From c18e799d4ab34d9ec4262dcc27c2928a0d156aeb Mon Sep 17 00:00:00 2001 
From: Liana Date: Sun, 29 Dec 2024 15:02:00 -0600 Subject: [PATCH] Lots --- .../kubernetes-schemas/app/helmrelease.yaml | 77 +++++++++ .../app}/kustomization.yaml | 3 +- .archive/kubernetes-schemas/ks.yaml | 26 +++ .../mataroa/app/helmrelease.yaml | 5 +- .../mataroa/app/kustomization.yaml | 0 .../mataroa/app/secret.sops.yaml | 0 .../apps/public => .archive}/mataroa/ks.yaml | 0 .../windmill/app/helmrelease.yaml | 1 + .../windmill/app/kustomization.yaml | 0 .../windmill/app/secret.sops.yaml | 0 .../apps/dev => .archive}/windmill/ks.yaml | 0 .../apps/auth/authelia/app/secret.sops.yaml | 44 ++--- .../database/dragonfly/app/secret.sops.yaml | 18 +-- .../main/apps/database/kustomization.yaml | 2 + .../apps/database/mysql/app/helmrelease.yaml | 61 +++++++ .../database/mysql/app/kustomization.yaml | 7 + .../apps/database/mysql/app/secret.sops.yaml | 28 ++++ kubernetes/main/apps/database/mysql/ks.yaml | 26 +++ .../database/rabbitmq/app/helmrelease.yaml | 33 ++++ .../database/rabbitmq/app/kustomization.yaml | 7 + .../database/rabbitmq/app/secret.sops.yaml | 28 ++++ .../main/apps/database/rabbitmq/ks.yaml | 24 +++ kubernetes/main/apps/dev/namespace.yaml | 7 - .../downloads/archivebox/app/helmrelease.yaml | 10 ++ .../downloads/bazarr/app/helmrelease.yaml | 2 +- .../downloads/prowlarr/app/helmrelease.yaml | 2 +- .../downloads/radarr/app/helmrelease.yaml | 2 +- .../downloads/sonarr/app/helmrelease.yaml | 2 +- .../main/apps/home-office/kustomization.yaml | 1 + .../home-office/plane/app/helmrelease.yaml | 152 ++++++++++++++++++ .../home-office/plane/app/kustomization.yaml | 7 + .../home-office/plane/app/secret.sops.yaml | 37 +++++ .../main/apps/home-office/plane/ks.yaml | 27 ++++ .../apps/home/homepage/app/helmrelease.yaml | 3 + .../home/homepage/app/resources/services.yaml | 2 +- .../home/homepage/app/resources/settings.yaml | 8 +- .../apps/home/homepage/app/secret.sops.yaml | 32 ++-- .../kube-system/cilium/app/helm-values.yaml | 13 +- .../apps/kube-system/cilium/config/bgp.yaml 
| 28 ++++ .../cilium/config/kustomization.yaml | 1 + .../apps/media/jellyfin/app/helmrelease.yaml | 2 +- .../media/jellyseerr/app/helmrelease.yaml | 2 +- .../blackbox-exporter/app/helmrelease.yaml | 82 ++++++++++ .../blackbox-exporter/app/kustomization.yaml | 6 + .../observability/blackbox-exporter/ks.yaml | 26 +++ .../grafana/app/helmrelease.yaml | 15 +- .../grafana/app/secret.sops.yaml | 23 ++- .../apps/observability/kustomization.yaml | 2 +- .../main/apps/public/kustomization.yaml | 2 +- .../public/writefreely/app/helmrelease.yaml | 111 +++++++++++++ .../public/writefreely/app/kustomization.yaml | 7 + .../public/writefreely/app/secret.sops.yaml | 29 ++++ .../main/apps/public/writefreely/ks.yaml | 24 +++ .../csi-driver-smb/app/helmrelease.yaml | 25 +++ .../csi-driver-smb/app/kustomization.yaml | 7 + .../csi-driver-smb/app/secret.sops.yaml | 29 ++++ .../csi-driver-smb/app/storageclass.yaml | 20 +++ .../main/apps/system/csi-driver-smb/ks.yaml | 20 +++ .../main/apps/system/kustomization.yaml | 1 + .../talos/patches/control/cluster.yaml | 3 + .../talos/patches/global/hostdns.yaml | 4 +- .../repositories/helm/csi-driver-smb.yaml | 10 ++ .../flux/repositories/helm/kustomization.yaml | 2 + .../main/flux/repositories/helm/plane.yaml | 10 ++ .../main/flux/vars/cluster-settings.yaml | 1 + 65 files changed, 1099 insertions(+), 90 deletions(-) create mode 100644 .archive/kubernetes-schemas/app/helmrelease.yaml rename {kubernetes/main/apps/dev => .archive/kubernetes-schemas/app}/kustomization.yaml (77%) create mode 100644 .archive/kubernetes-schemas/ks.yaml rename {kubernetes/main/apps/public => .archive}/mataroa/app/helmrelease.yaml (94%) rename {kubernetes/main/apps/public => .archive}/mataroa/app/kustomization.yaml (100%) rename {kubernetes/main/apps/public => .archive}/mataroa/app/secret.sops.yaml (100%) rename {kubernetes/main/apps/public => .archive}/mataroa/ks.yaml (100%) rename {kubernetes/main/apps/dev => .archive}/windmill/app/helmrelease.yaml (97%) rename 
{kubernetes/main/apps/dev => .archive}/windmill/app/kustomization.yaml (100%) rename {kubernetes/main/apps/dev => .archive}/windmill/app/secret.sops.yaml (100%) rename {kubernetes/main/apps/dev => .archive}/windmill/ks.yaml (100%) create mode 100644 kubernetes/main/apps/database/mysql/app/helmrelease.yaml create mode 100644 kubernetes/main/apps/database/mysql/app/kustomization.yaml create mode 100644 kubernetes/main/apps/database/mysql/app/secret.sops.yaml create mode 100644 kubernetes/main/apps/database/mysql/ks.yaml create mode 100644 kubernetes/main/apps/database/rabbitmq/app/helmrelease.yaml create mode 100644 kubernetes/main/apps/database/rabbitmq/app/kustomization.yaml create mode 100644 kubernetes/main/apps/database/rabbitmq/app/secret.sops.yaml create mode 100644 kubernetes/main/apps/database/rabbitmq/ks.yaml delete mode 100644 kubernetes/main/apps/dev/namespace.yaml create mode 100644 kubernetes/main/apps/home-office/plane/app/helmrelease.yaml create mode 100644 kubernetes/main/apps/home-office/plane/app/kustomization.yaml create mode 100644 kubernetes/main/apps/home-office/plane/app/secret.sops.yaml create mode 100644 kubernetes/main/apps/home-office/plane/ks.yaml create mode 100644 kubernetes/main/apps/kube-system/cilium/config/bgp.yaml create mode 100644 kubernetes/main/apps/observability/blackbox-exporter/app/helmrelease.yaml create mode 100644 kubernetes/main/apps/observability/blackbox-exporter/app/kustomization.yaml create mode 100644 kubernetes/main/apps/observability/blackbox-exporter/ks.yaml create mode 100644 kubernetes/main/apps/public/writefreely/app/helmrelease.yaml create mode 100644 kubernetes/main/apps/public/writefreely/app/kustomization.yaml create mode 100644 kubernetes/main/apps/public/writefreely/app/secret.sops.yaml create mode 100644 kubernetes/main/apps/public/writefreely/ks.yaml create mode 100644 kubernetes/main/apps/system/csi-driver-smb/app/helmrelease.yaml create mode 100644 
kubernetes/main/apps/system/csi-driver-smb/app/kustomization.yaml create mode 100644 kubernetes/main/apps/system/csi-driver-smb/app/secret.sops.yaml create mode 100644 kubernetes/main/apps/system/csi-driver-smb/app/storageclass.yaml create mode 100644 kubernetes/main/apps/system/csi-driver-smb/ks.yaml create mode 100644 kubernetes/main/flux/repositories/helm/csi-driver-smb.yaml create mode 100644 kubernetes/main/flux/repositories/helm/plane.yaml diff --git a/.archive/kubernetes-schemas/app/helmrelease.yaml b/.archive/kubernetes-schemas/app/helmrelease.yaml new file mode 100644 index 0000000..10da4cd --- /dev/null +++ b/.archive/kubernetes-schemas/app/helmrelease.yaml 
@@ -0,0 +1,77 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: &app kubernetes-schemas
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: app-template
+ version: 3.5.1
+ sourceRef:
+ kind: HelmRepository
+ name: bjw-s
+ namespace: flux-system
+ install:
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ strategy: rollback
+ retries: 3
+ values:
+ controllers:
+ kubernetes-schemas:
+ containers:
+ app:
+ image:
+ repository: ghcr.io/budimanjojo/kubernetes-schemas-web
+ tag: latest@sha256:6798cb1435f9928d93398b5ea00c6dd5ecc0aae0889278e17db1fa1b14117b5b
+ resources:
+ requests:
+ cpu: 10m
+ memory: 50Mi
+ limits:
+ cpu: 200m
+ memory: 128Mi
+ probes:
+ startup:
+ enabled: true
+ spec:
+ failureThreshold: 30
+ periodSeconds: 5
+ liveness:
+ enabled: true
+ readiness:
+ enabled: true
+
+ service:
+ app:
+ controller: *app
+ ports:
+ http:
+ port: 8080
+
+ ingress:
+ app:
+ enabled: true
+ className: traefik
+ annotations:
+ cert-manager.io/cluster-issuer: "letsencrypt-production"
+ gethomepage.dev/enabled: "true"
+ gethomepage.dev/name: Kubernetes Schemas
+ gethomepage.dev/group: Tools
+ gethomepage.dev/icon: mdi-file-document
+ hosts:
+ - host: &host "k8s.${SECRET_INTERNAL_DOMAIN}"
+ paths:
+ - path: /
+ service:
+ identifier: main
+ port: http
+ tls:
+ - secretName: "{{ .Release.Name }}-secret"
+ hosts: [*host]
diff --git a/kubernetes/main/apps/dev/kustomization.yaml b/.archive/kubernetes-schemas/app/kustomization.yaml
similarity index 77%
rename from kubernetes/main/apps/dev/kustomization.yaml
rename to .archive/kubernetes-schemas/app/kustomization.yaml
index d3a01e6..17cbc72 100644
--- a/kubernetes/main/apps/dev/kustomization.yaml
+++ b/.archive/kubernetes-schemas/app/kustomization.yaml
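Review bot: In the `ingress.app` path of `.archive/kubernetes-schemas/app/helmrelease.yaml`, `service.identifier: main` does not match any service these values define; the only key under `service:` is `app`. If the chart resolves the identifier against that map, as app-template 3.x appears to, the ingress backend will not resolve, and `identifier: app` would line up with the service declared above. The image keeps the `latest` tag beside the digest; the digest is what pins it, so a one-line comment such as `# pinned by digest; the tag is informational` would stop a reader assuming the image floats.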
@@ -3,5 +3,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - ./namespace.yaml - #- ./windmill/ks.yaml + - ./helmrelease.yaml diff --git a/.archive/kubernetes-schemas/ks.yaml b/.archive/kubernetes-schemas/ks.yaml new file mode 100644 index 0000000..fb4ee61 --- /dev/null +++ b/.archive/kubernetes-schemas/ks.yaml @@ -0,0 +1,26 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app kubernetes-schemas + namespace: flux-system +spec: + targetNamespace: dev + commonMetadata: + labels: + app.kubernetes.io/name: *app + dependsOn: + - name: traefik + path: ./kubernetes/main/apps/dev/kubernetes-schemas/app + prune: true + sourceRef: + kind: GitRepository + name: k8s-gitops + wait: false + interval: 30m + retryInterval: 1m + timeout: 5m + postBuild: + substitute: + APP: *app diff --git a/kubernetes/main/apps/public/mataroa/app/helmrelease.yaml b/.archive/mataroa/app/helmrelease.yaml similarity index 94% rename from kubernetes/main/apps/public/mataroa/app/helmrelease.yaml rename to .archive/mataroa/app/helmrelease.yaml index 326f2f8..bc8793e 100644 --- a/kubernetes/main/apps/public/mataroa/app/helmrelease.yaml +++ b/.archive/mataroa/app/helmrelease.yaml @@ -33,9 +33,8 @@ spec: initContainers: init-db: image: - repository: ghcr.io/onedr0p/postgres-init + repository: ghcr.io/liana64/postgres-init tag: 16 - # https://github.com/onedr0p/containers/blob/main/apps/postgres-init/entrypoint.sh env: INIT_POSTGRES_HOST: &dbHost postgres-1-rw.database.svc.cluster.local INIT_POSTGRES_DBNAME: &dbName mataroa 
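Review bot: The init-db image in `.archive/mataroa/app/helmrelease.yaml` is switched to `ghcr.io/liana64/postgres-init` with the mutable tag `16` and no digest, while the main container later in the same file is pinned with `rolling@sha256:`. An init container of this kind is usually handed database admin credentials (an assumption, since the hunk shows only `INIT_POSTGRES_HOST` and `INIT_POSTGRES_DBNAME`), so I would pin it as `tag: 16@sha256:<digest of the reviewed image>`. The hunk also drops the comment that linked to the entrypoint source; a replacement such as `# entrypoint source: <URL of the fork's entrypoint.sh>` keeps the image auditable. The enclosing `spec` starts and ends outside the hunk.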
@@ -62,7 +61,7 @@ spec: tag: rolling@sha256:702eae37414c0b492b766771a50b9c8490b4a34259699eae3a7bdf284f2abad6 env: DEBUG: 1 - DATABASE_URL: "postgres://${PGUSER}:${PGPASSWORD}@mataroa:5432/mataroa" + DATABASE_URL: "postgres://${PGUSER}:${PGPASSWORD}@postgres-1-rw.database.svc.cluster.local:5432/mataroa" envFrom: - secretRef: name: *secret diff --git a/kubernetes/main/apps/public/mataroa/app/kustomization.yaml b/.archive/mataroa/app/kustomization.yaml similarity index 100% rename from kubernetes/main/apps/public/mataroa/app/kustomization.yaml rename to .archive/mataroa/app/kustomization.yaml diff --git a/kubernetes/main/apps/public/mataroa/app/secret.sops.yaml b/.archive/mataroa/app/secret.sops.yaml similarity index 100% rename from kubernetes/main/apps/public/mataroa/app/secret.sops.yaml rename to .archive/mataroa/app/secret.sops.yaml diff --git a/kubernetes/main/apps/public/mataroa/ks.yaml b/.archive/mataroa/ks.yaml similarity index 100% rename from kubernetes/main/apps/public/mataroa/ks.yaml rename to .archive/mataroa/ks.yaml diff --git a/kubernetes/main/apps/dev/windmill/app/helmrelease.yaml b/.archive/windmill/app/helmrelease.yaml similarity index 97% rename from kubernetes/main/apps/dev/windmill/app/helmrelease.yaml rename to .archive/windmill/app/helmrelease.yaml index b5d3fff..034b293 100644 --- a/kubernetes/main/apps/dev/windmill/app/helmrelease.yaml +++ b/.archive/windmill/app/helmrelease.yaml @@ -74,6 +74,7 @@ spec: enabled: true className: traefik annotations: + cert-manager.io/cluster-issuer: "letsencrypt-production" gethomepage.dev/enabled: "true" gethomepage.dev/name: Windmill gethomepage.dev/description: Workflow engine diff --git a/kubernetes/main/apps/dev/windmill/app/kustomization.yaml b/.archive/windmill/app/kustomization.yaml similarity index 100% rename from kubernetes/main/apps/dev/windmill/app/kustomization.yaml rename to .archive/windmill/app/kustomization.yaml 
diff --git a/kubernetes/main/apps/dev/windmill/app/secret.sops.yaml b/.archive/windmill/app/secret.sops.yaml
similarity index 100%
rename from kubernetes/main/apps/dev/windmill/app/secret.sops.yaml
rename to .archive/windmill/app/secret.sops.yaml
diff --git a/kubernetes/main/apps/dev/windmill/ks.yaml b/.archive/windmill/ks.yaml
similarity index 100%
rename from kubernetes/main/apps/dev/windmill/ks.yaml
rename to .archive/windmill/ks.yaml
diff --git a/kubernetes/main/apps/auth/authelia/app/secret.sops.yaml b/kubernetes/main/apps/auth/authelia/app/secret.sops.yaml
index 8c21bcb..a14fd89 100644
--- a/kubernetes/main/apps/auth/authelia/app/secret.sops.yaml
+++ b/kubernetes/main/apps/auth/authelia/app/secret.sops.yaml
@@ -6,20 +6,20 @@ metadata: name: authelia-secret namespace: security stringData: - AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD: ENC[AES256_GCM,data:FXVNmAF4uYvAl8C5TmLcqrSf0N212FvxC7prP0x0L9WRtYxNia7tl0SOXNiviT8Iuf3OQEdG451RXFKLgqcpHQ==,iv:Lsb9ljoxbN6iyiFG7TTqPTHtc5OOrl+TR/8pz83kCMc=,tag:NqnPayIgRN5FqY9IMb8V2w==,type:str] - AUTHELIA_SESSION_SECRET: ENC[AES256_GCM,data:Jd+xXGRUp/1JvSeIHMFkZEiIXNF6Og8i78EfNwKrLwv0haU1bAsX+DGXLz6YxqdwrrCBsJ+W9VNggPUa05Ky5w==,iv:iw+tNb67iXC/M0d6ihuiJFsCUYN0jxBERhpRwb3dc6M=,tag:KbJUDzNf1aSmK3JHl/41Dw==,type:str] - AUTHELIA_STORAGE_ENCRYPTION_KEY: ENC[AES256_GCM,data:12MJ1XuuSj2ysNdlL238aVrGFrkXbVqvo/Y46V9fKdtcV5lU4PwiFJwZt2m71YNITpdfJjCm9EZRBA3GYcpJQA==,iv:BqRYbwc7dkPbwuG9hrCHRwfVOwmnVvpSm8YbGAb6G48=,tag:HlzCRAj3Mpi2ZUh9N5VSKA==,type:str] - AUTHELIA_STORAGE_POSTGRES_USERNAME: ENC[AES256_GCM,data:DUQa97EzMUY=,iv:l7EFj4pwQGGfFrt8CLwuylKzbFh6UNBe9/ARFaz5LTU=,tag:+ODryqYm1NWMrGktVi0NDA==,type:str] - AUTHELIA_STORAGE_POSTGRES_PASSWORD: ENC[AES256_GCM,data:OUpIuVKtLGu37mxLYFmtWlPZxeh/NFNbkgE8tw==,iv:tr5nrRsgSBZ3F72IBIGHIh58R7RAMhjG+LT7JVyTGw4=,tag:NxSiCOAcBsQECRt+dsIXcA==,type:str] - AUTHELIA_NOTIFIER_SMTP_ADDRESS: ENC[AES256_GCM,data:GTGJKrhAjahAR3oSVfSySB8ZVZQ=,iv:Iz4m693bspgYRgWPtMe4eJwhuzURa94S3QgyreJCCbs=,tag:KlA3Hvircl5I4qt13gvFhA==,type:str] - AUTHELIA_NOTIFIER_SMTP_USERNAME: ENC[AES256_GCM,data:nS602NajWVfnDbsxp/+SSmoIdrrH773/txM5IlA=,iv:80JGSZ+I49LGUm2/uVuDuHxjhMMhStKgct3384Kkkgw=,tag:Kf21b45hGlkgaHJzHHyO7w==,type:str] - AUTHELIA_NOTIFIER_SMTP_PASSWORD: ENC[AES256_GCM,data:B21x05gGOxXyjP9o/LQR+H5tp1maILt0DwG59DVlal42XmxyLZXOEJmD4qRod6R8P04=,iv:fo3yX7km0gKhtq6zblGvwFk56Msjnu5NxnwI4drlxYg=,tag:Tz/pvTTrUHLNMwPSJGT0lA==,type:str] - #ENC[AES256_GCM,data:GS7H8x+FRf+Xx5ANHWXveW4U0QXNBZ5InOO8jaTi4EEos5ok9vinWmPu22h9gj6y+wgIv8GX1O2Sc7CNemQ4hr23fP3uwgKD369JSDb3U7M9xhsh8mA7jA==,iv:MsKk+Hlur9shsxwQXcZGAFEIAUZYxDxlSO4s/y7Bk28=,tag:A1rOym1+mTCYoeYHJztGXw==,type:comment] - GRAFANA_OAUTH_CLIENT_HASHED_SECRET: 
ENC[AES256_GCM,data:gGcK16/Evyv5XaOk0ITTrbsNdCuNoP2JUuAAk9gL/meLNNR44jAkWn8eBUe0ZIcucTAgo4DgtEfOIPzee5PA/TndSCEroivX+4vFkUh4slJ5y9NAN/yzcuC2P0JfydhE6Wl4WK0b25gm8mlUiTDPrGzhlYxshRxdmfxC52zslg+vaxOTqRUsReHJsqldyxhnctdzxgZ5FQylrMkI92piqRJV7cYKR6w2jy96n2F0lp4=,iv:rI+iQqOW0qTL6izm3MPLW4Bb58yeU9LXehLF3TioZlo=,tag:kKbGVG+MwnWeDkJ6TMk6Rw==,type:str] - #ENC[AES256_GCM,data:8qjPhCQZZE4LCKYbgtjiN6ABICxKR0rp74ZIbkQdVgPAdlzJQ2Ktz79xImtiEKNPsJUqXpI5pU8ojFvMRzQqR0GQ286/UEVbAfL05L8+3gIi6TFYKLKGbdQ=,iv:vM5/ouScE93c3PEMFl1tAVAfAo7MQiHgFlaItxm2gHo=,tag:u8SWmgA/Y7yAJpPSwNiZ+w==,type:comment] - MINIFLUX_OAUTH_CLIENT_HASHED_SECRET: ENC[AES256_GCM,data:cRDIaFBfjEGiGecAGvNErVcSreHL4JRP9BMiewhCzGoSr85MirnSy5kWZZs4VdTnkH73oQW1dvM9lcHqBYNECMssfoBzjobkWP4kOPzN+tIt5x3Y9iUGmzp8Ax80JBYxLhDZABrc4R3V4vTi8hcM92fzDGmUQqtP1h/8TwMh85o6m6xM/R1ww4W1UsTHzAPkBk3xltTFBTk9B3K97+B1Hbr2vUTnEDsxPqp6EjyeRLM=,iv:KtB3Jz/OvgwW0HDlvDaLQZKyrxxuKjmb0SrZdqHjPfo=,tag:NSePCkYujTp4lSNticzolg==,type:str] - OIDC_JWKS_KEY: ENC[AES256_GCM,data:GnKzzhqilCHF1Zi1NNfchRRyAMZvaTaSJMDdlVF59m373W0kFeD1LgKKc/Vk46T7NHEHWXxZ8TDm+pxLUsxzaWtSWxRQ2syk7CcepJbteX8d1+1tUEfNjWhU2GrYnjXHneQIlQkW+1eFV43WupibB45n3frKuBv+Ixj6b5MDCwVpWXCO8OuSkU48gCZP1wUbnoIKAJ7qUUCniU+PQH8uDhD2k6hFkjbTvDtK9FK1JMHUwiQbp/kj510WaSu7I57XsC/XdzEfe6uIZScvtOeF1fP0DZCFc9oLVajLcpe90f1ZBX+967etDn4qpNxaguDOe7/XoefZLHwl8CkwcnxDGZIn0yg/I/C5cx+LWQFOCtbqWluYP+OAThTWx/sIYFylMz/9b9gL7z+VvnnwgRAgSqe5kVJg7PWB1s73Svq1V/mnVyGJ6Ul+TMHOkokKrAN2IKayrlqdUoB9mMBu+LyH9oedrNs7dFC1gRmwzy1fGnDnNqM325S3EdwkN2wXM25mnfOScgpSxREUWV9CI0kwnXSpG5VQSwgetYbr5QWpQonylPoslKlSVi/I95PFwL25JGzEai/yVe+lV4MUa/w6/89gPGPDbFobkQL3GQfHTPPAxXa+2wUN6Fh1tDTTWZCUdsRs3hvmPXGO8qxJkEoBTt+XapnbOXSsCxRyy5KD2j1TPTUAK3UHfBhD+t/pmCrR2O4KdgJdNqUfqgIJhEBYyOZvLhnClnctDDZrvmV9c8sJEG2VFq3tN9rDeB9NKES3JRIfNAVsA8olAzHiDW5vvtUQ0KNB33CDGI3ramFtyQf6Jf17fVY2xklfBE8Sy91DUgF+UP/LpRs6nrpPPsx4HP983tAxbSA0C8wo+4p7lOaMjvIcvwcS4RR0Wqa7hprp2luhCMXk+cIm9ZjRFfTEZ7J8fFHfhHYI7kzxhlbO6TzATk5IlbecImW75q+9Gj6FyanFcj63FvIm5lGfh1jo+4iprKAcE9Px6aCVggplW
sH3ypOukQzf35wm4qc2sLhtMOMo+Psazv4f9XPVwgdBsoK+Oy86Jhj6aoWOnxtkphC7+rmwSA1GhQ/EMlod7JoRmwvgeBf0PCe8Y7xSY0jn58yk9xhgKKMcotW8uVuSwzEfSUSJ7YMW4Gv/ZKPQferaKEb3VoYcCiPtDi1KvzBd9hJ6SXLJEBjg+j9m4NKLJlJayi+zASRo0o1RLjYpPqpqMpkcEYvLIo6b/EevdpbSY+gtj8ear1YpTocb/DEaCUMQZii4hJQaISOjXfTxIexM1PKnIFHNsj2Syw8K3Nq7EYezbQ6QQnSFOLwZ2Nxi7A4VmADk9rsYkPsFfa/p+7X7bvGu9OKWbZkduULJ7DRbQ3kR46SC5Ra5PlfwLk8p1hmey36CgpLaJcA3xbXv4DH+QCzpYbwaRcknHzD/cxjACKganTuzTVD2W6j1MAiqaO6gL9re4Oi2wuASexdsyvO8wx6gwDT0AE4Q3fAr14R7LVkGY51D68RusqHS5OfjLPIhZ4J48/11MQFL+D06EJOU7WQYzvDEhmzJeJywqJnWY1/k7/sSB8kNgzSS+91tZZKxAl8GCqIvcoLFecl88ZmJKX3hVkvKpxlzdBA3mZdelsYvGR+CsEJPgqIjYri+u3sqKFJjf1lWvQAHklReyIoifSZGW/OybkT5qjwq6Kud9cxh+LTRTKdXza+l7S95p9UAV96eZZuk65W0RTtR+vY98+BqOvwpcqLjLZmOIPVqQOEwzT17bnGthmFZ7ZlxuKhde3i5+T95arWTIs3UPSv0xNBXhJLV4uVdUaR7jl9RR+miHa6mH2KrTk+CUdzNXtICtS5ukaidHKQsvJYk5F1m4XY7Sli1r4faTiX7cIYf2hzONUSJlLwrARQdKJRN/p6GUT2TvwpFPIzmwsPOH8y1djsm91D5wdfj16teHJz4mBUNHprkhODz/DXQJsrqVNwegiPX4yWCLYzlqrKF4pxs//TteKcRGHflvCmgvqWNW22A//vPMstP/klV/o8qK3bByGd19dSJxDG7AKC+qwKmf+N02/JZbxvKnGyVnlUFwIXmRAC2i970lZXJspoPEoiSz9o1RYb+6V9W1bOvb3wnfEeqW0I7Ur6fDNlQnnYsTQAolayZSfKNowk3nidUWibYo9C7WWE8Ds+IXH31kvi3iY5KXT6vNapKqBKjb4LOJY2YpuqKz6ygDZZhYppC/FdRD9HDdj+ZJnXqeaHqQmlrfu6uzCj/uTDIrrGTmnq0M0X8Mj9DAa06LNPzGpx0IySJA6rRX+OMk2V0G4l/bUxs0Dt+D4SB51rnoaEOv/Y1OKhuHO0lJNoj1sdfNalABk7Frgi0kqiOfv31QLGEcKnC9euLddY5e4EdGxUOaSBoJZkzsZ0RpAmw2lfnNJU4i2pgh5VTGcCvrQl2O6QpIJGfoBSAb/kfeqhVLwYHeHJDh5AS2C3q76lY/TT4/WShOGYMSqWoe5VjhqEFf+ruYgCUcU4Xf7V6N3J8zSF+oylV1tBJQDqFBhZvfZKkOqWSW8FwCBgSI6Yjl3SJaepqSaaqPn9JSQC/epqOtBq8Jk0yDeeLLRJbrcCSia3o+AqWhVFNaHDWplEaR4hmnbGIXc3+YJ+uzMF8dL0V/rqZwksN/k4N6z1qHz8UtVY/f8jDdiQWO+IMLhx4aICDPwNX/LA5++R4N4jLFBLpkHNU/JJ86BR3sWG6pD4L8dCsMO2NDHvjJJ3sGOoea6Dh0+Zpw5HyurOjhH5qafhZ/rkc5Q8l/dp7RjwOWp1hRT1BBJG/yaMVjpIWZiq/4fLFrapUROcgJOSM+iRjRlMF2X9pDOi7y/VSVKa4eIS+VPw/p9PZrf01h3yCLIKWzGbPtFsE8+sfRRCzdPNwsfxm/9VAnPhe2QyJ6+Gw1NplnJW9O9oPxiZVRrKxCIldB2wKiZ2cqjIDJkvWW2gvOhkZEwkdH9eHIDTGlWcrj7k33wM56Gna250eBjzYbh+8DhcrC
xXVJjCyz0aOmct3x7NukpHbUVk8EpqOPzK3BVh+RuLraVEH0cXUr5FzoqVHO3CjJ0TEN1K2pKO9sXAnZRAbHacePdXj0w3ygrNc9kBUoboB6NH0O+WnoBccW5Hvh/DP7zeb+5MPlU0vW9qcLEitMfL6lTlmf66Y+a6ogOWoE+BQB3Lk1DfKGKpmGPtmejEpjstz+H1/5DSOW7khQqfri3SbXnrE7V40qMx9epqvuWl+4v908sYtTcIe8ImN/OvFskXXi7oJU00kOXGFPkCYWoI4TV2LDrocrV0r332AFn/lhE9s4mMR5bhAh42M913T3NURTkIPccSg22mGnNoEEbnIyUza9Q/sdNPZ+p9YR8L+yyo6Yg2FCsT1egEkmayBgdyVLLY2nw+UrSs1Iec4LAY8D/ixSFXFHk+wXiXbFnN1i0LYXOWG+YDvOWMSWhyEyjom7fKq9UgXC+Rz+n0msP3G6GT+V5doX4JwUbCQiMaAoKjeVyKijx4xMKeIwTy3Q8b8s50gR5tHHYD1O1oE8bBXGL0lGD6qDkzMVPHqP5DRW0RJIjhjCRpLKqWm/e1aYIdl9E3VXNjdX2SlJsRnEuoFyJL2nexdMw9Bf39v0W5dbp/zoZAA8qBTJ+Kw+DIDM/aMtqXgt2cwii/Qexk3ImpTrF6+4q448Ie7ey4gikN0y8x3FXOrk7oualGLUUMh6pwV+ht5ONr2YJIrqMHx97x7TDNSEyQZKOqQM1LQQ6GT1ZGplGREVY2Yw03J8sV2PtL/qhRAtLG7415qohpe/iezIFUU4rTzNvPuduzRyjdiQkOv+6hODfust6t7r0JCucLf/dvvjPVOK/tsIAxUE2nJKtxBxSjWl3EmAd7FHHFlDhmddwCg7D5IPvSaIHaC8aPjUpvqcNjGAgj45MxvRYyOsxIX1oy9aBIiyYL/fBdvcHuNXQaN6M1JGS2fpIvX0Znah87vxbnjkyNtXJQsKP297DYXfQKM0LSrg01JL5Xwne8+L+VgpOh+/jdkBg64u+yAGBSnk/gbxE1UL/IqOXgtqbWpMDk0FErMz8dTJ0qKtJwfoo9fZMEUx/IxHGwRJuG09taNYWtIm4Sy5zYaOA6pro0iaTan+0FNDYSuQAoOpX+9qDjBJMQeWod/WVovTPdZYcKPmYnF6k/znKHRhmmdN/S83+Z+oPpAw/Q1JXEyolX8HnnsV4ACoPkOnEb0TCoucS+wPp4ATpW1r7SMZbZM7o+r83D7IVg9yA7aVcNM4UWIzmgykeZe28vjDmhOJ/3BbFaAb//zueWtQdPSMr/UXlpxg5dPGevpSbSyoO3FPMRpvnXEHy6+ZhbH/9b6h8xuFy8LjZkrtA==,iv:AL5stW2E6N+Xc9iJAwy4a+HmoNRx2KglBMO82PXnkO8=,tag:+aovjQZaxewz7kDPOXZFnw==,type:str] - OIDC_JWKS_CERTIFICATE: ENC[AES256_GCM,data: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,iv:JhsVfRZsp/+HjM+8sesoD1E8cvy3PUzOE17/6JGiqUs=,tag:c8r8YZtTFq02sRdakTCc9g==,type:str] + AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD: ENC[AES256_GCM,data:fSj36g21uZ3o1T1gMLiJB00atgY0XkGrS/i2UUBfnZOLyHLEFwjezUY6hj3IHtr1d3WGkkd0f3szIMfNX7Ar1g==,iv:tWzKcW+piwuiXZtqTpHrdPA2nzDMKiBdEjr+kHTdoeM=,tag:FG2pikcDBBEnOxIRYJmebw==,type:str] + AUTHELIA_SESSION_SECRET: 
ENC[AES256_GCM,data:WmAFNbE+Vw8Hd66VfYcgEbr0M+FetqwOALatgEbTQv166tm7e1wwoo22EkKF9IzpOs8IEQ0Nrr1MChugd/7Pcw==,iv:D1RWLkS0Z4JdoDF9Pk03IWOpC5cmJP6BAkJ7M+V224c=,tag:BKeyjKkHGl+tRoWzdiZXfQ==,type:str] + AUTHELIA_STORAGE_ENCRYPTION_KEY: ENC[AES256_GCM,data:VOqGiqIy6LRhjjQubS2MCWwiO7pxOzRQCwqcO/CuobxNbsP5voAaH4FA3tJAqADbRdQ6EJzqqiGFRmQZjcyNfw==,iv:TRHulGnl9J0poJGkIB0hmGKnNKuHC30ExtnaCIewBrI=,tag:5seAMHOBXFB6sAZhI1VfUw==,type:str] + AUTHELIA_STORAGE_POSTGRES_USERNAME: ENC[AES256_GCM,data:x0e2Udwrlgw=,iv:shqpMXVK6FbdtCk2bmgFwWLI6UOQ8JadQsSlzdJ8O8U=,tag:gBcQLfmmqcTvx0fNZQV/ug==,type:str] + AUTHELIA_STORAGE_POSTGRES_PASSWORD: ENC[AES256_GCM,data:Fo3memwrN4Y/3D3Sh6pNWZlJN3qp8iMAgjt5RA==,iv:2HqOK3zt7AZLzT9Cxrs1ztWs9YaNxGMBZNagNEBgJ10=,tag:jGt6vCUlYfqzZOY2Y32aWg==,type:str] + AUTHELIA_NOTIFIER_SMTP_ADDRESS: ENC[AES256_GCM,data:LA45EKObYX40kiDJFRrxjF72ap4=,iv:gKgxo54Vzvfa4S9Mf15Tg1KqBr7ifoLDn2x4wvVh+Zs=,tag:defx3kG0HaLOmt/2qpl7Vw==,type:str] + AUTHELIA_NOTIFIER_SMTP_USERNAME: ENC[AES256_GCM,data:Pa3x89QOEzxtVDrVf3zBl1nEj31w0LGKxyC6Rng=,iv:0TQeuIdNNmOFjt8wIwoaanycuz5sMZ/TzdpzlgOOddk=,tag:ZzQY0OuuSAO6ri4KbISUig==,type:str] + AUTHELIA_NOTIFIER_SMTP_PASSWORD: ENC[AES256_GCM,data:Iif673bqxdMPwtcSYRDCgCEPwGW8PJf9KED/uOIC6Kp0mg8dwyMnVo6GKswyzfmDCgA=,iv:H8FWx0+wUIzTKmTY532x2rTnzJTUvOZldHJ6RX5LS/Y=,tag:zydn2bpMf5qwQAxxSunrdg==,type:str] + #ENC[AES256_GCM,data:V0LfayajrGp7RS9Z1Hm6Ri7YDpCOuokfQH2Uqto02sokF1oVttb0DmsmmFr+3hYq2PFmAapXcRCX9YzCU0mCRGGF5iMhv4PTClthCTW4bH6wm5/UIWZE3w==,iv:dR+n+75T0a7ZxYOb4iDWaiEPbWGVrhMMdQBeCUJGnlU=,tag:5TOqh2HUaxmCqcAUGDV9Qg==,type:comment] + GRAFANA_OAUTH_CLIENT_HASHED_SECRET: ENC[AES256_GCM,data:uoETUYsB7OytGPXxpwk9vSwmlYNiLMcjIFKUirzpxcJoxUV9C36BTYqOZGUNJAXf/EGxoCB5bq3LOxdQJeWC1QHHQFoh00B8WWNM/aq3aOqRyeNyFkGC7mV+qh5IM17V8x1JSie9ERVC6WzT29ESCdOAo0Sw4dbWTiNEEdHqLcARinV0wsZls6DN3CFY16pyR6fCQbK17E9k0cIz36LcabFRTTfyrBN/a0eF5ZjU42s=,iv:Ln99e981bTirguT2ef+B5VY58nD7byL70m64XY6nJj8=,tag:8lKnVUAqL4fWxyuwiGOdCw==,type:str] + 
#ENC[AES256_GCM,data:QLlurNRDJBvi4s1fxoKqgwMsFCsa+SaOzrgPQ6A81y1TgizRINusUtOlpPUNH2voTb9vz75qySAN1i679nMnL2qJL5KS2+s9mLsOn3dEN3AuibOZlL/BF58=,iv:c6aZGU/CnkTVkUXM64YELelItc8CRec68JFE+0IesLk=,tag:9lBnD3OSoi2NLW8Ijiys4w==,type:comment] + MINIFLUX_OAUTH_CLIENT_HASHED_SECRET: ENC[AES256_GCM,data:yW8Om3vTpN1vNWoozPNhHkZ9h/teDx3sOQ2lC4tDvvft9xWW2qXo/s4ldjQVzcB+8O37qFlqK+n//+04qW8Rwvk51naVpkxOmP2AB+NL4u3f7tOv2iwnZonl85jsXtlzdytzLz4GFD16r6kez6aCj40AKYWaPSOfcEDGLv4Tma1ZE/gP8kKCaaALBw6zpVR20K9qzLWcf+9JwNytdY27cSwQgjqcUwR6rap5fInRbi4=,iv:Tc2/hffDpAJXVXVJfPfteHNderPeIpNjDFPy9nF6s/k=,tag:O82h5y4C5ZF8Wa0gWkCn1g==,type:str] + OIDC_JWKS_KEY: ENC[AES256_GCM,data:xNE9UeEWgiROb5iCnZJfCM/soyY2yH4/wxafOz/AcG9FSnTObXQv0rDCj3rdVxbIx5HOketBrm7f0W31XDZ0UEbkfqyJYhO3CnINsdKQCvL6H31+Tkq90EXftLGdRVshY3k7v8G1XUTFluJSXohZveIXKkmN55Dc1xU+Vs81EZqjienlUPppfPxue/GZbjf2qKoqvOh2NjW+Vg7ZNp3MBPsGc8W86xvXzsKk0dDL9JopdC/Xo5ajcmW1jCAa0P+zAw5I5Mxe0TEjGxo7pUhUhBSe7dL1djkDqcWUgveHJrDAV3aPoWNHtfQoVIiRavr9sS7zuUxqnIKun9cjwIh3X4b0Byf5pYYgsgLYCd5+sAO0wwpiNQ4XEfopVkkY7JMIOi7CqRW/TpgxaMNy5peBHNiAUygluIEi4fAPddk19AjGJ54Zkr5sidYEVKLNRheU24B4crRJ+ClVSHuAdlEizcklx8fjni9OoPvDeW3lhnfPLMLNBvVV/ZVxp3ztWxdzMdcKsPhb+mXIGp4sLfhvb9AD2vkkRHZITxdpLiNcu++ViEAy0pdD1w8o7caHVeM68/WGeP7TxhbH/yx30noMOJF62utV+J0RIAgb24TblfagieK/vls/46n8Me2k7Xe1mRDV3p15PaRQHpRzPLGkl7gq1NQr/Hl59CXN0/QHMbOHZ5H7Z7DFYouIEt9ZgZE/Ef5IYZ7EcVto90xnApju/IW2VVxV1RPA8/yf0Ns1dPl5P9rRwJ/EpMny84Wf5b3anM2Yr9RuPuqFZFOeN/NEePmo1llF/c3sYCI62e3KJF4o2zLJCOsi2rZLzzhi0T0j1rnAN4hc6204EuDPI2ZKc6bmnjRa3dYGKHyxvu2MEf2TxSZLOC+LOyNlsgNoCjci0ZxW5SDuX33i6xIBU+AXkbt2hdjrl9uqJNqcMtzRpngE+fuq0GaR0zNFK5Dn0+jona5Dyi1fIdereUFa/bsT8o0bBNUpEtsh81sfuIgNVuIu62EFYEMmo7cREbqJZqfVmH1r0MWPBNeMH+wPDRB+i6BnEjIoZExs48DhJgggfrA79kqbwxHHaLrngXNoeLf/TLu8e2WxPrzfip/bzQpIr2K4lKQYXsahvWn23DVBqTKnQsPEl0bBz7O5t/V/tGs+TiYEE9nuOcCSYcMynWbgGNMSB4A2xlgMHYspcgJIHMVlAp/lS92jNwNc1J+/mtvtsdfQ23C4OJ4/7Nc/OEa1TKVWNkexhSXblkajOLcpnzSrz529rRDV7qMysSyrrc7axOuSPzLUZlB/MXeLAKibZfUfQCMIQxZfSFHXmk6sEjr/yBL9CuGlwZpB7yL8gTovd41
UH67x2SZNlbfNi+GQ1YMi5SeSZB4S18etpBp7b32YgdJBH96sIZrwTMGTxCjIXNtkLqLVCwKKYL3f/S98p6U7iAnmxgg/xyitq/WhylVj903FTSqo5KOVyZ5tcCHfWf8oUh8Q/bRekTk20+8JpRhikDaH5lEzvGsbLZ6F+4W6aL9eSePLSpIU5o8F81pdqIffNJ4NwHcPraHVXq9YsiO9UwlMVYhcijY2zKnaZMWfv7yHN9QWm5SVPiGZtp4+iQGl3z7CjVZnqTD/QDa0ZBMU2DE3ajZciuGzpuR9aaCypu3txlhinS0t4yMPi6N32wKsNBemtMgasfywQ6jC2Sc4N4FolydoEdgh5hfCDyfZaEZdel/WL7UCdE5aY9OXwTJvmcl6yjQ8ZhXsuCXGG2z7WcWyAHYWrvI4Ke32/2N9dhpXGRupeS/B2JxH29SCkYj1ftvrXSnXi5zs9npbXGFO+knLjfZD7HktO3E3pbKUsgZnIadDG1mDXcOIVcqYeb08Aoz8oGAVZIMWKth7wnQTbZ84dNMZArxmI/V5GfcoM4r5mkH5AMb3T00lxM4apYOA+2ae20P0biKuMZOQXhb2f3bftNEOaFbOYboNQic96cwLKeoT3aPdHU8xp2pIfMpG9AskzZ0i0Fp4x0n2xoHtfACbEjNlkANkIbZKj5HH/9EfrUu22YXfBu46tEG2FuhQC4mgj97d93BCZ/8f5yvajy6LQjacjJQ3tafoG2DfZhHEtJ+4lPlPhpnnKpWadUEG5jCtfu1mZa0LxeObkBN+6tOY/g7bJW4vlyLIthLUrglevkIkIuqRmi31Pm2t8NTXRknDo6Iy1x07Ip2ewI/2P0sVQSTxozSqLcXMpyyUTfuPAR+fvRDLEYpD+/dZCwCdGaeLr3B9HFY/A5IcQeWp5kL27bPTYkpvVNUHLkYRILjkMprsyk4WhgreroE3Xur8dmQ3mh0lUZ9ZhWRqd+M0439WObgly3obTwSd4YGGf3mjzLRo8eNq1I1iUMXsVqAFGzLnRCDoI65EWfQ+kme5gvDBPC/lnO7TwUJFVyFuWU2spgeB6tlFQptX9ZVQlMOnTayKF0NH0bH/ng2SBct1rlO0WEjI0xnnky5K24l2cryRFBjbRF/x6qVC4PkKbsCYfl2dCh20ItPMonCI14634zIGzszEt5BJitmyF0iGse/EBBIHQ1EGkERDUd4g1ZInAJToXuE1pxdb6IJKp47QmTZRd59uQr1172oo4GsvOO7FGs7XDD/ihAwXWWbayN0rKdt+myJpJHs5qj2/Vq3d1p5SWt9aETGG9kDuJLQkeyieTueaKva2pqECB+WebcYqx4NmjkWMyhrJv018djk3jGG9JTl4hHdSV3MJWtrQGKvMhNrqfawyH/P100xlNZTKivWkIl3O08JiaHy0Xq7VxWjv2Uf5rpGlKn3jQuKameHiRslVpveS9jenapr/sJM/uLvANqSVTXl0tbXrLqn7GHi9IoJKGYAj9Eqw6iLT1V1KJFN9P4RP7ErzfHG3D1Ur112U0S0qThbsCsJvN8sRAUMnFqKVaTkNNQaO1zV5tlI0Pc4RJVAYY3Z62xMTEuLwWU952k5qLG13KW4QZlusIyIJwiqvxsk7gXyJClWWUs554WdILlmYyBOxHEH46LDEaJ5it88AMnjJBEFxIm/LnUSPaSNZ0TlfQsZ8nMWzpxfDYM60anSJqeRhkc5EIJtORbqFDggmJjLCp2TLbBq5DTMoJ0c/lL6/JzSiRnQQBxFSahGh9raBjHDXTC+T1volv3YPXov9hrN/Oej/MwJnlUxIZo6PSNfDLNpzEpCwPV02aezQ/tR4S7Ea5DbAjaBmi5A3Crp/6u3Gf/3fNmqANbbl/Ks+EMk6Vovd432ICo/ZcojAvrp2DWdXgBg0P/CGsuIjurWT9etyDmi5aIVpI7IKNi9dFcgWgpTYimxr/lp1xE9fsrsE5fRcwegt45asySZM12r9vS/u8pt
8Cl1K8C3nXmhjwHNlMkgKAxdP8bSBrDGwiHw2quiT5kpd5bGUrc0zu1/5PwgskiS4DIhhDhSTLwd102CS7bpLzf2iB0ljZQ/TmRLjisn/+sZ1TEeosEXoGlICih7/FjWM+hPd1/I67DajC5LTlM9Qu22+ASUlW2Y8jLam4Bnsz9xEIE2EdnYRw3d2aH+ZwRjSsO1AmBP+J9HgaYlyyYB6y7epVB23qGogOwH1N7EpqK/bg9rxOQSTVketk3dWzGMwvFISP6QIpSZMqhkWQsvK+DOLrJRiq7KWbk2+fwU6IcW3en63kwR4cO1D+niUgTSsGIf65xKsn1Z8O7dudeUUKvU/pGsAHnpVLTHxc+yhT+YDKGMRs1OediIbpGkLgVLmdm4V3a3Fa09fXMPiulm7vZj6vAQ74iuW4t4flOAW31NJEA1CBSeOMuoozo1gW0F8Ot/2kOWJjhEfb9FWFadpelaB5lCPWlrsgYN6U0TH7TxpVAXIyt8m2sAkrvWJ9kNgLy5H8EReX/OD2MqdkEOnQFNq1YoavnOEFImW0Vv6jEVABjQkzhdsaa4ay6gh0CuiQtPJ+UfOrwdTybwi0dh8a/SOBssz1SARWz7Ly5sGUx4Jwg37YfgJn7r7Grpz25pbql1IqCzKAF+aBWc2mKUeONe3qMpiP9gMaQZlQQuDYOfdHwoeXo4kPWdNn71Z3DE+kLA4xPutYwzSGa622ONH0ajo5z0XHRTFdERX/7wszFctbnTpsOYE7M8ZMdWEsC78dg3jlMywhTDjfEaLDWdH2QAbCsPGZTxNOWRE+fX5lZ1/L/8KiND/ujofYolgx9HQELZA6O/ypso0Ar49JD2iRfbJiHUBecBJ1rviK5XggRhJXFmF7lQPAgmk7vdB+AQBHCKUrZTUflGv2Nc6NfoaMzQS/db7TxLfjx0xopSAnCe/nxOup9cooQXG3sRU5BfEY/Qloza/Opffqs+Gq6bnOzWzfknWPv02bMbCERU61b2oxISYVA==,iv:Ph6kbILKlKrx6ISwsWmANj+ht8QcGDJcu0n3KHLe5Po=,tag:w/sF3EUj0miklK6O29BO3w==,type:str] + OIDC_JWKS_CERTIFICATE: ENC[AES256_GCM,data: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,iv:haZFJpgGzuLB8JMkM2tI9ItWAH47PQS+wa5gOJBZBek=,tag:UYG7F7ElMHDMG8DJP8nsvA==,type:str] sops: kms: [] gcp_kms: [] 
@@ -29,14 +29,14 @@ sops: - recipient: age19nu7uf8dageqlmzk23x7vl24fpn0l7cq20l3l4xxf2sk2xd5h98qss437p enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5ekhUM3RpNk5NM0V2M2Nj - b1ljV0xtMWp2d3gxazAyNCtiTURncHl2cVRZCkMzUU82N05WcUVxUGd6MXd4N21N - enU4TFBwc0ovOGJlQldHa2doTnQxcHcKLS0tIGVaT25yZENPWDZoaWg5ZWZ2dkFi - eUV4NFlTL3NkMTVycW5lQW5tb2NLd0UKx5u3VW+NR62DhnAYh50OAWdMaULtdSZc - YOZYsu7EzV2ssO+Q+g/2neUdTIpUuv3NZ2/U3JwfsqRY54bkkboijA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBON1N3SGQ1VWVDcjAzV2Zp + Sm1LdHVJR1BjZzBRWXltVjRxYUY2UGdBeGtNCjUyUjJQZFVoWm9XT2xzZGdXNlo2 + RWZVdjMxak9CV1ZTRnpqV2xOcks0ZGMKLS0tIG1SUUtBdDF3djlDazdXZkVVQmRo + bTBwUnVwWEU3WnZYOVFPT3BCVy9lQlkK9SgI2StPa5TGRX9noHeupyLvETEcbxFh + LeNV+w1cDI2jkUTtDfrwiFOEDopMbagrbsu/A4UHn8ImnqVoW0Y6XQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-12-09T19:28:26Z" - mac: ENC[AES256_GCM,data:RnimgNedU+/rebVqoqOGE0H/lZuC2+TrHLSac7I1fRvgL+dMy+5F+TZ1Fmi6IQmBykhZE2kAUC5gyqeyefQByUjulPtnFI5/oqCt2i3XGpv9+t4uS28uuHDHpKAyF6NiuSBxpAu7VC+6vDxDS2hRafZmEYGQqnRkz1LmcHsHx6U=,iv:irTRihWnyVBvN1u4BbNjPnfgi3/0VyC0ufgs5eQLuJU=,tag:r7dXETjHKyFlF+R61MqsKw==,type:str] + lastmodified: "2024-12-22T21:11:58Z" + mac: ENC[AES256_GCM,data:UEXDi50bC/9Tad3Nxh9Jx4pesqfJ7jWBpD7gxUs2t4xVtrnKkVGe0Ul1qV1ZYxFeAYB7fmrMKehlJ+U/y1f0BjKklGkKuCjPWRQLwCAmvOIKHGyt0kIl7HrMQSqfJvCxVeL1xv4/MxK+MJUQCnUPrUo/MYKebEixj3fcEREHhR8=,iv:DUzhUHMTpwHArz8nJhz4O9L0RqCEmv1iuMCJBsyBQ3Y=,tag:JqNNHk5uWc1+gp071xlTQA==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ - version: 3.9.1 + version: 3.9.2 diff --git a/kubernetes/main/apps/database/dragonfly/app/secret.sops.yaml b/kubernetes/main/apps/database/dragonfly/app/secret.sops.yaml index 4a624a8..2caf5a8 100644 --- a/kubernetes/main/apps/database/dragonfly/app/secret.sops.yaml +++ b/kubernetes/main/apps/database/dragonfly/app/secret.sops.yaml 
@@ -5,7 +5,7 @@ metadata: name: dragonfly-secret type: Opaque stringData: - password: ENC[AES256_GCM,data:g2neVjzuv69zVQWlCok6hjuSh5XG/qudxGpgeQ==,iv:7cmGSzTFNau8tPo/EAM3E8mJnq6S/vqA6T87YuOA1MM=,tag:CCiD1h/EKPpM4ti5q5GV9Q==,type:str] + password: ENC[AES256_GCM,data:EEMYJWhxZOWnATeymCYkGHSsQ4dYmNuD3dSXUw==,iv:+UsOgHNBrV6SxLjkCVJSF2yI5xV5jcNxGl6KXhpo350=,tag:IAG4kpjquroXgJGmr3B4NQ==,type:str] sops: kms: [] gcp_kms: [] @@ -15,14 +15,14 @@ sops: - recipient: age19nu7uf8dageqlmzk23x7vl24fpn0l7cq20l3l4xxf2sk2xd5h98qss437p enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHcXlTSGVDa214ZWJiSHpi - TXptQ2hvMVdhMGpyMlgwMkkyMExZb01jK1E0Ck0xa0I0Q1U3Ky9pRGZia3pBbnpT - RlpLWTNldGdZVExHcnZZTjFYZkxuY1EKLS0tIExOWHRTcVNYZHNzRlBDZzVUeldE - R3FWUEFYazVNQUJDQnlXVzVTYkJFOTQK+RRCpx4EgiXUwttpuDa/rNeIMM1ku7Og - bOJsEBRxGdd9ALeAbxswnd7PuADgAuq383EnQmZWPsKwtnWnbVUcMQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIZ1ZDL0s0cHNPckRjdElz + Q3dQOFN4cXc4R3pKRHhRUHFlK2E5YUE1SVhzCmVRZ0s2bUZnc1hXSkZUV20zZVg1 + eFBXOTBEKzNaWk0rQVoraGF4S0YzWGcKLS0tIDNaUHFrbEU4LzFoaTRSMStXVjRH + OCswdUcxSGFHbjRMKzVDWjA5R294SkUK6/6px/dIwi6NlFjQiSz9vLO+kqQQdTw9 + lg83rpk7qtjL6pH4N/nSzR/64NkBgvulUSDwP9flO/me4Vp1vMETaQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-11-23T01:03:25Z" - mac: ENC[AES256_GCM,data:w7CUzV2NoD50UpehusXqXGnVFkPrQMGJ4qufzPs/9WRj4oOoQ0z+jGytap+qo1P3ulJosvu1Y1DpYZKanhVrAVlGvX3sYOmS8iQ4YrHP3BTsG74ep5cQpjQAPas5aZg14X9ww2OGfhQk0u6nQB3VGETtklRptNIrJw2yB/2Qyso=,iv:pjrnV2iX84nvr7n/Nzj/SSZtJZTqOV+TJKFtIsB6fbU=,tag:d+NT+tWfQ+N3CWdWrWbpDQ==,type:str] + lastmodified: "2024-12-29T19:28:29Z" + mac: ENC[AES256_GCM,data:dnqn2Ig9TNL0WxTyhDh9ZhlYlZa8Dfmi3tRk1krreR9oaKPCrj9vc7apGZuF1Hv8z6y5G0ukH0+cahPkwv3mVaHSELhyYhJE8RwW/1GMvwTzHgMOsny9g2CrrmZ8d4vdfiIz2/0EFJL07Ou865uklggRq+4xW/K49Fhv7SkHofo=,iv:bLoSmgxkNMC6VooX/tX9SFDV7h6tuSkq7Hjx3ApM6kE=,tag:bCpkqdOu7QmWfFJUxhP2tg==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ - version: 3.9.1 + version: 3.9.2 
diff --git a/kubernetes/main/apps/database/kustomization.yaml b/kubernetes/main/apps/database/kustomization.yaml index 0f79200..a57a982 100644 --- a/kubernetes/main/apps/database/kustomization.yaml +++ b/kubernetes/main/apps/database/kustomization.yaml @@ -8,4 +8,6 @@ resources: - ./cloudnative-pg/ks.yaml - ./pgadmin/ks.yaml - ./minio/ks.yaml + - ./rabbitmq/ks.yaml + #- ./mysql/ks.yaml #- ./mssql/ks.yaml diff --git a/kubernetes/main/apps/database/mysql/app/helmrelease.yaml b/kubernetes/main/apps/database/mysql/app/helmrelease.yaml new file mode 100644 index 0000000..b66355e --- /dev/null +++ b/kubernetes/main/apps/database/mysql/app/helmrelease.yaml @@ -0,0 +1,61 @@ +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: &app mysql +spec: + interval: 30m + chart: + spec: + chart: app-template + version: 3.5.1 + sourceRef: + kind: HelmRepository + name: bjw-s + namespace: flux-system + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + strategy: rollback + retries: 3 + values: + defaultPodOptions: + imagePullSecrets: + - name: github + controllers: + mysql: + strategy: RollingUpdate + annotations: + reloader.stakater.com/auto: "true" + containers: + mysql: + image: + repository: ghcr.io/linuxserver/mariadb + tag: 10.11.10 + env: + PUID: "1000" + PGID: "1000" + MYSQL_ROOT_PASSWORD: password + service: + mysql: + controller: mysql + type: LoadBalancer + annotations: + io.cilium/lb-ipam-ips: "${LB_MYSQL}" + external-dns.alpha.kubernetes.io/target: "external.${SECRET_EXTERNAL_DOMAIN}" + ports: + mysql: + port: 3306 + persistence: + data: + type: persistentVolumeClaim + storageClass: cluster-nvme + accessMode: ReadWriteOnce + size: 8Gi + retain: true + globalMounts: + - path: /config 
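Review bot: `MYSQL_ROOT_PASSWORD: password` in `database/mysql/app/helmrelease.yaml` commits the database root password in plaintext, and the same values expose port 3306 through a `type: LoadBalancer` service annotated with an external-dns target under `external.${SECRET_EXTERNAL_DOMAIN}`. This commit also adds `mysql-secret` with an encrypted `MYSQL_ROOT_PASSWORD`, but nothing in the HelmRelease references it; replace the literal with `envFrom: [{secretRef: {name: mysql-secret}}]`. Unless the database has to be reachable from outside the cluster, a `ClusterIP` service without the external-dns annotation is the safer default. The release is not reconciled yet because `./mysql/ks.yaml` is added commented out in `database/kustomization.yaml`, so both points can be fixed before it is enabled. `tag: 10.11.10` is also not pinned by digest, unlike other images in this commit.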
diff --git a/kubernetes/main/apps/database/mysql/app/kustomization.yaml b/kubernetes/main/apps/database/mysql/app/kustomization.yaml
new file mode 100644
index 0000000..8b3cc1a
--- /dev/null
+++ b/kubernetes/main/apps/database/mysql/app/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./helmrelease.yaml
+ - ./secret.sops.yaml
diff --git a/kubernetes/main/apps/database/mysql/app/secret.sops.yaml b/kubernetes/main/apps/database/mysql/app/secret.sops.yaml
new file mode 100644
index 0000000..b7dd9e5
--- /dev/null
+++ b/kubernetes/main/apps/database/mysql/app/secret.sops.yaml
@@ -0,0 +1,28 @@ +# yamllint disable +kind: Secret +apiVersion: v1 +type: Opaque +metadata: + name: mysql-secret +stringData: + MYSQL_ROOT_PASSWORD: ENC[AES256_GCM,data:itJLu2+bK6F4039pm+ygnm+4lXySO6oaF6E0PymgVljNxFOSQBX4iYVjc0P0ogxaseATaSPGFww=,iv:UmLA+Y+N9UPksuL70R/MWRsTNsqCuzmBK1UIMQ2s7v4=,tag:C9cukU/Daqkd4cI8rO3fBA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age19nu7uf8dageqlmzk23x7vl24fpn0l7cq20l3l4xxf2sk2xd5h98qss437p + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMb1Q3THBzTnBNSUJDN3ky + dEFCeTlJWkFvMWFnV092ZmZ3ZG1PbEg4b1ZjCm9wK0s4ekdJK0VSaU5FQUdJdjdp + dmppZytiRThhQUhhU2JiYVVDTSthTjgKLS0tIEJFeHlIdGJFM1pJL042WEsrL1pp + SFlGZDcyNDQyR084bC9XYTBGRjMrYkEK0z0CF6EZPd8cniJTtCZNy26wRYXUs13c + F2wPUaGydg88EsYNaQYx6unQVj0QgwN5wgLpAh/Y0SnNXFetS2jkNA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-12-24T05:03:04Z" + mac: ENC[AES256_GCM,data:sbyMYCS+X+h2hJEQYV5S47IZ7qk8YxK20aCWEU7WkcSZP7kMvbxjhyptpoMeihU3PFbQjBLveYxWF2hdsUY/p1WZ3rihLSD5QluMhtn5ha0CZIj8B21aLtHohVq5QUI0Os5a4rxWfh3/rI8ayuS/zcbtAouFkV05cPZ8z2vu7W0=,iv:6baoBg2UyvrXjrxHM6klGcxm5ze3j/0mhT46ca8UpUM=,tag:NXek+0VfPz2T9GSztheOtw==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.9.2 diff --git a/kubernetes/main/apps/database/mysql/ks.yaml b/kubernetes/main/apps/database/mysql/ks.yaml new file mode 100644 index 0000000..bda67ba --- /dev/null +++ b/kubernetes/main/apps/database/mysql/ks.yaml 
@@ -0,0 +1,26 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app mysql
+ namespace: flux-system
+spec:
+ targetNamespace: database
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ dependsOn:
+ - name: traefik
+ path: ./kubernetes/main/apps/database/mysql/app
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: k8s-gitops
+ wait: false
+ interval: 30m
+ retryInterval: 1m
+ timeout: 5m
+ postBuild:
+ substitute:
+ APP: *app
diff --git a/kubernetes/main/apps/database/rabbitmq/app/helmrelease.yaml b/kubernetes/main/apps/database/rabbitmq/app/helmrelease.yaml
new file mode 100644
index 0000000..c8d37f0
--- /dev/null
+++ b/kubernetes/main/apps/database/rabbitmq/app/helmrelease.yaml
@@ -0,0 +1,33 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: &app rabbitmq
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: *app
+ reconcileStrategy: ChartVersion
+ sourceRef:
+ kind: HelmRepository
+ name: bitnami
+ namespace: flux-system
+ install:
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ strategy: rollback
+ retries: 3
+ values:
+ persistence:
+ storageClass: cluster-nvme
+ size: 6Gi
+ auth:
+ username: *app
+ existingPasswordSecret: rabbitmq-secret
+ existingSecretPasswordKey: "RABBITMQ_PASSWORD"
+ metrics:
+ enabled: true
diff --git a/kubernetes/main/apps/database/rabbitmq/app/kustomization.yaml b/kubernetes/main/apps/database/rabbitmq/app/kustomization.yaml
new file mode 100644
index 0000000..16a6ce3
--- /dev/null
+++ b/kubernetes/main/apps/database/rabbitmq/app/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./secret.sops.yaml
+ - ./helmrelease.yaml
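Review bot: The rabbitmq HelmRelease sets `chart: *app` and `reconcileStrategy: ChartVersion` but no `version:`, so Flux will install whatever the `bitnami` repository currently serves as the latest chart. The mysql, plane and blackbox-exporter releases in this commit each pin a version. Without a pin, broker upgrades and anything newly published to that repository roll out with no reviewable diff; add `version: <PINNED_CHART_VERSION>` under `spec.chart.spec`. The manifest also uses `helm.toolkit.fluxcd.io/v2beta1` where the other new releases use `v2`, and it lacks the `# yaml-language-server` schema comment they carry.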
diff --git a/kubernetes/main/apps/database/rabbitmq/app/secret.sops.yaml b/kubernetes/main/apps/database/rabbitmq/app/secret.sops.yaml new file mode 100644 index 0000000..4ce95b6 --- /dev/null +++ b/kubernetes/main/apps/database/rabbitmq/app/secret.sops.yaml @@ -0,0 +1,28 @@ +# yamllint disable +kind: Secret +apiVersion: v1 +type: Opaque +metadata: + name: rabbitmq-secret +stringData: + RABBITMQ_PASSWORD: ENC[AES256_GCM,data:sK2UkcCAXG7n/d2fp+skIAmot/EOpDCRYJn+9PNSsY4=,iv:6vmeRQlZ88ckih28P23nGJzVpW2BKLExx1wuKtXPubw=,tag:Hb5IISsrr9Nq3ziv/kV/EQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age19nu7uf8dageqlmzk23x7vl24fpn0l7cq20l3l4xxf2sk2xd5h98qss437p + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDSW96N3M2aXpiL3pCOEli + Z2VlaW9zZ2RWbDZtUW5BMDhrcTJBT2lEczFjCjJnUGJiNC93Z2dDdEV3UkFCejEr + MDlrRlRBU3BZanE5Ymd3QktHbFFjTU0KLS0tIEJpYTl0TS9RbmxJc1NqZDV5bWFr + cTFQZlNyRnJ3TW5IeTkydFlkMzNzNk0KEGlybL2SZO2SWkFFCZQLDBK7PtiIVcnY + KiTgrJu/5ocSxBSHNx9800el/0X7WF+B26dNVOBn6qciTTa77Nvj4A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-12-29T20:12:02Z" + mac: ENC[AES256_GCM,data:zTmPD99kd/9feW6LRWxSvoUf5wf+2uUtuS2MhRjFq7VUL8aLs9p1/CwpTLhacR8p/0MoZSlO1rYU4suHwtIzFfKC/ZNlVaJhB+kiypcKE5YvkZDMH71iYeS4Zd3M9OwagMIZB7w80HwKxDdIOJ95DSDiKhUKRA/R85ibgKv7LfE=,iv:T4pYNJbM4WggnGu+dboEfP/fG3xdd6ksFbwZXWF6dRM=,tag:Luf8fpBpnTa2Wcxmv/E8Kg==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.9.2 diff --git a/kubernetes/main/apps/database/rabbitmq/ks.yaml b/kubernetes/main/apps/database/rabbitmq/ks.yaml new file mode 100644 index 0000000..b5d1666 --- /dev/null +++ b/kubernetes/main/apps/database/rabbitmq/ks.yaml 
@@ -0,0 +1,24 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app rabbitmq + namespace: flux-system +spec: + targetNamespace: database + commonMetadata: + labels: + app.kubernetes.io/name: *app + path: ./kubernetes/main/apps/database/rabbitmq/app + prune: true + sourceRef: + kind: GitRepository + name: k8s-gitops + wait: false + interval: 30m + retryInterval: 1m + timeout: 5m + postBuild: + substitute: + APP: *app diff --git a/kubernetes/main/apps/dev/namespace.yaml b/kubernetes/main/apps/dev/namespace.yaml deleted file mode 100644 index b237971..0000000 --- a/kubernetes/main/apps/dev/namespace.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: dev - labels: - kustomize.toolkit.fluxcd.io/prune: disabled diff --git a/kubernetes/main/apps/downloads/archivebox/app/helmrelease.yaml b/kubernetes/main/apps/downloads/archivebox/app/helmrelease.yaml index c95d843..8183054 100644 --- a/kubernetes/main/apps/downloads/archivebox/app/helmrelease.yaml +++ b/kubernetes/main/apps/downloads/archivebox/app/helmrelease.yaml @@ -119,3 +119,13 @@ spec: app: - path: /data subPath: ./data + nfs-media: + type: nfs + server: ${NFS_HOST} + path: ${NFS_MEDIA} + advancedMounts: + archivebox: + app: + - path: /data/r720xd-media + readOnly: false + #- path: "/data/r720xd-media/M Media/00-09 Archives/01 Backups/01.10 ArchiveBox" diff --git a/kubernetes/main/apps/downloads/bazarr/app/helmrelease.yaml b/kubernetes/main/apps/downloads/bazarr/app/helmrelease.yaml index 42d1e92..dedea96 100644 --- a/kubernetes/main/apps/downloads/bazarr/app/helmrelease.yaml +++ b/kubernetes/main/apps/downloads/bazarr/app/helmrelease.yaml 
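Review bot: The new `nfs-media` volume in archivebox/app/helmrelease.yaml mounts the whole `${NFS_MEDIA}` export at `/data/r720xd-media` with `readOnly: false`, which gives the ArchiveBox container write access to every file on the media share. The commented-out path on the last added line suggests only the `01.10 ArchiveBox` backup directory is needed. If so, narrow the mount to that directory with a `subPath:` on the mount entry, as the existing `/data` mount in this block already does, or by pointing the NFS `path` at that directory. ArchiveBox fetches and processes arbitrary web content, so limiting its writable area to its own archive directory bounds what a compromised or misbehaving job can alter. The `persistence` block begins above this hunk.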
@@ -76,7 +76,7 @@ spec: cert-manager.io/cluster-issuer: "letsencrypt-production" external-dns.alpha.kubernetes.io/target: "external.${SECRET_EXTERNAL_DOMAIN}" gethomepage.dev/enabled: "true" - gethomepage.dev/group: Downloads + gethomepage.dev/group: Media gethomepage.dev/name: Bazarr gethomepage.dev/description: Subtitles gethomepage.dev/icon: bazarr diff --git a/kubernetes/main/apps/downloads/prowlarr/app/helmrelease.yaml b/kubernetes/main/apps/downloads/prowlarr/app/helmrelease.yaml index 8986cc0..b9faf1c 100644 --- a/kubernetes/main/apps/downloads/prowlarr/app/helmrelease.yaml +++ b/kubernetes/main/apps/downloads/prowlarr/app/helmrelease.yaml @@ -79,7 +79,7 @@ spec: cert-manager.io/cluster-issuer: "letsencrypt-production" external-dns.alpha.kubernetes.io/target: "external.${SECRET_EXTERNAL_DOMAIN}" gethomepage.dev/enabled: "true" - gethomepage.dev/group: Downloads + gethomepage.dev/group: Media gethomepage.dev/name: Prowlarr gethomepage.dev/description: Torrent proxy gethomepage.dev/icon: prowlarr diff --git a/kubernetes/main/apps/downloads/radarr/app/helmrelease.yaml b/kubernetes/main/apps/downloads/radarr/app/helmrelease.yaml index 12f1aaa..414aabf 100644 --- a/kubernetes/main/apps/downloads/radarr/app/helmrelease.yaml +++ b/kubernetes/main/apps/downloads/radarr/app/helmrelease.yaml @@ -84,7 +84,7 @@ spec: cert-manager.io/cluster-issuer: "letsencrypt-production" external-dns.alpha.kubernetes.io/target: "external.${SECRET_EXTERNAL_DOMAIN}" gethomepage.dev/enabled: "true" - gethomepage.dev/group: Downloads + gethomepage.dev/group: Media gethomepage.dev/name: Radarr gethomepage.dev/description: Movies gethomepage.dev/icon: radarr diff --git a/kubernetes/main/apps/downloads/sonarr/app/helmrelease.yaml b/kubernetes/main/apps/downloads/sonarr/app/helmrelease.yaml index 171e286..8741c38 100644 --- a/kubernetes/main/apps/downloads/sonarr/app/helmrelease.yaml +++ b/kubernetes/main/apps/downloads/sonarr/app/helmrelease.yaml 
@@ -85,7 +85,7 @@ spec: cert-manager.io/cluster-issuer: "letsencrypt-production" external-dns.alpha.kubernetes.io/target: "external.${SECRET_EXTERNAL_DOMAIN}" gethomepage.dev/enabled: "true" - gethomepage.dev/group: Downloads + gethomepage.dev/group: Media gethomepage.dev/name: Sonarr gethomepage.dev/description: Shows gethomepage.dev/icon: sonarr diff --git a/kubernetes/main/apps/home-office/kustomization.yaml b/kubernetes/main/apps/home-office/kustomization.yaml index a44683c..1dade5a 100644 --- a/kubernetes/main/apps/home-office/kustomization.yaml +++ b/kubernetes/main/apps/home-office/kustomization.yaml @@ -5,3 +5,4 @@ kind: Kustomization resources: - ./namespace.yaml - ./actual/ks.yaml + - ./plane/ks.yaml diff --git a/kubernetes/main/apps/home-office/plane/app/helmrelease.yaml b/kubernetes/main/apps/home-office/plane/app/helmrelease.yaml new file mode 100644 index 0000000..632ced6 --- /dev/null +++ b/kubernetes/main/apps/home-office/plane/app/helmrelease.yaml 
@@ -0,0 +1,152 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.ok8.sh/helm.toolkit.fluxcd.io/helmrelease_v2beta1.json +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: &app plane +spec: + interval: 30m + chart: + spec: + chart: plane-ce + version: 1.0.27 + sourceRef: + kind: HelmRepository + name: *app + namespace: flux-system + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + uninstall: + keepHistory: false + values: + planeVersion: stable + + ingress: + enabled: true + appHost: "plane.${SECRET_INTERNAL_DOMAIN}" + ingressClass: traefik + ingress_annotations: + cert-manager.io/cluster-issuer: "letsencrypt-production" + gethomepage.dev/enabled: "true" + gethomepage.dev/group: Home + gethomepage.dev/name: Plane + gethomepage.dev/description: Project management + gethomepage.dev/icon: "/icons/plane.png" + + ssl: + generateCerts: true + issuer: "letsencrypt-production" + + redis: + local_setup: false + + postgres: + local_setup: false + + minio: + local_setup: false + + rabbitmq: + local_setup: false + + web: + replicas: 1 + memoryLimit: 1Gi + cpuLimit: 500m + image: makeplane/plane-frontend + pullPolicy: IfNotPresent + assign_cluster_ip: true + + space: + replicas: 1 + memoryLimit: 1Gi + cpuLimit: 500m + image: makeplane/plane-space + pullPolicy: IfNotPresent + assign_cluster_ip: true + + admin: + replicas: 1 + memoryLimit: 1Gi + cpuLimit: 500m + image: makeplane/plane-admin + pullPolicy: IfNotPresent + assign_cluster_ip: true + + api: + replicas: 1 + memoryLimit: 1Gi + cpuLimit: 500m + image: makeplane/plane-backend + pullPolicy: IfNotPresent + assign_cluster_ip: false + + worker: + replicas: 1 + memoryLimit: 8Gi + cpuLimit: "6" + image: makeplane/plane-backend + pullPolicy: IfNotPresent + + beatworker: + replicas: 1 + memoryLimit: 1Gi + cpuLimit: 500m + image: makeplane/plane-backend + pullPolicy: IfNotPresent + + env: + docstore_bucket: "uploads" + 
doc_upload_size_limit: "5242880" # 5MB + sentry_dsn: "" + sentry_environment: "" + + cors_allowed_origins: "" + default_cluster_domain: cluster.local + + valuesFrom: + - targetPath: rabbitmq.external_rabbitmq_url + kind: Secret + name: plane-secret + valuesKey: RABBITMQ_URL + - targetPath: env.pgdb_username + kind: Secret + name: plane-secret + valuesKey: POSTGRES_USER + - targetPath: env.pgdb_password + kind: Secret + name: plane-secret + valuesKey: POSTGRES_PASSWORD + - targetPath: env.pgdb_name + kind: Secret + name: plane-secret + valuesKey: POSTGRES_DB + - targetPath: env.pgdb_remote_url + kind: Secret + name: plane-secret + valuesKey: POSTGRES_URL + - targetPath: env.remote_redis_url + kind: Secret + name: plane-secret + valuesKey: REDIS_URL + - targetPath: env.aws_access_key + kind: Secret + name: plane-secret + valuesKey: MINIO_ACCESS_KEY + - targetPath: env.aws_secret_access_key + kind: Secret + name: plane-secret + valuesKey: MINIO_SECRET_KEY + - targetPath: env.aws_s3_endpoint_url + kind: Secret + name: plane-secret + valuesKey: MINIO_URL + - targetPath: env.secret_key + kind: Secret + name: plane-secret + valuesKey: SECRET_KEY diff --git a/kubernetes/main/apps/home-office/plane/app/kustomization.yaml b/kubernetes/main/apps/home-office/plane/app/kustomization.yaml new file mode 100644 index 0000000..16a6ce3 --- /dev/null +++ b/kubernetes/main/apps/home-office/plane/app/kustomization.yaml @@ -0,0 +1,7 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./secret.sops.yaml + - ./helmrelease.yaml diff --git a/kubernetes/main/apps/home-office/plane/app/secret.sops.yaml b/kubernetes/main/apps/home-office/plane/app/secret.sops.yaml new file mode 100644 index 0000000..f596dcf --- /dev/null +++ b/kubernetes/main/apps/home-office/plane/app/secret.sops.yaml 
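Review bot: `planeVersion: stable` combined with `pullPolicy: IfNotPresent` on every component leaves the running images unpinned, assuming `planeVersion` selects the image tag as the value suggests. `stable` is a moving tag and each node keeps whichever build it pulled first, so a reschedule can start a different image than the one reviewed here. Pin it to the release that matches chart `1.0.27`, for example `planeVersion: <PINNED_RELEASE_TAG>`, so upgrades arrive as a reviewable change. The `upgrade.remediation` block also omits `strategy: rollback`, which the other new HelmReleases in this commit set. The schema comment points at `helmrelease_v2beta1.json` although the manifest is `helm.toolkit.fluxcd.io/v2`.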
@@ -0,0 +1,37 @@ +# yamllint disable +kind: Secret +apiVersion: v1 +type: Opaque +metadata: + name: plane-secret +stringData: + SECRET_KEY: ENC[AES256_GCM,data:Hlge8nCQC8cAwBAhKhOSIQDFqPCl0q8lp14Lrb1Ha1xfimzv0FYtWTHVGjP50cu5Kr1qv6SPSsU0rvHOdPvfuw==,iv:qY++THG8PWRGJb5qURyzV5C+022eBKOWdf19vdu3Stg=,tag:XhCcjURlz6xtFNzXehe1gw==,type:str] + POSTGRES_USER: ENC[AES256_GCM,data:XQVJU+0=,iv:8dc07OmRZA/PTyIsK8zHnLKa+HFeaQ4h09nNiWTNPlY=,tag:pmRJXHtSngQmTpUtY4xzmA==,type:str] + POSTGRES_DB: ENC[AES256_GCM,data:RtBCCWw=,iv:BpRYcn2BpIRcLmQcAIrunvtB4MDuDYkmJOnAsmPtat0=,tag:xvUhN8ixC5jY8ykAQwzjNQ==,type:str] + POSTGRES_PASSWORD: ENC[AES256_GCM,data:iiGNnq0jK1/1zYZG9xKh6FpHYwHynQ+0/bFW6ecrIcA=,iv:xQfhOf8DjSKU+5YE4OeaKBFojL8dx6EUAg9mIkPiKTk=,tag:+0OmSsaTRbIMDxiRtNo28w==,type:str] + POSTGRES_URL: ENC[AES256_GCM,data:tiUR01NTwPZvOaH3AewUl2DwMe6C1p+t/RwcnbHHGPtMv6LDUlszTJq5b3OODmNrCZql+FPmNretO+UWNKHRFB0+PbrtDLVR6Aia91PBVlWvYUwmHXIwLGkJWyTmQ6yQK3n0hHUhhA==,iv:x5bhArp40eaO7UrFVTT8dw89OaQRyJTAOH2VyQSmgbs=,tag:zsjobWSyB7a4CUvREBTNzw==,type:str] + REDIS_URL: ENC[AES256_GCM,data:ZVjRw2T2QvxentteSyAC5tzoc4VJM4U01JpLxvx9d+3kiRwhImYXhhDbzFvetfD52V3Z/Z+upOQhCaiFPxwBW2gSrNiQ/rxOiJoB65fKNg90NoIn,iv:VxmX6waqWRyre6nbM63K5sUrxbDmbyXaakIqZFkKVjg=,tag:dgxCagZKumzE8w4QK4mrYQ==,type:str] + RABBITMQ_URL: ENC[AES256_GCM,data:fsKrT7di5yPxRkSF1AmWsjvqBeSZHuBUx7MzfXdM+uXa9t+BSOjRN1P+oUYGj09jRY/PEsYjouTJKTCCCkD3noC88j4IkwcxhEJrbIgvgZKhH3yzsjQBzJDevCE=,iv:I1wUED3rLlu4Mds9jk3Io2vt2iCdEoUu9U7d6g0Xgnk=,tag:jFfA1WN3HoA+4PexBy9ByA==,type:str] + MINIO_URL: ENC[AES256_GCM,data:AHOPIiRJrX/6UAaTGpVhMMhLzugupdi7o2GZjTVl1n7td5Z8naNiNUp/UVKP2ge9K6XLyZZIYwV+VoPEaD54IYRdlL7aE/XH6bMrY3btxdYakplkesktT/kIWBLWsYC8vI3yoWuust/5LO3lZMw/x6w=,iv:W4FyvWVqCKdrofH4fgPiqADgz+PAHYiM9HX5s3dt5RA=,tag:FgdSBWTiCkw/hmsPNWKdQw==,type:str] + MINIO_ACCESS_KEY: ENC[AES256_GCM,data:i8hXPpjmov8WfOL8OkafOaRgPgU=,iv:A2pk8x5LxHLldMD61O/bvb5G7Jdt/m3I4/aShUs88Ao=,tag:27gEOSWw2x/1oEYh/k85JQ==,type:str] + MINIO_SECRET_KEY: 
ENC[AES256_GCM,data:YG7/kjI65vmvzBj7XuuGbSlNg3ZfmJn5UtwZCK8he6BbIXvw1Tu5JA==,iv:vj/UOmOpRB99143VwdOOvf79kMNA7SRx0CdgMEv9938=,tag:K+1AauPt+SHTq1rfecDAhg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age19nu7uf8dageqlmzk23x7vl24fpn0l7cq20l3l4xxf2sk2xd5h98qss437p + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5cUNsRW9PaWtFTEJORDZx + eDBRdXg3QkhzMzFGVHJpTkZaK0wyYlNMdzJvCk1XZTUrNzJpZlZpWHRuUEVvekFF + QU12aVRoR3N6eUR6aHEwTWlIOU9SazQKLS0tIGU2ZmloNWxHRGFEQ1YwUjBONENS + bGxqQmhESjY2L01mSUVtYUdxVlpzR28KlXVdYP1I98OeiUi+h1+JHpm4/SS1OwiI + 4FfbygAqlk5xDMc7+rGvkeN82MMJTJf2FnIqtnYUlIBa+sh3A8L20Q== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-12-29T20:57:38Z" + mac: ENC[AES256_GCM,data:bTm/uac73fcZLlWKqRCtjdKTeHlwMcAnPiWBSOxs+BqXn0EeV65BL9oEJ/qpXPLyupvO2neUUnsrQawEo2G71m0voRrCxV3tAVfYgStQ+Ek/lJFdIlQxRrt9rIoSIc/eEeC6VYx90HHWO7gXT06B46fN66emxotY0IoG1BbWVRY=,iv:+d79pdiiRFxulpSn+4X5WTQo4xArwTHZjfYdW3s8YLE=,tag:V+WVxVWbY+hnpObNr63aCg==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.9.2 diff --git a/kubernetes/main/apps/home-office/plane/ks.yaml b/kubernetes/main/apps/home-office/plane/ks.yaml new file mode 100644 index 0000000..2d0a7cc --- /dev/null +++ b/kubernetes/main/apps/home-office/plane/ks.yaml @@ -0,0 +1,27 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app plane + namespace: flux-system +spec: + targetNamespace: home-office + commonMetadata: + labels: + app.kubernetes.io/name: *app + dependsOn: + - name: rabbitmq + - name: traefik + path: ./kubernetes/main/apps/home-office/plane/app + prune: true + sourceRef: + kind: GitRepository + name: k8s-gitops + wait: false + interval: 30m + retryInterval: 1m + timeout: 5m + postBuild: + substitute: + APP: *app 
diff --git a/kubernetes/main/apps/home/homepage/app/helmrelease.yaml b/kubernetes/main/apps/home/homepage/app/helmrelease.yaml index 6f8df6b..cfe1db2 100644 --- a/kubernetes/main/apps/home/homepage/app/helmrelease.yaml +++ b/kubernetes/main/apps/home/homepage/app/helmrelease.yaml @@ -111,6 +111,9 @@ spec: - subPath: atuin.png path: /app/public/icons/atuin.png readOnly: true + - subPath: plane.png + path: /app/public/icons/plane.png + readOnly: true bookmarks: type: secret name: homepage-secret diff --git a/kubernetes/main/apps/home/homepage/app/resources/services.yaml b/kubernetes/main/apps/home/homepage/app/resources/services.yaml index 16cd21a..86b5905 100644 --- a/kubernetes/main/apps/home/homepage/app/resources/services.yaml +++ b/kubernetes/main/apps/home/homepage/app/resources/services.yaml @@ -1,5 +1,5 @@ --- -- Network: +- Overview: - OPNsense: href: https://opnsense.${SECRET_OLD_DOMAIN} siteMonitor: https://opnsense.${SECRET_OLD_DOMAIN} diff --git a/kubernetes/main/apps/home/homepage/app/resources/settings.yaml b/kubernetes/main/apps/home/homepage/app/resources/settings.yaml index f442228..45f5286 100644 --- a/kubernetes/main/apps/home/homepage/app/resources/settings.yaml +++ b/kubernetes/main/apps/home/homepage/app/resources/settings.yaml @@ -11,7 +11,7 @@ background: providers: openweathermap: "{{OPENWEATHERMAP_API_KEY}}" layout: - Network: + Overview: tab: Main style: row columns: 4 @@ -21,12 +21,14 @@ layout: tab: Main Services: tab: Main + Media: + tab: Main + Downloads: + tab: Main Tools: tab: Main Research: tab: Main - Downloads: - tab: Main Endpoints: tab: Admin IPMIs: diff --git a/kubernetes/main/apps/home/homepage/app/secret.sops.yaml b/kubernetes/main/apps/home/homepage/app/secret.sops.yaml index bd2ca2c..2f9c3d4 100644 --- a/kubernetes/main/apps/home/homepage/app/secret.sops.yaml +++ b/kubernetes/main/apps/home/homepage/app/secret.sops.yaml 
@@ -5,15 +5,15 @@ type: Opaque metadata: name: homepage-secret stringData: - HOMEPAGE_VAR_LATITUDE: ENC[AES256_GCM,data:+oayJpU0x7E=,iv:k+VHqGsbvS0DlTMpNXObZGJurJ3vrs4kEjNHXMnbdV4=,tag:+jcXAEylIXrjSGIFGVt/bw==,type:str] - HOMEPAGE_VAR_LONGITUDE: ENC[AES256_GCM,data:kQvg6M1AD3YX,iv:ZYJs9ghlZzFNOcqYJRlBysmWWmf2N7uo3G9UUiaNe1k=,tag:JKAkVg6S91I07Ka7oqLm8w==,type:str] - HOMEPAGE_VAR_OPNSENSE_API_KEY: ENC[AES256_GCM,data:EAWnYyMHXFWuO7iefrueR04kkTa9iy84SJfeZv2Lujvl8DpHRhF9a7q7dcJKhHLyoiZAAvvQC4IeENiGZTMe8voWs3YRR7Y9+iC9xTz7cYc=,iv:KiUIF31YYINue8mxz8NHLiCa1AyF3pjCknBYUmE0O4c=,tag:m9NhvBKWLMR9A3GpV0mvnA==,type:str] - HOMEPAGE_VAR_OPNSENSE_API_SECRET: ENC[AES256_GCM,data:TWPzdZqSa8UsU3B6wkx8XLDmUylHcEBjk83XYpP7nP3a2UZKYPST3mnJGf1Yqas5ZB3PCu56/rheObj6al/naek76RJxnTukE2oC/xGBxKc=,iv:qeCnqJDHmg+jF8c8MYLEjiXh7l/TrnVmvS29CXXPgp8=,tag:uPZC5NkzZQBBRiXdGgwMOA==,type:str] - HOMEPAGE_VAR_JELLYFIN_API_KEY: ENC[AES256_GCM,data:SpvFcmYuQf8FQ77urujzH1Jpx4gFiaf5bq3TE6vUmt4=,iv:q3riCnHKzhhmXGyip3Y4FPZTWV0AkGgxqdSjHkPb5wM=,tag:3n6zztaeklwGszsTDna/aA==,type:str] - HOMEPAGE_VAR_JELLYSEERR_API_KEY: ENC[AES256_GCM,data:FvXp+1uIfEYFhhy3RbyOdFgWD8yauBCoCvgaxegjbvikDDdwZ9+2aM+9nff7heeDn55uAR5R5RvxQ7UxlfTfG/BR7oU=,iv:x4y9ngDELtKehiVwIr/VAnvTP0IowjSDi39Ed6kSVd4=,tag:C1CaLA8Yy/shVIDyV0uOdw==,type:str] - HOMEPAGE_VAR_MINIFLUX_TOKEN: ENC[AES256_GCM,data:iqjEel0RpvXxNxVCO5bCcA48vc0ikPyODlKP5cnY8qDz2OQb/XkTBDB5QQ==,iv:vpnxC/3BMgmA1zXfjqBYPKLeB6ZnyxQMvTQ68f17tZc=,tag:C+ljve0qNz3W9YK4EyBT4Q==,type:str] - OPENWEATHERMAP_API_KEY: ENC[AES256_GCM,data:1rBsPkGTX0gpfW8+3aRSCafKsDo7uELpAvXs8oqLlw==,iv:MurRgocr1IhsNT5Euc6aEzIg4P89Q7bJBMORahIB7kg=,tag:yIxMRDPZ3DNI/rx5yYoi1Q==,type:str] - bookmarks.yaml: 
ENC[AES256_GCM,data:JAiTH0yhaDgHZoMhED17GV/A2m/CSgSiRNsuY0Yne/wP0a0ADBMEb6OOroT/wCRyyS7Fr0slF3sGwT+XOwiC9pwC+t42e11uEdtnD+iRdxwu4O6QNl/dwlwNzvyTCB3evGBcE+4P06SdKhIiWl9080oe0cw/pUCp1KosHsoui2S/74ga9kH9Ost+S3rH354QoO23OIQ2yEuRNvaiR6lURGu6LOXmVF9r2oAU4RX7oO1HHFn1SqeOP5k3Z0XbaiRd4mb5SgnPzlEjy4KhynsxHgcMINO8367/FZIorKg/MfJnIqvLr3zdedwsa7TQdzyOT0YMCiR2sqwUQgEFAahR2RKeAlrLt+ZJFls+sqMfLEkHeaXQZRvgWmYZx48manSqzeeNNfY0M2uS2BuCWmejBqJtnmY4+YjM+B4Tp/5+BCnkRgeWheNAbMOOwT+6pimBxx2CKH+blxQSLj0tuXRlht6GFggXN0sKcNCfTHQZTF90hdsXypmnLlbf+tC0QTZM27TPX5OBbBvvT+HLJUTiOmFwY/nToT7pzAX/rJOLdIfLDqFkAqbSPwAfpG85DOF481XJi1gibzPGlpNJWaxgE2u4MMGz4TlOxzOpfH5XwFE8rMh/fitYdQvLBRYc3d/rhOQ8g3F0355BJD/oWru2hBGWqYN7quE0FcDcMXi7yXOrhk+mZRXoh5xpVEeo4Bb9IaPLhL+5JWEVwASbXitdLFVCenSbfCQ/S9W28EIkTlqAgWnsrQwb3BsOzmafz5F0Mkhzd1c6IaaB1n0GxUx9BJlvNG5lR/Lvj5Oqr1NeBsWqLASoavoY5XaMrdFzKwafWCA9YpJ7iZwxd1Todu7XvPQQT7W/a8ycGKdxqYf5vlvtfTpYCTQ+xMQPNHFq1rVhykJcslcTcAol/VSFjMqGKT6KRnNquIAjlZ6qvnnrL/jfJl/z7bjRNMWsktp9kY8JtmTAWtCtbkhL04lhXwYUfb56LKMs060Prl5HSxC3LKIoZIre1AL4pbBhzxYJLUoBWABPfSFP,iv:Z5OUC11huYzfPP/fx0z3MS6pC3KRcHySDtpdc+n2+SQ=,tag:MN+NLCw9dARa2onNARgD9w==,type:str] + HOMEPAGE_VAR_LATITUDE: ENC[AES256_GCM,data:teu5Iya1hz4=,iv:CXabbI8kVv2X4uoYb7QBq5OOnLlP9EPRyc00rG1UU68=,tag:NlyaiMHCmazmS5l4w4ewGA==,type:str] + HOMEPAGE_VAR_LONGITUDE: ENC[AES256_GCM,data:JOB3jKdcTeIk,iv:dKyXV/lq1PDaC88t2Dva41XE4dF+w0J1v18BCMB4sBU=,tag:hwyzS9g91J7qeGxzzOS2cw==,type:str] + HOMEPAGE_VAR_OPNSENSE_API_KEY: ENC[AES256_GCM,data:xSj1O6znu2YyRNUo+aVdjWIR+4ODeA92ZtiA5VENY8GJczzF27vDXcOMSsLMUHmvFEFBdSxJSRIX+SghgnVxEtl6N5moMfYgAf/OR69Dm3g=,iv:PCwX8Gwc19xgfhaRKtD5l4d6fZaE7mgsTGKmyd7ICKE=,tag:ORBR41NJF2Gb7CnO04GrRA==,type:str] + HOMEPAGE_VAR_OPNSENSE_API_SECRET: ENC[AES256_GCM,data:Awa7d1YjadmYV1EH8hmkyQzUxOue3mQEj7A7ZIQesjH6TXxrc483/vWg6N2Gjaat73i5dPY7gd6XirxqDL9GpTjJ8kPnHl9a/EFyelV/tDI=,iv:wEhpovpIii0hfqe0ThIomlqWaPltKu9zGzKT8BESTkE=,tag:eT8wivNLmgMYeSXfomNr+Q==,type:str] + HOMEPAGE_VAR_JELLYFIN_API_KEY: 
ENC[AES256_GCM,data:ZuoFl6hao96WU/tErmEuKX2dyejiiZ1WubZCIEizJyg=,iv:9+0nsjUlAplvreL7SgdzsbKjWWgXz4PPJDiiVVVtMOQ=,tag:3djuZ5Pr2s3rk3n4hGWO9g==,type:str] + HOMEPAGE_VAR_JELLYSEERR_API_KEY: ENC[AES256_GCM,data:xa1Oe2ppsLNDbCTFKqBJc3K+7GjvyTdvmZ/xrVehwE7/vXGHCzpTPsgzeAOtTWiHuqmG//e9G2pVjgPUOTr+Ps44qd0=,iv:bM8Q2PCzwocgh7JtIWeZSFv/T5XAORXbrpaUB8EjwS8=,tag:90NyPW0gNSclBNbwfR8t0Q==,type:str] + HOMEPAGE_VAR_MINIFLUX_TOKEN: ENC[AES256_GCM,data:5yoOUHqyoucxokJO+Xm4ovi8dIo6t0ZM6i3YpmOEH1q7iMn/wMjo1JsZqw==,iv:6hZ91KDKzHp19fJT2NJPeRFN/cKaidAV1+so/ZBXOSw=,tag:ZaOvASxLMYpKxihwiBigog==,type:str] + OPENWEATHERMAP_API_KEY: ENC[AES256_GCM,data:et/vw+MqQQqnBb9eBuv9srdT4y2ePyKlny8Tw4zvYQ==,iv:RAhut9E/zoa2IULMRgEpd2ijzQbg7jqRzx9XsimRCo0=,tag:fD/SoU8T37/4VOhF/T1Mfw==,type:str] + bookmarks.yaml: ENC[AES256_GCM,data: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,iv:J+REbDBl0p98/D8VsjfAD72sYeXKS9xSIPFhxkpe9M8=,tag:8YeenqnIA5GYi/+ParOzCg==,type:str] sops: kms: [] gcp_kms: [] 
@@ -23,14 +23,14 @@ sops: - recipient: age19nu7uf8dageqlmzk23x7vl24fpn0l7cq20l3l4xxf2sk2xd5h98qss437p enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUUFBNdk5xSTI2bTdNR2Nk - bmw1T2tROXB5cDdJdWU4SGNuai9WVEhHeXhFCnVtWkNYVG9LZGtJWFFqWXExVzFv - eTlQYWhlOUJLR0tzN3VZS2NvTitRQ2sKLS0tIExSSnlLNlRXSkJETmthYzk3Qnhy - Q1UwcUtNMXNtcWsyaDltMlBOOFpIS0kKOfyKmMwnRI0lSftf4PonTPAtnMK5Lv8p - FZNW4t4CiDTKHuRmOceiKHLrKwacozxT0qyF5NTFoABIJ6uQltZwhw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkc1hyV3pxdVRvVTI0TEx5 + QXR0akcvWWUrdjBEWlU2ZXMxM2xOMTdhWEZ3Ckg2M3VIRFcvQUFxSDVyMHd6QWFp + b3RWeG5RSVBrYWp1WVJTK0ZSeFFINjQKLS0tIHN3VG5qTUVpMkpKMW9WR2VqVHZ5 + L2tTZTZrK1U1N3NWK0dKM1NDTjB2Y2cK/Pi/9Rhd8lAueoplZOnZUguhnliFPpkn + ccGD1S3bz459b4b4+0GqlZQBx2o3WJApsj5Oxuxkp4YwJoUIa04OPA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-12-17T02:13:26Z" - mac: ENC[AES256_GCM,data:e7gB7qbrJYszp66B7ApoUl+2kHzfMnw1sf984mLZAbhtm+tegN+/9vrFL8dWteNWvhxKWr92jhyElqnYeimsWTqJc9lSmYD1ZTS1NbW/X944dH9+ozoyfoaoN16vRMxRgPoIO6RgjRzMC7ULOnQMAjMVn6cImden6NzrMmskqsQ=,iv:VoBtD8UODfCqQTjAZra4cT664DOJM1CO7AghH+IFTvw=,tag:gEunp12cSythclZc0McFrA==,type:str] + lastmodified: "2024-12-28T01:33:39Z" + mac: ENC[AES256_GCM,data:hDvD9EuRjLC5VyewkdMCYRLHhhtHF9v+PeudNVqaO+0qScz1/NGqhBAPbHqj5oq7EMhVAdbevDJl1jmm3fjseJi15s45AIdmskLIA+hUzdcy8eZenpEfebjFgIPWqDLJDVbqcjLtgrCqXWbnWZdMyz/FvoPCjUAQeE28OuZhZGY=,iv:BJ7aOL2r+Mb4PFHtu+bmKGQF6Pgub8Foyn/zGwhcIMA=,tag:xugZkDi+hLDOldcIF60yDw==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.9.2 diff --git a/kubernetes/main/apps/kube-system/cilium/app/helm-values.yaml b/kubernetes/main/apps/kube-system/cilium/app/helm-values.yaml index 7b73c08..0593bed 100644 --- a/kubernetes/main/apps/kube-system/cilium/app/helm-values.yaml +++ b/kubernetes/main/apps/kube-system/cilium/app/helm-values.yaml 
@@ -2,7 +2,10 @@ ## BPF Masquerade should be enabled for use with Talos and host DNS (`machine.features.hostDNS.forwardKubeDNSToHost`) ## CNI exclusivity should be false and endpoint routes enabled for use with Istio ## -######## +## Sizing the client rate limit (`k8sClientRateLimit.qps` and `k8sClientRateLimit.burst`) is important when using L2 announcements due to increased API usage +## See: https://docs.cilium.io/en/latest/network/l2-announcements/#sizing-client-rate-limit +## +############# --- autoDirectNodeRoutes: true @@ -30,9 +33,11 @@ k8sServiceHost: 127.0.0.1 k8sServicePort: 7445 kubeProxyReplacement: true kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256 -bgp: - announce: - loadbalancerIP: true +k8sClientRateLimit: + qps: 50 + burst: 200 +#bgpControlPlane: +# enabled: true l2announcements: enabled: true loadBalancer: diff --git a/kubernetes/main/apps/kube-system/cilium/config/bgp.yaml b/kubernetes/main/apps/kube-system/cilium/config/bgp.yaml new file mode 100644 index 0000000..3b8723b --- /dev/null +++ b/kubernetes/main/apps/kube-system/cilium/config/bgp.yaml @@ -0,0 +1,28 @@ +--- +apiVersion: cilium.io/v2alpha1 +kind: CiliumBGPPeeringPolicy +metadata: + name: bgp-peering-policy + spec: + virtualRouters: + - localASN: 64801 + exportPodCIDR: true + neighbors: + - peerAddress: "10.0.0.1" + peerASN: 64800 + eBGPMultihopTTL: 10 + connectRetryTimeSeconds: 120 + holdTimeSeconds: 90 + keepAliveTimeSeconds: 30 + gracefulRestart: + enabled: true + restartTimeSeconds: 120 +--- +apiVersion: cilium.io/v2alpha1 +kind: CiliumLoadBalancerIPPool +metadata: + name: bgp-pool + spec: + allowFirstLastIPs: "Yes" + cidrs: + - cidr: 172.28.0.0/24 diff --git a/kubernetes/main/apps/kube-system/cilium/config/kustomization.yaml b/kubernetes/main/apps/kube-system/cilium/config/kustomization.yaml index a3562ae..2b4a6d4 100644 --- a/kubernetes/main/apps/kube-system/cilium/config/kustomization.yaml +++ b/kubernetes/main/apps/kube-system/cilium/config/kustomization.yaml 
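Review bot: The `neighbors` entry in the new cilium/config/bgp.yaml peers with `10.0.0.1` without an `authSecretRef`, so the session would come up with no TCP MD5 password. `eBGPMultihopTTL: 10` also lets the session span up to ten hops rather than only the local segment. If the router is directly attached, lower the TTL and add `authSecretRef: <BGP_AUTH_SECRET_NAME>` so that only a peer holding the shared secret can establish the session and receive the routes advertised under `exportPodCIDR: true`. The policy is not applied yet: `#- ./bgp.yaml` is commented out in config/kustomization.yaml and `#bgpControlPlane:` is commented out in helm-values.yaml. The hardening is best added before either is enabled.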
@@ -3,3 +3,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ./policy.yaml + #- ./bgp.yaml diff --git a/kubernetes/main/apps/media/jellyfin/app/helmrelease.yaml b/kubernetes/main/apps/media/jellyfin/app/helmrelease.yaml index 2cb9a5b..c182477 100644 --- a/kubernetes/main/apps/media/jellyfin/app/helmrelease.yaml +++ b/kubernetes/main/apps/media/jellyfin/app/helmrelease.yaml @@ -77,7 +77,7 @@ spec: cert-manager.io/cluster-issuer: "letsencrypt-production" external-dns.alpha.kubernetes.io/target: "external.${SECRET_EXTERNAL_DOMAIN}" gethomepage.dev/enabled: "true" - gethomepage.dev/group: Home + gethomepage.dev/group: Overview gethomepage.dev/name: Jellyfin gethomepage.dev/description: Media server gethomepage.dev/icon: jellyfin diff --git a/kubernetes/main/apps/media/jellyseerr/app/helmrelease.yaml b/kubernetes/main/apps/media/jellyseerr/app/helmrelease.yaml index 78ef54e..a140a31 100644 --- a/kubernetes/main/apps/media/jellyseerr/app/helmrelease.yaml +++ b/kubernetes/main/apps/media/jellyseerr/app/helmrelease.yaml @@ -74,7 +74,7 @@ spec: cert-manager.io/cluster-issuer: "letsencrypt-production" external-dns.alpha.kubernetes.io/target: "external.${SECRET_EXTERNAL_DOMAIN}" gethomepage.dev/enabled: "true" - gethomepage.dev/group: Home + gethomepage.dev/group: Overview gethomepage.dev/name: Jellyseerr gethomepage.dev/description: Media requests gethomepage.dev/icon: jellyseerr diff --git a/kubernetes/main/apps/observability/blackbox-exporter/app/helmrelease.yaml b/kubernetes/main/apps/observability/blackbox-exporter/app/helmrelease.yaml new file mode 100644 index 0000000..cddd241 --- /dev/null +++ b/kubernetes/main/apps/observability/blackbox-exporter/app/helmrelease.yaml 
@@ -0,0 +1,82 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: blackbox-exporter
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: prometheus-blackbox-exporter
+ version: 9.0.1
+ sourceRef:
+ kind: HelmRepository
+ name: prometheus-community
+ namespace: flux-system
+ install:
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ strategy: rollback
+ retries: 3
+ values:
+ fullnameOverride: blackbox-exporter
+ config:
+ modules:
+ http_2xx:
+ prober: http
+ timeout: 5s
+ http:
+ valid_http_versions: ["HTTP/1.1", "HTTP/2.0"]
+ follow_redirects: true
+ preferred_ip_protocol: ip4
+ icmp:
+ prober: icmp
+ timeout: 30s
+ icmp:
+ preferred_ip_protocol: ip4
+ ingress:
+ enabled: true
+ className: traefik
+ annotations:
+ gethomepage.dev/enabled: "true"
+ gethomepage.dev/group: Observability
+ gethomepage.dev/name: Blackbox Exporter
+ gethomepage.dev/icon: mdi-box
+ hosts:
+ - host: "blackbox-exporter.${SECRET_INTERNAL_DOMAIN}"
+ paths:
+ - path: /
+ pathType: Prefix
+ prometheusRule:
+ enabled: true
+ rules:
+ - alert: BlackboxProbeFailed
+ expr: probe_success == 0
+ for: 15m
+ labels:
+ severity: critical
+ annotations:
+ summary: |-
+ The host {{ $labels.target }} is currently unreachable
+ pspEnabled: false
+ securityContext:
+ capabilities:
+ add: ["NET_RAW"]
+ podSecurityContext:
+ sysctls:
+ - name: net.ipv4.ping_group_range
+ value: "0 2147483647"
+ serviceMonitor:
+ enabled: true
+ defaults:
+ interval: 1m
+ targets:
+ - {
+ name: &name "opnsense.${SECRET_OLD_DOMAIN}",
+ module: icmp,
+ url: *name,
+ }
diff --git a/kubernetes/main/apps/observability/blackbox-exporter/app/kustomization.yaml b/kubernetes/main/apps/observability/blackbox-exporter/app/kustomization.yaml
new file mode 100644
index 0000000..17cbc72
--- /dev/null
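Review bot: The `ingress` block publishes the exporter at `blackbox-exporter.${SECRET_INTERNAL_DOMAIN}` with no authentication in front of it. The blackbox exporter probes whatever `target` a request to its probe endpoint names, so anyone who can reach that hostname can have the pod issue HTTP and ICMP probes from inside the cluster network. Prometheus reaches the exporter through the in-cluster service via the `serviceMonitor`, so the ingress looks optional: set `ingress.enabled: false` or place the route behind an authenticating middleware. Separately, `capabilities.add: ["NET_RAW"]` looks redundant next to the `net.ipv4.ping_group_range` sysctl, which already permits unprivileged ICMP sockets; keeping only the sysctl is the narrower grant.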
+++ b/kubernetes/main/apps/observability/blackbox-exporter/app/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./helmrelease.yaml
diff --git a/kubernetes/main/apps/observability/blackbox-exporter/ks.yaml b/kubernetes/main/apps/observability/blackbox-exporter/ks.yaml
new file mode 100644
index 0000000..05338ba
--- /dev/null
+++ b/kubernetes/main/apps/observability/blackbox-exporter/ks.yaml
@@ -0,0 +1,26 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app blackbox-exporter
+ namespace: flux-system
+spec:
+ targetNamespace: observability
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ dependsOn:
+ - name: traefik
+ path: ./kubernetes/main/apps/observability/blackbox-exporter/app
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: k8s-gitops
+ wait: false
+ interval: 30m
+ retryInterval: 1m
+ timeout: 5m
+ postBuild:
+ substitute:
+ APP: *app
diff --git a/kubernetes/main/apps/observability/grafana/app/helmrelease.yaml b/kubernetes/main/apps/observability/grafana/app/helmrelease.yaml
index 6b04250..f4f2772 100644
--- a/kubernetes/main/apps/observability/grafana/app/helmrelease.yaml
+++ b/kubernetes/main/apps/observability/grafana/app/helmrelease.yaml
@@ -212,6 +212,18 @@ spec: gnetId: 763 # https://grafana.com/grafana/dashboards/763?tab=revisions revision: 5 datasource: Prometheus + rabbitmq-overview: + url: https://raw.githubusercontent.com/rabbitmq/rabbitmq-server/b836ca1d0824d8d4c24a62985ce869c388697c79/deps/rabbitmq_prometheus/docker/grafana/dashboards/RabbitMQ-Overview.json + datasource: Prometheus + rabbitmq-perftest: + url: https://raw.githubusercontent.com/rabbitmq/rabbitmq-server/b836ca1d0824d8d4c24a62985ce869c388697c79/deps/rabbitmq_prometheus/docker/grafana/dashboards/RabbitMQ-PerfTest.json + datasource: Prometheus + rabbitmq-quorum: + url: https://raw.githubusercontent.com/rabbitmq/rabbitmq-server/b836ca1d0824d8d4c24a62985ce869c388697c79/deps/rabbitmq_prometheus/docker/grafana/dashboards/RabbitMQ-Quorum-Queues-Raft.json + datasource: Prometheus + rabbitmq-stream: + url: https://raw.githubusercontent.com/rabbitmq/rabbitmq-server/b836ca1d0824d8d4c24a62985ce869c388697c79/deps/rabbitmq_prometheus/docker/grafana/dashboards/RabbitMQ-Stream.json + datasource: Prometheus prometheus: # renovate: depName="Prometheus" gnetId: 19105 @@ -244,8 +256,9 @@ spec: annotations: cert-manager.io/cluster-issuer: "letsencrypt-production" gethomepage.dev/enabled: "true" - gethomepage.dev/group: Services + gethomepage.dev/group: Observability gethomepage.dev/name: Grafana + gethomepage.dev/description: Observability dashboard gethomepage.dev/icon: grafana ingressClassName: traefik hosts: ["grafana.${SECRET_INTERNAL_DOMAIN}"] diff --git a/kubernetes/main/apps/observability/grafana/app/secret.sops.yaml b/kubernetes/main/apps/observability/grafana/app/secret.sops.yaml index 59a39c6..197b6d7 100644 --- a/kubernetes/main/apps/observability/grafana/app/secret.sops.yaml +++ b/kubernetes/main/apps/observability/grafana/app/secret.sops.yaml 
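Review bot: The four `rabbitmq-*` dashboard entries carry no comment saying what the commit in their URLs corresponds to or how it gets bumped, unlike the neighbouring `gnetId` entries, which have a revisions link or a `# renovate:` hint. Pinning the raw URLs to commit `b836ca1d0824d8d4c24a62985ce869c388697c79` is the right call, since it keeps the fetched JSON immutable, but the pin will silently age. A line above the first entry such as `# RabbitMQ dashboards pinned to rabbitmq-server commit b836ca1; update all four URLs together` would record that. The enclosing dashboards mapping starts above this hunk.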
@@ -5,26 +5,25 @@ type: Opaque metadata: name: grafana-secret stringData: - GF_DATABASE_USER: ENC[AES256_GCM,data:hhUyQv0mTQ==,iv:G+NXYesVuxohciWRyC8tlFQZWdkFsuPIbV2JhfFwwJo=,tag:Ct9qBpTWi7utSuwuLuZhaQ==,type:str] - GF_DATABASE_PASSWORD: ENC[AES256_GCM,data:pxk3OSuny5FvgNEFyQux+wi8Rc/7JiI015J2ODZuWq3/WEpOpMgLtkUFxrWKNlrJTP2kyIY27w==,iv:72TF7uDSRUI9R7CsXBW0RXrMmXm8CJjFp6KT/E4hcCM=,tag:xQ0IGtRQxter8osUPOV6pQ==,type:str] - GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: ENC[AES256_GCM,data:kjPp9GxuoIE3NUBYz0dqTESwgr4/NVdlpabCcGfsIzN5/wqrQj16gGtfVLz0wXjiLzVUjG0AyGVtUyhDvIrJGccaOkHqF3b2,iv:yWkEbw69BHr5znZkp9/Y5gIpAHlnDkamc8RdsMr2YfU=,tag:vVlr37fZYUib2lKC1tRAWA==,type:str] + GF_DATABASE_USER: ENC[AES256_GCM,data:Pk6/JYszCw==,iv:IBVA+R+lvuTPb3dHfDETfTc9kSqIkNLCckZ5vUWkXho=,tag:DiHxJEmJj+idYki04RsMeg==,type:str] + GF_DATABASE_PASSWORD: ENC[AES256_GCM,data:va8Sj4xtFPFddgzHBSLL6PdeE3tVKTmVo56APK19PSkMSHyVPsY0JeI+fkQ=,iv:wbOJI6/deB6+UhUOPKMUmXACCy+X5Es+pojZEwb0GDA=,tag:eQ7+UHiqOh46M17ygbSwmA==,type:str] sops: kms: [] gcp_kms: [] azure_kv: [] hc_vault: [] age: - - recipient: age1ey3reuxyffqynll464r4q3tlhq5v73nxesyktr44lfez8jzxm94s0644n7 + - recipient: age19nu7uf8dageqlmzk23x7vl24fpn0l7cq20l3l4xxf2sk2xd5h98qss437p enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLUmt5Q08yekNBOEQwa0FB - bDB4cm1hTXM0U3piajRYaGxzc0FOalc3dEg0Clc5ZFBYYkhZNlVHbU9YeEZyM0N4 - SVRNWENobThXUjJLOW94bTBKbWFNTmcKLS0tIHZSbEdtZ0lQRHF0STVWV2JISHVv - VlhqUnZvTlRpajBNd05OUzdtTXNka2cKronvjmWA/Lk4tu8jgMe4SQQmXXkqfG9z - BxDbUxlBp8sze8Eh2zMiHicNEJkXQcFrdWoYywT11mkiUX9ZcMElWw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzdmV5V0sxc2xxL1ZxVzR2 + U0dvL0trM2ZKVmYvZXZib1JNcjRFM1NZMVhVCmcwZEt0Z2wrYTVCTFRwclk1U0M5 + ZCtZUksrNllEQ0gvcXZaRm5CSVBtM0kKLS0tIDcxanRlcW51eWltaTZIaTJOSmdP + aXM1bmRLaVNoTE11QnhMelcweG42TXMKKL7YbGj54ufXWmKoMYGljYX5ZFCmrZPJ + qPb3DVL0CumTMPYOFfKAPUixo7/MS6syU8eeQd3cKPH6HzDIaMkK/A== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-12-22T21:19:34Z" - mac: 
ENC[AES256_GCM,data:qAc9w/gsAg7hA7kliwQWAwEY2IyQp4BHztWmZiFrvnNJQeen3QDAbu7GtIgI08q/A08R3VWCctVZt1L32Mbxwp9jKu48zebZgcdJHLYXd0X0CqoQaCjIiD9tZPHOkAKQcpK+ladaz2bGaP1embg5xzQWWoAxQP0qtDARp81mIpQ=,iv:6gyRVKxoq14Iv07C31/YsAj1liKTwjLTQ8ua5+nYCq4=,tag:xyNQ6YHcKG+eNeCialWCaw==,type:str] + lastmodified: "2024-12-23T04:39:29Z" + mac: ENC[AES256_GCM,data:Dd+RpphBbTB1VTaICgIU50HpL3oWaA0pBCYkysu35hWcIokZ5OilGk/wivGlFcsAXIHdYoFyRu8yVwD6mUKSed3c8Wh750F9vR4JvB3oRB1tULAwUjBTgQ+OgDteqJgnGI8oXrDNQxtNbELr5cuUA0HdtxdgK62+zpmTJbFtNQU=,iv:DKZryemko/3ye1AXhWbdw4DaB0gIBDRTsX+dBKlFsCk=,tag:hk3BmQ8jfheyzmNIv6Kw+Q==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ - version: 3.9.2 + version: 3.9.1 diff --git a/kubernetes/main/apps/observability/kustomization.yaml b/kubernetes/main/apps/observability/kustomization.yaml index dded5ef..ce10dfe 100644 --- a/kubernetes/main/apps/observability/kustomization.yaml +++ b/kubernetes/main/apps/observability/kustomization.yaml @@ -6,8 +6,8 @@ resources: - ./prometheus-operator-crds/ks.yaml - ./kube-prometheus-stack/ks.yaml - ./grafana/ks.yaml - #- ./kube-state-metrics/ks.yaml - ./loki/ks.yaml - ./speedtest-exporter/ks.yaml - ./changedetection/ks.yaml + - ./blackbox-exporter/ks.yaml #- ./gatus/ks.yaml diff --git a/kubernetes/main/apps/public/kustomization.yaml b/kubernetes/main/apps/public/kustomization.yaml index ca99c00..39a0f35 100644 --- a/kubernetes/main/apps/public/kustomization.yaml +++ b/kubernetes/main/apps/public/kustomization.yaml @@ -6,4 +6,4 @@ resources: - ./namespace.yaml - ./excalidraw/ks.yaml - ./echo-server/ks.yaml - #- ./mataroa/ks.yaml + - ./writefreely/ks.yaml diff --git a/kubernetes/main/apps/public/writefreely/app/helmrelease.yaml b/kubernetes/main/apps/public/writefreely/app/helmrelease.yaml new file mode 100644 index 0000000..e6c11ca --- /dev/null +++ b/kubernetes/main/apps/public/writefreely/app/helmrelease.yaml 
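Review bot: Re-encrypting this file to the new age recipient (`age19nu7…`) does not withdraw anything from the old one (`age1ey3r…`): every earlier revision in Git history still decrypts with the old private key. If the recipient was replaced because that key may have been exposed, the database password, and the OAuth client secret this hunk deletes, need rotating at the source rather than only re-wrapping. `GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET` is removed while the Grafana values that might consume it are outside this hunk, so it is worth confirming no `generic_oauth` setting still expects it. `sops.version` also moves back from 3.9.2 to 3.9.1, which suggests the file was written by an older binary than before.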
@@ -0,0 +1,111 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: &app writefreely
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: app-template
+ version: 3.5.1
+ sourceRef:
+ kind: HelmRepository
+ name: bjw-s
+ namespace: flux-system
+ install:
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ strategy: rollback
+ retries: 3
+ values:
+ controllers:
+ writefreely:
+ replicas: 1
+ strategy: RollingUpdate
+ annotations:
+ reloader.stakater.com/auto: "true"
+ secret.reloader.stakater.com/reload: writefreely-secret
+ containers:
+ app:
+ image:
+ repository: ghcr.io/liana64/writefreely
+ tag: 0.15.1@sha256:77d92d89555f51d9c9733b58e9ae9397b799d21fd7793b1f33f19c383c6ad027
+ resources:
+ requests:
+ cpu: 32m
+ memory: 10Mi
+ limits:
+ cpu: 512m
+ memory: 280Mi
+ securityContext:
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ capabilities:
+ drop:
+ - ALL
+ pod:
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: 2
+ runAsGroup: 2
+ fsGroup: 2
+ fsGroupChangePolicy: "OnRootMismatch"
+ seccompProfile: { type: RuntimeDefault }
+
+ service:
+ app:
+ controller: writefreely
+ ports:
+ http:
+ port: 8080
+
+ ingress:
+ app:
+ className: traefik-external
+ annotations:
+ external-dns.alpha.kubernetes.io/target: external.${SECRET_EXTERNAL_DOMAIN}
+ cert-manager.io/cluster-issuer: "letsencrypt-production"
+ gethomepage.dev/enabled: "true"
+ gethomepage.dev/group: Services
+ gethomepage.dev/name: Writefreely
+ gethomepage.dev/description: Blog
+ gethomepage.dev/icon: *app
+ hosts:
+ - host: &host "blog.${SECRET_EXTERNAL_DOMAIN}"
+ paths:
+ - path: /
+ pathType: Prefix
+ service:
+ identifier: app
+ port: http
+ tls:
+ - secretName: writefreely-tls
+ hosts: [*host]
+
+ persistence:
+ data:
+ storageClass: cluster-nvme
+ accessMode: ReadWriteOnce
+ size: 2Gi
+ retain: true
+ globalMounts:
+ - path: /config
+ config:
+ type: secret
+ name: writefreely-secret
+ globalMounts:
+ - subPath: config.ini
+ path: /go/config.ini
+ readOnly: true
+ keys:
+ storageClass: cluster-nvme
+ accessMode: ReadWriteOnce
+ size: 128Mi
+ retain: true
+ globalMounts:
+ - path: /go/keys
diff --git a/kubernetes/main/apps/public/writefreely/app/kustomization.yaml b/kubernetes/main/apps/public/writefreely/app/kustomization.yaml
new file mode 100644
index 0000000..16a6ce3
--- /dev/null
+++ b/kubernetes/main/apps/public/writefreely/app/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./secret.sops.yaml
+ - ./helmrelease.yaml
diff --git a/kubernetes/main/apps/public/writefreely/app/secret.sops.yaml b/kubernetes/main/apps/public/writefreely/app/secret.sops.yaml
new file mode 100644
index 0000000..90e2942
--- /dev/null
+++ b/kubernetes/main/apps/public/writefreely/app/secret.sops.yaml
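Review bot: `strategy: RollingUpdate` is combined with two `ReadWriteOnce` volumes (`data` and `keys`), so during an upgrade the surge pod can only start if it lands on the node that already has the volumes attached; otherwise the rollout is likely to stall on a multi-attach error until the upgrade remediation fires. `strategy: Recreate` avoids that for a single-replica controller. Because this pod is published through `traefik-external` and nothing in the values suggests it needs the Kubernetes API, I would also add `automountServiceAccountToken: false` under `pod:`, unless the chart default already disables it.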
@@ -0,0 +1,29 @@ +# yamllint disable +kind: Secret +apiVersion: v1 +type: Opaque +metadata: + name: writefreely-secret +stringData: + #ENC[AES256_GCM,data:sXSDApj2D2HA5QJWS+TtsFbpa0vVibl9XPTG2XFw2529Y0hGi9Y7rk970yS6eoxjs7lV6bdNqJ9qZK2HkjOG/C3jaU72HVA=,iv:76nZKtD6oklRZXfS+XYrK1OOnT4Qn/IxQvJmk3cFCQ8=,tag:6Lfo3q0/krv54EI5darYKg==,type:comment] + config.ini: ENC[AES256_GCM,data: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,iv:cAa8SAe/klpU2VekNNGy0iulcy7+IeqqmbclVEiTL90=,tag:pQd038lUs6lsRrvJDuTYkg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age19nu7uf8dageqlmzk23x7vl24fpn0l7cq20l3l4xxf2sk2xd5h98qss437p + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNT1RKY2c0ZmprYmhla05m + cm5TM0tUdWw3YmJQWm44VkU0WW4wODdMaW1zCndLSkxaTzZjTjBkZTY3NGp3YmFD + NEl4UWswOTdwZGtCWFlRRVNtOEdKalkKLS0tIFFGQ1VOZXpJd3F1aWZGZTBIcEp2 + QyszemtaVTVmWGg1NURPcHFhOHR4NHMKaJoWR1BVXx/uqEucQMcNZU94FgtV6k/g + Z2wc3HuNQxn1NoUTRnhdTdea2RgiqAlleCny9fZEJtd9+LJApXtgpg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-12-28T02:48:27Z" + mac: ENC[AES256_GCM,data:7RHoZYs+xQVt51up3pfAhNGgI8vfcY+v4O95OtTBGncIPKrHOi1+5RyQBYDtg7bJak+yQr+lW5Y0hniQVtLg7PLPFQgcdYvAeVoyWY7y0dA49ISmDdlEfnJP7Gi0GBIjE8zTmT0S4+qwrGieCcP78KJVif3/R7jhIWEQaWVuZeo=,iv:1Ws1JViW3K/CGTcr/3gexSnB6hM6/uvi2NbzkBCedFg=,tag:Ph2BOvlzPpGRu842GlKziw==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.9.2 diff --git a/kubernetes/main/apps/public/writefreely/ks.yaml b/kubernetes/main/apps/public/writefreely/ks.yaml new file mode 100644 index 0000000..563e4ee --- /dev/null +++ b/kubernetes/main/apps/public/writefreely/ks.yaml 
@@ -0,0 +1,24 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: &app writefreely
+ namespace: flux-system
+spec:
+ targetNamespace: public
+ commonMetadata:
+ labels:
+ app.kubernetes.io/name: *app
+ path: ./kubernetes/main/apps/public/writefreely/app
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: k8s-gitops
+ wait: false
+ interval: 30m
+ retryInterval: 1m
+ timeout: 5m
+ postBuild:
+ substitute:
+ APP: *app
diff --git a/kubernetes/main/apps/system/csi-driver-smb/app/helmrelease.yaml b/kubernetes/main/apps/system/csi-driver-smb/app/helmrelease.yaml
new file mode 100644
index 0000000..eb6c450
--- /dev/null
+++ b/kubernetes/main/apps/system/csi-driver-smb/app/helmrelease.yaml
@@ -0,0 +1,25 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: csi-driver-smb
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: csi-driver-smb
+ version: v1.16.0
+ sourceRef:
+ kind: HelmRepository
+ name: csi-driver-smb
+ namespace: flux-system
+ driftDetection:
+ mode: enabled
+ install:
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ strategy: rollback
+ retries: 3
diff --git a/kubernetes/main/apps/system/csi-driver-smb/app/kustomization.yaml b/kubernetes/main/apps/system/csi-driver-smb/app/kustomization.yaml
new file mode 100644
index 0000000..82a1e6e
--- /dev/null
+++ b/kubernetes/main/apps/system/csi-driver-smb/app/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./secret.sops.yaml
+ - ./storageclass.yaml
+ - ./helmrelease.yaml
diff --git a/kubernetes/main/apps/system/csi-driver-smb/app/secret.sops.yaml b/kubernetes/main/apps/system/csi-driver-smb/app/secret.sops.yaml
new file mode 100644
index 0000000..0f23129
--- /dev/null
+++ b/kubernetes/main/apps/system/csi-driver-smb/app/secret.sops.yaml @@ -0,0 +1,29 @@ +## yamllint disable +kind: Secret +apiVersion: v1 +type: Opaque +metadata: + name: smb-secret +stringData: + username: ENC[AES256_GCM,data:XPxoFBZZ4g4=,iv:XKKNwYbODEj2PogwpxYPILnJfdfBG2hR0ISWUA3hGoM=,tag:wwhXiKo87vB1sbFifdpKEQ==,type:str] + password: ENC[AES256_GCM,data:jRCIBRJnc6SoBDhKRzToRrYvQ5PYX9nG,iv:AEMK1W1fzwsYviQSaELq0m5EUzXwyGqSh2QxsPzCg/M=,tag:NffqyMPsqF6iYwtOVyiIzw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age19nu7uf8dageqlmzk23x7vl24fpn0l7cq20l3l4xxf2sk2xd5h98qss437p + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpRE8wZHJRa0Q4S1RkaXBI + dURVRncxRTVDK2Y5TjZuVXVFTHlRR2FNWnlnCmIxaW04Nkh2WFZlTWlXdXh2UDMr + TG54dE8rM3JhV0hoRDhPMGtpMEdlTlkKLS0tIFFDNmZYYlFOdmZPcW5DTFZzaW9a + LzdQTk9adGtyQWpYaFRjRU5PSmxNL0kKJJH6XiYAlUlGbo2QlbOEW6LLbaP1ucXk + 8txnkoO4vA+vffpnDoiTKnprbVTqjk8cSn65VkeWYYGIuTMcE+KU5g== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-12-29T04:52:56Z" + mac: ENC[AES256_GCM,data:tufnSq0oJFYYe5i1ojiMHxFyltnITKq+QnkMdW6U3nq8uDUHOLPI1MZ1oUUTk7ZUjs9HsUK6sMMkhtbcndpNsWYZWWgvmX+ZqhVpyd7h4v3VHyC4y9snsrePCz7tky2x3esWViKVC0/TvCBpSEGwdR2tFXaiuKJuD0Ns6xCE8HU=,iv:c90sXeAAwGkeLdSI7pFImYv2TRB5m0tsVh5jMJb3Rz4=,tag:fQOPRAZ0ENP2G7qN423UAQ==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.9.1 diff --git a/kubernetes/main/apps/system/csi-driver-smb/app/storageclass.yaml b/kubernetes/main/apps/system/csi-driver-smb/app/storageclass.yaml new file mode 100644 index 0000000..13e93a5 --- /dev/null +++ b/kubernetes/main/apps/system/csi-driver-smb/app/storageclass.yaml 
@@ -0,0 +1,20 @@ +--- +apiVersion: storage.k8s.io/v1 +kind: StorageClass +metadata: + name: smb +provisioner: smb.csi.k8s.io +parameters: + source: "//${NFS_HOST}" + csi.storage.k8s.io/provisioner-secret-name: smb-secret + csi.storage.k8s.io/provisioner-secret-namespace: system + csi.storage.k8s.io/node-stage-secret-name: smb-secret + csi.storage.k8s.io/node-stage-secret-namespace: system +reclaimPolicy: Delete +volumeBindingMode: Immediate +allowVolumeExpansion: true +mountOptions: + - dir_mode=0777 + - file_mode=0777 + - uid=600 + - gid=3005 diff --git a/kubernetes/main/apps/system/csi-driver-smb/ks.yaml b/kubernetes/main/apps/system/csi-driver-smb/ks.yaml new file mode 100644 index 0000000..16cd9e2 --- /dev/null +++ b/kubernetes/main/apps/system/csi-driver-smb/ks.yaml @@ -0,0 +1,20 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app csi-driver-smb + namespace: flux-system +spec: + targetNamespace: system + commonMetadata: + labels: + app.kubernetes.io/name: *app + path: ./kubernetes/main/apps/system/csi-driver-smb/app + prune: true + sourceRef: + kind: GitRepository + name: k8s-gitops + wait: false + interval: 30m + retryInterval: 1m + timeout: 5m diff --git a/kubernetes/main/apps/system/kustomization.yaml b/kubernetes/main/apps/system/kustomization.yaml index b2a08dd..d81ed12 100644 --- a/kubernetes/main/apps/system/kustomization.yaml +++ b/kubernetes/main/apps/system/kustomization.yaml @@ -10,3 +10,4 @@ resources: - ./reloader/ks.yaml - ./spegel/ks.yaml - ./volsync/ks.yaml + #- ./csi-driver-smb/ks.yaml diff --git a/kubernetes/main/bootstrap/talos/patches/control/cluster.yaml b/kubernetes/main/bootstrap/talos/patches/control/cluster.yaml index 947ee44..f6d4c7e 100644 --- a/kubernetes/main/bootstrap/talos/patches/control/cluster.yaml +++ b/kubernetes/main/bootstrap/talos/patches/control/cluster.yaml 
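Review bot: `dir_mode=0777` and `file_mode=0777` in `mountOptions` make every file on the share world-writable and executable inside any pod that mounts a volume of this class, even though `uid=600` and `gid=3005` already name the intended owner. Unless a workload is known to run under a different uid and gid, `- dir_mode=0770` and `- file_mode=0660` give the owner and group what they need without the world bits. `source: "//${NFS_HOST}"` also carries no share name and relies on Flux variable substitution, while the `csi-driver-smb/ks.yaml` added later in this patch has no `postBuild` block of its own, so confirm that substitution reaches it from elsewhere before the commented-out entry in `system/kustomization.yaml` is enabled.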
@@ -8,6 +8,9 @@ cluster: disabled: true proxy: disabled: true + controllerManager: + extraArgs: + bind-address: 0.0.0.0 scheduler: extraArgs: bind-address: 0.0.0.0 diff --git a/kubernetes/main/bootstrap/talos/patches/global/hostdns.yaml b/kubernetes/main/bootstrap/talos/patches/global/hostdns.yaml index ca0f986..f9847f6 100644 --- a/kubernetes/main/bootstrap/talos/patches/global/hostdns.yaml +++ b/kubernetes/main/bootstrap/talos/patches/global/hostdns.yaml @@ -4,8 +4,8 @@ machine: hostDNS: enabled: true resolveMemberNames: true - # For BGP mode, set to true - forwardKubeDNSToHost: true # Requires Cilium `bpf.masquerade: false` + # For BGP mode, set to true and `bpf.masquerade` to false + forwardKubeDNSToHost: false kubePrism: enabled: true port: 7445 diff --git a/kubernetes/main/flux/repositories/helm/csi-driver-smb.yaml b/kubernetes/main/flux/repositories/helm/csi-driver-smb.yaml new file mode 100644 index 0000000..b07f57b --- /dev/null +++ b/kubernetes/main/flux/repositories/helm/csi-driver-smb.yaml @@ -0,0 +1,10 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: csi-driver-smb + namespace: flux-system +spec: + interval: 5m + url: https://raw.githubusercontent.com/kubernetes-csi/csi-driver-smb/master/charts diff --git a/kubernetes/main/flux/repositories/helm/kustomization.yaml b/kubernetes/main/flux/repositories/helm/kustomization.yaml index 2b99075..011bbe7 100644 --- a/kubernetes/main/flux/repositories/helm/kustomization.yaml +++ b/kubernetes/main/flux/repositories/helm/kustomization.yaml @@ -29,3 +29,5 @@ resources: - ./teleport.yaml - ./traefik.yaml - ./windmill.yaml + - ./csi-driver-smb.yaml + - ./plane.yaml diff --git a/kubernetes/main/flux/repositories/helm/plane.yaml b/kubernetes/main/flux/repositories/helm/plane.yaml new file mode 100644 index 0000000..9cf06f3 --- /dev/null 
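Review bot: Binding kube-controller-manager to `0.0.0.0` exposes its secure port on every interface of each control-plane node, and nothing in this patch limits who can reach it; the existing `scheduler` block has the same exposure. The metrics endpoint still requires an authenticated and authorised client, but the health endpoints on that port are allowed without one by default. If the purpose is Prometheus scraping, which I am inferring, a comment such as `# all interfaces so Prometheus can scrape; access limited by node firewall rules` should sit above `controllerManager:`, and ingress to the port should be restricted to the monitoring source. The `cluster:` mapping begins above this hunk.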
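Review bot: In the new `csi-driver-smb.yaml` HelmRepository, `url` points at the `master` branch on raw.githubusercontent.com, so the chart index and the archives it lists are whatever that branch holds at fetch time; `version: v1.16.0` in the HelmRelease selects an index entry but does not fix its content. Pinning the path to a release tag instead of `master`, if the upstream layout serves the index there, would make the source immutable. `interval: 5m` is also far tighter than the `1h` used for the `plane` repository added in the same patch and gains nothing for a pinned chart version; `interval: 1h` would be consistent.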
+++ b/kubernetes/main/flux/repositories/helm/plane.yaml @@ -0,0 +1,10 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.ok8.sh/source.toolkit.fluxcd.io/helmrepository_v1beta2.json +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: plane + namespace: flux-system +spec: + interval: 1h + url: https://helm.plane.so/ diff --git a/kubernetes/main/flux/vars/cluster-settings.yaml b/kubernetes/main/flux/vars/cluster-settings.yaml index fa75f3b..bb7325d 100644 --- a/kubernetes/main/flux/vars/cluster-settings.yaml +++ b/kubernetes/main/flux/vars/cluster-settings.yaml @@ -24,3 +24,4 @@ data: LB_TRAEFIK_EXTERNAL: "10.28.12.101" LB_POSTGRES: "10.28.12.102" LB_MINECRAFT: "10.28.12.103" + LB_MYSQL: "10.28.12.104"
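Review bot: The schema comment in `plane.yaml` references `helmrepository_v1beta2.json` on `kubernetes-schemas.ok8.sh`, while the resource declares `apiVersion: source.toolkit.fluxcd.io/v1`, so editors validate the file against a different API version than the one it uses. The sibling `csi-driver-smb.yaml` in this patch already points at `https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json`; using that same URL here keeps the two repository definitions consistent.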