infra
/
kubernetes
1
0
Fork 0
Code Pull Requests 4 Activity

Compare commits

base: infra:3254f57489d06675c3aeabf3e34ee75dc00e5b72
Branches Tags
infra:updatebot/authelia
infra:updatebot/paperless-ngx
infra:updatebot/firefly-iii
infra:updatebot/home-assistant
infra:master
infra:jenkins-buildroot
infra:xactmon-doc
infra:etcd
infra:dch-webhooks-secrets
..
compare: infra:4a197bf91ad883a2eeb8c6e0e2d63a07408b97a3
Branches Tags
infra:updatebot/authelia
infra:updatebot/paperless-ngx
infra:updatebot/firefly-iii
infra:updatebot/home-assistant
infra:master
infra:jenkins-buildroot
infra:xactmon-doc
infra:etcd
infra:dch-webhooks-secrets

5 Commits
3254f57489 ... 4a197bf91a

Author SHA1 Message Date
bot 4a197bf91a authelia: Update to 4.38.18 2025-01-11 12:32:12 +00:00
Dustin 94be854bd7 vaultwarden: Deploy, migrate Vaultwarden 
Vaultwarden requires basically no configuration anymore.  Older versions
needed some environment variables for configuring the WebSocket server,
but as of 1.31, WebSockets are handled by the same server as HTTP, so
even that is not necessary now.  The only other option that could
potentially be useful is `ADMIN_TOKEN`, but it's optional.  For added
security, we can leave it unset, which disables the administration
console; we can set it later if/when we actually need that feature.

Migrating data from the old server was pretty simple.  The database is
pretty small, and even the attachments and site icons don't take up much
space.  All-in-all, there was only about 20 MB to move, so the copy only
took a few seconds.

Aside from moving the Vaultwarden server itself, we will also need to
adjust the HAProxy configuration to proxy requests to the Kubernetes
ingress controller.
 2025-01-10 20:05:18 -06:00
Dustin 1392a7c181 jenkins: Add storage for Gentoo Portage/binpkgs 
Jenkins that build Gentoo-based systems, like Aimee OS, need a
persistent storage volume for the Gentoo ebuild repository. The Job
initially populates the repository using `emerge-webrsync`, and then the
CronJob keeps it up-to-date by running `emaint sync` daily.

In addition to the Portage repository, we also need a volume to store
built binary packages.  Jenkins job pods can mount this volume to make
binary packages they build available for subsequent runs.

Both of these volumes are exposed to use cases outside the cluster using
`rsync` in daemon mode.  This can be useful for e.g. local builds.
 2025-01-09 20:15:46 -06:00
Dustin 75e6f7ee16 home-assistant: Add trusted user for Kitchen kiosk 
The Raspberry Pi in the kitchen now has Firefox installed so we can use
it to control Home Assistant.  By listing its IP address as a trusted
network, and assigning it a trusted user, it can access the Home
Assistant UI without anyone having to type a password.  This is
particularly important since there's no keyboard (not even an on-screen
virtual one).

Moving the `trusted_networks` auth provider _before_ the `homeassistant`
provider changes the login screen to show a "log in as ..." dialog by
default on trusted devices.  It does not affect other devices at all,
but it does make the initial login a bit easier on kiosks.
 2025-01-04 07:19:39 -06:00
Dustin 252dcfedc8 sshca: Add machine ID for ctrl-pi-spellbind 2024-12-28 10:38:26 -06:00
13 changed files with 401 additions and 7 deletions
Show Stats Expand all files Collapse all files

16
argocd/applications/vaultwarden.yaml Normal file
View File

@ -0,0 +1,16 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: vaultwarden
namespace: argocd
spec:
destination:
server: https://kubernetes.default.svc
project: default
source:
path: vaultwarden
repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
targetRevision: master
syncPolicy:
automated:
prune: true

5
home-assistant/configuration.yaml
View File

@ -39,13 +39,16 @@ recorder:
homeassistant: homeassistant:
auth_providers: auth_providers:
- type: homeassistant
- type: trusted_networks - type: trusted_networks
trusted_networks: trusted_networks:
- 172.31.1.81/32 - 172.31.1.81/32
- 172.31.1.244/32
trusted_users: trusted_users:
172.31.1.81: 172.31.1.81:
- 03a8b3528f1145ab908e20ed5687d893 - 03a8b3528f1145ab908e20ed5687d893
172.31.1.244:
- 03a8b3528f1145ab908e20ed5687d893
- type: homeassistant
allow_bypass_login: true allow_bypass_login: true
whitelist_external_dirs: whitelist_external_dirs:
- /config - /config

170
jenkins/gentoo-storage.yaml Normal file
View File

@ -0,0 +1,170 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: portage
namespace: jenkins-jobs
labels:
app.kubernetes.io/name: portage
app.kubernetes.io/component: gentoo
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 4Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: binpkgs
namespace: jenkins-jobs
labels:
app.kubernetes.io/name: binpkgs
app.kubernetes.io/component: gentoo
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 10Gi
---
apiVersion: v1
kind: ConfigMap
metadata:
name: gentoo-dist
namespace: jenkins-jobs
labels:
app.kubernetes.io/name: gentoo-dist
app.kubernetes.io/component: gentoo
data:
rsyncd.conf: |+
[gentoo-portage]
path = /var/db/repos/gentoo
[binpkgs]
path = /var/cache/binpkgs
---
apiVersion: v1
kind: Service
metadata:
name: gentoo-dist
namespace: jenkins-jobs
spec:
selector:
app.kubernetes.io/name: gentoo-dist
app.kubernetes.io/component: gentoo
ports:
- name: rsync
port: 873
targetPort: rsync
type: NodePort
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: gentoo-dist
namespace: jenkins-jobs
labels: &labels
app.kubernetes.io/name: gentoo-dist
app.kubernetes.io/component: gentoo
spec:
selector:
matchLabels: *labels
template:
metadata:
labels: *labels
spec:
containers:
- name: rsync
image: docker.io/gentoo/stage3
command:
- /usr/bin/rsync
- --daemon
- --no-detach
- --port=8873
- --log-file=/dev/stderr
ports:
- name: rsync
containerPort: 8873
securityContext:
readOnlyRootFilesystem: true
runAsUser: 250
runAsGroup: 250
volumeMounts:
- mountPath: /etc/rsyncd.conf
name: config
subPath: rsyncd.conf
- mountPath: /var/db/repos/gentoo
name: portage
- mountPath: /var/cache/binpkgs
name: binpkgs
volumes:
- name: binpkgs
persistentVolumeClaim:
claimName: binpkgs
- name: config
configMap:
name: gentoo-dist
- name: portage
persistentVolumeClaim:
claimName: portage
---
apiVersion: batch/v1
kind: Job
metadata:
name: emerge-webrsync
namespace: jenkins-jobs
labels:
app.kubernetes.io/name: emerge-webrsync
app.kubernetes.io/component: gentoo
spec:
template:
spec:
containers:
- name: sync
image: docker.io/gentoo/stage3
command:
- emerge-webrsync
volumeMounts:
- mountPath: /var/db/repos/gentoo
name: portage
restartPolicy: OnFailure
volumes:
- name: portage
persistentVolumeClaim:
claimName: portage
---
apiVersion: batch/v1
kind: CronJob
metadata:
name: sync-portage
namespace: jenkins-jobs
labels:
app.kubernetes.io/name: sync-portage
app.kubernetes.io/component: gentoo
spec:
schedule: 4 19 * * *
jobTemplate:
spec:
template:
spec:
containers:
- name: sync
image: docker.io/gentoo/stage3
command:
- emaint
- sync
volumeMounts:
- mountPath: /var/db/repos/gentoo
name: portage
restartPolicy: OnFailure
volumes:
- name: portage
persistentVolumeClaim:
claimName: portage

1
jenkins/kustomization.yaml
View File

@ -9,6 +9,7 @@ resources:
- jenkins.yaml - jenkins.yaml
- secrets.yaml - secrets.yaml
- iscsi.yaml - iscsi.yaml
- gentoo-storage.yaml
configMapGenerator: configMapGenerator:
- name: ssh-known-hosts - name: ssh-known-hosts

7
sshca/secrets.yaml
View File

@ -11,7 +11,6 @@ spec:
metadata: metadata:
name: sshca-host-key name: sshca-host-key
namespace: sshca namespace: sshca
--- ---
apiVersion: bitnami.com/v1alpha1 apiVersion: bitnami.com/v1alpha1
kind: SealedSecret kind: SealedSecret
@ -25,7 +24,6 @@ spec:
metadata: metadata:
name: sshca-host-passphrase name: sshca-host-passphrase
namespace: sshca namespace: sshca
--- ---
apiVersion: bitnami.com/v1alpha1 apiVersion: bitnami.com/v1alpha1
kind: SealedSecret kind: SealedSecret
@ -39,7 +37,6 @@ spec:
metadata: metadata:
name: sshca-libvirt-sshkey name: sshca-libvirt-sshkey
namespace: sshca namespace: sshca
--- ---
apiVersion: bitnami.com/v1alpha1 apiVersion: bitnami.com/v1alpha1
kind: SealedSecret kind: SealedSecret
@ -54,7 +51,6 @@ spec:
name: imagepull-gitea name: imagepull-gitea
namespace: sshca namespace: sshca
type: kubernetes.io/dockerconfigjson type: kubernetes.io/dockerconfigjson
--- ---
apiVersion: bitnami.com/v1alpha1 apiVersion: bitnami.com/v1alpha1
kind: SealedSecret kind: SealedSecret
@ -63,7 +59,7 @@ metadata:
namespace: sshca namespace: sshca
spec: spec:
encryptedData: encryptedData:
machine-ids.json: AgCb7/mfYysqkr5Lcu0xJQ15U2LKOuMTyej3IcIS1ZT/8iFbCStY3T/nc+RBtb6yzBzskikk1KXa95I4rOolh4PPgDP+toO77zjJDFPHMWUHSDlKcK2/k68cPenM/euo45tW9fBD2CbZZvZAlrEcknvYSE48Bkl4cNa1vn9tcjIA2PStn9UGTgbT8R3uJJEPJYaZ2QGCl2uFzI/laaQ7X/quXdxOd/E7c74VOsCx+uRwUdERqMSjFPCT9oI1CxzstR88SoaTqjywTw+j91qKrBJrNKdhhCZ9b7zciZO4TmWi36eq+qZS2rvgQG8HV93LiA7vl9H9U2GpA8P5pczlIm/lCvSDt/vLrTXNWKAuae9CaxYvUp38ilszbCnuA2cCa+nbNKcrIhVlWyRaObK9U7cmZLmx/VtuWF4MLXFU4I3getePVb3M86PWgbkYEZtUPRWzfEksggsWkedmEFagOuFKUnmlj69uXDxV+seBF9EFAQbJBjgEQ15ba/HafWsMF8z/5UznCBD7rOc2Wr6VZuTu3+Tr2AU6DhEcEaXqrMW8eqNEhNxYyoCnVSil6uW12AJdK6+4yJuDfbH0qh/TqWOoVxkpIqz6LLz7RIxxAHmeMascGLDwD5msMx6uz7vEKJPBvBk+FNScJ3w/bOUiDNIDeSEAKN30OnXVrgO+9KKpLsXAPHg+wu6f/F8CNKQ0DuRFIZgq13JC93G4kY4TRZ7vHc32fxLjfmo3A7MFiOWyyNLeKuvgjEgSptlw1jQZd0qaeYoniN+nvSKITGNKrc5VH/2sRoZ9GYwPq0ONx3DmOzJGe+sohwIXzDmK3GmLZ+syLo5GuimNiPfh2I/+JwHfBLwWBmCk9Xg1li2R7Eq3g1Rm+w+z4kwB2Mwt91jkgTD4Ug3hjj3ThX4uenYPAYYI7gktwYZUlmWAPjcS/SjW+FLegN9chya4/boIXxrXUMJ0zVj9gPhDB+p+n/8C2i2rgcOcliWHPcbfuQgcgLBxyrr0ymxsGXuJJraV/VjdjJMXhfOCtV6vvC27EgUIef1MzcHA7ZVyeNHo7XMKOA6Z0EshRCXnYzbqIKXHG2/ABuOEGwM6u/ttGlvRvpvt73hXSy4UlXyx3j5HFDVLi55xtLuO+2AM2pE+CdcgGUHx3LVhjKfZKbSxED8PcSHL6v+kV6RZSgxKI2VcBCtxeeSZsPRh67SEMzr6QVwoqQvwqeKqkCwwrbkyidWw1+dUjIVNCLYpA27u9yes6R2A5J8P0DgQn0Byp2Hu08Lve//gHRS4DPZMwnOLRndVmkTdpXoeykLKDXVLNP8A45hTi3ax4p9LNcs9TAIM8LtL5Ts1oj1WvoxxzEOz2GleDQck452VQYMHTkqg4TAQE8ER/MXY7tH+AL56KHRtNNSsZCbanxVaV2f68WeMZaRFBSNEOilSFhq0IVyMwcLTxgZb9pJXBCc36pT3xQOFYC0479Sm4doXYtvct85n8Ni8HXqgdjDKm7uzDziUJaLN5/Ok8eyuUVveyN/HPyT9bxmRUUECRGnzkA+LXZfsqiHG9f85OlHjxsHG1mfjylSOG7FSabkmTUs5IvT8L2eq6VfOfivOTAhmLuroqMkt6VVnjh0K+BV2wBB8tDByBEk3sZ3OprhWtZfZlKbb1H46DbAujaSCbOXiLiI6nybkzhNIoD1+H0fwhXq7I1pn2QEdqJDKKW2q3fwjufJMu01F1M+9Zi5oZXJchpbmRNd0TZpF machine-ids.json: AgA/rGsQ4sYYCgFyurPMa8GW5NnuekLpB6F4NGuAjEJkmEROFIpgZpPMuSvH+oMW4g4YCrSf03ou4c0jwV6f1/EXWu/qwDe+yJCuT2zknMdGduQEJjrBt+f3zskkHFRqp2inAZCPmObJOPQMwu53JhwN602MC8Tl9VGpg1a/lTmjNELotlkXEwJUmL80Q/pJ/1AK4eUR0BwL8asHKtH5Zt9Nq8X7YV/aL68Tf1u7UvZEX/P0ySBnfqCfQDyW7UjjTiZJlTYzl6Q8+oFd40E8BCNmF2lp8Swp0H/Ac+lNtMIwLdIi0I+E1AtRULnOULmCqmZGjzcMt/ZR9jQUlVRr+osfvUmS+Ed7E83/VIJhvWVTlhh/rEg+DNvpwX5gmg4Pag2SZ//fgAdWwqzIk5H+reSx7apX+eUh+eW9CpkDWNEXlvI8vQ3KneZjwvgTbt0YMSMLpF5jwGeo68Q1i03X65QwlZT2QhUTs6sho3wsO1g+9EMfg3iMwMpb2ui3jJNhK8Eelm5jqmSmvw+lFzSB9DPc9ADnNghUMPoGZIqG9lfjnMWbeION9EqMYjhJsN8Z9r4U/nB/OVLSsSAG4mLA/Rf5n0ih9kFOYcerrrvFWa63ruJpDzctQOoHvH6G9SnWqMppRcS47p6MTuhJL3NNsR3KgHw8Co4/SxJk2wYSAojgLIojICjxFC3EnuYrNNoD1lg+4GvyKyL3sFO8tL2HZ9Nm3q93dLvileL1nfMbvD8j560wfBcjjQ7ewl+9VIcp8KEgq00ofFEeO3MdMGpi/1vYQc5ordzE0+J2ErDlKGZuJv2addjlQ2LY78tw5VVwE85JUosL7KB8nEutJzL+mxGcCPPo/BGTp3GlSCydqNDcmVElvHWzLDjh8LjkydsEIMW1VQWW++OiXJMebadcUrPm9E/lTXAUuExhpnXq72Tt4RMDJZCDq0538DcVeIEKf3LoMM7xGnp/0Zg1MKCKLft8LA7PsBUh7ohIZFqKfHmca9zHEo1C+b9k6QQ3F0qK+0yJS3XIFLASHIxgmeCj3zKlz+bsApgG++OGGjt0Ga6rX/2O7nsGVV16b+cZgDhIDV7IdULtAhiQ0YdGunifNQ6Vo7HFawOfTiGrpHCZSslINLCEDpzAyANxaB65VwuL6pUJoGjRes8vWx3lp5Fimeo9jP9cb/vzrWswOVx0uPIxl8P4UENT1J8yNa9toG5CmGdPeHTNOOWOqWtcJoO8FZ/szRRzPfXCEo9dhh7USNw/bbwYxpBha5LScp3tBw3zHiIvf7n07iZjnzsipC/Fj4/7s3vnxwotgW6HluZho/ZEhl88tRNxmjgTAcQiYVLOc18XB+bKQQGmTstYVkLwAhkBPkArLg4q/HV6XpqByfc3i3Lp2mnS9QRf0lVwXo28RHBYKhy2E1oRDawCtc1K5u3RZuiHtRbifphwA34dZZ6JxUP9Ytorv6LS2BC+ev4b6QCuLWzFaJXZyzfmJ0FJo2wsvGPO/1vJ06Ic5WC2PlLerBI9d20iw0YcQKPJ9pG+LvfQ8X7JUnYj5Uos1MbOfZM9WBZUg6pPTH9bLWrp1fxS6sxqqBDzSHfthskSa/g8zbGUzf8KwSoqRky+EkVZ2loeYbIpIWOv2Q/50R2UwBrFsdfWvcoukSY772+gX04ISGY/ombcbZTC4dWkWWlaRhe/A3XW9LsR0BEZrM08MCkW/FSLkQj0zm2+GOVM/LX87dXl/y12lRIicqcNe1huwfrXyd2DMl5qrTR46P9qiHt222SggiLNN3ZdM9qWffZrFZI20RhkXnM/dWX13BcsKsquAya3pjPht6A4geayenC7riA3XmHGUlSEonH37pwviak=
template: template:
metadata: metadata:
name: sshca-data name: sshca-data
@ -81,7 +77,6 @@ spec:
metadata: metadata:
name: sshca-user-passphrase name: sshca-user-passphrase
namespace: sshca namespace: sshca
--- ---
apiVersion: bitnami.com/v1alpha1 apiVersion: bitnami.com/v1alpha1
kind: SealedSecret kind: SealedSecret

10
updatebot/config.yml
View File

@ -96,3 +96,13 @@ projects:
kind: github kind: github
organization: authelia organization: authelia
repo: authelia repo: authelia
- name: vaultwarden
kind: kustomize
images:
- name: authelia
image: ghcr.io/dani-garcia/vaultwarden
source:
kind: github
organization: dani-garcia
repo: vaultwarden

15
vaultwarden/README.md Normal file
View File

@ -0,0 +1,15 @@
# Vaultwarden (Bitwarden-rs)
## Migration
```sh
kubectl scale statefulset -n vaultwarden vaultwarden --replicas 0
kubectl create -f vaultwarden/migrate.yaml
kubectl exec -n vaultwarden vaultwarden-migration -- find /data -mindepth 1 -delete
ssh bw0 sudo systemctl stop vaultwarden
ssh bw0 sudo tar -C /var/lib/vaultwarden/data -c . \
| pv \
| kubectl exec -n vaultwarden -i vaultwarden-migration -- tar -C /data -x
kubectl delete pod -n vaultwarden vaultwarden-migration
kubectl scale statefulset -n vaultwarden vaultwarden --replicas 1
```

20
vaultwarden/ingress.yaml Normal file
View File

@ -0,0 +1,20 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: vaultwarden
labels:
app.kubernetes.io/name: vaultwarden
app.kubernetes.io/component: vaultwarden
spec:
ingressClassName: nginx
rules:
- host: bitwarden.pyrocufflink.net
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: vaultwarden
port:
name: http

30
vaultwarden/kustomization.yaml Normal file
View File

@ -0,0 +1,30 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: vaultwarden
labels:
- pairs:
app.kubernetes.io/instance: vaultwarden
includeSelectors: true
- pairs:
app.kubernetes.io/part-of: vaultwarden
includeTemplates: true
resources:
- namespace.yaml
- vaultwarden.yaml
- ingress.yaml
configMapGenerator:
- name: vaultwarden
envs:
- vaultwarden.env
options:
labels:
app.kubernetes.io/name: vaultwarden
app.kubernetes.io/component: vaultwarden
images:
- name: ghcr.io/dani-garcia/vaultwarden
newTag: 1.32.7-alpine

34
vaultwarden/migrate.yaml Normal file
View File

@ -0,0 +1,34 @@
apiVersion: v1
kind: Pod
metadata:
name: vaultwarden-migration
namespace: vaultwarden
labels: &labels
app.kubernetes.io/name: vaultwarden
app.kubernetes.io/component: migration
spec:
containers:
- name: migration
image: busybox
command:
- sh
- -c
- |
trap 'kill $!' TERM
sleep 99999 &
wait
securityContext:
readOnlyRootFilesystem: true
volumeMounts:
- mountPath: /data
name: data
subPath: data
securityContext:
runAsUser: 266
runAsGroup: 266
fsGroup: 266
fsGroupChangePolicy: OnRootMismatch
volumes:
- name: data
persistentVolumeClaim:
claimName: vaultwarden

4
vaultwarden/namespace.yaml Normal file
View File

@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: vaultwarden

1
vaultwarden/vaultwarden.env Normal file
View File

@ -0,0 +1 @@
DOMAIN=https://bitwarden.pyrocufflink.net

95
vaultwarden/vaultwarden.yaml Normal file
View File

@ -0,0 +1,95 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: vaultwarden
labels:
app.kubernetes.io/name: vaultwarden
app.kubernetes.io/component: vaultwarden
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 4Gi
---
apiVersion: v1
kind: Service
metadata:
name: vaultwarden
labels: &labels
app.kubernetes.io/name: vaultwarden
app.kubernetes.io/component: vaultwarden
spec:
selector: *labels
ports:
- port: 8080
targetPort: http
name: http
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: vaultwarden
labels: &labels
app.kubernetes.io/name: vaultwarden
app.kubernetes.io/component: vaultwarden
spec:
serviceName: vaultwarden
selector:
matchLabels: *labels
template:
metadata:
labels: *labels
spec:
containers:
- name: vaultwarden
image: ghcr.io/dani-garcia/vaultwarden
env:
- name: ROCKET_PORT
value: '8080'
envFrom:
- configMapRef:
name: vaultwarden
optional: true
- secretRef:
name: vaultwarden
optional: true
ports:
- name: http
containerPort: 8080
readinessProbe: &probe
httpGet:
port: http
path: /alive
failureThreshold: 1
periodSeconds: 60
timeoutSeconds: 5
startupProbe:
<<: *probe
failureThreshold: 60
initialDelaySeconds: 2
periodSeconds: 1
timeoutSeconds: 1
securityContext:
readOnlyRootFilesystem: true
volumeMounts:
- mountPath: /data
name: data
subPath: data
- mountPath: /tmp
name: tmp
subPath: tmp
securityContext:
runAsUser: 266
runAsGroup: 266
fsGroup: 266
fsGroupChangePolicy: OnRootMismatch
volumes:
- name: data
persistentVolumeClaim:
claimName: vaultwarden
- name: tmp
emptyDir:
medium: Memory