diff --git a/.envrc b/.envrc new file mode 100644 index 0000000..25c5f83 --- /dev/null +++ b/.envrc @@ -0,0 +1,2 @@ +export KUBECONFIG="$PWD/kubeconfig" +export KUBE_CONFIG_PATH=$KUBECONFIG \ No newline at end of file diff --git a/.github/dependabot.yml b/.github/dependabot.yml deleted file mode 100644 index c71c918..0000000 --- a/.github/dependabot.yml +++ /dev/null @@ -1,23 +0,0 @@ -version: 2 -updates: - # Maintain dependencies for Cargo - - package-ecosystem: cargo - directory: "/" - schedule: - interval: weekly - open-pull-requests-limit: 10 - groups: - all-dependencies: - patterns: - - "*" - - # Maintain dependencies for GitHub Actions - - package-ecosystem: github-actions - directory: "/" - schedule: - interval: weekly - open-pull-requests-limit: 10 - groups: - all-dependencies: - patterns: - - "*" diff --git a/.github/workflows/auto-merge-helm-chart-bump.yml b/.github/workflows/auto-merge-helm-chart-bump.yml deleted file mode 100644 index dcae89d..0000000 --- a/.github/workflows/auto-merge-helm-chart-bump.yml +++ /dev/null @@ -1,19 +0,0 @@ -name: Auto Merge PR with Helm Chart Version Bump - -on: - pull_request: - types: - - labeled - -jobs: - merge: - if: ${{ github.event.label.name == 'bump-chart' && github.event.pull_request.user.login == 'Profiidev' }} - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@v6 - - name: Enable auto-merge for PR - run: gh pr merge ${{ github.event.pull_request.number }} --auto --squash - env: - GITHUB_TOKEN: ${{ secrets.PERSONAL_TOKEN }} - GITHUB_REPOSITORY: ${{ github.repository }} diff --git a/.github/workflows/auto-merge.yml b/.github/workflows/auto-merge.yml deleted file mode 100644 index c8b5b5e..0000000 --- a/.github/workflows/auto-merge.yml +++ /dev/null 
@@ -1,21 +0,0 @@ -name: Dependabot Auto Merge - -on: - pull_request_target: - -permissions: - contents: read - pull-requests: write - -jobs: - dependabot: - runs-on: ubuntu-latest - if: ${{ github.actor == 'dependabot[bot]' }} - steps: - - name: Checkout code - uses: actions/checkout@v6 - - name: Enable auto-merge for PR - run: gh pr merge ${{ github.event.pull_request.number }} --auto --squash - env: - GITHUB_TOKEN: ${{ secrets.PERSONAL_TOKEN }} - GITHUB_REPOSITORY: ${{ github.repository }} diff --git a/.github/workflows/auto-unseal-cd.yml b/.github/workflows/auto-unseal-cd.yml deleted file mode 100644 index 928b2a3..0000000 --- a/.github/workflows/auto-unseal-cd.yml +++ /dev/null 
@@ -1,82 +0,0 @@ -name: VaultAutoUnseal Continuous Deployment - -on: - push: - branches: - - main - tags: - - "vault-auto-unseal-*" - pull_request: - -env: - REGISTRY: ghcr.io - IMAGE_NAME: ${{ github.repository }}/vault_auto_unseal - -jobs: - build: - name: Build VaultAutoUnseal - runs-on: ubuntu-latest - - permissions: - contents: read - packages: write - attestations: write - id-token: write - security-events: write - - steps: - - name: Checkout repository - uses: actions/checkout@v6 - with: - fetch-depth: 0 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Login to DockerHub - uses: docker/login-action@v3 - with: - registry: ${{ env.REGISTRY }} - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Extract metadata (tags, labels) for Docker - id: meta - uses: docker/metadata-action@v5 - with: - images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - - - name: Build and push - id: push - uses: docker/build-push-action@v6 - with: - context: ./ - file: apps/vault-auto-unseal/Dockerfile - push: ${{ github.event_name != 'pull_request' }} - load: ${{ github.event_name == 'pull_request' }} - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} - cache-from: type=gha - cache-to: type=gha,mode=max - - - name: Generate artifact attestation - uses: actions/attest-build-provenance@v3 - if: github.event_name != 'pull_request' - with: - subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}} - subject-digest: ${{ steps.push.outputs.digest }} - push-to-registry: true - - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@0.33.1 - if: github.event_name == 'pull_request' - with: - image-ref: ${{ fromJSON(steps.meta.outputs.json).tags[0] }} - format: "sarif" - output: "trivy-results.sarif" - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v4 - if: ${{ !cancelled() && github.event_name == 'pull_request' }} - with: - 
sarif_file: "trivy-results.sarif" diff --git a/.github/workflows/helm-chart-bump.yml b/.github/workflows/helm-chart-bump.yml deleted file mode 100644 index 09c1153..0000000 --- a/.github/workflows/helm-chart-bump.yml +++ /dev/null @@ -1,34 +0,0 @@ -name: Bump Helm Chart Version - -on: - repository_dispatch: - types: [bump-chart] - -jobs: - bump-chart: - runs-on: ubuntu-latest - steps: - - name: Checkout code - with: - token: ${{ secrets.PERSONAL_TOKEN }} - uses: actions/checkout@v6 - - - name: Bump chart version - id: bump_chart - run: | - chart_name=${{ github.event.client_payload.chart_name }} - chart_version=${{ github.event.client_payload.chart_version }} - echo "Bumping version for $chart_name to $chart_version" - sed -i "s/^version: .*/version: $chart_version/" charts/$chart_name/Chart.yaml - - - name: Create PR - uses: peter-evans/create-pull-request@v7 - with: - token: ${{ secrets.PERSONAL_TOKEN }} - commit-message: "Bump chart version for ${{ github.event.client_payload.chart_name }} to ${{ github.event.client_payload.chart_version }}" - branch: chore/bump-chart-version-${{ github.event.client_payload.chart_name }}-${{ github.event.client_payload.chart_version }} - title: "Bump chart version for ${{ github.event.client_payload.chart_name }} to ${{ github.event.client_payload.chart_version }}" - body: "This PR bumps the chart version for ${{ github.event.client_payload.chart_name }} to ${{ github.event.client_payload.chart_version }}." - base: main - sign-commits: true - labels: bump-chart diff --git a/.github/workflows/helm-release.yml b/.github/workflows/helm-release.yml deleted file mode 100644 index 5781f1f..0000000 --- a/.github/workflows/helm-release.yml +++ /dev/null 
@@ -1,30 +0,0 @@ -name: Helm Continuous Deployment - -on: - push: - branches: - - main - -jobs: - release: - name: Release Helm Charts - runs-on: ubuntu-latest - - permissions: - contents: write - - steps: - - name: Checkout - uses: actions/checkout@v6 - with: - fetch-depth: 0 - token: ${{ secrets.PERSONAL_TOKEN }} - - - name: Configure Git user - run: | - git config user.name "$GITHUB_ACTOR" - git config user.email "$GITHUB_ACTOR@users.noreply.github.com" - - name: Run chart-releaser job - uses: helm/chart-releaser-action@v1 - env: - CR_TOKEN: "${{ secrets.PERSONAL_TOKEN }}" diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml deleted file mode 100644 index 3a27ca2..0000000 --- a/.github/workflows/linting.yml +++ /dev/null @@ -1,32 +0,0 @@ -name: Checks and Validation -on: - pull_request: - -jobs: - linters: - name: Run linters - runs-on: ubuntu-latest - permissions: - checks: write - contents: write - steps: - - uses: actions/checkout@v6 - with: - token: ${{ secrets.PERSONAL_TOKEN }} - - uses: dtolnay/rust-toolchain@stable - with: - components: clippy,rustfmt - - - name: Cache cargo and rust files - id: rust_cache - uses: Swatinem/rust-cache@v2 - with: - cache-on-failure: true - shared-key: "linter_cache" - - - name: Run linters - uses: profiidev/rust-lint-action@v3 - with: - rustfmt: true - clippy: true - auto_fix: true diff --git a/.gitignore b/.gitignore index cc9ec15..8139be9 100644 --- a/.gitignore +++ b/.gitignore @@ -2,5 +2,9 @@ *.tfstate *.tfstate.backup *.lock.info -*.tfvars -target/ \ No newline at end of file +secrets.tfvars + +# direnv +.direnv + +/kubeconfig \ No newline at end of file diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl deleted file mode 100644 index c6988cf..0000000 --- a/.terraform.lock.hcl +++ /dev/null 
@@ -1,158 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/gavinbunney/kubectl" { - version = "1.19.0" - constraints = "~> 1.0" - hashes = [ - "h1:9QkxPjp0x5FZFfJbE+B7hBOoads9gmdfj9aYu5N4Sfc=", - "zh:1dec8766336ac5b00b3d8f62e3fff6390f5f60699c9299920fc9861a76f00c71", - "zh:43f101b56b58d7fead6a511728b4e09f7c41dc2e3963f59cf1c146c4767c6cb7", - "zh:4c4fbaa44f60e722f25cc05ee11dfaec282893c5c0ffa27bc88c382dbfbaa35c", - "zh:51dd23238b7b677b8a1abbfcc7deec53ffa5ec79e58e3b54d6be334d3d01bc0e", - "zh:5afc2ebc75b9d708730dbabdc8f94dd559d7f2fc5a31c5101358bd8d016916ba", - "zh:6be6e72d4663776390a82a37e34f7359f726d0120df622f4a2b46619338a168e", - "zh:72642d5fcf1e3febb6e5d4ae7b592bb9ff3cb220af041dbda893588e4bf30c0c", - "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:a1da03e3239867b35812ee031a1060fed6e8d8e458e2eaca48b5dd51b35f56f7", - "zh:b98b6a6728fe277fcd133bdfa7237bd733eae233f09653523f14460f608f8ba2", - "zh:bb8b071d0437f4767695c6158a3cb70df9f52e377c67019971d888b99147511f", - "zh:dc89ce4b63bfef708ec29c17e85ad0232a1794336dc54dd88c3ba0b77e764f71", - "zh:dd7dd18f1f8218c6cd19592288fde32dccc743cde05b9feeb2883f37c2ff4b4e", - "zh:ec4bd5ab3872dedb39fe528319b4bba609306e12ee90971495f109e142d66310", - "zh:f610ead42f724c82f5463e0e71fa735a11ffb6101880665d93f48b4a67b9ad82", - ] -} - -provider "registry.terraform.io/hashicorp/external" { - version = "2.3.4" - hashes = [ - "h1:XWkRZOLKMjci9/JAtE8X8fWOt7A4u+9mgXSUjc4Wuyo=", - "zh:037fd82cd86227359bc010672cd174235e2d337601d4686f526d0f53c87447cb", - "zh:0ea1db63d6173d01f2fa8eb8989f0809a55135a0d8d424b08ba5dabad73095fa", - "zh:17a4d0a306566f2e45778fbac48744b6fd9c958aaa359e79f144c6358cb93af0", - "zh:298e5408ab17fd2e90d2cd6d406c6d02344fe610de5b7dae943a58b958e76691", - "zh:38ecfd29ee0785fd93164812dcbe0664ebbe5417473f3b2658087ca5a0286ecb", - "zh:59f6a6f31acf66f4ea3667a555a70eba5d406c6e6d93c2c641b81d63261eeace", - 
"zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:ad0279dfd09d713db0c18469f585e58d04748ca72d9ada83883492e0dd13bd58", - "zh:c69f66fd21f5e2c8ecf7ca68d9091c40f19ad913aef21e3ce23836e91b8cbb5f", - "zh:d4a56f8c48aa86fc8e0c233d56850f5783f322d6336f3bf1916e293246b6b5d4", - "zh:f2b394ebd4af33f343835517e80fc876f79361f4688220833bc3c77655dd2202", - "zh:f31982f29f12834e5d21e010856eddd19d59cd8f449adf470655bfd19354377e", - ] -} - -provider "registry.terraform.io/hashicorp/helm" { - version = "2.17.0" - constraints = "~> 2.0" - hashes = [ - "h1:K5FEjxvDnxb1JF1kG1xr8J3pNGxoaR3Z0IBG9Csm/Is=", - "zh:06fb4e9932f0afc1904d2279e6e99353c2ddac0d765305ce90519af410706bd4", - "zh:104eccfc781fc868da3c7fec4385ad14ed183eb985c96331a1a937ac79c2d1a7", - "zh:129345c82359837bb3f0070ce4891ec232697052f7d5ccf61d43d818912cf5f3", - "zh:3956187ec239f4045975b35e8c30741f701aa494c386aaa04ebabffe7749f81c", - "zh:66a9686d92a6b3ec43de3ca3fde60ef3d89fb76259ed3313ca4eb9bb8c13b7dd", - "zh:88644260090aa621e7e8083585c468c8dd5e09a3c01a432fb05da5c4623af940", - "zh:a248f650d174a883b32c5b94f9e725f4057e623b00f171936dcdcc840fad0b3e", - "zh:aa498c1f1ab93be5c8fbf6d48af51dc6ef0f10b2ea88d67bcb9f02d1d80d3930", - "zh:bf01e0f2ec2468c53596e027d376532a2d30feb72b0b5b810334d043109ae32f", - "zh:c46fa84cc8388e5ca87eb575a534ebcf68819c5a5724142998b487cb11246654", - "zh:d0c0f15ffc115c0965cbfe5c81f18c2e114113e7a1e6829f6bfd879ce5744fbb", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - ] -} - -provider "registry.terraform.io/hashicorp/kubernetes" { - version = "2.36.0" - constraints = "~> 2.0" - hashes = [ - "h1:vdY0sxo7ahwuz/y7flXTE04tSwn0Zhxyg6n62aTmAHI=", - "zh:07f38fcb7578984a3e2c8cf0397c880f6b3eb2a722a120a08a634a607ea495ca", - "zh:1adde61769c50dbb799d8bf8bfd5c8c504a37017dfd06c7820f82bcf44ca0d39", - "zh:39707f23ab58fd0e686967c0f973c0f5a39c14d6ccfc757f97c345fdd0cd4624", - "zh:4cc3dc2b5d06cc22d1c734f7162b0a8fdc61990ff9efb64e59412d65a7ccc92a", - 
"zh:8382dcb82ba7303715b5e67939e07dd1c8ecddbe01d12f39b82b2b7d7357e1d9", - "zh:88e8e4f90034186b8bfdea1b8d394621cbc46a064ff2418027e6dba6807d5227", - "zh:a6276a75ad170f76d88263fdb5f9558998bf3a3f7650d7bd3387b396410e59f3", - "zh:bc816c7e0606e5df98a0c7634b240bb0c8100c3107b8b17b554af702edc6a0c5", - "zh:cb2f31d58f37020e840af52755c18afd1f09a833c4903ac59270ab440fab57b7", - "zh:ee0d103b8d0089fb1918311683110b4492a9346f0471b136af46d3b019576b22", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - "zh:f688b9ec761721e401f6859c19c083e3be20a650426f4747cd359cdc079d212a", - ] -} - -provider "registry.terraform.io/hashicorp/local" { - version = "2.5.2" - hashes = [ - "h1:JlMZD6nYqJ8sSrFfEAH0Vk/SL8WLZRmFaMUF9PJK5wM=", - "zh:136299545178ce281c56f36965bf91c35407c11897f7082b3b983d86cb79b511", - "zh:3b4486858aa9cb8163378722b642c57c529b6c64bfbfc9461d940a84cd66ebea", - "zh:4855ee628ead847741aa4f4fc9bed50cfdbf197f2912775dd9fe7bc43fa077c0", - "zh:4b8cd2583d1edcac4011caafe8afb7a95e8110a607a1d5fb87d921178074a69b", - "zh:52084ddaff8c8cd3f9e7bcb7ce4dc1eab00602912c96da43c29b4762dc376038", - "zh:71562d330d3f92d79b2952ffdda0dad167e952e46200c767dd30c6af8d7c0ed3", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:805f81ade06ff68fa8b908d31892eaed5c180ae031c77ad35f82cb7a74b97cf4", - "zh:8b6b3ebeaaa8e38dd04e56996abe80db9be6f4c1df75ac3cccc77642899bd464", - "zh:ad07750576b99248037b897de71113cc19b1a8d0bc235eb99173cc83d0de3b1b", - "zh:b9f1c3bfadb74068f5c205292badb0661e17ac05eb23bfe8bd809691e4583d0e", - "zh:cc4cbcd67414fefb111c1bf7ab0bc4beb8c0b553d01719ad17de9a047adff4d1", - ] -} - -provider "registry.terraform.io/hashicorp/null" { - version = "3.2.3" - hashes = [ - "h1:+AnORRgFbRO6qqcfaQyeX80W0eX3VmjadjnUFUJTiXo=", - "zh:22d062e5278d872fe7aed834f5577ba0a5afe34a3bdac2b81f828d8d3e6706d2", - "zh:23dead00493ad863729495dc212fd6c29b8293e707b055ce5ba21ee453ce552d", - "zh:28299accf21763ca1ca144d8f660688d7c2ad0b105b7202554ca60b02a3856d3", - 
"zh:55c9e8a9ac25a7652df8c51a8a9a422bd67d784061b1de2dc9fe6c3cb4e77f2f", - "zh:756586535d11698a216291c06b9ed8a5cc6a4ec43eee1ee09ecd5c6a9e297ac1", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:9d5eea62fdb587eeb96a8c4d782459f4e6b73baeece4d04b4a40e44faaee9301", - "zh:a6355f596a3fb8fc85c2fb054ab14e722991533f87f928e7169a486462c74670", - "zh:b5a65a789cff4ada58a5baffc76cb9767dc26ec6b45c00d2ec8b1b027f6db4ed", - "zh:db5ab669cf11d0e9f81dc380a6fdfcac437aea3d69109c7aef1a5426639d2d65", - "zh:de655d251c470197bcbb5ac45d289595295acb8f829f6c781d4a75c8c8b7c7dd", - "zh:f5c68199f2e6076bce92a12230434782bf768103a427e9bb9abee99b116af7b5", - ] -} - -provider "registry.terraform.io/hashicorp/random" { - version = "3.7.2" - hashes = [ - "h1:356j/3XnXEKr9nyicLUufzoF4Yr6hRy481KIxRVpK0c=", - "zh:14829603a32e4bc4d05062f059e545a91e27ff033756b48afbae6b3c835f508f", - "zh:1527fb07d9fea400d70e9e6eb4a2b918d5060d604749b6f1c361518e7da546dc", - "zh:1e86bcd7ebec85ba336b423ba1db046aeaa3c0e5f921039b3f1a6fc2f978feab", - "zh:24536dec8bde66753f4b4030b8f3ef43c196d69cccbea1c382d01b222478c7a3", - "zh:29f1786486759fad9b0ce4fdfbbfece9343ad47cd50119045075e05afe49d212", - "zh:4d701e978c2dd8604ba1ce962b047607701e65c078cb22e97171513e9e57491f", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:7b8434212eef0f8c83f5a90c6d76feaf850f6502b61b53c329e85b3b281cba34", - "zh:ac8a23c212258b7976e1621275e3af7099e7e4a3d4478cf8d5d2a27f3bc3e967", - "zh:b516ca74431f3df4c6cf90ddcdb4042c626e026317a33c53f0b445a3d93b720d", - "zh:dc76e4326aec2490c1600d6871a95e78f9050f9ce427c71707ea412a2f2f1a62", - "zh:eac7b63e86c749c7d48f527671c7aee5b4e26c10be6ad7232d6860167f99dbb0", - ] -} - -provider "registry.terraform.io/hashicorp/template" { - version = "2.2.0" - hashes = [ - "h1:94qn780bi1qjrbC3uQtjJh3Wkfwd5+tTtJHOb7KTg9w=", - "zh:01702196f0a0492ec07917db7aaa595843d8f171dc195f4c988d2ffca2a06386", - "zh:09aae3da826ba3d7df69efeb25d146a1de0d03e951d35019a0f80e4f58c89b53", - 
"zh:09ba83c0625b6fe0a954da6fbd0c355ac0b7f07f86c91a2a97849140fea49603", - "zh:0e3a6c8e16f17f19010accd0844187d524580d9fdb0731f675ffcf4afba03d16", - "zh:45f2c594b6f2f34ea663704cc72048b212fe7d16fb4cfd959365fa997228a776", - "zh:77ea3e5a0446784d77114b5e851c970a3dde1e08fa6de38210b8385d7605d451", - "zh:8a154388f3708e3df5a69122a23bdfaf760a523788a5081976b3d5616f7d30ae", - "zh:992843002f2db5a11e626b3fc23dc0c87ad3729b3b3cff08e32ffb3df97edbde", - "zh:ad906f4cebd3ec5e43d5cd6dc8f4c5c9cc3b33d2243c89c5fc18f97f7277b51d", - "zh:c979425ddb256511137ecd093e23283234da0154b7fa8b21c2687182d9aea8b2", - ] -} diff --git a/Cargo.lock b/Cargo.lock deleted file mode 100644 index b709b65..0000000 --- a/Cargo.lock +++ /dev/null 
@@ -1,872 +0,0 @@ -# This file is automatically @generated by Cargo. -# It is not intended for manual editing. -version = 4 - -[[package]] -name = "adler2" -version = "2.0.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "512761e0bb2578dd7380c6baaa0f4ce03e84f95e960231d1dec8bf4d7d6e2627" - -[[package]] -name = "anyhow" -version = "1.0.100" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a23eb6b1614318a8071c9b2521f36b424b2c83db5eb3a0fead4a6c0809af6e61" - -[[package]] -name = "base64" -version = "0.22.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "72b3254f16251a8381aa12e40e3c4d2f0199f8c6508fbecb9d91f575e0fbb8c6" - -[[package]] -name = "bytes" -version = "1.10.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d71b6127be86fdcfddb610f7182ac57211d4b18a3e9c82eb2d17662f2227ad6a" - -[[package]] -name = "cc" -version = "1.2.17" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1fcb57c740ae1daf453ae85f16e37396f672b039e00d9d866e07ddb24e328e3a" -dependencies = [ - "shlex", -] - -[[package]] -name = "cfg-if" -version = "1.0.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd" - -[[package]] -name = "cookie" -version = "0.18.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4ddef33a339a91ea89fb53151bd0a4689cfce27055c291dfa69945475d22c747" -dependencies = [ - "percent-encoding", - "time", - "version_check", -] - -[[package]] -name = "cookie_store" -version = "0.22.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3fc4bff745c9b4c7fb1e97b25d13153da2bc7796260141df62378998d070207f" -dependencies = [ - "cookie", - "document-features", - "idna", - "indexmap", - "log", - "serde", - "serde_derive", - "serde_json", - "time", - "url", -] - -[[package]] -name = "crc32fast" 
-version = "1.4.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a97769d94ddab943e4510d138150169a2758b5ef3eb191a9ee688de3e23ef7b3" -dependencies = [ - "cfg-if", -] - -[[package]] -name = "deranged" -version = "0.4.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "28cfac68e08048ae1883171632c2aef3ebc555621ae56fbccce1cbf22dd7f058" -dependencies = [ - "powerfmt", -] - -[[package]] -name = "displaydoc" -version = "0.2.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "97369cbbc041bc366949bc74d34658d6cda5621039731c6310521892a3a20ae0" -dependencies = [ - "proc-macro2", - "quote", - "syn", -] - -[[package]] -name = "document-features" -version = "0.2.11" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "95249b50c6c185bee49034bcb378a49dc2b5dff0be90ff6616d31d64febab05d" -dependencies = [ - "litrs", -] - -[[package]] -name = "equivalent" -version = "1.0.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "877a4ace8713b0bcf2a4e7eec82529c029f1d0619886d18145fea96c3ffe5c0f" - -[[package]] -name = "flate2" -version = "1.1.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "11faaf5a5236997af9848be0bef4db95824b1d534ebc64d0f0c6cf3e67bd38dc" -dependencies = [ - "crc32fast", - "miniz_oxide", -] - -[[package]] -name = "fnv" -version = "1.0.7" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1" - -[[package]] -name = "form_urlencoded" -version = "1.2.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e13624c2627564efccf4934284bdd98cbaa14e79b0b5a141218e507b3a823456" -dependencies = [ - "percent-encoding", -] - -[[package]] -name = "getrandom" -version = "0.2.15" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = 
"c4567c8db10ae91089c99af84c68c38da3ec2f087c3f82960bcdbf3656b6f4d7" -dependencies = [ - "cfg-if", - "libc", - "wasi", -] - -[[package]] -name = "hashbrown" -version = "0.15.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bf151400ff0baff5465007dd2f3e717f3fe502074ca563069ce3a6629d07b289" - -[[package]] -name = "http" -version = "1.3.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f4a85d31aea989eead29a3aaf9e1115a180df8282431156e533de47660892565" -dependencies = [ - "bytes", - "fnv", - "itoa", -] - -[[package]] -name = "httparse" -version = "1.10.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6dbf3de79e51f3d586ab4cb9d5c3e2c14aa28ed23d180cf89b4df0454a69cc87" - -[[package]] -name = "icu_collections" -version = "1.5.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "db2fa452206ebee18c4b5c2274dbf1de17008e874b4dc4f0aea9d01ca79e4526" -dependencies = [ - "displaydoc", - "yoke", - "zerofrom", - "zerovec", -] - -[[package]] -name = "icu_locid" -version = "1.5.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "13acbb8371917fc971be86fc8057c41a64b521c184808a698c02acc242dbf637" -dependencies = [ - "displaydoc", - "litemap", - "tinystr", - "writeable", - "zerovec", -] - -[[package]] -name = "icu_locid_transform" -version = "1.5.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "01d11ac35de8e40fdeda00d9e1e9d92525f3f9d887cdd7aa81d727596788b54e" -dependencies = [ - "displaydoc", - "icu_locid", - "icu_locid_transform_data", - "icu_provider", - "tinystr", - "zerovec", -] - -[[package]] -name = "icu_locid_transform_data" -version = "1.5.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fdc8ff3388f852bede6b579ad4e978ab004f139284d7b28715f773507b946f6e" - -[[package]] -name = "icu_normalizer" -version = "1.5.0" -source = 
"registry+https://github.com/rust-lang/crates.io-index" -checksum = "19ce3e0da2ec68599d193c93d088142efd7f9c5d6fc9b803774855747dc6a84f" -dependencies = [ - "displaydoc", - "icu_collections", - "icu_normalizer_data", - "icu_properties", - "icu_provider", - "smallvec", - "utf16_iter", - "utf8_iter", - "write16", - "zerovec", -] - -[[package]] -name = "icu_normalizer_data" -version = "1.5.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f8cafbf7aa791e9b22bec55a167906f9e1215fd475cd22adfcf660e03e989516" - -[[package]] -name = "icu_properties" -version = "1.5.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "93d6020766cfc6302c15dbbc9c8778c37e62c14427cb7f6e601d849e092aeef5" -dependencies = [ - "displaydoc", - "icu_collections", - "icu_locid_transform", - "icu_properties_data", - "icu_provider", - "tinystr", - "zerovec", -] - -[[package]] -name = "icu_properties_data" -version = "1.5.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "67a8effbc3dd3e4ba1afa8ad918d5684b8868b3b26500753effea8d2eed19569" - -[[package]] -name = "icu_provider" -version = "1.5.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6ed421c8a8ef78d3e2dbc98a973be2f3770cb42b606e3ab18d6237c4dfde68d9" -dependencies = [ - "displaydoc", - "icu_locid", - "icu_provider_macros", - "stable_deref_trait", - "tinystr", - "writeable", - "yoke", - "zerofrom", - "zerovec", -] - -[[package]] -name = "icu_provider_macros" -version = "1.5.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1ec89e9337638ecdc08744df490b221a7399bf8d164eb52a665454e60e075ad6" -dependencies = [ - "proc-macro2", - "quote", - "syn", -] - -[[package]] -name = "idna" -version = "1.0.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "686f825264d630750a544639377bae737628043f20d38bbc029e8f29ea968a7e" -dependencies = [ - "idna_adapter", - "smallvec", - "utf8_iter", -] - 
-[[package]] -name = "idna_adapter" -version = "1.2.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "daca1df1c957320b2cf139ac61e7bd64fed304c5040df000a745aa1de3b4ef71" -dependencies = [ - "icu_normalizer", - "icu_properties", -] - -[[package]] -name = "indexmap" -version = "2.8.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3954d50fe15b02142bf25d3b8bdadb634ec3948f103d04ffe3031bc8fe9d7058" -dependencies = [ - "equivalent", - "hashbrown", -] - -[[package]] -name = "itoa" -version = "1.0.15" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4a5f13b858c8d314ee3e8f639011f7ccefe71f97f96e50151fb991f267928e2c" - -[[package]] -name = "libc" -version = "0.2.171" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c19937216e9d3aa9956d9bb8dfc0b0c8beb6058fc4f7a4dc4d850edf86a237d6" - -[[package]] -name = "litemap" -version = "0.7.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "23fb14cb19457329c82206317a5663005a4d404783dc74f4252769b0d5f42856" - -[[package]] -name = "litrs" -version = "0.4.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b4ce301924b7887e9d637144fdade93f9dfff9b60981d4ac161db09720d39aa5" - -[[package]] -name = "log" -version = "0.4.27" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "13dc2df351e3202783a1fe0d44375f7295ffb4049267b0f3018346dc122a1d94" - -[[package]] -name = "memchr" -version = "2.7.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "78ca9ab1a0babb1e7d5695e3530886289c18cf2f87ec19a575a0abdce112e3a3" - -[[package]] -name = "miniz_oxide" -version = "0.8.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8e3e04debbb59698c15bacbb6d93584a8c0ca9cc3213cb423d31f760d8843ce5" -dependencies = [ - "adler2", -] - -[[package]] -name = "num-conv" -version = "0.1.0" -source = 
"registry+https://github.com/rust-lang/crates.io-index" -checksum = "51d515d32fb182ee37cda2ccdcb92950d6a3c2893aa280e540671c2cd0f3b1d9" - -[[package]] -name = "once_cell" -version = "1.21.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c2806eaa3524762875e21c3dcd057bc4b7bfa01ce4da8d46be1cd43649e1cc6b" - -[[package]] -name = "percent-encoding" -version = "2.3.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e3148f5046208a5d56bcfc03053e3ca6334e51da8dfb19b6cdc8b306fae3283e" - -[[package]] -name = "powerfmt" -version = "0.2.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "439ee305def115ba05938db6eb1644ff94165c5ab5e9420d1c1bcedbba909391" - -[[package]] -name = "proc-macro2" -version = "1.0.94" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a31971752e70b8b2686d7e46ec17fb38dad4051d94024c88df49b667caea9c84" -dependencies = [ - "unicode-ident", -] - -[[package]] -name = "quote" -version = "1.0.40" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1885c039570dc00dcb4ff087a89e185fd56bae234ddc7f056a945bf36467248d" -dependencies = [ - "proc-macro2", -] - -[[package]] -name = "ring" -version = "0.17.14" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a4689e6c2294d81e88dc6261c768b63bc4fcdb852be6d1352498b114f61383b7" -dependencies = [ - "cc", - "cfg-if", - "getrandom", - "libc", - "untrusted", - "windows-sys", -] - -[[package]] -name = "rustls" -version = "0.23.25" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "822ee9188ac4ec04a2f0531e55d035fb2de73f18b41a63c70c2712503b6fb13c" -dependencies = [ - "log", - "once_cell", - "ring", - "rustls-pki-types", - "rustls-webpki", - "subtle", - "zeroize", -] - -[[package]] -name = "rustls-pki-types" -version = "1.11.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = 
"917ce264624a4b4db1c364dcc35bfca9ded014d0a958cd47ad3e960e988ea51c" - -[[package]] -name = "rustls-webpki" -version = "0.103.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fef8b8769aaccf73098557a87cd1816b4f9c7c16811c9c77142aa695c16f2c03" -dependencies = [ - "ring", - "rustls-pki-types", - "untrusted", -] - -[[package]] -name = "ryu" -version = "1.0.20" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "28d3b2b1366ec20994f1fd18c3c594f05c5dd4bc44d8bb0c1c632c8d6829481f" - -[[package]] -name = "serde" -version = "1.0.228" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9a8e94ea7f378bd32cbbd37198a4a91436180c5bb472411e48b5ec2e2124ae9e" -dependencies = [ - "serde_core", - "serde_derive", -] - -[[package]] -name = "serde_core" -version = "1.0.228" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "41d385c7d4ca58e59fc732af25c3983b67ac852c1a25000afe1175de458b67ad" -dependencies = [ - "serde_derive", -] - -[[package]] -name = "serde_derive" -version = "1.0.228" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d540f220d3187173da220f885ab66608367b6574e925011a9353e4badda91d79" -dependencies = [ - "proc-macro2", - "quote", - "syn", -] - -[[package]] -name = "serde_json" -version = "1.0.140" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "20068b6e96dc6c9bd23e01df8827e6c7e1f2fddd43c21810382803c136b99373" -dependencies = [ - "itoa", - "memchr", - "ryu", - "serde", -] - -[[package]] -name = "shlex" -version = "1.3.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64" - -[[package]] -name = "signal-hook" -version = "0.3.18" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d881a16cf4426aa584979d30bd82cb33429027e42122b169753d6ef1085ed6e2" -dependencies = [ - "libc", - 
"signal-hook-registry", -] - -[[package]] -name = "signal-hook-registry" -version = "1.4.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a9e9e0b4211b72e7b8b6e85c807d36c212bdb33ea8587f7569562a84df5465b1" -dependencies = [ - "libc", -] - -[[package]] -name = "smallvec" -version = "1.14.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7fcf8323ef1faaee30a44a340193b1ac6814fd9b7b4e88e9d4519a3e4abe1cfd" - -[[package]] -name = "stable_deref_trait" -version = "1.2.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a8f112729512f8e442d81f95a8a7ddf2b7c6b8a1a6f509a95864142b30cab2d3" - -[[package]] -name = "subtle" -version = "2.6.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292" - -[[package]] -name = "syn" -version = "2.0.100" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b09a44accad81e1ba1cd74a32461ba89dee89095ba17b32f5d03683b1b1fc2a0" -dependencies = [ - "proc-macro2", - "quote", - "unicode-ident", -] - -[[package]] -name = "synstructure" -version = "0.13.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c8af7666ab7b6390ab78131fb5b0fce11d6b7a6951602017c35fa82800708971" -dependencies = [ - "proc-macro2", - "quote", - "syn", -] - -[[package]] -name = "time" -version = "0.3.41" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8a7619e19bc266e0f9c5e6686659d394bc57973859340060a69221e57dbc0c40" -dependencies = [ - "deranged", - "itoa", - "num-conv", - "powerfmt", - "serde", - "time-core", - "time-macros", -] - -[[package]] -name = "time-core" -version = "0.1.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c9e9a38711f559d9e3ce1cdb06dd7c5b8ea546bc90052da6d06bb76da74bb07c" - -[[package]] -name = "time-macros" -version = "0.2.22" -source = 
"registry+https://github.com/rust-lang/crates.io-index" -checksum = "3526739392ec93fd8b359c8e98514cb3e8e021beb4e5f597b00a0221f8ed8a49" -dependencies = [ - "num-conv", - "time-core", -] - -[[package]] -name = "tinystr" -version = "0.7.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9117f5d4db391c1cf6927e7bea3db74b9a1c1add8f7eda9ffd5364f40f57b82f" -dependencies = [ - "displaydoc", - "zerovec", -] - -[[package]] -name = "unicode-ident" -version = "1.0.18" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5a5f39404a5da50712a4c1eecf25e90dd62b613502b7e925fd4e4d19b5c96512" - -[[package]] -name = "untrusted" -version = "0.9.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1" - -[[package]] -name = "ureq" -version = "3.1.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d39cb1dbab692d82a977c0392ffac19e188bd9186a9f32806f0aaa859d75585a" -dependencies = [ - "base64", - "cookie_store", - "flate2", - "log", - "percent-encoding", - "rustls", - "rustls-pki-types", - "serde", - "serde_json", - "ureq-proto", - "utf-8", - "webpki-roots", -] - -[[package]] -name = "ureq-proto" -version = "0.5.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "60b4531c118335662134346048ddb0e54cc86bd7e81866757873055f0e38f5d2" -dependencies = [ - "base64", - "http", - "httparse", - "log", -] - -[[package]] -name = "url" -version = "2.5.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "32f8b686cadd1473f4bd0117a5d28d36b1ade384ea9b5069a1c40aefed7fda60" -dependencies = [ - "form_urlencoded", - "idna", - "percent-encoding", -] - -[[package]] -name = "utf-8" -version = "0.7.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "09cc8ee72d2a9becf2f2febe0205bbed8fc6615b7cb429ad062dc7b7ddd036a9" - -[[package]] -name = "utf16_iter" 
-version = "1.0.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c8232dd3cdaed5356e0f716d285e4b40b932ac434100fe9b7e0e8e935b9e6246" - -[[package]] -name = "utf8_iter" -version = "1.0.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b6c140620e7ffbb22c2dee59cafe6084a59b5ffc27a8859a5f0d494b5d52b6be" - -[[package]] -name = "vault-auto-unseal" -version = "0.1.0" -dependencies = [ - "anyhow", - "serde", - "signal-hook", - "ureq", -] - -[[package]] -name = "version_check" -version = "0.9.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0b928f33d975fc6ad9f86c8f283853ad26bdd5b10b7f1542aa2fa15e2289105a" - -[[package]] -name = "wasi" -version = "0.11.0+wasi-snapshot-preview1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423" - -[[package]] -name = "webpki-roots" -version = "1.0.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7e8983c3ab33d6fb807cfcdad2491c4ea8cbc8ed839181c7dfd9c67c83e261b2" -dependencies = [ - "rustls-pki-types", -] - -[[package]] -name = "windows-sys" -version = "0.52.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "282be5f36a8ce781fad8c8ae18fa3f9beff57ec1b52cb3de0789201425d9a33d" -dependencies = [ - "windows-targets", -] - -[[package]] -name = "windows-targets" -version = "0.52.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9b724f72796e036ab90c1021d4780d4d3d648aca59e491e6b98e725b84e99973" -dependencies = [ - "windows_aarch64_gnullvm", - "windows_aarch64_msvc", - "windows_i686_gnu", - "windows_i686_gnullvm", - "windows_i686_msvc", - "windows_x86_64_gnu", - "windows_x86_64_gnullvm", - "windows_x86_64_msvc", -] - -[[package]] -name = "windows_aarch64_gnullvm" -version = "0.52.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = 
"32a4622180e7a0ec044bb555404c800bc9fd9ec262ec147edd5989ccd0c02cd3" - -[[package]] -name = "windows_aarch64_msvc" -version = "0.52.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "09ec2a7bb152e2252b53fa7803150007879548bc709c039df7627cabbd05d469" - -[[package]] -name = "windows_i686_gnu" -version = "0.52.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8e9b5ad5ab802e97eb8e295ac6720e509ee4c243f69d781394014ebfe8bbfa0b" - -[[package]] -name = "windows_i686_gnullvm" -version = "0.52.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0eee52d38c090b3caa76c563b86c3a4bd71ef1a819287c19d586d7334ae8ed66" - -[[package]] -name = "windows_i686_msvc" -version = "0.52.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "240948bc05c5e7c6dabba28bf89d89ffce3e303022809e73deaefe4f6ec56c66" - -[[package]] -name = "windows_x86_64_gnu" -version = "0.52.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "147a5c80aabfbf0c7d901cb5895d1de30ef2907eb21fbbab29ca94c5b08b1a78" - -[[package]] -name = "windows_x86_64_gnullvm" -version = "0.52.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "24d5b23dc417412679681396f2b49f3de8c1473deb516bd34410872eff51ed0d" - -[[package]] -name = "windows_x86_64_msvc" -version = "0.52.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "589f6da84c646204747d1270a2a5661ea66ed1cced2631d546fdfb155959f9ec" - -[[package]] -name = "write16" -version = "1.0.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d1890f4022759daae28ed4fe62859b1236caebfc61ede2f63ed4e695f3f6d936" - -[[package]] -name = "writeable" -version = "0.5.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1e9df38ee2d2c3c5948ea468a8406ff0db0b29ae1ffde1bcf20ef305bcc95c51" - -[[package]] -name = "yoke" -version = "0.7.5" -source = 
"registry+https://github.com/rust-lang/crates.io-index" -checksum = "120e6aef9aa629e3d4f52dc8cc43a015c7724194c97dfaf45180d2daf2b77f40" -dependencies = [ - "serde", - "stable_deref_trait", - "yoke-derive", - "zerofrom", -] - -[[package]] -name = "yoke-derive" -version = "0.7.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2380878cad4ac9aac1e2435f3eb4020e8374b5f13c296cb75b4620ff8e229154" -dependencies = [ - "proc-macro2", - "quote", - "syn", - "synstructure", -] - -[[package]] -name = "zerofrom" -version = "0.1.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "50cc42e0333e05660c3587f3bf9d0478688e15d870fab3346451ce7f8c9fbea5" -dependencies = [ - "zerofrom-derive", -] - -[[package]] -name = "zerofrom-derive" -version = "0.1.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d71e5d6e06ab090c67b5e44993ec16b72dcbaabc526db883a360057678b48502" -dependencies = [ - "proc-macro2", - "quote", - "syn", - "synstructure", -] - -[[package]] -name = "zeroize" -version = "1.8.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ced3678a2879b30306d323f4542626697a464a97c0a07c9aebf7ebca65cd4dde" - -[[package]] -name = "zerovec" -version = "0.10.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "aa2b893d79df23bfb12d5461018d408ea19dfafe76c2c7ef6d4eba614f8ff079" -dependencies = [ - "yoke", - "zerofrom", - "zerovec-derive", -] - -[[package]] -name = "zerovec-derive" -version = "0.10.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6eafa6dfb17584ea3e2bd6e76e0cc15ad7af12b09abdd1ca55961bed9b1063c6" -dependencies = [ - "proc-macro2", - "quote", - "syn", -] diff --git a/Cargo.toml b/Cargo.toml deleted file mode 100644 index a60cb7a..0000000 --- a/Cargo.toml +++ /dev/null @@ -1,3 +0,0 @@ -[workspace] -members = ["apps/vault-auto-unseal"] -resolver = "3" 
diff --git a/README.md b/README.md index 3815923..eed485c 100644 --- a/README.md +++ b/README.md @@ -1,76 +1,3 @@ # Server Config -## Setup - -- create rke2 config `/etc/rancher/rke2/config.yaml` - - ```yaml - cni: calico - profile: cis - pod-security-admission-config-file: /etc/rancher/rke2/rke2-pss-custom.yaml - etcd-expose-metrics: true - kube-controller-manager-arg: - - bind-address=0.0.0.0 - kube-scheduler-arg: - - bind-address=0.0.0.0 - kube-proxy-arg: - - metrics-bind-address=0.0.0.0 - kubelet-arg: - - max-pods=200 - ``` - -- create admission config `/etc/rancher/rke2/rke2-pss-custom.yaml` - - ```yaml - apiVersion: apiserver.config.k8s.io/v1 - kind: AdmissionConfiguration - plugins: - - name: PodSecurity - configuration: - apiVersion: pod-security.admission.config.k8s.io/v1beta1 - kind: PodSecurityConfiguration - defaults: - enforce: "privileged" - enforce-version: "latest" - exemptions: - usernames: [] - runtimeClasses: [] - namespaces: [] - ``` - -- install rke2 - - ```bash - curl -sfL https://get.rke2.io | sh -s - server - systemctl enable rke2-server.service - systemctl start rke2-server.service - ``` - -- add kernel params - - ```bash - cp -f /usr/local/share/rke2/rke2-cis-sysctl.conf /etc/sysctl.d/60-rke2-cis.conf - systemctl restart systemd-sysctl - sysctl -p /usr/local/share/rke2/rke2-cis-sysctl.conf - ``` - -- Apply Terraform config - ```bash - terraform apply - ``` - -## Postgres - -Edit the postgres config with this cmd - -```bash -kubectl edit perconapgclusters.pgv2.percona.com -n everest postgresql -``` - -And replace/add to the spec > proxy > pgBouncer > config section - -```yaml -global: - stats_users: _crunchypgbouncer - max_user_connections: "1000" -``` +Terraform scripts for my personal server setup. diff --git a/apps/vault-auto-unseal/Cargo.toml b/apps/vault-auto-unseal/Cargo.toml deleted file mode 100644 index 668f9d7..0000000 --- a/apps/vault-auto-unseal/Cargo.toml +++ /dev/null 
@@ -1,14 +0,0 @@ -[package] -name = "vault-auto-unseal" -version = "0.1.0" -edition = "2024" - -[dependencies] -anyhow = "1.0.100" -serde = { version = "1.0.228", features = ["derive"] } -signal-hook = "0.3.18" -ureq = { version = "3.1.4", features = ["json"] } - -[[bin]] -name = "vault-auto-unseal" -path = "src/main.rs" diff --git a/apps/vault-auto-unseal/Dockerfile b/apps/vault-auto-unseal/Dockerfile deleted file mode 100644 index 3923374..0000000 --- a/apps/vault-auto-unseal/Dockerfile +++ /dev/null @@ -1,41 +0,0 @@ -ARG BIN=vault-auto-unseal - -FROM ghcr.io/profiidev/images/rust-musl-builder:main AS planner - -ARG BIN -ENV BIN=$BIN - -COPY apps/vault-auto-unseal/Cargo.toml ./Cargo.lock ./ - -RUN cargo chef prepare --recipe-path recipe.json --bin $BIN - -FROM ghcr.io/profiidev/images/rust-musl-builder:main AS builder - -ARG BIN -ENV BIN=$BIN - -COPY --from=planner /app/recipe.json . - -RUN cargo chef cook --release - -COPY apps/vault-auto-unseal/src ./src -COPY apps/vault-auto-unseal/Cargo.toml ./Cargo.lock ./ - -RUN cargo build --release --bin $BIN -RUN mv ./target/x86_64-unknown-linux-musl/release/$BIN ./app - -FROM alpine - -RUN addgroup -S user -RUN adduser -G user -S user - -WORKDIR /app -RUN chown -R user:user /app - -USER user - -COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/ - -COPY --from=builder /app/app /usr/local/bin/ - -CMD ["app"] \ No newline at end of file diff --git a/apps/vault-auto-unseal/src/main.rs b/apps/vault-auto-unseal/src/main.rs deleted file mode 100644 index ddd4423..0000000 --- a/apps/vault-auto-unseal/src/main.rs +++ /dev/null 
@@ -1,73 +0,0 @@
-use std::{
- thread::{sleep, spawn},
- time::Duration,
-};
-
-use anyhow::Result;
-use serde::Serialize;
-use signal_hook::{consts::TERM_SIGNALS, iterator::Signals};
-use ureq::{
- Agent,
- http::StatusCode,
- tls::{Certificate, RootCerts, TlsConfig},
-};
-
-fn main() {
- let _ = if let Ok(mut s) = Signals::new(TERM_SIGNALS) {
- spawn(move || {
- let _ = s.forever().next();
- println!("Got exit signal");
- std::process::exit(0);
- })
- } else {
- println!("Failed to register signal");
- std::process::exit(1)
- };
-
- loop {
- if let Err(err) = unseal() {
- println!("Unseal error: {err}");
- }
- sleep(Duration::from_secs(15));
- }
-}
-
-fn unseal() -> Result<()> {
- let cert = std::env::var("CA_CERT")?;
- let cert = Certificate::from_pem(cert.as_bytes())?;
- let tls = TlsConfig::builder()
- .root_certs(RootCerts::new_with_certs(&[cert]))
- .build();
- let config = Agent::config_builder()
- .tls_config(tls)
- .http_status_as_error(false)
- .build();
- let agent = Agent::new_with_config(config);
-
- let vault_url = std::env::var("VAULT_URL")?;
- let res = agent.get(format!("{vault_url}/v1/sys/health")).call()?;
-
- if res.status() != StatusCode::SERVICE_UNAVAILABLE {
- return Ok(());
- }
-
- let key_1 = std::env::var("KEY_1")?;
- let key_2 = std::env::var("KEY_2")?;
- let key_3 = std::env::var("KEY_3")?;
- let keys = [key_1, key_2, key_3];
-
- for key in keys {
- agent
- .post(format!("{vault_url}/v1/sys/unseal"))
- .send_json(&UnsealReq { key })?;
- }
-
- println!("Unlock successful");
-
- Ok(())
-}
-
-#[derive(Serialize)]
-struct UnsealReq {
- key: String,
-}
diff --git a/charts/auto-clean-bot/.helmignore b/charts/auto-clean-bot/.helmignore
deleted file mode 100644
index 0e8a0eb..0000000
--- a/charts/auto-clean-bot/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/charts/auto-clean-bot/Chart.yaml b/charts/auto-clean-bot/Chart.yaml
deleted file mode 100644
index 3501b91..0000000
--- a/charts/auto-clean-bot/Chart.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: v2
-name: auto-clean-bot
-description: A Bot to automatically clean discord messages after a certain time.
-type: application
-version: v0.1.0
diff --git a/charts/auto-clean-bot/templates/bot-deployment.yaml b/charts/auto-clean-bot/templates/bot-deployment.yaml
deleted file mode 100644
index 97036ed..0000000
--- a/charts/auto-clean-bot/templates/bot-deployment.yaml
+++ /dev/null
@@ -1,53 +0,0 @@ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ .Chart.Name }}-bot - namespace: {{ .Release.Namespace }} -spec: - replicas: {{ .Values.bot.replicaCount | default 1 }} - revisionHistoryLimit: 0 - selector: - matchLabels: - app: {{ .Chart.Name }}-bot - strategy: - type: RollingUpdate - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - template: - metadata: - labels: - app: {{ .Chart.Name }}-bot - {{- with .Values.bot.podLabels }} - {{- toYaml . | nindent 8 }} - {{- end }} - spec: - containers: - - tty: true - envFrom: - - secretRef: - name: {{ .Chart.Name }}-bot - image: ghcr.io/profiidev/{{ .Chart.Name }}/bot:{{ .Chart.Version }} - imagePullPolicy: Always - name: {{ .Chart.Name }}-bot - resources: - limits: - cpu: 1000m - memory: 256Mi - requests: - cpu: 200m - memory: 128Mi - {{- with .Values.bot.extraVolumeMounts }} - volumeMounts: - {{- toYaml . | nindent 12 }} - {{- end }} - dnsPolicy: ClusterFirst - restartPolicy: Always - schedulerName: default-scheduler - securityContext: {} - terminationGracePeriodSeconds: 30 - {{- with .Values.bot.extraVolumes }} - volumes: - {{- toYaml . | nindent 8 }} - {{- end }} diff --git a/charts/auto-clean-bot/templates/bot-external-secret.yaml b/charts/auto-clean-bot/templates/bot-external-secret.yaml deleted file mode 100644 index af631d8..0000000 --- a/charts/auto-clean-bot/templates/bot-external-secret.yaml +++ /dev/null @@ -1,16 +0,0 @@ ---- -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: {{ .Chart.Name }}-bot - namespace: {{ .Release.Namespace }} -spec: - refreshInterval: 15s - secretStoreRef: - name: {{ .Values.secret.storeName }} - kind: ClusterSecretStore - target: - name: {{ .Chart.Name }}-bot - dataFrom: - - extract: - key: {{ .Values.secret.path }} diff --git a/charts/auto-clean-bot/values.yaml b/charts/auto-clean-bot/values.yaml deleted file mode 100644 index d1e4249..0000000 --- a/charts/auto-clean-bot/values.yaml +++ /dev/null 
@@ -1,19 +0,0 @@ -secret: - storeName: cluster-secret-store - path: apps/auto-clean-bot - -bot: - replicaCount: 1 - extraVolumes: - - name: cluster-ca-cert - secret: - defaultMode: 420 - secretName: cluster-ca-cert - extraVolumeMounts: - - mountPath: /etc/ssl/certs/e11529a0.0 - subPath: e11529a0.0 - name: cluster-ca-cert - readOnly: true - - podLabels: - postgres-access: "true" diff --git a/charts/charm/.helmignore b/charts/charm/.helmignore deleted file mode 100644 index 0e8a0eb..0000000 --- a/charts/charm/.helmignore +++ /dev/null @@ -1,23 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*.orig -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ diff --git a/charts/charm/Chart.yaml b/charts/charm/Chart.yaml deleted file mode 100644 index 7dde8a8..0000000 --- a/charts/charm/Chart.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: v2 -name: charm -description: A Helm chart -type: application -version: v0.1.2 diff --git a/charts/charm/templates/backend-deployment.yaml b/charts/charm/templates/backend-deployment.yaml deleted file mode 100644 index c32d57f..0000000 --- a/charts/charm/templates/backend-deployment.yaml +++ /dev/null 
@@ -1,55 +0,0 @@ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ .Chart.Name }}-backend - namespace: {{ .Release.Namespace }} -spec: - replicas: {{ .Values.backend.replicaCount | default 1 }} - revisionHistoryLimit: 0 - selector: - matchLabels: - app: {{ .Chart.Name }}-backend - strategy: - type: RollingUpdate - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - template: - metadata: - labels: - app: {{ .Chart.Name }}-backend - {{- with .Values.backend.podLabels }} - {{- toYaml . | nindent 8 }} - {{- end }} - spec: - imagePullSecrets: - - name: {{ .Values.backend.imagePullSecret | default "ghcr-profidev" }} - containers: - - tty: true - envFrom: - - secretRef: - name: {{ .Chart.Name }}-backend - image: ghcr.io/profiidev/{{ .Chart.Name }}/{{ .Chart.Name }}-backend:{{ .Chart.Version }} - imagePullPolicy: Always - name: {{ .Chart.Name }}-backend - resources: - limits: - cpu: 1000m - memory: 256Mi - requests: - cpu: 200m - memory: 128Mi - {{- with .Values.backend.extraVolumeMounts }} - volumeMounts: - {{- toYaml . | nindent 12 }} - {{- end }} - dnsPolicy: ClusterFirst - restartPolicy: Always - schedulerName: default-scheduler - securityContext: {} - terminationGracePeriodSeconds: 30 - {{- with .Values.backend.extraVolumes }} - volumes: - {{- toYaml . | nindent 8 }} - {{- end }} diff --git a/charts/charm/templates/backend-external-secret.yaml b/charts/charm/templates/backend-external-secret.yaml deleted file mode 100644 index 2bbda39..0000000 --- a/charts/charm/templates/backend-external-secret.yaml +++ /dev/null @@ -1,16 +0,0 @@ ---- -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: {{ .Chart.Name }}-backend - namespace: {{ .Release.Namespace }} -spec: - refreshInterval: 15s - secretStoreRef: - name: {{ .Values.secret.storeName }} - kind: ClusterSecretStore - target: - name: {{ .Chart.Name }}-backend - dataFrom: - - extract: - key: {{ .Values.secret.path }} 
diff --git a/charts/charm/templates/backend-ingress.yaml b/charts/charm/templates/backend-ingress.yaml deleted file mode 100644 index a63039a..0000000 --- a/charts/charm/templates/backend-ingress.yaml +++ /dev/null @@ -1,36 +0,0 @@ ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: {{ .Chart.Name }}-backend - namespace: {{ .Release.Namespace }} - labels: - name: {{ .Chart.Name }}-backend - {{- with .Values.backend.ingress.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - ingressClassName: {{ .Values.backend.ingress.className | default "nginx" }} - rules: - - host: {{ .Values.backend.ingress.host }} - http: - paths: - - pathType: ImplementationSpecific - path: "/backend/(.*)" - backend: - service: - name: {{ .Chart.Name }}-backend - port: - number: 8000 - - pathType: ImplementationSpecific - path: "/.well-known/(.*)" - backend: - service: - name: {{ .Chart.Name }}-backend - port: - number: 8000 - {{- with .Values.backend.ingress.tls }} - tls: - {{- toYaml . | nindent 4 }} - {{- end }} diff --git a/charts/charm/templates/backend-network-policy.yaml b/charts/charm/templates/backend-network-policy.yaml deleted file mode 100644 index 6adb6cc..0000000 --- a/charts/charm/templates/backend-network-policy.yaml +++ /dev/null @@ -1,31 +0,0 @@ ---- -apiVersion: crd.projectcalico.org/v1 -kind: NetworkPolicy -metadata: - name: {{ .Chart.Name }}-backend-ingress - namespace: {{ .Release.Namespace }} -spec: - order: 10 - selector: app == '{{ .Chart.Name }}-backend' - types: - - Ingress - - Egress - ingress: - - action: Allow - protocol: TCP - source: - namespaceSelector: kubernetes.io/metadata.name == 'kube-system' - selector: app.kubernetes.io/name == 'rke2-ingress-nginx' - destination: - ports: - - 8000 - egress: - - action: Allow - protocol: TCP - destination: - notNets: - - 10.0.0.0/8 - - 172.16.0.0/12 - - 192.168.0.0/16 - ports: - - 443 
diff --git a/charts/charm/templates/backend-service.yaml b/charts/charm/templates/backend-service.yaml deleted file mode 100644 index 4f24fbd..0000000 --- a/charts/charm/templates/backend-service.yaml +++ /dev/null @@ -1,14 +0,0 @@ ---- -apiVersion: v1 -kind: Service -metadata: - name: {{ .Chart.Name }}-backend - namespace: {{ .Release.Namespace }} -spec: - ports: - - port: 8000 - protocol: TCP - targetPort: 8000 - selector: - app: {{ .Chart.Name }}-backend - type: ClusterIP diff --git a/charts/charm/templates/frontend-deployment.yaml b/charts/charm/templates/frontend-deployment.yaml deleted file mode 100644 index 92c9bf3..0000000 --- a/charts/charm/templates/frontend-deployment.yaml +++ /dev/null @@ -1,40 +0,0 @@ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ .Chart.Name }}-frontend - namespace: {{ .Release.Namespace }} -spec: - replicas: {{ .Values.frontend.replicaCount }} - revisionHistoryLimit: 0 - selector: - matchLabels: - app: {{ .Chart.Name }}-frontend - strategy: - type: RollingUpdate - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - template: - metadata: - labels: - app: {{ .Chart.Name }}-frontend - spec: - imagePullSecrets: - - name: {{ .Values.frontend.imagePullSecret | default "ghcr-profidev" }} - containers: - - image: ghcr.io/profiidev/{{ .Chart.Name }}/{{ .Chart.Name }}-frontend:{{ .Chart.Version }} - imagePullPolicy: Always - name: {{ .Chart.Name }}-frontend - resources: - limits: - cpu: 200m - memory: 256Mi - requests: - cpu: 100m - memory: 128Mi - dnsPolicy: ClusterFirst - restartPolicy: Always - schedulerName: default-scheduler - securityContext: {} - terminationGracePeriodSeconds: 30 diff --git a/charts/charm/templates/frontend-ingress.yaml b/charts/charm/templates/frontend-ingress.yaml deleted file mode 100644 index 208efc4..0000000 --- a/charts/charm/templates/frontend-ingress.yaml +++ /dev/null 
@@ -1,29 +0,0 @@ ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: {{ .Chart.Name }}-frontend - namespace: {{ .Release.Namespace }} - labels: - name: {{ .Chart.Name }}-frontend - {{- with .Values.frontend.ingress.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - ingressClassName: {{ .Values.frontend.ingress.className | default "nginx" }} - rules: - - host: {{ .Values.frontend.ingress.host }} - http: - paths: - - pathType: Prefix - path: "/" - backend: - service: - name: {{ .Chart.Name }}-frontend - port: - number: 3000 - {{- with .Values.frontend.ingress.tls }} - tls: - {{- toYaml . | nindent 4 }} - {{- end }} diff --git a/charts/charm/templates/frontend-network-policy.yaml b/charts/charm/templates/frontend-network-policy.yaml deleted file mode 100644 index 05d3214..0000000 --- a/charts/charm/templates/frontend-network-policy.yaml +++ /dev/null @@ -1,20 +0,0 @@ ---- -apiVersion: crd.projectcalico.org/v1 -kind: NetworkPolicy -metadata: - name: {{ .Chart.Name }}-frontend-ingress - namespace: {{ .Release.Namespace }} -spec: - order: 10 - selector: app == '{{ .Chart.Name }}-frontend' - types: - - Ingress - ingress: - - action: Allow - protocol: TCP - source: - namespaceSelector: kubernetes.io/metadata.name == 'kube-system' - selector: app.kubernetes.io/name == 'rke2-ingress-nginx' - destination: - ports: - - 3000 diff --git a/charts/charm/templates/frontend-service.yaml b/charts/charm/templates/frontend-service.yaml deleted file mode 100644 index ee22875..0000000 --- a/charts/charm/templates/frontend-service.yaml +++ /dev/null @@ -1,14 +0,0 @@ ---- -apiVersion: v1 -kind: Service -metadata: - name: {{ .Chart.Name }}-frontend - namespace: {{ .Release.Namespace }} -spec: - ports: - - port: 3000 - protocol: TCP - targetPort: 3000 - selector: - app: {{ .Chart.Name }}-frontend - type: ClusterIP diff --git a/charts/charm/values.yaml b/charts/charm/values.yaml deleted file mode 100644 index 4d91e28..0000000 
--- a/charts/charm/values.yaml +++ /dev/null @@ -1,46 +0,0 @@ -secret: - storeName: cluster-secret-store - path: apps/charm - -backend: - replicaCount: 1 - imagePullSecret: ghcr-profidev - extraVolumes: - - name: cluster-ca-cert - secret: - defaultMode: 420 - secretName: cluster-ca-cert - extraVolumeMounts: - - mountPath: /etc/ssl/certs/e11529a0.0 - subPath: e11529a0.0 - name: cluster-ca-cert - readOnly: true - - ingress: - className: ingress-nginx - annotations: - nginx.ingress.kubernetes.io/auth-tls-secret: charm/cloudflare-ca-cert - nginx.ingress.kubernetes.io/auth-tls-verify-client: "on" - nginx.ingress.kubernetes.io/rewrite-target: "/$1" - host: charm.profidev.io - tls: - - hosts: - - profidev.io - - "*.profi.dev" - secretName: cloudflare-cert - -frontend: - replicaCount: 1 - imagePullSecret: ghcr-profidev - - ingress: - className: ingress-nginx - annotations: - nginx.ingress.kubernetes.io/auth-tls-secret: charm/cloudflare-ca-cert - nginx.ingress.kubernetes.io/auth-tls-verify-client: "on" - host: charm.profidev.io - tls: - - hosts: - - profidev.io - - "*.profi.dev" - secretName: cloudflare-cert diff --git a/charts/higgs/.helmignore b/charts/higgs/.helmignore deleted file mode 100644 index 0e8a0eb..0000000 --- a/charts/higgs/.helmignore +++ /dev/null @@ -1,23 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*.orig -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ diff --git a/charts/higgs/Chart.yaml b/charts/higgs/Chart.yaml deleted file mode 100644 index f8b6ee7..0000000 --- a/charts/higgs/Chart.yaml +++ /dev/null @@ -1,5 +0,0 @@ -apiVersion: v2 -name: higgs -description: A Portfolio Website -type: application -version: v0.1.1 
diff --git a/charts/higgs/templates/frontend-deployment.yaml b/charts/higgs/templates/frontend-deployment.yaml deleted file mode 100644 index 257c748..0000000 --- a/charts/higgs/templates/frontend-deployment.yaml +++ /dev/null @@ -1,38 +0,0 @@ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ .Chart.Name }}-frontend - namespace: {{ .Release.Namespace }} -spec: - replicas: {{ .Values.frontend.replicaCount }} - revisionHistoryLimit: 0 - selector: - matchLabels: - app: {{ .Chart.Name }}-frontend - strategy: - type: RollingUpdate - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - template: - metadata: - labels: - app: {{ .Chart.Name }}-frontend - spec: - containers: - - image: ghcr.io/profiidev/{{ .Chart.Name }}/{{ .Chart.Name }}-frontend:{{ .Chart.Version }} - imagePullPolicy: Always - name: {{ .Chart.Name }}-frontend - resources: - limits: - cpu: 200m - memory: 256Mi - requests: - cpu: 100m - memory: 128Mi - dnsPolicy: ClusterFirst - restartPolicy: Always - schedulerName: default-scheduler - securityContext: {} - terminationGracePeriodSeconds: 30 diff --git a/charts/higgs/templates/frontend-ingress.yaml b/charts/higgs/templates/frontend-ingress.yaml deleted file mode 100644 index 208efc4..0000000 --- a/charts/higgs/templates/frontend-ingress.yaml +++ /dev/null @@ -1,29 +0,0 @@ ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: {{ .Chart.Name }}-frontend - namespace: {{ .Release.Namespace }} - labels: - name: {{ .Chart.Name }}-frontend - {{- with .Values.frontend.ingress.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - ingressClassName: {{ .Values.frontend.ingress.className | default "nginx" }} - rules: - - host: {{ .Values.frontend.ingress.host }} - http: - paths: - - pathType: Prefix - path: "/" - backend: - service: - name: {{ .Chart.Name }}-frontend - port: - number: 3000 - {{- with .Values.frontend.ingress.tls }} - tls: - {{- toYaml . | nindent 4 }} - {{- end }} 
diff --git a/charts/higgs/templates/frontend-network-policy.yaml b/charts/higgs/templates/frontend-network-policy.yaml deleted file mode 100644 index 05d3214..0000000 --- a/charts/higgs/templates/frontend-network-policy.yaml +++ /dev/null @@ -1,20 +0,0 @@ ---- -apiVersion: crd.projectcalico.org/v1 -kind: NetworkPolicy -metadata: - name: {{ .Chart.Name }}-frontend-ingress - namespace: {{ .Release.Namespace }} -spec: - order: 10 - selector: app == '{{ .Chart.Name }}-frontend' - types: - - Ingress - ingress: - - action: Allow - protocol: TCP - source: - namespaceSelector: kubernetes.io/metadata.name == 'kube-system' - selector: app.kubernetes.io/name == 'rke2-ingress-nginx' - destination: - ports: - - 3000 diff --git a/charts/higgs/templates/frontend-service.yaml b/charts/higgs/templates/frontend-service.yaml deleted file mode 100644 index ee22875..0000000 --- a/charts/higgs/templates/frontend-service.yaml +++ /dev/null @@ -1,14 +0,0 @@ ---- -apiVersion: v1 -kind: Service -metadata: - name: {{ .Chart.Name }}-frontend - namespace: {{ .Release.Namespace }} -spec: - ports: - - port: 3000 - protocol: TCP - targetPort: 3000 - selector: - app: {{ .Chart.Name }}-frontend - type: ClusterIP diff --git a/charts/higgs/values.yaml b/charts/higgs/values.yaml deleted file mode 100644 index dff1aa1..0000000 --- a/charts/higgs/values.yaml +++ /dev/null @@ -1,14 +0,0 @@ -frontend: - replicaCount: 1 - - ingress: - className: ingress-nginx - annotations: - nginx.ingress.kubernetes.io/auth-tls-secret: higgs/cloudflare-ca-cert - nginx.ingress.kubernetes.io/auth-tls-verify-client: "on" - host: higgs.profidev.io - tls: - - hosts: - - profidev.io - - "*.profi.dev" - secretName: cloudflare-cert diff --git a/charts/positron/.helmignore b/charts/positron/.helmignore deleted file mode 100644 index 0e8a0eb..0000000 --- a/charts/positron/.helmignore +++ /dev/null 
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/charts/positron/Chart.yaml b/charts/positron/Chart.yaml
deleted file mode 100644
index a01cc81..0000000
--- a/charts/positron/Chart.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: v2
-name: positron
-description: A Personal Website
-type: application
-version: v0.1.22
diff --git a/charts/positron/templates/backend-deployment.yaml b/charts/positron/templates/backend-deployment.yaml
deleted file mode 100644
index 3fa88f8..0000000
--- a/charts/positron/templates/backend-deployment.yaml
+++ /dev/null
@@ -1,53 +0,0 @@ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ .Chart.Name }}-backend - namespace: {{ .Release.Namespace }} -spec: - replicas: {{ .Values.backend.replicaCount | default 1 }} - revisionHistoryLimit: 0 - selector: - matchLabels: - app: {{ .Chart.Name }}-backend - strategy: - type: RollingUpdate - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - template: - metadata: - labels: - app: {{ .Chart.Name }}-backend - {{- with .Values.backend.podLabels }} - {{- toYaml . | nindent 8 }} - {{- end }} - spec: - containers: - - tty: true - envFrom: - - secretRef: - name: {{ .Chart.Name }}-backend - image: ghcr.io/profiidev/positron/{{ .Chart.Name }}-backend:{{ .Chart.Version }} - imagePullPolicy: Always - name: {{ .Chart.Name }}-backend - resources: - limits: - cpu: 1000m - memory: 512Mi - requests: - cpu: 200m - memory: 128Mi - {{- with .Values.backend.extraVolumeMounts }} - volumeMounts: - {{- toYaml . | nindent 12 }} - {{- end }} - dnsPolicy: ClusterFirst - restartPolicy: Always - schedulerName: default-scheduler - securityContext: {} - terminationGracePeriodSeconds: 30 - {{- with .Values.backend.extraVolumes }} - volumes: - {{- toYaml . | nindent 8 }} - {{- end }} diff --git a/charts/positron/templates/backend-external-secret.yaml b/charts/positron/templates/backend-external-secret.yaml deleted file mode 100644 index 2bbda39..0000000 --- a/charts/positron/templates/backend-external-secret.yaml +++ /dev/null @@ -1,16 +0,0 @@ ---- -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: {{ .Chart.Name }}-backend - namespace: {{ .Release.Namespace }} -spec: - refreshInterval: 15s - secretStoreRef: - name: {{ .Values.secret.storeName }} - kind: ClusterSecretStore - target: - name: {{ .Chart.Name }}-backend - dataFrom: - - extract: - key: {{ .Values.secret.path }} diff --git a/charts/positron/templates/backend-ingress.yaml b/charts/positron/templates/backend-ingress.yaml deleted file mode 100644 index a63039a..0000000 
--- a/charts/positron/templates/backend-ingress.yaml +++ /dev/null @@ -1,36 +0,0 @@ ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: {{ .Chart.Name }}-backend - namespace: {{ .Release.Namespace }} - labels: - name: {{ .Chart.Name }}-backend - {{- with .Values.backend.ingress.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - ingressClassName: {{ .Values.backend.ingress.className | default "nginx" }} - rules: - - host: {{ .Values.backend.ingress.host }} - http: - paths: - - pathType: ImplementationSpecific - path: "/backend/(.*)" - backend: - service: - name: {{ .Chart.Name }}-backend - port: - number: 8000 - - pathType: ImplementationSpecific - path: "/.well-known/(.*)" - backend: - service: - name: {{ .Chart.Name }}-backend - port: - number: 8000 - {{- with .Values.backend.ingress.tls }} - tls: - {{- toYaml . | nindent 4 }} - {{- end }} diff --git a/charts/positron/templates/backend-network-policy.yaml b/charts/positron/templates/backend-network-policy.yaml deleted file mode 100644 index 6adb6cc..0000000 --- a/charts/positron/templates/backend-network-policy.yaml +++ /dev/null @@ -1,31 +0,0 @@ ---- -apiVersion: crd.projectcalico.org/v1 -kind: NetworkPolicy -metadata: - name: {{ .Chart.Name }}-backend-ingress - namespace: {{ .Release.Namespace }} -spec: - order: 10 - selector: app == '{{ .Chart.Name }}-backend' - types: - - Ingress - - Egress - ingress: - - action: Allow - protocol: TCP - source: - namespaceSelector: kubernetes.io/metadata.name == 'kube-system' - selector: app.kubernetes.io/name == 'rke2-ingress-nginx' - destination: - ports: - - 8000 - egress: - - action: Allow - protocol: TCP - destination: - notNets: - - 10.0.0.0/8 - - 172.16.0.0/12 - - 192.168.0.0/16 - ports: - - 443 diff --git a/charts/positron/templates/backend-service.yaml b/charts/positron/templates/backend-service.yaml deleted file mode 100644 index 4f24fbd..0000000 --- a/charts/positron/templates/backend-service.yaml +++ /dev/null 
@@ -1,14 +0,0 @@ ---- -apiVersion: v1 -kind: Service -metadata: - name: {{ .Chart.Name }}-backend - namespace: {{ .Release.Namespace }} -spec: - ports: - - port: 8000 - protocol: TCP - targetPort: 8000 - selector: - app: {{ .Chart.Name }}-backend - type: ClusterIP diff --git a/charts/positron/templates/frontend-deployment.yaml b/charts/positron/templates/frontend-deployment.yaml deleted file mode 100644 index d513c6f..0000000 --- a/charts/positron/templates/frontend-deployment.yaml +++ /dev/null @@ -1,38 +0,0 @@ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ .Chart.Name }}-frontend - namespace: {{ .Release.Namespace }} -spec: - replicas: {{ .Values.frontend.replicaCount }} - revisionHistoryLimit: 0 - selector: - matchLabels: - app: {{ .Chart.Name }}-frontend - strategy: - type: RollingUpdate - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - template: - metadata: - labels: - app: {{ .Chart.Name }}-frontend - spec: - containers: - - image: ghcr.io/profiidev/positron/{{ .Chart.Name }}-frontend:{{ .Chart.Version }} - imagePullPolicy: Always - name: {{ .Chart.Name }}-frontend - resources: - limits: - cpu: 200m - memory: 256Mi - requests: - cpu: 100m - memory: 128Mi - dnsPolicy: ClusterFirst - restartPolicy: Always - schedulerName: default-scheduler - securityContext: {} - terminationGracePeriodSeconds: 30 diff --git a/charts/positron/templates/frontend-ingress.yaml b/charts/positron/templates/frontend-ingress.yaml deleted file mode 100644 index 208efc4..0000000 --- a/charts/positron/templates/frontend-ingress.yaml +++ /dev/null 
@@ -1,29 +0,0 @@ ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: {{ .Chart.Name }}-frontend - namespace: {{ .Release.Namespace }} - labels: - name: {{ .Chart.Name }}-frontend - {{- with .Values.frontend.ingress.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - ingressClassName: {{ .Values.frontend.ingress.className | default "nginx" }} - rules: - - host: {{ .Values.frontend.ingress.host }} - http: - paths: - - pathType: Prefix - path: "/" - backend: - service: - name: {{ .Chart.Name }}-frontend - port: - number: 3000 - {{- with .Values.frontend.ingress.tls }} - tls: - {{- toYaml . | nindent 4 }} - {{- end }} diff --git a/charts/positron/templates/frontend-network-policy.yaml b/charts/positron/templates/frontend-network-policy.yaml deleted file mode 100644 index 05d3214..0000000 --- a/charts/positron/templates/frontend-network-policy.yaml +++ /dev/null @@ -1,20 +0,0 @@ ---- -apiVersion: crd.projectcalico.org/v1 -kind: NetworkPolicy -metadata: - name: {{ .Chart.Name }}-frontend-ingress - namespace: {{ .Release.Namespace }} -spec: - order: 10 - selector: app == '{{ .Chart.Name }}-frontend' - types: - - Ingress - ingress: - - action: Allow - protocol: TCP - source: - namespaceSelector: kubernetes.io/metadata.name == 'kube-system' - selector: app.kubernetes.io/name == 'rke2-ingress-nginx' - destination: - ports: - - 3000 diff --git a/charts/positron/templates/frontend-service.yaml b/charts/positron/templates/frontend-service.yaml deleted file mode 100644 index ee22875..0000000 --- a/charts/positron/templates/frontend-service.yaml +++ /dev/null @@ -1,14 +0,0 @@ ---- -apiVersion: v1 -kind: Service -metadata: - name: {{ .Chart.Name }}-frontend - namespace: {{ .Release.Namespace }} -spec: - ports: - - port: 3000 - protocol: TCP - targetPort: 3000 - selector: - app: {{ .Chart.Name }}-frontend - type: ClusterIP 
diff --git a/charts/positron/values.yaml b/charts/positron/values.yaml deleted file mode 100644 index c1f06e6..0000000 --- a/charts/positron/values.yaml +++ /dev/null @@ -1,49 +0,0 @@ -secret: - storeName: cluster-secret-store - path: apps/positron - -backend: - replicaCount: 1 - extraVolumes: - - name: cluster-ca-cert - secret: - defaultMode: 420 - secretName: cluster-ca-cert - extraVolumeMounts: - - mountPath: /etc/ssl/certs/e11529a0.0 - subPath: e11529a0.0 - name: cluster-ca-cert - readOnly: true - - podLabels: - nats-access: "true" - minio-access: "true" - postgres-access: "true" - - ingress: - className: ingress-nginx - annotations: - nginx.ingress.kubernetes.io/auth-tls-secret: positron/cloudflare-ca-cert - nginx.ingress.kubernetes.io/auth-tls-verify-client: "on" - nginx.ingress.kubernetes.io/rewrite-target: "/$1" - host: profidev.io - tls: - - hosts: - - profidev.io - - "*.profi.dev" - secretName: cloudflare-cert - -frontend: - replicaCount: 1 - - ingress: - className: ingress-nginx - annotations: - nginx.ingress.kubernetes.io/auth-tls-secret: positron/cloudflare-ca-cert - nginx.ingress.kubernetes.io/auth-tls-verify-client: "on" - host: profidev.io - tls: - - hosts: - - profidev.io - - "*.profi.dev" - secretName: cloudflare-cert diff --git a/charts/proton/.helmignore b/charts/proton/.helmignore deleted file mode 100644 index 0e8a0eb..0000000 --- a/charts/proton/.helmignore +++ /dev/null @@ -1,23 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*.orig -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ diff --git a/charts/proton/Chart.yaml b/charts/proton/Chart.yaml deleted file mode 100644 index d89d2dc..0000000 --- a/charts/proton/Chart.yaml +++ /dev/null 
@@ -1,5 +0,0 @@ -apiVersion: v2 -name: proton -description: A Minecraft Launcher -type: application -version: v0.2.7 diff --git a/charts/proton/templates/backend-deployment.yaml b/charts/proton/templates/backend-deployment.yaml deleted file mode 100644 index e83e890..0000000 --- a/charts/proton/templates/backend-deployment.yaml +++ /dev/null @@ -1,53 +0,0 @@ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ .Chart.Name }}-backend - namespace: {{ .Release.Namespace }} -spec: - replicas: {{ .Values.backend.replicaCount | default 1 }} - revisionHistoryLimit: 0 - selector: - matchLabels: - app: {{ .Chart.Name }}-backend - strategy: - type: RollingUpdate - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - template: - metadata: - labels: - app: {{ .Chart.Name }}-backend - {{- with .Values.backend.podLabels }} - {{- toYaml . | nindent 8 }} - {{- end }} - spec: - containers: - - tty: true - envFrom: - - secretRef: - name: {{ .Chart.Name }}-backend - image: ghcr.io/profiidev/proton/{{ .Chart.Name }}-backend:{{ .Chart.Version }} - imagePullPolicy: Always - name: {{ .Chart.Name }}-backend - resources: - limits: - cpu: 1000m - memory: 256Mi - requests: - cpu: 200m - memory: 128Mi - {{- with .Values.backend.extraVolumeMounts }} - volumeMounts: - {{- toYaml . | nindent 12 }} - {{- end }} - dnsPolicy: ClusterFirst - restartPolicy: Always - schedulerName: default-scheduler - securityContext: {} - terminationGracePeriodSeconds: 30 - {{- with .Values.backend.extraVolumes }} - volumes: - {{- toYaml . | nindent 8 }} - {{- end }} diff --git a/charts/proton/templates/backend-external-secret.yaml b/charts/proton/templates/backend-external-secret.yaml deleted file mode 100644 index 2bbda39..0000000 --- a/charts/proton/templates/backend-external-secret.yaml +++ /dev/null 
@@ -1,16 +0,0 @@ ---- -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: {{ .Chart.Name }}-backend - namespace: {{ .Release.Namespace }} -spec: - refreshInterval: 15s - secretStoreRef: - name: {{ .Values.secret.storeName }} - kind: ClusterSecretStore - target: - name: {{ .Chart.Name }}-backend - dataFrom: - - extract: - key: {{ .Values.secret.path }} diff --git a/charts/proton/templates/backend-ingress.yaml b/charts/proton/templates/backend-ingress.yaml deleted file mode 100644 index 448c1cf..0000000 --- a/charts/proton/templates/backend-ingress.yaml +++ /dev/null @@ -1,29 +0,0 @@ ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: {{ .Chart.Name }}-backend - namespace: {{ .Release.Namespace }} - labels: - name: {{ .Chart.Name }}-backend - {{- with .Values.backend.ingress.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - ingressClassName: {{ .Values.backend.ingress.className | default "nginx" }} - rules: - - host: {{ .Values.backend.ingress.host }} - http: - paths: - - pathType: ImplementationSpecific - path: "/backend/(.*)" - backend: - service: - name: {{ .Chart.Name }}-backend - port: - number: 8000 - {{- with .Values.backend.ingress.tls }} - tls: - {{- toYaml . | nindent 4 }} - {{- end }} diff --git a/charts/proton/templates/backend-network-policy.yaml b/charts/proton/templates/backend-network-policy.yaml deleted file mode 100644 index 5c3577c..0000000 --- a/charts/proton/templates/backend-network-policy.yaml +++ /dev/null 
@@ -1,19 +0,0 @@ -apiVersion: crd.projectcalico.org/v1 -kind: NetworkPolicy -metadata: - name: {{ .Chart.Name }}-backend-ingress - namespace: {{ .Release.Namespace }} -spec: - order: 10 - selector: app == '{{ .Chart.Name }}-backend' - types: - - Ingress - ingress: - - action: Allow - protocol: TCP - source: - namespaceSelector: kubernetes.io/metadata.name == 'kube-system' - selector: app.kubernetes.io/name == 'rke2-ingress-nginx' - destination: - ports: - - 8000 diff --git a/charts/proton/templates/backend-service.yaml b/charts/proton/templates/backend-service.yaml deleted file mode 100644 index 4f24fbd..0000000 --- a/charts/proton/templates/backend-service.yaml +++ /dev/null @@ -1,14 +0,0 @@ ---- -apiVersion: v1 -kind: Service -metadata: - name: {{ .Chart.Name }}-backend - namespace: {{ .Release.Namespace }} -spec: - ports: - - port: 8000 - protocol: TCP - targetPort: 8000 - selector: - app: {{ .Chart.Name }}-backend - type: ClusterIP diff --git a/charts/proton/values.yaml b/charts/proton/values.yaml deleted file mode 100644 index 08af416..0000000 --- a/charts/proton/values.yaml +++ /dev/null @@ -1,31 +0,0 @@ -secret: - storeName: cluster-secret-store - path: apps/proton - -backend: - replicaCount: 1 - extraVolumeMounts: - - mountPath: /etc/ssl/certs/e11529a0.0 - subPath: e11529a0.0 - name: cluster-ca-cert - readOnly: true - extraVolumes: - - name: cluster-ca-cert - secret: - defaultMode: 420 - secretName: cluster-ca-cert - - podLabels: {} - - ingress: - className: ingress-nginx - annotations: - nginx.ingress.kubernetes.io/auth-tls-secret: proton/cloudflare-ca-cert - nginx.ingress.kubernetes.io/auth-tls-verify-client: "on" - nginx.ingress.kubernetes.io/rewrite-target: "/$1" - host: proton.profidev.io - tls: - - hosts: - - profidev.io - - "*.profi.dev" - secretName: cloudflare-cert diff --git a/charts/vault-auto-unseal/.helmignore b/charts/vault-auto-unseal/.helmignore deleted file mode 100644 index 3e26371..0000000 
--- a/charts/vault-auto-unseal/.helmignore +++ /dev/null @@ -1,24 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*.orig -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ -app/ diff --git a/charts/vault-auto-unseal/Chart.yaml b/charts/vault-auto-unseal/Chart.yaml deleted file mode 100644 index 3651c72..0000000 --- a/charts/vault-auto-unseal/Chart.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v2 -name: vault-auto-unseal -description: Automatic unseal for HashiCorp Vault -type: application -version: v0.1.12 -maintainers: - - email: mail@profidev.io - name: ProfiDev diff --git a/charts/vault-auto-unseal/templates/deployment.yaml b/charts/vault-auto-unseal/templates/deployment.yaml deleted file mode 100644 index e323074..0000000 --- a/charts/vault-auto-unseal/templates/deployment.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ .Chart.Name }} - labels: - app: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" -spec: - selector: - matchLabels: - app: {{ .Chart.Name }} - replicas: {{ default 1 .Values.replicaCount | int }} - template: - metadata: - labels: - app: {{ .Chart.Name }} - spec: - containers: {{ $default_tag := replace " " "" (cat "vault-auto-unseal-" .Chart.Version) }} - - name: {{ .Chart.Name }} - image: "{{ .Values.image.repository }}:{{ default $default_tag .Values.image.tag }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - livenessProbe: - exec: - command: - - pgrep - - app - initialDelaySeconds: 10 - periodSeconds: 60 - env: - {{- range $key, $value := .Values.secrets }} - - name: {{ $key | upper }} - valueFrom: - secretKeyRef: - name: {{ $value.name }} - key: {{ $value.key }} - {{- end }} - - name: VAULT_URL - value: "{{ .Values.vault_url }}" diff --git a/charts/vault-auto-unseal/templates/network-policy.yaml b/charts/vault-auto-unseal/templates/network-policy.yaml deleted file mode 100644 index fcd51a6..0000000 --- a/charts/vault-auto-unseal/templates/network-policy.yaml +++ /dev/null @@ -1,23 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: {{ .Chart.Name }}-vault - namespace: {{ .Release.Namespace }} -spec: - order: 10 - podSelector: - matchLabels: - app: {{ .Chart.Name }} - policyTypes: - - Egress - egress: - - to: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: {{ .Release.Namespace }} - podSelector: - matchLabels: - app.kubernetes.io/name: "vault" - ports: - - protocol: TCP - port: 8200 diff --git a/charts/vault-auto-unseal/values.yaml b/charts/vault-auto-unseal/values.yaml deleted file mode 100644 index 8d9ab87..0000000 --- a/charts/vault-auto-unseal/values.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ -replicaCount: 1 - -image: - repository: ghcr.io/profiidev/server-config/vault_auto_unseal - pullPolicy: IfNotPresent - -# This section builds out the service account more information can be found here: https://kubernetes.io/docs/concepts/security/service-accounts/ -serviceAccount: - # Specifies whether a service account should be created - create: true - # Automatically mount a ServiceAccount's API credentials? - automount: true - # Annotations to add to the service account - annotations: {} - # The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template - name: "" - -secrets: - key_1: - name: key_1_secret - key: key - key_2: - name: key_2_secret - key: key - key_3: - name: key_3_secret - key: key - ca_cert: - name: ca_cert_secret - key: ca.crt - -vault_url: "https://vault.vault.svc:8200" diff --git a/justfile b/justfile new file mode 100644 index 0000000..14e51c3 --- /dev/null +++ b/justfile 
@@ -0,0 +1,35 @@
+pwd := source_dir()
+config_path := pwd + "/terraform"
+vars_path := pwd + "/vars.tfvars"
+secret_path := pwd + "/secrets.tfvars"
+kubeconfig_path := pwd + "/kubeconfig"
+nix_path := pwd + "/nix"
+
+export KUBECONFIG := kubeconfig_path
+
+init CONFIG:
+ terraform -chdir={{config_path}}/{{CONFIG}} init
+
+apply CONFIG:
+ terraform -chdir={{config_path}}/{{CONFIG}} apply -var-file={{vars_path}} -var-file={{secret_path}} -auto-approve
+
+destroy CONFIG:
+ terraform -chdir={{config_path}}/{{CONFIG}} destroy -var-file={{vars_path}} -var-file={{secret_path}}
+
+plan CONFIG:
+ terraform -chdir={{config_path}}/{{CONFIG}} plan -var-file={{vars_path}} -var-file={{secret_path}}
+
+install CONFIG IP USER="root":
+ nix run github:nix-community/nixos-anywhere -- \
+ --flake {{nix_path}}#{{CONFIG}} \
+ --target-host {{USER}}@{{IP}} \
+ --build-on remote
+
+rebuild CONFIG IP USER="root":
+ nixos-rebuild switch --flake {{nix_path}}#{{CONFIG}} \
+ --target-host {{USER}}@{{IP}} \
+ --build-host {{USER}}@{{IP}}
+
+copy-kubeconfig IP USER="root":
+ scp {{USER}}@{{IP}}:/etc/rancher/rke2/rke2.yaml {{kubeconfig_path}}
+ sed -i 's/127.0.0.1/{{IP}}/g' {{kubeconfig_path}}
diff --git a/main.tf b/main.tf
deleted file mode 100644
index 7eccbf5..0000000
--- a/main.tf
+++ /dev/null
@@ -1,42 +0,0 @@
-terraform {
- required_providers {
- kubernetes = {
- source = "hashicorp/kubernetes"
- version = "~> 2.0"
- }
- helm = {
- source = "hashicorp/helm"
- version = "~> 2.0"
- }
- local = {
- source = "hashicorp/local"
- version = "~> 2.0"
- }
- template = {
- source = "hashicorp/template"
- version = "~> 2.0"
- }
- null = {
- source = "hashicorp/null"
- version = "~> 3.0"
- }
- external = {
- source = "hashicorp/external"
- version = "~> 2.0"
- }
- }
-}
-
-provider "kubernetes" {
- config_path = "~/.kube/config"
-}
-
-provider "helm" {
- kubernetes {
- config_path = "~/.kube/config"
- }
-}
-
-module "config" {
- source = "./terraform"
-}
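Review bot: `copy-kubeconfig` drops the node's `/etc/rancher/rke2/rke2.yaml` — a cluster-admin credential — into the repository checkout (`kubeconfig_path := pwd + "/kubeconfig"`) next to `secrets.tfvars`, and nothing in this diff git-ignores either path or restricts the file mode, so `scp` leaves it at the umask default. Add `chmod 600 {{kubeconfig_path}}` after the `scp` line and confirm `kubeconfig` and `secrets.tfvars` are ignored before the recipe is used. The `sed` rewrite presumably only touches the `server:` URL, but the rewritten file verifies only if the API server certificate carries `{{IP}}` as a SAN — RKE2 normally adds node IPs, worth checking once. Separately, `apply` runs with `-auto-approve` while `destroy` keeps its prompt; for the cluster that will hold the Vault and secret stores that asymmetry is risky, so consider dropping `-auto-approve` or gating it on a saved `plan` output.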
diff --git a/nix/config.nix b/nix/config.nix
new file mode 100644
index 0000000..97a3c59
--- /dev/null
+++ b/nix/config.nix
@@ -0,0 +1,32 @@
+{
+ inputs,
+ nix-config,
+ ...
+}:
+
+{
+ imports = [
+ ./hardware-configuration.nix
+ ./disko-config.nix
+ {
+ _module.args = {
+ disk = "/dev/vda";
+ withSwap = true;
+ swapSize = "2";
+ };
+ }
+ inputs.disko.nixosModules.disko
+
+ ./docker.nix
+ ./host-specific.nix
+ ./nix.nix
+ ./rke2.nix
+ ./services.nix
+ ./starship.nix
+ ./tools.nix
+ ./user.nix
+
+ "${nix-config}/modules/general.nix"
+ "${nix-config}/modules/locale.nix"
+ ];
+}
diff --git a/nix/disko-config.nix b/nix/disko-config.nix
new file mode 100644
index 0000000..e9afe4a
--- /dev/null
+++ b/nix/disko-config.nix
@@ -0,0 +1,84 @@
+# NOTE: ... is needed because dikso passes diskoFile
+{
+ lib,
+ disk ? "/dev/vda",
+ withSwap ? false,
+ swapSize,
+ ...
+}:
+{
+ disko.devices = {
+ disk = {
+ main = {
+ type = "disk";
+ device = disk;
+ content = {
+ type = "gpt";
+ partitions = {
+ boot = {
+ size = "1M";
+ type = "EF02";
+ priority = 1;
+ };
+ ESP = {
+ size = "512M";
+ type = "EF00";
+ priority = 2;
+ content = {
+ type = "filesystem";
+ format = "vfat";
+ mountpoint = "/boot";
+ };
+ };
+ root = {
+ size = "100%";
+ content = {
+ type = "btrfs";
+ extraArgs = [ "-f" ];
+ subvolumes = {
+ "@root" = {
+ mountpoint = "/";
+ mountOptions = [
+ "defaults"
+ "subvol=root"
+ "compress=zstd"
+ "noatime"
+ "space_cache=v2"
+ "discard=async"
+ ];
+ };
+ "@persist" = {
+ mountpoint = "/persist";
+ mountOptions = [
+ "defaults"
+ "subvol=root"
+ "compress=zstd"
+ "noatime"
+ "space_cache=v2"
+ "discard=async"
+ ];
+ };
+ "@nix" = {
+ mountpoint = "/nix";
+ mountOptions = [
+ "defaults"
+ "subvol=root"
+ "compress=zstd"
+ "noatime"
+ "space_cache=v2"
+ "discard=async"
+ ];
+ };
+ "@swap" = lib.mkIf withSwap {
+ mountpoint = "/.swapvol";
+ swap.swapfile.size = "${swapSize}G";
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+ };
+}
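Review bot: Every subvolume's `mountOptions` pins `"subvol=root"`, although the subvolumes are named `@root`, `@persist` and `@nix`, so the explicit option does not even match the root subvolume's own name. disko mounts each subvolume by its attribute name; if the hand-written `subvol=` is honoured, `/`, `/persist` and `/nix` all resolve to the same subvolume (or the mount fails because no subvolume called `root` exists), and if it is not, the option is dead text — either way, drop `"subvol=root"` from all three lists and let disko set it. The `# NOTE: ... is needed because dikso passes diskoFile` comment also misspells `disko`. There is no LUKS layer on `root`, so etcd's on-disk state (which includes every Kubernetes Secret) sits unencrypted at rest; if that is a deliberate trade-off for unattended boot, a one-line comment saying so would help the next reader.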
diff --git a/nix/docker.nix b/nix/docker.nix
new file mode 100644
index 0000000..0582d99
--- /dev/null
+++ b/nix/docker.nix
@@ -0,0 +1,5 @@
+{ ... }:
+
+{
+ virtualisation.docker.enable = true;
+}
diff --git a/nix/flake.lock b/nix/flake.lock
new file mode 100644
index 0000000..06b1d09
--- /dev/null
+++ b/nix/flake.lock
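Review bot: `virtualisation.docker.enable = true` starts a second root-privileged container runtime on every cluster node even though RKE2 brings its own containerd, and nothing in this diff adds anyone to the `docker` group, so right now it only adds attack surface (the docker socket is root-equivalent to whoever can reach it). If Docker is only needed for ad-hoc image builds, `virtualisation.docker.rootless.enable = true;` is the safer shape, or build images off the control-plane nodes entirely. If it is intentional, a comment stating what depends on it would be enough.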
@@ -0,0 +1,87 @@ +{ + "nodes": { + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs-unstable" + ] + }, + "locked": { + "lastModified": 1763651264, + "narHash": "sha256-8vvwZbw0s7YvBMJeyPVpWke6lg6ROgtts5N2/SMCcv4=", + "owner": "nix-community", + "repo": "disko", + "rev": "e86a89079587497174ccab6d0d142a65811a4fd9", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, + "nix-config": { + "flake": false, + "locked": { + "lastModified": 1763821135, + "narHash": "sha256-8BaXmalRskJgpsVh/gIef1GXxpUeG3Z5huHesyiwOMQ=", + "owner": "ProfiiDev", + "repo": "nix", + "rev": "294da482461b59a64611efe559ffa61b99ce225d", + "type": "github" + }, + "original": { + "owner": "ProfiiDev", + "ref": "main", + "repo": "nix", + "type": "github" + } + }, + "nixpkgs-unstable": { + "locked": { + "lastModified": 1763421233, + "narHash": "sha256-Stk9ZYRkGrnnpyJ4eqt9eQtdFWRRIvMxpNRf4sIegnw=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "89c2b2330e733d6cdb5eae7b899326930c2c0648", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "disko": "disko", + "nix-config": "nix-config", + "nixpkgs-unstable": "nixpkgs-unstable", + "sops-nix": "sops-nix" + } + }, + "sops-nix": { + "inputs": { + "nixpkgs": [ + "nixpkgs-unstable" + ] + }, + "locked": { + "lastModified": 1763607916, + "narHash": "sha256-VefBA1JWRXM929mBAFohFUtQJLUnEwZ2vmYUNkFnSjE=", + "owner": "mic92", + "repo": "sops-nix", + "rev": "877bb495a6f8faf0d89fc10bd142c4b7ed2bcc0b", + "type": "github" + }, + "original": { + "owner": "mic92", + "repo": "sops-nix", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/nix/flake.nix b/nix/flake.nix new file mode 100644 index 0000000..44b3065 --- /dev/null +++ b/nix/flake.nix 
@@ -0,0 +1,57 @@
+{
+ description = "Cluster node config";
+ nixConfig = {
+ extra-substituters = [
+ "https://cache.garnix.io"
+ "https://nix-community.cachix.org"
+ ];
+ extra-trusted-public-keys = [
+ "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
+ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+ ];
+ };
+
+ inputs = {
+ nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
+ nix-config = {
+ url = "github:ProfiiDev/nix/main";
+ flake = false;
+ };
+
+ disko = {
+ url = "github:nix-community/disko";
+ inputs.nixpkgs.follows = "nixpkgs-unstable";
+ };
+
+ sops-nix = {
+ url = "github:mic92/sops-nix";
+ inputs.nixpkgs.follows = "nixpkgs-unstable";
+ };
+ };
+
+ outputs =
+ inputs@{ self, nixpkgs-unstable, ... }:
+ {
+ nixosConfigurations = builtins.listToAttrs (
+ map
+ (host: {
+ name = host;
+ value = nixpkgs-unstable.lib.nixosSystem {
+ specialArgs = {
+ lib = nixpkgs-unstable.lib;
+ nix-config = (builtins.toString inputs.nix-config);
+ inherit host inputs self;
+ };
+ modules = [
+ ./config.nix
+ ];
+ };
+ })
+ [
+ "node1"
+ "node2"
+ "node3"
+ ]
+ );
+ };
+}
diff --git a/nix/hardware-configuration.nix b/nix/hardware-configuration.nix
new file mode 100644
index 0000000..6ca3eea
--- /dev/null
+++ b/nix/hardware-configuration.nix
@@ -0,0 +1,14 @@
+{
+ lib,
+ modulesPath,
+ ...
+}:
+
+{
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ networking.useDHCP = lib.mkDefault true;
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/nix/host-specific.nix b/nix/host-specific.nix
new file mode 100644
index 0000000..6195642
--- /dev/null
+++ b/nix/host-specific.nix
@@ -0,0 +1,5 @@
+{ ... }:
+
+{
+ services.qemuGuest.enable = true;
+}
diff --git a/nix/nix.nix b/nix/nix.nix
new file mode 100644
index 0000000..dec3986
--- /dev/null
+++ b/nix/nix.nix
@@ -0,0 +1,41 @@
+{ pkgs, ... }:
+
+{
+ programs = {
+ nh = {
+ enable = true;
+ clean.enable = true;
+ clean.extraArgs = "--keep-since 1d --keep 10";
+ clean.dates = "daily";
+ flake = "/etc/nixos/nix-config";
+ };
+ };
+
+ environment.systemPackages = with pkgs; [
+ nil
+ nixfmt-rfc-style
+ ];
+
+ nix.settings = {
+ experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
+ trusted-users = [
+ "root"
+ "profidev"
+ ];
+ };
+
+ nix.extraOptions = ''
+ extra-substituters = https://cache.garnix.io https://nix-community.cachix.org
+ extra-trusted-public-keys = cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g= nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=
+ '';
+
+ nixpkgs = {
+ config = {
+ allowUnfree = true;
+ allowUnfreePredicate = _: true;
+ };
+ };
+}
diff --git a/nix/rke2.nix b/nix/rke2.nix
new file mode 100644
index 0000000..cfabada
--- /dev/null
+++ b/nix/rke2.nix
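Review bot: `trusted-users` adds `"profidev"`, but no such account is defined anywhere in this diff — user.nix creates only `root`, with `mutableUsers = false` — so this is either provided by the external `nix-config` modules or a dangling entry. A trusted user may hand the daemon arbitrary substituters and trusted public keys and import unsigned store paths, which is root-equivalent on a node, so keep it to `trusted-users = [ "root" ];` unless that account really exists and needs it. The substituter settings are also written twice — here as a free-form `nix.extraOptions` string and again as `nixConfig` in flake.nix — and the free-form string silently ignores misspelt keys; `nix.settings.extra-substituters` and `nix.settings.extra-trusted-public-keys` lists would be type-checked and greppable.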
@@ -0,0 +1,56 @@
+{ pkgs, ... }:
+
+let
+ pssFile = pkgs.writeText "rke2-pss-custom.yaml" ''
+ apiVersion: apiserver.config.k8s.io/v1
+ kind: AdmissionConfiguration
+ plugins:
+ - name: PodSecurity
+ configuration:
+ apiVersion: pod-security.admission.config.k8s.io/v1beta1
+ kind: PodSecurityConfiguration
+ defaults:
+ enforce: "privileged"
+ enforce-version: "latest"
+ exemptions:
+ usernames: []
+ runtimeClasses: []
+ namespaces: []
+ '';
+
+ configFile = pkgs.writeText "config.yaml" ''
+ cni: calico
+ profile: cis
+ pod-security-admission-config-file: ${pssFile}
+ etcd-expose-metrics: true
+ kube-controller-manager-arg:
+ - bind-address=0.0.0.0
+ kube-scheduler-arg:
+ - bind-address=0.0.0.0
+ kube-proxy-arg:
+ - metrics-bind-address=0.0.0.0
+ kubelet-arg:
+ - max-pods=200
+ ingress-controller: traefik
+ '';
+in
+{
+ services.openiscsi = {
+ enable = true;
+ name = "iqn.2020-08.org.linux-iscsi.initiatorhost:example";
+ };
+
+ services.rke2 = {
+ enable = true;
+
+ configPath = configFile;
+ };
+
+ users.groups.etcd = { };
+ users.users.etcd = {
+ isSystemUser = true;
+ createHome = false;
+ description = "etcd user";
+ group = "etcd";
+ };
+}
diff --git a/nix/services.nix b/nix/services.nix
new file mode 100644
index 0000000..4a579f3
--- /dev/null
+++ b/nix/services.nix
@@ -0,0 +1,35 @@
+{ host, ... }:
+
+{
+ boot.loader.grub.enable = true;
+ boot.loader.timeout = 0;
+
+ networking.hostName = host;
+ networking.networkmanager.enable = true;
+
+ networking.firewall = {
+ enable = true;
+ allowedTCPPorts = [
+ #6443 # Kubernetes API server
+ 593
+ 594
+ ];
+ };
+
+ services.timesyncd.enable = true;
+ services.openssh = {
+ enable = true;
+ openFirewall = true;
+ settings = {
+ PermitRootLogin = "prohibit-password";
+ PasswordAuthentication = false;
+ };
+ };
+
+ services.fail2ban.enable = true;
+
+ services.btrfs.autoScrub = {
+ enable = true;
+ interval = "weekly";
+ };
+}
diff --git a/nix/starship.nix b/nix/starship.nix
new file mode 100644
index 0000000..496f789
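Review bot: The `PodSecurityConfiguration` sets `enforce: "privileged"` as the cluster-wide default with no `audit`/`warn` levels, which switches Pod Security Admission off for every namespace; on RKE2, `profile: cis` would otherwise install a PSA configuration that enforces `restricted` outside the system namespaces, so this file undoes the hardening the same config asks for. Prefer a `baseline` (or `restricted`) default, list the namespaces that genuinely need privileged pods under `exemptions.namespaces`, and set `audit`/`warn` to `restricted` so violations at least become visible. The CIS profile also refuses to start unless the `protect-kernel-defaults` sysctls (`vm.panic_on_oom`, `vm.overcommit_memory`, `kernel.panic`, `kernel.panic_on_oops`) are set, and they are not in this diff — unless the external modules set them, the service will fail on first boot; the NixOS module's `services.rke2.cisHardening` option may cover both that and the etcd user created here. Finally, `services.openiscsi.name` is the upstream placeholder `…initiatorhost:example` and will be identical on node1–node3, whereas iSCSI initiators must have unique IQNs — derive it from the hostname.

```nix
          defaults:
            enforce: "baseline"
            enforce-version: "latest"
            audit: "restricted"
            audit-version: "latest"
            warn: "restricted"
            warn-version: "latest"
          exemptions:
            # … unchanged: usernames, runtimeClasses …
            namespaces: [] # list only namespaces that genuinely need privileged pods
```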
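Review bot: `allowedTCPPorts` opens `593` and `594` with no comment saying what listens there, while the Kubernetes API port is commented out; with `networking.firewall.enable = true` the ports a three-node RKE2/Calico cluster needs between nodes (TCP 6443, 9345, 2379–2380, 10250, 179 and UDP 4789 for VXLAN, plus 80/443 for the Traefik ingress selected in rke2.nix) are not opened here either, so unless the external modules or the RKE2 service itself punch them through, the nodes will not form a cluster and the ingress will be unreachable. Add a comment naming the 593/594 services, and open the cluster ports explicitly — ideally restricted to the node subnet via `networking.firewall.extraCommands` rather than to the world — so the firewall's intent is readable from this file. The `bind-address=0.0.0.0` arguments in rke2.nix rely on exactly this firewall to keep the controller-manager and scheduler ports off the public interface, which is another reason to document the rule set here.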
--- /dev/null
+++ b/nix/starship.nix
@@ -0,0 +1,162 @@ +{ pkgs, ... }: + +{ + environment.systemPackages = with pkgs; [ + starship + ]; + + programs.starship = { + enable = true; + + settings = builtins.fromTOML '' + ## FIRST LINE/ROW: Info & Status + # First param \u2500\u250c + [username] + format = " [\u256d\u2500$user]($style)@" + show_always = true + style_root = "bold red" + style_user = "bold red" + + # Second param + [hostname] + disabled = false + format = "[$hostname]($style) in " + ssh_only = false + style = "bold dimmed red" + trim_at = "-" + + # Third param + [directory] + style = "purple" + truncate_to_repo = true + truncation_length = 0 + truncation_symbol = "repo: " + + # Fourth param + [sudo] + #disabled = false + disabled = true + format = "[$symbol]($style)" + + # Before all the version info (python, nodejs, php, etc.) + [git_status] + ahead = "\u21e1''${count}" + behind = "\u21e3''${count}" + deleted = "x" + diverged = "\u21d5\u21e1''${ahead_count}\u21e3''${behind_count}" + style = "white" + + # Last param in the first line/row + [cmd_duration] + disabled = false + format = "took [$duration]($style)" + min_time = 1 + + ## SECOND LINE/ROW: Prompt + # Somethere at the beginning + [battery] + charging_symbol = "\uf583" + disabled = true + discharging_symbol = "\uf582" + full_symbol = "\uf578" + + [[battery.display]] # "bold red" style when capacity is between 0% and 15% + disabled = false + style = "bold red" + threshold = 15 + + [[battery.display]] # "bold yellow" style when capacity is between 15% and 50% + disabled = true + style = "bold yellow" + threshold = 50 + + [[battery.display]] # "bold green" style when capacity is between 50% and 80% + disabled = true + style = "bold green" + threshold = 80 + + # Prompt: optional param 1 + [time] + disabled = true + format = " \U0001f559 $time($style)\n" + style = "bright-white" + time_format = "%T" + + # Prompt: param 2 + [character] + error_symbol = " [�](bold red)" + success_symbol = " [\u2570\u2500\u03bb](bold red)" + + # SYMBOLS + 
[status] + disabled = false + format = '[\[$symbol$status_common_meaning$status_signal_name$status_maybe_int\]]($style)' + map_symbol = true + pipestatus = true + symbol = "\U0001f534" + + [aws] + symbol = "\ue33d " + + [conda] + symbol = "\uf10c " + + [dart] + symbol = "\ue798 " + + [docker_context] + symbol = "\uf308 " + + [elixir] + symbol = "\ue275 " + + [elm] + symbol = "\ue62c " + + [git_branch] + symbol = "\uf418 " + + [golang] + symbol = "\ue627 " + + [hg_branch] + symbol = "\uf418 " + + [java] + symbol = "\ue256 " + + [julia] + symbol = "\ue624 " + + [nim] + symbol = "\uf6a4 " + + [nix_shell] + symbol = "\uf2dc " + + [nodejs] + symbol = "\ue24f " + + [package] + symbol = "\uf8d6 " + + [perl] + symbol = "\ue769 " + + [php] + symbol = "\ue608 " + + [python] + symbol = "\ue606 " + + [ruby] + symbol = "\ue23e " + + [rust] + symbol = "\ue7a8 " + + [swift] + symbol = "\ufbe3 " + ''; + }; +} diff --git a/nix/tools.nix b/nix/tools.nix new file mode 100644 index 0000000..d966bc0 --- /dev/null +++ b/nix/tools.nix @@ -0,0 +1,16 @@ +{ pkgs, ... }: + +{ + environment.systemPackages = with pkgs; [ + kubectl + k9s + helm + btop + fastfetch + ]; + + programs.neovim = { + enable = true; + defaultEditor = true; + }; +} diff --git a/nix/user.nix b/nix/user.nix new file mode 100644 index 0000000..8a69f6e --- /dev/null +++ b/nix/user.nix 
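Review bot: The `[character]` table's `error_symbol = " [�](bold red)"` contains the U+FFFD replacement character, so the prompt will literally print `�` after a failed command instead of whatever glyph was intended; every other symbol in this TOML is written as a `\uXXXX` escape, which is what keeps the file ASCII-safe. Unless this is an artefact of how the diff was captured, replace it with an explicit escape in the same style, e.g. `error_symbol = " [\u2570\u2500\u2717](bold red)"`, and evaluate the flake once to confirm `builtins.fromTOML` still accepts the string. Not a security concern, just a broken prompt.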
@@ -0,0 +1,51 @@
+{ pkgs, lib, ... }:
+
+{
+ users = {
+ users.root = {
+ initialHashedPassword = "$y$j9T$egeObugZWCSrOzz6o8FUQ.$Xdxwp/BhUwGmgz.yfzKtJrRBe2.KtrGAVjVsmDEx6y2"; # Password.123
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBz5wvNTdRAnh/sHFKlanUuY0n6+fLeNkzjtNTRguBdI profidev@laptop"
+ ];
+
+ shell = lib.mkForce pkgs.fish;
+ };
+
+ mutableUsers = false;
+ };
+
+ programs.fish = {
+ enable = true;
+ generateCompletions = true;
+
+ shellInit = ''
+ set fish_greeting
+ set -U fish_color_command blue
+ '';
+
+ interactiveShellInit = ''
+ starship init fish | source
+ fastfetch
+ '';
+
+ shellAliases = {
+ nix-shell = "nix-shell --run fish";
+ k = "kubectl";
+ ls = "eza";
+ };
+
+ shellAbbrs = {
+ l = "eza -l -a --icons --group-directories-first";
+ rmf = "rm -rf";
+ clr = "clear";
+ k9s = "k9s -c ctx";
+ n = "nvim";
+ };
+ };
+
+ environment.systemPackages = with pkgs; [
+ eza
+ ];
+
+ documentation.man.generateCaches = lib.mkForce false;
+}
diff --git a/rustfmt.toml b/rustfmt.toml
deleted file mode 100644
index b196eaa..0000000
--- a/rustfmt.toml
+++ /dev/null
@@ -1 +0,0 @@
-tab_spaces = 2
diff --git a/terraform/README.md b/terraform/README.md
new file mode 100644
index 0000000..234a6f3
--- /dev/null
+++ b/terraform/README.md
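Review bot: `users.users.root.initialHashedPassword` is committed with the inline comment `# Password.123`, which publishes the plaintext, and because `mutableUsers = false` is set alongside it the NixOS option documentation makes `initialHashedPassword` equivalent to `hashedPassword`, so every host built from this file gets a weak, publicly known root password that cannot be rotated with `passwd`. An SSH key is already authorized for root in the same block, so lock the password instead: replace the initialHashedPassword line with `hashedPassword = "!";` and drop the comment. If a console password is genuinely needed for recovery, generate a strong one with `mkpasswd` and keep only the hash in the repository, never the plaintext. Whether sshd permits root login at all is not visible in this hunk.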
@@ -0,0 +1,251 @@ +# Terraform Configuration + +## Required secrets + +secrets.tfvars file with the following variables: + +```hcl +k8s_api = "" +email = "" +smtp_password = "" +``` + +## Initial deployment order + +1. crd: Install Custom Resource Definitions (CRDs) and monitoring tools. +2. storage: Set up storage solutions required for the cluster. (add cloudflare cert to vault) +3. network: Configure networking components and services. +4. db: Deploy database services. (create buckets, dbs and access keys after this) +5. tools: Install auxiliary tools and services. +6. metrics: Set up monitoring and metrics collection services. +7. apps: Deploy application services. +8. docker: Deploy Docker-related services and configurations. + +## Required secrets in Vault + +### After Storage setup (step 2) + +docker/ghcr: + +- profidev: + +certs/cert-manager: + +- cloudflare: (token requires ip whitelist) + +certs/cloudflare: + +- ca.crt: +- tls.crt: +- tls.key: + +certs/crowdsec: + +- API_KEY: + +db/couchdb: + +- cookie_auth: +- erlang_cookie: +- password: +- username: + +db/postgres: + +- password: +- username: + +tools/argo: + +- oidc.positron.clientSecret: +- webhook.github.secret: + +tools/coder: + +- CODER_OIDC_CLIENT_ID: +- CODER_OIDC_CLIENT_SECRET: +- CODER_OIDC_EMAIL_DOMAIN: +- CODER_OIDC_ISSUER_URL: +- CODER_PG_CONNECTION_URL: + +tools/tailscale: + +- client_id: +- client_secret: + +tools/longhorn-proxy: + +- client-id: +- client-secret: +- secret: + +apps/alloy-proxy: + +- client-id: +- client-secret: +- secret: + +tools/traefik-proxy: + +- client-id: +- client-secret: +- secret: + +tools/auto-clean-bot: + +- RUST_LOG: +- DISCORD_TOKEN: +- DB_URL: + +apps/nextcloud: + +- collabora-password: +- collabora-username: +- db-host: +- db-name: +- db-password: +- db-username: +- password: +- smtp-host: +- smtp-password: +- smtp-username: +- username: + +apps/positron: + +- APOD_API_KEY: +- ASSETLINKS: +- AUTH_ISSUER: +- AUTH_JWT_EXPIRATION: +- AUTH_JWT_EXPIRATION_SHORT: 
+- AUTH_PEPPER: +- CORS_ORIGIN: +- CORS_ORIGIN_REGEX: +- DB_URL: +- FRONTEND_URL: +- LOG_LEVEL: +- NATS_UPDATE_SUBJECT: +- NATS_URL: +- OIDC_BACKEND_INTERNAL: +- OIDC_BACKEND_URL: +- OIDC_ISSUER: +- RUST_LOG: +- S3_ACCESS_KEY: +- S3_BUCKET: +- S3_HOST: +- S3_KEY_ID: +- SMTP_DOMAIN: +- SMTP_PASSWORD: +- SMTP_SENDER_EMAIL: +- SMTP_SENDER_NAME: +- SMTP_SITE_LINK: +- SMTP_USERNAME: +- WEBAUTHN_ADDITIONAL_ORIGINS: +- WEBAUTHN_ID: +- WEBAUTHN_NAME: +- WEBAUTHN_ORIGIN: + +apps/proton: + +- CORS_ORIGIN: +- RUST_LOG: + +db/rustfs: + +- RUSTFS_ACCESS_KEY: +- RUSTFS_SECRET_KEY: + +### After DB setup (step 4) + +apps/lgtm: + +- GRAFANA_LOKI_S3_ACCESS_KEY: +- GRAFANA_LOKI_S3_SECRET_KEY: +- GRAFANA_MIMIR_S3_ACCESS_KEY: +- GRAFANA_MIMIR_S3_SECRET_KEY: +- GRAFANA_S3_ENDPOINT: +- GRAFANA_TEMPO_S3_ACCESS_KEY: +- GRAFANA_TEMPO_S3_SECRET_KEY: + +apps/alert-bot: + +- proxy: +- url: + +tools/longhorn: + +- AWS_ACCESS_KEY_ID: +- AWS_ENDPOINTS: +- AWS_SECRET_ACCESS_KEY: + +## S3 resources to create + +### Buckets + +- loki-admin +- loki-chunk +- loki-ruler +- mimir-alert +- mimir-blocks +- mimir-ruler +- tempo +- longhorn +- positron + +### Access keys + +- loki: Access to loki-admin, loki-chunk, loki-ruler buckets +- mimir: Access to mimir-alert, mimir-blocks, mimir-ruler buckets +- tempo: Access to tempo bucket +- longhorn: Access to longhorn bucket +- positron: Access to positron bucket + +## Databases to create + +- positron +- nextcloud +- coder +- charm +- auto-clean-bot + +## Additional setup steps + +### Pterodactyl panel + +create user: + +```bash +docker exec -it panel php artisan p:user:make +``` + +copy ssl ca bundles to /mnt/ssl for wings because of symlinks + +### Vault OIDC setup + +role + +```bash +vault write auth/oidc/role/default \ + bound_audiences="7f25d29e-ff95-4161-b95a-ad5d918bd85f" \ + allowed_redirect_uris="https://vault.profidev.io/ui/vault/auth/oidc/oidc/callback" \ + user_claim="email" \ + groups_claim="groups" \ + token_policies="default" \ + 
oidc_scopes="email,profile" +``` + +policy + +```hcl +path "*" { + capabilities = ["create", "read", "update", "delete", "list"] +} +``` + +group: + +name: Vault Admin +type: external +policies: admin +add alias: Vault Admin diff --git a/terraform/apps/.terraform.lock.hcl b/terraform/apps/.terraform.lock.hcl new file mode 100644 index 0000000..dc8f5f7 --- /dev/null +++ b/terraform/apps/.terraform.lock.hcl 
@@ -0,0 +1,84 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/gavinbunney/kubectl" { + version = "1.19.0" + constraints = "~> 1.0" + hashes = [ + "h1:9QkxPjp0x5FZFfJbE+B7hBOoads9gmdfj9aYu5N4Sfc=", + "zh:1dec8766336ac5b00b3d8f62e3fff6390f5f60699c9299920fc9861a76f00c71", + "zh:43f101b56b58d7fead6a511728b4e09f7c41dc2e3963f59cf1c146c4767c6cb7", + "zh:4c4fbaa44f60e722f25cc05ee11dfaec282893c5c0ffa27bc88c382dbfbaa35c", + "zh:51dd23238b7b677b8a1abbfcc7deec53ffa5ec79e58e3b54d6be334d3d01bc0e", + "zh:5afc2ebc75b9d708730dbabdc8f94dd559d7f2fc5a31c5101358bd8d016916ba", + "zh:6be6e72d4663776390a82a37e34f7359f726d0120df622f4a2b46619338a168e", + "zh:72642d5fcf1e3febb6e5d4ae7b592bb9ff3cb220af041dbda893588e4bf30c0c", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:a1da03e3239867b35812ee031a1060fed6e8d8e458e2eaca48b5dd51b35f56f7", + "zh:b98b6a6728fe277fcd133bdfa7237bd733eae233f09653523f14460f608f8ba2", + "zh:bb8b071d0437f4767695c6158a3cb70df9f52e377c67019971d888b99147511f", + "zh:dc89ce4b63bfef708ec29c17e85ad0232a1794336dc54dd88c3ba0b77e764f71", + "zh:dd7dd18f1f8218c6cd19592288fde32dccc743cde05b9feeb2883f37c2ff4b4e", + "zh:ec4bd5ab3872dedb39fe528319b4bba609306e12ee90971495f109e142d66310", + "zh:f610ead42f724c82f5463e0e71fa735a11ffb6101880665d93f48b4a67b9ad82", + ] +} + +provider "registry.terraform.io/hashicorp/helm" { + version = "2.17.0" + constraints = "~> 2.0" + hashes = [ + "h1:K5FEjxvDnxb1JF1kG1xr8J3pNGxoaR3Z0IBG9Csm/Is=", + "zh:06fb4e9932f0afc1904d2279e6e99353c2ddac0d765305ce90519af410706bd4", + "zh:104eccfc781fc868da3c7fec4385ad14ed183eb985c96331a1a937ac79c2d1a7", + "zh:129345c82359837bb3f0070ce4891ec232697052f7d5ccf61d43d818912cf5f3", + "zh:3956187ec239f4045975b35e8c30741f701aa494c386aaa04ebabffe7749f81c", + "zh:66a9686d92a6b3ec43de3ca3fde60ef3d89fb76259ed3313ca4eb9bb8c13b7dd", + 
"zh:88644260090aa621e7e8083585c468c8dd5e09a3c01a432fb05da5c4623af940", + "zh:a248f650d174a883b32c5b94f9e725f4057e623b00f171936dcdcc840fad0b3e", + "zh:aa498c1f1ab93be5c8fbf6d48af51dc6ef0f10b2ea88d67bcb9f02d1d80d3930", + "zh:bf01e0f2ec2468c53596e027d376532a2d30feb72b0b5b810334d043109ae32f", + "zh:c46fa84cc8388e5ca87eb575a534ebcf68819c5a5724142998b487cb11246654", + "zh:d0c0f15ffc115c0965cbfe5c81f18c2e114113e7a1e6829f6bfd879ce5744fbb", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} + +provider "registry.terraform.io/hashicorp/kubernetes" { + version = "2.38.0" + constraints = "~> 2.0" + hashes = [ + "h1:5CkveFo5ynsLdzKk+Kv+r7+U9rMrNjfZPT3a0N/fhgE=", + "zh:0af928d776eb269b192dc0ea0f8a3f0f5ec117224cd644bdacdc682300f84ba0", + "zh:1be998e67206f7cfc4ffe77c01a09ac91ce725de0abaec9030b22c0a832af44f", + "zh:326803fe5946023687d603f6f1bab24de7af3d426b01d20e51d4e6fbe4e7ec1b", + "zh:4a99ec8d91193af961de1abb1f824be73df07489301d62e6141a656b3ebfff12", + "zh:5136e51765d6a0b9e4dbcc3b38821e9736bd2136cf15e9aac11668f22db117d2", + "zh:63fab47349852d7802fb032e4f2b6a101ee1ce34b62557a9ad0f0f0f5b6ecfdc", + "zh:924fb0257e2d03e03e2bfe9c7b99aa73c195b1f19412ca09960001bee3c50d15", + "zh:b63a0be5e233f8f6727c56bed3b61eb9456ca7a8bb29539fba0837f1badf1396", + "zh:d39861aa21077f1bc899bc53e7233262e530ba8a3a2d737449b100daeb303e4d", + "zh:de0805e10ebe4c83ce3b728a67f6b0f9d18be32b25146aa89116634df5145ad4", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:faf23e45f0090eef8ba28a8aac7ec5d4fdf11a36c40a8d286304567d71c1e7db", + ] +} + +provider "registry.terraform.io/hashicorp/local" { + version = "2.6.1" + hashes = [ + "h1:LMoX85QLTgCCqRuy2aXoz47P7gZ4WRPSA00fUPC/Rho=", + "zh:10050d08f416de42a857e4b6f76809aae63ea4ec6f5c852a126a915dede814b4", + "zh:2df2a3ebe9830d4759c59b51702e209fe053f47453cb4688f43c063bac8746b7", + "zh:2e759568bcc38c86ca0e43701d34cf29945736fdc8e429c5b287ddc2703c7b18", + 
"zh:6a62a34e48500ab4aea778e355e162ebde03260b7a9eb9edc7e534c84fbca4c6",
+ "zh:74373728ba32a1d5450a3a88ac45624579e32755b086cd4e51e88d9aca240ef6",
+ "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3",
+ "zh:8dddae588971a996f622e7589cd8b9da7834c744ac12bfb59c97fa77ded95255",
+ "zh:946f82f66353bb97aefa8d95c4ca86db227f9b7c50b82415289ac47e4e74d08d",
+ "zh:e9a5c09e6f35e510acf15b666fd0b34a30164cecdcd81ce7cda0f4b2dade8d91",
+ "zh:eafe5b873ef42b32feb2f969c38ff8652507e695620cbaf03b9db714bee52249",
+ "zh:ec146289fa27650c9d433bb5c7847379180c0b7a323b1b94e6e7ad5d2a7dbe71",
+ "zh:fc882c35ce05631d76c0973b35adde26980778fc81d9da81a2fade2b9d73423b",
+ ]
+}
diff --git a/terraform/apps/main.tf b/terraform/apps/main.tf
new file mode 100644
index 0000000..27cc956
--- /dev/null
+++ b/terraform/apps/main.tf
@@ -0,0 +1,23 @@
+terraform {
+ required_version = "~> 1.11"
+
+ required_providers {
+ kubernetes = {
+ source = "hashicorp/kubernetes"
+ version = "~> 2.0"
+ }
+ helm = {
+ source = "hashicorp/helm"
+ version = "~> 2.0"
+ }
+ kubectl = {
+ source = "gavinbunney/kubectl"
+ version = "~> 1.0"
+ }
+ }
+
+ backend "kubernetes" {
+ namespace = "kube-system"
+ secret_suffix = "apps"
+ }
+}
diff --git a/terraform/apps/nextcloud.tf b/terraform/apps/nextcloud.tf
new file mode 100644
index 0000000..8e2263c
--- /dev/null
+++ b/terraform/apps/nextcloud.tf
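Review bot: The `backend "kubernetes"` block in main.tf stores this stack's state in a Secret in `kube-system`, and Terraform state records every resource attribute in plaintext, so anyone with `get secrets` in kube-system — a namespace many cluster add-ons already have read access to — can recover whatever this stack renders. This stack appears to manage secret material (a `kubectl_manifest "nextcloud_secret"` is visible in the next hunk, though its body is garbled in this rendering), so that exposure is real rather than theoretical. Use a dedicated namespace with its own RBAC, e.g. `namespace = "terraform-state"`, or at minimum document in terraform/README.md that the state Secrets in kube-system must be treated as credentials; the predictable `secret_suffix = "apps"` name makes the object trivial to locate.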
@@ -0,0 +1,102 @@ +resource "kubernetes_namespace" "nextcloud" { + metadata { + name = var.nextcloud_ns + } +} + +resource "helm_release" "nextcloud" { + name = "nextcloud" + repository = "https://nextcloud.github.io/helm" + chart = "nextcloud" + version = "8.6.0" + namespace = var.nextcloud_ns + + values = [templatefile("${path.module}/templates/nextcloud.values.tftpl", { + ingress_class = var.ingress_class + cert_issuer = var.cert_issuer_prod + storage_class = var.storage_class + ca_hash = local.ca_hash + k8s_api = var.k8s_api + namespace = var.nextcloud_ns + })] + + depends_on = [kubernetes_namespace.nextcloud] +} + +resource "kubectl_manifest" "nextcloud_secret" { + yaml_body = < array( 0 => '127.0.0.1', 1 => '10.0.0.0/8', - 2 => '194.164.200.60', + 2 => '${k8s_api}', 3 => '::1', ), 'forwarded_for_headers' => array('HTTP_X_FORWARDED_FOR'), @@ -101,8 +96,7 @@ persistence: nextcloudData: enabled: true storageClass: "${storage_class}" - size: "10Gi" - + size: "100Gi" collabora: enabled: true collabora: diff --git a/terraform/apps/variables.tf b/terraform/apps/variables.tf new file mode 100644 index 0000000..cab9ec3 --- /dev/null +++ b/terraform/apps/variables.tf 
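Review bot: In the Nextcloud values template, `trusted_proxies` now lists `'10.0.0.0/8'` alongside `'${k8s_api}'`, so any workload in that range can send the `HTTP_X_FORWARDED_FOR` header named in `forwarded_for_headers` and spoof the client IP Nextcloud uses for brute-force throttling and audit logging — a much wider trust than the single `194.164.200.60` address it replaces. Narrow the entry to the ingress controller's actual source addresses (its pod or service CIDR, or the specific IPs), and if the full /8 is unavoidable because the ingress pods have no stable address, say so in a comment next to the entry. The `@@` header of this values hunk and the tail of the preceding nextcloud.tf hunk are garbled in this rendering (the heredoc text is missing), so the file and line context is inferred from the surviving content.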
@@ -0,0 +1,70 @@
+variable "proton_ns" {
+ description = "The namespace where Proton is deployed"
+ type = string
+ default = "proton"
+}
+
+variable "positron_ns" {
+ description = "The namespace where Positron is deployed"
+ type = string
+ default = "positron"
+}
+
+variable "nextcloud_ns" {
+ description = "The namespace where Nextcloud is deployed"
+ type = string
+ default = "nextcloud"
+}
+
+variable "argo_ns" {
+ description = "The namespace where ArgoCD is deployed"
+ type = string
+}
+
+variable "cluster_secret_store" {
+ description = "The name of the ClusterSecretStore to use for external secrets"
+ type = string
+}
+
+variable "cloudflare_cert_var" {
+ description = "The Vault variable name for the Cloudflare certificate"
+ type = string
+}
+
+variable "cloudflare_ca_cert_var" {
+ description = "The Vault variable name for the Cloudflare CA certificate"
+ type = string
+}
+
+variable "ingress_class" {
+ description = "The ingress class to be used"
+ type = string
+}
+
+variable "ghcr_profidev" {
+ description = "The GitHub Container Registry for ProfiDev images"
+ type = string
+}
+
+variable "cert_issuer_prod" {
+ description = "The cert-manager issuer to use for production certificates"
+ type = string
+}
+
+variable "storage_class" {
+ description = "The storage class to use for persistent volumes"
+ type = string
+}
+
+variable "k8s_api" {
+ description = "The Kubernetes API server URL"
+ type = string
+}
+
+data "local_file" "ca_hash" {
+ filename = "${path.module}/../storage/certs/ca.hash"
+}
+
+locals {
+ ca_hash = data.local_file.ca_hash.content
+}
diff --git a/terraform/crd/.terraform.lock.hcl b/terraform/crd/.terraform.lock.hcl
new file mode 100644
index 0000000..362f7ae
--- /dev/null
+++ b/terraform/crd/.terraform.lock.hcl
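Review bot: `variable "k8s_api"` is described as "The Kubernetes API server URL", but the only visible consumer — the `k8s_api = var.k8s_api` template argument in nextcloud.tf feeding Nextcloud's `trusted_proxies` array, where it replaces the bare IP `194.164.200.60` — needs an IP address or CIDR, and a URL placed in that array would simply never match a proxy. The description should say what the value is actually used for, and a `validation` block will make a wrong shape fail at plan time instead of silently disabling proxy trust; terraform/README.md lists this value under `secrets.tfvars`, so the README entry should be corrected to match as well.

```hcl
variable "k8s_api" {
  description = "IPv4 address of the host that fronts the cluster (API/ingress); added verbatim to Nextcloud trusted_proxies"
  type        = string

  validation {
    condition     = can(cidrhost("${var.k8s_api}/32", 0))
    error_message = "k8s_api must be a bare IPv4 address (it is used in Nextcloud trusted_proxies), not a URL."
  }
}
```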
@@ -0,0 +1,65 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/gavinbunney/kubectl" { + version = "1.19.0" + constraints = "~> 1.0" + hashes = [ + "h1:9QkxPjp0x5FZFfJbE+B7hBOoads9gmdfj9aYu5N4Sfc=", + "zh:1dec8766336ac5b00b3d8f62e3fff6390f5f60699c9299920fc9861a76f00c71", + "zh:43f101b56b58d7fead6a511728b4e09f7c41dc2e3963f59cf1c146c4767c6cb7", + "zh:4c4fbaa44f60e722f25cc05ee11dfaec282893c5c0ffa27bc88c382dbfbaa35c", + "zh:51dd23238b7b677b8a1abbfcc7deec53ffa5ec79e58e3b54d6be334d3d01bc0e", + "zh:5afc2ebc75b9d708730dbabdc8f94dd559d7f2fc5a31c5101358bd8d016916ba", + "zh:6be6e72d4663776390a82a37e34f7359f726d0120df622f4a2b46619338a168e", + "zh:72642d5fcf1e3febb6e5d4ae7b592bb9ff3cb220af041dbda893588e4bf30c0c", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:a1da03e3239867b35812ee031a1060fed6e8d8e458e2eaca48b5dd51b35f56f7", + "zh:b98b6a6728fe277fcd133bdfa7237bd733eae233f09653523f14460f608f8ba2", + "zh:bb8b071d0437f4767695c6158a3cb70df9f52e377c67019971d888b99147511f", + "zh:dc89ce4b63bfef708ec29c17e85ad0232a1794336dc54dd88c3ba0b77e764f71", + "zh:dd7dd18f1f8218c6cd19592288fde32dccc743cde05b9feeb2883f37c2ff4b4e", + "zh:ec4bd5ab3872dedb39fe528319b4bba609306e12ee90971495f109e142d66310", + "zh:f610ead42f724c82f5463e0e71fa735a11ffb6101880665d93f48b4a67b9ad82", + ] +} + +provider "registry.terraform.io/hashicorp/helm" { + version = "2.17.0" + constraints = "~> 2.0" + hashes = [ + "h1:K5FEjxvDnxb1JF1kG1xr8J3pNGxoaR3Z0IBG9Csm/Is=", + "zh:06fb4e9932f0afc1904d2279e6e99353c2ddac0d765305ce90519af410706bd4", + "zh:104eccfc781fc868da3c7fec4385ad14ed183eb985c96331a1a937ac79c2d1a7", + "zh:129345c82359837bb3f0070ce4891ec232697052f7d5ccf61d43d818912cf5f3", + "zh:3956187ec239f4045975b35e8c30741f701aa494c386aaa04ebabffe7749f81c", + "zh:66a9686d92a6b3ec43de3ca3fde60ef3d89fb76259ed3313ca4eb9bb8c13b7dd", + 
"zh:88644260090aa621e7e8083585c468c8dd5e09a3c01a432fb05da5c4623af940", + "zh:a248f650d174a883b32c5b94f9e725f4057e623b00f171936dcdcc840fad0b3e", + "zh:aa498c1f1ab93be5c8fbf6d48af51dc6ef0f10b2ea88d67bcb9f02d1d80d3930", + "zh:bf01e0f2ec2468c53596e027d376532a2d30feb72b0b5b810334d043109ae32f", + "zh:c46fa84cc8388e5ca87eb575a534ebcf68819c5a5724142998b487cb11246654", + "zh:d0c0f15ffc115c0965cbfe5c81f18c2e114113e7a1e6829f6bfd879ce5744fbb", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} + +provider "registry.terraform.io/hashicorp/kubernetes" { + version = "2.38.0" + constraints = "~> 2.0" + hashes = [ + "h1:5CkveFo5ynsLdzKk+Kv+r7+U9rMrNjfZPT3a0N/fhgE=", + "zh:0af928d776eb269b192dc0ea0f8a3f0f5ec117224cd644bdacdc682300f84ba0", + "zh:1be998e67206f7cfc4ffe77c01a09ac91ce725de0abaec9030b22c0a832af44f", + "zh:326803fe5946023687d603f6f1bab24de7af3d426b01d20e51d4e6fbe4e7ec1b", + "zh:4a99ec8d91193af961de1abb1f824be73df07489301d62e6141a656b3ebfff12", + "zh:5136e51765d6a0b9e4dbcc3b38821e9736bd2136cf15e9aac11668f22db117d2", + "zh:63fab47349852d7802fb032e4f2b6a101ee1ce34b62557a9ad0f0f0f5b6ecfdc", + "zh:924fb0257e2d03e03e2bfe9c7b99aa73c195b1f19412ca09960001bee3c50d15", + "zh:b63a0be5e233f8f6727c56bed3b61eb9456ca7a8bb29539fba0837f1badf1396", + "zh:d39861aa21077f1bc899bc53e7233262e530ba8a3a2d737449b100daeb303e4d", + "zh:de0805e10ebe4c83ce3b728a67f6b0f9d18be32b25146aa89116634df5145ad4", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:faf23e45f0090eef8ba28a8aac7ec5d4fdf11a36c40a8d286304567d71c1e7db", + ] +} diff --git a/terraform/network/default-deny.tf b/terraform/crd/default-deny.tf similarity index 50% rename from terraform/network/default-deny.tf rename to terraform/crd/default-deny.tf index faad1b0..177ae47 100644 --- a/terraform/network/default-deny.tf +++ b/terraform/crd/default-deny.tf 
@@ -24,25 +24,36 @@ spec: selector: 'k8s-app == "kube-dns"' ports: - 53 - YAML -} - -resource "kubectl_manifest" "acme_allow" { - yaml_body = < ${path.module}/certs/ca.hash + EOT + } + + depends_on = [data.external.ca_hash] +} diff --git a/terraform/secrets/docker-registry.tf b/terraform/storage/docker-registry.tf similarity index 85% rename from terraform/secrets/docker-registry.tf rename to terraform/storage/docker-registry.tf index 68e66d7..5de592d 100644 --- a/terraform/secrets/docker-registry.tf +++ b/terraform/storage/docker-registry.tf 
@@ -1,14 +1,13 @@ resource "kubectl_manifest" "ghcr_profidev_secret" { yaml_body = <`__ to perform setup or configuration tasks before the main Tenant pods starts. - # - # Example of init container which waits for idenity provider to be reachable before starting MinIO Tenant: - # - # .. code-block:: yaml - # - # initContainers: - # - name: wait-for-idp - # image: busybox - # command: - # - sh - # - -c - # - | - # URL="https://idp-url" - # echo "Checking IdP reachability ($_{URL})" - # until $(wget -q -O "/dev/null" $_{URL}) ; do - # echo "IdP ($_{URL}) not reachable. Waiting to be reachable..." - # sleep 5 - # done - # echo "IdP ($_{URL}) reachable. Starting MinIO..." - # - initContainers: [] - ### - # The Kubernetes `Scheduler `__ to use for dispatching Tenant pods. - # - # Specify an empty dictionary ``{}`` to dispatch pods with the default scheduler. - scheduler: {} - ### - # The Kubernetes secret name that contains MinIO environment variable configurations. - # The secret is expected to have a key named config.env containing environment variables exports. - configuration: - name: ${minio_config} - ### - # Metadata that will be added to the statefulset and pods of all pools - poolsMetadata: - ### - # Specify `annotations `__ to associate to Tenant pods. - annotations: {} - ### - # Specify `labels `__ to associate to Tenant pods. - labels: {} - - ### - # If this variable is set to true, then enable the usage of an existing Kubernetes secret to set environment variables for the Tenant. - # The existing Kubernetes secret name must be placed under .tenant.configuration.name e.g. existing-minio-env-configuration - # The secret must contain a key ``config.env``. - # The values should be a series of export statements to set environment variables for the Tenant. - # For example: - # - # .. 
code-block:: shell - # - # stringData: - # config.env: |- - # export MINIO_ROOT_USER=ROOTUSERNAME - # export MINIO_ROOT_PASSWORD=ROOTUSERPASSWORD - # - # existingSecret: false - ### - # Top level key for configuring MinIO Pool(s) in this Tenant. - # - # See `Operator CRD: Pools `__ for more information on all subfields. - pools: - ### - # The number of MinIO Tenant Pods / Servers in this pool. - # For standalone mode, supply 1. For distributed mode, supply 4 or more. - # Note that the operator does not support upgrading from standalone to distributed mode. - - servers: 1 - ### - # Custom name for the pool - name: pool-1 - ### - # The number of volumes attached per MinIO Tenant Pod / Server. - volumesPerServer: 1 - ### - # The capacity per volume requested per MinIO Tenant Pod. - size: 150Gi - ### - # The `storageClass `__ to associate with volumes generated for this pool. - # - # If using Amazon Elastic Block Store (EBS) CSI driver - # Please make sure to set xfs for "csi.storage.k8s.io/fstype" parameter under StorageClass.parameters. - # Docs: https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/docs/parameters.md - storageClassName: ${storage_class} - ### - # Specify `storageAnnotations `__ to associate to PVCs. - storageAnnotations: {} - ### - # Specify `storageLabels `__ to associate to PVCs. - storageLabels: {} - ### - # Specify `annotations `__ to associate to Tenant pods. - annotations: {} - ### - # Specify `labels `__ to associate to Tenant pods. - labels: {} - ### - # - # An array of `Toleration labels `__ to associate to Tenant pods. - # - # These settings determine the distribution of pods across worker nodes. - tolerations: [] - ### - # Any `Node Selectors `__ to apply to Tenant pods. - # - # The Kubernetes scheduler uses these selectors to determine which worker nodes onto which it can deploy Tenant pods. - # - # If no worker nodes match the specified selectors, the Tenant deployment will fail. 
- nodeSelector: {} - ### - # - # The `affinity `__ or anti-affinity settings to apply to Tenant pods. - # - # These settings determine the distribution of pods across worker nodes and can help prevent or allow colocating pods onto the same worker nodes. - affinity: {} - ### - # - # The `Requests or Limits `__ for resources to associate to Tenant pods. - # - # These settings can control the minimum and maximum resources requested for each pod. - # If no worker nodes can meet the specified requests, the Operator may fail to deploy. - resources: {} - ### - # The Kubernetes `SecurityContext `__ to use for deploying Tenant resources. - # - # You may need to modify these values to meet your cluster's security and access settings. - # - # We recommend disabling recursive permission changes by setting ``fsGroupChangePolicy`` to ``OnRootMismatch`` as those operations can be expensive for certain workloads (e.g. large volumes with many small files). - securityContext: - runAsUser: 1000 - runAsGroup: 1000 - fsGroup: 1000 - fsGroupChangePolicy: "OnRootMismatch" - runAsNonRoot: true - ### - # The Kubernetes `SecurityContext `__ to use for deploying Tenant containers. - # You may need to modify these values to meet your cluster's security and access settings. - containerSecurityContext: - runAsUser: 1000 - runAsGroup: 1000 - runAsNonRoot: true - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - seccompProfile: - type: RuntimeDefault - ### - # - # An array of `Topology Spread Constraints `__ to associate to Operator Console pods. - # - # These settings determine the distribution of pods across worker nodes. - topologySpreadConstraints: [] - ### - # - # The name of a custom `Container Runtime `__ to use for the Operator Console pods. - # runtimeClassName: "" - ### - # The mount path where Persistent Volumes are mounted inside Tenant container(s). - mountPath: /export - ### - # The Sub path inside Mount path where MinIO stores data. - # - # .. 
warning:: - # - # Treat the ``mountPath`` and ``subPath`` values as immutable once you deploy the Tenant. - # If you change these values post-deployment, then you may have different paths for new and pre-existing data. - # This can vastly increase operational complexity and may result in unpredictable data states. - subPath: /data - ### - # Configures a Prometheus-compatible scraping endpoint at the specified port. - metrics: - enabled: true - port: 9000 - protocol: http - ### - # Configures external certificate settings for the Tenant. - certificate: - ### - # Specify an array of Kubernetes TLS secrets, where each entry corresponds to a secret the TLS private key and public certificate pair. - # - # This is used by MinIO to verify TLS connections from clients using those CAs - # If you omit this and have clients using TLS certificates minted by an external CA, those connections may fail with warnings around certificate verification. - # See `Operator CRD: TenantSpec `__. - externalCaCertSecret: [] - ### - # Specify an array of Kubernetes secrets, where each entry corresponds to a secret contains the TLS private key and public certificate pair. - # - # Omit this to use only the MinIO Operator autogenerated certificates. - # - # If you omit this field *and* set ``requestAutoCert`` to false, the Tenant starts without TLS. - # - # See `Operator CRD: TenantSpec `__. - # - # .. important:: - # - # The MinIO Operator may output TLS connectivity errors if it cannot trust the Certificate Authority (CA) which minted the custom certificates. - # - # You can pass the CA to the Operator to allow it to trust that cert. - # See `Self-Signed, Internal, and Private Certificates `__ for more information. - # This step may also be necessary for globally trusted CAs where you must provide intermediate certificates to the Operator to help build the full chain of trust. 
- externalCertSecret: [] - ### - # Enable automatic Kubernetes based `certificate generation and signing `__ - requestAutoCert: true - ### - # The minimum number of days to expiry before an alert for an expiring certificate is fired. - # In the below example, if a given certificate will expire in 7 days then expiration events will only be triggered 1 day before expiry - # certExpiryAlertThreshold: 1 - ### - # This field is used only when ``requestAutoCert: true``. - # Use this field to set CommonName for the auto-generated certificate. - # MinIO defaults to using the internal Kubernetes DNS name for the pod - # The default DNS name format is typically ``*.minio.default.svc.cluster.local``. - # - # See `Operator CRD: CertificateConfig `__ - certConfig: {} - ### - # MinIO features to enable or disable in the MinIO Tenant - # See `Operator CRD: Features `__. - features: - bucketDNS: false - domains: {} - enableSFTP: false - ### - # Array of objects describing one or more buckets to create during tenant provisioning. - # Example: - # - # .. code-block:: yaml - # - # - name: my-minio-bucket - # objectLock: false # optional - # region: us-east-1 # optional - buckets: [] - ### - # Array of Kubernetes secrets from which the Operator generates MinIO users during tenant provisioning. - # - # Each secret should specify the ``CONSOLE_ACCESS_KEY`` and ``CONSOLE_SECRET_KEY`` as the access key and secret key for that user. - users: [] - ### - # The `PodManagement `__ policy for MinIO Tenant Pods. - # Can be "OrderedReady" or "Parallel" - podManagementPolicy: Parallel - # The `Liveness Probe `__ for monitoring Tenant pod liveness. - # Tenant pods will be restarted if the probe fails. - liveness: {} - ### - # `Readiness Probe `__ for monitoring Tenant container readiness. - # Tenant pods will be removed from service endpoints if the probe fails. - readiness: {} - ### - # `Startup Probe `__ for monitoring container startup. - # Tenant pods will be restarted if the probe fails. 
- # Refer - startup: {} - ### - # The `Lifecycle hooks `__ for container. - lifecycle: {} - ### - # Directs the Operator to deploy the MinIO S3 API and Console services as LoadBalancer objects. - # - # If the Kubernetes cluster has a configured LoadBalancer, it can attempt to route traffic to those services automatically. - # - # - Specify ``minio: true`` to expose the MinIO S3 API. - # - Specify ``console: true`` to expose the Console. - # - # Both fields default to ``false``. - exposeServices: {} - ### - # The `Kubernetes Service Account `__ associated with the Tenant. - serviceAccountName: "" - ### - # Directs the Operator to add the Tenant's metric scrape configuration to an existing Kubernetes Prometheus deployment managed by the Prometheus Operator. - prometheusOperator: false - ### - # Configure pod logging configuration for the MinIO Tenant. - # - # - Specify ``json`` for JSON-formatted logs. - # - Specify ``anonymous`` for anonymized logs. - # - Specify ``quiet`` to supress logging. - # - # An example of JSON-formatted logs is as follows: - # - # .. code-block:: shell - # - # $ k logs myminio-pool-0-0 -n default - # {"level":"INFO","errKind":"","time":"2022-04-07T21:49:33.740058549Z","message":"All MinIO sub-systems initialized successfully"} - logging: {} - ### - # serviceMetadata allows passing additional labels and annotations to MinIO and Console specific - # services created by the operator. - serviceMetadata: - minioServiceLabels: - app: minio-metrics - ### - # Add environment variables to be set in MinIO container (https://github.com/minio/minio/tree/master/docs/config) - env: [] - ### - # PriorityClassName indicates the Pod priority and hence importance of a Pod relative to other Pods. - # This is applied to MinIO pods only. 
- # Refer Kubernetes documentation for details https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass/ - priorityClassName: "" - ### - # An array of `Volumes `__ which the Operator can mount to Tenant pods. - # - # The volumes must exist *and* be accessible to the Tenant pods. - additionalVolumes: [] - ### - # An array of volume mount points associated to each Tenant container. - # - # Specify each item in the array as follows: - # - # .. code-block:: yaml - # - # volumeMounts: - # - name: volumename - # mountPath: /path/to/mount - # - # The ``name`` field must correspond to an entry in the ``additionalVolumes`` array. - additionalVolumeMounts: [] - # Define configuration for KES (stateless and distributed key-management system) - # Refer https://github.com/minio/kes - #kes: - # ## Image field: - # # Image from tag (original behavior), for example: - # # image: - # # repository: quay.io/minio/kes - # # tag: 2025-03-12T09-35-18Z - # # Image from digest (added after original behavior), for example: - # # image: - # # repository: quay.io/minio/kes@sha256 - # # digest: fb15af611149892f357a8a99d1bcd8bf5dae713bd64c15e6eb27fbdb88fc208b - # image: - # repository: quay.io/minio/kes - # tag: 2025-03-12T09-35-18Z - # pullPolicy: IfNotPresent - # env: [ ] - # replicas: 2 - # configuration: |- - # address: :7373 - # tls: - # key: /tmp/kes/server.key # Path to the TLS private key - # cert: /tmp/kes/server.crt # Path to the TLS certificate - # proxy: - # identities: [] - # header: - # cert: X-Tls-Client-Cert - # admin: - # identity: $_{MINIO_KES_IDENTITY} - # cache: - # expiry: - # any: 5m0s - # unused: 20s - # log: - # error: on - # audit: off - # keystore: - # # KES configured with fs (File System mode) doesn't work in Kubernetes environments and is not recommended - # # use a real KMS - # # fs: - # # path: "./keys" # Path to directory. Keys will be stored as files. Not Recommended for Production. 
- # vault: - # endpoint: "http://vault.default.svc.cluster.local:8200" # The Vault endpoint - # namespace: "" # An optional Vault namespace. See: https://www.vaultproject.io/docs/enterprise/namespaces/index.html - # prefix: "my-minio" # An optional K/V prefix. The server will store keys under this prefix. - # approle: # AppRole credentials. See: https://www.vaultproject.io/docs/auth/approle.html - # id: "" # Your AppRole Role ID - # secret: "" # Your AppRole Secret ID - # retry: 15s # Duration until the server tries to re-authenticate after connection loss. - # tls: # The Vault client TLS configuration for mTLS authentication and certificate verification - # key: "" # Path to the TLS client private key for mTLS authentication to Vault - # cert: "" # Path to the TLS client certificate for mTLS authentication to Vault - # ca: "" # Path to one or multiple PEM root CA certificates - # status: # Vault status configuration. The server will periodically reach out to Vault to check its status. - # ping: 10s # Duration until the server checks Vault's status again. - # # aws: - # # # The AWS SecretsManager key store. The server will store - # # # secret keys at the AWS SecretsManager encrypted with - # # # AWS-KMS. See: https://aws.amazon.com/secrets-manager - # # secretsmanager: - # # endpoint: "" # The AWS SecretsManager endpoint - e.g.: secretsmanager.us-east-2.amazonaws.com - # # region: "" # The AWS region of the SecretsManager - e.g.: us-east-2 - # # kmskey: "" # The AWS-KMS key ID used to en/decrypt secrets at the SecretsManager. By default (if not set) the default AWS-KMS key will be used. - # # credentials: # The AWS credentials for accessing secrets at the AWS SecretsManager. 
- # # accesskey: "" # Your AWS Access Key - # # secretkey: "" # Your AWS Secret Key - # # token: "" # Your AWS session token (usually optional) - # imagePullPolicy: "IfNotPresent" - # externalCertSecret: null - # clientCertSecret: null - # # Key name to be created on the KMS, default is "my-minio-key" - # keyName: "" - # resources: { } - # nodeSelector: { } - # affinity: - # nodeAffinity: { } - # podAffinity: { } - # podAntiAffinity: { } - # tolerations: [ ] - # annotations: { } - # labels: { } - # serviceAccountName: "" - # securityContext: - # runAsUser: 1000 - # runAsGroup: 1000 - # runAsNonRoot: true - # fsGroup: 1000 - # containerSecurityContext: - # runAsUser: 1000 - # runAsGroup: 1000 - # runAsNonRoot: true - # allowPrivilegeEscalation: false - # capabilities: - # drop: - # - ALL - # seccompProfile: - # type: RuntimeDefault - -### -# Configures `Ingress `__ for the Tenant S3 API and Console. -# -# Set the keys to conform to the Ingress controller and configuration of your choice. -ingress: - api: - enabled: true - ingressClassName: ${ingress_class} - labels: {} - annotations: - nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" - cert-manager.io/cluster-issuer: ${cert_issuer} - tls: - - secretName: minio-api-tls - hosts: - - s3.profidev.io - host: s3.profidev.io - path: / - pathType: Prefix - console: - enabled: true - ingressClassName: ${ingress_class} - labels: {} - annotations: - nginx.ingress.kubernetes.io/auth-tls-secret: ${namespace}/${cloudflare_ca_cert_var} - nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" - nginx.ingress.kubernetes.io/auth-tls-verify-client: "on" - tls: - - secretName: ${cloudflare_cert_var} - hosts: - - "*.profidev.io" - - profidev.io - host: minio.profidev.io - path: / - pathType: Prefix -# Use an extraResources template section to include additional Kubernetes resources -# with the Helm deployment. 
-#extraResources: -# - | -# apiVersion: v1 -# kind: Secret -# type: Opaque -# metadata: -# name: {{ dig "tenant" "configSecret" "name" "" (.Values | merge (dict)) }} -# stringData: -# config.env: |- -# export MINIO_ROOT_USER='minio' -# export MINIO_ROOT_PASSWORD='minio123' diff --git a/terraform/storage/templates/minio.values.tftpl b/terraform/storage/templates/minio.values.tftpl deleted file mode 100644 index d249ba4..0000000 --- a/terraform/storage/templates/minio.values.tftpl +++ /dev/null @@ -1,2 +0,0 @@ -operator: - replicaCount: 1 diff --git a/terraform/storage/templates/postgres-ui.values.tftpl b/terraform/storage/templates/postgres-ui.values.tftpl deleted file mode 100644 index 54044bb..0000000 --- a/terraform/storage/templates/postgres-ui.values.tftpl +++ /dev/null @@ -1,15 +0,0 @@ -telemetry: false -server: - rbac: - enabled: true - policy: | - g, admin, role:admin - g, "Everest Admin", role:admin - oidc: - issuerUrl: "https://profidev.io/backend/oauth" - client_id: "fccee7d1-a358-4b9c-8463-dbeb1e666309" - scopes: - - email - - profile - - openid - - groups diff --git a/terraform/storage/templates/postgres.values.tftpl b/terraform/storage/templates/postgres.values.tftpl deleted file mode 100644 index 8511532..0000000 --- a/terraform/storage/templates/postgres.values.tftpl +++ /dev/null @@ -1 +0,0 @@ -disableTelemetry: true \ No newline at end of file diff --git a/terraform/secrets/templates/vault-auto-unseal.values.tftpl b/terraform/storage/templates/vault-auto-unseal.values.tftpl similarity index 89% rename from terraform/secrets/templates/vault-auto-unseal.values.tftpl rename to terraform/storage/templates/vault-auto-unseal.values.tftpl index d42d665..7f648f2 100644 --- a/terraform/secrets/templates/vault-auto-unseal.values.tftpl +++ b/terraform/storage/templates/vault-auto-unseal.values.tftpl 
@@ -9,7 +9,7 @@ secrets: name: ${key_3_var} key: key ca_cert: - name: ${ca_cert_var} + name: kube-root-ca.crt key: ca.crt vault_url: https://vault.${secrets_ns}.svc:8200 diff --git a/terraform/secrets/templates/vault.values.tftpl b/terraform/storage/templates/vault.values.tftpl similarity index 68% rename from terraform/secrets/templates/vault.values.tftpl rename to terraform/storage/templates/vault.values.tftpl index b99f24d..f5b43a8 100644 --- a/terraform/secrets/templates/vault.values.tftpl +++ b/terraform/storage/templates/vault.values.tftpl @@ -5,8 +5,7 @@ global: prometheusOperator: true injector: - enabled: true - replicas: 1 + enabled: false server: networkPolicy: @@ -22,11 +21,28 @@ server: dataStorage: enabled: true size: 10Gi - storageClass: ${storage_class} auditStorage: size: 10Gi - storageClass: ${storage_class} + + service: + annotations: + traefik.ingress.kubernetes.io/service.serverstransport: ${namespace}-vault-transport@kubernetescrd + + ingress: + enabled: true + annotations: + nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" + traefik.ingress.kubernetes.io/router.tls.options: "${namespace}-vault-tls-options@kubernetescrd" + tls: + - secretName: ${cloudflare_cert_var} + hosts: + - "*.profidev.io" + - "profidev.io" + hosts: + - host: vault.profidev.io + paths: + - "/" standalone: enabled: true diff --git a/terraform/storage/variables.tf b/terraform/storage/variables.tf index 16c678e..92e2cc9 100644 --- a/terraform/storage/variables.tf +++ b/terraform/storage/variables.tf 
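Review bot: The unsealer's CA reference becomes the fixed name `kube-root-ca.crt` instead of the templated `${ca_cert_var}`, so TLS verification of `vault_url` (`https://vault.${secrets_ns}.svc:8200`) now only succeeds if Vault's serving certificate chains to the cluster root CA that Kubernetes publishes under that ConfigMap name in every namespace; `key: ca.crt` matches that ConfigMap's data key, but whether the chart reads `ca_cert` from a ConfigMap or a Secret is not visible here. A comment above `ca_cert:` would spare the next reader the lookup: `# kube-root-ca.crt is the kube-managed root CA ConfigMap; Vault's serving cert must chain to it`. Hard-coding the name also means the value no longer follows the `cluster_ca_cert_secret` the Terraform side still depends on, so the two should be reconciled deliberately rather than drift.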
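Review bot: The new Vault ingress (`vault.profidev.io`, TLS from `${cloudflare_cert_var}`) has no client-certificate verification, while the MinIO console ingress deleted elsewhere in this diff enforced `nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"` against the Cloudflare origin CA; vault.tf passes `cloudflare_ca_cert_var` into this template, but it does not appear in this hunk. If the `${namespace}-vault-tls-options@kubernetescrd` TLSOption is what enforces the origin client cert, say so on the annotation, e.g. `# client-cert verification (Cloudflare origin CA) is enforced by the TLSOption referenced here`; if nothing enforces it, the Vault API and UI are reachable by anyone who can resolve the host, which is worth stating explicitly before merging. The `nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"` annotation is inert under Traefik, which the other two annotations suggest is the controller; either drop it or leave a one-line reason for keeping both.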
@@ -1,131 +1,73 @@ -variable "storage_class" { - type = string -} - -variable "minio_ns" { - type = string -} - -variable "everest_ns" { - type = string -} - -variable "everest_system_ns" { - type = string -} - -variable "everest_olm_ns" { - type = string - default = "everest-olm" -} - -variable "everest_monitoring_ns" { - type = string - default = "everest-monitoring" -} - variable "storage_ns" { - type = string + description = "The namespace for storage resources" + type = string } -variable "nats_ns" { - type = string +variable "secrets_ns" { + description = "The namespace for secrets management resources" + type = string } -variable "ingress_class" { - type = string +variable "k8s_api" { + description = "The Kubernetes API server address" + type = string + sensitive = true } -variable "cloudflare_cert_label" { - type = object({ - key = string - value = string - }) +variable "cluster_secret_store" { + description = "The name of the cluster secret store" + type = string } variable "cloudflare_ca_cert_var" { - type = string + description = "The name of the Cloudflare CA certificate secret" + type = string } variable "cloudflare_cert_var" { - type = string -} - -variable "secret_store_label" { - type = object({ - key = string - value = string - }) -} - -variable "minio_config" { - type = string - default = "minio-config" -} - -variable "minio_config_label" { - type = object({ - key = string - value = string - }) - default = { - key = "minio-admin" - value = "true" - } -} - -variable "cluster_secret_store" { - type = string + description = "The name of the Cloudflare certificate secret" + type = string } -variable "minio_access_label" { - type = object({ - key = string - value = string - }) +variable "ghcr_profidev" { + description = "The name of the GHCR Profidev secret" + type = string } -variable "postgres_access_label" { - type = object({ - key = string - value = string - }) -} -variable "nats_access_label" { - type = object({ - key = string - value = string - 
}) -} -variable "oidc_access_label" { - type = object({ - key = string - value = string - }) +variable "vault_svc" { + description = "The name of the Vault service" + type = string + default = "vault" } -variable "positron_ns" { - type = string +variable "vault_cert_var" { + description = "The name of the Vault TLS secret" + type = string + default = "vault-server-tls" } -variable "cert_issuer_prod" { - type = string +variable "vault_cert_prop" { + description = "The property name for the Vault TLS certificate" + type = string + default = "vault" } -variable "metrics_ns" { - type = string +variable "vault_csr" { + description = "The name of the Vault CSR" + type = string + default = "vault-csr" } -variable "couchdb_ns" { - type = string - default = "couchdb" +variable "vault_global_token" { + description = "The name of the Vault global token secret" + type = string + default = "vault-global-token" } -variable "cluster_ca_cert_label" { - type = object({ - key = string - value = string - }) +variable "vault_global_token_prop" { + description = "The property name for the Vault global token" + type = string + default = "token" } diff --git a/terraform/secrets/vault-tls.tf b/terraform/storage/vault-tls.tf similarity index 100% rename from terraform/secrets/vault-tls.tf rename to terraform/storage/vault-tls.tf diff --git a/terraform/secrets/vault-token.tf b/terraform/storage/vault-token.tf similarity index 100% rename from terraform/secrets/vault-token.tf rename to terraform/storage/vault-token.tf diff --git a/terraform/secrets/vault.tf b/terraform/storage/vault.tf similarity index 52% rename from terraform/secrets/vault.tf rename to terraform/storage/vault.tf index 4f9679a..f6eeac5 100644 --- a/terraform/secrets/vault.tf +++ b/terraform/storage/vault.tf 
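Review bot: `k8s_api` is marked `sensitive = true`, which redacts it from plan output everywhere it is interpolated, presumably including the egress rule the `k8s_api_np_vault` module in vault.tf derives from it; the API server address is reachability data rather than a credential, so the main effect is that network-policy changes become harder to review. If the intent is to keep the address out of logs and state diffs, record that in the description, e.g. `description = "The Kubernetes API server address (sensitive only to keep it out of plan output)"`; otherwise consider dropping `sensitive`. The other new variables (`vault_cert_var`, `vault_global_token`, `ghcr_profidev`, ...) hold Kubernetes object names rather than secret material, so leaving them non-sensitive is correct, and the added descriptions are a clear improvement over the bare `type = string` declarations they replace.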
@@ -2,38 +2,39 @@ resource "helm_release" "vault" { name = "vault" repository = "https://helm.releases.hashicorp.com" chart = "vault" - version = "0.29.1" + version = "0.31.0" namespace = var.secrets_ns values = [templatefile("${path.module}/templates/vault.values.tftpl", { - cert_var = var.vault_cert_var - cert_prop = var.vault_cert_prop - storage_class = var.storage_class + cert_var = var.vault_cert_var + cert_prop = var.vault_cert_prop + namespace = var.secrets_ns + cloudflare_ca_cert_var = var.cloudflare_ca_cert_var + cloudflare_cert_var = var.cloudflare_cert_var })] depends_on = [ - kubernetes_namespace.secrets_ns, + kubernetes_namespace.secrets, kubernetes_secret_v1.vault_tls_secret, ] } resource "helm_release" "vault_auto_unseal" { name = "vault-auto-unseal" - repository = "https://profiidev.github.io/server-config" + repository = "https://profiidev.github.io/helm-charts" chart = "vault-auto-unseal" - version = "0.1.9" + version = "0.1.12" namespace = var.secrets_ns values = [templatefile("${path.module}/templates/vault-auto-unseal.values.tftpl", { - key_1_var = "vault-unseal-key-1" - key_2_var = "vault-unseal-key-2" - key_3_var = "vault-unseal-key-3" - ca_cert_var = var.cluster_ca_cert_var - secrets_ns = var.secrets_ns + key_1_var = "vault-unseal-key-1" + key_2_var = "vault-unseal-key-2" + key_3_var = "vault-unseal-key-3" + secrets_ns = var.secrets_ns })] depends_on = [ - kubernetes_namespace.secrets_ns, + kubernetes_namespace.secrets, kubernetes_secret_v1.cluster_ca_cert_secret, kubernetes_secret_v1.vault_unseal_key ] 
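Review bot: `ca_cert_var = var.cluster_ca_cert_var` is removed from the `vault_auto_unseal` template variables, yet `depends_on` still lists `kubernetes_secret_v1.cluster_ca_cert_secret`; with the values template in this diff now pointing at the kube-managed `kube-root-ca.crt`, that dependency looks stale and will fail planning if the secret resource is removed later. Either delete the line or keep it with a reason, e.g. `kubernetes_secret_v1.cluster_ca_cert_secret, # <reason it is still required>` (placeholder). The same release also moves to a new chart repository (`https://profiidev.github.io/helm-charts`) alongside the `0.1.9` → `0.1.12` bump; Helm fetches that without any integrity check by default, so if the charts are signed, the provider's `verify`/`keyring` arguments are the place to pin provenance, and if they are not, a comment noting the repository is self-published would at least make the trust assumption explicit. The `vault` release's `0.29.1` → `0.31.0` bump is fine as-is, though the upstream release notes should be checked for default changes since `injector` is also being disabled in this change.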
@@ -116,113 +117,48 @@ resource "null_resource" "vault_init_kv" { depends_on = [null_resource.vault_initial_unseal] } -resource "kubectl_manifest" "vault_k8s_api_egress" { +module "k8s_api_np_vault" { + source = "../modules/k8s-api-np" + + namespace = var.secrets_ns + k8s_api = var.k8s_api + + depends_on = [kubernetes_namespace.secrets] +} + +module "external_np_vault" { + source = "../modules/external-np" + + namespace = var.secrets_ns +} + +resource "kubectl_manifest" "vault_transport" { yaml_body = < 0 - for: 10m - labels: - severity: warn - annotations: - summary: "Node down in MinIO deployment" - description: "Node(s) in cluster {{ $labels.instance }} offline for more than 5 minutes" - - - alert: DisksOffline - expr: avg_over_time(minio_cluster_drive_offline_total{job="minio-job"}[5m]) > 0 - for: 10m - labels: - severity: warn - annotations: - summary: "Disks down in MinIO deployment" - description: "Disks(s) in cluster {{ $labels.instance }} offline for more than 5 minutes" diff --git a/terraform/tools/mixin/pgbouncer.yaml b/terraform/tools/mixin/pgbouncer.yaml deleted file mode 100644 index 2d3f20b..0000000 --- a/terraform/tools/mixin/pgbouncer.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ -groups: -- name: pgbouncer - rules: - - alert: PGBouncerHighNumberClientWaitingConnections - annotations: - description: | - The number of clients waiting for connections on {{ $labels.instance }} is now above 20. The current value is {{ $value | printf "%.2f" }}. - summary: May indicate a bottleneck in connection pooling where too many clients - are waiting for available server connections. - expr: | - pgbouncer_pools_client_waiting_connections{job="pgbouncer-exporter-prometheus-pgbouncer-exporter"} > 20 - for: 5m - labels: - severity: warning - - alert: PGBouncerHighClientWaitTime - annotations: - description: | - The wait time for user connections on {{ $labels.instance }}, is above 15. The current value is {{ $value | printf "%.2f" }}. - summary: Clients are experiencing significant delays, which could indicate issues - with connection pool saturation or server performance. - expr: | - pgbouncer_pools_client_maxwait_seconds{job="pgbouncer-exporter-prometheus-pgbouncer-exporter"} > 15 - for: 5m - labels: - severity: warning - - alert: PGBouncerHighServerConnectionSaturationWarning - annotations: - description: | - User connection capacity on {{ $labels.instance }}, is above 80%. The current value is {{ $value | printf "%.2f" }}. - summary: PGBouncer is nearing user connection capacity. - expr: | - 100 * (sum without (database, user) (pgbouncer_pools_server_active_connections{job="pgbouncer-exporter-prometheus-pgbouncer-exporter"} + pgbouncer_pools_server_idle_connections{job="pgbouncer-exporter-prometheus-pgbouncer-exporter"} + pgbouncer_pools_server_used_connections{job="pgbouncer-exporter-prometheus-pgbouncer-exporter"}) / clamp_min(pgbouncer_config_max_user_connections{job="pgbouncer-exporter-prometheus-pgbouncer-exporter"},1)) > 80 - for: 5m - labels: - severity: warning - - alert: PGBouncerHighServerConnectionSaturationCritical - annotations: - description: | - User connection capacity on {{ $labels.instance }}, is above 90%. 
The current value is {{ $value | printf "%.2f" }}. - summary: PGBouncer is nearing critical levels of user connection capacity. - expr: | - 100 * (sum without (database, user) (pgbouncer_pools_server_active_connections{job="pgbouncer-exporter-prometheus-pgbouncer-exporter"} + pgbouncer_pools_server_idle_connections{job="pgbouncer-exporter-prometheus-pgbouncer-exporter"} + pgbouncer_pools_server_used_connections{job="pgbouncer-exporter-prometheus-pgbouncer-exporter"}) / clamp_min(pgbouncer_config_max_user_connections{job="pgbouncer-exporter-prometheus-pgbouncer-exporter"},1)) > 90 - for: 5m - labels: - severity: critical \ No newline at end of file diff --git a/terraform/tools/nextcloud.tf b/terraform/tools/nextcloud.tf deleted file mode 100644 index fd053cb..0000000 --- a/terraform/tools/nextcloud.tf +++ /dev/null @@ -1,76 +0,0 @@ -resource "kubernetes_namespace" "nextcloud_ns" { - metadata { - name = var.nextcloud_ns - labels = { - "${var.postgres_access_label.key}" = var.postgres_access_label.value - "${var.secret_store_label.key}" = var.secret_store_label.value - "${var.cluster_ca_cert_label.key}" = var.cluster_ca_cert_label.value - } - } -} - -resource "helm_release" "nextcloud" { - name = "nextcloud" - repository = "https://nextcloud.github.io/helm" - chart = "nextcloud" - version = "7.0.2" - namespace = var.nextcloud_ns - - values = [templatefile("${path.module}/templates/nextcloud.values.tftpl", { - ingress_class = var.ingress_class - cert_issuer = var.cert_issuer_prod - storage_class = var.storage_class - postgres_access_label_key = var.postgres_access_label.key - postgres_access_label_value = var.postgres_access_label.value - ca_hash = var.ca_hash - })] - - depends_on = [kubernetes_namespace.nextcloud_ns] -} - -resource "kubectl_manifest" "nextcloud_secret" { - yaml_body = <