From 8518c44a17dad51a289ea3d5ac59a46231538d36 Mon Sep 17 00:00:00 2001 From: Nikolai Rodionov Date: Sat, 13 Jul 2024 22:21:59 +0200 Subject: [PATCH] First commit --- .sops.yaml | 6 + charts/issuer/.helmignore | 23 ++ charts/issuer/Chart.yaml | 24 +++ charts/issuer/templates/_helpers.tpl | 51 +++++ charts/issuer/templates/issuer.yaml | 10 + charts/issuer/values.yaml | 1 + charts/namespaces/chart/.helmignore | 23 ++ charts/namespaces/chart/Chart.yaml | 24 +++ .../namespaces/chart/templates/_helpers.tpl | 43 ++++ .../chart/templates/namespaces.yaml | 19 ++ charts/namespaces/chart/values.yaml | 20 ++ charts/namespaces/kustomize/flux-system.yml | 6 + .../namespaces/kustomize/giantswarm-flux.yml | 6 + charts/namespaces/kustomize/giantswarm.yml | 6 + .../namespaces/kustomize/kustomization.yaml | 5 + charts/namespaces/kustomize/monitoring.yml | 6 + .../namespaces/kustomize/org-giantswarm.yml | 6 + charts/roles/.helmignore | 23 ++ charts/roles/Chart.yaml | 6 + charts/roles/templates/_helpers.tpl | 43 ++++ charts/roles/templates/namespaces.yaml | 23 ++ charts/roles/values.yaml | 9 + charts/root/.helmignore | 23 ++ charts/root/Chart.yaml | 6 + charts/root/templates/_helpers.tpl | 62 ++++++ charts/root/templates/root.yaml | 25 +++ charts/root/templates/self.yaml | 25 +++ charts/root/values.yaml | 5 + common/environments.yaml | 5 + common/templates.yaml | 111 ++++++++++ installations/databases/helmfile.yaml | 45 ++++ installations/pipelines/helmfile.yaml | 18 ++ installations/platform/helmfile.yaml | 56 +++++ installations/system/helmfile.yaml | 114 ++++++++++ values/badhouseplants/secrets.argocd.yaml | 26 +++ values/badhouseplants/secrets.authentik.yaml | 24 +++ values/badhouseplants/secrets.bitwarden.yaml | 24 +++ .../badhouseplants/secrets.chartmuseum.yaml | 24 +++ .../badhouseplants/secrets.db-instances.yaml | 33 +++ .../secrets.drone-runner-docker.yaml | 22 ++ values/badhouseplants/secrets.drone.yaml | 24 +++ values/badhouseplants/secrets.funkwhale.yaml | 27 +++ values/badhouseplants/secrets.gitea.yaml | 48 +++++ values/badhouseplants/secrets.iredmail.yaml | 25 +++ values/badhouseplants/secrets.longhorn.yaml | 26 +++ values/badhouseplants/secrets.mailu.yaml | 38 ++++ values/badhouseplants/secrets.mariadb.yaml | 24 +++ values/badhouseplants/secrets.minio.yaml | 35 ++++ values/badhouseplants/secrets.mysql.yaml | 23 ++ values/badhouseplants/secrets.nrodionov.yaml | 22 ++ values/badhouseplants/secrets.postgres.yaml | 24 +++ .../secrets.postgres16-gitea.yaml | 24 +++ values/badhouseplants/secrets.postgres16.yaml | 24 +++ values/badhouseplants/secrets.prometheus.yaml | 26 +++ values/badhouseplants/secrets.redis.yaml | 26 +++ values/badhouseplants/secrets.tandoor.yaml | 22 ++ .../badhouseplants/secrets.vaultwarden.yaml | 27 +++ .../secrets.vaultwardentest.yaml | 27 +++ .../secrets.woodpecker-agent.yaml | 23 ++ .../badhouseplants/secrets.woodpecker-ci.yaml | 27 +++ values/badhouseplants/secrets.zot.yaml | 23 ++ values/badhouseplants/values.argocd.yaml | 113 ++++++++++ values/badhouseplants/values.authentik.yaml | 64 ++++++ values/badhouseplants/values.bitwarden.yaml | 40 ++++ values/badhouseplants/values.chartmuseum.yaml | 25 +++ values/badhouseplants/values.cilium.yaml | 10 + values/badhouseplants/values.coredns.yaml | 32 +++ .../badhouseplants/values.db-instances.yaml | 32 +++ .../values.docker-mailserver.yaml | 71 +++++++ .../values.drone-runner-docker.yaml | 16 ++ values/badhouseplants/values.drone.yaml | 18 ++ values/badhouseplants/values.funkwhale.yaml | 72 +++++++ values/badhouseplants/values.gitea.yaml | 151 ++++++++++++++ values/badhouseplants/values.iredmail.yaml | 4 + values/badhouseplants/values.issuer.yaml | 13 ++ .../values.istio-gateway-resources.yaml | 98 +++++++++ .../values.istio-ingressgateway.yaml | 72 +++++++ values/badhouseplants/values.istiod.yaml | 14 ++ .../values.local-path-provisioner.yaml | 3 + values/badhouseplants/values.loki.yaml | 99 +++++++++ values/badhouseplants/values.longhorn.yaml | 20 ++ values/badhouseplants/values.mailu.yaml | 196 ++++++++++++++++++ values/badhouseplants/values.mariadb.yaml | 19 ++ .../values.metallb-resources.yaml | 5 + values/badhouseplants/values.minio.yaml | 151 ++++++++++++++ values/badhouseplants/values.mysql.yaml | 6 + values/badhouseplants/values.namespaces.yaml | 9 + values/badhouseplants/values.nrodionov.yaml | 65 ++++++ values/badhouseplants/values.openvpn-xor.yaml | 46 ++++ values/badhouseplants/values.postgres.yaml | 10 + .../values.postgres16-gitea.yaml | 35 ++++ values/badhouseplants/values.postgres16.yaml | 35 ++++ values/badhouseplants/values.prometheus.yaml | 148 +++++++++++++ values/badhouseplants/values.promtail.yaml | 11 + values/badhouseplants/values.redis.yaml | 11 + values/badhouseplants/values.roles.yaml | 10 + values/badhouseplants/values.tandoor.yaml | 55 +++++ values/badhouseplants/values.traefik.yaml | 87 ++++++++ values/badhouseplants/values.vaultwarden.yaml | 81 ++++++++ .../values.vaultwardentest.yaml | 59 ++++++ .../badhouseplants/values.woodpecker-ci.yaml | 53 +++++ values/badhouseplants/values.zot.yaml | 48 +++++ values/common/values.certificate.yaml | 20 ++ values/common/values.database.yaml | 50 +++++ values/common/values.istio-gateway.yaml | 16 ++ values/common/values.istio.yaml | 36 ++++ values/common/values.metallb.yaml | 14 ++ values/common/values.metrics-server.yaml | 4 + values/common/values.ns.yaml | 8 + values/common/values.secret.yaml | 12 ++ values/common/values.service-monitor.yaml | 16 ++ values/common/values.tcp-route.yaml | 20 ++ values/common/values.tcproute.yaml | 13 ++ 113 files changed, 3912 insertions(+) create mode 100644 .sops.yaml create mode 100644 charts/issuer/.helmignore create mode 100644 charts/issuer/Chart.yaml create mode 100644 charts/issuer/templates/_helpers.tpl create mode 100644 charts/issuer/templates/issuer.yaml create mode 100644 charts/issuer/values.yaml create mode 100644 charts/namespaces/chart/.helmignore create mode 100644 charts/namespaces/chart/Chart.yaml create mode 100644 charts/namespaces/chart/templates/_helpers.tpl create mode 100644 charts/namespaces/chart/templates/namespaces.yaml create mode 100644 charts/namespaces/chart/values.yaml create mode 100644 charts/namespaces/kustomize/flux-system.yml create mode 100644 charts/namespaces/kustomize/giantswarm-flux.yml create mode 100644 charts/namespaces/kustomize/giantswarm.yml create mode 100644 charts/namespaces/kustomize/kustomization.yaml create mode 100644 charts/namespaces/kustomize/monitoring.yml create mode 100644 charts/namespaces/kustomize/org-giantswarm.yml create mode 100644 charts/roles/.helmignore create mode 100644 charts/roles/Chart.yaml create mode 100644 charts/roles/templates/_helpers.tpl create mode 100644 charts/roles/templates/namespaces.yaml create mode 100644 charts/roles/values.yaml create mode 100644 charts/root/.helmignore create mode 100644 charts/root/Chart.yaml create mode 100644 charts/root/templates/_helpers.tpl create mode 100644 charts/root/templates/root.yaml create mode 100644 charts/root/templates/self.yaml create mode 100644 charts/root/values.yaml create mode 100644 common/environments.yaml create mode 100644 common/templates.yaml create mode 100644 installations/databases/helmfile.yaml create mode 100644 installations/pipelines/helmfile.yaml create mode 100644 installations/platform/helmfile.yaml create mode 100644 installations/system/helmfile.yaml create mode 100644 values/badhouseplants/secrets.argocd.yaml create mode 100644 values/badhouseplants/secrets.authentik.yaml create mode 100644 values/badhouseplants/secrets.bitwarden.yaml create mode 100644 values/badhouseplants/secrets.chartmuseum.yaml create mode 100644 values/badhouseplants/secrets.db-instances.yaml create mode 100644 values/badhouseplants/secrets.drone-runner-docker.yaml create mode 100644 values/badhouseplants/secrets.drone.yaml create mode 100644 values/badhouseplants/secrets.funkwhale.yaml create mode 100644 values/badhouseplants/secrets.gitea.yaml create mode 100644 values/badhouseplants/secrets.iredmail.yaml create mode 100644 values/badhouseplants/secrets.longhorn.yaml create mode 100644 values/badhouseplants/secrets.mailu.yaml create mode 100644 values/badhouseplants/secrets.mariadb.yaml create mode 100644 values/badhouseplants/secrets.minio.yaml create mode 100644 values/badhouseplants/secrets.mysql.yaml create mode 100644 values/badhouseplants/secrets.nrodionov.yaml create mode 100644 values/badhouseplants/secrets.postgres.yaml create mode 100644 values/badhouseplants/secrets.postgres16-gitea.yaml create mode 100644 values/badhouseplants/secrets.postgres16.yaml create mode 100644 values/badhouseplants/secrets.prometheus.yaml create mode 100644 values/badhouseplants/secrets.redis.yaml create mode 100644 values/badhouseplants/secrets.tandoor.yaml create mode 100644 values/badhouseplants/secrets.vaultwarden.yaml create mode 100644 values/badhouseplants/secrets.vaultwardentest.yaml create mode 100644 values/badhouseplants/secrets.woodpecker-agent.yaml create mode 100644 values/badhouseplants/secrets.woodpecker-ci.yaml create mode 100644 values/badhouseplants/secrets.zot.yaml create mode 100644 values/badhouseplants/values.argocd.yaml create mode 100644 values/badhouseplants/values.authentik.yaml create mode 100644 values/badhouseplants/values.bitwarden.yaml create mode 100644 values/badhouseplants/values.chartmuseum.yaml create mode 100644 values/badhouseplants/values.cilium.yaml create mode 100644 values/badhouseplants/values.coredns.yaml create mode 100644 values/badhouseplants/values.db-instances.yaml create mode 100644 values/badhouseplants/values.docker-mailserver.yaml create mode 100644 values/badhouseplants/values.drone-runner-docker.yaml create mode 100644 values/badhouseplants/values.drone.yaml create mode 100644 values/badhouseplants/values.funkwhale.yaml create mode 100644 values/badhouseplants/values.gitea.yaml create mode 100644 values/badhouseplants/values.iredmail.yaml create mode 100644 values/badhouseplants/values.issuer.yaml create mode 100644 values/badhouseplants/values.istio-gateway-resources.yaml create mode 100644 values/badhouseplants/values.istio-ingressgateway.yaml create mode 100644 values/badhouseplants/values.istiod.yaml create mode 100644 values/badhouseplants/values.local-path-provisioner.yaml create mode 100644 values/badhouseplants/values.loki.yaml create mode 100644 values/badhouseplants/values.longhorn.yaml create mode 100644 values/badhouseplants/values.mailu.yaml create mode 100644 values/badhouseplants/values.mariadb.yaml create mode 100644 values/badhouseplants/values.metallb-resources.yaml create mode 100644 values/badhouseplants/values.minio.yaml create mode 100644 values/badhouseplants/values.mysql.yaml create mode 100644 values/badhouseplants/values.namespaces.yaml create mode 100644 values/badhouseplants/values.nrodionov.yaml create mode 100644 values/badhouseplants/values.openvpn-xor.yaml create mode 100644 values/badhouseplants/values.postgres.yaml create mode 100644 values/badhouseplants/values.postgres16-gitea.yaml create mode 100644 values/badhouseplants/values.postgres16.yaml create mode 100644 values/badhouseplants/values.prometheus.yaml create mode 100644 values/badhouseplants/values.promtail.yaml create mode 100644 values/badhouseplants/values.redis.yaml create mode 100644 values/badhouseplants/values.roles.yaml create mode 100644 values/badhouseplants/values.tandoor.yaml create mode 100644 values/badhouseplants/values.traefik.yaml create mode 100644 values/badhouseplants/values.vaultwarden.yaml create mode 100644 values/badhouseplants/values.vaultwardentest.yaml create mode 100644 values/badhouseplants/values.woodpecker-ci.yaml create mode 100644 values/badhouseplants/values.zot.yaml create mode 100644 values/common/values.certificate.yaml create mode 100644 values/common/values.database.yaml create mode 100644 values/common/values.istio-gateway.yaml create mode 100644 values/common/values.istio.yaml create mode 100644 values/common/values.metallb.yaml create mode 100644 values/common/values.metrics-server.yaml create mode 100644 values/common/values.ns.yaml create mode 100644 values/common/values.secret.yaml create mode 100644 values/common/values.service-monitor.yaml create mode 100644 values/common/values.tcp-route.yaml create mode 100644 values/common/values.tcproute.yaml diff --git a/.sops.yaml b/.sops.yaml new file mode 100644 index 0000000..2f1e424 --- /dev/null +++ b/.sops.yaml @@ -0,0 +1,6 @@ +creation_rules: + - path_regex: values/.*/secrets.* + key_groups: + - age: + - age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8 + diff --git a/charts/issuer/.helmignore b/charts/issuer/.helmignore new file mode 100644 index 0000000..0e8a0eb --- /dev/null +++ b/charts/issuer/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/issuer/Chart.yaml b/charts/issuer/Chart.yaml new file mode 100644 index 0000000..58561ef --- /dev/null +++ b/charts/issuer/Chart.yaml @@ -0,0 +1,24 @@ +apiVersion: v2 +name: issuer +description: A Helm chart for Kubernetes + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.1.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. +appVersion: "1.16.0" diff --git a/charts/issuer/templates/_helpers.tpl b/charts/issuer/templates/_helpers.tpl new file mode 100644 index 0000000..aa342c0 --- /dev/null +++ b/charts/issuer/templates/_helpers.tpl @@ -0,0 +1,51 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "issuer.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "issuer.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "issuer.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "issuer.labels" -}} +helm.sh/chart: {{ include "issuer.chart" . }} +{{ include "issuer.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "issuer.selectorLabels" -}} +app.kubernetes.io/name: {{ include "issuer.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} diff --git a/charts/issuer/templates/issuer.yaml b/charts/issuer/templates/issuer.yaml new file mode 100644 index 0000000..f9cc9bc --- /dev/null +++ b/charts/issuer/templates/issuer.yaml @@ -0,0 +1,10 @@ +--- +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + labels: + {{- include "issuer.labels" . | nindent 4 }} + name: "{{ .Values.name }}" +spec: + acme: +{{ .Values.spec | toYaml | indent 2 }} diff --git a/charts/issuer/values.yaml b/charts/issuer/values.yaml new file mode 100644 index 0000000..9a347de --- /dev/null +++ b/charts/issuer/values.yaml @@ -0,0 +1 @@ +spec: {} diff --git a/charts/namespaces/chart/.helmignore b/charts/namespaces/chart/.helmignore new file mode 100644 index 0000000..0e8a0eb --- /dev/null +++ b/charts/namespaces/chart/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/namespaces/chart/Chart.yaml b/charts/namespaces/chart/Chart.yaml new file mode 100644 index 0000000..0f737fe --- /dev/null +++ b/charts/namespaces/chart/Chart.yaml @@ -0,0 +1,24 @@ +apiVersion: v2 +name: namespaces +description: A Helm chart for Kubernetes + +# A chart can be either an 'application' or a 'library' chart. +# +# Application charts are a collection of templates that can be packaged into versioned archives +# to be deployed. +# +# Library charts provide useful utilities or functions for the chart developer. They're included as +# a dependency of application charts to inject those utilities and functions into the rendering +# pipeline. Library charts do not define any templates and therefore cannot be deployed. +type: application + +# This is the chart version. This version number should be incremented each time you make changes +# to the chart and its templates, including the app version. +# Versions are expected to follow Semantic Versioning (https://semver.org/) +version: 0.1.0 + +# This is the version number of the application being deployed. This version number should be +# incremented each time you make changes to the application. Versions are not expected to +# follow Semantic Versioning. They should reflect the version the application is using. +# It is recommended to use it with quotes. +appVersion: "1.16.0" diff --git a/charts/namespaces/chart/templates/_helpers.tpl b/charts/namespaces/chart/templates/_helpers.tpl new file mode 100644 index 0000000..a33714c --- /dev/null +++ b/charts/namespaces/chart/templates/_helpers.tpl @@ -0,0 +1,43 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "namespaces.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "namespaces.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "namespaces.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "namespaces.labels" -}} +helm.sh/chart: {{ include "namespaces.chart" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + diff --git a/charts/namespaces/chart/templates/namespaces.yaml b/charts/namespaces/chart/templates/namespaces.yaml new file mode 100644 index 0000000..3e87e83 --- /dev/null +++ b/charts/namespaces/chart/templates/namespaces.yaml @@ -0,0 +1,19 @@ +{{- if .Values.namespaces }} +{{- range $ns := .Values.namespaces }} +--- +apiVersion: v1 +kind: Namespace +metadata: + name: {{ $ns.name }} + labels: + {{- include "namespaces.labels" $ | nindent 4 }} + {{- with $ns.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + annotations: + "helm.sh/resource-policy": keep + {{- with $ns.annotations}} + {{- toYaml . | nindent 4 }} + {{- end }} +{{- end }} +{{- end }} diff --git a/charts/namespaces/chart/values.yaml b/charts/namespaces/chart/values.yaml new file mode 100644 index 0000000..cd5a239 --- /dev/null +++ b/charts/namespaces/chart/values.yaml @@ -0,0 +1,20 @@ +namespaces: + - name: giantswarm-flux + labels: + name: giantswarm-flux + - name: giantswarm + labels: + name: giantswarm + - name: monitoring + labels: + name: monitoring + - name: org-giantswarm + labels: + name: org-giantswarm + - name: flux-system + labels: + name: flux-system + - name: flux-giantswarm + labels: + name: flux-giantswarm + - name: policy-exception diff --git a/charts/namespaces/kustomize/flux-system.yml b/charts/namespaces/kustomize/flux-system.yml new file mode 100644 index 0000000..f44f3af --- /dev/null +++ b/charts/namespaces/kustomize/flux-system.yml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: flux-system + labels: + name: flux-system diff --git a/charts/namespaces/kustomize/giantswarm-flux.yml b/charts/namespaces/kustomize/giantswarm-flux.yml new file mode 100644 index 0000000..bd0e121 --- /dev/null +++ b/charts/namespaces/kustomize/giantswarm-flux.yml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: giantswarm-flux + labels: + name: giantswarm-flux diff --git a/charts/namespaces/kustomize/giantswarm.yml b/charts/namespaces/kustomize/giantswarm.yml new file mode 100644 index 0000000..31e7916 --- /dev/null +++ b/charts/namespaces/kustomize/giantswarm.yml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: giantswarm + labels: + name: giantswarm diff --git a/charts/namespaces/kustomize/kustomization.yaml b/charts/namespaces/kustomize/kustomization.yaml new file mode 100644 index 0000000..8159198 --- /dev/null +++ b/charts/namespaces/kustomize/kustomization.yaml @@ -0,0 +1,5 @@ +resources: + - ./giantswarm-flux.yml + - ./giantswarm.yml + - ./monitoring.yml + - ./org-giantswarm.yml diff --git a/charts/namespaces/kustomize/monitoring.yml b/charts/namespaces/kustomize/monitoring.yml new file mode 100644 index 0000000..90d12ef --- /dev/null +++ b/charts/namespaces/kustomize/monitoring.yml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: monitoring + labels: + name: monitoring diff --git a/charts/namespaces/kustomize/org-giantswarm.yml b/charts/namespaces/kustomize/org-giantswarm.yml new file mode 100644 index 0000000..f27e8c4 --- /dev/null +++ b/charts/namespaces/kustomize/org-giantswarm.yml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: org-giantswarm + labels: + name: org-giantswarm diff --git a/charts/roles/.helmignore b/charts/roles/.helmignore new file mode 100644 index 0000000..0e8a0eb --- /dev/null +++ b/charts/roles/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/roles/Chart.yaml b/charts/roles/Chart.yaml new file mode 100644 index 0000000..c2d5cc6 --- /dev/null +++ b/charts/roles/Chart.yaml @@ -0,0 +1,6 @@ +apiVersion: v2 +name: roles +description: A Helm chart for Kubernetes +type: application +version: 0.1.0 +appVersion: "1.16.0" diff --git a/charts/roles/templates/_helpers.tpl b/charts/roles/templates/_helpers.tpl new file mode 100644 index 0000000..2927519 --- /dev/null +++ b/charts/roles/templates/_helpers.tpl @@ -0,0 +1,43 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "roles.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "roles.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "roles.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "roles.labels" -}} +helm.sh/chart: {{ include "roles.chart" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + diff --git a/charts/roles/templates/namespaces.yaml b/charts/roles/templates/namespaces.yaml new file mode 100644 index 0000000..7cb85dc --- /dev/null +++ b/charts/roles/templates/namespaces.yaml @@ -0,0 +1,23 @@ +{{- if .Values.roles }} +{{- range $roles := .Values.roles }} +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: {{ $roles.kind }} +metadata: + name: {{ $roles.name }} + namespace: {{ $roles.namespace }} + labels: + {{- include "roles.labels" $ | nindent 4 }} + {{- with $roles.labels }} + {{- toYaml . | nindent 4 }} + {{- end }} + {{- with $roles.annotations}} + annotations: + {{- toYaml . | nindent 4 }} + {{- end }} +rules: +{{- with $roles.rules }} +{{- toYaml . | nindent 2 }} +{{- end }} +{{- end }} +{{- end }} diff --git a/charts/roles/values.yaml b/charts/roles/values.yaml new file mode 100644 index 0000000..7fcd045 --- /dev/null +++ b/charts/roles/values.yaml @@ -0,0 +1,9 @@ +roles: + - name: minecraft-admin + namespace: minecraft-application + kind: Role + rules: + - apiGroups: ["*"] + resources: ["*"] + verbs: ["*"] + namespace: ["minecraft-application"] diff --git a/charts/root/.helmignore b/charts/root/.helmignore new file mode 100644 index 0000000..0e8a0eb --- /dev/null +++ b/charts/root/.helmignore @@ -0,0 +1,23 @@ +# Patterns to ignore when building packages. +# This supports shell glob matching, relative path matching, and +# negation (prefixed with !). Only one pattern per line. +.DS_Store +# Common VCS dirs +.git/ +.gitignore +.bzr/ +.bzrignore +.hg/ +.hgignore +.svn/ +# Common backup files +*.swp +*.bak +*.tmp +*.orig +*~ +# Various IDEs +.project +.idea/ +*.tmproj +.vscode/ diff --git a/charts/root/Chart.yaml b/charts/root/Chart.yaml new file mode 100644 index 0000000..59e507d --- /dev/null +++ b/charts/root/Chart.yaml @@ -0,0 +1,6 @@ +apiVersion: v2 +name: root +description: A Helm chart for Kubernetes +type: application +version: 0.1.5 +appVersion: "1.16.0" diff --git a/charts/root/templates/_helpers.tpl b/charts/root/templates/_helpers.tpl new file mode 100644 index 0000000..8a3cc9a --- /dev/null +++ b/charts/root/templates/_helpers.tpl @@ -0,0 +1,62 @@ +{{/* +Expand the name of the chart. +*/}} +{{- define "root.name" -}} +{{- default .Chart.Name .Values.nameOverride | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Create a default fully qualified app name. +We truncate at 63 chars because some Kubernetes name fields are limited to this (by the DNS naming spec). +If release name contains chart name it will be used as a full name. +*/}} +{{- define "root.fullname" -}} +{{- if .Values.fullnameOverride }} +{{- .Values.fullnameOverride | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- $name := default .Chart.Name .Values.nameOverride }} +{{- if contains $name .Release.Name }} +{{- .Release.Name | trunc 63 | trimSuffix "-" }} +{{- else }} +{{- printf "%s-%s" .Release.Name $name | trunc 63 | trimSuffix "-" }} +{{- end }} +{{- end }} +{{- end }} + +{{/* +Create chart name and version as used by the chart label. +*/}} +{{- define "root.chart" -}} +{{- printf "%s-%s" .Chart.Name .Chart.Version | replace "+" "_" | trunc 63 | trimSuffix "-" }} +{{- end }} + +{{/* +Common labels +*/}} +{{- define "root.labels" -}} +helm.sh/chart: {{ include "root.chart" . }} +{{ include "root.selectorLabels" . }} +{{- if .Chart.AppVersion }} +app.kubernetes.io/version: {{ .Chart.AppVersion | quote }} +{{- end }} +app.kubernetes.io/managed-by: {{ .Release.Service }} +{{- end }} + +{{/* +Selector labels +*/}} +{{- define "root.selectorLabels" -}} +app.kubernetes.io/name: {{ include "root.name" . }} +app.kubernetes.io/instance: {{ .Release.Name }} +{{- end }} + +{{/* +Create the name of the service account to use +*/}} +{{- define "root.serviceAccountName" -}} +{{- if .Values.serviceAccount.create }} +{{- default (include "root.fullname" .) .Values.serviceAccount.name }} +{{- else }} +{{- default "default" .Values.serviceAccount.name }} +{{- end }} +{{- end }} diff --git a/charts/root/templates/root.yaml b/charts/root/templates/root.yaml new file mode 100644 index 0000000..f542187 --- /dev/null +++ b/charts/root/templates/root.yaml @@ -0,0 +1,25 @@ +{{ if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1" }} +apiVersion: source.toolkit.fluxcd.io/v1 +kind: GitRepository +metadata: + name: root +spec: + interval: 30s + url: {{ .Values.url }} + ref: + branch: {{ .Values.branch }} +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: root +spec: + interval: 30s + targetNamespace: flux-system + sourceRef: + kind: GitRepository + name: root + path: "." + prune: false + timeout: 1m +{{- end }} diff --git a/charts/root/templates/self.yaml b/charts/root/templates/self.yaml new file mode 100644 index 0000000..0ddb8de --- /dev/null +++ b/charts/root/templates/self.yaml @@ -0,0 +1,25 @@ +{{ if .Capabilities.APIVersions.Has "source.toolkit.fluxcd.io/v1" }} +apiVersion: source.toolkit.fluxcd.io/v1 +kind: GitRepository +metadata: + name: root-self +spec: + interval: 30s + url: {{ .Values.self.url }} + ref: + branch: {{ .Values.self.branch }} +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: root-self +spec: + interval: 30s + targetNamespace: flux-system + sourceRef: + kind: GitRepository + name: root-self + path: "." + prune: false + timeout: 1m +{{- end }} diff --git a/charts/root/values.yaml b/charts/root/values.yaml new file mode 100644 index 0000000..51850fa --- /dev/null +++ b/charts/root/values.yaml @@ -0,0 +1,5 @@ +url: https://git.badhouseplants.net/giantswarm/cluster-example.git +branch: main +self: + url: git@git.badhouseplants.net:giantswarm/root-config.git + branch: master diff --git a/common/environments.yaml b/common/environments.yaml new file mode 100644 index 0000000..13a3ca2 --- /dev/null +++ b/common/environments.yaml @@ -0,0 +1,5 @@ +environments: + badhouseplants: + kubeContext: badhouseplants + etersoft: + kubeContext: etersoft diff --git a/common/templates.yaml b/common/templates.yaml new file mode 100644 index 0000000..bbe1ade --- /dev/null +++ b/common/templates.yaml @@ -0,0 +1,111 @@ +templates: + # --------------------------- + # -- Hooks + # --------------------------- + crd-management-hook: + hooks: + - events: ["preapply"] + showlogs: true + command: "sh" + args: + - -c + - | + helm show crds {{ .Release.Chart }} --version {{ .Release.Version }} | kubectl replace -f - \ + || helm show crds {{ .Release.Chart }} --version {{ .Release.Version }} | kubectl create -f - \ + || true + - events: ["prepare"] + showlogs: true + command: "sh" + args: + - -c + - "helm show crds {{ .Release.Chart }} --version {{ .Release.Version }} | kubectl diff -f - || true" + - events: ["postuninstall"] + showlogs: true + command: "sh" + args: + - -c + - "helm show crds {{ .Release.Chart }} --version {{ .Release.Version }} | kubectl delete -f - || true" + # ---------------------------- + # -- Configs + # ---------------------------- + default-common-values: + values: + - '{{ requiredEnv "PWD" }}/values/common/values.{{ .Release.Name }}.yaml' + default-env-values: + values: + - '{{ requiredEnv "PWD" }}/values/{{ .Environment.Name }}/values.{{ .Release.Name }}.yaml' + default-env-secrets: + secrets: + - '{{ requiredEnv "PWD" }}/values/{{ .Environment.Name }}/secrets.{{ .Release.Name }}.yaml' + # ---------------------------- + # -- Extensions + # ---------------------------- + ext-istio-gateway: + dependencies: + - chart: bedag/raw + version: 2.0.0 + alias: istio-gateway + values: + - '{{ requiredEnv "PWD" }}/values/common/values.istio-gateway.yaml' + + ext-tcp-routes: + dependencies: + - chart: bedag/raw + version: 2.0.0 + alias: traefik + values: + - '{{ requiredEnv "PWD" }}/values/common/values.tcp-route.yaml' + + ext-istio-resource: + dependencies: + - chart: bedag/raw + version: 2.0.0 + alias: istio + values: + - '{{ requiredEnv "PWD" }}/values/common/values.istio.yaml' + + ext-certificate: + dependencies: + - chart: bedag/raw + version: 2.0.0 + alias: certificate + values: + - '{{ requiredEnv "PWD" }}/values/common/values.certificate.yaml' + ext-metallb: + dependencies: + - chart: bedag/raw + version: 2.0.0 + alias: metallb + values: + - '{{ requiredEnv "PWD" }}/values/common/values.metallb.yaml' + service-monitor: + dependencies: + - chart: bedag/raw + version: 2.0.0 + alias: service-monitor + values: + - '{{ requiredEnv "PWD" }}/values/common/values.service-monitor.yaml' + namespace: + dependencies: + - chart: bedag/raw + version: 2.0.0 + alias: ns + inherit: + - template: default-values/common-values + - template: default-env-values + + ext-database: + dependencies: + - chart: bedag/raw + version: 2.0.0 + alias: ext-database + values: + - '{{ requiredEnv "PWD" }}/values/common/values.database.yaml' + + ext-secret: + dependencies: + - chart: bedag/raw + version: 2.0.0 + alias: ext-secret + values: + - '{{ requiredEnv "PWD" }}/values/common/values.secret.yaml' diff --git a/installations/databases/helmfile.yaml b/installations/databases/helmfile.yaml new file mode 100644 index 0000000..7aefd88 --- /dev/null +++ b/installations/databases/helmfile.yaml @@ -0,0 +1,45 @@ +{{ readFile "../../common/templates.yaml" }} + +bases: + - ../../common/environments.yaml + +repositories: + - name: bitnami + url: https://charts.bitnami.com/bitnami + +releases: + - name: mariadb + chart: bitnami/mariadb + namespace: databases + version: 19.0.0 + inherit: + - template: default-env-values + - template: default-env-secrets + + - name: redis + chart: bitnami/redis + namespace: databases + version: 19.6.1 + inherit: + - template: default-env-values + - template: default-env-secrets + + - name: postgres16 + labels: + bundle: postgres + namespace: databases + chart: bitnami/postgresql + version: 15.5.16 + inherit: + - template: default-env-values + - template: default-env-secrets + + - name: postgres16-gitea + labels: + bundle: postgres + namespace: databases + chart: bitnami/postgresql + version: 15.5.16 + inherit: + - template: default-env-values + - template: default-env-secrets diff --git a/installations/pipelines/helmfile.yaml b/installations/pipelines/helmfile.yaml new file mode 100644 index 0000000..0774da9 --- /dev/null +++ b/installations/pipelines/helmfile.yaml @@ -0,0 +1,18 @@ +{{ readFile "../../common/templates.yaml" }} + +bases: + - ../../common/environments.yaml + +repositories: + - name: woodpecker + url: https://woodpecker-ci.org + +releases: + - name: woodpecker-ci + chart: woodpecker/woodpecker + namespace: pipelines + version: 1.5.0 + inherit: + - template: ext-database + - template: default-env-values + - template: default-env-secrets diff --git a/installations/platform/helmfile.yaml b/installations/platform/helmfile.yaml new file mode 100644 index 0000000..d837a46 --- /dev/null +++ b/installations/platform/helmfile.yaml @@ -0,0 +1,56 @@ +{{ readFile "../../common/templates.yaml" }} + +bases: + - ../../common/environments.yaml + +repositories: + - name: argo + url: https://argoproj.github.io/argo-helm + - name: db-operator + url: https://db-operator.github.io/charts + - name: chartmuseum + url: https://chartmuseum.github.io/charts + - name: zot + url: https://zotregistry.dev/helm-charts/ + +releases: + - name: argocd + chart: argo/argo-cd + namespace: platform + version: 7.3.6 + inherit: + - template: default-env-values + - template: default-env-secrets + + - name: db-operator + namespace: platform + chart: db-operator/db-operator + version: 1.27.2 + + - name: db-instances + chart: db-operator/db-instances + namespace: platform + needs: + - platform/db-operator + version: 2.3.4 + inherit: + - template: default-env-values + - template: default-env-secrets + + - name: zot + chart: zot/zot + version: 0.1.57 + createNamespace: false + namespace: platform + inherit: + - template: default-env-values + - template: default-env-secrets + + - name: chartmuseum + chart: chartmuseum/chartmuseum + version: 3.10.3 + createNamespace: false + namespace: platform + inherit: + - template: default-env-values + - template: default-env-secrets diff --git a/installations/system/helmfile.yaml b/installations/system/helmfile.yaml new file mode 100644 index 0000000..7306403 --- /dev/null +++ b/installations/system/helmfile.yaml @@ -0,0 +1,114 @@ +{{ readFile "../../common/templates.yaml" }} + +bases: + - ../../common/environments.yaml + +repositories: + - name: metrics-server + url: https://kubernetes-sigs.github.io/metrics-server/ + - name: jetstack + url: https://charts.jetstack.io + - name: longhorn + url: https://charts.longhorn.io + - name: bedag + url: https://bedag.github.io/helm-charts/ + - name: metallb + url: https://metallb.github.io/metallb + - name: traefik + url: https://traefik.github.io/charts + - name: coredns + url: https://coredns.github.io/helm + - name: cilium + url: https://helm.cilium.io/ + +releases: + - name: namespaces + chart: '{{ requiredEnv "PWD" }}/charts/namespaces/chart' + namespace: kube-public + createNamespace: false + inherit: + - template: default-env-values + + - name: roles + chart: '{{ requiredEnv "PWD" }}/charts/roles' + namespace: kube-public + createNamespace: false + inherit: + - template: default-env-values + + - name: coredns + chart: coredns/coredns + version: 1.31.0 + namespace: kube-system + inherit: + - template: default-env-values + + - name: cilium + chart: cilium/cilium + version: 1.15.7 + namespace: kube-system + needs: + - kube-system/coredns + inherit: + - template: default-env-values + + - name: cert-manager + chart: jetstack/cert-manager + version: 1.15.1 + namespace: kube-system + needs: + - kube-system/cilium + set: + - name: crds.enabled + value: true + + - name: issuer + chart: '{{ requiredEnv "PWD" }}/charts/issuer' + namespace: kube-public + needs: + - kube-system/cert-manager + inherit: + - template: default-env-values + + - name: longhorn + chart: longhorn/longhorn + namespace: longhorn-system + version: 1.6.2 + needs: + - kube-system/cilium + - kube-public/namespaces + inherit: + - template: default-env-values + - template: default-env-secrets + - template: ext-secret + + - name: metrics-server + chart: metrics-server/metrics-server + version: 3.12.1 + namespace: kube-system + needs: + - kube-system/cilium + inherit: + - template: default-common-values + + - name: metallb + chart: metallb/metallb + namespace: kube-system + version: 0.14.5 + + - name: metallb-resources + chart: bedag/raw + version: 2.0.0 + namespace: kube-system + needs: + - kube-system/metallb + inherit: + - template: ext-metallb + - template: default-env-values + + - name: traefik + chart: traefik/traefik + version: 29.0.1 + namespace: kube-system + inherit: + - template: default-env-values diff --git a/values/badhouseplants/secrets.argocd.yaml b/values/badhouseplants/secrets.argocd.yaml new file mode 100644 index 0000000..de56ddc --- /dev/null +++ b/values/badhouseplants/secrets.argocd.yaml @@ -0,0 +1,26 @@ +configs: + cm: + dex.config: ENC[AES256_GCM,data:Gno9D77U/9pr9rVmiium0rOOfAvNOzWI58aY64YlKrZbTZw6901WPuUbc7Q1hhBD+M7/lFSxFHbHsczuIAcxYBLpiFu4XmT/NiWMjW/H39nRZlSbULOG4uR5oPuZMe0PK6sG1BRkVcgCQwIv9CqdGjobxFm0edyDKO/+nPHehIxIXe516YFLxEX0fktnVRjyQdnStyhIkx+HYu038pTTlzmRnwJR/zPeBMlBL8oLaN/uZAkxUXId2SEgG6LekVIHlq6THkv4BLskAIOYfMHCiKJbIECie6c41yGtp/UlrF58UAhw2T3SpK3LttRDhsfUSgV3wSRMgZe8cBWo/2hZmZM3G3XXCRdQ0nvkuaA7rECrIfJq3GQSsp60yShkyftbQ3oWNq+xkkFRaMHh5r7y/SVgOaX6XQ+AeGJ2klRQDlNap8PigmYAkl0njEOQT1C/G1y6cO2M569Cu4QEz0VdfAvKq0BfIdizf08MpZkfkvKDWOjHmcDPOaG219HOQN4YqMYuiYiNUqVv1TMJAOmaeqn3LFsVHdXJbDVgLkmRdSc5lGmYfzAfX004XIgcHkvatjxHma5H8MeLrpYhuyUFcURraXm0JPWF7devc9e4DxYIod4HtArUrtq41SCT4fIy2IDiwZeWlMGHdN5d1Pg9DjOJwAURd7eKhbFDs5t5tWKEnCt6GeWlBLLev+SGXgcmb1aCqbl0B6tqwevp9Uk++mRnPJRfcEavNZ2HHLe2g5a5bVfQ8OmMUiw6mPHtMjPR+ME8sDe05DwD0tdk8+o0p9CA2SYklkmUhRiSckzk3+XkRPq4bPxuetzUZd4EViXfVdAy8TteIju4Ke5jlWJmYuZheOm8qq0=,iv:+oFJiDrtgPF0MQ9zfgy6vL4xHmw3c5ZidBb90zFL2b4=,tag:UZBFNN7WVw4GRPGGCzaGgw==,type:str] + credentialTemplates: + ssh-creds: + sshPrivateKey: ENC[AES256_GCM,data:siaf1YrOopN63MRlFGsNiutvLJeZt2nl4dpm1LppJmV1k9OFxRFyEPGCL6lAzBSevoULHrYgzfTIr8QKGRnQtXOmj7oRwtZ0rhF+s92NG+C420miSDslizUifUl3ZVLeD031FweF/VZMP7zIg3D2HiwMOad2NkzZwwbPHDyXIWn+UtTIQtbfKoj3aB9VF8lZzrYDw2sKvhaAB/GzjVrsEhzp+lUyHadVImezk5LMQC/MYQPbGImCFzJKn5/FwC3ENsZRq5VpuKPhMwcWUHwoYoi8l1ELkY/A8WPOTN+uXrlpg4PzxLR8LefpCxL0/6HcvC1VdQxHhlm8vXMBIPNZwXHW1c0r5bX5oDQl0DlbOvwSKmi1qOcmKt6ANyg4asaI2y2KtQJxR3/3/D7tfw4HAxIj4FIgfZnU9qOocJH03apCJ6geLi8a/dULRCbGewuPlQ3zhyweJlGTI+y4oBWpncO4SfZT92zCIwBSu31iHoLTO6mTAahtW+xqp0FsJ1uvoYyyVz0y+Qbv7OV/6ydOMGVyBkaYUbbzfvQOv6LmPhmf3folY77vgJuTiybKo6t2UnH9lXPUUqzEIhffzjUjCBqrLUBoBz1/CB3Z+vwKcAHgM43SgNMbSFEPjKHlMqZiqrnOZ7y6ijzf9UvVlvH1oZNEYbMdPTGKV6Vidhu1NwSnAo5xcQkODo1RpMd1JBFIfrU2KvVTL/hw6CQ4o2Q8b/ljoz9L+8G39TxfYl82Vr6Q07Ocz2k/BpxLQLBS2GApP/Wxvazf7JsVxoBbFhNBKwWdWaop9DYTKpo0xB7j8zSlksoLWL0K9sRrF4fC5KLeGRjvTpGtRtAi8Afmg+A4W9QXU6WZRF679UtGcsLnM5KmQFJLsDn1KP5x8PqW2xU3lXoR+SzGDo7ogqUq5tQLD0kx70hq1X+KtNqK70eVTdylg19A/sXQMsfpsUtmDjYUMRycT16lzBn1yK5LpaD0QwArXFijBfsRnzWRjXQqov6UfiI4yyNt6Dwg+Mb8b0KeEOwSbTwbl0uOJabM4bT8NKFYCwJoEGQ8pZ6/vjCwKyp6DBsDv7ecLUXFtGmi2ew2r+cPrx7nwkWswI4rd63sbFPiGDfx6txA0l2LpAcp7rA3qIXaZBI/7t/pWGLtbrJ4LEQ2ozzmRZ/Xm6w7x4nCndksoakUk+9nncUYf0PxAh3kncJSceHcTPqtkYToVEBEyuwwOy/6QzBMbj/hcY+SoRVCmn6SQspojHhq+tsA1M0koRDotwCDMvmlkK/XcE2o9knszDKiytGdyvLdZlCCUJhdJbkW0wF+M0BIF+CD1DMgqFLCPP4J2IuGuMBQap5AoclPLSApgKpe/+9h6u9Iu/R5Rdevqc2jtzlJn8wV/Q0nyupyK0vh/iROrqMZFQKoMxXjz7BfCOBfnIWFKuRtDjPnyJTxrv+BZtslIbmjU0mhg15CHjIeDvT8sGQFj3Cpl3ft+CLUDXaK2GASQor7CjpQkLeszeBsO8oHKsAHgHQDICXnYRjiVT1fppQEd+DpudJ8hPMtRYSEd5ZDdSYFSGo1lW8TLOw+64PC3bQ/SZzvJ97EBgXf0c79Ogdg2OygPA3Wz1vPODHY40sspmUrZ7dcVU4CJYFb7xYAmR8L3TzxTOnvSqyUwd2+1jvE7N3svBQ4IpiyC8mKp0lem8Lw1IR8CFyJ0YQY+NZQwoZwRXbF1ADoRIK5mcf6kZwv+PMTs0hlqE3QnDpAWsgU3JGAHxOxC+rfId6thAYEHlMcVEdhYOx21lh6a2khY7v4vWdOYLJHN/oIHIIeV6DKjzKwct2484CIslz3lb3XzP1I6eGeHkD5jTiMs81AYmODxh1D8H6h0HNDaxtvlMb75UzIKpj+zCX9DopY/lckZeTaHQDOfoTr8N92gwM1dRY5XukunlM62QOW/dDYQw7zWSc8q5LDvP35UUBWB3Av8iIx8VaKvTrgZ62oI5GQlswozdgfuCvZQboQ+ex1AKqWhva4vOfWqAdEpsmMM9HKac70oXDiU1Db7o1QvyvYOHlV4mvfTlVJR1lZotXOTe1mlkDxNFOc1McbMH8ZcvU6FjxUsMG5TiKlBMKPohcHsLfb+iQaBHhvo5IkSqsoQqlNGVZDMCrr9U6oCN5guhm0sNGdkrh2IrP0Rfa4I8/vE/FQ+yiHo5T0o//bXnVOKPiCw+PDEFieme+J0V6kBK91y1pqN6YGgCEPxW1kHmY+L59R0N232G6q9rvH/2K8RrM9KVj0PahAl7yCA3SWaGNQewFd4K90DQFknYxlhNV+RT+E7pVufxG22sVK+He3jCRm9HBQairhf6s3TDnTtCO2sQJCR19ZIPerhDfKWAl7rIKHIqSB1r5xxI+B7hYlnEJ/aD6duJNRqt4AFbsptQuMovV7/f0RDHSrN9v0YXsWZ6sl42vKg/ru6bU2xBbYRlQwQhoolhV5urO/B1X5kxhiFlO/qH7TJXNyco2QG2F6kxkWVhGzxo+OmVAoOOpPYmAMkj1AlXJ8N15muAw4sWhY5LcSM5Cy8Uu4yih71sxPrEsN+xTbwvyV0kfVHNw+IiiD28onUSD70l1OXzL6x5arbB98r4yyQF+TlFfy8T4KIRW6XsBrqGNJW5zD1rmbNf9ikQeyF2Dwo7e96l0jHqRQHKtu4JcW++hxeZ2U5r14TiawOxbm5NNhiW122iSCLSsrqlKx+gfE0+vkSO1esU8Uvp1OlrFBTcse7m/v8rb5pwyMKmokWqJdmX3DzLzB1I0eXBbeYX4uV4SUs/G4ObTWf0WwB3+QcPLlALKaBcGikpdHvtwAJbXsiOdcLEDgAgfysXBFjNBx0Zg7iXl2lRiDkO+yQX9bbRx8lPmrHy2FYUabJwmw+Lg7qLMKEo6EPC2rDmYyZHpSix/DYHK9+busiTTqmHUHk2UXShaNUnL6s1h97xMAtEk3KRy1ZyjXX0LTW7MFa/g5Rzl8Icpcoxr2jFdegEQReKF3Uuq/fUNlNCN2F4Piukqt1QoVgllmi2zhMyggrUsniEEFjBm/Q70sOXnstjyQl4JfF6froqT9hZ1iQ67wB2xM/4TtFEsaPUWbCfsVfcnAxGDbgCeIgGm2y8eo+9zWYfWOLhZKhneWlcYIueHWxYLhU7cbK+GPste4Ovp5ER0iTYZzuZBVdCKEeSpk16uDdncwGNTTrwmNmoEj4D/IiScbka5igiatFATGCQPVcz0BGbu+MhHktbSXeLYUqe9QdF0PpMaRUmZAOGmE261aHmIO5wcFTJqAsWZrZFfcnSw1I36o28f+9RfOM8FEAn/VOaWVWfZtpSMAYSzg99oHeikclB51YFCXUZGHPmwmAU3lz06G2IunjIraQepvZmoFT5IcBCfgjJ0i8Y+z8HxxnNo4z7ZobMo5EcLlZSgxIf416JVlPKoo7v1TnloD0Kept6szfiEaaPeAbhLYunteGd36rmUvN251jw==,iv:Ep1EEN62y9yNXeDJVcup1snyv1W+6/71MulNNtWrnMY=,tag:9QxpLc3SoxuRJ7k4ndrPFA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxbDBUVUpjTHpVdDZpYVFy + bmpCbkkzZUpBOG1TcDVSb2N5MmNFUWZqUzFRCjg0QlFWTUp3QSs1TWlqK3k2bFcz + dU0wRzZHdkFrQjdiSXJaU2w2b210YW8KLS0tIGgvUTRmdlNHVGFHcFhocHpMcy85 + QnNlUzBwZnVYRUVpbGM2cEhTRXVUWUEKFOrBmRYTAAjEAvWpOP5f+KiuCEzK0sko + IwlBO0efKXOELMblI8qhnZT2SCG4Smis3XvnnpMbrutgK8gwFw105w== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-07-11T13:17:07Z" + mac: ENC[AES256_GCM,data:cgKvMKIzbYU77A6BBJjYuf+oYt48riNzeRV4uhRMChnUsBUKacNKCBBSFc1PzuUFonFONKDesv8bFzluqcY5ZPf59WBMA2/hbTt+eGTrHCdb1i+QgyYnfVUhXKz4ckEjKkAJBKwcb4WNRsA2ULyuGc18D3e5RsAsD4oqGdS6lqI=,iv:OLYyE35E8apfQEKYcVm09O09iE4nnEXpSxFQyLUy724=,tag:hbS2uhN25Lk1ZvOBlRonrw==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/values/badhouseplants/secrets.authentik.yaml b/values/badhouseplants/secrets.authentik.yaml new file mode 100644 index 0000000..3dc49a2 --- /dev/null +++ b/values/badhouseplants/secrets.authentik.yaml @@ -0,0 +1,24 @@ +authentik: + email: + password: ENC[AES256_GCM,data:j5JFI7KqO2dOjl0xi4KhvnF04tc=,iv:/YH+XId24X69lRXrp73ZhKGOcuEtXn/ZvqlJwMTgdRk=,tag:YBh/slhCstFpXxE4y05Viw==,type:str] + secret_key: ENC[AES256_GCM,data:zbs2HX75h3rITd/JRPVa60AhrWgDp/syWFttnadRyDJFFM4/6YFOUhJNcGGQis6Tz5Q=,iv:1iYOTqBU3WHNPBa5TpSwi6+h6IT8Joc6Z4c2UKY7xQ8=,tag:DcRfBP69i17zKFobMA3WFQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBGK0hPSEY4d3N4QS9aM0h3 + NXRYZ1BMdXozVzdJWmlzWnIySXBwcHVrVUhrClgvRENGTHdJMnVsTjdSN2NseUtT + cjJ0emRObHdXTUhDejhhVEI1U0xvNlkKLS0tIHh2NGhzbGZDMm9ObDVxN1NYYS9u + WlhXbFVQbFZUNFlGWEhoVktxUXRuZUUKJNSS+vhG5McKrxvqCIT9dGivcReZOud7 + HEReDoZcf0+7c4JgnrcT0AvvTR5fHPnfveTkwHym3LHMYbZnIPueig== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-30T18:36:34Z" + mac: ENC[AES256_GCM,data:djXTiatawc1OuJ5VqfbR8wS2xKrvVZigGLyQa7tx6/zbgcP2yLQJvcYeZj6zHhQasFzaiNbD05Qz+9Td0ysxZuAnajQ+CaulnIOhy/FhaiiQFtqFTR7xEsFIiUBxTPEJkhVNlKTxzjJ1AX2dagiov75otC6jbueQqYTXaGGcdko=,iv:oWbWTUqlM1zQ7zfC5FZkNJJ8RxvM9+fvTWobgJCmLQE=,tag:7Jb9XBBq1OI0ghqOqxiJJA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/values/badhouseplants/secrets.bitwarden.yaml b/values/badhouseplants/secrets.bitwarden.yaml new file mode 100644 index 0000000..4407926 --- /dev/null +++ b/values/badhouseplants/secrets.bitwarden.yaml @@ -0,0 +1,24 @@ +env: + ADMIN_TOKEN: ENC[AES256_GCM,data:ea2lgOEYMi8Dsvun00YZR3PCE3ycNC4Mpe+xye9YL5CTtnyrDwV9Tw==,iv:28Tcn1/qIquS4jCNBTtspB9c+5U3Ut1zoY6gIez8fcs=,tag:POmhoUY3t4w+iTJKK2eHVQ==,type:str] +smtp: + password: ENC[AES256_GCM,data:cs+2Ml3YfZCk8z/KmexGMqzFQRM=,iv:mg8e3oHbLT07pZEdDGwlBchPyT83xOdwKJg9CCaicnc=,tag:NPD+8gKERO8uCuwrFnn3bQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKL3M4VWJBQzZQdHRDcXVw + VWIwcjd0Zm44V01DTW1aV2FhV1QvT2hpcUVZClJ2dHdvcDYxalEvMXB2a1F1WlRy + K1VOYmg4cWprSHpLSVJVK1lYVXR5cWMKLS0tIGJ3bHNIZE9zR3RuZmpmMlZBQ1Qr + dzNYMlRnUDIxK2padTRCSzR4UUpWQjQKxex3RqZGU7ekdNC3qIiqdFs7d7a0Pxa1 + amLsaNnBfJ3OqjuD8atF2iCAXy1Q2BcXunkWi3wbzHb/DgYly3n9OQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-10-15T12:20:48Z" + mac: ENC[AES256_GCM,data:2yRwdYM32eESPuUz+d7m7pTcluDUeOrLgv7iJmhPEnowcU9WvypAZr73w4y4ewc3yvLmmu5uuFjJJhN1+yjwULGUtU1NPdcvXHsGwtlA7KDyYUqwIc4NrD6BAeR7tRQChNVD++2wB43kiGAWAMmieOMt+xHcaWlM2btuLoiwE34=,iv:ZMxA5eu0IJKTRBtoKhyIJiDe/W3zVjzlz3TbO7gpRnU=,tag:ErYqzleh87+wj0uBRah20g==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/values/badhouseplants/secrets.chartmuseum.yaml b/values/badhouseplants/secrets.chartmuseum.yaml new file mode 100644 index 0000000..8e14680 --- /dev/null +++ b/values/badhouseplants/secrets.chartmuseum.yaml @@ -0,0 +1,24 @@ +env: + secret: + BASIC_AUTH_USER: ENC[AES256_GCM,data:i+3uBSJ1yrA=,iv:bhB9fIPxR2y9sS4jfbuhAIyzMHgoIRLFGXzQJ4763Cg=,tag:7pv9IOcBXhaeRu3qChQP8A==,type:str] + BASIC_AUTH_PASS: ENC[AES256_GCM,data:zSb7cw==,iv:CL6ywqsc2hpTnBl7ndD0s49JNEmMNnu3X0gke4KT3qw=,tag:tSVaRdIZpkzsqp6n1RUB9A==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBc2RwQk9OTS9GV0NOb2x2 + OE1YVEsveU1VMTArZEJ3a2tETis1N1FTTndJCm96bWtYMDdRNnVTZEk2b0JPQWFl + a1BTcWVyUWZKOEJSWDZEcWZydEc2b00KLS0tIEpWdTZGWUdCUHczWEZoR0dSTlRY + TlNpbDVHa1VDUk9wODJLaHZJT2JoWmsKUD7yk2jpDVHvP5B4soK7k834RI+ydHxg + H9/8nzPNwNbpq5ysHmYFChpfiOHrSKirVINUP7MmLGdPZ24FSHI4+g== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-03-27T08:47:35Z" + mac: ENC[AES256_GCM,data:w72acY/GygiBVO/3/OQU1WJ90R+mbuCcGid9KzCAPOtdhBBbY5zZUtkZvkZkaugoiI+bpywoXQI/5JbY4+23D4MN2XHHG69DIkpR0eygeTHWc/id+LhfxIGHqvYzULshQuyVtPezoExWVwC3c3ZJYpkzRJhgOjA9TNg5ib4jnIw=,iv:srnydYWdQ352zeNzk/HJi5CyoQEqsDxbCV+1aT1qE8Y=,tag:zCRILWPmLcW0mN/IRpzazA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/values/badhouseplants/secrets.db-instances.yaml b/values/badhouseplants/secrets.db-instances.yaml new file mode 100644 index 0000000..78e9831 --- /dev/null +++ b/values/badhouseplants/secrets.db-instances.yaml @@ -0,0 +1,33 @@ +dbinstances: + postgres16-gitea: + secrets: + adminUser: ENC[AES256_GCM,data:vMINVc9s2Es=,iv:Ry5so0+WPntFh6c3nMojw5b4vONdq+Ys5F7256psGaw=,tag:YbWaWwZ5SiYMOSXQ9n9t8A==,type:str] + adminPassword: ENC[AES256_GCM,data:xqlIJgMylef69LEC1M8s16UPCnaPlZuokO+rBPWC11ruBEkBD2FHOEvkCMsGcnPldmQ=,iv:WBO4LFIFGU8q9rWxFYdUac650QxOfmOT0b0PmOsdVZU=,tag:QpFfVINvBkrWW0+pPyj6Og==,type:str] + postgres16: + secrets: + adminUser: ENC[AES256_GCM,data:NsrkusJt+1c=,iv:MA8vXZRhOeO8XilEgpwiqvoJbNjghTcl4CJmHE5mjR0=,tag:awYDx0rT2HCIm6zDvG5L4w==,type:str] + adminPassword: ENC[AES256_GCM,data:cgEW0YTi5MRgGEVAfCvRjPmzLtzy,iv:I7+VS6pZGUrd9To8+eX7EoIoQg099kaYeWXMXKfkS50=,tag:n9LgvnvSa3JjyB+gwT3lQw==,type:str] + mariadb: + secrets: + adminUser: ENC[AES256_GCM,data:tZm9aQ==,iv:XmeasI4tGcws2SRoqKIyiDLoAx0UMBdtm8pXxivb0lI=,tag:vOwy193J2+FuzBgM0Y40Dg==,type:str] + adminPassword: ENC[AES256_GCM,data:tIozTmj3CYTGZUevJMo8R13D21c=,iv:VVD6VaYUrpV+WUaiRl7wD1mR0Nh35CscSdY1+Y8Skbw=,tag:KZUDpRSqUbkHX8UKHKYoEA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxSG10ditaUG8rTlhaVUhs + cXJHQ2JXaW9IalZHN21ZZGQrZzZ1T1FOWlRRCkZOc2JmNDh5M3YzSXNTa3R2U2hj + ckVRVklsRlh1RlFES3JDdjBPSkxVN2sKLS0tIHVzL2VQbnFnUklyamNvN1VmUW5W + d0xSNVM5OWxzbW9YRUE1ZEhZZ3dtR1EKI01GcMKUlu6mU237nGipXghGB/sduRjn + AKpwYgh9IN55ZrDRUsZOHBkded5IlQAwcmbJIjxJi1Ce5XMSQnKF4Q== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-07-11T15:30:32Z" + mac: ENC[AES256_GCM,data:bhwI1bycchie+CwNBVtSc2LKhfyGBJ6k0H5qupzo9pfQQ1MYpLKs/0oR/vvJf09LNAp1rS229si2BMhpiF7v002bfFNvz6C09l2q4q5SqySgV4O30mu9mXjmyWOiqgBgH0gBEEZRBmJfwlKQXuOpkd/uPi+M64WYpOHkjDrnKnw=,iv:GgC8woC4UT8B1fMJvS+MFm0mxg/42huOzaRzV2RVyjM=,tag:6+oTQDiH5KIp5iSBkG2i7g==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/values/badhouseplants/secrets.drone-runner-docker.yaml b/values/badhouseplants/secrets.drone-runner-docker.yaml new file mode 100644 index 0000000..eb18677 --- /dev/null +++ b/values/badhouseplants/secrets.drone-runner-docker.yaml @@ -0,0 +1,22 @@ +env: + DRONE_RPC_SECRET: ENC[AES256_GCM,data:RAZbnTrv9PxiCLLqjKWBtFWd+Nzqma8Zw+NuKRLO,iv:IiFcTQGUmYa6UCBzx1yTDd0zwB6D1Cv0raXZxLXm1qA=,tag:83bnBW+MhkKehZfso3g+/g==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBOVk0yaTlySHpuOWFFT3J5 + Z210NzJPTmV0akdFQ1REM1JzK0pwTC9XWjJJCm54QmQ3ODJwakZuamMzYTBIeEJi + aUxKNmQ3dU52V2N2cjl5VTJpTTAwWGsKLS0tIDFyR2o2VnQ4QWFCWWRzZGNMZnNQ + em1VMlhBNGRrVFhXVUVRdU16Q1Q4bUEKvZ6UbZsfdvfCk37FlEN4vg0RTnPO2nwh + DY4klzcan+9DBRT2qdIIy6pj94GuSoXKXEYc9X0AvYab/HoLithMWA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-05-21T09:27:21Z" + mac: ENC[AES256_GCM,data:U2JETtW0lbb2znJBupGMPsab13y5M1v1N0wkFxEBs+YVNFhnkvIqSZiY5mq9KTYiY4tRzw1kV+jqP0jNsODekCI1++4NBuQsGSZFUoTERHgTRlnz1aAS+nf39lvYnWyQxsQmw9vY/GQ/yluBJkOEV/EoIF3wHjxZe1HCBIViPyk=,iv:WMj7aSgW8LdNQbOgC4FcyOtR/3gjckiHO8vlZGdiTeY=,tag:Xty2QVLJ/D2dlzQY13od5w==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/values/badhouseplants/secrets.drone.yaml b/values/badhouseplants/secrets.drone.yaml new file mode 100644 index 0000000..82877c3 --- /dev/null +++ b/values/badhouseplants/secrets.drone.yaml @@ -0,0 +1,24 @@ +env: + DRONE_RPC_SECRET: ENC[AES256_GCM,data:W1OAxQIUbVU8uYHtxujhPyww4jscNH4LwMAGOU5v,iv:ouToTniIMiy757x40MKMtmLFBVzpuGxSYOTMZmmN8ck=,tag:RZ/cb7cRXDQSAQwGqdX+zw==,type:str] + DRONE_GITEA_CLIENT_ID: ENC[AES256_GCM,data:7Ohn3nGR9VeIhAr9EdW1/juRFo3TXpKIwU07hD8mGoyBrbyn,iv:9/y3Ou8H/PL2hMsirJaqviKGQuzVlzL43iGAKQb9NII=,tag:EZoo2F4/HoOcacWOVU9yjA==,type:str] + DRONE_GITEA_CLIENT_SECRET: ENC[AES256_GCM,data:2wAbiSJdDb5lGUOocK14pZtwQI0EFmXGStAigKsPGAZUKyn7M0B6xBO1+B3wZYVnIKEohiNIZF7k,iv:Y9aCzdSH5cAIZfk84Clto/IrQMRaoH+bOkvbP+9CcLM=,tag:FVfLsEA56WGNCl/8ut4F/Q==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaREllV3RqUVg0anpIU1Rj + RFh3WkdGdEU5bWg0bWk3bWU5OHFkeFF6SGh3CmlOek9zL2w4a0ZHc0p0WTNucE1Q + dVpDeW93QlNHZGY1dWhOc0FneUFjQUUKLS0tIEhuZE1CMmZLZFIxbXJTZmIzcEE4 + QStxOG1iMWlxQ2dmOXRabXp4cm9NSU0K/+CRAc7DH4PgbQscXvDb7yLe8VoEpixr + icD3GL37kYE2D4h1cm+p+/b7BF4/yjNlCUvo5cITXRjZAuiWGwUixQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-05-18T17:11:19Z" + mac: ENC[AES256_GCM,data:d9G44MW63rUa/MQaW/rLQQ4dlgOOje6qaS1V7yWT3HrkRLOXRCfuK5E+XeWC1PuQwMk0ghaNYJDT0FTnBsoJbxlu+7Vb91qlItn+azvldOFDvtGTRpAK7bPjM+p+G4/gZsgarFxaTh7py6Z/HsoqP1RvaK8GWNhRl7VfTiFuUrA=,iv:e4IXbSSiHMTPc3WijuwgF8L5aG5iMMfu6P/IYD2cp5A=,tag:aGqcqjjrO+PfYxfIAgSmeQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/values/badhouseplants/secrets.funkwhale.yaml b/values/badhouseplants/secrets.funkwhale.yaml new file mode 100644 index 0000000..8ca3587 --- /dev/null +++ b/values/badhouseplants/secrets.funkwhale.yaml @@ -0,0 +1,27 @@ +djangoSecret: ENC[AES256_GCM,data:Usu+QgI7MLUmU1m3ExE=,iv:wv4i60NCuG13xBPSCZ3NDQI+z5h9ENPVQcZmqUUFvls=,tag:2SPu5TC4sDxXkxVdZ9j11Q==,type:str] +postgresql: + auth: + password: ENC[AES256_GCM,data:Ly65GeUvKfwKfRakpDZWftzzE11hw6/mQ/rP,iv:DUIGI68MyWF7H56QIjajgP9GRNwdirX4i1lNMP02vXw=,tag:bl0bHFIbMWG2gVns+Fvfiw==,type:str] +redis: + auth: + password: ENC[AES256_GCM,data:ZLhshhCqRR4ks/UoMIwSbHtwSE4yg5Kv6GvqUvq9,iv:urWADLANGZz/W35grDnaFuvkzFx71fcqWOzpvz/5fR8=,tag:MLUMmSkTSGCntlooOWtR/Q==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpT21wYkxzTnJpemJSUWty + dm5EYy8rcXVnT1dVSlhjbkgxZkdsdGV1WkFnCk9pNnU5U0FRL1l3NWwyMzc4Q1JG + SVlmRUwwalR2M3NwcjhJTlVTZWFIWXcKLS0tIDBtU1V4YlJxNVN4UVdscGM0RW1Y + ZXFURTlCWnJLNWtjOENSclIxbHZWeWcKPzZZsTcvVWbLCroJZWeI78H8cgoLfxjC + nXtzdPpaENY1k6XULtsMWmh73Yj1Ul0pRvGiYRetRV0LOo+JeLcJ1Q== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-02-09T09:33:11Z" + mac: ENC[AES256_GCM,data:OCvHNmxwe5pd/xZiwd1LKD/QvzLd7pEQxqhj6xREeq/VQHDapM580DS+BJYEYWRVJUxIJP05E5ZrzYqfmXbynNvY87f1SHNWLVsRTDsKVI5j3ND6mxXH658DcJKfPcJlc3bV8SYX8ATiWI4JIyV43jvhFZ0JFrWLMzPlc2wVdQI=,iv:stgL/nBiCh33GEkBTRvcVyoc8LtX4ZEHgVbsl8x2GII=,tag:grVO5PT8kOlbbF/FfXBPmA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/values/badhouseplants/secrets.gitea.yaml b/values/badhouseplants/secrets.gitea.yaml new file mode 100644 index 0000000..cbd3692 --- /dev/null +++ b/values/badhouseplants/secrets.gitea.yaml @@ -0,0 +1,48 @@ +gitea: + admin: + username: ENC[AES256_GCM,data:3vMaczD5ogk=,iv:r1mcBtnCn9Rea94wxlJl2k9WOgBreSqhvC731ylzTyk=,tag:128Zocc29xbuiMeX6YsPfw==,type:str] + password: ENC[AES256_GCM,data:2dpL5krpBiANfPPUE1ESiVZZmsc=,iv:TrQxyzIrixeR6UcBN+pol6PPOHME+dKAzpB7S7LyTXE=,tag:gkwkU0tnVaA7w1ELvC8QrA==,type:str] + config: + mailer: + PASSWD: ENC[AES256_GCM,data:6j3SksBlJAHGdxYMakPlT5BiH2A=,iv:psdKPFPL//zxhzpIYoOYWRkXuRe3zvdWuEMmxhvdTUw=,tag:pD8GVh9CQwoRTQyYDDqYiw==,type:str] + database: + PASSWD: ENC[AES256_GCM,data:53PIleLwdXm19T5w3ia+NRZI6fGcIsc=,iv:Rzv2j5pRV/lZv6LOm9L52rZV80jB/X46kSugtPYSy9A=,tag:IZQsgKZ/rejAY/yqWZ7Ztg==,type:str] + session: + PROVIDER_CONFIG: ENC[AES256_GCM,data:pd+v0a7iN+FEHNTPTWQkqRqisFkhYx7Y+VEt14OiGwCtqWCyO/KhAYi+5M9sehLc4BlhkZqkQsNk03UtbRqh0N9FcceQDFurAT/UT6hqfLV0afpS2tBq1v6Oy8PPF+/xty43SalSFdmAJqmRWdxQ7MYdi5O/BFB9,iv:aghnx3uzAN88Z01OCLuKpQHfmhlz3QfSOKE1DLFcIRc=,tag:mByau0gklRRqdhqshNM1AQ==,type:str] + cache: + HOST: ENC[AES256_GCM,data:s0pp4tFpn+BSuptnNiF1DsUzCnKcSk5+6fg7dbeUXHk0v57sv3NU2A2enBIVXz3Q/x84iecThl2jJubv+WdaHcuyrojqIycxkCZBX3Qf1gGz6ntAEzLVrsqxBND2Q2Te7vh6sKkxNEfqIrxJ6gGUMVlBJuJEPTDQ,iv:DrEhNNhxlbmt20vHtHUUQefPthaDVi0iKHUlVncjCus=,tag:m5XtiUANaRcBniV5Zgb1JQ==,type:str] + queue: + CONN_STR: ENC[AES256_GCM,data:aOXNVddJsB7ivhZIz68Du7UovOH9txmWBp7hFTNDCX9iN0kQYFEFTsgo3CopaBraDN8Px9AkuoGoReFeeQmobBOoVhLh8uUDc4wh8vX0/7kQF0Y0nL+CvZX/ARdq+quVS2ezT3Q/L9//3i5/+c/JhoXjsnsjd5/3,iv:WGkgDxJvI5n3DmlEvTtTtXhtBLNbUCInoX65pf6xY2I=,tag:ffWgPiWY7aTP2t8a0vJHVQ==,type:str] + oauth: + - name: ENC[AES256_GCM,data:28rs8MIG,iv:1BMEey0O/bP6dn4AoyvQijYsGxgcgYL42Hg4cfZmoE0=,tag:fgINzelLtjMmoNFKMpDvlg==,type:str] + provider: ENC[AES256_GCM,data:7DgUWPMQ,iv:zl2CGsU3BVlv8/RWvZPbWuPTURqK4WP/7nossqToglM=,tag:1J0ocYVcuONp+fP/EkDGQQ==,type:str] + key: ENC[AES256_GCM,data:i2eFPPatiIdP48nDlS0daVVJJuQ=,iv:mA1BYXBbq/lN3VqltqJNr1xx5V/JCFm8WSpgwkl0NaE=,tag:vEhBiSUjcdnrTiuR1i6bOA==,type:str] + secret: ENC[AES256_GCM,data:z3ZnGxQgQUwd7tFhFoCOsfjKbuwEjxBXSCxYKmTgLC86Q85CnWuQ5A==,iv:bn06FAyDoLV8Cvl3p8Iwq8xN9Y/9aa8vWDYZ7QbBic8=,tag:ABBcxyv3DSRG+KUiZtWd4Q==,type:str] + - name: ENC[AES256_GCM,data:DRvxuHW5YHyd,iv:lmorxsp6UQXMGzDtTOxsk9Spt6PtQqBZXpGLjWPSfwc=,tag:c+Z8bTWIBMb0T9zUp43t/A==,type:str] + provider: ENC[AES256_GCM,data:bVFY/VZYbfttfSVH2w==,iv:zkvp53USluN03spZBnMjgQeWVJeX1AawOWP7ZFT8ghM=,tag:YD1DspS7NCpGdDaItllYCA==,type:str] + skip_local_2fa: ENC[AES256_GCM,data:5QYHsA==,iv:uFJpxGZJVj+HMGNGAvoEmvYKGO9m2F1KwGBDgr3X7Cc=,tag:7hO+Gl+Y4rJ3386z9H+uug==,type:str] + key: ENC[AES256_GCM,data:CkXCnBs=,iv:w5E3CBdi+Cbyd9PsLjkstKcJDqqh6p9Xy4CExk2YDgE=,tag:FYYVedUt4tmzpHdgn4mm0g==,type:str] + secret: ENC[AES256_GCM,data:8euQctcEMSlv4JR4fLgDAZlnRAKe2P8HD+GNBirWqonb9MoDZLaKQcM4w8Y1Ya2BhJaPfYK2mSizxT0QUhRtN8BMn1h2/b+UDHvGNxheM/5FbTUaSI88HYX7UUcb1bn/2LJIaLoDs59fCkoAWrBRWqoXE5KL/2ZXEDVB9mbtpZg=,iv:iv5U21TIAr+bPc5yi7lNaZonjbh52A5uxPWZCpN00Eg=,tag:NOOhDxyNnWemsRG0ttu/NA==,type:str] + autoDiscoverUrl: ENC[AES256_GCM,data:rWc8bAMGwtIq6Ywb8tVAy9vgxf5ReZ5yqJESlTMFgW0mHTRjLMt8TFijMBHT/FFnnFFN2xapf6rU2bfPmtQBUgnLLDAmalRk1YnzAl+xdjM0e/BLv4q+H4k=,iv:BEEuNh3NcX27/+pzQjKyPiY2IIK3FSsSt5+p/1p79h0=,tag:bNYgc7vYMTpVQ6XROaMwqw==,type:str] + iconUrl: ENC[AES256_GCM,data:o7ZGL3fIiuHSiEXZK0NzACq/qb66QoLEhhtjlSRtCl6t/4mVTKOAj6Extgfl4r9l7k9GRAKVFus9H1BkVmeZGC7cVNpcEw==,iv:vgJB5pRtElNuNOTL6vBTHV4f9m5dh4EtjqIZvaC5xTM=,tag:GpFqcnWJLq5nmukzu9CwnA==,type:str] + scopes: ENC[AES256_GCM,data:+et7Z/Hfd5kmpXyqCA==,iv:GfKUWYynq6CrDLmi6GiCwPN0m7xLgb/BxtUahn2qmhw=,tag:bSlFzz6eRhpy9r21iO6/6g==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKby9xeUJBa3NuYzhGL0pY + QmVnNm9XR2E2MlRNTzhMUmQrdjdqS005djBRCnNGMHNhYzJEODZDUTdnVUJGTmhk + cFFVRTJFN3lwaWxBWHM3K3BZNVFqalkKLS0tIFl2OHVQRVJ2aDJuU0wraU5YcXlY + M25YSCttNGlBaTJyZTZlV1loampJK1UKoxw7UJF0Fv0BK8sQFePWT7GR00f50hMz + cC7b41VLLIVFF2ZmnS7eQEKPCcR8OjcjTo37RtqiTp9Perh4Cd0H3A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-07-11T13:24:17Z" + mac: ENC[AES256_GCM,data:4mPa4PInVeSKOA4VfC7gwYAcU1R3NCMBtn6oC2vLVHk192MBnMYnlLb8+bAYG2TVR38sdcVRfWugucijEouwWcCAixvPoPB55O2q0LtOS075PcmCiBUY2EQwYbfbgSXIvxm8pNa2izKFI6sabXFVhwP1Ofp/O9PVRUk7WYHuQgI=,iv:LNJ1mh5jZLum/kOZPfLIi9B7jSJxkWk0ZrY9yTy6KlE=,tag:XxeroRfGPXN3aJyIxUa50A==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/values/badhouseplants/secrets.iredmail.yaml b/values/badhouseplants/secrets.iredmail.yaml new file mode 100644 index 0000000..e2f189e --- /dev/null +++ b/values/badhouseplants/secrets.iredmail.yaml @@ -0,0 +1,25 @@ +config: + env: + FIRST_MAIL_DOMAIN_ADMIN_PASSWORD: ENC[AES256_GCM,data:dcrMgiX2egbSllo4esVRcJ340oQBRpVkRA==,iv:NQpe96WmGRAnLmeAK0VT/zdJ8MS/8RfAJIwNsL8alHY=,tag:CjppOC4SEW7a9u4Q2xlm8g==,type:str] + MLMMJADMIN_API_TOKEN: ENC[AES256_GCM,data:OxsD/v9ACQuoyHrxZmIdq8TUqmbWCh8GhGaSQTBGfS+vp+v2rdfKIm4WTnI=,iv:68Vli4aaCOiFixooz5cHABuRLuOrw9/HNpBNQzVwAkg=,tag:RXBXFzGCOO6MhoeNhES/+w==,type:str] + ROUNDCUBE_DES_KEY: ENC[AES256_GCM,data:RZni9nCThb9xzzNrN6JTQsLetnMB9cSo1L7hwLERnbA=,iv:L3r0I8sQkoicwy6odvuF3HfIEDQVgnOtn/OMpF16Dis=,tag:ZFaoIywA+FJ/GHAZAGjU2g==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrZlAvUXJBdzM3RjJMdHNG + SjRpSTBYNUs5NEoxRFdLZDN0a2IyQlp1ODB3CnQycFk3SkM2Ny82U1RZZmE1cWxG + TTQxUzhWRWlPQmxYUnN5dVJpb0FWa1EKLS0tIDZSK1NvSmNUQkZucFJCM3FiRHlI + L0VKb2JCc29XWjVkODJxTmxPZXZJc3MKyDy9BH0W1OgEONm3PLCskOWtIr2YW2V8 + 3Lc0Au6lLYetVCvSB82/uylZBHc9yQ2rNdLBUrm1zyDZJW/BmNpVLQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-07-17T05:06:27Z" + mac: ENC[AES256_GCM,data:WP9F1N5ZTYwJk3UfiSwf/QJHp06pawdbu6kUBOMTq1tWOZ/zhCRe0vJzU7alUxhw1RZu8f6tUNeh6qXxt/4mrSuy5dRjOKOJyRioIcRCdg4Z+2jVycDAA2VlPB1oDQj0CIdrW4hvM02KZKxcOy9KP8iRQaYqLlhvWrTAQZ9HAIA=,iv:d/wZUbaU9EkBPRIxqCDDXpp8AMjjHnXxej726q37Ni4=,tag:AC4FvAFBTYOcI02bFD+MHw==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/values/badhouseplants/secrets.longhorn.yaml b/values/badhouseplants/secrets.longhorn.yaml new file mode 100644 index 0000000..65267b5 --- /dev/null +++ b/values/badhouseplants/secrets.longhorn.yaml @@ -0,0 +1,26 @@ +ext-secret: + name: ENC[AES256_GCM,data:4jH3h48Oeu9W8sgd+l5iUw==,iv:JNo5Tf6f+tGCPr/U34/bneEMwudmr8SWRpOwlJCV0AI=,tag:/K4o9qn35GePLKb9Fv97oQ==,type:str] + data: + AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:hlYynKiN,iv:rDL66gw8x0wckf04nUkSOQWp6KJ9nPKH6yaYpwvAC/I=,tag:nVc6H58vgxN4SS/28LAnGw==,type:str] + AWS_ENDPOINTS: ENC[AES256_GCM,data:L2WqNECWNHWRDpT6bSu8FqZ2b7m9R5k=,iv:nhhhrTImNU40+vMt36ZpE2w4gX1RoMnabP+mG1SGnIc=,tag:ioNkPx8195u0XoqD8qoSEg==,type:str] + AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:aVaJV7mg6lKUWvL04Oo=,iv:Wf9HYaznYFWptMR9T63r+wrd340BSQOMpKosfvseaoY=,tag:SzkFOXOjiH2QcxSa/Y5Xxg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnSUs2OXBJbDFCYVhkUjdu + d2o4cXl4d2x3aXFSMm5HT0ZPMWI3YmhHRncwCmtWaDd5Q2d0cEVicE1MOW0xQ0li + aXZlbXBubVVoaTMwNCtiaUxRS3NUQlUKLS0tIGJuMlZZOWhxb0pCSy9wQkNNRk1o + WmwxN2NZRTNRK2dtU2pkMU9WZHkxSFEKUNcfWgzUU6LYxoQflAC6KZXINguTywjR + WJCBbihip0RfFeyiy9E1/O75OVnqwOUHgE7YWv9gekzm6GJhsuLTzQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-07-13T13:04:38Z" + mac: ENC[AES256_GCM,data:ncKEHKNJSSjAXa5T5pBJoRCht228MMOb63JfaRDiGxZKOxi8wSF/UUyq1Vs3OjiklHeUwvgxG+gIpJHf1Png7zTWRXdptNLZu04Bog/RWa5L2Ow9BXq2GQ9h/YVZkgSB9Hvzu/pfU6efAaPqE+at/5sF2TIYB8ezoVsFQk+kRoI=,iv:s3ebxJZeYnR7BqpG14h+52BtvChup9ohY1O2DQrh0tk=,tag:I+sRnkOYwcx1j4YQKb4Cjw==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/values/badhouseplants/secrets.mailu.yaml b/values/badhouseplants/secrets.mailu.yaml new file mode 100644 index 0000000..61e967f --- /dev/null +++ b/values/badhouseplants/secrets.mailu.yaml @@ -0,0 +1,38 @@ +secretKey: ENC[AES256_GCM,data:0LlGX1QG39jemZ8X2Itq2A==,iv:Dt1YoxrQ3yxJVZ3sc60kWXDvtwKCO7PrsZRMZUDOHpg=,tag:NY/8/xxnYcX/Hv1BCIKCjw==,type:str] +initialAccount: + enabled: ENC[AES256_GCM,data:rCMSGQ==,iv:mltQk4uc4jETPOimbRirrlxWxPsck6cLOM387chFtt4=,tag:3cy2sk+WPle9T96PcdWL+g==,type:bool] + username: ENC[AES256_GCM,data:2s3WINCPpAg=,iv:inUPAt/Q/lqSi88CKIEcexkbeJwSkS7pCWJqjDBbZ68=,tag:793MA/57fipWdODD2zcaUg==,type:str] + domain: ENC[AES256_GCM,data:IPoIY+yGxry3QQTRbdfbaRJU,iv:xG3mp+yAf+J2V0owRYi3XUCpQjtxAA+92bNiKTLvhvw=,tag:JogwzTxnImd4iKgJz76yaA==,type:str] + password: ENC[AES256_GCM,data:e2d9qYEUjkxbQRatzDslMTGDZhIqZwgr9t/olN2G,iv:uynCQDAKn7IoVpd1VLhWAI6dK2hN7LNC9PFNnOkYGOU=,tag:gqZSMCh3j/9lA7m6RQm6Ag==,type:str] +postgresql: + auth: + password: ENC[AES256_GCM,data:YHgy0iu0oaaRBiiO0FXCN2o9d76Vgdbxi3Mnoerj,iv:d0tOkZsXvbEVA8awiX3P9AMrctbvy2JIbGggua5dTzs=,tag:v8b7QHY+5urMsV53IL7wsA==,type:str] + postgresPassword: ENC[AES256_GCM,data:LJH0X2ptmy3xNOHcpWr1FQ0IA1v8q1GmzXrhRwZz,iv:kLh8rb/75uGQL4uFbNLxzD+U59LcKkDeY4uExgbfgoE=,tag:abbtDQZAdzzrMsw0ErnX9w==,type:str] + secretKeys: + adminPasswordKey: ENC[AES256_GCM,data:30CNkafy6P0F5UCvjxMus9Isi/FzDzyOqMT+VFk0,iv:1s7dFCEGD6soA+uwjAzKmvCltS+YUVY1/2Tk3ZOBemU=,tag:IO+YBBWmmUnyxbsigACRwA==,type:str] + replicationPasswordKey: ENC[AES256_GCM,data:pdBxjNmwcsDj0/dC5324XVUBpemUM8LbjxVlBwt/,iv:+wfSUgLgCORtSe1Vf02LZx0U9eEs6Bd9OgH3n6kK8BQ=,tag:E+FgJG2z8/TBAmy7+XlYSw==,type:str] + userPasswordKey: ENC[AES256_GCM,data:3s35K9e4RHRvpt85ft2Msb9GfC6TlGnjIT8B/obp,iv:KnuBW4b0LOuHwXNzgxVqpVDnijiV+DoyQfveHvgCsp8=,tag:G3FcSSPMJy/7IUsUPLbuSw==,type:str] +global: + database: + roundcube: + password: ENC[AES256_GCM,data:WUgeCqoWVRCdrA==,iv:5HO53lEArnIqRlWnQqlSKZ+hs7DxDAc9D3wHmbvb68M=,tag:nrjt2qnqGDmT/rv7JNR8Mg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvVlBCaDl3OHBxTnM4aWRS + L1Q2aC9uT20rUlgvQXFkVThsa1JBS3ZwdnlrCmwxQnNRazlENVFPUER4WEx2ODVu + Ukx1RHQ5c2NCZHptNm9IV2cxdHlmUFkKLS0tIG9kRUhzZDlocEhNQlFrYVpZdzVj + aXFnN08yR2JMVkNGcjE1UDFDWjBWSzAKQIt/5DQkW8FTQTQyWfU8QSxMQ8TV1J8i + l326pi2q+TuLoIvef8EKA+qax56OGnqESl2JcyHCAyT2T1tTzM1bpw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-02-04T09:30:41Z" + mac: ENC[AES256_GCM,data:5SE/XCKyCArO+AqhRJb8h3K1WYys5OHcOfZuRW8j8i3SMEtb+84D1KcsgEFBsJmvffbpxaKXcz7umEIKG+LWLeLjvCgqHwZa7Tidn1X07a9Dep74BfvTNZWVCKEAi/6YcHkLIsVM9Bkl0MOPZTxDjmzVsdiCR+3nfZ6RJ4AysxA=,iv:Yf8m6YNxycoZj+uYAe4rKRmzQiuZtmpLrYYmxDvwPbA=,tag:TcrPy/gj/je8gGOw3jiZ1w==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/values/badhouseplants/secrets.mariadb.yaml b/values/badhouseplants/secrets.mariadb.yaml new file mode 100644 index 0000000..d204007 --- /dev/null +++ b/values/badhouseplants/secrets.mariadb.yaml @@ -0,0 +1,24 @@ +auth: + rootPassword: ENC[AES256_GCM,data:nE9nrku/RxOBPrYiqMVcpKEbE8s=,iv:nUZGeUM7Ck0h72q5bPjH9UB3zAictnmOtsLQtNTVrYY=,tag:vm1DXjcDLgCnN5NzLRlKHw==,type:str] + password: ENC[AES256_GCM,data:4+moX6z5/JZNEM1FFwIudI3GKQ5b3+XoMw==,iv:Vn39GFekmWjbloTjkwuQVC0SmO37yBqNhUM9wHZS+H4=,tag:MTUv5GBnYprL2iEOhppXqA==,type:str] + replicationPassword: ENC[AES256_GCM,data:zP5+btuW+rgmhQoeOoaUBJ9rl2GpOhWmTw==,iv:GZW5ktMxg/zb+4ic8T6n36RQPkQxr4K+PM4DF+8gGF0=,tag:/GOK9ERmVHIE+Fv7UsXFLg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFYjhDNXp4bEZHL0xJVWdq + ZjJucFN1L2Z1K0xkOFRYWjhLYmVLUXdMV25VCnJOY1k3WXVxa1dFd1Btd2tJaTVK + NXZSaXpwSk1VaW44MFhlNzl0TzVKK3cKLS0tIE5oUlVqTlJoZUxZL0RkdDNmeHlw + OHcxamZOQnFlZlhOcVVNNDMzc2RlN00KSCeXWZUeGCPZ1MIJITojkpJSBDF228ll + Mq8DX7QS7BOsw7RcEq3omPV9hSvy900cWDNSeAk7y7hHvWFZbGfVcA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-07-11T15:30:38Z" + mac: ENC[AES256_GCM,data:wSANpRClDCeyHsFOdqrT3hyG8msqi5fl9DfCTxHSmMx9oOZ4x5Q3VX3nU3qg+M5cRKuJ9DAjpvYgmyTPWlX0RNAiJr9ygNW42H2lnU+yvdF+ZNHL6WQGQJPC2KTEPXGk5aUav+FA0E72D1yR6BrKpnR3OyUeltVOAnfAl60AZFI=,iv:0kHZs7ZiHzWIgCpHTEeWhP6B1uBrhOjw2/pm80LIlgA=,tag:B/sKy2TZEKfI9yNI/Tzwig==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/values/badhouseplants/secrets.minio.yaml b/values/badhouseplants/secrets.minio.yaml new file mode 100644 index 0000000..edc3c06 --- /dev/null +++ b/values/badhouseplants/secrets.minio.yaml @@ -0,0 +1,35 @@ +rootPassword: ENC[AES256_GCM,data:Oo5/PfJwB0AEnrpuUeckcAlzbRA=,iv:3NRzi8zvELULy1swZckc0LGtY/TNxmVLT1a382cHHCI=,tag:PTBRor4RP0oTDPm2zshz8w==,type:str] +users: + - accessKey: ENC[AES256_GCM,data:ibVq8IGPYcA=,iv:UfKKJjWfPz25wcqDy+Ylwf3RU8ILDXXKGW4g8RrGr10=,tag:W4e+W+yYzCawbJJd9QkBpg==,type:str] + secretKey: ENC[AES256_GCM,data:Y+T302cB11+ETPqK+DrlyxQLvA==,iv:axTN9/NKUd+/cOmaxjcyXKrDsdDAvceFEplJ0dx7CX4=,tag:DXyavjkL0/rHMk+aRU+C/Q==,type:str] + policy: ENC[AES256_GCM,data:Yx/vVQPP+zk=,iv:89Ye85k5DQYUNAlMAtafG2dF2nDJ+oKWgs0ZSaUejDU=,tag:AMqm4HRq2+ujTFSNAGSrhw==,type:str] +oidc: + enabled: ENC[AES256_GCM,data:9O/KFw==,iv:GZQu0XFNhJGzMPeW19wzjthjNzPLpMilMfOEM1xZlww=,tag:6+asRMB15NubSSiSOgyFfQ==,type:bool] + configUrl: ENC[AES256_GCM,data:ka+Vs9Nm68MivBaOiWsRgVuoXTLMmvYU3zfBj1mPUxKwyyhE3/3baUrkb+k+29lRyFO0To7AbqXkTaNpENGmt1kgEf/XMN+OR3PSa84AUW5BWnj6sG2uyi4=,iv:+Ro/oVQNElXiiRi15rQMbEFIgaY2pGL+ucj6cPilLUs=,tag://nk5O0WGmLuotU+MIT7Tg==,type:str] + clientId: ENC[AES256_GCM,data:nLWv7as=,iv:RuRmQgRRNqj+Y9zr9Kj3UmJshCFp2elATiPixDN33Xk=,tag:cSH0nKOziWLi0OfOMGTvIA==,type:str] + clientSecret: ENC[AES256_GCM,data:X52lUtR7tmi1FoNoaBCF3G0il+6eWqlmHek6WsOb+lfrItBp6B6oQ6mJHfTduJNFJsTjQgWZek69mQuTB975DGwvqjtTeA8VLhYpkgVDgKFEFvFTwaMpwCJRi7DGR8ZgMtbHZXS9gP5XRldQScih9p8LCiyngjPgl2es4PwUvWo=,iv:W2mFxLwg4leJ61Xs8TKmC8AlN3Zn/C5y09SRUPCVLHk=,tag:4mRNTPTWinzTQBo8tmzmKg==,type:str] + claimName: ENC[AES256_GCM,data:3iUTjRDz,iv:tfdfUdI8rFd7AgHl3bylpyudLGPajAUd5hcUJ9W18dQ=,tag:DSITNrUU8pGuKr7yiMAlOQ==,type:str] + redirectUri: ENC[AES256_GCM,data:us0hp5Q4vfsDh5XrziJNPVlo27Azi8fWwbck4rtDyvzEPRVkjxFi0A6bITpQNoo=,iv:i+ZBQkp6QY8z7RL/3k8b+iVvsi/mzHvNG9W04V8s9ko=,tag:6d9XfSdR1Dqb9OpD3nAtWw==,type:str] + comment: ENC[AES256_GCM,data:w+sQ1MJZmjen7Xm0ywKPmNzbNig=,iv:dV3QrEHtXF19nRN0fbIKbVqnjbXqpZletWOmkZK0CSk=,tag:K+JKywqzBMyCvbk+/UDkow==,type:str] + claimPrefix: "" + scopes: ENC[AES256_GCM,data:DyWv6iCI1nv0mkLBQHWZ3Ir8YoKfp3AvDBMb,iv:KmtrRhEM7ynj8WeyuXr9WCLJj/hjvzAf6odvFrmBTWI=,tag:xGUcVCg6rbnC/rpLxfpvSg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFNjRVZ245ZEZZUThxSDZJ + bUpveURDSlNXUjhXanlOL21oanZlWlZMaFRvCjAzMEEvN2RZcUpMZVJXT0EyRURY + REcxQm55YVVUUHhGd2xsQWtvamNYN2sKLS0tIENIQktKcXJDV3dYM0NXWlMxQmVD + WGpGK0QvSGZXUGluR0xjbHRLWDhrQWsK8y9as6JrUSpHRf/01mD4ZWcc757E5sVY + U0W9/jGZ4+7FjXpEwJxBdTzGZ4VXO6vfeZeES+wTRoh8FnZN0+K7Bw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-07-09T21:36:38Z" + mac: ENC[AES256_GCM,data:LKhkC0+rIVgf8sp9UjP822GNCUcJaivflKsNv/7v7qazJ4vMv8B/xHx7fLf1bBFk47UneGw21ebjPKaBFxQlaIA/FenT5wsDgbTEg0eppu7W1BAotTGq95EOldRKjCIU2BcmsbDAFNIsPTd8Q5EFkybZHRJGlF/wZne0efx6nQk=,iv:Y4ioUh3zzbtgif3QWTw8Xsa2cDdYN830OdraHc+3JjY=,tag:bUZHrtkpMS382DWpUGwInA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/values/badhouseplants/secrets.mysql.yaml b/values/badhouseplants/secrets.mysql.yaml new file mode 100644 index 0000000..52fd510 --- /dev/null +++ b/values/badhouseplants/secrets.mysql.yaml @@ -0,0 +1,23 @@ +auth: + rootPassword: ENC[AES256_GCM,data:X7htluDDokepRf8GVV4eu+pGM2o=,iv:DJ893dKr/4SFBEl8HnYv2PMb3Nb2AfL1RVgN2QmDRmA=,tag:W6QX7k92P7bgi3Ji/64xHg==,type:str] + password: ENC[AES256_GCM,data:hlXWCWbFnmbuUg==,iv:d9ZmklpwJa13wyNjrqNfFMEbJDSQ+NeyB4gj+59g09Q=,tag:Ps4oq5XWDIx7HnvCCnB/FQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVbENvMm1YQzlSV3UrSEJ4 + VTZ1RWVKTlpsUDFzQlVjMlJEZmIvaldHVXlFCm9SVzN3Z0dwTGo1Y3dnaHhvSmpi + bDIrMlJhbHhKUmRZejdkTmJiSDYvY2MKLS0tIFpRbkwySVh2MDlNWEFNZHVtY2Ns + Wmh3Z29ZSlBhbmFJNkFQZlE3aXpMMk0K14rSXjSF08xkil+fFJpeMV+6XChTJ2/3 + OQecJtg+0NQPyvC+kR5qKq8roiSzNNJgTVg2wwKMdukKVVTbEGi0gA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-07-30T15:06:09Z" + mac: ENC[AES256_GCM,data:oiigjlyNoSm5hcdB58MWUxhqcYzE5XtA5LEDUCUX4r0inNd8UuLP029jz6bvQ7E/wFpiGNVTFAlFB1HA/YVwai/siovy5H2DL6g4LS3k+fxLKc3lwo3BvkaBi9X2aYu7vGBJpNe3KxBdWFyjkEQVoux1RD8JJBYNquMu9tW3K/g=,iv:1H7pF0Tr6GcgDt9ItXiTBOTFa55wb9pOdTF3jNJlPiY=,tag:dQ9nrAKr+qo4JpqD2wJXjg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/values/badhouseplants/secrets.nrodionov.yaml b/values/badhouseplants/secrets.nrodionov.yaml new file mode 100644 index 0000000..1422fb9 --- /dev/null +++ b/values/badhouseplants/secrets.nrodionov.yaml @@ -0,0 +1,22 @@ +wordpressPassword: ENC[AES256_GCM,data:yYE91wuc9uOzIQ==,iv:jLqs0BZcEIG73roA/wxtK74xX+osePoIaKhg6XvuAXE=,tag:9a3n1tbRAy4TaU0OE8uZcQ==,type:str] +wordpressEmail: ENC[AES256_GCM,data:Fy6mIfhu0DuO+MSp1TPN7On6cFZk,iv:bxYiJBYgbuQsWPRWKfubmNZ/jShMBLeiPDyw7XtOAkY=,tag:RyBuqoNGoTzKR68RNSgumA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA1V2tQdkFWenZWZU1pT1JY + cXpVV3UxNnN6and1R0lBd1NrcXdWNTdibkFnCkJxeERBYyt4ZUtabWl5dlIxNmJZ + blhSUHZWTk1PVS9RUThlNFRBREh0T1UKLS0tIENKK200NnRDNUJCeGNTeFB5Z1BI + a2l5SG4yTjhmUlorWlJNbmFDekN5LzgKCS8nqMu72GDYjuSrfgbp/KZbHfhOdpyu + WpT0T6pk/oOc9ohQKGD/jvcjrMW7OZ5uYpZc/4gPdLKcOnNB+BEo/g== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-07-11T17:30:01Z" + mac: ENC[AES256_GCM,data:KWW440Ez01/kjq1TxLMZLLpyUmPluUJLvgPuY94/O56jz5/ewzkOY+yL4Wc20M++bITNBQUCw4y9HTC4jS2/vWITZnc9Dik8AcbpBrttMIE0fs+WeLudbt56lCCbcddoyOfAvGU+2t74da2uHQVpKBT1jsp/DVlZuFsHUuJeJP8=,iv:cnOqF84iRhDG04oWvWUyXxFmJbluM86TvwEVu7Z7hRA=,tag:nYXMxfm8drvklhSXcGSKNA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/values/badhouseplants/secrets.postgres.yaml b/values/badhouseplants/secrets.postgres.yaml new file mode 100644 index 0000000..a3223c8 --- /dev/null +++ b/values/badhouseplants/secrets.postgres.yaml @@ -0,0 +1,24 @@ +global: + postgresql: + auth: + postgresPassword: ENC[AES256_GCM,data:NopZyPWiTKPPVzLcvVLN3JgMQjQ=,iv:rWVhR2wChvQSIa7eBPrvnWO2ydLZ2D8oF87INiy8NX4=,tag:Xb0qbED6QXu5QBgHY6hrOA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVbENvMm1YQzlSV3UrSEJ4 + VTZ1RWVKTlpsUDFzQlVjMlJEZmIvaldHVXlFCm9SVzN3Z0dwTGo1Y3dnaHhvSmpi + bDIrMlJhbHhKUmRZejdkTmJiSDYvY2MKLS0tIFpRbkwySVh2MDlNWEFNZHVtY2Ns + Wmh3Z29ZSlBhbmFJNkFQZlE3aXpMMk0K14rSXjSF08xkil+fFJpeMV+6XChTJ2/3 + OQecJtg+0NQPyvC+kR5qKq8roiSzNNJgTVg2wwKMdukKVVTbEGi0gA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-07-21T12:58:01Z" + mac: ENC[AES256_GCM,data:ShHWH9RIL4rJ5X0IvThOtyM28AC+1bJLr4PJJdYSLtV9T7Wcs2LbmWxtM2tpRyzMeZjYKJrsstGYgxBevr1BpfGBIeR4+JCwrbdK4AOq2VbLMpH7nMOU/huuUpxOopweRBTwZOEMRBkSkEk4qPvebLHEqUi6aNGdtxOINmHv/fA=,iv:C/iJOSshanbhSQ9Be712aSN2B8aXndPpP4655SQONeQ=,tag:BAJIzrYfh8a59OzkxDOrbw==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3 \ No newline at end of file diff --git a/values/badhouseplants/secrets.postgres16-gitea.yaml b/values/badhouseplants/secrets.postgres16-gitea.yaml new file mode 100644 index 0000000..68d8cd1 --- /dev/null +++ b/values/badhouseplants/secrets.postgres16-gitea.yaml @@ -0,0 +1,24 @@ +global: + postgresql: + auth: + postgresPassword: ENC[AES256_GCM,data:8Tz+Ux23hup7fY13o36ISM0/7J7QBOnEKGp6HC4DCti2ZvvzLtMChgkjvD806Lp0ql4=,iv:O6zXIoWS71n+ZZ4d0JyfL1PEyLBPvt/JdWARc4yqc8Y=,tag:M63BInZTKXIFpIo3xbbOiQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBJRVE2L3h2QzBLbTJ2T3Ax + N1ZwYWlnOUQ4b1h5YWZ2a0ZiYXd3ZVNvQkhRClpVbnJVM3NaSi9MUVBUeVI2ZDkw + b3hrZlFvMjJTSlpLa0NhVDZvd2hHNDAKLS0tIEtCUDRWYUh6M1ZmMWFXUmpMZXlN + VmdDd0Vvb0R5VGlaL0VLWGwwdldrNHMKWzFjQo/VI0xTMBCKls+F8vyNsqPTINJQ + 8eBaaXQKtIXTLyqeFD9LogvKYAijIMlsky6hX3WG5ymx+0nqCPJFbw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-07-08T11:20:20Z" + mac: ENC[AES256_GCM,data:aTQ4h+VHLM4Qm+2ZMigCMr1mj06tfeOJQMDxe8dIDlPO6T3G9Tkj+iPTwXBprvEHjwVZPdMW+5TRsCwGBrg8gx/aIAlBpZyTQbR/wI2PW2HDjeKut/qDgHKJytRCUNHlQB3t426snI16ydRGCdqBO/5m4TG46QXuPRwIWej6SDA=,iv:bJ+708Tn1JkiED8sTfkqIat0XkxdM+3m5mzgf5gg3A8=,tag:EjOXTgcC1Kmc8PmHD3BWFA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/values/badhouseplants/secrets.postgres16.yaml b/values/badhouseplants/secrets.postgres16.yaml new file mode 100644 index 0000000..e466bb1 --- /dev/null +++ b/values/badhouseplants/secrets.postgres16.yaml @@ -0,0 +1,24 @@ +global: + postgresql: + auth: + postgresPassword: ENC[AES256_GCM,data:O5Fvmjipcx7CZ4DKQjRW0isfzoUt,iv:sVl6TFRCKAL5ci+lC4DfX/vZkWwRVg559kq4GU67udY=,tag:dEsoEe1UfvD5rUrI+EYOsg==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBVbENvMm1YQzlSV3UrSEJ4 + VTZ1RWVKTlpsUDFzQlVjMlJEZmIvaldHVXlFCm9SVzN3Z0dwTGo1Y3dnaHhvSmpi + bDIrMlJhbHhKUmRZejdkTmJiSDYvY2MKLS0tIFpRbkwySVh2MDlNWEFNZHVtY2Ns + Wmh3Z29ZSlBhbmFJNkFQZlE3aXpMMk0K14rSXjSF08xkil+fFJpeMV+6XChTJ2/3 + OQecJtg+0NQPyvC+kR5qKq8roiSzNNJgTVg2wwKMdukKVVTbEGi0gA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-10-04T02:27:48Z" + mac: ENC[AES256_GCM,data:yyvzDlqm3ZOGAMAWCbA4JBC2xs14dKJ4oGifHCvD6K3cBcLgQLS8MOoQJBVfAfL/lVqYDtQ8qwQl/NbCEAKdqw5mtGRwSGaCExSTfO8PIUZCT69q5lwhAxfSGkhjjup+88MhwdZbe2iqqr0nF/GBYT7exqu6Pj85ZKbeDVBTMUE=,iv:KVuyYWYvtVjFinkY82nPwKI/XX18t4purLInfjSxYlg=,tag:kD0G+keg4veTy+CN7KOo6Q==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.0 diff --git a/values/badhouseplants/secrets.prometheus.yaml b/values/badhouseplants/secrets.prometheus.yaml new file mode 100644 index 0000000..8e23981 --- /dev/null +++ b/values/badhouseplants/secrets.prometheus.yaml @@ -0,0 +1,26 @@ +grafana: + adminPassword: ENC[AES256_GCM,data:AuPGLXN861DvndWdecukXKzt91sGGIMBToj7tO3J,iv:gKmj0gurV77e/jbxdyxhaxkmmsp738vB6ZAfzRFf45M=,tag:rKOkedx87g4MlRk6npgXiA==,type:str] + adminUser: ENC[AES256_GCM,data:Esh/6bXMez8=,iv:cRdvkpnO8gNOaKy+4kPcq69ksdXxuZClnjSvBp4yto8=,tag:ZgycOsDXJIT1mrN6nJHw3g==,type:str] + grafana.ini: + auth.generic_oauth: + client_secret: ENC[AES256_GCM,data:+4Qfo4aR9TMZprWL9U6lFx4B86d3ywH2O5K6rM5hmv2gROeFinp7k5p9C2pgNubIK9W3TlWSZAw=,iv:uFX2Lz3s2/aR5rcwsDvfuUGbKHNxh43ZiuCNaT5b1dw=,tag:8YdsVMaHbP6wqjubb9Ab2w==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBXeTlhQ2xpK0dvMU00ejh4 + bjZxZVMvMEFobGFqYU55a3dxcTlnRitkS2wwCmJVNHhQNHJHTVBxbk4xQ1RWbkFv + TUNGY3YvQUIyTUJYNEZmOWRYd3JaUHcKLS0tIHJ5STVXV0hxRUdYQmNXSFR2U0Vv + NXQ5SjNQUW9JOStDclZuYUlqV3FaWWsKvu2T2LmDjuJgnB0djjhJczsvDjFsH/D/ + QDPkkl2G1luDoIjBj21uoy0daqfyskd4Yw2ZsPsZU6zuEGdFj52Qbw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-05-29T11:41:00Z" + mac: ENC[AES256_GCM,data:7Xs7W6smDPr8fp4AapKcUvHUsYRKkTQ3wb4CuDmL0ziQs2d73ueezEembp7RRaBQ/Q5jACY1dHQg42+4YymcTt8NqJ6SE4G7f9iqJu3rr5g5lh8mYP8ft8J1/l2jrQtCSfxyzuG2CPZRycQIo+0Tq++w6iK0iy6ExPt8cDNR2Ao=,iv:v8m4CEW6FG5rWV8fKsqACh37X9yzsB/Bl1wh+4348rI=,tag:Up71zDf12JMDjK8uIxnsLA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/values/badhouseplants/secrets.redis.yaml b/values/badhouseplants/secrets.redis.yaml new file mode 100644 index 0000000..14b99c2 --- /dev/null +++ b/values/badhouseplants/secrets.redis.yaml @@ -0,0 +1,26 @@ +global: + redis: + #ENC[AES256_GCM,data:QRLnzdJ/lmaItppUMOZO33kySISWDfMdjr2nrEjBuhucnoglEVNF9Wy5IVbt5CNERajCADTVWNy/N40uCv+9n3PQVKl+Ki6YV+Q24Bzy,iv:8PvJ2yU7AW+/XkP+/9OQcrdCVAomnRexkNNw+2rjoho=,tag:U4gbrqqBwvXC63qn7jFmPQ==,type:comment] + #ENC[AES256_GCM,data:69gagNeejZaafGWo/Rll,iv:kW13FOrc/j//BxVj4JgEC0G/DQIOPHil0uNXpOM2/W0=,tag:sqviMlgQHiN397ukswoNsg==,type:comment] + #ENC[AES256_GCM,data:C8ta7Vtb3LpOotE=,iv:Kdat2trhQIQHxIpD7xhUoLRYo+a4PgzpB+S0w32somA=,tag:jgH656M8a14QhA//sN6MGg==,type:comment] + password: ENC[AES256_GCM,data:qdV5FH2K4w9gj4SFznfflY8Uw3ohSCO4lOE4Hea4,iv:/XYT2xiHlfRB1NLkw+Qm/QaWehvs9v8PUp2ZfMxeyRA=,tag:06XSi3K7y+9a50nZK1LAfQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxTWUxY2hYT0dId2hsR0x1 + MXFtRjlSelgwdUcyVnBUdlJ6Nng1UkNJaHg4Ckc5NXBORjBCZHQyc0lDTiswazNF + cGhKVFFNdlZnRWlxS05OTklOUDJDQjQKLS0tIDNWNDVVWXcxUW8yUHgrOTNkRkQ1 + MGNDV2cvUUF3dWZHSlZNeVFDNXhzalkKubKuiiZuqoZTvRMr2FiUxnFUu+Pvj3Wf + pZTfZg9rnUukmV+kmwqQKcfoPNfeShhoAsszWwPM628cV9pq87I2/A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-07-29T20:22:15Z" + mac: ENC[AES256_GCM,data:DIdcvQXu7rivXdPFPjfzs1AeJ5bRvUBD+Hq9mH7Hp/+iqrG03fWSF2NF1ra8KfEIg6TDsyMnQLWvipxBlA654BLBNrABFoGwLsdVsATBORz0kNNY862qfyhSOaaTBHTWhPVpbjGnYav+bi5pfvbLC9yJm3SjIRtUbnaNVWvqMq0=,iv:d7SaPZLb/px7fy+bGJnH3bfNBmqbhwMijyNB0jfYgLE=,tag:LT5hJoDcSiP5FVgj0M2sCA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/values/badhouseplants/secrets.tandoor.yaml b/values/badhouseplants/secrets.tandoor.yaml new file mode 100644 index 0000000..65d3703 --- /dev/null +++ b/values/badhouseplants/secrets.tandoor.yaml @@ -0,0 +1,22 @@ +env: + SECRET_KEY: ENC[AES256_GCM,data:vIzxdLGoKHEIGt451pZKwyFFQ7+g3ViryUHkhmzU,iv:JuSUmrUUgVL07y4mQ+z3lNRLpe0io4uDKndWpEgIVDU=,tag:6nsOuHbtgyGFJebOHChKxQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNYmNkcjVyR2o5R0dJTXZB + d2NBczgrTllrM3hWdHVIcmhmb1dlY1FzN2pjCndTSS83Wi9WcytrT04xY1dyNXVV + YzlxWmwxNkpnMk1oK25wcDJTUFQyYk0KLS0tIHR3R3did2hlMThOUEV1QjNma2pM + NnNxMC9vNStLQ1dadE13RmhLWExqeG8KpSUTbfxuZX+7L6SK55BJvY8KIfqt2ykz + qNmUpeC7YHzDfoXGF6+jklMCVcUJDRI5UeZejZ7KXnI9OR8VncIiqw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-01-06T15:16:21Z" + mac: ENC[AES256_GCM,data:qVocy+iBsjj45hLObpoxxo0ZyzxCITXR52NLfo5NZvJutRLs5SfKjmecYVth4j1t15qUJ3GIYG2t2lGxqptMyPK7SG4ln0G8p02LP4XdboKYeZNdWlHYf3cMZtnST4WdrpTCNWhLs3+8ittBb3AsR3QBtwoqzalC+VatAOJ2IDc=,iv:y3TspYIFS/eVJE8x+fAlPhFrWcH9PM0Rajgt8yUJLSc=,tag:nUt0xWqdjfoeemTk4xhr8w==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/values/badhouseplants/secrets.vaultwarden.yaml b/values/badhouseplants/secrets.vaultwarden.yaml new file mode 100644 index 0000000..61f6e40 --- /dev/null +++ b/values/badhouseplants/secrets.vaultwarden.yaml @@ -0,0 +1,27 @@ +vaultwarden: + smtp: + username: ENC[AES256_GCM,data:j/y4Wzhb1obnLW9zHYqpM7/Glfd15hDAAn+6,iv:wNQgESf/0zbfcwFWrKgdSKcoCYVUJ3pnQYuMhfeergQ=,tag:/DPHJGrySeH9xZ9gfH7yFg==,type:str] + password: + value: ENC[AES256_GCM,data:lM5RLAEz5K2LqoCEt2KfOgVv+Dg8zDwUKg==,iv:tT/71iljjyCyBxVoAKOZgdC7BHxhQfjH7ECZUGTv8So=,tag:sd2+m7KyoJmEY3l6Qey6yQ==,type:str] + adminToken: + value: ENC[AES256_GCM,data:8+nwPIKqrzIHvfxzVvUx+hh6qz6c8lCTYzJQsbGFx3c/76wzgJZ08TVNRu2VNmlHBOE=,iv:U5Cv0rykPbBql6wu9HFuMIGoLMM40TlDp8MNM5OGzzw=,tag:++lPoZaKQD/RsVm1xZfMRA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhLzVRdW5ITFJmWHE5dkRr + R3pGbTh3UmFTTXR4VVVGRjlSUURudmxwM1hjCk16U3BKYkZTcmdwaFZtcTZNYk9C + M0ZBZk52bDBuNWZwa21SMU1mSnhmWEUKLS0tIGZVV01KQ3Z6OGltN1RFSks5MVJI + a2xWUGZpMmovY1Qya05nVXRZVUFDTFEKhF34OSdGZizs1/Rs9qvUOVtomQBvOFbS + hRsK3Orwig4HJdzj1UOZd8UMGwj6Mzhw+aKUJKL67igMwxbxVcaU1Q== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-01-30T18:44:39Z" + mac: ENC[AES256_GCM,data:1cpPRtzipDI0/fXlbcbuQQyjAZMk7MR005sJAIwfNVG4o1UdV6cIEG6096yeXGP8aKYXJwm1GUZ0NtdipQpieNnj59xClZHJ00m0K/0b6UHoGzSMY82t0nNrS3KvVEQP0a+LR5WVQEl7ac2m4FmbHpGtSWWMW6CYBnflfHQisFA=,iv:exvh14LUOeZnLrnvPrX9Hzfnv7wMd1Qfx37F0aVf2q8=,tag:62QX/P5K3U72O0zkgyyXhg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/values/badhouseplants/secrets.vaultwardentest.yaml b/values/badhouseplants/secrets.vaultwardentest.yaml new file mode 100644 index 0000000..39b3c9b --- /dev/null +++ b/values/badhouseplants/secrets.vaultwardentest.yaml @@ -0,0 +1,27 @@ +vaultwarden: + smtp: + username: ENC[AES256_GCM,data:9bEvyZkXadW7Hx2iW6ByPDdnuIFPkeoUjoOyoQ==,iv:Y5M/16L16AWXeaWyKCSsV/c/l9JXmNzx/IsLBmMJuGg=,tag:nFN1ZssjtqZOG8Gvka9f3A==,type:str] + password: + value: ENC[AES256_GCM,data:CF2VgDpxlwHmvCDJhx0GDLT/yyw=,iv:t8JwQFeK9Te2zVdg+gPdMlh1E5g0vMG+ApAGKbGZ4WI=,tag:7UJuxFqS/hUTVunv0CJcTw==,type:str] + adminToken: + value: ENC[AES256_GCM,data:lrb99F1zn7AWlAttShQGGyMz5Ds=,iv:nas5hzd/XMQWFA2pTaTDkqXReoToBulf6s7tZraxM3s=,tag:UH/AXIWKbZOmu/W8XyuWNw==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhLzVRdW5ITFJmWHE5dkRr + R3pGbTh3UmFTTXR4VVVGRjlSUURudmxwM1hjCk16U3BKYkZTcmdwaFZtcTZNYk9C + M0ZBZk52bDBuNWZwa21SMU1mSnhmWEUKLS0tIGZVV01KQ3Z6OGltN1RFSks5MVJI + a2xWUGZpMmovY1Qya05nVXRZVUFDTFEKhF34OSdGZizs1/Rs9qvUOVtomQBvOFbS + hRsK3Orwig4HJdzj1UOZd8UMGwj6Mzhw+aKUJKL67igMwxbxVcaU1Q== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-06-06T15:15:43Z" + mac: ENC[AES256_GCM,data:9GsJoDWT1Onv6f8aUcwkbeTcpr0vF2MIgtJjKTbvvPHhzVeVev4FPFZ5R0YQXD1CmQycu/rnElktohgu9Xwum3j4hfs8Ga2qDqOk6heleBcptXDYwcBUAxg8QD5NNAkefsq5oJi+QsdD0nOeRjG6o5XYRccyoFiucTcpT9eASzw=,iv:7UJzUShRD+tzhIEeKygZlgaWHOYOS+L2Io69K0xW2MM=,tag:alOPQPbM6cex7kgQv8mqQQ==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/values/badhouseplants/secrets.woodpecker-agent.yaml b/values/badhouseplants/secrets.woodpecker-agent.yaml new file mode 100644 index 0000000..f71db04 --- /dev/null +++ b/values/badhouseplants/secrets.woodpecker-agent.yaml @@ -0,0 +1,23 @@ +env: + WOODPECKER_AGENT_SECRET: ENC[AES256_GCM,data:cJoxJw6c6FYZ337i5P6dGUzLmgUn9Z+/Ed9aUK76WYnB8m0D9h5IlAlOfCQ=,iv:1BgxKsaI3dhhPNkZbpHKBn6GXadn1RD+3Q4RwKLfmcU=,tag:y8qLWwpVAwKrOWN1cC2ulw==,type:str] + WOODPECKER_GITEA_SECRET: ENC[AES256_GCM,data:VdWASwxPurzmfSjb2h8wBw3XbZSfG9UG0jmXSbTBPreZ+l7UQblI/wqr8Tw=,iv:APNuiqimA/ofCWsvywj+SJedQBMgRoCd65Gd3Ps2/fw=,tag:ATLGT4ACZ2GR46qD9ABUng==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTRFNvdnBsSHFBcjlGcGl1 + RnU1NEpZekpucTNCZHBGcXdBakhkU1drb2dZClVYZ2xMVUJiOXV2enlBbm1TS2Mz + ZnZ0UHpsVHVUU2ZkSGtwUXNMM0R6VjQKLS0tIFR4NEdTTGRIY3QycTFhRzJNSEY0 + SEs0Z3VjaTN2Y3Z0QmtEUEdQdmtwYnMKxQ3z1p2GulSOklUEolWeH20JeFwNpZqY + 870x5UtCJNVTMrIDgwMQK3hn+yywxPdgSRhkW3bqH4PJDxi78UUpXw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-10-05T08:06:51Z" + mac: ENC[AES256_GCM,data:pc4n/3MEP0GhmZ+wdbOiK2gj7ah/9IJ2hoXRtM1sAGy3UPNBrF5VE7hxnAi393YpWBank7crDTvg2aJjhVt7XqB8zcjiHtNMlcpxL6fJ+uWxeH4uVj/NBfSvoO410oYbtPuKMjZpPU7KACmTJ9tzVIZdZOScXx7fLQxNUq01Hu8=,iv:18MqueG9MHrTcXmu14Q8LPnMFT9lolDkCbXjjA2P1qg=,tag:6ETPd8vZ0CCGEUP5u8ZxNA==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.0 diff --git a/values/badhouseplants/secrets.woodpecker-ci.yaml b/values/badhouseplants/secrets.woodpecker-ci.yaml new file mode 100644 index 0000000..56326be --- /dev/null +++ b/values/badhouseplants/secrets.woodpecker-ci.yaml @@ -0,0 +1,27 @@ +server: + env: + WOODPECKER_GITEA_SECRET: ENC[AES256_GCM,data:mGYEvlIeQC3mg+kxy3ZX6gAVf88DXLVdeSdgpQa8wixsb2rDoj4+l2ET2saquK+lVhjvv8ZKdvg=,iv:VlPgDYPj1xpxnpWnEHj+slBi0H2nWKeScclPItUaG9A=,tag:ox/Ur5vsOARXRT3g0hCgsg==,type:str] + WOODPECKER_AGENT_SECRET: ENC[AES256_GCM,data:WXwsmLmb37clb5xgv+2DeKfhk7cwaIJpaCW8/Kq/CmgfwCmrarPDDQGXZoLwOjGj3mh/ciDj7V5WgHfyxuIDhA==,iv:NhGlPyPrTrTbz1DjOZEieWAfOQHqSqhdLiqMspex1j0=,tag:vOfo+XiCUW6MhtJemkZPMA==,type:str] +agent: + env: + WOODPECKER_AGENT_SECRET: ENC[AES256_GCM,data:4lTZ16jbrorU4B9gTAoWmgiGggrMWD7K5O/5R47OIDMdRInwXtaWviofFD8WJQMduiGvANxMVNs0J1DLvFKi9Q==,iv:Y0AsW63vdVEwKvpVYeMVLFmwYlsQSwnz602QjDgj/ZQ=,tag:aO9xh3psy/bRCCQEFUp75A==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlQjZqNE9iMDl6MlhnSUp5 + QTBSOG83WFBqZFZIU2dEMzlpengrUFg4alZFCld4MkI4WW8xMUZnMm1SU2hmMCtn + bTZSVTIxTk5aZmo3OEJJdlJwL2xhV3MKLS0tIGJraERVZTNyMWFCVE1TbEhRR3J4 + WXh3NGd4UG9OODhHNEp0cDVoQkM5dWMKcz4h0O4J2WlB+L9+/U8Rl+zzd87hsJo8 + ThPZgnUNDGpdRrU2IYiXo03fZOhBoqBJe1ZG+Ol8z9bvTeyeMZxRIg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-11-18T17:43:53Z" + mac: ENC[AES256_GCM,data:u8iu+Ia1u5c5AkdyKbGT//G/Zp+yDNv3TQIElSBA6qCTBu0lKAii3ywXrqdpQ1kYtytjazcwkOa7vKmVy1UoCNda+8wGGHfhfOIQlll+TKBNvgUO73lF5P7X5q6CcgFMvTazXKElESEC3G04uVLEOdG1W6d0ArVRnh8gFOY6Jgg=,iv:VT0pFoOcLPK14I1doJi+52wtCfUuqh2nxdSVu0ufVOY=,tag:SwAOYLxOYaouteqXdgP2Hg==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/values/badhouseplants/secrets.zot.yaml b/values/badhouseplants/secrets.zot.yaml new file mode 100644 index 0000000..25871e8 --- /dev/null +++ b/values/badhouseplants/secrets.zot.yaml @@ -0,0 +1,23 @@ +configFiles: + config.json: ENC[AES256_GCM,data:id5h3EObc18qFAYXYtVFAgJcp7IUS0QCSQZfKqy1fIoZUUYYIuKBDE9aL3OnqZkVJtXn5DNCRii/1ZYY/9Tg2IEK73twu5lDkM73APphI2GPw1ONQh6WBRp54AskuZizx3l1+PyKI/8WPVy/x1cbc7l5pGBziDzSbREor+YQQe4P3Og5KqkoWPeeO/GB/vCP+4CquBVwakyDPibrXtvEcIPxfu8b4H84fBQtlStuoT6Mdmj7NfBtK5SEl9yZ8R+kAJyjr4aM1XrtKtpBfituxi6OsXIQgKTWWZtFkousCkDuKxJf1EUCUR1J4ClmcF7UGUOxg3r3Csf1Y6ijhVgUqDlgNmRIq+qsEWrgWVixnO1RMnRcWmgJFDAs/QXY841lJTQJmVS4LRNZKu1ea8fDmF5KaxBdshizeA0RZGrdNlTUIB5AUsK3mmyPCvM4JYivQp4Hv8i1U9zlLpuPWR+7UgKbHjpQSVCem+dM76W4z9Wy463AS20EjwLUicSq7g8yLoCstuI1XsC8yNLZE6Z/nUkRysiGXa6iJnWez2tVOnIVVJ3c378U3U6tTr7ygae7v9PcvoGBTYTZA0OyrMeHrocKp4026yQJN+8Pj8CPdZX/nhC0gW08xI7EQnzK84ca4XuEZHWEtlmMBJyIGK07trq94BH6QwUaIg+nUv/gKvUA5CuMSAqECv+wCfQ+EU7mRClXR6RYJvEUxIEvGjb3CTOyV+gbj+CKaz3LZWWPETCAvOz0Cd8L56E7yUwFNhd+c7X8RuMy1vdoiCXdkzU5QCDmfv3ka4lKBPd3cvHduXeAh0wMNHSqLEVZblnt50tiZmo6vwiNGxlg3jL56Lfn3rkz+HVKRl6ArPBOdJhbgGj0bZFJMPGBU8kNDksQ6DMw371vAR7FwlzLKdz1Z3D1CvmBRUBIhr4TbnPuTL77fytVq9IdgGcTexs8QhcelXmoW5nA61PpYhYCU65m7BKC0koX4fjCjAksvjZaI0eeYPgKafAqKBlJslqKq9lNGH1orjgmXO0LWV7xv7D46BRrrfMqPwHUsPAGBP4VhfuIXc3keTmtFWjexyjMzvkxtoagATQZgbohjL4D4dzMTVhGH+Iw6AyM+9/NZeb7Cm2CmmJJXG0kmXGezuyRwNrChlhd4/HdeLvfBZbvXYLwr6pZn8dbJ7w0V77clsjN2QhsrPGh8VVf548KlkcfWp821pwmPxLme2TU4nJE+eU/7xK+LdSy8vpZ6wkxThTUdj5/A7DAszgdDed3aWfVIKz2DmLWR1iD6fC7n6OIIE+dcywNTU0sbYkMffpoYwU9Om9uPeer9rkzrnWHZX2btyfKUy8bnf0LuHuzRKyFl59nMUhlXbr1YsEKabNpsaxT50L0idoO5Phkx7os/qiqvxaPChMJngJQ9BXIoKARkg4hgvvjKpQwmjt/liA18COy58B2gjH3aKA6kye0/utQTih65DamYt8Wv4niVAZ3wm0rG5uaBvwZnj9N/xn2Klx5Iih2ZbobWVVR0MCAhe1nKIcnZxRrsm+GGRX2svYZg4ROLq7FagL8mn27/aG0UMdKQGpbXDQviNQgY+wB3jBmZAea54pWe5sgGBxXAZSYhGoOaWCLwWUtQWGdusjebEuqonW6PSE7whkbJxStNZOdAxATlCSe7jAkzuj5VBZbL8mIgnTltwKk3RcbnpL0j0pwousVZpSqg9KOqubxgk81YyMImA4LI3Fi0OFYIbDSw8zJJUgwASIWLQ2GxLM1Z1oxun7HpMV5lK8I+n70Vcqutn2N8URU0XOo6gcWCfknhClCwkOsZxU+DSVYyz5Aq49zwojSsd/CuS6WbFO82MMCO7dRLIz9ju43xAeCgFY7ZpbRyCR8U5IJKHPrHunYGwaRpolAE1V13XuBu0pOyaiU0sIeA44snU58DVMFyvA3PUl47FXvPMjGahbZoun7vi8J8KbRXlhHH/HFshi5eT16WOXK5SXBEiQDjhLa5RseWI121ARKtsvBRlhr9yRsZedlhmW7nqRw5hbVvHDQfUFIuiRHF1XAElP1C1hcb2GDE7r4anmoSRgcHYAI50HF4CPBSxiI+EAisKARIlUgRKt3gOfG8AH4mraUL8Lt+Eb0Clsd0z2GuysPHrEhy8WzGv4HW84ngNmZgznXP7ZFrtT31zAQr9QL/oirJf+ujPUdY03gJbr3jQXrQ1mfivlsaofgC0WL0xLma3Cuosb1nGmw0XmCGJNIOmgZJ/plQCWH05UzVR/QXhdEwlci3VNeYOSIUJwkv2eUyHsxHj45VRtLuxnrLx7BqR+kxBpRayJXWRBx1rcW7RTvS1a5Dk5PxsqjKcxKu+wRbPFmv77qOIroGg+XKTp8XeIxcSs4lx7AsfpTEvWpARwsydrUSKf/++F+3dL4yOrOyywul8gnTN3iLMoTjpze83ZFcJ2viiyqMWnHWQnuVveZTZi3NmoC63ZE/XLlztJcDT1UkrH3Tlvu1AxqMcm0SxK3TgEbvGmdWYo07E+qEMsUyoSpeE5MX2FESR9C67s/t5/rfThhvvjQNhydUVLrQL8O,iv:njFz+TX54d1Fy7QtrjFht7lyujuuIamNWEXquA6Q+jA=,tag:d+9rLYzYZf/0uuZ/VVys0Q==,type:str] +authHeader: ENC[AES256_GCM,data:IHFsb7dRNIMe8kv0sG6u/A==,iv:mc0MhVWKEz8ln2DvC9mwrYtqKCvOjudiUYETOBx3DAM=,tag:aktcOM3u4xNyZ4wTJZ1E3w==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8 + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvMjkwcll5bkNzUE1lQkN0 + NXRCckdnUER0YlAwWG1wWVo5Mno2T1g5eWtZCnJGMkNScEthNHVqZnlvQnN6Q0du + RnpzNitYR1RpTnl4UDB3Zk5HMjU1MTQKLS0tIHNoZHRjdlU1SXl1c2pzemZsQzBB + M25WRjB6QUpkbURZVmNaWm9nd1U4RzAKan1bSzcDc2G+428vpnNDWYhQ3/nFKSUp + VLnfx3roZUrs0QV07O+AHobOvlLD4eo8wfHMUneKipAQ8ZAlhNFTBg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-05-05T17:37:17Z" + mac: ENC[AES256_GCM,data:vabfq3du2GfVkWQqdy2X/8pl/V/i+juyjIeGRia9cZ57SFPPmS/7n7rV6W+tpp402ov+16HHevVu+ZUZKxFPNq/8WiIVFCh3YMAFimzB+wOXziivAf1zAgYX5h5JHMV3FrXJT0yJAGmVbrZ7KP48CaB74PJGb++4Jr3qPE6VU/4=,iv:PApbvtdThsQyfD2db8GBrnrZL4jlx7qL8bHhAijXk0E=,tag:vIwECp7tomejqjGadIhudw==,type:str] + pgp: [] + unencrypted_suffix: _unencrypted + version: 3.8.1 diff --git a/values/badhouseplants/values.argocd.yaml b/values/badhouseplants/values.argocd.yaml new file mode 100644 index 0000000..71cf854 --- /dev/null +++ b/values/badhouseplants/values.argocd.yaml @@ -0,0 +1,113 @@ +--- +controller: + resources: + limits: + memory: 512Mi + cpu: 200m + requests: + cpu: 100m + memory: 512Mi + metrics: + enabled: true + applicationLabels: + enabled: false + labels: [] + service: + annotations: {} + labels: {} + servicePort: 8082 + portName: http-metrics + serviceMonitor: + enabled: false + interval: 30s + relabelings: [] + metricRelabelings: [] + selector: {} + scheme: "" + tlsConfig: {} + additionalLabels: {} + rules: + enabled: false + spec: [] +dex: + metrics: + enabled: false + serviceMonitor: + enabled: false + +redis: + metrics: + enabled: false + serviceMonitor: + enabled: false + +global: + domain: argo.badhouseplants.net + +server: + ingress: + enabled: true + annotations: + kubernetes.io/tls-acme: "true" + kubernetes.io/ingress.allow-http: "false" + kubernetes.io/ingress.global-static-ip-name: "" + cert-manager.io/cluster-issuer: badhouseplants-issuer-http01 + ingressClassName: traefik + tls: true + metrics: + enabled: true + serviceMonitor: + enabled: false + extraArgs: + - --insecure + servicePort: + servicePortHttp: 80 + servicePortHttps: 80 + +repoServer: + metrics: + enabled: false + serviceMonitor: + enabled: false + + imagePullSecrets: + - name: regcred + +configs: + params: + server.insecure: true + rbac: + policy.default: role:readonly + scopes: "[email, group]" + policy.csv: | + g, allanger@zohomail.com, role:admin + g, allanger@badhouseplants.net, role:admin + g, rodion.n.rodionov@gmail.com, role:admin + p, drone, applications, *, badhouseplants/*,allow + cm: + exec.enabled: "true" + url: https://argo.badhouseplants.net + kustomize.buildOptions: "--enable-alpha-plugins" + accounts.drone: apiKey, login + accounts.drone.enabled: "true" + credentialTemplates: + ssh-creds: + url: git@github.com + +applicationSet: + metrics: + enabled: false + serviceMonitor: + enabled: false + + repositories: + argo-deployment: + url: git@github.com:allanger/argo-deployment.git + name: argo-deployment + insecure: "true" + type: git + cluster-config: + url: git@github.com:allanger/cluster-config.git + name: cluster-config + insecure: "true" + type: git diff --git a/values/badhouseplants/values.authentik.yaml b/values/badhouseplants/values.authentik.yaml new file mode 100644 index 0000000..f6ac6bc --- /dev/null +++ b/values/badhouseplants/values.authentik.yaml @@ -0,0 +1,64 @@ +--- +# ------------------------------------------ +# -- Database extension is used to manage +# -- database with db-operator +# ------------------------------------------ +ext-database: + enabled: true + name: authentik-postgres16 + instance: postgres16 + credentials: + host: "{{ .Hostname }}" + username: "{{ .Username }}" + password: "{{ .Password }}" + database: "{{ .Database }}" +authentik: + email: + host: email.badhouseplants.net + port: 587 + username: bot@badhouseplants.net + use_tls: false + use_ssl: false + timeout: 30 + from: bot@badhouseplants.net + postgresql: + host: file:///postgres-creds/host + user: file:///postgres-creds/username + password: file:///postgres-creds/password + name: file:///postgres-creds/database + secret_key: "2Scv6ivCfV6uGRTx9Kg5CYJ2KjBRHpR8GqSBearnBYvBFZBwR7" + # This sends anonymous usage-data, stack traces on errors and + # performance data to authentik.error-reporting.a7k.io, and is fully opt-in + error_reporting: + enabled: false +redis: + enabled: true +server: + ingress: + annotations: + cert-manager.io/cluster-issuer: badhouseplants-issuer-http01 + enabled: true + hosts: + - authentik.badhouseplants.net + tls: + - secretName: authentik-tls-secret + hosts: + - authentik.badhouseplants.net + volumes: + - name: postgres-creds + secret: + secretName: authentik-postgres16-creds + volumeMounts: + - name: postgres-creds + mountPath: /postgres-creds + readOnly: true +worker: + volumes: + - name: postgres-creds + secret: + secretName: authentik-postgres16-creds + volumeMounts: + - name: postgres-creds + mountPath: /postgres-creds + readOnly: true + diff --git a/values/badhouseplants/values.bitwarden.yaml b/values/badhouseplants/values.bitwarden.yaml new file mode 100644 index 0000000..00e0898 --- /dev/null +++ b/values/badhouseplants/values.bitwarden.yaml @@ -0,0 +1,40 @@ +--- +image: + repository: vaultwarden/server + tag: 1.28.1 + +istio: + enabled: true + istio: + - name: bitwarden-http + gateway: istio-system/badhouseplants-net + kind: http + hostname: bitwarden.badhouseplants.net + service: bitwarden-vaultwarden + port: 80 + + # pathType is only for k8s >= 1.1= + pathType: Prefix + +env: + SIGNUPS_ALLOWED: false + DOMAIN: "https://bitwarden.badhouseplants.net" + WEB_VAULT_ENABLED: true + +persistence: + enabled: true + accessMode: ReadWriteOnce + size: 800Mi + storageClass: longhorn + +smtp: + host: badhouseplants.net + security: "starttls" + port: 587 + from: bitwarden@badhouseplants.net + fromName: bitwarden + username: + value: overlord@badhouseplants.net + authMechanism: "Plain" + acceptInvalidHostnames: "false" + acceptInvalidCerts: "false" \ No newline at end of file diff --git a/values/badhouseplants/values.chartmuseum.yaml b/values/badhouseplants/values.chartmuseum.yaml new file mode 100644 index 0000000..3073b19 --- /dev/null +++ b/values/badhouseplants/values.chartmuseum.yaml @@ -0,0 +1,25 @@ +env: + open: + AUTH_ANONYMOUS_GET: true + DISABLE_API: false + CORS_ALLOWORIGIN: "*" +persistence: + enabled: true + accessMode: ReadWriteOnce + size: 2Gi + path: /storage +ingress: + enabled: true + pathType: "ImplementationSpecific" + annotations: + kubernetes.io/ingress.class: traefik + kubernetes.io/tls-acme: "true" + kubernetes.io/ingress.allow-http: "false" + kubernetes.io/ingress.global-static-ip-name: "" + cert-manager.io/cluster-issuer: badhouseplants-issuer-http01 + traefik.ingress.kubernetes.io/router.entrypoints: web,websecure + hosts: + - name: chartmuseum.badhouseplants.net + path: / + tls: true + tlsSecret: chartmuseum.badhouseplants.net diff --git a/values/badhouseplants/values.cilium.yaml b/values/badhouseplants/values.cilium.yaml new file mode 100644 index 0000000..6eae22c --- /dev/null +++ b/values/badhouseplants/values.cilium.yaml @@ -0,0 +1,10 @@ +operator: + replicas: 1 +endpointRoutes: + # -- Enable use of per endpoint routes instead of routing via + # the cilium_host interface. + enabled: true +ipam: + ciliumNodeUpdateRate: "15s" + operator: + clusterPoolIPv4PodCIDRList: ["10.244.0.0/16"] diff --git a/values/badhouseplants/values.coredns.yaml b/values/badhouseplants/values.coredns.yaml new file mode 100644 index 0000000..04d2b02 --- /dev/null +++ b/values/badhouseplants/values.coredns.yaml @@ -0,0 +1,32 @@ +service: + clusterIP: 10.43.0.10 + +servers: + - zones: + - zone: . + port: 53 + plugins: + - name: errors + # Serves a /health endpoint on :8080, required for livenessProbe + - name: health + configBlock: |- + lameduck 5s + # Serves a /ready endpoint on :8181, required for readinessProbe + - name: ready + # Required to query kubernetes API for data + - name: kubernetes + parameters: cluster.local in-addr.arpa ip6.arpa + configBlock: |- + pods insecure + fallthrough in-addr.arpa ip6.arpa + ttl 30 + # Serves a /metrics endpoint on :9153, required for serviceMonitor + - name: prometheus + parameters: 0.0.0.0:9153 + - name: forward + parameters: . 1.1.1.1 1.0.0.1 + - name: cache + parameters: 30 + - name: loop + - name: reload + - name: loadbalance diff --git a/values/badhouseplants/values.db-instances.yaml b/values/badhouseplants/values.db-instances.yaml new file mode 100644 index 0000000..223467d --- /dev/null +++ b/values/badhouseplants/values.db-instances.yaml @@ -0,0 +1,32 @@ +--- +dbinstances: + postgres16-gitea: + monitoring: + enabled: false + adminSecretRef: + Name: postgres16-gitea-secret + Namespace: databases + engine: postgres + generic: + host: postgres16-gitea-postgresql.databases.svc.cluster.local + port: 5432 + postgres16: + monitoring: + enabled: false + adminSecretRef: + Name: postgres16-secret + Namespace: databases + engine: postgres + generic: + host: postgres16-postgresql.databases.svc.cluster.local + port: 5432 + mariadb: + monitoring: + enabled: false + adminSecretRef: + Name: mariadb-secret + Namespace: databases + engine: mysql + generic: + host: mariadb.databases.svc.cluster.local + port: 3306 diff --git a/values/badhouseplants/values.docker-mailserver.yaml b/values/badhouseplants/values.docker-mailserver.yaml new file mode 100644 index 0000000..45b25ef --- /dev/null +++ b/values/badhouseplants/values.docker-mailserver.yaml @@ -0,0 +1,71 @@ +traefik: + enabled: true + tcpRoutes: + - name: docker-mailserver-smtp + service: docker-mailserver + match: HostSNI(`*`) + entrypoint: smtp + port: 25 + - name: docker-mailserver-smtps + match: HostSNI(`*`) + service: docker-mailserver + entrypoint: smtps + port: 465 + - name: docker-mailserver-smpt-startls + match: HostSNI(`*`) + service: docker-mailserver + entrypoint: smtp-startls + port: 587 + - name: docker-mailserver-imap + match: HostSNI(`*`) + service: docker-mailserver + entrypoint: imap + port: 143 + - name: docker-mailserver-imaps + match: HostSNI(`*`) + service: docker-mailserver + entrypoint: imaps + port: 993 + - name: docker-mailserver-pop3 + match: HostSNI(`*`) + service: docker-mailserver + entrypoint: pop3 + port: 110 + - name: docker-mailserver-pop3s + match: HostSNI(`*`) + service: docker-mailserver + entrypoint: pop3s + port: 993 + +rainloop: + enabled: true + ingress: + enabled: true + hosts: + - mail.badhouseplants.net + annotations: + kubernetes.io/ingress.class: traefik + kubernetes.io/tls-acme: "true" + kubernetes.io/ingress.allow-http: "false" + kubernetes.io/ingress.global-static-ip-name: "" + cert-manager.io/cluster-issuer: badhouseplants-issuer-http01 + tls: + - secretName: mail-tls-secret + hosts: + - mail.badhouseplants.net + +demoMode: + enabled: false +domains: + - badhouseplants.net + - mail.badhouseplants.net +ssl: + useExisting: true + existingName: mail-tls-secret +pod: + dockermailserver: + enable_fail2ban: "0" + ssl_type: manual +service: + type: ClusterIP +spfTestsDisabled: true diff --git a/values/badhouseplants/values.drone-runner-docker.yaml b/values/badhouseplants/values.drone-runner-docker.yaml new file mode 100644 index 0000000..923e72d --- /dev/null +++ b/values/badhouseplants/values.drone-runner-docker.yaml @@ -0,0 +1,16 @@ +--- +env: + DRONE_RPC_HOST: drone.badhouseplants.net + DRONE_RPC_PROTO: https + DRONE_NAMESPACE_DEFAULT: drone-service +rbac: + buildNamespaces: + - drone-service +dind: + resources: + limits: + cpu: 2000m + memory: 2024Mi + requests: + cpu: 100m + memory: 512Mi \ No newline at end of file diff --git a/values/badhouseplants/values.drone.yaml b/values/badhouseplants/values.drone.yaml new file mode 100644 index 0000000..8a1eb82 --- /dev/null +++ b/values/badhouseplants/values.drone.yaml @@ -0,0 +1,18 @@ +# ------------------------------------------ +# -- Istio extenstion. Just because I'm +# -- not using ingress nginx +# ------------------------------------------ +istio: + enabled: true + istio: + - name: drone-http + gateway: istio-system/badhouseplants-net + kind: http + hostname: drone.badhouseplants.net + service: drone + port: 8080 +env: + DRONE_SERVER_HOST: drone.badhouseplants.net + DRONE_SERVER_PROTO: https + DRONE_GITEA_SERVER: https://git.badhouseplants.net + DRONE_USER_CREATE: username:allanger,admin:true diff --git a/values/badhouseplants/values.funkwhale.yaml b/values/badhouseplants/values.funkwhale.yaml new file mode 100644 index 0000000..5a4a38e --- /dev/null +++ b/values/badhouseplants/values.funkwhale.yaml @@ -0,0 +1,72 @@ +--- +# ------------------------------------------ +# -- Istio extenstion. Just because I'm +# -- not using ingress nginx +# ------------------------------------------ +istio: + enabled: true + istio: + - name: funkwhale-http + gateway: istio-system/badhouseplants-net + kind: http + hostname: funkwhale.badhouseplants.net + service: funkwhale + port: 80 + +ext-database: + enabled: true + name: funkwhale-postgres16 + instance: postgres16 + +replicaCount: 1 +celery: + worker: + replicaCount: 1 + beat: + resources: + limits: + cpu: 100m + memory: 512Mi + requests: + cpu: 10m + memory: 75Mi +ingress: + enabled: true + annotations: + traefik.ingress.kubernetes.io/router.entrypoints: web,websecure + kubernetes.io/ingress.class: traefik + kubernetes.io/tls-acme: "true" + kubernetes.io/ingress.allow-http: "false" + kubernetes.io/ingress.global-static-ip-name: "" + cert-manager.io/cluster-issuer: badhouseplants-issuer-http01 + host: funkwhale.badhouseplants.net + protocol: http + + tls: + - secretName: funkwhale-tls-secret + hosts: + - funkwhale.badhouseplants.net + +extraEnv: + FUNKWHALE_HOSTNAME: funkwhale.badhouseplants.net + FUNKWHALE_PROTOCOL: https +persistence: + enabled: true + accessMode: ReadWriteMany + size: 10Gi +s3: + enabled: false + +postgresql: + enabled: false + host: postgres16-postgresql.databases.svc.cluster.local + auth: + username: funkwhale-application-funkwhale-postgres16 + database: funkwhale-application-funkwhale-postgres16 + +redis: + enabled: false + host: redis-master.databases.svc.cluster.local + auth: + enabled: true + database: 3 diff --git a/values/badhouseplants/values.gitea.yaml b/values/badhouseplants/values.gitea.yaml new file mode 100644 index 0000000..3f2a0f0 --- /dev/null +++ b/values/badhouseplants/values.gitea.yaml @@ -0,0 +1,151 @@ +# ------------------------------------------ +# -- Database extension is used to manage +# -- database with db-operator +# ------------------------------------------ +ext-database: + enabled: true + name: gitea-postgres16 + instance: postgres16-gitea + +traefik: + enabled: true + tcpRoutes: + - name: gitea-ssh + service: gitea-ssh + match: HostSNI(`*`) + entrypoint: ssh + port: 22 +# ------------------------------------------ +# -- Kubernetes related values +# ------------------------------------------ +ingress: + enabled: true + annotations: + kubernetes.io/ingress.class: traefik + kubernetes.io/tls-acme: "true" + kubernetes.io/ingress.allow-http: "false" + kubernetes.io/ingress.global-static-ip-name: "" + cert-manager.io/cluster-issuer: badhouseplants-issuer-http01 + traefik.ingress.kubernetes.io/router.entrypoints: web,websecure + hosts: + - host: git.badhouseplants.net + paths: + - path: / + pathType: Prefix + tls: + - secretName: gitea-tls-secret + hosts: + - git.badhouseplants.net +replicaCount: 1 +clusterDomain: cluster.local + +resources: + limits: + cpu: 512m + memory: 1024Mi + requests: + cpu: 512m + memory: 256Mi + +persistence: + enabled: true + size: 15Gi + accessModes: + - ReadWriteOnce + +# ------------------------------------------ +# -- Main Gitea settings +# ------------------------------------------ +gitea: + metrics: + enabled: true + serviceMonitor: + # -- TODO(@allanger): Enable it once prometheus is configured + enabled: false + config: + database: + DB_TYPE: postgres + HOST: postgres16-gitea-postgresql.databases.svc.cluster.local + NAME: applications-gitea-postgres16 + USER: applications-gitea-postgres16 + APP_NAME: Bad Houseplants Gitea + ui: + meta: + AUTHOR: Bad Houseplants + DESCRIPTION: ...by allanger + repository: + DEFAULT_BRANCH: main + MAX_CREATION_LIMIT: 0 + DISABLED_REPO_UNITS: repo.wiki + service: + DISABLE_REGISTRATION: false + server: + DOMAIN: git.badhouseplants.net + ROOT_URL: https://git.badhouseplants.net + LFS_START_SERVER: true + LANDING_PAGE: explore + START_SSH_SERVER: true + admin: + DISABLE_REGULAR_ORG_CREATION: true + packages: + ENABLED: true + cron: + enabled: true + attachment: + MAX_SIZE: 100 + actions: + ENABLED: true + oauth2_client: + REGISTER_EMAIL_CONFIRM: false + ENABLE_AUTO_REGISTRATION: true + session: + PROVIDER: redis + cache: + ENABLED: true + ADAPTER: redis + queue: + TYPE: redis + mailer: + ENABLED: true + FROM: gitea@badhouseplants.net + PROTOCOL: smtp+startls + SMTP_ADDR: badhouseplants.net + SMTP_PORT: 587 + USER: overlord@badhouseplants.net + indexer: + REPO_INDEXER_ENABLED: true + REPO_INDEXER_PATH: indexers/repos.bleve + MAX_FILE_SIZE: 1048576 + REPO_INDEXER_EXCLUDE: resources/bin/** + picture: + ENABLE_FEDERATED_AVATAR: false +service: + ssh: + type: ClusterIP + port: 22 + clusterIP: +# ------------------------------------------ +# -- Disabled dependencies +# ------------------------------------------ +postgresql-ha: + enabled: false +redis-cluster: + enabled: false + + # extraDeploy: + # - | + # {{- if $.Capabilities.APIVersions.Has "traefik.io/v1alpha1/IngressRouteTCP" }} + # apiVersion: traefik.io/v1alpha1 + # kind: IngressRouteTCP + # metadata: + # name: {{ include "gitea.fullname" . }}-ssh + # spec: + # entryPoints: + # - ssh + # routes: + # - match: HostSNI('*') + # services: + # - name: "{{ include "gitea.fullname" . }}-ssh" + # port: 22 + # nativeLB: true + # {{- end }} diff --git a/values/badhouseplants/values.iredmail.yaml b/values/badhouseplants/values.iredmail.yaml new file mode 100644 index 0000000..fd50394 --- /dev/null +++ b/values/badhouseplants/values.iredmail.yaml @@ -0,0 +1,4 @@ +config: + env: + HOSTNAME: mail.badhouseplants.net + FIRST_MAIL_DOMAIN: badhouseplants.net \ No newline at end of file diff --git a/values/badhouseplants/values.issuer.yaml b/values/badhouseplants/values.issuer.yaml new file mode 100644 index 0000000..040297a --- /dev/null +++ b/values/badhouseplants/values.issuer.yaml @@ -0,0 +1,13 @@ +--- +name: badhouseplants-issuer-http01 +spec: + acme: + email: allanger@badhouseplants.net + preferredChain: "" + privateKeySecretRef: + name: badhouseplants-http01-issuer-account-key + server: https://acme-v02.api.letsencrypt.org/directory + solvers: + - http01: + ingress: + ingressClassName: traefik diff --git a/values/badhouseplants/values.istio-gateway-resources.yaml b/values/badhouseplants/values.istio-gateway-resources.yaml new file mode 100644 index 0000000..acbca74 --- /dev/null +++ b/values/badhouseplants/values.istio-gateway-resources.yaml @@ -0,0 +1,98 @@ +certificate: + enabled: true + certificate: + - name: nrodionov-wildcard + secretName: nrodionov-wildcard-tls + issuer: + kind: ClusterIssuer + name: badhouseplants-issuer + dnsNames: + - nrodionov.info + - "*.nrodionov.info" + - name: badhouseplants-wildcard + secretName: badhouseplants-wildcard-tls + issuer: + kind: ClusterIssuer + name: badhouseplants-issuer + dnsNames: + - badhouseplants.net + - "*.badhouseplants.net" +istio-gateway: + enabled: true + gateways: + - name: badhouseplants-net + servers: + - hosts: + - badhouseplants.net + - '*.badhouseplants.net' + port: + name: grpc-web + number: 8080 + protocol: HTTPS + tls: + credentialName: badhouseplants-wildcard-tls + mode: SIMPLE + - hosts: + - badhouseplants.net + - '*.badhouseplants.net' + port: + name: http + number: 80 + protocol: HTTP2 + tls: + httpsRedirect: true + - hosts: + - badhouseplants.net + - '*.badhouseplants.net' + port: + name: https + number: 443 + protocol: HTTPS + tls: + credentialName: badhouseplants-wildcard-tls + mode: SIMPLE + - name: nrodionov-info + servers: + - hosts: + - nrodionov.info + - dev.nrodionov.info + port: + name: http + number: 80 + protocol: HTTP2 + tls: + httpsRedirect: true + - hosts: + - nrodionov.info + - dev.nrodionov.info + port: + name: https + number: 443 + protocol: HTTPS + tls: + credentialName: nrodionov-wildcard-tls + mode: SIMPLE + - name: badhouseplants-vpn + servers: + - hosts: + - '*' + port: + name: tcp + number: 1194 + protocol: TCP + - name: badhouseplants-ssh + servers: + - hosts: + - '*' + port: + name: ssh + number: 22 + protocol: TCP + - name: badhouseplants-minecraft + servers: + - hosts: + - '*' + port: + name: minecraft + number: 25565 + protocol: TCP diff --git a/values/badhouseplants/values.istio-ingressgateway.yaml b/values/badhouseplants/values.istio-ingressgateway.yaml new file mode 100644 index 0000000..b97223d --- /dev/null +++ b/values/badhouseplants/values.istio-ingressgateway.yaml @@ -0,0 +1,72 @@ +service: + type: LoadBalancer + externalTrafficPolicy: Local + ports: + - name: shadowsocks + port: 8388 + protocol: TCP + targetPort: 8388 + - name: minecraft + port: 25565 + protocol: TCP + targetPort: 25565 + - name: ssh-gitea + port: 22 + protocol: TCP + targetPort: 22 + - name: http2 + port: 80 + protocol: TCP + targetPort: 80 + - name: grpc-web + port: 8080 + protocol: TCP + targetPort: 8080 + - name: https + port: 443 + protocol: TCP + targetPort: 443 + - name: tcp + port: 1194 + protocol: TCP + targetPort: 1194 + # ----------- + # -- Email + # ----------- + - name: smtp + port: 25 + protocol: TCP + targetPort: 25 + - name: smtps + port: 465 + protocol: TCP + targetPort: 465 + - name: smtp-startls + port: 587 + protocol: TCP + targetPort: 587 + - name: imap + port: 143 + protocol: TCP + targetPort: 143 + - name: imaps + port: 993 + protocol: TCP + targetPort: 993 + - name: pop3 + port: 110 + protocol: TCP + targetPort: 110 + - name: pop3s + port: 995 + protocol: TCP + targetPort: 995 +podAnnotations: + proxy.istio.io/config: '{"gatewayTopology" : { "numTrustedProxies": 0, "forwardClientCertDetails": SANITIZE } }' +resources: + requests: + cpu: 100m + memory: 128Mi + limits: + cpu: 200m + memory: 1024Mi diff --git a/values/badhouseplants/values.istiod.yaml b/values/badhouseplants/values.istiod.yaml new file mode 100644 index 0000000..d788392 --- /dev/null +++ b/values/badhouseplants/values.istiod.yaml @@ -0,0 +1,14 @@ +--- +pilot: + resources: + requests: + cpu: 50m + memory: 2048Mi +global: + proxy: + resources: + requests: + cpu: 20m + memory: 128Mi + limits: + memory: 128Mi diff --git a/values/badhouseplants/values.local-path-provisioner.yaml b/values/badhouseplants/values.local-path-provisioner.yaml new file mode 100644 index 0000000..aa1d3e2 --- /dev/null +++ b/values/badhouseplants/values.local-path-provisioner.yaml @@ -0,0 +1,3 @@ +storageClass: + create: true + defaultClass: false diff --git a/values/badhouseplants/values.loki.yaml b/values/badhouseplants/values.loki.yaml new file mode 100644 index 0000000..c160d28 --- /dev/null +++ b/values/badhouseplants/values.loki.yaml @@ -0,0 +1,99 @@ +--- +global: + dnsService: "coredns" + +loki: + auth_enabled: false + commonConfig: + replication_factor: 1 + storage: + type: 'filesystem' + commonConfig: + replication_factor: 1 + schemaConfig: + configs: + - from: 2024-04-01 + store: tsdb + object_store: s3 + schema: v13 + index: + prefix: loki_index_ + period: 24h + ingester: + chunk_encoding: snappy + tracing: + enabled: true + querier: + # Default is 4, if you have enough memory and CPU you can increase, reduce if OOMing + max_concurrent: 2 + +compactor: + retention_enabled: true +limits_config: + retention_period: 14d + +monitoring: + selfMonitoring: + enabled: false + lokiCanary: + enabled: false + +#gateway: +# ingress: +# enabled: true +# hosts: +# - host: FIXME +# paths: +# - path: / +# pathType: Prefix + +deploymentMode: SingleBinary +singleBinary: + persistence: + size: 5Gi + replicas: 1 + resources: + limits: + cpu: 1 + memory: 1Gi + requests: + cpu: 0.5 + memory: 512Mi + extraEnv: + # Keep a little bit lower than memory limits + - name: GOMEMLIMIT + value: 3750MiB + +chunksCache: + # default is 500MB, with limited memory keep this smaller + writebackSizeLimit: 10MB + +minio: + enabled: false + +# Zero out replica counts of other deployment modes +backend: + replicas: 0 +read: + replicas: 0 +write: + replicas: 0 + +ingester: + replicas: 0 +querier: + replicas: 0 +queryFrontend: + replicas: 0 +queryScheduler: + replicas: 0 +distributor: + replicas: 0 +compactor: + replicas: 0 +indexGateway: + replicas: 0 +bloomCompactor: + replicas: 0 +bloomGateway: + replicas: 0 diff --git a/values/badhouseplants/values.longhorn.yaml b/values/badhouseplants/values.longhorn.yaml new file mode 100644 index 0000000..03cd89c --- /dev/null +++ b/values/badhouseplants/values.longhorn.yaml @@ -0,0 +1,20 @@ +defaultSettings: + backupTarget: s3://longhorn@us-east1/backupstore + backupTargetCredentialSecret: s3-backup-secret + guaranteedEngineManagerCPU: 6 + guaranteedReplicaManagerCPU: 6 + storageOverProvisioningPercentage: 300 + storageMinimalAvailablePercentage: 5 + storageReservedPercentageForDefaultDisk: 1 + defaultDataPath: /media/longhorn +csi: + kubeletRootDir: /var/lib/kubelet/ + attacherReplicaCount: 1 + provisionerReplicaCount: 1 + resizerReplicaCount: 1 + snapshotterReplicaCount: 1 +persistence: + defaultClassReplicaCount: 1 +enablePSP: false +longhornUI: + replicas: 1 diff --git a/values/badhouseplants/values.mailu.yaml b/values/badhouseplants/values.mailu.yaml new file mode 100644 index 0000000..3f9516b --- /dev/null +++ b/values/badhouseplants/values.mailu.yaml @@ -0,0 +1,196 @@ + +# ------------------------------------------ +# -- Database extension is used to manage +# -- database with db-operator +# ------------------------------------------ +ext-database: + enabled: true + name: mailu-postgres16 + instance: postgres16 + extraDatabase: + enabled: true + name: roundcube-postgres16 + instance: postgres16 + +# ------------------------------------------ +# -- Istio extenstion. Just because I'm +# -- not using ingress nginx +# ------------------------------------------ +traefik: + enabled: true + tcpRoutes: + - name: mailu-smtp + service: mailu-front + match: HostSNI(`*`) + entrypoint: smtp + port: 25 + - name: mailu-smtps + match: HostSNI(`*`) + service: mailu-front + entrypoint: smtps + port: 465 + - name: mailu-smpt-startls + match: HostSNI(`*`) + service: mailu-front + entrypoint: smtp-startls + port: 587 + - name: mailu-imap + match: HostSNI(`*`) + service: mailu-front + entrypoint: imap + port: 143 + - name: mailu-imaps + match: HostSNI(`*`) + service: mailu-front + entrypoint: imaps + port: 993 + - name: mailu-pop3 + match: HostSNI(`*`) + service: mailu-front + entrypoint: pop3 + port: 110 + - name: mailu-pop3s + match: HostSNI(`*`) + service: mailu-front + entrypoint: pop3s + port: 993 +subnet: 10.244.0.0/16 +sessionCookieSecure: true +hostnames: + - email.badhouseplants.net +extraTls: + - hosts: + - badhouseplants.net + secretName: mailu-root-domain +domain: badhouseplants.net +persistence: + single_pvc: false +limits: + messageRatelimit: + value: "100/day" +tls: + outboundLevel: secure +ingress: + enabled: true + ingressClassName: traefik + tls: true + annotations: + kubernetes.io/tls-acme: "true" + kubernetes.io/ingress.allow-http: "false" + kubernetes.io/ingress.global-static-ip-name: "" + cert-manager.io/cluster-issuer: badhouseplants-issuer-http01 + traefik.ingress.kubernetes.io/router.entrypoints: web,websecure + tlsFlavorOverride: mail + # realIpFrom: traefik.kube-system.svc.cluster.local + # realIpHeader: "X-Real-IP" +front: + hostPort: + enabled: false + extraEnvVars: + - name: PROXY_PROTOCOL + value: "mail" + - name: REAL_IP_FROM + value: "10.244.0.0/16,10.43.0.0/16" +admin: + resources: + requests: + memory: 100Mi + cpu: 70m + limits: + memory: 700Mi + cpu: 600m + startupProbe: + enabled: true + failureThreshold: 10 + initialDelaySeconds: 10 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 5 + + persistence: + size: 1Gi +redis: + resources: + requests: + memory: 100Mi + cpu: 70m + limits: + memory: 200Mi + cpu: 200m + master: + persistence: + enabled: false +postfix: + resources: + requests: + memory: 1024Mi + cpu: 200m + limits: + memory: 1024Mi + cpu: 200m + persistence: + size: 1Gi +dovecot: + logLevel: DEBUG + resources: + requests: + memory: 100Mi + cpu: 70m + limits: + memory: 400Mi + cpu: 300m + persistence: + size: 1Gi +roundcube: + resources: + requests: + memory: 100Mi + cpu: 70m + limits: + memory: 200Mi + cpu: 200m + persistence: + size: 1Gi +mysql: + enabled: false +postgresql: + enabled: false +## If using the built-in MariaDB or PostgreSQL, the `roundcube` database will be created automatically. +externalDatabase: + ## @param externalDatabase.enabled Set to true to use an external database + enabled: true + type: postgresql + existingSecret: mailu-postgres16-creds + existingSecretDatabaseKey: POSTGRES_DB + existingSecretUsernameKey: POSTGRES_USER + existingSecretPasswordKey: POSTGRES_PASSWORD + host: postgres16-postgresql.databases.svc.cluster.local + port: 5432 +rspamd: + resources: + requests: + memory: 100Mi + cpu: 100m + limits: + memory: 500Mi + cpu: 400m + startupProbe: + periodSeconds: 30 + failureThreshold: 900 + timeoutSeconds: 20 + livenessProbe: {} + readinessProbe: {} +webmail: + persistence: + size: 2Gi + storageClass: "" + accessModes: [ReadWriteOnce] + claimNameOverride: "" + annotations: {} +global: + database: + roundcube: + database: applications-roundcube-postgres16 + username: applications-roundcube-postgres16 + existingSecret: roundcube-postgres16-creds + existingSecretPasswordKey: POSTGRES_PASSWORD diff --git a/values/badhouseplants/values.mariadb.yaml b/values/badhouseplants/values.mariadb.yaml new file mode 100644 index 0000000..ae964fc --- /dev/null +++ b/values/badhouseplants/values.mariadb.yaml @@ -0,0 +1,19 @@ +auth: + rootPassword: "" + database: "" + username: "" + password: "" + replicationUser: replicator + replicationPassword: "" + existingSecret: "" + forcePassword: false + usePasswordFiles: false + customPasswordFiles: {} +initdbScripts: {} +initdbScriptsConfigMap: "" + +primary: + persistence: + enabled: true + storageClass: longhorn + size: 1Gi diff --git a/values/badhouseplants/values.metallb-resources.yaml b/values/badhouseplants/values.metallb-resources.yaml new file mode 100644 index 0000000..94b681b --- /dev/null +++ b/values/badhouseplants/values.metallb-resources.yaml @@ -0,0 +1,5 @@ +metallb: + enabled: true + ippools: + - name: fuji + addresses: 195.201.249.91-195.201.249.91 diff --git a/values/badhouseplants/values.minio.yaml b/values/badhouseplants/values.minio.yaml new file mode 100644 index 0000000..c2011d7 --- /dev/null +++ b/values/badhouseplants/values.minio.yaml @@ -0,0 +1,151 @@ +--- +# ------------------------------------------ +# -- Istio extenstion. Just because I'm +# -- not using ingress nginx +# ------------------------------------------ +istio: + enabled: true + istio: + - name: minio-http + gateway: istio-system/badhouseplants-net + kind: http + hostname: minio.badhouseplants.net + service: minio-console + port: 9001 + - name: s3-http + gateway: istio-system/badhouseplants-net + kind: http + hostname: s3.badhouseplants.net + service: minio + port: 9000 + +ingress: + enabled: true + ingressClassName: ~ + annotations: + kubernetes.io/ingress.class: traefik + kubernetes.io/tls-acme: "true" + kubernetes.io/ingress.allow-http: "false" + kubernetes.io/ingress.global-static-ip-name: "" + cert-manager.io/cluster-issuer: badhouseplants-issuer-http01 + traefik.ingress.kubernetes.io/router.entrypoints: web,websecure + path: / + hosts: + - s3.badhouseplants.net + tls: + - secretName: s3-tls-secret + hosts: + - s3.badhouseplants.net +consoleIngress: + enabled: true + ingressClassName: ~ + annotations: + kubernetes.io/ingress.class: traefik + kubernetes.io/tls-acme: "true" + kubernetes.io/ingress.allow-http: "false" + kubernetes.io/ingress.global-static-ip-name: "" + cert-manager.io/cluster-issuer: badhouseplants-issuer-http01 + traefik.ingress.kubernetes.io/router.entrypoints: web,websecure + path: / + hosts: + - minio.badhouseplants.net + tls: + - secretName: minio-tls-secret + hosts: + - minio.badhouseplants.net + +rootUser: 'overlord' +replicas: 1 +mode: standalone +environment: + MINIO_SERVER_URL: "https://s3.badhouseplants.net:443" +tls: + enabled: false + certSecret: '' + publicCrt: public.crt + privateKey: private.key +persistence: + enabled: true + accessMode: ReadWriteOnce + size: 10Gi +service: + type: ClusterIP + clusterIP: ~ + port: '9000' +consoleService: + type: ClusterIP + clusterIP: ~ + port: '9001' +resources: + requests: + memory: 2Gi +buckets: + - name: badhouseplants-net + policy: download + purge: false + versioning: false + - name: badhouseplants-js + policy: download + purge: false + versioning: false + - name: badhouseplants-net-main + policy: download + purge: false + versioning: false + - name: sharing + policy: download + purge: false + versioning: false + - name: allanger-music + policy: download + purge: false +metrics: + serviceMonitor: + enabled: false + public: true + additionalLabels: {} +policies: + - name: allanger + statements: + - resources: + - 'arn:aws:s3:::*' + actions: + - "s3:*" + - resources: [] + actions: + - "admin:*" + - resources: [] + actions: + - "kms:*" + - name: Admins + statements: + - resources: + - 'arn:aws:s3:::*' + actions: + - "s3:*" + - resources: [] + actions: + - "admin:*" + - resources: [] + actions: + - "kms:*" + - name: DevOps + statements: + - resources: + - 'arn:aws:s3:::badhouseplants-net' + actions: + - "s3:*" + - resources: + - 'arn:aws:s3:::badhouseplants-net/*' + actions: + - "s3:*" + - name: sharing + statements: + - resources: + - 'arn:aws:s3:::sharing' + actions: + - "s3:*" + - resources: + - 'arn:aws:s3:::sharing/*' + actions: + - "s3:*" diff --git a/values/badhouseplants/values.mysql.yaml b/values/badhouseplants/values.mysql.yaml new file mode 100644 index 0000000..b2209a0 --- /dev/null +++ b/values/badhouseplants/values.mysql.yaml @@ -0,0 +1,6 @@ +primary: + persistence: + size: 500Mi + +auth: + createDatabase: false diff --git a/values/badhouseplants/values.namespaces.yaml b/values/badhouseplants/values.namespaces.yaml new file mode 100644 index 0000000..3f471f1 --- /dev/null +++ b/values/badhouseplants/values.namespaces.yaml @@ -0,0 +1,9 @@ +namespaces: + - name: longhorn-system + - name: databases + - name: applications + - name: development + - name: production + - name: platform + - name: games + - name: pipelines diff --git a/values/badhouseplants/values.nrodionov.yaml b/values/badhouseplants/values.nrodionov.yaml new file mode 100644 index 0000000..f3b7b81 --- /dev/null +++ b/values/badhouseplants/values.nrodionov.yaml @@ -0,0 +1,65 @@ +ext-database: + enabled: true + name: nrodionov-mariadb + instance: mariadb + credentials: + mariadb-password: "{{ .Password }}" + +ingress: + enabled: true + pathType: ImplementationSpecific + hostname: dev.nrodionov.info + path: / + annotations: + kubernetes.io/ingress.class: traefik + kubernetes.io/tls-acme: "true" + kubernetes.io/ingress.allow-http: "false" + kubernetes.io/ingress.global-static-ip-name: "" + cert-manager.io/cluster-issuer: badhouseplants-issuer-http01 + tls: true + tlsWwwPrefix: false + selfSigned: false +wordpressBlogName: Николай Николаевич Родионов +wordpressUsername: admin +wordpressFirstName: Nikolai +wordpressLastName: Rodionov +wordpressTablePrefix: wp_ +wordpressScheme: http +existingWordPressConfigurationSecret: "" +resources: + requests: + memory: 300Mi + cpu: 10m +service: + type: ClusterIP + ports: + http: 8080 + https: 8443 + +persistence: + enabled: true + storageClass: "" + accessModes: + - ReadWriteOnce + accessMode: ReadWriteOnce + size: 2Gi + dataSource: {} + existingClaim: "" + selector: {} + +externalDatabase: + host: mariadb.databases.svc.cluster.local + port: 3306 + user: applications_nrodionov_mariadb + database: applications_nrodionov_mariadb + existingSecret: nrodionov-mariadb-creds +mariadb: + enabled: false + primary: + persistence: + enabled: true + storageClass: "" + accessModes: + - ReadWriteOnce + size: 3Gi + diff --git a/values/badhouseplants/values.openvpn-xor.yaml b/values/badhouseplants/values.openvpn-xor.yaml new file mode 100644 index 0000000..5827bde --- /dev/null +++ b/values/badhouseplants/values.openvpn-xor.yaml @@ -0,0 +1,46 @@ +--- +# ------------------------------------------ +# -- Istio extenstion. Just because I'm +# -- not using ingress nginx +# ------------------------------------------ +# istio: + # enabled: true + # istio: + # - name: openvpn-tcp-xor + # gateway: istio-system/badhouseplants-vpn + # kind: tcp + # port_match: 1194 + # hostname: "*" + # service: openvpn-xor + # port: 1194 +# ------------------------------------------ +traefik: + enabled: true + tcpRoutes: + - name: openvpn-xor + service: openvpn-xor + match: HostSNI(`*`) + entrypoint: openvpn + port: 1194 + +storage: + class: longhorn + size: 512Mi + +openvpn: + proto: tcp + host: 195.201.249.91 + +easyrsa: + cn: Bad Houseplants + country: Germany + province: NRW + city: Duesseldorf + org: Bad Houseplants + email: allanger@zohomail.com + +service: + type: ClusterIP + port: 1194 + targetPort: 1194 + protocol: TCP diff --git a/values/badhouseplants/values.postgres.yaml b/values/badhouseplants/values.postgres.yaml new file mode 100644 index 0000000..db7f7ab --- /dev/null +++ b/values/badhouseplants/values.postgres.yaml @@ -0,0 +1,10 @@ +architecture: standalone + +auth: + database: postgres + +persistence: + size: 1Gi + +metrics: + enabled: false \ No newline at end of file diff --git a/values/badhouseplants/values.postgres16-gitea.yaml b/values/badhouseplants/values.postgres16-gitea.yaml new file mode 100644 index 0000000..2851516 --- /dev/null +++ b/values/badhouseplants/values.postgres16-gitea.yaml @@ -0,0 +1,35 @@ +architecture: standalone + +auth: + database: postgres + +persistence: + size: 1Gi + +metrics: + enabled: false +primary: + resources: + limits: + ephemeral-storage: 1Gi + memory: 512Mi + requests: + cpu: 100m + ephemeral-storage: 50Mi + memory: 256Mi + podSecurityContext: + enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] + containerSecurityContext: + enabled: true + seLinuxOptions: {} + runAsNonRoot: false + privileged: false + readOnlyRootFilesystem: true + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" diff --git a/values/badhouseplants/values.postgres16.yaml b/values/badhouseplants/values.postgres16.yaml new file mode 100644 index 0000000..844da46 --- /dev/null +++ b/values/badhouseplants/values.postgres16.yaml @@ -0,0 +1,35 @@ +architecture: standalone + +auth: + database: postgres + +persistence: + size: 1Gi + +metrics: + enabled: false +primary: + resources: + limits: + ephemeral-storage: 1Gi + memory: 512Mi + requests: + cpu: 512m + ephemeral-storage: 50Mi + memory: 128Mi + podSecurityContext: + enabled: true + fsGroupChangePolicy: Always + sysctls: [] + supplementalGroups: [] + containerSecurityContext: + enabled: true + seLinuxOptions: {} + runAsNonRoot: false + privileged: false + readOnlyRootFilesystem: false + allowPrivilegeEscalation: false + capabilities: + drop: ["ALL"] + seccompProfile: + type: "RuntimeDefault" diff --git a/values/badhouseplants/values.prometheus.yaml b/values/badhouseplants/values.prometheus.yaml new file mode 100644 index 0000000..2ee10c9 --- /dev/null +++ b/values/badhouseplants/values.prometheus.yaml @@ -0,0 +1,148 @@ +--- +# ------------------------------------------ +# -- Istio extenstion. Just because I'm +# -- not using ingress nginx +# ------------------------------------------ +istio: + enabled: true + istio: + - name: grafana-https + gateway: istio-system/badhouseplants-net + kind: http + hostname: "grafana.badhouseplants.net" + service: prometheus-grafana + port: 80 + +coreDns: + enabled: false +kubeEtcd: + enabled: false +kubelet: + enabled: false +kubeApiServer: + enabled: false + +prometheus-node-exporter: + prometheus: + monitor: + enabled: true + jobLabel: jobLabel + interval: 60s + +defaultRules: + create: true + rules: + alertmanager: true + etcd: false + configReloaders: false + general: true + k8s: true + kubeApiserverAvailability: false + kubeApiserverBurnrate: false + kubeApiserverHistogram: false + kubeApiserverSlos: false + kubeControllerManager: false + kubelet: false + kubeProxy: false + kubePrometheusGeneral: false + kubePrometheusNodeRecording: false + kubernetesApps: true + kubernetesResources: true + kubernetesStorage: true + kubernetesSystem: true + kubeSchedulerAlerting: false + kubeSchedulerRecording: true + kubeStateMetrics: true + network: false + node: true + nodeExporterAlerting: true + nodeExporterRecording: true + prometheus: true + prometheusOperator: true + windows: false + +prometheus: + prometheusSpec: + enableAdminAPI: true + retentionSize: 7GB + retention: 20d + podMonitorNamespaceSelector: + any: true + podMonitorSelector: {} + podMonitorSelectorNilUsesHelmValues: false + ruleNamespaceSelector: + any: true + ruleSelector: {} + ruleSelectorNilUsesHelmValues: false + serviceMonitorNamespaceSelector: + any: true + serviceMonitorSelector: {} + serviceMonitorSelectorNilUsesHelmValues: false + storageSpec: + volumeClaimTemplate: + spec: + accessModes: ["ReadWriteOnce"] + resources: + requests: + storage: 12Gi + +grafana: + assertNoLeakedSecrets: false + persistence: + enabled: true + size: 2Gi + grafana.ini: + server: + root_url: https://grafana.badhouseplants.net + auth.generic_oauth: + name: Gitea + icon: signin + enabled: true + allow_sign_up: true + auto_login: false + client_id: 0ce70a7d-f267-44cc-9686-71048277e51d + scopes: openid profile email groups + empty_scopes: false + auth_url: https://git.badhouseplants.net/login/oauth/authorize + token_url: https://git.badhouseplants.net/login/oauth/access_token + api_url: https://git.badhouseplants.net/login/oauth/userinfo + tls_skip_verify_insecure: false + use_pkce: true + role_attribute_path: contains(groups, 'badhouseplants:owners') && 'Admin' || 'Viewer' + + dashboardProviders: + dashboardproviders.yaml: + apiVersion: 1 + providers: + - name: 'default' + orgId: 1 + folder: '' + type: file + disableDeletion: true + editable: false + options: + path: /var/lib/grafana/dashboards/default + + dashboards: + default: + gitea-dashboard: + gnetId: 13192 + revision: 1 + datasource: Prometheus + argo-dashboard: + gnetId: 14584 + revision: 1 + datasource: Prometheus + + datasources: + loki.yaml: + apiVersion: 1 + datasources: + - name: Loki + type: loki + access: proxy + uid: loki + editable: false + url: http://loki.monitoring-system:3100/ + jsonData: + maxLines: 1000 diff --git a/values/badhouseplants/values.promtail.yaml b/values/badhouseplants/values.promtail.yaml new file mode 100644 index 0000000..4976174 --- /dev/null +++ b/values/badhouseplants/values.promtail.yaml @@ -0,0 +1,11 @@ +--- +config: + clients: + # - url: http://loki.monitoring-system:3100 + - url: http://loki-gateway/loki/api/v1/push + snippets: + pipelineStages: + - match: + pipeline_name: "drop-all" + selector: '{namespace!~"mail-service|woodpecker|minecraft-application"}' + action: drop diff --git a/values/badhouseplants/values.redis.yaml b/values/badhouseplants/values.redis.yaml new file mode 100644 index 0000000..77d5357 --- /dev/null +++ b/values/badhouseplants/values.redis.yaml @@ -0,0 +1,11 @@ +metrics: + enabled: false + +secretAnnotations: + reflector.v1.k8s.emberstack.com/reflection-allowed: "true" + reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true" + reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "gitea-service,funkwhale-application" +architecture: standalone +master: + persistence: + enabled: false diff --git a/values/badhouseplants/values.roles.yaml b/values/badhouseplants/values.roles.yaml new file mode 100644 index 0000000..867a4c0 --- /dev/null +++ b/values/badhouseplants/values.roles.yaml @@ -0,0 +1,10 @@ +roles: + - name: minecraft-admin + namespace: games + kind: Role + rules: + - apiGroups: ["*"] + resources: ["*"] + verbs: ["*"] + namespace: + - games diff --git a/values/badhouseplants/values.tandoor.yaml b/values/badhouseplants/values.tandoor.yaml new file mode 100644 index 0000000..c30f79e --- /dev/null +++ b/values/badhouseplants/values.tandoor.yaml @@ -0,0 +1,55 @@ +istio: + enabled: true + istio: + - name: tandoor-http + gateway: istio-system/badhouseplants-net + kind: http + hostname: tandoor.badhouseplants.net + service: tandoor + port: 8080 + +ext-database: + enabled: true + name: tandoor-postgres16 + instance: postgres16 + credentials: + POSTGRES_HOST: |- + "{{ .Hostname }}" + POSTGRES_PORT: |- + "{{ .Port }}" + +envFrom: + - secretRef: + name: tandoor-postgres16-creds +env: + TZ: UTC + DB_ENGINE: django.db.backends.postgresql + EMAIL_HOST: badhouseplants.net + EMAIL_PORT: 587 + EMAIL_HOST_USER: overlord@badhouseplants.net + EMAIL_HOST_PASSWORD: nxVa8Xcf4jNvzNeE$JzBL&H8g + EMAIL_USE_TLS: 1 + EMAIL_USE_SSL: 0 + DEFAULT_FROM_EMAIL: tandoor@badhouseplants.net +persistence: + config: + enabled: true + retain: true + storageClass: longhorn + accessMode: ReadWriteOnce + size: 1Gi + media: + enabled: true + mountPath: /opt/recipes/mediafiles + retain: true + storageClass: longhorn + accessMode: ReadWriteOnce + size: 1Gi + static: + enabled: true + type: emptyDir + mountPath: /opt/recipes/staticfiles + django-js-reverse: + enabled: true + type: emptyDir + mountPath: /opt/recipes/cookbook/static/django_js_reverse diff --git a/values/badhouseplants/values.traefik.yaml b/values/badhouseplants/values.traefik.yaml new file mode 100644 index 0000000..55072e5 --- /dev/null +++ b/values/badhouseplants/values.traefik.yaml @@ -0,0 +1,87 @@ +globalArguments: + - "--serversTransport.insecureSkipVerify=true" + #service: + # spec: + # externalTrafficPolicy: Local +ports: + web: + redirectTo: + port: websecure + ssh: + port: 22 + expose: + default: true + exposedPort: 22 + protocol: TCP + openvpn: + port: 1194 + expose: + default: true + exposedPort: 1194 + protocol: TCP + valve-server: + port: 27015 + expose: + default: true + exposedPort: 27015 + protocol: UDP + valve-rcon: + port: 27015 + expose: + default: true + exposedPort: 27015 + protocol: TCP + smtp: + port: 25 + protocol: TCP + exposedPort: 25 + expose: + default: true + smtps: + port: 465 + protocol: TCP + exposedPort: 465 + expose: + default: true + smtp-startls: + port: 587 + protocol: TCP + exposedPort: 587 + expose: + default: true + imap: + port: 143 + protocol: TCP + exposedPort: 143 + expose: + default: true + imaps: + port: 993 + protocol: TCP + exposedPort: 993 + expose: + default: true + pop3: + port: 110 + protocol: TCP + exposedPort: 110 + expose: + default: true + pop3s: + port: 995 + protocol: TCP + exposedPort: 995 + expose: + default: true + minecraft: + port: 25565 + protocol: TCP + exposedPort: 25565 + expose: + default: true + shadowsocks: + port: 8388 + protocol: TCP + exposedPort: 8388 + expose: + default: true diff --git a/values/badhouseplants/values.vaultwarden.yaml b/values/badhouseplants/values.vaultwarden.yaml new file mode 100644 index 0000000..d3100a9 --- /dev/null +++ b/values/badhouseplants/values.vaultwarden.yaml @@ -0,0 +1,81 @@ +--- +# ------------------------------------------ +# -- Istio extenstion. Just because I'm +# -- not using ingress nginx +# ------------------------------------------ +istio: + enabled: true + istio: + - name: vaultwarden-http + kind: http + gateway: istio-system/badhouseplants-net + hostname: vault.badhouseplants.net + service: vaultwarden + port: 8080 +# ------------------------------------------ +# -- Database extension is used to manage +# -- database with db-operator +# ------------------------------------------ +ext-database: + enabled: true + name: vaultwarden-postgres16 + instance: postgres16 +service: + port: 8080 +vaultwarden: + smtp: + host: badhouseplants.net + security: "starttls" + port: 587 + from: vaultwarden@badhouseplants.net + fromName: Vault Warden + authMechanism: "Plain" + acceptInvalidHostnames: "false" + acceptInvalidCerts: "false" + debug: false + domain: https://vault.badhouseplants.net + websocket: + enabled: true + address: "0.0.0.0" + port: 3012 + rocket: + port: "8080" + workers: "10" + webVaultEnabled: "true" + signupsAllowed: false + invitationsAllowed: true + signupDomains: "https://vault.badhouseplants.com" + signupsVerify: "true" + showPassHint: "false" + database: + existingSecret: vaultwarden-postgres16-creds + existingSecretKey: CONNECTION_STRING + connectionRetries: 15 + maxConnections: 10 + storage: + enabled: true + size: 1Gi + class: longhorn + dataDir: /data + logging: + enabled: false + logfile: "/data/vaultwarden.log" + loglevel: "warn" +ingress: + enabled: true + annotations: + traefik.ingress.kubernetes.io/router.entrypoints: web,websecure + kubernetes.io/ingress.class: traefik + kubernetes.io/tls-acme: "true" + kubernetes.io/ingress.allow-http: "false" + kubernetes.io/ingress.global-static-ip-name: "" + cert-manager.io/cluster-issuer: badhouseplants-issuer-http01 + hosts: + - host: vault.badhouseplants.net + paths: + - path: / + pathType: Prefix + tls: + - secretName: vault.badhouseplants.net + hosts: + - vault.badhouseplants.net diff --git a/values/badhouseplants/values.vaultwardentest.yaml b/values/badhouseplants/values.vaultwardentest.yaml new file mode 100644 index 0000000..cfa139b --- /dev/null +++ b/values/badhouseplants/values.vaultwardentest.yaml @@ -0,0 +1,59 @@ +service: + port: 8080 +vaultwarden: + smtp: + host: mail.badhouseplants.net + security: "starttls" + port: 587 + from: vaulttest@badhouseplants.net + fromName: Vault Warden + authMechanism: "Plain" + acceptInvalidHostnames: "false" + acceptInvalidCerts: "false" + debug: false + domain: https://vaulttest.badhouseplants.net + websocket: + enabled: true + address: "0.0.0.0" + port: 3012 + rocket: + port: "8080" + workers: "10" + webVaultEnabled: "true" + signupsAllowed: true + invitationsAllowed: true + signupDomains: "test.test" + signupsVerify: false + showPassHint: true + # database: + # existingSecret: vaultwarden-postgres16-creds + # existingSecretKey: CONNECTION_STRING + # connectionRetries: 15 + # maxConnections: 10 + storage: + enabled: true + size: 512Mi + class: longhorn + dataDir: /data + logging: + enabled: false + logfile: "/data/vaultwarden.log" + loglevel: "warn" +ingress: + enabled: true + annotations: + kubernetes.io/ingress.class: traefik + traefik.ingress.kubernetes.io/router.entrypoints: web,websecure + kubernetes.io/tls-acme: "true" + kubernetes.io/ingress.allow-http: "false" + kubernetes.io/ingress.global-static-ip-name: "" + cert-manager.io/cluster-issuer: badhouseplants-issuer-http01 + hosts: + - host: vaulttest.badhouseplants.net + paths: + - path: / + pathType: Prefix + tls: + - secretName: vaulttest.badhouseplants.net + hosts: + - vaulttest.badhouseplants.net diff --git a/values/badhouseplants/values.woodpecker-ci.yaml b/values/badhouseplants/values.woodpecker-ci.yaml new file mode 100644 index 0000000..03a27a2 --- /dev/null +++ b/values/badhouseplants/values.woodpecker-ci.yaml @@ -0,0 +1,53 @@ +# ------------------------------------------ +# -- Istio extenstion. Just because I'm +# -- not using ingress nginx +# ------------------------------------------ +ext-database: + enabled: true + name: woodpecker-postgres16 + instance: postgres16 + credentials: + WOODPECKER_DATABASE_DATASOURCE: "postgres://{{ .Username }}:{{ .Password }}@{{ .Hostname }}:{{ .Port }}/{{ .Database }}?sslmode=disable" +server: + ingress: + enabled: true + annotations: + kubernetes.io/ingress.class: traefik + kubernetes.io/tls-acme: "true" + kubernetes.io/ingress.allow-http: "false" + kubernetes.io/ingress.global-static-ip-name: "" + cert-manager.io/cluster-issuer: badhouseplants-issuer-http01 + traefik.ingress.kubernetes.io/router.entrypoints: web,websecure + hosts: + - host: ci.badhouseplants.net + paths: + - path: / + tls: + - secretName: woodpecker-tls-secret + hosts: + - ci.badhouseplants.net + enabled: true + env: + WOODPECKER_GITEA: true + WOODPECKER_GITEA_URL: https://git.badhouseplants.net + WOODPECKER_DATABASE_DRIVER: postgres + WOODPECKER_GITEA_CLIENT: ab5e4687-a476-4668-9fbc-288d54095634 + WOODPECKER_OPEN: true + WOODPECKER_ADMIN: "woodpecker,allanger" + WOODPECKER_HOST: "https://ci.badhouseplants.net" + WOODPECKER_ESCALATE: true + WOODPECKER_BACKEND_K8S_NAMESPACE: platform + extraSecretNamesForEnvFrom: + - woodpecker-postgres16-creds +agent: + enabled: true + extraSecretNamesForEnvFrom: [] + env: + WOODPECKER_SERVER: woodpecker-ci-server:9000 + WOODPECKER_BACKEND_K8S_VOLUME_SIZE: 3Gi + WOODPECKER_BACKEND_K8S_NAMESPACE: platform + WOODPECKER_BACKEND_K8S_STORAGE_CLASS: longhorn + serviceAccount: + create: true + rbac: + create: true diff --git a/values/badhouseplants/values.zot.yaml b/values/badhouseplants/values.zot.yaml new file mode 100644 index 0000000..7638656 --- /dev/null +++ b/values/badhouseplants/values.zot.yaml @@ -0,0 +1,48 @@ +ingress: + enabled: true + className: ~ + annotations: + traefik.ingress.kubernetes.io/router.entrypoints: web,websecure + kubernetes.io/ingress.class: traefik + kubernetes.io/tls-acme: "true" + kubernetes.io/ingress.allow-http: "false" + kubernetes.io/ingress.global-static-ip-name: "" + cert-manager.io/cluster-issuer: badhouseplants-issuer-http01 + pathtype: ImplementationSpecific + hosts: + - host: registry.badhouseplants.net + paths: + - path: / + tls: + - secretName: registry.badhouseplants.net + hosts: + - registry.badhouseplants.net +service: + type: ClusterIP +persistence: true +pvc: + create: true + accessMode: "ReadWriteOnce" + storage: 5Gi + storageClassName: longhorn +mountConfig: true +mountSecret: true +strategy: + type: Recreate + #configFiles: + # ui.json: |- + # { + # "log": { + # "level": "info" + # }, + # "extensions": { + # "search": { + # "cve": { + # "updateInterval": "2h" + # } + # }, + # "ui": { + # "enable": true + # } + # } + # } diff --git a/values/common/values.certificate.yaml b/values/common/values.certificate.yaml new file mode 100644 index 0000000..21d1933 --- /dev/null +++ b/values/common/values.certificate.yaml @@ -0,0 +1,20 @@ +--- +certificate: + templates: + - | + {{ range .Values.certificate }} + --- + apiVersion: cert-manager.io/v1 + kind: Certificate + metadata: + name: {{ .name }} + spec: + dnsNames: + {{- range .dnsNames }} + - {{ . | quote }} + {{- end }} + issuerRef: + kind: {{ .issuer.kind }} + name: {{ .issuer.name }} + secretName: {{ .secretName }} + {{ end }} diff --git a/values/common/values.database.yaml b/values/common/values.database.yaml new file mode 100644 index 0000000..d4831e9 --- /dev/null +++ b/values/common/values.database.yaml @@ -0,0 +1,50 @@ +--- +ext-database: + templates: + - | + --- + apiVersion: kinda.rocks/v1beta1 + kind: Database + metadata: + name: "{{ .Values.name }}" + spec: + secretName: "{{ .Values.name }}-creds" + instance: "{{ .Values.instance }}" + deletionProtected: true + backup: + enable: false + cron: 0 0 * * * + {{- if .Values.credentials }} + credentials: + templates: + {{- range $key, $value := .Values.credentials }} + - name: {{ $key }} + template: {{ $value | quote }} + secret: true + {{- end }} + {{- end }} + + - | + {{- if (.Values.extraDatabase).enabled }} + --- + apiVersion: kinda.rocks/v1beta1 + kind: Database + metadata: + name: "{{ .Values.extraDatabase.name }}" + spec: + secretName: "{{ .Values.extraDatabase.name }}-creds" + instance: "{{ .Values.extraDatabase.instance }}" + deletionProtected: true + backup: + enable: false + cron: 0 0 * * * + {{- if .Values.extraDatabase.credentials }} + credentials: + templates: + {{- range $key, $value := .Values.extraDatabase.credentials }} + - name: {{ $key }} + template: {{ $value }} + secret: true + {{- end }} + {{- end }} + {{- end }} diff --git a/values/common/values.istio-gateway.yaml b/values/common/values.istio-gateway.yaml new file mode 100644 index 0000000..d54bfa7 --- /dev/null +++ b/values/common/values.istio-gateway.yaml @@ -0,0 +1,16 @@ +--- +istio-gateway: + templates: + - | + {{ range .Values.gateways }} + --- + apiVersion: networking.istio.io/v1beta1 + kind: Gateway + metadata: + name: {{ .name }} + spec: + selector: + istio: ingressgateway + servers: + {{ toYaml .servers | indent 4 }} + {{ end }} diff --git a/values/common/values.istio.yaml b/values/common/values.istio.yaml new file mode 100644 index 0000000..1c834bc --- /dev/null +++ b/values/common/values.istio.yaml @@ -0,0 +1,36 @@ +--- +istio: + templates: + - | + {{ range .Values.istio }} + --- + apiVersion: networking.istio.io/v1beta1 + kind: VirtualService + metadata: + name: {{ .name }} + spec: + gateways: + - "{{ .gateway }}" + hosts: + - {{ .hostname | quote }} + {{- if eq .kind "http" }} + http: + - match: + - uri: + prefix: / + route: + - destination: + host: {{ .service }} + port: + number: {{ .port }} + {{- else if eq .kind "tcp" }} + tcp: + - match: + - port: {{ .port_match }} + route: + - destination: + host: {{ .service }} + port: + number: {{ .port }} + {{ end }} + {{ end }} diff --git a/values/common/values.metallb.yaml b/values/common/values.metallb.yaml new file mode 100644 index 0000000..c35b944 --- /dev/null +++ b/values/common/values.metallb.yaml @@ -0,0 +1,14 @@ +--- +metallb: + templates: + - | + {{ range .Values.ippools }} + --- + apiVersion: metallb.io/v1beta1 + kind: IPAddressPool + metadata: + name: {{ .name }} + spec: + addresses: + - {{ .addresses }} + {{ end }} diff --git a/values/common/values.metrics-server.yaml b/values/common/values.metrics-server.yaml new file mode 100644 index 0000000..ad6879b --- /dev/null +++ b/values/common/values.metrics-server.yaml @@ -0,0 +1,4 @@ +apiService: + insecureSkipTLSVerify: true +args: + - --kubelet-insecure-tls diff --git a/values/common/values.ns.yaml b/values/common/values.ns.yaml new file mode 100644 index 0000000..02caabf --- /dev/null +++ b/values/common/values.ns.yaml @@ -0,0 +1,8 @@ +ns: + templates: + - | + apiVersion: v1 + kind: Namespace + metadata: + name: {{ .Values.name }} + diff --git a/values/common/values.secret.yaml b/values/common/values.secret.yaml new file mode 100644 index 0000000..3a51e5a --- /dev/null +++ b/values/common/values.secret.yaml @@ -0,0 +1,12 @@ +--- +ext-secret: + templates: + - | + --- + apiVersion: v1 + kind: Secret + metadata: + name: "{{ .Values.name }}" + type: Opaque + stringData: + {{ toYaml .Values.data | nindent 4 }} diff --git a/values/common/values.service-monitor.yaml b/values/common/values.service-monitor.yaml new file mode 100644 index 0000000..f44401a --- /dev/null +++ b/values/common/values.service-monitor.yaml @@ -0,0 +1,16 @@ +--- +service-monitor: + templates: + - | + {{ range .Values.service-monitor.resources }} + apiVersion: monitoring.coreos.com/v1 + kind: ServiceMonitor + metadata: + name: {{ .name }} + spec: + selector: + matchLabels: + app: {{ .label.app }} + endpoints: + - port: {{ .endpoints.port }} + {{ end }} diff --git a/values/common/values.tcp-route.yaml b/values/common/values.tcp-route.yaml new file mode 100644 index 0000000..5331ede --- /dev/null +++ b/values/common/values.tcp-route.yaml @@ -0,0 +1,20 @@ +--- +traefik: + templates: + - | + {{ range .Values.tcpRoutes }} + --- + apiVersion: traefik.io/v1alpha1 + kind: IngressRouteTCP + metadata: + name: {{ .name }} + spec: + entryPoints: + - {{ .entrypoint }} + routes: + - match: {{ .match }} + services: + - name: {{ .service }} + nativeLB: true + port: {{ .port }} + {{- end }} diff --git a/values/common/values.tcproute.yaml b/values/common/values.tcproute.yaml new file mode 100644 index 0000000..05e0d89 --- /dev/null +++ b/values/common/values.tcproute.yaml @@ -0,0 +1,13 @@ +--- +tcproute: + templates: + - | + --- + {{ range .Values.routes }} + apiVersion: traefik.io/v1alpha1 + kind: IngressRouteTCP + metadata: + name: {{ printf "%s-%s" .Release.Name .name }} + spec: + {{ tpl (.routes | toYaml | indent 2 | toString) $ }} + {{ end }}