetes/lianalabs/apps/auth/lldap/app/secret.sops.yaml +++ b/kubernetes/lianalabs/apps/auth/lldap/app/secret.sops.yaml 
@@ -6,17 +6,17 @@ metadata: name: lldap-secret namespace: security stringData: - LLDAP_JWT_SECRET: ENC[AES256_GCM,data:voTjYoiA7D7xlJDc/YYtvAJZ4aBEhCeOlnjPY3BTWQzGcnEK+PrLld/+Y9b6a6nsu2ACG8PEXDpUKauVikETKw==,iv:5NvPfnZ7OqGokk7EpaFpaOSAftrJVPpFYMVZDE4RYxI=,tag:2V1maEf3GYGusUMHtxVLAQ==,type:str] - LLDAP_SERVER_KEY_SEED: ENC[AES256_GCM,data:wH5XrCk1lC5cl7xGn19t30wBuks3PQvZoMSRCEBBt9+Q1hXhK+r7GCDhVMgcE26rEGIzg9S0w9hzF8KKUpQYVg==,iv:9lo6e/KQ5lD24QzgXk+NF4SVisEFNPc4i/2zccEOtwo=,tag:33WhxVwnzOEA12k31TxOZA==,type:str] - LLDAP_USER_DN: ENC[AES256_GCM,data:MxbeegcOs1V5whCIqPrhQO7k5sA=,iv:xPDJCFLqd73hYWArEfk4noPx3N2mpplTfmyWDzWzy9I=,tag:Eeck7uLzncaUlww+0egAIA==,type:str] - LLDAP_LDAP_USER_EMAIL: ENC[AES256_GCM,data:vRsFqFkL6zFtBoaz0v22Aw==,iv:Dleghf2VK+3wIsM0uBUjuX0mKbu8Z7hI5pNXBmnAqWw=,tag:BEcobs4mHIimd2WdL4o84A==,type:str] - LLDAP_LDAP_USER_PASS: ENC[AES256_GCM,data:qOpjTJtrGeqwiqG2fVga+1+i/rTIYK/V,iv:CztV1Rdwzx0MMChi5wNq6WyTOzj+WfkOpjLCQpRlZic=,tag:UgrOH554wy4vqEnCICs6pQ==,type:str] - LLDAP_DATABASE_URL: ENC[AES256_GCM,data:I5MC0NvnA5iGpqPDPPSVhJpTv4a1CukKhnOBuqlpciIRbIWlVJ9mVcCHI5Pz77aBzmutzRtt4F1bBdatTb1u3Ok9bLLRwNqCmeT9TDU2rUsjK2zQauszkg==,iv:ez3s5ANWvjBzOLKO6cGdGl8OEkBBcxgp1HzHb9nJo18=,tag:EesfsmL+7PHtjL0vY/GX+Q==,type:str] - INIT_POSTGRES_DBNAME: ENC[AES256_GCM,data:dY0zFzQ=,iv:JwrVOVc2aW/3fgDtOfblD6dn5bSQFofQZwOui23GPu4=,tag:qZylFuBnj+8DiRL2Y5AkJA==,type:str] - INIT_POSTGRES_HOST: ENC[AES256_GCM,data:VGJvnQE3y41Ns0jsJtHcl7JviEYi1L4CV+0//Ii84m2XKfBZHQf5aA==,iv:sEltk+i+JP4F6zqQw02GIh/dqqgP9Ib0ZdleevEaZJU=,tag:4D+P7bzJcEVx1KTOMUGuCA==,type:str] - INIT_POSTGRES_USER: ENC[AES256_GCM,data:shHhp94=,iv:ihSJyT50YxhgqH5WN4c5ahwnElvr0zUBqDKsIWHgsi4=,tag:8iGoo/1Y5S+3jJBeiLf87w==,type:str] - INIT_POSTGRES_PASS: ENC[AES256_GCM,data:nb04tfLH5eLl2jNswKvTveST5WmvMrUC,iv:CXwgrgwS2XkE5CQJGlOOMLLtAIopsNrl280BLHlM+to=,tag:AZjdDsupBAmQEgD3Q62Osg==,type:str] - INIT_POSTGRES_SUPER_PASS: 
ENC[AES256_GCM,data:3I32D1fKoZ31PKUVC/8NZcuW8nWsALdUwUabOw==,iv:4LgtT1nf+wNrE0g+Qwv4fjvSkUaao1uuryf0gAzY/S4=,tag:hAfhA5Il0DZJ3kKODXFw+A==,type:str] + LLDAP_JWT_SECRET: ENC[AES256_GCM,data:eO6ioFY+McP/Nv9kyH0M1/NJZw2y7zZurs350IJ8FJJ654J6Nl2dn5yI3mWoVD0R7UFhcUf6wfO62bm0pFbKoQ==,iv:WV93t3EVhl1bVU+UX3Fw0+3naA5UWX1G5v22/NGSHmQ=,tag:x+UsBhgBUZMLU4SPwC4tsw==,type:str] + LLDAP_SERVER_KEY_SEED: ENC[AES256_GCM,data:muCJlQdHQRJML22S/LRzyLPpnvLU+7Zo3Cw+VM9br1em4PzFyhVrcYQMI6Sha6igYMMlxirRMGGVCWOhQfdxeg==,iv:9OYljQ6ioZ45djSMlGv/wmvNh4JiBDgakzojYTIqwyQ=,tag:ehQJEhNsBnfcIXPk7lGZZA==,type:str] + LLDAP_USER_DN: ENC[AES256_GCM,data:bS7kEo9POWPLq6L8lrr2lw+2LNw=,iv://aQAD26HUekY6E5EH99w0SZR9D1Y76R3biICHhtGmY=,tag:SxDPwAd/6JVB0urUzf6yQg==,type:str] + LLDAP_LDAP_USER_EMAIL: ENC[AES256_GCM,data:7HOVsxWSoObmv3zDMA6MdQ==,iv:fYkr2LSrDIff8NP77THt7CEwvaj82Klh2b+0Y/ng+io=,tag:Ms4MKiJT5BN59ddSOzr76A==,type:str] + LLDAP_LDAP_USER_PASS: ENC[AES256_GCM,data:ZkT3joe7cQWYiOLBsHjln7fvT5b7pIY+,iv:0ioMo2Eec65+F0STOfcv0AGT9yyT7WOdb/Su2wnG8cg=,tag:j8qW+BARjZVVupBULKQwEQ==,type:str] + LLDAP_DATABASE_URL: ENC[AES256_GCM,data:crv56nHAel8l0+SlByna9KN1cg73LBesKcrO7LpsKAOZz0XPVz/SFRTzAs488beocSGXY9BjKThRJYFXCD7XAqQoqwoOO432TpE1slEIIclpv7kqOdEHiw==,iv:9YThfZC5J3fWSUYIJrYO19XBOquV2iL/rTiLzRGqOb8=,tag:Sb1SaqLwZxs+hCIuqoXKXA==,type:str] + INIT_POSTGRES_DBNAME: ENC[AES256_GCM,data:wtfx8QM=,iv:a2h7iJnr2pKJ+cOAKx5LCbq1oopq5ZdSIU8tru0o7CA=,tag:dhFgaqVxRruVhiidZ5o6ww==,type:str] + INIT_POSTGRES_HOST: ENC[AES256_GCM,data:u0rZ2u31+ogCNv6gCvz/uF7egaDdfhLzC0hql0/D0OxtYmYONuH2VA==,iv:QjJDlICShJ/IT0B90WrE6GBBgTwEdn61lyj7DeGcefM=,tag:u14YBAHgApNDUloH/E09ag==,type:str] + INIT_POSTGRES_USER: ENC[AES256_GCM,data:NdhPsyQ=,iv:ui2WTAu1rKrtDG5KJODTpJ8SQdw5zX+Hk8e3uINkWGo=,tag:t3XtCpmGKFSMczj65y1m0Q==,type:str] + INIT_POSTGRES_PASS: ENC[AES256_GCM,data:RtP7/6nAyobgUz7NiaH8d+pxn7mx8fCD,iv:WhApd9nrNyNO7IXxHLUd8aFNcj2ILvCj+L8X5ZXG3Us=,tag:vaJiQVmAQOR1aNJXIrMucA==,type:str] + INIT_POSTGRES_SUPER_PASS: 
ENC[AES256_GCM,data:IU6WDTijXmSu8SZRqAH8b5x7v5vvR8/NMRMdSg==,iv:RddsUxHY/mNhQf5lV7jXe9TBMBedsnlSwrOVxNOvdH0=,tag:JhRcdtK5yovHW+A2VP3xhg==,type:str] sops: kms: [] gcp_kms: [] @@ -26,14 +26,14 @@ sops: - recipient: age19nu7uf8dageqlmzk23x7vl24fpn0l7cq20l3l4xxf2sk2xd5h98qss437p enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIdU0zYkY3ZEpYY3BPRmlX - NFY0cWVLQTQ3L24rUFl3WWR3YzY5c1NkTkZnCjl2MHRSeVBUM2J5UXBManVTWHla - RHBndGE3eWFETVRzQU92L2JGckJZVmMKLS0tIGt3QkREV0hhVWJxTDUwOWFlbm1Q - SE5aNDNyOW4rSFZreWZLMHFPWTZWQVEKTa7upAW/g6Gr9yRIgFqg2NLmcDgo6qkJ - 5a5riZF0rkNw7TLHPljgAxXXv3blfc9emUvvELT0803KM/4Rgl/X5g== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLRkRpbmREYnljSkExMVVs + SmxTd0FNdGVOSWl6MVNOYm43c2xYWkdCRUVnCjM2bWMyc3lVT21FV0JpZVlFaFU1 + aExIemNQT1g4MDBlT2VRMDk3b2h5ZTQKLS0tIGNOODRYU1BCRmRNOC8vUUtGejlZ + UFhFN05tQlhiSHpWZ3JvSS9zWnVMeDQK5LUCRKI3Icmf2XTrowqbshZToNSKCXss + wGLAzx7efkPJKCLoMUKvvnA33JiKQEs7lKK/ycDsYlyPUNEbkB6TKA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-11-12T16:33:45Z" - mac: ENC[AES256_GCM,data:0nOctIyTEhV/tRz0bfcPM8hqr9qCSxDKcL/qk13sBLL8NIHV1Z9/e84vH6yikFgXCzg1MFOeacBqqL6L5QkYnWFDIQqjGF2KJs8gAocy1+XeJxyN2u1ZaZcekwMM2si7Acra3Y0zlxtLiC+ezU78u6p0ov9NhmC+EJdlzPNrBVM=,iv:N61M9+ICHkN0ffPXeZhft1qingQhHIVUM84Nb/G2jdI=,tag:Bvav75zeQbONAaW9rrRCEA==,type:str] + lastmodified: "2024-11-14T05:33:44Z" + mac: ENC[AES256_GCM,data:DivMUwY9PoVnfwbjRV0O1me9xstdzU0C6YMnHn1xIX3JOXDP5wL8Tkt+9+W+oRXYY5E7B7RF83mylg0saLilA8W0nupjM8kJGlLvoGYvhN0isETSG0k/3YK6TRWJ72CG/WiAZNLnSBBJiZx53Xety7rrfqEXfhwm5pK+KVpZbHk=,iv:Bn0U2LkJ5RzCavx//XMcCkUn9+cMNDhzHnKDvD55oB8=,tag:WYzhR04pevAEfBdsNMlbYw==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.9.1 diff --git a/kubernetes/lianalabs/apps/database/minio/app/secret.sops.yaml b/kubernetes/lianalabs/apps/database/minio/app/secret.sops.yaml index 438cbfc..53e14de 100644 --- a/kubernetes/lianalabs/apps/database/minio/app/secret.sops.yaml 
+++ b/kubernetes/lianalabs/apps/database/minio/app/secret.sops.yaml @@ -5,8 +5,8 @@ metadata: name: minio namespace: storage stringData: - MINIO_ROOT_USER: ENC[AES256_GCM,data:9dZi+UY=,iv:7OwY8tKc98aYXuGPk3rRRyNg78PeiXRrFav0+WngS2I=,tag:kcqsDX+07lRlnTV3KdruOA==,type:str] - MINIO_ROOT_PASSWORD: ENC[AES256_GCM,data:wOZ7WGYCnjev+lsZNI5RN91n0q8dt0LaznKdXw==,iv:N1tAWXIObiGiuWNaIFQCJSl3VBDdGb6Qqxkhvh5X7/8=,tag:BOQt+a3TydPFCjxWr7OtYw==,type:str] + MINIO_ROOT_USER: ENC[AES256_GCM,data:LrebSHA=,iv:gawVYARJvesu/JFLPSiJxdAmzifRo87i7jz+bS97zno=,tag:vubz8vWNtNex5ma60je5Eg==,type:str] + MINIO_ROOT_PASSWORD: ENC[AES256_GCM,data:sFFPjiW/q+HmapZVZ8f7qaj8RYNbqDqmpuYSKw==,iv:SnxoTn7vwXyETgbdDy+VaBFtwWTZrOjm/gRlyz2WKbg=,tag:HsLjWILUpgUNB8MpKX9LEQ==,type:str] sops: kms: [] gcp_kms: [] 
@@ -16,14 +16,14 @@ sops: - recipient: age19nu7uf8dageqlmzk23x7vl24fpn0l7cq20l3l4xxf2sk2xd5h98qss437p enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlbFBYeVczeDZwT0VNUDgx - bUtidHVpVFdJODJMMHZPZWZFQWNlL0k0T2xvCnVzWStYNUlnRHdBR29sUzFRd2l2 - UlFRYjVFNEpUU2d5MW9PTkg0MU9mbUUKLS0tIFRIMzdDTG5uc3QzWGp6ZVUrSWJJ - ZEFUcDJKUm9KaFUrdDYyTHk3eThMMjAKgkotzWGfJJgY9qDM+XP/jHlyOxBO0AFg - f3gAMj5OGrNSEgF08ldeQaFHTRGfugz9Q6yS/TaJaJaBvbD4pi5tgg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6SFZrSjMxREtmNjlML2p1 + dFVWYkFqTk5vcGV6UE5UbWR5NXZqc1dqZUVrCmlaUnlyUDF5aVlvdXdZa3U3WW94 + enJSQXlMK2FBL0tMMm45K1AvNUtqdTgKLS0tIFhCTFR0RGlVL25DT1FVbTVUT04z + cEJHNHREcWNINlVHSTJucWxiQTBSKzgKsEW+bUpW6m6dEGvZEyzebjjX/m4+khrN + cjl40uIhOidKUv7XjPUwiAindaFuZYcbHDF7XcebXm0PBYtiC+RJAg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-11-11T16:54:24Z" - mac: ENC[AES256_GCM,data:lPuaYAB7oB9PCMPUkda9B7e6TDmQKGvhECkbECHAwgG8ZYqF5Dh9faQXjn67/AtiVDrbskq3xSIx7ZkPGcu9gZMip2kLex9C93iyXrMRoC1ktEYspMf9GnelqjZS6SWM+lbIhHIvL/09VXFNW0u2nzgP8KRV0u5T0pP/8x7rA8c=,iv:Sua0M5UW/TvGYSFRBddYzjdcmEokbxdglZJeedfDKLk=,tag:BmaOCusZ4vjxidWKVHPe7g==,type:str] + lastmodified: "2024-11-14T05:33:44Z" + mac: ENC[AES256_GCM,data:brdkOeahLXL51R/3Xqnfj3r57e6DX65o4Ln1L4Y9H/F+3lNSE+1HR/+RkLecZnmMFnQFTuz3tMvTnI4Bj0vgbGvVCMpfwxp7vhV++h3sdCjoF5Lme05Kq0i3qK+gt7ZZkrlCnhv9nGdLv5YHruafIZPg8SEJCOwIK1F7XaTkHmk=,iv:UwoBhenHPh1YcpL0s9jop5S7SbYua6VoUho6lM8AxRc=,tag:Oxu12rXr7wH7d84DYKN88Q==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.9.1 diff --git a/kubernetes/lianalabs/apps/labs/homepage/app/resources/services.yaml b/kubernetes/lianalabs/apps/labs/homepage/app/resources/services.yaml index d9fba7e..24ab465 100644 --- a/kubernetes/lianalabs/apps/labs/homepage/app/resources/services.yaml +++ b/kubernetes/lianalabs/apps/labs/homepage/app/resources/services.yaml 
@@ -1,2 +1,58 @@
 ---
+- Network:
+ # - OPNsense:
+ # href: https://opnsense.${SECRET_OLD_DOMAIN}
+ # siteMonitor: https://opnsense.${SECRET_OLD_DOMAIN}
+ # icon: opnsense
+ # description: RSS feed
+ # widget:
+ # type: opnsense
+ # url: https://opnsense.${SECRET_OLD_DOMAIN}
+ # key: "{{HOMEPAGE_VAR_OPNSENSE_TOKEN}}"
 - Services:
+ - Miniflux:
+ href: https://rss.${SECRET_INTERNAL_DOMAIN}
+ siteMonitor: http://miniflux.labs.svc.cluster.local/healthcheck
+ icon: miniflux
+ description: RSS feed
+ widget:
+ type: miniflux
+ url: http://miniflux.labs.svc.cluster.local
+ key: "{{HOMEPAGE_VAR_MINIFLUX_TOKEN}}"
+- Media:
+ - Jellyfin:
+ href: https://${SECRET_MEDIA_DOMAIN}
+ siteMonitor: https://${SECRET_MEDIA_DOMAIN}
+ icon: jellyfin
+ description: Media streaming
+ widget:
+ type: jellyfin
+ url: https://${SECRET_MEDIA_DOMAIN}
+ key: "{{HOMEPAGE_VAR_JELLYFIN_TOKEN}}"
+ - Jellyfin:
+ href: https://jellyseerr.${SECRET_MEDIA_DOMAIN}
+ siteMonitor: https://jellyseerr.${SECRET_MEDIA_DOMAIN}
+ icon: jellyseerr
+ description: Media requests
+ widget:
+ type: jellyseerr
+ url: https://jellyseerr.${SECRET_MEDIA_DOMAIN}
+ key: "{{HOMEPAGE_VAR_JELLYSEERR_TOKEN}}"
+ - Sonarr:
+ href: https://sonarr.${SECRET_MEDIA_DOMAIN}
+ siteMonitor: https://sonarr.${SECRET_MEDIA_DOMAIN}
+ icon: sonarr
+ description: TV
+ widget:
+ type: sonarr
+ url: https://sonarr.${SECRET_MEDIA_DOMAIN}
+ key: "{{HOMEPAGE_VAR_SONARR_TOKEN}}"
+ - Radarr:
+ href: https://radarr.${SECRET_MEDIA_DOMAIN}
+ siteMonitor: https://radarr.${SECRET_MEDIA_DOMAIN}
+ icon: radarr
+ description: Movies
+ widget:
+ type: radarr
+ url: https://radarr.${SECRET_MEDIA_DOMAIN}
+ key: "{{HOMEPAGE_VAR_RADARR_TOKEN}}"
diff --git a/kubernetes/lianalabs/apps/labs/homepage/app/resources/settings.yaml b/kubernetes/lianalabs/apps/labs/homepage/app/resources/settings.yaml
index a718149..e9c9f10 100644
--- a/kubernetes/lianalabs/apps/labs/homepage/app/resources/settings.yaml
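Review bot: The second entry in the `Media` group is keyed `Jellyfin` although its `href`, `icon` and `widget.type` are all `jellyseerr`, so homepage renders two tiles titled Jellyfin and the requests widget is mislabelled; change that key to `- Jellyseerr:`. The new `Network` group holds only commented-out lines, which parses as `- Network: null`, so homepage will at best show an empty group; drop the header until the OPNsense entry is live, or park the comment block under `Services`. The widget `key` values reference `HOMEPAGE_VAR_*_TOKEN` variables that the same commit adds to `homepage-secret`, which keeps the API tokens out of this plaintext file. The `siteMonitor` URLs for the media apps point at the public hostnames, so a failed check cannot tell the application apart from the ingress/DNS path the way the Miniflux entry's cluster-local `/healthcheck` URL can; if those apps run in this cluster, their service URLs would give a sharper signal.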
+++ b/kubernetes/lianalabs/apps/labs/homepage/app/resources/settings.yaml
@@ -17,6 +17,8 @@ layout:
 columns: 4
 Services:
 tab: Main
+ Tools:
+ tab: Main
 Home:
 tab: Main
 Endpoints:
diff --git a/kubernetes/lianalabs/apps/labs/homepage/app/secret.sops.yaml b/kubernetes/lianalabs/apps/labs/homepage/app/secret.sops.yaml
index 98d11dc..5831858 100644
--- a/kubernetes/lianalabs/apps/labs/homepage/app/secret.sops.yaml
+++ b/kubernetes/lianalabs/apps/labs/homepage/app/secret.sops.yaml
@@ -5,10 +5,15 @@ type: Opaque metadata: name: homepage-secret stringData: - HOMEPAGE_VAR_LATITUDE: ENC[AES256_GCM,data:+OXZcv/saxs=,iv:Xa7i/EzlO9Mdp7XVoh4M7lvrjqVkMnytR4ZjEFc0zT0=,tag:rQL5ta1W7AvC00egR5rZDw==,type:str] - HOMEPAGE_VAR_LONGITUDE: ENC[AES256_GCM,data:KiITgqjCzUtL,iv:bJzB2ooYEA1F6ZkTQuq4oI/52jvar0xUcoSKVUGA1M4=,tag:2iA1tdp4qZuU5gzr9fJIAA==,type:str] - OPENWEATHERMAP_API_KEY: ENC[AES256_GCM,data:uVwEuwZ/dXVh8s0cG5kdf9yIoWUwRM8NMgMK26iQ3A==,iv:AZmxlaVbEzBOzqtjYVX57EJGSsOnTne6Viwoh9HLQz4=,tag:qkHjuZMPk0Pt8PawcyNufA==,type:str] - bookmarks.yaml: ENC[AES256_GCM,data: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,iv:AKg+5H9CjHBOMeGZKQBE3KETVKEDykqO9yRAdRi3qrY=,tag:zqfGydIhn6yj7dSXrkcOTw==,type:str] + HOMEPAGE_VAR_LATITUDE: ENC[AES256_GCM,data:6/8msxUVD6Y=,iv:G0WCHGcj1k67KGcIc2bnNAJ6AweRGvfxfr8eEx/Fs7U=,tag:szQbnRCQdaYloJcUXFY4Wg==,type:str] + HOMEPAGE_VAR_LONGITUDE: ENC[AES256_GCM,data:Ewsx/BLnsfNu,iv:h3/XGHbpNJaw25L4Gx982M951qa22MX4uSwmrqn+sd0=,tag:nTqKsW5uHR0+xbMiW9vblA==,type:str] + HOMEPAGE_VAR_MINIFLUX_TOKEN: ENC[AES256_GCM,data:L+KfgG7vVcu9Wt3bjcHlgdRmYKoMrnUT6id3YCo5sVpyqgeYFGGKx/aU7A==,iv:zoVrriqZAGUysXpHofQ8MiBpATsN2lSa+35enaeuBWY=,tag:DhBi4Lf0Dt0/G7F08KsVhg==,type:str] + HOMEPAGE_VAR_JELLYFIN_TOKEN: ENC[AES256_GCM,data:pCPIZd3V5r2nRWvRuSxmQ8YFBx4stxFVxMtN1fMuZQ==,iv:4LpkpawRkhXmE5RUPkZak+eybUc8rpR4h9R9SoV5lQk=,tag:T5iFm1D7jY96Sgoc0EqtYw==,type:str] + HOMEPAGE_VAR_JELLYSEERR_TOKEN: ENC[AES256_GCM,data:ZAau0O5NxHnBIV/JNbUP9jy1bhvpjuR54vDQ7TPRXoWeuMpCVe+eaBpYCt/ayvewYvsibCOKOTJ4C9NpEzLyqGFDCA==,iv:QdaKjPdg7v+0kaZ8IF06sJbkl5yN0rPjV1jXeVzH57w=,tag:n/r0RavMr0Vv3vH4oJFiDg==,type:str] + HOMEPAGE_VAR_RADARR_TOKEN: ENC[AES256_GCM,data:F583uuAetTSXIbFUxu9vDnER8PLE0tXw7uo3EuAkmg==,iv:1lnx6lSMCoDSvMZl9rF7WIQlvGdw/zFRh+V8nm2CQxM=,tag:IhWlCfThuPXMHGFm5XfPww==,type:str] + HOMEPAGE_VAR_SONARR_TOKEN: ENC[AES256_GCM,data:Z4L8pwauevbWWixLWGT3x+ApRJrVPc+TBFWSwwE44w==,iv:8YrcrKDPRz5E17vhA0iR7cKQCNQEhjaTr4cvd4qbJYY=,tag:LWfTOQQr/FepJlRca7KRYQ==,type:str] + 
OPENWEATHERMAP_API_KEY: ENC[AES256_GCM,data:J+Rn2lVxOt6J8sFkVxgBYYl+fx7cOXVgdrBtp9rGYg==,iv:fsG90yVQL+GkLyaLyrpx1lNiYzUTmrSIiCcO/P5j4uA=,tag:XTmz1xFIx8xQLgXHdIXxEQ==,type:str] + bookmarks.yaml: ENC[AES256_GCM,data:zJZc7xR2sI0tNWDU8wMTwXzoV2I73hvRWFZ4bHxenOKSY0B3KuzNpaXxxURDIQZGtbxO9Bl4tEsqmzn5nKie0AoWBaTJGGDbBQoCatDsrW1Lt8xWXq1YxtKMNaf+ychSy7kDJZtJ5euf229DUBnx8kma5MYY2PmK5L+jvCf+uBeFZoIq7GeREkQpAAg2IvsznM5jC8b0x6Z1z0MawAHFAd5IoDc0A54j3YIYKjBuYuzawKNSWF7YUSiyA20l4qmj8tyvMymU+c11/O9k2dljbOzX+TB7bWrvYK2ZEJUXqIW47TFWTvrSJUrRv/OXcSMu6A6sB4PSL5pFU7zhgsCZCdOqqwZOdkRQJzC8n+oUwZTnDOOXnjE+kEdceHxQ2Yc8PpESt0/BOXxiVnt3KoXYs/V1j/TrvYcJannoR4Z314py4JlxBEgfOW/Bmut5WEX5mjwgSk7qQoHIAuVEoGtCT5/+m64eFcD5q2/WnC3M2v4M5tg28aite6alTGDM2pqQu6RCu7u1gLNcwsImey+BbC7OZhnNmwoBZVb/BX5jtk7OBQRbOV39qaJqCchjazVnN7y/8nPHQg7JaEdNuSSD6iI7sOQ7EcgdeoU0nzyTmBQ9I4F8ZNU+u5liLYPgC1c6LzzzMlGcnncPWUHSm2LGG94vQ9r12oNzH0Qif/FjIavanG1v3TyXKnfNXcB5fxZWL5Aq/hHIDXshKDF11u9vxodJ27N52tMfOf2oonronbZMyRIdmimTK46tGLNAbEy5Ph1Ak6fD3ITvmk6a0bin/LytWw+TosP9i9f88ZZx32jUa5JZo4XvTrMxOttQMEUJY0OalnQjRiWGJHTVIHBal/buhR55MgJTom+zlxHGCzXwAYqZXI+z/pntbCxunKjDZ+sDEMncN+mJJad/9mmJ1ivxffk4nzFTag==,iv:rhvKPEncOG7R05CEoZreJlImzW+6G6e0VWT25a9CA74=,tag:4/7t0I0cC2XAlq+QhHJyGA==,type:str] sops: kms: [] gcp_kms: [] 
@@ -18,14 +23,14 @@ sops: - recipient: age19nu7uf8dageqlmzk23x7vl24fpn0l7cq20l3l4xxf2sk2xd5h98qss437p enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5Y2V4bDZncEJOempPWkRt - RTF0Y0dnMFlSSlJjeTVUclUraDA0QWJ0SndzCjNWajZ5UWE4dUZwZFo0WlBwWUN2 - SHN2YWFRSi84QUhiOTc4WFNBSWdBMGsKLS0tIFlnQW9VWTJETHlnTnUwQWNycFZq - aGgrOXF4c2hvU3AzVHYydmgwNndCcFkKjPeLdIRcnd451sqnT9O6dLBf/HGM+uHX - UU0yvGCLz12dMgJEQL8m8phUV4gzXTC8owJLZkGHc1nmz/wd9qXNRg== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWRlhmYmx5eGdTNnZkNmU5 + T1dDYWR4SWNKU2VZZVF1V3FVQ0pxUlFCeVQ4CjR3TTZVbzhvbVREeVlSZzMvV3E0 + MVREci9jc3VSdlM5TWx3NmFWbVVQNzQKLS0tIHJVSjhqWW9QeXBIOVIwOUk5eWdC + dEpkYzB0K3o4bVRkOUF0R3NOSjRycUEKU05Q8EsSOZD5PoIPMtJr2xE/bQqAbmN+ + 0QGlae3ajfTmybwlX9X7zepxuBHpEwYCcrrCbifE4zyFIbuM8S9dfg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-11-09T05:35:53Z" - mac: ENC[AES256_GCM,data:91Mnhssi4yFbnr2wwqHx4pXl2OhNHAdG+3NkvnUyOLjLkEIgKXT1u2LaEgJPyAOPqquqO17m/qy2ZhDyFqsBeSFZFOMht6oVyPop21OhnTewhwPavPqYAxj+jw8Zgu9Wb3/zRSc5jj+JbOB6WG5KLsOtdCG4G+ka3vdWrBRdVgA=,iv:l3+7zmqDAkSScJ7v+hM0p/0RnVmtsgqr4Bj7MmhVaUU=,tag:VNN7J/p4aZ3DRBITQgQnvg==,type:str] + lastmodified: "2024-11-14T05:33:44Z" + mac: ENC[AES256_GCM,data:FC0n19/bco5FNUcjV4bjccXh7KI87tOuTecCW4RzcZHVjTr6d46POpFxDPVdLJnCVtKHG1d9hQM5NuzIj0z39bCR7uxMTtSt/ixXsMmSFcQix2dTKN6Nld5HxN2B/ZJ3nU/m34WpnB1B5nqdH8URvbhfEJmCSATy13tbj0mUfZE=,iv:z3dVL2miyPpX8IYnQglo09A4jlubfGLeJTezqd4TsV8=,tag:uFKLXQwx7gvRwqRf10KhUg==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.9.1 diff --git a/kubernetes/lianalabs/apps/labs/kustomization.yaml b/kubernetes/lianalabs/apps/labs/kustomization.yaml index 35690a6..46d4ffe 100644 --- a/kubernetes/lianalabs/apps/labs/kustomization.yaml +++ b/kubernetes/lianalabs/apps/labs/kustomization.yaml @@ -11,3 +11,4 @@ resources: - ./atuin/ks.yaml - ./it-tools/ks.yaml - ./cyberchef/ks.yaml + - ./redlib/ks.yaml 
diff --git a/kubernetes/lianalabs/apps/labs/redlib/app/helmrelease.yaml b/kubernetes/lianalabs/apps/labs/redlib/app/helmrelease.yaml
new file mode 100644
index 0000000..12e1d3c
--- /dev/null
+++ b/kubernetes/lianalabs/apps/labs/redlib/app/helmrelease.yaml
@@ -0,0 +1,99 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: &app redlib
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: app-template
+ version: 3.2.1
+ sourceRef:
+ kind: HelmRepository
+ name: bjw-s
+ namespace: flux-system
+ install:
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ strategy: rollback
+ retries: 3
+ values:
+ controllers:
+ redlib:
+ annotations:
+ reloader.stakater.com/auto: "true"
+ containers:
+ app:
+ image:
+ repository: quay.io/redlib/redlib
+ tag: latest
+ env:
+ LIBREDDIT_DEFAULT_THEME: laserwave
+ LIBREDDIT_DEFAULT_LAYOUT: compact
+ LIBREDDIT_DEFAULT_WIDE: on
+ LIBREDDIT_DEFAULT_USE_HLS: on
+ LIBREDDIT_DEFAULT_HIDE_HLS_NOTIFICATION: on
+ LIBREDDIT_DEFAULT_POST_SORT: "hot"
+ LIBREDDIT_DEFAULT_SHOW_NSFW: on
+ LIBREDDIT_DEFAULT_BLUR_NSFW: on
+ TZ: ${TIMEZONE}
+ probes:
+ liveness: &probes
+ enabled: true
+ custom: true
+ spec:
+ httpGet:
+ path: &path /settings
+ port: &port 8080
+ initialDelaySeconds: 0
+ periodSeconds: 10
+ timeoutSeconds: 1
+ failureThreshold: 3
+ readiness: *probes
+ resources:
+ requests:
+ cpu: 12m
+ memory: 64Mi
+ limits:
+ memory: 256Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - ALL
+ ingress:
+ app:
+ className: traefik
+ annotations:
+ cert-manager.io/cluster-issuer: "letsencrypt-production"
+ gethomepage.dev/enabled: "true"
+ gethomepage.dev/group: Services
+ gethomepage.dev/name: Redlib
+ gethomepage.dev/description: Reddit client with privacy features
+ gethomepage.dev/icon: reddit
+ hosts:
+ - host: &host "redlib.${SECRET_INTERNAL_DOMAIN}"
+ paths: &paths
+ - path: /
+ service:
+ identifier: app
+ port: http
+ - host: &customHost reddit.${SECRET_INTERNAL_DOMAIN}
+ paths: *paths
+ tls:
+ - secretName: redlib-tls
+ hosts:
+ - *host
+ - *customHost
+ service:
+ app:
+ controller: *app
+ ports:
+ http:
+ port: *port
diff --git a/kubernetes/lianalabs/apps/labs/redlib/app/kustomization.yaml b/kubernetes/lianalabs/apps/labs/redlib/app/kustomization.yaml
new file mode 100644
index 0000000..17cbc72
--- /dev/null
+++ b/kubernetes/lianalabs/apps/labs/redlib/app/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./helmrelease.yaml
diff --git a/kubernetes/lianalabs/apps/labs/redlib/ks.yaml b/kubernetes/lianalabs/apps/labs/redlib/ks.yaml
new file mode 100644
index 0000000..82fbccf
--- /dev/null
+++ b/kubernetes/lianalabs/apps/labs/redlib/ks.yaml
@@ -0,0 +1,26 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app redlib
+ namespace: flux-system
+spec:
+ targetNamespace: labs
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ dependsOn:
+ - name: traefik
+ path: ./kubernetes/lianalabs/apps/labs/redlib/app
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: k8s-gitops
+ wait: false
+ interval: 30m
+ retryInterval: 1m
+ timeout: 5m
+ postBuild:
+ substitute:
+ APP: *app
diff --git a/kubernetes/lianalabs/apps/media/kustomization.yaml b/kubernetes/lianalabs/apps/media/kustomization.yaml
index 51fca06..5e6d92a 100644
--- a/kubernetes/lianalabs/apps/media/kustomization.yaml
+++ b/kubernetes/lianalabs/apps/media/kustomization.yaml
@@ -4,3 +4,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ./namespace.yaml
+ - ./piped/ks.yaml
diff --git a/kubernetes/lianalabs/apps/media/piped/app/helmrelease.yaml b/kubernetes/lianalabs/apps/media/piped/app/helmrelease.yaml
new file mode 100644
index 0000000..3cbd7aa
--- /dev/null
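Review bot: The five `LIBREDDIT_DEFAULT_*` values written as a bare `on` (`WIDE`, `USE_HLS`, `HIDE_HLS_NOTIFICATION`, `SHOW_NSFW`, `BLUR_NSFW`) are YAML 1.1 booleans, so the chart most likely renders them into the container as `true` rather than the literal `on` the application compares against; quote them the way `LIBREDDIT_DEFAULT_POST_SORT: "hot"` already is, e.g. `LIBREDDIT_DEFAULT_WIDE: "on"`. `tag: latest` on `quay.io/redlib/redlib` makes the release non-reproducible and lets an upstream push change what runs on the next pod restart; pin a release tag or `@sha256` digest, as the gatus HelmRelease in this diff does for every image. The container drops all capabilities and uses a read-only root filesystem, but nothing sets `runAsNonRoot`/`runAsUser`; a `defaultPodOptions.securityContext` block like the one in the gatus HelmRelease would close that gap. `path: &path /settings` defines an anchor that is never aliased, so `&path` can go.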
+++ b/kubernetes/lianalabs/apps/media/piped/app/helmrelease.yaml
@@ -0,0 +1,112 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: &app piped
+ namespace: media
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: piped
+ version: 6.0.4
+ sourceRef:
+ kind: HelmRepository
+ name: piped
+ namespace: flux-system
+ install:
+ createNamespace: true
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ crds: Skip
+ remediation:
+ strategy: rollback
+ retries: 3
+ values:
+ postgresql:
+ enabled: false
+ frontend:
+ image:
+ repository: "docker.io/1337kavin/piped-frontend"
+ tag: "latest"
+ pullPolicy: Always
+ env:
+ BACKEND_HOSTNAME: &api api.yt.${SECRET_INTERNAL_DOMAIN}
+ TZ: ${TIMEZONE}
+
+ backend:
+ podAnnotations:
+ configmap.reloader.stakater.com/reload: "piped-backend-config"
+ initContainers:
+ 01-init-db:
+ image:
+ repository: ghcr.io/onedr0p/postgres-init
+ tag: "16"
+ imagePullPolicy: IfNotPresent
+ envFrom:
+ - secretRef:
+ name: &secret piped-secret
+ image:
+ repository: "docker.io/1337kavin/piped"
+ tag: "latest"
+ pullPolicy: Always
+ env:
+ TZ: ${TIMEZONE}
+ config:
+ PORT: 8080
+ HTTP_WORKERS: 4
+ PROXY_PART: &proxy https://proxy.yt.${SECRET_INTERNAL_DOMAIN}
+ # DISABLE_REGISTRATION: false
+ database:
+ secret:
+ name: *secret
+ connection_url: CONNECTION_URL
+ username: INIT_POSTGRES_USER
+ password: INIT_POSTGRES_PASS
+ ingress:
+ main:
+ enabled: true
+ ingressClassName: traefik
+ annotations:
+ cert-manager.io/cluster-issuer: "letsencrypt-production"
+ gethomepage.dev/enabled: "true"
+ gethomepage.dev/group: Tools
+ gethomepage.dev/name: Piped
+ gethomepage.dev/description: YouTube client
+ gethomepage.dev/icon: mdi-youtube
+ hosts:
+ - host: &host yt.${SECRET_INTERNAL_DOMAIN}
+ paths:
+ - path: "/"
+ tls:
+ - secretName: piped-frontend-tls
+ hosts:
+ - *api
+ backend:
+ enabled: true
+ ingressClassName: traefik
+ annotations:
+ hajimari.io/enable: "false"
+ hosts:
+ - host: *api
+ paths:
+ - path: "/"
+ tls:
+ - secretName: piped-api-tls
+ hosts:
+ - *api
+ ytproxy:
+ enabled: true
+ ingressClassName: traefik
+ annotations:
+ hajimari.io/enable: "false"
+ hosts:
+ - host: &proxy proxy.yt.${SECRET_INTERNAL_DOMAIN}
+ paths:
+ - path: "/"
+ tls:
+ - secretName: piped-proxy-tls
+ hosts:
+ - *api
diff --git a/kubernetes/lianalabs/apps/media/piped/app/kustomization.yaml b/kubernetes/lianalabs/apps/media/piped/app/kustomization.yaml
new file mode 100644
index 0000000..5ae7a45
--- /dev/null
+++ b/kubernetes/lianalabs/apps/media/piped/app/kustomization.yaml
@@ -0,0 +1,8 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./secret.sops.yaml
+ - ./helmrelease.yaml
+ - ../../../database/cloudnative-pg/app/secret.sops.yaml
diff --git a/kubernetes/lianalabs/apps/media/piped/app/secret.sops.yaml b/kubernetes/lianalabs/apps/media/piped/app/secret.sops.yaml
new file mode 100644
index 0000000..a89c9c0
--- /dev/null
+++ b/kubernetes/lianalabs/apps/media/piped/app/secret.sops.yaml
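Review bot: The `tls.hosts` lists do not match the hosts they cover: the `main` ingress serves `&host yt.${SECRET_INTERNAL_DOMAIN}` and `ytproxy` serves `proxy.yt.${SECRET_INTERNAL_DOMAIN}`, yet both list `- *api`, so cert-manager issues `piped-frontend-tls` and `piped-proxy-tls` for `api.yt.…` and clients on the frontend and proxy hostnames hit a certificate name mismatch. Use `- *host` under `piped-frontend-tls` and `- *proxy` under `piped-proxy-tls`, which also gives the otherwise unused `&host` anchor a purpose; note that `&proxy` is defined twice (on `PROXY_PART` with the `https://` scheme and again on the ytproxy host), so rename one of them to keep the alias unambiguous. Both piped images use `tag: "latest"` with `pullPolicy: Always`, so any restart can pull a different build; pin release tags. The `01-init-db` container receives only `piped-secret` through `envFrom`, and the `piped-secret` added in this diff carries just `INIT_POSTGRES_USER`, `INIT_POSTGRES_PASS`, `DATABASE_URL` and `CONNECTION_URL`, whereas the other `postgres-init` consumers here (the lldap secret and the gatus `init-db` env) also provide `INIT_POSTGRES_HOST`, `INIT_POSTGRES_DBNAME` and `INIT_POSTGRES_SUPER_PASS`; without those the init container appears to have no database host or superuser credential to work with.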
@@ -0,0 +1,31 @@ +# yamllint disable +kind: Secret +apiVersion: v1 +type: Opaque +metadata: + name: piped-secret +stringData: + INIT_POSTGRES_USER: ENC[AES256_GCM,data:PClMpCo=,iv:WswYV4g8v6yC9BBc+mRwqaW7uBlLYpB/IQP0/9Xa8uU=,tag:/4UO3l/iYn2G6tWsd/J7EA==,type:str] + INIT_POSTGRES_PASS: null + DATABASE_URL: ENC[AES256_GCM,data:qubN/jEvkx3VtuYvNJcihullUJWUYmISs2/vlQOSqQLhmq2fTbXLIb1loKFmpt9XK/za17EZRKh/cAHOEePR1nvpXcflULyMf89i8+7P0UxtOtVmEJEHDaCpGw==,iv:V5cfvsj12SVUjwZsNjM4RpMB7pnWUFr3ncfT6vNeDoU=,tag:HXUs60lmP9zanDABDJxRlA==,type:str] + CONNECTION_URL: ENC[AES256_GCM,data:Ml4MIn1tcLLbd9woL0wVPAem/MvGq5ZeUVo4XFeJt7iZsZxZInNk4ZlhP3hNQD7Tp4qoQvXatA6YToe6,iv:bFZSz0cFBnzCU56g12Usx6gfm9NHrxnPikVQPuUEI4A=,tag:Fr3kgiADMHUDDeAILoyUDQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age19nu7uf8dageqlmzk23x7vl24fpn0l7cq20l3l4xxf2sk2xd5h98qss437p + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBORHlmdTRudXlhQ0xwb1hv + QVZJMFhPUWJmOU5xZXdwbFhVdWxJTTdxSUdJCjdxYTVZU2ltTFMySkV6cFdqd0hH + VmlYUTRtQmh4L3dUb1gzNDY5Zlk3aG8KLS0tIG83ZVpwQk5pMSswMTRHczk3NTdF + YkI2MTZLamFIOTUyOUx2ZlZOVGw3b3cKzgoAlWBy9DBWFt3SJ6IJa5d1haTNEEmP + bY3ypNKP1yj0MFLDTfqnI3HtE8yRi93z551b2jFy8cViVUXlWzMWtA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-19T00:27:03Z" + mac: ENC[AES256_GCM,data:A1H/pyFlWoypT6NA69pUNDTxN3oI/pWuSQjmcvqytfDW/d9B1wbT2JuCa7KZu5P6FUC2cMk7y7gU8rj+g3WF6vPcGQm3bPXJJ0OX2ingztf/041gkZwooxaQTqOpZbsnbpDl3vGI1gnIwQuW18XqFVye34LxgdMmqf/9HsxQYPQ=,iv:KpBhyabXFD67gL33H7xGu0bzrZAkqMmIvMV/GkLbD5g=,tag:toFR3GZiRtZoPR4nPrph6g==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.9.1 diff --git a/kubernetes/lianalabs/apps/media/piped/ks.yaml b/kubernetes/lianalabs/apps/media/piped/ks.yaml new file mode 100644 index 0000000..5cd2035 --- /dev/null +++ b/kubernetes/lianalabs/apps/media/piped/ks.yaml 
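Review bot: `INIT_POSTGRES_PASS: null` is the one `stringData` entry without an `ENC[...]` wrapper (sops leaves null values unencrypted even though `encrypted_regex` matches `stringData`), and the piped HelmRelease maps `database.secret.password` to exactly this key, so the backend and the `postgres-init` container both end up with no password. Kubernetes requires `stringData` values to be strings, so the null is at best coerced to an empty string; set the real value and re-encrypt with sops so this key carries an `ENC[...]` value like `INIT_POSTGRES_USER`. If the password is intentionally embedded only in `DATABASE_URL`/`CONNECTION_URL`, drop the key instead of leaving a null, so the chart's `database.secret.password` mapping does not point at an empty credential.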
@@ -0,0 +1,26 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app piped
+ namespace: flux-system
+spec:
+ targetNamespace: media
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ dependsOn:
+ - name: traefik
+ path: ./kubernetes/lianalabs/apps/media/piped/app
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: k8s-gitops
+ wait: false
+ interval: 30m
+ retryInterval: 1m
+ timeout: 5m
+ postBuild:
+ substitute:
+ APP: *app
diff --git a/kubernetes/lianalabs/apps/observability/gatus/app/helmrelease.yaml b/kubernetes/lianalabs/apps/observability/gatus/app/helmrelease.yaml
new file mode 100644
index 0000000..1da9374
--- /dev/null
+++ b/kubernetes/lianalabs/apps/observability/gatus/app/helmrelease.yaml
@@ -0,0 +1,167 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: gatus
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: app-template
+ version: 3.5.1
+ sourceRef:
+ kind: HelmRepository
+ name: bjw-s
+ namespace: flux-system
+ install:
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ strategy: rollback
+ retries: 3
+ values:
+ controllers:
+ gatus:
+ strategy: RollingUpdate
+ annotations:
+ reloader.stakater.com/auto: "true"
+ initContainers:
+ init-db:
+ image:
+ repository: ghcr.io/onedr0p/postgres-init
+ tag: 16
+ # https://github.com/onedr0p/containers/blob/main/apps/postgres-init/entrypoint.sh
+ env:
+ INIT_POSTGRES_HOST: postgres-1-rw.database.svc.cluster.local
+ INIT_POSTGRES_DBNAME: gatus
+ INIT_POSTGRES_USER:
+ valueFrom:
+ secretKeyRef:
+ name: gatus-secret
+ key: POSTGRES_USER
+ INIT_POSTGRES_PASS:
+ valueFrom:
+ secretKeyRef:
+ name: gatus-secret
+ key: POSTGRES_PASSWORD
+ INIT_POSTGRES_SUPER_PASS:
+ valueFrom:
+ secretKeyRef:
+ name: cloudnative-pg-secret
+ key: password
+ init-config:
+ dependsOn: init-db
+ image:
+ repository: ghcr.io/kiwigrid/k8s-sidecar
+ tag: 1.28.0
+ env:
+ FOLDER: /config
+ LABEL: gatus.io/enabled
+ NAMESPACE: ALL
+ RESOURCE: both
+ UNIQUE_FILENAMES: true
+ METHOD: WATCH
+ restartPolicy: Always
+ resources: &resources
+ requests:
+ cpu: 10m
+ limits:
+ memory: 256Mi
+ containers:
+ app:
+ image:
+ repository: ghcr.io/twin/gatus
+ tag: v5.12.1
+ env:
+ TZ: "${TIMEZONE}"
+ GATUS_CONFIG_PATH: /config
+ GATUS_DELAY_START_SECONDS: 5
+ CUSTOM_WEB_PORT: &port 80
+ POSTGRES_HOST: postgres-1-rw.database.svc.cluster.local
+ POSTGRES_DB: gatus
+ SECRET_EXTERNAL_DOMAIN: "${SECRET_EXTERNAL_DOMAIN}"
+ DISCORD_WEBHOOK_URL: "${SECRET_DISCORD_WEBHOOK_URL}"
+ envFrom:
+ - secretRef:
+ name: gatus-secret
+ probes:
+ liveness: &probes
+ enabled: true
+ custom: true
+ spec:
+ httpGet:
+ path: /health
+ port: *port
+ initialDelaySeconds: 0
+ periodSeconds: 10
+ timeoutSeconds: 1
+ failureThreshold: 3
+ readiness: *probes
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities: { drop: ["ALL"] }
+ resources: *resources
+ defaultPodOptions:
+ dnsConfig:
+ options:
+ - { name: ndots, value: "1" }
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 65534
+ runAsGroup: 65534
+ fsGroup: 65534
+ fsGroupChangePolicy: OnRootMismatch
+ seccompProfile: { type: RuntimeDefault }
+ service:
+ app:
+ controller: gatus
+ ports:
+ http:
+ port: *port
+ serviceMonitor:
+ app:
+ serviceName: gatus
+ endpoints:
+ - port: http
+ scheme: http
+ path: /metrics
+ interval: 1m
+ scrapeTimeout: 10s
+ ingress:
+ app:
+ # TODO: Add external ingress
+ className: traefik
+ annotations:
+ cert-manager.io/cluster-issuer: "letsencrypt-production"
+ gethomepage.dev/enabled: "true"
+ gethomepage.dev/group: Services
+ gethomepage.dev/name: Gatus
+ gethomepage.dev/description: Status monitoring page
+ gethomepage.dev/icon: gatus
+ hosts:
+ - host: "status.${SECRET_EXTERNAL_DOMAIN}"
+ paths:
+ - path: /
+ service:
+ identifier: app
+ port: http
+ tls:
+ - secretName: gatus-tls
+ hosts: [*host]
+ serviceAccount:
+ create: true
+ name: gatus
+ persistence:
+ config:
+ type: emptyDir
+ config-file:
+ type: configMap
+ name: gatus-configmap
+ globalMounts:
+ - path: /config/config.yaml
+ subPath: config.yaml
+ readOnly: true
diff --git a/kubernetes/lianalabs/apps/observability/gatus/app/kustomization.yaml b/kubernetes/lianalabs/apps/observability/gatus/app/kustomization.yaml
new file mode 100644
index 0000000..341e678
--- /dev/null
+++ b/kubernetes/lianalabs/apps/observability/gatus/app/kustomization.yaml
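Review bot: `hosts: [*host]` under `ingress.app.tls` aliases an anchor this document never defines — the host line is `- host: "status.${SECRET_EXTERNAL_DOMAIN}"` with no `&host` — so the YAML fails to parse and Flux cannot apply the HelmRelease; write `- host: &host "status.${SECRET_EXTERNAL_DOMAIN}"`. The `init-config` sidecar runs k8s-sidecar with `NAMESPACE: ALL` and `RESOURCE: both`, so it watches every Secret in the cluster, which is what forces the cluster-wide `secrets` grant in rbac.yaml; if the endpoint definitions live in labelled ConfigMaps, `RESOURCE: configmap` (and a namespace list instead of `ALL`) keeps both the watch and the RBAC to what is needed. `DISCORD_WEBHOOK_URL` is filled by Flux substituting `${SECRET_DISCORD_WEBHOOK_URL}` while `gatus-secret` already delivers `SECRET_DISCORD_WEBHOOK_URL` through `envFrom`, so the same webhook is wired twice; the Flux path depends on a `substituteFrom` entry in ks.yaml that is cut off at the end of this diff, and a single source would be easier to reason about. `UNIQUE_FILENAMES: true` and `GATUS_DELAY_START_SECONDS: 5` are bare boolean/int scalars next to quoted string env values; quoting them removes any dependence on the chart's string coercion.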
@@ -0,0 +1,15 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./secret.sops.yaml
+ - ../../../database/cloudnative-pg/app/secret.sops.yaml
+ - ./rbac.yaml
+ - ./helmrelease.yaml
+configMapGenerator:
+ - name: gatus-configmap
+ files:
+ - config.yaml=./resources/config.yaml
+generatorOptions:
+ disableNameSuffixHash: true
diff --git a/kubernetes/lianalabs/apps/observability/gatus/app/rbac.yaml b/kubernetes/lianalabs/apps/observability/gatus/app/rbac.yaml
new file mode 100644
index 0000000..0f12c43
--- /dev/null
+++ b/kubernetes/lianalabs/apps/observability/gatus/app/rbac.yaml
@@ -0,0 +1,22 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: gatus
+rules:
+ - apiGroups: [""]
+ resources: ["configmaps", "secrets"]
+ verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: gatus
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: ClusterRole
+ name: gatus
+subjects:
+ - kind: ServiceAccount
+ name: gatus
+ namespace: observability
diff --git a/kubernetes/lianalabs/apps/observability/gatus/app/resources/config.yaml b/kubernetes/lianalabs/apps/observability/gatus/app/resources/config.yaml
new file mode 100644
index 0000000..088b808
--- /dev/null
+++ b/kubernetes/lianalabs/apps/observability/gatus/app/resources/config.yaml
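Review bot: The `gatus` ClusterRole grants `get`/`list`/`watch` on `secrets` in every namespace, so the gatus ServiceAccount — and anything that compromises the gatus or k8s-sidecar container — can read every Secret in the cluster, including the sops-managed ones added in this diff. No labelled Secret is visible in this change (`gatus.io/enabled` is the sidecar's `LABEL`, and the only config ships in `gatus-configmap`), so `resources: ["configmaps"]` appears sufficient; if Secrets must be read, prefer a Role/RoleBinding in the namespaces that hold them over a cluster-wide grant, and set the sidecar's `NAMESPACE` to match.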
@@ -0,0 +1,40 @@ +--- +# Note: Gatus vars should be escaped with $${VAR_NAME} to avoid interpolation by Flux +web: + port: $${CUSTOM_WEB_PORT} +storage: + type: postgres + path: postgres://$${POSTGRES_USER}:$${POSTGRES_PASSWORD}@$${POSTGRES_HOST}:5432/$${POSTGRES_DB}?sslmode=disable +metrics: true +debug: false +ui: + title: Status + header: Status +alerting: + discord: + webhook-url: $${DISCORD_WEBHOOK_URL} +connectivity: + checker: + target: 1.1.1.1:53 + interval: 1m +endpoints: + - name: status + group: external + url: https://status.$${SECRET_EXTERNAL_DOMAIN} + interval: 1m + client: + dns-resolver: tcp://1.1.1.1:53 + conditions: + - "[STATUS] == 200" + alerts: + - type: discord + - name: flux-webhook + group: external + url: https://flux-webhook.$${SECRET_EXTERNAL_DOMAIN} + interval: 1m + client: + dns-resolver: tcp://1.1.1.1:53 + conditions: + - "[STATUS] == 404" + alerts: + - type: discord diff --git a/kubernetes/lianalabs/apps/observability/gatus/app/secret.sops.yaml b/kubernetes/lianalabs/apps/observability/gatus/app/secret.sops.yaml new file mode 100644 index 0000000..ca2a0f7 --- /dev/null +++ b/kubernetes/lianalabs/apps/observability/gatus/app/secret.sops.yaml 
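Review bot: `sslmode=disable` in the storage `path` sends the database password and all status data in cleartext over the pod network; cloudnative-pg clusters typically serve TLS with their own CA, so `sslmode=require` (or `verify-full` with the cluster CA mounted) is the safer setting and matches the care taken with sops elsewhere in this commit. Separately, the config reads `$${DISCORD_WEBHOOK_URL}` while `secret.sops.yaml` in this commit defines `SECRET_DISCORD_WEBHOOK_URL`; unless the HelmRelease env block (outside this chunk) remaps the name, the webhook URL expands to empty and alerts silently never fire. `POSTGRES_HOST`, `POSTGRES_DB` and `CUSTOM_WEB_PORT` are likewise absent from the Secret, so confirm they are injected as env by the HelmRelease and note that dependency in the header comment.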
@@ -0,0 +1,30 @@ +# yamllint disable +kind: Secret +apiVersion: v1 +type: Opaque +metadata: + name: gatus-secret +stringData: + SECRET_DISCORD_WEBHOOK_URL: ENC[AES256_GCM,data:so3BhTnLo59gvVKW/+RMCCLjuFvF57zVsSVFNrB8yAgxmpOEl4gj/gGvoxQT5LM8wNFQ5aXoyfW81R826d1c8SrcWHEUvdmPRsOvzrjiwjUhygAXUO/B3v5hlCbSMvK54erlcbUWZsUukc1Idt3DWConBLkDxa4H1g==,iv:41vIrSsS8J6Dr+egmSEeS+Wt9/wJZBZ7JMvDp2QEq9k=,tag:6wzRr6Kc0OPfSHHZJumVpg==,type:str] + POSTGRES_USER: ENC[AES256_GCM,data:fhDqwVY=,iv:4a/KmX8JGQ/BxpNSsFEVVpEcW8hHSuWf3pCsUo/6NTo=,tag:xfnxxUWp5TP5atKTUZwLFQ==,type:str] + POSTGRES_PASSWORD: ENC[AES256_GCM,data:izRoCbICYy5811nZgNaYiNKZhqsdNpxJ9Ne7FevqNMq2ccerv4sF,iv:dWQiE8xM8tyQPfgoTWNwXIqynev2mVBTLpPYLdAeBWg=,tag:VcEuRNYNVFvR0KVv7qiUrw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age19nu7uf8dageqlmzk23x7vl24fpn0l7cq20l3l4xxf2sk2xd5h98qss437p + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLMTlmY3hUaS8vMUpuRXVv + bDVNa05HMVBoMm5yWStOY3N3VFVGZWhOZ3hBClZPam40ODQ4ZCtOdjV3MHJ0Z0Yx + N3huQ0JLcUpDdTJnQ1RBbU9YdVdqVkUKLS0tIDhzMjJ3TTVsRjZ3aFJib1ZHQWpt + QlBmVFJIejJhUk9oVjZHOWZNUWpHcGsK3NmDs6wUnhEzLwG3BKbnX72abJcGFSLe + /ucD0QFzwVurpUZs1Y0TeSBokU10tkb72mhB0lbPzZAIvD96PQ0bsQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-19T00:27:03Z" + mac: ENC[AES256_GCM,data:R3KJjBu6uUrpL+a0TCa0ssqkTemlCj5CHIEFdc05sQ/zrOeVNHjsFwmBW+HWVOiSL5Depzjv34/yQiywp9tXp/3KPJFHzF5sTt363o108KtLHO7/Gj6ZSQ5pS+gp4Ubc9kgLKcMmdr+KX4yUs/Wz5Diz2DdvkuTmUrmTBm80g3I=,iv:5uduJOYoAObCcDfVoQaerssUN3OPkWX8MoAXgTQaFm4=,tag:H9NCduoOCjPVMJDCwKgqAA==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.9.1 diff --git a/kubernetes/lianalabs/apps/observability/gatus/ks.yaml b/kubernetes/lianalabs/apps/observability/gatus/ks.yaml new file mode 100644 index 0000000..3ebb10e --- /dev/null +++ b/kubernetes/lianalabs/apps/observability/gatus/ks.yaml 
@@ -0,0 +1,23 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app gatus + namespace: flux-system +spec: + targetNamespace: observability + commonMetadata: + labels: + app.kubernetes.io/name: *app + dependsOn: + - name: cloudnative-pg-cluster + path: ./kubernetes/lianalabs/apps/observability/gatus/app + prune: true + sourceRef: + kind: GitRepository + name: k8s-gitops + wait: false + interval: 30m + retryInterval: 1m + timeout: 5m diff --git a/kubernetes/lianalabs/apps/observability/kube-prometheus-stack/app/helmrelease.yaml b/kubernetes/lianalabs/apps/observability/kube-prometheus-stack/app/helmrelease.yaml index e83f0ac..aeee96c 100644 --- a/kubernetes/lianalabs/apps/observability/kube-prometheus-stack/app/helmrelease.yaml +++ b/kubernetes/lianalabs/apps/observability/kube-prometheus-stack/app/helmrelease.yaml @@ -106,6 +106,7 @@ spec: spec: storageClassName: "local-nvme" accessModes: ["ReadWriteOnce"] + retain: true resources: requests: storage: 75Gi @@ -137,6 +138,8 @@ spec: ingress: enabled: true ingressClassName: traefik + labels: + teleport: enabled annotations: cert-manager.io/cluster-issuer: "letsencrypt-production" gethomepage.dev/enabled: "true" diff --git a/kubernetes/lianalabs/apps/observability/kube-prometheus-stack/app/secret.sops.yaml b/kubernetes/lianalabs/apps/observability/kube-prometheus-stack/app/secret.sops.yaml index bdb6d92..33f2e0b 100644 --- a/kubernetes/lianalabs/apps/observability/kube-prometheus-stack/app/secret.sops.yaml +++ b/kubernetes/lianalabs/apps/observability/kube-prometheus-stack/app/secret.sops.yaml 
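Review bot: `retain: true` is placed inside the volumeClaimTemplate `spec`, next to `storageClassName` and `accessModes`, but `retain` is not a field of `PersistentVolumeClaimSpec`; the API server will prune or reject it, so the PVC will not be kept on StatefulSet deletion as presumably intended. If PVC retention is the goal, Prometheus Operator exposes `persistentVolumeClaimRetentionPolicy` (a sibling of the storage spec, not inside the claim) with `whenDeleted: Retain` — confirm against the operator resource this block configures, since the enclosing block starts outside the hunk.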
@@ -6,7 +6,7 @@ metadata: name: kube-prometheus-stack-secret namespace: security stringData: - GRAFANA_OAUTH_CLIENT_SECRET: ENC[AES256_GCM,data:PKO1SyP4F/UaMvkkxTNuC6lq5MDjkbjYLNNOrF5Awa3JpuJX+tsl/4mlxbR0WkwQaopkdxUakXKpycBcwhYYokIbMzw0PX8=,iv:XRKdqyYLHNAjVoVCAc7xcsdCUk1mipu2McPZBzWY4iY=,tag:cYFLmXShlUXOpYQPO9RwpA==,type:str] + GRAFANA_OAUTH_CLIENT_SECRET: ENC[AES256_GCM,data:BpaI1ZJj8VhXlZVv5FQlvp73Tb0mw2gL9BS6pBjHEUjjMK8vB/+h6OBoY1IE6annPXTCZpxcD1JKEuOI3SO9dSd+OWAoYpo=,iv:6ruZWpuYVE0RA8gfJKxV3w1R4f3qdJVScgXZ5XlU60s=,tag:aoP/qcLUFuzRXrJ5eog90A==,type:str] sops: kms: [] gcp_kms: [] 
@@ -16,14 +16,14 @@ sops: - recipient: age19nu7uf8dageqlmzk23x7vl24fpn0l7cq20l3l4xxf2sk2xd5h98qss437p enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2SkpOMFBWUjdIYlVreTVQ - RVpuTHBuckFsTXpXVWRTVzh3aTZ1WHU1akc4CjZyY0tVZVVxeFBpQXRHRFFRYjFV - OWJWVVZ4R0RVaUUxUDJOclFyUnpaZk0KLS0tIFowWWxqL0Y3ZkxMWlpDdlBvTEJU - OU9ISE1Dc2NsY2NmaktzSVMrR29KQVEKFObMGCxg34OzTmsR8rfXR+Whx+tGgvQP - F0xIa0HqzUvu9TA+5jLJCb6q+TjGLGxkF+3uqmsDhuK84o79fvNX2g== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByWmRzd3pqTTZ6bW91NDFD + OFZoYWlhVlJjT1M0aEJwb28rQmZmUGxRdkRVCk5wMUdwTisrLzVvRmxvaHN5RDhW + MWJIVllTR1g1L2oxank2aVRCNWxMYmsKLS0tIEZocDFTVkhSc3pYNWV4aE5VL2Jl + cElIbVJjRlJuY1YyOFpvMmlUZDdnQmcKbJEdzQtNf8qMuI7hQj/1q7fT3Jek2zuC + sPDcyZZ865LpJ7fzICiIg8fwueJ8Yh1RDOZlHDHv1lwpXUoOHXTNNQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-11-13T18:04:15Z" - mac: ENC[AES256_GCM,data:h61/Sfw46SV2Z83Pvz1Sv4yJO4zxmPefQB+neX/kj/ER90jMcttxmkQsqYaAWL5h0Rxd2EEv71Rm7tjieU1a8XPjOWpnaEk0ke3DF6Kadzc1qLpxeHPWl5lha3mx7DTytGrlsjoWIaMworabAuQQtoojac/rXefHAz7Yu75lFyw=,iv:WgtLU0AVJExLomGDYn6dqEQW5UUocmLbgi4uW1CflzE=,tag:sRnQFRijSWEibDCwc7St+g==,type:str] + lastmodified: "2024-11-14T05:33:44Z" + mac: ENC[AES256_GCM,data:Oxuur4hDB1oK7T5C8Inx+Vm2CzOCPGGBTXGSvBb23b+IMg7Jtgtd/yrMApCw5Zzo0V3tglGu8C3kKbXotVV2+uGLOUTlQ6v1fbAyKXoV7DEqTGFlFo7X3wIKGA2Y5AA5+dCvoHlw3GM0dThWcbSNC5YTaXcUCNoUfa0FLirFhkA=,iv:Fl+fhvU2Oa4D75ZrNHLIbupRnljxZiEGbLaFZmb4c+M=,tag:+u40O3qc8TZQ8Q23w1J6/g==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.9.1 diff --git a/kubernetes/lianalabs/apps/observability/kustomization.yaml b/kubernetes/lianalabs/apps/observability/kustomization.yaml index 10defa5..73bf793 100644 --- a/kubernetes/lianalabs/apps/observability/kustomization.yaml +++ b/kubernetes/lianalabs/apps/observability/kustomization.yaml @@ -7,3 +7,4 @@ resources: - ./kube-prometheus-stack/ks.yaml - ./loki/ks.yaml - ./netshoot/ks.yaml + - ./gatus/ks.yaml 
diff --git a/kubernetes/lianalabs/apps/observability/loki/app/secret.sops.yaml b/kubernetes/lianalabs/apps/observability/loki/app/secret.sops.yaml index 59c8d73..49f741e 100644 --- a/kubernetes/lianalabs/apps/observability/loki/app/secret.sops.yaml +++ b/kubernetes/lianalabs/apps/observability/loki/app/secret.sops.yaml @@ -5,10 +5,10 @@ metadata: name: minio namespace: storage stringData: - BUCKET_NAME: ENC[AES256_GCM,data:cBKRwg==,iv:kPXCK5a5QKp61IK7K5XNrU+ittcnCFIh1Oq+q5FXH0Q=,tag:UGIuLkT8JMSMGXoCJSF3Mw==,type:str] - BUCKET_HOST: ENC[AES256_GCM,data:JDb1PoGlhia4wwYbsX/SWCLCLM3WF3XevJ5v9d2DDyg=,iv:SxvRUFrTJECxgw+u4RSoklBUM+jrU9z25V+Ual41swE=,tag:2mGyV2xMoHZMXpMgbzWjCQ==,type:str] - AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:YhHxECJYHLpQy9lZpJcOIkSyFOg=,iv:BIhXQxD9PDC4QJcCGFpQNNWHB3UBlGhhXV+ykCfRtrc=,tag:uSkRVM54a3gQMvPUvCabxQ==,type:str] - AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:ki2J85iRe9eGAHc3BG7hftSzpaIQ2YqoAIvlO/I6EAXYHzLfTAduwA==,iv:TIS8FLYAkffMwXQnQlImSi9CQAC3egfAQOh9319yUHc=,tag:OXLiQuW9Gi8JDDEHwXfl5Q==,type:str] + BUCKET_NAME: ENC[AES256_GCM,data:sXZExw==,iv:aGJfLV/EH9mFJ395P263lH9KL2CiQ2zI+jc13Ltj63Q=,tag:7p2BMYdaU8f0oFkiAZg4Kg==,type:str] + BUCKET_HOST: ENC[AES256_GCM,data:LU0IRsELB5TxX3jRxd+kCN9O120RiTZdxb+ulQTuNsQ=,iv:FZnuVvUDdiZUW64LJdclRdCFlsn5rFgRWMzHG7k9svk=,tag:8eInZg1pkRwNgRjmT8pJWQ==,type:str] + AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:mlV4W4eIHYbzPuaMEYulAwq3MpQ=,iv:snI2cD94CT1qMiBcIkozkrd1EKb+NiuDKn76XXCVp8w=,tag:z1qU5XW7XzSG95I67hYgBg==,type:str] + AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:LP/gsKBEwXJoZtc12+9mifrxZ6SjrAGf6e0kaU/2Mhoon0x2M7TXkA==,iv:qJpvNA/92fH780piikJ3QsoAbqkV7CU/qaL+CZMIkkA=,tag:MyJTDVqH6vGgyU2vbnG1WA==,type:str] sops: kms: [] gcp_kms: [] 
@@ -18,14 +18,14 @@ sops: - recipient: age19nu7uf8dageqlmzk23x7vl24fpn0l7cq20l3l4xxf2sk2xd5h98qss437p enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTS05mRDgzdkRBNE45S3JW - QXhxZEtmcm1RNi9yRGkrN0ZHUFJvOG1yQkFrCnVYN2VwaU1vcnlNMGJtcndGcFVV - amZTWWtvd2FUY1h6aHFOYmJkWlNZME0KLS0tIFBJVWV0WGorMTd4Rm9kZ3c2VzJS - N0VlZXc4QWx4Wm0yWGRpakszeFF4OFkK1eQSiuN/He2Kq6HqJ8zmDQCO7cMkX660 - 9ptkUV5GjGb0CeI33wLrKGD/PHR576qu4j5lNEP/Dkh41RHF9us9iA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKRmFDTUJPVi92a3lsYzJS + ZWJudXJ2UWJxMDZ5emtKdldzVWhEbjVpb2hBCmJHWVhLQ3JOdFNrZXNSOWh3cUtq + eGYzSHU0d0d2S1ovcmYwaWtnL2dKRmMKLS0tIFA0TkYyQXhYWjlhTnlrMG1tSFBV + b2pSREUzOGJNK21mdCt2Qm5PZG4yclkKm07K79dyLdlJX6Mu4XxE198Sua/p4b5j + jReXVAiw5ydc5TYKaQYyxoliK+DFIthfJfo5BwCTrPhbs9OKU4aVPw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-11-13T01:03:01Z" - mac: ENC[AES256_GCM,data:EU93Xx1QBZ3XLB5rUfkU6Y/il0xcbPh14omD4Cd6HFv/Cgr9QMn4M0B9QLE4OvjKP7AzJ8/HOe9jtZGL8azAmYIvKsRfPq8biFl64fBpSDbir61oqiy3xPFfqICqJsCqE2chsVetEnJ48nKIl0ZtKYGufoy0dps/tmivftQYLvI=,iv:ScQvat4NdNq26JYF6UCreDIwVXfH7m+pJTb9++AXKQU=,tag:I621abulel0nONoB7deVfg==,type:str] + lastmodified: "2024-11-14T05:33:44Z" + mac: ENC[AES256_GCM,data:IIa6tusW0BBXynK6nFixeLjPmTEIAO2cSi9uJF1T6jcQAGXwTMgSM5qQJ64uTtY9zfnHzCDcDTw7SHw6Z/WAHBYftX9gMolkJQzU7arEHtSAFrLtuli0DM4IodIAWNOTiULZ5fZRspl9yKXzjW8V8MrD1t8JvB224CbEwQCXQHQ=,iv:LEfRRmbIGpEV3I4m/mdjpVmf422PMAGko/FC8ZiuXqM=,tag:ppuNy0bBt/NhaCh65GV1zQ==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.9.1 diff --git a/kubernetes/lianalabs/apps/security/teleport/agent/helmrelease.yaml b/kubernetes/lianalabs/apps/security/teleport/agent/helmrelease.yaml new file mode 100644 index 0000000..cdad20a --- /dev/null +++ b/kubernetes/lianalabs/apps/security/teleport/agent/helmrelease.yaml 
@@ -0,0 +1,44 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: &app teleport-kube-agent +spec: + interval: 30m + chart: + spec: + chart: teleport-kube-agent + version: 17.0.1 + sourceRef: + kind: HelmRepository + name: teleport + namespace: flux-system + maxHistory: 2 + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + strategy: rollback + retries: 3 + values: + log: + level: INFO + output: stderr + format: text + extraFields: ["timestamp", "level", "component", "caller"] + roles: kube,app,discovery,node + insecureSkipProxyTLSVerify: true + proxyAddr: teleport.${SECRET_EXTERNAL_DOMAIN}:443 + joinParams: + method: kubernetes + tokenName: kubernetes-token + kubeClusterName: lianalabs + teleportConfig: + discovery_service: + kubernetes: + - types: ["app"] + namespaces: ["*"] + labels: + teleport: enabled diff --git a/kubernetes/lianalabs/apps/security/teleport/agent/kustomization.yaml b/kubernetes/lianalabs/apps/security/teleport/agent/kustomization.yaml new file mode 100644 index 0000000..17cbc72 --- /dev/null +++ b/kubernetes/lianalabs/apps/security/teleport/agent/kustomization.yaml @@ -0,0 +1,6 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./helmrelease.yaml diff --git a/kubernetes/lianalabs/apps/security/teleport/app/crt.yaml b/kubernetes/lianalabs/apps/security/teleport/app/crt.yaml new file mode 100644 index 0000000..a3be5b5 --- /dev/null +++ b/kubernetes/lianalabs/apps/security/teleport/app/crt.yaml @@ -0,0 +1,14 @@ +--- +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: teleport-tls + namespace: security +spec: + secretName: teleport-tls + issuerRef: + name: letsencrypt-production + kind: ClusterIssuer + dnsNames: + - "teleport.${SECRET_EXTERNAL_DOMAIN}" + - "*.teleport.${SECRET_EXTERNAL_DOMAIN}" 
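Review bot: `insecureSkipProxyTLSVerify: true` makes the agent accept any certificate from `teleport.${SECRET_EXTERNAL_DOMAIN}:443`, so the join and every later reverse-tunnel connection can be intercepted by anyone who can answer for that hostname. The proxy receives a Let's Encrypt certificate via cert-manager in this same commit, so this should become `insecureSkipProxyTLSVerify: false` once that certificate is issued, or use `caPin` if a private CA is involved. `namespaces: ["*"]` in `discovery_service.kubernetes` also enrols labelled services from every namespace; listing only the namespaces expected to carry `teleport: enabled` limits what the agent learns and registers.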
diff --git a/kubernetes/lianalabs/apps/security/teleport/app/helmrelease.yaml b/kubernetes/lianalabs/apps/security/teleport/app/helmrelease.yaml index f49b103..389e740 100644 --- a/kubernetes/lianalabs/apps/security/teleport/app/helmrelease.yaml +++ b/kubernetes/lianalabs/apps/security/teleport/app/helmrelease.yaml @@ -8,7 +8,7 @@ spec: chart: spec: chart: teleport-cluster - version: 16.4.6 + version: 17.0.1 sourceRef: kind: HelmRepository name: teleport @@ -19,12 +19,11 @@ spec: upgrade: cleanupOnFail: true remediation: - strategy: rollback retries: 3 values: clusterName: teleport.${SECRET_EXTERNAL_DOMAIN} chartMode: standalone - kubeClusterName: LianaLabs + kubeClusterName: lianalabs validateConfigOnDeploy: true enterprise: false auth: @@ -54,22 +53,32 @@ spec: enabled: true suppressAutomaticWildcards: false spec: - ingressClassName: traefik + ingressClassName: traefik-external annotations: ingress: + external-dns.alpha.kubernetes.io/hostname: "teleport.${SECRET_EXTERNAL_DOMAIN}" cert-manager.io/cluster-issuer: "letsencrypt-production" gethomepage.dev/enabled: "true" gethomepage.dev/group: Services - gethomepage.dev/name: *app - gethomepage.dev/icon: teleport.png - tls: - existingSecretName: "teleport-cluster-tls" + gethomepage.dev/name: Teleport + gethomepage.dev/description: Teleport dashboard + gethomepage.dev/icon: teleport + traefik.ingress.kubernetes.io/router.entrypoints: "websecure" + service: + traefik.ingress.kubernetes.io/service.serversscheme: https + highAvailability: + certManager: + enabled: true + issuerName: "letsencrypt-production" + issuerKind: "ClusterIssuer" + # tls: + # existingSecretName: teleport-tls authentication: type: local proxyListenerMode: multiplex persistence: enabled: true - storageClassName: local-nvme + existingClaimName: teleport serviceAccount: create: true rbac: 
diff --git a/kubernetes/lianalabs/apps/security/teleport/app/kustomization.yaml b/kubernetes/lianalabs/apps/security/teleport/app/kustomization.yaml index 17cbc72..6d37a52 100644 --- a/kubernetes/lianalabs/apps/security/teleport/app/kustomization.yaml +++ b/kubernetes/lianalabs/apps/security/teleport/app/kustomization.yaml @@ -3,4 +3,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: + - ./pvc.yaml + #- ./crt.yaml + - ./roles.yaml - ./helmrelease.yaml diff --git a/kubernetes/lianalabs/apps/security/teleport/app/pvc.yaml b/kubernetes/lianalabs/apps/security/teleport/app/pvc.yaml new file mode 100644 index 0000000..6ce438b --- /dev/null +++ b/kubernetes/lianalabs/apps/security/teleport/app/pvc.yaml @@ -0,0 +1,12 @@ +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: teleport + namespace: security +spec: + storageClassName: local-nvme + accessModes: ["ReadWriteOnce"] + resources: + requests: + storage: 8Gi diff --git a/kubernetes/lianalabs/apps/security/teleport/app/resources/admin.yaml b/kubernetes/lianalabs/apps/security/teleport/app/resources/admin.yaml new file mode 100644 index 0000000..8edfb24 --- /dev/null +++ b/kubernetes/lianalabs/apps/security/teleport/app/resources/admin.yaml @@ -0,0 +1,16 @@ +--- +kind: role +version: v7 +metadata: + name: admin + description: System administrator +spec: + allow: + kubernetes_groups: ["system:masters"] + kubernetes_labels: + "*": "*" + kubernetes_resources: + - kind: "*" + namespace: "*" + name: "*" + verbs: ["*"] diff --git a/kubernetes/lianalabs/apps/security/teleport/app/resources/token.yaml b/kubernetes/lianalabs/apps/security/teleport/app/resources/token.yaml new file mode 100644 index 0000000..9864a33 --- /dev/null +++ b/kubernetes/lianalabs/apps/security/teleport/app/resources/token.yaml 
@@ -0,0 +1,19 @@
+---
+kind: token
+metadata:
+ expires: "2050-01-01T00:00:00Z"
+ name: kubernetes-token
+ revision: 8d372a54-3a88-4753-ad05-1a887958abba
+spec:
+ join_method: kubernetes
+ kubernetes:
+ allow:
+ - service_account: security:teleport-kube-agent
+ type: in_cluster
+ roles:
+ - Kube
+ - App
+ - Discovery
+ - Node
+ - WindowsDesktop
+version: v2
diff --git a/kubernetes/lianalabs/apps/security/teleport/app/roles.yaml b/kubernetes/lianalabs/apps/security/teleport/app/roles.yaml new file mode 100644
index 0000000..e15d187
--- /dev/null
+++ b/kubernetes/lianalabs/apps/security/teleport/app/roles.yaml
@@ -0,0 +1,34 @@
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: pod-viewer
+rules:
+ - apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get", "watch", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+ name: pod-shell
+rules:
+ - apiGroups: [""]
+ resources: ["pods"]
+ verbs: ["get", "watch", "list", "delete"]
+ - apiGroups: [""]
+ resources: ["pods/exec"]
+ verbs: ["get", "list", "create"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+ name: pod-viewer
+subjects:
+ - kind: Group
+ name: scientists
+ apiGroup: rbac.authorization.k8s.io
+roleRef:
+ kind: ClusterRole
+ name: pod-shell
+ apiGroup: rbac.authorization.k8s.io
diff --git a/kubernetes/lianalabs/apps/security/teleport/ks.yaml b/kubernetes/lianalabs/apps/security/teleport/ks.yaml
index 3027f74..f9dd870 100644
--- a/kubernetes/lianalabs/apps/security/teleport/ks.yaml
+++ b/kubernetes/lianalabs/apps/security/teleport/ks.yaml
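Review bot: The join token allows `WindowsDesktop` (and `Node`) roles, while the agent added in this commit runs `roles: kube,app,discovery,node`; `WindowsDesktop` is unused and should be removed so the token cannot register an unexpected service type. `expires: "2050-01-01T00:00:00Z"` is effectively non-expiring; that is tolerable because the kubernetes join method binds it to `security:teleport-kube-agent`, but a comment such as `# long-lived: trust is anchored on the in-cluster SA, not on this token` should say so. `revision:` is a server-assigned field; re-applying this file with a stale value may be rejected or clobber a newer revision, so confirm and drop it if so.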
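Review bot: The ClusterRoleBinding named `pod-viewer` binds group `scientists` to ClusterRole `pod-shell`, not to `pod-viewer`, so the read-only role defined above is never used and the group gets `pods/exec` `create` and `pods` `delete` in every namespace under a name that suggests read-only access. Either set `name: pod-viewer` in `roleRef` or rename the binding to `pod-shell`, and prefer a namespaced `RoleBinding` if exec should not reach `kube-system` and the other system namespaces.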
@@ -22,3 +22,27 @@ spec: postBuild: substitute: APP: *app +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app teleport-kube-agent + namespace: flux-system +spec: + targetNamespace: security + commonMetadata: + labels: + app.kubernetes.io/name: *app + path: ./kubernetes/lianalabs/apps/security/teleport/agent + prune: true + sourceRef: + kind: GitRepository + name: k8s-gitops + wait: false + interval: 30m + retryInterval: 1m + timeout: 5m + postBuild: + substitute: + APP: *app diff --git a/kubernetes/lianalabs/apps/traefik-ingress/traefik/app/helmrelease.yaml b/kubernetes/lianalabs/apps/traefik-ingress/traefik/app/helmrelease.yaml index 2200b17..77bffbb 100644 --- a/kubernetes/lianalabs/apps/traefik-ingress/traefik/app/helmrelease.yaml +++ b/kubernetes/lianalabs/apps/traefik-ingress/traefik/app/helmrelease.yaml @@ -3,7 +3,7 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: - name: traefik + name: &app traefik spec: interval: 30m chart: 
@@ -31,19 +31,69 @@ spec: service: annotations: io.cilium/lb-ipam-ips: ${LB_TRAEFIK} - # spec: - #externalTrafficPolicy: Local + env: + - name: TZ + value: "${TIMEZONE}" ingressClass: enabled: true isDefaultClass: true + ingressRoute: + dashboard: + enabled: false + globalArguments: + - "--serversTransport.insecureSkipVerify=true" + - "--global.sendanonymoususage=false" + additionalArguments: + - "--entrypoints.web.transport.respondingTimeouts.readTimeout=0" + - "--entrypoints.websecure.transport.respondingTimeouts.readTimeout=0" + ports: + traefik: + expose: + default: false + web: + redirectTo: + port: websecure + websecure: + tls: + enabled: true + options: default + forwardedHeaders: + trustedIPs: + - 10.0.0.0/8 + - 172.16.0.0/12 + - 192.168.0.0/16 + proxyProtocol: + trustedIPs: + - 10.0.0.0/8 + - 172.16.0.0/12 + - 192.168.0.0/16 + http3: + enabled: true + metrics: + expose: + default: false metrics: serviceMonitor: enabled: true namespaceSelector: any: true + pilot: + enabled: false + providers: + kubernetesCRD: + enabled: true + ingressClass: traefik + allowCrossNamespace: true + allowExternalNameServices: true + kubernetesIngress: + enabled: true + ingressClass: traefik + allowExternalNameServices: true + publishedService: + enabled: true resources: requests: - memory: 128Mi cpu: 100m + memory: 512Mi limits: memory: 1536Mi diff --git a/kubernetes/lianalabs/apps/traefik-ingress/traefik/app/kustomization.yaml b/kubernetes/lianalabs/apps/traefik-ingress/traefik/app/kustomization.yaml index 3505ff0..1889392 100644 --- a/kubernetes/lianalabs/apps/traefik-ingress/traefik/app/kustomization.yaml +++ b/kubernetes/lianalabs/apps/traefik-ingress/traefik/app/kustomization.yaml @@ -5,4 +5,3 @@ kind: Kustomization resources: - helmrelease.yaml - - middleware.yaml diff --git a/kubernetes/lianalabs/apps/traefik-ingress/traefik/app/middleware.yaml b/kubernetes/lianalabs/apps/traefik-ingress/traefik/app/middleware.yaml deleted file mode 100644 index 3585b40..0000000 
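Review bot: `--serversTransport.insecureSkipVerify=true` in `globalArguments` disables certificate verification for every HTTPS backend Traefik proxies to, including the Teleport proxy this commit marks with `service.serversscheme: https`; anyone who can answer for a backend Service IP then terminates TLS unnoticed. Prefer a per-backend `ServersTransport` resource carrying the backend CA (`rootCAsSecrets`) or at least `serverName`, and leave the global default verifying. The same flag appears in the new `traefik-external` release later in this diff, where the exposure is larger.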
--- a/kubernetes/lianalabs/apps/traefik-ingress/traefik/app/middleware.yaml +++ /dev/null @@ -1,40 +0,0 @@ ---- -apiVersion: traefik.io/v1alpha1 -kind: Middleware -metadata: - name: ip-whitelist-admins -spec: - headers: - frameDeny: true - browserXssFilter: true - ipWhiteList: - sourceRange: - - 10.28.11.0/24 - - 10.28.12.0/24 - - 10.99.100.0/24 - - 10.200.0.0/24 - ipStrategy: - depth: 2 ---- -apiVersion: traefik.io/v1alpha1 -kind: Middleware -metadata: - name: secure -spec: - headers: - browserXssFilter: true - contentTypeNosniff: true - frameDeny: true - forceSTSHeader: true - stsIncludeSubdomains: true - stsPreload: true - stsSeconds: 31536000 - referrerPolicy: "strict-origin-when-cross-origin" - customFrameOptionsValue: "SAMEORIGIN" - customResponseHeaders: - X-Robots-Tag: "noindex,nofollow" - server: "" - X-Forwarded-Proto: "https" - x-powered-by: "Immanence without hope" - sslProxyHeaders: - X-Forwarded-Proto: https diff --git a/kubernetes/lianalabs/apps/traefik-ingress/traefik/external/helmrelease.yaml b/kubernetes/lianalabs/apps/traefik-ingress/traefik/external/helmrelease.yaml new file mode 100644 index 0000000..b63c3c2 --- /dev/null +++ b/kubernetes/lianalabs/apps/traefik-ingress/traefik/external/helmrelease.yaml 
@@ -0,0 +1,154 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: &app traefik-external +spec: + interval: 30m + chart: + spec: + chart: traefik + version: 33.0.0 + sourceRef: + kind: HelmRepository + name: traefik + namespace: flux-system + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + dependsOn: + - name: cert-manager + namespace: cert-manager + values: + deployment: + enabled: true + replicas: 1 + service: + enabled: true + type: LoadBalancer + annotations: + external-dns.alpha.kubernetes.io/hostname: "external.${SECRET_EXTERNAL_DOMAIN}" + lbipam.cilium.io/ips: "${LB_TRAEFIK_EXTERNAL}" + spec: + externalTrafficPolicy: Cluster + env: + - name: TZ + value: "${TIMEZONE}" + logs: + general: + level: INFO + access: + enabled: true + ingressClass: + enabled: true + isDefaultClass: false + name: traefik-external + ingressRoute: + dashboard: + enabled: false + globalArguments: + - "--serversTransport.insecureSkipVerify=true" + - "--global.sendanonymoususage=false" + additionalArguments: + - "--entrypoints.web.transport.respondingTimeouts.readTimeout=0" + - "--entrypoints.websecure.transport.respondingTimeouts.readTimeout=0" + ports: + traefik: + expose: + default: false + web: + redirectTo: + port: websecure + websecure: + tls: + enabled: true + options: default + forwardedHeaders: + trustedIPs: + - 10.0.0.0/8 + - 172.16.0.0/12 + - 192.168.0.0/16 + - 103.21.244.0/22 + - 103.22.200.0/22 + - 103.31.4.0/22 + - 104.16.0.0/13 + - 104.24.0.0/14 + - 108.162.192.0/18 + - 131.0.72.0/22 + - 141.101.64.0/18 + - 162.158.0.0/15 + - 172.64.0.0/13 + - 173.245.48.0/20 + - 188.114.96.0/20 + - 190.93.240.0/20 + - 197.234.240.0/22 + - 198.41.128.0/17 + - 2400:cb00::/32 + - 2606:4700::/32 + - 2803:f800::/32 + - 2405:b500::/32 + - 2405:8100::/32 + - 2a06:98c0::/29 + - 2c0f:f248::/32 + 
proxyProtocol: + trustedIPs: + - 10.0.0.0/8 + - 172.16.0.0/12 + - 192.168.0.0/16 + - 103.21.244.0/22 + - 103.22.200.0/22 + - 103.31.4.0/22 + - 104.16.0.0/13 + - 104.24.0.0/14 + - 108.162.192.0/18 + - 131.0.72.0/22 + - 141.101.64.0/18 + - 162.158.0.0/15 + - 172.64.0.0/13 + - 173.245.48.0/20 + - 188.114.96.0/20 + - 190.93.240.0/20 + - 197.234.240.0/22 + - 198.41.128.0/17 + - 2400:cb00::/32 + - 2606:4700::/32 + - 2803:f800::/32 + - 2405:b500::/32 + - 2405:8100::/32 + - 2a06:98c0::/29 + - 2c0f:f248::/32 + http3: + enabled: true + metrics: + expose: + default: false + metrics: + prometheus: + entryPoint: metrics + service: + enabled: true + pilot: + enabled: false + providers: + kubernetesCRD: + enabled: true + ingressClass: traefik-external + allowCrossNamespace: true + allowExternalNameServices: true + kubernetesIngress: + enabled: true + ingressClass: traefik-external + allowExternalNameServices: true + publishedService: + enabled: true + resources: + requests: + cpu: 100m + memory: 768Mi + limits: + memory: 768Mi diff --git a/kubernetes/lianalabs/apps/traefik-ingress/traefik/external/kustomization.yaml b/kubernetes/lianalabs/apps/traefik-ingress/traefik/external/kustomization.yaml new file mode 100644 index 0000000..1889392 --- /dev/null +++ b/kubernetes/lianalabs/apps/traefik-ingress/traefik/external/kustomization.yaml @@ -0,0 +1,7 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization + +resources: + - helmrelease.yaml diff --git a/kubernetes/lianalabs/apps/traefik-ingress/traefik/ks.yaml b/kubernetes/lianalabs/apps/traefik-ingress/traefik/ks.yaml index 8a9bb84..d731e8e 100644 --- a/kubernetes/lianalabs/apps/traefik-ingress/traefik/ks.yaml +++ b/kubernetes/lianalabs/apps/traefik-ingress/traefik/ks.yaml 
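Review bot: `allowExternalNameServices: true` and `allowCrossNamespace: true` on the internet-facing `traefik-external` provider let an IngressRoute in any namespace publish an arbitrary ExternalName (an arbitrary internal hostname) on the public entrypoint; set both to `false` here unless a named route needs them, and comment why. The Cloudflare ranges in `forwardedHeaders.trustedIPs` and `proxyProtocol.trustedIPs` suggest traffic is meant to arrive via Cloudflare, yet `external-dns.alpha.kubernetes.io/hostname` publishes the origin LB address in public DNS, which lets clients bypass that front door; also, unless Spectrum is in use, Cloudflare does not speak PROXY protocol, so those entries under `proxyProtocol` are likely dead — confirm. The list is duplicated verbatim and will drift from the published ranges; a single anchor (`&cloudflare_ips`) reused by both keys, with a comment recording the source and date, keeps them in step. Note too that this commit deletes the `secure` headers Middleware (HSTS, nosniff, frameDeny) and nothing in this release references a replacement for the public entrypoint.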
@@ -18,3 +18,23 @@ spec: interval: 30m retryInterval: 1m timeout: 5m +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app traefik-external + namespace: flux-system +spec: + targetNamespace: traefik-ingress + commonMetadata: + labels: + app.kubernetes.io/name: *app + path: ./kubernetes/lianalabs/apps/traefik-ingress/traefik/external + prune: true + sourceRef: + kind: GitRepository + name: k8s-gitops + wait: false + interval: 30m + retryInterval: 1m + timeout: 5m diff --git a/kubernetes/lianalabs/apps/volsync-system/kustomization.yaml b/kubernetes/lianalabs/apps/volsync-system/kustomization.yaml new file mode 100644 index 0000000..775f204 --- /dev/null +++ b/kubernetes/lianalabs/apps/volsync-system/kustomization.yaml @@ -0,0 +1,8 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./namespace.yaml + - ./snapshot-controller/ks.yaml + - ./volsync/ks.yaml diff --git a/kubernetes/lianalabs/apps/volsync-system/namespace.yaml b/kubernetes/lianalabs/apps/volsync-system/namespace.yaml new file mode 100644 index 0000000..05df292 --- /dev/null +++ b/kubernetes/lianalabs/apps/volsync-system/namespace.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: volsync-system + labels: + kustomize.toolkit.fluxcd.io/prune: disabled + volsync.backube/privileged-movers: "true" diff --git a/kubernetes/lianalabs/apps/volsync-system/snapshot-controller/app/helmrelease.yaml b/kubernetes/lianalabs/apps/volsync-system/snapshot-controller/app/helmrelease.yaml new file mode 100644 index 0000000..6ec363d --- /dev/null +++ b/kubernetes/lianalabs/apps/volsync-system/snapshot-controller/app/helmrelease.yaml 
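Review bot: `volsync.backube/privileged-movers: "true"` allows VolSync mover pods in this namespace to run with elevated privileges (root plus file-ownership capabilities), so a compromised mover job becomes a privileged pod in `volsync-system`. VolSync's documentation describes this switch as a namespace *annotation*, and here it sits under `labels:`, so it may be silently ignored — confirm, and move it to `annotations:` if that is the case. Since movers run in the namespace of the ReplicationSource/Destination, also check this is where replication objects will live, and add a comment such as `# required so movers can preserve file ownership on restore` so the privilege grant is deliberate.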
@@ -0,0 +1,33 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: snapshot-controller +spec: + interval: 30m + chart: + spec: + chart: snapshot-controller + version: 3.0.6 + sourceRef: + kind: HelmRepository + name: piraeus + namespace: flux-system + maxHistory: 2 + install: + crds: CreateReplace + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + crds: CreateReplace + remediation: + retries: 3 + uninstall: + keepHistory: false + values: + controller: + serviceMonitor: + create: true + webhook: + enabled: false diff --git a/kubernetes/lianalabs/apps/volsync-system/snapshot-controller/app/kustomization.yaml b/kubernetes/lianalabs/apps/volsync-system/snapshot-controller/app/kustomization.yaml new file mode 100644 index 0000000..17cbc72 --- /dev/null +++ b/kubernetes/lianalabs/apps/volsync-system/snapshot-controller/app/kustomization.yaml @@ -0,0 +1,6 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./helmrelease.yaml diff --git a/kubernetes/lianalabs/apps/volsync-system/snapshot-controller/ks.yaml b/kubernetes/lianalabs/apps/volsync-system/snapshot-controller/ks.yaml new file mode 100644 index 0000000..6d87452 --- /dev/null +++ b/kubernetes/lianalabs/apps/volsync-system/snapshot-controller/ks.yaml 
@@ -0,0 +1,24 @@ +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app snapshot-controller + namespace: flux-system +spec: + targetNamespace: volsync-system + commonMetadata: + labels: + app.kubernetes.io/name: *app + path: ./kubernetes/lianalabs/apps/volsync-system/snapshot-controller/app + prune: true + sourceRef: + kind: GitRepository + name: k8s-gitops + wait: false + interval: 30m + retryInterval: 1m + timeout: 5m + postBuild: + substitute: + APP: *app diff --git a/kubernetes/lianalabs/apps/volsync-system/volsync/app/helmrelease.yaml b/kubernetes/lianalabs/apps/volsync-system/volsync/app/helmrelease.yaml new file mode 100644 index 0000000..002b6d0 --- /dev/null +++ b/kubernetes/lianalabs/apps/volsync-system/volsync/app/helmrelease.yaml @@ -0,0 +1,31 @@ +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: &app volsync +spec: + interval: 30m + chart: + spec: + chart: volsync + version: 0.11.0 + sourceRef: + kind: HelmRepository + name: backube + namespace: flux-system + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + uninstall: + keepHistory: false + dependsOn: + - name: snapshot-controller + namespace: volsync-system + values: + manageCRDs: true + metrics: + disableAuth: true diff --git a/kubernetes/lianalabs/apps/volsync-system/volsync/ks.yaml b/kubernetes/lianalabs/apps/volsync-system/volsync/ks.yaml new file mode 100644 index 0000000..10f2243 --- /dev/null +++ b/kubernetes/lianalabs/apps/volsync-system/volsync/ks.yaml 
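Review bot: `metrics.disableAuth: true` removes the kube-rbac-proxy in front of the VolSync metrics endpoint, so anything that can reach the controller Service scrapes it unauthenticated. That is a common trade-off for in-cluster Prometheus, but it deserves a comment (`# metrics scraped unauthenticated by in-cluster Prometheus`) and either a NetworkPolicy limiting ingress to the monitoring namespace or keeping auth and giving the ServiceMonitor a bearer token.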
@@ -0,0 +1,24 @@ +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app volsync + namespace: flux-system +spec: + targetNamespace: volsync-system + commonMetadata: + labels: + app.kubernetes.io/name: *app + path: ./kubernetes/lianalabs/apps/volsync-system/volsync/app + prune: true + sourceRef: + kind: GitRepository + name: k8s-gitops + wait: false + interval: 30m + retryInterval: 1m + timeout: 5m + postBuild: + substitute: + APP: *app diff --git a/kubernetes/lianalabs/bootstrap/flux/github-deploy-key.sops.yaml b/kubernetes/lianalabs/bootstrap/flux/github-deploy-key.sops.yaml index 9ca1f86..ac01a31 100644 --- a/kubernetes/lianalabs/bootstrap/flux/github-deploy-key.sops.yaml +++ b/kubernetes/lianalabs/bootstrap/flux/github-deploy-key.sops.yaml 
@@ -4,9 +4,9 @@ metadata:
 name: github-deploy-key
 namespace: flux-system
 stringData:
- identity.pub: ENC[AES256_GCM,data:L+VB1W87aXNj+tB2gZgWUrOmZrNaECd0YY63aKDpyeqrOcpbj+vuiWM2LaWl+8OBvBXXq5T/kV4FP2Nc0Gbgtx12DzjXgS+hL2Wpv6XpQMd9m0cMTGeoubDMKGOp/6gaMCuKURtcTs5T4W/nsZWlpsqnyT/La7qOyP8UWw==,iv:95YWwzRwbONDxXfhnHhd4bEu1YFegbslj+Ft2Ty26Q4=,tag:YL8fW4Kbj+YwS1qvv/sLhw==,type:str]
- identity: ENC[AES256_GCM,data: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,iv:+MWVLc7Au9F0LR/LLY4Zjs62MHGloCjS+JJqwHMMrss=,tag:e85DsZ/l3o9cQygHuPt/xA==,type:str]
- known_hosts: ENC[AES256_GCM,data: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,iv:vjHJwGE++1nVZeuxIIdfhJnvnDvW23rQxyYXN2n93ow=,tag:STgVMNt/7lbhSzCM8wpTxQ==,type:str]
+ identity.pub: ENC[AES256_GCM,data:yiIYKWt5dptZgU3Z/GDTpYtBdbnIR7+Hopq9SxZQrjhYzA0XA3fbAIZDPyoQd05cT41N6nLF7x9VVjt5ZLUffjJxFNCcS3s8Dx6bnhdOEfMm3K5XxL/MmgnfFWlhMw3i/CwfKRgZVNU4LQhKukIerSxYnkTD1CSzKKBIng==,iv:PVHOm+1Bs+rjC25Msa61wtJwqHiufcuqCYpD3ii4Jb8=,tag:8Z1PzF0aiX28Y6cyrnUp2A==,type:str]
+ identity: ENC[AES256_GCM,data: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,iv:2Fn5QxJiMejMvWSmj0rn8qfICVlVPjaU+CmGBq/P8hg=,tag:jSqxhS5QL5pnl2AD4N8DfQ==,type:str]
+ known_hosts: ENC[AES256_GCM,data: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,iv:p6Kw42PTuwPdqTNNDJmMn8ZThNAaa3Ir6RU6FhfqOpM=,tag:gfYa8he/yHH+yNom3JDrRA==,type:str]
 sops:
 kms: []
 gcp_kms: []
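Review bot: All three `stringData` entries are re-encrypted, but the hunk does not show whether the deploy key itself (`identity`/`identity.pub`) was rotated or only re-encrypted, and the age recipient in the `sops` block is unchanged. If a new key pair was generated, the previous public key should be removed from the repository's deploy keys in the same change and the new one registered read-only, otherwise the old key stays valid indefinitely. A one-line commit-message or comment such as `# deploy key rotated <DATE>; previous key revoked on GitHub` would let a reviewer confirm this without decrypting the file.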
@@ -16,14 +16,14 @@ sops:
 - recipient: age19nu7uf8dageqlmzk23x7vl24fpn0l7cq20l3l4xxf2sk2xd5h98qss437p
 enc: |
 -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxSGk1dXI3TWRDbVV3dHJ1
- bmdHZU81b0RWdkM3R1RKWEhvUlNvLzYrekI4CnZ6QmtCd0ozTU0vMjhFdFlKSG1H
- R1YrM2VYTXlNLzQyc0t2bmhPZDVqaHMKLS0tIE5BYjNzbEcyeDVvcS9tTFpWNytI
- OStsSTZLVC82d1psZ2RHMWsxU2cxZ2sKGA5mJrbyx0vP9hQN87ISPYGHW7/xYg/R
- FBbioxztSkPM7iAZvzjvRJxuLlDk0+N/LYrv3b/zvIW9s1vwzmRSnQ==
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBML1NZMHVtVnJ3Y3FUYzlI
+ ZEI4bzBlZXVKMUZLNDY3WG10SERaZjF4RVNRCm52bG1DU1JqVjFvTzJYL1IzNGg4
+ aVArck53VGFRRHQ5MWlqM0RzOWpoNWsKLS0tIDhHQXI5VTkrL0tXbnFZbkhNQzlq
+ QjBKVkVWNVpaUmJGRzFMUUZJU1RocUkKHs5P3OCaweX+0dODyFKIM6sgg2NflZbX
+ +wmZCGq/sRIHV5IOg5uuTDas6uI2Xr5R6KKsrA8uQPhX4RZ2Et3fYQ==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-11-09T05:32:58Z"
- mac: ENC[AES256_GCM,data:2jr7x6Uno0GBFvyN+4C/eGcBWgFI6MuSqSmpURF68ur0V/SledKckojQIfw6ySutJw3evmfTkUpcxDYoLxFK2oJT/RfIo+NTG7EkJrbCDNtu9Vg/nH1oMqWr533G6COV+tD3fE6cF51sC8jf09/4WVzMbzjX88UMyxC04aG5fVE=,iv:GLmcVLCWQko1C4i9yz7rZjOsjBEca+CeUone3HQYQzU=,tag:zWPeKe/hO+/W3AveO5fnbw==,type:str]
+ lastmodified: "2024-11-13T20:41:38Z"
+ mac: ENC[AES256_GCM,data:5p/IOfoOccfbT9YjxvAOYM9WnPV0SFE5/B498w2sFfyiyJI1jd6t5UXw5jzobx3LvgGwy88U+GYpL3rXB/IUcJDvkIyedUvb/agLUUqWvP7dL/vZQg/TlmJLnVYZVOmdRqT4Ipnn9Z0np9qxmiHiESDJgDOBGuD41+dR1UIJMSI=,iv:JA/2iC2/fjxRAN6BA90OmAmAv873lwvZAxgyJznfeq4=,tag:7O64pDSIM2g04kaSc98Trw==,type:str]
 pgp: []
 encrypted_regex: ^(data|stringData)$
 version: 3.9.1
diff --git a/kubernetes/lianalabs/flux/repositories/helm/backube.yaml b/kubernetes/lianalabs/flux/repositories/helm/backube.yaml
new file mode 100644
index 0000000..4ba0742
--- /dev/null
+++ b/kubernetes/lianalabs/flux/repositories/helm/backube.yaml
@@ -0,0 +1,10 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: backube
+ namespace: flux-system
+spec:
+ interval: 2h
+ url: https://backube.github.io/helm-charts/
diff --git a/kubernetes/lianalabs/flux/repositories/helm/kustomization.yaml b/kubernetes/lianalabs/flux/repositories/helm/kustomization.yaml
index 9eb791b..0e44773 100644
--- a/kubernetes/lianalabs/flux/repositories/helm/kustomization.yaml
+++ b/kubernetes/lianalabs/flux/repositories/helm/kustomization.yaml
@@ -3,6 +3,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+ - ./backube.yaml
 - ./bitnami.yaml
 - ./bjw-s.yaml
 - ./cilium.yaml
@@ -10,10 +11,12 @@ resources:
 - ./coredns.yaml
 - ./grafana.yaml
 - ./jetstack.yaml
+ - ./piped.yaml
 - ./k8tz.yaml
 - ./metrics-server.yaml
 - ./node-feature-discovery.yaml
 - ./openebs.yaml
+ - ./piraeus.yaml
 - ./postfinance.yaml
 - ./prometheus-community.yaml
 - ./spegel.yaml
diff --git a/kubernetes/lianalabs/flux/repositories/helm/piped.yaml b/kubernetes/lianalabs/flux/repositories/helm/piped.yaml
new file mode 100644
index 0000000..355c832
--- /dev/null
+++ b/kubernetes/lianalabs/flux/repositories/helm/piped.yaml
@@ -0,0 +1,10 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: piped
+ namespace: flux-system
+spec:
+ interval: 1h
+ url: https://helm.piped.video
diff --git a/kubernetes/lianalabs/flux/repositories/helm/piraeus.yaml b/kubernetes/lianalabs/flux/repositories/helm/piraeus.yaml
new file mode 100644
index 0000000..84f361a
--- /dev/null
+++ b/kubernetes/lianalabs/flux/repositories/helm/piraeus.yaml
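Review bot: `- ./piped.yaml` is inserted between `./jetstack.yaml` and `./k8tz.yaml`, breaking the alphabetical order the rest of the `resources` list keeps and that the `./backube.yaml` and `./piraeus.yaml` entries in this same commit respect. Move it to sit after `- ./openebs.yaml` and directly above `- ./piraeus.yaml`. Ordering does not change what Kustomize builds, so this is style only.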
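Review bot: `interval: 1h` for the `piped` HelmRepository differs from the `2h` used by the `backube` and `piraeus` repositories added in the same commit; unless this index is expected to change more often, `interval: 2h` keeps the three consistent and halves the index fetches. The `url` also omits the trailing slash the other two carry, which should be harmless but is worth aligning for uniformity.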
@@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+ name: piraeus
+ namespace: flux-system
+spec:
+ interval: 2h
+ url: https://piraeus.io/helm-charts/
diff --git a/kubernetes/lianalabs/flux/vars/cluster-settings.yaml b/kubernetes/lianalabs/flux/vars/cluster-settings.yaml
index e5ee918..4bd012e 100644
--- a/kubernetes/lianalabs/flux/vars/cluster-settings.yaml
+++ b/kubernetes/lianalabs/flux/vars/cluster-settings.yaml
@@ -20,4 +20,5 @@ data:
 NFS_PATH: /mnt/r720xd-nvme/r720xd-nfs
 LB_TRAEFIK: 10.28.12.100
- LB_POSTGRES: 10.28.12.101
+ LB_TRAEFIK_EXTERNAL: 10.28.12.101
+ LB_POSTGRES: 10.28.12.102
diff --git a/scripts/kubeconform.sh b/scripts/kubeconform.sh
index a651496..033b515 100644
--- a/scripts/kubeconform.sh
+++ b/scripts/kubeconform.sh
@@ -1,4 +1,5 @@
 #!/usr/bin/bash
+
 set -o errexit
 set -o pipefail
diff --git a/scripts/wip.sh b/scripts/wip.sh
index 3cb85ca..38f15de 100755
--- a/scripts/wip.sh
+++ b/scripts/wip.sh
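Review bot: This HelmRepository lacks the `# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json` header that `backube.yaml` and `piped.yaml` in the same commit carry, so editors will not validate it against the schema. Add that line directly after `---` to match the sibling files.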
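Review bot: `LB_POSTGRES` moves from `10.28.12.101` to `10.28.12.102` while `10.28.12.101` is handed to the new `LB_TRAEFIK_EXTERNAL`, so any client, DNS record or firewall rule still pointed at the old database address will be answered by an externally facing ingress rather than Postgres once the services reconcile. Keeping the database on its existing address and giving the new ingress the new one avoids the swap entirely: `LB_TRAEFIK_EXTERNAL: 10.28.12.102` and `LB_POSTGRES: 10.28.12.101`. If the reassignment is deliberate, a comment above the keys noting that Postgres consumers and any upstream allow-lists must be updated in the same change would help reviewers; I cannot see from this hunk which services consume these values.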
@@ -1,10 +1,40 @@
-#!/usr/bin/bash
+#!/bin/bash
+# Improved version of brettinternet's wip.sh
+# https://github.com/brettinternet/homeops/blob/main/scripts/wip.sh
+#
+# Usage:
+# create WIP commit
+# push to current branch
+# reconcile the cluster with flux
+# remove previous WIP commit
+#
+# Options:
+# -c, --cluster Specify the cluster to reconcile (default: lianalabs)
+# -h, --help Show this help message
 # Usage: create WIP commit
 # push to current branch
 # reconcile the cluster with flux
 # remove previous WIP commit
+CLUSTER="lianalabs"
+
+function show_help {
+ echo "Usage: $0 [options]"
+ echo ""
+ echo "Options:"
+ echo " -c, --cluster Specify the cluster to reconcile (default: lianalabs)"
+ echo " -h, --help Show this help message"
+ exit 0
+}
+
+# Ensure secrets can be encrypted before we push
+function check_go_task {
+ if ! command -v task &> /dev/null; then
+ echo "Error: go-task is not installed. Please install it before running this script."
+ exit 1
+ fi
+}
 echo -n "Checking variables..."
 if [ ! -d "$ROOT_DIR" ]; then
@@ -43,6 +73,22 @@ function gpcf {
 git push --force-with-lease origin "$(git_current_branch)"
 }
+while [[ "$#" -gt 0 ]]; do
+ case $1 in
+ -c|--cluster)
+ CLUSTER="$2"
+ shift 2
+ ;;
+ -h|--help)
+ show_help
+ ;;
+ *)
+ echo "Unknown parameter passed: $1"
+ exit 1
+ ;;
+ esac
+done
+
 echo "Encrypting secrets"
 echo ""
 task sops:encrypt-all
@@ -51,7 +97,7 @@ gwip
 gpcf
 echo "Reconciling flux"
 echo ""
-task flux:reconcile cluster=lianalabs
+task flux:reconcile cluster=$CLUSTER
 echo ""
 echo "Git Log:"
 gunwip
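Review bot: The old four-line block `# Usage: create WIP commit` … `# remove previous WIP commit` is kept below the new header and now duplicates the `# Usage:` section added just above it; drop the old block. `check_go_task` is defined here but no hunk in this commit calls it, so either invoke it before the push (for example immediately before `echo -n "Checking variables..."`, so a missing `task` binary is reported before anything is committed) or remove the function; the rest of the script is outside the hunks, so a call may exist there. The shebang also changes to `#!/bin/bash` while `scripts/kubeconform.sh` in the same commit keeps `#!/usr/bin/bash`, which is worth aligning one way or the other.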
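Review bot: In the `-c|--cluster` branch a trailing `-c` with no value leaves `CLUSTER` empty, and `shift 2` then fails without consuming anything because bash refuses to shift past `$#`, so the `while` loop never terminates unless the script runs under `set -o errexit` (not visible in this hunk). Guard the value before assigning it: `[[ -n "${2:-}" ]] || { echo "Error: --cluster requires a value" >&2; exit 1; }` ahead of `CLUSTER="$2"`. The parsing loop also sits after the variable checks near the top of the file, so `--help` is only reachable once `ROOT_DIR` and friends validate; moving the loop above `echo -n "Checking variables..."` would fix that, though the lines between the hunks are outside my view.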
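Review bot: `cluster=$CLUSTER` is unquoted, so a value containing whitespace is split into separate arguments to `task`; write `task flux:reconcile cluster="$CLUSTER"`. Since the value comes straight from the command line, checking it against the known cluster directories before reconciling would also catch typos early instead of letting `task` fail mid-run after the WIP commit has already been pushed.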