From 86260e548498af3d806ae033dd45d212ed54115b Mon Sep 17 00:00:00 2001
From: JJGadgets
Date: Fri, 2 Feb 2024 01:32:23 +0800
Subject: [PATCH] feat: add yagpdb
---
 .../biohazard/config/secrets.sops.env | 8 +-
 kube/clusters/biohazard/config/vars.sops.env | 6 +-
 .../biohazard/flux/kustomization.yaml | 1 +
 kube/deploy/apps/yagpdb/app/hr.yaml | 133 ++++++++++++++++++
 kube/deploy/apps/yagpdb/app/secrets.yaml | 12 ++
 kube/deploy/apps/yagpdb/ks.yaml | 38 +++++
 kube/deploy/apps/yagpdb/kustomization.yaml | 6 +
 kube/deploy/apps/yagpdb/ns.yaml | 10 ++
 .../core/db/pg/clusters/default/ks.yaml | 2 +
 9 files changed, 212 insertions(+), 4 deletions(-)
 create mode 100644 kube/deploy/apps/yagpdb/app/hr.yaml
 create mode 100644 kube/deploy/apps/yagpdb/app/secrets.yaml
 create mode 100644 kube/deploy/apps/yagpdb/ks.yaml
 create mode 100644 kube/deploy/apps/yagpdb/kustomization.yaml
 create mode 100644 kube/deploy/apps/yagpdb/ns.yaml
diff --git a/kube/clusters/biohazard/config/secrets.sops.env b/kube/clusters/biohazard/config/secrets.sops.env
index 999492b6..10ae6281 100644
--- a/kube/clusters/biohazard/config/secrets.sops.env
+++ b/kube/clusters/biohazard/config/secrets.sops.env
@@ -180,10 +180,14 @@ SECRET_ELK_CF_KV_NS=ENC[AES256_GCM,data:NGwN9S0aFxLNBynHlkhnSVv0z5M6AXLukwh0VufE SECRET_RELOADER_ALERT_WEBHOOK_URL=ENC[AES256_GCM,data:EPXH2C0ZN+EjihlFRLzFseN73wJtoHQ8DcPrJ5STovPXTMor+4hspyhNhc3qUMZTUZj6w3beT/LVwU01pomp0Q8iDwwRLMvP+ZclREFx11T1vdkM69HxxduuO/0WA1EoRj1BcLDKhDU36wEhob6NlWaCfnFvIt505Q==,iv:t0gBgyEJS/gr/nybtbUqiZWWTLKPeeVSx+vWLVXa39M=,tag:dNE5oFGPG78s5Yfag+wCkg==,type:str] SECRET_GO_DISCORD_MODTOOLS_TOKEN=ENC[AES256_GCM,data:eY0q6vbLEdcanSnHqlzLCKgZ9loCY4AJlo5WPGp1sZO/+TS9wPNrHDgGahkH7sHcqyk0s/VLPGwua+d5/0UfOSrMS3Tw+2ei,iv:cL/fDYtMQPB122iaVl0wMmPUlQdjgQemx6DaoCLxTIw=,tag:aSWuxt89cc4dVRMd3WEGGg==,type:str] SECRET_FINDMYDEVICESERVER_TOKEN=ENC[AES256_GCM,data:DqaXvO2WfdQGKVdiHHBCN5FNg84eEUDSQObj3972Hani0tSwzhJSpXwosSPUmta+YpgEngb1dyOPUVtBlhy1tw5nhUd4,iv:WOywgrWdDykRDu4iAbCt2lAkxZILU7v1SzzfwAyWJLQ=,tag:lGUZfA3nfQ91eTRQnxQvLQ==,type:str] +SECRET_YAGPDB_OWNER=ENC[AES256_GCM,data:s5e8EJr+u2UsSTGRFRaD5Jwmbw==,iv:B+kixgI0Fn0MbaNE+KYILP+wPvwrF4YGYISKruSAxJw=,tag:QoDWE7nxAt0IbjZpUUnfLQ==,type:str] +SECRET_YAGPDB_ID=ENC[AES256_GCM,data:Ox21MTwzjcaNl2Z3ehCqZ1LoTA==,iv:gOuRV7QqMfEvWAw0ydjjg3ODgEU6YlGR/nZIP462ux4=,tag:MDL2LPD3ftcH4ld7JZfRUg==,type:str] +SECRET_YAGPDB_SECRET=ENC[AES256_GCM,data:caHhKYSSQRu+m0BeTVeu5E07OCquDdEVkXqIyJE+R6I=,iv:eW1Mp0x30+AEOYVJ8JhzsMdftXPwK54Fwq/CCNAg6sA=,tag:DIUOV/TUSLVd/5evx5fReQ==,type:str] +SECRET_YAGPDB_TOKEN=ENC[AES256_GCM,data:pGiWOGGBAaDALNywDGLG/AIAi/WqUf6FR7GF2YkqE2TKrX2s7gHWl+Mbk7jMBold/p7Fv492Wl/UNm6rmqHKdxCzapRc0917,iv:vCa479jXjyj1zPvcxWAVeqTJtIEu4PJTkxVuOQVqO50=,tag:9aP8crUDMpnPPUVH4NTE8w==,type:str] sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxalh5ckhGWGxFTmFqSDQv\ndXlPOUlyYVNkWHA5VGN2TERvaWtWMHlJdFRNCnQ1NlJldEgxb2E0VEdVSDVpbHp5\nZEpTMEQ5dWU0Q2ZWTFBOZFp5Ti95ejQKLS0tIDF0c3VlazRzVWtVQ1JXT3hyTWNN\nWXpUSUNydGY4V04xZ2dTSzlvWmNOTGsKQ3rimeB7zqB4dYMp1pR1AOltXk+GhGsb\ns0jDxr/SiPUaiYoVCY4fqu9geXNRDGlPh3T2Lhs9Siif4Vnc8qTQBw==\n-----END AGE ENCRYPTED 
FILE-----\n sops_age__list_0__map_recipient=age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj -sops_lastmodified=2024-01-30T13:46:36Z -sops_mac=ENC[AES256_GCM,data:mjx4dPFSNCi69UEA/cWUNqRjlE0eifCFi2ZSa2swnXJQsVE6j2I4b7b+3ti6TSTlkmQK9IoLq9ppOro5KY8wF0P49gESJBWAf1VrDaTaEwMidLoWDJNcwN7LAt+nJOsNGJdxvQtPlGfKnjFvNcMsJK3imw5Opr7ShmelcwEgpe4=,iv:WDyT5NQ80N/Jtc8e/keInCtL/toj42Pww7+gwoUNRGI=,tag:H0H6ZZLLdacbBuT/fWiPcA==,type:str] +sops_lastmodified=2024-02-01T17:24:44Z +sops_mac=ENC[AES256_GCM,data:vsHcUDAPWhXXKnPQdjNQuTE9d2Nu4A/oElFNEWS0pp5XgfxznfIiGp9PCKwtxvncZaqvQ+zRNgT3qF8KCkAw6nhHCYvkTC/A2eKWhaoy50qzjm6IrzisecUi9VcNnTmbxwsltjF3e90ui54oBLG41GTyxiF0eSFOMUEqXPnhx50=,iv:BzsVF8VfB3quhzwYPBVGQXEnN0VA0qhQSpe2n00YfZI=,tag:4dn+ByWVw4EezuPGcvgUVg==,type:str] sops_pgp__list_0__map_created_at=2023-06-01T18:01:07Z sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhF4DAAAAAAAAAAASAQdANDTQwVjZ/Ad3iqBe0LL2sGCrEvrl6W6VaMjFgJCUkzYw\nwASmi9Y/OqREXtEItA1rKZDTM38LuMfcU4vAeEV0SNWlW5CQquN8UpLwMATrBdXr\n0lwBcvIZFLbbnfqFAdJ1EzbRWvHuh+yn5DBMH+odm3ZLaJqiiV9EaWhfl2rdIOr4\nPJQf6Ev1hueWmc9H45a8nvwH8sOl9MH9hl3TW7o9JOOhGmZ4BBVaSJW6f0UiZw==\n=iSQg\n-----END PGP MESSAGE-----\n sops_pgp__list_0__map_fp=31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2 diff --git a/kube/clusters/biohazard/config/vars.sops.env b/kube/clusters/biohazard/config/vars.sops.env index 1888c618..1434e5ce 100644 --- a/kube/clusters/biohazard/config/vars.sops.env +++ b/kube/clusters/biohazard/config/vars.sops.env 
@@ -193,6 +193,8 @@ APP_UID_HOME_ASSISTANT=ENC[AES256_GCM,data:siSvWIQ=,iv:yKE4QR0OZ2Ebjr9Itrl2ArE8K APP_DNS_K8S_SCHEMAS=ENC[AES256_GCM,data:dHuRdq+6XS8e5jDASQ==,iv:ldh4b30ZFgeKSjks/O+Uosv+6teiR/nttqm5CVVwfpM=,tag:2OVl+Pv3kXbc7L6g9VA69w==,type:str] APP_DNS_FINDMYDEVICESERVER=ENC[AES256_GCM,data:ursRHReJ+ww6DA==,iv:LWVxa8RBct1MUpND8HzFszyYepb7WUMIsb/54nDfh5M=,tag:O52BKAx2GauNqs94NfQuJQ==,type:str] APP_UID_FINDMYDEVICESERVER=ENC[AES256_GCM,data:bZ4J+XM=,iv:8pNEcDNi16rgnWwGyKt/q8lfvREPXJQ17Wl6ocsCU20=,tag:9msc12+ceKiK3ZOsaAGhCQ==,type:str] +APP_DNS_YAGPDB=ENC[AES256_GCM,data:ztvzqxWMHHJxyQ==,iv:amCviGu67jC3C7OptVzCuUlM6z9bRB6Y1LdtibFN/k0=,tag:Ltde1XGGGjLy+T/tsl/M5g==,type:str] +APP_UID_YAGPDB=ENC[AES256_GCM,data:x2WMv5I=,iv:EfHl8Y+4HvkuNMh5OKHSObMVluuQJu2FwxcdtiXS6fo=,tag:dEtrqT3rfsCDU1h3NIqRaw==,type:str] CONFIG_TAILSCALE_NODE_PORT=ENC[AES256_GCM,data:5fOGZnU=,iv:ACISp8g5R65r4wfL9GPCenCqqszwalLiAa99BDVWS7w=,tag:ECJ5gRru2kd8ccGXEbj7yQ==,type:str] CONFIG_MINECRAFT_OPS=ENC[AES256_GCM,data:al3glJDrtuqtTM2z4W7n+tPNf6XVfK64Jdb9s5RAE5NUwxyK,iv:kYqlsOabsa2iBZKgqjOpFYJo0DMFuoo3ZWCqb/Xzi5c=,tag:nIqPXvBvxdi8crMj1CYsEw==,type:str] CONFIG_MINECRAFT_ICON=ENC[AES256_GCM,data:nNzsyRclLnPZ+8Td/WJg2u8V/QKf/xowrghmTaKRNb9a5BMOxtzmiyAt6Us8OoY=,iv:b7fHZQdOjc4oCCLtLhopNg6G7IS2u9NUdBLCN6CjSKc=,tag:+cPgP1oK/9+EK2tB9Y45zw==,type:str] 
@@ -221,8 +223,8 @@ VM_UUID_AD_DC1=ENC[AES256_GCM,data:IS+IhA/KhbFuv0XxIEzOyV9yLwaw2RpHoguMBKsfD4urY VM_UUID_AD_DC2=ENC[AES256_GCM,data:wdGQCok1cHLNfubTXA636+0FpKJex1MY9IRYvGX05Rrl+8E/,iv:DdGleAp8cT9xhsMmgFMnoJgb5Ctem9tVm6qI6xXgUBo=,tag:BmMdCbhCYOmOgi+NudfAgQ==,type:str] sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFSXFvLzFQaFJ0OVJKUFV5\nTWh2OUltUlpJWFlVVytFYU9VajBHSnQ4SGdjCnRVbEVXdDVyUHJrR05Ba0xvUm1l\nTkt2YmNUZy90ZFA2b3QrODFKZ01EVG8KLS0tIEw2dkd1cnFCbnI5eWxKL2o1aDVB\nN0hveXZ2dWdxQ2k2L0pGR0ROMStVTmsK4dV/hNyDjsYnVUiFQ7kqdmcVHfYyVckz\nh/rwLjcZgsup72WDVP3v6Eul8B3LKFrSb8CDFA54tyQmSdFDCQC+Zg==\n-----END AGE ENCRYPTED FILE-----\n sops_age__list_0__map_recipient=age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj -sops_lastmodified=2024-01-30T13:47:31Z -sops_mac=ENC[AES256_GCM,data:g5TqK/yrww4HCjiP1FQ4FWx2+1bhJUrJsJrNeivuwaV91fNiHERY9JLc6mU+ZhRjfxq0pac7MIPelew1JQP9BDYdm3X5Yw18IycPPENbmkBsy0sIRdoIXA3vm6y2aayoAMZlEfJxqf1v4xexstYCK7Selaja8Ua745L5PqtPc0s=,iv:JB6/PCCe0gZ/bKpXfUWxOrHMjeZDQ+j0eNsqVP78oFg=,tag:JL6hnqUfNK8JqXkkixVssg==,type:str] +sops_lastmodified=2024-02-01T17:25:40Z +sops_mac=ENC[AES256_GCM,data:F4i0v+An3TRfMF5BqUlbDY5PpUbtj/A89lWZAgEX29DC9rhaEGvjDOFwaNyWD55WkWMIXWbsyni+KvZ7VDsLDF1xiSVHrFLrrn1gundJQAW2nWp+3hV4Eq4rzcFhEaLbprrKlspUrjAWCss4oJhVbxn40EoGlbB15HzBiMxSpRY=,iv:JUjzRWkmasDdPPMjra0zTPv+SwJoZV349Qh8pJFq/b8=,tag:3o8yY89Y/71rnkOQrG4mLA==,type:str] sops_pgp__list_0__map_created_at=2023-06-01T18:01:04Z sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhF4DAAAAAAAAAAASAQdAbA35718t0WVKrjQFYUPviCb0lVuh8NpfSdJCHjHcWWww\n8ak4q4VL69tZLSjQHx+VsMmKooknxWz6pw0lGxyDYlZMQ81bodInjaZGFZSz8Uuh\n0l4BhDCNDBBALTrnTliz6/DAHvmavI4UxMHost5alFio9JPkTDNmXZyvcy1/R6aw\n/uhQXLUBRvm0TSOhBZb7d0SLkLfe02Um40w1TibpKXsZz1GOMbPRNBMHHra0QIuQ\n=0jA+\n-----END PGP MESSAGE-----\n sops_pgp__list_0__map_fp=31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2 
diff --git a/kube/clusters/biohazard/flux/kustomization.yaml b/kube/clusters/biohazard/flux/kustomization.yaml
index 509c9c57..f2193862 100644
--- a/kube/clusters/biohazard/flux/kustomization.yaml
+++ b/kube/clusters/biohazard/flux/kustomization.yaml
@@ -100,6 +100,7 @@ resources:
  - ../../../deploy/apps/home-assistant/
  - ../../../deploy/apps/go-discord-modtools/
  - ../../../deploy/apps/findmydeviceserver/
+ - ../../../deploy/apps/yagpdb/
  - ../../../deploy/vm/_kubevirt/
  #- ../../../deploy/vm/_base/
  - ../../../deploy/vm/ad/
diff --git a/kube/deploy/apps/yagpdb/app/hr.yaml b/kube/deploy/apps/yagpdb/app/hr.yaml
new file mode 100644
index 00000000..ae83c93d
--- /dev/null
+++ b/kube/deploy/apps/yagpdb/app/hr.yaml
@@ -0,0 +1,133 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: &app yagpdb
+ namespace: *app
+spec:
+ interval: 5m
+ chart:
+ spec:
+ chart: app-template
+ version: "2.5.0"
+ sourceRef:
+ name: bjw-s
+ kind: HelmRepository
+ namespace: flux-system
+ values:
+ controllers:
+ main:
+ type: deployment
+ replicas: 1
+ pod:
+ labels:
+ ingress.home.arpa/nginx-public: "allow"
+ db.home.arpa/pg: "pg-default"
+ egress.home.arpa/discord: "allow"
+ containers:
+ main:
+ image: &img
+ repository: "jank.ing/jjgadgets/yagpdb"
+ tag: "2.33.1"
+ env:
+ TZ: "${CONFIG_TZ}"
+ YAGPDB_HOST: "${APP_DNS_YAGPDB}"
+ YAGPDB_REDIS: "localhost:6379"
+ YAGPDB_PQHOST:
+ valueFrom:
+ secretKeyRef:
+ name: "pg-default-pguser-yagpdb"
+ key: "pgbouncer-host"
+ YAGPDB_PQDB:
+ valueFrom:
+ secretKeyRef:
+ name: "pg-default-pguser-yagpdb"
+ key: "dbname"
+ YAGPDB_PQUSERNAME:
+ valueFrom:
+ secretKeyRef:
+ name: "pg-default-pguser-yagpdb"
+ key: "user"
+ YAGPDB_PQPASSWORD:
+ valueFrom:
+ secretKeyRef:
+ name: "pg-default-pguser-yagpdb"
+ key: "password"
+ envFrom:
+ - secretRef:
+ name: "yagpdb-secrets"
+ securityContext: &sc
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ resources:
+ requests:
+ cpu: "10m"
+ memory: "128Mi"
+ limits:
+ cpu: "3000m"
+ memory: "6000Mi"
+ redis:
+ image:
+ repository: "public.ecr.aws/docker/library/redis"
+ tag: "7.2.4-bookworm@sha256:b5ddcd52d425a8e354696c022f392fe45fca928f68d6289e6bb4a709c3a74668"
+ command: ["redis-server", "--save", "''", "--appendonly", "no", "--port", "6379", "--bind", "127.0.0.1"]
+ securityContext: *sc
+ resources:
+ requests:
+ cpu: "10m"
+ memory: "32Mi"
+ limits:
+ cpu: "1000m"
+ memory: "512Mi"
+ service:
+ main:
+ ports:
+ http:
+ port: 5000
+ ingress:
+ main:
+ enabled: true
+ primary: true
+ className: "nginx-public"
+ annotations:
+ external-dns.alpha.kubernetes.io/target: "${DNS_SHORT_CF}"
+ external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
+ hosts:
+ - host: &host "${APP_DNS_YAGPDB}"
+ paths: &paths
+ - path: /
+ pathType: Prefix
+ service:
+ name: main
+ port: http
+ tls:
+ - hosts: [*host]
+ persistence:
+ config:
+ enabled: false
+ defaultPodOptions:
+ automountServiceAccountToken: false
+ enableServiceLinks: false
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: &uid ${APP_UID_YAGPDB}
+ runAsGroup: *uid
+ fsGroup: *uid
+ fsGroupChangePolicy: "Always"
+ seccompProfile: { type: "RuntimeDefault" }
+ topologySpreadConstraints:
+ - maxSkew: 1
+ topologyKey: "kubernetes.io/hostname"
+ whenUnsatisfiable: "DoNotSchedule"
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: *app
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: "fuckoff.home.arpa/yagpdb"
+ operator: "DoesNotExist"
diff --git a/kube/deploy/apps/yagpdb/app/secrets.yaml b/kube/deploy/apps/yagpdb/app/secrets.yaml
new file mode 100644
index 00000000..d4f469b8
--- /dev/null
+++ b/kube/deploy/apps/yagpdb/app/secrets.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: "yagpdb-secrets"
+ namespace: "yagpdb"
+type: Opaque
+stringData:
+ YAGPDB_OWNER: "${SECRET_YAGPDB_OWNER}"
+ YAGPDB_CLIENTID: "${SECRET_YAGPDB_ID}"
+ YAGPDB_CLIENTSECRET: "${SECRET_YAGPDB_SECRET}"
+ YAGPDB_BOTTOKEN: "Bot ${SECRET_YAGPDB_TOKEN}"
diff --git a/kube/deploy/apps/yagpdb/ks.yaml b/kube/deploy/apps/yagpdb/ks.yaml
new file mode 100644
index 00000000..d542d11c
--- /dev/null
+++ b/kube/deploy/apps/yagpdb/ks.yaml
@@ -0,0 +1,38 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: yagpdb-app
+ namespace: flux-system
+ labels: &l
+ app.kubernetes.io/name: "yagpdb"
+spec:
+ commonMetadata:
+ labels: *l
+ path: ./kube/deploy/apps/yagpdb/app
+ targetNamespace: "yagpdb"
+ dependsOn:
+ - name: yagpdb-db
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: yagpdb-db
+ namespace: flux-system
+ labels: &l
+ prune.flux.home.arpa/enabled: "true"
+ db.home.arpa/pg: "pg-default"
+ app.kubernetes.io/name: "yagpdb"
+spec:
+ commonMetadata:
+ labels: *l
+ path: ./kube/deploy/core/db/pg/clusters/template/pguser
+ targetNamespace: "pg"
+ dependsOn:
+ - name: 1-core-db-pg-clusters-default
+ - name: 1-core-secrets-es-k8s
+ postBuild:
+ substitute:
+ PG_NAME: "default"
+ PG_DB_USER: &app "yagpdb"
+ PG_APP_NS: *app
diff --git a/kube/deploy/apps/yagpdb/kustomization.yaml b/kube/deploy/apps/yagpdb/kustomization.yaml
new file mode 100644
index 00000000..5eeb2657
--- /dev/null
+++ b/kube/deploy/apps/yagpdb/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ns.yaml
+ - ks.yaml
diff --git a/kube/deploy/apps/yagpdb/ns.yaml b/kube/deploy/apps/yagpdb/ns.yaml
new file mode 100644
index 00000000..c0cd5f9a
--- /dev/null
+++ b/kube/deploy/apps/yagpdb/ns.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: yagpdb
+ labels:
+ kustomize.toolkit.fluxcd.io/prune: disabled
+ pod-security.kubernetes.io/enforce: &ps restricted
+ pod-security.kubernetes.io/audit: *ps
+ pod-security.kubernetes.io/warn: *ps
diff --git a/kube/deploy/core/db/pg/clusters/default/ks.yaml b/kube/deploy/core/db/pg/clusters/default/ks.yaml
index 2222ab50..b4aa71cf 100644
--- a/kube/deploy/core/db/pg/clusters/default/ks.yaml
+++ b/kube/deploy/core/db/pg/clusters/default/ks.yaml
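Review bot: Neither Kustomization in ks.yaml declares where its `${...}` variables come from, yet the manifests under `./kube/deploy/apps/yagpdb/app` depend on `${APP_DNS_YAGPDB}`, `${APP_UID_YAGPDB}` and the `${SECRET_YAGPDB_*}` values this same commit adds to vars.sops.env and secrets.sops.env; presumably a cluster-level Flux patch injects `postBuild.substituteFrom` for every Kustomization, but nothing in this file records that. Since the Secret in the app path is built purely from those variables, a substitution source that is missing or not yet decrypted would, depending on how the controller handles undefined variables, either leave a literal placeholder as the bot token or block the reconcile, and a reader debugging that has no pointer here. A one-line comment above the first `spec:`, such as `# substituteFrom for APP_*/SECRET_* vars is injected by the cluster-level Flux patch (see kube/clusters/biohazard/flux)`, would make the contract visible. The `yagpdb-db` Kustomization carries `prune.flux.home.arpa/enabled: "true"` while `yagpdb-app` does not; if that is deliberate because the namespace is marked prune-disabled, a comment saying so would help as well.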
@@ -51,6 +51,8 @@ spec:
  databases: ["readeck"]
  - name: "godiscordmodtools"
  databases: ["godiscordmodtools"]
+ - name: "yagpdb"
+ databases: ["yagpdb"]
  backups:
  pgbackrest:
  global: