infra/kubernetes
1
0
Fork 0
Code Pull Requests 3 Activity

Compare commits

base: infra:3b4e57afcce136ab7c25abc252e2ea2f53549307
Branches Tags
infra:master infra:updatebot/music-assistant infra:updatebot/paperless-ngx infra:updatebot/home-assistant infra:jenkins-buildroot infra:xactmon-doc infra:etcd infra:dch-webhooks-secrets
..
compare: infra:etcd
Branches Tags
infra:updatebot/music-assistant infra:updatebot/paperless-ngx infra:updatebot/home-assistant infra:master infra:jenkins-buildroot infra:xactmon-doc infra:etcd infra:dch-webhooks-secrets

1 Commits
3b4e57afcc ... etcd

Author SHA1 Message Date
Dustin C. Hatch
05608f843e wip: etcd: Deploy etcd 2024-07-26 21:11:40 -05:00
160 changed files with 1730 additions and 3583 deletions
Expand all files Collapse all files

86
20125/config.yml
View File

@@ -1,86 +0,0 @@
alertmanager:
url: http://alertmanager.victoria-metrics:9093
system_wide:
alerts:
- alertgoup: Active Directory
- alertgoup: Longhorn
- alertgoup: PostgreSQL
- alertgoup: Restic
- alertgoup: Temperature
- job: authelia
- job: blackbox
- job: dns_pyrocufflink
- job: dns_recursive
- job: kubelet
- job: kubernetes
- instance: db0.pyrocufflink.blue
- instance: gw1.pyrocufflink.blue
- instance: vmhost0.pyrocufflink.blue
- instance: vmhost1.pyrocufflink.blue
applications:
- name: Home Assistant
url: https://homeassistant.pyrocufflink.blue/
icon:
url: icons/home-assistant.svg
alerts:
- alertgroup: Home Assistant
- alertgroup: Frigate
- job: homeassistant
- instance: homeassistant.pyrocufflink.blue
- name: Nextcloud
url: &url https://nextcloud.pyrocufflink.net/index.php
icon:
url: icons/nextcloud.png
alerts:
- instance: *url
- instance: cloud0.pyrocufflink.blue
- name: Invoice Ninja
url: &url https://invoiceninja.pyrocufflink.net/
icon:
url: icons/invoiceninja.svg
class: light-bg
alerts:
- instance: *url
- name: Jellyfin
url: &url https://jellyfin.pyrocufflink.net/
icon:
url: icons/jellyfin.svg
alerts:
- instance: *url
- name: Vaultwarden
url: &url https://bitwarden.pyrocufflink.net/
icon:
url: icons/vaultwarden.svg
class: light-bg
alerts:
- instance: *url
- alertgroup: Bitwarden
- name: Paperless-ngx
url: &url https://paperless.pyrocufflink.blue/
icon:
url: icons/paperless-ngx.svg
alerts:
- instance: *url
- alertgroup: Paperless-ngx
- job: paperless-ngx
- name: Firefly III
url: &url https://firefly.pyrocufflink.blue/
icon:
url: icons/firefly-iii.svg
alerts:
- instance: *url
- name: Receipts
url: &url https://receipts.pyrocufflink.blue/
icon:
url: https://receipts.pyrocufflink.blue/static/icons/icon-512.png
alerts:
- instance: *url

25
20125/ingress.yaml
View File

@@ -1,25 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
cert-manager.io/issuer: status-server-ca
labels: &labels
app.kubernetes.io/name: status-server
name: status-server
spec:
tls:
- hosts:
- 20125.home
secretName: status-server-cert
rules:
- host: 20125.home
http:
paths:
- backend:
service:
name: status-server
port:
number: 80
path: /
pathType: Prefix

26
20125/kustomization.yaml
View File

@@ -1,26 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: '20125'
labels:
- pairs:
app.kubernetes.io/instance: '20125'
app.kubernetes.io/part-of: '20125'
includeSelectors: true
resources:
- namespace.yaml
- secrets.yaml
- status-server-ca.yaml
- status-server.yaml
- ingress.yaml
configMapGenerator:
- name: 20125-config
files:
- config.yml
images:
- name: git.pyrocufflink.net/packages/20125.home
newTag: dev

6
20125/namespace.yaml
View File

@@ -1,6 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: "20125"
labels:
app.kubernetes.io/name: '20125'

13
20125/secrets.yaml
View File

@@ -1,13 +0,0 @@
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: imagepull-gitea
namespace: "20125"
spec:
encryptedData:
.dockerconfigjson: AgAXY5XsnGF9E3RU9dnKXK9fWjqK0khCDf7n0vuJCLACrcM01aoWVSjl26+j7oSTTyc7t5C+EKPJnuKdlkNfh2Omw9Lh3dn8rPRYcBRmUEAyt0TvBVkxBIiP+49y39QEV1opYY+b1gLVJ5ZEC92u5uI9y8xovwx9wqtKLfQ+KCfc5m93AYaQJ9EcnV1DSEkv/HdtWNikQes2hO6pTLF/GHrh/s79eIeXMTm5oG/OyJWTOGQdy1SdoGWLLf31dsjhsJyGMYOtWx42Nou20lWqmdoy4Dd8OXuuhcfeDNzkH187mI4XpVjbS0M+P5teJsGiTwx+VyJlGQnEaquIiHy3KLt3YH/ltGeNeCNbFmSDa70A3IdP/t0cAXN20rlIFGVzqNrAOhMYtiTDEgaKOrL7mwM4i4NTCnLTA2nXU7gLEcLGPRqO7LKIhc1/6d1xWMT58SFjHAVklFt/lq1udY6zE8gXHp+RQ+7hIIEu500YiaKubvh2MsOKIqYOaX99Q4BW7PQhwjjwtFHFuwNjZn8wAbDq+3gsDSqgeFPgHAs7nPIImcBne/fTobsHhUVvxEnBNLCRtSqpkvOLzpgC+dRNsD6ZTcXPhFWTEOvjBMcUWqOTcRmd8DCsdxalM42x/ZQjlNlubZeuaNki+4pA80bYlsLWt3A2nWtcVbO/aAYrT1qiK/d8NZsPNidD0HE1rkUkCNv5KgXVWUfVU7ptX1YFpYXXuEIFeWzulH3gWmdW4q+t2nGHAqwkszZfijtpsexBttff1ym3rgBTGHFmQRkmSMbNHIAq29ehuVrxkH7uM8Q1cXXmMnGgre0ijtUfW9zMlx92jR86187xOLM3/hxANhfyt4eZVMwx8D42facMxxAngCi01vYTwqihA9mtBFkKlkQdKCH1NxgWQqwAJi87utgHoFivxeM+Pck7Zeottr0yzUEisdoBAdQR99hijR2C5SnC4iURnqfi9sloj0Uuo74SxiTGapA7pg77LmvpV9Wzu6QiEm944tftcZHwaMg=
template:
metadata:
name: imagepull-gitea
namespace: "20125"
type: kubernetes.io/dockerconfigjson

32
20125/status-server-ca.yaml
View File

@@ -1,32 +0,0 @@
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: selfsigned-ca
spec:
selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: status-server-ca
spec:
isCA: true
commonName: 20125 CA
secretName: status-server-ca-secret
privateKey:
algorithm: ECDSA
size: 256
issuerRef:
name: selfsigned-ca
kind: Issuer
group: cert-manager.io
---
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: status-server-ca
spec:
ca:
secretName: status-server-ca-secret

46
20125/status-server.yaml
View File

@@ -1,46 +0,0 @@
apiVersion: v1
kind: Service
metadata:
labels: &labels
app.kubernetes.io/name: status-server
app.kubernetes.io/component: status-server
name: status-server
spec:
ports:
- port: 80
protocol: TCP
targetPort: 20125
selector: *labels
type: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels: &labels
app.kubernetes.io/name: status-server
app.kubernetes.io/component: status-server
name: status-server
spec:
replicas: 1
selector:
matchLabels: *labels
template:
metadata:
labels: *labels
spec:
containers:
- name: status-server
image: git.pyrocufflink.net/packages/20125.home
imagePullPolicy: Always
volumeMounts:
- mountPath: /usr/local/share/20125.home/config.yml
name: config
subPath: config.yml
readOnly: True
imagePullSecrets:
- name: imagepull-gitea
volumes:
- name: config
configMap:
name: 20125-config

2
ansible/.gitignore vendored
View File

@@ -1,2 +0,0 @@
ara/.secrets.toml
host-provisioner.key

87
ansible/ara.yaml
View File

@@ -1,87 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: ara
labels: &labels
app.kubernetes.io/name: ara
app.kubernetes.io/component: ara
spec:
selector: *labels
type: ClusterIP
ports:
- name: http
port: 8000
targetPort: 8000
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: ara
labels: &labels
app.kubernetes.io/name: ara
app.kubernetes.io/component: ara
spec:
selector:
matchLabels: *labels
template:
metadata:
labels: *labels
spec:
enableServiceLinks: false
containers:
- name: ara-api
image: quay.io/recordsansible/ara-api
env:
- name: ARA_BASE_DIR
value: /etc/ara
- name: ARA_SETTINGS
value: /etc/ara/settings.toml
- name: SECRETS_FOR_DYNACONF
value: /etc/ara/.secrets.toml
ports:
- containerPort: 8000
name: http
readinessProbe: &probe
httpGet:
port: 8000
path: /api/
httpHeaders:
- name: Host
value: ara.ansible.pyrocufflink.blue
failureThreshold: 3
periodSeconds: 60
successThreshold: 1
timeoutSeconds: 5
startupProbe:
<<: *probe
failureThreshold: 30
initialDelaySeconds: 1
periodSeconds: 1
timeoutSeconds: 1
volumeMounts:
- mountPath: /etc/ara/settings.toml
name: config
subPath: settings.toml
readOnly: true
- mountPath: /etc/ara/.secrets.toml
name: secrets
subPath: .secrets.toml
readOnly: true
- mountPath: /tmp
name: tmp
subPath: tmp
securityContext:
runAsNonRoot: true
runAsUser: 7653
runAsGroup: 7653
volumes:
- name: config
configMap:
name: ara
- name: secrets
secret:
secretName: ara
- name: tmp
emptyDir:
medium: Memory

38
ansible/ara/settings.toml
View File

@@ -1,38 +0,0 @@
[default]
ALLOWED_HOSTS = [
'ara.ansible.pyrocufflink.blue',
]
LOG_LEVEL = 'INFO'
TIME_ZONE = 'UTC'
EXTERNAL_AUTH = true
READ_LOGIN_REQUIRED = false
WRITE_LOGIN_REQUIRED = false
DATABASE_ENGINE = 'django.db.backends.postgresql'
DATABASE_HOST = 'postgresql.pyrocufflink.blue'
DATABASE_NAME = 'ara'
DATABASE_USER = 'ara'
[default.DATABASE_OPTIONS]
sslmode = 'verify-full'
sslcert = '/run/secrets/ara/postgresql/tls.crt'
sslkey = '/run/secrets/ara/postgresql/tls.key'
sslrootcert = '/run/dch-ca/dch-root-ca.crt'
[default.LOGGING]
version = 1
disable_existing_loggers = false
[default.LOGGING.formatters.normal]
format = '%(levelname)s %(name)s: %(message)s'
[default.LOGGING.handlers.console]
class = 'logging.StreamHandler'
formatter = 'normal'
level = 'INFO'
[default.LOGGING.loggers.ara]
handlers = ['console']
level = 'INFO'
propagate = false

1
ansible/host-provisioner.key.pub
View File

@@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAICoOO/ZYMxRgmyvqZwGN3NM5pHyh3NBdC7iZrXIopt93 Host Provisioner

32
ansible/ingress.yaml
View File

@@ -1,32 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ara
labels:
app.kubernetes.io/name: ara
app.kubernetes.io/component: ara
annotations:
cert-manager.io/cluster-issuer: dch-ca
nginx.ingress.kubernetes.io/proxy-buffer-size: "8k"
nginx.ingress.kubernetes.io/auth-method: GET
nginx.ingress.kubernetes.io/auth-url: http://authelia.authelia.svc.cluster.local:9091/api/verify
nginx.ingress.kubernetes.io/auth-signin: https://auth.pyrocufflink.blue/?rm=$request_method
nginx.ingress.kubernetes.io/auth-snippet: |
proxy_set_header X-Forwarded-Method $request_method;
spec:
ingressClassName: nginx
tls:
- hosts:
- ara.ansible.pyrocufflink.blue
secretName: ara-cert
rules:
- host: ara.ansible.pyrocufflink.blue
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: ara
port:
name: http

60
ansible/kustomization.yaml
View File

@@ -1,60 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
labels:
- pairs:
app.kubernetes.io/instance: ansible
includeSelectors: true
includeTemplates: true
- pairs:
app.kubernetes.io/part-of: ansible
namespace: ansible
resources:
- ../dch-root-ca
- ../ssh-host-keys
- rbac.yaml
- secrets.yaml
- namespace.yaml
- ara.yaml
- postgres-cert.yaml
- ingress.yaml
configMapGenerator:
- name: ara
files:
- ara/settings.toml
options:
labels:
app.kubernetes.io/name: ara
patches:
- patch: |-
apiVersion: apps/v1
kind: Deployment
metadata:
name: ara
spec:
template:
spec:
containers:
- name: ara-api
volumeMounts:
- mountPath: /run/dch-ca/dch-root-ca.crt
name: dch-root-ca
subPath: dch-root-ca.crt
readOnly: true
- mountPath: /run/secrets/ara/postgresql
name: postgresql-cert
readOnly: true
securityContext:
fsGroup: 7653
volumes:
- name: postgresql-cert
secret:
secretName: ara-postgres-cert
defaultMode: 0640
- name: dch-root-ca
configMap:
name: dch-root-ca

6
ansible/namespace.yaml
View File

@@ -1,6 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: ansible
labels:
app.kubernetes.io/name: ansible

12
ansible/postgres-cert.yaml
View File

@@ -1,12 +0,0 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: ara-postgres-cert
spec:
commonName: ara
privateKey:
algorithm: ECDSA
secretName: ara-postgres-cert
issuerRef:
name: postgresql-ca
kind: ClusterIssuer

25
ansible/rbac.yaml
View File

@@ -1,25 +0,0 @@
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: dch-webhooks
rules:
- apiGroups:
- batch
resources:
- jobs
verbs:
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: dch-webhooks
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: dch-webhooks
subjects:
- kind: ServiceAccount
name: dch-webhooks
namespace: default

37
ansible/secrets.yaml
View File

@@ -1,37 +0,0 @@
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: ara
namespace: ansible
labels:
app.kubernetes.io/name: ara
app.kubernetes.io/component: ara
spec:
encryptedData:
.secrets.toml: AgAiObM2t8Cmr87pMRhZN4RBqb4soEdG0OJeAmaUCl//in2LihZyOHKu5RDeLBaPneoX5G/t5eQX7KkPCW7hffjBSngVbPMZ+U8Txb1IY3uFFHGAPnJBXwHo6FgRq5uKt3LQ6UmtWLoIF4ZB4K0f/g5BHR3N6FIah/x5pKrnU9lOltVgDFSEd7Ewgrj8AorASdE7ZxBAGuUPNktQZZ9MS0d2YiOhgfZiGHDnLZoqk0osDOZzKJX47yiYg5SR4NHoGzd7gfSvBtbrU4SIQCUGZJYtOKeUGaNtCgKnLe3oCphqV3izUY1JudVF8eN5MDgUH5vG2GcqDqMYTX2oRuk+rgRjiMJTkxQ/OZlbrXGxUocTR51EoM01vgjvvCsqaE3R5MhcKE7oOHrqTXzhDY6UzBPUu6QWrkWWMegBeIVCWA2ID3m8CPljyA0oZuClqVZpx/23cs3aHcyl2vye5ey3ca5QzLkkmKK7826H3przUYdwti9gMNp0sPszsDOTzfmN9iZD33a+WvEPfbf7+ZBXBAnoH06pLXeCGc43Q2S619xdHRw4caVGeczZAWYVjlnq8BUQGmHU2Ra5W6dzYM+i3vUimJRiuzeaG+APgY4KIdZNEjPguiwg93g9NtDWgap1h5rF3Yx4nEQelEN0pNAqT8CP67gW1Kp+wjNRNHkz45Ld3mJbMsvFqjZG5cCqk1s67mBNxhani0HBJM3vEV36wnDBzWwSmemuMUdjrG0zFwQHHeZwQe7oR+9XNz1DLPxvvp6KfEbHA3YMagQa2RYxN/C9APBBC+dmk6+TJn1n
template:
metadata:
name: ara
namespace: ansible
labels:
app.kubernetes.io/name: ara
app.kubernetes.io/component: ara
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: provisioner-ssh-key
namespace: ansible
labels: &labels
app.kubernetes.io/name: provisioner-ssh-key
app.kubernetes.io/component: host-provisioner
spec:
encryptedData:
host-provisioner.key: AgCiBQEtPmzQO9GHoVxZNQmjFn9GjeKWlHmG2lz4uqeva77QByqnejUg8CbpQnoT61ct9o39tVtrrHgC8WjseXKGKkd+YELRaWENXBNBFlv4YN6id2iPzf4xHrgfowXLjzly7s4s4Fg3QntXFglQxwG009Z7K5HQmAvgCFzGm6y+fyLoNd2v2eNc9pGurynnm7wKQFuBBpBtoDVfYMNSS+tp9D3MFVMwEG8kU/kszv5OEEwVkipG4v2LeY86HXIQnHyeE3vITz0TFPoQjpjusBNg7MxBVHcz/ZruqF43DZ+uz2aRFL6D5udm86hsxZGSi3yVq8PSCUANtWoTicIpSc5yxpB+5FLsc3Q380vQPrRYvx8luAZwMGQPDv2NpGoSRUmutb/+4vpQbCBwaP9s8WHaYNDByUeoQKAX2o+RYp+/csfxmSy1/pK93RUjMnsWGYiyI7jpNdTqWkakDN+cM0Lrje9+VqcZge3FYp/4y78AI75pWEiEMy1VSXeqE2pgu5vZzyRdw9zORC2sAWhnTeu+Obbly1UdptpXPmGclmRbpwAPM1F7m7pDsCQ9SYAhoGg251Yu0sF3Nnc0uOElmP0KSn1bt/Jca9M0syg9DMntHo41dn40+Aihujej0ll4h3GXVZ0auUuzSLZEMe0dHQY0YCaq3JdeOa6AJuNyo63/0BmvmWP2T06INtVw4EqBsmvNl/YJIlZiRGhIOGaRyJllu21L6QBtToYjxI7fhTxZaCG6fyPbvCd1hu+IchoMr86rl7W0+k6d/lkamx9dg+PtWjjThOGyeLYwSRhMcsvQPsSdTl8BEmB9TRgRIk42txVRQkb+ei1+1y9nBYCOV9P540lDXQVbqgyb0j2cccWOa/AG7l3P3s8haDs2OujUaVkBJWJ489nsLsC33972wwAQbOk+uTKmXKL6nWSNL31rivW9R8ea+vfdcyN2/tLsI0mE9XTR/kRmS12qdLmDbzeX/scqSKaWFQZwnLHak5Xaqkd25ZGHqB3zrnTBIryDaXSzgC1CPCv7QNqbKvd6vmH+16j1DWqLycbUeorx5O9nwpEZ+GzQm8q62PJEO8xdvqr3nu5OvFgGrnX/Y6giV8Cv8ogyAxbmNrq0cC5VYxDlt4VvzlOpmWUlfxD/wd+gaHQoibhhHRbGtsJCX9AFclVQrY3kmduTi/iJlTTJjMQKm9JJRXKbNDxH+B25Zj/hUIC1/NNZOSDn654Pi/yOGXITp86j9unfnIXdJPg=
template:
metadata:
name: provisioner-ssh-key
namespace: ansible
labels: *labels

3
argocd/applications/authelia.yaml
View File

@@ -11,6 +11,3 @@ spec:
path: authelia path: authelia
repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
targetRevision: master targetRevision: master
syncPolicy:
automated:
prune: true

3
argocd/applications/firefly-iii.yaml
View File

@@ -11,6 +11,3 @@ spec:
path: firefly-iii path: firefly-iii
repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
targetRevision: master targetRevision: master
syncPolicy:
automated:
prune: true

3
argocd/applications/grafana.yaml
View File

@@ -11,6 +11,3 @@ spec:
path: grafana path: grafana
repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
targetRevision: master targetRevision: master
syncPolicy:
automated:
prune: true

3
argocd/applications/home-assistant.yaml
View File

@@ -11,6 +11,3 @@ spec:
path: home-assistant path: home-assistant
repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
targetRevision: master targetRevision: master
syncPolicy:
automated:
prune: true

3
argocd/applications/ntfy.yaml
View File

@@ -11,6 +11,3 @@ spec:
path: ntfy path: ntfy
repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
targetRevision: master targetRevision: master
syncPolicy:
automated:
prune: true

3
argocd/applications/paperless-ngx.yaml
View File

@@ -11,6 +11,3 @@ spec:
path: paperless-ngx path: paperless-ngx
repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
targetRevision: master targetRevision: master
syncPolicy:
automated:
prune: true

7
argocd/applications/vaultwarden.yaml → argocd/applications/postgresql.yaml
View File

@@ -1,16 +1,13 @@
apiVersion: argoproj.io/v1alpha1 apiVersion: argoproj.io/v1alpha1
kind: Application kind: Application
metadata: metadata:
name: vaultwarden name: postgresql
namespace: argocd namespace: argocd
spec: spec:
destination: destination:
server: https://kubernetes.default.svc server: https://kubernetes.default.svc
project: default project: default
source: source:
path: vaultwarden path: postgresql
repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
targetRevision: master targetRevision: master
syncPolicy:
automated:
prune: true

18
argocd/applications/receipts.yaml
View File

@@ -1,18 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: &name receipts
namespace: argocd
labels:
vendor: dustin
spec:
destination:
server: https://kubernetes.default.svc
project: default
source:
path: *name
repoURL: https://git.pyrocufflink.blue/infra/kubernetes.git
targetRevision: master
syncPolicy:
automated:
prune: true

2
authelia/authelia.yaml
View File

@@ -54,7 +54,7 @@ spec:
- name: authelia - name: authelia
image: ghcr.io/authelia/authelia image: ghcr.io/authelia/authelia
env: env:
- name: AUTHELIA_IDENTITY_VALIDATION_RESET_PASSWORD_JWT_SECRET_FILE - name: AUTHELIA_JWT_SECRET_FILE
value: /run/authelia/secrets/jwt.secret value: /run/authelia/secrets/jwt.secret
- name: AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE - name: AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD_FILE
value: /run/authelia/secrets/ldap.password value: /run/authelia/secrets/ldap.password

82
authelia/configuration.yml
View File

@@ -5,9 +5,6 @@ access_control:
networks: networks:
- 172.30.0.0/26 - 172.30.0.0/26
- 172.31.1.0/24 - 172.31.1.0/24
- name: cluster
networks:
- 10.149.0.0/16
rules: rules:
- domain: paperless.pyrocufflink.blue - domain: paperless.pyrocufflink.blue
policy: two_factor policy: two_factor
@@ -39,10 +36,6 @@ access_control:
networks: networks:
- internal - internal
policy: bypass policy: bypass
- domain: metrics.pyrocufflink.blue
resources:
- '^/insert/.*'
policy: bypass
- domain: metrics.pyrocufflink.blue - domain: metrics.pyrocufflink.blue
networks: networks:
- internal - internal
@@ -57,16 +50,6 @@ access_control:
resources: resources:
- '^/submit/.*' - '^/submit/.*'
policy: bypass policy: bypass
- domain: ara.ansible.pyrocufflink.blue
networks:
- internal
- cluster
resources:
- '^/api/.*'
methods:
- POST
- PATCH
policy: bypass
authentication_backend: authentication_backend:
ldap: ldap:
@@ -74,30 +57,20 @@ authentication_backend:
implementation: activedirectory implementation: activedirectory
tls: tls:
minimum_version: TLS1.2 minimum_version: TLS1.2
address: ldaps://pyrocufflink.blue url: ldaps://pyrocufflink.blue
user: CN=svc.authelia,CN=Users,DC=pyrocufflink,DC=blue user: CN=svc.authelia,CN=Users,DC=pyrocufflink,DC=blue
certificates_directory: /run/authelia/certs certificates_directory: /run/authelia/certs
identity_providers: identity_providers:
oidc: oidc:
claims_policies:
default:
id_token:
- groups
- email
- email_verified
- preferred_username
- name
clients: clients:
- client_id: e20a50c2-55eb-4cb1-96ce-fe71c61c1d89 - id: e20a50c2-55eb-4cb1-96ce-fe71c61c1d89
client_name: Jenkins description: Jenkins
client_secret: >- secret: >-
$argon2id$v=19$m=65536,t=3,p=4$qoo6+3ToLbsZOI/BxcppGw$srNBfpIHqpxLh+VfVNNe27A1Ci9dCKLfB8rWXLNkv44 $argon2id$v=19$m=65536,t=3,p=4$qoo6+3ToLbsZOI/BxcppGw$srNBfpIHqpxLh+VfVNNe27A1Ci9dCKLfB8rWXLNkv44
redirect_uris: redirect_uris:
- https://jenkins.pyrocufflink.blue/securityRealm/finishLogin - https://jenkins.pyrocufflink.blue/securityRealm/finishLogin
response_types:
- code
scopes: scopes:
- openid - openid
- groups - groups
@@ -107,58 +80,50 @@ identity_providers:
authorization_policy: one_factor authorization_policy: one_factor
pre_configured_consent_duration: 8h pre_configured_consent_duration: 8h
token_endpoint_auth_method: client_secret_post token_endpoint_auth_method: client_secret_post
- client_id: kubernetes - id: kubernetes
client_name: Kubernetes description: Kubernetes
public: true public: true
claims_policy: default
redirect_uris: redirect_uris:
- http://localhost:8000 - http://localhost:8000
- http://localhost:18000 - http://localhost:18000
authorization_policy: one_factor authorization_policy: one_factor
pre_configured_consent_duration: 8h pre_configured_consent_duration: 8h
- client_id: 1b6adbfc-d9e0-4cab-b780-e410639dc420 - id: 1b6adbfc-d9e0-4cab-b780-e410639dc420
client_name: MinIO description: MinIO
client_secret: >- secret: >-
$pbkdf2-sha512$310000$TkQ1BwLrr.d8AVGWk2rLhA$z4euAPhkkZdjcxKFD3tZRtNQ/R78beW7epJ.BGFWSwQdAme5TugNj9Ba.aL5TEqrBDmXRW0xiI9EbxSszckG5A $pbkdf2-sha512$310000$TkQ1BwLrr.d8AVGWk2rLhA$z4euAPhkkZdjcxKFD3tZRtNQ/R78beW7epJ.BGFWSwQdAme5TugNj9Ba.aL5TEqrBDmXRW0xiI9EbxSszckG5A
redirect_uris: redirect_uris:
- https://burp.pyrocufflink.blue:9090/oauth_callback - https://burp.pyrocufflink.blue:9090/oauth_callback
- https://minio.backups.pyrocufflink.blue/oauth_callback - id: step-ca
- client_id: step-ca description: step-ca
client_name: step-ca
public: true public: true
claims_policy: default
redirect_uris: redirect_uris:
- http://127.0.0.1 - http://127.0.0.1
pre_configured_consent_duration: 8h pre_configured_consent_duration: 8h
- client_id: argocd - id: argocd
client_name: Argo CD description: Argo CD
claims_policy: default
pre_configured_consent_duration: 8h pre_configured_consent_duration: 8h
redirect_uris: redirect_uris:
- https://argocd.pyrocufflink.blue/auth/callback - https://argocd.pyrocufflink.blue/auth/callback
client_secret: >- secret: >-
$pbkdf2-sha512$310000$l/uOezgWjqe3boGLYAnKcg$uqn1FC8Lj2y1NG5Q91PeLfLLUQ.qtlKFLd0AWJ56owLME9mV/Zx8kQ2x7OS/MOoMLmUgKd4zogYKab2HGFr0kw $pbkdf2-sha512$310000$l/uOezgWjqe3boGLYAnKcg$uqn1FC8Lj2y1NG5Q91PeLfLLUQ.qtlKFLd0AWJ56owLME9mV/Zx8kQ2x7OS/MOoMLmUgKd4zogYKab2HGFr0kw
- client_id: argocd-cli - id: argocd-cli
client_name: argocd CLI description: argocd CLI
public: true public: true
claims_policy: default
pre_configured_consent_duration: 8h pre_configured_consent_duration: 8h
audience: audience:
- argocd-cli - argocd-cli
redirect_uris: redirect_uris:
- http://localhost:8085/auth/callback - http://localhost:8085/auth/callback
response_types:
- code
scopes: scopes:
- openid - openid
- groups
- profile - profile
- email - email
- groups
- offline_access - offline_access
- client_id: sshca - id: sshca
client_name: SSHCA description: SSHCA
public: true public: true
claims_policy: default
pre_configured_consent_duration: 4h pre_configured_consent_duration: 4h
redirect_uris: redirect_uris:
- http://127.0.0.1 - http://127.0.0.1
@@ -174,18 +139,17 @@ log:
notifier: notifier:
smtp: smtp:
disable_require_tls: true disable_require_tls: true
address: 'mail.pyrocufflink.blue:25' host: mail.pyrocufflink.blue
port: 25
sender: auth@pyrocufflink.net sender: auth@pyrocufflink.net
session: session:
domain: pyrocufflink.blue
expiration: 1d expiration: 1d
inactivity: 4h inactivity: 4h
redis: redis:
host: redis host: redis
port: 6379 port: 6379
cookies:
- domain: pyrocufflink.blue
authelia_url: 'https://auth.pyrocufflink.blue'
server: server:
buffers: buffers:
@@ -193,7 +157,7 @@ server:
storage: storage:
postgres: postgres:
address: postgresql.pyrocufflink.blue host: postgresql.pyrocufflink.blue
database: authelia database: authelia
username: authelia username: authelia
password: unused password: unused

3
authelia/kustomization.yaml
View File

@@ -55,6 +55,3 @@ patches:
- name: dch-root-ca - name: dch-root-ca
configMap: configMap:
name: dch-root-ca name: dch-root-ca
images:
- name: ghcr.io/authelia/authelia
newTag: 4.39.4

41
cert-manager/cert-exporter.config.yml
View File

@@ -1,41 +0,0 @@
git_repo: gitea@git.pyrocufflink.blue:dustin/certs.git
certs:
- name: pyrocufflink-cert
namespace: default
key: certificates/_.pyrocufflink.net.key
cert: certificates/_.pyrocufflink.net.crt
bundle: certificates/_.pyrocufflink.net.pem
- name: dustinhatchname-cert
namespace: default
key: acme.sh/dustin.hatch.name/dustin.hatch.name.key
cert: acme.sh/dustin.hatch.name/fullchain.cer
- name: hatchchat-cert
namespace: default
key: certificates/hatch.chat.key
cert: certificates/hatch.chat.crt
bundle: certificates/hatch.chat.pem
- name: tabitha-cert
namespace: default
key: certificates/tabitha.biz.key
cert: certificates/tabitha.biz.crt
bundle: certificates/tabitha.biz.pem
- name: chmod777-cert
namespace: default
key: certificates/chmod777.sh.key
cert: certificates/chmod777.sh.crt
bundle: certificates/chmod777.sh.pem
- name: dustinandtabitha-cert
namespace: default
key: certificates/dustinandtabitha.com.key
cert: certificates/dustinandtabitha.com.crt
bundle: certificates/dustinandtabitha.com.pem
- name: hlc-cert
namespace: default
key: certificates/hatchlearningcenter.org.key
cert: certificates/hatchlearningcenter.org.crt
bundle: certificates/hatchlearningcenter.org.pem
- name: appsxyz-cert
namespace: default
key: certificates/apps.du5t1n.xyz.key
cert: certificates/apps.du5t1n.xyz.crt
bundle: certificates/apps.du5t1n.xyz.pem

52
cert-manager/cert-exporter.yaml
View File

@@ -4,6 +4,56 @@ metadata:
name: cert-exporter name: cert-exporter
namespace: cert-manager namespace: cert-manager
---
apiVersion: v1
kind: ConfigMap
metadata:
name: cert-exporter
namespace: cert-manager
data:
config.yml: |
git_repo: gitea@git.pyrocufflink.blue:dustin/certs.git
certs:
- name: pyrocufflink-cert
namespace: default
key: certificates/_.pyrocufflink.net.key
cert: certificates/_.pyrocufflink.net.crt
bundle: certificates/_.pyrocufflink.net.pem
- name: dustinhatchname-cert
namespace: default
key: acme.sh/dustin.hatch.name/dustin.hatch.name.key
cert: acme.sh/dustin.hatch.name/fullchain.cer
- name: hatchchat-cert
namespace: default
key: certificates/hatch.chat.key
cert: certificates/hatch.chat.crt
bundle: certificates/hatch.chat.pem
- name: tabitha-cert
namespace: default
key: certificates/tabitha.biz.key
cert: certificates/tabitha.biz.crt
bundle: certificates/tabitha.biz.pem
- name: dcow-cert
namespace: default
key: certificates/darkchestofwonders.us.key
cert: certificates/darkchestofwonders.us.crt
bundle: certificates/darkchestofwonders.us.pem
- name: chmod777-cert
namespace: default
key: certificates/chmod777.sh.key
cert: certificates/chmod777.sh.crt
bundle: certificates/chmod777.sh.pem
- name: dustinandtabitha-cert
namespace: default
key: certificates/dustinandtabitha.com.key
cert: certificates/dustinandtabitha.com.crt
bundle: certificates/dustinandtabitha.com.pem
- name: hlc-cert
namespace: default
key: certificates/hatchlearningcenter.org.key
cert: certificates/hatchlearningcenter.org.crt
bundle: certificates/hatchlearningcenter.org.pem
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1
kind: Role kind: Role
@@ -21,10 +71,10 @@ rules:
- dustinhatchname-cert - dustinhatchname-cert
- hatchchat-cert - hatchchat-cert
- tabitha-cert - tabitha-cert
- dcow-cert
- chmod777-cert - chmod777-cert
- dustinandtabitha-cert - dustinandtabitha-cert
- hlc-cert - hlc-cert
- appsxyz-cert
--- ---
apiVersion: rbac.authorization.k8s.io/v1 apiVersion: rbac.authorization.k8s.io/v1

35
cert-manager/certificates.yaml
View File

@@ -71,6 +71,24 @@ spec:
algorithm: ECDSA algorithm: ECDSA
rotationPolicy: Always rotationPolicy: Always
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: dcow-cert
spec:
secretName: dcow-cert
dnsNames:
- darkchestofwonders.us
- '*.darkchestofwonders.us'
issuerRef:
group: cert-manager.io
kind: ClusterIssuer
name: zerossl
privateKey:
algorithm: ECDSA
rotationPolicy: Always
--- ---
apiVersion: cert-manager.io/v1 apiVersion: cert-manager.io/v1
kind: Certificate kind: Certificate
@@ -136,20 +154,3 @@ spec:
privateKey: privateKey:
algorithm: ECDSA algorithm: ECDSA
rotationPolicy: Always rotationPolicy: Always
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: appsxyz-cert
spec:
secretName: appsxyz-cert
dnsNames:
- apps.du5t1n.xyz
issuerRef:
group: cert-manager.io
kind: ClusterIssuer
name: zerossl
privateKey:
algorithm: ECDSA
rotationPolicy: Always

12
cert-manager/dch-ca-issuer.yaml
View File

@@ -12,18 +12,6 @@ spec:
LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJ4RENDQVdxZ0F3SUJBZ0lVYkh6MnRzc2EwOXpzSGsrRWRHRDNRS3ByTUtRd0NnWUlLb1pJemowRUF3UXcKUURFTE1Ba0dBMVVFQmhNQ1ZWTXhHREFXQmdOVkJBb01EMFIxYzNScGJpQkRMaUJJWVhSamFERVhNQlVHQTFVRQpBd3dPUkVOSUlGSnZiM1FnUTBFZ1VqSXdIaGNOTWpNd09USTBNakExTXpBNVdoY05ORE13T1RFNU1qQTFNekE1CldqQkFNUXN3Q1FZRFZRUUdFd0pWVXpFWU1CWUdBMVVFQ2d3UFJIVnpkR2x1SUVNdUlFaGhkR05vTVJjd0ZRWUQKVlFRRERBNUVRMGdnVW05dmRDQkRRU0JTTWpCWk1CTUdCeXFHU000OUFnRUdDQ3FHU000OUF3RUhBMElBQkUyRApOSkhSY2p1QTE5Wm9wckJLYXhJZlV4QWJ6NkxpZ003ZGd0TzYraXNhTWx4UkFWSm1zSVRBRElFLzIyUnJVRGdECk9ma3QyaVpUVWpNcnozQXhYaFdqUWpCQU1CMEdBMVVkRGdRV0JCVE0rZDhrYjFrb0dtS1J0SnM0Z045ellhKzYKb1RBU0JnTlZIUk1CQWY4RUNEQUdBUUgvQWdFQk1Bc0dBMVVkRHdRRUF3SUJCakFLQmdncWhrak9QUVFEQkFOSQpBREJGQWlFQTJLYThtTWlBRkxtckZXdDBkQW1sMjQ3cmUyK2k0VVBoeUhjT0JmTksrZ29DSUh2K3ZFdzdDSFpRCmlySWE2OTduZmU0S2lYSU13SGxBTVMxKzFRWm9oRkRDCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K LS0tLS1CRUdJTiBDRVJUSUZJQ0FURS0tLS0tCk1JSUJ4RENDQVdxZ0F3SUJBZ0lVYkh6MnRzc2EwOXpzSGsrRWRHRDNRS3ByTUtRd0NnWUlLb1pJemowRUF3UXcKUURFTE1Ba0dBMVVFQmhNQ1ZWTXhHREFXQmdOVkJBb01EMFIxYzNScGJpQkRMaUJJWVhSamFERVhNQlVHQTFVRQpBd3dPUkVOSUlGSnZiM1FnUTBFZ1VqSXdIaGNOTWpNd09USTBNakExTXpBNVdoY05ORE13T1RFNU1qQTFNekE1CldqQkFNUXN3Q1FZRFZRUUdFd0pWVXpFWU1CWUdBMVVFQ2d3UFJIVnpkR2x1SUVNdUlFaGhkR05vTVJjd0ZRWUQKVlFRRERBNUVRMGdnVW05dmRDQkRRU0JTTWpCWk1CTUdCeXFHU000OUFnRUdDQ3FHU000OUF3RUhBMElBQkUyRApOSkhSY2p1QTE5Wm9wckJLYXhJZlV4QWJ6NkxpZ003ZGd0TzYraXNhTWx4UkFWSm1zSVRBRElFLzIyUnJVRGdECk9ma3QyaVpUVWpNcnozQXhYaFdqUWpCQU1CMEdBMVVkRGdRV0JCVE0rZDhrYjFrb0dtS1J0SnM0Z045ellhKzYKb1RBU0JnTlZIUk1CQWY4RUNEQUdBUUgvQWdFQk1Bc0dBMVVkRHdRRUF3SUJCakFLQmdncWhrak9QUVFEQkFOSQpBREJGQWlFQTJLYThtTWlBRkxtckZXdDBkQW1sMjQ3cmUyK2k0VVBoeUhjT0JmTksrZ29DSUh2K3ZFdzdDSFpRCmlySWE2OTduZmU0S2lYSU13SGxBTVMxKzFRWm9oRkRDCi0tLS0tRU5EIENFUlRJRklDQVRFLS0tLS0K
solvers: solvers:
- dns01:
cnameStrategy: Follow
rfc2136:
nameserver: 172.30.0.1
tsigSecretSecretRef:
name: pyrocufflink-tsig
key: cert-manager.tsig.key
tsigKeyName: cert-manager
tsigAlgorithm: HMACSHA512
selector:
dnsNames:
- rabbitmq.pyrocufflink.blue
- http01: - http01:
ingress: ingress:
ingressClassName: nginx ingressClassName: nginx

36
cert-manager/kustomization.yaml
View File

@@ -2,20 +2,11 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
resources: resources:
- https://github.com/cert-manager/cert-manager/releases/download/v1.16.4/cert-manager.yaml - https://github.com/cert-manager/cert-manager/releases/download/v1.14.5/cert-manager.yaml
- cluster-issuer.yaml - cluster-issuer.yaml
- certificates.yaml - certificates.yaml
- cert-exporter.yaml - cert-exporter.yaml
- dch-ca-issuer.yaml - dch-ca-issuer.yaml
- secrets.yaml
configMapGenerator:
- name: cert-exporter
namespace: cert-manager
files:
- config.yml=cert-exporter.config.yml
options:
disableNameSuffixHash: True
secretGenerator: secretGenerator:
- name: zerossl-eab - name: zerossl-eab
@@ -37,28 +28,3 @@ secretGenerator:
- cloudflare.api-token - cloudflare.api-token
options: options:
disableNameSuffixHash: true disableNameSuffixHash: true
patches:
- patch: |
apiVersion: apps/v1
kind: Deployment
metadata:
name: cert-manager
namespace: cert-manager
spec:
template:
spec:
dnsConfig:
nameservers:
- 172.30.0.1
dnsPolicy: None
- patch: |
- op: add
path: /spec/template/spec/containers/0/args/-
value: >-
--dns01-recursive-nameservers-only
target:
group: apps
version: v1
kind: Deployment
name: cert-manager

13
cert-manager/secrets.yaml
View File

@@ -1,13 +0,0 @@
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: pyrocufflink-tsig
namespace: cert-manager
spec:
encryptedData:
cert-manager.tsig.key: AgAf1dVezJ0ytOdGI5rzCJ35rAVpY114pQJgIzqAKsKkRVE6kwWXjoFj94ZgDsjpOedAp1zdNB1UQnu0n10ayuz/NUYb74wkXcu0RRy6Ve06SJjI01f7lHP2/a4cnW+0et/Xzin0RQ/3hHmZUk5aCwV/FCLs0D5LdFixHf+sbMCzhyIYrQ64x0YH9YqBTRgXkEx94+PUuxi9ZyLuKiepd/K4UF+L5rF2zWt9DVKOmdbilzd5RqdQSgEyoOOpmcbDKHm1s17KHWSJb44rvxj7vg2fmXXwEvEW5SiQdrhmywOcqqhXEbE1ZEvBrVt3GgrjZHeTyL0Gx4jugiqSR/WulY7ak4+ZkDF80OS5RzciYeVMDdNxst48Xdkc2F7E93GGWCeIN5gig0oCFcB18BRF3aO4AB+fqh0IWBSiBCGinbjvX684TF9BGPuKMj01ORW3fFnRfbeE4gYTrdBKFi1ltG6VxJ6X9i5ztLIQBcH48btf7uMjQsC79GPq35CCWBprqnNBvi81lJtGVaVqY6hNIvyQIO+fEReMk/Mp0N+KxWlWVY/vK+ck2KWkgXaui3xkM4jbB6RiXWZXrUW4y+XyDs+sTziwYRRz03MU9NC58do9MBnOeM+fJqioMyQq81/mXKtcxIsvJadJ7WsYQKdqa/gVE5D/ybJ2qrtbEQqgCXnyowIIIOVvvWilhzh/zjQgtRiLHlsbLmvRX5aZm1Z048CMDFPh8CxcHlVwz7FUviJzbNoqENh1PE6HhKwFqpGxtjjR6X3LEi8iLvLNg05EUzLNJD1+SCi0imhQPGesJZtr/h1xqI9utB4NjA==
template:
metadata:
name: pyrocufflink-tsig
namespace: cert-manager

2
dch-root-ca/kustomization.yaml
View File

@@ -5,5 +5,3 @@ configMapGenerator:
- name: dch-root-ca - name: dch-root-ca
files: files:
- dch-root-ca.crt - dch-root-ca.crt
options:
disableNameSuffixHash: true

117
dch-webhooks/ansible-job.yaml
View File

@@ -1,117 +0,0 @@
apiVersion: batch/v1
kind: Job
metadata:
generateName: host-provision-
labels: &labels
app.kubernetes.io/name: host-provisioner
app.kubernetes.io/component: host-provisioner
spec:
backoffLimit: 0
template:
metadata:
labels: *labels
spec:
restartPolicy: Never
initContainers:
- name: ssh-agent
image: &image git.pyrocufflink.net/infra/host-provisioner
imagePullPolicy: Always
command:
- tini
- ssh-agent
- --
- -D
- -a
- /run/ssh/agent.sock
restartPolicy: Always
securityContext:
readOnlyRootFilesystem: true
volumeMounts:
- mountPath: /run/ssh
name: tmp
subPath: run/ssh
- name: ssh-add
image: *image
command:
- ssh-add
- -t
- 30m
- /run/secrets/ssh/host-provisioner.key
env:
- name: SSH_AUTH_SOCK
value: /run/ssh/agent.sock
securityContext:
readOnlyRootFilesystem: true
volumeMounts:
- mountPath: /run/ssh
name: tmp
subPath: run/ssh
- mountPath: /run/secrets/ssh
name: provisioner-key
readOnly: true
containers:
- name: host-provisioner
image: *image
env:
- name: SSH_AUTH_SOCK
value: /run/ssh/agent.sock
- name: AMQP_HOST
value: rabbitmq.pyrocufflink.blue
- name: AMQP_PORT
value: '5671'
- name: AMQP_CA_CERT
value: /run/dch-ca/dch-root-ca.crt
- name: AMQP_CLIENT_CERT
value: /run/secrets/host-provisioner/rabbitmq/tls.crt
- name: AMQP_CLIENT_KEY
value: /run/secrets/host-provisioner/rabbitmq/tls.key
- name: AMQP_EXTERNAL_CREDENTIALS
value: '1'
- name: PYROCUFFLINK_EXCLUDE_TEST
value: 'false'
securityContext:
readOnlyRootFilesystem: true
volumeMounts:
- mountPath: /etc/ssh/ssh_known_hosts
name: ssh-known-hosts
subPath: ssh_known_hosts
readOnly: true
- mountPath: /home/jenkins
name: workspace
- mountPath: /run/dch-ca
name: dch-root-ca
readOnly: true
- mountPath: /run/ssh
name: tmp
subPath: run/ssh
- mountPath: /run/secrets/host-provisioner/rabbitmq
name: rabbitmq-cert
readOnly: true
- mountPath: /tmp
name: tmp
subPath: tmp
securityContext:
runAsNonRoot: true
runAsUser: 1000
runAsGroup: 1000
fsGroup: 1000
volumes:
- name: dch-root-ca
configMap:
name: dch-root-ca
- name: provisioner-key
secret:
secretName: provisioner-ssh-key
defaultMode: 0440
- name: ssh-known-hosts
configMap:
name: ssh-known-hosts
- name: rabbitmq-cert
secret:
secretName: rabbitmq-cert
defaultMode: 0440
- name: tmp
emptyDir:
medium: Memory
- name: workspace
emptyDir: {}

7
dch-webhooks/dch-webhooks.env
View File

@@ -7,10 +7,3 @@ STEP_CA_URL=https://ca.pyrocufflink.blue:32599
STEP_ROOT=/run/dch-root-ca.crt STEP_ROOT=/run/dch-root-ca.crt
STEP_PROVISIONER=host-bootstrap STEP_PROVISIONER=host-bootstrap
STEP_PROVISIONER_PASSWORD_FILE=/run/secrets/du5t1n.me/step-ca/provisioner.password STEP_PROVISIONER_PASSWORD_FILE=/run/secrets/du5t1n.me/step-ca/provisioner.password
AMQP_HOST=rabbitmq.pyrocufflink.blue
AMQP_PORT=5671
AMQP_EXTERNAL_CREDENTIALS=1
AMQP_CA_CERT=/run/dch-root-ca.crt
AMQP_CLIENT_CERT=/run/secrets/du5t1n.me/rabbitmq/tls.crt
AMQP_CLIENT_KEY=/run/secrets/du5t1n.me/rabbitmq/tls.key

29
dch-webhooks/dch-webhooks.yaml
View File

@@ -1,14 +1,4 @@
apiVersion: v1 apiVersion: v1
kind: ServiceAccount
metadata:
name: dch-webhooks
labels:
app.kubernetes.io/name: dch-webhooks
app.kubernetes.io/component: dch-webhooks
app.kubernetes.io/part-of: dch-webhooks
---
apiVersion: v1
kind: Service kind: Service
metadata: metadata:
labels: labels:
@@ -52,14 +42,12 @@ spec:
spec: spec:
containers: containers:
- name: dch-webhooks - name: dch-webhooks
image: git.pyrocufflink.net/infra/dch-webhooks image: git.pyrocufflink.net/containerimages/dch-webhooks
env: env:
- name: UVICORN_HOST - name: UVICORN_HOST
value: 0.0.0.0 value: 0.0.0.0
- name: UVICORN_LOG_LEVEL - name: UVICORN_LOG_LEVEL
value: debug value: debug
- name: ANSIBLE_JOB_YAML
value: /etc/dch-webhooks/ansible-job.yaml
envFrom: envFrom:
- configMapRef: - configMapRef:
name: dch-webhooks name: dch-webhooks
@@ -88,37 +76,22 @@ spec:
name: firefly-token name: firefly-token
- mountPath: /run/secrets/du5t1n.me/paperless - mountPath: /run/secrets/du5t1n.me/paperless
name: paperless-token name: paperless-token
- mountPath: /run/secrets/du5t1n.me/rabbitmq
name: rabbitmq-cert
readOnly: true
- mountPath: /run/secrets/du5t1n.me/step-ca - mountPath: /run/secrets/du5t1n.me/step-ca
name: step-ca-password name: step-ca-password
- mountPath: /tmp - mountPath: /tmp
name: tmp name: tmp
subPath: tmp subPath: tmp
- mountPath: /etc/dch-webhooks
name: host-provisioner
readOnly: true
securityContext: securityContext:
runAsNonRoot: true runAsNonRoot: true
serviceAccountName: dch-webhooks
volumes: volumes:
- name: firefly-token - name: firefly-token
secret: secret:
secretName: firefly-token secretName: firefly-token
optional: true optional: true
- name: host-provisioner
configMap:
name: host-provisioner
optional: true
- name: paperless-token - name: paperless-token
secret: secret:
secretName: paperless-token secretName: paperless-token
optional: true optional: true
- name: rabbitmq-cert
secret:
secretName: rabbitmq-cert
optional: true
- name: root-ca - name: root-ca
configMap: configMap:
name: dch-root-ca name: dch-root-ca

14
dch-webhooks/kustomization.yaml
View File

@@ -1,29 +1,15 @@
apiVersion: kustomize.config.k8s.io/v1beta1 apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
labels:
- pairs:
app.kubernetes.io/instance: dch-webhooks
includeSelectors: true
includeTemplates: true
- pairs:
app.kubernetes.io/part-of: dch-webhooks
resources: resources:
- ../dch-root-ca - ../dch-root-ca
- dch-webhooks.yaml - dch-webhooks.yaml
- certificate.yaml
- ingress.yaml - ingress.yaml
configMapGenerator: configMapGenerator:
- name: dch-webhooks - name: dch-webhooks
envs: envs:
- dch-webhooks.env - dch-webhooks.env
- name: host-provisioner
files:
- ansible-job.yaml
options:
disableNameSuffixHash: true
secretGenerator: secretGenerator:
- name: firefly-token - name: firefly-token

1
dynk8s-provisioner/.gitignore vendored
View File

@@ -1 +0,0 @@
wireguard-config

227
dynk8s-provisioner/dynk8s-provisioner.yaml
View File

@@ -1,3 +1,179 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: dynk8s
labels:
kubernetes.io/metadata.name: dynk8s
app.kubernetes.io/instance: dynk8s-provisioner
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: dynk8s-provisioner
namespace: dynk8s
labels:
app.kubernetes.io/name: dynk8s-provisioner
app.kubernetes.io/instance: dynk8s-provisioner
app.kubernetes.io/component: http-api
app.kubernetes.io/part-of: dynk8s-provisioner
automountServiceAccountToken: true
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: dynk8s-provisioner
namespace: dynk8s
labels:
app.kubernetes.io/name: dynk8s-provisioner
app.kubernetes.io/instance: dynk8s-provisioner
app.kubernetes.io/component: http-api
app.kubernetes.io/part-of: dynk8s-provisioner
rules:
- apiGroups:
- ''
resources:
- secrets
verbs:
- '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: dynk8s-provisioner
namespace: kube-system
labels:
app.kubernetes.io/name: dynk8s-provisioner
app.kubernetes.io/instance: dynk8s-provisioner
app.kubernetes.io/component: http-api
app.kubernetes.io/part-of: dynk8s-provisioner
rules:
- apiGroups:
- ''
resources:
- secrets
verbs:
- '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: dynk8s-provisioner
namespace: kube-public
labels:
app.kubernetes.io/name: dynk8s-provisioner
app.kubernetes.io/instance: dynk8s-provisioner
app.kubernetes.io/component: http-api
app.kubernetes.io/part-of: dynk8s-provisioner
rules:
- apiGroups:
- ''
resources:
- configmaps
resourceNames:
- cluster-info
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: dynk8s-provisioner
labels:
app.kubernetes.io/name: dynk8s-provisioner
app.kubernetes.io/instance: dynk8s-provisioner
app.kubernetes.io/component: http-api
app.kubernetes.io/part-of: dynk8s-provisioner
rules:
- apiGroups:
- ''
resources:
- nodes
verbs:
- list
- get
- delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: dynk8s-provisioner
namespace: dynk8s
labels:
app.kubernetes.io/name: dynk8s-provisioner
app.kubernetes.io/instance: dynk8s-provisioner
app.kubernetes.io/part-of: dynk8s-provisioner
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: dynk8s-provisioner
subjects:
- kind: ServiceAccount
name: dynk8s-provisioner
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: dynk8s-provisioner
namespace: kube-system
labels:
app.kubernetes.io/name: dynk8s-provisioner
app.kubernetes.io/instance: dynk8s-provisioner
app.kubernetes.io/part-of: dynk8s-provisioner
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: dynk8s-provisioner
subjects:
- kind: ServiceAccount
name: dynk8s-provisioner
namespace: dynk8s
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: dynk8s-provisioner
namespace: kube-public
labels:
app.kubernetes.io/name: dynk8s-provisioner
app.kubernetes.io/instance: dynk8s-provisioner
app.kubernetes.io/part-of: dynk8s-provisioner
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: dynk8s-provisioner
subjects:
- kind: ServiceAccount
name: dynk8s-provisioner
namespace: dynk8s
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: dynk8s-provisioner
labels:
app.kubernetes.io/name: dynk8s-provisioner
app.kubernetes.io/instance: dynk8s-provisioner
app.kubernetes.io/part-of: dynk8s-provisioner
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: dynk8s-provisioner
subjects:
- kind: ServiceAccount
name: dynk8s-provisioner
namespace: dynk8s
---
apiVersion: v1 apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
metadata: metadata:
@@ -92,3 +268,54 @@ spec:
ports: ports:
- port: 8000 - port: 8000
name: http name: http
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: dynk8s-provisioner
namespace: dynk8s
labels:
app.kubernetes.io/name: dynk8s-provisioner
app.kubernetes.io/instance: dynk8s-provisioner
app.kubernetes.io/component: http-api
app.kubernetes.io/part-of: dynk8s-provisioner
spec:
ingressClassName: nginx
tls:
- hosts:
- dynk8s-provisioner.pyrocufflink.net
rules:
- host: dynk8s-provisioner.pyrocufflink.net
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: dynk8s-provisioner
port:
name: http
---
apiVersion: v1
kind: Secret
metadata:
name: wireguard-config-0
namespace: dynk8s
labels:
app.kubernetes.io/part-of: dynk8s-provisioner
dynk8s.du5t1n.me/ec2-instance-id: ''
type: dynk8s.du5t1n.me/wireguard-config
stringData:
wireguard-config: |+
[Interface]
Address = 172.30.0.178/28
DNS = 172.30.0.1
PrivateKey = gGieVWS8SUQxC7L0NKmHlpvBTANNNaucsm9K1ioHPXU=
[Peer]
PublicKey = 85BW2bagvhOZnvFD6gmjnT+uUj5NaF4z+YFBV/br9BA=
PresharedKey = bZgUN82zDW7Q+558omOyRrZ0rw3bUohmIjEaxgtZCv8=
Endpoint = vpn.pyrocufflink.net:19998
AllowedIPs = 172.30.0.0/26, 172.30.0.160/28, 172.31.1.0/24

26
dynk8s-provisioner/ingress.yaml
View File

@@ -1,26 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: dynk8s-provisioner
namespace: dynk8s
labels:
app.kubernetes.io/name: dynk8s-provisioner
app.kubernetes.io/instance: dynk8s-provisioner
app.kubernetes.io/component: http-api
app.kubernetes.io/part-of: dynk8s-provisioner
spec:
ingressClassName: nginx
tls:
- hosts:
- dynk8s-provisioner.pyrocufflink.net
rules:
- host: dynk8s-provisioner.pyrocufflink.net
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: dynk8s-provisioner
port:
name: http

14
dynk8s-provisioner/kustomization.yaml
View File

@@ -1,14 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
labels:
- pairs:
app.kubernetes.io/instance: dynk8s-provisioner
app.kubernetes.io/part-of: dynk8s-provisioner
resources:
- namespace.yaml
- rbac.yaml
- dynk8s-provisioner.yaml
- ingress.yaml
- secrets.yaml

7
dynk8s-provisioner/namespace.yaml
View File

@@ -1,7 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: dynk8s
labels:
kubernetes.io/metadata.name: dynk8s
app.kubernetes.io/instance: dynk8s-provisioner

164
dynk8s-provisioner/rbac.yaml
View File

@@ -1,164 +0,0 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: dynk8s-provisioner
namespace: dynk8s
labels:
app.kubernetes.io/name: dynk8s-provisioner
app.kubernetes.io/instance: dynk8s-provisioner
app.kubernetes.io/component: http-api
app.kubernetes.io/part-of: dynk8s-provisioner
automountServiceAccountToken: true
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: dynk8s-provisioner
namespace: dynk8s
labels:
app.kubernetes.io/name: dynk8s-provisioner
app.kubernetes.io/instance: dynk8s-provisioner
app.kubernetes.io/component: http-api
app.kubernetes.io/part-of: dynk8s-provisioner
rules:
- apiGroups:
- ''
resources:
- secrets
verbs:
- '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: dynk8s-provisioner
namespace: kube-system
labels:
app.kubernetes.io/name: dynk8s-provisioner
app.kubernetes.io/instance: dynk8s-provisioner
app.kubernetes.io/component: http-api
app.kubernetes.io/part-of: dynk8s-provisioner
rules:
- apiGroups:
- ''
resources:
- secrets
verbs:
- '*'
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
name: dynk8s-provisioner
namespace: kube-public
labels:
app.kubernetes.io/name: dynk8s-provisioner
app.kubernetes.io/instance: dynk8s-provisioner
app.kubernetes.io/component: http-api
app.kubernetes.io/part-of: dynk8s-provisioner
rules:
- apiGroups:
- ''
resources:
- configmaps
resourceNames:
- cluster-info
verbs:
- get
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: dynk8s-provisioner
labels:
app.kubernetes.io/name: dynk8s-provisioner
app.kubernetes.io/instance: dynk8s-provisioner
app.kubernetes.io/component: http-api
app.kubernetes.io/part-of: dynk8s-provisioner
rules:
- apiGroups:
- ''
resources:
- nodes
verbs:
- list
- get
- delete
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: dynk8s-provisioner
namespace: dynk8s
labels:
app.kubernetes.io/name: dynk8s-provisioner
app.kubernetes.io/instance: dynk8s-provisioner
app.kubernetes.io/part-of: dynk8s-provisioner
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: dynk8s-provisioner
subjects:
- kind: ServiceAccount
name: dynk8s-provisioner
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: dynk8s-provisioner
namespace: kube-system
labels:
app.kubernetes.io/name: dynk8s-provisioner
app.kubernetes.io/instance: dynk8s-provisioner
app.kubernetes.io/part-of: dynk8s-provisioner
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: dynk8s-provisioner
subjects:
- kind: ServiceAccount
name: dynk8s-provisioner
namespace: dynk8s
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: dynk8s-provisioner
namespace: kube-public
labels:
app.kubernetes.io/name: dynk8s-provisioner
app.kubernetes.io/instance: dynk8s-provisioner
app.kubernetes.io/part-of: dynk8s-provisioner
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: dynk8s-provisioner
subjects:
- kind: ServiceAccount
name: dynk8s-provisioner
namespace: dynk8s
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: dynk8s-provisioner
labels:
app.kubernetes.io/name: dynk8s-provisioner
app.kubernetes.io/instance: dynk8s-provisioner
app.kubernetes.io/part-of: dynk8s-provisioner
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: dynk8s-provisioner
subjects:
- kind: ServiceAccount
name: dynk8s-provisioner
namespace: dynk8s

16
dynk8s-provisioner/secrets.yaml
View File

@@ -1,16 +0,0 @@
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: wireguard-config-0
namespace: dynk8s
spec:
encryptedData:
wireguard-config: AgCRjcXhRNtDg/LSmDKFxbSunGGNBu6GrHGYIPG+DMXCbAIiRnnjxpeu/7Vh0WrYcHCHoLdm0NAr7M9G7S8aS8XUDZ7ANphGk56t8Mrrv9ZzOwHyCnxm3QM6q7RNus2+PgKJ/zNe8j5M1u4v3wGk1XzXPtYQ4dRp6op5X+ILGUu16Y2/hcfHEtW9IupqCKgteo1GAyHY4I86ldsTSIvEtcriVhXrEIYYRwYzEpR06y15dbz4qC86nTDp0RuhO+eU4hEzu/c80IJIjTz5CbDundSYRLqafZgs+LwL2fo5wnVyDy1KfP5X2o2mbZFz/5fhwj3M27/g+4KLh08NY5DJTMN1CFrHYGcWUbpIqWYCEJd8c40jRzzDVhcHA3WJjOd0KZv0oRfwmjbBlf0mMxDcJhG/h8tngQBs6aNEpq69RbABbL0bBkIQBokmib4bSfppHTBYNhzbdLwDQJD072qqNGKbDufHkcK4bBwuvmeE00EKxqFoqz++6EQMRkuNN7UtpFDKyDxElOMlo09KKGMUqz/JkFPb4YRJhF31+CskWmU1AVFge7Z5sVe5lMiDpoH62Zg5sxRSaHbdYvsS1vxsTfdG3rmhOAMxxYc+Kvt3u3eNkzEV3lUosorspZhBnEzyHHcap1QUd19vVarjv77g9Br7PATOl3SmuK58JqW2dyOiMQvjLNUAZ27q3uEZGAzRZ8yg5RoejFpueFJjSjTnV1UFdH/OseHXgvFd60syg/mviIA9IGzaxCjoZfxL1GlfjGDYsetnnIDCcQR8K915Qh0PfMdwHKsPBmmDGAxP7k/DHEM3tYC66SQAD4mpMH4Ri8jDD3ijpq8ud93CZX5S32rU0yrXIWCM4ByXks32HACCEOIdfHuGuys6FRQTCPFJuYlpwsVTSJKLjy59rTz5B6nLKxtaOuRULh8MrDR7KlhMiE7gl5waiIlYaiecVn/sNfu4q9UfgwGUntKIovmrwcBPjMRmLgs3IQH4p02G4OemPaByXkPD1JROk2epNkLMwH+IsUxAveGy/hCmrLa9fRaJWSlfuAQtqOihf34YBudsfqwr0UGLI8VsVe+p+tF+AYftUGDf1trJTI8TJUB/91CwrC6c61EFbQCJc90w+lL+oJueDZdGXzoYvkCsDpfFMA==
template:
metadata:
name: wireguard-config-0
namespace: dynk8s
labels:
app.kubernetes.io/part-of: dynk8s-provisioner
dynk8s.du5t1n.me/ec2-instance-id: ''
type: dynk8s.du5t1n.me/wireguard-config

11
dynk8s-provisioner/wireguard-config.new
View File

@@ -1,11 +0,0 @@
# vim: set ft=dosini :
[Interface]
Address = 172.30.0.194/29
DNS = 172.30.0.1
PrivateKey = WJb4G0EL5xc0VMHZeiqJE3G0OlFhe1Q5CEJkMg8hTkE=
[Peer]
PublicKey = 85BW2bagvhOZnvFD6gmjnT+uUj5NaF4z+YFBV/br9BA=
PresharedKey = gVRSPVLZMx1maIfecFIcAeesrireopaKqs0jDj9muS0=
Endpoint = vpn.pyrocufflink.net:19998
AllowedIPs = 172.30.0.0/26, 172.30.0.160/28, 172.31.1.0/24

9
dch-webhooks/certificate.yaml → etcd/certificate.yaml
View File

@@ -1,14 +1,15 @@
apiVersion: cert-manager.io/v1 apiVersion: cert-manager.io/v1
kind: Certificate kind: Certificate
metadata: metadata:
name: rabbitmq name: etcd
spec: spec:
secretName: rabbitmq-cert secretName: etcd-cert
commonName: dch-webhooks dnsNames:
- etcd.pyrocufflink.blue
issuerRef: issuerRef:
group: cert-manager.io group: cert-manager.io
kind: ClusterIssuer kind: ClusterIssuer
name: rabbitmq-ca name: dch-ca
privateKey: privateKey:
algorithm: ECDSA algorithm: ECDSA
rotationPolicy: Always rotationPolicy: Always

116
etcd/etcd.yaml Normal file
View File

@@ -0,0 +1,116 @@
apiVersion: v1
kind: Service
metadata:
name: etcd
labels: &labels
app.kubernetes.io/name: etcd
app.kubernetes.io/component: etcd
spec:
type: NodePort
selector: *labels
ports:
- name: etcd
port: 2379
nodePort: 32379
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: etcd
labels: &labels
app.kubernetes.io/name: etcd
app.kubernetes.io/component: etcd
spec:
replicas: 3
serviceName: etcd
podManagementPolicy: Parallel
selector:
matchLabels: *labels
template:
metadata:
labels: *labels
spec:
enableServiceLinks: false
containers:
- name: etcd
image: gcr.io/etcd-development/etcd:v3.5.15
command:
- etcd
args:
- --name=$(HOSTNAME)
- --listen-client-urls=https://0.0.0.0:2379
- --advertise-client-urls=https://0.0.0.0:32379
- --listen-peer-urls=https://0.0.0.0:2380
- --initial-advertise-peer-urls=https://$(POD_IP):2380
- --initial-cluster=etcd-0=https://etcd-0.etcd:2380,etcd-1=https://etcd-1.etcd:2380,etcd-2=https://etcd-2.etcd:2380
- --initial-cluster-state=new
- --peer-auto-tls
- --client-cert-auth
- --cert-file=/run/secrets/etcd/certificate/tls.crt
- --key-file=/run/secrets/etcd/certificate/tls.key
- --trusted-ca-file=/run/dch-ca/dch-root-ca.crt
env:
- name: HOSTNAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_IP
valueFrom:
fieldRef:
fieldPath: status.podIP
ports:
- name: etcd-client
containerPort: 2379
- name: etcd-peer
containerPort: 2380
readinessProbe: &probe
tcpSocket:
port: 2379
periodSeconds: 60
timeoutSeconds: 5
failureThreshold: 3
successThreshold: 1
startupProbe:
<<: *probe
periodSeconds: 1
timeoutSeconds: 1
failureThreshold: 30
securityContext:
readOnlyRootFilesystem: true
volumeMounts:
- mountPath: /run/dch-ca
name: dch-ca
readOnly: true
- mountPath: /run/secrets/etcd/certificate
name: cert
readOnly: true
- mountPath: /var/lib/etcd
name: data
subPath: data
securityContext:
fsGroup: 2379
fsGroupChangePolicy: OnRootMismatch
runAsGroup: 2379
runAsNonRoot: true
runAsUser: 2379
volumes:
- name: cert
secret:
secretName: etcd-cert
defaultMode: 0440
- name: dch-ca
configMap:
name: dch-root-ca
volumeClaimTemplates:
- apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: data
labels: *labels
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 4G

15
etcd/kustomization.yaml Normal file
View File

@@ -0,0 +1,15 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
labels:
- pairs:
app.kubernetes.io/instance: etcd
app.kubernetes.io/part-of: etcd
namespace: etcd
resources:
- namespace.yaml
- certificate.yaml
- etcd.yaml
- ../dch-root-ca

7
etcd/namespace.yaml Normal file
View File

@@ -0,0 +1,7 @@
apiVersion: v1
kind: Namespace
metadata:
name: etcd
labels:
app.kubernetes.io/name: etcd
app.kubernetes.io/component: etcd

2
firefly-iii/firefly-iii-importer.env
View File

@@ -1,6 +1,6 @@
TZ=America/Chicago TZ=America/Chicago
TRUSTED_PROXIES=10.149.0.0/16 TRUSTED_PROXIES=172.30.0.160/28
VANITY_URL=https://firefly.pyrocufflink.blue VANITY_URL=https://firefly.pyrocufflink.blue
CAN_POST_FILES=true CAN_POST_FILES=true

2
firefly-iii/firefly-iii.env
View File

@@ -4,7 +4,7 @@ SITE_OWNER=dustin@hatch.name
TZ=America/Chicago TZ=America/Chicago
TRUSTED_PROXIES=10.149.0.0/16 TRUSTED_PROXIES=172.30.0.160/28
DB_CONNECTION=pgsql DB_CONNECTION=pgsql
DB_HOST=postgresql.pyrocufflink.blue DB_HOST=postgresql.pyrocufflink.blue

5
firefly-iii/kustomization.yaml
View File

@@ -15,7 +15,7 @@ resources:
- ingress.yaml - ingress.yaml
- importer.yaml - importer.yaml
- importer-ingress.yaml - importer-ingress.yaml
- ../dch-root-ca - ../dch-root-ca
configMapGenerator: configMapGenerator:
- name: firefly-iii - name: firefly-iii
@@ -53,6 +53,3 @@ patches:
secret: secret:
secretName: postgres-client-cert secretName: postgres-client-cert
defaultMode: 0640 defaultMode: 0640
images:
- name: docker.io/fireflyiii/core
newTag: version-6.2.19

5
fleetlock/kustomization.yaml
View File

@@ -19,8 +19,3 @@ patches:
name: fleetlock name: fleetlock
spec: spec:
clusterIP: 10.96.1.15 clusterIP: 10.96.1.15
images:
- name: quay.io/poseidon/fleetlock
newName: git.pyrocufflink.net/containerimages/fleetlock
newTag: vadimberezniker-wait_evictions

14
grafana/datasources/victoria-logs.yml
View File

@@ -1,14 +0,0 @@
apiVersion: 1
datasources:
- name: Victoria Logs
type: victoriametrics-logs-datasource
access: proxy
url: https://logs.pyrocufflink.blue
jsonData:
tlsAuth: true
tlsAuthWithCACert: true
secureJsonData:
tlsCACert: $__file{/run/dch-ca/dch-root-ca.crt}
tlsClientCert: $__file{/run/secrets/du5t1n.me/loki/tls.crt}
tlsClientKey: $__file{/run/secrets/du5t1n.me/loki/tls.key}

36
grafana/grafana.ini
View File

@@ -594,6 +594,42 @@ global_api_key = -1
# global limit on number of logged in users. # global limit on number of logged in users.
global_session = -1 global_session = -1
#################################### Alerting ############################
[alerting]
# Disable alerting engine & UI features
enabled = true
# Makes it possible to turn off alert rule execution but alerting UI is visible
execute_alerts = true
# Default setting for new alert rules. Defaults to categorize error and timeouts as alerting. (alerting, keep_state)
error_or_timeout = alerting
# Default setting for how Grafana handles nodata or null values in alerting. (alerting, no_data, keep_state, ok)
nodata_or_nullvalues = no_data
# Alert notifications can include images, but rendering many images at the same time can overload the server
# This limit will protect the server from render overloading and make sure notifications are sent out quickly
concurrent_render_limit = 5
# Default setting for alert calculation timeout. Default value is 30
evaluation_timeout_seconds = 30
# Default setting for alert notification timeout. Default value is 30
notification_timeout_seconds = 30
# Default setting for max attempts to sending alert notifications. Default value is 3
max_attempts = 3
# Makes it possible to enforce a minimal interval between evaluations, to reduce load on the backend
min_interval_seconds = 1
# Configures for how long alert annotations are stored. Default is 0, which keeps them forever.
# This setting should be expressed as an duration. Ex 6h (hours), 10d (days), 2w (weeks), 1M (month).
max_annotation_age =
# Configures max number of alert annotations that Grafana stores. Default value is 0, which keeps all alert annotations.
max_annotations_to_keep =
#################################### Annotations ######################### #################################### Annotations #########################
[annotations.dashboard] [annotations.dashboard]

5
grafana/grafana.yaml
View File

@@ -76,8 +76,6 @@ spec:
- mountPath: /etc/grafana/provisioning/datasources - mountPath: /etc/grafana/provisioning/datasources
name: datasources name: datasources
readOnly: true readOnly: true
- mountPath: /tmp
name: tmp
- mountPath: /run/secrets/grafana - mountPath: /run/secrets/grafana
name: secrets name: secrets
readOnly: true readOnly: true
@@ -98,9 +96,6 @@ spec:
- name: grafana - name: grafana
persistentVolumeClaim: persistentVolumeClaim:
claimName: grafana claimName: grafana
- name: tmp
emptyDir:
medium: Memory
- name: secrets - name: secrets
secret: secret:
secretName: grafana secretName: grafana

5
grafana/kustomization.yaml
View File

@@ -28,7 +28,6 @@ configMapGenerator:
- name: datasources - name: datasources
files: files:
- datasources/loki.yml - datasources/loki.yml
- datasources/victoria-logs.yml
patches: patches:
- patch: |- - patch: |-
@@ -55,7 +54,3 @@ patches:
- name: loki-client-cert - name: loki-client-cert
secret: secret:
secretName: loki-client-cert secretName: loki-client-cert
images:
- name: docker.io/grafana/grafana
newTag: 11.5.5

1
home-assistant/.gitignore vendored
View File

@@ -1,2 +1 @@
mosquitto.passwd mosquitto.passwd
secrets.yaml.in

62
home-assistant/configuration.yaml
View File

@@ -12,6 +12,7 @@ input_number:
input_select: input_select:
input_text: input_text:
logbook: logbook:
map:
media_source: media_source:
mobile_app: mobile_app:
person: person:
@@ -28,7 +29,7 @@ zone:
http: http:
trusted_proxies: trusted_proxies:
- 10.149.0.0/16 - 172.30.0.160/28
use_x_forwarded_for: true use_x_forwarded_for: true
recorder: recorder:
@@ -38,18 +39,6 @@ recorder:
commit_interval: 0 commit_interval: 0
homeassistant: homeassistant:
auth_providers:
- type: trusted_networks
trusted_networks:
- 172.31.1.81/32
- 172.31.1.115/32
trusted_users:
172.31.1.81:
- 03a8b3528f1145ab908e20ed5687d893
172.31.1.115:
- 03a8b3528f1145ab908e20ed5687d893
- type: homeassistant
allow_bypass_login: true
whitelist_external_dirs: whitelist_external_dirs:
- /config - /config
- /tmp - /tmp
@@ -87,7 +76,25 @@ light:
- light.light_6 - light.light_6
- light.light_7 - light.light_7
matrix:
homeserver: https://hatch.chat
username: '@homeassistant:hatch.chat'
password: !secret matrix_password
rooms:
- '!DdgnpVhlRqeTeNqSEM:hatch.chat'
- '!oyDXJxjUeJkEFshmAn:hatch.chat'
commands:
- word: snapshot
name: snapshot
- word: bunnies
name: bunnies
- expression: 'lights (?P<scene>.*)'
name: lights
notify: notify:
- platform: matrix
name: matrix
default_room: '!DdgnpVhlRqeTeNqSEM:hatch.chat'
- platform: group - platform: group
name: mobile_apps_group name: mobile_apps_group
services: services:
@@ -114,8 +121,37 @@ sensor:
max_age: max_age:
hours: 24 hours: 24
- platform: seventeentrack
username: gyrfalcon@ebonfire.com
password: !secret seventeentrack_password
template: template:
- sensor: - sensor:
- name: 'Thermostat Temperature'
device_class: temperature
unit_of_measurement: °C
state: >-
{% if is_state('sensor.season', 'winter') %}
{{ states('sensor.living_room_temperature') }}
{% else %}
{{ states('sensor.bedroom_temperature') }}
{% endif %}
- name: "Tonight's Forecast"
device_class: temperature
unit_of_measurement: °C
state: >-
{{ state_attr('weather.kojc_daynight', 'forecast')
| rejectattr('is_daytime')
| map(attribute='temperature')
| first }}
- name: Cost per Mow
device_class: monetary
unit_of_measurement: USD
state: >-
{{ 3072.21 / states('counter.mow_count')|int }}
- name: Apc1500 Load - name: Apc1500 Load
device_class: power device_class: power
unit_of_measurement: W unit_of_measurement: W

6
home-assistant/home-assistant.yaml
View File

@@ -74,11 +74,15 @@ spec:
failureThreshold: 300 failureThreshold: 300
periodSeconds: 3 periodSeconds: 3
initialDelaySeconds: 3 initialDelaySeconds: 3
securityContext:
runAsUser: 300
runAsGroup: 300
volumeMounts: volumeMounts:
- name: home-assistant-data - name: home-assistant-data
mountPath: /config mountPath: /config
subPath: data subPath: data
hostUsers: false securityContext:
fsGroup: 300
volumes: volumes:
- name: home-assistant-data - name: home-assistant-data
persistentVolumeClaim: persistentVolumeClaim:

56
home-assistant/kustomization.yaml
View File

@@ -18,9 +18,8 @@ resources:
- zwavejs2mqtt.yaml - zwavejs2mqtt.yaml
- piper.yaml - piper.yaml
- whisper.yaml - whisper.yaml
- mqtt2vl.yaml
- ingress.yaml - ingress.yaml
- ../dch-root-ca - ../dch-root-ca
configMapGenerator: configMapGenerator:
- name: home-assistant - name: home-assistant
@@ -29,10 +28,7 @@ configMapGenerator:
- event-snapshot.sh - event-snapshot.sh
- groups.yaml - groups.yaml
- restart-diddy-mopidy.sh - restart-diddy-mopidy.sh
- restart-kitchen-mqttmarionette.sh
- shell-command.yaml - shell-command.yaml
- shutdown-kiosk.sh
- ssh_known_hosts
- rest-command.yaml - rest-command.yaml
options: options:
disableNameSuffixHash: true disableNameSuffixHash: true
@@ -45,14 +41,6 @@ configMapGenerator:
files: files:
- mosquitto.conf - mosquitto.conf
- name: mqtt2vl
files:
- mqtt2vl.toml
- name: zigbee2mqtt
envs:
- zigbee2mqtt.env
patches: patches:
- patch: |- - patch: |-
apiVersion: apps/v1 apiVersion: apps/v1
@@ -121,45 +109,3 @@ patches:
- name: dch-root-ca - name: dch-root-ca
configMap: configMap:
name: dch-root-ca name: dch-root-ca
- patch: |-
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: mqtt2vl
spec:
template:
spec:
containers:
- name: mqtt2vl
env:
- name: SSL_CERT_FILE
value: /run/dch-ca/dch-root-ca.crt
volumeMounts:
- mountPath: /run/dch-ca/
name: dch-root-ca
readOnly: true
- mountPath: /run/secrets/du51tn.xyz/mqtt2vl
name: secrets
readOnly: true
volumes:
- name: dch-root-ca
configMap:
name: dch-root-ca
- name: secrets
secret:
secretName: mqtt2vl
defaultMode: 0640
images:
- name: ghcr.io/home-assistant/home-assistant
newTag: 2025.7.1
- name: docker.io/rhasspy/wyoming-whisper
newTag: 2.5.0
- name: docker.io/rhasspy/wyoming-piper
newTag: 1.6.2
- name: docker.io/koenkk/zigbee2mqtt
newTag: 2.5.1
- name: docker.io/zwavejs/zwave-js-ui
newTag: 10.7.0
- name: docker.io/library/eclipse-mosquitto
newTag: 2.0.21

5
home-assistant/mosquitto.yaml
View File

@@ -26,12 +26,11 @@ spec:
ports: ports:
- port: 8883 - port: 8883
name: mqtt name: mqtt
nodePort: 30783
selector: selector:
app.kubernetes.io/component: mosquitto app.kubernetes.io/component: mosquitto
app.kubernetes.io/name: mosquitto app.kubernetes.io/name: mosquitto
type: ClusterIP type: NodePort
externalIPs:
- 172.30.0.148
--- ---
apiVersion: apps/v1 apiVersion: apps/v1

11
home-assistant/mqtt2vl.toml
View File

@@ -1,11 +0,0 @@
[mqtt]
url = "mqtts://mqtt.pyrocufflink.blue"
username = "mqtt2vl"
password_file = "/run/secrets/du51tn.xyz/mqtt2vl/mqtt.password"
topics = [
"poolsensor/debug",
"garden1/debug",
]
[http]
url = "https://logs.pyrocufflink.blue/insert/jsonline?_stream_fields=topic"

43
home-assistant/mqtt2vl.yaml
View File

@@ -1,43 +0,0 @@
apiVersion: apps/v1
kind: StatefulSet
metadata:
labels:
app.kubernetes.io/component: mqtt2vl
app.kubernetes.io/name: mqtt2vl
app.kubernetes.io/part-of: home-assistant
name: mqtt2vl
spec:
selector:
matchLabels:
app.kubernetes.io/component: mqtt2vl
app.kubernetes.io/name: mqtt2vl
template:
metadata:
labels:
app.kubernetes.io/component: mqtt2vl
app.kubernetes.io/name: mqtt2vl
app.kubernetes.io/part-of: home-assistant
spec:
containers:
- name: mqtt2vl
image: git.pyrocufflink.net/containerimages/mqtt2vl
imagePullPolicy: Always
args:
- /etc/mqtt2vl/mqtt2vl.toml
env:
- name: RUST_LOG
value: info,mqtt2vl=debug
securityContext:
readOnlyRootFilesystem: true
volumeMounts:
- mountPath: /etc/mqtt2vl
name: config
readOnly: true
securityContext:
runAsUser: 29734
runAsGroup: 29734
fsGroup: 29734
volumes:
- name: config
configMap:
name: mqtt2vl

1
home-assistant/restart-kitchen-mqttmarionette.sh
View File

@@ -1 +0,0 @@
ssh -i /run/secrets/home-assistant/sshkey.pem -oUserKnownHostsFile=/run/config/ssh_known_hosts -oBatchMode=yes kitchen@kitchen.pyrocufflink.red restart-mqttmarionette

26
home-assistant/secrets.yaml
View File

@@ -7,7 +7,7 @@ metadata:
namespace: home-assistant namespace: home-assistant
spec: spec:
encryptedData: encryptedData:
passwd: AgBbjHLTpEZlxT1KH90K9LtkyqrhmpUSC/komksX+lZZYxqa9qqTFE5DFSqqPf/M2cxEmZSrQfn5lkKUHZRaCT8tHmCULRvxFNPnmucLxyilQcbF6serER78kr85KdZI30LSY9WxIyJcElIL2BUdsKEZwhwdjTn3FDHUxhysMuIZBEXnigwZ16LzpC4bqWEZrohgU043gPffFL51kT4l0c6atEgAoqlhjeHmOix8a6jUwxO6fJvDfyxGskY2lVAmmlbuFKBkJnYp1NF10nhimwDl6R0yy7du8Vlg50lqE5MvIiIGuG0d+Ly5ePT5qRy+Si9JiFHrtIG7LKXuAB/dztxayRnzEw4wiXfCDA2UGoL/EdbxorcIcol9HfjHwpWtvLBUES3UIMv86GGE9L4R83rQf7geLWpYRD7O7mZ8E3N+59xO8WOlMo9wjnymYOkkUmSSxdR1Zj08W2gvjXf1pWW4dEn7nNVLG56+/8nChgAY7d3EOKC0cQflrc3TpU6Fh2DDEA+uBASgvJi8ZxDb2hTPbXEBxsMrtSU+s0NqiTm425HeqINpElOBhdP1KgXbhFVUG+ET5mzcwnY4HicakiFq882kBI5rB9+SgTSS5GxQyzFDjLH2HPURF2JEpugWgJa/YcHrX1pa8ksbymJOz63Zi2197V/k25eiJI9imOOMAvIm7xYhOuPeV9Gy7yEU7Pyli82M2Q+MDLCk3PbQirJOA1Ja/B/vBXCNdByoW1RUo5K+6Pd6qxlMvHvlBiHhH2XKYZec14bJNkynwv1Su07AJgaoznMglJm+kEvFyIOPnJQ1yIkdgT5uO/9VC6JNhgHtqd0EVoADZZl8tdgU3wGZpK9xNkRyn7Edxcpq5cl+JmTLUcbLtMfFSlS9fOycJaivyKsScRTHl9mC+kzSGEMZYKVlZN/ualVoQ+jOYuFOdth/Uq5ZpDXPeSdThE90fSj5Gg8BiRW4BL7E8/A1LBeiZQITRajhsIwyjmum7EVXQEQ+xKPlV8etI0XixuUZrXEc8V7wyFtX43D64VQOVlDegx3WbdLGc1Qh24rej1NnK+v8d9XBlgsSSmuwp5udMTQ7kXNyWdgkb7qVk1mmXTD0SHagNzsWSHCOlfvY8XFeVkLe1XlxES7wR/Q7bKeSAtOA8i41/u9q7b2099g4J/skIDa/QYQEotFsCyqSLxxtJ/gng8cX3yesZmite2M//v2nnhsGd+qTHLyEmL+2aE0xDDJzommQhDPKg6u2ML6OkmBNYK7WrdSZ1dQJz+ForM9pOPkf4TX3ZT9SU8caxMhuQ8AfG4tQt5hgdM/F9+iu2d5tz0+MP+n5oFiFDQ8uDm1N6vEhPNxqeH2kCyZMdD8wLYt2rNKs6TcKkOMUZcehBZdefSHBoWpl3NciIek/lyZ0tV4AM1uMO/jUViS+xVDIDSpyQvy3ru3UJV/poiNbzO2eAH2RmA5+WlJsKc2ihP5ZQ/BAYw+N7/pM97Qqes9J0yf+7Rny6EBnB5vlIBrbz6B6A3246pbGg7AXCTd0V9QEFgk+PrvLyEzYmJL75JV3UvU1qEVIg68a2sXYHRTSCoKYoy70pqIgP5MxM8THTyiDg1bRsItI/CxTZsHRbJ6w2kCCV/f8oORIjF/eufh1iuKnPVc9HqEnymtocnuRIZUrk3f0LtRLktR45++pKgjZkmcrj3yeQknmof/4s3zf5m53CXCOgX6OBtI+RxMZe6f+uA1gBXYK+RfFBYOgFXWxFwEzLrpSVj4IeBw79aenZUX8Wh4HEjsmX/XHFJeZbzV9fOheapXwLk/76pwYt7pHyMRTXtHT0pL+NTd+NndVZtlZDMD/IqWNuRw1v+CetmPWxIQUDnTw5iBiWr92AhvT20YuVsigszEDYsp/pSO3kshfrLoWMFIqS1in39dwh1jYgqJnNMljX5nfkc9R/fOU8y85bxFUWi7iCa3a/IN+4tl7F5J1IHkAIEOjNu5hWbGLFvHS0AK347a9A9lqVF0ZC7BGTJTJe+umEM1tOol7C9F5BRV1SDlAp+x9eGHegzGkU99nZl5AVxgtdmhFooC1AlAVcyawKKpUhEWxnVfPFq5WWvPj9ePCaMAK7iaLyEsU3Sm7tc1QEI2wyP57UiW7tBPwi/ILwnrpCMKSoqg2m2ZOwTw69pLsos2IS61sUw64GX2dQ1VojPcohhuNHuxLKwXGbROw3Bk7E1+4ItYarxWhxjeAGNhwKn1h95WV78sVsG8qdQbd9SZOCHy8WXU0JYKe0oAxrRMozsJePJ07xxClIKx8EBiEioHQRBUExQpgqR2I8FPpCvklEPK5kdca/c8UwfZ5uwRU passwd: AgB2pNlStPqi5gg6OMCcEg9RIyZms+w/MP20viWdi18vlvLHUXGvNASY2YJJ7r9S+OwI+cd9x+v4Bd3uVWwaivoPOUn+fFlKuY9rljal2+WMc99NFbZNXzZ798FMtd+z1jsRG/be0P+1TnpZXp/yxZIfGw+SHuiPtn713X+T9aqgY5HHMckwgvMweQuPLggDxcu/mwlHA4mZLh0up3PekvIRhsvZT0QaFOgBqtSEb0gJauiZj+QAcKHeQR9SeRNr8OI9O/n+coOgoXFxKVJZN5ftja5bmMXhA4zo6i624BMtYQLPBiCkaHt/Xg9/m38JDuyWaMWRv4QyPPkEp1RvxheMIQMW8CwDfaH9rtjnRy9Apbt0CsRFSabFcVPxIEBqwp6twWm8GbCcosLvIPpjYBZzW1R/2VdvMF0D57+UvzX9/yMNiA+d1sl6v7ffsrqirWUPDeCLOYP6EA5k3OhUzJBeZAG5SC+8v0IfW9Q32yClwYyeyVKn4osaHlPbgH61jocKhfQq0a7JINauhjW3fHYB9GM9WitxSMLNEEhVOpRsVCb+vMGMEtPsZiLzjEe8FXsi09kgREQ//lGEFWD8mLXZvusTsqFlxFF1YWMpC2tqMOxC4Gui9U7bQo1qklejFf0xkFnlgJz2mTK8V4mk1ZCXMmtk44MNojnj4sweFLaSECxi7ISy8t4zCwbIJiIbumMvYkMleBMhV1Bd1LggYFYQ3qWzl6dhShPRgnGIJkf96yK/2rq7XW3NstIaN7LnjSNzlY89EQ2ctUHrRjFE3N4Y42Y/8Hpd003IzX8SrnbitMBphxTzzHxbTGs9yGlGQUtvttzenQblUgylystYELR/647nDGnLM/D1Xfpo2BvckyN0s1tNOzMgqOPAYbrh4K/nIfzEK0z2NX8j5crlhen+DVARK6AmTaprZWMksN20b5Ict/FiZddA3fBYB8Nj55S5Mal4yQxIbVITPhBBPB+58Qw+VeaMb7Jaqbt2KNHJDvgLgSVYnXVqlyCgl9ONv6iiR9sAqAvY6wZ5Rm6xeIJGExfshoRRZlyFCPZneNMm/kTTeINMNL5/kUXMCpCmsaD0iV9VTG7kg0QbFa2zXGsPtRwFffv09E2gtDTtYd1X7ChG5Sv9ek/owBUIpNWsHjw3Cxb8IegBBIQAxR4T6f2UP1trja+zS1ARdKfer8HTgxKLsk/baMFckdyqa45TUqz+DSgnG3lIeOq3HcLqJ6OWC9GHs661/3SGxRJL0QVY9iwQjZqg9bYG6ULvdCbKe85HMyuz/8yPh+Qrhth8EsW5fydIcwO9OHLKsCYWD0Nv3cUDGQmT2FLFph6xbC6XGLi0ZvqU3zyqRLbmbaRglU+jjBh6kXSvUjWqYFwS7QuyLdGtFnX0qB5rQOLjAGlDfaTHUooUcRYKw9pNuHqaoTLC+dqwXiGvnxEbwGvWC/Y1f0y4qCM5mMdfd1V8vjJ7GZs2+3+8B3x7Rbwh3dn66nkknoPLFSkx6XCmNV2dm4beU111IahBO0I2YUKCTyczVPusz0AMQbvPJoPXFLn4IRTKTN1vWNigMFP9hZk+DI2yeX0RWq8Rb9rBF949PY/v2VoCe7LW02zzkjd7OT/Ws3p5PQNGtOcutsMJcq78RhET311s7cw+Wv5ivd1DGIHzR3mqqeUvS2LgS4dnYyqIaWvqXkV1Hh8cv96T/bDadFc6hIesrX5/wALzehNlJDeeKlxk/iYemypZ/ACpFr3385LQ6SGEsO0XKnb1hAxV09H086EPCsTniEaitlmZdl0CWqTq21eMERCvOzfGlR0WTc4NuFJU00n9Pr3z7UvRDiHzqO4fcH7BCeokvNek554bepU1iE1sKyZ/QoXSPjQ+W+K1YwyVcPaAoSF5NhyDteKTltD31qejNWWFvBqgiwKJWVP3dy+lHkHKyKdjy9y9sbbcs4ljVqPXllsju7RnEF02VbNRKE2li6drjNsJ/9+/QIo3vE2fnObOQ9441ftwA0IEFLM2/um8itM0pZGZCh6zHAYRychgx3RF1cJXF+DOnnSDmef3A84FNyqi5AVbwLRXQ7nF+U9CGGTYelcZ6qoAMj5hdn0t00UWEuTa9r6G2B7R4lUNEQQRnhR+iFHZW7Xg7zKfI/k6x4zqR9H9Gjwqf0vkwc7Zu5oG2vvjK2L+2zo=
template: template:
metadata: metadata:
creationTimestamp: null creationTimestamp: null
@@ -32,27 +32,3 @@ spec:
metadata: metadata:
name: home-assistant name: home-assistant
namespace: home-assistant namespace: home-assistant
---
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: mqtt2vl
namespace: home-assistant
labels:
app.kubernetes.io/name: mqtt2vl
app.kubernetes.io/component: mqtt2vl
app.kubernetes.io/part-of: home-assistant
spec:
encryptedData:
mqtt.password: AgBOYdOxapXUPTAtiKaHDIrY1yo9IFBP2CtcuLy66jl7kBvhlervt2Xru+AWoapTVcZ3Jj4VgfKwiEJVw+g9Zn6xyklNobCkmT4XREnjSxtVDSDRRVDF/uIOqEWLldKRwXPldjDw5OYzTB8/P1e/ndiDV5InmbIcsvGRsSd+GG9CVy/toK2iQMQfiN+pAGv4DdqI0g7uwaLWxVWdnx3k0i64cdW3ZxmxS1E/686DJu311aKGpXJkTUOyIpPCdWs02lJdt/zMdfHCf+6nZKs/In5KK4+/uEGxP1crtGlrhGI+za/bBfKQcsIr8JU26ARfbWP2W//p+8h4zen4uel+NCRvRrYsJW4AsZGOzX8Ti++x8SQIcaSDTcuk4/Y93XWO8+6zuETc4sJ85jkyEXQPKYUrQQeRcWEdi3RqNlKY2YvzC8GWWmTJ3k2KU9yoqiYrWoqucixKzJg/wPTluKyD053d/j8dbLziJ4KDahPa50gSP1D9v6jQc8wrj8oQCWuNi6O5TssCAhaHe13xXH5XscoGDiezp5+M2rfWOR0xBHx4LRLldI75Qyb12yvbZ1+p+DYD+JnQyc/Yoq7emfzJOPItGY3f+bXFe8PWO0etKY0BLpoI5PlLk0hIqKZOu5VcAwZVU9vbr4cyKoLEsGPxLf8l/VAmULp8Wm4a2Wbm02qcOXJPP3ZAF6nJJSHS+iz/i13nRG7ZyXL4OA77THuLElKGehQ0456S8g5+s7Y6h5hspg==
template:
metadata:
creationTimestamp: null
name: mqtt2vl
namespace: home-assistant
labels:
app.kubernetes.io/name: mqtt2vl
app.kubernetes.io/component: mqtt2vl
app.kubernetes.io/part-of: home-assistant

6
home-assistant/shell-command.yaml
View File

@@ -3,9 +3,3 @@ event_snapshot: >-
restart_diddy_mopidy: >- restart_diddy_mopidy: >-
sh /run/config/restart-diddy-mopidy.sh sh /run/config/restart-diddy-mopidy.sh
restart_kitchen_mqttmarionette: >-
sh /run/config/restart-kitchen-mqttmarionette.sh
shutdown_kiosk: >-
sh /run/config/shutdown-kiosk.sh

4
home-assistant/shutdown-kiosk.sh
View File

@@ -1,4 +0,0 @@
#!/bin/sh
set -e
ssh -i /run/secrets/home-assistant/sshkey.pem -oUserKnownHostsFile=/run/config/ssh_known_hosts -oBatchMode=yes kiosk@deskpanel.pyrocufflink.red doas systemctl poweroff

3
home-assistant/ssh_known_hosts
View File

@@ -1,3 +0,0 @@
diddy.pyrocufflink.red ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAILx6gRqlVnvdqTIJTH16NBLJ4ORfTsBaUIEpt5ZMkkNW
kitchen.pyrocufflink.red ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBLzMLOlFXPiovBwYLmXCVV8Md/xR36zwPj6egT9V3O7
deskpanel.pyrocufflink.red ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIEcvO0jsZ8U2mw/HHs0BHbbEI48W0fxti8f5DuNyFS2L

8
home-assistant/whisper.yaml
View File

@@ -42,9 +42,6 @@ spec:
args: args:
- --model=base - --model=base
- --language=en - --language=en
env:
- name: HF_HOME
value: /data/hf.cache
ports: ports:
- containerPort: 10300 - containerPort: 10300
name: wyoming name: wyoming
@@ -65,17 +62,12 @@ spec:
runAsUser: 300 runAsUser: 300
runAsGroup: 300 runAsGroup: 300
volumeMounts: volumeMounts:
- mountPath: /tmp
name: tmp
subPath: tmp
- name: whisper-data - name: whisper-data
mountPath: /data mountPath: /data
subPath: data subPath: data
securityContext: securityContext:
fsGroup: 300 fsGroup: 300
volumes: volumes:
- name: tmp
emptyDir: {}
- name: whisper-data - name: whisper-data
ephemeral: ephemeral:
volumeClaimTemplate: volumeClaimTemplate:

1
home-assistant/zigbee2mqtt.env
View File

@@ -1 +0,0 @@
ZIGBEE2MQTT_CONFIG_MQTT_SERVER=mqtts://mqtt.pyrocufflink.blue:8883

6
home-assistant/zigbee2mqtt.yaml
View File

@@ -61,10 +61,6 @@ spec:
containers: containers:
- name: zigbee2mqtt - name: zigbee2mqtt
image: docker.io/koenkk/zigbee2mqtt:1.33.1 image: docker.io/koenkk/zigbee2mqtt:1.33.1
envFrom:
- configMapRef:
name: zigbee2mqtt
optional: true
ports: ports:
- containerPort: 8080 - containerPort: 8080
name: http name: http
@@ -93,8 +89,6 @@ spec:
name: zigbee-device name: zigbee-device
securityContext: securityContext:
fsGroup: 302 fsGroup: 302
supplementalGroups:
- 18
volumes: volumes:
- name: zigbee2mqtt-data - name: zigbee2mqtt-data
persistentVolumeClaim: persistentVolumeClaim:

650
ingress/ingress-nginx.yaml Normal file
View File

@@ -0,0 +1,650 @@
apiVersion: v1
kind: Namespace
metadata:
labels:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
name: ingress-nginx
---
apiVersion: v1
automountServiceAccountToken: true
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.0
name: ingress-nginx
namespace: ingress-nginx
---
apiVersion: v1
kind: ServiceAccount
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.0
name: ingress-nginx-admission
namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.0
name: ingress-nginx
namespace: ingress-nginx
rules:
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- apiGroups:
- ""
resources:
- configmaps
- pods
- secrets
- endpoints
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- networking.k8s.io
resources:
- ingressclasses
verbs:
- get
- list
- watch
- apiGroups:
- ""
resourceNames:
- ingress-controller-leader
resources:
- configmaps
verbs:
- get
- update
- apiGroups:
- ""
resources:
- configmaps
verbs:
- create
- apiGroups:
- coordination.k8s.io
resourceNames:
- ingress-controller-leader
resources:
- leases
verbs:
- get
- update
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.0
name: ingress-nginx-admission
namespace: ingress-nginx
rules:
- apiGroups:
- ""
resources:
- secrets
verbs:
- get
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.0
name: ingress-nginx
rules:
- apiGroups:
- ""
resources:
- configmaps
- endpoints
- nodes
- pods
- secrets
- namespaces
verbs:
- list
- watch
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- nodes
verbs:
- get
- apiGroups:
- ""
resources:
- services
verbs:
- get
- list
- watch
- apiGroups:
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- events
verbs:
- create
- patch
- apiGroups:
- networking.k8s.io
resources:
- ingresses/status
verbs:
- update
- apiGroups:
- networking.k8s.io
resources:
- ingressclasses
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.0
name: ingress-nginx-admission
rules:
- apiGroups:
- admissionregistration.k8s.io
resources:
- validatingwebhookconfigurations
verbs:
- get
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.0
name: ingress-nginx
namespace: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: ingress-nginx
subjects:
- kind: ServiceAccount
name: ingress-nginx
namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.0
name: ingress-nginx-admission
namespace: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: ingress-nginx-admission
subjects:
- kind: ServiceAccount
name: ingress-nginx-admission
namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.0
name: ingress-nginx
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: ingress-nginx
subjects:
- kind: ServiceAccount
name: ingress-nginx
namespace: ingress-nginx
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.0
name: ingress-nginx-admission
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: ingress-nginx-admission
subjects:
- kind: ServiceAccount
name: ingress-nginx-admission
namespace: ingress-nginx
---
apiVersion: v1
data:
allow-snippet-annotations: "true"
kind: ConfigMap
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.0
name: ingress-nginx-controller
namespace: ingress-nginx
# We will be using `hostNetwork: true` for nginx ingress controller
# pods, so no Service object is required. All nodes run a copy of the
# ingress controller (it is configured as a DaemonSet); traffic from
# outside the cluster is sent to an arbitrary node and routed from
# there to the appropriate Service.
# ---
# apiVersion: v1
# kind: Service
# metadata:
# labels:
# app.kubernetes.io/component: controller
# app.kubernetes.io/instance: ingress-nginx
# app.kubernetes.io/name: ingress-nginx
# app.kubernetes.io/part-of: ingress-nginx
# app.kubernetes.io/version: 1.3.0
# name: ingress-nginx-controller
# namespace: ingress-nginx
# spec:
# ports:
# - appProtocol: http
# name: http
# port: 80
# protocol: TCP
# targetPort: http
# - appProtocol: https
# name: https
# port: 443
# protocol: TCP
# targetPort: https
# selector:
# app.kubernetes.io/component: controller
# app.kubernetes.io/instance: ingress-nginx
# app.kubernetes.io/name: ingress-nginx
# type: NodePort
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.0
name: ingress-nginx-controller-admission
namespace: ingress-nginx
spec:
ports:
- appProtocol: https
name: https-webhook
port: 443
targetPort: webhook
selector:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
type: ClusterIP
---
apiVersion: apps/v1
kind: DaemonSet
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.0
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
minReadySeconds: 0
revisionHistoryLimit: 10
selector:
matchLabels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
template:
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
spec:
# nginx ingress controller listens on the "real" IP address of
# the node.
hostNetwork: true
containers:
- args:
- /nginx-ingress-controller
- --election-id=ingress-controller-leader
- --controller-class=k8s.io/ingress-nginx
- --ingress-class=nginx
- --configmap=$(POD_NAMESPACE)/ingress-nginx-controller
- --validating-webhook=:8443
- --validating-webhook-certificate=/usr/local/certificates/cert
- --validating-webhook-key=/usr/local/certificates/key
# Publish the node's IP address as the ingress External IP
- --report-node-internal-ip-address
- --default-ssl-certificate=default/pyrocufflink-cert
- --tcp-services-configmap=ingress-nginx/tcp-services
env:
- name: POD_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: LD_PRELOAD
value: /usr/local/lib/libmimalloc.so
image: registry.k8s.io/ingress-nginx/controller:v1.3.0@sha256:d1707ca76d3b044ab8a28277a2466a02100ee9f58a86af1535a3edf9323ea1b5
imagePullPolicy: IfNotPresent
lifecycle:
preStop:
exec:
command:
- /wait-shutdown
livenessProbe:
failureThreshold: 5
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
name: controller
ports:
- containerPort: 80
name: http
protocol: TCP
- containerPort: 443
name: https
protocol: TCP
- containerPort: 8443
name: webhook
protocol: TCP
readinessProbe:
failureThreshold: 3
httpGet:
path: /healthz
port: 10254
scheme: HTTP
initialDelaySeconds: 10
periodSeconds: 10
successThreshold: 1
timeoutSeconds: 1
resources:
requests:
cpu: 100m
memory: 90Mi
securityContext:
allowPrivilegeEscalation: true
capabilities:
add:
- NET_BIND_SERVICE
drop:
- ALL
runAsUser: 101
volumeMounts:
- mountPath: /usr/local/certificates/
name: webhook-cert
readOnly: true
dnsPolicy: ClusterFirstWithHostNet
nodeSelector:
kubernetes.io/os: linux
kubernetes.io/role: ingress
serviceAccountName: ingress-nginx
terminationGracePeriodSeconds: 300
volumes:
- name: webhook-cert
secret:
secretName: ingress-nginx-admission
---
apiVersion: batch/v1
kind: Job
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.0
name: ingress-nginx-admission-create
namespace: ingress-nginx
spec:
template:
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.0
name: ingress-nginx-admission-create
spec:
containers:
- args:
- create
- --host=ingress-nginx-controller-admission,ingress-nginx-controller-admission.$(POD_NAMESPACE).svc
- --namespace=$(POD_NAMESPACE)
- --secret-name=ingress-nginx-admission
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
imagePullPolicy: IfNotPresent
name: create
securityContext:
allowPrivilegeEscalation: false
nodeSelector:
kubernetes.io/os: linux
restartPolicy: OnFailure
securityContext:
fsGroup: 2000
runAsNonRoot: true
runAsUser: 2000
serviceAccountName: ingress-nginx-admission
---
apiVersion: batch/v1
kind: Job
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.0
name: ingress-nginx-admission-patch
namespace: ingress-nginx
spec:
template:
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.0
name: ingress-nginx-admission-patch
spec:
containers:
- args:
- patch
- --webhook-name=ingress-nginx-admission
- --namespace=$(POD_NAMESPACE)
- --patch-mutating=false
- --secret-name=ingress-nginx-admission
- --patch-failure-policy=Fail
env:
- name: POD_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
image: registry.k8s.io/ingress-nginx/kube-webhook-certgen:v1.1.1@sha256:64d8c73dca984af206adf9d6d7e46aa550362b1d7a01f3a0a91b20cc67868660
imagePullPolicy: IfNotPresent
name: patch
securityContext:
allowPrivilegeEscalation: false
nodeSelector:
kubernetes.io/os: linux
restartPolicy: OnFailure
securityContext:
fsGroup: 2000
runAsNonRoot: true
runAsUser: 2000
serviceAccountName: ingress-nginx-admission
---
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
labels:
app.kubernetes.io/component: controller
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.0
name: nginx
spec:
controller: k8s.io/ingress-nginx
---
apiVersion: admissionregistration.k8s.io/v1
kind: ValidatingWebhookConfiguration
metadata:
labels:
app.kubernetes.io/component: admission-webhook
app.kubernetes.io/instance: ingress-nginx
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/part-of: ingress-nginx
app.kubernetes.io/version: 1.3.0
name: ingress-nginx-admission
webhooks:
- admissionReviewVersions:
- v1
clientConfig:
service:
name: ingress-nginx-controller-admission
namespace: ingress-nginx
path: /networking/v1/ingresses
failurePolicy: Fail
matchPolicy: Equivalent
name: validate.nginx.ingress.kubernetes.io
rules:
- apiGroups:
- networking.k8s.io
apiVersions:
- v1
operations:
- CREATE
- UPDATE
resources:
- ingresses
sideEffects: None

38
ingress/kustomization.yaml
View File

@@ -4,39 +4,5 @@ kind: Kustomization
namespace: ingress-nginx namespace: ingress-nginx
resources: resources:
- https://raw.githubusercontent.com/kubernetes/ingress-nginx/controller-v1.3.0/deploy/static/provider/cloud/deploy.yaml - ingress-nginx.yaml
- tcp-services.yaml
replicas:
- name: ingress-nginx-controller
count: 2
patches:
- patch: |-
apiVersion: v1
kind: Service
metadata:
name: ingress-nginx-controller
namespace: ingress-nginx
spec:
externalIPs:
- 172.30.0.147
externalTrafficPolicy: Local
- patch: |-
- op: add
path: /spec/template/spec/containers/0/args/-
value: >-
--default-ssl-certificate=default/pyrocufflink-cert
target:
group: apps
kind: Deployment
name: ingress-nginx-controller
version: v1
- patch: |-
apiVersion: networking.k8s.io/v1
kind: IngressClass
metadata:
name: nginx
annotations:
ingressclass.kubernetes.io/is-default-class: "true"

7
ingress/tcp-services.yaml Normal file
View File

@@ -0,0 +1,7 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: tcp-services
data:
'8883': home-assistant/mosquitto:8883
'5671': rabbitmq/rabbitmq:5671

18
invoice-ninja/ingress.yaml
View File

@@ -5,11 +5,9 @@ metadata:
labels: labels:
app.kubernetes.io/name: invoice-ninja app.kubernetes.io/name: invoice-ninja
app.kubernetes.io/component: invoice-ninja app.kubernetes.io/component: invoice-ninja
annotations:
nginx.ingress.kubernetes.io/proxy-body-size: 40m
spec: spec:
rules: rules:
- host: invoiceninja.pyrocufflink.net - host: invoiceninja.pyrocufflink.blue
http: http:
paths: paths:
- path: / - path: /
@@ -46,17 +44,3 @@ spec:
name: invoice-ninja name: invoice-ninja
port: port:
name: http name: http
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: invoice-ninja-redirect
labels:
app.kubernetes.io/name: invoice-ninja-redirect
app.kubernetes.io/component: invoice-ninja
annotations:
nginx.ingress.kubernetes.io/permanent-redirect: https://invoiceninja.pyrocufflink.net
spec:
rules:
- host: invoiceninja.pyrocufflink.blue

18
invoice-ninja/init.sh Normal file
View File

@@ -0,0 +1,18 @@
#!/bin/sh
set -e
cp -r /var/www/app/. /app
# The Invoice Ninja logo on PDF invoices is always loaded from upstream's
# server, despite the APP_URL setting.
sed -i \
-e 's@invoicing.co/images/new_logo.png@invoiceninja.pyrocufflink.blue/images/logo.png@' \
/app/app/Utils/HtmlEngine.php
chown -R invoiceninja:invoiceninja /app
if [ "$(stat -c %u /storage)" -ne "$(id -u invoiceninja)" ]; then
chown -R invoiceninja:invoiceninja /storage
chmod -R u=rwx,go= /storage
fi

6
invoice-ninja/invoice-ninja.env
View File

@@ -1,6 +1,6 @@
APP_LOGO=https://invoiceninja.pyrocufflink.net/images/logo.png APP_LOGO=https://invoiceninja.pyrocufflink.blue/images/logo.png
APP_URL=https://invoiceninja.pyrocufflink.net APP_URL=https://invoiceninja.pyrocufflink.blue
TRUSTED_PROXIES=10.149.0.0/16 TRUSTED_PROXIES=172.30.0.171,172.30.0.172,172.30.0.173
MAIL_MAILER=smtp MAIL_MAILER=smtp
MAIL_HOST=mail.pyrocufflink.blue MAIL_HOST=mail.pyrocufflink.blue

42
invoice-ninja/invoice-ninja.yaml
View File

@@ -54,11 +54,33 @@ spec:
app.kubernetes.io/component: invoice-ninja app.kubernetes.io/component: invoice-ninja
app.kubernetes.io/part-of: invoice-ninja app.kubernetes.io/part-of: invoice-ninja
spec: spec:
containers: initContainers:
- name: invoice-ninja - name: init
image: &image docker.io/invoiceninja/invoiceninja:5.8.16 image: &image docker.io/invoiceninja/invoiceninja:5.8.16
command: command:
- /start.sh - /init.sh
securityContext:
capabilities:
drop:
- ALL
add:
- CHOWN
readOnlyRootFilesystem: true
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
volumeMounts:
- mountPath: /app
name: app
- mountPath: /init.sh
name: init
subPath: init.sh
- mountPath: /storage
name: data
subPath: storage
containers:
- name: invoice-ninja
image: *image
env: &env env: &env
- name: DB_HOST - name: DB_HOST
value: invoice-ninja-db value: invoice-ninja-db
@@ -85,19 +107,17 @@ spec:
<<: *probe <<: *probe
periodSeconds: 1 periodSeconds: 1
failureThreshold: 60 failureThreshold: 60
securityContext:
readOnlyRootFilesystem: true
volumeMounts: &mounts volumeMounts: &mounts
- mountPath: /run/secrets/invoiceninja - mountPath: /run/secrets/invoiceninja
name: secrets name: secrets
readOnly: true readOnly: true
- mountPath: /start.sh
name: init
subPath: start.sh
- mountPath: /tmp - mountPath: /tmp
name: tmp name: tmp
subPath: tmp subPath: tmp
- mountPath: /var/www/app/public - mountPath: /var/www/app
name: data name: app
subPath: public
- mountPath: /var/www/app/public/storage - mountPath: /var/www/app/public/storage
name: data name: data
subPath: storage-public subPath: storage-public
@@ -136,7 +156,7 @@ spec:
- mountPath: /var/cache/nginx - mountPath: /var/cache/nginx
name: nginx-cache name: nginx-cache
- mountPath: /var/www/app/public - mountPath: /var/www/app/public
name: data name: app
subPath: public subPath: public
readOnly: true readOnly: true
- mountPath: /var/www/app/public/storage - mountPath: /var/www/app/public/storage
@@ -172,8 +192,6 @@ spec:
- invoice-ninja-db - invoice-ninja-db
securityContext: securityContext:
runAsNonRoot: True runAsNonRoot: True
fsGroup: 1500
fsGroupChangePolicy: OnRootMismatch
seccompProfile: seccompProfile:
type: RuntimeDefault type: RuntimeDefault
volumes: volumes:

2
invoice-ninja/kustomization.yaml
View File

@@ -19,7 +19,7 @@ resources:
configMapGenerator: configMapGenerator:
- name: invoice-ninja-init - name: invoice-ninja-init
files: files:
- start.sh - init.sh
- name: invoice-ninja - name: invoice-ninja
envs: envs:

5
invoice-ninja/network-policy.yaml
View File

@@ -29,9 +29,8 @@ spec:
ports: ports:
- port: 25 - port: 25
- to: - to:
- namespaceSelector: - ipBlock:
matchLabels: cidr: 172.30.0.160/28
kubernetes.io/metadata.name: ingress-nginx
ports: ports:
- port: 80 - port: 80
- port: 443 - port: 443

2
invoice-ninja/nginx.conf
View File

@@ -37,8 +37,6 @@ http {
charset utf-8; charset utf-8;
client_max_body_size 0;
location / { location / {
try_files $uri $uri/ /index.php?$query_string; try_files $uri $uri/ /index.php?$query_string;
} }

11
invoice-ninja/start.sh
View File

@@ -1,11 +0,0 @@
#!/bin/sh
set -e
# The Invoice Ninja logo on PDF invoices is always loaded from upstream's
# server, despite the APP_URL setting.
sed -i \
-e 's@invoicing.co/images/new_logo.png@invoiceninja.pyrocufflink.blue/images/logo.png@' \
/var/www/app/app/Utils/HtmlEngine.php
exec /usr/local/bin/docker-entrypoint supervisord

170
jenkins/gentoo-storage.yaml
View File

@@ -1,170 +0,0 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: portage
namespace: jenkins-jobs
labels:
app.kubernetes.io/name: portage
app.kubernetes.io/component: gentoo
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 4Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: binpkgs
namespace: jenkins-jobs
labels:
app.kubernetes.io/name: binpkgs
app.kubernetes.io/component: gentoo
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 10Gi
---
apiVersion: v1
kind: ConfigMap
metadata:
name: gentoo-dist
namespace: jenkins-jobs
labels:
app.kubernetes.io/name: gentoo-dist
app.kubernetes.io/component: gentoo
data:
rsyncd.conf: |+
[gentoo-portage]
path = /var/db/repos/gentoo
[binpkgs]
path = /var/cache/binpkgs
---
apiVersion: v1
kind: Service
metadata:
name: gentoo-dist
namespace: jenkins-jobs
spec:
selector:
app.kubernetes.io/name: gentoo-dist
app.kubernetes.io/component: gentoo
ports:
- name: rsync
port: 873
targetPort: rsync
type: NodePort
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: gentoo-dist
namespace: jenkins-jobs
labels: &labels
app.kubernetes.io/name: gentoo-dist
app.kubernetes.io/component: gentoo
spec:
selector:
matchLabels: *labels
template:
metadata:
labels: *labels
spec:
containers:
- name: rsync
image: docker.io/gentoo/stage3
command:
- /usr/bin/rsync
- --daemon
- --no-detach
- --port=8873
- --log-file=/dev/stderr
ports:
- name: rsync
containerPort: 8873
securityContext:
readOnlyRootFilesystem: true
runAsUser: 250
runAsGroup: 250
volumeMounts:
- mountPath: /etc/rsyncd.conf
name: config
subPath: rsyncd.conf
- mountPath: /var/db/repos/gentoo
name: portage
- mountPath: /var/cache/binpkgs
name: binpkgs
volumes:
- name: binpkgs
persistentVolumeClaim:
claimName: binpkgs
- name: config
configMap:
name: gentoo-dist
- name: portage
persistentVolumeClaim:
claimName: portage
---
apiVersion: batch/v1
kind: Job
metadata:
name: emerge-webrsync
namespace: jenkins-jobs
labels:
app.kubernetes.io/name: emerge-webrsync
app.kubernetes.io/component: gentoo
spec:
template:
spec:
containers:
- name: sync
image: docker.io/gentoo/stage3
command:
- emerge-webrsync
volumeMounts:
- mountPath: /var/db/repos/gentoo
name: portage
restartPolicy: OnFailure
volumes:
- name: portage
persistentVolumeClaim:
claimName: portage
---
apiVersion: batch/v1
kind: CronJob
metadata:
name: sync-portage
namespace: jenkins-jobs
labels:
app.kubernetes.io/name: sync-portage
app.kubernetes.io/component: gentoo
spec:
schedule: 4 19 * * *
jobTemplate:
spec:
template:
spec:
containers:
- name: sync
image: docker.io/gentoo/stage3
command:
- emaint
- sync
volumeMounts:
- mountPath: /var/db/repos/gentoo
name: portage
restartPolicy: OnFailure
volumes:
- name: portage
persistentVolumeClaim:
claimName: portage

10
jenkins/kustomization.yaml
View File

@@ -9,8 +9,14 @@ resources:
- jenkins.yaml - jenkins.yaml
- secrets.yaml - secrets.yaml
- iscsi.yaml - iscsi.yaml
- gentoo-storage.yaml
- ../ssh-host-keys configMapGenerator:
- name: ssh-known-hosts
namespace: jenkins-jobs
files:
- ssh_known_hosts
options:
disableNameSuffixHash: true
patches: patches:
- patch: | - patch: |

4
ssh-host-keys/ssh_known_hosts → jenkins/ssh_known_hosts
View File

@@ -1,5 +1,4 @@
@cert-authority *.pyrocufflink.blue ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII24CZGosLMTny0a2eDB6KOG47FhlwVkTEFQNAYzKV0t @cert-authority *.pyrocufflink.blue ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII24CZGosLMTny0a2eDB6KOG47FhlwVkTEFQNAYzKV0t
@cert-authority *.pyrocufflink.black ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAII24CZGosLMTny0a2eDB6KOG47FhlwVkTEFQNAYzKV0t
files.pyrocufflink.blue ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBH+S6aTqXJ15DV3NczbPXVQKXxbvMVtaHToShsrhxps1GGWcJU/pbZtpAQcN4OGth7DQ1Q/1RvrFS+Fd/5U4wv4= files.pyrocufflink.blue ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBH+S6aTqXJ15DV3NczbPXVQKXxbvMVtaHToShsrhxps1GGWcJU/pbZtpAQcN4OGth7DQ1Q/1RvrFS+Fd/5U4wv4=
files.pyrocufflink.blue ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFzOkLdjAJDPyja2o4+Km52VNM4t7jeYTyMVYl4gtudq files.pyrocufflink.blue ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFzOkLdjAJDPyja2o4+Km52VNM4t7jeYTyMVYl4gtudq
files.pyrocufflink.blue ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDbgN04bblL95EStM+wpGF1asvEOL6vmH/oNTIBRd0HbTz8jRa3CMOGWWG7/xGIRjrXglAGURGZ/EOqkyGIsciVtC53lwLuyZT18sqHrmp8S5uq/rNaY3rSVfc7kW/fXsNksjtwnQ/sNtawSZ6UFv+p/X47qOGv0XPAwAzoXDwDpQ27wOz1YnbBa+5itThLh6QvxgM1DKnb78uZ1TBpaCCdtL2iH1IVo3FLmah9bNWvUU1QECKyOUDw3IiwIS6owtHIrpdCiZTlPSJhBLPvv7P/L9V0bTfREP+MMDBT1hhj2NUgmDxC4sDd8k1Qy/qxeyU/FA+7dn7K8YVIEe9rNbs/ files.pyrocufflink.blue ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDbgN04bblL95EStM+wpGF1asvEOL6vmH/oNTIBRd0HbTz8jRa3CMOGWWG7/xGIRjrXglAGURGZ/EOqkyGIsciVtC53lwLuyZT18sqHrmp8S5uq/rNaY3rSVfc7kW/fXsNksjtwnQ/sNtawSZ6UFv+p/X47qOGv0XPAwAzoXDwDpQ27wOz1YnbBa+5itThLh6QvxgM1DKnb78uZ1TBpaCCdtL2iH1IVo3FLmah9bNWvUU1QECKyOUDw3IiwIS6owtHIrpdCiZTlPSJhBLPvv7P/L9V0bTfREP+MMDBT1hhj2NUgmDxC4sDd8k1Qy/qxeyU/FA+7dn7K8YVIEe9rNbs/
@@ -11,6 +10,3 @@ git.pyrocufflink.net ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIHEF/IXycjT/sSIpFLRDEVZ
git.pyrocufflink.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDF1tB0KeyMStHKbnuminTQ2xwjjxyES/DBSlZZH0c7F25Lu6TfvxEEs/7YUtZKAnwFGLfuqW5gaS3eWV1eA3w7WtEGYoBAD6VFZUjN0vfmhNYWC85DMcY+gqkOkBQy1/SvyYSPHrtkgTJRPMG/MdWGaYEN+w/znr1HETPnj4qm7bFC8yxXKU2PXzKlUeY+ynY3hhlzAVwG4Ay7hgH+nO071eoAQtYq9zBdYTifXxoTzatLgU8ib3EYuC3/LDNXkFhYhxDhfp9iwPCNZRi49AccMlL323/Vp8x/Jy/iY5A60Fk8cIYtneEihRkIpzpyTudEK0MXyJ+FJ0vmjiEX5ZY9 git.pyrocufflink.net ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQDF1tB0KeyMStHKbnuminTQ2xwjjxyES/DBSlZZH0c7F25Lu6TfvxEEs/7YUtZKAnwFGLfuqW5gaS3eWV1eA3w7WtEGYoBAD6VFZUjN0vfmhNYWC85DMcY+gqkOkBQy1/SvyYSPHrtkgTJRPMG/MdWGaYEN+w/znr1HETPnj4qm7bFC8yxXKU2PXzKlUeY+ynY3hhlzAVwG4Ay7hgH+nO071eoAQtYq9zBdYTifXxoTzatLgU8ib3EYuC3/LDNXkFhYhxDhfp9iwPCNZRi49AccMlL323/Vp8x/Jy/iY5A60Fk8cIYtneEihRkIpzpyTudEK0MXyJ+FJ0vmjiEX5ZY9
mtrcs0.pyrocufflink.blue ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFklfgYwVlea/FbFNguKEY2hMXw9iOneNveLVws8dd9 mtrcs0.pyrocufflink.blue ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIIFklfgYwVlea/FbFNguKEY2hMXw9iOneNveLVws8dd9
serial0.pyrocufflink.blue ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIABidV03uxUtikscJfA3qZ+mgXW9KP2QWJBLhlDOleHQ serial0.pyrocufflink.blue ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIABidV03uxUtikscJfA3qZ+mgXW9KP2QWJBLhlDOleHQ
vps-04485add.vps.ovh.us ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIPmQD73UDTO8Yv4sZgSKbwzMpHt3XayubSkWe2ACQrnS
vps-04485add.vps.ovh.us,15.204.240.219 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBIm1WdNspEcqQpQLTPB1ZD45bOA1zI/EFDkkdLjj9USK30TrcN0zN3oDN/+G7L+0det785q3jWS2bwQGmY3eXPI=
vps-04485add.vps.ovh.us,15.204.240.219 ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQChqxu5hTEMVNwJhNbcUEBJUCddCcVkB17leNx5AhqX9CCWBplRp2Eoy65NhV1nH+NITrK7jCDaKPIhKe9uVzGZbJKphD1DYXqJ3rvug4Db0RY8mU8wSXQoNaRTIy0W1My1sPzqgVVdYMPa+UyR+oqer+GAma1gi9yxgQsfGACRHhQpsN0N9jC1XtLAnMWGWJL+mHXgolFjhNJlqDVn+EkBCh7HiSydofaM9nUvCLVxYcVpao3twYwiRm2gX2xzQUdkYqqLKoKV2diaTSvt1C703Ui1vS+yXKo//WGCXHaJQ+uEHK7se6MUt3+3qLT64jHR0XTPcSMUtd2lecnZTSyxFPAIBBPP5AYqyJApyH9UBFf/uxdzLZc5B4WpVOFUcAcio1FqwVbMb8mb91oq3Z43OAOd7kMx+Et0vvxUon6anxAUy6+vtdFsY9VlsF0PvNptD/Y4EWkJIRr86WwO+kkdOCZKBn2izLbdrdmF/VkFwlB9VqJGUXvV6PVqN4n4/b8=

60
keepalived/keepalived.conf
View File

@@ -1,60 +0,0 @@
# vim: set sw=4 ts=4 sts=4 et:
includea /run/keepalived.interface
global_defs {
max_auto_priority 79
}
vrrp_track_process ingress-nginx {
process nginx-ingress-c
weight 90
}
vrrp_track_process mosquitto {
process mosquitto
weight 90
}
vrrp_track_process rabbitmq {
process rabbitmq-server
weight 90
}
vrrp_instance ingress-nginx {
state BACKUP
priority 100
interface ${INTERFACE}
virtual_router_id 51
virtual_ipaddress {
172.30.0.147/28
}
track_process {
ingress-nginx
}
}
vrrp_instance mosquitto {
state BACKUP
priority 100
interface ${INTERFACE}
virtual_router_id 52
virtual_ipaddress {
172.30.0.148/28
}
track_process {
mosquitto
}
}
vrrp_instance rabbitmq {
state BACKUP
priority 100
interface ${INTERFACE}
virtual_router_id 53
virtual_ipaddress {
172.30.0.149/28
}
track_process {
rabbitmq
}
}

54
keepalived/keepalived.yaml
View File

@@ -1,54 +0,0 @@
apiVersion: apps/v1
kind: DaemonSet
metadata:
name: keepalived
labels: &labels
app.kubernetes.io/name: keepalived
spec:
selector:
matchLabels: *labels
minReadySeconds: 10
template:
metadata:
labels: *labels
spec:
initContainers:
- name: init
image: docker.io/library/busybox
command:
- sh
- -c
- |
printf '$INTERFACE=%s\n' \
$(ip route | awk '/^default via/{print $5}') \
> /run/keepalived.interface
volumeMounts:
- mountPath: /run
name: tmp
subPath: run
containers:
- name: keepalived
image: git.pyrocufflink.net/containerimages/keepalived:dev
imagePullPolicy: Always
command:
- keepalived
- -nGlD
securityContext:
privileged: true
readOnlyRootFilesystem: true
volumeMounts:
- mountPath: /etc/keepalived
name: config
readOnly: true
- mountPath: /run
name: tmp
subPath: run
hostNetwork: true
hostPID: true
volumes:
- name: config
configMap:
name: keepalived
- name: tmp
emptyDir:
medium: Memory

24
keepalived/kustomization.yaml
View File

@@ -1,24 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
labels:
- pairs:
app.kubernetes.io/component: keepalived
app.kubernetes.io/instance: keepalived
includeSelectors: true
includeTemplates: true
- pairs:
app.kubernetes.io/part-of: keepalived
namespace: keepalived
resources:
- keepalived.yaml
configMapGenerator:
- name: keepalived
files:
- keepalived.conf
options:
labels:
app.kubernetes.io/name: keepalived

6
keepalived/namespace.yaml
View File

@@ -1,6 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: keepalived
labels:
app.kubernetes.io/name: keepalived

23
ntfy/kustomization.yaml
View File

@@ -1,23 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: ntfy
resources:
- ntfy.yaml
configMapGenerator:
- name: ntfy
namespace: ntfy
files:
- server.yml
options:
labels:
app.kubernetes.io/name: ntfy
app.kubernetes.io/component: ntfy
app.kubernetes.io/instance: ntfy
app.kubernetes.io/part-of: ntfy
images:
- name: docker.io/binwiederhier/ntfy
newTag: v2.12.0

24
ntfy/ntfy.yaml
View File

@@ -5,6 +5,25 @@ metadata:
labels: labels:
app.kubernetes.io/instance: ntfy app.kubernetes.io/instance: ntfy
---
apiVersion: v1
kind: ConfigMap
metadata:
name: ntfy
namespace: ntfy
labels:
app.kubernetes.io/name: ntfy
app.kubernetes.io/component: ntfy
app.kubernetes.io/instance: ntfy
app.kubernetes.io/part-of: ntfy
data:
server.yml: |+
base-url: https://ntfy.pyrocufflink.net
behind-proxy: true
listen-http: '[::]:2586'
attachment-cache-dir: /var/cache/ntfy/attachments
attachment-file-size-limit: 100M
--- ---
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
@@ -110,7 +129,7 @@ spec:
ingressClassName: nginx ingressClassName: nginx
rules: rules:
- host: ntfy.pyrocufflink.blue - host: ntfy.pyrocufflink.blue
http: &http http:
paths: paths:
- path: / - path: /
pathType: Prefix pathType: Prefix
@@ -119,9 +138,6 @@ spec:
name: ntfy name: ntfy
port: port:
name: http name: http
- host: ntfy.pyrocufflink.net
http: *http
tls: tls:
- hosts: - hosts:
- ntfy.pyrocufflink.blue - ntfy.pyrocufflink.blue
- ntfy.pyrocufflink.net

6
ntfy/server.yml
View File

@@ -1,6 +0,0 @@
base-url: https://ntfy.pyrocufflink.net
behind-proxy: true
listen-http: '[::]:2586'
attachment-cache-dir: /var/cache/ntfy/attachments
attachment-file-size-limit: 100M
enable-metrics: true

69
paperless-ngx/gotenberg.yaml
View File

@@ -1,69 +0,0 @@
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/name: gotenberg
app.kubernetes.io/component: gotenberg
app.kubernetes.io/instance: paperless-ngx
app.kubernetes.io/part-of: paperless-ngx
name: gotenberg
namespace: paperless-ngx
spec:
ports:
- name: gotenberg
port: 3000
selector:
app.kubernetes.io/name: gotenberg
app.kubernetes.io/component: gotenberg
app.kubernetes.io/instance: paperless-ngx
type: ClusterIP
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: gotenberg
namespace: paperless-ngx
labels:
app.kubernetes.io/name: gotenberg
app.kubernetes.io/component: gotenberg
app.kubernetes.io/instance: paperless-ngx
app.kubernetes.io/part-of: paperless-ngx
spec:
selector:
matchLabels:
app.kubernetes.io/name: gotenberg
app.kubernetes.io/component: gotenberg
app.kubernetes.io/instance: paperless-ngx
template:
metadata:
labels:
app.kubernetes.io/name: gotenberg
app.kubernetes.io/component: gotenberg
app.kubernetes.io/instance: paperless-ngx
spec:
containers:
- name: gotenberg
image: docker.io/gotenberg/gotenberg:7.5.4
imagePullPolicy: IfNotPresent
command:
- gotenberg
- --chromium-disable-javascript=true
- --chromium-allow-list=file:///tmp/.*
securityContext:
runAsNonRoot: true
readOnlyRootFilesystem: true
runAsUser: 1001
runAsGroup: 1001
volumeMounts:
- mountPath: /home/gotenberg
name: tmp
subPath: home
- mountPath: /tmp
name: tmp
subPath: tmp
securityContext:
fsGroup: 1001
volumes:
- name: tmp
emptyDir:

28
paperless-ngx/kustomization.yaml
View File

@@ -1,31 +1,10 @@
apiVersion: kustomize.config.k8s.io/v1beta1 apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
namespace: paperless-ngx
labels:
- pairs:
app.kubernetes.io/instance: paperless-ngx
resources: resources:
- namespace.yaml
- redis.yaml
- gotenberg.yaml
- tika.yaml
- paperless-ngx.yaml - paperless-ngx.yaml
- ingress.yaml - ingress.yaml
configMapGenerator:
- name: paperless-cmd
files:
- paperless_cmd.sh
options:
labels:
app.kubernetes.io/name: paperless_cmd.sh
app.kubernetes.io/component: paperless-ngx
app.kubernetes.io/part-of: paperless-ngx
disableNameSuffixHash: true
patches: patches:
- target: - target:
kind: StatefulSet kind: StatefulSet
@@ -43,10 +22,3 @@ patches:
- name: PAPERLESS_URL - name: PAPERLESS_URL
value: https://paperless.pyrocufflink.blue value: https://paperless.pyrocufflink.blue
images:
- name: ghcr.io/paperless-ngx/paperless-ngx
newTag: 2.17.1
- name: docker.io/gotenberg/gotenberg
newTag: 8.21.1
- name: docker.io/apache/tika
newTag: 3.2.0.0

4
paperless-ngx/namespace.yaml
View File

@@ -1,4 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
name: paperless-ngx

245
paperless-ngx/paperless-ngx.yaml
View File

@@ -1,4 +1,29 @@
apiVersion: v1 apiVersion: v1
kind: Namespace
metadata:
name: paperless-ngx
labels:
app.kubernetes.io/instance: paperless-ngx
---
apiVersion: v1
kind: ConfigMap
metadata:
name: paperless-cmd
namespace: paperless-ngx
labels:
app.kubernetes.io/name: paperless_cmd.sh
app.kubernetes.io/component: paperless-ngx
app.kubernetes.io/instance: paperless-ngx
app.kubernetes.io/part-of: paperless-ngx
data:
paperless_cmd.sh: |+
#!/bin/sh
exec /usr/local/bin/supervisord -c /etc/supervisord.conf --user paperless
---
apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
metadata: metadata:
name: paperless-ngx name: paperless-ngx
@@ -15,6 +40,27 @@ spec:
requests: requests:
storage: 20Gi storage: 20Gi
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/name: redis
app.kubernetes.io/component: redis
app.kubernetes.io/instance: paperless-ngx
app.kubernetes.io/part-of: paperless-ngx
name: redis
namespace: paperless-ngx
spec:
ports:
- name: redis
port: 6379
selector:
app.kubernetes.io/name: redis
app.kubernetes.io/component: redis
app.kubernetes.io/instance: paperless-ngx
type: ClusterIP
--- ---
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
@@ -36,6 +82,113 @@ spec:
app.kubernetes.io/instance: paperless-ngx app.kubernetes.io/instance: paperless-ngx
type: ClusterIP type: ClusterIP
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/name: gotenberg
app.kubernetes.io/component: gotenberg
app.kubernetes.io/instance: paperless-ngx
app.kubernetes.io/part-of: paperless-ngx
name: gotenberg
namespace: paperless-ngx
spec:
ports:
- name: gotenberg
port: 3000
selector:
app.kubernetes.io/name: gotenberg
app.kubernetes.io/component: gotenberg
app.kubernetes.io/instance: paperless-ngx
type: ClusterIP
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/name: tika
app.kubernetes.io/component: tika
app.kubernetes.io/instance: paperless-ngx
app.kubernetes.io/part-of: paperless-ngx
name: tika
namespace: paperless-ngx
spec:
ports:
- name: tika
port: 9998
selector:
app.kubernetes.io/name: tika
app.kubernetes.io/component: tika
app.kubernetes.io/instance: paperless-ngx
type: ClusterIP
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: redis
namespace: paperless-ngx
labels:
app.kubernetes.io/name: redis
app.kubernetes.io/component: redis
app.kubernetes.io/instance: paperless-ngx
app.kubernetes.io/part-of: paperless-ngx
spec:
serviceName: redis
selector:
matchLabels:
app.kubernetes.io/name: redis
app.kubernetes.io/component: redis
app.kubernetes.io/instance: paperless-ngx
template:
metadata:
labels:
app.kubernetes.io/name: redis
app.kubernetes.io/component: redis
app.kubernetes.io/instance: paperless-ngx
spec:
containers:
- name: redis
image: docker.io/library/redis:7
imagePullPolicy: IfNotPresent
ports:
- name: redis
containerPort: 6379
securityContext:
runAsNonRoot: true
readOnlyRootFilesystem: true
runAsUser: 1000
runAsGroup: 1000
volumeMounts:
- name: data
mountPath: /data
subPath: data
- name: tmp
mountPath: /tmp
securityContext:
fsGroup: 1000
volumes:
- name: tmp
emptyDir:
volumeClaimTemplates:
- apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: data
labels:
app.kubernetes.io/name: redis
app.kubernetes.io/component: redis
app.kubernetes.io/part-of: paperless-ngx
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 2Gi
--- ---
apiVersion: apps/v1 apiVersion: apps/v1
kind: StatefulSet kind: StatefulSet
@@ -80,8 +233,6 @@ spec:
value: '1' value: '1'
- name: PAPERLESS_ENABLE_FLOWER - name: PAPERLESS_ENABLE_FLOWER
value: 'true' value: 'true'
- name: PAPERLESS_OCR_USER_ARGS
value: '{"continue_on_soft_render_error": true}'
ports: ports:
- name: http - name: http
containerPort: 8000 containerPort: 8000
@@ -126,7 +277,7 @@ spec:
- name: tmp - name: tmp
mountPath: /tmp mountPath: /tmp
- name: run - name: run
mountPath: /run mountPath: /run/supervisord
- name: logs - name: logs
mountPath: /var/log/supervisord mountPath: /var/log/supervisord
subPath: supervisord subPath: supervisord
@@ -148,3 +299,91 @@ spec:
- name: run - name: run
emptyDir: emptyDir:
medium: Memory medium: Memory
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: gotenberg
namespace: paperless-ngx
labels:
app.kubernetes.io/name: gotenberg
app.kubernetes.io/component: gotenberg
app.kubernetes.io/instance: paperless-ngx
app.kubernetes.io/part-of: paperless-ngx
spec:
selector:
matchLabels:
app.kubernetes.io/name: gotenberg
app.kubernetes.io/component: gotenberg
app.kubernetes.io/instance: paperless-ngx
template:
metadata:
labels:
app.kubernetes.io/name: gotenberg
app.kubernetes.io/component: gotenberg
app.kubernetes.io/instance: paperless-ngx
spec:
containers:
- name: gotenberg
image: docker.io/gotenberg/gotenberg:7.5.4
imagePullPolicy: IfNotPresent
command:
- gotenberg
- --chromium-disable-javascript=true
- --chromium-allow-list=file:///tmp/.*
securityContext:
runAsNonRoot: true
readOnlyRootFilesystem: true
runAsUser: 1000
runAsGroup: 1000
volumeMounts:
- name: tmp
mountPath: /tmp
securityContext:
fsGroup: 1000
volumes:
- name: tmp
emptyDir:
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: tika
namespace: paperless-ngx
labels:
app.kubernetes.io/name: tika
app.kubernetes.io/component: tika
app.kubernetes.io/instance: paperless-ngx
app.kubernetes.io/part-of: paperless-ngx
spec:
selector:
matchLabels:
app.kubernetes.io/name: tika
app.kubernetes.io/component: tika
app.kubernetes.io/instance: paperless-ngx
template:
metadata:
labels:
app.kubernetes.io/name: tika
app.kubernetes.io/component: tika
app.kubernetes.io/instance: paperless-ngx
spec:
containers:
- name: tika
image: ghcr.io/paperless-ngx/tika:2.5.0-minimal
imagePullPolicy: IfNotPresent
securityContext:
runAsNonRoot: true
readOnlyRootFilesystem: true
runAsUser: 1000
runAsGroup: 1000
volumeMounts:
- name: tmp
mountPath: /tmp
securityContext:
fsGroup: 1000
volumes:
- name: tmp
emptyDir:

4
paperless-ngx/paperless_cmd.sh
View File

@@ -1,4 +0,0 @@
#!/bin/sh
exec /usr/local/bin/supervisord -c /etc/supervisord.conf --user paperless

Some files were not shown because too many files have changed in this diff Show More