jahanson/theshire
1
0
Fork 0
Code Issues 1 Pull requests 3 Projects Releases Packages Wiki Activity Actions

More scaffolding for homelab.

Browse source
This commit is contained in:
Joseph Hanson 2024-01-11 17:50:28 -06:00
parent 645ed81c88
commit 08ac08c6a8
50 changed files with 115 additions and 784 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

2
.pre-commit-config.yaml
View file

@ -9,7 +9,7 @@ exclude: |
repos: repos:
- repo: https://github.com/adrienverge/yamllint - repo: https://github.com/adrienverge/yamllint
rev: v1.32.0 rev: v1.33.0
hooks: hooks:
- id: yamllint - id: yamllint
args: args:

12
.sops.yaml
View file

@ -2,14 +2,14 @@
creation_rules: creation_rules:
- path_regex: kubernetes/.*\.sops\.ya?ml - path_regex: kubernetes/.*\.sops\.ya?ml
encrypted_regex: "^(data|stringData)$" encrypted_regex: "^(data|stringData)$"
# Valinor # Homelab
age: >- age: >-
age1g786w8t40g9y29l33rfd4jqlwhrgsxsc7ped6uju60k54j0q3enql3kfve age1eqlaq205y5jre9hu5hvulywa7w3d4qyxwmafneamxcn7nejesedsf4q9g6
- path_regex: .*\.sops\.(env|ini|json|toml) - path_regex: .*\.sops\.(env|ini|json|toml)
# Valinor # Homelab
age: >- age: >-
age1g786w8t40g9y29l33rfd4jqlwhrgsxsc7ped6uju60k54j0q3enql3kfve age1eqlaq205y5jre9hu5hvulywa7w3d4qyxwmafneamxcn7nejesedsf4q9g6
- path_regex: (ansible|terraform|talos)/.*\.sops\.ya?ml - path_regex: (ansible|terraform|talos)/.*\.sops\.ya?ml
# Valinor # Homelab
age: >- age: >-
age1g786w8t40g9y29l33rfd4jqlwhrgsxsc7ped6uju60k54j0q3enql3kfve age1eqlaq205y5jre9hu5hvulywa7w3d4qyxwmafneamxcn7nejesedsf4q9g6

22
kubernetes/apps/cert-manager/cert-manager/issuers/dnsimple/dnsimple-issuer-rbac.yaml
View file

@ -1,22 +0,0 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: flow-schema-reader
rules:
- apiGroups: ["flowcontrol.apiserver.k8s.io"]
resources: ["flowschemas", "prioritylevelconfigurations"]
verbs: ["list", "watch"]
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: grant-flow-schema-permission
subjects:
- kind: ServiceAccount
name: dnsimple-issuer-cert-manager-webhook-dnsimple
namespace: cert-manager
roleRef:
kind: ClusterRole
name: flow-schema-reader
apiGroup: rbac.authorization.k8s.io

23
kubernetes/apps/cert-manager/cert-manager/issuers/dnsimple/externalsecret.yaml
View file

@ -1,23 +0,0 @@
---
# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: dnsimple-api-token
namespace: cert-manager
spec:
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
target:
name: dnsimple-api-token
creationPolicy: Owner
data:
- secretKey: api-token
remoteRef:
key: DNSimple
property: cert-manager
- secretKey: letsencrypt-email
remoteRef:
key: DNSimple
property: letsencrypt-email

36
kubernetes/apps/cert-manager/cert-manager/issuers/dnsimple/helmrelease.yaml
View file

@ -1,36 +0,0 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta2.json
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
name: dnsimple-issuer
namespace: cert-manager
spec:
interval: 30m
chart:
spec:
chart: cert-manager-webhook-dnsimple
version: 0.0.11
interval: 30m
sourceRef:
kind: HelmRepository
name: jahanson
namespace: flux-system
values:
controller:
annotations:
reloader.stakater.com/auto: "true"
dnsimple:
token:
valueFrom:
secretKeyRef:
name: dnsimple-api-token
key: api-token
clusterIssuer:
email:
valueFrom:
secretKeyRef:
name: dnsimple-api-token
key: letsencrypt-email
containerport: 8443

22
kubernetes/apps/cert-manager/cert-manager/issuers/dnsimple/issuer-letsencrypt-prod.yaml
View file

@ -1,22 +0,0 @@
---
# yaml-language-server: $schema=https://ks.hsn.dev/cert-manager.io/clusterissuer_v1.json
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-dnsimple-production
spec:
acme:
email: "joe@veri.dev"
preferredChain: ""
privateKeySecretRef:
name: letsencrypt-dnsimple-production
server: https://acme-v02.api.letsencrypt.org/directory
solvers:
- dns01:
webhook:
config:
tokenSecretRef:
key: api-token
name: dnsimple-api-token
solverName: dnsimple
groupName: acme.jahanson.com

21
kubernetes/apps/cert-manager/cert-manager/issuers/dnsimple/issuer-letsencrypt-staging.yaml
View file

@ -1,21 +0,0 @@
---
# yaml-language-server: $schema=https://ks.hsn.dev/cert-manager.io/clusterissuer_v1.json
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: letsencrypt-staging
spec:
acme:
preferredChain: ""
privateKeySecretRef:
name: letsencrypt-staging
server: https://acme-staging-v02.api.letsencrypt.org/directory
solvers:
- dns01:
webhook:
config:
tokenSecretRef:
key: api-token
name: dnsimple-api-token
solverName: dnsimple
groupName: acme.jahanson.com

5
kubernetes/apps/cert-manager/cert-manager/issuers/kustomization.yaml
View file

@ -4,11 +4,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
namespace: cert-manager namespace: cert-manager
resources: resources:
- ./dnsimple/externalsecret.yaml
- ./dnsimple/issuer-letsencrypt-prod.yaml
- ./dnsimple/issuer-letsencrypt-staging.yaml
- ./dnsimple/dnsimple-issuer-rbac.yaml
- ./dnsimple/helmrelease.yaml
- ./cloudflare/externalsecret.yaml - ./cloudflare/externalsecret.yaml
- ./cloudflare/issuer-letsencrypt-prod.yaml - ./cloudflare/issuer-letsencrypt-prod.yaml
- ./cloudflare/issuer-letsencrypt-staging.yaml - ./cloudflare/issuer-letsencrypt-staging.yaml

4
kubernetes/apps/cert-manager/cert-manager/ks.yaml
View file

@ -11,7 +11,7 @@ spec:
prune: true prune: true
sourceRef: sourceRef:
kind: GitRepository kind: GitRepository
name: valinor name: homelab
wait: true wait: true
--- ---
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
@ -26,7 +26,7 @@ spec:
prune: true prune: true
sourceRef: sourceRef:
kind: GitRepository kind: GitRepository
name: valinor name: homelab
wait: false wait: false
dependsOn: dependsOn:
- name: cluster-apps-cert-manager - name: cluster-apps-cert-manager

2
kubernetes/apps/default/jellyfin/ks.yaml
View file

@ -12,7 +12,7 @@ spec:
prune: true prune: true
sourceRef: sourceRef:
kind: GitRepository kind: GitRepository
name: valinor name: homelab
wait: false wait: false
interval: 30m interval: 30m
retryInterval: 1m retryInterval: 1m

4
kubernetes/apps/default/rocky-nessa.yaml → kubernetes/apps/default/rocky-nenya.yaml
View file

@ -1,10 +1,10 @@
apiVersion: v1 apiVersion: v1
kind: Pod kind: Pod
metadata: metadata:
name: rocky-nessa name: rocky-nenya
namespace: default namespace: default
spec: spec:
nodeName: nessa nodeName: nenya
containers: containers:
- name: rocky - name: rocky
image: rockylinux:9 image: rockylinux:9

20
kubernetes/apps/default/rocky-nienna.yaml
View file

@ -1,20 +0,0 @@
apiVersion: v1
kind: Pod
metadata:
name: rocky-nienna
namespace: default
spec:
nodeName: nienna
containers:
- name: rocky
image: rockylinux:9
securityContext:
privileged: true
command: ["/bin/bash", "-c", "while true; do sleep 10; done"]
resources:
requests:
cpu: 100m
memory: 512Mi
limits:
cpu: 4000m
memory: 4000Mi

1
kubernetes/apps/default/ubuntu.yaml → kubernetes/apps/default/ubuntu-nenya.yaml
View file

@ -4,6 +4,7 @@ metadata:
name: ubuntu name: ubuntu
namespace: default namespace: default
spec: spec:
nodeName: nenya
containers: containers:
- name: ubuntu - name: ubuntu
image: ubuntu:latest image: ubuntu:latest

4
kubernetes/apps/flux-system/add-ons/ks.yaml
View file

@ -13,7 +13,7 @@ spec:
prune: true prune: true
sourceRef: sourceRef:
kind: GitRepository kind: GitRepository
name: valinor name: homelab
wait: true wait: true
--- ---
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
@ -30,5 +30,5 @@ spec:
prune: true prune: true
sourceRef: sourceRef:
kind: GitRepository kind: GitRepository
name: valinor name: homelab
wait: true wait: true

22
kubernetes/apps/kube-system/cilium/app/helmrelease.yaml
View file

@ -27,7 +27,7 @@ spec:
keepHistory: false keepHistory: false
values: values:
cluster: cluster:
name: valinor name: homelab
id: 1 id: 1
hubble: hubble:
relay: relay:
@ -35,7 +35,6 @@ spec:
ui: ui:
enabled: true enabled: true
metrics: metrics:
# enabled: "{dns,drop,tcp,flow,port-distribution,icmp,httpV2:exemplars=true;labelsContext=source_ip,source_namespace,source_workload,destination_ip,destination_namespace,destination_workload,traffic_direction}"
enableOpenMetrics: true enableOpenMetrics: true
prometheus: prometheus:
enabled: true enabled: true
@ -50,26 +49,7 @@ spec:
enabled: true # enable host policies enabled: true # enable host policies
extraConfig: extraConfig:
allow-localhost: policy # enable policies for localhost allow-localhost: policy # enable policies for localhost
kubeProxyReplacement: true kubeProxyReplacement: true
securityContext:
capabilities:
ciliumAgent:
- CHOWN
- KILL
- NET_ADMIN
- NET_RAW
- IPC_LOCK
- SYS_ADMIN
- SYS_RESOURCE
- DAC_OVERRIDE
- FOWNER
- SETGID
- SETUID
cleanCiliumState:
- NET_ADMIN
- SYS_ADMIN
- SYS_RESOURCE
k8sServiceHost: ${K8S_SERVICE_ENDPOINT} k8sServiceHost: ${K8S_SERVICE_ENDPOINT}
k8sServicePort: 6443 k8sServicePort: 6443
rollOutCiliumPods: true rollOutCiliumPods: true

9
kubernetes/apps/kube-system/cilium/app/netpols/allow-same-ns.yaml
View file

@ -1,9 +0,0 @@
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: allow-ns-ingress
spec:
podSelector: {}
ingress:
- from:
- podSelector: {}

2
kubernetes/apps/kube-system/cilium/ks.yaml
View file

@ -13,5 +13,5 @@ spec:
prune: true prune: true
sourceRef: sourceRef:
kind: GitRepository kind: GitRepository
name: valinor name: homelab
wait: false wait: false

1
kubernetes/apps/kube-system/kustomization.yaml
View file

@ -7,5 +7,4 @@ resources:
- ./namespace.yaml - ./namespace.yaml
# Flux-Kustomizations # Flux-Kustomizations
- ./cilium/ks.yaml - ./cilium/ks.yaml
- ./hccm/ks.yaml
- ./metrics-server/ks.yaml - ./metrics-server/ks.yaml

2
kubernetes/apps/kube-system/metrics-server/ks.yaml
View file

@ -13,5 +13,5 @@ spec:
prune: true prune: true
sourceRef: sourceRef:
kind: GitRepository kind: GitRepository
name: valinor name: homelab
wait: true wait: true

4
kubernetes/apps/kyverno/kyverno/ks.yaml
View file

@ -10,7 +10,7 @@ spec:
prune: true prune: true
sourceRef: sourceRef:
kind: GitRepository kind: GitRepository
name: valinor name: homelab
wait: true wait: true
interval: 30m interval: 30m
retryInterval: 1m retryInterval: 1m
@ -29,7 +29,7 @@ spec:
prune: true prune: true
sourceRef: sourceRef:
kind: GitRepository kind: GitRepository
name: valinor name: homelab
wait: false wait: false
interval: 30m interval: 30m
retryInterval: 1m retryInterval: 1m

2
kubernetes/apps/network/echo-server/ks.yaml
View file

@ -13,5 +13,5 @@ spec:
prune: true prune: true
sourceRef: sourceRef:
kind: GitRepository kind: GitRepository
name: valinor name: homelab
wait: true wait: true

19
kubernetes/apps/network/external-dns/app/valinor-social/externalsecret.yaml
View file

@ -1,19 +0,0 @@
---
# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: externaldns-valinor-social-secrets
namespace: cert-manager
spec:
secretStoreRef:
kind: ClusterSecretStore
name: onepassword-connect
target:
name: externaldns-valinor-social-secrets
creationPolicy: Owner
data:
- secretKey: dnsimple_api_token
remoteRef:
key: DNSimple
property: external-dns

70
kubernetes/apps/network/external-dns/app/valinor-social/helmrelease.yaml
View file

@ -1,70 +0,0 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta2.json
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
name: &name externaldns-valinor-social
namespace: network
spec:
interval: 30m
chart:
spec:
chart: external-dns
version: 1.13.1
sourceRef:
kind: HelmRepository
name: kubernetes-sigs-external-dns
namespace: flux-system
interval: 30m
values:
fullnameOverride: *name
domainFilters:
- valinor.social
env:
- name: DNSIMPLE_OAUTH
valueFrom:
secretKeyRef:
name: externaldns-valinor-social-secrets
key: dnsimple_api_token
serviceMonitor:
enabled: true
extraArgs:
- --crd-source-apiversion=externaldns.k8s.io/v1alpha1
- --crd-source-kind=DNSEndpoint
- --annotation-filter=external-dns.alpha.kubernetes.io/target
podAnnotations:
secret.reloader.stakater.com/reload: externaldns-valinor-social-secrets
policy: sync
provider: dnsimple
resources:
requests:
cpu: 5m
memory: 100Mi
limits:
memory: 100Mi
sources:
- ingress
- crd
txtPrefix: "k8s."
postRenderers:
- kustomize:
patches:
- target:
version: v1
kind: Deployment
name: *name
patch: |
- op: add
path: /spec/template/spec/enableServiceLinks
value: false

8
kubernetes/apps/network/external-dns/app/valinor-social/kustomization.yaml
View file

@ -1,8 +0,0 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: network
resources:
- ./helmrelease.yaml
- ./externalsecret.yaml

40
kubernetes/apps/network/external-dns/ks.yaml
View file

@ -13,45 +13,7 @@ spec:
prune: true prune: true
sourceRef: sourceRef:
kind: GitRepository kind: GitRepository
name: valinor name: homelab
wait: true
dependsOn:
- name: cluster-apps-external-secrets-stores
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: cluster-apps-externaldns-valinor-social
namespace: flux-system
labels:
substitution.flux.home.arpa/enabled: "true"
spec:
interval: 10m
path: "./kubernetes/apps/network/external-dns/app/valinor-social"
prune: true
sourceRef:
kind: GitRepository
name: valinor
wait: true
dependsOn:
- name: cluster-apps-external-secrets-stores
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: cluster-apps-externaldns-shared
namespace: flux-system
labels:
substitution.flux.home.arpa/enabled: "true"
spec:
interval: 10m
path: "./kubernetes/apps/network/external-dns/app/shared"
prune: true
sourceRef:
kind: GitRepository
name: valinor
wait: true wait: true
dependsOn: dependsOn:
- name: cluster-apps-external-secrets-stores - name: cluster-apps-external-secrets-stores

0
kubernetes/apps/network/ingress-nginx/app/certificate.yaml → kubernetes/apps/network/ingress-nginx/external/certificate.yaml vendored
View file

15
kubernetes/apps/network/ingress-nginx/app/externalsecret.yaml → kubernetes/apps/network/ingress-nginx/external/externalsecret.yaml vendored
View file

@ -10,10 +10,11 @@ spec:
kind: ClusterSecretStore kind: ClusterSecretStore
name: onepassword-connect name: onepassword-connect
target: target:
name: nginx-ingress-secrets name: nginx-external-maxmind-secret
creationPolicy: Owner template:
data: engineVersion: v2
- secretKey: nginx-ingress-bouncer-apikey data:
remoteRef: MAXMIND_LICENSE_KEY: "{{ .homelab_nginx }}"
key: Crowdsec dataFrom:
property: nginx-ingress-bouncer - extract:
key: maxmind

51
kubernetes/apps/network/ingress-nginx/app/helmrelease.yaml → kubernetes/apps/network/ingress-nginx/external/helmrelease.yaml vendored
View file

@ -15,6 +15,11 @@ spec:
name: ingress-nginx name: ingress-nginx
namespace: flux-system namespace: flux-system
interval: 30m interval: 30m
valuesFrom:
- targetPath: controller.maxmindLicenseKey
kind: Secret
name: nginx-external-maxmind-secret
valuesKey: MAXMIND_LICENSE_KEY
values: values:
controller: controller:
replicaCount: 2 replicaCount: 2
@ -26,10 +31,8 @@ spec:
enabled: true enabled: true
type: LoadBalancer type: LoadBalancer
annotations: annotations:
load-balancer.hetzner.cloud/location: fsn1 external-dns.alpha.kubernetes.io/hostname: external.hsn.dev
load-balancer.hetzner.cloud/protocol: tcp io.cilium/lb-ipam-ips: 10.45.0.2
load-balancer.hetzner.cloud/name: hsn-nginx
load-balancer.hetzner.cloud/uses-proxyprotocol: true
publishService: publishService:
enabled: true enabled: true
@ -43,27 +46,33 @@ spec:
any: true any: true
ingressClassResource: ingressClassResource:
name: hsn-nginx name: external
default: true default: true
config: config:
block-user-agents: "GPTBot,~*GPTBot*,ChatGPT-User,~*ChatGPT-User*,Google-Extended,~*Google-Extended*,CCBot,~*CCBot*,Omgilibot,~*Omgilibot*,FacebookBot,~*FacebookBot*" # taken from https://github.com/superseriousbusiness/gotosocial/blob/main/internal/web/robots.go block-user-agents: "GPTBot,~*GPTBot*,ChatGPT-User,~*ChatGPT-User*,Google-Extended,~*Google-Extended*,CCBot,~*CCBot*,Omgilibot,~*Omgilibot*,FacebookBot,~*FacebookBot*" # taken from https://github.com/superseriousbusiness/gotosocial/blob/main/internal/web/robots.go
client-header-timeout: 120 client-body-buffer-size: 100M
client-body-buffer-size: "100M"
client-body-timeout: 120 client-body-timeout: 120
client-header-timeout: 120
enable-brotli: "true" enable-brotli: "true"
enable-ocsp: "true" enable-ocsp: "true"
enable-real-ip: "true" enable-real-ip: "true"
use-proxy-protocol: "true"
hide-headers: Server,X-Powered-By hide-headers: Server,X-Powered-By
hsts-max-age: "31449600" hsts-max-age: 31449600
keep-alive: 120
keep-alive-requests: 10000 keep-alive-requests: 10000
keep-alive: 120
log-format-escape-json: "true"
log-format-upstream: >
{"time": "$time_iso8601", "remote_addr": "$proxy_protocol_addr", "x_forwarded_for": "$proxy_add_x_forwarded_for",
"request_id": "$req_id", "remote_user": "$remote_user", "bytes_sent": $bytes_sent, "request_time": $request_time,
"status": $status, "vhost": "$host", "request_proto": "$server_protocol", "path": "$uri", "request_query": "$args",
"request_length": $request_length, "duration": $request_time, "method": "$request_method", "http_referrer": "$http_referer",
"http_user_agent": "$http_user_agent", "country_code": "$geoip2_city_country_code", "country_name": "$geoip2_city_country_name"}
proxy-body-size: 0 proxy-body-size: 0
proxy-buffer-size: "16k" proxy-buffer-size: 16k
ssl-protocols: "TLSv1.3 TLSv1.2" ssl-protocols: TLSv1.3 TLSv1.2
use-geoip2: true
use-forwarded-headers: "true" use-forwarded-headers: "true"
extraArgs: extraArgs:
default-ssl-certificate: "network/hsn-dev-tls" default-ssl-certificate: "network/hsn-dev-tls"
@ -75,24 +84,10 @@ spec:
matchLabels: matchLabels:
app.kubernetes.io/instance: ingress-nginx-hsn app.kubernetes.io/instance: ingress-nginx-hsn
app.kubernetes.io/component: controller app.kubernetes.io/component: controller
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app.kubernetes.io/component
operator: In
values:
- controller
- key: app.kubernetes.io/instance
operator: In
values:
- ingress-nginx-hsn
topologyKey: kubernetes.io/hostname
resources: resources:
requests: requests:
cpu: 23m cpu: 100m
memory: 381M memory: 381M
defaultBackend: defaultBackend:

0
kubernetes/apps/network/ingress-nginx/app/kustomization.yaml → kubernetes/apps/network/ingress-nginx/external/kustomization.yaml vendored
View file

8
kubernetes/apps/network/ingress-nginx/ks.yaml
View file

@ -3,17 +3,17 @@
apiVersion: kustomize.toolkit.fluxcd.io/v1 apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization kind: Kustomization
metadata: metadata:
name: cluster-apps-ingress-nginx name: cluster-apps-ingress-nginx-external
namespace: flux-system namespace: flux-system
labels: labels:
substitution.flux.home.arpa/enabled: "true" substitution.flux.home.arpa/enabled: "true"
spec: spec:
interval: 10m interval: 10m
path: "./kubernetes/apps/network/ingress-nginx/app" path: "./kubernetes/apps/network/ingress-nginx/external"
prune: true prune: true
sourceRef: sourceRef:
kind: GitRepository kind: GitRepository
name: valinor name: homelab
wait: true wait: true
dependsOn: dependsOn:
- name: cluster-apps-cert-manager-issuers - name: cluster-apps-cert-manager-issuers
@ -32,7 +32,7 @@ spec:
# prune: true # prune: true
# sourceRef: # sourceRef:
# kind: GitRepository # kind: GitRepository
# name: valinor # name: homelab
# wait: true # wait: true
# dependsOn: # dependsOn:
# - name: cluster-apps-cert-manager-issuers # - name: cluster-apps-cert-manager-issuers

16
kubernetes/apps/network/ingress-nginx/mastodon/certificate.yaml
View file

@ -1,16 +0,0 @@
---
# yaml-language-server: $schema=https://ks.hsn.dev/cert-manager.io/certificate_v1.json
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: "valinor-social"
namespace: network
spec:
secretName: "valinor-social-tls"
issuerRef:
name: letsencrypt-dnsimple-production
kind: ClusterIssuer
commonName: "valinor.social"
dnsNames:
- "valinor.social"
- "*.valinor.social"

16
kubernetes/apps/network/ingress-nginx/peertube/certificate.yaml
View file

@ -1,16 +0,0 @@
---
# yaml-language-server: $schema=https://ks.hsn.dev/cert-manager.io/certificate_v1.json
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: "khazadtube-tv"
namespace: network
spec:
secretName: "khazadtube-tv-tls"
issuerRef:
name: letsencrypt-dnsimple-production
kind: ClusterIssuer
commonName: "khazadtube.tv"
dnsNames:
- "khazadtube.tv"
- "*.khazadtube.tv"

108
kubernetes/apps/network/ingress-nginx/peertube/helmrelease.yaml
View file

@ -1,108 +0,0 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta2.json
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
name: ingress-nginx-peertube
spec:
interval: 30m
chart:
spec:
chart: ingress-nginx
version: 4.9.0
sourceRef:
kind: HelmRepository
name: ingress-nginx
namespace: flux-system
interval: 30m
values:
controller:
replicaCount: 3
updateStrategy:
type: RollingUpdate
allowSnippetAnnotations: true
enableAnnotationValidations: true
service:
enabled: true
type: LoadBalancer
annotations:
load-balancer.hetzner.cloud/location: fsn1
load-balancer.hetzner.cloud/protocol: tcp
load-balancer.hetzner.cloud/name: peertube-nginx
load-balancer.hetzner.cloud/use-private-ip: false
load-balancer.hetzner.cloud/uses-proxyprotocol: true
publishService:
enabled: true
metrics:
enabled: true
serviceMonitor:
enabled: true
namespace: network
namespaceSelector:
any: true
ingressClassResource:
name: peertube-nginx
default: false
config:
block-user-agents: "GPTBot,~*GPTBot*,ChatGPT-User,~*ChatGPT-User*,Google-Extended,~*Google-Extended*,CCBot,~*CCBot*,Omgilibot,~*Omgilibot*,FacebookBot,~*FacebookBot*" # taken from https://github.com/superseriousbusiness/gotosocial/blob/main/internal/web/robots.go
client-header-timeout: 120
client-body-buffer-size: "100M"
client-body-timeout: 120
enable-brotli: "true"
enable-ocsp: "true"
enable-real-ip: "true"
use-proxy-protocol: "true"
hide-headers: Server,X-Powered-By
hsts-max-age: "31449600"
keep-alive: 120
keep-alive-requests: 10000
proxy-body-size: 0
proxy-buffer-size: "16k"
ssl-protocols: "TLSv1.3 TLSv1.2"
use-forwarded-headers: "true"
server-snippet: |
resolver local=on ipv6=off;
ssl_stapling on;
ssl_stapling_verify on;
ssl-echd-curve: "secp384r1"
ssl-session-timeout: "1d"
ssl-session-cache: "shared:SSL:10m"
ssl-session-tickets: "off"
extraArgs:
default-ssl-certificate: "network/khazadtube-tv-tls"
topologySpreadConstraints:
- maxSkew: 2
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: DoNotSchedule
labelSelector:
matchLabels:
app.kubernetes.io/instance: ingress-nginx-peertube
app.kubernetes.io/component: controller
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app.kubernetes.io/component
operator: In
values:
- controller
- key: app.kubernetes.io/instance
operator: In
values:
- ingress-nginx-peertube
topologyKey: kubernetes.io/hostname
resources:
requests:
cpu: 23m
memory: 381M
defaultBackend:
enabled: false

8
kubernetes/apps/network/ingress-nginx/peertube/kustomization.yaml
View file

@ -1,8 +0,0 @@
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization.json
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: network
resources:
- ./helmrelease.yaml
- ./certificate.yaml

6
kubernetes/apps/security/external-secrets/ks.yaml
View file

@ -11,7 +11,7 @@ spec:
prune: true prune: true
sourceRef: sourceRef:
kind: GitRepository kind: GitRepository
name: valinor name: homelab
wait: true wait: true
--- ---
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json # yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
@ -26,7 +26,7 @@ spec:
prune: true prune: true
sourceRef: sourceRef:
kind: GitRepository kind: GitRepository
name: valinor name: homelab
wait: true wait: true
dependsOn: dependsOn:
- name: cluster-apps-external-secrets - name: cluster-apps-external-secrets
@ -43,7 +43,7 @@ spec:
prune: true prune: true
sourceRef: sourceRef:
kind: GitRepository kind: GitRepository
name: valinor name: homelab
wait: true wait: true
dependsOn: dependsOn:
- name: cluster-apps-external-secrets - name: cluster-apps-external-secrets

5
kubernetes/apps/security/external-secrets/stores/onepassword/clustersecretstore.yaml
View file

@ -1,5 +1,4 @@
--- ---
# yaml-language-server: $schema=https://ks.hsn.dev/external-secrets.io/clustersecretstore_v1beta1.json
apiVersion: external-secrets.io/v1beta1 apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore kind: ClusterSecretStore
metadata: metadata:
@ -8,9 +7,9 @@ metadata:
spec: spec:
provider: provider:
onepassword: onepassword:
connectHost: http://onepassword-connect:8080 connectHost: http://10.5.0.5:8080
vaults: vaults:
valinor: 1 hsn.dev: 1
auth: auth:
secretRef: secretRef:
connectTokenSecretRef: connectTokenSecretRef:

142
kubernetes/apps/security/external-secrets/stores/onepassword/helmrelease.yaml
View file

@ -1,142 +0,0 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2beta2.json
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
name: onepassword-connect
namespace: security
spec:
interval: 30m
chart:
spec:
chart: app-template
version: 2.4.0
interval: 30m
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
values:
controllers:
main:
annotations:
reloader.stakater.com/auto: "true"
containers:
main:
image:
repository: docker.io/1password/connect-api
tag: 1.7.2
env:
OP_BUS_PORT: "11220"
OP_BUS_PEERS: "localhost:11221"
OP_HTTP_PORT: &port-connect 8080
OP_SESSION:
valueFrom:
secretKeyRef:
name: onepassword-connect-secret
key: onepassword-credentials.json
probes:
liveness:
enabled: true
custom: true
spec:
httpGet:
path: /heartbeat
port: *port-connect
initialDelaySeconds: 15
periodSeconds: 30
failureThreshold: 3
readiness:
enabled: true
custom: true
spec:
httpGet:
path: /health
port: *port-connect
initialDelaySeconds: 15
startup:
enabled: true
custom: true
spec:
httpGet:
path: /health
port: *port-connect
failureThreshold: 30
periodSeconds: 5
successThreshold: 1
timeoutSeconds: 1
sync:
image:
repository: docker.io/1password/connect-sync
tag: 1.7.2
env:
- name: OP_SESSION
valueFrom:
secretKeyRef:
name: onepassword-connect-secret
key: onepassword-credentials.json
- name: OP_HTTP_PORT
value: &port-sync 8081
- name: OP_BUS_PORT
value: "11221"
- name: OP_BUS_PEERS
value: "localhost:11220"
probes:
readinessProbe:
httpGet:
path: /health
port: *port-sync
initialDelaySeconds: 15
livenessProbe:
httpGet:
path: /heartbeat
port: *port-sync
failureThreshold: 3
periodSeconds: 30
initialDelaySeconds: 15
volumeMounts:
- name: shared
mountPath: /home/opuser/.op/data
service:
main:
ports:
http:
port: *port-connect
ingress:
main:
classname: "nginx"
annotations:
nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"
hosts:
- host: &host "1pwconnect.hsn.dev"
paths:
- path: /
service:
name: main
port: http
tls:
- hosts:
- *host
defaultPodOptions:
securityContext:
runAsUser: 999
runAsGroup: 999
persistence:
shared:
enabled: true
type: emptyDir
globalMounts:
- path: /home/opuser/.op/data
resources:
requests:
cpu: 5m
memory: 10Mi
limits:
memory: 100Mi

2
kubernetes/apps/security/external-secrets/stores/onepassword/kustomization.yaml
View file

@ -5,9 +5,7 @@ kind: Kustomization
namespace: security namespace: security
resources: resources:
- ./secret.sops.yaml - ./secret.sops.yaml
- ./helmrelease.yaml
- ./clustersecretstore.yaml - ./clustersecretstore.yaml
labels: labels:
- pairs: - pairs:
app.kubernetes.io/name: stores app.kubernetes.io/name: stores

48
kubernetes/apps/security/external-secrets/stores/onepassword/secret.sops.yaml
View file

@ -4,52 +4,24 @@ metadata:
name: onepassword-connect-token name: onepassword-connect-token
namespace: security namespace: security
stringData: stringData:
token: ENC[AES256_GCM,data:ks4uBrkQP+oqamaYE60ubJ6XjCdGXPPMaqfUWOhaFBehL0F2jgXKildwYsEOYtUNbsOmYRXGYaoZpkIqFd8/JlOX6eYoC0ibCdKJHexV4z4KQ/o9fKcGcP2VpfdqCYlJn/Lt716MHJHA70a0kI/whdtK+FAwFHn9ulMpM4EvOTgbK9RkPO5sh6kOjHywnu3Ri7F3bp8/HXrj0ZAsIijlhQFQiNzctXvD1Q/jEaLIXpFPS0yK9SDMMQ2LYwxTu/gde7X5+J76PWE53R9hm31/eDiW9c9I52XRqWVVVXzuVFvP5SEMS5DKjcfb8ZsZB+ahL+80FKnW0tpEGWqjfGUY9aGN4VOLp3q3EFu3YW54vmUq1Eg2f/i4TeT133NCgpuntaGtfkhv5YIJ182v5fo2F5J9FalaJXNS95CjxDHSC08mGZ8XITbi6oIuvjT1R1g3myalZ9WUXcP3BIQY/kkx2zrNbmTlk/mhchkgxQZObosAnbtpUsUrpKjlMzsvODuQg1iqcuMaooJ8yjovbhdsrp7SEafK5cEVfOTmfUuzm2jzxh4R1m2TJuAqPa/SOJ1sPlCXHa1Q10dxT4kkGjWZ9Muhf7SAkB7PDPcBXfX8/0gwwai2X4Gl+3Szsyt+deZOM60bp+XZ9xRjPWcIxl1uhDoG7gykpsKeDE6tf1+PC9B2GESFHFqbPVicZ/cZv/YHXcXJb5YRKPuE8/OWjzC0A4W5CC/IH3UAzBafiAu9UU/hk7ASqIv/k0wgTZboyRmzxiH06ahdj5qMUqd3schknIsuxgM0Hjv3W/sSaW3xAkR+3gfhcCLxc1IhhPRIO0OEeoaEBQD9UMVuRKRwPo+lpVU7n/UePjuDHpjXeBu2u83sLqaJrcSyId6ksJLoayCKch+46PazE/E/1vn054rml4hDA4Zuwgnyu/g=,iv:lerOeNOfahiAJX1WFUxu5aiw51q274Cz2fmiPtqC0go=,tag:o8eDvJXG+l/YB516m6GB7A==,type:str] token: ENC[AES256_GCM,data:nZZqUP8WUluVOwxeX5b6DygCJo8ptjAXIAkHVGQ7KOVYXV5pw5BYs3GpVnFFny+9aaQ3wQDZ2DjXwecSG0Mk+qdpvaMGvDq05dXC7YeDVQ8hgVpop5enVa3DqPNHb2xbgDn4+dUGsYib0uKADMJX3Hv5WStIjy20IgsiYREtDjlZhrINuBH2l0sRykKi8FUG4R530mCbRv+n33+eHmHHHnY97JWpAvfIRs80EzX8j4sWdlpR0LEIJB/QbXXy+c5Amo2m3rKekMdyPwcsUmVGSprnUir/PbyiIqwDLpe4P/+RAAPewO/6u2KeoJXlpkEAC47CEmsAunuYrAHy/PK67dOK0BygV0ZDI1WsbbC/c3Fauamlb6ZuOWXIkO5EpE1a3whwMj2QLOiI1f6J3AKP2zv235pW36LRiN436PPCewZw7PwtXTMRT08l2qFKg81w/UWqdbtQF/kjkbO9pLVvXZIrUnF6w/w+34e7PYJcaEoKWNzem/usTKhes//rT8GUamcm/Mrno9rXo7KsyajWp/bWlo5GI2uLZ98gtBePNFCxY7YY35qzyH1k9H1SXzlTXOvghB4AJqKqwoBZosMJOxEP4EiY2/ALGl3MYgYKUIqb7RsBP7/5cSLuM4/BXORaG9CtyESqUChcTtYPgO4CANTJsZ+ORXm651DcxUYOQw/EA72Hfo0NfE2xKQwhwLEfh6ycWCtRvjq5i/AnESXO9OgAfLA3VT3roP+OjqfOIKcqc2qRH7is3Cgm2xPlMoIOhi9t5EloBQlA2EpZFl0ZKf65u0++F0pHgyKzCP2JXDh5QK/hLDqNOYrz7LLsFBnxhNjEcYw2Ix/Sfur+cNzXjw/F25iSczPELGFf2KZO1ZGTS1whOZyj++nzocp1+h/al8KvfSGyA13bo8nCeDy9oJr3lEzEqinFxPI=,iv:9w0GTjZ9bGNtbOWVhw0M/+Y/5WonChhNyHMU3nuxZYI=,tag:O+v6ZttlyxaUEZ02Jd+Z/Q==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
azure_kv: [] azure_kv: []
hc_vault: [] hc_vault: []
age: age:
- recipient: age1g786w8t40g9y29l33rfd4jqlwhrgsxsc7ped6uju60k54j0q3enql3kfve - recipient: age1eqlaq205y5jre9hu5hvulywa7w3d4qyxwmafneamxcn7nejesedsf4q9g6
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRVjdHNjVDN1JCNEFqa203 YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5ZHo5aWdxVndCUkdCSEc4
bVN6cStUeWFYUUZHZGhCSFFsemM4TnBkQ0g0CmdFZTBpUVgwMWFPbmZFT01BdUpu dkFkeGQ5ZkY2Rk4wM0RuaGxvU2g3K1JGTEJNCnJpYm1DbXBQOTdGSjVITU8xaE5D
NG1HZURFb0o3T2JwQ3U4YnJoYzhFOUkKLS0tIDhGVnhLRmhSZ3pQbGRvRWs5dWx4 RGRoYjVHWVh5Rno4THIvMmlZWWJVWncKLS0tIEVQNmQ1TTA2V0VjdWw2SU9WbUNt
WWxwbndNQVBOeGRoandWL256Z2s2ZFEKtIKW60qNUBPMS0yWPEkDBMokemihiWQ7 VkJYWGZnMEJOdlkweS82RjFQdGtHekkK1LCJ2Ww1Ar1fXcepNTldf/hiBVbYdGRf
GqSGjNHDDlkKtd1jyY/qCZGM9t1ZiD9t34wAQVOrn9P/WGJg6X/FsQ== NwCgEa18sMHVVx1XdhBT67bhQewIr6yYHk4jX8y22ScS9GTx9syD4g==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2023-08-15T16:15:14Z" lastmodified: "2024-01-11T23:40:03Z"
mac: ENC[AES256_GCM,data:YVC+MuYp66Ej8XRpT/fsBPBz3laCjfoXikNzc4C5k4E3QbM68+jKX81sbJDGL0B3TSwcIxTc4e8GTisqVhxdH26y/g+xOK5/n6Y+FulDuMmvIiIqBhmQXlQii+DUcLZocRhwEkKDm344M3pRliSVVHa44JRY4qf3E9wKjQhg9tk=,iv:sBTtgB0QK52EFfIxJzFRvXP5MR4ARSfR8v/pha0rDDI=,tag:7KZI8DC967fFvO83KnXkPQ==,type:str] mac: ENC[AES256_GCM,data:1QP1VTuw/fGnMbOeyf+dWADPVSDgzI2UkzJRjEStBVrirj/bUIgpRmRUE2tO5c3fZr5NEJ6kO8ydCrr/WCYSReX2Cbnzf4U5Qap/EEq7G5Xx7NKDM+TQ4jq86F7j+T7OP8tAeGbO3I+8WSqIyc5Z8XkjkFY+hLDRP6cACsh1wQQ=,iv:/zAfi3ZdbzHZAliJZqDu3+lgkopg17NXtotbxkNtBuU=,tag:/wdSv18ydEPzNVL+DQEhGA==,type:str]
pgp: [] pgp: []
encrypted_regex: ^(data|stringData)$ encrypted_regex: ^(data|stringData)$
version: 3.7.3 version: 3.8.1
---
apiVersion: v1
kind: Secret
metadata:
name: onepassword-connect-secret
namespace: security
stringData:
onepassword-credentials.json: ENC[AES256_GCM,data:Ro43t6FQ22+gIg0VAlcuwBy+jNUNM8Q9HI64InTcDSo0HoF2n5ombH1XrVw8aHYacOMM7WlNNsU5DeecC68HpSo45tOiIQTiXDNQyHDsCkoCEqgUZnEY0ggN2hpycnSmWFn7Kj8HoAnG+5q1aGsKI8PzjTAJYdbF36pmXAm01Ge2IaJAKXaWZ2WA+wUqUXtgr4wtIWgfDacQYMhonnlzzvjFFCkynOhRdCC35jiwJA5bX+OnXnN39ANZufYqlWdhoQHOVgBrrFTX5ooBp3Nvf0Ent3L+zDVvTpmmQm19gxc5jYUGHAlwUEbA/rE/Z6yvMMQhsRxTZtIR/f+ehpgd3OBYCy60ub0dTsbafinOvRJp4xcuhmNX333Li/b+OYOgmKY/vdEUn/2cxbA4Uo/PIRWXmwIaweDShRegHGBYzoCOndfLjfkOwtD7jsShPQ5Vu/aTXQCIFjl2zvcZeR2TT+3Oi3uIiLXlQsOWyU1asQz23PSFeXsiUV8G4P8eomZxiX8/k3D3okkknqvi3GfoRXY49vrewurybLBhBSvRNxYrGouk+Vxy/HtZCwUV7q2TwTlI0eGpBpnbJMGDiuzPV4LFy9SGuroHhKhrNyh2n72IovKLAh//ml+4QVFcUJw7HUP3D7VfYRuohItXi5DDZz4566gNf9a4QkPB/2GHkkcQduDVuDqIFIvxjG7vVpBxi+dbyO6zEt7kI7qo0yLoGsVX7t1laiKD28skgKBOiHyGsMwkjxLtcjjOLfYVM/BgN9BAN5nu9Wqm9HdVM8Rfbjc7U/ts/BtfxRgWNM3qvS7NFkKlYKTtD0JmnzUh7ddgi7HUOczltSl6OgdZcFLEmuQIGdtNeILdHSjp1D3wIT5vgfmKnkhwNqX14K6jLmFaxmtzgYa+65DyWnoYgA1QbvTAPQIfVFvCe2NhwBG5XFNcAKOQbwYdwjmhlKVh+Y5uUwaeTCP9VueUpnrxDzkWOsp33XixkcjCfvrQmY5HQs+sGwr+Be1T+t3ET/8p377CjUf0K3U4PIYvB6NeoD9TU+chYPwpToZoe6vwDEP+GEqhLOBBc6Kmd0VgI1vkShqGtLE/92L5xM+kVJTdUCdLZ9//jFwhfgFFITGhju5UiR4FsPY/IwLTqf+VzXI19aBzrEWN0R88KBk6koL4bORXdd4OEKX36S/Vw9NLGLxQzHxw5mihhBksPdh+kyiDgBgktL2levNF7PV/epdbNRvva/hNKSEaPRCzFV5xlVlMOqiC8wfkMnbatiOX3vGRIhzKjWOMKg3v7MUi6zPRZxs1N4l+V8mddIXsf+BGpGEK4vnlvXQFCP7g97pa6unGv+L9D1RKU4Mp9+AU7Oo82k54oWpgg5DqiCWfnQhXGJLRZabr48Hglp8tdoqKnPCLK+TalofreZxBrtlK3T8qY8g7uUYLTe2nSwU8KKJbgMCtHLtifdrvtyY/S6nN5EUHJpQA2eNqVFQwLDuwJ6crO6ipGbaQ2U36ujhuqJ1+9a8OT4PkJK/aE6/koVRzZe50K+H+rbxCVQEpPM+kG4ClSuT47vxLujEm78Npf+PeIyS36RWICxeNyHhdFtbKDyFriBVi+pEEpXFhtpgBTqmB6MQ7te/L9kglkPOIOjbF4/rnzffvDEWZW5XeKz3vYujZ6vTgosf+rDsqsnyRWU2RHbhPQ6U7aS0ujAiBYdMQY4Mtlz+sa8f/b5nCzNPuv2Y1KdwIzCLLjIcqa/UnuTPNPcI8k6arXFWXS2Mq0R5QYfPKFCStVvHzHITHvZNt8bV1g2j5gYvnJkauu66yzUSDvglJVjjvI55nJQTryUDFtZX+lpiAZxwrsepYcP/EygKdZEdg3f8KbZWNQXxt2njLeJmad7Le5UHBhiGqP9H8eCLbwi0gvGwkGkveQHtCsTswOuY3l9E2WG0R9iamwDSC,iv:9QuqDosuTy7OoTfcSJ2mTYLQY9yTa9krJvvzqA7tH30=,tag:wtN/GsxxKhYgipOz8FqsCw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1g786w8t40g9y29l33rfd4jqlwhrgsxsc7ped6uju60k54j0q3enql3kfve
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRVjdHNjVDN1JCNEFqa203
bVN6cStUeWFYUUZHZGhCSFFsemM4TnBkQ0g0CmdFZTBpUVgwMWFPbmZFT01BdUpu
NG1HZURFb0o3T2JwQ3U4YnJoYzhFOUkKLS0tIDhGVnhLRmhSZ3pQbGRvRWs5dWx4
WWxwbndNQVBOeGRoandWL256Z2s2ZFEKtIKW60qNUBPMS0yWPEkDBMokemihiWQ7
GqSGjNHDDlkKtd1jyY/qCZGM9t1ZiD9t34wAQVOrn9P/WGJg6X/FsQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-08-15T16:15:14Z"
mac: ENC[AES256_GCM,data:YVC+MuYp66Ej8XRpT/fsBPBz3laCjfoXikNzc4C5k4E3QbM68+jKX81sbJDGL0B3TSwcIxTc4e8GTisqVhxdH26y/g+xOK5/n6Y+FulDuMmvIiIqBhmQXlQii+DUcLZocRhwEkKDm344M3pRliSVVHa44JRY4qf3E9wKjQhg9tk=,iv:sBTtgB0QK52EFfIxJzFRvXP5MR4ARSfR8v/pha0rDDI=,tag:7KZI8DC967fFvO83KnXkPQ==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3

1
kubernetes/apps/system/kustomization.yaml
View file

@ -6,7 +6,6 @@ resources:
# Pre Flux-Kustomizations # Pre Flux-Kustomizations
- ./namespace.yaml - ./namespace.yaml
# Flux-Kustomizations # Flux-Kustomizations
- ./intel-device-plugins/ks.yaml
- ./node-feature-discovery/ks.yaml - ./node-feature-discovery/ks.yaml
- ./reloader/ks.yaml - ./reloader/ks.yaml
- ./snapshot-controller/ks.yaml - ./snapshot-controller/ks.yaml

2
kubernetes/apps/system/node-feature-discovery/ks.yaml
View file

@ -15,5 +15,5 @@ spec:
prune: true prune: true
sourceRef: sourceRef:
kind: GitRepository kind: GitRepository
name: valinor name: homelab
wait: true wait: true

2
kubernetes/apps/system/reloader/ks.yaml
View file

@ -13,5 +13,5 @@ spec:
prune: true prune: true
sourceRef: sourceRef:
kind: GitRepository kind: GitRepository
name: valinor name: homelab
wait: true wait: true

2
kubernetes/apps/system/snapshot-controller/ks.yaml
View file

@ -15,7 +15,7 @@ spec:
prune: true prune: true
sourceRef: sourceRef:
kind: GitRepository kind: GitRepository
name: valinor name: homelab
wait: true wait: true
timeout: 2m timeout: 2m
dependsOn: dependsOn:

20
kubernetes/bootstrap/flux/age-key.sops.yaml
View file

@ -5,24 +5,24 @@ metadata:
name: sops-age name: sops-age
namespace: flux-system namespace: flux-system
stringData: stringData:
age.agekey: ENC[AES256_GCM,data:DELuczoRtBQW58s5i8Nmb4Hp+XzZ35aiOfwBJDXaqgfQMFY63QXRzBVkTDS0GxFoGt3jvLILJPwde0OHiVrkNEZdDwRr3JZKnTs=,iv:DqAaHlJRT8SUItoceaIQ7smJUcmtTeu51AJt1WM0pKA=,tag:YGbmN4hRhWCCGLPvyDLsnA==,type:str] age.agekey: ENC[AES256_GCM,data:f+9hVYtS9xNgh3KSpC7HtIzSWnFEEtKNijhT4NWi9Yx3dlRuX50vhc8exLYcjcIbytCwMtTCI4xAjUk4TkxlGaj5DzhU/rdvE+c=,iv:uzhwlqMG1F2rb4XM00EXCI8mpCcKMTn1a2KPH/NGYqo=,tag:Ao+cLYINlL1AfJGFR9EG/A==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
azure_kv: [] azure_kv: []
hc_vault: [] hc_vault: []
age: age:
- recipient: age1g786w8t40g9y29l33rfd4jqlwhrgsxsc7ped6uju60k54j0q3enql3kfve - recipient: age1eqlaq205y5jre9hu5hvulywa7w3d4qyxwmafneamxcn7nejesedsf4q9g6
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxMURBNzFadmc1ejZ4eStp YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5cVRSZUZjR1Y2Q0U2RUJC
czlYTUtWUk52NzlaZ1NJSzU2R3R4VFB4TWtZCmc2SjZ1OVhNYXlXQ21WT1I0ZjU3 M05wdVdhWU1oTjZBeTliNDR1V29KN3hKMFN3ClJJQkx2RTRSL2V4ZjR2QmJQUGph
V2RzRU5PUnYzMWlRcy9vTG5JNkIwVncKLS0tIHdjU0VSaVdBQ3A5ZDlybTBiUVB1 ZUo3UlpPaVc4YjdJbGRkaVhTQmpHVGsKLS0tIFlYMHY2a1FjZ2xobUpKNnRwSDhV
YVE3NVptM1Q2ZjEyZHE3N2ZIaEtlRFUKQZEkNHDnlnZYXqK62SplHa7gEsEIBVNV eE1VUmwxNjU0SVAvaWF1dVNKMlV6ZzAKrxZ1g+mkSBNECmd+sf5Z4L7xVDaFw1g/
4TYZQzf+fBmlxmDCwDLTNTJZZJfgLjYPfBStvGSx+VbW2HS6PoXMFQ== hUoFCpjo7fiGS0ru7lhkLzBAwRflWDkpjn75W/18ULaF69bsF9swPQ==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2023-08-15T16:24:05Z" lastmodified: "2024-01-11T22:06:47Z"
mac: ENC[AES256_GCM,data:QxME2bUjRTBpPpMR1ZWANlF+EskMRJuyylOiRHcPzWu9Bve1rz+4mkNdlUYzf0gdLi8psRc6ko0Jb6IH9lLZxOkMAh2YYaMrzAf3hMRBytiJKX/nUs9tIJv8Lft21nXibeaT/TcT5YNwNvd3nTZgBJcJ5nYwmU1sTn3/Lay5jrY=,iv:0uVxxRg+Dp8oZ43DnbtEx25rQcJ23Ag13eKfvvXukVk=,tag:/4Ufpkh8DCONTEWy4pc5bw==,type:str] mac: ENC[AES256_GCM,data:Sg8eZvpifFdLezfcQ8FFwCUzQpCzx+iOrje2E2fVM4AcIcVR/i3zrdCOzJ252W7Fe6mreVpZA0rKKePCEH1A6ZSvjnPKpMvAdhei7BMyIkDs/8VDJMjZOJOWmtLNIwCYIbkwA+cOnFfufnRdSp7/NsqVo+8STOcr4qWAyfDenVQ=,iv:FHFTiD1NtBHslxuTwdmxw3Xb31F9xK6hhKdw0szXfkk=,tag:MbNsGc1ZW1biUOEDFRTSMQ==,type:str]
pgp: [] pgp: []
encrypted_regex: ^(data|stringData)$ encrypted_regex: ^(data|stringData)$
version: 3.7.3 version: 3.8.1

26
kubernetes/bootstrap/flux/git-deploy-key.sops.yaml
View file

@ -5,27 +5,27 @@ metadata:
name: git-deploy-key name: git-deploy-key
namespace: flux-system namespace: flux-system
stringData: stringData:
#ENC[AES256_GCM,data:O1eknYe94FguDRRTE4tIv0yQKVJcqHqrHe510i15Kw==,iv:aa5mj7DH/ZEXtqeG+7s/eThK8SYJDT8WmGtwDng9Zh4=,tag:kPuHF2ObA/8IlPzwsuuEqw==,type:comment] #ENC[AES256_GCM,data:+GbB2yDDUQ4804/B/XphECCkAErDIe+JwXkhuXWDJw==,iv:EFYG8fEaGJt6ZVftO9px4cykuopjQcqNRTLPcT0vK+M=,tag:mPuA+9y+AZDA39/k1a4jmw==,type:comment]
identity: ENC[AES256_GCM,data:DSBU1rLXKta1xWzwagSPpHvT3f/j8ICa4iTkYkby63sYefFfQt9u0qFAYMQChfR9imjUtLmV4AvwF/c9pnOpyHTTLXdZMgkK/y8/17NAbmolUOFQfFvvU7WarxArOqk5QYon4vvIxI1d0Xtug46h7KXHQjJl3UWeBJ2IUnYWEfsPAoN4fNrAxI5DNtS+ppPcFZbJ6BMHx8rPadOhuKbgLR4KACg8PFKHW9RLvJ4s2Kykv9bYyHxUPaLMdL4UAC55i0+RGydZ/72CHokIXDKmwtQquf1vL5HVup/5aB9FQA4oLe0Pk5v2m001YfrvMaO+1GXodU3V2+VIWVcdjJciQsTk/IbbJbr0IIdLlT53WOKx1FNmb1HODUBAX8/mt1Kv5pNDm/BtZXk9ad0chheBB96GRyDTU+/qUzSh3WYGxGrLX+KTE3W8NCbzieOwVgwrDt5P09i0iBrAbXJzSwuDfF0mENzoNN1uRWgA+cm9FGbR+HjEv0UHHN8I9/BCBRMIeXXZ,iv:hn3PwE5mnIgzJNLw+ruu5/jUqFQOpQTYh2oZUdeOplM=,tag:2qttj/0hdChixM7rzaLr5g==,type:str] identity: ENC[AES256_GCM,data:6ZByb2BqIDMe+sSnwfNlPkEcBbnlQbmYNzZcdAe+Uvi0OPKRTwuuw2sy+yBFlGdz0EpiqUV0GiuR+bVcWEHZZaSBpw//2oKKjR1AfK5E4BPGKR/saZ+6Rg8Xp2HgIjBh/wiLD/KDxYJ5qzE5OndUALmdsXvpnThgExyVGtD8KSWqgdnUY/UP0KMnSvakpaEAWnSC5O+YOKSH55UKAXGVBHSWpG4vedKwnQfdadu2sI2kg0G1MScqAD1Cx6OAZ05KF1AdbV1KDdeYwhGjQjtIob1LhozFqP20Wlhxr6ZwrrVQLOCIIQj2k1Tn0ilxsLA5G35BT/bPOTYIEGih1qF9ZfFGxjBtZJ80puf5DYo7QLow78o8Xe7SPGEKSuY8ryD0DG3GotYaExTaAHD8eTer+EJghYGrLoTgnPrSV1lrsKjMslAAWtrjOPd/1kH3wwrnHk1FauZ/Ft99yGpqXVOvHtmXnKiyoI79t8fq0kNLZ+e2/kd5ntMCJyFgh76lgdzb1knc,iv:OEJl0Oo56DsaOxbt43oaynYtUpUYCDaePBz3wGdqKDw=,tag:axW1M4UckNOmodsZWLLEzA==,type:str]
#ENC[AES256_GCM,data:yG8yduTJrEB1oGbSQdLwFyDgjbmkT4fcbkvhMj0oCw3Yi9HvSdygq5Uo/2DQ0t+GRzpVqsedrLvB0yciVWpfEaKewXj6neGmMTcsT/llWbSvXS4dHWGBDL6Y/BXVNhyrYLRu,iv:K4dJKqM+AZE8giMcoBOlb9GDnLDCJSyhpWangKsNXkE=,tag:rfRpq8iv+2rwFRJY6sw19A==,type:comment] #ENC[AES256_GCM,data:x6ZbaxSmg8cybQLBN60EMMz3b7wcB6zAgcRcPQVr/Y7boCjbVlfdNumSu1/+f2OPJLZLpK+URTqAIhtwDlEwPRabe3MMpQfE3ifKobKPmvws4pvbdPeHG1UEPpGeqh3VJLN8,iv:65mO126WzjKiEJYhjpZnaWftQ2YMnRhak8E2J7X2CfE=,tag:Zof3hhjPzrmOPNWSWkGaEg==,type:comment]
known_hosts: ENC[AES256_GCM,data:Ej+HKpMCe/3FGSh/qd7cud4OyBAWpH9tAxP5lSq50kGdyNUz/pLWde4t8uxN6aLtV8Md0lewMtVQTIl3peQuOnroB+EOUnimJTTLLuno9G4zyzkcZRf1un9UY4Jvs9g1vT26DyE/paqIOvJ3u8pfotI4tyO1so60HpHc4lQoakp5L7VMzlPUY3g6hHlOGmqEMXfg8s07UUC0DRNyzBb5INXmL4YweGluI6ros1t1Rh0UKjfF7U0f/5xgzY80WvvcXmhd/NYuKaqUb5YMT7Gk/dUtD0RpxhH+iUi4WMaRyWcbwt+HvS4cUDrHi9ZypLBLxD0I6oiz8ZZYnbNAbe2vsqxiYOPbE+E+QXGY98B1eP18nVXe5YICMuclgAXV54Kcc+/Fw/25oNcJREgdvbxA0CGYwXooURan33kKAXFaBdGpGinj4mBXciepy+fPpxe3sa9YpY1pAF88lmBHzmBR77XltWebOmsagauI1gG/QEgItUaaMy3aDt1dNmrG1jzjkrXYJfCrmLdDXJ3kgd+ZS/95l+B0WfUralbZtQte1IzsgyCRTMhOv8NJ1okCetmi7i5kD2+hiZ7T90M4UMDczHfBXulq9mqlyqQKx1hzdKLP5CnmF0QLbupau+xOLvn8l8Qpt4pxZ6K/ul9jC6PlKZE2iTmgBb2WV1cXdG6sQfrxBFYKaibG4hv7jmIJAI+hzdFq9M+nQ0olIuU3FI3vQqSC05nzRMo0PH+408xnqAWKmY/43SfXpXzUa6eg1+GpoYZjK/BcWA7Nmcy1Fk1lf49JVu0eS3/dqxq+iBbPK9Zy/CQaaWXMg1wpu9y+13CwDuEYC/luz9SrryuY14T7hHldjSxDh+gp0qD2T2VrJA1f846Q7c2SWLcRSPuvYnRcGIS4gQpLjnNKLA14GqDhmFFA/cjkIkgnuILB08SxulMYFu0wu5s4p/vNYj+9BGj66CDvynyLZjCas0cT4ubfq8A=,iv:j1jftBGnQlln+7gECyaanotig27AzyHWLFOG5KWX53c=,tag:1NyHwqKx6RpruLKuYPYIxQ==,type:str] known_hosts: ENC[AES256_GCM,data:yaBZz02NVnC34rNmR42CJN32++LO9gLohYOs8JiKE1z5cAL56RHAhwxtcSfuQOPvXyX3WLJvjmFHZL9TQmdCukdmzukBk1J/IaUQ9wCVL9+flRJwtsyf1Xd6SAIk4XwP7M0Rm9F91mPJ9Wdju6ALusSRLN5J7UOwTUoZVcjjSjmM4Q4Kchk0GyZNv3ozgSU5L5cuF620+RX6NlYx3Fk/GVvU468HN4wz4qr7g5NwVS2ZKcTNrZasekuwzohfjheK/4WcxYYHe90/NIr3CpCt1DI1ZTIftvVgodRnK+28p7ZT3hoI/Go7qukY+hXTJEd8gu0ZWjeAWhvtfasy6ZEMLNwo5Zg1IyHnrE9KfOPS/MG2P88V7ooIpvYSNXQP5g3mwm009GQ0yLNAMVmnTqiURTqUOlenI44UWQYmqrcMP28QE0XHR6Id1p1LA+ZRMEnvdvyrYi8FH9VvK1vxJIIBsLCJSvuBCM2Uy+MX1MJNXUzvAp8bDAbgPE4wPx7y/DgOzhyYRyaVQxPRm8IbA+ciBg/3t7dkjLWK6afbOVzE4OxtBwxDtbDcUmpZ7cVE7gKnSM3tywOzxkwXrUAuMkSIKH4pgSAn4BBf8NsA2qr/fzUdvkYl6OF8qRa6Yw7kCtZO9zZTLK3i9gzfJfZ9LlaRaLLSMbQdOIN2FQfYG7+F2OPADNjhCIDHHvMoBKFdAhcLFGdtRP8FuqYMHd3zprCr0F8XgaD3tWAfx3Cq7JDhElM4e3vuIiCwVHGtHvydI4OqKFeO5DKp4+ErOxDyMhaxF8Qd/IPsKgA8QQK2/HkgFZH+fwyf+uRoylmOuQo/8PeaKkag1SihcSzt/vMBroMw9ZbMF6MyYXPC+8IsLggNFh6O7EyoVMIYm1PqSGBckyLb7gHWJu7r2zsajx6TeRwAVlEoVq9ScC8sj2XkrUo8HNLX6lt7J5/RDchmjta5pdTCGvsV7SOQi7mMUFjxAp+RBFE=,iv:KsQ5SqWokEmwZPXCFuEVhV2X7c+6rC8ZhqEc7Tc+rT8=,tag:fA1se7HrUltBOGhIg7zG/w==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
azure_kv: [] azure_kv: []
hc_vault: [] hc_vault: []
age: age:
- recipient: age1g786w8t40g9y29l33rfd4jqlwhrgsxsc7ped6uju60k54j0q3enql3kfve - recipient: age1eqlaq205y5jre9hu5hvulywa7w3d4qyxwmafneamxcn7nejesedsf4q9g6
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnbkdZamFHbTVoYXpCdGpx YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTeS83SmdkZ2daM05UVkpO
a214aFQvUUxWSW43SHV2QWFzVjJTeTNiSXhrCnF2VmR5eFlpc3JlcGY0R2J3aWdr RG1jM1lNVDREUGdQZmFuREdOaVIzQkd6MzN3CmdaQnRDbUJwTG9tZ2treFJ2RFFU
aEZSL0gvRzZiYi9ELzZOeVkyRExkM0EKLS0tIGczRVRZY2U3S3F1ZVY2RnJwTWlw NkVWUlVVNlVJd2xSRkU0bUUzZDY0ZGMKLS0tIG8wRzZCZ29Pc0tNb3dVcnVyYWl6
L0s5YXNFUlhmTS9GSkdZNWNJeDlCSm8K8j+Pvu+DUYLjQ27N2dPU8rGXYaZORK4I MmVnNzdNWU83MGl6TzFwNFYydHQ0WFkKMy8Ew8clnoYcNR9qicauSBlLDp8N8qvg
n6U4KG2qiRAZn1eVp4t/8/2A5/0UupsrcYyKvXAiMLrpsf9kaq3Xmw== jAMftEoS6bUhSozWW4zCpcRK6hCTi8X+IsHe0niTotGRUZgPgdXUWg==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2023-08-21T21:51:49Z" lastmodified: "2024-01-11T22:06:54Z"
mac: ENC[AES256_GCM,data:lXLx3E5CrfeVN6/a9WDVie4Mfn0v7pcadSWmiKoge9B5obhgAIVChSG8d8KFPkAN6gCBi1D/O3ukSogAwASZ2q8t4yUes6YsD3t4aZrADw6YVgOjNDeJHMiaXMP6fQ0ze665NEgyGBnIRxDuaTXHpaNXsiqSHr+51rRHi0S6K2g=,iv:I616VwtsUKqqvDfmu2KiY9i2ODaTD0tZZHaYG8DjyZA=,tag:dKFmvDZWMBsfhnuqAyMm+g==,type:str] mac: ENC[AES256_GCM,data:P1ZUYJ+ZKO7y3ZC9qy/ODizNGohS6VlSLRzXFUw0dG4OSL/4G3lo+YzkOx/ly4oaLRKZAlW9dLONJYPldE1785A3DfUD3YjV+xrF4akxPAkCwer5ikmCEuG+jw+ihOxn+36s5KZhjVt7k+EVOqVAR60Oh62onq5IR608ND6zits=,iv:d3tdmEjvB/n/TquFRE8qs7Lr4O5q8zXaESvqHl5IiVk=,tag:AKo3NuJTDS0ov3jjHJTahA==,type:str]
pgp: [] pgp: []
encrypted_regex: ^(data|stringData)$ encrypted_regex: ^(data|stringData)$
version: 3.7.3 version: 3.8.1

30
kubernetes/bootstrap/hcloud.sops.yaml
View file

@ -1,30 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: hcloud
namespace: kube-system
stringData:
ROBOT_ENABLED: ENC[AES256_GCM,data:tTSnWw==,iv:rSrqYIiQSOv6G0QxSYVU6DtW7b3PT7XNF/1pWx68M1g=,tag:2m6YXewARCcyXTjZGimodQ==,type:str]
token: ENC[AES256_GCM,data:DzLwUiv5JH/S6OBrzgNp0NO5U/7w0Pq2YtQ7uOAfg7Iw90qzGlzc8CqzlQOw0jHv91LzCUgjpeZn9QP93Dgprw==,iv:T6rqz1HmdKATl+8ov5qclhAo/NzHQTIN6eRSiCEyiZU=,tag:39VZ8N96NEXgvXTPQ/vvBA==,type:str]
robot-password: ENC[AES256_GCM,data:OeITzLUpgj03MyQ2n+SYgwykcw==,iv:9ZdbQW4ZAtqmGEiR4KBsziRXMAoHGHcBYXiwjep5H2A=,tag:4eGKJTfn0+NARz1k7j8jXA==,type:str]
robot-user: ENC[AES256_GCM,data:Cy2ilSDCVNaxES0N,iv:fs/fu9OOhNPDwgnw1xV8SPtbzlbDkbynvL4Z5L6aO2o=,tag:n2+BeAx8HLtD4rFbKMdUqw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1g786w8t40g9y29l33rfd4jqlwhrgsxsc7ped6uju60k54j0q3enql3kfve
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSaVJMaEQvSGw1Y3h1WXVi
TGFnM1dTaHRaUEtOaVl5anpKazZjbVRpckIwCi9Bc1BueHYvMUljdWRrZFVpQldJ
bkRVMWJIdmdubGJXL2NOeUloV3RXQ0EKLS0tIEZadWZJcytYZW5ZdmtFbGcrUjZN
SGkvdTBIM1hxMTREL1JDT0NCcXo0ckUKW3fJ509OnrgKxLvWHALLvA4Ha91pN+GM
JRdKi8tSlyVEpFgumeOsan3fIrsi9urgqYjMuW5e6ApMZ8/2522MWA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-12-12T18:16:51Z"
mac: ENC[AES256_GCM,data:m3jplww3Pv4UnCIdyJ2DEkA95U5+Ovddk2DhEG7KhVQ/PTtG31UFCHdoBIgHf0ZcYmAYRLeyvUfRmi19I+h0h1eDrlbTwpFSYByunLvJZqk2Dp9WWCyGnoJ2Wh/dzW/pcLRSJCZWPxUGPR48cyZTlzg+iZHm760kbXQmzAE+ZHc=,iv:xxyyd9IaTtd+Te+2T156/c+842GVeOoPEs+IBZibWrk=,tag:EruEq5+6kU+nme9NydF/bg==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.8.1

2
kubernetes/flux/cluster-apps.yaml
View file

@ -11,7 +11,7 @@ spec:
prune: true prune: true
sourceRef: sourceRef:
kind: GitRepository kind: GitRepository
name: valinor name: homelab
decryption: decryption:
provider: sops provider: sops
secretRef: secretRef:

4
kubernetes/flux/config/cluster.yaml
View file

@ -3,7 +3,7 @@
apiVersion: source.toolkit.fluxcd.io/v1 apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository kind: GitRepository
metadata: metadata:
name: valinor name: homelab
namespace: flux-system namespace: flux-system
spec: spec:
interval: 30m interval: 30m
@ -31,7 +31,7 @@ spec:
wait: false wait: false
sourceRef: sourceRef:
kind: GitRepository kind: GitRepository
name: valinor name: homelab
decryption: decryption:
provider: sops provider: sops
secretRef: secretRef:

26
kubernetes/flux/vars/cluster-secrets.sops.yaml
View file

@ -4,28 +4,28 @@ metadata:
name: cluster-secrets name: cluster-secrets
namespace: flux-system namespace: flux-system
stringData: stringData:
SECRET_PUSHOVER_USERKEY: ENC[AES256_GCM,data:MeaD8iRbieNr5W9PqpjZ5ywdbMijX9nYQJbbVj6s,iv:42QymFlr47PYNjorJc5tgDjzZ9WHPVIk543GGChalVM=,tag:qyk1chI/IpPdfyEMdOqsbQ==,type:str] SECRET_PUSHOVER_USERKEY: ENC[AES256_GCM,data:HknjiEQXIa1zntN4yOlTQ/buKx2xppiQV7faAxIe,iv:A9sMptT1QcgQvuP8jqPUZDjqTa56kbsLBjITQvPQyF8=,tag:Sa5PIweT7OYuoq5YG43rpA==,type:str]
SECRET_PUSHOVER_ALERT_MANAGER_APIKEY: ENC[AES256_GCM,data:4+9e/tWQBszoPakAo+1vNhWsdKz8qfoioeUz+dTb,iv:sY4dkzMEmvi8kCLesBiknmoYHWq3uqXpWs5Y4FeFSuk=,tag:rPxH+5m6rPiSnhm2JrrT4w==,type:str] SECRET_PUSHOVER_ALERT_MANAGER_APIKEY: ENC[AES256_GCM,data:n0cFsAwCX1/y5HhsNxr/c2KT/5dzt55Ygi17rX+OV7cwKPKMImmLinb6GhD9fDIz1AINGBijXuXvD8TL,iv:4nwdHlSJEUSyMEDvh+5mhONXCGTJ3qyTITwG6CxeG3A=,tag:kurCrF2rGQFBF2u7Hhinuw==,type:str]
SECRET_HEALTHCHECKS_WEBHOOK: ENC[AES256_GCM,data:a6hjTy2HRy7s2+KHxfop8077CgAzzILCF/g5I9TIXdhRiziUrLpJVzC0mqNmfdooJsZyErrJ9ihamFKLFoK8S/PmD5IgWuZu,iv:l5JTxmiWct5nr7eJM/Rtl7AclhCoIQ4KW6nJK6Slhg0=,tag:K5yGxYBTNSSoxYJt8Kmhyw==,type:str] SECRET_HEALTHCHECKS_WEBHOOK: ENC[AES256_GCM,data:YG8/g4i8inIQnCIsQyEkPdNyVmbFYU4bhixacOEEEcuJMl8ax8TH1yBRl5ziQmBggp/CETorWCmNiC3jkUXYYta/znlo76T5,iv:SGdg9htpyFP38jbAJDg+zq4Rs+axgM5m3SsgBG38Bu8=,tag:TTIVFki9e03rqVvNmtsFuw==,type:str]
SECRET_CLOUDFLARE_ACCOUNT_ID: ENC[AES256_GCM,data:X63a7aMBMyd9Be6bik0knOyMXnYx/Kg3SoOrG0bkAHU=,iv:POcU1kIRWekrzUdzqPopKDovviK+fMZRVuZVWp9Vuuc=,tag:n9UamxITJCiLbH37Ta2lTg==,type:str] SECRET_CLOUDFLARE_ACCOUNT_ID: ENC[AES256_GCM,data:bKGSKh/TxNtCMRa83/i44fX7XC5mRxBLVeZ94UltjOo=,iv:Ji0tUnrvDywxMeCvNwBrG/a8JVudfK4sXYL8q0i/cz8=,tag:j4Bwvcz73RdIInsiz0F0JA==,type:str]
K8S_SERVICE_ENDPOINT: ENC[AES256_GCM,data:mons7ADYFZv+PjnGpAg=,iv:vRkH6yn+nr2azS+kWOCG9rayB/X/02OlmQVhaIsJDkQ=,tag:RyPwMRcWgQV2kKFa6YQtMg==,type:str] K8S_SERVICE_ENDPOINT: ENC[AES256_GCM,data:3s9EeJwFzDQ=,iv:a4oU9bf7ESscw6o9YqhBx8kRm/rL1l2ydjjd1ngn/P0=,tag:TAwJ2UmFuEHeHsEhfiVH9g==,type:str]
sops: sops:
kms: [] kms: []
gcp_kms: [] gcp_kms: []
azure_kv: [] azure_kv: []
hc_vault: [] hc_vault: []
age: age:
- recipient: age1g786w8t40g9y29l33rfd4jqlwhrgsxsc7ped6uju60k54j0q3enql3kfve - recipient: age1eqlaq205y5jre9hu5hvulywa7w3d4qyxwmafneamxcn7nejesedsf4q9g6
enc: | enc: |
-----BEGIN AGE ENCRYPTED FILE----- -----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzNUJOSGgzempjQS9ZQVlo YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBwSC9CNFkwMHVLd0dWb0Jq
citDR1Vta2ZHWHJYNElySzA4a1ZIdktQREhFCnZyQlYvYlhRbDlwYVkxZmZJYm5S cnN0OUJzYVlYV2VRS3p2ek5UcHl4TXNQckhjCnlHQTVNNmdyZFF6RXhETlBzSW9v
TEU0c2R4WkFWZGNEcjYyTHE3MmVLT0kKLS0tIHZwQWNGYks1alNnYVAyOWZsL1J2 S00ra2k2Y0VyWnJjcU9oWG5XVGJDQkkKLS0tIHB2bGxDOWhWci81aGViVFlsL0JE
dDhWMDZYait3UzNRZy9oVk85cHBPdEUKa7e22jHlW1chaLDKBB1in8ZTFnfKMXug ZGRUUFpKTXpjWW9HQ0R1VDk2RmVmQ2MKJwHW3q0vCZClJFfDrWSLw6C43vWVfyLr
QJQ/9z6z/RjmnnFam2FWg++Xg2A8LQ7XTZcfR97csf59DQ/xwu7sVw== 1ACvmNWml+xv/MOQwoRRMx6OVF74X83UyTFdVrXXk7SkzRcwQr4j+A==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2024-01-02T23:49:24Z" lastmodified: "2024-01-11T22:06:29Z"
mac: ENC[AES256_GCM,data:OZzwxpqsXk2tfWmDRjWdmRZaP1pc0HRAuxt1om1Q0yN0R7LTafyRaKdWRdDYi7g76/C8qvSwgT72If5u+M10Q/KKNDy/PavDKn9yMHLkYkdmnXCbyxuWCFqlDoVoOQyPG3H4+ahZkYDnXwzcScR8klTZxdG2n5xO6FJc3PKJFlk=,iv:f2d0J2vG3amQ5UCowNU4U9X+siuWq43uq3nLndoy76A=,tag:ZbfWo82UhiR1AOh93WkpLQ==,type:str] mac: ENC[AES256_GCM,data:kpt0cEtZo9e2wRcnbp7VosxzVdRTUsnNOmCfjFW/6dAVt3PQuck4hoQ+5ZVO/kL02JDxfLFDaSrbEGwWyf3pwvWV0IQHPFH1W0DcgHe0bSHLBB1AAufISuaQ+OfrO6igYiUjJ1ijk8sErT64qY0WN1NTnMbhbGpXrmKl9jSxpbc=,iv:bVeu6F3V6dkx/VvHume/KdxVPArMzPCkTS+e5M9+ru8=,tag:u8MdtwtUcbk2/XFvdfvomw==,type:str]
pgp: [] pgp: []
encrypted_regex: ^(data|stringData)$ encrypted_regex: ^(data|stringData)$
version: 3.8.1 version: 3.8.1

2
kubernetes/flux/vars/cluster-settings.yaml
View file

@ -5,4 +5,4 @@ metadata:
name: cluster-settings name: cluster-settings
namespace: flux-system namespace: flux-system
data: data:
CLUSTER_NAME: valinor CLUSTER_NAME: homelab