gwg313/homelab-gitops
1
0
Fork 0
mirror of https://github.com/gwg313/homelab-gitops.git synced 2026-06-27 12:00:10 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

update

Browse source 
Signed-off-by: gwg313 <gwg313@pm.me>
This commit is contained in:
gwg313 2026-05-17 12:44:19 -04:00
parent bfe8435665
commit 8d74a625bc
Signed by: gwg313
GPG key ID: 60FF63B4826B7400
37 changed files with 224 additions and 103 deletions
Download patch file Download diff file Expand all files Collapse all files

0
apps/bytestash.yaml → apps_bak/bytestash.yaml
View file

0
apps/cert-issuer.yaml → apps_bak/cert-issuer.yaml
View file

0
apps/cert-manager.yaml → apps_bak/cert-manager.yaml
View file

0
apps/focalboard.yaml → apps_bak/focalboard.yaml
View file

0
apps/harbor-config.yaml → apps_bak/harbor-config.yaml
View file

0
apps/harbor.yaml → apps_bak/harbor.yaml
View file

0
apps/hedgedoc.yaml → apps_bak/hedgedoc.yaml
View file

0
apps/karakeep.yaml → apps_bak/karakeep.yaml
View file

0
apps/kube-prometheus-stack-config.yaml → apps_bak/kube-prometheus-stack-config.yaml
View file

0
apps/kube-prometheus-stack.yaml → apps_bak/kube-prometheus-stack.yaml
View file

0
apps/minio-config.yaml → apps_bak/minio-config.yaml
View file

0
apps/minio.yaml → apps_bak/minio.yaml
View file

0
apps/nfs-subdir.yaml → apps_bak/nfs-subdir.yaml
View file

0
apps/sealed-secrets.yaml → apps_bak/sealed-secrets.yaml
View file

0
apps/security.yaml → apps_bak/security.yaml
View file

0
apps/stirling-pdf.yaml → apps_bak/stirling-pdf.yaml
View file

0
apps/woodpecker-manifests.yaml → apps_bak/woodpecker-manifests.yaml
View file

0
apps/woodpecker.yaml → apps_bak/woodpecker.yaml
View file

0
apps/yopass.yaml → apps_bak/yopass.yaml
View file

8
platform/infra-root.yaml → bootstrap/root-app-of-apps.yaml
View file

@ -1,16 +1,14 @@
apiVersion: argoproj.io/v1alpha1 apiVersion: argoproj.io/v1alpha1
kind: Application kind: Application
metadata: metadata:
name: infra-root name: root-app-of-apps
namespace: argocd namespace: argocd
spec: spec:
project: default project: default
source: source:
repoURL: https://github.com/gwg313/homelab-gitops repoURL: https://github.com/gwg313/homelab-gitops.git
targetRevision: main targetRevision: main
path: infra path: management/platform-apps
directory:
recurse: true
destination: destination:
server: https://kubernetes.default.svc server: https://kubernetes.default.svc
namespace: argocd namespace: argocd

9
management/platform-apps/kustomization.yaml Normal file
View file

@ -0,0 +1,9 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- kyverno-core.yaml
- kyverno-policies.yaml
- tetragon-core.yaml
- tetragon-policies.yaml

31
management/platform-apps/kyverno-core.yaml Normal file
View file

@ -0,0 +1,31 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: kyverno-core
namespace: argocd
annotations:
argoproj.io/sync-wave: "-10"
spec:
project: default
source:
repoURL: https://github.com/gwg313/homelab-gitops.git
targetRevision: main
path: platform/kyverno/core
destination:
server: https://kubernetes.default.svc
namespace: kyverno
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
- ServerSideApply=true
- RespectIgnoreDifferences=true
ignoreDifferences:
- group: apiextensions.k8s.io
kind: CustomResourceDefinition
jsonPointers:
- /metadata/labels
- /metadata/annotations

23
management/platform-apps/kyverno-policies.yaml Normal file
View file

@ -0,0 +1,23 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: kyverno-policies
namespace: argocd
annotations:
argoproj.io/sync-wave: "-5"
spec:
project: default
source:
repoURL: https://github.com/gwg313/homelab-gitops.git
targetRevision: main
path: platform/kyverno/policies
destination:
server: https://kubernetes.default.svc
namespace: kyverno
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=false
- ServerSideApply=true

32
management/platform-apps/tetragon-core.yaml Normal file
View file

@ -0,0 +1,32 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: tetragon-core
namespace: argocd
annotations:
argoproj.io/sync-wave: "-10"
spec:
project: default
source:
repoURL: https://github.com/gwg313/homelab-gitops.git
targetRevision: main
path: platform/tetragon/core
destination:
server: https://kubernetes.default.svc
namespace: kube-system
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=false
- ServerSideApply=true
- RespectIgnoreDifferences=true
ignoreDifferences:
- group: apiextensions.k8s.io
kind: CustomResourceDefinition
namespace: ""
jsonPointers:
- /metadata/labels
- /metadata/annotations

23
management/platform-apps/tetragon-policies.yaml Normal file
View file

@ -0,0 +1,23 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: tetragon-policies
namespace: argocd
annotations:
argoproj.io/sync-wave: "-5"
spec:
project: default
source:
repoURL: https://github.com/gwg313/homelab-gitops.git
targetRevision: main
path: platform/tetragon/policies
destination:
server: https://kubernetes.default.svc
namespace: kube-system
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=false
- ServerSideApply=true

28
platform/default-network-policies/kube-system-baseline.yaml
View file

@ -1,28 +0,0 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: kube-system-baseline
namespace: kube-system
spec:
endpointSelector: {}
ingress:
- fromEntities:
- cluster
- host
- remote-node
egress:
- toEntities:
- kube-apiserver
- cluster
- toEndpoints:
- matchLabels:
k8s:k8s-app: kube-dns
toPorts:
- ports:
- port: "53"
protocol: UDP
- port: "53"
protocol: TCP

40
platform/default-network-policies/kube-system-hardening.yaml
View file

@ -1,40 +0,0 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: kube-system-hardening
namespace: kube-system
spec:
endpointSelector: {}
ingress:
# Allow cluster-internal communication (required for DNS, CNI, etc.)
- fromEntities:
- cluster
- host
- remote-node
# Allow kube-apiserver to talk to system components
- fromEntities:
- kube-apiserver
egress:
# Core dependency: Kubernetes API
- toEntities:
- kube-apiserver
# CoreDNS access
- toEndpoints:
- matchLabels:
k8s:k8s-app: kube-dns
toPorts:
- ports:
- port: "53"
protocol: UDP
- port: "53"
protocol: TCP
# Allow internal cluster communication (important for CNI + service mesh)
- toEntities:
- cluster
- host
- remote-node

30
platform/default-network-policies/kube-system-restrict-external-egress.yaml
View file

@ -1,30 +0,0 @@
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: kube-system-restrict-external-egress
namespace: kube-system
spec:
endpointSelector: {}
egress:
# Allow Kubernetes API
- toEntities:
- kube-apiserver
# Allow internal cluster communication
- toEntities:
- cluster
- host
- remote-node
# Allow DNS
- toEndpoints:
- matchLabels:
k8s:k8s-app: kube-dns
toPorts:
- ports:
- port: "53"
protocol: UDP
- port: "53"
protocol: TCP

10
platform/kyverno/core/Chart.yaml Normal file
View file

@ -0,0 +1,10 @@
apiVersion: v2
name: kyverno-core
description: Kyverno Helm
type: application
version: 1.0.0
appVersion: 1.0.0
dependencies:
- name: kyverno
repository: https://kyverno.github.io/kyverno
version: 3.8.0

7
platform/kyverno/core/values.yaml Normal file
View file

@ -0,0 +1,7 @@
kyverno:
admissionController:
replicas: 2
features:
loggingFormat: text
telemetry:
enabled: false

10
platform/kyverno/policies/cleanup-rbac.yaml Normal file
View file

@ -0,0 +1,10 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: kyverno:cleanup-pods
labels:
rbac.kyverno.io/aggregate-to-cleanup-controller: "true"
rules:
- apiGroups: [""]
resources: ["pods"]
verbs: ["get", "list", "watch", "delete"]

6
platform/kyverno/policies/kustomization.yaml Normal file
View file

@ -0,0 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- purge-terminal-pods.yaml
- cleanup-rbac.yaml

21
platform/kyverno/policies/purge-terminal-pods.yaml Normal file
View file

@ -0,0 +1,21 @@
apiVersion: kyverno.io/v2beta1
kind: ClusterCleanupPolicy
metadata:
name: purge-terminal-pods
spec:
match:
any:
- resources:
kinds:
- Pod
schedule: "*/15 * * * *"
conditions:
all:
- key: "{{ request.object.status.phase }}"
operator: AnyIn
value:
- Succeeded
- Failed
- key: "{{ request.object.metadata.creationTimestamp }}"
operator: DurationGreaterThan
value: 30m

10
platform/tetragon/core/Chart.yaml Normal file
View file

@ -0,0 +1,10 @@
apiVersion: v2
name: tetragon
description: Setup Tetrgon
type: application
version: 1.0.0
appVersion: 1.0.0
dependencies:
- name: tetragon
repository: https://helm.cilium.io
version: 1.7.0

13
platform/tetragon/core/values.yaml Normal file
View file

@ -0,0 +1,13 @@
tetragon:
enabled: true
export:
enabled: true
# --- TALOS OS KERNEL MOUNT TUNING ---
btf: /sys/kernel/btf/vmlinux
bpf:
mountPath: /sys/fs/bpf
hostNetwork: true
hostPID: true

21
platform/tetragon/policies/example.yaml Normal file
View file

@ -0,0 +1,21 @@
apiVersion: cilium.io/v1alpha1
kind: TracingPolicy
metadata:
name: "fd-install"
spec:
kprobes:
- call: "fd_install"
syscall: false
args:
- index: 0
type: "int"
- index: 1
type: "file"
selectors:
- matchArgs:
- index: 1
operator: "Equal"
values:
- "/tmp/tetragon"
matchActions:
- action: Sigkill

5
platform/tetragon/policies/kustomization.yaml Normal file
View file

@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- example.yaml