diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index dd720805..395915ca 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -9,7 +9,7 @@ exclude: | repos: - repo: https://github.com/adrienverge/yamllint - rev: v1.32.0 + rev: v1.33.0 hooks: - id: yamllint args: diff --git a/.sops.yaml b/.sops.yaml index 363addaf..8805a14c 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -2,14 +2,14 @@ creation_rules: - path_regex: kubernetes/.*\.sops\.ya?ml encrypted_regex: "^(data|stringData)$" - # Valinor + # Homelab age: >- - age1g786w8t40g9y29l33rfd4jqlwhrgsxsc7ped6uju60k54j0q3enql3kfve + age1eqlaq205y5jre9hu5hvulywa7w3d4qyxwmafneamxcn7nejesedsf4q9g6 - path_regex: .*\.sops\.(env|ini|json|toml) - # Valinor + # Homelab age: >- - age1g786w8t40g9y29l33rfd4jqlwhrgsxsc7ped6uju60k54j0q3enql3kfve + age1eqlaq205y5jre9hu5hvulywa7w3d4qyxwmafneamxcn7nejesedsf4q9g6 - path_regex: (ansible|terraform|talos)/.*\.sops\.ya?ml - # Valinor + # Homelab age: >- - age1g786w8t40g9y29l33rfd4jqlwhrgsxsc7ped6uju60k54j0q3enql3kfve + age1eqlaq205y5jre9hu5hvulywa7w3d4qyxwmafneamxcn7nejesedsf4q9g6 diff --git a/kubernetes/apps/cert-manager/cert-manager/issuers/dnsimple/dnsimple-issuer-rbac.yaml b/kubernetes/apps/cert-manager/cert-manager/issuers/dnsimple/dnsimple-issuer-rbac.yaml deleted file mode 100644 index 241ba25b..00000000 --- a/kubernetes/apps/cert-manager/cert-manager/issuers/dnsimple/dnsimple-issuer-rbac.yaml +++ /dev/null 
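Review bot: All three `creation_rules` in `.sops.yaml` replace the single age recipient instead of adding the new one alongside it, so any file matched by these `path_regex` patterns that is not re-encrypted in the same change can no longer be decrypted with the new key, and the files that are re-encrypted here can no longer be opened with the old one. Only `secret.sops.yaml` appears to be updated further down in this diff (its hunk is cut off), so the other matched paths — `kubernetes/`, `ansible|terraform|talos`, and the `.sops.(env|ini|json|toml)` rule — should be confirmed with `sops updatekeys` before this lands. It would also help the next reader if the comment recorded the rotation rather than only the new name, e.g. `# Homelab (replaces the former Valinor recipient)`.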
@@ -1,22 +0,0 @@ ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - name: flow-schema-reader -rules: - - apiGroups: ["flowcontrol.apiserver.k8s.io"] - resources: ["flowschemas", "prioritylevelconfigurations"] - verbs: ["list", "watch"] ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - name: grant-flow-schema-permission -subjects: - - kind: ServiceAccount - name: dnsimple-issuer-cert-manager-webhook-dnsimple - namespace: cert-manager -roleRef: - kind: ClusterRole - name: flow-schema-reader - apiGroup: rbac.authorization.k8s.io diff --git a/kubernetes/apps/cert-manager/cert-manager/issuers/dnsimple/externalsecret.yaml b/kubernetes/apps/cert-manager/cert-manager/issuers/dnsimple/externalsecret.yaml deleted file mode 100644 index d5d62de1..00000000 --- a/kubernetes/apps/cert-manager/cert-manager/issuers/dnsimple/externalsecret.yaml +++ /dev/null @@ -1,23 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: dnsimple-api-token - namespace: cert-manager -spec: - secretStoreRef: - kind: ClusterSecretStore - name: onepassword-connect - target: - name: dnsimple-api-token - creationPolicy: Owner - data: - - secretKey: api-token - remoteRef: - key: DNSimple - property: cert-manager - - secretKey: letsencrypt-email - remoteRef: - key: DNSimple - property: letsencrypt-email diff --git a/kubernetes/apps/cert-manager/cert-manager/issuers/dnsimple/helmrelease.yaml b/kubernetes/apps/cert-manager/cert-manager/issuers/dnsimple/helmrelease.yaml deleted file mode 100644 index a2de653c..00000000 --- a/kubernetes/apps/cert-manager/cert-manager/issuers/dnsimple/helmrelease.yaml +++ /dev/null 
@@ -1,36 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta2.json -apiVersion: helm.toolkit.fluxcd.io/v2beta2 -kind: HelmRelease -metadata: - name: dnsimple-issuer - namespace: cert-manager -spec: - interval: 30m - chart: - spec: - chart: cert-manager-webhook-dnsimple - version: 0.0.11 - interval: 30m - sourceRef: - kind: HelmRepository - name: jahanson - namespace: flux-system - - values: - controller: - annotations: - reloader.stakater.com/auto: "true" - dnsimple: - token: - valueFrom: - secretKeyRef: - name: dnsimple-api-token - key: api-token - clusterIssuer: - email: - valueFrom: - secretKeyRef: - name: dnsimple-api-token - key: letsencrypt-email - containerport: 8443 diff --git a/kubernetes/apps/cert-manager/cert-manager/issuers/dnsimple/issuer-letsencrypt-prod.yaml b/kubernetes/apps/cert-manager/cert-manager/issuers/dnsimple/issuer-letsencrypt-prod.yaml deleted file mode 100644 index 16d50036..00000000 --- a/kubernetes/apps/cert-manager/cert-manager/issuers/dnsimple/issuer-letsencrypt-prod.yaml +++ /dev/null @@ -1,22 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/cert-manager.io/clusterissuer_v1.json -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - name: letsencrypt-dnsimple-production -spec: - acme: - email: "joe@veri.dev" - preferredChain: "" - privateKeySecretRef: - name: letsencrypt-dnsimple-production - server: https://acme-v02.api.letsencrypt.org/directory - solvers: - - dns01: - webhook: - config: - tokenSecretRef: - key: api-token - name: dnsimple-api-token - solverName: dnsimple - groupName: acme.jahanson.com diff --git a/kubernetes/apps/cert-manager/cert-manager/issuers/dnsimple/issuer-letsencrypt-staging.yaml b/kubernetes/apps/cert-manager/cert-manager/issuers/dnsimple/issuer-letsencrypt-staging.yaml deleted file mode 100644 index da677355..00000000 
--- a/kubernetes/apps/cert-manager/cert-manager/issuers/dnsimple/issuer-letsencrypt-staging.yaml +++ /dev/null @@ -1,21 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/cert-manager.io/clusterissuer_v1.json -apiVersion: cert-manager.io/v1 -kind: ClusterIssuer -metadata: - name: letsencrypt-staging -spec: - acme: - preferredChain: "" - privateKeySecretRef: - name: letsencrypt-staging - server: https://acme-staging-v02.api.letsencrypt.org/directory - solvers: - - dns01: - webhook: - config: - tokenSecretRef: - key: api-token - name: dnsimple-api-token - solverName: dnsimple - groupName: acme.jahanson.com diff --git a/kubernetes/apps/cert-manager/cert-manager/issuers/kustomization.yaml b/kubernetes/apps/cert-manager/cert-manager/issuers/kustomization.yaml index 1e330357..01411ee7 100644 --- a/kubernetes/apps/cert-manager/cert-manager/issuers/kustomization.yaml +++ b/kubernetes/apps/cert-manager/cert-manager/issuers/kustomization.yaml @@ -4,11 +4,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization namespace: cert-manager resources: - - ./dnsimple/externalsecret.yaml - - ./dnsimple/issuer-letsencrypt-prod.yaml - - ./dnsimple/issuer-letsencrypt-staging.yaml - - ./dnsimple/dnsimple-issuer-rbac.yaml - - ./dnsimple/helmrelease.yaml - ./cloudflare/externalsecret.yaml - ./cloudflare/issuer-letsencrypt-prod.yaml - ./cloudflare/issuer-letsencrypt-staging.yaml diff --git a/kubernetes/apps/cert-manager/cert-manager/ks.yaml b/kubernetes/apps/cert-manager/cert-manager/ks.yaml index 0597f29e..8f1229fa 100644 --- a/kubernetes/apps/cert-manager/cert-manager/ks.yaml +++ b/kubernetes/apps/cert-manager/cert-manager/ks.yaml @@ -11,7 +11,7 @@ spec: prune: true sourceRef: kind: GitRepository - name: valinor + name: homelab wait: true --- # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json 
@@ -26,7 +26,7 @@ spec: prune: true sourceRef: kind: GitRepository - name: valinor + name: homelab wait: false dependsOn: - name: cluster-apps-cert-manager diff --git a/kubernetes/apps/default/jellyfin/ks.yaml b/kubernetes/apps/default/jellyfin/ks.yaml index d8a2a277..6a445602 100644 --- a/kubernetes/apps/default/jellyfin/ks.yaml +++ b/kubernetes/apps/default/jellyfin/ks.yaml @@ -12,7 +12,7 @@ spec: prune: true sourceRef: kind: GitRepository - name: valinor + name: homelab wait: false interval: 30m retryInterval: 1m diff --git a/kubernetes/apps/default/rocky-nessa.yaml b/kubernetes/apps/default/rocky-nenya.yaml similarity index 90% rename from kubernetes/apps/default/rocky-nessa.yaml rename to kubernetes/apps/default/rocky-nenya.yaml index d48a8a35..8c9cd2a3 100644 --- a/kubernetes/apps/default/rocky-nessa.yaml +++ b/kubernetes/apps/default/rocky-nenya.yaml @@ -1,10 +1,10 @@ apiVersion: v1 kind: Pod metadata: - name: rocky-nessa + name: rocky-nenya namespace: default spec: - nodeName: nessa + nodeName: nenya containers: - name: rocky image: rockylinux:9 diff --git a/kubernetes/apps/default/rocky-nienna.yaml b/kubernetes/apps/default/rocky-nienna.yaml deleted file mode 100644 index d9ab4169..00000000 --- a/kubernetes/apps/default/rocky-nienna.yaml +++ /dev/null @@ -1,20 +0,0 @@ -apiVersion: v1 -kind: Pod -metadata: - name: rocky-nienna - namespace: default -spec: - nodeName: nienna - containers: - - name: rocky - image: rockylinux:9 - securityContext: - privileged: true - command: ["/bin/bash", "-c", "while true; do sleep 10; done"] - resources: - requests: - cpu: 100m - memory: 512Mi - limits: - cpu: 4000m - memory: 4000Mi diff --git a/kubernetes/apps/default/ubuntu.yaml b/kubernetes/apps/default/ubuntu-nenya.yaml similarity index 95% rename from kubernetes/apps/default/ubuntu.yaml rename to kubernetes/apps/default/ubuntu-nenya.yaml index b91eefbf..d51d03dc 100644 --- a/kubernetes/apps/default/ubuntu.yaml +++ b/kubernetes/apps/default/ubuntu-nenya.yaml 
@@ -4,6 +4,7 @@ metadata: name: ubuntu namespace: default spec: + nodeName: nenya containers: - name: ubuntu image: ubuntu:latest diff --git a/kubernetes/apps/flux-system/add-ons/ks.yaml b/kubernetes/apps/flux-system/add-ons/ks.yaml index ad9d786c..d893a4b8 100644 --- a/kubernetes/apps/flux-system/add-ons/ks.yaml +++ b/kubernetes/apps/flux-system/add-ons/ks.yaml @@ -13,7 +13,7 @@ spec: prune: true sourceRef: kind: GitRepository - name: valinor + name: homelab wait: true --- # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json @@ -30,5 +30,5 @@ spec: prune: true sourceRef: kind: GitRepository - name: valinor + name: homelab wait: true diff --git a/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml b/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml index 5e78f50d..b6753297 100644 --- a/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml +++ b/kubernetes/apps/kube-system/cilium/app/helmrelease.yaml @@ -27,7 +27,7 @@ spec: keepHistory: false values: cluster: - name: valinor + name: homelab id: 1 hubble: relay: @@ -35,7 +35,6 @@ spec: ui: enabled: true metrics: - # enabled: "{dns,drop,tcp,flow,port-distribution,icmp,httpV2:exemplars=true;labelsContext=source_ip,source_namespace,source_workload,destination_ip,destination_namespace,destination_workload,traffic_direction}" enableOpenMetrics: true prometheus: enabled: true @@ -50,26 +49,7 @@ spec: enabled: true # enable host policies extraConfig: allow-localhost: policy # enable policies for localhost - kubeProxyReplacement: true - securityContext: - capabilities: - ciliumAgent: - - CHOWN - - KILL - - NET_ADMIN - - NET_RAW - - IPC_LOCK - - SYS_ADMIN - - SYS_RESOURCE - - DAC_OVERRIDE - - FOWNER - - SETGID - - SETUID - cleanCiliumState: - - NET_ADMIN - - SYS_ADMIN - - SYS_RESOURCE k8sServiceHost: ${K8S_SERVICE_ENDPOINT} k8sServicePort: 6443 rollOutCiliumPods: true 
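Review bot: Dropping `kubeProxyReplacement: true` while keeping `k8sServiceHost: ${K8S_SERVICE_ENDPOINT}` and `k8sServicePort: 6443` in the same values block looks inconsistent: those two settings are normally only needed when Cilium replaces kube-proxy, and if this cluster runs without kube-proxy the chart default (which I believe is no replacement on current charts) would leave ClusterIP services unrouted. Removing the explicit `securityContext.capabilities` lists for `ciliumAgent` and `cleanCiliumState` also hands the agent's capability set back to the chart defaults, which I believe are at least as broad as the removed list (they include `SYS_MODULE`), so if the intent was to trim privileges the explicit list was the stricter configuration and should stay. If the intent was instead to track chart defaults, a one-line comment above `extraConfig:` such as `# capabilities and kube-proxy replacement intentionally left at chart defaults` would stop the next reader from re-adding them; the reason for the removal is not stated anywhere in the hunk.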
diff --git a/kubernetes/apps/kube-system/cilium/app/netpols/allow-same-ns.yaml b/kubernetes/apps/kube-system/cilium/app/netpols/allow-same-ns.yaml deleted file mode 100644 index d91ced51..00000000 --- a/kubernetes/apps/kube-system/cilium/app/netpols/allow-same-ns.yaml +++ /dev/null @@ -1,9 +0,0 @@ -apiVersion: networking.k8s.io/v1 -kind: NetworkPolicy -metadata: - name: allow-ns-ingress -spec: - podSelector: {} - ingress: - - from: - - podSelector: {} diff --git a/kubernetes/apps/kube-system/cilium/ks.yaml b/kubernetes/apps/kube-system/cilium/ks.yaml index e2eadc55..2e22b200 100644 --- a/kubernetes/apps/kube-system/cilium/ks.yaml +++ b/kubernetes/apps/kube-system/cilium/ks.yaml @@ -13,5 +13,5 @@ spec: prune: true sourceRef: kind: GitRepository - name: valinor + name: homelab wait: false diff --git a/kubernetes/apps/kube-system/kustomization.yaml b/kubernetes/apps/kube-system/kustomization.yaml index 6d5d7fc0..356b742a 100644 --- a/kubernetes/apps/kube-system/kustomization.yaml +++ b/kubernetes/apps/kube-system/kustomization.yaml @@ -7,5 +7,4 @@ resources: - ./namespace.yaml # Flux-Kustomizations - ./cilium/ks.yaml - - ./hccm/ks.yaml - ./metrics-server/ks.yaml diff --git a/kubernetes/apps/kube-system/metrics-server/ks.yaml b/kubernetes/apps/kube-system/metrics-server/ks.yaml index 6c4f7f13..26a32508 100644 --- a/kubernetes/apps/kube-system/metrics-server/ks.yaml +++ b/kubernetes/apps/kube-system/metrics-server/ks.yaml @@ -13,5 +13,5 @@ spec: prune: true sourceRef: kind: GitRepository - name: valinor + name: homelab wait: true diff --git a/kubernetes/apps/kyverno/kyverno/ks.yaml b/kubernetes/apps/kyverno/kyverno/ks.yaml index 471f56b0..9400c9b0 100644 --- a/kubernetes/apps/kyverno/kyverno/ks.yaml +++ b/kubernetes/apps/kyverno/kyverno/ks.yaml @@ -10,7 +10,7 @@ spec: prune: true sourceRef: kind: GitRepository - name: valinor + name: homelab wait: true interval: 30m retryInterval: 1m 
@@ -29,7 +29,7 @@ spec: prune: true sourceRef: kind: GitRepository - name: valinor + name: homelab wait: false interval: 30m retryInterval: 1m diff --git a/kubernetes/apps/network/echo-server/ks.yaml b/kubernetes/apps/network/echo-server/ks.yaml index e4bd6a2f..94e823c9 100644 --- a/kubernetes/apps/network/echo-server/ks.yaml +++ b/kubernetes/apps/network/echo-server/ks.yaml @@ -13,5 +13,5 @@ spec: prune: true sourceRef: kind: GitRepository - name: valinor + name: homelab wait: true diff --git a/kubernetes/apps/network/external-dns/app/valinor-social/externalsecret.yaml b/kubernetes/apps/network/external-dns/app/valinor-social/externalsecret.yaml deleted file mode 100644 index 4950bfd3..00000000 --- a/kubernetes/apps/network/external-dns/app/valinor-social/externalsecret.yaml +++ /dev/null @@ -1,19 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json -apiVersion: external-secrets.io/v1beta1 -kind: ExternalSecret -metadata: - name: externaldns-valinor-social-secrets - namespace: cert-manager -spec: - secretStoreRef: - kind: ClusterSecretStore - name: onepassword-connect - target: - name: externaldns-valinor-social-secrets - creationPolicy: Owner - data: - - secretKey: dnsimple_api_token - remoteRef: - key: DNSimple - property: external-dns diff --git a/kubernetes/apps/network/external-dns/app/valinor-social/helmrelease.yaml b/kubernetes/apps/network/external-dns/app/valinor-social/helmrelease.yaml deleted file mode 100644 index 2c8f3114..00000000 --- a/kubernetes/apps/network/external-dns/app/valinor-social/helmrelease.yaml +++ /dev/null 
@@ -1,70 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta2.json -apiVersion: helm.toolkit.fluxcd.io/v2beta2 -kind: HelmRelease -metadata: - name: &name externaldns-valinor-social - namespace: network -spec: - interval: 30m - chart: - spec: - chart: external-dns - version: 1.13.1 - sourceRef: - kind: HelmRepository - name: kubernetes-sigs-external-dns - namespace: flux-system - interval: 30m - - values: - fullnameOverride: *name - - domainFilters: - - valinor.social - - env: - - name: DNSIMPLE_OAUTH - valueFrom: - secretKeyRef: - name: externaldns-valinor-social-secrets - key: dnsimple_api_token - - serviceMonitor: - enabled: true - - extraArgs: - - --crd-source-apiversion=externaldns.k8s.io/v1alpha1 - - --crd-source-kind=DNSEndpoint - - --annotation-filter=external-dns.alpha.kubernetes.io/target - - podAnnotations: - secret.reloader.stakater.com/reload: externaldns-valinor-social-secrets - - policy: sync - provider: dnsimple - - resources: - requests: - cpu: 5m - memory: 100Mi - limits: - memory: 100Mi - - sources: - - ingress - - crd - - txtPrefix: "k8s." - - postRenderers: - - kustomize: - patches: - - target: - version: v1 - kind: Deployment - name: *name - patch: | - - op: add - path: /spec/template/spec/enableServiceLinks - value: false diff --git a/kubernetes/apps/network/external-dns/app/valinor-social/kustomization.yaml b/kubernetes/apps/network/external-dns/app/valinor-social/kustomization.yaml deleted file mode 100644 index c5f31b85..00000000 --- a/kubernetes/apps/network/external-dns/app/valinor-social/kustomization.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -namespace: network -resources: - - ./helmrelease.yaml - - ./externalsecret.yaml 
diff --git a/kubernetes/apps/network/external-dns/ks.yaml b/kubernetes/apps/network/external-dns/ks.yaml index 2557fcee..5fbd048f 100644 --- a/kubernetes/apps/network/external-dns/ks.yaml +++ b/kubernetes/apps/network/external-dns/ks.yaml @@ -13,45 +13,7 @@ spec: prune: true sourceRef: kind: GitRepository - name: valinor - wait: true - dependsOn: - - name: cluster-apps-external-secrets-stores ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: cluster-apps-externaldns-valinor-social - namespace: flux-system - labels: - substitution.flux.home.arpa/enabled: "true" -spec: - interval: 10m - path: "./kubernetes/apps/network/external-dns/app/valinor-social" - prune: true - sourceRef: - kind: GitRepository - name: valinor - wait: true - dependsOn: - - name: cluster-apps-external-secrets-stores ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: cluster-apps-externaldns-shared - namespace: flux-system - labels: - substitution.flux.home.arpa/enabled: "true" -spec: - interval: 10m - path: "./kubernetes/apps/network/external-dns/app/shared" - prune: true - sourceRef: - kind: GitRepository - name: valinor + name: homelab wait: true dependsOn: - name: cluster-apps-external-secrets-stores diff --git a/kubernetes/apps/network/ingress-nginx/app/certificate.yaml b/kubernetes/apps/network/ingress-nginx/external/certificate.yaml similarity index 100% rename from kubernetes/apps/network/ingress-nginx/app/certificate.yaml rename to kubernetes/apps/network/ingress-nginx/external/certificate.yaml 
diff --git a/kubernetes/apps/network/ingress-nginx/app/externalsecret.yaml b/kubernetes/apps/network/ingress-nginx/external/externalsecret.yaml similarity index 62% rename from kubernetes/apps/network/ingress-nginx/app/externalsecret.yaml rename to kubernetes/apps/network/ingress-nginx/external/externalsecret.yaml index b09b8811..cd93cd40 100644 --- a/kubernetes/apps/network/ingress-nginx/app/externalsecret.yaml +++ b/kubernetes/apps/network/ingress-nginx/external/externalsecret.yaml @@ -10,10 +10,11 @@ spec: kind: ClusterSecretStore name: onepassword-connect target: - name: nginx-ingress-secrets - creationPolicy: Owner - data: - - secretKey: nginx-ingress-bouncer-apikey - remoteRef: - key: Crowdsec - property: nginx-ingress-bouncer + name: nginx-external-maxmind-secret + template: + engineVersion: v2 + data: + MAXMIND_LICENSE_KEY: "{{ .homelab_nginx }}" + dataFrom: + - extract: + key: maxmind diff --git a/kubernetes/apps/network/ingress-nginx/app/helmrelease.yaml b/kubernetes/apps/network/ingress-nginx/external/helmrelease.yaml similarity index 63% rename from kubernetes/apps/network/ingress-nginx/app/helmrelease.yaml rename to kubernetes/apps/network/ingress-nginx/external/helmrelease.yaml index 2894e94b..4337aa36 100644 --- a/kubernetes/apps/network/ingress-nginx/app/helmrelease.yaml +++ b/kubernetes/apps/network/ingress-nginx/external/helmrelease.yaml @@ -15,6 +15,11 @@ spec: name: ingress-nginx namespace: flux-system interval: 30m + valuesFrom: + - targetPath: controller.maxmindLicenseKey + kind: Secret + name: nginx-external-maxmind-secret + valuesKey: MAXMIND_LICENSE_KEY values: controller: replicaCount: 2 
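Review bot: The MaxMind key is fed through `valuesFrom` into `controller.maxmindLicenseKey`, which I believe the ingress-nginx chart renders as a `--maxmind-license-key=` container argument, so the licence key ends up visible in the Deployment and Pod specs to anyone who can read pods in the namespace rather than only to readers of `nginx-external-maxmind-secret`. If that exposure matters, a comment at the `valuesFrom:` line recording the trade-off (`# NOTE: chart passes this as a container arg; key is visible in the pod spec`) is the minimum, and an environment-variable based injection would be the stricter option if the chart offers one. The rename of the ExternalSecret also drops the Crowdsec `nginx-ingress-secrets` target entirely; nothing in the helmrelease hunks references it any more, but anything outside this diff that still expects that Secret will lose it.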
@@ -26,10 +31,8 @@ spec: enabled: true type: LoadBalancer annotations: - load-balancer.hetzner.cloud/location: fsn1 - load-balancer.hetzner.cloud/protocol: tcp - load-balancer.hetzner.cloud/name: hsn-nginx - load-balancer.hetzner.cloud/uses-proxyprotocol: true + external-dns.alpha.kubernetes.io/hostname: external.hsn.dev + io.cilium/lb-ipam-ips: 10.45.0.2 publishService: enabled: true 
@@ -43,27 +46,33 @@ spec: any: true ingressClassResource: - name: hsn-nginx + name: external default: true config: block-user-agents: "GPTBot,~*GPTBot*,ChatGPT-User,~*ChatGPT-User*,Google-Extended,~*Google-Extended*,CCBot,~*CCBot*,Omgilibot,~*Omgilibot*,FacebookBot,~*FacebookBot*" # taken from https://github.com/superseriousbusiness/gotosocial/blob/main/internal/web/robots.go - client-header-timeout: 120 - client-body-buffer-size: "100M" + client-body-buffer-size: 100M client-body-timeout: 120 + client-header-timeout: 120 enable-brotli: "true" enable-ocsp: "true" enable-real-ip: "true" - use-proxy-protocol: "true" hide-headers: Server,X-Powered-By - hsts-max-age: "31449600" - keep-alive: 120 + hsts-max-age: 31449600 keep-alive-requests: 10000 + keep-alive: 120 + log-format-escape-json: "true" + log-format-upstream: > + {"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr", "x_forwarded_for": "$proxy_add_x_forwarded_for", + "request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time, + "status": $status, "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args", + "request_length": $request_length, "duration": $request_time, "method": "$request_method", "http_referrer": "$http_referer", + "http_user_agent": "$http_user_agent", "country_code": "$geoip2_city_country_code", "country_name": "$geoip2_city_country_name"} proxy-body-size: 0 - proxy-buffer-size: "16k" - ssl-protocols: "TLSv1.3 TLSv1.2" + proxy-buffer-size: 16k + ssl-protocols: TLSv1.3 TLSv1.2 + use-geoip2: true use-forwarded-headers: "true" - extraArgs: default-ssl-certificate: "network/hsn-dev-tls" 
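Review bot: The new `log-format-upstream` logs `"remote_addr": "$proxy_protocol_addr"`, but the same hunk removes `use-proxy-protocol: "true"` (and the earlier service hunk drops the `uses-proxyprotocol` annotation), so `$proxy_protocol_addr` will be empty and access logs lose the client address; with direct delivery via the Cilium LB IP it should read `"remote_addr": "$remote_addr"`. Related: `enable-real-ip: "true"` and `use-forwarded-headers: "true"` are kept as context, yet with no trusted load balancer in front any client can now supply its own `X-Forwarded-For`, so either drop `use-forwarded-headers` or pair it with `proxy-real-ip-cidr` limited to whatever still proxies traffic to this controller. Minor: `log-format-upstream: >` keeps a trailing newline inside the value (`>-` strips it), and `use-geoip2: true` is the only boolean in this map written unquoted while its neighbours use `"true"`.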
@@ -75,24 +84,10 @@ spec: matchLabels: app.kubernetes.io/instance: ingress-nginx-hsn app.kubernetes.io/component: controller - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - key: app.kubernetes.io/component - operator: In - values: - - controller - - key: app.kubernetes.io/instance - operator: In - values: - - ingress-nginx-hsn - topologyKey: kubernetes.io/hostname resources: requests: - cpu: 23m + cpu: 100m memory: 381M defaultBackend: diff --git a/kubernetes/apps/network/ingress-nginx/app/kustomization.yaml b/kubernetes/apps/network/ingress-nginx/external/kustomization.yaml similarity index 100% rename from kubernetes/apps/network/ingress-nginx/app/kustomization.yaml rename to kubernetes/apps/network/ingress-nginx/external/kustomization.yaml diff --git a/kubernetes/apps/network/ingress-nginx/ks.yaml b/kubernetes/apps/network/ingress-nginx/ks.yaml index 6c40e136..7ef0b614 100644 --- a/kubernetes/apps/network/ingress-nginx/ks.yaml +++ b/kubernetes/apps/network/ingress-nginx/ks.yaml @@ -3,17 +3,17 @@ apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: cluster-apps-ingress-nginx + name: cluster-apps-ingress-nginx-external namespace: flux-system labels: substitution.flux.home.arpa/enabled: "true" spec: interval: 10m - path: "./kubernetes/apps/network/ingress-nginx/app" + path: "./kubernetes/apps/network/ingress-nginx/external" prune: true sourceRef: kind: GitRepository - name: valinor + name: homelab wait: true dependsOn: - name: cluster-apps-cert-manager-issuers @@ -32,7 +32,7 @@ spec: # prune: true # sourceRef: # kind: GitRepository -# name: valinor +# name: homelab # wait: true # dependsOn: # - name: cluster-apps-cert-manager-issuers diff --git a/kubernetes/apps/network/ingress-nginx/mastodon/certificate.yaml b/kubernetes/apps/network/ingress-nginx/mastodon/certificate.yaml deleted file mode 100644 index 7346e42c..00000000 
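Review bot: Removing the required `podAntiAffinity` leaves `replicaCount: 2` (context in an earlier hunk) relying solely on the `topologySpreadConstraints` to keep the two controller pods apart; unless its `maxSkew` (outside this hunk) is 1 with `DoNotSchedule`, both replicas may now be scheduled on one node, which defeats the purpose of the second replica for node failure. The surviving constraint still selects `app.kubernetes.io/instance: ingress-nginx-hsn` while the rest of this change renames the ingress class and the Flux Kustomization to `external`; if the HelmRelease name changes too (its `metadata` is outside the hunk), the selector stops matching these pods and the spread constraint silently becomes a no-op, so confirm the instance label. The `cpu: 23m` → `cpu: 100m` bump is fine but has no stated reason; a short comment such as `# raised after observing throttling at 23m — TODO confirm` would document it.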
--- a/kubernetes/apps/network/ingress-nginx/mastodon/certificate.yaml +++ /dev/null @@ -1,16 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/cert-manager.io/certificate_v1.json -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: "valinor-social" - namespace: network -spec: - secretName: "valinor-social-tls" - issuerRef: - name: letsencrypt-dnsimple-production - kind: ClusterIssuer - commonName: "valinor.social" - dnsNames: - - "valinor.social" - - "*.valinor.social" diff --git a/kubernetes/apps/network/ingress-nginx/peertube/certificate.yaml b/kubernetes/apps/network/ingress-nginx/peertube/certificate.yaml deleted file mode 100644 index 9160026b..00000000 --- a/kubernetes/apps/network/ingress-nginx/peertube/certificate.yaml +++ /dev/null @@ -1,16 +0,0 @@ ---- -# yaml-language-server: $schema=https://ks.hsn.dev/cert-manager.io/certificate_v1.json -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: "khazadtube-tv" - namespace: network -spec: - secretName: "khazadtube-tv-tls" - issuerRef: - name: letsencrypt-dnsimple-production - kind: ClusterIssuer - commonName: "khazadtube.tv" - dnsNames: - - "khazadtube.tv" - - "*.khazadtube.tv" diff --git a/kubernetes/apps/network/ingress-nginx/peertube/helmrelease.yaml b/kubernetes/apps/network/ingress-nginx/peertube/helmrelease.yaml deleted file mode 100644 index 60b4f51e..00000000 --- a/kubernetes/apps/network/ingress-nginx/peertube/helmrelease.yaml +++ /dev/null 
@@ -1,108 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta2.json -apiVersion: helm.toolkit.fluxcd.io/v2beta2 -kind: HelmRelease -metadata: - name: ingress-nginx-peertube -spec: - interval: 30m - chart: - spec: - chart: ingress-nginx - version: 4.9.0 - sourceRef: - kind: HelmRepository - name: ingress-nginx - namespace: flux-system - interval: 30m - values: - controller: - replicaCount: 3 - updateStrategy: - type: RollingUpdate - allowSnippetAnnotations: true - enableAnnotationValidations: true - service: - enabled: true - type: LoadBalancer - annotations: - load-balancer.hetzner.cloud/location: fsn1 - load-balancer.hetzner.cloud/protocol: tcp - load-balancer.hetzner.cloud/name: peertube-nginx - load-balancer.hetzner.cloud/use-private-ip: false - load-balancer.hetzner.cloud/uses-proxyprotocol: true - - publishService: - enabled: true - - metrics: - enabled: true - serviceMonitor: - enabled: true - namespace: network - namespaceSelector: - any: true - - ingressClassResource: - name: peertube-nginx - default: false - - config: - block-user-agents: "GPTBot,~*GPTBot*,ChatGPT-User,~*ChatGPT-User*,Google-Extended,~*Google-Extended*,CCBot,~*CCBot*,Omgilibot,~*Omgilibot*,FacebookBot,~*FacebookBot*" # taken from https://github.com/superseriousbusiness/gotosocial/blob/main/internal/web/robots.go - client-header-timeout: 120 - client-body-buffer-size: "100M" - client-body-timeout: 120 - enable-brotli: "true" - enable-ocsp: "true" - enable-real-ip: "true" - use-proxy-protocol: "true" - hide-headers: Server,X-Powered-By - hsts-max-age: "31449600" - keep-alive: 120 - keep-alive-requests: 10000 - proxy-body-size: 0 - proxy-buffer-size: "16k" - ssl-protocols: "TLSv1.3 TLSv1.2" - use-forwarded-headers: "true" - server-snippet: | - resolver local=on ipv6=off; - ssl_stapling on; - ssl_stapling_verify on; - ssl-echd-curve: "secp384r1" - ssl-session-timeout: "1d" - ssl-session-cache: 
"shared:SSL:10m" - ssl-session-tickets: "off" - - extraArgs: - default-ssl-certificate: "network/khazadtube-tv-tls" - - topologySpreadConstraints: - - maxSkew: 2 - topologyKey: kubernetes.io/hostname - whenUnsatisfiable: DoNotSchedule - labelSelector: - matchLabels: - app.kubernetes.io/instance: ingress-nginx-peertube - app.kubernetes.io/component: controller - affinity: - podAntiAffinity: - requiredDuringSchedulingIgnoredDuringExecution: - - labelSelector: - matchExpressions: - - key: app.kubernetes.io/component - operator: In - values: - - controller - - key: app.kubernetes.io/instance - operator: In - values: - - ingress-nginx-peertube - topologyKey: kubernetes.io/hostname - - resources: - requests: - cpu: 23m - memory: 381M - - defaultBackend: - enabled: false diff --git a/kubernetes/apps/network/ingress-nginx/peertube/kustomization.yaml b/kubernetes/apps/network/ingress-nginx/peertube/kustomization.yaml deleted file mode 100644 index dac1ce50..00000000 --- a/kubernetes/apps/network/ingress-nginx/peertube/kustomization.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- -# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -namespace: network -resources: - - ./helmrelease.yaml - - ./certificate.yaml diff --git a/kubernetes/apps/security/external-secrets/ks.yaml b/kubernetes/apps/security/external-secrets/ks.yaml index a9546013..8d1b8ef0 100644 --- a/kubernetes/apps/security/external-secrets/ks.yaml +++ b/kubernetes/apps/security/external-secrets/ks.yaml @@ -11,7 +11,7 @@ spec: prune: true sourceRef: kind: GitRepository - name: valinor + name: homelab wait: true --- # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json @@ -26,7 +26,7 @@ spec: prune: true sourceRef: kind: GitRepository - name: valinor + name: homelab wait: true dependsOn: - name: cluster-apps-external-secrets 
@@ -43,7 +43,7 @@ spec: prune: true sourceRef: kind: GitRepository - name: valinor + name: homelab wait: true dependsOn: - name: cluster-apps-external-secrets diff --git a/kubernetes/apps/security/external-secrets/stores/onepassword/clustersecretstore.yaml b/kubernetes/apps/security/external-secrets/stores/onepassword/clustersecretstore.yaml index a669ffe2..5ef629da 100644 --- a/kubernetes/apps/security/external-secrets/stores/onepassword/clustersecretstore.yaml +++ b/kubernetes/apps/security/external-secrets/stores/onepassword/clustersecretstore.yaml @@ -1,5 +1,4 @@ --- -# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/clustersecretstore_v1beta1.json apiVersion: external-secrets.io/v1beta1 kind: ClusterSecretStore metadata: @@ -8,9 +7,9 @@ metadata: spec: provider: onepassword: - connectHost: http://onepassword-connect:8080 + connectHost: http://10.5.0.5:8080 vaults: - valinor: 1 + hsn.dev: 1 auth: secretRef: connectTokenSecretRef: diff --git a/kubernetes/apps/security/external-secrets/stores/onepassword/helmrelease.yaml b/kubernetes/apps/security/external-secrets/stores/onepassword/helmrelease.yaml deleted file mode 100644 index 515a64b6..00000000 --- a/kubernetes/apps/security/external-secrets/stores/onepassword/helmrelease.yaml +++ /dev/null 
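Review bot: `connectHost` now points at `http://10.5.0.5:8080`, an address outside the cluster (the in-cluster `onepassword-connect` HelmRelease is deleted in this same change), over plain HTTP, so the Connect token from `connectTokenSecretRef` and every secret value External Secrets fetches will cross the node network unencrypted where before they stayed on the cluster's internal service path. If 10.5.0.5 is not reached over an already-encrypted or fully isolated link, put TLS in front of Connect and use an `https://` URL here, or at least record the assumption next to the line, e.g. `# Connect runs off-cluster; path to 10.5.0.5 assumed private — TODO confirm`. The `yaml-language-server` schema comment removed in the first hunk looks unrelated to the host change and could be kept.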
@@ -1,142 +0,0 @@ ---- -# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta2.json -apiVersion: helm.toolkit.fluxcd.io/v2beta2 -kind: HelmRelease -metadata: - name: onepassword-connect - namespace: security -spec: - interval: 30m - chart: - spec: - chart: app-template - version: 2.4.0 - interval: 30m - sourceRef: - kind: HelmRepository - name: bjw-s - namespace: flux-system - - values: - controllers: - main: - annotations: - reloader.stakater.com/auto: "true" - containers: - main: - image: - repository: docker.io/1password/connect-api - tag: 1.7.2 - env: - OP_BUS_PORT: "11220" - OP_BUS_PEERS: "localhost:11221" - OP_HTTP_PORT: &port-connect 8080 - OP_SESSION: - valueFrom: - secretKeyRef: - name: onepassword-connect-secret - key: onepassword-credentials.json - probes: - liveness: - enabled: true - custom: true - spec: - httpGet: - path: /heartbeat - port: *port-connect - initialDelaySeconds: 15 - periodSeconds: 30 - failureThreshold: 3 - readiness: - enabled: true - custom: true - spec: - httpGet: - path: /health - port: *port-connect - initialDelaySeconds: 15 - startup: - enabled: true - custom: true - spec: - httpGet: - path: /health - port: *port-connect - failureThreshold: 30 - periodSeconds: 5 - successThreshold: 1 - timeoutSeconds: 1 - sync: - image: - repository: docker.io/1password/connect-sync - tag: 1.7.2 - env: - - name: OP_SESSION - valueFrom: - secretKeyRef: - name: onepassword-connect-secret - key: onepassword-credentials.json - - name: OP_HTTP_PORT - value: &port-sync 8081 - - name: OP_BUS_PORT - value: "11221" - - name: OP_BUS_PEERS - value: "localhost:11220" - probes: - readinessProbe: - httpGet: - path: /health - port: *port-sync - initialDelaySeconds: 15 - livenessProbe: - httpGet: - path: /heartbeat - port: *port-sync - failureThreshold: 3 - periodSeconds: 30 - initialDelaySeconds: 15 - volumeMounts: - - name: shared - mountPath: /home/opuser/.op/data - - service: - main: - 
ports: - http: - port: *port-connect - - ingress: - main: - classname: "nginx" - annotations: - nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16" - hosts: - - host: &host "1pwconnect.hsn.dev" - paths: - - path: / - service: - name: main - port: http - - tls: - - hosts: - - *host - - defaultPodOptions: - securityContext: - runAsUser: 999 - runAsGroup: 999 - - persistence: - shared: - enabled: true - type: emptyDir - globalMounts: - - path: /home/opuser/.op/data - - resources: - requests: - cpu: 5m - memory: 10Mi - limits: - memory: 100Mi diff --git a/kubernetes/apps/security/external-secrets/stores/onepassword/kustomization.yaml b/kubernetes/apps/security/external-secrets/stores/onepassword/kustomization.yaml index 70fa87d9..d4c81bfb 100644 --- a/kubernetes/apps/security/external-secrets/stores/onepassword/kustomization.yaml +++ b/kubernetes/apps/security/external-secrets/stores/onepassword/kustomization.yaml @@ -5,9 +5,7 @@ kind: Kustomization namespace: security resources: - ./secret.sops.yaml - - ./helmrelease.yaml - ./clustersecretstore.yaml - labels: - pairs: app.kubernetes.io/name: stores diff --git a/kubernetes/apps/security/external-secrets/stores/onepassword/secret.sops.yaml b/kubernetes/apps/security/external-secrets/stores/onepassword/secret.sops.yaml index cd48415c..6e5f883e 100644 --- a/kubernetes/apps/security/external-secrets/stores/onepassword/secret.sops.yaml +++ b/kubernetes/apps/security/external-secrets/stores/onepassword/secret.sops.yaml 
@@ -4,52 +4,24 @@ metadata: name: onepassword-connect-token namespace: security stringData: - token: ENC[AES256_GCM,data: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,iv:lerOeNOfahiAJX1WFUxu5aiw51q274Cz2fmiPtqC0go=,tag:o8eDvJXG+l/YB516m6GB7A==,type:str] + token: ENC[AES256_GCM,data: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,iv:9w0GTjZ9bGNtbOWVhw0M/+Y/5WonChhNyHMU3nuxZYI=,tag:O+v6ZttlyxaUEZ02Jd+Z/Q==,type:str] sops: kms: [] gcp_kms: [] azure_kv: [] hc_vault: [] age: - - recipient: age1g786w8t40g9y29l33rfd4jqlwhrgsxsc7ped6uju60k54j0q3enql3kfve + - recipient: age1eqlaq205y5jre9hu5hvulywa7w3d4qyxwmafneamxcn7nejesedsf4q9g6 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRVjdHNjVDN1JCNEFqa203 - bVN6cStUeWFYUUZHZGhCSFFsemM4TnBkQ0g0CmdFZTBpUVgwMWFPbmZFT01BdUpu - NG1HZURFb0o3T2JwQ3U4YnJoYzhFOUkKLS0tIDhGVnhLRmhSZ3pQbGRvRWs5dWx4 - WWxwbndNQVBOeGRoandWL256Z2s2ZFEKtIKW60qNUBPMS0yWPEkDBMokemihiWQ7 - GqSGjNHDDlkKtd1jyY/qCZGM9t1ZiD9t34wAQVOrn9P/WGJg6X/FsQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5ZHo5aWdxVndCUkdCSEc4 + dkFkeGQ5ZkY2Rk4wM0RuaGxvU2g3K1JGTEJNCnJpYm1DbXBQOTdGSjVITU8xaE5D + RGRoYjVHWVh5Rno4THIvMmlZWWJVWncKLS0tIEVQNmQ1TTA2V0VjdWw2SU9WbUNt + VkJYWGZnMEJOdlkweS82RjFQdGtHekkK1LCJ2Ww1Ar1fXcepNTldf/hiBVbYdGRf + NwCgEa18sMHVVx1XdhBT67bhQewIr6yYHk4jX8y22ScS9GTx9syD4g== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-08-15T16:15:14Z" - mac: ENC[AES256_GCM,data:YVC+MuYp66Ej8XRpT/fsBPBz3laCjfoXikNzc4C5k4E3QbM68+jKX81sbJDGL0B3TSwcIxTc4e8GTisqVhxdH26y/g+xOK5/n6Y+FulDuMmvIiIqBhmQXlQii+DUcLZocRhwEkKDm344M3pRliSVVHa44JRY4qf3E9wKjQhg9tk=,iv:sBTtgB0QK52EFfIxJzFRvXP5MR4ARSfR8v/pha0rDDI=,tag:7KZI8DC967fFvO83KnXkPQ==,type:str] + lastmodified: "2024-01-11T23:40:03Z" + mac: 
ENC[AES256_GCM,data:1QP1VTuw/fGnMbOeyf+dWADPVSDgzI2UkzJRjEStBVrirj/bUIgpRmRUE2tO5c3fZr5NEJ6kO8ydCrr/WCYSReX2Cbnzf4U5Qap/EEq7G5Xx7NKDM+TQ4jq86F7j+T7OP8tAeGbO3I+8WSqIyc5Z8XkjkFY+hLDRP6cACsh1wQQ=,iv:/zAfi3ZdbzHZAliJZqDu3+lgkopg17NXtotbxkNtBuU=,tag:/wdSv18ydEPzNVL+DQEhGA==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ - version: 3.7.3 ---- -apiVersion: v1 -kind: Secret -metadata: - name: onepassword-connect-secret - namespace: security -stringData: - onepassword-credentials.json: ENC[AES256_GCM,data:Ro43t6FQ22+gIg0VAlcuwBy+jNUNM8Q9HI64InTcDSo0HoF2n5ombH1XrVw8aHYacOMM7WlNNsU5DeecC68HpSo45tOiIQTiXDNQyHDsCkoCEqgUZnEY0ggN2hpycnSmWFn7Kj8HoAnG+5q1aGsKI8PzjTAJYdbF36pmXAm01Ge2IaJAKXaWZ2WA+wUqUXtgr4wtIWgfDacQYMhonnlzzvjFFCkynOhRdCC35jiwJA5bX+OnXnN39ANZufYqlWdhoQHOVgBrrFTX5ooBp3Nvf0Ent3L+zDVvTpmmQm19gxc5jYUGHAlwUEbA/rE/Z6yvMMQhsRxTZtIR/f+ehpgd3OBYCy60ub0dTsbafinOvRJp4xcuhmNX333Li/b+OYOgmKY/vdEUn/2cxbA4Uo/PIRWXmwIaweDShRegHGBYzoCOndfLjfkOwtD7jsShPQ5Vu/aTXQCIFjl2zvcZeR2TT+3Oi3uIiLXlQsOWyU1asQz23PSFeXsiUV8G4P8eomZxiX8/k3D3okkknqvi3GfoRXY49vrewurybLBhBSvRNxYrGouk+Vxy/HtZCwUV7q2TwTlI0eGpBpnbJMGDiuzPV4LFy9SGuroHhKhrNyh2n72IovKLAh//ml+4QVFcUJw7HUP3D7VfYRuohItXi5DDZz4566gNf9a4QkPB/2GHkkcQduDVuDqIFIvxjG7vVpBxi+dbyO6zEt7kI7qo0yLoGsVX7t1laiKD28skgKBOiHyGsMwkjxLtcjjOLfYVM/BgN9BAN5nu9Wqm9HdVM8Rfbjc7U/ts/BtfxRgWNM3qvS7NFkKlYKTtD0JmnzUh7ddgi7HUOczltSl6OgdZcFLEmuQIGdtNeILdHSjp1D3wIT5vgfmKnkhwNqX14K6jLmFaxmtzgYa+65DyWnoYgA1QbvTAPQIfVFvCe2NhwBG5XFNcAKOQbwYdwjmhlKVh+Y5uUwaeTCP9VueUpnrxDzkWOsp33XixkcjCfvrQmY5HQs+sGwr+Be1T+t3ET/8p377CjUf0K3U4PIYvB6NeoD9TU+chYPwpToZoe6vwDEP+GEqhLOBBc6Kmd0VgI1vkShqGtLE/92L5xM+kVJTdUCdLZ9//jFwhfgFFITGhju5UiR4FsPY/IwLTqf+VzXI19aBzrEWN0R88KBk6koL4bORXdd4OEKX36S/Vw9NLGLxQzHxw5mihhBksPdh+kyiDgBgktL2levNF7PV/epdbNRvva/hNKSEaPRCzFV5xlVlMOqiC8wfkMnbatiOX3vGRIhzKjWOMKg3v7MUi6zPRZxs1N4l+V8mddIXsf+BGpGEK4vnlvXQFCP7g97pa6unGv+L9D1RKU4Mp9+AU7Oo82k54oWpgg5DqiCWfnQhXGJLRZabr48Hglp8tdoqKnPCLK+TalofreZxBrtlK3T8qY8g7uUYLTe2nSwU8KKJbgMCtHLtifdrvtyY/S6nN5EUHJpQA2eNqVFQwLDuwJ6crO6
ipGbaQ2U36ujhuqJ1+9a8OT4PkJK/aE6/koVRzZe50K+H+rbxCVQEpPM+kG4ClSuT47vxLujEm78Npf+PeIyS36RWICxeNyHhdFtbKDyFriBVi+pEEpXFhtpgBTqmB6MQ7te/L9kglkPOIOjbF4/rnzffvDEWZW5XeKz3vYujZ6vTgosf+rDsqsnyRWU2RHbhPQ6U7aS0ujAiBYdMQY4Mtlz+sa8f/b5nCzNPuv2Y1KdwIzCLLjIcqa/UnuTPNPcI8k6arXFWXS2Mq0R5QYfPKFCStVvHzHITHvZNt8bV1g2j5gYvnJkauu66yzUSDvglJVjjvI55nJQTryUDFtZX+lpiAZxwrsepYcP/EygKdZEdg3f8KbZWNQXxt2njLeJmad7Le5UHBhiGqP9H8eCLbwi0gvGwkGkveQHtCsTswOuY3l9E2WG0R9iamwDSC,iv:9QuqDosuTy7OoTfcSJ2mTYLQY9yTa9krJvvzqA7tH30=,tag:wtN/GsxxKhYgipOz8FqsCw==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1g786w8t40g9y29l33rfd4jqlwhrgsxsc7ped6uju60k54j0q3enql3kfve - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRVjdHNjVDN1JCNEFqa203 - bVN6cStUeWFYUUZHZGhCSFFsemM4TnBkQ0g0CmdFZTBpUVgwMWFPbmZFT01BdUpu - NG1HZURFb0o3T2JwQ3U4YnJoYzhFOUkKLS0tIDhGVnhLRmhSZ3pQbGRvRWs5dWx4 - WWxwbndNQVBOeGRoandWL256Z2s2ZFEKtIKW60qNUBPMS0yWPEkDBMokemihiWQ7 - GqSGjNHDDlkKtd1jyY/qCZGM9t1ZiD9t34wAQVOrn9P/WGJg6X/FsQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-08-15T16:15:14Z" - mac: ENC[AES256_GCM,data:YVC+MuYp66Ej8XRpT/fsBPBz3laCjfoXikNzc4C5k4E3QbM68+jKX81sbJDGL0B3TSwcIxTc4e8GTisqVhxdH26y/g+xOK5/n6Y+FulDuMmvIiIqBhmQXlQii+DUcLZocRhwEkKDm344M3pRliSVVHa44JRY4qf3E9wKjQhg9tk=,iv:sBTtgB0QK52EFfIxJzFRvXP5MR4ARSfR8v/pha0rDDI=,tag:7KZI8DC967fFvO83KnXkPQ==,type:str] - pgp: [] - encrypted_regex: ^(data|stringData)$ - version: 3.7.3 + version: 3.8.1 diff --git a/kubernetes/apps/system/kustomization.yaml b/kubernetes/apps/system/kustomization.yaml index 7d9520b8..bbfd6492 100644 --- a/kubernetes/apps/system/kustomization.yaml +++ b/kubernetes/apps/system/kustomization.yaml @@ -6,7 +6,6 @@ resources: # Pre Flux-Kustomizations - ./namespace.yaml # Flux-Kustomizations - - ./intel-device-plugins/ks.yaml - ./node-feature-discovery/ks.yaml - ./reloader/ks.yaml - ./snapshot-controller/ks.yaml 
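Review bot: Removing the `onepassword-connect-secret` document (the `onepassword-credentials.json` Connect credentials) from this file does not remove it from git history, where it and the previous `token` ciphertext remain decryptable by whoever holds the old private key for `age1g786…`. Re-encrypting the surviving `token` to `age1eqlaq…` therefore only helps if the old age key is genuinely retired; if it is being replaced because it may have leaked, the Connect token should be regenerated in 1Password as well, and the credentials file of the now-deleted in-cluster Connect deployment should be revoked rather than left valid. Nothing in the hunk shows whether `token` was rotated or only re-keyed (the iv and tag change either way); a SOPS-encrypted comment above it such as `# rotated 2024-01-11 together with the age key` — comments inside `stringData` are stored as `type:comment` and stay encrypted — would make that auditable.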
diff --git a/kubernetes/apps/system/node-feature-discovery/ks.yaml b/kubernetes/apps/system/node-feature-discovery/ks.yaml
index 39ecff43..6ca8d68f 100644
--- a/kubernetes/apps/system/node-feature-discovery/ks.yaml
+++ b/kubernetes/apps/system/node-feature-discovery/ks.yaml
@@ -15,5 +15,5 @@ spec:
prune: true
sourceRef:
kind: GitRepository
- name: valinor
+ name: homelab
wait: true
diff --git a/kubernetes/apps/system/reloader/ks.yaml b/kubernetes/apps/system/reloader/ks.yaml
index cf784561..fd69eb10 100644
--- a/kubernetes/apps/system/reloader/ks.yaml
+++ b/kubernetes/apps/system/reloader/ks.yaml
@@ -13,5 +13,5 @@ spec:
prune: true
sourceRef:
kind: GitRepository
- name: valinor
+ name: homelab
wait: true
diff --git a/kubernetes/apps/system/snapshot-controller/ks.yaml b/kubernetes/apps/system/snapshot-controller/ks.yaml
index 1fcd60f8..0354577b 100644
--- a/kubernetes/apps/system/snapshot-controller/ks.yaml
+++ b/kubernetes/apps/system/snapshot-controller/ks.yaml
@@ -15,7 +15,7 @@ spec:
prune: true
sourceRef:
kind: GitRepository
- name: valinor
+ name: homelab
wait: true
timeout: 2m
dependsOn:
diff --git a/kubernetes/bootstrap/flux/age-key.sops.yaml b/kubernetes/bootstrap/flux/age-key.sops.yaml
index 2a2f81df..34349822 100644
--- a/kubernetes/bootstrap/flux/age-key.sops.yaml
+++ b/kubernetes/bootstrap/flux/age-key.sops.yaml
@@ -5,24 +5,24 @@ metadata: name: sops-age namespace: flux-system stringData: - age.agekey: ENC[AES256_GCM,data:DELuczoRtBQW58s5i8Nmb4Hp+XzZ35aiOfwBJDXaqgfQMFY63QXRzBVkTDS0GxFoGt3jvLILJPwde0OHiVrkNEZdDwRr3JZKnTs=,iv:DqAaHlJRT8SUItoceaIQ7smJUcmtTeu51AJt1WM0pKA=,tag:YGbmN4hRhWCCGLPvyDLsnA==,type:str] + age.agekey: ENC[AES256_GCM,data:f+9hVYtS9xNgh3KSpC7HtIzSWnFEEtKNijhT4NWi9Yx3dlRuX50vhc8exLYcjcIbytCwMtTCI4xAjUk4TkxlGaj5DzhU/rdvE+c=,iv:uzhwlqMG1F2rb4XM00EXCI8mpCcKMTn1a2KPH/NGYqo=,tag:Ao+cLYINlL1AfJGFR9EG/A==,type:str] sops: kms: [] gcp_kms: [] azure_kv: [] hc_vault: [] age: - - recipient: age1g786w8t40g9y29l33rfd4jqlwhrgsxsc7ped6uju60k54j0q3enql3kfve + - recipient: age1eqlaq205y5jre9hu5hvulywa7w3d4qyxwmafneamxcn7nejesedsf4q9g6 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxMURBNzFadmc1ejZ4eStp - czlYTUtWUk52NzlaZ1NJSzU2R3R4VFB4TWtZCmc2SjZ1OVhNYXlXQ21WT1I0ZjU3 - V2RzRU5PUnYzMWlRcy9vTG5JNkIwVncKLS0tIHdjU0VSaVdBQ3A5ZDlybTBiUVB1 - YVE3NVptM1Q2ZjEyZHE3N2ZIaEtlRFUKQZEkNHDnlnZYXqK62SplHa7gEsEIBVNV - 4TYZQzf+fBmlxmDCwDLTNTJZZJfgLjYPfBStvGSx+VbW2HS6PoXMFQ== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5cVRSZUZjR1Y2Q0U2RUJC + M05wdVdhWU1oTjZBeTliNDR1V29KN3hKMFN3ClJJQkx2RTRSL2V4ZjR2QmJQUGph + ZUo3UlpPaVc4YjdJbGRkaVhTQmpHVGsKLS0tIFlYMHY2a1FjZ2xobUpKNnRwSDhV + eE1VUmwxNjU0SVAvaWF1dVNKMlV6ZzAKrxZ1g+mkSBNECmd+sf5Z4L7xVDaFw1g/ + hUoFCpjo7fiGS0ru7lhkLzBAwRflWDkpjn75W/18ULaF69bsF9swPQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-08-15T16:24:05Z" - mac: ENC[AES256_GCM,data:QxME2bUjRTBpPpMR1ZWANlF+EskMRJuyylOiRHcPzWu9Bve1rz+4mkNdlUYzf0gdLi8psRc6ko0Jb6IH9lLZxOkMAh2YYaMrzAf3hMRBytiJKX/nUs9tIJv8Lft21nXibeaT/TcT5YNwNvd3nTZgBJcJ5nYwmU1sTn3/Lay5jrY=,iv:0uVxxRg+Dp8oZ43DnbtEx25rQcJ23Ag13eKfvvXukVk=,tag:/4Ufpkh8DCONTEWy4pc5bw==,type:str] + lastmodified: "2024-01-11T22:06:47Z" + mac: 
ENC[AES256_GCM,data:Sg8eZvpifFdLezfcQ8FFwCUzQpCzx+iOrje2E2fVM4AcIcVR/i3zrdCOzJ252W7Fe6mreVpZA0rKKePCEH1A6ZSvjnPKpMvAdhei7BMyIkDs/8VDJMjZOJOWmtLNIwCYIbkwA+cOnFfufnRdSp7/NsqVo+8STOcr4qWAyfDenVQ=,iv:FHFTiD1NtBHslxuTwdmxw3Xb31F9xK6hhKdw0szXfkk=,tag:MbNsGc1ZW1biUOEDFRTSMQ==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ - version: 3.7.3 + version: 3.8.1 diff --git a/kubernetes/bootstrap/flux/git-deploy-key.sops.yaml b/kubernetes/bootstrap/flux/git-deploy-key.sops.yaml index e7d705be..20ab619b 100644 --- a/kubernetes/bootstrap/flux/git-deploy-key.sops.yaml +++ b/kubernetes/bootstrap/flux/git-deploy-key.sops.yaml 
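Review bot: Every `.sops.yaml` in this commit is re-encrypted to `age1eqlaq…`, so the `flux-system/sops-age` Secret this hunk bootstraps must be re-applied to the cluster before the rest of the commit is reconciled; until then the Kustomizations using `decryption.provider: sops` elsewhere in this diff (their `secretRef` name is cut off in those hunks) fail to decrypt and stall, while the superseded key stays resident in the cluster. If, as is usual for this bootstrap file, `age1eqlaq…` is the public half of the key stored in `age.agekey`, this file cannot protect that key from anyone who already holds it — it is a pinned copy, not a safeguard — and a comment above `age.agekey` saying so and naming where the plaintext key is kept out of band (e.g. `# encrypted to its own public key; plaintext lives in the operator password manager`) would save the next maintainer a puzzle. Once the cluster is on the new key, delete the old `age1g786…` private key from workstations and CI, since it still decrypts every historical revision of these files.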
@@ -5,27 +5,27 @@ metadata: name: git-deploy-key namespace: flux-system stringData: - #ENC[AES256_GCM,data:O1eknYe94FguDRRTE4tIv0yQKVJcqHqrHe510i15Kw==,iv:aa5mj7DH/ZEXtqeG+7s/eThK8SYJDT8WmGtwDng9Zh4=,tag:kPuHF2ObA/8IlPzwsuuEqw==,type:comment] - identity: ENC[AES256_GCM,data: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,iv:hn3PwE5mnIgzJNLw+ruu5/jUqFQOpQTYh2oZUdeOplM=,tag:2qttj/0hdChixM7rzaLr5g==,type:str] - #ENC[AES256_GCM,data:yG8yduTJrEB1oGbSQdLwFyDgjbmkT4fcbkvhMj0oCw3Yi9HvSdygq5Uo/2DQ0t+GRzpVqsedrLvB0yciVWpfEaKewXj6neGmMTcsT/llWbSvXS4dHWGBDL6Y/BXVNhyrYLRu,iv:K4dJKqM+AZE8giMcoBOlb9GDnLDCJSyhpWangKsNXkE=,tag:rfRpq8iv+2rwFRJY6sw19A==,type:comment] - known_hosts: ENC[AES256_GCM,data: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,iv:j1jftBGnQlln+7gECyaanotig27AzyHWLFOG5KWX53c=,tag:1NyHwqKx6RpruLKuYPYIxQ==,type:str] + #ENC[AES256_GCM,data:+GbB2yDDUQ4804/B/XphECCkAErDIe+JwXkhuXWDJw==,iv:EFYG8fEaGJt6ZVftO9px4cykuopjQcqNRTLPcT0vK+M=,tag:mPuA+9y+AZDA39/k1a4jmw==,type:comment] + identity: ENC[AES256_GCM,data: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,iv:OEJl0Oo56DsaOxbt43oaynYtUpUYCDaePBz3wGdqKDw=,tag:axW1M4UckNOmodsZWLLEzA==,type:str] + #ENC[AES256_GCM,data:x6ZbaxSmg8cybQLBN60EMMz3b7wcB6zAgcRcPQVr/Y7boCjbVlfdNumSu1/+f2OPJLZLpK+URTqAIhtwDlEwPRabe3MMpQfE3ifKobKPmvws4pvbdPeHG1UEPpGeqh3VJLN8,iv:65mO126WzjKiEJYhjpZnaWftQ2YMnRhak8E2J7X2CfE=,tag:Zof3hhjPzrmOPNWSWkGaEg==,type:comment] + known_hosts: ENC[AES256_GCM,data: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,iv:KsQ5SqWokEmwZPXCFuEVhV2X7c+6rC8ZhqEc7Tc+rT8=,tag:fA1se7HrUltBOGhIg7zG/w==,type:str] sops: kms: [] gcp_kms: [] azure_kv: [] hc_vault: [] age: - - recipient: age1g786w8t40g9y29l33rfd4jqlwhrgsxsc7ped6uju60k54j0q3enql3kfve + - recipient: age1eqlaq205y5jre9hu5hvulywa7w3d4qyxwmafneamxcn7nejesedsf4q9g6 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnbkdZamFHbTVoYXpCdGpx - a214aFQvUUxWSW43SHV2QWFzVjJTeTNiSXhrCnF2VmR5eFlpc3JlcGY0R2J3aWdr - 
aEZSL0gvRzZiYi9ELzZOeVkyRExkM0EKLS0tIGczRVRZY2U3S3F1ZVY2RnJwTWlw - L0s5YXNFUlhmTS9GSkdZNWNJeDlCSm8K8j+Pvu+DUYLjQ27N2dPU8rGXYaZORK4I - n6U4KG2qiRAZn1eVp4t/8/2A5/0UupsrcYyKvXAiMLrpsf9kaq3Xmw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTeS83SmdkZ2daM05UVkpO + RG1jM1lNVDREUGdQZmFuREdOaVIzQkd6MzN3CmdaQnRDbUJwTG9tZ2treFJ2RFFU + NkVWUlVVNlVJd2xSRkU0bUUzZDY0ZGMKLS0tIG8wRzZCZ29Pc0tNb3dVcnVyYWl6 + MmVnNzdNWU83MGl6TzFwNFYydHQ0WFkKMy8Ew8clnoYcNR9qicauSBlLDp8N8qvg + jAMftEoS6bUhSozWW4zCpcRK6hCTi8X+IsHe0niTotGRUZgPgdXUWg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-08-21T21:51:49Z" - mac: ENC[AES256_GCM,data:lXLx3E5CrfeVN6/a9WDVie4Mfn0v7pcadSWmiKoge9B5obhgAIVChSG8d8KFPkAN6gCBi1D/O3ukSogAwASZ2q8t4yUes6YsD3t4aZrADw6YVgOjNDeJHMiaXMP6fQ0ze665NEgyGBnIRxDuaTXHpaNXsiqSHr+51rRHi0S6K2g=,iv:I616VwtsUKqqvDfmu2KiY9i2ODaTD0tZZHaYG8DjyZA=,tag:dKFmvDZWMBsfhnuqAyMm+g==,type:str] + lastmodified: "2024-01-11T22:06:54Z" + mac: ENC[AES256_GCM,data:P1ZUYJ+ZKO7y3ZC9qy/ODizNGohS6VlSLRzXFUw0dG4OSL/4G3lo+YzkOx/ly4oaLRKZAlW9dLONJYPldE1785A3DfUD3YjV+xrF4akxPAkCwer5ikmCEuG+jw+ihOxn+36s5KZhjVt7k+EVOqVAR60Oh62onq5IR608ND6zits=,iv:d3tdmEjvB/n/TquFRE8qs7Lr4O5q8zXaESvqHl5IiVk=,tag:AKo3NuJTDS0ov3jjHJTahA==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ - version: 3.7.3 + version: 3.8.1 diff --git a/kubernetes/bootstrap/hcloud.sops.yaml b/kubernetes/bootstrap/hcloud.sops.yaml deleted file mode 100644 index 27e964d0..00000000 --- a/kubernetes/bootstrap/hcloud.sops.yaml +++ /dev/null 
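Review bot: `identity` is re-encrypted (new iv and tag) but nothing in the hunk shows that the SSH deploy key itself was regenerated, and its earlier ciphertext remains in git history under the old recipient `age1g786…`; rotating the age key only protects this credential if the deploy key is replaced too and the old public key is removed from the forge. With the `GitRepository` renamed to `homelab` in this commit, check that the key registered on the target repository is read-only (nothing visible here needs push) and that `known_hosts` carries the host key of the forge actually being fetched from — a stale entry fails closed, which is the desired failure mode. Adding a SOPS-encrypted comment above `identity` recording the key's creation date and the repository it is bound to (comments in `stringData` are stored as `type:comment` and remain encrypted) would make the next rotation auditable.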
@@ -1,30 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: hcloud - namespace: kube-system -stringData: - ROBOT_ENABLED: ENC[AES256_GCM,data:tTSnWw==,iv:rSrqYIiQSOv6G0QxSYVU6DtW7b3PT7XNF/1pWx68M1g=,tag:2m6YXewARCcyXTjZGimodQ==,type:str] - token: ENC[AES256_GCM,data:DzLwUiv5JH/S6OBrzgNp0NO5U/7w0Pq2YtQ7uOAfg7Iw90qzGlzc8CqzlQOw0jHv91LzCUgjpeZn9QP93Dgprw==,iv:T6rqz1HmdKATl+8ov5qclhAo/NzHQTIN6eRSiCEyiZU=,tag:39VZ8N96NEXgvXTPQ/vvBA==,type:str] - robot-password: ENC[AES256_GCM,data:OeITzLUpgj03MyQ2n+SYgwykcw==,iv:9ZdbQW4ZAtqmGEiR4KBsziRXMAoHGHcBYXiwjep5H2A=,tag:4eGKJTfn0+NARz1k7j8jXA==,type:str] - robot-user: ENC[AES256_GCM,data:Cy2ilSDCVNaxES0N,iv:fs/fu9OOhNPDwgnw1xV8SPtbzlbDkbynvL4Z5L6aO2o=,tag:n2+BeAx8HLtD4rFbKMdUqw==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1g786w8t40g9y29l33rfd4jqlwhrgsxsc7ped6uju60k54j0q3enql3kfve - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSaVJMaEQvSGw1Y3h1WXVi - TGFnM1dTaHRaUEtOaVl5anpKazZjbVRpckIwCi9Bc1BueHYvMUljdWRrZFVpQldJ - bkRVMWJIdmdubGJXL2NOeUloV3RXQ0EKLS0tIEZadWZJcytYZW5ZdmtFbGcrUjZN - SGkvdTBIM1hxMTREL1JDT0NCcXo0ckUKW3fJ509OnrgKxLvWHALLvA4Ha91pN+GM - JRdKi8tSlyVEpFgumeOsan3fIrsi9urgqYjMuW5e6ApMZ8/2522MWA== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-12-12T18:16:51Z" - mac: ENC[AES256_GCM,data:m3jplww3Pv4UnCIdyJ2DEkA95U5+Ovddk2DhEG7KhVQ/PTtG31UFCHdoBIgHf0ZcYmAYRLeyvUfRmi19I+h0h1eDrlbTwpFSYByunLvJZqk2Dp9WWCyGnoJ2Wh/dzW/pcLRSJCZWPxUGPR48cyZTlzg+iZHm760kbXQmzAE+ZHc=,iv:xxyyd9IaTtd+Te+2T156/c+842GVeOoPEs+IBZibWrk=,tag:EruEq5+6kU+nme9NydF/bg==,type:str] - pgp: [] - encrypted_regex: ^(data|stringData)$ - version: 3.8.1 diff --git a/kubernetes/flux/cluster-apps.yaml b/kubernetes/flux/cluster-apps.yaml index 63f48012..2bfa9a16 100644 --- a/kubernetes/flux/cluster-apps.yaml +++ b/kubernetes/flux/cluster-apps.yaml 
@@ -11,7 +11,7 @@ spec:
prune: true
sourceRef:
kind: GitRepository
- name: valinor
+ name: homelab
decryption:
provider: sops
secretRef:
diff --git a/kubernetes/flux/config/cluster.yaml b/kubernetes/flux/config/cluster.yaml
index 87829e01..60ca0c55 100644
--- a/kubernetes/flux/config/cluster.yaml
+++ b/kubernetes/flux/config/cluster.yaml
@@ -3,7 +3,7 @@
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
- name: valinor
+ name: homelab
namespace: flux-system
spec:
interval: 30m
@@ -31,7 +31,7 @@ spec:
wait: false
sourceRef:
kind: GitRepository
- name: valinor
+ name: homelab
decryption:
provider: sops
secretRef:
diff --git a/kubernetes/flux/vars/cluster-secrets.sops.yaml b/kubernetes/flux/vars/cluster-secrets.sops.yaml
index d4d03f53..b94ff80e 100644
--- a/kubernetes/flux/vars/cluster-secrets.sops.yaml
+++ b/kubernetes/flux/vars/cluster-secrets.sops.yaml
@@ -4,28 +4,28 @@ metadata: name: cluster-secrets namespace: flux-system stringData: - SECRET_PUSHOVER_USERKEY: ENC[AES256_GCM,data:MeaD8iRbieNr5W9PqpjZ5ywdbMijX9nYQJbbVj6s,iv:42QymFlr47PYNjorJc5tgDjzZ9WHPVIk543GGChalVM=,tag:qyk1chI/IpPdfyEMdOqsbQ==,type:str] - SECRET_PUSHOVER_ALERT_MANAGER_APIKEY: ENC[AES256_GCM,data:4+9e/tWQBszoPakAo+1vNhWsdKz8qfoioeUz+dTb,iv:sY4dkzMEmvi8kCLesBiknmoYHWq3uqXpWs5Y4FeFSuk=,tag:rPxH+5m6rPiSnhm2JrrT4w==,type:str] - SECRET_HEALTHCHECKS_WEBHOOK: ENC[AES256_GCM,data:a6hjTy2HRy7s2+KHxfop8077CgAzzILCF/g5I9TIXdhRiziUrLpJVzC0mqNmfdooJsZyErrJ9ihamFKLFoK8S/PmD5IgWuZu,iv:l5JTxmiWct5nr7eJM/Rtl7AclhCoIQ4KW6nJK6Slhg0=,tag:K5yGxYBTNSSoxYJt8Kmhyw==,type:str] - SECRET_CLOUDFLARE_ACCOUNT_ID: ENC[AES256_GCM,data:X63a7aMBMyd9Be6bik0knOyMXnYx/Kg3SoOrG0bkAHU=,iv:POcU1kIRWekrzUdzqPopKDovviK+fMZRVuZVWp9Vuuc=,tag:n9UamxITJCiLbH37Ta2lTg==,type:str] - K8S_SERVICE_ENDPOINT: ENC[AES256_GCM,data:mons7ADYFZv+PjnGpAg=,iv:vRkH6yn+nr2azS+kWOCG9rayB/X/02OlmQVhaIsJDkQ=,tag:RyPwMRcWgQV2kKFa6YQtMg==,type:str] + SECRET_PUSHOVER_USERKEY: ENC[AES256_GCM,data:HknjiEQXIa1zntN4yOlTQ/buKx2xppiQV7faAxIe,iv:A9sMptT1QcgQvuP8jqPUZDjqTa56kbsLBjITQvPQyF8=,tag:Sa5PIweT7OYuoq5YG43rpA==,type:str] + SECRET_PUSHOVER_ALERT_MANAGER_APIKEY: ENC[AES256_GCM,data:n0cFsAwCX1/y5HhsNxr/c2KT/5dzt55Ygi17rX+OV7cwKPKMImmLinb6GhD9fDIz1AINGBijXuXvD8TL,iv:4nwdHlSJEUSyMEDvh+5mhONXCGTJ3qyTITwG6CxeG3A=,tag:kurCrF2rGQFBF2u7Hhinuw==,type:str] + SECRET_HEALTHCHECKS_WEBHOOK: ENC[AES256_GCM,data:YG8/g4i8inIQnCIsQyEkPdNyVmbFYU4bhixacOEEEcuJMl8ax8TH1yBRl5ziQmBggp/CETorWCmNiC3jkUXYYta/znlo76T5,iv:SGdg9htpyFP38jbAJDg+zq4Rs+axgM5m3SsgBG38Bu8=,tag:TTIVFki9e03rqVvNmtsFuw==,type:str] + SECRET_CLOUDFLARE_ACCOUNT_ID: ENC[AES256_GCM,data:bKGSKh/TxNtCMRa83/i44fX7XC5mRxBLVeZ94UltjOo=,iv:Ji0tUnrvDywxMeCvNwBrG/a8JVudfK4sXYL8q0i/cz8=,tag:j4Bwvcz73RdIInsiz0F0JA==,type:str] + K8S_SERVICE_ENDPOINT: ENC[AES256_GCM,data:3s9EeJwFzDQ=,iv:a4oU9bf7ESscw6o9YqhBx8kRm/rL1l2ydjjd1ngn/P0=,tag:TAwJ2UmFuEHeHsEhfiVH9g==,type:str] sops: kms: [] 
gcp_kms: [] azure_kv: [] hc_vault: [] age: - - recipient: age1g786w8t40g9y29l33rfd4jqlwhrgsxsc7ped6uju60k54j0q3enql3kfve + - recipient: age1eqlaq205y5jre9hu5hvulywa7w3d4qyxwmafneamxcn7nejesedsf4q9g6 enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzNUJOSGgzempjQS9ZQVlo - citDR1Vta2ZHWHJYNElySzA4a1ZIdktQREhFCnZyQlYvYlhRbDlwYVkxZmZJYm5S - TEU0c2R4WkFWZGNEcjYyTHE3MmVLT0kKLS0tIHZwQWNGYks1alNnYVAyOWZsL1J2 - dDhWMDZYait3UzNRZy9oVk85cHBPdEUKa7e22jHlW1chaLDKBB1in8ZTFnfKMXug - QJQ/9z6z/RjmnnFam2FWg++Xg2A8LQ7XTZcfR97csf59DQ/xwu7sVw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwSC9CNFkwMHVLd0dWb0Jq + cnN0OUJzYVlYV2VRS3p2ek5UcHl4TXNQckhjCnlHQTVNNmdyZFF6RXhETlBzSW9v + S00ra2k2Y0VyWnJjcU9oWG5XVGJDQkkKLS0tIHB2bGxDOWhWci81aGViVFlsL0JE + ZGRUUFpKTXpjWW9HQ0R1VDk2RmVmQ2MKJwHW3q0vCZClJFfDrWSLw6C43vWVfyLr + 1ACvmNWml+xv/MOQwoRRMx6OVF74X83UyTFdVrXXk7SkzRcwQr4j+A== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-01-02T23:49:24Z" - mac: ENC[AES256_GCM,data:OZzwxpqsXk2tfWmDRjWdmRZaP1pc0HRAuxt1om1Q0yN0R7LTafyRaKdWRdDYi7g76/C8qvSwgT72If5u+M10Q/KKNDy/PavDKn9yMHLkYkdmnXCbyxuWCFqlDoVoOQyPG3H4+ahZkYDnXwzcScR8klTZxdG2n5xO6FJc3PKJFlk=,iv:f2d0J2vG3amQ5UCowNU4U9X+siuWq43uq3nLndoy76A=,tag:ZbfWo82UhiR1AOh93WkpLQ==,type:str] + lastmodified: "2024-01-11T22:06:29Z" + mac: ENC[AES256_GCM,data:kpt0cEtZo9e2wRcnbp7VosxzVdRTUsnNOmCfjFW/6dAVt3PQuck4hoQ+5ZVO/kL02JDxfLFDaSrbEGwWyf3pwvWV0IQHPFH1W0DcgHe0bSHLBB1AAufISuaQ+OfrO6igYiUjJ1ijk8sErT64qY0WN1NTnMbhbGpXrmKl9jSxpbc=,iv:bVeu6F3V6dkx/VvHume/KdxVPArMzPCkTS+e5M9+ru8=,tag:u8MdtwtUcbk2/XFvdfvomw==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.8.1 diff --git a/kubernetes/flux/vars/cluster-settings.yaml b/kubernetes/flux/vars/cluster-settings.yaml index 03797941..f9d9366c 100644 --- a/kubernetes/flux/vars/cluster-settings.yaml +++ b/kubernetes/flux/vars/cluster-settings.yaml @@ -5,4 +5,4 @@ metadata: name: cluster-settings namespace: flux-system data: - CLUSTER_NAME: valinor + CLUSTER_NAME: homelab