diff --git a/kube/clusters/biohazard/flux/kustomization.yaml b/kube/clusters/biohazard/flux/kustomization.yaml
index 61e88c9c..628a5dfc 100644
--- a/kube/clusters/biohazard/flux/kustomization.yaml
+++ b/kube/clusters/biohazard/flux/kustomization.yaml
@@ -98,7 +98,7 @@ resources:
 - ../../../deploy/apps/miniflux/
 - ../../../deploy/apps/elk/
 - ../../../deploy/apps/firefly/
- - ../../../deploy/apps/libreddit/
+ - ../../../deploy/apps/redlib/
 #- ../../../deploy/apps/livestream/
 #- ../../../deploy/apps/livestream/oven
 - ../../../deploy/apps/soft-serve/
diff --git a/kube/deploy/apps/libreddit/app/hr.yaml b/kube/deploy/apps/libreddit/app/hr.yaml
deleted file mode 100644
index c4ab462b..00000000
--- a/kube/deploy/apps/libreddit/app/hr.yaml
+++ /dev/null
@@ -1,75 +0,0 @@
----
-apiVersion: helm.toolkit.fluxcd.io/v2beta2
-kind: HelmRelease
-metadata:
- name: &app libreddit
- namespace: *app
-spec:
- chart:
- spec:
- chart: app-template
- version: 1.5.1
- sourceRef:
- name: bjw-s
- kind: HelmRepository
- namespace: flux-system
- values:
- global:
- fullnameOverride: *app
- automountServiceAccountToken: false
- controller:
- type: deployment
- replicas: 1
- image:
- repository: ghcr.io/auricom/libreddit
- tag: 0.30.1@sha256:58108c7aaf963cd7903c0e35f6af041f9ed77fdf8bd7019f79b9a989846ee97a
- podLabels:
- ingress.home.arpa/nginx-internal: "allow"
- env:
- TZ: "${CONFIG_TZ}"
- LIBREDDIT_SFW_ONLY: "off"
- LIBREDDIT_BANNER: "JJGadgets"
- LIBREDDIT_ROBOTS_DISABLE_INDEXING: "on"
- LIBREDDIT_DEFAULT_THEME: "dracula"
- LIBREDDIT_DEFAULT_FRONT_PAGE: "default"
- LIBREDDIT_DEFAULT_LAYOUT: "card"
- LIBREDDIT_DEFAULT_WIDE: "on"
- LIBREDDIT_DEFAULT_POST_SORT: "hot"
- LIBREDDIT_DEFAULT_COMMENT_SORT: "confidence"
- LIBREDDIT_DEFAULT_SHOW_NSFW: "on"
- LIBREDDIT_DEFAULT_BLUR_NSFW: "on"
- LIBREDDIT_DEFAULT_AUTOPLAY_VIDEOS: "off"
- LIBREDDIT_DEFAULT_DISABLE_VISIT_REDDIT_CONFIRMATION: "false"
- service:
- main:
- ports:
- http:
- port: 8080
- ingress:
- main:
- enabled: true
- primary: true
- ingressClassName: "nginx-internal"
- hosts:
- - host: &host "${APP_DNS_LIBREDDIT}"
- paths:
- - path: /
- pathType: Prefix
- tls:
- - hosts:
- - *host
- dnsConfig:
- options:
- - name: ndots
- value: "1"
- podSecurityContext:
- runAsUser: &uid ${APP_UID_LIBREDDIT}
- runAsGroup: *uid
- fsGroup: *uid
- fsGroupChangePolicy: Always
- resources:
- requests:
- cpu: 10m
- memory: 128Mi
- limits:
- memory: 300Mi
\ No newline at end of file
diff --git a/kube/deploy/apps/libreddit/app/netpol.yaml b/kube/deploy/apps/libreddit/app/netpol.yaml
deleted file mode 100644
index dc888ab2..00000000
--- a/kube/deploy/apps/libreddit/app/netpol.yaml
+++ /dev/null
@@ -1,30 +0,0 @@
----
-# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumnetworkpolicy_v2.json
-apiVersion: cilium.io/v2
-kind: CiliumNetworkPolicy
-metadata:
- name: &app libreddit
- namespace: *app
-spec:
- endpointSelector: {}
- ingress:
- # same namespace
- - fromEndpoints:
- - matchLabels:
- io.kubernetes.pod.namespace: *app
- # ingress controller
- - fromEndpoints:
- - matchLabels:
- io.kubernetes.pod.namespace: ingress
- app.kubernetes.io/instance: ingress-nginx
- app.kubernetes.io/name: ingress-nginx
- toPorts:
- - ports:
- - port: "8080"
- egress:
- # same namespace
- - toEndpoints:
- - matchLabels:
- io.kubernetes.pod.namespace: *app
- - toEntities:
- - world
diff --git a/kube/deploy/apps/libreddit/ks.yaml b/kube/deploy/apps/libreddit/ks.yaml
deleted file mode 100644
index 91131013..00000000
--- a/kube/deploy/apps/libreddit/ks.yaml
+++ /dev/null
@@ -1,10 +0,0 @@
----
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- name: libreddit-app
- namespace: flux-system
-spec:
- path: ./kube/deploy/apps/libreddit/app
- dependsOn:
- - name: 1-core-ingress-nginx-app
\ No newline at end of file
diff --git a/kube/deploy/apps/libreddit/ns.yaml b/kube/deploy/apps/libreddit/ns.yaml
deleted file mode 100644
index ea0bd412..00000000
--- a/kube/deploy/apps/libreddit/ns.yaml
+++ /dev/null
@@ -1,5 +0,0 @@
----
-apiVersion: v1
-kind: Namespace
-metadata:
- name: libreddit
diff --git a/kube/deploy/apps/redlib/app/es.yaml b/kube/deploy/apps/redlib/app/es.yaml
new file mode 100644
index 00000000..dc6e2dda
--- /dev/null
+++ b/kube/deploy/apps/redlib/app/es.yaml
@@ -0,0 +1,23 @@
+---
+# yaml-language-server: $schema=https://crds.jank.ing/external-secrets.io/externalsecret_v1beta1.json
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+ name: &name redlib-secrets
+ namespace: redlib
+spec:
+ refreshInterval: 1m
+ secretStoreRef:
+ kind: ClusterSecretStore
+ name: 1p
+ dataFrom:
+ - extract:
+ key: "redlib - ${CLUSTER_NAME}"
+ target:
+ creationPolicy: Owner
+ deletionPolicy: Retain
+ name: *name
+ # template:
+ # type: Opaque
+ # data:
+ # age.agekey: '{{ .agekey }}'
\ No newline at end of file
diff --git a/kube/deploy/apps/redlib/app/hr.yaml b/kube/deploy/apps/redlib/app/hr.yaml
new file mode 100644
index 00000000..ab75d8f1
--- /dev/null
+++ b/kube/deploy/apps/redlib/app/hr.yaml
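Review bot: The `subscriptions` field that hr.yaml's `secretKeyRef` reads is not pinned anywhere in this ExternalSecret: `dataFrom.extract` copies whatever fields the `redlib - ${CLUSTER_NAME}` item currently has, so a renamed or missing field in the vault item only surfaces later as the redlib container failing to start on the missing secret key. A comment above `dataFrom:` such as `# the item must carry a "subscriptions" field; consumed by hr.yaml via REDLIB_SUBSCRIPTIONS` would record that coupling next to the thing that breaks it. The commented-out `template` block ending in `age.agekey` looks carried over from another app's ExternalSecret and should be dropped rather than left as dead config; the file also has no trailing newline.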
@@ -0,0 +1,112 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/common-3.4.0/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+ name: &app redlib
+ namespace: *app
+spec:
+ interval: 5m
+ chart:
+ spec:
+ chart: app-template
+ version: 3.4.0
+ sourceRef:
+ name: bjw-s
+ kind: HelmRepository
+ namespace: flux-system
+ values:
+ controllers:
+ redlib:
+ type: deployment
+ replicas: 1
+ strategy: RollingUpdate
+ pod:
+ labels:
+ ingress.home.arpa/nginx-internal: allow
+ egress.home.arpa/internet: allow
+ containers:
+ main:
+ image: &img
+ repository: quay.io/redlib/redlib
+ tag: latest@sha256:42db7afd24d3e55ceccb38f6e91ecfd44d78f381a04848bb4de67dae1836a3e4 # for JSON HTTP2 fix
+ env: &env
+ TZ: "${CONFIG_TZ}"
+ REDLIB_SFW_ONLY: "off"
+ REDLIB_BANNER: "JJGadgets"
+ REDLIB_ROBOTS_DISABLE_INDEXING: "on"
+ REDLIB_DEFAULT_THEME: "dracula"
+ REDLIB_DEFAULT_FRONT_PAGE: "default"
+ REDLIB_DEFAULT_LAYOUT: "card"
+ REDLIB_DEFAULT_WIDE: "on"
+ REDLIB_DEFAULT_POST_SORT: "hot"
+ REDLIB_DEFAULT_COMMENT_SORT: "confidence"
+ REDLIB_DEFAULT_SHOW_NSFW: "on"
+ REDLIB_DEFAULT_BLUR_NSFW: "on"
+ REDLIB_DEFAULT_AUTOPLAY_VIDEOS: "off"
+ REDLIB_DEFAULT_DISABLE_VISIT_REDDIT_CONFIRMATION: "false"
+ REDLIB_ENABLE_RSS: "on"
+ REDLIB_FULL_URL: "https://${APP_DNS_REDLIB}"
+ REDLIB_SUBSCRIPTIONS:
+ valueFrom:
+ secretKeyRef:
+ name: redlib-secrets
+ key: subscriptions
+ securityContext: &sc
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ resources:
+ requests:
+ cpu: "10m"
+ limits:
+ cpu: "1"
+ memory: "256Mi"
+ probes:
+ liveness:
+ enabled: true
+ readiness:
+ enabled: true
+ service:
+ redlib:
+ controller: redlib
+ ports:
+ http:
+ port: 8080
+ protocol: HTTP
+ appProtocol: http
+ ingress:
+ main:
+ className: nginx-internal
+ hosts:
+ - host: &host "${APP_DNS_REDLIB:=redlib}"
+ paths: &paths
+ - path: /
pathType: Prefix
+ service:
+ identifier: redlib
+ port: http
+ tls:
+ - hosts: [*host]
+ defaultPodOptions:
+ automountServiceAccountToken: false
+ enableServiceLinks: false
+ dnsConfig:
+ options:
+ - name: ndots
+ value: "1"
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: &uid ${APP_UID_REDLIB:=1000}
+ runAsGroup: *uid
+ fsGroup: *uid
+ fsGroupChangePolicy: Always
+ seccompProfile: { type: "RuntimeDefault" }
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: fuckoff.home.arpa/redlib
+ operator: DoesNotExist
diff --git a/kube/deploy/apps/redlib/ks.yaml b/kube/deploy/apps/redlib/ks.yaml
new file mode 100644
index 00000000..802321a1
--- /dev/null
+++ b/kube/deploy/apps/redlib/ks.yaml
@@ -0,0 +1,14 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: redlib-app
+ namespace: flux-system
+ labels: &l
+ app.kubernetes.io/name: "redlib"
+spec:
+ commonMetadata:
+ labels: *l
+ path: ./kube/deploy/apps/redlib/app
+ targetNamespace: "redlib"
+ dependsOn: []
diff --git a/kube/deploy/apps/libreddit/kustomization.yaml b/kube/deploy/apps/redlib/kustomization.yaml
similarity index 100%
rename from kube/deploy/apps/libreddit/kustomization.yaml
rename to kube/deploy/apps/redlib/kustomization.yaml
diff --git a/kube/deploy/apps/redlib/ns.yaml b/kube/deploy/apps/redlib/ns.yaml
new file mode 100644
index 00000000..70d61f2d
--- /dev/null
+++ b/kube/deploy/apps/redlib/ns.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: redlib
+ labels:
+ kustomize.toolkit.fluxcd.io/prune: disabled
+ pod-security.kubernetes.io/enforce: &ps restricted
+ pod-security.kubernetes.io/audit: *ps
+ pod-security.kubernetes.io/warn: *ps
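Review bot: `REDLIB_FULL_URL: "https://${APP_DNS_REDLIB}"` and the ingress host `"${APP_DNS_REDLIB:=redlib}"` substitute the same variable with different fallbacks, so with the variable unset the Ingress still gets a host while the app is told its public URL is `https://`; write `REDLIB_FULL_URL: "https://${APP_DNS_REDLIB:=redlib}"` (or drop the default in both places) so the two cannot diverge. The CiliumNetworkPolicy that confined the old libreddit pods to ingress-nginx and same-namespace traffic on port 8080 has no counterpart under `redlib/app/`; the `ingress.home.arpa/nginx-internal` and `egress.home.arpa/internet` pod labels suggest label-selected cluster policies take over, but that is not visible here and deserves a comment on `labels:` naming the policy that honours them. The `&img`, `&env`, `&sc` and `&paths` anchors are never aliased in this file and can be removed. The container and pod securityContext here (non-root, seccomp RuntimeDefault, all capabilities dropped, no privilege escalation) do satisfy the `restricted` level that ns.yaml enforces.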
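Review bot: `dependsOn: []` drops the `1-core-ingress-nginx-app` dependency that the deleted libreddit ks.yaml declared, and the new ExternalSecret additionally needs the `1p` ClusterSecretStore to exist before its first reconcile; if that ordering is now provided elsewhere, a comment such as `dependsOn: [] # ordering against ingress-nginx / external-secrets handled by the parent Kustomization` would record it, otherwise restore the entry. `targetNamespace: "redlib"` also duplicates the explicit `namespace:` set in hr.yaml and es.yaml; keeping only one source of the namespace avoids the two drifting apart.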