From a2aa8b486e6c700bfee7c679e430a78076ca8d5b Mon Sep 17 00:00:00 2001
From: ProfiiDev <92174452+Profiidev@users.noreply.github.com>
Date: Mon, 27 Oct 2025 20:29:51 +0100
Subject: [PATCH 01/43] feat: added rke2 install script
---
 justfile | 15 +++++
 terraform/rke2/.gitignore | 1 +
 terraform/rke2/.terraform.lock.hcl | 105 +++++++++++++++++++++++++++++
 terraform/rke2/inputs.tf | 14 ++++
 terraform/rke2/main.tf | 52 ++++++++++++++
 terraform/rke2/versions.tf | 3 +
 6 files changed, 190 insertions(+)
 create mode 100644 justfile
 create mode 100644 terraform/rke2/.gitignore
 create mode 100644 terraform/rke2/.terraform.lock.hcl
 create mode 100644 terraform/rke2/inputs.tf
 create mode 100644 terraform/rke2/main.tf
 create mode 100644 terraform/rke2/versions.tf
diff --git a/justfile b/justfile
new file mode 100644
index 0000000..dd99469
--- /dev/null
+++ b/justfile
@@ -0,0 +1,15 @@
+pwd := source_dir()
+config_path := "terraform"
+vars_path := pwd + "/vars.tfvars"
+
+init CONFIG:
+ terraform -chdir={{config_path}}/{{CONFIG}} init
+
+apply CONFIG:
+ terraform -chdir={{config_path}}/{{CONFIG}} apply -var-file={{vars_path}} -auto-approve
+
+destroy CONFIG:
+ terraform -chdir={{config_path}}/{{CONFIG}} destroy -var-file={{vars_path}}
+
+plan CONFIG:
+ terraform -chdir={{config_path}}/{{CONFIG}} plan -var-file={{vars_path}}
\ No newline at end of file
diff --git a/terraform/rke2/.gitignore b/terraform/rke2/.gitignore
new file mode 100644
index 0000000..5fac628
--- /dev/null
+++ b/terraform/rke2/.gitignore
@@ -0,0 +1 @@
+/data/
\ No newline at end of file
diff --git a/terraform/rke2/.terraform.lock.hcl b/terraform/rke2/.terraform.lock.hcl
new file mode 100644
index 0000000..81abfb8
--- /dev/null
+++ b/terraform/rke2/.terraform.lock.hcl
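Review bot: The `apply` recipe passes `-auto-approve`, so whoever runs `just apply rke2` never sees the plan for the changes that later patches in this series make to a host over SSH (sudoers edits, package upgrades); the separate `plan` recipe is optional and nothing ties the two together. Consider dropping `-auto-approve`, or having `plan` write a saved plan (`terraform -chdir={{config_path}}/{{CONFIG}} plan -var-file={{vars_path}} -out=tfplan`) that `apply` then consumes, so the reviewed plan is the one applied. `vars.tfvars` is read from the repository root and, from patch 03 on, carries `ssh_user_pw`; the root `.gitignore` shown in patch 02 does ignore `*.tfvars`, so keep that entry when the ignore file is next edited.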
@@ -0,0 +1,105 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/hashicorp/local" { + version = "2.5.3" + constraints = ">= 2.4.0" + hashes = [ + "h1:1Nkh16jQJMp0EuDmvP/96f5Unnir0z12WyDuoR6HjMo=", + "zh:284d4b5b572eacd456e605e94372f740f6de27b71b4e1fd49b63745d8ecd4927", + "zh:40d9dfc9c549e406b5aab73c023aa485633c1b6b730c933d7bcc2fa67fd1ae6e", + "zh:6243509bb208656eb9dc17d3c525c89acdd27f08def427a0dce22d5db90a4c8b", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:885d85869f927853b6fe330e235cd03c337ac3b933b0d9ae827ec32fa1fdcdbf", + "zh:bab66af51039bdfcccf85b25fe562cbba2f54f6b3812202f4873ade834ec201d", + "zh:c505ff1bf9442a889ac7dca3ac05a8ee6f852e0118dd9a61796a2f6ff4837f09", + "zh:d36c0b5770841ddb6eaf0499ba3de48e5d4fc99f4829b6ab66b0fab59b1aaf4f", + "zh:ddb6a407c7f3ec63efb4dad5f948b54f7f4434ee1a2607a49680d494b1776fe1", + "zh:e0dafdd4500bec23d3ff221e3a9b60621c5273e5df867bc59ef6b7e41f5c91f6", + "zh:ece8742fd2882a8fc9d6efd20e2590010d43db386b920b2a9c220cfecc18de47", + "zh:f4c6b3eb8f39105004cf720e202f04f57e3578441cfb76ca27611139bc116a82", + ] +} + +provider "registry.terraform.io/hashicorp/null" { + version = "3.2.4" + constraints = ">= 3.2.0" + hashes = [ + "h1:hkf5w5B6q8e2A42ND2CjAvgvSN3puAosDmOJb3zCVQM=", + "zh:59f6b52ab4ff35739647f9509ee6d93d7c032985d9f8c6237d1f8a59471bbbe2", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:795c897119ff082133150121d39ff26cb5f89a730a2c8c26f3a9c1abf81a9c43", + "zh:7b9c7b16f118fbc2b05a983817b8ce2f86df125857966ad356353baf4bff5c0a", + "zh:85e33ab43e0e1726e5f97a874b8e24820b6565ff8076523cc2922ba671492991", + "zh:9d32ac3619cfc93eb3c4f423492a8e0f79db05fec58e449dee9b2d5873d5f69f", + "zh:9e15c3c9dd8e0d1e3731841d44c34571b6c97f5b95e8296a45318b94e5287a6e", + "zh:b4c2ab35d1b7696c30b64bf2c0f3a62329107bd1a9121ce70683dec58af19615", + "zh:c43723e8cc65bcdf5e0c92581dcbbdcbdcf18b8d2037406a5f2033b1e22de442", 
+ "zh:ceb5495d9c31bfb299d246ab333f08c7fb0d67a4f82681fbf47f2a21c3e11ab5", + "zh:e171026b3659305c558d9804062762d168f50ba02b88b231d20ec99578a6233f", + "zh:ed0fe2acdb61330b01841fa790be00ec6beaac91d41f311fb8254f74eb6a711f", + ] +} + +provider "registry.terraform.io/hashicorp/random" { + version = "3.7.2" + constraints = ">= 3.5.1" + hashes = [ + "h1:356j/3XnXEKr9nyicLUufzoF4Yr6hRy481KIxRVpK0c=", + "zh:14829603a32e4bc4d05062f059e545a91e27ff033756b48afbae6b3c835f508f", + "zh:1527fb07d9fea400d70e9e6eb4a2b918d5060d604749b6f1c361518e7da546dc", + "zh:1e86bcd7ebec85ba336b423ba1db046aeaa3c0e5f921039b3f1a6fc2f978feab", + "zh:24536dec8bde66753f4b4030b8f3ef43c196d69cccbea1c382d01b222478c7a3", + "zh:29f1786486759fad9b0ce4fdfbbfece9343ad47cd50119045075e05afe49d212", + "zh:4d701e978c2dd8604ba1ce962b047607701e65c078cb22e97171513e9e57491f", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:7b8434212eef0f8c83f5a90c6d76feaf850f6502b61b53c329e85b3b281cba34", + "zh:ac8a23c212258b7976e1621275e3af7099e7e4a3d4478cf8d5d2a27f3bc3e967", + "zh:b516ca74431f3df4c6cf90ddcdb4042c626e026317a33c53f0b445a3d93b720d", + "zh:dc76e4326aec2490c1600d6871a95e78f9050f9ce427c71707ea412a2f2f1a62", + "zh:eac7b63e86c749c7d48f527671c7aee5b4e26c10be6ad7232d6860167f99dbb0", + ] +} + +provider "registry.terraform.io/hashicorp/time" { + version = "0.13.1" + constraints = ">= 0.12.0" + hashes = [ + "h1:+W+DMrVoVnoXo3f3M4W+OpZbkCrUn6PnqDF33D2Cuf0=", + "zh:02cb9aab1002f0f2a94a4f85acec8893297dc75915f7404c165983f720a54b74", + "zh:04429b2b31a492d19e5ecf999b116d396dac0b24bba0d0fb19ecaefe193fdb8f", + "zh:26f8e51bb7c275c404ba6028c1b530312066009194db721a8427a7bc5cdbc83a", + "zh:772ff8dbdbef968651ab3ae76d04afd355c32f8a868d03244db3f8496e462690", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:898db5d2b6bd6ca5457dccb52eedbc7c5b1a71e4a4658381bcbb38cedbbda328", + "zh:8de913bf09a3fa7bedc29fec18c47c571d0c7a3d0644322c46f3aa648cf30cd8", + 
"zh:9402102c86a87bdfe7e501ffbb9c685c32bbcefcfcf897fd7d53df414c36877b", + "zh:b18b9bb1726bb8cfbefc0a29cf3657c82578001f514bcf4c079839b6776c47f0", + "zh:b9d31fdc4faecb909d7c5ce41d2479dd0536862a963df434be4b16e8e4edc94d", + "zh:c951e9f39cca3446c060bd63933ebb89cedde9523904813973fbc3d11863ba75", + "zh:e5b773c0d07e962291be0e9b413c7a22c044b8c7b58c76e8aa91d1659990dfb5", + ] +} + +provider "registry.terraform.io/integrations/github" { + version = "6.7.0" + constraints = ">= 5.32.0" + hashes = [ + "h1:644OkjJEt+cYgdurcYkS6uVk39DoShWil47vXRAz6gc=", + "zh:0d3d2ebfffce6d7c9d1a365a8fd136872f63ca6dcb3db8b9a9ad4e81a5b69fa7", + "zh:198ffb855d367a3d2371c2152dc80f977a4a880d5ce49747f9290c6ca411f1bc", + "zh:350c0e996e1650036beaaf2d3e063cb1e8d1693e7fcf7754df6e7453b49c089f", + "zh:544bb0ba8203d7caa688d46cb926e12142356236ab29b21afc54eb02652852c7", + "zh:8698340cd268e271f68cfb757d40b4a41efc1399deb7232ba2842c9d4c6ba6cd", + "zh:95d9da04a3a9f81edd1f3354ba98f2a39a17b7fd6ddf7671a7dcd6d422108d24", + "zh:9bd1e6e2930f9fa596a0498b79b33cf369211b4252bd88e7f2cb703fbcdb7051", + "zh:a1b9dbdc975743d95545bdeebb33c84963437b02f16a4ba52868a8a0ebe94763", + "zh:acbdb49609b17be783bec8069a833747bb03eb19b0cb0877bcbd4783bbf855ce", + "zh:ae23023b3f65cfcbd3d0291baf9215ab055a3b48f0d9a4a7c1b09ec4e56553d5", + "zh:c8fbd050b94f80cd69c3e331546a411611eef4f29b97fcb50b886de375f25cd9", + "zh:ce2832f39173e5f2906a8ab8822ec320085512381693bef2ba6ca8c6969e6085", + "zh:d15357ec50598afe3ae1e3c013f063a8bb9a86bc2e2f6d5bf2abee231b1aaeaa", + "zh:e77878043cfa9cdbf1e33b7f60a0b2d193dfe37a85da6b3fdfd4f95a6ff27255", + "zh:fbd1fee2c9df3aa19cf8851ce134dea6e45ea01cb85695c1726670c285797e25", + ] +} diff --git a/terraform/rke2/inputs.tf b/terraform/rke2/inputs.tf new file mode 100644 index 0000000..fb4044c --- /dev/null +++ b/terraform/rke2/inputs.tf 
@@ -0,0 +1,14 @@
+variable "ssh_user" {
+ description = "SSH user for the nodes"
+ type = string
+}
+
+variable "ssh_ip" {
+ description = "SSH IP address of the node"
+ type = string
+}
+
+variable "rke2_id" {
+ description = "RKE2 node identifier"
+ type = string
+}
diff --git a/terraform/rke2/main.tf b/terraform/rke2/main.tf
new file mode 100644
index 0000000..6fd4c7a
--- /dev/null
+++ b/terraform/rke2/main.tf
@@ -0,0 +1,52 @@
+locals {
+ local_file_path = "${path.root}/data"
+}
+
+module "download" {
+ source = "rancher/rke2-download/github"
+ version = "1.0.0"
+ path = local.local_file_path
+}
+
+
+module "config" {
+ depends_on = [module.download]
+
+ source = "rancher/rke2-config/local"
+ version = "1.0.0"
+ local_file_path = local.local_file_path
+
+ cni = ["calico"]
+ profile = "cis"
+ etcd-expose-metrics = true
+ kube-controller-manager-arg = [
+ "bind-address=0.0.0.0"
+ ]
+ kube-scheduler-arg = [
+ "bind-address=0.0.0.0"
+ ]
+ kube-proxy-arg = [
+ "metrics-bind-address=0.0.0.0"
+ ]
+}
+
+module "rke2-install" {
+ depends_on = [module.download, module.config]
+
+ source = "rancher/rke2-install/null"
+ version = "1.3.2"
+
+ ssh_user = var.ssh_user
+ ssh_ip = var.ssh_ip
+ release = "stable"
+ local_file_path = local.local_file_path
+ identifier = var.rke2_id
+ remote_workspace = "/home/${var.ssh_user}"
+ retrieve_kubeconfig = true
+ server_prep_script = <<-EOT
+ sudo cp -f /usr/local/share/rke2/rke2-cis-sysctl.conf /etc/sysctl.d/60-rke2-cis.conf
+ sudo systemctl restart systemd-sysctl
+ sudo sysctl -p /usr/local/share/rke2/rke2-cis-sysctl.conf
+ sudo useradd -r -c "etcd user" -s /sbin/nologin -M etcd -U
+ EOT
+}
diff --git a/terraform/rke2/versions.tf b/terraform/rke2/versions.tf
new file mode 100644
index 0000000..f847bb0
--- /dev/null
+++ b/terraform/rke2/versions.tf
@@ -0,0 +1,3 @@
+terraform {
+ required_version = ">=1.13"
+}
From 8e120e1e905efb31bddff05b8b513c8104ce0276 Mon Sep 17 00:00:00 2001
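Review bot: `module "config"` asks for `profile = "cis"` but then sets `bind-address=0.0.0.0` for kube-controller-manager and kube-scheduler (and `metrics-bind-address=0.0.0.0` for kube-proxy), which reverses the benchmark's loopback-only binding for those components and exposes their metrics and health endpoints on every interface of the node. If this is for Prometheus scraping, say so in a comment next to the overrides and pair them with a host-firewall or NetworkPolicy rule limiting those ports to the scraper. Separately, `retrieve_kubeconfig = true` places the cluster-admin kubeconfig under `local_file_path` (`terraform/rke2/data`), which stays out of git only through the one-line `/data/` ignore added in this patch; the diffstat of patch 04 in this series deletes `terraform/rke2/.gitignore` while adding `terraform/rke2/data/pss-custom.yaml`, so an explicit `kubeconfig` pattern in the root `.gitignore` would survive that change. `release = "stable"` also lets the RKE2 version drift between applies; pinning a release keeps the cluster reproducible.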
From: ProfiiDev <92174452+Profiidev@users.noreply.github.com>
Date: Mon, 27 Oct 2025 20:46:36 +0100
Subject: [PATCH 02/43] chore: added devenv
---
 .envrc | 3 +
 .gitignore | 9 ++-
 devenv.lock | 103 +++++++++++++++++++++++++++++
 devenv.nix | 5 ++
 justfile | 3 +
 terraform/networking/main.tf | 0
 terraform/networking/versions.tf | 3 +
 7 files changed, 125 insertions(+), 1 deletion(-)
 create mode 100644 .envrc
 create mode 100644 devenv.lock
 create mode 100644 devenv.nix
 create mode 100644 terraform/networking/main.tf
 create mode 100644 terraform/networking/versions.tf
diff --git a/.envrc b/.envrc
new file mode 100644
index 0000000..cfe337f
--- /dev/null
+++ b/.envrc
@@ -0,0 +1,3 @@
+export DIRENV_WARN_TIMEOUT=20s
+eval "$(devenv direnvrc)"
+use devenv
\ No newline at end of file
diff --git a/.gitignore b/.gitignore
index cc9ec15..0939eba 100644
--- a/.gitignore
+++ b/.gitignore
@@ -3,4 +3,11 @@
 *.tfstate.backup
 *.lock.info
 *.tfvars
-target/
\ No newline at end of file
+target/
+
+# Devenv
+.devenv*
+devenv.local.nix
+
+# direnv
+.direnv
\ No newline at end of file
diff --git a/devenv.lock b/devenv.lock
new file mode 100644
index 0000000..4e1538c
--- /dev/null
+++ b/devenv.lock
@@ -0,0 +1,103 @@ +{ + "nodes": { + "devenv": { + "locked": { + "dir": "src/modules", + "lastModified": 1761583935, + "owner": "cachix", + "repo": "devenv", + "rev": "b7e3b2aeb90ce37517fb8da09ceff8ab587a9fcf", + "type": "github" + }, + "original": { + "dir": "src/modules", + "owner": "cachix", + "repo": "devenv", + "type": "github" + } + }, + "flake-compat": { + "flake": false, + "locked": { + "lastModified": 1761588595, + "owner": "edolstra", + "repo": "flake-compat", + "rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5", + "type": "github" + }, + "original": { + "owner": "edolstra", + "repo": "flake-compat", + "type": "github" + } + }, + "git-hooks": { + "inputs": { + "flake-compat": "flake-compat", + "gitignore": "gitignore", + "nixpkgs": [ + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1760663237, + "owner": "cachix", + "repo": "git-hooks.nix", + "rev": "ca5b894d3e3e151ffc1db040b6ce4dcc75d31c37", + "type": "github" + }, + "original": { + "owner": "cachix", + "repo": "git-hooks.nix", + "type": "github" + } + }, + "gitignore": { + "inputs": { + "nixpkgs": [ + "git-hooks", + "nixpkgs" + ] + }, + "locked": { + "lastModified": 1709087332, + "owner": "hercules-ci", + "repo": "gitignore.nix", + "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", + "type": "github" + }, + "original": { + "owner": "hercules-ci", + "repo": "gitignore.nix", + "type": "github" + } + }, + "nixpkgs": { + "locked": { + "lastModified": 1761313199, + "owner": "cachix", + "repo": "devenv-nixpkgs", + "rev": "d1c30452ebecfc55185ae6d1c983c09da0c274ff", + "type": "github" + }, + "original": { + "owner": "cachix", + "ref": "rolling", + "repo": "devenv-nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "devenv": "devenv", + "git-hooks": "git-hooks", + "nixpkgs": "nixpkgs", + "pre-commit-hooks": [ + "git-hooks" + ] + } + } + }, + "root": "root", + "version": 7 +} diff --git a/devenv.nix b/devenv.nix new file mode 100644 index 0000000..fc53d47 --- /dev/null +++ b/devenv.nix 
@@ -0,0 +1,5 @@
+{
+ enterShell = ''
+ export KUBECONFIG="$DEVENV_ROOT/terraform/rke2/data/kubeconfig"
+ '';
+}
diff --git a/justfile b/justfile
index dd99469..101da70 100644
--- a/justfile
+++ b/justfile
@@ -1,6 +1,9 @@
 pwd := source_dir()
 config_path := "terraform"
 vars_path := pwd + "/vars.tfvars"
+kubeconfig_path := pwd + "/terraform/rke2/data/kubeconfig"
+
+export KUBECONFIG := kubeconfig_path
 init CONFIG:
 terraform -chdir={{config_path}}/{{CONFIG}} init
diff --git a/terraform/networking/main.tf b/terraform/networking/main.tf
new file mode 100644
index 0000000..e69de29
diff --git a/terraform/networking/versions.tf b/terraform/networking/versions.tf
new file mode 100644
index 0000000..f847bb0
--- /dev/null
+++ b/terraform/networking/versions.tf
@@ -0,0 +1,3 @@
+terraform {
+ required_version = ">=1.13"
+}
From b54047c5ddf3c714f9edaa1483c7501782a146e9 Mon Sep 17 00:00:00 2001
From: ProfiiDev <92174452+Profiidev@users.noreply.github.com>
Date: Mon, 27 Oct 2025 21:42:59 +0100
Subject: [PATCH 03/43] fix: added script for tmp no sudo prompt
---
 terraform/rke2/inputs.tf | 5 +++++
 terraform/rke2/main.tf | 46 +++++++++++++++++++++++++++++++++++++++-
 2 files changed, 50 insertions(+), 1 deletion(-)
diff --git a/terraform/rke2/inputs.tf b/terraform/rke2/inputs.tf
index fb4044c..04b4a81 100644
--- a/terraform/rke2/inputs.tf
+++ b/terraform/rke2/inputs.tf
@@ -12,3 +12,8 @@ variable "rke2_id" {
 description = "RKE2 node identifier"
 type = string
 }
+
+variable "ssh_user_pw" {
+ description = "SSH password for the nodes"
+ type = string
+}
diff --git a/terraform/rke2/main.tf b/terraform/rke2/main.tf
index 6fd4c7a..ebc3896 100644
--- a/terraform/rke2/main.tf
+++ b/terraform/rke2/main.tf
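Review bot: `variable "ssh_user_pw"` carries a password but is declared without `sensitive = true`, so Terraform prints its value in plan and apply output wherever it is interpolated — in this patch, inside the `remote-exec` inline script added to `terraform/rke2/main.tf`. Add `sensitive = true` to the block. The value is still stored in clear in the state file, so the state must be kept out of the repository too; the `.gitignore` context shown in patch 02 covers `*.tfstate.backup` and `*.tfvars`, but whether `*.tfstate` itself is ignored is outside the visible lines.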
@@ -1,5 +1,29 @@
 locals {
 local_file_path = "${path.root}/data"
+ sudoers_file = "/etc/sudoers.d/temp_nopasswd"
+}
+
+resource "null_resource" "initial-setup" {
+ connection {
+ type = "ssh"
+ agent = true
+ user = var.ssh_user
+ host = var.ssh_ip
+ }
+ provisioner "remote-exec" {
+ inline = [<<-EOT
+ #!/bin/bash
+ set -x
+ set -e
+ # disable sudo password prompt for ssh user
+ sudo -k && echo -e '${var.ssh_user_pw}\n${var.ssh_user} ALL=(ALL) NOPASSWD: ALL' | sudo -S tee ${local.sudoers_file} > /dev/null 2>&1
+
+ # install dependencies
+ sudo apt-get update && sudo apt-get upgrade -y
+ sudo apt-get install -y curl iptables
+ EOT
+ ]
+ }
+}
 module "download" {
@@ -31,7 +55,7 @@ module "config" {
 }
 module "rke2-install" {
- depends_on = [module.download, module.config]
+ depends_on = [module.download, module.config, null_resource.initial-setup]
 source = "rancher/rke2-install/null"
 version = "1.3.2"
@@ -50,3 +74,23 @@ module "rke2-install" {
 sudo useradd -r -c "etcd user" -s /sbin/nologin -M etcd -U
 EOT
 }
+
+resource "null_resource" "disable-password-less-sudo" {
+ depends_on = [module.rke2-install]
+
+ connection {
+ type = "ssh"
+ agent = true
+ user = var.ssh_user
+ host = var.ssh_ip
+ }
+ provisioner "remote-exec" {
+ inline = [<<-EOT
+ set -x
+ set -e
+ # re-enable sudo password prompt for ssh user
+ sudo rm -f ${local.sudoers_file}
+ EOT
+ ]
+ }
+}
From fb81003ce44a5b8960b0e3995a100fe7267be418 Mon Sep 17 00:00:00 2001
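Review bot: `set -x` at the top of the inline script makes bash print `sudo -k && echo -e '${var.ssh_user_pw}\n${var.ssh_user} ALL=(ALL) NOPASSWD: ALL' | sudo -S tee ${local.sudoers_file} > /dev/null 2>&1` with the password already substituted, and remote-exec relays the provisioner's output to the Terraform console and any CI log; the trailing redirect only silences tee, not the trace. Drop `set -x` from this script (or bracket the line with `set +x` / `set -x`) and mark the variable sensitive in `inputs.tf`. The password also sits inside a single-quoted string, so a value containing `'` breaks the quoting and the resulting error output may echo the rest of the line. The generated `${local.sudoers_file}` is installed without `visudo -cf` validation and with whatever mode tee's umask yields, whereas sudoers.d files are conventionally `0440`; `ALL=(ALL) NOPASSWD: ALL` is also broader than the `apt-get`, `cp`, `sysctl`, `systemctl` and `useradd` calls this series needs.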
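Review bot: `null_resource.disable-password-less-sudo` depends on `module.rke2-install`, so it is created — and `${local.sudoers_file}` removed — only when the whole install succeeds; an error or interrupted apply anywhere in between leaves a `NOPASSWD: ALL` rule for `var.ssh_user` on the host with nothing scheduled to clean it up. Terraform offers no provisioner that runs on a dependency's failure, so either narrow the temporary rule written by `initial-setup` to the commands actually needed, or document in `terraform/README.md` that a failed `rke2` apply requires checking `/etc/sudoers.d/temp_nopasswd` on the node before anything else.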
From: ProfiiDev <92174452+Profiidev@users.noreply.github.com> Date: Tue, 28 Oct 2025 22:54:45 +0100 Subject: [PATCH 04/43] feat: added longhorn --- devenv.nix | 1 + terraform/README.md | 7 + terraform/crd/.terraform.lock.hcl | 65 +++++++++ terraform/crd/default-deny.tf | 43 ++++++ terraform/crd/kube-prom-crd.tf | 56 +++++++ terraform/{modules/docker => crd}/main.tf | 0 .../templates/kube-prom.values.tftpl | 0 terraform/crd/variables.tf | 9 ++ terraform/main.tf | 135 ----------------- .../{access-policy => external-np}/main.tf | 0 terraform/modules/external-np/policy.tf | 24 +++ terraform/modules/external-np/variables.tf | 4 + .../{metrics-np => k8s-api-np}/main.tf | 0 terraform/modules/k8s-api-np/policy.tf | 22 +++ terraform/modules/k8s-api-np/variables.tf | 9 ++ terraform/modules/ns-np/main.tf | 10 ++ terraform/modules/ns-np/policy.tf | 25 ++++ terraform/modules/ns-np/variables.tf | 4 + terraform/modules_old/access-policy/main.tf | 10 ++ .../access-policy/policy.tf | 0 .../access-policy/variables.tf | 0 terraform/modules_old/docker/main.tf | 18 +++ .../docker/service.tf | 0 .../docker/variables.tf | 0 .../grafana-dashboard/dashboard.tf | 0 .../dashboards/alloy-controller.json | 0 .../dashboards/alloy-logs.json | 0 .../dashboards/alloy-otel.json | 0 .../dashboards/alloy-prom.json | 0 .../dashboards/alloy-resources.json | 0 .../dashboards/argo-cd-application.json | 0 .../dashboards/argo-cd-notifications.json | 0 .../dashboards/argo-cd-operational.json | 0 .../dashboards/cert-manager.json | 0 .../dashboards/coder-workspace-detail.json | 0 .../dashboards/coder-workspaces.json | 0 .../grafana-dashboard/dashboards/coderd.json | 0 .../dashboards/crowdsec-details.json | 0 .../dashboards/crowdsec-insight.json | 0 .../dashboards/crowdsec-overview.json | 0 .../dashboards/external-secrets.json | 0 .../dashboards/ingress-nginx-request.json | 0 .../dashboards/ingress-nginx.json | 0 .../dashboards/loki-chunks.json | 0 .../dashboards/loki-deletion.json | 0 
.../dashboards/loki-logs.json | 0 .../dashboards/loki-operational.json | 0 .../dashboards/loki-reads-resources.json | 0 .../dashboards/loki-reads.json | 0 .../dashboards/loki-retention.json | 0 .../dashboards/loki-writes-resources.json | 0 .../dashboards/loki-writes.json | 0 .../dashboards/longhorn.json | 0 .../grafana-dashboard/dashboards/minio.json | 0 .../dashboards/nats-jetstream.json | 0 .../grafana-dashboard/dashboards/nats.json | 0 .../dashboards/pgbouncer-overview.json | 0 .../dashboards/pgbouncer.json | 0 .../dashboards/pod-logs.json | 0 .../dashboards/postgres.json | 0 .../dashboards/tempo-block-builder.json | 0 .../dashboards/tempo-operational.json | 0 .../dashboards/tempo-reads.json | 0 .../dashboards/tempo-resources.json | 0 .../dashboards/tempo-rollout-progress.json | 0 .../dashboards/tempo-tenants.json | 0 .../dashboards/tempo-writes.json | 0 .../grafana-dashboard/dashboards/vault.json | 0 .../grafana-dashboard/main.tf | 0 .../grafana-dashboard/variables.tf | 0 terraform/modules_old/metrics-np/main.tf | 10 ++ .../metrics-np/policy.tf | 0 .../metrics-np/variables.tf | 0 terraform/network/default-deny.tf | 15 ++ terraform/network/ingress-nginx.tf | 20 +++ terraform/networking/main.tf | 0 terraform/networking/versions.tf | 3 - terraform/rke2/.gitignore | 1 - terraform/rke2/data/pss-custom.yaml | 14 ++ terraform/rke2/main.tf | 1 + terraform/storage/.terraform.lock.hcl | 65 +++++++++ terraform/storage/longhorn.tf | 138 +++--------------- .../storage/templates/longhorn.values.tftpl | 6 +- terraform/storage/variables.tf | 132 +---------------- terraform/{storage => storage_old}/couchdb.tf | 0 terraform/{storage => storage_old}/minio.tf | 0 terraform/{storage => storage_old}/nats.tf | 0 .../{storage => storage_old}/postgres.tf | 0 terraform/storage_old/variables.tf | 133 +++++++++++++++++ terraform/tools/lgtm.tf | 79 ---------- terraform/tools/longhorn-proxy.tf | 60 ++++++++ .../longhorn-oauth2-proxy.values.tftpl | 0 92 files changed, 651 insertions(+), 468 
deletions(-) create mode 100644 terraform/README.md create mode 100644 terraform/crd/.terraform.lock.hcl create mode 100644 terraform/crd/default-deny.tf create mode 100644 terraform/crd/kube-prom-crd.tf rename terraform/{modules/docker => crd}/main.tf (100%) rename terraform/{tools => crd}/templates/kube-prom.values.tftpl (100%) create mode 100644 terraform/crd/variables.tf delete mode 100644 terraform/main.tf rename terraform/modules/{access-policy => external-np}/main.tf (100%) create mode 100644 terraform/modules/external-np/policy.tf create mode 100644 terraform/modules/external-np/variables.tf rename terraform/modules/{metrics-np => k8s-api-np}/main.tf (100%) create mode 100644 terraform/modules/k8s-api-np/policy.tf create mode 100644 terraform/modules/k8s-api-np/variables.tf create mode 100644 terraform/modules/ns-np/main.tf create mode 100644 terraform/modules/ns-np/policy.tf create mode 100644 terraform/modules/ns-np/variables.tf create mode 100644 terraform/modules_old/access-policy/main.tf rename terraform/{modules => modules_old}/access-policy/policy.tf (100%) rename terraform/{modules => modules_old}/access-policy/variables.tf (100%) create mode 100644 terraform/modules_old/docker/main.tf rename terraform/{modules => modules_old}/docker/service.tf (100%) rename terraform/{modules => modules_old}/docker/variables.tf (100%) rename terraform/{modules => modules_old}/grafana-dashboard/dashboard.tf (100%) rename terraform/{modules => modules_old}/grafana-dashboard/dashboards/alloy-controller.json (100%) rename terraform/{modules => modules_old}/grafana-dashboard/dashboards/alloy-logs.json (100%) rename terraform/{modules => modules_old}/grafana-dashboard/dashboards/alloy-otel.json (100%) rename terraform/{modules => modules_old}/grafana-dashboard/dashboards/alloy-prom.json (100%) rename terraform/{modules => modules_old}/grafana-dashboard/dashboards/alloy-resources.json (100%) rename terraform/{modules => 
modules_old}/grafana-dashboard/dashboards/argo-cd-application.json (100%) rename terraform/{modules => modules_old}/grafana-dashboard/dashboards/argo-cd-notifications.json (100%) rename terraform/{modules => modules_old}/grafana-dashboard/dashboards/argo-cd-operational.json (100%) rename terraform/{modules => modules_old}/grafana-dashboard/dashboards/cert-manager.json (100%) rename terraform/{modules => modules_old}/grafana-dashboard/dashboards/coder-workspace-detail.json (100%) rename terraform/{modules => modules_old}/grafana-dashboard/dashboards/coder-workspaces.json (100%) rename terraform/{modules => modules_old}/grafana-dashboard/dashboards/coderd.json (100%) rename terraform/{modules => modules_old}/grafana-dashboard/dashboards/crowdsec-details.json (100%) rename terraform/{modules => modules_old}/grafana-dashboard/dashboards/crowdsec-insight.json (100%) rename terraform/{modules => modules_old}/grafana-dashboard/dashboards/crowdsec-overview.json (100%) rename terraform/{modules => modules_old}/grafana-dashboard/dashboards/external-secrets.json (100%) rename terraform/{modules => modules_old}/grafana-dashboard/dashboards/ingress-nginx-request.json (100%) rename terraform/{modules => modules_old}/grafana-dashboard/dashboards/ingress-nginx.json (100%) rename terraform/{modules => modules_old}/grafana-dashboard/dashboards/loki-chunks.json (100%) rename terraform/{modules => modules_old}/grafana-dashboard/dashboards/loki-deletion.json (100%) rename terraform/{modules => modules_old}/grafana-dashboard/dashboards/loki-logs.json (100%) rename terraform/{modules => modules_old}/grafana-dashboard/dashboards/loki-operational.json (100%) rename terraform/{modules => modules_old}/grafana-dashboard/dashboards/loki-reads-resources.json (100%) rename terraform/{modules => modules_old}/grafana-dashboard/dashboards/loki-reads.json (100%) rename terraform/{modules => modules_old}/grafana-dashboard/dashboards/loki-retention.json (100%) rename terraform/{modules => 
modules_old}/grafana-dashboard/dashboards/loki-writes-resources.json (100%) rename terraform/{modules => modules_old}/grafana-dashboard/dashboards/loki-writes.json (100%) rename terraform/{modules => modules_old}/grafana-dashboard/dashboards/longhorn.json (100%) rename terraform/{modules => modules_old}/grafana-dashboard/dashboards/minio.json (100%) rename terraform/{modules => modules_old}/grafana-dashboard/dashboards/nats-jetstream.json (100%) rename terraform/{modules => modules_old}/grafana-dashboard/dashboards/nats.json (100%) rename terraform/{modules => modules_old}/grafana-dashboard/dashboards/pgbouncer-overview.json (100%) rename terraform/{modules => modules_old}/grafana-dashboard/dashboards/pgbouncer.json (100%) rename terraform/{modules => modules_old}/grafana-dashboard/dashboards/pod-logs.json (100%) rename terraform/{modules => modules_old}/grafana-dashboard/dashboards/postgres.json (100%) rename terraform/{modules => modules_old}/grafana-dashboard/dashboards/tempo-block-builder.json (100%) rename terraform/{modules => modules_old}/grafana-dashboard/dashboards/tempo-operational.json (100%) rename terraform/{modules => modules_old}/grafana-dashboard/dashboards/tempo-reads.json (100%) rename terraform/{modules => modules_old}/grafana-dashboard/dashboards/tempo-resources.json (100%) rename terraform/{modules => modules_old}/grafana-dashboard/dashboards/tempo-rollout-progress.json (100%) rename terraform/{modules => modules_old}/grafana-dashboard/dashboards/tempo-tenants.json (100%) rename terraform/{modules => modules_old}/grafana-dashboard/dashboards/tempo-writes.json (100%) rename terraform/{modules => modules_old}/grafana-dashboard/dashboards/vault.json (100%) rename terraform/{modules => modules_old}/grafana-dashboard/main.tf (100%) rename terraform/{modules => modules_old}/grafana-dashboard/variables.tf (100%) create mode 100644 terraform/modules_old/metrics-np/main.tf rename terraform/{modules => modules_old}/metrics-np/policy.tf (100%) rename 
terraform/{modules => modules_old}/metrics-np/variables.tf (100%)
 delete mode 100644 terraform/networking/main.tf
 delete mode 100644 terraform/networking/versions.tf
 delete mode 100644 terraform/rke2/.gitignore
 create mode 100644 terraform/rke2/data/pss-custom.yaml
 create mode 100644 terraform/storage/.terraform.lock.hcl
 rename terraform/{storage => storage_old}/couchdb.tf (100%)
 rename terraform/{storage => storage_old}/minio.tf (100%)
 rename terraform/{storage => storage_old}/nats.tf (100%)
 rename terraform/{storage => storage_old}/postgres.tf (100%)
 create mode 100644 terraform/storage_old/variables.tf
 create mode 100644 terraform/tools/longhorn-proxy.tf
 rename terraform/{storage => tools}/templates/longhorn-oauth2-proxy.values.tftpl (100%)
diff --git a/devenv.nix b/devenv.nix
index fc53d47..cc9e2fe 100644
--- a/devenv.nix
+++ b/devenv.nix
@@ -1,5 +1,6 @@
 {
 enterShell = ''
 export KUBECONFIG="$DEVENV_ROOT/terraform/rke2/data/kubeconfig"
+ export KUBE_CONFIG_PATH=$KUBECONFIG
 '';
 }
diff --git a/terraform/README.md b/terraform/README.md
new file mode 100644
index 0000000..af70a22
--- /dev/null
+++ b/terraform/README.md
@@ -0,0 +1,7 @@
+# Terraform Configuration
+
+## Initial deployment order
+
+1. rke2: Deploy RKE2 Kubernetes cluster on the target machine.
+2. crd: Install Custom Resource Definitions (CRDs) and monitoring tools.
+3. storage: Set up storage solutions required for the cluster.
diff --git a/terraform/crd/.terraform.lock.hcl b/terraform/crd/.terraform.lock.hcl
new file mode 100644
index 0000000..362f7ae
--- /dev/null
+++ b/terraform/crd/.terraform.lock.hcl
@@ -0,0 +1,65 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/gavinbunney/kubectl" { + version = "1.19.0" + constraints = "~> 1.0" + hashes = [ + "h1:9QkxPjp0x5FZFfJbE+B7hBOoads9gmdfj9aYu5N4Sfc=", + "zh:1dec8766336ac5b00b3d8f62e3fff6390f5f60699c9299920fc9861a76f00c71", + "zh:43f101b56b58d7fead6a511728b4e09f7c41dc2e3963f59cf1c146c4767c6cb7", + "zh:4c4fbaa44f60e722f25cc05ee11dfaec282893c5c0ffa27bc88c382dbfbaa35c", + "zh:51dd23238b7b677b8a1abbfcc7deec53ffa5ec79e58e3b54d6be334d3d01bc0e", + "zh:5afc2ebc75b9d708730dbabdc8f94dd559d7f2fc5a31c5101358bd8d016916ba", + "zh:6be6e72d4663776390a82a37e34f7359f726d0120df622f4a2b46619338a168e", + "zh:72642d5fcf1e3febb6e5d4ae7b592bb9ff3cb220af041dbda893588e4bf30c0c", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:a1da03e3239867b35812ee031a1060fed6e8d8e458e2eaca48b5dd51b35f56f7", + "zh:b98b6a6728fe277fcd133bdfa7237bd733eae233f09653523f14460f608f8ba2", + "zh:bb8b071d0437f4767695c6158a3cb70df9f52e377c67019971d888b99147511f", + "zh:dc89ce4b63bfef708ec29c17e85ad0232a1794336dc54dd88c3ba0b77e764f71", + "zh:dd7dd18f1f8218c6cd19592288fde32dccc743cde05b9feeb2883f37c2ff4b4e", + "zh:ec4bd5ab3872dedb39fe528319b4bba609306e12ee90971495f109e142d66310", + "zh:f610ead42f724c82f5463e0e71fa735a11ffb6101880665d93f48b4a67b9ad82", + ] +} + +provider "registry.terraform.io/hashicorp/helm" { + version = "2.17.0" + constraints = "~> 2.0" + hashes = [ + "h1:K5FEjxvDnxb1JF1kG1xr8J3pNGxoaR3Z0IBG9Csm/Is=", + "zh:06fb4e9932f0afc1904d2279e6e99353c2ddac0d765305ce90519af410706bd4", + "zh:104eccfc781fc868da3c7fec4385ad14ed183eb985c96331a1a937ac79c2d1a7", + "zh:129345c82359837bb3f0070ce4891ec232697052f7d5ccf61d43d818912cf5f3", + "zh:3956187ec239f4045975b35e8c30741f701aa494c386aaa04ebabffe7749f81c", + "zh:66a9686d92a6b3ec43de3ca3fde60ef3d89fb76259ed3313ca4eb9bb8c13b7dd", + 
"zh:88644260090aa621e7e8083585c468c8dd5e09a3c01a432fb05da5c4623af940", + "zh:a248f650d174a883b32c5b94f9e725f4057e623b00f171936dcdcc840fad0b3e", + "zh:aa498c1f1ab93be5c8fbf6d48af51dc6ef0f10b2ea88d67bcb9f02d1d80d3930", + "zh:bf01e0f2ec2468c53596e027d376532a2d30feb72b0b5b810334d043109ae32f", + "zh:c46fa84cc8388e5ca87eb575a534ebcf68819c5a5724142998b487cb11246654", + "zh:d0c0f15ffc115c0965cbfe5c81f18c2e114113e7a1e6829f6bfd879ce5744fbb", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} + +provider "registry.terraform.io/hashicorp/kubernetes" { + version = "2.38.0" + constraints = "~> 2.0" + hashes = [ + "h1:5CkveFo5ynsLdzKk+Kv+r7+U9rMrNjfZPT3a0N/fhgE=", + "zh:0af928d776eb269b192dc0ea0f8a3f0f5ec117224cd644bdacdc682300f84ba0", + "zh:1be998e67206f7cfc4ffe77c01a09ac91ce725de0abaec9030b22c0a832af44f", + "zh:326803fe5946023687d603f6f1bab24de7af3d426b01d20e51d4e6fbe4e7ec1b", + "zh:4a99ec8d91193af961de1abb1f824be73df07489301d62e6141a656b3ebfff12", + "zh:5136e51765d6a0b9e4dbcc3b38821e9736bd2136cf15e9aac11668f22db117d2", + "zh:63fab47349852d7802fb032e4f2b6a101ee1ce34b62557a9ad0f0f0f5b6ecfdc", + "zh:924fb0257e2d03e03e2bfe9c7b99aa73c195b1f19412ca09960001bee3c50d15", + "zh:b63a0be5e233f8f6727c56bed3b61eb9456ca7a8bb29539fba0837f1badf1396", + "zh:d39861aa21077f1bc899bc53e7233262e530ba8a3a2d737449b100daeb303e4d", + "zh:de0805e10ebe4c83ce3b728a67f6b0f9d18be32b25146aa89116634df5145ad4", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:faf23e45f0090eef8ba28a8aac7ec5d4fdf11a36c40a8d286304567d71c1e7db", + ] +} diff --git a/terraform/crd/default-deny.tf b/terraform/crd/default-deny.tf new file mode 100644 index 0000000..08dd03b --- /dev/null +++ b/terraform/crd/default-deny.tf 
@@ -0,0 +1,43 @@ +resource "kubectl_manifest" "default_deny" { + yaml_body = < Date: Wed, 29 Oct 2025 17:36:56 +0100 Subject: [PATCH 05/43] refactor: moved secret storage to new logic --- terraform/README.md | 2 +- terraform/modules/ingress-np/main.tf | 10 ++ terraform/modules/ingress-np/policy.tf | 20 +++ terraform/modules/ingress-np/variables.tf | 9 ++ terraform/network/cert-manager.tf | 2 +- terraform/network/crowd-sec.tf | 2 +- terraform/network/ingress-nginx.tf | 4 +- terraform/secrets/docker-registry.tf | 2 +- terraform/secrets/external-secrets.tf | 98 ------------- .../cluster-ca-cert-volume-mount.tftpl | 4 - .../templates/cluster-ca-cert-volume.tftpl | 3 - terraform/storage/.terraform.lock.hcl | 57 ++++++++ terraform/storage/certs/.gitignore | 5 + terraform/{utils => storage}/cloudflare.tf | 10 +- .../ca-cert.tf => storage/cluster-ca-cert.tf} | 14 +- terraform/storage/external-secrets.tf | 54 +++++++ terraform/storage/longhorn.tf | 8 -- .../templates/csr.conf.tftpl | 0 .../templates/external-secrets.values.tftpl | 8 +- .../templates/vault-auto-unseal.values.tftpl | 2 +- .../templates/vault.values.tftpl | 18 ++- terraform/storage/variables.tf | 58 ++++++++ terraform/{secrets => storage}/vault-tls.tf | 0 terraform/{secrets => storage}/vault-token.tf | 0 terraform/{secrets => storage}/vault.tf | 133 ++++-------------- terraform/storage_old/couchdb.tf | 2 +- .../couchdb.values.tftpl | 0 .../minio-tenant.values.tftpl | 0 terraform/storage_old/minio.tf | 4 +- .../minio.values.tftpl | 0 .../nats.values.tftpl | 0 .../postgres-ui.values.tftpl | 0 .../postgres.values.tftpl | 0 terraform/tools/argo.tf | 2 +- terraform/tools/coder.tf | 2 +- terraform/tools/lgtm.tf | 4 +- terraform/tools/longhorn-proxy.tf | 4 +- terraform/tools/metrics.tf | 4 +- terraform/tools/nextcloud.tf | 2 +- terraform/tools/stalwart.tf | 6 +- terraform/tools/tailscale.tf | 2 +- terraform/tools/vaultwarden.tf | 2 +- 42 files changed, 297 insertions(+), 260 deletions(-) create mode 100644 
terraform/modules/ingress-np/main.tf create mode 100644 terraform/modules/ingress-np/policy.tf create mode 100644 terraform/modules/ingress-np/variables.tf delete mode 100644 terraform/secrets/external-secrets.tf delete mode 100644 terraform/secrets/templates/cluster-ca-cert-volume-mount.tftpl delete mode 100644 terraform/secrets/templates/cluster-ca-cert-volume.tftpl create mode 100644 terraform/storage/certs/.gitignore rename terraform/{utils => storage}/cloudflare.tf (85%) rename terraform/{secrets/ca-cert.tf => storage/cluster-ca-cert.tf} (85%) create mode 100644 terraform/storage/external-secrets.tf rename terraform/{secrets => storage}/templates/csr.conf.tftpl (100%) rename terraform/{secrets => storage}/templates/external-secrets.values.tftpl (51%) rename terraform/{secrets => storage}/templates/vault-auto-unseal.values.tftpl (89%) rename terraform/{secrets => storage}/templates/vault.values.tftpl (72%) rename terraform/{secrets => storage}/vault-tls.tf (100%) rename terraform/{secrets => storage}/vault-token.tf (100%) rename terraform/{secrets => storage}/vault.tf (56%) rename terraform/{storage/templates => storage_old}/couchdb.values.tftpl (100%) rename terraform/{storage/templates => storage_old}/minio-tenant.values.tftpl (100%) rename terraform/{storage/templates => storage_old}/minio.values.tftpl (100%) rename terraform/{storage/templates => storage_old}/nats.values.tftpl (100%) rename terraform/{storage/templates => storage_old}/postgres-ui.values.tftpl (100%) rename terraform/{storage/templates => storage_old}/postgres.values.tftpl (100%) diff --git a/terraform/README.md b/terraform/README.md index af70a22..37efcca 100644 --- a/terraform/README.md +++ b/terraform/README.md 
@@ -4,4 +4,4 @@ 1. rke2: Deploy RKE2 Kubernetes cluster on the target machine. 2. crd: Install Custom Resource Definitions (CRDs) and monitoring tools. -3. storage: Set up storage solutions required for the cluster. +3. storage: Set up storage solutions required for the cluster. (add cloudflare cert to vault) diff --git a/terraform/modules/ingress-np/main.tf b/terraform/modules/ingress-np/main.tf new file mode 100644 index 0000000..ce6bbdf --- /dev/null +++ b/terraform/modules/ingress-np/main.tf @@ -0,0 +1,10 @@ +terraform { + required_version = "~> 1.11" + + required_providers { + kubectl = { + source = "gavinbunney/kubectl" + version = "~> 1.0" + } + } +} diff --git a/terraform/modules/ingress-np/policy.tf b/terraform/modules/ingress-np/policy.tf new file mode 100644 index 0000000..0e4a4d6 --- /dev/null +++ b/terraform/modules/ingress-np/policy.tf @@ -0,0 +1,20 @@ +resource "kubectl_manifest" "ingress_np" { + yaml_body = < Date: Wed, 29 Oct 2025 17:55:32 +0100 Subject: [PATCH 06/43] refactor: moved ghcr secret --- terraform/secrets/certs/.gitignore | 5 - terraform/secrets/main.tf | 34 ------ terraform/secrets/variables.tf | 101 ------------------ .../{secrets => storage}/docker-registry.tf | 3 +- terraform/storage/variables.tf | 5 + 5 files changed, 6 insertions(+), 142 deletions(-) delete mode 100644 terraform/secrets/certs/.gitignore delete mode 100644 terraform/secrets/main.tf delete mode 100644 terraform/secrets/variables.tf rename terraform/{secrets => storage}/docker-registry.tf (90%) diff --git a/terraform/secrets/certs/.gitignore b/terraform/secrets/certs/.gitignore deleted file mode 100644 index 7d948cf..0000000 --- a/terraform/secrets/certs/.gitignore +++ /dev/null @@ -1,5 +0,0 @@ -*.csr -*.key -*.conf -*.crt -*.json \ No newline at end of file diff --git a/terraform/secrets/main.tf b/terraform/secrets/main.tf deleted file mode 100644 index bfdc86f..0000000 --- a/terraform/secrets/main.tf +++ /dev/null 
@@ -1,34 +0,0 @@ -terraform { - required_version = "~> 1.11" - - required_providers { - kubernetes = { - source = "hashicorp/kubernetes" - version = "~> 2.0" - } - helm = { - source = "hashicorp/helm" - version = "~> 2.0" - } - kubectl = { - source = "gavinbunney/kubectl" - version = "~> 1.0" - } - external = { - source = "hashicorp/external" - version = "~> 2.0" - } - local = { - source = "hashicorp/local" - version = "~> 2.0" - } - null = { - source = "hashicorp/null" - version = "~> 3.0" - } - template = { - source = "hashicorp/template" - version = "~> 2.0" - } - } -} diff --git a/terraform/secrets/variables.tf b/terraform/secrets/variables.tf deleted file mode 100644 index 4308a95..0000000 --- a/terraform/secrets/variables.tf +++ /dev/null 
@@ -1,101 +0,0 @@ -variable "secrets_ns" { - type = string -} - -variable "vault_global_token" { - type = string - default = "vault-global-token" -} - -variable "vault_global_token_prop" { - type = string - default = "token" -} - -variable "storage_class" { - type = string -} - -variable "cluster_secret_store" { - type = string -} - -variable "secret_store_label" { - type = object({ - key = string - value = string - }) -} - -variable "vault_svc" { - type = string - default = "vault" -} - -variable "vault_cert_var" { - type = string - default = "vault-server-tls" -} - -variable "vault_cert_prop" { - type = string - default = "vault" -} - -variable "vault_csr" { - type = string - default = "vault-csr" -} - -variable "cluster_ca_cert_var" { - type = string - default = "cluster-ca-cert" -} - -variable "cluster_ca_cert_label" { - type = object({ - key = string - value = string - }) -} - -variable "oidc_access_label" { - type = object({ - key = string - value = string - }) -} - -variable "positron_ns" { - type = string -} - -variable "cloudflare_cert_label" { - type = object({ - key = string - value = string - }) -} - -variable "cloudflare_ca_cert_var" { - type = string -} - -variable "cloudflare_cert_var" { - type = string -} - -variable "ingress_class" { - type = string -} - -variable "ghcr_profidev" { - type = string -} - -variable "ghcr_profidev_label" { - type = object({ - key = string - value = string - }) -} \ No newline at end of file diff --git a/terraform/secrets/docker-registry.tf b/terraform/storage/docker-registry.tf similarity index 90% rename from terraform/secrets/docker-registry.tf rename to terraform/storage/docker-registry.tf index 80d5b7a..5de592d 100644 --- a/terraform/secrets/docker-registry.tf +++ b/terraform/storage/docker-registry.tf 
@@ -7,8 +7,7 @@ metadata: spec: externalSecretName: ${var.ghcr_profidev} namespaceSelectors: - - matchLabels: - ${var.ghcr_profidev_label.key}: "${var.ghcr_profidev_label.value}" + - matchLabels: {} refreshTime: 15s externalSecretSpec: target: diff --git a/terraform/storage/variables.tf b/terraform/storage/variables.tf index 3610137..52025d0 100644 --- a/terraform/storage/variables.tf +++ b/terraform/storage/variables.tf @@ -28,6 +28,11 @@ variable "cloudflare_cert_var" { type = string } +variable "ghcr_profidev" { + description = "The name of the GHCR Profidev secret" + type = string +} + variable "vault_svc" { From da465c89c1022b8507efd0a2688ccbcbdfb54ec8 Mon Sep 17 00:00:00 2001 From: ProfiiDev <92174452+Profiidev@users.noreply.github.com> Date: Wed, 29 Oct 2025 18:17:55 +0100 Subject: [PATCH 07/43] refactor: added network code back --- terraform/network/.terraform.lock.hcl | 85 +++++++++++++++++++ terraform/network/cert-manager.tf | 35 ++++++-- terraform/network/crowd-sec.tf | 70 ++------------- terraform/network/default-deny.tf | 63 -------------- terraform/network/ingress-nginx.tf | 28 ------ terraform/network/metallb.tf | 54 ++++-------- terraform/network/variables.tf | 37 ++++---- .../storage/templates/vault.values.tftpl | 3 +- 8 files changed, 161 insertions(+), 214 deletions(-) create mode 100644 terraform/network/.terraform.lock.hcl delete mode 100644 terraform/network/default-deny.tf diff --git a/terraform/network/.terraform.lock.hcl b/terraform/network/.terraform.lock.hcl new file mode 100644 index 0000000..fa9297c --- /dev/null +++ b/terraform/network/.terraform.lock.hcl 
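Review bot: `- matchLabels: {}` under `namespaceSelectors` is an empty label selector, and an empty selector matches every namespace, so the pull secret named by `${var.ghcr_profidev}` is now created in all namespaces of the cluster instead of only those carrying the `ghcr_profidev_label` label that the removed lines selected on. That puts the registry credential within reach of any workload or principal with Secret read access in any namespace, which is wider than the previous opt-in model; the companion hunk in storage/variables.tf only carries over `ghcr_profidev`, so the label variable appears to have been dropped rather than re-scoped. If the intent is merely to avoid labelling namespaces, selecting the known consumer namespaces explicitly, e.g. `- matchLabels: { kubernetes.io/metadata.name: <consumer-namespace> }` (placeholder) per entry, keeps the blast radius where it was; if cluster-wide distribution is deliberate, a comment above the selector such as `# intentionally selects all namespaces: the GHCR pull secret must exist wherever images are pulled` would stop the next reader from treating it as an accident. The spec fields (`externalSecretName`, `namespaceSelectors`, `externalSecretSpec`) are those of a ClusterExternalSecret, but its `kind` line and the enclosing `yaml_body` heredoc and `kubectl_manifest` resource start and end outside the hunk.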
@@ -0,0 +1,85 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/gavinbunney/kubectl" { + version = "1.19.0" + constraints = "~> 1.0" + hashes = [ + "h1:9QkxPjp0x5FZFfJbE+B7hBOoads9gmdfj9aYu5N4Sfc=", + "zh:1dec8766336ac5b00b3d8f62e3fff6390f5f60699c9299920fc9861a76f00c71", + "zh:43f101b56b58d7fead6a511728b4e09f7c41dc2e3963f59cf1c146c4767c6cb7", + "zh:4c4fbaa44f60e722f25cc05ee11dfaec282893c5c0ffa27bc88c382dbfbaa35c", + "zh:51dd23238b7b677b8a1abbfcc7deec53ffa5ec79e58e3b54d6be334d3d01bc0e", + "zh:5afc2ebc75b9d708730dbabdc8f94dd559d7f2fc5a31c5101358bd8d016916ba", + "zh:6be6e72d4663776390a82a37e34f7359f726d0120df622f4a2b46619338a168e", + "zh:72642d5fcf1e3febb6e5d4ae7b592bb9ff3cb220af041dbda893588e4bf30c0c", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:a1da03e3239867b35812ee031a1060fed6e8d8e458e2eaca48b5dd51b35f56f7", + "zh:b98b6a6728fe277fcd133bdfa7237bd733eae233f09653523f14460f608f8ba2", + "zh:bb8b071d0437f4767695c6158a3cb70df9f52e377c67019971d888b99147511f", + "zh:dc89ce4b63bfef708ec29c17e85ad0232a1794336dc54dd88c3ba0b77e764f71", + "zh:dd7dd18f1f8218c6cd19592288fde32dccc743cde05b9feeb2883f37c2ff4b4e", + "zh:ec4bd5ab3872dedb39fe528319b4bba609306e12ee90971495f109e142d66310", + "zh:f610ead42f724c82f5463e0e71fa735a11ffb6101880665d93f48b4a67b9ad82", + ] +} + +provider "registry.terraform.io/hashicorp/external" { + version = "2.3.5" + constraints = "~> 2.0" + hashes = [ + "h1:smKSos4zs57pJjQrNuvGBpSWth2el9SgePPbPHo0aps=", + "zh:6e89509d056091266532fa64de8c06950010498adf9070bf6ff85bc485a82562", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:86868aec05b58dc0aa1904646a2c26b9367d69b890c9ad70c33c0d3aa7b1485a", + "zh:a2ce38fda83a62fa5fb5a70e6ca8453b168575feb3459fa39803f6f40bd42154", + "zh:a6c72798f4a9a36d1d1433c0372006cc9b904e8cfd60a2ae03ac5b7d2abd2398", + 
"zh:a8a3141d2fc71c86bf7f3c13b0b3be8a1b0f0144a47572a15af4dfafc051e28a", + "zh:aa20a1242eb97445ad26ebcfb9babf2cd675bdb81cac5f989268ebefa4ef278c", + "zh:b58a22445fb8804e933dcf835ab06c29a0f33148dce61316814783ee7f4e4332", + "zh:cb5626a661ee761e0576defb2a2d75230a3244799d380864f3089c66e99d0dcc", + "zh:d1acb00d20445f682c4e705c965e5220530209c95609194c2dc39324f3d4fcce", + "zh:d91a254ba77b69a29d8eae8ed0e9367cbf0ea6ac1a85b58e190f8cb096a40871", + "zh:f6592327673c9f85cdb6f20336faef240abae7621b834f189c4a62276ea5db41", + ] +} + +provider "registry.terraform.io/hashicorp/helm" { + version = "2.17.0" + constraints = "~> 2.0" + hashes = [ + "h1:K5FEjxvDnxb1JF1kG1xr8J3pNGxoaR3Z0IBG9Csm/Is=", + "zh:06fb4e9932f0afc1904d2279e6e99353c2ddac0d765305ce90519af410706bd4", + "zh:104eccfc781fc868da3c7fec4385ad14ed183eb985c96331a1a937ac79c2d1a7", + "zh:129345c82359837bb3f0070ce4891ec232697052f7d5ccf61d43d818912cf5f3", + "zh:3956187ec239f4045975b35e8c30741f701aa494c386aaa04ebabffe7749f81c", + "zh:66a9686d92a6b3ec43de3ca3fde60ef3d89fb76259ed3313ca4eb9bb8c13b7dd", + "zh:88644260090aa621e7e8083585c468c8dd5e09a3c01a432fb05da5c4623af940", + "zh:a248f650d174a883b32c5b94f9e725f4057e623b00f171936dcdcc840fad0b3e", + "zh:aa498c1f1ab93be5c8fbf6d48af51dc6ef0f10b2ea88d67bcb9f02d1d80d3930", + "zh:bf01e0f2ec2468c53596e027d376532a2d30feb72b0b5b810334d043109ae32f", + "zh:c46fa84cc8388e5ca87eb575a534ebcf68819c5a5724142998b487cb11246654", + "zh:d0c0f15ffc115c0965cbfe5c81f18c2e114113e7a1e6829f6bfd879ce5744fbb", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} + +provider "registry.terraform.io/hashicorp/kubernetes" { + version = "2.38.0" + constraints = "~> 2.0" + hashes = [ + "h1:5CkveFo5ynsLdzKk+Kv+r7+U9rMrNjfZPT3a0N/fhgE=", + "zh:0af928d776eb269b192dc0ea0f8a3f0f5ec117224cd644bdacdc682300f84ba0", + "zh:1be998e67206f7cfc4ffe77c01a09ac91ce725de0abaec9030b22c0a832af44f", + "zh:326803fe5946023687d603f6f1bab24de7af3d426b01d20e51d4e6fbe4e7ec1b", + 
"zh:4a99ec8d91193af961de1abb1f824be73df07489301d62e6141a656b3ebfff12", + "zh:5136e51765d6a0b9e4dbcc3b38821e9736bd2136cf15e9aac11668f22db117d2", + "zh:63fab47349852d7802fb032e4f2b6a101ee1ce34b62557a9ad0f0f0f5b6ecfdc", + "zh:924fb0257e2d03e03e2bfe9c7b99aa73c195b1f19412ca09960001bee3c50d15", + "zh:b63a0be5e233f8f6727c56bed3b61eb9456ca7a8bb29539fba0837f1badf1396", + "zh:d39861aa21077f1bc899bc53e7233262e530ba8a3a2d737449b100daeb303e4d", + "zh:de0805e10ebe4c83ce3b728a67f6b0f9d18be32b25146aa89116634df5145ad4", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:faf23e45f0090eef8ba28a8aac7ec5d4fdf11a36c40a8d286304567d71c1e7db", + ] +} diff --git a/terraform/network/cert-manager.tf b/terraform/network/cert-manager.tf index ccd6c17..d1ae18f 100644 --- a/terraform/network/cert-manager.tf +++ b/terraform/network/cert-manager.tf @@ -1,9 +1,6 @@ -resource "kubernetes_namespace" "cert_ns" { +resource "kubernetes_namespace" "cert" { metadata { name = var.cert_ns - labels = { - "${var.secret_store_label.key}" = var.secret_store_label.value - } } } @@ -11,12 +8,12 @@ resource "helm_release" "cert_manager" { name = "cert-manager" repository = "https://charts.jetstack.io" chart = "cert-manager" - version = "1.17.0" + version = "1.19.1" namespace = var.cert_ns values = [templatefile("${path.module}/templates/cert-manager.values.tftpl", {})] - depends_on = [kubernetes_namespace.cert_ns] + depends_on = [kubernetes_namespace.cert] } resource "kubectl_manifest" "cert_manager_secrets" { @@ -38,7 +35,7 @@ spec: key: certs/cert-manager YAML - depends_on = [kubernetes_namespace.cert_ns] + depends_on = [kubernetes_namespace.cert] } resource "kubectl_manifest" "cert_issuer" { @@ -105,7 +102,7 @@ spec: - 53 YAML - depends_on = [kubernetes_namespace.cert_ns] + depends_on = [kubernetes_namespace.cert] } resource "kubernetes_network_policy_v1" "cert_ns" { 
@@ -125,4 +122,26 @@ resource "kubernetes_network_policy_v1" "cert_ns" { } policy_types = ["Ingress"] } + + depends_on = [kubernetes_namespace.cert] +} + +resource "kubectl_manifest" "acme_allow" { + yaml_body = < Date: Wed, 29 Oct 2025 19:54:28 +0100 Subject: [PATCH 08/43] doc: added secrets list --- terraform/README.md | 27 +++++++++++++++++++++++++++ terraform/storage/vault.tf | 2 +- 2 files changed, 28 insertions(+), 1 deletion(-) diff --git a/terraform/README.md b/terraform/README.md index 37efcca..666b790 100644 --- a/terraform/README.md +++ b/terraform/README.md @@ -5,3 +5,30 @@ 1. rke2: Deploy RKE2 Kubernetes cluster on the target machine. 2. crd: Install Custom Resource Definitions (CRDs) and monitoring tools. 3. storage: Set up storage solutions required for the cluster. (add cloudflare cert to vault) +4. network: Configure networking components and services. + +## Required secrets in Vault + +docker/ghcr: + +- profidev: + +certs/cert-manager: + +- cloudflare: + +certs/cloudflare: + +- ca.crt: +- tls.crt: +- tls.key: + +certs/crowdsec: + +- API_KEY: + +certs/nginx: + +- API_KEY: +- CAPTCHA_KEY: +- CAPTCHA_SITE_KEY: diff --git a/terraform/storage/vault.tf b/terraform/storage/vault.tf index b99de32..93d1bda 100644 --- a/terraform/storage/vault.tf +++ b/terraform/storage/vault.tf @@ -21,7 +21,7 @@ resource "helm_release" "vault" { resource "helm_release" "vault_auto_unseal" { name = "vault-auto-unseal" - repository = "https://profiidev.github.io/server-config" + repository = "https://profiidev.github.io/helm-charts" chart = "vault-auto-unseal" version = "0.1.12" namespace = var.secrets_ns From 8562dbd2121857ffcbeb5033b931fe8a0a6b06c3 Mon Sep 17 00:00:00 2001 
From: ProfiiDev <92174452+Profiidev@users.noreply.github.com> Date: Wed, 29 Oct 2025 19:57:59 +0100 Subject: [PATCH 09/43] reafctor: removed all code moved to different repos --- .github/dependabot.yml | 23 - .../workflows/auto-merge-helm-chart-bump.yml | 19 - .github/workflows/auto-merge.yml | 21 - .github/workflows/auto-unseal-cd.yml | 82 -- .github/workflows/helm-chart-bump.yml | 34 - .github/workflows/helm-release.yml | 30 - .github/workflows/linting.yml | 32 - .gitignore | 1 - .terraform.lock.hcl | 158 ---- Cargo.lock | 882 ------------------ Cargo.toml | 3 - README.md | 59 +- apps/vault-auto-unseal/Cargo.toml | 14 - apps/vault-auto-unseal/Dockerfile | 41 - apps/vault-auto-unseal/src/main.rs | 73 -- charts/auto-clean-bot/.helmignore | 23 - charts/auto-clean-bot/Chart.yaml | 5 - .../templates/bot-deployment.yaml | 53 -- .../templates/bot-external-secret.yaml | 16 - .../templates/bot-network-policy.yaml | 22 - charts/auto-clean-bot/values.yaml | 19 - charts/charm/.helmignore | 23 - charts/charm/Chart.yaml | 5 - .../charm/templates/backend-deployment.yaml | 55 -- .../templates/backend-external-secret.yaml | 16 - charts/charm/templates/backend-ingress.yaml | 36 - .../templates/backend-network-policy.yaml | 31 - charts/charm/templates/backend-service.yaml | 14 - .../charm/templates/frontend-deployment.yaml | 40 - charts/charm/templates/frontend-ingress.yaml | 29 - .../templates/frontend-network-policy.yaml | 20 - charts/charm/templates/frontend-service.yaml | 14 - charts/charm/values.yaml | 46 - charts/higgs/.helmignore | 23 - charts/higgs/Chart.yaml | 5 - .../higgs/templates/frontend-deployment.yaml | 38 - charts/higgs/templates/frontend-ingress.yaml | 29 - .../templates/frontend-network-policy.yaml | 20 - charts/higgs/templates/frontend-service.yaml | 14 - charts/higgs/values.yaml | 14 - charts/positron/.helmignore | 23 - charts/positron/Chart.yaml | 5 - .../templates/backend-deployment.yaml | 53 -- .../templates/backend-external-secret.yaml | 16 - 
.../positron/templates/backend-ingress.yaml | 36 - .../templates/backend-network-policy.yaml | 31 - .../positron/templates/backend-service.yaml | 14 - .../templates/frontend-deployment.yaml | 38 - .../positron/templates/frontend-ingress.yaml | 29 - .../templates/frontend-network-policy.yaml | 20 - .../positron/templates/frontend-service.yaml | 14 - charts/positron/values.yaml | 49 - charts/proton/.helmignore | 23 - charts/proton/Chart.yaml | 5 - .../proton/templates/backend-deployment.yaml | 53 -- .../templates/backend-external-secret.yaml | 16 - charts/proton/templates/backend-ingress.yaml | 29 - .../templates/backend-network-policy.yaml | 19 - charts/proton/templates/backend-service.yaml | 14 - charts/proton/values.yaml | 31 - charts/vault-auto-unseal/.helmignore | 24 - charts/vault-auto-unseal/Chart.yaml | 8 - .../templates/deployment.yaml | 37 - .../templates/network-policy.yaml | 23 - charts/vault-auto-unseal/values.yaml | 33 - main.tf | 42 - rustfmt.toml | 1 - 67 files changed, 1 insertion(+), 2767 deletions(-) delete mode 100644 .github/dependabot.yml delete mode 100644 .github/workflows/auto-merge-helm-chart-bump.yml delete mode 100644 .github/workflows/auto-merge.yml delete mode 100644 .github/workflows/auto-unseal-cd.yml delete mode 100644 .github/workflows/helm-chart-bump.yml delete mode 100644 .github/workflows/helm-release.yml delete mode 100644 .github/workflows/linting.yml delete mode 100644 .terraform.lock.hcl delete mode 100644 Cargo.lock delete mode 100644 Cargo.toml delete mode 100644 apps/vault-auto-unseal/Cargo.toml delete mode 100644 apps/vault-auto-unseal/Dockerfile delete mode 100644 apps/vault-auto-unseal/src/main.rs delete mode 100644 charts/auto-clean-bot/.helmignore delete mode 100644 charts/auto-clean-bot/Chart.yaml delete mode 100644 charts/auto-clean-bot/templates/bot-deployment.yaml delete mode 100644 charts/auto-clean-bot/templates/bot-external-secret.yaml delete mode 100644 charts/auto-clean-bot/templates/bot-network-policy.yaml 
delete mode 100644 charts/auto-clean-bot/values.yaml delete mode 100644 charts/charm/.helmignore delete mode 100644 charts/charm/Chart.yaml delete mode 100644 charts/charm/templates/backend-deployment.yaml delete mode 100644 charts/charm/templates/backend-external-secret.yaml delete mode 100644 charts/charm/templates/backend-ingress.yaml delete mode 100644 charts/charm/templates/backend-network-policy.yaml delete mode 100644 charts/charm/templates/backend-service.yaml delete mode 100644 charts/charm/templates/frontend-deployment.yaml delete mode 100644 charts/charm/templates/frontend-ingress.yaml delete mode 100644 charts/charm/templates/frontend-network-policy.yaml delete mode 100644 charts/charm/templates/frontend-service.yaml delete mode 100644 charts/charm/values.yaml delete mode 100644 charts/higgs/.helmignore delete mode 100644 charts/higgs/Chart.yaml delete mode 100644 charts/higgs/templates/frontend-deployment.yaml delete mode 100644 charts/higgs/templates/frontend-ingress.yaml delete mode 100644 charts/higgs/templates/frontend-network-policy.yaml delete mode 100644 charts/higgs/templates/frontend-service.yaml delete mode 100644 charts/higgs/values.yaml delete mode 100644 charts/positron/.helmignore delete mode 100644 charts/positron/Chart.yaml delete mode 100644 charts/positron/templates/backend-deployment.yaml delete mode 100644 charts/positron/templates/backend-external-secret.yaml delete mode 100644 charts/positron/templates/backend-ingress.yaml delete mode 100644 charts/positron/templates/backend-network-policy.yaml delete mode 100644 charts/positron/templates/backend-service.yaml delete mode 100644 charts/positron/templates/frontend-deployment.yaml delete mode 100644 charts/positron/templates/frontend-ingress.yaml delete mode 100644 charts/positron/templates/frontend-network-policy.yaml delete mode 100644 charts/positron/templates/frontend-service.yaml delete mode 100644 charts/positron/values.yaml delete mode 100644 charts/proton/.helmignore delete 
mode 100644 charts/proton/Chart.yaml delete mode 100644 charts/proton/templates/backend-deployment.yaml delete mode 100644 charts/proton/templates/backend-external-secret.yaml delete mode 100644 charts/proton/templates/backend-ingress.yaml delete mode 100644 charts/proton/templates/backend-network-policy.yaml delete mode 100644 charts/proton/templates/backend-service.yaml delete mode 100644 charts/proton/values.yaml delete mode 100644 charts/vault-auto-unseal/.helmignore delete mode 100644 charts/vault-auto-unseal/Chart.yaml delete mode 100644 charts/vault-auto-unseal/templates/deployment.yaml delete mode 100644 charts/vault-auto-unseal/templates/network-policy.yaml delete mode 100644 charts/vault-auto-unseal/values.yaml delete mode 100644 main.tf delete mode 100644 rustfmt.toml diff --git a/.github/dependabot.yml b/.github/dependabot.yml deleted file mode 100644 index c71c918..0000000 --- a/.github/dependabot.yml +++ /dev/null @@ -1,23 +0,0 @@ -version: 2 -updates: - # Maintain dependencies for Cargo - - package-ecosystem: cargo - directory: "/" - schedule: - interval: weekly - open-pull-requests-limit: 10 - groups: - all-dependencies: - patterns: - - "*" - - # Maintain dependencies for GitHub Actions - - package-ecosystem: github-actions - directory: "/" - schedule: - interval: weekly - open-pull-requests-limit: 10 - groups: - all-dependencies: - patterns: - - "*" diff --git a/.github/workflows/auto-merge-helm-chart-bump.yml b/.github/workflows/auto-merge-helm-chart-bump.yml deleted file mode 100644 index af9ef32..0000000 --- a/.github/workflows/auto-merge-helm-chart-bump.yml +++ /dev/null 
@@ -1,19 +0,0 @@ -name: Auto Merge PR with Helm Chart Version Bump - -on: - pull_request: - types: - - labeled - -jobs: - merge: - if: ${{ github.event.label.name == 'bump-chart' && github.event.pull_request.user.login == 'Profiidev' }} - runs-on: ubuntu-latest - steps: - - name: Checkout code - uses: actions/checkout@v5 - - name: Enable auto-merge for PR - run: gh pr merge ${{ github.event.pull_request.number }} --auto --squash - env: - GITHUB_TOKEN: ${{ secrets.PERSONAL_TOKEN }} - GITHUB_REPOSITORY: ${{ github.repository }} diff --git a/.github/workflows/auto-merge.yml b/.github/workflows/auto-merge.yml deleted file mode 100644 index 8c68b44..0000000 --- a/.github/workflows/auto-merge.yml +++ /dev/null @@ -1,21 +0,0 @@ -name: Dependabot Auto Merge - -on: - pull_request_target: - -permissions: - contents: read - pull-requests: write - -jobs: - dependabot: - runs-on: ubuntu-latest - if: ${{ github.actor == 'dependabot[bot]' }} - steps: - - name: Checkout code - uses: actions/checkout@v5 - - name: Enable auto-merge for PR - run: gh pr merge ${{ github.event.pull_request.number }} --auto --squash - env: - GITHUB_TOKEN: ${{ secrets.PERSONAL_TOKEN }} - GITHUB_REPOSITORY: ${{ github.repository }} diff --git a/.github/workflows/auto-unseal-cd.yml b/.github/workflows/auto-unseal-cd.yml deleted file mode 100644 index a3945f9..0000000 --- a/.github/workflows/auto-unseal-cd.yml +++ /dev/null 
@@ -1,82 +0,0 @@ -name: VaultAutoUnseal Continuous Deployment - -on: - push: - branches: - - main - tags: - - "vault-auto-unseal-*" - pull_request: - -env: - REGISTRY: ghcr.io - IMAGE_NAME: ${{ github.repository }}/vault_auto_unseal - -jobs: - build: - name: Build VaultAutoUnseal - runs-on: ubuntu-latest - - permissions: - contents: read - packages: write - attestations: write - id-token: write - security-events: write - - steps: - - name: Checkout repository - uses: actions/checkout@v5 - with: - fetch-depth: 0 - - - name: Set up Docker Buildx - uses: docker/setup-buildx-action@v3 - - - name: Login to DockerHub - uses: docker/login-action@v3 - with: - registry: ${{ env.REGISTRY }} - username: ${{ github.actor }} - password: ${{ secrets.GITHUB_TOKEN }} - - - name: Extract metadata (tags, labels) for Docker - id: meta - uses: docker/metadata-action@v5 - with: - images: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }} - - - name: Build and push - id: push - uses: docker/build-push-action@v6 - with: - context: ./ - file: apps/vault-auto-unseal/Dockerfile - push: ${{ github.event_name != 'pull_request' }} - load: ${{ github.event_name == 'pull_request' }} - tags: ${{ steps.meta.outputs.tags }} - labels: ${{ steps.meta.outputs.labels }} - cache-from: type=gha - cache-to: type=gha,mode=max - - - name: Generate artifact attestation - uses: actions/attest-build-provenance@v3 - if: github.event_name != 'pull_request' - with: - subject-name: ${{ env.REGISTRY }}/${{ env.IMAGE_NAME}} - subject-digest: ${{ steps.push.outputs.digest }} - push-to-registry: true - - - name: Run Trivy vulnerability scanner - uses: aquasecurity/trivy-action@0.33.1 - if: github.event_name == 'pull_request' - with: - image-ref: ${{ fromJSON(steps.meta.outputs.json).tags[0] }} - format: "sarif" - output: "trivy-results.sarif" - - - name: Upload Trivy scan results to GitHub Security tab - uses: github/codeql-action/upload-sarif@v4 - if: ${{ !cancelled() && github.event_name == 'pull_request' }} - with: - 
sarif_file: "trivy-results.sarif" diff --git a/.github/workflows/helm-chart-bump.yml b/.github/workflows/helm-chart-bump.yml deleted file mode 100644 index ba33281..0000000 --- a/.github/workflows/helm-chart-bump.yml +++ /dev/null @@ -1,34 +0,0 @@ -name: Bump Helm Chart Version - -on: - repository_dispatch: - types: [bump-chart] - -jobs: - bump-chart: - runs-on: ubuntu-latest - steps: - - name: Checkout code - with: - token: ${{ secrets.PERSONAL_TOKEN }} - uses: actions/checkout@v5 - - - name: Bump chart version - id: bump_chart - run: | - chart_name=${{ github.event.client_payload.chart_name }} - chart_version=${{ github.event.client_payload.chart_version }} - echo "Bumping version for $chart_name to $chart_version" - sed -i "s/^version: .*/version: $chart_version/" charts/$chart_name/Chart.yaml - - - name: Create PR - uses: peter-evans/create-pull-request@v7 - with: - token: ${{ secrets.PERSONAL_TOKEN }} - commit-message: "Bump chart version for ${{ github.event.client_payload.chart_name }} to ${{ github.event.client_payload.chart_version }}" - branch: chore/bump-chart-version-${{ github.event.client_payload.chart_name }}-${{ github.event.client_payload.chart_version }} - title: "Bump chart version for ${{ github.event.client_payload.chart_name }} to ${{ github.event.client_payload.chart_version }}" - body: "This PR bumps the chart version for ${{ github.event.client_payload.chart_name }} to ${{ github.event.client_payload.chart_version }}." - base: main - sign-commits: true - labels: bump-chart diff --git a/.github/workflows/helm-release.yml b/.github/workflows/helm-release.yml deleted file mode 100644 index a34ec0f..0000000 --- a/.github/workflows/helm-release.yml +++ /dev/null 
@@ -1,30 +0,0 @@ -name: Helm Continuous Deployment - -on: - push: - branches: - - main - -jobs: - release: - name: Release Helm Charts - runs-on: ubuntu-latest - - permissions: - contents: write - - steps: - - name: Checkout - uses: actions/checkout@v5 - with: - fetch-depth: 0 - token: ${{ secrets.PERSONAL_TOKEN }} - - - name: Configure Git user - run: | - git config user.name "$GITHUB_ACTOR" - git config user.email "$GITHUB_ACTOR@users.noreply.github.com" - - name: Run chart-releaser job - uses: helm/chart-releaser-action@v1 - env: - CR_TOKEN: "${{ secrets.PERSONAL_TOKEN }}" diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml deleted file mode 100644 index cf43b7e..0000000 --- a/.github/workflows/linting.yml +++ /dev/null @@ -1,32 +0,0 @@ -name: Checks and Validation -on: - pull_request: - -jobs: - linters: - name: Run linters - runs-on: ubuntu-latest - permissions: - checks: write - contents: write - steps: - - uses: actions/checkout@v5 - with: - token: ${{ secrets.PERSONAL_TOKEN }} - - uses: dtolnay/rust-toolchain@stable - with: - components: clippy,rustfmt - - - name: Cache cargo and rust files - id: rust_cache - uses: Swatinem/rust-cache@v2 - with: - cache-on-failure: true - shared-key: "linter_cache" - - - name: Run linters - uses: profiidev/rust-lint-action@v3 - with: - rustfmt: true - clippy: true - auto_fix: true diff --git a/.gitignore b/.gitignore index 0939eba..9119390 100644 --- a/.gitignore +++ b/.gitignore @@ -3,7 +3,6 @@ *.tfstate.backup *.lock.info *.tfvars -target/ # Devenv .devenv* diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl deleted file mode 100644 index c6988cf..0000000 --- a/.terraform.lock.hcl +++ /dev/null 
@@ -1,158 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/gavinbunney/kubectl" { - version = "1.19.0" - constraints = "~> 1.0" - hashes = [ - "h1:9QkxPjp0x5FZFfJbE+B7hBOoads9gmdfj9aYu5N4Sfc=", - "zh:1dec8766336ac5b00b3d8f62e3fff6390f5f60699c9299920fc9861a76f00c71", - "zh:43f101b56b58d7fead6a511728b4e09f7c41dc2e3963f59cf1c146c4767c6cb7", - "zh:4c4fbaa44f60e722f25cc05ee11dfaec282893c5c0ffa27bc88c382dbfbaa35c", - "zh:51dd23238b7b677b8a1abbfcc7deec53ffa5ec79e58e3b54d6be334d3d01bc0e", - "zh:5afc2ebc75b9d708730dbabdc8f94dd559d7f2fc5a31c5101358bd8d016916ba", - "zh:6be6e72d4663776390a82a37e34f7359f726d0120df622f4a2b46619338a168e", - "zh:72642d5fcf1e3febb6e5d4ae7b592bb9ff3cb220af041dbda893588e4bf30c0c", - "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", - "zh:a1da03e3239867b35812ee031a1060fed6e8d8e458e2eaca48b5dd51b35f56f7", - "zh:b98b6a6728fe277fcd133bdfa7237bd733eae233f09653523f14460f608f8ba2", - "zh:bb8b071d0437f4767695c6158a3cb70df9f52e377c67019971d888b99147511f", - "zh:dc89ce4b63bfef708ec29c17e85ad0232a1794336dc54dd88c3ba0b77e764f71", - "zh:dd7dd18f1f8218c6cd19592288fde32dccc743cde05b9feeb2883f37c2ff4b4e", - "zh:ec4bd5ab3872dedb39fe528319b4bba609306e12ee90971495f109e142d66310", - "zh:f610ead42f724c82f5463e0e71fa735a11ffb6101880665d93f48b4a67b9ad82", - ] -} - -provider "registry.terraform.io/hashicorp/external" { - version = "2.3.4" - hashes = [ - "h1:XWkRZOLKMjci9/JAtE8X8fWOt7A4u+9mgXSUjc4Wuyo=", - "zh:037fd82cd86227359bc010672cd174235e2d337601d4686f526d0f53c87447cb", - "zh:0ea1db63d6173d01f2fa8eb8989f0809a55135a0d8d424b08ba5dabad73095fa", - "zh:17a4d0a306566f2e45778fbac48744b6fd9c958aaa359e79f144c6358cb93af0", - "zh:298e5408ab17fd2e90d2cd6d406c6d02344fe610de5b7dae943a58b958e76691", - "zh:38ecfd29ee0785fd93164812dcbe0664ebbe5417473f3b2658087ca5a0286ecb", - "zh:59f6a6f31acf66f4ea3667a555a70eba5d406c6e6d93c2c641b81d63261eeace", - 
"zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:ad0279dfd09d713db0c18469f585e58d04748ca72d9ada83883492e0dd13bd58", - "zh:c69f66fd21f5e2c8ecf7ca68d9091c40f19ad913aef21e3ce23836e91b8cbb5f", - "zh:d4a56f8c48aa86fc8e0c233d56850f5783f322d6336f3bf1916e293246b6b5d4", - "zh:f2b394ebd4af33f343835517e80fc876f79361f4688220833bc3c77655dd2202", - "zh:f31982f29f12834e5d21e010856eddd19d59cd8f449adf470655bfd19354377e", - ] -} - -provider "registry.terraform.io/hashicorp/helm" { - version = "2.17.0" - constraints = "~> 2.0" - hashes = [ - "h1:K5FEjxvDnxb1JF1kG1xr8J3pNGxoaR3Z0IBG9Csm/Is=", - "zh:06fb4e9932f0afc1904d2279e6e99353c2ddac0d765305ce90519af410706bd4", - "zh:104eccfc781fc868da3c7fec4385ad14ed183eb985c96331a1a937ac79c2d1a7", - "zh:129345c82359837bb3f0070ce4891ec232697052f7d5ccf61d43d818912cf5f3", - "zh:3956187ec239f4045975b35e8c30741f701aa494c386aaa04ebabffe7749f81c", - "zh:66a9686d92a6b3ec43de3ca3fde60ef3d89fb76259ed3313ca4eb9bb8c13b7dd", - "zh:88644260090aa621e7e8083585c468c8dd5e09a3c01a432fb05da5c4623af940", - "zh:a248f650d174a883b32c5b94f9e725f4057e623b00f171936dcdcc840fad0b3e", - "zh:aa498c1f1ab93be5c8fbf6d48af51dc6ef0f10b2ea88d67bcb9f02d1d80d3930", - "zh:bf01e0f2ec2468c53596e027d376532a2d30feb72b0b5b810334d043109ae32f", - "zh:c46fa84cc8388e5ca87eb575a534ebcf68819c5a5724142998b487cb11246654", - "zh:d0c0f15ffc115c0965cbfe5c81f18c2e114113e7a1e6829f6bfd879ce5744fbb", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - ] -} - -provider "registry.terraform.io/hashicorp/kubernetes" { - version = "2.36.0" - constraints = "~> 2.0" - hashes = [ - "h1:vdY0sxo7ahwuz/y7flXTE04tSwn0Zhxyg6n62aTmAHI=", - "zh:07f38fcb7578984a3e2c8cf0397c880f6b3eb2a722a120a08a634a607ea495ca", - "zh:1adde61769c50dbb799d8bf8bfd5c8c504a37017dfd06c7820f82bcf44ca0d39", - "zh:39707f23ab58fd0e686967c0f973c0f5a39c14d6ccfc757f97c345fdd0cd4624", - "zh:4cc3dc2b5d06cc22d1c734f7162b0a8fdc61990ff9efb64e59412d65a7ccc92a", - 
"zh:8382dcb82ba7303715b5e67939e07dd1c8ecddbe01d12f39b82b2b7d7357e1d9", - "zh:88e8e4f90034186b8bfdea1b8d394621cbc46a064ff2418027e6dba6807d5227", - "zh:a6276a75ad170f76d88263fdb5f9558998bf3a3f7650d7bd3387b396410e59f3", - "zh:bc816c7e0606e5df98a0c7634b240bb0c8100c3107b8b17b554af702edc6a0c5", - "zh:cb2f31d58f37020e840af52755c18afd1f09a833c4903ac59270ab440fab57b7", - "zh:ee0d103b8d0089fb1918311683110b4492a9346f0471b136af46d3b019576b22", - "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", - "zh:f688b9ec761721e401f6859c19c083e3be20a650426f4747cd359cdc079d212a", - ] -} - -provider "registry.terraform.io/hashicorp/local" { - version = "2.5.2" - hashes = [ - "h1:JlMZD6nYqJ8sSrFfEAH0Vk/SL8WLZRmFaMUF9PJK5wM=", - "zh:136299545178ce281c56f36965bf91c35407c11897f7082b3b983d86cb79b511", - "zh:3b4486858aa9cb8163378722b642c57c529b6c64bfbfc9461d940a84cd66ebea", - "zh:4855ee628ead847741aa4f4fc9bed50cfdbf197f2912775dd9fe7bc43fa077c0", - "zh:4b8cd2583d1edcac4011caafe8afb7a95e8110a607a1d5fb87d921178074a69b", - "zh:52084ddaff8c8cd3f9e7bcb7ce4dc1eab00602912c96da43c29b4762dc376038", - "zh:71562d330d3f92d79b2952ffdda0dad167e952e46200c767dd30c6af8d7c0ed3", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:805f81ade06ff68fa8b908d31892eaed5c180ae031c77ad35f82cb7a74b97cf4", - "zh:8b6b3ebeaaa8e38dd04e56996abe80db9be6f4c1df75ac3cccc77642899bd464", - "zh:ad07750576b99248037b897de71113cc19b1a8d0bc235eb99173cc83d0de3b1b", - "zh:b9f1c3bfadb74068f5c205292badb0661e17ac05eb23bfe8bd809691e4583d0e", - "zh:cc4cbcd67414fefb111c1bf7ab0bc4beb8c0b553d01719ad17de9a047adff4d1", - ] -} - -provider "registry.terraform.io/hashicorp/null" { - version = "3.2.3" - hashes = [ - "h1:+AnORRgFbRO6qqcfaQyeX80W0eX3VmjadjnUFUJTiXo=", - "zh:22d062e5278d872fe7aed834f5577ba0a5afe34a3bdac2b81f828d8d3e6706d2", - "zh:23dead00493ad863729495dc212fd6c29b8293e707b055ce5ba21ee453ce552d", - "zh:28299accf21763ca1ca144d8f660688d7c2ad0b105b7202554ca60b02a3856d3", - 
"zh:55c9e8a9ac25a7652df8c51a8a9a422bd67d784061b1de2dc9fe6c3cb4e77f2f", - "zh:756586535d11698a216291c06b9ed8a5cc6a4ec43eee1ee09ecd5c6a9e297ac1", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:9d5eea62fdb587eeb96a8c4d782459f4e6b73baeece4d04b4a40e44faaee9301", - "zh:a6355f596a3fb8fc85c2fb054ab14e722991533f87f928e7169a486462c74670", - "zh:b5a65a789cff4ada58a5baffc76cb9767dc26ec6b45c00d2ec8b1b027f6db4ed", - "zh:db5ab669cf11d0e9f81dc380a6fdfcac437aea3d69109c7aef1a5426639d2d65", - "zh:de655d251c470197bcbb5ac45d289595295acb8f829f6c781d4a75c8c8b7c7dd", - "zh:f5c68199f2e6076bce92a12230434782bf768103a427e9bb9abee99b116af7b5", - ] -} - -provider "registry.terraform.io/hashicorp/random" { - version = "3.7.2" - hashes = [ - "h1:356j/3XnXEKr9nyicLUufzoF4Yr6hRy481KIxRVpK0c=", - "zh:14829603a32e4bc4d05062f059e545a91e27ff033756b48afbae6b3c835f508f", - "zh:1527fb07d9fea400d70e9e6eb4a2b918d5060d604749b6f1c361518e7da546dc", - "zh:1e86bcd7ebec85ba336b423ba1db046aeaa3c0e5f921039b3f1a6fc2f978feab", - "zh:24536dec8bde66753f4b4030b8f3ef43c196d69cccbea1c382d01b222478c7a3", - "zh:29f1786486759fad9b0ce4fdfbbfece9343ad47cd50119045075e05afe49d212", - "zh:4d701e978c2dd8604ba1ce962b047607701e65c078cb22e97171513e9e57491f", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:7b8434212eef0f8c83f5a90c6d76feaf850f6502b61b53c329e85b3b281cba34", - "zh:ac8a23c212258b7976e1621275e3af7099e7e4a3d4478cf8d5d2a27f3bc3e967", - "zh:b516ca74431f3df4c6cf90ddcdb4042c626e026317a33c53f0b445a3d93b720d", - "zh:dc76e4326aec2490c1600d6871a95e78f9050f9ce427c71707ea412a2f2f1a62", - "zh:eac7b63e86c749c7d48f527671c7aee5b4e26c10be6ad7232d6860167f99dbb0", - ] -} - -provider "registry.terraform.io/hashicorp/template" { - version = "2.2.0" - hashes = [ - "h1:94qn780bi1qjrbC3uQtjJh3Wkfwd5+tTtJHOb7KTg9w=", - "zh:01702196f0a0492ec07917db7aaa595843d8f171dc195f4c988d2ffca2a06386", - "zh:09aae3da826ba3d7df69efeb25d146a1de0d03e951d35019a0f80e4f58c89b53", - 
"zh:09ba83c0625b6fe0a954da6fbd0c355ac0b7f07f86c91a2a97849140fea49603", - "zh:0e3a6c8e16f17f19010accd0844187d524580d9fdb0731f675ffcf4afba03d16", - "zh:45f2c594b6f2f34ea663704cc72048b212fe7d16fb4cfd959365fa997228a776", - "zh:77ea3e5a0446784d77114b5e851c970a3dde1e08fa6de38210b8385d7605d451", - "zh:8a154388f3708e3df5a69122a23bdfaf760a523788a5081976b3d5616f7d30ae", - "zh:992843002f2db5a11e626b3fc23dc0c87ad3729b3b3cff08e32ffb3df97edbde", - "zh:ad906f4cebd3ec5e43d5cd6dc8f4c5c9cc3b33d2243c89c5fc18f97f7277b51d", - "zh:c979425ddb256511137ecd093e23283234da0154b7fa8b21c2687182d9aea8b2", - ] -} diff --git a/Cargo.lock b/Cargo.lock deleted file mode 100644 index bc24cf8..0000000 --- a/Cargo.lock +++ /dev/null 
@@ -1,882 +0,0 @@ -# This file is automatically @generated by Cargo. -# It is not intended for manual editing. -version = 4 - -[[package]] -name = "adler2" -version = "2.0.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "512761e0bb2578dd7380c6baaa0f4ce03e84f95e960231d1dec8bf4d7d6e2627" - -[[package]] -name = "anyhow" -version = "1.0.100" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a23eb6b1614318a8071c9b2521f36b424b2c83db5eb3a0fead4a6c0809af6e61" - -[[package]] -name = "base64" -version = "0.22.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "72b3254f16251a8381aa12e40e3c4d2f0199f8c6508fbecb9d91f575e0fbb8c6" - -[[package]] -name = "bytes" -version = "1.10.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d71b6127be86fdcfddb610f7182ac57211d4b18a3e9c82eb2d17662f2227ad6a" - -[[package]] -name = "cc" -version = "1.2.17" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1fcb57c740ae1daf453ae85f16e37396f672b039e00d9d866e07ddb24e328e3a" -dependencies = [ - "shlex", -] - -[[package]] -name = "cfg-if" -version = "1.0.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "baf1de4339761588bc0619e3cbc0120ee582ebb74b53b4efbf79117bd2da40fd" - -[[package]] -name = "cookie" -version = "0.18.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4ddef33a339a91ea89fb53151bd0a4689cfce27055c291dfa69945475d22c747" -dependencies = [ - "percent-encoding", - "time", - "version_check", -] - -[[package]] -name = "cookie_store" -version = "0.22.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3fc4bff745c9b4c7fb1e97b25d13153da2bc7796260141df62378998d070207f" -dependencies = [ - "cookie", - "document-features", - "idna", - "indexmap", - "log", - "serde", - "serde_derive", - "serde_json", - "time", - "url", -] - -[[package]] -name = "crc32fast" 
-version = "1.4.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a97769d94ddab943e4510d138150169a2758b5ef3eb191a9ee688de3e23ef7b3" -dependencies = [ - "cfg-if", -] - -[[package]] -name = "deranged" -version = "0.4.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "28cfac68e08048ae1883171632c2aef3ebc555621ae56fbccce1cbf22dd7f058" -dependencies = [ - "powerfmt", -] - -[[package]] -name = "displaydoc" -version = "0.2.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "97369cbbc041bc366949bc74d34658d6cda5621039731c6310521892a3a20ae0" -dependencies = [ - "proc-macro2", - "quote", - "syn", -] - -[[package]] -name = "document-features" -version = "0.2.11" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "95249b50c6c185bee49034bcb378a49dc2b5dff0be90ff6616d31d64febab05d" -dependencies = [ - "litrs", -] - -[[package]] -name = "equivalent" -version = "1.0.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "877a4ace8713b0bcf2a4e7eec82529c029f1d0619886d18145fea96c3ffe5c0f" - -[[package]] -name = "flate2" -version = "1.1.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "11faaf5a5236997af9848be0bef4db95824b1d534ebc64d0f0c6cf3e67bd38dc" -dependencies = [ - "crc32fast", - "miniz_oxide", -] - -[[package]] -name = "fnv" -version = "1.0.7" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3f9eec918d3f24069decb9af1554cad7c880e2da24a9afd88aca000531ab82c1" - -[[package]] -name = "form_urlencoded" -version = "1.2.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e13624c2627564efccf4934284bdd98cbaa14e79b0b5a141218e507b3a823456" -dependencies = [ - "percent-encoding", -] - -[[package]] -name = "getrandom" -version = "0.2.15" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = 
"c4567c8db10ae91089c99af84c68c38da3ec2f087c3f82960bcdbf3656b6f4d7" -dependencies = [ - "cfg-if", - "libc", - "wasi", -] - -[[package]] -name = "hashbrown" -version = "0.15.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "bf151400ff0baff5465007dd2f3e717f3fe502074ca563069ce3a6629d07b289" - -[[package]] -name = "http" -version = "1.3.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f4a85d31aea989eead29a3aaf9e1115a180df8282431156e533de47660892565" -dependencies = [ - "bytes", - "fnv", - "itoa", -] - -[[package]] -name = "httparse" -version = "1.10.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6dbf3de79e51f3d586ab4cb9d5c3e2c14aa28ed23d180cf89b4df0454a69cc87" - -[[package]] -name = "icu_collections" -version = "1.5.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "db2fa452206ebee18c4b5c2274dbf1de17008e874b4dc4f0aea9d01ca79e4526" -dependencies = [ - "displaydoc", - "yoke", - "zerofrom", - "zerovec", -] - -[[package]] -name = "icu_locid" -version = "1.5.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "13acbb8371917fc971be86fc8057c41a64b521c184808a698c02acc242dbf637" -dependencies = [ - "displaydoc", - "litemap", - "tinystr", - "writeable", - "zerovec", -] - -[[package]] -name = "icu_locid_transform" -version = "1.5.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "01d11ac35de8e40fdeda00d9e1e9d92525f3f9d887cdd7aa81d727596788b54e" -dependencies = [ - "displaydoc", - "icu_locid", - "icu_locid_transform_data", - "icu_provider", - "tinystr", - "zerovec", -] - -[[package]] -name = "icu_locid_transform_data" -version = "1.5.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fdc8ff3388f852bede6b579ad4e978ab004f139284d7b28715f773507b946f6e" - -[[package]] -name = "icu_normalizer" -version = "1.5.0" -source = 
"registry+https://github.com/rust-lang/crates.io-index" -checksum = "19ce3e0da2ec68599d193c93d088142efd7f9c5d6fc9b803774855747dc6a84f" -dependencies = [ - "displaydoc", - "icu_collections", - "icu_normalizer_data", - "icu_properties", - "icu_provider", - "smallvec", - "utf16_iter", - "utf8_iter", - "write16", - "zerovec", -] - -[[package]] -name = "icu_normalizer_data" -version = "1.5.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "f8cafbf7aa791e9b22bec55a167906f9e1215fd475cd22adfcf660e03e989516" - -[[package]] -name = "icu_properties" -version = "1.5.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "93d6020766cfc6302c15dbbc9c8778c37e62c14427cb7f6e601d849e092aeef5" -dependencies = [ - "displaydoc", - "icu_collections", - "icu_locid_transform", - "icu_properties_data", - "icu_provider", - "tinystr", - "zerovec", -] - -[[package]] -name = "icu_properties_data" -version = "1.5.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "67a8effbc3dd3e4ba1afa8ad918d5684b8868b3b26500753effea8d2eed19569" - -[[package]] -name = "icu_provider" -version = "1.5.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6ed421c8a8ef78d3e2dbc98a973be2f3770cb42b606e3ab18d6237c4dfde68d9" -dependencies = [ - "displaydoc", - "icu_locid", - "icu_provider_macros", - "stable_deref_trait", - "tinystr", - "writeable", - "yoke", - "zerofrom", - "zerovec", -] - -[[package]] -name = "icu_provider_macros" -version = "1.5.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1ec89e9337638ecdc08744df490b221a7399bf8d164eb52a665454e60e075ad6" -dependencies = [ - "proc-macro2", - "quote", - "syn", -] - -[[package]] -name = "idna" -version = "1.0.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "686f825264d630750a544639377bae737628043f20d38bbc029e8f29ea968a7e" -dependencies = [ - "idna_adapter", - "smallvec", - "utf8_iter", -] - 
-[[package]] -name = "idna_adapter" -version = "1.2.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "daca1df1c957320b2cf139ac61e7bd64fed304c5040df000a745aa1de3b4ef71" -dependencies = [ - "icu_normalizer", - "icu_properties", -] - -[[package]] -name = "indexmap" -version = "2.8.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3954d50fe15b02142bf25d3b8bdadb634ec3948f103d04ffe3031bc8fe9d7058" -dependencies = [ - "equivalent", - "hashbrown", -] - -[[package]] -name = "itoa" -version = "1.0.15" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "4a5f13b858c8d314ee3e8f639011f7ccefe71f97f96e50151fb991f267928e2c" - -[[package]] -name = "libc" -version = "0.2.171" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c19937216e9d3aa9956d9bb8dfc0b0c8beb6058fc4f7a4dc4d850edf86a237d6" - -[[package]] -name = "litemap" -version = "0.7.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "23fb14cb19457329c82206317a5663005a4d404783dc74f4252769b0d5f42856" - -[[package]] -name = "litrs" -version = "0.4.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b4ce301924b7887e9d637144fdade93f9dfff9b60981d4ac161db09720d39aa5" - -[[package]] -name = "log" -version = "0.4.27" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "13dc2df351e3202783a1fe0d44375f7295ffb4049267b0f3018346dc122a1d94" - -[[package]] -name = "memchr" -version = "2.7.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "78ca9ab1a0babb1e7d5695e3530886289c18cf2f87ec19a575a0abdce112e3a3" - -[[package]] -name = "miniz_oxide" -version = "0.8.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8e3e04debbb59698c15bacbb6d93584a8c0ca9cc3213cb423d31f760d8843ce5" -dependencies = [ - "adler2", -] - -[[package]] -name = "num-conv" -version = "0.1.0" -source = 
"registry+https://github.com/rust-lang/crates.io-index" -checksum = "51d515d32fb182ee37cda2ccdcb92950d6a3c2893aa280e540671c2cd0f3b1d9" - -[[package]] -name = "once_cell" -version = "1.21.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c2806eaa3524762875e21c3dcd057bc4b7bfa01ce4da8d46be1cd43649e1cc6b" - -[[package]] -name = "percent-encoding" -version = "2.3.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "e3148f5046208a5d56bcfc03053e3ca6334e51da8dfb19b6cdc8b306fae3283e" - -[[package]] -name = "powerfmt" -version = "0.2.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "439ee305def115ba05938db6eb1644ff94165c5ab5e9420d1c1bcedbba909391" - -[[package]] -name = "proc-macro2" -version = "1.0.94" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a31971752e70b8b2686d7e46ec17fb38dad4051d94024c88df49b667caea9c84" -dependencies = [ - "unicode-ident", -] - -[[package]] -name = "quote" -version = "1.0.40" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1885c039570dc00dcb4ff087a89e185fd56bae234ddc7f056a945bf36467248d" -dependencies = [ - "proc-macro2", -] - -[[package]] -name = "ring" -version = "0.17.14" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a4689e6c2294d81e88dc6261c768b63bc4fcdb852be6d1352498b114f61383b7" -dependencies = [ - "cc", - "cfg-if", - "getrandom", - "libc", - "untrusted", - "windows-sys", -] - -[[package]] -name = "rustls" -version = "0.23.25" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "822ee9188ac4ec04a2f0531e55d035fb2de73f18b41a63c70c2712503b6fb13c" -dependencies = [ - "log", - "once_cell", - "ring", - "rustls-pki-types", - "rustls-webpki", - "subtle", - "zeroize", -] - -[[package]] -name = "rustls-pemfile" -version = "2.2.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = 
"dce314e5fee3f39953d46bb63bb8a46d40c2f8fb7cc5a3b6cab2bde9721d6e50" -dependencies = [ - "rustls-pki-types", -] - -[[package]] -name = "rustls-pki-types" -version = "1.11.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "917ce264624a4b4db1c364dcc35bfca9ded014d0a958cd47ad3e960e988ea51c" - -[[package]] -name = "rustls-webpki" -version = "0.103.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "fef8b8769aaccf73098557a87cd1816b4f9c7c16811c9c77142aa695c16f2c03" -dependencies = [ - "ring", - "rustls-pki-types", - "untrusted", -] - -[[package]] -name = "ryu" -version = "1.0.20" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "28d3b2b1366ec20994f1fd18c3c594f05c5dd4bc44d8bb0c1c632c8d6829481f" - -[[package]] -name = "serde" -version = "1.0.228" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9a8e94ea7f378bd32cbbd37198a4a91436180c5bb472411e48b5ec2e2124ae9e" -dependencies = [ - "serde_core", - "serde_derive", -] - -[[package]] -name = "serde_core" -version = "1.0.228" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "41d385c7d4ca58e59fc732af25c3983b67ac852c1a25000afe1175de458b67ad" -dependencies = [ - "serde_derive", -] - -[[package]] -name = "serde_derive" -version = "1.0.228" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d540f220d3187173da220f885ab66608367b6574e925011a9353e4badda91d79" -dependencies = [ - "proc-macro2", - "quote", - "syn", -] - -[[package]] -name = "serde_json" -version = "1.0.140" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "20068b6e96dc6c9bd23e01df8827e6c7e1f2fddd43c21810382803c136b99373" -dependencies = [ - "itoa", - "memchr", - "ryu", - "serde", -] - -[[package]] -name = "shlex" -version = "1.3.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0fda2ff0d084019ba4d7c6f371c95d8fd75ce3524c3cb8fb653a3023f6323e64" 
- -[[package]] -name = "signal-hook" -version = "0.3.18" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d881a16cf4426aa584979d30bd82cb33429027e42122b169753d6ef1085ed6e2" -dependencies = [ - "libc", - "signal-hook-registry", -] - -[[package]] -name = "signal-hook-registry" -version = "1.4.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a9e9e0b4211b72e7b8b6e85c807d36c212bdb33ea8587f7569562a84df5465b1" -dependencies = [ - "libc", -] - -[[package]] -name = "smallvec" -version = "1.14.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7fcf8323ef1faaee30a44a340193b1ac6814fd9b7b4e88e9d4519a3e4abe1cfd" - -[[package]] -name = "stable_deref_trait" -version = "1.2.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "a8f112729512f8e442d81f95a8a7ddf2b7c6b8a1a6f509a95864142b30cab2d3" - -[[package]] -name = "subtle" -version = "2.6.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "13c2bddecc57b384dee18652358fb23172facb8a2c51ccc10d74c157bdea3292" - -[[package]] -name = "syn" -version = "2.0.100" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b09a44accad81e1ba1cd74a32461ba89dee89095ba17b32f5d03683b1b1fc2a0" -dependencies = [ - "proc-macro2", - "quote", - "unicode-ident", -] - -[[package]] -name = "synstructure" -version = "0.13.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c8af7666ab7b6390ab78131fb5b0fce11d6b7a6951602017c35fa82800708971" -dependencies = [ - "proc-macro2", - "quote", - "syn", -] - -[[package]] -name = "time" -version = "0.3.41" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8a7619e19bc266e0f9c5e6686659d394bc57973859340060a69221e57dbc0c40" -dependencies = [ - "deranged", - "itoa", - "num-conv", - "powerfmt", - "serde", - "time-core", - "time-macros", -] - -[[package]] -name = "time-core" -version = "0.1.4" -source 
= "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c9e9a38711f559d9e3ce1cdb06dd7c5b8ea546bc90052da6d06bb76da74bb07c" - -[[package]] -name = "time-macros" -version = "0.2.22" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "3526739392ec93fd8b359c8e98514cb3e8e021beb4e5f597b00a0221f8ed8a49" -dependencies = [ - "num-conv", - "time-core", -] - -[[package]] -name = "tinystr" -version = "0.7.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9117f5d4db391c1cf6927e7bea3db74b9a1c1add8f7eda9ffd5364f40f57b82f" -dependencies = [ - "displaydoc", - "zerovec", -] - -[[package]] -name = "unicode-ident" -version = "1.0.18" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "5a5f39404a5da50712a4c1eecf25e90dd62b613502b7e925fd4e4d19b5c96512" - -[[package]] -name = "untrusted" -version = "0.9.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8ecb6da28b8a351d773b68d5825ac39017e680750f980f3a1a85cd8dd28a47c1" - -[[package]] -name = "ureq" -version = "3.1.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "99ba1025f18a4a3fc3e9b48c868e9beb4f24f4b4b1a325bada26bd4119f46537" -dependencies = [ - "base64", - "cookie_store", - "flate2", - "log", - "percent-encoding", - "rustls", - "rustls-pemfile", - "rustls-pki-types", - "serde", - "serde_json", - "ureq-proto", - "utf-8", - "webpki-roots", -] - -[[package]] -name = "ureq-proto" -version = "0.5.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "60b4531c118335662134346048ddb0e54cc86bd7e81866757873055f0e38f5d2" -dependencies = [ - "base64", - "http", - "httparse", - "log", -] - -[[package]] -name = "url" -version = "2.5.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "32f8b686cadd1473f4bd0117a5d28d36b1ade384ea9b5069a1c40aefed7fda60" -dependencies = [ - "form_urlencoded", - "idna", - "percent-encoding", -] - 
-[[package]] -name = "utf-8" -version = "0.7.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "09cc8ee72d2a9becf2f2febe0205bbed8fc6615b7cb429ad062dc7b7ddd036a9" - -[[package]] -name = "utf16_iter" -version = "1.0.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "c8232dd3cdaed5356e0f716d285e4b40b932ac434100fe9b7e0e8e935b9e6246" - -[[package]] -name = "utf8_iter" -version = "1.0.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "b6c140620e7ffbb22c2dee59cafe6084a59b5ffc27a8859a5f0d494b5d52b6be" - -[[package]] -name = "vault-auto-unseal" -version = "0.1.0" -dependencies = [ - "anyhow", - "serde", - "signal-hook", - "ureq", -] - -[[package]] -name = "version_check" -version = "0.9.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0b928f33d975fc6ad9f86c8f283853ad26bdd5b10b7f1542aa2fa15e2289105a" - -[[package]] -name = "wasi" -version = "0.11.0+wasi-snapshot-preview1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9c8d87e72b64a3b4db28d11ce29237c246188f4f51057d65a7eab63b7987e423" - -[[package]] -name = "webpki-roots" -version = "1.0.2" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "7e8983c3ab33d6fb807cfcdad2491c4ea8cbc8ed839181c7dfd9c67c83e261b2" -dependencies = [ - "rustls-pki-types", -] - -[[package]] -name = "windows-sys" -version = "0.52.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "282be5f36a8ce781fad8c8ae18fa3f9beff57ec1b52cb3de0789201425d9a33d" -dependencies = [ - "windows-targets", -] - -[[package]] -name = "windows-targets" -version = "0.52.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "9b724f72796e036ab90c1021d4780d4d3d648aca59e491e6b98e725b84e99973" -dependencies = [ - "windows_aarch64_gnullvm", - "windows_aarch64_msvc", - "windows_i686_gnu", - "windows_i686_gnullvm", - "windows_i686_msvc", - 
"windows_x86_64_gnu", - "windows_x86_64_gnullvm", - "windows_x86_64_msvc", -] - -[[package]] -name = "windows_aarch64_gnullvm" -version = "0.52.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "32a4622180e7a0ec044bb555404c800bc9fd9ec262ec147edd5989ccd0c02cd3" - -[[package]] -name = "windows_aarch64_msvc" -version = "0.52.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "09ec2a7bb152e2252b53fa7803150007879548bc709c039df7627cabbd05d469" - -[[package]] -name = "windows_i686_gnu" -version = "0.52.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "8e9b5ad5ab802e97eb8e295ac6720e509ee4c243f69d781394014ebfe8bbfa0b" - -[[package]] -name = "windows_i686_gnullvm" -version = "0.52.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "0eee52d38c090b3caa76c563b86c3a4bd71ef1a819287c19d586d7334ae8ed66" - -[[package]] -name = "windows_i686_msvc" -version = "0.52.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "240948bc05c5e7c6dabba28bf89d89ffce3e303022809e73deaefe4f6ec56c66" - -[[package]] -name = "windows_x86_64_gnu" -version = "0.52.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "147a5c80aabfbf0c7d901cb5895d1de30ef2907eb21fbbab29ca94c5b08b1a78" - -[[package]] -name = "windows_x86_64_gnullvm" -version = "0.52.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "24d5b23dc417412679681396f2b49f3de8c1473deb516bd34410872eff51ed0d" - -[[package]] -name = "windows_x86_64_msvc" -version = "0.52.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "589f6da84c646204747d1270a2a5661ea66ed1cced2631d546fdfb155959f9ec" - -[[package]] -name = "write16" -version = "1.0.0" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d1890f4022759daae28ed4fe62859b1236caebfc61ede2f63ed4e695f3f6d936" - -[[package]] -name = "writeable" 
-version = "0.5.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "1e9df38ee2d2c3c5948ea468a8406ff0db0b29ae1ffde1bcf20ef305bcc95c51" - -[[package]] -name = "yoke" -version = "0.7.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "120e6aef9aa629e3d4f52dc8cc43a015c7724194c97dfaf45180d2daf2b77f40" -dependencies = [ - "serde", - "stable_deref_trait", - "yoke-derive", - "zerofrom", -] - -[[package]] -name = "yoke-derive" -version = "0.7.5" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "2380878cad4ac9aac1e2435f3eb4020e8374b5f13c296cb75b4620ff8e229154" -dependencies = [ - "proc-macro2", - "quote", - "syn", - "synstructure", -] - -[[package]] -name = "zerofrom" -version = "0.1.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "50cc42e0333e05660c3587f3bf9d0478688e15d870fab3346451ce7f8c9fbea5" -dependencies = [ - "zerofrom-derive", -] - -[[package]] -name = "zerofrom-derive" -version = "0.1.6" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "d71e5d6e06ab090c67b5e44993ec16b72dcbaabc526db883a360057678b48502" -dependencies = [ - "proc-macro2", - "quote", - "syn", - "synstructure", -] - -[[package]] -name = "zeroize" -version = "1.8.1" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "ced3678a2879b30306d323f4542626697a464a97c0a07c9aebf7ebca65cd4dde" - -[[package]] -name = "zerovec" -version = "0.10.4" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "aa2b893d79df23bfb12d5461018d408ea19dfafe76c2c7ef6d4eba614f8ff079" -dependencies = [ - "yoke", - "zerofrom", - "zerovec-derive", -] - -[[package]] -name = "zerovec-derive" -version = "0.10.3" -source = "registry+https://github.com/rust-lang/crates.io-index" -checksum = "6eafa6dfb17584ea3e2bd6e76e0cc15ad7af12b09abdd1ca55961bed9b1063c6" -dependencies = [ - "proc-macro2", - "quote", - "syn", -] 
diff --git a/Cargo.toml b/Cargo.toml
deleted file mode 100644
index a60cb7a..0000000
--- a/Cargo.toml
+++ /dev/null
@@ -1,3 +0,0 @@
-[workspace]
-members = ["apps/vault-auto-unseal"]
-resolver = "3"
diff --git a/README.md b/README.md
index 3815923..d058c17 100644
--- a/README.md
+++ b/README.md
@@ -1,63 +1,6 @@
 # Server Config
 
-## Setup
-
-- create rke2 config `/etc/rancher/rke2/config.yaml`
-
- ```yaml
- cni: calico
- profile: cis
- pod-security-admission-config-file: /etc/rancher/rke2/rke2-pss-custom.yaml
- etcd-expose-metrics: true
- kube-controller-manager-arg:
- - bind-address=0.0.0.0
- kube-scheduler-arg:
- - bind-address=0.0.0.0
- kube-proxy-arg:
- - metrics-bind-address=0.0.0.0
- kubelet-arg:
- - max-pods=200
- ```
-
-- create admission config `/etc/rancher/rke2/rke2-pss-custom.yaml`
-
- ```yaml
- apiVersion: apiserver.config.k8s.io/v1
- kind: AdmissionConfiguration
- plugins:
- - name: PodSecurity
- configuration:
- apiVersion: pod-security.admission.config.k8s.io/v1beta1
- kind: PodSecurityConfiguration
- defaults:
- enforce: "privileged"
- enforce-version: "latest"
- exemptions:
- usernames: []
- runtimeClasses: []
- namespaces: []
- ```
-
-- install rke2
-
- ```bash
- curl -sfL https://get.rke2.io | sh -s - server
- systemctl enable rke2-server.service
- systemctl start rke2-server.service
- ```
-
-- add kernel params
-
- ```bash
- cp -f /usr/local/share/rke2/rke2-cis-sysctl.conf /etc/sysctl.d/60-rke2-cis.conf
- systemctl restart systemd-sysctl
- sysctl -p /usr/local/share/rke2/rke2-cis-sysctl.conf
- ```
-
-- Apply Terraform config
- ```bash
- terraform apply
- ```
+Terraform scripts for my personal server setup.
 
 ## Postgres
 
diff --git a/apps/vault-auto-unseal/Cargo.toml b/apps/vault-auto-unseal/Cargo.toml
deleted file mode 100644
index cc664b2..0000000
--- a/apps/vault-auto-unseal/Cargo.toml
+++ /dev/null
@@ -1,14 +0,0 @@
-[package]
-name = "vault-auto-unseal"
-version = "0.1.0"
-edition = "2024"
-
-[dependencies]
-anyhow = "1.0.100"
-serde = { version = "1.0.228", features = ["derive"] }
-signal-hook = "0.3.18"
-ureq = { version = "3.1.2", features = ["json"] }
-
-[[bin]]
-name = "vault-auto-unseal"
-path = "src/main.rs"
diff --git a/apps/vault-auto-unseal/Dockerfile b/apps/vault-auto-unseal/Dockerfile
deleted file mode 100644
index 3923374..0000000
--- a/apps/vault-auto-unseal/Dockerfile
+++ /dev/null
@@ -1,41 +0,0 @@
-ARG BIN=vault-auto-unseal
-
-FROM ghcr.io/profiidev/images/rust-musl-builder:main AS planner
-
-ARG BIN
-ENV BIN=$BIN
-
-COPY apps/vault-auto-unseal/Cargo.toml ./Cargo.lock ./
-
-RUN cargo chef prepare --recipe-path recipe.json --bin $BIN
-
-FROM ghcr.io/profiidev/images/rust-musl-builder:main AS builder
-
-ARG BIN
-ENV BIN=$BIN
-
-COPY --from=planner /app/recipe.json .
-
-RUN cargo chef cook --release
-
-COPY apps/vault-auto-unseal/src ./src
-COPY apps/vault-auto-unseal/Cargo.toml ./Cargo.lock ./
-
-RUN cargo build --release --bin $BIN
-RUN mv ./target/x86_64-unknown-linux-musl/release/$BIN ./app
-
-FROM alpine
-
-RUN addgroup -S user
-RUN adduser -G user -S user
-
-WORKDIR /app
-RUN chown -R user:user /app
-
-USER user
-
-COPY --from=builder /etc/ssl/certs/ca-certificates.crt /etc/ssl/certs/
-
-COPY --from=builder /app/app /usr/local/bin/
-
-CMD ["app"]
\ No newline at end of file
diff --git a/apps/vault-auto-unseal/src/main.rs b/apps/vault-auto-unseal/src/main.rs
deleted file mode 100644
index ddd4423..0000000
--- a/apps/vault-auto-unseal/src/main.rs
+++ /dev/null
@@ -1,73 +0,0 @@
-use std::{
- thread::{sleep, spawn},
- time::Duration,
-};
-
-use anyhow::Result;
-use serde::Serialize;
-use signal_hook::{consts::TERM_SIGNALS, iterator::Signals};
-use ureq::{
- Agent,
- http::StatusCode,
- tls::{Certificate, RootCerts, TlsConfig},
-};
-
-fn main() {
- let _ = if let Ok(mut s) = Signals::new(TERM_SIGNALS) {
- spawn(move || {
- let _ = s.forever().next();
- println!("Got exit signal");
- std::process::exit(0);
- })
- } else {
- println!("Failed to register signal");
- std::process::exit(1)
- };
-
- loop {
- if let Err(err) = unseal() {
- println!("Unseal error: {err}");
- }
- sleep(Duration::from_secs(15));
- }
-}
-
-fn unseal() -> Result<()> {
- let cert = std::env::var("CA_CERT")?;
- let cert = Certificate::from_pem(cert.as_bytes())?;
- let tls = TlsConfig::builder()
- .root_certs(RootCerts::new_with_certs(&[cert]))
- .build();
- let config = Agent::config_builder()
- .tls_config(tls)
- .http_status_as_error(false)
- .build();
- let agent = Agent::new_with_config(config);
-
- let vault_url = std::env::var("VAULT_URL")?;
- let res = agent.get(format!("{vault_url}/v1/sys/health")).call()?;
-
- if res.status() != StatusCode::SERVICE_UNAVAILABLE {
- return Ok(());
- }
-
- let key_1 = std::env::var("KEY_1")?;
- let key_2 = std::env::var("KEY_2")?;
- let key_3 = std::env::var("KEY_3")?;
- let keys = [key_1, key_2, key_3];
-
- for key in keys {
- agent
- .post(format!("{vault_url}/v1/sys/unseal"))
- .send_json(&UnsealReq { key })?;
- }
-
- println!("Unlock successful");
-
- Ok(())
-}
-
-#[derive(Serialize)]
-struct UnsealReq {
- key: String,
-}
diff --git a/charts/auto-clean-bot/.helmignore b/charts/auto-clean-bot/.helmignore
deleted file mode 100644
index 0e8a0eb..0000000
--- a/charts/auto-clean-bot/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/charts/auto-clean-bot/Chart.yaml b/charts/auto-clean-bot/Chart.yaml
deleted file mode 100644
index 3501b91..0000000
--- a/charts/auto-clean-bot/Chart.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: v2
-name: auto-clean-bot
-description: A Bot to automatically clean discord messages after a certain time.
-type: application
-version: v0.1.0
diff --git a/charts/auto-clean-bot/templates/bot-deployment.yaml b/charts/auto-clean-bot/templates/bot-deployment.yaml
deleted file mode 100644
index 97036ed..0000000
--- a/charts/auto-clean-bot/templates/bot-deployment.yaml
+++ /dev/null
@@ -1,53 +0,0 @@
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: {{ .Chart.Name }}-bot
- namespace: {{ .Release.Namespace }}
-spec:
- replicas: {{ .Values.bot.replicaCount | default 1 }}
- revisionHistoryLimit: 0
- selector:
- matchLabels:
- app: {{ .Chart.Name }}-bot
- strategy:
- type: RollingUpdate
- rollingUpdate:
- maxSurge: 1
- maxUnavailable: 0
- template:
- metadata:
- labels:
- app: {{ .Chart.Name }}-bot
- {{- with .Values.bot.podLabels }}
- {{- toYaml . | nindent 8 }}
- {{- end }}
- spec:
- containers:
- - tty: true
- envFrom:
- - secretRef:
- name: {{ .Chart.Name }}-bot
- image: ghcr.io/profiidev/{{ .Chart.Name }}/bot:{{ .Chart.Version }}
- imagePullPolicy: Always
- name: {{ .Chart.Name }}-bot
- resources:
- limits:
- cpu: 1000m
- memory: 256Mi
- requests:
- cpu: 200m
- memory: 128Mi
- {{- with .Values.bot.extraVolumeMounts }}
- volumeMounts:
- {{- toYaml . | nindent 12 }}
- {{- end }}
- dnsPolicy: ClusterFirst
- restartPolicy: Always
- schedulerName: default-scheduler
- securityContext: {}
- terminationGracePeriodSeconds: 30
- {{- with .Values.bot.extraVolumes }}
- volumes:
- {{- toYaml . | nindent 8 }}
- {{- end }}
diff --git a/charts/auto-clean-bot/templates/bot-external-secret.yaml b/charts/auto-clean-bot/templates/bot-external-secret.yaml
deleted file mode 100644
index af631d8..0000000
--- a/charts/auto-clean-bot/templates/bot-external-secret.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
----
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
- name: {{ .Chart.Name }}-bot
- namespace: {{ .Release.Namespace }}
-spec:
- refreshInterval: 15s
- secretStoreRef:
- name: {{ .Values.secret.storeName }}
- kind: ClusterSecretStore
- target:
- name: {{ .Chart.Name }}-bot
- dataFrom:
- - extract:
- key: {{ .Values.secret.path }}
diff --git a/charts/auto-clean-bot/templates/bot-network-policy.yaml b/charts/auto-clean-bot/templates/bot-network-policy.yaml
deleted file mode 100644
index 6c56fae..0000000
--- a/charts/auto-clean-bot/templates/bot-network-policy.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
----
-apiVersion: crd.projectcalico.org/v1
-kind: NetworkPolicy
-metadata:
- name: {{ .Chart.Name }}-egress
- namespace: {{ .Release.Namespace }}
-spec:
- order: 10
- selector: app == '{{ .Chart.Name }}-bot'
- types:
- - Ingress
- - Egress
- egress:
- - action: Allow
- protocol: TCP
- destination:
- notNets:
- - 10.0.0.0/8
- - 172.16.0.0/12
- - 192.168.0.0/16
- ports:
- - 443
diff --git a/charts/auto-clean-bot/values.yaml b/charts/auto-clean-bot/values.yaml
deleted file mode 100644
index d1e4249..0000000
--- a/charts/auto-clean-bot/values.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-secret:
- storeName: cluster-secret-store
- path: apps/auto-clean-bot
-
-bot:
- replicaCount: 1
- extraVolumes:
- - name: cluster-ca-cert
- secret:
- defaultMode: 420
- secretName: cluster-ca-cert
- extraVolumeMounts:
- - mountPath: /etc/ssl/certs/e11529a0.0
- subPath: e11529a0.0
- name: cluster-ca-cert
- readOnly: true
-
- podLabels:
- postgres-access: "true"
diff --git a/charts/charm/.helmignore b/charts/charm/.helmignore
deleted file mode 100644
index 0e8a0eb..0000000
--- a/charts/charm/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/charts/charm/Chart.yaml b/charts/charm/Chart.yaml
deleted file mode 100644
index 7dde8a8..0000000
--- a/charts/charm/Chart.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: v2
-name: charm
-description: A Helm chart
-type: application
-version: v0.1.2
diff --git a/charts/charm/templates/backend-deployment.yaml b/charts/charm/templates/backend-deployment.yaml
deleted file mode 100644
index c32d57f..0000000
--- a/charts/charm/templates/backend-deployment.yaml
+++ /dev/null
@@ -1,55 +0,0 @@
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: {{ .Chart.Name }}-backend
- namespace: {{ .Release.Namespace }}
-spec:
- replicas: {{ .Values.backend.replicaCount | default 1 }}
- revisionHistoryLimit: 0
- selector:
- matchLabels:
- app: {{ .Chart.Name }}-backend
- strategy:
- type: RollingUpdate
- rollingUpdate:
- maxSurge: 1
- maxUnavailable: 0
- template:
- metadata:
- labels:
- app: {{ .Chart.Name }}-backend
- {{- with .Values.backend.podLabels }}
- {{- toYaml . | nindent 8 }}
- {{- end }}
- spec:
- imagePullSecrets:
- - name: {{ .Values.backend.imagePullSecret | default "ghcr-profidev" }}
- containers:
- - tty: true
- envFrom:
- - secretRef:
- name: {{ .Chart.Name }}-backend
- image: ghcr.io/profiidev/{{ .Chart.Name }}/{{ .Chart.Name }}-backend:{{ .Chart.Version }}
- imagePullPolicy: Always
- name: {{ .Chart.Name }}-backend
- resources:
- limits:
- cpu: 1000m
- memory: 256Mi
- requests:
- cpu: 200m
- memory: 128Mi
- {{- with .Values.backend.extraVolumeMounts }}
- volumeMounts:
- {{- toYaml . | nindent 12 }}
- {{- end }}
- dnsPolicy: ClusterFirst
- restartPolicy: Always
- schedulerName: default-scheduler
- securityContext: {}
- terminationGracePeriodSeconds: 30
- {{- with .Values.backend.extraVolumes }}
- volumes:
- {{- toYaml . | nindent 8 }}
- {{- end }}
diff --git a/charts/charm/templates/backend-external-secret.yaml b/charts/charm/templates/backend-external-secret.yaml
deleted file mode 100644
index 2bbda39..0000000
--- a/charts/charm/templates/backend-external-secret.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
----
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
- name: {{ .Chart.Name }}-backend
- namespace: {{ .Release.Namespace }}
-spec:
- refreshInterval: 15s
- secretStoreRef:
- name: {{ .Values.secret.storeName }}
- kind: ClusterSecretStore
- target:
- name: {{ .Chart.Name }}-backend
- dataFrom:
- - extract:
- key: {{ .Values.secret.path }}
diff --git a/charts/charm/templates/backend-ingress.yaml b/charts/charm/templates/backend-ingress.yaml
deleted file mode 100644
index a63039a..0000000
--- a/charts/charm/templates/backend-ingress.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: {{ .Chart.Name }}-backend
- namespace: {{ .Release.Namespace }}
- labels:
- name: {{ .Chart.Name }}-backend
- {{- with .Values.backend.ingress.annotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
-spec:
- ingressClassName: {{ .Values.backend.ingress.className | default "nginx" }}
- rules:
- - host: {{ .Values.backend.ingress.host }}
- http:
- paths:
- - pathType: ImplementationSpecific
- path: "/backend/(.*)"
- backend:
- service:
- name: {{ .Chart.Name }}-backend
- port:
- number: 8000
- - pathType: ImplementationSpecific
- path: "/.well-known/(.*)"
- backend:
- service:
- name: {{ .Chart.Name }}-backend
- port:
- number: 8000
- {{- with .Values.backend.ingress.tls }}
- tls:
- {{- toYaml . | nindent 4 }}
- {{- end }}
diff --git a/charts/charm/templates/backend-network-policy.yaml b/charts/charm/templates/backend-network-policy.yaml
deleted file mode 100644
index 6adb6cc..0000000
--- a/charts/charm/templates/backend-network-policy.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
----
-apiVersion: crd.projectcalico.org/v1
-kind: NetworkPolicy
-metadata:
- name: {{ .Chart.Name }}-backend-ingress
- namespace: {{ .Release.Namespace }}
-spec:
- order: 10
- selector: app == '{{ .Chart.Name }}-backend'
- types:
- - Ingress
- - Egress
- ingress:
- - action: Allow
- protocol: TCP
- source:
- namespaceSelector: kubernetes.io/metadata.name == 'kube-system'
- selector: app.kubernetes.io/name == 'rke2-ingress-nginx'
- destination:
- ports:
- - 8000
- egress:
- - action: Allow
- protocol: TCP
- destination:
- notNets:
- - 10.0.0.0/8
- - 172.16.0.0/12
- - 192.168.0.0/16
- ports:
- - 443
diff --git a/charts/charm/templates/backend-service.yaml b/charts/charm/templates/backend-service.yaml
deleted file mode 100644
index 4f24fbd..0000000
--- a/charts/charm/templates/backend-service.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ .Chart.Name }}-backend
- namespace: {{ .Release.Namespace }}
-spec:
- ports:
- - port: 8000
- protocol: TCP
- targetPort: 8000
- selector:
- app: {{ .Chart.Name }}-backend
- type: ClusterIP
diff --git a/charts/charm/templates/frontend-deployment.yaml b/charts/charm/templates/frontend-deployment.yaml
deleted file mode 100644
index 92c9bf3..0000000
--- a/charts/charm/templates/frontend-deployment.yaml
+++ /dev/null
@@ -1,40 +0,0 @@
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: {{ .Chart.Name }}-frontend
- namespace: {{ .Release.Namespace }}
-spec:
- replicas: {{ .Values.frontend.replicaCount }}
- revisionHistoryLimit: 0
- selector:
- matchLabels:
- app: {{ .Chart.Name }}-frontend
- strategy:
- type: RollingUpdate
- rollingUpdate:
- maxSurge: 1
- maxUnavailable: 0
- template:
- metadata:
- labels:
- app: {{ .Chart.Name }}-frontend
- spec:
- imagePullSecrets:
- - name: {{ .Values.frontend.imagePullSecret | default "ghcr-profidev" }}
- containers:
- - image: ghcr.io/profiidev/{{ .Chart.Name }}/{{ .Chart.Name }}-frontend:{{ .Chart.Version }}
- imagePullPolicy: Always
- name: {{ .Chart.Name }}-frontend
- resources:
- limits:
- cpu: 200m
- memory: 256Mi
- requests:
- cpu: 100m
- memory: 128Mi
- dnsPolicy: ClusterFirst
- restartPolicy: Always
- schedulerName: default-scheduler
- securityContext: {}
- terminationGracePeriodSeconds: 30
diff --git a/charts/charm/templates/frontend-ingress.yaml b/charts/charm/templates/frontend-ingress.yaml
deleted file mode 100644
index 208efc4..0000000
--- a/charts/charm/templates/frontend-ingress.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: {{ .Chart.Name }}-frontend
- namespace: {{ .Release.Namespace }}
- labels:
- name: {{ .Chart.Name }}-frontend
- {{- with .Values.frontend.ingress.annotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
-spec:
- ingressClassName: {{ .Values.frontend.ingress.className | default "nginx" }}
- rules:
- - host: {{ .Values.frontend.ingress.host }}
- http:
- paths:
- - pathType: Prefix
- path: "/"
- backend:
- service:
- name: {{ .Chart.Name }}-frontend
- port:
- number: 3000
- {{- with .Values.frontend.ingress.tls }}
- tls:
- {{- toYaml . | nindent 4 }}
- {{- end }}
diff --git a/charts/charm/templates/frontend-network-policy.yaml b/charts/charm/templates/frontend-network-policy.yaml
deleted file mode 100644
index 05d3214..0000000
--- a/charts/charm/templates/frontend-network-policy.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
----
-apiVersion: crd.projectcalico.org/v1
-kind: NetworkPolicy
-metadata:
- name: {{ .Chart.Name }}-frontend-ingress
- namespace: {{ .Release.Namespace }}
-spec:
- order: 10
- selector: app == '{{ .Chart.Name }}-frontend'
- types:
- - Ingress
- ingress:
- - action: Allow
- protocol: TCP
- source:
- namespaceSelector: kubernetes.io/metadata.name == 'kube-system'
- selector: app.kubernetes.io/name == 'rke2-ingress-nginx'
- destination:
- ports:
- - 3000
diff --git a/charts/charm/templates/frontend-service.yaml b/charts/charm/templates/frontend-service.yaml
deleted file mode 100644
index ee22875..0000000
--- a/charts/charm/templates/frontend-service.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ .Chart.Name }}-frontend
- namespace: {{ .Release.Namespace }}
-spec:
- ports:
- - port: 3000
- protocol: TCP
- targetPort: 3000
- selector:
- app: {{ .Chart.Name }}-frontend
- type: ClusterIP
diff --git a/charts/charm/values.yaml b/charts/charm/values.yaml
deleted file mode 100644
index 4d91e28..0000000
--- a/charts/charm/values.yaml
+++ /dev/null
@@ -1,46 +0,0 @@
-secret:
- storeName: cluster-secret-store
- path: apps/charm
-
-backend:
- replicaCount: 1
- imagePullSecret: ghcr-profidev
- extraVolumes:
- - name: cluster-ca-cert
- secret:
- defaultMode: 420
- secretName: cluster-ca-cert
- extraVolumeMounts:
- - mountPath: /etc/ssl/certs/e11529a0.0
- subPath: e11529a0.0
- name: cluster-ca-cert
- readOnly: true
-
- ingress:
- className: ingress-nginx
- annotations:
- nginx.ingress.kubernetes.io/auth-tls-secret: charm/cloudflare-ca-cert
- nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
- nginx.ingress.kubernetes.io/rewrite-target: "/$1"
- host: charm.profidev.io
- tls:
- - hosts:
- - profidev.io
- - "*.profi.dev"
- secretName: cloudflare-cert
-
-frontend:
- replicaCount: 1
- imagePullSecret: ghcr-profidev
-
- ingress:
- className: ingress-nginx
- annotations:
- nginx.ingress.kubernetes.io/auth-tls-secret: charm/cloudflare-ca-cert
- nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
- host: charm.profidev.io
- tls:
- - hosts:
- - profidev.io
- - "*.profi.dev"
- secretName: cloudflare-cert
diff --git a/charts/higgs/.helmignore b/charts/higgs/.helmignore
deleted file mode 100644
index 0e8a0eb..0000000
--- a/charts/higgs/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/charts/higgs/Chart.yaml b/charts/higgs/Chart.yaml
deleted file mode 100644
index f8b6ee7..0000000
--- a/charts/higgs/Chart.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: v2
-name: higgs
-description: A Portfolio Website
-type: application
-version: v0.1.1
diff --git a/charts/higgs/templates/frontend-deployment.yaml b/charts/higgs/templates/frontend-deployment.yaml
deleted file mode 100644
index 257c748..0000000
--- a/charts/higgs/templates/frontend-deployment.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: {{ .Chart.Name }}-frontend
- namespace: {{ .Release.Namespace }}
-spec:
- replicas: {{ .Values.frontend.replicaCount }}
- revisionHistoryLimit: 0
- selector:
- matchLabels:
- app: {{ .Chart.Name }}-frontend
- strategy:
- type: RollingUpdate
- rollingUpdate:
- maxSurge: 1
- maxUnavailable: 0
- template:
- metadata:
- labels:
- app: {{ .Chart.Name }}-frontend
- spec:
- containers:
- - image: ghcr.io/profiidev/{{ .Chart.Name }}/{{ .Chart.Name }}-frontend:{{ .Chart.Version }}
- imagePullPolicy: Always
- name: {{ .Chart.Name }}-frontend
- resources:
- limits:
- cpu: 200m
- memory: 256Mi
- requests:
- cpu: 100m
- memory: 128Mi
- dnsPolicy: ClusterFirst
- restartPolicy: Always
- schedulerName: default-scheduler
- securityContext: {}
- terminationGracePeriodSeconds: 30
diff --git a/charts/higgs/templates/frontend-ingress.yaml b/charts/higgs/templates/frontend-ingress.yaml
deleted file mode 100644
index 208efc4..0000000
--- a/charts/higgs/templates/frontend-ingress.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: {{ .Chart.Name }}-frontend
- namespace: {{ .Release.Namespace }}
- labels:
- name: {{ .Chart.Name }}-frontend
- {{- with .Values.frontend.ingress.annotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
-spec:
- ingressClassName: {{ .Values.frontend.ingress.className | default "nginx" }}
- rules:
- - host: {{ .Values.frontend.ingress.host }}
- http:
- paths:
- - pathType: Prefix
- path: "/"
- backend:
- service:
- name: {{ .Chart.Name }}-frontend
- port:
- number: 3000
- {{- with .Values.frontend.ingress.tls }}
- tls:
- {{- toYaml . | nindent 4 }}
- {{- end }}
diff --git a/charts/higgs/templates/frontend-network-policy.yaml b/charts/higgs/templates/frontend-network-policy.yaml
deleted file mode 100644
index 05d3214..0000000
--- a/charts/higgs/templates/frontend-network-policy.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
----
-apiVersion: crd.projectcalico.org/v1
-kind: NetworkPolicy
-metadata:
- name: {{ .Chart.Name }}-frontend-ingress
- namespace: {{ .Release.Namespace }}
-spec:
- order: 10
- selector: app == '{{ .Chart.Name }}-frontend'
- types:
- - Ingress
- ingress:
- - action: Allow
- protocol: TCP
- source:
- namespaceSelector: kubernetes.io/metadata.name == 'kube-system'
- selector: app.kubernetes.io/name == 'rke2-ingress-nginx'
- destination:
- ports:
- - 3000
diff --git a/charts/higgs/templates/frontend-service.yaml b/charts/higgs/templates/frontend-service.yaml
deleted file mode 100644
index ee22875..0000000
--- a/charts/higgs/templates/frontend-service.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ .Chart.Name }}-frontend
- namespace: {{ .Release.Namespace }}
-spec:
- ports:
- - port: 3000
- protocol: TCP
- targetPort: 3000
- selector:
- app: {{ .Chart.Name }}-frontend
- type: ClusterIP
diff --git a/charts/higgs/values.yaml b/charts/higgs/values.yaml
deleted file mode 100644
index dff1aa1..0000000
--- a/charts/higgs/values.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
-frontend:
- replicaCount: 1
-
- ingress:
- className: ingress-nginx
- annotations:
- nginx.ingress.kubernetes.io/auth-tls-secret: higgs/cloudflare-ca-cert
- nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
- host: higgs.profidev.io
- tls:
- - hosts:
- - profidev.io
- - "*.profi.dev"
- secretName: cloudflare-cert
diff --git a/charts/positron/.helmignore b/charts/positron/.helmignore
deleted file mode 100644
index 0e8a0eb..0000000
--- a/charts/positron/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/charts/positron/Chart.yaml b/charts/positron/Chart.yaml
deleted file mode 100644
index 0399e30..0000000
--- a/charts/positron/Chart.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: v2
-name: positron
-description: A Personal Website
-type: application
-version: v0.1.20
diff --git a/charts/positron/templates/backend-deployment.yaml b/charts/positron/templates/backend-deployment.yaml
deleted file mode 100644
index 3fa88f8..0000000
--- a/charts/positron/templates/backend-deployment.yaml
+++ /dev/null
@@ -1,53 +0,0 @@
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: {{ .Chart.Name }}-backend
- namespace: {{ .Release.Namespace }}
-spec:
- replicas: {{ .Values.backend.replicaCount | default 1 }}
- revisionHistoryLimit: 0
- selector:
- matchLabels:
- app: {{ .Chart.Name }}-backend
- strategy:
- type: RollingUpdate
- rollingUpdate:
- maxSurge: 1
- maxUnavailable: 0
- template:
- metadata:
- labels:
- app: {{ .Chart.Name }}-backend
- {{- with .Values.backend.podLabels }}
- {{- toYaml . | nindent 8 }}
- {{- end }}
- spec:
- containers:
- - tty: true
- envFrom:
- - secretRef:
- name: {{ .Chart.Name }}-backend
- image: ghcr.io/profiidev/positron/{{ .Chart.Name }}-backend:{{ .Chart.Version }}
- imagePullPolicy: Always
- name: {{ .Chart.Name }}-backend
- resources:
- limits:
- cpu: 1000m
- memory: 512Mi
- requests:
- cpu: 200m
- memory: 128Mi
- {{- with .Values.backend.extraVolumeMounts }}
- volumeMounts:
- {{- toYaml . | nindent 12 }}
- {{- end }}
- dnsPolicy: ClusterFirst
- restartPolicy: Always
- schedulerName: default-scheduler
- securityContext: {}
- terminationGracePeriodSeconds: 30
- {{- with .Values.backend.extraVolumes }}
- volumes:
- {{- toYaml . | nindent 8 }}
- {{- end }}
diff --git a/charts/positron/templates/backend-external-secret.yaml b/charts/positron/templates/backend-external-secret.yaml
deleted file mode 100644
index 2bbda39..0000000
--- a/charts/positron/templates/backend-external-secret.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
----
-apiVersion: external-secrets.io/v1beta1
-kind: ExternalSecret
-metadata:
- name: {{ .Chart.Name }}-backend
- namespace: {{ .Release.Namespace }}
-spec:
- refreshInterval: 15s
- secretStoreRef:
- name: {{ .Values.secret.storeName }}
- kind: ClusterSecretStore
- target:
- name: {{ .Chart.Name }}-backend
- dataFrom:
- - extract:
- key: {{ .Values.secret.path }}
diff --git a/charts/positron/templates/backend-ingress.yaml b/charts/positron/templates/backend-ingress.yaml
deleted file mode 100644
index a63039a..0000000
--- a/charts/positron/templates/backend-ingress.yaml
+++ /dev/null
@@ -1,36 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: {{ .Chart.Name }}-backend
- namespace: {{ .Release.Namespace }}
- labels:
- name: {{ .Chart.Name }}-backend
- {{- with .Values.backend.ingress.annotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
-spec:
- ingressClassName: {{ .Values.backend.ingress.className | default "nginx" }}
- rules:
- - host: {{ .Values.backend.ingress.host }}
- http:
- paths:
- - pathType: ImplementationSpecific
- path: "/backend/(.*)"
- backend:
- service:
- name: {{ .Chart.Name }}-backend
- port:
- number: 8000
- - pathType: ImplementationSpecific
- path: "/.well-known/(.*)"
- backend:
- service:
- name: {{ .Chart.Name }}-backend
- port:
- number: 8000
- {{- with .Values.backend.ingress.tls }}
- tls:
- {{- toYaml . | nindent 4 }}
- {{- end }}
diff --git a/charts/positron/templates/backend-network-policy.yaml b/charts/positron/templates/backend-network-policy.yaml
deleted file mode 100644
index 6adb6cc..0000000
--- a/charts/positron/templates/backend-network-policy.yaml
+++ /dev/null
@@ -1,31 +0,0 @@
----
-apiVersion: crd.projectcalico.org/v1
-kind: NetworkPolicy
-metadata:
- name: {{ .Chart.Name }}-backend-ingress
- namespace: {{ .Release.Namespace }}
-spec:
- order: 10
- selector: app == '{{ .Chart.Name }}-backend'
- types:
- - Ingress
- - Egress
- ingress:
- - action: Allow
- protocol: TCP
- source:
- namespaceSelector: kubernetes.io/metadata.name == 'kube-system'
- selector: app.kubernetes.io/name == 'rke2-ingress-nginx'
- destination:
- ports:
- - 8000
- egress:
- - action: Allow
- protocol: TCP
- destination:
- notNets:
- - 10.0.0.0/8
- - 172.16.0.0/12
- - 192.168.0.0/16
- ports:
- - 443
diff --git a/charts/positron/templates/backend-service.yaml b/charts/positron/templates/backend-service.yaml
deleted file mode 100644
index 4f24fbd..0000000
--- a/charts/positron/templates/backend-service.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ .Chart.Name }}-backend
- namespace: {{ .Release.Namespace }}
-spec:
- ports:
- - port: 8000
- protocol: TCP
- targetPort: 8000
- selector:
- app: {{ .Chart.Name }}-backend
- type: ClusterIP
diff --git a/charts/positron/templates/frontend-deployment.yaml b/charts/positron/templates/frontend-deployment.yaml
deleted file mode 100644
index d513c6f..0000000
--- a/charts/positron/templates/frontend-deployment.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: {{ .Chart.Name }}-frontend
- namespace: {{ .Release.Namespace }}
-spec:
- replicas: {{ .Values.frontend.replicaCount }}
- revisionHistoryLimit: 0
- selector:
- matchLabels:
- app: {{ .Chart.Name }}-frontend
- strategy:
- type: RollingUpdate
- rollingUpdate:
- maxSurge: 1
- maxUnavailable: 0
- template:
- metadata:
- labels:
- app: {{ .Chart.Name }}-frontend
- spec:
- containers:
- - image: ghcr.io/profiidev/positron/{{ .Chart.Name }}-frontend:{{ .Chart.Version }}
- imagePullPolicy: Always
- name: {{ .Chart.Name }}-frontend
- resources:
- limits:
- cpu: 200m
- memory: 256Mi
- requests:
- cpu: 100m
- memory: 128Mi
- dnsPolicy: ClusterFirst
- restartPolicy: Always
- schedulerName: default-scheduler
- securityContext: {}
- terminationGracePeriodSeconds: 30
diff --git a/charts/positron/templates/frontend-ingress.yaml b/charts/positron/templates/frontend-ingress.yaml
deleted file mode 100644
index 208efc4..0000000
--- a/charts/positron/templates/frontend-ingress.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: {{ .Chart.Name }}-frontend
- namespace: {{ .Release.Namespace }}
- labels:
- name: {{ .Chart.Name }}-frontend
- {{- with .Values.frontend.ingress.annotations }}
- annotations:
- {{- toYaml . | nindent 4 }}
- {{- end }}
-spec:
- ingressClassName: {{ .Values.frontend.ingress.className | default "nginx" }}
- rules:
- - host: {{ .Values.frontend.ingress.host }}
- http:
- paths:
- - pathType: Prefix
- path: "/"
- backend:
- service:
- name: {{ .Chart.Name }}-frontend
- port:
- number: 3000
- {{- with .Values.frontend.ingress.tls }}
- tls:
- {{- toYaml . | nindent 4 }}
- {{- end }}
diff --git a/charts/positron/templates/frontend-network-policy.yaml b/charts/positron/templates/frontend-network-policy.yaml
deleted file mode 100644
index 05d3214..0000000
--- a/charts/positron/templates/frontend-network-policy.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
----
-apiVersion: crd.projectcalico.org/v1
-kind: NetworkPolicy
-metadata:
- name: {{ .Chart.Name }}-frontend-ingress
- namespace: {{ .Release.Namespace }}
-spec:
- order: 10
- selector: app == '{{ .Chart.Name }}-frontend'
- types:
- - Ingress
- ingress:
- - action: Allow
- protocol: TCP
- source:
- namespaceSelector: kubernetes.io/metadata.name == 'kube-system'
- selector: app.kubernetes.io/name == 'rke2-ingress-nginx'
- destination:
- ports:
- - 3000
diff --git a/charts/positron/templates/frontend-service.yaml b/charts/positron/templates/frontend-service.yaml
deleted file mode 100644
index ee22875..0000000
--- a/charts/positron/templates/frontend-service.yaml
+++ /dev/null
@@ -1,14 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
- name: {{ .Chart.Name }}-frontend
- namespace: {{ .Release.Namespace }}
-spec:
- ports:
- - port: 3000
- protocol: TCP
- targetPort: 3000
- selector:
- app: {{ .Chart.Name }}-frontend
- type: ClusterIP
diff --git a/charts/positron/values.yaml b/charts/positron/values.yaml
deleted file mode 100644
index c1f06e6..0000000
--- a/charts/positron/values.yaml
+++ /dev/null
@@ -1,49 +0,0 @@
-secret:
- storeName: cluster-secret-store
- path: apps/positron
-
-backend:
- replicaCount: 1
- extraVolumes:
- - name: cluster-ca-cert
- secret:
- defaultMode: 420
- secretName: cluster-ca-cert
- extraVolumeMounts:
- - mountPath: /etc/ssl/certs/e11529a0.0
- subPath: e11529a0.0
- name: cluster-ca-cert
- readOnly: true
-
- podLabels:
- nats-access: "true"
- minio-access: "true"
- postgres-access: "true"
-
- ingress:
- className: ingress-nginx
- annotations:
- nginx.ingress.kubernetes.io/auth-tls-secret: positron/cloudflare-ca-cert
- nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
- nginx.ingress.kubernetes.io/rewrite-target: "/$1"
- host: profidev.io
- tls:
- - hosts:
- - profidev.io
- - "*.profi.dev"
- secretName: cloudflare-cert
-
-frontend:
- replicaCount: 1
-
- ingress:
- className: ingress-nginx
- annotations:
- nginx.ingress.kubernetes.io/auth-tls-secret: positron/cloudflare-ca-cert
- nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"
- host: profidev.io
- tls:
- - hosts:
- - profidev.io
- - "*.profi.dev"
- secretName: cloudflare-cert
diff --git a/charts/proton/.helmignore b/charts/proton/.helmignore
deleted file mode 100644
index 0e8a0eb..0000000
--- a/charts/proton/.helmignore
+++ /dev/null
@@ -1,23 +0,0 @@
-# Patterns to ignore when building packages.
-# This supports shell glob matching, relative path matching, and
-# negation (prefixed with !). Only one pattern per line.
-.DS_Store
-# Common VCS dirs
-.git/
-.gitignore
-.bzr/
-.bzrignore
-.hg/
-.hgignore
-.svn/
-# Common backup files
-*.swp
-*.bak
-*.tmp
-*.orig
-*~
-# Various IDEs
-.project
-.idea/
-*.tmproj
-.vscode/
diff --git a/charts/proton/Chart.yaml b/charts/proton/Chart.yaml
deleted file mode 100644
index d89d2dc..0000000
--- a/charts/proton/Chart.yaml
+++ /dev/null
@@ -1,5 +0,0 @@ -apiVersion: v2 -name: proton -description: A Minecraft Launcher -type: application -version: v0.2.7 diff --git a/charts/proton/templates/backend-deployment.yaml b/charts/proton/templates/backend-deployment.yaml deleted file mode 100644 index e83e890..0000000 --- a/charts/proton/templates/backend-deployment.yaml +++ /dev/null @@ -1,53 +0,0 @@ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ .Chart.Name }}-backend - namespace: {{ .Release.Namespace }} -spec: - replicas: {{ .Values.backend.replicaCount | default 1 }} - revisionHistoryLimit: 0 - selector: - matchLabels: - app: {{ .Chart.Name }}-backend - strategy: - type: RollingUpdate - rollingUpdate: - maxSurge: 1 - maxUnavailable: 0 - template: - metadata: - labels: - app: {{ .Chart.Name }}-backend - {{- with .Values.backend.podLabels }} - {{- toYaml . | nindent 8 }} - {{- end }} - spec: - containers: - - tty: true - envFrom: - - secretRef: - name: {{ .Chart.Name }}-backend - image: ghcr.io/profiidev/proton/{{ .Chart.Name }}-backend:{{ .Chart.Version }} - imagePullPolicy: Always - name: {{ .Chart.Name }}-backend - resources: - limits: - cpu: 1000m - memory: 256Mi - requests: - cpu: 200m - memory: 128Mi - {{- with .Values.backend.extraVolumeMounts }} - volumeMounts: - {{- toYaml . | nindent 12 }} - {{- end }} - dnsPolicy: ClusterFirst - restartPolicy: Always - schedulerName: default-scheduler - securityContext: {} - terminationGracePeriodSeconds: 30 - {{- with .Values.backend.extraVolumes }} - volumes: - {{- toYaml . | nindent 8 }} - {{- end }} diff --git a/charts/proton/templates/backend-external-secret.yaml b/charts/proton/templates/backend-external-secret.yaml deleted file mode 100644 index 2bbda39..0000000 --- a/charts/proton/templates/backend-external-secret.yaml +++ /dev/null 
@@ -1,16 +0,0 @@ ---- -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: {{ .Chart.Name }}-backend - namespace: {{ .Release.Namespace }} -spec: - refreshInterval: 15s - secretStoreRef: - name: {{ .Values.secret.storeName }} - kind: ClusterSecretStore - target: - name: {{ .Chart.Name }}-backend - dataFrom: - - extract: - key: {{ .Values.secret.path }} diff --git a/charts/proton/templates/backend-ingress.yaml b/charts/proton/templates/backend-ingress.yaml deleted file mode 100644 index 448c1cf..0000000 --- a/charts/proton/templates/backend-ingress.yaml +++ /dev/null @@ -1,29 +0,0 @@ ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: {{ .Chart.Name }}-backend - namespace: {{ .Release.Namespace }} - labels: - name: {{ .Chart.Name }}-backend - {{- with .Values.backend.ingress.annotations }} - annotations: - {{- toYaml . | nindent 4 }} - {{- end }} -spec: - ingressClassName: {{ .Values.backend.ingress.className | default "nginx" }} - rules: - - host: {{ .Values.backend.ingress.host }} - http: - paths: - - pathType: ImplementationSpecific - path: "/backend/(.*)" - backend: - service: - name: {{ .Chart.Name }}-backend - port: - number: 8000 - {{- with .Values.backend.ingress.tls }} - tls: - {{- toYaml . | nindent 4 }} - {{- end }} diff --git a/charts/proton/templates/backend-network-policy.yaml b/charts/proton/templates/backend-network-policy.yaml deleted file mode 100644 index 5c3577c..0000000 --- a/charts/proton/templates/backend-network-policy.yaml +++ /dev/null 
@@ -1,19 +0,0 @@ -apiVersion: crd.projectcalico.org/v1 -kind: NetworkPolicy -metadata: - name: {{ .Chart.Name }}-backend-ingress - namespace: {{ .Release.Namespace }} -spec: - order: 10 - selector: app == '{{ .Chart.Name }}-backend' - types: - - Ingress - ingress: - - action: Allow - protocol: TCP - source: - namespaceSelector: kubernetes.io/metadata.name == 'kube-system' - selector: app.kubernetes.io/name == 'rke2-ingress-nginx' - destination: - ports: - - 8000 diff --git a/charts/proton/templates/backend-service.yaml b/charts/proton/templates/backend-service.yaml deleted file mode 100644 index 4f24fbd..0000000 --- a/charts/proton/templates/backend-service.yaml +++ /dev/null @@ -1,14 +0,0 @@ ---- -apiVersion: v1 -kind: Service -metadata: - name: {{ .Chart.Name }}-backend - namespace: {{ .Release.Namespace }} -spec: - ports: - - port: 8000 - protocol: TCP - targetPort: 8000 - selector: - app: {{ .Chart.Name }}-backend - type: ClusterIP diff --git a/charts/proton/values.yaml b/charts/proton/values.yaml deleted file mode 100644 index 08af416..0000000 --- a/charts/proton/values.yaml +++ /dev/null @@ -1,31 +0,0 @@ -secret: - storeName: cluster-secret-store - path: apps/proton - -backend: - replicaCount: 1 - extraVolumeMounts: - - mountPath: /etc/ssl/certs/e11529a0.0 - subPath: e11529a0.0 - name: cluster-ca-cert - readOnly: true - extraVolumes: - - name: cluster-ca-cert - secret: - defaultMode: 420 - secretName: cluster-ca-cert - - podLabels: {} - - ingress: - className: ingress-nginx - annotations: - nginx.ingress.kubernetes.io/auth-tls-secret: proton/cloudflare-ca-cert - nginx.ingress.kubernetes.io/auth-tls-verify-client: "on" - nginx.ingress.kubernetes.io/rewrite-target: "/$1" - host: proton.profidev.io - tls: - - hosts: - - profidev.io - - "*.profi.dev" - secretName: cloudflare-cert diff --git a/charts/vault-auto-unseal/.helmignore b/charts/vault-auto-unseal/.helmignore deleted file mode 100644 index 3e26371..0000000 
--- a/charts/vault-auto-unseal/.helmignore +++ /dev/null @@ -1,24 +0,0 @@ -# Patterns to ignore when building packages. -# This supports shell glob matching, relative path matching, and -# negation (prefixed with !). Only one pattern per line. -.DS_Store -# Common VCS dirs -.git/ -.gitignore -.bzr/ -.bzrignore -.hg/ -.hgignore -.svn/ -# Common backup files -*.swp -*.bak -*.tmp -*.orig -*~ -# Various IDEs -.project -.idea/ -*.tmproj -.vscode/ -app/ diff --git a/charts/vault-auto-unseal/Chart.yaml b/charts/vault-auto-unseal/Chart.yaml deleted file mode 100644 index 3651c72..0000000 --- a/charts/vault-auto-unseal/Chart.yaml +++ /dev/null @@ -1,8 +0,0 @@ -apiVersion: v2 -name: vault-auto-unseal -description: Automatic unseal for HashiCorp Vault -type: application -version: v0.1.12 -maintainers: - - email: mail@profidev.io - name: ProfiDev diff --git a/charts/vault-auto-unseal/templates/deployment.yaml b/charts/vault-auto-unseal/templates/deployment.yaml deleted file mode 100644 index e323074..0000000 --- a/charts/vault-auto-unseal/templates/deployment.yaml +++ /dev/null 
@@ -1,37 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: {{ .Chart.Name }} - labels: - app: "{{ .Chart.Name }}-{{ .Chart.Version | replace "+" "_" }}" -spec: - selector: - matchLabels: - app: {{ .Chart.Name }} - replicas: {{ default 1 .Values.replicaCount | int }} - template: - metadata: - labels: - app: {{ .Chart.Name }} - spec: - containers: {{ $default_tag := replace " " "" (cat "vault-auto-unseal-" .Chart.Version) }} - - name: {{ .Chart.Name }} - image: "{{ .Values.image.repository }}:{{ default $default_tag .Values.image.tag }}" - imagePullPolicy: {{ .Values.image.pullPolicy }} - livenessProbe: - exec: - command: - - pgrep - - app - initialDelaySeconds: 10 - periodSeconds: 60 - env: - {{- range $key, $value := .Values.secrets }} - - name: {{ $key | upper }} - valueFrom: - secretKeyRef: - name: {{ $value.name }} - key: {{ $value.key }} - {{- end }} - - name: VAULT_URL - value: "{{ .Values.vault_url }}" diff --git a/charts/vault-auto-unseal/templates/network-policy.yaml b/charts/vault-auto-unseal/templates/network-policy.yaml deleted file mode 100644 index fcd51a6..0000000 --- a/charts/vault-auto-unseal/templates/network-policy.yaml +++ /dev/null @@ -1,23 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: {{ .Chart.Name }}-vault - namespace: {{ .Release.Namespace }} -spec: - order: 10 - podSelector: - matchLabels: - app: {{ .Chart.Name }} - policyTypes: - - Egress - egress: - - to: - - namespaceSelector: - matchLabels: - kubernetes.io/metadata.name: {{ .Release.Namespace }} - podSelector: - matchLabels: - app.kubernetes.io/name: "vault" - ports: - - protocol: TCP - port: 8200 diff --git a/charts/vault-auto-unseal/values.yaml b/charts/vault-auto-unseal/values.yaml deleted file mode 100644 index 8d9ab87..0000000 --- a/charts/vault-auto-unseal/values.yaml +++ /dev/null 
@@ -1,33 +0,0 @@ -replicaCount: 1 - -image: - repository: ghcr.io/profiidev/server-config/vault_auto_unseal - pullPolicy: IfNotPresent - -# This section builds out the service account more information can be found here: https://kubernetes.io/docs/concepts/security/service-accounts/ -serviceAccount: - # Specifies whether a service account should be created - create: true - # Automatically mount a ServiceAccount's API credentials? - automount: true - # Annotations to add to the service account - annotations: {} - # The name of the service account to use. - # If not set and create is true, a name is generated using the fullname template - name: "" - -secrets: - key_1: - name: key_1_secret - key: key - key_2: - name: key_2_secret - key: key - key_3: - name: key_3_secret - key: key - ca_cert: - name: ca_cert_secret - key: ca.crt - -vault_url: "https://vault.vault.svc:8200" diff --git a/main.tf b/main.tf deleted file mode 100644 index 7eccbf5..0000000 --- a/main.tf +++ /dev/null @@ -1,42 +0,0 @@ -terraform { - required_providers { - kubernetes = { - source = "hashicorp/kubernetes" - version = "~> 2.0" - } - helm = { - source = "hashicorp/helm" - version = "~> 2.0" - } - local = { - source = "hashicorp/local" - version = "~> 2.0" - } - template = { - source = "hashicorp/template" - version = "~> 2.0" - } - null = { - source = "hashicorp/null" - version = "~> 3.0" - } - external = { - source = "hashicorp/external" - version = "~> 2.0" - } - } -} - -provider "kubernetes" { - config_path = "~/.kube/config" -} - -provider "helm" { - kubernetes { - config_path = "~/.kube/config" - } -} - -module "config" { - source = "./terraform" -} diff --git a/rustfmt.toml b/rustfmt.toml deleted file mode 100644 index b196eaa..0000000 --- a/rustfmt.toml +++ /dev/null @@ -1 +0,0 @@ -tab_spaces = 2 From d851d1b56d7dee2f2fab4e85b4d44f48d5a2ec31 Mon Sep 17 00:00:00 2001 
From: ProfiiDev <92174452+Profiidev@users.noreply.github.com> Date: Wed, 29 Oct 2025 21:19:36 +0100 Subject: [PATCH 10/43] refactor: added db terraform script --- terraform/README.md | 15 ++ terraform/crd/default-deny.tf | 18 +- terraform/crd/kube-prom-crd.tf | 8 - terraform/{storage_old => db}/couchdb.tf | 13 +- terraform/db/main.tf | 22 ++ terraform/db/minio.tf | 120 ++++++++++ terraform/db/nats.tf | 18 ++ terraform/db/postgres.tf | 51 +++++ .../templates}/couchdb.values.tftpl | 0 .../templates}/minio-tenant.values.tftpl | 0 .../templates}/minio.values.tftpl | 0 .../templates}/nats.values.tftpl | 0 .../db/templates/postgres-ui.values.tftpl | 35 +++ .../templates}/postgres.values.tftpl | 0 terraform/db/variables.tf | 66 ++++++ terraform/modules/ingress-np/main.tf | 10 - terraform/modules/ingress-np/policy.tf | 20 -- terraform/modules/ingress-np/variables.tf | 9 - terraform/modules/ns-np/main.tf | 10 - terraform/modules/ns-np/policy.tf | 25 --- terraform/modules/ns-np/variables.tf | 4 - terraform/modules_old/access-policy/main.tf | 10 - terraform/modules_old/access-policy/policy.tf | 45 ---- .../modules_old/access-policy/variables.tf | 23 -- terraform/modules_old/metrics-np/main.tf | 10 - terraform/modules_old/metrics-np/policy.tf | 52 ----- terraform/modules_old/metrics-np/variables.tf | 26 --- terraform/network/crowd-sec.tf | 9 - terraform/storage/external-secrets.tf | 8 - terraform/storage/longhorn.tf | 8 - terraform/storage/vault.tf | 9 - terraform/storage_old/minio.tf | 212 ------------------ terraform/storage_old/nats.tf | 57 ----- .../storage_old/postgres-ui.values.tftpl | 15 -- terraform/storage_old/postgres.tf | 206 ----------------- terraform/storage_old/variables.tf | 133 ----------- 36 files changed, 348 insertions(+), 919 deletions(-) rename terraform/{storage_old => db}/couchdb.tf (66%) create mode 100644 terraform/db/main.tf create mode 100644 terraform/db/minio.tf create mode 100644 terraform/db/nats.tf create mode 100644 terraform/db/postgres.tf 
rename terraform/{storage_old => db/templates}/couchdb.values.tftpl (100%) rename terraform/{storage_old => db/templates}/minio-tenant.values.tftpl (100%) rename terraform/{storage_old => db/templates}/minio.values.tftpl (100%) rename terraform/{storage_old => db/templates}/nats.values.tftpl (100%) create mode 100644 terraform/db/templates/postgres-ui.values.tftpl rename terraform/{storage_old => db/templates}/postgres.values.tftpl (100%) create mode 100644 terraform/db/variables.tf delete mode 100644 terraform/modules/ingress-np/main.tf delete mode 100644 terraform/modules/ingress-np/policy.tf delete mode 100644 terraform/modules/ingress-np/variables.tf delete mode 100644 terraform/modules/ns-np/main.tf delete mode 100644 terraform/modules/ns-np/policy.tf delete mode 100644 terraform/modules/ns-np/variables.tf delete mode 100644 terraform/modules_old/access-policy/main.tf delete mode 100644 terraform/modules_old/access-policy/policy.tf delete mode 100644 terraform/modules_old/access-policy/variables.tf delete mode 100644 terraform/modules_old/metrics-np/main.tf delete mode 100644 terraform/modules_old/metrics-np/policy.tf delete mode 100644 terraform/modules_old/metrics-np/variables.tf delete mode 100644 terraform/storage_old/minio.tf delete mode 100644 terraform/storage_old/nats.tf delete mode 100644 terraform/storage_old/postgres-ui.values.tftpl delete mode 100644 terraform/storage_old/postgres.tf delete mode 100644 terraform/storage_old/variables.tf diff --git a/terraform/README.md b/terraform/README.md index 666b790..8cc77e4 100644 --- a/terraform/README.md +++ b/terraform/README.md @@ -32,3 +32,18 @@ certs/nginx: - API_KEY: - CAPTCHA_KEY: - CAPTCHA_SITE_KEY: + +db/minio_config: + +- config.env: + +db/minio_metrics: + +- token: + +db/couchdb: + +- cookie_auth: +- erlang_cookie: +- password: +- username: diff --git a/terraform/crd/default-deny.tf b/terraform/crd/default-deny.tf index 08dd03b..c9c9a0c 100644 --- a/terraform/crd/default-deny.tf 
+++ b/terraform/crd/default-deny.tf @@ -24,7 +24,7 @@ spec: selector: 'k8s-app == "kube-dns"' ports: - 53 - # allow all namespaces egress where the destination is not another pod (this does nothing as long as there is no rule for allowing ingress to a pod) + # allow all pods to communicate within private IP ranges - action: Allow protocol: TCP destination: @@ -39,5 +39,21 @@ spec: - 10.0.0.0/8 - 172.16.0.0/12 - 192.168.0.0/16 +ingress: + # allow all pods to communicate within private IP ranges + - action: Allow + protocol: TCP + source: + nets: + - 10.0.0.0/8 + - 172.16.0.0/12 + - 192.168.0.0/16 + - action: Allow + protocol: UDP + source: + nets: + - 10.0.0.0/8 + - 172.16.0.0/12 + - 192.168.0.0/16 YAML } diff --git a/terraform/crd/kube-prom-crd.tf b/terraform/crd/kube-prom-crd.tf index 1a583d9..53152fa 100644 --- a/terraform/crd/kube-prom-crd.tf +++ b/terraform/crd/kube-prom-crd.tf @@ -46,11 +46,3 @@ spec: depends_on = [kubernetes_namespace.metrics] } - -module "ns_np_metrics" { - source = "../modules/ns-np" - - namespace = var.metrics_ns - - depends_on = [kubernetes_namespace.metrics] -} diff --git a/terraform/storage_old/couchdb.tf b/terraform/db/couchdb.tf similarity index 66% rename from terraform/storage_old/couchdb.tf rename to terraform/db/couchdb.tf index 5854c04..357f1e4 100644 --- a/terraform/storage_old/couchdb.tf +++ b/terraform/db/couchdb.tf @@ -1,11 +1,6 @@ -resource "kubernetes_namespace" "couchdb_ns" { +resource "kubernetes_namespace" "couchdb" { metadata { name = var.couchdb_ns - labels = { - "${var.cloudflare_cert_label.key}" = var.cloudflare_cert_label.value - "${var.secret_store_label.key}" = var.secret_store_label.value - "${var.cluster_ca_cert_label.key}" = var.cluster_ca_cert_label.value - } } } @@ -23,7 +18,7 @@ resource "helm_release" "couchdb" { cert_issuer = var.cert_issuer_prod })] - depends_on = [kubernetes_namespace.couchdb_ns] + depends_on = [kubernetes_namespace.couchdb] } resource "kubectl_manifest" "couchdb_secrets" { 
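Review bot: The new `ingress:` block in the `@@ -39,5 +39,21 @@` hunk allows TCP and UDP from every RFC1918 range with no destination restriction, so any pod whose address falls inside those ranges (RKE2's default pod CIDR does) can reach any other pod, and the policy stops being a default deny for ingress. If the goal is to admit host-side traffic such as kubelet probes and the ingress controller, narrow `nets:` to the node subnet and leave pod-to-pod ingress to per-namespace policies; if allow-all ingress is intended, the comment `# allow all pods to communicate within private IP ranges` (also swapped in by the first hunk) should say that this effectively disables ingress deny. The enclosing `yaml_body` and resource header start outside the hunk.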
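Review bot: Dropping the `secret_store_label`, `cloudflare_cert_label` and `cluster_ca_cert_label` labels from the `couchdb` namespace in `@@ -1,11 +1,6 @@` may break the `couchdb_secrets` ExternalSecret later in the same file if the `ClusterSecretStore` it references selects namespaces by that label; from this hunk alone I cannot tell whether the store's selector was changed in the same commit. A one-line comment on the namespace resource stating how it is now authorised to the store, e.g. `# store access no longer label-gated: <reason>`, would save the next reader the same question.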
@@ -42,8 +37,8 @@ spec: name: couchdb dataFrom: - extract: - key: apps/couchdb + key: db/couchdb YAML - depends_on = [kubernetes_namespace.couchdb_ns] + depends_on = [kubernetes_namespace.couchdb] } diff --git a/terraform/db/main.tf b/terraform/db/main.tf new file mode 100644 index 0000000..2c3fc28 --- /dev/null +++ b/terraform/db/main.tf @@ -0,0 +1,22 @@ +terraform { + required_version = "~> 1.11" + + required_providers { + kubernetes = { + source = "hashicorp/kubernetes" + version = "~> 2.0" + } + helm = { + source = "hashicorp/helm" + version = "~> 2.0" + } + kubectl = { + source = "gavinbunney/kubectl" + version = "~> 1.0" + } + external = { + source = "hashicorp/external" + version = "~> 2.0" + } + } +} diff --git a/terraform/db/minio.tf b/terraform/db/minio.tf new file mode 100644 index 0000000..abfff89 --- /dev/null +++ b/terraform/db/minio.tf 
@@ -0,0 +1,120 @@ +resource "kubernetes_namespace" "minio" { + metadata { + name = var.minio_ns + labels = { + "${var.minio_config_label.key}" = var.minio_config_label.value + } + } +} + +resource "helm_release" "minio" { + name = "minio" + repository = "https://operator.min.io" + chart = "operator" + version = "7.0.1" + namespace = var.minio_ns + + values = [templatefile("${path.module}/templates/minio.values.tftpl", { + })] + + depends_on = [kubernetes_namespace.minio] +} + +resource "helm_release" "minio_tenant" { + name = "minio-tenant" + repository = "https://operator.min.io" + chart = "tenant" + version = "7.0.1" + namespace = var.minio_ns + + values = [templatefile("${path.module}/templates/minio-tenant.values.tftpl", { + storage_class = var.storage_class + namespace = var.minio_ns + cloudflare_ca_cert_var = var.cloudflare_ca_cert_var + cloudflare_cert_var = var.cloudflare_cert_var + ingress_class = var.ingress_class + minio_config = var.minio_config + cert_issuer = var.cert_issuer_prod + })] + + depends_on = [kubernetes_namespace.minio] +} + +module "k8s_api_np_minio" { + source = "../modules/k8s-api-np" + + namespace = var.minio_ns + k8s_api = var.k8s_api + + depends_on = [kubernetes_namespace.minio] +} + +resource "kubectl_manifest" "minio_config" { + yaml_body = < Date: Wed, 29 Oct 2025 22:01:31 +0100 Subject: [PATCH 11/43] fix: db terraform script --- terraform/db/.terraform.lock.hcl | 123 ++++++++++++++++++ terraform/db/minio.tf | 7 +- terraform/db/postgres.tf | 8 ++ terraform/db/templates/nats.values.tftpl | 5 +- .../db/templates/postgres-ui.values.tftpl | 4 - 5 files changed, 135 insertions(+), 12 deletions(-) create mode 100644 terraform/db/.terraform.lock.hcl diff --git a/terraform/db/.terraform.lock.hcl b/terraform/db/.terraform.lock.hcl new file mode 100644 index 0000000..f925dac --- /dev/null +++ b/terraform/db/.terraform.lock.hcl 
@@ -0,0 +1,123 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/gavinbunney/kubectl" { + version = "1.19.0" + constraints = "~> 1.0" + hashes = [ + "h1:9QkxPjp0x5FZFfJbE+B7hBOoads9gmdfj9aYu5N4Sfc=", + "zh:1dec8766336ac5b00b3d8f62e3fff6390f5f60699c9299920fc9861a76f00c71", + "zh:43f101b56b58d7fead6a511728b4e09f7c41dc2e3963f59cf1c146c4767c6cb7", + "zh:4c4fbaa44f60e722f25cc05ee11dfaec282893c5c0ffa27bc88c382dbfbaa35c", + "zh:51dd23238b7b677b8a1abbfcc7deec53ffa5ec79e58e3b54d6be334d3d01bc0e", + "zh:5afc2ebc75b9d708730dbabdc8f94dd559d7f2fc5a31c5101358bd8d016916ba", + "zh:6be6e72d4663776390a82a37e34f7359f726d0120df622f4a2b46619338a168e", + "zh:72642d5fcf1e3febb6e5d4ae7b592bb9ff3cb220af041dbda893588e4bf30c0c", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:a1da03e3239867b35812ee031a1060fed6e8d8e458e2eaca48b5dd51b35f56f7", + "zh:b98b6a6728fe277fcd133bdfa7237bd733eae233f09653523f14460f608f8ba2", + "zh:bb8b071d0437f4767695c6158a3cb70df9f52e377c67019971d888b99147511f", + "zh:dc89ce4b63bfef708ec29c17e85ad0232a1794336dc54dd88c3ba0b77e764f71", + "zh:dd7dd18f1f8218c6cd19592288fde32dccc743cde05b9feeb2883f37c2ff4b4e", + "zh:ec4bd5ab3872dedb39fe528319b4bba609306e12ee90971495f109e142d66310", + "zh:f610ead42f724c82f5463e0e71fa735a11ffb6101880665d93f48b4a67b9ad82", + ] +} + +provider "registry.terraform.io/hashicorp/external" { + version = "2.3.5" + constraints = "~> 2.0" + hashes = [ + "h1:smKSos4zs57pJjQrNuvGBpSWth2el9SgePPbPHo0aps=", + "zh:6e89509d056091266532fa64de8c06950010498adf9070bf6ff85bc485a82562", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:86868aec05b58dc0aa1904646a2c26b9367d69b890c9ad70c33c0d3aa7b1485a", + "zh:a2ce38fda83a62fa5fb5a70e6ca8453b168575feb3459fa39803f6f40bd42154", + "zh:a6c72798f4a9a36d1d1433c0372006cc9b904e8cfd60a2ae03ac5b7d2abd2398", + 
"zh:a8a3141d2fc71c86bf7f3c13b0b3be8a1b0f0144a47572a15af4dfafc051e28a", + "zh:aa20a1242eb97445ad26ebcfb9babf2cd675bdb81cac5f989268ebefa4ef278c", + "zh:b58a22445fb8804e933dcf835ab06c29a0f33148dce61316814783ee7f4e4332", + "zh:cb5626a661ee761e0576defb2a2d75230a3244799d380864f3089c66e99d0dcc", + "zh:d1acb00d20445f682c4e705c965e5220530209c95609194c2dc39324f3d4fcce", + "zh:d91a254ba77b69a29d8eae8ed0e9367cbf0ea6ac1a85b58e190f8cb096a40871", + "zh:f6592327673c9f85cdb6f20336faef240abae7621b834f189c4a62276ea5db41", + ] +} + +provider "registry.terraform.io/hashicorp/helm" { + version = "2.17.0" + constraints = "~> 2.0" + hashes = [ + "h1:K5FEjxvDnxb1JF1kG1xr8J3pNGxoaR3Z0IBG9Csm/Is=", + "zh:06fb4e9932f0afc1904d2279e6e99353c2ddac0d765305ce90519af410706bd4", + "zh:104eccfc781fc868da3c7fec4385ad14ed183eb985c96331a1a937ac79c2d1a7", + "zh:129345c82359837bb3f0070ce4891ec232697052f7d5ccf61d43d818912cf5f3", + "zh:3956187ec239f4045975b35e8c30741f701aa494c386aaa04ebabffe7749f81c", + "zh:66a9686d92a6b3ec43de3ca3fde60ef3d89fb76259ed3313ca4eb9bb8c13b7dd", + "zh:88644260090aa621e7e8083585c468c8dd5e09a3c01a432fb05da5c4623af940", + "zh:a248f650d174a883b32c5b94f9e725f4057e623b00f171936dcdcc840fad0b3e", + "zh:aa498c1f1ab93be5c8fbf6d48af51dc6ef0f10b2ea88d67bcb9f02d1d80d3930", + "zh:bf01e0f2ec2468c53596e027d376532a2d30feb72b0b5b810334d043109ae32f", + "zh:c46fa84cc8388e5ca87eb575a534ebcf68819c5a5724142998b487cb11246654", + "zh:d0c0f15ffc115c0965cbfe5c81f18c2e114113e7a1e6829f6bfd879ce5744fbb", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} + +provider "registry.terraform.io/hashicorp/kubernetes" { + version = "2.38.0" + constraints = "~> 2.0" + hashes = [ + "h1:5CkveFo5ynsLdzKk+Kv+r7+U9rMrNjfZPT3a0N/fhgE=", + "zh:0af928d776eb269b192dc0ea0f8a3f0f5ec117224cd644bdacdc682300f84ba0", + "zh:1be998e67206f7cfc4ffe77c01a09ac91ce725de0abaec9030b22c0a832af44f", + "zh:326803fe5946023687d603f6f1bab24de7af3d426b01d20e51d4e6fbe4e7ec1b", + 
"zh:4a99ec8d91193af961de1abb1f824be73df07489301d62e6141a656b3ebfff12", + "zh:5136e51765d6a0b9e4dbcc3b38821e9736bd2136cf15e9aac11668f22db117d2", + "zh:63fab47349852d7802fb032e4f2b6a101ee1ce34b62557a9ad0f0f0f5b6ecfdc", + "zh:924fb0257e2d03e03e2bfe9c7b99aa73c195b1f19412ca09960001bee3c50d15", + "zh:b63a0be5e233f8f6727c56bed3b61eb9456ca7a8bb29539fba0837f1badf1396", + "zh:d39861aa21077f1bc899bc53e7233262e530ba8a3a2d737449b100daeb303e4d", + "zh:de0805e10ebe4c83ce3b728a67f6b0f9d18be32b25146aa89116634df5145ad4", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:faf23e45f0090eef8ba28a8aac7ec5d4fdf11a36c40a8d286304567d71c1e7db", + ] +} + +provider "registry.terraform.io/hashicorp/null" { + version = "3.2.4" + hashes = [ + "h1:hkf5w5B6q8e2A42ND2CjAvgvSN3puAosDmOJb3zCVQM=", + "zh:59f6b52ab4ff35739647f9509ee6d93d7c032985d9f8c6237d1f8a59471bbbe2", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:795c897119ff082133150121d39ff26cb5f89a730a2c8c26f3a9c1abf81a9c43", + "zh:7b9c7b16f118fbc2b05a983817b8ce2f86df125857966ad356353baf4bff5c0a", + "zh:85e33ab43e0e1726e5f97a874b8e24820b6565ff8076523cc2922ba671492991", + "zh:9d32ac3619cfc93eb3c4f423492a8e0f79db05fec58e449dee9b2d5873d5f69f", + "zh:9e15c3c9dd8e0d1e3731841d44c34571b6c97f5b95e8296a45318b94e5287a6e", + "zh:b4c2ab35d1b7696c30b64bf2c0f3a62329107bd1a9121ce70683dec58af19615", + "zh:c43723e8cc65bcdf5e0c92581dcbbdcbdcf18b8d2037406a5f2033b1e22de442", + "zh:ceb5495d9c31bfb299d246ab333f08c7fb0d67a4f82681fbf47f2a21c3e11ab5", + "zh:e171026b3659305c558d9804062762d168f50ba02b88b231d20ec99578a6233f", + "zh:ed0fe2acdb61330b01841fa790be00ec6beaac91d41f311fb8254f74eb6a711f", + ] +} + +provider "registry.terraform.io/hashicorp/random" { + version = "3.7.2" + hashes = [ + "h1:356j/3XnXEKr9nyicLUufzoF4Yr6hRy481KIxRVpK0c=", + "zh:14829603a32e4bc4d05062f059e545a91e27ff033756b48afbae6b3c835f508f", + "zh:1527fb07d9fea400d70e9e6eb4a2b918d5060d604749b6f1c361518e7da546dc", + 
"zh:1e86bcd7ebec85ba336b423ba1db046aeaa3c0e5f921039b3f1a6fc2f978feab", + "zh:24536dec8bde66753f4b4030b8f3ef43c196d69cccbea1c382d01b222478c7a3", + "zh:29f1786486759fad9b0ce4fdfbbfece9343ad47cd50119045075e05afe49d212", + "zh:4d701e978c2dd8604ba1ce962b047607701e65c078cb22e97171513e9e57491f", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:7b8434212eef0f8c83f5a90c6d76feaf850f6502b61b53c329e85b3b281cba34", + "zh:ac8a23c212258b7976e1621275e3af7099e7e4a3d4478cf8d5d2a27f3bc3e967", + "zh:b516ca74431f3df4c6cf90ddcdb4042c626e026317a33c53f0b445a3d93b720d", + "zh:dc76e4326aec2490c1600d6871a95e78f9050f9ce427c71707ea412a2f2f1a62", + "zh:eac7b63e86c749c7d48f527671c7aee5b4e26c10be6ad7232d6860167f99dbb0", + ] +} diff --git a/terraform/db/minio.tf b/terraform/db/minio.tf index abfff89..cf45e04 100644 --- a/terraform/db/minio.tf +++ b/terraform/db/minio.tf @@ -1,9 +1,6 @@ resource "kubernetes_namespace" "minio" { metadata { name = var.minio_ns - labels = { - "${var.minio_config_label.key}" = var.minio_config_label.value - } } } @@ -94,7 +91,7 @@ spec: key: token YAML - depends_on = [kubernetes_namespace.minio_ns] + depends_on = [kubernetes_namespace.minio] } resource "kubectl_manifest" "minio_metrics_secret" { @@ -116,5 +113,5 @@ spec: key: db/minio_metrics YAML - depends_on = [kubernetes_namespace.minio_ns] + depends_on = [kubernetes_namespace.minio] } diff --git a/terraform/db/postgres.tf b/terraform/db/postgres.tf index 559f086..d7f0d56 100644 --- a/terraform/db/postgres.tf +++ b/terraform/db/postgres.tf @@ -21,6 +21,14 @@ resource "helm_release" "postgres" { depends_on = [kubernetes_namespace.everest_system] } +module "everest_system_egress_np" { + source = "../modules/external-np" + + namespace = var.everest_system_ns + + depends_on = [kubernetes_namespace.everest_system] +} + module "k8s_api_np_everest_system" { source = "../modules/k8s-api-np" 
diff --git a/terraform/db/templates/nats.values.tftpl b/terraform/db/templates/nats.values.tftpl index c0a080a..2f50675 100644 --- a/terraform/db/templates/nats.values.tftpl +++ b/terraform/db/templates/nats.values.tftpl @@ -1,15 +1,14 @@ config: cluster: enabled: true - replicas: 2 + replicas: 1 merge: accounts: $SYS: users: - - {user: system, password: a} + - { user: system, password: a } promExporter: enabled: true podMonitor: enabled: true interval: 60s - \ No newline at end of file diff --git a/terraform/db/templates/postgres-ui.values.tftpl b/terraform/db/templates/postgres-ui.values.tftpl index e9e7b62..773a579 100644 --- a/terraform/db/templates/postgres-ui.values.tftpl +++ b/terraform/db/templates/postgres-ui.values.tftpl @@ -13,10 +13,6 @@ server: - profile - openid - groups -olm: - install: false -monitoring: - enabled: false ingress: enabled: true ingressClassName: "${ingress_class}" From aa070f1c1beef6ccb7c81a7d0019ed6e0ad1fe5b Mon Sep 17 00:00:00 2001 
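Review bot: The reformatted line `- { user: system, password: a }` keeps a literal one-character password for the NATS `$SYS` account in a committed template, so anyone who can read the repository or the rendered Helm values holds the system-account credentials. The same commit series already sources credentials through ExternalSecrets (the `db/couchdb` key, for example), so the password should be a template variable fed from a secret, e.g. `- { user: system, password: ${nats_system_password} }`, with the value supplied through `templatefile(...)` rather than inline. Separately, `replicas: 1` with `cluster.enabled: true` left in place appears to leave clustering configured but inoperative; a short comment on why would help.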
From: ProfiiDev <92174452+Profiidev@users.noreply.github.com> Date: Fri, 21 Nov 2025 23:50:04 +0100 Subject: [PATCH 12/43] feat: added flake system config --- nix/config.nix | 29 ++++++++ nix/disko-config.nix | 84 ++++++++++++++++++++++ nix/flake.lock | 87 +++++++++++++++++++++++ nix/flake.nix | 57 +++++++++++++++ nix/hardware-configuration.nix | 14 ++++ nix/nix.nix | 41 +++++++++++ nix/rke2.nix | 50 +++++++++++++ nix/services.nix | 25 +++++++ nix/tools.nix | 14 ++++ nix/user.nix | 17 +++++ terraform/rke2/.terraform.lock.hcl | 105 ---------------------------- terraform/rke2/data/pss-custom.yaml | 14 ---- terraform/rke2/inputs.tf | 19 ----- terraform/rke2/main.tf | 97 ------------------------- terraform/rke2/versions.tf | 3 - 15 files changed, 418 insertions(+), 238 deletions(-) create mode 100644 nix/config.nix create mode 100644 nix/disko-config.nix create mode 100644 nix/flake.lock create mode 100644 nix/flake.nix create mode 100644 nix/hardware-configuration.nix create mode 100644 nix/nix.nix create mode 100644 nix/rke2.nix create mode 100644 nix/services.nix create mode 100644 nix/tools.nix create mode 100644 nix/user.nix delete mode 100644 terraform/rke2/.terraform.lock.hcl delete mode 100644 terraform/rke2/data/pss-custom.yaml delete mode 100644 terraform/rke2/inputs.tf delete mode 100644 terraform/rke2/main.tf delete mode 100644 terraform/rke2/versions.tf diff --git a/nix/config.nix b/nix/config.nix new file mode 100644 index 0000000..8a80735 --- /dev/null +++ b/nix/config.nix @@ -0,0 +1,29 @@ +{ + inputs, + nix-config, + ... +}: + +{ + imports = [ + ./hardware-configuration.nix + ./disko-config.nix + { + _module.args = { + disk = "/dev/sda"; + withSwap = true; + swapSize = "2"; + }; + } + inputs.disko.nixosModules.disko + + ./nix.nix + ./rke2.nix + ./services.nix + ./tools.nix + ./user.nix + + "${nix-config}/modules/general.nix" + "${nix-config}/modules/locale.nix" + ]; +} 
diff --git a/nix/disko-config.nix b/nix/disko-config.nix new file mode 100644 index 0000000..e9afe4a --- /dev/null +++ b/nix/disko-config.nix @@ -0,0 +1,84 @@ +# NOTE: ... is needed because dikso passes diskoFile +{ + lib, + disk ? "/dev/vda", + withSwap ? false, + swapSize, + ... +}: +{ + disko.devices = { + disk = { + main = { + type = "disk"; + device = disk; + content = { + type = "gpt"; + partitions = { + boot = { + size = "1M"; + type = "EF02"; + priority = 1; + }; + ESP = { + size = "512M"; + type = "EF00"; + priority = 2; + content = { + type = "filesystem"; + format = "vfat"; + mountpoint = "/boot"; + }; + }; + root = { + size = "100%"; + content = { + type = "btrfs"; + extraArgs = [ "-f" ]; + subvolumes = { + "@root" = { + mountpoint = "/"; + mountOptions = [ + "defaults" + "subvol=root" + "compress=zstd" + "noatime" + "space_cache=v2" + "discard=async" + ]; + }; + "@persist" = { + mountpoint = "/persist"; + mountOptions = [ + "defaults" + "subvol=root" + "compress=zstd" + "noatime" + "space_cache=v2" + "discard=async" + ]; + }; + "@nix" = { + mountpoint = "/nix"; + mountOptions = [ + "defaults" + "subvol=root" + "compress=zstd" + "noatime" + "space_cache=v2" + "discard=async" + ]; + }; + "@swap" = lib.mkIf withSwap { + mountpoint = "/.swapvol"; + swap.swapfile.size = "${swapSize}G"; + }; + }; + }; + }; + }; + }; + }; + }; + }; +} diff --git a/nix/flake.lock b/nix/flake.lock new file mode 100644 index 0000000..fe6293e --- /dev/null +++ b/nix/flake.lock 
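Review bot: All three subvolumes `@root`, `@persist` and `@nix` carry `"subvol=root"` in `mountOptions`, which looks like a copy-paste slip: disko derives the subvolume to mount from the attribute name, and an explicit `subvol=root` (which does not even match `@root`) risks mounting the wrong subvolume or failing at mount time depending on which option wins. Drop the `"subvol=root"` entry from each list, or if an explicit option is wanted, make it match the subvolume (`subvol=@persist`, `subvol=@nix`). The header comment also misspells `disko` as `dikso`.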
@@ -0,0 +1,87 @@ +{ + "nodes": { + "disko": { + "inputs": { + "nixpkgs": [ + "nixpkgs-unstable" + ] + }, + "locked": { + "lastModified": 1763651264, + "narHash": "sha256-8vvwZbw0s7YvBMJeyPVpWke6lg6ROgtts5N2/SMCcv4=", + "owner": "nix-community", + "repo": "disko", + "rev": "e86a89079587497174ccab6d0d142a65811a4fd9", + "type": "github" + }, + "original": { + "owner": "nix-community", + "repo": "disko", + "type": "github" + } + }, + "nix-config": { + "flake": false, + "locked": { + "lastModified": 1763745348, + "narHash": "sha256-FwxiYKQo6/mUG74x7GWizH8GlD9dt3Bf7JssbA6Z6EM=", + "owner": "ProfiiDev", + "repo": "nix", + "rev": "e29e68aa162018e143eb866bc5cd4fe967ffca0a", + "type": "github" + }, + "original": { + "owner": "ProfiiDev", + "ref": "main", + "repo": "nix", + "type": "github" + } + }, + "nixpkgs-unstable": { + "locked": { + "lastModified": 1763421233, + "narHash": "sha256-Stk9ZYRkGrnnpyJ4eqt9eQtdFWRRIvMxpNRf4sIegnw=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "89c2b2330e733d6cdb5eae7b899326930c2c0648", + "type": "github" + }, + "original": { + "owner": "nixos", + "ref": "nixos-unstable", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "disko": "disko", + "nix-config": "nix-config", + "nixpkgs-unstable": "nixpkgs-unstable", + "sops-nix": "sops-nix" + } + }, + "sops-nix": { + "inputs": { + "nixpkgs": [ + "nixpkgs-unstable" + ] + }, + "locked": { + "lastModified": 1763607916, + "narHash": "sha256-VefBA1JWRXM929mBAFohFUtQJLUnEwZ2vmYUNkFnSjE=", + "owner": "mic92", + "repo": "sops-nix", + "rev": "877bb495a6f8faf0d89fc10bd142c4b7ed2bcc0b", + "type": "github" + }, + "original": { + "owner": "mic92", + "repo": "sops-nix", + "type": "github" + } + } + }, + "root": "root", + "version": 7 +} diff --git a/nix/flake.nix b/nix/flake.nix new file mode 100644 index 0000000..44b3065 --- /dev/null +++ b/nix/flake.nix 
@@ -0,0 +1,57 @@
+{
+ description = "Cluster node config";
+ nixConfig = {
+ extra-substituters = [
+ "https://cache.garnix.io"
+ "https://nix-community.cachix.org"
+ ];
+ extra-trusted-public-keys = [
+ "cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g="
+ "nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs="
+ ];
+ };
+
+ inputs = {
+ nixpkgs-unstable.url = "github:nixos/nixpkgs/nixos-unstable";
+ nix-config = {
+ url = "github:ProfiiDev/nix/main";
+ flake = false;
+ };
+
+ disko = {
+ url = "github:nix-community/disko";
+ inputs.nixpkgs.follows = "nixpkgs-unstable";
+ };
+
+ sops-nix = {
+ url = "github:mic92/sops-nix";
+ inputs.nixpkgs.follows = "nixpkgs-unstable";
+ };
+ };
+
+ outputs =
+ inputs@{ self, nixpkgs-unstable, ... }:
+ {
+ nixosConfigurations = builtins.listToAttrs (
+ map
+ (host: {
+ name = host;
+ value = nixpkgs-unstable.lib.nixosSystem {
+ specialArgs = {
+ lib = nixpkgs-unstable.lib;
+ nix-config = (builtins.toString inputs.nix-config);
+ inherit host inputs self;
+ };
+ modules = [
+ ./config.nix
+ ];
+ };
+ })
+ [
+ "node1"
+ "node2"
+ "node3"
+ ]
+ );
+ };
+}
diff --git a/nix/hardware-configuration.nix b/nix/hardware-configuration.nix
new file mode 100644
index 0000000..6ca3eea
--- /dev/null
+++ b/nix/hardware-configuration.nix
@@ -0,0 +1,14 @@
+{
+ lib,
+ modulesPath,
+ ...
+}:
+
+{
+ imports = [
+ (modulesPath + "/profiles/qemu-guest.nix")
+ ];
+
+ networking.useDHCP = lib.mkDefault true;
+ nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
+}
diff --git a/nix/nix.nix b/nix/nix.nix
new file mode 100644
index 0000000..dec3986
--- /dev/null
+++ b/nix/nix.nix
@@ -0,0 +1,41 @@
+{ pkgs, ... }:
+
+{
+ programs = {
+ nh = {
+ enable = true;
+ clean.enable = true;
+ clean.extraArgs = "--keep-since 1d --keep 10";
+ clean.dates = "daily";
+ flake = "/etc/nixos/nix-config";
+ };
+ };
+
+ environment.systemPackages = with pkgs; [
+ nil
+ nixfmt-rfc-style
+ ];
+
+ nix.settings = {
+ experimental-features = [
+ "nix-command"
+ "flakes"
+ ];
+ trusted-users = [
+ "root"
+ "profidev"
+ ];
+ };
+
+ nix.extraOptions = ''
+ extra-substituters = https://cache.garnix.io https://nix-community.cachix.org
+ extra-trusted-public-keys = cache.garnix.io:CTFPyKSLcx5RMJKfLo5EEPUObbA78b0YQ2DTCJXqr9g= nix-community.cachix.org-1:mB9FSh9qf2dCimDSUo8Zy7bkq5CX+/rkCWyvRCYg3Fs=
+ '';
+
+ nixpkgs = {
+ config = {
+ allowUnfree = true;
+ allowUnfreePredicate = _: true;
+ };
+ };
+}
diff --git a/nix/rke2.nix b/nix/rke2.nix
new file mode 100644
index 0000000..a631a8b
--- /dev/null
+++ b/nix/rke2.nix
@@ -0,0 +1,50 @@
+{ pkgs, ... }:
+
+let
+ pssFile = pkgs.writeText "rke2-pss-custom.yaml" ''
+ apiVersion: apiserver.config.k8s.io/v1
+ kind: AdmissionConfiguration
+ plugins:
+ - name: PodSecurity
+ configuration:
+ apiVersion: pod-security.admission.config.k8s.io/v1beta1
+ kind: PodSecurityConfiguration
+ defaults:
+ enforce: "privileged"
+ enforce-version: "latest"
+ exemptions:
+ usernames: []
+ runtimeClasses: []
+ namespaces: []
+ '';
+
+ configFile = pkgs.writeText "config.yaml" ''
+ cni: calico
+ profile: cis
+ pod-security-admission-config-file: ${pssFile}
+ etcd-expose-metrics: true
+ kube-controller-manager-arg:
+ - bind-address=0.0.0.0
+ kube-scheduler-arg:
+ - bind-address=0.0.0.0
+ kube-proxy-arg:
+ - metrics-bind-address=0.0.0.0
+ kubelet-arg:
+ - max-pods=200
+ '';
+in
+{
+ services.rke2 = {
+ enable = true;
+
+ configPath = configFile;
+ };
+
+ users.groups.etcd = { };
+ users.users.etcd = {
+ isSystemUser = true;
+ createHome = false;
+ description = "etcd user";
+ group = "etcd";
+ };
+}
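Review bot: `trusted-users = [ "root" "profidev" ]` in `nix.settings` lets profidev hand the daemon arbitrary substituters, trusted keys and sandbox overrides, which is effectively root on the host; since that account is already in `wheel` (user.nix in this patch) the extra grant widens what a compromised laptop key can do without an obvious need. If it is only there so builds can use the two caches, they do not need it: the same substituters are declared in `flake.nix`'s `nixConfig` and again here in a free-form `nix.extraOptions` string, so consolidate them into `nix.settings.extra-substituters = [ ... ];` and `nix.settings.extra-trusted-public-keys = [ ... ];`, which apply system-wide without trusting the user. Add a comment on `trusted-users` stating why profidev must be there if it stays.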
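Review bot: The custom PodSecurity configuration sets `enforce: "privileged"` with no namespace exemptions, which switches Pod Security Admission enforcement off for every namespace and, as I understand the RKE2 hardening guide, overrides the restricted default that `profile: cis` would otherwise apply, so the `cis` profile no longer constrains workloads. If relaxing this is deliberate, say so in a comment above `pssFile`, and prefer `enforce: "baseline"` (keeping `audit: "restricted"` / `warn: "restricted"` with matching `-version` keys) plus an explicit `exemptions.namespaces` list for the system namespaces that genuinely need privileged pods, so ordinary namespaces still get a check; the `pod-security.admission.config.k8s.io/v1beta1` apiVersion can also be `v1` on any Kubernetes release current enough for this chart set. The `bind-address=0.0.0.0` / `metrics-bind-address=0.0.0.0` arguments put the controller-manager, scheduler and kube-proxy ports on all interfaces and rely on the NixOS firewall (services.nix in this patch) to keep them local; a one-line comment next to those args recording that dependency would prevent a later firewall change from exposing them.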
diff --git a/nix/services.nix b/nix/services.nix
new file mode 100644
index 0000000..73b3556
--- /dev/null
+++ b/nix/services.nix
@@ -0,0 +1,25 @@
+{ host, ... }:
+
+{
+ boot.loader.grub.enable = true;
+ boot.loader.timeout = 0;
+
+ networking.hostName = host;
+ networking.networkmanager.enable = true;
+ networking.firewall.enable = true;
+
+ services.timesyncd.enable = true;
+ services.openssh = {
+ enable = true;
+ openFirewall = true;
+ settings = {
+ PermitRootLogin = "no";
+ PasswordAuthentication = false;
+ };
+ };
+
+ services.btrfs.autoScrub = {
+ enable = true;
+ interval = "weekly";
+ };
+}
diff --git a/nix/tools.nix b/nix/tools.nix
new file mode 100644
index 0000000..e51a9f2
--- /dev/null
+++ b/nix/tools.nix
@@ -0,0 +1,14 @@
+{ pkgs, ... }:
+
+{
+ environment.systemPackages = with pkgs; [
+ kubectl
+ k9s
+ helm
+ ];
+
+ programs.neovim = {
+ enable = true;
+ defaultEditor = true;
+ };
+}
diff --git a/nix/user.nix b/nix/user.nix
new file mode 100644
index 0000000..37b71a8
--- /dev/null
+++ b/nix/user.nix
@@ -0,0 +1,17 @@
+{ ... }:
+
+{
+ users = {
+ users.profidev = {
+ isNormalUser = true;
+ extraGroups = [ "wheel" ];
+
+ initialHashedPassword = "$y$j9T$egeObugZWCSrOzz6o8FUQ.$Xdxwp/BhUwGmgz.yfzKtJrRBe2.KtrGAVjVsmDEx6y2"; # Password.123
+ openssh.authorizedKeys.keys = [
+ "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBz5wvNTdRAnh/sHFKlanUuY0n6+fLeNkzjtNTRguBdI profidev@laptop"
+ ];
+ };
+
+ mutableUsers = false;
+ };
+}
diff --git a/terraform/rke2/.terraform.lock.hcl b/terraform/rke2/.terraform.lock.hcl
deleted file mode 100644
index 81abfb8..0000000
--- a/terraform/rke2/.terraform.lock.hcl
+++ /dev/null
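Review bot: `PasswordAuthentication = false` on its own does not make sshd key-only on NixOS, because `services.openssh.settings.KbdInteractiveAuthentication` defaults to `true` and the PAM keyboard-interactive path still accepts the account password. Add `KbdInteractiveAuthentication = false;` beside it so the intent of the block actually holds. This matters more than usual here because the account password is a known value (see the user.nix hunk in this same patch).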
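Review bot: `initialHashedPassword` is committed together with its plaintext in the trailing comment `# Password.123`, so the repository itself hands out a working password for a `wheel` (sudo) account, and with `mutableUsers = false` it cannot be changed on the host; the identical line is later attached to `root` in the user.nix hunk of PATCH 13. Since sops-nix is already a flake input, load the hash from a secret instead, e.g. `hashedPasswordFile = config.sops.secrets."profidev-password".path;` with `neededForUsers = true` on that secret (the module would take `config` in its argument set), and treat the exposed password as burned even after the line is removed, because it stays in history.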
@@ -1,105 +0,0 @@ -# This file is maintained automatically by "terraform init". -# Manual edits may be lost in future updates. - -provider "registry.terraform.io/hashicorp/local" { - version = "2.5.3" - constraints = ">= 2.4.0" - hashes = [ - "h1:1Nkh16jQJMp0EuDmvP/96f5Unnir0z12WyDuoR6HjMo=", - "zh:284d4b5b572eacd456e605e94372f740f6de27b71b4e1fd49b63745d8ecd4927", - "zh:40d9dfc9c549e406b5aab73c023aa485633c1b6b730c933d7bcc2fa67fd1ae6e", - "zh:6243509bb208656eb9dc17d3c525c89acdd27f08def427a0dce22d5db90a4c8b", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:885d85869f927853b6fe330e235cd03c337ac3b933b0d9ae827ec32fa1fdcdbf", - "zh:bab66af51039bdfcccf85b25fe562cbba2f54f6b3812202f4873ade834ec201d", - "zh:c505ff1bf9442a889ac7dca3ac05a8ee6f852e0118dd9a61796a2f6ff4837f09", - "zh:d36c0b5770841ddb6eaf0499ba3de48e5d4fc99f4829b6ab66b0fab59b1aaf4f", - "zh:ddb6a407c7f3ec63efb4dad5f948b54f7f4434ee1a2607a49680d494b1776fe1", - "zh:e0dafdd4500bec23d3ff221e3a9b60621c5273e5df867bc59ef6b7e41f5c91f6", - "zh:ece8742fd2882a8fc9d6efd20e2590010d43db386b920b2a9c220cfecc18de47", - "zh:f4c6b3eb8f39105004cf720e202f04f57e3578441cfb76ca27611139bc116a82", - ] -} - -provider "registry.terraform.io/hashicorp/null" { - version = "3.2.4" - constraints = ">= 3.2.0" - hashes = [ - "h1:hkf5w5B6q8e2A42ND2CjAvgvSN3puAosDmOJb3zCVQM=", - "zh:59f6b52ab4ff35739647f9509ee6d93d7c032985d9f8c6237d1f8a59471bbbe2", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:795c897119ff082133150121d39ff26cb5f89a730a2c8c26f3a9c1abf81a9c43", - "zh:7b9c7b16f118fbc2b05a983817b8ce2f86df125857966ad356353baf4bff5c0a", - "zh:85e33ab43e0e1726e5f97a874b8e24820b6565ff8076523cc2922ba671492991", - "zh:9d32ac3619cfc93eb3c4f423492a8e0f79db05fec58e449dee9b2d5873d5f69f", - "zh:9e15c3c9dd8e0d1e3731841d44c34571b6c97f5b95e8296a45318b94e5287a6e", - "zh:b4c2ab35d1b7696c30b64bf2c0f3a62329107bd1a9121ce70683dec58af19615", - "zh:c43723e8cc65bcdf5e0c92581dcbbdcbdcf18b8d2037406a5f2033b1e22de442", 
- "zh:ceb5495d9c31bfb299d246ab333f08c7fb0d67a4f82681fbf47f2a21c3e11ab5", - "zh:e171026b3659305c558d9804062762d168f50ba02b88b231d20ec99578a6233f", - "zh:ed0fe2acdb61330b01841fa790be00ec6beaac91d41f311fb8254f74eb6a711f", - ] -} - -provider "registry.terraform.io/hashicorp/random" { - version = "3.7.2" - constraints = ">= 3.5.1" - hashes = [ - "h1:356j/3XnXEKr9nyicLUufzoF4Yr6hRy481KIxRVpK0c=", - "zh:14829603a32e4bc4d05062f059e545a91e27ff033756b48afbae6b3c835f508f", - "zh:1527fb07d9fea400d70e9e6eb4a2b918d5060d604749b6f1c361518e7da546dc", - "zh:1e86bcd7ebec85ba336b423ba1db046aeaa3c0e5f921039b3f1a6fc2f978feab", - "zh:24536dec8bde66753f4b4030b8f3ef43c196d69cccbea1c382d01b222478c7a3", - "zh:29f1786486759fad9b0ce4fdfbbfece9343ad47cd50119045075e05afe49d212", - "zh:4d701e978c2dd8604ba1ce962b047607701e65c078cb22e97171513e9e57491f", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:7b8434212eef0f8c83f5a90c6d76feaf850f6502b61b53c329e85b3b281cba34", - "zh:ac8a23c212258b7976e1621275e3af7099e7e4a3d4478cf8d5d2a27f3bc3e967", - "zh:b516ca74431f3df4c6cf90ddcdb4042c626e026317a33c53f0b445a3d93b720d", - "zh:dc76e4326aec2490c1600d6871a95e78f9050f9ce427c71707ea412a2f2f1a62", - "zh:eac7b63e86c749c7d48f527671c7aee5b4e26c10be6ad7232d6860167f99dbb0", - ] -} - -provider "registry.terraform.io/hashicorp/time" { - version = "0.13.1" - constraints = ">= 0.12.0" - hashes = [ - "h1:+W+DMrVoVnoXo3f3M4W+OpZbkCrUn6PnqDF33D2Cuf0=", - "zh:02cb9aab1002f0f2a94a4f85acec8893297dc75915f7404c165983f720a54b74", - "zh:04429b2b31a492d19e5ecf999b116d396dac0b24bba0d0fb19ecaefe193fdb8f", - "zh:26f8e51bb7c275c404ba6028c1b530312066009194db721a8427a7bc5cdbc83a", - "zh:772ff8dbdbef968651ab3ae76d04afd355c32f8a868d03244db3f8496e462690", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:898db5d2b6bd6ca5457dccb52eedbc7c5b1a71e4a4658381bcbb38cedbbda328", - "zh:8de913bf09a3fa7bedc29fec18c47c571d0c7a3d0644322c46f3aa648cf30cd8", - 
"zh:9402102c86a87bdfe7e501ffbb9c685c32bbcefcfcf897fd7d53df414c36877b", - "zh:b18b9bb1726bb8cfbefc0a29cf3657c82578001f514bcf4c079839b6776c47f0", - "zh:b9d31fdc4faecb909d7c5ce41d2479dd0536862a963df434be4b16e8e4edc94d", - "zh:c951e9f39cca3446c060bd63933ebb89cedde9523904813973fbc3d11863ba75", - "zh:e5b773c0d07e962291be0e9b413c7a22c044b8c7b58c76e8aa91d1659990dfb5", - ] -} - -provider "registry.terraform.io/integrations/github" { - version = "6.7.0" - constraints = ">= 5.32.0" - hashes = [ - "h1:644OkjJEt+cYgdurcYkS6uVk39DoShWil47vXRAz6gc=", - "zh:0d3d2ebfffce6d7c9d1a365a8fd136872f63ca6dcb3db8b9a9ad4e81a5b69fa7", - "zh:198ffb855d367a3d2371c2152dc80f977a4a880d5ce49747f9290c6ca411f1bc", - "zh:350c0e996e1650036beaaf2d3e063cb1e8d1693e7fcf7754df6e7453b49c089f", - "zh:544bb0ba8203d7caa688d46cb926e12142356236ab29b21afc54eb02652852c7", - "zh:8698340cd268e271f68cfb757d40b4a41efc1399deb7232ba2842c9d4c6ba6cd", - "zh:95d9da04a3a9f81edd1f3354ba98f2a39a17b7fd6ddf7671a7dcd6d422108d24", - "zh:9bd1e6e2930f9fa596a0498b79b33cf369211b4252bd88e7f2cb703fbcdb7051", - "zh:a1b9dbdc975743d95545bdeebb33c84963437b02f16a4ba52868a8a0ebe94763", - "zh:acbdb49609b17be783bec8069a833747bb03eb19b0cb0877bcbd4783bbf855ce", - "zh:ae23023b3f65cfcbd3d0291baf9215ab055a3b48f0d9a4a7c1b09ec4e56553d5", - "zh:c8fbd050b94f80cd69c3e331546a411611eef4f29b97fcb50b886de375f25cd9", - "zh:ce2832f39173e5f2906a8ab8822ec320085512381693bef2ba6ca8c6969e6085", - "zh:d15357ec50598afe3ae1e3c013f063a8bb9a86bc2e2f6d5bf2abee231b1aaeaa", - "zh:e77878043cfa9cdbf1e33b7f60a0b2d193dfe37a85da6b3fdfd4f95a6ff27255", - "zh:fbd1fee2c9df3aa19cf8851ce134dea6e45ea01cb85695c1726670c285797e25", - ] -} diff --git a/terraform/rke2/data/pss-custom.yaml b/terraform/rke2/data/pss-custom.yaml deleted file mode 100644 index 97f946d..0000000 --- a/terraform/rke2/data/pss-custom.yaml +++ /dev/null 
@@ -1,14 +0,0 @@
-apiVersion: apiserver.config.k8s.io/v1
-kind: AdmissionConfiguration
-plugins:
- - name: PodSecurity
- configuration:
- apiVersion: pod-security.admission.config.k8s.io/v1beta1
- kind: PodSecurityConfiguration
- defaults:
- enforce: "privileged"
- enforce-version: "latest"
- exemptions:
- usernames: []
- runtimeClasses: []
- namespaces: []
diff --git a/terraform/rke2/inputs.tf b/terraform/rke2/inputs.tf
deleted file mode 100644
index 04b4a81..0000000
--- a/terraform/rke2/inputs.tf
+++ /dev/null
@@ -1,19 +0,0 @@
-variable "ssh_user" {
- description = "SSH user for the nodes"
- type = string
-}
-
-variable "ssh_ip" {
- description = "SSH IP address of the node"
- type = string
-}
-
-variable "rke2_id" {
- description = "RKE2 node identifier"
- type = string
-}
-
-variable "ssh_user_pw" {
- description = "SSH password for the nodes"
- type = string
-}
diff --git a/terraform/rke2/main.tf b/terraform/rke2/main.tf
deleted file mode 100644
index bf553d2..0000000
--- a/terraform/rke2/main.tf
+++ /dev/null
@@ -1,97 +0,0 @@
-locals {
- local_file_path = "${path.root}/data"
- sudoers_file = "/etc/sudoers.d/temp_nopasswd"
-}
-
-resource "null_resource" "initial-setup" {
- connection {
- type = "ssh"
- agent = true
- user = var.ssh_user
- host = var.ssh_ip
- }
- provisioner "remote-exec" {
- inline = [<<-EOT
- #!/bin/bash
- set -x
- set -e
- # disable sudo password prompt for ssh user
- sudo -k && echo -e '${var.ssh_user_pw}\n${var.ssh_user} ALL=(ALL) NOPASSWD: ALL' | sudo -S tee ${local.sudoers_file} > /dev/null 2>&1
-
- # install dependencies
- sudo apt-get update && sudo apt-get upgrade -y
- sudo apt-get install -y curl iptables
- EOT
- ]
- }
-}
-
-module "download" {
- source = "rancher/rke2-download/github"
- version = "1.0.0"
- path = local.local_file_path
-}
-
-
-module "config" {
- depends_on = [module.download]
-
- source = "rancher/rke2-config/local"
- version = "1.0.0"
- local_file_path = local.local_file_path
-
- cni = ["calico"]
- profile = "cis"
- etcd-expose-metrics = true
- kube-controller-manager-arg = [
- "bind-address=0.0.0.0"
- ]
- kube-scheduler-arg = [
- "bind-address=0.0.0.0"
- ]
- kube-proxy-arg = [
- "metrics-bind-address=0.0.0.0"
- ]
- pod-security-admission-config-file = "/etc/rancher/rke2/config.yaml.d/pss-custom.yaml"
-}
-
-module "rke2-install" {
- depends_on = [module.download, module.config, null_resource.initial-setup]
-
- source = "rancher/rke2-install/null"
- version = "1.3.2"
-
- ssh_user = var.ssh_user
- ssh_ip = var.ssh_ip
- release = "stable"
- local_file_path = local.local_file_path
- identifier = var.rke2_id
- remote_workspace = "/home/${var.ssh_user}"
- retrieve_kubeconfig = true
- server_prep_script = <<-EOT
- sudo cp -f /usr/local/share/rke2/rke2-cis-sysctl.conf /etc/sysctl.d/60-rke2-cis.conf
- sudo systemctl restart systemd-sysctl
- sudo sysctl -p /usr/local/share/rke2/rke2-cis-sysctl.conf
- sudo useradd -r -c "etcd user" -s /sbin/nologin -M etcd -U
- EOT
-}
-
-resource "null_resource" "disable-password-less-sudo" {
- depends_on = [module.rke2-install]
-
- connection {
- type = "ssh"
- agent = true
- user = var.ssh_user
- host = var.ssh_ip
- }
- provisioner "remote-exec" {
- inline = [<<-EOT
- set -x
- set -e
- # re-enable sudo password prompt for ssh user
- sudo rm -f ${local.sudoers_file}
- EOT
- ]
- }
-}
diff --git a/terraform/rke2/versions.tf b/terraform/rke2/versions.tf
deleted file mode 100644
index f847bb0..0000000
--- a/terraform/rke2/versions.tf
+++ /dev/null
@@ -1,3 +0,0 @@
-terraform {
- required_version = ">=1.13"
-}
From 59c4cf1b0f7b156b084f1c6b90584e35512df097 Mon Sep 17 00:00:00 2001
From: ProfiiDev <92174452+Profiidev@users.noreply.github.com>
Date: Sat, 22 Nov 2025 15:34:20 +0100
Subject: [PATCH 13/43] feat: add missing tools to nixos config
---
 justfile | 14 ++++-
 nix/config.nix | 1 +
 nix/flake.lock | 6 +-
 nix/services.nix | 2 +-
 nix/starship.nix | 158 +++++++++++++++++++++++++++++++++++++++++++++++
 nix/tools.nix | 2 +
 nix/user.nix | 40 ++++++++++-
 7 files changed, 213 insertions(+), 10 deletions(-)
 create mode 100644 nix/starship.nix
diff --git a/justfile b/justfile
index 101da70..a8df4a5 100644
--- a/justfile
+++ b/justfile
@@ -2,6 +2,7 @@ pwd := source_dir()
 config_path := "terraform"
 vars_path := pwd + "/vars.tfvars"
 kubeconfig_path := pwd + "/terraform/rke2/data/kubeconfig"
+nix_path := pwd + "/nix"
 export KUBECONFIG := kubeconfig_path
@@ -15,4 +16,15 @@ destroy CONFIG: terraform -chdir={{config_path}}/{{CONFIG}} destroy -var-file={{vars_path}} plan CONFIG: - terraform -chdir={{config_path}}/{{CONFIG}} plan -var-file={{vars_path}} \ No newline at end of file + terraform -chdir={{config_path}}/{{CONFIG}} plan -var-file={{vars_path}} + +install CONFIG IP USER="root": + nix run github:nix-community/nixos-anywhere -- \ + --flake {{nix_path}}#{{CONFIG}} \ + --target-host {{USER}}@{{IP}} \ + --build-on remote + +rebuild CONFIG IP USER="root": + nixos-rebuild switch --flake {{nix_path}}#{{CONFIG}} \ + --target-host {{USER}}@{{IP}} \ + --build-host {{USER}}@{{IP}} diff --git a/nix/config.nix b/nix/config.nix index 8a80735..d4b05b9 100644 --- a/nix/config.nix +++ b/nix/config.nix @@ -20,6 +20,7 @@ ./nix.nix ./rke2.nix ./services.nix + ./starship.nix ./tools.nix ./user.nix diff --git a/nix/flake.lock b/nix/flake.lock index fe6293e..06b1d09 100644 --- a/nix/flake.lock +++ b/nix/flake.lock @@ -23,11 +23,11 @@ "nix-config": { "flake": false, "locked": { - "lastModified": 1763745348, - "narHash": "sha256-FwxiYKQo6/mUG74x7GWizH8GlD9dt3Bf7JssbA6Z6EM=", + "lastModified": 1763821135, + "narHash": "sha256-8BaXmalRskJgpsVh/gIef1GXxpUeG3Z5huHesyiwOMQ=", "owner": "ProfiiDev", "repo": "nix", - "rev": "e29e68aa162018e143eb866bc5cd4fe967ffca0a", + "rev": "294da482461b59a64611efe559ffa61b99ce225d", "type": "github" }, "original": { diff --git a/nix/services.nix b/nix/services.nix index 73b3556..80e0a47 100644 --- a/nix/services.nix +++ b/nix/services.nix @@ -13,7 +13,7 @@ enable = true; openFirewall = true; settings = { - PermitRootLogin = "no"; + PermitRootLogin = "prohibit-password"; PasswordAuthentication = false; }; }; diff --git a/nix/starship.nix b/nix/starship.nix new file mode 100644 index 0000000..6f135e0 --- /dev/null +++ b/nix/starship.nix 
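Review bot: The `install` recipe runs `nix run github:nix-community/nixos-anywhere` with no rev or lock, so the tool that gets root on a fresh machine is whatever that branch resolves to at invocation time, unlike everything else in `nix/` which is pinned by `flake.lock`. Pin it, either by adding nixos-anywhere as a flake input and invoking `nix run {{nix_path}}#nixos-anywhere`, or at minimum by naming a tag or commit in the `github:` ref, e.g. `nix run github:nix-community/nixos-anywhere/<PINNED_REV> -- \` (placeholder rev). The same applies to the `rebuild` recipe only insofar as it trusts the remote to build; a short comment stating that `--build-host` means the target evaluates the config would help the next reader.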
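Review bot: Changing `PermitRootLogin` to `"prohibit-password"` while the laptop key is moved onto `root` (user.nix hunk in this patch) makes root the everyday login account, so the per-user trail that `sudo` would leave in the journal disappears and a leaked key is a direct root credential on all three nodes. If this is only to satisfy `nixos-anywhere` and `nixos-rebuild --target-host root@…`, keep the unprivileged wheel user for interactive access and record the reason in a comment beside the setting, e.g. `# key-only root login: required by nixos-anywhere / nixos-rebuild --target-host`; fail2ban (added later in this series) does not change this trade-off.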
@@ -0,0 +1,158 @@ +{ ... }: + +{ + programs.starship = { + enable = true; + + settings = builtins.fromTOML '' + ## FIRST LINE/ROW: Info & Status + # First param \u2500\u250c + [username] + format = " [\u256d\u2500$user]($style)@" + show_always = true + style_root = "bold red" + style_user = "bold red" + + # Second param + [hostname] + disabled = false + format = "[$hostname]($style) in " + ssh_only = false + style = "bold dimmed red" + trim_at = "-" + + # Third param + [directory] + style = "purple" + truncate_to_repo = true + truncation_length = 0 + truncation_symbol = "repo: " + + # Fourth param + [sudo] + #disabled = false + disabled = true + format = "[$symbol]($style)" + + # Before all the version info (python, nodejs, php, etc.) + [git_status] + ahead = "\u21e1''${count}" + behind = "\u21e3''${count}" + deleted = "x" + diverged = "\u21d5\u21e1''${ahead_count}\u21e3''${behind_count}" + style = "white" + + # Last param in the first line/row + [cmd_duration] + disabled = false + format = "took [$duration]($style)" + min_time = 1 + + ## SECOND LINE/ROW: Prompt + # Somethere at the beginning + [battery] + charging_symbol = "\uf583" + disabled = true + discharging_symbol = "\uf582" + full_symbol = "\uf578" + + [[battery.display]] # "bold red" style when capacity is between 0% and 15% + disabled = false + style = "bold red" + threshold = 15 + + [[battery.display]] # "bold yellow" style when capacity is between 15% and 50% + disabled = true + style = "bold yellow" + threshold = 50 + + [[battery.display]] # "bold green" style when capacity is between 50% and 80% + disabled = true + style = "bold green" + threshold = 80 + + # Prompt: optional param 1 + [time] + disabled = true + format = " \U0001f559 $time($style)\n" + style = "bright-white" + time_format = "%T" + + # Prompt: param 2 + [character] + error_symbol = " [�](bold red)" + success_symbol = " [\u2570\u2500\u03bb](bold red)" + + # SYMBOLS + [status] + disabled = false + format = 
'[\[$symbol$status_common_meaning$status_signal_name$status_maybe_int\]]($style)' + map_symbol = true + pipestatus = true + symbol = "\U0001f534" + + [aws] + symbol = "\ue33d " + + [conda] + symbol = "\uf10c " + + [dart] + symbol = "\ue798 " + + [docker_context] + symbol = "\uf308 " + + [elixir] + symbol = "\ue275 " + + [elm] + symbol = "\ue62c " + + [git_branch] + symbol = "\uf418 " + + [golang] + symbol = "\ue627 " + + [hg_branch] + symbol = "\uf418 " + + [java] + symbol = "\ue256 " + + [julia] + symbol = "\ue624 " + + [nim] + symbol = "\uf6a4 " + + [nix_shell] + symbol = "\uf2dc " + + [nodejs] + symbol = "\ue24f " + + [package] + symbol = "\uf8d6 " + + [perl] + symbol = "\ue769 " + + [php] + symbol = "\ue608 " + + [python] + symbol = "\ue606 " + + [ruby] + symbol = "\ue23e " + + [rust] + symbol = "\ue7a8 " + + [swift] + symbol = "\ufbe3 " + ''; + }; +} diff --git a/nix/tools.nix b/nix/tools.nix index e51a9f2..d966bc0 100644 --- a/nix/tools.nix +++ b/nix/tools.nix @@ -5,6 +5,8 @@ kubectl k9s helm + btop + fastfetch ]; programs.neovim = { diff --git a/nix/user.nix b/nix/user.nix index 37b71a8..3c5c038 100644 --- a/nix/user.nix +++ b/nix/user.nix 
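Review bot: `error_symbol = " [�](bold red)"` contains U+FFFD, the Unicode replacement character, which almost certainly means the intended glyph was lost in an encoding step rather than chosen on purpose; every neighbouring symbol in this TOML is spelled as a `\u`/`\U` escape, so write this one the same way once the intended code point is known. Since the string is evaluated by `builtins.fromTOML` at build time, the mangled byte will otherwise ship into every node's prompt configuration unnoticed.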
@@ -1,17 +1,47 @@
-{ ... }:
+{ pkgs, lib, ... }:
 {
 users = {
- users.profidev = {
- isNormalUser = true;
- extraGroups = [ "wheel" ];
-
+ users.root = {
 initialHashedPassword = "$y$j9T$egeObugZWCSrOzz6o8FUQ.$Xdxwp/BhUwGmgz.yfzKtJrRBe2.KtrGAVjVsmDEx6y2"; # Password.123
 openssh.authorizedKeys.keys = [
 "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIBz5wvNTdRAnh/sHFKlanUuY0n6+fLeNkzjtNTRguBdI profidev@laptop"
 ];
+
+ shell = lib.mkForce pkgs.fish;
 };
 mutableUsers = false;
 };
+
+ programs.fish = {
+ enable = true;
+ generateCompletions = true;
+
+ shellInit = ''
+ set fish_greeting
+ set -U fish_color_command blue
+ '';
+
+ interactiveShellInit = ''
+ starship init fish | source
+ fastfetch
+ '';
+
+ shellAliases = {
+ nix-shell = "nix-shell --run fish";
+ k = "kubectl";
+ ls = "eza";
+ };
+
+ shellAbbrs = {
+ l = "eza -l -a --icons --group-directories-first";
+ rmf = "rm -rf";
+ clr = "clear";
+ k9s = "k9s -c ctx";
+ n = "nvim";
+ };
+ };
+
+ documentation.man.generateCaches = lib.mkForce false;
 }
From 2d5ace00b1dc744f6732b8d3526ca2f05e721d9b Mon Sep 17 00:00:00 2001
From: ProfiiDev <92174452+Profiidev@users.noreply.github.com>
Date: Sat, 22 Nov 2025 16:55:28 +0100
Subject: [PATCH 14/43] fix: firewall k8s api
---
 .envrc | 5 +--
 .gitignore | 8 ++--
 devenv.lock | 103 -------------------------------------------
 devenv.nix | 6 ---
 justfile | 6 ++-
 nix/rke2.nix | 1 +
 nix/services.nix | 8 +++-
 terraform/README.md | 7 ++-
 8 files changed, 21 insertions(+), 123 deletions(-)
 delete mode 100644 devenv.lock
 delete mode 100644 devenv.nix
diff --git a/.envrc b/.envrc
index cfe337f..25c5f83 100644
--- a/.envrc
+++ b/.envrc
@@ -1,3 +1,2 @@
-export DIRENV_WARN_TIMEOUT=20s
-eval "$(devenv direnvrc)"
-use devenv
\ No newline at end of file
+export KUBECONFIG="$PWD/kubeconfig"
+export KUBE_CONFIG_PATH=$KUBECONFIG
\ No newline at end of file
diff --git a/.gitignore b/.gitignore
index 9119390..9474dde 100644
--- a/.gitignore
+++ b/.gitignore
@@ -4,9 +4,7 @@
 *.lock.info
 *.tfvars
-# Devenv
-.devenv*
-devenv.local.nix
-
 # direnv
-.direnv
\ No newline at end of file
+.direnv
+
+/kubeconfig
\ No newline at end of file
diff --git a/devenv.lock b/devenv.lock
deleted file mode 100644
index 4e1538c..0000000
--- a/devenv.lock
+++ /dev/null
@@ -1,103 +0,0 @@ -{ - "nodes": { - "devenv": { - "locked": { - "dir": "src/modules", - "lastModified": 1761583935, - "owner": "cachix", - "repo": "devenv", - "rev": "b7e3b2aeb90ce37517fb8da09ceff8ab587a9fcf", - "type": "github" - }, - "original": { - "dir": "src/modules", - "owner": "cachix", - "repo": "devenv", - "type": "github" - } - }, - "flake-compat": { - "flake": false, - "locked": { - "lastModified": 1761588595, - "owner": "edolstra", - "repo": "flake-compat", - "rev": "f387cd2afec9419c8ee37694406ca490c3f34ee5", - "type": "github" - }, - "original": { - "owner": "edolstra", - "repo": "flake-compat", - "type": "github" - } - }, - "git-hooks": { - "inputs": { - "flake-compat": "flake-compat", - "gitignore": "gitignore", - "nixpkgs": [ - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1760663237, - "owner": "cachix", - "repo": "git-hooks.nix", - "rev": "ca5b894d3e3e151ffc1db040b6ce4dcc75d31c37", - "type": "github" - }, - "original": { - "owner": "cachix", - "repo": "git-hooks.nix", - "type": "github" - } - }, - "gitignore": { - "inputs": { - "nixpkgs": [ - "git-hooks", - "nixpkgs" - ] - }, - "locked": { - "lastModified": 1709087332, - "owner": "hercules-ci", - "repo": "gitignore.nix", - "rev": "637db329424fd7e46cf4185293b9cc8c88c95394", - "type": "github" - }, - "original": { - "owner": "hercules-ci", - "repo": "gitignore.nix", - "type": "github" - } - }, - "nixpkgs": { - "locked": { - "lastModified": 1761313199, - "owner": "cachix", - "repo": "devenv-nixpkgs", - "rev": "d1c30452ebecfc55185ae6d1c983c09da0c274ff", - "type": "github" - }, - "original": { - "owner": "cachix", - "ref": "rolling", - "repo": "devenv-nixpkgs", - "type": "github" - } - }, - "root": { - "inputs": { - "devenv": "devenv", - "git-hooks": "git-hooks", - "nixpkgs": "nixpkgs", - "pre-commit-hooks": [ - "git-hooks" - ] - } - } - }, - "root": "root", - "version": 7 -} diff --git a/devenv.nix b/devenv.nix deleted file mode 100644 index cc9e2fe..0000000 --- a/devenv.nix +++ /dev/null 
@@ -1,6 +0,0 @@
-{
- enterShell = ''
- export KUBECONFIG="$DEVENV_ROOT/terraform/rke2/data/kubeconfig"
- export KUBE_CONFIG_PATH=$KUBECONFIG
- '';
-}
diff --git a/justfile b/justfile
index a8df4a5..2cc4891 100644
--- a/justfile
+++ b/justfile
@@ -1,7 +1,7 @@
 pwd := source_dir()
 config_path := "terraform"
 vars_path := pwd + "/vars.tfvars"
-kubeconfig_path := pwd + "/terraform/rke2/data/kubeconfig"
+kubeconfig_path := pwd + "/kubeconfig"
 nix_path := pwd + "/nix"
 export KUBECONFIG := kubeconfig_path
@@ -28,3 +28,7 @@ rebuild CONFIG IP USER="root":
 nixos-rebuild switch --flake {{nix_path}}#{{CONFIG}} \
 --target-host {{USER}}@{{IP}} \
 --build-host {{USER}}@{{IP}}
+
+copy-kubeconfig IP USER="root":
+ scp {{USER}}@{{IP}}:/etc/rancher/rke2/rke2.yaml {{kubeconfig_path}}
+ sed -i 's/127.0.0.1/{{IP}}/g' {{kubeconfig_path}}
diff --git a/nix/rke2.nix b/nix/rke2.nix
index a631a8b..79ca9d2 100644
--- a/nix/rke2.nix
+++ b/nix/rke2.nix
@@ -31,6 +31,7 @@ let
 - metrics-bind-address=0.0.0.0
 kubelet-arg:
 - max-pods=200
+ ingress-controller: traefik
 '';
 in
diff --git a/nix/services.nix b/nix/services.nix
index 80e0a47..86ad763 100644
--- a/nix/services.nix
+++ b/nix/services.nix
@@ -6,7 +6,13 @@
 networking.hostName = host;
 networking.networkmanager.enable = true;
- networking.firewall.enable = true;
+
+ networking.firewall = {
+ enable = true;
+ allowedTCPPorts = [
+ 6443 # Kubernetes API server
+ ];
+ };
 services.timesyncd.enable = true;
 services.openssh = {
diff --git a/terraform/README.md b/terraform/README.md
index 8cc77e4..42deed3 100644
--- a/terraform/README.md
+++ b/terraform/README.md
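Review bot: `copy-kubeconfig` pulls `/etc/rancher/rke2/rke2.yaml`, which is the cluster-admin credential, and leaves it at `{{kubeconfig_path}}` with whatever mode `scp` creates under the local umask (commonly 0644), so other local accounts can read it; add `chmod 600 {{kubeconfig_path}}` after the `scp` line. The `sed` rewrite of `127.0.0.1` also presumes the API server certificate lists `{{IP}}` as a SAN, which RKE2 does for the node's own addresses as far as I know but not for an address reached through NAT or a load balancer; if `IP` can differ from the node address, set `tls-san` in the rke2 `config.yaml` rather than relying on the rewrite.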
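Review bot: Opening `6443` in `allowedTCPPorts` exposes the Kubernetes API on every interface of the node, leaving API-server authentication as the only gate; the fail2ban added later in this series does not watch that port. If the API only needs to be reachable from the admin host and the other nodes, narrow it with `networking.firewall.extraCommands` (an `iptables -A nixos-fw -p tcp --dport 6443 -s <ADMIN_CIDR> -j nixos-fw-accept` rule, CIDR as a placeholder) instead of the blanket allow, and extend the `# Kubernetes API server` comment with the intended audience so the rule is not widened by accident. Note that rke2's supervisor port is not opened here, which is consistent with single-server use but worth stating if `node2`/`node3` are meant to join.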
@@ -2,10 +2,9 @@
 ## Initial deployment order
-1. rke2: Deploy RKE2 Kubernetes cluster on the target machine.
-2. crd: Install Custom Resource Definitions (CRDs) and monitoring tools.
-3. storage: Set up storage solutions required for the cluster. (add cloudflare cert to vault)
-4. network: Configure networking components and services.
+1. crd: Install Custom Resource Definitions (CRDs) and monitoring tools.
+2. storage: Set up storage solutions required for the cluster. (add cloudflare cert to vault)
+3. network: Configure networking components and services.
 ## Required secrets in Vault
From 138d053fac8d824f4df088749bb1bad075a02f2b Mon Sep 17 00:00:00 2001
From: ProfiiDev <92174452+Profiidev@users.noreply.github.com>
Date: Sat, 22 Nov 2025 19:32:16 +0100
Subject: [PATCH 15/43] refactor: moved to traefik
---
 justfile | 2 +-
 nix/rke2.nix | 5 +
 nix/services.nix | 2 +
 terraform/README.md | 6 -
 terraform/crd/default-deny.tf | 2 +-
 terraform/crd/main.tf | 5 +
 terraform/network/.terraform.lock.hcl | 19 +++
 terraform/network/crowd-sec.tf | 9 ++
 terraform/network/ingress-nginx.tf | 133 ------------------
 terraform/network/main.tf | 5 +
 .../network/templates/crowdsec.values.tftpl | 8 +-
 terraform/network/traefik.tf | 47 +++++++
 terraform/storage/main.tf | 5 +
 13 files changed, 104 insertions(+), 144 deletions(-)
 delete mode 100644 terraform/network/ingress-nginx.tf
 create mode 100644 terraform/network/traefik.tf
diff --git a/justfile b/justfile
index 2cc4891..a6af722 100644
--- a/justfile
+++ b/justfile
@@ -1,5 +1,5 @@
 pwd := source_dir()
-config_path := "terraform"
+config_path := pwd + "/terraform"
 vars_path := pwd + "/vars.tfvars"
 kubeconfig_path := pwd + "/kubeconfig"
 nix_path := pwd + "/nix"
diff --git a/nix/rke2.nix b/nix/rke2.nix
index 79ca9d2..cfabada 100644
--- a/nix/rke2.nix
+++ b/nix/rke2.nix
@@ -35,6 +35,11 @@ let
 '';
 in
 {
+ services.openiscsi = {
+ enable = true;
+ name = "iqn.2020-08.org.linux-iscsi.initiatorhost:example";
+ };
+
 services.rke2 = {
 enable = true;
diff --git a/nix/services.nix b/nix/services.nix
index 86ad763..edba746 100644
--- a/nix/services.nix
+++ b/nix/services.nix
@@ -24,6 +24,8 @@
 };
 };
+ services.fail2ban.enable = true;
+
 services.btrfs.autoScrub = {
 enable = true;
 interval = "weekly";
diff --git a/terraform/README.md b/terraform/README.md
index 42deed3..78ae934 100644
--- a/terraform/README.md
+++ b/terraform/README.md
@@ -26,12 +26,6 @@ certs/crowdsec:
 - API_KEY:
-certs/nginx:
-
-- API_KEY:
-- CAPTCHA_KEY:
-- CAPTCHA_SITE_KEY:
-
 db/minio_config:
 - config.env:
diff --git a/terraform/crd/default-deny.tf b/terraform/crd/default-deny.tf
index c9c9a0c..177ae47 100644
--- a/terraform/crd/default-deny.tf
+++ b/terraform/crd/default-deny.tf
@@ -39,7 +39,7 @@ spec:
 - 10.0.0.0/8
 - 172.16.0.0/12
 - 192.168.0.0/16
-ingress:
+ ingress:
 # allow all pods to communicate within private IP ranges
 - action: Allow
 protocol: TCP
diff --git a/terraform/crd/main.tf b/terraform/crd/main.tf
index a7a1b35..755068e 100644
--- a/terraform/crd/main.tf
+++ b/terraform/crd/main.tf
@@ -15,4 +15,9 @@ terraform {
 version = "~> 1.0"
 }
 }
+
+ backend "kubernetes" {
+ namespace = "kube-system"
+ secret_suffix = "crd"
+ }
 }
diff --git a/terraform/network/.terraform.lock.hcl b/terraform/network/.terraform.lock.hcl
index fa9297c..4d0751f 100644
--- a/terraform/network/.terraform.lock.hcl
+++ b/terraform/network/.terraform.lock.hcl
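Review bot: `services.openiscsi.name` is set to the literal example initiator `iqn.2020-08.org.linux-iscsi.initiatorhost:example` in a module shared by `node1`, `node2` and `node3` (flake.nix), so every host would present the same IQN; the initiator name is how a target identifies a client, so duplicates across nodes are likely to collide with per-initiator ACLs and session handling on whatever storage backend this is for. Derive it per host the way services.nix already does with `host`: add `host` to this module's argument set and use `name = "iqn.2020-08.org.linux-iscsi.initiatorhost:${host}";`. The enclosing `let … in` and the `services.rke2` block continue outside the hunk.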
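Review bot: The new `backend "kubernetes"` block keeps Terraform state in a Secret in `kube-system`, and state carries every attribute Terraform manages, which in this tree includes generated passwords and rendered Helm values, so that Secret is as sensitive as the admin kubeconfig. A comment on the block would make that explicit for whoever sets up RBAC, e.g. `# state (incl. generated secrets) lives in a kube-system Secret named after secret_suffix; restrict read access`; the same applies to the `db` backend added in PATCH 16 and, per the diffstat, the `storage` one. Since the default-deny Calico policy in this same commit was previously mis-indented (`ingress:` at top level), it is worth a follow-up check that the policy now evaluates as intended rather than assuming the earlier apply succeeded.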
@@ -83,3 +83,22 @@ provider "registry.terraform.io/hashicorp/kubernetes" { "zh:faf23e45f0090eef8ba28a8aac7ec5d4fdf11a36c40a8d286304567d71c1e7db", ] } + +provider "registry.terraform.io/hashicorp/random" { + version = "3.7.2" + hashes = [ + "h1:356j/3XnXEKr9nyicLUufzoF4Yr6hRy481KIxRVpK0c=", + "zh:14829603a32e4bc4d05062f059e545a91e27ff033756b48afbae6b3c835f508f", + "zh:1527fb07d9fea400d70e9e6eb4a2b918d5060d604749b6f1c361518e7da546dc", + "zh:1e86bcd7ebec85ba336b423ba1db046aeaa3c0e5f921039b3f1a6fc2f978feab", + "zh:24536dec8bde66753f4b4030b8f3ef43c196d69cccbea1c382d01b222478c7a3", + "zh:29f1786486759fad9b0ce4fdfbbfece9343ad47cd50119045075e05afe49d212", + "zh:4d701e978c2dd8604ba1ce962b047607701e65c078cb22e97171513e9e57491f", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:7b8434212eef0f8c83f5a90c6d76feaf850f6502b61b53c329e85b3b281cba34", + "zh:ac8a23c212258b7976e1621275e3af7099e7e4a3d4478cf8d5d2a27f3bc3e967", + "zh:b516ca74431f3df4c6cf90ddcdb4042c626e026317a33c53f0b445a3d93b720d", + "zh:dc76e4326aec2490c1600d6871a95e78f9050f9ce427c71707ea412a2f2f1a62", + "zh:eac7b63e86c749c7d48f527671c7aee5b4e26c10be6ad7232d6860167f99dbb0", + ] +} diff --git a/terraform/network/crowd-sec.tf b/terraform/network/crowd-sec.tf index 69c42f2..33c364f 100644 --- a/terraform/network/crowd-sec.tf +++ b/terraform/network/crowd-sec.tf @@ -4,6 +4,14 @@ resource "kubernetes_namespace" "crowdsec" { } } +resource "random_password" "bouncer_key" { + min_lower = 1 + min_upper = 1 + min_numeric = 1 + min_special = 1 + length = 32 +} + resource "helm_release" "crowdsec" { name = "crowdsec" repository = "https://crowdsecurity.github.io/helm-charts" @@ -13,6 +21,7 @@ resource "helm_release" "crowdsec" { values = [ templatefile("${path.module}/templates/crowdsec.values.tftpl", { + traefik_bouncer_key = random_password.bouncer_key.result }) ] diff --git a/terraform/network/ingress-nginx.tf b/terraform/network/ingress-nginx.tf deleted file mode 100644 index dcd2246..0000000 
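Review bot: `random_password.bouncer_key.result` is passed through `templatefile` into the chart values, so beyond the Terraform state it is also stored in the Helm release Secret and shown by `helm get values`; that is the usual way to share a bouncer key, but a comment on the resource should say so, e.g. `# shared key between CrowdSec LAPI and the Traefik bouncer; copies live in tf state and the helm release secret`. With `min_special = 1` and the provider's default `override_special` set, the generated value can contain characters that need quoting in YAML; the template is not in this diff, so if `crowdsec.values.tftpl` interpolates the key unquoted, either quote it there or restrict `override_special` on this resource.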
--- a/terraform/network/ingress-nginx.tf +++ /dev/null @@ -1,133 +0,0 @@ -resource "kubectl_manifest" "ingress_nginx_config" { - yaml_body = < Date: Sat, 22 Nov 2025 19:58:44 +0100 Subject: [PATCH 16/43] fix: db tf script --- terraform/README.md | 5 + terraform/db/.terraform.lock.hcl | 19 -- terraform/db/main.tf | 5 + terraform/db/postgres.tf | 77 ++--- .../db/templates/postgres-ui.values.tftpl | 31 -- terraform/db/templates/postgres.values.tftpl | 18 +- terraform/db/variables.tf | 10 +- terraform/tools/stalwart.tf | 315 ------------------ .../tools/templates/vaultwarden.values.tftpl | 29 -- terraform/tools/vaultwarden.tf | 108 ------ terraform/utils/main.tf | 22 -- terraform/utils/variables.tf | 18 - 12 files changed, 58 insertions(+), 599 deletions(-) delete mode 100644 terraform/db/templates/postgres-ui.values.tftpl delete mode 100644 terraform/tools/stalwart.tf delete mode 100644 terraform/tools/templates/vaultwarden.values.tftpl delete mode 100644 terraform/tools/vaultwarden.tf delete mode 100644 terraform/utils/main.tf delete mode 100644 terraform/utils/variables.tf diff --git a/terraform/README.md b/terraform/README.md index 78ae934..fcdf425 100644 --- a/terraform/README.md +++ b/terraform/README.md @@ -40,3 +40,8 @@ db/couchdb: - erlang_cookie: - password: - username: + +db/postgres: + +- password: +- username: diff --git a/terraform/db/.terraform.lock.hcl b/terraform/db/.terraform.lock.hcl index f925dac..4d0751f 100644 --- a/terraform/db/.terraform.lock.hcl +++ b/terraform/db/.terraform.lock.hcl 
@@ -84,25 +84,6 @@ provider "registry.terraform.io/hashicorp/kubernetes" { ] } -provider "registry.terraform.io/hashicorp/null" { - version = "3.2.4" - hashes = [ - "h1:hkf5w5B6q8e2A42ND2CjAvgvSN3puAosDmOJb3zCVQM=", - "zh:59f6b52ab4ff35739647f9509ee6d93d7c032985d9f8c6237d1f8a59471bbbe2", - "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", - "zh:795c897119ff082133150121d39ff26cb5f89a730a2c8c26f3a9c1abf81a9c43", - "zh:7b9c7b16f118fbc2b05a983817b8ce2f86df125857966ad356353baf4bff5c0a", - "zh:85e33ab43e0e1726e5f97a874b8e24820b6565ff8076523cc2922ba671492991", - "zh:9d32ac3619cfc93eb3c4f423492a8e0f79db05fec58e449dee9b2d5873d5f69f", - "zh:9e15c3c9dd8e0d1e3731841d44c34571b6c97f5b95e8296a45318b94e5287a6e", - "zh:b4c2ab35d1b7696c30b64bf2c0f3a62329107bd1a9121ce70683dec58af19615", - "zh:c43723e8cc65bcdf5e0c92581dcbbdcbdcf18b8d2037406a5f2033b1e22de442", - "zh:ceb5495d9c31bfb299d246ab333f08c7fb0d67a4f82681fbf47f2a21c3e11ab5", - "zh:e171026b3659305c558d9804062762d168f50ba02b88b231d20ec99578a6233f", - "zh:ed0fe2acdb61330b01841fa790be00ec6beaac91d41f311fb8254f74eb6a711f", - ] -} - provider "registry.terraform.io/hashicorp/random" { version = "3.7.2" hashes = [ diff --git a/terraform/db/main.tf b/terraform/db/main.tf index 2c3fc28..fc842fd 100644 --- a/terraform/db/main.tf +++ b/terraform/db/main.tf @@ -19,4 +19,9 @@ terraform { version = "~> 2.0" } } + + backend "kubernetes" { + namespace = "kube-system" + secret_suffix = "db" + } } diff --git a/terraform/db/postgres.tf b/terraform/db/postgres.tf index d7f0d56..84c11bd 100644 --- a/terraform/db/postgres.tf +++ b/terraform/db/postgres.tf 
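Review bot: The new `backend "kubernetes"` block stores the entire state of the db stack, including any database credentials that pass through it, in a Secret in `kube-system` selected by `secret_suffix = "db"`, so every principal with `get`/`list` on Secrets in `kube-system` can read it. Confirm that RBAC on that namespace is limited to the identity running Terraform, or point the backend at a dedicated namespace. A comment on the block would make the trade-off explicit: `# state is kept in a kube-system Secret and contains plaintext credentials; restrict Secret read access accordingly`. The enclosing `terraform {` block starts outside the hunk.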
@@ -1,59 +1,40 @@ -resource "kubernetes_namespace" "everest_system" { +resource "kubernetes_namespace" "pg" { metadata { - name = var.everest_system_ns + name = var.pg_ns } } resource "helm_release" "postgres" { - name = "postgres-ui" - repository = "https://percona.github.io/percona-helm-charts" - chart = "everest" - version = "1.9.0" - namespace = var.everest_system_ns + name = "postgres" + repository = "oci://registry-1.docker.io/bitnamicharts" + chart = "postgresql" + version = "18.1.11" + namespace = var.pg_ns - values = [templatefile("${path.module}/templates/postgres-ui.values.tftpl", { - ingress_class = var.ingress_class - everest_system_ns = var.everest_system_ns - cloudflare_ca_cert_var = var.cloudflare_ca_cert_var - cloudflare_cert_var = var.cloudflare_cert_var + values = [templatefile("${path.module}/templates/postgres.values.tftpl", { })] - depends_on = [kubernetes_namespace.everest_system] + depends_on = [kubernetes_namespace.pg] } -module "everest_system_egress_np" { - source = "../modules/external-np" - - namespace = var.everest_system_ns - - depends_on = [kubernetes_namespace.everest_system] -} - -module "k8s_api_np_everest_system" { - source = "../modules/k8s-api-np" - - namespace = var.everest_system_ns - k8s_api = var.k8s_api - - depends_on = [kubernetes_namespace.everest_system] -} - -resource "null_resource" "wait_for_everest_ns" { - provisioner "local-exec" { - command = < Date: Sat, 22 Nov 2025 21:03:32 +0100 Subject: [PATCH 17/43] feat: added metrics tf script --- terraform/README.md | 15 ++ terraform/metrics/.terraform.lock.hcl | 104 ++++++++++ terraform/metrics/alert-bot.tf | 35 ++++ terraform/metrics/alloy.tf | 11 + .../auto-clean-bot.tf.} | 23 +-- terraform/metrics/grafana.tf | 15 ++ terraform/metrics/loki.tf | 11 + terraform/metrics/main.tf | 27 +++ terraform/metrics/mimir.tf | 12 ++ terraform/metrics/secret.tf | 19 ++ .../templates/alert-bot.values.tftpl | 0 .../templates/alloy.values.tftpl | 0 .../templates/grafana.values.tftpl | 0 
.../templates/loki.values.tftpl | 70 +------ .../templates/mimir.values.tftpl | 2 +- .../metrics/templates/tempo.values.tftpl | 30 +++ terraform/metrics/tempo.tf | 11 + terraform/metrics/variables.tf | 37 ++++ terraform/storage/certs/.gitignore | 3 +- terraform/storage/cluster-ca-cert.tf | 10 + terraform/tools/lgtm.tf | 191 ------------------ terraform/tools/templates/tempo.values.tftpl | 65 ------ 22 files changed, 349 insertions(+), 342 deletions(-) create mode 100644 terraform/metrics/.terraform.lock.hcl create mode 100644 terraform/metrics/alert-bot.tf create mode 100644 terraform/metrics/alloy.tf rename terraform/{tools/auto-clean-bot.tf => metrics/auto-clean-bot.tf.} (60%) create mode 100644 terraform/metrics/grafana.tf create mode 100644 terraform/metrics/loki.tf create mode 100644 terraform/metrics/main.tf create mode 100644 terraform/metrics/mimir.tf create mode 100644 terraform/metrics/secret.tf rename terraform/{tools => metrics}/templates/alert-bot.values.tftpl (100%) rename terraform/{tools => metrics}/templates/alloy.values.tftpl (100%) rename terraform/{tools => metrics}/templates/grafana.values.tftpl (100%) rename terraform/{tools => metrics}/templates/loki.values.tftpl (62%) rename terraform/{tools => metrics}/templates/mimir.values.tftpl (98%) create mode 100644 terraform/metrics/templates/tempo.values.tftpl create mode 100644 terraform/metrics/tempo.tf create mode 100644 terraform/metrics/variables.tf delete mode 100644 terraform/tools/lgtm.tf delete mode 100644 terraform/tools/templates/tempo.values.tftpl diff --git a/terraform/README.md b/terraform/README.md index fcdf425..4326371 100644 --- a/terraform/README.md +++ b/terraform/README.md 
@@ -45,3 +45,18 @@ db/postgres:
 
 - password:
 - username:
+
+apps/lgtm:
+
+- GRAFANA_LOKI_S3_ACCESS_KEY:
+- GRAFANA_LOKI_S3_SECRET_KEY:
+- GRAFANA_MIMIR_S3_ACCESS_KEY:
+- GRAFANA_MIMIR_S3_SECRET_KEY:
+- GRAFANA_S3_ENDPOINT:
+- GRAFANA_TEMPO_S3_ACCESS_KEY:
+- GRAFANA_TEMPO_S3_SECRET_KEY:
+
+apps/metrics:
+
+- proxy:
+- url:
diff --git a/terraform/metrics/.terraform.lock.hcl b/terraform/metrics/.terraform.lock.hcl
new file mode 100644
index 0000000..c6aeed5
--- /dev/null
+++ b/terraform/metrics/.terraform.lock.hcl
@@ -0,0 +1,104 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/gavinbunney/kubectl" { + version = "1.19.0" + constraints = "~> 1.0" + hashes = [ + "h1:9QkxPjp0x5FZFfJbE+B7hBOoads9gmdfj9aYu5N4Sfc=", + "zh:1dec8766336ac5b00b3d8f62e3fff6390f5f60699c9299920fc9861a76f00c71", + "zh:43f101b56b58d7fead6a511728b4e09f7c41dc2e3963f59cf1c146c4767c6cb7", + "zh:4c4fbaa44f60e722f25cc05ee11dfaec282893c5c0ffa27bc88c382dbfbaa35c", + "zh:51dd23238b7b677b8a1abbfcc7deec53ffa5ec79e58e3b54d6be334d3d01bc0e", + "zh:5afc2ebc75b9d708730dbabdc8f94dd559d7f2fc5a31c5101358bd8d016916ba", + "zh:6be6e72d4663776390a82a37e34f7359f726d0120df622f4a2b46619338a168e", + "zh:72642d5fcf1e3febb6e5d4ae7b592bb9ff3cb220af041dbda893588e4bf30c0c", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:a1da03e3239867b35812ee031a1060fed6e8d8e458e2eaca48b5dd51b35f56f7", + "zh:b98b6a6728fe277fcd133bdfa7237bd733eae233f09653523f14460f608f8ba2", + "zh:bb8b071d0437f4767695c6158a3cb70df9f52e377c67019971d888b99147511f", + "zh:dc89ce4b63bfef708ec29c17e85ad0232a1794336dc54dd88c3ba0b77e764f71", + "zh:dd7dd18f1f8218c6cd19592288fde32dccc743cde05b9feeb2883f37c2ff4b4e", + "zh:ec4bd5ab3872dedb39fe528319b4bba609306e12ee90971495f109e142d66310", + "zh:f610ead42f724c82f5463e0e71fa735a11ffb6101880665d93f48b4a67b9ad82", + ] +} + +provider "registry.terraform.io/hashicorp/external" { + version = "2.3.5" + constraints = "~> 2.0" + hashes = [ + "h1:smKSos4zs57pJjQrNuvGBpSWth2el9SgePPbPHo0aps=", + "zh:6e89509d056091266532fa64de8c06950010498adf9070bf6ff85bc485a82562", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:86868aec05b58dc0aa1904646a2c26b9367d69b890c9ad70c33c0d3aa7b1485a", + "zh:a2ce38fda83a62fa5fb5a70e6ca8453b168575feb3459fa39803f6f40bd42154", + "zh:a6c72798f4a9a36d1d1433c0372006cc9b904e8cfd60a2ae03ac5b7d2abd2398", + 
"zh:a8a3141d2fc71c86bf7f3c13b0b3be8a1b0f0144a47572a15af4dfafc051e28a", + "zh:aa20a1242eb97445ad26ebcfb9babf2cd675bdb81cac5f989268ebefa4ef278c", + "zh:b58a22445fb8804e933dcf835ab06c29a0f33148dce61316814783ee7f4e4332", + "zh:cb5626a661ee761e0576defb2a2d75230a3244799d380864f3089c66e99d0dcc", + "zh:d1acb00d20445f682c4e705c965e5220530209c95609194c2dc39324f3d4fcce", + "zh:d91a254ba77b69a29d8eae8ed0e9367cbf0ea6ac1a85b58e190f8cb096a40871", + "zh:f6592327673c9f85cdb6f20336faef240abae7621b834f189c4a62276ea5db41", + ] +} + +provider "registry.terraform.io/hashicorp/helm" { + version = "2.17.0" + constraints = "~> 2.0" + hashes = [ + "h1:K5FEjxvDnxb1JF1kG1xr8J3pNGxoaR3Z0IBG9Csm/Is=", + "zh:06fb4e9932f0afc1904d2279e6e99353c2ddac0d765305ce90519af410706bd4", + "zh:104eccfc781fc868da3c7fec4385ad14ed183eb985c96331a1a937ac79c2d1a7", + "zh:129345c82359837bb3f0070ce4891ec232697052f7d5ccf61d43d818912cf5f3", + "zh:3956187ec239f4045975b35e8c30741f701aa494c386aaa04ebabffe7749f81c", + "zh:66a9686d92a6b3ec43de3ca3fde60ef3d89fb76259ed3313ca4eb9bb8c13b7dd", + "zh:88644260090aa621e7e8083585c468c8dd5e09a3c01a432fb05da5c4623af940", + "zh:a248f650d174a883b32c5b94f9e725f4057e623b00f171936dcdcc840fad0b3e", + "zh:aa498c1f1ab93be5c8fbf6d48af51dc6ef0f10b2ea88d67bcb9f02d1d80d3930", + "zh:bf01e0f2ec2468c53596e027d376532a2d30feb72b0b5b810334d043109ae32f", + "zh:c46fa84cc8388e5ca87eb575a534ebcf68819c5a5724142998b487cb11246654", + "zh:d0c0f15ffc115c0965cbfe5c81f18c2e114113e7a1e6829f6bfd879ce5744fbb", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} + +provider "registry.terraform.io/hashicorp/kubernetes" { + version = "2.38.0" + constraints = "~> 2.0" + hashes = [ + "h1:5CkveFo5ynsLdzKk+Kv+r7+U9rMrNjfZPT3a0N/fhgE=", + "zh:0af928d776eb269b192dc0ea0f8a3f0f5ec117224cd644bdacdc682300f84ba0", + "zh:1be998e67206f7cfc4ffe77c01a09ac91ce725de0abaec9030b22c0a832af44f", + "zh:326803fe5946023687d603f6f1bab24de7af3d426b01d20e51d4e6fbe4e7ec1b", + 
"zh:4a99ec8d91193af961de1abb1f824be73df07489301d62e6141a656b3ebfff12", + "zh:5136e51765d6a0b9e4dbcc3b38821e9736bd2136cf15e9aac11668f22db117d2", + "zh:63fab47349852d7802fb032e4f2b6a101ee1ce34b62557a9ad0f0f0f5b6ecfdc", + "zh:924fb0257e2d03e03e2bfe9c7b99aa73c195b1f19412ca09960001bee3c50d15", + "zh:b63a0be5e233f8f6727c56bed3b61eb9456ca7a8bb29539fba0837f1badf1396", + "zh:d39861aa21077f1bc899bc53e7233262e530ba8a3a2d737449b100daeb303e4d", + "zh:de0805e10ebe4c83ce3b728a67f6b0f9d18be32b25146aa89116634df5145ad4", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:faf23e45f0090eef8ba28a8aac7ec5d4fdf11a36c40a8d286304567d71c1e7db", + ] +} + +provider "registry.terraform.io/hashicorp/local" { + version = "2.6.1" + hashes = [ + "h1:LMoX85QLTgCCqRuy2aXoz47P7gZ4WRPSA00fUPC/Rho=", + "zh:10050d08f416de42a857e4b6f76809aae63ea4ec6f5c852a126a915dede814b4", + "zh:2df2a3ebe9830d4759c59b51702e209fe053f47453cb4688f43c063bac8746b7", + "zh:2e759568bcc38c86ca0e43701d34cf29945736fdc8e429c5b287ddc2703c7b18", + "zh:6a62a34e48500ab4aea778e355e162ebde03260b7a9eb9edc7e534c84fbca4c6", + "zh:74373728ba32a1d5450a3a88ac45624579e32755b086cd4e51e88d9aca240ef6", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:8dddae588971a996f622e7589cd8b9da7834c744ac12bfb59c97fa77ded95255", + "zh:946f82f66353bb97aefa8d95c4ca86db227f9b7c50b82415289ac47e4e74d08d", + "zh:e9a5c09e6f35e510acf15b666fd0b34a30164cecdcd81ce7cda0f4b2dade8d91", + "zh:eafe5b873ef42b32feb2f969c38ff8652507e695620cbaf03b9db714bee52249", + "zh:ec146289fa27650c9d433bb5c7847379180c0b7a323b1b94e6e7ad5d2a7dbe71", + "zh:fc882c35ce05631d76c0973b35adde26980778fc81d9da81a2fade2b9d73423b", + ] +} diff --git a/terraform/metrics/alert-bot.tf b/terraform/metrics/alert-bot.tf new file mode 100644 index 0000000..e318215 --- /dev/null +++ b/terraform/metrics/alert-bot.tf 
@@ -0,0 +1,35 @@ +resource "helm_release" "alert_bot" { + name = "alert-bot" + repository = "https://k8s-at-home.com/charts" + chart = "alertmanager-discord" + version = "1.3.2" + namespace = var.metrics_ns + + values = [templatefile("${path.module}/templates/alert-bot.values.tftpl", {})] +} + +resource "kubectl_manifest" "discord_webhook" { + yaml_body = < ${path.module}/certs/ca.hash + EOT + } + + depends_on = [data.external.ca_hash] +} diff --git a/terraform/tools/lgtm.tf b/terraform/tools/lgtm.tf deleted file mode 100644 index 614a09a..0000000 --- a/terraform/tools/lgtm.tf +++ /dev/null 
@@ -1,191 +0,0 @@ - -resource "kubernetes_namespace" "metrics_ns" { - metadata { - name = var.metrics_ns - labels = { - "${var.oidc_access_label.key}" = var.oidc_access_label.value - "${var.cloudflare_cert_label.key}" = var.cloudflare_cert_label.value - "${var.secret_store_label.key}" = var.secret_store_label.value - "${var.cluster_ca_cert_label.key}" = var.cluster_ca_cert_label.value - "${var.minio_access_label.key}" = var.minio_access_label.value - } - } -} - -resource "helm_release" "loki" { - name = "loki" - repository = "https://grafana.github.io/helm-charts" - chart = "loki" - version = "6.29.0" - namespace = var.metrics_ns - - values = [templatefile("${path.module}/templates/loki.values.tftpl", { - ca_hash = var.ca_hash - })] - - depends_on = [kubernetes_namespace.metrics_ns] -} - -resource "helm_release" "mimir" { - name = "mimir" - repository = "https://grafana.github.io/helm-charts" - chart = "mimir-distributed" - version = "5.6.0" - namespace = var.metrics_ns - - values = [templatefile("${path.module}/templates/mimir.values.tftpl", { - ca_hash = var.ca_hash - namespace = var.metrics_ns - })] - - depends_on = [kubernetes_namespace.metrics_ns] -} - -resource "helm_release" "tempo" { - name = "tempo" - repository = "https://grafana.github.io/helm-charts" - chart = "tempo-distributed" - version = "1.34.0" - namespace = var.metrics_ns - - values = [templatefile("${path.module}/templates/tempo.values.tftpl", { - ca_hash = var.ca_hash - })] - - depends_on = [kubernetes_namespace.metrics_ns] -} - -resource "helm_release" "alloy" { - name = "alloy" - repository = "https://grafana.github.io/helm-charts" - chart = "alloy" - version = "0.12.6" - namespace = var.metrics_ns - - values = [templatefile("${path.module}/templates/alloy.values.tftpl", { - ca_hash = var.ca_hash - })] - - depends_on = [kubernetes_namespace.metrics_ns] -} - -resource "helm_release" "grafana" { - name = "grafana" - repository = "https://grafana.github.io/helm-charts" - chart = "grafana" - 
version = "8.11.3" - namespace = var.metrics_ns - - values = [templatefile("${path.module}/templates/grafana.values.tftpl", { - namespace = var.metrics_ns - storage_class = var.storage_class - ingress_class = var.ingress_class - cloudflare_ca_cert_var = var.cloudflare_ca_cert_var - cloudflare_cert_var = var.cloudflare_cert_var - })] - - depends_on = [kubernetes_namespace.metrics_ns] -} - -resource "helm_release" "alert_bot" { - name = "alert-bot" - repository = "https://k8s-at-home.com/charts" - chart = "alertmanager-discord" - version = "1.3.2" - namespace = var.metrics_ns - - values = [templatefile("${path.module}/templates/alert-bot.values.tftpl", {})] -} - -resource "kubectl_manifest" "metrics_ingress" { - yaml_body = < Date: Sat, 22 Nov 2025 22:49:53 +0100 Subject: [PATCH 18/43] feat: added rustfs --- terraform/README.md | 1 + terraform/db/minio.tf | 117 ---- terraform/db/rustfs.tf | 19 + .../db/templates/minio-tenant.values.tftpl | 506 ------------------ terraform/db/templates/minio.values.tftpl | 2 - terraform/db/templates/rustfs.values.tftpl | 14 + terraform/db/variables.tf | 2 +- .../metrics/templates/tempo.values.tftpl | 2 +- 8 files changed, 36 insertions(+), 627 deletions(-) delete mode 100644 terraform/db/minio.tf create mode 100644 terraform/db/rustfs.tf delete mode 100644 terraform/db/templates/minio-tenant.values.tftpl delete mode 100644 terraform/db/templates/minio.values.tftpl create mode 100644 terraform/db/templates/rustfs.values.tftpl diff --git a/terraform/README.md b/terraform/README.md index 4326371..45f359a 100644 --- a/terraform/README.md +++ b/terraform/README.md @@ -5,6 +5,7 @@ 1. crd: Install Custom Resource Definitions (CRDs) and monitoring tools. 2. storage: Set up storage solutions required for the cluster. (add cloudflare cert to vault) 3. network: Configure networking components and services. +4. db: Deploy database services. ## Required secrets in Vault 
diff --git a/terraform/db/minio.tf b/terraform/db/minio.tf deleted file mode 100644 index cf45e04..0000000 --- a/terraform/db/minio.tf +++ /dev/null 
@@ -1,117 +0,0 @@ -resource "kubernetes_namespace" "minio" { - metadata { - name = var.minio_ns - } -} - -resource "helm_release" "minio" { - name = "minio" - repository = "https://operator.min.io" - chart = "operator" - version = "7.0.1" - namespace = var.minio_ns - - values = [templatefile("${path.module}/templates/minio.values.tftpl", { - })] - - depends_on = [kubernetes_namespace.minio] -} - -resource "helm_release" "minio_tenant" { - name = "minio-tenant" - repository = "https://operator.min.io" - chart = "tenant" - version = "7.0.1" - namespace = var.minio_ns - - values = [templatefile("${path.module}/templates/minio-tenant.values.tftpl", { - storage_class = var.storage_class - namespace = var.minio_ns - cloudflare_ca_cert_var = var.cloudflare_ca_cert_var - cloudflare_cert_var = var.cloudflare_cert_var - ingress_class = var.ingress_class - minio_config = var.minio_config - cert_issuer = var.cert_issuer_prod - })] - - depends_on = [kubernetes_namespace.minio] -} - -module "k8s_api_np_minio" { - source = "../modules/k8s-api-np" - - namespace = var.minio_ns - k8s_api = var.k8s_api - - depends_on = [kubernetes_namespace.minio] -} - -resource "kubectl_manifest" "minio_config" { - yaml_body = <`__ to perform setup or configuration tasks before the main Tenant pods starts. - # - # Example of init container which waits for idenity provider to be reachable before starting MinIO Tenant: - # - # .. code-block:: yaml - # - # initContainers: - # - name: wait-for-idp - # image: busybox - # command: - # - sh - # - -c - # - | - # URL="https://idp-url" - # echo "Checking IdP reachability ($_{URL})" - # until $(wget -q -O "/dev/null" $_{URL}) ; do - # echo "IdP ($_{URL}) not reachable. Waiting to be reachable..." - # sleep 5 - # done - # echo "IdP ($_{URL}) reachable. Starting MinIO..." - # - initContainers: [] - ### - # The Kubernetes `Scheduler `__ to use for dispatching Tenant pods. - # - # Specify an empty dictionary ``{}`` to dispatch pods with the default scheduler. 
- scheduler: {} - ### - # The Kubernetes secret name that contains MinIO environment variable configurations. - # The secret is expected to have a key named config.env containing environment variables exports. - configuration: - name: ${minio_config} - ### - # Metadata that will be added to the statefulset and pods of all pools - poolsMetadata: - ### - # Specify `annotations `__ to associate to Tenant pods. - annotations: {} - ### - # Specify `labels `__ to associate to Tenant pods. - labels: {} - - ### - # If this variable is set to true, then enable the usage of an existing Kubernetes secret to set environment variables for the Tenant. - # The existing Kubernetes secret name must be placed under .tenant.configuration.name e.g. existing-minio-env-configuration - # The secret must contain a key ``config.env``. - # The values should be a series of export statements to set environment variables for the Tenant. - # For example: - # - # .. code-block:: shell - # - # stringData: - # config.env: |- - # export MINIO_ROOT_USER=ROOTUSERNAME - # export MINIO_ROOT_PASSWORD=ROOTUSERPASSWORD - # - # existingSecret: false - ### - # Top level key for configuring MinIO Pool(s) in this Tenant. - # - # See `Operator CRD: Pools `__ for more information on all subfields. - pools: - ### - # The number of MinIO Tenant Pods / Servers in this pool. - # For standalone mode, supply 1. For distributed mode, supply 4 or more. - # Note that the operator does not support upgrading from standalone to distributed mode. - - servers: 1 - ### - # Custom name for the pool - name: pool-1 - ### - # The number of volumes attached per MinIO Tenant Pod / Server. - volumesPerServer: 1 - ### - # The capacity per volume requested per MinIO Tenant Pod. - size: 100Gi - ### - # The `storageClass `__ to associate with volumes generated for this pool. 
- # - # If using Amazon Elastic Block Store (EBS) CSI driver - # Please make sure to set xfs for "csi.storage.k8s.io/fstype" parameter under StorageClass.parameters. - # Docs: https://github.com/kubernetes-sigs/aws-ebs-csi-driver/blob/master/docs/parameters.md - storageClassName: ${storage_class} - ### - # Specify `storageAnnotations `__ to associate to PVCs. - storageAnnotations: {} - ### - # Specify `storageLabels `__ to associate to PVCs. - storageLabels: {} - ### - # Specify `annotations `__ to associate to Tenant pods. - annotations: {} - ### - # Specify `labels `__ to associate to Tenant pods. - labels: {} - ### - # - # An array of `Toleration labels `__ to associate to Tenant pods. - # - # These settings determine the distribution of pods across worker nodes. - tolerations: [] - ### - # Any `Node Selectors `__ to apply to Tenant pods. - # - # The Kubernetes scheduler uses these selectors to determine which worker nodes onto which it can deploy Tenant pods. - # - # If no worker nodes match the specified selectors, the Tenant deployment will fail. - nodeSelector: {} - ### - # - # The `affinity `__ or anti-affinity settings to apply to Tenant pods. - # - # These settings determine the distribution of pods across worker nodes and can help prevent or allow colocating pods onto the same worker nodes. - affinity: {} - ### - # - # The `Requests or Limits `__ for resources to associate to Tenant pods. - # - # These settings can control the minimum and maximum resources requested for each pod. - # If no worker nodes can meet the specified requests, the Operator may fail to deploy. - resources: {} - ### - # The Kubernetes `SecurityContext `__ to use for deploying Tenant resources. - # - # You may need to modify these values to meet your cluster's security and access settings. - # - # We recommend disabling recursive permission changes by setting ``fsGroupChangePolicy`` to ``OnRootMismatch`` as those operations can be expensive for certain workloads (e.g. 
large volumes with many small files). - securityContext: - runAsUser: 1000 - runAsGroup: 1000 - fsGroup: 1000 - fsGroupChangePolicy: "OnRootMismatch" - runAsNonRoot: true - ### - # The Kubernetes `SecurityContext `__ to use for deploying Tenant containers. - # You may need to modify these values to meet your cluster's security and access settings. - containerSecurityContext: - runAsUser: 1000 - runAsGroup: 1000 - runAsNonRoot: true - allowPrivilegeEscalation: false - capabilities: - drop: - - ALL - seccompProfile: - type: RuntimeDefault - ### - # - # An array of `Topology Spread Constraints `__ to associate to Operator Console pods. - # - # These settings determine the distribution of pods across worker nodes. - topologySpreadConstraints: [] - ### - # - # The name of a custom `Container Runtime `__ to use for the Operator Console pods. - # runtimeClassName: "" - ### - # The mount path where Persistent Volumes are mounted inside Tenant container(s). - mountPath: /export - ### - # The Sub path inside Mount path where MinIO stores data. - # - # .. warning:: - # - # Treat the ``mountPath`` and ``subPath`` values as immutable once you deploy the Tenant. - # If you change these values post-deployment, then you may have different paths for new and pre-existing data. - # This can vastly increase operational complexity and may result in unpredictable data states. - subPath: /data - ### - # Configures a Prometheus-compatible scraping endpoint at the specified port. - metrics: - enabled: true - port: 9000 - protocol: http - ### - # Configures external certificate settings for the Tenant. - certificate: - ### - # Specify an array of Kubernetes TLS secrets, where each entry corresponds to a secret the TLS private key and public certificate pair. 
- # - # This is used by MinIO to verify TLS connections from clients using those CAs - # If you omit this and have clients using TLS certificates minted by an external CA, those connections may fail with warnings around certificate verification. - # See `Operator CRD: TenantSpec `__. - externalCaCertSecret: [] - ### - # Specify an array of Kubernetes secrets, where each entry corresponds to a secret contains the TLS private key and public certificate pair. - # - # Omit this to use only the MinIO Operator autogenerated certificates. - # - # If you omit this field *and* set ``requestAutoCert`` to false, the Tenant starts without TLS. - # - # See `Operator CRD: TenantSpec `__. - # - # .. important:: - # - # The MinIO Operator may output TLS connectivity errors if it cannot trust the Certificate Authority (CA) which minted the custom certificates. - # - # You can pass the CA to the Operator to allow it to trust that cert. - # See `Self-Signed, Internal, and Private Certificates `__ for more information. - # This step may also be necessary for globally trusted CAs where you must provide intermediate certificates to the Operator to help build the full chain of trust. - externalCertSecret: [] - ### - # Enable automatic Kubernetes based `certificate generation and signing `__ - requestAutoCert: true - ### - # The minimum number of days to expiry before an alert for an expiring certificate is fired. - # In the below example, if a given certificate will expire in 7 days then expiration events will only be triggered 1 day before expiry - # certExpiryAlertThreshold: 1 - ### - # This field is used only when ``requestAutoCert: true``. - # Use this field to set CommonName for the auto-generated certificate. - # MinIO defaults to using the internal Kubernetes DNS name for the pod - # The default DNS name format is typically ``*.minio.default.svc.cluster.local``. 
- # - # See `Operator CRD: CertificateConfig `__ - certConfig: {} - ### - # MinIO features to enable or disable in the MinIO Tenant - # See `Operator CRD: Features `__. - features: - bucketDNS: false - domains: {} - enableSFTP: false - ### - # Array of objects describing one or more buckets to create during tenant provisioning. - # Example: - # - # .. code-block:: yaml - # - # - name: my-minio-bucket - # objectLock: false # optional - # region: us-east-1 # optional - buckets: [] - ### - # Array of Kubernetes secrets from which the Operator generates MinIO users during tenant provisioning. - # - # Each secret should specify the ``CONSOLE_ACCESS_KEY`` and ``CONSOLE_SECRET_KEY`` as the access key and secret key for that user. - users: [] - ### - # The `PodManagement `__ policy for MinIO Tenant Pods. - # Can be "OrderedReady" or "Parallel" - podManagementPolicy: Parallel - # The `Liveness Probe `__ for monitoring Tenant pod liveness. - # Tenant pods will be restarted if the probe fails. - liveness: {} - ### - # `Readiness Probe `__ for monitoring Tenant container readiness. - # Tenant pods will be removed from service endpoints if the probe fails. - readiness: {} - ### - # `Startup Probe `__ for monitoring container startup. - # Tenant pods will be restarted if the probe fails. - # Refer - startup: {} - ### - # The `Lifecycle hooks `__ for container. - lifecycle: {} - ### - # Directs the Operator to deploy the MinIO S3 API and Console services as LoadBalancer objects. - # - # If the Kubernetes cluster has a configured LoadBalancer, it can attempt to route traffic to those services automatically. - # - # - Specify ``minio: true`` to expose the MinIO S3 API. - # - Specify ``console: true`` to expose the Console. - # - # Both fields default to ``false``. - exposeServices: {} - ### - # The `Kubernetes Service Account `__ associated with the Tenant. 
- serviceAccountName: "" - ### - # Directs the Operator to add the Tenant's metric scrape configuration to an existing Kubernetes Prometheus deployment managed by the Prometheus Operator. - prometheusOperator: false - ### - # Configure pod logging configuration for the MinIO Tenant. - # - # - Specify ``json`` for JSON-formatted logs. - # - Specify ``anonymous`` for anonymized logs. - # - Specify ``quiet`` to supress logging. - # - # An example of JSON-formatted logs is as follows: - # - # .. code-block:: shell - # - # $ k logs myminio-pool-0-0 -n default - # {"level":"INFO","errKind":"","time":"2022-04-07T21:49:33.740058549Z","message":"All MinIO sub-systems initialized successfully"} - logging: {} - ### - # serviceMetadata allows passing additional labels and annotations to MinIO and Console specific - # services created by the operator. - serviceMetadata: - minioServiceLabels: - app: minio-metrics - ### - # Add environment variables to be set in MinIO container (https://github.com/minio/minio/tree/master/docs/config) - env: [] - ### - # PriorityClassName indicates the Pod priority and hence importance of a Pod relative to other Pods. - # This is applied to MinIO pods only. - # Refer Kubernetes documentation for details https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass/ - priorityClassName: "" - ### - # An array of `Volumes `__ which the Operator can mount to Tenant pods. - # - # The volumes must exist *and* be accessible to the Tenant pods. - additionalVolumes: [] - ### - # An array of volume mount points associated to each Tenant container. - # - # Specify each item in the array as follows: - # - # .. code-block:: yaml - # - # volumeMounts: - # - name: volumename - # mountPath: /path/to/mount - # - # The ``name`` field must correspond to an entry in the ``additionalVolumes`` array. 
- additionalVolumeMounts: [] - # Define configuration for KES (stateless and distributed key-management system) - # Refer https://github.com/minio/kes - #kes: - # ## Image field: - # # Image from tag (original behavior), for example: - # # image: - # # repository: quay.io/minio/kes - # # tag: 2025-03-12T09-35-18Z - # # Image from digest (added after original behavior), for example: - # # image: - # # repository: quay.io/minio/kes@sha256 - # # digest: fb15af611149892f357a8a99d1bcd8bf5dae713bd64c15e6eb27fbdb88fc208b - # image: - # repository: quay.io/minio/kes - # tag: 2025-03-12T09-35-18Z - # pullPolicy: IfNotPresent - # env: [ ] - # replicas: 2 - # configuration: |- - # address: :7373 - # tls: - # key: /tmp/kes/server.key # Path to the TLS private key - # cert: /tmp/kes/server.crt # Path to the TLS certificate - # proxy: - # identities: [] - # header: - # cert: X-Tls-Client-Cert - # admin: - # identity: $_{MINIO_KES_IDENTITY} - # cache: - # expiry: - # any: 5m0s - # unused: 20s - # log: - # error: on - # audit: off - # keystore: - # # KES configured with fs (File System mode) doesn't work in Kubernetes environments and is not recommended - # # use a real KMS - # # fs: - # # path: "./keys" # Path to directory. Keys will be stored as files. Not Recommended for Production. - # vault: - # endpoint: "http://vault.default.svc.cluster.local:8200" # The Vault endpoint - # namespace: "" # An optional Vault namespace. See: https://www.vaultproject.io/docs/enterprise/namespaces/index.html - # prefix: "my-minio" # An optional K/V prefix. The server will store keys under this prefix. - # approle: # AppRole credentials. See: https://www.vaultproject.io/docs/auth/approle.html - # id: "" # Your AppRole Role ID - # secret: "" # Your AppRole Secret ID - # retry: 15s # Duration until the server tries to re-authenticate after connection loss. 
- # tls: # The Vault client TLS configuration for mTLS authentication and certificate verification - # key: "" # Path to the TLS client private key for mTLS authentication to Vault - # cert: "" # Path to the TLS client certificate for mTLS authentication to Vault - # ca: "" # Path to one or multiple PEM root CA certificates - # status: # Vault status configuration. The server will periodically reach out to Vault to check its status. - # ping: 10s # Duration until the server checks Vault's status again. - # # aws: - # # # The AWS SecretsManager key store. The server will store - # # # secret keys at the AWS SecretsManager encrypted with - # # # AWS-KMS. See: https://aws.amazon.com/secrets-manager - # # secretsmanager: - # # endpoint: "" # The AWS SecretsManager endpoint - e.g.: secretsmanager.us-east-2.amazonaws.com - # # region: "" # The AWS region of the SecretsManager - e.g.: us-east-2 - # # kmskey: "" # The AWS-KMS key ID used to en/decrypt secrets at the SecretsManager. By default (if not set) the default AWS-KMS key will be used. - # # credentials: # The AWS credentials for accessing secrets at the AWS SecretsManager. 
- # # accesskey: "" # Your AWS Access Key - # # secretkey: "" # Your AWS Secret Key - # # token: "" # Your AWS session token (usually optional) - # imagePullPolicy: "IfNotPresent" - # externalCertSecret: null - # clientCertSecret: null - # # Key name to be created on the KMS, default is "my-minio-key" - # keyName: "" - # resources: { } - # nodeSelector: { } - # affinity: - # nodeAffinity: { } - # podAffinity: { } - # podAntiAffinity: { } - # tolerations: [ ] - # annotations: { } - # labels: { } - # serviceAccountName: "" - # securityContext: - # runAsUser: 1000 - # runAsGroup: 1000 - # runAsNonRoot: true - # fsGroup: 1000 - # containerSecurityContext: - # runAsUser: 1000 - # runAsGroup: 1000 - # runAsNonRoot: true - # allowPrivilegeEscalation: false - # capabilities: - # drop: - # - ALL - # seccompProfile: - # type: RuntimeDefault - -### -# Configures `Ingress `__ for the Tenant S3 API and Console. -# -# Set the keys to conform to the Ingress controller and configuration of your choice. -ingress: - api: - enabled: true - ingressClassName: ${ingress_class} - labels: {} - annotations: - nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" - cert-manager.io/cluster-issuer: ${cert_issuer} - tls: - - secretName: minio-api-tls - hosts: - - s3.profidev.io - host: s3.profidev.io - path: / - pathType: Prefix - console: - enabled: true - ingressClassName: ${ingress_class} - labels: {} - annotations: - nginx.ingress.kubernetes.io/auth-tls-secret: ${namespace}/${cloudflare_ca_cert_var} - nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" - nginx.ingress.kubernetes.io/auth-tls-verify-client: "on" - tls: - - secretName: ${cloudflare_cert_var} - hosts: - - "*.profidev.io" - - profidev.io - host: minio.profidev.io - path: / - pathType: Prefix -# Use an extraResources template section to include additional Kubernetes resources -# with the Helm deployment. 
-#extraResources: -# - | -# apiVersion: v1 -# kind: Secret -# type: Opaque -# metadata: -# name: {{ dig "tenant" "configSecret" "name" "" (.Values | merge (dict)) }} -# stringData: -# config.env: |- -# export MINIO_ROOT_USER='minio' -# export MINIO_ROOT_PASSWORD='minio123' diff --git a/terraform/db/templates/minio.values.tftpl b/terraform/db/templates/minio.values.tftpl deleted file mode 100644 index d249ba4..0000000 --- a/terraform/db/templates/minio.values.tftpl +++ /dev/null @@ -1,2 +0,0 @@ -operator: - replicaCount: 1 diff --git a/terraform/db/templates/rustfs.values.tftpl b/terraform/db/templates/rustfs.values.tftpl new file mode 100644 index 0000000..645ce88 --- /dev/null +++ b/terraform/db/templates/rustfs.values.tftpl @@ -0,0 +1,14 @@ +replicaCount: 1 + +mode: + standalone: + enabled: true + distributed: + enabled: false + +ingress: + className: "nginx" + +storageclass: + name: ${storage_class} + size: 20Gi diff --git a/terraform/db/variables.tf b/terraform/db/variables.tf index 729cdec..360b61e 100644 --- a/terraform/db/variables.tf +++ b/terraform/db/variables.tf @@ -13,7 +13,7 @@ variable "cluster_secret_store" { type = string } -variable "minio_ns" { +variable "rustfs_ns" { description = "The namespace where MinIO will be deployed" type = string } diff --git a/terraform/metrics/templates/tempo.values.tftpl b/terraform/metrics/templates/tempo.values.tftpl index 8f34efb..3fd6339 100644 --- a/terraform/metrics/templates/tempo.values.tftpl +++ b/terraform/metrics/templates/tempo.values.tftpl @@ -18,7 +18,7 @@ tempo: name: cluster-ca-cert readOnly: true extraArgs: - - "-config.expand-env=true" + "config.expand-env": "true" extraEnvFrom: - secretRef: name: lgtm From 0838416645bdc56e3cce6bfc0b292dfdd31f76f9 Mon Sep 17 00:00:00 2001 
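Review bot: `ingress.className` is a hard-coded `"nginx"` while `storageclass.name` two lines below is templated from `${storage_class}`, and the MinIO values this commit deletes took the class from `${ingress_class}`; for consistency and a single point of change it should be `className: ${ingress_class}`, provided the templatefile call for rustfs passes that variable. The block also sets no host and no TLS section, whereas the removed MinIO console ingress carried `nginx.ingress.kubernetes.io/auth-tls-verify-client: "on"` and a TLS secret; whether the RustFS chart exposes anything when only `className` is set cannot be told from this hunk, so it is worth confirming against the chart defaults before apply.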
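Review bot: The variable is renamed to `rustfs_ns` but its description on the following context line still says "The namespace where MinIO will be deployed"; change it to `description = "The namespace where RustFS will be deployed"` so the generated variable docs match the component that now uses it.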
From: ProfiiDev <92174452+Profiidev@users.noreply.github.com> Date: Sat, 22 Nov 2025 23:10:07 +0100 Subject: [PATCH 19/43] fix: metrics not working correctly --- terraform/README.md | 25 ++++++++++++++++++- .../metrics/templates/alloy.values.tftpl | 2 +- .../metrics/templates/grafana.values.tftpl | 4 +-- terraform/metrics/templates/loki.values.tftpl | 18 +++++++++++-- .../metrics/templates/mimir.values.tftpl | 1 + .../metrics/templates/tempo.values.tftpl | 1 + 6 files changed, 45 insertions(+), 6 deletions(-) diff --git a/terraform/README.md b/terraform/README.md index 45f359a..1549ac2 100644 --- a/terraform/README.md +++ b/terraform/README.md @@ -5,10 +5,13 @@ 1. crd: Install Custom Resource Definitions (CRDs) and monitoring tools. 2. storage: Set up storage solutions required for the cluster. (add cloudflare cert to vault) 3. network: Configure networking components and services. -4. db: Deploy database services. +4. db: Deploy database services. (create buckets and access keys after this) +5. metrics: Set up monitoring and metrics collection services. ## Required secrets in Vault +### After Storage setup (step 2) + docker/ghcr: - profidev: @@ -47,6 +50,8 @@ db/postgres: - password: - username: +### After DB setup (step 4) + apps/lgtm: - GRAFANA_LOKI_S3_ACCESS_KEY: @@ -61,3 +66,21 @@ apps/metrics: - proxy: - url: + +## S3 resources to create + +### Buckets + +- loki-admin +- loki-chunk +- loki-ruler +- mimir-alert +- mimir-blocks +- mimir-ruler +- tempo + +### Access keys + +- loki: Access to loki-admin, loki-chunk, loki-ruler buckets +- mimir: Access to mimir-alert, mimir-blocks, mimir-ruler buckets +- tempo: Access to tempo bucket diff --git a/terraform/metrics/templates/alloy.values.tftpl b/terraform/metrics/templates/alloy.values.tftpl index d1712e7..9acd202 100644 --- a/terraform/metrics/templates/alloy.values.tftpl +++ b/terraform/metrics/templates/alloy.values.tftpl 
@@ -132,7 +132,7 @@ alloy: loki.write "loki" { endpoint { - url = "http://loki-gateway/loki/api/v1/push" + url = "http://loki:3100/loki/api/v1/push" } } diff --git a/terraform/metrics/templates/grafana.values.tftpl b/terraform/metrics/templates/grafana.values.tftpl index 42c1eaa..6aae31c 100644 --- a/terraform/metrics/templates/grafana.values.tftpl +++ b/terraform/metrics/templates/grafana.values.tftpl @@ -35,7 +35,7 @@ datasources: - name: Loki uid: loki type: loki - url: http://loki-gateway + url: http://loki:3100 jsonData: httpHeaderName1: X-Scope-OrgID secureJsonData: @@ -53,7 +53,7 @@ datasources: - name: Tempo uid: tempo type: tempo - url: http://tempo-query-frontend:3100 + url: http://tempo:3200 isDefault: false jsonData: tracesToLogsV2: diff --git a/terraform/metrics/templates/loki.values.tftpl b/terraform/metrics/templates/loki.values.tftpl index 92aafe0..a919195 100644 --- a/terraform/metrics/templates/loki.values.tftpl +++ b/terraform/metrics/templates/loki.values.tftpl @@ -59,6 +59,7 @@ loki: endpoint: "$${GRAFANA_S3_ENDPOINT}" accessKeyId: "$${GRAFANA_LOKI_S3_ACCESS_KEY}" secretAccessKey: "$${GRAFANA_LOKI_S3_SECRET_KEY}" + insecure: true s3ForcePathStyle: true deploymentMode: SingleBinary @@ -66,5 +67,18 @@ deploymentMode: SingleBinary gateway: enabled: false -singleBinary: - replicas: 1 +resultsCache: + resources: + requests: + cpu: 100m + memory: 1229Mi + limits: + memory: 1229Mi + +chunksCache: + resources: + requests: + cpu: 100m + memory: 1229Mi + limits: + memory: 1500Mi diff --git a/terraform/metrics/templates/mimir.values.tftpl b/terraform/metrics/templates/mimir.values.tftpl index 8ab74fd..ae8060e 100644 --- a/terraform/metrics/templates/mimir.values.tftpl +++ b/terraform/metrics/templates/mimir.values.tftpl @@ -25,6 +25,7 @@ mimir: endpoint: "$${GRAFANA_S3_ENDPOINT}" access_key_id: "$${GRAFANA_MIMIR_S3_ACCESS_KEY}" secret_access_key: "$${GRAFANA_MIMIR_S3_SECRET_KEY}" + insecure: true alertmanager: sharding_ring: 
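Review bot: `insecure: true` added to the Loki `storage.s3` block tells the S3 client to talk plain HTTP to `$${GRAFANA_S3_ENDPOINT}`, so log chunks and index files, and the signed requests carrying `GRAFANA_LOKI_S3_ACCESS_KEY`, cross the network unencrypted; the same flag is added to Mimir's block right after `secret_access_key` in the hunk below and to Tempo's storage block in the next file of this commit. Tempo's context lines still mount a CA bundle at `/etc/ssl/certs/${ca_hash}.0`, which suggests the intended fix was trusting the cluster CA rather than dropping TLS, so the flag may be masking a trust-chain problem. If the object store is deliberately HTTP-only inside the cluster, say so next to each flag, e.g. `insecure: true # object store is plain HTTP in-cluster; no transport protection for credentials or data`; otherwise keep HTTPS and point the clients at the mounted CA.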
diff --git a/terraform/metrics/templates/tempo.values.tftpl b/terraform/metrics/templates/tempo.values.tftpl
index 3fd6339..dde5486 100644
--- a/terraform/metrics/templates/tempo.values.tftpl
+++ b/terraform/metrics/templates/tempo.values.tftpl
@@ -11,6 +11,7 @@ tempo:
 endpoint: "$${GRAFANA_S3_ENDPOINT}"
 access_key: "$${GRAFANA_TEMPO_S3_ACCESS_KEY}"
 secret_key: "$${GRAFANA_TEMPO_S3_SECRET_KEY}"
+ insecure: true
 forcepathstyle: true
 extraVolumeMounts:
 - mountPath: /etc/ssl/certs/${ca_hash}.0
From fe716596f08453309242ffdaaca3bcb66be03427 Mon Sep 17 00:00:00 2001
From: ProfiiDev <92174452+Profiidev@users.noreply.github.com> Date: Sat, 22 Nov 2025 23:17:54 +0100 Subject: [PATCH 20/43] refactor: moved dashboards to new config --- terraform/metrics/grafana.tf | 76 + terraform/{tools => metrics}/mixin/alloy.yaml | 0 .../{tools => metrics}/mixin/argocd.yaml | 0 .../mixin/cert-manager.yaml | 0 terraform/{tools => metrics}/mixin/coder.yaml | 0 .../{tools => metrics}/mixin/longhorn.yaml | 0 .../{tools => metrics}/mixin/pgbouncer.yaml | 0 .../{tools => metrics}/mixin/postgres.yaml | 0 terraform/{tools => metrics}/mixin/tempo.yaml | 0 .../grafana-dashboard/dashboard.tf | 0 .../dashboards/alloy-controller.json | 0 .../dashboards/alloy-logs.json | 0 .../dashboards/alloy-otel.json | 0 .../dashboards/alloy-prom.json | 0 .../dashboards/alloy-resources.json | 0 .../dashboards/argo-cd-application.json | 0 .../dashboards/argo-cd-notifications.json | 0 .../dashboards/argo-cd-operational.json | 0 .../dashboards/cert-manager.json | 0 .../dashboards/coder-workspace-detail.json | 0 .../dashboards/coder-workspaces.json | 0 .../grafana-dashboard/dashboards/coderd.json | 0 .../dashboards/crowdsec-details.json | 0 .../dashboards/crowdsec-insight.json | 0 .../dashboards/crowdsec-overview.json | 0 .../dashboards/external-secrets.json | 0 .../dashboards/ingress-nginx-request.json | 0 .../dashboards/ingress-nginx.json | 0 .../dashboards/loki-chunks.json | 0 .../dashboards/loki-deletion.json | 0 .../dashboards/loki-logs.json | 0 .../dashboards/loki-operational.json | 0 .../dashboards/loki-reads-resources.json | 0 .../dashboards/loki-reads.json | 0 .../dashboards/loki-retention.json | 0 .../dashboards/loki-writes-resources.json | 0 .../dashboards/loki-writes.json | 0 .../dashboards/longhorn.json | 0 .../dashboards/nats-jetstream.json | 0 .../grafana-dashboard/dashboards/nats.json | 0 .../dashboards/pod-logs.json | 0 .../dashboards/postgres.json | 0 .../dashboards/tempo-block-builder.json | 0 .../dashboards/tempo-operational.json | 0 
.../dashboards/tempo-reads.json | 0 .../dashboards/tempo-resources.json | 0 .../dashboards/tempo-rollout-progress.json | 0 .../dashboards/tempo-tenants.json | 0 .../dashboards/tempo-writes.json | 0 .../grafana-dashboard/dashboards/vault.json | 0 .../grafana-dashboard/main.tf | 0 .../grafana-dashboard/variables.tf | 0 .../grafana-dashboard/dashboards/minio.json | 3804 ----------------- .../dashboards/pgbouncer-overview.json | 883 ---- .../dashboards/pgbouncer.json | 312 -- terraform/tools/higgs.tf | 57 - terraform/tools/metrics.tf | 310 -- terraform/tools/mixin/minio.yaml | 20 - .../templates/pgbouncer-exporter.values.tftpl | 16 - 59 files changed, 76 insertions(+), 5402 deletions(-) rename terraform/{tools => metrics}/mixin/alloy.yaml (100%) rename terraform/{tools => metrics}/mixin/argocd.yaml (100%) rename terraform/{tools => metrics}/mixin/cert-manager.yaml (100%) rename terraform/{tools => metrics}/mixin/coder.yaml (100%) rename terraform/{tools => metrics}/mixin/longhorn.yaml (100%) rename terraform/{tools => metrics}/mixin/pgbouncer.yaml (100%) rename terraform/{tools => metrics}/mixin/postgres.yaml (100%) rename terraform/{tools => metrics}/mixin/tempo.yaml (100%) rename terraform/{modules_old => modules}/grafana-dashboard/dashboard.tf (100%) rename terraform/{modules_old => modules}/grafana-dashboard/dashboards/alloy-controller.json (100%) rename terraform/{modules_old => modules}/grafana-dashboard/dashboards/alloy-logs.json (100%) rename terraform/{modules_old => modules}/grafana-dashboard/dashboards/alloy-otel.json (100%) rename terraform/{modules_old => modules}/grafana-dashboard/dashboards/alloy-prom.json (100%) rename terraform/{modules_old => modules}/grafana-dashboard/dashboards/alloy-resources.json (100%) rename terraform/{modules_old => modules}/grafana-dashboard/dashboards/argo-cd-application.json (100%) rename terraform/{modules_old => modules}/grafana-dashboard/dashboards/argo-cd-notifications.json (100%) rename terraform/{modules_old => 
modules}/grafana-dashboard/dashboards/argo-cd-operational.json (100%) rename terraform/{modules_old => modules}/grafana-dashboard/dashboards/cert-manager.json (100%) rename terraform/{modules_old => modules}/grafana-dashboard/dashboards/coder-workspace-detail.json (100%) rename terraform/{modules_old => modules}/grafana-dashboard/dashboards/coder-workspaces.json (100%) rename terraform/{modules_old => modules}/grafana-dashboard/dashboards/coderd.json (100%) rename terraform/{modules_old => modules}/grafana-dashboard/dashboards/crowdsec-details.json (100%) rename terraform/{modules_old => modules}/grafana-dashboard/dashboards/crowdsec-insight.json (100%) rename terraform/{modules_old => modules}/grafana-dashboard/dashboards/crowdsec-overview.json (100%) rename terraform/{modules_old => modules}/grafana-dashboard/dashboards/external-secrets.json (100%) rename terraform/{modules_old => modules}/grafana-dashboard/dashboards/ingress-nginx-request.json (100%) rename terraform/{modules_old => modules}/grafana-dashboard/dashboards/ingress-nginx.json (100%) rename terraform/{modules_old => modules}/grafana-dashboard/dashboards/loki-chunks.json (100%) rename terraform/{modules_old => modules}/grafana-dashboard/dashboards/loki-deletion.json (100%) rename terraform/{modules_old => modules}/grafana-dashboard/dashboards/loki-logs.json (100%) rename terraform/{modules_old => modules}/grafana-dashboard/dashboards/loki-operational.json (100%) rename terraform/{modules_old => modules}/grafana-dashboard/dashboards/loki-reads-resources.json (100%) rename terraform/{modules_old => modules}/grafana-dashboard/dashboards/loki-reads.json (100%) rename terraform/{modules_old => modules}/grafana-dashboard/dashboards/loki-retention.json (100%) rename terraform/{modules_old => modules}/grafana-dashboard/dashboards/loki-writes-resources.json (100%) rename terraform/{modules_old => modules}/grafana-dashboard/dashboards/loki-writes.json (100%) rename terraform/{modules_old => 
modules}/grafana-dashboard/dashboards/longhorn.json (100%) rename terraform/{modules_old => modules}/grafana-dashboard/dashboards/nats-jetstream.json (100%) rename terraform/{modules_old => modules}/grafana-dashboard/dashboards/nats.json (100%) rename terraform/{modules_old => modules}/grafana-dashboard/dashboards/pod-logs.json (100%) rename terraform/{modules_old => modules}/grafana-dashboard/dashboards/postgres.json (100%) rename terraform/{modules_old => modules}/grafana-dashboard/dashboards/tempo-block-builder.json (100%) rename terraform/{modules_old => modules}/grafana-dashboard/dashboards/tempo-operational.json (100%) rename terraform/{modules_old => modules}/grafana-dashboard/dashboards/tempo-reads.json (100%) rename terraform/{modules_old => modules}/grafana-dashboard/dashboards/tempo-resources.json (100%) rename terraform/{modules_old => modules}/grafana-dashboard/dashboards/tempo-rollout-progress.json (100%) rename terraform/{modules_old => modules}/grafana-dashboard/dashboards/tempo-tenants.json (100%) rename terraform/{modules_old => modules}/grafana-dashboard/dashboards/tempo-writes.json (100%) rename terraform/{modules_old => modules}/grafana-dashboard/dashboards/vault.json (100%) rename terraform/{modules_old => modules}/grafana-dashboard/main.tf (100%) rename terraform/{modules_old => modules}/grafana-dashboard/variables.tf (100%) delete mode 100644 terraform/modules_old/grafana-dashboard/dashboards/minio.json delete mode 100644 terraform/modules_old/grafana-dashboard/dashboards/pgbouncer-overview.json delete mode 100644 terraform/modules_old/grafana-dashboard/dashboards/pgbouncer.json delete mode 100644 terraform/tools/higgs.tf delete mode 100644 terraform/tools/metrics.tf delete mode 100644 terraform/tools/mixin/minio.yaml delete mode 100644 terraform/tools/templates/pgbouncer-exporter.values.tftpl diff --git a/terraform/metrics/grafana.tf b/terraform/metrics/grafana.tf index dfb3bd2..51d8079 100644 --- a/terraform/metrics/grafana.tf 
+++ b/terraform/metrics/grafana.tf
@@ -13,3 +13,79 @@ resource "helm_release" "grafana" {
 cloudflare_cert_var = var.cloudflare_cert_var
 })]
 }
+
+module "dashboards" {
+ for_each = toset([
+ "ingress-nginx",
+ "ingress-nginx-request",
+ "cert-manager",
+ "external-secrets",
+ "vault", "longhorn",
+ "postgres",
+ "nats",
+ "nats-jetstream",
+ "coderd",
+ "coder-workspaces",
+ "coder-workspace-detail",
+ "crowdsec-details",
+ "crowdsec-insight",
+ "crowdsec-overview",
+ "pod-logs",
+ "tempo-block-builder",
+ "tempo-operational",
+ "tempo-reads",
+ "tempo-resources",
+ "tempo-rollout-progress",
+ "tempo-tenants",
+ "tempo-writes",
+ "alloy-controller",
+ "alloy-logs",
+ "alloy-otel",
+ "alloy-prom",
+ "alloy-resources",
+ "loki-chunks",
+ "loki-deletion",
+ "loki-logs",
+ "loki-operational",
+ "loki-reads-resources",
+ "loki-reads",
+ "loki-retention",
+ "loki-writes-resources",
+ "loki-writes",
+ "argo-cd-application",
+ "argo-cd-notifications",
+ "argo-cd-operational",
+ ])
+
+ source = "../modules/grafana-dashboard"
+
+ name = each.key
+ namespace = var.metrics_ns
+}
+
+resource "kubectl_manifest" "alert_configs" {
+ for_each = toset([
+ "cert-manager",
+ "longhorn",
+ "postgres",
+ "pgbouncer",
+ "coder",
+ "tempo",
+ "alloy",
+ "argocd",
+ ])
+
+ yaml_body = yamlencode({
+ apiVersion = "monitoring.coreos.com/v1"
+ kind = "PrometheusRule"
+ metadata = {
+ name = each.key
+ namespace = var.metrics_ns
+ labels = {
+ prometheus = each.key
+ role = "alert-rules"
+ }
+ }
+ spec = yamldecode(file("${path.module}/mixin/${each.key}.yaml"))
+ })
+}
diff --git a/terraform/tools/mixin/alloy.yaml b/terraform/metrics/mixin/alloy.yaml
similarity index 100%
rename from terraform/tools/mixin/alloy.yaml
rename to terraform/metrics/mixin/alloy.yaml
diff --git a/terraform/tools/mixin/argocd.yaml b/terraform/metrics/mixin/argocd.yaml
similarity index 100%
rename from terraform/tools/mixin/argocd.yaml
rename to terraform/metrics/mixin/argocd.yaml
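Review bot: In the `module "dashboards"` list, `"vault", "longhorn",` puts two entries on one line while every other entry has its own; split it into `"vault",` and `"longhorn",` so the list stays sortable and diff-friendly. In `kubectl_manifest.alert_configs`, the label `prometheus = each.key` gives every PrometheusRule a different value; if the Prometheus CR's `ruleSelector` matches on a fixed `prometheus` label (the usual kube-prometheus convention), only a rule whose name happens to equal that instance name would be selected — the Prometheus CR is not in this diff, so confirm the selector or rely on `role = "alert-rules"` alone. Also, `pgbouncer` is kept in the alert list while this commit deletes `terraform/tools/templates/pgbouncer-exporter.values.tftpl` and the pgbouncer dashboards; if the exporter is gone, those rules will either never fire or fire on absent metrics, so drop the entry or note where pgbouncer metrics now come from.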
diff --git a/terraform/tools/mixin/cert-manager.yaml b/terraform/metrics/mixin/cert-manager.yaml
similarity index 100%
rename from terraform/tools/mixin/cert-manager.yaml
rename to terraform/metrics/mixin/cert-manager.yaml
diff --git a/terraform/tools/mixin/coder.yaml b/terraform/metrics/mixin/coder.yaml
similarity index 100%
rename from terraform/tools/mixin/coder.yaml
rename to terraform/metrics/mixin/coder.yaml
diff --git a/terraform/tools/mixin/longhorn.yaml b/terraform/metrics/mixin/longhorn.yaml
similarity index 100%
rename from terraform/tools/mixin/longhorn.yaml
rename to terraform/metrics/mixin/longhorn.yaml
diff --git a/terraform/tools/mixin/pgbouncer.yaml b/terraform/metrics/mixin/pgbouncer.yaml
similarity index 100%
rename from terraform/tools/mixin/pgbouncer.yaml
rename to terraform/metrics/mixin/pgbouncer.yaml
diff --git a/terraform/tools/mixin/postgres.yaml b/terraform/metrics/mixin/postgres.yaml
similarity index 100%
rename from terraform/tools/mixin/postgres.yaml
rename to terraform/metrics/mixin/postgres.yaml
diff --git a/terraform/tools/mixin/tempo.yaml b/terraform/metrics/mixin/tempo.yaml
similarity index 100%
rename from terraform/tools/mixin/tempo.yaml
rename to terraform/metrics/mixin/tempo.yaml
diff --git a/terraform/modules_old/grafana-dashboard/dashboard.tf b/terraform/modules/grafana-dashboard/dashboard.tf
similarity index 100%
rename from terraform/modules_old/grafana-dashboard/dashboard.tf
rename to terraform/modules/grafana-dashboard/dashboard.tf
diff --git a/terraform/modules_old/grafana-dashboard/dashboards/alloy-controller.json b/terraform/modules/grafana-dashboard/dashboards/alloy-controller.json
similarity index 100%
rename from terraform/modules_old/grafana-dashboard/dashboards/alloy-controller.json
rename to terraform/modules/grafana-dashboard/dashboards/alloy-controller.json
diff --git a/terraform/modules_old/grafana-dashboard/dashboards/alloy-logs.json b/terraform/modules/grafana-dashboard/dashboards/alloy-logs.json
similarity index 100%
rename from terraform/modules_old/grafana-dashboard/dashboards/alloy-logs.json
rename to terraform/modules/grafana-dashboard/dashboards/alloy-logs.json
diff --git a/terraform/modules_old/grafana-dashboard/dashboards/alloy-otel.json b/terraform/modules/grafana-dashboard/dashboards/alloy-otel.json
similarity index 100%
rename from terraform/modules_old/grafana-dashboard/dashboards/alloy-otel.json
rename to terraform/modules/grafana-dashboard/dashboards/alloy-otel.json
diff --git a/terraform/modules_old/grafana-dashboard/dashboards/alloy-prom.json b/terraform/modules/grafana-dashboard/dashboards/alloy-prom.json
similarity index 100%
rename from terraform/modules_old/grafana-dashboard/dashboards/alloy-prom.json
rename to terraform/modules/grafana-dashboard/dashboards/alloy-prom.json
diff --git a/terraform/modules_old/grafana-dashboard/dashboards/alloy-resources.json b/terraform/modules/grafana-dashboard/dashboards/alloy-resources.json
similarity index 100%
rename from terraform/modules_old/grafana-dashboard/dashboards/alloy-resources.json
rename to terraform/modules/grafana-dashboard/dashboards/alloy-resources.json
diff --git a/terraform/modules_old/grafana-dashboard/dashboards/argo-cd-application.json b/terraform/modules/grafana-dashboard/dashboards/argo-cd-application.json
similarity index 100%
rename from terraform/modules_old/grafana-dashboard/dashboards/argo-cd-application.json
rename to terraform/modules/grafana-dashboard/dashboards/argo-cd-application.json
diff --git a/terraform/modules_old/grafana-dashboard/dashboards/argo-cd-notifications.json b/terraform/modules/grafana-dashboard/dashboards/argo-cd-notifications.json
similarity index 100%
rename from terraform/modules_old/grafana-dashboard/dashboards/argo-cd-notifications.json
rename to terraform/modules/grafana-dashboard/dashboards/argo-cd-notifications.json
diff --git a/terraform/modules_old/grafana-dashboard/dashboards/argo-cd-operational.json b/terraform/modules/grafana-dashboard/dashboards/argo-cd-operational.json
similarity index 100%
rename from terraform/modules_old/grafana-dashboard/dashboards/argo-cd-operational.json
rename to terraform/modules/grafana-dashboard/dashboards/argo-cd-operational.json
diff --git a/terraform/modules_old/grafana-dashboard/dashboards/cert-manager.json b/terraform/modules/grafana-dashboard/dashboards/cert-manager.json
similarity index 100%
rename from terraform/modules_old/grafana-dashboard/dashboards/cert-manager.json
rename to terraform/modules/grafana-dashboard/dashboards/cert-manager.json
diff --git a/terraform/modules_old/grafana-dashboard/dashboards/coder-workspace-detail.json b/terraform/modules/grafana-dashboard/dashboards/coder-workspace-detail.json
similarity index 100%
rename from terraform/modules_old/grafana-dashboard/dashboards/coder-workspace-detail.json
rename to terraform/modules/grafana-dashboard/dashboards/coder-workspace-detail.json
diff --git a/terraform/modules_old/grafana-dashboard/dashboards/coder-workspaces.json b/terraform/modules/grafana-dashboard/dashboards/coder-workspaces.json
similarity index 100%
rename from terraform/modules_old/grafana-dashboard/dashboards/coder-workspaces.json
rename to terraform/modules/grafana-dashboard/dashboards/coder-workspaces.json
diff --git a/terraform/modules_old/grafana-dashboard/dashboards/coderd.json b/terraform/modules/grafana-dashboard/dashboards/coderd.json
similarity index 100%
rename from terraform/modules_old/grafana-dashboard/dashboards/coderd.json
rename to terraform/modules/grafana-dashboard/dashboards/coderd.json
diff --git a/terraform/modules_old/grafana-dashboard/dashboards/crowdsec-details.json b/terraform/modules/grafana-dashboard/dashboards/crowdsec-details.json
similarity index 100%
rename from terraform/modules_old/grafana-dashboard/dashboards/crowdsec-details.json
rename to terraform/modules/grafana-dashboard/dashboards/crowdsec-details.json
diff --git a/terraform/modules_old/grafana-dashboard/dashboards/crowdsec-insight.json b/terraform/modules/grafana-dashboard/dashboards/crowdsec-insight.json
similarity index 100%
rename from terraform/modules_old/grafana-dashboard/dashboards/crowdsec-insight.json
rename to terraform/modules/grafana-dashboard/dashboards/crowdsec-insight.json
diff --git a/terraform/modules_old/grafana-dashboard/dashboards/crowdsec-overview.json b/terraform/modules/grafana-dashboard/dashboards/crowdsec-overview.json
similarity index 100%
rename from terraform/modules_old/grafana-dashboard/dashboards/crowdsec-overview.json
rename to terraform/modules/grafana-dashboard/dashboards/crowdsec-overview.json
diff --git a/terraform/modules_old/grafana-dashboard/dashboards/external-secrets.json b/terraform/modules/grafana-dashboard/dashboards/external-secrets.json
similarity index 100%
rename from terraform/modules_old/grafana-dashboard/dashboards/external-secrets.json
rename to terraform/modules/grafana-dashboard/dashboards/external-secrets.json
diff --git a/terraform/modules_old/grafana-dashboard/dashboards/ingress-nginx-request.json b/terraform/modules/grafana-dashboard/dashboards/ingress-nginx-request.json
similarity index 100%
rename from terraform/modules_old/grafana-dashboard/dashboards/ingress-nginx-request.json
rename to terraform/modules/grafana-dashboard/dashboards/ingress-nginx-request.json
diff --git a/terraform/modules_old/grafana-dashboard/dashboards/ingress-nginx.json b/terraform/modules/grafana-dashboard/dashboards/ingress-nginx.json
similarity index 100%
rename from terraform/modules_old/grafana-dashboard/dashboards/ingress-nginx.json
rename to terraform/modules/grafana-dashboard/dashboards/ingress-nginx.json
diff --git a/terraform/modules_old/grafana-dashboard/dashboards/loki-chunks.json b/terraform/modules/grafana-dashboard/dashboards/loki-chunks.json
similarity index 100%
rename from terraform/modules_old/grafana-dashboard/dashboards/loki-chunks.json
rename to terraform/modules/grafana-dashboard/dashboards/loki-chunks.json
diff --git a/terraform/modules_old/grafana-dashboard/dashboards/loki-deletion.json b/terraform/modules/grafana-dashboard/dashboards/loki-deletion.json
similarity index 100%
rename from terraform/modules_old/grafana-dashboard/dashboards/loki-deletion.json
rename to terraform/modules/grafana-dashboard/dashboards/loki-deletion.json
diff --git a/terraform/modules_old/grafana-dashboard/dashboards/loki-logs.json b/terraform/modules/grafana-dashboard/dashboards/loki-logs.json
similarity index 100%
rename from terraform/modules_old/grafana-dashboard/dashboards/loki-logs.json
rename to terraform/modules/grafana-dashboard/dashboards/loki-logs.json
diff --git a/terraform/modules_old/grafana-dashboard/dashboards/loki-operational.json b/terraform/modules/grafana-dashboard/dashboards/loki-operational.json
similarity index 100%
rename from terraform/modules_old/grafana-dashboard/dashboards/loki-operational.json
rename to terraform/modules/grafana-dashboard/dashboards/loki-operational.json
diff --git a/terraform/modules_old/grafana-dashboard/dashboards/loki-reads-resources.json b/terraform/modules/grafana-dashboard/dashboards/loki-reads-resources.json
similarity index 100%
rename from terraform/modules_old/grafana-dashboard/dashboards/loki-reads-resources.json
rename to terraform/modules/grafana-dashboard/dashboards/loki-reads-resources.json
diff --git a/terraform/modules_old/grafana-dashboard/dashboards/loki-reads.json b/terraform/modules/grafana-dashboard/dashboards/loki-reads.json
similarity index 100%
rename from terraform/modules_old/grafana-dashboard/dashboards/loki-reads.json
rename to terraform/modules/grafana-dashboard/dashboards/loki-reads.json
diff --git a/terraform/modules_old/grafana-dashboard/dashboards/loki-retention.json b/terraform/modules/grafana-dashboard/dashboards/loki-retention.json
similarity index 100%
rename from terraform/modules_old/grafana-dashboard/dashboards/loki-retention.json
rename to terraform/modules/grafana-dashboard/dashboards/loki-retention.json
diff --git a/terraform/modules_old/grafana-dashboard/dashboards/loki-writes-resources.json b/terraform/modules/grafana-dashboard/dashboards/loki-writes-resources.json
similarity index 100%
rename from terraform/modules_old/grafana-dashboard/dashboards/loki-writes-resources.json
rename to terraform/modules/grafana-dashboard/dashboards/loki-writes-resources.json
diff --git a/terraform/modules_old/grafana-dashboard/dashboards/loki-writes.json b/terraform/modules/grafana-dashboard/dashboards/loki-writes.json
similarity index 100%
rename from terraform/modules_old/grafana-dashboard/dashboards/loki-writes.json
rename to terraform/modules/grafana-dashboard/dashboards/loki-writes.json
diff --git a/terraform/modules_old/grafana-dashboard/dashboards/longhorn.json b/terraform/modules/grafana-dashboard/dashboards/longhorn.json
similarity index 100%
rename from terraform/modules_old/grafana-dashboard/dashboards/longhorn.json
rename to terraform/modules/grafana-dashboard/dashboards/longhorn.json
diff --git a/terraform/modules_old/grafana-dashboard/dashboards/nats-jetstream.json b/terraform/modules/grafana-dashboard/dashboards/nats-jetstream.json
similarity index 100%
rename from terraform/modules_old/grafana-dashboard/dashboards/nats-jetstream.json
rename to terraform/modules/grafana-dashboard/dashboards/nats-jetstream.json
diff --git a/terraform/modules_old/grafana-dashboard/dashboards/nats.json b/terraform/modules/grafana-dashboard/dashboards/nats.json
similarity index 100%
rename from terraform/modules_old/grafana-dashboard/dashboards/nats.json
rename to terraform/modules/grafana-dashboard/dashboards/nats.json
diff --git a/terraform/modules_old/grafana-dashboard/dashboards/pod-logs.json b/terraform/modules/grafana-dashboard/dashboards/pod-logs.json
similarity index 100%
rename from terraform/modules_old/grafana-dashboard/dashboards/pod-logs.json
rename to terraform/modules/grafana-dashboard/dashboards/pod-logs.json
diff --git a/terraform/modules_old/grafana-dashboard/dashboards/postgres.json b/terraform/modules/grafana-dashboard/dashboards/postgres.json
similarity index 100%
rename from terraform/modules_old/grafana-dashboard/dashboards/postgres.json
rename to terraform/modules/grafana-dashboard/dashboards/postgres.json
diff --git a/terraform/modules_old/grafana-dashboard/dashboards/tempo-block-builder.json b/terraform/modules/grafana-dashboard/dashboards/tempo-block-builder.json
similarity index 100%
rename from terraform/modules_old/grafana-dashboard/dashboards/tempo-block-builder.json
rename to terraform/modules/grafana-dashboard/dashboards/tempo-block-builder.json
diff --git a/terraform/modules_old/grafana-dashboard/dashboards/tempo-operational.json b/terraform/modules/grafana-dashboard/dashboards/tempo-operational.json
similarity index 100%
rename from terraform/modules_old/grafana-dashboard/dashboards/tempo-operational.json
rename to terraform/modules/grafana-dashboard/dashboards/tempo-operational.json
diff --git a/terraform/modules_old/grafana-dashboard/dashboards/tempo-reads.json b/terraform/modules/grafana-dashboard/dashboards/tempo-reads.json
similarity index 100%
rename from terraform/modules_old/grafana-dashboard/dashboards/tempo-reads.json
rename to terraform/modules/grafana-dashboard/dashboards/tempo-reads.json
diff --git a/terraform/modules_old/grafana-dashboard/dashboards/tempo-resources.json b/terraform/modules/grafana-dashboard/dashboards/tempo-resources.json
similarity index 100%
rename from terraform/modules_old/grafana-dashboard/dashboards/tempo-resources.json
rename to terraform/modules/grafana-dashboard/dashboards/tempo-resources.json
diff --git a/terraform/modules_old/grafana-dashboard/dashboards/tempo-rollout-progress.json b/terraform/modules/grafana-dashboard/dashboards/tempo-rollout-progress.json
similarity index 100%
rename from terraform/modules_old/grafana-dashboard/dashboards/tempo-rollout-progress.json
rename to terraform/modules/grafana-dashboard/dashboards/tempo-rollout-progress.json
diff --git a/terraform/modules_old/grafana-dashboard/dashboards/tempo-tenants.json b/terraform/modules/grafana-dashboard/dashboards/tempo-tenants.json
similarity index 100%
rename from terraform/modules_old/grafana-dashboard/dashboards/tempo-tenants.json
rename to terraform/modules/grafana-dashboard/dashboards/tempo-tenants.json
diff --git a/terraform/modules_old/grafana-dashboard/dashboards/tempo-writes.json b/terraform/modules/grafana-dashboard/dashboards/tempo-writes.json
similarity index 100%
rename from terraform/modules_old/grafana-dashboard/dashboards/tempo-writes.json
rename to terraform/modules/grafana-dashboard/dashboards/tempo-writes.json
diff --git a/terraform/modules_old/grafana-dashboard/dashboards/vault.json b/terraform/modules/grafana-dashboard/dashboards/vault.json
similarity index 100%
rename from terraform/modules_old/grafana-dashboard/dashboards/vault.json
rename to terraform/modules/grafana-dashboard/dashboards/vault.json
diff --git a/terraform/modules_old/grafana-dashboard/main.tf b/terraform/modules/grafana-dashboard/main.tf
similarity index 100%
rename from terraform/modules_old/grafana-dashboard/main.tf
rename to terraform/modules/grafana-dashboard/main.tf
diff --git a/terraform/modules_old/grafana-dashboard/variables.tf b/terraform/modules/grafana-dashboard/variables.tf
similarity index 100%
rename from terraform/modules_old/grafana-dashboard/variables.tf
rename to terraform/modules/grafana-dashboard/variables.tf
diff --git a/terraform/modules_old/grafana-dashboard/dashboards/minio.json b/terraform/modules_old/grafana-dashboard/dashboards/minio.json
deleted file mode 100644
index 63e8bd5..0000000
--- a/terraform/modules_old/grafana-dashboard/dashboards/minio.json
+++ /dev/null
@@ -1,3804 +0,0 @@ -{ - "annotations": { - "list": [ - { - "builtIn": 1, - "datasource": { - "type": "datasource", - "uid": "grafana" - }, - "enable": true, - "hide": true, - "iconColor": "rgba(0, 211, 255, 1)", - "name": "Annotations & Alerts", - "target": { - "limit": 100, - "matchAny": false, - "tags": [], - "type": "dashboard" - }, - "type": "dashboard" - } - ] - }, - "__inputs": [ - { - "name": "DS_PROMETHEUS", - "label": "Prometheus", - "description": "", - "type": "datasource", - "pluginId": "prometheus", - "pluginName": "Prometheus" - } - ], - "description": "MinIO Grafana Dashboard - https://min.io/", - "editable": true, - "fiscalYearStartMonth": 0, - "gnetId": 13502, - "graphTooltip": 0, - "id": 292, - "links": [ - { - "icon": "external link", - "includeVars": true, - "keepTime": true, - "tags": ["minio"], - "type": "dashboards" - } - ], - "liveNow": false, - "panels": [ - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "description": "", - "fieldConfig": { - "defaults": { - "mappings": [ - { - "options": { - "match": "null", - "result": { - "text": "N/A" - } - }, - "type": "special" - } - ], - "thresholds": { - "mode": "percentage", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "unit": "dtdurations" - }, - "overrides": [] - }, - "gridPos": { - "h": 6, - "w": 3, - "x": 0, - "y": 0 - }, - "id": 1, - "maxDataPoints": 100, - "options": { - "colorMode": "value", - "graphMode": "none", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": ["mean"], - "fields": "", - "values": false - }, - "showPercentChange": false, - "text": {}, - "textMode": "auto", - "wideLayout": true - }, - "pluginVersion": "10.4.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "exemplar": true, - "expr": "time() - max(minio_node_process_starttime_seconds{job=~\"$scrape_jobs\"})", - "format": "time_series", - "instant": true, - "interval": "", - "intervalFactor": 1, - "legendFormat": 
"{{instance}}", - "metric": "process_start_time_seconds", - "refId": "A", - "step": 60 - } - ], - "title": "Uptime", - "type": "stat" - }, - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "description": "", - "fieldConfig": { - "defaults": { - "mappings": [ - { - "options": { - "match": "null", - "result": { - "text": "N/A" - } - }, - "type": "special" - } - ], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "unit": "bytes" - }, - "overrides": [] - }, - "gridPos": { - "h": 3, - "w": 3, - "x": 3, - "y": 0 - }, - "id": 65, - "maxDataPoints": 100, - "options": { - "colorMode": "value", - "graphMode": "area", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": ["last"], - "fields": "", - "values": false - }, - "showPercentChange": false, - "text": {}, - "textMode": "auto", - "wideLayout": true - }, - "pluginVersion": "10.4.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "exemplar": true, - "expr": "sum by (instance) (minio_s3_traffic_received_bytes{job=~\"$scrape_jobs\"})", - "format": "table", - "hide": false, - "instant": false, - "interval": "", - "intervalFactor": 1, - "legendFormat": "{{instance}}", - "metric": "process_start_time_seconds", - "refId": "A", - "step": 60 - } - ], - "title": "Total S3 Ingress", - "type": "stat" - }, - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "description": "", - "fieldConfig": { - "defaults": { - "color": { - "mode": "palette-classic" - }, - "custom": { - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - } - }, - "mappings": [ - { - "options": { - "match": "null", - "result": { - "text": "N/A" - } - }, - "type": "special" - } - ], - "unit": "bytes" - }, - "overrides": [ - { - "matcher": { - "id": "byName", - "options": "Free" - }, - "properties": [ - { - "id": "color", - "value": { - "fixedColor": "green", - "mode": "fixed" - } - } - ] - }, - { - 
"matcher": { - "id": "byName", - "options": "Used" - }, - "properties": [ - { - "id": "color", - "value": { - "fixedColor": "orange", - "mode": "fixed" - } - } - ] - } - ] - }, - "gridPos": { - "h": 6, - "w": 4, - "x": 6, - "y": 0 - }, - "id": 50, - "interval": "1m", - "maxDataPoints": 100, - "options": { - "displayLabels": [], - "legend": { - "displayMode": "table", - "placement": "bottom", - "showLegend": true, - "values": ["percent"] - }, - "pieType": "donut", - "reduceOptions": { - "calcs": ["lastNotNull"], - "fields": "", - "values": false - }, - "tooltip": { - "mode": "single", - "sort": "none" - } - }, - "pluginVersion": "8.2.1", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "exemplar": true, - "expr": "topk(1, sum(minio_cluster_capacity_usable_total_bytes{job=~\"$scrape_jobs\"}) by (instance)) - topk(1, sum(minio_cluster_capacity_usable_free_bytes{job=~\"$scrape_jobs\"}) by (instance))", - "format": "time_series", - "instant": false, - "interval": "1m", - "intervalFactor": 1, - "legendFormat": "Used", - "refId": "A", - "step": 300 - }, - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "exemplar": true, - "expr": "topk(1, sum(minio_cluster_capacity_usable_free_bytes{job=~\"$scrape_jobs\"}) by (instance)) ", - "hide": false, - "interval": "1m", - "legendFormat": "Free", - "refId": "B" - } - ], - "title": "Capacity", - "type": "piechart" - }, - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "fieldConfig": { - "defaults": { - "color": { - "mode": "palette-classic" - }, - "custom": { - "axisBorderShow": false, - "axisCenteredZero": false, - "axisColorMode": "text", - "axisLabel": "", - "axisPlacement": "auto", - "barAlignment": 0, - "drawStyle": "line", - "fillOpacity": 10, - "gradientMode": "none", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - "insertNulls": false, - "lineInterpolation": "linear", - "lineWidth": 1, - "pointSize": 5, - "scaleDistribution": { - "type": 
"linear" - }, - "showPoints": "never", - "spanNulls": true, - "stacking": { - "group": "A", - "mode": "none" - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - }, - { - "color": "red", - "value": 80 - } - ] - }, - "unit": "bytes" - }, - "overrides": [ - { - "matcher": { - "id": "byName", - "options": "Objects" - }, - "properties": [ - { - "id": "color", - "value": { - "fixedColor": "blue", - "mode": "fixed" - } - } - ] - }, - { - "__systemRef": "hideSeriesFrom", - "matcher": { - "id": "byNames", - "options": { - "mode": "exclude", - "names": ["Usage"], - "prefix": "All except:", - "readOnly": true - } - }, - "properties": [ - { - "id": "custom.hideFrom", - "value": { - "legend": false, - "tooltip": false, - "viz": true - } - } - ] - } - ] - }, - "gridPos": { - "h": 6, - "w": 6, - "x": 10, - "y": 0 - }, - "id": 68, - "options": { - "legend": { - "calcs": [], - "displayMode": "list", - "placement": "bottom", - "showLegend": false - }, - "tooltip": { - "mode": "single", - "sort": "none" - } - }, - "pluginVersion": "8.2.1", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "editorMode": "code", - "exemplar": true, - "expr": "max(minio_cluster_usage_total_bytes{job=~\"$scrape_jobs\"})", - "interval": "", - "legendFormat": "Usage", - "range": true, - "refId": "A" - } - ], - "title": "Data Usage Growth", - "type": "timeseries" - }, - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "fieldConfig": { - "defaults": { - "color": { - "mode": "continuous-GrYlRd" - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - } - }, - "overrides": [] - }, - "gridPos": { - "h": 6, - "w": 5, - "x": 16, - "y": 0 - }, - "id": 52, - "options": { - "displayMode": "lcd", - "maxVizHeight": 300, - "minVizHeight": 16, - "minVizWidth": 8, - "namePlacement": "auto", - 
"orientation": "horizontal", - "reduceOptions": { - "calcs": ["lastNotNull"], - "fields": "", - "values": false - }, - "showUnfilled": true, - "sizing": "auto", - "valueMode": "color" - }, - "pluginVersion": "10.4.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "disableTextWrap": false, - "editorMode": "code", - "exemplar": true, - "expr": "minio_cluster_objects_size_distribution{job=~\"$scrape_jobs\"}", - "format": "time_series", - "fullMetaSearch": false, - "includeNullMetadata": true, - "instant": false, - "interval": "", - "intervalFactor": 1, - "legendFormat": "{{range}}", - "refId": "A", - "step": 300, - "useBackend": false - } - ], - "title": "Object Size Distribution", - "type": "bargauge" - }, - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "description": "", - "fieldConfig": { - "defaults": { - "color": { - "mode": "palette-classic" - }, - "custom": { - "axisBorderShow": false, - "axisCenteredZero": false, - "axisColorMode": "text", - "axisLabel": "", - "axisPlacement": "auto", - "barAlignment": 0, - "drawStyle": "line", - "fillOpacity": 25, - "gradientMode": "none", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - "insertNulls": false, - "lineInterpolation": "linear", - "lineWidth": 1, - "pointSize": 5, - "scaleDistribution": { - "type": "linear" - }, - "showPoints": "auto", - "spanNulls": false, - "stacking": { - "group": "A", - "mode": "normal" - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - }, - { - "color": "red", - "value": 80 - } - ] - } - }, - "overrides": [] - }, - "gridPos": { - "h": 3, - "w": 3, - "x": 21, - "y": 0 - }, - "id": 61, - "maxDataPoints": 100, - "options": { - "legend": { - "calcs": [], - "displayMode": "hidden", - "placement": "right", - "showLegend": false - }, - "tooltip": { - "mode": "single", - "sort": "none" - } - }, - 
"pluginVersion": "10.3.1", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "editorMode": "code", - "exemplar": true, - "expr": "minio_node_file_descriptor_open_total{job=~\"$scrape_jobs\"}", - "format": "time_series", - "hide": false, - "instant": false, - "interval": "", - "intervalFactor": 1, - "legendFormat": "{{server}}", - "metric": "process_start_time_seconds", - "refId": "A", - "step": 60 - } - ], - "title": "Open FDs ", - "type": "timeseries" - }, - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "description": "", - "fieldConfig": { - "defaults": { - "mappings": [ - { - "options": { - "match": "null", - "result": { - "text": "N/A" - } - }, - "type": "special" - } - ], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "unit": "bytes" - }, - "overrides": [] - }, - "gridPos": { - "h": 3, - "w": 3, - "x": 3, - "y": 3 - }, - "id": 64, - "maxDataPoints": 100, - "options": { - "colorMode": "value", - "graphMode": "area", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": ["last"], - "fields": "", - "values": false - }, - "showPercentChange": false, - "text": {}, - "textMode": "auto", - "wideLayout": true - }, - "pluginVersion": "10.4.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "exemplar": true, - "expr": "sum by (instance) (minio_s3_traffic_sent_bytes{job=~\"$scrape_jobs\"})", - "format": "table", - "hide": false, - "instant": false, - "interval": "", - "intervalFactor": 1, - "legendFormat": "", - "metric": "process_start_time_seconds", - "refId": "A", - "step": 60 - } - ], - "title": "Total S3 Egress", - "type": "stat" - }, - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "description": "", - "fieldConfig": { - "defaults": { - "color": { - "mode": "palette-classic" - }, - "custom": { - "axisBorderShow": false, - "axisCenteredZero": false, - "axisColorMode": "text", - 
"axisLabel": "", - "axisPlacement": "auto", - "barAlignment": 0, - "drawStyle": "line", - "fillOpacity": 25, - "gradientMode": "none", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - "insertNulls": false, - "lineInterpolation": "linear", - "lineWidth": 1, - "pointSize": 5, - "scaleDistribution": { - "type": "linear" - }, - "showPoints": "auto", - "spanNulls": false, - "stacking": { - "group": "A", - "mode": "normal" - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - }, - { - "color": "red", - "value": 80 - } - ] - } - }, - "overrides": [] - }, - "gridPos": { - "h": 3, - "w": 3, - "x": 21, - "y": 3 - }, - "id": 62, - "maxDataPoints": 100, - "options": { - "legend": { - "calcs": [], - "displayMode": "hidden", - "placement": "right", - "showLegend": false - }, - "tooltip": { - "mode": "single", - "sort": "none" - } - }, - "pluginVersion": "10.3.1", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "editorMode": "code", - "exemplar": true, - "expr": "minio_node_go_routine_total{job=~\"$scrape_jobs\"}", - "format": "time_series", - "hide": false, - "instant": false, - "interval": "", - "intervalFactor": 1, - "legendFormat": "{{server}}", - "metric": "process_start_time_seconds", - "refId": "A", - "step": 60 - } - ], - "title": "Goroutines", - "type": "timeseries" - }, - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "fieldConfig": { - "defaults": { - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "unit": "bool_on_off" - }, - "overrides": [] - }, - "gridPos": { - "h": 2, - "w": 3, - "x": 0, - "y": 6 - }, - "id": 94, - "options": { - "colorMode": "value", - "graphMode": "area", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": ["lastNotNull"], - "fields": "", - "values": false - 
}, - "showPercentChange": false, - "textMode": "auto", - "wideLayout": true - }, - "pluginVersion": "10.4.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "disableTextWrap": false, - "editorMode": "code", - "exemplar": true, - "expr": "minio_cluster_health_status{job=~\"$scrape_jobs\"}", - "fullMetaSearch": false, - "includeNullMetadata": true, - "interval": "", - "legendFormat": "Pool: {{pool}} Set: {{set}}", - "range": true, - "refId": "A", - "useBackend": false - } - ], - "title": "Cluster Health Status", - "type": "stat" - }, - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "description": "", - "fieldConfig": { - "defaults": { - "mappings": [], - "thresholds": { - "mode": "percentage", - "steps": [ - { - "color": "green", - "value": null - } - ] - } - }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 3, - "x": 3, - "y": 6 - }, - "id": 78, - "maxDataPoints": 100, - "options": { - "minVizHeight": 75, - "minVizWidth": 75, - "orientation": "auto", - "reduceOptions": { - "calcs": ["lastNotNull"], - "fields": "", - "values": false - }, - "showThresholdLabels": false, - "showThresholdMarkers": true, - "sizing": "auto" - }, - "pluginVersion": "10.4.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "editorMode": "code", - "exemplar": false, - "expr": "max(minio_cluster_drive_online_total{job=~\"$scrape_jobs\"})", - "format": "time_series", - "hide": false, - "instant": true, - "interval": "", - "intervalFactor": 1, - "legendFormat": ".", - "metric": "process_start_time_seconds", - "range": false, - "refId": "A", - "step": 60 - }, - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "editorMode": "code", - "exemplar": false, - "expr": "max(minio_cluster_drive_offline_total{job=~\"$scrape_jobs\"})", - "format": "time_series", - "hide": false, - "instant": true, - "legendFormat": ".", - "range": false, - "refId": "B" - } - ], - "title": "Total Online/Offline Drives", - 
"type": "gauge" - }, - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "fieldConfig": { - "defaults": { - "mappings": [ - { - "options": { - "match": "null", - "result": { - "text": "N/A" - } - }, - "type": "special" - } - ], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - }, - { - "color": "dark-yellow", - "value": 75000000 - }, - { - "color": "dark-red", - "value": 100000000 - } - ] - }, - "unit": "short" - }, - "overrides": [] - }, - "gridPos": { - "h": 3, - "w": 3, - "x": 6, - "y": 6 - }, - "id": 66, - "maxDataPoints": 100, - "options": { - "colorMode": "value", - "graphMode": "area", - "justifyMode": "auto", - "orientation": "horizontal", - "reduceOptions": { - "calcs": ["lastNotNull"], - "fields": "", - "values": false - }, - "showPercentChange": false, - "text": {}, - "textMode": "auto", - "wideLayout": true - }, - "pluginVersion": "10.4.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "editorMode": "code", - "exemplar": true, - "expr": "max(minio_cluster_bucket_total{job=~\"$scrape_jobs\"})", - "format": "time_series", - "instant": false, - "interval": "1m", - "intervalFactor": 1, - "legendFormat": "", - "refId": "A" - } - ], - "title": "Number of Buckets", - "type": "stat" - }, - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "fieldConfig": { - "defaults": { - "color": { - "mode": "palette-classic" - }, - "custom": { - "axisBorderShow": false, - "axisCenteredZero": false, - "axisColorMode": "text", - "axisLabel": "", - "axisPlacement": "auto", - "barAlignment": 0, - "drawStyle": "line", - "fillOpacity": 25, - "gradientMode": "none", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - "insertNulls": false, - "lineInterpolation": "linear", - "lineWidth": 1, - "pointSize": 5, - "scaleDistribution": { - "type": "linear" - }, - "showPoints": "auto", - "spanNulls": false, - "stacking": { - "group": "A", - "mode": "normal" - }, 
- "thresholdsStyle": { - "mode": "off" - } - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - }, - { - "color": "red", - "value": 80 - } - ] - }, - "unit": "binBps" - }, - "overrides": [] - }, - "gridPos": { - "h": 6, - "w": 7, - "x": 9, - "y": 6 - }, - "id": 63, - "options": { - "legend": { - "calcs": [], - "displayMode": "hidden", - "placement": "right", - "showLegend": false - }, - "tooltip": { - "mode": "single", - "sort": "none" - } - }, - "pluginVersion": "10.3.1", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "exemplar": true, - "expr": "sum by (server) (rate(minio_s3_traffic_received_bytes{job=~\"$scrape_jobs\"}[$__rate_interval]))", - "interval": "1m", - "intervalFactor": 2, - "legendFormat": "Data Received [{{server}}]", - "refId": "A" - } - ], - "title": "S3 API Ingress Rate ", - "type": "timeseries" - }, - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "fieldConfig": { - "defaults": { - "color": { - "mode": "palette-classic" - }, - "custom": { - "axisBorderShow": false, - "axisCenteredZero": false, - "axisColorMode": "text", - "axisLabel": "", - "axisPlacement": "auto", - "barAlignment": 0, - "drawStyle": "line", - "fillOpacity": 25, - "gradientMode": "none", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - "insertNulls": false, - "lineInterpolation": "linear", - "lineWidth": 1, - "pointSize": 5, - "scaleDistribution": { - "type": "linear" - }, - "showPoints": "auto", - "spanNulls": false, - "stacking": { - "group": "A", - "mode": "normal" - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - }, - { - "color": "red", - "value": 80 - } - ] - }, - "unit": "binBps" - }, - "overrides": [] - }, - "gridPos": { - "h": 6, - "w": 8, - "x": 16, - "y": 6 - }, - "id": 70, - "options": { - "legend": { - "calcs": 
[], - "displayMode": "hidden", - "placement": "right", - "showLegend": false - }, - "tooltip": { - "mode": "single", - "sort": "none" - } - }, - "pluginVersion": "10.3.1", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "exemplar": true, - "expr": "sum by (server) (rate(minio_s3_traffic_sent_bytes{job=~\"$scrape_jobs\"}[$__rate_interval]))", - "interval": "1m", - "intervalFactor": 2, - "legendFormat": "Data Sent [{{server}}]", - "refId": "A" - } - ], - "title": "S3 API Egress Rate ", - "type": "timeseries" - }, - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "description": "", - "fieldConfig": { - "defaults": { - "mappings": [ - { - "options": { - "match": "null", - "result": { - "text": "N/A" - } - }, - "type": "special" - } - ], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - }, - { - "color": "red", - "value": 80 - } - ] - }, - "unit": "short" - }, - "overrides": [] - }, - "gridPos": { - "h": 2, - "w": 3, - "x": 0, - "y": 8 - }, - "id": 53, - "maxDataPoints": 100, - "options": { - "colorMode": "value", - "graphMode": "area", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": ["mean"], - "fields": "", - "values": false - }, - "showPercentChange": false, - "text": {}, - "textMode": "auto", - "wideLayout": true - }, - "pluginVersion": "10.4.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "exemplar": true, - "expr": "max(minio_cluster_nodes_online_total{job=~\"$scrape_jobs\"})", - "format": "table", - "hide": false, - "instant": true, - "interval": "", - "intervalFactor": 1, - "legendFormat": "", - "metric": "process_start_time_seconds", - "refId": "A", - "step": 60 - } - ], - "title": "Total Online Servers", - "type": "stat" - }, - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "fieldConfig": { - "defaults": { - "mappings": [ - { - "options": { - "match": "null", - "result": { - "text": 
"N/A" - } - }, - "type": "special" - } - ], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - }, - { - "color": "dark-yellow", - "value": 75000000 - }, - { - "color": "dark-red", - "value": 100000000 - } - ] - }, - "unit": "short" - }, - "overrides": [] - }, - "gridPos": { - "h": 3, - "w": 3, - "x": 6, - "y": 9 - }, - "id": 44, - "maxDataPoints": 100, - "options": { - "colorMode": "value", - "graphMode": "area", - "justifyMode": "auto", - "orientation": "horizontal", - "reduceOptions": { - "calcs": ["lastNotNull"], - "fields": "", - "values": false - }, - "showPercentChange": false, - "text": {}, - "textMode": "auto", - "wideLayout": true - }, - "pluginVersion": "10.4.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "editorMode": "code", - "exemplar": true, - "expr": "max(minio_cluster_usage_object_total{job=~\"$scrape_jobs\"})", - "format": "time_series", - "instant": false, - "interval": "1m", - "intervalFactor": 1, - "legendFormat": "", - "refId": "A" - } - ], - "title": "Number of Objects", - "type": "stat" - }, - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "description": "", - "fieldConfig": { - "defaults": { - "color": { - "mode": "thresholds" - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "unit": "ns" - }, - "overrides": [] - }, - "gridPos": { - "h": 2, - "w": 3, - "x": 0, - "y": 10 - }, - "id": 80, - "maxDataPoints": 100, - "options": { - "colorMode": "value", - "graphMode": "none", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": ["last"], - "fields": "", - "values": false - }, - "showPercentChange": false, - "text": {}, - "textMode": "auto", - "wideLayout": true - }, - "pluginVersion": "10.4.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "exemplar": true, - "expr": 
"max(minio_heal_time_last_activity_nano_seconds{job=~\"$scrape_jobs\"})", - "format": "time_series", - "instant": true, - "interval": "", - "intervalFactor": 1, - "legendFormat": "", - "metric": "process_start_time_seconds", - "refId": "A", - "step": 60 - } - ], - "title": "Time Since Last Heal", - "type": "stat" - }, - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "description": "", - "fieldConfig": { - "defaults": { - "color": { - "mode": "thresholds" - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "unit": "ns" - }, - "overrides": [] - }, - "gridPos": { - "h": 2, - "w": 3, - "x": 3, - "y": 10 - }, - "id": 81, - "maxDataPoints": 100, - "options": { - "colorMode": "value", - "graphMode": "none", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": ["last"], - "fields": "", - "values": false - }, - "showPercentChange": false, - "text": {}, - "textMode": "auto", - "wideLayout": true - }, - "pluginVersion": "10.4.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "exemplar": true, - "expr": "max(minio_usage_last_activity_nano_seconds{job=~\"$scrape_jobs\"})", - "format": "time_series", - "instant": true, - "interval": "", - "intervalFactor": 1, - "legendFormat": "", - "metric": "process_start_time_seconds", - "refId": "A", - "step": 60 - } - ], - "title": "Time Since Last Scan", - "type": "stat" - }, - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "fieldConfig": { - "defaults": { - "color": { - "mode": "palette-classic" - }, - "custom": { - "axisBorderShow": false, - "axisCenteredZero": false, - "axisColorMode": "text", - "axisLabel": "", - "axisPlacement": "auto", - "barAlignment": 0, - "drawStyle": "line", - "fillOpacity": 10, - "gradientMode": "none", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - "insertNulls": false, - "lineInterpolation": "linear", - 
"lineWidth": 1, - "pointSize": 5, - "scaleDistribution": { - "type": "linear" - }, - "showPoints": "never", - "spanNulls": false, - "stacking": { - "group": "A", - "mode": "none" - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - }, - { - "color": "red", - "value": 80 - } - ] - }, - "unit": "none" - }, - "overrides": [ - { - "matcher": { - "id": "byName", - "options": "S3 Errors" - }, - "properties": [ - { - "id": "color", - "value": { - "fixedColor": "light-red", - "mode": "fixed" - } - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "S3 Requests" - }, - "properties": [ - { - "id": "color", - "value": { - "fixedColor": "light-green", - "mode": "fixed" - } - } - ] - } - ] - }, - "gridPos": { - "h": 6, - "w": 9, - "x": 0, - "y": 12 - }, - "id": 60, - "options": { - "legend": { - "calcs": [], - "displayMode": "list", - "placement": "bottom", - "showLegend": true - }, - "tooltip": { - "mode": "multi", - "sort": "none" - } - }, - "pluginVersion": "10.4.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "exemplar": true, - "expr": "sum by (server,api) (increase(minio_s3_requests_total{job=~\"$scrape_jobs\"}[$__rate_interval]))", - "interval": "1m", - "intervalFactor": 2, - "legendFormat": "{{server,api}}", - "refId": "A" - } - ], - "title": "S3 API Request Rate", - "type": "timeseries" - }, - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "fieldConfig": { - "defaults": { - "color": { - "mode": "palette-classic" - }, - "custom": { - "axisBorderShow": false, - "axisCenteredZero": false, - "axisColorMode": "text", - "axisLabel": "", - "axisPlacement": "auto", - "barAlignment": 0, - "drawStyle": "line", - "fillOpacity": 10, - "gradientMode": "none", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - "insertNulls": false, - "lineInterpolation": "linear", - "lineWidth": 1, - 
"pointSize": 5, - "scaleDistribution": { - "type": "linear" - }, - "showPoints": "never", - "spanNulls": false, - "stacking": { - "group": "A", - "mode": "none" - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - }, - { - "color": "red", - "value": 80 - } - ] - }, - "unit": "none" - }, - "overrides": [ - { - "matcher": { - "id": "byName", - "options": "S3 Errors" - }, - "properties": [ - { - "id": "color", - "value": { - "fixedColor": "light-red", - "mode": "fixed" - } - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "S3 Requests" - }, - "properties": [ - { - "id": "color", - "value": { - "fixedColor": "light-green", - "mode": "fixed" - } - } - ] - } - ] - }, - "gridPos": { - "h": 6, - "w": 7, - "x": 9, - "y": 12 - }, - "id": 88, - "options": { - "legend": { - "calcs": [], - "displayMode": "list", - "placement": "bottom", - "showLegend": true - }, - "tooltip": { - "mode": "multi", - "sort": "none" - } - }, - "pluginVersion": "10.4.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "exemplar": true, - "expr": "sum by (server,api) (increase(minio_s3_requests_4xx_errors_total{job=~\"$scrape_jobs\"}[$__rate_interval]))", - "interval": "1m", - "intervalFactor": 2, - "legendFormat": "{{server,api}}", - "refId": "A" - } - ], - "title": "S3 API Request Error Rate (4xx)", - "type": "timeseries" - }, - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "fieldConfig": { - "defaults": { - "color": { - "mode": "palette-classic" - }, - "custom": { - "axisBorderShow": false, - "axisCenteredZero": false, - "axisColorMode": "text", - "axisLabel": "", - "axisPlacement": "auto", - "barAlignment": 0, - "drawStyle": "line", - "fillOpacity": 10, - "gradientMode": "none", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - "insertNulls": false, - "lineInterpolation": "linear", - "lineWidth": 
1, - "pointSize": 5, - "scaleDistribution": { - "type": "linear" - }, - "showPoints": "never", - "spanNulls": false, - "stacking": { - "group": "A", - "mode": "none" - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - }, - { - "color": "red", - "value": 80 - } - ] - }, - "unit": "none" - }, - "overrides": [ - { - "matcher": { - "id": "byName", - "options": "S3 Errors" - }, - "properties": [ - { - "id": "color", - "value": { - "fixedColor": "light-red", - "mode": "fixed" - } - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "S3 Requests" - }, - "properties": [ - { - "id": "color", - "value": { - "fixedColor": "light-green", - "mode": "fixed" - } - } - ] - } - ] - }, - "gridPos": { - "h": 6, - "w": 8, - "x": 16, - "y": 12 - }, - "id": 86, - "options": { - "legend": { - "calcs": [], - "displayMode": "list", - "placement": "bottom", - "showLegend": true - }, - "tooltip": { - "mode": "multi", - "sort": "none" - } - }, - "pluginVersion": "10.4.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "exemplar": true, - "expr": "sum by (server,api) (increase(minio_s3_requests_5xx_errors_total{job=~\"$scrape_jobs\"}[$__rate_interval]))", - "interval": "1m", - "intervalFactor": 2, - "legendFormat": "{{server,api}}", - "refId": "A" - } - ], - "title": "S3 API Request Error Rate (5xx)", - "type": "timeseries" - }, - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "fieldConfig": { - "defaults": { - "color": { - "mode": "fixed" - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - } - ] - } - }, - "overrides": [] - }, - "gridPos": { - "h": 8, - "w": 12, - "x": 0, - "y": 18 - }, - "id": 99, - "options": { - "displayMode": "lcd", - "maxVizHeight": 300, - "minVizHeight": 16, - "minVizWidth": 8, - "namePlacement": "auto", - "orientation": "horizontal", 
- "reduceOptions": { - "calcs": ["lastNotNull"], - "fields": "", - "values": false - }, - "showUnfilled": true, - "sizing": "auto", - "valueMode": "color" - }, - "pluginVersion": "10.4.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "disableTextWrap": false, - "editorMode": "builder", - "expr": "minio_cluster_health_erasure_set_online_drives{job=~\"$scrape_jobs\"}", - "fullMetaSearch": false, - "hide": false, - "includeNullMetadata": true, - "instant": false, - "legendFormat": "Pool {{pool}} / Set {{set}} - Online Drives", - "range": true, - "refId": "A", - "useBackend": false - }, - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "disableTextWrap": false, - "editorMode": "builder", - "expr": "minio_cluster_health_erasure_set_read_quorum{job=~\"$scrape_jobs\"}", - "fullMetaSearch": false, - "hide": false, - "includeNullMetadata": true, - "instant": false, - "legendFormat": "Pool {{pool}} / Set {{set}} - Read Quorum", - "range": true, - "refId": "B", - "useBackend": false - }, - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "disableTextWrap": false, - "editorMode": "builder", - "expr": "minio_cluster_health_erasure_set_write_quorum{job=~\"$scrape_jobs\"}", - "fullMetaSearch": false, - "hide": false, - "includeNullMetadata": true, - "instant": false, - "legendFormat": "Pool {{pool}} / Set {{set}} - Write Quorum", - "range": true, - "refId": "C", - "useBackend": false - }, - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "disableTextWrap": false, - "editorMode": "builder", - "expr": "minio_cluster_health_erasure_set_healing_drives{job=~\"$scrape_jobs\"}", - "fullMetaSearch": false, - "hide": false, - "includeNullMetadata": true, - "instant": false, - "legendFormat": "Pool {{pool}} / Set {{set}} - Healing Drives", - "range": true, - "refId": "D", - "useBackend": false - }, - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "disableTextWrap": false, - "editorMode": 
"builder", - "expr": "minio_cluster_health_erasure_set_status{job=~\"$scrape_jobs\"}", - "fullMetaSearch": false, - "hide": false, - "includeNullMetadata": true, - "instant": false, - "legendFormat": "Pool {{pool}} / Set {{set}} - Status", - "range": true, - "refId": "E", - "useBackend": false - } - ], - "title": "Health Breakdown", - "type": "bargauge" - }, - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "fieldConfig": { - "defaults": { - "color": { - "mode": "continuous-GrYlRd" - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - }, - { - "color": "red", - "value": 80 - } - ] - }, - "unit": "bytes" - }, - "overrides": [] - }, - "gridPos": { - "h": 8, - "w": 12, - "x": 12, - "y": 18 - }, - "id": 76, - "options": { - "displayMode": "lcd", - "maxVizHeight": 300, - "minVizHeight": 16, - "minVizWidth": 8, - "namePlacement": "auto", - "orientation": "horizontal", - "reduceOptions": { - "calcs": ["lastNotNull"], - "fields": "", - "values": false - }, - "showUnfilled": true, - "sizing": "auto", - "valueMode": "color" - }, - "pluginVersion": "10.4.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "editorMode": "code", - "exemplar": false, - "expr": "minio_node_process_resident_memory_bytes{job=~\"$scrape_jobs\"}", - "format": "time_series", - "instant": false, - "interval": "", - "legendFormat": "{{server}}", - "range": true, - "refId": "A" - } - ], - "title": "Memory Usage ", - "type": "bargauge" - }, - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "fieldConfig": { - "defaults": { - "color": { - "mode": "palette-classic" - }, - "custom": { - "axisBorderShow": false, - "axisCenteredZero": false, - "axisColorMode": "text", - "axisLabel": "", - "axisPlacement": "auto", - "barAlignment": 0, - "drawStyle": "bars", - "fillOpacity": 100, - "gradientMode": "none", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - 
"insertNulls": false, - "lineInterpolation": "linear", - "lineWidth": 1, - "pointSize": 5, - "scaleDistribution": { - "type": "linear" - }, - "showPoints": "never", - "spanNulls": false, - "stacking": { - "group": "A", - "mode": "none" - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - }, - { - "color": "red", - "value": 80 - } - ] - }, - "unit": "bytes" - }, - "overrides": [] - }, - "gridPos": { - "h": 7, - "w": 12, - "x": 0, - "y": 26 - }, - "id": 73, - "options": { - "legend": { - "calcs": [], - "displayMode": "list", - "placement": "bottom", - "showLegend": true - }, - "tooltip": { - "mode": "multi", - "sort": "none" - } - }, - "pluginVersion": "10.4.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "exemplar": true, - "expr": "rate(minio_node_io_rchar_bytes{job=~\"$scrape_jobs\"}[$__rate_interval])", - "format": "time_series", - "instant": false, - "interval": "", - "legendFormat": "Node RChar [{{server}}]", - "refId": "A" - }, - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "exemplar": true, - "expr": "rate(minio_node_io_wchar_bytes{job=~\"$scrape_jobs\"}[$__rate_interval])", - "interval": "", - "legendFormat": "Node WChar [{{server}}]", - "refId": "B" - } - ], - "title": "Read, Write I/O", - "type": "timeseries" - }, - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "fieldConfig": { - "defaults": { - "mappings": [], - "thresholds": { - "mode": "percentage", - "steps": [ - { - "color": "green", - "value": null - }, - { - "color": "orange", - "value": 70 - }, - { - "color": "red", - "value": 85 - } - ] - }, - "unit": "s" - }, - "overrides": [] - }, - "gridPos": { - "h": 7, - "w": 12, - "x": 12, - "y": 26 - }, - "id": 77, - "options": { - "minVizHeight": 75, - "minVizWidth": 75, - "orientation": "auto", - "reduceOptions": { - "calcs": ["lastNotNull"], - "fields": "", - "values": 
false - }, - "showThresholdLabels": false, - "showThresholdMarkers": true, - "sizing": "auto" - }, - "pluginVersion": "10.4.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "editorMode": "code", - "exemplar": true, - "expr": "rate(minio_node_process_cpu_total_seconds{job=~\"$scrape_jobs\"}[$__rate_interval])", - "interval": "", - "legendFormat": "{{server}}", - "range": true, - "refId": "A" - } - ], - "title": "CPU Usage", - "type": "gauge" - }, - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "description": "Total number of bytes received and sent on MinIO cluster", - "fieldConfig": { - "defaults": { - "color": { - "mode": "palette-classic" - }, - "custom": { - "axisBorderShow": false, - "axisCenteredZero": false, - "axisColorMode": "text", - "axisLabel": "", - "axisPlacement": "auto", - "barAlignment": 0, - "drawStyle": "line", - "fillOpacity": 25, - "gradientMode": "none", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - "insertNulls": false, - "lineInterpolation": "linear", - "lineWidth": 1, - "pointSize": 5, - "scaleDistribution": { - "type": "linear" - }, - "showPoints": "auto", - "spanNulls": false, - "stacking": { - "group": "A", - "mode": "normal" - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - }, - { - "color": "red", - "value": 80 - } - ] - }, - "unit": "bytes" - }, - "overrides": [] - }, - "gridPos": { - "h": 7, - "w": 12, - "x": 0, - "y": 33 - }, - "id": 17, - "options": { - "legend": { - "calcs": [], - "displayMode": "hidden", - "placement": "right", - "showLegend": false - }, - "tooltip": { - "mode": "single", - "sort": "none" - } - }, - "pluginVersion": "10.3.1", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "editorMode": "code", - "exemplar": true, - "expr": 
"rate(minio_inter_node_traffic_sent_bytes{job=~\"$scrape_jobs\"}[$__rate_interval])", - "format": "time_series", - "interval": "", - "intervalFactor": 2, - "legendFormat": "Internode Bytes Received [{{server}}]", - "metric": "minio_http_requests_duration_seconds_count", - "range": true, - "refId": "A", - "step": 4 - }, - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "exemplar": true, - "expr": "rate(minio_inter_node_traffic_received_bytes{job=~\"$scrape_jobs\"}[$__rate_interval])", - "interval": "", - "legendFormat": "Internode Bytes Sent [{{server}}]", - "refId": "B" - } - ], - "title": "Internode Traffic", - "type": "timeseries" - }, - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "description": "", - "fieldConfig": { - "defaults": { - "color": { - "mode": "palette-classic" - }, - "custom": { - "axisBorderShow": false, - "axisCenteredZero": false, - "axisColorMode": "text", - "axisLabel": "", - "axisPlacement": "auto", - "barAlignment": 0, - "drawStyle": "line", - "fillOpacity": 10, - "gradientMode": "none", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - "insertNulls": false, - "lineInterpolation": "linear", - "lineWidth": 1, - "pointSize": 5, - "scaleDistribution": { - "type": "linear" - }, - "showPoints": "never", - "spanNulls": false, - "stacking": { - "group": "A", - "mode": "none" - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "links": [], - "mappings": [], - "min": 0, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - }, - { - "color": "red", - "value": 80 - } - ] - }, - "unit": "none" - }, - "overrides": [ - { - "matcher": { - "id": "byName", - "options": "available 10.13.1.25:9000" - }, - "properties": [ - { - "id": "color", - "value": { - "fixedColor": "green", - "mode": "fixed" - } - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "used 10.13.1.25:9000" - }, - "properties": [ - { - "id": "color", - "value": { - "fixedColor": 
"blue", - "mode": "fixed" - } - } - ] - } - ] - }, - "gridPos": { - "h": 7, - "w": 12, - "x": 12, - "y": 33 - }, - "id": 8, - "options": { - "legend": { - "calcs": [], - "displayMode": "list", - "placement": "bottom", - "showLegend": true - }, - "tooltip": { - "mode": "multi", - "sort": "none" - } - }, - "pluginVersion": "10.4.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "exemplar": true, - "expr": "minio_node_file_descriptor_open_total{job=~\"$scrape_jobs\"}", - "interval": "", - "legendFormat": "Open FDs [{{server}}]", - "refId": "B" - } - ], - "title": "File Descriptors", - "type": "timeseries" - }, - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "description": "Number of online drives per MinIO Server", - "fieldConfig": { - "defaults": { - "color": { - "mode": "palette-classic" - }, - "custom": { - "axisBorderShow": false, - "axisCenteredZero": false, - "axisColorMode": "text", - "axisLabel": "", - "axisPlacement": "auto", - "barAlignment": 0, - "drawStyle": "bars", - "fillOpacity": 100, - "gradientMode": "none", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - "insertNulls": false, - "lineInterpolation": "linear", - "lineWidth": 1, - "pointSize": 5, - "scaleDistribution": { - "type": "linear" - }, - "showPoints": "never", - "spanNulls": false, - "stacking": { - "group": "A", - "mode": "none" - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "decimals": 0, - "links": [], - "mappings": [], - "min": 0, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - }, - { - "color": "red", - "value": 80 - } - ] - }, - "unit": "short" - }, - "overrides": [ - { - "matcher": { - "id": "byName", - "options": "Offline 10.13.1.25:9000" - }, - "properties": [ - { - "id": "color", - "value": { - "fixedColor": "dark-red", - "mode": "fixed" - } - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "Total 10.13.1.25:9000" - }, - "properties": [ - 
{ - "id": "color", - "value": { - "fixedColor": "blue", - "mode": "fixed" - } - } - ] - } - ] - }, - "gridPos": { - "h": 7, - "w": 12, - "x": 0, - "y": 40 - }, - "id": 11, - "options": { - "legend": { - "calcs": [], - "displayMode": "list", - "placement": "bottom", - "showLegend": true - }, - "tooltip": { - "mode": "multi", - "sort": "none" - } - }, - "pluginVersion": "10.4.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "exemplar": true, - "expr": "rate(minio_node_syscall_read_total{job=~\"$scrape_jobs\"}[$__rate_interval])", - "format": "time_series", - "interval": "", - "intervalFactor": 2, - "legendFormat": "Read Syscalls [{{server}}]", - "metric": "process_start_time_seconds", - "refId": "A", - "step": 60 - }, - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "exemplar": true, - "expr": "rate(minio_node_syscall_write_total{job=~\"$scrape_jobs\"}[$__rate_interval])", - "interval": "", - "legendFormat": "Write Syscalls [{{server}}]", - "refId": "B" - } - ], - "title": "Syscalls", - "type": "timeseries" - }, - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "fieldConfig": { - "defaults": { - "color": { - "mode": "palette-classic" - }, - "custom": { - "axisBorderShow": false, - "axisCenteredZero": false, - "axisColorMode": "text", - "axisLabel": "", - "axisPlacement": "auto", - "barAlignment": 0, - "drawStyle": "line", - "fillOpacity": 10, - "gradientMode": "none", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - "insertNulls": false, - "lineInterpolation": "linear", - "lineWidth": 1, - "pointSize": 5, - "scaleDistribution": { - "type": "linear" - }, - "showPoints": "never", - "spanNulls": false, - "stacking": { - "group": "A", - "mode": "none" - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "mappings": [], - "min": 0, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - }, - { - "color": "red", - "value": 80 - } - ] - }, - 
"unit": "none" - }, - "overrides": [] - }, - "gridPos": { - "h": 7, - "w": 12, - "x": 12, - "y": 40 - }, - "id": 95, - "options": { - "legend": { - "calcs": [], - "displayMode": "list", - "placement": "bottom", - "showLegend": true - }, - "tooltip": { - "mode": "multi", - "sort": "none" - } - }, - "pluginVersion": "10.4.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "exemplar": true, - "expr": "rate(minio_node_scanner_objects_scanned{job=~\"$scrape_jobs\"}[$__rate_interval])", - "interval": "1m", - "legendFormat": "[{{server}}]", - "refId": "A" - } - ], - "title": "Scanned Objects", - "type": "timeseries" - }, - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "fieldConfig": { - "defaults": { - "color": { - "mode": "palette-classic" - }, - "custom": { - "axisBorderShow": false, - "axisCenteredZero": false, - "axisColorMode": "text", - "axisLabel": "", - "axisPlacement": "auto", - "barAlignment": 0, - "drawStyle": "line", - "fillOpacity": 10, - "gradientMode": "none", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - "insertNulls": false, - "lineInterpolation": "linear", - "lineWidth": 1, - "pointSize": 5, - "scaleDistribution": { - "type": "linear" - }, - "showPoints": "never", - "spanNulls": false, - "stacking": { - "group": "A", - "mode": "none" - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "mappings": [], - "min": 0, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - }, - { - "color": "red", - "value": 80 - } - ] - }, - "unit": "none" - }, - "overrides": [] - }, - "gridPos": { - "h": 7, - "w": 12, - "x": 0, - "y": 47 - }, - "id": 75, - "options": { - "legend": { - "calcs": [], - "displayMode": "list", - "placement": "bottom", - "showLegend": true - }, - "tooltip": { - "mode": "multi", - "sort": "none" - } - }, - "pluginVersion": "10.4.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "exemplar": 
true, - "expr": "rate(minio_node_scanner_versions_scanned{job=~\"$scrape_jobs\"}[$__rate_interval])", - "interval": "1m", - "legendFormat": "[{{server}}]", - "refId": "A" - } - ], - "title": "Scanned Versions", - "type": "timeseries" - }, - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "fieldConfig": { - "defaults": { - "color": { - "mode": "palette-classic" - }, - "custom": { - "axisBorderShow": false, - "axisCenteredZero": false, - "axisColorMode": "text", - "axisLabel": "", - "axisPlacement": "auto", - "barAlignment": 0, - "drawStyle": "line", - "fillOpacity": 10, - "gradientMode": "none", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - "insertNulls": false, - "lineInterpolation": "linear", - "lineWidth": 1, - "pointSize": 5, - "scaleDistribution": { - "type": "linear" - }, - "showPoints": "never", - "spanNulls": false, - "stacking": { - "group": "A", - "mode": "none" - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "mappings": [], - "min": 0, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - }, - { - "color": "red", - "value": 80 - } - ] - }, - "unit": "none" - }, - "overrides": [] - }, - "gridPos": { - "h": 7, - "w": 12, - "x": 12, - "y": 47 - }, - "id": 96, - "options": { - "legend": { - "calcs": [], - "displayMode": "list", - "placement": "bottom", - "showLegend": true - }, - "tooltip": { - "mode": "multi", - "sort": "none" - } - }, - "pluginVersion": "10.4.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "exemplar": true, - "expr": "rate(minio_node_scanner_directories_scanned{job=~\"$scrape_jobs\"}[$__rate_interval])", - "interval": "1m", - "legendFormat": "[{{server}}]", - "refId": "A" - } - ], - "title": "Scanned Directories", - "type": "timeseries" - }, - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "description": "", - "fieldConfig": { - "defaults": { - "mappings": [ - { - "options": { - "match": "null", - 
"result": { - "text": "N/A" - } - }, - "type": "special" - } - ], - "thresholds": { - "mode": "percentage", - "steps": [ - { - "color": "green", - "value": null - } - ] - }, - "unit": "dtdurations" - }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 4, - "x": 0, - "y": 54 - }, - "id": 89, - "maxDataPoints": 100, - "options": { - "colorMode": "value", - "graphMode": "none", - "justifyMode": "auto", - "orientation": "auto", - "reduceOptions": { - "calcs": ["mean"], - "fields": "", - "values": false - }, - "showPercentChange": false, - "text": {}, - "textMode": "auto", - "wideLayout": true - }, - "pluginVersion": "10.4.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "exemplar": true, - "expr": "minio_cluster_kms_uptime{job=~\"$scrape_jobs\"}", - "format": "time_series", - "instant": true, - "interval": "", - "intervalFactor": 1, - "legendFormat": "{{instance}}", - "metric": "minio_cluster_kms_uptime", - "refId": "A", - "step": 60 - } - ], - "title": "KMS Uptime", - "type": "stat" - }, - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "fieldConfig": { - "defaults": { - "color": { - "mode": "palette-classic" - }, - "custom": { - "axisBorderShow": false, - "axisCenteredZero": false, - "axisColorMode": "text", - "axisLabel": "", - "axisPlacement": "auto", - "barAlignment": 0, - "drawStyle": "line", - "fillOpacity": 10, - "gradientMode": "none", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - "insertNulls": false, - "lineInterpolation": "linear", - "lineWidth": 1, - "pointSize": 5, - "scaleDistribution": { - "type": "linear" - }, - "showPoints": "never", - "spanNulls": false, - "stacking": { - "group": "A", - "mode": "none" - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - }, - { - "color": "red", - "value": 80 - } - ] - }, - "unit": "none" - }, - "overrides": [ - { - 
"matcher": { - "id": "byName", - "options": "S3 Errors" - }, - "properties": [ - { - "id": "color", - "value": { - "fixedColor": "light-red", - "mode": "fixed" - } - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "S3 Requests" - }, - "properties": [ - { - "id": "color", - "value": { - "fixedColor": "light-green", - "mode": "fixed" - } - } - ] - } - ] - }, - "gridPos": { - "h": 4, - "w": 4, - "x": 4, - "y": 54 - }, - "id": 91, - "options": { - "legend": { - "calcs": [], - "displayMode": "list", - "placement": "bottom", - "showLegend": true - }, - "tooltip": { - "mode": "multi", - "sort": "none" - } - }, - "pluginVersion": "10.4.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "exemplar": true, - "expr": "sum by (server) (increase(minio_cluster_kms_request_error{job=~\"$scrape_jobs\"}[$__rate_interval]))", - "interval": "1m", - "intervalFactor": 2, - "legendFormat": "{{server}}", - "refId": "A" - } - ], - "title": "KMS Request 4xx Error Rate", - "type": "timeseries" - }, - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "fieldConfig": { - "defaults": { - "color": { - "mode": "palette-classic" - }, - "custom": { - "axisBorderShow": false, - "axisCenteredZero": false, - "axisColorMode": "text", - "axisLabel": "", - "axisPlacement": "auto", - "barAlignment": 0, - "drawStyle": "line", - "fillOpacity": 10, - "gradientMode": "none", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - "insertNulls": false, - "lineInterpolation": "linear", - "lineWidth": 1, - "pointSize": 5, - "scaleDistribution": { - "type": "linear" - }, - "showPoints": "never", - "spanNulls": false, - "stacking": { - "group": "A", - "mode": "none" - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "mappings": [], - "min": 0, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - }, - { - "color": "red", - "value": 80 - } - ] - }, - "unit": "bool_on_off" - }, - "overrides": 
[] - }, - "gridPos": { - "h": 4, - "w": 4, - "x": 8, - "y": 54 - }, - "id": 90, - "options": { - "legend": { - "calcs": [], - "displayMode": "list", - "placement": "bottom", - "showLegend": true - }, - "tooltip": { - "mode": "multi", - "sort": "none" - } - }, - "pluginVersion": "10.4.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "exemplar": true, - "expr": "sum by (server) (minio_cluster_kms_online{job=~\"$scrape_jobs\"})", - "interval": "1m", - "legendFormat": "{{server}}", - "refId": "A" - } - ], - "title": "KMS Online(1)/Offline(0)", - "type": "timeseries" - }, - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "fieldConfig": { - "defaults": { - "color": { - "mode": "palette-classic" - }, - "custom": { - "axisBorderShow": false, - "axisCenteredZero": false, - "axisColorMode": "text", - "axisLabel": "", - "axisPlacement": "auto", - "barAlignment": 0, - "drawStyle": "line", - "fillOpacity": 10, - "gradientMode": "none", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - "insertNulls": false, - "lineInterpolation": "linear", - "lineWidth": 1, - "pointSize": 5, - "scaleDistribution": { - "type": "linear" - }, - "showPoints": "never", - "spanNulls": false, - "stacking": { - "group": "A", - "mode": "none" - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "mappings": [], - "min": 0, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - }, - { - "color": "red", - "value": 80 - } - ] - }, - "unit": "none" - }, - "overrides": [] - }, - "gridPos": { - "h": 4, - "w": 12, - "x": 12, - "y": 54 - }, - "id": 98, - "options": { - "legend": { - "calcs": [], - "displayMode": "list", - "placement": "bottom", - "showLegend": true - }, - "tooltip": { - "mode": "multi", - "sort": "none" - } - }, - "pluginVersion": "10.4.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "exemplar": true, - "expr": 
"rate(minio_node_scanner_bucket_scans_finished{job=~\"$scrape_jobs\"}[$__rate_interval])", - "interval": "1m", - "legendFormat": "[{{server}}]", - "refId": "A" - } - ], - "title": "Bucket Scans Finished", - "type": "timeseries" - }, - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "fieldConfig": { - "defaults": { - "color": { - "mode": "palette-classic" - }, - "custom": { - "axisBorderShow": false, - "axisCenteredZero": false, - "axisColorMode": "text", - "axisLabel": "", - "axisPlacement": "auto", - "barAlignment": 0, - "drawStyle": "line", - "fillOpacity": 10, - "gradientMode": "none", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - "insertNulls": false, - "lineInterpolation": "linear", - "lineWidth": 1, - "pointSize": 5, - "scaleDistribution": { - "type": "linear" - }, - "showPoints": "never", - "spanNulls": false, - "stacking": { - "group": "A", - "mode": "none" - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - }, - { - "color": "red", - "value": 80 - } - ] - }, - "unit": "none" - }, - "overrides": [ - { - "matcher": { - "id": "byName", - "options": "S3 Errors" - }, - "properties": [ - { - "id": "color", - "value": { - "fixedColor": "light-red", - "mode": "fixed" - } - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "S3 Requests" - }, - "properties": [ - { - "id": "color", - "value": { - "fixedColor": "light-green", - "mode": "fixed" - } - } - ] - } - ] - }, - "gridPos": { - "h": 5, - "w": 6, - "x": 0, - "y": 58 - }, - "id": 92, - "options": { - "legend": { - "calcs": [], - "displayMode": "list", - "placement": "bottom", - "showLegend": true - }, - "tooltip": { - "mode": "multi", - "sort": "none" - } - }, - "pluginVersion": "10.4.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "exemplar": true, - "expr": "sum by (server) 
(increase(minio_cluster_kms_request_failure{job=~\"$scrape_jobs\"}[$__rate_interval]))", - "interval": "1m", - "intervalFactor": 2, - "legendFormat": "{{server}}", - "refId": "A" - } - ], - "title": "KMS Request 5xx Error Rate", - "type": "timeseries" - }, - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "fieldConfig": { - "defaults": { - "color": { - "mode": "palette-classic" - }, - "custom": { - "axisBorderShow": false, - "axisCenteredZero": false, - "axisColorMode": "text", - "axisLabel": "", - "axisPlacement": "auto", - "barAlignment": 0, - "drawStyle": "line", - "fillOpacity": 10, - "gradientMode": "none", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - "insertNulls": false, - "lineInterpolation": "linear", - "lineWidth": 1, - "pointSize": 5, - "scaleDistribution": { - "type": "linear" - }, - "showPoints": "never", - "spanNulls": false, - "stacking": { - "group": "A", - "mode": "none" - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "mappings": [], - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - }, - { - "color": "red", - "value": 80 - } - ] - }, - "unit": "none" - }, - "overrides": [ - { - "matcher": { - "id": "byName", - "options": "S3 Errors" - }, - "properties": [ - { - "id": "color", - "value": { - "fixedColor": "light-red", - "mode": "fixed" - } - } - ] - }, - { - "matcher": { - "id": "byName", - "options": "S3 Requests" - }, - "properties": [ - { - "id": "color", - "value": { - "fixedColor": "light-green", - "mode": "fixed" - } - } - ] - } - ] - }, - "gridPos": { - "h": 5, - "w": 6, - "x": 6, - "y": 58 - }, - "id": 93, - "options": { - "legend": { - "calcs": [], - "displayMode": "list", - "placement": "bottom", - "showLegend": true - }, - "tooltip": { - "mode": "multi", - "sort": "none" - } - }, - "pluginVersion": "10.4.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "exemplar": true, - "expr": "sum by (server) 
(rate(minio_cluster_kms_request_success{job=~\"$scrape_jobs\"}[$__rate_interval]))", - "interval": "1m", - "intervalFactor": 2, - "legendFormat": "KMS Request Success [{{server}}]", - "refId": "A" - } - ], - "title": "KMS Request Success Rate ", - "type": "timeseries" - }, - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "fieldConfig": { - "defaults": { - "color": { - "mode": "palette-classic" - }, - "custom": { - "axisBorderShow": false, - "axisCenteredZero": false, - "axisColorMode": "text", - "axisLabel": "", - "axisPlacement": "auto", - "barAlignment": 0, - "drawStyle": "line", - "fillOpacity": 10, - "gradientMode": "none", - "hideFrom": { - "legend": false, - "tooltip": false, - "viz": false - }, - "insertNulls": false, - "lineInterpolation": "linear", - "lineWidth": 1, - "pointSize": 5, - "scaleDistribution": { - "type": "linear" - }, - "showPoints": "never", - "spanNulls": false, - "stacking": { - "group": "A", - "mode": "none" - }, - "thresholdsStyle": { - "mode": "off" - } - }, - "mappings": [], - "min": 0, - "thresholds": { - "mode": "absolute", - "steps": [ - { - "color": "green", - "value": null - }, - { - "color": "red", - "value": 80 - } - ] - }, - "unit": "none" - }, - "overrides": [] - }, - "gridPos": { - "h": 5, - "w": 12, - "x": 12, - "y": 61 - }, - "id": 97, - "options": { - "legend": { - "calcs": [], - "displayMode": "list", - "placement": "bottom", - "showLegend": true - }, - "tooltip": { - "mode": "multi", - "sort": "none" - } - }, - "pluginVersion": "10.4.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "" - }, - "exemplar": true, - "expr": "rate(minio_node_scanner_bucket_scans_started{job=~\"$scrape_jobs\"}[$__rate_interval])", - "interval": "1m", - "legendFormat": "[{{server}}]", - "refId": "A" - } - ], - "title": "Bucket Scans Started", - "type": "timeseries" - } - ], - "refresh": "", - "schemaVersion": 39, - "tags": ["minio"], - "templating": { - "list": [ - { - "current": { - "selected": false, - 
"text": "All",
- "value": "$__all"
- },
- "datasource": {
- "type": "prometheus",
- "uid": ""
- },
- "definition": "label_values(job)",
- "hide": 0,
- "includeAll": true,
- "multi": true,
- "name": "scrape_jobs",
- "options": [],
- "query": {
- "query": "label_values(job)",
- "refId": "StandardVariableQuery"
- },
- "refresh": 1,
- "regex": "",
- "skipUrlSync": false,
- "sort": 0,
- "type": "query"
- }
- ]
- },
- "time": {
- "from": "now-6h",
- "to": "now"
- },
- "timepicker": {
- "refresh_intervals": ["10s", "30s", "1m", "5m", "15m", "30m", "1h", "2h", "1d"],
- "time_options": ["5m", "15m", "1h", "6h", "12h", "24h", "2d", "7d", "30d"]
- },
- "timezone": "",
- "title": "MinIO Dashboard",
- "uid": "TgmJnqnnk",
- "version": 1,
- "weekStart": ""
-}
diff --git a/terraform/modules_old/grafana-dashboard/dashboards/pgbouncer-overview.json b/terraform/modules_old/grafana-dashboard/dashboards/pgbouncer-overview.json
deleted file mode 100644
index 06f40e7..0000000
--- a/terraform/modules_old/grafana-dashboard/dashboards/pgbouncer-overview.json
+++ /dev/null
@@ -1,883 +0,0 @@ -{ - "links": [ - { - "keepTime": true, - "title": "PgBouncer cluster overview", - "type": "link", - "url": "/d/pgbouncer-cluster-overview" - } - ], - "panels": [ - { - "datasource": { - "type": "prometheus", - "uid": "${prometheus_datasource}" - }, - "description": "Current number of client connections waiting on a server connection.", - "fieldConfig": { - "defaults": { - "color": { - "fixedColor": "text", - "mode": "thresholds" - }, - "thresholds": { - "steps": [ - { - "color": "super-light-green", - "value": 0 - }, - { - "color": "super-light-orange", - "value": 10 - }, - { - "color": "super-light-red", - "value": 20 - } - ] - } - } - }, - "gridPos": { - "h": 4, - "w": 4, - "x": 0, - "y": 0 - }, - "id": 1, - "options": { - "graphMode": "none" - }, - "pluginVersion": "v11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${prometheus_datasource}" - }, - "expr": "sum(pgbouncer_pools_client_waiting_connections{job=~\"$job\",instance=~\"$instance\",database=~\"$database\"})" - } - ], - "title": "Client waiting connections", - "type": "stat" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${prometheus_datasource}" - }, - "description": "Current number of active client connections.", - "fieldConfig": { - "defaults": { - "color": { - "fixedColor": "text", - "mode": "fixed" - } - } - }, - "gridPos": { - "h": 4, - "w": 4, - "x": 4, - "y": 0 - }, - "id": 2, - "options": { - "colorMode": "fixed", - "graphMode": "none", - "reduceOptions": { - "calcs": ["lastNotNull"] - } - }, - "pluginVersion": "v11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${prometheus_datasource}" - }, - "expr": "sum(pgbouncer_pools_client_active_connections{job=~\"$job\",instance=~\"$instance\",database=~\"$database\"})" - } - ], - "title": "Active client connections", - "type": "stat" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${prometheus_datasource}" - }, - "description": "Current number of 
client connections that are linked to a server connection and able to process queries.", - "fieldConfig": { - "defaults": { - "color": { - "fixedColor": "text", - "mode": "fixed" - } - } - }, - "gridPos": { - "h": 4, - "w": 4, - "x": 8, - "y": 0 - }, - "id": 3, - "options": { - "colorMode": "fixed", - "graphMode": "none", - "reduceOptions": { - "calcs": ["lastNotNull"] - } - }, - "pluginVersion": "v11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${prometheus_datasource}" - }, - "expr": "sum(pgbouncer_pools_server_active_connections{job=~\"$job\",instance=~\"$instance\",database=~\"$database\"})" - } - ], - "title": "Active server connections", - "type": "stat" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${prometheus_datasource}" - }, - "description": "Maximum number of allowed connections for database.", - "fieldConfig": { - "defaults": { - "color": { - "fixedColor": "text", - "mode": "fixed" - } - } - }, - "gridPos": { - "h": 4, - "w": 4, - "x": 12, - "y": 0 - }, - "id": 4, - "options": { - "colorMode": "fixed", - "graphMode": "none", - "reduceOptions": { - "calcs": ["lastNotNull"] - } - }, - "pluginVersion": "v11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${prometheus_datasource}" - }, - "expr": "sum(pgbouncer_databases_max_connections{job=~\"$job\",instance=~\"$instance\",database=~\"$database\"})" - } - ], - "title": "Max database connections", - "type": "stat" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${prometheus_datasource}" - }, - "description": "Maximum number of server connections per user allowed.", - "fieldConfig": { - "defaults": { - "color": { - "fixedColor": "text", - "mode": "fixed" - } - } - }, - "gridPos": { - "h": 4, - "w": 4, - "x": 16, - "y": 0 - }, - "id": 5, - "options": { - "colorMode": "fixed", - "graphMode": "none", - "reduceOptions": { - "calcs": ["lastNotNull"] - } - }, - "pluginVersion": "v11.0.0", - "targets": [ - { - "datasource": { - 
"type": "prometheus", - "uid": "${prometheus_datasource}" - }, - "expr": "sum(pgbouncer_config_max_user_connections{job=~\"$job\",instance=~\"$instance\"})" - } - ], - "title": "Max user connections", - "type": "stat" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${prometheus_datasource}" - }, - "description": "Maximum number of client connections allowed.", - "fieldConfig": { - "defaults": { - "color": { - "fixedColor": "text", - "mode": "fixed" - } - } - }, - "gridPos": { - "h": 4, - "w": 4, - "x": 20, - "y": 0 - }, - "id": 6, - "options": { - "colorMode": "fixed", - "graphMode": "none", - "reduceOptions": { - "calcs": ["lastNotNull"] - } - }, - "pluginVersion": "v11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${prometheus_datasource}" - }, - "expr": "sum(pgbouncer_config_max_client_connections{job=~\"$job\",instance=~\"$instance\"})" - } - ], - "title": "Max client connections", - "type": "stat" - }, - { - "collapsed": false, - "gridPos": { - "h": 1, - "w": 0, - "x": 24, - "y": 4 - }, - "id": 7, - "title": "Queries", - "type": "row" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${prometheus_datasource}" - }, - "description": "Rate of SQL queries pooled by PgBouncer.\n", - "fieldConfig": { - "defaults": { - "custom": { - "fillOpacity": 30, - "gradientMode": "opacity", - "lineInterpolation": "smooth", - "lineWidth": 2, - "showPoints": "never" - }, - "unit": "ops" - } - }, - "gridPos": { - "h": 6, - "w": 12, - "x": 0, - "y": 5 - }, - "id": 8, - "options": { - "legend": { - "calcs": [], - "displayMode": "list" - }, - "tooltip": { - "mode": "multi", - "sort": "desc" - } - }, - "pluginVersion": "v11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${prometheus_datasource}" - }, - "expr": "rate(pgbouncer_stats_queries_pooled_total{job=~\"$job\",instance=~\"$instance\",database=~\"$database\"}[$__rate_interval])", - "legendFormat": "{{database}}" - } - ], - "title": "Queries 
processed", - "type": "timeseries" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${prometheus_datasource}" - }, - "description": "Average duration of queries being processed by PgBouncer.\n", - "fieldConfig": { - "defaults": { - "custom": { - "fillOpacity": 30, - "gradientMode": "opacity", - "lineInterpolation": "smooth", - "lineWidth": 2, - "showPoints": "never" - }, - "unit": "ms" - } - }, - "gridPos": { - "h": 6, - "w": 12, - "x": 12, - "y": 5 - }, - "id": 9, - "interval": "1m", - "options": { - "legend": { - "calcs": [], - "displayMode": "list" - }, - "tooltip": { - "mode": "multi", - "sort": "desc" - } - }, - "pluginVersion": "v11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${prometheus_datasource}" - }, - "expr": "1000 * increase(pgbouncer_stats_queries_duration_seconds_total{job=~\"$job\",instance=~\"$instance\",database=~\"$database\"}[$__interval:]) / clamp_min(increase(pgbouncer_stats_queries_pooled_total{job=~\"$job\",instance=~\"$instance\",database=~\"$database\"}[$__interval:]), 1)", - "legendFormat": "{{database}}" - } - ], - "title": "Queries average duration / $__interval", - "type": "timeseries" - }, - { - "collapsed": false, - "gridPos": { - "h": 1, - "w": 0, - "x": 24, - "y": 11 - }, - "id": 10, - "title": "Network", - "type": "row" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${prometheus_datasource}" - }, - "description": "Volume in bytes of network traffic received by PgBouncer.\n", - "fieldConfig": { - "defaults": { - "custom": { - "fillOpacity": 30, - "gradientMode": "opacity", - "lineInterpolation": "smooth", - "lineWidth": 2, - "showPoints": "never" - }, - "decimals": 1, - "noValue": "No traffic", - "unit": "Bps" - } - }, - "gridPos": { - "h": 6, - "w": 24, - "x": 0, - "y": 12 - }, - "id": 11, - "options": { - "legend": { - "calcs": [], - "displayMode": "table", - "placement": "right" - }, - "tooltip": { - "mode": "multi", - "sort": "desc" - } - }, - "pluginVersion": 
"v11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${prometheus_datasource}" - }, - "expr": "rate(pgbouncer_stats_received_bytes_total{job=~\"$job\",instance=~\"$instance\",database=~\"$database\"}[$__rate_interval])", - "legendFormat": "{{database}} - received" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${prometheus_datasource}" - }, - "expr": "rate(pgbouncer_stats_sent_bytes_total{job=~\"$job\",instance=~\"$instance\",database=~\"$database\"}[$__rate_interval])", - "legendFormat": "{{database}} - sent" - } - ], - "title": "Network traffic", - "type": "timeseries" - }, - { - "collapsed": false, - "gridPos": { - "h": 1, - "w": 0, - "x": 24, - "y": 18 - }, - "id": 12, - "title": "Transactions", - "type": "row" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${prometheus_datasource}" - }, - "description": "Rate of SQL transactions pooled.\n", - "fieldConfig": { - "defaults": { - "custom": { - "fillOpacity": 30, - "gradientMode": "opacity", - "lineInterpolation": "smooth", - "lineWidth": 2, - "showPoints": "never" - }, - "unit": "ops" - } - }, - "gridPos": { - "h": 6, - "w": 12, - "x": 0, - "y": 19 - }, - "id": 13, - "options": { - "legend": { - "calcs": [], - "displayMode": "list" - }, - "tooltip": { - "mode": "multi", - "sort": "desc" - } - }, - "pluginVersion": "v11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${prometheus_datasource}" - }, - "expr": "rate(pgbouncer_stats_sql_transactions_pooled_total{job=~\"$job\",instance=~\"$instance\",database=~\"$database\"}[$__rate_interval])", - "legendFormat": "{{database}}" - } - ], - "title": "SQL transaction rate", - "type": "timeseries" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${prometheus_datasource}" - }, - "description": "Average duration of SQL transactions pooled.\n", - "fieldConfig": { - "defaults": { - "custom": { - "fillOpacity": 30, - "gradientMode": "opacity", - "lineInterpolation": "smooth", - 
"lineWidth": 2, - "showPoints": "never" - }, - "unit": "ms" - } - }, - "gridPos": { - "h": 6, - "w": 12, - "x": 12, - "y": 19 - }, - "id": 14, - "interval": "1m", - "options": { - "legend": { - "calcs": [], - "displayMode": "list" - }, - "tooltip": { - "mode": "multi", - "sort": "desc" - } - }, - "pluginVersion": "v11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${prometheus_datasource}" - }, - "expr": "1000 * increase(pgbouncer_stats_server_in_transaction_seconds_total{job=~\"$job\",instance=~\"$instance\",database=~\"$database\"}[$__interval:]) / clamp_min(increase(pgbouncer_stats_sql_transactions_pooled_total{job=~\"$job\",instance=~\"$instance\",database=~\"$database\"}[$__interval:]), 1)", - "legendFormat": "{{database}}" - } - ], - "title": "SQL average transaction duration / $__interval", - "type": "timeseries" - }, - { - "collapsed": false, - "gridPos": { - "h": 1, - "w": 0, - "x": 24, - "y": 25 - }, - "id": 15, - "title": "Server", - "type": "row" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${prometheus_datasource}" - }, - "description": "Number of various server connection states.\n", - "fieldConfig": { - "defaults": { - "custom": { - "fillOpacity": 30, - "gradientMode": "opacity", - "lineInterpolation": "smooth", - "lineWidth": 2, - "showPoints": "never" - }, - "unit": "conn" - } - }, - "gridPos": { - "h": 6, - "w": 24, - "x": 0, - "y": 26 - }, - "id": 16, - "options": { - "legend": { - "calcs": [], - "displayMode": "table", - "placement": "right" - }, - "tooltip": { - "mode": "multi", - "sort": "desc" - } - }, - "pluginVersion": "v11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${prometheus_datasource}" - }, - "expr": "pgbouncer_pools_server_idle_connections{job=~\"$job\",instance=~\"$instance\",database=~\"$database\"}", - "legendFormat": "{{database}} - idle" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${prometheus_datasource}" - }, - "expr": 
"pgbouncer_pools_server_used_connections{job=~\"$job\",instance=~\"$instance\",database=~\"$database\"}", - "legendFormat": "{{database}} - used" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${prometheus_datasource}" - }, - "expr": "pgbouncer_pools_server_login_connections{job=~\"$job\",instance=~\"$instance\",database=~\"$database\"}", - "legendFormat": "{{database}} - login" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${prometheus_datasource}" - }, - "expr": "pgbouncer_pools_server_testing_connections{job=~\"$job\",instance=~\"$instance\",database=~\"$database\"}", - "legendFormat": "{{database}} - testing" - } - ], - "title": "Server connections", - "type": "timeseries" - }, - { - "collapsed": false, - "gridPos": { - "h": 1, - "w": 0, - "x": 24, - "y": 32 - }, - "id": 17, - "title": "Client", - "type": "row" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${prometheus_datasource}" - }, - "description": "Current number of active client connections.\n", - "fieldConfig": { - "defaults": { - "custom": { - "fillOpacity": 30, - "gradientMode": "opacity", - "lineInterpolation": "smooth", - "lineWidth": 2, - "showPoints": "never" - }, - "unit": "conn" - } - }, - "gridPos": { - "h": 6, - "w": 8, - "x": 0, - "y": 33 - }, - "id": 18, - "options": { - "legend": { - "calcs": [], - "displayMode": "list" - }, - "tooltip": { - "mode": "multi", - "sort": "desc" - } - }, - "pluginVersion": "v11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${prometheus_datasource}" - }, - "expr": "pgbouncer_pools_client_active_connections{job=~\"$job\",instance=~\"$instance\",database=~\"$database\"}", - "legendFormat": "{{database}}" - } - ], - "title": "Active client connections", - "type": "timeseries" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${prometheus_datasource}" - }, - "description": "Current number of client connections waiting on a server connection.\n", - "fieldConfig": { - "defaults": { - 
"custom": { - "fillOpacity": 30, - "gradientMode": "opacity", - "lineInterpolation": "smooth", - "lineWidth": 2, - "showPoints": "never" - }, - "unit": "clients" - } - }, - "gridPos": { - "h": 6, - "w": 8, - "x": 8, - "y": 33 - }, - "id": 19, - "options": { - "legend": { - "calcs": [], - "displayMode": "list" - }, - "tooltip": { - "mode": "multi", - "sort": "desc" - } - }, - "pluginVersion": "v11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${prometheus_datasource}" - }, - "expr": "pgbouncer_pools_client_waiting_connections{job=~\"$job\",instance=~\"$instance\",database=~\"$database\"}", - "legendFormat": "{{database}}" - } - ], - "title": "Waiting clients", - "type": "timeseries" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${prometheus_datasource}" - }, - "description": "Age of the oldest unserved client connection in seconds.\n", - "fieldConfig": { - "defaults": { - "custom": { - "fillOpacity": 30, - "gradientMode": "opacity", - "lineInterpolation": "smooth", - "lineWidth": 2, - "showPoints": "never" - }, - "unit": "s" - } - }, - "gridPos": { - "h": 6, - "w": 8, - "x": 16, - "y": 33 - }, - "id": 20, - "options": { - "legend": { - "calcs": [], - "displayMode": "list" - }, - "tooltip": { - "mode": "multi", - "sort": "desc" - } - }, - "pluginVersion": "v11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${prometheus_datasource}" - }, - "expr": "pgbouncer_pools_client_maxwait_seconds{job=~\"$job\",instance=~\"$instance\",database=~\"$database\"}", - "legendFormat": "{{database}}" - } - ], - "title": "Max client wait time", - "type": "timeseries" - } - ], - "refresh": "1m", - "schemaVersion": 36, - "tags": ["pgbouncer"], - "templating": { - "list": [ - { - "label": "Prometheus data source", - "name": "prometheus_datasource", - "query": "prometheus", - "regex": "", - "type": "datasource" - }, - { - "allValue": ".+", - "datasource": { - "type": "prometheus", - "uid": "${prometheus_datasource}" 
- }, - "includeAll": true, - "label": "Job", - "multi": true, - "name": "job", - "query": "label_values(pgbouncer_databases_current_connections{job=\"pgbouncer-exporter-prometheus-pgbouncer-exporter\"}, job)", - "refresh": 2, - "sort": 1, - "type": "query" - }, - { - "allValue": ".+", - "datasource": { - "type": "prometheus", - "uid": "${prometheus_datasource}" - }, - "includeAll": false, - "label": "Instance", - "multi": false, - "name": "instance", - "query": "label_values(pgbouncer_databases_current_connections{job=~\"$job\"}, instance)", - "refresh": 2, - "sort": 1, - "type": "query" - }, - { - "allValue": ".+", - "datasource": { - "type": "prometheus", - "uid": "${prometheus_datasource}" - }, - "includeAll": true, - "label": "Database", - "multi": true, - "name": "database", - "query": "label_values(pgbouncer_databases_current_connections{job=\"pgbouncer-exporter-prometheus-pgbouncer-exporter\"}, database)", - "refresh": 2, - "sort": 1, - "type": "query" - }, - { - "hide": 2, - "label": "Loki data source", - "name": "loki_datasource", - "query": "loki", - "regex": "", - "type": "datasource" - } - ] - }, - "time": { - "from": "now-1h", - "to": "now" - }, - "timezone": "default", - "title": "PgBouncer overview", - "uid": "pgbouncer-overview" -} diff --git a/terraform/modules_old/grafana-dashboard/dashboards/pgbouncer.json b/terraform/modules_old/grafana-dashboard/dashboards/pgbouncer.json deleted file mode 100644 index d64d6ae..0000000 --- a/terraform/modules_old/grafana-dashboard/dashboards/pgbouncer.json +++ /dev/null 
@@ -1,312 +0,0 @@ -{ - "links": [ - { - "keepTime": true, - "title": "PgBouncer overview", - "type": "link", - "url": "/d/pgbouncer-overview" - } - ], - "panels": [ - { - "datasource": { - "type": "prometheus", - "uid": "${prometheus_datasource}" - }, - "description": "Top databases by current number of active client connections.\n", - "fieldConfig": { - "defaults": { - "custom": { - "fillOpacity": 30, - "gradientMode": "opacity", - "lineInterpolation": "smooth", - "lineWidth": 2, - "showPoints": "never" - }, - "unit": "conn" - } - }, - "gridPos": { - "h": 6, - "w": 12, - "x": 0, - "y": 0 - }, - "id": 1, - "options": { - "legend": { - "calcs": [], - "displayMode": "list" - }, - "tooltip": { - "mode": "multi", - "sort": "desc" - } - }, - "pluginVersion": "v11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${prometheus_datasource}" - }, - "expr": "topk by(database, instance)($top_database_count, pgbouncer_pools_client_active_connections{job=~\"$job\"})", - "legendFormat": "{{instance}} - {{database}}" - } - ], - "title": "Top databases by active connections", - "type": "timeseries" - }, - { - "datasource": { - "type": "datasource", - "uid": "-- Mixed --" - }, - "gridPos": { - "h": 6, - "w": 12, - "x": 12, - "y": 0 - }, - "id": 2, - "options": { - "alertInstanceLabelFilter": "job=~\"${job:regex}\"" - }, - "pluginVersion": "v10.0.0", - "title": "PgBouncer alerts", - "type": "alertlist" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${prometheus_datasource}" - }, - "description": "Top databases by rate of SQL queries pooled by PgBouncer.\n", - "fieldConfig": { - "defaults": { - "custom": { - "fillOpacity": 30, - "gradientMode": "opacity", - "lineInterpolation": "smooth", - "lineWidth": 2, - "showPoints": "never" - }, - "unit": "ops" - } - }, - "gridPos": { - "h": 6, - "w": 12, - "x": 0, - "y": 6 - }, - "id": 3, - "options": { - "legend": { - "calcs": [], - "displayMode": "list" - }, - "tooltip": { - "mode": "multi", - "sort": 
"desc" - } - }, - "pluginVersion": "v11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${prometheus_datasource}" - }, - "expr": "topk by(database, instance)($top_database_count, rate(pgbouncer_stats_queries_pooled_total{job=~\"$job\"}[$__rate_interval]))", - "legendFormat": "{{instance}} - {{database}}" - } - ], - "title": "Top databases by queries processed", - "type": "timeseries" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${prometheus_datasource}" - }, - "description": "Top databases by average duration of queries being processed by PgBouncer.\n", - "fieldConfig": { - "defaults": { - "custom": { - "fillOpacity": 30, - "gradientMode": "opacity", - "lineInterpolation": "smooth", - "lineWidth": 2, - "showPoints": "never" - }, - "unit": "s" - } - }, - "gridPos": { - "h": 6, - "w": 12, - "x": 12, - "y": 6 - }, - "id": 4, - "interval": "1m", - "options": { - "legend": { - "calcs": [], - "displayMode": "list" - }, - "tooltip": { - "mode": "multi", - "sort": "desc" - } - }, - "pluginVersion": "v11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${prometheus_datasource}" - }, - "expr": "topk by(database, instance)($top_database_count, 1000 * increase(pgbouncer_stats_queries_duration_seconds_total{job=~\"$job\"}[$__interval:]) / clamp_min(increase(pgbouncer_stats_queries_pooled_total{job=~\"$job\"}[$__interval:]), 1))", - "legendFormat": "{{instance}} - {{database}}" - } - ], - "title": "Top databases by average query duration", - "type": "timeseries" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${prometheus_datasource}" - }, - "description": "Top databases by volume of network traffic.\n", - "fieldConfig": { - "defaults": { - "custom": { - "fillOpacity": 30, - "gradientMode": "opacity", - "lineInterpolation": "smooth", - "lineWidth": 2, - "showPoints": "never" - }, - "unit": "Bps" - } - }, - "gridPos": { - "h": 6, - "w": 24, - "x": 0, - "y": 12 - }, - "id": 5, - "options": { - 
"legend": { - "calcs": [], - "displayMode": "table", - "placement": "right" - }, - "tooltip": { - "mode": "multi", - "sort": "desc" - } - }, - "pluginVersion": "v11.0.0", - "targets": [ - { - "datasource": { - "type": "prometheus", - "uid": "${prometheus_datasource}" - }, - "expr": "topk by(database, instance)($top_database_count, rate(pgbouncer_stats_received_bytes_total{job=~\"$job\"}[$__rate_interval]))", - "legendFormat": "{{instance}} - {{database}} - received" - }, - { - "datasource": { - "type": "prometheus", - "uid": "${prometheus_datasource}" - }, - "expr": "topk by(database, instance)($top_database_count, rate(pgbouncer_stats_sent_bytes_total{job=~\"$job\"}[$__rate_interval]))", - "legendFormat": "{{instance}} - {{database}} - sent" - } - ], - "title": "Top databases by network traffic", - "type": "timeseries" - } - ], - "refresh": "1m", - "schemaVersion": 36, - "tags": ["pgbouncer"], - "templating": { - "list": [ - { - "label": "Prometheus data source", - "name": "prometheus_datasource", - "query": "prometheus", - "regex": "", - "type": "datasource" - }, - { - "allValue": ".+", - "datasource": { - "type": "prometheus", - "uid": "${prometheus_datasource}" - }, - "includeAll": true, - "label": "Job", - "multi": true, - "name": "job", - "query": "label_values(pgbouncer_databases_current_connections{job=\"pgbouncer-exporter-prometheus-pgbouncer-exporter\"}, job)", - "refresh": 2, - "sort": 1, - "type": "query" - }, - { - "current": { - "selected": false, - "text": "2", - "value": "2" - }, - "description": "This variable allows for modification of top database value.", - "label": "Top database count", - "name": "top_database_count", - "options": [ - { - "selected": true, - "text": "2", - "value": "2" - }, - { - "selected": false, - "text": "4", - "value": "4" - }, - { - "selected": false, - "text": "6", - "value": "6" - }, - { - "selected": false, - "text": "8", - "value": "8" - }, - { - "selected": false, - "text": "10", - "value": "10" - } - ], - "query": 
"2 : 2,4 : 4,6 : 6,8 : 8,10 : 10", - "type": "custom" - } - ] - }, - "time": { - "from": "now-1h", - "to": "now" - }, - "timezone": "default", - "title": "PgBouncer cluster overview", - "uid": "pgbouncer-cluster-overview" -} diff --git a/terraform/tools/higgs.tf b/terraform/tools/higgs.tf deleted file mode 100644 index a177a21..0000000 --- a/terraform/tools/higgs.tf +++ /dev/null @@ -1,57 +0,0 @@ -resource "kubernetes_namespace" "higgs_ns" { - metadata { - name = var.higgs_ns - labels = { - "${var.cloudflare_cert_label.key}" = var.cloudflare_cert_label.value - "${var.secret_store_label.key}" = var.secret_store_label.value - } - } -} - -resource "kubectl_manifest" "higgs_app" { - yaml_body = < 0 - for: 10m - labels: - severity: warn - annotations: - summary: "Node down in MinIO deployment" - description: "Node(s) in cluster {{ $labels.instance }} offline for more than 5 minutes" - - - alert: DisksOffline - expr: avg_over_time(minio_cluster_drive_offline_total{job="minio-job"}[5m]) > 0 - for: 10m - labels: - severity: warn - annotations: - summary: "Disks down in MinIO deployment" - description: "Disks(s) in cluster {{ $labels.instance }} offline for more than 5 minutes" diff --git a/terraform/tools/templates/pgbouncer-exporter.values.tftpl b/terraform/tools/templates/pgbouncer-exporter.values.tftpl deleted file mode 100644 index 3c9887d..0000000 --- a/terraform/tools/templates/pgbouncer-exporter.values.tftpl +++ /dev/null @@ -1,16 +0,0 @@ -postgresql: - enabled: false -serviceMonitor: - enabled: true - interval: 60s - namespace: ${namespace} -config: - datasource: - host: postgresql-pgbouncer.everest.svc - user: _crunchypgbouncer - passwordSecret: - name: pgbouncer-exporter - key: password - sslmode: require - logLevel: "debug" - logFormat: "logfmt" From 2f3913359a37bf11c157c988e44551f88c911bee Mon Sep 17 00:00:00 2001 
From: ProfiiDev <92174452+Profiidev@users.noreply.github.com> Date: Sun, 23 Nov 2025 22:41:24 +0100 Subject: [PATCH 21/43] feat: added tools script --- nix/config.nix | 2 +- terraform/README.md | 39 +++- terraform/{tools => apps}/charm.tf | 0 terraform/{tools => apps}/docker.tf | 0 .../{ => apps}/modules_old/docker/main.tf | 0 .../{ => apps}/modules_old/docker/service.tf | 0 .../modules_old/docker/variables.tf | 0 terraform/{tools => apps}/nextcloud.tf | 0 terraform/{tools => apps}/portainer.tf | 0 terraform/{tools => apps}/positron.tf | 0 terraform/{tools => apps}/proton.tf | 0 .../templates/nextcloud.values.tftpl | 0 .../templates/portainer.values.tftpl | 0 .../{auto-clean-bot.tf. => auto-clean-bot.tf} | 6 +- terraform/metrics/variables.tf | 5 + terraform/tools/.terraform.lock.hcl | 65 ++++++ terraform/tools/argo.tf | 84 ++------ terraform/tools/coder.tf | 78 ++----- terraform/tools/longhorn-proxy.tf | 18 +- terraform/tools/main.tf | 5 + terraform/tools/tailscale.tf | 19 +- .../templates/postgres-exporter.values.tftpl | 8 - terraform/tools/variables.tf | 195 +++--------------- 23 files changed, 200 insertions(+), 324 deletions(-) rename terraform/{tools => apps}/charm.tf (100%) rename terraform/{tools => apps}/docker.tf (100%) rename terraform/{ => apps}/modules_old/docker/main.tf (100%) rename terraform/{ => apps}/modules_old/docker/service.tf (100%) rename terraform/{ => apps}/modules_old/docker/variables.tf (100%) rename terraform/{tools => apps}/nextcloud.tf (100%) rename terraform/{tools => apps}/portainer.tf (100%) rename terraform/{tools => apps}/positron.tf (100%) rename terraform/{tools => apps}/proton.tf (100%) rename terraform/{tools => apps}/templates/nextcloud.values.tftpl (100%) rename terraform/{tools => apps}/templates/portainer.values.tftpl (100%) rename terraform/metrics/{auto-clean-bot.tf. 
=> auto-clean-bot.tf} (89%) create mode 100644 terraform/tools/.terraform.lock.hcl delete mode 100644 terraform/tools/templates/postgres-exporter.values.tftpl diff --git a/nix/config.nix b/nix/config.nix index d4b05b9..57e3aff 100644 --- a/nix/config.nix +++ b/nix/config.nix @@ -10,7 +10,7 @@ ./disko-config.nix { _module.args = { - disk = "/dev/sda"; + disk = "/dev/vda"; withSwap = true; swapSize = "2"; }; diff --git a/terraform/README.md b/terraform/README.md index 1549ac2..2565ad1 100644 --- a/terraform/README.md +++ b/terraform/README.md @@ -6,7 +6,8 @@ 2. storage: Set up storage solutions required for the cluster. (add cloudflare cert to vault) 3. network: Configure networking components and services. 4. db: Deploy database services. (create buckets and access keys after this) -5. metrics: Set up monitoring and metrics collection services. +5. tools: Install auxiliary tools and services. +6. metrics: Set up monitoring and metrics collection services. ## Required secrets in Vault @@ -50,6 +51,42 @@ db/postgres: - password: - username: +tools/argo: + +- oidc.positron.clientSecret: +- webhook.github.secret: + +tools/coder: + +- CODER_OIDC_CLIENT_ID: +- CODER_OIDC_CLIENT_SECRET: +- CODER_OIDC_EMAIL_DOMAIN: +- CODER_OIDC_ISSUER_URL: +- CODER_PG_CONNECTION_URL: + +tools/tailscale: + +- client_id: +- client_secret: + +tools/longhorn: + +- AWS_ACCESS_KEY_ID: +- AWS_ENDPOINTS: +- AWS_SECRET_ACCESS_KEY: + +tools/longhorn-proxy: + +- client-id: +- client-secret: +- cookie-secret: + +tools/auto-clean-bot: + +- RUST_LOG: +- DISCORD_TOKEN: +- DB_URL: + ### After DB setup (step 4) apps/lgtm: diff --git a/terraform/tools/charm.tf b/terraform/apps/charm.tf similarity index 100% rename from terraform/tools/charm.tf rename to terraform/apps/charm.tf diff --git a/terraform/tools/docker.tf b/terraform/apps/docker.tf similarity index 100% rename from terraform/tools/docker.tf rename to terraform/apps/docker.tf 
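Review bot: The new `disk = "/dev/vda";` is a kernel-assigned device name, and since it is passed as `_module.args.disk` into the imported disko-config.nix it is presumably the disk that gets partitioned and wiped, so a host that enumerates its disks differently (SATA/NVMe instead of virtio, or more than one virtio disk) would be installed onto the wrong device. A stable path such as the matching entry under `/dev/disk/by-id/` or `/dev/disk/by-path/` would remove that ambiguity; if the single-virtio-disk assumption is intentional, say so next to the value, e.g. `disk = "/dev/vda"; # single virtio disk; adjust for SATA/NVMe hosts`. The enclosing attribute set starts and ends outside the hunk.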
diff --git a/terraform/modules_old/docker/main.tf b/terraform/apps/modules_old/docker/main.tf similarity index 100% rename from terraform/modules_old/docker/main.tf rename to terraform/apps/modules_old/docker/main.tf diff --git a/terraform/modules_old/docker/service.tf b/terraform/apps/modules_old/docker/service.tf similarity index 100% rename from terraform/modules_old/docker/service.tf rename to terraform/apps/modules_old/docker/service.tf diff --git a/terraform/modules_old/docker/variables.tf b/terraform/apps/modules_old/docker/variables.tf similarity index 100% rename from terraform/modules_old/docker/variables.tf rename to terraform/apps/modules_old/docker/variables.tf diff --git a/terraform/tools/nextcloud.tf b/terraform/apps/nextcloud.tf similarity index 100% rename from terraform/tools/nextcloud.tf rename to terraform/apps/nextcloud.tf diff --git a/terraform/tools/portainer.tf b/terraform/apps/portainer.tf similarity index 100% rename from terraform/tools/portainer.tf rename to terraform/apps/portainer.tf diff --git a/terraform/tools/positron.tf b/terraform/apps/positron.tf similarity index 100% rename from terraform/tools/positron.tf rename to terraform/apps/positron.tf diff --git a/terraform/tools/proton.tf b/terraform/apps/proton.tf similarity index 100% rename from terraform/tools/proton.tf rename to terraform/apps/proton.tf diff --git a/terraform/tools/templates/nextcloud.values.tftpl b/terraform/apps/templates/nextcloud.values.tftpl similarity index 100% rename from terraform/tools/templates/nextcloud.values.tftpl rename to terraform/apps/templates/nextcloud.values.tftpl diff --git a/terraform/tools/templates/portainer.values.tftpl b/terraform/apps/templates/portainer.values.tftpl similarity index 100% rename from terraform/tools/templates/portainer.values.tftpl rename to terraform/apps/templates/portainer.values.tftpl 
diff --git a/terraform/metrics/auto-clean-bot.tf. b/terraform/metrics/auto-clean-bot.tf similarity index 89% rename from terraform/metrics/auto-clean-bot.tf. rename to terraform/metrics/auto-clean-bot.tf index d08a383..4bc7c53 100644 --- a/terraform/metrics/auto-clean-bot.tf. +++ b/terraform/metrics/auto-clean-bot.tf @@ -4,7 +4,7 @@ apiVersion: argoproj.io/v1alpha1 kind: Application metadata: name: auto-clean-bot - namespace: ${var.metrics_ns} + namespace: ${var.argo_ns} finalizers: - resources-finalizer.argocd.argoproj.io spec: @@ -27,8 +27,8 @@ spec: extraVolumeMounts: - name: cluster-ca-cert readOnly: true - subPath: ${var.ca_hash}.0 - mountPath: /etc/ssl/certs/${var.ca_hash}.0 + subPath: ${local.ca_hash}.0 + mountPath: /etc/ssl/certs/${local.ca_hash}.0 destination: server: https://kubernetes.default.svc diff --git a/terraform/metrics/variables.tf b/terraform/metrics/variables.tf index 4f72f9c..b1a86ad 100644 --- a/terraform/metrics/variables.tf +++ b/terraform/metrics/variables.tf @@ -28,6 +28,11 @@ variable "cloudflare_ca_cert_var" { type = string } +variable "argo_ns" { + description = "The namespace where ArgoCD is deployed" + type = string +} + data "local_file" "ca_hash" { filename = "${path.module}/../storage/certs/ca.hash" } diff --git a/terraform/tools/.terraform.lock.hcl b/terraform/tools/.terraform.lock.hcl new file mode 100644 index 0000000..362f7ae --- /dev/null +++ b/terraform/tools/.terraform.lock.hcl 
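Review bot: The new `subPath`/`mountPath` lines switch to `${local.ca_hash}`, but the `locals` block that defines it is not part of this hunk; if it is built from `data.local_file.ca_hash.content` (the data source visible in the neighbouring variables.tf hunk), a trailing newline in `ca.hash` would land inside the mount path, so it should be `trimspace(data.local_file.ca_hash.content)`. The `<hash>.0` naming only works for TLS stacks that scan the `/etc/ssl/certs` directory in OpenSSL hash layout; a client that reads only the concatenated bundle file will not pick the cluster CA up, which is worth a comment on the mount, e.g. `# OpenSSL hash-name layout so directory-scanning TLS clients find the cluster CA`. The enclosing `kubectl_manifest` resource and its heredoc start and end outside the hunk.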
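Review bot: The added `variable "argo_ns"` has no validation and its description does not say why the auto-clean-bot Application is created there; Argo CD only reconciles Application objects from its own control-plane namespace unless apps-in-any-namespace is enabled, so a wrong value makes the Application exist but never sync, with no Terraform error. A validation block rejecting anything that is not a valid namespace name catches at least the typo case at plan time, and the description should record the constraint.

```hcl
variable "argo_ns" {
  description = "Namespace the Argo CD control plane runs in. Application CRs (e.g. auto-clean-bot) are created here because Argo CD only reconciles Applications from its own namespace unless apps-in-any-namespace is enabled."
  type        = string

  validation {
    condition     = can(regex("^[a-z0-9]([-a-z0-9]{0,61}[a-z0-9])?$", var.argo_ns))
    error_message = "argo_ns must be a valid Kubernetes namespace name (RFC 1123 label)."
  }
}
```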
@@ -0,0 +1,65 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/gavinbunney/kubectl" { + version = "1.19.0" + constraints = "~> 1.0" + hashes = [ + "h1:9QkxPjp0x5FZFfJbE+B7hBOoads9gmdfj9aYu5N4Sfc=", + "zh:1dec8766336ac5b00b3d8f62e3fff6390f5f60699c9299920fc9861a76f00c71", + "zh:43f101b56b58d7fead6a511728b4e09f7c41dc2e3963f59cf1c146c4767c6cb7", + "zh:4c4fbaa44f60e722f25cc05ee11dfaec282893c5c0ffa27bc88c382dbfbaa35c", + "zh:51dd23238b7b677b8a1abbfcc7deec53ffa5ec79e58e3b54d6be334d3d01bc0e", + "zh:5afc2ebc75b9d708730dbabdc8f94dd559d7f2fc5a31c5101358bd8d016916ba", + "zh:6be6e72d4663776390a82a37e34f7359f726d0120df622f4a2b46619338a168e", + "zh:72642d5fcf1e3febb6e5d4ae7b592bb9ff3cb220af041dbda893588e4bf30c0c", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:a1da03e3239867b35812ee031a1060fed6e8d8e458e2eaca48b5dd51b35f56f7", + "zh:b98b6a6728fe277fcd133bdfa7237bd733eae233f09653523f14460f608f8ba2", + "zh:bb8b071d0437f4767695c6158a3cb70df9f52e377c67019971d888b99147511f", + "zh:dc89ce4b63bfef708ec29c17e85ad0232a1794336dc54dd88c3ba0b77e764f71", + "zh:dd7dd18f1f8218c6cd19592288fde32dccc743cde05b9feeb2883f37c2ff4b4e", + "zh:ec4bd5ab3872dedb39fe528319b4bba609306e12ee90971495f109e142d66310", + "zh:f610ead42f724c82f5463e0e71fa735a11ffb6101880665d93f48b4a67b9ad82", + ] +} + +provider "registry.terraform.io/hashicorp/helm" { + version = "2.17.0" + constraints = "~> 2.0" + hashes = [ + "h1:K5FEjxvDnxb1JF1kG1xr8J3pNGxoaR3Z0IBG9Csm/Is=", + "zh:06fb4e9932f0afc1904d2279e6e99353c2ddac0d765305ce90519af410706bd4", + "zh:104eccfc781fc868da3c7fec4385ad14ed183eb985c96331a1a937ac79c2d1a7", + "zh:129345c82359837bb3f0070ce4891ec232697052f7d5ccf61d43d818912cf5f3", + "zh:3956187ec239f4045975b35e8c30741f701aa494c386aaa04ebabffe7749f81c", + "zh:66a9686d92a6b3ec43de3ca3fde60ef3d89fb76259ed3313ca4eb9bb8c13b7dd", + 
"zh:88644260090aa621e7e8083585c468c8dd5e09a3c01a432fb05da5c4623af940", + "zh:a248f650d174a883b32c5b94f9e725f4057e623b00f171936dcdcc840fad0b3e", + "zh:aa498c1f1ab93be5c8fbf6d48af51dc6ef0f10b2ea88d67bcb9f02d1d80d3930", + "zh:bf01e0f2ec2468c53596e027d376532a2d30feb72b0b5b810334d043109ae32f", + "zh:c46fa84cc8388e5ca87eb575a534ebcf68819c5a5724142998b487cb11246654", + "zh:d0c0f15ffc115c0965cbfe5c81f18c2e114113e7a1e6829f6bfd879ce5744fbb", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} + +provider "registry.terraform.io/hashicorp/kubernetes" { + version = "2.38.0" + constraints = "~> 2.0" + hashes = [ + "h1:5CkveFo5ynsLdzKk+Kv+r7+U9rMrNjfZPT3a0N/fhgE=", + "zh:0af928d776eb269b192dc0ea0f8a3f0f5ec117224cd644bdacdc682300f84ba0", + "zh:1be998e67206f7cfc4ffe77c01a09ac91ce725de0abaec9030b22c0a832af44f", + "zh:326803fe5946023687d603f6f1bab24de7af3d426b01d20e51d4e6fbe4e7ec1b", + "zh:4a99ec8d91193af961de1abb1f824be73df07489301d62e6141a656b3ebfff12", + "zh:5136e51765d6a0b9e4dbcc3b38821e9736bd2136cf15e9aac11668f22db117d2", + "zh:63fab47349852d7802fb032e4f2b6a101ee1ce34b62557a9ad0f0f0f5b6ecfdc", + "zh:924fb0257e2d03e03e2bfe9c7b99aa73c195b1f19412ca09960001bee3c50d15", + "zh:b63a0be5e233f8f6727c56bed3b61eb9456ca7a8bb29539fba0837f1badf1396", + "zh:d39861aa21077f1bc899bc53e7233262e530ba8a3a2d737449b100daeb303e4d", + "zh:de0805e10ebe4c83ce3b728a67f6b0f9d18be32b25146aa89116634df5145ad4", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:faf23e45f0090eef8ba28a8aac7ec5d4fdf11a36c40a8d286304567d71c1e7db", + ] +} diff --git a/terraform/tools/argo.tf b/terraform/tools/argo.tf index 6560c3e..917d1f2 100644 --- a/terraform/tools/argo.tf +++ b/terraform/tools/argo.tf 
@@ -1,10 +1,6 @@ -resource "kubernetes_namespace" "argo_ns" { +resource "kubernetes_namespace" "argo" { metadata { name = var.argo_ns - labels = { - "${var.cloudflare_cert_label.key}" = var.cloudflare_cert_label.value - "${var.secret_store_label.key}" = var.secret_store_label.value - } } } @@ -12,7 +8,7 @@ resource "helm_release" "argocd" { name = "argocd" repository = "https://argoproj.github.io/argo-helm" chart = "argo-cd" - version = "7.8.28" + version = "9.1.4" namespace = var.argo_ns values = [templatefile("${path.module}/templates/argocd.values.tftpl", { 
@@ -20,68 +16,16 @@ resource "helm_release" "argocd" { cert_issuer = var.cert_issuer_prod })] - depends_on = [kubernetes_namespace.argo_ns] + depends_on = [kubernetes_namespace.argo] } -resource "kubectl_manifest" "argo_k8s_api_egress" { - yaml_body = < Date: Sun, 23 Nov 2025 23:07:43 +0100 Subject: [PATCH 22/43] feat: added apps tf script --- .gitignore | 1 - terraform/README.md | 61 ++++++ terraform/apps/.terraform.lock.hcl | 84 ++++++++ terraform/apps/charm.tf | 19 +- terraform/apps/main.tf | 23 +++ terraform/apps/{ => modules_old}/docker.tf | 0 terraform/apps/{ => modules_old}/portainer.tf | 0 .../portainer.values.tftpl | 0 terraform/apps/nextcloud.tf | 17 +- terraform/apps/positron.tf | 34 +--- terraform/apps/proton.tf | 15 +- .../apps/templates/nextcloud.values.tftpl | 5 +- terraform/apps/variables.tf | 71 +++++++ terraform/db/variables.tf | 4 + terraform/network/variables.tf | 3 + terraform/tools/variables.tf | 2 + terraform/variables.tf | 182 ------------------ vars.tfvars | 23 +++ 18 files changed, 292 insertions(+), 252 deletions(-) create mode 100644 terraform/apps/.terraform.lock.hcl create mode 100644 terraform/apps/main.tf rename terraform/apps/{ => modules_old}/docker.tf (100%) rename terraform/apps/{ => modules_old}/portainer.tf (100%) rename terraform/apps/{templates => modules_old}/portainer.values.tftpl (100%) create mode 100644 terraform/apps/variables.tf delete mode 100644 terraform/variables.tf create mode 100644 vars.tfvars diff --git a/.gitignore b/.gitignore index 9474dde..8788378 100644 --- a/.gitignore +++ b/.gitignore @@ -2,7 +2,6 @@ *.tfstate *.tfstate.backup *.lock.info -*.tfvars # direnv .direnv diff --git a/terraform/README.md b/terraform/README.md index 2565ad1..3d2364f 100644 --- a/terraform/README.md +++ b/terraform/README.md 
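Review bot: Dropping `*.tfvars` from .gitignore un-ignores every variable file, not only the `vars.tfvars` this commit adds, so any future tfvars that holds credentials will be tracked by default. The safer shape keeps the broad ignore and allow-lists the one public file: `*.tfvars` followed by `!vars.tfvars`. Since tfvars files are a common place for tokens and passwords to land, the README section on required variables should also state explicitly which file may be committed and which must stay local.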
@@ -87,6 +87,67 @@ tools/auto-clean-bot: - DISCORD_TOKEN: - DB_URL: +apps/nextcloud: + +- collabora-password: +- collabora-username: +- db-host: +- db-name: +- db-password: +- db-username: +- password: +- smtp-host: +- smtp-password: +- smtp-username: +- username: + +apps/positron: + +- APOD_API_KEY: +- ASSETLINKS: +- AUTH_ISSUER: +- AUTH_JWT_EXPIRATION: +- AUTH_JWT_EXPIRATION_SHORT: +- AUTH_PEPPER: +- CORS_ORIGIN: +- CORS_ORIGIN_REGEX: +- DB_URL: +- FRONTEND_URL: +- LOG_LEVEL: +- NATS_UPDATE_SUBJECT: +- NATS_URL: +- OIDC_BACKEND_INTERNAL: +- OIDC_BACKEND_URL: +- OIDC_ISSUER: +- RUST_LOG: +- S3_ACCESS_KEY: +- S3_BUCKET: +- S3_HOST: +- S3_KEY_ID: +- SMTP_DOMAIN: +- SMTP_PASSWORD: +- SMTP_SENDER_EMAIL: +- SMTP_SENDER_NAME: +- SMTP_SITE_LINK: +- SMTP_USERNAME: +- WEBAUTHN_ADDITIONAL_ORIGINS: +- WEBAUTHN_ID: +- WEBAUTHN_NAME: +- WEBAUTHN_ORIGIN: + +apps/proton: + +- CORS_ORIGIN: +- RUST_LOG: + +apps/charm: + +- CORS_ORIGIN: +- DB_URL: +- RUST_LOG: +- DB_LOGGING: + ### After DB setup (step 4) apps/lgtm: diff --git a/terraform/apps/.terraform.lock.hcl b/terraform/apps/.terraform.lock.hcl new file mode 100644 index 0000000..dc8f5f7 --- /dev/null +++ b/terraform/apps/.terraform.lock.hcl 
@@ -0,0 +1,84 @@ +# This file is maintained automatically by "terraform init". +# Manual edits may be lost in future updates. + +provider "registry.terraform.io/gavinbunney/kubectl" { + version = "1.19.0" + constraints = "~> 1.0" + hashes = [ + "h1:9QkxPjp0x5FZFfJbE+B7hBOoads9gmdfj9aYu5N4Sfc=", + "zh:1dec8766336ac5b00b3d8f62e3fff6390f5f60699c9299920fc9861a76f00c71", + "zh:43f101b56b58d7fead6a511728b4e09f7c41dc2e3963f59cf1c146c4767c6cb7", + "zh:4c4fbaa44f60e722f25cc05ee11dfaec282893c5c0ffa27bc88c382dbfbaa35c", + "zh:51dd23238b7b677b8a1abbfcc7deec53ffa5ec79e58e3b54d6be334d3d01bc0e", + "zh:5afc2ebc75b9d708730dbabdc8f94dd559d7f2fc5a31c5101358bd8d016916ba", + "zh:6be6e72d4663776390a82a37e34f7359f726d0120df622f4a2b46619338a168e", + "zh:72642d5fcf1e3febb6e5d4ae7b592bb9ff3cb220af041dbda893588e4bf30c0c", + "zh:9b12af85486a96aedd8d7984b0ff811a4b42e3d88dad1a3fb4c0b580d04fa425", + "zh:a1da03e3239867b35812ee031a1060fed6e8d8e458e2eaca48b5dd51b35f56f7", + "zh:b98b6a6728fe277fcd133bdfa7237bd733eae233f09653523f14460f608f8ba2", + "zh:bb8b071d0437f4767695c6158a3cb70df9f52e377c67019971d888b99147511f", + "zh:dc89ce4b63bfef708ec29c17e85ad0232a1794336dc54dd88c3ba0b77e764f71", + "zh:dd7dd18f1f8218c6cd19592288fde32dccc743cde05b9feeb2883f37c2ff4b4e", + "zh:ec4bd5ab3872dedb39fe528319b4bba609306e12ee90971495f109e142d66310", + "zh:f610ead42f724c82f5463e0e71fa735a11ffb6101880665d93f48b4a67b9ad82", + ] +} + +provider "registry.terraform.io/hashicorp/helm" { + version = "2.17.0" + constraints = "~> 2.0" + hashes = [ + "h1:K5FEjxvDnxb1JF1kG1xr8J3pNGxoaR3Z0IBG9Csm/Is=", + "zh:06fb4e9932f0afc1904d2279e6e99353c2ddac0d765305ce90519af410706bd4", + "zh:104eccfc781fc868da3c7fec4385ad14ed183eb985c96331a1a937ac79c2d1a7", + "zh:129345c82359837bb3f0070ce4891ec232697052f7d5ccf61d43d818912cf5f3", + "zh:3956187ec239f4045975b35e8c30741f701aa494c386aaa04ebabffe7749f81c", + "zh:66a9686d92a6b3ec43de3ca3fde60ef3d89fb76259ed3313ca4eb9bb8c13b7dd", + 
"zh:88644260090aa621e7e8083585c468c8dd5e09a3c01a432fb05da5c4623af940", + "zh:a248f650d174a883b32c5b94f9e725f4057e623b00f171936dcdcc840fad0b3e", + "zh:aa498c1f1ab93be5c8fbf6d48af51dc6ef0f10b2ea88d67bcb9f02d1d80d3930", + "zh:bf01e0f2ec2468c53596e027d376532a2d30feb72b0b5b810334d043109ae32f", + "zh:c46fa84cc8388e5ca87eb575a534ebcf68819c5a5724142998b487cb11246654", + "zh:d0c0f15ffc115c0965cbfe5c81f18c2e114113e7a1e6829f6bfd879ce5744fbb", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + ] +} + +provider "registry.terraform.io/hashicorp/kubernetes" { + version = "2.38.0" + constraints = "~> 2.0" + hashes = [ + "h1:5CkveFo5ynsLdzKk+Kv+r7+U9rMrNjfZPT3a0N/fhgE=", + "zh:0af928d776eb269b192dc0ea0f8a3f0f5ec117224cd644bdacdc682300f84ba0", + "zh:1be998e67206f7cfc4ffe77c01a09ac91ce725de0abaec9030b22c0a832af44f", + "zh:326803fe5946023687d603f6f1bab24de7af3d426b01d20e51d4e6fbe4e7ec1b", + "zh:4a99ec8d91193af961de1abb1f824be73df07489301d62e6141a656b3ebfff12", + "zh:5136e51765d6a0b9e4dbcc3b38821e9736bd2136cf15e9aac11668f22db117d2", + "zh:63fab47349852d7802fb032e4f2b6a101ee1ce34b62557a9ad0f0f0f5b6ecfdc", + "zh:924fb0257e2d03e03e2bfe9c7b99aa73c195b1f19412ca09960001bee3c50d15", + "zh:b63a0be5e233f8f6727c56bed3b61eb9456ca7a8bb29539fba0837f1badf1396", + "zh:d39861aa21077f1bc899bc53e7233262e530ba8a3a2d737449b100daeb303e4d", + "zh:de0805e10ebe4c83ce3b728a67f6b0f9d18be32b25146aa89116634df5145ad4", + "zh:f569b65999264a9416862bca5cd2a6177d94ccb0424f3a4ef424428912b9cb3c", + "zh:faf23e45f0090eef8ba28a8aac7ec5d4fdf11a36c40a8d286304567d71c1e7db", + ] +} + +provider "registry.terraform.io/hashicorp/local" { + version = "2.6.1" + hashes = [ + "h1:LMoX85QLTgCCqRuy2aXoz47P7gZ4WRPSA00fUPC/Rho=", + "zh:10050d08f416de42a857e4b6f76809aae63ea4ec6f5c852a126a915dede814b4", + "zh:2df2a3ebe9830d4759c59b51702e209fe053f47453cb4688f43c063bac8746b7", + "zh:2e759568bcc38c86ca0e43701d34cf29945736fdc8e429c5b287ddc2703c7b18", + 
"zh:6a62a34e48500ab4aea778e355e162ebde03260b7a9eb9edc7e534c84fbca4c6", + "zh:74373728ba32a1d5450a3a88ac45624579e32755b086cd4e51e88d9aca240ef6", + "zh:78d5eefdd9e494defcb3c68d282b8f96630502cac21d1ea161f53cfe9bb483b3", + "zh:8dddae588971a996f622e7589cd8b9da7834c744ac12bfb59c97fa77ded95255", + "zh:946f82f66353bb97aefa8d95c4ca86db227f9b7c50b82415289ac47e4e74d08d", + "zh:e9a5c09e6f35e510acf15b666fd0b34a30164cecdcd81ce7cda0f4b2dade8d91", + "zh:eafe5b873ef42b32feb2f969c38ff8652507e695620cbaf03b9db714bee52249", + "zh:ec146289fa27650c9d433bb5c7847379180c0b7a323b1b94e6e7ad5d2a7dbe71", + "zh:fc882c35ce05631d76c0973b35adde26980778fc81d9da81a2fade2b9d73423b", + ] +} diff --git a/terraform/apps/charm.tf b/terraform/apps/charm.tf index e219a8f..d2c703c 100644 --- a/terraform/apps/charm.tf +++ b/terraform/apps/charm.tf @@ -1,13 +1,6 @@ -resource "kubernetes_namespace" "charm_ns" { +resource "kubernetes_namespace" "charm" { metadata { name = var.charm_ns - labels = { - "${var.cloudflare_cert_label.key}" = var.cloudflare_cert_label.value - "${var.secret_store_label.key}" = var.secret_store_label.value - "${var.cluster_ca_cert_label.key}" = var.cluster_ca_cert_label.value - "${var.ghcr_profidev_label.key}" = var.ghcr_profidev_label.value - "${var.postgres_access_label.key}" = var.postgres_access_label.value - } } } @@ -38,14 +31,12 @@ spec: - name: cluster-ca-cert secret: defaultMode: 420 - secretName: cluster-ca-cert + secretName: kube-root-ca.crt extraVolumeMounts: - name: cluster-ca-cert readOnly: true - subPath: ${var.ca_hash}.0 - mountPath: /etc/ssl/certs/${var.ca_hash}.0 - podLabels: - ${var.postgres_access_label.key}: "${var.postgres_access_label.value}" + subPath: ${local.ca_hash}.0 + mountPath: /etc/ssl/certs/${local.ca_hash}.0 ingress: className: ${var.ingress_class} annotations: @@ -87,5 +78,5 @@ spec: - PrunePropagationPolicy=foreground YAML - depends_on = [kubernetes_namespace.charm_ns] + depends_on = [kubernetes_namespace.charm] } 
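Review bot: `secretName: kube-root-ca.crt` in the extraVolumes block will not mount on a stock cluster, because `kube-root-ca.crt` is published into every namespace as a ConfigMap (key `ca.crt`), not as a Secret, unless something in this cluster also creates a Secret of that name. If the API server CA is what is wanted, the volume should be `configMap: {name: kube-root-ca.crt, items: [{key: ca.crt, path: ${local.ca_hash}.0}]}` with the `subPath` kept as is. It is also worth confirming that the Kubernetes root CA actually issued the internal service certificates the old `cluster-ca-cert` Secret covered; if it did not, placing it under /etc/ssl/certs does not restore trust for those connections. The same volume change appears in positron.tf, proton.tf and the nextcloud values template, and the ArgoCD Application resource this hunk edits begins before the hunk.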
diff --git a/terraform/apps/main.tf b/terraform/apps/main.tf new file mode 100644 index 0000000..27cc956 --- /dev/null +++ b/terraform/apps/main.tf @@ -0,0 +1,23 @@ +terraform { + required_version = "~> 1.11" + + required_providers { + kubernetes = { + source = "hashicorp/kubernetes" + version = "~> 2.0" + } + helm = { + source = "hashicorp/helm" + version = "~> 2.0" + } + kubectl = { + source = "gavinbunney/kubectl" + version = "~> 1.0" + } + } + + backend "kubernetes" { + namespace = "kube-system" + secret_suffix = "apps" + } +} diff --git a/terraform/apps/docker.tf b/terraform/apps/modules_old/docker.tf similarity index 100% rename from terraform/apps/docker.tf rename to terraform/apps/modules_old/docker.tf diff --git a/terraform/apps/portainer.tf b/terraform/apps/modules_old/portainer.tf similarity index 100% rename from terraform/apps/portainer.tf rename to terraform/apps/modules_old/portainer.tf diff --git a/terraform/apps/templates/portainer.values.tftpl b/terraform/apps/modules_old/portainer.values.tftpl similarity index 100% rename from terraform/apps/templates/portainer.values.tftpl rename to terraform/apps/modules_old/portainer.values.tftpl diff --git a/terraform/apps/nextcloud.tf b/terraform/apps/nextcloud.tf index 8c42324..4659678 100644 --- a/terraform/apps/nextcloud.tf +++ b/terraform/apps/nextcloud.tf @@ -1,11 +1,6 @@ -resource "kubernetes_namespace" "nextcloud_ns" { +resource "kubernetes_namespace" "nextcloud" { metadata { name = var.nextcloud_ns - labels = { - "${var.postgres_access_label.key}" = var.postgres_access_label.value - "${var.secret_store_label.key}" = var.secret_store_label.value - "${var.cluster_ca_cert_label.key}" = var.cluster_ca_cert_label.value - } } } 
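Review bot: The `backend "kubernetes"` block keeps this stack's state as a Secret in `kube-system`, and Terraform state holds every managed attribute in clear text, including any value later passed in through a var-file or rendered into these manifests. Anyone with `get secrets` in kube-system can therefore read it, and that namespace already holds the control plane's own secrets, so a dedicated namespace (for example `terraform-state`) with its own RBAC keeps a state read from also exposing cluster-level material. A one-line comment on the block, such as `# state is stored unencrypted in a Secret; restrict read access to this namespace`, would help the next reader choose the namespace deliberately.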
@@ -20,12 +15,10 @@ resource "helm_release" "nextcloud" { ingress_class = var.ingress_class cert_issuer = var.cert_issuer_prod storage_class = var.storage_class - postgres_access_label_key = var.postgres_access_label.key - postgres_access_label_value = var.postgres_access_label.value - ca_hash = var.ca_hash + ca_hash = local.ca_hash })] - depends_on = [kubernetes_namespace.nextcloud_ns] + depends_on = [kubernetes_namespace.nextcloud] } resource "kubectl_manifest" "nextcloud_secret" { @@ -47,7 +40,7 @@ spec: key: apps/nextcloud YAML - depends_on = [kubernetes_namespace.nextcloud_ns] + depends_on = [kubernetes_namespace.nextcloud] } resource "kubectl_manifest" "nextcloud_egress" { @@ -72,5 +65,5 @@ spec: - 465 YAML - depends_on = [kubernetes_namespace.nextcloud_ns] + depends_on = [kubernetes_namespace.nextcloud] } diff --git a/terraform/apps/positron.tf b/terraform/apps/positron.tf index 9b60124..f40262b 100644 --- a/terraform/apps/positron.tf +++ b/terraform/apps/positron.tf @@ -1,14 +1,6 @@ -resource "kubernetes_namespace" "positron_ns" { +resource "kubernetes_namespace" "positron" { metadata { name = var.positron_ns - labels = { - "${var.cloudflare_cert_label.key}" = var.cloudflare_cert_label.value - "${var.secret_store_label.key}" = var.secret_store_label.value - "${var.cluster_ca_cert_label.key}" = var.cluster_ca_cert_label.value - "${var.minio_access_label.key}" = var.minio_access_label.value - "${var.postgres_access_label.key}" = var.postgres_access_label.value - "${var.nats_access_label.key}" = var.nats_access_label.value - } } } 
@@ -37,16 +29,12 @@ spec: - name: cluster-ca-cert secret: defaultMode: 420 - secretName: cluster-ca-cert + secretName: kube-root-ca.crt extraVolumeMounts: - name: cluster-ca-cert readOnly: true - subPath: ${var.ca_hash}.0 - mountPath: /etc/ssl/certs/${var.ca_hash}.0 - podLabels: - ${var.nats_access_label.key}: "${var.nats_access_label.value}" - ${var.minio_access_label.key}: "${var.minio_access_label.value}" - ${var.postgres_access_label.key}: "${var.postgres_access_label.value}" + subPath: ${local.ca_hash}.0 + mountPath: /etc/ssl/certs/${local.ca_hash}.0 ingress: className: ${var.ingress_class} annotations: @@ -86,17 +74,5 @@ spec: - PrunePropagationPolicy=foreground YAML - depends_on = [kubernetes_namespace.positron_ns] -} - -module "oidc_access" { - source = "../modules/access-policy" - - namespace = var.positron_ns - namespace_label = var.oidc_access_label - selector = "app == 'positron-backend'" - port = 8000 - target_selector = "all()" - - depends_on = [kubernetes_namespace.positron_ns] + depends_on = [kubernetes_namespace.positron] } diff --git a/terraform/apps/proton.tf b/terraform/apps/proton.tf index 5f37cad..9c461fb 100644 --- a/terraform/apps/proton.tf +++ b/terraform/apps/proton.tf @@ -1,11 +1,6 @@ -resource "kubernetes_namespace" "proton_ns" { +resource "kubernetes_namespace" "proton" { metadata { name = var.proton_ns - labels = { - "${var.cloudflare_cert_label.key}" = var.cloudflare_cert_label.value - "${var.secret_store_label.key}" = var.secret_store_label.value - "${var.cluster_ca_cert_label.key}" = var.cluster_ca_cert_label.value - } } } @@ -34,12 +29,12 @@ spec: - name: cluster-ca-cert secret: defaultMode: 420 - secretName: cluster-ca-cert + secretName: kube-root-ca.crt extraVolumeMounts: - name: cluster-ca-cert readOnly: true - subPath: ${var.ca_hash}.0 - mountPath: /etc/ssl/certs/${var.ca_hash}.0 + subPath: ${local.ca_hash}.0 + mountPath: /etc/ssl/certs/${local.ca_hash}.0 ingress: className: ${var.ingress_class} annotations: 
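Review bot: Nothing on the new side replaces `module "oidc_access"` or the `nats-access`, `minio-access` and `postgres-access` pod labels, so positron-backend is no longer selected by the old access policy and no longer carries the labels the database-side policies presumably matched on. If those policies were removed elsewhere, the segmentation this module provided is gone and any pod in the cluster can reach the backend's port 8000; if they still exist, the pods lose their allowed egress instead. Either the policy should travel with the application (for example as a NetworkPolicy in the chart) or the commit should record where enforcement now lives. The ArgoCD Application resource this hunk edits begins before the hunk.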
@@ -66,5 +61,5 @@ spec: - PrunePropagationPolicy=foreground YAML - depends_on = [kubernetes_namespace.proton_ns] + depends_on = [kubernetes_namespace.proton] } diff --git a/terraform/apps/templates/nextcloud.values.tftpl b/terraform/apps/templates/nextcloud.values.tftpl index 8b9c8e2..90cb256 100644 --- a/terraform/apps/templates/nextcloud.values.tftpl +++ b/terraform/apps/templates/nextcloud.values.tftpl @@ -14,9 +14,6 @@ ingress: hosts: - "buerger-ts.com" -podLabels: - ${postgres_access_label_key}: "${postgres_access_label_value}" - nextcloud: host: "buerger-ts.com" extraEnv: @@ -26,7 +23,7 @@ nextcloud: - name: cluster-ca-cert secret: defaultMode: 420 - secretName: cluster-ca-cert + secretName: kube-root-ca.crt extraVolumeMounts: - name: cluster-ca-cert readOnly: true diff --git a/terraform/apps/variables.tf b/terraform/apps/variables.tf new file mode 100644 index 0000000..dce4629 --- /dev/null +++ b/terraform/apps/variables.tf 
@@ -0,0 +1,71 @@ +variable "proton_ns" { + description = "The namespace where Proton is deployed" + type = string + default = "proton" +} + +variable "positron_ns" { + description = "The namespace where Positron is deployed" + type = string + default = "positron" +} + +variable "charm_ns" { + description = "The namespace where Charm is deployed" + type = string + default = "charm" +} + +variable "nextcloud_ns" { + description = "The namespace where Nextcloud is deployed" + type = string + default = "nextcloud" +} + +variable "argo_ns" { + description = "The namespace where ArgoCD is deployed" + type = string +} + +variable "cluster_secret_store" { + description = "The name of the ClusterSecretStore to use for external secrets" + type = string +} + +variable "cloudflare_cert_var" { + description = "The Vault variable name for the Cloudflare certificate" + type = string +} + +variable "cloudflare_ca_cert_var" { + description = "The Vault variable name for the Cloudflare CA certificate" + type = string +} + +variable "ingress_class" { + description = "The ingress class to be used" + type = string +} + +variable "ghcr_profidev" { + description = "The GitHub Container Registry for ProfiDev images" + type = string +} + +variable "cert_issuer_prod" { + description = "The cert-manager issuer to use for production certificates" + type = string +} + +variable "storage_class" { + description = "The storage class to use for persistent volumes" + type = string +} + +data "local_file" "ca_hash" { + filename = "${path.module}/../storage/certs/ca.hash" +} + +locals { + ca_hash = data.local_file.ca_hash.content +} diff --git a/terraform/db/variables.tf b/terraform/db/variables.tf index 360b61e..bedacc8 100644 --- a/terraform/db/variables.tf +++ b/terraform/db/variables.tf @@ -1,6 +1,7 @@ variable "couchdb_ns" { description = "The namespace where CouchDB will be deployed" type = string + default = "couchdb" } variable "cert_issuer_prod" { 
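Review bot: `ca_hash = data.local_file.ca_hash.content` takes the file verbatim, so if `storage/certs/ca.hash` ends with a newline, as `openssl x509 -hash` output and most editors produce, the trailing `\n` is interpolated into `subPath: ${local.ca_hash}.0` and `mountPath`, producing a broken YAML scalar or a mount path with an embedded newline. `ca_hash = trimspace(data.local_file.ca_hash.content)` removes that failure mode. A short comment above the `data` block stating that the file must contain only the OpenSSL subject-hash of the cluster CA would also make the coupling to the `storage` stack visible to whoever regenerates that certificate.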
@@ -16,6 +17,7 @@ variable "cluster_secret_store" { variable "rustfs_ns" { description = "The namespace where MinIO will be deployed" type = string + default = "rustfs" } variable "storage_class" { @@ -52,9 +54,11 @@ variable "minio_config" { variable "nats_ns" { description = "The namespace where NATS will be deployed" type = string + default = "nats" } variable "pg_ns" { description = "The namespace where PostgreSQL will be deployed" type = string + default = "postgres" } diff --git a/terraform/network/variables.tf b/terraform/network/variables.tf index 3cfcb1f..eaf9731 100644 --- a/terraform/network/variables.tf +++ b/terraform/network/variables.tf @@ -7,6 +7,7 @@ variable "lb_address_pool" { variable "lb_ns" { description = "Load Balancer Namespace" type = string + default = "metallb" } variable "ingress_class" { @@ -17,6 +18,7 @@ variable "ingress_class" { variable "cert_ns" { description = "Certificate Manager Namespace" type = string + default = "cert-manager" } variable "cert_issuer_staging" { @@ -42,6 +44,7 @@ variable "cluster_secret_store" { variable "crowdsec_ns" { description = "CrowdSec Namespace" type = string + default = "crowdsec" } variable "k8s_api" { diff --git a/terraform/tools/variables.tf b/terraform/tools/variables.tf index ff63cae..068f178 100644 --- a/terraform/tools/variables.tf +++ b/terraform/tools/variables.tf @@ -26,11 +26,13 @@ variable "k8s_api" { variable "coder_ns" { description = "The namespace for Coder resources" type = string + default = "coder" } variable "tailscale_ns" { description = "The namespace for Tailscale resources" type = string + default = "tailscale" } variable "storage_ns" { diff --git a/terraform/variables.tf b/terraform/variables.tf deleted file mode 100644 index 5a138f1..0000000 --- a/terraform/variables.tf +++ /dev/null 
@@ -1,182 +0,0 @@ -variable "email" { - type = string - default = "mail@profidev.io" -} - -variable "ingress_class" { - type = string - default = "ingress-nginx" -} - -variable "storage_class" { - type = string - default = "longhorn" -} - -variable "cloudflare_ca_cert_var" { - type = string - default = "cloudflare-ca-cert" -} - -variable "cloudflare_cert_var" { - type = string - default = "cloudflare-cert" -} - -variable "cloudflare_cert_label" { - type = object({ - key = string - value = string - }) - default = { - key = "cloudflare-cert-secret" - value = "true" - } -} - -variable "cluster_secret_store" { - type = string - default = "cluster-secret-store" -} - -variable "secret_store_label" { - type = object({ - key = string - value = string - }) - default = { - key = "secret-store" - value = "true" - } -} - -variable "minio_access_label" { - type = object({ - key = string - value = string - }) - default = { - key = "minio-access" - value = "true" - } -} - -variable "postgres_access_label" { - type = object({ - key = string - value = string - }) - default = { - key = "postgres-access" - value = "true" - } -} - -variable "everest_ns" { - type = string - default = "everest" -} - -variable "minio_ns" { - type = string - default = "minio-system" -} - -variable "cluster_ca_cert_label" { - type = object({ - key = string - value = string - }) - default = { - key = "cluster-ca-cert" - value = "true" - } -} - -variable "oidc_access_label" { - type = object({ - key = string - value = string - }) - default = { - key = "oidc-access" - value = "true" - } -} - -variable "nats_access_label" { - type = object({ - key = string - value = string - }) - default = { - key = "nats-access" - value = "true" - } -} - -variable "positron_ns" { - type = string - default = "positron" -} - -variable "cert_issuer_staging" { - type = string - default = "letsencrypt-staging" -} - -variable "cert_issuer_prod" { - type = string - default = "letsencrypt-prod" -} - -variable "cert_ns" { - type = 
string - default = "cert-system" -} - -variable "secrets_ns" { - type = string - default = "secrets-system" -} - -variable "storage_ns" { - type = string - default = "longhorn-system" -} - -variable "metrics_ns" { - type = string - default = "metrics-system" -} - -variable "everest_system_ns" { - type = string - default = "everest-system" -} - -variable "nats_ns" { - type = string - default = "nats-system" -} - -variable "ghcr_profidev" { - type = string - default = "ghcr-profidev" -} - -variable "ghcr_profidev_label" { - type = object({ - key = string - value = string - }) - default = { - key = "ghcr-profidev-secret" - value = "true" - } -} - -variable "crowdsec_ns" { - type = string - default = "crowdsec" -} diff --git a/vars.tfvars b/vars.tfvars new file mode 100644 index 0000000..c2d2f77 --- /dev/null +++ b/vars.tfvars @@ -0,0 +1,23 @@ +# general +k8s_api = "192.168.122.94" +email = "mail@profidev.io" + +# network +cert_issuer_staging = "letsencrypt-staging" +cert_issuer_prod = "letsencrypt-prod" +ingress_class = "nginx" +cloudflare_ca_cert_var = "cloudflare-ca-cert" +cloudflare_cert_var = "cloudflare-cert" + +# storage +storage_ns = "longhorn" +secrets_ns = "secrets" +cluster_secret_store = "vault" +ghcr_profidev = "ghcr-profidev" +storage_class = "longhorn" + +# tools +argo_ns = "argo" + +# metrics +metrics_ns = "metrics" From 521ef377d0a7ee66a44f0c333762e2d1590b4dcb Mon Sep 17 00:00:00 2001 From: ProfiiDev <92174452+Profiidev@users.noreply.github.com> Date: Mon, 24 Nov 2025 17:23:43 +0100 Subject: [PATCH 23/43] fix: use new helm repo for charts --- terraform/apps/charm.tf | 2 +- terraform/apps/positron.tf | 2 +- terraform/apps/proton.tf | 2 +- 3 files changed, 3 insertions(+), 3 deletions(-) diff --git a/terraform/apps/charm.tf b/terraform/apps/charm.tf index d2c703c..f53acff 100644 --- a/terraform/apps/charm.tf +++ b/terraform/apps/charm.tf 
@@ -16,7 +16,7 @@ metadata: spec: project: default source: - repoURL: https://profiidev.github.io/server-config + repoURL: https://profiidev.github.io/helm-charts chart: charm targetRevision: "*" helm: diff --git a/terraform/apps/positron.tf b/terraform/apps/positron.tf index f40262b..787d96d 100644 --- a/terraform/apps/positron.tf +++ b/terraform/apps/positron.tf @@ -16,7 +16,7 @@ metadata: spec: project: default source: - repoURL: https://profiidev.github.io/server-config + repoURL: https://profiidev.github.io/helm-charts chart: positron targetRevision: "*" helm: diff --git a/terraform/apps/proton.tf b/terraform/apps/proton.tf index 9c461fb..39ad1a1 100644 --- a/terraform/apps/proton.tf +++ b/terraform/apps/proton.tf @@ -16,7 +16,7 @@ metadata: spec: project: default source: - repoURL: https://profiidev.github.io/server-config + repoURL: https://profiidev.github.io/helm-charts chart: proton targetRevision: "*" helm: From 0b1542d37be1af4c92e0d2f008524f69737c508c Mon Sep 17 00:00:00 2001 From: ProfiiDev <92174452+Profiidev@users.noreply.github.com> Date: Mon, 24 Nov 2025 19:12:37 +0100 Subject: [PATCH 24/43] feat: added docker to system --- nix/config.nix | 1 + nix/docker.nix | 5 +++++ 2 files changed, 6 insertions(+) create mode 100644 nix/docker.nix diff --git a/nix/config.nix b/nix/config.nix index 57e3aff..ce024df 100644 --- a/nix/config.nix +++ b/nix/config.nix @@ -17,6 +17,7 @@ } inputs.disko.nixosModules.disko + ./docker.nix ./nix.nix ./rke2.nix ./services.nix diff --git a/nix/docker.nix b/nix/docker.nix new file mode 100644 index 0000000..0582d99 --- /dev/null +++ b/nix/docker.nix @@ -0,0 +1,5 @@ +{ ... }: + +{ + virtualisation.docker.enable = true; +} From e1eb492066853fe13aaf51f5825d9f5d9a52718c Mon Sep 17 00:00:00 2001 
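Review bot: With `repoURL` now pointing at `https://profiidev.github.io/helm-charts` while `targetRevision: "*"` stays unchanged, Argo CD deploys whichever chart version is published there next, so a mistaken or malicious chart push rolls straight into the cluster. Pinning the revision to an explicit version, or at least a bounded range such as `targetRevision: "1.x"`, keeps a human in the loop for upgrades; the same applies to the positron and proton Applications changed in this commit.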
From: ProfiiDev <92174452+Profiidev@users.noreply.github.com> Date: Mon, 24 Nov 2025 20:32:51 +0100 Subject: [PATCH 25/43] feat: added docker config --- .gitignore | 1 + justfile | 7 +- terraform/README.md | 20 +++ terraform/apps/modules_old/portainer.tf | 88 ------------ .../apps/modules_old/portainer.values.tftpl | 22 --- terraform/crd/variables.tf | 1 + terraform/db/variables.tf | 1 + terraform/docker/.terraform.lock.hcl | 105 +++++++++++++++ .../docker.tf => docker/k8s_bridge.tf} | 31 +---- terraform/docker/main.tf | 23 ++++ terraform/docker/pterodactyl.tf | 126 ++++++++++++++++++ terraform/docker/variables.tf | 37 +++++ terraform/docker/wings.tf | 62 +++++++++ .../modules_old => modules}/docker/main.tf | 0 .../modules_old => modules}/docker/service.tf | 28 ---- .../docker/variables.tf | 0 terraform/modules/k8s-api-np/variables.tf | 1 + terraform/network/variables.tf | 1 + terraform/storage/variables.tf | 1 + terraform/tools/variables.tf | 1 + vars.tfvars | 4 - 21 files changed, 387 insertions(+), 173 deletions(-) delete mode 100644 terraform/apps/modules_old/portainer.tf delete mode 100644 terraform/apps/modules_old/portainer.values.tftpl create mode 100644 terraform/docker/.terraform.lock.hcl rename terraform/{apps/modules_old/docker.tf => docker/k8s_bridge.tf} (52%) create mode 100644 terraform/docker/main.tf create mode 100644 terraform/docker/pterodactyl.tf create mode 100644 terraform/docker/variables.tf create mode 100644 terraform/docker/wings.tf rename terraform/{apps/modules_old => modules}/docker/main.tf (100%) rename terraform/{apps/modules_old => modules}/docker/service.tf (72%) rename terraform/{apps/modules_old => modules}/docker/variables.tf (100%) diff --git a/.gitignore b/.gitignore index 8788378..8139be9 100644 --- a/.gitignore +++ b/.gitignore @@ -2,6 +2,7 @@ *.tfstate *.tfstate.backup *.lock.info +secrets.tfvars # direnv .direnv diff --git a/justfile b/justfile index a6af722..14e51c3 100644 --- a/justfile +++ b/justfile 
@@ -1,6 +1,7 @@ pwd := source_dir() config_path := pwd + "/terraform" vars_path := pwd + "/vars.tfvars" +secret_path := pwd + "/secrets.tfvars" kubeconfig_path := pwd + "/kubeconfig" nix_path := pwd + "/nix" @@ -10,13 +11,13 @@ init CONFIG: terraform -chdir={{config_path}}/{{CONFIG}} init apply CONFIG: - terraform -chdir={{config_path}}/{{CONFIG}} apply -var-file={{vars_path}} -auto-approve + terraform -chdir={{config_path}}/{{CONFIG}} apply -var-file={{vars_path}} -var-file={{secret_path}} -auto-approve destroy CONFIG: - terraform -chdir={{config_path}}/{{CONFIG}} destroy -var-file={{vars_path}} + terraform -chdir={{config_path}}/{{CONFIG}} destroy -var-file={{vars_path}} -var-file={{secret_path}} plan CONFIG: - terraform -chdir={{config_path}}/{{CONFIG}} plan -var-file={{vars_path}} + terraform -chdir={{config_path}}/{{CONFIG}} plan -var-file={{vars_path}} -var-file={{secret_path}} install CONFIG IP USER="root": nix run github:nix-community/nixos-anywhere -- \ diff --git a/terraform/README.md b/terraform/README.md index 3d2364f..3441f0f 100644 --- a/terraform/README.md +++ b/terraform/README.md @@ -1,5 +1,15 @@ # Terraform Configuration +## Required secrets + +secrets.tfvars file with the following variables: + +```hcl +k8s_api = "" +email = "" +smtp_password = "" +``` + ## Initial deployment order 1. crd: Install Custom Resource Definitions (CRDs) and monitoring tools. @@ -182,3 +192,13 @@ apps/metrics: - loki: Access to loki-admin, loki-chunk, loki-ruler buckets - mimir: Access to mimir-alert, mimir-blocks, mimir-ruler buckets - tempo: Access to tempo bucket + +## Additional setup steps + +### Pterodactyl panel + +create user: + +```bash +docker exec -it panel php artisan p:user:make +``` diff --git a/terraform/apps/modules_old/portainer.tf b/terraform/apps/modules_old/portainer.tf deleted file mode 100644 index 3f73159..0000000 --- a/terraform/apps/modules_old/portainer.tf +++ /dev/null 
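Review bot: The new `-var-file={{secret_path}}` arguments feed `smtp_password` and the other values from secrets.tfvars into `plan` and `apply`, and `apply` still runs with `-auto-approve`, so a wrong edit to that file is applied without anyone seeing the plan. Terraform also prints variable values in plan output and keeps them in state unless the receiving variable is declared `sensitive = true`; the declarations for these secrets are not in this diff, so please confirm each one carries that flag. A comment in the justfile such as `# secrets.tfvars is git-ignored, but its values still end up in Terraform state` would tell users where the secrets go.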
@@ -1,88 +0,0 @@ -resource "kubernetes_namespace" "portainer_ns" { - metadata { - name = var.portainer_ns - labels = { - "${var.cloudflare_cert_label.key}" = var.cloudflare_cert_label.value - "${var.secret_store_label.key}" = var.secret_store_label.value - "${var.oidc_access_label.key}" = var.oidc_access_label.value - } - } -} - -resource "helm_release" "portainer" { - name = "portainer" - repository = "https://portainer.github.io/k8s" - chart = "portainer" - version = "1.0.63" - namespace = var.portainer_ns - - values = [templatefile("${path.module}/templates/portainer.values.tftpl", { - namespace = var.portainer_ns - cloudflare_ca_cert_var = var.cloudflare_ca_cert_var - cloudflare_cert_var = var.cloudflare_cert_var - ingress_class = var.ingress_class - })] - - depends_on = [kubernetes_namespace.portainer_ns] -} - -resource "kubectl_manifest" "portainer_ingress" { - yaml_body = < Date: Fri, 28 Nov 2025 18:10:21 +0100 Subject: [PATCH 26/43] fix: added qemu guest agent --- nix/config.nix | 1 + nix/host-specific.nix | 5 +++++ nix/starship.nix | 6 +++++- 3 files changed, 11 insertions(+), 1 deletion(-) create mode 100644 nix/host-specific.nix diff --git a/nix/config.nix b/nix/config.nix index ce024df..97a3c59 100644 --- a/nix/config.nix +++ b/nix/config.nix @@ -18,6 +18,7 @@ inputs.disko.nixosModules.disko ./docker.nix + ./host-specific.nix ./nix.nix ./rke2.nix ./services.nix diff --git a/nix/host-specific.nix b/nix/host-specific.nix new file mode 100644 index 0000000..6195642 --- /dev/null +++ b/nix/host-specific.nix @@ -0,0 +1,5 @@ +{ ... }: + +{ + services.qemuGuest.enable = true; +} diff --git a/nix/starship.nix b/nix/starship.nix index 6f135e0..496f789 100644 --- a/nix/starship.nix +++ b/nix/starship.nix @@ -1,6 +1,10 @@ -{ ... }: +{ pkgs, ... }: { + environment.systemPackages = with pkgs; [ + starship + ]; + programs.starship = { enable = true; From 93f09a3224c346a12b80382b6db570d34dbf1468 Mon Sep 17 00:00:00 2001 
From: ProfiiDev <92174452+Profiidev@users.noreply.github.com> Date: Fri, 28 Nov 2025 18:13:26 +0100 Subject: [PATCH 27/43] fix: added eza --- nix/user.nix | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/nix/user.nix b/nix/user.nix index 3c5c038..8a69f6e 100644 --- a/nix/user.nix +++ b/nix/user.nix @@ -43,5 +43,9 @@ }; }; + environment.systemPackages = with pkgs; [ + eza + ]; + documentation.man.generateCaches = lib.mkForce false; } From 9969c9e69f716d658b92cf35609b4b8fb094f975 Mon Sep 17 00:00:00 2001 From: ProfiiDev <92174452+Profiidev@users.noreply.github.com> Date: Fri, 28 Nov 2025 20:04:46 +0100 Subject: [PATCH 28/43] fix: some minor fixes --- README.md | 16 ---- terraform/README.md | 45 ++++++---- terraform/apps/charm.tf | 82 ------------------- .../apps/{nextcloud.tf => nextcloud.tf.} | 9 +- .../apps/templates/nextcloud.values.tftpl | 2 +- terraform/apps/variables.tf | 5 ++ terraform/db/templates/rustfs.values.tftpl | 9 ++ terraform/network/cert-manager.tf | 7 +- terraform/network/traefik.tf | 3 - terraform/tools/coder.tf | 2 +- 10 files changed, 51 insertions(+), 129 deletions(-) delete mode 100644 terraform/apps/charm.tf rename terraform/apps/{nextcloud.tf => nextcloud.tf.} (87%) diff --git a/README.md b/README.md index d058c17..eed485c 100644 --- a/README.md +++ b/README.md @@ -1,19 +1,3 @@ # Server Config Terraform scripts for my personal server setup. - -## Postgres - -Edit the postgres config with this cmd - -```bash -kubectl edit perconapgclusters.pgv2.percona.com -n everest postgresql -``` - -And replace/add to the spec > proxy > pgBouncer > config section - -```yaml -global: - stats_users: _crunchypgbouncer - max_user_connections: "1000" -``` diff --git a/terraform/README.md b/terraform/README.md index 3441f0f..35c72db 100644 --- a/terraform/README.md +++ b/terraform/README.md 
@@ -15,9 +15,11 @@ smtp_password = "" 1. crd: Install Custom Resource Definitions (CRDs) and monitoring tools. 2. storage: Set up storage solutions required for the cluster. (add cloudflare cert to vault) 3. network: Configure networking components and services. -4. db: Deploy database services. (create buckets and access keys after this) +4. db: Deploy database services. (create buckets, dbs and access keys after this) 5. tools: Install auxiliary tools and services. 6. metrics: Set up monitoring and metrics collection services. +7. apps: Deploy application services. +8. docker: Deploy Docker-related services and configurations. ## Required secrets in Vault @@ -29,7 +31,7 @@ docker/ghcr: certs/cert-manager: -- cloudflare: +- cloudflare: (token requires ip whitelist) certs/cloudflare: @@ -41,14 +43,6 @@ certs/crowdsec: - API_KEY: -db/minio_config: - -- config.env: - -db/minio_metrics: - -- token: - db/couchdb: - cookie_auth: @@ -79,12 +73,6 @@ tools/tailscale: - client_id: - client_secret: -tools/longhorn: - -- AWS_ACCESS_KEY_ID: -- AWS_ENDPOINTS: -- AWS_SECRET_ACCESS_KEY: - tools/longhorn-proxy: - client-id: @@ -170,11 +158,17 @@ apps/lgtm: - GRAFANA_TEMPO_S3_ACCESS_KEY: - GRAFANA_TEMPO_S3_SECRET_KEY: -apps/metrics: +apps/alert-bot: - proxy: - url: +tools/longhorn: + +- AWS_ACCESS_KEY_ID: +- AWS_ENDPOINTS: +- AWS_SECRET_ACCESS_KEY: + ## S3 resources to create ### Buckets @@ -186,12 +180,24 @@ apps/metrics: - mimir-blocks - mimir-ruler - tempo +- longhorn +- positron ### Access keys - loki: Access to loki-admin, loki-chunk, loki-ruler buckets - mimir: Access to mimir-alert, mimir-blocks, mimir-ruler buckets - tempo: Access to tempo bucket +- longhorn: Access to longhorn bucket +- positron: Access to positron bucket + +## Databases to create + +- positron +- nextcloud +- coder +- charm +- auto-clean-bot ## Additional setup steps @@ -202,3 +208,8 @@ create user: ```bash docker exec -it panel php artisan p:user:make ``` + +to migrate: +nextcloud + +longhorn backup 
diff --git a/terraform/apps/charm.tf b/terraform/apps/charm.tf deleted file mode 100644 index f53acff..0000000 --- a/terraform/apps/charm.tf +++ /dev/null @@ -1,82 +0,0 @@ -resource "kubernetes_namespace" "charm" { - metadata { - name = var.charm_ns - } -} - -resource "kubectl_manifest" "charm_app" { - yaml_body = < array( 0 => '127.0.0.1', 1 => '10.0.0.0/8', - 2 => '194.164.200.60', + 2 => '${k8s_api}', 3 => '::1', ), 'forwarded_for_headers' => array('HTTP_X_FORWARDED_FOR'), diff --git a/terraform/apps/variables.tf b/terraform/apps/variables.tf index dce4629..79e60d1 100644 --- a/terraform/apps/variables.tf +++ b/terraform/apps/variables.tf @@ -62,6 +62,11 @@ variable "storage_class" { type = string } +variable "k8s_api" { + description = "The Kubernetes API server URL" + type = string +} + data "local_file" "ca_hash" { filename = "${path.module}/../storage/certs/ca.hash" } diff --git a/terraform/db/templates/rustfs.values.tftpl b/terraform/db/templates/rustfs.values.tftpl index 645ce88..c9d7eeb 100644 --- a/terraform/db/templates/rustfs.values.tftpl +++ b/terraform/db/templates/rustfs.values.tftpl @@ -8,6 +8,15 @@ mode: ingress: className: "nginx" + hosts: + - host: "rustfs.profidev.io" + paths: + - path: "/" + pathType: ImplementationSpecific + tls: + - secretName: rustfs-tls + hosts: + - "rustfs.profidev.io" storageclass: name: ${storage_class} diff --git a/terraform/network/cert-manager.tf b/terraform/network/cert-manager.tf index d1ae18f..fd679bc 100644 --- a/terraform/network/cert-manager.tf +++ b/terraform/network/cert-manager.tf @@ -56,9 +56,6 @@ spec: privateKeySecretRef: name: letsencrypt-${each.key}-issuer-account-key solvers: - - http01: - ingress: - ingressClassName: ${var.ingress_class} - dns01: cloudflare: apiTokenSecretRef: 
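Review bot: The `k8s_api` variable added to terraform/apps/variables.tf is documented as "The Kubernetes API server URL", yet every consumer in this commit uses it as a bare IPv4 address — the `trusted_proxies` entry in nextcloud.values.tftpl and the `${var.k8s_api}/32` CIDRs in the cert-manager.tf and coder.tf policies — so a URL or hostname would produce an invalid CIDR or a meaningless trusted-proxy entry, and neither is caught at plan time because the YAML is opaque to Terraform. Suggest `description = "IPv4 address of the Kubernetes API server (used as a /32 in network policies and as a trusted proxy)"` together with `validation { condition = can(cidrnetmask("${var.k8s_api}/32")) error_message = "k8s_api must be a bare IPv4 address." }`. The same description/usage mismatch recurs in the `k8s_api` variable that terraform/metrics/variables.tf adds later in this series.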
@@ -78,7 +75,7 @@ metadata: namespace: ${var.cert_ns} spec: order: 10 - selector: app.kubernetes.io/name == 'cainjector' || app.kubernetes.io/name == 'cert-manager' || app.kubernetes.io/name == 'webhook' + selector: app.kubernetes.io/name == 'cainjector' || app.kubernetes.io/name == 'cert-manager' || app.kubernetes.io/name == 'webhook' || app.kubernetes.io/name == 'startupapicheck' types: - Egress egress: @@ -86,7 +83,7 @@ spec: protocol: TCP destination: nets: - - 194.164.200.60/32 + - ${var.k8s_api}/32 ports: - 6443 - action: Allow diff --git a/terraform/network/traefik.tf b/terraform/network/traefik.tf index 6f30ca4..cc14acf 100644 --- a/terraform/network/traefik.tf +++ b/terraform/network/traefik.tf @@ -22,9 +22,6 @@ spec: prometheus: serviceMonitor: enabled: true - prometheusRule: - enabled: true - YAML } diff --git a/terraform/tools/coder.tf b/terraform/tools/coder.tf index 5c3f1cd..b13862b 100644 --- a/terraform/tools/coder.tf +++ b/terraform/tools/coder.tf @@ -46,7 +46,7 @@ spec: protocol: TCP destination: nets: - - 194.164.200.60/32 + - ${var.k8s_api}/32 ports: - 6443 - action: Allow From d2fd8f4d4af70e64f2bc20d989327250a505d120 Mon Sep 17 00:00:00 2001 From: ProfiiDev <92174452+Profiidev@users.noreply.github.com> Date: Fri, 28 Nov 2025 22:05:18 +0100 Subject: [PATCH 29/43] fix: correct ingress name --- terraform/README.md | 2 + terraform/apps/positron.tf | 55 ++++++++-------------- terraform/db/rustfs.tf | 1 + terraform/db/templates/rustfs.values.tftpl | 2 +- vars.tfvars | 2 +- 5 files changed, 25 insertions(+), 37 deletions(-) diff --git a/terraform/README.md b/terraform/README.md index 35c72db..79bad39 100644 --- a/terraform/README.md +++ b/terraform/README.md @@ -213,3 +213,5 @@ to migrate: nextcloud longhorn backup + +ingress nginx annotations diff --git a/terraform/apps/positron.tf b/terraform/apps/positron.tf index 787d96d..8c67361 100644 --- a/terraform/apps/positron.tf +++ b/terraform/apps/positron.tf 
@@ -24,41 +24,26 @@ spec: valuesObject: secret: storeName: ${var.cluster_secret_store} - backend: - extraVolumes: - - name: cluster-ca-cert - secret: - defaultMode: 420 - secretName: kube-root-ca.crt - extraVolumeMounts: - - name: cluster-ca-cert - readOnly: true - subPath: ${local.ca_hash}.0 - mountPath: /etc/ssl/certs/${local.ca_hash}.0 - ingress: - className: ${var.ingress_class} - annotations: - nginx.ingress.kubernetes.io/auth-tls-secret: ${var.positron_ns}/${var.cloudflare_ca_cert_var} - nginx.ingress.kubernetes.io/auth-tls-verify-client: "on" - nginx.ingress.kubernetes.io/rewrite-target: "/$1" - tls: - - hosts: - - profidev.io - - "*.profidev.io" - secretName: ${var.cloudflare_cert_var} - - frontend: - ingress: - className: ${var.ingress_class} - annotations: - nginx.ingress.kubernetes.io/auth-tls-secret: ${var.positron_ns}/${var.cloudflare_ca_cert_var} - nginx.ingress.kubernetes.io/auth-tls-verify-client: "on" - tls: - - hosts: - - profidev.io - - "*.profidev.io" - secretName: ${var.cloudflare_cert_var} - + extraVolumes: + - name: cluster-ca-cert + secret: + defaultMode: 420 + secretName: kube-root-ca.crt + extraVolumeMounts: + - name: cluster-ca-cert + readOnly: true + subPath: ${local.ca_hash}.0 + mountPath: /etc/ssl/certs/${local.ca_hash}.0 + ingress: + className: ${var.ingress_class} + annotations: + nginx.ingress.kubernetes.io/auth-tls-secret: ${var.positron_ns}/${var.cloudflare_ca_cert_var} + nginx.ingress.kubernetes.io/auth-tls-verify-client: "on" + tls: + - hosts: + - profidev.io + - "*.profidev.io" + secretName: ${var.cloudflare_cert_var} destination: server: https://kubernetes.default.svc namespace: ${var.positron_ns} diff --git a/terraform/db/rustfs.tf b/terraform/db/rustfs.tf index 7045663..709afad 100644 --- a/terraform/db/rustfs.tf +++ b/terraform/db/rustfs.tf 
@@ -13,6 +13,7 @@ resource "helm_release" "minio" { values = [templatefile("${path.module}/templates/rustfs.values.tftpl", { storage_class = var.storage_class + ingress_class = var.ingress_class })] depends_on = [kubernetes_namespace.rustfs] diff --git a/terraform/db/templates/rustfs.values.tftpl b/terraform/db/templates/rustfs.values.tftpl index c9d7eeb..9a0b861 100644 --- a/terraform/db/templates/rustfs.values.tftpl +++ b/terraform/db/templates/rustfs.values.tftpl @@ -7,7 +7,7 @@ mode: enabled: false ingress: - className: "nginx" + className: "${ingress_class}" hosts: - host: "rustfs.profidev.io" paths: diff --git a/vars.tfvars b/vars.tfvars index 8299e5b..1b92abb 100644 --- a/vars.tfvars +++ b/vars.tfvars @@ -1,7 +1,7 @@ # network cert_issuer_staging = "letsencrypt-staging" cert_issuer_prod = "letsencrypt-prod" -ingress_class = "nginx" +ingress_class = "traefik" cloudflare_ca_cert_var = "cloudflare-ca-cert" cloudflare_cert_var = "cloudflare-cert" From 1f0b91e87d46ee5018cf7b1c62d9890b8aa4c87f Mon Sep 17 00:00:00 2001 From: ProfiiDev <92174452+Profiidev@users.noreply.github.com> Date: Fri, 28 Nov 2025 23:26:32 +0100 Subject: [PATCH 30/43] feat: added traefik dashboard --- terraform/network/traefik.tf | 56 +++++++++++++++++++ terraform/tools/argo.tf | 15 +++++ terraform/tools/templates/argocd.values.tftpl | 6 +- 3 files changed, 76 insertions(+), 1 deletion(-) diff --git a/terraform/network/traefik.tf b/terraform/network/traefik.tf index cc14acf..8b7ccf1 100644 --- a/terraform/network/traefik.tf +++ b/terraform/network/traefik.tf @@ -10,6 +10,10 @@ spec: experimental: fastProxy: enabled: true + plugins: + traefik-oidc-auth: + moduleName: "github.com/sevensolutions/traefik-oidc-auth" + version: "v0.17.0" providers: kubernetesIngressNginx: @@ -22,6 +26,15 @@ spec: prometheus: serviceMonitor: enabled: true + + ingressRoute: + dashboard: + enabled: true + matchRule: "Host(`traefik.profidev.io`)" + entryPoints: + - websecure + middlewares: + - name: oidc-traefik YAML } 
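Review bot: Flipping `ingress_class` from `nginx` to `traefik` in vars.tfvars changes what the `nginx.ingress.kubernetes.io/auth-tls-secret` and `auth-tls-verify-client: "on"` annotations kept in positron.tf (the hunk earlier in this commit) actually do: they enforce client-certificate verification only if Traefik's `kubernetesIngressNginx` provider implements those two annotations, and an annotation the provider does not know is ignored, leaving the ingress served without mTLS — a silent fail-open rather than a deploy error. Worth confirming against the Traefik version in use, or expressing the requirement natively (a Traefik `TLSOption` referenced via `traefik.ingress.kubernetes.io/router.tls.options`) so the control does not depend on annotation compatibility. A comment in vars.tfvars such as `# nginx.* annotations are only honoured where traefik's nginx provider supports them` would make the dependency visible.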
@@ -42,3 +55,46 @@ spec: corwdsecLapiKey: ${random_password.bouncer_key.result} YAML } + +resource "kubectl_manifest" "traefik_proxy_secrets" { + yaml_body = < Date: Sat, 29 Nov 2025 01:07:57 +0100 Subject: [PATCH 31/43] fix: routing not working --- terraform/apps/proton.tf | 17 ++++++++++++++++- terraform/storage/templates/vault.values.tftpl | 4 ++++ terraform/storage/vault.tf | 14 ++++++++++++++ terraform/tools/templates/argocd.values.tftpl | 2 +- 4 files changed, 35 insertions(+), 2 deletions(-) diff --git a/terraform/apps/proton.tf b/terraform/apps/proton.tf index 39ad1a1..5c95efd 100644 --- a/terraform/apps/proton.tf +++ b/terraform/apps/proton.tf @@ -40,7 +40,7 @@ spec: annotations: nginx.ingress.kubernetes.io/auth-tls-secret: ${var.proton_ns}/${var.cloudflare_ca_cert_var} nginx.ingress.kubernetes.io/auth-tls-verify-client: "on" - nginx.ingress.kubernetes.io/rewrite-target: "/$1" + traefik.ingress.kubernetes.io/router.middlewares: ${var.proton_ns}-proton@kubernetescrd tls: - hosts: - profidev.io @@ -63,3 +63,18 @@ spec: depends_on = [kubernetes_namespace.proton] } + +resource "kubectl_manifest" "proton_middleware" { + yaml_body = < Date: Sat, 29 Nov 2025 01:45:49 +0100 Subject: [PATCH 32/43] refactor: use builtin oidc for longhorn --- terraform/apps/proton.tf | 1 - terraform/db/rustfs.tf | 2 + terraform/db/templates/rustfs.values.tftpl | 8 +- terraform/db/variables.tf | 5 ++ terraform/network/longhorn-proxy.tf | 84 +++++++++++++++++++ terraform/network/traefik.tf | 1 - terraform/network/variables.tf | 16 ++++ terraform/tools/longhorn-proxy.tf | 60 ------------- .../longhorn-oauth2-proxy.values.tftpl | 27 ------ terraform/tools/variables.tf | 4 - 10 files changed, 114 insertions(+), 94 deletions(-) create mode 100644 terraform/network/longhorn-proxy.tf delete mode 100644 terraform/tools/longhorn-proxy.tf delete mode 100644 terraform/tools/templates/longhorn-oauth2-proxy.values.tftpl 
diff --git a/terraform/apps/proton.tf b/terraform/apps/proton.tf index 5c95efd..ffaece8 100644 --- a/terraform/apps/proton.tf +++ b/terraform/apps/proton.tf @@ -73,7 +73,6 @@ metadata: namespace: ${var.proton_ns} spec: stripPrefix: - forceSlash: false prefixes: - /backend YAML diff --git a/terraform/db/rustfs.tf b/terraform/db/rustfs.tf index 709afad..ea2b275 100644 --- a/terraform/db/rustfs.tf +++ b/terraform/db/rustfs.tf @@ -14,6 +14,8 @@ resource "helm_release" "minio" { values = [templatefile("${path.module}/templates/rustfs.values.tftpl", { storage_class = var.storage_class ingress_class = var.ingress_class + cert_issuer = var.cert_issuer_prod + password = var.rustfs_password })] depends_on = [kubernetes_namespace.rustfs] diff --git a/terraform/db/templates/rustfs.values.tftpl b/terraform/db/templates/rustfs.values.tftpl index 9a0b861..1142b86 100644 --- a/terraform/db/templates/rustfs.values.tftpl +++ b/terraform/db/templates/rustfs.values.tftpl @@ -6,8 +6,12 @@ mode: distributed: enabled: false +secret: + rustfs: + secret_key: "${password}" + ingress: - className: "${ingress_class}" + className: "nginx" # must be nginx be cause this chart sucks ass hosts: - host: "rustfs.profidev.io" paths: @@ -17,6 +21,8 @@ ingress: - secretName: rustfs-tls hosts: - "rustfs.profidev.io" + nginxAnnotations: + cert-manager.io/cluster-issuer: "${cert_issuer}" storageclass: name: ${storage_class} diff --git a/terraform/db/variables.tf b/terraform/db/variables.tf index cee3480..d520a84 100644 --- a/terraform/db/variables.tf +++ b/terraform/db/variables.tf @@ -63,3 +63,8 @@ variable "pg_ns" { type = string default = "postgres" } + +variable "rustfs_password" { + description = "Rustfs password" + type = string +} diff --git a/terraform/network/longhorn-proxy.tf b/terraform/network/longhorn-proxy.tf new file mode 100644 index 0000000..166021a --- /dev/null +++ b/terraform/network/longhorn-proxy.tf 
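Review bot: `secret_key: "${password}"` in the new `secret.rustfs` block of rustfs.values.tftpl splices the password into a YAML double-quoted scalar verbatim, so a value containing `"` or `\` yields invalid or silently truncated YAML, and `templatefile` will not complain — the failure surfaces only when Helm renders the values. Let Terraform do the escaping instead: `secret_key: ${jsonencode(password)}` (a JSON string literal is a valid YAML double-quoted scalar).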
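Review bot: `variable "rustfs_password"` in terraform/db/variables.tf is declared without `sensitive = true`, so its value is printed in clear in `terraform plan`/`apply` output and in any CI log that captures it. Add `sensitive = true` to the block; this only redacts CLI output — the rendered Helm values and the state file still hold it in plaintext, which is why keeping `*.tfstate` and `secrets.tfvars` out of git (as the .gitignore hunks do) matters. The other secret inputs introduced in this series (e.g. `smtp_password` listed in the README) deserve the same flag if they are declared the same way.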
@@ -0,0 +1,84 @@ + +resource "kubectl_manifest" "longhorn_proxy_secrets" { + yaml_body = < Date: Sat, 29 Nov 2025 01:53:32 +0100 Subject: [PATCH 33/43] fix: vault egress --- terraform/storage/vault.tf | 6 ++++++ 1 file changed, 6 insertions(+) diff --git a/terraform/storage/vault.tf b/terraform/storage/vault.tf index fa0876f..73c2605 100644 --- a/terraform/storage/vault.tf +++ b/terraform/storage/vault.tf @@ -126,6 +126,12 @@ module "k8s_api_np_vault" { depends_on = [kubernetes_namespace.secrets] } +module "external_np_vault" { + source = "../modules/external-np" + + namespace = var.secrets_ns +} + resource "kubectl_manifest" "vault_transport" { yaml_body = < Date: Sat, 29 Nov 2025 19:37:43 +0100 Subject: [PATCH 34/43] feat: added nextcloud back --- nix/services.nix | 2 +- terraform/README.md | 8 ++++++++ .../apps/{nextcloud.tf. => nextcloud.tf} | 19 ++++++++++++++++++- .../apps/templates/nextcloud.values.tftpl | 9 +++------ terraform/network/cert-manager.tf | 3 +++ 5 files changed, 33 insertions(+), 8 deletions(-) rename terraform/apps/{nextcloud.tf. => nextcloud.tf} (78%) diff --git a/nix/services.nix b/nix/services.nix index edba746..644884b 100644 --- a/nix/services.nix +++ b/nix/services.nix @@ -10,7 +10,7 @@ networking.firewall = { enable = true; allowedTCPPorts = [ - 6443 # Kubernetes API server + #6443 # Kubernetes API server ]; }; diff --git a/terraform/README.md b/terraform/README.md index 79bad39..c430ae1 100644 --- a/terraform/README.md +++ b/terraform/README.md @@ -215,3 +215,11 @@ nextcloud longhorn backup ingress nginx annotations + +vault oidc +proton path +argocd app process +docker +alerts +argo traefik config +traefik metrics endpoints 80 \ No newline at end of file diff --git a/terraform/apps/nextcloud.tf. b/terraform/apps/nextcloud.tf similarity index 78% rename from terraform/apps/nextcloud.tf. rename to terraform/apps/nextcloud.tf index df4fd5e..6918f26 100644 --- a/terraform/apps/nextcloud.tf. +++ b/terraform/apps/nextcloud.tf 
@@ -8,7 +8,7 @@ resource "helm_release" "nextcloud" { name = "nextcloud" repository = "https://nextcloud.github.io/helm" chart = "nextcloud" - version = "7.0.2" + version = "8.6.0" namespace = var.nextcloud_ns values = [templatefile("${path.module}/templates/nextcloud.values.tftpl", { @@ -17,6 +17,7 @@ resource "helm_release" "nextcloud" { storage_class = var.storage_class ca_hash = local.ca_hash k8s_api = var.k8s_api + namespace = var.nextcloud_ns })] depends_on = [kubernetes_namespace.nextcloud] @@ -68,3 +69,19 @@ spec: depends_on = [kubernetes_namespace.nextcloud] } + +resource "kubectl_manifest" "nextcloud_middleware" { + yaml_body = < Date: Sat, 29 Nov 2025 20:03:28 +0100 Subject: [PATCH 35/43] refactor: update nginx annotations --- terraform/README.md | 4 ---- terraform/apps/positron.tf | 19 ++++++++++++++++-- terraform/apps/proton.tf | 20 +++++++++++++++++-- terraform/metrics/grafana.tf | 14 +++++++++++++ .../metrics/templates/grafana.values.tftpl | 3 +-- terraform/modules/docker/service.tf | 18 +++++++++++++++-- terraform/network/longhorn-proxy.tf | 18 +++++++++++++++-- .../storage/templates/vault.values.tftpl | 3 +-- terraform/storage/vault.tf | 17 ++++++++++++++++ 9 files changed, 100 insertions(+), 16 deletions(-) diff --git a/terraform/README.md b/terraform/README.md index c430ae1..6bf1cc2 100644 --- a/terraform/README.md +++ b/terraform/README.md @@ -209,9 +209,6 @@ create user: docker exec -it panel php artisan p:user:make ``` -to migrate: -nextcloud - longhorn backup ingress nginx annotations @@ -221,5 +218,4 @@ proton path argocd app process docker alerts -argo traefik config traefik metrics endpoints 80 \ No newline at end of file diff --git a/terraform/apps/positron.tf b/terraform/apps/positron.tf index 8c67361..c0597d9 100644 --- a/terraform/apps/positron.tf +++ b/terraform/apps/positron.tf 
@@ -37,8 +37,7 @@ spec: ingress: className: ${var.ingress_class} annotations: - nginx.ingress.kubernetes.io/auth-tls-secret: ${var.positron_ns}/${var.cloudflare_ca_cert_var} - nginx.ingress.kubernetes.io/auth-tls-verify-client: "on" + traefik.ingress.kubernetes.io/router.tls.options: ${var.positron_ns}-positron-tls-options@kubernetescrd tls: - hosts: - profidev.io @@ -61,3 +60,19 @@ spec: depends_on = [kubernetes_namespace.positron] } +resource "kubectl_manifest" "positron_tls_options" { + yaml_body = < Date: Sat, 29 Nov 2025 20:39:32 +0100 Subject: [PATCH 36/43] feat: increased body size limit --- terraform/README.md | 6 ++---- terraform/apps/nextcloud.tf | 15 +++++++++++++++ terraform/apps/proton.tf | 1 + terraform/apps/templates/nextcloud.values.tftpl | 2 +- terraform/db/couchdb.tf | 16 ++++++++++++++++ terraform/db/rustfs.tf | 2 +- terraform/db/templates/couchdb.values.tftpl | 2 +- terraform/network/traefik.tf | 1 + 8 files changed, 38 insertions(+), 7 deletions(-) diff --git a/terraform/README.md b/terraform/README.md index 6bf1cc2..2e66752 100644 --- a/terraform/README.md +++ b/terraform/README.md @@ -211,11 +211,9 @@ docker exec -it panel php artisan p:user:make longhorn backup -ingress nginx annotations - vault oidc -proton path argocd app process docker alerts -traefik metrics endpoints 80 \ No newline at end of file +traefik metrics endpoints 80 +alloy ingress \ No newline at end of file diff --git a/terraform/apps/nextcloud.tf b/terraform/apps/nextcloud.tf index 6918f26..8e2263c 100644 --- a/terraform/apps/nextcloud.tf +++ b/terraform/apps/nextcloud.tf 
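Review bot: Client-certificate enforcement for positron now rests on `traefik.ingress.kubernetes.io/router.tls.options: ${var.positron_ns}-positron-tls-options@kubernetescrd`, but this ingress serves `profidev.io` and `*.profidev.io`, the same hosts other ingresses in the repo terminate. Traefik applies TLS options per SNI host, and when routers for one host reference different TLSOption objects it treats that as a conflict and falls back to the default options — which would drop client-auth for every router on that host without any manifest error. Since the diffstat shows proton.tf, longhorn-proxy.tf and vault.tf each gaining their own `*-tls-options`, consider one shared TLSOption (or putting the client-auth requirement in Traefik's default TLSOption) and checking the Traefik logs for the conflict warning after apply. The `positron_tls_options` body is not readable in this chunk, so the per-namespace-copy assumption should be verified.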
@@ -85,3 +85,18 @@ YAML depends_on = [kubernetes_namespace.nextcloud] } + +resource "kubectl_manifest" "nextcloud_middleware_buffering" { + yaml_body = < Date: Sat, 29 Nov 2025 21:18:18 +0100 Subject: [PATCH 37/43] feat: added alloy ingress --- terraform/README.md | 3 +- terraform/db/templates/rustfs.values.tftpl | 8 ++ terraform/metrics/alloy.tf | 99 +++++++++++++++++++ terraform/network/traefik.tf | 5 + terraform/tools/templates/argocd.values.tftpl | 7 ++ 5 files changed, 120 insertions(+), 2 deletions(-) diff --git a/terraform/README.md b/terraform/README.md index 2e66752..246e08f 100644 --- a/terraform/README.md +++ b/terraform/README.md @@ -212,8 +212,7 @@ docker exec -it panel php artisan p:user:make longhorn backup vault oidc -argocd app process docker alerts traefik metrics endpoints 80 -alloy ingress \ No newline at end of file +rustfs ingress \ No newline at end of file diff --git a/terraform/db/templates/rustfs.values.tftpl b/terraform/db/templates/rustfs.values.tftpl index 1142b86..bdacb7f 100644 --- a/terraform/db/templates/rustfs.values.tftpl +++ b/terraform/db/templates/rustfs.values.tftpl @@ -27,3 +27,11 @@ ingress: storageclass: name: ${storage_class} size: 20Gi + +containerSecurityContext: + readOnlyRootFilesystem: false + +resources: + limits: + cpu: 1000m + memory: 1024Mi diff --git a/terraform/metrics/alloy.tf b/terraform/metrics/alloy.tf index 22ce1f8..f687033 100644 --- a/terraform/metrics/alloy.tf +++ b/terraform/metrics/alloy.tf @@ -9,3 +9,102 @@ resource "helm_release" "alloy" { ca_hash = local.ca_hash })] } + +resource "kubectl_manifest" "alloy_proxy_secrets" { + yaml_body = < Date: Sat, 29 Nov 2025 21:26:08 +0100 Subject: [PATCH 38/43] fix: rustfs ingress --- terraform/README.md | 3 +- terraform/db/rustfs.tf | 44 ++++++++++++++++++++++ terraform/db/templates/rustfs.values.tftpl | 13 +------ 3 files changed, 46 insertions(+), 14 deletions(-) diff --git a/terraform/README.md b/terraform/README.md index 246e08f..7e19613 100644 
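Review bot: `containerSecurityContext.readOnlyRootFilesystem: false` in rustfs.values.tftpl relaxes a hardening control with no comment recording which path the container needs to write. If it is a scratch or cache directory, an `emptyDir` mounted at that path keeps the root filesystem read-only; if the chart offers no hook for that, a comment such as `# rustfs needs a writable <path>; no emptyDir hook in the chart version in use` documents why the exception exists and when it can be revisited.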
--- a/terraform/README.md +++ b/terraform/README.md @@ -214,5 +214,4 @@ longhorn backup vault oidc docker alerts -traefik metrics endpoints 80 -rustfs ingress \ No newline at end of file +traefik metrics endpoints 80 \ No newline at end of file diff --git a/terraform/db/rustfs.tf b/terraform/db/rustfs.tf index e17b181..5b6a778 100644 --- a/terraform/db/rustfs.tf +++ b/terraform/db/rustfs.tf @@ -20,3 +20,47 @@ resource "helm_release" "minio" { depends_on = [kubernetes_namespace.rustfs] } + +resource "kubernetes_ingress_v1" "rustfs" { + metadata { + name = "rustfs" + namespace = var.rustfs_ns + annotations = { + "cert-manager.io/cluster-issuer" = var.cert_issuer_prod, + "traefik.ingress.kubernetes.io/service.sticky.cookie" = "true", + "traefik.ingress.kubernetes.io/service.sticky.cookie.httponly" = "true", + "traefik.ingress.kubernetes.io/service.sticky.cookie.name" = "rustfs", + "traefik.ingress.kubernetes.io/service.sticky.cookie.samesite" = "none", + "traefik.ingress.kubernetes.io/service.sticky.cookie.secure" = "true", + } + } + + spec { + ingress_class_name = var.ingress_class + + rule { + host = "rustfs.profidev.io" + + http { + path { + path = "/" + path_type = "ImplementationSpecific" + + backend { + service { + name = "rustfs-svc" + port { + name = "console" + } + } + } + } + } + } + + tls { + hosts = ["rustfs.profidev.io"] + secret_name = "rustfs-tls" + } + } +} diff --git a/terraform/db/templates/rustfs.values.tftpl b/terraform/db/templates/rustfs.values.tftpl index bdacb7f..be13cb1 100644 --- a/terraform/db/templates/rustfs.values.tftpl +++ b/terraform/db/templates/rustfs.values.tftpl 
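Review bot: The sticky-session cookie on the new `kubernetes_ingress_v1.rustfs` is configured with `samesite = "none"`, which tells browsers to attach it on cross-site requests; a load-balancer affinity cookie for a console reached by direct navigation does not need that, and `lax` narrows the exposure without changing same-site behaviour. Unless the console is deliberately embedded cross-origin, use `"traefik.ingress.kubernetes.io/service.sticky.cookie.samesite" = "lax"`; `httponly` and `secure` are already set correctly.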
@@ -11,18 +11,7 @@ secret: secret_key: "${password}" ingress: - className: "nginx" # must be nginx be cause this chart sucks ass - hosts: - - host: "rustfs.profidev.io" - paths: - - path: "/" - pathType: ImplementationSpecific - tls: - - secretName: rustfs-tls - hosts: - - "rustfs.profidev.io" - nginxAnnotations: - cert-manager.io/cluster-issuer: "${cert_issuer}" + enabled: false storageclass: name: ${storage_class} From 9220ad3817de3952a5011c1d2ff79d330d6878a2 Mon Sep 17 00:00:00 2001 From: ProfiiDev <92174452+Profiidev@users.noreply.github.com> Date: Sat, 29 Nov 2025 23:16:35 +0100 Subject: [PATCH 39/43] fix: alerts --- terraform/README.md | 5 +- terraform/db/rustfs.tf | 2 +- terraform/db/templates/postgres.values.tftpl | 2 - terraform/db/templates/rustfs.values.tftpl | 2 +- terraform/metrics/alloy.tf | 78 +++++++++++++++++++- terraform/metrics/grafana.tf | 1 - terraform/metrics/mixin/pgbouncer.yaml | 45 ----------- terraform/metrics/variables.tf | 5 ++ terraform/network/traefik.tf | 50 +++++++++++++ 9 files changed, 135 insertions(+), 55 deletions(-) delete mode 100644 terraform/metrics/mixin/pgbouncer.yaml diff --git a/terraform/README.md b/terraform/README.md index 7e19613..764f916 100644 --- a/terraform/README.md +++ b/terraform/README.md @@ -209,9 +209,6 @@ create user: docker exec -it panel php artisan p:user:make ``` -longhorn backup - vault oidc docker -alerts -traefik metrics endpoints 80 \ No newline at end of file +refresh token diff --git a/terraform/db/rustfs.tf b/terraform/db/rustfs.tf index 5b6a778..65f5bb1 100644 --- a/terraform/db/rustfs.tf +++ b/terraform/db/rustfs.tf @@ -8,7 +8,7 @@ resource "helm_release" "minio" { name = "rustfs" repository = "https://charts.rustfs.com" chart = "rustfs" - version = "0.0.70" + version = "0.0.68" namespace = var.rustfs_ns values = [templatefile("${path.module}/templates/rustfs.values.tftpl", { 
diff --git a/terraform/db/templates/postgres.values.tftpl b/terraform/db/templates/postgres.values.tftpl index 30bf7ad..ebf1569 100644 --- a/terraform/db/templates/postgres.values.tftpl +++ b/terraform/db/templates/postgres.values.tftpl @@ -13,5 +13,3 @@ metrics: enabled: true serviceMonitor: enabled: true - prometheusRule: - enabled: true diff --git a/terraform/db/templates/rustfs.values.tftpl b/terraform/db/templates/rustfs.values.tftpl index be13cb1..3cf15f6 100644 --- a/terraform/db/templates/rustfs.values.tftpl +++ b/terraform/db/templates/rustfs.values.tftpl @@ -23,4 +23,4 @@ containerSecurityContext: resources: limits: cpu: 1000m - memory: 1024Mi + memory: 5Gi diff --git a/terraform/metrics/alloy.tf b/terraform/metrics/alloy.tf index f687033..eb4853f 100644 --- a/terraform/metrics/alloy.tf +++ b/terraform/metrics/alloy.tf @@ -58,7 +58,7 @@ resource "kubernetes_ingress_v1" "alloy_ingress" { namespace = var.metrics_ns annotations = { - "traefik.ingress.kubernetes.io/router.middlewares" = "${var.metrics_ns}-alloy@kubernetescrd" + "traefik.ingress.kubernetes.io/router.middlewares" = "${var.metrics_ns}-alloy@kubernetescrd" "traefik.ingress.kubernetes.io/router.tls.options" = "${var.metrics_ns}-alloy-tls-options@kubernetescrd" } } 
@@ -108,3 +108,79 @@ spec: YAML } +module "k8s_api_np_alloy" { + source = "../modules/k8s-api-np" + + namespace = var.metrics_ns + k8s_api = var.k8s_api +} + +resource "kubernetes_service_v1" "kubelet" { + metadata { + name = "prometheus-kube-prometheus-kubelet" + namespace = "kube-system" + + labels = { + "k8s-app" = "kubelet", + "app.kubernetes.io/name" = "kubelet" + } + } + + spec { + internal_traffic_policy = "Cluster" + ip_families = ["IPv4", "IPv6"] + ip_family_policy = "RequireDualStack" + port { + name = "https-metrics" + port = 10250 + protocol = "TCP" + target_port = 10250 + } + port { + name = "http-metrics" + port = 10255 + protocol = "TCP" + target_port = 10255 + } + port { + name = "cadvisor" + port = 4194 + protocol = "TCP" + target_port = 4194 + } + type = "ClusterIP" + cluster_ip = "None" + cluster_ips = ["None"] + session_affinity = "None" + } +} + +resource "kubectl_manifest" "kubelet_endpoints" { + yaml_body = < 20 - for: 5m - labels: - severity: warning - - alert: PGBouncerHighClientWaitTime - annotations: - description: | - The wait time for user connections on {{ $labels.instance }}, is above 15. The current value is {{ $value | printf "%.2f" }}. - summary: Clients are experiencing significant delays, which could indicate issues - with connection pool saturation or server performance. - expr: | - pgbouncer_pools_client_maxwait_seconds{job="pgbouncer-exporter-prometheus-pgbouncer-exporter"} > 15 - for: 5m - labels: - severity: warning - - alert: PGBouncerHighServerConnectionSaturationWarning - annotations: - description: | - User connection capacity on {{ $labels.instance }}, is above 80%. The current value is {{ $value | printf "%.2f" }}. - summary: PGBouncer is nearing user connection capacity. 
- expr: | - 100 * (sum without (database, user) (pgbouncer_pools_server_active_connections{job="pgbouncer-exporter-prometheus-pgbouncer-exporter"} + pgbouncer_pools_server_idle_connections{job="pgbouncer-exporter-prometheus-pgbouncer-exporter"} + pgbouncer_pools_server_used_connections{job="pgbouncer-exporter-prometheus-pgbouncer-exporter"}) / clamp_min(pgbouncer_config_max_user_connections{job="pgbouncer-exporter-prometheus-pgbouncer-exporter"},1)) > 80 - for: 5m - labels: - severity: warning - - alert: PGBouncerHighServerConnectionSaturationCritical - annotations: - description: | - User connection capacity on {{ $labels.instance }}, is above 90%. The current value is {{ $value | printf "%.2f" }}. - summary: PGBouncer is nearing critical levels of user connection capacity. - expr: | - 100 * (sum without (database, user) (pgbouncer_pools_server_active_connections{job="pgbouncer-exporter-prometheus-pgbouncer-exporter"} + pgbouncer_pools_server_idle_connections{job="pgbouncer-exporter-prometheus-pgbouncer-exporter"} + pgbouncer_pools_server_used_connections{job="pgbouncer-exporter-prometheus-pgbouncer-exporter"}) / clamp_min(pgbouncer_config_max_user_connections{job="pgbouncer-exporter-prometheus-pgbouncer-exporter"},1)) > 90 - for: 5m - labels: - severity: critical \ No newline at end of file diff --git a/terraform/metrics/variables.tf b/terraform/metrics/variables.tf index b1a86ad..8c846da 100644 --- a/terraform/metrics/variables.tf +++ b/terraform/metrics/variables.tf @@ -33,6 +33,11 @@ variable "argo_ns" { type = string } +variable "k8s_api" { + description = "The Kubernetes API endpoint" + type = string +} + data "local_file" "ca_hash" { filename = "${path.module}/../storage/certs/ca.hash" } diff --git a/terraform/network/traefik.tf b/terraform/network/traefik.tf index 86d1faa..fcc37f9 100644 --- a/terraform/network/traefik.tf +++ b/terraform/network/traefik.tf 
@@ -32,6 +32,8 @@ spec:
 prometheus:
 serviceMonitor:
 enabled: true
+ service:
+ enabled: true
 ingressRoute:
 dashboard:
@@ -103,3 +105,51 @@ spec:
 - "email"
 YAML
 }
+
+resource "kubernetes_network_policy_v1" "traefik_metrics" {
+ metadata {
+ name = "traefik-metrics"
+ namespace = "kube-system"
+ }
+
+ spec {
+ pod_selector {
+ match_labels = {
+ "app.kubernetes.io/name" = "rke2-traefik"
+ }
+ }
+
+ policy_types = ["Ingress"]
+
+ ingress {
+ ports {
+ protocol = "TCP"
+ port = 9100
+ }
+ }
+ }
+}
+
+resource "kubernetes_network_policy_v1" "coredns_metrics" {
+ metadata {
+ name = "coredns-metrics"
+ namespace = "kube-system"
+ }
+
+ spec {
+ pod_selector {
+ match_labels = {
+ "k8s-app" = "kube-dns"
+ }
+ }
+
+ policy_types = ["Ingress"]
+
+ ingress {
+ ports {
+ protocol = "TCP"
+ port = 9153
+ }
+ }
+ }
+}
From 107dd0bff3316ab1c70f36cde1a2735320b08c2a Mon Sep 17 00:00:00 2001
From: ProfiiDev <92174452+Profiidev@users.noreply.github.com>
Date: Sun, 30 Nov 2025 15:25:19 +0100
Subject: [PATCH 40/43] fix: minor changes
---
 terraform/README.md | 54 +++++++++++++++----
 terraform/apps/variables.tf | 6 ---
 terraform/db/templates/postgres.values.tftpl | 9 ++++
 terraform/metrics/templates/loki.values.tftpl | 17 ++++++
 terraform/storage/longhorn.tf | 22 ++++++++
 terraform/storage/vault.tf | 11 ----
 6 files changed, 93 insertions(+), 26 deletions(-)
diff --git a/terraform/README.md b/terraform/README.md
index 764f916..0b9e172 100644
--- a/terraform/README.md
+++ b/terraform/README.md
@@ -77,7 +77,19 @@ tools/longhorn-proxy:
 - client-id:
 - client-secret:
-- cookie-secret:
+- secret:
+
+apps/alloy-proxy:
+
+- client-id:
+- client-secret:
+- secret:
+
+tools/traefik-proxy:
+
+- client-id:
+- client-secret:
+- secret:
 tools/auto-clean-bot:
@@ -139,13 +151,6 @@ apps/proton:
 - CORS_ORIGIN:
 - RUST_LOG:
-apps/charm:
-
-- CORS_ORIGIN:
-- DB_URL:
-- RUST_LOG:
-- DB_LOGGING:
-
 ### After DB setup (step 4)
 apps/lgtm:
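Review bot: Both new policies select pods with `policy_types = ["Ingress"]` and a single `ingress` rule that lists `ports` but no `from`, so each selected pod now accepts the metrics port from any source (every namespace, the nodes, anything that can reach a pod IP) and is denied every other ingress unless some other policy allows it. For `coredns_metrics` that other traffic is cluster DNS on 53/UDP and 53/TCP to the `k8s-app=kube-dns` pods; for `traefik_metrics` it is the web entrypoints of `rke2-traefik`; rke2 installs default kube-system policies only under some profiles, so check `kubectl get networkpolicy -n kube-system` before applying. Scoping the rule to the namespace that runs the scraper keeps the port off the open list, as sketched below with a placeholder namespace; the same `from` block belongs in `coredns_metrics` for port 9153.
```hcl
  ingress {
    from {
      namespace_selector {
        match_labels = {
          # constructed placeholder: the namespace the Prometheus scraper runs in
          "kubernetes.io/metadata.name" = "<METRICS_NAMESPACE>"
        }
      }
    }
    ports {
      protocol = "TCP"
      port     = 9100
    }
  }
  # … unchanged: metadata, pod_selector, policy_types …
```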
@@ -209,6 +214,37 @@ create user:
 docker exec -it panel php artisan p:user:make
 ```
-vault oidc
+### Vault OIDC setup
+
+role
+
+```bash
+vault write auth/oidc/role/default \
+ bound_audiences="7f25d29e-ff95-4161-b95a-ad5d918bd85f" \
+ allowed_redirect_uris="https://vault.profidev.io/ui/vault/auth/oidc/oidc/callback" \
+ user_claim="email" \
+ groups_claim="groups" \
+ token_policies="default" \
+ oidc_scopes="email,profile"
+```
+
+policy
+
+```hcl
+path "*" {
+ capabilities = ["create", "read", "update", "delete", "list"]
+}
+```
+
+group:
+
+name: Vault Admin
+type: external
+policies: admin
+add alias: Vault Admin
+
 docker
 refresh token
+rustfs custom
+
+look at everything
diff --git a/terraform/apps/variables.tf b/terraform/apps/variables.tf
index 79e60d1..cab9ec3 100644
--- a/terraform/apps/variables.tf
+++ b/terraform/apps/variables.tf
@@ -10,12 +10,6 @@ variable "positron_ns" {
 default = "positron"
 }
-variable "charm_ns" {
- description = "The namespace where Charm is deployed"
- type = string
- default = "charm"
-}
-
 variable "nextcloud_ns" {
 description = "The namespace where Nextcloud is deployed"
 type = string
diff --git a/terraform/db/templates/postgres.values.tftpl b/terraform/db/templates/postgres.values.tftpl
index ebf1569..ebe8e44 100644
--- a/terraform/db/templates/postgres.values.tftpl
+++ b/terraform/db/templates/postgres.values.tftpl
@@ -13,3 +13,12 @@ metrics:
 enabled: true
 serviceMonitor:
 enabled: true
+
+primary:
+ resources:
+ limits:
+ cpu: "500m"
+ memory: "1Gi"
+ requests:
+ cpu: "250m"
+ memory: "256Mi"
diff --git a/terraform/metrics/templates/loki.values.tftpl b/terraform/metrics/templates/loki.values.tftpl
index a919195..97a4eae 100644
--- a/terraform/metrics/templates/loki.values.tftpl
+++ b/terraform/metrics/templates/loki.values.tftpl
@@ -67,6 +67,23 @@ deploymentMode: SingleBinary
 gateway:
 enabled: false
+singleBinary:
+ extraVolumes:
+ - name: cluster-ca-cert
+ secret:
+ defaultMode: 420
+ secretName: kube-root-ca.crt
+ extraVolumeMounts:
+ - mountPath: /etc/ssl/certs/${ca_hash}.0
+ subPath: ${ca_hash}.0
+ name: cluster-ca-cert
+ readOnly: true
+ extraArgs:
+ - "-config.expand-env=true"
+ extraEnvFrom:
+ - secretRef:
+ name: lgtm
+
 resultsCache:
 resources:
 requests:
diff --git a/terraform/storage/longhorn.tf b/terraform/storage/longhorn.tf
index 0e1bca0..cdc0131 100644
--- a/terraform/storage/longhorn.tf
+++ b/terraform/storage/longhorn.tf
@@ -27,3 +27,25 @@ module "k8s_api_np_longhorn" {
 depends_on = [kubernetes_namespace.storage]
 }
+
+resource "kubectl_manifest" "longhorn_secret" {
+ yaml_body = <
Date: Sun, 30 Nov 2025 18:44:47 +0100
Subject: [PATCH 41/43] refactor: use custom rustfs config
---
 terraform/README.md | 9 +-
 terraform/db/rustfs.tf | 298 ++++++++++++++++++++-
 terraform/db/templates/rustfs.values.tftpl | 26 --
 3 files changed, 291 insertions(+), 42 deletions(-)
 delete mode 100644 terraform/db/templates/rustfs.values.tftpl
diff --git a/terraform/README.md b/terraform/README.md
index 0b9e172..02b74ad 100644
--- a/terraform/README.md
+++ b/terraform/README.md
@@ -151,6 +151,11 @@ apps/proton:
 - CORS_ORIGIN:
 - RUST_LOG:
+db/rustfs:
+
+- RUSTFS_ACCESS_KEY:
+- RUSTFS_SECRET_KEY:
+
 ### After DB setup (step 4)
 apps/lgtm:
@@ -245,6 +250,4 @@ add alias: Vault Admin
 docker
 refresh token
-rustfs custom
-
-look at everything
+positron restore
diff --git a/terraform/db/rustfs.tf b/terraform/db/rustfs.tf
index 65f5bb1..f3b60e7 100644
--- a/terraform/db/rustfs.tf
+++ b/terraform/db/rustfs.tf
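Review bot: `kube-root-ca.crt` is mounted here as a `secret`, but the object Kubernetes creates under that name in every namespace is a ConfigMap, so this volume only resolves if a Secret of that name is created in the Loki namespace elsewhere in the repo (the `ca.hash` file read in metrics/variables.tf hints at a custom CA setup, but nothing in this hunk creates the Secret) — confirm it exists, or switch the volume to `configMap: { name: kube-root-ca.crt }`. The `extraEnvFrom` entry is a `secretRef` without `optional: true`, and with `-config.expand-env=true` every `${VAR}` in the Loki config is resolved from it, so the `lgtm` Secret must exist before the chart rolls out or the pod sits in CreateContainerConfigError. A one-line comment above `extraVolumes` naming which CA this is and why Loki needs it in the system trust store would help the next reader, e.g. `# trust the cluster CA so Loki can verify in-cluster TLS endpoints`, if that is the intent.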
@@ -4,19 +4,290 @@ resource "kubernetes_namespace" "rustfs" {
 }
 }
-resource "helm_release" "minio" {
- name = "rustfs"
- repository = "https://charts.rustfs.com"
- chart = "rustfs"
- version = "0.0.68"
- namespace = var.rustfs_ns
-
- values = [templatefile("${path.module}/templates/rustfs.values.tftpl", {
- storage_class = var.storage_class
- ingress_class = var.ingress_class
- cert_issuer = var.cert_issuer_prod
- password = var.rustfs_password
- })]
+resource "kubectl_manifest" "rustfs_secret" {
+ yaml_body = <
Date: Sun, 30 Nov 2025 22:40:48 +0100
Subject: [PATCH 42/43] fix: docker config
---
 nix/services.nix | 4 +++-
 terraform/README.md | 3 +++
 terraform/docker/k8s_bridge.tf | 8 ++++----
 terraform/docker/pterodactyl.tf | 1 -
 terraform/docker/wings.tf | 3 +--
 terraform/modules/docker/service.tf | 2 ++
 6 files changed, 13 insertions(+), 8 deletions(-)
diff --git a/nix/services.nix b/nix/services.nix
index 644884b..cb5bf0f 100644
--- a/nix/services.nix
+++ b/nix/services.nix
@@ -10,7 +10,9 @@ networking.firewall = {
 enable = true;
 allowedTCPPorts = [
- #6443 # Kubernetes API server
+ 6443 # Kubernetes API server
+ 593
+ 594
 ];
 };
diff --git a/terraform/README.md b/terraform/README.md
index 02b74ad..c554468 100644
--- a/terraform/README.md
+++ b/terraform/README.md
@@ -219,6 +219,8 @@ create user:
 docker exec -it panel php artisan p:user:make
 ```
+copy ssl ca bundles to /mnt/ssl for wings because of symlinks
+
 ### Vault OIDC setup
 role
@@ -251,3 +253,4 @@ add alias: Vault Admin
 docker
 refresh token
 positron restore
+close port
diff --git a/terraform/docker/k8s_bridge.tf b/terraform/docker/k8s_bridge.tf
index 883baf4..b55e388 100644
--- a/terraform/docker/k8s_bridge.tf
+++ b/terraform/docker/k8s_bridge.tf
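Review bot: The `allowedTCPPorts` hunk opens 593 and 594 on the host firewall, and the pterodactyl.tf and wings.tf hunks that follow drop `ip = "127.0.0.1"` from the same two published ports, so the panel's plain-HTTP port (593 → container 80) and the wings API (594 → container 443) become reachable on every host interface, including the public address `159.195.58.52` that k8s_bridge.tf now points both modules at, bypassing the Traefik ingress (and the `cert_issuer`/`cloudflare` settings that module carries). The README's `close port` note and the final patch in this series only toggle 6443, so 593/594 stay open after it. If the only consumer is the in-cluster bridge, keep `ip = "127.0.0.1"` (or bind to an internal address the cluster can reach) and leave 593/594 out of `allowedTCPPorts`; if the bridge genuinely has to reach the host through its public address, restrict the rule to the cluster's source addresses instead of opening it globally. The `networking.firewall` set and both `docker_container` resources continue outside their hunks.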
@@ -8,12 +8,12 @@ module "wings" {
 source = "../modules/docker"
 name = "wings"
- port = 443
+ port = 594
 cert_issuer = var.cert_issuer_prod
 cloudflare = false
 cloudflare_ca_cert_var = var.cloudflare_ca_cert_var
 cloudflare_cert_var = var.cloudflare_cert_var
- ip = "192.168.202.10"
+ ip = "159.195.58.52"
 domain = "wings.profidev.io"
 ingress_class = var.ingress_class
 namespace = var.docker_ns
@@ -26,12 +26,12 @@ module "panel" {
 source = "../modules/docker"
 name = "panel"
- port = 80
+ port = 593
 cert_issuer = var.cert_issuer_prod
 cloudflare = true
 cloudflare_ca_cert_var = var.cloudflare_ca_cert_var
 cloudflare_cert_var = var.cloudflare_cert_var
- ip = "192.168.201.10"
+ ip = "159.195.58.52"
 domain = "panel.profidev.io"
 ingress_class = var.ingress_class
 namespace = var.docker_ns
diff --git a/terraform/docker/pterodactyl.tf b/terraform/docker/pterodactyl.tf
index d5b04b3..1491bd7 100644
--- a/terraform/docker/pterodactyl.tf
+++ b/terraform/docker/pterodactyl.tf
@@ -75,7 +75,6 @@ resource "docker_container" "pt_panel" {
 ports {
 internal = 80
 external = 593
- ip = "127.0.0.1"
 }
 volumes {
 volume_name = docker_volume.pt_var.name
diff --git a/terraform/docker/wings.tf b/terraform/docker/wings.tf
index e51da3e..884d781 100644
--- a/terraform/docker/wings.tf
+++ b/terraform/docker/wings.tf
@@ -21,7 +21,6 @@ resource "docker_container" "wings" {
 ports {
 external = 594
 internal = 443
- ip = "127.0.0.1"
 }
 tty = true
 env = [
@@ -55,7 +54,7 @@ resource "docker_container" "wings" {
 container_path = "/tmp/pterodactyl/"
 }
 volumes {
- host_path = "/etc/ssl/certs"
+ host_path = "/mnt/ssl"
 container_path = "/etc/ssl/certs"
 read_only = true
 }
diff --git a/terraform/modules/docker/service.tf b/terraform/modules/docker/service.tf
index 14cc9b8..a537300 100644
--- a/terraform/modules/docker/service.tf
+++ b/terraform/modules/docker/service.tf
@@ -51,6 +51,8 @@ spec:
 secretNames:
 - ${var.cloudflare_ca_cert_var}
 YAML
+
+ count = var.cloudflare ? 1 : 0
 }
 resource "kubernetes_service_v1" "service" {
From 2f3c74c841dc935d1bbe6d4e43f913e7c518be98 Mon Sep 17 00:00:00 2001
From: ProfiiDev <92174452+Profiidev@users.noreply.github.com>
Date: Mon, 1 Dec 2025 00:16:32 +0100
Subject: [PATCH 43/43] fix: close k8s ports
---
 nix/services.nix | 2 +-
 terraform/README.md | 5 -----
 2 files changed, 1 insertion(+), 6 deletions(-)
diff --git a/nix/services.nix b/nix/services.nix
index cb5bf0f..4a579f3 100644
--- a/nix/services.nix
+++ b/nix/services.nix
@@ -10,7 +10,7 @@ networking.firewall = {
 enable = true;
 allowedTCPPorts = [
- 6443 # Kubernetes API server
+ #6443 # Kubernetes API server
 593
 594
 ];
diff --git a/terraform/README.md b/terraform/README.md
index c554468..234a6f3 100644
--- a/terraform/README.md
+++ b/terraform/README.md
@@ -249,8 +249,3 @@ name: Vault Admin
 type: external
 policies: admin
 add alias: Vault Admin
-
-docker
-refresh token
-positron restore
-close port
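Review bot: `count = var.cloudflare ? 1 : 0` is appended after the `yaml_body` heredoc at the very end of the resource, whereas Terraform convention is to put meta-arguments (`count`, `for_each`) as the first lines of the block followed by a blank line, so a reader sees up front that the resource is conditional; moving that one line to the top of the block is enough. Adding `count` also turns every reference to this resource into a list, so any `depends_on` or attribute reference elsewhere in the module must become `kubectl_manifest.<RESOURCE_NAME>[0]` (placeholder — the resource header is above the hunk) or a splat; none are visible here, so check the rest of the module. A short comment such as `# only needed when the origin is fronted by Cloudflare` next to `count` would explain why the manifest is conditional.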