diff --git a/installations/applications/helmfile.yaml b/installations/applications/helmfile.yaml
index 52b95e9..9bfac1b 100644
--- a/installations/applications/helmfile.yaml
+++ b/installations/applications/helmfile.yaml
@@ -44,10 +44,10 @@ releases:
 - template: default-env-secrets
 - template: ext-database
 
- - name: gitea
+ - name: gitea-archived
 chart: gitea/gitea
 version: 10.4.0
- namespace: applications
+ namespace: archive
 inherit:
 - template: default-env-values
 - template: default-env-secrets
diff --git a/installations/platform/helmfile.yaml b/installations/platform/helmfile.yaml
index 90f4d0e..95380e0 100644
--- a/installations/platform/helmfile.yaml
+++ b/installations/platform/helmfile.yaml
@@ -12,6 +12,8 @@ repositories:
 url: https://zotregistry.dev/helm-charts/
 - name: bedag
 url: https://bedag.github.io/helm-charts/
+ - name: percona
+ url: https://percona.github.io/percona-helm-charts/
 
 releases:
 - name: argocd
@@ -45,3 +47,10 @@ releases:
 inherit:
 - template: default-env-values
 - template: default-env-secrets
+
+ - name: pg-operator
+ chart: percona/pg-operator
+ installed: false
+ version: 2.4.0
+ createNamespace: false
+ namespace: platform
diff --git a/installations/storage/helmfile.yaml b/installations/storage/helmfile.yaml
index 834c0a7..0b3b16d 100644
--- a/installations/storage/helmfile.yaml
+++ b/installations/storage/helmfile.yaml
@@ -22,6 +22,8 @@ releases:
 installed: true
 namespace: rook-ceph
 version: v1.14.8
+ needs:
+ - rook-ceph/rook-ceph
 inherit:
 - template: default-env-values
diff --git a/values/badhouseplants/secrets.gitea-archived.yaml b/values/badhouseplants/secrets.gitea-archived.yaml
new file mode 100644
index 0000000..035c88c
--- /dev/null
+++ b/values/badhouseplants/secrets.gitea-archived.yaml
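Review bot: Renaming the release to `gitea-archived` and moving it to `archive` does not remove the existing `gitea` release from the `applications` namespace; helmfile tracks releases by name, so the old Deployment, its PVC and its Secrets keep running unattended until you `helmfile destroy` it, or keep the old entry for one more sync as `- name: gitea` / `namespace: applications` / `installed: false` so helmfile uninstalls it. If the old instance stays up it will also keep serving the same hostname and SSH entrypoint that the archived values in this commit re-declare, so the two releases would compete for the same Ingress and TCP route. A one-line comment on the renamed entry saying what "archived" means here (read-only copy, pending deletion) would save the next reader a guess.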
@@ -0,0 +1,48 @@
+gitea:
+ admin:
+ username: ENC[AES256_GCM,data:jWOKYLR8wEY=,iv:obfaa7iVArqZsfXI9glfNVhnEzNPnoPvA9WZrqzURd8=,tag:ZQykUfckAD6CcRsAxYLfww==,type:str]
+ password: ENC[AES256_GCM,data:ckwTYUA05SSl+3KD9G/XtQW+nnM=,iv:reeJTq7vWcfjggl9X+/t0yYzaz7xuiZLZM0xW7zlfcI=,tag:x0Dtf3ea53+1c0jhn2C5zw==,type:str]
+ config:
+ mailer:
+ PASSWD: ENC[AES256_GCM,data:ZXMbptf1Tn8QVf9H6gLuLIpI+gs=,iv:QsHjgoEWy4mEf/NNBnuPFpXBFHoACn8pfQmbF1wI2ZM=,tag:/T6PGia+mkzmcUkWANO25w==,type:str]
+ database:
+ PASSWD: ENC[AES256_GCM,data:mfMbZf7Kbn+5gwLi2JGMt6otMlQ=,iv:r2H7aSJKraBoDydV6N29hsRiH6bLUM0aJHPmo3dbSP4=,tag:WwBHKRYdJIv6IGQehO2yEg==,type:str]
+ session:
+ PROVIDER_CONFIG: ENC[AES256_GCM,data:YexjXlIj5mtwhv5HD2rmpzo3hqIXpZkyPk0njFYe3tceDV2uclpLCmIrZOumwo4TdWtIZ5Axs336vXtFvi4LFSyyrzSnqSPNxC1aNHwmj4keMY1qvPG0qRCoS7Q7JcCak41gRopbx+RLn7BENZ6s0e19u5PXLDSB,iv:pkY0LBpXhnSr40YoZpklytGWmKe7CdsgPpQySXfON5g=,tag:96UXoPksLxE+mJzyjzjqEA==,type:str]
+ cache:
+ HOST: ENC[AES256_GCM,data:C4GD2Nbb9Yi7TTKvipoPW3wM7e9BvQziBqweB/AUTq78pk20c2QoirNDETqcGaA002Phr8SwttdljnjVhCMr/w+Np/XkNy2rSB00A6R8t5/gDDoxUE92R2RLFIRB3Ao4UwKdL2X/YvzX1xDq/WC/i7VmvPTnLbas,iv:NMTgSxxvrut/Pxi5lZa6mbP/eOMt6rk2leFJESl5SJQ=,tag:bKJ1P6KXdjHC3bFmreD7OA==,type:str]
+ queue:
+ CONN_STR: ENC[AES256_GCM,data:28O5cVRnezFBWnyILjGxLf39SrS7nYNuI0km29qz5Q2qPGwojiLziyTsBb9AUlLZc5nLcGEUIJ5vnXONtw96aOobDwwyLmPE8X/QnpRvjRN4DmAF7LO98AuyTrTXEOSNMp3Dee88F9T9wdwr5ekh1Fb/gBSJpkkt,iv:PP0ZPxBulXce/bIUTuuQgiaOBWNcjMe2V/BgFGJm77Q=,tag:BDteA6nftpa6q6djyhivGg==,type:str]
+ oauth:
+ - name: ENC[AES256_GCM,data:DWCdEzwP,iv:fJrSGxRPSljBLSnRRRCjsa3QCa730NGRyKJCVJe8YNE=,tag:vQFTYVUQXPcB3Mx9/qGfVw==,type:str]
+ provider: ENC[AES256_GCM,data:mSnq2rOw,iv:XC1JS1oqZxbBZoraWemzXWGSnpvn9NTx8OA57HV1B8w=,tag:kPxdj8h8Qk9oGayi3Di7yQ==,type:str]
+ key: ENC[AES256_GCM,data:ft+Zqnu7oXHxMnMcRFpT934TGL0=,iv:qFj+BT37ZKIH69ikEf1YMwE1LC+dyAW7tBXhY5X6mYY=,tag:+p+3+GX5zakkXyi41H7Iog==,type:str]
+ secret: ENC[AES256_GCM,data:CSGrxpxfGoKs4wHKl25s37Nenw/0nuagCa6Ed++nE9lnQlZ8G193CQ==,iv:oTOGJmZi/26OvKG5gkrUoFVaJ8erkHfVi44FTy9kb1M=,tag:upHqogYqdVZlUyJT3BG0/g==,type:str]
+ - name: ENC[AES256_GCM,data:iZ2gRgmkZGcG,iv:N16HI6nVh8euitBKEq4yr3kr2cpLRb12XWKupXGR98A=,tag:L+rWF5wbrwWHhSus1JGP2Q==,type:str]
+ provider: ENC[AES256_GCM,data:2HlYsjvxnOx1sHuKlw==,iv:aXOjLsl1ZF3NCPpqyGrSM25lX3OLKoRpGzrRW47lGVg=,tag:LzGsYa36wqgch/nw+en6oA==,type:str]
+ skip_local_2fa: ENC[AES256_GCM,data:QYsYyg==,iv:tZt+yIvuDbFa9BWsoeUvcOpIonlufb9FO7YU59mGkVs=,tag:+2rr0Q7c9XfwjFR7C+ikuA==,type:str]
+ key: ENC[AES256_GCM,data:4/jJ0cc=,iv:iu8l1dGDIou4ytXhub7YKlIGs8WDEAAjKVbwd81m0Uc=,tag:D2BiWDfubzbK0cJl1Bk/0Q==,type:str]
+ secret: ENC[AES256_GCM,data:iRRUJl5r7wJQY4SWaSMF2ut2+I37CGPhXOpCkMENNRm6dvFp7YNyiHVQT61PsWnoyWz9lFJMkjCnY98JDjvjWuYCW8O30IEklq/N4KYSgD5TLEWu1OCcPC8A7yMZJSI8rxTLKcevuGJD7ZT8hWl3nZDTkUwTEJy0qREqyhc8caQ=,iv:KOLmK6UddEq9hv938m409ldxVpR8pQLiJwk7Sr0W4mA=,tag:ZDBZwa6ZAQw4qGU9C+Z/xQ==,type:str]
+ autoDiscoverUrl: ENC[AES256_GCM,data:YxqoKonuM10Fawz8qJiOVILsoJDKuRotf4SHw/Vvw0srWvc26rpwzKoP+kj1u/UFv6pDmnBvrAgYVPGyJt/e4TgmsPDYfH6D0IVngaFLI5KDRll5aIUaAeQ=,iv:4U9CIgObfPwuqi/vxky4pNkL9R4BbStJ3YQ3MBH8LYo=,tag:Ouwcj0tjKu7eykoT3Rnkwg==,type:str]
+ iconUrl: ENC[AES256_GCM,data:OmHXFvlKnclwjbTc9AXbcMZOb7qW7om7Tgf7b3uHLgOmakuyTq7QhXM3oFQN+T/+J+Cna8MP27coLBDW8TL7RefT1TapSA==,iv:py3p4kh90W6BgAHmI2MIBu92y90M8QhQDmic0pX3m5c=,tag:yqci0Lu7K16/JBlJGkoXng==,type:str]
+ scopes: ENC[AES256_GCM,data:IvNV7Q+7vPJn7EJZ7Q==,iv:S/aUhW0ASL4yAwe9IaeYdjokHrE+4MViEAGa+5wQlyY=,tag:OxkVQCSfjCQePnJqt+EcNg==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1vzkv97n2p7gfkw8dyx8ctz2kumattz89th2jq47zyjyrarmnssysdkw9v8
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDeU9sbjV2b0JjcVZsbFUv
+ OWpSYVhBSlBrR2FOVWlDZnhTRk84YmlpK3hRClBZeTQvclE1VkhkMkltbjMrN3Vk
+ cko2M2VsNkpNSjhPZExUUTB4enV6WTQKLS0tIHdOV0FidU5wN0ltNTVlNVF6MVJB
+ ajlnQzNTK3NzcnJZN0FGVmx1VjhQVk0K2m9pzSB9gqIkOLBr/WwnrZfcj5633tFJ
+ PI+H+aXZwJtKuN4YOw0rlp5Jp4iQ9aD/9TLqYT6xQJbU1nibqCca1w==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2024-07-21T12:10:40Z"
+ mac: ENC[AES256_GCM,data:JlINn9gcMkhLNbCuOmfrnhB5f2K94KO+8qSOeKf5KjeJFv5AmGP/ssCPVRxko8Mi68l7JueggjTLJUgRRuLr2JdH9lI3URK8Oh63d5iYbn/y0LIPJC//mw/WWrNO15H5tR4dt1vPOzi0KwozvpLt0R8SYYwU+IIF3Ej/kG2KMyk=,iv:ZKsYYVkeCjvPptzH00V2SFKFQ0St/TOnxSAbqWpWWZI=,tag:NSG4lsk+Adglo3R/e8ZceA==,type:str]
+ pgp: []
+ unencrypted_suffix: _unencrypted
+ version: 3.9.0
diff --git a/values/badhouseplants/values.argocd.yaml b/values/badhouseplants/values.argocd.yaml
index 71cf854..327f027 100644
--- a/values/badhouseplants/values.argocd.yaml
+++ b/values/badhouseplants/values.argocd.yaml
@@ -63,6 +63,18 @@ server:
 servicePort:
 servicePortHttp: 80
 servicePortHttps: 80
+ ingressGrpc:
+ enabled: true
+ annotations:
+ kubernetes.io/tls-acme: "true"
+ kubernetes.io/ingress.allow-http: "false"
+ kubernetes.io/ingress.global-static-ip-name: ""
+ cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
+ ingressClassName: traefik
+ hostname: "argogrpc.badhouseplants.net"
+ path: /
+ pathType: Prefix
+ tls: true
 
 repoServer:
 metrics:
diff --git a/values/badhouseplants/values.gitea-archived.yaml b/values/badhouseplants/values.gitea-archived.yaml
new file mode 100644
index 0000000..4977baa
--- /dev/null
+++ b/values/badhouseplants/values.gitea-archived.yaml
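Review bot: The key set in this file (admin login, mailer and database passwords, three Redis connection strings and two OAuth client credentials) mirrors a complete live Gitea configuration rather than what an archive needs, and the fresh `lastmodified` stamp suggests it was re-encrypted from an existing file; I cannot confirm from the ciphertext whether the values are the same as the production release's. If they are, the archived instance shares the admin password, OAuth client secrets and Redis/DB passwords with the live one, so a compromise of the less-watched archive hands over production credentials — rotate at least the admin password and the OAuth client secrets for the archive, or drop the `oauth` and `mailer` entries it no longer needs. The file is encrypted to a single `age` recipient with no second key or KMS backend, which is fine for a personal setup but means the archive secrets are unrecoverable if that one key is lost.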
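Review bot: `kubernetes.io/ingress.allow-http: "false"` and `kubernetes.io/ingress.global-static-ip-name: ""` are GCE ingress-controller annotations and are ignored by Traefik, so nothing in this hunk actually blocks plaintext for `argogrpc.badhouseplants.net`; that depends solely on the `web` entrypoint redirect in the Traefik values. Drop the two no-op lines and, if this host should only ever be reachable over TLS, pin it with `traefik.ingress.kubernetes.io/router.entrypoints: websecure`, the way the Gitea values in this commit pin `web,websecure`. Argo CD serves HTTPS and gRPC on one port; with `servicePortHttps: 80` above, the server is presumably running with `--insecure`, in which case Traefik has to be told the backend speaks h2c (`traefik.ingress.kubernetes.io/service.serversscheme: h2c`) or gRPC through this Ingress will not work — verify with `argocd login argogrpc.badhouseplants.net` without `--grpc-web`.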
@@ -0,0 +1,151 @@
+# ------------------------------------------
+# -- Database extension is used to manage
+# -- database with db-operator
+# ------------------------------------------
+ext-database:
+ enabled: true
+ name: gitea-postgres16
+ instance: postgres16-gitea
+
+traefik:
+ enabled: true
+ tcpRoutes:
+ - name: gitea-ssh
+ service: gitea-archived-ssh
+ match: HostSNI(`*`)
+ entrypoint: ssh
+ port: 22
+# ------------------------------------------
+# -- Kubernetes related values
+# ------------------------------------------
+ingress:
+ enabled: true
+ annotations:
+ kubernetes.io/ingress.class: traefik
+ kubernetes.io/tls-acme: "true"
+ kubernetes.io/ingress.allow-http: "false"
+ kubernetes.io/ingress.global-static-ip-name: ""
+ cert-manager.io/cluster-issuer: badhouseplants-issuer-http01
+ traefik.ingress.kubernetes.io/router.entrypoints: web,websecure
+ hosts:
+ - host: git.badhouseplants.net
+ paths:
+ - path: /
+ pathType: Prefix
+ tls:
+ - secretName: gitea-tls-secret
+ hosts:
+ - git.badhouseplants.net
+replicaCount: 1
+clusterDomain: cluster.local
+
+resources:
+ limits:
+ cpu: 512m
+ memory: 1024Mi
+ requests:
+ cpu: 512m
+ memory: 256Mi
+
+persistence:
+ enabled: true
+ size: 15Gi
+ accessModes:
+ - ReadWriteOnce
+
+# ------------------------------------------
+# -- Main Gitea settings
+# ------------------------------------------
+gitea:
+ metrics:
+ enabled: true
+ serviceMonitor:
+ # -- TODO(@allanger): Enable it once prometheus is configured
+ enabled: false
+ config:
+ database:
+ DB_TYPE: postgres
+ HOST: postgres16-gitea-postgresql.databases.svc.cluster.local
+ NAME: applications-gitea-postgres16
+ USER: applications-gitea-postgres16
+ APP_NAME: Bad Houseplants Gitea
+ ui:
+ meta:
+ AUTHOR: Bad Houseplants
+ DESCRIPTION: ...by allanger
+ repository:
+ DEFAULT_BRANCH: main
+ MAX_CREATION_LIMIT: 0
+ DISABLED_REPO_UNITS: repo.wiki
+ service:
+ DISABLE_REGISTRATION: false
+ server:
+ DOMAIN: git.badhouseplants.net
+ ROOT_URL: https://git.badhouseplants.net
+ LFS_START_SERVER: true
+ LANDING_PAGE: explore
+ START_SSH_SERVER: true
+ admin:
+ DISABLE_REGULAR_ORG_CREATION: true
+ packages:
+ ENABLED: true
+ cron:
+ enabled: true
+ attachment:
+ MAX_SIZE: 100
+ actions:
+ ENABLED: true
+ oauth2_client:
+ REGISTER_EMAIL_CONFIRM: false
+ ENABLE_AUTO_REGISTRATION: true
+ session:
+ PROVIDER: redis
+ cache:
+ ENABLED: true
+ ADAPTER: redis
+ queue:
+ TYPE: redis
+ mailer:
+ ENABLED: true
+ FROM: gitea@badhouseplants.net
+ PROTOCOL: smtp+startls
+ SMTP_ADDR: badhouseplants.net
+ SMTP_PORT: 587
+ USER: overlord@badhouseplants.net
+ indexer:
+ REPO_INDEXER_ENABLED: true
+ REPO_INDEXER_PATH: indexers/repos.bleve
+ MAX_FILE_SIZE: 1048576
+ REPO_INDEXER_EXCLUDE: resources/bin/**
+ picture:
+ ENABLE_FEDERATED_AVATAR: false
+service:
+ ssh:
+ type: ClusterIP
+ port: 22
+ clusterIP:
+# ------------------------------------------
+# -- Disabled dependencies
+# ------------------------------------------
+postgresql-ha:
+ enabled: false
+redis-cluster:
+ enabled: false
+
+ # extraDeploy:
+ # - |
+ # {{- if $.Capabilities.APIVersions.Has "traefik.io/v1alpha1/IngressRouteTCP" }}
+ # apiVersion: traefik.io/v1alpha1
+ # kind: IngressRouteTCP
+ # metadata:
+ # name: {{ include "gitea.fullname" . }}-ssh
+ # spec:
+ # entryPoints:
+ # - ssh
+ # routes:
+ # - match: HostSNI('*')
+ # services:
+ # - name: "{{ include "gitea.fullname" . }}-ssh"
+ # port: 22
+ # nativeLB: true
+ # {{- end }}
diff --git a/values/badhouseplants/values.gitea.yaml b/values/badhouseplants/values.gitea.yaml
index 3f2a0f0..3bd24d5 100644
--- a/values/badhouseplants/values.gitea.yaml
+++ b/values/badhouseplants/values.gitea.yaml
@@ -51,7 +51,7 @@ persistence:
 enabled: true
 size: 15Gi
 accessModes:
- - ReadWriteOnce
+ - ReadWriteMany
 
 # ------------------------------------------
 # -- Main Gitea settings
diff --git a/values/badhouseplants/values.mailu.yaml b/values/badhouseplants/values.mailu.yaml
index 9d4ea3f..eecaa03 100644
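Review bot: For an instance that is meant to be an archive (`MAX_CREATION_LIMIT: 0`, `DISABLE_REGULAR_ORG_CREATION: true`), `DISABLE_REGISTRATION: false` together with `oauth2_client.ENABLE_AUTO_REGISTRATION: true` and `REGISTER_EMAIL_CONFIRM: false` leaves account sign-up fully open, which is the usual spam and abuse surface on an unattended Gitea; I would set `DISABLE_REGISTRATION: true` and `ENABLE_AUTO_REGISTRATION: false`, and probably `actions.ENABLED: false` since an archive has no reason to run workflows. `PROTOCOL: smtp+startls` is not one of Gitea's documented mailer protocols (`smtp+starttls` is), so check the mailer log after deploy — if this was copied from the live values, the typo may have been breaking or downgrading mail delivery there as well. The ingress host and TLS secret (`git.badhouseplants.net`, `gitea-tls-secret`), the `gitea-ssh` route on the `ssh` entrypoint and the database name `applications-gitea-postgres16` all look copied from the live release; unless that release is gone, the two instances will contend for the same hostname and SSH port and, through the `ext-database` extension, possibly the same database.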
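Review bot: `accessModes` is immutable on an existing PersistentVolumeClaim, so if this release's PVC already exists the switch to `ReadWriteMany` will not apply (the upgrade either fails to patch the claim or leaves it untouched, depending on how the chart renders it) and only takes effect after the claim is deleted and its data migrated. ReadWriteMany also needs a storage class that supports it — with rook-ceph that is a CephFS class, not an RBD block class — and no `storageClass` is set in this hunk, so the cluster default decides whether the new claim can bind at all. A short comment on the reason for the change, e.g. `# RWX: allows rescheduling/scale-out without detaching the volume; requires a CephFS class`, would help the next reader.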
--- a/values/badhouseplants/values.mailu.yaml
+++ b/values/badhouseplants/values.mailu.yaml
@@ -91,6 +91,10 @@ front:
 value: "mail"
 - name: REAL_IP_FROM
 value: "192.168.0.0/16,10.43.0.0/16"
+ - name: AUTH_RATELIMIT_IP
+ value: 100/hour
+ - name: AUTH_RATELIMIT_USER
+ value: 50/day
 admin:
 resources:
 requests:
diff --git a/values/badhouseplants/values.traefik.yaml b/values/badhouseplants/values.traefik.yaml
index b879edf..ab08613 100644
--- a/values/badhouseplants/values.traefik.yaml
+++ b/values/badhouseplants/values.traefik.yaml
@@ -1,8 +1,5 @@
 globalArguments:
 - "--serversTransport.insecureSkipVerify=true"
-service:
- spec:
- externalTrafficPolicy: Local
 ports:
 web:
 redirectTo:
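Review bot: `AUTH_RATELIMIT_IP: 100/hour` only behaves as intended if the `front` pod sees the real client address; this same commit drops `externalTrafficPolicy: Local` from the Traefik Service, after which inbound connections are SNATed to a node address unless the client IP is recovered another way (PROXY protocol, or forwarded headers from a source inside `REAL_IP_FROM`). If it is not recovered, every client shares one bucket: 100 failed logins per hour from anyone locks out everyone arriving through the same node, while an attacker pays nothing extra per source. The value is also roughly 20x Mailu's documented default of 5/hour, if I remember the docs correctly, whereas the per-user `50/day` limit is the default and the one that actually slows a targeted brute force; keep the IP limit close to the default, or document the reason for raising it, e.g. `# raised from the Mailu default (5/hour) because <reason>`.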
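Review bot: Removing `externalTrafficPolicy: Local` changes what every backend behind Traefik sees as the client IP: with the default `Cluster` policy kube-proxy SNATs inbound traffic to the node address, so access logs, IP allowlists and the Mailu auth rate limit added in this same commit lose the real source unless the edge in front of the cluster speaks PROXY protocol and Traefik's entrypoints are configured to trust it. If the motivation was the `Local` policy's uneven load spread or health-check flapping, record it here, e.g. `# externalTrafficPolicy left at Cluster on purpose: <reason>; client IPs arrive via PROXY protocol on <entrypoint>`. Not part of this change but visible in the same hunk: `--serversTransport.insecureSkipVerify=true` disables certificate verification for every TLS backend globally; a per-service `ServersTransport` for the one backend that needs it would be considerably tighter.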