feat!: organize repo

cleaning up after myself, after 4 months of accumulated mess lmao
JJGadgets
2023-06-26 23:58:22 +08:00
parent c4fd1f694d
commit 025995daaa
380 changed files with 1772 additions and 3171 deletions


@@ -1,508 +0,0 @@
apiVersion: v1
kind: ServiceAccount
metadata:
annotations:
meta.helm.sh/release-name: cilium
meta.helm.sh/release-namespace: kube-system
labels:
app.kubernetes.io/managed-by: Helm
name: cilium
namespace: kube-system
---
apiVersion: v1
kind: ServiceAccount
metadata:
annotations:
meta.helm.sh/release-name: cilium
meta.helm.sh/release-namespace: kube-system
labels:
app.kubernetes.io/managed-by: Helm
name: cilium-operator
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
annotations:
meta.helm.sh/release-name: cilium
meta.helm.sh/release-namespace: kube-system
labels:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: cilium
name: cilium-config-agent
namespace: kube-system
rules:
- apiGroups:
- ""
resources:
- configmaps
verbs:
- get
- list
- watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
meta.helm.sh/release-name: cilium
meta.helm.sh/release-namespace: kube-system
labels:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: cilium
name: cilium
rules:
- apiGroups:
- networking.k8s.io
resources:
- networkpolicies
verbs:
- get
- list
- watch
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- namespaces
- services
- pods
- endpoints
- nodes
verbs:
- get
- list
- watch
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- list
- watch
- get
- apiGroups:
- cilium.io
resources:
- ciliumloadbalancerippools
- ciliumbgppeeringpolicies
- ciliumclusterwideenvoyconfigs
- ciliumclusterwidenetworkpolicies
- ciliumegressgatewaypolicies
- ciliumendpoints
- ciliumendpointslices
- ciliumenvoyconfigs
- ciliumidentities
- ciliumlocalredirectpolicies
- ciliumnetworkpolicies
- ciliumnodes
- ciliumnodeconfigs
verbs:
- list
- watch
- apiGroups:
- cilium.io
resources:
- ciliumidentities
- ciliumendpoints
- ciliumnodes
verbs:
- create
- apiGroups:
- cilium.io
resources:
- ciliumidentities
verbs:
- update
- apiGroups:
- cilium.io
resources:
- ciliumendpoints
verbs:
- delete
- get
- apiGroups:
- cilium.io
resources:
- ciliumnodes
- ciliumnodes/status
verbs:
- get
- update
- apiGroups:
- cilium.io
resources:
- ciliumnetworkpolicies/status
- ciliumclusterwidenetworkpolicies/status
- ciliumendpoints/status
- ciliumendpoints
verbs:
- patch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
annotations:
meta.helm.sh/release-name: cilium
meta.helm.sh/release-namespace: kube-system
labels:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: cilium
name: cilium-operator
rules:
- apiGroups:
- ""
resources:
- pods
verbs:
- get
- list
- watch
- delete
- apiGroups:
- ""
resources:
- nodes
verbs:
- list
- watch
- apiGroups:
- ""
resources:
- nodes
- nodes/status
verbs:
- patch
- apiGroups:
- discovery.k8s.io
resources:
- endpointslices
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- services/status
verbs:
- update
- patch
- apiGroups:
- ""
resources:
- namespaces
verbs:
- get
- list
- watch
- apiGroups:
- ""
resources:
- services
- endpoints
verbs:
- get
- list
- watch
- apiGroups:
- cilium.io
resources:
- ciliumnetworkpolicies
- ciliumclusterwidenetworkpolicies
verbs:
- create
- update
- deletecollection
- patch
- get
- list
- watch
- apiGroups:
- cilium.io
resources:
- ciliumnetworkpolicies/status
- ciliumclusterwidenetworkpolicies/status
verbs:
- patch
- update
- apiGroups:
- cilium.io
resources:
- ciliumendpoints
- ciliumidentities
verbs:
- delete
- list
- watch
- apiGroups:
- cilium.io
resources:
- ciliumidentities
verbs:
- update
- apiGroups:
- cilium.io
resources:
- ciliumnodes
verbs:
- create
- update
- get
- list
- watch
- delete
- apiGroups:
- cilium.io
resources:
- ciliumnodes/status
verbs:
- update
- apiGroups:
- cilium.io
resources:
- ciliumendpointslices
- ciliumenvoyconfigs
verbs:
- create
- update
- get
- list
- watch
- delete
- patch
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
verbs:
- create
- get
- list
- watch
- apiGroups:
- apiextensions.k8s.io
resourceNames:
- ciliumloadbalancerippools.cilium.io
- ciliumbgppeeringpolicies.cilium.io
- ciliumclusterwideenvoyconfigs.cilium.io
- ciliumclusterwidenetworkpolicies.cilium.io
- ciliumegressgatewaypolicies.cilium.io
- ciliumendpoints.cilium.io
- ciliumendpointslices.cilium.io
- ciliumenvoyconfigs.cilium.io
- ciliumexternalworkloads.cilium.io
- ciliumidentities.cilium.io
- ciliumlocalredirectpolicies.cilium.io
- ciliumnetworkpolicies.cilium.io
- ciliumnodes.cilium.io
- ciliumnodeconfigs.cilium.io
resources:
- customresourcedefinitions
verbs:
- update
- apiGroups:
- cilium.io
resources:
- ciliumloadbalancerippools
verbs:
- get
- list
- watch
- apiGroups:
- cilium.io
resources:
- ciliumloadbalancerippools/status
verbs:
- patch
- apiGroups:
- coordination.k8s.io
resources:
- leases
verbs:
- create
- get
- update
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
annotations:
meta.helm.sh/release-name: cilium
meta.helm.sh/release-namespace: kube-system
labels:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: cilium
name: cilium-config-agent
namespace: kube-system
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: cilium-config-agent
subjects:
- kind: ServiceAccount
name: cilium
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
annotations:
meta.helm.sh/release-name: cilium
meta.helm.sh/release-namespace: kube-system
labels:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: cilium
name: cilium
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cilium
subjects:
- kind: ServiceAccount
name: cilium
namespace: kube-system
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
annotations:
meta.helm.sh/release-name: cilium
meta.helm.sh/release-namespace: kube-system
labels:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/part-of: cilium
name: cilium-operator
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: cilium-operator
subjects:
- kind: ServiceAccount
name: cilium-operator
namespace: kube-system
---
apiVersion: v1
data:
agent-not-ready-taint-key: node.cilium.io/agent-not-ready
arping-refresh-period: 30s
auto-direct-node-routes: "false"
bpf-lb-algorithm: maglev
bpf-lb-external-clusterip: "false"
bpf-lb-map-max: "65536"
bpf-lb-mode: snat
bpf-lb-sock: "false"
bpf-map-dynamic-size-ratio: "0.0025"
bpf-policy-map-max: "16384"
bpf-root: /sys/fs/bpf
cgroup-root: /run/cilium/cgroupv2
cilium-endpoint-gc-interval: 5m0s
cluster-id: "1"
cluster-name: Biohazaard
custom-cni-conf: "false"
debug: "false"
debug-verbose: ""
disable-cnp-status-updates: "true"
disable-endpoint-crd: "false"
enable-auto-protect-node-port-range: "true"
enable-bgp-control-plane: "false"
enable-bpf-clock-probe: "true"
enable-endpoint-health-checking: "true"
enable-health-check-nodeport: "true"
enable-health-checking: "true"
enable-hubble: "true"
enable-ipv4: "true"
enable-ipv4-masquerade: "true"
enable-ipv6: "false"
enable-ipv6-big-tcp: "false"
enable-ipv6-masquerade: "true"
enable-k8s-terminating-endpoint: "true"
enable-l2-neigh-discovery: "true"
enable-l7-proxy: "true"
enable-local-redirect-policy: "true"
enable-policy: default
enable-remote-node-identity: "true"
enable-sctp: "false"
enable-svc-source-range-check: "true"
enable-vtep: "false"
enable-well-known-identities: "false"
enable-xt-socket-fallback: "true"
hubble-disable-tls: "false"
hubble-listen-address: :4244
hubble-socket-path: /var/run/cilium/hubble.sock
hubble-tls-cert-file: /var/lib/cilium/tls/hubble/server.crt
hubble-tls-client-ca-files: /var/lib/cilium/tls/hubble/client-ca.crt
hubble-tls-key-file: /var/lib/cilium/tls/hubble/server.key
identity-allocation-mode: crd
identity-gc-interval: 15m0s
identity-heartbeat-timeout: 30m0s
install-iptables-rules: "true"
install-no-conntrack-iptables-rules: "false"
ipam: kubernetes
kube-proxy-replacement: strict
kube-proxy-replacement-healthz-bind-address: 0.0.0.0:10256
monitor-aggregation: medium
monitor-aggregation-flags: all
monitor-aggregation-interval: 5s
node-port-bind-protection: "true"
node-port-range: 80,32767
nodes-gc-interval: 5m0s
operator-api-serve-addr: 127.0.0.1:9234
preallocate-bpf-maps: "false"
remove-cilium-node-taints: "true"
set-cilium-is-up-condition: "true"
sidecar-istio-proxy-image: cilium/istio_proxy
skip-cnp-status-startup-clean: "false"
synchronize-k8s-nodes: "true"
tofqdns-dns-reject-response-code: refused
tofqdns-enable-dns-compression: "true"
tofqdns-endpoint-max-ip-per-hostname: "50"
tofqdns-idle-connection-grace-period: 0s
tofqdns-max-deferred-connection-deletes: "10000"
tofqdns-min-ttl: "3600"
tofqdns-proxy-response-max-delay: 100ms
tunnel: vxlan
unmanaged-pod-watcher-interval: "15"
vtep-cidr: ""
vtep-endpoint: ""
vtep-mac: ""
vtep-mask: ""
kind: ConfigMap
metadata:
annotations:
meta.helm.sh/release-name: cilium
meta.helm.sh/release-namespace: kube-system
labels:
app.kubernetes.io/managed-by: Helm
name: cilium-config
namespace: kube-system
---
apiVersion: v1
kind: Service
metadata:
annotations:
meta.helm.sh/release-name: cilium
meta.helm.sh/release-namespace: kube-system
labels:
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: hubble-peer
app.kubernetes.io/part-of: cilium
k8s-app: cilium
name: hubble-peer
namespace: kube-system
spec:
ports:
- name: peer-service
port: 443
protocol: TCP
targetPort: 4244
selector:
app.kubernetes.io/managed-by: Helm
k8s-app: cilium


@@ -1,179 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: biohazard-flux-github-ssh-key
namespace: flux-system
data:
identity: ENC[AES256_GCM,data:RFsW4U172L+N9e2LsAlW5ESSYh1O2VjTZxTYY/OVPS9FvJcQSQStXSk21xIQ6PnxeNrjKR44/e20m6L4l59bRiLWaw/KAEPsdJAAHFzPU6gIfnvasbFAR/3ATc1RjctQGcKhkpsJtcqEpT3TPCZGOuEgDngc0xq5fQgztRtbu0JDXKb3fDHlvXmoN8lgtRwNqqcnpUCMg8Q64dmmhtuNcA==,iv:RI2KdjgYNuyNHgRzgWM6X7sUNu7bjJ1Zq8khbiOMmt4=,tag:THCUmBrpdadaqawf5iTo9Q==,type:str]
identity.pub: ENC[AES256_GCM,data:CXuK+5MEyGuVQNVlfNC699qdW2FmJDrUPZUuh2ZHe+tbKlTg3lgt5b0J1VjPO0TMUQpTitvgyjDV96JeRoCnUTkKcYGsCDZMX5M/t+K/S3SSgJMOYHV2+VGTwc5LC2kuK8wm/WxDARQmK3Rl,iv:1TZ9KKcKwJZDvm22qQcRfVWwYkmOXgek0mfZZInihCA=,tag:qh5hhjN8lBZC27usPpKNjA==,type:str]
known_hosts: ENC[AES256_GCM,data:JzFUDHL0EOi/WxL2hNloUgOFTXNv27On6OyMHHw6D0fp472dqyPrjrk4VtdVjTGDHSY1NVkLnNl7kZaNf3An5RwafjWqbjohueY8WsQ+044b7IZGskANmd8XCdyDwKM8g9U7uNWtviwgAhM2HkrzNJWSuIxvCpDXQQlEx3tiM1UVtFCVEnQGtcurVpk5Ijv4DhcrlyqofqOZwLC2H1eATyI6hW6Iqnt5FTic/5muteP9qN5926byid938RLWdrRqb3wNJU2xtuqZ4LhZlPmUfsC9glSk1OApYMKK/RfVGjLTd7TR,iv:wnOfzKaAskg+eVFNl0OcVAcqGWxg3KvjjdUKA+nNw5E=,tag:LcxIOc1z1A6+Ap7dF3VNHQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNeXMrWE01RzBHSHlHaXNW
cE9KMG5jaEZEeG9LclRqOHIvT3QrRS9TTzM4Cjg4d0orK1d6QncrdjNrVDFNRm5p
b2ZwVUJUcG5jbWxoTG1RZ2NBSFM5RW8KLS0tIDBsd1R1MzR5WURLWEMrYTFjK0Ux
UmFEd0UveklMeHpwYmJWcG91cU4xUUUKYKm5ZiuBX5d4oadXp8mNt+v0MASMRbqT
k6WGNihbkfA5z8aLnx4vR7tA4ORv70s7ALXvzZCD0m/fMnG8e9ssdA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-05-27T04:21:43Z"
mac: ENC[AES256_GCM,data:K5nsP6Q9dwpGZSEXcko3Nzb9xW/UQfmYj8eeu9lj9/aznpKaugPUj1zfuDbVVDz4+whvfxidNnYJh4k9JtUtpoPdAXL8SIoW2cynMdtIRlg3gvU3+6wL69rkoUfAcdvmdW5lChHAmPdz56ap0/FcJ+eJpdSuwKJfr+mPzBH4yMY=,iv:DWo7n/m/70Xt3g3xOrIhG/WZsIAOB0Z5MuRoxdr8x98=,tag:nZx+6PfS3ydj4nM+uli4iA==,type:str]
pgp:
- created_at: "2023-02-26T18:12:43Z"
enc: |
-----BEGIN PGP MESSAGE-----
hF4DAAAAAAAAAAASAQdAQUq9YeKzVuiJzH+x8GkoeSzzL9XDQh2P9oLHv1U/vEcw
7XSvNa6VkyDsST2+YLeja1TGyqiQUofHzTKmclN9QAFHyVcOjOs7gQ3dqwzEcA4Y
0l4Beu5Ek/6r99UrMxrmGzSyNUxrTc+41FKH1VVHobSnC1CO8Qfql+GdikUMoBWL
ZwoxmhuHZfO/1AvWb8EgwAJcfCB3GjKtCbUxGEcgRyVJm8hxnfsUottVtGUCsdtN
=v630
-----END PGP MESSAGE-----
fp: 31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2
encrypted_regex: ^(NETBIRD_AUTH_AUDIENCE|NETBIRD_AUTH_CLIENT_ID|NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID|NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT|NETBIRD_DOMAIN|NETBIRD_MGMT_DNS_DOMAIN|WHOOGLE_CONFIG_URL|ZT_ALLOW_MANAGEMENT_FROM|ZU_CONTROLLER_ENDPOINT|ZU_DEFAULT_PASSWORD|ZU_DEFAULT_USERNAME|addresses|clusterDomain|commonName|config.yaml|data|dnsNames|dnsZones|domain|email|externalIPs|host|hosts|ip|ipv4NativeRoutingCIDR|k8sServiceHost|loadBalancerIP|my-asn|nameservers|peer-address|peer-asn|secretName|stringData|whitelist-source-range)$
version: 3.7.3
---
apiVersion: v1
kind: Secret
metadata:
name: biohazard-secrets-decrypt-sops-age
namespace: flux-system
data:
age.agekey: ENC[AES256_GCM,data:wv5tjeWMyGPVLO6Y0VEy46vzmdn35JI2HV1ltOX/PgP9yDcqTGvDPVQLD4PNWUZHFHA/87tm0A6g/t3tev/t5SotNuQyI9vM3hiz5IvEdk1kCh+X5wuD37sOwtsczkGBOnBUusFSqHFFJlb1aTrmqiA6LQUXSWSULs9BPq3kBtzU+gO+LJcL2XxviUMDz+mMSBiydXmAJESbSVlmtytz2l+vq5ce/ArTx7/CdhG2tr7AoiFk1aHwJ5lOy2V1mprpdfY5YJ8VPcBYocNd3jDDw8YxT8pG5t1V0LfhQAFxZI8kaIJ87C6JMYF3+xRw4OG0YYyqmdzFjeQIwWcw,iv:kTKRG6Nvs2MXOcnfBBbAha52xDnqe9HjG2AToXIB/k0=,tag:hPi27FQC5wPJtPfI8GKKVw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNeXMrWE01RzBHSHlHaXNW
cE9KMG5jaEZEeG9LclRqOHIvT3QrRS9TTzM4Cjg4d0orK1d6QncrdjNrVDFNRm5p
b2ZwVUJUcG5jbWxoTG1RZ2NBSFM5RW8KLS0tIDBsd1R1MzR5WURLWEMrYTFjK0Ux
UmFEd0UveklMeHpwYmJWcG91cU4xUUUKYKm5ZiuBX5d4oadXp8mNt+v0MASMRbqT
k6WGNihbkfA5z8aLnx4vR7tA4ORv70s7ALXvzZCD0m/fMnG8e9ssdA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-05-27T04:21:43Z"
mac: ENC[AES256_GCM,data:K5nsP6Q9dwpGZSEXcko3Nzb9xW/UQfmYj8eeu9lj9/aznpKaugPUj1zfuDbVVDz4+whvfxidNnYJh4k9JtUtpoPdAXL8SIoW2cynMdtIRlg3gvU3+6wL69rkoUfAcdvmdW5lChHAmPdz56ap0/FcJ+eJpdSuwKJfr+mPzBH4yMY=,iv:DWo7n/m/70Xt3g3xOrIhG/WZsIAOB0Z5MuRoxdr8x98=,tag:nZx+6PfS3ydj4nM+uli4iA==,type:str]
pgp:
- created_at: "2023-02-26T18:12:43Z"
enc: |
-----BEGIN PGP MESSAGE-----
hF4DAAAAAAAAAAASAQdAQUq9YeKzVuiJzH+x8GkoeSzzL9XDQh2P9oLHv1U/vEcw
7XSvNa6VkyDsST2+YLeja1TGyqiQUofHzTKmclN9QAFHyVcOjOs7gQ3dqwzEcA4Y
0l4Beu5Ek/6r99UrMxrmGzSyNUxrTc+41FKH1VVHobSnC1CO8Qfql+GdikUMoBWL
ZwoxmhuHZfO/1AvWb8EgwAJcfCB3GjKtCbUxGEcgRyVJm8hxnfsUottVtGUCsdtN
=v630
-----END PGP MESSAGE-----
fp: 31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2
encrypted_regex: ^(NETBIRD_AUTH_AUDIENCE|NETBIRD_AUTH_CLIENT_ID|NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID|NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT|NETBIRD_DOMAIN|NETBIRD_MGMT_DNS_DOMAIN|WHOOGLE_CONFIG_URL|ZT_ALLOW_MANAGEMENT_FROM|ZU_CONTROLLER_ENDPOINT|ZU_DEFAULT_PASSWORD|ZU_DEFAULT_USERNAME|addresses|clusterDomain|commonName|config.yaml|data|dnsNames|dnsZones|domain|email|externalIPs|host|hosts|ip|ipv4NativeRoutingCIDR|k8sServiceHost|loadBalancerIP|my-asn|nameservers|peer-address|peer-asn|secretName|stringData|whitelist-source-range)$
version: 3.7.3
---
apiVersion: v1
kind: Secret
metadata:
name: biohazard-secrets
namespace: flux-system
stringData:
TEST: ENC[AES256_GCM,data:Hg7qUIV8/LcdFZT2,iv:jgNFUecJhj9EgkFCexym843VQUJQJVHW2Ne4H59BUa4=,tag:G/D7ZjLSkNQAJN4TOMSaaw==,type:str]
SECRET_SANDSTORM_ADMIN_PASSWORD: ENC[AES256_GCM,data:iYMzuIT3l8Na9R+ivzw/,iv:aSz/PDfnf5NjprFP0F/8MSCHbSNvW1jPKGO3OXM63wE=,tag:TXpMceEeEQMDpSpSwkihTA==,type:str]
SECRET_FLUX_WEBHOOK_GITHUB: ENC[AES256_GCM,data:rGaiLXNI7EyawuFcirkZlAXu2cdLRU1pwGWS2IgrKsyvcRmUMKXMmQ==,iv:sp8r4GmQJther8xiuDnXeGIkCSwXMEL8aadH12ZO5Hw=,tag:b7/CJ5k7Jy7sbYC4oA3mEQ==,type:str]
CLOUDFLARE_EMAIL: ENC[AES256_GCM,data:/1LlGIvbc3FbsOQ6AJV5/BWoHGmijg==,iv:xmSF9Pbx4cc5iAe1kkmcEzggKOdzoQLTp1d5DkIfyTM=,tag:4LyeHbV+nThNfhwAf1fyxg==,type:str]
CLOUDFLARE_API_KEY: ENC[AES256_GCM,data:IjhX7PRvlOrAZHhld4eUTnk0U6e+26ddBvDAzskqal68OKDhnYNGcQ==,iv:Jh+AZONqsY3nlpdG+mgwQNkHFTB38DOPCUhMZVHNIqI=,tag:PWRooXwDuDWZ8/oRfxKslA==,type:str]
SECRET_CLOUDFLARE_TUNNEL_ID: ENC[AES256_GCM,data:yPjiPwCwax7XEipMsVxMAYqc9zAX1mmXgvGsBjuxGc0/mj5R,iv:66hgExptGr8MFGErctzTx1apJbVaXqF4HD/SSSifc0k=,tag:l36AHL7VDK1MC6rbxa0LFA==,type:str]
SECRET_CLOUDFLARE_TUNNEL_CREDS: ENC[AES256_GCM,data:2CKmTAuYGngYVQ7bwwbPOYqSfGc8hFWWrHdnSeq6iIM0Kp/TALhcLSpuSICp8K75kEBapLzC2K6qhJeDPqGBaMORVSYOTSnlvohv14G7AS7Z4R2ehv2xVFoB5wswRJjmh5lrHmNxFfeY4IXINcb8KK/Lmv80P4BEzyxO0cL1KlKZ7gGCcaxQQzkdHMUszdrWUhJ992wGyJnJhAsV50g0Umc=,iv:hpmfzax4tMf+9NLFHfRJSFumN6TdfjTtmqd2tI+pN7o=,tag:bAQeLqQj1cj/389Rp7cnqg==,type:str]
SECRET_MULLVAD_PRIVKEY: ENC[AES256_GCM,data:8GwwB2KunIeIVoNtfLrJrQZyUq+HZcTDkchFLdwPb8R49T9PjgPAvldHEM0=,iv:CH2PhTJMkYyFmcPg7yP1CDPOBT64PBvieKSJfUAwSeY=,tag:lxIvIfanruO0GaBcCS+msg==,type:str]
SECRET_MULLVAD_PUBKEY: ENC[AES256_GCM,data:1cuPz4zCwzElNp5XqzQ6VBahV3w/okLxu31sfMZYndppMG9idRJ7rQd38Ao=,iv:KAT2zWYa0PCEtILRNWS0JYDplCZgwe6v4ZqLwhotKhI=,tag:/MXF+je7QzNd7w2WNeCNVA==,type:str]
SECRET_MULLVAD_IPV4: ENC[AES256_GCM,data:rCpJGTvXmmYv3/j8+g==,iv:NSnLVTRJM+iAlvSUTs7kP5OTMDptEzM+C211y5DHccg=,tag:PYSScVzPvuMBN+e6RejjYA==,type:str]
SECRET_MULLVAD_IPV6: ENC[AES256_GCM,data:DxZNUsqVFiNqlE1356xAW5pTzAiSg3eBEAb7,iv:kh3Z6/LIgjugmVQMQ6rwDXrvo569nZG/RMMNG+5xY2I=,tag:EHERxIQ4HAv9KfmFw4cExA==,type:str]
SECRET_PG_DEFAULT_SUPER_PASS: ENC[AES256_GCM,data:xfG2YEf6AmtmwUvXbHt/63zXt7fxbzUlBVlvlWmzuy5xg/TH+cXDTU0ojeCuVhhkFt4k/hrPpvfnWXTnKUc7QpykqXECZteGMMgh7ZScKpkwoppwcrnq9uVbUaSDFfgaJi3jjYm52krHoFC29KcNvA8CBeEqWaXNXTds5jsRT+fQGrJaqf962brHgPOhEFyqWm7K0KEREovl+dkjOFTTdGYLjSr7pyneCy2266hVjxKugDJ12SexsnG6k7k+Ky98aGPGA1ktt4NFEvXfm8v1Rmyn/9odgieQ/yrtV0ICdl+HZrbAOHg7V+ZhumExr40xuj4QNJE0EPeCKtuXKQmaFYLq2cSwBJLQxPq+Fg==,iv:WVuvHUmF9dnsJE2agcbuXSNmN7K5GCV8MZqgK1heh40=,tag:YhkKIh1ALMwFSFbrCMeEsg==,type:str]
SECRET_AUTHENTIK_SECRET_KEY: ENC[AES256_GCM,data:e4al+OdEsy1EoPr2ZZ9e/yGbmLXQiWr3sb9aHS3OYa4B9XKkDjHreC4iUMN9NQTvqm0=,iv:ACJlHndtryj5F5Sx9m3qoJqvd2czERJKGMaR1Z3Zd74=,tag:U+rzNgO9uUIUgW2spjIfrQ==,type:str]
SECRET_AUTHENTIK_PG_SUPER_PASS: ENC[AES256_GCM,data:T4h7z88+WFFt/0zG+6x8g+xvQM6XezBnrgyH88hocczaSNd7vTmrcFFMYHhuuDDDDnr9Ka4FauhoGIvKlll+4gTovv0V6WmYXMQIu2h4vBGretvaFWJuWmtHizv6d8Mq3g6wb2EoZsFAPR4SREMceAa+x/wcvau+P4yrgrzE19fiMEWerqiMYG/YpQVS6A3HghT53oRP7uIrnL1x112mgYZM23kdRfIs3kqz/LFLO3FGM/f4b4fu+BGndtVvVtzNyx99ZAt3z4DzPuhf9aolXZi4JemAGb0MB0dsECaJEVGLpdhHNytZoldvSXedRAyy7pAMKQbv5WNcFMzoRV+xKJXqKbKDXnO4bpGFQQ==,iv:u5xQamW55sYRL1FdDfyNAH9aX1kRj6+VdAm+vZ5PBnM=,tag:7kZXvqPQPOLbIe/nVa1kMQ==,type:str]
SECRET_AUTHENTIK_SMTP_HOST: ENC[AES256_GCM,data:Q4VLzc8EMfzmm7Bm+rKZyMauV7RKwFuW2EOnpiLv0vbCMSV7w9jX,iv:VLEo7xRn6aAxu1PlJzxhSeevMRZ+bxUo93h+VKRQKbU=,tag:Q3Fl0ph4U0XcqTAQfsR7oQ==,type:str]
SECRET_AUTHENTIK_SMTP_FROM: ENC[AES256_GCM,data:8Lb5Y591MubFOyUBj8wW+D58wQ==,iv:OdBXSFr9hiRZXKz9AAP5n8rRj26Zh2gubHNU4Az6GMI=,tag:tqe19b1kzY+jm5Lp/nq9Sw==,type:str]
SECRET_AUTHENTIK_SMTP_USERNAME: ENC[AES256_GCM,data:n+plMaxRcWA5Wt1ytJcLAcn+NN8=,iv:pP2s+5ZPX7xi595dBVq8p2iOAG9ytO+NTZbZLa4qdGY=,tag:hjGu6tU0nrBcRqCZ8xmI8Q==,type:str]
SECRET_AUTHENTIK_SMTP_PASSWORD: ENC[AES256_GCM,data:quqqaVHuZbam5XTrRor+D+iLWV0p+MPPtCN7eXE8fvr+gKe/1bmaHA==,iv:3Z91p0NO9V1FEc/wEpexQYjkP2rMujXQQ9p87Udkt2E=,tag:obxHpxfeWve2UywQZRFn5g==,type:str]
SECRET_AUTHENTIK_REMOTE_TOKEN: ENC[AES256_GCM,data:JJ/1cOCyXy87098S5TEEjh07t2oKRQ3iKdV5gFZYE5ijR50SYu0GuBT5282MLtDA8lfi0m1hdkJ1pWAB,iv:CdQCBYDRW/sosDoDu10LD2Hrsc6MPQ/upl+A2R0MuRY=,tag:+0e0w06ze085EMzuuErDzA==,type:str]
SECRET_AUTHENTIK_OIDC_URL_AUTHZ: ENC[AES256_GCM,data:RqG5PYN05DAMaAYRY/iIjX5cxhfDxXuIfAMxW3Q/BIYQJeyPNWQpstDs0cCh8nn6YKItWw==,iv:UpbF3TfOV7hn2cvo0eGOnctZ9Imta/g4MW+qp0gqpa4=,tag:2ICHiYgi6RH3IW4f9MBNcg==,type:str]
SECRET_AUTHENTIK_OIDC_URL_TOKEN: ENC[AES256_GCM,data:OWNANfS4KqphsIC0/o+Ax+7qn6E4B5J/a2JTdkGJdjr0N8bXznC5pq2NSHR7y9bR,iv:dKxvZSau2RnEMsyByGC9a47Ajzvs6cfSZpk3xOG4s6c=,tag:GEKvIA9rfoqgQPFL1H1qgA==,type:str]
SECRET_AUTHENTIK_OIDC_URL_USERINFO: ENC[AES256_GCM,data:pLpqYByHlGkadOspCgfkoIap1nN9cA2bTUkErsu/kxxynP0SJxrygbe7JCu5+5fsZpNt,iv:x8BdORu3Wmvmbz6++xf73sWLswHbAK2zLzBr8TAhyCs=,tag:/o4pxCMKrGUltZwiKqLIVA==,type:str]
SECRET_AUTHENTIK_OIDC_URL_JWKS: ENC[AES256_GCM,data:0BDv9VUz+9owf5yqvxYTg6NKZioX9dghVbvZEwkbA2qfVmT1avHqqHoiLDuRoyeiTyDfH/S5/Q==,iv:FFU+f9gJ5DgsT99cn+6F/baZme+W1Nrn3Wjy67kn1Ho=,tag:7rdcjP/IDoFqdot2RV/9RA==,type:str]
SECRET_ZEROTIER_UI_USERNAME: ENC[AES256_GCM,data:n3lq4WdMRg==,iv:5jq1lh6am9O8L472YLhef4BRvokIYqmpNY4MTnkADIs=,tag:+rmMEwzNWfQLEsnoms1Erw==,type:str]
SECRET_ZEROTIER_UI_PASSWORD: ENC[AES256_GCM,data:e1bY9uZlLmKVKatA6SRcd0iO/78OnQbM,iv:tR01q+o6YMgLdEavGaZY+IHR1SF/6lo48zcebgr9SRE=,tag:kf6Qcd/VuYTePyBp5rPW8A==,type:str]
SECRET_VOLSYNC_B2_PASSWORD: ENC[AES256_GCM,data:W3qJMgDu/VR4eOMs2awQWjEjv6rQ32QfOgwj1DMwr0SBeJTS/1Wk5UX/GEgykbnL9GDDbamLutuolfD8jGvFFHBuwweeI0pUHS06AF6GfMxzl6VJJLntka+gvAmhH6QksO9+3go7+96tgOJksgQuEF+4wDg/tYTXs0popeUsb6pDs5Lj9oYbLUgGdrvCEfRoPOvJqyd9ADRkBsYzP+7L/mShg6lgNjgPjkbT+Q==,iv:/DRHZMbfgxTNSn/sJ+XXPX8Os361lF1jM0LBTzF2uLs=,tag:RDGb7/ugBe6JTIceDHn+8Q==,type:str]
SECRET_VOLSYNC_B2_REPO: ENC[AES256_GCM,data:VZFF2zmZuMT6K35QTyaD+A==,iv:qw5BjEqDTWFD4La6FpCuNsNyQI5mgJd59tnxn54OaV4=,tag:AQvnxDADVS3wooW5QnfjaA==,type:str]
SECRET_VOLSYNC_B2_ID: ENC[AES256_GCM,data:kJ+Zrj8TtLec33N1LC1OR3ZKQSrmbERd2A==,iv:LNe8dQ3RWYfslAa9YV/8PDpI2q47JfzDvWokr75dw/M=,tag:tP7VAP8wZ8VblGLWiqOADA==,type:str]
SECRET_VOLSYNC_B2_KEY: ENC[AES256_GCM,data:8OhwlrZ7SHOjHMaAjXwTxcYuhQ84SouLW2kQ76tsWQ==,iv:JUnkcfHooHxmDaUlnZd5JW1tXwz2WMtSZGxG0tRC8Jo=,tag:4JhH4Bk8JGhRt1YS+Qhv8g==,type:str]
SECRET_VOLSYNC_PASSWORD: ENC[AES256_GCM,data:KuKSvK3ry8Z8ZWtjBgr6Gnkf8cwP68eAu5QK35lFewFtGlBnRmgouZzYppO3DdBRcK/RBSMjSnPqV/3nA6yACwKvFPNlADlHzGINddg15qtJhV5YY+ADXOV5HA/F9ZPVw5OuZ8SvCOr+7KdjOHWzwTHHb9Vu2L/5mgCvqvAcESb7T1E9ohdK+7RGS1UEqmFWv/QlIAoi3v8e8pjkWMgfM2nCxT3E9SLl3Sc3OA==,iv:lMSMCL0qROjMW7SFvB0lthpVB/khvQrpwjntCtPqJP4=,tag:+1vkMH3TJLSk8b2VpCm7/w==,type:str]
SECRET_VOLSYNC_R2_REPO: ENC[AES256_GCM,data:YZz9egO0rSK6rHazpNBQaighyvMf0J518dxq5IJGa/pg/iMcrVDNIdbrz5OCCpNVzagsutSvE5KElz29evaBtzgicgIT+JE0BwkLK0teF8up/Bmh5AKOP7ppbGRUXMRkUDg=,iv:d1cImYhhj4M3vJk5chAPWIu2ptxsM/V4I2Lw5k0A+Os=,tag:/u7fh9jMwKt3jQTAmflZsg==,type:str]
SECRET_VOLSYNC_R2_ID: ENC[AES256_GCM,data:EaXgFrsdiFTCv/07MMwf4EKKTnIfb7gOn9LEFc4AcEM=,iv:kT33F00xiXl5zBKMlgiGX7M6b2JZJQBZKN8jhyX4RmI=,tag:CbdXRxK9iMeFZo6fGABsyg==,type:str]
SECRET_VOLSYNC_R2_KEY: ENC[AES256_GCM,data:od+kJZ0If+81tSJkqGYJfrN50jHkkkWmyxeTitPTZFKnxF4uQblnIg00/bJRJm7jI1FnYhcqA06R7YIpU7ZhFg==,iv:ABtZEwdV7dnx5CDODWUJjkx4WfMrFntsf7/3XfJjHBA=,tag:zK+w7wHNCvs6uFzBPAH8SA==,type:str]
SECRET_GRAFANA_OIDC_ID: ENC[AES256_GCM,data:gD/HZo9XmhKeekLB+EDrL/Uk5RNbBOS1v1P238evCj5ySOYkp42SoQ==,iv:Xs+4KhQsVOsAn4XViUG5MOCGJWhrXhagw/I5Q1H2ACQ=,tag:nSFiVga3BWK/DNQNXHZexQ==,type:str]
SECRET_GRAFANA_OIDC_SECRET: ENC[AES256_GCM,data:lSCrImlvci3fUTDxMrHKmkgWZyyjE+7exmgCV/pIRI2ixLEm4qymBYJD7A4ZDXoLtwID9yOIBt023d/rR0kkq4GJXC5jfaN+lUPRw0r9vgp65qXxqCCn7m3SuzfxOAu9M3Q8LbFPiucZwNu4yMNx4pyHg0IoF3Gi/NJuL6RWIt0=,iv:Ts5BvuJ1Yr6VnTa4j+9Dt8bU5MyJyZdg/pXijKQ3Ass=,tag:W/NLN+nPJzZeHWfXDw+ZJA==,type:str]
SECRET_GRAFANA_OIDC_URL_SIGNOUT: ENC[AES256_GCM,data:P192MWyn3tqLL4FlO89nkRqsrFidQFkastpS4utjseyxkC8yO0dEhO7Llg8IaoAgoytuwvlrwMybUvrllCM=,iv:IOnOIJ435mPmC+XIKk9KPyRlXykbpOYlno/fgmXq+1I=,tag:ju8lSaDzfl49lP8kLiVbAw==,type:str]
SECRET_GTS_OIDC_ISSUER: ENC[AES256_GCM,data:VLn8iU0uoUILGS+vTyJA3CMFxr4BKXNWsqqUBOYPehkhtlC5NMYLxrO8amaIaRahfvtQIby1,iv:TgHfaw0OdtQKwsxVmr1vc88mNc+3jYA40Pab8MyURNk=,tag:nNXH/WIErXDkVy98crd73A==,type:str]
SECRET_GTS_OIDC_CLIENT_ID: ENC[AES256_GCM,data:97cm9sRp4pK5/bu+ZaIWCmK2hvH6ED35Gz0BUmA5kJ2Pi7v5DMYSrw==,iv:+NGUTnD+uyTOInKdCMwtPBe/CDJJZW5O2skiafTCn/k=,tag:CsbLOF8cEsUXvViK9yvzkg==,type:str]
SECRET_GTS_OIDC_CLIENT_SECRET: ENC[AES256_GCM,data:Y4G055suXXfCBYUxzg/gpvgfH9O5AIiXnL46ZR8uzFYv0NGDDyuwZAb3DMSP0CbrNhI+GHzE7sZv5TDilJX+fK0HIhPS70gjBqCaQzyzUISpKRQma9CcBZFSauoCxmXR2xoWcIVoq4H048RNJnukRwgvX0NY6AZXxfA9IkdEHjM=,iv:M55oYzTzVCN03YqiOkD0ytG++SNdI0jri9F+Gt+lyGk=,tag:1Sa/h+oFTPj/DsA6v4NwyQ==,type:str]
SECRET_GTS_PG_DBNAME: ENC[AES256_GCM,data:VD4zwGfdK0PjHA==,iv:bnLNqeVSXgLmdCr/kiE6h96mIA39QHjq0ZQBVtOVuuc=,tag:GmnXmDjTVh6RPcoCvIX7LQ==,type:str]
SECRET_GTS_PG_USER: ENC[AES256_GCM,data:8VBf03pfmJY8LjGnn/KSaK36pOE=,iv:znSRNJPO0k4Hb+2zONYLJEehz1lDaridb7jhDMR6IYk=,tag:YIvI3LQh93nuWNYakXYICw==,type:str]
SECRET_GTS_PG_PASS: ENC[AES256_GCM,data:4CLtnpcvhljJe1l+OKI3Q++PN7C++9ZavFArGsuxkIW5hoE6FFsAgGngFqw2ck1LAVqdwalQedQdj0LvQmzRpGybGxFGB6/4KHuQVMIkX+HyDReItP0vEXHEaq7HitxlpI+CLmlFK4lCOUdGY5/JvhZPLo+PV5STHsNvmrVaQhTvih3p1G11coCTbo4A/VHHWUGCyQDUoHxs2Bo/iYH2kFKlw/RYGFODmk1ffVUHHRsUHREpb9f5YcRwblWFOpQvwEYINKzlwoM=,iv:3/htXyuzpDJrTFGM7Yy5wcEejXN3/Jl4oyJ1tzPih5Y=,tag:Aie4reRcph39N8mRih9lLw==,type:str]
SECRET_HEADSCALE_PRIVKEY: ENC[AES256_GCM,data:5cwm3FpMYlCxF6g+D0S0+Ti/UVSzJop5lu0Q53oT2+Gt5UVk0yhttjqrNZs5w3dnFJ0De+EGrXhaA5vsuUU1EgRq2t93NC/M,iv:Ny9T6kobbbEn94OLF6gAymCt5h9LlY7QL2GL36yuFAw=,tag:IsdV9wXyd8yTx5urHVef4Q==,type:str]
SECRET_HEADSCALE_NOISEKEY: ENC[AES256_GCM,data:w0LQ6auq0XPgXC6KIOuSBZ66avDH/1oM4yK1ruYK21m15A5Mw28yQc93Pp67XbT1P54JgsdUYIJMoz43+wF2Hw3w8VFK4QS0,iv:bMfM4S1UyQjhdX/0Mu2xpa/PkbuOe0eL4G8AviTb3iQ=,tag:4Rej1+iOtMd5abXFkuBiFg==,type:str]
SECRET_HEADSCALE_PG_DBNAME: ENC[AES256_GCM,data:Iyj7YpnEOjnuZ8W1iCYIuyxoNP0ATH6M0B/njRF8TDnjty//bHsx8Q==,iv:MfexUGI5k8BJNugTN9HkAwVbIaqTOeTCPgvsvRDgvAw=,tag:pVcBD4v7zCliXo44KG97Aw==,type:str]
SECRET_HEADSCALE_PG_USER: ENC[AES256_GCM,data:mu5YQK7hwKmdATLv4AsC71lo0n0JemZMPnxdJPV7HaOlMcNCsTq7AbEGrsQm9fQ9yYiJg/ZdoXMAGihCs3sLEw==,iv:ZC9is+M6KkCUkqEfxblxg4eHZn3Kgoruk0K6G/dV5N8=,tag:PdVAAZuL164zcsRHIQGwVA==,type:str]
SECRET_HEADSCALE_PG_PASS: ENC[AES256_GCM,data:IPXHgbtdhFhcRWyQ1u0710/8QVEG2uoPdetIRbRrPIRRhv3TpR04d6ypWos8WunqS5JJaNjm5RTr2O6+DP7ITizMIyUJaLL8jKs5u5nvr7tIB3GsrtU/qBQvZuT+yGjouuf/ezo4euno2L2VD5aKoQN6mdUfFt9K8beb3s7aSBWbMHdvB5KTwssbaMG9alir9/pZEVacsft4zNn1KpTBFQ==,iv:wKDHzaGH5azCBL8zWSt6JbSKeuZNODG5VfOWmwH1GU8=,tag:NShyDOIzSSv74WV5kvlXbw==,type:str]
SECRET_HEADSCALE_OIDC_URL: ENC[AES256_GCM,data:+Jy+NuSGcYXi+p7uOX6lyz3OacT9WaRvY4Ywyuz7dIP/larM6iKUJPSbpql7ZQUNIT6/Lq1998HF,iv:L7MpcUPSjeMcayj1z0J4tccXXdXou+O7IHpVBWtzeqk=,tag:+4f/U3sMpE4WE4mMwTlPLQ==,type:str]
SECRET_HEADSCALE_OIDC_ID: ENC[AES256_GCM,data:oDoZQFp5EEAqa39tMx/Kse427QmYyxUXXPU8dGlCNGtupVvAs+7rzA==,iv:1gVegFflZRsRoo93MNsNwVQT8YRWcNh06MOy5cMsb3M=,tag:1KEb+pRqd154BQdR4NhFhA==,type:str]
SECRET_HEADSCALE_OIDC_SECRET: ENC[AES256_GCM,data:4wwV9m+XmSIGXCzojw0Va8gH1L/E1VugXQc1N3adC6JitqOB7bvdqBxE0natU1mhrCUPdUViojV/IZJ/7qdluNNTakDiWWnL6rVI4xd1giywBc5taEWlQb7081zEExWm09wuRcjYVpfLakJFbM8fJJqTHZvyP5ED9VpNglBk6XU=,iv:RzgyFgOt9TwhRCysdf+gX7jhBQgA0Oo9b7xDCaDEBG4=,tag:AyDu6lImdsJpqEIDRPZ+hQ==,type:str]
SECRET_VELOCIRAPTOR_OIDC_URL: ENC[AES256_GCM,data:bZvEdeLjQp/G7mEdiejIevOR5FeMZhxWJE/BObP0ibffM3MADvr0lfsPTlaAx2EIRSQZ/bSQ,iv:NP/IetQojxS27UtjTstn01RtX4yFh07Rrwd8Jp6rgqQ=,tag:JTwJuSrJMr40Bq6PxHjqpw==,type:str]
SECRET_VELOCIRAPTOR_OIDC_ID: ENC[AES256_GCM,data:E2VX7NZ3k4bonCEe5nY4UlLukFLtTeBFvfq0ZSoSb8rl49Ai5aTQzA==,iv:xY46ft6JnMrQku+XU02J9HIZjReVA+YgaGcF3xkKgW4=,tag:WOfx4QTDFWAggV79AWhRTw==,type:str]
SECRET_VELOCIRAPTOR_OIDC_SECRET: ENC[AES256_GCM,data:3uQ1uIb4St7l+TpwsnmLjQX32MT3lEmMz9hyV50t7xqkKG6zk6vRevzNcwrAhOGnXhKSjcgFSP8JUSG11smoNdFzOijc43VnFc5kGlpZYRVt0CGql17X3KadFDuCDTqs8mAZrTB75B3+ZHCL8ECN/943gdwWiJX6tnKElqYCoig=,iv:jps5oDsDJCW3R1ZcTKUuGkYUbj30UuBS54JMkHnkeSM=,tag:MztE/HtsEv09SBWL+ydDVw==,type:str]
SECRET_VELOCIRAPTOR_OIDC_INIT_USER: ENC[AES256_GCM,data:k3JpBmcZRqLP0EqMmCva2W8=,iv:21IxGXPVidbYoPjNW+VMdj8uxXy1VL2jSv47MFKNRyQ=,tag:V1KMNqi4taHVIOJ52U98oA==,type:str]
SECRET_VELOCIRAPTOR_NONCE_CLIENT: ENC[AES256_GCM,data:D3UqAvGedyDOUs6l,iv:P22j8cQ3vFt0OR15J4CFDaJR6UELpj7F1CSSUGSdz5g=,tag:sHlapxVFoPaUhXoe5vg1kA==,type:str]
SECRET_VELOCIRAPTOR_NONCE_OBFUSCATION: ENC[AES256_GCM,data:cpkIbNmTkHD+b5yD,iv:CnyYk3i2vash+0SJ2/fyTM/AnVm7SEfA4dlZAUzonOQ=,tag:crz//WBVjeUTteWi2QNMhA==,type:str]
SECRET_VELOCIRAPTOR_PKI_CA_KEY: ENC[AES256_GCM,data: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,iv:hiXMJNXv8ASXg9QJFiNNkHRGo+fD4vgibUcwVUKBr3I=,tag:POnk0afdIydY6Vm6lk5MyQ==,type:str]
SECRET_VELOCIRAPTOR_PKI_CA_CERT: ENC[AES256_GCM,data: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,iv:4+uCcnbLYOiqhkyzoYvYCXl2WtQ6YDYv7xYx5kX4+HE=,tag:ORzEMa6rZHtn9a0B3RaIgw==,type:str]
SECRET_VELOCIRAPTOR_PKI_GUI_GW_CERT: ENC[AES256_GCM,data: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,iv:9bj/z4PfeKb6p7YcUZzJYH4/hH864Y99G9oDnS5dDE4=,tag:uMQHKcS2cbaSvULzW+jM1w==,type:str]
SECRET_VELOCIRAPTOR_PKI_GUI_GW_KEY: ENC[AES256_GCM,data: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,iv:Su3xktOFE8JQ5eivyvyC+qWm1/5Bg/pW+5tcbmEF1xU=,tag:UAMfU1ZNMa9pDtCXNs1tfg==,type:str]
SECRET_VELOCIRAPTOR_PKI_FRONTEND_CERT: ENC[AES256_GCM,data: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,iv:fufMMWIpdQsz3mNhbGDaerzqJv26WiCN4f3Y3TevS1o=,tag:QB3Xsp7nglznr1pf96zq5w==,type:str]
SECRET_VELOCIRAPTOR_PKI_FRONTEND_KEY: ENC[AES256_GCM,data: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,iv:fYSu/ymBwcxMOI8sh/cmXw/S5rrlEcmohB/jpkyw4HU=,tag:NiQpWfVe0f2OlMcCEQ29WQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNeXMrWE01RzBHSHlHaXNW
cE9KMG5jaEZEeG9LclRqOHIvT3QrRS9TTzM4Cjg4d0orK1d6QncrdjNrVDFNRm5p
b2ZwVUJUcG5jbWxoTG1RZ2NBSFM5RW8KLS0tIDBsd1R1MzR5WURLWEMrYTFjK0Ux
UmFEd0UveklMeHpwYmJWcG91cU4xUUUKYKm5ZiuBX5d4oadXp8mNt+v0MASMRbqT
k6WGNihbkfA5z8aLnx4vR7tA4ORv70s7ALXvzZCD0m/fMnG8e9ssdA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-05-27T04:21:43Z"
mac: ENC[AES256_GCM,data:K5nsP6Q9dwpGZSEXcko3Nzb9xW/UQfmYj8eeu9lj9/aznpKaugPUj1zfuDbVVDz4+whvfxidNnYJh4k9JtUtpoPdAXL8SIoW2cynMdtIRlg3gvU3+6wL69rkoUfAcdvmdW5lChHAmPdz56ap0/FcJ+eJpdSuwKJfr+mPzBH4yMY=,iv:DWo7n/m/70Xt3g3xOrIhG/WZsIAOB0Z5MuRoxdr8x98=,tag:nZx+6PfS3ydj4nM+uli4iA==,type:str]
pgp:
- created_at: "2023-02-26T18:12:43Z"
enc: |
-----BEGIN PGP MESSAGE-----
hF4DAAAAAAAAAAASAQdAQUq9YeKzVuiJzH+x8GkoeSzzL9XDQh2P9oLHv1U/vEcw
7XSvNa6VkyDsST2+YLeja1TGyqiQUofHzTKmclN9QAFHyVcOjOs7gQ3dqwzEcA4Y
0l4Beu5Ek/6r99UrMxrmGzSyNUxrTc+41FKH1VVHobSnC1CO8Qfql+GdikUMoBWL
ZwoxmhuHZfO/1AvWb8EgwAJcfCB3GjKtCbUxGEcgRyVJm8hxnfsUottVtGUCsdtN
=v630
-----END PGP MESSAGE-----
fp: 31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2
encrypted_regex: ^(NETBIRD_AUTH_AUDIENCE|NETBIRD_AUTH_CLIENT_ID|NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID|NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT|NETBIRD_DOMAIN|NETBIRD_MGMT_DNS_DOMAIN|WHOOGLE_CONFIG_URL|ZT_ALLOW_MANAGEMENT_FROM|ZU_CONTROLLER_ENDPOINT|ZU_DEFAULT_PASSWORD|ZU_DEFAULT_USERNAME|addresses|clusterDomain|commonName|config.yaml|data|dnsNames|dnsZones|domain|email|externalIPs|host|hosts|ip|ipv4NativeRoutingCIDR|k8sServiceHost|loadBalancerIP|my-asn|nameservers|peer-address|peer-asn|secretName|stringData|whitelist-source-range)$
version: 3.7.3


@@ -1,140 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: biohazard-vars
namespace: flux-system
data:
CLUSTER_NAME: ENC[AES256_GCM,data:UTNoF7TkZ/Le,iv:mkA1AMzFXq0XEbprrqFCVWEyU37m/2y0P2SDzjDyTmw=,tag:bmh3LiqDrLEYuCzH1TnJzw==,type:str]
CLUSTER_NAME_LOWER: ENC[AES256_GCM,data:dxucmLtxUMJg,iv:tco3xaQ03sBsr845xNrJvrqBa06DN+UwCZZrQ7GHkhA=,tag:Q0EtxM/GSYPGGPHCL7loSw==,type:str]
CLUSTER_ID: ENC[AES256_GCM,data:SA==,iv:GFilkbJkxv2S3+DrAXKNsFSttBXk4HZpmyA4Jp+6JQs=,tag:4yyV6bwxbXqb/BJC5XcMMA==,type:str]
CONFIG_TZ: ENC[AES256_GCM,data:QU5C/D/cxN6t4t55/7A=,iv:Qt83MzR1mPAuKobVQZJQR72SXLAwWwI7HkDxOAkqofs=,tag:3FtJVBMHMSVMgiJWqmqf1g==,type:str]
USERS_1_UID: ENC[AES256_GCM,data:oxx0hA==,iv:5NnJorvwN9MibgQ9WFrb1AMYz5MGd5AfeDylb1RHe2k=,tag:MtZKpIZgqVbndY8Qk5J0og==,type:str]
USERS_1_ID: ENC[AES256_GCM,data:d+gVpZ2++zMJ,iv:EfKZSpKm9NsGTU4/lyVmueULkg/Dx2We3Wr2M1DkH6Y=,tag:Lq789OomRXAHKVO21Qj0Iw==,type:str]
USERS_1_NAME: ENC[AES256_GCM,data:HUBTvrZQh+cC,iv:9uE5OqV55E1mMPN1jV4RKgCwPh5FvQge1+oegL2TADY=,tag:DaDmQyg+w/yJ2RLFTcGyjA==,type:str]
USERS_1_EMAIL: ENC[AES256_GCM,data:NWF8aXnyB0p7hUro81SLeVk=,iv:Kt9la8dAKHso8blM8GTt2xdiKuE77NHw53y066zAZbk=,tag:grxCUlIVaMgs8shcZFI0bg==,type:str]
USERS_2_UID: ENC[AES256_GCM,data:ZA0Kzw==,iv:us+lwrUhPHRfapkcvw96TCUiiIq9Irk35niyO0xKWLc=,tag:85g8u9OApI1kH37bvcvT6g==,type:str]
USERS_2_ID: ENC[AES256_GCM,data:6Z/3XWU=,iv:7aoHN0pTeluYm/Rh2yjPKejFyKosIT5ntpXJZVbxY1s=,tag:neSexW5qCUSH0txXv37KTw==,type:str]
USERS_2_NAME: ENC[AES256_GCM,data:+i35bJLaW4w=,iv:zYvn5k22T91E88Yo8Z6uvuEHo24XBaARdOlKujvAWzs=,tag:SGGEHHVKmqXZwMhyRZIIhw==,type:str]
USERS_3_UID: ENC[AES256_GCM,data:mfTAwA==,iv:B5oBG7bKMYpUFrvcw/ux9dT6xqp519F5gK/WcQfmUS0=,tag:37q3oEokY/AVsy5o3TL/BA==,type:str]
USERS_3_ID: ENC[AES256_GCM,data:UJWthgQ=,iv:yP1SbGOkCTss5/RjNRFOLI1kxIDWMneiMwrBXt8lECw=,tag:KW+AtwPnChJTgWCrj9mIPw==,type:str]
USERS_3_NAME: ENC[AES256_GCM,data:89cfPpVUwIniXQ==,iv:Hrh3k31gtzJ9ZwRng2K5ExmEehMomrRw0Zaq/P9k3oc=,tag:OZc/mFYyx+7tiRMIMYqFDQ==,type:str]
ASN_CLUSTER: ENC[AES256_GCM,data:v1ltZfY=,iv:Ip1sIVFLw4j6qbqKYf0jANRglSlAnKZhqNdRunZdR24=,tag:fOsYxQObj0Wv664IoRtm9A==,type:str]
ASN_ROUTER: ENC[AES256_GCM,data:/7gZcwY=,iv:ldZNIACK5B4ZvMWYCzHN9zUlArkOIySHSTUrjlrEF1s=,tag:98OXCN+tI2BIt8CEo99QVA==,type:str]
ASN_EC2_INGRESS: ENC[AES256_GCM,data:TcMj7s8=,iv:aQ0lCtQWklJmGstOKeptKAmqHI1W9LrrK6dT2u/4ejs=,tag:WoQXlgdZjc7yMlirgVft8A==,type:str]
IP_ROUTER_LAN: ENC[AES256_GCM,data:xanezieQQCE=,iv:sz1ZvwmS3zfHUhgvLZjeyk9InAJ4nPovhRaMq3tE/EE=,tag:oELn/j4ZKlKg4v6SKZkNsg==,type:str]
IP_ROUTER_LAN_CIDR: ENC[AES256_GCM,data:533OOX4NiEO2QK0=,iv:Wcb1Wj4OO7ZnyEC7jcNXadQxQBm9V8DQkaJX9XoMVjA=,tag:uIB6K4G9hUGFNLQT55GKIg==,type:str]
IP_ROUTER_VLAN_K8S: ENC[AES256_GCM,data:ngwfmrXjohzP,iv:U5DSCUUCZbIhwVAgv2gW98t8d8QwDSOM2YybNQWpgAw=,tag:vPTdK0CHET13l3x2eWb7gA==,type:str]
IP_ROUTER_VLAN_K8S_CIDR: ENC[AES256_GCM,data:a6CelKuP9lYOjXHm,iv:hZxSfx0Nj2aCPxj9GeHpaiuKDa85pqxzx47v4zxOPHM=,tag:8xpQHvtXLDQ7C5KcjqMG0Q==,type:str]
IP_WG_USER_1_V4: ENC[AES256_GCM,data:V9jINBdQjtkYwd1YcKE=,iv:ozo245sBYp4JhPN8EFtrLLlsH5oYtR56sRmXSC9TApU=,tag:4onSK4qyLBW7wV1XQOrCnA==,type:str]
IP_WG_GUEST_V4: ENC[AES256_GCM,data:dhkFXxdMUpqrGyvRePI=,iv:to7XIY/iJUeZSfWZl4983Ageg4SquUasBLCsyxgo+m8=,tag:XUP4K1GuJhyFEy4By0aEFg==,type:str]
IP_CLUSTER_VIP: ENC[AES256_GCM,data:GxYFwPSJ60yN,iv:KfSez768cxxjiUi7SFUEBiecfpQ0If9dbvPJlK/SHdM=,tag:8wb4wfnh4+Pnu7GYIlSs4Q==,type:str]
IP_POD_CIDR_V4: ENC[AES256_GCM,data:8NQgsJ5G6NB3i5Z+oQ==,iv:gqvHClld24aRnLEVS+ZXTXEee5WKNux6DgOcNIStvLk=,tag:keMcbbSis5cjsi7L76TMbA==,type:str]
IP_LB_CIDR: ENC[AES256_GCM,data:/qxOk5Vn8Q1/isE+iw==,iv:BhOMIotgJEWcLJOfP/unKrjX72ZEY1RfBtt5P14hQko=,tag:BSCy1PquhSew/ofhyGOLFg==,type:str]
IP_LB_DNS_CIDR: ENC[AES256_GCM,data:WTztF0IxJyBNJ27ocAI=,iv:F7jUJgeAe+edLG64NjTXqujS6FG5Bp5pKlIvpOTuPOo=,tag:rJQmbPzqmwFrDUc5SToeog==,type:str]
IP_LB_DNS: ENC[AES256_GCM,data:EjqSz37GAhmunLI=,iv:IYQ46iJMT3A5JrfKM/+AmV9JIcYJ0uMXxWUKyinV5JQ=,tag:hWkC7U5zKvcxBp7oThYguQ==,type:str]
IP_HOME_DNS: ENC[AES256_GCM,data:vgSoWr2cIRU=,iv:xR+QBTE5PGri3u3PmDFEt4Y9CcDLou7TPtDbHjStOoU=,tag:NpepI2uYYpMXnf56+nLuow==,type:str]
IP_EC2_PRIVATE: ENC[AES256_GCM,data:h1fURs4vImzeM7V7,iv:vBouKgNUOU+5RwzIu5Nu4XZlTnYPc0NCuFxZAL7A+ZY=,tag:th3ZSftw2jhvgydpdJ0Aug==,type:str]
IP_EC2_NON_K8S: ENC[AES256_GCM,data:l5TXKSqsZrgU998=,iv:mu6amtzWpStZkF3VASVF15It+x3P3SS1p6K2Vz7tcA8=,tag:l3ICXl6t/nTKncGCjjeVSA==,type:str]
IP_EC2_INGRESS: ENC[AES256_GCM,data:Vet36CiEB0M0hw==,iv:TIRton/qZlehRvOH5pWBbuhqjdMJofYFriZ93pSPNic=,tag:uEXxhd9/ZKBfuaGOx02lpA==,type:str]
IP_OLD_DOCKER: ENC[AES256_GCM,data:+q2fSaAdgRIr,iv:9N2okAfqW093u4s1/8UbXtuaJr7QVhl2O0ulorZtfE0=,tag:a/5TMV+YPhpJ4GWrnL3uBw==,type:str]
IP_TRUENAS: ENC[AES256_GCM,data:HYQ0BxOcG2JY,iv:IRSY4sX0rqK7clCm1IyqI2rJc/ZSTNYnATsJ268fVfE=,tag:EIBHZURvYt+NOl5R9I0cAg==,type:str]
IP_PVE_CEPH_CIDR: ENC[AES256_GCM,data:uL5b7pXEasFjq6gr5g4=,iv:HG1HuMTUsFIjq2aw5NQfJa/Zs1Kfg8KL3XzgQErY5+U=,tag:b3P9aaHuy2obRoxG0rqIaQ==,type:str]
IP_PVE_CEPH_1: ENC[AES256_GCM,data:k+/fYQrxXzLUPTA=,iv:14r6kh+UEOnkw11kxUXgbKRRkHpoYcdEB4lex+BjDMA=,tag:WXziFucgkYyvbTfw0X3g2w==,type:str]
IP_PVE_CEPH_2: ENC[AES256_GCM,data:LTtBfHMenuBqbPI=,iv:B1tuxqSaIph63XUOstI0MnrJ+HZ1A430Q7BBX3ybz8Y=,tag:du4p3ez3O+mupvOSb56OMg==,type:str]
IP_PVE_CEPH_3: ENC[AES256_GCM,data:gxjoi4WkwLtHxns=,iv:rv8ine1GbF+F5WdN6l8P/jafiWvdnVqtdLuSQ9Qvi1w=,tag:ben6zFJc4S8lK59s0Uvfvg==,type:str]
DNS_CLUSTER: ENC[AES256_GCM,data:dVS38myraH4=,iv:WScCvhcW9C/qckIlbDDWR8tzIYZdG58lbYmThdPQpro=,tag:3RDQ97sbEganiHRf42A11g==,type:str]
DNS_SHORT: ENC[AES256_GCM,data:16FRvQx8,iv:5xVBGMf/Bp3XqHDwl9ZBb14nSVkTg3eWq5FU2cYoRyY=,tag:uzCrxTBEv/Iy+Ht0gK0kjQ==,type:str]
DNS_SHORT_CF: ENC[AES256_GCM,data:KIQsZOwPdbFchTAls1w=,iv:EGuLZDXAgYo3TMW6bwxBY7cxInsOirTN4MRIBC0ipT0=,tag:ou3/FHNn5NYKvqRJAl74kg==,type:str]
DNS_MAIN: ENC[AES256_GCM,data:V5QOelS0L9R9drkh/Pk=,iv:GTTFkC73534oXM3QR8J3kHrZb163Gel7eu3e2P1X2Yo=,tag:DUD006mJM/uEjkiRcn/HlA==,type:str]
DNS_MAIN_CF: ENC[AES256_GCM,data:nKv0vNdMkcHplJRN0+qUPl6uXgeZgA==,iv:pN/xBrDWlffHSmzYP59XJFKDozi6GmnmMSGNPuKe3GI=,tag:kIUX3F8yEJGu3dEE656xqg==,type:str]
DNS_VPN: ENC[AES256_GCM,data:8JxuF//vCDNq,iv:2WxWpAIdIxL+yvCirawdTtZO+BSZbturp7c3JAwItsw=,tag:jItEw4Mg4a+OY/hmxDt1/Q==,type:str]
DNS_NAS: ENC[AES256_GCM,data:grpo8AdSb+VFPQSx2Z/KE1YSIrs+ogdpGA==,iv:ZJqmNumTpuq0A3JeS8jVvJNl+M9CdvQnHj+mooh00oo=,tag:CLHf7w+fUtLQ5cpnof2cuQ==,type:str]
DNS_OLD_DOCKER: ENC[AES256_GCM,data:uDLk+qfZlM9FkJ7uWP1ZYWD0wdIG,iv:iHJojVMWN6cq2XdvQLMsODrVeLhhn/Cqt5ZGr/ONy2A=,tag:3WuGLTQirXUjfiY1rIYcgA==,type:str]
PATH_NAS_MEDIA: ENC[AES256_GCM,data:fzeT0pUx/geFxfnY67ZwUgAOF1r13bjSxFCCQz+1,iv:nYFnXgfJWl8ZPpxleet1Yq19t+6ncVkrmGyhGSchSxE=,tag:uj9grinnmKB1xKC2LwrPkA==,type:str]
PATH_NAS_PERSIST_K8S: ENC[AES256_GCM,data:2mrL25UEMNixYz1r3xKXbEujs8Q2v9gba7n1ZFE+K2+3xCYk,iv:li530rI54Gr4htjBqV1JQ/6HJy3R6s0lzDcvxddjuqg=,tag:vmkUlu2t1eoICzfkJ6q61Q==,type:str]
PATH_NAS_BACKUPS_K8S: ENC[AES256_GCM,data:71LMN1K0cALbMbFV+rpWFNNL4wKg39yRj/k2elyZLBB/x0PW,iv:EaxdXLHE0mTpBlgn5GLCUUDKSHAHJUOeRNbIHvco5VU=,tag:u6NR3fWy4ZjN8r+7xyw3lg==,type:str]
UID_NAS_BACKUPS_K8S: ENC[AES256_GCM,data:U0CwqA==,iv:suseYZlJ5hCHTAG3Nj7QLXwhS14FG5h27aNnZnJpnqs=,tag:OV9WCdBHizUl11FPU8TVbg==,type:str]
APP_IP_NGINX: ENC[AES256_GCM,data:9Kg5zjk+1XfUHg==,iv:dbO0hMMho8J3t0mz6Eb5uMDB3QUCjG5pXPdeuQUFbNE=,tag:ICGE5EVo27W0rUB+Jekf2Q==,type:str]
APP_IP_K8S_GATEWAY: ENC[AES256_GCM,data:oakciyUzwLlGJsc=,iv:leuHfW59gWSDaEpaOEMGbSpGFtbzAnoRp4spLxlTEq0=,tag:vltbWvNKa4QvEgXXo58d/A==,type:str]
APP_IP_HAPROXY_PROXY_X: ENC[AES256_GCM,data:xkHni8dSMhZ3WQ4=,iv:qSAn5AS/eTeoxHKm0jLE0UUacDWKn1zF3WwYRwgCrrA=,tag:aYASxzUU2eOpTEBZFe6fwg==,type:str]
APP_UID_HAPROXY_PROXY_X: ENC[AES256_GCM,data:mbTqeA==,iv:Rldvrqt/CCBDjkGjN5mYo6W/HS4KmbbyYQ/iM6gajXI=,tag:ZclSGas3/QO2vj0CSaEIoQ==,type:str]
APP_DNS_FLUX_WEBHOOK: ENC[AES256_GCM,data:k1MXnV8pY+jYV5OZBqAcehzbC2sk+07c,iv:MFcMyHJq4+spwnqi5L6/EaohuaotgYzNS4opOqXzElg=,tag:KBNuiwMEoc3cRuDHl4tBsw==,type:str]
APP_IP_RADOSGW: ENC[AES256_GCM,data:79oO927eM1X8MA==,iv:cbhtTynWbMIKM8yRGywO9OJWxyWabZzW8VgJQxpSZd8=,tag:OU5+0QEKqjvAwATFdIBwgg==,type:str]
APP_DNS_RGW_S3: ENC[AES256_GCM,data:fBY7hU4Fo2HX,iv:crGFgE9fg+kVHMc2NrwIPNjtYKI6vw3iZd0GaVYymp0=,tag:8xKHmECqb7J+lRC1BKAZUg==,type:str]
APP_DNS_INGRESS_WILDCARD: ENC[AES256_GCM,data:7OG0ww6rUzU=,iv:5ig0dQIfSVxbQS7nuqQygRcBKk8UmBFxX0unVT9bdzE=,tag:mCOMUNFEZs5IFvVrRNpFiQ==,type:str]
APP_DNS_HUBBLE: ENC[AES256_GCM,data:90bcM7y76gSJjw==,iv:JJc4oW8z9Yz+sYoa43c5AdQuxaxdg17C1S5ywIE5NJo=,tag:LMt18yKdpR+hA7e2OOzI0g==,type:str]
APP_IP_KANIDM: ENC[AES256_GCM,data:MoL8QlY+3Lu67bA=,iv:peKQUJaEVeij0r0mJR5kksz8zO8vBjLWolLFL8sWJbg=,tag:X4uvnVT/SnUzl4mAxQAl2A==,type:str]
APP_UID_KANIDM: ENC[AES256_GCM,data:iyQvyaY=,iv:2I+/oGDd0c7ghC0VbGpJafCTDw1PnLB0jXa06qdoI+M=,tag:EJz7ywUbTIoCMxJJOX10wQ==,type:str]
APP_DNS_KANIDM: ENC[AES256_GCM,data:S/xQjxjbfgCi,iv:ujrQitd5gfNVz6cV2j1hsJRB9J1js13na0ndBquxq3k=,tag:UOI5Pbi+oahrDtz+SVeH9w==,type:str]
APP_IP_ZEROTIER: ENC[AES256_GCM,data:GjIY+6p4+6milRg=,iv:agX8rov+AtECRVeOu3wmoQRVWMNutOc3a69fzWY6eoA=,tag:NS0yiFfBTWt7/P9an/3OQw==,type:str]
APP_DNS_ZEROTIER: ENC[AES256_GCM,data:On0V31SI96BRUOjQ,iv:H50ISSmHflDqOqURbwBrcWRkvOQGlVI3mnSXfY8pZ28=,tag:/VlnnoGna2H3L0LGMWF0dw==,type:str]
APP_UID_MINECRAFT: ENC[AES256_GCM,data:ArIA644=,iv:Q3SqB3O2nrPrOUcwhhbdXiegsty/TlHIllH/wRicYo8=,tag:yTGH0JEXPOCfqB5iU1azCA==,type:str]
APP_DNS_MINECRAFT: ENC[AES256_GCM,data:XYM4FJAjpDBg,iv:bmnvwvaKOKfY2+S7O0PyV8JOtOH9m94eUIQa2M97RfY=,tag:tvIllwZ72w4GbEqZJjZX7A==,type:str]
APP_IP_MINECRAFT: ENC[AES256_GCM,data:tU18Ee5Vi98mNRw=,iv:MSNHyroetvWu1wPdPE2+JtxDegZZj25QfcQVq8hcywE=,tag:wxhrsqA5lCPlRwjFgrtPHg==,type:str]
APP_DNS_WHOOGLE: ENC[AES256_GCM,data:dPOzY+3coD0=,iv:s9id6/x60GDrNm4mEuWx2qUKrDsgADVRXCKuwki7Ju8=,tag:mPTKni/0vH/lTSqnAr5gCA==,type:str]
APP_DNS_GOKAPI: ENC[AES256_GCM,data:1AI66ICh7pPsij2IpZJ7V9HcFMc6,iv:r+E2tkEPawLDWpE+OiJ6dNM/RrxhlP7NH+CjwAxhhYE=,tag:QfmCosR+J2fTV66AAelOjw==,type:str]
APP_IP_SANDSTORM: ENC[AES256_GCM,data:2V+Dy1c3hOepKEo=,iv:l1nv+BrnEjsrvdONhBY9EgA8lSO2Nmtdr7Ktl9twfT4=,tag:ls8DbeJnvdwZhUA+deP02Q==,type:str]
APP_DNS_SANDSTORM: ENC[AES256_GCM,data:dc/OufmvPkYMRg==,iv:8GUBWGGdEJ5A+wYFaLJljYYn3hUlpH9/cGy6641GDEw=,tag:gE3j/iytsqPKUm+R1g3suQ==,type:str]
APP_IP_SATISFACTORY: ENC[AES256_GCM,data:lpwAYR7CuX40NEI=,iv:OCSlGR42+Zpsi/CHuyFMIE2aY+jGN4E0slFf2/Ei3oU=,tag:cw1eROYU8V3rGG5ltyFvJQ==,type:str]
APP_UID_SATISFACTORY: ENC[AES256_GCM,data:eWxuUyI=,iv:Hs3xHdm/ewF0BnGOYK6XgQM43LDhngtZXvna7XTDiok=,tag:J7SDzgEroyl2wje9XsprQQ==,type:str]
APP_IP_SYNCTHING_USER_1: ENC[AES256_GCM,data:3jh9VglVsJCWzHF1,iv:dwpjZjETiFIuRXBSutygAyA2R4EpYas0oT8kI+YF320=,tag:DdA1SZ3DJKJ7tXsPJ6B/dw==,type:str]
APP_DNS_SYNCTHING_USER_1: ENC[AES256_GCM,data:xvLsX+wvGgOdQOc=,iv:/f77W1vUGI2FHvG4hsvzXCJWiinRKzapU0OHC8vZ1ac=,tag:oHjNluzCh7lDUEHaxW2YWg==,type:str]
APP_DNS_AUTH: ENC[AES256_GCM,data:A67gznl/VxXxPiMh9zH1fa8VQA==,iv:oCCxFDb7Uo+AfXtuOf8L8Cukm4VAWzL92w8VgJp40dM=,tag:xFCS9csJIFvJ9XufVrq4Rg==,type:str]
APP_DNS_AUTHENTIK_OUTPOST: ENC[AES256_GCM,data:gyg2UXx8JuSolbw=,iv:DV07474lwsPFmInv9GOh/BUAhkjWazM4bRSwymEja5Y=,tag:wBImn9uxDHnIIeiL3Z32Vw==,type:str]
APP_DNS_MATRIX_1: ENC[AES256_GCM,data:hxDtUQukIQ2yLWgRD5Jm80/wrA==,iv:REX9VFBnhZgBoUb17EEEGvoZFE+hDcXo2M8q2ZbBNcQ=,tag:K6Wuk+cymQBgvTOk1sZbAg==,type:str]
APP_DNS_MATRIX_2: ENC[AES256_GCM,data:biJhY9HmiWczBOYlS+2bZS7f37X1,iv:bLyvC6njEG9iiqFZs7M6KRKlKSIQ12oKYL6cR0WhZBg=,tag:tLjmT4kCjbnZ1b4j6r+CAw==,type:str]
APP_DNS_JELLYFIN: ENC[AES256_GCM,data:DdzpJ11t7OeuXnE=,iv:DYb0CnMrITi7RbhFuo0vrkSZ1hgx3Y26m0rrdSVqD6E=,tag:OYiYQJ5U0lokHq2/Fc6yyw==,type:str]
APP_DNS_KAVITA: ENC[AES256_GCM,data:DrM7k/xv53Kt3Qk=,iv:Kg5jGe+C1fYEX/S1tKrNDBjmPWNhXY4ZvKBR7Q/a/p8=,tag:53cOr/gGIY6D9liyCueTBw==,type:str]
APP_DNS_EXCALIDRAW: ENC[AES256_GCM,data:rfCxmnVhsMdrxpE=,iv:986z/C8JghEQa8+qUmWmZr6ozWSDl3NpC3YafJhX2gA=,tag:d8q+v1lXNkPok0uOdbzz1Q==,type:str]
APP_DNS_VELOCIRAPTOR: ENC[AES256_GCM,data:4hypG+kYPFeToA==,iv:+ku9GEG/Nom7khxBDmXUzrvOVTNXQ/OQupmtbW4Tqtg=,tag:0WlPdrThtEub98lXrfmcGA==,type:str]
APP_DNS_NTFY: ENC[AES256_GCM,data:zkcxMVvH4MljlHg5KQ==,iv:dWHWN+B6hoapuyb3gYSu3m7J4FBrvTBZjgtqSzNzP/w=,tag:B5NdF7VxdpJt2vNz28Tyfg==,type:str]
APP_DNS_NTFY_MX: ENC[AES256_GCM,data:TtNjgep7xFzO1GR0IbUA,iv:M6sWzxyQq3/5t9IeEFfy1z/7PT8xdO8co9dVQXcl0FY=,tag:BKS9gII+tqdSopzkWbHmYg==,type:str]
APP_IP_NTFY_MX: ENC[AES256_GCM,data:N0JkbFVQlpTewDw=,iv:vgN8UlfB3JiOdhl+orMv8OVP4Os3aRqN5v3VhrlQETE=,tag:83aPZlXh9nhDxlgUKxTm3A==,type:str]
APP_UID_NTFY: ENC[AES256_GCM,data:1vst7g==,iv:bvtaODmSDEQus5KJWZoHCrOK4XlTWIjpHCetKEmz4LE=,tag:kKYABpYz1kbcNchVG3BnwA==,type:str]
APP_DNS_HEADSCALE: ENC[AES256_GCM,data:o9EgucmBe0qLI3qo,iv:liuybypx7iY6+ghlJ8upWGQzKB+P0o023X7WX3MJTmM=,tag:5wd4D3cY64Y4Hv/ToGWAsQ==,type:str]
APP_IP_HEADSCALE: ENC[AES256_GCM,data:KMNHdUxhtJEJH/U=,iv:jaDP1wzBIBmy62eGOFfHNr9utLxmTvOEMdN+bwhlZUI=,tag:rwoun7n346WVpikQaaggBQ==,type:str]
APP_UID_HEADSCALE: ENC[AES256_GCM,data:ITXTwgA=,iv:Fm9Eap5qx/4PCf1k1cf89v6dE8qHqehEcClU4dfQEtE=,tag:vlrPEHVDLlk9LN2GZXb/PA==,type:str]
CONFIG_MINECRAFT_OPS: ENC[AES256_GCM,data:BKfjfUQQXd025nNZCHQki/SeqiMQVCUP9tCkmNwUgfvj7XK6,iv:7+tp1IJ06UfZt53HLnFOByrTWFY31AHiQwjrrUS4OqI=,tag:TSvw3notEqgPIORTWHwUBw==,type:str]
CONFIG_MINECRAFT_ICON: ENC[AES256_GCM,data:AINTGnjPbWZCVJKdL4Mx8bBhOUnQU2BEhqr0730/OJATkKBzcvxf7R9HlX37uFI=,iv:HsvxmHYUb350vSulAVdBHonB6cA+0pu03t5BaU8EuUs=,tag:gGr7OY++7+yuZ36TwXcbaA==,type:str]
CONFIG_MINECRAFT_NAME: ENC[AES256_GCM,data:zhsyGymdQKgeX58X2Q==,iv:dGbrb4ZytcRpj4ie9dzM2TUVnzC4YQvCey+/G9uFcGs=,tag:IpFutt4G5JMP4hUIOgbqqw==,type:str]
CONFIG_SANDSTORM_NAME: ENC[AES256_GCM,data:W2pYLk1bmtKjXfuJY4nv9HkqIBI4aRA3X+JJTw==,iv:UEWUAJYCdy2r5jYayTAh5uv5aq4XFkuD1IYSmf76TyE=,tag:J10gXb5idJazhtqA5QZL8A==,type:str]
CONFIG_SANDSTORM_MODS: ENC[AES256_GCM,data:JDJaT7SijJJtMlkSmkxAaDk4Hho/Agwo0ME8U1sFF28IM1BsVNKxwG1oqM67lQmcpn1+xfTtluYhITNnGQxxb5wGj88rcVbtJ6LOXSbs+b3zYQq6Poy+,iv:igN5kELq6f79dS1RQ6OyBP/TGqgqzoTE5TRZO1ZDO8I=,tag:UF0S5tvuFKDTDBlTw1EIWg==,type:str]
CONFIG_SANDSTORM_PORT: ENC[AES256_GCM,data:DCUpuGQ=,iv:EKQeHXHjI4L5VsBrTDAB6GH7QUWT3DV8ba/ENfKkKpY=,tag:KlgOgK9lPf/YvpTcJ6lpZw==,type:str]
CONFIG_SANDSTORM_QUERYPORT: ENC[AES256_GCM,data:qetg5l0=,iv:/1dHG7+XADC5Unur1C5TDjNqz1fOn67dPlkB0cEHAnI=,tag:uB/YmWsdLuwL0McI1PT0Pg==,type:str]
CONFIG_SANDSTORM_MUTATORS: ENC[AES256_GCM,data:HumP4HOeZ06JaFBHCl9PHza5orjTVWfmLBq3kSdW+ygD+Avf6dDM+BVm7GkoqRIPtWEJMyMcOOUyF1bzbzrNca/PkMsNsP6/YspRd+QsH+w6JxsGSMqxEpKzN4wbBuIRH7PYbp7PncBOmoOMAOaYW3BEnsdBcV4II7V0+sAKPNQ4zsi0y6LmLaCFtjAOQhi6MMSPfcl9JTD6UoLizD8=,iv:BwbTdDXi6nVqtF7TrSoDLxJKz3Xv6gKZFiU2D2bRgkY=,tag:atIZxrt/BJdijPf2fMDEvw==,type:str]
CONFIG_SANDSTORM_INIT_MAP: ENC[AES256_GCM,data:uaM2kX5hlN2BoQ==,iv:U2jmxP35cy/eWT1JTdfr6Z3b4NAzIHG55Kb4emoAin0=,tag:rNCaa5zwKHesrto092oUcg==,type:str]
CONFIG_SANDSTORM_INIT_SCENARIO: ENC[AES256_GCM,data:OJVCFbvqWXuYUPvdCiwRngUzfw==,iv:1NkA4VaF/xUdudDD2W5dHEDw55dkzwo2sof5krinJz0=,tag:rmD5eZpnHpOcSJXel3AQbg==,type:str]
CONFIG_ZEROTIER_ENDPOINT: ENC[AES256_GCM,data:We/k3H6tvdmYoZ+i27Lll3bLRhXquz3fvztDI9T4tPjRc4uhG6fkpoa04hEAJffZc7yWNFUzUycPAp0=,iv:B6QCm/4bR68QEudl5o9kwJ6OtQvn1RrWeS6/W+Iaf/Q=,tag:S5xCE5e97gsBId7tpQA/mQ==,type:str]
CONFIG_AUTHENTIK_REMOTE_HOST: ENC[AES256_GCM,data:RktEkjsMjW9XiP11sAyY5UvJ1s8/zOQLmavssvuoxqE=,iv:l8oEH8Yr8s4T+UW8J1lKjA8+ODfJQRjCTzlLZuPtQIk=,tag:0dpudjOZEDitQEyTDV1Hbg==,type:str]
CONFIG_HEADSCALE_IPV4: ENC[AES256_GCM,data:59Kw5W38xsYd9XqZHaQ=,iv:OZ2ja20Qn31Hh3AsjS9ckhd5CoLmyChE8WmeMhUjSzA=,tag:0qzxjVp/ce+kSMEc4QK4YQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2N0U5VDdoamlOeDNNVmVJ
R0ZDa0NPN2JsRUhNR0E3T3gyUmk5aUtnR0U0CmhRbCs4cFQzUW1MczB2MXJlSCtw
cWFIS0ZDVVpCMXo2VGl3Y1lCMXVnV00KLS0tIDg5ZHkydkZQY0kyd2N6d3NaNXpn
SnpvS3RUUlFMM1dUNGZQNkVqQ2VqNDAKywch6CgtS1AFLYxfML5dB7/5V6qZ0ob1
63vBpqjOza3EqvfNKo+UMtK/fRK0Q5jlpuI+0/z9VrxzKEWsgUCBVQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-05-29T05:19:33Z"
mac: ENC[AES256_GCM,data:nYDPgE2ajccGtYQs6iupY02Da/HwK6Jbl7T7H5gbpD/cxSSHEg8PIsulIuqwKE6bAK/SYyUN3IW1aYEuFq0o4P8Q7UWZcQRX8FHokpa4mz94nEe9hmk2PKvAuZobNuiciSeVs6Jibe48Vy88cqAsAibndkphwppJLgmg0FZbV74=,iv:KDNVCiipw78AgUgQg85/WwBrp6Z+ntwLUa5vggNz9Tc=,tag:FJ7dimSFdWbg6qU4yl/Uxw==,type:str]
pgp:
- created_at: "2023-02-22T08:12:31Z"
enc: |
-----BEGIN PGP MESSAGE-----
hF4DAAAAAAAAAAASAQdApDZUJ8WE2m1xLAzsFWtOww4cq9F7IhyLDmyrQo4oeFYw
z+9ma/isaJwuYhztl3HXM3O8rUMJ/QPq254aejifMUbnNlMZyRhF/XV6MMNJQ8VV
0l4BYsXvxQ6J5vdjW0HE/2Il9tJNWdvVlDmF6fK9RV8zfqDeDU3fVRbWttE2d/Ad
njWniaItCTc2ueSfl3zyt88S4+qQn5lJOMuE+nYiF1Ip4TdoCkh88W/TGsQ/TbPi
=mQzo
-----END PGP MESSAGE-----
fp: 31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2
encrypted_regex: ^(NETBIRD_AUTH_AUDIENCE|NETBIRD_AUTH_CLIENT_ID|NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID|NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT|NETBIRD_DOMAIN|NETBIRD_MGMT_DNS_DOMAIN|WHOOGLE_CONFIG_URL|ZT_ALLOW_MANAGEMENT_FROM|ZU_CONTROLLER_ENDPOINT|ZU_DEFAULT_PASSWORD|ZU_DEFAULT_USERNAME|addresses|clusterDomain|commonName|config.yaml|data|dnsNames|dnsZones|domain|email|externalIPs|host|hosts|ip|ipv4NativeRoutingCIDR|k8sServiceHost|loadBalancerIP|my-asn|nameservers|peer-address|peer-asn|secretName|stringData|whitelist-source-range)$
version: 3.7.3


@@ -1,452 +0,0 @@
---
# core components first
apiVersion: source.toolkit.fluxcd.io/v1beta1
kind: HelmRepository
metadata:
name: cilium-charts
namespace: flux-system
spec:
interval: 10m0s
timeout: 3m0s
url: https://helm.cilium.io/
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: biohazard-1-core-01-networking-cilium
namespace: flux-system
labels:
kustomization.flux.home.arpa/name: "cilium"
kustomization.flux.home.arpa/helmpatches: "false"
spec:
path: ./kube/3-deploy/1-core/01-networking/cilium
dependsOn: []
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: biohazard-1-core-02-storage-1-external-snapshotter
namespace: flux-system
spec:
path: ./kube/3-deploy/1-core/02-storage/1-external-snapshotter
dependsOn: []
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: rook-ceph-charts
namespace: flux-system
spec:
interval: 10m0s
timeout: 3m0s
url: https://charts.rook.io/release
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: biohazard-1-core-02-storage-rook-ceph-crds
namespace: flux-system
spec:
path: ./kube/3-deploy/1-core/02-storage/rook-ceph/crds
dependsOn: []
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: biohazard-1-core-02-storage-rook-ceph-app
namespace: flux-system
spec:
path: ./kube/3-deploy/1-core/02-storage/rook-ceph/app
dependsOn:
- name: biohazard-1-core-02-storage-1-external-snapshotter
- name: biohazard-1-core-02-storage-rook-ceph-crds
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: biohazard-1-core-02-storage-rook-ceph
namespace: flux-system
spec:
path: ./kube/3-deploy/1-core/02-storage/rook-ceph/cluster
dependsOn:
- name: biohazard-1-core-02-storage-1-external-snapshotter
- name: biohazard-1-core-02-storage-rook-ceph-app
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: jetstack
namespace: flux-system
spec:
interval: 1h
url: https://charts.jetstack.io/
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: biohazard-1-core-03-certs-cert-manager-crds
namespace: flux-system
spec:
path: ./kube/3-deploy/1-core/03-certs/cert-manager/crds
dependsOn: []
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: biohazard-1-core-03-certs-cert-manager
namespace: flux-system
spec:
path: ./kube/3-deploy/1-core/03-certs/cert-manager/app
dependsOn:
- name: biohazard-1-core-03-certs-cert-manager-crds
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: k8s-gateway
namespace: flux-system
spec:
interval: 1h
url: https://ori-edge.github.io/k8s_gateway/
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: biohazard-1-core-04-dns-internal
namespace: flux-system
spec:
path: ./kube/3-deploy/1-core/04-dns/internal
dependsOn: []
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: external-dns
namespace: flux-system
spec:
interval: 1h
url: https://kubernetes-sigs.github.io/external-dns/
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: biohazard-1-core-04-dns-external
namespace: flux-system
spec:
path: ./kube/3-deploy/1-core/04-dns/external
dependsOn: []
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: ingress-nginx
namespace: flux-system
spec:
interval: 1h
url: https://kubernetes.github.io/ingress-nginx
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: biohazard-1-core-05-ingress
namespace: flux-system
spec:
path: ./kube/3-deploy/1-core/05-ingress
dependsOn:
- name: biohazard-1-core-03-certs-cert-manager
- name: biohazard-1-core-04-dns-internal
# ---
# apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
# kind: Kustomization
# metadata:
# name: biohazard-1-core-05-ingress-nginx-svc
# namespace: flux-system
# spec:
# path: ./kube/3-deploy/1-core/05-ingress/nginx-svc
# dependsOn:
# - name: biohazard-1-core-05-ingress
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: biohazard-1-core-05-ingress-nginx
namespace: flux-system
labels:
prune.flux.home.arpa/disabled: "true"
spec:
path: ./kube/3-deploy/1-core/05-ingress/nginx
dependsOn:
- name: biohazard-1-core-05-ingress
# - name: biohazard-1-core-05-ingress-nginx-svc
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: haproxytech
namespace: flux-system
spec:
interval: 1h
url: https://haproxytech.github.io/helm-charts
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: biohazard-1-core-05-ingress-external
namespace: flux-system
labels:
prune.flux.home.arpa/disabled: "true"
spec:
path: ./kube/3-deploy/1-core/05-ingress/external
dependsOn:
- name: biohazard-1-core-05-ingress
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: biohazard-1-core-06-monitoring-metrics-server
namespace: flux-system
spec:
path: ./kube/3-deploy/1-core/06-monitoring/metrics-server
dependsOn: []
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: prometheus-community
namespace: flux-system
spec:
interval: 10m0s
timeout: 3m0s
url: https://prometheus-community.github.io/helm-charts
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: biohazard-1-core-06-monitoring-kube-state-metrics
namespace: flux-system
spec:
path: ./kube/3-deploy/1-core/06-monitoring/kube-state-metrics
dependsOn:
- name: monitoring-deps
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: victoria
namespace: flux-system
spec:
interval: 10m0s
timeout: 3m0s
url: https://victoriametrics.github.io/helm-charts/
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: biohazard-1-core-06-monitoring-victoria-1-crds
namespace: flux-system
spec:
path: ./kube/3-deploy/1-core/06-monitoring/victoria/1-crds
dependsOn:
- name: monitoring-deps
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: biohazard-1-core-06-monitoring-victoria-2-operator
namespace: flux-system
spec:
path: ./kube/3-deploy/1-core/06-monitoring/victoria/2-operator
dependsOn:
- name: monitoring-deps
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: biohazard-1-core-06-monitoring-victoria-3-cluster
namespace: flux-system
spec:
path: ./kube/3-deploy/1-core/06-monitoring/victoria/3-cluster
dependsOn:
- name: monitoring-deps
- name: biohazard-1-core-06-monitoring-victoria-2-operator
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: biohazard-1-core-06-monitoring-victoria-4-agent
namespace: flux-system
spec:
path: ./kube/3-deploy/1-core/06-monitoring/victoria/4-agent
dependsOn:
- name: monitoring-deps
- name: biohazard-1-core-06-monitoring-victoria-2-operator
- name: biohazard-1-core-06-monitoring-victoria-3-cluster
- name: biohazard-1-core-06-monitoring-kube-state-metrics
- name: monitoring-node-exporter-app
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: biohazard-1-core-08-hardware-01-node-feature-discovery
namespace: flux-system
spec:
path: ./kube/3-deploy/1-core/08-hardware/01-node-feature-discovery
dependsOn: []
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: biohazard-1-core-08-hardware-02-intel-device-plugins
namespace: flux-system
spec:
path: ./kube/3-deploy/1-core/08-hardware/02-intel-device-plugins
dependsOn:
- name: biohazard-1-core-08-hardware-01-node-feature-discovery
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: biohazard-2-apps-volsync
namespace: flux-system
spec:
path: ./kube/3-deploy/2-apps/volsync
dependsOn: []
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: biohazard-2-apps-tetragon
namespace: flux-system
spec:
path: ./kube/3-deploy/2-apps/tetragon
dependsOn:
- name: biohazard-1-core-01-networking-cilium
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: biohazard-2-apps-kubevirt
namespace: flux-system
spec:
path: ./kube/3-deploy/2-apps/kubevirt
dependsOn: []
---
# all apps hosted on this cluster below here
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: bjw-s
namespace: flux-system
spec:
interval: 1h
timeout: 3m0s
url: https://bjw-s.github.io/helm-charts/
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: biohazard-2-apps-dns-dnsdist
namespace: flux-system
spec:
path: ./kube/3-deploy/2-apps/dns/dnsdist
dependsOn: []
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: biohazard-2-apps-whoogle
namespace: flux-system
spec:
path: ./kube/3-deploy/2-apps/whoogle
dependsOn:
- name: biohazard-1-core-05-ingress-nginx
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: biohazard-2-apps-gokapi
namespace: flux-system
spec:
path: ./kube/3-deploy/2-apps/gokapi
dependsOn:
- name: biohazard-1-core-05-ingress-nginx
- name: biohazard-1-core-02-storage-rook-ceph
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: biohazard-2-apps-minecraft
namespace: flux-system
spec:
path: ./kube/3-deploy/2-apps/minecraft
dependsOn:
- name: biohazard-1-core-04-dns-internal
- name: biohazard-1-core-02-storage-rook-ceph
- name: biohazard-2-apps-volsync
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: biohazard-2-apps-insurgency-sandstorm
namespace: flux-system
spec:
path: ./kube/3-deploy/2-apps/insurgency-sandstorm
dependsOn:
- name: biohazard-1-core-04-dns-internal
- name: biohazard-1-core-02-storage-rook-ceph
- name: biohazard-2-apps-volsync
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: biohazard-2-apps-zerotier
namespace: flux-system
spec:
path: ./kube/3-deploy/2-apps/zerotier
dependsOn:
- name: biohazard-1-core-05-ingress-nginx
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: biohazard-2-apps-hugo-test
namespace: flux-system
labels:
substitution.flux.home.arpa/disabled: "true"
spec:
path: ./kube/3-deploy/2-apps/hugo-test
dependsOn:
- name: biohazard-1-core-02-storage-rook-ceph
- name: biohazard-1-core-04-dns-internal
- name: biohazard-1-core-05-ingress-nginx
postBuild:
substituteFrom:
- kind: Secret
name: hugo-test-secrets
optional: false
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: biohazard-2-apps-jellyfin
namespace: flux-system
spec:
path: ./kube/3-deploy/2-apps/jellyfin
dependsOn:
- name: biohazard-1-core-02-storage-rook-ceph
- name: biohazard-1-core-04-dns-internal
- name: biohazard-1-core-05-ingress-nginx
- name: biohazard-1-core-08-hardware-02-intel-device-plugins
- name: biohazard-2-apps-volsync
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: biohazard-2-apps-kavita
namespace: flux-system
spec:
path: ./kube/3-deploy/2-apps/kavita
dependsOn:
- name: biohazard-1-core-02-storage-rook-ceph
- name: biohazard-1-core-04-dns-internal
- name: biohazard-1-core-05-ingress-nginx


@@ -1,9 +0,0 @@
---
apiVersion: ceph.rook.io/v1
kind: CephObjectStoreUser
metadata:
name: jjgadgets
namespace: rook-ceph
spec:
store: biohazard
displayName: "JJGadgets"


@@ -1,245 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ../../../clusters/biohazard/flux/
- 1-flux-install.yaml
- 2-flux-repo.yaml
# - 3-secrets.yaml
# - 4-vars.yaml
- 5-deploy.yaml
- ceph-rgw-ext-users.yaml
- ../../../3-deploy/1-core/05-ingress/cloudflare/
- ../../../3-deploy/1-core/05-ingress/external-proxy-x/
- ../../../3-deploy/1-core/06-monitoring/1-deps/
- ../../../3-deploy/1-core/06-monitoring/node-exporter/
- ../../../3-deploy/1-core/db/pg/
- ../../../3-deploy/2-apps/default/
- ../../../3-deploy/2-apps/flux-system/
- ../../../3-deploy/2-apps/authentik/
- ../../../3-deploy/2-apps/kanidm/
- ../../../3-deploy/2-apps/syncthing/
- ../../../3-deploy/2-apps/excalidraw/
- ../../../3-deploy/2-apps/velociraptor/
- ../../../3-deploy/2-apps/gotosocial/
- ../../../3-deploy/2-apps/ntfy/
- ../../../3-deploy/2-apps/satisfactory/
- ../../../3-deploy/2-apps/headscale/
- ../../../3-deploy/2-apps/zipline/
- ../../../3-deploy/2-apps/kah/
patches:
- patch: |-
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: not-used
spec:
interval: 1m0s
timeout: 10m0s
decryption:
provider: sops
secretRef:
name: biohazard-secrets-decrypt-sops-age
target:
group: kustomize.toolkit.fluxcd.io
version: v1beta2
kind: Kustomization
- patch: |-
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: not-used
spec:
sourceRef:
kind: GitRepository
name: flux-system
target:
group: kustomize.toolkit.fluxcd.io
version: v1beta2
kind: Kustomization
labelSelector: kustomization.flux.home.arpa/default notin (false)
- patch: |
- op: add
path: /spec/dependsOn/-
value:
name: 2-biohazard-config
target:
group: kustomize.toolkit.fluxcd.io
version: v1beta2
kind: Kustomization
labelSelector: kustomization.flux.home.arpa/default notin (false)
- patch: |
- op: add
path: /spec/dependsOn/-
value:
name: biohazard-1-core-01-networking-cilium
target:
group: kustomize.toolkit.fluxcd.io
version: v1beta2
kind: Kustomization
labelSelector: kustomization.flux.home.arpa/name notin (cilium, flux, kubevirt)
- patch: |-
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: not-used
spec:
postBuild:
substituteFrom:
- kind: ConfigMap
name: biohazard-vars
optional: false
- kind: Secret
name: biohazard-secrets
optional: false
target:
group: kustomize.toolkit.fluxcd.io
version: v1beta2
kind: Kustomization
labelSelector: substitution.flux.home.arpa/disabled notin (true)
- patch: |-
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: not-used
spec:
# prune: true
prune: false # disable prune for Flux restructure
target:
group: kustomize.toolkit.fluxcd.io
version: v1beta2
kind: Kustomization
labelSelector: prune.flux.home.arpa/disabled notin (true)
- patch: |-
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: not-used
spec:
prune: false
target:
group: kustomize.toolkit.fluxcd.io
version: v1beta2
kind: Kustomization
labelSelector: prune.flux.home.arpa/disabled=true
- patch: |-
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: not-used
spec:
wait: true
target:
group: kustomize.toolkit.fluxcd.io
version: v1beta2
kind: Kustomization
labelSelector: wait.flux.home.arpa/disabled notin (true)
- patch: |-
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: not-used
spec:
wait: false
target:
group: kustomize.toolkit.fluxcd.io
version: v1beta2
kind: Kustomization
labelSelector: wait.flux.home.arpa/disabled=true
- patch: |-
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: not-used
spec:
patches:
- patch: |-
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: not-used
spec:
chart:
spec:
sourceRef:
kind: HelmRepository
namespace: flux-system
interval: 5m
maxHistory: 5
install:
createNamespace: true
remediation:
retries: 5
upgrade:
cleanupOnFail: true
remediation:
retries: 5
uninstall:
keepHistory: false
target:
group: helm.toolkit.fluxcd.io
version: v2beta1
kind: HelmRelease
labelSelector: helm.flux.home.arpa/default notin (false)
- patch: |-
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: not-used
spec:
chart:
spec:
chart: app-template
version: 1.2.1
sourceRef:
name: bjw-s
target:
group: helm.toolkit.fluxcd.io
version: v2beta1
kind: HelmRelease
labelSelector: helm.flux.home.arpa/app-template=true
- patch: |-
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: not-used
spec:
values:
ingress:
main:
annotations:
nginx.ingress.kubernetes.io/auth-url: |-
http://ak-outpost-${CLUSTER_NAME_LOWER}.ingress.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx
nginx.ingress.kubernetes.io/auth-response-headers: |-
Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
nginx.ingress.kubernetes.io/auth-snippet: |
proxy_set_header X-Forwarded-Host $http_host;
target:
group: helm.toolkit.fluxcd.io
version: v2beta1
kind: HelmRelease
labelSelector: nginx.ingress.home.arpa/type in (auth, auth-external, auth-external-only)
- patch: |-
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: not-used
spec:
values:
ingress:
main:
annotations:
nginx.ingress.kubernetes.io/satisfy: "any"
nginx.ingress.kubernetes.io/whitelist-source-range: |
10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,100.64.0.0/10
target:
group: helm.toolkit.fluxcd.io
version: v2beta1
kind: HelmRelease
labelSelector: nginx.ingress.home.arpa/type=auth-external-only
target:
group: kustomize.toolkit.fluxcd.io
version: v1beta2
kind: Kustomization
labelSelector: kustomization.flux.home.arpa/helmpatches notin (false)


@@ -1,16 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- github.com/fluxcd/flux2/manifests/install?ref=v0.40.0
patches:
- patch: |-
$patch: delete
apiVersion: networking.k8s.io/v1
kind: NetworkPolicy
metadata:
name: not-used
target:
group: networking.k8s.io
version: v1
kind: NetworkPolicy


@@ -1,7 +0,0 @@
creation_rules:
- path_regex: .*.yaml
encrypted_regex: ^(peer-address|peer-asn|my-asn|addresses|config.yaml|ipv4NativeRoutingCIDR|k8sServiceHost|clusterDomain)$
age: >-
age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj
pgp: >-
31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2


@@ -1,59 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: aws-lb
namespace: kube-system
annotations:
meta.helm.sh/release-name: aws-lb
meta.helm.sh/release-namespace: kube-system
labels:
app.kubernetes.io/managed-by: Helm
spec:
interval: 5m
chart:
spec:
chart: aws-load-balancer-controller
version: 1.4.7
sourceRef:
kind: HelmRepository
name: aws-eks
namespace: flux-system
interval: 5m
install:
# perform remediation when helm install fails
remediation:
retries: 100
upgrade:
# perform remediation when helm upgrade fails
remediation:
retries: 100
# remediate the last failure, when no retries remain
remediateLastFailure: true
cleanupOnFail: true
values:
# hostNetwork used because Cilium is main CNI
hostNetwork: true
dnsPolicy: ClusterFirstWithHostNet
# auto create authz resources
serviceAccount:
create: true
rbac:
create: true
# select cluster and nodes
clusterName: Biohazard
nodeSelector:
kubernetes.io/hostname: aws1
tolerations:
tolerations:
- key: nodeType.jj
operator: Equal
value: awsingress
replicaCount: 1
# disable as much ingress stuff as possible, only TCP NLB will be used
ingressClassParams:
create: false
ingressClassConfig:
default: false
createIngressClassResource: false
disableIngressClassAnnotation: true
disableIngressGroupNameAnnotation: true


@@ -1,73 +0,0 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: snapshot-controller
namespace: rook-ceph
---
kind: ClusterRole
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: snapshot-controller-runner
rules:
- apiGroups: [""]
resources: ["persistentvolumes"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["persistentvolumeclaims"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: ["storage.k8s.io"]
resources: ["storageclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: [""]
resources: ["events"]
verbs: ["list", "watch", "create", "update", "patch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshotclasses"]
verbs: ["get", "list", "watch"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshotcontents"]
verbs: ["create", "get", "list", "watch", "update", "delete"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshots"]
verbs: ["get", "list", "watch", "update"]
- apiGroups: ["snapshot.storage.k8s.io"]
resources: ["volumesnapshots/status"]
verbs: ["update"]
---
kind: ClusterRoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: snapshot-controller-role
subjects:
- kind: ServiceAccount
name: snapshot-controller
namespace: rook-ceph
roleRef:
kind: ClusterRole
name: snapshot-controller-runner
apiGroup: rbac.authorization.k8s.io
---
kind: Role
apiVersion: rbac.authorization.k8s.io/v1
metadata:
namespace: rook-ceph
name: snapshot-controller-leaderelection
rules:
- apiGroups: ["coordination.k8s.io"]
resources: ["leases"]
verbs: ["get", "watch", "list", "delete", "update", "create"]
---
kind: RoleBinding
apiVersion: rbac.authorization.k8s.io/v1
metadata:
name: snapshot-controller-leaderelection
namespace: rook-ceph
subjects:
- kind: ServiceAccount
name: snapshot-controller
namespace: rook-ceph
roleRef:
kind: Role
name: snapshot-controller-leaderelection
apiGroup: rbac.authorization.k8s.io


@@ -1,25 +0,0 @@
---
kind: StatefulSet
apiVersion: apps/v1
metadata:
name: snapshot-controller
namespace: rook-ceph
spec:
serviceName: "snapshot-controller"
replicas: 1
selector:
matchLabels:
app: snapshot-controller
template:
metadata:
labels:
app: snapshot-controller
spec:
serviceAccount: snapshot-controller
containers:
- name: snapshot-controller
image: k8s.gcr.io/sig-storage/snapshot-controller:v6.2.1
args:
- "--v=5"
- "--leader-election=false"
imagePullPolicy: IfNotPresent


@@ -1,7 +0,0 @@
creation_rules:
- path_regex: .*.yaml
encrypted_regex: ^(data|stringData|domain|loadBalancerIP|externalIPs)$
age: >-
age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj
pgp: >-
31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2


@@ -1,7 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- 1-namespace.yaml
- 2-secrets.yaml
- 3-external-dns.yaml


@@ -1,7 +0,0 @@
creation_rules:
- path_regex: .*.yaml
encrypted_regex: ^(data|stringData|commonName|dnsNames|externalIPs|loadBalancerIP|whitelist-source-range)$
age: >-
age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj
pgp: >-
31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2


@@ -1,12 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: ingress
labels:
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/enforce-version: v1.26
pod-security.kubernetes.io/audit: privileged
pod-security.kubernetes.io/audit-version: v1.26
pod-security.kubernetes.io/warn: privileged
pod-security.kubernetes.io/warn-version: v1.26


@@ -1,24 +0,0 @@
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: cloudflare-deps
namespace: flux-system
spec:
path: ./kube/3-deploy/1-core/05-ingress/cloudflare/deps
dependsOn: []
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: cloudflare-tunnel
namespace: flux-system
spec:
path: ./kube/3-deploy/1-core/05-ingress/cloudflare/tunnel
dependsOn:
- name: cloudflare-deps
healthChecks:
- name: cloudflared
namespace: cloudflare
kind: HelmRelease
apiVersion: helm.toolkit.fluxcd.io/v2beta1


@@ -1,14 +0,0 @@
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: external-proxy-x-app
namespace: flux-system
spec:
path: ./kube/3-deploy/1-core/05-ingress/external-proxy-x/app
dependsOn: []
healthChecks:
- name: external-proxy-x
namespace: ingress
kind: HelmRelease
apiVersion: helm.toolkit.fluxcd.io/v2beta1


@@ -1,82 +0,0 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: external
namespace: ingress
spec:
chart:
spec:
chart: haproxy
version: 1.18.0
sourceRef:
name: haproxytech
values:
image:
repository: haproxytech/haproxy-debian
tag: "2.6.9"
pullPolicy: IfNotPresent
kind: DaemonSet
nodeSelector:
node-restriction.kubernetes.io/nodeType: awsIngress
tolerations:
- key: nodeType.jj
operator: Equal
value: awsIngress
effect: NoSchedule
containerPorts:
http: 80
https: 443
config: |
global
log stdout format raw local0 debug
defaults
mode tcp
log global
option tcplog
timeout client 30s
timeout connect 4s
timeout server 30s
retries 3
frontend https
mode tcp
bind :443
default_backend https_servers
backend https_servers
mode tcp
server internalnginx ingress-nginx-controller.ingress.svc.cluster.local:20443 send-proxy-v2
frontend http
mode tcp
bind :80
default_backend http_servers
backend http_servers
mode tcp
server internalnginx ingress-nginx-controller.ingress.svc.cluster.local:20080 send-proxy-v2
---
apiVersion: v1
kind: Service
metadata:
name: external
namespace: ingress
spec:
externalTrafficPolicy: Local
ports:
- name: http
port: 80
protocol: TCP
targetPort: 80
nodePort: 80
- name: https
port: 443
protocol: TCP
targetPort: 443
nodePort: 443
selector:
app.kubernetes.io/instance: external
app.kubernetes.io/name: haproxy
type: NodePort


@@ -1,8 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- 1-namespace.yaml
- 2-certs.yaml
# - 3-nginx.yaml
# - 4-nginx-external.yaml


@@ -1,6 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- 1-namespace.yaml
- 2-crds-prometheus.yaml
- kube-prometheus.yaml


@@ -1,9 +0,0 @@
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: monitoring-deps
namespace: flux-system
spec:
path: ./kube/3-deploy/1-core/06-monitoring/1-deps/app
dependsOn: []


@@ -1,6 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- 1-repo.yaml
- 2-install.yaml


@@ -1,19 +0,0 @@
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: monitoring-node-exporter-deps
namespace: flux-system
spec:
path: ./kube/3-deploy/1-core/06-monitoring/node-exporter/deps
dependsOn: []
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: monitoring-node-exporter-app
namespace: flux-system
spec:
path: ./kube/3-deploy/1-core/06-monitoring/node-exporter/app
dependsOn:
- name: monitoring-node-exporter-deps


@@ -1,72 +0,0 @@
---
apiVersion: source.toolkit.fluxcd.io/v1beta1
kind: GitRepository
metadata:
name: crds-victoria
namespace: flux-system
spec:
interval: 30m
# renovate: datasource=github-releases
url: https://github.com/VictoriaMetrics/operator.git
ref:
tag: v0.30.4
ignore: |
# exclude all
/*
# path to crds
!/config/crd/
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: crds-victoria
namespace: flux-system
spec:
interval: 15m
prune: false
sourceRef:
kind: GitRepository
name: crds-victoria
healthChecks:
- apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
name: vmagents.operator.victoriametrics.com
- apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
name: vmalertmanagerconfigs.operator.victoriametrics.com
- apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
name: vmalertmanagers.operator.victoriametrics.com
- apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
name: vmalerts.operator.victoriametrics.com
- apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
name: vmauths.operator.victoriametrics.com
- apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
name: vmclusters.operator.victoriametrics.com
- apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
name: vmnodescrapes.operator.victoriametrics.com
- apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
name: vmpodscrapes.operator.victoriametrics.com
- apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
name: vmprobes.operator.victoriametrics.com
- apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
name: vmrules.operator.victoriametrics.com
- apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
name: vmservicescrapes.operator.victoriametrics.com
- apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
name: vmsingles.operator.victoriametrics.com
- apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
name: vmstaticscrapes.operator.victoriametrics.com
- apiVersion: apiextensions.k8s.io/v1
kind: CustomResourceDefinition
name: vmusers.operator.victoriametrics.com


@@ -1,7 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- 1-repo.yaml
- 2-install.yaml
- 3-intel-gpu-rule.yaml


@@ -1,7 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- 1-repo.yaml
- 2-operator.yaml
- 3-gpu.yaml


@@ -1,28 +0,0 @@
---
apiVersion: v1
kind: Service
metadata:
annotations:
coredns.io/hostname: "auth.jjgadgets.tech"
"io.cilium/lb-ipam-ips": ${APP_IP_AUTHENTIK}
labels:
app.kubernetes.io/instance: authentik
app.kubernetes.io/name: authentik
name: authentik-http
namespace: authentik
spec:
type: LoadBalancer
externalTrafficPolicy: Cluster
ports:
- name: http
port: 80
targetPort: 9000
protocol: TCP
- name: https
port: 443
targetPort: 9443
protocol: TCP
selector:
app.kubernetes.io/component: server
app.kubernetes.io/instance: authentik
app.kubernetes.io/name: authentik


@@ -1,10 +0,0 @@
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: default-deps
namespace: flux-system
spec:
path: ./kube/3-deploy/2-apps/default/deps
dependsOn:
- name: ${CLUSTER_NAME_LOWER}-1-core-03-certs-cert-manager # change to shorter name


@@ -1,14 +0,0 @@
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: elk-app
namespace: flux-system
labels:
wait.flux.home.arpa/disabled: "true"
spec:
path: ./kube/3-deploy/2-apps/elk/app
dependsOn:
- name: ${CLUSTER_NAME_LOWER}-1-core-02-storage-rook-ceph
- name: ${CLUSTER_NAME_LOWER}-1-core-05-ingress-nginx
- name: ${CLUSTER_NAME_LOWER}-2-apps-volsync


@@ -1,27 +0,0 @@
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: excalidraw-deps
namespace: flux-system
spec:
path: ./kube/3-deploy/2-apps/excalidraw/deps
dependsOn:
- name: ${CLUSTER_NAME_LOWER}-1-core-03-certs-cert-manager # change to shorter name
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: excalidraw-app
namespace: flux-system
spec:
path: ./kube/3-deploy/2-apps/excalidraw/app
dependsOn:
- name: excalidraw-deps
- name: ${CLUSTER_NAME_LOWER}-1-core-04-dns-internal
- name: ${CLUSTER_NAME_LOWER}-1-core-05-ingress-nginx
healthChecks:
- name: excalidraw
namespace: excalidraw
kind: HelmRelease
apiVersion: helm.toolkit.fluxcd.io/v2beta1


@@ -1,51 +0,0 @@
---
apiVersion: v1
kind: Service
metadata:
name: &app authentik
namespace: default
labels:
app.kubernetes.io/name: *app
app.kubernetes.io/instance: *app
spec:
type: ExternalName
externalName: ${DNS_OLD_DOCKER}
ports:
- name: http
port: &port 443
protocol: TCP
targetPort: *port
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: &app authentik
namespace: default
annotations:
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
# below is needed to reverse proxy to a HTTPS backend with SNI validation
# respective annotations don't work till this issue is fixed:
# https://github.com/kubernetes/ingress-nginx/issues/6728
nginx.ingress.kubernetes.io/server-snippet: |
proxy_ssl_name ${APP_DNS_AUTH};
proxy_ssl_server_name on;
labels:
app.kubernetes.io/name: *app
app.kubernetes.io/instance: *app
spec:
ingressClassName: nginx
rules:
- host: &host ${APP_DNS_AUTH}
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: *app
port:
number: 443
tls:
- hosts:
- *host
secretName: long-domain-tls


@@ -1,99 +0,0 @@
---
apiVersion: v1
kind: Service
metadata:
name: &app matrix-synapse-1
namespace: ingress
labels:
app.kubernetes.io/name: *app
app.kubernetes.io/instance: *app
spec:
type: ExternalName
externalName: ${DNS_OLD_DOCKER}
ports:
- name: http
port: &port 443
protocol: TCP
targetPort: *port
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: &app matrix-synapse-1
namespace: ingress
annotations:
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
# below is needed to reverse proxy to a HTTPS backend with SNI validation
# respective annotations don't work till this issue is fixed:
# https://github.com/kubernetes/ingress-nginx/issues/6728
nginx.ingress.kubernetes.io/server-snippet: |
proxy_ssl_name ${APP_DNS_MATRIX_1};
proxy_ssl_server_name on;
labels:
app.kubernetes.io/name: *app
app.kubernetes.io/instance: *app
spec:
ingressClassName: nginx
rules:
- host: &host ${APP_DNS_MATRIX_1}
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: *app
port:
number: 443
tls:
- hosts:
- *host
secretName: long-domain-tls
---
apiVersion: v1
kind: Service
metadata:
name: &app matrix-synapse-2
namespace: ingress
labels:
app.kubernetes.io/name: *app
app.kubernetes.io/instance: *app
spec:
type: ExternalName
externalName: ${DNS_OLD_DOCKER}
ports:
- name: http
port: &port 443
protocol: TCP
targetPort: *port
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: &app matrix-synapse-2
namespace: ingress
annotations:
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
nginx.ingress.kubernetes.io/server-snippet: |
proxy_ssl_name ${APP_DNS_MATRIX_2};
proxy_ssl_server_name on;
labels:
app.kubernetes.io/name: *app
app.kubernetes.io/instance: *app
spec:
ingressClassName: nginx
rules:
- host: &host ${APP_DNS_MATRIX_2}
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: *app
port:
number: 443
tls:
- hosts:
- *host
secretName: long-domain-tls


@@ -1,12 +0,0 @@
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: 1-flux-webhook
namespace: flux-system
spec:
path: ./kube/3-deploy/2-apps/flux-system/webhook
dependsOn:
- name: cloudflare-tunnel
- name: ${CLUSTER_NAME_LOWER}-1-core-04-dns-external
- name: ${CLUSTER_NAME_LOWER}-1-core-05-ingress-nginx


@@ -1,7 +0,0 @@
creation_rules:
- path_regex: .*.yaml
encrypted_regex: ^(hosts|host)$
age: >-
age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj
pgp: >-
31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2


@@ -1,6 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- 1-namespace.yaml
- 2-install.yaml


@@ -1,7 +0,0 @@
creation_rules:
- path_regex: .*.yaml
encrypted_regex: ^(hosts|host|WHOOGLE_CONFIG_URL|nameservers)$
age: >-
age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj
pgp: >-
31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2


@@ -1,5 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: hugo-test


@@ -1,74 +0,0 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: hugo-test
namespace: hugo-test
labels:
helm.flux.home.arpa/app-template: "true"
spec:
values:
controller:
strategy: RollingUpdate
fullNameOverride: hugo-test
image:
repository: docker.io/klakegg/hugo
tag: 0.107.0-ext-debian-ci
command: ["hugo"]
args: ["server"]
env:
TZ: "${CONFIG_TZ}"
persistence:
config:
enabled: true
type: pvc
retain: true
readOnly: false
storageClass: block
size: 5Gi
mountPath: /src
accessMode: ReadWriteOnce
addons:
codeserver:
enabled: true
args:
- --auth
- none
- --user-data-dir
- "/config/.vscode"
git:
deployKeySecret: codeserver
volumeMounts:
- name: config
mountPath: /config
ingress:
enabled: true
ingressClassName: nginx
hosts:
- host: "${APP_DNS_HUGO_TEST_VSCODE}"
paths:
- path: /
pathType: Prefix
tls:
- hosts:
- "${APP_DNS_HUGO_TEST_VSCODE}"
env:
TZ: "${CONFIG_TZ}"
service:
main:
ports:
http:
port: 1313
ingress:
main:
enabled: true
primary: true
ingressClassName: nginx
hosts:
- host: "${APP_DNS_HUGO_TEST}"
paths:
- path: /
pathType: Prefix
tls:
- hosts:
- "${APP_DNS_HUGO_TEST}"


@@ -1,54 +0,0 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: cloudflared
namespace: hugo-test
labels:
helm.flux.home.arpa/app-template: "true"
spec:
values:
controller:
strategy: RollingUpdate
image:
repository: cloudflare/cloudflared
tag: 2023.2.1-amd64
args:
- tunnel
- --config
- /etc/cloudflared/config.yaml
- run
service:
main:
enabled: false
persistence:
config:
enabled: true
type: configMap
name: cloudflared-config
mountPath: /etc/cloudflared/config.yaml
subPath: config.yaml
readOnly: true
credentials:
enabled: true
type: secret
name: cloudflared-credentials
mountPath: /etc/cloudflared/credentials.json
subPath: credentials.json
readOnly: true
configMaps:
config:
enabled: true
data:
config.yaml: |
tunnel: "${SECRET_CLOUDFLARE_TUNNEL_HUGO_TEST_ID}"
credentials-file: /etc/cloudflared/credentials.json
no-autoupdate: true
ingress:
- hostname: ${APP_DNS_CF_HUGO_TEST_HELLO}
service: hello_world
- hostname: ${APP_DNS_CF_HUGO_TEST}
service: http://hugo-test:1313
- hostname: ${APP_DNS_CF_HUGO_TEST_VSCODE}
service: http://hugo-test-addon-codeserver:12321
- service: http_status:200


@@ -1,8 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- 1-namespace.yaml
- 3-install.yaml
- 4-cloudflared.yaml
- volsync.yaml


@@ -1,29 +0,0 @@
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: kanidm-deps
namespace: flux-system
spec:
path: ./kube/3-deploy/2-apps/kanidm/deps
dependsOn:
- name: ${CLUSTER_NAME_LOWER}-1-core-03-certs-cert-manager # change to shorter name
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: kanidm-app
namespace: flux-system
spec:
path: ./kube/3-deploy/2-apps/kanidm/app
dependsOn:
- name: kanidm-deps
- name: ${CLUSTER_NAME_LOWER}-1-core-02-storage-rook-ceph
- name: ${CLUSTER_NAME_LOWER}-1-core-04-dns-internal
- name: ${CLUSTER_NAME_LOWER}-1-core-05-ingress-nginx
#- name: ${CLUSTER_NAME_LOWER}-2-apps-volsync
healthChecks:
- name: kanidm
namespace: kanidm
kind: HelmRelease
apiVersion: helm.toolkit.fluxcd.io/v2beta1


@@ -1,8 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- 1-namespace.yaml
- 2-nfs.yaml
- 3-install.yaml
- volsync.yaml


@@ -1,6 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- 1-operator.yaml
- 2-cr.yaml


@@ -1,6 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- 1-namespace.yaml
- 2-install


@@ -1,8 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- 1-namespace.yaml
- 2-repo.yaml
- 3-install.yaml
- volsync.yaml


@@ -1,18 +0,0 @@
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: ntfy-app
namespace: flux-system
spec:
path: ./kube/3-deploy/2-apps/ntfy/app
dependsOn:
- name: ${CLUSTER_NAME_LOWER}-1-core-02-storage-rook-ceph
- name: ${CLUSTER_NAME_LOWER}-1-core-04-dns-internal
- name: ${CLUSTER_NAME_LOWER}-1-core-05-ingress-nginx
#- name: ${CLUSTER_NAME_LOWER}-2-apps-volsync
healthChecks:
- name: ntfy
namespace: ntfy
kind: HelmRelease
apiVersion: helm.toolkit.fluxcd.io/v2beta1


@@ -1,17 +0,0 @@
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: satisfactory-app
namespace: flux-system
spec:
path: ./kube/3-deploy/2-apps/satisfactory/app
dependsOn:
- name: ${CLUSTER_NAME_LOWER}-1-core-02-storage-rook-ceph
- name: ${CLUSTER_NAME_LOWER}-1-core-04-dns-internal
#- name: ${CLUSTER_NAME_LOWER}-2-apps-volsync
healthChecks:
- name: satisfactory
namespace: satisfactory
kind: HelmRelease
apiVersion: helm.toolkit.fluxcd.io/v2beta1


@@ -1,7 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: test
namespace: kube-system
stringData:
test: forPreCommit

File diff suppressed because one or more lines are too long


@@ -1,18 +0,0 @@
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: velociraptor-app
namespace: flux-system
spec:
path: ./kube/3-deploy/2-apps/velociraptor/app
dependsOn:
- name: ${CLUSTER_NAME_LOWER}-1-core-02-storage-rook-ceph
- name: ${CLUSTER_NAME_LOWER}-1-core-04-dns-internal
- name: ${CLUSTER_NAME_LOWER}-1-core-05-ingress-nginx
#- name: ${CLUSTER_NAME_LOWER}-2-apps-volsync
healthChecks:
- name: velociraptor
namespace: velociraptor
kind: HelmRelease
apiVersion: helm.toolkit.fluxcd.io/v2beta1


@@ -1,7 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- 1-namespace.yaml
- 2-repo.yaml
- 3-install.yaml


@@ -1,7 +0,0 @@
creation_rules:
- path_regex: .*.yaml
encrypted_regex: ^(hosts|host|WHOOGLE_CONFIG_URL|nameservers)$
age: >-
age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj
pgp: >-
31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2


@@ -1,6 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- 1-namespace.yaml
- 2-install.yaml


@@ -1,7 +0,0 @@
creation_rules:
- path_regex: .*.yaml
encrypted_regex: ^(hosts|host|ZU_DEFAULT_USERNAME|ZU_DEFAULT_PASSWORD|ZU_CONTROLLER_ENDPOINT|nameservers|secretName|commonName|dnsNames|loadBalancerIP|externalIPs|ZT_ALLOW_MANAGEMENT_FROM)$
age: >-
age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj
pgp: >-
31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2


@@ -1,12 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: zerotier
labels:
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/enforce-version: v1.26
pod-security.kubernetes.io/audit: privileged
pod-security.kubernetes.io/audit-version: v1.26
pod-security.kubernetes.io/warn: privileged
pod-security.kubernetes.io/warn-version: v1.26


@@ -1,45 +0,0 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: vpncert
namespace: zerotier
spec:
secretName: ENC[AES256_GCM,data:0hrZ,iv:xxUvw0q2Mu4DKn1+p6Y+mL68Y8D9o4zB/si7jeIYNO8=,tag:nKO3FoGWMOOSni+Dhn92tA==,type:str]
issuerRef:
name: letsencrypt-production
kind: ClusterIssuer
commonName: ENC[AES256_GCM,data:ID/wwJqSxffe,iv:9AMufuWk//7wI794F5G62Vv0IlvxDJPjAJh/z3epPVo=,tag:Lsrnu2vP6GpR91fRlkNvLA==,type:str]
dnsNames:
- ENC[AES256_GCM,data:K4uAzmvDrUU9,iv:iQe4azjqY7IoeXven6UnK/gPuVroibkio/Vph+QgBOI=,tag:c2W7rZSkwv3IwMsGLD9SgQ==,type:str]
- ENC[AES256_GCM,data:mJWJHXlj7pZ56xA=,iv:MsxCanR2cQNJmnWApwqxAmn45zQIxlROAVi0wqMhNc4=,tag:7psuoMpPu3kX1w6p3tiz2g==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsNlhwWDgzSW1VSTIraGpQ
dGxpU3BjNy9qN3YzYVdKS1g4OEZCSzl1QnprCnErbDcyTmQ5ZTB2czNsbGFWbGcz
UlVlZC8yMzMxZ2ZpLzgvWEJsalowZ0EKLS0tIFJDbDg4SlFqZVRObHJTVFVMMjN1
WWZzN0VORmh0SlNXWHZRdkNQTjFqOU0KWMCPoge9kKQdNCN3WeAx1QHhit0oEHFT
ZCudRntexd0Nrby2OC0KcXOXCH1fTJEQdPD29EjlXTig86QRp/aP7Q==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-03-01T15:32:38Z"
mac: ENC[AES256_GCM,data:h7eRRJEnFOLtxwPDO5isAeB8YlAnNuAr03KqkV0syH44Z+C4sXuCdx0LzxI97qLPrifvTFabCbx1gbfKXj0iWbarzaUKGjKVncvDOdqDicntz5XRLtxxr2/JRTiqQTshgGNoAN5gzpAD6yRmxjlGoZ76R87aed47mdchrzA3Jq0=,iv:Y+53dKQjK5JRfIkq4gsepHAx5oBHjVikGBcNY9Qk2nM=,tag:+iSBsZMzQaNZpUccRA4WCw==,type:str]
pgp:
- created_at: "2023-03-01T15:32:37Z"
enc: |
-----BEGIN PGP MESSAGE-----
hF4DAAAAAAAAAAASAQdAhQox1ebxBCSRViomIaf2wSxH/2BtXiAk0wQBOnvwTHEw
Ji3mOrg7G4dPzVsiBTNRvhlB848J0+5dV9B2p85BLgyEKljYheG6L78BQp7QILEa
0l4Bn9Ev6JtqZuj+9EyXAJJ9RUX9MBdftNOLu399qd4HxdAg4tV+l34SF0C8x/TG
ZOKtQYenHEQHygoXuPrip9bnYGruc0d4jNv96S0zeanQx/N/X7vSPAIjTjR9qMBg
=7MhE
-----END PGP MESSAGE-----
fp: 31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2
encrypted_regex: ^(hosts|host|ZU_DEFAULT_USERNAME|ZU_DEFAULT_PASSWORD|ZU_CONTROLLER_ENDPOINT|nameservers|secretName|commonName|dnsNames|loadBalancerIP|externalIPs|ZT_ALLOW_MANAGEMENT_FROM)$
version: 3.7.3


@@ -1,12 +0,0 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: zerotier-one
namespace: zerotier
spec:
accessModes: ["ReadWriteOnce"]
storageClassName: block
resources:
requests:
storage: 1Gi


@@ -1,85 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: zerotier-controller
namespace: zerotier
labels:
helm.flux.home.arpa/app-template: "true"
spec:
values:
controller:
type: statefulset
strategy: RollingUpdate
fullNameOverride: zerotier-controller
image:
repository: docker.io/zyclonite/zerotier
tag: 1.10.2
env:
ZT_OVERRIDE_LOCAL_CONF: "true"
ZT_ALLOW_MANAGEMENT_FROM: 0.0.0.0/0
dnsPolicy: ClusterFirstWithHostNet
dnsConfig:
options:
- name: ndots
value: "1"
securityContext:
capabilities:
add:
- NET_ADMIN
- NET_RAW
- SYS_ADMIN
nodeSelector:
node-restriction.kubernetes.io/nodeType: main
service:
main:
enabled: true
primary: true
# type: LoadBalancer
# externalTrafficPolicy: Local
# loadBalancerIP: "${APP_IP_ZEROTIER}"
# externalIPs:
# - "${APP_IP_ZEROTIER}"
# ports:
# http:
# enabled: false
# zerotier-udp:
# enabled: true
# protocol: UDP
# port: 9993
# targetPort: 9993
# zerotier-tcp:
# enabled: true
# protocol: TCP
# port: 9993
# targetPort: 9993
# peers:
# enabled: true
type: NodePort
externalTrafficPolicy: Local
ports:
http:
enabled: false
peers-udp:
enabled: true
protocol: UDP
port: 9993
targetPort: 9993
nodePort: 9993
peers-tcp:
enabled: true
protocol: TCP
port: 9993
targetPort: 9993
nodePort: 9993
persistence:
zerotier-one:
enabled: true
type: pvc
mountPath: /var/lib/zerotier-one
retain: true
existingClaim: zerotier-one
tun:
enabled: true
type: hostPath
hostPath: /dev/net/tun
readOnly: true


@@ -1,62 +0,0 @@
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: zerotier-ui
namespace: zerotier
labels:
helm.flux.home.arpa/app-template: "true"
spec:
values:
controller:
type: statefulset
strategy: RollingUpdate
fullNameOverride: zerotier-ui
image:
repository: docker.io/dec0dos/zero-ui
tag: 1.5.1
env:
ZU_CONTROLLER_ENDPOINT: "${CONFIG_ZEROTIER_ENDPOINT}"
ZU_SECURE_HEADERS: "true"
ZU_DEFAULT_USERNAME: "${SECRET_ZEROTIER_UI_USERNAME}"
ZU_DEFAULT_PASSWORD: "${SECRET_ZEROTIER_UI_PASSWORD}"
nodeSelector:
node-restriction.kubernetes.io/nodeType: main
# dnsPolicy: None
dnsConfig:
options:
- name: ndots
value: "1"
service:
main:
ports:
http:
port: 4000
ingress:
main:
enabled: true
ingressClassName: nginx
hosts:
- host: "${APP_DNS_ZEROTIER}"
paths:
- path: /
pathType: Prefix
tls:
- hosts:
- "${APP_DNS_ZEROTIER}"
secretName: vpn
persistence:
zerotier-one:
enabled: true
type: pvc
mountPath: /var/lib/zerotier-one
retain: true
existingClaim: zerotier-one
zerotier-ui-data:
enabled: true
type: pvc
mountPath: /app/backend/data
readOnly: false
accessMode: ReadWriteOnce
storageClass: block
size: 1Gi
retain: true


@@ -1,9 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- 1-namespace.yaml
- 2-certs.yaml
- 3-pvc.yaml
- 4-controller.yaml
- 5-ui.yaml


@@ -1,18 +0,0 @@
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: zipline-app
namespace: flux-system
spec:
path: ./kube/3-deploy/2-apps/zipline/app
dependsOn:
- name: ${CLUSTER_NAME_LOWER}-1-core-02-storage-rook-ceph
- name: ${CLUSTER_NAME_LOWER}-1-core-04-dns-internal
- name: ${CLUSTER_NAME_LOWER}-1-core-05-ingress-nginx
- name: 1-core-db-pg-clusters-default
healthChecks:
- name: zipline
namespace: zipline
kind: HelmRelease
apiVersion: helm.toolkit.fluxcd.io/v2beta1


@@ -0,0 +1,5 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- github.com/fluxcd/flux2/manifests/install?ref=v2.0.0-rc.5
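Review bot: The remote base on the `resources` line is pinned only by tag (`ref=v2.0.0-rc.5`), and a tag can be moved upstream, so the manifests that install the cluster's GitOps controllers are not fixed to reviewed content. Pinning the ref to the commit that the tag points at, with the tag kept as a trailing comment, makes the bootstrap reproducible and turns any upstream change into a visible diff: `- github.com/fluxcd/flux2/manifests/install?ref=<commit-sha-for-v2.0.0-rc.5>  # v2.0.0-rc.5`. The ref is also a release candidate, so a short comment above the line saying when it should move to a stable release would help. The install kustomization removed elsewhere in this commit carried a `$patch: delete` for every NetworkPolicy and this new file has none; if keeping Flux's bundled NetworkPolicies is the intent, a one-line comment stating it would stop the patch from being reintroduced by habit.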


@@ -67,12 +67,13 @@ SECRET_MINIFLUX_PG_DBNAME=ENC[AES256_GCM,data:Gh38/ljUWkU=,iv:JPsEPf/aiDXFncN3og
SECRET_MINIFLUX_PG_USER=ENC[AES256_GCM,data:qMBC7e5KW98=,iv:wu2+CK0pRy+uwQzDng/WM4asUAkXu2EMU6cjSDPcccY=,tag:29+QVjETJ4jwP3x0nwjERQ==,type:str]
SECRET_MINIFLUX_PG_PASS=ENC[AES256_GCM,data:rLuVT8S9hkQTE/T0Z6M06qgmzIt8ufC8drdofL1n19uefnLsU4WqgLZ/KYGrxQ==,iv:oLcrZilIuQf+QHCJYiQllummr4yRz6aflDhNb21GNUE=,tag:H4XCkfmJl8jQogvGDCVZOw==,type:str]
SECRET_OVENMEDIAENGINE_SIGNEDPOLICY_SECRETKEY=ENC[AES256_GCM,data:5RF5A82+VFFBExTrY2QRRjUBuEq3peY/MAXDh7K/U6U3z6tzqqa+Cw==,iv:qz9k3l+Xi/O/13FPRTzIwozAVdRdGhjrFxxeo/YjUdE=,tag:aLNBq5qlxpJptIhGqLMCxg==,type:str]
sops_age__list_0__map_recipient=age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj
sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhF4DAAAAAAAAAAASAQdANDTQwVjZ/Ad3iqBe0LL2sGCrEvrl6W6VaMjFgJCUkzYw\nwASmi9Y/OqREXtEItA1rKZDTM38LuMfcU4vAeEV0SNWlW5CQquN8UpLwMATrBdXr\n0lwBcvIZFLbbnfqFAdJ1EzbRWvHuh+yn5DBMH+odm3ZLaJqiiV9EaWhfl2rdIOr4\nPJQf6Ev1hueWmc9H45a8nvwH8sOl9MH9hl3TW7o9JOOhGmZ4BBVaSJW6f0UiZw==\n=iSQg\n-----END PGP MESSAGE-----\n
SECRET_OVENMEDIAENGINE_ACCESSTOKEN=ENC[AES256_GCM,data:5wq3Eh0MR/yZ09VIOCoiPO4bxRHkMU3S8AVlsR0BZVQpm/q/8WBjh+E7rxb2NlX+D2Lsdsy2VkGVKlD7DU2ysOe+h40HmxmW66A9dZAS/IoQfxfE3QXquVmHrRvdd7GEPi36sw51ZDstfWiL1YRA0TV6mfAi+Z/1UgD3bMlL7QI=,iv:rczJrTn9trKCWd1qdw1DyZDdLhjEE8nfNysYtkiXV1s=,tag:Gnd8kEAGLScgRW5ffWiOpQ==,type:str]
sops_unencrypted_suffix=_unencrypted
sops_pgp__list_0__map_created_at=2023-06-01T18:01:07Z
sops_lastmodified=2023-06-24T19:59:03Z
sops_mac=ENC[AES256_GCM,data:S41QDYjY90ErJ9rguHqfhO0PCuo1ptHadJSWyTkVLMLZzrDeZOpHa5vzslcuzA0hC1sJ/D6VpTVM+kCY/SFRkdVgb8D8JlyJw/pHE4XJqMgFcbD+0FTiAtH4zX8WLC7vICUG1UlXLd4cxHpEsOKDtdBSWSxwErvm+woyNooP+Y8=,iv:Wrzr5kZjoBeZrXQq522wv7/BgW5ZbMiYQ2dqh1ljYuo=,tag:c+J81ePMAzGPelIFqdd78Q==,type:str]
sops_version=3.7.3
sops_age__list_0__map_recipient=age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj
sops_lastmodified=2023-06-24T22:17:31Z
sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhF4DAAAAAAAAAAASAQdANDTQwVjZ/Ad3iqBe0LL2sGCrEvrl6W6VaMjFgJCUkzYw\nwASmi9Y/OqREXtEItA1rKZDTM38LuMfcU4vAeEV0SNWlW5CQquN8UpLwMATrBdXr\n0lwBcvIZFLbbnfqFAdJ1EzbRWvHuh+yn5DBMH+odm3ZLaJqiiV9EaWhfl2rdIOr4\nPJQf6Ev1hueWmc9H45a8nvwH8sOl9MH9hl3TW7o9JOOhGmZ4BBVaSJW6f0UiZw==\n=iSQg\n-----END PGP MESSAGE-----\n
sops_pgp__list_0__map_created_at=2023-06-01T18:01:07Z
sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxalh5ckhGWGxFTmFqSDQv\ndXlPOUlyYVNkWHA5VGN2TERvaWtWMHlJdFRNCnQ1NlJldEgxb2E0VEdVSDVpbHp5\nZEpTMEQ5dWU0Q2ZWTFBOZFp5Ti95ejQKLS0tIDF0c3VlazRzVWtVQ1JXT3hyTWNN\nWXpUSUNydGY4V04xZ2dTSzlvWmNOTGsKQ3rimeB7zqB4dYMp1pR1AOltXk+GhGsb\ns0jDxr/SiPUaiYoVCY4fqu9geXNRDGlPh3T2Lhs9Siif4Vnc8qTQBw==\n-----END AGE ENCRYPTED FILE-----\n
sops_mac=ENC[AES256_GCM,data:Q97o4w/Ge5ZNtrei4yuwqPhZcVGAVfyAgvaGSiUvb5Sav/u4+T2uxZSdbf5p+nlLgszVo5CmW7hw1dvn1edKTB/RqHCJk2U/Ue1cpWZ8M/3rj3IioR4GybHIxKpQiTNCmIBn00YJx8l+0new0ohxnaWfGxsXcYboHxPninSOkpI=,iv:GLzaZSJvMjEvLCWqKajP2x9qmE9mieiaSEOQngqB0Fc=,tag:iAtNDY7Zq9lpT0E/zZTZZw==,type:str]
sops_pgp__list_0__map_fp=31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2


@@ -1,5 +1,5 @@
CLUSTER_NAME=ENC[AES256_GCM,data:QDlF0r9p4p9T,iv:SxkwuJ8B2RZqSwYaXgrsvMDp68RqF98O2X34sm2Xmg8=,tag:taosHI0ammrR9D7AQFR5qA==,type:str]
CLUSTER_NAME_LOWER=ENC[AES256_GCM,data:LOBnHj8XCXtQ,iv:fTr/bbL3VPM8ak6W6ajh2TYqs/L8E9xBcMRi9YP3ReI=,tag:30G22YNIgJAcKfQKJwhx9w==,type:str]
CLUSTER_NAME=ENC[AES256_GCM,data:VEDYOJ8ZUwrG,iv:Wr1n+LLZNiB0m9PHs+jjRJssXWpvNKV7n4lcOVcNd+E=,tag:W1ya32k6II9JO8g9JBw51A==,type:str]
CLUSTER_NAME_UPPER=ENC[AES256_GCM,data:brbPB3I9mZVo,iv:a4qpy23gX77lAhqtQ9Nj1YnPA420cqw+OknBEUURgDQ=,tag:jB+C2Oc2y9tUMNO881OKvw==,type:str]
CLUSTER_ID=ENC[AES256_GCM,data:Lw==,iv:64SEKTr0zvzlwV/FFZHRrmd76mkEaPzSgZqA9NnEk08=,tag:Utwnqxu14Mwm+glXsUPNSA==,type:str]
CONFIG_TZ=ENC[AES256_GCM,data:yjenwiH185SgIz1gDHs=,iv:zWulurvktdU7e+866iNrafkjqAuqZSnJtx8kq7RhNTM=,tag:M5IkAMqEep8dIIbHGXetIg==,type:str]
USERS_1_UID=ENC[AES256_GCM,data:DY9qIA==,iv:M0E4LpIkCL4gABzOEzLVBHjGfXpPtYXb1ssezvN4D9o=,tag:wopQ/2iWx7aoxnLaQrYgFg==,type:str]
@@ -19,10 +19,12 @@ IP_ROUTER_LAN=ENC[AES256_GCM,data:q+9MIIuBLPA=,iv:pzWM3e0qgyRLgYtXv3aoKqX6ZOnpQU
IP_ROUTER_LAN_CIDR=ENC[AES256_GCM,data:VBNZEYACQMQduOU=,iv:is1RkkLkgUYuNPypTFRm7krP9nb1rkrZ64pkQT+5LEM=,tag:opkUbEo8JR1Gp13pklKz7g==,type:str]
IP_ROUTER_VLAN_K8S=ENC[AES256_GCM,data:BF7rMLUGyiMb,iv:H+s1v1sl6ZNJEvF1QO5kIYE7jquhLrDXbPnpE2PywUY=,tag:Sux+8RhfEHfZDXT2z4S5Jw==,type:str]
IP_ROUTER_VLAN_K8S_CIDR=ENC[AES256_GCM,data:ofSpO4zPW15NjV5U,iv:NiFUvxTyLkN6pamnvvdDp4jrvIDyjUL29iytz6WtQ5o=,tag:J3EfAU0XGsyLM3LyJhqUXA==,type:str]
IP_ROUTER_VLAN_K8S_PREFIX=ENC[AES256_GCM,data:abED1u8guh0=,iv:Po4vQtJTEfBOFItiFzGp1F0YosLpYn97MBuRpEoHNEc=,tag:5RHzXYXjHbPdy8vLXsMM5w==,type:str]
IP_WG_USER_1_V4=ENC[AES256_GCM,data:6kwe/D0YVGEG7CMWhr8=,iv:B4Dk4AaljCym/cxatpO/5WMZ2E4KMiNH+tCLH+yVsf8=,tag:nqqze7vKrsWTBWG5/Ou/Ag==,type:str]
IP_WG_GUEST_V4=ENC[AES256_GCM,data:zNwOAgzou0T8cAduDBY=,iv:matZ/IhxDQ+CGO3IelqlszVfmAr12dgWXIH9YLGGDOs=,tag:/MJRFYmH69ldrHfdjSQSpA==,type:str]
IP_CLUSTER_VIP=ENC[AES256_GCM,data:ghu7xLzr91gN,iv:4KNr0G6tjdzsoyy8TLCIdCp4vvWNGHOJfob7XCLTDto=,tag:cO9O4nhuLR3hFtHJpdoE9Q==,type:str]
IP_POD_CIDR_V4=ENC[AES256_GCM,data:3SN16w9wO79Kt2OlZg==,iv:8Q+GVVGU6NZRHR5E3FZXpyev4CC6e7k1NYRb8GhpZUE=,tag:i9WluteN3JdWDePWEANzOw==,type:str]
IP_SVC_CIDR_V4=ENC[AES256_GCM,data:uHwTCCtbTpo4UwHgJw==,iv:+I2V+I0jffCJknDomBQ9Zw7btm2sJupbsKl5mnHka2Y=,tag:kxGqfwSEtRdMS/0CL5FpvA==,type:str]
IP_LB_CIDR=ENC[AES256_GCM,data:NHEFdMzcHnBca+8tgA==,iv:ZQLZfYJNmDrJOyW8OPG4fNL5KYylcJTPx6wYZDGYoFU=,tag:uQFBVjIhhddl+wZwnIgEBQ==,type:str]
IP_LB_DNS_CIDR=ENC[AES256_GCM,data:n++ZYPrjSQCEaNC6YVM=,iv:LnTTl2kaFgKK8HZLotkZBLqpCFEBH6GOAkTFihgXpHY=,tag:w4PLDrN/Ba/KAVEoOBn2wA==,type:str]
IP_LB_DNS=ENC[AES256_GCM,data:LX0wu1WB2Hj0Dyc=,iv:rxdCTNbgCvLmJ7MMz6O3E+BXcdKgT3atSM0pbYPOgQ4=,tag:oJmPV4avTj6qbyCRCxUC3Q==,type:str]
@@ -33,6 +35,7 @@ IP_EC2_INGRESS=ENC[AES256_GCM,data:omO7wXHHdXAMtw==,iv:CjT+gLZ1qXlojRhO4aqASOPN4
IP_OLD_DOCKER=ENC[AES256_GCM,data:P0UtR+GaYgiL,iv:4fUoNHCJNRPeKxdRTGIqTsCygXWzjNzLv+6j6M5HKTE=,tag:AvTs/+R6Z1gkZuSVwXLFBg==,type:str]
IP_TRUENAS=ENC[AES256_GCM,data:FmYxX0MfwAa5,iv:IQ2RDyFfWMB81+KWAdViSaI9wsG7ZeuWHqP8WHLxcjo=,tag:zKLAvj9Bv7LUxTzCgxzATw==,type:str]
IP_PVE_CEPH_CIDR=ENC[AES256_GCM,data:pZQiINu+zq+Eu817QSs=,iv:HNqO1t6CIYKYFu79ZIa7drta6nHrusbIAvDMZOqTjQ8=,tag:c7twZOYfyoWFtM7EsCQGYg==,type:str]
IP_PVE_CEPH_PREFIX=ENC[AES256_GCM,data:qTb2oGx0lYVYXg==,iv:LHvEoa8FOfyFgkbofpGL2Fxywh0IovaqDd4f/KuD5gA=,tag:toyC1fok90KGTSV/i+J3lA==,type:str]
IP_PVE_CEPH_1=ENC[AES256_GCM,data:4XniDxEiYapl8jE=,iv:tsUuu/zQRlpg3FP5D0xskegvri0Ff/gzIDhDEfMBSqI=,tag:ZyNRjxrcPFdwtVrOjzoQ0A==,type:str]
IP_PVE_CEPH_2=ENC[AES256_GCM,data:7grFGVPdQVfvWUw=,iv:wFUEr0oLNKh596/osnZFPEB2K2DrK9YJAQ1UGp6+Ro8=,tag:K0hI4bYhVWZ34OtDo20F4Q==,type:str]
IP_PVE_CEPH_3=ENC[AES256_GCM,data:gcpKOsqmtwse/y8=,iv:S6mFA3zgOjWia3H3yEiygaUNDz7mPaDjGhLOZuIb2kM=,tag:dwAzKWIxG+d6Cp1sMtBS2w==,type:str]
@@ -54,8 +57,9 @@ APP_IP_K8S_GATEWAY=ENC[AES256_GCM,data:mNfGiLFSLx4dpAo=,iv:CYo6xNLE+bunmdTbvCGMI
APP_IP_HAPROXY_PROXY_X=ENC[AES256_GCM,data:yBoLaUWZ1Ul/05o=,iv:AkmKj+GrlAyhl1/6w7WScRlzk5Fw/sFwy1ROvjjZyHw=,tag:a2/hZAf2UjJvWaVhzs/Z5g==,type:str]
APP_UID_HAPROXY_PROXY_X=ENC[AES256_GCM,data:B3G6nA==,iv:e5UIYZa52kQ8GFBD30d4/U8WMito6albh4CMgYhHOpg=,tag:8TBer2t4zGGYIC3bmO5FLA==,type:str]
APP_DNS_FLUX_WEBHOOK=ENC[AES256_GCM,data:LeEVKkgJzTyJGRqr+LMQynh7+pPqSaxd,iv:f4FPxbRGwAa359vlbqr7MTPYItIgcjNo6RwFSKf5T6k=,tag:k6yyN1FRRLKNW0Prdyc25A==,type:str]
APP_DNS_RADOSGW=ENC[AES256_GCM,data:f7vMFBNWRtQZ,iv:lAXYTkBTE4/PW/bm25c4ZzrIxlgQsOfpXJeyNYqtwr0=,tag:PDSUP4+4eHauhpORu+Z7Ig==,type:str]
APP_IP_RADOSGW=ENC[AES256_GCM,data:3ndMvS7qVTZxSg==,iv:n/5arRlOykLfrk8kGqPMaZegYI9FNHlkIPzmawdGsDc=,tag:+V6LDeK6U2sxJ5a+KNyxqw==,type:str]
APP_DNS_RGW_S3=ENC[AES256_GCM,data:3RkyzpijzJ6D,iv:QQceRsolcZoHUBz9WbECMHQk4/tHQNYEsHbPsZVsQLE=,tag:4qR2yWPV5MHLiWjPB3fqsA==,type:str]
APP_DNS_RGW_S3=ENC[AES256_GCM,data:X/DlP3vIFc07Sg==,iv:HlJ/AbTqCuOuszK8Lll8qsSNpuZOoty0lsnYCt1UF48=,tag:nFoxdgyYyZArPflmm2DwHQ==,type:str]
APP_DNS_INGRESS_WILDCARD=ENC[AES256_GCM,data:aPYf3BwPvNA=,iv:Kgey2Z4+1JFa9JOOzG98QmBBMIp4fTPm8VPLw5d9gLw=,tag:R8Hb5kcuLFlIP0m1Aopdpg==,type:str]
APP_DNS_HUBBLE=ENC[AES256_GCM,data:IcbmzSNwcLqbtg==,iv:qGuMNgCu39RMcdKjsGia8wCZ1Vpj8MVcDO2QQv4wONY=,tag:mqwjMLhKR4q0tjftCS25Lw==,type:str]
APP_IP_KANIDM=ENC[AES256_GCM,data:VGm8gzd5D5x3phU=,iv:yS1pT2TSGKsTeFB0ouYUyTYEGD88d3DebpwSJ6lJpSs=,tag:kpa8wKJm4gdyCWKJ1A4n1w==,type:str]
@@ -118,12 +122,12 @@ CONFIG_ZEROTIER_ENDPOINT=ENC[AES256_GCM,data:tOyIlrzdn8sck7um7OSicq5T0XWAmymaRLn
CONFIG_AUTHENTIK_REMOTE_HOST=ENC[AES256_GCM,data:Iv7k3CoKsLrQf0PRIfhGMCAjOU3AdweS+LFWMeEQoWc=,iv:TsRwWDUrI3zAgBgFRkZAYUNlZV0Q/gOlGjKFrheM0nE=,tag:38OGfWYEm/h/+FH7IsIH3Q==,type:str]
CONFIG_HEADSCALE_IPV4=ENC[AES256_GCM,data:EZ7GMHA6u1wWPS5g6Pg=,iv:W1hcseQ4Q6CisTXnDLI7hWTy18fIVKtZ46tudCyhfa4=,tag:2WnnNjuZhwUPG07OKTQt2g==,type:str]
CONFIG_OVENMEDIAENGINE_NAME=ENC[AES256_GCM,data:58CuH8bcUHWXBZA=,iv:BN7x6aAJPbzIn25sNoycsHRE5pugkubLS2VrM77+g/E=,tag:6JAsRjU0L6wbZtns3rk6KQ==,type:str]
sops_age__list_0__map_recipient=age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj
sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFSXFvLzFQaFJ0OVJKUFV5\nTWh2OUltUlpJWFlVVytFYU9VajBHSnQ4SGdjCnRVbEVXdDVyUHJrR05Ba0xvUm1l\nTkt2YmNUZy90ZFA2b3QrODFKZ01EVG8KLS0tIEw2dkd1cnFCbnI5eWxKL2o1aDVB\nN0hveXZ2dWdxQ2k2L0pGR0ROMStVTmsK4dV/hNyDjsYnVUiFQ7kqdmcVHfYyVckz\nh/rwLjcZgsup72WDVP3v6Eul8B3LKFrSb8CDFA54tyQmSdFDCQC+Zg==\n-----END AGE ENCRYPTED FILE-----\n
sops_pgp__list_0__map_fp=31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2
sops_version=3.7.3
sops_lastmodified=2023-06-24T19:56:52Z
sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhF4DAAAAAAAAAAASAQdAbA35718t0WVKrjQFYUPviCb0lVuh8NpfSdJCHjHcWWww\n8ak4q4VL69tZLSjQHx+VsMmKooknxWz6pw0lGxyDYlZMQ81bodInjaZGFZSz8Uuh\n0l4BhDCNDBBALTrnTliz6/DAHvmavI4UxMHost5alFio9JPkTDNmXZyvcy1/R6aw\n/uhQXLUBRvm0TSOhBZb7d0SLkLfe02Um40w1TibpKXsZz1GOMbPRNBMHHra0QIuQ\n=0jA+\n-----END PGP MESSAGE-----\n
sops_unencrypted_suffix=_unencrypted
sops_mac=ENC[AES256_GCM,data:awiLqmtBM8LGXW9DN/0IrQ6bIRpyGMrORjr/1cO0uzpjjDRFoJWGgCRZCG7nBLDNO1RQ04tMrNDVHFA2+XK1XZV09znNr5QiycoAsREBvIcqs9omga4fTzV8/mpx7YVkT2yhz9dTgOGAGqyfz8swY4H2TqvSu+VP4OuHzYE8MVQ=,iv:ujhMqHV9fUGAYqhJvjq+IhrBRDtiLvG+6ie21B1V8yM=,tag:MX9nG6c/24QgvQqpGozhsw==,type:str]
sops_lastmodified=2023-06-26T17:29:49Z
sops_pgp__list_0__map_created_at=2023-06-01T18:01:04Z
sops_age__list_0__map_recipient=age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj
sops_unencrypted_suffix=_unencrypted
sops_version=3.7.3
sops_mac=ENC[AES256_GCM,data:LPxgvUiAB/j9ZDeMCAO+EeBionM/tTyDxhAjGgrKY1rnZYfBK8ocy3yVu+XLc1vkK+590QG5pcpcaEcM/RgSluD/z3xf58/7qADxjK3bh2J05lZwreFWP6PlsEW+N7w/do1ys1ZTW2cBo+BwpdBPS6OvowUpuAIRKBnsaE6IZD4=,iv:G3NRG6DtZZqyKMdDB11jwnSUfff/r0DcP32QHlV62rU=,tag:B5GSPUISp0y+9aJOghinRg==,type:str]
sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhF4DAAAAAAAAAAASAQdAbA35718t0WVKrjQFYUPviCb0lVuh8NpfSdJCHjHcWWww\n8ak4q4VL69tZLSjQHx+VsMmKooknxWz6pw0lGxyDYlZMQ81bodInjaZGFZSz8Uuh\n0l4BhDCNDBBALTrnTliz6/DAHvmavI4UxMHost5alFio9JPkTDNmXZyvcy1/R6aw\n/uhQXLUBRvm0TSOhBZb7d0SLkLfe02Um40w1TibpKXsZz1GOMbPRNBMHHra0QIuQ\n=0jA+\n-----END PGP MESSAGE-----\n
sops_pgp__list_0__map_fp=31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2


@@ -1,5 +1,4 @@
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/ocirepository_v1beta2.json
# downloads and installs Flux manifests to cluster
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: OCIRepository
@@ -10,13 +9,13 @@ spec:
interval: 10m
url: oci://ghcr.io/fluxcd/flux-manifests
ref:
tag: v0.40.0
tag: v2.0.0-rc.5
---
# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/kustomization_v1beta2.json
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: 1-flux
name: zzz-flux
# I don't wanna see it on the top lol
namespace: flux-system
labels:
kustomization.flux.home.arpa/name: "flux"


@@ -1,5 +1,5 @@
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
name: flux-system
@@ -17,10 +17,11 @@ spec:
# include Kubernetes
!/kube
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: 2-biohazard-config
name: 0-biohazard-config
# I wanna see it on the top lol
namespace: flux-system
labels:
kustomization.flux.home.arpa/name: "flux"
@@ -28,8 +29,8 @@ metadata:
wait.flux.home.arpa/disabled: "true"
kustomization.flux.home.arpa/helmpatches: "false"
spec:
interval: 1m0s
path: ./kube/1-clusters/Biohazard/2-config
interval: 5m0s
path: ./kube/clusters/biohazard/flux
prune: false
wait: false
sourceRef:
@@ -49,12 +50,12 @@ spec:
optional: false
patches:
- patch: |-
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: not-used
spec:
interval: 1m0s
interval: 5m0s
timeout: 10m0s
decryption:
provider: sops
@@ -62,10 +63,10 @@ spec:
name: biohazard-secrets-decrypt-sops-age
target:
group: kustomize.toolkit.fluxcd.io
version: v1beta2
version: v1
kind: Kustomization
- patch: |-
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: not-used
@@ -75,31 +76,31 @@ spec:
name: flux-system
target:
group: kustomize.toolkit.fluxcd.io
version: v1beta2
version: v1
kind: Kustomization
labelSelector: kustomization.flux.home.arpa/default notin (false)
- patch: |
- op: add
path: /spec/dependsOn/-
value:
name: 2-biohazard-config
name: 0-biohazard-config
target:
group: kustomize.toolkit.fluxcd.io
version: v1beta2
version: v1
kind: Kustomization
labelSelector: kustomization.flux.home.arpa/default notin (false)
- patch: |
- op: add
path: /spec/dependsOn/-
value:
name: biohazard-1-core-01-networking-cilium
name: 1-core-1-networking-cilium-app
target:
group: kustomize.toolkit.fluxcd.io
version: v1beta2
version: v1
kind: Kustomization
labelSelector: kustomization.flux.home.arpa/name notin (cilium, flux, kubevirt)
- patch: |-
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: not-used
@@ -114,11 +115,11 @@ spec:
optional: false
target:
group: kustomize.toolkit.fluxcd.io
version: v1beta2
version: v1
kind: Kustomization
labelSelector: substitution.flux.home.arpa/disabled notin (true)
- patch: |-
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: not-used
@@ -127,11 +128,11 @@ spec:
prune: false # disable prune for Flux restructure
target:
group: kustomize.toolkit.fluxcd.io
version: v1beta2
version: v1
kind: Kustomization
labelSelector: prune.flux.home.arpa/disabled notin (true)
- patch: |-
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: not-used
@@ -139,11 +140,11 @@ spec:
prune: false
target:
group: kustomize.toolkit.fluxcd.io
version: v1beta2
version: v1
kind: Kustomization
labelSelector: prune.flux.home.arpa/disabled=true
- patch: |-
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: not-used
@@ -151,11 +152,11 @@ spec:
wait: true
target:
group: kustomize.toolkit.fluxcd.io
version: v1beta2
version: v1
kind: Kustomization
labelSelector: wait.flux.home.arpa/disabled notin (true)
- patch: |-
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: not-used
@@ -163,11 +164,11 @@ spec:
wait: false
target:
group: kustomize.toolkit.fluxcd.io
version: v1beta2
version: v1
kind: Kustomization
labelSelector: wait.flux.home.arpa/disabled=true
- patch: |-
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: not-used
@@ -179,11 +180,6 @@ spec:
metadata:
name: not-used
spec:
chart:
spec:
sourceRef:
kind: HelmRepository
namespace: flux-system
interval: 5m
maxHistory: 5
install:
@@ -229,7 +225,7 @@ spec:
main:
annotations:
nginx.ingress.kubernetes.io/auth-url: |-
http://ak-outpost-${CLUSTER_NAME_LOWER}.ingress.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx
http://ak-outpost-${CLUSTER_NAME}.ingress.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx
nginx.ingress.kubernetes.io/auth-response-headers: |-
Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid
nginx.ingress.kubernetes.io/auth-snippet: |
@@ -259,6 +255,6 @@ spec:
labelSelector: nginx.ingress.home.arpa/type=auth-external-only
target:
group: kustomize.toolkit.fluxcd.io
version: v1beta2
version: v1
kind: Kustomization
labelSelector: kustomization.flux.home.arpa/helmpatches notin (false)
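Review bot: Pruning stays disabled (`prune: false` on this Kustomization's spec and again in the patch commented `# disable prune for Flux restructure`) while the commit renames objects, e.g. `2-biohazard-config` to `0-biohazard-config` and the cilium dependency to `1-core-1-networking-cilium-app`. With prune off, Flux does not delete objects that vanish from the source, so the old-named Kustomizations presumably stay in the cluster until removed by hand. The same would hold for workloads of apps that appear to be dropped here, such as the zerotier-ui HelmRelease and its ingress. I would record that next to the patch, e.g. `# TODO(restructure): prune is off; delete renamed/removed Kustomizations and their workloads manually, then re-enable prune`. The enclosing spec starts and continues outside the visible hunks.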


@@ -5,27 +5,52 @@ resources:
- secrets-age.sops.yaml
- secrets-ssh.sops.yaml
- ../config/
# - flux-install.yaml
# - flux-repo.yaml
- ../../../3-deploy/2-apps/atuin/
- ../../../3-deploy/2-apps/miniflux/
- ../../../3-deploy/2-apps/elk/
- flux-install.yaml
- flux-repo.yaml
- ../../../repos/helm/app-template/
- ../../../deploy/core/_networking/cilium/
- ../../../deploy/core/storage/_external-snapshotter/
- ../../../deploy/core/storage/rook-ceph/
- ../../../deploy/core/storage/volsync/
- ../../../deploy/core/tls/cert-manager/
- ../../../deploy/core/dns/internal/
- ../../../deploy/core/dns/internal/k8s-gateway/
- ../../../deploy/core/dns/external-dns/
- ../../../deploy/core/ingress/
- ../../../deploy/core/ingress/ingress-nginx/
- ../../../deploy/core/ingress/cloudflare/
- ../../../deploy/core/ingress/external-proxy-x/
- ../../../deploy/core/db/pg/
- ../../../deploy/core/monitoring/
- ../../../deploy/core/monitoring/metrics-server/
- ../../../deploy/core/monitoring/kube-state-metrics/
- ../../../deploy/core/monitoring/node-exporter/
- ../../../deploy/core/monitoring/victoria/
- ../../../deploy/core/hardware/node-feature-discovery/
- ../../../deploy/core/hardware/intel-device-plugins/
- ../../../deploy/apps/flux-system/
- ../../../deploy/apps/tetragon/
- ../../../deploy/apps/kubevirt/
- ../../../deploy/apps/default/
- ../../../deploy/apps/whoogle/
- ../../../deploy/apps/gokapi/
- ../../../deploy/apps/minecraft/
- ../../../deploy/apps/sandstorm/
- ../../../deploy/apps/jellyfin/
- ../../../deploy/apps/kavita/
- ../../../deploy/apps/authentik/
- ../../../deploy/apps/kanidm/
- ../../../deploy/apps/syncthing/
- ../../../deploy/apps/excalidraw/
- ../../../deploy/apps/velociraptor/
- ../../../deploy/apps/gotosocial/
- ../../../deploy/apps/ntfy/
- ../../../deploy/apps/satisfactory/
- ../../../deploy/apps/headscale/
- ../../../deploy/apps/zipline/
- ../../../deploy/apps/kah/
- ../../../deploy/apps/atuin/
- ../../../deploy/apps/miniflux/
- ../../../deploy/apps/elk/
- ../../../deploy/apps/livestream/
- ../../../deploy/apps/livestream/oven
# - ceph-rgw-ext-users.yaml
# - ../../../3-deploy/1-core/05-ingress/cloudflare/
# - ../../../3-deploy/1-core/05-ingress/external-proxy-x/
# - ../../../3-deploy/1-core/06-monitoring/1-deps/
# - ../../../3-deploy/1-core/06-monitoring/node-exporter/
# - ../../../3-deploy/1-core/db/pg/
# - ../../../3-deploy/2-apps/default/
# - ../../../3-deploy/2-apps/flux-system/
# - ../../../3-deploy/2-apps/authentik/
# - ../../../3-deploy/2-apps/kanidm/
# - ../../../3-deploy/2-apps/syncthing/
# - ../../../3-deploy/2-apps/excalidraw/
# - ../../../3-deploy/2-apps/velociraptor/
# - ../../../3-deploy/2-apps/gotosocial/
# - ../../../3-deploy/2-apps/ntfy/
# - ../../../3-deploy/2-apps/satisfactory/
# - ../../../3-deploy/2-apps/headscale/


@@ -0,0 +1,222 @@
clusterName: biohazard
talosVersion: v1.4.5
kubernetesVersion: v1.27.3
endpoint: "https://c.${DNS_CLUSTER}:6443"
allowSchedulingOnMasters: true
dnsDomain: cluster.local
cniConfig:
name: none
clusterPodNets:
- "${IP_POD_CIDR_V4}"
clusterSvcNets:
- "${IP_SVC_CIDR_V4}"
additionalApiServerCertSans:
- "${IP_CLUSTER_VIP}"
- "${IP_ROUTER_VLAN_K8S}"
- "c.${DNS_CLUSTER}"
additionalMachineCertSans:
- "${IP_CLUSTER_VIP}"
- "${IP_ROUTER_VLAN_K8S}"
- "c.${DNS_CLUSTER}"
nodes:
- hostname: "thunderscreech.${DNS_CLUSTER}"
ipAddress: "${IP_ROUTER_VLAN_K8S_PREFIX}1"
controlPlane: true
installDisk: /dev/vda
nodeLabels:
node-restriction.kubernetes.io/nodeType: main
nodes.home.arpa/type: stable
nameservers:
- "${IP_HOME_DNS}"
disableSearchDomain: true
networkInterfaces:
- interface: eth0
mtu: 1500
dhcp: false
addresses:
- "${IP_ROUTER_VLAN_K8S_PREFIX}1/28"
routes:
- network: "${IP_ROUTER_VLAN_K8S_CIDR}"
metric: 1
- network: 0.0.0.0/0
gateway: "${IP_ROUTER_VLAN_K8S}"
vip:
ip: "${IP_CLUSTER_VIP}"
- interface: eth1
mtu: 9000
dncp: false
addresses:
- "${IP_PVE_CEPH_PREFIX}4/29"
routes:
- network: "${IP_PVE_CEPH_CIDR}"
metric: 1
- hostname: "humming.${DNS_CLUSTER}"
ipAddress: "${IP_ROUTER_VLAN_K8S_PREFIX}2"
controlPlane: true
installDisk: /dev/vda
nodeLabels:
node-restriction.kubernetes.io/nodeType: main
nodes.home.arpa/type: stable
nameservers:
- "${IP_HOME_DNS}"
disableSearchDomain: true
networkInterfaces:
- interface: eth0
mtu: 1500
dhcp: false
addresses:
- "${IP_ROUTER_VLAN_K8S_PREFIX}2/28"
routes:
- network: "${IP_ROUTER_VLAN_K8S_CIDR}"
metric: 1
- network: 0.0.0.0/0
gateway: "${IP_ROUTER_VLAN_K8S}"
vip:
ip: "${IP_CLUSTER_VIP}"
- interface: eth1
mtu: 9000
dncp: false
addresses:
- "${IP_PVE_CEPH_PREFIX}5/29"
routes:
- network: "${IP_PVE_CEPH_CIDR}"
metric: 1
patches:
# required for Talos to initialize i915 VFIO devices
- |-
machine:
install:
extensions:
- image: ghcr.io/siderolabs/i915-ucode:20230310
- hostname: "strato.${DNS_CLUSTER}"
ipAddress: "${IP_ROUTER_VLAN_K8S_PREFIX}3"
controlPlane: true
installDisk: /dev/vda
nodeLabels:
node-restriction.kubernetes.io/nodeType: main
nodes.home.arpa/type: unstable
nameservers:
- "${IP_HOME_DNS}"
disableSearchDomain: true
networkInterfaces:
- interface: eth0
mtu: 1500
dhcp: false
addresses:
- "${IP_ROUTER_VLAN_K8S_PREFIX}3/28"
routes:
- network: "${IP_ROUTER_VLAN_K8S_CIDR}"
metric: 1
- network: 0.0.0.0/0
gateway: "${IP_ROUTER_VLAN_K8S}"
vip:
ip: "${IP_CLUSTER_VIP}"
- interface: eth1
mtu: 9000
dncp: false
addresses:
- "${IP_PVE_CEPH_PREFIX}6/29"
routes:
- network: "${IP_PVE_CEPH_CIDR}"
metric: 1
controlPlane:
patches:
- |-
- op: add
path: /machine/kubelet/extraArgs
value:
feature-gates: CronJobTimeZone=true,GracefulNodeShutdown=true,MixedProtocolLBService=true,EphemeralContainers=true,ServerSideApply=true
- |-
- op: add
path: /cluster/apiServer/extraArgs
value:
feature-gates: CronJobTimeZone=true,GracefulNodeShutdown=true,MixedProtocolLBService=true,EphemeralContainers=true,ServerSideApply=true
# - |-
# - op: add
# path: /cluster/controllerManager/extraArgs
# value:
# node-cidr-mask-size: 22
- |-
machine:
install:
wipe: true
network:
extraHostEntries:
- ip: "${IP_CLUSTER_VIP}"
aliases:
- "c.${DNS_CLUSTER}"
time:
disabled: false
servers:
- "${IP_ROUTER_VLAN_K8S}"
- "${IP_ROUTER_LAN}"
bootTimeout: 2m0s
kubelet:
nodeIP:
validSubnets:
- "${IP_ROUTER_VLAN_K8S_CIDR}"
- |-
cluster:
allowSchedulingOnMasters: true
discovery:
enabled: true
registries:
kubernetes:
disabled: false
service:
disabled: true
proxy:
disabled: true
etcd:
advertisedSubnets:
- "${IP_ROUTER_VLAN_K8S_CIDR}"
worker:
patches:
- |-
- op: add
path: /machine/kubelet/extraArgs
value:
feature-gates: CronJobTimeZone=true,GracefulNodeShutdown=true,MixedProtocolLBService=true,EphemeralContainers=true,ServerSideApply=true
# - |-
# - op: add
# path: /cluster/controllerManager/extraArgs
# value:
# node-cidr-mask-size: 22
- |-
machine:
install:
wipe: true
network:
extraHostEntries:
- ip: "${IP_CLUSTER_VIP}"
aliases:
- "c.${DNS_CLUSTER}"
time:
disabled: false
servers:
- "${IP_ROUTER_VLAN_K8S}"
- "${IP_ROUTER_LAN}"
bootTimeout: 2m0s
- |-
cluster:
allowSchedulingOnMasters: true
discovery:
enabled: true
registries:
kubernetes:
disabled: false
service:
disabled: true
proxy:
disabled: true
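Review bot: The `eth1` entries of all three nodes spell the key `dncp: false` where `eth0` uses `dhcp: false`, so the storage interface never gets the intended setting. Depending on how the generator treats unknown keys, this is either rejected or silently ignored. Change the three lines to `dhcp: false`. Separately, the `feature-gates` strings name `EphemeralContainers` alongside `kubernetesVersion: v1.27.3`. I believe that gate was removed after the feature went GA, and an unrecognized gate stops the kubelet or API server from starting, so the list is worth checking against that version.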


@@ -0,0 +1,45 @@
cluster:
id: ENC[AES256_GCM,data:AWW6l4Zq4o9cmu7ZgWuhtv1u5+Rh3JtSQa75SIEOll7Wsj0yXce1t7k12GE=,iv:HV/zbB2EJpf5mtq27o870P8FbIMHKPYuB2LK7KlGyag=,tag:Yt3oSvYPPknkqdyEZ6w0Mw==,type:str]
secret: ENC[AES256_GCM,data:csdjYHizHtfUss0KVwxhue8P4oyYJTuAvC799t3xgrj6seR9gENH0SYR53k=,iv:TSWgOe2jpHNqesdvWBDjsnlIby8GVBflSNBPgPe1vME=,tag:XlHgOJSMPZNFhnkTTmc/5A==,type:str]
secrets:
bootstraptoken: ENC[AES256_GCM,data:NIo5x7/wbYwxGabMFXqjR68lb0gHQ00=,iv:ARs+532azj8VHxeoDQLW5xWEJAKhHcpZHB49XzJyL/0=,tag:l+bN780+0SjGsgv/qi9NTQ==,type:str]
secretboxencryptionsecret: ENC[AES256_GCM,data:YtbU4u7OjiEe+OE+jDNgOazSKLX4d0Dy7vHD2rFHAkX00PsP94ubtyohBH8=,iv:0qQ9tAkp1mEaCWjtAoK3aSOMm1ULQJzFqSUxmA8REeo=,tag:1RdI/WpmQlswngsJCumnKQ==,type:str]
trustdinfo:
token: ENC[AES256_GCM,data:BSuaFOLFN0U/GQ/fiia6N8FtdPPNUZA=,iv:4eZuVSWkH1znkoAtlY0dDnQUhtiAUFIMi5TJYCI8Go4=,tag:L9kmiiVwO4z9piTgkwfoMQ==,type:str]
certs:
etcd:
crt: ENC[AES256_GCM,data:sQN2wc5+YtIa4y45Qz02+Ry0rR/H9hbFNsUxWo6Az0f3dfw9udRue7esgAtsafrYl6yObAkjbra2mj54wntDCimji8gZMjmGXVmotM9FAAu2XkG0S7A1kR7ovZvp/j+p29TAQJwm2srLAXjdCOfhNMr2kNbI7XBWow3LtxfiiP+G2yn4I0xDqZF7eNRqK+b6aaEI0XLixj/G6Ajsq89U6mXgT5PfdrsbKtd9TpR/iYuFeKPIY86e1ghk1LZle1SxFByRDUKujYfLMotoOCbGYcIQgdrc7Tf3ylQyW2C2Q6dkJrYifsi/fs+6dbIS7o5GWccG2FJIr9GF4JW8HMZ6NU1HUncoGWMzBNfTRtZLEbu4XVGSaLA9KotLPuevWFjy8g4/9rVvZwjHmSrmSG/dAeKm/3/MAi/sLRbo3chsJk9gDWAqXAhsyH2gadInXw/o66k6NDFD6VBI1gfgp14/ylqbnYW5OlULJ+xYufIymJLVcKcuQELG5Emcyc92pDq25poK3g2MgOQcZu6rVNxmHvfKJpOnW6blAcZUeATGlppEAS5Iv5NLHsa5lHWQK7eSTzXer/L/3RXt5Mx93JWcBKZrK94eARZLF0Dp0qinZpSlcRmPmjaqlbCvNgM8/zPD27vzKudCWQoAw2GEx72Hilh99dCw/3uyzgQA3trnL2op07QWQf4y0qVUvPDH6wGjMmfMeLHbXIvtC80BV0VWemEDobUK+0vSxOWz69APZRXDcivB0XeVvZ5bhsYtVq8S10qEnYV5kEjY8WuhWMH/Cn/Mt0LhO2WOIRjcKOUQ5jV3C3WlbHhIboLAnoaJlXnAMr4IQveiUFN2ieobHT9oK5XZKhruIHW3StzoP7QH1H8Ec+F9B4/WI6p6C7Pv4TjWl+7x0z6F+quAR5cQy3+udxY9H4cRSAJTmb3b3MUZRs0IlY1ennggas+Wex/qiX4PyN93I1FAAcYtNdFLGeQrJQXcwEQaWXk1ZjO8GXMexe80ga9+FfdO2S7bAoL6seM+0N3rjQ==,iv:n5+hhUBZ9d6wrCEI6WorZmYS+ALX6FF8lbV9RJrWz78=,tag:TxgRSw4ZxmGNzFApiPvPgg==,type:str]
key: ENC[AES256_GCM,data:mgsZvF9lBLqAVEg6mutF+u2aY1JMqnclTAHFuSGu7m27XIoA8PcpkvXvCxKmPaBc6jMarQBZ2j0y1YN8KFqWQw4dKQmNkzRH8c9T33Na/zoD0Q71DXdmiYw4/boly8vAvfIIKUfTlMGA94IjkuAABK6xqTjDORNCvhl8PglwTL+Wz2CEBG6LG8jaq3/6JDHJON1tuT4w7CRKq9GyvDr7hm/zXsj7y8nH+79j89D3lxFs0CdBamZZNllt/s5PKzKLl9pu+RuvzkCorozKB+LYIvbLkbc9tT559H0yQwD6dFxFodcuYvLixvUlmHPd2+8m6LARMEqTNvFuPWCp9j+4EVMsdIekkPxh0sWbE5EoZR8n2Mqct7ft0anxROQEQXhJdQnnCQXbdAApFWj/QNCYIA==,iv:h+TPclqdI+ed9+9/puBu/kOI0qVS+mtAI43sHbJB4G0=,tag:w1WsXZLGaMszbNVhH60+PA==,type:str]
k8s:
crt: ENC[AES256_GCM,data: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,iv:RKmJsWoVKt/krl4wzHfAluqhSZ+0w+44NqPjWf1CmAw=,tag:UywGABmGbyz9DqXknYg01g==,type:str]
key: ENC[AES256_GCM,data:KxS1No/FIdEr8qr+DYmcIXDU2Hlo1WJOQbnPVblpVMui79752fn3CM7pMwCzVAX2jnTFsgPiKavTAG+wxZ7b148hrCHDaO1X+ISIo29cUbp2zOXrITSabaVvT30LlsmEjDG87apuSjl9VOo209OfIQDy6T73I7277WWNRZseeb0B9RXBHYYwsoJNPtnluDuJlyXjLbJgKIBChpQaydBAxJ8XcwAU36RoAWIr6+GPkEaOO7Md+JKrPG/VZpbwWIXZpLIPFshIEAB52DfgKbIKR2VwyZRe2qEBbH2SWqQLuLUETHj7USEXP3++Xm6uSdcWHqzjo8Cra1cTM59dQ0buIh8O+Ivin/NCcLIXO7+3CKHmxdCAWWUzXWUxx38NHnsw/fa1+csF/tkvK6kjoAzPHQ==,iv:B8lZKqLfl7cbUAyiW2+9RDWR+wZEUR/2bTgPEekpRp8=,tag:TMfZGCUqztTrO5cTGHhfsQ==,type:str]
k8saggregator:
crt: ENC[AES256_GCM,data:Ie4e5xP+WeoZ1s2yBcNm2BrjtlL/wlzc50I+/bHtfS3rMbnJWHUJfrZf+KL9Ouy7zwZI+bNACPWjVx1lygeUlp3h2U1wqBNx3iF8KjF6iKJd23zt9PunIR6CcgtyLqggeRc4f6OZKKU2nKoUN8p+JEnMP817isyNncBYSQtMp7KcSOYNfVXcknFY/cKzkhA6/pXKrQiwCl4ozaF+2wozSDQuRtz6ZJ7Zzhs3zF8x1efRxp0uzFhGft205SfcyGfeaib8z2UfcsZfOFCKAj+w7uCkrde0YjP61f7jOsunWIq5mpTJDLnTZw6GKe5VHbgfGRaUwlClqg7IQQbVMMld7hOzLxFR1q3vF11G5XH4YZfwqvSlWCNzQqs2ip4u8dFQvstMrU4umn59GRcMKuLZk3lbUdFSS1zzV/vuC3CC9Xm82E68ikuPwSMSvD69rs1lrvhNaUH1rRarxHRSA6PoM/qAbBN3Y8SV8S4QcYEY7rvsE1yBLco87cHlYG85UZSqU1WJrTXJaE5y+yOFFbGBY0kHHoYIOOIck3KIiSkW7aoQDpYFjLlCOsSQEmo90orDhRvvXZDAWZrYqup9f4HUbBW6QHYYZtPIbTekYwyffBHOB5zKyuJJoHz9IgmjjIN0n52yo+98mTwdPvlUe6HJ+jxyDg9aoKI6yDnWBNNEyT1tgajDSWwfh5+jXgROEMD20PbXvp60X5O789C0Vo2aJesnSGVHXjDzuO9aoXkOGanrbZCIw/p+JKg3KfQMzOy+uV1AZ52lOwPnfbVbBzIrs2PZjltQLCety6VNLm5tKOhphhj9C6hMTM6ZIujHenf6qCah5W2nv9jhqltokQx8Xs+XvjIL5ZNkn/26r/wZe4pNQCfdCg6ROKDRVs1x0MXu15NTDypB+w4de36KqIroBnp/8+iDyq65EbV0gUSdrBiwZm78KUcexckHxURJMahB,iv:sqwv+PsbLYDaiRVYPuTmkjIy+Vg4QSmrn/Bpb+byAaU=,tag:9BfVsNU2StmjMIg/HXDLPA==,type:str]
key: ENC[AES256_GCM,data:j7kUBNHQJgedBxJ32RFqfGfr4zdCZn1gU7cIv4sqaaQRHt5U6iQCIv1PY8pvy5+NyOJJC8rrCetoUpeFLohsQgWzCXmXNJglw81cT2cUy8wWwJLG2EdMFaf3NGBn7u4H7VWWooOu2fNlnrTSf8nxDURIWRJKhg1rX+MLIsOZAPUt1y3tuV7YItSsOLaiNdblA8MVloWZqFeFFS/EJ6TFNFO0msbIBQvHLuJaMlzCnpJMTNONHkMsixOIkJUsZQWCCggTnPuZHuE36r7O1dLYwjmRU+y//rj6TEJl6xeepu6UT58qGCbbI1qCFDJomQJWAEJjcSqRz8WMlQpkYBlUamuVKJSEx1CcEC0Lx6OL25R6Eb6Bm/rXmZ69JuSb1RFQi+p1dD2gtOEpWnl/DtJGgw==,iv:GW8smVoDuQU3yxUzkSidoLBB6b0V/0w7EciTdlRCB+Q=,tag:cO7QkC6mg+1dTYNRROnEvg==,type:str]
k8sserviceaccount:
key: ENC[AES256_GCM,data:4q6+DmYqytRp/spZKuxhBYl6LYrBsriZVo4807psBHZm/2OOcVnI58Palbpve9O+zSUl4fho2EqdP4rk+nQnbu+3P0u94QNxP9epzmhuLmdjskCKYn5P0993pXiruF8hiBTmMWbIYhR5crqPbKgjrjlBhgao1qr0i1BA3FxegDLPN+ehhQlcL9vNs5K6OqMdyh46nPNm+vTTemfcI6wdYuBYkrmMFy/g/3LyfJXvSwB6s8GGj230YZ5SAt3Kb0Gmn9O9IA+20bjdFc3lxuPtlDdlck+V4C9hjORnE8FDOFWPgtB+LdmO0c0Kp1j40x5CIY2aEQOx82hhvcQMBZ0oA2GkjKHrizgodSd0jchTbqDSe4qa8avrB5/mxM2fHDO74Q3XYZpcd0l+UZJo54bqfw==,iv:1Whh5UTUlbK7gctkpGQOs3IKxrcP1NOxtK75UQovpl0=,tag:P8PRlPQzzaCiL06BoRVHlQ==,type:str]
os:
crt: ENC[AES256_GCM,data:7/u5Q6Xjw8BnwAIh7JeZgWTvxHrLGBQxAjii5gr4B1JPIsGFagSXSxO7z/Ii9pL+YrWbVBDudG1UrAhmYfJbzMm28oi9V25AdkQ//vsTvG0Z+2kmLqdClFCN+Koc0DGidCD1f8+snOWHibwK82N5LK2m6D33yK7dXUkg4/XRAa+wGxR6GgHZPrleiesji4/hFbK4ZWbb+kHnYi8hBoqh2xkY4qSuEtfzZPHzO6PMsNDKtxA6xcH0I9k4ZoN69YYXxZkZGr3U+6agb/esuzTMprPLFmT3SBcgjJ97eogBqNQO2ME3DFmHchvqlX3EVV7OZONLHHwOf+E3U4spV06DnsNMxN7siraxyzEDkzy9VDHxEwM6A1gWDByofROoMStSuKXX2y/DdkWTK5YAadSaV6dFAiEk8zwR+cQGX5d51TCUTxg5VIubgQsNiJdhEGcLhFbDTAk9uUUkPatE9TRCDyljuVH4snFIyw2Sic0w/zcPs6+Ofn3yn4D75VtMnWsQTUtrdfYmrV0RmkeVr4yGpi/hM+mnz0SH90SResaQUClr3HQwkyR8KTyTi3vjVtaN63a4FDt1cPNY7kTTSjsq1ITjKqRwLTuHd7t0TGVYZcUvtWMqmXjZaZSNnCmU2TcOTkeS/Ge0qzR/Wg14sIwxD8HIqMoqnFiE80s94D0DZQ1cYeIF+fB3zT10bTUfOj77GSDCyop2eHRc8V/oAoe83aihx5vPW9n0EPoB+59UzjswploW5+mnS7AbDyNkZ5XLC/58RdlwgzXL3BzER75MwyDPocM3k1f7mSlcfY4hU7u9H35MiJGU/AcuaR20/r6It4Ycg69g+Go3CAgbr3U2u0VCzKzCCYoGTN8i2EcedyoLr6h5,iv:T+HYunjm/5OZ7r15u7/QwRsNOB/ZAOTJ18QBXoqgqdM=,tag:SSzv5IunkgiYpqCNuxtyTA==,type:str]
key: ENC[AES256_GCM,data:tQ92q4vh0XNWYMk2cL0gV6BZhcesRiPUmWIoPXRDKVHUsG8gaAxXDNRFApN/7q5BxYSllAy7/Du9RW6Ap0luFQpaRvrZF6jk5mwRedXBzpGtbAkDyrPQm9OBa/v34uZCw5zcqTB5wPiLYaJMmdUDXjd747V5wQBgBzbS5JpOIJXYRj7ZPbEyWdHHDeiwE02+teb25CNHfcRZSDLeSaeWfVoGS7qhIKMblDcf6dp0QMUKxA6e,iv:xnWvidkOS3y38cOSvn2AOU2Ndj5pJIQ3tHLkRkXc+is=,tag:FNZV033ea77ku2HBIIv3/Q==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2023-01-27T22:22:26Z"
mac: ENC[AES256_GCM,data:ki34oHeKj6Pj5iLQttO6Mc4kHsPgowLBfo6L9xQ7HBGYFpzS3dQbVSk2veJAeI3g4C5ixak6RiCtnwokUsm8+Ay48lIFFnaiUNq5jyiyp1u3xkFCCTsWE9ZDorFKeX+XrgzttyIxxMCP6z+k2f9r6qB/9aLCpZtBfvQBZrz+lP0=,iv:lIhMBTAfykz6+BthhsTyPynIPkBw0jPNP1M2nyJrXAw=,tag:fVMpz2UGYP8LL7isCyrrWg==,type:str]
pgp:
- created_at: "2023-01-27T22:22:25Z"
enc: |
-----BEGIN PGP MESSAGE-----
hF4DAAAAAAAAAAASAQdAa6eYQ3sdOzCP/XGmuq+KANM5eVi57M4nnVmj2cDZ3iIw
PBdPbh6EYRDhpxzwmWPxEzq+mJAHJGmRs51N5qjeuXaI6pk/J6maZ1b2LI3E+YMX
0l4B6beXkzBIG8QU3RDL4h2+zilMO8E4viChKB+gpT8sHybz7BRysf5iyuJi2PCG
a4yC+6dhWjWXBjoEehcXcTnINXyKQMKW7Termn0nrl+u5A4eL4BimagMMFWYFCqu
=JxEq
-----END PGP MESSAGE-----
fp: 31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2
unencrypted_suffix: _unencrypted
version: 3.7.3
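Review bot: The `sops` block here has `age: []` and a single PGP fingerprint, whereas the two env files in this commit also list an age recipient. For a file holding the etcd, Kubernetes and OS CA keys that is arguably the right scope. The age key that Flux presumably uses in-cluster (the `biohazard-secrets-decrypt-sops-age` secret referenced in the decryption patch) then cannot open the cluster's own root keys, but nothing visible says this is deliberate. I would pin it with a creation rule for this path in `.sops.yaml`, with a comment such as `# Talos PKI: PGP only, the in-cluster age key must not decrypt this`, so a later `sops updatekeys` does not widen access by accident.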


@@ -1,5 +1,5 @@
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: atuin-app
@@ -7,7 +7,7 @@ metadata:
labels:
wait.flux.home.arpa/disabled: "true"
spec:
path: ./kube/3-deploy/2-apps/atuin/app
path: ./kube/deploy/apps/atuin/app
dependsOn:
- name: ${CLUSTER_NAME_LOWER}-1-core-05-ingress-nginx
- name: 1-core-ingress-nginx-app
- name: 1-core-db-pg-clusters-default


@@ -1,28 +1,11 @@
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: authentik-remote-cluster
namespace: flux-system
spec:
path: ./kube/3-deploy/2-apps/authentik/remote-cluster
dependsOn:
- name: authentik-deps
- name: ${CLUSTER_NAME_LOWER}-1-core-04-dns-internal
- name: ${CLUSTER_NAME_LOWER}-1-core-05-ingress-nginx
healthChecks:
- name: remote-cluster
namespace: authentik
kind: HelmRelease
apiVersion: helm.toolkit.fluxcd.io/v2beta1
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: authentik-db
namespace: flux-system
spec:
path: ./kube/3-deploy/1-core/db/pg/clusters/template
path: ./kube/deploy/core/db/pg/clusters/template
dependsOn:
- name: 1-core-db-pg-app
postBuild:
@@ -47,25 +30,24 @@ spec:
kind: Cluster
apiVersion: postgresql.cnpg.io/v1
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: authentik-redis
namespace: flux-system
spec:
path: ./kube/3-deploy/2-apps/authentik/redis
path: ./kube/deploy/apps/authentik/redis
dependsOn: []
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: authentik-app
namespace: flux-system
spec:
path: ./kube/3-deploy/2-apps/authentik/app
path: ./kube/deploy/apps/authentik/app
dependsOn:
- name: ${CLUSTER_NAME_LOWER}-1-core-04-dns-internal
- name: ${CLUSTER_NAME_LOWER}-1-core-05-ingress-nginx
- name: 1-core-ingress-nginx-app
- name: authentik-redis
- name: authentik-db
healthChecks:
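Review bot: The `dependsOn` list of authentik-app appears to lose its internal-DNS entry (`${CLUSTER_NAME_LOWER}-1-core-04-dns-internal`) without a renamed counterpart, while the ingress entry is replaced by `1-core-ingress-nginx-app`; the +/- markers are lost on this page, so this is read from the hunk's line counts. If authentik still needs internal DNS before it reconciles, add the renamed Kustomization back to the list; if the drop is intentional, a one-line comment above `dependsOn` would record that. The spec continues past the end of the hunk at `healthChecks:`.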


@@ -0,0 +1,10 @@
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: default-deps
namespace: flux-system
spec:
path: ./kube/deploy/apps/default/deps
dependsOn:
- name: 1-core-tls-cert-manager-config
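Review bot: The spec of this new Kustomization sets only `path` and `dependsOn`, while `kustomize.toolkit.fluxcd.io/v1` marks `sourceRef`, `interval` and `prune` as required, so the object is only valid if something outside this file injects them. Presumably a parent Kustomization patches those defaults in; if so, say it at the top of the file, e.g. `# sourceRef, interval and prune are patched in by the parent Kustomization`. The same applies to the new dns-dnsdist-app and elk-app files below. Because `prune` decides whether objects dropped from Git are deleted from the cluster, its effective value should be easy to find from here, especially in a commit that moves paths and renames Kustomizations.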


@@ -0,0 +1,9 @@
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: dns-dnsdist-app
namespace: flux-system
spec:
path: ./kube/deploy/apps/dns/dnsdist/app
dependsOn: []


@@ -0,0 +1,14 @@
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: elk-app
namespace: flux-system
labels:
wait.flux.home.arpa/disabled: "true"
spec:
path: ./kube/deploy/apps/elk/app
dependsOn:
- name: 1-core-storage-rook-ceph-cluster
- name: 1-core-ingress-nginx-app
- name: 1-core-storage-volsync-app
