chore: cleanup

JJGadgets
2024-04-09 04:23:54 +08:00
parent 1aea3bc0c1
commit 0cd5fc3c94
12 changed files with 136 additions and 179 deletions


@@ -148,12 +148,12 @@
"versioning": "semver",
"versionCompatibility": "^(?<version>[^-]+)(?<compatibility>-.*)?$"
},
{
"description": "SearXNG versioning",
"matchPackagePatterns": ["searxng"],
"matchDatasources": ["docker"],
"versioning": "regex:^(?<major>\\d+)\\.(?<minor>\\d+)\\.(?<patch>\\d+)-(:?<hash>.*)$"
},
// {
// "description": "SearXNG versioning",
// "matchPackagePatterns": ["searxng"],
// "matchDatasources": ["docker"],
// "versioning": "regex:^(?<major>\\d+)\\.(?<minor>\\d+)\\.(?<patch>\\d+)-(:?<hash>.*)$"
// },
{
"description": "Configure more granular control for apps in ./kube/deploy/core",
"matchFileNames": ["kube/deploy/core/**"],
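Review bot: Both copies of the SearXNG versioning block end the pattern with `-(:?<hash>.*)$`, and `(:?<hash>` is not a named group: it is an optional colon followed by the literal text `<hash>`, so a real tag such as `2023.7.22-65d8b1a31` never matches and Renovate treats every searxng tag as an invalid version. The named-group syntax is `-(?<hash>.*)$`. Which copy is the new side is not recoverable from the rendered page; if the block is being commented out because it never produced updates, this typo is the likely cause, and if it is being re-enabled the fix belongs in the same change.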


@@ -24,7 +24,7 @@ spec:
ingress.home.arpa/nginx-internal: "allow"
db.home.arpa/pg: "pg-home"
authentik.home.arpa/https: "allow"
# egress.home.arpa/internet: "allow"
egress.home.arpa/internet: "allow"
containers:
main:
image: &img
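Review bot: If the live `egress.home.arpa/internet: "allow"` label is the new side, this pod is given the broad internet egress label, while the searxng and whoogle releases in the same commit use the narrower `egress.home.arpa/internet-https: "allow"`; unless this workload needs non-HTTPS egress, the narrower label keeps the policy surface consistent across apps. Whichever side is live, the commented-out copy of the label should be dropped rather than kept next to it. The enclosing pod spec starts and continues outside the hunk.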


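--- /dev/null
+++ b/PATH_NOT_ON_PAGE
@@ -0,0 +1,19 @@
+---
+# yaml-language-server: $schema=https://crds.jank.ing/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+name: &name searxng-secrets
+namespace: searxng
+spec:
+refreshInterval: 1m
+secretStoreRef:
+kind: ClusterSecretStore
+name: 1p
+dataFrom:
+- extract:
+key: "SearXNG - ${CLUSTER_NAME}"
+target:
+creationPolicy: Owner
+deletionPolicy: Retain
+name: *name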
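Review bot: `dataFrom: - extract` copies every field of the 1Password item into `searxng-secrets`, and the HelmRelease in this commit consumes that Secret through `envFrom.secretRef`, so each item field becomes an environment variable of the searxng container, the item's field names must exactly match the variables SearXNG reads (for example `SEARXNG_SECRET`), and any field later added to the item silently lands in the process environment. If only specific values are needed, a `data:` list with `secretKey` plus `remoteRef.key`/`remoteRef.property` entries makes the expected keys explicit and bounds what ends up in the environment. `deletionPolicy: Retain` keeps the generated Secret after the ExternalSecret is removed; a comment such as `# Retain: the Secret outlives this ExternalSecret on deletion` would mark that as intentional.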


@@ -5,43 +5,65 @@ metadata:
name: &app searxng
namespace: *app
spec:
interval: 5m
chart:
spec:
chart: app-template
version: 1.5.1
version: "2.6.0"
sourceRef:
name: bjw-s
kind: HelmRepository
namespace: flux-system
values:
global:
fullnameOverride: *app
automountServiceAccountToken: false
controller:
type: deployment
replicas: 1
image:
repository: docker.io/searxng/searxng
tag: 2023.7.22-65d8b1a31
command: ["uwsgi", "--master", "--http-socket", "0.0.0.0:8080", "/usr/local/searxng/dockerfiles/uwsgi.ini"]
podLabels:
ingress.home.arpa/nginx-internal: "allow"
egress.home.arpa/world: "allow"
env:
TZ: "${CONFIG_TZ}"
SEARXNG_BASE_URL: "https://{APP_DNS_SEARXNG}/"
SEARXNG_URL: "https://{APP_DNS_SEARXNG}"
SEARXNG_PORT: &http "8080"
SEARXNG_SECRET:
valueFrom:
secretKeyRef:
name: searxng-secrets
key: secret_key
SEARXNG_REDIS_URL:
valueFrom:
secretKeyRef:
name: searxng-secrets
key: redis
controllers:
main:
type: deployment
replicas: 1
pod:
labels:
ingress.home.arpa/nginx-internal: "allow"
egress.home.arpa/mullvad: "allow"
egress.home.arpa/internet-https: "allow"
containers:
main:
image: &img
repository: "docker.io/searxng/searxng"
tag: "latest@sha256:a46962557dce9ad029ef36b6717304c51803d73a8043b4a513b09204df6bc91c"
command: ["uwsgi", "--master", "--http-socket", "0.0.0.0:8080", "/usr/local/searxng/dockerfiles/uwsgi.ini"]
env:
TZ: "${CONFIG_TZ}"
SEARXNG_BASE_URL: "https://{APP_DNS_SEARXNG}/"
SEARXNG_URL: "https://{APP_DNS_SEARXNG}"
SEARXNG_PORT: &http "8080"
SEARXNG_REDIS_URL: "unix:///etc/searxng/redis.sock?db=0"
envFrom:
- secretRef:
name: "searxng-secrets"
securityContext: &sc
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
resources:
requests:
cpu: "50m"
memory: "1Gi"
limits:
cpu: "3000m"
memory: "2Gi"
redis:
image:
repository: "public.ecr.aws/docker/library/redis"
tag: "7.2.4-bookworm@sha256:3134997edb04277814aa51a4175a588d45eb4299272f8eff2307bbf8b39e4d43"
command: ["redis-server", "--save", "''", "--appendonly", "no", "--port", "0", "--bind", "127.0.0.1", "--unixsocket", "/etc/searxng/redis.sock", "--unixsocketperm", "700"] # save and appendonly options forcibly disable RDB and AOF persistence entirely
securityContext: *sc
resources:
requests:
cpu: "10m"
memory: "32Mi"
limits:
cpu: "1000m"
memory: "512Mi"
service:
main:
ports:
@@ -51,42 +73,45 @@ spec:
main:
enabled: true
primary: true
ingressClassName: "nginx-internal"
className: "nginx-internal"
hosts:
- host: &host "${APP_DNS_SEARXNG}"
paths:
paths: &paths
- path: /
pathType: Prefix
service:
name: main
port: http
tls:
- hosts:
- *host
- hosts: [*host]
dnsConfig:
options:
- name: ndots
value: "1" # Alpine base
podSecurityContext: # TODO: maybe build rootless container or Kyverno/patch entrypoint?
runAsUser: &uid ${APP_UID_SEARXNG}
runAsGroup: *uid
fsGroup: *uid
fsGroupChangePolicy: Always
value: "1"
persistence:
config:
enabled: true
type: configMap
name: searxng-config
subPath: settings.yml
mountPath: /etc/searxng/settings.yml
readOnly: true
name: "searxng-config"
advancedMounts:
main:
main:
- subPath: "settings.yml"
path: "/etc/searxng/settings.yml"
readOnly: true
tmp:
enabled: true
type: emptyDir
medium: Memory
mountPath: /etc/searxng
globalMounts:
- subPath: "etc"
path: "/etc/searxng"
readOnly: false
configMaps:
config:
enabled: true
data:
settings.yml: |-
server.toml: |-
use_default_settings:
engines:
keep_only:
@@ -225,9 +250,27 @@ spec:
'(.*\.)?redd\.it$': '${APP_DNS_LIBREDDIT}'
# NOTE: Search engines disabled:
# - archive.is (too many requests)
resources:
requests:
cpu: 50m
memory: 850Mi
limits:
memory: 2048Mi
defaultPodOptions:
automountServiceAccountToken: false
enableServiceLinks: false
securityContext:
runAsNonRoot: true
runAsUser: &uid ${APP_UID_SEARXNG}
runAsGroup: *uid
fsGroup: *uid
fsGroupChangePolicy: "Always"
seccompProfile: { type: "RuntimeDefault" }
topologySpreadConstraints:
- maxSkew: 1
topologyKey: "kubernetes.io/hostname"
whenUnsatisfiable: "DoNotSchedule"
labelSelector:
matchLabels:
app.kubernetes.io/name: *app
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: "fuckoff.home.arpa/searxng"
operator: "DoesNotExist"
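Review bot: The ConfigMap data key and its mount disagree: `configMaps.config.data` is keyed `server.toml` on one side of the second hunk while the mount uses `subPath: "settings.yml"` on both sides, and the content that follows (`use_default_settings:`) is SearXNG's YAML settings, not TOML. If `server.toml` is the new side, the subPath refers to a key the ConfigMap volume does not contain, the mount most likely cannot be prepared and the container never starts; the key should stay `settings.yml: |-`. Separately, the redis container's exec-form command passes `"--save", "''"`, which is the two-character string `''` rather than an empty argument — confirm Redis accepts it as an empty save schedule, otherwise `"--save", ""` is the unambiguous form. The main image is pinned as `latest@sha256:…`, which keeps the digest pin but makes the running version unreadable from the manifest and puts the tag outside the searxng regex versioning in this commit; a dated tag with the digest appended keeps both. The HelmRelease values continue outside the visible hunks.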


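--- a/PATH_NOT_ON_PAGE
+++ /dev/null
@@ -1,19 +0,0 @@
----
-# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumnetworkpolicy_v2.json
-apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
-metadata:
-name: &app searxng
-namespace: *app
-spec:
-endpointSelector: {}
-ingress:
-# same namespace
-- fromEndpoints:
-- matchLabels:
-io.kubernetes.pod.namespace: *app
-egress:
-# same namespace
-- toEndpoints:
-- matchLabels:
-io.kubernetes.pod.namespace: *app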


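--- a/PATH_NOT_ON_PAGE
+++ /dev/null
@@ -1,10 +0,0 @@
----
-apiVersion: v1
-kind: Secret
-metadata:
-name: searxng-secrets
-namespace: searxng
-type: Opaque
-stringData:
-secret_key: "${SECRET_SEARXNG_SECRET_KEY}"
-redis: "redis://:${SECRET_SEARXNG_REDIS_PASSWORD}@searxng-redis.searxng.svc.cluster.local:6379/0"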


@@ -4,38 +4,11 @@ kind: Kustomization
metadata:
name: searxng-app
namespace: flux-system
labels: &l
app.kubernetes.io/name: "searxng"
spec:
commonMetadata:
labels: *l
path: ./kube/deploy/apps/searxng/app
dependsOn:
- name: 1-core-ingress-nginx-app
- name: searxng-redis
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: searxng-redis
namespace: flux-system
labels:
substitution.flux.home.arpa/disabled: "true"
spec:
path: ./kube/deploy/core/db/redis/template/standalone-mem
targetNamespace: "searxng"
dependsOn: []
postBuild:
substitute:
REDIS_APP_NAME: &app "searxng"
REDIS_APP_NS: *app
substituteFrom:
- kind: Secret
name: "searxng-redis"
optional: false
- kind: Secret
name: "${CLUSTER_NAME}-vars"
optional: false
- kind: Secret
name: "${CLUSTER_NAME}-secrets"
optional: false
healthChecks:
- name: searxng-redis
namespace: searxng
kind: Deployment
apiVersion: apps/v1
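Review bot: With the in-repo Secret and the `searxng-redis` Kustomization removed, `dependsOn` lists only `1-core-ingress-nginx-app`, yet the HelmRelease now relies on the new ExternalSecret (ClusterSecretStore `1p`) to materialise `searxng-secrets`; if external-secrets and that store are reconciled by another Flux Kustomization, add it here as `- name: <external-secrets kustomization name>` so the app is not applied before the store exists. Without it the main container waits in CreateContainerConfigError until the Secret appears, which is recoverable but noisy. Dropping the redis `healthChecks` is consistent with redis now running as a second container in the searxng pod rather than as its own release.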


@@ -3,5 +3,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ns.yaml
- secret-redis.yaml
- ks.yaml


@@ -3,3 +3,8 @@ apiVersion: v1
kind: Namespace
metadata:
name: searxng
labels:
kustomize.toolkit.fluxcd.io/prune: disabled
pod-security.kubernetes.io/enforce: &ps restricted
pod-security.kubernetes.io/audit: *ps
pod-security.kubernetes.io/warn: *ps
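Review bot: The three `pod-security.kubernetes.io/*` labels pin the `restricted` profile but no `*-version` label, so the namespace is evaluated against the cluster's `latest` profile and the admitted pod shape tightens silently on every Kubernetes upgrade; add `pod-security.kubernetes.io/enforce-version: "<cluster minor, e.g. v1.NN>"` (and matching audit/warn versions) if upgrades should not change what this namespace admits. The HelmRelease in this commit already sets `runAsNonRoot`, `seccompProfile: RuntimeDefault`, `allowPrivilegeEscalation: false` and `capabilities.drop: ["ALL"]` on both containers, which are the checks `restricted` enforces, so the label should not reject the current pods. The Namespace document starts outside the hunk.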


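--- a/PATH_NOT_ON_PAGE
+++ /dev/null
@@ -1,9 +0,0 @@
----
-apiVersion: v1
-kind: Secret
-metadata:
-name: searxng-redis
-namespace: flux-system
-type: Opaque
-stringData:
-SECRET_REDIS_PASSWORD: "${SECRET_SEARXNG_REDIS_PASSWORD}"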


@@ -20,9 +20,9 @@ spec:
fullNameOverride: whoogle
podLabels:
ingress.home.arpa/nginx-internal: "allow"
egress.home.arpa/world-https: "allow"
egress.home.arpa/internet-https: "allow"
image:
repository: docker.io/benbusby/whoogle-search
repository: ghcr.io/benbusby/whoogle-search
tag: 0.8.4
env:
HTTPS_ONLY: 0
@@ -30,13 +30,13 @@ spec:
WHOOGLE_CONFIG_SAFE: 0
WHOOGLE_CONFIG_STYLE: 'body {max-width: 100% !important} :root { --whoogle-dark-logo: #6E6C7E; --whoogle-dark-page-bg: #1E1E2E; --whoogle-dark-element-bg: #302D41; --whoogle-dark-text: #D9E0EE; --whoogle-dark-contrast-text: #F2CDCD; --whoogle-dark-secondary-text: #988BA2; --whoogle-dark-result-bg: #302D41; --whoogle-dark-result-title: #F5E0DC; --whoogle-dark-result-url: #F5E0DC; --whoogle-dark-result-visited: #C9CBFF; } #whoogle-w { fill: #96CDFB; } #whoogle-h { fill: #F28FAD; } #whoogle-o-1 { fill: #FAE3B0; } #whoogle-o-2 { fill: #96CDFB; } #whoogle-g { fill: #ABE9B3; } #whoogle-l { fill: #F28FAD; } #whoogle-e { fill: #FAE3B0; }'
WHOOGLE_CONFIG_URL: "https://${APP_DNS_WHOOGLE}"
WHOOGLE_CONFIG_GET_ONLY: 1
WHOOGLE_CONFIG_GET_ONLY: 0
WHOOGLE_CONFIG_VIEW_IMAGE: 1
WHOOGLE_CONFIG_DISABLE: 1
WHOOGLE_CONFIG_TOR: 0
WHOOGLE_TOR_SERVICE: 0
WHOOGLE_PROXY_TYPE: "socks5"
WHOOGLE_PROXY_LOC: "10.64.0.1:1080"
# WHOOGLE_PROXY_TYPE: "socks5"
# WHOOGLE_PROXY_LOC: "10.64.0.1:1080"
service:
main:
ports:
@@ -59,4 +59,5 @@ spec:
cpu: 5m
memory: 100Mi
limits:
cpu: 3000m
memory: 250Mi
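Review bot: The registry move to `ghcr.io/benbusby/whoogle-search` keeps a bare `tag: 0.8.4` with no digest, whereas the searxng and redis images in this same commit are pinned as `tag@sha256:…`; pin it the same way, `tag: "0.8.4@sha256:<digest>"`, so the registry switch does not also loosen the supply-chain pin. The numeric env values (`HTTPS_ONLY: 0`, `WHOOGLE_CONFIG_GET_ONLY: 0`, `WHOOGLE_CONFIG_TOR: 0`) parse as YAML integers while Pod env values must be strings; unless the chart quotes them, write them as `"0"`/`"1"`, as the searxng release does with `SEARXNG_PORT: "8080"`. If the commented-out `WHOOGLE_PROXY_*` lines are the new side, Whoogle now egresses directly over the cluster's HTTPS path instead of the socks5 proxy; either remove the dead lines or add a one-line comment recording why the proxy was dropped. The enclosing values block continues outside the hunks.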


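--- a/PATH_NOT_ON_PAGE
+++ /dev/null
@@ -1,45 +0,0 @@
----
-# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumnetworkpolicy_v2.json
-apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
-metadata:
-name: &app whoogle
-namespace: *app
-spec:
-endpointSelector: {}
-ingress:
-# same namespace
-- fromEndpoints:
-- matchLabels:
-io.kubernetes.pod.namespace: *app
-# ingress controller
-- fromEndpoints:
-- matchLabels:
-io.kubernetes.pod.namespace: ingress
-app.kubernetes.io/instance: ingress-nginx
-app.kubernetes.io/name: ingress-nginx
-toPorts:
-- ports:
-- port: "5000"
-protocol: TCP
-rules:
-http:
-- {}
-egress:
-# same namespace
-- toEndpoints:
-- matchLabels:
-io.kubernetes.pod.namespace: *app
-# allow Whoogle to connect to public Internet
-- toEntities:
-- world
-toPorts:
-- ports:
-- port: "80"
-- port: "443"
-# allow querying $IP_HOME_DNS
-- toCIDRSet:
-- cidr: "${IP_HOME_DNS}/32"
-toPorts:
-- ports:
-- port: "53"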