SeanOMik
/
k3s-cluster
1
0
Fork 0
Code Issues 2 Pull Requests 5 Packages Projects Releases Wiki Activity

Compare commits

base: SeanOMik:4fe6efbfc928b3b0ec3dedb0688b60b6bc35f6ab
Branches Tags
SeanOMik:main
SeanOMik:renovate/ghcr.io-onedr0p-tautulli-2.x
SeanOMik:renovate/app-template-3.x
SeanOMik:renovate/ghcr.io-onedr0p-qbittorrent-5.x
SeanOMik:renovate/postgresql-16.x
SeanOMik:renovate/mysql-12.x
SeanOMik:feat/thin-cluster
SeanOMik:feat/separate-huginn-agents
SeanOMik:wip/deluge
SeanOMik:renovate/configure
SeanOMik:feature/add-guacamole-again
SeanOMik:feature/readd-guacamole
SeanOMik:feature/zfs-alerts
SeanOMik:feature/bitnami-gitea-chart
..
compare: SeanOMik:5917341e269493c20dd555077935944c2ad0ae01
Branches Tags
SeanOMik:renovate/ghcr.io-onedr0p-tautulli-2.x
SeanOMik:main
SeanOMik:renovate/app-template-3.x
SeanOMik:renovate/ghcr.io-onedr0p-qbittorrent-5.x
SeanOMik:renovate/postgresql-16.x
SeanOMik:renovate/mysql-12.x
SeanOMik:feat/thin-cluster
SeanOMik:feat/separate-huginn-agents
SeanOMik:wip/deluge
SeanOMik:renovate/configure
SeanOMik:feature/add-guacamole-again
SeanOMik:feature/readd-guacamole
SeanOMik:feature/zfs-alerts
SeanOMik:feature/bitnami-gitea-chart

No commits in common. "4fe6efbfc928b3b0ec3dedb0688b60b6bc35f6ab" and "5917341e269493c20dd555077935944c2ad0ae01" have entirely different histories.
4fe6efbfc9 ... 5917341e26

127 changed files with 199 additions and 2062 deletions
Show Stats Expand all files Collapse all files

10
.taskfiles/Flux/Taskfile.yaml
View File

@ -3,20 +3,20 @@
version: "3" version: "3"
vars: vars:
CLUSTER_SECRET_SOPS_FILE: "{{.CLUSTERS_DIR}}/common/bootstrap/flux/sops-key.sops.yaml" CLUSTER_SECRET_SOPS_FILE: "{{.CLUSTER_DIR}}/bootstrap/flux/sops-key.sops.yaml"
GITHUB_DEPLOY_KEY_FILE: "{{.CLUSTERS_DIR}}/common/bootstrap/flux/forgejo-deploy-key.sops.yaml" GITHUB_DEPLOY_KEY_FILE: "{{.CLUSTER_DIR}}/bootstrap/flux/forgejo-deploy-key.sops.yaml"
tasks: tasks:
bootstrap: bootstrap:
desc: Bootstrap Flux into a Kubernetes cluster desc: Bootstrap Flux into a Kubernetes cluster
cmds: cmds:
- kubectl apply --server-side --kustomize {{.CLUSTERS_DIR}}/common/bootstrap/flux - kubectl apply --server-side --kustomize {{.CLUSTER_DIR}}/bootstrap/flux
- sops --decrypt {{.CLUSTER_SECRET_SOPS_FILE}} | kubectl apply --server-side --filename - - sops --decrypt {{.CLUSTER_SECRET_SOPS_FILE}} | kubectl apply --server-side --filename -
- sops --decrypt {{.GITHUB_DEPLOY_KEY_FILE}} | kubectl apply --server-side --filename - - sops --decrypt {{.GITHUB_DEPLOY_KEY_FILE}} | kubectl apply --server-side --filename -
- kubectl apply --server-side --kustomize {{.CLUSTERS_DIR}}/{{.CLUSTER}}/flux/config - kubectl apply --server-side --kustomize {{.CLUSTER_DIR}}/flux/config
preconditions: preconditions:
- { msg: "Missing cluster sops key", sh: "gpg -K 687802D4DFD8AA82EA55666CF7DADAC782D7663D" } - { msg: "Missing cluster sops key", sh: "gpg -K 687802D4DFD8AA82EA55666CF7DADAC782D7663D" }
reconcile: reconcile:
desc: Force update Flux to pull in changes from the Git repository desc: Force update Flux to pull in changes from your Git repository
cmd: flux reconcile --namespace flux-system kustomization cluster --with-source cmd: flux reconcile --namespace flux-system kustomization cluster --with-source

2
Taskfile.yaml
View File

@ -3,7 +3,7 @@
version: "3" version: "3"
vars: vars:
CLUSTERS_DIR: "{{.ROOT_DIR}}/kubernetes" CLUSTER_DIR: "{{.ROOT_DIR}}/cluster"
includes: includes:
flux: .taskfiles/Flux/Taskfile.yaml flux: .taskfiles/Flux/Taskfile.yaml

5
kubernetes/common/apps/cert-manager/app/files/kustomization.yaml
View File

@ -1,5 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./helm-repository.yaml
- ./helm-release.yaml

25
kubernetes/common/apps/cert-manager/app/ks.yaml
View File

@ -1,25 +0,0 @@
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: cert-manager
namespace: flux-system
spec:
timeout: 5m
interval: 10m
path: ./kubernetes/common/apps/cert-manager/app/files
prune: true
sourceRef:
kind: GitRepository
name: home-cluster
decryption:
provider: sops
secretRef:
name: sops-gpg
postBuild:
substitute: {}
substituteFrom:
- kind: ConfigMap
name: cluster-settings
- kind: Secret
name: cluster-secrets

28
kubernetes/common/apps/cert-manager/certs/ks.yaml
View File

@ -1,28 +0,0 @@
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: cert-manager-certificates
namespace: flux-system
spec:
timeout: 5m
interval: 10m
path: ./kubernetes/common/apps/cert-manager/certs/files
prune: true
sourceRef:
kind: GitRepository
name: home-cluster
decryption:
provider: sops
secretRef:
name: sops-gpg
dependsOn:
- name: cert-manager
namespace: flux-system
postBuild:
substitute: {}
substituteFrom:
- kind: ConfigMap
name: cluster-settings
- kind: Secret
name: cluster-secrets

28
kubernetes/common/apps/database/dbs/ks.yaml
View File

@ -1,28 +0,0 @@
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: postgresql
namespace: flux-system
spec:
timeout: 5m
interval: 10m
path: ./kubernetes/common/apps/database/dbs/postgresql
prune: true
sourceRef:
kind: GitRepository
name: home-cluster
decryption:
provider: sops
secretRef:
name: sops-gpg
dependsOn:
- name: openebs-sc
namespace: flux-system
postBuild:
substitute: {}
substituteFrom:
- kind: ConfigMap
name: cluster-settings
- kind: Secret
name: cluster-secrets

42
kubernetes/common/apps/database/dbs/postgresql/helm-release.yaml
View File

@ -1,42 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: postgresql
namespace: database
spec:
interval: 5m
chart:
spec:
chart: postgresql
version: 14.3.x
sourceRef:
kind: HelmRepository
name: bitnami-charts
namespace: flux-system
values:
auth:
existingSecret: "pgsql-secrets"
secretKeys:
adminPasswordKey: "adminPassword"
replicationPasswordKey: "replicationPassword"
serviceMonitor:
enabled: true
labels:
release: kube-prometheus-stack
volumePermissions:
enabled: true
primary:
persistence:
existingClaim: "postgresql-pvc"
containerSecurityContext:
enabled: true
runAsUser: 655
readReplicas:
containerSecurityContext:
enabled: true
runAsUser: 655

7
kubernetes/common/apps/database/dbs/postgresql/kustomization.yaml
View File

@ -1,7 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./pgsql-pv.yaml
- ./pgsql.sops.yaml
- ./helm-release.yaml
#- ./pgadmin4

47
kubernetes/common/apps/database/dbs/postgresql/pgadmin4/helm-release.yaml
View File

@ -1,47 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: pgadmin4
namespace: database
spec:
interval: 5m
chart:
spec:
chart: pgadmin4
version: "1.28.0"
sourceRef:
kind: HelmRepository
name: runix-charts
namespace: flux-system
values:
ingress:
enabled: true
annotations:
cert-manager.io/cluster-issuer: letsencrypt-production
traefik.ingress.kubernetes.io/router.entrypoints: websecure
hosts:
- host: &host pgadm.${SECRET_NEW_DOMAIN}
paths:
- path: "/"
pathType: Prefix
tls:
- hosts:
- *host
# securityContext:
# runAsUser: 10000
# runAsGroup: 10000
# fsGroup: 10000
#
# containerSecurityContext:
# enabled: true
# allowPrivilegeEscalation: false
# envVarsFromConfigMaps:
# - pgadmin4-secret
persistentVolume:
enabled: false
volumePermissions:
enabled: true

8
kubernetes/common/apps/database/dbs/postgresql/pgadmin4/helm-repository.yaml
View File

@ -1,8 +0,0 @@
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: runix-charts
namespace: flux-system
spec:
interval: 1m
url: https://helm.runix.net

6
kubernetes/common/apps/database/dbs/postgresql/pgadmin4/kustomization.yaml
View File

@ -1,6 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./pgadmin4.sops.yaml
- ./helm-repository.yaml
- ./helm-release.yaml

12
kubernetes/common/apps/database/dbs/postgresql/pgsql-pv.yaml
View File

@ -1,12 +0,0 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: postgresql-pvc
namespace: database
spec:
storageClassName: openebs-dual
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 10Gi

62
kubernetes/common/apps/database/dbs/postgresql/pgsql.sops.yaml
View File

@ -1,62 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: pgsql-secrets
namespace: database
stringData:
adminPassword: ENC[AES256_GCM,data:gJ7rl2V/VlbIIRvRHcwMaZKN87t5n8bVWZCj/tRv8Uw=,iv:b/5eEnOrHzJrtnO+E2IGwJLHy2AdJQwv9WfUR5fUHY4=,tag:nTtaDNHVfYpChQX9UWwdKA==,type:str]
userPassword: ENC[AES256_GCM,data:gR7q508lUaRDRJ/z5lH99JLJSS9zWfg0O+TAm2B9uvo=,iv:9DDQxwd/BGtLQDacAH/crfT+qU4Pn5sGkWuEtmMprUI=,tag:tK3WoUd7729LQDVqU7pckQ==,type:str]
replicationPassword: ENC[AES256_GCM,data:BSA5IfYhhvN445yp2i3BI5zlIXgdj+LejCPzvlTMnVo=,iv:Qku2NAQPLxt+NUnk2dSx1+WAoyx3aEuA3+piU2mubYk=,tag:MnI+atK6VLZUc3eGS1OE1w==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2023-10-22T16:25:15Z"
mac: ENC[AES256_GCM,data:uWVPfKwPpR212js7f2RnCzEsMnxk2JpGPcf2L5i4gJCddJCrRJkdhjWGyVVpp/ociP3JLRTI95+WSEUH0KkPZpY1ptQevCVsUemRytOCtBlR0yR4qsBwEisSu8m4B5dbAYsqlXAndrBNL2WGB7uBv+ILgNxkhlN58unseSWJBDM=,iv:e7QyZSlhpyQ+A8OmV4p1848itIUxyam6CJOI9/N7DDY=,tag:N28mfrAjUTTYkly1hu0OhA==,type:str]
pgp:
- created_at: "2023-06-19T18:35:15Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQIMAzKleRwoSoixAQ//aQdUERyq3G7V29F5rpY6LdDgo8+hqrrZvdI3JnON0VUM
Tj3AAYg+xvYh8aPQywF9fJvn6qNw8fqrb2GiuuNTa9ZPCFsD+WXbuYHmQ9z6tAtV
opXe3QLNBuo9zEtUfGPbaCp8EH7f1TxQsTJoe9iE/1B2S69cHNUdgXZtfQyhpmlG
iyAk/G04kPazweIuFNjOYaN/12J/s2Cf5AZUeROkMxg8/GTPO68LeEBz9v4vl/1z
JlxmZyXR/9IeoBlO63asDrR85fcvSDb31K4qE3WVkag20bXClv1lehLVKO4bxA/F
lW1tXDR3odC9Ozme884Znd05L0NWkzYKYRta198IV6JuSCeMdjTscGGlMM9wqqKz
SZgs81FHXT16YCVupfI22CqMiD0EzQXrGEtJ4NqaBvhZu+MDxszNRzIl73b0HANc
8JQqQqOJh7ltrWnf39Xlv73yVC/pYbaV1LWGnMfqWvOcksa9QjOH9Ysfj/RxdaMw
VQhydU+21+xeuEQBL7OsiJQUzgJjFREnTRPXcorCtWxocCn5zwdct1SFchFzCOTp
H0ubpD+MP4RTWxuYbZRhE5ty6GJU9liRH7dUJtVaQiv8V+G1DungTqq36AbbnHzd
9cy+4cM3wZx2VYElL7DBom8nqqm7Xhffr0UaaY8VFuV5bBry3BmM5rOr8vDYqf7U
aAEJAhC/4yiBMuhEB+fwXIq/dBjMzW+p8SotK2QK03yaTFQchnBDknwVdqcKQxIZ
di3kupnjB+KllWOZhl121tT9L35ymL53BUu1FKCTFdIS2wXxy6UlIS98n0bvWJYN
c5WTfk81xmbT
=UE14
-----END PGP MESSAGE-----
fp: 2CC2B3631D5C3393901335DB68F95C5D753EE1E5
- created_at: "2023-06-19T18:35:15Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQIMAy5t8IMoPu4VAQ/9G2JDsJw6YJMjstWPrv07tnU0ErWZx5WGcNUGhw6T5tOJ
kXCAuaZax8NxoTtZnQ9Cd+WgJr7R0FuVPEPTc4G2RsfntSZq5rBgCpT0fgwyASFX
64b6YTbLcCL+G6sg/FwIi9SRqqCsaljATjoU685vrjaxYYfAdhyUoM3qSNjMMaMl
zVjn0kbWrQn4GqfuRMqcr+zCIQdHNTTJ12+c6UUo/zJp4zzjA68Yur9aiw1iHtR1
rYCPHX2/ZmQjADTHXqwpuMdb5j0VDcd5JcZabdcJkhn/6MRJiN+XryZN/Neq9UbF
5WrMaZz5v0iRnMUCr8HMw29P0ttu5Sma+RyCOZuWlpsXj+C84pJ8CjBbFhzSJzGP
cKI8Syn0CPLN3X6vKs+LJXEHg1jxJ9kuN+RgW+SQRctUX3A0JtFg2tWplkptNtLl
hN5rW+fWxk7BV9dP7wouwVJiKcW3Y/OMCF5H8YHwL/KVHvANBwNM+nmFPrHaqN2s
0RghznmZMVG+9IYedSM6d8ZJLnO/QsNTE0QTGM/3dmBAn9jcndCLTgcgThAtvcmw
lFJYaMN3W455Cccaif93xnb44yn47actgEuM6GOuP15GGJaHD2iBQ2atHcaQhNQR
mxhIIouu+Kaa6g34MA/VGDNoN0eNYI5RZIUSSBl7bgaOXs9/3j1Uvap9yesCaOTU
aAEJAhDDqjX7RUazeEByAiKjv5TxpQzsi8gR4zyrhf6tTx34jHzQNoVjYEtLMEVl
ZlAJ06RoxOj8O6+8RGYd/ZUE+TQPQ4jx+PgWrZPUQx8TSxevuduw5XZ1lKytUSCZ
GFDjOxp0lMGV
=LHSB
-----END PGP MESSAGE-----
fp: 687802D4DFD8AA82EA55666CF7DADAC782D7663D
encrypted_regex: ^(data|stringData)$
version: 3.8.0

5
kubernetes/common/apps/database/kustomization.yaml
View File

@ -1,5 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./namespace.yaml
- ./dbs/ks.yaml

4
kubernetes/common/apps/database/namespace.yaml
View File

@ -1,4 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: database

24
kubernetes/common/apps/intel-gpu/ks.yaml
View File

@ -1,24 +0,0 @@
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: intel-gpu
namespace: flux-system
spec:
timeout: 5m
interval: 10m
path: ./kubernetes/common/apps/intel-gpu/files
prune: true
sourceRef:
kind: GitRepository
name: home-cluster
decryption:
provider: sops
secretRef:
name: sops-gpg
dependsOn:
- name: nfd
namespace: flux-system
# requires certificates for communications between plugins
- name: cert-manager
namespace: flux-system

4
kubernetes/common/apps/metallb/app/files/kustomization.yaml
View File

@ -1,4 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./helm-release.yaml

25
kubernetes/common/apps/metallb/app/ks.yaml
View File

@ -1,25 +0,0 @@
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: metallb
namespace: flux-system
spec:
timeout: 5m
interval: 10m
path: ./kubernetes/common/apps/metallb/app/files
prune: true
sourceRef:
kind: GitRepository
name: home-cluster
decryption:
provider: sops
secretRef:
name: sops-gpg
postBuild:
substitute: {}
substituteFrom:
- kind: ConfigMap
name: cluster-settings
- kind: Secret
name: cluster-secrets

6
kubernetes/common/apps/metallb/kustomization.yaml
View File

@ -1,6 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./namespace.yaml
- ./app/ks.yaml
- ./pool/ks.yaml

4
kubernetes/common/apps/metallb/pool/files/kustomization.yaml
View File

@ -1,4 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./metallb-static-ips.yaml

28
kubernetes/common/apps/metallb/pool/ks.yaml
View File

@ -1,28 +0,0 @@
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: metallb-pool
namespace: flux-system
spec:
timeout: 5m
interval: 10m
path: ./kubernetes/common/apps/metallb/pool/files
prune: true
sourceRef:
kind: GitRepository
name: home-cluster
decryption:
provider: sops
secretRef:
name: sops-gpg
dependsOn:
- name: metallb
namespace: flux-system
postBuild:
substitute: {}
substituteFrom:
- kind: ConfigMap
name: cluster-settings
- kind: Secret
name: cluster-secrets

7
kubernetes/common/apps/traefik/app/files/kustomization.yaml
View File

@ -1,7 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./namespace.yaml
- ./helm-repository.yaml
- ./helm-release.yaml
- ./dashboard-ingress.yaml

25
kubernetes/common/apps/traefik/app/ks.yaml
View File

@ -1,25 +0,0 @@
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: traefik
namespace: flux-system
spec:
timeout: 5m
interval: 10m
path: ./kubernetes/common/apps/traefik/app/files
prune: true
sourceRef:
kind: GitRepository
name: home-cluster
decryption:
provider: sops
secretRef:
name: sops-gpg
postBuild:
substitute: {}
substituteFrom:
- kind: ConfigMap
name: cluster-settings
- kind: Secret
name: cluster-secrets

4
kubernetes/common/apps/traefik/extra/files/kustomization.yaml
View File

@ -1,4 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./default-tls-store.yaml

30
kubernetes/common/apps/traefik/extra/ks.yaml
View File

@ -1,30 +0,0 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: traefik-default-tls
namespace: flux-system
spec:
timeout: 5m
interval: 10m
path: ./kubernetes/common/apps/traefik/extra/files
prune: true
sourceRef:
kind: GitRepository
name: home-cluster
decryption:
provider: sops
secretRef:
name: sops-gpg
dependsOn:
- name: traefik
namespace: flux-system
postBuild:
substitute: {}
substituteFrom:
- kind: ConfigMap
name: cluster-settings
- kind: Secret
name: cluster-secrets

5
kubernetes/common/apps/traefik/kustomization.yaml
View File

@ -1,5 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./app/ks.yaml
- ./extra/ks.yaml

0
kubernetes/common/bootstrap/flux/forgejo-deploy-key.sops.yaml → kubernetes/main/bootstrap/flux/forgejo-deploy-key.sops.yaml
View File

0
kubernetes/common/bootstrap/flux/kustomization.yaml → kubernetes/main/bootstrap/flux/kustomization.yaml
View File

0
kubernetes/common/bootstrap/flux/sops-key.sops.yaml → kubernetes/main/bootstrap/flux/sops-key.sops.yaml
View File

0
kubernetes/common/apps/cert-manager/certs/files/cloudflare-cred.sops.yaml → kubernetes/main/core/cert-manager/cloudflare-cred.sops.yaml
View File

12
kubernetes/common/apps/cert-manager/app/files/helm-release.yaml → kubernetes/main/core/cert-manager/helm-release.yaml
View File

@ -14,7 +14,7 @@ spec:
name: jetstack-charts name: jetstack-charts
namespace: flux-system namespace: flux-system
values: values:
installCRDs: true installCRDs: false
webhook: webhook:
enabled: true enabled: true
extraArgs: extraArgs:
@ -26,8 +26,8 @@ spec:
nameservers: nameservers:
- "1.1.1.1" - "1.1.1.1"
- "9.9.9.9" - "9.9.9.9"
# prometheus: prometheus:
# servicemonitor: servicemonitor:
# enabled: false enabled: true
# labels: labels:
# release: kube-prometheus-stack release: kube-prometheus-stack

0
kubernetes/common/apps/cert-manager/app/files/helm-repository.yaml → kubernetes/main/core/cert-manager/helm-repository.yaml
View File

3
kubernetes/common/apps/cert-manager/certs/files/kustomization.yaml → kubernetes/main/core/cert-manager/kustomization.yaml
View File

@ -1,7 +1,10 @@
apiVersion: kustomize.config.k8s.io/v1beta1 apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
resources: resources:
- ./namespace.yaml
- ./cloudflare-cred.sops.yaml - ./cloudflare-cred.sops.yaml
- ./helm-repository.yaml
- ./helm-release.yaml
- ./letsencrypt-prod.yaml - ./letsencrypt-prod.yaml
- ./letsencrypt-stage.yaml - ./letsencrypt-stage.yaml
- ./wildcard-cert.yaml - ./wildcard-cert.yaml

5
kubernetes/common/apps/cert-manager/certs/files/letsencrypt-prod.yaml → kubernetes/main/core/cert-manager/letsencrypt-prod.yaml
View File

@ -10,6 +10,9 @@ spec:
privateKeySecretRef: privateKeySecretRef:
name: letsencrypt-production name: letsencrypt-production
solvers: solvers:
# - http01:
# ingress:
# class: traefik
- dns01: - dns01:
cloudflare: cloudflare:
email: "${SECRET_MY_EMAIL}" email: "${SECRET_MY_EMAIL}"
@ -19,5 +22,3 @@ spec:
selector: selector:
dnsZones: dnsZones:
- "${SECRET_NEW_DOMAIN}" - "${SECRET_NEW_DOMAIN}"
- "internal.${SECRET_NEW_DOMAIN}"
- "*.internal.${SECRET_NEW_DOMAIN}"

3
kubernetes/common/apps/cert-manager/certs/files/letsencrypt-stage.yaml → kubernetes/main/core/cert-manager/letsencrypt-stage.yaml
View File

@ -10,6 +10,9 @@ spec:
privateKeySecretRef: privateKeySecretRef:
name: letsencrypt-staging name: letsencrypt-staging
solvers: solvers:
# - http01:
# ingress:
# class: traefik
- dns01: - dns01:
cloudflare: cloudflare:
email: "${SECRET_MY_EMAIL}" email: "${SECRET_MY_EMAIL}"

0
kubernetes/common/apps/cert-manager/namespace.yaml → kubernetes/main/core/cert-manager/namespace.yaml
View File

10
kubernetes/common/apps/cert-manager/certs/files/wildcard-cert.yaml → kubernetes/main/core/cert-manager/wildcard-cert.yaml
View File

@ -2,10 +2,14 @@ apiVersion: cert-manager.io/v1
kind: Certificate kind: Certificate
metadata: metadata:
name: wildcard-main-cert name: wildcard-main-cert
namespace: nginx namespace: traefik #cert-manager
spec: spec:
secretName: wildcard-main-tls secretName: wildcard-main-tls
# secretTemplate:
# annotations:
# replicator.v1.mittwald.de/replicate-to: "traefik"
duration: 2160h # 90d duration: 2160h # 90d
renewBefore: 360h # 15d renewBefore: 360h # 15d
@ -16,4 +20,6 @@ spec:
dnsNames: dnsNames:
- "${SECRET_NEW_DOMAIN}" - "${SECRET_NEW_DOMAIN}"
- "*.${SECRET_NEW_DOMAIN}" - "*.${SECRET_NEW_DOMAIN}"
- "*.internal.${SECRET_NEW_DOMAIN}" # - "*.k3s.${SECRET_NEW_DOMAIN}"
# - "*.database.${SECRET_NEW_DOMAIN}"
# - "*.s3.${SECRET_NEW_DOMAIN}"

0
kubernetes/common/apps/intel-gpu/files/gpu-plugin.yaml → kubernetes/main/core/intel-gpu/files/gpu-plugin.yaml
View File

0
kubernetes/common/apps/intel-gpu/files/helm-repos.yaml → kubernetes/main/core/intel-gpu/files/helm-repos.yaml
View File

0
kubernetes/common/apps/intel-gpu/files/intel-device-plugins-operator.yaml → kubernetes/main/core/intel-gpu/files/intel-device-plugins-operator.yaml
View File

0
kubernetes/common/apps/intel-gpu/files/kustomization.yaml → kubernetes/main/core/intel-gpu/files/kustomization.yaml
View File

0
kubernetes/common/apps/intel-gpu/files/namespace.yaml → kubernetes/main/core/intel-gpu/files/namespace.yaml
View File

7
kubernetes/thin/apps/snapshot-system/ks.yaml → kubernetes/main/core/intel-gpu/ks.yaml
View File

@ -2,12 +2,12 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1 apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization kind: Kustomization
metadata: metadata:
name: snapshot-system name: intel-gpu
namespace: flux-system namespace: flux-system
spec: spec:
timeout: 5m timeout: 5m
interval: 10m interval: 10m
path: ./kubernetes/thin/apps/snapshot-system/app path: ./kubernetes/main/core/intel-gpu/files
prune: true prune: true
sourceRef: sourceRef:
kind: GitRepository kind: GitRepository
@ -16,3 +16,6 @@ spec:
provider: sops provider: sops
secretRef: secretRef:
name: sops-gpg name: sops-gpg
dependsOn:
- name: nfd
namespace: flux-system

15
kubernetes/main/core/kustomization.yaml
View File

@ -3,14 +3,9 @@ kind: Kustomization
resources: resources:
- ./kube-system - ./kube-system
- ./helm-repositories.yaml - ./helm-repositories.yaml
- ../../common/apps/cert-manager - ./cert-manager
- ../../common/apps/metallb - ./networking
- ../../common/apps/traefik - ./storage
# storage
- ./longhorn
- ./openebs
- ./kube-replicator - ./kube-replicator
- ./nfd/ks.yaml
- ../../common/apps/nfd/ks.yaml - ./intel-gpu/ks.yaml
- ../../common/apps/intel-gpu/ks.yaml

3
kubernetes/thin/apps/nginx/external/kustomization.yaml → kubernetes/main/core/networking/kustomization.yaml
View File

@ -1,4 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1 apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
resources: resources:
- ./helm-release.yaml - ./traefik
- ./metallb

2
kubernetes/common/apps/metallb/app/files/helm-release.yaml → kubernetes/main/core/networking/metallb/helm-release.yaml
View File

@ -24,4 +24,4 @@ spec:
namespace: flux-system namespace: flux-system
values: values:
crds: crds:
enabled: true enabled: false

3
kubernetes/thin/apps/traefik/app/files/kustomization.yaml → kubernetes/main/core/networking/metallb/kustomization.yaml
View File

@ -2,6 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
resources: resources:
- ./namespace.yaml - ./namespace.yaml
- ./helm-repository.yaml
- ./helm-release.yaml - ./helm-release.yaml
- ./internal-hr.yaml - ./metallb-static-ips.yaml

0
kubernetes/common/apps/metallb/pool/files/metallb-static-ips.yaml → kubernetes/main/core/networking/metallb/metallb-static-ips.yaml
View File

0
kubernetes/common/apps/metallb/namespace.yaml → kubernetes/main/core/networking/metallb/namespace.yaml
View File

0
kubernetes/common/apps/traefik/app/files/dashboard-ingress.yaml → kubernetes/main/core/networking/traefik/dashboard-ingress.yaml
View File

0
kubernetes/common/apps/traefik/extra/files/default-tls-store.yaml → kubernetes/main/core/networking/traefik/default-tls-store.yaml
View File

1
kubernetes/common/apps/traefik/app/files/helm-release.yaml → kubernetes/main/core/networking/traefik/helm-release.yaml
View File

@ -17,6 +17,7 @@ spec:
values: values:
additionalArguments: additionalArguments:
- --api.insecure - --api.insecure
- --entryPoints.factorio.address=:34197/udp
logs: logs:
general: general:

0
kubernetes/common/apps/traefik/app/files/helm-repository.yaml → kubernetes/main/core/networking/traefik/helm-repository.yaml
View File

3
kubernetes/common/apps/openebs/kustomization.yaml → kubernetes/main/core/networking/traefik/kustomization.yaml
View File

@ -4,4 +4,5 @@ resources:
- ./namespace.yaml - ./namespace.yaml
- ./helm-repository.yaml - ./helm-repository.yaml
- ./helm-release.yaml - ./helm-release.yaml
- ./monitoring-helm-release.yaml - ./default-tls-store.yaml
- ./dashboard-ingress.yaml

0
kubernetes/common/apps/traefik/app/files/namespace.yaml → kubernetes/main/core/networking/traefik/namespace.yaml
View File

0
kubernetes/common/apps/nfd/files/helm-repos.yaml → kubernetes/main/core/nfd/files/helm-repos.yaml
View File

0
kubernetes/common/apps/nfd/files/kustomization.yaml → kubernetes/main/core/nfd/files/kustomization.yaml
View File

0
kubernetes/common/apps/nfd/files/nfd.yaml → kubernetes/main/core/nfd/files/nfd.yaml
View File

2
kubernetes/common/apps/nfd/ks.yaml → kubernetes/main/core/nfd/ks.yaml
View File

@ -7,7 +7,7 @@ metadata:
spec: spec:
timeout: 5m timeout: 5m
interval: 10m interval: 10m
path: ./kubernetes/common/apps/nfd/files path: ./kubernetes/main/core/nfd/files
prune: true prune: true
sourceRef: sourceRef:
kind: GitRepository kind: GitRepository

5
kubernetes/main/core/openebs/kustomization.yaml
View File

@ -1,5 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../../common/apps/openebs
- ./mainpool-sc.yaml

6
kubernetes/common/apps/cert-manager/kustomization.yaml → kubernetes/main/core/storage/kustomization.yaml
View File

@ -1,6 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1 apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
resources: resources:
- ./namespace.yaml - ./longhorn
- ./app/ks.yaml - ./openebs
- ./certs/ks.yaml #- ./local-path-provisioner

82
kubernetes/main/core/storage/local-path-provisioner/helm.yaml Normal file
View File

@ -0,0 +1,82 @@
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
name: local-path-provisioner
namespace: flux-system
spec:
interval: 1m
url: https://github.com/rancher/local-path-provisioner.git
ref:
tag: v0.0.29
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: local-path-provisioner
namespace: kube-system
spec:
interval: 15m
chart:
spec:
chart: ./deploy/chart/local-path-provisioner
sourceRef:
kind: GitRepository
name: local-path-provisioner
namespace: flux-system
maxHistory: 3
install:
createNamespace: true
remediation:
retries: 3
upgrade:
cleanupOnFail: true
remediation:
retries: 3
uninstall:
keepHistory: false
values:
helperImage:
repository: public.ecr.aws/docker/library/busybox
tag: latest
storageClass:
defaultClass: false
nodePathMap:
- node: DEFAULT_PATH_FOR_NON_LISTED_NODES
paths: ["/var/lib/rancher/k3s/storage"]
# Note: Do not enable Flux variable substitution on this HelmRelease
configmap:
setup: |-
#!/bin/sh
while getopts "m:s:p:" opt
do
case $opt in
p)
absolutePath=$OPTARG
;;
s)
sizeInBytes=$OPTARG
;;
m)
volMode=$OPTARG
;;
esac
done
mkdir -m 0777 -p ${absolutePath}
chmod 701 ${absolutePath}/..
teardown: |-
#!/bin/sh
while getopts "m:s:p:" opt
do
case $opt in
p)
absolutePath=$OPTARG
;;
s)
sizeInBytes=$OPTARG
;;
m)
volMode=$OPTARG
;;
esac
done
rm -rf ${absolutePath}

0
kubernetes/main/core/longhorn/alerts.yaml → kubernetes/main/core/storage/longhorn/alerts.yaml
View File

0
kubernetes/main/core/longhorn/helm-release.yaml → kubernetes/main/core/storage/longhorn/helm-release.yaml
View File

0
kubernetes/main/core/longhorn/helm-repository.yaml → kubernetes/main/core/storage/longhorn/helm-repository.yaml
View File

0
kubernetes/main/core/longhorn/kustomization.yaml → kubernetes/main/core/storage/longhorn/kustomization.yaml
View File

0
kubernetes/main/core/longhorn/namespace.yaml → kubernetes/main/core/storage/longhorn/namespace.yaml
View File

0
kubernetes/main/core/longhorn/service-monitor.yaml → kubernetes/main/core/storage/longhorn/service-monitor.yaml
View File

0
kubernetes/common/apps/openebs/helm-release.yaml → kubernetes/main/core/storage/openebs/helm-release.yaml
View File

0
kubernetes/common/apps/openebs/helm-repository.yaml → kubernetes/main/core/storage/openebs/helm-repository.yaml
View File

3
kubernetes/thin/apps/openebs/app/kustomization.yaml → kubernetes/main/core/storage/openebs/kustomization.yaml
View File

@ -4,4 +4,5 @@ resources:
- ./namespace.yaml - ./namespace.yaml
- ./helm-repository.yaml - ./helm-repository.yaml
- ./helm-release.yaml - ./helm-release.yaml
#- ./monitoring-helm-release.yaml - ./mainpool-sc.yaml
- ./monitoring-helm-release.yaml

0
kubernetes/main/core/openebs/mainpool-sc.yaml → kubernetes/main/core/storage/openebs/mainpool-sc.yaml
View File

0
kubernetes/common/apps/openebs/monitoring-helm-release.yaml → kubernetes/main/core/storage/openebs/monitoring-helm-release.yaml
View File

0
kubernetes/common/apps/openebs/namespace.yaml → kubernetes/main/core/storage/openebs/namespace.yaml
View File

1
kubernetes/main/secrets/kustomization.yaml
View File

@ -2,4 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
resources: resources:
- ./cluster-secrets.sops.yaml - ./cluster-secrets.sops.yaml
- ./orca-registry-puller.sops.yaml
- ./cluster-settings.yaml - ./cluster-settings.yaml

62
kubernetes/main/secrets/orca-registry-puller.sops.yaml Normal file
View File

@ -0,0 +1,62 @@
apiVersion: v1
kind: Secret
metadata:
name: orca-puller
namespace: default
annotations:
replicator.v1.mittwald.de/replication-allowed: "true"
replicator.v1.mittwald.de/replication-allowed-namespaces: '*'
data:
.dockerconfigjson: ENC[AES256_GCM,data:g58h5rYAEZu2W3CYnYHgajsp7wvnFdhyRCt1qWPHbVDC+nwD1TVqTGDga1b2/RTR5tdobqZ9FdP41/1dzZeNBe2lfXOsWhQYd87EhpchFYRgsb9u7ZL32sxERhAxSg+0/AaoIYSHbuBLgRwxqnHOojS7Hcg956L+6Kgh/uiaOGsUrKRjlMAI0aN4agx+n/nU,iv:ichMs+o/3ld90VVq/UatXpAtpD6qjrEIdt0ZRwyh0Gg=,tag:lxvZy9U6sGsndz3sAy3DTQ==,type:str]
type: kubernetes.io/dockerconfigjson
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2023-07-22T02:12:00Z"
mac: ENC[AES256_GCM,data:yFHVGwFdi2n4Ju6SqqxXDxqxZaHKROIsQZtF+AtJY52f0XJif9jP2fi05dnxULnQ+wWOq4FPwVXc/9GiCiYMItecEApS0+6C7sWxKCWzYYAiFyxSajECzNtr4/XN5yoZBJCgsgFAf42jy9Nr5xLHOAVomnNfmDheS/Pe+Uq9v9E=,iv:oFKca0hHR7ERNgJqDp3pOxzQDBlTCF9Fx1yIl3HCj2o=,tag:107vU6pOFE6Na4BO5C5tiA==,type:str]
pgp:
- created_at: "2023-07-22T02:12:00Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQIMAzKleRwoSoixAQ//QEVgmHtcIVC1afYtQMgD3Kwb+n0nZid3d/enKN64D+fJ
bw0xXX9tjO4sy3To49k0EDETLW5paxcNApFYL+zajxNfa+EAZfdYxQqKWraQcxvL
/p8bNDyzYDrecWcIdcq4RqrVEA4Ga0K6MmPM0t5l+J/PgguDJWmAxEzlmTb/CdqI
MpUmO0RoLHb6m0vfAkEI0LT5E/37pTdqjAq4eMT9n7zxeHr3NmJBIetahENxTKDk
Ymw7DhBCLZBPvHyxw/kU7hS/yhJMxmLw9mjHuzWkYVYmZQDB/TwqWsL4cVLFNAVu
LqZBHtl2HmaeGefhDij4SfxCj3qTi1e3z1T5wch97XmFanabNizb2oezHYou4h5k
AVqWuxUd13am9YhmRMQ32TPPxyAWpV4W87C/XnIrMrfePH2xy54S2ISyL5lQ1I3K
5/a4ZMU8hBdCw7FxX6OSAXUd5cCfelJEaRopvwgXF5ZfQjARjQ7iGCedqBQbOsZM
vsf5WQvYxp8uivj7gKxhn+KkqJoM225OQKlSwCQ2bj20WsZ3SrjBuK41iO88urej
SJLAqG42e+nUjHXn/ql794kCHHG59uRES1wWLvgQ6Siu8TxJK6B+fjOrHBMOeSiD
oMKyqWIvziXN5KczkIpOWFCJzHb+AGTUn/a/jCLAqAxAqkWHwwbLdMiUv1053vHS
XgHkdbFnWqSekHCdLXu6q1lJhY+VAyzI55Ex2HvdxzBxWQKZAD4c1fFN/88j/Fb4
6/IVZvSU45coCyUR3O+py0s6XvBjrJL6W4haNXMl6nVcTxHgby1JTX5vickv400=
=cqEc
-----END PGP MESSAGE-----
fp: 2CC2B3631D5C3393901335DB68F95C5D753EE1E5
- created_at: "2023-07-22T02:12:00Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQIMAy5t8IMoPu4VAQ//RAyoi7oTNza3klhojjvUXum9iH3pOl1eqNu3qdJc9L4A
rGeo7Q9NTgywAaHQA4N0WPjJfFNkKSFLBxbtRpzlVCNrfontoGoFr5fGFWDh2Kfe
LydY3Zz9yUfcQYuGm8onVM6B6ImYUtM9ZPix808jxfiuz7rvqNmxqTdCa9o5oMHK
TqQ5u26MBR9cFf+W7bxKdDsqm4vEhxxWpEf5wgX+iZboA4O/J8LCVwrp6pb2pJ1q
nMA5ElKk/WZbsB6C20DYNXJRsdHjC1Huye6NDt1Em2XY9qcfWkQskVtohlYCdDCp
TciHgOF32rmN7h1i4j5Ae58AaSQmNRpKZFc192z8+dHdiSlzQEno6XXV11pezz/i
0ALvy2Q+r7xFA8xXyrOf7xOU/j9T8XCEAeidtQoZzEcINtg93tKItakzqacxRa2C
4Yj3Wic3LGSX13dZ5cpQNT6P3F6UMVAlVEEu1lHdsAjShbmuFWSFNXVo473O3Nwu
1imHmfb1xnqbiWS0tKdUX9jMQg+xYPrsAXQESq/9PmPJxl4tsGPzzCu+rMKf9pmF
XqGBASdcf9WaB4Hojm6+4UKb7pPDKAC2vLnOV9ilGv/0z+DwxU0x9swPkAYBm9M9
KkcaEh8petqyU2J8f91ESU3OafMo2h5OsJvzB2Zte2XIZIZV0h0y8mo6LKOJ1hzS
XgFiMVicO02DFcMkSJXA7ZVnV+1qfJl5vPW6Sa0vDikz/k8jYoRSv2skwZcpFIYf
Kr6LbZskq2QVBDS50HdpbOfyF+N8/mYuSfjKkuVH8oOq0KrZ38eJROiygPgpUYk=
=i9P2
-----END PGP MESSAGE-----
fp: 687802D4DFD8AA82EA55666CF7DADAC782D7663D
encrypted_regex: ^(data|stringData)$
version: 3.7.3

54
kubernetes/thin/apps/cilium/bgp.yaml
View File

@ -1,54 +0,0 @@
apiVersion: cilium.io/v2alpha1
kind: CiliumBGPClusterConfig
metadata:
name: cilium-bgp
spec:
nodeSelector:
matchExpressions:
- key: node-role.kubernetes.io/control-plane
operator: DoesNotExist
bgpInstances:
- name: "bgp-public"
localASN: 65552
peers:
- name: "router"
peerASN: 65551
peerAddress: 192.168.1.1
peerConfigRef:
name: "cilium-peer-router"
---
apiVersion: cilium.io/v2alpha1
kind: CiliumBGPPeerConfig
metadata:
name: cilium-peer-router
spec:
timers:
holdTimeSeconds: 9
keepAliveTimeSeconds: 3
gracefulRestart:
enabled: true
restartTimeSeconds: 15
families:
- afi: ipv4
safi: unicast
advertisements:
matchLabels:
advertise: "bgp-public"
---
apiVersion: cilium.io/v2alpha1
kind: CiliumBGPAdvertisement
metadata:
name: bgp-public-ad
labels:
advertise: "bgp-public"
spec:
advertisements:
- advertisementType: "Service"
service:
addresses:
#- ClusterIP
- ExternalIP
- LoadBalancerIP
selector:
matchLabels:
bgp/service-type: public

5
kubernetes/thin/apps/cilium/kustomization.yaml
View File

@ -1,5 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./main-ip-pool.yaml
- ./bgp.yaml

8
kubernetes/thin/apps/cilium/main-ip-pool.yaml
View File

@ -1,8 +0,0 @@
apiVersion: "cilium.io/v2alpha1"
kind: CiliumLoadBalancerIPPool
metadata:
name: "main-pool"
spec:
blocks:
- start: "192.168.2.50"
stop: "192.168.2.59"

128
kubernetes/thin/apps/default/home-assistant/files/helm-release.yaml
View File

@ -1,128 +0,0 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: home-assistant
namespace: default
spec:
interval: 5m
chart:
spec:
chart: app-template
version: 3.4.0
sourceRef:
kind: HelmRepository
name: bjws-charts
namespace: flux-system
dependsOn:
- name: openebs
namespace: openebs
values:
controllers:
main:
containers:
app:
image:
repository: ghcr.io/onedr0p/home-assistant
tag: 2024.9.1
env:
TZ: America/New_York #${SERVER_TIMEZONE}
HASS_HTTP_TRUSTED_PROXY_1: 192.168.0.0/16
HASS_HTTP_TRUSTED_PROXY_2: 10.0.0.0/8
HASS_SECRET_URL: &hassHost "hass.thin.seanomik.net" #${SECRET_NEW_DOMAIN}
HOME_ASSISTANT__HACS_INSTALL: "true"
envFrom:
- secretRef:
name: home-assistant
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities: { drop: ["ALL"] }
resources:
requests:
cpu: 10m
limits:
memory: 2Gi
code-server:
image:
repository: ghcr.io/coder/code-server
tag: 4.92.2
args: [
"--auth", "none",
"--user-data-dir", "/config/.vscode",
"--extensions-dir", "/config/.vscode",
"--port", "12321",
"/config"
]
resources:
requests:
cpu: 10m
limits:
memory: 512Mi
defaultPodOptions:
securityContext:
runAsNonRoot: true
runAsUser: 568
runAsGroup: 568
fsGroup: 568
fsGroupChangePolicy: OnRootMismatch
seccompProfile: { type: RuntimeDefault }
service:
app:
controller: main
ports:
http:
port: 8123
code-server:
port: 12321
ingress:
app:
annotations:
cert-manager.io/cluster-issuer: letsencrypt-production
traefik.ingress.kubernetes.io/router.entrypoints: websecure
#traefik.ingress.kubernetes.io/router.middlewares: traefik-authentik@kubernetescrd
className: external
hosts:
- host: *hassHost
paths:
- path: /
service:
identifier: app
port: http
code-server:
annotations:
cert-manager.io/cluster-issuer: letsencrypt-production
traefik.ingress.kubernetes.io/router.entrypoints: websecure
#traefik.ingress.kubernetes.io/router.middlewares: traefik-authentik@kubernetescrd
className: internal
hosts:
- host: "hass-code.internal.thin.seanomik.net"
paths:
- path: /
service:
identifier: app
port: code-server
persistence:
config:
existingClaim: home-assistant-config
globalMounts:
- path: /config
logs:
type: emptyDir
globalMounts:
- path: /config/logs
tts:
type: emptyDir
globalMounts:
- path: /config/tts
tmp:
type: emptyDir
globalMounts:
- path: /tmp

6
kubernetes/thin/apps/default/home-assistant/files/kustomization.yaml
View File

@ -1,6 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./pvc.yaml
- ./secret.sops.yaml
- ./helm-release.yaml

12
kubernetes/thin/apps/default/home-assistant/files/pvc.yaml
View File

@ -1,12 +0,0 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: home-assistant-config
namespace: default
spec:
accessModes:
- ReadWriteOnce
storageClassName: openebs-dual
resources:
requests:
storage: 6Gi

75
kubernetes/thin/apps/default/home-assistant/files/secret.sops.yaml
View File

@ -1,75 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: home-assistant
namespace: default
type: Opaque
stringData:
HASS_SECRET_ELEVATION: ENC[AES256_GCM,data:+dg6fw==,iv:8YPS3cD/qnZcQCwjdSVYJ5x/z0rSR8jplZfxr1EPqJk=,tag:2S0JTIYBvxN5tAnLMLMwtQ==,type:str]
HASS_SECRET_LATITUDE: ENC[AES256_GCM,data:Kgq3N7fRG8Dn2g==,iv:7m7RQM1WcIKTLfMr1cjcFxqnYJ+7llKNY6Mdl9MdVmI=,tag:wtgsJsCov1BxN0LW3bn2cg==,type:str]
HASS_SECRET_LONGITUDE: ENC[AES256_GCM,data:fBTv0J7rNN6Tt5I=,iv:lU0J2Qd1rRzrIKhYUDeqcQfRidGvsBzby7a/9UiCKYU=,tag:Lyh1QS3WIpP0tl0g9NEQMg==,type:str]
HASS_SECRET_DB_URL: ENC[AES256_GCM,data:YXk+YKDlqnrn7hxGe4Q5cTaafK2ijRWf2NtAltdeJmQ3sAL3Z8N7yV3VwSUkL9Re181JRXeiIebEoIMx2DDlTaYMcnGPQyqjSWBMSt4/+WgmZ0Q=,iv:5N/dbYht2ts26GAh14BxNA3zq7US+s8WbmNWFJtO+jk=,tag:6sqa0kufUdkyMVdJ9rVCdA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2024-09-16T00:34:28Z"
mac: ENC[AES256_GCM,data:zoW6fr1LbCpxj+47BS7YSJtT8CF3QLdkYR+JsNmVNv+NZ5229TC+RGWbSwjyHtqb7Xxzhwzuna8kVR9Jg8dnJOZhEJM2uY7rTx0z0tpakdvUggxDiBH3W8nIc//DzxgbGZwtP9/LNpzE0ucvTKrqJsUW6/Idu815bLknNbeaPxo=,iv:KbbWZ17JQNsCuSI26nGKwKjoP4aULua3GBCJbQgNpyI=,tag:PvEhlwCpYMtJB8lx5vmVfQ==,type:str]
pgp:
- created_at: "2024-09-16T00:34:28Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAyqlIeyoxYovAQ//WFv9Y/YWKUUEV7ymMAqVpCdiVp1DiRBbsNVlBCi+x2lF
NO/AHTeTvJL+9uyavQsSQVuuIhCMG9R7uwTAQaLgZat8Q3ToC4ntEjoxQQfKsUTl
1qfsFTTGW8PJbekkvZmufTMTzmJ+8j0TGnQeCcI9D/XmE/fDP+P551YLCXJm/MtC
xGo1Wz27n0YYseWRjO6hAOU0/z3tQxgEYU40uWt/Wego3XaXVIAOC7E+uxbVIGfW
DsQQQi3E5mKGdWB6VvzozstneZuDNU+GiNCCHsYYCCSMwT4z1FFPTl3T4Qr+yRbQ
Ylh5y7LQsVmHnwzC2eDatxL2v7chSoYWczZMKTmNCcppZ1Lvas14Cd9MdC/yt2yD
jDrXtyw1jPho+A688EvB7E/nCEXnchL0xqCcCqa7IE3+hhZzxLWysfz4QM0Mg2rv
j7QLP2/ssuB9K2dOrudkE0MUzQyf5tu9Av7YD+KR0SEcuQ/Y2yvnScLf4SS/NEgG
erB8e44M/NG/CN38YOxPGtK9FcxjJKyDfk5S//TPteZBgtKwf18H5SDonu3E6WUU
Z61U/Vw31xtIuFVRPAQc5qzfCVQ9N0zJx28F3QJXcgMzmEVHQKyJ+/u9ytfTQpg5
CPfexvgNg9CR++p6MY0tie07iLkmoT23hq1A36Q+pnyqR1bZVu0vVIVtOIANG3qF
AgwDXjg0p2IN1X8BD/4oBsOiwYJYAPdsxtQyMoj92r6NUl+STRdvalSyweJqf9xK
RfQzlNtdN6ADTD7p6PKZxg/Bb9HGJe7eUto78Eqn9Uqu67pGPCUiaVk7JUUayGHd
Fay3OJYuLEgukEo1okq+yBDjj+dGwTJ17Cl8hYgNSyeGCAiXqUkktkRXkjvhI55X
lgOc3wiaRqcuLFG5h00qo3Wy4ESzuQSKFEimpSec8CSxuY/vTg8CFjekkmUerNmd
eKKW6q0IB2WUrxbvG4moF+4pK6F8zOgF1B94cFuFHoDQ1sOFkUI95v0/mEi6qIX4
gTD6DAbgmZCyFWrfH1ogU7vpa2aDrFDHYLFyjESX6zhMVnQwetQsgdQ3C2Q5HpD5
uWuzbVSOVpUzwOsgwP1bUn6Layxnk3cVtgLj5ODdUYSBJZ6/ReQ/aQjhUpNVQIUA
inqCuL6dSFDTKKwDpzdVTX105knBNP5pHaDVdFN+iUu9pbFGSqWAZQ/XtfznBSbl
QntMp70zVe5TlMtB7DCpkRcgI/oOLjciM+ITVW3mh7nX0tbBUZ/2T/KKPwFHNI/4
wU/TH13RW0l92eJRXYarYsOqsDsYzlkOoPupNQFK8UVu44cVe/jPJNNi9yU8EN5r
2VoKr2F7sYprbSunhFrOXFGngCs0pgk6lKcWKE6mP8b2AmmX0FHBjojTDRu3D9Rm
AQkCEHK/1D/N2aQA8WZBnz87r51MTQ+dqxTu9tAOjCGX2jP1NvQqnS2vL+iqsvlo
CxojBsFhFZXLpd/op2N+4nFMA0HAPl4pKj5hi6tUEzkXr9ltfvnIMdv0ZoZoM61r
B1xdW8jX
=HAf4
-----END PGP MESSAGE-----
fp: BD1AAF9D8170F4BEE437365FF6F0933799CFEBCD
- created_at: "2024-09-16T00:34:28Z"
enc: |-
-----BEGIN PGP MESSAGE-----
hQIMAy5t8IMoPu4VAQ//S4pP46cksxK/sNjHKP8A8uY3KNewuTd9URB605mXlaAA
iTMnujsimRREiYoxkcgCIuxoYgpXoi30XrlrSbdKwSt1flGRjVBtW62uvgFRn/Ya
qmZimGRyhSr0NWMZdsCoOGECCd21lGOwGeTmZzcsvYtzT0fgpYoRtQv0L44eBuFy
uzNIvDw7SvvjM2nGWI6VAlAg6CnAz3Fo9JbccZINqgfRTNhtkHU5R6M0M6EjmN6M
xkcr280dOdV3dWKfAtZld2aPb9QLj2vxYxcSqaqQ3jLpmy5JrCT+E4fxt6THyg4R
x9EGds30zUOUwB5hOJGF+dPPdb3M1imZZymDYZ65WDt6nttRVz9p1Vxu8BiMzMef
CPcrArf5ic+TDp4QydwAb3UjkT+b8/iHGLrFLn7E7s9xaWN8Y8wHxhABjEMKia/8
hhZozgapC7EIK10Qq4S+mce+pQrLdPrz++/jEL5enuh3vo8s6PSCAbM7sxjoNUV0
Sjbl3lOlbvRLMRJoxMgeHCYKR8HBKYX3lbPSOl0+D2rwibdrbuk1N4NMq0z9YU3O
PCEDpGxzj469yss1XbpoANG7EpS9uMdTN+ONE1Xx7AvsADMrNvdJeLvku93bknZw
6rD1aSBau98H/WGM1XGu0nOzQgxtfCoaFRnXf03lMldWlkQnwYuhZPs+3mwg8vfU
ZgEJAhD4mf23O6K9MUJFjoHABoZAQqX2UEc7TRjIc+YHGg8PekuK4yTWIKkHIvUL
WdiWaO8gB+QmoyHt6bg4+di1iqTujnKTPqPF6ehpoDlqWHXWs2mxl2UiC6DGUHlm
oIfC9MKtDA==
=uXt0
-----END PGP MESSAGE-----
fp: 687802D4DFD8AA82EA55666CF7DADAC782D7663D
encrypted_regex: ^(data|stringData)$
version: 3.9.0

30
kubernetes/thin/apps/default/home-assistant/ks.yaml
View File

@ -1,30 +0,0 @@
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: home-assistant
namespace: flux-system
spec:
timeout: 5m
interval: 10m
path: ./kubernetes/thin/apps/default/home-assistant/files
prune: true
sourceRef:
kind: GitRepository
name: home-cluster
decryption:
provider: sops
secretRef:
name: sops-gpg
dependsOn:
- name: openebs-sc
namespace: flux-system
- name: postgresql
namespace: flux-system
postBuild:
substitute: {}
substituteFrom:
- kind: ConfigMap
name: cluster-settings
- kind: Secret
name: cluster-secrets

5
kubernetes/thin/apps/default/kustomization.yaml
View File

@ -1,5 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./whoami/ks.yaml
- ./home-assistant/ks.yaml

49
kubernetes/thin/apps/default/whoami/files/helm-release.yaml
View File

@ -1,49 +0,0 @@
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: whoami
namespace: default
spec:
interval: 5m
chart:
spec:
chart: app-template
version: 3.1.0
sourceRef:
kind: HelmRepository
name: bjws-charts
namespace: flux-system
values:
controllers:
main:
containers:
main:
image:
repository: containous/whoami
tag: latest
service:
app:
controller: main
ports:
http:
port: 80
ingress:
main:
annotations:
cert-manager.io/cluster-issuer: letsencrypt-production
traefik.ingress.kubernetes.io/router.entrypoints: websecure
#traefik.ingress.kubernetes.io/router.middlewares: traefik-authentik@kubernetescrd
className: internal
hosts:
- host: "whoami.${SECRET_NEW_DOMAIN}"
paths:
- path: /
service:
identifier: app
port: http

4
kubernetes/thin/apps/default/whoami/files/kustomization.yaml
View File

@ -1,4 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./helm-release.yaml

25
kubernetes/thin/apps/default/whoami/ks.yaml
View File

@ -1,25 +0,0 @@
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: whoami
namespace: flux-system
spec:
timeout: 5m
interval: 10m
path: ./kubernetes/thin/apps/default/whoami/files
prune: true
sourceRef:
kind: GitRepository
name: home-cluster
decryption:
provider: sops
secretRef:
name: sops-gpg
postBuild:
substitute: {}
substituteFrom:
- kind: ConfigMap
name: cluster-settings
- kind: Secret
name: cluster-secrets

26
kubernetes/thin/apps/helm-repositories.yaml
View File

@ -1,26 +0,0 @@
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: bitnami-charts
namespace: flux-system
spec:
interval: 1m
url: https://charts.bitnami.com/bitnami
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: bjws-charts
namespace: flux-system
spec:
interval: 1m
url: https://bjw-s.github.io/helm-charts
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: ingress-nginx
namespace: flux-system
spec:
interval: 1m
url: https://kubernetes.github.io/ingress-nginx

7
kubernetes/thin/apps/kubevirt-cdi/cr/kustomization.yaml
View File

@ -1,7 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- https://github.com/kubevirt/containerized-data-importer/releases/download/v1.60.3/cdi-cr.yaml
# change namespace to kubevirt-cdi
transformers:
- ../namespace-transformer.yaml

62
kubernetes/thin/apps/kubevirt-cdi/ks.yaml
View File

@ -1,62 +0,0 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: kubevirt-cdi-operator
namespace: flux-system
spec:
timeout: 5m
interval: 10m
path: ./kubernetes/thin/apps/kubevirt-cdi/operator
prune: true
targetNamespace: kubevirt-cdi
sourceRef:
kind: GitRepository
name: home-cluster
decryption:
provider: sops
secretRef:
name: sops-gpg
dependsOn:
- name: kubevirt-operator
namespace: flux-system
- name: kubevirt-operator-cr
namespace: flux-system
postBuild:
substitute: {}
substituteFrom:
- kind: ConfigMap
name: cluster-settings
- kind: Secret
name: cluster-secrets
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: kubevirt-cdi-cr
namespace: flux-system
spec:
timeout: 5m
interval: 10m
path: ./kubernetes/thin/apps/kubevirt-cdi/cr
prune: true
targetNamespace: kubevirt-cdi
sourceRef:
kind: GitRepository
name: home-cluster
decryption:
provider: sops
secretRef:
name: sops-gpg
dependsOn:
- name: kubevirt-cdi-operator
namespace: flux-system
postBuild:
substitute: {}
substituteFrom:
- kind: ConfigMap
name: cluster-settings
- kind: Secret
name: cluster-secrets

11
kubernetes/thin/apps/kubevirt-cdi/namespace-transformer.yaml
View File

@ -1,11 +0,0 @@
apiVersion: builtin
kind: NamespaceTransformer
metadata:
name: change-cdi-namespace
namespace: kubevirt-cdi
setRoleBindingSubjects: none
unsetOnly: false
fieldSpecs:
- path: metadata/name
kind: Namespace
create: true

7
kubernetes/thin/apps/kubevirt-cdi/operator/kustomization.yaml
View File

@ -1,7 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- https://github.com/kubevirt/containerized-data-importer/releases/download/v1.60.3/cdi-operator.yaml
# change namespace to kubevirt-cdi
transformers:
- ../namespace-transformer.yaml

4
kubernetes/thin/apps/kubevirt/cr/kustomization.yaml
View File

@ -1,4 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- https://github.com/kubevirt/kubevirt/releases/download/v1.3.1/kubevirt-cr.yaml

60
kubernetes/thin/apps/kubevirt/ks.yaml
View File

@ -1,60 +0,0 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: kubevirt-operator
namespace: flux-system
spec:
timeout: 5m
interval: 10m
path: ./kubernetes/thin/apps/kubevirt/operator
prune: true
targetNamespace: kubevirt
sourceRef:
kind: GitRepository
name: home-cluster
decryption:
provider: sops
secretRef:
name: sops-gpg
dependsOn:
- name: openebs
namespace: flux-system
postBuild:
substitute: {}
substituteFrom:
- kind: ConfigMap
name: cluster-settings
- kind: Secret
name: cluster-secrets
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: kubevirt-operator-cr
namespace: flux-system
spec:
timeout: 5m
interval: 10m
path: ./kubernetes/thin/apps/kubevirt/cr
prune: true
targetNamespace: kubevirt
sourceRef:
kind: GitRepository
name: home-cluster
decryption:
provider: sops
secretRef:
name: sops-gpg
dependsOn:
- name: kubevirt-operator
namespace: flux-system
postBuild:
substitute: {}
substituteFrom:
- kind: ConfigMap
name: cluster-settings
- kind: Secret
name: cluster-secrets

4
kubernetes/thin/apps/kubevirt/operator/kustomization.yaml
View File

@ -1,4 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- https://github.com/kubevirt/kubevirt/releases/download/v1.3.1/kubevirt-operator.yaml

20
kubernetes/thin/apps/kustomization.yaml
View File

@ -1,20 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./helm-repositories.yaml
# networking
- ./cilium
- ./nginx/ks.yaml
- ../../common/apps/cert-manager
# storage
- ./snapshot-system/ks.yaml
- ./openebs/ks.yaml
# hardware
- ../../common/apps/nfd/ks.yaml
- ../../common/apps/intel-gpu/ks.yaml
# VMs
- ./kubevirt/ks.yaml
- ./kubevirt-cdi/ks.yaml
- ../../common/apps/database
- ./default

102
kubernetes/thin/apps/nginx/external/helm-release.yaml vendored
View File

@ -1,102 +0,0 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: nginx-external
spec:
interval: 30m
chart:
spec:
chart: ingress-nginx
version: 4.11.2
sourceRef:
kind: HelmRepository
name: ingress-nginx
namespace: flux-system
install:
remediation:
retries: 3
upgrade:
cleanupOnFail: true
remediation:
strategy: rollback
retries: 3
values:
fullnameOverride: nginx-external
controller:
replicaCount: 2
service:
annotations:
io.cilium/lb-ipam-ips: 192.168.2.50
labels:
bgp/service-type: public
ingressClassResource:
name: external
default: false
controllerValue: k8s.io/external
admissionWebhooks:
objectSelector:
matchExpressions:
- key: ingress-class
operator: In
values: ["external"]
allowSnippetAnnotations: true
config:
# taken from https://github.com/superseriousbusiness/gotosocial/blob/main/internal/web/robots.go
block-user-agents: "GPTBot,~*GPTBot*,ChatGPT-User,~*ChatGPT-User*,Google-Extended,~*Google-Extended*,CCBot,~*CCBot*,Omgilibot,~*Omgilibot*,FacebookBot,~*FacebookBot*"
client-body-buffer-size: 100M
client-body-timeout: 120
client-header-timeout: 120
enable-brotli: "true"
enable-ocsp: "true"
enable-real-ip: "true"
force-ssl-redirect: "true"
hide-headers: Server,X-Powered-By
hsts-max-age: 31449600
keep-alive-requests: 10000
keep-alive: 120
log-format-escape-json: "true"
log-format-upstream: >
{"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr", "x_forwarded_for": "$proxy_add_x_forwarded_for",
"request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time,
"status": $status, "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args",
"request_length": $request_length, "duration": $request_time, "method": "$request_method", "http_referrer": "$http_referer",
"http_user_agent": "$http_user_agent"}
proxy-body-size: 0
proxy-buffer-size: 16k
ssl-protocols: TLSv1.3 TLSv1.2
use-forwarded-headers: "true"
metrics:
enabled: false # TODO
serviceMonitor:
enabled: true
namespaceSelector:
any: true
extraArgs:
default-ssl-certificate: nginx/wildcard-main-tls
terminationGracePeriodSeconds: 120
topologySpreadConstraints:
- maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: DoNotSchedule
labelSelector:
matchLabels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: nginx-external
app.kubernetes.io/component: controller
resources:
requests:
cpu: 100m
limits:
memory: 500Mi
defaultBackend:
enabled: false

102
kubernetes/thin/apps/nginx/internal/helm-release.yaml
View File

@ -1,102 +0,0 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: nginx-internal
spec:
interval: 30m
chart:
spec:
chart: ingress-nginx
version: 4.11.2
sourceRef:
kind: HelmRepository
name: ingress-nginx
namespace: flux-system
install:
remediation:
retries: 3
upgrade:
cleanupOnFail: true
remediation:
strategy: rollback
retries: 3
values:
fullnameOverride: nginx-internal
controller:
replicaCount: 2
service:
annotations:
io.cilium/lb-ipam-ips: 192.168.2.51
labels:
bgp/service-type: public
ingressClassResource:
name: internal
default: true
controllerValue: k8s.io/internal
admissionWebhooks:
objectSelector:
matchExpressions:
- key: ingress-class
operator: In
values: ["internal"]
allowSnippetAnnotations: true
config:
# taken from https://github.com/superseriousbusiness/gotosocial/blob/main/internal/web/robots.go
block-user-agents: "GPTBot,~*GPTBot*,ChatGPT-User,~*ChatGPT-User*,Google-Extended,~*Google-Extended*,CCBot,~*CCBot*,Omgilibot,~*Omgilibot*,FacebookBot,~*FacebookBot*"
client-body-buffer-size: 100M
client-body-timeout: 120
client-header-timeout: 120
enable-brotli: "true"
enable-ocsp: "true"
enable-real-ip: "true"
force-ssl-redirect: "true"
hide-headers: Server,X-Powered-By
hsts-max-age: 31449600
keep-alive-requests: 10000
keep-alive: 120
log-format-escape-json: "true"
log-format-upstream: >
{"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr", "x_forwarded_for": "$proxy_add_x_forwarded_for",
"request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time,
"status": $status, "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args",
"request_length": $request_length, "duration": $request_time, "method": "$request_method", "http_referrer": "$http_referer",
"http_user_agent": "$http_user_agent"}
proxy-body-size: 0
proxy-buffer-size: 16k
ssl-protocols: TLSv1.3 TLSv1.2
use-forwarded-headers: "true"
metrics:
enabled: false # TODO
serviceMonitor:
enabled: true
namespaceSelector:
any: true
extraArgs:
default-ssl-certificate: nginx/wildcard-main-tls
terminationGracePeriodSeconds: 120
topologySpreadConstraints:
- maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: DoNotSchedule
labelSelector:
matchLabels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/instance: nginx-internal
app.kubernetes.io/component: controller
resources:
requests:
cpu: 100m
limits:
memory: 500Mi
defaultBackend:
enabled: false

4
kubernetes/thin/apps/nginx/internal/kustomization.yaml
View File

@ -1,4 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ./helm-release.yaml

Some files were not shown because too many files have changed in this diff Show More