diff --git a/kube/clusters/biohazard/config/secrets.sops.env b/kube/clusters/biohazard/config/secrets.sops.env
index 1eace80f..bd48bed7 100644
--- a/kube/clusters/biohazard/config/secrets.sops.env
+++ b/kube/clusters/biohazard/config/secrets.sops.env
@@ -184,10 +184,12 @@ SECRET_YAGPDB_OWNER=ENC[AES256_GCM,data:/eWzNcpn/fvlpwjU4ab8wWYbiiYT,iv:6qKB1LCf SECRET_YAGPDB_ID=ENC[AES256_GCM,data:6qvYkZhTCey/l1jRSmM8lDnDGdvd,iv:AnxlfCnBP41Pdnlgoa++EhaXQvSQFee7qjrMEYL0U10=,tag:ttzpefe/vLJpiffcmG/OwA==,type:str] SECRET_YAGPDB_SECRET=ENC[AES256_GCM,data:caHhKYSSQRu+m0BeTVeu5E07OCquDdEVkXqIyJE+R6I=,iv:eW1Mp0x30+AEOYVJ8JhzsMdftXPwK54Fwq/CCNAg6sA=,tag:DIUOV/TUSLVd/5evx5fReQ==,type:str] SECRET_YAGPDB_TOKEN=ENC[AES256_GCM,data:pGiWOGGBAaDALNywDGLG/AIAi/WqUf6FR7GF2YkqE2TKrX2s7gHWl+Mbk7jMBold/p7Fv492Wl/UNm6rmqHKdxCzapRc0917,iv:vCa479jXjyj1zPvcxWAVeqTJtIEu4PJTkxVuOQVqO50=,tag:9aP8crUDMpnPPUVH4NTE8w==,type:str] +SECRET_REDBOT_TOKEN=ENC[AES256_GCM,data:8756RjZjQd873AQL39EQ0QFabSkR7vxXs8IJtS3DzJKVX3/hxln0KBLSO8FjNs6KQaE7LhMpTMm+5SIIdX6TFdFA7LtcrMHP,iv:uJzy4PSR6f2yB+6wZUaCsqn5ZbX0cNAwT7mPOvhrh2k=,tag:S3eb6r+4i4EAX1GeKMrbqw==,type:str] +SECRET_REDBOT_OWNER=ENC[AES256_GCM,data:pXaGCqAIS8pNxOuW55AN2uUTBU4=,iv:0baR7HxMO6/qFpEdQqkcO92o7cEajzLCxeOUfwnHA54=,tag:Mp8f+W78N1nTT+Df8QbhoQ==,type:str] sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxalh5ckhGWGxFTmFqSDQv\ndXlPOUlyYVNkWHA5VGN2TERvaWtWMHlJdFRNCnQ1NlJldEgxb2E0VEdVSDVpbHp5\nZEpTMEQ5dWU0Q2ZWTFBOZFp5Ti95ejQKLS0tIDF0c3VlazRzVWtVQ1JXT3hyTWNN\nWXpUSUNydGY4V04xZ2dTSzlvWmNOTGsKQ3rimeB7zqB4dYMp1pR1AOltXk+GhGsb\ns0jDxr/SiPUaiYoVCY4fqu9geXNRDGlPh3T2Lhs9Siif4Vnc8qTQBw==\n-----END AGE ENCRYPTED FILE-----\n sops_age__list_0__map_recipient=age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj -sops_lastmodified=2024-02-01T17:40:30Z -sops_mac=ENC[AES256_GCM,data:kd59qQIRJgojoQqN2xLIIFZe4rJc72BbLy02NtjbmlvNXcflqycoidVNDQdoZmvbhJ8xbl2mF3WNMH/xncx8i9qeSM50yB3Dluw5Qs6yqT6tNHgRU8fAsMIn1MmpxdtwQMLeeJf29IhU3yFWXwTHavkyFB/ryZ0Dx6eBQeefMrs=,iv:MYc59e5QxRKiluTsl/yDO93sMZq+mST6i6GruExbcAQ=,tag:njWcyu7j44Ik1vpyQEj6zg==,type:str] +sops_lastmodified=2024-02-03T21:38:40Z 
+sops_mac=ENC[AES256_GCM,data:69+MLjP2GpjYkbWvrXEer/t5zL/3te1YomrjOdHlj4/fyMTPoP8xzHctxBreymDTMdn0Fe+XC2uBXpUrA5oH/7yuGqlqliZcuPNpyuQgKrVvr2pbd5hmQqLZWp3zBlyxtNDu4/ZLbk6dDWq+tndq4csOpV6cDenFYs1+Bla3pEc=,iv:0Mhs1D+M9Nh81jjbpFjEee0rDbARdmJPzf5a0ALUYCA=,tag:/UTK2hnpCK2tQiQCVrGi7g==,type:str] sops_pgp__list_0__map_created_at=2023-06-01T18:01:07Z sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhF4DAAAAAAAAAAASAQdANDTQwVjZ/Ad3iqBe0LL2sGCrEvrl6W6VaMjFgJCUkzYw\nwASmi9Y/OqREXtEItA1rKZDTM38LuMfcU4vAeEV0SNWlW5CQquN8UpLwMATrBdXr\n0lwBcvIZFLbbnfqFAdJ1EzbRWvHuh+yn5DBMH+odm3ZLaJqiiV9EaWhfl2rdIOr4\nPJQf6Ev1hueWmc9H45a8nvwH8sOl9MH9hl3TW7o9JOOhGmZ4BBVaSJW6f0UiZw==\n=iSQg\n-----END PGP MESSAGE-----\n sops_pgp__list_0__map_fp=31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2 diff --git a/kube/clusters/biohazard/config/vars.sops.env b/kube/clusters/biohazard/config/vars.sops.env index 3cf0e7ce..58fae15f 100644 --- a/kube/clusters/biohazard/config/vars.sops.env +++ b/kube/clusters/biohazard/config/vars.sops.env 
@@ -197,6 +197,7 @@ APP_DNS_FINDMYDEVICESERVER=ENC[AES256_GCM,data:ursRHReJ+ww6DA==,iv:LWVxa8RBct1MU APP_UID_FINDMYDEVICESERVER=ENC[AES256_GCM,data:bZ4J+XM=,iv:8pNEcDNi16rgnWwGyKt/q8lfvREPXJQ17Wl6ocsCU20=,tag:9msc12+ceKiK3ZOsaAGhCQ==,type:str] APP_DNS_YAGPDB=ENC[AES256_GCM,data:4cELw9YVYpYi8oygHvFfS6wK,iv:dn2wUwSKWxBP3h4EzxWWSXs6APhDxsQox9giXU0yZXY=,tag:jaIrJXCef2+LSAy4eSyRAw==,type:str] APP_UID_YAGPDB=ENC[AES256_GCM,data:x2WMv5I=,iv:EfHl8Y+4HvkuNMh5OKHSObMVluuQJu2FwxcdtiXS6fo=,tag:dEtrqT3rfsCDU1h3NIqRaw==,type:str] +APP_UID_REDBOT=ENC[AES256_GCM,data:O3HqeQA=,iv:4DPKceXzLO6iYIRvqkBq5ZGV8l9TyGsIoceHxBmXyOs=,tag:nv18/3EvrJNLkN3+OAVpWQ==,type:str] CONFIG_TAILSCALE_NODE_PORT=ENC[AES256_GCM,data:5fOGZnU=,iv:ACISp8g5R65r4wfL9GPCenCqqszwalLiAa99BDVWS7w=,tag:ECJ5gRru2kd8ccGXEbj7yQ==,type:str] CONFIG_MINECRAFT_OPS=ENC[AES256_GCM,data:al3glJDrtuqtTM2z4W7n+tPNf6XVfK64Jdb9s5RAE5NUwxyK,iv:kYqlsOabsa2iBZKgqjOpFYJo0DMFuoo3ZWCqb/Xzi5c=,tag:nIqPXvBvxdi8crMj1CYsEw==,type:str] CONFIG_MINECRAFT_ICON=ENC[AES256_GCM,data:nNzsyRclLnPZ+8Td/WJg2u8V/QKf/xowrghmTaKRNb9a5BMOxtzmiyAt6Us8OoY=,iv:b7fHZQdOjc4oCCLtLhopNg6G7IS2u9NUdBLCN6CjSKc=,tag:+cPgP1oK/9+EK2tB9Y45zw==,type:str] 
@@ -225,8 +226,8 @@ VM_UUID_AD_DC1=ENC[AES256_GCM,data:IS+IhA/KhbFuv0XxIEzOyV9yLwaw2RpHoguMBKsfD4urY VM_UUID_AD_DC2=ENC[AES256_GCM,data:wdGQCok1cHLNfubTXA636+0FpKJex1MY9IRYvGX05Rrl+8E/,iv:DdGleAp8cT9xhsMmgFMnoJgb5Ctem9tVm6qI6xXgUBo=,tag:BmMdCbhCYOmOgi+NudfAgQ==,type:str] sops_age__list_0__map_enc=-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFSXFvLzFQaFJ0OVJKUFV5\nTWh2OUltUlpJWFlVVytFYU9VajBHSnQ4SGdjCnRVbEVXdDVyUHJrR05Ba0xvUm1l\nTkt2YmNUZy90ZFA2b3QrODFKZ01EVG8KLS0tIEw2dkd1cnFCbnI5eWxKL2o1aDVB\nN0hveXZ2dWdxQ2k2L0pGR0ROMStVTmsK4dV/hNyDjsYnVUiFQ7kqdmcVHfYyVckz\nh/rwLjcZgsup72WDVP3v6Eul8B3LKFrSb8CDFA54tyQmSdFDCQC+Zg==\n-----END AGE ENCRYPTED FILE-----\n sops_age__list_0__map_recipient=age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj -sops_lastmodified=2024-02-03T04:45:14Z -sops_mac=ENC[AES256_GCM,data:o7euiInJpDk5j6bEtmV/R4rXF+m8VoqVy90yPbNeFFWYxFKIG99clMklOj7Z+DoV4nZUr70eSWCvIWmLOCTR9rJ0T1KDJSYWVwCMN2DZ099P9UoAmAKSluWHTBSF4iy2W0/5lFCEE1mavpY20be0jOfbNjBXwqev1eX5DXRsUL0=,iv:O1cNkEqhpy56ABOc2h6SOsGwJ9S0GWJ1jAuFu3lsAXs=,tag:JC99l/gkKXDo5I0pZyurMQ==,type:str] +sops_lastmodified=2024-02-03T21:33:40Z +sops_mac=ENC[AES256_GCM,data:Q9zQEfBwX219b4y1NUK/jH9LLjIEY8EnMHR5LOFrpdHwCqQJ0sEkjogh4W6L5peALoct4rtqAkdi19yiKMkREYC18lvp4aWI9JNvNzUNyBFuCUFMWAt3YkBLFORdicn+7d7eJiofpxaVoTxV/TcI33HhbOrV0swR4bgTbM9NFl4=,iv:+NtPK1McTz9wTo6NKF0yRjds47VOyThZvpg50dT/I0Y=,tag:pF/0po1Q8axCinRk/h0W8w==,type:str] sops_pgp__list_0__map_created_at=2023-06-01T18:01:04Z sops_pgp__list_0__map_enc=-----BEGIN PGP MESSAGE-----\n\nhF4DAAAAAAAAAAASAQdAbA35718t0WVKrjQFYUPviCb0lVuh8NpfSdJCHjHcWWww\n8ak4q4VL69tZLSjQHx+VsMmKooknxWz6pw0lGxyDYlZMQ81bodInjaZGFZSz8Uuh\n0l4BhDCNDBBALTrnTliz6/DAHvmavI4UxMHost5alFio9JPkTDNmXZyvcy1/R6aw\n/uhQXLUBRvm0TSOhBZb7d0SLkLfe02Um40w1TibpKXsZz1GOMbPRNBMHHra0QIuQ\n=0jA+\n-----END PGP MESSAGE-----\n sops_pgp__list_0__map_fp=31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2 
diff --git a/kube/clusters/biohazard/flux/kustomization.yaml b/kube/clusters/biohazard/flux/kustomization.yaml
index 701d9885..1ec198df 100644
--- a/kube/clusters/biohazard/flux/kustomization.yaml
+++ b/kube/clusters/biohazard/flux/kustomization.yaml
@@ -101,6 +101,7 @@ resources:
 - ../../../deploy/apps/go-discord-modtools/
 - ../../../deploy/apps/findmydeviceserver/
 - ../../../deploy/apps/yagpdb/
+ - ../../../deploy/apps/redbot/
 - ../../../deploy/apps/code-server/
 - ../../../deploy/vm/_kubevirt/
 #- ../../../deploy/vm/_base/
diff --git a/kube/deploy/apps/redbot/app/hr.yaml b/kube/deploy/apps/redbot/app/hr.yaml
new file mode 100644
index 00000000..614103fe
--- /dev/null
+++ b/kube/deploy/apps/redbot/app/hr.yaml
@@ -0,0 +1,126 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: &app redbot
+ namespace: *app
+spec:
+ interval: 5m
+ chart:
+ spec:
+ chart: app-template
+ version: "2.5.0"
+ sourceRef:
+ name: bjw-s
+ kind: HelmRepository
+ namespace: flux-system
+ values:
+ controllers:
+ main:
+ type: deployment
+ replicas: 1
+ pod:
+ labels:
+ db.home.arpa/pg: "pg-default"
+ egress.home.arpa/discord: "allow"
+ containers:
+ main:
+ image: &img
+ repository: "jank.ing/jjgadgets/redbot"
+ tag: "3.5.5@sha256:4c5309afa8d04e5ed63404b18933411cd06b5dd8fb7f122a60d853bd7b011a60"
+ env:
+ TZ: "${CONFIG_TZ}"
+ NAME: "JJGadgets"
+ PREFIX: "yui."
+ TOKEN_FILE: &token "/secrets/token"
+ OWNER_FILE: &owner "/secrets/owner"
+ BASE_PATH: &path "/config"
+ STORAGE_TYPE: "Postgres"
+ PGHOST:
+ valueFrom:
+ secretKeyRef:
+ name: &pgsec "pg-default-pguser-redbot"
+ key: "pgbouncer-host"
+ PGDATABASE:
+ valueFrom:
+ secretKeyRef:
+ name: *pgsec
+ key: "dbname"
+ PGUSER:
+ valueFrom:
+ secretKeyRef:
+ name: *pgsec
+ key: "user"
+ PGPASSFILE: &pgpass "/secrets/pgpass"
+ securityContext:
+ readOnlyRootFilesystem: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop: ["ALL"]
+ resources:
+ requests:
+ cpu: "10m"
+ memory: "128Mi"
+ limits:
+ cpu: "3000m"
+ memory: "6000Mi"
+ service:
+ main:
+ enabled: false
+ persistence:
+ config:
+ enabled: true
+ type: emptyDir
+ medium: Memory
+ globalMounts:
+ - subPath: "config"
+ path: *path
+ secrets:
+ enabled: true
+ type: secret
+ name: "redbot-secrets"
+ defaultMode: 0400
+ advancedMounts:
+ main:
+ main:
+ - subPath: "token"
+ path: *token
+ readOnly: true
+ - subPath: "owner"
+ path: *owner
+ readOnly: true
+ pg:
+ enabled: true
+ type: secret
+ name: *pgsec
+ defaultMode: 0400
+ advancedMounts:
+ main:
+ main:
+ - subPath: "password"
+ path: *pgpass
+ readOnly: true
+ defaultPodOptions:
+ automountServiceAccountToken: false
+ enableServiceLinks: false
+ securityContext:
+ runAsNonRoot: true
+ runAsUser: &uid ${APP_UID_REDBOT}
+ runAsGroup: *uid
+ fsGroup: *uid
+ fsGroupChangePolicy: "Always"
+ seccompProfile: { type: "RuntimeDefault" }
+ topologySpreadConstraints:
+ - maxSkew: 1
+ topologyKey: "kubernetes.io/hostname"
+ whenUnsatisfiable: "DoNotSchedule"
+ labelSelector:
+ matchLabels:
+ app.kubernetes.io/name: *app
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: "fuckoff.home.arpa/redbot"
+ operator: "DoesNotExist"
diff --git a/kube/deploy/apps/redbot/app/secrets.yaml b/kube/deploy/apps/redbot/app/secrets.yaml
new file mode 100644
index 00000000..883c0c69
--- /dev/null
+++ b/kube/deploy/apps/redbot/app/secrets.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+ name: "redbot-secrets"
+ namespace: "redbot"
+type: Opaque
+stringData:
+ TOKEN: "${SECRET_REDBOT_TOKEN}"
+ OWNER: "${SECRET_REDBOT_OWNER}"
diff --git a/kube/deploy/apps/redbot/ks.yaml b/kube/deploy/apps/redbot/ks.yaml
new file mode 100644
index 00000000..24508eab
--- /dev/null
+++ b/kube/deploy/apps/redbot/ks.yaml
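Review bot: The `secrets` persistence block mounts `subPath: "token"` and `subPath: "owner"` from the `redbot-secrets` Secret, but the Secret this commit adds in kube/deploy/apps/redbot/app/secrets.yaml defines those keys as `TOKEN` and `OWNER`; Secret keys are case-sensitive, so neither subPath resolves to the file that `TOKEN_FILE`/`OWNER_FILE` point at (the exact symptom — a subPath mount error or an empty directory at `/secrets/token` — depends on kubelet, but whatever reads `TOKEN_FILE` does not get a token either way). Change the two mounts to `- subPath: "TOKEN"` and `- subPath: "OWNER"`, or rename the keys in the secrets.yaml hunk below to match; it is one mismatch, fix it in one place. Separately, `PGPASSFILE` is served from a Secret with `defaultMode: 0400` in a pod that also sets `fsGroup`; if kubelet's fsGroup handling adds group bits to the projected file, libpq silently ignores a pgpass file that is group- or world-accessible, so confirm in a running pod that `/secrets/pgpass` is actually honoured. The `medium: Memory` emptyDir at `/config` is charged against the 6000Mi memory limit, presumably acceptable since `STORAGE_TYPE` is Postgres, but a one-line comment on that line saying the bot's `BASE_PATH` data is intentionally ephemeral would save the next reader the question.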
@@ -0,0 +1,67 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: redbot-app
+ namespace: flux-system
+ labels: &l
+ app.kubernetes.io/name: "redbot"
+spec:
+ commonMetadata:
+ labels: *l
+ path: ./kube/deploy/apps/redbot/app
+ targetNamespace: "redbot"
+ dependsOn:
+ - name: redbot-db
+ - name: redbot-pvc
+# ---
+# apiVersion: kustomize.toolkit.fluxcd.io/v1
+# kind: Kustomization
+# metadata:
+# name: redbot-pvc
+# namespace: flux-system
+# labels: &l
+# app.kubernetes.io/name: "redbot"
+# spec:
+# commonMetadata:
+# labels: *l
+# path: ./kube/deploy/core/storage/volsync/template
+# targetNamespace: "redbot"
+# dependsOn:
+# - name: 1-core-storage-volsync-app
+# - name: 1-core-storage-rook-ceph-cluster
+# postBuild:
+# substitute:
+# PVC: "redbot-data"
+# SIZE: "10Gi"
+# SC: &sc "file"
+# SNAP: *sc
+# RUID: !!str &uid |
+# ${APP_UID_REDBOT}
+# RGID: !!str |
+# ${APP_UID_REDBOT}
+# RFSG: !!str |
+# ${APP_UID_REDBOT}
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: redbot-db
+ namespace: flux-system
+ labels: &l
+ prune.flux.home.arpa/enabled: "true"
+ db.home.arpa/pg: "pg-default"
+ app.kubernetes.io/name: "redbot"
+spec:
+ commonMetadata:
+ labels: *l
+ path: ./kube/deploy/core/db/pg/clusters/template/pguser
+ targetNamespace: "pg"
+ dependsOn:
+ - name: 1-core-db-pg-clusters-default
+ - name: 1-core-secrets-es-k8s
+ postBuild:
+ substitute:
+ PG_NAME: "default"
+ PG_DB_USER: &app "redbot"
+ PG_APP_NS: *app
diff --git a/kube/deploy/apps/redbot/kustomization.yaml b/kube/deploy/apps/redbot/kustomization.yaml
new file mode 100644
index 00000000..5eeb2657
--- /dev/null
+++ b/kube/deploy/apps/redbot/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - ns.yaml
+ - ks.yaml
diff --git a/kube/deploy/apps/redbot/ns.yaml b/kube/deploy/apps/redbot/ns.yaml
new file mode 100644
index 00000000..447e04fe
--- /dev/null
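Review bot: `redbot-app` lists `- name: redbot-pvc` under `dependsOn`, but the `redbot-pvc` Kustomization further down in this hunk is entirely commented out, so the kustomize-controller will report that dependency as not found and never apply `redbot-app` (and with it the HelmRelease in hr.yaml). Either drop the `- name: redbot-pvc` line until the volsync block is re-enabled, or uncomment that block; if the latter, note that hr.yaml still mounts `BASE_PATH` from a memory-backed emptyDir, so the PVC would be created but unused. A short comment above the commented-out block stating why it is disabled, and that the app deliberately runs without a persistent volume, would make the intent clear to the next reader.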
+++ b/kube/deploy/apps/redbot/ns.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: redbot
+ labels:
+ kustomize.toolkit.fluxcd.io/prune: disabled
+ pod-security.kubernetes.io/enforce: &ps restricted
+ pod-security.kubernetes.io/audit: *ps
+ pod-security.kubernetes.io/warn: *ps