From 71b52e4c6f0463f5e31690ac0983ff9d9337cf32 Mon Sep 17 00:00:00 2001 From: "Dustin C. Hatch" Date: Sat, 2 Nov 2024 19:50:13 -0500 Subject: [PATCH] 20125: Deploy Status server https://20125.home/ is the URL the Status Android application loads in its main WebView. This site is powered by a server that generates a custom page showing the status of our self-hosted applications, based on alerts retrieved from the AlertManager API. Android WebView does not allow cleartext HTTP connections. It does, however, allow connecting an HTTPS server and ignoring the certificate it presents, which is effectively the same thing. Thus, we generate a self-signed certificate for the Ingress for this site.
---
20125/config.yml | 79 +++++++++++++++++++++++++++++++++++++ 20125/ingress.yaml | 25 ++++++++++++ 20125/kustomization.yaml | 26 ++++++++++++ 20125/namespace.yaml | 6 +++ 20125/secrets.yaml | 13 ++++++ 20125/status-server-ca.yaml | 32 +++++++++++++++ 20125/status-server.yaml | 46 +++++++++++++++++++++ 7 files changed, 227 insertions(+) create mode 100644 20125/config.yml create mode 100644 20125/ingress.yaml create mode 100644 20125/kustomization.yaml create mode 100644 20125/namespace.yaml create mode 100644 20125/secrets.yaml create mode 100644 20125/status-server-ca.yaml create mode 100644 20125/status-server.yaml
diff --git a/20125/config.yml b/20125/config.yml
new file mode 100644
index 0000000..7a06670
--- /dev/null
+++ b/20125/config.yml
@@ -0,0 +1,79 @@
+alertmanager:
+ url: http://alertmanager.victoria-metrics:9093
+
+system_wide:
+ alerts:
+ - alertgoup: Active Directory
+ - alertgoup: Longhorn
+ - alertgoup: PostgreSQL
+ - alertgoup: Restic
+ - alertgoup: Temperature
+ - job: authelia
+ - job: blackbox
+ - job: dns_pyrocufflink
+ - job: dns_recursive
+ - job: kubelet
+ - job: kubernetes
+ - instance: db0.pyrocufflink.blue
+ - instance: gw1.pyrocufflink.blue
+ - instance: vmhost0.pyrocufflink.blue
+ - instance: vmhost1.pyrocufflink.blue
+
+applications:
+- name: Home Assistant
+ url: https://homeassistant.pyrocufflink.blue/
+ icon:
+ url: icons/home-assistant.svg
+ alerts:
+ - alertgroup: Home Assistant
+ - alertgroup: Frigate
+ - job: homeassistant
+ - instance: homeassistant.pyrocufflink.blue
+
+- name: Nextcloud
+ url: &url https://nextcloud.pyrocufflink.net/
+ icon:
+ url: icons/nextcloud.png
+ alerts:
+ - instance: *url
+ - instance: cloud0.pyrocufflink.blue
+
+- name: Invoice Ninja
+ url: &url https://invoiceninja.pyrocufflink.net/
+ icon:
+ url: icons/invoiceninja.svg
+ class: light-bg
+ alerts:
+ - instance: *url
+
+- name: Jellyfin
+ url: &url https://jellyfin.pyrocufflink.net/
+ icon:
+ url: icons/jellyfin.svg
+ alerts:
+ - instance: *url
+
+- name: Vaultwarden
+ url: &url https://bitwarden.pyrocufflink.net/
+ icon:
+ url: icons/vaultwarden.svg
+ class: light-bg
+ alerts:
+ - instance: *url
+ - alertgroup: Bitwarden
+
+- name: Paperless-ngx
+ url: &url https://paperless.pyrocufflink.blue/
+ icon:
+ url: icons/paperless-ngx.svg
+ alerts:
+ - instance: *url
+ - alertgroup: Paperless-ngx
+ - job: paperless-ngx
+
+- name: Firefly III
+ url: &url https://firefly.pyrocufflink.blue/
+ icon:
+ url: icons/firefly-iii.svg
+ alerts:
+ - instance: *url
diff --git a/20125/ingress.yaml b/20125/ingress.yaml
new file mode 100644
index 0000000..acb274b
--- /dev/null
+++ b/20125/ingress.yaml
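Review bot: The five `system_wide` group matchers in 20125/config.yml are keyed `alertgoup`, while every application entry further down uses `alertgroup`, so this looks like a typo. If the server matches on the AlertManager label name (its config schema is not visible here), the Active Directory, Longhorn, PostgreSQL, Restic and Temperature groups would never match, and the status page would show those systems as healthy while their alerts are firing. Change the key, e.g. `- alertgroup: Active Directory`, and likewise for the other four. It would also help if the server rejected unknown matcher keys at startup, so that a misspelling fails loudly instead of silently hiding alerts.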
@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ annotations:
+ nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+ cert-manager.io/issuer: status-server-ca
+ labels: &labels
+ app.kubernetes.io/name: status-server
+ name: status-server
+spec:
+ tls:
+ - hosts:
+ - 20125.home
+ secretName: status-server-cert
+ rules:
+ - host: 20125.home
+ http:
+ paths:
+ - backend:
+ service:
+ name: status-server
+ port:
+ number: 80
+ path: /
+ pathType: Prefix
diff --git a/20125/kustomization.yaml b/20125/kustomization.yaml
new file mode 100644
index 0000000..2be0fb3
--- /dev/null
+++ b/20125/kustomization.yaml
@@ -0,0 +1,26 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: '20125'
+
+labels:
+- pairs:
+ app.kubernetes.io/instance: '20125'
+ app.kubernetes.io/part-of: '20125'
+ includeSelectors: true
+
+resources:
+- namespace.yaml
+- secrets.yaml
+- status-server-ca.yaml
+- status-server.yaml
+- ingress.yaml
+
+configMapGenerator:
+- name: 20125-config
+ files:
+ - config.yml
+
+images:
+- name: git.pyrocufflink.net/packages/20125.home
+ newTag: dev
diff --git a/20125/namespace.yaml b/20125/namespace.yaml
new file mode 100644
index 0000000..fae9930
--- /dev/null
+++ b/20125/namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: "20125"
+ labels:
+ app.kubernetes.io/name: '20125'
diff --git a/20125/secrets.yaml b/20125/secrets.yaml
new file mode 100644
index 0000000..2fec0b2
--- /dev/null
+++ b/20125/secrets.yaml
@@ -0,0 +1,13 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ name: imagepull-gitea
+ namespace: "20125"
+spec:
+ encryptedData:
+ .dockerconfigjson: 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
+ template:
+ metadata:
+ name: imagepull-gitea
+ namespace: "20125"
+ type: kubernetes.io/dockerconfigjson
diff --git a/20125/status-server-ca.yaml b/20125/status-server-ca.yaml
new file mode 100644
index 0000000..0c96fa8
--- /dev/null
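Review bot: Nothing in 20125/ingress.yaml limits who can load the page: the single `/` rule forwards every request for `20125.home` to the service, with no authentication and no source restriction. The page aggregates internal hostnames and live alert state (see `config.yml`), which is worth keeping away from anything outside the trusted network. If the ingress controller is reachable from more than that network, which is not visible here, add `nginx.ingress.kubernetes.io/whitelist-source-range: "<trusted CIDR>"` next to the existing annotations. The `&labels` anchor on `labels:` is never aliased in this file and can be dropped.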
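Review bot: `newTag: dev` in 20125/kustomization.yaml points the Deployment at a mutable tag, and the container is pulled with `imagePullPolicy: Always`, so whatever is pushed to `dev` in the registry starts running on the next pod restart without any change in this repository. Pin the build that was reviewed instead, e.g. replace the tag with `digest: sha256:<image digest>` in the same `images:` entry. That keeps the running image traceable to a commit here and means a compromised or mistaken push to the tag is not deployed automatically.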
+++ b/20125/status-server-ca.yaml
@@ -0,0 +1,32 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: selfsigned-ca
+spec:
+ selfSigned: {}
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: status-server-ca
+spec:
+ isCA: true
+ commonName: 20125 CA
+ secretName: status-server-ca-secret
+ privateKey:
+ algorithm: ECDSA
+ size: 256
+ issuerRef:
+ name: selfsigned-ca
+ kind: Issuer
+ group: cert-manager.io
+
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: status-server-ca
+spec:
+ ca:
+ secretName: status-server-ca-secret
diff --git a/20125/status-server.yaml b/20125/status-server.yaml
new file mode 100644
index 0000000..82d7fbe
--- /dev/null
+++ b/20125/status-server.yaml
@@ -0,0 +1,46 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels: &labels
+ app.kubernetes.io/name: status-server
+ app.kubernetes.io/component: status-server
+ name: status-server
+spec:
+ ports:
+ - port: 80
+ protocol: TCP
+ targetPort: 20125
+ selector: *labels
+ type: ClusterIP
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels: &labels
+ app.kubernetes.io/name: status-server
+ app.kubernetes.io/component: status-server
+ name: status-server
+spec:
+ replicas: 1
+ selector:
+ matchLabels: *labels
+ template:
+ metadata:
+ labels: *labels
+ spec:
+ containers:
+ - name: status-server
+ image: git.pyrocufflink.net/packages/20125.home
+ imagePullPolicy: Always
+ volumeMounts:
+ - mountPath: /usr/local/share/20125.home/config.yml
+ name: config
+ subPath: config.yml
+ readOnly: True
+ imagePullSecrets:
+ - name: imagepull-gitea
+ volumes:
+ - name: config
+ configMap:
+ name: 20125-config
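Review bot: 20125/status-server-ca.yaml builds a proper private CA (`status-server-ca`), yet the commit message says the WebView ignores whatever certificate is presented, so the TLS on this site authenticates nothing and the client cannot tell the real `20125.home` from another host answering for it. Since the CA already exists, the Android app could trust the CA certificate from `status-server-ca-secret` as its trust anchor instead of disabling validation. If that is done, give the CA Certificate an explicit lifetime, e.g. `duration: <lifetime>h` under `spec:`. Without it cert-manager applies its default (90 days, as far as I know), and a client that trusts the CA certificate would need the renewed one each time.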
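Review bot: The `status-server` container in 20125/status-server.yaml has no `securityContext`, so it runs as the image's default user with the runtime's default capabilities, and the pod gets a service-account token mounted although, going by the commit message, the server only queries AlertManager. I would add a restrictive context and turn off the token mount as in the excerpt below. `runAsNonRoot` assumes the image declares a non-root user and `readOnlyRootFilesystem` assumes the server writes nothing outside mounted volumes; neither is visible here. Separately, `readOnly: True` does parse as a boolean, but the canonical spelling is `readOnly: true`.

```yaml
      # pod spec (spec.template.spec)
      automountServiceAccountToken: false
      containers:
      - name: status-server
        # … unchanged: image, imagePullPolicy, volumeMounts …
        securityContext:
          runAsNonRoot: true
          allowPrivilegeEscalation: false
          readOnlyRootFilesystem: true
          capabilities:
            drop:
            - ALL
```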