Compare commits

..

107 commits
main ... dev

Author SHA1 Message Date
pipeline
3a4e96aaf0 Update Chart 2024-09-28 21:44:17 +00:00
pipeline
f196ed4fbb Update Chart 2024-09-08 10:42:20 +00:00
pipeline
86e50e6ed8 Update Chart 2024-09-04 23:52:49 +00:00
pipeline
0bb5570668 Update Chart 2024-09-02 12:10:58 +00:00
34950703ca update chart 2024-08-27 04:50:42 -05:00
0ff4cc5bad update 2024-08-27 04:47:51 -05:00
6e4ae08a5c update 2024-08-27 04:46:57 -05:00
df62890043 update 2024-08-25 20:12:35 -05:00
8a9004d456 update 2024-08-25 20:11:49 -05:00
00969f8183 update 2024-08-25 20:10:08 -05:00
b90fdc1991 update 2024-08-25 13:10:41 -05:00
b6e7d5065c update 2024-08-24 18:44:38 -05:00
pipeline
1bab20668d Update Chart 2024-07-14 23:09:00 +00:00
pipeline
750889d58c Update Chart 2024-06-22 17:50:38 +00:00
pipeline
f6da30f4f4 Update Chart 2024-06-16 23:34:26 +00:00
01e75840d3 update 2024-06-08 13:40:49 -05:00
cb2798e201 update 2024-06-08 13:36:03 -05:00
2978aee67a update 2024-06-08 13:32:58 -05:00
6d7e5d6956 update 2024-06-08 13:32:27 -05:00
pipeline
6c3e9ba781 Update Chart 2024-05-29 03:27:44 +00:00
pipeline
5811b6ecbf Update Chart 2024-05-29 03:22:44 +00:00
pipeline
3b05002fcf Update Chart 2024-05-29 03:16:45 +00:00
pipeline
911398e73f Update Chart 2024-05-29 03:06:48 +00:00
pipeline
3254fda226 Update Chart 2024-05-29 03:01:14 +00:00
pipeline
ef8c5e6ba2 Update Chart 2024-05-29 02:45:48 +00:00
pipeline
01c8cd9e38 Update Chart 2024-05-29 02:29:24 +00:00
pipeline
f761405a7f Update Chart 2024-05-29 02:25:50 +00:00
8a3104684e update 2024-05-25 18:18:18 -05:00
6aaafd3a7e update 2024-05-25 10:55:13 -05:00
78e6bd6b8e update 2024-05-25 08:48:13 -05:00
338e3c23c2 update 2024-05-25 08:43:43 -05:00
f4f02d9147 update 2024-05-25 08:33:40 -05:00
2256f76caa update 2024-05-25 07:22:52 -05:00
5915b5b7a3 update 2024-05-25 07:21:53 -05:00
1e19df0c7a update 2024-05-24 05:01:05 -05:00
43486b4ab4 update 2024-05-23 04:58:42 -05:00
9e1debe339 update 2024-05-23 04:54:11 -05:00
f349a1c43a update 2024-05-23 04:49:54 -05:00
a0f384a428 update 2024-05-19 08:40:40 -05:00
1ef48ae879 update 2024-05-19 08:19:42 -05:00
9c35356c5d update 2024-05-19 08:17:52 -05:00
0d4ec2c08a update 2024-05-19 08:13:28 -05:00
ed970283ae update 2024-05-19 08:12:42 -05:00
6bebb64c41 update 2024-05-19 08:08:17 -05:00
bf6d929398 update 2024-05-19 08:07:48 -05:00
475ccd6576 update 2024-05-19 08:06:59 -05:00
8461a4e818 update 2024-05-19 08:03:37 -05:00
d6b5a05352 update 2024-05-19 08:02:12 -05:00
bd9af60728 update 2024-05-19 08:00:18 -05:00
b30297b951 update 2024-05-19 07:36:05 -05:00
81384297be update 2024-05-19 07:35:10 -05:00
8e585ed7b0 update 2024-05-19 07:27:58 -05:00
1017d6a834 update 2024-05-19 07:26:18 -05:00
db7e629fed update 2024-05-19 07:25:59 -05:00
d01ee2da24 update 2024-05-19 07:18:52 -05:00
083bbe5af5 update 2024-05-19 07:04:28 -05:00
c45d239b8c update 2024-05-19 07:00:51 -05:00
1b1d9178d3 update 2024-05-19 06:59:23 -05:00
ca4d492882 update 2024-05-19 06:55:17 -05:00
b7c14e18b2 update 2024-05-19 06:54:35 -05:00
6ad1f067e4 update 2024-05-19 06:54:06 -05:00
3babb5db29 update 2024-05-19 06:50:32 -05:00
b03642cd1d update 2024-05-19 06:49:33 -05:00
f95e7539f0 update 2024-05-19 06:47:54 -05:00
540a9c6f8a update 2024-05-19 06:47:17 -05:00
ce256ff51a update 2024-05-19 06:38:52 -05:00
d0ec1a9909 update 2024-05-19 06:36:12 -05:00
ec8111c239 update 2024-05-18 09:26:47 -05:00
54e51af63f update 2024-05-18 08:57:04 -05:00
6a57946a53 update 2024-05-18 08:53:43 -05:00
2fe3df9227 update 2024-05-18 08:48:37 -05:00
fd9731b7e1 update 2024-05-18 07:45:43 -05:00
0aeccd39b8 update 2024-05-18 07:43:15 -05:00
d63ee6027d update 2024-05-18 07:42:26 -05:00
dd91465e44 update 2024-05-18 07:33:42 -05:00
d42cf229bf update 2024-05-18 07:18:46 -05:00
ec8afdb6bc update 2024-05-18 07:14:11 -05:00
8568d5e4c0 update 2024-05-18 07:08:59 -05:00
2b4e117ba3 update 2024-05-17 05:09:10 -05:00
9f45c8b145 update 2024-05-17 05:07:52 -05:00
38846d58f3 update 2024-05-17 04:57:51 -05:00
43160a8da1 update 2024-05-17 04:57:22 -05:00
690c9e40c9 update 2024-05-17 04:54:23 -05:00
29136dd395 update 2024-05-17 04:53:44 -05:00
bf6314e914 update 2024-05-17 04:52:41 -05:00
a669676e8b update 2024-05-14 06:12:36 -05:00
f69d3babfc update 2024-05-14 06:11:09 -05:00
6059303fcf update 2024-05-14 05:11:27 -05:00
1a0458354b update 2024-05-14 05:10:37 -05:00
a63fe8cb3f update 2024-05-14 05:10:12 -05:00
c47dba6dc6 update 2024-05-14 05:08:32 -05:00
77faed876d update 2024-05-14 05:07:12 -05:00
b105b7004c update 2024-05-14 05:06:44 -05:00
9c59677594 update 2024-05-14 04:54:36 -05:00
2ef82bd70f update 2024-05-14 04:53:37 -05:00
f0ca5ec41f update 2024-05-14 04:51:35 -05:00
c3411b7f93 update 2024-05-14 04:51:07 -05:00
7beeb5c86f update 2024-05-14 04:44:51 -05:00
aed1ff9556 update 2024-05-13 08:21:10 -05:00
76449c7ccd update 2024-05-13 07:39:25 -05:00
2f9dca4bc7 update 2024-05-13 07:38:09 -05:00
583c548900 update 2024-05-13 07:36:54 -05:00
8ff8705a2f update 2024-05-13 07:17:14 -05:00
d0e7fd57ed update 2024-05-13 06:52:13 -05:00
1be8492f4c update 2024-05-13 06:50:24 -05:00
e06a35f1a2 update 2024-05-13 05:08:56 -05:00
ea811669c3 move everything to dev branch 2024-05-13 04:54:27 -05:00
294 changed files with 5844 additions and 8194 deletions

2
.gitignore vendored
View file

@ -1,3 +1 @@
*/.terraform
*/.terraform.lock.hcl
.idea .idea

View file

@ -1,4 +0,0 @@
VAULT_HELM_SECRET_NAME=$(kubectl get secrets -n vault --output=json | jq -r '.items[].metadata | select(.name|startswith("vault-token-")).name')
TOKEN_REVIEW_JWT=$(kubectl get secret $VAULT_HELM_SECRET_NAME -n vault --output='go-template={{ .data.token }}' | base64 --decode)
KUBE_CA_CERT=$(kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.certificate-authority-data}' | base64 --decode)
KUBE_HOST=$(kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.server}')

View file

@ -9,4 +9,6 @@ appVersion: "1.16.0"
dependencies: dependencies:
- name: argo-cd - name: argo-cd
repository: https://argoproj.github.io/argo-helm repository: https://argoproj.github.io/argo-helm
version: 8.6.4 version: 6.7.11

View file

@ -0,0 +1,23 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: internalproxy
namespace: argocd
spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: dev
path: internalproxy
directory:
recurse: true
destination:
server: https://kubernetes.default.svc
namespace: internalproxy
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true

View file

@ -1,16 +1,16 @@
apiVersion: argoproj.io/v1alpha1 apiVersion: argoproj.io/v1alpha1
kind: Application kind: Application
metadata: metadata:
name: nebula-sync name: argocd
namespace: argocd namespace: argocd
spec: spec:
project: default project: default
source: source:
repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: main targetRevision: dev
path: infra/nebula-sync path: argocd
destination: destination:
namespace: nebula-sync namespace: argocd
name: in-cluster name: in-cluster
syncPolicy: syncPolicy:
automated: automated:

View file

@ -1,17 +1,17 @@
apiVersion: argoproj.io/v1alpha1 apiVersion: argoproj.io/v1alpha1
kind: Application kind: Application
metadata: metadata:
name: internal-proxy name: authentik
namespace: argocd namespace: argocd
spec: spec:
project: default project: default
source: source:
repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: main targetRevision: dev
path: dmz/internalproxy path: authentik
destination: destination:
namespace: internalproxy namespace: authentik
name: dmz name: in-cluster
syncPolicy: syncPolicy:
automated: automated:
prune: true prune: true

View file

@ -6,15 +6,18 @@ metadata:
spec: spec:
project: default project: default
source: source:
repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: main targetRevision: dev
path: infra/bitwarden path: bitwarden
directory:
recurse: true
destination: destination:
server: https://kubernetes.default.svc
namespace: bitwarden namespace: bitwarden
name: in-cluster
syncPolicy: syncPolicy:
automated: automated:
prune: true prune: true
selfHeal: true selfHeal: false
syncOptions: syncOptions:
- CreateNamespace=true - CreateNamespace=true

View file

@ -0,0 +1,20 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: cert-manager
namespace: argocd
spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: dev
path: cert-manager
destination:
namespace: cert-manager
name: in-cluster
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true

View file

@ -0,0 +1,20 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: crossplane
namespace: argocd
spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: dev
path: crossplane
destination:
namespace: crossplane
name: in-cluster
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true

View file

@ -0,0 +1,20 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: durpapi
namespace: argocd
spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: dev
path: durpapi
destination:
namespace: durpapi
name: in-cluster
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true

View file

@ -0,0 +1,20 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: durpot
namespace: argocd
spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: dev
path: durpot
destination:
namespace: durpot
name: in-cluster
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true

View file

@ -1,21 +1,20 @@
apiVersion: argoproj.io/v1alpha1 apiVersion: argoproj.io/v1alpha1
kind: Application kind: Application
metadata: metadata:
name: external-dns-dmz name: external-dns
namespace: argocd namespace: argocd
spec: spec:
project: default project: default
source: source:
repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: main targetRevision: dev
path: dmz/external-dns path: external-dns
destination: destination:
namespace: external-dns namespace: external-dns
name: dmz name: in-cluster
syncPolicy: syncPolicy:
automated: automated:
prune: true prune: true
selfHeal: true selfHeal: true
syncOptions: syncOptions:
- CreateNamespace=true - CreateNamespace=true

View file

@ -0,0 +1,20 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: external-secrets
namespace: argocd
spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: dev
path: external-secrets
destination:
namespace: external-secrets
name: in-cluster
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true

View file

@ -0,0 +1,20 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: gatekeeper
namespace: argocd
spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: dev
path: gatekeeper
destination:
namespace: gatekeeper
name: in-cluster
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true

View file

@ -1,18 +1,21 @@
apiVersion: argoproj.io/v1alpha1 apiVersion: argoproj.io/v1alpha1
kind: Application kind: Application
metadata: metadata:
name: nfs name: gitlab-runner
namespace: argocd namespace: argocd
spec: spec:
project: default project: default
source: source:
repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: main targetRevision: dev
path: infra/nfs path: gitlab-runner
destination: destination:
namespace: kube-system namespace: gitlab-runner
name: in-cluster name: in-cluster
syncPolicy: syncPolicy:
automated: automated:
prune: true prune: true
selfHeal: true selfHeal: true
syncOptions:
- CreateNamespace=true

View file

@ -0,0 +1,20 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: heimdall
namespace: argocd
spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: dev
path: heimdall
destination:
namespace: heimdall
name: in-cluster
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true

View file

@ -0,0 +1,36 @@
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: argocd-ingress
annotations:
cert-manager.io/cluster-issuer: letsencrypt-production
spec:
entryPoints:
- websecure
routes:
- match: Host(`argocd.internal.dev.durp.info`)
middlewares:
- name: internal-only
namespace: traefik
kind: Rule
services:
- name: argocd-server
port: 443
scheme: https
tls:
secretName: argocd-tls
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: argocd-tls
spec:
secretName: argocd-tls
issuerRef:
name: letsencrypt-production
kind: ClusterIssuer
commonName: "argocd.internal.dev.durp.info"
dnsNames:
- "argocd.internal.dev.durp.info"

View file

@ -0,0 +1,20 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: krakend
namespace: argocd
spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: dev
path: krakend
destination:
namespace: krakend
name: in-cluster
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true

View file

@ -6,15 +6,16 @@ metadata:
spec: spec:
project: default project: default
source: source:
repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: main targetRevision: dev
path: infra/kube-prometheus-stack path: kube-prometheus-stack
destination: destination:
namespace: kube-prometheus-stack namespace: kube-prometheus-stack
name: in-cluster name: in-cluster
syncPolicy: syncPolicy:
automated: automated:
prune: true prune: true
selfHeal: true selfHeal: true
syncOptions: syncOptions:
- CreateNamespace=true - CreateNamespace=true

View file

@ -0,0 +1,20 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: kubeclarity
namespace: argocd
spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: dev
path: kubeclarity
destination:
namespace: kubeclarity
name: in-cluster
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true

View file

@ -6,17 +6,17 @@ metadata:
spec: spec:
project: default project: default
source: source:
repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: main targetRevision: dev
path: dmz/littlelink path: littlelink
directory: directory:
recurse: true recurse: true
destination: destination:
name: dmz server: https://kubernetes.default.svc
namespace: littlelink namespace: littlelink
syncPolicy: syncPolicy:
automated: automated:
prune: true prune: true
selfHeal: true selfHeal: true
syncOptions: syncOptions:
- CreateNamespace=true - CreateNamespace=true

View file

@ -1,17 +1,17 @@
apiVersion: argoproj.io/v1alpha1 apiVersion: argoproj.io/v1alpha1
kind: Application kind: Application
metadata: metadata:
name: gitlab-runner-dmz name: longhorn-system
namespace: argocd namespace: argocd
spec: spec:
project: default project: default
source: source:
repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: main targetRevision: dev
path: dmz/gitlab-runner path: longhorn
destination: destination:
namespace: gitlab-runner namespace: longhorn-system
name: dmz name: in-cluster
syncPolicy: syncPolicy:
automated: automated:
prune: true prune: true

View file

@ -0,0 +1,21 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: metallb-system
namespace: argocd
spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: dev
path: metallb-system
destination:
namespace: metallb-system
name: in-cluster
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true

View file

@ -0,0 +1,23 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: nfs-client
namespace: argocd
spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: dev
path: nfs-client
directory:
recurse: true
destination:
namespace: nfs-client
name: in-cluster
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true

View file

@ -0,0 +1,20 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: open-webui
namespace: argocd
spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: dev
path: open-webui
destination:
namespace: open-webui
name: in-cluster
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true

View file

@ -0,0 +1,17 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: vault-argocd
labels:
app.kubernetes.io/part-of: argocd
spec:
secretStoreRef:
name: vault
kind: ClusterSecretStore
target:
name: client-secret
data:
- secretKey: clientSecret
remoteRef:
key: secrets/argocd/authentik
property: clientsecret

View file

@ -0,0 +1,20 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: traefik
namespace: argocd
spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: dev
path: traefik
destination:
namespace: traefik
name: in-cluster
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true

View file

@ -1,22 +1,23 @@
apiVersion: argoproj.io/v1alpha1 apiVersion: argoproj.io/v1alpha1
kind: Application kind: Application
metadata: metadata:
name: openspeedtest name: uptimekuma
namespace: argocd namespace: argocd
spec: spec:
project: default project: default
source: source:
repoURL: https://gitlab.durp.info/durfy/homelab/gitops.git repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: main targetRevision: dev
path: dmz/openspeedtest path: uptimekuma
directory: directory:
recurse: true recurse: true
destination: destination:
name: dmz server: https://kubernetes.default.svc
namespace: openspeedtest namespace: uptimekuma
syncPolicy: syncPolicy:
automated: automated:
prune: true prune: true
selfHeal: true selfHeal: true
syncOptions: syncOptions:
- CreateNamespace=true - CreateNamespace=true

View file

@ -0,0 +1,25 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: vault
namespace: argocd
spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: dev
path: vault
destination:
namespace: vault
name: in-cluster
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
ignoreDifferences:
- group: admissionregistration.k8s.io
kind: MutatingWebhookConfiguration
jqPathExpressions:
- .webhooks[]?.clientConfig.caBundle

44
argocd/values.yaml Normal file
View file

@ -0,0 +1,44 @@
argo-cd:
global:
revisionHistoryLimit: 1
image:
repository: registry.internal.durp.info/argoproj/argocd
imagePullPolicy: Always
dex:
enabled: true
image:
repository: registry.internal.durp.info/dexidp/dex
imagePullPolicy: Always
configs:
cm:
create: true
annotations: {}
url: https://argocd.dev.durp.info
oidc.tls.insecure.skip.verify: "true"
dex.config: |
connectors:
- config:
issuer: https://authentik.dev.durp.info/application/o/argocd/
clientID: lKuMgyYaOlQMNAUSjsRVYgkwZG9UT6CeFWeTLAcl
clientSecret: $client-secret:clientSecret
insecureEnableGroups: true
scopes:
- openid
- profile
- email
- groups
name: authentik
type: oidc
id: authentik
rbac:
create: true
policy.csv: |
g, ArgoCD Admins, role:admin
scopes: "[groups]"
server:
route:
enabled: false

View file

@ -7,7 +7,6 @@ version: 0.1.0
appVersion: "1.16.0" appVersion: "1.16.0"
dependencies: dependencies:
- name: authentik - name: authentik
repository: https://charts.goauthentik.io repository: https://charts.goauthentik.io
version: 2025.4.1 version: 2024.4.1

View file

@ -0,0 +1,24 @@
#apiVersion: v1
#kind: PersistentVolume
#metadata:
# annotations:
# pv.kubernetes.io/provisioned-by: durp.info/nfs
# finalizers:
# - kubernetes.io/pv-protection
# name: authentik-pv
#spec:
# accessModes:
# - ReadWriteMany
# capacity:
# storage: 10Gi
# claimRef:
# apiVersion: v1
# kind: PersistentVolumeClaim
# name: authentik-pvc
# namespace: authentik
# nfs:
# path: /mnt/user/k3s/authentik
# server: 192.168.20.253
# persistentVolumeReclaimPolicy: Retain
# storageClassName: nfs-storage
# volumeMode: Filesystem

View file

@ -0,0 +1,18 @@
#apiVersion: v1
#kind: PersistentVolumeClaim
#metadata:
# labels:
# app.kubernetes.io/component: app
# app.kubernetes.io/instance: authentik
# app.kubernetes.io/managed-by: Helm
# app.kubernetes.io/name: authentik
# helm.sh/chart: authentik-2.14.4
# name: authentik-pvc
# namespace: authentik
#spec:
# accessModes:
# - ReadWriteMany
# resources:
# requests:
# storage: 10Gi
# storageClassName: nfs-storage

View file

@ -1,18 +1,4 @@
apiVersion: cert-manager.io/v1 apiVersion: traefik.containo.us/v1alpha1
kind: Certificate
metadata:
name: authentik-tls
spec:
issuerRef:
name: letsencrypt-production
kind: ClusterIssuer
secretName: authentik-tls
commonName: "authentik.durp.info"
dnsNames:
- "authentik.durp.info"
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute kind: IngressRoute
metadata: metadata:
name: authentik-ingress name: authentik-ingress
@ -20,15 +6,31 @@ spec:
entryPoints: entryPoints:
- websecure - websecure
routes: routes:
- match: Host(`authentik.durp.info`) && PathPrefix(`/`) - match: Host(`authentik.dev.durp.info`) && PathPrefix(`/`)
kind: Rule kind: Rule
services: services:
- name: infra-cluster - name: authentik-server
port: 443 port: 80
tls: tls:
secretName: authentik-tls secretName: authentik-tls
--- ---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: authentik-tls
spec:
secretName: authentik-tls
issuerRef:
name: letsencrypt-production
kind: ClusterIssuer
commonName: "authentik.dev.durp.info"
dnsNames:
- "authentik.dev.durp.info"
---
kind: Service kind: Service
apiVersion: v1 apiVersion: v1
metadata: metadata:
@ -37,4 +39,4 @@ metadata:
external-dns.alpha.kubernetes.io/hostname: authentik.durp.info external-dns.alpha.kubernetes.io/hostname: authentik.durp.info
spec: spec:
type: ExternalName type: ExternalName
externalName: durp.info externalName: durp.info

View file

@ -1,4 +1,4 @@
apiVersion: external-secrets.io/v1 apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret kind: ExternalSecret
metadata: metadata:
name: authentik-secret name: authentik-secret
@ -11,25 +11,18 @@ spec:
data: data:
- secretKey: dbpass - secretKey: dbpass
remoteRef: remoteRef:
key: kv/authentik/database key: secrets/authentik/database
property: dbpass property: dbpass
- secretKey: secretkey - secretKey: secretkey
remoteRef: remoteRef:
key: kv/authentik/database key: secrets/authentik/database
property: secretkey property: secretkey
- secretKey: postgresql-postgres-password - secretKey: postgresql-postgres-password
remoteRef: remoteRef:
key: kv/authentik/database key: secrets/authentik/database
property: dbpass property: dbpass
- secretKey: postgresql-password - secretKey: postgresql-password
remoteRef: remoteRef:
key: kv/authentik/database key: secrets/authentik/database
property: dbpass property: dbpass
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: vault

View file

@ -1,8 +1,8 @@
authentik: authentik:
global: global:
security: env:
allowInsecureImages: true - name: AUTHENTIK_REDIS__DB
env: value: "1"
- name: AUTHENTIK_POSTGRESQL__PASSWORD - name: AUTHENTIK_POSTGRESQL__PASSWORD
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
@ -15,44 +15,45 @@ authentik:
key: secretkey key: secretkey
revisionHistoryLimit: 1 revisionHistoryLimit: 1
image: image:
repository: registry.durp.info/goauthentik/server repository: registry.internal.durp.info/goauthentik/server
pullPolicy: Always pullPolicy: Always
authentik: authentik:
outposts: outposts:
container_image_base: registry.durp.info/goauthentik/%(type)s:%(version)s container_image_base: registry.internal.durp.info/goauthentik/%(type)s:%(version)s
postgresql: postgresql:
host: "{{ .Release.Name }}-postgresql-hl" host: '{{ .Release.Name }}-postgresql-hl'
name: "authentik" name: "authentik"
user: "authentik" user: "authentik"
port: 5432 port: 5432
server: server:
name: server name: server
replicas: 3 replicas: 3
worker:
replicas: 3
postgresql: postgresql:
enabled: true enabled: true
image: image:
registry: registry.durp.info registry: registry.internal.durp.info
repository: bitnamilegacy/postgresql repository: bitnami/postgresql
pullPolicy: Always pullPolicy: Always
postgresqlUsername: "authentik" auth:
postgresqlDatabase: "authentik" username: "authentik"
existingSecret: db-pass existingSecret: db-pass
secretKeys:
adminPasswordKey: dbpass
userPasswordKey: dbpass
#postgresqlUsername: "authentik"
#postgresqlDatabase: "authentik"
#existingSecret: db-pass
persistence: persistence:
enabled: true enabled: true
storageClass: longhorn storageClass: longhorn
size: 16Gi
accessModes: accessModes:
- ReadWriteMany - ReadWriteMany
redis: redis:
enabled: true enabled: true
master:
persistence:
enabled: false
image: image:
registry: registry.durp.info registry: registry.internal.durp.info
repository: bitnamilegacy/redis repository: bitnami/redis
pullPolicy: Always pullPolicy: Always
architecture: standalone architecture: standalone
auth: auth:

View file

@ -0,0 +1,25 @@
#apiVersion: v1
#kind: PersistentVolume
#metadata:
# annotations:
# pv.kubernetes.io/provisioned-by: durp.info/nfs
# finalizers:
# - kubernetes.io/pv-protection
# name: bitwarden-pv
#spec:
# accessModes:
# - ReadWriteMany
# capacity:
# storage: 10Gi
# claimRef:
# apiVersion: v1
# kind: PersistentVolumeClaim
# name: bitwarden-pvc
# namespace: bitwarden
# nfs:
# path: /mnt/user/k3s/bitwarden
# server: 192.168.20.253
# persistentVolumeReclaimPolicy: Retain
# storageClassName: nfs-storage
# volumeMode: Filesystem
#

View file

@ -0,0 +1,50 @@
apiVersion: apps/v1
kind: Deployment
metadata:
namespace: bitwarden
name: bitwarden
labels:
app: bitwarden
spec:
selector:
matchLabels:
app: bitwarden
replicas: 1
template:
metadata:
labels:
app: bitwarden
spec:
containers:
- name: bitwarden
image: registry.internal.durp.info/vaultwarden/server:1.30.5
imagePullPolicy: Always
volumeMounts:
- name: bitwarden-pvc
mountPath: /data
subPath: bitwaren-data
ports:
- name: http
containerPort: 80
env:
- name: SIGNUPS_ALLOWED
value: "TRUE"
- name: INVITATIONS_ALLOWED
value: "FALSE"
- name: WEBSOCKET_ENABLED
value: "TRUE"
- name: ROCKET_ENV
value: "staging"
- name: ROCKET_PORT
value: "80"
- name: ROCKET_WORKERS
value: "10"
- name: ADMIN_TOKEN
valueFrom:
secretKeyRef:
name: bitwarden-secret
key: ADMIN_TOKEN
volumes:
- name: bitwarden-pvc
persistentVolumeClaim:
claimName: bitwarden-pvc

View file

@ -0,0 +1,63 @@
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: bitwarden-ingress
spec:
entryPoints:
- websecure
routes:
- match: Host(`bitwarden.dev.durp.info`) && PathPrefix(`/`)
kind: Rule
services:
- name: bitwarden
port: 80
tls:
secretName: bitwarden-tls
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: bitwarden-tls
spec:
secretName: bitwarden-tls
issuerRef:
name: letsencrypt-production
kind: ClusterIssuer
commonName: "bitwarden.dev.durp.info"
dnsNames:
- "bitwarden.dev.durp.info"
---
kind: Service
apiVersion: v1
metadata:
name: bitwarden-external-dns
annotations:
external-dns.alpha.kubernetes.io/hostname: bitwarden.dev.durp.info
spec:
type: ExternalName
externalName: dev.durp.info
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: bitwarden-admin-ingress
spec:
entryPoints:
- websecure
routes:
- match: Host(`bitwarden.dev.durp.info`) && PathPrefix(`/admin`)
kind: Rule
middlewares:
- name: whitelist
namespace: traefik
services:
- name: bitwarden
port: 80
tls:
secretName: bitwarden-tls

View file

@ -1,4 +1,4 @@
apiVersion: external-secrets.io/v1 apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret kind: ExternalSecret
metadata: metadata:
name: bitwarden-secret name: bitwarden-secret
@ -11,13 +11,6 @@ spec:
data: data:
- secretKey: ADMIN_TOKEN - secretKey: ADMIN_TOKEN
remoteRef: remoteRef:
key: kv/bitwarden key: secrets/bitwarden/admin
property: admin_token property: ADMIN_TOKEN
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: vault

View file

@ -8,4 +8,4 @@ appVersion: 0.0.1
dependencies: dependencies:
- name: cert-manager - name: cert-manager
repository: https://charts.jetstack.io repository: https://charts.jetstack.io
version: v1.17.2 version: 1.*.*

View file

@ -0,0 +1,16 @@
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-production
spec:
acme:
server: https://acme-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: letsencrypt-production
solvers:
- dns01:
cloudflare:
email: developerdurp@durp.info
apiTokenSecretRef:
name: cloudflare-api-token-secret
key: cloudflare-api-token-secret

View file

@ -0,0 +1,16 @@
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-staging
spec:
acme:
server: https://acme-staging-v02.api.letsencrypt.org/directory
privateKeySecretRef:
name: letsencrypt-staging
solvers:
- dns01:
cloudflare:
email: developerdurp@durp.info
apiTokenSecretRef:
name: cloudflare-api-token-secret
key: cloudflare-api-token-secret

View file

@ -1,4 +1,4 @@
apiVersion: external-secrets.io/v1 apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret kind: ExternalSecret
metadata: metadata:
name: cloudflare-api-token-secret name: cloudflare-api-token-secret
@ -11,12 +11,6 @@ spec:
data: data:
- secretKey: cloudflare-api-token-secret - secretKey: cloudflare-api-token-secret
remoteRef: remoteRef:
key: kv/cert-manager key: secrets/cert-manager
property: cloudflare-api-token-secret property: cloudflare-api-token-secret
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: vault

View file

@ -0,0 +1,13 @@
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: selfsigned-issuer
spec:
selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: selfsigned-cluster-issuer
spec:
selfSigned: {}

View file

@ -1,10 +1,9 @@
cert-manager: cert-manager:
crds:
enabled: true
image: image:
registry: registry.internal.durp.info registry: registry.internal.durp.info
repository: jetstack/cert-manager-controller repository: jetstack/cert-manager-controller
pullPolicy: Always pullPolicy: Always
installCRDs: true
replicaCount: 3 replicaCount: 3
extraArgs: extraArgs:
- --dns01-recursive-nameservers=1.1.1.1:53,1.0.0.1:53 - --dns01-recursive-nameservers=1.1.1.1:53,1.0.0.1:53
@ -23,4 +22,4 @@ cert-manager:
image: image:
registry: registry.internal.durp.info registry: registry.internal.durp.info
repository: jetstack/cert-manager-cainjector repository: jetstack/cert-manager-cainjector
pullPolicy: Always pullPolicy: Always

View file

@ -1,5 +1,5 @@
apiVersion: v2 apiVersion: v2
name: longhorn-system name: crossplane
description: A Helm chart for Kubernetes description: A Helm chart for Kubernetes
type: application type: application
@ -7,6 +7,6 @@ version: 0.1.0
appVersion: "1.16.0" appVersion: "1.16.0"
dependencies: dependencies:
- name: longhorn - name: crossplane
repository: https://charts.longhorn.io repository: https://charts.crossplane.io/stable
version: 1.9.0 version: 1.16.0

View file

@ -0,0 +1,55 @@
apiVersion: pkg.crossplane.io/v1
kind: Provider
metadata:
name: provider-gitlab
spec:
package: xpkg.upbound.io/crossplane-contrib/provider-gitlab:v0.7.0
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: gitlab-secret
spec:
secretStoreRef:
name: vault
kind: ClusterSecretStore
target:
name: gitlab-secret
data:
- secretKey: accesstoken
remoteRef:
key: secrets/gitlab/token
property: accesstoken
---
#apiVersion: gitlab.crossplane.io/v1beta1
#kind: ProviderConfig
#metadata:
# name: gitlab-provider
#spec:
# baseURL: https://gitlab.com/
# credentials:
# source: Secret
# secretRef:
# namespace: crossplane
# name: gitlab-secret
# key: accesstoken
#
#---
#
#apiVersion: projects.gitlab.crossplane.io/v1alpha1
#kind: Project
#metadata:
# name: example-project
#spec:
# deletionPolicy: Orphan
# forProvider:
# name: "Example Project"
# description: "example project description"
# providerConfigRef:
# name: gitlab-provider
# policy:
# resolution: Optional
# resolve: Always

186
crossplane/values.yaml Normal file
View file

@ -0,0 +1,186 @@
# helm-docs renders these comments into markdown. Use markdown formatting where
# appropiate.
#
# -- The number of Crossplane pod `replicas` to deploy.
replicas: 1
# -- The deployment strategy for the Crossplane and RBAC Manager pods.
deploymentStrategy: RollingUpdate
image:
# -- Repository for the Crossplane pod image.
repository: xpkg.upbound.io/crossplane/crossplane
# -- The Crossplane image tag. Defaults to the value of `appVersion` in `Chart.yaml`.
tag: ""
# -- The image pull policy used for Crossplane and RBAC Manager pods.
pullPolicy: IfNotPresent
# -- Add `nodeSelectors` to the Crossplane pod deployment.
nodeSelector: {}
# -- Add `tolerations` to the Crossplane pod deployment.
tolerations: []
# -- Add `affinities` to the Crossplane pod deployment.
affinity: {}
# -- Enable `hostNetwork` for the Crossplane deployment. Caution: enabling `hostNetwork` grants the Crossplane Pod access to the host network namespace. Consider setting `dnsPolicy` to `ClusterFirstWithHostNet`.
hostNetwork: false
# -- Specify the `dnsPolicy` to be used by the Crossplane pod.
dnsPolicy: ""
# -- Add custom `labels` to the Crossplane pod deployment.
customLabels: {}
# -- Add custom `annotations` to the Crossplane pod deployment.
customAnnotations: {}
serviceAccount:
# -- Add custom `annotations` to the Crossplane ServiceAccount.
customAnnotations: {}
# -- Enable [leader election](https://docs.crossplane.io/latest/concepts/pods/#leader-election) for the Crossplane pod.
leaderElection: true
# -- Add custom arguments to the Crossplane pod.
args: []
provider:
# -- A list of Provider packages to install.
packages: []
configuration:
# -- A list of Configuration packages to install.
packages: []
function:
# -- A list of Function packages to install
packages: []
# -- The imagePullSecret names to add to the Crossplane ServiceAccount.
imagePullSecrets: []
registryCaBundleConfig:
# -- The ConfigMap name containing a custom CA bundle to enable fetching packages from registries with unknown or untrusted certificates.
name: ""
# -- The ConfigMap key containing a custom CA bundle to enable fetching packages from registries with unknown or untrusted certificates.
key: ""
service:
# -- Configure annotations on the service object. Only enabled when webhooks.enabled = true
customAnnotations: {}
webhooks:
# -- Enable webhooks for Crossplane and installed Provider packages.
enabled: true
rbacManager:
# -- Deploy the RBAC Manager pod and its required roles.
deploy: true
# -- Don't install aggregated Crossplane ClusterRoles.
skipAggregatedClusterRoles: false
# -- The number of RBAC Manager pod `replicas` to deploy.
replicas: 1
# -- Enable [leader election](https://docs.crossplane.io/latest/concepts/pods/#leader-election) for the RBAC Manager pod.
leaderElection: true
# -- Add custom arguments to the RBAC Manager pod.
args: []
# -- Add `nodeSelectors` to the RBAC Manager pod deployment.
nodeSelector: {}
# -- Add `tolerations` to the RBAC Manager pod deployment.
tolerations: []
# -- Add `affinities` to the RBAC Manager pod deployment.
affinity: {}
# -- The PriorityClass name to apply to the Crossplane and RBAC Manager pods.
priorityClassName: ""
resourcesCrossplane:
limits:
# -- CPU resource limits for the Crossplane pod.
cpu: 500m
# -- Memory resource limits for the Crossplane pod.
memory: 1024Mi
requests:
# -- CPU resource requests for the Crossplane pod.
cpu: 100m
# -- Memory resource requests for the Crossplane pod.
memory: 256Mi
securityContextCrossplane:
# -- The user ID used by the Crossplane pod.
runAsUser: 65532
# -- The group ID used by the Crossplane pod.
runAsGroup: 65532
# -- Enable `allowPrivilegeEscalation` for the Crossplane pod.
allowPrivilegeEscalation: false
# -- Set the Crossplane pod root file system as read-only.
readOnlyRootFilesystem: true
packageCache:
# -- Set to `Memory` to hold the package cache in a RAM backed file system. Useful for Crossplane development.
medium: ""
# -- The size limit for the package cache. If medium is `Memory` the `sizeLimit` can't exceed Node memory.
sizeLimit: 20Mi
# -- The name of a PersistentVolumeClaim to use as the package cache. Disables the default package cache `emptyDir` Volume.
pvc: ""
# -- The name of a ConfigMap to use as the package cache. Disables the default package cache `emptyDir` Volume.
configMap: ""
resourcesRBACManager:
limits:
# -- CPU resource limits for the RBAC Manager pod.
cpu: 100m
# -- Memory resource limits for the RBAC Manager pod.
memory: 512Mi
requests:
# -- CPU resource requests for the RBAC Manager pod.
cpu: 100m
# -- Memory resource requests for the RBAC Manager pod.
memory: 256Mi
securityContextRBACManager:
# -- The user ID used by the RBAC Manager pod.
runAsUser: 65532
# -- The group ID used by the RBAC Manager pod.
runAsGroup: 65532
# -- Enable `allowPrivilegeEscalation` for the RBAC Manager pod.
allowPrivilegeEscalation: false
# -- Set the RBAC Manager pod root file system as read-only.
readOnlyRootFilesystem: true
metrics:
# -- Enable Prometheus path, port and scrape annotations and expose port 8080 for both the Crossplane and RBAC Manager pods.
enabled: false
# -- Add custom environmental variables to the Crossplane pod deployment.
# Replaces any `.` in a variable name with `_`. For example, `SAMPLE.KEY=value1` becomes `SAMPLE_KEY=value1`.
extraEnvVarsCrossplane: {}
# -- Add custom environmental variables to the RBAC Manager pod deployment.
# Replaces any `.` in a variable name with `_`. For example, `SAMPLE.KEY=value1` becomes `SAMPLE_KEY=value1`.
extraEnvVarsRBACManager: {}
# -- Add a custom `securityContext` to the Crossplane pod.
podSecurityContextCrossplane: {}
# -- Add a custom `securityContext` to the RBAC Manager pod.
podSecurityContextRBACManager: {}
# -- Add custom `volumes` to the Crossplane pod.
extraVolumesCrossplane: {}
# -- Add custom `volumeMounts` to the Crossplane pod.
extraVolumeMountsCrossplane: {}
# -- To add arbitrary Kubernetes Objects during a Helm Install
extraObjects: []
# - apiVersion: pkg.crossplane.io/v1alpha1
# kind: ControllerConfig
# metadata:
# name: aws-config
# annotations:
# eks.amazonaws.com/role-arn: arn:aws:iam::123456789101:role/example
# helm.sh/hook: post-install
# spec:
# podSecurityContext:
# fsGroup: 2000

File diff suppressed because it is too large Load diff

View file

@ -1,95 +0,0 @@
stages:
- plan
- apply
- destroy
variables:
WORKDIR: $CI_PROJECT_DIR/dev/terraform
GITLAB_TF_ADDRESS: ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/terraform/state/dev
image:
name: registry.durp.info/opentofu/opentofu:latest
entrypoint: [""]
.tf-init:
before_script:
- cd $WORKDIR
- tofu init
-reconfigure
-backend-config="address=${GITLAB_TF_ADDRESS}"
-backend-config="lock_address=${GITLAB_TF_ADDRESS}/lock"
-backend-config="unlock_address=${GITLAB_TF_ADDRESS}/lock"
-backend-config="username=gitlab-ci-token"
-backend-config="password=${CI_JOB_TOKEN}"
-backend-config="lock_method=POST"
-backend-config="unlock_method=DELETE"
-backend-config="retry_wait_min=5"
format:
stage: .pre
allow_failure: false
script:
- cd $WORKDIR
- tofu fmt -diff -check -write=false
rules:
- changes:
- "dev/terraform/*.tf"
validate:
stage: .pre
allow_failure: false
extends: .tf-init
script:
- tofu validate
rules:
- changes:
- "dev/terraform/*.tf"
plan-dev-infrastructure:
stage: plan
variables:
PLAN: plan.tfplan
JSON_PLAN_FILE: tfplan.json
ENVIRONMENT_NAME: dev
allow_failure: false
extends: .tf-init
script:
- apk add --update curl jq
- alias convert_report="jq -r '([.resource_changes[].change.actions?]|flatten)|{\"create\":(map(select(.==\"create\"))|length),\"update\":(map(select(.==\"update\"))|length),\"delete\":(map(select(.==\"delete\"))|length)}'"
- tofu plan -out=$PLAN $ARGUMENTS
- tofu show --json $PLAN | jq -r '([.resource_changes[].change.actions?]|flatten)|{"create":(map(select(.=="create"))|length),"update":(map(select(.=="update"))|length),"delete":(map(select(.=="delete"))|length)}' > $JSON_PLAN_FILE
artifacts:
reports:
terraform: $WORKDIR/$JSON_PLAN_FILE
needs: ["validate","format"]
rules:
- changes:
- "dev/terraform/*.tf"
apply-dev-infrastructure:
stage: apply
variables:
ENVIRONMENT_NAME: dev
allow_failure: false
extends: .tf-init
script:
- tofu apply -auto-approve $ARGUMENTS
rules:
- changes:
- "dev/terraform/*.tf"
when: manual
needs: ["plan-dev-infrastructure"]
destroy-dev-infrastructure:
stage: destroy
variables:
ENVIRONMENT_NAME: dev
allow_failure: false
extends: .tf-init
script:
- tofu destroy -auto-approve $ARGUMENTS
rules:
- changes:
- "dev/terraform/*.tf"
when: manual
needs: ["plan-dev-infrastructure"]

View file

@ -1,16 +0,0 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: issuer
secrets:
- name: issuer-token-lmzpj
---
apiVersion: v1
kind: Secret
metadata:
name: issuer-token-lmzpj
annotations:
kubernetes.io/service-account.name: issuer
type: kubernetes.io/service-account-token

File diff suppressed because one or more lines are too long

View file

@ -1,30 +0,0 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: external-dns-secret
spec:
secretStoreRef:
name: vault
kind: ClusterSecretStore
target:
name: external-dns
data:
- secretKey: cloudflare_api_email
remoteRef:
key: kv/cloudflare
property: cloudflare_api_email
- secretKey: cloudflare_api_key
remoteRef:
key: kv/cloudflare
property: cloudflare_api_key
- secretKey: cloudflare_api_token
remoteRef:
key: kv/cloudflare
property: cloudflare_api_token
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: vault

View file

@ -1,81 +0,0 @@
apiVersion: v1
data:
vault.pem: |
-----BEGIN CERTIFICATE-----
MIIEszCCA5ugAwIBAgIUZEzzxqEuYiKHkL1df+Cb22NRRJMwDQYJKoZIhvcNAQEL
BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzIyMzQ0MloXDTM1MDEy
MTExMTU1NVowIDEeMBwGA1UEAxMVdmF1bHQuaW5mcmEuZHVycC5pbmZvMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkZM0ue4bMcmmATs+kGYSpR2hLUzq
scGIwCtqmaKCMbd1xhmgjnIR3zvSRptLR2GVGvc1ti6qby0jXYvcqbxkHvay00zW
2zYN+M2m4lXpuWzg1t6NEoO6XGAsGj2v0vcVktPPU9uj0rGUVGWWfsvjoXqQFg5I
jdxsxK9SvMvw2XtE3FgKxpzCyw94InIHlcPwFTO+3ZdKStZlMbUDIkmszLBrWFcr
XOsPDfLxqMy0Ck//LKIt8djh3254FHB1GG5+kI+JSW1o+tUcL2NymvIINwm/2acS
1uTm+j9W7iEXav0pJNmm+/dzSskc3Y0ftM0h2HCXgitBIaEZnUVneNHOLwIDAQAB
o4IB7zCCAeswDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O
BBYEFCaQ2q7j7LyBGETEZ5qaJAdlISKCMB8GA1UdIwQYMBaAFO1jCyGkpFO+QiR2
dfBMWVYeWrQ2MIH0BggrBgEFBQcBAQSB5zCB5DAzBggrBgEFBQcwAYYnaHR0cHM6
Ly8xOTIuMTY4LjIwLjI1Mzo4MjAxL3YxL3BraS9vY3NwMD0GCCsGAQUFBzABhjFo
dHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3BraS9vY3Nw
MDEGCCsGAQUFBzAChiVodHRwczovLzE5Mi4xNjguMjAuMjUzOjgyMDEvdjEvcGtp
L2NhMDsGCCsGAQUFBzAChi9odHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVy
cC5pbmZvL3YxL3BraS9jYTAgBgNVHREEGTAXghV2YXVsdC5pbmZyYS5kdXJwLmlu
Zm8wbwYDVR0fBGgwZjAsoCqgKIYmaHR0cHM6Ly8xOTIuMTY4LjIwLjI1Mzo4MjAx
L3YxL3BraS9jcmwwNqA0oDKGMGh0dHBzOi8vcm9vdC12YXVsdC5pbnRlcm5hbC5k
dXJwLmluZm8vdjEvcGtpL2NybDANBgkqhkiG9w0BAQsFAAOCAQEAuJ+lplY/+A5L
5LzkljbKDTy3U6PLv1LtxqVCOFGiJXBnXMjtVW07bBEUadzFRNW8GHQ3w5QzOG6k
/vE/TrrJho7l05J/uc+BUrPSNjefLmQV6hn4jrP86PR0vzRfbSqKKBIID9M7+zi6
GFvHlVkSHsQyMQp7JOoax9KVzW2Y+OIgw7Lgw2tP122WCt2SIF0QenoZHsoW0guj
tzTJRmJDjn6XeJ7L3FPkf37H6ub0Jg3zBGr6eorEFfYZNN5CXezjqMFBpRdq4UIo
1M3A7o3uyZFcFsp/vGDcMBkwaCsBV9idu/HwkvGaTUNI285ilBORPD0bMZnACq/9
+Q/cdsO5lg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEmzCCA4OgAwIBAgIUQwCAs82sgSuiaVbjANHScO2DSfAwDQYJKoZIhvcNAQEL
BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzExMjEyNVoXDTM1MDEy
MTExMTU1NVowFDESMBAGA1UEAxMJZHVycC5pbmZvMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAn9fjGRqqFsqguz56X6cXZwEMtD9wElwSFCb4Fc8YTzlH
4fV13QwXKESLE/Q+7bw4y4FJQ8BiGNbxxbQOOgWhfGGlQyFa1lfhJtYLfqRN5C2/
S7nr0YxDB9duc4OAExVL6Pr4/Koc+vDZY03l7RzwnF2AOM9DjFTASw01TphCQjRk
U+upiN2TUhUPejV/gMR+zXM6pn98UBKG1dNubS0HzAMwAEXAPm141NDyWUCPT9+3
6P03Ka8mUTx3X49OCtvJEGEQbtlnTFQaOSkP1yLW+XRMHw3sQaV2PWXu5fInbEpZ
+SuzmgLOXtmQNmHLav9q1qeTVkpBGPWvfh2Vh1JJhQIDAQABo4IB4zCCAd8wDgYD
VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFJaP17f1Zw0V
55Ks9Uf0USVWl0BPMB8GA1UdIwQYMBaAFO1jCyGkpFO+QiR2dfBMWVYeWrQ2MIH0
BggrBgEFBQcBAQSB5zCB5DAzBggrBgEFBQcwAYYnaHR0cHM6Ly8xOTIuMTY4LjIw
LjI1Mzo4MjAxL3YxL3BraS9vY3NwMD0GCCsGAQUFBzABhjFodHRwczovL3Jvb3Qt
dmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3BraS9vY3NwMDEGCCsGAQUFBzAC
hiVodHRwczovLzE5Mi4xNjguMjAuMjUzOjgyMDEvdjEvcGtpL2NhMDsGCCsGAQUF
BzAChi9odHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3Br
aS9jYTAUBgNVHREEDTALgglkdXJwLmluZm8wbwYDVR0fBGgwZjAsoCqgKIYmaHR0
cHM6Ly8xOTIuMTY4LjIwLjI1Mzo4MjAxL3YxL3BraS9jcmwwNqA0oDKGMGh0dHBz
Oi8vcm9vdC12YXVsdC5pbnRlcm5hbC5kdXJwLmluZm8vdjEvcGtpL2NybDANBgkq
hkiG9w0BAQsFAAOCAQEAiqAZ4zNIEkCWcvpDRq0VyJuk59sVtJr5X4FscHQ179nE
QbbvMe+EBDFS6XQml1Elj8jiPa/D5O9Oc6Iisnm5+weZKwApz/lQ+XVkWLCoEplB
ZZ9fcWVCbMLt0xlt8qn5z/mYKfbCT7ZCqDO+prQZt+ADJcQbiknfroAAqEbNKxwN
Y9uUyOWNF3SxJEch4w2dtX+IEVmxeZnhMy8OuP0SQKl8aW40ugiG0ZD5yTBBfOD9
zsrGSU/iSatn0b7bevBhaL96hz1/rNR1cL+4/albX2hrr8Rv3/SB2DLtNQlQW0ls
AfhXAqP5zL+Ytgf1Of/pVdgnhxrYUY7RKCSGY5Hagw==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDLzCCAhegAwIBAgIUNHdvOzam2HPVdwXpMHUy4wl8ZRYwDQYJKoZIhvcNAQEL
BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzExMTUyNVoXDTM1MDEy
MTExMTU1NVowFDESMBAGA1UEAxMJZHVycC5pbmZvMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEA8XDTVEtRI3+k4yuvqVqfIiLRQJcXbmhfVtAeYk+5j9Ox
p1w9YHdnPLqLFrD1PzadjqYeAp/fwlEFfs6lqwoTS8S9vhaFqcgB57nVMb77dTBb
/08XHXOU6FPRjdFKm5QMpS7tn1XacPMy/o0bKqRREQeiuFDGVRyuF5PUgvWc1dvJ
l27JvvgYktgjfpNS4DlCxg4lGXT5abvaKf2hnr65egaIo/yRWN9wnvAzRiY7oci7
GA1oKz87Yc1tfL2gcynrwccOOCF/eUKesJR1I6GXNkN/a1fcr+Ld9Z9NhHBtO+vE
N8DsZY+kG7DE3M4BCCTFUzllcYHjaW4HaF9vZW+PYwIDAQABo3kwdzAOBgNVHQ8B
Af8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU7WMLIaSkU75CJHZ1
8ExZVh5atDYwHwYDVR0jBBgwFoAU7WMLIaSkU75CJHZ18ExZVh5atDYwFAYDVR0R
BA0wC4IJZHVycC5pbmZvMA0GCSqGSIb3DQEBCwUAA4IBAQAS/qUI/1Yv07xUTK5k
r93kC7GSPpmpkXIsfjChAl93sebN143fu70NUP74jjCc0Wkb8hRofGg10E+/24r1
AI0KsLhzKzfIASxUVQAn8RTptLruaaPLboSA4MUZ8IB5y8Vy8E3/KtD0gD80j64Y
rm9XGHA0HTJHbPUTb/Rux2g0E7WtiyWSWH8mqzbegU8IrkM3eVT4+ylBE7YkfWDD
dw44sB71tfmDKpzWg6XQ6YMh0YfnyG1fYCj9LhuecNY9Uuo6cjDaAvkzMewWwqDx
Q2Ekas98Di6itCP8vET+gBDjeCc+XR6Hx6vzWmxlZhwDuxEKL1a2/DabUxJyMNzv
55Fn
-----END CERTIFICATE-----
kind: ConfigMap
metadata:
name: ca-pemstore

View file

@ -1,94 +0,0 @@
external-secrets:
replicaCount: 3
revisionHistoryLimit: 1
leaderElect: true
installCRDs: true
crds:
createClusterExternalSecret: true
createClusterSecretStore: true
createClusterGenerator: true
createPushSecret: true
conversion:
enabled: false
image:
repository: registry.durp.info/external-secrets/external-secrets
pullPolicy: Always
extraVolumes:
- name: ca-pemstore
configMap:
name: ca-pemstore
extraVolumeMounts:
- name: ca-pemstore
mountPath: /etc/ssl/certs/vault.pem
subPath: vault.pem
readOnly: true
resources:
requests:
memory: 32Mi
cpu: 10m
limits:
memory: 32Mi
cpu: 10m
webhook:
create: false
failurePolicy: Ignore
log:
level: debug
image:
repository: registry.durp.info/external-secrets/external-secrets
pullPolicy: Always
extraVolumes:
- name: ca-pemstore
configMap:
name: ca-pemstore
extraVolumeMounts:
- name: ca-pemstore
mountPath: /etc/ssl/certs/vault.pem
subPath: vault.pem
readOnly: true
resources:
requests:
memory: 32Mi
cpu: 10m
limits:
memory: 32Mi
cpu: 10m
certController:
create: false
revisionHistoryLimit: 1
log:
level: debug
image:
repository: registry.durp.info/external-secrets/external-secrets
pullPolicy: Always
tag: ""
resources:
requests:
memory: 32Mi
cpu: 10m
limits:
memory: 32Mi
cpu: 10m
extraVolumes:
- name: ca-pemstore
configMap:
name: ca-pemstore
extraVolumeMounts:
- name: ca-pemstore
mountPath: /etc/ssl/certs/vault.pem
subPath: vault.pem
readOnly: true

View file

@ -1,17 +0,0 @@
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
name: cheap
spec:
addresses:
- 192.168.10.130-192.168.10.140
---
apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
name: pool
namespace: metallb-system
spec:
ipAddressPools:
- cheap

View file

@ -1,58 +0,0 @@
traefik:
image:
# registry: registry.durp.info
# repository: traefik
pullPolicy: Always
providers:
kubernetesCRD:
allowCrossNamespace: true
allowExternalNameServices: true
allowEmptyServices: false
deployment:
replicas: 3
revisionHistoryLimit: 1
# volumes:
# - name: traefik-configmap
# mountPath: "/config"
# type: configMap
ingressRoute:
dashboard:
enabled: true
additionalArguments:
# - "--providers.file.filename=/config/config.yml"
- "--serversTransport.insecureSkipVerify=true"
- "--log.level=DEBUG"
- --experimental.plugins.jwt.moduleName=github.com/traefik-plugins/traefik-jwt-plugin
- --experimental.plugins.jwt.version=v0.7.0
autoscaling:
enabled: true
minReplicas: 3
maxReplicas: 10
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: 80
behavior:
scaleDown:
stabilizationWindowSeconds: 300
policies:
- type: Pods
value: 1
periodSeconds: 60
# -- [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for `traefik` container.
resources:
requests:
cpu: "100m"
memory: "512Mi"
limits:
memory: "512Mi"

View file

@ -1,12 +0,0 @@
apiVersion: v2
name: vault
description: A Helm chart for Kubernetes
type: application
version: 0.0.1
appVersion: 0.0.1
dependencies:
- name: vault
repository: https://helm.releases.hashicorp.com
version: 0.30.0

View file

@ -1,23 +0,0 @@
apiVersion: external-secrets.io/v1
kind: ClusterSecretStore
metadata:
name: vault
spec:
provider:
vault:
server: "https://vault.infra.durp.info"
path: "kv"
version: "v2"
auth:
kubernetes:
mountPath: "dmz-cluster"
role: "external-secrets"
serviceAccountRef:
name: "vault"
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: vault

View file

@ -1,13 +0,0 @@
vault:
global:
enabled: true
tlsDisable: false
externalVaultAddr: "https://vault.infra.durp.info"
resources:
requests:
memory: 256Mi
cpu: 250m
limits:
memory: 256Mi
cpu: 250m

View file

@ -1,95 +0,0 @@
stages:
- plan
- apply
- destroy
variables:
WORKDIR: $CI_PROJECT_DIR/dmz/terraform
GITLAB_TF_ADDRESS: ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/terraform/state/dmz
image:
name: registry.durp.info/opentofu/opentofu:latest
entrypoint: [""]
.tf-init:
before_script:
- cd $WORKDIR
- tofu init
-reconfigure
-backend-config="address=${GITLAB_TF_ADDRESS}"
-backend-config="lock_address=${GITLAB_TF_ADDRESS}/lock"
-backend-config="unlock_address=${GITLAB_TF_ADDRESS}/lock"
-backend-config="username=gitlab-ci-token"
-backend-config="password=${CI_JOB_TOKEN}"
-backend-config="lock_method=POST"
-backend-config="unlock_method=DELETE"
-backend-config="retry_wait_min=5"
format:
stage: .pre
allow_failure: false
script:
- cd $WORKDIR
- tofu fmt -diff -check -write=false
rules:
- changes:
- "dmz/terraform/*.tf"
validate:
stage: .pre
allow_failure: false
extends: .tf-init
script:
- tofu validate
rules:
- changes:
- "dmz/terraform/*.tf"
plan-dmz-infrastructure:
stage: plan
variables:
PLAN: plan.tfplan
JSON_PLAN_FILE: tfplan.json
ENVIRONMENT_NAME: dmz
allow_failure: false
extends: .tf-init
script:
- apk add --update curl jq
- alias convert_report="jq -r '([.resource_changes[].change.actions?]|flatten)|{\"create\":(map(select(.==\"create\"))|length),\"update\":(map(select(.==\"update\"))|length),\"delete\":(map(select(.==\"delete\"))|length)}'"
- tofu plan -out=$PLAN $ARGUMENTS
- tofu show --json $PLAN | jq -r '([.resource_changes[].change.actions?]|flatten)|{"create":(map(select(.=="create"))|length),"update":(map(select(.=="update"))|length),"delete":(map(select(.=="delete"))|length)}' > $JSON_PLAN_FILE
artifacts:
reports:
terraform: $WORKDIR/$JSON_PLAN_FILE
needs: ["validate","format"]
rules:
- changes:
- "dmz/terraform/*.tf"
apply-dmz-infrastructure:
stage: apply
variables:
ENVIRONMENT_NAME: dmz
allow_failure: false
extends: .tf-init
script:
- tofu apply -auto-approve $ARGUMENTS
rules:
- changes:
- "dmz/terraform/*.tf"
when: manual
needs: ["plan-dmz-infrastructure"]
destroy-dmz-infrastructure:
stage: destroy
variables:
ENVIRONMENT_NAME: dmz
allow_failure: false
extends: .tf-init
script:
- tofu destroy -auto-approve $ARGUMENTS
rules:
- changes:
- "dmz/terraform/*.tf"
when: manual
needs: ["plan-dmz-infrastructure"]

View file

@ -1,12 +0,0 @@
apiVersion: v2
name: authentik
description: A Helm chart for Kubernetes
type: application
version: 0.1.0
appVersion: "1.16.0"
dependencies:
- name: authentik-remote-cluster
repository: https://charts.goauthentik.io
version: 2.1.0

View file

@ -1,30 +0,0 @@
authentik-remote-cluster:
# -- Provide a name in place of `authentik`. Prefer using global.nameOverride if possible
nameOverride: ""
# -- String to fully override `"authentik.fullname"`. Prefer using global.fullnameOverride if possible
fullnameOverride: ""
# -- Override the Kubernetes version, which is used to evaluate certain manifests
kubeVersionOverride: ""
## Globally shared configuration for authentik components.
global:
# -- Provide a name in place of `authentik`
nameOverride: ""
# -- String to fully override `"authentik.fullname"`
fullnameOverride: ""
# -- A custom namespace to override the default namespace for the deployed resources.
namespaceOverride: ""
# -- Common labels for all resources.
additionalLabels: {}
# app: authentik
# -- Annotations to apply to all resources
annotations: {}
serviceAccountSecret:
# -- Create a secret with the service account credentials
enabled: true
clusterRole:
# -- Create a clusterole in addition to a namespaced role.
enabled: true

View file

@ -1,11 +0,0 @@
apiVersion: v2
name: cert-manager
description: A Helm chart for Kubernetes
type: application
version: 0.0.1
appVersion: 0.0.1
dependencies:
- name: cert-manager
repository: https://charts.jetstack.io
version: v1.17.2

View file

@ -1,16 +0,0 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: issuer
secrets:
- name: issuer-token-lmzpj
---
apiVersion: v1
kind: Secret
metadata:
name: issuer-token-lmzpj
annotations:
kubernetes.io/service-account.name: issuer
type: kubernetes.io/service-account-token

File diff suppressed because one or more lines are too long

View file

@ -1,22 +0,0 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: cloudflare-api-token-secret
spec:
secretStoreRef:
name: vault
kind: ClusterSecretStore
target:
name: cloudflare-api-token-secret
data:
- secretKey: cloudflare-api-token-secret
remoteRef:
key: kv/cert-manager
property: cloudflare-api-token-secret
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: vault

View file

@ -1,31 +0,0 @@
cert-manager:
crds:
enabled: true
image:
registry: registry.durp.info
repository: jetstack/cert-manager-controller
pullPolicy: Always
replicaCount: 3
extraArgs:
- --dns01-recursive-nameservers=1.1.1.1:53,1.0.0.1:53
- --dns01-recursive-nameservers-only
podDnsPolicy: None
podDnsConfig:
nameservers:
- "1.1.1.1"
- "1.0.0.1"
webhook:
image:
registry: registry.durp.info
repository: jetstack/cert-manager-webhook
pullPolicy: Always
cainjector:
image:
registry: registry.durp.info
repository: jetstack/cert-manager-cainjector
pullPolicy: Always
hostAliases:
- ip: 192.168.12.130
hostnames:
- vault.infra.durp.info

View file

@ -1,11 +0,0 @@
apiVersion: v2
name: crowdsec
description: A Helm chart for Kubernetes
type: application
version: 0.0.1
appVersion: 0.0.1
dependencies:
- name: crowdsec
repository: https://crowdsecurity.github.io/helm-charts
version: 0.19.4

View file

@ -1,29 +0,0 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: enroll-key
spec:
secretStoreRef:
name: vault
kind: ClusterSecretStore
target:
name: enroll-key
data:
- secretKey: ENROLL_INSTANCE_NAME
remoteRef:
key: kv/crowdsec/dmz-enroll
property: ENROLL_INSTANCE_NAME
- secretKey: ENROLL_KEY
remoteRef:
key: kv/crowdsec/dmz-enroll
property: ENROLL_KEY
- secretKey: ENROLL_TAGS
remoteRef:
key: kv/crowdsec/dmz-enroll
property: ENROLL_TAGS
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: vault

View file

@ -1,24 +0,0 @@
crowdsec:
#
image:
repository: registry.durp.info/crowdsecurity/crowdsec
pullPolicy: Always
# for raw logs format: json or cri (docker|containerd)
container_runtime: containerd
agent:
# Specify each pod whose logs you want to process
acquisition:
# The namespace where the pod is located
- namespace: traefik
# The pod name
podName: traefik-*
# as in crowdsec configuration, we need to specify the program name to find a matching parser
program: traefik
env:
- name: COLLECTIONS
value: "crowdsecurity/traefik"
lapi:
envFrom:
- secretRef:
name: enroll-key

View file

@ -1,30 +0,0 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: external-dns-secret
spec:
secretStoreRef:
name: vault
kind: ClusterSecretStore
target:
name: external-dns
data:
- secretKey: cloudflare_api_email
remoteRef:
key: kv/cloudflare
property: cloudflare_api_email
- secretKey: cloudflare_api_key
remoteRef:
key: kv/cloudflare
property: cloudflare_api_key
- secretKey: cloudflare_api_token
remoteRef:
key: kv/cloudflare
property: cloudflare_api_token
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: vault

View file

@ -1,20 +0,0 @@
external-dns:
global:
imageRegistry: "registry.durp.info"
security:
allowInsecureImages: true
image:
pullPolicy: Always
txtPrefix: "dmz-"
sources:
- service
provider: cloudflare
cloudflare:
secretName: "external-dns"
proxied: false
policy: sync

View file

@ -1,11 +0,0 @@
apiVersion: v2
name: external-secrets
description: A Helm chart for Kubernetes
type: application
version: 0.0.1
appVersion: 0.0.1
dependencies:
- name: external-secrets
repository: https://charts.external-secrets.io
version: 0.17.0

View file

@ -1,81 +0,0 @@
apiVersion: v1
data:
vault.pem: |
-----BEGIN CERTIFICATE-----
MIIEszCCA5ugAwIBAgIUZEzzxqEuYiKHkL1df+Cb22NRRJMwDQYJKoZIhvcNAQEL
BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzIyMzQ0MloXDTM1MDEy
MTExMTU1NVowIDEeMBwGA1UEAxMVdmF1bHQuaW5mcmEuZHVycC5pbmZvMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkZM0ue4bMcmmATs+kGYSpR2hLUzq
scGIwCtqmaKCMbd1xhmgjnIR3zvSRptLR2GVGvc1ti6qby0jXYvcqbxkHvay00zW
2zYN+M2m4lXpuWzg1t6NEoO6XGAsGj2v0vcVktPPU9uj0rGUVGWWfsvjoXqQFg5I
jdxsxK9SvMvw2XtE3FgKxpzCyw94InIHlcPwFTO+3ZdKStZlMbUDIkmszLBrWFcr
XOsPDfLxqMy0Ck//LKIt8djh3254FHB1GG5+kI+JSW1o+tUcL2NymvIINwm/2acS
1uTm+j9W7iEXav0pJNmm+/dzSskc3Y0ftM0h2HCXgitBIaEZnUVneNHOLwIDAQAB
o4IB7zCCAeswDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O
BBYEFCaQ2q7j7LyBGETEZ5qaJAdlISKCMB8GA1UdIwQYMBaAFO1jCyGkpFO+QiR2
dfBMWVYeWrQ2MIH0BggrBgEFBQcBAQSB5zCB5DAzBggrBgEFBQcwAYYnaHR0cHM6
Ly8xOTIuMTY4LjIwLjI1Mzo4MjAxL3YxL3BraS9vY3NwMD0GCCsGAQUFBzABhjFo
dHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3BraS9vY3Nw
MDEGCCsGAQUFBzAChiVodHRwczovLzE5Mi4xNjguMjAuMjUzOjgyMDEvdjEvcGtp
L2NhMDsGCCsGAQUFBzAChi9odHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVy
cC5pbmZvL3YxL3BraS9jYTAgBgNVHREEGTAXghV2YXVsdC5pbmZyYS5kdXJwLmlu
Zm8wbwYDVR0fBGgwZjAsoCqgKIYmaHR0cHM6Ly8xOTIuMTY4LjIwLjI1Mzo4MjAx
L3YxL3BraS9jcmwwNqA0oDKGMGh0dHBzOi8vcm9vdC12YXVsdC5pbnRlcm5hbC5k
dXJwLmluZm8vdjEvcGtpL2NybDANBgkqhkiG9w0BAQsFAAOCAQEAuJ+lplY/+A5L
5LzkljbKDTy3U6PLv1LtxqVCOFGiJXBnXMjtVW07bBEUadzFRNW8GHQ3w5QzOG6k
/vE/TrrJho7l05J/uc+BUrPSNjefLmQV6hn4jrP86PR0vzRfbSqKKBIID9M7+zi6
GFvHlVkSHsQyMQp7JOoax9KVzW2Y+OIgw7Lgw2tP122WCt2SIF0QenoZHsoW0guj
tzTJRmJDjn6XeJ7L3FPkf37H6ub0Jg3zBGr6eorEFfYZNN5CXezjqMFBpRdq4UIo
1M3A7o3uyZFcFsp/vGDcMBkwaCsBV9idu/HwkvGaTUNI285ilBORPD0bMZnACq/9
+Q/cdsO5lg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEmzCCA4OgAwIBAgIUQwCAs82sgSuiaVbjANHScO2DSfAwDQYJKoZIhvcNAQEL
BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzExMjEyNVoXDTM1MDEy
MTExMTU1NVowFDESMBAGA1UEAxMJZHVycC5pbmZvMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAn9fjGRqqFsqguz56X6cXZwEMtD9wElwSFCb4Fc8YTzlH
4fV13QwXKESLE/Q+7bw4y4FJQ8BiGNbxxbQOOgWhfGGlQyFa1lfhJtYLfqRN5C2/
S7nr0YxDB9duc4OAExVL6Pr4/Koc+vDZY03l7RzwnF2AOM9DjFTASw01TphCQjRk
U+upiN2TUhUPejV/gMR+zXM6pn98UBKG1dNubS0HzAMwAEXAPm141NDyWUCPT9+3
6P03Ka8mUTx3X49OCtvJEGEQbtlnTFQaOSkP1yLW+XRMHw3sQaV2PWXu5fInbEpZ
+SuzmgLOXtmQNmHLav9q1qeTVkpBGPWvfh2Vh1JJhQIDAQABo4IB4zCCAd8wDgYD
VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFJaP17f1Zw0V
55Ks9Uf0USVWl0BPMB8GA1UdIwQYMBaAFO1jCyGkpFO+QiR2dfBMWVYeWrQ2MIH0
BggrBgEFBQcBAQSB5zCB5DAzBggrBgEFBQcwAYYnaHR0cHM6Ly8xOTIuMTY4LjIw
LjI1Mzo4MjAxL3YxL3BraS9vY3NwMD0GCCsGAQUFBzABhjFodHRwczovL3Jvb3Qt
dmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3BraS9vY3NwMDEGCCsGAQUFBzAC
hiVodHRwczovLzE5Mi4xNjguMjAuMjUzOjgyMDEvdjEvcGtpL2NhMDsGCCsGAQUF
BzAChi9odHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3Br
aS9jYTAUBgNVHREEDTALgglkdXJwLmluZm8wbwYDVR0fBGgwZjAsoCqgKIYmaHR0
cHM6Ly8xOTIuMTY4LjIwLjI1Mzo4MjAxL3YxL3BraS9jcmwwNqA0oDKGMGh0dHBz
Oi8vcm9vdC12YXVsdC5pbnRlcm5hbC5kdXJwLmluZm8vdjEvcGtpL2NybDANBgkq
hkiG9w0BAQsFAAOCAQEAiqAZ4zNIEkCWcvpDRq0VyJuk59sVtJr5X4FscHQ179nE
QbbvMe+EBDFS6XQml1Elj8jiPa/D5O9Oc6Iisnm5+weZKwApz/lQ+XVkWLCoEplB
ZZ9fcWVCbMLt0xlt8qn5z/mYKfbCT7ZCqDO+prQZt+ADJcQbiknfroAAqEbNKxwN
Y9uUyOWNF3SxJEch4w2dtX+IEVmxeZnhMy8OuP0SQKl8aW40ugiG0ZD5yTBBfOD9
zsrGSU/iSatn0b7bevBhaL96hz1/rNR1cL+4/albX2hrr8Rv3/SB2DLtNQlQW0ls
AfhXAqP5zL+Ytgf1Of/pVdgnhxrYUY7RKCSGY5Hagw==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDLzCCAhegAwIBAgIUNHdvOzam2HPVdwXpMHUy4wl8ZRYwDQYJKoZIhvcNAQEL
BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzExMTUyNVoXDTM1MDEy
MTExMTU1NVowFDESMBAGA1UEAxMJZHVycC5pbmZvMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEA8XDTVEtRI3+k4yuvqVqfIiLRQJcXbmhfVtAeYk+5j9Ox
p1w9YHdnPLqLFrD1PzadjqYeAp/fwlEFfs6lqwoTS8S9vhaFqcgB57nVMb77dTBb
/08XHXOU6FPRjdFKm5QMpS7tn1XacPMy/o0bKqRREQeiuFDGVRyuF5PUgvWc1dvJ
l27JvvgYktgjfpNS4DlCxg4lGXT5abvaKf2hnr65egaIo/yRWN9wnvAzRiY7oci7
GA1oKz87Yc1tfL2gcynrwccOOCF/eUKesJR1I6GXNkN/a1fcr+Ld9Z9NhHBtO+vE
N8DsZY+kG7DE3M4BCCTFUzllcYHjaW4HaF9vZW+PYwIDAQABo3kwdzAOBgNVHQ8B
Af8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU7WMLIaSkU75CJHZ1
8ExZVh5atDYwHwYDVR0jBBgwFoAU7WMLIaSkU75CJHZ18ExZVh5atDYwFAYDVR0R
BA0wC4IJZHVycC5pbmZvMA0GCSqGSIb3DQEBCwUAA4IBAQAS/qUI/1Yv07xUTK5k
r93kC7GSPpmpkXIsfjChAl93sebN143fu70NUP74jjCc0Wkb8hRofGg10E+/24r1
AI0KsLhzKzfIASxUVQAn8RTptLruaaPLboSA4MUZ8IB5y8Vy8E3/KtD0gD80j64Y
rm9XGHA0HTJHbPUTb/Rux2g0E7WtiyWSWH8mqzbegU8IrkM3eVT4+ylBE7YkfWDD
dw44sB71tfmDKpzWg6XQ6YMh0YfnyG1fYCj9LhuecNY9Uuo6cjDaAvkzMewWwqDx
Q2Ekas98Di6itCP8vET+gBDjeCc+XR6Hx6vzWmxlZhwDuxEKL1a2/DabUxJyMNzv
55Fn
-----END CERTIFICATE-----
kind: ConfigMap
metadata:
name: ca-pemstore

View file

@ -1,100 +0,0 @@
external-secrets:
global:
security:
allowInsecureImages: true
log:
level: debug
replicaCount: 1
revisionHistoryLimit: 1
leaderElect: false
installCRDs: true
crds:
createClusterExternalSecret: true
createClusterSecretStore: true
createClusterGenerator: true
createPushSecret: true
conversion:
enabled: false
image:
repository: registry.durp.info/external-secrets/external-secrets
pullPolicy: Always
extraVolumes:
- name: ca-pemstore
configMap:
name: ca-pemstore
extraVolumeMounts:
- name: ca-pemstore
mountPath: /etc/ssl/certs/vault.pem
subPath: vault.pem
readOnly: true
# resources:
# requests:
# memory: 32Mi
# cpu: 10m
# limits:
# memory: 32Mi
# cpu: 10m
webhook:
create: false
failurePolicy: Ignore
log:
level: debug
image:
repository: registry.durp.info/external-secrets/external-secrets
pullPolicy: Always
extraVolumes:
- name: ca-pemstore
configMap:
name: ca-pemstore
extraVolumeMounts:
- name: ca-pemstore
mountPath: /etc/ssl/certs/vault.pem
subPath: vault.pem
readOnly: true
# resources:
# requests:
# memory: 32Mi
# cpu: 10m
# limits:
# memory: 32Mi
# cpu: 10m
certController:
create: false
revisionHistoryLimit: 1
log:
level: debug
image:
repository: registry.durp.info/external-secrets/external-secrets
pullPolicy: Always
tag: ""
resources:
requests:
memory: 32Mi
cpu: 10m
limits:
memory: 32Mi
cpu: 10m
extraVolumes:
- name: ca-pemstore
configMap:
name: ca-pemstore
extraVolumeMounts:
- name: ca-pemstore
mountPath: /etc/ssl/certs/vault.pem
subPath: vault.pem
readOnly: true

View file

@ -1,48 +0,0 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: gitlab-secret
spec:
secretStoreRef:
name: vault
kind: ClusterSecretStore
target:
name: gitlab-secret
data:
- secretKey: runner-registration-token
remoteRef:
key: kv/gitlab/runner
property: runner-registration-token
- secretKey: runner-token
remoteRef:
key: kv/gitlab/runner
property: runner-token
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: vault
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: gitlab-secret-personal
spec:
secretStoreRef:
name: vault
kind: ClusterSecretStore
target:
name: gitlab-secret-personal
data:
- secretKey: runner-token
remoteRef:
key: kv/gitlab/runner
property: personal-runner-token
- secretKey: runner-registration-token
remoteRef:
key: kv/gitlab/runner
property: personal-runner-token

View file

@ -1,34 +0,0 @@
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: argocd-infra-ingress
spec:
entryPoints:
- websecure
routes:
- match: Host(`argocd.infra.durp.info`)
middlewares:
- name: whitelist
namespace: traefik
kind: Rule
services:
- name: infra-cluster
port: 443
scheme: https
tls:
secretName: argocd-infra-tls
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: argocd-infra-tls
spec:
secretName: argocd-infra-tls
issuerRef:
name: vault-issuer
kind: ClusterIssuer
commonName: "argocd.infra.durp.info"
dnsNames:
- "argocd.infra.durp.info"

View file

@ -1,42 +0,0 @@
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: bitwarden-ingress
spec:
entryPoints:
- websecure
routes:
- match: Host(`bitwarden.durp.info`) && PathPrefix(`/`)
kind: Rule
services:
- name: infra-cluster
port: 443
tls:
secretName: bitwarden-tls
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: bitwarden-tls
spec:
issuerRef:
name: letsencrypt-production
kind: ClusterIssuer
secretName: bitwarden-tls
commonName: "bitwarden.durp.info"
dnsNames:
- "bitwarden.durp.info"
---
kind: Service
apiVersion: v1
metadata:
name: bitwarden-external-dns
annotations:
external-dns.alpha.kubernetes.io/hostname: bitwarden.durp.info
spec:
type: ExternalName
externalName: durp.info

View file

@ -1,35 +0,0 @@
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: duplicati-ingress
spec:
entryPoints:
- websecure
routes:
- match: Host(`duplicati.internal.durp.info`) && PathPrefix(`/`)
middlewares:
- name: whitelist
namespace: traefik
- name: authentik-proxy-provider
namespace: traefik
kind: Rule
services:
- name: unraid
port: 8200
tls:
secretName: duplicati-tls
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: duplicati-tls
spec:
secretName: duplicati-tls
issuerRef:
name: vault-issuer
kind: ClusterIssuer
commonName: "duplicati.internal.durp.info"
dnsNames:
- "duplicati.internal.durp.info"

View file

@ -1,230 +0,0 @@
apiVersion: v1
kind: Endpoints
metadata:
name: master-cluster
subsets:
- addresses:
- ip: 192.168.20.130
ports:
- port: 443
---
apiVersion: v1
kind: Service
metadata:
name: master-cluster
spec:
ports:
- protocol: TCP
port: 443
targetPort: 443
---
apiVersion: v1
kind: Endpoints
metadata:
name: infra-cluster
subsets:
- addresses:
- ip: 192.168.12.130
ports:
- port: 443
---
apiVersion: v1
kind: Service
metadata:
name: infra-cluster
spec:
ports:
- protocol: TCP
port: 443
targetPort: 443
---
apiVersion: v1
kind: Service
metadata:
name: unraid
spec:
ports:
- name: https
protocol: TCP
port: 443
targetPort: 443
- name: tdarr
port: 8267
protocol: TCP
targetPort: 8267
- name: duplicati
port: 8200
protocol: TCP
targetPort: 8200
- name: forgejo
port: 3000
protocol: TCP
- name: kuma
port: 3001
protocol: TCP
targetPort: 3000
- name: freshrss
port: 8085
protocol: TCP
targetPort: 8085
- name: gitlab-ssh
port: 9022
protocol: TCP
targetPort: 9022
- name: gitlab
port: 9443
protocol: TCP
targetPort: 9443
- name: minio
port: 9769
protocol: TCP
targetPort: 9769
- name: nextcloud
port: 11000
protocol: TCP
targetPort: 11000
- name: nexus
port: 8081
protocol: TCP
targetPort: 8081
- name: openweb-ui
port: 8089
protocol: TCP
targetPort: 8089
- name: plex
port: 32400
protocol: TCP
targetPort: 32400
- name: registry
port: 5000
protocol: TCP
targetPort: 5000
- name: gitlab-registry
port: 5002
protocol: TCP
targetPort: 5002
- name: root-vault
port: 8201
protocol: TCP
targetPort: 8201
- name: s3
port: 9768
protocol: TCP
targetPort: 9768
- name: smokeping
port: 81
protocol: TCP
targetPort: 81
- name: gotify
port: 8070
protocol: TCP
---
apiVersion: v1
kind: Endpoints
metadata:
name: unraid
subsets:
- addresses:
- ip: 192.168.21.200
ports:
- name: https
port: 443
protocol: TCP
- name: tdarr
port: 8267
protocol: TCP
- name: duplicati
port: 8200
protocol: TCP
- name: forgejo
port: 3000
protocol: TCP
- name: kuma
port: 3001
protocol: TCP
- name: freshrss
port: 8085
protocol: TCP
- name: gitlab-ssh
port: 9022
protocol: TCP
- name: gitlab
port: 9443
protocol: TCP
- name: minio
port: 9769
protocol: TCP
- name: nextcloud
port: 11000
protocol: TCP
- name: nexus
port: 8081
protocol: TCP
- name: openweb-ui
port: 8089
protocol: TCP
- name: plex
port: 32400
protocol: TCP
- name: registry
port: 5000
protocol: TCP
- name: gitlab-registry
port: 5002
protocol: TCP
- name: root-vault
port: 8201
protocol: TCP
- name: s3
port: 9768
protocol: TCP
- name: smokeping
port: 81
protocol: TCP
- name: gotify
port: 8070
protocol: TCP
---
apiVersion: v1
kind: Endpoints
metadata:
name: ubuntu
subsets:
- addresses:
- ip: 192.168.20.104
ports:
- name: https
port: 443
protocol: TCP
- name: litellm
port: 4000
protocol: TCP
- name: ollama
port: 11435
protocol: TCP
---
apiVersion: v1
kind: Service
metadata:
name: ubuntu
spec:
ports:
- name: https
port: 443
protocol: TCP
targetPort: 443
- name: litellm
port: 4000
protocol: TCP
targetPort: 4000
- name: ollama
port: 11435
protocol: TCP
targetPort: 11435

View file

@ -1,43 +0,0 @@
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: forgejo-ingress
spec:
entryPoints:
- websecure
routes:
- match: Host(`forgejo.durp.info`) && PathPrefix(`/`)
kind: Rule
services:
- name: unraid
port: 3000
scheme: http
tls:
secretName: forgejo-tls
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: forgejo-tls
spec:
secretName: forgejo-tls
issuerRef:
name: letsencrypt-production
kind: ClusterIssuer
commonName: "forgejo.durp.info"
dnsNames:
- "forgejo.durp.info"
---
kind: Service
apiVersion: v1
metadata:
name: forgejo-external-dns
annotations:
external-dns.alpha.kubernetes.io/hostname: forgejo.durp.info
spec:
type: ExternalName
externalName: durp.info

View file

@ -1,30 +0,0 @@
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: freshrss-ingress
spec:
entryPoints:
- websecure
routes:
- match: Host(`freshrss.durp.info`) && PathPrefix(`/`)
kind: Rule
services:
- name: unraid
port: 8085
tls:
secretName: freshrss-tls
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: freshrss-tls
spec:
secretName: freshrss-tls
issuerRef:
name: vault-issuer
kind: ClusterIssuer
commonName: "freshrss.durp.info"
dnsNames:
- "freshrss.durp.info"

View file

@ -1,125 +0,0 @@
#apiVersion: v1
#kind: Service
#metadata:
# name: gitlab-ssh
#spec:
# ports:
# - name: app
# port: 9022
# protocol: TCP
# targetPort: 9022
# clusterIP: None
# type: ClusterIP
#
#---
#apiVersion: v1
#kind: Endpoints
#metadata:
# name: gitlab-ssh
#subsets:
# - addresses:
# - ip: 192.168.21.200
# ports:
# - name: app
# port: 9022
# protocol: TCP
#
#---
apiVersion: traefik.io/v1alpha1
kind: IngressRouteTCP
metadata:
name: gitlab-ssh
spec:
entryPoints:
- gitlab-ssh
routes:
- match: HostSNI(`*`)
services:
- name: unraid
port: 9022
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: gitlab-ingress
spec:
entryPoints:
- websecure
routes:
- match: Host(`gitlab.durp.info`) && PathPrefix(`/`)
kind: Rule
services:
- name: unraid
port: 9443
scheme: https
tls:
secretName: gitlab-tls
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: gitlab-tls
spec:
secretName: gitlab-tls
issuerRef:
name: letsencrypt-production
kind: ClusterIssuer
commonName: "gitlab.durp.info"
dnsNames:
- "gitlab.durp.info"
---
kind: Service
apiVersion: v1
metadata:
name: gitlab-external-dns
annotations:
external-dns.alpha.kubernetes.io/hostname: gitlab.durp.info
spec:
type: ExternalName
externalName: durp.info
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: gitlab-registry
spec:
entryPoints:
- websecure
routes:
- match: Host(`images.durp.info`)
kind: Rule
services:
- name: unraid
port: 5002
scheme: http
tls:
secretName: gitlab-images-tls
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: gitlab-images-tls
spec:
secretName: gitlab-images-tls
issuerRef:
name: letsencrypt-production
kind: ClusterIssuer
commonName: "images.durp.info"
dnsNames:
- "images.durp.info"
---
kind: Service
apiVersion: v1
metadata:
name: gitlab-images-external-dns
annotations:
external-dns.alpha.kubernetes.io/hostname: images.durp.info
spec:
type: ExternalName
externalName: durp.info

View file

@ -1,41 +0,0 @@
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: gotify-ingress
spec:
entryPoints:
- websecure
routes:
- match: Host(`gotify.durp.info`) && PathPrefix(`/`)
kind: Rule
services:
- name: unraid
port: 8070
scheme: http
tls:
secretName: gotify-tls
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: gotify-tls
spec:
secretName: gotify-tls
issuerRef:
name: letsencrypt-production
kind: ClusterIssuer
commonName: "gotify.durp.info"
dnsNames:
- "gotify.durp.info"
---
kind: Service
apiVersion: v1
metadata:
name: gotify-external-dns
annotations:
external-dns.alpha.kubernetes.io/hostname: gotify.durp.info
spec:
type: ExternalName
externalName: durp.info

View file

@ -1,40 +0,0 @@
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: grafana-ingress
spec:
entryPoints:
- websecure
routes:
- match: Host(`grafana.durp.info`) && PathPrefix(`/`)
kind: Rule
services:
- name: infra-cluster
port: 443
tls:
secretName: grafana-tls
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: grafana-tls
spec:
issuerRef:
name: letsencrypt-production
kind: ClusterIssuer
secretName: grafana-tls
commonName: "grafana.durp.info"
dnsNames:
- "grafana.durp.info"
---
kind: Service
apiVersion: v1
metadata:
name: grafana-external-dns
annotations:
external-dns.alpha.kubernetes.io/hostname: grafana.durp.info
spec:
type: ExternalName
externalName: durp.info

View file

@ -1,75 +0,0 @@
#apiVersion: v1
#kind: Service
#metadata:
# name: invidious
#spec:
# ports:
# - name: app
# port: 3000
# protocol: TCP
# targetPort: 3000
# clusterIP: None
# type: ClusterIP
#
#---
#
#apiVersion: v1
#kind: Endpoints
#metadata:
# name: invidious
#subsets:
#- addresses:
# - ip: 192.168.20.104
# ports:
# - name: app
# port: 3000
# protocol: TCP
#
#---
#
#apiVersion: traefik.io/v1alpha1
#kind: IngressRoute
#metadata:
# name: invidious-ingress
#spec:
# entryPoints:
# - websecure
# routes:
# - match: Host(`invidious.durp.info`) && PathPrefix(`/`)
# middlewares:
# - name: authentik-proxy-provider
# namespace: traefik
# kind: Rule
# services:
# - name: invidious
# port: 3000
# tls:
# secretName: invidious-tls
#
#---
#
#apiVersion: cert-manager.io/v1
#kind: Certificate
#metadata:
# name: invidious-tls
#spec:
# secretName: invidious-tls
# issuerRef:
# name: letsencrypt-production
# kind: ClusterIssuer
# commonName: "invidious.durp.info"
# dnsNames:
# - "invidious.durp.info"
#
#---
#
#kind: Service
#apiVersion: v1
#metadata:
# name: invidious-external-dns
# annotations:
# external-dns.alpha.kubernetes.io/hostname: invidious.durp.info
#spec:
# type: ExternalName
# externalName: durp.info
#

View file

@ -1,43 +0,0 @@
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: kasm-ingress
spec:
entryPoints:
- websecure
routes:
- match: Host(`kasm.durp.info`) && PathPrefix(`/`)
kind: Rule
services:
- name: ubuntu
port: 443
scheme: https
tls:
secretName: kasm-tls
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: kasm-tls
spec:
secretName: kasm-tls
issuerRef:
name: letsencrypt-production
kind: ClusterIssuer
commonName: "kasm.durp.info"
dnsNames:
- "kasm.durp.info"
---
kind: Service
apiVersion: v1
metadata:
name: kasm-external-dns
annotations:
external-dns.alpha.kubernetes.io/hostname: kasm.durp.info
spec:
type: ExternalName
externalName: durp.info

View file

@ -1,41 +0,0 @@
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: kuma-ingress
spec:
entryPoints:
- websecure
routes:
- match: Host(`kuma.durp.info`) && PathPrefix(`/`)
kind: Rule
services:
- name: unraid
port: 3001
scheme: http
tls:
secretName: kuma-tls
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: kuma-tls
spec:
secretName: kuma-tls
issuerRef:
name: letsencrypt-production
kind: ClusterIssuer
commonName: "kuma.durp.info"
dnsNames:
- "kuma.durp.info"
---
kind: Service
apiVersion: v1
metadata:
name: kuma-external-dns
annotations:
external-dns.alpha.kubernetes.io/hostname: kuma.durp.info
spec:
type: ExternalName
externalName: durp.info

View file

@ -1,42 +0,0 @@
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: litellm-ingress
spec:
entryPoints:
- websecure
routes:
- match: Host(`litellm.durp.info`) && PathPrefix(`/`)
kind: Rule
services:
- name: ubuntu
port: 4000
tls:
secretName: litellm-tls
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: litellm-tls
spec:
secretName: litellm-tls
issuerRef:
name: letsencrypt-production
kind: ClusterIssuer
commonName: "litellm.durp.info"
dnsNames:
- "litellm.durp.info"
---
kind: Service
apiVersion: v1
metadata:
name: litellm-external-dns
annotations:
external-dns.alpha.kubernetes.io/hostname: litellm.durp.info
spec:
type: ExternalName
externalName: durp.info

View file

@ -1,34 +0,0 @@
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: longhorn-infra-ingress
annotations:
cert-manager.io/cluster-issuer: vault-issuer
spec:
entryPoints:
- websecure
routes:
- match: Host(`longhorn.infra.durp.info`) && PathPrefix(`/`)
kind: Rule
middlewares:
- name: authentik-proxy-provider
namespace: traefik
services:
- name: infra-cluster
port: 443
tls:
secretName: longhorn-infra-tls
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: longhorn-infra-tls
spec:
secretName: longhorn-infra-tls
issuerRef:
name: vault-issuer
kind: ClusterIssuer
commonName: "longhorn.infra.durp.info"
dnsNames:
- "longhorn.infra.durp.info"

View file

@ -1,34 +0,0 @@
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: minio-ingress
spec:
entryPoints:
- websecure
routes:
- match: Host(`minio.internal.durp.info`) && PathPrefix(`/`)
middlewares:
- name: whitelist
namespace: traefik
kind: Rule
services:
- name: unraid
port: 9769
scheme: http
tls:
secretName: minio-tls
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: minio-tls
spec:
secretName: minio-tls
issuerRef:
name: vault-issuer
kind: ClusterIssuer
commonName: "minio.internal.durp.info"
dnsNames:
- "minio.internal.durp.info"

View file

@ -1,68 +0,0 @@
#apiVersion: v1
#kind: Service
#metadata:
# name: n8n
#spec:
# ports:
# - name: app
# port: 5678
# protocol: TCP
# targetPort: 5678
# clusterIP: None
# type: ClusterIP
#
#---
#apiVersion: v1
#kind: Endpoints
#metadata:
# name: n8n
#subsets:
# - addresses:
# - ip: 192.168.21.200
# ports:
# - name: app
# port: 5678
# protocol: TCP
#
#---
#apiVersion: traefik.io/v1alpha1
#kind: IngressRoute
#metadata:
# name: n8n-ingress
#spec:
# entryPoints:
# - websecure
# routes:
# - match: Host(`n8n.durp.info`) && PathPrefix(`/`)
# kind: Rule
# services:
# - name: n8n
# port: 5678
# scheme: http
# tls:
# secretName: n8n-tls
#
#---
#apiVersion: cert-manager.io/v1
#kind: Certificate
#metadata:
# name: n8n-tls
#spec:
# secretName: n8n-tls
# issuerRef:
# name: letsencrypt-production
# kind: ClusterIssuer
# commonName: "n8n.durp.info"
# dnsNames:
# - "n8n.durp.info"
#
#---
#kind: Service
#apiVersion: v1
#metadata:
# name: n8n-dns
# annotations:
# dns.alpha.kubernetes.io/hostname: n8n.durp.info
#spec:
# type: ExternalName
# externalName: durp.info

View file

@ -1,74 +0,0 @@
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: nextcloud-ingress
spec:
entryPoints:
- websecure
routes:
- match: Host(`nextcloud.durp.info`) && PathPrefix(`/`)
kind: Rule
middlewares:
- name: nextcloud-chain
services:
- name: unraid
port: 11000
scheme: http
tls:
secretName: nextcloud-tls
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: nextcloud-tls
spec:
secretName: nextcloud-tls
issuerRef:
name: letsencrypt-production
kind: ClusterIssuer
commonName: "nextcloud.durp.info"
dnsNames:
- "nextcloud.durp.info"
---
kind: Service
apiVersion: v1
metadata:
name: nextcloud-external-dns
annotations:
external-dns.alpha.kubernetes.io/hostname: nextcloud.durp.info
spec:
type: ExternalName
externalName: durp.info
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: nextcloud-secure-headers
spec:
headers:
hostsProxyHeaders:
- "X-Forwarded-Host"
referrerPolicy: "same-origin"
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: https-redirect
spec:
redirectScheme:
scheme: https
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: nextcloud-chain
spec:
chain:
middlewares:
- name: https-redirect
- name: nextcloud-secure-headers

Some files were not shown because too many files have changed in this diff Show more