diff --git a/.gitignore b/.gitignore
index f927764f..6fe688a3 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1 +1,24 @@
-dnsendpoint.yaml
+# Trash
+.DS_Store
+Thumbs.db
+tmp
+# k8s
+kubeconfig
+talosconfig
+# vscode-sops
+.decrypted~*.yaml
+*.agekey
+*.pub
+*.key
+# Taskfile
+.task
+Brewfile.lock.json
+# Output
+megalinter-reports
+# scripts
+node_modules
+*.log
+*.pem
+# Python
+.venv*
+_out
diff --git a/AGENTS.md b/AGENTS.md
new file mode 100644
index 00000000..7d50bb7a
--- /dev/null
+++ b/AGENTS.md
@@ -0,0 +1,221 @@ +# AGENTS.md - AI Coding Agent Guidelines + +## Repository Overview + +This is a **Kubernetes GitOps homelab infrastructure** repository using [FluxCD](https://fluxcd.io/) to manage cluster state. It runs on [Talos Linux](https://www.talos.dev/) with applications deployed via Helm and Kustomize. + +**Key Technologies:** +- FluxCD (GitOps continuous delivery) +- Kustomize (configuration management) +- SOPS + age (secrets encryption) +- Helm (application packaging) +- Talos Linux (immutable Kubernetes OS) + +## Build / Lint / Test Commands + +### Validate All Kustomizations +```bash +# Validate all kustomize builds across the cluster +find kubernetes/main/apps -name "kustomization.yaml" -exec dirname {} \; | \ + xargs -I {} sh -c 'echo "Building {}" && kustomize build {} > /dev/null || exit 1' +``` + +### Validate Single Application +```bash +# Test a specific application's kustomization +kustomize build kubernetes/main/apps//app + +# Example: Test audiobookshelf +kustomize build kubernetes/main/apps/audiobookshelf/app +``` + +### YAML Validation (if yamllint installed) +```bash +# Lint all YAML files +yamllint kubernetes/ + +# Lint specific file +yamllint kubernetes/main/apps//app/.yaml +``` + +### Kubernetes Schema Validation (if kubeconform installed) +```bash +# Validate Kubernetes manifests against schemas +kustomize build kubernetes/main/apps//app | kubeconform -strict +``` + +### Check SOPS Encryption +```bash +# Verify secrets are properly encrypted +sops -d kubernetes/main/apps//app/.sops.yaml > /dev/null && echo "Valid" +``` + +### Flux Validation +```bash +# Validate Flux Kustomization resources +flux get kustomizations + +# Reconcile specific app manually +flux reconcile kustomization +``` + +## Code Style Guidelines + +### File Naming Conventions +- Use **kebab-case** for all filenames: `my-config.yaml`, `deployment.yaml` +- Secrets must use `.sops.yaml` extension: `secret.sops.yaml` +- Kustomization files must be named exactly: 
`kustomization.yaml` +- Application entry point: `ks.yaml` (Flux Kustomization resource) + +### Directory Structure +``` +apps// +├── ks.yaml # Flux Kustomization (root resource) +└── app/ + ├── kustomization.yaml # Lists all resources + ├── namespace.yaml # App namespace + ├── repository.yaml # HelmRepository (if needed) + ├── release.yaml # HelmRelease + ├── *.sops.yaml # Encrypted secrets + └── ... # Additional manifests +``` + +### YAML Formatting +- **Indentation:** 2 spaces (no tabs) +- **Document separators:** Use `---` at start of each file +- **Line endings:** Unix (LF) +- **Trailing whitespace:** Remove trailing whitespace +- **Empty lines:** Single blank line between resources +- **Quotes:** Use double quotes for strings with special characters + +### Kubernetes Resource Standards + +**Namespace Labels (Required):** +```yaml +metadata: + labels: + pod-security.kubernetes.io/audit: privileged + pod-security.kubernetes.io/enforce: privileged + pod-security.kubernetes.io/warn: privileged + goldilocks.fairwinds.com/enabled: "true" +``` + +**Common Metadata (Required in ks.yaml):** +```yaml +spec: + commonMetadata: + labels: + app.kubernetes.io/name: *app # Anchor reference +``` + +**Flux Kustomization Template:** +```yaml +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app + namespace: flux-system +spec: + targetNamespace: + commonMetadata: + labels: + app.kubernetes.io/name: *app + path: ./kubernetes/main/apps//app + prune: true + sourceRef: + kind: GitRepository + name: flux-system + namespace: flux-system + wait: false + interval: 30m + retryInterval: 1m + timeout: 5m +``` + +### Secrets Management (SOPS) + +**ALWAYS encrypt sensitive values:** +- All secrets must be stored in files ending with `.sops.yaml` +- Use `sops` CLI to edit: `sops .sops.yaml` +- Never commit plaintext secrets +- Follow the encryption regex pattern: `^(data|stringData)$` + +**Creating New Encrypted Secret:** +```bash +cat < 
secret.sops.yaml +apiVersion: v1 +kind: Secret +metadata: + name: + namespace: +stringData: + KEY: "value" # Will be encrypted +EOF +sops -e -i secret.sops.yaml +``` + +### HelmRelease Conventions + +**Standard HelmRelease Structure:** +```yaml +--- +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: + namespace: +spec: + interval: 30m + chart: + spec: + chart: + version: "x.x.x" # Pin version + sourceRef: + kind: HelmRepository + name: + namespace: flux-system + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + values: + # App-specific values +``` + +### Variable References +- Use `${SECRET_EXTERNAL_DOMAIN}` for external domain references +- Use anchors (`&app`) and aliases (`*app`) for consistent naming +- Store cluster-wide vars in `kubernetes/main/flux-system/vars/` + +## Error Handling + +**No Automated Tests:** This repo has no traditional test suite. Validation is done via: +1. `kustomize build` success +2. Flux reconciliation status +3. Kubernetes manifest schema validation + +**Debugging Tips:** +- Check Flux reconciliation: `flux get kustomizations --watch` +- Check pod status: `kubectl get pods -n ` +- View logs: `kubectl logs -n flux-system -l app=kustomize-controller` + +## PR Workflow + +Before submitting changes: +1. Run `kustomize build` on affected app(s) +2. Ensure secrets are encrypted with `.sops.yaml` extension +3. Verify YAML indentation (2 spaces) +4. Check that namespaces include required labels +5. Validate syntax with `yamllint` if available + +## Resources + +- [Flux Documentation](https://fluxcd.io/flux/) +- [Kustomize Reference](https://kubectl.docs.kubernetes.io/references/kustomize/) +- [SOPS Documentation](https://github.com/mozilla/sops) +- [Talos Linux Docs](https://www.talos.dev/v1.9/) +- Based on [flux-cluster-template](https://github.com/onedr0p/flux-cluster-template) 
diff --git a/kubernetes/main/avto-masini/avto-masini-web/ks.yaml b/kubernetes/apps/avto-masini/avto-masini-web/ks.yaml
similarity index 71%
rename from kubernetes/main/avto-masini/avto-masini-web/ks.yaml
rename to kubernetes/apps/avto-masini/avto-masini-web/ks.yaml
index 46cec0fd..5e17ed87 100644
--- a/kubernetes/main/avto-masini/avto-masini-web/ks.yaml
+++ b/kubernetes/apps/avto-masini/avto-masini-web/ks.yaml
@@ -1,4 +1,5 @@
 ---
+# yaml-language-server: $schema=https://crd.movishell.pl/kustomize.toolkit.fluxcd.io/kustomization_v1.json
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
@@ -9,11 +10,12 @@ spec:
 commonMetadata:
 labels:
 app.kubernetes.io/name: *app
- path: ./kubernetes/main/avto-masini/avto-masini-web/staging
+ path: ./kubernetes/apps/avto-masini/avto-masini-web/staging
 prune: true
 sourceRef:
 kind: GitRepository
 name: flux-system
+ namespace: flux-system
 wait: false
 interval: 30m
 retryInterval: 1m
@@ -29,12 +31,13 @@ spec:
 commonMetadata:
 labels:
 app.kubernetes.io/name: *app
- path: ./kubernetes/main/avto-masini/avto-masini-web/production
+ path: ./kubernetes/apps/avto-masini/avto-masini-web/production
 prune: true
 sourceRef:
 kind: GitRepository
 name: flux-system
+ namespace: flux-system
 wait: false
 interval: 30m
 retryInterval: 1m
- timeout: 5m
\ No newline at end of file
+ timeout: 5m
diff --git a/kubernetes/main/avto-masini/avto-masini-web/production/deployment.yaml b/kubernetes/apps/avto-masini/avto-masini-web/production/deployment.yaml
similarity index 98%
rename from kubernetes/main/avto-masini/avto-masini-web/production/deployment.yaml
rename to kubernetes/apps/avto-masini/avto-masini-web/production/deployment.yaml
index a2fe91a5..4a09adf7 100644
--- a/kubernetes/main/avto-masini/avto-masini-web/production/deployment.yaml
+++ b/kubernetes/apps/avto-masini/avto-masini-web/production/deployment.yaml
@@ -29,7 +29,7 @@ spec:
 image: ghcr.io/avto-masini/avto-masini-web:v2.0.10
 imagePullPolicy: Always
 ports:
- - name: prod-svc
+ - name: http
 containerPort: 80
 livenessProbe:
 httpGet:
diff --git a/kubernetes/main/avto-masini/avto-masini-web/production/ingress.yaml b/kubernetes/apps/avto-masini/avto-masini-web/production/ingress.yaml
similarity index 78%
rename from kubernetes/main/avto-masini/avto-masini-web/production/ingress.yaml
rename to kubernetes/apps/avto-masini/avto-masini-web/production/ingress.yaml
index 23a63fd3..9fb419ca 100644
--- a/kubernetes/main/avto-masini/avto-masini-web/production/ingress.yaml
+++ b/kubernetes/apps/avto-masini/avto-masini-web/production/ingress.yaml
@@ -5,10 +5,10 @@ metadata:
 name: avto-masini-web-production-ingress
 namespace: avto-masini
 annotations:
- external-dns.alpha.kubernetes.io/target: "${SECRET_PROD_DOMAIN}"
+ external-dns.alpha.kubernetes.io/target: "${SECRET_AVTO_MASINI_TUNNEL_ID}.cfargotunnel.com"
 external-dns.alpha.kubernetes.io/hostname: "${SECRET_PROD_DOMAIN}, www.${SECRET_PROD_DOMAIN}"
 spec:
- ingressClassName: avto-masini
+ ingressClassName: traefik-avto-masini
 rules:
 - host: "${SECRET_PROD_DOMAIN}"
 http:
@@ -19,7 +19,7 @@ spec:
 service:
 name: avto-masini-web-production
 port:
- name: prod-svc
+ number: 80
 - host: "www.${SECRET_PROD_DOMAIN}"
 http:
 paths:
@@ -29,4 +29,4 @@ spec:
 service:
 name: avto-masini-web-production
 port:
- name: prod-svc
+ number: 80
diff --git a/kubernetes/main/avto-masini/avto-masini-web/staging/kustomization.yaml b/kubernetes/apps/avto-masini/avto-masini-web/production/kustomization.yaml
similarity index 67%
rename from kubernetes/main/avto-masini/avto-masini-web/staging/kustomization.yaml
rename to kubernetes/apps/avto-masini/avto-masini-web/production/kustomization.yaml
index 0935db4a..46fd9653 100644
--- a/kubernetes/main/avto-masini/avto-masini-web/staging/kustomization.yaml
+++ b/kubernetes/apps/avto-masini/avto-masini-web/production/kustomization.yaml
@@ -1,4 +1,5 @@
 ---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
diff --git a/kubernetes/main/avto-masini/avto-masini-web/production/secret.yaml b/kubernetes/apps/avto-masini/avto-masini-web/production/secret.yaml
similarity index 100%
rename from kubernetes/main/avto-masini/avto-masini-web/production/secret.yaml
rename to kubernetes/apps/avto-masini/avto-masini-web/production/secret.yaml
diff --git a/kubernetes/main/avto-masini/avto-masini-web/production/service.yaml b/kubernetes/apps/avto-masini/avto-masini-web/production/service.yaml
similarity index 74%
rename from kubernetes/main/avto-masini/avto-masini-web/production/service.yaml
rename to kubernetes/apps/avto-masini/avto-masini-web/production/service.yaml
index 2e7c4e54..d396e1e4 100644
--- a/kubernetes/main/avto-masini/avto-masini-web/production/service.yaml
+++ b/kubernetes/apps/avto-masini/avto-masini-web/production/service.yaml
@@ -5,9 +5,9 @@ metadata:
 namespace: avto-masini
 spec:
 ports:
- - name: avto-masini-web-production
+ - name: http
 port: 80
- targetPort: prod-svc
+ targetPort: 80
 selector:
 app: avto-masini-web-production
 type: ClusterIP
diff --git a/kubernetes/main/avto-masini/avto-masini-web/staging/deployment.yaml b/kubernetes/apps/avto-masini/avto-masini-web/staging/deployment.yaml
similarity index 98%
rename from kubernetes/main/avto-masini/avto-masini-web/staging/deployment.yaml
rename to kubernetes/apps/avto-masini/avto-masini-web/staging/deployment.yaml
index 1c49efc9..7558a5ab 100644
--- a/kubernetes/main/avto-masini/avto-masini-web/staging/deployment.yaml
+++ b/kubernetes/apps/avto-masini/avto-masini-web/staging/deployment.yaml
@@ -27,7 +27,7 @@ spec:
 image: ghcr.io/avto-masini/avto-masini-web:9ff0c4c
 imagePullPolicy: Always
 ports:
- - name: staging-svc
+ - name: http
 containerPort: 80
 livenessProbe:
 httpGet:
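Review bot: `targetPort: 80` in the production Service hunk (`@@ -5,9 +5,9 @@`) replaces the named reference with a number at the same time this commit renames the container port to `http` in deployment.yaml; `targetPort: http` keeps the Service tied to the named port so a later change of `containerPort` cannot silently break routing, and the same applies to the staging service.yaml hunk further down. Separately, `production/secret.yaml` and `staging/secret.yaml` are carried over unchanged (100% similarity) without the `.sops.yaml` suffix the repository's own guideline requires for Secrets; their contents are not in the diff, so confirm they carry SOPS metadata or hold no plaintext credentials before this merges.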
diff --git a/kubernetes/main/avto-masini/avto-masini-web/staging/ingress.yaml b/kubernetes/apps/avto-masini/avto-masini-web/staging/ingress.yaml
similarity index 80%
rename from kubernetes/main/avto-masini/avto-masini-web/staging/ingress.yaml
rename to kubernetes/apps/avto-masini/avto-masini-web/staging/ingress.yaml
index 4ac9fa52..b0893523 100644
--- a/kubernetes/main/avto-masini/avto-masini-web/staging/ingress.yaml
+++ b/kubernetes/apps/avto-masini/avto-masini-web/staging/ingress.yaml
@@ -5,8 +5,8 @@ metadata:
 name: avto-masini-web-staging-ingress
 namespace: avto-masini
 annotations:
- external-dns.alpha.kubernetes.io/target: "${SECRET_PROD_DOMAIN}"
- external-dns.alpha.kubernetes.io/hostname: "${SECRET_PROD_DOMAIN}"
+ external-dns.alpha.kubernetes.io/target: "${SECRET_AVTO_MASINI_TUNNEL_ID}.cfargotunnel.com"
+ external-dns.alpha.kubernetes.io/hostname: "staging.${SECRET_PROD_DOMAIN}"
 # nginx.ingress.kubernetes.io/auth-url: |-
 # http://ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx
 # nginx.ingress.kubernetes.io/auth-signin: |-
@@ -16,7 +16,7 @@ metadata:
 # nginx.ingress.kubernetes.io/auth-snippet: |
 # proxy_set_header X-Forwarded-Host $http_host;
 spec:
- ingressClassName: avto-masini
+ ingressClassName: traefik-avto-masini
 rules:
 - host: "staging.${SECRET_PROD_DOMAIN}"
 http:
@@ -27,4 +27,4 @@ spec:
 service:
 name: avto-masini-web-staging
 port:
- name: staging-svc
+ number: 80
diff --git a/kubernetes/main/avto-masini/avto-masini-web/production/kustomization.yaml b/kubernetes/apps/avto-masini/avto-masini-web/staging/kustomization.yaml
similarity index 67%
rename from kubernetes/main/avto-masini/avto-masini-web/production/kustomization.yaml
rename to kubernetes/apps/avto-masini/avto-masini-web/staging/kustomization.yaml
index 0935db4a..46fd9653 100644
--- a/kubernetes/main/avto-masini/avto-masini-web/production/kustomization.yaml
+++ b/kubernetes/apps/avto-masini/avto-masini-web/staging/kustomization.yaml
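Review bot: The commented-out `nginx.ingress.kubernetes.io/auth-*` annotations kept as context in the `@@ -5,8 +5,8 @@` and `@@ -16,7 +16,7 @@` hunks are nginx-specific and do nothing under the new `ingressClassName: traefik-avto-masini`, so the staging host is served with no authentication in front of it. The cloudflared config added in this commit routes `*.${SECRET_PROD_DOMAIN}` to Traefik, which means `staging.${SECRET_PROD_DOMAIN}` is publicly reachable as soon as this Ingress exists. If staging is meant to be gated, that now needs a Traefik ForwardAuth middleware rather than these annotations; if it is meant to be public, delete the dead block and say so in one line, e.g. `# no auth in front of staging; exposed through the Cloudflare tunnel like production`.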
@@ -1,4 +1,5 @@
 ---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
diff --git a/kubernetes/main/avto-masini/avto-masini-web/staging/secret.yaml b/kubernetes/apps/avto-masini/avto-masini-web/staging/secret.yaml
similarity index 100%
rename from kubernetes/main/avto-masini/avto-masini-web/staging/secret.yaml
rename to kubernetes/apps/avto-masini/avto-masini-web/staging/secret.yaml
diff --git a/kubernetes/main/avto-masini/avto-masini-web/staging/service.yaml b/kubernetes/apps/avto-masini/avto-masini-web/staging/service.yaml
similarity index 74%
rename from kubernetes/main/avto-masini/avto-masini-web/staging/service.yaml
rename to kubernetes/apps/avto-masini/avto-masini-web/staging/service.yaml
index 5014eb64..ff56f640 100644
--- a/kubernetes/main/avto-masini/avto-masini-web/staging/service.yaml
+++ b/kubernetes/apps/avto-masini/avto-masini-web/staging/service.yaml
@@ -5,9 +5,9 @@ metadata:
 namespace: avto-masini
 spec:
 ports:
- - name: avto-masini-web-staging
+ - name: http
 port: 80
- targetPort: staging-svc
+ targetPort: 80
 selector:
 app: avto-masini-web-staging
 type: ClusterIP
diff --git a/kubernetes/apps/avto-masini/cloudflared/app/config/config.yaml b/kubernetes/apps/avto-masini/cloudflared/app/config/config.yaml
new file mode 100644
index 00000000..99e067ab
--- /dev/null
+++ b/kubernetes/apps/avto-masini/cloudflared/app/config/config.yaml
@@ -0,0 +1,10 @@
+---
+originRequest:
+ noTLSVerify: true
+
+ingress:
+ - hostname: "${SECRET_PROD_DOMAIN}"
+ service: https://traefik.avto-masini.svc.cluster.local:443
+ - hostname: "*.${SECRET_PROD_DOMAIN}"
+ service: https://traefik.avto-masini.svc.cluster.local:443
+ - service: http_status:404
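Review bot: `noTLSVerify: true` sits at the top-level `originRequest` of the new config.yaml, so it applies to every rule in the file, and the `*.${SECRET_PROD_DOMAIN}` catch-all forwards any hostname under the domain to Traefik, meaning each Ingress that later uses the `traefik-avto-masini` class becomes reachable from the internet without a change here. Both choices may be fine for a homelab, but neither is explained; add `# Traefik's in-cluster certificate is self-signed; verification is skipped only for this cluster-local origin` above `noTLSVerify`, and consider moving `originRequest` under the two named rules (each `ingress` entry accepts its own `originRequest`) so the 404 fallback and any future rule do not inherit it. If the hop to Traefik stays inside the cluster, trusting Traefik's issuing CA via `caPool` keeps verification on instead of disabling it.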
diff --git a/kubernetes/main/avto-masini/cloudflared/app/dnsendpoint.yaml b/kubernetes/apps/avto-masini/cloudflared/app/dnsendpoint.yaml
similarity index 75%
rename from kubernetes/main/avto-masini/cloudflared/app/dnsendpoint.yaml
rename to kubernetes/apps/avto-masini/cloudflared/app/dnsendpoint.yaml
index cb592c20..c40a4a94 100644
--- a/kubernetes/main/avto-masini/cloudflared/app/dnsendpoint.yaml
+++ b/kubernetes/apps/avto-masini/cloudflared/app/dnsendpoint.yaml
@@ -8,4 +8,4 @@ spec:
 endpoints:
 - dnsName: "external.${SECRET_PROD_DOMAIN}"
 recordType: CNAME
- targets: ["${SECRET_CLOUDFLARE_TUNNEL_ID}.cfargotunnel.com"]
+ targets: ["${SECRET_AVTO_MASINI_TUNNEL_ID}.cfargotunnel.com"]
diff --git a/kubernetes/main/apps/cloudflared/app/release.yaml b/kubernetes/apps/avto-masini/cloudflared/app/helmrelease.yaml
similarity index 67%
rename from kubernetes/main/apps/cloudflared/app/release.yaml
rename to kubernetes/apps/avto-masini/cloudflared/app/helmrelease.yaml
index 946d1fb5..d9f0166e 100644
--- a/kubernetes/main/apps/cloudflared/app/release.yaml
+++ b/kubernetes/apps/avto-masini/cloudflared/app/helmrelease.yaml
@@ -4,7 +4,7 @@ apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
 name: cloudflared
- namespace: cloudflared
+ namespace: avto-masini
 spec:
 interval: 30m
 chart:
@@ -14,8 +14,7 @@ spec:
 sourceRef:
 kind: HelmRepository
 name: bjw-s
- namespace: cloudflared
- # DEPENDS ON EXTERNAL-DNS ?, EXTERNAL-DNS DEPENDS ON NGINX-INGRESS
+ namespace: flux-system
 install:
 remediation:
 retries: 3
@@ -52,40 +51,11 @@ spec:
 - /etc/cloudflared/config/config.yaml
 - run
 - "$(TUNNEL_ID)"
- # probes:
- # liveness: &probes
- # enabled: true
- # custom: true
- # spec:
- # httpGet:
- # path: /ready
- # port: &port 8080
- # initialDelaySeconds: 0
- # periodSeconds: 10
- # timeoutSeconds: 1
- # failureThreshold: 3
- # readiness: *probes
- # securityContext:
- # allowPrivilegeEscalation: false
- # readOnlyRootFilesystem: true
- # capabilities: { drop: ["ALL"] }
- # sysctls:
- # - name: net.ipv4.ping_group_range
- # value: "0 2147483647"
 resources:
 requests:
 cpu: 10m
 limits:
 memory: 256Mi
- # defaultPodOptions:
- # securityContext:
- # runAsNonRoot: true
- # runAsUser: 65534
- # runAsGroup: 65534
- # seccompProfile: { type: RuntimeDefault }
- # sysctls:
- # - name: net.ipv4.ping_group_range
- # value: "0 2147483647"
 service:
 app:
 controller: cloudflared
diff --git a/kubernetes/main/apps/cloudflared/app/kustomization.yaml b/kubernetes/apps/avto-masini/cloudflared/app/kustomization.yaml
similarity index 67%
rename from kubernetes/main/apps/cloudflared/app/kustomization.yaml
rename to kubernetes/apps/avto-masini/cloudflared/app/kustomization.yaml
index 36506d48..2532525a 100644
--- a/kubernetes/main/apps/cloudflared/app/kustomization.yaml
+++ b/kubernetes/apps/avto-masini/cloudflared/app/kustomization.yaml
@@ -1,16 +1,15 @@
 ---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- - ./namespace.yaml
- - ./repository.yaml
 - ./secret.sops.yaml
 - ./dnsendpoint.yaml
- - ./release.yaml
+ - ./helmrelease.yaml
 configMapGenerator:
 - name: cloudflared-configmap
 namespace: cloudflared
 files:
- - ./configs/config.yaml
+ - ./config/config.yaml
 generatorOptions:
 disableNameSuffixHash: true
diff --git a/kubernetes/apps/avto-masini/cloudflared/app/secret.sops.yaml b/kubernetes/apps/avto-masini/cloudflared/app/secret.sops.yaml
new file mode 100644
index 00000000..4a379d43
--- /dev/null
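Review bot: Deleting the commented `securityContext` and `defaultPodOptions` block in the `@@ -52,40 +51,11 @@` hunk leaves the cloudflared container on chart defaults — no `runAsNonRoot`, writable root filesystem, full capability set — in a namespace whose Pod Security labels are `privileged`, so nothing will warn about it. The removed block was already most of a working hardened profile; re-enabling it (without the `sysctls` entries unless ICMP proxying is actually used) is a small change better made as part of this move than after it is forgotten. If the probes stayed off because `/ready` on port 8080 is not exposed in this setup, a one-line comment above `resources:` saying so would stop the next reader from re-adding them blindly; the enclosing `containers` block starts before this hunk.
```yaml
          # … unchanged: args, resources …
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities: { drop: ["ALL"] }
    defaultPodOptions:
      securityContext:
        runAsNonRoot: true
        runAsUser: 65534
        runAsGroup: 65534
        seccompProfile: { type: RuntimeDefault }
    # … unchanged: service …
```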
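Review bot: The `configMapGenerator` entry in the kustomization.yaml hunk still reads `namespace: cloudflared` while everything else in this directory (`secret.sops.yaml`, `helmrelease.yaml`) now targets `avto-masini`. Flux's `targetNamespace: avto-masini` in the cloudflared ks.yaml most likely rewrites it at reconcile time, which would be why the release still finds its ConfigMap, but a plain `kustomize build` (the check AGENTS.md asks for) emits the ConfigMap into the wrong namespace, and it becomes a real outage the day `targetNamespace` is dropped; change it to `namespace: avto-masini`.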
+++ b/kubernetes/apps/avto-masini/cloudflared/app/secret.sops.yaml
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: cloudflared-secret
+ namespace: avto-masini
+stringData:
+ TUNNEL_ID: ENC[AES256_GCM,data:gk3nDGz2p9ARbp7HmF8uECKWs+3eDv3Er2dFYlwLZtT2PyCx,iv:/KA0QlNWFYrnAMMUWpN+dGW3dd9t+35XS2bg+QH4cU8=,tag:I3dLa4jHeXTA29lmNxMDcg==,type:str]
+ credentials.json: ENC[AES256_GCM,data:RmOGx7g5HvdO7qicfp7P6XuNzGFtGm4tyt8AyBWzuJes+9b5kKj6AfvbntFl7Xqxp4JgINbWo5zx36O1D382bSdA/BoGVYpkqhzVDgNH4foCcliNdLny1LDTTSZf921bvH9T0leREcszZBPGRafQfAABSUHaSAWOGkzXydYFUFl8QWe4icABsCaKvF21Z1kBmO1eNbz/AW017qsfXvrvDN03x96aU5CBgMfHJb87/r0=,iv:yZsLTXC+SKisdcPeXhDs5EgjMWuzzx7Si2q6RocVacQ=,tag:xKpGc1zz4AsN6ZB1ec0XDw==,type:str]
+sops:
+ age:
+ - recipient: age13swsp40tstrqluer6arm5skldvg5ucw4t390a87qcdzcj0r2jscqrraxnv
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCS3dPanhEYkliUjVZVDJP
+ MFU2b3ZFZXBKOEJsVmpSMFl3VjZQc3FnUVRzCk9ic2V5c05OMi8veVFMNGVBRGpF
+ UnY2RWNlRUdmTW5xRU41VWZ3MmxWSHcKLS0tIFRkaHNqeDZ5Y2hramxaRGpQTVRF
+ TGdnWGo0aTVGN3RTcVFGOXlNNmlKZ28KwBHGBJGjDaPPTYcjN0NOd2M+B57YBdy8
+ ZA5WR+DYrhsiGu1RVJX+y+vFiNxaAhD10mDEK4JHYTwxzX653GgXYA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2026-03-31T08:32:42Z"
+ mac: ENC[AES256_GCM,data:1khBCLC0R0Kh2VtSBMbm6oeQurpd+ck97TTXEoJsDF5s2X5HxTZ7t4p4CeDSQJp1hqb1l8yL7iOL/wFyUWm2zGw/VCTLy3Qley+JZxW6FpHbsPg7iomtDn+AIqMIdA8UOxUfvepajNu3YDutjr20jxzXzLrojZdknM4Dx8HhZ9I=,iv:3uY1cfu8FwvStXbn4zADLEggqz8xsCAsFoR5pC86KZY=,tag:vHRYpfdlKhIQ6kp4dOgULw==,type:str]
+ encrypted_regex: ^(data|stringData)$
+ version: 3.12.2
diff --git a/kubernetes/main/avto-masini/cloudflared/ks.yaml b/kubernetes/apps/avto-masini/cloudflared/ks.yaml
similarity index 67%
rename from kubernetes/main/avto-masini/cloudflared/ks.yaml
rename to kubernetes/apps/avto-masini/cloudflared/ks.yaml
index 7cf75af2..64106956 100644
--- a/kubernetes/main/avto-masini/cloudflared/ks.yaml
+++ b/kubernetes/apps/avto-masini/cloudflared/ks.yaml
@@ -1,21 +1,20 @@
 ---
+# yaml-language-server: $schema=https://crd.movishell.pl/kustomize.toolkit.fluxcd.io/kustomization_v1.json
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
 name: &app cloudflared-avto-masini
 namespace: flux-system
 spec:
- targetNamespace: avto-masini
 commonMetadata:
 labels:
 app.kubernetes.io/name: *app
- path: ./kubernetes/main/avto-masini/cloudflared/app
+ interval: 30m
+ path: ./kubernetes/apps/avto-masini/cloudflared/app
 prune: true
 sourceRef:
 kind: GitRepository
 name: flux-system
 namespace: flux-system
- wait: false
- interval: 30m
- retryInterval: 1m
- timeout: 5m
+ targetNamespace: avto-masini
+ wait: true
diff --git a/kubernetes/main/avto-masini/external-dns/app/release.yaml b/kubernetes/apps/avto-masini/external-dns/app/helmrelease.yaml
similarity index 67%
rename from kubernetes/main/avto-masini/external-dns/app/release.yaml
rename to kubernetes/apps/avto-masini/external-dns/app/helmrelease.yaml
index e3c8f3e9..12c66594 100644
--- a/kubernetes/main/avto-masini/external-dns/app/release.yaml
+++ b/kubernetes/apps/avto-masini/external-dns/app/helmrelease.yaml
@@ -1,4 +1,5 @@
 ---
+# yaml-language-server: $schema=https://crd.movishell.pl/helm.toolkit.fluxcd.io/helmrelease_v2.json
 apiVersion: helm.toolkit.fluxcd.io/v2
 kind: HelmRelease
 metadata:
@@ -9,21 +10,11 @@ spec:
 chart:
 spec:
 chart: external-dns
- version: 1.15.0
+ version: 1.20.0
 sourceRef:
 kind: HelmRepository
 name: external-dns
- namespace: avto-masini
- # install:
- # crds: CreateReplace
- # remediation:
- # retries: 3
- # upgrade:
- # cleanupOnFail: true
- # crds: CreateReplace
- # remediation:
- # strategy: rollback
- # retries: 3
+ namespace: flux-system
 values:
 fullnameOverride: *app
 provider: cloudflare
@@ -34,13 +25,14 @@ spec:
 name: external-dns-secret
 key: api-token
 extraArgs:
- - --ingress-class=avto-masini
+ - --ingress-class=traefik-avto-masini
 - --cloudflare-proxied
 - --default-targets=${SECRET_AVTO_MASINI_TUNNEL_ID}.cfargotunnel.com
+ - --force-default-targets
 policy: sync
 sources: ["crd", "ingress"]
 domainFilters: ["${SECRET_PROD_DOMAIN}"]
 serviceMonitor:
 enabled: true
 podAnnotations:
- secret.reloader.stakater.com/reload: external-dns-secret
+ secret.reloader.stakater.com/reload: external-dns-secret
diff --git a/kubernetes/main/apps/database/cloudnative-pg/cluster/kustomization.yaml b/kubernetes/apps/avto-masini/external-dns/app/kustomization.yaml
similarity index 68%
rename from kubernetes/main/apps/database/cloudnative-pg/cluster/kustomization.yaml
rename to kubernetes/apps/avto-masini/external-dns/app/kustomization.yaml
index 7fe26b4f..16a6ce30 100644
--- a/kubernetes/main/apps/database/cloudnative-pg/cluster/kustomization.yaml
+++ b/kubernetes/apps/avto-masini/external-dns/app/kustomization.yaml
@@ -3,6 +3,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- - s3-creds.sops.yaml
- - cluster18.yaml
- - scheduledbackup.yaml
+ - ./secret.sops.yaml
+ - ./helmrelease.yaml
diff --git a/kubernetes/apps/avto-masini/external-dns/app/secret.sops.yaml b/kubernetes/apps/avto-masini/external-dns/app/secret.sops.yaml
new file mode 100644
index 00000000..79cf4530
--- /dev/null
+++ b/kubernetes/apps/avto-masini/external-dns/app/secret.sops.yaml
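Review bot: The new `--force-default-targets` flag in the `extraArgs` hunk makes external-dns ignore the per-Ingress `external-dns.alpha.kubernetes.io/target` annotation, so the target annotations this commit also rewrites in the two avto-masini-web ingress files are now dead and will be silently overridden if they ever diverge from `--default-targets`; either drop them or mark them `# overridden by --force-default-targets` so nobody debugs a "wrong" target there. With `policy: sync` external-dns also removes records it owns once their Ingress or DNSEndpoint disappears, so the `domainFilters` line is what keeps a misconfiguration confined to this zone — keep it, and make sure the `api-token` in secret.sops.yaml is a zone-scoped DNS-edit token rather than an account-wide one.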
@@ -0,0 +1,22 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: external-dns-secret
+ namespace: avto-masini
+stringData:
+ api-token: ENC[AES256_GCM,data:O623ud/31zbI+fqmyuDhjerfJo68A3Ga0UII+DGVE/BalZdrwI2TAA==,iv:UYIRQryd2mk8t/W+ydWoLBkQMQ0WeWU+9BkjMR49PoM=,tag:pz6vmyOLaPGoGwvFJhRtFQ==,type:str]
+sops:
+ age:
+ - recipient: age13swsp40tstrqluer6arm5skldvg5ucw4t390a87qcdzcj0r2jscqrraxnv
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3cU9YNTJvS1RIdFFCQzIx
+ TnZINHNsaVY5SkJLVDNianorU0M4Wm9Wb0FFCllmaVpPTHFjRTlkaGRidXZkRmsy
+ amV4QzVwYk1IUzRyZUYvQ1p2d2drOHMKLS0tIHhFWjlXSDN5eXVhWDcydEFvZUZV
+ N1JuT1p5TFpUOUVEc0NBcEdNMkplZG8KhgfASu2LOHwgyVyEgTkIdGFeOoeJG5+w
+ UonRkCxYPgfEGA6XqQ9wYd/R7CDhWplOOoMOyu/gkI6EmkW6LrPqCw==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2026-03-31T08:35:54Z"
+ mac: ENC[AES256_GCM,data:wYKGg++YRjaTqwDOie1/foY3vDQUpMg+IJZk7UQjqJkIiZdcqxIeRWuTgVymexPGV6hfq2nTk6vRPAqPL08XpGW+0tTHPLR8BXINgtUtd5Dy2iTphpo+9BDq8LnMUCRGUaiEVdrpZhwsOr4nkFXmiRe06wuCPIvy3E+P1daKn7c=,iv:eiuuwab+OIyaZsIhr3utpcIX58src9vIj5vESOjNpJA=,tag:4SIUk+5eSTp/FAotQAw3Tg==,type:str]
+ encrypted_regex: ^(data|stringData)$
+ version: 3.12.2
diff --git a/kubernetes/main/avto-masini/external-dns/ks.yaml b/kubernetes/apps/avto-masini/external-dns/ks.yaml
similarity index 66%
rename from kubernetes/main/avto-masini/external-dns/ks.yaml
rename to kubernetes/apps/avto-masini/external-dns/ks.yaml
index 0ee051a9..caca9ee1 100644
--- a/kubernetes/main/avto-masini/external-dns/ks.yaml
+++ b/kubernetes/apps/avto-masini/external-dns/ks.yaml
@@ -1,21 +1,22 @@
 ---
+# yaml-language-server: $schema=https://crd.movishell.pl/kustomize.toolkit.fluxcd.io/kustomization_v1.json
 apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
 name: &app external-dns-avto-masini
 namespace: flux-system
 spec:
- targetNamespace: avto-masini
 commonMetadata:
 labels:
 app.kubernetes.io/name: *app
- path: ./kubernetes/main/avto-masini/external-dns/app
+ interval: 30m
+ retryInterval: 1m
+ timeout: 15m
+ path: ./kubernetes/apps/avto-masini/external-dns/app
 prune: true
 sourceRef:
 kind: GitRepository
 name: flux-system
 namespace: flux-system
- wait: false
- interval: 30m
- retryInterval: 1m
- timeout: 5m
+ targetNamespace: avto-masini
+ wait: true
diff --git a/kubernetes/main/avto-masini/kustomization.yaml b/kubernetes/apps/avto-masini/kustomization.yaml
similarity index 65%
rename from kubernetes/main/avto-masini/kustomization.yaml
rename to kubernetes/apps/avto-masini/kustomization.yaml
index 5d6ed6b9..b1c95a4e 100644
--- a/kubernetes/main/avto-masini/kustomization.yaml
+++ b/kubernetes/apps/avto-masini/kustomization.yaml
@@ -1,9 +1,10 @@
 ---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ./namespace.yaml
+ - ./traefik/ks.yaml
 - ./cloudflared/ks.yaml
 - ./external-dns/ks.yaml
- - ./ingress-nginx/ks.yaml
 - ./avto-masini-web/ks.yaml
diff --git a/kubernetes/apps/avto-masini/namespace.yaml b/kubernetes/apps/avto-masini/namespace.yaml
new file mode 100644
index 00000000..36a67646
--- /dev/null
+++ b/kubernetes/apps/avto-masini/namespace.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: avto-masini
+ labels:
+ kustomize.toolkit.fluxcd.io/prune: disabled
+ pod-security.kubernetes.io/audit: privileged
+ pod-security.kubernetes.io/enforce: privileged
+ pod-security.kubernetes.io/warn: privileged
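Review bot: The new `avto-masini` Namespace in the namespace.yaml hunk sets `pod-security.kubernetes.io/enforce: privileged`, which switches Pod Security admission off for a namespace that, as configured in this commit, hosts only Traefik, cloudflared, external-dns and a static web Deployment — none of which appears to need host namespaces, privileged containers or hostPath. `enforce: baseline` with `audit: restricted` and `warn: restricted` keeps everything deploying while surfacing what would have to change to reach `restricted`. AGENTS.md lists the `privileged` trio as the required label set, so if you keep it here a comment stating why this namespace needs it would save the next reviewer the same question.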
diff --git a/kubernetes/apps/avto-masini/traefik/app/helmrelease.yaml b/kubernetes/apps/avto-masini/traefik/app/helmrelease.yaml
new file mode 100644
index 00000000..46cccded
--- /dev/null
+++ b/kubernetes/apps/avto-masini/traefik/app/helmrelease.yaml
@@ -0,0 +1,29 @@
+---
+# yaml-language-server: $schema=https://crd.movishell.pl/helm.toolkit.fluxcd.io/helmrelease_v2.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: &app traefik
+ namespace: avto-masini
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: traefik
+ version: "39.0.5"
+ sourceRef:
+ kind: HelmRepository
+ name: traefik
+ namespace: flux-system
+ interval: 12h
+ install:
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ retries: 3
+ values:
+ ingressClass:
+ enabled: true
+ name: traefik-avto-masini
diff --git a/kubernetes/main/apps/database/cloudnative-pg/operator/kustomization.yaml b/kubernetes/apps/avto-masini/traefik/app/kustomization.yaml
similarity index 64%
rename from kubernetes/main/apps/database/cloudnative-pg/operator/kustomization.yaml
rename to kubernetes/apps/avto-masini/traefik/app/kustomization.yaml
index 2367cc38..17cbc72b 100644
--- a/kubernetes/main/apps/database/cloudnative-pg/operator/kustomization.yaml
+++ b/kubernetes/apps/avto-masini/traefik/app/kustomization.yaml
@@ -2,8 +2,5 @@
 # yaml-language-server: $schema=https://json.schemastore.org/kustomization
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: cnpg-system
 resources:
- - repository.yaml
- - secret.sops.yaml
- - release.yaml
+ - ./helmrelease.yaml
diff --git a/kubernetes/apps/avto-masini/traefik/ks.yaml b/kubernetes/apps/avto-masini/traefik/ks.yaml
new file mode 100644
index 00000000..775d2b41
--- /dev/null
+++ b/kubernetes/apps/avto-masini/traefik/ks.yaml
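Review bot: The `values` block of the new traefik HelmRelease sets only `ingressClass.name`, so the chart's other defaults apply, and two of them matter here: `ingressClass.isDefaultClass` defaults to true, and the Service defaults to `type: LoadBalancer`. A second default IngressClass in a cluster that already runs another controller means any Ingress without `ingressClassName` is claimed by both; set `ingressClass.isDefaultClass: false`. Since cloudflared reaches this Traefik at `traefik.avto-masini.svc.cluster.local:443`, `service.type: ClusterIP` avoids allocating an external address nothing should use, and `providers.kubernetesIngress.ingressClass: traefik-avto-masini` limits the provider to its own class; the remaining values are chart defaults and are worth a read before this goes live.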
@@ -0,0 +1,22 @@ +--- +# yaml-language-server: $schema=https://crd.movishell.pl/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app traefik-avto-masini + namespace: flux-system +spec: + commonMetadata: + labels: + app.kubernetes.io/name: *app + interval: 30m + retryInterval: 1m + timeout: 15m + path: ./kubernetes/apps/avto-masini/traefik/app + prune: true + sourceRef: + kind: GitRepository + name: flux-system + namespace: flux-system + targetNamespace: avto-masini + wait: true diff --git a/kubernetes/main/apps/database/cloudnative-pg/cluster/cluster18.yaml b/kubernetes/apps/database/cloudnative-pg/cluster/cluster18.yaml similarity index 55% rename from kubernetes/main/apps/database/cloudnative-pg/cluster/cluster18.yaml rename to kubernetes/apps/database/cloudnative-pg/cluster/cluster18.yaml index 80f8bb7a..297b4f38 100644 --- a/kubernetes/main/apps/database/cloudnative-pg/cluster/cluster18.yaml +++ b/kubernetes/apps/database/cloudnative-pg/cluster/cluster18.yaml @@ -9,9 +9,16 @@ spec: primaryUpdateStrategy: unsupervised primaryUpdateMethod: switchover + # Bootstrap from latest backup - restore to latest available point in time + bootstrap: + recovery: + source: postgres18-restore + recoveryTarget: + targetTime: "" # Empty = restore to latest available + storage: storageClass: longhorn - size: 20Gi + size: 100Gi superuserSecret: name: cloudnative-pg-secret @@ -22,6 +29,23 @@ spec: parameters: max_connections: "400" shared_buffers: 256MB + + externalClusters: + - name: postgres18-restore + barmanObjectStore: + destinationPath: 's3://talos-lj-backup/' + serverName: postgres18 # Specify the source cluster name + s3Credentials: + accessKeyId: + name: s3-creds + key: ACCESS_KEY_ID + secretAccessKey: + name: s3-creds + key: SECRET_ACCESS_KEY + wal: + compression: gzip + maxParallel: 4 + encryption: AES256 nodeMaintenanceWindow: inProgress: false reusePVC: true 
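Review bot: `recoveryTarget: { targetTime: "" }` in the new `bootstrap.recovery` block of cluster18.yaml (`@@ -9,9 +9,16 @@`) does not mean "latest": CloudNativePG already recovers to the end of the available WAL when no `recoveryTarget` is given, and an empty target string is at best ignored and may be rejected by the operator's validation — drop the `recoveryTarget` block and keep the comment on `bootstrap`. `bootstrap` is only honoured when the Cluster object is first created, so on the existing `postgres18` cluster this hunk is inert and the restore only happens if the Cluster is deleted and re-applied; that is worth stating in the comment, since `prune: true` plus a directory rename makes an accidental re-creation easy to trigger. The `serverName: postgres18-restored` added in `@@ -39,6 +63,7 @@` on the next line is the right call to keep the restored cluster's archive separate from the `postgres18` source named in `externalClusters`.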
@@ -39,6 +63,7 @@ spec:
 retentionPolicy: 7d
 barmanObjectStore:
 destinationPath: 's3://talos-lj-backup/'
+ serverName: postgres18-restored # Use different name to avoid WAL archive conflict
 s3Credentials:
 accessKeyId:
 name: s3-creds
diff --git a/kubernetes/apps/database/cloudnative-pg/cluster/kustomization.yaml b/kubernetes/apps/database/cloudnative-pg/cluster/kustomization.yaml
new file mode 100644
index 00000000..3541a0dc
--- /dev/null
+++ b/kubernetes/apps/database/cloudnative-pg/cluster/kustomization.yaml
@@ -0,0 +1,8 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ./s3-creds.sops.yaml
+ - ./cluster18.yaml
+ - ./scheduledbackup.yaml
diff --git a/kubernetes/apps/database/cloudnative-pg/cluster/s3-creds.sops.yaml b/kubernetes/apps/database/cloudnative-pg/cluster/s3-creds.sops.yaml
new file mode 100644
index 00000000..ab3dadd4
--- /dev/null
+++ b/kubernetes/apps/database/cloudnative-pg/cluster/s3-creds.sops.yaml
@@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Secret +metadata: + name: s3-creds + namespace: database +stringData: + ACCESS_KEY_ID: ENC[AES256_GCM,data:6deABkqAccFGHMk6t8GOX2z1/a8=,iv:J6lhlaXbVtM+kW3klLaJx0QYU1HVZ0ffo3mjqpr5eVo=,tag:3UVLAFZ/YwqJuOJREhR2WQ==,type:str] + SECRET_ACCESS_KEY: ENC[AES256_GCM,data:rd4cRP461Sh5I7GR5+RmL7GWvq7jPVsKIjoNOH8QwnmRMJluPJArtQ==,iv:0zGoTblmM8UctaxnI9H2cTDeh8bIkhBizMRO9AmQTVQ=,tag:JOX/Fh74LB2yFU9UDEdrbQ==,type:str] +sops: + age: + - recipient: age13swsp40tstrqluer6arm5skldvg5ucw4t390a87qcdzcj0r2jscqrraxnv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkazIxWlNHc0toMFhuQmtj + d2FUakdiVmJnZ1E4dVBiUkc2dVV3bjlPQUFzCnc2T1RySUVQamlCci9naGJzMnQ1 + cjRVWDNlbVA5NFo0VGh3Ly9wUENUa00KLS0tIEJ1RndnNG5CY0ZrbDZ6STdJNVVC + bXUzOHNXQUt0MEEvYUFkbkJMY2xFeVEKTHX6Hp510uDZYZ/JbIt7ugTjZSm4Uykx + svj1q4j/9STmNQCEIIVSB/NtWrgckUzftjOaiJQ0W6Ib1LixxXqgbw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-03-28T17:47:28Z" + mac: ENC[AES256_GCM,data:wOTR6t16UbtfXV25QXL9f7fQc8kk40vqNZ/c9guODR5c1NJBep+8mU/GNCaG8TsE6fnD9Dd0R8/tXJ5HAN4Le8u3UJayvcJ8xHcmsoBuvHXDFRfSemQlVpDsPCUbMJvUtjqLbG4zjI22L16ulFBgnkrPobTlq+lT+zwyf9P1nFA=,iv:W/m6l0w9slR8qF9X1qms82AXN4bfykLlZT+F1H5Qds8=,tag:HvQkhQ44YKy06/802b4Ulw==,type:str] + encrypted_regex: ^(data|stringData)$ + version: 3.12.2 diff --git a/kubernetes/main/apps/database/cloudnative-pg/cluster/scheduledbackup.yaml b/kubernetes/apps/database/cloudnative-pg/cluster/scheduledbackup.yaml similarity index 82% rename from kubernetes/main/apps/database/cloudnative-pg/cluster/scheduledbackup.yaml rename to kubernetes/apps/database/cloudnative-pg/cluster/scheduledbackup.yaml index 670f31ed..094ca301 100644 --- a/kubernetes/main/apps/database/cloudnative-pg/cluster/scheduledbackup.yaml +++ b/kubernetes/apps/database/cloudnative-pg/cluster/scheduledbackup.yaml 
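Review bot: A Secret also named `s3-creds` is created in the `infrastructure` namespace later in this commit with `AWS_*` key names; if both hold the same IAM credentials (encrypted, so not verifiable here), the backup bucket is reachable from two namespaces and any ServiceAccount with `secrets` read in either can pull every database backup. One IAM identity per consumer, each restricted by policy to its own prefix, keeps a leak in one namespace from exposing the other's data. Separately, every SOPS file in this commit lists a single `age` recipient; if that key is lost the cluster cannot be rebuilt from Git, so a second (offline) recipient in `.sops.yaml` is the usual safeguard — that config file is outside this chunk.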
@@ -1,13 +1,12 @@ - apiVersion: postgresql.cnpg.io/v1 kind: ScheduledBackup metadata: name: postgres18-backup - namespace: cnpg-system + namespace: database spec: schedule: "0 0 0 * * *" suspend: false - immediate: true + immediate: false backupOwnerReference: self cluster: name: postgres18 diff --git a/kubernetes/main/apps/database/cloudnative-pg/ks.yaml b/kubernetes/apps/database/cloudnative-pg/ks.yaml similarity index 69% rename from kubernetes/main/apps/database/cloudnative-pg/ks.yaml rename to kubernetes/apps/database/cloudnative-pg/ks.yaml index 037340b4..e2b14fbd 100644 --- a/kubernetes/main/apps/database/cloudnative-pg/ks.yaml +++ b/kubernetes/apps/database/cloudnative-pg/ks.yaml @@ -1,24 +1,21 @@ --- +# yaml-language-server: $schema=https://crd.movishell.pl/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: &app cloudnative-pg namespace: flux-system spec: - targetNamespace: cnpg-system + targetNamespace: database commonMetadata: labels: app.kubernetes.io/name: *app - path: ./kubernetes/main/apps/database/cloudnative-pg/operator + path: ./kubernetes/apps/database/cloudnative-pg/operator prune: true sourceRef: kind: GitRepository name: flux-system namespace: flux-system - decryption: - provider: sops - secretRef: - name: sops-age wait: true interval: 30m retryInterval: 1m @@ -32,21 +29,17 @@ metadata: spec: dependsOn: - name: cloudnative-pg - targetNamespace: cnpg-system + targetNamespace: database commonMetadata: labels: app.kubernetes.io/name: *app - path: ./kubernetes/main/apps/database/cloudnative-pg/cluster + path: ./kubernetes/apps/database/cloudnative-pg/cluster prune: true sourceRef: kind: GitRepository name: flux-system namespace: flux-system - decryption: - provider: sops - secretRef: - name: sops-age wait: true interval: 30m retryInterval: 1m - timeout: 5m + timeout: 5m \ No newline at end of file 
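Review bot: `immediate: false` combined with the new `serverName: postgres18-restored` means no base backup exists under the new prefix until the `0 0 0 * * *` schedule first fires; WAL archived before that first base backup cannot be restored on its own, so the recovered cluster runs for up to a day without a usable recovery point. Either keep `immediate: true` or create a one-off `Backup` resource as soon as the recovery completes. The schedule is evaluated in the operator's timezone (UTC unless configured), so "midnight" may not be the quiet window intended — hedged, the operator config is not in this chunk.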
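Review bot: Both Kustomizations in this file drop `spec.decryption` (`provider: sops`, `secretRef: sops-age`), yet the `cluster` path now carries `s3-creds.sops.yaml` and the `operator` path `secret.sops.yaml`. Unless the parent Flux Kustomization that applies these `ks.yaml` files injects `decryption` into child Kustomizations through a `patches` block (not visible in this chunk), Flux will create the Secrets with the literal `ENC[AES256_GCM,...]` strings as values and the Cluster and its backups will fail to authenticate. If that injection exists, a short comment such as `# spec.decryption is patched in by the parent cluster-apps Kustomization` at the top of the file would spare the next reader the same check.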
diff --git a/kubernetes/main/apps/database/cloudnative-pg/operator/release.yaml b/kubernetes/apps/database/cloudnative-pg/operator/helmrelease.yaml similarity index 77% rename from kubernetes/main/apps/database/cloudnative-pg/operator/release.yaml rename to kubernetes/apps/database/cloudnative-pg/operator/helmrelease.yaml index a7802216..c4ad6d6d 100644 --- a/kubernetes/main/apps/database/cloudnative-pg/operator/release.yaml +++ b/kubernetes/apps/database/cloudnative-pg/operator/helmrelease.yaml @@ -1,8 +1,10 @@ +--- +# yaml-language-server: $schema=https://crd.movishell.pl/helm.toolkit.fluxcd.io/helmrelease_v2.json apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: &app cnpg - namespace: cnpg-system + namespace: database spec: interval: 30m chart: @@ -12,7 +14,7 @@ spec: sourceRef: kind: HelmRepository name: cnpg - namespace: cnpg-system + namespace: flux-system interval: 12h install: remediation: diff --git a/kubernetes/main/apps/external-dns/external/kustomization.yaml b/kubernetes/apps/database/cloudnative-pg/operator/kustomization.yaml similarity index 51% rename from kubernetes/main/apps/external-dns/external/kustomization.yaml rename to kubernetes/apps/database/cloudnative-pg/operator/kustomization.yaml index 92c244fb..ab439e40 100644 --- a/kubernetes/main/apps/external-dns/external/kustomization.yaml +++ b/kubernetes/apps/database/cloudnative-pg/operator/kustomization.yaml @@ -1,10 +1,8 @@ --- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - ./namespace.yaml - - ./repository.yaml - ./secret.sops.yaml -# - ./dnsendpoint.yaml - - ./release.yaml + - ./helmrelease.yaml diff --git a/kubernetes/apps/database/cloudnative-pg/operator/secret.sops.yaml b/kubernetes/apps/database/cloudnative-pg/operator/secret.sops.yaml new file mode 100644 index 00000000..2ecbb6ea --- /dev/null 
+++ b/kubernetes/apps/database/cloudnative-pg/operator/secret.sops.yaml @@ -0,0 +1,25 @@ +# yamllint disable +kind: Secret +apiVersion: v1 +type: Opaque +metadata: + name: cloudnative-pg-secret + namespace: database +stringData: + username: ENC[AES256_GCM,data:8Rg3WEWmcR8=,iv:qR//wo4/rTXMkLzq+U1Iug16QKPAFoINEgFPSteLRwY=,tag:ouYiFKaf/Itk2zEBXnhRuw==,type:str] + password: ENC[AES256_GCM,data:sxdm9K65ruo+5btDdSw=,iv:QhLeBQN8+OtcCeNWZ6wc+UPGPl8T2ncTLBlj3ZOii6U=,tag:B9vlfEOREKj6axGIhaTHvA==,type:str] +sops: + age: + - recipient: age13swsp40tstrqluer6arm5skldvg5ucw4t390a87qcdzcj0r2jscqrraxnv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2Y3pwL3ZEMWg5dVFuU0hl + REFHQ3dDeHdUdWlHcXRjRFNtVWpqeE5uNVU4CngzV3phMzMvM25BMzFSbWorUXlM + QUM1SmxLQlRuNyttZ3ZISjllYTl4QjQKLS0tIG5oQk9nM0tnNXFldFk3RUlnenQ5 + cWxJcVZBSG8vNEN1MHhIOTR2eXB4Q1kK2lmTkf5wkG1/K8xJVLihrwzSrSk3rmIz + 8IZ0E8W7bxNnPLixJAmuJchpgY/yNVgwew3W2Lot1hf6hecLkhHlPg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-03-28T17:45:14Z" + mac: ENC[AES256_GCM,data:9W7TVMLhg1p7Gv1dJ8ccXQz1pf1KpajEuvUM40ECxinJOxaP8u7YPXfOjIc31TqAVNHuggzHUAkfzBmJwsrikXkAoWvKg8/qMWnTpZtRg+jTkCau757FxAinr33y386x4CmbTsxDBy3nY59H3rKp7N+6Qcg6PLtJXCgp2GFLQtU=,iv:lCaiL0txUeudel3QH0vXl5OAGU4YCT1BOiDDOSai7jE=,tag:WBBROUtk+/t3tr5u7s5dUQ==,type:str] + encrypted_regex: ^(data|stringData)$ + version: 3.12.2 diff --git a/kubernetes/main/apps/network/k8tz/app/kustomization.yaml b/kubernetes/apps/database/kustomization.yaml similarity index 75% rename from kubernetes/main/apps/network/k8tz/app/kustomization.yaml rename to kubernetes/apps/database/kustomization.yaml index 35e07a4d..0f442ddc 100644 --- a/kubernetes/main/apps/network/k8tz/app/kustomization.yaml +++ b/kubernetes/apps/database/kustomization.yaml @@ -4,6 +4,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ./namespace.yaml - - ./repository.yaml - - ./pki.yaml - - ./release.yaml + - ./cloudnative-pg/ks.yaml 
diff --git a/kubernetes/main/apps/goriva-si/goriva-si-influxdb/namespace.yaml b/kubernetes/apps/database/namespace.yaml similarity index 75% rename from kubernetes/main/apps/goriva-si/goriva-si-influxdb/namespace.yaml rename to kubernetes/apps/database/namespace.yaml index c9658e48..417aa86b 100644 --- a/kubernetes/main/apps/goriva-si/goriva-si-influxdb/namespace.yaml +++ b/kubernetes/apps/database/namespace.yaml @@ -2,9 +2,9 @@ apiVersion: v1 kind: Namespace metadata: - name: goriva-si + name: database labels: + kustomize.toolkit.fluxcd.io/prune: disabled pod-security.kubernetes.io/audit: privileged pod-security.kubernetes.io/enforce: privileged pod-security.kubernetes.io/warn: privileged - goldilocks.fairwinds.com/enabled: "true" diff --git a/kubernetes/main/apps/infrastructure/kustomization.yaml b/kubernetes/apps/default/kustomization.yaml similarity index 55% rename from kubernetes/main/apps/infrastructure/kustomization.yaml rename to kubernetes/apps/default/kustomization.yaml index 739c69bb..3f4f0da9 100644 --- a/kubernetes/main/apps/infrastructure/kustomization.yaml +++ b/kubernetes/apps/default/kustomization.yaml @@ -1,8 +1,6 @@ --- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - ./external-secrets/ks.yaml - - ./weave-gitops/ks.yaml - - ./longhorn/ks.yaml - ./reloader/ks.yaml diff --git a/kubernetes/main/apps/infrastructure/reloader/app/reloader.yaml b/kubernetes/apps/default/reloader/app/reloader.yaml similarity index 100% rename from kubernetes/main/apps/infrastructure/reloader/app/reloader.yaml rename to kubernetes/apps/default/reloader/app/reloader.yaml diff --git a/kubernetes/main/apps/infrastructure/reloader/ks.yaml b/kubernetes/apps/default/reloader/ks.yaml similarity index 71% rename from kubernetes/main/apps/infrastructure/reloader/ks.yaml rename to kubernetes/apps/default/reloader/ks.yaml index 878ff7ea..e3297c60 100644 
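Review bot: The `database` namespace is labelled `pod-security.kubernetes.io/enforce: privileged`, which switches Pod Security admission off for everything in it; CNPG's instance pods run as non-root and are documented as compatible with the restricted profile, so nothing here needs the exemption. The labels appear to have been carried over from the `goriva-si` namespace this file was renamed from. I would set `pod-security.kubernetes.io/enforce: baseline` with `audit: restricted` and `warn: restricted`, and only relax it if the operator logs a PSA rejection.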
--- a/kubernetes/main/apps/infrastructure/reloader/ks.yaml +++ b/kubernetes/apps/default/reloader/ks.yaml @@ -1,4 +1,5 @@ --- +# yaml-language-server: $schema=https://crd.movishell.pl/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: @@ -9,7 +10,7 @@ spec: commonMetadata: labels: app.kubernetes.io/name: *app - path: ./kubernetes/main/apps/infrastructure/reloader/app + path: ./kubernetes/apps/default/reloader/app prune: true sourceRef: kind: GitRepository diff --git a/kubernetes/main/apps/cert-manager/app/release.yaml b/kubernetes/apps/infrastructure/cert-manager/app/helmrelease.yaml similarity index 92% rename from kubernetes/main/apps/cert-manager/app/release.yaml rename to kubernetes/apps/infrastructure/cert-manager/app/helmrelease.yaml index 976a54e2..38544325 100644 --- a/kubernetes/main/apps/cert-manager/app/release.yaml +++ b/kubernetes/apps/infrastructure/cert-manager/app/helmrelease.yaml @@ -3,7 +3,7 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: cert-manager - namespace: cert-manager + namespace: infrastructure spec: interval: 30m chart: @@ -13,7 +13,7 @@ spec: sourceRef: kind: HelmRepository name: jetstack - namespace: cert-manager + namespace: flux-system install: remediation: retries: 3 diff --git a/kubernetes/apps/infrastructure/cert-manager/app/kustomization.yaml b/kubernetes/apps/infrastructure/cert-manager/app/kustomization.yaml new file mode 100644 index 00000000..17cbc72b --- /dev/null +++ b/kubernetes/apps/infrastructure/cert-manager/app/kustomization.yaml @@ -0,0 +1,6 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./helmrelease.yaml 
diff --git a/kubernetes/main/apps/cert-manager/issuers/issuers.yaml b/kubernetes/apps/infrastructure/cert-manager/issuers/issuers.yaml similarity index 100% rename from kubernetes/main/apps/cert-manager/issuers/issuers.yaml rename to kubernetes/apps/infrastructure/cert-manager/issuers/issuers.yaml diff --git a/kubernetes/main/apps/cert-manager/issuers/kustomization.yaml b/kubernetes/apps/infrastructure/cert-manager/issuers/kustomization.yaml similarity index 50% rename from kubernetes/main/apps/cert-manager/issuers/kustomization.yaml rename to kubernetes/apps/infrastructure/cert-manager/issuers/kustomization.yaml index 448b0f64..1f556e2c 100644 --- a/kubernetes/main/apps/cert-manager/issuers/kustomization.yaml +++ b/kubernetes/apps/infrastructure/cert-manager/issuers/kustomization.yaml @@ -1,6 +1,7 @@ --- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ./issuers.yaml - - ./secret.sops.yaml + - ./secret.sops.yaml \ No newline at end of file diff --git a/kubernetes/apps/infrastructure/cert-manager/issuers/secret.sops.yaml b/kubernetes/apps/infrastructure/cert-manager/issuers/secret.sops.yaml new file mode 100644 index 00000000..b3a78175 --- /dev/null +++ b/kubernetes/apps/infrastructure/cert-manager/issuers/secret.sops.yaml 
@@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Secret +metadata: + name: cert-manager-secret + namespace: infrastructure +stringData: + api-token: ENC[AES256_GCM,data:Wi0Mv1x6c99DUxmaJ/cEVp4nkBX3bxPz9abT6Gyi8QKs00ZMy0RmLw==,iv:eepyXwJtmn7bK5vzyzGzgZNnhxzvoaJwPLAltBNe8iM=,tag:8SIwwxJngPr4kfCSToiqNA==,type:str] +sops: + age: + - recipient: age13swsp40tstrqluer6arm5skldvg5ucw4t390a87qcdzcj0r2jscqrraxnv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5ZTZSeG8zSUdySWxuazRG + WGZJdTE0TFA0Umo3SnA4bG0yUGMya2FOeUVJCnVUdHZKOWs4cE8rbWRmSVUvSkQ2 + UGRjTDh3UXl3b2FxeFcvbC9Zeklja00KLS0tIHhWR0ZadWMweWRvTGlVdWN4RDlw + VTk5Z0NVNFVEczNNdWJlaUJiZzk0YVkKEgrljM9QR4dWIdHRVdSF1ldWvmMctA2N + WriKJLs7yQDgsKC10dRB64Jzwbakl8OU8G3KpnIX8HWR/+cdupoYCw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-03-28T20:33:09Z" + mac: ENC[AES256_GCM,data:bBNTS1LW9zkeonbYRxpam64dI/auSD381XU44qZulxnAwTCZ0gZQDIskxV6eOXem9cAaOe6kC0ldEx0a4OaU7xUZ7wT4VWFOxWpPr9B1nTl0gONr3cgy/m+2SKUE17sxHeEdLfFGE9y4CxjWnQQjgNSFW6r50RMbOOGKvjla+gA=,iv:jnpGmd70d1wd51zh0tVP+ZP2kkK9yMhBsd/l9LJfr4s=,tag:kgIqZ33t/5ve5s/V7IA/2g==,type:str] + encrypted_regex: ^(data|stringData)$ + version: 3.12.2 diff --git a/kubernetes/main/apps/cert-manager/ks.yaml b/kubernetes/apps/infrastructure/cert-manager/ks.yaml similarity index 61% rename from kubernetes/main/apps/cert-manager/ks.yaml rename to kubernetes/apps/infrastructure/cert-manager/ks.yaml index 4adb7b12..d679b9fb 100644 --- a/kubernetes/main/apps/cert-manager/ks.yaml +++ b/kubernetes/apps/infrastructure/cert-manager/ks.yaml 
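Review bot: This `api-token` is the Cloudflare token cert-manager will use for DNS-01, and a second Cloudflare `api-token` appears in `external-dns-secret` later in the commit; if they are the same token (not determinable from ciphertext), a compromise of either component yields a credential that can both rewrite DNS and obtain certificates for the zone. Issue a dedicated token per consumer with the minimum permissions (for cert-manager, Zone:Read plus DNS:Edit on the one zone) and record that scope next to the key, e.g. `# Cloudflare token scoped to Zone.Zone:Read + Zone.DNS:Edit on the external zone only`. Rotation is then also per component instead of a coordinated change across both.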
@@ -1,44 +1,43 @@ --- +# yaml-language-server: $schema=https://crd.movishell.pl/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: &app cert-manager namespace: flux-system spec: - targetNamespace: cert-manager commonMetadata: labels: app.kubernetes.io/name: *app - path: ./kubernetes/main/apps/cert-manager/app + interval: 30m + path: ./kubernetes/apps/infrastructure/cert-manager/app prune: true sourceRef: kind: GitRepository name: flux-system namespace: flux-system + targetNamespace: infrastructure wait: true - interval: 30m - retryInterval: 1m - timeout: 5m --- +# yaml-language-server: $schema=https://crd.movishell.pl/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: &app cert-manager-issuers namespace: flux-system spec: - targetNamespace: cert-manager commonMetadata: labels: app.kubernetes.io/name: *app dependsOn: - name: cert-manager - path: ./kubernetes/main/apps/cert-manager/issuers + namespace: flux-system + interval: 30m + path: ./kubernetes/apps/infrastructure/cert-manager/issuers prune: true sourceRef: kind: GitRepository name: flux-system namespace: flux-system + targetNamespace: infrastructure wait: true - interval: 30m - retryInterval: 1m - timeout: 5m diff --git a/kubernetes/main/apps/external-dns/external/release.yaml b/kubernetes/apps/infrastructure/external-dns/app/helmrelease.yaml similarity index 69% rename from kubernetes/main/apps/external-dns/external/release.yaml rename to kubernetes/apps/infrastructure/external-dns/app/helmrelease.yaml index 7953f532..8b076eca 100644 --- a/kubernetes/main/apps/external-dns/external/release.yaml +++ b/kubernetes/apps/infrastructure/external-dns/app/helmrelease.yaml 
@@ -1,31 +1,27 @@ --- +# yaml-language-server: $schema=https://crd.movishell.pl/helm.toolkit.fluxcd.io/helmrelease_v2.json apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: &app external-dns - namespace: external-dns + namespace: infrastructure spec: interval: 30m chart: spec: chart: external-dns - version: 1.15.0 + version: 1.20.0 sourceRef: kind: HelmRepository name: external-dns - namespace: external-dns - # install: - # crds: CreateReplace - # remediation: - # retries: 3 - # upgrade: - # cleanupOnFail: true - # crds: CreateReplace - # remediation: - # strategy: rollback - # retries: 3 + namespace: flux-system values: fullnameOverride: *app + rbac: + create: true + serviceAccount: + create: true + name: "external-dns" provider: cloudflare env: - name: CF_API_TOKEN @@ -34,22 +30,24 @@ spec: name: external-dns-secret key: api-token extraArgs: - - --ingress-class=external + - --ingress-class=traefik - --cloudflare-proxied - --default-targets=${SECRET_CLOUDFLARE_TUNNEL_ID}.cfargotunnel.com + - --force-default-targets policy: sync sources: ["crd", "ingress"] domainFilters: ["${SECRET_EXTERNAL_DOMAIN}"] serviceMonitor: enabled: true podAnnotations: - secret.reloader.stakater.com/reload: external-dns-secret + secret.reloader.stakater.com/reload: external-dns-secret --- +# yaml-language-server: $schema=https://crd.movishell.pl/helm.toolkit.fluxcd.io/helmrelease_v2.json apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: &app external-dns-pihole - namespace: external-dns + namespace: infrastructure spec: interval: 30m chart: @@ -59,7 +57,7 @@ spec: sourceRef: kind: HelmRepository name: external-dns - namespace: external-dns + namespace: flux-system values: fullnameOverride: *app provider: pihole 
@@ -69,7 +67,7 @@ spec: - name: EXTERNAL_DNS_PIHOLE_PASSWORD value: ${PIHOLE_PASSWORD} - name: EXTERNAL_DNS_PIHOLE_SERVER - value: http://pihole-web.pihole-system.svc.cluster.local + value: http://pihole-web.network.svc.cluster.local extraArgs: - --pihole-api-version=6 - --ingress-class=internal @@ -79,5 +77,5 @@ spec: sources: ["service", "ingress"] serviceMonitor: enabled: true - securityContext: + podSecurityContext: fsGroup: 65534 diff --git a/kubernetes/apps/infrastructure/external-dns/app/kustomization.yaml b/kubernetes/apps/infrastructure/external-dns/app/kustomization.yaml new file mode 100644 index 00000000..16a6ce30 --- /dev/null +++ b/kubernetes/apps/infrastructure/external-dns/app/kustomization.yaml @@ -0,0 +1,7 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./secret.sops.yaml + - ./helmrelease.yaml diff --git a/kubernetes/apps/infrastructure/external-dns/app/secret.sops.yaml b/kubernetes/apps/infrastructure/external-dns/app/secret.sops.yaml new file mode 100644 index 00000000..5156fb70 --- /dev/null +++ b/kubernetes/apps/infrastructure/external-dns/app/secret.sops.yaml 
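Review bot: The context lines `- name: EXTERNAL_DNS_PIHOLE_PASSWORD` / `value: ${PIHOLE_PASSWORD}` still pass the Pi-hole admin password as a plain `value`, so after Flux substitution it sits in clear text in the HelmRelease object, in Helm's release-storage Secret and in the Pod spec, and it is then sent over plain `http://` to the new `pihole-web.network.svc.cluster.local` address. The Cloudflare instance earlier in this file already uses `valueFrom.secretKeyRef`; do the same here, `valueFrom: { secretKeyRef: { name: external-dns-pihole-secret, key: password } }`, backed by a SOPS Secret. The substitution variable predates this commit, but moving the release into the shared `infrastructure` namespace widens who can read the rendered value.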
@@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Secret +metadata: + name: external-dns-secret + namespace: external-dns +stringData: + api-token: ENC[AES256_GCM,data:O623ud/31zbI+fqmyuDhjerfJo68A3Ga0UII+DGVE/BalZdrwI2TAA==,iv:UYIRQryd2mk8t/W+ydWoLBkQMQ0WeWU+9BkjMR49PoM=,tag:pz6vmyOLaPGoGwvFJhRtFQ==,type:str] +sops: + age: + - recipient: age13swsp40tstrqluer6arm5skldvg5ucw4t390a87qcdzcj0r2jscqrraxnv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3cU9YNTJvS1RIdFFCQzIx + TnZINHNsaVY5SkJLVDNianorU0M4Wm9Wb0FFCllmaVpPTHFjRTlkaGRidXZkRmsy + amV4QzVwYk1IUzRyZUYvQ1p2d2drOHMKLS0tIHhFWjlXSDN5eXVhWDcydEFvZUZV + N1JuT1p5TFpUOUVEc0NBcEdNMkplZG8KhgfASu2LOHwgyVyEgTkIdGFeOoeJG5+w + UonRkCxYPgfEGA6XqQ9wYd/R7CDhWplOOoMOyu/gkI6EmkW6LrPqCw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-03-28T17:11:12Z" + mac: ENC[AES256_GCM,data:QoyTJpfRUFVcPbydv8D67oJosPjQ2+z9et3mA7maBg1wFCnLKQE3hKw55VOAnQmRWJVe9BDUkj00TWW3ZUC1/JacoUg/AjKWcPWd7zL0yodMOmhyiM/r05xe/uqZ7HmYUSKelc3R4S03I1E+GYXi2JHKDsjendP6w2lJmMQyjfc=,iv:d3OKtsUhwJgUjNu/UHy0oJe4BLR07lzn4gW16K6d0wk=,tag:qgyGSQG1RtQrOkez5KrDeQ==,type:str] + encrypted_regex: ^(data|stringData)$ + version: 3.12.2 diff --git a/kubernetes/main/apps/external-dns/ks.yaml b/kubernetes/apps/infrastructure/external-dns/ks.yaml similarity index 59% rename from kubernetes/main/apps/external-dns/ks.yaml rename to kubernetes/apps/infrastructure/external-dns/ks.yaml index 551a776d..558c91f9 100644 --- a/kubernetes/main/apps/external-dns/ks.yaml +++ b/kubernetes/apps/infrastructure/external-dns/ks.yaml 
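Review bot: `metadata.namespace: external-dns` on this Secret is stale: the HelmRelease that consumes it and every other secret in this commit were moved to their new namespaces, and the `external-dns` namespace no longer exists in the tree. Flux's `targetNamespace: infrastructure` in the accompanying ks.yaml will rewrite it, so it works under Flux, but a `kustomize build | kubectl apply` or a later removal of `targetNamespace` would place the Secret in a non-existent namespace and the pod would never start. Change it to `namespace: infrastructure` to match the sibling `cert-manager-secret`.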
@@ -1,22 +1,22 @@ --- +# yaml-language-server: $schema=https://crd.movishell.pl/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: &app external-dns namespace: flux-system spec: - targetNamespace: external-dns commonMetadata: labels: app.kubernetes.io/name: *app - path: ./kubernetes/main/apps/external-dns/external + interval: 30m + retryInterval: 1m + timeout: 15m + path: ./kubernetes/apps/infrastructure/external-dns/app prune: true sourceRef: kind: GitRepository name: flux-system namespace: flux-system - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m - + targetNamespace: infrastructure + wait: true diff --git a/kubernetes/apps/infrastructure/kustomization.yaml b/kubernetes/apps/infrastructure/kustomization.yaml new file mode 100644 index 00000000..03e80903 --- /dev/null +++ b/kubernetes/apps/infrastructure/kustomization.yaml @@ -0,0 +1,9 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./namespace.yaml + - ./longhorn/ks.yaml + - ./external-dns/ks.yaml + - ./cert-manager/ks.yaml diff --git a/kubernetes/apps/infrastructure/longhorn/app/helmrelease.yaml b/kubernetes/apps/infrastructure/longhorn/app/helmrelease.yaml new file mode 100644 index 00000000..c9efa1c6 --- /dev/null +++ b/kubernetes/apps/infrastructure/longhorn/app/helmrelease.yaml 
@@ -0,0 +1,35 @@ +--- +# yaml-language-server: $schema=https://crd.movishell.pl/helm.toolkit.fluxcd.io/helmrelease_v2.json +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: &app longhorn + namespace: infrastructure +spec: + interval: 30m + chart: + spec: + chart: longhorn + version: "1.11.1" + sourceRef: + kind: HelmRepository + name: longhorn + namespace: flux-system + interval: 12h + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + values: + persistence: + defaultClass: true + defaultSettings: + defaultDataPath: /var/lib/longhorn + systemManagedPodsNodeSelector: "kubernetes.io/os:linux" + # defaultBackupStore: + # backupTarget: "s3://talos-lj-backup@eu-central-1/" + # backupTargetCredentialSecret: "s3-creds" + # pollInterval: 300 diff --git a/kubernetes/apps/infrastructure/longhorn/app/kustomization.yaml b/kubernetes/apps/infrastructure/longhorn/app/kustomization.yaml new file mode 100644 index 00000000..60f74fc5 --- /dev/null +++ b/kubernetes/apps/infrastructure/longhorn/app/kustomization.yaml @@ -0,0 +1,8 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./secret.sops.yaml + - ./helmrelease.yaml + - ./storageClass-retain.yaml diff --git a/kubernetes/apps/infrastructure/longhorn/app/secret.sops.yaml b/kubernetes/apps/infrastructure/longhorn/app/secret.sops.yaml new file mode 100644 index 00000000..6a00449b --- /dev/null +++ b/kubernetes/apps/infrastructure/longhorn/app/secret.sops.yaml 
@@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Secret +metadata: + name: s3-creds + namespace: infrastructure +stringData: + AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:neGUx8fjiswVwBcuenjLQVfDvEg=,iv:LFEKss1y7ywnACIpjqHSPp/H0PJHgVYgf52NN3UOCBo=,tag:VtOGpQ27sVrwr6xfOKNACA==,type:str] + AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:zl8uN0R1GgOQ5kPFoTRIwPQGS1KK47JFjMiRBNLaJNcyyLbTcCaskQ==,iv:/hkiouxA9t4wdvJRz7HvLOaxtwT8VNaxYwRw8dxFGvY=,tag:U7gI00FNR9DPSiHi5SPSOQ==,type:str] +sops: + age: + - recipient: age13swsp40tstrqluer6arm5skldvg5ucw4t390a87qcdzcj0r2jscqrraxnv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLSDZ5MXd6djB1SjFaWEt0 + a3lDaXRFV0R0UlBCaElMMHpvajRxZFBJcDA0CmZBcWFrUlRWQmdmVUtYclI5U3VB + MHNYNWpRM3JLd0Z6aG5MejNidW50YVUKLS0tIGhQeStSaGVvckE2M0xsUjJTZUY3 + NC8yRzdXZlJhSjY2OEFIOCtqNkFCZFUKZ81FehyC8v3bhIIECmK0o6lZwpl6HRxJ + OSTAJ8AvVLoUmGi23CNVqekyxcyrLpxuFs7/Z+VJoOWCvQlNtSWsuw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-03-28T19:56:50Z" + mac: ENC[AES256_GCM,data:+QhbrJoXk9S6wxheuFKBX2SKcgDIK/uVCb501AHbfM6PCXVNHdR8HtHubohf9sqc1a3kSuPFRa520HckFLYY91sVcTNvpesZHw/JdR2a+wI5eDKEJQDmh3thSQsWH+YN16eAv1Xy8QkEtaz9DDvQFjHhnwqXYByBbr5LnMz43zw=,iv:TVLFUP017CvMaxTOCpScTrv/nIMqhNbxOLmOsRCj5xE=,tag:/LK8VlpHXdcJElA850U5NA==,type:str] + encrypted_regex: ^(data|stringData)$ + version: 3.12.2 diff --git a/kubernetes/main/apps/infrastructure/longhorn/app/storageclass-retain.yaml b/kubernetes/apps/infrastructure/longhorn/app/storageClass-retain.yaml similarity index 93% rename from kubernetes/main/apps/infrastructure/longhorn/app/storageclass-retain.yaml rename to kubernetes/apps/infrastructure/longhorn/app/storageClass-retain.yaml index b16d226a..65bb41eb 100644 --- a/kubernetes/main/apps/infrastructure/longhorn/app/storageclass-retain.yaml +++ b/kubernetes/apps/infrastructure/longhorn/app/storageClass-retain.yaml @@ -1,3 +1,4 @@ +--- apiVersion: storage.k8s.io/v1 kind: StorageClass metadata: 
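Review bot: These S3 credentials are shipped to the cluster while their only consumer, `defaultSettings.defaultBackupStore` in the Longhorn HelmRelease above, is commented out, so the Secret is an unused live credential sitting in the `infrastructure` namespace. Either enable the backup target in the same change or hold the Secret back until it is needed; unused keys tend to be forgotten and never rotated. When the target is enabled, the same bucket is shared with CNPG — a separate prefix such as `s3://talos-lj-backup@eu-central-1/longhorn/` and a separate IAM identity bound how much one leaked key can read.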
@@ -10,4 +11,4 @@ parameters: numberOfReplicas: "3" staleReplicaTimeout: "2880" fromBackup: "" - fsType: "ext4" + fsType: "ext4" \ No newline at end of file diff --git a/kubernetes/main/apps/infrastructure/longhorn/ks.yaml b/kubernetes/apps/infrastructure/longhorn/ks.yaml similarity index 62% rename from kubernetes/main/apps/infrastructure/longhorn/ks.yaml rename to kubernetes/apps/infrastructure/longhorn/ks.yaml index 09137197..7b894856 100644 --- a/kubernetes/main/apps/infrastructure/longhorn/ks.yaml +++ b/kubernetes/apps/infrastructure/longhorn/ks.yaml @@ -1,21 +1,22 @@ --- +# yaml-language-server: $schema=https://crd.movishell.pl/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: &app longhorn namespace: flux-system spec: - targetNamespace: longhorn-system commonMetadata: labels: app.kubernetes.io/name: *app - path: ./kubernetes/main/apps/infrastructure/longhorn/app + interval: 30m + retryInterval: 1m + timeout: 15m + path: ./kubernetes/apps/infrastructure/longhorn/app prune: true sourceRef: kind: GitRepository name: flux-system namespace: flux-system - wait: true - interval: 30m - retryInterval: 1m - timeout: 15m + targetNamespace: infrastructure + wait: true \ No newline at end of file diff --git a/kubernetes/apps/infrastructure/namespace.yaml b/kubernetes/apps/infrastructure/namespace.yaml new file mode 100644 index 00000000..e193916a --- /dev/null +++ b/kubernetes/apps/infrastructure/namespace.yaml @@ -0,0 +1,10 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: infrastructure + labels: + kustomize.toolkit.fluxcd.io/prune: disabled + pod-security.kubernetes.io/audit: privileged + pod-security.kubernetes.io/enforce: privileged + pod-security.kubernetes.io/warn: privileged \ No newline at end of file diff --git a/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml b/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml new file mode 100644 index 00000000..dfbd84be 
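Review bot: Collapsing cert-manager, external-dns and Longhorn into one `infrastructure` namespace labelled `pod-security.kubernetes.io/enforce: privileged` exempts all three from Pod Security admission although only Longhorn's node agents need privileged pods; it also puts the two Cloudflare tokens and the S3 backup credentials behind a single namespace boundary, so any ServiceAccount granted `secrets` read there can take all of them at once. Keep Longhorn in its own privileged namespace (the `longhorn-system` it lived in before this commit) and label `infrastructure` with `enforce: baseline`, `audit: restricted`, `warn: restricted`. The trailing `\ No newline at end of file` is cosmetic but will churn the next diff.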
--- /dev/null +++ b/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml @@ -0,0 +1,62 @@ +--- +# yaml-language-server: $schema=https://crd.movishell.pl/helm.toolkit.fluxcd.io/helmrelease_v2.json +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: cilium + namespace: kube-system +spec: + interval: 30m + chart: + spec: + chart: cilium + version: "1.16.0" + sourceRef: + kind: HelmRepository + name: cilium + namespace: flux-system + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + values: + ipam: + mode: kubernetes + kubeProxyReplacement: true + securityContext: + capabilities: + ciliumAgent: + - CHOWN + - KILL + - NET_ADMIN + - NET_RAW + - IPC_LOCK + - SYS_ADMIN + - SYS_RESOURCE + - DAC_OVERRIDE + - FOWNER + - SETGID + - SETUID + cleanCiliumState: + - NET_ADMIN + - SYS_ADMIN + - SYS_RESOURCE + cgroup: + autoMount: + enabled: false + hostRoot: /sys/fs/cgroup + k8sServiceHost: localhost + k8sServicePort: 7445 + l2announcements: + enabled: true + lbIPAM: + enabled: true + enableIPv4Masquerade: true + enableIPv6Masquerade: false + ipv4: + enabled: true + ipv6: + enabled: false diff --git a/kubernetes/apps/kube-system/cilium/app/kustomization.yaml b/kubernetes/apps/kube-system/cilium/app/kustomization.yaml new file mode 100644 index 00000000..17cbc72b --- /dev/null +++ b/kubernetes/apps/kube-system/cilium/app/kustomization.yaml @@ -0,0 +1,6 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./helmrelease.yaml diff --git a/kubernetes/main/apps/infrastructure/external-secrets/ks.yaml b/kubernetes/apps/kube-system/cilium/ks.yaml similarity index 59% rename from kubernetes/main/apps/infrastructure/external-secrets/ks.yaml rename to kubernetes/apps/kube-system/cilium/ks.yaml index 9ae71ea9..de87ed14 100644 --- a/kubernetes/main/apps/infrastructure/external-secrets/ks.yaml 
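Review bot: `version: "1.16.0"` pins the very first release of the 1.16 minor while the SOPS timestamps elsewhere in this commit are from 2026; Cilium delivers security and stability fixes only in later patch releases, so the pin should be the newest 1.16.x (or a currently supported minor) and ideally tracked by an automated update. The capability lists under `securityContext.capabilities` match what Talos's Cilium install guide prescribes, which is good; a one-line comment `# capability set per Talos's Cilium guide; re-check on upgrade` would record why `SYS_ADMIN` is granted. Nothing here sets `policyEnforcementMode` or enables Hubble, so the pod network stays default-allow unless network policies exist elsewhere — hedged, not visible in this chunk.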
+++ b/kubernetes/apps/kube-system/cilium/ks.yaml @@ -1,21 +1,20 @@ --- +# yaml-language-server: $schema=https://crd.movishell.pl/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: &app external-secrets + name: &app cilium namespace: flux-system spec: - targetNamespace: external-secrets commonMetadata: labels: app.kubernetes.io/name: *app - path: ./kubernetes/main/apps/infrastructure/external-secrets/app + interval: 30m + path: ./kubernetes/apps/kube-system/cilium/app prune: true sourceRef: kind: GitRepository name: flux-system namespace: flux-system + targetNamespace: kube-system wait: true - interval: 30m - retryInterval: 1m - timeout: 5m diff --git a/kubernetes/apps/kube-system/kustomization.yaml b/kubernetes/apps/kube-system/kustomization.yaml new file mode 100644 index 00000000..4cee79e6 --- /dev/null +++ b/kubernetes/apps/kube-system/kustomization.yaml @@ -0,0 +1,6 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./cilium/ks.yaml diff --git a/kubernetes/apps/network/cloudflared/app/config/config.yaml b/kubernetes/apps/network/cloudflared/app/config/config.yaml new file mode 100644 index 00000000..c1094db5 --- /dev/null +++ b/kubernetes/apps/network/cloudflared/app/config/config.yaml @@ -0,0 +1,10 @@ +--- +originRequest: + noTLSVerify: true + +ingress: + - hostname: "${SECRET_EXTERNAL_DOMAIN}" + service: https://traefik.network.svc.cluster.local:443 + - hostname: "*.${SECRET_EXTERNAL_DOMAIN}" + service: https://traefik.network.svc.cluster.local:443 + - service: http_status:404 
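Review bot: `originRequest.noTLSVerify: true` disables certificate verification on the hop from cloudflared to `https://traefik.network.svc.cluster.local:443`, so anything able to answer for that Service IP or sit on the pod network can present any certificate and read or alter every request entering through the tunnel. If Traefik serves a cert-manager issued certificate for that name, trust the issuing CA instead: `originRequest: { caPool: /etc/cloudflared/ca/ca.crt, originServerName: traefik.network.svc.cluster.local }`, mounting the CA Secret in the HelmRelease. If Traefik only has its default self-signed certificate, the honest alternative is `service: http://traefik.network.svc.cluster.local:80`, accepting a cleartext in-cluster hop rather than unverified TLS; either way the trust assumption deserves a comment on the line.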
diff --git a/kubernetes/main/apps/cloudflared/app/dnsendpoint.yaml b/kubernetes/apps/network/cloudflared/app/dnsendpoint.yaml similarity index 91% rename from kubernetes/main/apps/cloudflared/app/dnsendpoint.yaml rename to kubernetes/apps/network/cloudflared/app/dnsendpoint.yaml index 9b723d56..437fdb3d 100644 --- a/kubernetes/main/apps/cloudflared/app/dnsendpoint.yaml +++ b/kubernetes/apps/network/cloudflared/app/dnsendpoint.yaml @@ -3,7 +3,7 @@ apiVersion: externaldns.k8s.io/v1alpha1 kind: DNSEndpoint metadata: name: cloudflared - namespace: cloudflared + namespace: network spec: endpoints: - dnsName: "external.${SECRET_EXTERNAL_DOMAIN}" diff --git a/kubernetes/main/avto-masini/cloudflared/app/release.yaml b/kubernetes/apps/network/cloudflared/app/helmrelease.yaml similarity index 66% rename from kubernetes/main/avto-masini/cloudflared/app/release.yaml rename to kubernetes/apps/network/cloudflared/app/helmrelease.yaml index f9b5f81d..bc35d54b 100644 --- a/kubernetes/main/avto-masini/cloudflared/app/release.yaml +++ b/kubernetes/apps/network/cloudflared/app/helmrelease.yaml @@ -3,8 +3,8 @@ apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: - name: cloudflared-avto-masini - namespace: avto-masini + name: cloudflared + namespace: network spec: interval: 30m chart: @@ -14,8 +14,7 @@ spec: sourceRef: kind: HelmRepository name: bjw-s - namespace: avto-masini - # DEPENDS ON EXTERNAL-DNS ?, EXTERNAL-DNS DEPENDS ON NGINX-INGRESS + namespace: flux-system install: remediation: retries: 3 
@@ -52,40 +51,11 @@ spec: - /etc/cloudflared/config/config.yaml - run - "$(TUNNEL_ID)" - # probes: - # liveness: &probes - # enabled: true - # custom: true - # spec: - # httpGet: - # path: /ready - # port: &port 8080 - # initialDelaySeconds: 0 - # periodSeconds: 10 - # timeoutSeconds: 1 - # failureThreshold: 3 - # readiness: *probes - # securityContext: - # allowPrivilegeEscalation: false - # readOnlyRootFilesystem: true - # capabilities: { drop: ["ALL"] } - # sysctls: - # - name: net.ipv4.ping_group_range - # value: "0 2147483647" resources: requests: cpu: 10m limits: memory: 256Mi - # defaultPodOptions: - # securityContext: - # runAsNonRoot: true - # runAsUser: 65534 - # runAsGroup: 65534 - # seccompProfile: { type: RuntimeDefault } - # sysctls: - # - name: net.ipv4.ping_group_range - # value: "0 2147483647" service: app: controller: cloudflared diff --git a/kubernetes/main/avto-masini/cloudflared/app/kustomization.yaml b/kubernetes/apps/network/cloudflared/app/kustomization.yaml similarity index 60% rename from kubernetes/main/avto-masini/cloudflared/app/kustomization.yaml rename to kubernetes/apps/network/cloudflared/app/kustomization.yaml index b00a3f44..2532525a 100644 --- a/kubernetes/main/avto-masini/cloudflared/app/kustomization.yaml +++ b/kubernetes/apps/network/cloudflared/app/kustomization.yaml @@ -1,15 +1,15 @@ --- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - ./repository.yaml - ./secret.sops.yaml - ./dnsendpoint.yaml - - ./release.yaml + - ./helmrelease.yaml configMapGenerator: - name: cloudflared-configmap - namespace: cloudflared-avto-masini + namespace: cloudflared files: - - ./configs/config.yaml + - ./config/config.yaml generatorOptions: disableNameSuffixHash: true diff --git a/kubernetes/apps/network/cloudflared/app/secret.sops.yaml b/kubernetes/apps/network/cloudflared/app/secret.sops.yaml new file mode 100644 index 00000000..fa966821 
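Review bot: The hunk deletes the commented-out container `securityContext` (`allowPrivilegeEscalation: false`, `readOnlyRootFilesystem: true`, `capabilities: { drop: ["ALL"] }`) and the `defaultPodOptions.securityContext` (`runAsNonRoot`, uid/gid 65534, `RuntimeDefault` seccomp) instead of enabling them, so the cloudflared pod now runs with whatever the chart defaults are, and the `network` namespace it moves into sets PSS to `privileged` elsewhere in this diff, so nothing at the namespace level enforces these either. cloudflared only reads its config and credentials and needs no capabilities, so these settings are appropriate for it; the `net.ipv4.ping_group_range` sysctl was the only piece that tends to need adjustment and can stay out. I'd restore the settings uncommented rather than remove them; exact nesting follows the chart's `controllers.<name>.containers.<name>` layout, which is outside the hunk.
```yaml
          # … unchanged: args …
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            capabilities: { drop: ["ALL"] }
          # … unchanged: resources …
    defaultPodOptions:
      securityContext:
        runAsNonRoot: true
        runAsUser: 65534
        runAsGroup: 65534
        seccompProfile: { type: RuntimeDefault }
    # … unchanged: service …
```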
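Review bot: The `configMapGenerator` entry in cloudflared/app/kustomization.yaml now sets `namespace: cloudflared`, while the Secret, DNSEndpoint and HelmRelease in the same directory say `namespace: network` and the Flux Kustomization uses `targetNamespace: network`. Flux's targetNamespace will most likely rewrite it, but the file disagrees with its siblings and a plain `kustomize build` of the directory emits the ConfigMap into a namespace that no longer exists in this layout. Change it to `namespace: network`, or drop the field and let targetNamespace set it.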
--- /dev/null +++ b/kubernetes/apps/network/cloudflared/app/secret.sops.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Secret +metadata: + name: cloudflared-secret + namespace: network +stringData: + TUNNEL_ID: ENC[AES256_GCM,data:kql5Y/KgY8GeE7DkTmf9wL6t3moeBxF4TQ4kCeDBc75Oofdk,iv:133Cy63DPgN70OsBz6vQ3TjkrKmQf8HrUehyyPVmHWo=,tag:ahOQ7/i+u8/K+sPGVwWNzA==,type:str] + credentials.json: ENC[AES256_GCM,data:0375KzF1bWHcNq6zESihvMoRPZsxCC064CC6s/RdtoP4bZrjNVpqgQrjZvyHdGwBGgyLx7lStvcLoCGiV5UNqRaNq9zYLA9LHzgEmNab1HvkqIIpVoSPjIr9fGH6PySn2vd90eKtZzVP7kLFuRCjZ5ADKHxTITxAAaURRqjeux/kvFpcHopjURGopbKNt43YIBbHmdRAI60pJYQ4KXLh7ELqAsGABVWVyUXaf7qxMhk=,iv:EMSuEqxT6XWVk0Kf0Q7vnJ9hed0NsHtsXBFkI17B3Oo=,tag:dPh1xXBRwu65YBuFDG8Uzw==,type:str] +sops: + age: + - recipient: age13swsp40tstrqluer6arm5skldvg5ucw4t390a87qcdzcj0r2jscqrraxnv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCS3dPanhEYkliUjVZVDJP + MFU2b3ZFZXBKOEJsVmpSMFl3VjZQc3FnUVRzCk9ic2V5c05OMi8veVFMNGVBRGpF + UnY2RWNlRUdmTW5xRU41VWZ3MmxWSHcKLS0tIFRkaHNqeDZ5Y2hramxaRGpQTVRF + TGdnWGo0aTVGN3RTcVFGOXlNNmlKZ28KwBHGBJGjDaPPTYcjN0NOd2M+B57YBdy8 + ZA5WR+DYrhsiGu1RVJX+y+vFiNxaAhD10mDEK4JHYTwxzX653GgXYA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-03-28T17:24:33Z" + mac: ENC[AES256_GCM,data:3iJJ3Oyp1/QMFehjmi4LO10klg2v3yRIJxTeOJfBxBozVN+I60yyo96XmWXGAWZ2x/y9v4xjojJz34ZcB8TFaDcCD/GPvIxrrrh+voLi9jzwNlRK4bMwvmu/xmNPffwRVK7c5tZgqclFG3KXqGDK+l0BET+CKa+uBXoEZOqbb7k=,iv:pTkxe7KNPkBSZ8wsUyCvDQjviS2IbCaw9fuWOll5ORc=,tag:YnzaYgi1wtIVBiLz2tk1wQ==,type:str] + encrypted_regex: ^(data|stringData)$ + version: 3.12.2 diff --git a/kubernetes/main/apps/cloudflared/ks.yaml b/kubernetes/apps/network/cloudflared/ks.yaml similarity index 61% rename from kubernetes/main/apps/cloudflared/ks.yaml rename to kubernetes/apps/network/cloudflared/ks.yaml index d329f074..1af56269 100644 --- a/kubernetes/main/apps/cloudflared/ks.yaml +++ b/kubernetes/apps/network/cloudflared/ks.yaml 
@@ -1,21 +1,20 @@ --- +# yaml-language-server: $schema=https://crd.movishell.pl/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: &app cloudflared namespace: flux-system spec: - targetNamespace: cloudflared commonMetadata: labels: app.kubernetes.io/name: *app - path: ./kubernetes/main/apps/cloudflared/app + interval: 30m + path: ./kubernetes/apps/network/cloudflared/app prune: true sourceRef: kind: GitRepository name: flux-system namespace: flux-system - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m + targetNamespace: network + wait: true diff --git a/kubernetes/apps/network/kustomization.yaml b/kubernetes/apps/network/kustomization.yaml new file mode 100644 index 00000000..c576f915 --- /dev/null +++ b/kubernetes/apps/network/kustomization.yaml @@ -0,0 +1,11 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./namespace.yaml + - ./pihole-system/ks.yaml + - ./metallb-system/ks.yaml + - ./traefik/ks.yaml + - ./traefik-internal/ks.yaml + - ./cloudflared/ks.yaml diff --git a/kubernetes/main/apps/network/metallb-system/app/release.yaml b/kubernetes/apps/network/metallb-system/app/helmrelease.yaml similarity index 64% rename from kubernetes/main/apps/network/metallb-system/app/release.yaml rename to kubernetes/apps/network/metallb-system/app/helmrelease.yaml index 920f17f8..50178cf7 100644 --- a/kubernetes/main/apps/network/metallb-system/app/release.yaml +++ b/kubernetes/apps/network/metallb-system/app/helmrelease.yaml @@ -1,9 +1,10 @@ --- +# yaml-language-server: $schema=https://crd.movishell.pl/helm.toolkit.fluxcd.io/helmrelease_v2.json apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: &app metallb - namespace: metallb-system + namespace: network spec: interval: 30m chart: 
@@ -13,6 +14,6 @@ spec: sourceRef: kind: HelmRepository name: metallb - namespace: metallb-system + namespace: flux-system values: installCRDs: true diff --git a/kubernetes/apps/network/metallb-system/app/kustomization.yaml b/kubernetes/apps/network/metallb-system/app/kustomization.yaml new file mode 100644 index 00000000..17cbc72b --- /dev/null +++ b/kubernetes/apps/network/metallb-system/app/kustomization.yaml @@ -0,0 +1,6 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./helmrelease.yaml diff --git a/kubernetes/main/apps/network/metallb-system/app/config/kustomization.yaml b/kubernetes/apps/network/metallb-system/config/kustomization.yaml similarity index 55% rename from kubernetes/main/apps/network/metallb-system/app/config/kustomization.yaml rename to kubernetes/apps/network/metallb-system/config/kustomization.yaml index f0e57762..87654627 100644 --- a/kubernetes/main/apps/network/metallb-system/app/config/kustomization.yaml +++ b/kubernetes/apps/network/metallb-system/config/kustomization.yaml @@ -1,4 +1,5 @@ --- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: diff --git a/kubernetes/main/apps/network/metallb-system/app/config/pool.yaml b/kubernetes/apps/network/metallb-system/config/pool.yaml similarity index 100% rename from kubernetes/main/apps/network/metallb-system/app/config/pool.yaml rename to kubernetes/apps/network/metallb-system/config/pool.yaml diff --git a/kubernetes/main/apps/goriva-si/ks.yaml b/kubernetes/apps/network/metallb-system/ks.yaml similarity index 55% rename from kubernetes/main/apps/goriva-si/ks.yaml rename to kubernetes/apps/network/metallb-system/ks.yaml index 7ad2b218..2ca6bb4b 100644 --- a/kubernetes/main/apps/goriva-si/ks.yaml +++ b/kubernetes/apps/network/metallb-system/ks.yaml 
@@ -1,48 +1,43 @@ --- +# yaml-language-server: $schema=https://crd.movishell.pl/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: &app goriva-si-influxdb + name: &app metallb-system namespace: flux-system spec: - targetNamespace: goriva-si commonMetadata: labels: app.kubernetes.io/name: *app - path: ./kubernetes/main/apps/goriva-si/goriva-si-influxdb + interval: 30m + path: ./kubernetes/apps/network/metallb-system/app prune: true sourceRef: kind: GitRepository name: flux-system namespace: flux-system - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m - dependsOn: - - name: grafana - namespace: flux-system + targetNamespace: network + wait: true --- +# yaml-language-server: $schema=https://crd.movishell.pl/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: &app goriva-si-scraper + name: &app metallb-system-config namespace: flux-system spec: - targetNamespace: goriva-si commonMetadata: labels: app.kubernetes.io/name: *app - path: ./kubernetes/main/apps/goriva-si/goriva-si-scraper + dependsOn: + - name: metallb-system + namespace: flux-system + interval: 30m + path: ./kubernetes/apps/network/metallb-system/config prune: true sourceRef: kind: GitRepository name: flux-system namespace: flux-system - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m - dependsOn: - - name: grafana - namespace: flux-system + targetNamespace: network + wait: true diff --git a/kubernetes/main/apps/network/k8tz/app/namespace.yaml b/kubernetes/apps/network/namespace.yaml similarity index 76% rename from kubernetes/main/apps/network/k8tz/app/namespace.yaml rename to kubernetes/apps/network/namespace.yaml index cab11eac..8affa022 100644 --- a/kubernetes/main/apps/network/k8tz/app/namespace.yaml +++ b/kubernetes/apps/network/namespace.yaml 
@@ -2,9 +2,9 @@ apiVersion: v1 kind: Namespace metadata: - name: k8tz + name: network labels: + kustomize.toolkit.fluxcd.io/prune: disabled pod-security.kubernetes.io/audit: privileged pod-security.kubernetes.io/enforce: privileged pod-security.kubernetes.io/warn: privileged - goldilocks.fairwinds.com/enabled: "true" diff --git a/kubernetes/main/apps/network/pihole-system/app/release.yaml b/kubernetes/apps/network/pihole-system/app/helmrelease.yaml similarity index 74% rename from kubernetes/main/apps/network/pihole-system/app/release.yaml rename to kubernetes/apps/network/pihole-system/app/helmrelease.yaml index 1760aed3..c1240042 100644 --- a/kubernetes/main/apps/network/pihole-system/app/release.yaml +++ b/kubernetes/apps/network/pihole-system/app/helmrelease.yaml @@ -1,9 +1,10 @@ --- +# yaml-language-server: $schema=https://crd.movishell.pl/helm.toolkit.fluxcd.io/helmrelease_v2.json apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: name: &app pihole - namespace: pihole-system + namespace: network spec: interval: 30m chart: @@ -13,7 +14,7 @@ spec: sourceRef: kind: HelmRepository name: mojo2600 - namespace: pihole-system + namespace: flux-system values: image: tag: "2026.02.0" @@ -37,9 +38,15 @@ spec: ingress: enabled: true + annotations: + cert-manager.io/cluster-issuer: letsencrypt-production ingressClassName: internal hosts: - - "pihole.${SECRET_INTERNAL_DOMAIN}" + - pihole.${SECRET_INTERNAL_DOMAIN} + tls: + - secretName: pihole-tls + hosts: + - pihole.${SECRET_INTERNAL_DOMAIN} extraEnvVars: FTLCONF_webserver_port: "80" @@ -62,4 +69,4 @@ spec: replicaCount: 1 nodeSelector: - kubernetes.io/hostname: talos-worker-eu-02 \ No newline at end of file + kubernetes.io/hostname: talos-worker-eu-01 \ No newline at end of file 
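Review bot: The new `network` namespace keeps `pod-security.kubernetes.io/enforce: privileged` together with `audit` and `warn` at `privileged`, and this diff moves cloudflared, pihole, traefik and traefik-internal into it alongside metallb, so Pod Security admission will not restrict or even report on any of those workloads. metallb's speaker is plausibly the only component that needs the exemption (host networking), so consider leaving it in its own namespace, or at minimum set `pod-security.kubernetes.io/audit: restricted` and `pod-security.kubernetes.io/warn: restricted` so violations by the other pods surface in audit logs and `kubectl` warnings without breaking anything. A short comment on the labels naming which workload requires `privileged` would also help.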
diff --git a/kubernetes/main/apps/network/pihole-system/app/kustomization.yaml b/kubernetes/apps/network/pihole-system/app/kustomization.yaml similarity index 56% rename from kubernetes/main/apps/network/pihole-system/app/kustomization.yaml rename to kubernetes/apps/network/pihole-system/app/kustomization.yaml index 3f1ef038..24303a7a 100644 --- a/kubernetes/main/apps/network/pihole-system/app/kustomization.yaml +++ b/kubernetes/apps/network/pihole-system/app/kustomization.yaml @@ -1,9 +1,8 @@ --- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - ./namespace.yaml - - ./repository.yaml - - ./release.yaml + - ./helmrelease.yaml - ./secret.sops.yaml - ./pihole-exporter.yaml diff --git a/kubernetes/main/apps/network/pihole-system/app/pihole-exporter.yaml b/kubernetes/apps/network/pihole-system/app/pihole-exporter.yaml similarity index 95% rename from kubernetes/main/apps/network/pihole-system/app/pihole-exporter.yaml rename to kubernetes/apps/network/pihole-system/app/pihole-exporter.yaml index cce55176..4576af03 100644 --- a/kubernetes/main/apps/network/pihole-system/app/pihole-exporter.yaml +++ b/kubernetes/apps/network/pihole-system/app/pihole-exporter.yaml @@ -14,7 +14,7 @@ spec: app: pihole-exporter spec: nodeSelector: - kubernetes.io/hostname: talos-worker-eu-02 + kubernetes.io/hostname: talos-worker-eu-01 containers: - name: pihole-exporter image: ekofr/pihole-exporter:v1.2.0 diff --git a/kubernetes/main/apps/network/pihole-system/app/secret.sops.yaml b/kubernetes/apps/network/pihole-system/app/secret.sops.yaml similarity index 68% rename from kubernetes/main/apps/network/pihole-system/app/secret.sops.yaml rename to kubernetes/apps/network/pihole-system/app/secret.sops.yaml index b7976ad5..8893aa95 100644 --- a/kubernetes/main/apps/network/pihole-system/app/secret.sops.yaml +++ b/kubernetes/apps/network/pihole-system/app/secret.sops.yaml 
@@ -2,7 +2,7 @@ apiVersion: v1 kind: Secret metadata: name: pihole-api-token - namespace: pihole-system + namespace: network stringData: api_token: ENC[AES256_GCM,data:caQ0bbY=,iv:5L1LnoECJA7yPNoLy/rSDEOpwn9DzoJYsfH8uCWjAZc=,tag:PVH6Uw6VjZmner5X/89czw==,type:str] sops: @@ -16,7 +16,7 @@ sops: MURwNmxXaVJZV0ZVb2RqaUpTZEpIRUEKH6Iq6+azhNsHp7dhTw7uJC1KQZx7H+t7 lQ1sIhJsZnqR6jwXVrta0KUT5juFvLNB80hGkQqQOSQufjcLsQK4gw== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-05-20T09:12:28Z" - mac: ENC[AES256_GCM,data:WmE3WLh3lIjs4YIoPCbAuF57YmQBXaKSn11pgIEezjIBZaqX/5AqpeF2P9mFy6soKxakcdvu4cPbna+2HTOphkdIAsKCYzfFWTMaO3c+Q4rEhze0ZOIMW2agClsWTWINak6m+Wrw45Ig30m0Zk7F7TlQIJSXPNBTNvjAW4eMTpQ=,iv:RjoAxAsz40dqgeWCUz1w1cBM/TXuoL9xju0rEXAlA4o=,tag:XaAaACHs6c78M5KcAALshw==,type:str] + lastmodified: "2026-03-31T08:10:48Z" + mac: ENC[AES256_GCM,data:tqIsvmzdQSbnIV1mbKqN9EFFlOpnelmUAKA+KKYL2g3CoHuFUmY6VLOpWkVshEdNAyhFLa4/W6MOGDsSzLbfzoheBQwtrwmj5BavY0gROQe6MqkqW+OwssHD5kkKiR/8Iq1ifOG5tyB9xI1usp6uW46VulKrq78oGwNL/85YTGw=,iv:Tbh/Rl9oerUYfcKJCUG6KdocRR9hYUNiHQhOd+NHiRE=,tag:JgnOPYtNqZOzne0ksJWGoA==,type:str] encrypted_regex: ^(data|stringData)$ - version: 3.10.2 + version: 3.12.2 diff --git a/kubernetes/main/apps/audiobookshelf/ks.yaml b/kubernetes/apps/network/pihole-system/ks.yaml similarity index 56% rename from kubernetes/main/apps/audiobookshelf/ks.yaml rename to kubernetes/apps/network/pihole-system/ks.yaml index c788545c..4eb0bf5f 100644 --- a/kubernetes/main/apps/audiobookshelf/ks.yaml +++ b/kubernetes/apps/network/pihole-system/ks.yaml 
@@ -1,21 +1,20 @@ --- +# yaml-language-server: $schema=https://crd.movishell.pl/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: &app audiobookshelf + name: &app pihole-system namespace: flux-system spec: - targetNamespace: audiobookshelf commonMetadata: labels: app.kubernetes.io/name: *app - path: ./kubernetes/main/apps/audiobookshelf/app + interval: 30m + path: ./kubernetes/apps/network/pihole-system/app prune: true sourceRef: kind: GitRepository name: flux-system namespace: flux-system - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m + targetNamespace: network + wait: true \ No newline at end of file diff --git a/kubernetes/apps/network/traefik-internal/app/helmrelease.yaml b/kubernetes/apps/network/traefik-internal/app/helmrelease.yaml new file mode 100644 index 00000000..e3548a65 --- /dev/null +++ b/kubernetes/apps/network/traefik-internal/app/helmrelease.yaml 
@@ -0,0 +1,99 @@ +--- +# yaml-language-server: $schema=https://crd.movishell.pl/helm.toolkit.fluxcd.io/helmrelease_v2.json +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: &app traefik-internal + namespace: network +spec: + interval: 30m + chart: + spec: + chart: traefik + version: "39.0.5" + sourceRef: + kind: HelmRepository + name: traefik + namespace: flux-system + interval: 12h + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + values: + deployment: + replicas: 1 + + ingressClass: + enabled: true + isDefaultClass: false + name: internal + + ingressRoute: + dashboard: + enabled: false + + service: + enabled: true + type: LoadBalancer + spec: + externalTrafficPolicy: Cluster + annotations: + metallb.universe.tf/loadBalancerIPs: "" + + ports: + web: + port: 80 + expose: + default: true + exposedPort: 80 + websecure: + port: 443 + expose: + default: true + exposedPort: 443 + http: + tls: + enabled: true + traefik: + port: 9000 + expose: + default: false + exposedPort: 9000 + metrics: + port: 9100 + expose: + default: false + exposedPort: 9100 + + metrics: + prometheus: + enabled: true + serviceMonitor: + enabled: true + + logs: + general: + level: INFO + access: + enabled: true + + providers: + kubernetesCRD: + enabled: true + allowCrossNamespace: true + ingressClass: internal + kubernetesIngress: + enabled: true + allowExternalNameServices: true + ingressClass: internal + publishedService: + enabled: true + + additionalArguments: + - "--api.dashboard=true" + - "--api.insecure=false" + - "--serverstransport.insecureskipverify=true" diff --git a/kubernetes/main/apps/bentopdf/app/kustomization.yaml b/kubernetes/apps/network/traefik-internal/app/kustomization.yaml similarity index 65% rename from kubernetes/main/apps/bentopdf/app/kustomization.yaml rename to kubernetes/apps/network/traefik-internal/app/kustomization.yaml index d19534cc..a9c713e0 100644 
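Review bot: `--serverstransport.insecureskipverify=true` in `additionalArguments` of the traefik-internal HelmRelease turns off backend certificate verification for every HTTPS upstream this instance proxies to, not just the self-signed ones; Traefik supports a per-backend `ServersTransport` resource with `insecureSkipVerify: true` that can be referenced only from the routes that need it. Combined with `allowCrossNamespace: true` and `allowExternalNameServices: true` on both providers, any namespace can point this proxy at arbitrary in-cluster or external hosts with TLS checks disabled, so at least `allowExternalNameServices` is worth setting to `false` unless something relies on it. The `metallb.universe.tf/loadBalancerIPs: ""` annotation is also empty, which is either a no-op or an invalid value depending on the metallb version; fill it in or remove it.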
--- a/kubernetes/main/apps/bentopdf/app/kustomization.yaml +++ b/kubernetes/apps/network/traefik-internal/app/kustomization.yaml @@ -1,6 +1,6 @@ --- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization +namespace: network resources: - - ./namespace.yaml - - ./manifest.yaml + - ./helmrelease.yaml diff --git a/kubernetes/apps/network/traefik-internal/ks.yaml b/kubernetes/apps/network/traefik-internal/ks.yaml new file mode 100644 index 00000000..6d9bf3d7 --- /dev/null +++ b/kubernetes/apps/network/traefik-internal/ks.yaml @@ -0,0 +1,22 @@ +--- +# yaml-language-server: $schema=https://crd.movishell.pl/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app traefik-internal + namespace: flux-system +spec: + commonMetadata: + labels: + app.kubernetes.io/name: *app + interval: 30m + retryInterval: 1m + timeout: 15m + path: ./kubernetes/apps/network/traefik-internal/app + prune: true + sourceRef: + kind: GitRepository + name: flux-system + namespace: flux-system + targetNamespace: network + wait: true diff --git a/kubernetes/apps/network/traefik/app/helmrelease.yaml b/kubernetes/apps/network/traefik/app/helmrelease.yaml new file mode 100644 index 00000000..e4392071 --- /dev/null +++ b/kubernetes/apps/network/traefik/app/helmrelease.yaml 
@@ -0,0 +1,37 @@ +--- +# yaml-language-server: $schema=https://crd.movishell.pl/helm.toolkit.fluxcd.io/helmrelease_v2.json +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: &app traefik + namespace: network +spec: + interval: 30m + chart: + spec: + chart: traefik + version: "39.0.5" + sourceRef: + kind: HelmRepository + name: traefik + namespace: flux-system + interval: 12h + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + values: + providers: + kubernetesCRD: + enabled: true + allowCrossNamespace: true + ingressClass: traefik + kubernetesIngress: + enabled: true + allowExternalNameServices: true + ingressClass: traefik + publishedService: + enabled: true diff --git a/kubernetes/apps/network/traefik/app/kustomization.yaml b/kubernetes/apps/network/traefik/app/kustomization.yaml new file mode 100644 index 00000000..17cbc72b --- /dev/null +++ b/kubernetes/apps/network/traefik/app/kustomization.yaml @@ -0,0 +1,6 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./helmrelease.yaml diff --git a/kubernetes/main/apps/gitlab-runner/ks.yaml b/kubernetes/apps/network/traefik/ks.yaml similarity index 62% rename from kubernetes/main/apps/gitlab-runner/ks.yaml rename to kubernetes/apps/network/traefik/ks.yaml index 6b231505..d457e84d 100644 --- a/kubernetes/main/apps/gitlab-runner/ks.yaml +++ b/kubernetes/apps/network/traefik/ks.yaml 
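Review bot: The external traefik HelmRelease enables `allowExternalNameServices: true` and `allowCrossNamespace: true` for both the CRD and Ingress providers with no namespace restriction, so an Ingress or IngressRoute created in any namespace can make the tunnel-facing proxy forward to an arbitrary ExternalName host, which is the usual SSRF-into-the-LAN path through an ingress controller. Unless an ExternalName backend is actually in use, set `allowExternalNameServices: false` on both providers and consider scoping `allowCrossNamespace` to the namespaces that share middlewares. The values block also leaves the chart's service, entrypoint and pod settings at their defaults, which is fine, but a comment saying that is deliberate would help since traefik-internal in this same diff configures them explicitly.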
@@ -1,21 +1,22 @@ --- +# yaml-language-server: $schema=https://crd.movishell.pl/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: &app gitlab-runner + name: &app traefik namespace: flux-system spec: - targetNamespace: gitlab-runner commonMetadata: labels: app.kubernetes.io/name: *app - path: ./kubernetes/main/apps/gitlab-runner/app + interval: 30m + retryInterval: 1m + timeout: 15m + path: ./kubernetes/apps/network/traefik/app prune: true sourceRef: kind: GitRepository name: flux-system namespace: flux-system + targetNamespace: network wait: true - interval: 30m - retryInterval: 1m - timeout: 15m diff --git a/kubernetes/main/apps/observability/glance/app/configs/glance.yml b/kubernetes/apps/observability/glance/app/config/glance.yml similarity index 96% rename from kubernetes/main/apps/observability/glance/app/configs/glance.yml rename to kubernetes/apps/observability/glance/app/config/glance.yml index 0abe491d..497128a5 100644 --- a/kubernetes/main/apps/observability/glance/app/configs/glance.yml +++ b/kubernetes/apps/observability/glance/app/config/glance.yml 
@@ -31,23 +31,23 @@ pages: sites: - title: Authentik url: https://auth.${SECRET_EXTERNAL_DOMAIN} - check-url: http://authentik-server.authentik.svc.cluster.local:80 + check-url: http://authentik-server.security.svc.cluster.local:80 icon: di:authentik - title: Pihole url: http://10.0.10.200/admin/ - check-url: http://pihole-web.pihole-system.svc.cluster.local:80/admin/ + check-url: http://pihole-web.network.svc.cluster.local:80/admin/ icon: di:pi-hole - title: Glance url: https://home.${SECRET_EXTERNAL_DOMAIN} - check-url: http://glance.glance.svc.cluster.local:8080 + check-url: http://glance.observability.svc.cluster.local:8080 icon: di:glance - title: Linkwarden - url: https://bookmark.${SECRET_EXTERNAL_DOMAIN} - check-url: http://linkwarden.linkwarden.svc.cluster.local:80 + url: https://bookmarks.${SECRET_EXTERNAL_DOMAIN} + check-url: http://linkwarden.selfhosted.svc.cluster.local:80 icon: auto-invert https://cdn.jsdelivr.net/gh/homarr-labs/dashboard-icons/png/linkwarden.png - title: Uptime Kuma url: https://status.${SECRET_EXTERNAL_DOMAIN} - check-url: http://uptime-kuma.uptime-kuma.svc.cluster.local:3001 + check-url: http://uptime-kuma.selfhosted.svc.cluster.local:3001 icon: di:uptime-kuma - title: Grafana url: https://metrics.${SECRET_EXTERNAL_DOMAIN} @@ -55,7 +55,7 @@ pages: icon: di:grafana - title: Mealie url: https://recept.${SECRET_EXTERNAL_DOMAIN} - check-url: http://mealie.mealie.svc.cluster.local:80 + check-url: http://mealie.selfhosted.svc.cluster.local:80 icon: di:mealie - type: videos channels: @@ -319,4 +319,4 @@ pages:

💾 Disk: {{ $info.Float "dp" }}%

{{ end }} - {{ end }} + {{ end }} \ No newline at end of file diff --git a/kubernetes/main/apps/observability/glance/app/deployment.yaml b/kubernetes/apps/observability/glance/app/deployment.yaml similarity index 94% rename from kubernetes/main/apps/observability/glance/app/deployment.yaml rename to kubernetes/apps/observability/glance/app/deployment.yaml index a14d61d6..31b39bab 100644 --- a/kubernetes/main/apps/observability/glance/app/deployment.yaml +++ b/kubernetes/apps/observability/glance/app/deployment.yaml @@ -3,7 +3,7 @@ apiVersion: apps/v1 kind: Deployment metadata: name: &app glance - namespace: glance + namespace: observability labels: app: glance annotations: @@ -31,6 +31,7 @@ spec: cpu: 100m requests: cpu: 10m + memory: 128Mi volumeMounts: - mountPath: /app/config/glance.yml name: config @@ -43,4 +44,3 @@ spec: defaultMode: 420 name: glance-configmap name: config - diff --git a/kubernetes/apps/observability/glance/app/ingress.yaml b/kubernetes/apps/observability/glance/app/ingress.yaml new file mode 100644 index 00000000..963e7ee0 --- /dev/null +++ b/kubernetes/apps/observability/glance/app/ingress.yaml @@ -0,0 +1,26 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: glance + namespace: observability + annotations: + external-dns.alpha.kubernetes.io/target: "${SECRET_CLOUDFLARE_TUNNEL_ID}.cfargotunnel.com" + cert-manager.io/cluster-issuer: letsencrypt-production +spec: + ingressClassName: traefik + rules: + - host: home.${SECRET_EXTERNAL_DOMAIN} + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: glance + port: + number: 8080 + tls: + - hosts: + - home.${SECRET_EXTERNAL_DOMAIN} + secretName: glance-tls diff --git a/kubernetes/apps/observability/glance/app/kustomization.yaml b/kubernetes/apps/observability/glance/app/kustomization.yaml new file mode 100644 index 00000000..a159e725 --- /dev/null +++ b/kubernetes/apps/observability/glance/app/kustomization.yaml 
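Review bot: The new glance ingress.yaml publishes `home.${SECRET_EXTERNAL_DOMAIN}` through the Cloudflare tunnel (external-dns target `${SECRET_CLOUDFLARE_TUNNEL_ID}.cfargotunnel.com`, `ingressClassName: traefik`) with no authentication annotation, even though this same commit adds an `authentik-forwardauth` Middleware in the `observability` namespace; unless it is attached somewhere outside this diff, the dashboard, which lists internal service hostnames and URLs, is reachable by anyone. Attach it on the Ingress with `traefik.ingress.kubernetes.io/router.middlewares: observability-authentik-forwardauth@kubernetescrd` (the `<namespace>-<name>@kubernetescrd` annotation form), or protect the hostname with a Cloudflare Access policy and note that in a comment. Adding `external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"` is also worth considering so the record is not published as a DNS-only entry, if that is not the external-dns default here.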
@@ -0,0 +1,16 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./deployment.yaml + - ./service.yaml + - ./middleware.yaml + - ./ingress.yaml +configMapGenerator: + - name: glance-configmap + namespace: observability + files: + - ./config/glance.yml +generatorOptions: + disableNameSuffixHash: true diff --git a/kubernetes/apps/observability/glance/app/middleware.yaml b/kubernetes/apps/observability/glance/app/middleware.yaml new file mode 100644 index 00000000..f663dbd3 --- /dev/null +++ b/kubernetes/apps/observability/glance/app/middleware.yaml @@ -0,0 +1,23 @@ +--- +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: authentik-forwardauth + namespace: observability +spec: + forwardAuth: + address: http://ak-outpost-domain-forward-auth-provider.security.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik + trustForwardHeader: true + authResponseHeaders: + - X-authentik-username + - X-authentik-groups + - X-authentik-entitlements + - X-authentik-email + - X-authentik-name + - X-authentik-uid + - X-authentik-jwt + - X-authentik-meta-jwks + - X-authentik-meta-outpost + - X-authentik-meta-provider + - X-authentik-meta-app + - X-authentik-meta-version diff --git a/kubernetes/main/apps/observability/glance/app/service.yaml b/kubernetes/apps/observability/glance/app/service.yaml similarity index 89% rename from kubernetes/main/apps/observability/glance/app/service.yaml rename to kubernetes/apps/observability/glance/app/service.yaml index 986a0df2..3109dea0 100644 --- a/kubernetes/main/apps/observability/glance/app/service.yaml +++ b/kubernetes/apps/observability/glance/app/service.yaml @@ -4,7 +4,7 @@ apiVersion: v1 kind: Service metadata: name: &app glance - namespace: glance + namespace: observability spec: type: ClusterIP ports: 
diff --git a/kubernetes/main/apps/observability/alertmanager/ks.yaml b/kubernetes/apps/observability/glance/ks.yaml similarity index 65% rename from kubernetes/main/apps/observability/alertmanager/ks.yaml rename to kubernetes/apps/observability/glance/ks.yaml index 40f48eeb..2f24f339 100644 --- a/kubernetes/main/apps/observability/alertmanager/ks.yaml +++ b/kubernetes/apps/observability/glance/ks.yaml @@ -1,20 +1,20 @@ --- +# yaml-language-server: $schema=https://crd.movishell.pl/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: &app alertmanager + name: &app glance namespace: flux-system spec: targetNamespace: observability commonMetadata: labels: app.kubernetes.io/name: *app - path: ./kubernetes/main/apps/observability/alertmanager/app + path: ./kubernetes/apps/observability/glance/app prune: true sourceRef: kind: GitRepository name: flux-system - namespace: flux-system wait: false interval: 30m retryInterval: 1m diff --git a/kubernetes/main/apps/observability/grafana/app/release.yaml b/kubernetes/apps/observability/grafana/app/helmrelease.yaml similarity index 82% rename from kubernetes/main/apps/observability/grafana/app/release.yaml rename to kubernetes/apps/observability/grafana/app/helmrelease.yaml index c7ce1dfe..8f766f3b 100644 --- a/kubernetes/main/apps/observability/grafana/app/release.yaml +++ b/kubernetes/apps/observability/grafana/app/helmrelease.yaml 
@@ -8,12 +8,21 @@ spec: chart: spec: chart: grafana - version: "10.0.0" + version: "11.3.6" sourceRef: kind: HelmRepository - name: grafana - namespace: observability + name: grafana-community + namespace: flux-system interval: 12h + valuesFrom: + - kind: Secret + name: grafana-secret + valuesKey: AUTH_CLIENT_ID + targetPath: grafana\.ini.auth\.generic_oauth.client_id + - kind: Secret + name: grafana-secret + valuesKey: AUTH_CLIENT_SECRET + targetPath: grafana\.ini.auth\.generic_oauth.client_secret values: # alerting: # contactpoints.yaml: @@ -67,6 +76,22 @@ spec: # {{ end -}} # ` }} + assertNoLeakedSecrets: false + + grafana.ini: + server: + root_url: "https://metrics.${SECRET_EXTERNAL_DOMAIN}" + auth: + signout_redirect_url: "https://auth.${SECRET_EXTERNAL_DOMAIN}/application/o/grafana/end-session/" + oauth_auto_login: true + auth.generic_oauth: + name: authentik + enabled: true + scopes: "openid profile email" + auth_url: "https://auth.${SECRET_EXTERNAL_DOMAIN}/application/o/authorize/" + token_url: "https://auth.${SECRET_EXTERNAL_DOMAIN}/application/o/token/" + api_url: "https://auth.${SECRET_EXTERNAL_DOMAIN}/application/o/userinfo/" + role_attribute_path: contains(groups, 'Grafana Admins') && 'Admin' || contains(groups, 'Grafana Editors') && 'Editor' || 'Viewer' dashboardProviders: dashboardproviders.yaml: @@ -211,10 +236,15 @@ spec: ingress: enabled: true - ingressClassName: external + ingressClassName: traefik annotations: - external-dns.alpha.kubernetes.io/target: "metrics.${SECRET_EXTERNAL_DOMAIN}" + cert-manager.io/cluster-issuer: letsencrypt-production + external-dns.alpha.kubernetes.io/target: "${SECRET_CLOUDFLARE_TUNNEL_ID}.cfargotunnel.com" path: / pathType: Prefix hosts: - metrics.${SECRET_EXTERNAL_DOMAIN} + tls: + - hosts: + - metrics.${SECRET_EXTERNAL_DOMAIN} + secretName: grafana-tls \ No newline at end of file 
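Review bot: Setting `assertNoLeakedSecrets: false` silences the grafana chart's guard for exactly the case this hunk creates: `valuesFrom` injects `AUTH_CLIENT_SECRET` into `grafana.ini.auth.generic_oauth.client_secret`, and as far as I recall the chart renders `grafana.ini` into a ConfigMap, so the OAuth client secret ends up in plaintext in a ConfigMap (readable by anything with `get` on configmaps in `observability`) as well as in the HelmRelease's rendered values. Grafana reads the same settings from `GF_*` environment variables, so keep the secret in the Secret via `envValueFrom`, drop the two `valuesFrom` entries and the `client_id`/`client_secret` targets, and remove `assertNoLeakedSecrets: false`. The `role_attribute_path` expression also falls through to `'Viewer'` for any user outside the two groups, and with `oauth_auto_login: true` that means every authentik user allowed on the application gets read access; if that is intended, say so in a comment, otherwise add `role_attribute_strict: true`.
```yaml
  values:
    envValueFrom:
      GF_AUTH_GENERIC_OAUTH_CLIENT_ID:
        secretKeyRef:
          name: grafana-secret
          key: AUTH_CLIENT_ID
      GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET:
        secretKeyRef:
          name: grafana-secret
          key: AUTH_CLIENT_SECRET
    # … unchanged: grafana.ini server/auth/auth.generic_oauth (without client_id/client_secret), dashboards, ingress …
```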
diff --git a/kubernetes/apps/observability/grafana/app/kustomization.yaml b/kubernetes/apps/observability/grafana/app/kustomization.yaml new file mode 100644 index 00000000..16a6ce30 --- /dev/null +++ b/kubernetes/apps/observability/grafana/app/kustomization.yaml @@ -0,0 +1,7 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./secret.sops.yaml + - ./helmrelease.yaml diff --git a/kubernetes/apps/observability/grafana/app/secret.sops.yaml b/kubernetes/apps/observability/grafana/app/secret.sops.yaml new file mode 100644 index 00000000..e7f6b7c7 --- /dev/null +++ b/kubernetes/apps/observability/grafana/app/secret.sops.yaml 
@@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Secret +metadata: + name: grafana-secret + namespace: observability +stringData: + AUTH_CLIENT_ID: ENC[AES256_GCM,data:odyXdpMKdHonvAG8CIkvPIP90l31q2JXE9J8hyhE3rP+D7TrmBF4sA==,iv:SUdsqIlEc+I1z+SZDYhKQMrFcIYZ8N9zxlAm8XoeP7w=,tag:beOSH5NSladuXX1KovMxng==,type:str] + AUTH_CLIENT_SECRET: ENC[AES256_GCM,data:QhRPm4gsvSUQq3JDw1hjK0b9UqHyOoyjm3Hqo/CLWToGUFNUpQH+GOQPac05VMYbEszbZ8t93rAFc6c3Ut+tOyHuhKg7kU1jOlu+iuFEM9PLmmOt/CkuiU4Al/1a/0YSO0PNoN3JWnIjB17NKW5Abn/bxrz/MtxgLRC0rqGXLMg=,iv:hVr22mewynSdAkTFpD9Z5ujtA/VCcCSM4wq0WPBlhYw=,tag:fUQ1Lf2oAXNSQ01yf8fWrg==,type:str] +sops: + age: + - recipient: age13swsp40tstrqluer6arm5skldvg5ucw4t390a87qcdzcj0r2jscqrraxnv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDZGlVWElFQnZOYVlXckww + ZHVVNExNN2xZUkNsaklNVjlGQ3dMU0ptam1vCk5OQnFPZmhoNjd3ODJvZ202Q29Z + a2tYc1MyamFKeWpZbkF1ZmNsWkh2OE0KLS0tIGpKKzdmN1BJQ3NsM2lHMHFXSjlB + NDZxaGM1WGhuc1R2c0liNE1KV0o3eGsKEKL1KgZydxm6iz/46zUeoZq9488YRFta + mPjBjLGxQjJfIemJa4N/kZaZHuxhqpwHWcUp7Xfzp63NfNF3uaeBHA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-04-03T14:18:03Z" + mac: ENC[AES256_GCM,data:wNTCzr8jog9zJheQkhPb4v8POkWJYq9sBKzxT5agZzEa7/FMSlaLZioCTPyMhWuc5MQSOLG5P2wJHRwAMD6pqw/sdID4rGY6UVYcTncrbCi690c1mJJ3dHKH2tKj+AWL2n84dYnnSBCdxrwvKn3qRbE6oYWAwgJo4hgBL/qEXTQ=,iv:siNoS4xh5fpfCZP5zJg/wSxK9/1jrPvdNtR3MQVngmM=,tag:15yWSqm2OsPRTNJz7PcwDA==,type:str] + encrypted_regex: ^(data|stringData)$ + version: 3.12.2 diff --git a/kubernetes/main/apps/observability/grafana/ks.yaml b/kubernetes/apps/observability/grafana/ks.yaml similarity index 71% rename from kubernetes/main/apps/observability/grafana/ks.yaml rename to kubernetes/apps/observability/grafana/ks.yaml index 23f80a7e..9f7af25b 100644 --- a/kubernetes/main/apps/observability/grafana/ks.yaml +++ b/kubernetes/apps/observability/grafana/ks.yaml 
@@ -1,4 +1,5 @@ --- +# yaml-language-server: $schema=https://crd.movishell.pl/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: @@ -9,7 +10,7 @@ spec: commonMetadata: labels: app.kubernetes.io/name: *app - path: ./kubernetes/main/apps/observability/grafana/app + path: ./kubernetes/apps/observability/grafana/app prune: true sourceRef: kind: GitRepository diff --git a/kubernetes/main/apps/observability/kube-prometheus-stack/app/release.yaml b/kubernetes/apps/observability/kube-prometheus-stack/app/helmrelease.yaml similarity index 99% rename from kubernetes/main/apps/observability/kube-prometheus-stack/app/release.yaml rename to kubernetes/apps/observability/kube-prometheus-stack/app/helmrelease.yaml index 41967ab2..801818c9 100644 --- a/kubernetes/main/apps/observability/kube-prometheus-stack/app/release.yaml +++ b/kubernetes/apps/observability/kube-prometheus-stack/app/helmrelease.yaml @@ -1,3 +1,5 @@ +--- +# yaml-language-server: $schema=https://crd.movishell.pl/helm.toolkit.fluxcd.io/helmrelease_v2.json apiVersion: helm.toolkit.fluxcd.io/v2 kind: HelmRelease metadata: @@ -11,8 +13,8 @@ spec: version: "69.3.0" sourceRef: kind: HelmRepository - name: kube-prometheus-stack - namespace: observability + name: prometheus-community + namespace: flux-system interval: 12h upgrade: cleanupOnFail: true @@ -53,7 +55,7 @@ spec: additionalScrapeConfigs: - job_name: "pihole" static_configs: - - targets: ["pihole-exporter.pihole-system.svc.cluster.local:9617"] + - targets: ["pihole-exporter.network.svc.cluster.local:9617"] prometheusOperator: nodeSelector: diff --git a/kubernetes/apps/observability/kube-prometheus-stack/app/kustomization.yaml b/kubernetes/apps/observability/kube-prometheus-stack/app/kustomization.yaml new file mode 100644 index 00000000..17cbc72b --- /dev/null +++ b/kubernetes/apps/observability/kube-prometheus-stack/app/kustomization.yaml 
@@ -0,0 +1,6 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./helmrelease.yaml diff --git a/kubernetes/main/apps/observability/kube-prometheus-stack/ks.yaml b/kubernetes/apps/observability/kube-prometheus-stack/ks.yaml similarity index 70% rename from kubernetes/main/apps/observability/kube-prometheus-stack/ks.yaml rename to kubernetes/apps/observability/kube-prometheus-stack/ks.yaml index c35f9d10..9a6f92f7 100644 --- a/kubernetes/main/apps/observability/kube-prometheus-stack/ks.yaml +++ b/kubernetes/apps/observability/kube-prometheus-stack/ks.yaml @@ -1,4 +1,5 @@ --- +# yaml-language-server: $schema=https://crd.movishell.pl/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: @@ -9,7 +10,7 @@ spec: commonMetadata: labels: app.kubernetes.io/name: *app - path: ./kubernetes/main/apps/observability/kube-prometheus-stack/app + path: ./kubernetes/apps/observability/kube-prometheus-stack/app prune: true sourceRef: kind: GitRepository diff --git a/kubernetes/main/apps/observability/kustomization.yaml b/kubernetes/apps/observability/kustomization.yaml similarity index 56% rename from kubernetes/main/apps/observability/kustomization.yaml rename to kubernetes/apps/observability/kustomization.yaml index e71a8538..a1a54ae8 100644 --- a/kubernetes/main/apps/observability/kustomization.yaml +++ b/kubernetes/apps/observability/kustomization.yaml @@ -1,12 +1,9 @@ --- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - ./glance/ks.yaml - - ./grafana/ks.yaml + - ./namespace.yaml - ./kube-prometheus-stack/ks.yaml - # - ./alertmanager/ks.yaml - - ./blackbox-exporter/ks.yaml - - ./alloy/ks.yaml - - ./loki/ks.yaml - - ./crucix/ks.yaml + - ./grafana/ks.yaml + - ./glance/ks.yaml 
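Review bot: The rewritten resource list drops `./blackbox-exporter/ks.yaml`, `./alloy/ks.yaml`, `./loki/ks.yaml` and `./crucix/ks.yaml` with no comment on where they went; since the parent Flux Kustomization in `kubernetes/flux-system/apps.yaml` keeps `prune: true`, the Alloy/Loki log pipeline and the blackbox probes are likely to be garbage-collected on the first reconcile, leaving the cluster without log retention or external reachability checks until they are re-added. If that is intended, record it, e.g. `# alloy/loki/blackbox-exporter/crucix not yet migrated to the new layout — tracked in <issue-id>`; if not, keep the entries so the monitoring stack survives the move.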
diff --git a/kubernetes/apps/observability/namespace.yaml b/kubernetes/apps/observability/namespace.yaml new file mode 100644 index 00000000..85aaab89 --- /dev/null +++ b/kubernetes/apps/observability/namespace.yaml @@ -0,0 +1,10 @@ +--- +apiVersion: v1 +kind: Namespace +metadata: + name: observability + labels: + kustomize.toolkit.fluxcd.io/prune: disabled + pod-security.kubernetes.io/audit: privileged + pod-security.kubernetes.io/enforce: privileged + pod-security.kubernetes.io/warn: privileged \ No newline at end of file diff --git a/kubernetes/apps/security/authentik/app/helmrelease.yaml b/kubernetes/apps/security/authentik/app/helmrelease.yaml new file mode 100644 index 00000000..2c3ac306 --- /dev/null +++ b/kubernetes/apps/security/authentik/app/helmrelease.yaml 
@@ -0,0 +1,128 @@ +--- +# yaml-language-server: $schema=https://crd.movishell.pl/helm.toolkit.fluxcd.io/helmrelease_v2.json +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: &app authentik + namespace: security +spec: + releaseName: authentik + chart: + spec: + chart: authentik + version: "2025.12.0" + sourceRef: + kind: HelmRepository + name: goauthentik + namespace: flux-system + interval: 30m + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + + values: + global: + deploymentAnnotations: + reloader.stakater.com/auto: "true" + + # env: + # - name: AUTHENTIK_REDIS__HOST + # value: "authentik-redis.security.svc.cluster.local" + + envFrom: + - secretRef: + name: authentik + + # Authentik configuration + authentik: + # Don't create a secret - we provide credentials via global.envFrom + enabled: false + log_level: info + error_reporting: + enabled: false + + # Database config (actual values come from secret via env vars) + postgresql: + host: "postgres18-rw.database.svc.cluster.local" + port: 5432 + name: "authentik" + user: "authentik" + + # Server configuration + server: + replicas: 1 + + # Init containers + initContainers: + # Ensure database exists + - name: init-db + image: ghcr.io/home-operations/postgres-init:18.3@sha256:6fa1f331cddd2eb0b6afa7b8d3685c864127a81ab01c3d9400bc3ff5263a51cf + envFrom: + - secretRef: + name: authentik + + resources: + requests: + cpu: 100m + memory: 512Mi + limits: + memory: 1536Mi + + # Enable metrics for monitoring + metrics: + enabled: true + serviceMonitor: + enabled: false + + # Use standard Kubernetes Ingress + ingress: + enabled: true + annotations: + cert-manager.io/cluster-issuer: letsencrypt-production + external-dns.alpha.kubernetes.io/target: "${SECRET_CLOUDFLARE_TUNNEL_ID}.cfargotunnel.com" + ingressClassName: traefik + hosts: + - "auth.${SECRET_EXTERNAL_DOMAIN}" + paths: + - / + pathType: Prefix + tls: + - secretName: authentik-tls + hosts: + - 
"auth.${SECRET_EXTERNAL_DOMAIN}" + + service: + type: ClusterIP + + # Worker configuration + worker: + replicas: 1 + + resources: + requests: + cpu: 100m + memory: 512Mi + limits: + memory: 1536Mi + + metrics: + enabled: true + serviceMonitor: + enabled: false + + # Redis configuration (bundled) + redis: + enabled: false + + # Disable bundled PostgreSQL (using external postgres18) + postgresql: + enabled: false + + # Prometheus rules + prometheus: + rules: + enabled: false diff --git a/kubernetes/apps/security/authentik/app/kustomization.yaml b/kubernetes/apps/security/authentik/app/kustomization.yaml new file mode 100644 index 00000000..77256996 --- /dev/null +++ b/kubernetes/apps/security/authentik/app/kustomization.yaml @@ -0,0 +1,8 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./secret.sops.yaml +# - ./redis.yaml + - ./helmrelease.yaml diff --git a/kubernetes/apps/security/authentik/app/redis.yaml b/kubernetes/apps/security/authentik/app/redis.yaml new file mode 100644 index 00000000..b4c48d9c --- /dev/null +++ b/kubernetes/apps/security/authentik/app/redis.yaml @@ -0,0 +1,41 @@ +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: authentik-redis + namespace: security +spec: + replicas: 1 + selector: + matchLabels: + app: authentik-redis + template: + metadata: + labels: + app: authentik-redis + spec: + containers: + - name: redis + image: docker.io/library/redis:8.2-alpine + ports: + - containerPort: 6379 + name: redis + resources: + requests: + cpu: 50m + memory: 64Mi + limits: + memory: 128Mi +--- +apiVersion: v1 +kind: Service +metadata: + name: authentik-redis + namespace: security +spec: + selector: + app: authentik-redis + ports: + - port: 6379 + targetPort: 6379 + name: redis 
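Review bot: `global.envFrom` injects the whole `authentik` Secret into every server and worker container, and that Secret (`kubernetes/apps/security/authentik/app/secret.sops.yaml` in this commit) also carries `INIT_POSTGRES_SUPER_USER` and `INIT_POSTGRES_SUPER_PASS`, so the running identity provider holds PostgreSQL superuser credentials that only the `init-db` init container needs. Move the `INIT_POSTGRES_*` keys into a separate Secret referenced only from `server.initContainers[].envFrom`, and leave `global.envFrom` pointing at a Secret holding just the `AUTHENTIK_*` keys. The database host, port, name and user are also declared twice — in plaintext under `authentik.postgresql` and again as `AUTHENTIK_POSTGRESQL__*` in the Secret — and which copy wins depends on env ordering in the rendered pod, so keep one source and drop the other.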
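Review bot: `redis.yaml` ships a Redis Deployment and Service with no authentication, no `securityContext`, no NetworkPolicy and a mutable `docker.io/library/redis:8.2-alpine` tag, while the sibling `kustomization.yaml` comments it out (`# - ./redis.yaml`) and the HelmRelease sets `redis.enabled: false` with `AUTHENTIK_REDIS__HOST` commented away. As committed it is dead configuration that, if someone uncomments the one line, puts an unauthenticated cache/session store on 6379 reachable from every pod in the cluster. Either drop the file until it is needed, or give it a header comment stating the preconditions, e.g. `# Not wired in. Before enabling: pin the image by digest, add a NetworkPolicy limiting 6379 to the authentik pods, and confirm this authentik release still needs a Redis backend`; I am not certain whether 2025.12 runs without one, so that last point is worth checking against the release notes.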
diff --git a/kubernetes/apps/security/authentik/app/secret.sops.yaml b/kubernetes/apps/security/authentik/app/secret.sops.yaml new file mode 100644 index 00000000..946cce70 --- /dev/null +++ b/kubernetes/apps/security/authentik/app/secret.sops.yaml 
@@ -0,0 +1,39 @@ +apiVersion: v1 +kind: Secret +metadata: + name: authentik + namespace: security +type: Opaque +stringData: + #ENC[AES256_GCM,data:dyh+A4itWODSXNU2IKsViaPSTWEwkhwjvn2JFvU=,iv:mrn4ez1SMl2FMd3oD2hl1Gg60YGNKZ4kG3cmRLOg624=,tag:S7MOWAmIiNZq5HGckHY8dQ==,type:comment] + AUTHENTIK_SECRET_KEY: ENC[AES256_GCM,data:oS4RegSuHhuMKeJlReO2K/vf445DA+0k5eeGsQdJupEkAoXlc2xp3DEewrr0y7PYW0t/NH7h34C2ygfQTCoFUGcxiW8I31ZSjpFN8fVhv2s=,iv:2yVy+vWNmjL5pfBq0/irquoKMFmOaRXS8XG7qRMVTJ8=,tag:/lnI/WwSKX5eFgH2pjXAFw==,type:str] + AUTHENTIK_ERROR_REPORTING__ENABLED: ENC[AES256_GCM,data:Tfzv/Rc=,iv:0T5W8fZLqzZFr3dm062jxYcanaSCyyXcbVSag4Eyzm0=,tag:2amR9X97SQXU6ey9wnN9ew==,type:str] + #ENC[AES256_GCM,data:+doMcYJB7hSi5phJidNOvYmMEoRJnQ==,iv:GqR929SwpJMQRWh7Ax3ijjX66nuM6q/8VsH30Y2eIbA=,tag:efGLZQRbVyhFZ/BE2qvnoA==,type:comment] + AUTHENTIK_POSTGRESQL__HOST: ENC[AES256_GCM,data:c47FS7/e1NqwVpYLFvIh6xJwj8/vibCVLY/TQhdMWxwak4bHlOsCOw==,iv:Wxat6SHJwq9k0XQ30hld8lZvaCJbhot7PyamxzEhoSM=,tag:YIIq+irz8fsSzPYL8xcXfA==,type:str] + AUTHENTIK_POSTGRESQL__PORT: ENC[AES256_GCM,data:U/dLYQ==,iv:51fmk425B92+pbxHrgcst+0TKshQZc44K067KO4Sf8g=,tag:hPqkRYeiA8hXdlLLURcgXQ==,type:str] + AUTHENTIK_POSTGRESQL__NAME: ENC[AES256_GCM,data:D95mbI33DEnt,iv:gk3yol5khd83+WfhNVOvae+TMzex4lHr+r30JHFYaSs=,tag:1gQSFXLCp0XO7X3/aHfW/A==,type:str] + AUTHENTIK_POSTGRESQL__USER: ENC[AES256_GCM,data:f4xUcDDLnBxd,iv:MHn4R5sKIjqkHf6BVzueKGTkEKYzG/XvtNDMZPunGu4=,tag:sfaFoFa0K3rA0/4WVtXh5A==,type:str] + AUTHENTIK_POSTGRESQL__PASSWORD: ENC[AES256_GCM,data:Zg4We4jErOQt9YB3jjs5W0gApSEtag0YBIbZgscUQm0=,iv:/1pJpG9eALKy9van3mpn7ycJXslGMgW6RJoovcqN4EA=,tag:e9HtlbP5oiY80L8VGhgB2Q==,type:str] + #ENC[AES256_GCM,data:+zMW3gJxJW5YFOwxOslB0i3TzoQfwl7gv9Sif5qzpQ1n2g==,iv:9+TQ0hhF450BytUH9QbOk7CT0vKfXigEp+hey3n9HEc=,tag:8SQ77qd+BkNGhKaVLz5OGQ==,type:comment] + INIT_POSTGRES_HOST: ENC[AES256_GCM,data:t4uzs9N4oOphT0nDEShZ07AkmRWTTnRtcLjU1jU0TrI0MN8UlkBmFQ==,iv:mtLEG8fOtifryyBIQ6UwY+3Wb2ACDSpcv0fZq6oKxt8=,tag:wgJNkLx+AjWDPkj5i5Kbyg==,type:str] + 
INIT_POSTGRES_PORT: ENC[AES256_GCM,data:Isvimg==,iv:ytpzlnC0pPq1Pt/tQQk8f0I71q+gjGV1+4L7QdZJpaA=,tag:o0jw7ZkuedyqM2o89O8SSw==,type:str] + INIT_POSTGRES_DBNAME: ENC[AES256_GCM,data:CqVBGieWyDSS,iv:wptRGEUeEkE5xUSl4c94F8jcyiU2WQjaB7v9UZ8E+qE=,tag:GikwPsu0JMRGgeIJS0HwZA==,type:str] + INIT_POSTGRES_USER: ENC[AES256_GCM,data:h99OVscZTc4+,iv:EqWm0U7VBXai+tzk6/GIdktEg58YFhRXgnLOxQlW658=,tag:vtHv+um1nlIWOgLvW6KG/Q==,type:str] + INIT_POSTGRES_PASS: ENC[AES256_GCM,data:iTQr19mm8zwychykRvcgP9Z377M5wVA13Gh+Tqm7Iuw=,iv:/KN+wE9xJINjrrBxW9+tCeEBEFcYjOaTwliWbgccnlE=,tag:STPrb4MhF2mBN/lvq1QMQA==,type:str] + INIT_POSTGRES_SUPER_USER: ENC[AES256_GCM,data:GCo+Cq62ODY=,iv:tYkbqI6vj5vhx+KQ54wGtPcd2Wh6XZWKOjddznKd/nc=,tag:1GxhF2F9gBr54nVCjQHY6A==,type:str] + INIT_POSTGRES_SUPER_PASS: ENC[AES256_GCM,data:Qg1+pZPOM0OSOKOiK78=,iv:IYy6Ky9gXCmKxEv/QxBbUX7Ya/coo/qw7DDJsu9UNkA=,tag:7dgLwajov9el1eEaqJFISw==,type:str] +sops: + age: + - recipient: age13swsp40tstrqluer6arm5skldvg5ucw4t390a87qcdzcj0r2jscqrraxnv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIcitjZUhuT0s5ek53RWxo + M3U0aFlHN1Z6ZU90bUhHN2hmN0xOWWFCWmxBCm12SmxSR2pZbVdJY2VISjBDRm5y + T2tjWHhkSks5VnhIRFl0NGY0VkZ0blUKLS0tICs2VEoyWE1kbUk5MzZ3RnErRG5D + bEdYV2dwZUcyZnJuN1lpMDVVVVk4dTQK/eRkn4jd7CQPO4hGe8QjVlfxF/yTvx/h + BLilN3oAkFyU1DiQCV6kaqecN2DIoTCwAjyCQgCOX7RzBWdczvKdSQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-03-28T20:42:23Z" + mac: ENC[AES256_GCM,data:mGCdtoPFz5S+wrBS4fflboP9BdLssJEh35v4wb02E0aHSQZh7w0zKwA3WPDgSK/GVyUBYuNfsvh/giPCT5kMUejIin+1D2YdICj4cmpxNXcCzJz8i5EjcmqOrn1lfjdpVKQNJLwv9bvwCIcstLySux1h+5Wn8iAq4WVLFR7Fy4g=,iv:A4rJST84DQT5nYcnl2qMTlOBSaP7Dk4jRyYM/syucrQ=,tag:dACNiqGqO6CUpnXujCqMFQ==,type:str] + encrypted_regex: ^(data|stringData)$ + version: 3.12.2 diff --git a/kubernetes/apps/security/authentik/ks.yaml b/kubernetes/apps/security/authentik/ks.yaml new file mode 100644 index 00000000..5890c46c --- /dev/null +++ b/kubernetes/apps/security/authentik/ks.yaml 
@@ -0,0 +1,22 @@ +--- +# yaml-language-server: $schema=https://crd.movishell.pl/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app authentik + namespace: flux-system +spec: + commonMetadata: + labels: + app.kubernetes.io/name: *app + interval: 30m + retryInterval: 1m + timeout: 15m + path: ./kubernetes/apps/security/authentik/app + prune: true + sourceRef: + kind: GitRepository + name: flux-system + namespace: flux-system + targetNamespace: security + wait: false diff --git a/kubernetes/main/apps/blog/app/kustomization.yaml b/kubernetes/apps/security/kustomization.yaml similarity index 50% rename from kubernetes/main/apps/blog/app/kustomization.yaml rename to kubernetes/apps/security/kustomization.yaml index ffa602dc..2b19a1eb 100644 --- a/kubernetes/main/apps/blog/app/kustomization.yaml +++ b/kubernetes/apps/security/kustomization.yaml @@ -1,8 +1,7 @@ --- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ./namespace.yaml - - ./deployment.yaml - - ./service.yaml - - ./ingress.yaml + - ./authentik/ks.yaml \ No newline at end of file diff --git a/kubernetes/main/apps/bentopdf/app/namespace.yaml b/kubernetes/apps/security/namespace.yaml similarity index 74% rename from kubernetes/main/apps/bentopdf/app/namespace.yaml rename to kubernetes/apps/security/namespace.yaml index 483ccb92..d7f327d1 100644 --- a/kubernetes/main/apps/bentopdf/app/namespace.yaml +++ b/kubernetes/apps/security/namespace.yaml @@ -1,9 +1,10 @@ +--- apiVersion: v1 kind: Namespace metadata: - name: bentopdf + name: security labels: + kustomize.toolkit.fluxcd.io/prune: disabled pod-security.kubernetes.io/audit: privileged pod-security.kubernetes.io/enforce: privileged pod-security.kubernetes.io/warn: privileged - goldilocks.fairwinds.com/enabled: "true" 
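Review bot: `pod-security.kubernetes.io/enforce: privileged` turns Pod Security admission off for the `security` namespace, which now hosts the identity provider; nothing in the Authentik HelmRelease in this commit asks for host namespaces, host paths or added capabilities, so `baseline` (and probably `restricted`) should be enforceable here. The same three labels are copied to `kubernetes/apps/selfhosted/namespace.yaml` in this commit, where linkwarden and uptime-kuma run as ordinary Deployments/StatefulSets; the `observability` namespace is the one that plausibly needs `privileged`, for node-exporter. Suggest `pod-security.kubernetes.io/enforce: baseline` with `pod-security.kubernetes.io/audit: restricted` and `pod-security.kubernetes.io/warn: restricted` on `security` and `selfhosted`, so violations become visible before tightening further.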
diff --git a/kubernetes/apps/selfhosted/kustomization.yaml b/kubernetes/apps/selfhosted/kustomization.yaml new file mode 100644 index 00000000..08f48cb6 --- /dev/null +++ b/kubernetes/apps/selfhosted/kustomization.yaml @@ -0,0 +1,8 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./namespace.yaml + - ./linkwarden/ks.yaml + - ./uptime-kuma/ks.yaml diff --git a/kubernetes/main/apps/linkwarden/app/deployment.yaml b/kubernetes/apps/selfhosted/linkwarden/app/deployment.yaml similarity index 50% rename from kubernetes/main/apps/linkwarden/app/deployment.yaml rename to kubernetes/apps/selfhosted/linkwarden/app/deployment.yaml index c94062d3..cb0a5e87 100644 --- a/kubernetes/main/apps/linkwarden/app/deployment.yaml +++ b/kubernetes/apps/selfhosted/linkwarden/app/deployment.yaml 
@@ -1,34 +1,55 @@ +--- apiVersion: apps/v1 kind: Deployment metadata: + name: linkwarden + namespace: selfhosted labels: app: linkwarden - name: linkwarden-deployment - namespace: linkwarden spec: replicas: 1 + strategy: + type: Recreate selector: matchLabels: app: linkwarden - strategy: - type: Recreate template: metadata: labels: app: linkwarden spec: + initContainers: + # Ensure database exists before app starts + - name: init-db + image: ghcr.io/home-operations/postgres-init:18.3@sha256:6fa1f331cddd2eb0b6afa7b8d3685c864127a81ab01c3d9400bc3ff5263a51cf + envFrom: + - secretRef: + name: linkwarden-secret + + # Fix data directory permissions + - name: init-permissions + image: busybox:latest + command: ['sh', '-c', 'chown -R 1000:1000 /data/data'] + volumeMounts: + - name: data + mountPath: /data/data + containers: - name: linkwarden - image: ghcr.io/linkwarden/linkwarden:v2.13.5 + image: ghcr.io/linkwarden/linkwarden:v2.14.0 + imagePullPolicy: IfNotPresent ports: - containerPort: 3000 name: http - imagePullPolicy: IfNotPresent env: + # Database connection - name: DATABASE_URL - value: "${DATABASE_URL}" - - name: NEXT_PUBLIC_AUTHENTIK_ENABLED - value: "true" + valueFrom: + secretKeyRef: + name: linkwarden-secret + key: DATABASE_URL + + # NextAuth configuration - name: NEXTAUTH_URL valueFrom: secretKeyRef: @@ -39,6 +60,10 @@ spec: secretKeyRef: name: linkwarden-secret key: NEXTAUTH_SECRET + + # Authentik SSO configuration + - name: NEXT_PUBLIC_AUTHENTIK_ENABLED + value: "true" - name: AUTHENTIK_ISSUER valueFrom: secretKeyRef: 
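Review bot: The new `init-permissions` init container runs `chown -R 1000:1000 /data/data` as root from an unpinned `busybox:latest`, while the neighbouring `init-db` image is pinned by digest; a mutable tag in a root-running init step is the weakest link in this pod. The chown can be replaced by a pod-level `securityContext: {runAsUser: 1000, runAsGroup: 1000, fsGroup: 1000}` (the 1000:1000 in the command suggests that is the UID the image expects — confirm against the linkwarden image), which lets the kubelet set volume ownership with no extra container; if the init container stays, pin it as `busybox:<tag>@sha256:<digest>`. Separately, `init-db` uses `envFrom` on the entire `linkwarden-secret`, so the postgres-init container receives `NEXTAUTH_SECRET`, `AUTHENTIK_CLIENT_SECRET` and the S3 keys it has no use for; moving the `INIT_POSTGRES_*` keys into their own Secret keeps those out of it. The pod spec continues in the following hunks, and I see no `securityContext` in the visible parts.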
@@ -54,24 +79,55 @@ spec: secretKeyRef: name: linkwarden-secret key: AUTHENTIK_CLIENT_SECRET + + # S3 storage for screenshots/PDFs (optional) + - name: SPACES_KEY + valueFrom: + secretKeyRef: + name: linkwarden-secret + key: ACCESS_KEY_ID + optional: true + - name: SPACES_SECRET + valueFrom: + secretKeyRef: + name: linkwarden-secret + key: SECRET_ACCESS_KEY + optional: true + + # Storage folder + - name: STORAGE_FOLDER + value: /data/data + volumeMounts: - - mountPath: /pfs - name: data + - name: data + mountPath: /data/data + resources: requests: cpu: 250m memory: 256Mi limits: memory: 4Gi + livenessProbe: httpGet: path: / port: http + initialDelaySeconds: 30 + periodSeconds: 10 + timeoutSeconds: 5 + failureThreshold: 6 + readinessProbe: httpGet: path: / port: http + initialDelaySeconds: 10 + periodSeconds: 5 + timeoutSeconds: 3 + failureThreshold: 3 + volumes: - name: data persistentVolumeClaim: - claimName: linkwarden + claimName: linkwarden-data diff --git a/kubernetes/apps/selfhosted/linkwarden/app/ingress.yaml b/kubernetes/apps/selfhosted/linkwarden/app/ingress.yaml new file mode 100644 index 00000000..0da707ad --- /dev/null +++ b/kubernetes/apps/selfhosted/linkwarden/app/ingress.yaml @@ -0,0 +1,26 @@ +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: linkwarden + namespace: selfhosted + annotations: + cert-manager.io/cluster-issuer: letsencrypt-production + external-dns.alpha.kubernetes.io/target: "${SECRET_CLOUDFLARE_TUNNEL_ID}.cfargotunnel.com" +spec: + ingressClassName: traefik + tls: + - hosts: + - bookmarks.${SECRET_EXTERNAL_DOMAIN} + secretName: linkwarden-tls + rules: + - host: bookmarks.${SECRET_EXTERNAL_DOMAIN} + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: linkwarden + port: + number: 3000 
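Review bot: `claimName` changes from `linkwarden` to `linkwarden-data` and the Deployment moves from namespace `linkwarden` to `selfhosted`, so the pod will come up on a fresh, empty PVC (`kubernetes/apps/selfhosted/linkwarden/app/pvc.yaml`) while the old claim is left behind in the `linkwarden` namespace — and because the Flux Kustomization keeps its name with `prune: true`, the old namespace and PVC are likely to be pruned on reconcile, so any bookmarks not restored from backup are gone. `uptime-storage-pvc` in this commit has the same namespace move. If the existing data matters, snapshot or migrate it before merging and say so in the commit; a comment such as `# fresh volume — data migrated from linkwarden/linkwarden PVC on <date>` makes the intent explicit.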
diff --git a/kubernetes/main/apps/garmin/garmin-fetch-data/kustomization.yaml b/kubernetes/apps/selfhosted/linkwarden/app/kustomization.yaml similarity index 62% rename from kubernetes/main/apps/garmin/garmin-fetch-data/kustomization.yaml rename to kubernetes/apps/selfhosted/linkwarden/app/kustomization.yaml index c41e6ccf..68d19710 100644 --- a/kubernetes/main/apps/garmin/garmin-fetch-data/kustomization.yaml +++ b/kubernetes/apps/selfhosted/linkwarden/app/kustomization.yaml @@ -1,9 +1,10 @@ --- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - ./namespace.yaml - ./secret.sops.yaml - ./pvc.yaml - ./deployment.yaml - ./service.yaml + - ./ingress.yaml diff --git a/kubernetes/main/apps/observability/crucix/app/pvc.yaml b/kubernetes/apps/selfhosted/linkwarden/app/pvc.yaml similarity index 78% rename from kubernetes/main/apps/observability/crucix/app/pvc.yaml rename to kubernetes/apps/selfhosted/linkwarden/app/pvc.yaml index 48d1e100..63e13eac 100644 --- a/kubernetes/main/apps/observability/crucix/app/pvc.yaml +++ b/kubernetes/apps/selfhosted/linkwarden/app/pvc.yaml @@ -2,12 +2,12 @@ apiVersion: v1 kind: PersistentVolumeClaim metadata: - name: crucix-runs - namespace: observability + name: linkwarden-data + namespace: selfhosted spec: accessModes: - ReadWriteOnce + storageClassName: longhorn resources: requests: storage: 5Gi - storageClassName: longhorn diff --git a/kubernetes/apps/selfhosted/linkwarden/app/secret.sops.yaml b/kubernetes/apps/selfhosted/linkwarden/app/secret.sops.yaml new file mode 100644 index 00000000..06f1cec3 --- /dev/null +++ b/kubernetes/apps/selfhosted/linkwarden/app/secret.sops.yaml 
@@ -0,0 +1,42 @@ +apiVersion: v1 +kind: Secret +metadata: + name: linkwarden-secret + namespace: selfhosted +stringData: + POSTGRES_USERNAME: ENC[AES256_GCM,data:ZCCQmryeHj0lzA==,iv:oXU0BuEKI6ABV5unMWqaV9Rga6eYhjJC+yix98du844=,tag:i/JPR2yGg25+AC96RJep6g==,type:str] + POSTGRES_PASSWORD: ENC[AES256_GCM,data:0gNsa1050CB+bA==,iv:inKV6P8maOPSjdWpZOta930mBn1AcgpR5MaAG8xQ33I=,tag:mJqLpaWV5/HFgYQLYy4Ynw==,type:str] + POSTGRES_HOST: ENC[AES256_GCM,data:ayOUoi12jcmU+6KPjxKC6epXIkcjvgbcls/O5L0+Mh3OW3PRP8p7zg==,iv:EdgbU0ZEOUjIKVgjwjtZc9ShPdGCW/ZhWrPFUI5VimU=,tag:hEo9HN9LlQgjGi1S7ru0zQ==,type:str] + POSTGRES_PORT: ENC[AES256_GCM,data:AHrkwpb3c9U=,iv:AjT8vTIzsDTPAwYZqyUjU2Ge2U8mlaMeLCPQQSUlzQs=,tag:DXGfA37M8P4vpkF0mBMpMg==,type:str] + POSTGRES_DATABASE: ENC[AES256_GCM,data:w4v9dJpw4ow00A==,iv:zLVBXUCPw/1eArdo5tFEXqDRs4NVqpRSYOAwPx0fNDM=,tag:37Q94xEDu7DTQG71g/Y2Ig==,type:str] + DATABASE_URL: ENC[AES256_GCM,data:XuVVACh9IBctfinWVJQIvUB7Vd7d/6MqHR99juXJ3nfz8PMcDUc7gBzD5BhBNTk55ICXWNGXlG/QQ9P0na0eVLXEf5rxgoRhcX9mvXKW5pwEz6fsKcD1LdDvbQ==,iv:jAqtX+5agqbSay4mC7xxBpqLbd7JZ1o+vC1SI5ReU5U=,tag:HtvcRqDTWfYBY4JTnzBVqg==,type:str] + NEXTAUTH_SECRET: ENC[AES256_GCM,data:tg0wq+M1BefA2Dm0pd5E,iv:bwCrHwhfVPcY1ruf/yDqm+w7fwzK3zZ4POUh4+o5Kmc=,tag:3GU/Nttw3jFtGvLNEKWtrw==,type:str] + ACCESS_KEY_ID: ENC[AES256_GCM,data:Y7kL8Iy0AV2zzLfBS+CN0BzDCoQ=,iv:wxH6OrHUuq3xn6Jq8sfVRM4uQRh0YMah+EiyT/vSBDs=,tag:6IEFhDHqXzAzz6dHUBdtuA==,type:str] + SECRET_ACCESS_KEY: ENC[AES256_GCM,data:ncQiB3S+L/Ny+0ategFNLasyo5BZkHTwj6E2arSgX7RkUqjFpCpFGw==,iv:nxARPDnAmMzkJ3AFiWdIlDlAK8UXK3z4EYbFEte6C48=,tag:nul9yHRYsW0UGrUPH46anQ==,type:str] + NEXT_PUBLIC_AUTHENTIK_ENABLED: ENC[AES256_GCM,data:qS2UTA==,iv:t1ltfjEEPVWilI7RvOxSkbctVdwybs14qTZD0hwUwzM=,tag:4r8jdAqvdfagczlA6F3wFA==,type:str] + NEXTAUTH_URL: ENC[AES256_GCM,data:sSmzQIQ2AK/dKB4TjUXkJuYjZNZhJJU9Ik65tf4xHQXNbla8fzEFLPu0037KiQ==,iv:tXVn6gMjzi0jpKzEK9oj5lBeiyXT1E45VepqHBMbPrw=,tag:yFvgxYt7WdUNceiVYsdIuA==,type:str] + AUTHENTIK_ISSUER: 
ENC[AES256_GCM,data:qfiGTgm7XJtjfZL+cQfyGgkJVAf94B0ROizpuXr3lU0gAkF7Ykv+wlys8nHyms26zSeTCQ2b,iv:0EuzVgvP7bwyJfYOnJIIDeNviEy+5u900xydlrpRBm0=,tag:lLcvuqAn5WkPtwhdSy2riw==,type:str] + AUTHENTIK_CLIENT_ID: ENC[AES256_GCM,data:VXfUahvwuTx/QvggGIeASXTY3etF83CqgTj5e+92Wb750F2tad64Aw==,iv:PoRc4pfA76Z/IeuWQfiCwT7fto5t+8gwqffAX+gtdL4=,tag:S8M9U5b3knrxOxQDMgem1g==,type:str] + AUTHENTIK_CLIENT_SECRET: ENC[AES256_GCM,data:TjFHj9KZyy9FTntzVE3kmPhzrjc8ll1rEcd2AFab5oeWbbA7A2UH63c4nrXa6wvn4mmJFBQdbU5P49RmNoX5U/VIDoexFrX1cXJDHan82RRyMdRA3tuLXgQMA0JwaCz4m2moxp54jF4b7Cc9O4UOhjtR5N+ptuts1W61ZB161y0=,iv:8sP+RT/32rn7l4gY5/Jz4IqdKKZh65Rr5Dxw2OUphbE=,tag:0F02W3SIF10lmBALmSQk+Q==,type:str] + INIT_POSTGRES_HOST: ENC[AES256_GCM,data:dZqk8kkUMpzI7O+ZAsBJ3hkqh+ju9siFnCvdrRsom88DThAoXr9S2A==,iv:ERcAN5Fz4umjE37smFENrwr1hEsNUSQ9JsKevSxlXsQ=,tag:05l0HEcpfrCRop3TurxSbg==,type:str] + INIT_POSTGRES_PORT: ENC[AES256_GCM,data:EdWFQg==,iv:D6YmV0MxI/KcLAwRT3yPdzpTjKdTTgpNzoAihDAn6uc=,tag:Ct9uKTwt5KwrHOC83z+kKw==,type:str] + INIT_POSTGRES_DBNAME: ENC[AES256_GCM,data:DABnObLGFgHAEg==,iv:9A3KO9XOC/VDpgyLfTZGmN8zM87mzCmQGRoJUQp6MOI=,tag:uM97TFJ5NjLYEdDIGQPZqQ==,type:str] + INIT_POSTGRES_USER: ENC[AES256_GCM,data:5N8/J1n6Ba9Vdw==,iv:aiSDp1g/fik+OqG1YyCTOU1AL6vi0SatYnjQ1mRYaw4=,tag:rqYSDWJMHs9kas3aMyD7Rg==,type:str] + INIT_POSTGRES_PASS: ENC[AES256_GCM,data:GHH/te6byeogBA==,iv:uuvttfms5Xv7T8QgW/a5zco0iU/yK4BNeCZ7z2nWb58=,tag:mhSNY93mY0H+Y9xItc6fDQ==,type:str] + INIT_POSTGRES_SUPER_USER: ENC[AES256_GCM,data:UUojx4FeMSU=,iv:dNiCNOf1LqFRpBx75p/DzoHCH4oU0hjqVpgBM390ymg=,tag:ylbA3ERKKox8sOzepsavaA==,type:str] + INIT_POSTGRES_SUPER_PASS: ENC[AES256_GCM,data:guyk8BwGsZ63ouQSGDM=,iv:bC3dXZPm1JHXsVTclQjl/R/0WSoVDO3fCz/3yL2AR6g=,tag:WxfzgbYREAOua+vU/mjl+g==,type:str] +sops: + age: + - recipient: age13swsp40tstrqluer6arm5skldvg5ucw4t390a87qcdzcj0r2jscqrraxnv + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBdVhqT2xEYU5razdWbmha + 
UWVGQit5SHliTjdibkJPYkIwSTNBNUt6bkZZCk4xK2pLcUFNRVltUkQxOHc5MHRx + cGJqanVQNXFDZTNHUzlOeFNrRWY5UG8KLS0tIFVzdGk4Tlh3M2pvMFZkUUVldFo3 + Ujl4VFM5VHNMRGlnamVRRjV5bTVEVXMKNwmaVoz7Jm9X4Irmtl9Rx1yXYfS+kUGT + U/hFAimAUXS2if/DASgTqP6B8W6+LnpcRchSX4rVA5HwBdvd9nfc8Q== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2026-04-03T12:07:11Z" + mac: ENC[AES256_GCM,data:nWOHM3n+cLhVaOkGrOmasEGv+1Y+q5oRK/sFU5BismO3jZ6nkgPgSlJPX2AMyJgWeFgRdM6aSL+qJWVZRPympWkQ09qWFDhMoFx5kHYxtnFgEWZzLXjvj2KgaiGDE8R7LqGxK3tr1yJ/Z2iJUx3jkrGx0cH4P76bgI7kELl2TUI=,iv:EGlLLGR89BFq4flxe1fW+Jqfc/Aa8t72/LSMk8kOohU=,tag:d868lGfLpYKSZ5DdGWbawg==,type:str] + encrypted_regex: ^(data|stringData)$ + version: 3.12.2 diff --git a/kubernetes/main/apps/linkwarden/app/service.yaml b/kubernetes/apps/selfhosted/linkwarden/app/service.yaml similarity index 59% rename from kubernetes/main/apps/linkwarden/app/service.yaml rename to kubernetes/apps/selfhosted/linkwarden/app/service.yaml index d51a2766..d82b0788 100644 --- a/kubernetes/main/apps/linkwarden/app/service.yaml +++ b/kubernetes/apps/selfhosted/linkwarden/app/service.yaml @@ -1,16 +1,17 @@ +--- apiVersion: v1 kind: Service metadata: + name: linkwarden + namespace: selfhosted labels: app: linkwarden - name: linkwarden - namespace: linkwarden spec: + type: ClusterIP ports: - - name: http - port: 80 - protocol: TCP - targetPort: http + - port: 3000 + targetPort: http + protocol: TCP + name: http selector: app: linkwarden - type: ClusterIP diff --git a/kubernetes/main/apps/linkwarden/ks.yaml b/kubernetes/apps/selfhosted/linkwarden/ks.yaml similarity index 62% rename from kubernetes/main/apps/linkwarden/ks.yaml rename to kubernetes/apps/selfhosted/linkwarden/ks.yaml index 0dc9ccbf..610eb130 100644 --- a/kubernetes/main/apps/linkwarden/ks.yaml +++ b/kubernetes/apps/selfhosted/linkwarden/ks.yaml 
@@ -1,21 +1,22 @@ --- +# yaml-language-server: $schema=https://crd.movishell.pl/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: &app linkwarden namespace: flux-system spec: - targetNamespace: linkwarden commonMetadata: labels: app.kubernetes.io/name: *app - path: ./kubernetes/main/apps/linkwarden/app + interval: 30m + retryInterval: 1m + timeout: 15m + path: ./kubernetes/apps/selfhosted/linkwarden/app prune: true sourceRef: kind: GitRepository name: flux-system namespace: flux-system + targetNamespace: selfhosted wait: false - interval: 30m - retryInterval: 1m - timeout: 5m diff --git a/kubernetes/main/apps/audiobookshelf/app/namespace.yaml b/kubernetes/apps/selfhosted/namespace.yaml similarity index 73% rename from kubernetes/main/apps/audiobookshelf/app/namespace.yaml rename to kubernetes/apps/selfhosted/namespace.yaml index c1c97a18..6c5a9834 100644 --- a/kubernetes/main/apps/audiobookshelf/app/namespace.yaml +++ b/kubernetes/apps/selfhosted/namespace.yaml @@ -1,9 +1,10 @@ +--- apiVersion: v1 kind: Namespace metadata: - name: audiobookshelf + name: selfhosted labels: + kustomize.toolkit.fluxcd.io/prune: disabled pod-security.kubernetes.io/audit: privileged pod-security.kubernetes.io/enforce: privileged pod-security.kubernetes.io/warn: privileged - goldilocks.fairwinds.com/enabled: "true" diff --git a/kubernetes/apps/selfhosted/uptime-kuma/app/ingress.yaml b/kubernetes/apps/selfhosted/uptime-kuma/app/ingress.yaml new file mode 100644 index 00000000..e129c190 --- /dev/null +++ b/kubernetes/apps/selfhosted/uptime-kuma/app/ingress.yaml 
@@ -0,0 +1,26 @@ +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: &app uptime-kuma-ingress + namespace: selfhosted + annotations: + external-dns.alpha.kubernetes.io/target: "${SECRET_CLOUDFLARE_TUNNEL_ID}.cfargotunnel.com" + cert-manager.io/cluster-issuer: letsencrypt-production + traefik.ingress.kubernetes.io/router.middlewares: selfhosted-authentik-forwardauth@kubernetescrd +spec: + ingressClassName: traefik + rules: + - host: status.${SECRET_EXTERNAL_DOMAIN} + http: + paths: + - backend: + service: + name: uptime-kuma + port: + number: 3001 + path: / + pathType: Prefix + tls: + - hosts: + - status.${SECRET_EXTERNAL_DOMAIN} + secretName: uptime-kuma-tls diff --git a/kubernetes/main/apps/uptime-kuma/app/kustomization.yaml b/kubernetes/apps/selfhosted/uptime-kuma/app/kustomization.yaml similarity index 56% rename from kubernetes/main/apps/uptime-kuma/app/kustomization.yaml rename to kubernetes/apps/selfhosted/uptime-kuma/app/kustomization.yaml index 5b4d9345..a67c5dd6 100644 --- a/kubernetes/main/apps/uptime-kuma/app/kustomization.yaml +++ b/kubernetes/apps/selfhosted/uptime-kuma/app/kustomization.yaml @@ -1,10 +1,11 @@ --- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - ./namespace.yaml - - ./serviceAccount.yaml - ./storage.yaml + - ./serviceaccount.yaml - ./statefulSet.yaml - ./service.yaml + - ./middleware.yaml - ./ingress.yaml diff --git a/kubernetes/apps/selfhosted/uptime-kuma/app/middleware.yaml b/kubernetes/apps/selfhosted/uptime-kuma/app/middleware.yaml new file mode 100644 index 00000000..7bad49ad --- /dev/null +++ b/kubernetes/apps/selfhosted/uptime-kuma/app/middleware.yaml 
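Review bot: `name: &app uptime-kuma-ingress` defines an anchor that is never referenced in this file, and unlike the other new manifests in this commit the file has no leading `---` or `# yaml-language-server: $schema=` header. Drop the anchor (`name: uptime-kuma-ingress`) and add the document start so the file matches the conventions the rest of the commit introduces.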
@@ -0,0 +1,23 @@ +--- +apiVersion: traefik.io/v1alpha1 +kind: Middleware +metadata: + name: authentik-forwardauth + namespace: selfhosted +spec: + forwardAuth: + address: http://ak-outpost-domain-forward-auth-provider.security.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik + trustForwardHeader: true + authResponseHeaders: + - X-authentik-username + - X-authentik-groups + - X-authentik-entitlements + - X-authentik-email + - X-authentik-name + - X-authentik-uid + - X-authentik-jwt + - X-authentik-meta-jwks + - X-authentik-meta-outpost + - X-authentik-meta-provider + - X-authentik-meta-app + - X-authentik-meta-version diff --git a/kubernetes/main/apps/uptime-kuma/app/service.yaml b/kubernetes/apps/selfhosted/uptime-kuma/app/service.yaml similarity index 69% rename from kubernetes/main/apps/uptime-kuma/app/service.yaml rename to kubernetes/apps/selfhosted/uptime-kuma/app/service.yaml index 09b36b58..0c9fe9b8 100644 --- a/kubernetes/main/apps/uptime-kuma/app/service.yaml +++ b/kubernetes/apps/selfhosted/uptime-kuma/app/service.yaml @@ -1,19 +1,19 @@ --- -# Source: uptime-kuma/templates/service.yaml apiVersion: v1 kind: Service metadata: - name: &app uptime-kuma - namespace: uptime-kuma + name: uptime-kuma + namespace: selfhosted labels: app.kubernetes.io/name: uptime-kuma app.kubernetes.io/instance: uptime-kuma spec: type: ClusterIP ports: - - name: web - port: 3001 + - port: 3001 targetPort: web + protocol: TCP + name: web selector: app.kubernetes.io/name: uptime-kuma app.kubernetes.io/instance: uptime-kuma diff --git a/kubernetes/main/apps/uptime-kuma/app/serviceAccount.yaml b/kubernetes/apps/selfhosted/uptime-kuma/app/serviceaccount.yaml similarity index 64% rename from kubernetes/main/apps/uptime-kuma/app/serviceAccount.yaml rename to kubernetes/apps/selfhosted/uptime-kuma/app/serviceaccount.yaml index 8305a0e2..87df38a5 100644 --- a/kubernetes/main/apps/uptime-kuma/app/serviceAccount.yaml 
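Review bot: `trustForwardHeader: true` makes Traefik pass the client-supplied `X-Forwarded-*` headers to the outpost unchanged, and the outpost uses them to build its redirect URLs; that is only safe if Traefik's entrypoint restricts `forwardedHeaders.trustedIPs` to the Cloudflare tunnel, which nothing in this diff shows. A comment stating that dependency, e.g. `# requires trusted forwardedHeaders on the traefik entrypoint; do not enable on an entrypoint that accepts direct client traffic`, would keep a later entrypoint change from silently weakening this. `authResponseHeaders` also forwards `X-authentik-jwt` and the `X-authentik-meta-*` values to uptime-kuma, which as far as I know consumes none of them; trimming the list to the headers the backend actually reads avoids handing the user's token to a service that does not need it. The `address` also hard-codes an outpost name (`ak-outpost-domain-forward-auth-provider`) that is created in the Authentik UI rather than in this repo, which deserves a comment so a renamed provider does not turn into an unexplained 5xx.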
+++ b/kubernetes/apps/selfhosted/uptime-kuma/app/serviceaccount.yaml @@ -3,7 +3,7 @@ apiVersion: v1 kind: ServiceAccount metadata: name: &app uptime-kuma - namespace: uptime-kuma + namespace: selfhosted labels: app.kubernetes.io/name: uptime-kuma - app.kubernetes.io/instance: uptime-kuma + app.kubernetes.io/instance: uptime-kuma \ No newline at end of file diff --git a/kubernetes/main/apps/uptime-kuma/app/statefulSet.yaml b/kubernetes/apps/selfhosted/uptime-kuma/app/statefulSet.yaml similarity index 98% rename from kubernetes/main/apps/uptime-kuma/app/statefulSet.yaml rename to kubernetes/apps/selfhosted/uptime-kuma/app/statefulSet.yaml index 8e64ba0c..8d76146b 100644 --- a/kubernetes/main/apps/uptime-kuma/app/statefulSet.yaml +++ b/kubernetes/apps/selfhosted/uptime-kuma/app/statefulSet.yaml @@ -3,7 +3,7 @@ apiVersion: apps/v1 kind: StatefulSet metadata: name: &app uptime-kuma - namespace: uptime-kuma + namespace: selfhosted labels: app.kubernetes.io/name: uptime-kuma app.kubernetes.io/instance: uptime-kuma diff --git a/kubernetes/main/apps/uptime-kuma/app/storage.yaml b/kubernetes/apps/selfhosted/uptime-kuma/app/storage.yaml similarity index 87% rename from kubernetes/main/apps/uptime-kuma/app/storage.yaml rename to kubernetes/apps/selfhosted/uptime-kuma/app/storage.yaml index 6a873fe0..43873b86 100644 --- a/kubernetes/main/apps/uptime-kuma/app/storage.yaml +++ b/kubernetes/apps/selfhosted/uptime-kuma/app/storage.yaml @@ -3,10 +3,11 @@ apiVersion: v1 kind: PersistentVolumeClaim metadata: name: uptime-storage-pvc - namespace: uptime-kuma + namespace: selfhosted spec: accessModes: - ReadWriteOnce resources: requests: - storage: 1Gi \ No newline at end of file + storage: 1Gi + storageClassName: longhorn diff --git a/kubernetes/apps/selfhosted/uptime-kuma/ks.yaml b/kubernetes/apps/selfhosted/uptime-kuma/ks.yaml new file mode 100644 index 00000000..30fb110c --- /dev/null +++ b/kubernetes/apps/selfhosted/uptime-kuma/ks.yaml 
@@ -0,0 +1,22 @@ +--- +# yaml-language-server: $schema=https://crd.movishell.pl/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app uptime-kuma + namespace: flux-system +spec: + commonMetadata: + labels: + app.kubernetes.io/name: *app + interval: 30m + retryInterval: 1m + timeout: 15m + path: ./kubernetes/apps/selfhosted/uptime-kuma/app + prune: true + sourceRef: + kind: GitRepository + name: flux-system + namespace: flux-system + targetNamespace: selfhosted + wait: false diff --git a/kubernetes/main/flux-system/apps.yaml b/kubernetes/flux-system/apps.yaml similarity index 92% rename from kubernetes/main/flux-system/apps.yaml rename to kubernetes/flux-system/apps.yaml index c4374995..b63ca439 100644 --- a/kubernetes/main/flux-system/apps.yaml +++ b/kubernetes/flux-system/apps.yaml @@ -6,11 +6,11 @@ metadata: spec: interval: 10m0s retryInterval: 1m - timeout: 5m + timeout: 15m sourceRef: kind: GitRepository name: flux-system - path: ./kubernetes/main/apps + path: ./kubernetes/apps prune: true decryption: provider: sops @@ -20,6 +20,7 @@ spec: substituteFrom: - kind: Secret name: cluster-secrets + optional: true # temp fix patches: - patch: |- apiVersion: kustomize.toolkit.fluxcd.io/v1 diff --git a/kubernetes/main/flux-system/flux-instance.yaml b/kubernetes/flux-system/flux-instance.yaml similarity index 85% rename from kubernetes/main/flux-system/flux-instance.yaml rename to kubernetes/flux-system/flux-instance.yaml index d63ded2a..68813924 100644 --- a/kubernetes/main/flux-system/flux-instance.yaml +++ b/kubernetes/flux-system/flux-instance.yaml 
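Review bot: Setting `optional: true` on the `cluster-secrets` source means a missing or undecryptable Secret no longer blocks the `apps` Kustomization, so every manifest under `./kubernetes/apps` that still references `${SECRET_...}` variables is reconciled with those variables undefined; whether that fails loudly or lets literal placeholders reach hostnames and annotations depends on the substitution strict-mode behaviour, which is not visible here. `# temp fix` records neither an owner nor a condition for reverting, which is how relaxed checks become permanent; I would write `# TODO(<owner>): revert to required once cluster-secrets exists on cluster-v2` instead. The `decryption` and `patches` stanzas of this Kustomization continue outside the hunk.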
@@ -22,10 +22,9 @@ spec: domain: "cluster.local" sync: kind: GitRepository - url: "https://github.com/dnikoloski/infrastructure-as-code.git" - ref: "refs/heads/main" - path: "kubernetes/main/flux-system" - pullSecret: "flux-system" + url: "https://github.com/cloudwithdan/infrastructure-as-code.git" + ref: "refs/heads/cluster-v2" + path: "kubernetes/flux-system" interval: 1m kustomize: patches: diff --git a/kubernetes/main/flux-system/flux-operator/app/kustomization.yaml b/kubernetes/flux-system/flux-operator/app/kustomization.yaml similarity index 57% rename from kubernetes/main/flux-system/flux-operator/app/kustomization.yaml rename to kubernetes/flux-system/flux-operator/app/kustomization.yaml index 965defa1..c3ed2ce5 100644 --- a/kubernetes/main/flux-system/flux-operator/app/kustomization.yaml +++ b/kubernetes/flux-system/flux-operator/app/kustomization.yaml @@ -1,4 +1,5 @@ --- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: diff --git a/kubernetes/main/flux-system/flux-operator/app/resourceset.yaml b/kubernetes/flux-system/flux-operator/app/resourceset.yaml similarity index 100% rename from kubernetes/main/flux-system/flux-operator/app/resourceset.yaml rename to kubernetes/flux-system/flux-operator/app/resourceset.yaml diff --git a/kubernetes/main/flux-system/flux-operator/ks.yaml b/kubernetes/flux-system/flux-operator/ks.yaml similarity index 85% rename from kubernetes/main/flux-system/flux-operator/ks.yaml rename to kubernetes/flux-system/flux-operator/ks.yaml index e5b027f2..e7ff507d 100644 --- a/kubernetes/main/flux-system/flux-operator/ks.yaml +++ b/kubernetes/flux-system/flux-operator/ks.yaml @@ -13,6 +13,6 @@ spec: sourceRef: kind: GitRepository name: flux-system - path: ./kubernetes/main/flux-system/flux-operator/app + path: ./kubernetes/flux-system/flux-operator/app prune: true wait: true 
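Review bot: Removing `pullSecret: "flux-system"` while pointing `sync` at `refs/heads/cluster-v2` means the cluster now pulls its desired state anonymously from a non-default branch, so the integrity of everything Flux applies rests on GitHub TLS plus whatever branch protection `cluster-v2` carries, and feature branches are commonly unprotected where `main` is not. If the repository is private the sync simply fails without the secret; if it is public, anyone who can push to `cluster-v2` controls what Flux applies with its own service-account privileges. I would keep the pull secret, or state in a comment why anonymous fetch is intended, and annotate the branch line with `ref: "refs/heads/cluster-v2"  # bootstrap branch for the v2 layout; move back to main once merged`. The FluxInstance `spec` starts before this hunk.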
diff --git a/kubernetes/main/flux-system/kustomization.yaml b/kubernetes/flux-system/kustomization.yaml similarity index 53% rename from kubernetes/main/flux-system/kustomization.yaml rename to kubernetes/flux-system/kustomization.yaml index cadb5a48..bb493df0 100644 --- a/kubernetes/main/flux-system/kustomization.yaml +++ b/kubernetes/flux-system/kustomization.yaml @@ -1,8 +1,10 @@ --- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ./apps.yaml - - ./avto-masini.yaml + - ./repositories +# - ./avto-masini.yaml - ./flux-operator/ks.yaml - ./vars diff --git a/kubernetes/flux-system/repositories/git/kustomization.yaml b/kubernetes/flux-system/repositories/git/kustomization.yaml new file mode 100644 index 00000000..8fb7c142 --- /dev/null +++ b/kubernetes/flux-system/repositories/git/kustomization.yaml @@ -0,0 +1,5 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: [] diff --git a/kubernetes/main/avto-masini/cloudflared/app/repository.yaml b/kubernetes/flux-system/repositories/helm/bjw-s.yaml similarity index 52% rename from kubernetes/main/avto-masini/cloudflared/app/repository.yaml rename to kubernetes/flux-system/repositories/helm/bjw-s.yaml index cdfaa3a1..84fbbe07 100644 --- a/kubernetes/main/avto-masini/cloudflared/app/repository.yaml +++ b/kubernetes/flux-system/repositories/helm/bjw-s.yaml @@ -1,8 +1,10 @@ +--- +# yaml-language-server: $schema=https://crd.movishell.pl/source.toolkit.fluxcd.io/helmrepository_v1.json apiVersion: source.toolkit.fluxcd.io/v1 kind: HelmRepository metadata: name: bjw-s - namespace: avto-masini + namespace: flux-system spec: type: oci interval: 5m diff --git a/kubernetes/flux-system/repositories/helm/cilium.yaml b/kubernetes/flux-system/repositories/helm/cilium.yaml new file mode 100644 index 00000000..bb938f41 
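Review bot: Commenting out `# - ./avto-masini.yaml` instead of deleting it leaves dead configuration in the entrypoint kustomization, and if the Flux Kustomization that applies this directory prunes (the FluxInstance-managed sync typically does), dropping the entry garbage-collects the `avto-masini` Kustomization and everything it owns on the next reconcile. That is presumably intended given the manifests removed elsewhere in this diff, but it is worth confirming before merge since it is a live teardown, not just a repo cleanup. If the app is meant to return, `# TODO(<owner>): re-enable avto-masini after migration to kubernetes/apps` is clearer than a bare comment; if not, delete the line.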
--- /dev/null +++ b/kubernetes/flux-system/repositories/helm/cilium.yaml @@ -0,0 +1,10 @@ +--- +# yaml-language-server: $schema=https://crd.movishell.pl/source.toolkit.fluxcd.io/helmrepository_v1.json +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: cilium + namespace: flux-system +spec: + interval: 30m + url: https://helm.cilium.io/ diff --git a/kubernetes/main/apps/database/cloudnative-pg/operator/repository.yaml b/kubernetes/flux-system/repositories/helm/cnpg.yaml similarity index 53% rename from kubernetes/main/apps/database/cloudnative-pg/operator/repository.yaml rename to kubernetes/flux-system/repositories/helm/cnpg.yaml index 8d653530..a2983039 100644 --- a/kubernetes/main/apps/database/cloudnative-pg/operator/repository.yaml +++ b/kubernetes/flux-system/repositories/helm/cnpg.yaml @@ -1,8 +1,10 @@ +--- +# yaml-language-server: $schema=https://crd.movishell.pl/source.toolkit.fluxcd.io/helmrepository_v1.json apiVersion: source.toolkit.fluxcd.io/v1 kind: HelmRepository metadata: name: cnpg - namespace: cnpg-system + namespace: flux-system spec: interval: 24h url: https://cloudnative-pg.github.io/charts diff --git a/kubernetes/main/apps/external-dns/external/repository.yaml b/kubernetes/flux-system/repositories/helm/external-dns.yaml similarity index 91% rename from kubernetes/main/apps/external-dns/external/repository.yaml rename to kubernetes/flux-system/repositories/helm/external-dns.yaml index a7ff8d16..f38c48ad 100644 --- a/kubernetes/main/apps/external-dns/external/repository.yaml +++ b/kubernetes/flux-system/repositories/helm/external-dns.yaml @@ -4,7 +4,7 @@ apiVersion: source.toolkit.fluxcd.io/v1 kind: HelmRepository metadata: name: external-dns - namespace: external-dns + namespace: flux-system spec: interval: 1h url: https://kubernetes-sigs.github.io/external-dns 
diff --git a/kubernetes/main/apps/security/authentik/app/repository.yaml b/kubernetes/flux-system/repositories/helm/goauthentik.yaml similarity index 52% rename from kubernetes/main/apps/security/authentik/app/repository.yaml rename to kubernetes/flux-system/repositories/helm/goauthentik.yaml index 5e354060..9b3daa29 100644 --- a/kubernetes/main/apps/security/authentik/app/repository.yaml +++ b/kubernetes/flux-system/repositories/helm/goauthentik.yaml @@ -1,8 +1,10 @@ +--- +# yaml-language-server: $schema=https://crd.movishell.pl/source.toolkit.fluxcd.io/helmrepository_v1.json apiVersion: source.toolkit.fluxcd.io/v1 kind: HelmRepository metadata: name: goauthentik - namespace: authentik + namespace: flux-system spec: interval: 1h url: https://charts.goauthentik.io/ diff --git a/kubernetes/flux-system/repositories/helm/grafana.yaml b/kubernetes/flux-system/repositories/helm/grafana.yaml new file mode 100644 index 00000000..43a28fd2 --- /dev/null +++ b/kubernetes/flux-system/repositories/helm/grafana.yaml @@ -0,0 +1,10 @@ +--- +# yaml-language-server: $schema=https://crd.movishell.pl/source.toolkit.fluxcd.io/helmrepository_v1.json +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: grafana-community + namespace: flux-system +spec: + interval: 1h + url: https://grafana-community.github.io/helm-charts \ No newline at end of file diff --git a/kubernetes/main/apps/cert-manager/app/repository.yaml b/kubernetes/flux-system/repositories/helm/jetstack.yaml similarity index 91% rename from kubernetes/main/apps/cert-manager/app/repository.yaml rename to kubernetes/flux-system/repositories/helm/jetstack.yaml index 87edf2b7..b513441b 100644 --- a/kubernetes/main/apps/cert-manager/app/repository.yaml +++ b/kubernetes/flux-system/repositories/helm/jetstack.yaml 
@@ -4,7 +4,7 @@ apiVersion: source.toolkit.fluxcd.io/v1 kind: HelmRepository metadata: name: jetstack - namespace: cert-manager + namespace: flux-system spec: interval: 1h url: https://charts.jetstack.io diff --git a/kubernetes/flux-system/repositories/helm/kustomization.yaml b/kubernetes/flux-system/repositories/helm/kustomization.yaml new file mode 100644 index 00000000..8a531c4e --- /dev/null +++ b/kubernetes/flux-system/repositories/helm/kustomization.yaml @@ -0,0 +1,17 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./cilium.yaml + - ./longhorn.yaml + - ./pihole.yaml + - ./metallb-system.yaml + - ./traefik.yaml + - ./external-dns.yaml + - ./prometheus-community.yaml + - ./bjw-s.yaml + - ./cnpg.yaml + - ./goauthentik.yaml + - ./jetstack.yaml + - ./grafana.yaml diff --git a/kubernetes/main/apps/infrastructure/longhorn/app/repository.yaml b/kubernetes/flux-system/repositories/helm/longhorn.yaml similarity index 51% rename from kubernetes/main/apps/infrastructure/longhorn/app/repository.yaml rename to kubernetes/flux-system/repositories/helm/longhorn.yaml index d5c5c9d6..3ebb76f1 100644 --- a/kubernetes/main/apps/infrastructure/longhorn/app/repository.yaml +++ b/kubernetes/flux-system/repositories/helm/longhorn.yaml @@ -1,8 +1,10 @@ +--- +# yaml-language-server: $schema=https://crd.movishell.pl/source.toolkit.fluxcd.io/helmrepository_v1.json apiVersion: source.toolkit.fluxcd.io/v1 kind: HelmRepository metadata: name: longhorn - namespace: longhorn-system + namespace: flux-system spec: interval: 24h url: https://charts.longhorn.io 
diff --git a/kubernetes/main/apps/network/metallb-system/app/repository.yaml b/kubernetes/flux-system/repositories/helm/metallb-system.yaml similarity index 52% rename from kubernetes/main/apps/network/metallb-system/app/repository.yaml rename to kubernetes/flux-system/repositories/helm/metallb-system.yaml index 90d8df17..d3a9e1fb 100644 --- a/kubernetes/main/apps/network/metallb-system/app/repository.yaml +++ b/kubernetes/flux-system/repositories/helm/metallb-system.yaml @@ -1,8 +1,12 @@ + +--- +# yaml-language-server: $schema=https://crd.movishell.pl/source.toolkit.fluxcd.io/helmrepository_v1.json apiVersion: source.toolkit.fluxcd.io/v1 kind: HelmRepository metadata: name: metallb - namespace: metallb-system + namespace: flux-system spec: interval: 5m url: https://metallb.github.io/metallb + \ No newline at end of file diff --git a/kubernetes/main/apps/network/pihole-system/app/repository.yaml b/kubernetes/flux-system/repositories/helm/pihole.yaml similarity index 54% rename from kubernetes/main/apps/network/pihole-system/app/repository.yaml rename to kubernetes/flux-system/repositories/helm/pihole.yaml index 916430dd..02190ea7 100644 --- a/kubernetes/main/apps/network/pihole-system/app/repository.yaml +++ b/kubernetes/flux-system/repositories/helm/pihole.yaml @@ -1,8 +1,10 @@ +--- +# yaml-language-server: $schema=https://crd.movishell.pl/source.toolkit.fluxcd.io/helmrepository_v1.json apiVersion: source.toolkit.fluxcd.io/v1 kind: HelmRepository metadata: name: mojo2600 - namespace: pihole-system + namespace: flux-system spec: interval: 5m url: https://mojo2600.github.io/pihole-kubernetes/ diff --git a/kubernetes/flux-system/repositories/helm/prometheus-community.yaml b/kubernetes/flux-system/repositories/helm/prometheus-community.yaml new file mode 100644 index 00000000..55d163e6 --- /dev/null +++ b/kubernetes/flux-system/repositories/helm/prometheus-community.yaml 
@@ -0,0 +1,10 @@ +--- +# yaml-language-server: $schema=https://crd.movishell.pl/source.toolkit.fluxcd.io/helmrepository_v1.json +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: prometheus-community + namespace: flux-system +spec: + interval: 12h + url: https://prometheus-community.github.io/helm-charts diff --git a/kubernetes/flux-system/repositories/helm/traefik.yaml b/kubernetes/flux-system/repositories/helm/traefik.yaml new file mode 100644 index 00000000..4d5ef3b4 --- /dev/null +++ b/kubernetes/flux-system/repositories/helm/traefik.yaml @@ -0,0 +1,10 @@ +--- +# yaml-language-server: $schema=https://crd.movishell.pl/source.toolkit.fluxcd.io/helmrepository_v1.json +apiVersion: source.toolkit.fluxcd.io/v1 +kind: HelmRepository +metadata: + name: traefik + namespace: flux-system +spec: + interval: 5m + url: https://traefik.github.io/charts diff --git a/kubernetes/flux-system/repositories/kustomization.yaml b/kubernetes/flux-system/repositories/kustomization.yaml new file mode 100644 index 00000000..ae7e0ad4 --- /dev/null +++ b/kubernetes/flux-system/repositories/kustomization.yaml @@ -0,0 +1,8 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./git + - ./helm + - ./oci diff --git a/kubernetes/flux-system/repositories/oci/kustomization.yaml b/kubernetes/flux-system/repositories/oci/kustomization.yaml new file mode 100644 index 00000000..8fb7c142 --- /dev/null +++ b/kubernetes/flux-system/repositories/oci/kustomization.yaml @@ -0,0 +1,5 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: [] 
diff --git a/kubernetes/main/flux-system/vars/cluster-secrets.sops.yaml b/kubernetes/flux-system/vars/cluster-secrets.sops.yaml similarity index 100% rename from kubernetes/main/flux-system/vars/cluster-secrets.sops.yaml rename to kubernetes/flux-system/vars/cluster-secrets.sops.yaml diff --git a/kubernetes/main/flux-system/vars/kustomization.yaml b/kubernetes/flux-system/vars/kustomization.yaml similarity index 57% rename from kubernetes/main/flux-system/vars/kustomization.yaml rename to kubernetes/flux-system/vars/kustomization.yaml index ccb20388..81aa03d1 100644 --- a/kubernetes/main/flux-system/vars/kustomization.yaml +++ b/kubernetes/flux-system/vars/kustomization.yaml @@ -1,3 +1,5 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: diff --git a/kubernetes/main/apps/audiobookshelf/app/audiobooks-pvc.yaml b/kubernetes/main/apps/audiobookshelf/app/audiobooks-pvc.yaml deleted file mode 100644 index bc56fb59..00000000 --- a/kubernetes/main/apps/audiobookshelf/app/audiobooks-pvc.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: audiobooks - namespace: audiobookshelf -spec: - accessModes: - - ReadWriteOnce - storageClassName: longhorn - resources: - requests: - storage: 50Gi diff --git a/kubernetes/main/apps/audiobookshelf/app/audiobookshelf-filebrowser.yaml b/kubernetes/main/apps/audiobookshelf/app/audiobookshelf-filebrowser.yaml deleted file mode 100644 index 7b9f7927..00000000 --- a/kubernetes/main/apps/audiobookshelf/app/audiobookshelf-filebrowser.yaml +++ /dev/null 
@@ -1,102 +0,0 @@ -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: filebrowser-database - namespace: audiobookshelf -spec: - accessModes: - - ReadWriteOnce - storageClassName: longhorn - resources: - requests: - storage: 256Mi ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: filebrowser-config - namespace: audiobookshelf -spec: - accessModes: - - ReadWriteOnce - storageClassName: longhorn - resources: - requests: - storage: 100Mi ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: audiobooks-filebrowser - namespace: audiobookshelf -spec: - replicas: 1 - selector: - matchLabels: - app: audiobooks-filebrowser - template: - metadata: - labels: - app: audiobooks-filebrowser - spec: - securityContext: - runAsUser: 0 - runAsGroup: 0 - fsGroup: 0 - containers: - - name: filebrowser - image: filebrowser/filebrowser - args: - - --baseURL=/filebrowser - ports: - - containerPort: 80 - volumeMounts: - - name: audiobooks - mountPath: /srv - - name: database - mountPath: /database - - name: config - mountPath: /config - volumes: - - name: audiobooks - persistentVolumeClaim: - claimName: audiobooks - - name: database - persistentVolumeClaim: - claimName: filebrowser-database - - name: config - persistentVolumeClaim: - claimName: filebrowser-config ---- -apiVersion: v1 -kind: Service -metadata: - name: audiobooks-filebrowser - namespace: audiobookshelf -spec: - selector: - app: audiobooks-filebrowser - ports: - - port: 80 - targetPort: 80 ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: audiobooks-filebrowser-ingress - namespace: audiobookshelf - annotations: - nginx.ingress.kubernetes.io/rewrite-target: /$2 -spec: - ingressClassName: external - rules: - - host: "books.cloudwithdan.com" - http: - paths: - - path: /filebrowser(/|$)(.*) - pathType: ImplementationSpecific - backend: - service: - name: audiobooks-filebrowser - port: - number: 80 
diff --git a/kubernetes/main/apps/audiobookshelf/app/kustomization.yaml b/kubernetes/main/apps/audiobookshelf/app/kustomization.yaml deleted file mode 100644 index ef8ab737..00000000 --- a/kubernetes/main/apps/audiobookshelf/app/kustomization.yaml +++ /dev/null @@ -1,9 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./namespace.yaml - - ./repository.yaml - - ./audiobooks-pvc.yaml - - ./release.yaml - - ./audiobookshelf-filebrowser.yaml diff --git a/kubernetes/main/apps/audiobookshelf/app/release.yaml b/kubernetes/main/apps/audiobookshelf/app/release.yaml deleted file mode 100644 index 29924c69..00000000 --- a/kubernetes/main/apps/audiobookshelf/app/release.yaml +++ /dev/null 
@@ -1,67 +0,0 @@ ---- -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: audiobookshelf - namespace: audiobookshelf -spec: - interval: 30m - chart: - spec: - chart: audiobookshelf - version: 0.0.2-nightly.49 - sourceRef: - kind: HelmRepository - name: audiobookshelf - namespace: flux-system - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - retries: 3 - values: - persistence: - config: - enabled: true - size: 1Gi - storageClass: "longhorn" - metadata: - enabled: true - size: 10Gi - storageClass: "longhorn" - - persistentVolumeClaims: - - name: audiobooks - mountPath: /audiobooks - readOnly: false - - volumes: - - name: audiobooks - persistentVolumeClaim: - claimName: audiobooks-pvc - - volumeMounts: - - name: audiobooks - mountPath: "/audiobooks" - readOnly: false - - ingress: - enabled: true - annotations: - external-dns.alpha.kubernetes.io/target: books.${SECRET_EXTERNAL_DOMAIN} - # nginx.ingress.kubernetes.io/auth-url: |- - # http://ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx - # nginx.ingress.kubernetes.io/auth-signin: |- - # https://auth.${SECRET_EXTERNAL_DOMAIN}/outpost.goauthentik.io/start?rd=$scheme%3A%2F%2F$host$escaped_request_uri - # nginx.ingress.kubernetes.io/auth-response-headers: |- - # Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid - # nginx.ingress.kubernetes.io/auth-snippet: | - # proxy_set_header X-Forwarded-Host $http_host; - kubernetes.io/ingress.class: external - hosts: - - host: books.${SECRET_EXTERNAL_DOMAIN} - paths: - - path: / - pathType: Prefix diff --git a/kubernetes/main/apps/audiobookshelf/app/repository.yaml b/kubernetes/main/apps/audiobookshelf/app/repository.yaml deleted file mode 100644 index 0a2ab943..00000000 --- a/kubernetes/main/apps/audiobookshelf/app/repository.yaml +++ /dev/null 
@@ -1,10 +0,0 @@ ---- -# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json -apiVersion: source.toolkit.fluxcd.io/v1 -kind: HelmRepository -metadata: - name: audiobookshelf - namespace: flux-system -spec: - interval: 1h - url: https://gitlab.com/api/v4/projects/57546317/packages/helm/nightly \ No newline at end of file diff --git a/kubernetes/main/apps/bentopdf/app/manifest.yaml b/kubernetes/main/apps/bentopdf/app/manifest.yaml deleted file mode 100644 index 55ffb4cc..00000000 --- a/kubernetes/main/apps/bentopdf/app/manifest.yaml +++ /dev/null 
@@ -1,77 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: bentopdf - namespace: bentopdf -spec: - replicas: 1 - revisionHistoryLimit: 1 - selector: - matchLabels: - app.kubernetes.io/name: bentopdf - strategy: - # Restrict to a Single bentopdf instance, on redeploys it will tear down the old one before bring a new one up. - type: Recreate - template: - metadata: - labels: - app.kubernetes.io/name: bentopdf - spec: - containers: - - name: bentopdf - image: bentopdf/bentopdf-simple:latest - imagePullPolicy: IfNotPresent - ports: - - containerPort: 8080 - name: http - protocol: TCP - # Use the http server for pod health checks - livenessProbe: - failureThreshold: 3 - periodSeconds: 10 - successThreshold: 1 - tcpSocket: - port: http - timeoutSeconds: 1 - readinessProbe: - failureThreshold: 3 - periodSeconds: 10 - successThreshold: 1 - tcpSocket: - port: http ---- -apiVersion: v1 -kind: Service -metadata: - name: bentopdf - namespace: bentopdf -spec: - selector: - app.kubernetes.io/name: bentopdf - ports: - - port: 8080 - name: http - targetPort: 8080 - protocol: TCP - type: ClusterIP ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: bentopdf-ingress - namespace: bentopdf - annotations: - external-dns.alpha.kubernetes.io/target: "ilovepdf.${SECRET_EXTERNAL_DOMAIN}" -spec: - ingressClassName: external - rules: - - host: ilovepdf.${SECRET_EXTERNAL_DOMAIN} - http: - paths: - - backend: - service: - name: bentopdf - port: - name: http - path: / - pathType: Prefix diff --git a/kubernetes/main/apps/bentopdf/ks.yaml b/kubernetes/main/apps/bentopdf/ks.yaml deleted file mode 100644 index e3cffc19..00000000 --- a/kubernetes/main/apps/bentopdf/ks.yaml +++ /dev/null 
@@ -1,21 +0,0 @@ ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app bentopdf - namespace: flux-system -spec: - targetNamespace: bentopdf - commonMetadata: - labels: - app.kubernetes.io/name: *app - path: ./kubernetes/main/apps/bentopdf/app - prune: true - sourceRef: - kind: GitRepository - name: flux-system - namespace: flux-system - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m diff --git a/kubernetes/main/apps/blog/app/deployment.yaml b/kubernetes/main/apps/blog/app/deployment.yaml deleted file mode 100644 index 0117403f..00000000 --- a/kubernetes/main/apps/blog/app/deployment.yaml +++ /dev/null @@ -1,41 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: blog - namespace: blog - labels: - app: blog -spec: - replicas: 1 - selector: - matchLabels: - app: blog - template: - metadata: - labels: - app: blog - spec: - nodeSelector: - kubernetes.io/hostname: talos-worker-eu-02 - containers: - - name: blog - resources: - limits: - memory: "128Mi" - cpu: "500m" - requests: - memory: "64Mi" - cpu: "250m" - image: ghcr.io/cloudwithdan/blog:latest - imagePullPolicy: Always - ports: - - name: blog - containerPort: 8080 - livenessProbe: - httpGet: - path: / - port: 8080 - readinessProbe: - httpGet: - path: / - port: 8080 diff --git a/kubernetes/main/apps/blog/app/ingress.yaml b/kubernetes/main/apps/blog/app/ingress.yaml deleted file mode 100644 index ff77101d..00000000 --- a/kubernetes/main/apps/blog/app/ingress.yaml +++ /dev/null @@ -1,21 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: blog-ingress - namespace: blog - annotations: - external-dns.alpha.kubernetes.io/target: "cloudwithdan.com" - nginx.ingress.kubernetes.io/use-forwarded-headers: "true" -spec: - ingressClassName: external - rules: - - host: cloudwithdan.com - http: - paths: - - path: /posts - pathType: Prefix - backend: - service: - name: blog - port: - name: blog 
diff --git a/kubernetes/main/apps/blog/app/namespace.yaml b/kubernetes/main/apps/blog/app/namespace.yaml deleted file mode 100644 index 7fa851fc..00000000 --- a/kubernetes/main/apps/blog/app/namespace.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: blog - labels: - pod-security.kubernetes.io/audit: privileged - pod-security.kubernetes.io/enforce: privileged - pod-security.kubernetes.io/warn: privileged - goldilocks.fairwinds.com/enabled: "true" diff --git a/kubernetes/main/apps/blog/app/service.yaml b/kubernetes/main/apps/blog/app/service.yaml deleted file mode 100644 index 8a6001f9..00000000 --- a/kubernetes/main/apps/blog/app/service.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: blog - namespace: blog -spec: - ports: - - name: blog - port: 8080 - targetPort: blog - selector: - app: blog - type: ClusterIP diff --git a/kubernetes/main/apps/blog/ks.yaml b/kubernetes/main/apps/blog/ks.yaml deleted file mode 100644 index ddd438fd..00000000 --- a/kubernetes/main/apps/blog/ks.yaml +++ /dev/null @@ -1,20 +0,0 @@ ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app web - namespace: flux-system -spec: - targetNamespace: web - commonMetadata: - labels: - app.kubernetes.io/name: *app - path: ./kubernetes/main/apps/web/app - prune: true - sourceRef: - kind: GitRepository - name: flux-system - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m diff --git a/kubernetes/main/apps/cert-manager/app/kustomization.yaml b/kubernetes/main/apps/cert-manager/app/kustomization.yaml deleted file mode 100644 index c00b6bbb..00000000 --- a/kubernetes/main/apps/cert-manager/app/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./namespace.yaml - - ./repository.yaml - - ./release.yaml 
diff --git a/kubernetes/main/apps/cert-manager/app/namespace.yaml b/kubernetes/main/apps/cert-manager/app/namespace.yaml deleted file mode 100644 index e385fcfd..00000000 --- a/kubernetes/main/apps/cert-manager/app/namespace.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: cert-manager - labels: - pod-security.kubernetes.io/audit: privileged - pod-security.kubernetes.io/enforce: privileged - pod-security.kubernetes.io/warn: privileged - goldilocks.fairwinds.com/enabled: "true" diff --git a/kubernetes/main/apps/cert-manager/issuers/secret.sops.yaml b/kubernetes/main/apps/cert-manager/issuers/secret.sops.yaml deleted file mode 100644 index 31c5fff4..00000000 --- a/kubernetes/main/apps/cert-manager/issuers/secret.sops.yaml +++ /dev/null @@ -1,22 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: cert-manager-secret - namespace: cert-manager -stringData: - api-token: ENC[AES256_GCM,data:TTq56YNQ27hy3dPaj9oVV6DxxtM/hVbjQh0y39ryVFnsFxMdKACoSg==,iv:TY9knIP7YG3FAxIYTzmnVe6GfT4zdOCJKX+leqIrc0g=,tag:6Fy0kiC1klgOSHwlyVx4jA==,type:str] -sops: - age: - - recipient: age13swsp40tstrqluer6arm5skldvg5ucw4t390a87qcdzcj0r2jscqrraxnv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBaQzVNWEVRTTM1OFhnZzMv - MFVPNUNpV3BlNFc2NXRoL1hRRzIvYVdLUWhRCnFOT3A0cGtjekJwZURwWG0zdURy - Y2hVY1VFcTZpQStzelNVWVF3M0xEUGMKLS0tIFN2YldhY0hGdlBJb1R1UXp2blRy - bG5EOFhML2VScGkwVlY3alpJY1oyL1kKB0c8QBNT14iP1AEfektDO7ZY0iHhQnOi - AsYRaxv9JoR+k+ADJy94DLLij8zM6ac12vqMgyyQDAEjTbsXWNCU2g== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-12-31T21:21:13Z" - mac: ENC[AES256_GCM,data:frGKZrkZjO+inq8nlxWiKhNAAPBmZTXNh1dkNQVviViObmzaeHWcEOdaigKgFSMQ/gqfvjPNxxU6YH1zOXjLqdPKGv7UkcBqvcSfpky9L7Vh01nxmasVUtlZiM45Rez6gb9SPLMUrxesFfRa5+LgsTsRsK5Ah0sSkgUFNe7BKzs=,iv:fEXsguSCCL+GjJiLAwQmfBnugBZFS4i3gXk52natmio=,tag:liZLdrc6f4zHjqvhr0M5vA==,type:str] - encrypted_regex: ^(data|stringData)$ - version: 3.11.0 
diff --git a/kubernetes/main/apps/cloudflared/app/configs/config.yaml b/kubernetes/main/apps/cloudflared/app/configs/config.yaml deleted file mode 100644 index 63dd3dd5..00000000 --- a/kubernetes/main/apps/cloudflared/app/configs/config.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -originRequest: - noTLSVerify: true - -ingress: - - hostname: "${SECRET_EXTERNAL_DOMAIN}" - service: https://ingress-nginx-external-controller.ingress-nginx.svc.cluster.local:443 - - hostname: "*.${SECRET_EXTERNAL_DOMAIN}" - service: https://ingress-nginx-external-controller.ingress-nginx.svc.cluster.local:443 - - service: http_status:404 diff --git a/kubernetes/main/apps/cloudflared/app/deployment.yaml b/kubernetes/main/apps/cloudflared/app/deployment.yaml deleted file mode 100644 index a6c43d3c..00000000 --- a/kubernetes/main/apps/cloudflared/app/deployment.yaml +++ /dev/null @@ -1,35 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - labels: - app: cloudflared - name: &app cloudflared - namespace: cloudflared -spec: - selector: - matchLabels: - app: cloudflared - template: - metadata: - labels: - app: cloudflared - spec: - containers: - - name: cloudflared - image: cloudflare/cloudflared:latest - imagePullPolicy: Always - args: - [ - "tunnel", - "--no-autoupdate", - "run", - "--token=$(token)", - ] - env: - - name: token - valueFrom: - secretKeyRef: - name: cloudflared-token - key: token - restartPolicy: Always - terminationGracePeriodSeconds: 60 diff --git a/kubernetes/main/apps/cloudflared/app/namespace.yaml b/kubernetes/main/apps/cloudflared/app/namespace.yaml deleted file mode 100644 index b7740ac3..00000000 --- a/kubernetes/main/apps/cloudflared/app/namespace.yaml +++ /dev/null 
@@ -1,10 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: cloudflared - labels: - pod-security.kubernetes.io/audit: privileged - pod-security.kubernetes.io/enforce: privileged - pod-security.kubernetes.io/warn: privileged - kustomize.toolkit.fluxcd.io/prune: disabled - goldilocks.fairwinds.com/enabled: "true" diff --git a/kubernetes/main/apps/cloudflared/app/repository.yaml b/kubernetes/main/apps/cloudflared/app/repository.yaml deleted file mode 100644 index 63063cf8..00000000 --- a/kubernetes/main/apps/cloudflared/app/repository.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: source.toolkit.fluxcd.io/v1 -kind: HelmRepository -metadata: - name: bjw-s - namespace: cloudflared -spec: - type: oci - interval: 5m - url: oci://ghcr.io/bjw-s/helm diff --git a/kubernetes/main/apps/cloudflared/app/secret.sops.yaml b/kubernetes/main/apps/cloudflared/app/secret.sops.yaml deleted file mode 100644 index 363186be..00000000 --- a/kubernetes/main/apps/cloudflared/app/secret.sops.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: cloudflared-secret - namespace: cloudflared -stringData: - TUNNEL_ID: ENC[AES256_GCM,data:68DrzuJQl+ctdxQuvXPMggC3rvGUHKPRiBGwtcVqZSNfQ0yO,iv:GzzmEGPE84/9E/wBSn23Z1TXe0EtAoLLdi+yUZ3ra1k=,tag:+WFngzuY4Z7oJU1L5yefBw==,type:str] - credentials.json: ENC[AES256_GCM,data:2J4ZNFlgLoH6ehZUQ0v9oAP5YSCxtuXb80v7KrW9zOzdJAnAH1eP7lz3fXIHH8UEP4MCTKLRd0IjMiniM3OFQABVfPxkluwjHBdUMgvPI7sy/sXJ3jMarLixEdeKWM2vMJ8Vif+cKYn74kjliDnKiBsNM6MID2aQtdtgEONjf0ZP/1qNhyuvyAdQKS7oGK+Rr48mhZh4e4OiS2WzeRjVTMvoqWMcphw/+DK4iKTQO6Y=,iv:xu4Zvca2z4hNXsncUh25Ml3uVj4V0edCIbm37+7gL/k=,tag:MLqjggs1ggLdh5gJtU8p9Q==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age13swsp40tstrqluer6arm5skldvg5ucw4t390a87qcdzcj0r2jscqrraxnv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYZDZoN0tYS1lsQStlcjNr - ZEFjKy85bmdFcEdER2EwRWJ0cDVKWUdZeTFzCm10L21aaE82dCtsS2E3eEpaZm85 - U1oxREd4YWVEbXl1d3ZJQThLVkM4YWsKLS0tIFRNQ2ErQk9JSGNDcytBSHBxUlYv - aVVMODRlWUV3MWZmUGI5ZXluMytESU0KRXR4ju/86wNTOx6EKc2sVMM3ChHaWAB5 - aSnTDb88vaegs5lGJKvienxn0t27ropq9FFMwGgOWMWHcz9RdwnPUA== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-03-23T20:22:39Z" - mac: ENC[AES256_GCM,data:kD5qsfnn7dEfGEegVjPgwO/z0F7TEfPsthuJBIeUNo3BmzhSC9/pvy+gIl+mntcdAEP4z0FY34SLelS0mpBo0pjnA96rWsvrsjdMAmJgZ1oNZlrKswVlDgTu0LYeBYPzFq9QkcOVUye1GuvkUQp4fIwUVVgAJXOQoTECS+UFbRw=,iv:CwutYyx9GobsykEkobb9ZZXb1mqmI0GBsRZf20tmBW8=,tag:rENd/dCNteOY571o4Al3ZA==,type:str] - pgp: [] - encrypted_regex: ^(data|stringData)$ - version: 3.9.4 diff --git a/kubernetes/main/apps/database/cloudnative-pg/cluster/s3-creds.sops.yaml b/kubernetes/main/apps/database/cloudnative-pg/cluster/s3-creds.sops.yaml deleted file mode 100644 index dd607dce..00000000 --- a/kubernetes/main/apps/database/cloudnative-pg/cluster/s3-creds.sops.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: s3-creds - namespace: cnpg-system -stringData: - ACCESS_KEY_ID: ENC[AES256_GCM,data:lBKXulaxXfgzvqkRfTx2CaPIyMc=,iv:mTvf40lrtJWcYRi37yxYVci5PDg8FCaFy42yndsXiQQ=,tag:oGRIY0+lx6Honpfyx3Uz5Q==,type:str] - SECRET_ACCESS_KEY: ENC[AES256_GCM,data:dBauVdZaxubgBHpZVS/cGcArNLgXtf6eeUBqmOpYWdkXEtxphl6MjA==,iv:+PgcVrUNmQWjJ9TiNS+9/jL3HJ+BR0p52CTIW86EIIk=,tag:Vt9tnjTtjWoN2huaITEkfg==,type:str] -sops: - age: - - recipient: age13swsp40tstrqluer6arm5skldvg5ucw4t390a87qcdzcj0r2jscqrraxnv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjaVQxUk1xZEIxZFRLOGto - a2hrRG1rZk1oeGd4NktuNUtTUkhJelU5ekJ3Cmx4azlaKzBwOUFudDRuYnkvQjly - ellyREd4djU4OTBON2ljMWwyWGtnWDAKLS0tIGcrMlp3UCtoL0Y3V2lrTkpyc3M5 - MzhBUGRGa1NyOE9ia0hNZDR2T3pFcVEKg4W0L//J2m7izP1rlejS46TLKpss3Ijv - TVZ3eJmTce6y/IsQbiJ7kaDHBFouYv3waDUMkxkDkgbeX3hgC32j1Q== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-03-12T22:13:36Z" - mac: ENC[AES256_GCM,data:vWobFFmQL1tLCjUC4fqOqHsZegCxGJeG9q/iNdCwuyTDqEsowx4SPCj1Vz33Ri9XQ7tG/uKgY5caQgN8m+vmIvCe56iZ4l5EUNbNe3fPrZo/1Krnqulv+zfepAyuw7rideq7UrPu6Uvd7W4IkgpWzcyKi+97y9QhRkfr/gmS1B8=,iv:mTeYjKECcX6lkdWNuhdSyMSJx1evgir2tEnFWaqZJsA=,tag:OmB37YMVx4iPCNjmpop89g==,type:str] - encrypted_regex: ^(data|stringData)$ - version: 3.12.1 diff --git a/kubernetes/main/apps/database/cloudnative-pg/operator/secret.sops.yaml b/kubernetes/main/apps/database/cloudnative-pg/operator/secret.sops.yaml deleted file mode 100644 index 0d55a38e..00000000 --- a/kubernetes/main/apps/database/cloudnative-pg/operator/secret.sops.yaml +++ /dev/null 
@@ -1,25 +0,0 @@ -# yamllint disable -kind: Secret -apiVersion: v1 -type: Opaque -metadata: - name: cloudnative-pg-secret - namespace: cnpg-system -stringData: - username: ENC[AES256_GCM,data:zsQ739He39Y=,iv:HR+37xHAdjzCn16tYbMhl78OvdSBMA7/oSgExHHrGb8=,tag:8BtN53W3OfBmvY467as1ig==,type:str] - password: ENC[AES256_GCM,data:iakn5nzVdggPgACVrUo=,iv:I3N44IK3M/qKSlfYz6QgSTaUJUQDsnHxxno3aiC4hW8=,tag:AKKl0TqsO/krpqYKcS8Y6g==,type:str] -sops: - age: - - recipient: age13swsp40tstrqluer6arm5skldvg5ucw4t390a87qcdzcj0r2jscqrraxnv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQWnRLQVg4Y0N1cEJqeHhY - YTZ2UmZsOFRGV1VJQlhCeVBxVkF5YmU3WDBVCm13bkNjNUg5RHozbFYvR29DZjFk - ZXlIT0RidDNubFVPbkkzcW4yRkRFcUUKLS0tIEJEY05xMHpqY2h6akN4cUkwa0dz - ZlJJLzRQRjFjbDhaVm12QUxjd3BpcHcKhHVQAWXYky4XXxJJnCqKnGUYkBakMZfc - Gs/xgDG7WgO6h6CxMjaUahZUcZZA/6R9wm++1xxdzSZou0b0XXco5w== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-03-13T10:01:32Z" - mac: ENC[AES256_GCM,data:JlV2tomDu6IDiltrVIbFc0jlqYGMtDOJn9N4ib9+E6aZ1yHYl8qRe2kd9uGmhEPiPoUj9kWn1n9mTmnThj7Yp4FOuMKn8b2cWfmyni8tM0E8qUXSDvZWZdTYb2A8aU7/DdCYQBiI1dDViXF511D/CBr1UWxa/hornxan63XU/Tc=,iv:VGb53J7uImZmWYyv9MsPDtITHsT96ZWPCl3hWWcYzdQ=,tag:Vrvuc43GeEpPcc5ZjOkyww==,type:str] - encrypted_regex: ^(data|stringData)$ - version: 3.12.1 diff --git a/kubernetes/main/apps/database/kustomization.yaml b/kubernetes/main/apps/database/kustomization.yaml deleted file mode 100644 index 17c3814f..00000000 --- a/kubernetes/main/apps/database/kustomization.yaml +++ /dev/null @@ -1,6 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./namespace.yaml - - ./cloudnative-pg/ks.yaml diff --git a/kubernetes/main/apps/database/namespace.yaml b/kubernetes/main/apps/database/namespace.yaml deleted file mode 100644 index 9f2cf3f8..00000000 --- a/kubernetes/main/apps/database/namespace.yaml +++ /dev/null 
@@ -1,9 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: cnpg-system
- labels:
- pod-security.kubernetes.io/audit: privileged
- pod-security.kubernetes.io/enforce: privileged
- pod-security.kubernetes.io/warn: privileged
- goldilocks.fairwinds.com/enabled: "true"
diff --git a/kubernetes/main/apps/external-dns/external/namespace.yaml b/kubernetes/main/apps/external-dns/external/namespace.yaml
deleted file mode 100644
index dbd211d5..00000000
--- a/kubernetes/main/apps/external-dns/external/namespace.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: external-dns
- labels:
- pod-security.kubernetes.io/audit: privileged
- pod-security.kubernetes.io/enforce: privileged
- pod-security.kubernetes.io/warn: privileged
- goldilocks.fairwinds.com/enabled: "true"
diff --git a/kubernetes/main/apps/external-dns/external/secret.sops.yaml b/kubernetes/main/apps/external-dns/external/secret.sops.yaml
deleted file mode 100644
index 63cd98dd..00000000
--- a/kubernetes/main/apps/external-dns/external/secret.sops.yaml
+++ /dev/null
@@ -1,27 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: external-dns-secret - namespace: external-dns -stringData: - api-token: ENC[AES256_GCM,data:lBmBhVzUuXSLQL/yHDf5LpF2RKfI0CY3XkJwTzYoICfHvyrqbKgiGg==,iv:Kn4DLY4eGKAzwJG6DPhLMkoedNkVbv4B9EdkhnoIwpw=,tag:QXXChKY/+f3LXlf/uXAqtg==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age13swsp40tstrqluer6arm5skldvg5ucw4t390a87qcdzcj0r2jscqrraxnv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBKOEhzMkZndUFwNm5FTUtU - L1p2bG5zSWd1am93RVhwZHZvbEVNZEJhbTBRCkZQeUlwY1FTV2h1RWs4MWVjYlcy - amE5WGZUMXVWWlc3Z2ZCUlRNM1dUa1kKLS0tIG91ODVaV21jaFBOOUQ5RFN2S29t - UUZSM2tLQ3hNRmVmYkdsTk0yRTBEUnMKi+PWiVO/m7C3/e5qz66jYWA6Bt6SxyEh - /6+K/znmBYtKgm/IYcJNaIlXB0F/Oukl1c7BcFnPjB/glu3PwxR0vg== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-03-23T20:35:07Z" - mac: ENC[AES256_GCM,data:8RS31dDuxM02Q909qrQTtfv6ThLDHKdVq2KkQXKm/8TpD9Cgm5GkKnCkeztG58AU/2XUR3FRxP3JhMRzvgplYR6cWn8D902k9ulSFUBqZRkBnzoVZugTe4g7rpqB8LPma3Yc0GFyWNM3CxaoTIy/ZAHU/IlO+8eAWuzS7JEdTXc=,iv:qTnTFxsakTHqaAZowPA/SpyrKYVWQ4S/BfXdfrNnY0Y=,tag:CI0DrjMYDDeBCQbpZ67+LA==,type:str] - pgp: [] - encrypted_regex: ^(data|stringData)$ - version: 3.9.4 diff --git a/kubernetes/main/apps/garmin/garmin-fetch-data/deployment.yaml b/kubernetes/main/apps/garmin/garmin-fetch-data/deployment.yaml deleted file mode 100644 index feb47325..00000000 --- a/kubernetes/main/apps/garmin/garmin-fetch-data/deployment.yaml +++ /dev/null 
@@ -1,61 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: garmin-fetch-data
- namespace: garmin
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: garmin-fetch-data
- template:
- metadata:
- labels:
- app: garmin-fetch-data
- spec:
- securityContext:
- runAsUser: 0 # 0 is the UID for root
- runAsGroup: 0
- containers:
- - name: garmin-fetch-data
- image: thisisarpanghosh/garmin-fetch-data:latest
- env:
- - name: INFLUXDB_HOST
- value: "influxdb.garmin.svc.cluster.local"
- - name: INFLUXDB_PORT
- value: "8086"
- - name: INFLUXDB_USERNAME
- value: "influxdb_user"
- - name: INFLUXDB_PASSWORD
- value: "influxdb_secret_password"
- - name: INFLUXDB_DATABASE
- value: "GarminStats"
- - name: GARMINCONNECT_IS_CN
- value: "False"
- volumeMounts:
- - name: oauth1-token
- mountPath: /root/.garminconnect/oauth1_token.json
- subPath: oauth1_token.json
- - name: oauth2-token
- mountPath: /root/.garminconnect/oauth2_token.json
- subPath: oauth2_token.json
- resources:
- limits:
- cpu: 500m
- memory: 1000Mi
- requests:
- cpu: 100m
- memory: 256Mi
- volumes:
- - name: oauth1-token
- secret:
- secretName: garmin-secret
- items:
- - key: oauth1_token.json
- path: oauth1_token.json
- - name: oauth2-token
- secret:
- secretName: garmin-secret
- items:
- - key: oauth2_token.json
- path: oauth2_token.json
diff --git a/kubernetes/main/apps/garmin/garmin-fetch-data/namespace.yaml b/kubernetes/main/apps/garmin/garmin-fetch-data/namespace.yaml
deleted file mode 100644
index d866a48f..00000000
--- a/kubernetes/main/apps/garmin/garmin-fetch-data/namespace.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: garmin
- labels:
- pod-security.kubernetes.io/audit: privileged
- pod-security.kubernetes.io/enforce: privileged
- pod-security.kubernetes.io/warn: privileged
- goldilocks.fairwinds.com/enabled: "true"
diff --git a/kubernetes/main/apps/garmin/garmin-fetch-data/pvc.yaml b/kubernetes/main/apps/garmin/garmin-fetch-data/pvc.yaml
deleted file mode 100644
index 18a11e0e..00000000
--- a/kubernetes/main/apps/garmin/garmin-fetch-data/pvc.yaml
+++ /dev/null
@@ -1,12 +0,0 @@
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
- name: garminconnect-tokens-pvc
- namespace: garmin
-spec:
- accessModes:
- - ReadWriteOnce
- resources:
- requests:
- storage: 500Mi
diff --git a/kubernetes/main/apps/garmin/garmin-fetch-data/secret.sops.yaml b/kubernetes/main/apps/garmin/garmin-fetch-data/secret.sops.yaml
deleted file mode 100644
index d2afdc86..00000000
--- a/kubernetes/main/apps/garmin/garmin-fetch-data/secret.sops.yaml
+++ /dev/null
@@ -1,23 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: garmin-secret - namespace: garmin -stringData: - oauth1_token.json: ENC[AES256_GCM,data:DaIH/X+vGjD633AQauW+V8ouvRCN477rYtSxhtj9cSyKeCNbAegb5chHG/qhwXbYuyFUChBMV2xodGZYM0WF6+os72uWDS9nenU18JEUO72b5EUXLj1eUoCoMv2Tyw527rpFeybEkkPjMiupty91QJKaBZHEut1kdEM4gHLk1KICTE5h7e3C0TBlw6Y8nfMHs8UtF/L0gJCwLgwyP5QsbRlw3PIcdzE85zA5WuNVbpMBjWkVKBpMXpSEl+fP/VNGE8iUk16d4wKGY+r/62vHHX3qQnQ9Pl9efGshcpCjDEgPQuLZeL3+tcAZER3OVAdqLR1Tl6qcLCuXHZYMLTHExNG4pDDXvHvAhmteU+0=,iv:J5ZqQhbZgGrG5LHE0S2QEV7QotBNM/075zIDXYwFzLk=,tag:4YMrdGg+z4OqVZ4WkrRw1g==,type:str] - oauth2_token.json: ENC[AES256_GCM,data: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,iv:fRrrj+bT7cq84c9Gh2tVKBpW7hv8wgtMXU/JVldvKB4=,tag:qhQBCXKCI7jO4KEzYrwo1g==,type:str] -sops: - age: - - recipient: age13swsp40tstrqluer6arm5skldvg5ucw4t390a87qcdzcj0r2jscqrraxnv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2T3lkOUtMRGlEaXJoVTgv - Nyt4S3VJcS9xYmJuY01XU2cvQWptWEZsa1EwCkwyYzVQTFE2N2dxYzYvR3pIcUxC - QjRUMy9Qb0NiTFNrdHBqUnJSbVRSOEEKLS0tIFI5NElWR1BsSWFFaVZwbmdoSWdr - bGdKNnErUlZoRjFNYTRNUlhOSlFDUkUKw4wF06QZW7RUuUAUu3reyR0azEssw9RO - 9mdF5djBhw7XyWWvHqm9Qo/I6aoYeArSrR0Aa7va2hH58N54PrlRUg== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-05-15T12:12:36Z" - mac: ENC[AES256_GCM,data:c/7rrZc0loNGuPRK2HkEqf+wFxgG7c1LsXhfqQeuF9cMIzeGBHXZJuNaCu0fpT3e+3RYtN3nLkiRWZbT1TpG6LDnWqTpTygFaLlQEx+enflYA+CzN+t/ssb+GxDA3uyB/6dP6Qimp6CNsvyeRzcAIlvxQVQepIKmvmW1T5+Q+40=,iv:/JJUpkdzly19vSpX819GSVrFlQzAzIq7oSZcu7qlTs0=,tag:xjRGaJASA4zZPfNiwPfKRQ==,type:str] - encrypted_regex: ^(data|stringData)$ - version: 3.10.2 diff --git a/kubernetes/main/apps/garmin/garmin-fetch-data/service.yaml b/kubernetes/main/apps/garmin/garmin-fetch-data/service.yaml deleted file mode 100644 index 587fad92..00000000 --- a/kubernetes/main/apps/garmin/garmin-fetch-data/service.yaml +++ /dev/null 
@@ -1,12 +0,0 @@
----
-apiVersion: v1
-kind: Service
-metadata:
- name: garmin-fetch-data
- namespace: garmin
-spec:
- ports:
- - port: 8086
- targetPort: 8086
- selector:
- app: garmin-fetch-data
diff --git a/kubernetes/main/apps/garmin/ks.yaml b/kubernetes/main/apps/garmin/ks.yaml
deleted file mode 100644
index 80e64e92..00000000
--- a/kubernetes/main/apps/garmin/ks.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- name: &app garmin-fetch-data
- namespace: flux-system
-spec:
- targetNamespace: garmin
- commonMetadata:
- labels:
- app.kubernetes.io/name: *app
- path: ./kubernetes/main/apps/garmin/garmin-fetch-data
- prune: true
- sourceRef:
- kind: GitRepository
- name: flux-system
- namespace: flux-system
- wait: false
- interval: 30m
- retryInterval: 1m
- timeout: 5m
diff --git a/kubernetes/main/apps/gitlab-runner/app/kustomization.yaml b/kubernetes/main/apps/gitlab-runner/app/kustomization.yaml
deleted file mode 100644
index c00b6bbb..00000000
--- a/kubernetes/main/apps/gitlab-runner/app/kustomization.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - ./namespace.yaml
- - ./repository.yaml
- - ./release.yaml
diff --git a/kubernetes/main/apps/gitlab-runner/app/namespace.yaml b/kubernetes/main/apps/gitlab-runner/app/namespace.yaml
deleted file mode 100644
index ff097eca..00000000
--- a/kubernetes/main/apps/gitlab-runner/app/namespace.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: gitlab-runner
- labels:
- pod-security.kubernetes.io/audit: privileged
- pod-security.kubernetes.io/enforce: privileged
- pod-security.kubernetes.io/warn: privileged
- goldilocks.fairwinds.com/enabled: "true"
diff --git a/kubernetes/main/apps/gitlab-runner/app/release.yaml b/kubernetes/main/apps/gitlab-runner/app/release.yaml
deleted file mode 100644
index f91d1b0e..00000000
--- a/kubernetes/main/apps/gitlab-runner/app/release.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- name: &app gitlab-runner
- namespace: gitlab-runner
-spec:
- interval: 30m
- chart:
- spec:
- chart: gitlab-runner
- version: "0.84.1"
- sourceRef:
- kind: HelmRepository
- name: gitlab
- namespace: gitlab-runner
- interval: 12h
- values:
- gitlabUrl: "https://gitlab.com/"
- runnerToken: "${GITLAB_RUNNER_REGISTRATION_TOKEN}"
diff --git a/kubernetes/main/apps/gitlab-runner/app/repository.yaml b/kubernetes/main/apps/gitlab-runner/app/repository.yaml
deleted file mode 100644
index 4b770218..00000000
--- a/kubernetes/main/apps/gitlab-runner/app/repository.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: HelmRepository
-metadata:
- name: gitlab
- namespace: gitlab-runner
-spec:
- interval: 24h
- url: https://charts.gitlab.io
diff --git a/kubernetes/main/apps/goriva-si/goriva-si-influxdb/kustomization.yaml b/kubernetes/main/apps/goriva-si/goriva-si-influxdb/kustomization.yaml
deleted file mode 100644
index 28cc4e0d..00000000
--- a/kubernetes/main/apps/goriva-si/goriva-si-influxdb/kustomization.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - ./namespace.yaml
- - ./repository.yaml
- - ./secret.sops.yaml
- - ./release.yaml
diff --git a/kubernetes/main/apps/goriva-si/goriva-si-influxdb/release.yaml b/kubernetes/main/apps/goriva-si/goriva-si-influxdb/release.yaml
deleted file mode 100644
index de4a9ee1..00000000
--- a/kubernetes/main/apps/goriva-si/goriva-si-influxdb/release.yaml
+++ /dev/null
@@ -1,47 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- name: goriva-si-influxdb
- namespace: goriva-si
-spec:
- interval: 30m
- chart:
- spec:
- chart: influxdb2
- version: "2.1.2"
- sourceRef:
- kind: HelmRepository
- name: influxdata
- namespace: flux-system
- install:
- remediation:
- retries: 3
- upgrade:
- cleanupOnFail: true
- remediation:
- retries: 3
- values:
- nodeSelector:
- kubernetes.io/hostname: talos-worker-eu-02
- persistence:
- enabled: true
- size: 5Gi
- storageClass: longhorn
- resources:
- requests:
- cpu: 100m
- memory: 256Mi
- limits:
- cpu: 500m
- memory: 512Mi
- adminUser:
- organization: "gorivasi"
- bucket: "gorivasi"
- user: "admin"
- existingSecret: "influxdb-admin-credentials"
- service:
- type: ClusterIP
- port: 8086
- ingress:
- enabled: false
diff --git a/kubernetes/main/apps/goriva-si/goriva-si-influxdb/repository.yaml b/kubernetes/main/apps/goriva-si/goriva-si-influxdb/repository.yaml
deleted file mode 100644
index dca0f97b..00000000
--- a/kubernetes/main/apps/goriva-si/goriva-si-influxdb/repository.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: HelmRepository
-metadata:
- name: influxdata
- namespace: flux-system
-spec:
- interval: 1h
- url: https://helm.influxdata.com/
diff --git a/kubernetes/main/apps/goriva-si/goriva-si-influxdb/secret.sops.yaml b/kubernetes/main/apps/goriva-si/goriva-si-influxdb/secret.sops.yaml
deleted file mode 100644
index c7e97f9f..00000000
--- a/kubernetes/main/apps/goriva-si/goriva-si-influxdb/secret.sops.yaml
+++ /dev/null
@@ -1,24 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: influxdb-admin-credentials - namespace: goriva-si -type: Opaque -stringData: - admin-password: ENC[AES256_GCM,data:OKVOKd4cxF3ImHa769C6Zff9poU=,iv:4wYjARUFIquocx76Yady4TT3cjB8dma3M1X6sgaBgO0=,tag:yygUSzlSy6Do/GZG2OvrAQ==,type:str] - admin-token: ENC[AES256_GCM,data:K2J+qucHRGEnSBJ1k6uV+FMsXVDETq3sK6nHnNPdRd+YNwFilxxq1AsEYwLu7apCWt2tsolrY6ZjTmS7/Q==,iv:1Tz2aPRMwvLjVORr1E61HtRj8Lz4k7ZRPCWVSllPZx0=,tag:hqe4M0Q1jka9ib/d4szeiA==,type:str] -sops: - age: - - recipient: age13swsp40tstrqluer6arm5skldvg5ucw4t390a87qcdzcj0r2jscqrraxnv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBZYmtwNE14UTYwejZrTmdC - SVlib0trWnJSYlk0TGlqcE1BUmM4QXJCTFJZCkVmMzFGRFdKY2NlWm41dkZMc2JP - Tjlqb0M4c3JyUStkUWlia2l2R2xzZjQKLS0tIGtUc0dENmhhTU1YVFo4MWlpSTJr - S2lBMzd2NHo2Z2xsbW1vNWFMZWxxalUKt/FPpZZAyDBnxcaJpzhWCepxbXyQvo80 - fYwl/pRx9T7h93XRV+odjQYINNNJN3njtEZmSOr30qsH6wrBmBLnrQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-03-26T20:02:19Z" - mac: ENC[AES256_GCM,data:iHQDqf2tyUlIFWGFFi8E6PL0/j4SY235qMAJaIuzhdgDtGE/RGR20eN4K/t9jVO8ka//Ymq57vE5e6KoNdLk1hOC+mv3W/9VPNZvg1trdvy/hG6cR7gxpI6zNIibee3sJA2OoE7W82B5BpaMy45WahRoll6S/5Cs9xUXSmpRwzg=,iv:rVojmJJxmMrDBKNnl8Fie53NdJZ6DU6K6tlxhUDv62o=,tag:tMEloj2HUk2vp3hOJm3nVg==,type:str] - encrypted_regex: ^(data|stringData)$ - version: 3.12.2 diff --git a/kubernetes/main/apps/goriva-si/goriva-si-scraper/cronjob.yaml b/kubernetes/main/apps/goriva-si/goriva-si-scraper/cronjob.yaml deleted file mode 100644 index f985beb8..00000000 --- a/kubernetes/main/apps/goriva-si/goriva-si-scraper/cronjob.yaml +++ /dev/null 
@@ -1,53 +0,0 @@
----
-apiVersion: batch/v1
-kind: CronJob
-metadata:
- name: goriva-si-scraper
- namespace: goriva-si
-spec:
- schedule: "0 */6 * * *"
- concurrencyPolicy: Forbid
- successfulJobsHistoryLimit: 3
- failedJobsHistoryLimit: 3
- jobTemplate:
- spec:
- template:
- spec:
- restartPolicy: OnFailure
- containers:
- - name: goriva-si-scraper
- image: ghcr.io/cloudwithdan/goriva-si-scraper:latest
- imagePullPolicy: Always
- env:
- - name: INFLUXDB_URL
- value: "http://goriva-si-influxdb-influxdb2.goriva-si.svc.cluster.local:8086"
- - name: INFLUXDB_TOKEN
- valueFrom:
- secretKeyRef:
- name: influxdb-scraper-credentials
- key: token
- - name: INFLUXDB_ORG
- value: "gorivasi"
- - name: INFLUXDB_BUCKET
- value: "gorivasi"
- - name: LOG_LEVEL
- value: "INFO"
- resources:
- requests:
- cpu: 50m
- memory: 128Mi
- limits:
- cpu: 200m
- memory: 256Mi
- securityContext:
- allowPrivilegeEscalation: false
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- runAsUser: 1000
- runAsGroup: 1000
- seccompProfile:
- type: RuntimeDefault
- nodeSelector:
- kubernetes.io/hostname: talos-worker-eu-02
- securityContext:
- fsGroup: 1000
diff --git a/kubernetes/main/apps/goriva-si/goriva-si-scraper/kustomization.yaml b/kubernetes/main/apps/goriva-si/goriva-si-scraper/kustomization.yaml
deleted file mode 100644
index c894206f..00000000
--- a/kubernetes/main/apps/goriva-si/goriva-si-scraper/kustomization.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - ./secret.sops.yaml
- - ./cronjob.yaml
diff --git a/kubernetes/main/apps/goriva-si/goriva-si-scraper/secret.sops.yaml b/kubernetes/main/apps/goriva-si/goriva-si-scraper/secret.sops.yaml
deleted file mode 100644
index b8f6af6d..00000000
--- a/kubernetes/main/apps/goriva-si/goriva-si-scraper/secret.sops.yaml
+++ /dev/null
@@ -1,23 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: influxdb-scraper-credentials - namespace: goriva-si -type: Opaque -stringData: - token: ENC[AES256_GCM,data:h7bs7VjcNYuzr+tjuvAlN9A2jfTj7JnIQGeH8UDkBddV+XmsKCDEU8lhKyG4KsQMAmUeWIirUFFPQ68Z8A==,iv:RZenm9HlRBLcrKs/dIW21EBjSf4O7nlQWjsiU8OrkGo=,tag:V+V2jQZCw4xY2sE+ltTS+g==,type:str] -sops: - age: - - recipient: age13swsp40tstrqluer6arm5skldvg5ucw4t390a87qcdzcj0r2jscqrraxnv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDVktSMVNSQ08rY0ZUU3Na - MmdJczY2WS81a2ljZzZhWW9GU0lZeExyZmxJCmVCcVlmWWoyTEdEWU1JZ2N4c0Ni - WlZRRU1HMnVzRXVsK0Jhc1ArVDJRR00KLS0tIGZ1Y2pJM0VsdVRRZGFnTWNOaHJi - QkQ1dU4vajh2OHdKTTBnRWVZbXo5dW8KIvi3mWEV2A+debNc5tp9X/r8wQCKZuah - aXc5T08j/tWtZGLQnTN3f58235dvzHyiVDaDzERMc2jWmNCPF/pCzw== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2026-03-26T20:02:56Z" - mac: ENC[AES256_GCM,data:mYVx6ytBwNo+vb+bzA3ujmW/vV/kC2uNHbnPBDdnTboXJW2u9fDrpxcpw4TZqlMy7pqVs+u4lNFiXPtfHaTd+eZAqURKzupHsh7czJ5CZRnqA4fYi94WZG42NbutLTZNT+G7SEYqqV3QUg+V3r4HUDF8sdP5qKDZRJCd/L/OrvE=,iv:mmOPiqdBsyDQB3QlYBsW3IVOGKOmKAPEIrvetuXOTRY=,tag:Lx19Uq/96SoXxLp8z3I9kg==,type:str] - encrypted_regex: ^(data|stringData)$ - version: 3.12.2 diff --git a/kubernetes/main/apps/infrastructure/external-secrets/app/kustomization.yaml b/kubernetes/main/apps/infrastructure/external-secrets/app/kustomization.yaml deleted file mode 100644 index c00b6bbb..00000000 --- a/kubernetes/main/apps/infrastructure/external-secrets/app/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./namespace.yaml - - ./repository.yaml - - ./release.yaml diff --git a/kubernetes/main/apps/infrastructure/external-secrets/app/namespace.yaml b/kubernetes/main/apps/infrastructure/external-secrets/app/namespace.yaml deleted file mode 100644 index 12b63726..00000000 
--- a/kubernetes/main/apps/infrastructure/external-secrets/app/namespace.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: external-secrets
- labels:
- pod-security.kubernetes.io/audit: privileged
- pod-security.kubernetes.io/enforce: privileged
- pod-security.kubernetes.io/warn: privileged
- goldilocks.fairwinds.com/enabled: "true"
diff --git a/kubernetes/main/apps/infrastructure/external-secrets/app/release.yaml b/kubernetes/main/apps/infrastructure/external-secrets/app/release.yaml
deleted file mode 100644
index bf75122e..00000000
--- a/kubernetes/main/apps/infrastructure/external-secrets/app/release.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- name: &app external-secrets
- namespace: external-secrets
-spec:
- interval: 30m
- chart:
- spec:
- chart: external-secrets
- version: "0.10.5"
- sourceRef:
- kind: HelmRepository
- name: external-secrets
- namespace: external-secrets
- interval: 12h
- values:
- installCRDs: true
\ No newline at end of file
diff --git a/kubernetes/main/apps/infrastructure/external-secrets/app/repository.yaml b/kubernetes/main/apps/infrastructure/external-secrets/app/repository.yaml
deleted file mode 100644
index f847a754..00000000
--- a/kubernetes/main/apps/infrastructure/external-secrets/app/repository.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: HelmRepository
-metadata:
- name: external-secrets
- namespace: external-secrets
-spec:
- interval: 24h
- url: https://charts.external-secrets.io
diff --git a/kubernetes/main/apps/infrastructure/longhorn/app/kustomization.yaml b/kubernetes/main/apps/infrastructure/longhorn/app/kustomization.yaml
deleted file mode 100644
index 8c8db5a8..00000000
--- a/kubernetes/main/apps/infrastructure/longhorn/app/kustomization.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - ./namespace.yaml
- - ./repository.yaml
- - ./release.yaml
- - ./storageclass-retain.yaml
diff --git a/kubernetes/main/apps/infrastructure/longhorn/app/namespace.yaml b/kubernetes/main/apps/infrastructure/longhorn/app/namespace.yaml
deleted file mode 100644
index f80ab852..00000000
--- a/kubernetes/main/apps/infrastructure/longhorn/app/namespace.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: longhorn-system
- labels:
- pod-security.kubernetes.io/audit: privileged
- pod-security.kubernetes.io/enforce: privileged
- pod-security.kubernetes.io/warn: privileged
- goldilocks.fairwinds.com/enabled: "true"
diff --git a/kubernetes/main/apps/infrastructure/longhorn/app/release.yaml b/kubernetes/main/apps/infrastructure/longhorn/app/release.yaml
deleted file mode 100644
index 78ceb8ab..00000000
--- a/kubernetes/main/apps/infrastructure/longhorn/app/release.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- name: &app longhorn
- namespace: longhorn-system
-spec:
- interval: 30m
- chart:
- spec:
- chart: longhorn
- version: "1.8.0"
- sourceRef:
- kind: HelmRepository
- name: longhorn
- namespace: longhorn-system
- interval: 12h
diff --git a/kubernetes/main/apps/infrastructure/weave-gitops/app/release.yaml b/kubernetes/main/apps/infrastructure/weave-gitops/app/release.yaml
deleted file mode 100644
index ba8858e2..00000000
--- a/kubernetes/main/apps/infrastructure/weave-gitops/app/release.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- annotations:
- metadata.weave.works/description:
- This is the Weave GitOps Dashboard. It provides
- a simple way to get insights into your GitOps workloads.
- name: &app ww-gitops
- namespace: flux-system
-spec:
- chart:
- spec:
- chart: weave-gitops
- sourceRef:
- kind: HelmRepository
- name: ww-gitops
- interval: 1h0m0s
- values:
- resources:
- requests:
- cpu: 100m
- memory: 64Mi
- limits:
- cpu: 1
- memory: 512Mi
- securityContext:
- capabilities:
- drop:
- - ALL
- readOnlyRootFilesystem: true
- runAsNonRoot: true
- runAsUser: 1000
- adminUser:
- create: true
- passwordHash: $2a$12$/xzvyuZsUFacrXul.j14dOiAeZBECAO9m5.g1f9XsF1SUk4soH9DK
- username: admin
- metrics:
- enabled: true
\ No newline at end of file
diff --git a/kubernetes/main/apps/infrastructure/weave-gitops/app/repository.yaml b/kubernetes/main/apps/infrastructure/weave-gitops/app/repository.yaml
deleted file mode 100644
index cd2ec222..00000000
--- a/kubernetes/main/apps/infrastructure/weave-gitops/app/repository.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: HelmRepository
-metadata:
- annotations:
- metadata.weave.works/description:
- This is the source location for the Weave GitOps
- Dashboard's helm chart.
- labels:
- app.kubernetes.io/component: ui
- app.kubernetes.io/created-by: weave-gitops-cli
- app.kubernetes.io/name: weave-gitops-dashboard
- app.kubernetes.io/part-of: weave-gitops
- name: &app ww-gitops
- namespace: flux-system
-spec:
- interval: 1h0m0s
- type: oci
- url: oci://ghcr.io/weaveworks/charts
diff --git a/kubernetes/main/apps/infrastructure/weave-gitops/ks.yaml b/kubernetes/main/apps/infrastructure/weave-gitops/ks.yaml
deleted file mode 100644
index 35766c96..00000000
--- a/kubernetes/main/apps/infrastructure/weave-gitops/ks.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- name: &app ww-gitops
- namespace: flux-system
-spec:
- targetNamespace: flux-system
- commonMetadata:
- labels:
- app.kubernetes.io/name: *app
- path: ./kubernetes/main/apps/infrastructure/weave-gitops/app
- prune: true
- sourceRef:
- kind: GitRepository
- name: flux-system
- namespace: flux-system
- wait: true
- interval: 30m
- retryInterval: 1m
- timeout: 5m
diff --git a/kubernetes/main/apps/ingress-nginx/certificates/certificate.yaml b/kubernetes/main/apps/ingress-nginx/certificates/certificate.yaml
deleted file mode 100644
index 53a42b15..00000000
--- a/kubernetes/main/apps/ingress-nginx/certificates/certificate.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
- name: "${SECRET_EXTERNAL_DOMAIN/./-}-production"
- namespace: ingress-nginx
-spec:
- secretName: "${SECRET_EXTERNAL_DOMAIN/./-}-production-tls"
- issuerRef:
- name: letsencrypt-production
- kind: ClusterIssuer
- commonName: "${SECRET_EXTERNAL_DOMAIN}"
- dnsNames:
- - "${SECRET_EXTERNAL_DOMAIN}"
- - "*.${SECRET_EXTERNAL_DOMAIN}"
diff --git a/kubernetes/main/apps/ingress-nginx/certificates/kustomization.yaml b/kubernetes/main/apps/ingress-nginx/certificates/kustomization.yaml
deleted file mode 100644
index 93654906..00000000
--- a/kubernetes/main/apps/ingress-nginx/certificates/kustomization.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - ./certificate.yaml
-
diff --git a/kubernetes/main/apps/ingress-nginx/external/kustomization.yaml b/kubernetes/main/apps/ingress-nginx/external/kustomization.yaml
deleted file mode 100644
index c00b6bbb..00000000
--- a/kubernetes/main/apps/ingress-nginx/external/kustomization.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - ./namespace.yaml
- - ./repository.yaml
- - ./release.yaml
diff --git a/kubernetes/main/apps/ingress-nginx/external/namespace.yaml b/kubernetes/main/apps/ingress-nginx/external/namespace.yaml
deleted file mode 100644
index 5ee4d44d..00000000
--- a/kubernetes/main/apps/ingress-nginx/external/namespace.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: ingress-nginx
- labels:
- pod-security.kubernetes.io/audit: privileged
- pod-security.kubernetes.io/enforce: privileged
- pod-security.kubernetes.io/warn: privileged
- goldilocks.fairwinds.com/enabled: "true"
diff --git a/kubernetes/main/apps/ingress-nginx/external/release.yaml b/kubernetes/main/apps/ingress-nginx/external/release.yaml
deleted file mode 100644
index f75a38dd..00000000
--- a/kubernetes/main/apps/ingress-nginx/external/release.yaml
+++ /dev/null
@@ -1,81 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- name: ingress-nginx-external
- namespace: ingress-nginx
-spec:
- interval: 30m
- chart:
- spec:
- chart: ingress-nginx
- version: 4.11.3
- sourceRef:
- kind: HelmRepository
- name: ingress-nginx
- namespace: ingress-nginx
- install:
- remediation:
- retries: 3
- upgrade:
- cleanupOnFail: true
- remediation:
- retries: 3
- dependsOn:
- - name: cloudflared
- namespace: cloudflared
- values:
- fullnameOverride: ingress-nginx-external
- controller:
- allowSnippetAnnotations: true
- service:
- annotations:
- external-dns.alpha.kubernetes.io/hostname: "external.${SECRET_EXTERNAL_DOMAIN}"
- metallb.io/allow-shared-ip: ingress-nginx-external
- metallb.io/ip-allocated-from-pool: pool
- externalTrafficPolicy: Cluster
- ingressClassResource:
- name: external
- default: false
- controllerValue: k8s.io/external
- admissionWebhooks:
- objectSelector:
- matchExpressions:
- - key: ingress-class
- operator: In
- values: ["external"]
- config:
- annotations-risk-level: "Critical"
- use-forwarded-headers: "true"
- strict-validate-path-type: "false"
- client-body-buffer-size: 100M
- client-body-timeout: 120
- client-header-timeout: 120
- enable-brotli: "true"
- enable-real-ip: "true"
- hsts-max-age: 31449600
- keep-alive-requests: 10000
- keep-alive: 120
- log-format-escape-json: "true"
- log-format-upstream: >
- {"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr", "x_forwarded_for": "$proxy_add_x_forwarded_for",
- "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time,
- "status": $status, "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args",
- "request_length": $request_length, "duration": $request_time, "method": "$request_method", "http_referrer": "$http_referer",
- "http_user_agent": "$http_user_agent"}
- proxy-body-size: 0
- proxy-buffer-size: 16k
- ssl-protocols: TLSv1.3 TLSv1.2
- metrics:
- enabled: true
- serviceMonitor:
- enabled: true
- namespaceSelector:
- any: true
- extraArgs:
- default-ssl-certificate: "ingress-nginx/${SECRET_EXTERNAL_DOMAIN/./-}-production-tls"
- resources:
- requests:
- cpu: 100m
- limits:
- memory: 500Mi
diff --git a/kubernetes/main/apps/ingress-nginx/external/repository.yaml b/kubernetes/main/apps/ingress-nginx/external/repository.yaml
deleted file mode 100644
index 988da8ba..00000000
--- a/kubernetes/main/apps/ingress-nginx/external/repository.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: HelmRepository
-metadata:
- name: ingress-nginx
- namespace: ingress-nginx
-spec:
- interval: 1h
- url: https://kubernetes.github.io/ingress-nginx
diff --git a/kubernetes/main/apps/ingress-nginx/internal/kustomization.yaml b/kubernetes/main/apps/ingress-nginx/internal/kustomization.yaml
deleted file mode 100644
index 4ec97219..00000000
--- a/kubernetes/main/apps/ingress-nginx/internal/kustomization.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - ./release.yaml
diff --git a/kubernetes/main/apps/ingress-nginx/internal/release.yaml b/kubernetes/main/apps/ingress-nginx/internal/release.yaml
deleted file mode 100644
index 7ab0a657..00000000
--- a/kubernetes/main/apps/ingress-nginx/internal/release.yaml
+++ /dev/null
@@ -1,77 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- name: ingress-nginx-internal
- namespace: ingress-nginx
-spec:
- interval: 30m
- chart:
- spec:
- chart: ingress-nginx
- version: 4.11.3
- sourceRef:
- kind: HelmRepository
- name: ingress-nginx
- namespace: ingress-nginx
- install:
- remediation:
- retries: 3
- upgrade:
- cleanupOnFail: true
- remediation:
- retries: 3
- values:
- fullnameOverride: ingress-nginx-internal
- controller:
- allowSnippetAnnotations: true
- service:
- annotations:
- metallb.io/allow-shared-ip: ingress-nginx-internal
- metallb.io/ip-allocated-from-pool: pool
- externalTrafficPolicy: Cluster
- ingressClassResource:
- name: internal
- default: true
- controllerValue: k8s.io/internal
- admissionWebhooks:
- objectSelector:
- matchExpressions:
- - key: ingress-class
- operator: In
- values: ["internal"]
- config:
- annotations-risk-level: "Critical"
- use-forwarded-headers: "true"
- strict-validate-path-type: "false"
- client-body-buffer-size: 100M
- client-body-timeout: 120
- client-header-timeout: 120
- enable-brotli: "true"
- enable-real-ip: "true"
- hsts-max-age: 31449600
- keep-alive-requests: 10000
- keep-alive: 120
- log-format-escape-json: "true"
- log-format-upstream: >
- {"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr", "x_forwarded_for": "$proxy_add_x_forwarded_for",
- "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time,
- "status": $status, "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args",
- "request_length": $request_length, "duration": $request_time, "method": "$request_method", "http_referrer": "$http_referer",
- "http_user_agent": "$http_user_agent"}
- proxy-body-size: 0
- proxy-buffer-size: 16k
- ssl-protocols: TLSv1.3 TLSv1.2
- metrics:
- enabled: true
- serviceMonitor:
- enabled: true
- namespaceSelector:
- any: true
- extraArgs:
- default-ssl-certificate: "ingress-nginx/${SECRET_EXTERNAL_DOMAIN/./-}-production-tls"
- resources:
- requests:
- cpu: 100m
- limits:
- memory: 500Mi
diff --git a/kubernetes/main/apps/ingress-nginx/ks.yaml b/kubernetes/main/apps/ingress-nginx/ks.yaml
deleted file mode 100644
index 7e62a88e..00000000
--- a/kubernetes/main/apps/ingress-nginx/ks.yaml
+++ /dev/null
@@ -1,70 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- name: &app ingress-nginx-certificates
- namespace: flux-system
-spec:
- targetNamespace: ingress-nginx
- commonMetadata:
- labels:
- app.kubernetes.io/name: *app
- dependsOn:
- - name: cert-manager-issuers
- path: ./kubernetes/main/apps/ingress-nginx/certificates
- prune: true
- sourceRef:
- kind: GitRepository
- name: flux-system
- namespace: flux-system
- wait: true
- interval: 30m
- retryInterval: 1m
- timeout: 5m
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- name: &app ingress-nginx-external
- namespace: flux-system
-spec:
- targetNamespace: ingress-nginx
- commonMetadata:
- labels:
- app.kubernetes.io/name: *app
- dependsOn:
- - name: ingress-nginx-certificates
- path: ./kubernetes/main/apps/ingress-nginx/external
- prune: true
- sourceRef:
- kind: GitRepository
- name: flux-system
- namespace: flux-system
- wait: false
- interval: 30m
- retryInterval: 1m
- timeout: 5m
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- name: &app ingress-nginx-internal
- namespace: flux-system
-spec:
- targetNamespace: ingress-nginx
- commonMetadata:
- labels:
- app.kubernetes.io/name: *app
- dependsOn:
- - name: ingress-nginx-certificates
- path: ./kubernetes/main/apps/ingress-nginx/internal
- prune: true
- sourceRef:
- kind: GitRepository
- name: flux-system
- namespace: flux-system
- wait: false
- interval: 30m
- retryInterval: 1m
- timeout: 5m
-
diff --git a/kubernetes/main/apps/k8s-gateway/app/kustomization.yaml b/kubernetes/main/apps/k8s-gateway/app/kustomization.yaml
deleted file mode 100644
index c00b6bbb..00000000
--- a/kubernetes/main/apps/k8s-gateway/app/kustomization.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - ./namespace.yaml
- - ./repository.yaml
- - ./release.yaml
diff --git a/kubernetes/main/apps/k8s-gateway/app/namespace.yaml b/kubernetes/main/apps/k8s-gateway/app/namespace.yaml
deleted file mode 100644
index be391b42..00000000
--- a/kubernetes/main/apps/k8s-gateway/app/namespace.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: k8s-gateway
- labels:
- pod-security.kubernetes.io/audit: privileged
- pod-security.kubernetes.io/enforce: privileged
- pod-security.kubernetes.io/warn: privileged
- goldilocks.fairwinds.com/enabled: "true"
diff --git a/kubernetes/main/apps/k8s-gateway/app/release.yaml b/kubernetes/main/apps/k8s-gateway/app/release.yaml
deleted file mode 100644
index 6bc3c28c..00000000
--- a/kubernetes/main/apps/k8s-gateway/app/release.yaml
+++ /dev/null
@@ -1,35 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- name: k8s-gateway
- namespace: k8s-gateway
-spec:
- interval: 30m
- chart:
- spec:
- chart: k8s-gateway
- version: 2.4.0
- sourceRef:
- kind: HelmRepository
- name: k8s-gateway
- namespace: flux-system
- install:
- remediation:
- retries: 3
- upgrade:
- cleanupOnFail: true
- remediation:
- retries: 3
- values:
- fullnameOverride: k8s-gateway
- domain: "${SECRET_EXTERNAL_DOMAIN}"
- ttl: 1
- service:
- type: LoadBalancer
- port: 53
- annotations:
- metallb.io/allow-shared-ip: lb-k8s-gateway
- metallb.io/ip-allocated-from-pool: pool
- externalTrafficPolicy: Cluster
- watchedResources: ["Ingress", "Service"]
diff --git a/kubernetes/main/apps/k8s-gateway/app/repository.yaml b/kubernetes/main/apps/k8s-gateway/app/repository.yaml
deleted file mode 100644
index d7723106..00000000
--- a/kubernetes/main/apps/k8s-gateway/app/repository.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: HelmRepository
-metadata:
- name: k8s-gateway
- namespace: flux-system
-spec:
- interval: 1h
- url: https://ori-edge.github.io/k8s_gateway
\ No newline at end of file
diff --git a/kubernetes/main/apps/k8s-gateway/ks.yaml b/kubernetes/main/apps/k8s-gateway/ks.yaml
deleted file mode 100644
index 5694735c..00000000
--- a/kubernetes/main/apps/k8s-gateway/ks.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- name: &app k8s-gateway
- namespace: flux-system
-spec:
- targetNamespace: k8s-gateway
- commonMetadata:
- labels:
- app.kubernetes.io/name: *app
- path: ./kubernetes/main/apps/k8s-gateway/app
- prune: true
- sourceRef:
- kind: GitRepository
- name: flux-system
- namespace: flux-system
- wait: false
- interval: 30m
- retryInterval: 1m
- timeout: 5m
\ No newline at end of file
diff --git a/kubernetes/main/apps/linkwarden/app/cluster-pg.yaml b/kubernetes/main/apps/linkwarden/app/cluster-pg.yaml
deleted file mode 100644
index d29f24c7..00000000
--- a/kubernetes/main/apps/linkwarden/app/cluster-pg.yaml
+++ /dev/null
@@ -1,40 +0,0 @@
----
-apiVersion: postgresql.cnpg.io/v1
-kind: Cluster
-metadata:
- name: linkwarden-db
- namespace: linkwarden
-spec:
- imageName: ghcr.io/cloudnative-pg/postgresql:16.9
- instances: 1
-
- bootstrap:
- initdb:
- database: ${POSTGRES_DATABASE}
- owner: ${POSTGRES_USERNAME}
- secret:
- name: pg-cluster-secret
-
- enableSuperuserAccess: true
- superuserSecret:
- name: pg-cluster-secret
-
- storage:
- storageClass: longhorn
- size: 1Gi
-
- backup:
- retentionPolicy: 30d
- barmanObjectStore:
- destinationPath: 's3://talos-lj-backup/linkwarden-pg/'
- s3Credentials:
- accessKeyId:
- name: s3-creds
- key: ACCESS_KEY_ID
- secretAccessKey:
- name: s3-creds
- key: SECRET_ACCESS_KEY
- wal:
- compression: gzip
- maxParallel: 4
- encryption: AES256
diff --git a/kubernetes/main/apps/linkwarden/app/ingress.yaml b/kubernetes/main/apps/linkwarden/app/ingress.yaml
deleted file mode 100644
index 91aeb963..00000000
--- a/kubernetes/main/apps/linkwarden/app/ingress.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: linkwarden-ingress
- namespace: linkwarden
- annotations:
- external-dns.alpha.kubernetes.io/target: "bookmark.${SECRET_EXTERNAL_DOMAIN}"
-spec:
- ingressClassName: external
- rules:
- - host: "bookmark.${SECRET_EXTERNAL_DOMAIN}"
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: linkwarden
- port:
- name: http
diff --git a/kubernetes/main/apps/linkwarden/app/kustomization.yaml b/kubernetes/main/apps/linkwarden/app/kustomization.yaml
deleted file mode 100644
index 99c75563..00000000
--- a/kubernetes/main/apps/linkwarden/app/kustomization.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - ./namespace.yaml
- - ./storage.yaml
- - ./secret.sops.yaml
- - ./pg-secret.sops.yaml
- - ./cluster-pg.yaml
- - ./pg-backup.yaml
- - ./deployment.yaml
- - ./service.yaml
- - ./ingress.yaml
diff --git a/kubernetes/main/apps/linkwarden/app/namespace.yaml b/kubernetes/main/apps/linkwarden/app/namespace.yaml
deleted file mode 100644
index 38094843..00000000
--- a/kubernetes/main/apps/linkwarden/app/namespace.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-apiVersion: v1
-kind: Namespace
-metadata:
- name: linkwarden
- labels:
- pod-security.kubernetes.io/audit: privileged
- pod-security.kubernetes.io/enforce: privileged
- pod-security.kubernetes.io/warn: privileged
- goldilocks.fairwinds.com/enabled: "true"
diff --git a/kubernetes/main/apps/linkwarden/app/pg-backup.yaml b/kubernetes/main/apps/linkwarden/app/pg-backup.yaml
deleted file mode 100644
index 9dd3a722..00000000
--- a/kubernetes/main/apps/linkwarden/app/pg-backup.yaml
+++ /dev/null
@@ -1,13 +0,0 @@
-
-apiVersion: postgresql.cnpg.io/v1
-kind: ScheduledBackup
-metadata:
- name: linkwarden-db-backup
- namespace: linkwarden
-spec:
- schedule: "0 0 0 * * *"
- suspend: false
- immediate: true
- backupOwnerReference: self
- cluster:
- name: linkwarden-db
diff --git a/kubernetes/main/apps/linkwarden/app/pg-secret.sops.yaml b/kubernetes/main/apps/linkwarden/app/pg-secret.sops.yaml
deleted file mode 100644
index 44d58046..00000000
--- a/kubernetes/main/apps/linkwarden/app/pg-secret.sops.yaml
+++ /dev/null
@@ -1,25 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
- name: pg-cluster-secret
- namespace: linkwarden
-stringData:
- username: ENC[AES256_GCM,data:/DW6,iv:bSqXmW2HcNLIz2TQs4/n1oIZyNH1T+UZzSNCDVmiT38=,tag:wx9BHm1i1lvUemHxPeDJqQ==,type:str]
- password: ENC[AES256_GCM,data:SFknfyV0q1RU9A==,iv:x7R4Fnpd03fvIELm4QkAcWWVDboTkymtODipczTsPDE=,tag:tPxQ149+WiKoJltKZUOr9w==,type:str]
- ACCESS_KEY_ID: ENC[AES256_GCM,data:c/QTRveVnN0nXCu8Ijc1YmX4JI4=,iv:UNuk4QxYnBIbwqBcw26V2JeBK9KS9vQGunPbqOmptxo=,tag:QdPqfglDM93THHhlGXNE2A==,type:str]
- SECRET_ACCESS_KEY: ENC[AES256_GCM,data:qALvmxnZyNxPoTwbkNgvZSZ8QFOpaPHyd7O6lSiTtFx26dwuZH0cxw==,iv:vWrA2TY6UCVHaG1R9N9eoiolqetano0BbkCbE9ekCRU=,tag:Zb+slrQ7yDPgSwM3H+JT3g==,type:str]
-sops:
- age:
- - recipient: age13swsp40tstrqluer6arm5skldvg5ucw4t390a87qcdzcj0r2jscqrraxnv
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxMU9rRGhkMXFoc0w1d2RK
- UlVSblZKejJ4YTIycG9ETEVVTVJGekQ2SjBFCnhFbEhsTC9sSEUwSWM2eWNJSjdu
- N0t1UVlYMXd5WGdUZUFhNnN5SjhUd00KLS0tIGdPcUtkVjU3WXFoREFCS1NXaHhl
- cWJLdmI4MWIzMzNtQWZwbk9EMkxPTE0Kl6A0U/jjdSurED3QrlvrSpv4uAM8yyuk
- 9xUI00tZ4/YWwB6A9nScLQADA73Rtr0aO0Va7RVtfYV2lbAejKfkIA==
- -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-06-10T09:42:29Z"
- mac: ENC[AES256_GCM,data:bu/ofcjwgT1zjqsW344YsP3a7m+7Z4Ec9AXEa9e+5FmEbCMBaAZm+Xg2EQu+AKDjoni2DL/QLyENgr1qiOJc1N9RRpc1WkB09ekALrd4LB8vkhu8hKE/Qw+1Oqa7HVo4+LnZMgQ/9qfEalknbdwuK2CcGtFSz+yl7/GWK7yVEGI=,iv:TBVkDLbX45S1bl4NVu3JOeCMZHXzXpdA2v36glyntgE=,tag:XhSOW97gXJi5MyKrBM/3jA==,type:str]
- encrypted_regex: ^(data|stringData)$
- version: 3.10.2
diff --git a/kubernetes/main/apps/linkwarden/app/secret.sops.yaml b/kubernetes/main/apps/linkwarden/app/secret.sops.yaml
deleted file mode 100644
index b4ddd33b..00000000
--- a/kubernetes/main/apps/linkwarden/app/secret.sops.yaml
+++ /dev/null
@@ -1,34 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
- name: linkwarden-secret
- namespace: linkwarden
-stringData:
- POSTGRES_USERNAME: ENC[AES256_GCM,data:g5vR,iv:YrKG/Jlwh626fR07sEr0QYWv6Ow+IKcFL+85QQLudB8=,tag:qSac4Ayb7DzdyfT901aFPQ==,type:str]
- POSTGRES_PASSWORD: ENC[AES256_GCM,data:QQRYvXVUKPvagA==,iv:C1YRIYBkwtEgjpShEGPlePBIaykyHkOvV8xUimWjudk=,tag:Jxkudnlbjjb97PMFrCnrwQ==,type:str]
- POSTGRES_HOST: ENC[AES256_GCM,data:T3eiKNdoydSW2Uy6qUGPTGjtkzhDD8mtBsLMFmEGlaC6qoVY8xmBWArDQo2V,iv:0+1UVZ/O/ru8E+MM+xu9Ej51UN5v7bTzGuJl4S7CK7Y=,tag:Vq55i7JJNElgek1fOxgbZQ==,type:str]
- POSTGRES_PORT: ENC[AES256_GCM,data:XRCCLx6PGRw=,iv:8292LhFa7msxUqMMkMNsfKNvjgpi+vUWezN4qhyVhVk=,tag:Uth8wgrUXv8sIxv37smHmA==,type:str]
- POSTGRES_DATABASE: ENC[AES256_GCM,data:I9Yz,iv:5rK1PqbQgHFAOkmwe1dUAbh49FZkbxB/3j74HtE1iK0=,tag:DFL/GCgooIV+VDWBJNHv+A==,type:str]
- DATABASE_URL: ENC[AES256_GCM,data:Chs7GD/UMq+61ze8JqTLCB63QP2puK98j/zsSGwbGwDujBefeyl1vK9tzofTx+8m3hZGxQit+cLo2JvWm0m8RI+vhy91eAXlpxez2WJBVTgPkQ==,iv:B7QZVs9HrkpCZvzg/lAEy6SF9YKMMVZfEizQlOw+Rjg=,tag:Io/voUBn7PsFQ9/cawgSpA==,type:str]
- NEXTAUTH_SECRET: ENC[AES256_GCM,data:/4l0E72ZCkBkYQmmbFCs,iv:QXJp4wStkXNhKrN1EJjicRuJsBm7wrfwSTtLubgX9cw=,tag:lCVFzCvMcBxwTzftcETp1w==,type:str]
- ACCESS_KEY_ID: ENC[AES256_GCM,data:Q/c1ehUXF/3XxHcf8/o2jKB+wfY=,iv:TlxQgMpRz/Z0qjxFg8SE03vTPHIXQFqKwHWn1DkiIHc=,tag:ke7ywXcb5gsWrgr3BIITKg==,type:str]
- SECRET_ACCESS_KEY: ENC[AES256_GCM,data:z2Lg4yvalcL2Iaril7bcFigCszqzcuAApok41x4xIcHTR6gqFHn0NA==,iv:+1F7JvpIPATPcx6LtvqucpvJOH2ICG1Q4tU+ag24hcQ=,tag:yLpkVK3S9BT+F/RP8C8NHw==,type:str]
- NEXTAUTH_URL: ENC[AES256_GCM,data:QmfFe8nMZI3fEudMNogPcFwZrIRhw7L8tcyr6mJOPoU0+aCFe51qmJruu2Us,iv:b5bjnlRxSFG8H0pgjFhDCpCDORQu0K+Ipn3zSgxZDcA=,tag:YsHpRNnMaIoPfW8A/vtVkw==,type:str]
- AUTHENTIK_ISSUER: ENC[AES256_GCM,data:0fxbDx55pwj+w350d6cWK1STKgk3faE2cyYrTnstwB0Z9AWgL3okH2VJ/vtmmM7h8g3o2yAk,iv:+bquvug+OpponyUH4a7DM4ymuO1W5vuYG9hYpCmfmnQ=,tag:64KgxbTp+BLH7hAtofIsSA==,type:str]
- AUTHENTIK_CLIENT_ID: ENC[AES256_GCM,data:U3MplBoN5zxRXzQveBT9taZJ9pfvvZwuTouA+UiQTxNrHwNe8jTUMQ==,iv:bkWI7GIha4ZEVJzjOYTCyEI+eKBoG7CZD+KvFLrS5Bk=,tag:MWdlBBqMPS/YX/RMv1gOeQ==,type:str]
- AUTHENTIK_CLIENT_SECRET: ENC[AES256_GCM,data:LEOt7BzHtF3HBw6TyaCLdUJkmKZpv7fc9zvkZkHLrc298ReOKm5243zxJqOinA2WvzyktXoaGcZ+E6s427wttelHCpAImYe9ISCkap0l0+bTyvDL2irViIelZlszaYLzehOUqvJDcmK9+iFW8b6DGMPDg/Mg6ullytHJReiZtow=,iv:wwIMoYHyE1yYf4ercR8yzOZZ4GDYeO4o5olQQ9xBXaw=,tag:zoTIhBV12+MVJUZm/ho8wA==,type:str]
-sops:
- age:
- - recipient: age13swsp40tstrqluer6arm5skldvg5ucw4t390a87qcdzcj0r2jscqrraxnv
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRWHEwdnEvS0VSalhGRWl0
- N205dTNRVkFaWUNwY28zd09vWUlkWlk3ZW1ZCisvVjBTaDNkeEpFRit2OTNvWktT
- U05rdjVVdGRxdUwxMkFwVHpmV0pWSnMKLS0tIDVwUThnNmc1UVpmR3hHQ1c1UHRs
- dFZSNUE2MERxbjZsUTk0eGNnTlNNVEkKii2XiumYBDlCtUmg27ZhNK+IIQAn+0oD
- ToQqymMlwcTFl7ccUNtvmh07HwOsL3rUA88yrvJ+m+RkuUyVNDBQ3w==
- -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-06-10T11:23:16Z"
- mac: ENC[AES256_GCM,data:oQSMRBWwibLOeXkBRdn7LYWEgfFoBR+3AQjFpTzVy5ioqgBs3sTVQRELf+8353hZppAf0VgIAXgdS++qGbPaujb67GBt1UJ14XoeAqOT7GCoBy3nVR1guBJ65H4MMLIjEZv2+FXbldQeW/lJXMIiHn03nRjaeofwVpdkbIQXnHQ=,iv:DSVa8NN51nayleUR1G3Sy/Sf/DLyDrrZnjdp+E6W96s=,tag:L0ObYePX9Lw5XRiyBlx0Ow==,type:str]
- encrypted_regex: ^(data|stringData)$
- version: 3.10.2
diff --git a/kubernetes/main/apps/linkwarden/app/storage.yaml b/kubernetes/main/apps/linkwarden/app/storage.yaml
deleted file mode 100644
index 3c0ce690..00000000
--- a/kubernetes/main/apps/linkwarden/app/storage.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
- name: linkwarden
- namespace: linkwarden
-spec:
- accessModes:
- - ReadWriteOnce
- resources:
- requests:
- storage: 5Gi
diff --git a/kubernetes/main/apps/mealie/app/deployment.yaml b/kubernetes/main/apps/mealie/app/deployment.yaml
deleted file mode 100644
index 3d206e12..00000000
--- a/kubernetes/main/apps/mealie/app/deployment.yaml
+++ /dev/null
@@ -1,47 +0,0 @@
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- labels:
- app: mealie
- name: mealie-deployment
- namespace: mealie
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: mealie
- strategy:
- type: Recreate
- template:
- metadata:
- labels:
- app: mealie
- spec:
- containers:
- - env:
- - name: TZ
- value: Europe/Ljubljana
- - name: ALLOW_SIGNUP
- value: "false"
- - name: BASE_URL
- value: "https://recept.${SECRET_EXTERNAL_DOMAIN}"
- image: ghcr.io/mealie-recipes/mealie:v3.13.1
- ports:
- - containerPort: 9000
- name: http
- imagePullPolicy: IfNotPresent
- name: mealie
- volumeMounts:
- - mountPath: /app/data
- name: data
- resources:
- limits:
- cpu: 500m
- memory: 1000Mi
- requests:
- cpu: 100m
- memory: 256Mi
- volumes:
- - name: data
- persistentVolumeClaim:
- claimName: mealie
diff --git a/kubernetes/main/apps/mealie/app/ingress.yaml b/kubernetes/main/apps/mealie/app/ingress.yaml
deleted file mode 100644
index e565fbc2..00000000
--- a/kubernetes/main/apps/mealie/app/ingress.yaml
+++ /dev/null
@@ -1,29 +0,0 @@
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: mealie-ingress
- namespace: mealie
- annotations:
- external-dns.alpha.kubernetes.io/target: "recept.${SECRET_EXTERNAL_DOMAIN}"
- nginx.ingress.kubernetes.io/auth-url: |-
- http://ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx
- nginx.ingress.kubernetes.io/auth-signin: |-
- https://auth.${SECRET_EXTERNAL_DOMAIN}/outpost.goauthentik.io/start?rd=$scheme%3A%2F%2F$host$escaped_request_uri
- nginx.ingress.kubernetes.io/auth-response-headers: |-
- Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
- nginx.ingress.kubernetes.io/auth-snippet: |
- proxy_set_header X-Forwarded-Host $http_host;
-spec:
- ingressClassName: external
- rules:
- - host: "recept.${SECRET_EXTERNAL_DOMAIN}"
- http:
- paths:
- - path: /
- pathType: Prefix
- backend:
- service:
- name: mealie
- port:
- name: http
diff --git a/kubernetes/main/apps/mealie/app/kustomization.yaml b/kubernetes/main/apps/mealie/app/kustomization.yaml
deleted file mode 100644
index 5bf81147..00000000
--- a/kubernetes/main/apps/mealie/app/kustomization.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - ./namespace.yaml
- - ./storage.yaml
- - ./deployment.yaml
- - ./service.yaml
- - ./ingress.yaml
diff --git a/kubernetes/main/apps/mealie/app/namespace.yaml b/kubernetes/main/apps/mealie/app/namespace.yaml
deleted file mode 100644
index e2f14e65..00000000
--- a/kubernetes/main/apps/mealie/app/namespace.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-apiVersion: v1
-kind: Namespace
-metadata:
- name: mealie
- labels:
- pod-security.kubernetes.io/audit: privileged
- pod-security.kubernetes.io/enforce: privileged
- pod-security.kubernetes.io/warn: privileged
- goldilocks.fairwinds.com/enabled: "true"
diff --git a/kubernetes/main/apps/mealie/app/service.yaml b/kubernetes/main/apps/mealie/app/service.yaml
deleted file mode 100644
index 881bd19c..00000000
--- a/kubernetes/main/apps/mealie/app/service.yaml
+++ /dev/null
@@ -1,16 +0,0 @@
-apiVersion: v1
-kind: Service
-metadata:
- labels:
- app: mealie
- name: mealie
- namespace: mealie
-spec:
- ports:
- - name: http
- port: 80
- protocol: TCP
- targetPort: http
- selector:
- app: mealie
- type: ClusterIP
diff --git a/kubernetes/main/apps/mealie/app/storage.yaml b/kubernetes/main/apps/mealie/app/storage.yaml
deleted file mode 100644
index 7158a159..00000000
--- a/kubernetes/main/apps/mealie/app/storage.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
- name: mealie
- namespace: mealie
-spec:
- accessModes:
- - ReadWriteOnce
- resources:
- requests:
- storage: 5Gi
\ No newline at end of file
diff --git a/kubernetes/main/apps/mealie/ks.yaml b/kubernetes/main/apps/mealie/ks.yaml
deleted file mode 100644
index 1949f7a3..00000000
--- a/kubernetes/main/apps/mealie/ks.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- name: &app mealie
- namespace: flux-system
-spec:
- targetNamespace: mealie
- commonMetadata:
- labels:
- app.kubernetes.io/name: *app
- path: ./kubernetes/main/apps/mealie/app
- prune: true
- sourceRef:
- kind: GitRepository
- name: flux-system
- namespace: flux-system
- wait: false
- interval: 30m
- retryInterval: 1m
- timeout: 5m
-
diff --git a/kubernetes/main/apps/network/k8tz/app/pki.yaml b/kubernetes/main/apps/network/k8tz/app/pki.yaml
deleted file mode 100644
index 498982e0..00000000
--- a/kubernetes/main/apps/network/k8tz/app/pki.yaml
+++ /dev/null
@@ -1,32 +0,0 @@
----
-# Create a selfsigned Issuer, in order to create a root CA certificate for
-# signing webhook serving certificates
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
- name: k8tz-webhook-selfsign
-spec:
- selfSigned: {}
----
-# Generate a CA Certificate used to sign certificates for the webhook
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
- name: k8tz-webhook-ca
-spec:
- secretName: k8tz-webhook-ca
- duration: 43800h # 5y
- issuerRef:
- name: k8tz-webhook-selfsign
- kind: Issuer
- commonName: "ca.k8tz.cert-manager"
- isCA: true
----
-# Create an Issuer that uses the above generated CA certificate to issue certs
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
- name: k8tz-webhook-ca
-spec:
- ca:
- secretName: k8tz-webhook-ca
diff --git a/kubernetes/main/apps/network/k8tz/app/release.yaml b/kubernetes/main/apps/network/k8tz/app/release.yaml
deleted file mode 100644
index 7887ea71..00000000
--- a/kubernetes/main/apps/network/k8tz/app/release.yaml
+++ /dev/null
@@ -1,49 +0,0 @@
----
-# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- name: k8tz
-spec:
- chart:
- spec:
- chart: k8tz
- version: 0.18.0
- interval: 30m
- sourceRef:
- kind: HelmRepository
- name: k8tz
- namespace: k8tz
- interval: 30m
- values:
- namespace: k8tz
- replicaCount: 2
- timezone: "${TIMEZONE}"
- cronJobTimeZone: true
- webhook:
- certManager:
- enabled: true
- issuerRef:
- name: k8tz-webhook-selfsign
- kind: Issuer
- affinity:
- podAntiAffinity:
- preferredDuringSchedulingIgnoredDuringExecution:
- - weight: 1
- podAffinityTerm:
- labelSelector:
- matchLabels:
- app.kubernetes.io/name: k8tz
- topologyKey: kubernetes.io/hostname
- postRenderers:
- - kustomize:
- patches:
- - target:
- version: v1
- kind: Namespace
- patch: |-
- $patch: delete
- apiVersion: v1
- kind: Namespace
- metadata:
- name: not-used
diff --git a/kubernetes/main/apps/network/k8tz/app/repository.yaml b/kubernetes/main/apps/network/k8tz/app/repository.yaml
deleted file mode 100644
index affd710f..00000000
--- a/kubernetes/main/apps/network/k8tz/app/repository.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: HelmRepository
-metadata:
- name: k8tz
- namespace: k8tz
-spec:
- interval: 1h
- url: https://k8tz.github.io/k8tz/
diff --git a/kubernetes/main/apps/network/k8tz/ks.yaml b/kubernetes/main/apps/network/k8tz/ks.yaml
deleted file mode 100644
index b15cc51f..00000000
--- a/kubernetes/main/apps/network/k8tz/ks.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- name: &app k8tz
- namespace: flux-system
-spec:
- targetNamespace: k8tz
- commonMetadata:
- labels:
- app.kubernetes.io/name: *app
- path: ./kubernetes/main/apps/network/k8tz/app
- prune: true
- sourceRef:
- kind: GitRepository
- name: flux-system
- namespace: flux-system
- wait: false
- interval: 30m
- retryInterval: 1m
- timeout: 5m
diff --git a/kubernetes/main/apps/network/kustomization.yaml b/kubernetes/main/apps/network/kustomization.yaml
deleted file mode 100644
index c2b3a395..00000000
--- a/kubernetes/main/apps/network/kustomization.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - ./metallb-system/ks.yaml
- - ./pihole-system/ks.yaml
- - ./k8tz/ks.yaml
diff --git a/kubernetes/main/apps/network/metallb-system/app/kustomization.yaml b/kubernetes/main/apps/network/metallb-system/app/kustomization.yaml
deleted file mode 100644
index c00b6bbb..00000000
--- a/kubernetes/main/apps/network/metallb-system/app/kustomization.yaml
+++ /dev/null
@@ -1,7 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - ./namespace.yaml
- - ./repository.yaml
- - ./release.yaml
diff --git a/kubernetes/main/apps/network/metallb-system/app/namespace.yaml b/kubernetes/main/apps/network/metallb-system/app/namespace.yaml
deleted file mode 100644
index 9e56c5ac..00000000
--- a/kubernetes/main/apps/network/metallb-system/app/namespace.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-apiVersion: v1
-kind: Namespace
-metadata:
- name: metallb-system
- labels:
- pod-security.kubernetes.io/audit: privileged
- pod-security.kubernetes.io/enforce: privileged
- pod-security.kubernetes.io/warn: privileged
- goldilocks.fairwinds.com/enabled: "true"
diff --git a/kubernetes/main/apps/network/metallb-system/ks.yaml b/kubernetes/main/apps/network/metallb-system/ks.yaml
deleted file mode 100644
index 0c1b273e..00000000
--- a/kubernetes/main/apps/network/metallb-system/ks.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- name: &app metallb
- namespace: flux-system
-spec:
- targetNamespace: metallb-system
- commonMetadata:
- labels:
- app.kubernetes.io/name: *app
- path: ./kubernetes/main/apps/network/metallb-system/app
- prune: true
- sourceRef:
- kind: GitRepository
- name: flux-system
- namespace: flux-system
- wait: false
- interval: 30m
- retryInterval: 1m
- timeout: 5m
diff --git a/kubernetes/main/apps/network/pihole-system/app/namespace.yaml b/kubernetes/main/apps/network/pihole-system/app/namespace.yaml
deleted file mode 100644
index 9384217d..00000000
--- a/kubernetes/main/apps/network/pihole-system/app/namespace.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-apiVersion: v1
-kind: Namespace
-metadata:
- name: pihole-system
- labels:
- pod-security.kubernetes.io/audit: privileged
- pod-security.kubernetes.io/enforce: privileged
- pod-security.kubernetes.io/warn: privileged
- goldilocks.fairwinds.com/enabled: "true"
diff --git a/kubernetes/main/apps/network/pihole-system/ks.yaml b/kubernetes/main/apps/network/pihole-system/ks.yaml
deleted file mode 100644
index 202f2989..00000000
--- a/kubernetes/main/apps/network/pihole-system/ks.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- name: &app pihole
- namespace: flux-system
-spec:
- targetNamespace: pihole-system
- commonMetadata:
- labels:
- app.kubernetes.io/name: *app
- path: ./kubernetes/main/apps/network/pihole-system/app
- prune: true
- sourceRef:
- kind: GitRepository
- name: flux-system
- namespace: flux-system
- wait: false
- interval: 30m
- retryInterval: 1m
- timeout: 5m
diff --git a/kubernetes/main/apps/network/wg-easy/app/manifest.yaml b/kubernetes/main/apps/network/wg-easy/app/manifest.yaml
deleted file mode 100644
index f0526083..00000000
--- a/kubernetes/main/apps/network/wg-easy/app/manifest.yaml
+++ /dev/null
@@ -1,147 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: wg-easy
- labels:
- pod-security.kubernetes.io/audit: privileged
- pod-security.kubernetes.io/enforce: privileged
- pod-security.kubernetes.io/warn: privileged
- goldilocks.fairwinds.com/enabled: "true"
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: wg-easy
- namespace: wg-easy
-spec:
- replicas: 1
- revisionHistoryLimit: 1
- selector:
- matchLabels:
- app.kubernetes.io/name: wg-easy
- strategy:
- # Restrict to a Single wg-easy instance, on redeploys it will tear down the old one before bring a new one up.
- type: Recreate
- template:
- metadata:
- labels:
- app.kubernetes.io/name: wg-easy
- spec:
- containers:
- - name: wg-easy
- # Specify external hostname and port as environment variables
- env:
- - name: WG_HOST
- value: wg.cloudwithdan.com
- - name: WG_PORT
- value: "30000"
- image: ghcr.io/wg-easy/wg-easy
- imagePullPolicy: IfNotPresent
- ports:
- - containerPort: 51820
- name: wg
- protocol: UDP
- - containerPort: 51821
- name: http
- protocol: TCP
- # Use the http server for pod health checks
- livenessProbe:
- failureThreshold: 3
- periodSeconds: 10
- successThreshold: 1
- tcpSocket:
- port: http
- timeoutSeconds: 1
- readinessProbe:
- failureThreshold: 3
- periodSeconds: 10
- successThreshold: 1
- tcpSocket:
- port: http
- timeoutSeconds: 1
- startupProbe:
- failureThreshold: 30
- periodSeconds: 5
- successThreshold: 1
- tcpSocket:
- port: http
- timeoutSeconds: 1
- # Give pod permissions to modify iptables and load the wireguard kernel module
- securityContext:
- privileged: true
- capabilities:
- add:
- - NET_ADMIN
- # Persistent storage location
- volumeMounts:
- - mountPath: /etc/wireguard
- name: config
- restartPolicy: Always
- volumes:
- - name: config
- persistentVolumeClaim:
- claimName: wg-easy-storage-claim
----
-apiVersion: v1
-kind: Service
-metadata:
- name: wg-easy-wg
- namespace: wg-easy
- annotations:
- metallb.io/allow-shared-ip: lb-wg-easy
- metallb.io/ip-allocated-from-pool: pool
-spec:
- ports:
- - name: wg
- port: 30000
- nodePort: 30000
- protocol: UDP
- targetPort: wg
- selector:
- app.kubernetes.io/name: wg-easy
- type: LoadBalancer
----
-apiVersion: v1
-kind: Service
-metadata:
- name: wg-easy-http
- namespace: wg-easy
-spec:
- ports:
- - name: http
- port: 51821
- protocol: TCP
- targetPort: http
- selector:
- app.kubernetes.io/name: wg-easy
- type: ClusterIP
----
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: wg-easy
- namespace: wg-easy
-spec:
- rules:
- - host: wg.cloudwithdan.com
- http:
- paths:
- - backend:
- service:
- name: wg-easy-http
- port:
- name: http
- path: /
- pathType: Prefix
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
- name: wg-easy-storage-claim
- namespace: wg-easy
-spec:
- accessModes:
- - ReadWriteOnce
- resources:
- requests:
- storage: 256Mi
diff --git a/kubernetes/main/apps/network/wg-easy/ks.yaml b/kubernetes/main/apps/network/wg-easy/ks.yaml
deleted file mode 100644
index e69de29b..00000000
diff --git a/kubernetes/main/apps/observability/alertmanager/app/kustomization.yaml b/kubernetes/main/apps/observability/alertmanager/app/kustomization.yaml
deleted file mode 100644
index 74e73708..00000000
--- a/kubernetes/main/apps/observability/alertmanager/app/kustomization.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - repository.yaml
- - release.yaml
diff --git a/kubernetes/main/apps/observability/alertmanager/app/release.yaml b/kubernetes/main/apps/observability/alertmanager/app/release.yaml
deleted file mode 100644
index e7ac3fe6..00000000
--- a/kubernetes/main/apps/observability/alertmanager/app/release.yaml
+++ /dev/null
@@ -1,27 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- name: alertmanager
- namespace: observability
-spec:
- interval: 30m
- chart:
- spec:
- chart: alertmanager
- version: "1.19.0"
- sourceRef:
- kind: HelmRepository
- name: alertmanager
- namespace: observability
- interval: 12h
- values:
- config:
- route:
- group_wait: 10s
- group_interval: 5m
- receiver: discord
- repeat_interval: 3h
- receivers:
- - name: discord
- discord_configs:
- - webhook_url: ${SECRET_DISCORD_WEBHOOK_URL}
diff --git a/kubernetes/main/apps/observability/alertmanager/app/repository.yaml b/kubernetes/main/apps/observability/alertmanager/app/repository.yaml
deleted file mode 100644
index bebfb507..00000000
--- a/kubernetes/main/apps/observability/alertmanager/app/repository.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: HelmRepository
-metadata:
- name: alertmanager
- namespace: observability
-spec:
- interval: 12h
- url: https://prometheus-community.github.io/helm-charts
diff --git a/kubernetes/main/apps/observability/alloy/app/kustomization.yaml b/kubernetes/main/apps/observability/alloy/app/kustomization.yaml
deleted file mode 100644
index ad4414d8..00000000
--- a/kubernetes/main/apps/observability/alloy/app/kustomization.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - release.yaml
diff --git a/kubernetes/main/apps/observability/alloy/app/release.yaml b/kubernetes/main/apps/observability/alloy/app/release.yaml
deleted file mode 100644
index 80958a5a..00000000
--- a/kubernetes/main/apps/observability/alloy/app/release.yaml
+++ /dev/null
@@ -1,338 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- name: alloy
- namespace: observability
-spec:
- interval: 30m
- chart:
- spec:
- chart: alloy
- version: "1.4.0"
- sourceRef:
- kind: HelmRepository
- name: grafana
- namespace: observability
- interval: 12h
- upgrade:
- cleanupOnFail: true
- crds: Skip
- remediation:
- strategy: rollback
- retries: 3
- values:
- controller:
- type: daemonset
- nodeSelector:
- node-role.kubernetes.io/control-plane: ""
- tolerations:
- - operator: Exists
- volumes:
- extra:
- - name: auditlog
- hostPath:
- path: /var/log/audit/kube
- type: DirectoryOrCreate
- alloy:
- configMap:
- create: true
- name: alloy-config
- key: config.alloy
- content: |-
- // ====================
- // DISCOVERY
- // ====================
- discovery.kubernetes "pod" {
- role = "pod"
- }
-
- // ====================
- // RELABELING
- // ====================
- discovery.relabel "pod_logs" {
- targets = discovery.kubernetes.pod.targets
-
- rule {
- source_labels = ["__meta_kubernetes_namespace"]
- action = "replace"
- target_label = "namespace"
- }
-
- rule {
- source_labels = ["__meta_kubernetes_pod_name"]
- action = "replace"
- target_label = "pod"
- }
-
- rule {
- source_labels = ["__meta_kubernetes_pod_container_name"]
- action = "replace"
- target_label = "container"
- }
-
- rule {
- source_labels = ["__meta_kubernetes_pod_label_app_kubernetes_io_name"]
- action = "replace"
- target_label = "app"
- }
-
- rule {
- source_labels = ["__meta_kubernetes_namespace", "__meta_kubernetes_pod_container_name"]
- action = "replace"
- target_label = "job"
- separator = "/"
- replacement = "$1"
- }
-
- rule {
- source_labels = ["__meta_kubernetes_pod_uid", "__meta_kubernetes_pod_container_name"]
- action = "replace"
- target_label = "__path__"
- separator = "/"
- replacement = "/var/log/pods/*$1/*.log"
- }
-
- rule {
- source_labels = ["__meta_kubernetes_pod_container_id"]
- action = "replace"
- target_label = "container_runtime"
- regex = "^(\\S+):\\/\\/.+$"
- replacement = "$1"
- }
- }
-
- // ====================
- // LOG SOURCE
- // ====================
- loki.source.kubernetes "pod_logs" {
- targets = discovery.relabel.pod_logs.output
- forward_to = [loki.process.pod_logs.receiver]
- }
-
- // ====================
- // LOG PROCESSING + DROP FILTERS
- // ====================
- loki.process "pod_logs" {
- // --- Static labels ---
- stage.static_labels {
- values = {
- cluster = "talos-lj-eu",
- }
- }
-
- // === AIRFLOW METADATA NOISE ===
- stage.match {
- selector = "{namespace=\"airflow\"}"
-
- stage.drop {
- expression = ".*computeMetadata/v1.*"
- drop_counter_reason = "airflow_metadata"
- }
- stage.drop {
- expression = ".*metadata\\.go:\\d+\\].*"
- drop_counter_reason = "airflow_metadata_go"
- }
- }
-
- // === KUBERNETES SYSTEM ===
- stage.match {
- selector = "{namespace=\"kube-system\"}"
-
- stage.drop {
- expression = ".*(healthz|readyz|livez|kube-probe).*"
- drop_counter_reason = "kube_health_probes"
- }
- stage.drop {
- expression = ".*level=debug.*"
- drop_counter_reason = "kube_debug"
- }
- }
-
- // === INGRESS ACCESS LOGS (keep errors only) ===
- stage.match {
- selector = "{namespace=\"ingress-nginx\"}"
-
- stage.drop {
- expression = ".*\" (200|204|301|302|304) \\d+.*"
- drop_counter_reason = "ingress_2xx_3xx"
- }
- }
-
- // === EXTERNAL-DNS ===
- stage.match {
- selector = "{namespace=\"external-dns\"}"
-
- stage.drop {
- expression = ".*All records are already up to date.*"
- drop_counter_reason = "externaldns_noop"
- }
- }
-
- // === FLUX SYSTEM ===
- stage.match {
- selector = "{namespace=\"flux-system\"}"
-
- stage.drop {
- expression = ".*no changes since last reconcil.*"
- drop_counter_reason = "flux_no_changes"
- }
- stage.drop {
- expression = ".*level=debug.*"
- drop_counter_reason = "flux_debug"
- }
- }
-
- // === GATEKEEPER ===
- stage.match {
- selector = "{namespace=\"gatekeeper-system\"}"
-
- stage.drop {
- expression = ".*level=debug.*"
- drop_counter_reason = "gatekeeper_debug"
- }
- }
-
- // === OBSERVABILITY STACK ===
- stage.match {
- selector = "{namespace=\"observability\"}"
-
- stage.drop {
- expression = ".*level=debug.*"
- drop_counter_reason = "observability_debug"
- }
- stage.drop {
- expression = ".*msg=\"successful series query\".*"
- drop_counter_reason = "observability_series_query"
- }
- }
-
- // === GITLAB RUNNER ===
- stage.match {
- selector = "{namespace=\"gitlab-runner-shared\"}"
-
- stage.drop {
- expression = ".*Downloading artifacts.*"
- drop_counter_reason = "gitlab_artifacts"
- }
- stage.drop {
- expression = ".*Uploading artifacts.*"
- drop_counter_reason = "gitlab_artifacts"
- }
- }
-
- // === GLOBAL: HEALTH CHECKS (all namespaces) ===
- stage.drop {
- expression = ".*GET /(health|ready|readyz|healthz|livez|metrics).*\" (200|204).*"
- drop_counter_reason = "global_health_probes"
- }
- stage.drop {
- expression = ".*kube-probe/.*"
- drop_counter_reason = "global_kube_probe"
- }
-
- // === GLOBAL: DEBUG LOGS ===
- stage.drop {
- expression = ".*\"level\":\"debug\".*"
- drop_counter_reason = "global_debug_json"
- }
- stage.drop {
- expression = ".*level=debug.*"
- drop_counter_reason = "global_debug_logfmt"
- }
-
- // --- Forward to Loki ---
- forward_to = [loki.write.loki.receiver]
- }
-
- // ====================
- // LOKI DESTINATION
- // ====================
- loki.write "loki" {
- endpoint {
- url = "http://loki-gateway.observability.svc.cluster.local/loki/api/v1/push"
- }
- }
-
- // ====================
- // K8s Audit Logs
- // ====================
-
- local.file_match "k8s_audit" {
- path_targets = [{
- __address__ = "localhost",
- __path__ = "/var/log/audit/kube/kube-apiserver*.log",
- }]
- }
-
- loki.source.file "audit" {
- targets = local.file_match.k8s_audit.targets
- forward_to = [loki.process.audit.receiver]
- tail_from_end = true
- }
-
- loki.process "audit" {
- forward_to = [loki.write.loki.receiver]
-
- stage.static_labels {
- values = {
- job = "k8s-audit",
- stream = "k8s-audit",
- source = "apiserver-audit",
- node = constants.hostname,
- }
- }
-
- stage.json {
- expressions = {
- stage = "stage",
- verb = "verb",
- user = "user.username",
- namespace = "objectRef.namespace",
- resource = "objectRef.resource",
- code = "responseStatus.code",
- uri = "requestURI",
- }
- }
-
- // Keep only final outcome (drops RequestReceived/ResponseStarted duplicates)
- stage.drop {
- source = "stage"
- expression = "^(RequestReceived|ResponseStarted)$"
- drop_counter_reason = "audit_non_final_stage"
- }
-
- // Drop leader-election / coordination noise (successful lease operations)
- stage.drop {
- source = "resource"
- expression = "^leases$"
- drop_counter_reason = "audit_leases"
- }
-
- // Drop successful WATCH (biggest remaining volume)
- stage.drop {
- source = "verb"
- expression = "^watch$"
- drop_counter_reason = "audit_watch"
- }
-
- // Drop successful reads (get/list)
- stage.drop {
- source = "verb"
- expression = "^(get|list)$"
- drop_counter_reason = "audit_reads"
- }
-
- // LOW-cardinality labels only (prevents stream/cardinality explosion)
- stage.labels {
- values = {
- verb = "verb",
- code = "code",
- }
- }
- }
-
- mounts:
- extra:
- - name: auditlog
- mountPath: /var/log/audit/kube
- readOnly: true
diff --git a/kubernetes/main/apps/observability/alloy/ks.yaml b/kubernetes/main/apps/observability/alloy/ks.yaml
deleted file mode 100644
index 8c9606a1..00000000
--- a/kubernetes/main/apps/observability/alloy/ks.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- name: &app alloy
- namespace: flux-system
-spec:
- targetNamespace: observability
- commonMetadata:
- labels:
- app.kubernetes.io/name: *app
- path: ./kubernetes/main/apps/observability/alloy/app
- prune: true
- sourceRef:
- kind: GitRepository
- name: flux-system
- namespace: flux-system
- wait: false
- interval: 30m
- retryInterval: 1m
- timeout: 5m
diff --git a/kubernetes/main/apps/observability/blackbox-exporter/app/kustomization.yaml b/kubernetes/main/apps/observability/blackbox-exporter/app/kustomization.yaml
deleted file mode 100644
index 74e73708..00000000
--- a/kubernetes/main/apps/observability/blackbox-exporter/app/kustomization.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - repository.yaml
- - release.yaml
diff --git a/kubernetes/main/apps/observability/blackbox-exporter/app/release.yaml b/kubernetes/main/apps/observability/blackbox-exporter/app/release.yaml
deleted file mode 100644
index 80740542..00000000
--- a/kubernetes/main/apps/observability/blackbox-exporter/app/release.yaml
+++ /dev/null
@@ -1,66 +0,0 @@
----
-# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- name: blackbox-exporter
-spec:
- interval: 30m
- chart:
- spec:
- chart: prometheus-blackbox-exporter
- version: 9.0.1
- sourceRef:
- kind: HelmRepository
- name: prometheus-community
- namespace: observability
- install:
- remediation:
- retries: 3
- upgrade:
- cleanupOnFail: true
- remediation:
- strategy: rollback
- retries: 3
- values:
- fullnameOverride: blackbox-exporter
- config:
- modules:
- http_2xx:
- prober: http
- timeout: 5s
- http:
- method: GET
- preferred_ip_protocol: "ip4"
- fail_if_ssl: false
- tls_config:
- insecure_skip_verify: false
-
- http_post_2xx:
- prober: http
- timeout: 5s
- http:
- method: POST
- headers:
- Content-Type: application/json
- body: '{}'
- icmp:
- prober: icmp
- timeout: 30s
- icmp:
- preferred_ip_protocol: ip4
- pspEnabled: false
- securityContext:
- capabilities:
- add: ["NET_RAW"]
- podSecurityContext:
- sysctls:
- - name: net.ipv4.ping_group_range
- value: "0 2147483647"
- serviceMonitor:
- enabled: true
- defaults:
- interval: 1m
- targets:
- - { name: &name avto-masini.mk, module: http_2xx, url: https://avto-masini.mk }
- - { name: &name cloudwithdan.com, module: http_2xx, url: https://cloudwithdan.com }
diff --git a/kubernetes/main/apps/observability/blackbox-exporter/app/repository.yaml b/kubernetes/main/apps/observability/blackbox-exporter/app/repository.yaml
deleted file mode 100644
index 51875066..00000000
--- a/kubernetes/main/apps/observability/blackbox-exporter/app/repository.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: HelmRepository
-metadata:
- name: prometheus-community
- namespace: observability
-spec:
- type: oci
- interval: 5m
- url: oci://ghcr.io/prometheus-community/charts
diff --git a/kubernetes/main/apps/observability/blackbox-exporter/ks.yaml b/kubernetes/main/apps/observability/blackbox-exporter/ks.yaml
deleted file mode 100644
index ce34cc38..00000000
--- a/kubernetes/main/apps/observability/blackbox-exporter/ks.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- name: &app blackbox-exporter
- namespace: flux-system
-spec:
- targetNamespace: observability
- commonMetadata:
- labels:
- app.kubernetes.io/name: *app
- path: ./kubernetes/main/apps/observability/blackbox-exporter/app
- prune: true
- sourceRef:
- kind: GitRepository
- name: flux-system
- namespace: flux-system
- wait: false
- interval: 30m
- retryInterval: 1m
- timeout: 5m
diff --git a/kubernetes/main/apps/observability/crucix/app/deployment.yaml b/kubernetes/main/apps/observability/crucix/app/deployment.yaml
deleted file mode 100644
index b0796ef5..00000000
--- a/kubernetes/main/apps/observability/crucix/app/deployment.yaml
+++ /dev/null
@@ -1,50 +0,0 @@
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: &app crucix
- namespace: observability
- labels:
- app: crucix
- annotations:
- reloader.stakater.com/auto: "true"
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: crucix
- template:
- metadata:
- labels:
- app: crucix
- spec:
- nodeSelector:
- kubernetes.io/hostname: talos-worker-eu-02
- containers:
- - name: crucix
- image: ghcr.io/calesthio/crucix:2d040cb
- ports:
- - name: web
- containerPort: 3117
- imagePullPolicy: Always
- resources:
- limits:
- memory: 500Mi
- cpu: 100m
- requests:
- cpu: 10m
- memory: 256Mi
- envFrom:
- - secretRef:
- name: crucix-apis
- volumeMounts:
- - name: runs
- mountPath: /app/runs
- volumes:
- - name: runs
- persistentVolumeClaim:
- claimName: crucix-runs
- restartPolicy: Always
- terminationGracePeriodSeconds: 60
-
-
diff --git a/kubernetes/main/apps/observability/crucix/app/ingress.yaml b/kubernetes/main/apps/observability/crucix/app/ingress.yaml
deleted file mode 100644
index 80443dfc..00000000
--- a/kubernetes/main/apps/observability/crucix/app/ingress.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: &app crucix-ingress
- namespace: observability
- annotations:
- external-dns.alpha.kubernetes.io/target: crucix.${SECRET_EXTERNAL_DOMAIN}
-spec:
- ingressClassName: external
- rules:
- - host: crucix.${SECRET_EXTERNAL_DOMAIN}
- http:
- paths:
- - backend:
- service:
- name: crucix
- port:
- number: 3117
- path: /
- pathType: Prefix
diff --git a/kubernetes/main/apps/observability/crucix/app/kustomization.yaml b/kubernetes/main/apps/observability/crucix/app/kustomization.yaml
deleted file mode 100644
index 69877ca8..00000000
--- a/kubernetes/main/apps/observability/crucix/app/kustomization.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - deployment.yaml
- - service.yaml
- - ingress.yaml
- - secret.sops.yaml
- - pvc.yaml
diff --git a/kubernetes/main/apps/observability/crucix/app/secret.sops.yaml b/kubernetes/main/apps/observability/crucix/app/secret.sops.yaml
deleted file mode 100644
index 8d457e82..00000000
--- a/kubernetes/main/apps/observability/crucix/app/secret.sops.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
- name: crucix-apis
- namespace: observability
-stringData:
- FRED_API_KEY: ENC[AES256_GCM,data:pF11wUAK4riZuuhuPmBMGe1UCD2Yw3NAhtTuyIrEIb8=,iv:DrB3oR04lw2TmUbrlL5uDKSueDrFVZrh6a+lRrcEwaQ=,tag:u8p52/zKMXX+0PjTamadqA==,type:str]
- FIRMS_MAP_KEY: ENC[AES256_GCM,data:CfoURrOBN8TITGUmNQlQgo2+ohjiaeBpcAYHju4FkxE=,iv:FHGHQQFALLLZ1jpbLQnhNl2uOX7jzgtQPPKLVHA+eWw=,tag:O//beJ/RZ7X+hImmJiesHg==,type:str]
- EIA_API_KEY: ENC[AES256_GCM,data:gPVMjBAzv0mTbFnRU8SYUWcA5QLXTzEKNSpjbJ9GkdCFm3s1Yxy28w==,iv:F9uhVZ/6x3TLcNSTq+YjzVkmjeffbbYcbNsBLT8C/dQ=,tag:fHQBYSX4vSbtatQAvSxcwQ==,type:str]
- AISSTREAM_API_KEY: ENC[AES256_GCM,data:5pgTH/tnZt3NsECsFJYB1A3CQuM9s4sm0FXFAz2ZvTRtVfnb+RbaAg==,iv:PTlSjzWER0+0a9eKeTF819jbLNnxx3y1FzxxycWYDG4=,tag:AVz1nMxMOXEvCSllxuMFwA==,type:str]
- ACLED_EMAIL: ENC[AES256_GCM,data:IioSL+lBvBKAR+Ghx3SZ3rPigGP0Ezt6RiESLpyl,iv:mz8tKFEPwJn43nkGW8x54+gyMjHv9EL04SGQrgps+9g=,tag:IBZZmgLHIYxzvuKoEUBLtg==,type:str]
- ACLED_PASSWORD: ENC[AES256_GCM,data:CQ9oOpkZI/dp3u3/cyub,iv:wnnLXtKYN8oXLDHIRFJ7T80Jib1w/Y0syc5HngHRL1Q=,tag:99q2kFBE1UV676Cyai18QQ==,type:str]
- DISCORD_BOT_TOKEN: ENC[AES256_GCM,data:QWtdB8oICEEl7eMuOPKkFTgC34mnCOM/h95USGvhnADM6IX3xlyLmMyydi1ANkrmr+Iowr1Sp3ZwLD6IOZck2HALnpqqeaVt,iv:i2POcSzb/ldIhFccTpEPOScrysskSJQZUSmHeEK28qc=,tag:2ekq49nDwZv+75wEMd1clA==,type:str]
- DISCORD_CHANNEL_ID: ENC[AES256_GCM,data:RzPF3wHb3zEsZMP0qgd4i0YxHA==,iv:F/xLoZv0xLisfn2CMyfVLEwCJVLMRXTtxbuwiXJHz7w=,tag:ihpWbNyiMuyvjrPYCYgZig==,type:str]
- DISCORD_GUILD_ID: ENC[AES256_GCM,data:Xou5wmrCRJSeru4YWTXai7vxNg==,iv:N0zqnB1fwqz1+fEOmgzUPIm9P1LWan82FSLmJpsf/gI=,tag:2dxMSndnG6ppMTno/p3ClA==,type:str]
-sops:
- age:
- - recipient: age13swsp40tstrqluer6arm5skldvg5ucw4t390a87qcdzcj0r2jscqrraxnv
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6T1NqYXRJaVo0UFJ6dUF6
- ZFY0cHNqSlF3Mk9JNGIyUmJuVUdpSFowY2hFCjl3ZVJSZ3JNZVA0RmxjaHVlSFh0
- OXRoTzVmV3p3VWpzeG96QmtvSlhjTlEKLS0tIC9PRFhoUnNzdElGVjdIMDlpZGlO
- b2ZiWmc2M3h1eUlyV29hSHVHeFJPZG8KQqK3o/BujZXfjnSDf/+FeotWbAYUWEfJ
- kO3eg6eoyVxmOqjPvQmXkhLDfBKaVrikDfyrZFW3sAkupoDLAk/n+A==
- -----END AGE ENCRYPTED FILE-----
- lastmodified: "2026-03-21T20:28:50Z"
- mac: ENC[AES256_GCM,data:DXe4cFAyDWh317LrX50ezHOhZ2nOH7VyLiREJutIuPVDcihPrtfujZbdQfz/j4lTIxQosBXINZ3VqdmxzM8NPajrH2hau9m6ELlVqGdDdnrteaSeDej2ZPtUNJ4s507Rwprq+Q4QSOJqNqS8nXgGWBD2C56GoBWAjsRsS/Es6II=,iv:/6GjLLWZ9WYkJbwTLq5YLmF+99sw8jAuirvY1lmvmKQ=,tag:dL7jAi5iTuddKvTGNmtHsA==,type:str]
- encrypted_regex: ^(data|stringData)$
- version: 3.12.2
diff --git a/kubernetes/main/apps/observability/crucix/app/service.yaml b/kubernetes/main/apps/observability/crucix/app/service.yaml
deleted file mode 100644
index 19ca43cf..00000000
--- a/kubernetes/main/apps/observability/crucix/app/service.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-# Source: crucix/templates/service.yaml
-apiVersion: v1
-kind: Service
-metadata:
- name: &app crucix
- namespace: observability
-spec:
- type: ClusterIP
- ports:
- - name: web
- port: 3117
- targetPort: web
- selector:
- app: crucix
diff --git a/kubernetes/main/apps/observability/crucix/ks.yaml b/kubernetes/main/apps/observability/crucix/ks.yaml
deleted file mode 100644
index b70d9808..00000000
--- a/kubernetes/main/apps/observability/crucix/ks.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- name: &app crucix
- namespace: flux-system
-spec:
- targetNamespace: observability
- commonMetadata:
- labels:
- app.kubernetes.io/name: *app
- path: ./kubernetes/main/apps/observability/crucix/app
- prune: true
- sourceRef:
- kind: GitRepository
- name: flux-system
- wait: false
- interval: 30m
- retryInterval: 1m
- timeout: 5m
diff --git a/kubernetes/main/apps/observability/glance/app/ingress.yaml b/kubernetes/main/apps/observability/glance/app/ingress.yaml
deleted file mode 100644
index b349dfb2..00000000
--- a/kubernetes/main/apps/observability/glance/app/ingress.yaml
+++ /dev/null
@@ -1,28 +0,0 @@
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
- name: &app glance-ingress
- namespace: glance
- annotations:
- external-dns.alpha.kubernetes.io/target: home.${SECRET_EXTERNAL_DOMAIN}
- nginx.ingress.kubernetes.io/auth-url: |-
- http://ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx
- nginx.ingress.kubernetes.io/auth-signin: |-
- https://auth.${SECRET_EXTERNAL_DOMAIN}/outpost.goauthentik.io/start?rd=$scheme%3A%2F%2F$host$escaped_request_uri
- nginx.ingress.kubernetes.io/auth-response-headers: |-
- Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
- nginx.ingress.kubernetes.io/auth-snippet: |
- proxy_set_header X-Forwarded-Host $http_host;
-spec:
- ingressClassName: external
- rules:
- - host: home.${SECRET_EXTERNAL_DOMAIN}
- http:
- paths:
- - backend:
- service:
- name: glance
- port:
- number: 8080
- path: /
- pathType: Prefix
diff --git a/kubernetes/main/apps/observability/glance/app/kustomization.yaml b/kubernetes/main/apps/observability/glance/app/kustomization.yaml
deleted file mode 100644
index 706e571b..00000000
--- a/kubernetes/main/apps/observability/glance/app/kustomization.yaml
+++ /dev/null
@@ -1,15 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - namespace.yaml
- - deployment.yaml
- - service.yaml
- - ingress.yaml
-configMapGenerator:
- - name: glance-configmap
- namespace: glance
- files:
- - ./configs/glance.yml
-generatorOptions:
- disableNameSuffixHash: true
diff --git a/kubernetes/main/apps/observability/glance/app/namespace.yaml b/kubernetes/main/apps/observability/glance/app/namespace.yaml
deleted file mode 100644
index c0fb3c0c..00000000
--- a/kubernetes/main/apps/observability/glance/app/namespace.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: glance
- labels:
- pod-security.kubernetes.io/audit: privileged
- pod-security.kubernetes.io/enforce: privileged
- pod-security.kubernetes.io/warn: privileged
- kustomize.toolkit.fluxcd.io/prune: disabled
- goldilocks.fairwinds.com/enabled: "true"
diff --git a/kubernetes/main/apps/observability/glance/ks.yaml b/kubernetes/main/apps/observability/glance/ks.yaml
deleted file mode 100644
index f867c448..00000000
--- a/kubernetes/main/apps/observability/glance/ks.yaml
+++ /dev/null
@@ -1,20 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- name: &app glance
- namespace: flux-system
-spec:
- targetNamespace: glance
- commonMetadata:
- labels:
- app.kubernetes.io/name: *app
- path: ./kubernetes/main/apps/observability/glance/app
- prune: true
- sourceRef:
- kind: GitRepository
- name: flux-system
- wait: false
- interval: 30m
- retryInterval: 1m
- timeout: 5m
diff --git a/kubernetes/main/apps/observability/grafana/app/kustomization.yaml b/kubernetes/main/apps/observability/grafana/app/kustomization.yaml
deleted file mode 100644
index 1658c0fd..00000000
--- a/kubernetes/main/apps/observability/grafana/app/kustomization.yaml
+++ /dev/null
@@ -1,6 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - namespace.yaml
- - repository.yaml
- - release.yaml
\ No newline at end of file
diff --git a/kubernetes/main/apps/observability/grafana/app/namespace.yaml b/kubernetes/main/apps/observability/grafana/app/namespace.yaml
deleted file mode 100644
index bd2714f4..00000000
--- a/kubernetes/main/apps/observability/grafana/app/namespace.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: observability
- labels:
- pod-security.kubernetes.io/audit: privileged
- pod-security.kubernetes.io/enforce: privileged
- pod-security.kubernetes.io/warn: privileged
- app.kubernetes.io/component: observability
- goldilocks.fairwinds.com/enabled: "true"
diff --git a/kubernetes/main/apps/observability/grafana/app/repository.yaml b/kubernetes/main/apps/observability/grafana/app/repository.yaml
deleted file mode 100644
index 2cea471f..00000000
--- a/kubernetes/main/apps/observability/grafana/app/repository.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: HelmRepository
-metadata:
- name: grafana
- namespace: observability
-spec:
- interval: 24h
- url: https://grafana.github.io/helm-charts
diff --git a/kubernetes/main/apps/observability/kube-prometheus-stack/app/kustomization.yaml b/kubernetes/main/apps/observability/kube-prometheus-stack/app/kustomization.yaml
deleted file mode 100644
index 9e8fe6fb..00000000
--- a/kubernetes/main/apps/observability/kube-prometheus-stack/app/kustomization.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - repository.yaml
- - release.yaml
\ No newline at end of file
diff --git a/kubernetes/main/apps/observability/kube-prometheus-stack/app/repository.yaml b/kubernetes/main/apps/observability/kube-prometheus-stack/app/repository.yaml
deleted file mode 100644
index f1dbc08d..00000000
--- a/kubernetes/main/apps/observability/kube-prometheus-stack/app/repository.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: HelmRepository
-metadata:
- name: kube-prometheus-stack
- namespace: observability
-spec:
- interval: 12h
- url: https://prometheus-community.github.io/helm-charts
diff --git a/kubernetes/main/apps/observability/loki/app/kustomization.yaml b/kubernetes/main/apps/observability/loki/app/kustomization.yaml
deleted file mode 100644
index ad4414d8..00000000
--- a/kubernetes/main/apps/observability/loki/app/kustomization.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - release.yaml
diff --git a/kubernetes/main/apps/observability/loki/app/release.yaml b/kubernetes/main/apps/observability/loki/app/release.yaml
deleted file mode 100644
index fdf02d6d..00000000
--- a/kubernetes/main/apps/observability/loki/app/release.yaml
+++ /dev/null
@@ -1,135 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- name: loki
- namespace: observability
-spec:
- interval: 30m
- chart:
- spec:
- chart: loki
- version: "6.40.0"
- sourceRef:
- kind: HelmRepository
- name: grafana
- namespace: observability
- interval: 12h
- upgrade:
- cleanupOnFail: true
- crds: Skip
- remediation:
- strategy: rollback
- retries: 3
- values:
- nodeSelector:
- kubernetes.io/hostname: talos-worker-eu-02
-
- chunksCache:
- enabled: false
-
- deploymentMode: SingleBinary
-
- loki:
- # ingestion limits (prevents dropped audit logs during bursts)
- limitsConfig:
- ingestion_rate_mb: 16
- ingestion_burst_size_mb: 32
-
- # guaranteed config (this is what ends up in the loki ConfigMap)
- structuredConfig:
- auth_enabled: false
-
- common:
- replication_factor: 1
- path_prefix: /var/loki
- storage:
- s3:
- endpoint: loki-minio.observability.svc:9000
- bucketnames: loki-chunks
- s3forcepathstyle: true
- insecure: true
-
- schema_config:
- configs:
- - from: "2024-04-01"
- store: tsdb
- object_store: s3
- schema: v13
- index:
- prefix: loki_index_
- period: 24h
-
- storage_config:
- tsdb_shipper:
- active_index_directory: /var/loki/index
- cache_location: /var/loki/cache
-
- ruler:
- storage:
- type: s3
- s3:
- bucketnames: loki-ruler
- wal:
- dir: /var/loki/ruler-wal
-
- minio:
- enabled: true
-
- extraEnvFrom:
- - secretRef:
- name: loki-minio
-
- persistence:
- enabled: true
- storageClass: longhorn-retain
- size: 20Gi
-
- buckets:
- - name: loki-chunks
- - name: loki-ruler
- - name: loki-admin
-
- singleBinary:
- replicas: 1
- resources:
- requests:
- cpu: 200m
- memory: 1Gi
- limits:
- cpu: 1000m
- memory: 2Gi
-
- sidecar:
- resources:
- requests:
- cpu: 50m
- memory: 128Mi
- limits:
- cpu: 200m
- memory: 256Mi
-
- # Zero out replica counts of other modes (important!)
- backend:
- replicas: 0
- read:
- replicas: 0
- write:
- replicas: 0
- ingester:
- replicas: 0
- querier:
- replicas: 0
- queryFrontend:
- replicas: 0
- queryScheduler:
- replicas: 0
- distributor:
- replicas: 0
- compactor:
- replicas: 0
- indexGateway:
- replicas: 0
- bloomCompactor:
- replicas: 0
- bloomGateway:
- replicas: 0
\ No newline at end of file
diff --git a/kubernetes/main/apps/observability/loki/app/secret.sops.yaml b/kubernetes/main/apps/observability/loki/app/secret.sops.yaml
deleted file mode 100644
index 14449b45..00000000
--- a/kubernetes/main/apps/observability/loki/app/secret.sops.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
- name: loki-minio-root
- namespace: observability
-stringData:
- rootUser: ENC[AES256_GCM,data:0+aY7RQ=,iv:PcD8emdnzrCnkLI4axsEiwN/aE7AcPrGA2DFpaiSbYY=,tag:gOhVm8DNbhZFkKgROZ31mw==,type:str]
- rootPassword: ENC[AES256_GCM,data:nqnnmes7ehSbKZqFXlzzxNs=,iv:Ji/BtXm/1wkYS+8VQ5z3T1bmqTFKmnOUNt/RvYslaZs=,tag:zFAxZ561u2geGNrFoEIQ6w==,type:str]
-sops:
- age:
- - recipient: age13swsp40tstrqluer6arm5skldvg5ucw4t390a87qcdzcj0r2jscqrraxnv
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBvSXlBRUZCK0NHMnd6ZkF0
- bi9ydTdENnE3a014SXZvRTVnWWJ6ektQN0ZjCk9NNDErQUljNHdkeWlBSHJxK1k1
- T1dqNzlpaGF6a3FTdERCT0VJN0hGajgKLS0tIHk2Yk5sN0lYUS9xTXZ1U29EcjlW
- RUZMR2ViTmJGdUc1OWVkM1hka3ZITWMK4kswfM9qLOGmAWPEkiAg13/xi2U4xRcw
- Y5sOwnES4U5GGl4g8Aj+xEiIocnoeI4Y9EVmQakZGg3YbGyCsxXZqg==
- -----END AGE ENCRYPTED FILE-----
- lastmodified: "2026-03-21T10:37:17Z"
- mac: ENC[AES256_GCM,data:zmoiYWyJqryf/HC2fKx53DJw5tWKad+wPYI9Q+JjKz8BGS1foVQnqkDMzcFURVzoQGtXzIk9iSTInx+fBxYhb6r5j5JiEzAWTldiRjV4u5c9avr81owZY/mRbrztPU0MlvhVMPTzP442aSxkpanAcx8B8MFHoV7I/0XI7aMyGkQ=,iv:11NQx6X9a2JnQlTEejW7xFPxWF9J/eVsGosmNpioxdM=,tag:PLUQTvQDIZPUBfSGkpkJuQ==,type:str]
- encrypted_regex: ^(data|stringData)$
- version: 3.12.1
diff --git a/kubernetes/main/apps/observability/loki/ks.yaml b/kubernetes/main/apps/observability/loki/ks.yaml
deleted file mode 100644
index db180735..00000000
--- a/kubernetes/main/apps/observability/loki/ks.yaml
+++ /dev/null
@@ -1,21 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- name: &app loki
- namespace: flux-system
-spec:
- targetNamespace: observability
- commonMetadata:
- labels:
- app.kubernetes.io/name: *app
- path: ./kubernetes/main/apps/observability/loki/app
- prune: true
- sourceRef:
- kind: GitRepository
- name: flux-system
- namespace: flux-system
- wait: false
- interval: 30m
- retryInterval: 1m
- timeout: 5m
diff --git a/kubernetes/main/apps/paperless-ngx/app/kustomization.yaml b/kubernetes/main/apps/paperless-ngx/app/kustomization.yaml
deleted file mode 100644
index 28cc4e0d..00000000
--- a/kubernetes/main/apps/paperless-ngx/app/kustomization.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-resources:
- - ./namespace.yaml
- - ./repository.yaml
- - ./secret.sops.yaml
- - ./release.yaml
diff --git a/kubernetes/main/apps/paperless-ngx/app/namespace.yaml b/kubernetes/main/apps/paperless-ngx/app/namespace.yaml
deleted file mode 100644
index 151391fb..00000000
--- a/kubernetes/main/apps/paperless-ngx/app/namespace.yaml
+++ /dev/null
@@ -1,9 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: paperless-ngx
- labels:
- pod-security.kubernetes.io/audit: privileged
- pod-security.kubernetes.io/enforce: privileged
- pod-security.kubernetes.io/warn: privileged
- goldilocks.fairwinds.com/enabled: "true"
diff --git a/kubernetes/main/apps/paperless-ngx/app/release.yaml b/kubernetes/main/apps/paperless-ngx/app/release.yaml
deleted file mode 100644
index 7222c8aa..00000000
--- a/kubernetes/main/apps/paperless-ngx/app/release.yaml
+++ /dev/null
@@ -1,86 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- name: &app paperless-ngx
- namespace: paperless-ngx
-spec:
- interval: 30m
- chart:
- spec:
- chart: paperless-ngx
- version: 0.24.1
- sourceRef:
- kind: HelmRepository
- name: paperless-ngx
- namespace: paperless-ngx
- # install:
- # crds: CreateReplace
- # remediation:
- # retries: 3
- # upgrade:
- # cleanupOnFail: true
- # crds: CreateReplace
- # remediation:
- # strategy: rollback
- # retries: 3
- values:
- env:
- TZ: Europe/Berlin
- PAPERLESS_ADMIN_USER: "${PAPERLESS_ADMIN_USER}"
- PAPERLESS_ADMIN_PASSWORD: "${PAPERLESS_ADMIN_PASSWORD}"
- PAPERLESS_URL: "https://docs.${SECRET_EXTERNAL_DOMAIN}"
- PAPERLESS_DBHOST: paperless-ngx-postgresql.paperless-ngx.svc.cluster.local
- PAPERLESS_DBENGINE: postgresql
- PAPERLESS_DBNAME: "${PAPERLESS_POSTGRES_DATABASE}"
- PAPERLESS_DBUSER: "${PAPERLESS_POSTGRES_USER}"
- PAPERLESS_DBPASS: "${PAPERLESS_POSTGRES_PASSWORD}"
- postgresql:
- enabled: true
- auth:
- postgresPassword: "${PAPERLESS_POSTGRES_PASSWORD}"
- password: "${PAPERLESS_POSTGRES_PASSWORD}"
- primary:
- persistence:
- size: 4Gi
- storageClass: longhorn
- persistence:
- # data:
- # enabled: false
- # retain: true
- # mountPath: /usr/src/paperless/data
- # storageClass: "longhorn"
- # accessMode: ReadWriteOnce
- # size: 1Gi
- media:
- enabled: true
- retain: true
- mountPath: /usr/src/paperless/media
- storageClass: "longhorn"
- accessMode: ReadWriteOnce
- size: 4Gi
- export:
- enabled: true
- retain: true
- mountPath: /usr/src/paperless/export
- storageClass: "longhorn"
- accessMode: ReadWriteOnce
- size: 1Gi
- consume:
- enabled: true
- retain: true
- mountPath: /usr/src/paperless/consume
- storageClass: "longhorn"
- accessMode: ReadWriteOnce
- size: 4Gi
- ingress:
- main:
- enabled: enabled
- annotations:
- nginx.ingress.kubernetes.io/proxy-body-size: 64m
- external-dns.alpha.kubernetes.io/target: "docs.${SECRET_EXTERNAL_DOMAIN}"
- ingressClassName: external
- hosts:
- - host: "docs.${SECRET_EXTERNAL_DOMAIN}"
- paths:
- - path: /
diff --git a/kubernetes/main/apps/paperless-ngx/app/repository.yaml b/kubernetes/main/apps/paperless-ngx/app/repository.yaml
deleted file mode 100644
index 88bd532c..00000000
--- a/kubernetes/main/apps/paperless-ngx/app/repository.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: HelmRepository
-metadata:
- name: paperless-ngx
- namespace: paperless-ngx
-spec:
- interval: 1h
- url: https://charts.gabe565.com
diff --git a/kubernetes/main/apps/paperless-ngx/app/secret.sops.yaml b/kubernetes/main/apps/paperless-ngx/app/secret.sops.yaml
deleted file mode 100644
index 864db984..00000000
--- a/kubernetes/main/apps/paperless-ngx/app/secret.sops.yaml
+++ /dev/null
@@ -1,28 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: paperless-ngx-secret - namespace: paperless-ngx -stringData: - POSTGRES_DATABASE: ENC[AES256_GCM,data:a1wyb0cFjj99mqWb,iv:huFoVP5xDy70rgccF8oICcBR1NAuU6e8uvpyT1BgBk4=,tag:iODoKwowQDn5HL4YdnOMuw==,type:str] - POSTGRES_PASSWORD: ENC[AES256_GCM,data:wXjD1VHGUcA31A4dd1RENfen,iv:H3u7HRO75kJCndGwk6pd5E2f/b5buTCm25IRYh922lc=,tag:iYeL6t4LgqL3QBoM1wWNMw==,type:str] - POSTGRES_USERNAME: ENC[AES256_GCM,data:73xvsRJqH6sU,iv:v6a5MdwwNzH6E/6sBa1YHhtVy/fpY9k9r5M7Or2BtsY=,tag:UL1o8cdiZ5V//BHqMQlNHA==,type:str] - username: ENC[AES256_GCM,data:ez610nippRTn,iv:sf16DOHHKCC3jYBPYXOarMKob46mul6SqgqzVk4d908=,tag:zAoXfwalnds8yofIfgPHvw==,type:str] - password: ENC[AES256_GCM,data:HYpkWgD2Zv7+Y8XJwwQnPpqB,iv:vm7OJkBr4RFwFFNb35sWPfmKWbIZTa3tJaFehxMASoE=,tag:XEtnryGihrYHAwVPWy+eBQ==,type:str] - PAPERLESS_ADMIN_USER: ENC[AES256_GCM,data:HBohKE9KkrGgGA==,iv:r9uvmk4lErfByZQpZq1qtl6JkmOzVVzR9lFjECFjqmM=,tag:AxI7HWWf1P+WnCviXfe4gg==,type:str] - PAPERLESS_ADMIN_PASSWORD: ENC[AES256_GCM,data:sShinPhbuB9nJA==,iv:qSrB5YltmOVOQL9jR+kxZrFQqTkCpFiUmyJkLBCLwKg=,tag:lD4WfskcnLCYs/5tQX7HQQ==,type:str] -sops: - age: - - recipient: age13swsp40tstrqluer6arm5skldvg5ucw4t390a87qcdzcj0r2jscqrraxnv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoUDFNL3lrYXVkbFBPZ29h - eGt1WW9Ia0JSSGQ5NXoxcGhpdGVpd3Vld0FRCmVqbC9pclJGK3hCV1V1aXlicnlz - c1hWR1B5YWUzcFdFRnRkSUlLYWUvREEKLS0tIGJ0ai83eTZtejlsdDNkNnp3amlM - cUJ2Y2MvOEZuY29qZnZHcStpYkxoQWsKdmivQRw5D6C3MO+ZHIMh3h0NYO/4tvLB - lZCUkkJcRwgRhbxleQSYLghiPaYld/2suj7l/bbZ6p6s9o5wKkEhEw== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-06-27T22:03:41Z" - mac: ENC[AES256_GCM,data:WxgF4nS3d7mICZPy+vIE3Hwjo0Wp6QuYJ4XpO1HiQkTBpc8WgsrTmqEGpuuSmdMllzl3nvqbaCOCVCpaJsZ8QOK4YBewz26VcZM9ouF8sU5nrqtzaE5Gr7qTzFx6O7aEqNWEWtz2N2LOnMghbz74BxF9SPYi4F9c1hmAwqQA/cs=,iv:Mkr9XAF3801hstbXWnsxNUw2EEZRSQ/WkKLDEfNKWbA=,tag:GA97+c2wq4fMg6n11XbDuA==,type:str] - encrypted_regex: 
^(data|stringData)$ - version: 3.10.2 diff --git a/kubernetes/main/apps/paperless-ngx/ks.yaml b/kubernetes/main/apps/paperless-ngx/ks.yaml deleted file mode 100644 index 44224c62..00000000 --- a/kubernetes/main/apps/paperless-ngx/ks.yaml +++ /dev/null @@ -1,21 +0,0 @@ ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app paperless-ngx - namespace: flux-system -spec: - targetNamespace: paperless-ngx - commonMetadata: - labels: - app.kubernetes.io/name: *app - path: ./kubernetes/main/apps/paperless-ngx/app - prune: true - sourceRef: - kind: GitRepository - name: flux-system - namespace: flux-system - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m diff --git a/kubernetes/main/apps/security/authentik/app/kustomization.yaml b/kubernetes/main/apps/security/authentik/app/kustomization.yaml deleted file mode 100644 index 9dca9ce7..00000000 --- a/kubernetes/main/apps/security/authentik/app/kustomization.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./namespace.yaml - - ./repository.yaml - - ./release.yaml - - ./pg-backup.yaml diff --git a/kubernetes/main/apps/security/authentik/app/namespace.yaml b/kubernetes/main/apps/security/authentik/app/namespace.yaml deleted file mode 100644 index a9cd9432..00000000 --- a/kubernetes/main/apps/security/authentik/app/namespace.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: authentik - labels: - pod-security.kubernetes.io/audit: privileged - pod-security.kubernetes.io/enforce: privileged - pod-security.kubernetes.io/warn: privileged - goldilocks.fairwinds.com/enabled: "true" diff --git a/kubernetes/main/apps/security/authentik/app/pg-backup.yaml b/kubernetes/main/apps/security/authentik/app/pg-backup.yaml deleted file mode 100644 index cbbc58a2..00000000 --- a/kubernetes/main/apps/security/authentik/app/pg-backup.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ -apiVersion: batch/v1 -kind: CronJob -metadata: - name: authentik-pg-backup - namespace: authentik -spec: - schedule: "0 0 * * *" # this runs on 00:00 every day. see https://kubernetes.io/docs/concepts/workloads/controllers/cron-jobs/#schedule-syntax - jobTemplate: - spec: - template: - spec: - containers: - - name: postgres-backup - image: th0th/postgres-s3-backup:0.3 - env: - - name: AWS_ACCESS_KEY_ID - value: "${AWS_ACCESS_KEY_ID}" - - name: AWS_REGION - value: "${AWS_REGION}" - - name: AWS_S3_ENDPOINT - value: "${AWS_S3_ENDPOINT}" - - name: AWS_SECRET_ACCESS_KEY - value: "${AWS_SECRET_ACCESS_KEY}" - - name: POSTGRES_DB - value: "${AUTHENTIK_POSTGRES_DATABASE}" - - name: POSTGRES_HOST - value: "authentik-postgresql.authentik.svc.cluster.local" - - name: POSTGRES_PASSWORD - value: "${AUTHENTIK_POSTGRES_PASSWORD}" - - name: POSTGRES_PORT - value: "5432" - - name: POSTGRES_USER - value: "${AUTHENTIK_POSTGRES_USER}" - - name: POSTGRES_VERSION - value: "16" - restartPolicy: OnFailure diff --git a/kubernetes/main/apps/security/authentik/app/release.yaml b/kubernetes/main/apps/security/authentik/app/release.yaml deleted file mode 100644 index 807204a7..00000000 --- a/kubernetes/main/apps/security/authentik/app/release.yaml +++ /dev/null 
@@ -1,48 +0,0 @@ -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: authentik - namespace: authentik -spec: - releaseName: authentik - chart: - spec: - chart: authentik - version: "2025.2.2" - sourceRef: - kind: HelmRepository - name: goauthentik - namespace: authentik - interval: 5m - install: - remediation: - retries: 3 - values: - authentik: - secret_key: "${AUTHENTIK_KEY}" - error_reporting: - enabled: false - postgresql: - password: "${AUTHENTIK_POSTGRES_PASSWORD}" - server: - ingress: - enabled: true - annotations: - external-dns.alpha.kubernetes.io/target: "auth.${SECRET_EXTERNAL_DOMAIN}" - ingressClassName: external - hosts: - - &host "auth.${SECRET_EXTERNAL_DOMAIN}" - postgresql: - enabled: true - auth: - password: "${AUTHENTIK_POSTGRES_PASSWORD}" - primary: - persistence: - size: 4Gi - storageClass: longhorn - redis: - enabled: true - master: - persistence: - size: 1Gi - storageClass: longhorn \ No newline at end of file diff --git a/kubernetes/main/apps/security/authentik/ks.yaml b/kubernetes/main/apps/security/authentik/ks.yaml deleted file mode 100644 index 220969a0..00000000 --- a/kubernetes/main/apps/security/authentik/ks.yaml +++ /dev/null @@ -1,20 +0,0 @@ ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app authentik - namespace: flux-system -spec: - targetNamespace: authentik - commonMetadata: - labels: - app.kubernetes.io/name: *app - path: ./kubernetes/main/apps/security/authentik/app - prune: true - sourceRef: - kind: GitRepository - name: flux-system - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m diff --git a/kubernetes/main/apps/uptime-kuma/app/ingress.yaml b/kubernetes/main/apps/uptime-kuma/app/ingress.yaml deleted file mode 100644 index 0ec219a0..00000000 --- a/kubernetes/main/apps/uptime-kuma/app/ingress.yaml +++ /dev/null 
@@ -1,29 +0,0 @@ ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: uptime-kuma-ingress - namespace: uptime-kuma - annotations: - external-dns.alpha.kubernetes.io/target: "status.${SECRET_EXTERNAL_DOMAIN}" - nginx.ingress.kubernetes.io/auth-url: |- - http://ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx - nginx.ingress.kubernetes.io/auth-signin: |- - https://auth.${SECRET_EXTERNAL_DOMAIN}/outpost.goauthentik.io/start?rd=$scheme%3A%2F%2F$host$escaped_request_uri - nginx.ingress.kubernetes.io/auth-response-headers: |- - Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid - nginx.ingress.kubernetes.io/auth-snippet: | - proxy_set_header X-Forwarded-Host $http_host; -spec: - ingressClassName: external - rules: - - host: "status.${SECRET_EXTERNAL_DOMAIN}" - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: uptime-kuma - port: - number: 3001 diff --git a/kubernetes/main/apps/uptime-kuma/app/namespace.yaml b/kubernetes/main/apps/uptime-kuma/app/namespace.yaml deleted file mode 100644 index c9ac5f63..00000000 --- a/kubernetes/main/apps/uptime-kuma/app/namespace.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: uptime-kuma - labels: - pod-security.kubernetes.io/audit: privileged - pod-security.kubernetes.io/enforce: privileged - pod-security.kubernetes.io/warn: privileged - goldilocks.fairwinds.com/enabled: "true" diff --git a/kubernetes/main/apps/uptime-kuma/ks.yaml b/kubernetes/main/apps/uptime-kuma/ks.yaml deleted file mode 100644 index 547dac4e..00000000 --- a/kubernetes/main/apps/uptime-kuma/ks.yaml +++ /dev/null 
@@ -1,20 +0,0 @@ ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app uptime-kuma - namespace: flux-system -spec: - targetNamespace: uptime-kuma - commonMetadata: - labels: - app.kubernetes.io/name: *app - path: ./kubernetes/main/apps/uptime-kuma/app - prune: true - sourceRef: - kind: GitRepository - name: flux-system - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m \ No newline at end of file diff --git a/kubernetes/main/apps/web/app/deployment.yaml b/kubernetes/main/apps/web/app/deployment.yaml deleted file mode 100644 index 86ff9f54..00000000 --- a/kubernetes/main/apps/web/app/deployment.yaml +++ /dev/null @@ -1,56 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: web - namespace: web - labels: - app: web -spec: - replicas: 1 - selector: - matchLabels: - app: web - template: - metadata: - labels: - app: web - spec: - containers: - - name: web - resources: - limits: - memory: "128Mi" - cpu: "500m" - requests: - memory: "64Mi" - cpu: "250m" - image: ghcr.io/cloudwithdan/world-wide-web:latest - imagePullPolicy: Always - ports: - - name: web - containerPort: 8080 - livenessProbe: - httpGet: - path: / - port: 8080 - readinessProbe: - httpGet: - path: / - port: 8080 - volumeMounts: - - name: tmp - mountPath: /tmp/ - securityContext: - runAsUser: 1000 # Non-root user - runAsGroup: 3000 # Non-root group - readOnlyRootFilesystem: true # Read-only filesystem - allowPrivilegeEscalation: false # No privilege escalation - privileged: false - capabilities: - drop: - - ALL # Drop all capabilities - add: - - NET_BIND_SERVICE # Allow only required capabilities - volumes: - - name: tmp - emptyDir: {} diff --git a/kubernetes/main/apps/web/app/ingress.yaml b/kubernetes/main/apps/web/app/ingress.yaml deleted file mode 100644 index 19e4611a..00000000 --- a/kubernetes/main/apps/web/app/ingress.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: web-ingress - namespace: web - annotations: - external-dns.alpha.kubernetes.io/target: "${SECRET_EXTERNAL_DOMAIN}" - nginx.ingress.kubernetes.io/use-forwarded-headers: "true" - nginx.ingress.kubernetes.io/compute-full-forwarded-for: "true" -spec: - ingressClassName: external - rules: - - host: "${SECRET_EXTERNAL_DOMAIN}" - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: web - port: - name: web diff --git a/kubernetes/main/apps/web/app/kustomization.yaml b/kubernetes/main/apps/web/app/kustomization.yaml deleted file mode 100644 index ffa602dc..00000000 --- a/kubernetes/main/apps/web/app/kustomization.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./namespace.yaml - - ./deployment.yaml - - ./service.yaml - - ./ingress.yaml diff --git a/kubernetes/main/apps/web/app/namespace.yaml b/kubernetes/main/apps/web/app/namespace.yaml deleted file mode 100644 index 940f59b7..00000000 --- a/kubernetes/main/apps/web/app/namespace.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: web - labels: - pod-security.kubernetes.io/audit: privileged - pod-security.kubernetes.io/enforce: privileged - pod-security.kubernetes.io/warn: privileged - goldilocks.fairwinds.com/enabled: "true" diff --git a/kubernetes/main/apps/web/app/service.yaml b/kubernetes/main/apps/web/app/service.yaml deleted file mode 100644 index d0624126..00000000 --- a/kubernetes/main/apps/web/app/service.yaml +++ /dev/null @@ -1,13 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: web - namespace: web -spec: - ports: - - name: web - port: 8080 - targetPort: web - selector: - app: web - type: ClusterIP diff --git a/kubernetes/main/apps/web/ks.yaml b/kubernetes/main/apps/web/ks.yaml deleted file mode 100644 index 8922fc6a..00000000 --- a/kubernetes/main/apps/web/ks.yaml +++ /dev/null 
@@ -1,20 +0,0 @@ ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app blog - namespace: flux-system -spec: - targetNamespace: blog - commonMetadata: - labels: - app.kubernetes.io/name: *app - path: ./kubernetes/main/apps/blog/app - prune: true - sourceRef: - kind: GitRepository - name: flux-system - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m diff --git a/kubernetes/main/apps/whoami/app/deployment.yaml b/kubernetes/main/apps/whoami/app/deployment.yaml deleted file mode 100644 index 036c9671..00000000 --- a/kubernetes/main/apps/whoami/app/deployment.yaml +++ /dev/null @@ -1,24 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: &app whoami - namespace: whoami - labels: - app: whoami -spec: - replicas: 1 - selector: - matchLabels: - app: whoami - template: - metadata: - labels: - app: whoami - spec: - containers: - - name: whoami - resources: {} - image: traefik/whoami - ports: - - name: web - containerPort: 80 diff --git a/kubernetes/main/apps/whoami/app/ingress.yaml b/kubernetes/main/apps/whoami/app/ingress.yaml deleted file mode 100644 index 341c95aa..00000000 --- a/kubernetes/main/apps/whoami/app/ingress.yaml +++ /dev/null 
@@ -1,29 +0,0 @@ ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: whoami-ingress - namespace: whoami - annotations: - external-dns.alpha.kubernetes.io/target: "whoami.${SECRET_EXTERNAL_DOMAIN}" - nginx.ingress.kubernetes.io/auth-url: |- - http://ak-outpost-authentik-embedded-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx - nginx.ingress.kubernetes.io/auth-signin: |- - https://auth.${SECRET_EXTERNAL_DOMAIN}/outpost.goauthentik.io/start?rd=$scheme%3A%2F%2F$host$escaped_request_uri - nginx.ingress.kubernetes.io/auth-response-headers: |- - Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid - nginx.ingress.kubernetes.io/auth-snippet: | - proxy_set_header X-Forwarded-Host $http_host; -spec: - ingressClassName: external - rules: - - host: "whoami.${SECRET_EXTERNAL_DOMAIN}" - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: whoami - port: - number: 80 diff --git a/kubernetes/main/apps/whoami/app/namespace.yaml b/kubernetes/main/apps/whoami/app/namespace.yaml deleted file mode 100644 index 4070dff3..00000000 --- a/kubernetes/main/apps/whoami/app/namespace.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: whoami - labels: - pod-security.kubernetes.io/audit: privileged - pod-security.kubernetes.io/enforce: privileged - pod-security.kubernetes.io/warn: privileged - goldilocks.fairwinds.com/enabled: "true" diff --git a/kubernetes/main/apps/whoami/app/service.yaml b/kubernetes/main/apps/whoami/app/service.yaml deleted file mode 100644 index 73410f12..00000000 --- a/kubernetes/main/apps/whoami/app/service.yaml +++ /dev/null @@ -1,12 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: &app whoami - namespace: whoami -spec: - ports: - - name: web - port: 80 - targetPort: web - selector: - app: whoami 
diff --git a/kubernetes/main/apps/whoami/ks.yaml b/kubernetes/main/apps/whoami/ks.yaml deleted file mode 100644 index 18bb32b5..00000000 --- a/kubernetes/main/apps/whoami/ks.yaml +++ /dev/null @@ -1,20 +0,0 @@ ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app whoami - namespace: flux-system -spec: - targetNamespace: whoami - commonMetadata: - labels: - app.kubernetes.io/name: *app - path: ./kubernetes/main/apps/whoami/app - prune: true - sourceRef: - kind: GitRepository - name: flux-system - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m \ No newline at end of file diff --git a/kubernetes/main/avto-masini/cloudflared/app/configs/config.yaml b/kubernetes/main/avto-masini/cloudflared/app/configs/config.yaml deleted file mode 100644 index ec972810..00000000 --- a/kubernetes/main/avto-masini/cloudflared/app/configs/config.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -originRequest: - noTLSVerify: true - -ingress: - - hostname: "${SECRET_PROD_DOMAIN}" - service: https://ingress-nginx-avto-masini-controller.avto-masini.svc.cluster.local:443 - - hostname: "*.${SECRET_PROD_DOMAIN}" - service: https://ingress-nginx-avto-masini-controller.avto-masini.svc.cluster.local:443 - - service: http_status:404 diff --git a/kubernetes/main/avto-masini/cloudflared/app/secret.sops.yaml b/kubernetes/main/avto-masini/cloudflared/app/secret.sops.yaml deleted file mode 100644 index e941b00d..00000000 --- a/kubernetes/main/avto-masini/cloudflared/app/secret.sops.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: cloudflared-secret - namespace: avto-masini -stringData: - TUNNEL_ID: ENC[AES256_GCM,data:rZaQEBasiK7loTZmgk8OGpvJvqh+TbZkXzUjAtP1xLY7nmfH,iv:t9Rn+rlYDC9RApuLBKqA34DFDMJqe0RCXt+JAtsSjFg=,tag:F2xGG0Iq+XBhQ+u5SjLmkA==,type:str] - credentials.json: ENC[AES256_GCM,data:FB6MBHmXGqyO9+usE1QmmDKgAvkdUTi5W56AlLf67vdY5ihUT7xh3e0Y+hA1A/M/aEzcZEAc9nj82cuyHZ5yujxcszzqChDkBeDkF+RnOhpQw58auRZ7/W0YD8KtU6YE8MvWoN5th1v7Q3y96AJdlkyLC9dqvhUmWGZppTODYu6DgRyj0LbGyEjs9DsXcJC+cyAQDWQk2c1sE7AM+PcAFl6R8/aNshhWAvFqUNLpIk0=,iv:43aWcwONsjxtkn4BXMUjzwjDi6yS0OIP/QpDcimhYhY=,tag:4Doj44YQIJNhJ2J7zSbt1g==,type:str] -sops: - age: - - recipient: age13swsp40tstrqluer6arm5skldvg5ucw4t390a87qcdzcj0r2jscqrraxnv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1V05tdE96S2RBVmZydWhZ - dzMwdzlzTU5QRWtTWFlROGN2c0J0NTRUSlJrCkJOVXJBaFFPY2RPN2RsQUxTYkcw - eUZIb1hTL1hpWXdjd1FwWTVvRkN5ZUkKLS0tIExrMDB5MkRCSkZXMDM1bTdXU1VK - eDJVWWI0SkxaMmJuR2dUbWpEOHFKOE0KoOwrVst6HQ7fRFWOz7/9Ack1Ete9+/EU - 4dU9veoIBudoezm0D00J6RLNX0kLm2WuDFIvPEHbXeWh9sjtdTB28g== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-05-09T20:33:48Z" - mac: ENC[AES256_GCM,data:Dh5SSSrqzkWObMVcpLwFEbGLzWcJqVtIHoraKbj3ALSG/WQzQZNNJy9cZef65xP2YqOGd41hvUzMUlgTGKzzSCwo3k9YYz9PjF8To23Ix1fO4zRs3QJ9L1ogWeQymSOdq6fiacV7Mkj23aI01+4IQrHf+zn/sgvAG+kbgLWGDsw=,iv:nu765SXAgd7zJCfMFOqiBJcCIOlGajnNc7/09DmSTrQ=,tag:/dfSwtF3Pew54k0bQuJpSw==,type:str] - encrypted_regex: ^(data|stringData)$ - version: 3.10.1 diff --git a/kubernetes/main/avto-masini/external-dns/app/kustomization.yaml b/kubernetes/main/avto-masini/external-dns/app/kustomization.yaml deleted file mode 100644 index d21557a2..00000000 --- a/kubernetes/main/avto-masini/external-dns/app/kustomization.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./repository.yaml - - ./secret.sops.yaml - - ./release.yaml - 
diff --git a/kubernetes/main/avto-masini/external-dns/app/repository.yaml b/kubernetes/main/avto-masini/external-dns/app/repository.yaml deleted file mode 100644 index a7ff8d16..00000000 --- a/kubernetes/main/avto-masini/external-dns/app/repository.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json -apiVersion: source.toolkit.fluxcd.io/v1 -kind: HelmRepository -metadata: - name: external-dns - namespace: external-dns -spec: - interval: 1h - url: https://kubernetes-sigs.github.io/external-dns diff --git a/kubernetes/main/avto-masini/external-dns/app/secret.sops.yaml b/kubernetes/main/avto-masini/external-dns/app/secret.sops.yaml deleted file mode 100644 index 13189bc9..00000000 --- a/kubernetes/main/avto-masini/external-dns/app/secret.sops.yaml +++ /dev/null 
@@ -1,22 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: external-dns-secret - namespace: avto-masini -stringData: - api-token: ENC[AES256_GCM,data:ivGrW18/EISMvs2VEFSABuz6fHBpelohSGMiFgegKvHdPPjB3/sw8A==,iv:lAli7rfR2qvJZFcqrKranriKeJ4jygn8FPnFeyxa6NA=,tag:u/SmJCPTk828FXE1ygxcWA==,type:str] -sops: - age: - - recipient: age13swsp40tstrqluer6arm5skldvg5ucw4t390a87qcdzcj0r2jscqrraxnv - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByWjhaWHJRSm1CdWdLRE9T - TGdsUVphWnNuTkVTcXhUbzZSM2lTc3pMa0YwCitqcUowd3FEcGRCS3NCSmVjSmc4 - eXFjT0V6aTVMZVpqMW9wWGxlVmpoNTgKLS0tIC82ZnI2OHdPMllNNzJzckczVnV0 - REdBd2pZTEttRCtHMS93VmhZWVMvMk0KeRQeFjlriw5jHwFKYDvNpl+BmsIJrWYn - 3nck23G8Cw96Iu7agtqhZ5Lt9UfIn/2tAcP4YjF25H2y209VMXOA5A== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-05-10T12:31:17Z" - mac: ENC[AES256_GCM,data:5ROGDBVyb4U8M//v4gJWWlbn72I0YagNfdjyPLeGzD7EeQZHS5E74ZQsfnt/fnlHzhdq4uRMunZS7yQS0Lc1cdaYnMQRNocbti/HILVCXfT93N6ff78xa/G+C1+2lVWBBNWm+Qa55nfsEbx3FdMs6kpXwnmZb7B1NSw5ORXbkAk=,iv:jqHzul0FgbjXJoquwkGOb6RB3NvgqoXpJP7kzn7IMWQ=,tag:VZd9EEQh3JqU06Mzx3nedA==,type:str] - encrypted_regex: ^(data|stringData)$ - version: 3.10.1 diff --git a/kubernetes/main/avto-masini/ingress-nginx/app/kustomization.yaml b/kubernetes/main/avto-masini/ingress-nginx/app/kustomization.yaml deleted file mode 100644 index 700918c8..00000000 --- a/kubernetes/main/avto-masini/ingress-nginx/app/kustomization.yaml +++ /dev/null @@ -1,6 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./repository.yaml - - ./release.yaml diff --git a/kubernetes/main/avto-masini/ingress-nginx/app/release.yaml b/kubernetes/main/avto-masini/ingress-nginx/app/release.yaml deleted file mode 100644 index 7b404500..00000000 --- a/kubernetes/main/avto-masini/ingress-nginx/app/release.yaml +++ /dev/null 
@@ -1,81 +0,0 @@ ---- -apiVersion: helm.toolkit.fluxcd.io/v2 -kind: HelmRelease -metadata: - name: ingress-nginx-avto-masini - namespace: avto-masini -spec: - interval: 30m - chart: - spec: - chart: ingress-nginx - version: 4.11.3 - sourceRef: - kind: HelmRepository - name: ingress-nginx - namespace: avto-masini - install: - remediation: - retries: 3 - upgrade: - cleanupOnFail: true - remediation: - retries: 3 - dependsOn: - - name: cloudflared-avto-masini - namespace: avto-masini - values: - fullnameOverride: ingress-nginx-avto-masini - controller: - allowSnippetAnnotations: true - service: - annotations: - external-dns.alpha.kubernetes.io/hostname: "external.${SECRET_PROD_DOMAIN}" - metallb.io/allow-shared-ip: ingress-nginx-avto-masini - metallb.io/ip-allocated-from-pool: pool - externalTrafficPolicy: Cluster - ingressClassResource: - name: avto-masini - default: false - controllerValue: k8s.io/avto-masini - admissionWebhooks: - objectSelector: - matchExpressions: - - key: ingress-class - operator: In - values: ["avto-masini"] - config: - annotations-risk-level: "Critical" - use-forwarded-headers: "true" - strict-validate-path-type: "false" - client-body-buffer-size: 100M - client-body-timeout: 120 - client-header-timeout: 120 - enable-brotli: "true" - enable-real-ip: "true" - hsts-max-age: 31449600 - keep-alive-requests: 10000 - keep-alive: 120 - log-format-escape-json: "true" - log-format-upstream: > - {"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr", "x_forwarded_for": "$proxy_add_x_forwarded_for", - "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time, - "status": $status, "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args", - "request_length": $request_length, "duration": $request_time, "method": "$request_method", "http_referrer": "$http_referer", - "http_user_agent": "$http_user_agent"} - proxy-body-size: 0 - proxy-buffer-size: 16k - 
ssl-protocols: TLSv1.3 TLSv1.2 - metrics: - enabled: true - serviceMonitor: - enabled: true - namespaceSelector: - any: true - extraArgs: - default-ssl-certificate: "avto-masini/${SECRET_PROD_DOMAIN/./-}-production-tls" - resources: - requests: - cpu: 100m - limits: - memory: 500Mi diff --git a/kubernetes/main/avto-masini/ingress-nginx/app/repository.yaml b/kubernetes/main/avto-masini/ingress-nginx/app/repository.yaml deleted file mode 100644 index fba4dd94..00000000 --- a/kubernetes/main/avto-masini/ingress-nginx/app/repository.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1.json -apiVersion: source.toolkit.fluxcd.io/v1 -kind: HelmRepository -metadata: - name: ingress-nginx - namespace: avto-masini -spec: - interval: 1h - url: https://kubernetes.github.io/ingress-nginx \ No newline at end of file diff --git a/kubernetes/main/avto-masini/ingress-nginx/certificates/avto-masini-production.yaml b/kubernetes/main/avto-masini/ingress-nginx/certificates/avto-masini-production.yaml deleted file mode 100644 index 6d814017..00000000 --- a/kubernetes/main/avto-masini/ingress-nginx/certificates/avto-masini-production.yaml +++ /dev/null @@ -1,15 +0,0 @@ ---- -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: "${SECRET_PROD_DOMAIN/./-}-production" - namespace: avto-masini -spec: - secretName: "${SECRET_PROD_DOMAIN/./-}-production-tls" - issuerRef: - name: letsencrypt-production - kind: ClusterIssuer - commonName: "${SECRET_PROD_DOMAIN}" - dnsNames: - - "${SECRET_PROD_DOMAIN}" - - "*.${SECRET_PROD_DOMAIN}" diff --git a/kubernetes/main/avto-masini/ingress-nginx/certificates/kustomization.yaml b/kubernetes/main/avto-masini/ingress-nginx/certificates/kustomization.yaml deleted file mode 100644 index a4dea79f..00000000 --- a/kubernetes/main/avto-masini/ingress-nginx/certificates/kustomization.yaml +++ /dev/null 
@@ -1,5 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ./avto-masini-production.yaml \ No newline at end of file diff --git a/kubernetes/main/avto-masini/ingress-nginx/ks.yaml b/kubernetes/main/avto-masini/ingress-nginx/ks.yaml deleted file mode 100644 index 7a14fb8e..00000000 --- a/kubernetes/main/avto-masini/ingress-nginx/ks.yaml +++ /dev/null @@ -1,46 +0,0 @@ ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app avto-masini-ingress-nginx-certificates - namespace: flux-system -spec: - targetNamespace: avto-masini - commonMetadata: - labels: - app.kubernetes.io/name: *app - dependsOn: - - name: cert-manager-issuers - path: ./kubernetes/main/avto-masini/ingress-nginx/certificates - prune: true - sourceRef: - kind: GitRepository - name: flux-system - namespace: flux-system - wait: true - interval: 30m - retryInterval: 1m - timeout: 5m ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: &app ingress-nginx-avto-masini - namespace: flux-system -spec: - targetNamespace: avto-masini - commonMetadata: - labels: - app.kubernetes.io/name: *app - dependsOn: - - name: avto-masini-ingress-nginx-certificates - path: ./kubernetes/main/avto-masini/ingress-nginx/app - prune: true - sourceRef: - kind: GitRepository - name: flux-system - namespace: flux-system - wait: false - interval: 30m - retryInterval: 1m - timeout: 5m diff --git a/kubernetes/main/avto-masini/namespace.yaml b/kubernetes/main/avto-masini/namespace.yaml deleted file mode 100644 index 803b957b..00000000 --- a/kubernetes/main/avto-masini/namespace.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: v1 -kind: Namespace -metadata: - name: avto-masini - labels: - pod-security.kubernetes.io/audit: privileged - pod-security.kubernetes.io/enforce: privileged - pod-security.kubernetes.io/warn: privileged - goldilocks.fairwinds.com/enabled: "true" 
diff --git a/kubernetes/main/flux-system/avto-masini.yaml b/kubernetes/main/flux-system/avto-masini.yaml deleted file mode 100644 index 262360f9..00000000 --- a/kubernetes/main/flux-system/avto-masini.yaml +++ /dev/null @@ -1,41 +0,0 @@ -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: avto-masini - namespace: flux-system -spec: - interval: 10m0s - retryInterval: 1m - timeout: 5m - sourceRef: - kind: GitRepository - name: flux-system - path: ./kubernetes/main/avto-masini - prune: true - decryption: - provider: sops - secretRef: - name: sops-age - postBuild: - substituteFrom: - - kind: Secret - name: cluster-secrets - patches: - - patch: |- - apiVersion: kustomize.toolkit.fluxcd.io/v1 - kind: Kustomization - metadata: - name: not-used - spec: - decryption: - provider: sops - secretRef: - name: sops-age - postBuild: - substituteFrom: - - kind: Secret - name: cluster-secrets - target: - group: kustomize.toolkit.fluxcd.io - kind: Kustomization - labelSelector: substitution.flux.home.arpa/disabled notin (true) diff --git a/scripts/restore-linkwarden-db.sh b/scripts/restore-linkwarden-db.sh new file mode 100755 index 00000000..0f942307 --- /dev/null +++ b/scripts/restore-linkwarden-db.sh 
@@ -0,0 +1,108 @@ +#!/usr/bin/env bash +set -euo pipefail + +# Linkwarden Database Restore Script - Version 2 +# This script uses pg_dump/pg_restore via psql since the backup is a barman base backup + +# Color output +RED='\033[0;31m' +GREEN='\033[0;32m' +YELLOW='\033[1;33m' +NC='\033[0m' # No Color + +log_info() { + echo -e "${GREEN}[INFO]${NC} $1" +} + +log_warn() { + echo -e "${YELLOW}[WARN]${NC} $1" +} + +log_error() { + echo -e "${RED}[ERROR]${NC} $1" +} + +# Configuration +NAMESPACE="database" +POSTGRES_HOST="postgres18-rw.database.svc.cluster.local" +POSTGRES_PORT="5432" +DB_NAME="linkwarden" +DB_USER="linkwarden" +DB_PASSWORD="linkwarden" # This should match the secret +POSTGRES_SUPER_USER="postgres" +POSTGRES_SUPER_PASS="x088Fi7OU1LOVr" # From cloudnative-pg-secret + +log_warn "The S3 backup is a physical PGDATA backup (barman format)." +log_warn "Since we're migrating to postgres18 cluster, we'll create an empty database." +log_warn "Linkwarden will run its own migrations on first startup." +log_info "" + +# Create a temporary pod to access postgres +SETUP_POD_NAME="linkwarden-dbsetup-$(date +%s)" + +log_info "Creating database setup pod: ${SETUP_POD_NAME}" + +cat < /dev/null + +log_info "Application user can connect successfully" + +# Cleanup +log_info "Cleaning up setup pod..." +kubectl delete pod ${SETUP_POD_NAME} -n ${NAMESPACE} + +log_info "✅ Database setup completed successfully!" +log_info "" +log_info "Database Details:" +log_info " Host: ${POSTGRES_HOST}" +log_info " Port: ${POSTGRES_PORT}" +log_info " Database: ${DB_NAME}" +log_info " User: ${DB_USER}" +log_info "" +log_info "Note: Database is empty. Linkwarden will run Prisma migrations on first startup." +log_info "If you need to import old data, you'll need to use pg_dump from the old cluster" +log_info "and pg_restore it into this new database."
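Review bot: `POSTGRES_SUPER_PASS="x088Fi7OU1LOVr" # From cloudnative-pg-secret` and `DB_PASSWORD="linkwarden"` commit cleartext database credentials to the repository in scripts/restore-linkwarden-db.sh; the superuser password is now part of git history regardless of later edits to this file, so it should be treated as exposed and rotated in the secret it was copied from. Read both values from the environment and fail when they are missing, e.g. `: "${POSTGRES_SUPER_PASS:?export from cloudnative-pg-secret, never hardcode}"` and `: "${DB_PASSWORD:?}"`, and keep them out of command arguments (pass them to the setup pod as env such as `PGPASSWORD`) so `set -x` and `ps` do not reveal them. The pod-creation here-doc after `cat <` is not visible in this rendering of the hunk, so the manifest it writes could not be reviewed. Separately, `kubectl delete pod ${SETUP_POD_NAME} -n ${NAMESPACE}` and the `echo -e ... $1` log helpers should quote their expansions (`"${SETUP_POD_NAME}"`, `printf '%b[INFO]%b %s\n' "$GREEN" "$NC" "$1"`) so a message or name containing spaces or leading dashes cannot be word-split or parsed as options.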