diff --git a/.argocd-ignore b/.argocd-ignore new file mode 100644 index 0000000..e90b739 --- /dev/null +++ b/.argocd-ignore @@ -0,0 +1 @@ +.pre-commit-config.yaml diff --git a/.devenv.flake.nix b/.devenv.flake.nix new file mode 100644 index 0000000..cb97411 --- /dev/null +++ b/.devenv.flake.nix 
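Review bot: I am not aware of Argo CD honouring a root-level `.argocd-ignore` file, so listing `.pre-commit-config.yaml` here most likely has no effect; Argo CD's exclusion mechanisms are the `argocd.argoproj.io/manifest-generate-paths` annotation, `.helmignore` for Helm sources, and the `directory.exclude`/`directory.include` fields on a directory-type Application. Every Application in this commit points at a subdirectory via `path:`, so a file at the repo root would never be rendered anyway, which makes this entry harmless but misleading. If the intent is to keep non-manifest files out of a future root-level app-of-apps, put `directory.exclude: '.pre-commit-config.yaml'` on that Application instead, or add a one-line comment in this file saying what it is expected to do.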
@@ -0,0 +1,163 @@ +{ + inputs = + let + version = "1.6.1"; +system = "x86_64-linux"; +devenv_root = "/home/gwg313/repos/homelab-gitops"; +devenv_dotfile = ./.devenv; +devenv_dotfile_string = ".devenv"; +container_name = null; +devenv_tmpdir = "/run/user/1000"; +devenv_runtime = "/run/user/1000/devenv-f22e6d0"; +devenv_istesting = false; +devenv_direnvrc_latest_version = 1; + + in { + git-hooks.url = "github:cachix/git-hooks.nix"; + git-hooks.inputs.nixpkgs.follows = "nixpkgs"; + pre-commit-hooks.follows = "git-hooks"; + nixpkgs.url = "github:cachix/devenv-nixpkgs/rolling"; + devenv.url = "github:cachix/devenv?dir=src/modules"; + } // (if builtins.pathExists (devenv_dotfile + "/flake.json") + then builtins.fromJSON (builtins.readFile (devenv_dotfile + "/flake.json")) + else { }); + + outputs = { nixpkgs, ... }@inputs: + let + version = "1.6.1"; +system = "x86_64-linux"; +devenv_root = "/home/gwg313/repos/homelab-gitops"; +devenv_dotfile = ./.devenv; +devenv_dotfile_string = ".devenv"; +container_name = null; +devenv_tmpdir = "/run/user/1000"; +devenv_runtime = "/run/user/1000/devenv-f22e6d0"; +devenv_istesting = false; +devenv_direnvrc_latest_version = 1; + + devenv = + if builtins.pathExists (devenv_dotfile + "/devenv.json") + then builtins.fromJSON (builtins.readFile (devenv_dotfile + "/devenv.json")) + else { }; + getOverlays = inputName: inputAttrs: + map + (overlay: + let + input = inputs.${inputName} or (throw "No such input `${inputName}` while trying to configure overlays."); + in + input.overlays.${overlay} or (throw "Input `${inputName}` has no overlay called `${overlay}`. 
Supported overlays: ${nixpkgs.lib.concatStringsSep ", " (builtins.attrNames input.overlays)}")) + inputAttrs.overlays or [ ]; + overlays = nixpkgs.lib.flatten (nixpkgs.lib.mapAttrsToList getOverlays (devenv.inputs or { })); + pkgs = import nixpkgs { + inherit system; + config = { + allowUnfree = devenv.allowUnfree or false; + allowBroken = devenv.allowBroken or false; + permittedInsecurePackages = devenv.permittedInsecurePackages or [ ]; + }; + inherit overlays; + }; + lib = pkgs.lib; + importModule = path: + if lib.hasPrefix "./" path + then if lib.hasSuffix ".nix" path + then ./. + (builtins.substring 1 255 path) + else ./. + (builtins.substring 1 255 path) + "/devenv.nix" + else if lib.hasPrefix "../" path + then throw "devenv: ../ is not supported for imports" + else + let + paths = lib.splitString "/" path; + name = builtins.head paths; + input = inputs.${name} or (throw "Unknown input ${name}"); + subpath = "/${lib.concatStringsSep "/" (builtins.tail paths)}"; + devenvpath = "${input}" + subpath; + devenvdefaultpath = devenvpath + "/devenv.nix"; + in + if lib.hasSuffix ".nix" devenvpath + then devenvpath + else if builtins.pathExists devenvdefaultpath + then devenvdefaultpath + else throw (devenvdefaultpath + " file does not exist for input ${name}."); + project = pkgs.lib.evalModules { + specialArgs = inputs // { inherit inputs; }; + modules = [ + ({ config, ... 
}: { + _module.args.pkgs = pkgs.appendOverlays (config.overlays or [ ]); + }) + (inputs.devenv.modules + /top-level.nix) + { + devenv.cliVersion = version; + devenv.root = devenv_root; + devenv.dotfile = devenv_root + "/" + devenv_dotfile_string; + } + (pkgs.lib.optionalAttrs (inputs.devenv.isTmpDir or false) { + devenv.tmpdir = devenv_tmpdir; + devenv.runtime = devenv_runtime; + }) + (pkgs.lib.optionalAttrs (inputs.devenv.hasIsTesting or false) { + devenv.isTesting = devenv_istesting; + }) + (pkgs.lib.optionalAttrs (container_name != null) { + container.isBuilding = pkgs.lib.mkForce true; + containers.${container_name}.isBuilding = true; + }) + ({ options, ... }: { + config.devenv = pkgs.lib.optionalAttrs (builtins.hasAttr "direnvrcLatestVersion" options.devenv) { + direnvrcLatestVersion = devenv_direnvrc_latest_version; + }; + }) + ] ++ (map importModule (devenv.imports or [ ])) ++ [ + (if builtins.pathExists ./devenv.nix then ./devenv.nix else { }) + (devenv.devenv or { }) + (if builtins.pathExists ./devenv.local.nix then ./devenv.local.nix else { }) + (if builtins.pathExists (devenv_dotfile + "/cli-options.nix") then import (devenv_dotfile + "/cli-options.nix") else { }) + ]; + }; + config = project.config; + + options = pkgs.nixosOptionsDoc { + options = builtins.removeAttrs project.options [ "_module" ]; + warningsAreErrors = false; + # Unpack Nix types, e.g. literalExpression, mDoc. + transformOptions = + let isDocType = v: builtins.elem v [ "literalDocBook" "literalExpression" "literalMD" "mdDoc" ]; + in lib.attrsets.mapAttrs (_: v: + if v ? _type && isDocType v._type then + v.text + else if v ? 
_type && v._type == "derivation" then + v.name + else + v + ); + }; + + build = options: config: + lib.concatMapAttrs + (name: option: + if builtins.hasAttr "type" option then + if option.type.name == "output" || option.type.name == "outputOf" then { + ${name} = config.${name}; + } else { } + else + let v = build option config.${name}; + in if v != { } then { + ${name} = v; + } else { } + ) + options; + + systems = [ "x86_64-linux" "aarch64-linux" "x86_64-darwin" "aarch64-darwin" ]; + in + { + devShell = lib.genAttrs systems (system: config.shell); + packages = lib.genAttrs systems (system: { + optionsJSON = options.optionsJSON; + # deprecated + inherit (config) info procfileScript procfileEnv procfile; + ci = config.ciDerivation; + }); + devenv = config; + build = build project.options project.config; + }; + } diff --git a/.gitleaks.toml b/.gitleaks.toml new file mode 100644 index 0000000..d077ace --- /dev/null +++ b/.gitleaks.toml @@ -0,0 +1,5 @@ +[allowlist] +description = "Ignore Kubernetes SealedSecrets" +regexes = [ + '''(?s)kind:\s*SealedSecret.*?encryptedData:.*?''' +] diff --git a/.yamllint b/.yamllint new file mode 100644 index 0000000..a9bdbc2 --- /dev/null +++ b/.yamllint @@ -0,0 +1,10 @@ +extends: default + +rules: + document-start: disable + line-length: + max: 80 + allow-non-breakable-words: false + +ignore: | + **/*sealed*.yaml diff --git a/apps/istio.yaml b/apps/audiobookshelf.yaml similarity index 76% rename from apps/istio.yaml rename to apps/audiobookshelf.yaml index 8e59932..a309f47 100644 --- a/apps/istio.yaml +++ b/apps/audiobookshelf.yaml 
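Review bot: The `[allowlist]` regex `(?s)kind:\s*SealedSecret.*?encryptedData:.*?` is looser than it looks: with `(?s)` the lazy `.*?` between `kind:` and `encryptedData:` can span any amount of text, and the trailing `.*?` matches the empty string, so it contributes nothing. Whether this allowlist fires at all also depends on what gitleaks applies `regexes` to (by default the detected secret rather than the surrounding file, if I read the gitleaks docs right), which is not set here, so the rule may silently do nothing. Since this commit already names sealed manifests `*sealed*.yaml` and ignores them in `.yamllint`, a path-based allowlist is the robust form: `paths = ['''.*sealed.*\.ya?ml$''']`. Keep the regex narrow if it stays, so a plaintext `kind: Secret` that lands in the same file as a SealedSecret is still reported.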
@@ -1,20 +1,17 @@ apiVersion: argoproj.io/v1alpha1 kind: Application metadata: - name: istio + name: audiobookshelf namespace: argocd spec: project: default source: repoURL: https://github.com/gwg313/homelab-gitops targetRevision: main - path: istio - helm: - valueFiles: - - base-values.yaml + path: audiobookshelf destination: server: https://kubernetes.default.svc - namespace: istio-system + namespace: audiobookshelf syncPolicy: automated: selfHeal: true diff --git a/apps/bytestash.yaml b/apps/bytestash.yaml new file mode 100644 index 0000000..945c677 --- /dev/null +++ b/apps/bytestash.yaml @@ -0,0 +1,20 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: bytestash + namespace: argocd +spec: + project: default + source: + repoURL: https://github.com/gwg313/homelab-gitops + targetRevision: main + path: bytestash + destination: + server: https://kubernetes.default.svc + namespace: bytestash + syncPolicy: + automated: + selfHeal: true + prune: true + syncOptions: + - CreateNamespace=true diff --git a/apps/cert-issuer.yaml b/apps/cert-issuer.yaml new file mode 100644 index 0000000..e3c961f --- /dev/null +++ b/apps/cert-issuer.yaml @@ -0,0 +1,18 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: cert-issuer + namespace: argocd +spec: + project: default + source: + repoURL: https://github.com/gwg313/homelab-gitops + targetRevision: main + path: cluster-issuer + destination: + server: https://kubernetes.default.svc + namespace: cert-manager + syncPolicy: + automated: + selfHeal: true + prune: true diff --git a/apps/cert-manager.yaml b/apps/cert-manager.yaml new file mode 100644 index 0000000..223a61b --- /dev/null +++ b/apps/cert-manager.yaml 
@@ -0,0 +1,24 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: cert-manager + namespace: argocd +spec: + project: default + source: + repoURL: https://charts.jetstack.io + chart: cert-manager + targetRevision: v1.15.0 + helm: + releaseName: cert-manager + values: | + installCRDs: true + destination: + server: https://kubernetes.default.svc + namespace: cert-manager + syncPolicy: + automated: + selfHeal: true + prune: true + syncOptions: + - CreateNamespace=true diff --git a/apps/forgejo.yaml b/apps/forgejo.yaml new file mode 100644 index 0000000..0410e0a --- /dev/null +++ b/apps/forgejo.yaml @@ -0,0 +1,20 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: forgejo + namespace: argocd +spec: + project: default + source: + repoURL: https://github.com/gwg313/homelab-gitops + targetRevision: main + path: forgejo + destination: + server: https://kubernetes.default.svc + namespace: forgejo + syncPolicy: + automated: + selfHeal: true + prune: true + syncOptions: + - CreateNamespace=true diff --git a/apps/harbor-config.yaml b/apps/harbor-config.yaml new file mode 100644 index 0000000..728dc9c --- /dev/null +++ b/apps/harbor-config.yaml @@ -0,0 +1,20 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: harbor-config + namespace: argocd +spec: + project: default + source: + repoURL: https://github.com/gwg313/homelab-gitops + targetRevision: main + path: harbor-config + destination: + server: https://kubernetes.default.svc + namespace: harbor + syncPolicy: + automated: + selfHeal: true + prune: true + syncOptions: + - CreateNamespace=true diff --git a/apps/harbor.yaml b/apps/harbor.yaml new file mode 100644 index 0000000..f077ad3 --- /dev/null +++ b/apps/harbor.yaml 
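Review bot: The `values:` block in this Application only sets `installCRDs: true`, so the `extraArgs` committed in `cert-manager/values.yaml` (`--dns01-recursive-nameservers-only`, `--dns01-recursive-nameservers=1.1.1.1:53,8.8.8.8:53`) are never passed to the chart; a Helm-chart source cannot pull a values file from another repo path without a multi-source `$values` reference, so that file is dead config. That matters for the DNS-01 issuer because the lab resolver also serves `*.local.gwg313.xyz`, and a split-horizon or cached answer for `gwg313.xyz` is the classic cause of flaky challenge self-checks (hedged: depends on how `truenas.local.gwg313.xyz` and friends are resolved). Simplest fix is to inline the two flags under `values:` here as `extraArgs:` / `- --dns01-recursive-nameservers-only` / `- --dns01-recursive-nameservers=1.1.1.1:53,8.8.8.8:53` and delete `cert-manager/values.yaml`.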
@@ -0,0 +1,51 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: harbor + namespace: argocd +spec: + project: default + destination: + server: https://kubernetes.default.svc + namespace: harbor + source: + repoURL: https://helm.goharbor.io + chart: harbor + targetRevision: 1.14.2 + helm: + releaseName: harbor + values: | + externalURL: https://registry.gwg313.xyz + expose: + type: clusterIP + tls: + enabled: false + certSource: secret + secret: + secretName: harbor-cert-nginx + nginx: + replicas: 0 + + persistence: + persistentVolumeClaim: + registry: + existingClaim: harbor-registry + jobservice: + existingClaim: harbor-jobservice + trivy: + existingClaim: harbor-trivy + database: + existingClaim: harbor-database + redis: + existingClaim: harbor-redis + core: + existingClaim: harbor-core + + ingress: + enabled: false + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/apps/istio/istio-base.yaml b/apps/istio/istio-base.yaml new file mode 100644 index 0000000..3421a1b --- /dev/null +++ b/apps/istio/istio-base.yaml @@ -0,0 +1,22 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: istio-base + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: "0" +spec: + project: default + source: + repoURL: https://istio-release.storage.googleapis.com/charts + chart: base + targetRevision: 1.26.0 + destination: + server: https://kubernetes.default.svc + namespace: istio-system + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/apps/istio/istio-cni.yaml b/apps/istio/istio-cni.yaml new file mode 100644 index 0000000..772c789 --- /dev/null +++ b/apps/istio/istio-cni.yaml 
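Review bot: `tls.enabled: false` together with `expose.type: clusterIP` means harbor-core and the registry accept plaintext on the cluster network even though `externalURL` advertises `https://registry.gwg313.xyz`; that is only safe if the hop from the Istio gateway into the `harbor` namespace is encrypted, and the mesh-wide `PeerAuthentication` added in this same commit is `PERMISSIVE`, so plaintext is still accepted there. Unless the `harbor` namespace carries its own STRICT policy (not in this diff), either set `tls.enabled: true` and keep `certSource: secret` (the `secretName: harbor-cert-nginx` named here is otherwise dead while TLS is off) or add a namespace-scoped STRICT PeerAuthentication. A comment above `tls:` stating where TLS terminates would save the next reader the same question: `# TLS terminates at the Istio gateway; in-cluster hop relies on mesh mTLS`.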
@@ -0,0 +1,26 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: istio-cni + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: "1" +spec: + project: default + source: + repoURL: https://istio-release.storage.googleapis.com/charts + chart: cni + targetRevision: 1.26.0 + helm: + values: | + cni: + enabled: true + chained: false + logLevel: info + destination: + server: https://kubernetes.default.svc + namespace: istio-system + syncPolicy: + automated: + prune: true + selfHeal: true diff --git a/apps/istio/istio-gateway.yaml b/apps/istio/istio-gateway.yaml new file mode 100644 index 0000000..20d7d61 --- /dev/null +++ b/apps/istio/istio-gateway.yaml @@ -0,0 +1,50 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: istio-gateway + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: "2" +spec: + project: default + source: + repoURL: https://istio-release.storage.googleapis.com/charts + chart: gateway + targetRevision: 1.26.0 + helm: + values: | + replicaCount: 2 + + autoscaling: + enabled: false + + resources: + requests: + cpu: "500m" + memory: "512Mi" + limits: + cpu: "1000m" + memory: "1Gi" + + podDisruptionBudget: + enabled: true + minAvailable: 1 + + proxy: + logLevel: warning + componentLogLevel: "misc:error,config:debug" + + readinessProbe: + httpGet: + path: /healthz/ready + port: 15021 + initialDelaySeconds: 5 + periodSeconds: 5 + failureThreshold: 3 + destination: + server: https://kubernetes.default.svc + namespace: istio-system + syncPolicy: + automated: + prune: true + selfHeal: true diff --git a/apps/istio/istio-istiod.yaml b/apps/istio/istio-istiod.yaml new file mode 100644 index 0000000..55cbaf4 --- /dev/null +++ b/apps/istio/istio-istiod.yaml 
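Review bot: `proxy.componentLogLevel: "misc:error,config:debug"` leaves the config component of the ingress gateway's Envoy at debug level, which is noisy and can put route and cluster details into logs that are otherwise kept at `warning`; the usual committed baseline is `misc:error,config:warning`, with debug switched on ad hoc via `istioctl proxy-config log`. Note that `proxy.logLevel: warning` on the line above makes this override the only thing at debug, so it reads like leftover troubleshooting. Hedged: if it is intentional, a comment next to the line (`# config:debug left on deliberately while validating gateway routes`) would stop it being "fixed" later.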
@@ -0,0 +1,43 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: istio-istiod + namespace: argocd + annotations: + argocd.argoproj.io/sync-wave: "1" +spec: + project: default + source: + repoURL: https://istio-release.storage.googleapis.com/charts + chart: istiod + targetRevision: 1.26.0 + helm: + values: | + global: + istioCNI: + enabled: true + + sidecarInjectorWebhook: + disableInitContainers: true + + pilot: + autoscaleEnabled: false + replicaCount: 2 + resources: + requests: + cpu: "500m" + memory: "512Mi" + limits: + cpu: "1000m" + memory: "1Gi" + + podDisruptionBudget: + enabled: true + minAvailable: 1 + destination: + server: https://kubernetes.default.svc + namespace: istio-system + syncPolicy: + automated: + prune: true + selfHeal: true diff --git a/apps/istio/istio-peer-auth.yaml b/apps/istio/istio-peer-auth.yaml new file mode 100644 index 0000000..5f4446a --- /dev/null +++ b/apps/istio/istio-peer-auth.yaml @@ -0,0 +1,9 @@ +apiVersion: security.istio.io/v1beta1 +kind: PeerAuthentication +metadata: + annotations: + name: default + namespace: istio-system +spec: + mtls: + mode: PERMISSIVE diff --git a/apps/metallb-config.yaml b/apps/metallb-config.yaml new file mode 100644 index 0000000..06c86be --- /dev/null +++ b/apps/metallb-config.yaml @@ -0,0 +1,18 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: metallb-config + namespace: argocd +spec: + project: default + source: + path: metallb/config + repoURL: https://github.com/gwg313/homelab-gitops + targetRevision: HEAD + destination: + server: https://kubernetes.default.svc + namespace: metallb-system + syncPolicy: + automated: + prune: true + selfHeal: true diff --git a/apps/metallb.yaml b/apps/metallb.yaml new file mode 100644 index 0000000..bdf37ed --- /dev/null +++ b/apps/metallb.yaml 
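Review bot: The mesh-wide `PeerAuthentication` named `default` in `istio-system` sets `mtls.mode: PERMISSIVE`, which keeps every meshed workload accepting plaintext from non-mesh clients; the `bytestash` namespace in this same commit has to opt into `STRICT` on its own, so the mesh default is the weaker of the two. Unless some namespace still has un-injected pods that must reach meshed services, the safer default is `mode: STRICT` here with per-namespace `PERMISSIVE` exceptions where genuinely needed. The empty `annotations:` key under `metadata` is harmless but renders as `annotations: null`, so drop it. Hedged: this raw PeerAuthentication sits in `apps/` next to the Application manifests, and whatever parent Application renders that directory will apply it as part of the app-of-apps, which may or may not be intended.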
@@ -0,0 +1,22 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: metallb + namespace: argocd +spec: + project: default + source: + repoURL: https://metallb.github.io/metallb + chart: metallb + targetRevision: 0.14.5 + helm: + releaseName: metallb + destination: + server: https://kubernetes.default.svc + namespace: metallb-system + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/apps/minio-config.yaml b/apps/minio-config.yaml new file mode 100644 index 0000000..83e1911 --- /dev/null +++ b/apps/minio-config.yaml @@ -0,0 +1,20 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: minio-config + namespace: argocd +spec: + project: default + source: + repoURL: https://github.com/gwg313/homelab-gitops + targetRevision: main + path: minio + destination: + server: https://kubernetes.default.svc + namespace: minio + syncPolicy: + automated: + selfHeal: true + prune: true + syncOptions: + - CreateNamespace=true diff --git a/apps/minio.yaml b/apps/minio.yaml new file mode 100644 index 0000000..ee9de30 --- /dev/null +++ b/apps/minio.yaml @@ -0,0 +1,37 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: minio + namespace: argocd +spec: + destination: + namespace: minio + server: https://kubernetes.default.svc + project: default + source: + repoURL: https://charts.bitnami.com/bitnami + chart: minio + targetRevision: 17.0.9 + helm: + releaseName: minio + values: | + auth: + existingSecret: minio-auth + + ingress: + enabled: false + + service: + type: ClusterIP + ports: + api: 9000 + console: 9001 + + persistence: + existingClaim: minio-data + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/apps/navidrome.yaml b/apps/navidrome.yaml new file mode 100644 index 0000000..2962f82 --- /dev/null +++ b/apps/navidrome.yaml 
@@ -0,0 +1,20 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: navidrome + namespace: argocd +spec: + project: default + source: + repoURL: https://github.com/gwg313/homelab-gitops + targetRevision: main + path: navidrome + destination: + server: https://kubernetes.default.svc + namespace: navidrome + syncPolicy: + automated: + selfHeal: true + prune: true + syncOptions: + - CreateNamespace=true diff --git a/apps/nfs-subdir.yaml b/apps/nfs-subdir.yaml new file mode 100644 index 0000000..dd612f0 --- /dev/null +++ b/apps/nfs-subdir.yaml @@ -0,0 +1,33 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: nfs-subdir-external-provisioner + namespace: argocd +spec: + project: default + source: + repoURL: https://kubernetes-sigs.github.io/nfs-subdir-external-provisioner + chart: nfs-subdir-external-provisioner + targetRevision: 4.0.18 + helm: + releaseName: nfs-subdir-external-provisioner + values: | + nfs: + server: truenas.local.gwg313.xyz + path: /mnt/tank/k8s/nfs-subdir + + storageClass: + name: nfs-client + defaultClass: true + accessModes: ["ReadWriteMany"] + reclaimPolicy: Delete + archiveOnDelete: false + destination: + server: https://kubernetes.default.svc + namespace: nfs-subdir-external-provisioner + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/apps/sealed-secrets.yaml b/apps/sealed-secrets.yaml new file mode 100644 index 0000000..5e7463d --- /dev/null +++ b/apps/sealed-secrets.yaml 
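Review bot: `reclaimPolicy: Delete` combined with `archiveOnDelete: false` makes the provisioner remove the backing directory under `/mnt/tank/k8s/nfs-subdir` the moment a PVC is deleted, and this class is also `defaultClass: true`; with `prune: true` and `selfHeal: true` on the consuming Applications, a commit that mis-paths or drops a PVC manifest destroys the data rather than orphaning it. For a single TrueNAS share, `reclaimPolicy: Retain`, or at least `archiveOnDelete: true` (the provisioner then renames the directory with an `archived-` prefix instead of deleting it), is the safer pairing. If destructive deletion is deliberate, say so next to the setting: `# Delete + archiveOnDelete=false: PVC deletion is destructive; rely on TrueNAS snapshots for recovery`.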
@@ -0,0 +1,24 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: sealed-secrets + namespace: argocd +spec: + project: default + source: + repoURL: https://bitnami-labs.github.io/sealed-secrets + chart: sealed-secrets + targetRevision: 2.15.3 + helm: + releaseName: sealed-secrets + values: | + fullnameOverride: sealed-secrets-controller + destination: + server: https://kubernetes.default.svc + namespace: sealed-secrets + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/apps/woodpecker-manifests.yaml b/apps/woodpecker-manifests.yaml new file mode 100644 index 0000000..8a36b56 --- /dev/null +++ b/apps/woodpecker-manifests.yaml @@ -0,0 +1,20 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: woodpecker-manifests + namespace: argocd +spec: + project: default + source: + repoURL: https://github.com/gwg313/homelab-gitops + targetRevision: HEAD + path: woodpecker + destination: + server: https://kubernetes.default.svc + namespace: woodpecker + syncPolicy: + automated: + selfHeal: true + prune: true + syncOptions: + - CreateNamespace=true diff --git a/apps/woodpecker.yaml b/apps/woodpecker.yaml new file mode 100644 index 0000000..0a9f7a0 --- /dev/null +++ b/apps/woodpecker.yaml 
@@ -0,0 +1,23 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: woodpecker + namespace: argocd +spec: + project: default + source: + repoURL: https://woodpecker-ci.org/ + chart: woodpecker + targetRevision: 3.2.0 + helm: + releaseName: woodpecker + values: "server:\n env:\n WOODPECKER_HOST: \"https://ci.gwg313.xyz\"\n extraSecretNamesForEnvFrom:\n - woodpecker-server-secrets\n persistentVolume:\n enabled: true\n existingClaim: woodpecker-server-pvc5\n\nagent:\n enabled: true\n replicaCount: 1\n extraSecretNamesForEnvFrom:\n - woodpecker-agent-secrets\n env:\n WOODPECKER_SERVER: \"woodpecker-server:9000\"\n WOODPECKER_MAX_WORKFLOWS: \"5\"\n persistence:\n enabled: true\n existingClaim: woodpecker-agent-pvc5\n securityContext:\n privileged: true \n" + destination: + server: https://kubernetes.default.svc + namespace: woodpecker + syncPolicy: + automated: + prune: true + selfHeal: true + syncOptions: + - CreateNamespace=true diff --git a/apps/yopass.yaml b/apps/yopass.yaml new file mode 100644 index 0000000..491a828 --- /dev/null +++ b/apps/yopass.yaml @@ -0,0 +1,20 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: yopass + namespace: argocd +spec: + project: default + source: + repoURL: https://github.com/gwg313/homelab-gitops + targetRevision: main + path: yopass + destination: + server: https://kubernetes.default.svc + namespace: yopass + syncPolicy: + automated: + selfHeal: true + prune: true + syncOptions: + - CreateNamespace=true diff --git a/audiobookshelf/certificate.yaml b/audiobookshelf/certificate.yaml new file mode 100644 index 0000000..4af686f --- /dev/null +++ b/audiobookshelf/certificate.yaml @@ -0,0 +1,12 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: audiobookshelf-cert + namespace: istio-system +spec: + secretName: audiobookshelf-cert + issuerRef: + name: letsencrypt-dns + kind: ClusterIssuer + dnsNames: + - audiobooks.gwg313.xyz 
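Review bot: The agent values set `securityContext: privileged: true`, which hands every CI agent pod full access to the node's devices and kernel; with the Kubernetes backend the Woodpecker agent schedules pipeline steps as separate pods through the API and does not itself need privilege, so this looks unnecessary unless a docker-in-docker backend is in use (not visible here). Drop that line, or scope the privilege to the specific step pods that require it via the backend's pod options. Separately, `values:` is written as one JSON-escaped string with embedded `\n`, which defeats both review and the `.yamllint` rules added in this commit; every other Application here uses a block scalar (`values: |`), and this one should too.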
diff --git a/audiobookshelf/deployment.yaml b/audiobookshelf/deployment.yaml new file mode 100644 index 0000000..01f20f9 --- /dev/null +++ b/audiobookshelf/deployment.yaml @@ -0,0 +1,42 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: audiobookshelf + namespace: audiobookshelf +spec: + replicas: 1 + selector: + matchLabels: + app: audiobookshelf + template: + metadata: + labels: + app: audiobookshelf + spec: + containers: + - name: audiobookshelf + image: registry.gwg313.xyz/library/audiobookshelf:latest + ports: + - containerPort: 8080 + volumeMounts: + - name: audiobooks-volume + mountPath: /audiobooks + - name: podcasts-volume + mountPath: /podcasts + - name: config-volume + mountPath: /config + - name: metadata-volume + mountPath: /metadata + volumes: + - name: audiobooks-volume + persistentVolumeClaim: + claimName: audiobookshelf-audiobooks + - name: podcasts-volume + persistentVolumeClaim: + claimName: audiobookshelf-podcasts + - name: config-volume + persistentVolumeClaim: + claimName: audiobookshelf-config + - name: metadata-volume + persistentVolumeClaim: + claimName: audiobookshelf-metadata diff --git a/audiobookshelf/gateway.yaml b/audiobookshelf/gateway.yaml new file mode 100644 index 0000000..7d9270d --- /dev/null +++ b/audiobookshelf/gateway.yaml @@ -0,0 +1,18 @@ +apiVersion: networking.istio.io/v1beta1 +kind: Gateway +metadata: + name: audiobookshelf-gateway + namespace: audiobookshelf +spec: + selector: + istio: gateway + servers: + - port: + number: 443 + name: https + protocol: HTTPS + tls: + mode: SIMPLE + credentialName: audiobookshelf-cert + hosts: + - audiobooks.gwg313.xyz diff --git a/audiobookshelf/iscsi-sealed.yaml b/audiobookshelf/iscsi-sealed.yaml new file mode 100644 index 0000000..b0057c6 --- /dev/null +++ b/audiobookshelf/iscsi-sealed.yaml 
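Review bot: The `audiobookshelf` container mounts `audiobooks-volume` and `podcasts-volume` read-write even though their PVCs are `ReadOnlyMany`; access modes are advisory for NFS, so add `readOnly: true` to those two `volumeMounts` entries to actually enforce it. The pod also runs `registry.gwg313.xyz/library/audiobookshelf:latest` with no `securityContext` and no `resources`, while the `bytestash` Deployment in this same commit drops all capabilities and sets `allowPrivilegeEscalation: false`; bring this one in line, and pin the image by tag or digest so `selfHeal` does not roll out whatever was last pushed to Harbor. Hedged: running as non-root may require the `/config` and `/metadata` iSCSI volumes to be chowned first, so `fsGroup` is probably needed alongside `runAsUser`.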
@@ -0,0 +1,19 @@ +--- +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + creationTimestamp: null + name: audiobookshelf-iscsi-auth + namespace: audiobookshelf +spec: + encryptedData: + discovery.sendtargets.auth.password: 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 + discovery.sendtargets.auth.username: AgBerGD4HXIRcJDdyknlztVIIfpLYyEnB5jIQV7tHksPPtDp4VxOQcOOnsgn2xcskpGbPP60iQJgTn9eNtHnRVylFhRDBr7ugn7LKWw0KGg/sexYx07Do6Sc7h7+MrzaoxV7kV7hOJrflALtKhSTmsiNLVnskmU+reckgLYFrFjSPOYJsDJlpq7WPXVBVW2nEJ0EMkCyfWAU1ADfpM5rvbtLu3geCAWAz557BASYgdvaBEWOT5sONC2rbl2MaSJeBVZX+Wr5IdzVd3K/VFJRSJ7xE5LAVKbuWGPpt18H86uU7mqXuyYUz7FR7nD21FT8rPvj4/rXKTR0W2U/hrH/53Jn5yFj30+iAcDhq9C4fRA8ZvI9KsESRZXq0dnInPkYpHzPIKdMwtEs/qycIMGwczRO9d6UDj3qJsJTO4E1btvzPQMt1kJ3d2U87/r7TCzcbIpLlMez8VTS0osnwVkD9/4oR074TX/0m9aMqLomsrw4oyXsetJL8O4R1A59NsjtBRvyeG00BmmJMlSrI+DF+wa131/4g/y6BsYP30QwxxxoOHH1clSdXGueHhQpttmc7le8FSJ+pyyPLR8BrFi76GojZG3GZScArJm/072WcUnsvxpitmtwKgihRFGr6V5yPU/vvPLWsV+swQ+zh6IZ1RPNn8QPk4oKqJnoAlDmMkdXhgqLucor322cxU+bNkE0v3RPBeynzEVpGSzrtYzOvw== + node.session.auth.password: AgB/lsTVb/3hrYtzpEydBfcesvDgZUi6Si4VNjlGRS1PfK9DSLpRBZazgLkrFSIhLOviWb9Rp9zQDNTJFAZkLbPGh8zNWyTzbANgsSziht7ljBArnsT3iMRQbFvZGUkI3QM95EURVXC7GhPEfr15bkEqq93ETzaDaBvZ3tKN2XqjRTFFAR2aFVVV6rPPea3FfAVhhcR700pfbW4YpLPfHuUFentEuMo5a3QRYo3VdzPYB7lzRx+YgD9Rv1rSffTdnPJzlE9IkUeBZKnuK9Xg80Q75aPHvb6MfT++LRZHUtsftQFjbJMcFKqqDu+JktjViyrTYG/2cfdQKsHbsQu4OW4XamU0isZiz42T8cj/Dpo0C+m2meZVXkSrsvyeHCA77vl9yd24O7CkDGKLnAqe5RLWAMJVBQwnVqiDhTdTvEItoyV9MZM079CsPKSpVZMJ4GQoJDjKN3L9Z0IIWHlrV5RJ65RJA3d8/9Ku+vFtxyfGWB3GtXAFvXYW/OZn1vuIEmA3U11mgnGKDIRETBMpuJSvzVKiTxCL4yrq5Ap0VRfBlJlNbDSlj78z6x9Pd8TsSoKUA5htpObLy3+Dx2Lm6SUflKvB6ywKnIbhlfFONlUrsxX6J02taDmqTzeAFT5sSM2Xl4yFveb7XLQQOJUIc32ZAFXOkYkvr9T8lbxXDE9mJG7abzwal7i1KWrxgVnmgN8oM6QDciHqElUb+z+tE69g + node.session.auth.username: 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 + template: + metadata: + creationTimestamp: null + name: audiobookshelf-iscsi-auth + namespace: 
audiobookshelf + type: kubernetes.io/iscsi-chap diff --git a/audiobookshelf/pvcs.yaml b/audiobookshelf/pvcs.yaml new file mode 100644 index 0000000..8f8abbe --- /dev/null +++ b/audiobookshelf/pvcs.yaml @@ -0,0 +1,57 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: audiobookshelf-config + namespace: audiobookshelf +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi + volumeName: audiobookshelf-config-pv + storageClassName: audiobookshelf-iscsi + +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: audiobookshelf-metadata + namespace: audiobookshelf +spec: + accessModes: + - ReadWriteOnce + resources: + requests: + storage: 1Gi + volumeName: audiobookshelf-metadata-pv + storageClassName: audiobookshelf-iscsi + +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: audiobookshelf-audiobooks + namespace: audiobookshelf +spec: + accessModes: + - ReadOnlyMany + resources: + requests: + storage: 100Gi + volumeName: audiobookshelf-audiobooks-pv + storageClassName: audiobookshelf-nfs +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: audiobookshelf-podcasts + namespace: audiobookshelf +spec: + accessModes: + - ReadOnlyMany + resources: + requests: + storage: 100Gi + volumeName: audiobookshelf-podcasts-pv + storageClassName: audiobookshelf-nfs diff --git a/audiobookshelf/pvs.yaml b/audiobookshelf/pvs.yaml new file mode 100644 index 0000000..65b1e78 --- /dev/null +++ b/audiobookshelf/pvs.yaml 
@@ -0,0 +1,73 @@ +apiVersion: v1 +kind: PersistentVolume +metadata: + name: audiobookshelf-config-pv +spec: + capacity: + storage: 1Gi + accessModes: + - ReadWriteOnce + persistentVolumeReclaimPolicy: Retain + storageClassName: audiobookshelf-iscsi + iscsi: + targetPortal: truenas.local.gwg313.xyz:3260 + iqn: iqn.2005-10.org.freenas.ctl:audiobookshelf-config + lun: 0 + fsType: ext4 + readOnly: false + chapAuthDiscovery: true + chapAuthSession: true + secretRef: + name: audiobookshelf-iscsi-auth +--- +apiVersion: v1 +kind: PersistentVolume +metadata: + name: audiobookshelf-metadata-pv +spec: + capacity: + storage: 1Gi + accessModes: + - ReadWriteOnce + persistentVolumeReclaimPolicy: Retain + storageClassName: audiobookshelf-iscsi + iscsi: + targetPortal: truenas.local.gwg313.xyz:3260 + iqn: iqn.2005-10.org.freenas.ctl:audiobookshelf-metadata + lun: 1 + fsType: ext4 + readOnly: false + chapAuthDiscovery: true + chapAuthSession: true + secretRef: + name: audiobookshelf-iscsi-auth +--- +apiVersion: v1 +kind: PersistentVolume +metadata: + name: audiobookshelf-audiobooks-pv +spec: + capacity: + storage: 100Gi + accessModes: + - ReadOnlyMany + persistentVolumeReclaimPolicy: Retain + nfs: + server: truenas.local.gwg313.xyz + path: /mnt/tank/media/audiobooks + storageClassName: audiobookshelf-nfs +--- +apiVersion: v1 +kind: PersistentVolume +metadata: + name: audiobookshelf-podcasts-pv +spec: + capacity: + storage: 100Gi + accessModes: + - ReadOnlyMany + persistentVolumeReclaimPolicy: Retain + nfs: + server: truenas.local.gwg313.xyz + path: /mnt/tank/media/podcasts + storageClassName: audiobookshelf-nfs diff --git a/audiobookshelf/service.yaml b/audiobookshelf/service.yaml new file mode 100644 index 0000000..f34268b --- /dev/null +++ b/audiobookshelf/service.yaml @@ -0,0 +1,11 @@ +apiVersion: v1 +kind: Service +metadata: + name: audiobookshelf + namespace: audiobookshelf +spec: + selector: + app: audiobookshelf + ports: + - port: 80 + targetPort: 8080 
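Review bot: The two NFS `PersistentVolume`s (`audiobookshelf-audiobooks-pv`, `audiobookshelf-podcasts-pv`) declare `accessModes: ReadOnlyMany` but do not set `nfs.readOnly: true`; the access mode only constrains how a PVC may bind, while `readOnly` on the volume source is what makes the kernel mount the export read-only. Add `readOnly: true` under each `nfs:` block so the media shares cannot be written from the pod however they are mounted. The iSCSI volumes correctly enable CHAP for both discovery and session, but `secretRef` omits `namespace`, so the CHAP secret is resolved relative to the consuming pod's namespace (hedged; `audiobookshelf` here) — set `namespace: audiobookshelf` explicitly so the PV does not silently break if it is ever claimed from elsewhere.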
diff --git a/audiobookshelf/virtualservice.yaml b/audiobookshelf/virtualservice.yaml new file mode 100644 index 0000000..f128e38 --- /dev/null +++ b/audiobookshelf/virtualservice.yaml @@ -0,0 +1,19 @@ +apiVersion: networking.istio.io/v1beta1 +kind: VirtualService +metadata: + name: audiobookshelf + namespace: audiobookshelf +spec: + hosts: + - audiobooks.gwg313.xyz + gateways: + - audiobookshelf-gateway + http: + - match: + - uri: + prefix: / + route: + - destination: + host: audiobookshelf + port: + number: 80 diff --git a/bytestash/bytestash-peer-auth.yaml b/bytestash/bytestash-peer-auth.yaml new file mode 100644 index 0000000..8a3354a --- /dev/null +++ b/bytestash/bytestash-peer-auth.yaml @@ -0,0 +1,8 @@ +apiVersion: security.istio.io/v1beta1 +kind: PeerAuthentication +metadata: + name: strict-mtls + namespace: bytestash +spec: + mtls: + mode: STRICT diff --git a/bytestash/bytestash-secret-sealed.yaml b/bytestash/bytestash-secret-sealed.yaml new file mode 100644 index 0000000..255eb8a --- /dev/null +++ b/bytestash/bytestash-secret-sealed.yaml @@ -0,0 +1,15 @@ +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + creationTimestamp: null + name: bytestash-secret + namespace: bytestash +spec: + encryptedData: + JWT_SECRET_KEY: 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 + template: + metadata: + creationTimestamp: null + name: bytestash-secret + namespace: bytestash + type: Opaque diff --git a/bytestash/certificate.yaml b/bytestash/certificate.yaml new file mode 100644 index 0000000..a50a49e --- /dev/null +++ b/bytestash/certificate.yaml @@ -0,0 +1,13 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: bytestash-cert + namespace: istio-system +spec: + secretName: bytestash-cert + issuerRef: + name: letsencrypt-dns + kind: ClusterIssuer + commonName: bytestash.local.gwg313.xyz + dnsNames: + - bytestash.local.gwg313.xyz 
diff --git a/bytestash/configmap.yaml b/bytestash/configmap.yaml new file mode 100644 index 0000000..65e7119 --- /dev/null +++ b/bytestash/configmap.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: bytestash-config + namespace: bytestash +data: + BASE_PATH: "" + TOKEN_EXPIRY: "24h" + ALLOW_NEW_ACCOUNTS: "true" + DEBUG: "true" + DISABLE_ACCOUNTS: "false" + DISABLE_INTERNAL_ACCOUNTS: "false" + OIDC_ENABLED: "false" + OIDC_DISPLAY_NAME: "" + OIDC_ISSUER_URL: "" + OIDC_CLIENT_ID: "" + OIDC_CLIENT_SECRET: "" + OIDC_SCOPES: "" diff --git a/bytestash/deployment.yaml b/bytestash/deployment.yaml new file mode 100644 index 0000000..9408803 --- /dev/null +++ b/bytestash/deployment.yaml @@ -0,0 +1,43 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: bytestash + namespace: bytestash +spec: + replicas: 1 + selector: + matchLabels: + app: bytestash + template: + metadata: + labels: + app: bytestash + annotations: + sidecar.istio.io/inject: "true" + spec: + securityContext: + runAsNonRoot: false + seccompProfile: + type: RuntimeDefault + containers: + - name: bytestash + image: "ghcr.io/jordan-dalby/bytestash:latest" + ports: + - containerPort: 5000 + envFrom: + - configMapRef: + name: bytestash-config + - secretRef: + name: bytestash-secret + volumeMounts: + - name: bytestash-storage + mountPath: /data/snippets + securityContext: + allowPrivilegeEscalation: false + runAsNonRoot: false + capabilities: + drop: ["ALL"] + volumes: + - name: bytestash-storage + persistentVolumeClaim: + claimName: bytestash-pvc diff --git a/bytestash/gateway.yaml b/bytestash/gateway.yaml new file mode 100644 index 0000000..ca6ecee --- /dev/null +++ b/bytestash/gateway.yaml 
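Review bot: `ALLOW_NEW_ACCOUNTS: "true"` together with `DEBUG: "true"` ships the service with open self-registration and debug output enabled; for a snippet store on the LAN that is acceptable while creating the first account, but the committed state should flip both to `"false"` afterwards. `OIDC_CLIENT_SECRET: ""` also lives in a ConfigMap; it is empty now, but the moment OIDC is switched on the value will land in a plain ConfigMap in git. Move that key into the `bytestash-secret` SealedSecret (the Deployment already applies `envFrom` for both) and leave a marker here: `# OIDC_CLIENT_SECRET is set in the bytestash-secret SealedSecret, not in this ConfigMap`.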
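Review bot: Both the pod-level and container-level `securityContext` set `runAsNonRoot: false` explicitly, which switches off the one check that would stop the image from starting as root, while the same block drops all capabilities and forbids privilege escalation — an inconsistent posture. If the upstream image runs as root by default (hedged; not visible here), prefer `runAsNonRoot: true` with `runAsUser`/`runAsGroup` set to an unprivileged UID and `fsGroup` for the NFS-backed `/data/snippets` mount; if it already runs unprivileged, simply set `runAsNonRoot: true`. The image is `ghcr.io/jordan-dalby/bytestash:latest` under `selfHeal: true`, so pin a tag or digest to keep rollouts reproducible.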
@@ -0,0 +1,18 @@
+apiVersion: networking.istio.io/v1beta1
+kind: Gateway
+metadata:
+ name: bytestash-gateway
+ namespace: bytestash
+spec:
+ selector:
+ istio: gateway
+ servers:
+ - port:
+ number: 443
+ name: https
+ protocol: HTTPS
+ hosts:
+ - "bytestash.local.gwg313.xyz"
+ tls:
+ mode: SIMPLE
+ credentialName: bytestash-cert
diff --git a/bytestash/namespace.yaml b/bytestash/namespace.yaml
new file mode 100644
index 0000000..5288ac9
--- /dev/null
+++ b/bytestash/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: bytestash
diff --git a/bytestash/service.yaml b/bytestash/service.yaml
new file mode 100644
index 0000000..4b305db
--- /dev/null
+++ b/bytestash/service.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: bytestash
+ namespace: bytestash
+spec:
+ selector:
+ app: bytestash
+ ports:
+ - port: 80
+ targetPort: 5000
diff --git a/bytestash/storage.yaml b/bytestash/storage.yaml
new file mode 100644
index 0000000..585fc43
--- /dev/null
+++ b/bytestash/storage.yaml
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: bytestash-pv
+spec:
+ capacity:
+ storage: 1Gi
+ volumeMode: Filesystem
+ accessModes:
+ - ReadWriteOnce
+ persistentVolumeReclaimPolicy: Retain
+ storageClassName: manual
+ nfs:
+ path: /mnt/tank/docker-volumes/bytestash
+ server: truenas.local.gwg313.xyz
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: bytestash-pvc
+ namespace: bytestash
+spec:
+ storageClassName: manual
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
+ volumeName: bytestash-pv
diff --git a/bytestash/virtualservice.yaml b/bytestash/virtualservice.yaml
new file mode 100644
index 0000000..095671b
--- /dev/null
+++ b/bytestash/virtualservice.yaml
@@ -0,0 +1,16 @@
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+ name: bytestash
+ namespace: bytestash
+spec:
+ hosts:
+ - "bytestash.local.gwg313.xyz"
+ gateways:
+ - bytestash/bytestash-gateway
+ http:
+ - route:
+ - destination:
+ host: bytestash
+ port:
+ number: 80
diff --git a/cert-manager/values.yaml b/cert-manager/values.yaml
new file mode 100644
index 0000000..66e328a
--- /dev/null
+++ b/cert-manager/values.yaml
@@ -0,0 +1,4 @@
+installCRDs: true
+extraArgs:
+ - --dns01-recursive-nameservers-only
+ - --dns01-recursive-nameservers=1.1.1.1:53,8.8.8.8:53
diff --git a/cluster-issuer/01-sealedsecret.yaml b/cluster-issuer/01-sealedsecret.yaml
new file mode 100644
index 0000000..e9586d9
--- /dev/null
+++ b/cluster-issuer/01-sealedsecret.yaml
@@ -0,0 +1,15 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ creationTimestamp: null
+ name: cloudflare-api-token
+ namespace: cert-manager
+spec:
+ encryptedData:
+ api-token: AgC7jVHCCMGqv2ZcLxU13J2icxYM6pLCpy9ODRFtEZpjY4MGmja+ScRs00ziY8DeH9Ahhrc21VYTTZAmw1bCesHIys0y19KeXbO5HudWbSt02792kT5sPsjlNdkZyXT0Qmbz3i4OPcH1V1+oXJArTuicoJkAiVg05jGPuIcYM2zDaMvMjk4cq7L8PYc/HAusXlHI/ggozPqmohS4ACBYvsUvgyDEGAvwW0vFRjHb1z3IxyzVtbDdgae8okoQWCHlKRTeFRReB1AX9wml+kNpq2SeElh/5Grdiz4MEr8PsoKUIJg3n+KqjOFgHX7I5gDW7LQv2+W66sYzd3GFF0g6MUs1EjznX35J/e7uYSm3ERtomSIFx3FFx6fFXuN5QkCx79MgKZxP8F/PwBdusc8tDHocgK8V2hvSjxIU2J74rjcMw4ZUqwFvlZa0xAJcUAlkFQrN/b7ldlwQYyzsXhPyRIvIGvGSmBabq+yHE4nyjCVezy28h361O3zB2kCJUXi1k2rbD2+NI1Z+25q6JyRgnUelnfzyiPFJTKlFIiP1He1FC441OPjXILYhuaIenm0w9GQKUt2ndNJng4wRtsCPi6PcGHUIOjiT8ErZTkN4pJmm4/bRYPXumS9J0sTPNr2z564fsZjRpyCD97BJuntnXRnWxQRVbMb55f99Zu2j5jziEDegg6aCsXRLoATHLsBFlK5IiC95cMpkaAbY5FWwCCp4IMLkiPWGlR1dnCbBgF2P4NtxihNW9cPC
+ template:
+ metadata:
+ creationTimestamp: null
+ name: cloudflare-api-token
+ namespace: cert-manager
+ type: Opaque
diff --git a/cluster-issuer/02-cluster-issuer.yaml b/cluster-issuer/02-cluster-issuer.yaml
new file mode 100644
index 0000000..a168955
--- /dev/null
+++ b/cluster-issuer/02-cluster-issuer.yaml
@@ -0,0 +1,16 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: letsencrypt-dns
+spec:
+ acme:
+ server: https://acme-v02.api.letsencrypt.org/directory
+ email: gwg313@pm.me
+ privateKeySecretRef:
+ name: letsencrypt-dns-key
+ solvers:
+ - dns01:
+ cloudflare:
+ apiTokenSecretRef:
+ name: cloudflare-api-token
+ key: api-token
diff --git a/devenv.nix b/devenv.nix
index 8aa55d1..bcd2d5d 100644
--- a/devenv.nix
+++ b/devenv.nix
@@ -4,19 +4,23 @@ config, inputs, ... -}: - -{ +}: { # https://devenv.sh/basics/ env.GREET = "devenv"; env = { - CONTROL_PLANE_IP = "192.168.10.10"; - WORKER_1_IP = "192.168.10.11"; - WORKER_2_IP = "192.168.10.12"; }; # https://devenv.sh/packages/ - packages = with pkgs; [ talosctl ]; + packages = with pkgs; [ + kubectl + talosctl + kubeseal + kubeconform + yamllint + shellcheck + gitleaks + yamlfmt + ]; # https://devenv.sh/languages/ # languages.rust.enable = true;
@@ -50,6 +54,42 @@ ''; # https://devenv.sh/pre-commit-hooks/ + # git-hooks.hooks = { + # check-yaml.enable = true; + # end-of-file-fixer.enable = true; + # trim-trailing-whitespace.enable = true; + # yamlfmt = { + # enable = true; + # entry = "yamlfmt"; + # args = ["-in-place"]; + # files = "\\.ya?ml$"; + # language = "system"; + # }; + # yamllint.enable = true; + # shellcheck.enable = true; + # + # kubeconform = { + # enable = true; + # entry = "kubeconform"; + # args = [ + # "-strict" + # "-summary" + # "-ignore-missing-schemas" + # "-schema-location" + # "https://raw.githubusercontent.com/yannh/kubernetes-json-schema/master/{{.ResourceKind}}-{{.ResourceAPIVersion}}.json" + # "-schema-location" + # "default" + # ]; + # files = "\\.ya?ml$"; + # }; + # + # gitleaks = { + # enable = true; + # entry = "gitleaks detect --no-git -v --redact"; + # language = "system"; + # pass_filenames = false; + # }; + # }; # pre-commit.hooks.shellcheck.enable = true; # See full reference at https://devenv.sh/reference/options/
diff --git a/forgejo/certificate.yaml b/forgejo/certificate.yaml
new file mode 100644
index 0000000..66c8e1f
--- /dev/null
+++ b/forgejo/certificate.yaml
@@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: forgejo-cert
+ namespace: istio-system
+spec:
+ secretName: forgejo-cert
+ issuerRef:
+ name: letsencrypt-dns
+ kind: ClusterIssuer
+ dnsNames:
+ - git.local.gwg313.xyz
+ - git.gwg313.xyz
+ - git.zerotier.gwg313.xyz
diff --git a/forgejo/deployment.yaml b/forgejo/deployment.yaml
new file mode 100644
index 0000000..62ce0e3
--- /dev/null
+++ b/forgejo/deployment.yaml
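Review bot: the entire `git-hooks.hooks` block (yamllint, kubeconform, gitleaks, yamlfmt, shellcheck) is added commented out, so none of the tools this commit also adds to `packages` runs at commit time, and the `gitleaks detect --no-git -v --redact` hook never scans the SealedSecret files it is meant to guard. If the hooks are parked on purpose while they are being tuned, a one-line note such as `# hooks disabled until <reason>; enable before relying on gitleaks/kubeconform` above the block would explain the state; otherwise uncomment it. The enclosing devenv module begins and ends outside this hunk.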
@@ -0,0 +1,48 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: forgejo
+ namespace: forgejo
+ labels:
+ app: forgejo
+spec:
+ strategy:
+ type: Recreate
+ replicas: 1
+ selector:
+ matchLabels:
+ app: forgejo
+ template:
+ metadata:
+ labels:
+ app: forgejo
+ spec:
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ fsGroup: 1000
+ terminationGracePeriodSeconds: 30
+ containers:
+ - name: forgejo
+ image: codeberg.org/forgejo/forgejo:11-rootless
+ ports:
+ - containerPort: 3000
+ - containerPort: 2222
+ env:
+ - name: FORGEJO__server__ROOT_URL
+ value: "https://git.gwg313.xyz/"
+ - name: FORGEJO__ssh__START_SSH_SERVER
+ value: "false"
+ - name: FORGEJO__webhook__ALLOWED_HOST_LIST
+ value: "ci.gwg313.xyz"
+ volumeMounts:
+ - name: forgejo-volume
+ mountPath: /var/lib/gitea
+ subPath: data
+ - name: forgejo-volume
+ mountPath: /etc/gitea
+ subPath: config
+ volumes:
+ - name: forgejo-volume
+ persistentVolumeClaim:
+ claimName: forgejo-pvc
diff --git a/forgejo/destinationrule.yaml b/forgejo/destinationrule.yaml
new file mode 100644
index 0000000..1ec42cc
--- /dev/null
+++ b/forgejo/destinationrule.yaml
@@ -0,0 +1,12 @@
+apiVersion: networking.istio.io/v1beta1
+kind: DestinationRule
+metadata:
+ name: forgejo
+ namespace: forgejo
+spec:
+ host: forgejo.forgejo.svc.cluster.local
+ trafficPolicy:
+ outlierDetection:
+ consecutive5xxErrors: 1
+ interval: 5s
+ baseEjectionTime: 30s
diff --git a/forgejo/gateway.yaml b/forgejo/gateway.yaml
new file mode 100644
index 0000000..4699a1a
--- /dev/null
+++ b/forgejo/gateway.yaml
@@ -0,0 +1,20 @@
+apiVersion: networking.istio.io/v1beta1
+kind: Gateway
+metadata:
+ name: forgejo-gateway
+ namespace: forgejo
+spec:
+ selector:
+ istio: gateway
+ servers:
+ - port:
+ number: 443
+ name: https
+ protocol: HTTPS
+ tls:
+ mode: SIMPLE
+ credentialName: forgejo-cert
+ hosts:
+ - git.local.gwg313.xyz
+ - git.gwg313.xyz
+ - git.zerotier.gwg313.xyz
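Review bot: the forgejo container has no container-level securityContext, so it lacks the `allowPrivilegeEscalation: false` and `capabilities.drop: ["ALL"]` that the bytestash deployment in this commit sets, even though the `-rootless` image together with `runAsUser: 1000` makes both safe to add; put them under the container for parity. `containerPort: 2222` is declared while `FORGEJO__ssh__START_SSH_SERVER` is `"false"` and the Service only forwards 3000, so that line documents a listener that does not exist and can be dropped. The image is pinned only to the major tag `11-rootless`, so minor releases roll out without a commit here; a full version tag or digest would make deployments reproducible.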
diff --git a/forgejo/sealed-secret.yaml b/forgejo/sealed-secret.yaml
new file mode 100644
index 0000000..a969f58
--- /dev/null
+++ b/forgejo/sealed-secret.yaml
@@ -0,0 +1,18 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ creationTimestamp: null
+ name: forgejo-iscsi-auth
+ namespace: forgejo
+spec:
+ encryptedData:
+ discovery.sendtargets.auth.password: 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
+ discovery.sendtargets.auth.username: 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
+ node.session.auth.password: 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
+ node.session.auth.username: 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
+ template:
+ metadata:
+ creationTimestamp: null
+ name: forgejo-iscsi-auth
+ namespace: forgejo
+ type: kubernetes.io/iscsi-chap
diff --git a/forgejo/service.yaml b/forgejo/service.yaml
new file mode 100644
index 0000000..be8a302
--- /dev/null
+++ b/forgejo/service.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: forgejo
+ namespace: forgejo
+spec:
+ selector:
+ app: forgejo
+ ports:
+ - name: http
+ port: 80
+ targetPort: 3000
+ type: ClusterIP
diff --git a/forgejo/storage.yaml b/forgejo/storage.yaml
new file mode 100644
index 0000000..376c165
--- /dev/null
+++ b/forgejo/storage.yaml
@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: forgejo-pv
+spec:
+ capacity:
+ storage: 20Gi
+ accessModes:
+ - ReadWriteOnce
+ persistentVolumeReclaimPolicy: Retain
+ iscsi:
+ targetPortal: truenas.local.gwg313.xyz:3260
+ iqn: iqn.2005-10.org.freenas.ctl:forgejo
+ lun: 0
+ fsType: ext4
+ chapAuthDiscovery: true
+ chapAuthSession: true
+ secretRef:
+ name: forgejo-iscsi-auth
+ claimRef:
+ namespace: forgejo
+ name: forgejo-pvc
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: forgejo-pvc
+ namespace: forgejo
+spec:
+ storageClassName: manual
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 20Gi
+ volumeName: forgejo-pv
diff --git a/forgejo/virtualservice.yaml b/forgejo/virtualservice.yaml
new file mode 100644
index 0000000..0efd103
--- /dev/null
+++ b/forgejo/virtualservice.yaml
@@ -0,0 +1,21 @@
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+ name: forgejo
+ namespace: forgejo
+spec:
+ hosts:
+ - git.local.gwg313.xyz
+ - git.gwg313.xyz
+ - git.zerotier.gwg313.xyz
+ gateways:
+ - forgejo-gateway
+ http:
+ - match:
+ - uri:
+ prefix: /
+ route:
+ - destination:
+ host: forgejo
+ port:
+ number: 80
diff --git a/harbor-config/certificate-harbor.yaml b/harbor-config/certificate-harbor.yaml
new file mode 100644
index 0000000..d541d5c
--- /dev/null
+++ b/harbor-config/certificate-harbor.yaml
@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: harbor-cert-nginx
+ namespace: harbor
+spec:
+ secretName: harbor-cert-nginx
+ issuerRef:
+ name: letsencrypt-dns
+ kind: ClusterIssuer
+ dnsNames:
+ - harbor.gwg313.xyz
diff --git a/harbor-config/certificate.yaml b/harbor-config/certificate.yaml
new file mode 100644
index 0000000..0fb929a
--- /dev/null
+++ b/harbor-config/certificate.yaml
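Review bot: the iSCSI `secretRef` on `forgejo-pv` gives only `name: forgejo-iscsi-auth`, whereas the harbor and minio PVs in this commit also set `namespace:`; a PersistentVolume is cluster-scoped, so the manifest itself does not imply where the CHAP secret lives, and as far as I can tell the kubelet falls back to the consuming pod's namespace when the field is omitted, which works here only because the claim and the pod both sit in `forgejo`. Adding `namespace: forgejo` under `secretRef` makes the lookup explicit and matches the other storage files. The PV also declares no `storageClassName` while the claim asks for `manual`; with `claimRef` pre-set the binding should still go through, but stating `storageClassName: manual` on the PV, as `bytestash/storage.yaml` does, removes the mismatch.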
@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: harbor-cert
+ namespace: istio-system
+spec:
+ secretName: harbor-cert
+ issuerRef:
+ name: letsencrypt-dns
+ kind: ClusterIssuer
+ dnsNames:
+ - registry.gwg313.xyz
diff --git a/harbor-config/gateway.yaml b/harbor-config/gateway.yaml
new file mode 100644
index 0000000..a5d3d1e
--- /dev/null
+++ b/harbor-config/gateway.yaml
@@ -0,0 +1,18 @@
+apiVersion: networking.istio.io/v1beta1
+kind: Gateway
+metadata:
+ name: harbor-gateway
+ namespace: harbor
+spec:
+ selector:
+ istio: gateway
+ servers:
+ - port:
+ number: 443
+ name: https
+ protocol: HTTPS
+ hosts:
+ - registry.gwg313.xyz
+ tls:
+ mode: SIMPLE
+ credentialName: harbor-cert
diff --git a/harbor-config/harbor-iscsi-secrets-sealed.yaml b/harbor-config/harbor-iscsi-secrets-sealed.yaml
new file mode 100644
index 0000000..e2f19b5
--- /dev/null
+++ b/harbor-config/harbor-iscsi-secrets-sealed.yaml
@@ -0,0 +1,18 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ creationTimestamp: null
+ name: harbor-iscsi-auth
+ namespace: harbor
+spec:
+ encryptedData:
+ discovery.sendtargets.auth.password: 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
+ discovery.sendtargets.auth.username: 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
+ node.session.auth.password: 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
+ node.session.auth.username: AgA+bt5d5wiAHDmoV5fJExQIUFFy+WmJFFmZY5/WnulzC+/SRxssz/MtikNv8nkFdtvPfTXM57ic2SwPfSXULyQbDY/Kiwi0UejaC+9lN+weCKhks2UgaHYUtv3Inm6xLMHcvfxrwUERrfx7U70vl60WP3CYQ91l0d3fxbbRByw3TZuTZkuYnGmCsfJK0q+hd7GCa8cSxMvUf32MbRrVXecxsBKB4dtsMz0kHiZaH0wchmzWV/mBmAHV5oqkTyk3rAKZHd8D9uqy23fUr8BV6e5hSF67JicCgn94gJq8Z0hrDnu93zZl+mCFnkwPk9uA1jAuQOptHNdXEkZSjUKXFSp5pG5hgxCmwtJNBxUiZDc7IjPETCh/BzD3WLHIzfYAqW7LxDDr9IKlUEf5CUeBw2CULCq9wIaRhXqiJmV36XmMlAGJt+J2SCCKUbhKsJfyHL+PG19gDv2f75bcWc3U6646Pn5b3f0X+eJ9wIyW2Q1cqxo0yZJ+kQ3M7/ABOQfZBYoafi305fE5byecWBgz91ZrXDG/lXGat1rZBVpZ660iIZ9YvCHCC0Vb5LNEPwsfgodUnp1lXoSq8Fm6ggfLhKLL2JrlJhmou3fHsnovNmqTC9wJ026iGrwFNE8nRKvniK8aujK8IHfklodDSFWC4h/IpJf9oLWw8li0a4Ll/s0msFlWq+GABYJZW9CA0br0tp4Or8PwUwM=
+ template:
+ metadata:
+ creationTimestamp: null
+ name: harbor-iscsi-auth
+ namespace: harbor
+ type: kubernetes.io/iscsi-chap
diff --git a/harbor-config/storage.yaml b/harbor-config/storage.yaml
new file mode 100644
index 0000000..1125792
--- /dev/null
+++ b/harbor-config/storage.yaml
@@ -0,0 +1,197 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: harbor-registry-pv
+spec:
+ capacity:
+ storage: 200Gi
+ accessModes:
+ - ReadWriteOnce
+ volumeMode: Filesystem
+ persistentVolumeReclaimPolicy: Retain
+ storageClassName: harbor-iscsi
+ iscsi:
+ targetPortal: truenas.local.gwg313.xyz
+ iqn: iqn.2005-10.org.freenas.ctl:harbor-registry
+ lun: 1
+ fsType: ext4
+ readOnly: false
+ chapAuthDiscovery: true
+ chapAuthSession: true
+ secretRef:
+ name: harbor-iscsi-auth
+ namespace: harbor
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: harbor-registry
+ namespace: harbor
+spec:
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: harbor-iscsi
+ volumeName: harbor-registry-pv
+ resources:
+ requests:
+ storage: 200Gi
+
+# Harbor: Jobservice
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: harbor-jobservice-pv
+spec:
+ capacity:
+ storage: 10Gi
+ accessModes:
+ - ReadWriteOnce
+ volumeMode: Filesystem
+ persistentVolumeReclaimPolicy: Retain
+ storageClassName: harbor-iscsi
+ iscsi:
+ targetPortal: truenas.local.gwg313.xyz
+ iqn: iqn.2005-10.org.freenas.ctl:harbor-jobservice
+ lun: 0
+ fsType: ext4
+ readOnly: false
+ chapAuthDiscovery: true
+ chapAuthSession: true
+ secretRef:
+ name: harbor-iscsi-auth
+ namespace: harbor
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: harbor-jobservice
+ namespace: harbor
+spec:
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: harbor-iscsi
+ volumeName: harbor-jobservice-pv
+ resources:
+ requests:
+ storage: 10Gi
+
+# Harbor: Database
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: harbor-database-pv
+spec:
+ capacity:
+ storage: 10Gi
+ accessModes:
+ - ReadWriteOnce
+ volumeMode: Filesystem
+ persistentVolumeReclaimPolicy: Retain
+ storageClassName: harbor-iscsi
+ iscsi:
+ targetPortal: truenas.local.gwg313.xyz
+ iqn: iqn.2005-10.org.freenas.ctl:harbor-database
+ lun: 2
+ fsType: ext4
+ readOnly: false
+ chapAuthDiscovery: true
+ chapAuthSession: true
+ secretRef:
+ name: harbor-iscsi-auth
+ namespace: harbor
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: harbor-database
+ namespace: harbor
+spec:
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: harbor-iscsi
+ volumeName: harbor-database-pv
+ resources:
+ requests:
+ storage: 10Gi
+
+# Harbor: Redis
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: harbor-redis-pv
+spec:
+ capacity:
+ storage: 10Gi
+ accessModes:
+ - ReadWriteOnce
+ volumeMode: Filesystem
+ persistentVolumeReclaimPolicy: Retain
+ storageClassName: harbor-iscsi
+ iscsi:
+ targetPortal: truenas.local.gwg313.xyz
+ iqn: iqn.2005-10.org.freenas.ctl:harbor-redis
+ lun: 3
+ fsType: ext4
+ readOnly: false
+ chapAuthDiscovery: true
+ chapAuthSession: true
+ secretRef:
+ name: harbor-iscsi-auth
+ namespace: harbor
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: harbor-redis
+ namespace: harbor
+spec:
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: harbor-iscsi
+ volumeName: harbor-redis-pv
+ resources:
+ requests:
+ storage: 10Gi
+
+# Harbor: Trivy
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: harbor-trivy-pv
+spec:
+ capacity:
+ storage: 10Gi
+ accessModes:
+ - ReadWriteOnce
+ volumeMode: Filesystem
+ persistentVolumeReclaimPolicy: Retain
+ storageClassName: harbor-iscsi
+ iscsi:
+ targetPortal: truenas.local.gwg313.xyz
+ iqn: iqn.2005-10.org.freenas.ctl:harbor-trivy
+ lun: 4
+ fsType: ext4
+ readOnly: false
+ chapAuthDiscovery: true
+ chapAuthSession: true
+ secretRef:
+ name: harbor-iscsi-auth
+ namespace: harbor
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: harbor-trivy
+ namespace: harbor
+spec:
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: harbor-iscsi
+ volumeName: harbor-trivy-pv
+ resources:
+ requests:
+ storage: 10Gi
diff --git a/harbor-config/virtualservice.yaml b/harbor-config/virtualservice.yaml
new file mode 100644
index 0000000..d28983e
--- /dev/null
+++ b/harbor-config/virtualservice.yaml
@@ -0,0 +1,39 @@
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+ name: harbor
+ namespace: harbor
+spec:
+ hosts:
+ - registry.gwg313.xyz
+ gateways:
+ - harbor-gateway
+ http:
+ - match:
+ - uri:
+ prefix: /api/
+ - uri:
+ prefix: /service/
+ - uri:
+ prefix: /chartrepo
+ - uri:
+ prefix: /c/
+ - uri:
+ prefix: /v1/
+ - uri:
+ prefix: /v2/
+ route:
+ - destination:
+ host: harbor-core
+ port:
+ number: 80
+ - match:
+ - uri:
+ prefix: /
+ name: portal
+ route:
+ - destination:
+ host: harbor-portal
+ port:
+ number: 80
+ timeout: 30s
diff --git a/istio/Chart.yaml b/istio/Chart.yaml
deleted file mode 100644
index 0d41ce5..0000000
--- a/istio/Chart.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-apiVersion: v2
-name: istio
-description: Istio base + control plane + ingress gateway
-version: 0.1.0
-dependencies:
- - name: base
- version: 1.22.0
- repository: https://istio-release.storage.googleapis.com/charts
- - name: istiod
- version: 1.22.0
- repository: https://istio-release.storage.googleapis.com/charts
- - name: gateway
- version: 1.22.0
- repository: https://istio-release.storage.googleapis.com/charts
diff --git a/istio/README.md b/istio/README.md
deleted file mode 100644
index e69de29..0000000
diff --git a/istio/base-values.yaml b/istio/base-values.yaml
deleted file mode 100644
index 6984770..0000000
--- a/istio/base-values.yaml
+++ /dev/null
@@ -1,17 +0,0 @@
-# Enable Istio base + control plane + ingress gateway
-global:
- istioNamespace: istio-system
-
-istiod:
- enabled: true
- meshConfig:
- enablePrometheusMerge: true
- accessLogFile: /dev/stdout
- pilot:
- autoscaleEnabled: false
-
-gateway:
- enabled: true
- name: istio-ingressgateway
- service:
- type: LoadBalancer
diff --git a/metallb/Chart.yaml b/metallb/Chart.yaml
new file mode 100644
index 0000000..4113c40
--- /dev/null
+++ b/metallb/Chart.yaml
@@ -0,0 +1,7 @@
+apiVersion: v2
+name: metallb
+version: 0.1.0
+dependencies:
+ - name: metallb
+ version: 0.13.12
+ repository: https://metallb.github.io/metallb
diff --git a/metallb/config/ipaddresspool.yaml b/metallb/config/ipaddresspool.yaml
new file mode 100644
index 0000000..bad9f9f
--- /dev/null
+++ b/metallb/config/ipaddresspool.yaml
@@ -0,0 +1,8 @@
+apiVersion: metallb.io/v1beta1
+kind: IPAddressPool
+metadata:
+ name: default
+ namespace: metallb-system
+spec:
+ addresses:
+ - 10.1.10.50-10.1.10.100
diff --git a/metallb/config/kustomization.yaml b/metallb/config/kustomization.yaml
new file mode 100644
index 0000000..39e1e1d
--- /dev/null
+++ b/metallb/config/kustomization.yaml
@@ -0,0 +1,3 @@
+resources:
+ - ipaddresspool.yaml
+ - l2advertisement.yaml
diff --git a/metallb/config/l2advertisement.yaml b/metallb/config/l2advertisement.yaml
new file mode 100644
index 0000000..6e56328
--- /dev/null
+++ b/metallb/config/l2advertisement.yaml
@@ -0,0 +1,5 @@
+apiVersion: metallb.io/v1beta1
+kind: L2Advertisement
+metadata:
+ name: default
+ namespace: metallb-system
diff --git a/metallb/namespace.yaml b/metallb/namespace.yaml
new file mode 100644
index 0000000..fe6f1d8
--- /dev/null
+++ b/metallb/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: metallb-system
diff --git a/metallb/values.yaml b/metallb/values.yaml
new file mode 100644
index 0000000..85a0c56
--- /dev/null
+++ b/metallb/values.yaml
@@ -0,0 +1,46 @@
+metallb:
+ controller:
+ enabled: true
+ speaker:
+ enabled: true
+ hostNetwork: true
+ podAnnotations:
+ sidecar.istio.io/inject: "false"
+ tolerations:
+ - operator: Exists
+ securityContext:
+ allowPrivilegeEscalation: false
+ privileged: false
+ capabilities:
+ drop: ["ALL"]
+ # keep FRR disabled – GoBGP mode works fine and avoids NET_ADMIN
+ frr:
+ enabled: false
+ configInline:
+ peers:
+ - peer-address: 10.1.10.1 # OPNsense LAN IP
+ peer-asn: 65551 # ASN you set on OPNsense
+ my-asn: 64512 # <<< MUST MATCH “Remote AS” on OPNsense
+ hold-time: 90s
+ source-address: 10.1.10.3 # Talos node IP (optional but fine)
+ - peer-address: 10.1.10.1 # OPNsense LAN IP
+ peer-asn: 65551 # ASN you set on OPNsense
+ my-asn: 64512 # <<< MUST MATCH “Remote AS” on OPNsense
+ hold-time: 90s
+ source-address: 10.1.10.4 # Talos node IP (optional but fine)
+ - peer-address: 10.1.10.1 # OPNsense LAN IP
+ peer-asn: 65551 # ASN you set on OPNsense
+ my-asn: 64512 # <<< MUST MATCH “Remote AS” on OPNsense
+ hold-time: 90s
+ source-address: 10.1.10.5 # Talos node IP (optional but fine)
+ - peer-address: 10.1.10.1 # OPNsense LAN IP
+ peer-asn: 65551 # ASN you set on OPNsense
+ my-asn: 64512 # <<< MUST MATCH “Remote AS” on OPNsense
+ hold-time: 90s
+ source-address: 10.1.10.6 # Talos node IP (optional but fine)
+ # router-id optional – can omit or make unique per node
+ address-pools:
+ - name: default
+ protocol: bgp
+ addresses:
+ - 10.1.10.50-10.1.10.100
diff --git a/minio/certificate.yaml b/minio/certificate.yaml
new file mode 100644
index 0000000..c96d7bf
--- /dev/null
+++ b/minio/certificate.yaml
@@ -0,0 +1,13 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: minio-cert
+ namespace: istio-system
+spec:
+ secretName: minio-cert
+ issuerRef:
+ name: letsencrypt-dns
+ kind: ClusterIssuer
+ dnsNames:
+ - s3.gwg313.xyz
+ - s3-console.gwg313.xyz
diff --git a/minio/gateway.yaml b/minio/gateway.yaml
new file mode 100644
index 0000000..912e8f2
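Review bot: `speaker.securityContext` is overridden wholesale with `drop: ["ALL"]` and no `add:`; to my recollection the chart's own speaker context adds `NET_RAW` because Layer-2 announcements use raw sockets, so combined with the `L2Advertisement` in `metallb/config/` this is likely to leave the speaker unable to answer ARP/NDP. Confirm against the chart defaults and, if so, add `add: ["NET_RAW"]` under `capabilities`. Separately, the `configInline` block with four BGP peers duplicates the `10.1.10.50-10.1.10.100` range that `config/ipaddresspool.yaml` already declares; MetalLB 0.13 moved configuration to CRDs, so on the pinned 0.13.12 chart this block is probably ignored and the effective mode is L2, not BGP. Either delete the block or express the peers as `BGPPeer`/`BGPAdvertisement` resources so the manifests state one mode.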
--- /dev/null
+++ b/minio/gateway.yaml
@@ -0,0 +1,27 @@
+apiVersion: networking.istio.io/v1beta1
+kind: Gateway
+metadata:
+ name: minio-gateway
+ namespace: minio
+spec:
+ selector:
+ istio: gateway
+ servers:
+ - port:
+ number: 443
+ name: minio-api
+ protocol: HTTPS
+ hosts:
+ - s3.gwg313.xyz
+ tls:
+ mode: SIMPLE
+ credentialName: minio-cert
+ - port:
+ number: 443
+ name: minio-console
+ protocol: HTTPS
+ hosts:
+ - s3-console.gwg313.xyz
+ tls:
+ mode: SIMPLE
+ credentialName: minio-cert
diff --git a/minio/minio-secrets-sealed.yaml b/minio/minio-secrets-sealed.yaml
new file mode 100644
index 0000000..db7b22c
--- /dev/null
+++ b/minio/minio-secrets-sealed.yaml
@@ -0,0 +1,15 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ creationTimestamp: null
+ name: minio-auth
+ namespace: minio
+spec:
+ encryptedData:
+ root-password: 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
+ root-user: 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
+ template:
+ metadata:
+ creationTimestamp: null
+ name: minio-auth
+ namespace: minio
diff --git a/minio/secrets-sealed.yaml b/minio/secrets-sealed.yaml
new file mode 100644
index 0000000..2c373f1
--- /dev/null
+++ b/minio/secrets-sealed.yaml
@@ -0,0 +1,18 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ creationTimestamp: null
+ name: minio-iscsi-auth
+ namespace: minio
+spec:
+ encryptedData:
+ discovery.sendtargets.auth.password: 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
+ discovery.sendtargets.auth.username: 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
+ node.session.auth.password: AgCgA17eF7kgdTYGuBJ12HtWAdwQKluvmirOCpPWjIiGU7YHGfEQxIS3MEmuI7/Z0oNB/SYgqZwnS56AZ8OUEf6L90uYhfkN8VV79QJxZlk4EXSgu6EfiKjoYU0uwQSnqDVSOYG9VxEro+tgeYj4hpqag9MIfULX6kTbDll2bcuq/eXDl4QijNveU+wqMzRz5t/c7MSdcacJO9l3DvXvnZEUpKydw9TKyPBGyFB5Lsjlf9Lkxf8+kqScS7eC849LrDAUiFMktOrwKsK4gk7JX7Dvuc8n9iDOjGPjgv/mz1xOP9mEnQqpP7d9JIR7WLubl+MPeXwpTA4cR2/VA6TWV86hbmCuYGckPX80+DEW26jAHxmaSIk3U4ZOY11eiYGieTr7Irlx4L7TFukwB8g9Cf8io6pQJU2wA9vflF4s/yZOXiAqP4sit1qd4Z0/DR5n/7DbhOs0qKOHbiUTujmw36ewmfJ8IDxq6WzomjuJz2ezaVTVkdSXDcchyCg3yVutjqaAw+O1XNJdgtoAZXhh0dr6hiTLy1oi3nKyVy/EYn3mxZg8S/ixLyS3a6XcoAqsfpdXf2tirfrMG5OACZgLoi3+cYthgrpi1rrbIR23MSFuvAcDUjLKYiFbq2BJJUpuACeio2VMrgCC/Cb5xXS4Rprg4wUEz0wAB5vUH2NrkDTqMTofEw3EdhB5SfjLu5+HlBmasmlwgbyhmrSr0V609fog
+ node.session.auth.username: 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
+ template:
+ metadata:
+ creationTimestamp: null
+ name: minio-iscsi-auth
+ namespace: minio
+ type: kubernetes.io/iscsi-chap
diff --git a/minio/storage.yaml b/minio/storage.yaml
new file mode 100644
index 0000000..b43c309
--- /dev/null
+++ b/minio/storage.yaml
@@ -0,0 +1,38 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: minio-pv
+spec:
+ capacity:
+ storage: 100Gi
+ accessModes:
+ - ReadWriteOnce
+ volumeMode: Filesystem
+ persistentVolumeReclaimPolicy: Retain
+ storageClassName: minio-iscsi
+ iscsi:
+ targetPortal: truenas.local.gwg313.xyz
+ iqn: iqn.2005-10.org.freenas.ctl:minio
+ lun: 0
+ fsType: ext4
+ readOnly: false
+ chapAuthDiscovery: true
+ chapAuthSession: true
+ secretRef:
+ name: minio-iscsi-auth
+ namespace: minio
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: minio-data
+ namespace: minio
+spec:
+ accessModes:
+ - ReadWriteOnce
+ volumeMode: Filesystem
+ resources:
+ requests:
+ storage: 100Gi
+ volumeName: minio-pv
+ storageClassName: minio-iscsi
diff --git a/minio/virtualservice.yaml b/minio/virtualservice.yaml
new file mode 100644
index 0000000..638a2c2
--- /dev/null
+++ b/minio/virtualservice.yaml
@@ -0,0 +1,39 @@
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+ name: minio-console
+ namespace: minio
+spec:
+ hosts:
+ - s3-console.gwg313.xyz
+ gateways:
+ - minio-gateway
+ http:
+ - match:
+ - uri:
+ prefix: /
+ route:
+ - destination:
+ host: minio-console
+ port:
+ number: 9090
+---
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+ name: minio-api
+ namespace: minio
+spec:
+ hosts:
+ - s3.gwg313.xyz
+ gateways:
+ - minio-gateway
+ http:
+ - match:
+ - uri:
+ prefix: /
+ route:
+ - destination:
+ host: minio
+ port:
+ number: 9000
diff --git a/navidrome/certificate.yaml b/navidrome/certificate.yaml
new file mode 100644
index 0000000..f320278
--- /dev/null
+++ b/navidrome/certificate.yaml
@@ -0,0 +1,15 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: navidrome-cert
+ namespace: istio-system
+spec:
+ secretName: navidrome-cert
+ issuerRef:
+ name: letsencrypt-dns
+ kind: ClusterIssuer
+ # commonName: music.local.gwg313.xyz
+ dnsNames:
+ - music.local.gwg313.xyz
+ - music.gwg313.xyz
+ - music.zerotier.gwg313.xyz
diff --git a/navidrome/configmap.yaml b/navidrome/configmap.yaml
new file mode 100644
index 0000000..4d98e21
--- /dev/null
+++ b/navidrome/configmap.yaml
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: navidrome-config
+ namespace: navidrome
+data:
+ ND_SCANSCHEDULE: "1h"
+ ND_LOGLEVEL: "info"
+ ND_SESSIONTIMEOUT: "24h"
+ ND_BASEURL: ""
+ ND_DEVACTIVITYPANEL: "false"
diff --git a/navidrome/deployment.yaml b/navidrome/deployment.yaml
new file mode 100644
index 0000000..a2abd50
--- /dev/null
+++ b/navidrome/deployment.yaml
@@ -0,0 +1,38 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: navidrome
+ namespace: navidrome
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: navidrome
+ template:
+ metadata:
+ labels:
+ app: navidrome
+ spec:
+ containers:
+ - name: navidrome
+ image: deluan/navidrome:latest
+ ports:
+ - containerPort: 4533
+ envFrom:
+ - configMapRef:
+ name: navidrome-config
+ - secretRef:
+ name: navidrome-secrets
+ volumeMounts:
+ - mountPath: /data
+ name: navidrome-data
+ - mountPath: /music
+ name: navidrome-music
+ readOnly: true
+ volumes:
+ - name: navidrome-data
+ persistentVolumeClaim:
+ claimName: navidrome-data
+ - name: navidrome-music
+ persistentVolumeClaim:
+ claimName: navidrome-music
diff --git a/navidrome/gateway.yaml b/navidrome/gateway.yaml
new file mode 100644
index 0000000..03f70c9
--- /dev/null
+++ b/navidrome/gateway.yaml
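Review bot: the navidrome pod and container carry no securityContext at all, so unlike bytestash nothing here forbids privilege escalation or drops capabilities, and unlike forgejo there is no `runAsUser`/`fsGroup` to keep the iSCSI data volume owned by a fixed uid; borrow both halves from those deployments (`runAsNonRoot: true`, `runAsUser`/`fsGroup`, `allowPrivilegeEscalation: false`, `capabilities.drop: ["ALL"]`). `deluan/navidrome:latest` is a floating tag, so what Argo CD deploys can change without a commit; pin a version. Mounting `/music` with `readOnly: true` is the right call for the ReadOnlyMany NFS share.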
@@ -0,0 +1,19 @@
+apiVersion: networking.istio.io/v1beta1
+kind: Gateway
+metadata:
+ name: music-gateway
+spec:
+ selector:
+ istio: gateway
+ servers:
+ - port:
+ number: 443
+ name: https
+ protocol: HTTPS
+ tls:
+ mode: SIMPLE
+ credentialName: navidrome-cert
+ hosts:
+ - music.local.gwg313.xyz
+ - music.gwg313.xyz
+ - music.zerotier.gwg313.xyz
diff --git a/navidrome/iscsi-secret.yaml b/navidrome/iscsi-secret.yaml
new file mode 100644
index 0000000..5bdc774
--- /dev/null
+++ b/navidrome/iscsi-secret.yaml
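Review bot: the Gateway has no `metadata.namespace`, and the same is true of `navidrome/service.yaml` and `navidrome/virtualservice.yaml` later in this commit, while every other navidrome object and every other app's Gateway/Service/VirtualService sets one; these three will land in whatever namespace the applying tool defaults to, and the VirtualService's unqualified `music-gateway` reference resolves relative to its own namespace, so the whole routing chain silently depends on that default. Add `namespace: navidrome` to all three, as `bytestash/gateway.yaml` does.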
@@ -0,0 +1,18 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ creationTimestamp: null
+ name: navidrome-iscsi-auth
+ namespace: navidrome
+spec:
+ encryptedData:
+ discovery.sendtargets.auth.password: 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
+ discovery.sendtargets.auth.username: 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
+ node.session.auth.password: AgCaw7xjK13WWHje8KBCyk9KJVvGsbwnZHcQZjl1OQlqpyPx2MuYt41z2jnReAieFwFJ0EUR0AcHWWVS1llrUl0v4URGLmFSX372s+Z1rZ0J/agFGgAIHwu+ksXRhG2rLtUk4YJ0RBJUaWOcIpFrHk3oGnUU55Nw1v5GtiYbgRTBehMkON6TXQt3PA0WLmVHxEoDoKy9kzQL643VnQ+jTiuFFcmmjVVAF+a+xEAwV0os6FgrO1okej2ucBTrNAmbFUl9dhzGidA50asSZimplrlRY8y1b2R9LUQOYZ/U4PgTsG9dAfM3wSjfhcWFlQ3D4pf4Y/pchUe0OkkFTLXnXCcY0MhdpMtDDWRU6JoBNkDsa4g36gzEL2s+dCcWa+ltA8XPdI1vpbOaFpZn1TZTgk00JQnnePOsL1bTObNY1Eh0Yl7g1zb2SgUzg7zp4C2rOz/0q9I4ftuNgMtAPtD+fbf53vxCOc6hHvEdCZN03uvbsGp2drF7R7xHOXbWNvJtXi1kCO/ddVP6hxKOLbg/5Ag07gf9p1scm+nDhsBvVaTJTI6Oc66MggAsHRkQVvdM6XJlmINVCIKPoqygXCkZwXrIJUXin6MTV3OTqIC/FdKUE4Or0hhQM4Gw6Dg3FE+zAENdPPQeEs6A7+KQbMw0NDA0WoyXDbOobEHpOU5IUcigycjklO/58sYOrQX7z8JlxyibtRunPHhiL7fBWi7p2PSG
+ node.session.auth.username: AgBGQxzefQTAt3/7O+1bqbt6XlqehG0Obc3+GH5V4dgDyZMcPGgq74Beh07j8ahe9i4T+tXY4DylnTaBoVBSrOW62ipwVYmiyxWRbQ7TJ0m4dcAJOddDFED2pmQ91S0xneIrHx7N8SZgXf2Gh9xabOrkqcTHx0n0KXjuQvrDO6DcckSdnvptS3PNniK9DogY1cOInHZdAX341wXY93U4DyQb1JsoKi3QvxjVGBlmPft9GiAfWTBj9Hj9q+AA6pymH69j7xhkUiv7b6XCgYdjOqE0D1/4hIMvJR7qybGYrwUbVv/xvfLcIKJFsAMkigi2VQaTvn4E+4MkmukM+FBDfuoJ64asvYlu8quJ5KwD/OHL8toYthjs/g3aq/EQBCn1hc3JNPq6ZZ52rfRKiPcjHKOdoFkPy8yXg6nb3HSqDlUv3i01CbQ841hQhJgFfnbqDYvI3xYH0ubXKiJsGlTbZVV8iDOiJJIPRiRKL9tt4PzR2J3GCnR4ZZVYYHWkE1wIYheLwklxBkKmg2lktc0MzBfCtbcCewmcfZ9bnQFy0TT9Bvzr5EA8UbYDVEiw7eqNiK8u//iwNPZvHyMXo0lKDQ0O8YuznUrZZ0g+RHALKwDPpYqhXvu5ARh3SnSkvonZ2STVDMJgeM4/p0Q2fKomfrzwJrzHth3ipR/9gScdInMvtrudcBpVhgULxsc9UxbwnW708N6kN5lo7fo=
+ template:
+ metadata:
+ creationTimestamp: null
+ name: navidrome-iscsi-auth
+ namespace: navidrome
+ type: kubernetes.io/iscsi-chap
diff --git a/navidrome/navidrome-secrets.yaml b/navidrome/navidrome-secrets.yaml
new file mode 100644
index 0000000..565ea8a
--- /dev/null
+++ b/navidrome/navidrome-secrets.yaml
@@ -0,0 +1,18 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ creationTimestamp: null
+ name: navidrome-secrets
+ namespace: navidrome
+spec:
+ encryptedData:
+ ND_LASTFM_APIKEY: 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
+ ND_LASTFM_SECRET: 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
+ ND_SPOTIFY_ID: 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
+ ND_SPOTIFY_SECRET: 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
+ template:
+ metadata:
+ creationTimestamp: null
+ name: navidrome-secrets
+ namespace: navidrome
+ type: Opaque
diff --git a/navidrome/pv.yaml b/navidrome/pv.yaml
new file mode 100644
index 0000000..e97aa9f
--- /dev/null
+++ b/navidrome/pv.yaml
@@ -0,0 +1,42 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: navidrome-data-pv
+ namespace: navidrome
+spec:
+ capacity:
+ storage: 20Gi
+ accessModes:
+ - ReadWriteOnce
+ persistentVolumeReclaimPolicy: Retain
+ storageClassName: manual
+ iscsi:
+ targetPortal: truenas.local.gwg313.xyz:3260
+ iqn: iqn.2005-10.org.freenas.ctl:navidrome
+ lun: 0
+ fsType: ext4
+ readOnly: false
+ chapAuthDiscovery: true
+ chapAuthSession: true
+ secretRef:
+ name: navidrome-iscsi-auth
+ claimRef:
+ namespace: navidrome
+ name: navidrome-data
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: navidrome-music-pv
+ namespace: navidrome
+spec:
+ capacity:
+ storage: 10Gi
+ volumeMode: Filesystem
+ accessModes:
+ - ReadOnlyMany
+ persistentVolumeReclaimPolicy: Retain
+ storageClassName: manual
+ nfs:
+ path: /mnt/tank/music-ro
+ server: truenas.local.gwg313.xyz
diff --git a/navidrome/pvc.yaml b/navidrome/pvc.yaml
new file mode 100644
index 0000000..2156dfb
--- /dev/null
+++ b/navidrome/pvc.yaml
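Review bot: both PersistentVolumes in `navidrome/pv.yaml` set `metadata.namespace: navidrome`, but a PersistentVolume is cluster-scoped and the API server ignores the field, so it only misleads a reader into thinking the volume is namespaced; drop it, as the harbor, minio, forgejo and bytestash PVs in this commit do. The namespace that matters is already expressed in `claimRef.namespace` on `navidrome-data-pv`, and the iSCSI `secretRef` here, like forgejo's, would benefit from an explicit `namespace: navidrome` so the CHAP secret lookup does not rely on the consuming pod's namespace.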
@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: navidrome-data
+ namespace: navidrome
+spec:
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: manual
+ volumeMode: Block
+ volumeName: navidrome-data-pv
+ resources:
+ requests:
+ storage: 20Gi
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: navidrome-music
+ namespace: navidrome
+spec:
+ accessModes:
+ - ReadOnlyMany
+ storageClassName: manual
+ volumeMode: Filesystem
+ volumeName: navidrome-music-pv
+ resources:
+ requests:
+ storage: 10Gi
diff --git a/navidrome/service.yaml b/navidrome/service.yaml
new file mode 100644
index 0000000..26ed577
--- /dev/null
+++ b/navidrome/service.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: navidrome
+spec:
+ selector:
+ app: navidrome
+ ports:
+ - name: http
+ port: 80
+ targetPort: 4533
+ type: ClusterIP
diff --git a/navidrome/virtualservice.yaml b/navidrome/virtualservice.yaml
new file mode 100644
index 0000000..5609a07
--- /dev/null
+++ b/navidrome/virtualservice.yaml
@@ -0,0 +1,20 @@
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+ name: navidrome
+spec:
+ hosts:
+ - music.local.gwg313.xyz
+ - music.gwg313.xyz
+ - music.zerotier.gwg313.xyz
+ gateways:
+ - music-gateway
+ http:
+ - match:
+ - uri:
+ prefix: /
+ route:
+ - destination:
+ host: navidrome
+ port:
+ number: 80
diff --git a/sealed-secrets/values.yaml b/sealed-secrets/values.yaml
new file mode 100644
index 0000000..94edb81
--- /dev/null
+++ b/sealed-secrets/values.yaml
@@ -0,0 +1 @@
+fullnameOverride: sealed-secrets-controller
diff --git a/woodpecker/certificate.yaml b/woodpecker/certificate.yaml
new file mode 100644
index 0000000..ebd064c
--- /dev/null
+++ b/woodpecker/certificate.yaml
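Review bot: The navidrome-data claim requests `volumeMode: Block` but pins `volumeName: navidrome-data-pv`, and that PV (navidrome/pv.yaml, previous hunk) has no volumeMode and sets `fsType: ext4`, i.e. it is Filesystem mode; PV/PVC binding requires the modes to match, so this claim would stay Pending. Change the claim to `volumeMode: Filesystem` (or drop the line, as Filesystem is the default), or, if raw block access is intended, give the PV `volumeMode: Block` and remove its fsType. The navidrome-music claim already uses `volumeMode: Filesystem` and matches its PV.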
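Review bot: navidrome/service.yaml and navidrome/virtualservice.yaml carry no `metadata.namespace`, whereas every other navidrome object in this commit sets `namespace: navidrome`. If these two are applied without a namespace set by a kustomization or Application, they land in `default`, and the VirtualService destination `host: navidrome` would then resolve relative to the wrong namespace. Adding `namespace: navidrome` to both, as the PVCs do, removes the dependency on how the directory is applied.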
@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: woodpecker-cert
+ namespace: istio-system
+spec:
+ secretName: woodpecker-cert
+ issuerRef:
+ name: letsencrypt-dns
+ kind: ClusterIssuer
+ dnsNames:
+ - ci.gwg313.xyz
diff --git a/woodpecker/gateway.yaml b/woodpecker/gateway.yaml
new file mode 100644
index 0000000..c77e25f
--- /dev/null
+++ b/woodpecker/gateway.yaml
@@ -0,0 +1,18 @@
+apiVersion: networking.istio.io/v1beta1
+kind: Gateway
+metadata:
+ name: woodpecker-gateway
+ namespace: woodpecker
+spec:
+ selector:
+ istio: gateway
+ servers:
+ - port:
+ number: 443
+ name: https
+ protocol: HTTPS
+ tls:
+ mode: SIMPLE
+ credentialName: woodpecker-cert
+ hosts:
+ - ci.gwg313.xyz
diff --git a/woodpecker/iscsi-secret-sealed.yaml b/woodpecker/iscsi-secret-sealed.yaml
new file mode 100644
index 0000000..8042b49
--- /dev/null
+++ b/woodpecker/iscsi-secret-sealed.yaml
@@ -0,0 +1,18 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ creationTimestamp: null
+ name: woodpecker-iscsi-auth
+ namespace: woodpecker
+spec:
+ encryptedData:
+ discovery.sendtargets.auth.password: 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
+ discovery.sendtargets.auth.username: 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
+ node.session.auth.password: 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
+ node.session.auth.username: 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
+ template:
+ metadata:
+ creationTimestamp: null
+ name: woodpecker-iscsi-auth
+ namespace: woodpecker
+ type: Opaque
diff --git a/woodpecker/privileges.yaml b/woodpecker/privileges.yaml
new file mode 100644
index 0000000..5f4d0c5
--- /dev/null
+++ b/woodpecker/privileges.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: woodpecker
+ labels:
+ pod-security.kubernetes.io/enforce: privileged
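Review bot: The HTTPS server in woodpecker-gateway sets `mode: SIMPLE` but no `minProtocolVersion`, so the accepted TLS floor is whatever the installed Istio defaults to; for a host exposed as ci.gwg313.xyz add `minProtocolVersion: TLSV1_2` under `tls:` so the floor is stated in the repo rather than inherited. There is also no port-80 server, so plain-HTTP requests are refused rather than redirected; if a redirect is wanted, a second `servers` entry with `httpsRedirect: true` is the Istio way to do it. The same two points apply to yopass/gateway.yaml later in this diff.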
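Review bot: `pod-security.kubernetes.io/enforce: privileged` on the Namespace switches Pod Security admission off for every pod in woodpecker, including the server and anything else deployed there, not only the agent that presumably needs elevated privileges to run pipeline containers. The file gives no reason, so a comment on the label such as `# PSA relaxed: the woodpecker agent runs pipeline containers that need privileged mode` would tell the next reader what depends on it. Consider also adding `pod-security.kubernetes.io/warn: baseline` and `pod-security.kubernetes.io/audit: baseline` so that any pod actually using privileged settings still shows up in warnings and audit logs, and revisit whether the server could live in a namespace with a stricter level.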
diff --git a/woodpecker/server-agent-sealed.yaml b/woodpecker/server-agent-sealed.yaml
new file mode 100644
index 0000000..3a3fb35
--- /dev/null
+++ b/woodpecker/server-agent-sealed.yaml
@@ -0,0 +1,16 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ creationTimestamp: null
+ name: woodpecker-agent-secrets
+ namespace: woodpecker
+spec:
+ encryptedData:
+ WOODPECKER_AGENT_SECRET: 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
+ WOODPECKER_SERVER: 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
+ template:
+ metadata:
+ creationTimestamp: null
+ name: woodpecker-agent-secrets
+ namespace: woodpecker
+ type: Opaque
diff --git a/woodpecker/server-secrets-sealed.yaml b/woodpecker/server-secrets-sealed.yaml
new file mode 100644
index 0000000..7901687
--- /dev/null
+++ b/woodpecker/server-secrets-sealed.yaml
@@ -0,0 +1,22 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ creationTimestamp: null
+ name: woodpecker-server-secrets
+ namespace: woodpecker
+spec:
+ encryptedData:
+ WOODPECKER_ADMIN: 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
+ WOODPECKER_AGENT_SECRET: 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
+ WOODPECKER_BACKEND: 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
+ WOODPECKER_GITEA: 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
+ WOODPECKER_GITEA_CLIENT: 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
+ WOODPECKER_GITEA_SECRET: 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
+ WOODPECKER_GITEA_URL: 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
+ WOODPECKER_HOST: 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
+ template:
+ metadata:
+ creationTimestamp: null
+ name: woodpecker-server-secrets
+ namespace: woodpecker
+ type: Opaque
diff --git a/woodpecker/service.yaml b/woodpecker/service.yaml
new file mode 100644
index 0000000..3f0258e
--- /dev/null
+++ b/woodpecker/service.yaml
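Review bot: WOODPECKER_AGENT_SECRET is sealed twice, once in woodpecker-agent-secrets (previous hunk) and once here in woodpecker-server-secrets; each ciphertext is produced independently, so nothing in the repo shows that the two were sealed from the same plaintext, and a divergence only surfaces at runtime as the agent failing to connect. Keeping the shared value in one SealedSecret that both the server and the agent reference avoids that class of drift, or at least add a comment on each key, `# must be sealed from the same value as woodpecker-agent-secrets`. Separately, WOODPECKER_ADMIN, WOODPECKER_BACKEND, WOODPECKER_GITEA, WOODPECKER_GITEA_URL and WOODPECKER_HOST look like configuration rather than secrets; sealing them makes the values unreviewable in a diff, and a ConfigMap alongside the sealed client secret would keep them visible.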
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: woodpecker
+ namespace: woodpecker
+spec:
+ selector:
+ app: woodpecker
+ ports:
+ - port: 80
+ targetPort: 8000
diff --git a/woodpecker/shared-pvc.yaml b/woodpecker/shared-pvc.yaml
new file mode 100644
index 0000000..3075fdc
--- /dev/null
+++ b/woodpecker/shared-pvc.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: woodpecker-shared-storage
+ namespace: woodpecker
+spec:
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 20Gi
+ storageClassName: nfs-client
diff --git a/woodpecker/storage.yaml b/woodpecker/storage.yaml
new file mode 100644
index 0000000..640eaea
--- /dev/null
+++ b/woodpecker/storage.yaml
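Review bot: This Service is named `woodpecker` and selects `app: woodpecker`, but woodpecker/virtualservice.yaml further down routes to `host: woodpecker-server` on port 80; unless a Service of that name is created elsewhere (a Helm release, say), the VirtualService has no backend. Either rename this object to `name: woodpecker-server` or point the destination at `host: woodpecker`. The port entry also has no `name`; Istio can detect plain HTTP automatically, but `name: http` is the documented convention and makes the intended protocol explicit, as navidrome/service.yaml already does.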
@@ -0,0 +1,114 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: woodpecker-agent-pv5
+spec:
+ capacity:
+ storage: 10Gi
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: ""
+ persistentVolumeReclaimPolicy: Retain
+ volumeMode: Filesystem
+ iscsi:
+ targetPortal: truenas.local.gwg313.xyz
+ iqn: iqn.2005-10.org.freenas.ctl:woodpecker-agent
+ lun: 1
+ fsType: ext4
+ readOnly: false
+ chapAuthDiscovery: true
+ chapAuthSession: true
+ secretRef:
+ name: woodpecker-iscsi-auth
+ namespace: woodpecker
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: woodpecker-agent-pvc5
+ namespace: woodpecker
+spec:
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: ""
+ volumeName: woodpecker-agent-pv5
+ resources:
+ requests:
+ storage: 10Gi
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: woodpecker-server-pv5
+spec:
+ capacity:
+ storage: 10Gi
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: ""
+ persistentVolumeReclaimPolicy: Retain
+ volumeMode: Filesystem
+ iscsi:
+ targetPortal: truenas.local.gwg313.xyz
+ iqn: iqn.2005-10.org.freenas.ctl:woodpecker-server
+ lun: 0
+ fsType: ext4
+ readOnly: false
+ chapAuthDiscovery: true
+ chapAuthSession: true
+ secretRef:
+ name: woodpecker-iscsi-auth
+ namespace: woodpecker
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: woodpecker-server-pvc5
+ namespace: woodpecker
+spec:
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: ""
+ volumeName: woodpecker-server-pv5
+ resources:
+ requests:
+ storage: 10Gi
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: data-woodpecker-server-0
+spec:
+ capacity:
+ storage: 10Gi
+ accessModes:
+ - ReadWriteOnce
+ volumeMode: Filesystem
+ storageClassName: ""
+ persistentVolumeReclaimPolicy: Retain
+ iscsi:
+ targetPortal: truenas.local.gwg313.xyz
+ iqn: iqn.2005-10.org.freenas.ctl:woodpecker-data
+ lun: 2
+ fsType: ext4
+ readOnly: false
+ chapAuthDiscovery: true
+ chapAuthSession: true
+ secretRef:
+ name: woodpecker-iscsi-auth
+ namespace: woodpecker
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: data-woodpecker-server-0
+ namespace: woodpecker
+spec:
+ accessModes:
+ - ReadWriteOnce
+ volumeMode: Filesystem
+ resources:
+ requests:
+ storage: 10Gi
+ volumeName: data-woodpecker-server-0
+ storageClassName: "" # must match PV
diff --git a/woodpecker/virtualservice.yaml b/woodpecker/virtualservice.yaml
new file mode 100644
index 0000000..3168fb7
--- /dev/null
+++ b/woodpecker/virtualservice.yaml
@@ -0,0 +1,16 @@
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+ name: woodpecker
+ namespace: woodpecker
+spec:
+ gateways:
+ - woodpecker-gateway
+ hosts:
+ - ci.gwg313.xyz
+ http:
+ - route:
+ - destination:
+ host: woodpecker-server
+ port:
+ number: 80
diff --git a/woodpecker/woodpecker-cache.yaml b/woodpecker/woodpecker-cache.yaml
new file mode 100644
index 0000000..6a988dc
--- /dev/null
+++ b/woodpecker/woodpecker-cache.yaml
@@ -0,0 +1,27 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: wp-cache-pv1
+spec:
+ capacity:
+ storage: 1Gi
+ accessModes:
+ - ReadWriteMany
+ persistentVolumeReclaimPolicy: Retain
+ storageClassName: manual-nfs
+ nfs:
+ server: truenas.local.gwg313.xyz
+ path: /mnt/tank/k8s/democratic/woodpecker-cache
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: wp-cache-pvc1
+ namespace: woodpecker
+spec:
+ accessModes:
+ - ReadWriteMany
+ storageClassName: manual-nfs
+ resources:
+ requests:
+ storage: 1Gi
diff --git a/yopass/certificate.yaml b/yopass/certificate.yaml
new file mode 100644
index 0000000..e9c905b
--- /dev/null
+++ b/yopass/certificate.yaml
@@ -0,0 +1,13 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: yopass-cert
+ namespace: istio-system
+spec:
+ secretName: yopass-cert
+ issuerRef:
+ name: letsencrypt-dns
+ kind: ClusterIssuer
+ dnsNames:
+ - pastebin.local.gwg313.xyz
+ - pastebin.gwg313.xyz
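Review bot: wp-cache-pvc1 has no `volumeName`, so it is bound to wp-cache-pv1 only by the `storageClassName: manual-nfs` match and the size fitting; with `Retain` and no `claimRef` on the PV, any other claim in the cluster asking for that class and up to 1Gi ReadWriteMany could take the volume first, and this claim would then stay Pending. The PV/PVC pairs in woodpecker/storage.yaml (the hunk before this one) pin the binding with `volumeName`, so add `volumeName: wp-cache-pv1` here for consistency, and optionally a `claimRef` on the PV. If the pipeline cache does not need to survive the pod, a class-provisioned volume would also avoid hand-managed PVs.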
diff --git a/yopass/deployment.yaml b/yopass/deployment.yaml
new file mode 100644
index 0000000..2a26630
--- /dev/null
+++ b/yopass/deployment.yaml
@@ -0,0 +1,43 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: yopass
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: yopass
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: yopass
+ spec:
+ containers:
+ - name: yopass
+ image: jhaals/yopass
+ args:
+ - "--memcached=localhost:11211"
+ ports:
+ - name: http
+ containerPort: 1337
+ resources:
+ limits:
+ cpu: 100m
+ memory: 50Mi
+ requests:
+ cpu: 100m
+ memory: 50Mi
+ - name: yopass-memcached
+ image: memcached
+ resources:
+ limits:
+ cpu: 100m
+ memory: 100Mi
+ requests:
+ cpu: 100m
+ memory: 100Mi
+ args:
+ - "-m 64"
+ ports:
+ - name: memcached
+ containerPort: 11211
diff --git a/yopass/gateway.yaml b/yopass/gateway.yaml
new file mode 100644
index 0000000..5b7167a
--- /dev/null
+++ b/yopass/gateway.yaml
@@ -0,0 +1,19 @@
+apiVersion: networking.istio.io/v1beta1
+kind: Gateway
+metadata:
+ name: yopass-gateway
+ namespace: yopass
+spec:
+ selector:
+ istio: gateway
+ servers:
+ - port:
+ number: 443
+ name: https
+ protocol: HTTPS
+ tls:
+ mode: SIMPLE
+ credentialName: yopass-cert
+ hosts:
+ - pastebin.gwg313.xyz
+ - pastebin.local.gwg313.xyz
diff --git a/yopass/service.yaml b/yopass/service.yaml
new file mode 100644
index 0000000..97c5db4
--- /dev/null
+++ b/yopass/service.yaml
@@ -0,0 +1,11 @@
+kind: Service
+apiVersion: v1
+metadata:
+ name: yopass
+spec:
+ selector:
+ app.kubernetes.io/name: yopass
+ type: ClusterIP
+ ports:
+ - name: http
+ port: 1337
diff --git a/yopass/virtualservice.yaml b/yopass/virtualservice.yaml
new file mode 100644
index 0000000..9827afa
--- /dev/null
+++ b/yopass/virtualservice.yaml
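Review bot: Both containers use untagged images (`image: jhaals/yopass`, `image: memcached`), so every pull may fetch a different build and the service that holds one-time secrets is not reproducible from the repo; pin at least a tag and preferably a digest, e.g. `image: jhaals/yopass:<TAG>@sha256:<DIGEST>` (placeholders). Neither container sets a securityContext; `runAsNonRoot: true`, `allowPrivilegeEscalation: false` and `readOnlyRootFilesystem: true` are likely tolerable for yopass and memcached and would limit what a compromise of either container can do. The memcached argument `"-m 64"` is passed as a single argv element; it presumably works because getopt takes the remainder of the token as the option value, but `- "-m"` followed by `- "64"` is the unambiguous form. The Deployment also has no `metadata.namespace`, unlike yopass/gateway.yaml and yopass/virtualservice.yaml which set `namespace: yopass`.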
@@ -0,0 +1,20 @@
+apiVersion: networking.istio.io/v1beta1
+kind: VirtualService
+metadata:
+ name: yopass
+ namespace: yopass
+spec:
+ hosts:
+ - pastebin.gwg313.xyz
+ - pastebin.local.gwg313.xyz
+ gateways:
+ - yopass-gateway
+ http:
+ - match:
+ - uri:
+ prefix: /
+ route:
+ - destination:
+ host: yopass
+ port:
+ number: 1337