fix(zerotier): change to envsubst

Signed-off-by: JJGadgets <git@jjgadgets.tech>
JJGadgets
2023-03-01 23:58:28 +08:00
parent 0cfc83073e
commit 3140f7d67d
6 changed files with 173 additions and 267 deletions


@@ -22,8 +22,8 @@ sops:
UmFEd0UveklMeHpwYmJWcG91cU4xUUUKYKm5ZiuBX5d4oadXp8mNt+v0MASMRbqT
k6WGNihbkfA5z8aLnx4vR7tA4ORv70s7ALXvzZCD0m/fMnG8e9ssdA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-03-01T03:29:52Z"
mac: ENC[AES256_GCM,data:rZhGcMDGdcKm0XOQnVXLW7wOYH4mVAMn7l7mOpF3rCP0iSLfPD4Gy2PsC3GeaUyo3DAj40xUWgRuPpnyQzk1Ow9rp7zl+mzTMeFt6nfhYBUcHD5qYcpbrXIKFYksgL5I48SXcf/1KLmU2uTgGWPa8Sb5t+aqUcCUBJBH0UMDXZo=,iv:Pm2ULbnInwptIbDZGda121vrp7QqDVAdSszwW5nvM/4=,tag:N/CNkC7VPxkjTGMF+ERkww==,type:str]
lastmodified: "2023-03-01T15:50:39Z"
mac: ENC[AES256_GCM,data:zKALrWw0gp8MCMck3kAe0Bbk3aqG6cpn6fOwwPqmdEiYiv5jgnqo/k9Z3K1D4U5e9dFj0Lo9tdKeZJuS6c+asA4Ya7prjTbmTCXhfd9hOQZpehB9v4BZAOfymRBmBRS0WkNdLDoO4C7ePC6nLAi7rP0Xzo9TSuf76z2S3el+uDs=,iv:SfATUbdferXkBAPka6b29u5nk2M/j8E4rVx5WsdLxrM=,tag:FAuJs0EHFnh7Ftz3up7joQ==,type:str]
pgp:
- created_at: "2023-02-26T18:12:43Z"
enc: |
@@ -61,8 +61,8 @@ sops:
UmFEd0UveklMeHpwYmJWcG91cU4xUUUKYKm5ZiuBX5d4oadXp8mNt+v0MASMRbqT
k6WGNihbkfA5z8aLnx4vR7tA4ORv70s7ALXvzZCD0m/fMnG8e9ssdA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-03-01T03:29:52Z"
mac: ENC[AES256_GCM,data:rZhGcMDGdcKm0XOQnVXLW7wOYH4mVAMn7l7mOpF3rCP0iSLfPD4Gy2PsC3GeaUyo3DAj40xUWgRuPpnyQzk1Ow9rp7zl+mzTMeFt6nfhYBUcHD5qYcpbrXIKFYksgL5I48SXcf/1KLmU2uTgGWPa8Sb5t+aqUcCUBJBH0UMDXZo=,iv:Pm2ULbnInwptIbDZGda121vrp7QqDVAdSszwW5nvM/4=,tag:N/CNkC7VPxkjTGMF+ERkww==,type:str]
lastmodified: "2023-03-01T15:50:39Z"
mac: ENC[AES256_GCM,data:zKALrWw0gp8MCMck3kAe0Bbk3aqG6cpn6fOwwPqmdEiYiv5jgnqo/k9Z3K1D4U5e9dFj0Lo9tdKeZJuS6c+asA4Ya7prjTbmTCXhfd9hOQZpehB9v4BZAOfymRBmBRS0WkNdLDoO4C7ePC6nLAi7rP0Xzo9TSuf76z2S3el+uDs=,iv:SfATUbdferXkBAPka6b29u5nk2M/j8E4rVx5WsdLxrM=,tag:FAuJs0EHFnh7Ftz3up7joQ==,type:str]
pgp:
- created_at: "2023-02-26T18:12:43Z"
enc: |
@@ -87,6 +87,8 @@ stringData:
TEST: ENC[AES256_GCM,data:Hg7qUIV8/LcdFZT2,iv:jgNFUecJhj9EgkFCexym843VQUJQJVHW2Ne4H59BUa4=,tag:G/D7ZjLSkNQAJN4TOMSaaw==,type:str]
SECRET_SANDSTORM_ADMIN_PASSWORD: ENC[AES256_GCM,data:iYMzuIT3l8Na9R+ivzw/,iv:aSz/PDfnf5NjprFP0F/8MSCHbSNvW1jPKGO3OXM63wE=,tag:TXpMceEeEQMDpSpSwkihTA==,type:str]
CLOUDFLARE_API_KEY: ENC[AES256_GCM,data:IjhX7PRvlOrAZHhld4eUTnk0U6e+26ddBvDAzskqal68OKDhnYNGcQ==,iv:Jh+AZONqsY3nlpdG+mgwQNkHFTB38DOPCUhMZVHNIqI=,tag:PWRooXwDuDWZ8/oRfxKslA==,type:str]
SECRET_ZEROTIER_UI_USERNAME: ENC[AES256_GCM,data:n3lq4WdMRg==,iv:5jq1lh6am9O8L472YLhef4BRvokIYqmpNY4MTnkADIs=,tag:+rmMEwzNWfQLEsnoms1Erw==,type:str]
SECRET_ZEROTIER_UI_PASSWORD: ENC[AES256_GCM,data:e1bY9uZlLmKVKatA6SRcd0iO/78OnQbM,iv:tR01q+o6YMgLdEavGaZY+IHR1SF/6lo48zcebgr9SRE=,tag:kf6Qcd/VuYTePyBp5rPW8A==,type:str]
sops:
kms: []
gcp_kms: []
@@ -102,8 +104,8 @@ sops:
UmFEd0UveklMeHpwYmJWcG91cU4xUUUKYKm5ZiuBX5d4oadXp8mNt+v0MASMRbqT
k6WGNihbkfA5z8aLnx4vR7tA4ORv70s7ALXvzZCD0m/fMnG8e9ssdA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-03-01T03:29:52Z"
mac: ENC[AES256_GCM,data:rZhGcMDGdcKm0XOQnVXLW7wOYH4mVAMn7l7mOpF3rCP0iSLfPD4Gy2PsC3GeaUyo3DAj40xUWgRuPpnyQzk1Ow9rp7zl+mzTMeFt6nfhYBUcHD5qYcpbrXIKFYksgL5I48SXcf/1KLmU2uTgGWPa8Sb5t+aqUcCUBJBH0UMDXZo=,iv:Pm2ULbnInwptIbDZGda121vrp7QqDVAdSszwW5nvM/4=,tag:N/CNkC7VPxkjTGMF+ERkww==,type:str]
lastmodified: "2023-03-01T15:50:39Z"
mac: ENC[AES256_GCM,data:zKALrWw0gp8MCMck3kAe0Bbk3aqG6cpn6fOwwPqmdEiYiv5jgnqo/k9Z3K1D4U5e9dFj0Lo9tdKeZJuS6c+asA4Ya7prjTbmTCXhfd9hOQZpehB9v4BZAOfymRBmBRS0WkNdLDoO4C7ePC6nLAi7rP0Xzo9TSuf76z2S3el+uDs=,iv:SfATUbdferXkBAPka6b29u5nk2M/j8E4rVx5WsdLxrM=,tag:FAuJs0EHFnh7Ftz3up7joQ==,type:str]
pgp:
- created_at: "2023-02-26T18:12:43Z"
enc: |


@@ -22,6 +22,8 @@ data:
APP_DNS_INGRESS_WILDCARD: ENC[AES256_GCM,data:7OG0ww6rUzU=,iv:5ig0dQIfSVxbQS7nuqQygRcBKk8UmBFxX0unVT9bdzE=,tag:mCOMUNFEZs5IFvVrRNpFiQ==,type:str]
APP_IP_NGINX: ENC[AES256_GCM,data:9Kg5zjk+1XfUHg==,iv:dbO0hMMho8J3t0mz6Eb5uMDB3QUCjG5pXPdeuQUFbNE=,tag:ICGE5EVo27W0rUB+Jekf2Q==,type:str]
APP_IP_K8S_GATEWAY: ENC[AES256_GCM,data:oakciyUzwLlGJsc=,iv:leuHfW59gWSDaEpaOEMGbSpGFtbzAnoRp4spLxlTEq0=,tag:vltbWvNKa4QvEgXXo58d/A==,type:str]
APP_IP_ZEROTIER: ENC[AES256_GCM,data:GjIY+6p4+6milRg=,iv:agX8rov+AtECRVeOu3wmoQRVWMNutOc3a69fzWY6eoA=,tag:NS0yiFfBTWt7/P9an/3OQw==,type:str]
APP_DNS_ZEROTIER: ENC[AES256_GCM,data:On0V31SI96BRUOjQ,iv:H50ISSmHflDqOqURbwBrcWRkvOQGlVI3mnSXfY8pZ28=,tag:/VlnnoGna2H3L0LGMWF0dw==,type:str]
APP_UID_MINECRAFT: ENC[AES256_GCM,data:ArIA644=,iv:Q3SqB3O2nrPrOUcwhhbdXiegsty/TlHIllH/wRicYo8=,tag:yTGH0JEXPOCfqB5iU1azCA==,type:str]
APP_DNS_MINECRAFT: ENC[AES256_GCM,data:XYM4FJAjpDBg,iv:bmnvwvaKOKfY2+S7O0PyV8JOtOH9m94eUIQa2M97RfY=,tag:tvIllwZ72w4GbEqZJjZX7A==,type:str]
APP_IP_MINECRAFT: ENC[AES256_GCM,data:tU18Ee5Vi98mNRw=,iv:MSNHyroetvWu1wPdPE2+JtxDegZZj25QfcQVq8hcywE=,tag:wxhrsqA5lCPlRwjFgrtPHg==,type:str]
@@ -40,6 +42,8 @@ data:
CONFIG_SANDSTORM_MUTATORS: ENC[AES256_GCM,data:HumP4HOeZ06JaFBHCl9PHza5orjTVWfmLBq3kSdW+ygD+Avf6dDM+BVm7GkoqRIPtWEJMyMcOOUyF1bzbzrNca/PkMsNsP6/YspRd+QsH+w6JxsGSMqxEpKzN4wbBuIRH7PYbp7PncBOmoOMAOaYW3BEnsdBcV4II7V0+sAKPNQ4zsi0y6LmLaCFtjAOQhi6MMSPfcl9JTD6UoLizD8=,iv:BwbTdDXi6nVqtF7TrSoDLxJKz3Xv6gKZFiU2D2bRgkY=,tag:atIZxrt/BJdijPf2fMDEvw==,type:str]
CONFIG_SANDSTORM_INIT_MAP: ENC[AES256_GCM,data:uaM2kX5hlN2BoQ==,iv:U2jmxP35cy/eWT1JTdfr6Z3b4NAzIHG55Kb4emoAin0=,tag:rNCaa5zwKHesrto092oUcg==,type:str]
CONFIG_SANDSTORM_INIT_SCENARIO: ENC[AES256_GCM,data:OJVCFbvqWXuYUPvdCiwRngUzfw==,iv:1NkA4VaF/xUdudDD2W5dHEDw55dkzwo2sof5krinJz0=,tag:rmD5eZpnHpOcSJXel3AQbg==,type:str]
CONFIG_ZEROTIER_ENDPOINT: ENC[AES256_GCM,data:We/k3H6tvdmYoZ+i27Lll3bLRhXquz3fvztDI9T4tPjRc4uhG6fkpoa04hEAJffZc7yWNFUzUycPAp0=,iv:B6QCm/4bR68QEudl5o9kwJ6OtQvn1RrWeS6/W+Iaf/Q=,tag:S5xCE5e97gsBId7tpQA/mQ==,type:str]
CLUSTER_NAME: ENC[AES256_GCM,data:UTNoF7TkZ/Le,iv:mkA1AMzFXq0XEbprrqFCVWEyU37m/2y0P2SDzjDyTmw=,tag:bmh3LiqDrLEYuCzH1TnJzw==,type:str]
sops:
kms: []
gcp_kms: []
@@ -55,8 +59,8 @@ sops:
SnpvS3RUUlFMM1dUNGZQNkVqQ2VqNDAKywch6CgtS1AFLYxfML5dB7/5V6qZ0ob1
63vBpqjOza3EqvfNKo+UMtK/fRK0Q5jlpuI+0/z9VrxzKEWsgUCBVQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-02-27T19:05:44Z"
mac: ENC[AES256_GCM,data:EjwdMQr5oeoQl159Djtc896Mywd0CJ8m2xL/IrZAtRJtlBHeYJG+/7Iolo12vav079loAXWf0s0HOOcjjkB1VARgbPq8qjA8fokEPNyUHBNI5QU2CTV8t07yYWIXe2C8y117vTUDRj2LRsH4ACS88MerFaTEJQOxD0jHQQclIHc=,iv:gDBWUs84iNNP/aTW1U7bcHu1sNUm+78Eliis/xN/Czo=,tag:IzPdGWKUwo5izx1p1LPYlw==,type:str]
lastmodified: "2023-03-01T15:51:06Z"
mac: ENC[AES256_GCM,data:3FTlFbBF/lUxKYqd4jepWC3elJfvKoLkmcXPAa+Myym+IYJ1v0GD32ysAS/t4J2x+Dk7MKgn1JL2nFq3qbVl4Vgg1qpfudw8GGASvEKFotdBtKG1JEsfsE2ihPqAXlyfEvSuQDEFrc99vGnWOvW2Yr6t+2/BMYIwYCTFEGGXKa4=,iv:ZUEf3VnlEB8VWggBjfci2tjU3rDDApwLv9HxWI5WkHA=,tag:L97F+DujKhxAcb9Mofn6Zg==,type:str]
pgp:
- created_at: "2023-02-22T08:12:31Z"
enc: |


@@ -2,6 +2,6 @@ creation_rules:
- path_regex: .*.yaml
encrypted_regex: ^(hosts|host|ZU_DEFAULT_USERNAME|ZU_DEFAULT_PASSWORD|ZU_CONTROLLER_ENDPOINT|nameservers|secretName|commonName|dnsNames|loadBalancerIP|externalIPs|ZT_ALLOW_MANAGEMENT_FROM)$
age: >-
age1xl3fcwdw56k73lraxsjhde4ygwn7jw0js5l5qw7vsp54vc5czuwstcejxu
age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj
pgp: >-
31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2


@@ -4,42 +4,42 @@ metadata:
name: vpncert
namespace: zerotier
spec:
secretName: vpn
secretName: ENC[AES256_GCM,data:0hrZ,iv:xxUvw0q2Mu4DKn1+p6Y+mL68Y8D9o4zB/si7jeIYNO8=,tag:nKO3FoGWMOOSni+Dhn92tA==,type:str]
issuerRef:
name: letsencrypt-production
kind: ClusterIssuer
commonName: ENC[AES256_GCM,data:F33BisRxtWnR,iv:QF/RZ60g3x7TLx1DWRol7oI5xMGgoqxcfMVq97tcIZs=,tag:Uv9joDxvT3GNKvO4pGDxFw==,type:str]
commonName: ENC[AES256_GCM,data:ID/wwJqSxffe,iv:9AMufuWk//7wI794F5G62Vv0IlvxDJPjAJh/z3epPVo=,tag:Lsrnu2vP6GpR91fRlkNvLA==,type:str]
dnsNames:
- ENC[AES256_GCM,data:PkL7qPL20fen,iv:TjKzrublOKuIjFb+o8A7m4QYKmmpEJwOfzCR+Gh+/1w=,tag:17Gx2VaK3vseajY6RLOHAA==,type:str]
- ENC[AES256_GCM,data:1ukzW7igCwNVIOc=,iv:tSTBly5j9v5LDU7+bPJkHPolH6nCU6tx6BFQNPSPWQk=,tag:AOo2zH0stZGwlnvwQLwN5A==,type:str]
- ENC[AES256_GCM,data:K4uAzmvDrUU9,iv:iQe4azjqY7IoeXven6UnK/gPuVroibkio/Vph+QgBOI=,tag:c2W7rZSkwv3IwMsGLD9SgQ==,type:str]
- ENC[AES256_GCM,data:mJWJHXlj7pZ56xA=,iv:MsxCanR2cQNJmnWApwqxAmn45zQIxlROAVi0wqMhNc4=,tag:7psuoMpPu3kX1w6p3tiz2g==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1xl3fcwdw56k73lraxsjhde4ygwn7jw0js5l5qw7vsp54vc5czuwstcejxu
- recipient: age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSaW51TS93b0JoaDhYSDJN
Ym9FL0lxZnZJNHJBcENDNDhwWlA3RGY5SzNVCmkyOXBFME9leEx2RVlaWTJDMXM3
TVJqb0F3QlpnZmVTMnV2R243LzBjbTQKLS0tIEgzY1F5TTQzSCtZUG1ralJRdXBF
RWlFUkJWQmJ4REQ0dEJ1encydFlGamsKSi0qRECk9btBSszv3fVW6/vXhbmq3sqR
chGfT4Ot5JnRWarC9EfeXWStc6zTfGd2hXksTltJS4IADLlUrkpmMA==
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsNlhwWDgzSW1VSTIraGpQ
dGxpU3BjNy9qN3YzYVdKS1g4OEZCSzl1QnprCnErbDcyTmQ5ZTB2czNsbGFWbGcz
UlVlZC8yMzMxZ2ZpLzgvWEJsalowZ0EKLS0tIFJDbDg4SlFqZVRObHJTVFVMMjN1
WWZzN0VORmh0SlNXWHZRdkNQTjFqOU0KWMCPoge9kKQdNCN3WeAx1QHhit0oEHFT
ZCudRntexd0Nrby2OC0KcXOXCH1fTJEQdPD29EjlXTig86QRp/aP7Q==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-02-09T02:46:50Z"
mac: ENC[AES256_GCM,data:FWwBePlkgSsqkRnG/z9pFN0fA0zXPZyORPXGcVsN4J3FgqyIiGHmVxXo+dkbPGlTg6W8PA3q816BqKVU3DRKnql9K4XYVaMJaonmkPYrumzVeYOn7Kp0ButPogTQ6oRnogtBHxPZIDHf0AjXlu2GeoJF+OiFkSy4sXEJnbB/1ok=,iv:rzy1fl8X1u+Fr1j+M1B3qEyvcgHZn7/ajbZW5oRlxi8=,tag:u8QT77mGcp2FqRRCuW96IQ==,type:str]
lastmodified: "2023-03-01T15:32:38Z"
mac: ENC[AES256_GCM,data:h7eRRJEnFOLtxwPDO5isAeB8YlAnNuAr03KqkV0syH44Z+C4sXuCdx0LzxI97qLPrifvTFabCbx1gbfKXj0iWbarzaUKGjKVncvDOdqDicntz5XRLtxxr2/JRTiqQTshgGNoAN5gzpAD6yRmxjlGoZ76R87aed47mdchrzA3Jq0=,iv:Y+53dKQjK5JRfIkq4gsepHAx5oBHjVikGBcNY9Qk2nM=,tag:+iSBsZMzQaNZpUccRA4WCw==,type:str]
pgp:
- created_at: "2023-01-29T08:02:26Z"
- created_at: "2023-03-01T15:32:37Z"
enc: |
-----BEGIN PGP MESSAGE-----
hF4DAAAAAAAAAAASAQdA81QJphfeu8v+QdqR2+TGj/+lGg5zDEGyiBx79dHJQHkw
FxBYeRRjCyEFGAFtmhOw5ZEOWaDaS3TofQfBhXBevO8xouEQqW5F8YcKCBLrH6tl
0lwBIGHtZjpAklRejcj/QzuVt9clWIKcl1cy92P/AzsNNQ0mb4h6MoO+83lIEI57
/7vP0M3zPef7huZHV+Kfb7C4MMo+LNl59EwvhrTB+0BmHA9ZexffMuvE8VnfGA==
=m/wv
hF4DAAAAAAAAAAASAQdAhQox1ebxBCSRViomIaf2wSxH/2BtXiAk0wQBOnvwTHEw
Ji3mOrg7G4dPzVsiBTNRvhlB848J0+5dV9B2p85BLgyEKljYheG6L78BQp7QILEa
0l4Bn9Ev6JtqZuj+9EyXAJJ9RUX9MBdftNOLu399qd4HxdAg4tV+l34SF0C8x/TG
ZOKtQYenHEQHygoXuPrip9bnYGruc0d4jNv96S0zeanQx/N/X7vSPAIjTjR9qMBg
=7MhE
-----END PGP MESSAGE-----
fp: 31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2
encrypted_regex: ^(data|stringData|commonName|dnsNames|externalIPs)$
encrypted_regex: ^(hosts|host|ZU_DEFAULT_USERNAME|ZU_DEFAULT_PASSWORD|ZU_CONTROLLER_ENDPOINT|nameservers|secretName|commonName|dnsNames|loadBalancerIP|externalIPs|ZT_ALLOW_MANAGEMENT_FROM)$
version: 3.7.3
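Review bot: Encrypting `secretName` in this Certificate buys no confidentiality, because the zerotier-ui HelmRelease in the same commit names what is presumably the same TLS secret in clear as `secretName: vpn`. The diff markers are lost on this page, but the newer `lastmodified` and `created_at` stamps follow the older ones, so the `ENC[...]` value and the wider `encrypted_regex` look like the new side. With the name as ciphertext a reviewer can no longer confirm from the manifest that the Certificate and the ingress `tls` entry point at the same secret. Consider keeping `secretName: vpn` in clear and dropping `secretName` from this file's `encrypted_regex`, leaving `commonName` and `dnsNames` encrypted.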


@@ -1,136 +1,85 @@
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: zerotier-controller
namespace: zerotier
name: zerotier-controller
namespace: zerotier
labels:
helm.flux.home.arpa/app-template: "true"
spec:
interval: 15m
chart:
spec:
chart: app-template
version: 1.2.1
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
maxHistory: 3
install:
createNamespace: true
remediation:
retries: 3
upgrade:
cleanupOnFail: true
remediation:
retries: 3
uninstall:
keepHistory: false
values:
controller:
type: statefulset
strategy: RollingUpdate
fullNameOverride: zerotier-controller
image:
repository: docker.io/zyclonite/zerotier
tag: 1.10.2
env:
ZT_OVERRIDE_LOCAL_CONF: "true"
ZT_ALLOW_MANAGEMENT_FROM: ENC[AES256_GCM,data:VH9ehVW2Gsx0,iv:cGaRGaaiCfiu1eab2nOZlTF+nMrzDZfmDQlKaQpr40Q=,tag:M9bdtwAXDmq2X04q9lH5Uw==,type:str]
dnsPolicy: ClusterFirstWithHostNet
dnsConfig:
options:
- name: ndots
value: "1"
# nameservers:
# - fake.ip
securityContext:
capabilities:
add:
- NET_ADMIN
- NET_RAW
- SYS_ADMIN
nodeSelector:
node-restriction.kubernetes.io/nodeType: awsIngress
service:
main:
enabled: true
primary: true
type: LoadBalancer
externalTrafficPolicy: Local
loadBalancerIP: ENC[AES256_GCM,data:jCBcilAyQp6zh0w=,iv:TEcZcmRUjmceJWnK6trGPobjzJX2b10JQs66LzcEqo4=,tag:J+vHaQz+c8zsB+AG6MAMDA==,type:str]
externalIPs:
- ENC[AES256_GCM,data:IljGes300xWBgCU=,iv:gmrYURklq16DO3RIUZWiPdYs5iBU0znUhbj+CvwO4WA=,tag:OshcQs1DnlGVtyVNPZLJMA==,type:str]
ports:
http:
enabled: false
zerotier-udp:
enabled: true
protocol: UDP
port: 9993
targetPort: 9993
zerotier-tcp:
enabled: true
protocol: TCP
port: 9993
targetPort: 9993
peers:
enabled: true
type: NodePort
externalTrafficPolicy: Local
ports:
http:
enabled: false
peers-udp:
enabled: true
protocol: UDP
port: 9993
targetPort: 9993
nodePort: 9993
peers-tcp:
enabled: true
protocol: TCP
port: 9993
targetPort: 9993
nodePort: 9993
persistence:
zerotier-one:
enabled: true
type: pvc
mountPath: /var/lib/zerotier-one
retain: true
existingClaim: zerotier-one
tun:
enabled: true
type: hostPath
hostPath: /dev/net/tun
readOnly: true
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1xl3fcwdw56k73lraxsjhde4ygwn7jw0js5l5qw7vsp54vc5czuwstcejxu
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB4WnhlQXBxdnFDeTdBTytu
cy9PemM4Q3R4R1Z0NkZGa1l6RFNpdG84dkVNCktocVMrcEtkRUtteHlRbmFYcDhE
d29KMklMQmRXN05NWVZvQ3MzcUtQd28KLS0tIDd2NWNPay9OdUY2M3crQjR0L0dj
UkM0WGxFNVlsQ2J6ZEkwaE0zK3FybTQKgfMnTou0TApYFiECmXVg7PVOQst2m6B1
4tvRYJL7lOztp+Cs4hWqMxrBnWtYTxRkuiGTAW5MK3Zmu4I2A2wDmQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-03-01T03:11:52Z"
mac: ENC[AES256_GCM,data:Y4oqNB7jL/5LiOVzFhdjCBIg5srvxaC432c7aOovxOM2+aDGQfkfcnEli4Lrvzsxabbu99hwb3q83YNHLzzEubuoAra+PxfnNT9Uzvg7mmlxcIr7d1kV6ue7KvIoXNdnoNtyhQND41SbvYzmVt8Dd1hHOOVAVvMg2QVdIHf77Po=,iv:2TPYuipTlloNAlBz3CJ6GGYb9IVLGXKr6WBcDmXJnIE=,tag:0IO3YPwwTlbd8Bz27upXsQ==,type:str]
pgp:
- created_at: "2023-02-09T03:25:06Z"
enc: |
-----BEGIN PGP MESSAGE-----
hF4DAAAAAAAAAAASAQdAHyfug5pftJG3pIFJjTtawQpD3r9oszgqgQj+nlMlr0Yw
bch6ktVJjrJ0w9or7wwgz0ssPYXy076/HF9C2qu3LAyoVBLSAF3QscZXvgFG8pua
0l4B7kXiw8Mnf6KdtjRaEJ9bbJA3dXxwpdlRA0Mi+9EpOfidsrjRvfsdzNmAV4lq
OvRpr+6Q/KV0fOrhT+snxymFaoOtaclq1ZZLpEGCaH+b5R+oeJ2SiqOB437k+zLE
=5/3C
-----END PGP MESSAGE-----
fp: 31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2
encrypted_regex: ^(hosts|host|ZU_DEFAULT_USERNAME|ZU_DEFAULT_PASSWORD|ZU_CONTROLLER_ENDPOINT|nameservers|secretName|commonName|dnsNames|loadBalancerIP|externalIPs|ZT_ALLOW_MANAGEMENT_FROM)$
version: 3.7.3
values:
controller:
type: statefulset
strategy: RollingUpdate
fullNameOverride: zerotier-controller
image:
repository: docker.io/zyclonite/zerotier
tag: 1.10.2
env:
ZT_OVERRIDE_LOCAL_CONF: "true"
ZT_ALLOW_MANAGEMENT_FROM: 0.0.0.0/0
dnsPolicy: ClusterFirstWithHostNet
dnsConfig:
options:
- name: ndots
value: "1"
securityContext:
capabilities:
add:
- NET_ADMIN
- NET_RAW
- SYS_ADMIN
nodeSelector:
node-restriction.kubernetes.io/nodeType: main
service:
main:
enabled: true
primary: true
# type: LoadBalancer
# externalTrafficPolicy: Local
# loadBalancerIP: "${APP_IP_ZEROTIER}"
# externalIPs:
# - "${APP_IP_ZEROTIER}"
# ports:
# http:
# enabled: false
# zerotier-udp:
# enabled: true
# protocol: UDP
# port: 9993
# targetPort: 9993
# zerotier-tcp:
# enabled: true
# protocol: TCP
# port: 9993
# targetPort: 9993
# peers:
# enabled: true
type: NodePort
externalTrafficPolicy: Local
ports:
http:
enabled: false
peers-udp:
enabled: true
protocol: UDP
port: 9993
targetPort: 9993
nodePort: 9993
peers-tcp:
enabled: true
protocol: TCP
port: 9993
targetPort: 9993
nodePort: 9993
persistence:
zerotier-one:
enabled: true
type: pvc
mountPath: /var/lib/zerotier-one
retain: true
existingClaim: zerotier-one
tun:
enabled: true
type: hostPath
hostPath: /dev/net/tun
readOnly: true
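Review bot: `ZT_ALLOW_MANAGEMENT_FROM: 0.0.0.0/0` in the new `env` block accepts management connections from any source address, while the same values publish TCP 9993 through `type: NodePort` with `nodePort: 9993`. If the image maps this variable onto ZeroTier's allowManagementFrom setting, as its name suggests, the controller API is then protected only by its auth token. Restricting it to the range the UI pod connects from, for example `ZT_ALLOW_MANAGEMENT_FROM: "${CONFIG_ZEROTIER_MGMT_CIDR}"` (placeholder variable name), keeps the envsubst approach without the wildcard. Separately, with `# peers:` commented out, the `type: NodePort` and `ports:` keys that follow appear to fall under `main`; indentation is lost on this page, so confirm the rendered Service is the one intended.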


@@ -1,111 +1,62 @@
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: zerotier-ui
namespace: zerotier
name: zerotier-ui
namespace: zerotier
labels:
helm.flux.home.arpa/app-template: "true"
spec:
interval: 15m
chart:
spec:
chart: app-template
version: 1.2.1
sourceRef:
kind: HelmRepository
name: bjw-s
namespace: flux-system
maxHistory: 3
install:
createNamespace: true
remediation:
retries: 3
upgrade:
cleanupOnFail: true
remediation:
retries: 3
uninstall:
keepHistory: false
values:
controller:
type: statefulset
strategy: RollingUpdate
fullNameOverride: zerotier-ui
image:
repository: docker.io/dec0dos/zero-ui
tag: 1.5.1
env:
ZU_CONTROLLER_ENDPOINT: ENC[AES256_GCM,data:zAhu03Pf5dtJVcOovxDULhRQg3IrsoGD5ggbA+1f9M98UkTGWiVY2CjZVaPg9FXjjJQLW+wH7eNGH6Q=,iv:XRfEtIvdoGYbOR2iR+Y+LsxdSyWP7m0Lb5xKGus5SxQ=,tag:VyQ9jP+K1hTYu3uuoTLYcA==,type:str]
ZU_SECURE_HEADERS: "true"
ZU_DEFAULT_USERNAME: ENC[AES256_GCM,data:9bSzd2KLzw==,iv:e47uZg9rCjkgs4216ZMN0+TuDjeDOo0/B7Sw19cIdt4=,tag:2foh8j4h5y7mRJ9N0UY9ZA==,type:str]
ZU_DEFAULT_PASSWORD: ENC[AES256_GCM,data:u9qF0eVeyqM0muEEcsH2tiULAOmBLI8H,iv:KkrS2Vj95a+s0gW8qSVztlyEy03FmztgOJNL+lMA/lk=,tag:XKH3h6To2y/XtAYymwDxDg==,type:str]
# dnsPolicy: None
dnsConfig:
options:
- name: ndots
value: "1"
# nameservers:
# - fake.ip
service:
main:
ports:
http:
port: 4000
ingress:
main:
enabled: true
ingressClassName: nginx
hosts:
- host: ENC[AES256_GCM,data:T1zkZ4qRSQCqeFfR,iv:9qE3EspO4omI9sWuX1u2J5O9GuOtQaVLfBAf/jeT2u0=,tag:YqUvoT5dwx63UM/htbrRJw==,type:str]
paths:
- path: ENC[AES256_GCM,data:ag==,iv:sWpz7xwLy7njFZXW4rVFgHp0QesZ8XcEGxm7UW5vccs=,tag:970D7QvBxzQ67aboS3N1Qg==,type:str]
pathType: ENC[AES256_GCM,data:XbEbgilh,iv:WNXxaiA5P2/uHOsFviGZT/raLO+hc5NbIpCT+YA5n/c=,tag:P0q3wauFUKXUPQFgmPbn/Q==,type:str]
tls:
- hosts:
- ENC[AES256_GCM,data:eUL5pUezplowjyci,iv:eVvP9njgYh2uVnrSiQ9xtFJQ2XkPRlyiwuhO2K+0Fw0=,tag:XtxJAUsmmIsDvPy+8W/j7w==,type:str]
secretName: ENC[AES256_GCM,data:i8GW,iv:B+b4MPSwGBZRAsABbly1t8XgL0AVRuDbi8cfw1OjX1M=,tag:vA0m8jFfQux4MKcJ12TIiw==,type:str]
persistence:
zerotier-one:
enabled: true
type: pvc
mountPath: /var/lib/zerotier-one
retain: true
existingClaim: zerotier-one
zerotier-ui-data:
enabled: true
type: pvc
mountPath: /app/backend/data
readOnly: false
accessMode: ReadWriteOnce
storageClass: block
size: 1Gi
retain: true
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1xl3fcwdw56k73lraxsjhde4ygwn7jw0js5l5qw7vsp54vc5czuwstcejxu
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxdTJzZjRZSExQWm5rSGxQ
YS9IYk1zMEFmUGtzckN2N0t5SnE5a1hSOG1FCnNPUkgyVlNXdlZBQlNqVkF3Qm56
L0xoSVVtUjdpenp4RlF5ZERpWkRybzQKLS0tIDRQU2Q3SUQwTXltMTNTTDFPVGdX
eWRxUUpKdGJybHVnZG1TamtlWUtLZE0K0YlJVZbj/18ARi5+KsoEZZV4TiWlOGRh
uCwFK2znj1m8Q9ErCFSXLc1MVtVfhcXx8JgNZhtoz7V9l8p9dyKPhg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-02-10T16:02:23Z"
mac: ENC[AES256_GCM,data:D1E7pktkIqCvTyY4uIEvI/W+TUMGeKKOAhXDkXoBUBCIorWsOl05l4iZE03bUBL+YERwD2KwOgP3gEdC4lDrXqD6uF22u4DvywXlkPiMoIMWFq6UN6M4XNqUKKTq+JlojTdwItZC4O+lIBEbz5iteoj3IN+qsLbVen0qCy3vWXE=,iv:cbAZQufjBsn7LIrMjHSMDfdwB2UXG5lzx9ZmnncRb1o=,tag:zRcKKv2lLfcPxia+Nfr3FA==,type:str]
pgp:
- created_at: "2023-02-08T19:24:20Z"
enc: |
-----BEGIN PGP MESSAGE-----
hF4DAAAAAAAAAAASAQdACIaRZaDeWUhEc3JZV3/IDGRn8EVhCdZwZdQnONhmUzAw
glSkslUmetrcdwAbucn5s+SXC2PBt3gIz7OV7EahbBPNf56NBi5b0O+HCKNc8LRj
0l4B75cK4zS8g82hx7gazdnG33S7L1d4m7G7FE5MOZ+UhOeeM2CF7prmXNUQ87iL
0CWCTpOlu1bLU8EktGQh1hfoIzTxnIJHcC4JZM8EfMH5b1dJDSC3HGbo2Qw9p6R8
=2zwW
-----END PGP MESSAGE-----
fp: 31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2
encrypted_regex: ^(hosts|host|ZU_DEFAULT_USERNAME|ZU_DEFAULT_PASSWORD|ZU_CONTROLLER_ENDPOINT|nameservers|secretName|commonName|dnsNames|externalIPs|ZT_ALLOW_MANAGEMENT_FROM)$
version: 3.7.3
values:
controller:
type: statefulset
strategy: RollingUpdate
fullNameOverride: zerotier-ui
image:
repository: docker.io/dec0dos/zero-ui
tag: 1.5.1
env:
ZU_CONTROLLER_ENDPOINT: "${CONFIG_ZEROTIER_ENDPOINT}"
ZU_SECURE_HEADERS: "true"
ZU_DEFAULT_USERNAME: "${SECRET_ZEROTIER_UI_USERNAME}"
ZU_DEFAULT_PASSWORD: "${SECRET_ZEROTIER_UI_PASSWORD}"
nodeSelector:
node-restriction.kubernetes.io/nodeType: main
# dnsPolicy: None
dnsConfig:
options:
- name: ndots
value: "1"
service:
main:
ports:
http:
port: 4000
ingress:
main:
enabled: true
ingressClassName: nginx
hosts:
- host: "${APP_DNS_ZEROTIER}"
paths:
- path: /
pathType: Prefix
tls:
- hosts:
- "${APP_DNS_ZEROTIER}"
secretName: vpn
persistence:
zerotier-one:
enabled: true
type: pvc
mountPath: /var/lib/zerotier-one
retain: true
existingClaim: zerotier-one
zerotier-ui-data:
enabled: true
type: pvc
mountPath: /app/backend/data
readOnly: false
accessMode: ReadWriteOnce
storageClass: block
size: 1Gi
retain: true
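Review bot: `ZU_DEFAULT_PASSWORD: "${SECRET_ZEROTIER_UI_PASSWORD}"` and the username next to it are filled in by text substitution, so the applied HelmRelease carries the credentials as literals in `spec.values` and the pod receives them as plain `env` values. Anyone who can read HelmReleases or the StatefulSet in the `zerotier` namespace can then read the UI admin password; this assumes the `${...}` markers are resolved by Flux post-build substitution, which the commit title suggests but the page does not show. The app-template `env` map accepts a `valueFrom` entry, to my knowledge (verify for chart 1.2.1), so both credentials can be referenced from a Secret in the workload's namespace instead, as sketched below. The Secret name there is a placeholder, and non-sensitive values such as `ZU_CONTROLLER_ENDPOINT` can stay on substitution.

```yaml
env:
  # … unchanged: ZU_CONTROLLER_ENDPOINT, ZU_SECURE_HEADERS …
  ZU_DEFAULT_USERNAME:
    valueFrom:
      secretKeyRef:
        name: zerotier-ui-credentials  # placeholder Secret name
        key: SECRET_ZEROTIER_UI_USERNAME
  ZU_DEFAULT_PASSWORD:
    valueFrom:
      secretKeyRef:
        name: zerotier-ui-credentials  # placeholder Secret name
        key: SECRET_ZEROTIER_UI_PASSWORD
```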