From 022938e805be121d14776a359acf0c419595fc64 Mon Sep 17 00:00:00 2001 From: SeanOMik Date: Sun, 15 Sep 2024 20:35:30 -0400 Subject: [PATCH] feat: add home-assistant to thin cluster --- .../home-assistant/files/helm-release.yaml | 98 +++++++++++++++++-- .../home-assistant/files/kustomization.yaml | 2 + .../default/home-assistant/files/pvc.yaml | 12 +++ .../home-assistant/files/secret.sops.yaml | 75 ++++++++++++++ .../thin/apps/default/home-assistant/ks.yaml | 9 +- .../thin/apps/default/kustomization.yaml | 3 +- 6 files changed, 187 insertions(+), 12 deletions(-) create mode 100644 kubernetes/thin/apps/default/home-assistant/files/pvc.yaml create mode 100644 kubernetes/thin/apps/default/home-assistant/files/secret.sops.yaml diff --git a/kubernetes/thin/apps/default/home-assistant/files/helm-release.yaml b/kubernetes/thin/apps/default/home-assistant/files/helm-release.yaml index 8efa6d8..409959c 100644 --- a/kubernetes/thin/apps/default/home-assistant/files/helm-release.yaml +++ b/kubernetes/thin/apps/default/home-assistant/files/helm-release.yaml @@ -2,27 +2,72 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: - name: whoami + name: home-assistant namespace: default spec: interval: 5m chart: spec: chart: app-template - version: 3.1.0 + version: 3.4.0 sourceRef: kind: HelmRepository name: bjws-charts namespace: flux-system - + dependsOn: + - name: openebs + namespace: openebs values: controllers: main: containers: - main: + app: image: - repository: containous/whoami - tag: latest + repository: ghcr.io/onedr0p/home-assistant + tag: 2024.9.1 + env: + TZ: America/New_York #${SERVER_TIMEZONE} + HASS_HTTP_TRUSTED_PROXY_1: 192.168.0.0/16 + HASS_HTTP_TRUSTED_PROXY_2: 10.0.0.0/8 + HASS_SECRET_URL: &hassHost "hass.thin.seanomik.net" #${SECRET_NEW_DOMAIN} + HOME_ASSISTANT__HACS_INSTALL: "true" + envFrom: + - secretRef: + name: home-assistant + securityContext: + allowPrivilegeEscalation: false + readOnlyRootFilesystem: true + capabilities: { drop: ["ALL"] } + resources: + requests: + cpu: 10m + limits: + memory: 2Gi + code-server: + image: + repository: ghcr.io/coder/code-server + tag: 4.92.2 + args: [ + "--auth", "none", + "--user-data-dir", "/config/.vscode", + "--extensions-dir", "/config/.vscode", + "--port", "12321", + "/config" + ] + resources: + requests: + cpu: 10m + limits: + memory: 512Mi + + defaultPodOptions: + securityContext: + runAsNonRoot: true + runAsUser: 568 + runAsGroup: 568 + fsGroup: 568 + fsGroupChangePolicy: OnRootMismatch + seccompProfile: { type: RuntimeDefault } service: app: @@ -30,19 +75,54 @@ spec: ports: http: - port: 80 + port: 8123 + code-server: + port: 12321 ingress: - main: + app: annotations: cert-manager.io/cluster-issuer: letsencrypt-production traefik.ingress.kubernetes.io/router.entrypoints: websecure #traefik.ingress.kubernetes.io/router.middlewares: traefik-authentik@kubernetescrd + className: external hosts: - - host: "whoami.${SECRET_NEW_DOMAIN}" + - host: *hassHost paths: - path: / service: identifier: app port: http + code-server: + annotations: + cert-manager.io/cluster-issuer: letsencrypt-production + traefik.ingress.kubernetes.io/router.entrypoints: websecure + #traefik.ingress.kubernetes.io/router.middlewares: traefik-authentik@kubernetescrd + + className: internal + hosts: + - host: "hass-code.internal.thin.seanomik.net" + paths: + - path: / + service: + identifier: app + port: code-server + + persistence: + config: + existingClaim: home-assistant-config + globalMounts: + - path: /config + logs: + type: emptyDir + globalMounts: + - path: /config/logs + tts: + type: emptyDir + globalMounts: + - path: /config/tts + tmp: + type: emptyDir + globalMounts: + - path: /tmp diff --git a/kubernetes/thin/apps/default/home-assistant/files/kustomization.yaml b/kubernetes/thin/apps/default/home-assistant/files/kustomization.yaml index ea3145d..7d3f7a7 100644 --- a/kubernetes/thin/apps/default/home-assistant/files/kustomization.yaml +++ b/kubernetes/thin/apps/default/home-assistant/files/kustomization.yaml @@ -1,4 +1,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: +- ./pvc.yaml +- ./secret.sops.yaml - ./helm-release.yaml \ No newline at end of file diff --git a/kubernetes/thin/apps/default/home-assistant/files/pvc.yaml b/kubernetes/thin/apps/default/home-assistant/files/pvc.yaml new file mode 100644 index 0000000..11fc25a --- /dev/null +++ b/kubernetes/thin/apps/default/home-assistant/files/pvc.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: home-assistant-config + namespace: default +spec: + accessModes: + - ReadWriteOnce + storageClassName: openebs-dual + resources: + requests: + storage: 6Gi \ No newline at end of file diff --git a/kubernetes/thin/apps/default/home-assistant/files/secret.sops.yaml b/kubernetes/thin/apps/default/home-assistant/files/secret.sops.yaml new file mode 100644 index 0000000..7c3abe3 --- /dev/null +++ b/kubernetes/thin/apps/default/home-assistant/files/secret.sops.yaml @@ -0,0 +1,75 @@ +apiVersion: v1 +kind: Secret +metadata: + name: home-assistant + namespace: default +type: Opaque +stringData: + HASS_SECRET_ELEVATION: ENC[AES256_GCM,data:+dg6fw==,iv:8YPS3cD/qnZcQCwjdSVYJ5x/z0rSR8jplZfxr1EPqJk=,tag:2S0JTIYBvxN5tAnLMLMwtQ==,type:str] + HASS_SECRET_LATITUDE: ENC[AES256_GCM,data:Kgq3N7fRG8Dn2g==,iv:7m7RQM1WcIKTLfMr1cjcFxqnYJ+7llKNY6Mdl9MdVmI=,tag:wtgsJsCov1BxN0LW3bn2cg==,type:str] + HASS_SECRET_LONGITUDE: ENC[AES256_GCM,data:fBTv0J7rNN6Tt5I=,iv:lU0J2Qd1rRzrIKhYUDeqcQfRidGvsBzby7a/9UiCKYU=,tag:Lyh1QS3WIpP0tl0g9NEQMg==,type:str] + HASS_SECRET_DB_URL: ENC[AES256_GCM,data:YXk+YKDlqnrn7hxGe4Q5cTaafK2ijRWf2NtAltdeJmQ3sAL3Z8N7yV3VwSUkL9Re181JRXeiIebEoIMx2DDlTaYMcnGPQyqjSWBMSt4/+WgmZ0Q=,iv:5N/dbYht2ts26GAh14BxNA3zq7US+s8WbmNWFJtO+jk=,tag:6sqa0kufUdkyMVdJ9rVCdA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2024-09-16T00:34:28Z" + mac: ENC[AES256_GCM,data:zoW6fr1LbCpxj+47BS7YSJtT8CF3QLdkYR+JsNmVNv+NZ5229TC+RGWbSwjyHtqb7Xxzhwzuna8kVR9Jg8dnJOZhEJM2uY7rTx0z0tpakdvUggxDiBH3W8nIc//DzxgbGZwtP9/LNpzE0ucvTKrqJsUW6/Idu815bLknNbeaPxo=,iv:KbbWZ17JQNsCuSI26nGKwKjoP4aULua3GBCJbQgNpyI=,tag:PvEhlwCpYMtJB8lx5vmVfQ==,type:str] + pgp: + - created_at: "2024-09-16T00:34:28Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAyqlIeyoxYovAQ//WFv9Y/YWKUUEV7ymMAqVpCdiVp1DiRBbsNVlBCi+x2lF + NO/AHTeTvJL+9uyavQsSQVuuIhCMG9R7uwTAQaLgZat8Q3ToC4ntEjoxQQfKsUTl + 1qfsFTTGW8PJbekkvZmufTMTzmJ+8j0TGnQeCcI9D/XmE/fDP+P551YLCXJm/MtC + xGo1Wz27n0YYseWRjO6hAOU0/z3tQxgEYU40uWt/Wego3XaXVIAOC7E+uxbVIGfW + DsQQQi3E5mKGdWB6VvzozstneZuDNU+GiNCCHsYYCCSMwT4z1FFPTl3T4Qr+yRbQ + Ylh5y7LQsVmHnwzC2eDatxL2v7chSoYWczZMKTmNCcppZ1Lvas14Cd9MdC/yt2yD + jDrXtyw1jPho+A688EvB7E/nCEXnchL0xqCcCqa7IE3+hhZzxLWysfz4QM0Mg2rv + j7QLP2/ssuB9K2dOrudkE0MUzQyf5tu9Av7YD+KR0SEcuQ/Y2yvnScLf4SS/NEgG + erB8e44M/NG/CN38YOxPGtK9FcxjJKyDfk5S//TPteZBgtKwf18H5SDonu3E6WUU + Z61U/Vw31xtIuFVRPAQc5qzfCVQ9N0zJx28F3QJXcgMzmEVHQKyJ+/u9ytfTQpg5 + CPfexvgNg9CR++p6MY0tie07iLkmoT23hq1A36Q+pnyqR1bZVu0vVIVtOIANG3qF + AgwDXjg0p2IN1X8BD/4oBsOiwYJYAPdsxtQyMoj92r6NUl+STRdvalSyweJqf9xK + RfQzlNtdN6ADTD7p6PKZxg/Bb9HGJe7eUto78Eqn9Uqu67pGPCUiaVk7JUUayGHd + Fay3OJYuLEgukEo1okq+yBDjj+dGwTJ17Cl8hYgNSyeGCAiXqUkktkRXkjvhI55X + lgOc3wiaRqcuLFG5h00qo3Wy4ESzuQSKFEimpSec8CSxuY/vTg8CFjekkmUerNmd + eKKW6q0IB2WUrxbvG4moF+4pK6F8zOgF1B94cFuFHoDQ1sOFkUI95v0/mEi6qIX4 + gTD6DAbgmZCyFWrfH1ogU7vpa2aDrFDHYLFyjESX6zhMVnQwetQsgdQ3C2Q5HpD5 + uWuzbVSOVpUzwOsgwP1bUn6Layxnk3cVtgLj5ODdUYSBJZ6/ReQ/aQjhUpNVQIUA + inqCuL6dSFDTKKwDpzdVTX105knBNP5pHaDVdFN+iUu9pbFGSqWAZQ/XtfznBSbl + QntMp70zVe5TlMtB7DCpkRcgI/oOLjciM+ITVW3mh7nX0tbBUZ/2T/KKPwFHNI/4 + wU/TH13RW0l92eJRXYarYsOqsDsYzlkOoPupNQFK8UVu44cVe/jPJNNi9yU8EN5r + 2VoKr2F7sYprbSunhFrOXFGngCs0pgk6lKcWKE6mP8b2AmmX0FHBjojTDRu3D9Rm + AQkCEHK/1D/N2aQA8WZBnz87r51MTQ+dqxTu9tAOjCGX2jP1NvQqnS2vL+iqsvlo + CxojBsFhFZXLpd/op2N+4nFMA0HAPl4pKj5hi6tUEzkXr9ltfvnIMdv0ZoZoM61r + B1xdW8jX + =HAf4 + -----END PGP MESSAGE----- + fp: BD1AAF9D8170F4BEE437365FF6F0933799CFEBCD + - created_at: "2024-09-16T00:34:28Z" + enc: |- + -----BEGIN PGP MESSAGE----- + + hQIMAy5t8IMoPu4VAQ//S4pP46cksxK/sNjHKP8A8uY3KNewuTd9URB605mXlaAA + iTMnujsimRREiYoxkcgCIuxoYgpXoi30XrlrSbdKwSt1flGRjVBtW62uvgFRn/Ya + qmZimGRyhSr0NWMZdsCoOGECCd21lGOwGeTmZzcsvYtzT0fgpYoRtQv0L44eBuFy + uzNIvDw7SvvjM2nGWI6VAlAg6CnAz3Fo9JbccZINqgfRTNhtkHU5R6M0M6EjmN6M + xkcr280dOdV3dWKfAtZld2aPb9QLj2vxYxcSqaqQ3jLpmy5JrCT+E4fxt6THyg4R + x9EGds30zUOUwB5hOJGF+dPPdb3M1imZZymDYZ65WDt6nttRVz9p1Vxu8BiMzMef + CPcrArf5ic+TDp4QydwAb3UjkT+b8/iHGLrFLn7E7s9xaWN8Y8wHxhABjEMKia/8 + hhZozgapC7EIK10Qq4S+mce+pQrLdPrz++/jEL5enuh3vo8s6PSCAbM7sxjoNUV0 + Sjbl3lOlbvRLMRJoxMgeHCYKR8HBKYX3lbPSOl0+D2rwibdrbuk1N4NMq0z9YU3O + PCEDpGxzj469yss1XbpoANG7EpS9uMdTN+ONE1Xx7AvsADMrNvdJeLvku93bknZw + 6rD1aSBau98H/WGM1XGu0nOzQgxtfCoaFRnXf03lMldWlkQnwYuhZPs+3mwg8vfU + ZgEJAhD4mf23O6K9MUJFjoHABoZAQqX2UEc7TRjIc+YHGg8PekuK4yTWIKkHIvUL + WdiWaO8gB+QmoyHt6bg4+di1iqTujnKTPqPF6ehpoDlqWHXWs2mxl2UiC6DGUHlm + oIfC9MKtDA== + =uXt0 + -----END PGP MESSAGE----- + fp: 687802D4DFD8AA82EA55666CF7DADAC782D7663D + encrypted_regex: ^(data|stringData)$ + version: 3.9.0 diff --git a/kubernetes/thin/apps/default/home-assistant/ks.yaml b/kubernetes/thin/apps/default/home-assistant/ks.yaml index a92aa63..424c719 100644 --- a/kubernetes/thin/apps/default/home-assistant/ks.yaml +++ b/kubernetes/thin/apps/default/home-assistant/ks.yaml @@ -2,12 +2,12 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: whoami + name: home-assistant namespace: flux-system spec: timeout: 5m interval: 10m - path: ./kubernetes/thin/apps/default/whoami/files + path: ./kubernetes/thin/apps/default/home-assistant/files prune: true sourceRef: kind: GitRepository @@ -16,6 +16,11 @@ spec: provider: sops secretRef: name: sops-gpg + dependsOn: + - name: openebs-sc + namespace: flux-system + - name: postgresql + namespace: flux-system postBuild: substitute: {} substituteFrom: diff --git a/kubernetes/thin/apps/default/kustomization.yaml b/kubernetes/thin/apps/default/kustomization.yaml index c7dcc20..d037f75 100644 --- a/kubernetes/thin/apps/default/kustomization.yaml +++ b/kubernetes/thin/apps/default/kustomization.yaml @@ -1,4 +1,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- ./whoami/ks.yaml \ No newline at end of file +- ./whoami/ks.yaml +- ./home-assistant/ks.yaml \ No newline at end of file