initial commit
This commit is contained in:
commit
471f30f0b1
13 changed files with 286 additions and 0 deletions
3
.envrc
Normal file
3
.envrc
Normal file
|
|
@ -0,0 +1,3 @@
|
||||||
|
source_url "https://raw.githubusercontent.com/cachix/devenv/82c0147677e510b247d8b9165c54f73d32dfd899/direnvrc" "sha256-7u4iDd1nZpxL4tCzmPG0dQgC5V+/44Ba+tHkPob1v2k="
|
||||||
|
|
||||||
|
use devenv
|
||||||
1
.gitignore
vendored
Normal file
1
.gitignore
vendored
Normal file
|
|
@ -0,0 +1 @@
|
||||||
|
.devenv
|
||||||
23
apps/istio.yaml
Normal file
23
apps/istio.yaml
Normal file
|
|
@ -0,0 +1,23 @@
|
||||||
|
apiVersion: argoproj.io/v1alpha1
|
||||||
|
kind: Application
|
||||||
|
metadata:
|
||||||
|
name: istio
|
||||||
|
namespace: argocd
|
||||||
|
spec:
|
||||||
|
project: default
|
||||||
|
source:
|
||||||
|
repoURL: https://github.com/gwg313/homelab-gitops
|
||||||
|
targetRevision: main
|
||||||
|
path: istio
|
||||||
|
helm:
|
||||||
|
valueFiles:
|
||||||
|
- base-values.yaml
|
||||||
|
destination:
|
||||||
|
server: https://kubernetes.default.svc
|
||||||
|
namespace: istio-system
|
||||||
|
syncPolicy:
|
||||||
|
automated:
|
||||||
|
selfHeal: true
|
||||||
|
prune: true
|
||||||
|
syncOptions:
|
||||||
|
- CreateNamespace=true
|
||||||
18
apps/security.yaml
Normal file
18
apps/security.yaml
Normal file
|
|
@ -0,0 +1,18 @@
|
||||||
|
apiVersion: argoproj.io/v1alpha1
|
||||||
|
kind: Application
|
||||||
|
metadata:
|
||||||
|
name: cluster-security
|
||||||
|
namespace: argocd
|
||||||
|
spec:
|
||||||
|
project: default
|
||||||
|
source:
|
||||||
|
repoURL: https://github.com/gwg313/homelab-gitops
|
||||||
|
targetRevision: main
|
||||||
|
path: security
|
||||||
|
destination:
|
||||||
|
server: https://kubernetes.default.svc
|
||||||
|
namespace: kube-system
|
||||||
|
syncPolicy:
|
||||||
|
automated:
|
||||||
|
selfHeal: true
|
||||||
|
prune: true
|
||||||
103
devenv.lock
Normal file
103
devenv.lock
Normal file
|
|
@ -0,0 +1,103 @@
|
||||||
|
{
|
||||||
|
"nodes": {
|
||||||
|
"devenv": {
|
||||||
|
"locked": {
|
||||||
|
"dir": "src/modules",
|
||||||
|
"lastModified": 1750529628,
|
||||||
|
"owner": "cachix",
|
||||||
|
"repo": "devenv",
|
||||||
|
"rev": "cee0466541d357356b8c1ee0a61f3e0b94c7a54e",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"dir": "src/modules",
|
||||||
|
"owner": "cachix",
|
||||||
|
"repo": "devenv",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"flake-compat": {
|
||||||
|
"flake": false,
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1747046372,
|
||||||
|
"owner": "edolstra",
|
||||||
|
"repo": "flake-compat",
|
||||||
|
"rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "edolstra",
|
||||||
|
"repo": "flake-compat",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"git-hooks": {
|
||||||
|
"inputs": {
|
||||||
|
"flake-compat": "flake-compat",
|
||||||
|
"gitignore": "gitignore",
|
||||||
|
"nixpkgs": [
|
||||||
|
"nixpkgs"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1749636823,
|
||||||
|
"owner": "cachix",
|
||||||
|
"repo": "git-hooks.nix",
|
||||||
|
"rev": "623c56286de5a3193aa38891a6991b28f9bab056",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "cachix",
|
||||||
|
"repo": "git-hooks.nix",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"gitignore": {
|
||||||
|
"inputs": {
|
||||||
|
"nixpkgs": [
|
||||||
|
"git-hooks",
|
||||||
|
"nixpkgs"
|
||||||
|
]
|
||||||
|
},
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1709087332,
|
||||||
|
"owner": "hercules-ci",
|
||||||
|
"repo": "gitignore.nix",
|
||||||
|
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "hercules-ci",
|
||||||
|
"repo": "gitignore.nix",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"nixpkgs": {
|
||||||
|
"locked": {
|
||||||
|
"lastModified": 1750441195,
|
||||||
|
"owner": "cachix",
|
||||||
|
"repo": "devenv-nixpkgs",
|
||||||
|
"rev": "0ceffe312871b443929ff3006960d29b120dc627",
|
||||||
|
"type": "github"
|
||||||
|
},
|
||||||
|
"original": {
|
||||||
|
"owner": "cachix",
|
||||||
|
"ref": "rolling",
|
||||||
|
"repo": "devenv-nixpkgs",
|
||||||
|
"type": "github"
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"root": {
|
||||||
|
"inputs": {
|
||||||
|
"devenv": "devenv",
|
||||||
|
"git-hooks": "git-hooks",
|
||||||
|
"nixpkgs": "nixpkgs",
|
||||||
|
"pre-commit-hooks": [
|
||||||
|
"git-hooks"
|
||||||
|
]
|
||||||
|
}
|
||||||
|
}
|
||||||
|
},
|
||||||
|
"root": "root",
|
||||||
|
"version": 7
|
||||||
|
}
|
||||||
56
devenv.nix
Normal file
56
devenv.nix
Normal file
|
|
@ -0,0 +1,56 @@
|
||||||
|
{
|
||||||
|
pkgs,
|
||||||
|
lib,
|
||||||
|
config,
|
||||||
|
inputs,
|
||||||
|
...
|
||||||
|
}:
|
||||||
|
|
||||||
|
{
|
||||||
|
# https://devenv.sh/basics/
|
||||||
|
env.GREET = "devenv";
|
||||||
|
env = {
|
||||||
|
CONTROL_PLANE_IP = "192.168.10.10";
|
||||||
|
WORKER_1_IP = "192.168.10.11";
|
||||||
|
WORKER_2_IP = "192.168.10.12";
|
||||||
|
};
|
||||||
|
|
||||||
|
# https://devenv.sh/packages/
|
||||||
|
packages = with pkgs; [ talosctl ];
|
||||||
|
|
||||||
|
# https://devenv.sh/languages/
|
||||||
|
# languages.rust.enable = true;
|
||||||
|
|
||||||
|
# https://devenv.sh/processes/
|
||||||
|
# processes.cargo-watch.exec = "cargo-watch";
|
||||||
|
|
||||||
|
# https://devenv.sh/services/
|
||||||
|
# services.postgres.enable = true;
|
||||||
|
|
||||||
|
# https://devenv.sh/scripts/
|
||||||
|
scripts.hello.exec = ''
|
||||||
|
echo hello from $GREET
|
||||||
|
'';
|
||||||
|
|
||||||
|
enterShell = ''
|
||||||
|
hello
|
||||||
|
git --version
|
||||||
|
'';
|
||||||
|
|
||||||
|
# https://devenv.sh/tasks/
|
||||||
|
# tasks = {
|
||||||
|
# "myproj:setup".exec = "mytool build";
|
||||||
|
# "devenv:enterShell".after = [ "myproj:setup" ];
|
||||||
|
# };
|
||||||
|
|
||||||
|
# https://devenv.sh/tests/
|
||||||
|
enterTest = ''
|
||||||
|
echo "Running tests"
|
||||||
|
git --version | grep --color=auto "${pkgs.git.version}"
|
||||||
|
'';
|
||||||
|
|
||||||
|
# https://devenv.sh/pre-commit-hooks/
|
||||||
|
# pre-commit.hooks.shellcheck.enable = true;
|
||||||
|
|
||||||
|
# See full reference at https://devenv.sh/reference/options/
|
||||||
|
}
|
||||||
14
istio/Chart.yaml
Normal file
14
istio/Chart.yaml
Normal file
|
|
@ -0,0 +1,14 @@
|
||||||
|
apiVersion: v2
|
||||||
|
name: istio
|
||||||
|
description: Istio base + control plane + ingress gateway
|
||||||
|
version: 0.1.0
|
||||||
|
dependencies:
|
||||||
|
- name: base
|
||||||
|
version: 1.22.0
|
||||||
|
repository: https://istio-release.storage.googleapis.com/charts
|
||||||
|
- name: istiod
|
||||||
|
version: 1.22.0
|
||||||
|
repository: https://istio-release.storage.googleapis.com/charts
|
||||||
|
- name: gateway
|
||||||
|
version: 1.22.0
|
||||||
|
repository: https://istio-release.storage.googleapis.com/charts
|
||||||
0
istio/README.md
Normal file
0
istio/README.md
Normal file
17
istio/base-values.yaml
Normal file
17
istio/base-values.yaml
Normal file
|
|
@ -0,0 +1,17 @@
|
||||||
|
# Enable Istio base + control plane + ingress gateway
|
||||||
|
global:
|
||||||
|
istioNamespace: istio-system
|
||||||
|
|
||||||
|
istiod:
|
||||||
|
enabled: true
|
||||||
|
meshConfig:
|
||||||
|
enablePrometheusMerge: true
|
||||||
|
accessLogFile: /dev/stdout
|
||||||
|
pilot:
|
||||||
|
autoscaleEnabled: false
|
||||||
|
|
||||||
|
gateway:
|
||||||
|
enabled: true
|
||||||
|
name: istio-ingressgateway
|
||||||
|
service:
|
||||||
|
type: LoadBalancer
|
||||||
22
root-app.yaml
Normal file
22
root-app.yaml
Normal file
|
|
@ -0,0 +1,22 @@
|
||||||
|
apiVersion: argoproj.io/v1alpha1
|
||||||
|
kind: Application
|
||||||
|
metadata:
|
||||||
|
name: root-app
|
||||||
|
namespace: argocd
|
||||||
|
spec:
|
||||||
|
project: default
|
||||||
|
source:
|
||||||
|
repoURL: https://github.com/gwg313/homelab-gitops
|
||||||
|
targetRevision: main
|
||||||
|
path: apps
|
||||||
|
directory:
|
||||||
|
recurse: true
|
||||||
|
destination:
|
||||||
|
server: https://kubernetes.default.svc
|
||||||
|
namespace: argocd
|
||||||
|
syncPolicy:
|
||||||
|
automated:
|
||||||
|
selfHeal: true
|
||||||
|
prune: true
|
||||||
|
syncOptions:
|
||||||
|
- CreateNamespace=true
|
||||||
7
security/namespace-policies.yaml
Normal file
7
security/namespace-policies.yaml
Normal file
|
|
@ -0,0 +1,7 @@
|
||||||
|
apiVersion: v1
|
||||||
|
kind: Namespace
|
||||||
|
metadata:
|
||||||
|
name: secure-default
|
||||||
|
labels:
|
||||||
|
pod-security.kubernetes.io/enforce: "restricted"
|
||||||
|
pod-security.kubernetes.io/enforce-version: "latest"
|
||||||
10
security/network-policies.yaml
Normal file
10
security/network-policies.yaml
Normal file
|
|
@ -0,0 +1,10 @@
|
||||||
|
apiVersion: networking.k8s.io/v1
|
||||||
|
kind: NetworkPolicy
|
||||||
|
metadata:
|
||||||
|
name: default-deny-all
|
||||||
|
namespace: secure-default
|
||||||
|
spec:
|
||||||
|
podSelector: {}
|
||||||
|
policyTypes:
|
||||||
|
- Ingress
|
||||||
|
- Egress
|
||||||
12
security/rbac.yaml
Normal file
12
security/rbac.yaml
Normal file
|
|
@ -0,0 +1,12 @@
|
||||||
|
apiVersion: rbac.authorization.k8s.io/v1
|
||||||
|
kind: ClusterRoleBinding
|
||||||
|
metadata:
|
||||||
|
name: readonly-users
|
||||||
|
subjects:
|
||||||
|
- kind: Group
|
||||||
|
name: readonly
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
|
roleRef:
|
||||||
|
kind: ClusterRole
|
||||||
|
name: view
|
||||||
|
apiGroup: rbac.authorization.k8s.io
|
||||||
Loading…
Add table
Add a link
Reference in a new issue