--wip-- [skipci]

Liana64 · Dec 10, 2024 · 7c8bb89 · 7c8bb89
1 parent 9b90a9c
commit 7c8bb89
Show file tree

Hide file tree

Showing 19 changed files with 333 additions and 63 deletions.
diff --git a/kubernetes/main/apps/bitwarden/bitwarden/app/helmrelease.yaml b/kubernetes/main/apps/bitwarden/bitwarden/app/helmrelease.yaml
@@ -0,0 +1,205 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: bitwarden
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: self-host
+      version: 2024.11.0
+      sourceRef:
+        kind: HelmRepository
+        name: bitwarden
+        namespace: flux-system
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      retries: 3
+  values:
+    sharedStorageClassName: "cluster-nvme"
+    general:
+      admins: "${SECRET_ADMIN_EMAIL}"
+      disableUserRegistration: "false"
+      cloudRegion: US
+      enableCloudCommunication: true
+      sharedStorageClassName: "cluster-nvme"
+      volumeAccessMode: "ReadWriteOnce"
+      domain: "bitwarden.${SECRET_EXTERNAL_DOMAIN}"
+      ingress:
+        enabled: true
+        className: traefik
+        annotations:
+          gethomepage.dev/enabled: "true"
+          gethomepage.dev/group: Home
+          gethomepage.dev/name: Bitwarden
+          gethomepage.dev/description: Password management
+          gethomepage.dev/icon: bitwarden
+        tls:
+          name: bitwarden-tls
+          clusterIssuer: letsencrypt-production
+        paths:
+          web:
+            path: /
+            pathType: ImplementationSpecific
+          attachments:
+            path: /attachments/
+            pathType: ImplementationSpecific
+          api:
+            path: /api/
+            pathType: ImplementationSpecific
+          icons:
+            path: /icons/
+            pathType: ImplementationSpecific
+          notifications:
+            path: /notifications/
+            pathType: ImplementationSpecific
+          events:
+            path: /events/
+            pathType: ImplementationSpecific
+          scim:
+            path: /scim/
+            pathType: ImplementationSpecific
+          sso:
+            path: /sso/
+            pathType: ImplementationSpecific
+          identity:
+            path: /identity/
+            pathType: ImplementationSpecific
+          admin:
+            path: /admin/
+            pathType: ImplementationSpecific
+      email:
+        smtpSsl: "false"
+        smtpPort: "465"
+        smtpHost: "${SECRET_SMTP_HOST}"
+        replyToEmail: "${SECRET_SMTP_FROM}"
+    secrets:
+      secretName: bitwarden-secret
+    database:
+      enabled: false
+      #volume:
+      #  backups:
+      #    storageClass: "cluster-nvme"
+      #  data:
+      #    storageClass: "cluster-nvme"
+      #  log:
+      #    storageClass: "cluster-nvme"
+    volume:
+      dataprotection:
+        storageClass: "cluster-nvme"
+      attachments:
+        storageClass: "cluster-nvme"
+      licenses:
+        storageClass: "cluster-nvme"
+      logs:
+        enabled: true
+        storageClass: "cluster-nvme"
+    #    rawManifests:
+    #      preInstall: []
+    #      postInstall:
+    #        - apiVersion: traefik.io/v1alpha1
+    #          kind: Middleware
+    #          metadata:
+    #            name: "bitwarden-self-host-middleware-stripprefix"
+    #          spec:
+    #            stripPrefix:
+    #              prefixes:
+    #                - /api
+    #                - /attachements
+    #                - /icons
+    #                - /notifications
+    #                - /events
+    #                - /scim
+    #                ##### NOTE:  Admin, Identity, and SSO will not function correctly with path strip middleware
+    #        - apiVersion: traefik.io/v1alpha1
+    #          kind: IngressRoute
+    #          metadata:
+    #            name: "bitwarden-self-host-ingress"
+    #          spec:
+    #            entryPoints:
+    #              - websecure
+    #            routes:
+    #              - kind: Rule
+    #                match: Host(`bitwarden.${SECRET_EXTERNAL_DOMAIN}`) && PathPrefix(`/`)
+    #                services:
+    #                  - kind: Service
+    #                    name: bitwarden-self-host-web
+    #                    passHostHeader: true
+    #                    port: 5000
+    #              - kind: Rule
+    #                match: Host(`bitwarden.${SECRET_EXTERNAL_DOMAIN}`) && PathPrefix(`/api/`)
+    #                services:
+    #                  - kind: Service
+    #                    name: bitwarden-self-host-api
+    #                    port: 5000
+    #                middlewares:
+    #                  - name: "bitwarden-self-host-middleware-stripprefix"
+    #              - kind: Rule
+    #                match: Host(`bitwarden.${SECRET_EXTERNAL_DOMAIN}`) && PathPrefix(`/attachments/`)
+    #                services:
+    #                  - kind: Service
+    #                    name: bitwarden-self-host-api
+    #                    port: 5000
+    #                middlewares:
+    #                  - name: "bitwarden-self-host-middleware-stripprefix"
+    #              - kind: Rule
+    #                match: Host(`bitwarden.${SECRET_EXTERNAL_DOMAIN}`) && PathPrefix(`/icons/`)
+    #                services:
+    #                  - kind: Service
+    #                    name: bitwarden-self-host-icons
+    #                    port: 5000
+    #                middlewares:
+    #                  - name: "bitwarden-self-host-middleware-stripprefix"
+    #              - kind: Rule
+    #                match: Host(`bitwarden.${SECRET_EXTERNAL_DOMAIN}`) && PathPrefix(`/notifications/`)
+    #                services:
+    #                  - kind: Service
+    #                    name: bitwarden-self-host-notifications
+    #                    port: 5000
+    #                middlewares:
+    #                  - name: "bitwarden-self-host-middleware-stripprefix"
+    #              - kind: Rule
+    #                match: Host(`bitwarden.${SECRET_EXTERNAL_DOMAIN}`) && PathPrefix(`/events/`)
+    #                services:
+    #                  - kind: Service
+    #                    name: bitwarden-self-host-events
+    #                    port: 5000
+    #                middlewares:
+    #                  - name: "bitwarden-self-host-middleware-stripprefix"
+    #              - kind: Rule
+    #                match: Host(`bitwarden.${SECRET_EXTERNAL_DOMAIN}`) && PathPrefix(`/scim/`)
+    #                services:
+    #                  - kind: Service
+    #                    name: bitwarden-self-host-scim
+    #                    port: 5000
+    #                middlewares:
+    #                  - name: "bitwarden-self-host-middleware-stripprefix"
+    #              ##### NOTE:  SSO will not function correctly with path strip middleware
+    #              - kind: Rule
+    #                match: Host(`bitwarden.${SECRET_EXTERNAL_DOMAIN}`) && PathPrefix(`/sso/`)
+    #                services:
+    #                  - kind: Service
+    #                    name: bitwarden-self-host-sso
+    #                    port: 5000
+    #              ##### NOTE:  Identity will not function correctly with path strip middleware
+    #              - kind: Rule
+    #                match: Host(`bitwarden.${SECRET_EXTERNAL_DOMAIN}`) && PathPrefix(`/identity/`)
+    #                services:
+    #                  - kind: Service
+    #                    name: bitwarden-self-host-identity
+    #                    port: 5000
+    #              ##### NOTE:  Admin will not function correctly with path strip middleware
+    #              - kind: Rule
+    #                match: Host(`bitwarden.${SECRET_EXTERNAL_DOMAIN}`) && PathPrefix(`/admin`)
+    #                services:
+    #                  - kind: Service
+    #                    name: bitwarden-self-host-admin
+    #                    port: 5000
+    #            tls:
+    #              certResolver: letsencrypt-production
diff --git a/kubernetes/main/apps/bitwarden/bitwarden/app/kustomization.yaml b/kubernetes/main/apps/bitwarden/bitwarden/app/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./secret.sops.yaml
+  - ./helmrelease.yaml
diff --git a/kubernetes/main/apps/bitwarden/bitwarden/app/secret.sops.yaml b/kubernetes/main/apps/bitwarden/bitwarden/app/secret.sops.yaml
@@ -0,0 +1,34 @@
+# yamllint disable
+kind: Secret
+apiVersion: v1
+type: Opaque
+metadata:
+  name: bitwarden-secret
+stringData:
+  replyToEmail: ENC[AES256_GCM,data:7NR/XlAqsO4PtCNKQ890Njv6Qh2Jp6W/t0Lc8px7,iv:VznXZaMbwLda8LkrJDTc2UKurHRWqGTJ1T0/1C3VMus=,tag:Z+Wkfb7DqcaPam7AFrvWUw==,type:str]
+  globalSettings__installation__id: ENC[AES256_GCM,data:U091rHP2N4UjYgSdGrkDvSBZHQu9w8s75xWPCp6gfZ0773gW,iv:PZ2hBlqta/sclVQUtO6LYD/ZhL6e+Q+yDESxrt6CYjQ=,tag:1A/9gKzuflMqOktyoZ5adQ==,type:str]
+  globalSettings__installation__key: ENC[AES256_GCM,data:/pWJt9ElR+mgiv5m8I0Gdb5Z6H8=,iv:31bd6uhc45WMi41iACel8/YOjDjVTDxoR3Ok19+U43A=,tag:xtI3eCRActaFajUqVdxemw==,type:str]
+  globalSettings__mail__smtp__username: ENC[AES256_GCM,data:wGph7iTpKhvYXjsFKnPIFevGsJvgovvfNnIJPjFf,iv:o7l19Onw6PHMmk19e++zTArLmZrwSIAXgDpuwaDhjuo=,tag:ojY3lQFiP3G3oYeVQXri7A==,type:str]
+  globalSettings__mail__smtp__password: ENC[AES256_GCM,data:OQ3mROVpRAZ2MNFZtvRV0N74EPOaSdSvmaOJas1JCgEbHHNq0laLg5r2ufTYz9vA0aM=,iv:vB9ElILgqKyvY6wgQ8Nesg2pygGK9mcjIhEYGsHVWEQ=,tag:l84bsTR3twb3Al19FKezqA==,type:str]
+  globalSettings__sqlServer__connectionString: ENC[AES256_GCM,data:mJxp4MXvqV4T+/J7O0XX6+Z4kmo4IVFYvUPEBU0uaJ3w0YNcqPps+LH9pgFNOjwBWCAQ8QxvCH9ul2uSiYGhy41YjLsQD4X/UF1Hhimezc3IrexCDFkXXl4WIACAZjpQf6morvx9+/v0EvdxofP7auWQ2BGcid4lHYxO78gEAvPaueS+L0TerqEpEnxS26r2uMLOe2w5L0hxBKGQyWmWPx8mTAJXTgTaXAvKLT2G97JNa9a5EQSAPuBoi95F+CkQBEwbo6uwrcJS6DTWQmNefEdZ1D7Abp50zlpJfC7Tuf54tjnHyGya9EWEwc32mTadqCto047ySvDNNB2jgrG97HXvnqOo4LGpZn9jYGJsJZjVFibiy2+WHzgxDmU=,iv:Nq4LIbSDzk9WurGEPojUfRe8WqEOGO4t7WnfyYoupVo=,tag:yV7w9j9gRKuAsgsnxncUtA==,type:str]
+  #ENC[AES256_GCM,data:r7/63ugBvNNcFQGkau56LkG5lNH0NwvuA0OiRj0FOjAWlbf6sR7v5JOgIy97uMC+mBWy8A+OGZFO8p4bosrdrmzuomArHNnM4oWN498=,iv:2TaG5UkIEjLwPQpEZjOJdEviNNnSVi/e1lUUckJ+KqM=,tag:BPd/IOSUJvS1/mgPqqSlyQ==,type:comment]
+sops:
+  kms: []
+  gcp_kms: []
+  azure_kv: []
+  hc_vault: []
+  age:
+    - recipient: age19nu7uf8dageqlmzk23x7vl24fpn0l7cq20l3l4xxf2sk2xd5h98qss437p
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFRGFTc01qRmdlMzZ0WE53
+        OWtoUzBaMUp4T3FoYnJuVGhGODVna1RHYkRZCk0xWEVjOWp2YW9NZmE0MnNFYnJX
+        OEdHbkdsOWM4Tk44aTRVZ0VoNWorWDAKLS0tIHp2SE9Wd1lmTmV2eUFYRmRYNDZn
+        NFR5QkpIaFQ5Tk1FdGV3aUtzNTZsRXcKyNl9cFicgjcTiGkoQK/StLd7FEHGUVWD
+        hs8+h4ak+r++3+KpUay4aNqY09RtAzvUd4Vl3VQ2tYt/TOlDrgErHQ==
+        -----END AGE ENCRYPTED FILE-----
+  lastmodified: "2024-11-29T17:22:46Z"
+  mac: ENC[AES256_GCM,data:+KthNzUdXl/XgnupjWiEdk8EHvHldUvUwfWT7FNpR+Pysl/fdI1fAK02rXOlY0ABCKpejSIobHipy3RkxTXiF6PPGTC4R0aoqxRvZjyXDCUaHc3F4KdYBH4vkGoBchosHJnOX0qymSEGbzJERRSjxEZ3JDg0JRIEB8jQtObGivs=,iv:w7XSWHs1RaDAuxsImvxDHo96T6qwaaYlXGZUP2nfqLg=,tag:QNSjFrABn8tf8nQlu5MXkw==,type:str]
+  pgp: []
+  encrypted_regex: ^(data|stringData)$
+  version: 3.9.1
diff --git a/kubernetes/main/apps/bitwarden/bitwarden/ks.yaml b/kubernetes/main/apps/bitwarden/bitwarden/ks.yaml
@@ -0,0 +1,20 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app bitwarden
+  namespace: flux-system
+spec:
+  targetNamespace: bitwarden
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  path: ./kubernetes/main/apps/bitwarden/bitwarden/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: k8s-gitops
+  wait: true
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m
diff --git a/kubernetes/main/apps/bitwarden/kustomization.yaml b/kubernetes/main/apps/bitwarden/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./namespace.yaml
+  #- ./bitwarden/ks.yaml
diff --git a/kubernetes/main/apps/bitwarden/namespace.yaml b/kubernetes/main/apps/bitwarden/namespace.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: bitwarden
+  labels:
+    kustomize.toolkit.fluxcd.io/prune: disabled
diff --git a/kubernetes/main/apps/downloads/bazarr/app/helmrelease.yaml b/kubernetes/main/apps/downloads/bazarr/app/helmrelease.yaml
@@ -30,7 +30,7 @@ spec:
             fsGroup: 2000
             fsGroupChangePolicy: "OnRootMismatch"
             supplementalGroups:
-              - 65542 # gladius:external-services
+              - 3005
 
         containers:
           app:

diff --git a/kubernetes/main/apps/downloads/kustomization.yaml b/kubernetes/main/apps/downloads/kustomization.yaml
@@ -4,11 +4,11 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - ./namespace.yaml
-  - ./archivebox/ks.yaml
+  #- ./archivebox/ks.yaml
   - ./bazarr/ks.yaml
   - ./flaresolverr/ks.yaml
   - ./prowlarr/ks.yaml
   - ./radarr/ks.yaml
   - ./recyclarr/ks.yaml
   - ./sonarr/ks.yaml
-  - ./qbittorrent/ks.yaml
+  #- ./qbittorrent/ks.yaml
diff --git a/kubernetes/main/apps/downloads/prowlarr/app/helmrelease.yaml b/kubernetes/main/apps/downloads/prowlarr/app/helmrelease.yaml
@@ -22,10 +22,10 @@ spec:
           reloader.stakater.com/auto: "true"
         pod:
           securityContext:
-            runAsUser: 2000
-            runAsGroup: 2000
+            runAsUser: 600
+            runAsGroup: 3005
             runAsNonRoot: true
-            fsGroup: 2000
+            fsGroup: 3005
             fsGroupChangePolicy: OnRootMismatch
         containers:
           app:

diff --git a/kubernetes/main/apps/downloads/prowlarr/app/secret.sops.yaml b/kubernetes/main/apps/downloads/prowlarr/app/secret.sops.yaml
@@ -5,7 +5,7 @@ type: Opaque
 metadata:
   name: prowlarr-secret
 stringData:
-  API_KEY: ENC[AES256_GCM,data:5wzcM0WIHaUAWdo2oD2o0VA1xmW254yGIPbBs4IOvUdeLqMgvrQeELs7oFS9OSLP,iv:BdGNl7zWRm06Fi6oadjCcxwjWBr8egl6GerLx7JWq4g=,tag:leaytQdTWoRb7OJ8oMHM+w==,type:str]
+  API_KEY: ENC[AES256_GCM,data:3uj8j4U/UE3sF24NhaogvUOz1gFkjVZeX0d4IQQihEs=,iv:qklcOdRll6clgcVccLE7L4el31aOl1qToZPRkeWMpgU=,tag:LIrB555zX/EY7KXsDOJyow==,type:str]
 sops:
   kms: []
   gcp_kms: []
@@ -15,14 +15,14 @@ sops:
     - recipient: age19nu7uf8dageqlmzk23x7vl24fpn0l7cq20l3l4xxf2sk2xd5h98qss437p
       enc: |
         -----BEGIN AGE ENCRYPTED FILE-----
-        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2UGpkMUN3ZzNtVjJlcUJV
-        QU0wd05Xci9ydEZGbW1zMHBsNHV1ZUloZUdFCjVDMHdnMVF1bTZMYUc2Y0ZSUDFm
-        T2pqT0k4QUJIY3ZsZVVtcy9DNmYzSmMKLS0tIHIyanNSZmtkVkNrejhTaERaakJr
-        c1VKTWZJVUNPOFZUNjJ0eFpIMEYvNDQKtOOLotFwvPsq+dDgkIYzwNblHSoEYEi/
-        SSAzf32ufxFQRAEzIkIIwc7GKpcKkhF+8CoG+c/JE9VUeJ0+tty1Pg==
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2QlVhWXJnVEUyN0hTbFVO
+        eVJCWk9aYzIrcC9LcUNNOHVyRDZWTjdVVmdZCnBqWlJoZUZLdGZTdXg1emlTeWFM
+        UHdVWE50S3VPTklxOHRHZjlXUTlORTQKLS0tIHlMeW9VWnBFeTIyM3I4QnlsbFdQ
+        M3hXVklGUWhVSEdkbWdWOUJiS1RpQ0UKI/HPah2WCDhQZbD4bhGTLbWHfDdtdTPC
+        qfRVxSNBF/g7zPGWIRI0ujA/lh87OGjb4vM6dn5kFltR/plLz2g/jw==
         -----END AGE ENCRYPTED FILE-----
-  lastmodified: "2024-12-09T21:41:45Z"
-  mac: ENC[AES256_GCM,data:otC8H0PW9z1xNQfovLiQkzckWK5Pe26wDwSKk+B95NEvv9CjzZrYkHg7L03dP9EHBHB2uiEGexCi4Tq5Zrs+1r39II71NC3YinI14K4318yAMxWTzzbWy8jeUrvXXVbxEem7JIh3+foIqcbmMtb+VmO2fyzoB0ztByiSUTrfPnU=,iv:dDkPerAall8Ltub1RG4ubhg1cqPiPzA4MHSGIlRHCwA=,tag:fG+JRMuE6RlfImG3G8H6Nw==,type:str]
+  lastmodified: "2024-12-10T05:47:36Z"
+  mac: ENC[AES256_GCM,data:bb2QRSkFZxuiPve8RkfhJn4cfdA8t4v2wi5n8I6GOt+MNxHoG9UeRWyPhs2CszPyZh0qrFBGxhAOrFEIaJt24Jq57hhBurllFck3WUHHC9aE/I0ArQMtwELxg88BDhFreeWuxCCyx5vLYfyKbjwUtoDuDQ5nJTfaLfwdBqk+JKE=,iv:JPBp8GMJMNqlc4matmMaNwukktmB5kvh8NvMh1oh9YE=,tag:gH4P1Dt1fxIGqJBI+alx1w==,type:str]
   pgp: []
   encrypted_regex: ^(data|stringData)$
   version: 3.9.1