From 471f30f0b1912b77ec27c1fc571cae3be0e16397 Mon Sep 17 00:00:00 2001
From: gwg313
Date: Sat, 21 Jun 2025 15:47:08 -0400
Subject: [PATCH] initial commit

---
 .envrc | 3 +
 .gitignore | 1 +
 apps/istio.yaml | 23 +++++++
 apps/security.yaml | 18 ++++++
 devenv.lock | 103 +++++++++++++++++++++++++++++++
 devenv.nix | 56 +++++++++++++++++
 istio/Chart.yaml | 14 +++++
 istio/README.md | 0
 istio/base-values.yaml | 17 +++++
 root-app.yaml | 22 +++++++
 security/namespace-policies.yaml | 7 +++
 security/network-policies.yaml | 10 +++
 security/rbac.yaml | 12 ++++
 13 files changed, 286 insertions(+)
 create mode 100644 .envrc
 create mode 100644 .gitignore
 create mode 100644 apps/istio.yaml
 create mode 100644 apps/security.yaml
 create mode 100644 devenv.lock
 create mode 100644 devenv.nix
 create mode 100644 istio/Chart.yaml
 create mode 100644 istio/README.md
 create mode 100644 istio/base-values.yaml
 create mode 100644 root-app.yaml
 create mode 100644 security/namespace-policies.yaml
 create mode 100644 security/network-policies.yaml
 create mode 100644 security/rbac.yaml

diff --git a/.envrc b/.envrc
new file mode 100644
index 0000000..894571b
--- /dev/null
+++ b/.envrc
@@ -0,0 +1,3 @@
+source_url "https://raw.githubusercontent.com/cachix/devenv/82c0147677e510b247d8b9165c54f73d32dfd899/direnvrc" "sha256-7u4iDd1nZpxL4tCzmPG0dQgC5V+/44Ba+tHkPob1v2k="
+
+use devenv
diff --git a/.gitignore b/.gitignore
new file mode 100644
index 0000000..26d999e
--- /dev/null
+++ b/.gitignore
@@ -0,0 +1 @@
+.devenv
diff --git a/apps/istio.yaml b/apps/istio.yaml
new file mode 100644
index 0000000..8e59932
--- /dev/null
+++ b/apps/istio.yaml
@@ -0,0 +1,23 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: istio
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://github.com/gwg313/homelab-gitops
+    targetRevision: main
+    path: istio
+    helm:
+      valueFiles:
+        - base-values.yaml
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: istio-system
+  syncPolicy:
+    automated:
+      selfHeal: true
+      prune: true
+    syncOptions:
+      - CreateNamespace=true
diff --git a/apps/security.yaml b/apps/security.yaml
new file mode 100644
index 0000000..5bcdeb1
--- /dev/null
+++ b/apps/security.yaml
@@ -0,0 +1,18 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: cluster-security
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://github.com/gwg313/homelab-gitops
+    targetRevision: main
+    path: security
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: kube-system
+  syncPolicy:
+    automated:
+      selfHeal: true
+      prune: true
diff --git a/devenv.lock b/devenv.lock
new file mode 100644
index 0000000..43b0105
--- /dev/null
+++ b/devenv.lock
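Review bot: `project: default` places an Application that prunes and self-heals istio-system under the built-in AppProject, which allows any source repo, any destination and any cluster-scoped resource kind; the same applies to apps/security.yaml and root-app.yaml. A dedicated AppProject with `sourceRepos` limited to `https://github.com/gwg313/homelab-gitops` and `destinations` limited to the namespaces these apps actually own confines what a mistaken or malicious commit can sync, and is the place for the cluster-resource allowlist the security app needs. Since `targetRevision: main` already makes every push to main authoritative, the project boundary is the remaining control. If the default project is a deliberate homelab choice, a one-line comment above `project: default` saying so avoids the question on every review.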
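Review bot: `destination.namespace: kube-system` is the landing namespace for an Application whose manifests are all cluster-scoped (Namespace, ClusterRoleBinding) or set their own namespace, so today it does nothing, but any future namespaced manifest added to security/ without a namespace would silently land among the control-plane components. Pointing the destination at a namespace this app owns, or documenting the choice with `# manifests under security/ are cluster-scoped or carry their own namespace; this value is unused by them`, makes the intent explicit. The app also lacks the `CreateNamespace=true` option the sibling apps use, which is fine for kube-system but worth knowing if the destination is ever changed.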
@@ -0,0 +1,103 @@
+{
+  "nodes": {
+    "devenv": {
+      "locked": {
+        "dir": "src/modules",
+        "lastModified": 1750529628,
+        "owner": "cachix",
+        "repo": "devenv",
+        "rev": "cee0466541d357356b8c1ee0a61f3e0b94c7a54e",
+        "type": "github"
+      },
+      "original": {
+        "dir": "src/modules",
+        "owner": "cachix",
+        "repo": "devenv",
+        "type": "github"
+      }
+    },
+    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1747046372,
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "9100a0f413b0c601e0533d1d94ffd501ce2e7885",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "git-hooks": {
+      "inputs": {
+        "flake-compat": "flake-compat",
+        "gitignore": "gitignore",
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1749636823,
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
+        "rev": "623c56286de5a3193aa38891a6991b28f9bab056",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "git-hooks.nix",
+        "type": "github"
+      }
+    },
+    "gitignore": {
+      "inputs": {
+        "nixpkgs": [
+          "git-hooks",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1709087332,
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1750441195,
+        "owner": "cachix",
+        "repo": "devenv-nixpkgs",
+        "rev": "0ceffe312871b443929ff3006960d29b120dc627",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "ref": "rolling",
+        "repo": "devenv-nixpkgs",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "devenv": "devenv",
+        "git-hooks": "git-hooks",
+        "nixpkgs": "nixpkgs",
+        "pre-commit-hooks": [
+          "git-hooks"
+        ]
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}
diff --git a/devenv.nix b/devenv.nix
new file mode 100644
index 0000000..8aa55d1
--- /dev/null
+++ b/devenv.nix
@@ -0,0 +1,56 @@
+{
+  pkgs,
+  lib,
+  config,
+  inputs,
+  ...
+}:
+
+{
+  # https://devenv.sh/basics/
+  env.GREET = "devenv";
+  env = {
+    CONTROL_PLANE_IP = "192.168.10.10";
+    WORKER_1_IP = "192.168.10.11";
+    WORKER_2_IP = "192.168.10.12";
+  };
+
+  # https://devenv.sh/packages/
+  packages = with pkgs; [ talosctl ];
+
+  # https://devenv.sh/languages/
+  # languages.rust.enable = true;
+
+  # https://devenv.sh/processes/
+  # processes.cargo-watch.exec = "cargo-watch";
+
+  # https://devenv.sh/services/
+  # services.postgres.enable = true;
+
+  # https://devenv.sh/scripts/
+  scripts.hello.exec = ''
+    echo hello from $GREET
+  '';
+
+  enterShell = ''
+    hello
+    git --version
+  '';
+
+  # https://devenv.sh/tasks/
+  # tasks = {
+  #   "myproj:setup".exec = "mytool build";
+  #   "devenv:enterShell".after = [ "myproj:setup" ];
+  # };
+
+  # https://devenv.sh/tests/
+  enterTest = ''
+    echo "Running tests"
+    git --version | grep --color=auto "${pkgs.git.version}"
+  '';
+
+  # https://devenv.sh/pre-commit-hooks/
+  # pre-commit.hooks.shellcheck.enable = true;
+
+  # See full reference at https://devenv.sh/reference/options/
+}
diff --git a/istio/Chart.yaml b/istio/Chart.yaml
new file mode 100644
index 0000000..0d41ce5
--- /dev/null
+++ b/istio/Chart.yaml
@@ -0,0 +1,14 @@
+apiVersion: v2
+name: istio
+description: Istio base + control plane + ingress gateway
+version: 0.1.0
+dependencies:
+  - name: base
+    version: 1.22.0
+    repository: https://istio-release.storage.googleapis.com/charts
+  - name: istiod
+    version: 1.22.0
+    repository: https://istio-release.storage.googleapis.com/charts
+  - name: gateway
+    version: 1.22.0
+    repository: https://istio-release.storage.googleapis.com/charts
diff --git a/istio/README.md b/istio/README.md
new file mode 100644
index 0000000..e69de29
diff --git a/istio/base-values.yaml b/istio/base-values.yaml
new file mode 100644
index 0000000..6984770
--- /dev/null
+++ b/istio/base-values.yaml
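Review bot: The devenv template scaffolding is carried along beside the real configuration — `env.GREET`, `scripts.hello`, the `hello` call in `enterShell`, and an `enterTest` that checks git — while the only things this file actually adds are `talosctl` and the three node IPs. The test therefore verifies nothing about this environment; `talosctl version --client` in `enterTest` would at least confirm the tool the shell exists to provide. Dropping the greeting and the commented-out example blocks leaves a file whose purpose is readable at a glance.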
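Review bot: The `istiod` and `gateway` dependencies declare no `condition`, so the `istiod.enabled: true` and `gateway.enabled: true` toggles in istio/base-values.yaml are inert — Helm installs every listed dependency regardless and merely forwards an `enabled` key the subcharts do not read. Add `condition: istiod.enabled` and `condition: gateway.enabled` under the respective entries so the values file controls what it appears to control. Pinning all three charts to `1.22.0` from the official release bucket over https is the right shape for a supply-chain pin; check that 1.22 is still inside Istio's support window at deploy time, since this chart is the cluster's ingress and mTLS boundary.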
@@ -0,0 +1,17 @@
+# Enable Istio base + control plane + ingress gateway
+global:
+  istioNamespace: istio-system
+
+istiod:
+  enabled: true
+  meshConfig:
+    enablePrometheusMerge: true
+    accessLogFile: /dev/stdout
+  pilot:
+    autoscaleEnabled: false
+
+gateway:
+  enabled: true
+  name: istio-ingressgateway
+  service:
+    type: LoadBalancer
diff --git a/root-app.yaml b/root-app.yaml
new file mode 100644
index 0000000..a0840f2
--- /dev/null
+++ b/root-app.yaml
@@ -0,0 +1,22 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: root-app
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://github.com/gwg313/homelab-gitops
+    targetRevision: main
+    path: apps
+    directory:
+      recurse: true
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: argocd
+  syncPolicy:
+    automated:
+      selfHeal: true
+      prune: true
+    syncOptions:
+      - CreateNamespace=true
diff --git a/security/namespace-policies.yaml b/security/namespace-policies.yaml
new file mode 100644
index 0000000..904d270
--- /dev/null
+++ b/security/namespace-policies.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: secure-default
+  labels:
+    pod-security.kubernetes.io/enforce: "restricted"
+    pod-security.kubernetes.io/enforce-version: "latest"
diff --git a/security/network-policies.yaml b/security/network-policies.yaml
new file mode 100644
index 0000000..62a67f1
--- /dev/null
+++ b/security/network-policies.yaml
@@ -0,0 +1,10 @@
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: default-deny-all
+  namespace: secure-default
+spec:
+  podSelector: {}
+  policyTypes:
+    - Ingress
+    - Egress
diff --git a/security/rbac.yaml b/security/rbac.yaml
new file mode 100644
index 0000000..49296ba
--- /dev/null
+++ b/security/rbac.yaml
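Review bot: The values bring up the control plane and a `LoadBalancer` ingress gateway but set no mesh-wide authentication default, so workload-to-workload traffic stays in Istio's default PERMISSIVE mode and plaintext from non-mesh pods is still accepted. If strict mTLS is the goal, a mesh-wide `PeerAuthentication` in istio-system with `mtls.mode: STRICT` belongs alongside this chart; it is a separate resource rather than a Helm value, so it would go in a templates/ directory of this chart or in a second Application. `accessLogFile: /dev/stdout` is a good detection default, and `enablePrometheusMerge: true` pairs with it assuming a scraper is planned.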
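Review bot: `prune: true` on the root app deletes a child Application when its file leaves apps/, but neither apps/istio.yaml nor apps/security.yaml carries the `resources-finalizer.argocd.argoproj.io` finalizer, so the child's workloads (the whole Istio install, the ClusterRoleBinding) would be orphaned and left unmanaged rather than removed. Decide which behaviour is intended and make it explicit: add `metadata.finalizers: [resources-finalizer.argocd.argoproj.io]` to the child apps for cascading deletion, or comment that orphaning is the chosen safety net. `CreateNamespace=true` looks redundant here since the destination is argocd, which presumably already exists because the Application itself lives in it.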
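Review bot: Only `pod-security.kubernetes.io/enforce` is set on `secure-default`; without the matching `pod-security.kubernetes.io/warn: "restricted"` and `pod-security.kubernetes.io/audit: "restricted"` labels a rejected pod produces no audit-log annotation and `kubectl apply` gives no warning, which makes the policy hard to operate and tune. The namespace is also managed by an Application with `prune: true`, so removing this file from git deletes the namespace and every object in it; `argocd.argoproj.io/sync-options: Prune=false` on the Namespace guards against that. Note this is the only namespace receiving a PSA label — istio-system is created by `CreateNamespace=true` with no labels — so if `secure-default` is meant as a template rather than the only enforced namespace, a comment should say so.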
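Review bot: `default-deny-all` with `policyTypes: [Ingress, Egress]` and no allow rules also blocks DNS, so any pod later scheduled into `secure-default` cannot resolve names until an egress rule to the cluster DNS service on port 53 (UDP and TCP) exists; a companion allow-DNS egress policy is the usual pairing. The policy is only as good as the CNI enforcing it — Talos installs Flannel by default, which does not implement NetworkPolicy — so confirm the cluster runs a policy-capable CNI or this deny is a no-op; the CNI choice is not visible in this repo. Neither istio-system nor kube-system gets a policy, which is worth a comment if that is deliberate.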
@@ -0,0 +1,12 @@
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: readonly-users
+subjects:
+  - kind: Group
+    name: readonly
+    apiGroup: rbac.authorization.k8s.io
+roleRef:
+  kind: ClusterRole
+  name: view
+  apiGroup: rbac.authorization.k8s.io
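Review bot: Binding `Group: readonly` to the `view` ClusterRole at cluster scope reaches every namespace including kube-system and istio-system; `view` excludes Secrets but does include ConfigMaps, which in those namespaces commonly hold mesh and cluster configuration, and it is aggregated, so any ClusterRole labelled `rbac.authorization.k8s.io/aggregate-to-view: "true"` widens it over time. If read access is only needed for workload namespaces, a RoleBinding per namespace to the same ClusterRole is the narrower grant. Nothing in the repo defines which identities carry the `readonly` group — that is decided by the API server's authentication configuration — so a comment such as `# group name must match the group claim emitted by the cluster's authenticator` would save the next reader a search.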