From 025995daaa9da706dee8292bc8eb4014dbc0ab59 Mon Sep 17 00:00:00 2001 
From: JJGadgets Date: Mon, 26 Jun 2023 23:58:22 +0800 Subject: [PATCH] feat!: organize repo cleaning up after myself, after 4 months of accumulated mess lmao --- kube/1-clusters/Biohazard/1-talos/cilium.yaml | 508 ------------------ .../Biohazard/2-config/3-secrets.yaml | 179 ------ .../1-clusters/Biohazard/2-config/4-vars.yaml | 140 ----- .../Biohazard/2-config/5-deploy.yaml | 452 ---------------- .../2-config/ceph-rgw-ext-users.yaml | 9 - .../Biohazard/2-config/kustomization.yaml | 245 --------- kube/2-bootstrap/flux/kustomization.yaml | 16 - kube/3-deploy/1-core/01-networking/.sops.yaml | 7 - .../1-core/01-networking/2-aws-lb.yaml | 59 -- .../rook-ceph/snapshot-controller/rbac.yaml | 73 --- .../snapshot-controller/statefulset.yaml | 25 - kube/3-deploy/1-core/04-dns/.sops.yaml | 7 - .../1-core/04-dns/external/kustomization.yaml | 7 - kube/3-deploy/1-core/05-ingress/.sops.yaml | 7 - .../1-core/05-ingress/1-namespace.yaml | 12 - .../1-core/05-ingress/cloudflare/ks.yaml | 24 - .../05-ingress/external-proxy-x/ks.yaml | 14 - .../1-core/05-ingress/external/install.yaml | 82 --- .../1-core/05-ingress/kustomization.yaml | 8 - .../1-deps/app/kustomization.yaml | 6 - .../1-core/06-monitoring/1-deps/ks.yaml | 9 - .../metrics-server/kustomization.yaml | 6 - .../06-monitoring/node-exporter/ks.yaml | 19 - .../victoria/1-crds/install.yaml | 72 --- .../kustomization.yaml | 7 - .../kustomization.yaml | 7 - kube/3-deploy/2-apps/authentik/app/svc.yaml | 28 - kube/3-deploy/2-apps/default/ks.yaml | 10 - kube/3-deploy/2-apps/elk/ks.yaml | 14 - kube/3-deploy/2-apps/excalidraw/ks.yaml | 27 - .../2-apps/external/authentik/install.yaml | 51 -- .../external/matrix-synapse/install.yaml | 99 ---- kube/3-deploy/2-apps/flux-system/ks.yaml | 12 - kube/3-deploy/2-apps/gokapi/.sops.yaml | 7 - .../3-deploy/2-apps/gokapi/kustomization.yaml | 6 - kube/3-deploy/2-apps/hugo-test/.sops.yaml | 7 - .../2-apps/hugo-test/1-namespace.yaml | 5 - kube/3-deploy/2-apps/hugo-test/3-install.yaml | 74 --- 
.../2-apps/hugo-test/4-cloudflared.yaml | 54 -- .../2-apps/hugo-test/kustomization.yaml | 8 - kube/3-deploy/2-apps/kanidm/ks.yaml | 29 - .../3-deploy/2-apps/kavita/kustomization.yaml | 8 - .../kubevirt/2-install/kustomization.yaml | 6 - .../2-apps/kubevirt/kustomization.yaml | 6 - .../2-apps/minecraft/kustomization.yaml | 8 - kube/3-deploy/2-apps/ntfy/ks.yaml | 18 - kube/3-deploy/2-apps/satisfactory/ks.yaml | 17 - kube/3-deploy/2-apps/test.yaml | 7 - .../2-apps/velociraptor/app/config.sops.yaml | 41 -- kube/3-deploy/2-apps/velociraptor/ks.yaml | 18 - .../2-apps/volsync/kustomization.yaml | 7 - kube/3-deploy/2-apps/whoogle/.sops.yaml | 7 - .../2-apps/whoogle/kustomization.yaml | 6 - kube/3-deploy/2-apps/zerotier/.sops.yaml | 7 - .../3-deploy/2-apps/zerotier/1-namespace.yaml | 12 - kube/3-deploy/2-apps/zerotier/2-certs.yaml | 45 -- kube/3-deploy/2-apps/zerotier/3-pvc.yaml | 12 - .../2-apps/zerotier/4-controller.yaml | 85 --- kube/3-deploy/2-apps/zerotier/5-ui.yaml | 62 --- .../2-apps/zerotier/kustomization.yaml | 9 - kube/3-deploy/2-apps/zipline/ks.yaml | 18 - kube/bootstrap/flux/kustomization.yaml | 5 + .../biohazard/config/secrets.sops.env | 11 +- kube/clusters/biohazard/config/vars.sops.env | 24 +- .../biohazard/flux/flux-install.yaml} | 9 +- .../biohazard/flux/flux-repo.yaml} | 60 +-- .../biohazard/flux/kustomization.yaml | 69 ++- kube/clusters/biohazard/talos/talconfig.yaml | 222 ++++++++ .../biohazard/talos/talsecret.sops.yaml | 45 ++ .../2-apps => deploy/apps}/README.md | 0 .../2-apps => deploy/apps}/atuin/app/hr.yaml | 0 .../apps}/atuin/app/secret.yaml | 0 .../2-apps => deploy/apps}/atuin/ks.yaml | 6 +- .../apps}/atuin/kustomization.yaml | 0 .../2-apps => deploy/apps}/atuin/ns.yaml | 0 .../apps}/authentik/app/hr.yaml | 0 .../apps}/authentik/app/netpol.yaml | 0 .../apps}/authentik/app/pg-superuser.yaml | 0 .../apps}/authentik/app/tls.yaml | 0 .../2-apps => deploy/apps}/authentik/ks.yaml | 32 +- .../apps/authentik}/kustomization.yaml | 0 .../2-apps => 
deploy/apps}/authentik/ns.yaml | 0 .../apps}/authentik/redis/hr.yaml | 0 .../apps}/authentik/redis/secret-redis.yaml | 0 .../apps}/authentik/remote-cluster/hr.yaml | 0 .../apps}/authentik/repo.yaml | 0 .../apps}/default/deps/namespace.yaml | 0 .../apps}/default/deps/tls.yaml | 0 kube/deploy/apps/default/ks.yaml | 10 + .../apps/default}/kustomization.yaml | 0 .../2-apps => deploy/apps}/dns/README.org | 0 .../apps/dns/dnsdist/app/hr.yaml} | 0 kube/deploy/apps/dns/dnsdist/ks.yaml | 9 + .../apps/dns/dnsdist}/kustomization.yaml | 0 .../2-apps => deploy/apps}/elk/app/hr.yaml | 0 .../2-apps => deploy/apps}/elk/app/pvc.yaml | 0 .../apps}/elk/app/volsync.yaml | 0 kube/deploy/apps/elk/ks.yaml | 14 + .../apps/elk}/kustomization.yaml | 0 .../apps}/excalidraw/app/hr.yaml | 0 .../apps}/excalidraw/deps/namespace.yaml | 0 kube/deploy/apps/excalidraw/ks.yaml | 26 + .../apps/excalidraw}/kustomization.yaml | 0 kube/deploy/apps/flux-system/ks.yaml | 12 + .../apps/flux-system}/kustomization.yaml | 0 .../apps}/flux-system/webhook/ingress.yaml | 0 .../apps}/flux-system/webhook/receiver.yaml | 0 .../flux-system/webhook/secret-token.yaml | 0 .../apps/gokapi/app/hr.yaml} | 10 +- .../apps/gokapi/app}/netpol.yaml | 0 kube/deploy/apps/gokapi/ks.yaml | 11 + .../apps/gokapi}/kustomization.yaml | 0 .../apps/gokapi/ns.yaml} | 0 .../apps}/gotosocial/app/hr.yaml | 4 +- .../apps}/gotosocial/deps/nfs.yaml | 0 .../apps}/gotosocial/deps/s3.yaml | 2 +- .../apps}/gotosocial/deps/secret-oidc.yaml | 0 .../apps}/gotosocial/deps/secret-pg.yaml | 0 .../apps}/gotosocial/deps/tls.yaml | 0 .../2-apps => deploy/apps}/gotosocial/ks.yaml | 15 +- .../apps/gotosocial}/kustomization.yaml | 0 .../2-apps => deploy/apps}/gotosocial/ns.yaml | 0 .../apps}/headscale/app/hr.yaml | 0 .../apps}/headscale/app/netpol.yaml | 0 .../apps}/headscale/app/secrets.yaml | 0 .../apps}/headscale/app/tls.yaml | 0 .../2-apps => deploy/apps}/headscale/ks.yaml | 7 +- .../apps/headscale}/kustomization.yaml | 0 .../2-apps => 
deploy/apps}/headscale/ns.yaml | 0 .../apps/jellyfin/app/_nfs.yaml} | 0 .../apps/jellyfin/app/hr.yaml} | 11 +- .../apps/jellyfin}/app/kustomization.yaml | 7 +- .../apps/jellyfin/app}/volsync.yaml | 0 kube/deploy/apps/jellyfin/ks.yaml | 13 + .../apps/jellyfin}/kustomization.yaml | 0 .../apps/jellyfin/ns.yaml} | 0 .../2-apps => deploy/apps}/kah/deps/tls.yaml | 0 .../apps}/kah/inspircd/hr.yaml | 0 .../apps}/kah/inspircd/netpol.yaml | 0 .../2-apps => deploy/apps}/kah/ks.yaml | 12 +- .../apps/kah}/kustomization.yaml | 0 .../2-apps => deploy/apps}/kah/ns.yaml | 0 .../2-apps => deploy/apps}/kanidm/app/hr.yaml | 5 +- .../apps}/kanidm/app/netpol.yaml | 0 .../apps}/kanidm/app/volsync.yaml | 0 .../apps}/kanidm/deps/namespace.yaml | 0 .../apps}/kanidm/deps/tls.yaml | 0 kube/deploy/apps/kanidm/ks.yaml | 28 + .../apps/kanidm}/kustomization.yaml | 0 .../apps/kavita/app/_nfs.yaml} | 0 .../apps/kavita/app/hr.yaml} | 11 +- .../apps/kavita/app}/kustomization.yaml | 6 +- .../apps/kavita/app}/volsync.yaml | 0 kube/deploy/apps/kavita/ks.yaml | 11 + .../apps/kavita}/kustomization.yaml | 0 .../apps/kavita/ns.yaml} | 0 .../apps/kubevirt/cr.yaml} | 4 +- .../apps/kubevirt}/kustomization.yaml | 5 +- kube/deploy/apps/kubevirt/netpol.yaml | 22 + .../apps/kubevirt/operator.yaml} | 4 +- kube/deploy/apps/livestream/ks.yaml | 4 +- kube/deploy/apps/livestream/oven/ks.yaml | 6 +- .../apps/minecraft/app/hr.yaml} | 4 +- kube/deploy/apps/minecraft/app/netpol.yaml | 35 ++ .../apps/minecraft/app}/volsync.yaml | 0 kube/deploy/apps/minecraft/ks.yaml | 11 + .../apps/minecraft}/kustomization.yaml | 5 +- .../apps/minecraft/ns.yaml} | 0 .../apps/minecraft/repo.yaml} | 0 .../apps}/miniflux/app/hr.yaml | 0 .../apps}/miniflux/app/secret.yaml | 0 .../2-apps => deploy/apps}/miniflux/ks.yaml | 6 +- .../apps/miniflux}/kustomization.yaml | 0 .../2-apps => deploy/apps}/miniflux/ns.yaml | 0 .../2-apps => deploy/apps}/ntfy/app/hr.yaml | 16 +- .../apps}/ntfy/app/netpol.yaml | 0 kube/deploy/apps/ntfy/ks.yaml | 17 + 
.../apps/ntfy}/kustomization.yaml | 0 .../2-apps => deploy/apps}/ntfy/ns.yaml | 0 .../apps/sandstorm/app}/config/Engine.ini | 0 .../apps/sandstorm/app}/config/Game.ini | 0 .../apps/sandstorm/app}/config/MapCycle.txt | 0 .../apps/sandstorm/app}/config/Mods.txt | 0 .../apps/sandstorm/app}/config/secrets.yaml | 0 .../apps/sandstorm/app/hr.yaml} | 29 +- .../apps/sandstorm/app}/kustomization.yaml | 4 +- kube/deploy/apps/sandstorm/app/netpol.yaml | 29 + kube/deploy/apps/sandstorm/ks.yaml | 10 + kube/deploy/apps/sandstorm/kustomization.yaml | 6 + .../apps/sandstorm/ns.yaml} | 0 .../apps}/satisfactory/app/hr.yaml | 6 +- .../apps}/satisfactory/app/netpol.yaml | 0 .../apps}/satisfactory/app/volsync.yaml | 0 kube/deploy/apps/satisfactory/ks.yaml | 16 + .../apps/satisfactory}/kustomization.yaml | 1 + .../apps}/satisfactory/ns.yaml | 0 .../apps}/syncthing/deps/kustomization.yaml | 0 .../apps}/syncthing/deps/namespace.yaml | 0 .../2-apps => deploy/apps}/syncthing/ks.yaml | 8 +- .../apps/syncthing}/kustomization.yaml | 0 .../apps}/syncthing/user1/install.yaml | 10 +- .../apps}/syncthing/user1/networkpolicy.yaml | 0 .../apps/syncthing/user1}/volsync.yaml | 20 +- .../apps/tetragon/app/hr.yaml} | 2 + kube/deploy/apps/tetragon/ks.yaml | 10 + .../apps/tetragon}/kustomization.yaml | 2 +- .../apps}/velociraptor/app/.sops.yaml | 0 .../apps/velociraptor/app/config.sops.yaml | 41 ++ .../apps}/velociraptor/app/hr.yaml | 0 .../apps}/velociraptor/app/kustomization.yaml | 0 .../apps}/velociraptor/app/netpol.yaml | 0 kube/deploy/apps/velociraptor/ks.yaml | 17 + .../apps/velociraptor}/kustomization.yaml | 1 + .../apps}/velociraptor/ns.yaml | 0 .../apps/whoogle/app/hr.yaml} | 11 +- .../apps/whoogle/app}/netpol.yaml | 0 kube/deploy/apps/whoogle/ks.yaml | 10 + kube/deploy/apps/whoogle/kustomization.yaml | 6 + .../apps/whoogle/ns.yaml} | 0 .../apps}/zipline/app/hr.yaml | 4 +- .../apps}/zipline/app/s3.yaml | 2 +- .../apps}/zipline/app/secret.yaml | 0 kube/deploy/apps/zipline/ks.yaml | 17 + 
kube/deploy/apps/zipline/kustomization.yaml | 6 + .../2-apps => deploy/apps}/zipline/ns.yaml | 0 .../1-core => deploy/core}/README.md | 0 .../core/_networking}/cilium/README.md | 0 .../cilium/app}/bootstrap-install/README.org | 0 .../app}/bootstrap-install/base-values.yaml | 0 .../cilium/app}/bootstrap-install/install.sh | 2 +- .../app}/bootstrap-install/kustomization.yaml | 0 .../core/_networking/cilium/app/hr.yaml} | 70 --- .../cilium/app}/kustomization.yaml | 5 +- .../cilium/app}/kustomizeconfig.yaml | 0 .../core/_networking/cilium/config/BGP.yaml | 50 ++ .../_networking/cilium/config/LB-IPs.yaml | 19 + kube/deploy/core/_networking/cilium/ks.yaml | 38 ++ .../_networking/cilium/kustomization.yaml | 6 + .../netpols/cluster-default-kube-dns.yaml | 0 .../_networking}/cilium/netpols/flux.yaml | 0 .../cilium/netpols/kube-system-allow-all.yaml | 0 .../cilium/netpols/labelled-allow-egress.yaml | 0 kube/deploy/core/_networking/cilium/repo.yaml | 10 + .../1-core => deploy/core}/db/pg/app/hr.yaml | 0 .../core}/db/pg/app/netpol.yaml | 0 .../core}/db/pg/clusters/default/.sops.yaml | 0 .../core}/db/pg/clusters/default/cluster.yaml | 4 +- .../db/pg/clusters/default/dump-local.yaml | 0 .../db/pg/clusters/default/kustomization.yaml | 0 .../core}/db/pg/clusters/default/netpol.yaml | 4 +- .../core}/db/pg/clusters/default/s3.yaml | 2 +- .../pg/clusters/default/scheduledbackup.yaml | 0 .../pg/clusters/default/superuser.sops.yaml | 0 .../core}/db/pg/clusters/template/.sops.yaml | 0 .../db/pg/clusters/template/cluster.yaml | 4 +- .../db/pg/clusters/template/dump-local.yaml | 0 .../pg/clusters/template/kustomization.yaml | 0 .../core}/db/pg/clusters/template/netpol.yaml | 4 +- .../core}/db/pg/clusters/template/s3.yaml | 2 +- .../pg/clusters/template/scheduledbackup.yaml | 0 .../clusters/template/secret-superuser.yaml | 11 + .../1-core => deploy/core}/db/pg/ks.yaml | 8 +- .../core/db/pg}/kustomization.yaml | 0 .../1-core => deploy/core}/db/pg/ns.yaml | 0 .../1-core => 
deploy/core}/db/pg/repo.yaml | 0 .../core/dns/external-dns/app/hr.yaml} | 0 .../core/dns/external-dns/app/netpol.yaml | 28 + .../core/dns/external-dns/app/secrets.yaml} | 0 kube/deploy/core/dns/external-dns/crds.yaml | 36 ++ kube/deploy/core/dns/external-dns/ks.yaml | 10 + .../core/dns/external-dns/kustomization.yaml | 8 + .../core/dns/external-dns/ns.yaml} | 0 kube/deploy/core/dns/external-dns/repo.yaml | 9 + .../dns/internal/k8s-gateway/app/hr.yaml} | 2 + .../dns/internal/k8s-gateway/app}/netpol.yaml | 0 .../core/dns/internal/k8s-gateway/ks.yaml | 9 + .../internal/k8s-gateway/kustomization.yaml | 6 + .../core/dns/internal/k8s-gateway/repo.yaml | 9 + .../core/dns/internal}/kustomization.yaml | 2 +- .../core/dns/internal/ns.yaml} | 0 kube/deploy/core/hardware/README.md | 1 + .../intel-device-plugins/app/_operator.yaml} | 0 .../intel-device-plugins/app/gpu.yaml} | 0 .../app/talos-intel-gpu-nfd-rule.yaml} | 0 .../hardware/intel-device-plugins/ks.yaml | 10 + .../intel-device-plugins/kustomization.yaml | 6 + .../hardware/intel-device-plugins/repo.yaml} | 0 .../node-feature-discovery/app/hr.yaml} | 0 .../hardware/node-feature-discovery/ks.yaml | 9 + .../node-feature-discovery/kustomization.yaml | 5 + .../node-feature-discovery/repo.yaml} | 0 .../core/ingress/_deps/certs.yaml} | 0 kube/deploy/core/ingress/cloudflare/ks.yaml | 9 + .../ingress/cloudflare/kustomization.yaml | 6 + .../core/ingress/cloudflare/ns.yaml} | 0 .../core/ingress}/cloudflare/tunnel/hr.yaml | 0 .../ingress}/cloudflare/tunnel/netpol.yaml | 0 .../ingress}/cloudflare/tunnel/secret.yaml | 0 .../core/ingress}/external-proxy-x/README.md | 0 .../ingress}/external-proxy-x/app/hr.yaml | 2 + .../core/ingress/external-proxy-x/ks.yaml | 9 + .../external-proxy-x/kustomization.yaml | 6 + .../core/ingress/external-proxy-x/repo.yaml | 9 + .../app/default-backend-ingress.yaml | 50 ++ .../ingress-nginx/app}/default-backend.yaml | 0 .../core/ingress/ingress-nginx/app/hr.yaml} | 0 
.../ingress/ingress-nginx/app}/netpol.yaml | 4 +- .../deploy/core/ingress/ingress-nginx/ks.yaml | 12 + .../ingress/ingress-nginx/kustomization.yaml | 6 + .../core/ingress/ingress-nginx/repo.yaml | 9 + kube/deploy/core/ingress/ks.yaml | 10 + kube/deploy/core/ingress/kustomization.yaml | 6 + .../core/ingress/ns.yaml} | 2 +- .../monitoring/_deps/_crds-prometheus.yaml} | 6 +- .../monitoring/_deps}/kube-prometheus.yaml | 6 +- .../_deps/prometheus-community-charts.yaml | 10 + kube/deploy/core/monitoring/ks.yaml | 9 + .../kube-state-metrics/app/hr.yaml} | 0 .../monitoring/kube-state-metrics/ks.yaml | 10 + .../kube-state-metrics/kustomization.yaml | 5 + .../deploy/core/monitoring/kustomization.yaml | 6 + .../monitoring/metrics-server/app/hr.yaml} | 2 + .../core/monitoring/metrics-server/ks.yaml | 9 + .../metrics-server/kustomization.yaml | 6 + .../core/monitoring/metrics-server/repo.yaml} | 0 .../node-exporter/app/install.yaml | 0 .../core/monitoring/node-exporter/ks.yaml | 11 + .../node-exporter}/kustomization.yaml | 0 .../core/monitoring/node-exporter/ns.yaml} | 0 .../core/monitoring/ns.yaml} | 0 .../deploy/core/monitoring/victoria/README.md | 5 + .../monitoring/victoria/agent}/vmagent.yaml | 4 +- .../victoria/cluster}/vmcluster.yaml | 2 +- .../deploy/core/monitoring/victoria/crds.yaml | 37 ++ kube/deploy/core/monitoring/victoria/ks.yaml | 37 ++ .../monitoring/victoria/kustomization.yaml | 7 + .../victoria/operator}/install.yaml | 0 .../deploy/core/monitoring/victoria/repo.yaml | 10 + .../_external-snapshotter}/1-crds.yaml | 6 +- .../_external-snapshotter}/2-controller.yaml | 8 +- .../_external-snapshotter}/kustomization.yaml | 0 .../core/storage/rook-ceph/app/hr.yaml} | 0 .../storage}/rook-ceph/app/kustomization.yaml | 3 +- .../core/storage}/rook-ceph/app/netpol.yaml | 10 +- .../core/storage}/rook-ceph/app/rbac.yaml | 0 .../storage}/rook-ceph/cluster/.sops.yaml | 0 .../rook-ceph/cluster/ceph-cluster.sops.yaml | 0 .../rook-ceph/cluster/ceph-monitor.yaml | 0 
.../rook-ceph/cluster/ceph-prometheus.yaml | 0 .../rook-ceph/cluster/create-secrets.sh | 0 .../rook-ceph/cluster/kustomization.yaml | 0 .../cluster/object-radosgw-certs.yaml | 0 .../storage}/rook-ceph/cluster/object.yaml | 28 +- .../rook-ceph/cluster/pveceph-object.sh | 9 + .../rook-ceph/cluster/secret.sops.yaml | 0 .../rook-ceph/cluster/storage-class.yaml | 0 .../cluster/volume-snapshot-class.yaml | 0 kube/deploy/core/storage/rook-ceph/ks.yaml | 21 + .../storage/rook-ceph}/kustomization.yaml | 4 +- .../core/storage/rook-ceph/ns.yaml} | 2 +- kube/deploy/core/storage/rook-ceph/repo.yaml | 10 + .../core/storage/volsync/app/hr.yaml} | 0 .../core/storage/volsync/app/netpol.yaml | 34 ++ kube/deploy/core/storage/volsync/ks.yaml | 9 + .../core/storage/volsync/kustomization.yaml | 7 + .../core/storage/volsync/ns.yaml} | 0 .../core/storage/volsync/repo.yaml} | 0 .../03-certs => deploy/core/tls}/.sops.yaml | 0 .../core/tls/cert-manager/app/hr.yaml} | 0 .../core/tls/cert-manager/app/netpol.yaml | 35 ++ .../core/tls/cert-manager/config/issuer.yaml} | 0 .../core/tls/cert-manager/crds.yaml} | 13 +- kube/deploy/core/tls/cert-manager/ks.yaml | 21 + .../core/tls/cert-manager/kustomization.yaml | 8 + .../core/tls/cert-manager/ns.yaml} | 0 kube/deploy/core/tls/cert-manager/repo.yaml | 9 + kube/repos/helm/app-template/helmrepo.yaml | 10 + .../helm/app-template}/kustomization.yaml | 2 +- kube/templates/test/app/hr.yaml | 28 +- kube/templates/test/ks.yaml | 11 +- 380 files changed, 1772 insertions(+), 3171 deletions(-) delete mode 100644 kube/1-clusters/Biohazard/1-talos/cilium.yaml delete mode 100644 kube/1-clusters/Biohazard/2-config/3-secrets.yaml delete mode 100644 kube/1-clusters/Biohazard/2-config/4-vars.yaml delete mode 100644 kube/1-clusters/Biohazard/2-config/5-deploy.yaml delete mode 100644 kube/1-clusters/Biohazard/2-config/ceph-rgw-ext-users.yaml delete mode 100644 kube/1-clusters/Biohazard/2-config/kustomization.yaml delete mode 100644 
kube/2-bootstrap/flux/kustomization.yaml delete mode 100644 kube/3-deploy/1-core/01-networking/.sops.yaml delete mode 100644 kube/3-deploy/1-core/01-networking/2-aws-lb.yaml delete mode 100644 kube/3-deploy/1-core/02-storage/rook-ceph/snapshot-controller/rbac.yaml delete mode 100644 kube/3-deploy/1-core/02-storage/rook-ceph/snapshot-controller/statefulset.yaml delete mode 100644 kube/3-deploy/1-core/04-dns/.sops.yaml delete mode 100644 kube/3-deploy/1-core/04-dns/external/kustomization.yaml delete mode 100644 kube/3-deploy/1-core/05-ingress/.sops.yaml delete mode 100644 kube/3-deploy/1-core/05-ingress/1-namespace.yaml delete mode 100644 kube/3-deploy/1-core/05-ingress/cloudflare/ks.yaml delete mode 100644 kube/3-deploy/1-core/05-ingress/external-proxy-x/ks.yaml delete mode 100644 kube/3-deploy/1-core/05-ingress/external/install.yaml delete mode 100644 kube/3-deploy/1-core/05-ingress/kustomization.yaml delete mode 100644 kube/3-deploy/1-core/06-monitoring/1-deps/app/kustomization.yaml delete mode 100644 kube/3-deploy/1-core/06-monitoring/1-deps/ks.yaml delete mode 100644 kube/3-deploy/1-core/06-monitoring/metrics-server/kustomization.yaml delete mode 100644 kube/3-deploy/1-core/06-monitoring/node-exporter/ks.yaml delete mode 100644 kube/3-deploy/1-core/06-monitoring/victoria/1-crds/install.yaml delete mode 100644 kube/3-deploy/1-core/08-hardware/01-node-feature-discovery/kustomization.yaml delete mode 100644 kube/3-deploy/1-core/08-hardware/02-intel-device-plugins/kustomization.yaml delete mode 100644 kube/3-deploy/2-apps/authentik/app/svc.yaml delete mode 100644 kube/3-deploy/2-apps/default/ks.yaml delete mode 100644 kube/3-deploy/2-apps/elk/ks.yaml delete mode 100644 kube/3-deploy/2-apps/excalidraw/ks.yaml delete mode 100644 kube/3-deploy/2-apps/external/authentik/install.yaml delete mode 100644 kube/3-deploy/2-apps/external/matrix-synapse/install.yaml delete mode 100644 kube/3-deploy/2-apps/flux-system/ks.yaml delete mode 100644 
kube/3-deploy/2-apps/gokapi/.sops.yaml delete mode 100644 kube/3-deploy/2-apps/gokapi/kustomization.yaml delete mode 100644 kube/3-deploy/2-apps/hugo-test/.sops.yaml delete mode 100644 kube/3-deploy/2-apps/hugo-test/1-namespace.yaml delete mode 100644 kube/3-deploy/2-apps/hugo-test/3-install.yaml delete mode 100644 kube/3-deploy/2-apps/hugo-test/4-cloudflared.yaml delete mode 100644 kube/3-deploy/2-apps/hugo-test/kustomization.yaml delete mode 100644 kube/3-deploy/2-apps/kanidm/ks.yaml delete mode 100644 kube/3-deploy/2-apps/kavita/kustomization.yaml delete mode 100644 kube/3-deploy/2-apps/kubevirt/2-install/kustomization.yaml delete mode 100644 kube/3-deploy/2-apps/kubevirt/kustomization.yaml delete mode 100644 kube/3-deploy/2-apps/minecraft/kustomization.yaml delete mode 100644 kube/3-deploy/2-apps/ntfy/ks.yaml delete mode 100644 kube/3-deploy/2-apps/satisfactory/ks.yaml delete mode 100644 kube/3-deploy/2-apps/test.yaml delete mode 100644 kube/3-deploy/2-apps/velociraptor/app/config.sops.yaml delete mode 100644 kube/3-deploy/2-apps/velociraptor/ks.yaml delete mode 100644 kube/3-deploy/2-apps/volsync/kustomization.yaml delete mode 100644 kube/3-deploy/2-apps/whoogle/.sops.yaml delete mode 100644 kube/3-deploy/2-apps/whoogle/kustomization.yaml delete mode 100644 kube/3-deploy/2-apps/zerotier/.sops.yaml delete mode 100644 kube/3-deploy/2-apps/zerotier/1-namespace.yaml delete mode 100644 kube/3-deploy/2-apps/zerotier/2-certs.yaml delete mode 100644 kube/3-deploy/2-apps/zerotier/3-pvc.yaml delete mode 100644 kube/3-deploy/2-apps/zerotier/4-controller.yaml delete mode 100644 kube/3-deploy/2-apps/zerotier/5-ui.yaml delete mode 100644 kube/3-deploy/2-apps/zerotier/kustomization.yaml delete mode 100644 kube/3-deploy/2-apps/zipline/ks.yaml create mode 100644 kube/bootstrap/flux/kustomization.yaml rename kube/{1-clusters/Biohazard/2-config/1-flux-install.yaml => clusters/biohazard/flux/flux-install.yaml} (81%) rename kube/{1-clusters/Biohazard/2-config/2-flux-repo.yaml => 
clusters/biohazard/flux/flux-repo.yaml} (84%) create mode 100755 kube/clusters/biohazard/talos/talconfig.yaml create mode 100755 kube/clusters/biohazard/talos/talsecret.sops.yaml rename kube/{3-deploy/2-apps => deploy/apps}/README.md (100%) rename kube/{3-deploy/2-apps => deploy/apps}/atuin/app/hr.yaml (100%) rename kube/{3-deploy/2-apps => deploy/apps}/atuin/app/secret.yaml (100%) rename kube/{3-deploy/2-apps => deploy/apps}/atuin/ks.yaml (56%) rename kube/{3-deploy/2-apps => deploy/apps}/atuin/kustomization.yaml (100%) rename kube/{3-deploy/2-apps => deploy/apps}/atuin/ns.yaml (100%) rename kube/{3-deploy/2-apps => deploy/apps}/authentik/app/hr.yaml (100%) rename kube/{3-deploy/2-apps => deploy/apps}/authentik/app/netpol.yaml (100%) rename kube/{3-deploy/2-apps => deploy/apps}/authentik/app/pg-superuser.yaml (100%) rename kube/{3-deploy/2-apps => deploy/apps}/authentik/app/tls.yaml (100%) rename kube/{3-deploy/2-apps => deploy/apps}/authentik/ks.yaml (55%) rename kube/{3-deploy/1-core/db/pg => deploy/apps/authentik}/kustomization.yaml (100%) rename kube/{3-deploy/2-apps => deploy/apps}/authentik/ns.yaml (100%) rename kube/{3-deploy/2-apps => deploy/apps}/authentik/redis/hr.yaml (100%) rename kube/{3-deploy/2-apps => deploy/apps}/authentik/redis/secret-redis.yaml (100%) rename kube/{3-deploy/2-apps => deploy/apps}/authentik/remote-cluster/hr.yaml (100%) rename kube/{3-deploy/2-apps => deploy/apps}/authentik/repo.yaml (100%) rename kube/{3-deploy/2-apps => deploy/apps}/default/deps/namespace.yaml (100%) rename kube/{3-deploy/2-apps => deploy/apps}/default/deps/tls.yaml (100%) create mode 100644 kube/deploy/apps/default/ks.yaml rename kube/{3-deploy/1-core/05-ingress/cloudflare => deploy/apps/default}/kustomization.yaml (100%) rename kube/{3-deploy/2-apps => deploy/apps}/dns/README.org (100%) rename kube/{3-deploy/2-apps/dns/dnsdist/install.yaml => deploy/apps/dns/dnsdist/app/hr.yaml} (100%) create mode 100644 kube/deploy/apps/dns/dnsdist/ks.yaml rename 
kube/{3-deploy/1-core/05-ingress/external-proxy-x => deploy/apps/dns/dnsdist}/kustomization.yaml (100%) rename kube/{3-deploy/2-apps => deploy/apps}/elk/app/hr.yaml (100%) rename kube/{3-deploy/2-apps => deploy/apps}/elk/app/pvc.yaml (100%) rename kube/{3-deploy/2-apps => deploy/apps}/elk/app/volsync.yaml (100%) create mode 100644 kube/deploy/apps/elk/ks.yaml rename kube/{3-deploy/1-core/06-monitoring/1-deps => deploy/apps/elk}/kustomization.yaml (100%) rename kube/{3-deploy/2-apps => deploy/apps}/excalidraw/app/hr.yaml (100%) rename kube/{3-deploy/2-apps => deploy/apps}/excalidraw/deps/namespace.yaml (100%) create mode 100644 kube/deploy/apps/excalidraw/ks.yaml rename kube/{3-deploy/1-core/06-monitoring/node-exporter => deploy/apps/excalidraw}/kustomization.yaml (100%) create mode 100644 kube/deploy/apps/flux-system/ks.yaml rename kube/{3-deploy/2-apps/default => deploy/apps/flux-system}/kustomization.yaml (100%) rename kube/{3-deploy/2-apps => deploy/apps}/flux-system/webhook/ingress.yaml (100%) rename kube/{3-deploy/2-apps => deploy/apps}/flux-system/webhook/receiver.yaml (100%) rename kube/{3-deploy/2-apps => deploy/apps}/flux-system/webhook/secret-token.yaml (100%) rename kube/{3-deploy/2-apps/gokapi/2-install.yaml => deploy/apps/gokapi/app/hr.yaml} (85%) rename kube/{3-deploy/2-apps/gokapi => deploy/apps/gokapi/app}/netpol.yaml (100%) create mode 100644 kube/deploy/apps/gokapi/ks.yaml rename kube/{3-deploy/2-apps/gotosocial => deploy/apps/gokapi}/kustomization.yaml (100%) rename kube/{3-deploy/2-apps/gokapi/1-namespace.yaml => deploy/apps/gokapi/ns.yaml} (100%) rename kube/{3-deploy/2-apps => deploy/apps}/gotosocial/app/hr.yaml (96%) rename kube/{3-deploy/2-apps => deploy/apps}/gotosocial/deps/nfs.yaml (100%) rename kube/{3-deploy/2-apps => deploy/apps}/gotosocial/deps/s3.yaml (77%) rename kube/{3-deploy/2-apps => deploy/apps}/gotosocial/deps/secret-oidc.yaml (100%) rename kube/{3-deploy/2-apps => deploy/apps}/gotosocial/deps/secret-pg.yaml (100%) rename 
kube/{3-deploy/2-apps => deploy/apps}/gotosocial/deps/tls.yaml (100%) rename kube/{3-deploy/2-apps => deploy/apps}/gotosocial/ks.yaml (52%) rename kube/{3-deploy/2-apps/headscale => deploy/apps/gotosocial}/kustomization.yaml (100%) rename kube/{3-deploy/2-apps => deploy/apps}/gotosocial/ns.yaml (100%) rename kube/{3-deploy/2-apps => deploy/apps}/headscale/app/hr.yaml (100%) rename kube/{3-deploy/2-apps => deploy/apps}/headscale/app/netpol.yaml (100%) rename kube/{3-deploy/2-apps => deploy/apps}/headscale/app/secrets.yaml (100%) rename kube/{3-deploy/2-apps => deploy/apps}/headscale/app/tls.yaml (100%) rename kube/{3-deploy/2-apps => deploy/apps}/headscale/ks.yaml (57%) rename kube/{3-deploy/2-apps/kah => deploy/apps/headscale}/kustomization.yaml (100%) rename kube/{3-deploy/2-apps => deploy/apps}/headscale/ns.yaml (100%) rename kube/{3-deploy/2-apps/jellyfin/2-nfs.yaml => deploy/apps/jellyfin/app/_nfs.yaml} (100%) rename kube/{3-deploy/2-apps/jellyfin/3-install.yaml => deploy/apps/jellyfin/app/hr.yaml} (88%) rename kube/{3-deploy/1-core/03-certs/cert-manager => deploy/apps/jellyfin}/app/kustomization.yaml (56%) rename kube/{3-deploy/2-apps/jellyfin => deploy/apps/jellyfin/app}/volsync.yaml (100%) create mode 100644 kube/deploy/apps/jellyfin/ks.yaml rename kube/{3-deploy/2-apps/miniflux => deploy/apps/jellyfin}/kustomization.yaml (100%) rename kube/{3-deploy/2-apps/jellyfin/1-namespace.yaml => deploy/apps/jellyfin/ns.yaml} (100%) rename kube/{3-deploy/2-apps => deploy/apps}/kah/deps/tls.yaml (100%) rename kube/{3-deploy/2-apps => deploy/apps}/kah/inspircd/hr.yaml (100%) rename kube/{3-deploy/2-apps => deploy/apps}/kah/inspircd/netpol.yaml (100%) rename kube/{3-deploy/2-apps => deploy/apps}/kah/ks.yaml (51%) rename kube/{3-deploy/2-apps/ntfy => deploy/apps/kah}/kustomization.yaml (100%) rename kube/{3-deploy/2-apps => deploy/apps}/kah/ns.yaml (100%) rename kube/{3-deploy/2-apps => deploy/apps}/kanidm/app/hr.yaml (98%) rename kube/{3-deploy/2-apps => 
deploy/apps}/kanidm/app/netpol.yaml (100%) rename kube/{3-deploy/2-apps => deploy/apps}/kanidm/app/volsync.yaml (100%) rename kube/{3-deploy/2-apps => deploy/apps}/kanidm/deps/namespace.yaml (100%) rename kube/{3-deploy/2-apps => deploy/apps}/kanidm/deps/tls.yaml (100%) create mode 100644 kube/deploy/apps/kanidm/ks.yaml rename kube/{3-deploy/2-apps/elk => deploy/apps/kanidm}/kustomization.yaml (100%) rename kube/{3-deploy/2-apps/kavita/2-nfs.yaml => deploy/apps/kavita/app/_nfs.yaml} (100%) rename kube/{3-deploy/2-apps/kavita/3-install.yaml => deploy/apps/kavita/app/hr.yaml} (84%) rename kube/{3-deploy/2-apps/jellyfin => deploy/apps/kavita/app}/kustomization.yaml (63%) rename kube/{3-deploy/2-apps/kavita => deploy/apps/kavita/app}/volsync.yaml (100%) create mode 100644 kube/deploy/apps/kavita/ks.yaml rename kube/{3-deploy/2-apps/satisfactory => deploy/apps/kavita}/kustomization.yaml (100%) rename kube/{3-deploy/2-apps/kavita/1-namespace.yaml => deploy/apps/kavita/ns.yaml} (100%) rename kube/{3-deploy/2-apps/kubevirt/2-install/2-cr.yaml => deploy/apps/kubevirt/cr.yaml} (90%) rename kube/{3-deploy/1-core/04-dns/internal => deploy/apps/kubevirt}/kustomization.yaml (63%) create mode 100644 kube/deploy/apps/kubevirt/netpol.yaml rename kube/{3-deploy/2-apps/kubevirt/2-install/1-operator.yaml => deploy/apps/kubevirt/operator.yaml} (90%) rename kube/{3-deploy/2-apps/minecraft/3-install.yaml => deploy/apps/minecraft/app/hr.yaml} (95%) create mode 100644 kube/deploy/apps/minecraft/app/netpol.yaml rename kube/{3-deploy/2-apps/minecraft => deploy/apps/minecraft/app}/volsync.yaml (100%) create mode 100644 kube/deploy/apps/minecraft/ks.yaml rename kube/{3-deploy/1-core/02-storage/rook-ceph/snapshot-controller => deploy/apps/minecraft}/kustomization.yaml (68%) rename kube/{3-deploy/2-apps/minecraft/1-namespace.yaml => deploy/apps/minecraft/ns.yaml} (100%) rename kube/{3-deploy/2-apps/minecraft/2-repo.yaml => deploy/apps/minecraft/repo.yaml} (100%) rename kube/{3-deploy/2-apps => 
deploy/apps}/miniflux/app/hr.yaml (100%) rename kube/{3-deploy/2-apps => deploy/apps}/miniflux/app/secret.yaml (100%) rename kube/{3-deploy/2-apps => deploy/apps}/miniflux/ks.yaml (56%) rename kube/{3-deploy/2-apps/velociraptor => deploy/apps/miniflux}/kustomization.yaml (100%) rename kube/{3-deploy/2-apps => deploy/apps}/miniflux/ns.yaml (100%) rename kube/{3-deploy/2-apps => deploy/apps}/ntfy/app/hr.yaml (80%) rename kube/{3-deploy/2-apps => deploy/apps}/ntfy/app/netpol.yaml (100%) create mode 100644 kube/deploy/apps/ntfy/ks.yaml rename kube/{3-deploy/2-apps/zipline => deploy/apps/ntfy}/kustomization.yaml (100%) rename kube/{3-deploy/2-apps => deploy/apps}/ntfy/ns.yaml (100%) rename kube/{3-deploy/2-apps/insurgency-sandstorm => deploy/apps/sandstorm/app}/config/Engine.ini (100%) rename kube/{3-deploy/2-apps/insurgency-sandstorm => deploy/apps/sandstorm/app}/config/Game.ini (100%) rename kube/{3-deploy/2-apps/insurgency-sandstorm => deploy/apps/sandstorm/app}/config/MapCycle.txt (100%) rename kube/{3-deploy/2-apps/insurgency-sandstorm => deploy/apps/sandstorm/app}/config/Mods.txt (100%) rename kube/{3-deploy/2-apps/insurgency-sandstorm => deploy/apps/sandstorm/app}/config/secrets.yaml (100%) rename kube/{3-deploy/2-apps/insurgency-sandstorm/2-install.yaml => deploy/apps/sandstorm/app/hr.yaml} (92%) rename kube/{3-deploy/2-apps/insurgency-sandstorm => deploy/apps/sandstorm/app}/kustomization.yaml (95%) create mode 100644 kube/deploy/apps/sandstorm/app/netpol.yaml create mode 100644 kube/deploy/apps/sandstorm/ks.yaml create mode 100644 kube/deploy/apps/sandstorm/kustomization.yaml rename kube/{3-deploy/2-apps/insurgency-sandstorm/1-namespace.yaml => deploy/apps/sandstorm/ns.yaml} (100%) rename kube/{3-deploy/2-apps => deploy/apps}/satisfactory/app/hr.yaml (97%) rename kube/{3-deploy/2-apps => deploy/apps}/satisfactory/app/netpol.yaml (100%) rename kube/{3-deploy/2-apps => deploy/apps}/satisfactory/app/volsync.yaml (100%) create mode 100644 
kube/deploy/apps/satisfactory/ks.yaml rename kube/{3-deploy/2-apps/syncthing => deploy/apps/satisfactory}/kustomization.yaml (88%) rename kube/{3-deploy/2-apps => deploy/apps}/satisfactory/ns.yaml (100%) rename kube/{3-deploy/2-apps => deploy/apps}/syncthing/deps/kustomization.yaml (100%) rename kube/{3-deploy/2-apps => deploy/apps}/syncthing/deps/namespace.yaml (100%) rename kube/{3-deploy/2-apps => deploy/apps}/syncthing/ks.yaml (67%) rename kube/{3-deploy/2-apps/excalidraw => deploy/apps/syncthing}/kustomization.yaml (100%) rename kube/{3-deploy/2-apps => deploy/apps}/syncthing/user1/install.yaml (91%) rename kube/{3-deploy/2-apps => deploy/apps}/syncthing/user1/networkpolicy.yaml (100%) rename kube/{3-deploy/2-apps/hugo-test => deploy/apps/syncthing/user1}/volsync.yaml (56%) rename kube/{3-deploy/2-apps/tetragon/install.yaml => deploy/apps/tetragon/app/hr.yaml} (92%) create mode 100644 kube/deploy/apps/tetragon/ks.yaml rename kube/{2-bootstrap/flux/repos => deploy/apps/tetragon}/kustomization.yaml (87%) rename kube/{3-deploy/2-apps => deploy/apps}/velociraptor/app/.sops.yaml (100%) create mode 100644 kube/deploy/apps/velociraptor/app/config.sops.yaml rename kube/{3-deploy/2-apps => deploy/apps}/velociraptor/app/hr.yaml (100%) rename kube/{3-deploy/2-apps => deploy/apps}/velociraptor/app/kustomization.yaml (100%) rename kube/{3-deploy/2-apps => deploy/apps}/velociraptor/app/netpol.yaml (100%) create mode 100644 kube/deploy/apps/velociraptor/ks.yaml rename kube/{3-deploy/2-apps/kanidm => deploy/apps/velociraptor}/kustomization.yaml (88%) rename kube/{3-deploy/2-apps => deploy/apps}/velociraptor/ns.yaml (100%) rename kube/{3-deploy/2-apps/whoogle/2-install.yaml => deploy/apps/whoogle/app/hr.yaml} (90%) rename kube/{3-deploy/2-apps/whoogle => deploy/apps/whoogle/app}/netpol.yaml (100%) create mode 100644 kube/deploy/apps/whoogle/ks.yaml create mode 100644 kube/deploy/apps/whoogle/kustomization.yaml rename kube/{3-deploy/2-apps/whoogle/1-namespace.yaml => 
deploy/apps/whoogle/ns.yaml} (100%) rename kube/{3-deploy/2-apps => deploy/apps}/zipline/app/hr.yaml (97%) rename kube/{3-deploy/2-apps => deploy/apps}/zipline/app/s3.yaml (76%) rename kube/{3-deploy/2-apps => deploy/apps}/zipline/app/secret.yaml (100%) create mode 100644 kube/deploy/apps/zipline/ks.yaml create mode 100644 kube/deploy/apps/zipline/kustomization.yaml rename kube/{3-deploy/2-apps => deploy/apps}/zipline/ns.yaml (100%) rename kube/{3-deploy/1-core => deploy/core}/README.md (100%) rename kube/{3-deploy/1-core/01-networking => deploy/core/_networking}/cilium/README.md (100%) rename kube/{3-deploy/1-core/01-networking/cilium => deploy/core/_networking/cilium/app}/bootstrap-install/README.org (100%) rename kube/{3-deploy/1-core/01-networking/cilium => deploy/core/_networking/cilium/app}/bootstrap-install/base-values.yaml (100%) rename kube/{3-deploy/1-core/01-networking/cilium => deploy/core/_networking/cilium/app}/bootstrap-install/install.sh (77%) rename kube/{3-deploy/1-core/01-networking/cilium => deploy/core/_networking/cilium/app}/bootstrap-install/kustomization.yaml (100%) rename kube/{3-deploy/1-core/01-networking/cilium/install.yaml => deploy/core/_networking/cilium/app/hr.yaml} (51%) rename kube/{3-deploy/1-core/01-networking/cilium => deploy/core/_networking/cilium/app}/kustomization.yaml (83%) rename kube/{3-deploy/1-core/01-networking/cilium => deploy/core/_networking/cilium/app}/kustomizeconfig.yaml (100%) create mode 100644 kube/deploy/core/_networking/cilium/config/BGP.yaml create mode 100644 kube/deploy/core/_networking/cilium/config/LB-IPs.yaml create mode 100644 kube/deploy/core/_networking/cilium/ks.yaml create mode 100644 kube/deploy/core/_networking/cilium/kustomization.yaml rename kube/{3-deploy/1-core/01-networking => deploy/core/_networking}/cilium/netpols/cluster-default-kube-dns.yaml (100%) rename kube/{3-deploy/1-core/01-networking => deploy/core/_networking}/cilium/netpols/flux.yaml (100%) rename 
kube/{3-deploy/1-core/01-networking => deploy/core/_networking}/cilium/netpols/kube-system-allow-all.yaml (100%) rename kube/{3-deploy/1-core/01-networking => deploy/core/_networking}/cilium/netpols/labelled-allow-egress.yaml (100%) create mode 100644 kube/deploy/core/_networking/cilium/repo.yaml rename kube/{3-deploy/1-core => deploy/core}/db/pg/app/hr.yaml (100%) rename kube/{3-deploy/1-core => deploy/core}/db/pg/app/netpol.yaml (100%) rename kube/{3-deploy/1-core => deploy/core}/db/pg/clusters/default/.sops.yaml (100%) rename kube/{3-deploy/1-core => deploy/core}/db/pg/clusters/default/cluster.yaml (91%) rename kube/{3-deploy/1-core => deploy/core}/db/pg/clusters/default/dump-local.yaml (100%) rename kube/{3-deploy/1-core => deploy/core}/db/pg/clusters/default/kustomization.yaml (100%) rename kube/{3-deploy/1-core => deploy/core}/db/pg/clusters/default/netpol.yaml (97%) rename kube/{3-deploy/1-core => deploy/core}/db/pg/clusters/default/s3.yaml (75%) rename kube/{3-deploy/1-core => deploy/core}/db/pg/clusters/default/scheduledbackup.yaml (100%) rename kube/{3-deploy/1-core => deploy/core}/db/pg/clusters/default/superuser.sops.yaml (100%) rename kube/{3-deploy/1-core => deploy/core}/db/pg/clusters/template/.sops.yaml (100%) rename kube/{3-deploy/1-core => deploy/core}/db/pg/clusters/template/cluster.yaml (93%) rename kube/{3-deploy/1-core => deploy/core}/db/pg/clusters/template/dump-local.yaml (100%) rename kube/{3-deploy/1-core => deploy/core}/db/pg/clusters/template/kustomization.yaml (100%) rename kube/{3-deploy/1-core => deploy/core}/db/pg/clusters/template/netpol.yaml (94%) rename kube/{3-deploy/1-core => deploy/core}/db/pg/clusters/template/s3.yaml (78%) rename kube/{3-deploy/1-core => deploy/core}/db/pg/clusters/template/scheduledbackup.yaml (100%) create mode 100644 kube/deploy/core/db/pg/clusters/template/secret-superuser.yaml rename kube/{3-deploy/1-core => deploy/core}/db/pg/ks.yaml (72%) rename kube/{3-deploy/2-apps/authentik => 
deploy/core/db/pg}/kustomization.yaml (100%) rename kube/{3-deploy/1-core => deploy/core}/db/pg/ns.yaml (100%) rename kube/{3-deploy/1-core => deploy/core}/db/pg/repo.yaml (100%) rename kube/{3-deploy/1-core/04-dns/external/3-external-dns.yaml => deploy/core/dns/external-dns/app/hr.yaml} (100%) create mode 100644 kube/deploy/core/dns/external-dns/app/netpol.yaml rename kube/{3-deploy/1-core/04-dns/external/2-secrets.yaml => deploy/core/dns/external-dns/app/secrets.yaml} (100%) create mode 100644 kube/deploy/core/dns/external-dns/crds.yaml create mode 100644 kube/deploy/core/dns/external-dns/ks.yaml create mode 100644 kube/deploy/core/dns/external-dns/kustomization.yaml rename kube/{3-deploy/1-core/04-dns/external/1-namespace.yaml => deploy/core/dns/external-dns/ns.yaml} (100%) create mode 100644 kube/deploy/core/dns/external-dns/repo.yaml rename kube/{3-deploy/1-core/04-dns/internal/2-k8s-gateway.yaml => deploy/core/dns/internal/k8s-gateway/app/hr.yaml} (95%) rename kube/{3-deploy/1-core/04-dns/internal => deploy/core/dns/internal/k8s-gateway/app}/netpol.yaml (100%) create mode 100644 kube/deploy/core/dns/internal/k8s-gateway/ks.yaml create mode 100644 kube/deploy/core/dns/internal/k8s-gateway/kustomization.yaml create mode 100644 kube/deploy/core/dns/internal/k8s-gateway/repo.yaml rename kube/{3-deploy/1-core/03-certs/cert-manager/crds => deploy/core/dns/internal}/kustomization.yaml (82%) rename kube/{3-deploy/1-core/04-dns/internal/1-namespace.yaml => deploy/core/dns/internal/ns.yaml} (100%) create mode 100644 kube/deploy/core/hardware/README.md rename kube/{3-deploy/1-core/08-hardware/02-intel-device-plugins/2-operator.yaml => deploy/core/hardware/intel-device-plugins/app/_operator.yaml} (100%) rename kube/{3-deploy/1-core/08-hardware/02-intel-device-plugins/3-gpu.yaml => deploy/core/hardware/intel-device-plugins/app/gpu.yaml} (100%) rename kube/{3-deploy/1-core/08-hardware/01-node-feature-discovery/3-intel-gpu-rule.yaml => 
deploy/core/hardware/intel-device-plugins/app/talos-intel-gpu-nfd-rule.yaml} (100%) create mode 100644 kube/deploy/core/hardware/intel-device-plugins/ks.yaml create mode 100644 kube/deploy/core/hardware/intel-device-plugins/kustomization.yaml rename kube/{3-deploy/1-core/08-hardware/02-intel-device-plugins/1-repo.yaml => deploy/core/hardware/intel-device-plugins/repo.yaml} (100%) rename kube/{3-deploy/1-core/08-hardware/01-node-feature-discovery/2-install.yaml => deploy/core/hardware/node-feature-discovery/app/hr.yaml} (100%) create mode 100644 kube/deploy/core/hardware/node-feature-discovery/ks.yaml create mode 100644 kube/deploy/core/hardware/node-feature-discovery/kustomization.yaml rename kube/{3-deploy/1-core/08-hardware/01-node-feature-discovery/1-repo.yaml => deploy/core/hardware/node-feature-discovery/repo.yaml} (100%) rename kube/{3-deploy/1-core/05-ingress/2-certs.yaml => deploy/core/ingress/_deps/certs.yaml} (100%) create mode 100644 kube/deploy/core/ingress/cloudflare/ks.yaml create mode 100644 kube/deploy/core/ingress/cloudflare/kustomization.yaml rename kube/{3-deploy/1-core/05-ingress/cloudflare/deps/namespace.yaml => deploy/core/ingress/cloudflare/ns.yaml} (100%) rename kube/{3-deploy/1-core/05-ingress => deploy/core/ingress}/cloudflare/tunnel/hr.yaml (100%) rename kube/{3-deploy/1-core/05-ingress => deploy/core/ingress}/cloudflare/tunnel/netpol.yaml (100%) rename kube/{3-deploy/1-core/05-ingress => deploy/core/ingress}/cloudflare/tunnel/secret.yaml (100%) rename kube/{3-deploy/1-core/05-ingress => deploy/core/ingress}/external-proxy-x/README.md (100%) rename kube/{3-deploy/1-core/05-ingress => deploy/core/ingress}/external-proxy-x/app/hr.yaml (98%) create mode 100644 kube/deploy/core/ingress/external-proxy-x/ks.yaml create mode 100644 kube/deploy/core/ingress/external-proxy-x/kustomization.yaml create mode 100644 kube/deploy/core/ingress/external-proxy-x/repo.yaml create mode 100644 
kube/deploy/core/ingress/ingress-nginx/app/default-backend-ingress.yaml rename kube/{3-deploy/1-core/05-ingress/nginx => deploy/core/ingress/ingress-nginx/app}/default-backend.yaml (100%) rename kube/{3-deploy/1-core/05-ingress/nginx/install.yaml => deploy/core/ingress/ingress-nginx/app/hr.yaml} (100%) rename kube/{3-deploy/1-core/05-ingress/nginx => deploy/core/ingress/ingress-nginx/app}/netpol.yaml (98%) create mode 100644 kube/deploy/core/ingress/ingress-nginx/ks.yaml create mode 100644 kube/deploy/core/ingress/ingress-nginx/kustomization.yaml create mode 100644 kube/deploy/core/ingress/ingress-nginx/repo.yaml create mode 100644 kube/deploy/core/ingress/ks.yaml create mode 100644 kube/deploy/core/ingress/kustomization.yaml rename kube/{3-deploy/2-apps/kubevirt/1-namespace.yaml => deploy/core/ingress/ns.yaml} (72%) rename kube/{3-deploy/1-core/06-monitoring/1-deps/app/2-crds-prometheus.yaml => deploy/core/monitoring/_deps/_crds-prometheus.yaml} (88%) rename kube/{3-deploy/1-core/06-monitoring/1-deps/app => deploy/core/monitoring/_deps}/kube-prometheus.yaml (87%) create mode 100644 kube/deploy/core/monitoring/_deps/prometheus-community-charts.yaml create mode 100644 kube/deploy/core/monitoring/ks.yaml rename kube/{3-deploy/1-core/06-monitoring/kube-state-metrics/install.yaml => deploy/core/monitoring/kube-state-metrics/app/hr.yaml} (100%) create mode 100644 kube/deploy/core/monitoring/kube-state-metrics/ks.yaml create mode 100644 kube/deploy/core/monitoring/kube-state-metrics/kustomization.yaml create mode 100644 kube/deploy/core/monitoring/kustomization.yaml rename kube/{3-deploy/1-core/06-monitoring/metrics-server/2-install.yaml => deploy/core/monitoring/metrics-server/app/hr.yaml} (90%) create mode 100644 kube/deploy/core/monitoring/metrics-server/ks.yaml create mode 100644 kube/deploy/core/monitoring/metrics-server/kustomization.yaml rename kube/{3-deploy/1-core/06-monitoring/metrics-server/1-repo.yaml => deploy/core/monitoring/metrics-server/repo.yaml} (100%) 
rename kube/{3-deploy/1-core/06-monitoring => deploy/core/monitoring}/node-exporter/app/install.yaml (100%) create mode 100644 kube/deploy/core/monitoring/node-exporter/ks.yaml rename kube/{3-deploy/2-apps/flux-system => deploy/core/monitoring/node-exporter}/kustomization.yaml (100%) rename kube/{3-deploy/1-core/06-monitoring/node-exporter/deps/namespace.yaml => deploy/core/monitoring/node-exporter/ns.yaml} (100%) rename kube/{3-deploy/1-core/06-monitoring/1-deps/app/1-namespace.yaml => deploy/core/monitoring/ns.yaml} (100%) create mode 100644 kube/deploy/core/monitoring/victoria/README.md rename kube/{3-deploy/1-core/06-monitoring/victoria/4-agent => deploy/core/monitoring/victoria/agent}/vmagent.yaml (83%) rename kube/{3-deploy/1-core/06-monitoring/victoria/3-cluster => deploy/core/monitoring/victoria/cluster}/vmcluster.yaml (96%) create mode 100644 kube/deploy/core/monitoring/victoria/crds.yaml create mode 100644 kube/deploy/core/monitoring/victoria/ks.yaml create mode 100644 kube/deploy/core/monitoring/victoria/kustomization.yaml rename kube/{3-deploy/1-core/06-monitoring/victoria/2-operator => deploy/core/monitoring/victoria/operator}/install.yaml (100%) create mode 100644 kube/deploy/core/monitoring/victoria/repo.yaml rename kube/{3-deploy/1-core/02-storage/1-external-snapshotter => deploy/core/storage/_external-snapshotter}/1-crds.yaml (86%) rename kube/{3-deploy/1-core/02-storage/1-external-snapshotter => deploy/core/storage/_external-snapshotter}/2-controller.yaml (83%) rename kube/{3-deploy/1-core/02-storage/1-external-snapshotter => deploy/core/storage/_external-snapshotter}/kustomization.yaml (100%) rename kube/{3-deploy/1-core/02-storage/rook-ceph/app/helm-release.yaml => deploy/core/storage/rook-ceph/app/hr.yaml} (100%) rename kube/{3-deploy/1-core/02-storage => deploy/core/storage}/rook-ceph/app/kustomization.yaml (77%) rename kube/{3-deploy/1-core/02-storage => deploy/core/storage}/rook-ceph/app/netpol.yaml (94%) rename 
kube/{3-deploy/1-core/02-storage => deploy/core/storage}/rook-ceph/app/rbac.yaml (100%) rename kube/{3-deploy/1-core/02-storage => deploy/core/storage}/rook-ceph/cluster/.sops.yaml (100%) rename kube/{3-deploy/1-core/02-storage => deploy/core/storage}/rook-ceph/cluster/ceph-cluster.sops.yaml (100%) rename kube/{3-deploy/1-core/02-storage => deploy/core/storage}/rook-ceph/cluster/ceph-monitor.yaml (100%) rename kube/{3-deploy/1-core/02-storage => deploy/core/storage}/rook-ceph/cluster/ceph-prometheus.yaml (100%) rename kube/{3-deploy/1-core/02-storage => deploy/core/storage}/rook-ceph/cluster/create-secrets.sh (100%) rename kube/{3-deploy/1-core/02-storage => deploy/core/storage}/rook-ceph/cluster/kustomization.yaml (100%) rename kube/{3-deploy/1-core/02-storage => deploy/core/storage}/rook-ceph/cluster/object-radosgw-certs.yaml (100%) rename kube/{3-deploy/1-core/02-storage => deploy/core/storage}/rook-ceph/cluster/object.yaml (78%) create mode 100644 kube/deploy/core/storage/rook-ceph/cluster/pveceph-object.sh rename kube/{3-deploy/1-core/02-storage => deploy/core/storage}/rook-ceph/cluster/secret.sops.yaml (100%) rename kube/{3-deploy/1-core/02-storage => deploy/core/storage}/rook-ceph/cluster/storage-class.yaml (100%) rename kube/{3-deploy/1-core/02-storage => deploy/core/storage}/rook-ceph/cluster/volume-snapshot-class.yaml (100%) create mode 100644 kube/deploy/core/storage/rook-ceph/ks.yaml rename kube/{3-deploy/1-core/02-storage/rook-ceph/crds => deploy/core/storage/rook-ceph}/kustomization.yaml (81%) rename kube/{3-deploy/1-core/02-storage/rook-ceph/app/namespace.yaml => deploy/core/storage/rook-ceph/ns.yaml} (89%) create mode 100644 kube/deploy/core/storage/rook-ceph/repo.yaml rename kube/{3-deploy/2-apps/volsync/3-install.yaml => deploy/core/storage/volsync/app/hr.yaml} (100%) create mode 100644 kube/deploy/core/storage/volsync/app/netpol.yaml create mode 100644 kube/deploy/core/storage/volsync/ks.yaml create mode 100644 
kube/deploy/core/storage/volsync/kustomization.yaml
rename kube/{3-deploy/2-apps/volsync/1-namespace.yaml => deploy/core/storage/volsync/ns.yaml} (100%)
rename kube/{3-deploy/2-apps/volsync/2-repo.yaml => deploy/core/storage/volsync/repo.yaml} (100%)
rename kube/{3-deploy/1-core/03-certs => deploy/core/tls}/.sops.yaml (100%)
rename kube/{3-deploy/1-core/03-certs/cert-manager/app/2-install.yaml => deploy/core/tls/cert-manager/app/hr.yaml} (100%)
create mode 100644 kube/deploy/core/tls/cert-manager/app/netpol.yaml
rename kube/{3-deploy/1-core/03-certs/cert-manager/app/3-issuer.yaml => deploy/core/tls/cert-manager/config/issuer.yaml} (100%)
rename kube/{3-deploy/1-core/03-certs/cert-manager/crds/install.yaml => deploy/core/tls/cert-manager/crds.yaml} (74%)
create mode 100644 kube/deploy/core/tls/cert-manager/ks.yaml
create mode 100644 kube/deploy/core/tls/cert-manager/kustomization.yaml
rename kube/{3-deploy/1-core/03-certs/cert-manager/app/1-namespace.yaml => deploy/core/tls/cert-manager/ns.yaml} (100%)
create mode 100644 kube/deploy/core/tls/cert-manager/repo.yaml
create mode 100644 kube/repos/helm/app-template/helmrepo.yaml
rename kube/{3-deploy/2-apps/dns/dnsdist => repos/helm/app-template}/kustomization.yaml (82%)
diff --git a/kube/1-clusters/Biohazard/1-talos/cilium.yaml b/kube/1-clusters/Biohazard/1-talos/cilium.yaml
deleted file mode 100644
index 9a742d1b..00000000
--- a/kube/1-clusters/Biohazard/1-talos/cilium.yaml
+++ /dev/null
@@ -1,508 +0,0 @@ -apiVersion: v1 -kind: ServiceAccount -metadata: - annotations: - meta.helm.sh/release-name: cilium - meta.helm.sh/release-namespace: kube-system - labels: - app.kubernetes.io/managed-by: Helm - name: cilium - namespace: kube-system ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - annotations: - meta.helm.sh/release-name: cilium - meta.helm.sh/release-namespace: kube-system - labels: - app.kubernetes.io/managed-by: Helm - name: cilium-operator - namespace: kube-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: Role -metadata: - annotations: - meta.helm.sh/release-name: cilium - meta.helm.sh/release-namespace: kube-system - labels: - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: cilium - name: cilium-config-agent - namespace: kube-system -rules: -- apiGroups: - - "" - resources: - - configmaps - verbs: - - get - - list - - watch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: - meta.helm.sh/release-name: cilium - meta.helm.sh/release-namespace: kube-system - labels: - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: cilium - name: cilium -rules: -- apiGroups: - - networking.k8s.io - resources: - - networkpolicies - verbs: - - get - - list - - watch -- apiGroups: - - discovery.k8s.io - resources: - - endpointslices - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - namespaces - - services - - pods - - endpoints - - nodes - verbs: - - get - - list - - watch -- apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - list - - watch - - get -- apiGroups: - - cilium.io - resources: - - ciliumloadbalancerippools - - ciliumbgppeeringpolicies - - ciliumclusterwideenvoyconfigs - - ciliumclusterwidenetworkpolicies - - ciliumegressgatewaypolicies - - ciliumendpoints - - ciliumendpointslices - - ciliumenvoyconfigs - - ciliumidentities - - ciliumlocalredirectpolicies - - ciliumnetworkpolicies - - ciliumnodes - 
- ciliumnodeconfigs - verbs: - - list - - watch -- apiGroups: - - cilium.io - resources: - - ciliumidentities - - ciliumendpoints - - ciliumnodes - verbs: - - create -- apiGroups: - - cilium.io - resources: - - ciliumidentities - verbs: - - update -- apiGroups: - - cilium.io - resources: - - ciliumendpoints - verbs: - - delete - - get -- apiGroups: - - cilium.io - resources: - - ciliumnodes - - ciliumnodes/status - verbs: - - get - - update -- apiGroups: - - cilium.io - resources: - - ciliumnetworkpolicies/status - - ciliumclusterwidenetworkpolicies/status - - ciliumendpoints/status - - ciliumendpoints - verbs: - - patch ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRole -metadata: - annotations: - meta.helm.sh/release-name: cilium - meta.helm.sh/release-namespace: kube-system - labels: - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: cilium - name: cilium-operator -rules: -- apiGroups: - - "" - resources: - - pods - verbs: - - get - - list - - watch - - delete -- apiGroups: - - "" - resources: - - nodes - verbs: - - list - - watch -- apiGroups: - - "" - resources: - - nodes - - nodes/status - verbs: - - patch -- apiGroups: - - discovery.k8s.io - resources: - - endpointslices - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - services/status - verbs: - - update - - patch -- apiGroups: - - "" - resources: - - namespaces - verbs: - - get - - list - - watch -- apiGroups: - - "" - resources: - - services - - endpoints - verbs: - - get - - list - - watch -- apiGroups: - - cilium.io - resources: - - ciliumnetworkpolicies - - ciliumclusterwidenetworkpolicies - verbs: - - create - - update - - deletecollection - - patch - - get - - list - - watch -- apiGroups: - - cilium.io - resources: - - ciliumnetworkpolicies/status - - ciliumclusterwidenetworkpolicies/status - verbs: - - patch - - update -- apiGroups: - - cilium.io - resources: - - ciliumendpoints - - ciliumidentities - verbs: - - delete - - list - - watch -- 
apiGroups: - - cilium.io - resources: - - ciliumidentities - verbs: - - update -- apiGroups: - - cilium.io - resources: - - ciliumnodes - verbs: - - create - - update - - get - - list - - watch - - delete -- apiGroups: - - cilium.io - resources: - - ciliumnodes/status - verbs: - - update -- apiGroups: - - cilium.io - resources: - - ciliumendpointslices - - ciliumenvoyconfigs - verbs: - - create - - update - - get - - list - - watch - - delete - - patch -- apiGroups: - - apiextensions.k8s.io - resources: - - customresourcedefinitions - verbs: - - create - - get - - list - - watch -- apiGroups: - - apiextensions.k8s.io - resourceNames: - - ciliumloadbalancerippools.cilium.io - - ciliumbgppeeringpolicies.cilium.io - - ciliumclusterwideenvoyconfigs.cilium.io - - ciliumclusterwidenetworkpolicies.cilium.io - - ciliumegressgatewaypolicies.cilium.io - - ciliumendpoints.cilium.io - - ciliumendpointslices.cilium.io - - ciliumenvoyconfigs.cilium.io - - ciliumexternalworkloads.cilium.io - - ciliumidentities.cilium.io - - ciliumlocalredirectpolicies.cilium.io - - ciliumnetworkpolicies.cilium.io - - ciliumnodes.cilium.io - - ciliumnodeconfigs.cilium.io - resources: - - customresourcedefinitions - verbs: - - update -- apiGroups: - - cilium.io - resources: - - ciliumloadbalancerippools - verbs: - - get - - list - - watch -- apiGroups: - - cilium.io - resources: - - ciliumloadbalancerippools/status - verbs: - - patch -- apiGroups: - - coordination.k8s.io - resources: - - leases - verbs: - - create - - get - - update ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: RoleBinding -metadata: - annotations: - meta.helm.sh/release-name: cilium - meta.helm.sh/release-namespace: kube-system - labels: - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: cilium - name: cilium-config-agent - namespace: kube-system -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: Role - name: cilium-config-agent -subjects: -- kind: ServiceAccount - name: cilium - namespace: kube-system 
---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - annotations: - meta.helm.sh/release-name: cilium - meta.helm.sh/release-namespace: kube-system - labels: - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: cilium - name: cilium -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cilium -subjects: -- kind: ServiceAccount - name: cilium - namespace: kube-system ---- -apiVersion: rbac.authorization.k8s.io/v1 -kind: ClusterRoleBinding -metadata: - annotations: - meta.helm.sh/release-name: cilium - meta.helm.sh/release-namespace: kube-system - labels: - app.kubernetes.io/managed-by: Helm - app.kubernetes.io/part-of: cilium - name: cilium-operator -roleRef: - apiGroup: rbac.authorization.k8s.io - kind: ClusterRole - name: cilium-operator -subjects: -- kind: ServiceAccount - name: cilium-operator - namespace: kube-system ---- -apiVersion: v1 -data: - agent-not-ready-taint-key: node.cilium.io/agent-not-ready - arping-refresh-period: 30s - auto-direct-node-routes: "false" - bpf-lb-algorithm: maglev - bpf-lb-external-clusterip: "false" - bpf-lb-map-max: "65536" - bpf-lb-mode: snat - bpf-lb-sock: "false" - bpf-map-dynamic-size-ratio: "0.0025" - bpf-policy-map-max: "16384" - bpf-root: /sys/fs/bpf - cgroup-root: /run/cilium/cgroupv2 - cilium-endpoint-gc-interval: 5m0s - cluster-id: "1" - cluster-name: Biohazaard - custom-cni-conf: "false" - debug: "false" - debug-verbose: "" - disable-cnp-status-updates: "true" - disable-endpoint-crd: "false" - enable-auto-protect-node-port-range: "true" - enable-bgp-control-plane: "false" - enable-bpf-clock-probe: "true" - enable-endpoint-health-checking: "true" - enable-health-check-nodeport: "true" - enable-health-checking: "true" - enable-hubble: "true" - enable-ipv4: "true" - enable-ipv4-masquerade: "true" - enable-ipv6: "false" - enable-ipv6-big-tcp: "false" - enable-ipv6-masquerade: "true" - enable-k8s-terminating-endpoint: "true" - enable-l2-neigh-discovery: 
"true" - enable-l7-proxy: "true" - enable-local-redirect-policy: "true" - enable-policy: default - enable-remote-node-identity: "true" - enable-sctp: "false" - enable-svc-source-range-check: "true" - enable-vtep: "false" - enable-well-known-identities: "false" - enable-xt-socket-fallback: "true" - hubble-disable-tls: "false" - hubble-listen-address: :4244 - hubble-socket-path: /var/run/cilium/hubble.sock - hubble-tls-cert-file: /var/lib/cilium/tls/hubble/server.crt - hubble-tls-client-ca-files: /var/lib/cilium/tls/hubble/client-ca.crt - hubble-tls-key-file: /var/lib/cilium/tls/hubble/server.key - identity-allocation-mode: crd - identity-gc-interval: 15m0s - identity-heartbeat-timeout: 30m0s - install-iptables-rules: "true" - install-no-conntrack-iptables-rules: "false" - ipam: kubernetes - kube-proxy-replacement: strict - kube-proxy-replacement-healthz-bind-address: 0.0.0.0:10256 - monitor-aggregation: medium - monitor-aggregation-flags: all - monitor-aggregation-interval: 5s - node-port-bind-protection: "true" - node-port-range: 80,32767 - nodes-gc-interval: 5m0s - operator-api-serve-addr: 127.0.0.1:9234 - preallocate-bpf-maps: "false" - remove-cilium-node-taints: "true" - set-cilium-is-up-condition: "true" - sidecar-istio-proxy-image: cilium/istio_proxy - skip-cnp-status-startup-clean: "false" - synchronize-k8s-nodes: "true" - tofqdns-dns-reject-response-code: refused - tofqdns-enable-dns-compression: "true" - tofqdns-endpoint-max-ip-per-hostname: "50" - tofqdns-idle-connection-grace-period: 0s - tofqdns-max-deferred-connection-deletes: "10000" - tofqdns-min-ttl: "3600" - tofqdns-proxy-response-max-delay: 100ms - tunnel: vxlan - unmanaged-pod-watcher-interval: "15" - vtep-cidr: "" - vtep-endpoint: "" - vtep-mac: "" - vtep-mask: "" -kind: ConfigMap -metadata: - annotations: - meta.helm.sh/release-name: cilium - meta.helm.sh/release-namespace: kube-system - labels: - app.kubernetes.io/managed-by: Helm - name: cilium-config - namespace: kube-system ---- -apiVersion: 
v1
-kind: Service
-metadata:
- annotations:
- meta.helm.sh/release-name: cilium
- meta.helm.sh/release-namespace: kube-system
- labels:
- app.kubernetes.io/managed-by: Helm
- app.kubernetes.io/name: hubble-peer
- app.kubernetes.io/part-of: cilium
- k8s-app: cilium
- name: hubble-peer
- namespace: kube-system
-spec:
- ports:
- - name: peer-service
- port: 443
- protocol: TCP
- targetPort: 4244
- selector:
- app.kubernetes.io/managed-by: Helm
- k8s-app: cilium
diff --git a/kube/1-clusters/Biohazard/2-config/3-secrets.yaml b/kube/1-clusters/Biohazard/2-config/3-secrets.yaml
deleted file mode 100644
index 18d307a6..00000000
--- a/kube/1-clusters/Biohazard/2-config/3-secrets.yaml
+++ /dev/null
@@ -1,179 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: biohazard-flux-github-ssh-key - namespace: flux-system -data: - identity: ENC[AES256_GCM,data:RFsW4U172L+N9e2LsAlW5ESSYh1O2VjTZxTYY/OVPS9FvJcQSQStXSk21xIQ6PnxeNrjKR44/e20m6L4l59bRiLWaw/KAEPsdJAAHFzPU6gIfnvasbFAR/3ATc1RjctQGcKhkpsJtcqEpT3TPCZGOuEgDngc0xq5fQgztRtbu0JDXKb3fDHlvXmoN8lgtRwNqqcnpUCMg8Q64dmmhtuNcA==,iv:RI2KdjgYNuyNHgRzgWM6X7sUNu7bjJ1Zq8khbiOMmt4=,tag:THCUmBrpdadaqawf5iTo9Q==,type:str] - identity.pub: ENC[AES256_GCM,data:CXuK+5MEyGuVQNVlfNC699qdW2FmJDrUPZUuh2ZHe+tbKlTg3lgt5b0J1VjPO0TMUQpTitvgyjDV96JeRoCnUTkKcYGsCDZMX5M/t+K/S3SSgJMOYHV2+VGTwc5LC2kuK8wm/WxDARQmK3Rl,iv:1TZ9KKcKwJZDvm22qQcRfVWwYkmOXgek0mfZZInihCA=,tag:qh5hhjN8lBZC27usPpKNjA==,type:str] - known_hosts: ENC[AES256_GCM,data:JzFUDHL0EOi/WxL2hNloUgOFTXNv27On6OyMHHw6D0fp472dqyPrjrk4VtdVjTGDHSY1NVkLnNl7kZaNf3An5RwafjWqbjohueY8WsQ+044b7IZGskANmd8XCdyDwKM8g9U7uNWtviwgAhM2HkrzNJWSuIxvCpDXQQlEx3tiM1UVtFCVEnQGtcurVpk5Ijv4DhcrlyqofqOZwLC2H1eATyI6hW6Iqnt5FTic/5muteP9qN5926byid938RLWdrRqb3wNJU2xtuqZ4LhZlPmUfsC9glSk1OApYMKK/RfVGjLTd7TR,iv:wnOfzKaAskg+eVFNl0OcVAcqGWxg3KvjjdUKA+nNw5E=,tag:LcxIOc1z1A6+Ap7dF3VNHQ==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNeXMrWE01RzBHSHlHaXNW - cE9KMG5jaEZEeG9LclRqOHIvT3QrRS9TTzM4Cjg4d0orK1d6QncrdjNrVDFNRm5p - b2ZwVUJUcG5jbWxoTG1RZ2NBSFM5RW8KLS0tIDBsd1R1MzR5WURLWEMrYTFjK0Ux - UmFEd0UveklMeHpwYmJWcG91cU4xUUUKYKm5ZiuBX5d4oadXp8mNt+v0MASMRbqT - k6WGNihbkfA5z8aLnx4vR7tA4ORv70s7ALXvzZCD0m/fMnG8e9ssdA== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-05-27T04:21:43Z" - mac: 
ENC[AES256_GCM,data:K5nsP6Q9dwpGZSEXcko3Nzb9xW/UQfmYj8eeu9lj9/aznpKaugPUj1zfuDbVVDz4+whvfxidNnYJh4k9JtUtpoPdAXL8SIoW2cynMdtIRlg3gvU3+6wL69rkoUfAcdvmdW5lChHAmPdz56ap0/FcJ+eJpdSuwKJfr+mPzBH4yMY=,iv:DWo7n/m/70Xt3g3xOrIhG/WZsIAOB0Z5MuRoxdr8x98=,tag:nZx+6PfS3ydj4nM+uli4iA==,type:str] - pgp: - - created_at: "2023-02-26T18:12:43Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hF4DAAAAAAAAAAASAQdAQUq9YeKzVuiJzH+x8GkoeSzzL9XDQh2P9oLHv1U/vEcw - 7XSvNa6VkyDsST2+YLeja1TGyqiQUofHzTKmclN9QAFHyVcOjOs7gQ3dqwzEcA4Y - 0l4Beu5Ek/6r99UrMxrmGzSyNUxrTc+41FKH1VVHobSnC1CO8Qfql+GdikUMoBWL - ZwoxmhuHZfO/1AvWb8EgwAJcfCB3GjKtCbUxGEcgRyVJm8hxnfsUottVtGUCsdtN - =v630 - -----END PGP MESSAGE----- - fp: 31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2 - encrypted_regex: ^(NETBIRD_AUTH_AUDIENCE|NETBIRD_AUTH_CLIENT_ID|NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID|NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT|NETBIRD_DOMAIN|NETBIRD_MGMT_DNS_DOMAIN|WHOOGLE_CONFIG_URL|ZT_ALLOW_MANAGEMENT_FROM|ZU_CONTROLLER_ENDPOINT|ZU_DEFAULT_PASSWORD|ZU_DEFAULT_USERNAME|addresses|clusterDomain|commonName|config.yaml|data|dnsNames|dnsZones|domain|email|externalIPs|host|hosts|ip|ipv4NativeRoutingCIDR|k8sServiceHost|loadBalancerIP|my-asn|nameservers|peer-address|peer-asn|secretName|stringData|whitelist-source-range)$ - version: 3.7.3 ---- -apiVersion: v1 -kind: Secret -metadata: - name: biohazard-secrets-decrypt-sops-age - namespace: flux-system -data: - age.agekey: ENC[AES256_GCM,data:wv5tjeWMyGPVLO6Y0VEy46vzmdn35JI2HV1ltOX/PgP9yDcqTGvDPVQLD4PNWUZHFHA/87tm0A6g/t3tev/t5SotNuQyI9vM3hiz5IvEdk1kCh+X5wuD37sOwtsczkGBOnBUusFSqHFFJlb1aTrmqiA6LQUXSWSULs9BPq3kBtzU+gO+LJcL2XxviUMDz+mMSBiydXmAJESbSVlmtytz2l+vq5ce/ArTx7/CdhG2tr7AoiFk1aHwJ5lOy2V1mprpdfY5YJ8VPcBYocNd3jDDw8YxT8pG5t1V0LfhQAFxZI8kaIJ87C6JMYF3+xRw4OG0YYyqmdzFjeQIwWcw,iv:kTKRG6Nvs2MXOcnfBBbAha52xDnqe9HjG2AToXIB/k0=,tag:hPi27FQC5wPJtPfI8GKKVw==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj - 
enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNeXMrWE01RzBHSHlHaXNW - cE9KMG5jaEZEeG9LclRqOHIvT3QrRS9TTzM4Cjg4d0orK1d6QncrdjNrVDFNRm5p - b2ZwVUJUcG5jbWxoTG1RZ2NBSFM5RW8KLS0tIDBsd1R1MzR5WURLWEMrYTFjK0Ux - UmFEd0UveklMeHpwYmJWcG91cU4xUUUKYKm5ZiuBX5d4oadXp8mNt+v0MASMRbqT - k6WGNihbkfA5z8aLnx4vR7tA4ORv70s7ALXvzZCD0m/fMnG8e9ssdA== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-05-27T04:21:43Z" - mac: ENC[AES256_GCM,data:K5nsP6Q9dwpGZSEXcko3Nzb9xW/UQfmYj8eeu9lj9/aznpKaugPUj1zfuDbVVDz4+whvfxidNnYJh4k9JtUtpoPdAXL8SIoW2cynMdtIRlg3gvU3+6wL69rkoUfAcdvmdW5lChHAmPdz56ap0/FcJ+eJpdSuwKJfr+mPzBH4yMY=,iv:DWo7n/m/70Xt3g3xOrIhG/WZsIAOB0Z5MuRoxdr8x98=,tag:nZx+6PfS3ydj4nM+uli4iA==,type:str] - pgp: - - created_at: "2023-02-26T18:12:43Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hF4DAAAAAAAAAAASAQdAQUq9YeKzVuiJzH+x8GkoeSzzL9XDQh2P9oLHv1U/vEcw - 7XSvNa6VkyDsST2+YLeja1TGyqiQUofHzTKmclN9QAFHyVcOjOs7gQ3dqwzEcA4Y - 0l4Beu5Ek/6r99UrMxrmGzSyNUxrTc+41FKH1VVHobSnC1CO8Qfql+GdikUMoBWL - ZwoxmhuHZfO/1AvWb8EgwAJcfCB3GjKtCbUxGEcgRyVJm8hxnfsUottVtGUCsdtN - =v630 - -----END PGP MESSAGE----- - fp: 31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2 - encrypted_regex: ^(NETBIRD_AUTH_AUDIENCE|NETBIRD_AUTH_CLIENT_ID|NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID|NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT|NETBIRD_DOMAIN|NETBIRD_MGMT_DNS_DOMAIN|WHOOGLE_CONFIG_URL|ZT_ALLOW_MANAGEMENT_FROM|ZU_CONTROLLER_ENDPOINT|ZU_DEFAULT_PASSWORD|ZU_DEFAULT_USERNAME|addresses|clusterDomain|commonName|config.yaml|data|dnsNames|dnsZones|domain|email|externalIPs|host|hosts|ip|ipv4NativeRoutingCIDR|k8sServiceHost|loadBalancerIP|my-asn|nameservers|peer-address|peer-asn|secretName|stringData|whitelist-source-range)$ - version: 3.7.3 ---- -apiVersion: v1 -kind: Secret -metadata: - name: biohazard-secrets - namespace: flux-system -stringData: - TEST: ENC[AES256_GCM,data:Hg7qUIV8/LcdFZT2,iv:jgNFUecJhj9EgkFCexym843VQUJQJVHW2Ne4H59BUa4=,tag:G/D7ZjLSkNQAJN4TOMSaaw==,type:str] - 
SECRET_SANDSTORM_ADMIN_PASSWORD: ENC[AES256_GCM,data:iYMzuIT3l8Na9R+ivzw/,iv:aSz/PDfnf5NjprFP0F/8MSCHbSNvW1jPKGO3OXM63wE=,tag:TXpMceEeEQMDpSpSwkihTA==,type:str] - SECRET_FLUX_WEBHOOK_GITHUB: ENC[AES256_GCM,data:rGaiLXNI7EyawuFcirkZlAXu2cdLRU1pwGWS2IgrKsyvcRmUMKXMmQ==,iv:sp8r4GmQJther8xiuDnXeGIkCSwXMEL8aadH12ZO5Hw=,tag:b7/CJ5k7Jy7sbYC4oA3mEQ==,type:str] - CLOUDFLARE_EMAIL: ENC[AES256_GCM,data:/1LlGIvbc3FbsOQ6AJV5/BWoHGmijg==,iv:xmSF9Pbx4cc5iAe1kkmcEzggKOdzoQLTp1d5DkIfyTM=,tag:4LyeHbV+nThNfhwAf1fyxg==,type:str] - CLOUDFLARE_API_KEY: ENC[AES256_GCM,data:IjhX7PRvlOrAZHhld4eUTnk0U6e+26ddBvDAzskqal68OKDhnYNGcQ==,iv:Jh+AZONqsY3nlpdG+mgwQNkHFTB38DOPCUhMZVHNIqI=,tag:PWRooXwDuDWZ8/oRfxKslA==,type:str] - SECRET_CLOUDFLARE_TUNNEL_ID: ENC[AES256_GCM,data:yPjiPwCwax7XEipMsVxMAYqc9zAX1mmXgvGsBjuxGc0/mj5R,iv:66hgExptGr8MFGErctzTx1apJbVaXqF4HD/SSSifc0k=,tag:l36AHL7VDK1MC6rbxa0LFA==,type:str] - SECRET_CLOUDFLARE_TUNNEL_CREDS: ENC[AES256_GCM,data:2CKmTAuYGngYVQ7bwwbPOYqSfGc8hFWWrHdnSeq6iIM0Kp/TALhcLSpuSICp8K75kEBapLzC2K6qhJeDPqGBaMORVSYOTSnlvohv14G7AS7Z4R2ehv2xVFoB5wswRJjmh5lrHmNxFfeY4IXINcb8KK/Lmv80P4BEzyxO0cL1KlKZ7gGCcaxQQzkdHMUszdrWUhJ992wGyJnJhAsV50g0Umc=,iv:hpmfzax4tMf+9NLFHfRJSFumN6TdfjTtmqd2tI+pN7o=,tag:bAQeLqQj1cj/389Rp7cnqg==,type:str] - SECRET_MULLVAD_PRIVKEY: ENC[AES256_GCM,data:8GwwB2KunIeIVoNtfLrJrQZyUq+HZcTDkchFLdwPb8R49T9PjgPAvldHEM0=,iv:CH2PhTJMkYyFmcPg7yP1CDPOBT64PBvieKSJfUAwSeY=,tag:lxIvIfanruO0GaBcCS+msg==,type:str] - SECRET_MULLVAD_PUBKEY: ENC[AES256_GCM,data:1cuPz4zCwzElNp5XqzQ6VBahV3w/okLxu31sfMZYndppMG9idRJ7rQd38Ao=,iv:KAT2zWYa0PCEtILRNWS0JYDplCZgwe6v4ZqLwhotKhI=,tag:/MXF+je7QzNd7w2WNeCNVA==,type:str] - SECRET_MULLVAD_IPV4: ENC[AES256_GCM,data:rCpJGTvXmmYv3/j8+g==,iv:NSnLVTRJM+iAlvSUTs7kP5OTMDptEzM+C211y5DHccg=,tag:PYSScVzPvuMBN+e6RejjYA==,type:str] - SECRET_MULLVAD_IPV6: ENC[AES256_GCM,data:DxZNUsqVFiNqlE1356xAW5pTzAiSg3eBEAb7,iv:kh3Z6/LIgjugmVQMQ6rwDXrvo569nZG/RMMNG+5xY2I=,tag:EHERxIQ4HAv9KfmFw4cExA==,type:str] - SECRET_PG_DEFAULT_SUPER_PASS: 
ENC[AES256_GCM,data:xfG2YEf6AmtmwUvXbHt/63zXt7fxbzUlBVlvlWmzuy5xg/TH+cXDTU0ojeCuVhhkFt4k/hrPpvfnWXTnKUc7QpykqXECZteGMMgh7ZScKpkwoppwcrnq9uVbUaSDFfgaJi3jjYm52krHoFC29KcNvA8CBeEqWaXNXTds5jsRT+fQGrJaqf962brHgPOhEFyqWm7K0KEREovl+dkjOFTTdGYLjSr7pyneCy2266hVjxKugDJ12SexsnG6k7k+Ky98aGPGA1ktt4NFEvXfm8v1Rmyn/9odgieQ/yrtV0ICdl+HZrbAOHg7V+ZhumExr40xuj4QNJE0EPeCKtuXKQmaFYLq2cSwBJLQxPq+Fg==,iv:WVuvHUmF9dnsJE2agcbuXSNmN7K5GCV8MZqgK1heh40=,tag:YhkKIh1ALMwFSFbrCMeEsg==,type:str] - SECRET_AUTHENTIK_SECRET_KEY: ENC[AES256_GCM,data:e4al+OdEsy1EoPr2ZZ9e/yGbmLXQiWr3sb9aHS3OYa4B9XKkDjHreC4iUMN9NQTvqm0=,iv:ACJlHndtryj5F5Sx9m3qoJqvd2czERJKGMaR1Z3Zd74=,tag:U+rzNgO9uUIUgW2spjIfrQ==,type:str] - SECRET_AUTHENTIK_PG_SUPER_PASS: ENC[AES256_GCM,data:T4h7z88+WFFt/0zG+6x8g+xvQM6XezBnrgyH88hocczaSNd7vTmrcFFMYHhuuDDDDnr9Ka4FauhoGIvKlll+4gTovv0V6WmYXMQIu2h4vBGretvaFWJuWmtHizv6d8Mq3g6wb2EoZsFAPR4SREMceAa+x/wcvau+P4yrgrzE19fiMEWerqiMYG/YpQVS6A3HghT53oRP7uIrnL1x112mgYZM23kdRfIs3kqz/LFLO3FGM/f4b4fu+BGndtVvVtzNyx99ZAt3z4DzPuhf9aolXZi4JemAGb0MB0dsECaJEVGLpdhHNytZoldvSXedRAyy7pAMKQbv5WNcFMzoRV+xKJXqKbKDXnO4bpGFQQ==,iv:u5xQamW55sYRL1FdDfyNAH9aX1kRj6+VdAm+vZ5PBnM=,tag:7kZXvqPQPOLbIe/nVa1kMQ==,type:str] - SECRET_AUTHENTIK_SMTP_HOST: ENC[AES256_GCM,data:Q4VLzc8EMfzmm7Bm+rKZyMauV7RKwFuW2EOnpiLv0vbCMSV7w9jX,iv:VLEo7xRn6aAxu1PlJzxhSeevMRZ+bxUo93h+VKRQKbU=,tag:Q3Fl0ph4U0XcqTAQfsR7oQ==,type:str] - SECRET_AUTHENTIK_SMTP_FROM: ENC[AES256_GCM,data:8Lb5Y591MubFOyUBj8wW+D58wQ==,iv:OdBXSFr9hiRZXKz9AAP5n8rRj26Zh2gubHNU4Az6GMI=,tag:tqe19b1kzY+jm5Lp/nq9Sw==,type:str] - SECRET_AUTHENTIK_SMTP_USERNAME: ENC[AES256_GCM,data:n+plMaxRcWA5Wt1ytJcLAcn+NN8=,iv:pP2s+5ZPX7xi595dBVq8p2iOAG9ytO+NTZbZLa4qdGY=,tag:hjGu6tU0nrBcRqCZ8xmI8Q==,type:str] - SECRET_AUTHENTIK_SMTP_PASSWORD: ENC[AES256_GCM,data:quqqaVHuZbam5XTrRor+D+iLWV0p+MPPtCN7eXE8fvr+gKe/1bmaHA==,iv:3Z91p0NO9V1FEc/wEpexQYjkP2rMujXQQ9p87Udkt2E=,tag:obxHpxfeWve2UywQZRFn5g==,type:str] - SECRET_AUTHENTIK_REMOTE_TOKEN: 
ENC[AES256_GCM,data:JJ/1cOCyXy87098S5TEEjh07t2oKRQ3iKdV5gFZYE5ijR50SYu0GuBT5282MLtDA8lfi0m1hdkJ1pWAB,iv:CdQCBYDRW/sosDoDu10LD2Hrsc6MPQ/upl+A2R0MuRY=,tag:+0e0w06ze085EMzuuErDzA==,type:str] - SECRET_AUTHENTIK_OIDC_URL_AUTHZ: ENC[AES256_GCM,data:RqG5PYN05DAMaAYRY/iIjX5cxhfDxXuIfAMxW3Q/BIYQJeyPNWQpstDs0cCh8nn6YKItWw==,iv:UpbF3TfOV7hn2cvo0eGOnctZ9Imta/g4MW+qp0gqpa4=,tag:2ICHiYgi6RH3IW4f9MBNcg==,type:str] - SECRET_AUTHENTIK_OIDC_URL_TOKEN: ENC[AES256_GCM,data:OWNANfS4KqphsIC0/o+Ax+7qn6E4B5J/a2JTdkGJdjr0N8bXznC5pq2NSHR7y9bR,iv:dKxvZSau2RnEMsyByGC9a47Ajzvs6cfSZpk3xOG4s6c=,tag:GEKvIA9rfoqgQPFL1H1qgA==,type:str] - SECRET_AUTHENTIK_OIDC_URL_USERINFO: ENC[AES256_GCM,data:pLpqYByHlGkadOspCgfkoIap1nN9cA2bTUkErsu/kxxynP0SJxrygbe7JCu5+5fsZpNt,iv:x8BdORu3Wmvmbz6++xf73sWLswHbAK2zLzBr8TAhyCs=,tag:/o4pxCMKrGUltZwiKqLIVA==,type:str] - SECRET_AUTHENTIK_OIDC_URL_JWKS: ENC[AES256_GCM,data:0BDv9VUz+9owf5yqvxYTg6NKZioX9dghVbvZEwkbA2qfVmT1avHqqHoiLDuRoyeiTyDfH/S5/Q==,iv:FFU+f9gJ5DgsT99cn+6F/baZme+W1Nrn3Wjy67kn1Ho=,tag:7rdcjP/IDoFqdot2RV/9RA==,type:str] - SECRET_ZEROTIER_UI_USERNAME: ENC[AES256_GCM,data:n3lq4WdMRg==,iv:5jq1lh6am9O8L472YLhef4BRvokIYqmpNY4MTnkADIs=,tag:+rmMEwzNWfQLEsnoms1Erw==,type:str] - SECRET_ZEROTIER_UI_PASSWORD: ENC[AES256_GCM,data:e1bY9uZlLmKVKatA6SRcd0iO/78OnQbM,iv:tR01q+o6YMgLdEavGaZY+IHR1SF/6lo48zcebgr9SRE=,tag:kf6Qcd/VuYTePyBp5rPW8A==,type:str] - SECRET_VOLSYNC_B2_PASSWORD: ENC[AES256_GCM,data:W3qJMgDu/VR4eOMs2awQWjEjv6rQ32QfOgwj1DMwr0SBeJTS/1Wk5UX/GEgykbnL9GDDbamLutuolfD8jGvFFHBuwweeI0pUHS06AF6GfMxzl6VJJLntka+gvAmhH6QksO9+3go7+96tgOJksgQuEF+4wDg/tYTXs0popeUsb6pDs5Lj9oYbLUgGdrvCEfRoPOvJqyd9ADRkBsYzP+7L/mShg6lgNjgPjkbT+Q==,iv:/DRHZMbfgxTNSn/sJ+XXPX8Os361lF1jM0LBTzF2uLs=,tag:RDGb7/ugBe6JTIceDHn+8Q==,type:str] - SECRET_VOLSYNC_B2_REPO: ENC[AES256_GCM,data:VZFF2zmZuMT6K35QTyaD+A==,iv:qw5BjEqDTWFD4La6FpCuNsNyQI5mgJd59tnxn54OaV4=,tag:AQvnxDADVS3wooW5QnfjaA==,type:str] - SECRET_VOLSYNC_B2_ID: 
ENC[AES256_GCM,data:kJ+Zrj8TtLec33N1LC1OR3ZKQSrmbERd2A==,iv:LNe8dQ3RWYfslAa9YV/8PDpI2q47JfzDvWokr75dw/M=,tag:tP7VAP8wZ8VblGLWiqOADA==,type:str] - SECRET_VOLSYNC_B2_KEY: ENC[AES256_GCM,data:8OhwlrZ7SHOjHMaAjXwTxcYuhQ84SouLW2kQ76tsWQ==,iv:JUnkcfHooHxmDaUlnZd5JW1tXwz2WMtSZGxG0tRC8Jo=,tag:4JhH4Bk8JGhRt1YS+Qhv8g==,type:str] - SECRET_VOLSYNC_PASSWORD: ENC[AES256_GCM,data:KuKSvK3ry8Z8ZWtjBgr6Gnkf8cwP68eAu5QK35lFewFtGlBnRmgouZzYppO3DdBRcK/RBSMjSnPqV/3nA6yACwKvFPNlADlHzGINddg15qtJhV5YY+ADXOV5HA/F9ZPVw5OuZ8SvCOr+7KdjOHWzwTHHb9Vu2L/5mgCvqvAcESb7T1E9ohdK+7RGS1UEqmFWv/QlIAoi3v8e8pjkWMgfM2nCxT3E9SLl3Sc3OA==,iv:lMSMCL0qROjMW7SFvB0lthpVB/khvQrpwjntCtPqJP4=,tag:+1vkMH3TJLSk8b2VpCm7/w==,type:str] - SECRET_VOLSYNC_R2_REPO: ENC[AES256_GCM,data:YZz9egO0rSK6rHazpNBQaighyvMf0J518dxq5IJGa/pg/iMcrVDNIdbrz5OCCpNVzagsutSvE5KElz29evaBtzgicgIT+JE0BwkLK0teF8up/Bmh5AKOP7ppbGRUXMRkUDg=,iv:d1cImYhhj4M3vJk5chAPWIu2ptxsM/V4I2Lw5k0A+Os=,tag:/u7fh9jMwKt3jQTAmflZsg==,type:str] - SECRET_VOLSYNC_R2_ID: ENC[AES256_GCM,data:EaXgFrsdiFTCv/07MMwf4EKKTnIfb7gOn9LEFc4AcEM=,iv:kT33F00xiXl5zBKMlgiGX7M6b2JZJQBZKN8jhyX4RmI=,tag:CbdXRxK9iMeFZo6fGABsyg==,type:str] - SECRET_VOLSYNC_R2_KEY: ENC[AES256_GCM,data:od+kJZ0If+81tSJkqGYJfrN50jHkkkWmyxeTitPTZFKnxF4uQblnIg00/bJRJm7jI1FnYhcqA06R7YIpU7ZhFg==,iv:ABtZEwdV7dnx5CDODWUJjkx4WfMrFntsf7/3XfJjHBA=,tag:zK+w7wHNCvs6uFzBPAH8SA==,type:str] - SECRET_GRAFANA_OIDC_ID: ENC[AES256_GCM,data:gD/HZo9XmhKeekLB+EDrL/Uk5RNbBOS1v1P238evCj5ySOYkp42SoQ==,iv:Xs+4KhQsVOsAn4XViUG5MOCGJWhrXhagw/I5Q1H2ACQ=,tag:nSFiVga3BWK/DNQNXHZexQ==,type:str] - SECRET_GRAFANA_OIDC_SECRET: ENC[AES256_GCM,data:lSCrImlvci3fUTDxMrHKmkgWZyyjE+7exmgCV/pIRI2ixLEm4qymBYJD7A4ZDXoLtwID9yOIBt023d/rR0kkq4GJXC5jfaN+lUPRw0r9vgp65qXxqCCn7m3SuzfxOAu9M3Q8LbFPiucZwNu4yMNx4pyHg0IoF3Gi/NJuL6RWIt0=,iv:Ts5BvuJ1Yr6VnTa4j+9Dt8bU5MyJyZdg/pXijKQ3Ass=,tag:W/NLN+nPJzZeHWfXDw+ZJA==,type:str] - SECRET_GRAFANA_OIDC_URL_SIGNOUT: 
ENC[AES256_GCM,data:P192MWyn3tqLL4FlO89nkRqsrFidQFkastpS4utjseyxkC8yO0dEhO7Llg8IaoAgoytuwvlrwMybUvrllCM=,iv:IOnOIJ435mPmC+XIKk9KPyRlXykbpOYlno/fgmXq+1I=,tag:ju8lSaDzfl49lP8kLiVbAw==,type:str] - SECRET_GTS_OIDC_ISSUER: ENC[AES256_GCM,data:VLn8iU0uoUILGS+vTyJA3CMFxr4BKXNWsqqUBOYPehkhtlC5NMYLxrO8amaIaRahfvtQIby1,iv:TgHfaw0OdtQKwsxVmr1vc88mNc+3jYA40Pab8MyURNk=,tag:nNXH/WIErXDkVy98crd73A==,type:str] - SECRET_GTS_OIDC_CLIENT_ID: ENC[AES256_GCM,data:97cm9sRp4pK5/bu+ZaIWCmK2hvH6ED35Gz0BUmA5kJ2Pi7v5DMYSrw==,iv:+NGUTnD+uyTOInKdCMwtPBe/CDJJZW5O2skiafTCn/k=,tag:CsbLOF8cEsUXvViK9yvzkg==,type:str] - SECRET_GTS_OIDC_CLIENT_SECRET: ENC[AES256_GCM,data:Y4G055suXXfCBYUxzg/gpvgfH9O5AIiXnL46ZR8uzFYv0NGDDyuwZAb3DMSP0CbrNhI+GHzE7sZv5TDilJX+fK0HIhPS70gjBqCaQzyzUISpKRQma9CcBZFSauoCxmXR2xoWcIVoq4H048RNJnukRwgvX0NY6AZXxfA9IkdEHjM=,iv:M55oYzTzVCN03YqiOkD0ytG++SNdI0jri9F+Gt+lyGk=,tag:1Sa/h+oFTPj/DsA6v4NwyQ==,type:str] - SECRET_GTS_PG_DBNAME: ENC[AES256_GCM,data:VD4zwGfdK0PjHA==,iv:bnLNqeVSXgLmdCr/kiE6h96mIA39QHjq0ZQBVtOVuuc=,tag:GmnXmDjTVh6RPcoCvIX7LQ==,type:str] - SECRET_GTS_PG_USER: ENC[AES256_GCM,data:8VBf03pfmJY8LjGnn/KSaK36pOE=,iv:znSRNJPO0k4Hb+2zONYLJEehz1lDaridb7jhDMR6IYk=,tag:YIvI3LQh93nuWNYakXYICw==,type:str] - SECRET_GTS_PG_PASS: ENC[AES256_GCM,data:4CLtnpcvhljJe1l+OKI3Q++PN7C++9ZavFArGsuxkIW5hoE6FFsAgGngFqw2ck1LAVqdwalQedQdj0LvQmzRpGybGxFGB6/4KHuQVMIkX+HyDReItP0vEXHEaq7HitxlpI+CLmlFK4lCOUdGY5/JvhZPLo+PV5STHsNvmrVaQhTvih3p1G11coCTbo4A/VHHWUGCyQDUoHxs2Bo/iYH2kFKlw/RYGFODmk1ffVUHHRsUHREpb9f5YcRwblWFOpQvwEYINKzlwoM=,iv:3/htXyuzpDJrTFGM7Yy5wcEejXN3/Jl4oyJ1tzPih5Y=,tag:Aie4reRcph39N8mRih9lLw==,type:str] - SECRET_HEADSCALE_PRIVKEY: ENC[AES256_GCM,data:5cwm3FpMYlCxF6g+D0S0+Ti/UVSzJop5lu0Q53oT2+Gt5UVk0yhttjqrNZs5w3dnFJ0De+EGrXhaA5vsuUU1EgRq2t93NC/M,iv:Ny9T6kobbbEn94OLF6gAymCt5h9LlY7QL2GL36yuFAw=,tag:IsdV9wXyd8yTx5urHVef4Q==,type:str] - SECRET_HEADSCALE_NOISEKEY: 
ENC[AES256_GCM,data:w0LQ6auq0XPgXC6KIOuSBZ66avDH/1oM4yK1ruYK21m15A5Mw28yQc93Pp67XbT1P54JgsdUYIJMoz43+wF2Hw3w8VFK4QS0,iv:bMfM4S1UyQjhdX/0Mu2xpa/PkbuOe0eL4G8AviTb3iQ=,tag:4Rej1+iOtMd5abXFkuBiFg==,type:str] - SECRET_HEADSCALE_PG_DBNAME: ENC[AES256_GCM,data:Iyj7YpnEOjnuZ8W1iCYIuyxoNP0ATH6M0B/njRF8TDnjty//bHsx8Q==,iv:MfexUGI5k8BJNugTN9HkAwVbIaqTOeTCPgvsvRDgvAw=,tag:pVcBD4v7zCliXo44KG97Aw==,type:str] - SECRET_HEADSCALE_PG_USER: ENC[AES256_GCM,data:mu5YQK7hwKmdATLv4AsC71lo0n0JemZMPnxdJPV7HaOlMcNCsTq7AbEGrsQm9fQ9yYiJg/ZdoXMAGihCs3sLEw==,iv:ZC9is+M6KkCUkqEfxblxg4eHZn3Kgoruk0K6G/dV5N8=,tag:PdVAAZuL164zcsRHIQGwVA==,type:str] - SECRET_HEADSCALE_PG_PASS: ENC[AES256_GCM,data:IPXHgbtdhFhcRWyQ1u0710/8QVEG2uoPdetIRbRrPIRRhv3TpR04d6ypWos8WunqS5JJaNjm5RTr2O6+DP7ITizMIyUJaLL8jKs5u5nvr7tIB3GsrtU/qBQvZuT+yGjouuf/ezo4euno2L2VD5aKoQN6mdUfFt9K8beb3s7aSBWbMHdvB5KTwssbaMG9alir9/pZEVacsft4zNn1KpTBFQ==,iv:wKDHzaGH5azCBL8zWSt6JbSKeuZNODG5VfOWmwH1GU8=,tag:NShyDOIzSSv74WV5kvlXbw==,type:str] - SECRET_HEADSCALE_OIDC_URL: ENC[AES256_GCM,data:+Jy+NuSGcYXi+p7uOX6lyz3OacT9WaRvY4Ywyuz7dIP/larM6iKUJPSbpql7ZQUNIT6/Lq1998HF,iv:L7MpcUPSjeMcayj1z0J4tccXXdXou+O7IHpVBWtzeqk=,tag:+4f/U3sMpE4WE4mMwTlPLQ==,type:str] - SECRET_HEADSCALE_OIDC_ID: ENC[AES256_GCM,data:oDoZQFp5EEAqa39tMx/Kse427QmYyxUXXPU8dGlCNGtupVvAs+7rzA==,iv:1gVegFflZRsRoo93MNsNwVQT8YRWcNh06MOy5cMsb3M=,tag:1KEb+pRqd154BQdR4NhFhA==,type:str] - SECRET_HEADSCALE_OIDC_SECRET: ENC[AES256_GCM,data:4wwV9m+XmSIGXCzojw0Va8gH1L/E1VugXQc1N3adC6JitqOB7bvdqBxE0natU1mhrCUPdUViojV/IZJ/7qdluNNTakDiWWnL6rVI4xd1giywBc5taEWlQb7081zEExWm09wuRcjYVpfLakJFbM8fJJqTHZvyP5ED9VpNglBk6XU=,iv:RzgyFgOt9TwhRCysdf+gX7jhBQgA0Oo9b7xDCaDEBG4=,tag:AyDu6lImdsJpqEIDRPZ+hQ==,type:str] - SECRET_VELOCIRAPTOR_OIDC_URL: ENC[AES256_GCM,data:bZvEdeLjQp/G7mEdiejIevOR5FeMZhxWJE/BObP0ibffM3MADvr0lfsPTlaAx2EIRSQZ/bSQ,iv:NP/IetQojxS27UtjTstn01RtX4yFh07Rrwd8Jp6rgqQ=,tag:JTwJuSrJMr40Bq6PxHjqpw==,type:str] - SECRET_VELOCIRAPTOR_OIDC_ID: 
ENC[AES256_GCM,data:E2VX7NZ3k4bonCEe5nY4UlLukFLtTeBFvfq0ZSoSb8rl49Ai5aTQzA==,iv:xY46ft6JnMrQku+XU02J9HIZjReVA+YgaGcF3xkKgW4=,tag:WOfx4QTDFWAggV79AWhRTw==,type:str] - SECRET_VELOCIRAPTOR_OIDC_SECRET: ENC[AES256_GCM,data:3uQ1uIb4St7l+TpwsnmLjQX32MT3lEmMz9hyV50t7xqkKG6zk6vRevzNcwrAhOGnXhKSjcgFSP8JUSG11smoNdFzOijc43VnFc5kGlpZYRVt0CGql17X3KadFDuCDTqs8mAZrTB75B3+ZHCL8ECN/943gdwWiJX6tnKElqYCoig=,iv:jps5oDsDJCW3R1ZcTKUuGkYUbj30UuBS54JMkHnkeSM=,tag:MztE/HtsEv09SBWL+ydDVw==,type:str] - SECRET_VELOCIRAPTOR_OIDC_INIT_USER: ENC[AES256_GCM,data:k3JpBmcZRqLP0EqMmCva2W8=,iv:21IxGXPVidbYoPjNW+VMdj8uxXy1VL2jSv47MFKNRyQ=,tag:V1KMNqi4taHVIOJ52U98oA==,type:str] - SECRET_VELOCIRAPTOR_NONCE_CLIENT: ENC[AES256_GCM,data:D3UqAvGedyDOUs6l,iv:P22j8cQ3vFt0OR15J4CFDaJR6UELpj7F1CSSUGSdz5g=,tag:sHlapxVFoPaUhXoe5vg1kA==,type:str] - SECRET_VELOCIRAPTOR_NONCE_OBFUSCATION: ENC[AES256_GCM,data:cpkIbNmTkHD+b5yD,iv:CnyYk3i2vash+0SJ2/fyTM/AnVm7SEfA4dlZAUzonOQ=,tag:crz//WBVjeUTteWi2QNMhA==,type:str] - SECRET_VELOCIRAPTOR_PKI_CA_KEY: ENC[AES256_GCM,data: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,iv:hiXMJNXv8ASXg9QJFiNNkHRGo+fD4vgibUcwVUKBr3I=,tag:POnk0afdIydY6Vm6lk5MyQ==,type:str] - SECRET_VELOCIRAPTOR_PKI_CA_CERT: ENC[AES256_GCM,data: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,iv:4+uCcnbLYOiqhkyzoYvYCXl2WtQ6YDYv7xYx5kX4+HE=,tag:ORzEMa6rZHtn9a0B3RaIgw==,type:str] - SECRET_VELOCIRAPTOR_PKI_GUI_GW_CERT: ENC[AES256_GCM,data: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,iv:9bj/z4PfeKb6p7YcUZzJYH4/hH864Y99G9oDnS5dDE4=,tag:uMQHKcS2cbaSvULzW+jM1w==,type:str] - SECRET_VELOCIRAPTOR_PKI_GUI_GW_KEY: ENC[AES256_GCM,data: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,iv:Su3xktOFE8JQ5eivyvyC+qWm1/5Bg/pW+5tcbmEF1xU=,tag:UAMfU1ZNMa9pDtCXNs1tfg==,type:str] - SECRET_VELOCIRAPTOR_PKI_FRONTEND_CERT: ENC[AES256_GCM,data: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,iv:fufMMWIpdQsz3mNhbGDaerzqJv26WiCN4f3Y3TevS1o=,tag:QB3Xsp7nglznr1pf96zq5w==,type:str] - 
SECRET_VELOCIRAPTOR_PKI_FRONTEND_KEY: ENC[AES256_GCM,data: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,iv:fYSu/ymBwcxMOI8sh/cmXw/S5rrlEcmohB/jpkyw4HU=,tag:NiQpWfVe0f2OlMcCEQ29WQ==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNeXMrWE01RzBHSHlHaXNW - cE9KMG5jaEZEeG9LclRqOHIvT3QrRS9TTzM4Cjg4d0orK1d6QncrdjNrVDFNRm5p - b2ZwVUJUcG5jbWxoTG1RZ2NBSFM5RW8KLS0tIDBsd1R1MzR5WURLWEMrYTFjK0Ux - UmFEd0UveklMeHpwYmJWcG91cU4xUUUKYKm5ZiuBX5d4oadXp8mNt+v0MASMRbqT - k6WGNihbkfA5z8aLnx4vR7tA4ORv70s7ALXvzZCD0m/fMnG8e9ssdA== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-05-27T04:21:43Z" - mac: ENC[AES256_GCM,data:K5nsP6Q9dwpGZSEXcko3Nzb9xW/UQfmYj8eeu9lj9/aznpKaugPUj1zfuDbVVDz4+whvfxidNnYJh4k9JtUtpoPdAXL8SIoW2cynMdtIRlg3gvU3+6wL69rkoUfAcdvmdW5lChHAmPdz56ap0/FcJ+eJpdSuwKJfr+mPzBH4yMY=,iv:DWo7n/m/70Xt3g3xOrIhG/WZsIAOB0Z5MuRoxdr8x98=,tag:nZx+6PfS3ydj4nM+uli4iA==,type:str] - pgp: - - created_at: "2023-02-26T18:12:43Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hF4DAAAAAAAAAAASAQdAQUq9YeKzVuiJzH+x8GkoeSzzL9XDQh2P9oLHv1U/vEcw - 7XSvNa6VkyDsST2+YLeja1TGyqiQUofHzTKmclN9QAFHyVcOjOs7gQ3dqwzEcA4Y - 0l4Beu5Ek/6r99UrMxrmGzSyNUxrTc+41FKH1VVHobSnC1CO8Qfql+GdikUMoBWL - ZwoxmhuHZfO/1AvWb8EgwAJcfCB3GjKtCbUxGEcgRyVJm8hxnfsUottVtGUCsdtN - =v630 - -----END PGP MESSAGE----- - fp: 31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2 - encrypted_regex: 
^(NETBIRD_AUTH_AUDIENCE|NETBIRD_AUTH_CLIENT_ID|NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID|NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT|NETBIRD_DOMAIN|NETBIRD_MGMT_DNS_DOMAIN|WHOOGLE_CONFIG_URL|ZT_ALLOW_MANAGEMENT_FROM|ZU_CONTROLLER_ENDPOINT|ZU_DEFAULT_PASSWORD|ZU_DEFAULT_USERNAME|addresses|clusterDomain|commonName|config.yaml|data|dnsNames|dnsZones|domain|email|externalIPs|host|hosts|ip|ipv4NativeRoutingCIDR|k8sServiceHost|loadBalancerIP|my-asn|nameservers|peer-address|peer-asn|secretName|stringData|whitelist-source-range)$
- version: 3.7.3
diff --git a/kube/1-clusters/Biohazard/2-config/4-vars.yaml b/kube/1-clusters/Biohazard/2-config/4-vars.yaml
deleted file mode 100644
index 779a9966..00000000
--- a/kube/1-clusters/Biohazard/2-config/4-vars.yaml
+++ /dev/null
@@ -1,140 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: biohazard-vars - namespace: flux-system -data: - CLUSTER_NAME: ENC[AES256_GCM,data:UTNoF7TkZ/Le,iv:mkA1AMzFXq0XEbprrqFCVWEyU37m/2y0P2SDzjDyTmw=,tag:bmh3LiqDrLEYuCzH1TnJzw==,type:str] - CLUSTER_NAME_LOWER: ENC[AES256_GCM,data:dxucmLtxUMJg,iv:tco3xaQ03sBsr845xNrJvrqBa06DN+UwCZZrQ7GHkhA=,tag:Q0EtxM/GSYPGGPHCL7loSw==,type:str] - CLUSTER_ID: ENC[AES256_GCM,data:SA==,iv:GFilkbJkxv2S3+DrAXKNsFSttBXk4HZpmyA4Jp+6JQs=,tag:4yyV6bwxbXqb/BJC5XcMMA==,type:str] - CONFIG_TZ: ENC[AES256_GCM,data:QU5C/D/cxN6t4t55/7A=,iv:Qt83MzR1mPAuKobVQZJQR72SXLAwWwI7HkDxOAkqofs=,tag:3FtJVBMHMSVMgiJWqmqf1g==,type:str] - USERS_1_UID: ENC[AES256_GCM,data:oxx0hA==,iv:5NnJorvwN9MibgQ9WFrb1AMYz5MGd5AfeDylb1RHe2k=,tag:MtZKpIZgqVbndY8Qk5J0og==,type:str] - USERS_1_ID: ENC[AES256_GCM,data:d+gVpZ2++zMJ,iv:EfKZSpKm9NsGTU4/lyVmueULkg/Dx2We3Wr2M1DkH6Y=,tag:Lq789OomRXAHKVO21Qj0Iw==,type:str] - USERS_1_NAME: ENC[AES256_GCM,data:HUBTvrZQh+cC,iv:9uE5OqV55E1mMPN1jV4RKgCwPh5FvQge1+oegL2TADY=,tag:DaDmQyg+w/yJ2RLFTcGyjA==,type:str] - USERS_1_EMAIL: ENC[AES256_GCM,data:NWF8aXnyB0p7hUro81SLeVk=,iv:Kt9la8dAKHso8blM8GTt2xdiKuE77NHw53y066zAZbk=,tag:grxCUlIVaMgs8shcZFI0bg==,type:str] - USERS_2_UID: ENC[AES256_GCM,data:ZA0Kzw==,iv:us+lwrUhPHRfapkcvw96TCUiiIq9Irk35niyO0xKWLc=,tag:85g8u9OApI1kH37bvcvT6g==,type:str] - USERS_2_ID: ENC[AES256_GCM,data:6Z/3XWU=,iv:7aoHN0pTeluYm/Rh2yjPKejFyKosIT5ntpXJZVbxY1s=,tag:neSexW5qCUSH0txXv37KTw==,type:str] - USERS_2_NAME: ENC[AES256_GCM,data:+i35bJLaW4w=,iv:zYvn5k22T91E88Yo8Z6uvuEHo24XBaARdOlKujvAWzs=,tag:SGGEHHVKmqXZwMhyRZIIhw==,type:str] - USERS_3_UID: ENC[AES256_GCM,data:mfTAwA==,iv:B5oBG7bKMYpUFrvcw/ux9dT6xqp519F5gK/WcQfmUS0=,tag:37q3oEokY/AVsy5o3TL/BA==,type:str] - USERS_3_ID: ENC[AES256_GCM,data:UJWthgQ=,iv:yP1SbGOkCTss5/RjNRFOLI1kxIDWMneiMwrBXt8lECw=,tag:KW+AtwPnChJTgWCrj9mIPw==,type:str] - USERS_3_NAME: 
ENC[AES256_GCM,data:89cfPpVUwIniXQ==,iv:Hrh3k31gtzJ9ZwRng2K5ExmEehMomrRw0Zaq/P9k3oc=,tag:OZc/mFYyx+7tiRMIMYqFDQ==,type:str] - ASN_CLUSTER: ENC[AES256_GCM,data:v1ltZfY=,iv:Ip1sIVFLw4j6qbqKYf0jANRglSlAnKZhqNdRunZdR24=,tag:fOsYxQObj0Wv664IoRtm9A==,type:str] - ASN_ROUTER: ENC[AES256_GCM,data:/7gZcwY=,iv:ldZNIACK5B4ZvMWYCzHN9zUlArkOIySHSTUrjlrEF1s=,tag:98OXCN+tI2BIt8CEo99QVA==,type:str] - ASN_EC2_INGRESS: ENC[AES256_GCM,data:TcMj7s8=,iv:aQ0lCtQWklJmGstOKeptKAmqHI1W9LrrK6dT2u/4ejs=,tag:WoQXlgdZjc7yMlirgVft8A==,type:str] - IP_ROUTER_LAN: ENC[AES256_GCM,data:xanezieQQCE=,iv:sz1ZvwmS3zfHUhgvLZjeyk9InAJ4nPovhRaMq3tE/EE=,tag:oELn/j4ZKlKg4v6SKZkNsg==,type:str] - IP_ROUTER_LAN_CIDR: ENC[AES256_GCM,data:533OOX4NiEO2QK0=,iv:Wcb1Wj4OO7ZnyEC7jcNXadQxQBm9V8DQkaJX9XoMVjA=,tag:uIB6K4G9hUGFNLQT55GKIg==,type:str] - IP_ROUTER_VLAN_K8S: ENC[AES256_GCM,data:ngwfmrXjohzP,iv:U5DSCUUCZbIhwVAgv2gW98t8d8QwDSOM2YybNQWpgAw=,tag:vPTdK0CHET13l3x2eWb7gA==,type:str] - IP_ROUTER_VLAN_K8S_CIDR: ENC[AES256_GCM,data:a6CelKuP9lYOjXHm,iv:hZxSfx0Nj2aCPxj9GeHpaiuKDa85pqxzx47v4zxOPHM=,tag:8xpQHvtXLDQ7C5KcjqMG0Q==,type:str] - IP_WG_USER_1_V4: ENC[AES256_GCM,data:V9jINBdQjtkYwd1YcKE=,iv:ozo245sBYp4JhPN8EFtrLLlsH5oYtR56sRmXSC9TApU=,tag:4onSK4qyLBW7wV1XQOrCnA==,type:str] - IP_WG_GUEST_V4: ENC[AES256_GCM,data:dhkFXxdMUpqrGyvRePI=,iv:to7XIY/iJUeZSfWZl4983Ageg4SquUasBLCsyxgo+m8=,tag:XUP4K1GuJhyFEy4By0aEFg==,type:str] - IP_CLUSTER_VIP: ENC[AES256_GCM,data:GxYFwPSJ60yN,iv:KfSez768cxxjiUi7SFUEBiecfpQ0If9dbvPJlK/SHdM=,tag:8wb4wfnh4+Pnu7GYIlSs4Q==,type:str] - IP_POD_CIDR_V4: ENC[AES256_GCM,data:8NQgsJ5G6NB3i5Z+oQ==,iv:gqvHClld24aRnLEVS+ZXTXEee5WKNux6DgOcNIStvLk=,tag:keMcbbSis5cjsi7L76TMbA==,type:str] - IP_LB_CIDR: ENC[AES256_GCM,data:/qxOk5Vn8Q1/isE+iw==,iv:BhOMIotgJEWcLJOfP/unKrjX72ZEY1RfBtt5P14hQko=,tag:BSCy1PquhSew/ofhyGOLFg==,type:str] - IP_LB_DNS_CIDR: ENC[AES256_GCM,data:WTztF0IxJyBNJ27ocAI=,iv:F7jUJgeAe+edLG64NjTXqujS6FG5Bp5pKlIvpOTuPOo=,tag:rJQmbPzqmwFrDUc5SToeog==,type:str] - IP_LB_DNS: 
ENC[AES256_GCM,data:EjqSz37GAhmunLI=,iv:IYQ46iJMT3A5JrfKM/+AmV9JIcYJ0uMXxWUKyinV5JQ=,tag:hWkC7U5zKvcxBp7oThYguQ==,type:str] - IP_HOME_DNS: ENC[AES256_GCM,data:vgSoWr2cIRU=,iv:xR+QBTE5PGri3u3PmDFEt4Y9CcDLou7TPtDbHjStOoU=,tag:NpepI2uYYpMXnf56+nLuow==,type:str] - IP_EC2_PRIVATE: ENC[AES256_GCM,data:h1fURs4vImzeM7V7,iv:vBouKgNUOU+5RwzIu5Nu4XZlTnYPc0NCuFxZAL7A+ZY=,tag:th3ZSftw2jhvgydpdJ0Aug==,type:str] - IP_EC2_NON_K8S: ENC[AES256_GCM,data:l5TXKSqsZrgU998=,iv:mu6amtzWpStZkF3VASVF15It+x3P3SS1p6K2Vz7tcA8=,tag:l3ICXl6t/nTKncGCjjeVSA==,type:str] - IP_EC2_INGRESS: ENC[AES256_GCM,data:Vet36CiEB0M0hw==,iv:TIRton/qZlehRvOH5pWBbuhqjdMJofYFriZ93pSPNic=,tag:uEXxhd9/ZKBfuaGOx02lpA==,type:str] - IP_OLD_DOCKER: ENC[AES256_GCM,data:+q2fSaAdgRIr,iv:9N2okAfqW093u4s1/8UbXtuaJr7QVhl2O0ulorZtfE0=,tag:a/5TMV+YPhpJ4GWrnL3uBw==,type:str] - IP_TRUENAS: ENC[AES256_GCM,data:HYQ0BxOcG2JY,iv:IRSY4sX0rqK7clCm1IyqI2rJc/ZSTNYnATsJ268fVfE=,tag:EIBHZURvYt+NOl5R9I0cAg==,type:str] - IP_PVE_CEPH_CIDR: ENC[AES256_GCM,data:uL5b7pXEasFjq6gr5g4=,iv:HG1HuMTUsFIjq2aw5NQfJa/Zs1Kfg8KL3XzgQErY5+U=,tag:b3P9aaHuy2obRoxG0rqIaQ==,type:str] - IP_PVE_CEPH_1: ENC[AES256_GCM,data:k+/fYQrxXzLUPTA=,iv:14r6kh+UEOnkw11kxUXgbKRRkHpoYcdEB4lex+BjDMA=,tag:WXziFucgkYyvbTfw0X3g2w==,type:str] - IP_PVE_CEPH_2: ENC[AES256_GCM,data:LTtBfHMenuBqbPI=,iv:B1tuxqSaIph63XUOstI0MnrJ+HZ1A430Q7BBX3ybz8Y=,tag:du4p3ez3O+mupvOSb56OMg==,type:str] - IP_PVE_CEPH_3: ENC[AES256_GCM,data:gxjoi4WkwLtHxns=,iv:rv8ine1GbF+F5WdN6l8P/jafiWvdnVqtdLuSQ9Qvi1w=,tag:ben6zFJc4S8lK59s0Uvfvg==,type:str] - DNS_CLUSTER: ENC[AES256_GCM,data:dVS38myraH4=,iv:WScCvhcW9C/qckIlbDDWR8tzIYZdG58lbYmThdPQpro=,tag:3RDQ97sbEganiHRf42A11g==,type:str] - DNS_SHORT: ENC[AES256_GCM,data:16FRvQx8,iv:5xVBGMf/Bp3XqHDwl9ZBb14nSVkTg3eWq5FU2cYoRyY=,tag:uzCrxTBEv/Iy+Ht0gK0kjQ==,type:str] - DNS_SHORT_CF: ENC[AES256_GCM,data:KIQsZOwPdbFchTAls1w=,iv:EGuLZDXAgYo3TMW6bwxBY7cxInsOirTN4MRIBC0ipT0=,tag:ou3/FHNn5NYKvqRJAl74kg==,type:str] - DNS_MAIN: 
ENC[AES256_GCM,data:V5QOelS0L9R9drkh/Pk=,iv:GTTFkC73534oXM3QR8J3kHrZb163Gel7eu3e2P1X2Yo=,tag:DUD006mJM/uEjkiRcn/HlA==,type:str] - DNS_MAIN_CF: ENC[AES256_GCM,data:nKv0vNdMkcHplJRN0+qUPl6uXgeZgA==,iv:pN/xBrDWlffHSmzYP59XJFKDozi6GmnmMSGNPuKe3GI=,tag:kIUX3F8yEJGu3dEE656xqg==,type:str] - DNS_VPN: ENC[AES256_GCM,data:8JxuF//vCDNq,iv:2WxWpAIdIxL+yvCirawdTtZO+BSZbturp7c3JAwItsw=,tag:jItEw4Mg4a+OY/hmxDt1/Q==,type:str] - DNS_NAS: ENC[AES256_GCM,data:grpo8AdSb+VFPQSx2Z/KE1YSIrs+ogdpGA==,iv:ZJqmNumTpuq0A3JeS8jVvJNl+M9CdvQnHj+mooh00oo=,tag:CLHf7w+fUtLQ5cpnof2cuQ==,type:str] - DNS_OLD_DOCKER: ENC[AES256_GCM,data:uDLk+qfZlM9FkJ7uWP1ZYWD0wdIG,iv:iHJojVMWN6cq2XdvQLMsODrVeLhhn/Cqt5ZGr/ONy2A=,tag:3WuGLTQirXUjfiY1rIYcgA==,type:str] - PATH_NAS_MEDIA: ENC[AES256_GCM,data:fzeT0pUx/geFxfnY67ZwUgAOF1r13bjSxFCCQz+1,iv:nYFnXgfJWl8ZPpxleet1Yq19t+6ncVkrmGyhGSchSxE=,tag:uj9grinnmKB1xKC2LwrPkA==,type:str] - PATH_NAS_PERSIST_K8S: ENC[AES256_GCM,data:2mrL25UEMNixYz1r3xKXbEujs8Q2v9gba7n1ZFE+K2+3xCYk,iv:li530rI54Gr4htjBqV1JQ/6HJy3R6s0lzDcvxddjuqg=,tag:vmkUlu2t1eoICzfkJ6q61Q==,type:str] - PATH_NAS_BACKUPS_K8S: ENC[AES256_GCM,data:71LMN1K0cALbMbFV+rpWFNNL4wKg39yRj/k2elyZLBB/x0PW,iv:EaxdXLHE0mTpBlgn5GLCUUDKSHAHJUOeRNbIHvco5VU=,tag:u6NR3fWy4ZjN8r+7xyw3lg==,type:str] - UID_NAS_BACKUPS_K8S: ENC[AES256_GCM,data:U0CwqA==,iv:suseYZlJ5hCHTAG3Nj7QLXwhS14FG5h27aNnZnJpnqs=,tag:OV9WCdBHizUl11FPU8TVbg==,type:str] - APP_IP_NGINX: ENC[AES256_GCM,data:9Kg5zjk+1XfUHg==,iv:dbO0hMMho8J3t0mz6Eb5uMDB3QUCjG5pXPdeuQUFbNE=,tag:ICGE5EVo27W0rUB+Jekf2Q==,type:str] - APP_IP_K8S_GATEWAY: ENC[AES256_GCM,data:oakciyUzwLlGJsc=,iv:leuHfW59gWSDaEpaOEMGbSpGFtbzAnoRp4spLxlTEq0=,tag:vltbWvNKa4QvEgXXo58d/A==,type:str] - APP_IP_HAPROXY_PROXY_X: ENC[AES256_GCM,data:xkHni8dSMhZ3WQ4=,iv:qSAn5AS/eTeoxHKm0jLE0UUacDWKn1zF3WwYRwgCrrA=,tag:aYASxzUU2eOpTEBZFe6fwg==,type:str] - APP_UID_HAPROXY_PROXY_X: ENC[AES256_GCM,data:mbTqeA==,iv:Rldvrqt/CCBDjkGjN5mYo6W/HS4KmbbyYQ/iM6gajXI=,tag:ZclSGas3/QO2vj0CSaEIoQ==,type:str] - APP_DNS_FLUX_WEBHOOK: 
ENC[AES256_GCM,data:k1MXnV8pY+jYV5OZBqAcehzbC2sk+07c,iv:MFcMyHJq4+spwnqi5L6/EaohuaotgYzNS4opOqXzElg=,tag:KBNuiwMEoc3cRuDHl4tBsw==,type:str] - APP_IP_RADOSGW: ENC[AES256_GCM,data:79oO927eM1X8MA==,iv:cbhtTynWbMIKM8yRGywO9OJWxyWabZzW8VgJQxpSZd8=,tag:OU5+0QEKqjvAwATFdIBwgg==,type:str] - APP_DNS_RGW_S3: ENC[AES256_GCM,data:fBY7hU4Fo2HX,iv:crGFgE9fg+kVHMc2NrwIPNjtYKI6vw3iZd0GaVYymp0=,tag:8xKHmECqb7J+lRC1BKAZUg==,type:str] - APP_DNS_INGRESS_WILDCARD: ENC[AES256_GCM,data:7OG0ww6rUzU=,iv:5ig0dQIfSVxbQS7nuqQygRcBKk8UmBFxX0unVT9bdzE=,tag:mCOMUNFEZs5IFvVrRNpFiQ==,type:str] - APP_DNS_HUBBLE: ENC[AES256_GCM,data:90bcM7y76gSJjw==,iv:JJc4oW8z9Yz+sYoa43c5AdQuxaxdg17C1S5ywIE5NJo=,tag:LMt18yKdpR+hA7e2OOzI0g==,type:str] - APP_IP_KANIDM: ENC[AES256_GCM,data:MoL8QlY+3Lu67bA=,iv:peKQUJaEVeij0r0mJR5kksz8zO8vBjLWolLFL8sWJbg=,tag:X4uvnVT/SnUzl4mAxQAl2A==,type:str] - APP_UID_KANIDM: ENC[AES256_GCM,data:iyQvyaY=,iv:2I+/oGDd0c7ghC0VbGpJafCTDw1PnLB0jXa06qdoI+M=,tag:EJz7ywUbTIoCMxJJOX10wQ==,type:str] - APP_DNS_KANIDM: ENC[AES256_GCM,data:S/xQjxjbfgCi,iv:ujrQitd5gfNVz6cV2j1hsJRB9J1js13na0ndBquxq3k=,tag:UOI5Pbi+oahrDtz+SVeH9w==,type:str] - APP_IP_ZEROTIER: ENC[AES256_GCM,data:GjIY+6p4+6milRg=,iv:agX8rov+AtECRVeOu3wmoQRVWMNutOc3a69fzWY6eoA=,tag:NS0yiFfBTWt7/P9an/3OQw==,type:str] - APP_DNS_ZEROTIER: ENC[AES256_GCM,data:On0V31SI96BRUOjQ,iv:H50ISSmHflDqOqURbwBrcWRkvOQGlVI3mnSXfY8pZ28=,tag:/VlnnoGna2H3L0LGMWF0dw==,type:str] - APP_UID_MINECRAFT: ENC[AES256_GCM,data:ArIA644=,iv:Q3SqB3O2nrPrOUcwhhbdXiegsty/TlHIllH/wRicYo8=,tag:yTGH0JEXPOCfqB5iU1azCA==,type:str] - APP_DNS_MINECRAFT: ENC[AES256_GCM,data:XYM4FJAjpDBg,iv:bmnvwvaKOKfY2+S7O0PyV8JOtOH9m94eUIQa2M97RfY=,tag:tvIllwZ72w4GbEqZJjZX7A==,type:str] - APP_IP_MINECRAFT: ENC[AES256_GCM,data:tU18Ee5Vi98mNRw=,iv:MSNHyroetvWu1wPdPE2+JtxDegZZj25QfcQVq8hcywE=,tag:wxhrsqA5lCPlRwjFgrtPHg==,type:str] - APP_DNS_WHOOGLE: ENC[AES256_GCM,data:dPOzY+3coD0=,iv:s9id6/x60GDrNm4mEuWx2qUKrDsgADVRXCKuwki7Ju8=,tag:mPTKni/0vH/lTSqnAr5gCA==,type:str] - APP_DNS_GOKAPI: 
ENC[AES256_GCM,data:1AI66ICh7pPsij2IpZJ7V9HcFMc6,iv:r+E2tkEPawLDWpE+OiJ6dNM/RrxhlP7NH+CjwAxhhYE=,tag:QfmCosR+J2fTV66AAelOjw==,type:str] - APP_IP_SANDSTORM: ENC[AES256_GCM,data:2V+Dy1c3hOepKEo=,iv:l1nv+BrnEjsrvdONhBY9EgA8lSO2Nmtdr7Ktl9twfT4=,tag:ls8DbeJnvdwZhUA+deP02Q==,type:str] - APP_DNS_SANDSTORM: ENC[AES256_GCM,data:dc/OufmvPkYMRg==,iv:8GUBWGGdEJ5A+wYFaLJljYYn3hUlpH9/cGy6641GDEw=,tag:gE3j/iytsqPKUm+R1g3suQ==,type:str] - APP_IP_SATISFACTORY: ENC[AES256_GCM,data:lpwAYR7CuX40NEI=,iv:OCSlGR42+Zpsi/CHuyFMIE2aY+jGN4E0slFf2/Ei3oU=,tag:cw1eROYU8V3rGG5ltyFvJQ==,type:str] - APP_UID_SATISFACTORY: ENC[AES256_GCM,data:eWxuUyI=,iv:Hs3xHdm/ewF0BnGOYK6XgQM43LDhngtZXvna7XTDiok=,tag:J7SDzgEroyl2wje9XsprQQ==,type:str] - APP_IP_SYNCTHING_USER_1: ENC[AES256_GCM,data:3jh9VglVsJCWzHF1,iv:dwpjZjETiFIuRXBSutygAyA2R4EpYas0oT8kI+YF320=,tag:DdA1SZ3DJKJ7tXsPJ6B/dw==,type:str] - APP_DNS_SYNCTHING_USER_1: ENC[AES256_GCM,data:xvLsX+wvGgOdQOc=,iv:/f77W1vUGI2FHvG4hsvzXCJWiinRKzapU0OHC8vZ1ac=,tag:oHjNluzCh7lDUEHaxW2YWg==,type:str] - APP_DNS_AUTH: ENC[AES256_GCM,data:A67gznl/VxXxPiMh9zH1fa8VQA==,iv:oCCxFDb7Uo+AfXtuOf8L8Cukm4VAWzL92w8VgJp40dM=,tag:xFCS9csJIFvJ9XufVrq4Rg==,type:str] - APP_DNS_AUTHENTIK_OUTPOST: ENC[AES256_GCM,data:gyg2UXx8JuSolbw=,iv:DV07474lwsPFmInv9GOh/BUAhkjWazM4bRSwymEja5Y=,tag:wBImn9uxDHnIIeiL3Z32Vw==,type:str] - APP_DNS_MATRIX_1: ENC[AES256_GCM,data:hxDtUQukIQ2yLWgRD5Jm80/wrA==,iv:REX9VFBnhZgBoUb17EEEGvoZFE+hDcXo2M8q2ZbBNcQ=,tag:K6Wuk+cymQBgvTOk1sZbAg==,type:str] - APP_DNS_MATRIX_2: ENC[AES256_GCM,data:biJhY9HmiWczBOYlS+2bZS7f37X1,iv:bLyvC6njEG9iiqFZs7M6KRKlKSIQ12oKYL6cR0WhZBg=,tag:tLjmT4kCjbnZ1b4j6r+CAw==,type:str] - APP_DNS_JELLYFIN: ENC[AES256_GCM,data:DdzpJ11t7OeuXnE=,iv:DYb0CnMrITi7RbhFuo0vrkSZ1hgx3Y26m0rrdSVqD6E=,tag:OYiYQJ5U0lokHq2/Fc6yyw==,type:str] - APP_DNS_KAVITA: ENC[AES256_GCM,data:DrM7k/xv53Kt3Qk=,iv:Kg5jGe+C1fYEX/S1tKrNDBjmPWNhXY4ZvKBR7Q/a/p8=,tag:53cOr/gGIY6D9liyCueTBw==,type:str] - APP_DNS_EXCALIDRAW: 
ENC[AES256_GCM,data:rfCxmnVhsMdrxpE=,iv:986z/C8JghEQa8+qUmWmZr6ozWSDl3NpC3YafJhX2gA=,tag:d8q+v1lXNkPok0uOdbzz1Q==,type:str] - APP_DNS_VELOCIRAPTOR: ENC[AES256_GCM,data:4hypG+kYPFeToA==,iv:+ku9GEG/Nom7khxBDmXUzrvOVTNXQ/OQupmtbW4Tqtg=,tag:0WlPdrThtEub98lXrfmcGA==,type:str] - APP_DNS_NTFY: ENC[AES256_GCM,data:zkcxMVvH4MljlHg5KQ==,iv:dWHWN+B6hoapuyb3gYSu3m7J4FBrvTBZjgtqSzNzP/w=,tag:B5NdF7VxdpJt2vNz28Tyfg==,type:str] - APP_DNS_NTFY_MX: ENC[AES256_GCM,data:TtNjgep7xFzO1GR0IbUA,iv:M6sWzxyQq3/5t9IeEFfy1z/7PT8xdO8co9dVQXcl0FY=,tag:BKS9gII+tqdSopzkWbHmYg==,type:str] - APP_IP_NTFY_MX: ENC[AES256_GCM,data:N0JkbFVQlpTewDw=,iv:vgN8UlfB3JiOdhl+orMv8OVP4Os3aRqN5v3VhrlQETE=,tag:83aPZlXh9nhDxlgUKxTm3A==,type:str] - APP_UID_NTFY: ENC[AES256_GCM,data:1vst7g==,iv:bvtaODmSDEQus5KJWZoHCrOK4XlTWIjpHCetKEmz4LE=,tag:kKYABpYz1kbcNchVG3BnwA==,type:str] - APP_DNS_HEADSCALE: ENC[AES256_GCM,data:o9EgucmBe0qLI3qo,iv:liuybypx7iY6+ghlJ8upWGQzKB+P0o023X7WX3MJTmM=,tag:5wd4D3cY64Y4Hv/ToGWAsQ==,type:str] - APP_IP_HEADSCALE: ENC[AES256_GCM,data:KMNHdUxhtJEJH/U=,iv:jaDP1wzBIBmy62eGOFfHNr9utLxmTvOEMdN+bwhlZUI=,tag:rwoun7n346WVpikQaaggBQ==,type:str] - APP_UID_HEADSCALE: ENC[AES256_GCM,data:ITXTwgA=,iv:Fm9Eap5qx/4PCf1k1cf89v6dE8qHqehEcClU4dfQEtE=,tag:vlrPEHVDLlk9LN2GZXb/PA==,type:str] - CONFIG_MINECRAFT_OPS: ENC[AES256_GCM,data:BKfjfUQQXd025nNZCHQki/SeqiMQVCUP9tCkmNwUgfvj7XK6,iv:7+tp1IJ06UfZt53HLnFOByrTWFY31AHiQwjrrUS4OqI=,tag:TSvw3notEqgPIORTWHwUBw==,type:str] - CONFIG_MINECRAFT_ICON: ENC[AES256_GCM,data:AINTGnjPbWZCVJKdL4Mx8bBhOUnQU2BEhqr0730/OJATkKBzcvxf7R9HlX37uFI=,iv:HsvxmHYUb350vSulAVdBHonB6cA+0pu03t5BaU8EuUs=,tag:gGr7OY++7+yuZ36TwXcbaA==,type:str] - CONFIG_MINECRAFT_NAME: ENC[AES256_GCM,data:zhsyGymdQKgeX58X2Q==,iv:dGbrb4ZytcRpj4ie9dzM2TUVnzC4YQvCey+/G9uFcGs=,tag:IpFutt4G5JMP4hUIOgbqqw==,type:str] - CONFIG_SANDSTORM_NAME: ENC[AES256_GCM,data:W2pYLk1bmtKjXfuJY4nv9HkqIBI4aRA3X+JJTw==,iv:UEWUAJYCdy2r5jYayTAh5uv5aq4XFkuD1IYSmf76TyE=,tag:J10gXb5idJazhtqA5QZL8A==,type:str] - CONFIG_SANDSTORM_MODS: 
ENC[AES256_GCM,data:JDJaT7SijJJtMlkSmkxAaDk4Hho/Agwo0ME8U1sFF28IM1BsVNKxwG1oqM67lQmcpn1+xfTtluYhITNnGQxxb5wGj88rcVbtJ6LOXSbs+b3zYQq6Poy+,iv:igN5kELq6f79dS1RQ6OyBP/TGqgqzoTE5TRZO1ZDO8I=,tag:UF0S5tvuFKDTDBlTw1EIWg==,type:str] - CONFIG_SANDSTORM_PORT: ENC[AES256_GCM,data:DCUpuGQ=,iv:EKQeHXHjI4L5VsBrTDAB6GH7QUWT3DV8ba/ENfKkKpY=,tag:KlgOgK9lPf/YvpTcJ6lpZw==,type:str] - CONFIG_SANDSTORM_QUERYPORT: ENC[AES256_GCM,data:qetg5l0=,iv:/1dHG7+XADC5Unur1C5TDjNqz1fOn67dPlkB0cEHAnI=,tag:uB/YmWsdLuwL0McI1PT0Pg==,type:str] - CONFIG_SANDSTORM_MUTATORS: ENC[AES256_GCM,data:HumP4HOeZ06JaFBHCl9PHza5orjTVWfmLBq3kSdW+ygD+Avf6dDM+BVm7GkoqRIPtWEJMyMcOOUyF1bzbzrNca/PkMsNsP6/YspRd+QsH+w6JxsGSMqxEpKzN4wbBuIRH7PYbp7PncBOmoOMAOaYW3BEnsdBcV4II7V0+sAKPNQ4zsi0y6LmLaCFtjAOQhi6MMSPfcl9JTD6UoLizD8=,iv:BwbTdDXi6nVqtF7TrSoDLxJKz3Xv6gKZFiU2D2bRgkY=,tag:atIZxrt/BJdijPf2fMDEvw==,type:str] - CONFIG_SANDSTORM_INIT_MAP: ENC[AES256_GCM,data:uaM2kX5hlN2BoQ==,iv:U2jmxP35cy/eWT1JTdfr6Z3b4NAzIHG55Kb4emoAin0=,tag:rNCaa5zwKHesrto092oUcg==,type:str] - CONFIG_SANDSTORM_INIT_SCENARIO: ENC[AES256_GCM,data:OJVCFbvqWXuYUPvdCiwRngUzfw==,iv:1NkA4VaF/xUdudDD2W5dHEDw55dkzwo2sof5krinJz0=,tag:rmD5eZpnHpOcSJXel3AQbg==,type:str] - CONFIG_ZEROTIER_ENDPOINT: ENC[AES256_GCM,data:We/k3H6tvdmYoZ+i27Lll3bLRhXquz3fvztDI9T4tPjRc4uhG6fkpoa04hEAJffZc7yWNFUzUycPAp0=,iv:B6QCm/4bR68QEudl5o9kwJ6OtQvn1RrWeS6/W+Iaf/Q=,tag:S5xCE5e97gsBId7tpQA/mQ==,type:str] - CONFIG_AUTHENTIK_REMOTE_HOST: ENC[AES256_GCM,data:RktEkjsMjW9XiP11sAyY5UvJ1s8/zOQLmavssvuoxqE=,iv:l8oEH8Yr8s4T+UW8J1lKjA8+ODfJQRjCTzlLZuPtQIk=,tag:0dpudjOZEDitQEyTDV1Hbg==,type:str] - CONFIG_HEADSCALE_IPV4: ENC[AES256_GCM,data:59Kw5W38xsYd9XqZHaQ=,iv:OZ2ja20Qn31Hh3AsjS9ckhd5CoLmyChE8WmeMhUjSzA=,tag:0qzxjVp/ce+kSMEc4QK4YQ==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2N0U5VDdoamlOeDNNVmVJ - 
R0ZDa0NPN2JsRUhNR0E3T3gyUmk5aUtnR0U0CmhRbCs4cFQzUW1MczB2MXJlSCtw
- cWFIS0ZDVVpCMXo2VGl3Y1lCMXVnV00KLS0tIDg5ZHkydkZQY0kyd2N6d3NaNXpn
- SnpvS3RUUlFMM1dUNGZQNkVqQ2VqNDAKywch6CgtS1AFLYxfML5dB7/5V6qZ0ob1
- 63vBpqjOza3EqvfNKo+UMtK/fRK0Q5jlpuI+0/z9VrxzKEWsgUCBVQ==
- -----END AGE ENCRYPTED FILE-----
- lastmodified: "2023-05-29T05:19:33Z"
- mac: ENC[AES256_GCM,data:nYDPgE2ajccGtYQs6iupY02Da/HwK6Jbl7T7H5gbpD/cxSSHEg8PIsulIuqwKE6bAK/SYyUN3IW1aYEuFq0o4P8Q7UWZcQRX8FHokpa4mz94nEe9hmk2PKvAuZobNuiciSeVs6Jibe48Vy88cqAsAibndkphwppJLgmg0FZbV74=,iv:KDNVCiipw78AgUgQg85/WwBrp6Z+ntwLUa5vggNz9Tc=,tag:FJ7dimSFdWbg6qU4yl/Uxw==,type:str]
- pgp:
- - created_at: "2023-02-22T08:12:31Z"
- enc: |
- -----BEGIN PGP MESSAGE-----
-
- hF4DAAAAAAAAAAASAQdApDZUJ8WE2m1xLAzsFWtOww4cq9F7IhyLDmyrQo4oeFYw
- z+9ma/isaJwuYhztl3HXM3O8rUMJ/QPq254aejifMUbnNlMZyRhF/XV6MMNJQ8VV
- 0l4BYsXvxQ6J5vdjW0HE/2Il9tJNWdvVlDmF6fK9RV8zfqDeDU3fVRbWttE2d/Ad
- njWniaItCTc2ueSfl3zyt88S4+qQn5lJOMuE+nYiF1Ip4TdoCkh88W/TGsQ/TbPi
- =mQzo
- -----END PGP MESSAGE-----
- fp: 31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2
- encrypted_regex: ^(NETBIRD_AUTH_AUDIENCE|NETBIRD_AUTH_CLIENT_ID|NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID|NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT|NETBIRD_DOMAIN|NETBIRD_MGMT_DNS_DOMAIN|WHOOGLE_CONFIG_URL|ZT_ALLOW_MANAGEMENT_FROM|ZU_CONTROLLER_ENDPOINT|ZU_DEFAULT_PASSWORD|ZU_DEFAULT_USERNAME|addresses|clusterDomain|commonName|config.yaml|data|dnsNames|dnsZones|domain|email|externalIPs|host|hosts|ip|ipv4NativeRoutingCIDR|k8sServiceHost|loadBalancerIP|my-asn|nameservers|peer-address|peer-asn|secretName|stringData|whitelist-source-range)$
- version: 3.7.3
diff --git a/kube/1-clusters/Biohazard/2-config/5-deploy.yaml b/kube/1-clusters/Biohazard/2-config/5-deploy.yaml
deleted file mode 100644
index c300c0ca..00000000
--- a/kube/1-clusters/Biohazard/2-config/5-deploy.yaml
+++ /dev/null
@@ -1,452 +0,0 @@ ---- -# core components first -apiVersion: source.toolkit.fluxcd.io/v1beta1 -kind: HelmRepository -metadata: - name: cilium-charts - namespace: flux-system -spec: - interval: 10m0s - timeout: 3m0s - url: https://helm.cilium.io/ ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 -kind: Kustomization -metadata: - name: biohazard-1-core-01-networking-cilium - namespace: flux-system - labels: - kustomization.flux.home.arpa/name: "cilium" - kustomization.flux.home.arpa/helmpatches: "false" -spec: - path: ./kube/3-deploy/1-core/01-networking/cilium - dependsOn: [] ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 -kind: Kustomization -metadata: - name: biohazard-1-core-02-storage-1-external-snapshotter - namespace: flux-system -spec: - path: ./kube/3-deploy/1-core/02-storage/1-external-snapshotter - dependsOn: [] ---- -apiVersion: source.toolkit.fluxcd.io/v1beta2 -kind: HelmRepository -metadata: - name: rook-ceph-charts - namespace: flux-system -spec: - interval: 10m0s - timeout: 3m0s - url: https://charts.rook.io/release ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 -kind: Kustomization -metadata: - name: biohazard-1-core-02-storage-rook-ceph-crds - namespace: flux-system -spec: - path: ./kube/3-deploy/1-core/02-storage/rook-ceph/crds - dependsOn: [] ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 -kind: Kustomization -metadata: - name: biohazard-1-core-02-storage-rook-ceph-app - namespace: flux-system -spec: - path: ./kube/3-deploy/1-core/02-storage/rook-ceph/app - dependsOn: - - name: biohazard-1-core-02-storage-1-external-snapshotter - - name: biohazard-1-core-02-storage-rook-ceph-crds ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 -kind: Kustomization -metadata: - name: biohazard-1-core-02-storage-rook-ceph - namespace: flux-system -spec: - path: ./kube/3-deploy/1-core/02-storage/rook-ceph/cluster - dependsOn: - - name: biohazard-1-core-02-storage-1-external-snapshotter - - name: biohazard-1-core-02-storage-rook-ceph-app 
---- -apiVersion: source.toolkit.fluxcd.io/v1beta2 -kind: HelmRepository -metadata: - name: jetstack - namespace: flux-system -spec: - interval: 1h - url: https://charts.jetstack.io/ ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 -kind: Kustomization -metadata: - name: biohazard-1-core-03-certs-cert-manager-crds - namespace: flux-system -spec: - path: ./kube/3-deploy/1-core/03-certs/cert-manager/crds - dependsOn: [] ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 -kind: Kustomization -metadata: - name: biohazard-1-core-03-certs-cert-manager - namespace: flux-system -spec: - path: ./kube/3-deploy/1-core/03-certs/cert-manager/app - dependsOn: - - name: biohazard-1-core-03-certs-cert-manager-crds ---- -apiVersion: source.toolkit.fluxcd.io/v1beta2 -kind: HelmRepository -metadata: - name: k8s-gateway - namespace: flux-system -spec: - interval: 1h - url: https://ori-edge.github.io/k8s_gateway/ ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 -kind: Kustomization -metadata: - name: biohazard-1-core-04-dns-internal - namespace: flux-system -spec: - path: ./kube/3-deploy/1-core/04-dns/internal - dependsOn: [] ---- -apiVersion: source.toolkit.fluxcd.io/v1beta2 -kind: HelmRepository -metadata: - name: external-dns - namespace: flux-system -spec: - interval: 1h - url: https://kubernetes-sigs.github.io/external-dns/ ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 -kind: Kustomization -metadata: - name: biohazard-1-core-04-dns-external - namespace: flux-system -spec: - path: ./kube/3-deploy/1-core/04-dns/external - dependsOn: [] ---- -apiVersion: source.toolkit.fluxcd.io/v1beta2 -kind: HelmRepository -metadata: - name: ingress-nginx - namespace: flux-system -spec: - interval: 1h - url: https://kubernetes.github.io/ingress-nginx ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 -kind: Kustomization -metadata: - name: biohazard-1-core-05-ingress - namespace: flux-system -spec: - path: ./kube/3-deploy/1-core/05-ingress - dependsOn: - - name: 
biohazard-1-core-03-certs-cert-manager - - name: biohazard-1-core-04-dns-internal -# --- -# apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 -# kind: Kustomization -# metadata: -# name: biohazard-1-core-05-ingress-nginx-svc -# namespace: flux-system -# spec: -# path: ./kube/3-deploy/1-core/05-ingress/nginx-svc -# dependsOn: -# - name: biohazard-1-core-05-ingress ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 -kind: Kustomization -metadata: - name: biohazard-1-core-05-ingress-nginx - namespace: flux-system - labels: - prune.flux.home.arpa/disabled: "true" -spec: - path: ./kube/3-deploy/1-core/05-ingress/nginx - dependsOn: - - name: biohazard-1-core-05-ingress - # - name: biohazard-1-core-05-ingress-nginx-svc ---- -apiVersion: source.toolkit.fluxcd.io/v1beta2 -kind: HelmRepository -metadata: - name: haproxytech - namespace: flux-system -spec: - interval: 1h - url: https://haproxytech.github.io/helm-charts ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 -kind: Kustomization -metadata: - name: biohazard-1-core-05-ingress-external - namespace: flux-system - labels: - prune.flux.home.arpa/disabled: "true" -spec: - path: ./kube/3-deploy/1-core/05-ingress/external - dependsOn: - - name: biohazard-1-core-05-ingress ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 -kind: Kustomization -metadata: - name: biohazard-1-core-06-monitoring-metrics-server - namespace: flux-system -spec: - path: ./kube/3-deploy/1-core/06-monitoring/metrics-server - dependsOn: [] ---- -apiVersion: source.toolkit.fluxcd.io/v1beta2 -kind: HelmRepository -metadata: - name: prometheus-community - namespace: flux-system -spec: - interval: 10m0s - timeout: 3m0s - url: https://prometheus-community.github.io/helm-charts ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 -kind: Kustomization -metadata: - name: biohazard-1-core-06-monitoring-kube-state-metrics - namespace: flux-system -spec: - path: ./kube/3-deploy/1-core/06-monitoring/kube-state-metrics - dependsOn: - - name: 
monitoring-deps ---- -apiVersion: source.toolkit.fluxcd.io/v1beta2 -kind: HelmRepository -metadata: - name: victoria - namespace: flux-system -spec: - interval: 10m0s - timeout: 3m0s - url: https://victoriametrics.github.io/helm-charts/ ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 -kind: Kustomization -metadata: - name: biohazard-1-core-06-monitoring-victoria-1-crds - namespace: flux-system -spec: - path: ./kube/3-deploy/1-core/06-monitoring/victoria/1-crds - dependsOn: - - name: monitoring-deps ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 -kind: Kustomization -metadata: - name: biohazard-1-core-06-monitoring-victoria-2-operator - namespace: flux-system -spec: - path: ./kube/3-deploy/1-core/06-monitoring/victoria/2-operator - dependsOn: - - name: monitoring-deps ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 -kind: Kustomization -metadata: - name: biohazard-1-core-06-monitoring-victoria-3-cluster - namespace: flux-system -spec: - path: ./kube/3-deploy/1-core/06-monitoring/victoria/3-cluster - dependsOn: - - name: monitoring-deps - - name: biohazard-1-core-06-monitoring-victoria-2-operator ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 -kind: Kustomization -metadata: - name: biohazard-1-core-06-monitoring-victoria-4-agent - namespace: flux-system -spec: - path: ./kube/3-deploy/1-core/06-monitoring/victoria/4-agent - dependsOn: - - name: monitoring-deps - - name: biohazard-1-core-06-monitoring-victoria-2-operator - - name: biohazard-1-core-06-monitoring-victoria-3-cluster - - name: biohazard-1-core-06-monitoring-kube-state-metrics - - name: monitoring-node-exporter-app ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 -kind: Kustomization -metadata: - name: biohazard-1-core-08-hardware-01-node-feature-discovery - namespace: flux-system -spec: - path: ./kube/3-deploy/1-core/08-hardware/01-node-feature-discovery - dependsOn: [] ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 -kind: Kustomization -metadata: - name: 
biohazard-1-core-08-hardware-02-intel-device-plugins - namespace: flux-system -spec: - path: ./kube/3-deploy/1-core/08-hardware/02-intel-device-plugins - dependsOn: - - name: biohazard-1-core-08-hardware-01-node-feature-discovery ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 -kind: Kustomization -metadata: - name: biohazard-2-apps-volsync - namespace: flux-system -spec: - path: ./kube/3-deploy/2-apps/volsync - dependsOn: [] ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 -kind: Kustomization -metadata: - name: biohazard-2-apps-tetragon - namespace: flux-system -spec: - path: ./kube/3-deploy/2-apps/tetragon - dependsOn: - - name: biohazard-1-core-01-networking-cilium ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 -kind: Kustomization -metadata: - name: biohazard-2-apps-kubevirt - namespace: flux-system -spec: - path: ./kube/3-deploy/2-apps/kubevirt - dependsOn: [] ---- -# all apps hosted on this cluster below here -apiVersion: source.toolkit.fluxcd.io/v1beta2 -kind: HelmRepository -metadata: - name: bjw-s - namespace: flux-system -spec: - interval: 1h - timeout: 3m0s - url: https://bjw-s.github.io/helm-charts/ ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 -kind: Kustomization -metadata: - name: biohazard-2-apps-dns-dnsdist - namespace: flux-system -spec: - path: ./kube/3-deploy/2-apps/dns/dnsdist - dependsOn: [] ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 -kind: Kustomization -metadata: - name: biohazard-2-apps-whoogle - namespace: flux-system -spec: - path: ./kube/3-deploy/2-apps/whoogle - dependsOn: - - name: biohazard-1-core-05-ingress-nginx ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 -kind: Kustomization -metadata: - name: biohazard-2-apps-gokapi - namespace: flux-system -spec: - path: ./kube/3-deploy/2-apps/gokapi - dependsOn: - - name: biohazard-1-core-05-ingress-nginx - - name: biohazard-1-core-02-storage-rook-ceph ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 -kind: Kustomization -metadata: - name: 
biohazard-2-apps-minecraft - namespace: flux-system -spec: - path: ./kube/3-deploy/2-apps/minecraft - dependsOn: - - name: biohazard-1-core-04-dns-internal - - name: biohazard-1-core-02-storage-rook-ceph - - name: biohazard-2-apps-volsync ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 -kind: Kustomization -metadata: - name: biohazard-2-apps-insurgency-sandstorm - namespace: flux-system -spec: - path: ./kube/3-deploy/2-apps/insurgency-sandstorm - dependsOn: - - name: biohazard-1-core-04-dns-internal - - name: biohazard-1-core-02-storage-rook-ceph - - name: biohazard-2-apps-volsync ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 -kind: Kustomization -metadata: - name: biohazard-2-apps-zerotier - namespace: flux-system -spec: - path: ./kube/3-deploy/2-apps/zerotier - dependsOn: - - name: biohazard-1-core-05-ingress-nginx ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 -kind: Kustomization -metadata: - name: biohazard-2-apps-hugo-test - namespace: flux-system - labels: - substitution.flux.home.arpa/disabled: "true" -spec: - path: ./kube/3-deploy/2-apps/hugo-test - dependsOn: - - name: biohazard-1-core-02-storage-rook-ceph - - name: biohazard-1-core-04-dns-internal - - name: biohazard-1-core-05-ingress-nginx - postBuild: - substituteFrom: - - kind: Secret - name: hugo-test-secrets - optional: false ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 -kind: Kustomization -metadata: - name: biohazard-2-apps-jellyfin - namespace: flux-system -spec: - path: ./kube/3-deploy/2-apps/jellyfin - dependsOn: - - name: biohazard-1-core-02-storage-rook-ceph - - name: biohazard-1-core-04-dns-internal - - name: biohazard-1-core-05-ingress-nginx - - name: biohazard-1-core-08-hardware-02-intel-device-plugins - - name: biohazard-2-apps-volsync ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 -kind: Kustomization -metadata: - name: biohazard-2-apps-kavita - namespace: flux-system -spec: - path: ./kube/3-deploy/2-apps/kavita - dependsOn: - - name: 
biohazard-1-core-02-storage-rook-ceph - - name: biohazard-1-core-04-dns-internal - - name: biohazard-1-core-05-ingress-nginx diff --git a/kube/1-clusters/Biohazard/2-config/ceph-rgw-ext-users.yaml b/kube/1-clusters/Biohazard/2-config/ceph-rgw-ext-users.yaml deleted file mode 100644 index fe6974f8..00000000 --- a/kube/1-clusters/Biohazard/2-config/ceph-rgw-ext-users.yaml +++ /dev/null @@ -1,9 +0,0 @@ ---- -apiVersion: ceph.rook.io/v1 -kind: CephObjectStoreUser -metadata: - name: jjgadgets - namespace: rook-ceph -spec: - store: biohazard - displayName: "JJGadgets" diff --git a/kube/1-clusters/Biohazard/2-config/kustomization.yaml b/kube/1-clusters/Biohazard/2-config/kustomization.yaml deleted file mode 100644 index f1e41c57..00000000 --- a/kube/1-clusters/Biohazard/2-config/kustomization.yaml +++ /dev/null 
@@ -1,245 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - ../../../clusters/biohazard/flux/ - - 1-flux-install.yaml - - 2-flux-repo.yaml - # - 3-secrets.yaml - # - 4-vars.yaml - - 5-deploy.yaml - - ceph-rgw-ext-users.yaml - - ../../../3-deploy/1-core/05-ingress/cloudflare/ - - ../../../3-deploy/1-core/05-ingress/external-proxy-x/ - - ../../../3-deploy/1-core/06-monitoring/1-deps/ - - ../../../3-deploy/1-core/06-monitoring/node-exporter/ - - ../../../3-deploy/1-core/db/pg/ - - ../../../3-deploy/2-apps/default/ - - ../../../3-deploy/2-apps/flux-system/ - - ../../../3-deploy/2-apps/authentik/ - - ../../../3-deploy/2-apps/kanidm/ - - ../../../3-deploy/2-apps/syncthing/ - - ../../../3-deploy/2-apps/excalidraw/ - - ../../../3-deploy/2-apps/velociraptor/ - - ../../../3-deploy/2-apps/gotosocial/ - - ../../../3-deploy/2-apps/ntfy/ - - ../../../3-deploy/2-apps/satisfactory/ - - ../../../3-deploy/2-apps/headscale/ - - ../../../3-deploy/2-apps/zipline/ - - ../../../3-deploy/2-apps/kah/ - -patches: - - patch: |- - apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 - kind: Kustomization - metadata: - name: not-used - spec: - interval: 1m0s - timeout: 10m0s - decryption: - provider: sops - secretRef: - name: biohazard-secrets-decrypt-sops-age - target: - group: kustomize.toolkit.fluxcd.io - version: v1beta2 - kind: Kustomization - - patch: |- - apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 - kind: Kustomization - metadata: - name: not-used - spec: - sourceRef: - kind: GitRepository - name: flux-system - target: - group: kustomize.toolkit.fluxcd.io - version: v1beta2 - kind: Kustomization - labelSelector: kustomization.flux.home.arpa/default notin (false) - - patch: | - - op: add - path: /spec/dependsOn/- - value: - name: 2-biohazard-config - target: - group: kustomize.toolkit.fluxcd.io - version: v1beta2 - kind: Kustomization - labelSelector: kustomization.flux.home.arpa/default notin (false) - - patch: | - - op: add - path: 
/spec/dependsOn/- - value: - name: biohazard-1-core-01-networking-cilium - target: - group: kustomize.toolkit.fluxcd.io - version: v1beta2 - kind: Kustomization - labelSelector: kustomization.flux.home.arpa/name notin (cilium, flux, kubevirt) - - patch: |- - apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 - kind: Kustomization - metadata: - name: not-used - spec: - postBuild: - substituteFrom: - - kind: ConfigMap - name: biohazard-vars - optional: false - - kind: Secret - name: biohazard-secrets - optional: false - target: - group: kustomize.toolkit.fluxcd.io - version: v1beta2 - kind: Kustomization - labelSelector: substitution.flux.home.arpa/disabled notin (true) - - patch: |- - apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 - kind: Kustomization - metadata: - name: not-used - spec: - # prune: true - prune: false # disable prune for Flux restructure - target: - group: kustomize.toolkit.fluxcd.io - version: v1beta2 - kind: Kustomization - labelSelector: prune.flux.home.arpa/disabled notin (true) - - patch: |- - apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 - kind: Kustomization - metadata: - name: not-used - spec: - prune: false - target: - group: kustomize.toolkit.fluxcd.io - version: v1beta2 - kind: Kustomization - labelSelector: prune.flux.home.arpa/disabled=true - - patch: |- - apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 - kind: Kustomization - metadata: - name: not-used - spec: - wait: true - target: - group: kustomize.toolkit.fluxcd.io - version: v1beta2 - kind: Kustomization - labelSelector: wait.flux.home.arpa/disabled notin (true) - - patch: |- - apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 - kind: Kustomization - metadata: - name: not-used - spec: - wait: false - target: - group: kustomize.toolkit.fluxcd.io - version: v1beta2 - kind: Kustomization - labelSelector: wait.flux.home.arpa/disabled=true - - patch: |- - apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 - kind: Kustomization - metadata: - name: not-used - spec: - patches: - - patch: |- - 
apiVersion: helm.toolkit.fluxcd.io/v2beta1 - kind: HelmRelease - metadata: - name: not-used - spec: - chart: - spec: - sourceRef: - kind: HelmRepository - namespace: flux-system - interval: 5m - maxHistory: 5 - install: - createNamespace: true - remediation: - retries: 5 - upgrade: - cleanupOnFail: true - remediation: - retries: 5 - uninstall: - keepHistory: false - target: - group: helm.toolkit.fluxcd.io - version: v2beta1 - kind: HelmRelease - labelSelector: helm.flux.home.arpa/default notin (false) - - patch: |- - apiVersion: helm.toolkit.fluxcd.io/v2beta1 - kind: HelmRelease - metadata: - name: not-used - spec: - chart: - spec: - chart: app-template - version: 1.2.1 - sourceRef: - name: bjw-s - target: - group: helm.toolkit.fluxcd.io - version: v2beta1 - kind: HelmRelease - labelSelector: helm.flux.home.arpa/app-template=true - - patch: |- - apiVersion: helm.toolkit.fluxcd.io/v2beta1 - kind: HelmRelease - metadata: - name: not-used - spec: - values: - ingress: - main: - annotations: - nginx.ingress.kubernetes.io/auth-url: |- - http://ak-outpost-${CLUSTER_NAME_LOWER}.ingress.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx - nginx.ingress.kubernetes.io/auth-response-headers: |- - Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid - nginx.ingress.kubernetes.io/auth-snippet: | - proxy_set_header X-Forwarded-Host $http_host; - target: - group: helm.toolkit.fluxcd.io - version: v2beta1 - kind: HelmRelease - labelSelector: nginx.ingress.home.arpa/type in (auth, auth-external, auth-external-only) - - patch: |- - apiVersion: helm.toolkit.fluxcd.io/v2beta1 - kind: HelmRelease - metadata: - name: not-used - spec: - values: - ingress: - main: - annotations: - nginx.ingress.kubernetes.io/satisfy: "any" - nginx.ingress.kubernetes.io/whitelist-source-range: | - 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,100.64.0.0/10 - target: - group: helm.toolkit.fluxcd.io - version: v2beta1 - kind: HelmRelease - labelSelector: 
nginx.ingress.home.arpa/type=auth-external-only - target: - group: kustomize.toolkit.fluxcd.io - version: v1beta2 - kind: Kustomization - labelSelector: kustomization.flux.home.arpa/helmpatches notin (false) diff --git a/kube/2-bootstrap/flux/kustomization.yaml b/kube/2-bootstrap/flux/kustomization.yaml deleted file mode 100644 index 1ab8d0c6..00000000 --- a/kube/2-bootstrap/flux/kustomization.yaml +++ /dev/null @@ -1,16 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - github.com/fluxcd/flux2/manifests/install?ref=v0.40.0 -patches: - - patch: |- - $patch: delete - apiVersion: networking.k8s.io/v1 - kind: NetworkPolicy - metadata: - name: not-used - target: - group: networking.k8s.io - version: v1 - kind: NetworkPolicy diff --git a/kube/3-deploy/1-core/01-networking/.sops.yaml b/kube/3-deploy/1-core/01-networking/.sops.yaml deleted file mode 100644 index d3d9bf5f..00000000 --- a/kube/3-deploy/1-core/01-networking/.sops.yaml +++ /dev/null @@ -1,7 +0,0 @@ -creation_rules: - - path_regex: .*.yaml - encrypted_regex: ^(peer-address|peer-asn|my-asn|addresses|config.yaml|ipv4NativeRoutingCIDR|k8sServiceHost|clusterDomain)$ - age: >- - age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj - pgp: >- - 31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2 diff --git a/kube/3-deploy/1-core/01-networking/2-aws-lb.yaml b/kube/3-deploy/1-core/01-networking/2-aws-lb.yaml deleted file mode 100644 index ea63e456..00000000 --- a/kube/3-deploy/1-core/01-networking/2-aws-lb.yaml +++ /dev/null 
@@ -1,59 +0,0 @@ -apiVersion: helm.toolkit.fluxcd.io/v2beta1 -kind: HelmRelease -metadata: - name: aws-lb - namespace: kube-system - annotations: - meta.helm.sh/release-name: aws-lb - meta.helm.sh/release-namespace: kube-system - labels: - app.kubernetes.io/managed-by: Helm -spec: - interval: 5m - chart: - spec: - chart: aws-load-balancer-controller - version: 1.4.7 - sourceRef: - kind: HelmRepository - name: aws-eks - namespace: flux-system - interval: 5m - install: - # perform remediation when helm install fails - remediation: - retries: 100 - upgrade: - # perform remediation when helm upgrade fails - remediation: - retries: 100 - # remediate the last failure, when no retries remain - remediateLastFailure: true - cleanupOnFail: true - values: - # hostNetwork used because Cilium is main CNI - hostNetwork: true - dnsPolicy: ClusterFirstWithHostNet - # auto create authz resources - serviceAccount: - create: true - rbac: - create: true - # select cluster and nodes - clusterName: Biohazard - nodeSelector: - kubernetes.io/hostname: aws1 - tolerations: - tolerations: - - key: nodeType.jj - operator: Equal - value: awsingress - replicaCount: 1 - # disable as much ingress stuff as possible, only TCP NLB will be used - ingressClassParams: - create: false - ingressClassConfig: - default: false - createIngressClassResource: false - disableIngressClassAnnotation: true - disableIngressGroupNameAnnotation: true diff --git a/kube/3-deploy/1-core/02-storage/rook-ceph/snapshot-controller/rbac.yaml b/kube/3-deploy/1-core/02-storage/rook-ceph/snapshot-controller/rbac.yaml deleted file mode 100644 index 16a66053..00000000 --- a/kube/3-deploy/1-core/02-storage/rook-ceph/snapshot-controller/rbac.yaml +++ /dev/null 
@@ -1,73 +0,0 @@ ---- -apiVersion: v1 -kind: ServiceAccount -metadata: - name: snapshot-controller - namespace: rook-ceph ---- -kind: ClusterRole -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: snapshot-controller-runner -rules: - - apiGroups: [""] - resources: ["persistentvolumes"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["persistentvolumeclaims"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: ["storage.k8s.io"] - resources: ["storageclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: [""] - resources: ["events"] - verbs: ["list", "watch", "create", "update", "patch"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotclasses"] - verbs: ["get", "list", "watch"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshotcontents"] - verbs: ["create", "get", "list", "watch", "update", "delete"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshots"] - verbs: ["get", "list", "watch", "update"] - - apiGroups: ["snapshot.storage.k8s.io"] - resources: ["volumesnapshots/status"] - verbs: ["update"] ---- -kind: ClusterRoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: snapshot-controller-role -subjects: - - kind: ServiceAccount - name: snapshot-controller - namespace: rook-ceph -roleRef: - kind: ClusterRole - name: snapshot-controller-runner - apiGroup: rbac.authorization.k8s.io ---- -kind: Role -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - namespace: rook-ceph - name: snapshot-controller-leaderelection -rules: - - apiGroups: ["coordination.k8s.io"] - resources: ["leases"] - verbs: ["get", "watch", "list", "delete", "update", "create"] ---- -kind: RoleBinding -apiVersion: rbac.authorization.k8s.io/v1 -metadata: - name: snapshot-controller-leaderelection - namespace: rook-ceph -subjects: - - kind: ServiceAccount - name: snapshot-controller - namespace: rook-ceph -roleRef: - kind: Role - name: snapshot-controller-leaderelection - 
apiGroup: rbac.authorization.k8s.io diff --git a/kube/3-deploy/1-core/02-storage/rook-ceph/snapshot-controller/statefulset.yaml b/kube/3-deploy/1-core/02-storage/rook-ceph/snapshot-controller/statefulset.yaml deleted file mode 100644 index d0ce1122..00000000 --- a/kube/3-deploy/1-core/02-storage/rook-ceph/snapshot-controller/statefulset.yaml +++ /dev/null @@ -1,25 +0,0 @@ ---- -kind: StatefulSet -apiVersion: apps/v1 -metadata: - name: snapshot-controller - namespace: rook-ceph -spec: - serviceName: "snapshot-controller" - replicas: 1 - selector: - matchLabels: - app: snapshot-controller - template: - metadata: - labels: - app: snapshot-controller - spec: - serviceAccount: snapshot-controller - containers: - - name: snapshot-controller - image: k8s.gcr.io/sig-storage/snapshot-controller:v6.2.1 - args: - - "--v=5" - - "--leader-election=false" - imagePullPolicy: IfNotPresent diff --git a/kube/3-deploy/1-core/04-dns/.sops.yaml b/kube/3-deploy/1-core/04-dns/.sops.yaml deleted file mode 100644 index 9d2fa390..00000000 --- a/kube/3-deploy/1-core/04-dns/.sops.yaml +++ /dev/null @@ -1,7 +0,0 @@ -creation_rules: - - path_regex: .*.yaml - encrypted_regex: ^(data|stringData|domain|loadBalancerIP|externalIPs)$ - age: >- - age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj - pgp: >- - 31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2 diff --git a/kube/3-deploy/1-core/04-dns/external/kustomization.yaml b/kube/3-deploy/1-core/04-dns/external/kustomization.yaml deleted file mode 100644 index 277d1107..00000000 --- a/kube/3-deploy/1-core/04-dns/external/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - 1-namespace.yaml - - 2-secrets.yaml - - 3-external-dns.yaml diff --git a/kube/3-deploy/1-core/05-ingress/.sops.yaml b/kube/3-deploy/1-core/05-ingress/.sops.yaml deleted file mode 100644 index f40d653f..00000000 --- a/kube/3-deploy/1-core/05-ingress/.sops.yaml +++ /dev/null 
@@ -1,7 +0,0 @@ -creation_rules: - - path_regex: .*.yaml - encrypted_regex: ^(data|stringData|commonName|dnsNames|externalIPs|loadBalancerIP|whitelist-source-range)$ - age: >- - age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj - pgp: >- - 31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2 diff --git a/kube/3-deploy/1-core/05-ingress/1-namespace.yaml b/kube/3-deploy/1-core/05-ingress/1-namespace.yaml deleted file mode 100644 index 17f4d175..00000000 --- a/kube/3-deploy/1-core/05-ingress/1-namespace.yaml +++ /dev/null @@ -1,12 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: ingress - labels: - pod-security.kubernetes.io/enforce: privileged - pod-security.kubernetes.io/enforce-version: v1.26 - pod-security.kubernetes.io/audit: privileged - pod-security.kubernetes.io/audit-version: v1.26 - pod-security.kubernetes.io/warn: privileged - pod-security.kubernetes.io/warn-version: v1.26 diff --git a/kube/3-deploy/1-core/05-ingress/cloudflare/ks.yaml b/kube/3-deploy/1-core/05-ingress/cloudflare/ks.yaml deleted file mode 100644 index b420fe5e..00000000 --- a/kube/3-deploy/1-core/05-ingress/cloudflare/ks.yaml +++ /dev/null @@ -1,24 +0,0 @@ ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 -kind: Kustomization -metadata: - name: cloudflare-deps - namespace: flux-system -spec: - path: ./kube/3-deploy/1-core/05-ingress/cloudflare/deps - dependsOn: [] ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 -kind: Kustomization -metadata: - name: cloudflare-tunnel - namespace: flux-system -spec: - path: ./kube/3-deploy/1-core/05-ingress/cloudflare/tunnel - dependsOn: - - name: cloudflare-deps - healthChecks: - - name: cloudflared - namespace: cloudflare - kind: HelmRelease - apiVersion: helm.toolkit.fluxcd.io/v2beta1 diff --git a/kube/3-deploy/1-core/05-ingress/external-proxy-x/ks.yaml b/kube/3-deploy/1-core/05-ingress/external-proxy-x/ks.yaml deleted file mode 100644 index 0f2e7fc1..00000000 
--- a/kube/3-deploy/1-core/05-ingress/external-proxy-x/ks.yaml +++ /dev/null @@ -1,14 +0,0 @@ ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 -kind: Kustomization -metadata: - name: external-proxy-x-app - namespace: flux-system -spec: - path: ./kube/3-deploy/1-core/05-ingress/external-proxy-x/app - dependsOn: [] - healthChecks: - - name: external-proxy-x - namespace: ingress - kind: HelmRelease - apiVersion: helm.toolkit.fluxcd.io/v2beta1 diff --git a/kube/3-deploy/1-core/05-ingress/external/install.yaml b/kube/3-deploy/1-core/05-ingress/external/install.yaml deleted file mode 100644 index 0d68ccd2..00000000 --- a/kube/3-deploy/1-core/05-ingress/external/install.yaml +++ /dev/null 
@@ -1,82 +0,0 @@ ---- -apiVersion: helm.toolkit.fluxcd.io/v2beta1 -kind: HelmRelease -metadata: - name: external - namespace: ingress -spec: - chart: - spec: - chart: haproxy - version: 1.18.0 - sourceRef: - name: haproxytech - values: - image: - repository: haproxytech/haproxy-debian - tag: "2.6.9" - pullPolicy: IfNotPresent - kind: DaemonSet - nodeSelector: - node-restriction.kubernetes.io/nodeType: awsIngress - tolerations: - - key: nodeType.jj - operator: Equal - value: awsIngress - effect: NoSchedule - containerPorts: - http: 80 - https: 443 - config: | - global - log stdout format raw local0 debug - - defaults - mode tcp - log global - option tcplog - timeout client 30s - timeout connect 4s - timeout server 30s - retries 3 - - frontend https - mode tcp - bind :443 - default_backend https_servers - - backend https_servers - mode tcp - server internalnginx ingress-nginx-controller.ingress.svc.cluster.local:20443 send-proxy-v2 - - frontend http - mode tcp - bind :80 - default_backend http_servers - - backend http_servers - mode tcp - server internalnginx ingress-nginx-controller.ingress.svc.cluster.local:20080 send-proxy-v2 ---- -apiVersion: v1 -kind: Service -metadata: - name: external - namespace: ingress -spec: - externalTrafficPolicy: Local - ports: - - name: http - port: 80 - protocol: TCP - targetPort: 80 - nodePort: 80 - - name: https - port: 443 - protocol: TCP - targetPort: 443 - nodePort: 443 - selector: - app.kubernetes.io/instance: external - app.kubernetes.io/name: haproxy - type: NodePort diff --git a/kube/3-deploy/1-core/05-ingress/kustomization.yaml b/kube/3-deploy/1-core/05-ingress/kustomization.yaml deleted file mode 100644 index a2579ee8..00000000 --- a/kube/3-deploy/1-core/05-ingress/kustomization.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - 1-namespace.yaml - - 2-certs.yaml - # - 3-nginx.yaml - # - 4-nginx-external.yaml 
diff --git a/kube/3-deploy/1-core/06-monitoring/1-deps/app/kustomization.yaml b/kube/3-deploy/1-core/06-monitoring/1-deps/app/kustomization.yaml deleted file mode 100644 index 284baf08..00000000 --- a/kube/3-deploy/1-core/06-monitoring/1-deps/app/kustomization.yaml +++ /dev/null @@ -1,6 +0,0 @@ -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: -- 1-namespace.yaml -- 2-crds-prometheus.yaml -- kube-prometheus.yaml diff --git a/kube/3-deploy/1-core/06-monitoring/1-deps/ks.yaml b/kube/3-deploy/1-core/06-monitoring/1-deps/ks.yaml deleted file mode 100644 index b73256e2..00000000 --- a/kube/3-deploy/1-core/06-monitoring/1-deps/ks.yaml +++ /dev/null @@ -1,9 +0,0 @@ ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 -kind: Kustomization -metadata: - name: monitoring-deps - namespace: flux-system -spec: - path: ./kube/3-deploy/1-core/06-monitoring/1-deps/app - dependsOn: [] diff --git a/kube/3-deploy/1-core/06-monitoring/metrics-server/kustomization.yaml b/kube/3-deploy/1-core/06-monitoring/metrics-server/kustomization.yaml deleted file mode 100644 index b7abb737..00000000 --- a/kube/3-deploy/1-core/06-monitoring/metrics-server/kustomization.yaml +++ /dev/null @@ -1,6 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - 1-repo.yaml - - 2-install.yaml diff --git a/kube/3-deploy/1-core/06-monitoring/node-exporter/ks.yaml b/kube/3-deploy/1-core/06-monitoring/node-exporter/ks.yaml deleted file mode 100644 index d403f598..00000000 --- a/kube/3-deploy/1-core/06-monitoring/node-exporter/ks.yaml +++ /dev/null 
@@ -1,19 +0,0 @@ ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 -kind: Kustomization -metadata: - name: monitoring-node-exporter-deps - namespace: flux-system -spec: - path: ./kube/3-deploy/1-core/06-monitoring/node-exporter/deps - dependsOn: [] ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 -kind: Kustomization -metadata: - name: monitoring-node-exporter-app - namespace: flux-system -spec: - path: ./kube/3-deploy/1-core/06-monitoring/node-exporter/app - dependsOn: - - name: monitoring-node-exporter-deps diff --git a/kube/3-deploy/1-core/06-monitoring/victoria/1-crds/install.yaml b/kube/3-deploy/1-core/06-monitoring/victoria/1-crds/install.yaml deleted file mode 100644 index fd5fa9e1..00000000 --- a/kube/3-deploy/1-core/06-monitoring/victoria/1-crds/install.yaml +++ /dev/null 
@@ -1,72 +0,0 @@ ---- -apiVersion: source.toolkit.fluxcd.io/v1beta1 -kind: GitRepository -metadata: - name: crds-victoria - namespace: flux-system -spec: - interval: 30m - # renovate: datasource=github-releases - url: https://github.com/VictoriaMetrics/operator.git - ref: - tag: v0.30.4 - ignore: | - # exclude all - /* - # path to crds - !/config/crd/ ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 -kind: Kustomization -metadata: - name: crds-victoria - namespace: flux-system -spec: - interval: 15m - prune: false - sourceRef: - kind: GitRepository - name: crds-victoria - healthChecks: - - apiVersion: apiextensions.k8s.io/v1 - kind: CustomResourceDefinition - name: vmagents.operator.victoriametrics.com - - apiVersion: apiextensions.k8s.io/v1 - kind: CustomResourceDefinition - name: vmalertmanagerconfigs.operator.victoriametrics.com - - apiVersion: apiextensions.k8s.io/v1 - kind: CustomResourceDefinition - name: vmalertmanagers.operator.victoriametrics.com - - apiVersion: apiextensions.k8s.io/v1 - kind: CustomResourceDefinition - name: vmalerts.operator.victoriametrics.com - - apiVersion: apiextensions.k8s.io/v1 - kind: CustomResourceDefinition - name: vmauths.operator.victoriametrics.com - - apiVersion: apiextensions.k8s.io/v1 - kind: CustomResourceDefinition - name: vmclusters.operator.victoriametrics.com - - apiVersion: apiextensions.k8s.io/v1 - kind: CustomResourceDefinition - name: vmnodescrapes.operator.victoriametrics.com - - apiVersion: apiextensions.k8s.io/v1 - kind: CustomResourceDefinition - name: vmpodscrapes.operator.victoriametrics.com - - apiVersion: apiextensions.k8s.io/v1 - kind: CustomResourceDefinition - name: vmprobes.operator.victoriametrics.com - - apiVersion: apiextensions.k8s.io/v1 - kind: CustomResourceDefinition - name: vmrules.operator.victoriametrics.com - - apiVersion: apiextensions.k8s.io/v1 - kind: CustomResourceDefinition - name: vmservicescrapes.operator.victoriametrics.com - - apiVersion: apiextensions.k8s.io/v1 - kind: 
CustomResourceDefinition - name: vmsingles.operator.victoriametrics.com - - apiVersion: apiextensions.k8s.io/v1 - kind: CustomResourceDefinition - name: vmstaticscrapes.operator.victoriametrics.com - - apiVersion: apiextensions.k8s.io/v1 - kind: CustomResourceDefinition - name: vmusers.operator.victoriametrics.com diff --git a/kube/3-deploy/1-core/08-hardware/01-node-feature-discovery/kustomization.yaml b/kube/3-deploy/1-core/08-hardware/01-node-feature-discovery/kustomization.yaml deleted file mode 100644 index 375c851c..00000000 --- a/kube/3-deploy/1-core/08-hardware/01-node-feature-discovery/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - 1-repo.yaml - - 2-install.yaml - - 3-intel-gpu-rule.yaml diff --git a/kube/3-deploy/1-core/08-hardware/02-intel-device-plugins/kustomization.yaml b/kube/3-deploy/1-core/08-hardware/02-intel-device-plugins/kustomization.yaml deleted file mode 100644 index b94e6645..00000000 --- a/kube/3-deploy/1-core/08-hardware/02-intel-device-plugins/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - 1-repo.yaml - - 2-operator.yaml - - 3-gpu.yaml diff --git a/kube/3-deploy/2-apps/authentik/app/svc.yaml b/kube/3-deploy/2-apps/authentik/app/svc.yaml deleted file mode 100644 index 3d8aa301..00000000 --- a/kube/3-deploy/2-apps/authentik/app/svc.yaml +++ /dev/null 
@@ -1,28 +0,0 @@ ---- -apiVersion: v1 -kind: Service -metadata: - annotations: - coredns.io/hostname: "auth.jjgadgets.tech" - "io.cilium/lb-ipam-ips": ${APP_IP_AUTHENTIK} - labels: - app.kubernetes.io/instance: authentik - app.kubernetes.io/name: authentik - name: authentik-http - namespace: authentik -spec: - type: LoadBalancer - externalTrafficPolicy: Cluster - ports: - - name: http - port: 80 - targetPort: 9000 - protocol: TCP - - name: https - port: 443 - targetPort: 9443 - protocol: TCP - selector: - app.kubernetes.io/component: server - app.kubernetes.io/instance: authentik - app.kubernetes.io/name: authentik diff --git a/kube/3-deploy/2-apps/default/ks.yaml b/kube/3-deploy/2-apps/default/ks.yaml deleted file mode 100644 index 1939884c..00000000 --- a/kube/3-deploy/2-apps/default/ks.yaml +++ /dev/null @@ -1,10 +0,0 @@ ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 -kind: Kustomization -metadata: - name: default-deps - namespace: flux-system -spec: - path: ./kube/3-deploy/2-apps/default/deps - dependsOn: - - name: ${CLUSTER_NAME_LOWER}-1-core-03-certs-cert-manager # change to shorter name diff --git a/kube/3-deploy/2-apps/elk/ks.yaml b/kube/3-deploy/2-apps/elk/ks.yaml deleted file mode 100644 index c307bc3e..00000000 --- a/kube/3-deploy/2-apps/elk/ks.yaml +++ /dev/null @@ -1,14 +0,0 @@ ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 -kind: Kustomization -metadata: - name: elk-app - namespace: flux-system - labels: - wait.flux.home.arpa/disabled: "true" -spec: - path: ./kube/3-deploy/2-apps/elk/app - dependsOn: - - name: ${CLUSTER_NAME_LOWER}-1-core-02-storage-rook-ceph - - name: ${CLUSTER_NAME_LOWER}-1-core-05-ingress-nginx - - name: ${CLUSTER_NAME_LOWER}-2-apps-volsync diff --git a/kube/3-deploy/2-apps/excalidraw/ks.yaml b/kube/3-deploy/2-apps/excalidraw/ks.yaml deleted file mode 100644 index f43c8e89..00000000 --- a/kube/3-deploy/2-apps/excalidraw/ks.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 -kind: Kustomization -metadata: - name: excalidraw-deps - namespace: flux-system -spec: - path: ./kube/3-deploy/2-apps/excalidraw/deps - dependsOn: - - name: ${CLUSTER_NAME_LOWER}-1-core-03-certs-cert-manager # change to shorter name ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 -kind: Kustomization -metadata: - name: excalidraw-app - namespace: flux-system -spec: - path: ./kube/3-deploy/2-apps/excalidraw/app - dependsOn: - - name: excalidraw-deps - - name: ${CLUSTER_NAME_LOWER}-1-core-04-dns-internal - - name: ${CLUSTER_NAME_LOWER}-1-core-05-ingress-nginx - healthChecks: - - name: excalidraw - namespace: excalidraw - kind: HelmRelease - apiVersion: helm.toolkit.fluxcd.io/v2beta1 diff --git a/kube/3-deploy/2-apps/external/authentik/install.yaml b/kube/3-deploy/2-apps/external/authentik/install.yaml deleted file mode 100644 index a1c0e8f0..00000000 --- a/kube/3-deploy/2-apps/external/authentik/install.yaml +++ /dev/null 
@@ -1,51 +0,0 @@ ---- -apiVersion: v1 -kind: Service -metadata: - name: &app authentik - namespace: default - labels: - app.kubernetes.io/name: *app - app.kubernetes.io/instance: *app -spec: - type: ExternalName - externalName: ${DNS_OLD_DOCKER} - ports: - - name: http - port: &port 443 - protocol: TCP - targetPort: *port ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: &app authentik - namespace: default - annotations: - nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" - # below is needed to reverse proxy to a HTTPS backend with SNI validation - # respective annotations don't work till this issue is fixed: - # https://github.com/kubernetes/ingress-nginx/issues/6728 - nginx.ingress.kubernetes.io/server-snippet: | - proxy_ssl_name ${APP_DNS_AUTH}; - proxy_ssl_server_name on; - labels: - app.kubernetes.io/name: *app - app.kubernetes.io/instance: *app -spec: - ingressClassName: nginx - rules: - - host: &host ${APP_DNS_AUTH} - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: *app - port: - number: 443 - tls: - - hosts: - - *host - secretName: long-domain-tls diff --git a/kube/3-deploy/2-apps/external/matrix-synapse/install.yaml b/kube/3-deploy/2-apps/external/matrix-synapse/install.yaml deleted file mode 100644 index 4c62f292..00000000 --- a/kube/3-deploy/2-apps/external/matrix-synapse/install.yaml +++ /dev/null 
@@ -1,99 +0,0 @@ ---- -apiVersion: v1 -kind: Service -metadata: - name: &app matrix-synapse-1 - namespace: ingress - labels: - app.kubernetes.io/name: *app - app.kubernetes.io/instance: *app -spec: - type: ExternalName - externalName: ${DNS_OLD_DOCKER} - ports: - - name: http - port: &port 443 - protocol: TCP - targetPort: *port ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: &app matrix-synapse-1 - namespace: ingress - annotations: - nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" - # below is needed to reverse proxy to a HTTPS backend with SNI validation - # respective annotations don't work till this issue is fixed: - # https://github.com/kubernetes/ingress-nginx/issues/6728 - nginx.ingress.kubernetes.io/server-snippet: | - proxy_ssl_name ${APP_DNS_MATRIX_1}; - proxy_ssl_server_name on; - labels: - app.kubernetes.io/name: *app - app.kubernetes.io/instance: *app -spec: - ingressClassName: nginx - rules: - - host: &host ${APP_DNS_MATRIX_1} - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: *app - port: - number: 443 - tls: - - hosts: - - *host - secretName: long-domain-tls ---- -apiVersion: v1 -kind: Service -metadata: - name: &app matrix-synapse-2 - namespace: ingress - labels: - app.kubernetes.io/name: *app - app.kubernetes.io/instance: *app -spec: - type: ExternalName - externalName: ${DNS_OLD_DOCKER} - ports: - - name: http - port: &port 443 - protocol: TCP - targetPort: *port ---- -apiVersion: networking.k8s.io/v1 -kind: Ingress -metadata: - name: &app matrix-synapse-2 - namespace: ingress - annotations: - nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" - nginx.ingress.kubernetes.io/server-snippet: | - proxy_ssl_name ${APP_DNS_MATRIX_2}; - proxy_ssl_server_name on; - labels: - app.kubernetes.io/name: *app - app.kubernetes.io/instance: *app -spec: - ingressClassName: nginx - rules: - - host: &host ${APP_DNS_MATRIX_2} - http: - paths: - - path: / - pathType: Prefix - backend: - service: - name: 
*app - port: - number: 443 - tls: - - hosts: - - *host - secretName: long-domain-tls diff --git a/kube/3-deploy/2-apps/flux-system/ks.yaml b/kube/3-deploy/2-apps/flux-system/ks.yaml deleted file mode 100644 index 167a4c0b..00000000 --- a/kube/3-deploy/2-apps/flux-system/ks.yaml +++ /dev/null @@ -1,12 +0,0 @@ ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 -kind: Kustomization -metadata: - name: 1-flux-webhook - namespace: flux-system -spec: - path: ./kube/3-deploy/2-apps/flux-system/webhook - dependsOn: - - name: cloudflare-tunnel - - name: ${CLUSTER_NAME_LOWER}-1-core-04-dns-external - - name: ${CLUSTER_NAME_LOWER}-1-core-05-ingress-nginx diff --git a/kube/3-deploy/2-apps/gokapi/.sops.yaml b/kube/3-deploy/2-apps/gokapi/.sops.yaml deleted file mode 100644 index 0031ba3c..00000000 --- a/kube/3-deploy/2-apps/gokapi/.sops.yaml +++ /dev/null @@ -1,7 +0,0 @@ -creation_rules: - - path_regex: .*.yaml - encrypted_regex: ^(hosts|host)$ - age: >- - age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj - pgp: >- - 31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2 diff --git a/kube/3-deploy/2-apps/gokapi/kustomization.yaml b/kube/3-deploy/2-apps/gokapi/kustomization.yaml deleted file mode 100644 index d1fb4076..00000000 --- a/kube/3-deploy/2-apps/gokapi/kustomization.yaml +++ /dev/null @@ -1,6 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - 1-namespace.yaml - - 2-install.yaml diff --git a/kube/3-deploy/2-apps/hugo-test/.sops.yaml b/kube/3-deploy/2-apps/hugo-test/.sops.yaml deleted file mode 100644 index f7c96bca..00000000 --- a/kube/3-deploy/2-apps/hugo-test/.sops.yaml +++ /dev/null @@ -1,7 +0,0 @@ -creation_rules: - - path_regex: .*.yaml - encrypted_regex: ^(hosts|host|WHOOGLE_CONFIG_URL|nameservers)$ - age: >- - age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj - pgp: >- - 31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2 
diff --git a/kube/3-deploy/2-apps/hugo-test/1-namespace.yaml b/kube/3-deploy/2-apps/hugo-test/1-namespace.yaml deleted file mode 100644 index 402ce9b2..00000000 --- a/kube/3-deploy/2-apps/hugo-test/1-namespace.yaml +++ /dev/null @@ -1,5 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: hugo-test diff --git a/kube/3-deploy/2-apps/hugo-test/3-install.yaml b/kube/3-deploy/2-apps/hugo-test/3-install.yaml deleted file mode 100644 index 667bcb2b..00000000 --- a/kube/3-deploy/2-apps/hugo-test/3-install.yaml +++ /dev/null @@ -1,74 +0,0 @@ ---- -apiVersion: helm.toolkit.fluxcd.io/v2beta1 -kind: HelmRelease -metadata: - name: hugo-test - namespace: hugo-test - labels: - helm.flux.home.arpa/app-template: "true" -spec: - values: - controller: - strategy: RollingUpdate - fullNameOverride: hugo-test - image: - repository: docker.io/klakegg/hugo - tag: 0.107.0-ext-debian-ci - command: ["hugo"] - args: ["server"] - env: - TZ: "${CONFIG_TZ}" - persistence: - config: - enabled: true - type: pvc - retain: true - readOnly: false - storageClass: block - size: 5Gi - mountPath: /src - accessMode: ReadWriteOnce - addons: - codeserver: - enabled: true - args: - - --auth - - none - - --user-data-dir - - "/config/.vscode" - git: - deployKeySecret: codeserver - volumeMounts: - - name: config - mountPath: /config - ingress: - enabled: true - ingressClassName: nginx - hosts: - - host: "${APP_DNS_HUGO_TEST_VSCODE}" - paths: - - path: / - pathType: Prefix - tls: - - hosts: - - "${APP_DNS_HUGO_TEST_VSCODE}" - env: - TZ: "${CONFIG_TZ}" - service: - main: - ports: - http: - port: 1313 - ingress: - main: - enabled: true - primary: true - ingressClassName: nginx - hosts: - - host: "${APP_DNS_HUGO_TEST}" - paths: - - path: / - pathType: Prefix - tls: - - hosts: - - "${APP_DNS_HUGO_TEST}" diff --git a/kube/3-deploy/2-apps/hugo-test/4-cloudflared.yaml b/kube/3-deploy/2-apps/hugo-test/4-cloudflared.yaml deleted file mode 100644 index 1736d68b..00000000 
--- a/kube/3-deploy/2-apps/hugo-test/4-cloudflared.yaml +++ /dev/null @@ -1,54 +0,0 @@ ---- -apiVersion: helm.toolkit.fluxcd.io/v2beta1 -kind: HelmRelease -metadata: - name: cloudflared - namespace: hugo-test - labels: - helm.flux.home.arpa/app-template: "true" -spec: - values: - controller: - strategy: RollingUpdate - image: - repository: cloudflare/cloudflared - tag: 2023.2.1-amd64 - args: - - tunnel - - --config - - /etc/cloudflared/config.yaml - - run - service: - main: - enabled: false - persistence: - config: - enabled: true - type: configMap - name: cloudflared-config - mountPath: /etc/cloudflared/config.yaml - subPath: config.yaml - readOnly: true - credentials: - enabled: true - type: secret - name: cloudflared-credentials - mountPath: /etc/cloudflared/credentials.json - subPath: credentials.json - readOnly: true - configMaps: - config: - enabled: true - data: - config.yaml: | - tunnel: "${SECRET_CLOUDFLARE_TUNNEL_HUGO_TEST_ID}" - credentials-file: /etc/cloudflared/credentials.json - no-autoupdate: true - ingress: - - hostname: ${APP_DNS_CF_HUGO_TEST_HELLO} - service: hello_world - - hostname: ${APP_DNS_CF_HUGO_TEST} - service: http://hugo-test:1313 - - hostname: ${APP_DNS_CF_HUGO_TEST_VSCODE} - service: http://hugo-test-addon-codeserver:12321 - - service: http_status:200 diff --git a/kube/3-deploy/2-apps/hugo-test/kustomization.yaml b/kube/3-deploy/2-apps/hugo-test/kustomization.yaml deleted file mode 100644 index 42e22691..00000000 --- a/kube/3-deploy/2-apps/hugo-test/kustomization.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - 1-namespace.yaml - - 3-install.yaml - - 4-cloudflared.yaml - - volsync.yaml diff --git a/kube/3-deploy/2-apps/kanidm/ks.yaml b/kube/3-deploy/2-apps/kanidm/ks.yaml deleted file mode 100644 index 2ae7af71..00000000 --- a/kube/3-deploy/2-apps/kanidm/ks.yaml +++ /dev/null 
@@ -1,29 +0,0 @@ ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 -kind: Kustomization -metadata: - name: kanidm-deps - namespace: flux-system -spec: - path: ./kube/3-deploy/2-apps/kanidm/deps - dependsOn: - - name: ${CLUSTER_NAME_LOWER}-1-core-03-certs-cert-manager # change to shorter name ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 -kind: Kustomization -metadata: - name: kanidm-app - namespace: flux-system -spec: - path: ./kube/3-deploy/2-apps/kanidm/app - dependsOn: - - name: kanidm-deps - - name: ${CLUSTER_NAME_LOWER}-1-core-02-storage-rook-ceph - - name: ${CLUSTER_NAME_LOWER}-1-core-04-dns-internal - - name: ${CLUSTER_NAME_LOWER}-1-core-05-ingress-nginx - #- name: ${CLUSTER_NAME_LOWER}-2-apps-volsync - healthChecks: - - name: kanidm - namespace: kanidm - kind: HelmRelease - apiVersion: helm.toolkit.fluxcd.io/v2beta1 diff --git a/kube/3-deploy/2-apps/kavita/kustomization.yaml b/kube/3-deploy/2-apps/kavita/kustomization.yaml deleted file mode 100644 index 7386a88c..00000000 --- a/kube/3-deploy/2-apps/kavita/kustomization.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - 1-namespace.yaml - - 2-nfs.yaml - - 3-install.yaml - - volsync.yaml diff --git a/kube/3-deploy/2-apps/kubevirt/2-install/kustomization.yaml b/kube/3-deploy/2-apps/kubevirt/2-install/kustomization.yaml deleted file mode 100644 index 75a39cf7..00000000 --- a/kube/3-deploy/2-apps/kubevirt/2-install/kustomization.yaml +++ /dev/null @@ -1,6 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - 1-operator.yaml - - 2-cr.yaml diff --git a/kube/3-deploy/2-apps/kubevirt/kustomization.yaml b/kube/3-deploy/2-apps/kubevirt/kustomization.yaml deleted file mode 100644 index 039ec139..00000000 --- a/kube/3-deploy/2-apps/kubevirt/kustomization.yaml +++ /dev/null 
@@ -1,6 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - 1-namespace.yaml - - 2-install diff --git a/kube/3-deploy/2-apps/minecraft/kustomization.yaml b/kube/3-deploy/2-apps/minecraft/kustomization.yaml deleted file mode 100644 index ef49f6d4..00000000 --- a/kube/3-deploy/2-apps/minecraft/kustomization.yaml +++ /dev/null @@ -1,8 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - 1-namespace.yaml - - 2-repo.yaml - - 3-install.yaml - - volsync.yaml diff --git a/kube/3-deploy/2-apps/ntfy/ks.yaml b/kube/3-deploy/2-apps/ntfy/ks.yaml deleted file mode 100644 index d6c41133..00000000 --- a/kube/3-deploy/2-apps/ntfy/ks.yaml +++ /dev/null @@ -1,18 +0,0 @@ ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 -kind: Kustomization -metadata: - name: ntfy-app - namespace: flux-system -spec: - path: ./kube/3-deploy/2-apps/ntfy/app - dependsOn: - - name: ${CLUSTER_NAME_LOWER}-1-core-02-storage-rook-ceph - - name: ${CLUSTER_NAME_LOWER}-1-core-04-dns-internal - - name: ${CLUSTER_NAME_LOWER}-1-core-05-ingress-nginx - #- name: ${CLUSTER_NAME_LOWER}-2-apps-volsync - healthChecks: - - name: ntfy - namespace: ntfy - kind: HelmRelease - apiVersion: helm.toolkit.fluxcd.io/v2beta1 diff --git a/kube/3-deploy/2-apps/satisfactory/ks.yaml b/kube/3-deploy/2-apps/satisfactory/ks.yaml deleted file mode 100644 index 587ac031..00000000 --- a/kube/3-deploy/2-apps/satisfactory/ks.yaml +++ /dev/null @@ -1,17 +0,0 @@ ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 -kind: Kustomization -metadata: - name: satisfactory-app - namespace: flux-system -spec: - path: ./kube/3-deploy/2-apps/satisfactory/app - dependsOn: - - name: ${CLUSTER_NAME_LOWER}-1-core-02-storage-rook-ceph - - name: ${CLUSTER_NAME_LOWER}-1-core-04-dns-internal - #- name: ${CLUSTER_NAME_LOWER}-2-apps-volsync - healthChecks: - - name: satisfactory - namespace: satisfactory - kind: HelmRelease - apiVersion: helm.toolkit.fluxcd.io/v2beta1 
diff --git a/kube/3-deploy/2-apps/test.yaml b/kube/3-deploy/2-apps/test.yaml deleted file mode 100644 index 208f6afb..00000000 --- a/kube/3-deploy/2-apps/test.yaml +++ /dev/null @@ -1,7 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: test - namespace: kube-system -stringData: - test: forPreCommit diff --git a/kube/3-deploy/2-apps/velociraptor/app/config.sops.yaml b/kube/3-deploy/2-apps/velociraptor/app/config.sops.yaml deleted file mode 100644 index 258539a4..00000000 --- a/kube/3-deploy/2-apps/velociraptor/app/config.sops.yaml +++ /dev/null 
@@ -1,41 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: velociraptor-config - namespace: velociraptor - labels: - app.kubernetes.io/instance: velociraptor - app.kubernetes.io/name: velociraptor -data: - server.config.yaml: ENC[AES256_GCM,data:,iv:x/nHoaM9lT0OQeR5+bLYMduGOx5Mpq8MTwxbod2ZXGI=,tag:ovXdEQlBC95KQrM5CN79eg==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjQ3VWVGNyZVRFZWttZXB6 - SzN6UWw3VkpGazJzaHp2ZG9tckdWK0V4b1R3ClhOTElPdmJsa1ZPRzZkZWJtM2pB - dWU3UG1iaVNZOFVMazk5WWdtMkNzU0kKLS0tIE82eC9EbzJuejJ0cjNwc2ZUMTlx - a0Y5T1lDRitjeGZnRHl5cUJaOVRBczgK3B05LRMylgh3q9w19GQcP1gx0KYf+erR - YqvjF2SXtbO3IFFfTgtubKYA+kmzAeJy21UO+5ro/BddRfUq2jfWcw== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-05-08T11:28:50Z" - mac: ENC[AES256_GCM,data:pDoSJSDZsiRI+EmtZexiCrM9anMFFJApKt8B3mWjfUS2iF10ky8QJrGx69cYgU/AUOUJWoODxo1Jv/7YTBYcuOU1637ff5mhLDREGTB7cfo3qOk+QzxYPmwgF1D9DuAXSVLxyxwrATYcaatLlLy3dDGtyKPM8rMIvPUiLi6wTUU=,iv:2jiQnw96h0cHJ2mfx/JCApnEbfF9fhSVTXU7qNqPseU=,tag:ZfBzbjdMRw3YrzYiAMDEow==,type:str] - pgp: - - created_at: "2023-05-08T00:47:34Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hF4DAAAAAAAAAAASAQdAPR/d4AH9qKsA0hdhl71Ai5dpP7GfdlUibG5C7X6e2XUw - PcVDZCJK7xHeDveaERB6spYjytpqfCya+vePGxHrs9EjTPzFA/7IvNFpj6rDvzll - 0l4BwApjc6Rvo9hPNmSukErwnLQVvpDuUnVOIz18VjWN+pKgVoalK1wF+o5nPihl - B934hwYQt1RVYQ3qBT3qXeHYEtRxo1W+/ms3f04WsSSAQe5kyan1wwaDad5oDmzA - =eYHn - -----END PGP MESSAGE----- - fp: 31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2 - encrypted_regex: ^(data|stringData)$ - version: 3.7.3 diff --git a/kube/3-deploy/2-apps/velociraptor/ks.yaml b/kube/3-deploy/2-apps/velociraptor/ks.yaml deleted file mode 100644 index 0a51b20c..00000000 --- a/kube/3-deploy/2-apps/velociraptor/ks.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 -kind: Kustomization -metadata: - name: velociraptor-app - namespace: flux-system -spec: - path: ./kube/3-deploy/2-apps/velociraptor/app - dependsOn: - - name: ${CLUSTER_NAME_LOWER}-1-core-02-storage-rook-ceph - - name: ${CLUSTER_NAME_LOWER}-1-core-04-dns-internal - - name: ${CLUSTER_NAME_LOWER}-1-core-05-ingress-nginx - #- name: ${CLUSTER_NAME_LOWER}-2-apps-volsync - healthChecks: - - name: velociraptor - namespace: velociraptor - kind: HelmRelease - apiVersion: helm.toolkit.fluxcd.io/v2beta1 diff --git a/kube/3-deploy/2-apps/volsync/kustomization.yaml b/kube/3-deploy/2-apps/volsync/kustomization.yaml deleted file mode 100644 index 0fb6c8d7..00000000 --- a/kube/3-deploy/2-apps/volsync/kustomization.yaml +++ /dev/null @@ -1,7 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - 1-namespace.yaml - - 2-repo.yaml - - 3-install.yaml diff --git a/kube/3-deploy/2-apps/whoogle/.sops.yaml b/kube/3-deploy/2-apps/whoogle/.sops.yaml deleted file mode 100644 index f7c96bca..00000000 --- a/kube/3-deploy/2-apps/whoogle/.sops.yaml +++ /dev/null @@ -1,7 +0,0 @@ -creation_rules: - - path_regex: .*.yaml - encrypted_regex: ^(hosts|host|WHOOGLE_CONFIG_URL|nameservers)$ - age: >- - age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj - pgp: >- - 31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2 diff --git a/kube/3-deploy/2-apps/whoogle/kustomization.yaml b/kube/3-deploy/2-apps/whoogle/kustomization.yaml deleted file mode 100644 index d1fb4076..00000000 --- a/kube/3-deploy/2-apps/whoogle/kustomization.yaml +++ /dev/null @@ -1,6 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - 1-namespace.yaml - - 2-install.yaml diff --git a/kube/3-deploy/2-apps/zerotier/.sops.yaml b/kube/3-deploy/2-apps/zerotier/.sops.yaml deleted file mode 100644 index e5de3de3..00000000 --- a/kube/3-deploy/2-apps/zerotier/.sops.yaml +++ /dev/null 
@@ -1,7 +0,0 @@ -creation_rules: - - path_regex: .*.yaml - encrypted_regex: ^(hosts|host|ZU_DEFAULT_USERNAME|ZU_DEFAULT_PASSWORD|ZU_CONTROLLER_ENDPOINT|nameservers|secretName|commonName|dnsNames|loadBalancerIP|externalIPs|ZT_ALLOW_MANAGEMENT_FROM)$ - age: >- - age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj - pgp: >- - 31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2 diff --git a/kube/3-deploy/2-apps/zerotier/1-namespace.yaml b/kube/3-deploy/2-apps/zerotier/1-namespace.yaml deleted file mode 100644 index b261277b..00000000 --- a/kube/3-deploy/2-apps/zerotier/1-namespace.yaml +++ /dev/null @@ -1,12 +0,0 @@ ---- -apiVersion: v1 -kind: Namespace -metadata: - name: zerotier - labels: - pod-security.kubernetes.io/enforce: privileged - pod-security.kubernetes.io/enforce-version: v1.26 - pod-security.kubernetes.io/audit: privileged - pod-security.kubernetes.io/audit-version: v1.26 - pod-security.kubernetes.io/warn: privileged - pod-security.kubernetes.io/warn-version: v1.26 diff --git a/kube/3-deploy/2-apps/zerotier/2-certs.yaml b/kube/3-deploy/2-apps/zerotier/2-certs.yaml deleted file mode 100644 index 46a0b0a3..00000000 --- a/kube/3-deploy/2-apps/zerotier/2-certs.yaml +++ /dev/null 
@@ -1,45 +0,0 @@ -apiVersion: cert-manager.io/v1 -kind: Certificate -metadata: - name: vpncert - namespace: zerotier -spec: - secretName: ENC[AES256_GCM,data:0hrZ,iv:xxUvw0q2Mu4DKn1+p6Y+mL68Y8D9o4zB/si7jeIYNO8=,tag:nKO3FoGWMOOSni+Dhn92tA==,type:str] - issuerRef: - name: letsencrypt-production - kind: ClusterIssuer - commonName: ENC[AES256_GCM,data:ID/wwJqSxffe,iv:9AMufuWk//7wI794F5G62Vv0IlvxDJPjAJh/z3epPVo=,tag:Lsrnu2vP6GpR91fRlkNvLA==,type:str] - dnsNames: - - ENC[AES256_GCM,data:K4uAzmvDrUU9,iv:iQe4azjqY7IoeXven6UnK/gPuVroibkio/Vph+QgBOI=,tag:c2W7rZSkwv3IwMsGLD9SgQ==,type:str] - - ENC[AES256_GCM,data:mJWJHXlj7pZ56xA=,iv:MsxCanR2cQNJmnWApwqxAmn45zQIxlROAVi0wqMhNc4=,tag:7psuoMpPu3kX1w6p3tiz2g==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsNlhwWDgzSW1VSTIraGpQ - dGxpU3BjNy9qN3YzYVdKS1g4OEZCSzl1QnprCnErbDcyTmQ5ZTB2czNsbGFWbGcz - UlVlZC8yMzMxZ2ZpLzgvWEJsalowZ0EKLS0tIFJDbDg4SlFqZVRObHJTVFVMMjN1 - WWZzN0VORmh0SlNXWHZRdkNQTjFqOU0KWMCPoge9kKQdNCN3WeAx1QHhit0oEHFT - ZCudRntexd0Nrby2OC0KcXOXCH1fTJEQdPD29EjlXTig86QRp/aP7Q== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2023-03-01T15:32:38Z" - mac: ENC[AES256_GCM,data:h7eRRJEnFOLtxwPDO5isAeB8YlAnNuAr03KqkV0syH44Z+C4sXuCdx0LzxI97qLPrifvTFabCbx1gbfKXj0iWbarzaUKGjKVncvDOdqDicntz5XRLtxxr2/JRTiqQTshgGNoAN5gzpAD6yRmxjlGoZ76R87aed47mdchrzA3Jq0=,iv:Y+53dKQjK5JRfIkq4gsepHAx5oBHjVikGBcNY9Qk2nM=,tag:+iSBsZMzQaNZpUccRA4WCw==,type:str] - pgp: - - created_at: "2023-03-01T15:32:37Z" - enc: | - -----BEGIN PGP MESSAGE----- - - hF4DAAAAAAAAAAASAQdAhQox1ebxBCSRViomIaf2wSxH/2BtXiAk0wQBOnvwTHEw - Ji3mOrg7G4dPzVsiBTNRvhlB848J0+5dV9B2p85BLgyEKljYheG6L78BQp7QILEa - 0l4Bn9Ev6JtqZuj+9EyXAJJ9RUX9MBdftNOLu399qd4HxdAg4tV+l34SF0C8x/TG - ZOKtQYenHEQHygoXuPrip9bnYGruc0d4jNv96S0zeanQx/N/X7vSPAIjTjR9qMBg - =7MhE - -----END PGP MESSAGE----- - fp: 
31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2 - encrypted_regex: ^(hosts|host|ZU_DEFAULT_USERNAME|ZU_DEFAULT_PASSWORD|ZU_CONTROLLER_ENDPOINT|nameservers|secretName|commonName|dnsNames|loadBalancerIP|externalIPs|ZT_ALLOW_MANAGEMENT_FROM)$ - version: 3.7.3 diff --git a/kube/3-deploy/2-apps/zerotier/3-pvc.yaml b/kube/3-deploy/2-apps/zerotier/3-pvc.yaml deleted file mode 100644 index 47e86121..00000000 --- a/kube/3-deploy/2-apps/zerotier/3-pvc.yaml +++ /dev/null @@ -1,12 +0,0 @@ ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: zerotier-one - namespace: zerotier -spec: - accessModes: ["ReadWriteOnce"] - storageClassName: block - resources: - requests: - storage: 1Gi diff --git a/kube/3-deploy/2-apps/zerotier/4-controller.yaml b/kube/3-deploy/2-apps/zerotier/4-controller.yaml deleted file mode 100644 index d75f1819..00000000 --- a/kube/3-deploy/2-apps/zerotier/4-controller.yaml +++ /dev/null 
@@ -1,85 +0,0 @@ -apiVersion: helm.toolkit.fluxcd.io/v2beta1 -kind: HelmRelease -metadata: - name: zerotier-controller - namespace: zerotier - labels: - helm.flux.home.arpa/app-template: "true" -spec: - values: - controller: - type: statefulset - strategy: RollingUpdate - fullNameOverride: zerotier-controller - image: - repository: docker.io/zyclonite/zerotier - tag: 1.10.2 - env: - ZT_OVERRIDE_LOCAL_CONF: "true" - ZT_ALLOW_MANAGEMENT_FROM: 0.0.0.0/0 - dnsPolicy: ClusterFirstWithHostNet - dnsConfig: - options: - - name: ndots - value: "1" - securityContext: - capabilities: - add: - - NET_ADMIN - - NET_RAW - - SYS_ADMIN - nodeSelector: - node-restriction.kubernetes.io/nodeType: main - service: - main: - enabled: true - primary: true - # type: LoadBalancer - # externalTrafficPolicy: Local - # loadBalancerIP: "${APP_IP_ZEROTIER}" - # externalIPs: - # - "${APP_IP_ZEROTIER}" - # ports: - # http: - # enabled: false - # zerotier-udp: - # enabled: true - # protocol: UDP - # port: 9993 - # targetPort: 9993 - # zerotier-tcp: - # enabled: true - # protocol: TCP - # port: 9993 - # targetPort: 9993 - # peers: - # enabled: true - type: NodePort - externalTrafficPolicy: Local - ports: - http: - enabled: false - peers-udp: - enabled: true - protocol: UDP - port: 9993 - targetPort: 9993 - nodePort: 9993 - peers-tcp: - enabled: true - protocol: TCP - port: 9993 - targetPort: 9993 - nodePort: 9993 - persistence: - zerotier-one: - enabled: true - type: pvc - mountPath: /var/lib/zerotier-one - retain: true - existingClaim: zerotier-one - tun: - enabled: true - type: hostPath - hostPath: /dev/net/tun - readOnly: true diff --git a/kube/3-deploy/2-apps/zerotier/5-ui.yaml b/kube/3-deploy/2-apps/zerotier/5-ui.yaml deleted file mode 100644 index 32038ec6..00000000 --- a/kube/3-deploy/2-apps/zerotier/5-ui.yaml +++ /dev/null 
@@ -1,62 +0,0 @@ -apiVersion: helm.toolkit.fluxcd.io/v2beta1 -kind: HelmRelease -metadata: - name: zerotier-ui - namespace: zerotier - labels: - helm.flux.home.arpa/app-template: "true" -spec: - values: - controller: - type: statefulset - strategy: RollingUpdate - fullNameOverride: zerotier-ui - image: - repository: docker.io/dec0dos/zero-ui - tag: 1.5.1 - env: - ZU_CONTROLLER_ENDPOINT: "${CONFIG_ZEROTIER_ENDPOINT}" - ZU_SECURE_HEADERS: "true" - ZU_DEFAULT_USERNAME: "${SECRET_ZEROTIER_UI_USERNAME}" - ZU_DEFAULT_PASSWORD: "${SECRET_ZEROTIER_UI_PASSWORD}" - nodeSelector: - node-restriction.kubernetes.io/nodeType: main - # dnsPolicy: None - dnsConfig: - options: - - name: ndots - value: "1" - service: - main: - ports: - http: - port: 4000 - ingress: - main: - enabled: true - ingressClassName: nginx - hosts: - - host: "${APP_DNS_ZEROTIER}" - paths: - - path: / - pathType: Prefix - tls: - - hosts: - - "${APP_DNS_ZEROTIER}" - secretName: vpn - persistence: - zerotier-one: - enabled: true - type: pvc - mountPath: /var/lib/zerotier-one - retain: true - existingClaim: zerotier-one - zerotier-ui-data: - enabled: true - type: pvc - mountPath: /app/backend/data - readOnly: false - accessMode: ReadWriteOnce - storageClass: block - size: 1Gi - retain: true diff --git a/kube/3-deploy/2-apps/zerotier/kustomization.yaml b/kube/3-deploy/2-apps/zerotier/kustomization.yaml deleted file mode 100644 index ea35c845..00000000 --- a/kube/3-deploy/2-apps/zerotier/kustomization.yaml +++ /dev/null @@ -1,9 +0,0 @@ ---- -apiVersion: kustomize.config.k8s.io/v1beta1 -kind: Kustomization -resources: - - 1-namespace.yaml - - 2-certs.yaml - - 3-pvc.yaml - - 4-controller.yaml - - 5-ui.yaml diff --git a/kube/3-deploy/2-apps/zipline/ks.yaml b/kube/3-deploy/2-apps/zipline/ks.yaml deleted file mode 100644 index b2c12a39..00000000 --- a/kube/3-deploy/2-apps/zipline/ks.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 -kind: Kustomization -metadata: - name: zipline-app - namespace: flux-system -spec: - path: ./kube/3-deploy/2-apps/zipline/app - dependsOn: - - name: ${CLUSTER_NAME_LOWER}-1-core-02-storage-rook-ceph - - name: ${CLUSTER_NAME_LOWER}-1-core-04-dns-internal - - name: ${CLUSTER_NAME_LOWER}-1-core-05-ingress-nginx - - name: 1-core-db-pg-clusters-default - healthChecks: - - name: zipline - namespace: zipline - kind: HelmRelease - apiVersion: helm.toolkit.fluxcd.io/v2beta1 diff --git a/kube/bootstrap/flux/kustomization.yaml b/kube/bootstrap/flux/kustomization.yaml new file mode 100644 index 00000000..3076a9f6 --- /dev/null +++ b/kube/bootstrap/flux/kustomization.yaml @@ -0,0 +1,5 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - github.com/fluxcd/flux2/manifests/install?ref=v2.0.0-rc.5 diff --git a/kube/clusters/biohazard/config/secrets.sops.env b/kube/clusters/biohazard/config/secrets.sops.env index 1f8b1e67..fcde7d2b 100644 --- a/kube/clusters/biohazard/config/secrets.sops.env +++ b/kube/clusters/biohazard/config/secrets.sops.env 
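Review bot: The remote base on the last line of the new `kube/bootstrap/flux/kustomization.yaml` is pinned by the git tag `v2.0.0-rc.5`, which is mutable upstream, so a bootstrap run at a later date is not guaranteed to apply the same manifests this commit was tested with; kustomize's `ref=` also accepts a full commit SHA, and pinning to that (keeping the tag in a trailing comment for readability) makes the fetched manifests reproducible. The same release-candidate tag is used for the OCIRepository in `flux-install.yaml` elsewhere in this commit, so the two places need to be bumped together when a GA release replaces it, and a comment pointing from one to the other would help keep them from drifting.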
@@ -67,12 +67,13 @@ SECRET_MINIFLUX_PG_DBNAME=ENC[AES256_GCM,data:Gh38/ljUWkU=,iv:JPsEPf/aiDXFncN3og SECRET_MINIFLUX_PG_USER=ENC[AES256_GCM,data:qMBC7e5KW98=,iv:wu2+CK0pRy+uwQzDng/WM4asUAkXu2EMU6cjSDPcccY=,tag:29+QVjETJ4jwP3x0nwjERQ==,type:str] SECRET_MINIFLUX_PG_PASS=ENC[AES256_GCM,data:rLuVT8S9hkQTE/T0Z6M06qgmzIt8ufC8drdofL1n19uefnLsU4WqgLZ/KYGrxQ==,iv:oLcrZilIuQf+QHCJYiQllummr4yRz6aflDhNb21GNUE=,tag:H4XCkfmJl8jQogvGDCVZOw==,type:str] SECRET_OVENMEDIAENGINE_SIGNEDPOLICY_SECRETKEY=ENC[AES256_GCM,data:5RF5A82+VFFBExTrY2QRRjUBuEq3peY/MAXDh7K/U6U3z6tzqqa+Cw==,iv:qz9k3l+Xi/O/13FPRTzIwozAVdRdGhjrFxxeo/YjUdE=,tag:aLNBq5qlxpJptIhGqLMCxg==,type:str] -sops_age__list_0__map_recipient=age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj -sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhF4DAAAAAAAAAAASAQdANDTQwVjZ/Ad3iqBe0LL2sGCrEvrl6W6VaMjFgJCUkzYw\nwASmi9Y/OqREXtEItA1rKZDTM38LuMfcU4vAeEV0SNWlW5CQquN8UpLwMATrBdXr\n0lwBcvIZFLbbnfqFAdJ1EzbRWvHuh+yn5DBMH+odm3ZLaJqiiV9EaWhfl2rdIOr4\nPJQf6Ev1hueWmc9H45a8nvwH8sOl9MH9hl3TW7o9JOOhGmZ4BBVaSJW6f0UiZw==\n=iSQg\n-----END PGP MESSAGE-----\n +SECRET_OVENMEDIAENGINE_ACCESSTOKEN=ENC[AES256_GCM,data:5wq3Eh0MR/yZ09VIOCoiPO4bxRHkMU3S8AVlsR0BZVQpm/q/8WBjh+E7rxb2NlX+D2Lsdsy2VkGVKlD7DU2ysOe+h40HmxmW66A9dZAS/IoQfxfE3QXquVmHrRvdd7GEPi36sw51ZDstfWiL1YRA0TV6mfAi+Z/1UgD3bMlL7QI=,iv:rczJrTn9trKCWd1qdw1DyZDdLhjEE8nfNysYtkiXV1s=,tag:Gnd8kEAGLScgRW5ffWiOpQ==,type:str] sops_unencrypted_suffix=_unencrypted -sops_pgp__list_0__map_created_at=2023-06-01T18:01:07Z -sops_lastmodified=2023-06-24T19:59:03Z -sops_mac=ENC[AES256_GCM,data:S41QDYjY90ErJ9rguHqfhO0PCuo1ptHadJSWyTkVLMLZzrDeZOpHa5vzslcuzA0hC1sJ/D6VpTVM+kCY/SFRkdVgb8D8JlyJw/pHE4XJqMgFcbD+0FTiAtH4zX8WLC7vICUG1UlXLd4cxHpEsOKDtdBSWSxwErvm+woyNooP+Y8=,iv:Wrzr5kZjoBeZrXQq522wv7/BgW5ZbMiYQ2dqh1ljYuo=,tag:c+J81ePMAzGPelIFqdd78Q==,type:str] sops_version=3.7.3 +sops_age__list_0__map_recipient=age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj +sops_lastmodified=2023-06-24T22:17:31Z 
+sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhF4DAAAAAAAAAAASAQdANDTQwVjZ/Ad3iqBe0LL2sGCrEvrl6W6VaMjFgJCUkzYw\nwASmi9Y/OqREXtEItA1rKZDTM38LuMfcU4vAeEV0SNWlW5CQquN8UpLwMATrBdXr\n0lwBcvIZFLbbnfqFAdJ1EzbRWvHuh+yn5DBMH+odm3ZLaJqiiV9EaWhfl2rdIOr4\nPJQf6Ev1hueWmc9H45a8nvwH8sOl9MH9hl3TW7o9JOOhGmZ4BBVaSJW6f0UiZw==\n=iSQg\n-----END PGP MESSAGE-----\n +sops_pgp__list_0__map_created_at=2023-06-01T18:01:07Z sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxalh5ckhGWGxFTmFqSDQv\ndXlPOUlyYVNkWHA5VGN2TERvaWtWMHlJdFRNCnQ1NlJldEgxb2E0VEdVSDVpbHp5\nZEpTMEQ5dWU0Q2ZWTFBOZFp5Ti95ejQKLS0tIDF0c3VlazRzVWtVQ1JXT3hyTWNN\nWXpUSUNydGY4V04xZ2dTSzlvWmNOTGsKQ3rimeB7zqB4dYMp1pR1AOltXk+GhGsb\ns0jDxr/SiPUaiYoVCY4fqu9geXNRDGlPh3T2Lhs9Siif4Vnc8qTQBw==\n-----END AGE ENCRYPTED FILE-----\n +sops_mac=ENC[AES256_GCM,data:Q97o4w/Ge5ZNtrei4yuwqPhZcVGAVfyAgvaGSiUvb5Sav/u4+T2uxZSdbf5p+nlLgszVo5CmW7hw1dvn1edKTB/RqHCJk2U/Ue1cpWZ8M/3rj3IioR4GybHIxKpQiTNCmIBn00YJx8l+0new0ohxnaWfGxsXcYboHxPninSOkpI=,iv:GLzaZSJvMjEvLCWqKajP2x9qmE9mieiaSEOQngqB0Fc=,tag:iAtNDY7Zq9lpT0E/zZTZZw==,type:str] sops_pgp__list_0__map_fp=31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2 diff --git a/kube/clusters/biohazard/config/vars.sops.env b/kube/clusters/biohazard/config/vars.sops.env index 83010f4b..d5b5e4d0 100644 --- a/kube/clusters/biohazard/config/vars.sops.env +++ b/kube/clusters/biohazard/config/vars.sops.env 
@@ -1,5 +1,5 @@ -CLUSTER_NAME=ENC[AES256_GCM,data:QDlF0r9p4p9T,iv:SxkwuJ8B2RZqSwYaXgrsvMDp68RqF98O2X34sm2Xmg8=,tag:taosHI0ammrR9D7AQFR5qA==,type:str] -CLUSTER_NAME_LOWER=ENC[AES256_GCM,data:LOBnHj8XCXtQ,iv:fTr/bbL3VPM8ak6W6ajh2TYqs/L8E9xBcMRi9YP3ReI=,tag:30G22YNIgJAcKfQKJwhx9w==,type:str] +CLUSTER_NAME=ENC[AES256_GCM,data:VEDYOJ8ZUwrG,iv:Wr1n+LLZNiB0m9PHs+jjRJssXWpvNKV7n4lcOVcNd+E=,tag:W1ya32k6II9JO8g9JBw51A==,type:str] +CLUSTER_NAME_UPPER=ENC[AES256_GCM,data:brbPB3I9mZVo,iv:a4qpy23gX77lAhqtQ9Nj1YnPA420cqw+OknBEUURgDQ=,tag:jB+C2Oc2y9tUMNO881OKvw==,type:str] CLUSTER_ID=ENC[AES256_GCM,data:Lw==,iv:64SEKTr0zvzlwV/FFZHRrmd76mkEaPzSgZqA9NnEk08=,tag:Utwnqxu14Mwm+glXsUPNSA==,type:str] CONFIG_TZ=ENC[AES256_GCM,data:yjenwiH185SgIz1gDHs=,iv:zWulurvktdU7e+866iNrafkjqAuqZSnJtx8kq7RhNTM=,tag:M5IkAMqEep8dIIbHGXetIg==,type:str] USERS_1_UID=ENC[AES256_GCM,data:DY9qIA==,iv:M0E4LpIkCL4gABzOEzLVBHjGfXpPtYXb1ssezvN4D9o=,tag:wopQ/2iWx7aoxnLaQrYgFg==,type:str] 
@@ -19,10 +19,12 @@ IP_ROUTER_LAN=ENC[AES256_GCM,data:q+9MIIuBLPA=,iv:pzWM3e0qgyRLgYtXv3aoKqX6ZOnpQU IP_ROUTER_LAN_CIDR=ENC[AES256_GCM,data:VBNZEYACQMQduOU=,iv:is1RkkLkgUYuNPypTFRm7krP9nb1rkrZ64pkQT+5LEM=,tag:opkUbEo8JR1Gp13pklKz7g==,type:str] IP_ROUTER_VLAN_K8S=ENC[AES256_GCM,data:BF7rMLUGyiMb,iv:H+s1v1sl6ZNJEvF1QO5kIYE7jquhLrDXbPnpE2PywUY=,tag:Sux+8RhfEHfZDXT2z4S5Jw==,type:str] IP_ROUTER_VLAN_K8S_CIDR=ENC[AES256_GCM,data:ofSpO4zPW15NjV5U,iv:NiFUvxTyLkN6pamnvvdDp4jrvIDyjUL29iytz6WtQ5o=,tag:J3EfAU0XGsyLM3LyJhqUXA==,type:str] +IP_ROUTER_VLAN_K8S_PREFIX=ENC[AES256_GCM,data:abED1u8guh0=,iv:Po4vQtJTEfBOFItiFzGp1F0YosLpYn97MBuRpEoHNEc=,tag:5RHzXYXjHbPdy8vLXsMM5w==,type:str] IP_WG_USER_1_V4=ENC[AES256_GCM,data:6kwe/D0YVGEG7CMWhr8=,iv:B4Dk4AaljCym/cxatpO/5WMZ2E4KMiNH+tCLH+yVsf8=,tag:nqqze7vKrsWTBWG5/Ou/Ag==,type:str] IP_WG_GUEST_V4=ENC[AES256_GCM,data:zNwOAgzou0T8cAduDBY=,iv:matZ/IhxDQ+CGO3IelqlszVfmAr12dgWXIH9YLGGDOs=,tag:/MJRFYmH69ldrHfdjSQSpA==,type:str] IP_CLUSTER_VIP=ENC[AES256_GCM,data:ghu7xLzr91gN,iv:4KNr0G6tjdzsoyy8TLCIdCp4vvWNGHOJfob7XCLTDto=,tag:cO9O4nhuLR3hFtHJpdoE9Q==,type:str] IP_POD_CIDR_V4=ENC[AES256_GCM,data:3SN16w9wO79Kt2OlZg==,iv:8Q+GVVGU6NZRHR5E3FZXpyev4CC6e7k1NYRb8GhpZUE=,tag:i9WluteN3JdWDePWEANzOw==,type:str] +IP_SVC_CIDR_V4=ENC[AES256_GCM,data:uHwTCCtbTpo4UwHgJw==,iv:+I2V+I0jffCJknDomBQ9Zw7btm2sJupbsKl5mnHka2Y=,tag:kxGqfwSEtRdMS/0CL5FpvA==,type:str] IP_LB_CIDR=ENC[AES256_GCM,data:NHEFdMzcHnBca+8tgA==,iv:ZQLZfYJNmDrJOyW8OPG4fNL5KYylcJTPx6wYZDGYoFU=,tag:uQFBVjIhhddl+wZwnIgEBQ==,type:str] IP_LB_DNS_CIDR=ENC[AES256_GCM,data:n++ZYPrjSQCEaNC6YVM=,iv:LnTTl2kaFgKK8HZLotkZBLqpCFEBH6GOAkTFihgXpHY=,tag:w4PLDrN/Ba/KAVEoOBn2wA==,type:str] IP_LB_DNS=ENC[AES256_GCM,data:LX0wu1WB2Hj0Dyc=,iv:rxdCTNbgCvLmJ7MMz6O3E+BXcdKgT3atSM0pbYPOgQ4=,tag:oJmPV4avTj6qbyCRCxUC3Q==,type:str] 
@@ -33,6 +35,7 @@ IP_EC2_INGRESS=ENC[AES256_GCM,data:omO7wXHHdXAMtw==,iv:CjT+gLZ1qXlojRhO4aqASOPN4 IP_OLD_DOCKER=ENC[AES256_GCM,data:P0UtR+GaYgiL,iv:4fUoNHCJNRPeKxdRTGIqTsCygXWzjNzLv+6j6M5HKTE=,tag:AvTs/+R6Z1gkZuSVwXLFBg==,type:str] IP_TRUENAS=ENC[AES256_GCM,data:FmYxX0MfwAa5,iv:IQ2RDyFfWMB81+KWAdViSaI9wsG7ZeuWHqP8WHLxcjo=,tag:zKLAvj9Bv7LUxTzCgxzATw==,type:str] IP_PVE_CEPH_CIDR=ENC[AES256_GCM,data:pZQiINu+zq+Eu817QSs=,iv:HNqO1t6CIYKYFu79ZIa7drta6nHrusbIAvDMZOqTjQ8=,tag:c7twZOYfyoWFtM7EsCQGYg==,type:str] +IP_PVE_CEPH_PREFIX=ENC[AES256_GCM,data:qTb2oGx0lYVYXg==,iv:LHvEoa8FOfyFgkbofpGL2Fxywh0IovaqDd4f/KuD5gA=,tag:toyC1fok90KGTSV/i+J3lA==,type:str] IP_PVE_CEPH_1=ENC[AES256_GCM,data:4XniDxEiYapl8jE=,iv:tsUuu/zQRlpg3FP5D0xskegvri0Ff/gzIDhDEfMBSqI=,tag:ZyNRjxrcPFdwtVrOjzoQ0A==,type:str] IP_PVE_CEPH_2=ENC[AES256_GCM,data:7grFGVPdQVfvWUw=,iv:wFUEr0oLNKh596/osnZFPEB2K2DrK9YJAQ1UGp6+Ro8=,tag:K0hI4bYhVWZ34OtDo20F4Q==,type:str] IP_PVE_CEPH_3=ENC[AES256_GCM,data:gcpKOsqmtwse/y8=,iv:S6mFA3zgOjWia3H3yEiygaUNDz7mPaDjGhLOZuIb2kM=,tag:dwAzKWIxG+d6Cp1sMtBS2w==,type:str] 
@@ -54,8 +57,9 @@ APP_IP_K8S_GATEWAY=ENC[AES256_GCM,data:mNfGiLFSLx4dpAo=,iv:CYo6xNLE+bunmdTbvCGMI APP_IP_HAPROXY_PROXY_X=ENC[AES256_GCM,data:yBoLaUWZ1Ul/05o=,iv:AkmKj+GrlAyhl1/6w7WScRlzk5Fw/sFwy1ROvjjZyHw=,tag:a2/hZAf2UjJvWaVhzs/Z5g==,type:str] APP_UID_HAPROXY_PROXY_X=ENC[AES256_GCM,data:B3G6nA==,iv:e5UIYZa52kQ8GFBD30d4/U8WMito6albh4CMgYhHOpg=,tag:8TBer2t4zGGYIC3bmO5FLA==,type:str] APP_DNS_FLUX_WEBHOOK=ENC[AES256_GCM,data:LeEVKkgJzTyJGRqr+LMQynh7+pPqSaxd,iv:f4FPxbRGwAa359vlbqr7MTPYItIgcjNo6RwFSKf5T6k=,tag:k6yyN1FRRLKNW0Prdyc25A==,type:str] +APP_DNS_RADOSGW=ENC[AES256_GCM,data:f7vMFBNWRtQZ,iv:lAXYTkBTE4/PW/bm25c4ZzrIxlgQsOfpXJeyNYqtwr0=,tag:PDSUP4+4eHauhpORu+Z7Ig==,type:str] APP_IP_RADOSGW=ENC[AES256_GCM,data:3ndMvS7qVTZxSg==,iv:n/5arRlOykLfrk8kGqPMaZegYI9FNHlkIPzmawdGsDc=,tag:+V6LDeK6U2sxJ5a+KNyxqw==,type:str] -APP_DNS_RGW_S3=ENC[AES256_GCM,data:3RkyzpijzJ6D,iv:QQceRsolcZoHUBz9WbECMHQk4/tHQNYEsHbPsZVsQLE=,tag:4qR2yWPV5MHLiWjPB3fqsA==,type:str] +APP_DNS_RGW_S3=ENC[AES256_GCM,data:X/DlP3vIFc07Sg==,iv:HlJ/AbTqCuOuszK8Lll8qsSNpuZOoty0lsnYCt1UF48=,tag:nFoxdgyYyZArPflmm2DwHQ==,type:str] APP_DNS_INGRESS_WILDCARD=ENC[AES256_GCM,data:aPYf3BwPvNA=,iv:Kgey2Z4+1JFa9JOOzG98QmBBMIp4fTPm8VPLw5d9gLw=,tag:R8Hb5kcuLFlIP0m1Aopdpg==,type:str] APP_DNS_HUBBLE=ENC[AES256_GCM,data:IcbmzSNwcLqbtg==,iv:qGuMNgCu39RMcdKjsGia8wCZ1Vpj8MVcDO2QQv4wONY=,tag:mqwjMLhKR4q0tjftCS25Lw==,type:str] APP_IP_KANIDM=ENC[AES256_GCM,data:VGm8gzd5D5x3phU=,iv:yS1pT2TSGKsTeFB0ouYUyTYEGD88d3DebpwSJ6lJpSs=,tag:kpa8wKJm4gdyCWKJ1A4n1w==,type:str] 
@@ -118,12 +122,12 @@ CONFIG_ZEROTIER_ENDPOINT=ENC[AES256_GCM,data:tOyIlrzdn8sck7um7OSicq5T0XWAmymaRLn CONFIG_AUTHENTIK_REMOTE_HOST=ENC[AES256_GCM,data:Iv7k3CoKsLrQf0PRIfhGMCAjOU3AdweS+LFWMeEQoWc=,iv:TsRwWDUrI3zAgBgFRkZAYUNlZV0Q/gOlGjKFrheM0nE=,tag:38OGfWYEm/h/+FH7IsIH3Q==,type:str] CONFIG_HEADSCALE_IPV4=ENC[AES256_GCM,data:EZ7GMHA6u1wWPS5g6Pg=,iv:W1hcseQ4Q6CisTXnDLI7hWTy18fIVKtZ46tudCyhfa4=,tag:2WnnNjuZhwUPG07OKTQt2g==,type:str] CONFIG_OVENMEDIAENGINE_NAME=ENC[AES256_GCM,data:58CuH8bcUHWXBZA=,iv:BN7x6aAJPbzIn25sNoycsHRE5pugkubLS2VrM77+g/E=,tag:6JAsRjU0L6wbZtns3rk6KQ==,type:str] -sops_age__list_0__map_recipient=age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFSXFvLzFQaFJ0OVJKUFV5\nTWh2OUltUlpJWFlVVytFYU9VajBHSnQ4SGdjCnRVbEVXdDVyUHJrR05Ba0xvUm1l\nTkt2YmNUZy90ZFA2b3QrODFKZ01EVG8KLS0tIEw2dkd1cnFCbnI5eWxKL2o1aDVB\nN0hveXZ2dWdxQ2k2L0pGR0ROMStVTmsK4dV/hNyDjsYnVUiFQ7kqdmcVHfYyVckz\nh/rwLjcZgsup72WDVP3v6Eul8B3LKFrSb8CDFA54tyQmSdFDCQC+Zg==\n-----END AGE ENCRYPTED FILE-----\n -sops_pgp__list_0__map_fp=31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2 -sops_version=3.7.3 -sops_lastmodified=2023-06-24T19:56:52Z -sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhF4DAAAAAAAAAAASAQdAbA35718t0WVKrjQFYUPviCb0lVuh8NpfSdJCHjHcWWww\n8ak4q4VL69tZLSjQHx+VsMmKooknxWz6pw0lGxyDYlZMQ81bodInjaZGFZSz8Uuh\n0l4BhDCNDBBALTrnTliz6/DAHvmavI4UxMHost5alFio9JPkTDNmXZyvcy1/R6aw\n/uhQXLUBRvm0TSOhBZb7d0SLkLfe02Um40w1TibpKXsZz1GOMbPRNBMHHra0QIuQ\n=0jA+\n-----END PGP MESSAGE-----\n -sops_unencrypted_suffix=_unencrypted -sops_mac=ENC[AES256_GCM,data:awiLqmtBM8LGXW9DN/0IrQ6bIRpyGMrORjr/1cO0uzpjjDRFoJWGgCRZCG7nBLDNO1RQ04tMrNDVHFA2+XK1XZV09znNr5QiycoAsREBvIcqs9omga4fTzV8/mpx7YVkT2yhz9dTgOGAGqyfz8swY4H2TqvSu+VP4OuHzYE8MVQ=,iv:ujhMqHV9fUGAYqhJvjq+IhrBRDtiLvG+6ie21B1V8yM=,tag:MX9nG6c/24QgvQqpGozhsw==,type:str] +sops_lastmodified=2023-06-26T17:29:49Z 
sops_pgp__list_0__map_created_at=2023-06-01T18:01:04Z +sops_age__list_0__map_recipient=age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj +sops_unencrypted_suffix=_unencrypted +sops_version=3.7.3 +sops_mac=ENC[AES256_GCM,data:LPxgvUiAB/j9ZDeMCAO+EeBionM/tTyDxhAjGgrKY1rnZYfBK8ocy3yVu+XLc1vkK+590QG5pcpcaEcM/RgSluD/z3xf58/7qADxjK3bh2J05lZwreFWP6PlsEW+N7w/do1ys1ZTW2cBo+BwpdBPS6OvowUpuAIRKBnsaE6IZD4=,iv:G3NRG6DtZZqyKMdDB11jwnSUfff/r0DcP32QHlV62rU=,tag:B5GSPUISp0y+9aJOghinRg==,type:str] +sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhF4DAAAAAAAAAAASAQdAbA35718t0WVKrjQFYUPviCb0lVuh8NpfSdJCHjHcWWww\n8ak4q4VL69tZLSjQHx+VsMmKooknxWz6pw0lGxyDYlZMQ81bodInjaZGFZSz8Uuh\n0l4BhDCNDBBALTrnTliz6/DAHvmavI4UxMHost5alFio9JPkTDNmXZyvcy1/R6aw\n/uhQXLUBRvm0TSOhBZb7d0SLkLfe02Um40w1TibpKXsZz1GOMbPRNBMHHra0QIuQ\n=0jA+\n-----END PGP MESSAGE-----\n +sops_pgp__list_0__map_fp=31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2 diff --git a/kube/1-clusters/Biohazard/2-config/1-flux-install.yaml b/kube/clusters/biohazard/flux/flux-install.yaml similarity index 81% rename from kube/1-clusters/Biohazard/2-config/1-flux-install.yaml rename to kube/clusters/biohazard/flux/flux-install.yaml index d6cf0dab..275aa8fb 100644 --- a/kube/1-clusters/Biohazard/2-config/1-flux-install.yaml +++ b/kube/clusters/biohazard/flux/flux-install.yaml @@ -1,5 +1,4 @@ --- -# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/ocirepository_v1beta2.json # downloads and installs Flux manifests to cluster apiVersion: source.toolkit.fluxcd.io/v1beta2 kind: OCIRepository 
@@ -10,13 +9,13 @@ spec: interval: 10m url: oci://ghcr.io/fluxcd/flux-manifests ref: - tag: v0.40.0 + tag: v2.0.0-rc.5 --- -# yaml-language-server: $schema=https://kubernetes-schemas.devbu.io/kustomization_v1beta2.json -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 +apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: 1-flux + name: zzz-flux + # I don't wanna see it on the top lol namespace: flux-system labels: kustomization.flux.home.arpa/name: "flux" diff --git a/kube/1-clusters/Biohazard/2-config/2-flux-repo.yaml b/kube/clusters/biohazard/flux/flux-repo.yaml similarity index 84% rename from kube/1-clusters/Biohazard/2-config/2-flux-repo.yaml rename to kube/clusters/biohazard/flux/flux-repo.yaml index 7fe7aec1..3ef621b3 100644 --- a/kube/1-clusters/Biohazard/2-config/2-flux-repo.yaml +++ b/kube/clusters/biohazard/flux/flux-repo.yaml @@ -1,5 +1,5 @@ --- -apiVersion: source.toolkit.fluxcd.io/v1beta2 +apiVersion: source.toolkit.fluxcd.io/v1 kind: GitRepository metadata: name: flux-system @@ -17,10 +17,11 @@ spec: # include Kubernetes !/kube --- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 +apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: 2-biohazard-config + name: 0-biohazard-config + # I wanna see it on the top lol namespace: flux-system labels: kustomization.flux.home.arpa/name: "flux" @@ -28,8 +29,8 @@ metadata: wait.flux.home.arpa/disabled: "true" kustomization.flux.home.arpa/helmpatches: "false" spec: - interval: 1m0s - path: ./kube/1-clusters/Biohazard/2-config + interval: 5m0s + path: ./kube/clusters/biohazard/flux prune: false wait: false sourceRef: @@ -49,12 +50,12 @@ spec: optional: false patches: - patch: |- - apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 + apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: not-used spec: - interval: 1m0s + interval: 5m0s timeout: 10m0s decryption: provider: sops 
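Review bot: The OCIRepository for `oci://ghcr.io/fluxcd/flux-manifests` is pinned only by `tag: v2.0.0-rc.5` (first hunk on this line) with no signature verification, so a tag that is moved or re-pushed on the registry would be fetched at the next 10m poll and applied by kustomize-controller, which normally runs with cluster-admin. Flux publishes these manifests with a Cosign keyless signature and the OCIRepository API can enforce it: adding `verify:` / `  provider: cosign` under `spec` makes source-controller refuse an artifact whose signature does not verify, and pinning `ref.digest` instead of `ref.tag` is the stricter option if reproducibility matters more than easy bumps. The enclosing OCIRepository spec starts outside this hunk.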
@@ -62,10 +63,10 @@ spec: name: biohazard-secrets-decrypt-sops-age target: group: kustomize.toolkit.fluxcd.io - version: v1beta2 + version: v1 kind: Kustomization - patch: |- - apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 + apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: not-used @@ -75,31 +76,31 @@ spec: name: flux-system target: group: kustomize.toolkit.fluxcd.io - version: v1beta2 + version: v1 kind: Kustomization labelSelector: kustomization.flux.home.arpa/default notin (false) - patch: | - op: add path: /spec/dependsOn/- value: - name: 2-biohazard-config + name: 0-biohazard-config target: group: kustomize.toolkit.fluxcd.io - version: v1beta2 + version: v1 kind: Kustomization labelSelector: kustomization.flux.home.arpa/default notin (false) - patch: | - op: add path: /spec/dependsOn/- value: - name: biohazard-1-core-01-networking-cilium + name: 1-core-1-networking-cilium-app target: group: kustomize.toolkit.fluxcd.io - version: v1beta2 + version: v1 kind: Kustomization labelSelector: kustomization.flux.home.arpa/name notin (cilium, flux, kubevirt) - patch: |- - apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 + apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: not-used @@ -114,11 +115,11 @@ spec: optional: false target: group: kustomize.toolkit.fluxcd.io - version: v1beta2 + version: v1 kind: Kustomization labelSelector: substitution.flux.home.arpa/disabled notin (true) - patch: |- - apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 + apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: not-used @@ -127,11 +128,11 @@ spec: prune: false # disable prune for Flux restructure target: group: kustomize.toolkit.fluxcd.io - version: v1beta2 + version: v1 kind: Kustomization labelSelector: prune.flux.home.arpa/disabled notin (true) - patch: |- - apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 + apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: not-used 
@@ -139,11 +140,11 @@ spec: prune: false target: group: kustomize.toolkit.fluxcd.io - version: v1beta2 + version: v1 kind: Kustomization labelSelector: prune.flux.home.arpa/disabled=true - patch: |- - apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 + apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: not-used @@ -151,11 +152,11 @@ spec: wait: true target: group: kustomize.toolkit.fluxcd.io - version: v1beta2 + version: v1 kind: Kustomization labelSelector: wait.flux.home.arpa/disabled notin (true) - patch: |- - apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 + apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: not-used @@ -163,11 +164,11 @@ spec: wait: false target: group: kustomize.toolkit.fluxcd.io - version: v1beta2 + version: v1 kind: Kustomization labelSelector: wait.flux.home.arpa/disabled=true - patch: |- - apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 + apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: not-used @@ -179,11 +180,6 @@ spec: metadata: name: not-used spec: - chart: - spec: - sourceRef: - kind: HelmRepository - namespace: flux-system interval: 5m maxHistory: 5 install: @@ -229,7 +225,7 @@ spec: main: annotations: nginx.ingress.kubernetes.io/auth-url: |- - http://ak-outpost-${CLUSTER_NAME_LOWER}.ingress.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx + http://ak-outpost-${CLUSTER_NAME}.ingress.svc.cluster.local:9000/outpost.goauthentik.io/auth/nginx nginx.ingress.kubernetes.io/auth-response-headers: |- Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid nginx.ingress.kubernetes.io/auth-snippet: | @@ -259,6 +255,6 @@ spec: labelSelector: nginx.ingress.home.arpa/type=auth-external-only target: group: kustomize.toolkit.fluxcd.io - version: v1beta2 + version: v1 kind: Kustomization labelSelector: kustomization.flux.home.arpa/helmpatches notin (false) 
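Review bot: The HelmRelease default patch in the `@@ -179,11 +180,6 @@` hunk no longer fills in `chart.spec.sourceRef` (`kind: HelmRepository`, `namespace: flux-system`), so every HelmRelease that relied on the patched-in default now has to declare its own `sourceRef`; a HelmRelease without `chart.spec.sourceRef.kind` and `.name` is rejected by the HelmRelease CRD validation rather than defaulted. The HelmReleases themselves are outside this diff, so I cannot tell whether all of them already carry it; the new `../../../repos/helm/app-template/` entry in the cluster kustomization suggests the chart source is being restructured at the same time. A one-line comment where the five lines were removed, e.g. `# sourceRef is no longer defaulted here; each HelmRelease must set chart.spec.sourceRef`, would save the next reader the archaeology.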
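Review bot: In the `@@ -229,7 +225,7 @@` hunk the authentik outpost address becomes `http://ak-outpost-${CLUSTER_NAME}.ingress.svc.cluster.local:9000/...`, so the substituted `CLUSTER_NAME` is now part of a Service DNS name and must be a lowercase RFC 1123 label. The value is re-encrypted in `vars.sops.env` in this same commit and `CLUSTER_NAME_LOWER` is replaced by `CLUSTER_NAME_UPPER`, which suggests `CLUSTER_NAME` now holds the lowercase form, but the ciphertext cannot confirm it; if it does not, the `auth_request` subrequest cannot resolve the outpost and nginx answers every request on the auth-protected ingresses with an error. Any leftover `${CLUSTER_NAME_LOWER}` reference elsewhere in the tree would likewise stop substituting after this rename, so a repo-wide grep for it before merging is cheap insurance.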
diff --git a/kube/clusters/biohazard/flux/kustomization.yaml b/kube/clusters/biohazard/flux/kustomization.yaml index 7bf5eeba..14e15edb 100644 --- a/kube/clusters/biohazard/flux/kustomization.yaml +++ b/kube/clusters/biohazard/flux/kustomization.yaml 
@@ -5,27 +5,52 @@ resources: - secrets-age.sops.yaml - secrets-ssh.sops.yaml - ../config/ - # - flux-install.yaml - # - flux-repo.yaml - - ../../../3-deploy/2-apps/atuin/ - - ../../../3-deploy/2-apps/miniflux/ - - ../../../3-deploy/2-apps/elk/ + - flux-install.yaml + - flux-repo.yaml + - ../../../repos/helm/app-template/ + - ../../../deploy/core/_networking/cilium/ + - ../../../deploy/core/storage/_external-snapshotter/ + - ../../../deploy/core/storage/rook-ceph/ + - ../../../deploy/core/storage/volsync/ + - ../../../deploy/core/tls/cert-manager/ + - ../../../deploy/core/dns/internal/ + - ../../../deploy/core/dns/internal/k8s-gateway/ + - ../../../deploy/core/dns/external-dns/ + - ../../../deploy/core/ingress/ + - ../../../deploy/core/ingress/ingress-nginx/ + - ../../../deploy/core/ingress/cloudflare/ + - ../../../deploy/core/ingress/external-proxy-x/ + - ../../../deploy/core/db/pg/ + - ../../../deploy/core/monitoring/ + - ../../../deploy/core/monitoring/metrics-server/ + - ../../../deploy/core/monitoring/kube-state-metrics/ + - ../../../deploy/core/monitoring/node-exporter/ + - ../../../deploy/core/monitoring/victoria/ + - ../../../deploy/core/hardware/node-feature-discovery/ + - ../../../deploy/core/hardware/intel-device-plugins/ + - ../../../deploy/apps/flux-system/ + - ../../../deploy/apps/tetragon/ + - ../../../deploy/apps/kubevirt/ + - ../../../deploy/apps/default/ + - ../../../deploy/apps/whoogle/ + - ../../../deploy/apps/gokapi/ + - ../../../deploy/apps/minecraft/ + - ../../../deploy/apps/sandstorm/ + - ../../../deploy/apps/jellyfin/ + - ../../../deploy/apps/kavita/ + - ../../../deploy/apps/authentik/ + - ../../../deploy/apps/kanidm/ + - ../../../deploy/apps/syncthing/ + - ../../../deploy/apps/excalidraw/ + - ../../../deploy/apps/velociraptor/ + - ../../../deploy/apps/gotosocial/ + - ../../../deploy/apps/ntfy/ + - ../../../deploy/apps/satisfactory/ + - ../../../deploy/apps/headscale/ + - ../../../deploy/apps/zipline/ + - ../../../deploy/apps/kah/ + - 
../../../deploy/apps/atuin/ + - ../../../deploy/apps/miniflux/ + - ../../../deploy/apps/elk/ - ../../../deploy/apps/livestream/ - ../../../deploy/apps/livestream/oven - # - ceph-rgw-ext-users.yaml - # - ../../../3-deploy/1-core/05-ingress/cloudflare/ - # - ../../../3-deploy/1-core/05-ingress/external-proxy-x/ - # - ../../../3-deploy/1-core/06-monitoring/1-deps/ - # - ../../../3-deploy/1-core/06-monitoring/node-exporter/ - # - ../../../3-deploy/1-core/db/pg/ - # - ../../../3-deploy/2-apps/default/ - # - ../../../3-deploy/2-apps/flux-system/ - # - ../../../3-deploy/2-apps/authentik/ - # - ../../../3-deploy/2-apps/kanidm/ - # - ../../../3-deploy/2-apps/syncthing/ - # - ../../../3-deploy/2-apps/excalidraw/ - # - ../../../3-deploy/2-apps/velociraptor/ - # - ../../../3-deploy/2-apps/gotosocial/ - # - ../../../3-deploy/2-apps/ntfy/ - # - ../../../3-deploy/2-apps/satisfactory/ - # - ../../../3-deploy/2-apps/headscale/ diff --git a/kube/clusters/biohazard/talos/talconfig.yaml b/kube/clusters/biohazard/talos/talconfig.yaml new file mode 100755 index 00000000..89943a82 --- /dev/null +++ b/kube/clusters/biohazard/talos/talconfig.yaml 
@@ -0,0 +1,222 @@ +clusterName: biohazard +talosVersion: v1.4.5 +kubernetesVersion: v1.27.3 +endpoint: "https://c.${DNS_CLUSTER}:6443" +allowSchedulingOnMasters: true +dnsDomain: cluster.local + +cniConfig: + name: none + +clusterPodNets: + - "${IP_POD_CIDR_V4}" +clusterSvcNets: + - "${IP_SVC_CIDR_V4}" + +additionalApiServerCertSans: + - "${IP_CLUSTER_VIP}" + - "${IP_ROUTER_VLAN_K8S}" + - "c.${DNS_CLUSTER}" + +additionalMachineCertSans: + - "${IP_CLUSTER_VIP}" + - "${IP_ROUTER_VLAN_K8S}" + - "c.${DNS_CLUSTER}" + +nodes: + + - hostname: "thunderscreech.${DNS_CLUSTER}" + ipAddress: "${IP_ROUTER_VLAN_K8S_PREFIX}1" + controlPlane: true + installDisk: /dev/vda + nodeLabels: + node-restriction.kubernetes.io/nodeType: main + nodes.home.arpa/type: stable + nameservers: + - "${IP_HOME_DNS}" + disableSearchDomain: true + networkInterfaces: + - interface: eth0 + mtu: 1500 + dhcp: false + addresses: + - "${IP_ROUTER_VLAN_K8S_PREFIX}1/28" + routes: + - network: "${IP_ROUTER_VLAN_K8S_CIDR}" + metric: 1 + - network: 0.0.0.0/0 + gateway: "${IP_ROUTER_VLAN_K8S}" + vip: + ip: "${IP_CLUSTER_VIP}" + - interface: eth1 + mtu: 9000 + dncp: false + addresses: + - "${IP_PVE_CEPH_PREFIX}4/29" + routes: + - network: "${IP_PVE_CEPH_CIDR}" + metric: 1 + + - hostname: "humming.${DNS_CLUSTER}" + ipAddress: "${IP_ROUTER_VLAN_K8S_PREFIX}2" + controlPlane: true + installDisk: /dev/vda + nodeLabels: + node-restriction.kubernetes.io/nodeType: main + nodes.home.arpa/type: stable + nameservers: + - "${IP_HOME_DNS}" + disableSearchDomain: true + networkInterfaces: + - interface: eth0 + mtu: 1500 + dhcp: false + addresses: + - "${IP_ROUTER_VLAN_K8S_PREFIX}2/28" + routes: + - network: "${IP_ROUTER_VLAN_K8S_CIDR}" + metric: 1 + - network: 0.0.0.0/0 + gateway: "${IP_ROUTER_VLAN_K8S}" + vip: + ip: "${IP_CLUSTER_VIP}" + - interface: eth1 + mtu: 9000 + dncp: false + addresses: + - "${IP_PVE_CEPH_PREFIX}5/29" + routes: + - network: "${IP_PVE_CEPH_CIDR}" + metric: 1 + patches: + # required for Talos to 
initialize i915 VFIO devices + - |- + machine: + install: + extensions: + - image: ghcr.io/siderolabs/i915-ucode:20230310 + + - hostname: "strato.${DNS_CLUSTER}" + ipAddress: "${IP_ROUTER_VLAN_K8S_PREFIX}3" + controlPlane: true + installDisk: /dev/vda + nodeLabels: + node-restriction.kubernetes.io/nodeType: main + nodes.home.arpa/type: unstable + nameservers: + - "${IP_HOME_DNS}" + disableSearchDomain: true + networkInterfaces: + - interface: eth0 + mtu: 1500 + dhcp: false + addresses: + - "${IP_ROUTER_VLAN_K8S_PREFIX}3/28" + routes: + - network: "${IP_ROUTER_VLAN_K8S_CIDR}" + metric: 1 + - network: 0.0.0.0/0 + gateway: "${IP_ROUTER_VLAN_K8S}" + vip: + ip: "${IP_CLUSTER_VIP}" + - interface: eth1 + mtu: 9000 + dncp: false + addresses: + - "${IP_PVE_CEPH_PREFIX}6/29" + routes: + - network: "${IP_PVE_CEPH_CIDR}" + metric: 1 + +controlPlane: + patches: + - |- + - op: add + path: /machine/kubelet/extraArgs + value: + feature-gates: CronJobTimeZone=true,GracefulNodeShutdown=true,MixedProtocolLBService=true,EphemeralContainers=true,ServerSideApply=true + - |- + - op: add + path: /cluster/apiServer/extraArgs + value: + feature-gates: CronJobTimeZone=true,GracefulNodeShutdown=true,MixedProtocolLBService=true,EphemeralContainers=true,ServerSideApply=true + # - |- + # - op: add + # path: /cluster/controllerManager/extraArgs + # value: + # node-cidr-mask-size: 22 + - |- + machine: + install: + wipe: true + network: + extraHostEntries: + - ip: "${IP_CLUSTER_VIP}" + aliases: + - "c.${DNS_CLUSTER}" + time: + disabled: false + servers: + - "${IP_ROUTER_VLAN_K8S}" + - "${IP_ROUTER_LAN}" + bootTimeout: 2m0s + kubelet: + nodeIP: + validSubnets: + - "${IP_ROUTER_VLAN_K8S_CIDR}" + + - |- + cluster: + allowSchedulingOnMasters: true + discovery: + enabled: true + registries: + kubernetes: + disabled: false + service: + disabled: true + proxy: + disabled: true + etcd: + advertisedSubnets: + - "${IP_ROUTER_VLAN_K8S_CIDR}" + +worker: + patches: + - |- + - op: add + path: 
/machine/kubelet/extraArgs + value: + feature-gates: CronJobTimeZone=true,GracefulNodeShutdown=true,MixedProtocolLBService=true,EphemeralContainers=true,ServerSideApply=true + # - |- + # - op: add + # path: /cluster/controllerManager/extraArgs + # value: + # node-cidr-mask-size: 22 + - |- + machine: + install: + wipe: true + network: + extraHostEntries: + - ip: "${IP_CLUSTER_VIP}" + aliases: + - "c.${DNS_CLUSTER}" + time: + disabled: false + servers: + - "${IP_ROUTER_VLAN_K8S}" + - "${IP_ROUTER_LAN}" + bootTimeout: 2m0s + - |- + cluster: + allowSchedulingOnMasters: true + discovery: + enabled: true + registries: + kubernetes: + disabled: false + service: + disabled: true + proxy: + disabled: true diff --git a/kube/clusters/biohazard/talos/talsecret.sops.yaml b/kube/clusters/biohazard/talos/talsecret.sops.yaml new file mode 100755 index 00000000..4cfb8e30 --- /dev/null +++ b/kube/clusters/biohazard/talos/talsecret.sops.yaml 
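Review bot: Each node's second interface block sets `dncp: false` (eth1 on thunderscreech, humming and strato) where the eth0 block uses `dhcp: false`; the misspelt key is either silently ignored or rejected depending on how strictly talhelper validates, so the intended `dhcp: false` on the Ceph interface is not guaranteed to take effect, and the fix is the one-character change `dhcp: false` in all three places. The kubelet and apiserver `feature-gates` strings also enable gates such as `ServerSideApply` and `EphemeralContainers` that graduated to GA well before the declared `kubernetesVersion: v1.27.3`, and at least some of those gates have since been removed; a removed gate is rejected as unrecognised by the component it is passed to, so the list is worth checking against the 1.27 feature-gate table rather than carried forward. The file is also added with mode `100755`; a YAML config does not need the executable bit.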
@@ -0,0 +1,45 @@ +cluster: + id: ENC[AES256_GCM,data:AWW6l4Zq4o9cmu7ZgWuhtv1u5+Rh3JtSQa75SIEOll7Wsj0yXce1t7k12GE=,iv:HV/zbB2EJpf5mtq27o870P8FbIMHKPYuB2LK7KlGyag=,tag:Yt3oSvYPPknkqdyEZ6w0Mw==,type:str] + secret: ENC[AES256_GCM,data:csdjYHizHtfUss0KVwxhue8P4oyYJTuAvC799t3xgrj6seR9gENH0SYR53k=,iv:TSWgOe2jpHNqesdvWBDjsnlIby8GVBflSNBPgPe1vME=,tag:XlHgOJSMPZNFhnkTTmc/5A==,type:str] +secrets: + bootstraptoken: ENC[AES256_GCM,data:NIo5x7/wbYwxGabMFXqjR68lb0gHQ00=,iv:ARs+532azj8VHxeoDQLW5xWEJAKhHcpZHB49XzJyL/0=,tag:l+bN780+0SjGsgv/qi9NTQ==,type:str] + secretboxencryptionsecret: ENC[AES256_GCM,data:YtbU4u7OjiEe+OE+jDNgOazSKLX4d0Dy7vHD2rFHAkX00PsP94ubtyohBH8=,iv:0qQ9tAkp1mEaCWjtAoK3aSOMm1ULQJzFqSUxmA8REeo=,tag:1RdI/WpmQlswngsJCumnKQ==,type:str] +trustdinfo: + token: ENC[AES256_GCM,data:BSuaFOLFN0U/GQ/fiia6N8FtdPPNUZA=,iv:4eZuVSWkH1znkoAtlY0dDnQUhtiAUFIMi5TJYCI8Go4=,tag:L9kmiiVwO4z9piTgkwfoMQ==,type:str] +certs: + etcd: + crt: ENC[AES256_GCM,data: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,iv:n5+hhUBZ9d6wrCEI6WorZmYS+ALX6FF8lbV9RJrWz78=,tag:TxgRSw4ZxmGNzFApiPvPgg==,type:str] + key: ENC[AES256_GCM,data:mgsZvF9lBLqAVEg6mutF+u2aY1JMqnclTAHFuSGu7m27XIoA8PcpkvXvCxKmPaBc6jMarQBZ2j0y1YN8KFqWQw4dKQmNkzRH8c9T33Na/zoD0Q71DXdmiYw4/boly8vAvfIIKUfTlMGA94IjkuAABK6xqTjDORNCvhl8PglwTL+Wz2CEBG6LG8jaq3/6JDHJON1tuT4w7CRKq9GyvDr7hm/zXsj7y8nH+79j89D3lxFs0CdBamZZNllt/s5PKzKLl9pu+RuvzkCorozKB+LYIvbLkbc9tT559H0yQwD6dFxFodcuYvLixvUlmHPd2+8m6LARMEqTNvFuPWCp9j+4EVMsdIekkPxh0sWbE5EoZR8n2Mqct7ft0anxROQEQXhJdQnnCQXbdAApFWj/QNCYIA==,iv:h+TPclqdI+ed9+9/puBu/kOI0qVS+mtAI43sHbJB4G0=,tag:w1WsXZLGaMszbNVhH60+PA==,type:str] + k8s: + crt: ENC[AES256_GCM,data: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,iv:RKmJsWoVKt/krl4wzHfAluqhSZ+0w+44NqPjWf1CmAw=,tag:UywGABmGbyz9DqXknYg01g==,type:str] + key: 
ENC[AES256_GCM,data:KxS1No/FIdEr8qr+DYmcIXDU2Hlo1WJOQbnPVblpVMui79752fn3CM7pMwCzVAX2jnTFsgPiKavTAG+wxZ7b148hrCHDaO1X+ISIo29cUbp2zOXrITSabaVvT30LlsmEjDG87apuSjl9VOo209OfIQDy6T73I7277WWNRZseeb0B9RXBHYYwsoJNPtnluDuJlyXjLbJgKIBChpQaydBAxJ8XcwAU36RoAWIr6+GPkEaOO7Md+JKrPG/VZpbwWIXZpLIPFshIEAB52DfgKbIKR2VwyZRe2qEBbH2SWqQLuLUETHj7USEXP3++Xm6uSdcWHqzjo8Cra1cTM59dQ0buIh8O+Ivin/NCcLIXO7+3CKHmxdCAWWUzXWUxx38NHnsw/fa1+csF/tkvK6kjoAzPHQ==,iv:B8lZKqLfl7cbUAyiW2+9RDWR+wZEUR/2bTgPEekpRp8=,tag:TMfZGCUqztTrO5cTGHhfsQ==,type:str] + k8saggregator: + crt: ENC[AES256_GCM,data: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,iv:sqwv+PsbLYDaiRVYPuTmkjIy+Vg4QSmrn/Bpb+byAaU=,tag:9BfVsNU2StmjMIg/HXDLPA==,type:str] + key: ENC[AES256_GCM,data:j7kUBNHQJgedBxJ32RFqfGfr4zdCZn1gU7cIv4sqaaQRHt5U6iQCIv1PY8pvy5+NyOJJC8rrCetoUpeFLohsQgWzCXmXNJglw81cT2cUy8wWwJLG2EdMFaf3NGBn7u4H7VWWooOu2fNlnrTSf8nxDURIWRJKhg1rX+MLIsOZAPUt1y3tuV7YItSsOLaiNdblA8MVloWZqFeFFS/EJ6TFNFO0msbIBQvHLuJaMlzCnpJMTNONHkMsixOIkJUsZQWCCggTnPuZHuE36r7O1dLYwjmRU+y//rj6TEJl6xeepu6UT58qGCbbI1qCFDJomQJWAEJjcSqRz8WMlQpkYBlUamuVKJSEx1CcEC0Lx6OL25R6Eb6Bm/rXmZ69JuSb1RFQi+p1dD2gtOEpWnl/DtJGgw==,iv:GW8smVoDuQU3yxUzkSidoLBB6b0V/0w7EciTdlRCB+Q=,tag:cO7QkC6mg+1dTYNRROnEvg==,type:str] + k8sserviceaccount: + key: ENC[AES256_GCM,data:4q6+DmYqytRp/spZKuxhBYl6LYrBsriZVo4807psBHZm/2OOcVnI58Palbpve9O+zSUl4fho2EqdP4rk+nQnbu+3P0u94QNxP9epzmhuLmdjskCKYn5P0993pXiruF8hiBTmMWbIYhR5crqPbKgjrjlBhgao1qr0i1BA3FxegDLPN+ehhQlcL9vNs5K6OqMdyh46nPNm+vTTemfcI6wdYuBYkrmMFy/g/3LyfJXvSwB6s8GGj230YZ5SAt3Kb0Gmn9O9IA+20bjdFc3lxuPtlDdlck+V4C9hjORnE8FDOFWPgtB+LdmO0c0Kp1j40x5CIY2aEQOx82hhvcQMBZ0oA2GkjKHrizgodSd0jchTbqDSe4qa8avrB5/mxM2fHDO74Q3XYZpcd0l+UZJo54bqfw==,iv:1Whh5UTUlbK7gctkpGQOs3IKxrcP1NOxtK75UQovpl0=,tag:P8PRlPQzzaCiL06BoRVHlQ==,type:str] + os: + crt: ENC[AES256_GCM,data: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,iv:T+HYunjm/5OZ7r15u7/QwRsNOB/ZAOTJ18QBXoqgqdM=,tag:SSzv5IunkgiYpqCNuxtyTA==,type:str] + key: 
ENC[AES256_GCM,data:tQ92q4vh0XNWYMk2cL0gV6BZhcesRiPUmWIoPXRDKVHUsG8gaAxXDNRFApN/7q5BxYSllAy7/Du9RW6Ap0luFQpaRvrZF6jk5mwRedXBzpGtbAkDyrPQm9OBa/v34uZCw5zcqTB5wPiLYaJMmdUDXjd747V5wQBgBzbS5JpOIJXYRj7ZPbEyWdHHDeiwE02+teb25CNHfcRZSDLeSaeWfVoGS7qhIKMblDcf6dp0QMUKxA6e,iv:xnWvidkOS3y38cOSvn2AOU2Ndj5pJIQ3tHLkRkXc+is=,tag:FNZV033ea77ku2HBIIv3/Q==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: [] + lastmodified: "2023-01-27T22:22:26Z" + mac: ENC[AES256_GCM,data:ki34oHeKj6Pj5iLQttO6Mc4kHsPgowLBfo6L9xQ7HBGYFpzS3dQbVSk2veJAeI3g4C5ixak6RiCtnwokUsm8+Ay48lIFFnaiUNq5jyiyp1u3xkFCCTsWE9ZDorFKeX+XrgzttyIxxMCP6z+k2f9r6qB/9aLCpZtBfvQBZrz+lP0=,iv:lIhMBTAfykz6+BthhsTyPynIPkBw0jPNP1M2nyJrXAw=,tag:fVMpz2UGYP8LL7isCyrrWg==,type:str] + pgp: + - created_at: "2023-01-27T22:22:25Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hF4DAAAAAAAAAAASAQdAa6eYQ3sdOzCP/XGmuq+KANM5eVi57M4nnVmj2cDZ3iIw + PBdPbh6EYRDhpxzwmWPxEzq+mJAHJGmRs51N5qjeuXaI6pk/J6maZ1b2LI3E+YMX + 0l4B6beXkzBIG8QU3RDL4h2+zilMO8E4viChKB+gpT8sHybz7BRysf5iyuJi2PCG + a4yC+6dhWjWXBjoEehcXcTnINXyKQMKW7Termn0nrl+u5A4eL4BimagMMFWYFCqu + =JxEq + -----END PGP MESSAGE----- + fp: 31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2 + unencrypted_suffix: _unencrypted + version: 3.7.3 diff --git a/kube/3-deploy/2-apps/README.md b/kube/deploy/apps/README.md similarity index 100% rename from kube/3-deploy/2-apps/README.md rename to kube/deploy/apps/README.md diff --git a/kube/3-deploy/2-apps/atuin/app/hr.yaml b/kube/deploy/apps/atuin/app/hr.yaml similarity index 100% rename from kube/3-deploy/2-apps/atuin/app/hr.yaml rename to kube/deploy/apps/atuin/app/hr.yaml diff --git a/kube/3-deploy/2-apps/atuin/app/secret.yaml b/kube/deploy/apps/atuin/app/secret.yaml similarity index 100% rename from kube/3-deploy/2-apps/atuin/app/secret.yaml rename to kube/deploy/apps/atuin/app/secret.yaml 
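Review bot: The new `talsecret.sops.yaml` is encrypted only to the PGP key `31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2` (`age: []` in the trailing sops block), whereas `secrets.sops.env` and `vars.sops.env` in this same commit carry both that PGP key and the age recipient; the cluster CA keys, bootstrap token and trustd token in this file are therefore recoverable from the repo through one key only, so losing or rotating the PGP key also loses the ability to regenerate machine configs from it. Re-encrypting with `sops updatekeys` against the creation rule that covers the env files would bring it in line. Like `talconfig.yaml`, the file is added with mode `100755` and should be `100644`; the `lastmodified: "2023-01-27T22:22:26Z"` stamp suggests it predates the age recipient being added, which is consistent with the missing recipient.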
diff --git a/kube/3-deploy/2-apps/atuin/ks.yaml b/kube/deploy/apps/atuin/ks.yaml similarity index 56% rename from kube/3-deploy/2-apps/atuin/ks.yaml rename to kube/deploy/apps/atuin/ks.yaml index 4e404c3b..a703c28d 100644 --- a/kube/3-deploy/2-apps/atuin/ks.yaml +++ b/kube/deploy/apps/atuin/ks.yaml @@ -1,5 +1,5 @@ --- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 +apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: atuin-app @@ -7,7 +7,7 @@ metadata: labels: wait.flux.home.arpa/disabled: "true" spec: - path: ./kube/3-deploy/2-apps/atuin/app + path: ./kube/deploy/apps/atuin/app dependsOn: - - name: ${CLUSTER_NAME_LOWER}-1-core-05-ingress-nginx + - name: 1-core-ingress-nginx-app - name: 1-core-db-pg-clusters-default diff --git a/kube/3-deploy/2-apps/atuin/kustomization.yaml b/kube/deploy/apps/atuin/kustomization.yaml similarity index 100% rename from kube/3-deploy/2-apps/atuin/kustomization.yaml rename to kube/deploy/apps/atuin/kustomization.yaml diff --git a/kube/3-deploy/2-apps/atuin/ns.yaml b/kube/deploy/apps/atuin/ns.yaml similarity index 100% rename from kube/3-deploy/2-apps/atuin/ns.yaml rename to kube/deploy/apps/atuin/ns.yaml diff --git a/kube/3-deploy/2-apps/authentik/app/hr.yaml b/kube/deploy/apps/authentik/app/hr.yaml similarity index 100% rename from kube/3-deploy/2-apps/authentik/app/hr.yaml rename to kube/deploy/apps/authentik/app/hr.yaml diff --git a/kube/3-deploy/2-apps/authentik/app/netpol.yaml b/kube/deploy/apps/authentik/app/netpol.yaml similarity index 100% rename from kube/3-deploy/2-apps/authentik/app/netpol.yaml rename to kube/deploy/apps/authentik/app/netpol.yaml diff --git a/kube/3-deploy/2-apps/authentik/app/pg-superuser.yaml b/kube/deploy/apps/authentik/app/pg-superuser.yaml similarity index 100% rename from kube/3-deploy/2-apps/authentik/app/pg-superuser.yaml rename to kube/deploy/apps/authentik/app/pg-superuser.yaml 
diff --git a/kube/3-deploy/2-apps/authentik/app/tls.yaml b/kube/deploy/apps/authentik/app/tls.yaml similarity index 100% rename from kube/3-deploy/2-apps/authentik/app/tls.yaml rename to kube/deploy/apps/authentik/app/tls.yaml diff --git a/kube/3-deploy/2-apps/authentik/ks.yaml b/kube/deploy/apps/authentik/ks.yaml similarity index 55% rename from kube/3-deploy/2-apps/authentik/ks.yaml rename to kube/deploy/apps/authentik/ks.yaml index 7d126583..526fe376 100644 --- a/kube/3-deploy/2-apps/authentik/ks.yaml +++ b/kube/deploy/apps/authentik/ks.yaml @@ -1,28 +1,11 @@ --- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 -kind: Kustomization -metadata: - name: authentik-remote-cluster - namespace: flux-system -spec: - path: ./kube/3-deploy/2-apps/authentik/remote-cluster - dependsOn: - - name: authentik-deps - - name: ${CLUSTER_NAME_LOWER}-1-core-04-dns-internal - - name: ${CLUSTER_NAME_LOWER}-1-core-05-ingress-nginx - healthChecks: - - name: remote-cluster - namespace: authentik - kind: HelmRelease - apiVersion: helm.toolkit.fluxcd.io/v2beta1 ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 +apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: authentik-db namespace: flux-system spec: - path: ./kube/3-deploy/1-core/db/pg/clusters/template + path: ./kube/deploy/core/db/pg/clusters/template dependsOn: - name: 1-core-db-pg-app postBuild: 
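Review bot: Deleting the `authentik-remote-cluster` Kustomization leaves its manifest orphaned — `remote-cluster/hr.yaml` is kept and renamed to `kube/deploy/apps/authentik/remote-cluster/hr.yaml` elsewhere in this patch, but nothing visible here reconciles it anymore. If the remote-cluster HelmRelease is being retired, remove the manifest in the same change (or leave a one-line note in the directory saying why it stays); if it is still needed, it needs a Kustomization again. Separately, `authentik-db` now points at the shared `./kube/deploy/core/db/pg/clusters/template`, which is not obvious from the name; a comment such as `# shared CNPG cluster template, parameterised via postBuild below` above the `path:` line would help.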
@@ -47,25 +30,24 @@ spec: kind: Cluster apiVersion: postgresql.cnpg.io/v1 --- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 +apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: authentik-redis namespace: flux-system spec: - path: ./kube/3-deploy/2-apps/authentik/redis + path: ./kube/deploy/apps/authentik/redis dependsOn: [] --- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 +apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: authentik-app namespace: flux-system spec: - path: ./kube/3-deploy/2-apps/authentik/app + path: ./kube/deploy/apps/authentik/app dependsOn: - - name: ${CLUSTER_NAME_LOWER}-1-core-04-dns-internal - - name: ${CLUSTER_NAME_LOWER}-1-core-05-ingress-nginx + - name: 1-core-ingress-nginx-app - name: authentik-redis - name: authentik-db healthChecks: diff --git a/kube/3-deploy/1-core/db/pg/kustomization.yaml b/kube/deploy/apps/authentik/kustomization.yaml similarity index 100% rename from kube/3-deploy/1-core/db/pg/kustomization.yaml rename to kube/deploy/apps/authentik/kustomization.yaml diff --git a/kube/3-deploy/2-apps/authentik/ns.yaml b/kube/deploy/apps/authentik/ns.yaml similarity index 100% rename from kube/3-deploy/2-apps/authentik/ns.yaml rename to kube/deploy/apps/authentik/ns.yaml diff --git a/kube/3-deploy/2-apps/authentik/redis/hr.yaml b/kube/deploy/apps/authentik/redis/hr.yaml similarity index 100% rename from kube/3-deploy/2-apps/authentik/redis/hr.yaml rename to kube/deploy/apps/authentik/redis/hr.yaml diff --git a/kube/3-deploy/2-apps/authentik/redis/secret-redis.yaml b/kube/deploy/apps/authentik/redis/secret-redis.yaml similarity index 100% rename from kube/3-deploy/2-apps/authentik/redis/secret-redis.yaml rename to kube/deploy/apps/authentik/redis/secret-redis.yaml 
diff --git a/kube/3-deploy/2-apps/authentik/remote-cluster/hr.yaml b/kube/deploy/apps/authentik/remote-cluster/hr.yaml similarity index 100% rename from kube/3-deploy/2-apps/authentik/remote-cluster/hr.yaml rename to kube/deploy/apps/authentik/remote-cluster/hr.yaml diff --git a/kube/3-deploy/2-apps/authentik/repo.yaml b/kube/deploy/apps/authentik/repo.yaml similarity index 100% rename from kube/3-deploy/2-apps/authentik/repo.yaml rename to kube/deploy/apps/authentik/repo.yaml diff --git a/kube/3-deploy/2-apps/default/deps/namespace.yaml b/kube/deploy/apps/default/deps/namespace.yaml similarity index 100% rename from kube/3-deploy/2-apps/default/deps/namespace.yaml rename to kube/deploy/apps/default/deps/namespace.yaml diff --git a/kube/3-deploy/2-apps/default/deps/tls.yaml b/kube/deploy/apps/default/deps/tls.yaml similarity index 100% rename from kube/3-deploy/2-apps/default/deps/tls.yaml rename to kube/deploy/apps/default/deps/tls.yaml diff --git a/kube/deploy/apps/default/ks.yaml b/kube/deploy/apps/default/ks.yaml new file mode 100644 index 00000000..32ab5c76 --- /dev/null +++ b/kube/deploy/apps/default/ks.yaml @@ -0,0 +1,10 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: default-deps + namespace: flux-system +spec: + path: ./kube/deploy/apps/default/deps + dependsOn: + - name: 1-core-tls-cert-manager-config diff --git a/kube/3-deploy/1-core/05-ingress/cloudflare/kustomization.yaml b/kube/deploy/apps/default/kustomization.yaml similarity index 100% rename from kube/3-deploy/1-core/05-ingress/cloudflare/kustomization.yaml rename to kube/deploy/apps/default/kustomization.yaml diff --git a/kube/3-deploy/2-apps/dns/README.org b/kube/deploy/apps/dns/README.org similarity index 100% rename from kube/3-deploy/2-apps/dns/README.org rename to kube/deploy/apps/dns/README.org 
diff --git a/kube/3-deploy/2-apps/dns/dnsdist/install.yaml b/kube/deploy/apps/dns/dnsdist/app/hr.yaml similarity index 100% rename from kube/3-deploy/2-apps/dns/dnsdist/install.yaml rename to kube/deploy/apps/dns/dnsdist/app/hr.yaml diff --git a/kube/deploy/apps/dns/dnsdist/ks.yaml b/kube/deploy/apps/dns/dnsdist/ks.yaml new file mode 100644 index 00000000..8af2d300 --- /dev/null +++ b/kube/deploy/apps/dns/dnsdist/ks.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: dns-dnsdist-app + namespace: flux-system +spec: + path: ./kube/deploy/apps/dns/dnsdist/app + dependsOn: [] \ No newline at end of file diff --git a/kube/3-deploy/1-core/05-ingress/external-proxy-x/kustomization.yaml b/kube/deploy/apps/dns/dnsdist/kustomization.yaml similarity index 100% rename from kube/3-deploy/1-core/05-ingress/external-proxy-x/kustomization.yaml rename to kube/deploy/apps/dns/dnsdist/kustomization.yaml diff --git a/kube/3-deploy/2-apps/elk/app/hr.yaml b/kube/deploy/apps/elk/app/hr.yaml similarity index 100% rename from kube/3-deploy/2-apps/elk/app/hr.yaml rename to kube/deploy/apps/elk/app/hr.yaml diff --git a/kube/3-deploy/2-apps/elk/app/pvc.yaml b/kube/deploy/apps/elk/app/pvc.yaml similarity index 100% rename from kube/3-deploy/2-apps/elk/app/pvc.yaml rename to kube/deploy/apps/elk/app/pvc.yaml diff --git a/kube/3-deploy/2-apps/elk/app/volsync.yaml b/kube/deploy/apps/elk/app/volsync.yaml similarity index 100% rename from kube/3-deploy/2-apps/elk/app/volsync.yaml rename to kube/deploy/apps/elk/app/volsync.yaml diff --git a/kube/deploy/apps/elk/ks.yaml b/kube/deploy/apps/elk/ks.yaml new file mode 100644 index 00000000..0b8f7c56 --- /dev/null +++ b/kube/deploy/apps/elk/ks.yaml 
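Review bot: The new `dnsdist/ks.yaml` ends without a trailing newline (`\ No newline at end of file`); the new `gokapi/ks.yaml`, `jellyfin/app/kustomization.yaml`, `jellyfin/ks.yaml` and `kubevirt/kustomization.yaml` hunks later in this patch have the same issue. YAML parsers do not mind, but the next edit to any of these files will produce a noisy diff, so adding the newline (or an end-of-file pre-commit check) keeps them consistent with the rest of the tree. `dependsOn: []` with no `healthChecks` also differs from the sibling Kustomizations in this patch; a comment like `# no deps: dnsdist must come up before cluster DNS` (reason to be confirmed) would explain the choice.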
@@ -0,0 +1,14 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: elk-app + namespace: flux-system + labels: + wait.flux.home.arpa/disabled: "true" +spec: + path: ./kube/deploy/apps/elk/app + dependsOn: + - name: 1-core-storage-rook-ceph-cluster + - name: 1-core-ingress-nginx-app + - name: 1-core-storage-volsync-app diff --git a/kube/3-deploy/1-core/06-monitoring/1-deps/kustomization.yaml b/kube/deploy/apps/elk/kustomization.yaml similarity index 100% rename from kube/3-deploy/1-core/06-monitoring/1-deps/kustomization.yaml rename to kube/deploy/apps/elk/kustomization.yaml diff --git a/kube/3-deploy/2-apps/excalidraw/app/hr.yaml b/kube/deploy/apps/excalidraw/app/hr.yaml similarity index 100% rename from kube/3-deploy/2-apps/excalidraw/app/hr.yaml rename to kube/deploy/apps/excalidraw/app/hr.yaml diff --git a/kube/3-deploy/2-apps/excalidraw/deps/namespace.yaml b/kube/deploy/apps/excalidraw/deps/namespace.yaml similarity index 100% rename from kube/3-deploy/2-apps/excalidraw/deps/namespace.yaml rename to kube/deploy/apps/excalidraw/deps/namespace.yaml diff --git a/kube/deploy/apps/excalidraw/ks.yaml b/kube/deploy/apps/excalidraw/ks.yaml new file mode 100644 index 00000000..5e97ea35 --- /dev/null +++ b/kube/deploy/apps/excalidraw/ks.yaml @@ -0,0 +1,26 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: excalidraw-deps + namespace: flux-system +spec: + path: ./kube/deploy/apps/excalidraw/deps + dependsOn: + - name: 1-core-tls-cert-manager-config +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: excalidraw-app + namespace: flux-system +spec: + path: ./kube/deploy/apps/excalidraw/app + dependsOn: + - name: excalidraw-deps + - name: 1-core-ingress-nginx-app + healthChecks: + - name: excalidraw + namespace: excalidraw + kind: HelmRelease + apiVersion: helm.toolkit.fluxcd.io/v2beta1 
diff --git a/kube/3-deploy/1-core/06-monitoring/node-exporter/kustomization.yaml b/kube/deploy/apps/excalidraw/kustomization.yaml similarity index 100% rename from kube/3-deploy/1-core/06-monitoring/node-exporter/kustomization.yaml rename to kube/deploy/apps/excalidraw/kustomization.yaml diff --git a/kube/deploy/apps/flux-system/ks.yaml b/kube/deploy/apps/flux-system/ks.yaml new file mode 100644 index 00000000..f95ad2e4 --- /dev/null +++ b/kube/deploy/apps/flux-system/ks.yaml @@ -0,0 +1,12 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: zzz-flux-webhook + namespace: flux-system +spec: + path: ./kube/deploy/apps/flux-system/webhook + dependsOn: + - name: 1-core-ingress-cloudflare-tunnel + - name: 1-core-dns-external-dns-app + - name: 1-core-ingress-nginx-app diff --git a/kube/3-deploy/2-apps/default/kustomization.yaml b/kube/deploy/apps/flux-system/kustomization.yaml similarity index 100% rename from kube/3-deploy/2-apps/default/kustomization.yaml rename to kube/deploy/apps/flux-system/kustomization.yaml diff --git a/kube/3-deploy/2-apps/flux-system/webhook/ingress.yaml b/kube/deploy/apps/flux-system/webhook/ingress.yaml similarity index 100% rename from kube/3-deploy/2-apps/flux-system/webhook/ingress.yaml rename to kube/deploy/apps/flux-system/webhook/ingress.yaml diff --git a/kube/3-deploy/2-apps/flux-system/webhook/receiver.yaml b/kube/deploy/apps/flux-system/webhook/receiver.yaml similarity index 100% rename from kube/3-deploy/2-apps/flux-system/webhook/receiver.yaml rename to kube/deploy/apps/flux-system/webhook/receiver.yaml diff --git a/kube/3-deploy/2-apps/flux-system/webhook/secret-token.yaml b/kube/deploy/apps/flux-system/webhook/secret-token.yaml similarity index 100% rename from kube/3-deploy/2-apps/flux-system/webhook/secret-token.yaml rename to kube/deploy/apps/flux-system/webhook/secret-token.yaml 
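Review bot: The name `zzz-flux-webhook` reads as a sort-order hack rather than a descriptive name, and nothing in the file says why; a comment such as `# zzz- prefix: reconcile last, after tunnel, external-dns and ingress` would record the intent. If ordering is the only reason, the `dependsOn` list already enforces it and the prefix could be dropped. This Kustomization appears to publish the Flux webhook receiver through the Cloudflare tunnel and external-dns it depends on, so the token in `webhook/secret-token.yaml` is presumably the only thing gating inbound reconcile requests — worth stating in that comment so the exposure is documented.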
diff --git a/kube/3-deploy/2-apps/gokapi/2-install.yaml b/kube/deploy/apps/gokapi/app/hr.yaml similarity index 85% rename from kube/3-deploy/2-apps/gokapi/2-install.yaml rename to kube/deploy/apps/gokapi/app/hr.yaml index 04d03f98..438e5c11 100644 --- a/kube/3-deploy/2-apps/gokapi/2-install.yaml +++ b/kube/deploy/apps/gokapi/app/hr.yaml @@ -4,9 +4,15 @@ kind: HelmRelease metadata: name: gokapi namespace: gokapi - labels: - helm.flux.home.arpa/app-template: "true" spec: + chart: + spec: + chart: app-template + version: 1.5.1 + sourceRef: + name: bjw-s + kind: HelmRepository + namespace: flux-system values: controller: strategy: RollingUpdate diff --git a/kube/3-deploy/2-apps/gokapi/netpol.yaml b/kube/deploy/apps/gokapi/app/netpol.yaml similarity index 100% rename from kube/3-deploy/2-apps/gokapi/netpol.yaml rename to kube/deploy/apps/gokapi/app/netpol.yaml diff --git a/kube/deploy/apps/gokapi/ks.yaml b/kube/deploy/apps/gokapi/ks.yaml new file mode 100644 index 00000000..6f1b4b52 --- /dev/null +++ b/kube/deploy/apps/gokapi/ks.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: gokapi-app + namespace: flux-system +spec: + path: ./kube/deploy/apps/gokapi/app + dependsOn: + - name: 1-core-ingress-nginx-app + - name: 1-core-storage-rook-ceph-cluster \ No newline at end of file diff --git a/kube/3-deploy/2-apps/gotosocial/kustomization.yaml b/kube/deploy/apps/gokapi/kustomization.yaml similarity index 100% rename from kube/3-deploy/2-apps/gotosocial/kustomization.yaml rename to kube/deploy/apps/gokapi/kustomization.yaml diff --git a/kube/3-deploy/2-apps/gokapi/1-namespace.yaml b/kube/deploy/apps/gokapi/ns.yaml similarity index 100% rename from kube/3-deploy/2-apps/gokapi/1-namespace.yaml rename to kube/deploy/apps/gokapi/ns.yaml 
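Review bot: The gokapi HelmRelease inlines the app-template chart spec but, unlike the jellyfin, kavita and kanidm hunks in this same patch, does not add `automountServiceAccountToken: false` under `values:`. If gokapi does not need the Kubernetes API, add `  automountServiceAccountToken: false` as the first line under `values:` so the pod is not handed a service-account token it never uses; if it does need one, a comment saying so would stop the next reviewer from asking. The HelmRelease body continues outside the hunk.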
diff --git a/kube/3-deploy/2-apps/gotosocial/app/hr.yaml b/kube/deploy/apps/gotosocial/app/hr.yaml similarity index 96% rename from kube/3-deploy/2-apps/gotosocial/app/hr.yaml rename to kube/deploy/apps/gotosocial/app/hr.yaml index ea1e4a30..47d861de 100644 --- a/kube/3-deploy/2-apps/gotosocial/app/hr.yaml +++ b/kube/deploy/apps/gotosocial/app/hr.yaml @@ -27,7 +27,7 @@ spec: ingress.home.arpa/nginx: "allow" ingress.home.arpa/cloudflare: "allow" db.home.arpa/pg: "pg-default" - s3.home.arpa/store: "rgw-${CLUSTER_NAME_LOWER}" + s3.home.arpa/store: "rgw-${CLUSTER_NAME}" env: TZ: "${CONFIG_TZ}" GTS_APPLICATION_NAME: "The JJGadgets Hut" @@ -43,7 +43,7 @@ spec: GTS_STORAGE_BACKEND: "s3" GTS_STORAGE_S3_PROXY: "true" GTS_STORAGE_S3_USE_SSL: "false" - GTS_STORAGE_S3_ENDPOINT: "rook-ceph-rgw-${CLUSTER_NAME_LOWER}.rook-ceph.svc.cluster.local.:6953" + GTS_STORAGE_S3_ENDPOINT: "rook-ceph-rgw-${CLUSTER_NAME}.rook-ceph.svc.cluster.local.:6953" GTS_STORAGE_S3_BUCKET: "gotosocial-media" GTS_STORAGE_S3_ACCESS_KEY: valueFrom: diff --git a/kube/3-deploy/2-apps/gotosocial/deps/nfs.yaml b/kube/deploy/apps/gotosocial/deps/nfs.yaml similarity index 100% rename from kube/3-deploy/2-apps/gotosocial/deps/nfs.yaml rename to kube/deploy/apps/gotosocial/deps/nfs.yaml diff --git a/kube/3-deploy/2-apps/gotosocial/deps/s3.yaml b/kube/deploy/apps/gotosocial/deps/s3.yaml similarity index 77% rename from kube/3-deploy/2-apps/gotosocial/deps/s3.yaml rename to kube/deploy/apps/gotosocial/deps/s3.yaml index 88440b30..fbb183c7 100644 --- a/kube/3-deploy/2-apps/gotosocial/deps/s3.yaml +++ b/kube/deploy/apps/gotosocial/deps/s3.yaml @@ -6,4 +6,4 @@ metadata: namespace: gotosocial spec: bucketName: "gotosocial-media" - storageClassName: "rgw-${CLUSTER_NAME_LOWER}" + storageClassName: "rgw-${CLUSTER_NAME}" 
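Review bot: Replacing `${CLUSTER_NAME_LOWER}` with `${CLUSTER_NAME}` in the `s3.home.arpa/store` label, the `GTS_STORAGE_S3_ENDPOINT` hostname and `storageClassName` in `deps/s3.yaml` is only safe if `CLUSTER_NAME` is guaranteed lowercase — `rook-ceph-rgw-${CLUSTER_NAME}` is a Service name and `rgw-${CLUSTER_NAME}` a StorageClass name, both of which must be lowercase DNS labels, which is presumably why the `_LOWER` variant existed. The substituted value is not visible in this patch, so either confirm it or keep `_LOWER` here. A comment next to the endpoint, e.g. `# CLUSTER_NAME must be lowercase: used as Service/StorageClass name`, would document the constraint.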
diff --git a/kube/3-deploy/2-apps/gotosocial/deps/secret-oidc.yaml b/kube/deploy/apps/gotosocial/deps/secret-oidc.yaml similarity index 100% rename from kube/3-deploy/2-apps/gotosocial/deps/secret-oidc.yaml rename to kube/deploy/apps/gotosocial/deps/secret-oidc.yaml diff --git a/kube/3-deploy/2-apps/gotosocial/deps/secret-pg.yaml b/kube/deploy/apps/gotosocial/deps/secret-pg.yaml similarity index 100% rename from kube/3-deploy/2-apps/gotosocial/deps/secret-pg.yaml rename to kube/deploy/apps/gotosocial/deps/secret-pg.yaml diff --git a/kube/3-deploy/2-apps/gotosocial/deps/tls.yaml b/kube/deploy/apps/gotosocial/deps/tls.yaml similarity index 100% rename from kube/3-deploy/2-apps/gotosocial/deps/tls.yaml rename to kube/deploy/apps/gotosocial/deps/tls.yaml diff --git a/kube/3-deploy/2-apps/gotosocial/ks.yaml b/kube/deploy/apps/gotosocial/ks.yaml similarity index 52% rename from kube/3-deploy/2-apps/gotosocial/ks.yaml rename to kube/deploy/apps/gotosocial/ks.yaml index 76f5da0c..94034df2 100644 --- a/kube/3-deploy/2-apps/gotosocial/ks.yaml +++ b/kube/deploy/apps/gotosocial/ks.yaml @@ -1,5 +1,5 @@ --- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 +apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: gotosocial-deps @@ -8,11 +8,11 @@ metadata: wait.flux.home.arpa/disabled: "false" wait.flux.home.arpa/enabled: "true" spec: - path: ./kube/3-deploy/2-apps/gotosocial/deps + path: ./kube/deploy/apps/gotosocial/deps dependsOn: [] wait: true --- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 +apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: gotosocial-app 
@@ -20,11 +20,10 @@ metadata: labels: wait.flux.home.arpa/disabled: "true" spec: - path: ./kube/3-deploy/2-apps/gotosocial/app + path: ./kube/deploy/apps/gotosocial/app dependsOn: - name: gotosocial-deps - - name: ${CLUSTER_NAME_LOWER}-1-core-02-storage-rook-ceph - - name: ${CLUSTER_NAME_LOWER}-1-core-04-dns-internal - - name: ${CLUSTER_NAME_LOWER}-1-core-05-ingress-nginx - - name: cloudflare-tunnel + - name: 1-core-storage-rook-ceph-cluster + - name: 1-core-ingress-nginx-app + - name: 1-core-ingress-cloudflare-tunnel - name: 1-core-db-pg-clusters-default diff --git a/kube/3-deploy/2-apps/headscale/kustomization.yaml b/kube/deploy/apps/gotosocial/kustomization.yaml similarity index 100% rename from kube/3-deploy/2-apps/headscale/kustomization.yaml rename to kube/deploy/apps/gotosocial/kustomization.yaml diff --git a/kube/3-deploy/2-apps/gotosocial/ns.yaml b/kube/deploy/apps/gotosocial/ns.yaml similarity index 100% rename from kube/3-deploy/2-apps/gotosocial/ns.yaml rename to kube/deploy/apps/gotosocial/ns.yaml diff --git a/kube/3-deploy/2-apps/headscale/app/hr.yaml b/kube/deploy/apps/headscale/app/hr.yaml similarity index 100% rename from kube/3-deploy/2-apps/headscale/app/hr.yaml rename to kube/deploy/apps/headscale/app/hr.yaml diff --git a/kube/3-deploy/2-apps/headscale/app/netpol.yaml b/kube/deploy/apps/headscale/app/netpol.yaml similarity index 100% rename from kube/3-deploy/2-apps/headscale/app/netpol.yaml rename to kube/deploy/apps/headscale/app/netpol.yaml diff --git a/kube/3-deploy/2-apps/headscale/app/secrets.yaml b/kube/deploy/apps/headscale/app/secrets.yaml similarity index 100% rename from kube/3-deploy/2-apps/headscale/app/secrets.yaml rename to kube/deploy/apps/headscale/app/secrets.yaml diff --git a/kube/3-deploy/2-apps/headscale/app/tls.yaml b/kube/deploy/apps/headscale/app/tls.yaml similarity index 100% rename from kube/3-deploy/2-apps/headscale/app/tls.yaml rename to kube/deploy/apps/headscale/app/tls.yaml 
diff --git a/kube/3-deploy/2-apps/headscale/ks.yaml b/kube/deploy/apps/headscale/ks.yaml similarity index 57% rename from kube/3-deploy/2-apps/headscale/ks.yaml rename to kube/deploy/apps/headscale/ks.yaml index f2444f06..ead2a806 100644 --- a/kube/3-deploy/2-apps/headscale/ks.yaml +++ b/kube/deploy/apps/headscale/ks.yaml @@ -1,14 +1,13 @@ --- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 +apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: headscale-app namespace: flux-system spec: - path: ./kube/3-deploy/2-apps/headscale/app + path: ./kube/deploy/apps/headscale/app dependsOn: - - name: ${CLUSTER_NAME_LOWER}-1-core-04-dns-internal - - name: ${CLUSTER_NAME_LOWER}-1-core-05-ingress-nginx + - name: 1-core-ingress-nginx-app - name: 1-core-db-pg-clusters-default healthChecks: - name: headscale diff --git a/kube/3-deploy/2-apps/kah/kustomization.yaml b/kube/deploy/apps/headscale/kustomization.yaml similarity index 100% rename from kube/3-deploy/2-apps/kah/kustomization.yaml rename to kube/deploy/apps/headscale/kustomization.yaml diff --git a/kube/3-deploy/2-apps/headscale/ns.yaml b/kube/deploy/apps/headscale/ns.yaml similarity index 100% rename from kube/3-deploy/2-apps/headscale/ns.yaml rename to kube/deploy/apps/headscale/ns.yaml diff --git a/kube/3-deploy/2-apps/jellyfin/2-nfs.yaml b/kube/deploy/apps/jellyfin/app/_nfs.yaml similarity index 100% rename from kube/3-deploy/2-apps/jellyfin/2-nfs.yaml rename to kube/deploy/apps/jellyfin/app/_nfs.yaml diff --git a/kube/3-deploy/2-apps/jellyfin/3-install.yaml b/kube/deploy/apps/jellyfin/app/hr.yaml similarity index 88% rename from kube/3-deploy/2-apps/jellyfin/3-install.yaml rename to kube/deploy/apps/jellyfin/app/hr.yaml index 022ead1b..605615d0 100644 --- a/kube/3-deploy/2-apps/jellyfin/3-install.yaml +++ b/kube/deploy/apps/jellyfin/app/hr.yaml 
@@ -4,10 +4,17 @@ kind: HelmRelease metadata: name: jellyfin namespace: jellyfin - labels: - helm.flux.home.arpa/app-template: "true" spec: + chart: + spec: + chart: app-template + version: 1.5.1 + sourceRef: + name: bjw-s + kind: HelmRepository + namespace: flux-system values: + automountServiceAccountToken: false controller: type: statefulset image: diff --git a/kube/3-deploy/1-core/03-certs/cert-manager/app/kustomization.yaml b/kube/deploy/apps/jellyfin/app/kustomization.yaml similarity index 56% rename from kube/3-deploy/1-core/03-certs/cert-manager/app/kustomization.yaml rename to kube/deploy/apps/jellyfin/app/kustomization.yaml index 6c69d8b4..1f9e3f41 100644 --- a/kube/3-deploy/1-core/03-certs/cert-manager/app/kustomization.yaml +++ b/kube/deploy/apps/jellyfin/app/kustomization.yaml @@ -2,6 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - 1-namespace.yaml - - 2-install.yaml - - 3-issuer.yaml + - _nfs.yaml + - hr.yaml + # - netpol.yaml + - volsync.yaml \ No newline at end of file diff --git a/kube/3-deploy/2-apps/jellyfin/volsync.yaml b/kube/deploy/apps/jellyfin/app/volsync.yaml similarity index 100% rename from kube/3-deploy/2-apps/jellyfin/volsync.yaml rename to kube/deploy/apps/jellyfin/app/volsync.yaml diff --git a/kube/deploy/apps/jellyfin/ks.yaml b/kube/deploy/apps/jellyfin/ks.yaml new file mode 100644 index 00000000..cc7b04c0 --- /dev/null +++ b/kube/deploy/apps/jellyfin/ks.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: jellyfin-app + namespace: flux-system +spec: + path: ./kube/deploy/apps/jellyfin/app + dependsOn: + - name: 1-core-storage-rook-ceph-cluster + - name: 1-core-ingress-nginx-app + - name: 1-core-hardware-intel-device-plugins-app + - name: 1-core-storage-volsync-app \ No newline at end of file 
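Review bot: `# - netpol.yaml` in the jellyfin `app/kustomization.yaml` leaves the workload without a network policy while still listing the file; the kavita `app/kustomization.yaml` hunk later in this patch does the same. If this is temporary, add the reason and the condition for re-enabling it, e.g. `# - netpol.yaml  # disabled: <reason>, re-enable when <condition>` (placeholders), so the gap stays visible; if it is permanent, drop the line. Whether this changes actual exposure depends on the cluster's default policy, which is not visible here.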
diff --git a/kube/3-deploy/2-apps/miniflux/kustomization.yaml b/kube/deploy/apps/jellyfin/kustomization.yaml similarity index 100% rename from kube/3-deploy/2-apps/miniflux/kustomization.yaml rename to kube/deploy/apps/jellyfin/kustomization.yaml diff --git a/kube/3-deploy/2-apps/jellyfin/1-namespace.yaml b/kube/deploy/apps/jellyfin/ns.yaml similarity index 100% rename from kube/3-deploy/2-apps/jellyfin/1-namespace.yaml rename to kube/deploy/apps/jellyfin/ns.yaml diff --git a/kube/3-deploy/2-apps/kah/deps/tls.yaml b/kube/deploy/apps/kah/deps/tls.yaml similarity index 100% rename from kube/3-deploy/2-apps/kah/deps/tls.yaml rename to kube/deploy/apps/kah/deps/tls.yaml diff --git a/kube/3-deploy/2-apps/kah/inspircd/hr.yaml b/kube/deploy/apps/kah/inspircd/hr.yaml similarity index 100% rename from kube/3-deploy/2-apps/kah/inspircd/hr.yaml rename to kube/deploy/apps/kah/inspircd/hr.yaml diff --git a/kube/3-deploy/2-apps/kah/inspircd/netpol.yaml b/kube/deploy/apps/kah/inspircd/netpol.yaml similarity index 100% rename from kube/3-deploy/2-apps/kah/inspircd/netpol.yaml rename to kube/deploy/apps/kah/inspircd/netpol.yaml diff --git a/kube/3-deploy/2-apps/kah/ks.yaml b/kube/deploy/apps/kah/ks.yaml similarity index 51% rename from kube/3-deploy/2-apps/kah/ks.yaml rename to kube/deploy/apps/kah/ks.yaml index e407affe..4978e5f9 100644 --- a/kube/3-deploy/2-apps/kah/ks.yaml +++ b/kube/deploy/apps/kah/ks.yaml 
@@ -1,23 +1,23 @@ --- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 +apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: kah-deps namespace: flux-system spec: - path: ./kube/3-deploy/2-apps/kah/deps + path: ./kube/deploy/apps/kah/deps dependsOn: - - name: ${CLUSTER_NAME_LOWER}-1-core-03-certs-cert-manager + - name: 1-core-tls-cert-manager-config --- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 +apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: kah-irc namespace: flux-system spec: - path: ./kube/3-deploy/2-apps/kah/inspircd + path: ./kube/deploy/apps/kah/inspircd dependsOn: - - name: ${CLUSTER_NAME_LOWER}-1-core-04-dns-internal + - name: kah-deps healthChecks: - name: inspircd namespace: kah diff --git a/kube/3-deploy/2-apps/ntfy/kustomization.yaml b/kube/deploy/apps/kah/kustomization.yaml similarity index 100% rename from kube/3-deploy/2-apps/ntfy/kustomization.yaml rename to kube/deploy/apps/kah/kustomization.yaml diff --git a/kube/3-deploy/2-apps/kah/ns.yaml b/kube/deploy/apps/kah/ns.yaml similarity index 100% rename from kube/3-deploy/2-apps/kah/ns.yaml rename to kube/deploy/apps/kah/ns.yaml diff --git a/kube/3-deploy/2-apps/kanidm/app/hr.yaml b/kube/deploy/apps/kanidm/app/hr.yaml similarity index 98% rename from kube/3-deploy/2-apps/kanidm/app/hr.yaml rename to kube/deploy/apps/kanidm/app/hr.yaml index 1872ac97..f1395f69 100644 --- a/kube/3-deploy/2-apps/kanidm/app/hr.yaml +++ b/kube/deploy/apps/kanidm/app/hr.yaml @@ -8,12 +8,13 @@ spec: chart: spec: chart: app-template - version: 1.3.2 + version: 1.5.1 sourceRef: - kind: HelmRepository name: bjw-s + kind: HelmRepository namespace: flux-system values: + automountServiceAccountToken: false controller: type: statefulset image: diff --git a/kube/3-deploy/2-apps/kanidm/app/netpol.yaml b/kube/deploy/apps/kanidm/app/netpol.yaml similarity index 100% rename from kube/3-deploy/2-apps/kanidm/app/netpol.yaml rename to kube/deploy/apps/kanidm/app/netpol.yaml 
diff --git a/kube/3-deploy/2-apps/kanidm/app/volsync.yaml b/kube/deploy/apps/kanidm/app/volsync.yaml similarity index 100% rename from kube/3-deploy/2-apps/kanidm/app/volsync.yaml rename to kube/deploy/apps/kanidm/app/volsync.yaml diff --git a/kube/3-deploy/2-apps/kanidm/deps/namespace.yaml b/kube/deploy/apps/kanidm/deps/namespace.yaml similarity index 100% rename from kube/3-deploy/2-apps/kanidm/deps/namespace.yaml rename to kube/deploy/apps/kanidm/deps/namespace.yaml diff --git a/kube/3-deploy/2-apps/kanidm/deps/tls.yaml b/kube/deploy/apps/kanidm/deps/tls.yaml similarity index 100% rename from kube/3-deploy/2-apps/kanidm/deps/tls.yaml rename to kube/deploy/apps/kanidm/deps/tls.yaml diff --git a/kube/deploy/apps/kanidm/ks.yaml b/kube/deploy/apps/kanidm/ks.yaml new file mode 100644 index 00000000..bf34ba0d --- /dev/null +++ b/kube/deploy/apps/kanidm/ks.yaml @@ -0,0 +1,28 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: kanidm-deps + namespace: flux-system +spec: + path: ./kube/deploy/apps/kanidm/deps + dependsOn: + - name: 1-core-tls-cert-manager-config +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: kanidm-app + namespace: flux-system +spec: + path: ./kube/deploy/apps/kanidm/app + dependsOn: + - name: kanidm-deps + - name: 1-core-storage-rook-ceph-cluster + - name: 1-core-ingress-nginx-app + #- name: 1-core-storage-volsync-app + healthChecks: + - name: kanidm + namespace: kanidm + kind: HelmRelease + apiVersion: helm.toolkit.fluxcd.io/v2beta1 diff --git a/kube/3-deploy/2-apps/elk/kustomization.yaml b/kube/deploy/apps/kanidm/kustomization.yaml similarity index 100% rename from kube/3-deploy/2-apps/elk/kustomization.yaml rename to kube/deploy/apps/kanidm/kustomization.yaml diff --git a/kube/3-deploy/2-apps/kavita/2-nfs.yaml b/kube/deploy/apps/kavita/app/_nfs.yaml similarity index 100% rename from kube/3-deploy/2-apps/kavita/2-nfs.yaml rename to kube/deploy/apps/kavita/app/_nfs.yaml 
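Review bot: `#- name: 1-core-storage-volsync-app` is commented out while `kanidm/app/volsync.yaml` is kept (renamed in this patch); if that file is still included by the app kustomization, the VolSync resources would be applied without waiting for the VolSync operator and the reconcile could fail on a missing CRD. Either remove the volsync manifest from the app kustomization alongside this change, or restore the dependency. A short comment explaining why it is disabled, e.g. `#- name: 1-core-storage-volsync-app  # disabled: <reason>` (placeholder), would make the intent clear.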
diff --git a/kube/3-deploy/2-apps/kavita/3-install.yaml b/kube/deploy/apps/kavita/app/hr.yaml similarity index 84% rename from kube/3-deploy/2-apps/kavita/3-install.yaml rename to kube/deploy/apps/kavita/app/hr.yaml index 3f96618e..1a82516f 100644 --- a/kube/3-deploy/2-apps/kavita/3-install.yaml +++ b/kube/deploy/apps/kavita/app/hr.yaml @@ -4,10 +4,17 @@ kind: HelmRelease metadata: name: kavita namespace: kavita - labels: - helm.flux.home.arpa/app-template: "true" spec: + chart: + spec: + chart: app-template + version: 1.5.1 + sourceRef: + name: bjw-s + kind: HelmRepository + namespace: flux-system values: + automountServiceAccountToken: false controller: type: statefulset image: diff --git a/kube/3-deploy/2-apps/jellyfin/kustomization.yaml b/kube/deploy/apps/kavita/app/kustomization.yaml similarity index 63% rename from kube/3-deploy/2-apps/jellyfin/kustomization.yaml rename to kube/deploy/apps/kavita/app/kustomization.yaml index 7386a88c..5f95cd42 100644 --- a/kube/3-deploy/2-apps/jellyfin/kustomization.yaml +++ b/kube/deploy/apps/kavita/app/kustomization.yaml @@ -2,7 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - 1-namespace.yaml - - 2-nfs.yaml - - 3-install.yaml + - _nfs.yaml + - hr.yaml + # - netpol.yaml - volsync.yaml diff --git a/kube/3-deploy/2-apps/kavita/volsync.yaml b/kube/deploy/apps/kavita/app/volsync.yaml similarity index 100% rename from kube/3-deploy/2-apps/kavita/volsync.yaml rename to kube/deploy/apps/kavita/app/volsync.yaml diff --git a/kube/deploy/apps/kavita/ks.yaml b/kube/deploy/apps/kavita/ks.yaml new file mode 100644 index 00000000..8ec253a4 --- /dev/null +++ b/kube/deploy/apps/kavita/ks.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: kavita-app + namespace: flux-system +spec: + path: ./kube/deploy/apps/kavita/app + dependsOn: + - name: 1-core-storage-rook-ceph-cluster + - name: 1-core-ingress-nginx-app 
diff --git a/kube/3-deploy/2-apps/satisfactory/kustomization.yaml b/kube/deploy/apps/kavita/kustomization.yaml similarity index 100% rename from kube/3-deploy/2-apps/satisfactory/kustomization.yaml rename to kube/deploy/apps/kavita/kustomization.yaml diff --git a/kube/3-deploy/2-apps/kavita/1-namespace.yaml b/kube/deploy/apps/kavita/ns.yaml similarity index 100% rename from kube/3-deploy/2-apps/kavita/1-namespace.yaml rename to kube/deploy/apps/kavita/ns.yaml diff --git a/kube/3-deploy/2-apps/kubevirt/2-install/2-cr.yaml b/kube/deploy/apps/kubevirt/cr.yaml similarity index 90% rename from kube/3-deploy/2-apps/kubevirt/2-install/2-cr.yaml rename to kube/deploy/apps/kubevirt/cr.yaml index 6a9a50e6..1da46252 100644 --- a/kube/3-deploy/2-apps/kubevirt/2-install/2-cr.yaml +++ b/kube/deploy/apps/kubevirt/cr.yaml @@ -1,5 +1,5 @@ --- -apiVersion: source.toolkit.fluxcd.io/v1beta2 +apiVersion: source.toolkit.fluxcd.io/v1 kind: GitRepository metadata: name: kubevirt-cr @@ -17,7 +17,7 @@ spec: # include CR !/kubevirt-cr.yaml --- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 +apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: kubevirt-cr diff --git a/kube/3-deploy/1-core/04-dns/internal/kustomization.yaml b/kube/deploy/apps/kubevirt/kustomization.yaml similarity index 63% rename from kube/3-deploy/1-core/04-dns/internal/kustomization.yaml rename to kube/deploy/apps/kubevirt/kustomization.yaml index 070d9990..0b464c4d 100644 --- a/kube/3-deploy/1-core/04-dns/internal/kustomization.yaml +++ b/kube/deploy/apps/kubevirt/kustomization.yaml @@ -2,5 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - 1-namespace.yaml - - 2-k8s-gateway.yaml + - operator.yaml + - cr.yaml + - netpol.yaml \ No newline at end of file diff --git a/kube/deploy/apps/kubevirt/netpol.yaml b/kube/deploy/apps/kubevirt/netpol.yaml new file mode 100644 index 00000000..c64be58a --- /dev/null +++ b/kube/deploy/apps/kubevirt/netpol.yaml 
@@ -0,0 +1,22 @@ +--- +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + name: &app kubevirt + namespace: *app +spec: + endpointSelector: {} + ingress: + - fromEntities: + - world + - fromEndpoints: + - {} + - fromEntities: + - cluster + egress: + - toEntities: + - world + - toEndpoints: + - {} + - toEntities: + - cluster diff --git a/kube/3-deploy/2-apps/kubevirt/2-install/1-operator.yaml b/kube/deploy/apps/kubevirt/operator.yaml similarity index 90% rename from kube/3-deploy/2-apps/kubevirt/2-install/1-operator.yaml rename to kube/deploy/apps/kubevirt/operator.yaml index d9ff4a5c..6e0c7240 100644 --- a/kube/3-deploy/2-apps/kubevirt/2-install/1-operator.yaml +++ b/kube/deploy/apps/kubevirt/operator.yaml @@ -1,5 +1,5 @@ --- -apiVersion: source.toolkit.fluxcd.io/v1beta2 +apiVersion: source.toolkit.fluxcd.io/v1 kind: GitRepository metadata: name: kubevirt-operator @@ -17,7 +17,7 @@ spec: # include operator !/kubevirt-operator.yaml --- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 +apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: kubevirt-operator diff --git a/kube/deploy/apps/livestream/ks.yaml b/kube/deploy/apps/livestream/ks.yaml index 294f48c5..6296f705 100644 --- a/kube/deploy/apps/livestream/ks.yaml +++ b/kube/deploy/apps/livestream/ks.yaml @@ -1,5 +1,5 @@ --- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 +apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: livestream-deps @@ -7,4 +7,4 @@ metadata: spec: path: ./kube/deploy/apps/livestream/deps dependsOn: - - name: ${CLUSTER_NAME_LOWER}-1-core-03-certs-cert-manager # change to shorter name + - name: 1-core-tls-cert-manager-config diff --git a/kube/deploy/apps/livestream/oven/ks.yaml b/kube/deploy/apps/livestream/oven/ks.yaml index 859f8d7a..89181f72 100644 --- a/kube/deploy/apps/livestream/oven/ks.yaml +++ b/kube/deploy/apps/livestream/oven/ks.yaml 
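Review bot: The new CiliumNetworkPolicy in kube/deploy/apps/kubevirt/netpol.yaml is effectively allow-all: `endpointSelector: {}` covers every pod in the namespace, and `fromEntities: [world, cluster]` together with `fromEndpoints: [{}]` admit every possible source, with the egress side mirroring it. As written it provides no segmentation, and the `fromEndpoints: - {}` entry is already implied by `cluster`. If the goal is only to have a policy object present (for example to satisfy a default-deny baseline while kubevirt's component flows are still being mapped), a header comment stating that would help, e.g. `# NOTE: deliberately allow-all until kubevirt flows are enumerated`; otherwise the `world` ingress entry should be narrowed.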
@@ -1,5 +1,5 @@ --- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 +apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: ovenmediaengine @@ -12,7 +12,7 @@ spec: - name: livestream-deps wait: false --- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 +apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: ovenplayer @@ -24,5 +24,5 @@ spec: dependsOn: - name: livestream-deps - name: ovenmediaengine - - name: ${CLUSTER_NAME_LOWER}-1-core-05-ingress-nginx + - name: 1-core-ingress-nginx-app wait: false diff --git a/kube/3-deploy/2-apps/minecraft/3-install.yaml b/kube/deploy/apps/minecraft/app/hr.yaml similarity index 95% rename from kube/3-deploy/2-apps/minecraft/3-install.yaml rename to kube/deploy/apps/minecraft/app/hr.yaml index 53e6136a..82285fd8 100644 --- a/kube/3-deploy/2-apps/minecraft/3-install.yaml +++ b/kube/deploy/apps/minecraft/app/hr.yaml @@ -12,6 +12,8 @@ spec: version: 4.5.0 sourceRef: name: minecraft + kind: HelmRepository + namespace: flux-system values: replicaCount: 1 strategyType: Recreate @@ -23,7 +25,7 @@ spec: "io.cilium/lb-ipam-ips": "${APP_IP_MINECRAFT}" minecraftServer: serviceType: LoadBalancer - externalTrafficPolicy: Local + externalTrafficPolicy: Cluster externalIPs: - "${APP_IP_MINECRAFT}" eula: "TRUE" diff --git a/kube/deploy/apps/minecraft/app/netpol.yaml b/kube/deploy/apps/minecraft/app/netpol.yaml new file mode 100644 index 00000000..ba6d8dee --- /dev/null +++ b/kube/deploy/apps/minecraft/app/netpol.yaml 
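Review bot: Switching `externalTrafficPolicy` from `Local` to `Cluster` on the minecraft LoadBalancer Service changes which source address the pod sees, and that interacts with the player `fromCIDRSet` rules in the netpol.yaml added alongside it. Unless Cilium is running in DSR mode, traffic that lands on a node not hosting the pod is SNATed to the node address, which Cilium classifies under the `remote-node` identity rather than matching a CIDR rule, so those player rules may stop matching (or players may be admitted by some other allow); the same change is made for sandstorm in kube/deploy/apps/sandstorm/app/hr.yaml. Worth verifying with `hubble observe` that player connections are admitted by the CIDR rule, and recording the reason, e.g. `externalTrafficPolicy: Cluster # NOTE: client IP is only preserved with Cilium DSR; see fromCIDRSet in netpol.yaml`.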
@@ -0,0 +1,35 @@ +--- +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + name: &app minecraft + namespace: *app +spec: + endpointSelector: {} + ingress: + # same namespace + - fromEndpoints: + - matchLabels: + io.kubernetes.pod.namespace: *app + # players + - fromCIDRSet: + - cidr: "${IP_ROUTER_LAN_CIDR}" + - cidr: "${IP_WG_USER_1_V4}" + - cidr: "${IP_WG_GUEST_V4}" + toPorts: + - ports: + - port: "25565" + egress: + # same namespace + - toEndpoints: + - matchLabels: + io.kubernetes.pod.namespace: *app + # internet access + - toEntities: + - world + # Fabric mods download + - toFQDNs: + - matchName: maven.fabricmc.net + toPorts: + - ports: + - port: "443" diff --git a/kube/3-deploy/2-apps/minecraft/volsync.yaml b/kube/deploy/apps/minecraft/app/volsync.yaml similarity index 100% rename from kube/3-deploy/2-apps/minecraft/volsync.yaml rename to kube/deploy/apps/minecraft/app/volsync.yaml diff --git a/kube/deploy/apps/minecraft/ks.yaml b/kube/deploy/apps/minecraft/ks.yaml new file mode 100644 index 00000000..73c8816d --- /dev/null +++ b/kube/deploy/apps/minecraft/ks.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: minecraft-app + namespace: flux-system +spec: + path: ./kube/deploy/apps/minecraft/app + dependsOn: + - name: 1-core-storage-rook-ceph-cluster + - name: 1-core-storage-volsync-app \ No newline at end of file diff --git a/kube/3-deploy/1-core/02-storage/rook-ceph/snapshot-controller/kustomization.yaml b/kube/deploy/apps/minecraft/kustomization.yaml similarity index 68% rename from kube/3-deploy/1-core/02-storage/rook-ceph/snapshot-controller/kustomization.yaml rename to kube/deploy/apps/minecraft/kustomization.yaml index f17a44ee..f0c81fc7 100644 --- a/kube/3-deploy/1-core/02-storage/rook-ceph/snapshot-controller/kustomization.yaml +++ b/kube/deploy/apps/minecraft/kustomization.yaml 
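Review bot: The egress section of the minecraft CiliumNetworkPolicy has no rule allowing DNS to kube-dns (it permits only same-namespace endpoints and the `world` entity, and in-cluster CoreDNS is neither), so unless a clusterwide policy already grants it the server cannot resolve names, and the `toFQDNs: maven.fabricmc.net` rule can never be populated — Cilium FQDN rules also need a DNS rule with `rules: dns: matchPattern` so the proxy learns the name-to-IP mappings. The sandstorm policy in kube/deploy/apps/sandstorm/app/netpol.yaml has the same egress shape. Separately, `toEntities: - world` already allows all internet egress on every port, which makes the `maven.fabricmc.net`/443 rule redundant; either drop the `world` entry to get the intended allow-list or drop the FQDN rule. A minimal DNS egress rule is sketched below.

```yaml
  egress:
    # … unchanged: same-namespace / world / toFQDNs rules …
    # DNS to CoreDNS; the dns rule lets the Cilium proxy learn FQDN mappings for toFQDNs
    - toEndpoints:
        - matchLabels:
            io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: UDP
          rules:
            dns:
              - matchPattern: "*"
```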
@@ -2,5 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - rbac.yaml - - statefulset.yaml + - ns.yaml + - repo.yaml + - ks.yaml \ No newline at end of file diff --git a/kube/3-deploy/2-apps/minecraft/1-namespace.yaml b/kube/deploy/apps/minecraft/ns.yaml similarity index 100% rename from kube/3-deploy/2-apps/minecraft/1-namespace.yaml rename to kube/deploy/apps/minecraft/ns.yaml diff --git a/kube/3-deploy/2-apps/minecraft/2-repo.yaml b/kube/deploy/apps/minecraft/repo.yaml similarity index 100% rename from kube/3-deploy/2-apps/minecraft/2-repo.yaml rename to kube/deploy/apps/minecraft/repo.yaml diff --git a/kube/3-deploy/2-apps/miniflux/app/hr.yaml b/kube/deploy/apps/miniflux/app/hr.yaml similarity index 100% rename from kube/3-deploy/2-apps/miniflux/app/hr.yaml rename to kube/deploy/apps/miniflux/app/hr.yaml diff --git a/kube/3-deploy/2-apps/miniflux/app/secret.yaml b/kube/deploy/apps/miniflux/app/secret.yaml similarity index 100% rename from kube/3-deploy/2-apps/miniflux/app/secret.yaml rename to kube/deploy/apps/miniflux/app/secret.yaml diff --git a/kube/3-deploy/2-apps/miniflux/ks.yaml b/kube/deploy/apps/miniflux/ks.yaml similarity index 56% rename from kube/3-deploy/2-apps/miniflux/ks.yaml rename to kube/deploy/apps/miniflux/ks.yaml index 7fd154eb..49843dae 100644 --- a/kube/3-deploy/2-apps/miniflux/ks.yaml +++ b/kube/deploy/apps/miniflux/ks.yaml @@ -1,5 +1,5 @@ --- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 +apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: miniflux-app @@ -7,7 +7,7 @@ metadata: labels: wait.flux.home.arpa/disabled: "true" spec: - path: ./kube/3-deploy/2-apps/miniflux/app + path: ./kube/deploy/apps/miniflux/app dependsOn: - - name: ${CLUSTER_NAME_LOWER}-1-core-05-ingress-nginx + - name: 1-core-ingress-nginx-app - name: 1-core-db-pg-clusters-default 
diff --git a/kube/3-deploy/2-apps/velociraptor/kustomization.yaml b/kube/deploy/apps/miniflux/kustomization.yaml similarity index 100% rename from kube/3-deploy/2-apps/velociraptor/kustomization.yaml rename to kube/deploy/apps/miniflux/kustomization.yaml diff --git a/kube/3-deploy/2-apps/miniflux/ns.yaml b/kube/deploy/apps/miniflux/ns.yaml similarity index 100% rename from kube/3-deploy/2-apps/miniflux/ns.yaml rename to kube/deploy/apps/miniflux/ns.yaml diff --git a/kube/3-deploy/2-apps/ntfy/app/hr.yaml b/kube/deploy/apps/ntfy/app/hr.yaml similarity index 80% rename from kube/3-deploy/2-apps/ntfy/app/hr.yaml rename to kube/deploy/apps/ntfy/app/hr.yaml index 689e7527..0ae2b997 100644 --- a/kube/3-deploy/2-apps/ntfy/app/hr.yaml +++ b/kube/deploy/apps/ntfy/app/hr.yaml @@ -8,12 +8,13 @@ spec: chart: spec: chart: app-template - version: 1.5.0 + version: 1.5.1 sourceRef: - kind: HelmRepository name: bjw-s + kind: HelmRepository namespace: flux-system values: + automountServiceAccountToken: false controller: type: statefulset image: @@ -80,3 +81,14 @@ spec: memory: 50Mi limits: memory: 150Mi + initContainers: + 01-init-unifiedpush: + command: ["ntfy", "access", "*", "up*", "write-only"] + env: + NTFY_AUTH_FILE: "/authfile/user.db" + NTFY_AUTH_DEFAULT_ACCESS: "write-only" + image: docker.io/binwiederhier/ntfy:v2.4.0@sha256:be59d51a83e265d5945bf8b1e2286b0ab4de6d61f0348e057155533995bbcc40 + imagePullPolicy: IfNotPresent + volumeMounts: + - mountPath: /authfile + name: authfile diff --git a/kube/3-deploy/2-apps/ntfy/app/netpol.yaml b/kube/deploy/apps/ntfy/app/netpol.yaml similarity index 100% rename from kube/3-deploy/2-apps/ntfy/app/netpol.yaml rename to kube/deploy/apps/ntfy/app/netpol.yaml diff --git a/kube/deploy/apps/ntfy/ks.yaml b/kube/deploy/apps/ntfy/ks.yaml new file mode 100644 index 00000000..d39d574c --- /dev/null +++ b/kube/deploy/apps/ntfy/ks.yaml 
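Review bot: The `01-init-unifiedpush` init container grants write-only access on every `up*` topic to `*`, i.e. all users including anonymous, and nothing in the hunk records that this is the UnifiedPush pattern, so a comment such as `# UnifiedPush: anonymous clients need write-only on up* topics` above the container would help. The `NTFY_AUTH_DEFAULT_ACCESS: "write-only"` set here only governs the CLI process inside the init container; the server's effective default is whatever the main container sets (outside this hunk), and if that is not `deny-all` the narrow `up*` grant is moot. The image is pinned by digest, which is good; if it is the same image as the main container, a YAML anchor would keep the two from drifting.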
@@ -0,0 +1,17 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: ntfy-app + namespace: flux-system +spec: + path: ./kube/deploy/apps/ntfy/app + dependsOn: + - name: 1-core-storage-rook-ceph-cluster + - name: 1-core-ingress-nginx-app + #- name: 1-core-storage-volsync-app + healthChecks: + - name: ntfy + namespace: ntfy + kind: HelmRelease + apiVersion: helm.toolkit.fluxcd.io/v2beta1 diff --git a/kube/3-deploy/2-apps/zipline/kustomization.yaml b/kube/deploy/apps/ntfy/kustomization.yaml similarity index 100% rename from kube/3-deploy/2-apps/zipline/kustomization.yaml rename to kube/deploy/apps/ntfy/kustomization.yaml diff --git a/kube/3-deploy/2-apps/ntfy/ns.yaml b/kube/deploy/apps/ntfy/ns.yaml similarity index 100% rename from kube/3-deploy/2-apps/ntfy/ns.yaml rename to kube/deploy/apps/ntfy/ns.yaml diff --git a/kube/3-deploy/2-apps/insurgency-sandstorm/config/Engine.ini b/kube/deploy/apps/sandstorm/app/config/Engine.ini similarity index 100% rename from kube/3-deploy/2-apps/insurgency-sandstorm/config/Engine.ini rename to kube/deploy/apps/sandstorm/app/config/Engine.ini diff --git a/kube/3-deploy/2-apps/insurgency-sandstorm/config/Game.ini b/kube/deploy/apps/sandstorm/app/config/Game.ini similarity index 100% rename from kube/3-deploy/2-apps/insurgency-sandstorm/config/Game.ini rename to kube/deploy/apps/sandstorm/app/config/Game.ini diff --git a/kube/3-deploy/2-apps/insurgency-sandstorm/config/MapCycle.txt b/kube/deploy/apps/sandstorm/app/config/MapCycle.txt similarity index 100% rename from kube/3-deploy/2-apps/insurgency-sandstorm/config/MapCycle.txt rename to kube/deploy/apps/sandstorm/app/config/MapCycle.txt diff --git a/kube/3-deploy/2-apps/insurgency-sandstorm/config/Mods.txt b/kube/deploy/apps/sandstorm/app/config/Mods.txt similarity index 100% rename from kube/3-deploy/2-apps/insurgency-sandstorm/config/Mods.txt rename to kube/deploy/apps/sandstorm/app/config/Mods.txt 
diff --git a/kube/3-deploy/2-apps/insurgency-sandstorm/config/secrets.yaml b/kube/deploy/apps/sandstorm/app/config/secrets.yaml similarity index 100% rename from kube/3-deploy/2-apps/insurgency-sandstorm/config/secrets.yaml rename to kube/deploy/apps/sandstorm/app/config/secrets.yaml diff --git a/kube/3-deploy/2-apps/insurgency-sandstorm/2-install.yaml b/kube/deploy/apps/sandstorm/app/hr.yaml similarity index 92% rename from kube/3-deploy/2-apps/insurgency-sandstorm/2-install.yaml rename to kube/deploy/apps/sandstorm/app/hr.yaml index de2e3a42..213dce25 100644 --- a/kube/3-deploy/2-apps/insurgency-sandstorm/2-install.yaml +++ b/kube/deploy/apps/sandstorm/app/hr.yaml @@ -4,9 +4,15 @@ kind: HelmRelease metadata: name: insurgency-sandstorm namespace: sandstorm - labels: - helm.flux.home.arpa/app-template: "true" spec: + chart: + spec: + chart: app-template + version: 1.5.1 + sourceRef: + name: bjw-s + kind: HelmRepository + namespace: flux-system values: controller: strategy: Recreate 
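Review bot: The `values:` block for sandstorm gains the explicit chart spec but not the `automountServiceAccountToken: false` that kavita, ntfy and whoogle receive in this same commit; kube/deploy/apps/syncthing/user1/install.yaml has the same gap. A game server has no reason to hold a projected ServiceAccount token, so adding `automountServiceAccountToken: false` directly under `values:` keeps the app-template releases consistent and removes an API credential from the pod. If either workload really needs the token, a short comment at that spot would save the next reviewer from re-raising it.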
@@ -19,8 +25,8 @@ spec: args: ["-hostname=\"${CONFIG_SANDSTORM_NAME}\"", "-Log", "-Port=${CONFIG_SANDSTORM_PORT}", "-QueryPort=${CONFIG_SANDSTORM_QUERYPORT}", "-MapCycle=MapCycle", "-NoEAC", "-EnableCheats", "-Mods", "-CmdModList=\"${CONFIG_SANDSTORM_MODS}\"", "-mutators=${CONFIG_SANDSTORM_MUTATORS}", "-ModDownloadTravelTo=${CONFIG_SANDSTORM_INIT_MAP}?Scenario=Scenario_${CONFIG_SANDSTORM_INIT_MAP}_${CONFIG_SANDSTORM_INIT_SCENARIO}"] env: HOSTNAME: "${CONFIG_SANDSTORM_NAME}" - PORT: "${CONFIG_SANDSTORM_PORT}" - QUERYPORT: "${CONFIG_SANDSTORM_QUERYPORT}" + PORT: &port "27102" + QUERYPORT: &query "27131" LAUNCH_SERVER_ENV: "-hostname=\"${CONFIG_SANDSTORM_NAME}\" -Log -Port=${CONFIG_SANDSTORM_PORT} -QueryPort=${CONFIG_SANDSTORM_QUERYPORT} -MapCycle=MapCycle -NoEAC -EnableCheats -Mods -mutators=${CONFIG_SANDSTORM_MUTATORS} -ModDownloadTravelTo=${CONFIG_SANDSTORM_INIT_MAP}?Scenario=Scenario_${CONFIG_SANDSTORM_INIT_MAP}_${CONFIG_SANDSTORM_INIT_SCENARIO}" dnsPolicy: ClusterFirstWithHostNet dnsConfig: @@ -41,25 +47,20 @@ spec: enabled: true # type: ClusterIP type: LoadBalancer - externalTrafficPolicy: Local - loadBalancerIP: "${APP_IP_SANDSTORM}" - externalIPs: - - "${APP_IP_SANDSTORM}" + externalTrafficPolicy: Cluster + annotations: + "io.cilium/lb-ipam-ips": "${APP_IP_SANDSTORM}" ports: http: enabled: false primary: false gameudp: enabled: true - port: ${CONFIG_SANDSTORM_PORT} - targetPort: ${CONFIG_SANDSTORM_PORT} - nodePort: ${CONFIG_SANDSTORM_PORT} + port: *port protocol: UDP queryudp: enabled: true - port: ${CONFIG_SANDSTORM_QUERYPORT} - targetPort: ${CONFIG_SANDSTORM_QUERYPORT} - nodePort: ${CONFIG_SANDSTORM_QUERYPORT} + port: *query protocol: UDP initContainers: init-permission: 
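Review bot: The `PORT`/`QUERYPORT` env values are now the hardcoded anchors `"27102"`/`"27131"`, but the `args` line and `LAUNCH_SERVER_ENV` in the same hunk still pass `-Port=${CONFIG_SANDSTORM_PORT}` and `-QueryPort=${CONFIG_SANDSTORM_QUERYPORT}`, and the new netpol.yaml repeats the two literals. If the substituted variables ever differ from the literals, the Service and policy open ports the server is not listening on. Either switch the args to the same literals (`-Port=27102`, `-QueryPort=27131`) or keep the variables everywhere, and note the coupling, e.g. `PORT: &port "27102" # must match netpol.yaml and the -Port arg`.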
diff --git a/kube/3-deploy/2-apps/insurgency-sandstorm/kustomization.yaml b/kube/deploy/apps/sandstorm/app/kustomization.yaml similarity index 95% rename from kube/3-deploy/2-apps/insurgency-sandstorm/kustomization.yaml rename to kube/deploy/apps/sandstorm/app/kustomization.yaml index 12510131..891e223e 100644 --- a/kube/3-deploy/2-apps/insurgency-sandstorm/kustomization.yaml +++ b/kube/deploy/apps/sandstorm/app/kustomization.yaml @@ -2,9 +2,9 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - 1-namespace.yaml - config/secrets.yaml - - 2-install.yaml + - hr.yaml + - netpol.yaml configMapGenerator: - name: insurgency-sandstorm-gameini namespace: sandstorm diff --git a/kube/deploy/apps/sandstorm/app/netpol.yaml b/kube/deploy/apps/sandstorm/app/netpol.yaml new file mode 100644 index 00000000..b69e11bc --- /dev/null +++ b/kube/deploy/apps/sandstorm/app/netpol.yaml @@ -0,0 +1,29 @@ +--- +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + name: &app sandstorm + namespace: *app +spec: + endpointSelector: {} + ingress: + # same namespace + - fromEndpoints: + - matchLabels: + io.kubernetes.pod.namespace: *app + # players + - fromCIDRSet: + - cidr: "${IP_ROUTER_LAN_CIDR}" + - cidr: "${IP_WG_USER_1_V4}" + - cidr: "${IP_WG_GUEST_V4}" + toPorts: + - ports: + - port: "27102" + - port: "27131" + egress: + # same namespace + - toEndpoints: + - matchLabels: + io.kubernetes.pod.namespace: *app + - toEntities: + - world diff --git a/kube/deploy/apps/sandstorm/ks.yaml b/kube/deploy/apps/sandstorm/ks.yaml new file mode 100644 index 00000000..e12a3f44 --- /dev/null +++ b/kube/deploy/apps/sandstorm/ks.yaml @@ -0,0 +1,10 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: sandstorm-app + namespace: flux-system +spec: + path: ./kube/deploy/apps/sandstorm/app + dependsOn: + - name: 1-core-storage-rook-ceph-cluster \ No newline at end of file 
diff --git a/kube/deploy/apps/sandstorm/kustomization.yaml b/kube/deploy/apps/sandstorm/kustomization.yaml new file mode 100644 index 00000000..b439d858 --- /dev/null +++ b/kube/deploy/apps/sandstorm/kustomization.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ns.yaml + - ks.yaml \ No newline at end of file diff --git a/kube/3-deploy/2-apps/insurgency-sandstorm/1-namespace.yaml b/kube/deploy/apps/sandstorm/ns.yaml similarity index 100% rename from kube/3-deploy/2-apps/insurgency-sandstorm/1-namespace.yaml rename to kube/deploy/apps/sandstorm/ns.yaml diff --git a/kube/3-deploy/2-apps/satisfactory/app/hr.yaml b/kube/deploy/apps/satisfactory/app/hr.yaml similarity index 97% rename from kube/3-deploy/2-apps/satisfactory/app/hr.yaml rename to kube/deploy/apps/satisfactory/app/hr.yaml index cbd946f1..b90533a8 100644 --- a/kube/3-deploy/2-apps/satisfactory/app/hr.yaml +++ b/kube/deploy/apps/satisfactory/app/hr.yaml @@ -82,6 +82,6 @@ spec: resources: requests: cpu: 200m - memory: 6740Mi - # limits: - # memory: 6000Mi + memory: 11000Mi + limits: + memory: 20000Mi diff --git a/kube/3-deploy/2-apps/satisfactory/app/netpol.yaml b/kube/deploy/apps/satisfactory/app/netpol.yaml similarity index 100% rename from kube/3-deploy/2-apps/satisfactory/app/netpol.yaml rename to kube/deploy/apps/satisfactory/app/netpol.yaml diff --git a/kube/3-deploy/2-apps/satisfactory/app/volsync.yaml b/kube/deploy/apps/satisfactory/app/volsync.yaml similarity index 100% rename from kube/3-deploy/2-apps/satisfactory/app/volsync.yaml rename to kube/deploy/apps/satisfactory/app/volsync.yaml diff --git a/kube/deploy/apps/satisfactory/ks.yaml b/kube/deploy/apps/satisfactory/ks.yaml new file mode 100644 index 00000000..bc935472 --- /dev/null +++ b/kube/deploy/apps/satisfactory/ks.yaml 
@@ -0,0 +1,16 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: satisfactory-app + namespace: flux-system +spec: + path: ./kube/deploy/apps/satisfactory/app + dependsOn: + - name: 1-core-storage-rook-ceph-cluster + #- name: 1-core-storage-volsync-app + healthChecks: + - name: satisfactory + namespace: satisfactory + kind: HelmRelease + apiVersion: helm.toolkit.fluxcd.io/v2beta1 diff --git a/kube/3-deploy/2-apps/syncthing/kustomization.yaml b/kube/deploy/apps/satisfactory/kustomization.yaml similarity index 88% rename from kube/3-deploy/2-apps/syncthing/kustomization.yaml rename to kube/deploy/apps/satisfactory/kustomization.yaml index 70a77029..5eeb2657 100644 --- a/kube/3-deploy/2-apps/syncthing/kustomization.yaml +++ b/kube/deploy/apps/satisfactory/kustomization.yaml @@ -2,4 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: + - ns.yaml - ks.yaml diff --git a/kube/3-deploy/2-apps/satisfactory/ns.yaml b/kube/deploy/apps/satisfactory/ns.yaml similarity index 100% rename from kube/3-deploy/2-apps/satisfactory/ns.yaml rename to kube/deploy/apps/satisfactory/ns.yaml diff --git a/kube/3-deploy/2-apps/syncthing/deps/kustomization.yaml b/kube/deploy/apps/syncthing/deps/kustomization.yaml similarity index 100% rename from kube/3-deploy/2-apps/syncthing/deps/kustomization.yaml rename to kube/deploy/apps/syncthing/deps/kustomization.yaml diff --git a/kube/3-deploy/2-apps/syncthing/deps/namespace.yaml b/kube/deploy/apps/syncthing/deps/namespace.yaml similarity index 100% rename from kube/3-deploy/2-apps/syncthing/deps/namespace.yaml rename to kube/deploy/apps/syncthing/deps/namespace.yaml diff --git a/kube/3-deploy/2-apps/syncthing/ks.yaml b/kube/deploy/apps/syncthing/ks.yaml similarity index 67% rename from kube/3-deploy/2-apps/syncthing/ks.yaml rename to kube/deploy/apps/syncthing/ks.yaml index 5dcd10f8..6c767336 100644 --- a/kube/3-deploy/2-apps/syncthing/ks.yaml 
+++ b/kube/deploy/apps/syncthing/ks.yaml @@ -1,20 +1,20 @@ --- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 +apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: syncthing-deps namespace: flux-system spec: - path: ./kube/3-deploy/2-apps/syncthing/deps + path: ./kube/deploy/apps/syncthing/deps dependsOn: [] --- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 +apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: syncthing-${USERS_1_ID}-app namespace: flux-system spec: - path: ./kube/3-deploy/2-apps/syncthing/user1 + path: ./kube/deploy/apps/syncthing/user1 dependsOn: - name: syncthing-deps healthChecks: diff --git a/kube/3-deploy/2-apps/excalidraw/kustomization.yaml b/kube/deploy/apps/syncthing/kustomization.yaml similarity index 100% rename from kube/3-deploy/2-apps/excalidraw/kustomization.yaml rename to kube/deploy/apps/syncthing/kustomization.yaml diff --git a/kube/3-deploy/2-apps/syncthing/user1/install.yaml b/kube/deploy/apps/syncthing/user1/install.yaml similarity index 91% rename from kube/3-deploy/2-apps/syncthing/user1/install.yaml rename to kube/deploy/apps/syncthing/user1/install.yaml index 3035d903..613b0371 100644 --- a/kube/3-deploy/2-apps/syncthing/user1/install.yaml +++ b/kube/deploy/apps/syncthing/user1/install.yaml @@ -4,9 +4,15 @@ kind: HelmRelease metadata: name: syncthing-${USERS_1_ID} namespace: syncthing-${USERS_1_ID} - labels: - helm.flux.home.arpa/app-template: "true" spec: + chart: + spec: + chart: app-template + version: 1.5.1 + sourceRef: + name: bjw-s + kind: HelmRepository + namespace: flux-system values: controller: type: statefulset diff --git a/kube/3-deploy/2-apps/syncthing/user1/networkpolicy.yaml b/kube/deploy/apps/syncthing/user1/networkpolicy.yaml similarity index 100% rename from kube/3-deploy/2-apps/syncthing/user1/networkpolicy.yaml rename to kube/deploy/apps/syncthing/user1/networkpolicy.yaml 
diff --git a/kube/3-deploy/2-apps/hugo-test/volsync.yaml b/kube/deploy/apps/syncthing/user1/volsync.yaml similarity index 56% rename from kube/3-deploy/2-apps/hugo-test/volsync.yaml rename to kube/deploy/apps/syncthing/user1/volsync.yaml index 43cfd568..cf301a42 100644 --- a/kube/3-deploy/2-apps/hugo-test/volsync.yaml +++ b/kube/deploy/apps/syncthing/user1/volsync.yaml @@ -2,11 +2,11 @@ apiVersion: v1 kind: Secret metadata: - name: hugo-test-restic - namespace: hugo-test + name: syncthing-${USERS_1_ID}-restic + namespace: syncthing-${USERS_1_ID} type: Opaque stringData: - RESTIC_REPOSITORY: ${SECRET_VOLSYNC_R2_REPO}/hugo-test + RESTIC_REPOSITORY: ${SECRET_VOLSYNC_R2_REPO}/syncthing-${USERS_1_ID} RESTIC_PASSWORD: ${SECRET_VOLSYNC_PASSWORD} AWS_ACCESS_KEY_ID: ${SECRET_VOLSYNC_R2_ID} AWS_SECRET_ACCESS_KEY: ${SECRET_VOLSYNC_R2_KEY} @@ -14,23 +14,23 @@ stringData: apiVersion: volsync.backube/v1alpha1 kind: ReplicationSource metadata: - name: hugo-test-restic - namespace: hugo-test + name: syncthing-${USERS_1_ID}-restic + namespace: syncthing-${USERS_1_ID} spec: - sourcePVC: hugo-test-config + sourcePVC: user1-ceph-rbd-syncthing-${USERS_1_ID}-0 trigger: schedule: "0 6 * * *" restic: copyMethod: Snapshot pruneIntervalDays: 14 - repository: hugo-test-restic + repository: syncthing-${USERS_1_ID}-restic cacheCapacity: 2Gi volumeSnapshotClassName: block storageClassName: block moverSecurityContext: - runAsUser: 0 - runAsGroup: 0 - fsGroup: 0 + runAsUser: ${USERS_1_UID} + runAsGroup: ${USERS_1_UID} + fsGroup: ${USERS_1_UID} retain: daily: 14 within: 7d diff --git a/kube/3-deploy/2-apps/tetragon/install.yaml b/kube/deploy/apps/tetragon/app/hr.yaml similarity index 92% rename from kube/3-deploy/2-apps/tetragon/install.yaml rename to kube/deploy/apps/tetragon/app/hr.yaml index ae0ab701..d2be0758 100644 --- a/kube/3-deploy/2-apps/tetragon/install.yaml +++ b/kube/deploy/apps/tetragon/app/hr.yaml 
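Review bot: `runAsGroup` and `fsGroup` in the ReplicationSource `moverSecurityContext` are set to `${USERS_1_UID}`, a UID variable used as a GID, which silently assumes the user's UID and primary GID are equal. Moving the mover off uid 0 is the right direction; if a separate GID variable exists it should be used here, otherwise a comment such as `fsGroup: ${USERS_1_UID} # assumes uid == gid for this user` documents the assumption. The `sourcePVC` name also hardcodes the StatefulSet ordinal (`-0`), which is worth a comment so a later replica change does not leave the backup pointing at the wrong claim.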
@@ -11,6 +11,8 @@ spec: version: 0.8.3 sourceRef: name: cilium-charts + kind: HelmRepository + namespace: flux-system values: enabled: true imagePullPolicy: IfNotPresent diff --git a/kube/deploy/apps/tetragon/ks.yaml b/kube/deploy/apps/tetragon/ks.yaml new file mode 100644 index 00000000..3549d20b --- /dev/null +++ b/kube/deploy/apps/tetragon/ks.yaml @@ -0,0 +1,10 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: tetragon-app + namespace: flux-system +spec: + path: ./kube/deploy/apps/tetragon/app + dependsOn: + - name: 1-core-1-networking-cilium-app \ No newline at end of file diff --git a/kube/2-bootstrap/flux/repos/kustomization.yaml b/kube/deploy/apps/tetragon/kustomization.yaml similarity index 87% rename from kube/2-bootstrap/flux/repos/kustomization.yaml rename to kube/deploy/apps/tetragon/kustomization.yaml index 96b157b7..60c07d50 100644 --- a/kube/2-bootstrap/flux/repos/kustomization.yaml +++ b/kube/deploy/apps/tetragon/kustomization.yaml @@ -2,4 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - helm + - ks.yaml \ No newline at end of file diff --git a/kube/3-deploy/2-apps/velociraptor/app/.sops.yaml b/kube/deploy/apps/velociraptor/app/.sops.yaml similarity index 100% rename from kube/3-deploy/2-apps/velociraptor/app/.sops.yaml rename to kube/deploy/apps/velociraptor/app/.sops.yaml diff --git a/kube/deploy/apps/velociraptor/app/config.sops.yaml b/kube/deploy/apps/velociraptor/app/config.sops.yaml new file mode 100644 index 00000000..fd9f2bb1 --- /dev/null +++ b/kube/deploy/apps/velociraptor/app/config.sops.yaml 
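Review bot: The new tetragon Kustomization depends on `1-core-1-networking-cilium-app`, a name that does not follow the `1-core-<area>-<app>` pattern every other new `dependsOn` in this commit uses (`1-core-ingress-nginx-app`, `1-core-storage-rook-ceph-cluster`, `1-core-tls-cert-manager-config`), and the cilium directory is being moved to `kube/deploy/core/_networking/cilium/app` in the same change. If the Flux Kustomization for cilium is not actually named that, this Kustomization will wait indefinitely on a missing dependency; worth checking the name against the cilium `ks.yaml`. The file also lacks a trailing newline.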
@@ -0,0 +1,41 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: velociraptor-config + namespace: velociraptor + labels: + app.kubernetes.io/instance: velociraptor + app.kubernetes.io/name: velociraptor +data: + server.config.yaml: ENC[AES256_GCM,data:,iv:7tlksoc5P63BsmiZvqmd/wQUH4KX1gJwrizsbnztYgc=,tag:5cPnGJz1afR9HgRITDqCRQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjQ3VWVGNyZVRFZWttZXB6 + SzN6UWw3VkpGazJzaHp2ZG9tckdWK0V4b1R3ClhOTElPdmJsa1ZPRzZkZWJtM2pB + dWU3UG1iaVNZOFVMazk5WWdtMkNzU0kKLS0tIE82eC9EbzJuejJ0cjNwc2ZUMTlx + a0Y5T1lDRitjeGZnRHl5cUJaOVRBczgK3B05LRMylgh3q9w19GQcP1gx0KYf+erR + YqvjF2SXtbO3IFFfTgtubKYA+kmzAeJy21UO+5ro/BddRfUq2jfWcw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2023-05-08T11:41:59Z" + mac: ENC[AES256_GCM,data:/p1ul94TK0QRd3jTcVENfcIg9PMpJW5YskvwwT9Xxj6nZ9Qq8Z9hc1aYB74d2TLnGQwUxeKlURnNHRHZXd0AvBrFovtYEsYpQyl9U2RidlvmjJSSBpvtGCARCOxsZFMU6cR6PeWEN0uujWKMfVamNTBz42tKDBU4d3yost92g0s=,iv:6FuhJSdzuaLx6cUD8RRvMvPcQgSU/QHlzo9tWOL5mbw=,tag:5KOcZtUaVRM71b0wYkjy7g==,type:str] + pgp: + - created_at: "2023-05-08T00:47:34Z" + enc: | + -----BEGIN PGP MESSAGE----- + + hF4DAAAAAAAAAAASAQdAPR/d4AH9qKsA0hdhl71Ai5dpP7GfdlUibG5C7X6e2XUw + PcVDZCJK7xHeDveaERB6spYjytpqfCya+vePGxHrs9EjTPzFA/7IvNFpj6rDvzll + 0l4BwApjc6Rvo9hPNmSukErwnLQVvpDuUnVOIz18VjWN+pKgVoalK1wF+o5nPihl + B934hwYQt1RVYQ3qBT3qXeHYEtRxo1W+/ms3f04WsSSAQe5kyan1wwaDad5oDmzA + =eYHn + -----END PGP MESSAGE----- + fp: 31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2 + encrypted_regex: ^(data|stringData)$ + version: 3.7.3 diff --git a/kube/3-deploy/2-apps/velociraptor/app/hr.yaml b/kube/deploy/apps/velociraptor/app/hr.yaml similarity index 100% rename from kube/3-deploy/2-apps/velociraptor/app/hr.yaml rename to kube/deploy/apps/velociraptor/app/hr.yaml 
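Review bot: The encrypted `server.config.yaml` value has an empty ciphertext (`ENC[AES256_GCM,data:,iv:…]`), which means the plaintext is an empty string, so the velociraptor ConfigMap as committed carries no server configuration. If this is a placeholder to be filled later, a TODO in the plaintext or in the app kustomization would make that explicit; if not, the file was likely encrypted before the config was pasted in. Separately, a velociraptor server config normally embeds key material, and a ConfigMap is readable by anyone with `get configmaps` in the namespace, so a `Secret` with `stringData` (already covered by the `encrypted_regex`) would be the safer home.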
diff --git a/kube/3-deploy/2-apps/velociraptor/app/kustomization.yaml b/kube/deploy/apps/velociraptor/app/kustomization.yaml similarity index 100% rename from kube/3-deploy/2-apps/velociraptor/app/kustomization.yaml rename to kube/deploy/apps/velociraptor/app/kustomization.yaml diff --git a/kube/3-deploy/2-apps/velociraptor/app/netpol.yaml b/kube/deploy/apps/velociraptor/app/netpol.yaml similarity index 100% rename from kube/3-deploy/2-apps/velociraptor/app/netpol.yaml rename to kube/deploy/apps/velociraptor/app/netpol.yaml diff --git a/kube/deploy/apps/velociraptor/ks.yaml b/kube/deploy/apps/velociraptor/ks.yaml new file mode 100644 index 00000000..130026c2 --- /dev/null +++ b/kube/deploy/apps/velociraptor/ks.yaml @@ -0,0 +1,17 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: velociraptor-app + namespace: flux-system +spec: + path: ./kube/deploy/apps/velociraptor/app + dependsOn: + - name: 1-core-storage-rook-ceph-cluster + - name: 1-core-ingress-nginx-app + #- name: 1-core-storage-volsync-app + healthChecks: + - name: velociraptor + namespace: velociraptor + kind: HelmRelease + apiVersion: helm.toolkit.fluxcd.io/v2beta1 diff --git a/kube/3-deploy/2-apps/kanidm/kustomization.yaml b/kube/deploy/apps/velociraptor/kustomization.yaml similarity index 88% rename from kube/3-deploy/2-apps/kanidm/kustomization.yaml rename to kube/deploy/apps/velociraptor/kustomization.yaml index 70a77029..5eeb2657 100644 --- a/kube/3-deploy/2-apps/kanidm/kustomization.yaml +++ b/kube/deploy/apps/velociraptor/kustomization.yaml @@ -2,4 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: + - ns.yaml - ks.yaml diff --git a/kube/3-deploy/2-apps/velociraptor/ns.yaml b/kube/deploy/apps/velociraptor/ns.yaml similarity index 100% rename from kube/3-deploy/2-apps/velociraptor/ns.yaml rename to kube/deploy/apps/velociraptor/ns.yaml 
diff --git a/kube/3-deploy/2-apps/whoogle/2-install.yaml b/kube/deploy/apps/whoogle/app/hr.yaml similarity index 90% rename from kube/3-deploy/2-apps/whoogle/2-install.yaml rename to kube/deploy/apps/whoogle/app/hr.yaml index c5cafb83..d2a9ae0d 100644 --- a/kube/3-deploy/2-apps/whoogle/2-install.yaml +++ b/kube/deploy/apps/whoogle/app/hr.yaml @@ -4,10 +4,17 @@ kind: HelmRelease metadata: name: whoogle namespace: whoogle - labels: - helm.flux.home.arpa/app-template: "true" spec: + chart: + spec: + chart: app-template + version: 1.5.1 + sourceRef: + name: bjw-s + kind: HelmRepository + namespace: flux-system values: + automountServiceAccountToken: false controller: strategy: RollingUpdate fullNameOverride: whoogle diff --git a/kube/3-deploy/2-apps/whoogle/netpol.yaml b/kube/deploy/apps/whoogle/app/netpol.yaml similarity index 100% rename from kube/3-deploy/2-apps/whoogle/netpol.yaml rename to kube/deploy/apps/whoogle/app/netpol.yaml diff --git a/kube/deploy/apps/whoogle/ks.yaml b/kube/deploy/apps/whoogle/ks.yaml new file mode 100644 index 00000000..a928594f --- /dev/null +++ b/kube/deploy/apps/whoogle/ks.yaml @@ -0,0 +1,10 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: whoogle-app + namespace: flux-system +spec: + path: ./kube/deploy/apps/whoogle/app + dependsOn: + - name: 1-core-ingress-nginx-app \ No newline at end of file diff --git a/kube/deploy/apps/whoogle/kustomization.yaml b/kube/deploy/apps/whoogle/kustomization.yaml new file mode 100644 index 00000000..b439d858 --- /dev/null +++ b/kube/deploy/apps/whoogle/kustomization.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ns.yaml + - ks.yaml \ No newline at end of file diff --git a/kube/3-deploy/2-apps/whoogle/1-namespace.yaml b/kube/deploy/apps/whoogle/ns.yaml similarity index 100% rename from kube/3-deploy/2-apps/whoogle/1-namespace.yaml rename to kube/deploy/apps/whoogle/ns.yaml 
diff --git a/kube/3-deploy/2-apps/zipline/app/hr.yaml b/kube/deploy/apps/zipline/app/hr.yaml similarity index 97% rename from kube/3-deploy/2-apps/zipline/app/hr.yaml rename to kube/deploy/apps/zipline/app/hr.yaml index 95d83a88..08ac3240 100644 --- a/kube/3-deploy/2-apps/zipline/app/hr.yaml +++ b/kube/deploy/apps/zipline/app/hr.yaml @@ -26,7 +26,7 @@ spec: podLabels: ingress.home.arpa/nginx: "allow" db.home.arpa/pg: "pg-default" - s3.home.arpa/store: "rgw-${CLUSTER_NAME_LOWER}" + s3.home.arpa/store: "rgw-${CLUSTER_NAME}" env: TZ: "${CONFIG_TZ}" CORE_SECRET: @@ -52,7 +52,7 @@ spec: key: AWS_SECRET_ACCESS_KEY DATASOURCE_TYPE: "s3" DATASOURCE_S3_BUCKET: "zipline-data" - DATASOURCE_S3_ENDPOINT: "rook-ceph-rgw-${CLUSTER_NAME_LOWER}.rook-ceph.svc.cluster.local." + DATASOURCE_S3_ENDPOINT: "rook-ceph-rgw-${CLUSTER_NAME}.rook-ceph.svc.cluster.local." DATASOURCE_S3_PORT: "6953" DATASOURCE_S3_REGION: "us-west-1" DATASOURCE_S3_FORCE_S3_PATH: "true" # TODO: 2023-06-03 current in-cluster RGW doesn't use subdomain (VirtualHost) based S3 buckets yet, it uses path-based diff --git a/kube/3-deploy/2-apps/zipline/app/s3.yaml b/kube/deploy/apps/zipline/app/s3.yaml similarity index 76% rename from kube/3-deploy/2-apps/zipline/app/s3.yaml rename to kube/deploy/apps/zipline/app/s3.yaml index dc38e23b..14992f6c 100644 --- a/kube/3-deploy/2-apps/zipline/app/s3.yaml +++ b/kube/deploy/apps/zipline/app/s3.yaml @@ -6,4 +6,4 @@ metadata: namespace: zipline spec: bucketName: "zipline-data" - storageClassName: "rgw-${CLUSTER_NAME_LOWER}" + storageClassName: "rgw-${CLUSTER_NAME}" diff --git a/kube/3-deploy/2-apps/zipline/app/secret.yaml b/kube/deploy/apps/zipline/app/secret.yaml similarity index 100% rename from kube/3-deploy/2-apps/zipline/app/secret.yaml rename to kube/deploy/apps/zipline/app/secret.yaml diff --git a/kube/deploy/apps/zipline/ks.yaml b/kube/deploy/apps/zipline/ks.yaml new file mode 100644 index 00000000..03d6ba41 --- /dev/null +++ b/kube/deploy/apps/zipline/ks.yaml 
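Review bot: Replacing `${CLUSTER_NAME_LOWER}` with `${CLUSTER_NAME}` in the RGW service hostname, the `s3.home.arpa/store` label and the s3.yaml `storageClassName` only works if `CLUSTER_NAME` is already all lowercase; the old variable name suggests a separate lowercased form existed because the raw name is not. A DNS label with uppercase characters would break the `rook-ceph-rgw-….svc.cluster.local.` endpoint, and a StorageClass name must be a valid DNS subdomain, so worth confirming the value of `CLUSTER_NAME` in the cluster vars before this lands.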
@@ -0,0 +1,17 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: zipline-app + namespace: flux-system +spec: + path: ./kube/deploy/apps/zipline/app + dependsOn: + - name: 1-core-storage-rook-ceph-cluster + - name: 1-core-ingress-nginx-app + - name: 1-core-db-pg-clusters-default + healthChecks: + - name: zipline + namespace: zipline + kind: HelmRelease + apiVersion: helm.toolkit.fluxcd.io/v2beta1 diff --git a/kube/deploy/apps/zipline/kustomization.yaml b/kube/deploy/apps/zipline/kustomization.yaml new file mode 100644 index 00000000..5eeb2657 --- /dev/null +++ b/kube/deploy/apps/zipline/kustomization.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ns.yaml + - ks.yaml diff --git a/kube/3-deploy/2-apps/zipline/ns.yaml b/kube/deploy/apps/zipline/ns.yaml similarity index 100% rename from kube/3-deploy/2-apps/zipline/ns.yaml rename to kube/deploy/apps/zipline/ns.yaml diff --git a/kube/3-deploy/1-core/README.md b/kube/deploy/core/README.md similarity index 100% rename from kube/3-deploy/1-core/README.md rename to kube/deploy/core/README.md diff --git a/kube/3-deploy/1-core/01-networking/cilium/README.md b/kube/deploy/core/_networking/cilium/README.md similarity index 100% rename from kube/3-deploy/1-core/01-networking/cilium/README.md rename to kube/deploy/core/_networking/cilium/README.md diff --git a/kube/3-deploy/1-core/01-networking/cilium/bootstrap-install/README.org b/kube/deploy/core/_networking/cilium/app/bootstrap-install/README.org similarity index 100% rename from kube/3-deploy/1-core/01-networking/cilium/bootstrap-install/README.org rename to kube/deploy/core/_networking/cilium/app/bootstrap-install/README.org 
diff --git a/kube/3-deploy/1-core/01-networking/cilium/bootstrap-install/base-values.yaml b/kube/deploy/core/_networking/cilium/app/bootstrap-install/base-values.yaml similarity index 100% rename from kube/3-deploy/1-core/01-networking/cilium/bootstrap-install/base-values.yaml rename to kube/deploy/core/_networking/cilium/app/bootstrap-install/base-values.yaml diff --git a/kube/3-deploy/1-core/01-networking/cilium/bootstrap-install/install.sh b/kube/deploy/core/_networking/cilium/app/bootstrap-install/install.sh similarity index 77% rename from kube/3-deploy/1-core/01-networking/cilium/bootstrap-install/install.sh rename to kube/deploy/core/_networking/cilium/app/bootstrap-install/install.sh index b7d38b0d..fee36f64 100755 --- a/kube/3-deploy/1-core/01-networking/cilium/bootstrap-install/install.sh +++ b/kube/deploy/core/_networking/cilium/app/bootstrap-install/install.sh @@ -3,4 +3,4 @@ set -euo pipefail GITROOT=$(git rev-parse --show-toplevel) source <(sops -d $1 | yq .data | sed -re 's/^/export /g' | sed -e 's/: /="/g' | sed -re 's/$/"/g') -kustomize build $2 --enable-helm | envsubst | kubectl apply -f - +kustomize build $2 --enable-helm | envsubst diff --git a/kube/3-deploy/1-core/01-networking/cilium/bootstrap-install/kustomization.yaml b/kube/deploy/core/_networking/cilium/app/bootstrap-install/kustomization.yaml similarity index 100% rename from kube/3-deploy/1-core/01-networking/cilium/bootstrap-install/kustomization.yaml rename to kube/deploy/core/_networking/cilium/app/bootstrap-install/kustomization.yaml diff --git a/kube/3-deploy/1-core/01-networking/cilium/install.yaml b/kube/deploy/core/_networking/cilium/app/hr.yaml similarity index 51% rename from kube/3-deploy/1-core/01-networking/cilium/install.yaml rename to kube/deploy/core/_networking/cilium/app/hr.yaml index 42b0718f..5892e8b5 100644 --- a/kube/3-deploy/1-core/01-networking/cilium/install.yaml +++ b/kube/deploy/core/_networking/cilium/app/hr.yaml 
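Review bot: With `| kubectl apply -f -` removed, the pipeline now writes the fully rendered manifests — including the decrypted values sourced from `$1` via `sops -d` and substituted by `envsubst` — to stdout, so the intended usage (pipe into `kubectl apply -f -`, never redirect into the repository) should be stated in the script header and the bootstrap README. `$1` and `$2` are unquoted in `sops -d $1` and `kustomize build $2`; `set -u` does not prevent word splitting, so write `sops -d "$1"` and `kustomize build "$2" --enable-helm | envsubst`. The `source <(... | sed ...)` line builds `export` statements from decrypted secret values by text substitution, so a value containing a double quote or `$(` either breaks the sourcing or is executed as shell; emitting `key=value` pairs from yq and exporting them in a `while IFS= read -r` loop avoids evaluating secret contents. `envsubst` with no variable list also rewrites every `$VAR` the chart renders literally, so consider passing the sops key names as its argument.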
@@ -1,73 +1,4 @@ --- -apiVersion: cilium.io/v2alpha1 -kind: CiliumBGPPeeringPolicy -# MAKE SURE CRDs ARE INSTALLED IN CLUSTER VIA cilium-config ConfigMap OR Cilium HelmRelease/values.yaml (bgpControlPlane.enabled: true), BEFORE THIS IS APPLIED! -# "CiliumBGPPeeringPolicy" Custom Resource will replace the old MetalLB BGP's "bgp-config" ConfigMap -# "CiliumBGPPeeringPolicy" is used with `bgpControlPlane.enabled: true` which uses GoBGP, NOT the old `bgp.enabled: true` which uses MetalLB -metadata: - name: bgp-loadbalancer-ip-main -spec: - nodeSelector: - matchLabels: - kubernetes.io/os: "linux" # match all Linux nodes, change this to match more granularly if more than 1 PeeringPolicy is to be used throughout cluster - virtualRouters: - - localASN: ${ASN_ROUTER} # ASNs are processed in uint32 - exportPodCIDR: false - serviceSelector: # this replaces address-pools, instead of defining the range of IPs that can be assigned to LoadBalancer services, now services have to match below selectors for their LB IPs to be announced - matchExpressions: - - {key: thisFakeSelector, operator: NotIn, values: ['will-match-and-announce-all-services']} - neighbors: - - peerAddress: "${IP_ROUTER_VLAN_K8S}/32" # unlike bgp-config ConfigMap, peerAddress needs to be in CIDR notation - peerASN: ${ASN_ROUTER} - - localASN: ${ASN_EC2_INGRESS} - exportPodCIDR: false - serviceSelector: - matchExpressions: - - {key: thisFakeSelector, operator: NotIn, values: ['will-match-and-announce-all-services']} - neighbors: - - peerAddress: "${IP_EC2_NON_K8S}/32" - peerASN: ${ASN_EC2_INGRESS} ---- -apiVersion: "cilium.io/v2alpha1" -kind: CiliumLoadBalancerIPPool -metadata: - name: main-pool -spec: - cidrs: - - cidr: "${IP_LB_CIDR}" ---- -apiVersion: "cilium.io/v2alpha1" -kind: CiliumLoadBalancerIPPool -metadata: - name: dns -spec: - cidrs: - - cidr: "${IP_LB_DNS_CIDR}" - serviceSelector: - matchLabels: - exposeSvc: dns ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: bgp-config # this "bgp-config" 
ConfigMap is used for the old `bgp.enabled: true` which is the old MetalLB BGP, this will be deprecated in future releases - namespace: kube-system -data: - config.yaml: | - peers: - - peer-address: "${IP_ROUTER_VLAN_K8S}" - peer-asn: ${ASN_ROUTER} - my-asn: ${ASN_ROUTER} - - peer-address: "${IP_EC2_NON_K8S}" - peer-asn: ${ASN_EC2_INGRESS} - my-asn: ${ASN_EC2_INGRESS} - address-pools: - - name: main-addr-pool - protocol: bgp - avoid-buggy-ips: true - addresses: - - "${IP_LB_CIDR}" ---- apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease metadata: @@ -105,7 +36,6 @@ spec: name: cilium-base-install-values values: securityContext: # required for Talos - privileged: true capabilities: ciliumAgent: "{CHOWN,KILL,NET_ADMIN,NET_RAW,IPC_LOCK,SYS_ADMIN,SYS_RESOURCE,DAC_OVERRIDE,FOWNER,SETGID,SETUID}" cleanCiliumState: "{NET_ADMIN,SYS_ADMIN,SYS_RESOURCE}" diff --git a/kube/3-deploy/1-core/01-networking/cilium/kustomization.yaml b/kube/deploy/core/_networking/cilium/app/kustomization.yaml similarity index 83% rename from kube/3-deploy/1-core/01-networking/cilium/kustomization.yaml rename to kube/deploy/core/_networking/cilium/app/kustomization.yaml index 7cb139c6..65f2e1cd 100644 --- a/kube/3-deploy/1-core/01-networking/cilium/kustomization.yaml +++ b/kube/deploy/core/_networking/cilium/app/kustomization.yaml @@ -1,12 +1,11 @@ ---- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - install.yaml + - hr.yaml configMapGenerator: - name: cilium-base-install-values namespace: kube-system files: - values.yaml=bootstrap-install/base-values.yaml configurations: - - kustomizeconfig.yaml + - kustomizeconfig.yaml \ No newline at end of file diff --git a/kube/3-deploy/1-core/01-networking/cilium/kustomizeconfig.yaml b/kube/deploy/core/_networking/cilium/app/kustomizeconfig.yaml similarity index 100% rename from kube/3-deploy/1-core/01-networking/cilium/kustomizeconfig.yaml rename to kube/deploy/core/_networking/cilium/app/kustomizeconfig.yaml 
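Review bot: Removing `privileged: true` leaves the `# required for Talos` comment attached to a `securityContext:` block that now only carries the capability lists, so it no longer says what is Talos-specific; reword it to `securityContext: # Talos: run the agent unprivileged with this explicit capability set instead of privileged: true (presumably because SYS_MODULE is unavailable — confirm)`. The reduction is real but modest, since `SYS_ADMIN` stays in `ciliumAgent`, so the agent remains effectively root-capable on the node; a note to that effect next to the list keeps a later reader from mistaking it for a hardened profile. Because the removed line was the only explicit setting, confirm that the chart version pinned in this HelmRelease (outside this hunk) defaults `privileged` to false.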
diff --git a/kube/deploy/core/_networking/cilium/config/BGP.yaml b/kube/deploy/core/_networking/cilium/config/BGP.yaml new file mode 100644 index 00000000..eb618731 --- /dev/null +++ b/kube/deploy/core/_networking/cilium/config/BGP.yaml 
@@ -0,0 +1,50 @@ +--- +apiVersion: cilium.io/v2alpha1 +kind: CiliumBGPPeeringPolicy +# MAKE SURE CRDs ARE INSTALLED IN CLUSTER VIA cilium-config ConfigMap OR Cilium HelmRelease/values.yaml (bgpControlPlane.enabled: true), BEFORE THIS IS APPLIED! +# "CiliumBGPPeeringPolicy" Custom Resource will replace the old MetalLB BGP's "bgp-config" ConfigMap +# "CiliumBGPPeeringPolicy" is used with `bgpControlPlane.enabled: true` which uses GoBGP, NOT the old `bgp.enabled: true` which uses MetalLB +metadata: + name: bgp-loadbalancer-ip-main +spec: + nodeSelector: + matchLabels: + kubernetes.io/os: "linux" # match all Linux nodes, change this to match more granularly if more than 1 PeeringPolicy is to be used throughout cluster + virtualRouters: + - localASN: ${ASN_ROUTER} # ASNs are processed in uint32 + exportPodCIDR: false + serviceSelector: # this replaces address-pools, instead of defining the range of IPs that can be assigned to LoadBalancer services, now services have to match below selectors for their LB IPs to be announced + matchExpressions: + - {key: thisFakeSelector, operator: NotIn, values: ['will-match-and-announce-all-services']} + neighbors: + - peerAddress: "${IP_ROUTER_VLAN_K8S}/32" # unlike bgp-config ConfigMap, peerAddress needs to be in CIDR notation + peerASN: ${ASN_ROUTER} + - localASN: ${ASN_EC2_INGRESS} + exportPodCIDR: false + serviceSelector: + matchExpressions: + - {key: thisFakeSelector, operator: NotIn, values: ['will-match-and-announce-all-services']} + neighbors: + - peerAddress: "${IP_EC2_NON_K8S}/32" + peerASN: ${ASN_EC2_INGRESS} +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: bgp-config # this "bgp-config" ConfigMap is used for the old `bgp.enabled: true` which is the old MetalLB BGP, this will be deprecated in future releases + namespace: kube-system +data: + config.yaml: | + peers: + - peer-address: "${IP_ROUTER_VLAN_K8S}" + peer-asn: ${ASN_ROUTER} + my-asn: ${ASN_ROUTER} + - peer-address: "${IP_EC2_NON_K8S}" + peer-asn: 
${ASN_EC2_INGRESS} + my-asn: ${ASN_EC2_INGRESS} + address-pools: + - name: main-addr-pool + protocol: bgp + avoid-buggy-ips: true + addresses: + - "${IP_LB_CIDR}" diff --git a/kube/deploy/core/_networking/cilium/config/LB-IPs.yaml b/kube/deploy/core/_networking/cilium/config/LB-IPs.yaml new file mode 100644 index 00000000..471bda6a --- /dev/null +++ b/kube/deploy/core/_networking/cilium/config/LB-IPs.yaml @@ -0,0 +1,19 @@ +--- +apiVersion: "cilium.io/v2alpha1" +kind: CiliumLoadBalancerIPPool +metadata: + name: main-pool +spec: + cidrs: + - cidr: "${IP_LB_CIDR}" +--- +apiVersion: "cilium.io/v2alpha1" +kind: CiliumLoadBalancerIPPool +metadata: + name: dns +spec: + cidrs: + - cidr: "${IP_LB_DNS_CIDR}" + serviceSelector: + matchLabels: + exposeSvc: dns \ No newline at end of file diff --git a/kube/deploy/core/_networking/cilium/ks.yaml b/kube/deploy/core/_networking/cilium/ks.yaml new file mode 100644 index 00000000..9e38e0b7 --- /dev/null +++ b/kube/deploy/core/_networking/cilium/ks.yaml 
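Review bot: Both virtual routers use the `thisFakeSelector NotIn` construction — the inline comment itself says it will match and announce all services — so every LoadBalancer IP in the cluster is advertised not only to the home router but also to the `${IP_EC2_NON_K8S}` peer in the second router. Unless the EC2 side is meant to reach every LB service, give that router a positive selector such as `serviceSelector: matchLabels: bgp.home.arpa/announce-ec2: "true"` so only intentionally exposed services become routable from the EC2 ingress. The neighbors also carry no session authentication; if the Cilium version in use supports `authSecretRef` on a neighbor (not visible here), the EC2 peering is the one to protect first, and a comment should record whether the legacy `bgp-config` ConfigMap below is still consumed or kept only for rollback.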
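Review bot: `main-pool` has no `serviceSelector`, so it also matches the services labelled `exposeSvc: dns` that the `dns` pool is meant to serve, and which pool wins (or whether both allocate) is then decided by Cilium's LB IPAM rather than by this manifest. Make the intent explicit by excluding DNS services from the general pool, e.g. `serviceSelector: matchExpressions: - {key: exposeSvc, operator: NotIn, values: ["dns"]}` under `main-pool`, so a DNS service can never be handed an address from `${IP_LB_CIDR}`.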
@@ -0,0 +1,38 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: 1-core-1-networking-cilium-app + namespace: flux-system + labels: + kustomization.flux.home.arpa/name: "cilium" + kustomization.flux.home.arpa/helmpatches: "false" +spec: + path: ./kube/deploy/core/_networking/cilium/app + dependsOn: [] +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: 1-core-1-networking-cilium-config + namespace: flux-system + labels: + kustomization.flux.home.arpa/name: "cilium" + kustomization.flux.home.arpa/helmpatches: "false" +spec: + path: ./kube/deploy/core/_networking/cilium/config + dependsOn: + - name: 1-core-1-networking-cilium-app +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: 1-core-1-networking-cilium-netpols + namespace: flux-system + labels: + kustomization.flux.home.arpa/name: "cilium" + kustomization.flux.home.arpa/helmpatches: "false" +spec: + path: ./kube/deploy/core/_networking/cilium/netpols + dependsOn: + - name: 1-core-1-networking-cilium-app diff --git a/kube/deploy/core/_networking/cilium/kustomization.yaml b/kube/deploy/core/_networking/cilium/kustomization.yaml new file mode 100644 index 00000000..fc69935c --- /dev/null +++ b/kube/deploy/core/_networking/cilium/kustomization.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - repo.yaml + - ks.yaml \ No newline at end of file diff --git a/kube/3-deploy/1-core/01-networking/cilium/netpols/cluster-default-kube-dns.yaml b/kube/deploy/core/_networking/cilium/netpols/cluster-default-kube-dns.yaml similarity index 100% rename from kube/3-deploy/1-core/01-networking/cilium/netpols/cluster-default-kube-dns.yaml rename to kube/deploy/core/_networking/cilium/netpols/cluster-default-kube-dns.yaml 
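Review bot: `1-core-1-networking-cilium-config` depends only on `1-core-1-networking-cilium-app`, but that Kustomization has no `healthChecks` or `wait`, so its Ready condition is reached once the HelmRelease object is applied, not once Cilium's CRDs exist — and the BGP manifest it gates warns in its own header that the CRDs must be installed first. Unless the repo-wide Fluxtomization patching hinted at by the labels injects `wait: true`, add a health check on the Cilium HelmRelease to the app Kustomization, mirroring what the pg Kustomizations in this commit already do; the release name below is assumed, as the HelmRelease metadata is not in this chunk. The same ordering gap applies to the `netpols` Kustomization, whose `CiliumNetworkPolicy` objects need the CRDs too.
```yaml
  path: ./kube/deploy/core/_networking/cilium/app
  dependsOn: []
  healthChecks:
    - name: cilium
      namespace: kube-system
      kind: HelmRelease
      apiVersion: helm.toolkit.fluxcd.io/v2beta1
```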
diff --git a/kube/3-deploy/1-core/01-networking/cilium/netpols/flux.yaml b/kube/deploy/core/_networking/cilium/netpols/flux.yaml similarity index 100% rename from kube/3-deploy/1-core/01-networking/cilium/netpols/flux.yaml rename to kube/deploy/core/_networking/cilium/netpols/flux.yaml diff --git a/kube/3-deploy/1-core/01-networking/cilium/netpols/kube-system-allow-all.yaml b/kube/deploy/core/_networking/cilium/netpols/kube-system-allow-all.yaml similarity index 100% rename from kube/3-deploy/1-core/01-networking/cilium/netpols/kube-system-allow-all.yaml rename to kube/deploy/core/_networking/cilium/netpols/kube-system-allow-all.yaml diff --git a/kube/3-deploy/1-core/01-networking/cilium/netpols/labelled-allow-egress.yaml b/kube/deploy/core/_networking/cilium/netpols/labelled-allow-egress.yaml similarity index 100% rename from kube/3-deploy/1-core/01-networking/cilium/netpols/labelled-allow-egress.yaml rename to kube/deploy/core/_networking/cilium/netpols/labelled-allow-egress.yaml diff --git a/kube/deploy/core/_networking/cilium/repo.yaml b/kube/deploy/core/_networking/cilium/repo.yaml new file mode 100644 index 00000000..6e31b26e --- /dev/null +++ b/kube/deploy/core/_networking/cilium/repo.yaml @@ -0,0 +1,10 @@ +--- +apiVersion: source.toolkit.fluxcd.io/v1beta1 +kind: HelmRepository +metadata: + name: cilium-charts + namespace: flux-system +spec: + interval: 10m0s + timeout: 3m0s + url: https://helm.cilium.io/ diff --git a/kube/3-deploy/1-core/db/pg/app/hr.yaml b/kube/deploy/core/db/pg/app/hr.yaml similarity index 100% rename from kube/3-deploy/1-core/db/pg/app/hr.yaml rename to kube/deploy/core/db/pg/app/hr.yaml diff --git a/kube/3-deploy/1-core/db/pg/app/netpol.yaml b/kube/deploy/core/db/pg/app/netpol.yaml similarity index 100% rename from kube/3-deploy/1-core/db/pg/app/netpol.yaml rename to kube/deploy/core/db/pg/app/netpol.yaml 
diff --git a/kube/3-deploy/1-core/db/pg/clusters/default/.sops.yaml b/kube/deploy/core/db/pg/clusters/default/.sops.yaml similarity index 100% rename from kube/3-deploy/1-core/db/pg/clusters/default/.sops.yaml rename to kube/deploy/core/db/pg/clusters/default/.sops.yaml diff --git a/kube/3-deploy/1-core/db/pg/clusters/default/cluster.yaml b/kube/deploy/core/db/pg/clusters/default/cluster.yaml similarity index 91% rename from kube/3-deploy/1-core/db/pg/clusters/default/cluster.yaml rename to kube/deploy/core/db/pg/clusters/default/cluster.yaml index b8cda78c..437a0700 100644 --- a/kube/3-deploy/1-core/db/pg/clusters/default/cluster.yaml +++ b/kube/deploy/core/db/pg/clusters/default/cluster.yaml @@ -27,7 +27,7 @@ spec: compression: bzip2 maxParallel: 8 destinationPath: s3://pg-default/ - endpointURL: http://rook-ceph-rgw-${CLUSTER_NAME_LOWER}.rook-ceph.svc:6953 + endpointURL: http://rook-ceph-rgw-${CLUSTER_NAME}.rook-ceph.svc:6953 serverName: pg-default-v1 s3Credentials: accessKeyId: @@ -49,7 +49,7 @@ spec: # compression: bzip2 # maxParallel: 8 # destinationPath: s3://pg-default-v1/ -# endpointURL: http://rook-ceph-rgw-${CLUSTER_NAME_LOWER}.rook-ceph.svc:6953 +# endpointURL: http://rook-ceph-rgw-${CLUSTER_NAME}.rook-ceph.svc:6953 # serverName: pg-default-v1 # s3Credentials: # accessKeyId: diff --git a/kube/3-deploy/1-core/db/pg/clusters/default/dump-local.yaml b/kube/deploy/core/db/pg/clusters/default/dump-local.yaml similarity index 100% rename from kube/3-deploy/1-core/db/pg/clusters/default/dump-local.yaml rename to kube/deploy/core/db/pg/clusters/default/dump-local.yaml diff --git a/kube/3-deploy/1-core/db/pg/clusters/default/kustomization.yaml b/kube/deploy/core/db/pg/clusters/default/kustomization.yaml similarity index 100% rename from kube/3-deploy/1-core/db/pg/clusters/default/kustomization.yaml rename to kube/deploy/core/db/pg/clusters/default/kustomization.yaml 
diff --git a/kube/3-deploy/1-core/db/pg/clusters/default/netpol.yaml b/kube/deploy/core/db/pg/clusters/default/netpol.yaml similarity index 97% rename from kube/3-deploy/1-core/db/pg/clusters/default/netpol.yaml rename to kube/deploy/core/db/pg/clusters/default/netpol.yaml index ee11e359..112ca486 100644 --- a/kube/3-deploy/1-core/db/pg/clusters/default/netpol.yaml +++ b/kube/deploy/core/db/pg/clusters/default/netpol.yaml @@ -83,7 +83,7 @@ spec: - k8sServiceSelector: selector: matchLabels: - rook_object_store: "${CLUSTER_NAME_LOWER}" + rook_object_store: "${CLUSTER_NAME}" namespace: rook-ceph toPorts: - ports: @@ -97,7 +97,7 @@ spec: protocol: UDP - toEndpoints: - matchLabels: - rook_object_store: "${CLUSTER_NAME_LOWER}" + rook_object_store: "${CLUSTER_NAME}" io.kubernetes.pod.namespace: rook-ceph toPorts: - ports: diff --git a/kube/3-deploy/1-core/db/pg/clusters/default/s3.yaml b/kube/deploy/core/db/pg/clusters/default/s3.yaml similarity index 75% rename from kube/3-deploy/1-core/db/pg/clusters/default/s3.yaml rename to kube/deploy/core/db/pg/clusters/default/s3.yaml index 3652251a..99529550 100644 --- a/kube/3-deploy/1-core/db/pg/clusters/default/s3.yaml +++ b/kube/deploy/core/db/pg/clusters/default/s3.yaml @@ -6,4 +6,4 @@ metadata: namespace: pg spec: bucketName: "pg-default" - storageClassName: "rgw-${CLUSTER_NAME_LOWER}" + storageClassName: "rgw-${CLUSTER_NAME}" diff --git a/kube/3-deploy/1-core/db/pg/clusters/default/scheduledbackup.yaml b/kube/deploy/core/db/pg/clusters/default/scheduledbackup.yaml similarity index 100% rename from kube/3-deploy/1-core/db/pg/clusters/default/scheduledbackup.yaml rename to kube/deploy/core/db/pg/clusters/default/scheduledbackup.yaml 
diff --git a/kube/3-deploy/1-core/db/pg/clusters/default/superuser.sops.yaml b/kube/deploy/core/db/pg/clusters/default/superuser.sops.yaml similarity index 100% rename from kube/3-deploy/1-core/db/pg/clusters/default/superuser.sops.yaml rename to kube/deploy/core/db/pg/clusters/default/superuser.sops.yaml diff --git a/kube/3-deploy/1-core/db/pg/clusters/template/.sops.yaml b/kube/deploy/core/db/pg/clusters/template/.sops.yaml similarity index 100% rename from kube/3-deploy/1-core/db/pg/clusters/template/.sops.yaml rename to kube/deploy/core/db/pg/clusters/template/.sops.yaml diff --git a/kube/3-deploy/1-core/db/pg/clusters/template/cluster.yaml b/kube/deploy/core/db/pg/clusters/template/cluster.yaml similarity index 93% rename from kube/3-deploy/1-core/db/pg/clusters/template/cluster.yaml rename to kube/deploy/core/db/pg/clusters/template/cluster.yaml index 65d2c024..509b5198 100644 --- a/kube/3-deploy/1-core/db/pg/clusters/template/cluster.yaml +++ b/kube/deploy/core/db/pg/clusters/template/cluster.yaml @@ -37,7 +37,7 @@ spec: compression: bzip2 maxParallel: 8 destinationPath: "s3://pg-${PG_APP_NAME}/" - endpointURL: "http://rook-ceph-rgw-${CLUSTER_NAME_LOWER}.rook-ceph.svc:6953" + endpointURL: "http://rook-ceph-rgw-${CLUSTER_NAME}.rook-ceph.svc:6953" serverName: "pg-${PG_APP_NAME}-v${PG_DB_REBUILD}" s3Credentials: accessKeyId: @@ -59,7 +59,7 @@ spec: # compression: bzip2 # maxParallel: 8 # destinationPath: s3://pg-default-v1/ -# endpointURL: http://rook-ceph-rgw-${CLUSTER_NAME_LOWER}.rook-ceph.svc:6953 +# endpointURL: http://rook-ceph-rgw-${CLUSTER_NAME}.rook-ceph.svc:6953 # serverName: pg-default-v1 # s3Credentials: # accessKeyId: diff --git a/kube/3-deploy/1-core/db/pg/clusters/template/dump-local.yaml b/kube/deploy/core/db/pg/clusters/template/dump-local.yaml similarity index 100% rename from kube/3-deploy/1-core/db/pg/clusters/template/dump-local.yaml rename to kube/deploy/core/db/pg/clusters/template/dump-local.yaml 
diff --git a/kube/3-deploy/1-core/db/pg/clusters/template/kustomization.yaml b/kube/deploy/core/db/pg/clusters/template/kustomization.yaml similarity index 100% rename from kube/3-deploy/1-core/db/pg/clusters/template/kustomization.yaml rename to kube/deploy/core/db/pg/clusters/template/kustomization.yaml diff --git a/kube/3-deploy/1-core/db/pg/clusters/template/netpol.yaml b/kube/deploy/core/db/pg/clusters/template/netpol.yaml similarity index 94% rename from kube/3-deploy/1-core/db/pg/clusters/template/netpol.yaml rename to kube/deploy/core/db/pg/clusters/template/netpol.yaml index 2c4f5f1f..aeed7224 100644 --- a/kube/3-deploy/1-core/db/pg/clusters/template/netpol.yaml +++ b/kube/deploy/core/db/pg/clusters/template/netpol.yaml @@ -48,7 +48,7 @@ spec: - k8sServiceSelector: selector: matchLabels: - rook_object_store: "${CLUSTER_NAME_LOWER}" + rook_object_store: "${CLUSTER_NAME}" namespace: rook-ceph toPorts: - ports: @@ -62,7 +62,7 @@ spec: protocol: UDP - toEndpoints: - matchLabels: - rook_object_store: "${CLUSTER_NAME_LOWER}" + rook_object_store: "${CLUSTER_NAME}" io.kubernetes.pod.namespace: rook-ceph toPorts: - ports: diff --git a/kube/3-deploy/1-core/db/pg/clusters/template/s3.yaml b/kube/deploy/core/db/pg/clusters/template/s3.yaml similarity index 78% rename from kube/3-deploy/1-core/db/pg/clusters/template/s3.yaml rename to kube/deploy/core/db/pg/clusters/template/s3.yaml index 2922de09..006a925d 100644 --- a/kube/3-deploy/1-core/db/pg/clusters/template/s3.yaml +++ b/kube/deploy/core/db/pg/clusters/template/s3.yaml @@ -6,4 +6,4 @@ metadata: namespace: "${PG_APP_NS}" spec: bucketName: "pg-${PG_APP_NAME}" - storageClassName: "rgw-${CLUSTER_NAME_LOWER}" + storageClassName: "rgw-${CLUSTER_NAME}" 
diff --git a/kube/3-deploy/1-core/db/pg/clusters/template/scheduledbackup.yaml b/kube/deploy/core/db/pg/clusters/template/scheduledbackup.yaml similarity index 100% rename from kube/3-deploy/1-core/db/pg/clusters/template/scheduledbackup.yaml rename to kube/deploy/core/db/pg/clusters/template/scheduledbackup.yaml diff --git a/kube/deploy/core/db/pg/clusters/template/secret-superuser.yaml b/kube/deploy/core/db/pg/clusters/template/secret-superuser.yaml new file mode 100644 index 00000000..88d12e86 --- /dev/null +++ b/kube/deploy/core/db/pg/clusters/template/secret-superuser.yaml @@ -0,0 +1,11 @@ +--- +apiVersion: v1 +kind: Secret +metadata: + name: "pg-${PG_APP_NAME}-superuser" + namespace: "${PG_APP_NS}" +type: Opaque +stringData: + # username MUST BE 'postgres'! + username: "postgres" + password: "${PG_SUPER_PASS}" diff --git a/kube/3-deploy/1-core/db/pg/ks.yaml b/kube/deploy/core/db/pg/ks.yaml similarity index 72% rename from kube/3-deploy/1-core/db/pg/ks.yaml rename to kube/deploy/core/db/pg/ks.yaml index f718b1ae..a80ae0f3 100644 --- a/kube/3-deploy/1-core/db/pg/ks.yaml +++ b/kube/deploy/core/db/pg/ks.yaml @@ -1,11 +1,11 @@ --- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 +apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: 1-core-db-pg-app namespace: flux-system spec: - path: ./kube/3-deploy/1-core/db/pg/app + path: ./kube/deploy/core/db/pg/app dependsOn: [] healthChecks: - name: cloudnative-pg @@ -13,13 +13,13 @@ spec: kind: HelmRelease apiVersion: helm.toolkit.fluxcd.io/v2beta1 --- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 +apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: 1-core-db-pg-clusters-default namespace: flux-system spec: - path: ./kube/3-deploy/1-core/db/pg/clusters/default + path: ./kube/deploy/core/db/pg/clusters/default dependsOn: - name: 1-core-db-pg-app healthChecks: 
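Review bot: `secret-superuser.yaml` places the Postgres superuser password in a plaintext `Secret` manifest filled from `${PG_SUPER_PASS}` at reconcile time, so the value must live in whatever Secret this Kustomization substitutes from and is then visible to every manifest that Kustomization renders. If `PG_SUPER_PASS` is absent from the substitution source, Flux (depending on its strict-substitution setting) leaves either the literal `${PG_SUPER_PASS}` or an empty string as the password instead of failing, and the cluster comes up with a known or empty superuser credential. The default cluster in this same commit keeps a `superuser.sops.yaml` beside its `.sops.yaml`, and the template directory already has a `.sops.yaml`, so a SOPS-encrypted per-cluster Secret avoids both problems and keeps the password out of the shared substitution scope. At minimum, document the contract, e.g. `# PG_SUPER_PASS must be provided via this Kustomization's postBuild.substituteFrom; an undefined variable does not fail the build`.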
diff --git a/kube/3-deploy/2-apps/authentik/kustomization.yaml b/kube/deploy/core/db/pg/kustomization.yaml similarity index 100% rename from kube/3-deploy/2-apps/authentik/kustomization.yaml rename to kube/deploy/core/db/pg/kustomization.yaml diff --git a/kube/3-deploy/1-core/db/pg/ns.yaml b/kube/deploy/core/db/pg/ns.yaml similarity index 100% rename from kube/3-deploy/1-core/db/pg/ns.yaml rename to kube/deploy/core/db/pg/ns.yaml diff --git a/kube/3-deploy/1-core/db/pg/repo.yaml b/kube/deploy/core/db/pg/repo.yaml similarity index 100% rename from kube/3-deploy/1-core/db/pg/repo.yaml rename to kube/deploy/core/db/pg/repo.yaml diff --git a/kube/3-deploy/1-core/04-dns/external/3-external-dns.yaml b/kube/deploy/core/dns/external-dns/app/hr.yaml similarity index 100% rename from kube/3-deploy/1-core/04-dns/external/3-external-dns.yaml rename to kube/deploy/core/dns/external-dns/app/hr.yaml diff --git a/kube/deploy/core/dns/external-dns/app/netpol.yaml b/kube/deploy/core/dns/external-dns/app/netpol.yaml new file mode 100644 index 00000000..ba579d55 --- /dev/null +++ b/kube/deploy/core/dns/external-dns/app/netpol.yaml @@ -0,0 +1,28 @@ +--- +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + name: &app external-dns + namespace: *app +spec: + endpointSelector: {} + ingress: + - {} + egress: + - toEntities: + - world + - toEntities: + - kube-apiserver + - toEndpoints: + - matchLabels: + io.kubernetes.pod.namespace: kube-system + k8s-app: kube-dns + toPorts: + - ports: + - port: "53" + protocol: UDP + - port: "53" + protocol: TCP + rules: + dns: + - {} diff --git a/kube/3-deploy/1-core/04-dns/external/2-secrets.yaml b/kube/deploy/core/dns/external-dns/app/secrets.yaml similarity index 100% rename from kube/3-deploy/1-core/04-dns/external/2-secrets.yaml rename to kube/deploy/core/dns/external-dns/app/secrets.yaml diff --git a/kube/deploy/core/dns/external-dns/crds.yaml b/kube/deploy/core/dns/external-dns/crds.yaml new file mode 100644 index 00000000..c52f860a 
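Review bot: `ingress: - {}` is an allow-everything ingress rule, so any source can reach the external-dns pods, which accept no application traffic and at most expose a metrics endpoint. Either drop the `ingress` section if nothing scrapes them, or scope it to the scraper, e.g. `ingress: - fromEndpoints: - matchLabels: io.kubernetes.pod.namespace: <monitoring-namespace>` with a `toPorts` entry limited to the metrics port. The `toEntities: world` egress is broader than a DNS-provider API client needs; since the `rules: dns: - {}` L7 rule in this same policy already enables Cilium's DNS proxy, a `toFQDNs: - matchName: <provider-api-host>` rule would confine outbound traffic to the provider configured in `hr.yaml` (which this commit only renames, so the host is not visible here).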
--- /dev/null +++ b/kube/deploy/core/dns/external-dns/crds.yaml @@ -0,0 +1,36 @@ +--- +apiVersion: source.toolkit.fluxcd.io/v1 +kind: GitRepository +metadata: + name: external-dns-git + namespace: flux-system +spec: + interval: 30m + url: https://github.com/kubernetes-sigs/external-dns.git + ref: + tag: v0.13.5 + ignore: | + # exclude all + /* + # include deploy crds dir + !/docs/contributing/crd-source/crd-manifest.yaml +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: 1-core-dns-external-dns-crds + namespace: flux-system + labels: # for my repo's Fluxtomization patching, can be ignored for those passing by + kustomization.flux.home.arpa/name: "kubevirt" + kustomization.flux.home.arpa/default: "false" + kustomization.flux.home.arpa/helmpatches: "false" + substitution.flux.home.arpa/disabled: "true" + prune.flux.home.arpa/disabled: "true" +spec: + interval: 5m + prune: false + wait: true + dependsOn: [] + sourceRef: + kind: GitRepository + name: external-dns-git \ No newline at end of file diff --git a/kube/deploy/core/dns/external-dns/ks.yaml b/kube/deploy/core/dns/external-dns/ks.yaml new file mode 100644 index 00000000..27b950a6 --- /dev/null +++ b/kube/deploy/core/dns/external-dns/ks.yaml @@ -0,0 +1,10 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: 1-core-dns-external-dns-app + namespace: flux-system +spec: + path: ./kube/deploy/core/dns/external-dns/app + dependsOn: + - name: 1-core-dns-external-dns-crds \ No newline at end of file diff --git a/kube/deploy/core/dns/external-dns/kustomization.yaml b/kube/deploy/core/dns/external-dns/kustomization.yaml new file mode 100644 index 00000000..04f7071c --- /dev/null +++ b/kube/deploy/core/dns/external-dns/kustomization.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ns.yaml + - repo.yaml + - crds.yaml + - ks.yaml \ No newline at end of file 
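Review bot: The `kustomization.flux.home.arpa/name: "kubevirt"` label on `1-core-dns-external-dns-crds` looks copy-pasted — everything else in this file is about external-dns, and the inline comment says these labels drive the repo's Fluxtomization patching, so a wrong name can attach kubevirt's patches to this Kustomization or skip external-dns's; change it to `kustomization.flux.home.arpa/name: "external-dns"`. The `GitRepository` pins `ref: tag: v0.13.5`, and a tag can be moved upstream, so for CRDs pulled straight from a third-party repository prefer `ref: commit: <sha of v0.13.5>` (and keep it in step with the chart version the `external-dns` HelmRepository release resolves to, which is not visible in this chunk) so a re-tag cannot silently change what gets applied. `prune: false` is the right call for CRDs and deserves a one-line reason, e.g. `prune: false # never garbage-collect CRDs: removing one deletes every custom resource of that kind`.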
diff --git a/kube/3-deploy/1-core/04-dns/external/1-namespace.yaml b/kube/deploy/core/dns/external-dns/ns.yaml similarity index 100% rename from kube/3-deploy/1-core/04-dns/external/1-namespace.yaml rename to kube/deploy/core/dns/external-dns/ns.yaml diff --git a/kube/deploy/core/dns/external-dns/repo.yaml b/kube/deploy/core/dns/external-dns/repo.yaml new file mode 100644 index 00000000..9ebcdced --- /dev/null +++ b/kube/deploy/core/dns/external-dns/repo.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: source.toolkit.fluxcd.io/v1beta2 +kind: HelmRepository +metadata: + name: external-dns + namespace: flux-system +spec: + interval: 1h + url: https://kubernetes-sigs.github.io/external-dns/ \ No newline at end of file diff --git a/kube/3-deploy/1-core/04-dns/internal/2-k8s-gateway.yaml b/kube/deploy/core/dns/internal/k8s-gateway/app/hr.yaml similarity index 95% rename from kube/3-deploy/1-core/04-dns/internal/2-k8s-gateway.yaml rename to kube/deploy/core/dns/internal/k8s-gateway/app/hr.yaml index fb55f702..6b88c3cc 100644 --- a/kube/3-deploy/1-core/04-dns/internal/2-k8s-gateway.yaml +++ b/kube/deploy/core/dns/internal/k8s-gateway/app/hr.yaml @@ -11,6 +11,8 @@ spec: version: 2.0.1 sourceRef: name: k8s-gateway + kind: HelmRepository + namespace: flux-system values: fullnameOverride: k8s-gateway domain: "${DNS_SHORT} ${DNS_MAIN} ${DNS_VPN} ${DNS_STREAM}" diff --git a/kube/3-deploy/1-core/04-dns/internal/netpol.yaml b/kube/deploy/core/dns/internal/k8s-gateway/app/netpol.yaml similarity index 100% rename from kube/3-deploy/1-core/04-dns/internal/netpol.yaml rename to kube/deploy/core/dns/internal/k8s-gateway/app/netpol.yaml diff --git a/kube/deploy/core/dns/internal/k8s-gateway/ks.yaml b/kube/deploy/core/dns/internal/k8s-gateway/ks.yaml new file mode 100644 index 00000000..67fc52d5 --- /dev/null +++ b/kube/deploy/core/dns/internal/k8s-gateway/ks.yaml 
@@ -0,0 +1,9 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: 1-core-dns-internal-k8s-gateway-app + namespace: flux-system +spec: + path: ./kube/deploy/core/dns/internal/k8s-gateway/app + dependsOn: [] \ No newline at end of file diff --git a/kube/deploy/core/dns/internal/k8s-gateway/kustomization.yaml b/kube/deploy/core/dns/internal/k8s-gateway/kustomization.yaml new file mode 100644 index 00000000..fc69935c --- /dev/null +++ b/kube/deploy/core/dns/internal/k8s-gateway/kustomization.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - repo.yaml + - ks.yaml \ No newline at end of file diff --git a/kube/deploy/core/dns/internal/k8s-gateway/repo.yaml b/kube/deploy/core/dns/internal/k8s-gateway/repo.yaml new file mode 100644 index 00000000..1dabf116 --- /dev/null +++ b/kube/deploy/core/dns/internal/k8s-gateway/repo.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: source.toolkit.fluxcd.io/v1beta2 +kind: HelmRepository +metadata: + name: k8s-gateway + namespace: flux-system +spec: + interval: 1h + url: https://ori-edge.github.io/k8s_gateway/ \ No newline at end of file diff --git a/kube/3-deploy/1-core/03-certs/cert-manager/crds/kustomization.yaml b/kube/deploy/core/dns/internal/kustomization.yaml similarity index 82% rename from kube/3-deploy/1-core/03-certs/cert-manager/crds/kustomization.yaml rename to kube/deploy/core/dns/internal/kustomization.yaml index 6300b0b7..8a167488 100644 --- a/kube/3-deploy/1-core/03-certs/cert-manager/crds/kustomization.yaml +++ b/kube/deploy/core/dns/internal/kustomization.yaml @@ -2,4 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - install.yaml + - ns.yaml diff --git a/kube/3-deploy/1-core/04-dns/internal/1-namespace.yaml b/kube/deploy/core/dns/internal/ns.yaml similarity index 100% rename from kube/3-deploy/1-core/04-dns/internal/1-namespace.yaml rename to kube/deploy/core/dns/internal/ns.yaml 
diff --git a/kube/deploy/core/hardware/README.md b/kube/deploy/core/hardware/README.md new file mode 100644 index 00000000..adcccec3 --- /dev/null +++ b/kube/deploy/core/hardware/README.md @@ -0,0 +1 @@ +Intel Device Plugins depends on Node Feature Discovery \ No newline at end of file diff --git a/kube/3-deploy/1-core/08-hardware/02-intel-device-plugins/2-operator.yaml b/kube/deploy/core/hardware/intel-device-plugins/app/_operator.yaml similarity index 100% rename from kube/3-deploy/1-core/08-hardware/02-intel-device-plugins/2-operator.yaml rename to kube/deploy/core/hardware/intel-device-plugins/app/_operator.yaml diff --git a/kube/3-deploy/1-core/08-hardware/02-intel-device-plugins/3-gpu.yaml b/kube/deploy/core/hardware/intel-device-plugins/app/gpu.yaml similarity index 100% rename from kube/3-deploy/1-core/08-hardware/02-intel-device-plugins/3-gpu.yaml rename to kube/deploy/core/hardware/intel-device-plugins/app/gpu.yaml diff --git a/kube/3-deploy/1-core/08-hardware/01-node-feature-discovery/3-intel-gpu-rule.yaml b/kube/deploy/core/hardware/intel-device-plugins/app/talos-intel-gpu-nfd-rule.yaml similarity index 100% rename from kube/3-deploy/1-core/08-hardware/01-node-feature-discovery/3-intel-gpu-rule.yaml rename to kube/deploy/core/hardware/intel-device-plugins/app/talos-intel-gpu-nfd-rule.yaml diff --git a/kube/deploy/core/hardware/intel-device-plugins/ks.yaml b/kube/deploy/core/hardware/intel-device-plugins/ks.yaml new file mode 100644 index 00000000..8bf29b13 --- /dev/null +++ b/kube/deploy/core/hardware/intel-device-plugins/ks.yaml @@ -0,0 +1,10 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: 1-core-hardware-intel-device-plugins-app + namespace: flux-system +spec: + path: ./kube/deploy/core/hardware/intel-device-plugins/app + dependsOn: + - name: 1-core-hardware-node-feature-discovery-app \ No newline at end of file 
diff --git a/kube/deploy/core/hardware/intel-device-plugins/kustomization.yaml b/kube/deploy/core/hardware/intel-device-plugins/kustomization.yaml new file mode 100644 index 00000000..eab801a8 --- /dev/null +++ b/kube/deploy/core/hardware/intel-device-plugins/kustomization.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - repo.yaml + - ks.yaml diff --git a/kube/3-deploy/1-core/08-hardware/02-intel-device-plugins/1-repo.yaml b/kube/deploy/core/hardware/intel-device-plugins/repo.yaml similarity index 100% rename from kube/3-deploy/1-core/08-hardware/02-intel-device-plugins/1-repo.yaml rename to kube/deploy/core/hardware/intel-device-plugins/repo.yaml diff --git a/kube/3-deploy/1-core/08-hardware/01-node-feature-discovery/2-install.yaml b/kube/deploy/core/hardware/node-feature-discovery/app/hr.yaml similarity index 100% rename from kube/3-deploy/1-core/08-hardware/01-node-feature-discovery/2-install.yaml rename to kube/deploy/core/hardware/node-feature-discovery/app/hr.yaml diff --git a/kube/deploy/core/hardware/node-feature-discovery/ks.yaml b/kube/deploy/core/hardware/node-feature-discovery/ks.yaml new file mode 100644 index 00000000..b02a91a8 --- /dev/null +++ b/kube/deploy/core/hardware/node-feature-discovery/ks.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: 1-core-hardware-node-feature-discovery-app + namespace: flux-system +spec: + path: ./kube/deploy/core/hardware/node-feature-discovery/app + dependsOn: [] \ No newline at end of file diff --git a/kube/deploy/core/hardware/node-feature-discovery/kustomization.yaml b/kube/deploy/core/hardware/node-feature-discovery/kustomization.yaml new file mode 100644 index 00000000..60c07d50 --- /dev/null +++ b/kube/deploy/core/hardware/node-feature-discovery/kustomization.yaml 
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ks.yaml
\ No newline at end of file
diff --git a/kube/3-deploy/1-core/08-hardware/01-node-feature-discovery/1-repo.yaml b/kube/deploy/core/hardware/node-feature-discovery/repo.yaml
similarity index 100%
rename from kube/3-deploy/1-core/08-hardware/01-node-feature-discovery/1-repo.yaml
rename to kube/deploy/core/hardware/node-feature-discovery/repo.yaml
diff --git a/kube/3-deploy/1-core/05-ingress/2-certs.yaml b/kube/deploy/core/ingress/_deps/certs.yaml
similarity index 100%
rename from kube/3-deploy/1-core/05-ingress/2-certs.yaml
rename to kube/deploy/core/ingress/_deps/certs.yaml
diff --git a/kube/deploy/core/ingress/cloudflare/ks.yaml b/kube/deploy/core/ingress/cloudflare/ks.yaml
new file mode 100644
index 00000000..c10e655d
--- /dev/null
+++ b/kube/deploy/core/ingress/cloudflare/ks.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: 1-core-ingress-cloudflare-tunnel
+ namespace: flux-system
+spec:
+ path: ./kube/deploy/core/ingress/cloudflare/tunnel
+ dependsOn: []
\ No newline at end of file
diff --git a/kube/deploy/core/ingress/cloudflare/kustomization.yaml b/kube/deploy/core/ingress/cloudflare/kustomization.yaml
new file mode 100644
index 00000000..5eeb2657
--- /dev/null
+++ b/kube/deploy/core/ingress/cloudflare/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ns.yaml
+ - ks.yaml
diff --git a/kube/3-deploy/1-core/05-ingress/cloudflare/deps/namespace.yaml b/kube/deploy/core/ingress/cloudflare/ns.yaml
similarity index 100%
rename from kube/3-deploy/1-core/05-ingress/cloudflare/deps/namespace.yaml
rename to kube/deploy/core/ingress/cloudflare/ns.yaml
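Review bot: The `1-core-ingress-cloudflare-tunnel` Kustomization points at `cloudflare/tunnel`, whose `secret.yaml` moves in this commit without the `*.sops.yaml` suffix that the repo's other secrets carry (for example `rook-ceph/cluster/secret.sops.yaml`) and without a sibling `.sops.yaml` rule file, while this Kustomization declares no `spec.decryption`. If that tunnel credential is sops-encrypted, confirm that a `decryption: {provider: sops, secretRef: ...}` block is injected by the repo's patching layer and that an encryption rule still covers the new path; if it is a plaintext Secret it should be encrypted before it lives on the default branch. A one-line comment above `path:` saying which of the two it is would settle the question for the next reader.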
diff --git a/kube/3-deploy/1-core/05-ingress/cloudflare/tunnel/hr.yaml b/kube/deploy/core/ingress/cloudflare/tunnel/hr.yaml
similarity index 100%
rename from kube/3-deploy/1-core/05-ingress/cloudflare/tunnel/hr.yaml
rename to kube/deploy/core/ingress/cloudflare/tunnel/hr.yaml
diff --git a/kube/3-deploy/1-core/05-ingress/cloudflare/tunnel/netpol.yaml b/kube/deploy/core/ingress/cloudflare/tunnel/netpol.yaml
similarity index 100%
rename from kube/3-deploy/1-core/05-ingress/cloudflare/tunnel/netpol.yaml
rename to kube/deploy/core/ingress/cloudflare/tunnel/netpol.yaml
diff --git a/kube/3-deploy/1-core/05-ingress/cloudflare/tunnel/secret.yaml b/kube/deploy/core/ingress/cloudflare/tunnel/secret.yaml
similarity index 100%
rename from kube/3-deploy/1-core/05-ingress/cloudflare/tunnel/secret.yaml
rename to kube/deploy/core/ingress/cloudflare/tunnel/secret.yaml
diff --git a/kube/3-deploy/1-core/05-ingress/external-proxy-x/README.md b/kube/deploy/core/ingress/external-proxy-x/README.md
similarity index 100%
rename from kube/3-deploy/1-core/05-ingress/external-proxy-x/README.md
rename to kube/deploy/core/ingress/external-proxy-x/README.md
diff --git a/kube/3-deploy/1-core/05-ingress/external-proxy-x/app/hr.yaml b/kube/deploy/core/ingress/external-proxy-x/app/hr.yaml
similarity index 98%
rename from kube/3-deploy/1-core/05-ingress/external-proxy-x/app/hr.yaml
rename to kube/deploy/core/ingress/external-proxy-x/app/hr.yaml
index 742d42ae..d679fa1d 100644
--- a/kube/3-deploy/1-core/05-ingress/external-proxy-x/app/hr.yaml
+++ b/kube/deploy/core/ingress/external-proxy-x/app/hr.yaml
@@ -11,6 +11,8 @@ spec:
 version: 1.18.0
 sourceRef:
 name: haproxytech
+ kind: HelmRepository
+ namespace: flux-system
 values:
 image:
 repository: haproxytech/haproxy-debian
diff --git a/kube/deploy/core/ingress/external-proxy-x/ks.yaml b/kube/deploy/core/ingress/external-proxy-x/ks.yaml
new file mode 100644
index 00000000..3f1250a4
--- /dev/null
+++ b/kube/deploy/core/ingress/external-proxy-x/ks.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: 1-core-ingress-external-proxy-x-app
+ namespace: flux-system
+spec:
+ path: ./kube/deploy/core/ingress/external-proxy-x/app
+ dependsOn: []
diff --git a/kube/deploy/core/ingress/external-proxy-x/kustomization.yaml b/kube/deploy/core/ingress/external-proxy-x/kustomization.yaml
new file mode 100644
index 00000000..eab801a8
--- /dev/null
+++ b/kube/deploy/core/ingress/external-proxy-x/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - repo.yaml
+ - ks.yaml
diff --git a/kube/deploy/core/ingress/external-proxy-x/repo.yaml b/kube/deploy/core/ingress/external-proxy-x/repo.yaml
new file mode 100644
index 00000000..d2b4005d
--- /dev/null
+++ b/kube/deploy/core/ingress/external-proxy-x/repo.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+ name: haproxytech
+ namespace: flux-system
+spec:
+ interval: 1h
+ url: https://haproxytech.github.io/helm-charts
\ No newline at end of file
diff --git a/kube/deploy/core/ingress/ingress-nginx/app/default-backend-ingress.yaml b/kube/deploy/core/ingress/ingress-nginx/app/default-backend-ingress.yaml
new file mode 100644
index 00000000..37864dc4
--- /dev/null
+++ b/kube/deploy/core/ingress/ingress-nginx/app/default-backend-ingress.yaml
@@ -0,0 +1,50 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: "default-error-page-${DNS_SHORT//./-}"
+ namespace: default
+ annotations:
+ external-dns.alpha.kubernetes.io/target: "${DNS_SHORT_CF}"
+ external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
+spec:
+ ingressClassName: nginx
+ rules:
+ - host: &host "error.${DNS_SHORT}"
+ http:
+ paths:
+ - pathType: Prefix
+ path: /
+ backend:
+ service:
+ name: default-backend
+ port:
+ number: 80
+ tls:
+ - hosts:
+ - *host
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: "default-error-page-${DNS_MAIN//./-}"
+ namespace: default
+ annotations:
+ external-dns.alpha.kubernetes.io/target: "${DNS_MAIN_CF}"
+ external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
+spec:
+ ingressClassName: nginx
+ rules:
+ - host: &host "error.${DNS_MAIN}"
+ http:
+ paths:
+ - pathType: Prefix
+ path: /
+ backend:
+ service:
+ name: default-backend
+ port:
+ number: 80
+ tls:
+ - hosts:
+ - *host
diff --git a/kube/3-deploy/1-core/05-ingress/nginx/default-backend.yaml b/kube/deploy/core/ingress/ingress-nginx/app/default-backend.yaml
similarity index 100%
rename from kube/3-deploy/1-core/05-ingress/nginx/default-backend.yaml
rename to kube/deploy/core/ingress/ingress-nginx/app/default-backend.yaml
diff --git a/kube/3-deploy/1-core/05-ingress/nginx/install.yaml b/kube/deploy/core/ingress/ingress-nginx/app/hr.yaml
similarity index 100%
rename from kube/3-deploy/1-core/05-ingress/nginx/install.yaml
rename to kube/deploy/core/ingress/ingress-nginx/app/hr.yaml
diff --git a/kube/3-deploy/1-core/05-ingress/nginx/netpol.yaml b/kube/deploy/core/ingress/ingress-nginx/app/netpol.yaml
similarity index 98%
rename from kube/3-deploy/1-core/05-ingress/nginx/netpol.yaml
rename to kube/deploy/core/ingress/ingress-nginx/app/netpol.yaml
index c114c699..9a7c1438 100644
--- a/kube/3-deploy/1-core/05-ingress/nginx/netpol.yaml
+++ b/kube/deploy/core/ingress/ingress-nginx/app/netpol.yaml
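Review bot: Both Ingress documents in `default-backend-ingress.yaml` declare `tls.hosts` without a `secretName`, so they are served with whatever ingress-nginx has configured as its default certificate (`--default-ssl-certificate`); if that is unset, a Cloudflare-proxied public hostname ends up presenting the controller's self-signed fake certificate. Either add a `secretName` (with the cert-manager annotation the other ingresses use, if any) or record the intent with a comment such as `# no secretName on purpose: served by the controller's default certificate`. Both objects also live in `default` rather than the `ingress` namespace this commit creates, which only works if the `default-backend` Service is in `default` too, since an Ingress backend must be in its own namespace.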
@@ -115,7 +115,7 @@ spec:
 - k8sServiceSelector:
 selector:
 matchLabels:
- rook_object_store: "${CLUSTER_NAME_LOWER}"
+ rook_object_store: "${CLUSTER_NAME}"
 namespace: rook-ceph
 toPorts:
 - ports:
@@ -129,7 +129,7 @@ spec:
 protocol: UDP
 - toEndpoints:
 - matchLabels:
- rook_object_store: "${CLUSTER_NAME_LOWER}"
+ rook_object_store: "${CLUSTER_NAME}"
 io.kubernetes.pod.namespace: rook-ceph
 toPorts:
 - ports:
diff --git a/kube/deploy/core/ingress/ingress-nginx/ks.yaml b/kube/deploy/core/ingress/ingress-nginx/ks.yaml
new file mode 100644
index 00000000..5f59df7a
--- /dev/null
+++ b/kube/deploy/core/ingress/ingress-nginx/ks.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: 1-core-ingress-nginx-app
+ namespace: flux-system
+ labels:
+ prune.flux.home.arpa/disabled: "true"
+spec:
+ path: ./kube/deploy/core/ingress/ingress-nginx/app
+ dependsOn:
+ - name: 1-core-ingress-deps
\ No newline at end of file
diff --git a/kube/deploy/core/ingress/ingress-nginx/kustomization.yaml b/kube/deploy/core/ingress/ingress-nginx/kustomization.yaml
new file mode 100644
index 00000000..fc69935c
--- /dev/null
+++ b/kube/deploy/core/ingress/ingress-nginx/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - repo.yaml
+ - ks.yaml
\ No newline at end of file
diff --git a/kube/deploy/core/ingress/ingress-nginx/repo.yaml b/kube/deploy/core/ingress/ingress-nginx/repo.yaml
new file mode 100644
index 00000000..486af248
--- /dev/null
+++ b/kube/deploy/core/ingress/ingress-nginx/repo.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+ name: ingress-nginx
+ namespace: flux-system
+spec:
+ interval: 1h
+ url: https://kubernetes.github.io/ingress-nginx
\ No newline at end of file
diff --git a/kube/deploy/core/ingress/ks.yaml b/kube/deploy/core/ingress/ks.yaml
new file mode 100644
index 00000000..74c34c94
--- /dev/null
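Review bot: Replacing `${CLUSTER_NAME_LOWER}` with `${CLUSTER_NAME}` is harmless for this `rook_object_store` label value (label values may contain uppercase), but the same substitution in this commit also lands in fields that must be a lowercase RFC 1123 name: the CephObjectRealm/ZoneGroup/Zone/Store names in `rook-ceph/cluster/object.yaml`, the VMAgent/VMCluster names and the `vminsert-${CLUSTER_NAME}` URL in `victoria/agent/vmagent.yaml`, the `ceph-rgw-${CLUSTER_NAME}` CiliumClusterwideNetworkPolicy in `rook-ceph/app/netpol.yaml`, the `rgw-${CLUSTER_NAME}` StorageClass and Ingress, and the `0-${CLUSTER_NAME}-config` dependsOn in `rook-ceph/ks.yaml`. The fact that a separate `_LOWER` variant existed suggests the raw value was not lowercase at some point; if it still contains uppercase characters the API server rejects those objects, and the label here would then never match the pods Rook actually creates. Worth a comment where `CLUSTER_NAME` is defined stating that it must be lowercase, or keeping the `_LOWER` variant for name and DNS fields.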
+++ b/kube/deploy/core/ingress/ks.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: 1-core-ingress-deps
+ namespace: flux-system
+spec:
+ path: ./kube/deploy/core/ingress/_deps
+ dependsOn:
+ - name: 1-core-tls-cert-manager-config
\ No newline at end of file
diff --git a/kube/deploy/core/ingress/kustomization.yaml b/kube/deploy/core/ingress/kustomization.yaml
new file mode 100644
index 00000000..b439d858
--- /dev/null
+++ b/kube/deploy/core/ingress/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ns.yaml
+ - ks.yaml
\ No newline at end of file
diff --git a/kube/3-deploy/2-apps/kubevirt/1-namespace.yaml b/kube/deploy/core/ingress/ns.yaml
similarity index 72%
rename from kube/3-deploy/2-apps/kubevirt/1-namespace.yaml
rename to kube/deploy/core/ingress/ns.yaml
index f51a87dc..eb7dfc14 100644
--- a/kube/3-deploy/2-apps/kubevirt/1-namespace.yaml
+++ b/kube/deploy/core/ingress/ns.yaml
@@ -2,4 +2,4 @@
 apiVersion: v1
 kind: Namespace
 metadata:
- name: kubevirt
+ name: ingress
diff --git a/kube/3-deploy/1-core/06-monitoring/1-deps/app/2-crds-prometheus.yaml b/kube/deploy/core/monitoring/_deps/_crds-prometheus.yaml
similarity index 88%
rename from kube/3-deploy/1-core/06-monitoring/1-deps/app/2-crds-prometheus.yaml
rename to kube/deploy/core/monitoring/_deps/_crds-prometheus.yaml
index 3d5e08ee..35483f15 100644
--- a/kube/3-deploy/1-core/06-monitoring/1-deps/app/2-crds-prometheus.yaml
+++ b/kube/deploy/core/monitoring/_deps/_crds-prometheus.yaml
@@ -1,5 +1,5 @@
 ---
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: GitRepository
 metadata:
 name: crds-prometheus
@@ -16,10 +16,10 @@ spec:
 # include crd directory
 !/charts/kube-prometheus-stack/crds
 ---
-apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
- name: crds-prometheus
+ name: 1-core-monitoring-prom-crds
 namespace: flux-system
 labels: # for my repo's Fluxtomization patching, can be ignored for those passing by
 kustomization.flux.home.arpa/name: "kubevirt"
diff --git a/kube/3-deploy/1-core/06-monitoring/1-deps/app/kube-prometheus.yaml b/kube/deploy/core/monitoring/_deps/kube-prometheus.yaml
similarity index 87%
rename from kube/3-deploy/1-core/06-monitoring/1-deps/app/kube-prometheus.yaml
rename to kube/deploy/core/monitoring/_deps/kube-prometheus.yaml
index e207ab25..09294eab 100644
--- a/kube/3-deploy/1-core/06-monitoring/1-deps/app/kube-prometheus.yaml
+++ b/kube/deploy/core/monitoring/_deps/kube-prometheus.yaml
@@ -1,5 +1,5 @@
 ---
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: GitRepository
 metadata:
 name: kube-prometheus
@@ -17,10 +17,10 @@ spec:
 # include KPS default Grafana dashboards
 !/manifests/grafana-dashboardDefinitions.yaml
 ---
-apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
- name: kube-prometheus
+ name: 1-core-monitoring-prom-rules-dashboards
 namespace: flux-system
 labels: # for my repo's Fluxtomization patching, can be ignored for those passing by
 kustomization.flux.home.arpa/name: "flux"
diff --git a/kube/deploy/core/monitoring/_deps/prometheus-community-charts.yaml b/kube/deploy/core/monitoring/_deps/prometheus-community-charts.yaml
new file mode 100644
index 00000000..a9b4d47e
--- /dev/null
+++ b/kube/deploy/core/monitoring/_deps/prometheus-community-charts.yaml
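Review bot: The renamed `1-core-monitoring-prom-crds` Kustomization keeps `kustomization.flux.home.arpa/name: "kubevirt"` on its trailing context line, and the new `monitoring/victoria/crds.yaml` in this commit uses the same value, whereas the kube-prometheus and external-snapshotter CRD Kustomizations right next to it use `"flux"`. If that label selects which patch profile the repo's Fluxtomization layer applies, two CRD-only installs are being patched as if they belonged to kubevirt; if it is deliberate, a short comment explaining why `"kubevirt"` is the right profile for CRD Kustomizations would spare the next reader the guess. The Kustomization spec continues past the end of the hunk.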
@@ -0,0 +1,10 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+ name: prometheus-community
+ namespace: flux-system
+spec:
+ interval: 10m0s
+ timeout: 3m0s
+ url: https://prometheus-community.github.io/helm-charts
\ No newline at end of file
diff --git a/kube/deploy/core/monitoring/ks.yaml b/kube/deploy/core/monitoring/ks.yaml
new file mode 100644
index 00000000..10f0003a
--- /dev/null
+++ b/kube/deploy/core/monitoring/ks.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: 1-core-monitoring-deps
+ namespace: flux-system
+spec:
+ path: ./kube/deploy/core/monitoring/_deps
+ dependsOn: []
diff --git a/kube/3-deploy/1-core/06-monitoring/kube-state-metrics/install.yaml b/kube/deploy/core/monitoring/kube-state-metrics/app/hr.yaml
similarity index 100%
rename from kube/3-deploy/1-core/06-monitoring/kube-state-metrics/install.yaml
rename to kube/deploy/core/monitoring/kube-state-metrics/app/hr.yaml
diff --git a/kube/deploy/core/monitoring/kube-state-metrics/ks.yaml b/kube/deploy/core/monitoring/kube-state-metrics/ks.yaml
new file mode 100644
index 00000000..bd945807
--- /dev/null
+++ b/kube/deploy/core/monitoring/kube-state-metrics/ks.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: 1-core-monitoring-kube-state-metrics-app
+ namespace: flux-system
+spec:
+ path: ./kube/deploy/core/monitoring/kube-state-metrics/app
+ dependsOn:
+ - name: 1-core-monitoring-deps
\ No newline at end of file
diff --git a/kube/deploy/core/monitoring/kube-state-metrics/kustomization.yaml b/kube/deploy/core/monitoring/kube-state-metrics/kustomization.yaml
new file mode 100644
index 00000000..60c07d50
--- /dev/null
+++ b/kube/deploy/core/monitoring/kube-state-metrics/kustomization.yaml
@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ks.yaml
\ No newline at end of file
diff --git a/kube/deploy/core/monitoring/kustomization.yaml b/kube/deploy/core/monitoring/kustomization.yaml
new file mode 100644
index 00000000..5eeb2657
--- /dev/null
+++ b/kube/deploy/core/monitoring/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ns.yaml
+ - ks.yaml
diff --git a/kube/3-deploy/1-core/06-monitoring/metrics-server/2-install.yaml b/kube/deploy/core/monitoring/metrics-server/app/hr.yaml
similarity index 90%
rename from kube/3-deploy/1-core/06-monitoring/metrics-server/2-install.yaml
rename to kube/deploy/core/monitoring/metrics-server/app/hr.yaml
index 16f2d5d1..d3d7755f 100644
--- a/kube/3-deploy/1-core/06-monitoring/metrics-server/2-install.yaml
+++ b/kube/deploy/core/monitoring/metrics-server/app/hr.yaml
@@ -11,6 +11,8 @@ spec:
 version: 3.8.3
 sourceRef:
 name: metrics-server
+ kind: HelmRepository
+ namespace: flux-system
 values:
 args:
 - --kubelet-insecure-tls
diff --git a/kube/deploy/core/monitoring/metrics-server/ks.yaml b/kube/deploy/core/monitoring/metrics-server/ks.yaml
new file mode 100644
index 00000000..ed5f9a45
--- /dev/null
+++ b/kube/deploy/core/monitoring/metrics-server/ks.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: 1-core-monitoring-metrics-server-app
+ namespace: flux-system
+spec:
+ path: ./kube/deploy/core/monitoring/metrics-server/app
+ dependsOn: []
\ No newline at end of file
diff --git a/kube/deploy/core/monitoring/metrics-server/kustomization.yaml b/kube/deploy/core/monitoring/metrics-server/kustomization.yaml
new file mode 100644
index 00000000..eab801a8
--- /dev/null
+++ b/kube/deploy/core/monitoring/metrics-server/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - repo.yaml
+ - ks.yaml
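Review bot: The metrics-server HelmRelease hunk keeps `- --kubelet-insecure-tls` as its trailing context line, which disables verification of the kubelet serving certificate, so metrics-server will scrape any endpoint that answers on the kubelet port regardless of who signed its certificate. On a Talos cluster (this commit ships a `talos-intel-gpu-nfd-rule.yaml`) kubelet serving certificates can be issued by the cluster CA once a serving-cert approver is running, after which the flag can be dropped; if it has to stay for now, a comment such as `# TODO: remove once kubelet serving certs are signed by the cluster CA` would record that it is a known gap rather than an oversight. The HelmRelease values continue outside the hunk.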
diff --git a/kube/3-deploy/1-core/06-monitoring/metrics-server/1-repo.yaml b/kube/deploy/core/monitoring/metrics-server/repo.yaml
similarity index 100%
rename from kube/3-deploy/1-core/06-monitoring/metrics-server/1-repo.yaml
rename to kube/deploy/core/monitoring/metrics-server/repo.yaml
diff --git a/kube/3-deploy/1-core/06-monitoring/node-exporter/app/install.yaml b/kube/deploy/core/monitoring/node-exporter/app/install.yaml
similarity index 100%
rename from kube/3-deploy/1-core/06-monitoring/node-exporter/app/install.yaml
rename to kube/deploy/core/monitoring/node-exporter/app/install.yaml
diff --git a/kube/deploy/core/monitoring/node-exporter/ks.yaml b/kube/deploy/core/monitoring/node-exporter/ks.yaml
new file mode 100644
index 00000000..683aa916
--- /dev/null
+++ b/kube/deploy/core/monitoring/node-exporter/ks.yaml
@@ -0,0 +1,11 @@
+
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: 1-core-monitoring-node-exporter-app
+ namespace: flux-system
+spec:
+ path: ./kube/deploy/core/monitoring/node-exporter/app
+ dependsOn:
+ - name: 1-core-monitoring-deps
diff --git a/kube/3-deploy/2-apps/flux-system/kustomization.yaml b/kube/deploy/core/monitoring/node-exporter/kustomization.yaml
similarity index 100%
rename from kube/3-deploy/2-apps/flux-system/kustomization.yaml
rename to kube/deploy/core/monitoring/node-exporter/kustomization.yaml
diff --git a/kube/3-deploy/1-core/06-monitoring/node-exporter/deps/namespace.yaml b/kube/deploy/core/monitoring/node-exporter/ns.yaml
similarity index 100%
rename from kube/3-deploy/1-core/06-monitoring/node-exporter/deps/namespace.yaml
rename to kube/deploy/core/monitoring/node-exporter/ns.yaml
diff --git a/kube/3-deploy/1-core/06-monitoring/1-deps/app/1-namespace.yaml b/kube/deploy/core/monitoring/ns.yaml
similarity index 100%
rename from kube/3-deploy/1-core/06-monitoring/1-deps/app/1-namespace.yaml
rename to kube/deploy/core/monitoring/ns.yaml
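Review bot: `node-exporter/ks.yaml` begins with an empty added line before the `---` document marker (first line of the hunk), which no other ks.yaml in this commit has; drop it so the file starts with `---` like its siblings. The app directory also keeps `install.yaml` where the neighbouring apps were renamed to `hr.yaml`, so the naming convention the commit introduces is not applied here. The directory's `kustomization.yaml` is the one moved from `2-apps/flux-system` at 100% similarity, so its resource list is unchanged; confirm it actually references the `ns.yaml` that now sits beside it, otherwise the namespace is never applied.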
diff --git a/kube/deploy/core/monitoring/victoria/README.md b/kube/deploy/core/monitoring/victoria/README.md
new file mode 100644
index 00000000..b609844c
--- /dev/null
+++ b/kube/deploy/core/monitoring/victoria/README.md
@@ -0,0 +1,5 @@
+# Dependency order
+1. CRDs
+2. Operator
+3. Cluster
+4. Agent
\ No newline at end of file
diff --git a/kube/3-deploy/1-core/06-monitoring/victoria/4-agent/vmagent.yaml b/kube/deploy/core/monitoring/victoria/agent/vmagent.yaml
similarity index 83%
rename from kube/3-deploy/1-core/06-monitoring/victoria/4-agent/vmagent.yaml
rename to kube/deploy/core/monitoring/victoria/agent/vmagent.yaml
index a224c6ca..b07517e8 100644
--- a/kube/3-deploy/1-core/06-monitoring/victoria/4-agent/vmagent.yaml
+++ b/kube/deploy/core/monitoring/victoria/agent/vmagent.yaml
@@ -2,11 +2,11 @@
 apiVersion: operator.victoriametrics.com/v1beta1
 kind: VMAgent
 metadata:
- name: ${CLUSTER_NAME_LOWER}
+ name: ${CLUSTER_NAME}
 namespace: monitoring
 spec:
 remoteWrite:
- - url: "http://vminsert-${CLUSTER_NAME_LOWER}:8480/insert/0/prometheus"
+ - url: "http://vminsert-${CLUSTER_NAME}:8480/insert/0/prometheus"
 selectAllByDefault: true
 replicaCount: 1
 serviceScrapeNamespaceSelector: {}
diff --git a/kube/3-deploy/1-core/06-monitoring/victoria/3-cluster/vmcluster.yaml b/kube/deploy/core/monitoring/victoria/cluster/vmcluster.yaml
similarity index 96%
rename from kube/3-deploy/1-core/06-monitoring/victoria/3-cluster/vmcluster.yaml
rename to kube/deploy/core/monitoring/victoria/cluster/vmcluster.yaml
index 73bb1b34..c150d701 100644
--- a/kube/3-deploy/1-core/06-monitoring/victoria/3-cluster/vmcluster.yaml
+++ b/kube/deploy/core/monitoring/victoria/cluster/vmcluster.yaml
@@ -2,7 +2,7 @@
 apiVersion: operator.victoriametrics.com/v1beta1
 kind: VMCluster
 metadata:
- name: ${CLUSTER_NAME_LOWER}
+ name: ${CLUSTER_NAME}
 namespace: monitoring
 spec:
 clusterVersion: "v1.90.0-cluster"
diff --git a/kube/deploy/core/monitoring/victoria/crds.yaml b/kube/deploy/core/monitoring/victoria/crds.yaml
new file mode 100644
index 00000000..f88efe94
--- /dev/null
+++ b/kube/deploy/core/monitoring/victoria/crds.yaml
@@ -0,0 +1,37 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: GitRepository
+metadata:
+ name: crds-victoria
+ namespace: flux-system
+spec:
+ interval: 30m
+ # renovate: datasource=github-releases
+ url: https://github.com/VictoriaMetrics/operator.git
+ ref:
+ tag: v0.30.4
+ ignore: |
+ # exclude all
+ /*
+ # path to crds
+ !/config/crd/
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: 1-core-monitoring-victoria-crds
+ namespace: flux-system
+ labels: # for my repo's Fluxtomization patching, can be ignored for those passing by
+ kustomization.flux.home.arpa/name: "kubevirt"
+ kustomization.flux.home.arpa/default: "false"
+ kustomization.flux.home.arpa/helmpatches: "false"
+ substitution.flux.home.arpa/disabled: "true"
+ prune.flux.home.arpa/disabled: "true"
+spec:
+ interval: 15m
+ prune: false
+ wait: true
+ dependsOn: []
+ sourceRef:
+ kind: GitRepository
+ name: crds-victoria
diff --git a/kube/deploy/core/monitoring/victoria/ks.yaml b/kube/deploy/core/monitoring/victoria/ks.yaml
new file mode 100644
index 00000000..96677079
--- /dev/null
+++ b/kube/deploy/core/monitoring/victoria/ks.yaml
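Review bot: `tag: v0.30.4` pins the CRD set independently of the operator chart version in `operator/install.yaml`, and nothing in `crds.yaml` ties the two together, so the next bump of either one can silently leave the operator running against a CRD schema it did not ship with; a comment next to the tag such as `# keep in step with the victoria-metrics-operator version in operator/install.yaml` would make the coupling visible. The `# renovate: datasource=github-releases` hint carries no `depName=`, so if the repo relies on a Renovate regex manager of the usual `datasource=... depName=...` shape, this pin will not be picked up for updates; confirm against the repo's renovate config.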
@@ -0,0 +1,37 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: 1-core-monitoring-victoria
+ namespace: flux-system
+spec:
+ path: ./kube/deploy/core/monitoring/victoria/operator
+ dependsOn:
+ - name: 1-core-monitoring-deps
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: 1-core-monitoring-victoria-cluster
+ namespace: flux-system
+spec:
+ path: ./kube/deploy/core/monitoring/victoria/cluster
+ dependsOn:
+ - name: 1-core-monitoring-deps
+ - name: 1-core-monitoring-victoria-crds
+ - name: 1-core-monitoring-victoria
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: 1-core-monitoring-victoria-agent
+ namespace: flux-system
+spec:
+ path: ./kube/deploy/core/monitoring/victoria/agent
+ dependsOn:
+ - name: 1-core-monitoring-deps
+ - name: 1-core-monitoring-victoria-crds
+ - name: 1-core-monitoring-victoria
+ - name: 1-core-monitoring-victoria-cluster
+ - name: 1-core-monitoring-kube-state-metrics-app
+ - name: 1-core-monitoring-node-exporter-app
\ No newline at end of file
diff --git a/kube/deploy/core/monitoring/victoria/kustomization.yaml b/kube/deploy/core/monitoring/victoria/kustomization.yaml
new file mode 100644
index 00000000..d92e434d
--- /dev/null
+++ b/kube/deploy/core/monitoring/victoria/kustomization.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - crds.yaml
+ - repo.yaml
+ - ks.yaml
diff --git a/kube/3-deploy/1-core/06-monitoring/victoria/2-operator/install.yaml b/kube/deploy/core/monitoring/victoria/operator/install.yaml
similarity index 100%
rename from kube/3-deploy/1-core/06-monitoring/victoria/2-operator/install.yaml
rename to kube/deploy/core/monitoring/victoria/operator/install.yaml
diff --git a/kube/deploy/core/monitoring/victoria/repo.yaml b/kube/deploy/core/monitoring/victoria/repo.yaml
new file mode 100644
index 00000000..ec6e7bb6
--- /dev/null
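Review bot: `1-core-monitoring-victoria` (the operator, first document of `victoria/ks.yaml`) depends only on `1-core-monitoring-deps`, while the README added in this commit lists CRDs before Operator and the cluster and agent Kustomizations below it do wait on `1-core-monitoring-victoria-crds`. Unless the operator chart in `operator/install.yaml` installs its own CRDs, the operator can start reconciling before its CRDs exist and crash-loop until they appear; add `- name: 1-core-monitoring-victoria-crds` under the first `dependsOn` so the file matches the documented order.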
+++ b/kube/deploy/core/monitoring/victoria/repo.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+ name: victoria
+ namespace: flux-system
+spec:
+ interval: 10m0s
+ timeout: 3m0s
+ url: https://victoriametrics.github.io/helm-charts/
\ No newline at end of file
diff --git a/kube/3-deploy/1-core/02-storage/1-external-snapshotter/1-crds.yaml b/kube/deploy/core/storage/_external-snapshotter/1-crds.yaml
similarity index 86%
rename from kube/3-deploy/1-core/02-storage/1-external-snapshotter/1-crds.yaml
rename to kube/deploy/core/storage/_external-snapshotter/1-crds.yaml
index c560f0f8..5886707d 100644
--- a/kube/3-deploy/1-core/02-storage/1-external-snapshotter/1-crds.yaml
+++ b/kube/deploy/core/storage/_external-snapshotter/1-crds.yaml
@@ -1,5 +1,5 @@
 ---
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: GitRepository
 metadata:
 name: external-snapshotter-crds
@@ -15,10 +15,10 @@ spec:
 # include CR
 !/client/config/crd
 ---
-apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
- name: external-snapshotter-crds
+ name: 1-core-storage-ext-snapshot-crds
 namespace: flux-system
 labels: # for my repo's Fluxtomization patching, can be ignored for those passing by
 kustomization.flux.home.arpa/name: "flux"
diff --git a/kube/3-deploy/1-core/02-storage/1-external-snapshotter/2-controller.yaml b/kube/deploy/core/storage/_external-snapshotter/2-controller.yaml
similarity index 83%
rename from kube/3-deploy/1-core/02-storage/1-external-snapshotter/2-controller.yaml
rename to kube/deploy/core/storage/_external-snapshotter/2-controller.yaml
index 9fad2b52..bc819dfd 100644
--- a/kube/3-deploy/1-core/02-storage/1-external-snapshotter/2-controller.yaml
+++ b/kube/deploy/core/storage/_external-snapshotter/2-controller.yaml
@@ -1,5 +1,5 @@
 ---
-apiVersion: source.toolkit.fluxcd.io/v1beta2
+apiVersion: source.toolkit.fluxcd.io/v1
 kind: GitRepository
 metadata:
 name: external-snapshotter-controller
@@ -15,10 +15,10 @@ spec:
 # include controller
 !/deploy/kubernetes/snapshot-controller
 ---
-apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+apiVersion: kustomize.toolkit.fluxcd.io/v1
 kind: Kustomization
 metadata:
- name: external-snapshotter-controller
+ name: 1-core-storage-ext-snapshot-controller
 namespace: flux-system
 labels: # for my repo's Fluxtomization patching, can be ignored for those passing by
 kustomization.flux.home.arpa/name: "flux"
@@ -34,4 +34,4 @@ spec:
 kind: GitRepository
 name: external-snapshotter-controller
 dependsOn:
- - name: external-snapshotter-crds
+ - name: 1-core-storage-ext-snapshot-crds
diff --git a/kube/3-deploy/1-core/02-storage/1-external-snapshotter/kustomization.yaml b/kube/deploy/core/storage/_external-snapshotter/kustomization.yaml
similarity index 100%
rename from kube/3-deploy/1-core/02-storage/1-external-snapshotter/kustomization.yaml
rename to kube/deploy/core/storage/_external-snapshotter/kustomization.yaml
diff --git a/kube/3-deploy/1-core/02-storage/rook-ceph/app/helm-release.yaml b/kube/deploy/core/storage/rook-ceph/app/hr.yaml
similarity index 100%
rename from kube/3-deploy/1-core/02-storage/rook-ceph/app/helm-release.yaml
rename to kube/deploy/core/storage/rook-ceph/app/hr.yaml
diff --git a/kube/3-deploy/1-core/02-storage/rook-ceph/app/kustomization.yaml b/kube/deploy/core/storage/rook-ceph/app/kustomization.yaml
similarity index 77%
rename from kube/3-deploy/1-core/02-storage/rook-ceph/app/kustomization.yaml
rename to kube/deploy/core/storage/rook-ceph/app/kustomization.yaml
index 35596962..7deda954 100644
--- a/kube/3-deploy/1-core/02-storage/rook-ceph/app/kustomization.yaml
+++ b/kube/deploy/core/storage/rook-ceph/app/kustomization.yaml
@@ -2,8 +2,7 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- - namespace.yaml
- - helm-release.yaml
+ - hr.yaml
 - rbac.yaml
 - netpol.yaml
 # - volumesnapshotclass.yaml
diff --git a/kube/3-deploy/1-core/02-storage/rook-ceph/app/netpol.yaml b/kube/deploy/core/storage/rook-ceph/app/netpol.yaml
similarity index 94%
rename from kube/3-deploy/1-core/02-storage/rook-ceph/app/netpol.yaml
rename to kube/deploy/core/storage/rook-ceph/app/netpol.yaml
index e15dc387..dbd02b06 100644
--- a/kube/3-deploy/1-core/02-storage/rook-ceph/app/netpol.yaml
+++ b/kube/deploy/core/storage/rook-ceph/app/netpol.yaml
@@ -29,11 +29,11 @@ spec:
 apiVersion: cilium.io/v2
 kind: CiliumClusterwideNetworkPolicy
 metadata:
- name: ceph-rgw-${CLUSTER_NAME_LOWER}
+ name: ceph-rgw-${CLUSTER_NAME}
 spec:
 endpointSelector:
 matchLabels:
- s3.home.arpa/store: rgw-${CLUSTER_NAME_LOWER}
+ s3.home.arpa/store: rgw-${CLUSTER_NAME}
 egress:
 - toServices:
 - k8sService:
@@ -59,7 +59,7 @@ spec:
 protocol: UDP
 - toEndpoints:
 - matchLabels:
- rook_object_store: "${CLUSTER_NAME_LOWER}"
+ rook_object_store: "${CLUSTER_NAME}"
 io.kubernetes.pod.namespace: rook-ceph
 toPorts:
 - ports:
@@ -89,7 +89,7 @@ spec:
 endpointSelector:
 matchLabels:
 app.kubernetes.io/name: *app
- rook_object_store: "${CLUSTER_NAME_LOWER}"
+ rook_object_store: "${CLUSTER_NAME}"
 ingress:
 # ingress controller
 - fromEndpoints:
@@ -145,7 +145,7 @@ spec:
 # allow pods with rgw label to connect
 - fromEndpoints:
 - matchLabels:
- s3.home.arpa/store: rgw-${CLUSTER_NAME_LOWER}
+ s3.home.arpa/store: rgw-${CLUSTER_NAME}
 - matchExpressions:
 - key: io.kubernetes.pod.namespace
 operator: Exists
diff --git a/kube/3-deploy/1-core/02-storage/rook-ceph/app/rbac.yaml b/kube/deploy/core/storage/rook-ceph/app/rbac.yaml
similarity index 100%
rename from kube/3-deploy/1-core/02-storage/rook-ceph/app/rbac.yaml
rename to kube/deploy/core/storage/rook-ceph/app/rbac.yaml
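Review bot: Dropping `namespace.yaml` from the rook-ceph app kustomization changes the inventory of the `1-core-storage-rook-ceph-app` Kustomization, and no replacement `ns.yaml` for rook-ceph appears anywhere in this patch. If that Kustomization previously applied the `rook-ceph` Namespace and reconciles with `prune: true`, Flux garbage-collects the Namespace on the next run, and namespace deletion cascades to every Ceph object in it. Before this resource list lands, either give the Namespace the `kustomize.toolkit.fluxcd.io/prune: disabled` label, put the `prune.flux.home.arpa/disabled: "true"` label on the Kustomization the way `ingress-nginx/ks.yaml` in this commit does, or make sure the Namespace is adopted by another Kustomization that reconciles first and say so in a comment here.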
diff --git a/kube/3-deploy/1-core/02-storage/rook-ceph/cluster/.sops.yaml b/kube/deploy/core/storage/rook-ceph/cluster/.sops.yaml
similarity index 100%
rename from kube/3-deploy/1-core/02-storage/rook-ceph/cluster/.sops.yaml
rename to kube/deploy/core/storage/rook-ceph/cluster/.sops.yaml
diff --git a/kube/3-deploy/1-core/02-storage/rook-ceph/cluster/ceph-cluster.sops.yaml b/kube/deploy/core/storage/rook-ceph/cluster/ceph-cluster.sops.yaml
similarity index 100%
rename from kube/3-deploy/1-core/02-storage/rook-ceph/cluster/ceph-cluster.sops.yaml
rename to kube/deploy/core/storage/rook-ceph/cluster/ceph-cluster.sops.yaml
diff --git a/kube/3-deploy/1-core/02-storage/rook-ceph/cluster/ceph-monitor.yaml b/kube/deploy/core/storage/rook-ceph/cluster/ceph-monitor.yaml
similarity index 100%
rename from kube/3-deploy/1-core/02-storage/rook-ceph/cluster/ceph-monitor.yaml
rename to kube/deploy/core/storage/rook-ceph/cluster/ceph-monitor.yaml
diff --git a/kube/3-deploy/1-core/02-storage/rook-ceph/cluster/ceph-prometheus.yaml b/kube/deploy/core/storage/rook-ceph/cluster/ceph-prometheus.yaml
similarity index 100%
rename from kube/3-deploy/1-core/02-storage/rook-ceph/cluster/ceph-prometheus.yaml
rename to kube/deploy/core/storage/rook-ceph/cluster/ceph-prometheus.yaml
diff --git a/kube/3-deploy/1-core/02-storage/rook-ceph/cluster/create-secrets.sh b/kube/deploy/core/storage/rook-ceph/cluster/create-secrets.sh
similarity index 100%
rename from kube/3-deploy/1-core/02-storage/rook-ceph/cluster/create-secrets.sh
rename to kube/deploy/core/storage/rook-ceph/cluster/create-secrets.sh
diff --git a/kube/3-deploy/1-core/02-storage/rook-ceph/cluster/kustomization.yaml b/kube/deploy/core/storage/rook-ceph/cluster/kustomization.yaml
similarity index 100%
rename from kube/3-deploy/1-core/02-storage/rook-ceph/cluster/kustomization.yaml
rename to kube/deploy/core/storage/rook-ceph/cluster/kustomization.yaml
diff --git a/kube/3-deploy/1-core/02-storage/rook-ceph/cluster/object-radosgw-certs.yaml b/kube/deploy/core/storage/rook-ceph/cluster/object-radosgw-certs.yaml
similarity index 100%
rename from kube/3-deploy/1-core/02-storage/rook-ceph/cluster/object-radosgw-certs.yaml
rename to kube/deploy/core/storage/rook-ceph/cluster/object-radosgw-certs.yaml
diff --git a/kube/3-deploy/1-core/02-storage/rook-ceph/cluster/object.yaml b/kube/deploy/core/storage/rook-ceph/cluster/object.yaml
similarity index 78%
rename from kube/3-deploy/1-core/02-storage/rook-ceph/cluster/object.yaml
rename to kube/deploy/core/storage/rook-ceph/cluster/object.yaml
index 0f6f8068..02546e60 100644
--- a/kube/3-deploy/1-core/02-storage/rook-ceph/cluster/object.yaml
+++ b/kube/deploy/core/storage/rook-ceph/cluster/object.yaml
@@ -2,24 +2,24 @@
 apiVersion: ceph.rook.io/v1
 kind: CephObjectRealm
 metadata:
- name: ${CLUSTER_NAME_LOWER}
+ name: ${CLUSTER_NAME}
 namespace: rook-ceph
 ---
 apiVersion: ceph.rook.io/v1
 kind: CephObjectZoneGroup
 metadata:
- name: ${CLUSTER_NAME_LOWER}
+ name: ${CLUSTER_NAME}
 namespace: rook-ceph
 spec:
- realm: "${CLUSTER_NAME_LOWER}"
+ realm: "${CLUSTER_NAME}"
 ---
 apiVersion: ceph.rook.io/v1
 kind: CephObjectZone
 metadata:
- name: ${CLUSTER_NAME_LOWER}
+ name: ${CLUSTER_NAME}
 namespace: rook-ceph
 spec:
- zoneGroup: "${CLUSTER_NAME_LOWER}"
+ zoneGroup: "${CLUSTER_NAME}"
 metadataPool:
 failureDomain: host
 replicated:
@@ -38,11 +38,11 @@ spec:
 apiVersion: ceph.rook.io/v1
 kind: CephObjectStore
 metadata:
- name: ${CLUSTER_NAME_LOWER}
+ name: ${CLUSTER_NAME}
 namespace: rook-ceph
 spec:
 zone:
- name: "${CLUSTER_NAME_LOWER}"
+ name: "${CLUSTER_NAME}"
 preservePoolsOnDelete: true
 gateway:
 # sslCertificateRef: radosgw-tls
@@ -51,6 +51,7 @@ spec:
 instances: 2
 service:
 annotations:
+ "coredns.io/hostname": "${APP_DNS_RADOSGW}"
 "io.cilium/lb-ipam-ips": "${APP_IP_RADOSGW}"
 resources:
 limits:
@@ -60,10 +61,21 @@ spec: memory: "1024Mi" priorityClassName: system-cluster-critical --- +apiVersion: storage.k8s.io/v1 +kind: StorageClass +metadata: + name: "rgw-${CLUSTER_NAME}" +provisioner: rook-ceph.ceph.rook.io/bucket +parameters: + objectStoreName: "${CLUSTER_NAME}" + objectStoreNamespace: rook-ceph + region: us-west-1 +reclaimPolicy: Delete +--- apiVersion: networking.k8s.io/v1 kind: Ingress metadata: - name: &app "rgw-${CLUSTER_NAME_LOWER}" + name: &app "rgw-${CLUSTER_NAME}" namespace: rook-ceph annotations: nginx.ingress.kubernetes.io/proxy-body-size: 100m diff --git a/kube/deploy/core/storage/rook-ceph/cluster/pveceph-object.sh b/kube/deploy/core/storage/rook-ceph/cluster/pveceph-object.sh new file mode 100644 index 00000000..dcb3252a --- /dev/null +++ b/kube/deploy/core/storage/rook-ceph/cluster/pveceph-object.sh @@ -0,0 +1,9 @@ +#!/bin/bash +pveceph pool create ".rgw.root" --add_storages 0 --application rgw --size 3 --min_size 2 --pg_autoscale_mode on --pg_num 4 +pveceph pool create "${CLUSTER_NAME}.rgw.control" --add_storages 0 --application rgw --size 3 --min_size 2 --pg_autoscale_mode on --pg_num 32 +pveceph pool create "${CLUSTER_NAME}.rgw.meta" --add_storages 0 --application rgw --size 3 --min_size 2 --pg_autoscale_mode on --pg_num 32 +pveceph pool create "${CLUSTER_NAME}.rgw.log" --add_storages 0 --application rgw --size 3 --min_size 2 --pg_autoscale_mode on --pg_num 4 +pveceph pool create "${CLUSTER_NAME}.rgw.otp" --add_storages 0 --application rgw --size 3 --min_size 2 --pg_autoscale_mode on --pg_num 4 +pveceph pool create "${CLUSTER_NAME}.rgw.buckets.index" --add_storages 0 --application rgw --size 3 --min_size 2 --pg_autoscale_mode on --pg_num 32 +pveceph pool create "${CLUSTER_NAME}.rgw.buckets.non-ec" --add_storages 0 --application rgw --size 3 --min_size 2 --pg_autoscale_mode on --pg_num 32 +pveceph pool create "${CLUSTER_NAME}.rgw.buckets.data" --add_storages 0 --application rgw --size 3 --min_size 2 --pg_autoscale_mode on --pg_num 64 
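Review bot: The new bucket StorageClass sets `reclaimPolicy: Delete`, which means deleting an ObjectBucketClaim removes the bucket and its objects, while the CephObjectStore in the previous hunk sets `preservePoolsOnDelete: true`, so the two express opposite intents about data retention. If the intent is to keep user data safe by default, `reclaimPolicy: Retain` is the consistent choice; if Delete is deliberate for test buckets, a comment stating that would avoid surprise. A one-line `# region is informational for the Rook bucket provisioner — TODO confirm` would also help, since `us-west-1` looks like a placeholder in a single-zonegroup setup.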
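Review bot: pveceph-object.sh runs eight `pveceph pool create` commands with `${CLUSTER_NAME}` unset-tolerant and no error handling, so an unexported variable would silently create pools named `.rgw.control`, `.rgw.meta` and so on, and a failure mid-way would leave a partial pool set behind. Adding `set -euo pipefail` after the shebang makes the unset variable and any failed command abort the script. The pool prefix must also match the zone/store name Rook uses in object.yaml (both are `${CLUSTER_NAME}` there), which is worth stating in a comment, e.g. `# pool names must match the CephObjectZone/CephObjectStore name in object.yaml`.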
diff --git a/kube/3-deploy/1-core/02-storage/rook-ceph/cluster/secret.sops.yaml b/kube/deploy/core/storage/rook-ceph/cluster/secret.sops.yaml similarity index 100% rename from kube/3-deploy/1-core/02-storage/rook-ceph/cluster/secret.sops.yaml rename to kube/deploy/core/storage/rook-ceph/cluster/secret.sops.yaml diff --git a/kube/3-deploy/1-core/02-storage/rook-ceph/cluster/storage-class.yaml b/kube/deploy/core/storage/rook-ceph/cluster/storage-class.yaml similarity index 100% rename from kube/3-deploy/1-core/02-storage/rook-ceph/cluster/storage-class.yaml rename to kube/deploy/core/storage/rook-ceph/cluster/storage-class.yaml diff --git a/kube/3-deploy/1-core/02-storage/rook-ceph/cluster/volume-snapshot-class.yaml b/kube/deploy/core/storage/rook-ceph/cluster/volume-snapshot-class.yaml similarity index 100% rename from kube/3-deploy/1-core/02-storage/rook-ceph/cluster/volume-snapshot-class.yaml rename to kube/deploy/core/storage/rook-ceph/cluster/volume-snapshot-class.yaml diff --git a/kube/deploy/core/storage/rook-ceph/ks.yaml b/kube/deploy/core/storage/rook-ceph/ks.yaml new file mode 100644 index 00000000..ac509cec --- /dev/null +++ b/kube/deploy/core/storage/rook-ceph/ks.yaml @@ -0,0 +1,21 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: 1-core-storage-rook-ceph-app + namespace: flux-system +spec: + path: ./kube/deploy/core/storage/rook-ceph/app + dependsOn: + - name: 0-${CLUSTER_NAME}-config +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: 1-core-storage-rook-ceph-cluster + namespace: flux-system +spec: + path: ./kube/deploy/core/storage/rook-ceph/cluster + dependsOn: + - name: 0-${CLUSTER_NAME}-config + - name: 1-core-storage-rook-ceph-app \ No newline at end of file 
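Review bot: Both Flux Kustomization objects in rook-ceph/ks.yaml omit `interval`, `sourceRef` and `prune`, which are required fields of `kustomize.toolkit.fluxcd.io/v1`, so as written they would not pass validation on their own. Presumably the repo's patching step (the "Fluxtomization patching" labels added to cert-manager/crds.yaml in this commit suggest such a mechanism) injects them, but a reader of this file cannot tell. A comment such as `# interval/sourceRef/prune are injected by the repo's Flux patching — TODO confirm` at the top of the file would make that explicit; the same applies to volsync/ks.yaml and cert-manager/ks.yaml in this commit.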
diff --git a/kube/3-deploy/1-core/02-storage/rook-ceph/crds/kustomization.yaml b/kube/deploy/core/storage/rook-ceph/kustomization.yaml similarity index 81% rename from kube/3-deploy/1-core/02-storage/rook-ceph/crds/kustomization.yaml rename to kube/deploy/core/storage/rook-ceph/kustomization.yaml index c67b3332..851fce3c 100644 --- a/kube/3-deploy/1-core/02-storage/rook-ceph/crds/kustomization.yaml +++ b/kube/deploy/core/storage/rook-ceph/kustomization.yaml @@ -2,5 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: + - ns.yaml + - repo.yaml - https://raw.githubusercontent.com/rook/rook/v1.10.10/deploy/examples/crds.yaml - + - ks.yaml \ No newline at end of file diff --git a/kube/3-deploy/1-core/02-storage/rook-ceph/app/namespace.yaml b/kube/deploy/core/storage/rook-ceph/ns.yaml similarity index 89% rename from kube/3-deploy/1-core/02-storage/rook-ceph/app/namespace.yaml rename to kube/deploy/core/storage/rook-ceph/ns.yaml index 696024bf..596745d2 100644 --- a/kube/3-deploy/1-core/02-storage/rook-ceph/app/namespace.yaml +++ b/kube/deploy/core/storage/rook-ceph/ns.yaml @@ -5,4 +5,4 @@ metadata: labels: pod-security.kubernetes.io/enforce: privileged pod-security.kubernetes.io/enforce-version: latest - name: rook-ceph + name: rook-ceph \ No newline at end of file diff --git a/kube/deploy/core/storage/rook-ceph/repo.yaml b/kube/deploy/core/storage/rook-ceph/repo.yaml new file mode 100644 index 00000000..a0b58aae --- /dev/null +++ b/kube/deploy/core/storage/rook-ceph/repo.yaml @@ -0,0 +1,10 @@ +--- +apiVersion: source.toolkit.fluxcd.io/v1beta2 +kind: HelmRepository +metadata: + name: rook-ceph-charts + namespace: flux-system +spec: + interval: 10m0s + timeout: 3m0s + url: https://charts.rook.io/release \ No newline at end of file 
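Review bot: The rook-ceph CRDs are still pulled from `https://raw.githubusercontent.com/rook/rook/v1.10.10/deploy/examples/crds.yaml`, i.e. pinned to a git tag that the upstream project can move, so the content applied to the cluster is not reproducible and cannot be verified against the repository. Since this kustomization now also fronts the namespace and Flux objects, it is a good moment to pin the URL to the commit SHA behind v1.10.10 or vendor the file alongside ns.yaml and repo.yaml, and to add `# pinned by tag only; prefer a commit SHA or a vendored copy so the CRDs cannot change underneath the cluster`.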
diff --git a/kube/3-deploy/2-apps/volsync/3-install.yaml b/kube/deploy/core/storage/volsync/app/hr.yaml similarity index 100% rename from kube/3-deploy/2-apps/volsync/3-install.yaml rename to kube/deploy/core/storage/volsync/app/hr.yaml diff --git a/kube/deploy/core/storage/volsync/app/netpol.yaml b/kube/deploy/core/storage/volsync/app/netpol.yaml new file mode 100644 index 00000000..2bc0dff8 --- /dev/null +++ b/kube/deploy/core/storage/volsync/app/netpol.yaml @@ -0,0 +1,34 @@ +--- +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + name: &app volsync + namespace: *app +spec: + endpointSelector: {} + ingress: + # same namespace + - fromEndpoints: + - matchLabels: + io.kubernetes.pod.namespace: *app + egress: + # same namespace + - toEndpoints: + - matchLabels: + io.kubernetes.pod.namespace: *app + - toEntities: + - kube-apiserver +--- +apiVersion: cilium.io/v2 +kind: CiliumClusterwideNetworkPolicy +metadata: + name: volsync-mover +spec: + description: "Allow VolSync Mover pods to access network outside cluster for Mover operations" + endpointSelector: + matchLabels: + app.kubernetes.io/created-by: volsync + egress: + # allow all to public Internet + - toEntities: + - world diff --git a/kube/deploy/core/storage/volsync/ks.yaml b/kube/deploy/core/storage/volsync/ks.yaml new file mode 100644 index 00000000..949fa449 --- /dev/null +++ b/kube/deploy/core/storage/volsync/ks.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: 1-core-storage-volsync-app + namespace: flux-system +spec: + path: ./kube/deploy/core/storage/volsync/app + dependsOn: [] \ No newline at end of file diff --git a/kube/deploy/core/storage/volsync/kustomization.yaml b/kube/deploy/core/storage/volsync/kustomization.yaml new file mode 100644 index 00000000..ed061416 --- /dev/null +++ b/kube/deploy/core/storage/volsync/kustomization.yaml 
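Review bot: The `volsync-mover` clusterwide policy grants the mover pods egress only to `world`, and in Cilium an endpoint selected by any egress rule is default-deny for all other egress, so the movers can no longer reach the in-cluster DNS service to resolve the external backup endpoint unless another policy in each app namespace allows it. The cert-manager policy in the next hunk has the same gap (egress to `world` and `kube-apiserver` only, while ACME challenges and DNS-01 propagation checks go through cluster DNS by default). `toEntities: world` is also wider than needed for a restic/S3 target and could be narrowed with a `toFQDNs` rule once DNS egress is allowed. Constructed example for the mover policy, with the DNS pod labels to be adjusted to the cluster's CoreDNS deployment:

```yaml
  egress:
    # … unchanged: toEntities world rule …
    # CONSTRUCTED: allow cluster DNS so movers can resolve the backup endpoint
    - toEndpoints:
        - matchLabels:
            io.kubernetes.pod.namespace: kube-system
            k8s-app: kube-dns
      toPorts:
        - ports:
            - port: "53"
              protocol: ANY
```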
@@ -0,0 +1,7 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ns.yaml + - repo.yaml + - ks.yaml diff --git a/kube/3-deploy/2-apps/volsync/1-namespace.yaml b/kube/deploy/core/storage/volsync/ns.yaml similarity index 100% rename from kube/3-deploy/2-apps/volsync/1-namespace.yaml rename to kube/deploy/core/storage/volsync/ns.yaml diff --git a/kube/3-deploy/2-apps/volsync/2-repo.yaml b/kube/deploy/core/storage/volsync/repo.yaml similarity index 100% rename from kube/3-deploy/2-apps/volsync/2-repo.yaml rename to kube/deploy/core/storage/volsync/repo.yaml diff --git a/kube/3-deploy/1-core/03-certs/.sops.yaml b/kube/deploy/core/tls/.sops.yaml similarity index 100% rename from kube/3-deploy/1-core/03-certs/.sops.yaml rename to kube/deploy/core/tls/.sops.yaml diff --git a/kube/3-deploy/1-core/03-certs/cert-manager/app/2-install.yaml b/kube/deploy/core/tls/cert-manager/app/hr.yaml similarity index 100% rename from kube/3-deploy/1-core/03-certs/cert-manager/app/2-install.yaml rename to kube/deploy/core/tls/cert-manager/app/hr.yaml diff --git a/kube/deploy/core/tls/cert-manager/app/netpol.yaml b/kube/deploy/core/tls/cert-manager/app/netpol.yaml new file mode 100644 index 00000000..42f39e98 --- /dev/null +++ b/kube/deploy/core/tls/cert-manager/app/netpol.yaml @@ -0,0 +1,35 @@ +--- +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + name: &app cert-manager + namespace: *app +spec: + endpointSelector: {} + ingress: + # same namespace + - fromEndpoints: + - matchLabels: + io.kubernetes.pod.namespace: *app + egress: + # same namespace + - toEndpoints: + - matchLabels: + io.kubernetes.pod.namespace: *app + - toEntities: + - kube-apiserver + - world +--- +apiVersion: cilium.io/v2 +kind: CiliumNetworkPolicy +metadata: + name: cert-manager-webhook + namespace: cert-manager +spec: + endpointSelector: {} + ingress: + - fromEntities: + - cluster + toPorts: + - ports: + - port: "10250" 
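Review bot: The `cert-manager-webhook` policy uses `endpointSelector: {}`, so ingress on port 10250 from the `cluster` entity is opened to every pod in the cert-manager namespace, not just the webhook. Narrowing the selector to the webhook pod's labels keeps the controller and cainjector pods unreachable from the rest of the cluster, which is the least-privilege shape this split into two policies seems to be aiming for. If the intent is to keep a blanket selector, a comment such as `# intentionally namespace-wide: only the webhook listens on 10250 — TODO confirm` would document the assumption.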
diff --git a/kube/3-deploy/1-core/03-certs/cert-manager/app/3-issuer.yaml b/kube/deploy/core/tls/cert-manager/config/issuer.yaml similarity index 100% rename from kube/3-deploy/1-core/03-certs/cert-manager/app/3-issuer.yaml rename to kube/deploy/core/tls/cert-manager/config/issuer.yaml diff --git a/kube/3-deploy/1-core/03-certs/cert-manager/crds/install.yaml b/kube/deploy/core/tls/cert-manager/crds.yaml similarity index 74% rename from kube/3-deploy/1-core/03-certs/cert-manager/crds/install.yaml rename to kube/deploy/core/tls/cert-manager/crds.yaml index 6fe60f29..727418f2 100644 --- a/kube/3-deploy/1-core/03-certs/cert-manager/crds/install.yaml +++ b/kube/deploy/core/tls/cert-manager/crds.yaml @@ -1,5 +1,5 @@ --- -apiVersion: source.toolkit.fluxcd.io/v1beta2 +apiVersion: source.toolkit.fluxcd.io/v1 kind: GitRepository metadata: name: cert-manager-source @@ -19,15 +19,22 @@ spec: /deploy/crds/*.md /deploy/crds/*.bazel --- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 +apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: - name: crds-cert-manager + name: 1-core-tls-cert-manager-crds namespace: flux-system + labels: # for my repo's Fluxtomization patching, can be ignored for those passing by + kustomization.flux.home.arpa/name: "flux" + kustomization.flux.home.arpa/default: "false" + kustomization.flux.home.arpa/helmpatches: "false" + substitution.flux.home.arpa/disabled: "true" + prune.flux.home.arpa/disabled: "true" spec: interval: 30m prune: false wait: true + dependsOn: [] sourceRef: kind: GitRepository name: cert-manager-source diff --git a/kube/deploy/core/tls/cert-manager/ks.yaml b/kube/deploy/core/tls/cert-manager/ks.yaml new file mode 100644 index 00000000..46550fd6 --- /dev/null +++ b/kube/deploy/core/tls/cert-manager/ks.yaml 
@@ -0,0 +1,21 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: 1-core-tls-cert-manager-app + namespace: flux-system +spec: + path: ./kube/deploy/core/tls/cert-manager/app + dependsOn: + - name: 1-core-tls-cert-manager-crds +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: 1-core-tls-cert-manager-config + namespace: flux-system +spec: + path: ./kube/deploy/core/tls/cert-manager/config + dependsOn: + - name: 1-core-tls-cert-manager-crds + - name: 1-core-tls-cert-manager-app \ No newline at end of file diff --git a/kube/deploy/core/tls/cert-manager/kustomization.yaml b/kube/deploy/core/tls/cert-manager/kustomization.yaml new file mode 100644 index 00000000..04f7071c --- /dev/null +++ b/kube/deploy/core/tls/cert-manager/kustomization.yaml @@ -0,0 +1,8 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ns.yaml + - repo.yaml + - crds.yaml + - ks.yaml \ No newline at end of file diff --git a/kube/3-deploy/1-core/03-certs/cert-manager/app/1-namespace.yaml b/kube/deploy/core/tls/cert-manager/ns.yaml similarity index 100% rename from kube/3-deploy/1-core/03-certs/cert-manager/app/1-namespace.yaml rename to kube/deploy/core/tls/cert-manager/ns.yaml diff --git a/kube/deploy/core/tls/cert-manager/repo.yaml b/kube/deploy/core/tls/cert-manager/repo.yaml new file mode 100644 index 00000000..1f86c3c9 --- /dev/null +++ b/kube/deploy/core/tls/cert-manager/repo.yaml @@ -0,0 +1,9 @@ +--- +apiVersion: source.toolkit.fluxcd.io/v1beta2 +kind: HelmRepository +metadata: + name: jetstack + namespace: flux-system +spec: + interval: 1h + url: https://charts.jetstack.io/ \ No newline at end of file diff --git a/kube/repos/helm/app-template/helmrepo.yaml b/kube/repos/helm/app-template/helmrepo.yaml new file mode 100644 index 00000000..b485a29f --- /dev/null +++ b/kube/repos/helm/app-template/helmrepo.yaml 
@@ -0,0 +1,10 @@ +--- +apiVersion: source.toolkit.fluxcd.io/v1beta2 +kind: HelmRepository +metadata: + name: bjw-s + namespace: flux-system +spec: + interval: 1h + timeout: 3m0s + url: https://bjw-s.github.io/helm-charts/ \ No newline at end of file diff --git a/kube/3-deploy/2-apps/dns/dnsdist/kustomization.yaml b/kube/repos/helm/app-template/kustomization.yaml similarity index 82% rename from kube/3-deploy/2-apps/dns/dnsdist/kustomization.yaml rename to kube/repos/helm/app-template/kustomization.yaml index 6300b0b7..ba92dc25 100644 --- a/kube/3-deploy/2-apps/dns/dnsdist/kustomization.yaml +++ b/kube/repos/helm/app-template/kustomization.yaml @@ -2,4 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - install.yaml + - helmrepo.yaml \ No newline at end of file diff --git a/kube/templates/test/app/hr.yaml b/kube/templates/test/app/hr.yaml index 7556bb31..8e7e4035 100644 --- a/kube/templates/test/app/hr.yaml +++ b/kube/templates/test/app/hr.yaml @@ -8,17 +8,26 @@ spec: chart: spec: chart: app-template - version: 1.5.0 + version: 1.5.1 sourceRef: name: bjw-s kind: HelmRepository namespace: flux-system values: + global: + fullnameOverride: *app + automountServiceAccountToken: false controller: type: statefulset + # type: deployment + # replicas: 1 image: repository: docker.io/${APPNAME}/server tag: latest@sha256:c10a2938d3a8c15169a3ed2f6d08d25430d22cef3d5749d57ab3a9052d60354c + podLabels: + ingress.home.arpa/nginx: "allow" + db.home.arpa/pg: "pg-default" + s3.home.arpa/store: "rgw-${CLUSTER_NAME}" env: TZ: "${CONFIG_TZ}" service: 
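Review bot: The new `podLabels` in templates/test/app/hr.yaml (`ingress.home.arpa/nginx`, `db.home.arpa/pg`, `s3.home.arpa/store`) carry no explanation, and a reader copying this template cannot tell whether they are informational or are matched by network policies elsewhere. Given that this commit adds CiliumNetworkPolicy objects keyed on pod labels, a comment along the lines of `# podLabels are selected by CiliumNetworkPolicy rules that grant ingress/db/s3 reachability — TODO confirm` would make the coupling visible. The `global:` keys and `automountServiceAccountToken: false` are also new in this hunk; disabling token automount is a good default and worth keeping in the template.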
@@ -28,8 +37,8 @@ spec: # eTP can be Cluster (for HA & failover) instead of Local since Cilium is configured in DSR mode, so proper source IP will still work externalTrafficPolicy: Cluster annotations: - coredns.io/hostname: "${APP_DNS_${APPNAME}}" - "io.cilium/lb-ipam-ips": "${APP_IP_${APPNAME}}" + coredns.io/hostname: "${APP_DNS_APPNAME}" + "io.cilium/lb-ipam-ips": "${APP_IP_APPNAME}" ports: http: enabled: true @@ -52,11 +61,12 @@ spec: primary: true ingressClassName: nginx annotations: - external-dns.alpha.kubernetes.io/target: "${IP_EC2_INGRESS}" + external-dns.alpha.kubernetes.io/target: "${DNS_SHORT_CF}" + external-dns.alpha.kubernetes.io/cloudflare-proxied: "true" nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" # https://github.com/kubernetes/ingress-nginx/issues/6728 nginx.ingress.kubernetes.io/server-snippet: | - proxy_ssl_name ${APP_DNS_${APPNAME}}; + proxy_ssl_name ${APP_DNS_APPNAME}; proxy_ssl_server_name on; large_client_header_buffers 4 8k; client_header_buffer_size 8k; @@ -64,7 +74,7 @@ spec: # HTTP1.1 /v1/auth/valid: 400 Request Header Or Cookie Too Large # HTTP2 /v1/auth/valid: HTTP/2 stream was not closed cleanly before end of the underlying stream hosts: - - host: &host "${APP_DNS_${APPNAME}}" + - host: &host "${APP_DNS_APPNAME}" paths: - path: / pathType: Prefix @@ -76,7 +86,7 @@ spec: # - name: ndots # value: "1" podSecurityContext: - runAsUser: &uid ${APP_UID_${APPNAME}} + runAsUser: &uid ${APP_UID_APPNAME} runAsGroup: *uid fsGroup: *uid fsGroupChangePolicy: Always @@ -118,8 +128,8 @@ spec: enabled: true data: server.toml: |- - domain = "${APP_DNS_${APPNAME}}" - origin = "https://${APP_DNS_${APPNAME}}" + domain = "${APP_DNS_APPNAME}" + origin = "https://${APP_DNS_APPNAME}" tls_chain = "/tls/fullchain.pem" tls_key = "/tls/privkey.pem" role = "WriteReplica" diff --git a/kube/templates/test/ks.yaml b/kube/templates/test/ks.yaml index 48d66ef3..d3f02000 100644 --- a/kube/templates/test/ks.yaml +++ b/kube/templates/test/ks.yaml 
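Review bot: The hunks in templates/test/app/hr.yaml replace the nested form `${APP_DNS_${APPNAME}}` with the literal `${APP_DNS_APPNAME}`, so `APPNAME` inside these variable names is now meant to be rewritten when the template is copied, while `${APPNAME}` elsewhere in the same file (the image repository in the -8 hunk, templates/test/ks.yaml) remains a Flux substitution variable. A header comment stating which tokens are replaced at copy time and which Flux substitutes would prevent a copied app from shipping an unresolved `APP_DNS_APPNAME` into DNS and TLS settings. Separately, the server-snippet sets `proxy_ssl_name` and `proxy_ssl_server_name on` for an HTTPS backend; if `proxy_ssl_verify on` and a `proxy_ssl_trusted_certificate` are not set further down the snippet (outside this hunk), nginx does not verify the upstream certificate, which is worth a comment either way.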
@@ -1,16 +1,15 @@ --- -apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 +apiVersion: kustomize.toolkit.fluxcd.io/v1 kind: Kustomization metadata: name: ${APPNAME}-app namespace: flux-system spec: - path: ./kube/3-deploy/2-apps/${APPNAME}/app + path: ./kube/deploy/apps/${APPNAME}/app dependsOn: - - name: ${CLUSTER_NAME_LOWER}-1-core-02-storage-rook-ceph - - name: ${CLUSTER_NAME_LOWER}-1-core-04-dns-internal - - name: ${CLUSTER_NAME_LOWER}-1-core-05-ingress-nginx - #- name: ${CLUSTER_NAME_LOWER}-2-apps-volsync + - name: 1-core-storage-rook-ceph-cluster + - name: 1-core-ingress-nginx-app + #- name: 1-core-storage-volsync-app healthChecks: - name: ${APPNAME} namespace: ${APPNAME}