diff --git a/common/environments.yaml b/common/environments.yaml
index 88f8586..e192519 100644
--- a/common/environments.yaml
+++ b/common/environments.yaml
@@ -8,6 +8,10 @@ environments:
 enabled: true
 - backups:
 enabled: false
+ - localpath:
+ enabled: false
+ - openebs:
+ enabled: true
 etersoft:
 kubeContext: etersoft
 values:
@@ -19,3 +23,5 @@ environments:
 enabled: true
 - openebs:
 enabled: false
+ - localpath:
+ enabled: true
diff --git a/installations/applications/helmfile.yaml b/installations/applications/helmfile-badhouseplants.yaml
similarity index 100%
rename from installations/applications/helmfile.yaml
rename to installations/applications/helmfile-badhouseplants.yaml
diff --git a/installations/applications/helmfile-etersoft.yaml b/installations/applications/helmfile-etersoft.yaml
new file mode 100644
index 0000000..bb956db
--- /dev/null
+++ b/installations/applications/helmfile-etersoft.yaml
@@ -0,0 +1,26 @@
+bases:
+ - ../../common/environments.yaml
+ - ../../common/templates.yaml
+repositories:
+ - name: allangers-charts
+ url: ghcr.io/allanger/allangers-charts
+ oci: true
+ - name: gabe565
+ url: ghcr.io/gabe565/charts
+ oci: true
+releases:
+ - name: openvpn
+ chart: allangers-charts/openvpn
+ version: 0.0.2
+ namespace: applications
+ inherit:
+ - template: default-env-values
+ - template: ext-tcp-routes
+ - name: qbittorrent
+ chart: gabe565/qbittorrent
+ version: 0.3.7
+ namespace: applications
+ inherit:
+ - template: default-env-values
+ - template: ext-secret
+ - template: ext-traefik-middleware
diff --git a/installations/platform/helmfile.yaml b/installations/platform/helmfile.yaml
index d05d5a5..c0f26e6 100644
--- a/installations/platform/helmfile.yaml
+++ b/installations/platform/helmfile.yaml
@@ -66,6 +66,7 @@ releases:
 version: 2024.8.3
 namespace: platform
 createNamespace: false
+ condition: workload.enabled
 needs:
 - platform/db-operator
 inherit:
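Review bot: Neither release in the new helmfile-etersoft.yaml carries a `condition:`, while the platform releases touched in this same commit all gain `condition: workload.enabled`; if the intent is to be able to switch workloads off per environment, `condition: workload.enabled` (or a dedicated key) belongs on `openvpn` and `qbittorrent` as well. Separately, because `installations/applications/helmfile.yaml` is renamed to `helmfile-badhouseplants.yaml`, helmfile's default file lookup no longer matches anything in that directory, so every invocation now needs an explicit `-f`; confirm any CI job or wrapper script that relied on the default name is updated.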
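Review bot: `condition: workload.enabled` is added to this release (and to kyverno, kyverno-policies and custom-kyverno-policies in the next two hunks of installations/platform/helmfile.yaml), but nothing in this commit defines a `workload` entry in `common/environments.yaml`, whose hunks only add the `localpath` and `openebs` toggles. As far as I recall helmfile reports a missing condition key as an error rather than evaluating it as false, so each environment needs a `- workload:` / `enabled: true` entry alongside the other toggles unless it already exists outside the diff; please confirm. The release entry this condition belongs to starts before the hunk, so its name is not visible here.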
@@ -82,12 +83,14 @@ releases:
 - name: kyverno
 chart: kyverno/kyverno
 namespace: kyverno
+ condition: workload.enabled
 labels:
 bootstrap: true
 version: 3.2.7
 - name: kyverno-policies
 chart: kyverno/kyverno-policies
 namespace: kyverno
+ condition: workload.enabled
 labels:
 bootstrap: true
 version: 3.2.6
@@ -96,6 +99,7 @@ releases:
 - name: custom-kyverno-policies
 chart: ../../kustomizations/kyverno/
 namespace: kyverno
+ condition: workload.enabled
 labels:
 bootstrap: true
 needs:
diff --git a/installations/system/helmfile.yaml b/installations/system/helmfile.yaml
index 7122111..ee435a1 100644
--- a/installations/system/helmfile.yaml
+++ b/installations/system/helmfile.yaml
@@ -24,6 +24,8 @@ repositories:
 url: https://vmware-tanzu.github.io/helm-charts/
 - name: openebs
 url: https://openebs.github.io/openebs
+ - name: local-path-provisioner
+ url: git+https://github.com/rancher/local-path-provisioner@deploy/chart?ref=master
 releases:
 - name: namespaces
 chart: '{{ requiredEnv "PWD" }}/charts/namespaces/chart'
@@ -131,3 +133,12 @@ releases:
 - kube-system/cilium
 inherit:
 - template: default-env-values
+ # -- Not versions since it's installed from git
+ - name: local-path-provisioner
+ chart: local-path-provisioner/local-path-provisioner
+ condition: localpath.enabled
+ namespace: kube-system
+ needs:
+ - kube-system/cilium
+ inherit:
+ - template: default-env-values
diff --git a/manifests/debug.yaml b/manifests/debug.yaml
index 5e3bba6..97bfb22 100644
--- a/manifests/debug.yaml
+++ b/manifests/debug.yaml
@@ -1,11 +1,7 @@
 apiVersion: v1
 kind: Pod
 metadata:
- labels:
- app.kubernetes.io/instance: server-xray-public
- app.kubernetes.io/name: server-xray
 name: debug
- namespace: public-xray
 spec:
 containers:
 - args:
diff --git a/values/badhouseplants/secrets.velero.yaml b/values/badhouseplants/secrets.velero.yaml
index 342b012..0c106f5 100644
--- a/values/badhouseplants/secrets.velero.yaml
+++ b/values/badhouseplants/secrets.velero.yaml
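Review bot: The new `local-path-provisioner` repository in installations/system/helmfile.yaml is pinned to a moving branch (`?ref=master`), so every sync can pull a different chart revision into kube-system with no change in this repo, and the release deliberately carries no `version:` that would catch it. Pin `ref=` to a release tag or commit SHA (`?ref=<tag-or-sha>`, placeholder) and bump it on purpose, as the other system releases are bumped. The comment above the release should then say why, e.g. `# -- Not versioned: installed from git, pinned via ref in the repository URL`, which also fixes "Not versions".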
@@ -1,8 +1,8 @@
 credentials:
- useSecret: ENC[AES256_GCM,data:jaRt6g==,iv:tFJ1xXlSvzdmGk32IxNoygKkOTYg1uhWiTQ+Fb4vxho=,tag:w7eY7ByCOnR2yx5hnoeL7Q==,type:bool]
- name: ENC[AES256_GCM,data:iXPmDVTNHwQKNpUbqjWI,iv:6ykrI3VcYPKInFAPsYl0TzynEdl/PQvCKQp0UCtytXM=,tag:LuTomLPweH/e5Ubr4O8LOw==,type:str]
+ useSecret: ENC[AES256_GCM,data:aeEoxA==,iv:OGb9hAy+LJuH2ZPVVAyEkLUXpiqsYat1vFvHfxnnz+k=,tag:DLkOF+a4QWcjiNnDmQsrNg==,type:bool]
+ name: ENC[AES256_GCM,data:f68NZYuDiN4uQUGA6JFl,iv:ugx3j6xxplh9nD/gWo56FfZ7UNB3m2Ta5vXpuvJTOhs=,tag:we/ZrIa6wYicsfhDL2seqQ==,type:str]
 secretContents:
- data: ENC[AES256_GCM,data:DC9XGNH0Q1PYEs2AesQWsYCIUS8iXWc7UsU+Y6e2Mt04vWFNpPMHxFUgMVHU4X7BChoyW/vXF3EPPORga99Xdf8q4+LprOZ4,iv:+poyt47TO3+lVzkK8L32OJreylYPJlZslBGpnNlO+aE=,tag:5qzH/6FHcIsMI7SKLadSgA==,type:str]
+ data: ENC[AES256_GCM,data:I+of51MXK+TXvGODqqk3xJ4yLFf516Acvr5HjfBJ1RNQKLP8kJ2w/6djOz6iF57WThl12Q3Nj68P8+uC6ZZ8uyS9P/AD5UVeDCeeTF0bSBdDoK0=,iv:+LdjdMyFB8xN61DxD5zEUGFbTJsGX5rRsqtZB+xwJno=,tag:ANV7UaZ839PIh+frj1UGkQ==,type:str]
 sops:
 kms: []
 gcp_kms: []
@@ -12,14 +12,14 @@ sops:
 - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
 enc: |
 -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnZG1RaForN3gwd081UzM5
- SkZCVVNjVjFMRzRLbmI0VGV3QlZUdk9pT3hJCklsL0dIcDg1d0xsL2tYTlZBNDVY
- Ykp6THppMERGNm5FTUg5NFgyMkRBN1EKLS0tIE1Uclk0bnZibko1aHI0WXlpSFFQ
- WjVKZ1RCQzJwM04rYmQ5Q0x5SHJrdjQK/Y3T0XyH6JKG8OXip25W4EJBQlF6obbe
- GPv/C5IfnquKv4rGwrLxZuIKYBHmHrwmu5fj/5ls9i+Mr4FbaJt9NA==
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhZVREdnRXcm1KSXFXR1Zx
+ VTlNMnFyTy8waDZuVTJ3ckphcFdxQ1pZNEFBCm1TcTlDTWhjMFdnZWN2RXNhN1RH
+ QmNJTWRneko4Ui9IMlExYVJMZlExZ1UKLS0tIDhLcytJY3NJR1g0MTQ3dlNtU2M3
+ dWFFUWt0UnAyTTBxNVVhNGxQY01XWnMKPSBtx7LUUX/hRkCvJHn2d42M8FaNtUPY
+ 0hUgS8ySUx7avpijvvBQYxLhGj9qzpMdfEX/4jQzM9Q5E9LviOA63w==
 -----END AGE ENCRYPTED FILE-----
- lastmodified: "2024-10-11T12:09:20Z"
- mac: ENC[AES256_GCM,data:o6jRT/fyR25ChKrfWnx5AapVpiPxJYLJy9NbOTv/CBv0iO9/CKTh0HpeHkvkechPuBlQexI06f1bjqXUkKNFefrh/EIS82it0WGHpUwL+UUsh+g0ZfvZ23NvhFvYCUzxG48E+VxXV2Pt3VsqwxczNb4LCCBf6Nv2ljE4T0eezlA=,iv:5Ed9ZjdotnlWLq6cos3zwmvxRdibYPmXifKwj4eiDY0=,tag:Ct9fbr9aLz3jXl16Sk9LaQ==,type:str]
+ lastmodified: "2024-10-11T12:28:10Z"
+ mac: ENC[AES256_GCM,data:f3KDO0lqWydj2RS36Ak3Ml6IixNUvSbwDboFGsg7GDju839xIAJFS1RzoW9As67MBL0YLSh9t9uI0566oPmRr0SEW1/sWQpp0BXA3EQB2jzejnnPRbZnWesFJZL5qNSOGIXmacWXMDzNNAD83mxUsRj2DxfIiKJuI4fKFgmCzCg=,iv:XlFo8+wJtjBaGcM7EW1I1lRTttcijq1u/gE2dX3x2iw=,tag:6kkMBGG8UQy4e7jMcBCBFQ==,type:str]
 pgp: []
 unencrypted_suffix: _unencrypted
- version: 3.9.0
+ version: 3.9.1
diff --git a/values/etersoft/secrets.minio.yaml b/values/etersoft/secrets.minio.yaml
new file mode 100644
index 0000000..c7191ed
--- /dev/null
+++ b/values/etersoft/secrets.minio.yaml
@@ -0,0 +1,38 @@
+rootPassword: ENC[AES256_GCM,data:JF0ZjTiuvYzO9Ol7ma268WS/VugWW/2Jaw==,iv:VBxzVeCLB74en8BiybMZHvrB9FIyssrGtDpsaXqCtBQ=,tag:DOhQwg7D+tEqcikrcv88FQ==,type:str]
+users:
+ - accessKey: ENC[AES256_GCM,data:4vsyrmk6clo=,iv:lcDiS+AFB3yAzsrKbfyDQnYuT2twGpd0kC/z7YhpsbQ=,tag:fpBGkAVPNiTrxDCE1pXR3A==,type:str]
+ secretKey: ENC[AES256_GCM,data:3kqn1s4wqGLURlfrhNYMGjaoZAw+HF4rwg==,iv:0xLW4f6N0g3h8FfOUGfbVOhnSTKLsy71Ubt+2z4dSC0=,tag:HkEJ/LSbn+8RfGF8FAYqHQ==,type:str]
+ policy: ENC[AES256_GCM,data:FJEdDNqZA30=,iv:ZI7Nbzwi3RtIuadt3/UBA5AbQJjjiB2M/uoj2AFA/10=,tag:U3BZ6cFRS09fnKkA7kROJA==,type:str]
+ - accessKey: ENC[AES256_GCM,data:0poCmmka,iv:O51Mx43yigleqadiR7b8i7uxOT+38C88efa/TUbYBj0=,tag:r9ZwW5pxvPxLSyQTezAN1Q==,type:str]
+ secretKey: ENC[AES256_GCM,data:fRpbe2HbTNactZx+60jtd0YL1pCmhWMYgw==,iv:tmZbhzQxx8+Tyxpx+jQ0YCXBVfR74BM3yGlai8IXZHE=,tag:xk9l8Rse9Hnj0Qcmnm/cmA==,type:str]
+ policy: ENC[AES256_GCM,data:oxr+5V8C,iv:EHFqChAYnZP9PqejnpA9coJIlO9s9VllMIXUM1HLSpY=,tag:/Al9G92TUtxWAcwkTaQJCA==,type:str]
+oidc:
+ enabled: ENC[AES256_GCM,data:lMx4vU8=,iv:J2/vLve9rjzAS6IGFEMixfSTa+0bRTxKcy8iRUuhvSY=,tag:Xz5/xmyUgLmW9YLXRc/D4A==,type:bool]
+ configUrl: ENC[AES256_GCM,data:eGE12HZTCzRkC4I+chRrk/GZjN4uBf6BEkrfgj4w3AKoe/zRfn5fbfOeZcYswJxmemf5jV0/Z8Xf7qRAOfogF0j/oAGPr6Ljf1xmJ37W72Giz9AJGBOWOnk=,iv:Fxwb59KoX/+xsbAJ4Gimxs5EbFaJf47KIosexsg6+xw=,tag:hWh/HbR8Re0F79amQhprmw==,type:str]
+ clientId: ENC[AES256_GCM,data:HV3Na7c=,iv:J+zpkI6f24cjnETRcIIv9M7ZcYf59TSIui05TOQJvJU=,tag:F3nmBGoW2lZ8GR09hRZ6YQ==,type:str]
+ clientSecret: ENC[AES256_GCM,data:gIGqUq1CAl+Y6EBBhWW8qjsUnUpuril/eH+gZBWG9J3O8dJjX3Z4MA8Q4HZPVdz5Q+6cZlIQ8nf5xbDQsGKFJgE0IqlM2B+pLd+toCpstP2irwHbx5z1RSHo8az70al87AaAKeAlWF0xVbVhpN5JrAQcjALOUbgeBg72QLQZOUw=,iv:bwc677iXUyX4R37j25iuKS37H8hwwEleEIArrQLNfhU=,tag:guPzIqsD+4s51rTK61fx2A==,type:str]
+ claimName: ENC[AES256_GCM,data:wXZh3m5M,iv:0iuETRNlJeiAwgeMbXuECh1EYuHQ+FI+++aL7jgMU9s=,tag:BBwQbNfPmwnjx5Hrk68sZQ==,type:str]
+ redirectUri: 
ENC[AES256_GCM,data:FSeRB5+TscUcZCwJhpaDHGbpUa49yF/eW4vjN036hfCJ2r0jdSiDrU2CjVTqcl8=,iv:4ap8l61BRye4K0imsF34zXiEmN13uwe86PTxcnTOEm0=,tag:k62A6DGt0n1Ra/NJoss+FQ==,type:str]
+ comment: ENC[AES256_GCM,data:U9F6nifLDU9DkfVXoCOHUJC7H2M=,iv:xR4P03dfn1OXGD4zx3OXOPwHGh4/rJHVqDp0Qn+Oacw=,tag:AXfM+5M2ZdtNJ6oJgeyqZw==,type:str]
+ claimPrefix: ""
+ scopes: ENC[AES256_GCM,data:rkal2ggLfUTsMu739T5aXWM7MF4ny+k6m6D5,iv:Xl1siRhxvWlqlAcZzV5N1hZTH3hg+HsEujwn9kLFovM=,tag:LKza7MMkC2x6ZeYVKIop5w==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvMHA0bUNTVnlHWU03UWhn
+ eHJ0Y2xzREVxTlhWbk5GRzhSa3RoV2lValY0CkcxbEZyc1VQNnozcTRteVlVQXNy
+ cUlyNDFtMTRPMnF1TmNIRjB4RkdZK28KLS0tIFBJdG05MklnV3IyYVJ5VDF6VE9n
+ VkVEQitNb0VOa1BJNkZ5d0E2czNtRXcKby+2hCLGWWKVsQeb5rLdl/LOvh9zQOyr
+ c1Spv2k7duos1MNnbQvRtRbJyYCRdo9Q7ZjbXiJL+Wb5//MGCfJi0w==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-10-14T05:40:46Z"
+ mac: ENC[AES256_GCM,data:yFMVr4gztundDVhLKENNfn+/WS/n8kJFXJ52aF7vAZtJ3UYibUBJh88BWYQn2euBUiPZXu2xNp0/SBUTKocJE9a9g9O+mjLemTzCOsHD7mMmKwHc9BSUnzPpKne+hdfNaWW8V0LP5hnlDeIT+75dcqu9f4I/v/ipsOk+C1WeKU4=,iv:gkDc7bqtoFrz6GG7NiBY8PUn1etWEAomhI8mf9b5jD0=,tag:1m2Ysku6FMlceILUisK5bw==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.1
diff --git a/values/etersoft/values.minio.yaml b/values/etersoft/values.minio.yaml
index 3dcac88..8b0f932 100644
--- a/values/etersoft/values.minio.yaml
+++ b/values/etersoft/values.minio.yaml
@@ -1,9 +1,7 @@
----
 ingress:
 enabled: true
- ingressClassName: ~
+ ingressClassName: traefik
 annotations:
- kubernetes.io/ingress.class: traefik
 kubernetes.io/tls-acme: "true"
 kubernetes.io/ingress.allow-http: "false"
 kubernetes.io/ingress.global-static-ip-name: ""
@@ -11,16 +9,15 @@ ingress:
 traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
 path: /
 hosts:
- - s3.3.badhouseplants.net
+ - s3.e.badhouseplants.net
 tls:
 - secretName: s3.e.badhouseplants.net
 hosts:
 - s3.e.badhouseplants.net
 consoleIngress:
 enabled: true
- ingressClassName: ~
+ ingressClassName: traefik
 annotations:
- kubernetes.io/ingress.class: traefik
 kubernetes.io/tls-acme: "true"
 kubernetes.io/ingress.allow-http: "false"
 kubernetes.io/ingress.global-static-ip-name: ""
@@ -28,12 +25,11 @@ consoleIngress:
 traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
 path: /
 hosts:
- - minio.e.badhouseplants.net
+ - min.e.badhouseplants.net
 tls:
- - secretName: minio.e.badhouseplants.net
+ - secretName: min.e.badhouseplants.net
 hosts:
- - minio.e.badhouseplants.net
-
+ - min.e.badhouseplants.net
 rootUser: 'overlord'
 replicas: 1
 mode: standalone
@@ -45,9 +41,12 @@ tls:
 publicCrt: public.crt
 privateKey: private.key
 persistence:
+ annotations:
+ volume.kubernetes.io/selected-node: yekaterinburg
+ storageClass: local-path
 enabled: true
 accessMode: ReadWriteOnce
- size: 100Gi
+ size: 10Gi
 service:
 type: ClusterIP
 clusterIP: ~
@@ -60,25 +59,10 @@ resources:
 requests:
 memory: 2Gi
 buckets:
- - name: badhouseplants-net
- policy: download
- purge: false
- versioning: false
- - name: badhouseplants-js
- policy: download
- purge: false
- versioning: false
- - name: badhouseplants-net-main
- policy: download
- purge: false
- versioning: false
- - name: sharing
- policy: download
- purge: false
- versioning: false
- - name: allanger-music
- policy: download
+ - name: velero
+ policy: none
 purge: false
+ versioning: fase
 metrics:
 serviceMonitor:
 enabled: false
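Review bot: `size: 100Gi` → `size: 10Gi` in the persistence hunk is a shrink, and Kubernetes rejects reducing the requested storage of an existing PVC, so if the minio claim already exists the upgrade fails at the PVC rather than in helm; the simultaneous move to `storageClass: local-path` with a `selected-node` annotation suggests a fresh volume is intended, in which case the old claim has to be deleted explicitly and this should be stated in the commit. A node-pinned local-path volume also ties the velero backup target to one node's disk with no replication; that is only acceptable if the backups are additionally kept off-cluster.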
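Review bot: `versioning: fase` in the new `velero` bucket entry is a typo for `false`; as written it is the string "fase", not a boolean, and depending on how the chart templates its bucket-setup script it is either rejected or treated as truthy, so it should read `versioning: false`. `policy: none` is the right choice for a backup bucket, in contrast to the `download` (anonymous read) policy the removed buckets used.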
@@ -97,35 +81,13 @@ policies:
 - resources: []
 actions:
 - "kms:*"
- - name: Admins
+ - name: velero
 statements:
 - resources:
- - 'arn:aws:s3:::*'
- actions:
- - "s3:*"
- - resources: []
- actions:
- - "admin:*"
- - resources: []
- actions:
- - "kms:*"
- - name: DevOps
- statements:
- - resources:
- - 'arn:aws:s3:::badhouseplants-net'
+ - 'arn:aws:s3:::velero'
 actions:
 - "s3:*"
 - resources:
- - 'arn:aws:s3:::badhouseplants-net/*'
- actions:
- - "s3:*"
- - name: sharing
- statements:
- - resources:
- - 'arn:aws:s3:::sharing'
- actions:
- - "s3:*"
- - resources:
- - 'arn:aws:s3:::sharing/*'
+ - 'arn:aws:s3:::velero/*'
 actions:
 - "s3:*"
diff --git a/values/etersoft/values.openvpn.yaml b/values/etersoft/values.openvpn.yaml
index 0c9d951..b809613 100644
--- a/values/etersoft/values.openvpn.yaml
+++ b/values/etersoft/values.openvpn.yaml
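Review bot: The `velero` policy grants `s3:*` on `arn:aws:s3:::velero` and `velero/*`, which includes deleting the bucket and changing its policy; velero's documented S3 requirements are a short list (`s3:GetObject`, `s3:DeleteObject`, `s3:PutObject`, `s3:AbortMultipartUpload`, `s3:ListMultipartUploadParts` on the objects and `s3:ListBucket` on the bucket), and scoping the backup credential to those limits what a leaked velero key can do to existing backups. This hunk also removes the `Admins`, `DevOps` and `sharing` policies while the two users added in values/etersoft/secrets.minio.yaml each carry an encrypted `policy:` value; confirm neither still names a removed policy, since attaching a nonexistent policy should fail at user setup. The `policies:` list starts before this hunk.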
@@ -1,35 +1,47 @@
+image:
+ repository: zot.badhouseplants.net/allanger/container-openvpn
+ # ------------------------------------------
+ # -- Istio extenstion. Just because I'm
+ # -- not using ingress nginx
+ # ------------------------------------------
+ # istio:
+# enabled: true
+# istio:
+# - name: openvpn-tcp-xor
+# gateway: istio-system/badhouseplants-vpn
+# kind: tcp
+# port_match: 1194
+# hostname: "*"
+# service: openvpn-xor
+# port: 1194
+
+# ------------------------------------------
+traefik:
+ enabled: true
+ tcpRoutes:
+ - name: openvpn
+ service: openvpn
+ match: HostSNI(`*`)
+ entrypoint: openvpn
+ port: 1194
+tcproute:
+ enabled: false
 storage:
- class: microk8s-hostpath
- size: 5Gi
+ annotations:
+ volume.kubernetes.io/selected-node: yekaterinburg
+ size: 128Mi
 openvpn:
 proto: tcp
 host: 91.232.225.63
+easyrsa:
+ cn: Bad Houseplants
+ country: Germany
+ province: Hamburg
+ city: Hamburg
+ org: Bad Houseplants
+ email: allanger@badhouseplants.net.com
 service:
 type: ClusterIP
 port: 1194
 targetPort: 1194
 protocol: TCP
-easyrsa:
- cn: Bad Houseplants
- country: Germany
- province: NRW
- city: Duesseldorf
- org: Bad Houseplants
- email: allanger@zohomail.com
-istio-resources:
- enabled: true
- gateways:
- - metadata:
- name: etersoft-vpn
- namespace: istio-system
- spec:
- selector:
- istio: ingressgateway
- servers:
- - hosts:
- - '*'
- port:
- name: openvpn
- number: 1194
- protocol: TCP
-
diff --git a/values/etersoft/values.qbittorrent.yaml b/values/etersoft/values.qbittorrent.yaml
new file mode 100644
index 0000000..4487d80
--- /dev/null
+++ b/values/etersoft/values.qbittorrent.yaml
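Review bot: `email: allanger@badhouseplants.net.com` in the new `easyrsa` block looks like a typo for `allanger@badhouseplants.net`, the domain used everywhere else in this commit; it only lands in the CA/certificate subject, but it is worth fixing before the PKI is generated because the value is baked into every issued certificate. The commented-out `istio:` block (from `# istio:` down to `# port: 1194`) is dead configuration now that `traefik.tcpRoutes` replaces the removed `istio-resources` gateway; git history keeps it, so delete it rather than leaving two parallel routing definitions, and if the header comment stays, fix `extenstion` → `extension`.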
@@ -0,0 +1,45 @@
+ext-secret:
+ enabled: true
+ name: torrent-basic-auth
+ data:
+ users: |
+ allanger:$apr1$kNwkQ0S.$9q29sib/xWEp3NDp.tquw/
+middleware:
+ enabled: true
+ middlewares:
+ - name: torrentauth
+ spec:
+ basicAuth:
+ secret: torrent-basic-auth
+ingress:
+ # -- Enable and configure ingress settings for the chart under this key.
+ # @default -- See [values.yaml](./values.yaml)
+ main:
+ ingressClassName: traefik
+ annotations:
+ kubernetes.io/tls-acme: "true"
+ kubernetes.io/ingress.allow-http: "false"
+ kubernetes.io/ingress.global-static-ip-name: ""
+ cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
+ traefik.ingress.kubernetes.io/router.middlewares: applications-torrentauth@kubernetescrd
+ enabled: true
+ hosts:
+ - host: tor.e.badhouseplants.net
+ paths:
+ - path: /
+ tls:
+ - secretName: tor.e.badhouseplants.net
+ hosts:
+ - tor.e.badhouseplants.net
+persistence:
+ config:
+ annotations:
+ volume.kubernetes.io/selected-node: yekaterinburg
+ enabled: true
+ size: 1Gi
+ downloads:
+ annotations:
+ volume.kubernetes.io/selected-node: yekaterinburg
+ enabled: true
+ size: 10Gi
+ accessMode: ReadWriteOnce
diff --git a/values/etersoft/values.traefik.yaml b/values/etersoft/values.traefik.yaml
index c17aaec..b47cdbc 100644
--- a/values/etersoft/values.traefik.yaml
+++ b/values/etersoft/values.traefik.yaml
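Review bot: `ext-secret.data.users` commits a basic-auth htpasswd entry for `allanger` in cleartext, in a plain values file rather than in a sops-encrypted `secrets.*.yaml` like the other credentials in this commit; once pushed the hash is in history for good, so treat this password as exposed and rotate it. Move the `users:` value into a sops-encrypted file for the release (following the existing `values/etersoft/secrets.<release>.yaml` pattern, placeholder name) and keep only `name: torrent-basic-auth` here. The hash is also `$apr1$` (MD5-crypt), which Traefik's basicAuth accepts but which is cheap to crack offline if the file ever leaks; regenerate it with bcrypt (`htpasswd -B`).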
@@ -4,87 +4,9 @@ ports:
 web:
 redirectTo:
 port: websecure
- ssh:
- port: 22
- expose:
- default: true
- exposedPort: 22
- protocol: TCP
 openvpn:
 port: 1194
 expose:
 default: true
 exposedPort: 1194
 protocol: TCP
- # valve-server:
- # port: 27015
- # expose:
- # default: true
- # exposedPort: 27015
- # protocol: UDP
- # valve-rcon:
- # port: 27015
- # expose:
- # default: true
- # exposedPort: 27015
- # protocol: TCP
- smtp:
- port: 25
- protocol: TCP
- exposedPort: 25
- expose:
- default: true
- smtps:
- port: 465
- protocol: TCP
- exposedPort: 465
- expose:
- default: true
- smtp-startls:
- port: 587
- protocol: TCP
- exposedPort: 587
- expose:
- default: true
- imap:
- port: 143
- protocol: TCP
- exposedPort: 143
- expose:
- default: true
- imaps:
- port: 993
- protocol: TCP
- exposedPort: 993
- expose:
- default: true
- pop3:
- port: 110
- protocol: TCP
- exposedPort: 110
- expose:
- default: true
- pop3s:
- port: 995
- protocol: TCP
- exposedPort: 995
- expose:
- default: true
- minecraft:
- port: 25565
- protocol: TCP
- exposedPort: 25565
- expose:
- default: true
- shadowsocks:
- port: 8388
- protocol: TCP
- exposedPort: 8388
- expose:
- default: true
- shadowsocks-udp:
- port: 8389
- protocol: UDP
- exposedPort: 8389
- expose:
- default: true