From 9b932c7e439fa7aace6346f1c18b2796b97594c5 Mon Sep 17 00:00:00 2001
From: JJGadgets
Date: Mon, 17 Feb 2025 12:32:17 +0800
Subject: [PATCH] chore: cleanup

---
 .mise.toml | 4 ++--
 .taskfiles/talos/Taskfile.dist.yaml | 8 +++----
 README.md | 2 +-
 dots/nvim/lazy-lock.json | 3 +++
 dots/vimrc | 23 +++++++++++++++----
 kube/deploy/apps/actual/app/hr.yaml | 4 +++-
 kube/deploy/apps/gotosocial/app/hr.yaml | 3 ++-
 .../apps/insurgency-sandstorm/app/hr.yaml | 3 ++-
 .../apps/insurgency-sandstorm/app/netpol.yaml | 1 +
 kube/deploy/apps/radicale/app/es.yaml | 10 +-------
 kube/deploy/apps/radicale/app/hr.yaml | 1 -
 kube/deploy/apps/soft-serve/ks.yaml | 3 ++-
 .../_networking/cilium/netpols/kubevirt.yaml | 22 ++++++++++++++++++
 .../core/dns/external-dns/kustomization.yaml | 1 -
 .../core/dns/internal/k8s-gateway/ks.yaml | 3 ++-
 kube/deploy/core/monitoring/karma/app/hr.yaml | 7 +++---
 kube/repos/flux/helm/keda.yaml | 10 ++++++++
 kube/repos/flux/helm/spegel.yaml | 2 +-
 kube/templates/test/{ => app}/ns.yaml | 0
 kube/templates/test/ks.yaml | 22 ++++--------------
 kube/templates/test/kustomization.yaml | 2 +-
 21 files changed, 82 insertions(+), 52 deletions(-)
 create mode 100644 kube/repos/flux/helm/keda.yaml
 rename kube/templates/test/{ => app}/ns.yaml (100%)

diff --git a/.mise.toml b/.mise.toml
index 06095562..9cefe3e8 100644
--- a/.mise.toml
+++ b/.mise.toml
@@ -28,7 +28,7 @@ pipx_uvx = true
 helm = ["3.16.3"]
 "aqua:fluxcd/flux2" = ["2.4.0"]
 "aqua:siderolabs/talos" = ["1.9.1"]
-"aqua:budimanjojo/talhelper" = ["3.0.13"]
+talhelper = ["3.0.16"]
 "aqua:go-task/task" = ["3.39.2"]
 "aqua:cilium/cilium-cli"= ["0.16.21"]
 "aqua:1password/cli" = ["2.24.0"]
@@ -41,7 +41,7 @@ soft-serve = ["0.7.4"]
 "ubi:CrunchyData/postgres-operator-client" = ["0.5.1"] # experimental backends, use `mise up` to install because `mise install` is currently broken for these https://github.com/jdx/mise/issues/2458
 python = ["3.11"]
-"aqua:astral-sh/uv" = ["0.4.1"] # faster than pipx, and can be installed with mise directly
+"aqua:astral-sh/uv" = ["0.5.27"] # faster than pipx, and can be installed with mise directly
 "pipx:flux-local" = ["6.0.2", "5.5.1"]
 "pipx:robusta-dev/krr" = ["v1.17.0"]
 "pipx:markitdown" = "latest"
diff --git a/.taskfiles/talos/Taskfile.dist.yaml b/.taskfiles/talos/Taskfile.dist.yaml
index 57a85cb4..6978af46 100644
--- a/.taskfiles/talos/Taskfile.dist.yaml
+++ b/.taskfiles/talos/Taskfile.dist.yaml
@@ -16,7 +16,7 @@ vars:
 C: '{{.C | default "biohazard"}}'
 tasks:
- genconfig:
+ run:
 desc: Decrypt cluster vars from .env to .yaml for talhelper to consume.
 dir: "/{{.ROOT_DIR}}/kube/clusters/{{.C}}/talos"
 vars:
@@ -39,9 +39,9 @@ tasks:
 certs_os_crt: "op://{{.C}}/.{{.C}}-talos/Secrets/certs_os_crt"
 certs_os_key: "op://{{.C}}/.{{.C}}-talos/Secrets/certs_os_key"
 cmds:
- - pwd
- - op user get --me # check signin status, fail if not signed in
- - op --cache=false run -- task --taskfile /{{.ROOT_DIR}}/.taskfiles/bootstrap/Taskfile.dist.yaml 1p-vars-env-run C={{.C}} -- talhelper genconfig
+ - pwd 1>&2
+ - op user get --me 1>&2 # check signin status, fail if not signed in
+ - op --cache=false run -- task --taskfile /{{.ROOT_DIR}}/.taskfiles/bootstrap/Taskfile.dist.yaml 1p-vars-env-run C={{.C}} -- talhelper {{.CLI_ARGS}}
 bootstrap:
 aliases: [bs]
diff --git a/README.md b/README.md
index 085f3a25..ff7c6300 100644
--- a/README.md
+++ b/README.md
@@ -1,6 +1,6 @@
 # Biohazard - JJ's Homelab Monorepo
-**Glorifying jank that works.**
+**Glorifying jank that *works*.**
 Powered by Flux, Kubernetes, Cilium, Talos, and jank. Amongst others.
diff --git a/dots/nvim/lazy-lock.json b/dots/nvim/lazy-lock.json
index cb3125a8..fe5a34d6 100644
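Review bot: The `desc:` of the renamed task (context line in the `@@ -16` hunk) still says it decrypts cluster vars for talhelper to consume, but the last `cmds` entry now hands `{{.CLI_ARGS}}` to talhelper, so the task runs whichever talhelper subcommand the caller passes, with the `op://` vars resolved by `op run` present in that process's environment, and with no args it runs bare `talhelper`. Update the description to match, e.g. `desc: Run talhelper with cluster vars from 1Password; pass the subcommand after --, e.g. -- genconfig`, and guard the empty case with a precondition such as `preconditions: [{sh: 'test -n "{{.CLI_ARGS}}"', msg: "pass a talhelper subcommand after --"}]`. As far as I can tell CLI_ARGS is interpolated unquoted into the shell line, so it is split and evaluated by the shell exactly as typed.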
--- a/dots/nvim/lazy-lock.json +++ b/dots/nvim/lazy-lock.json @@ -12,6 +12,7 @@ "cmp-nvim-lsp-signature-help": { "branch": "main", "commit": "031e6ba70b0ad5eee49fd2120ff7a2e325b17fa7" }, "cmp-path": { "branch": "main", "commit": "91ff86cd9c29299a64f968ebb45846c485725f23" }, "gitsigns.nvim": { "branch": "main", "commit": "5f808b5e4fef30bd8aca1b803b4e555da07fc412" }, + "go.nvim": { "branch": "master", "commit": "c6d5ca26377d01c4de1f7bff1cd62c8b43baa6bc" }, "headlines.nvim": { "branch": "master", "commit": "bf17c96a836ea27c0a7a2650ba385a7783ed322e" }, "himalaya-vim": { "branch": "master", "commit": "0e5d3395441301538c1830366f3212ed55b1d315" }, "indent-blankline.nvim": { "branch": "master", "commit": "7871a88056f7144defca9c931e311a3134c5d509" }, @@ -19,6 +20,7 @@ "kubernetes.nvim": { "branch": "main", "commit": "101e63f8f92b2ae9cf6a78560bc2b2321d1264af" }, "lazy.nvim": { "branch": "main", "commit": "56ead98e05bb37a4ec28930a54d836d033cf00f2" }, "lsp_signature.nvim": { "branch": "master", "commit": "fc38521ea4d9ec8dbd4c2819ba8126cea743943b" }, + "marks.nvim": { "branch": "master", "commit": "bb25ae3f65f504379e3d08c8a02560b76eaf91e8" }, "mason-lspconfig.nvim": { "branch": "main", "commit": "8e46de9241d3997927af12196bd8faa0ed08c29a" }, "mason.nvim": { "branch": "main", "commit": "e2f7f9044ec30067bc11800a9e266664b88cda22" }, "nui.nvim": { "branch": "main", "commit": "b58e2bfda5cea347c9d58b7f11cf3012c7b3953f" }, 
@@ -33,6 +35,7 @@ "org-bullets.nvim": { "branch": "main", "commit": "46ae687e22192fb806b5977d664ec98af9cf74f6" }, "orgmode": { "branch": "master", "commit": "1d8c9b9417f8c8e9fb146d4f54fb1e90a4f7e534" }, "plenary.nvim": { "branch": "master", "commit": "2d9b06177a975543726ce5c73fca176cedbffe9d" }, + "precognition.nvim": { "branch": "main", "commit": "24f2cc51dccecec4cf3de04bfbd14f5b9e79df0b" }, "promise-async": { "branch": "main", "commit": "119e8961014c9bfaf1487bf3c2a393d254f337e2" }, "rainbow-delimiters.nvim": { "branch": "master", "commit": "d803ba7668ba390aa4cfd3580183c982cac36fd8" }, "schemastore.nvim": { "branch": "main", "commit": "80b0243371163258e6eb3f0932f717b2d732b64e" }, diff --git a/dots/vimrc b/dots/vimrc index 31138f65..b994d5a4 100644 --- a/dots/vimrc +++ b/dots/vimrc @@ -63,6 +63,15 @@ set history=500 filetype plugin on filetype indent on autocmd BufNewFile,BufRead *.json5 set filetype=jsonc +function DetectGoHtmlTmpl() + if expand('%:e') == "html" && search("{{") != 0 + setfiletype gohtmltmpl + endif +endfunction +augroup filetypedetect + " gohtmltmpl + au BufRead,BufNewFile *.html call DetectGoHtmlTmpl() +augroup END " Set to auto read when a file is changed from the outside set autoread @@ -195,16 +204,20 @@ endif " Set colorscheme based on availability, from Neovim-only, to Vim custom/plugin, to Vim preinstalled try + colorscheme catppuccin + catch + try colorscheme tokyonight catch try - colorscheme dracula + colorscheme dracula + catch + try + colorscheme slate catch - try - colorscheme slate - catch - endtry + endtry endtry + endtry endtry set background=dark diff --git a/kube/deploy/apps/actual/app/hr.yaml b/kube/deploy/apps/actual/app/hr.yaml index 27d1bf20..867e9cd8 100644 --- a/kube/deploy/apps/actual/app/hr.yaml +++ b/kube/deploy/apps/actual/app/hr.yaml 
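Review bot: `search("{{")` in the new `DetectGoHtmlTmpl()` is called with no flags, so when the BufRead autocmd runs it the cursor is moved to the first `{{` in the file instead of staying where Vim placed it; pass the `n` flag (and `w` if wrap-around is wanted) so the call only tests for a match: `if expand('%:e') ==# 'html' && search('{{', 'nw') != 0`. `==#` also makes the extension comparison independent of 'ignorecase'. The `*.html` glob on the `au` line already restricts the call to html buffers, so the extension check is redundant but harmless.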
@@ -66,7 +66,9 @@ spec: env: *env envFrom: *envFrom securityContext: *sc - command: ["npm", "run", "enable-openid", "--prefix", "/app"] + # command: ["npm", "run", "enable-openid", "--prefix", "/app"] + command: ["tini", "-g", "--", "/bin/sh", "-c"] + args: ["npm run enable-openid --prefix /app || true"] service: actual: controller: actual diff --git a/kube/deploy/apps/gotosocial/app/hr.yaml b/kube/deploy/apps/gotosocial/app/hr.yaml index da069781..4e64e7d1 100644 --- a/kube/deploy/apps/gotosocial/app/hr.yaml +++ b/kube/deploy/apps/gotosocial/app/hr.yaml @@ -122,7 +122,7 @@ spec: appProtocol: http ingress: main: - className: nginx-internal # public traffic goes direct via cloudflared + className: nginx-public annotations: external-dns.alpha.kubernetes.io/target: "${DNS_CF:=cf}" external-dns.alpha.kubernetes.io/cloudflare-proxied: "true" @@ -141,6 +141,7 @@ spec: tmp: type: emptyDir medium: Memory + sizeLimit: 128Mi globalMounts: - subPath: tmp path: /tmp # ffmpeg WASM stuff diff --git a/kube/deploy/apps/insurgency-sandstorm/app/hr.yaml b/kube/deploy/apps/insurgency-sandstorm/app/hr.yaml index 5801bd4c..c89286bc 100644 --- a/kube/deploy/apps/insurgency-sandstorm/app/hr.yaml +++ b/kube/deploy/apps/insurgency-sandstorm/app/hr.yaml @@ -79,7 +79,7 @@ spec: cpu: "300m" limits: cpu: "1" - memory: "256Mi" + memory: "512Mi" service: insurgency-sandstorm: controller: insurgency-sandstorm @@ -127,6 +127,7 @@ spec: options: - name: ndots value: "1" + # runtimeClassName: gvisor hostUsers: false securityContext: runAsNonRoot: true diff --git a/kube/deploy/apps/insurgency-sandstorm/app/netpol.yaml b/kube/deploy/apps/insurgency-sandstorm/app/netpol.yaml index 9475aa8e..48c171a3 100644 --- a/kube/deploy/apps/insurgency-sandstorm/app/netpol.yaml +++ b/kube/deploy/apps/insurgency-sandstorm/app/netpol.yaml @@ -11,3 +11,4 @@ spec: - toFQDNs: - matchPattern: "*.mod.io" - matchPattern: "*.modapi.io" + - matchPattern: "*.modcdn.io" 
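Review bot: `args: ["npm run enable-openid --prefix /app || true"]` swallows the exit status of enable-openid, so a failed attempt to switch the login method leaves the container running with no signal in the pod status or restart count; if `|| true` is only meant to tolerate an already-enabled state, at least surface the failure, e.g. `args: ["npm run enable-openid --prefix /app || echo 'enable-openid failed, continuing' >&2"]`, and drop the old `# command:` line rather than keeping it as a comment. I cannot tell from the hunk which container this `command:` belongs to; if it is the one that should serve the app, `/bin/sh -c` exits as soon as npm does and the pod will presumably just restart, since nothing here execs the server afterwards.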
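Review bot: `className: nginx-public` replaces an internal class whose inline comment explained the routing (`public traffic goes direct via cloudflared`); the new value carries no rationale, and since it widens exposure from the internal ingress to the public one it deserves a one-line comment, e.g. `className: nginx-public # served by the public ingress behind the Cloudflare proxy (see the cloudflare-proxied annotation below)`. The ingress block this sits in starts and ends outside the hunk.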
diff --git a/kube/deploy/apps/radicale/app/es.yaml b/kube/deploy/apps/radicale/app/es.yaml index 2b94900e..2353db75 100644 --- a/kube/deploy/apps/radicale/app/es.yaml +++ b/kube/deploy/apps/radicale/app/es.yaml @@ -29,15 +29,7 @@ spec: stock = utf-8 [auth] type = http_x_remote_user - #type = radicale_auth_ldap - #realm = Radicale - Password Required - #ldap_url = ldaps://{{ .LDAP_SERVER }}:636 - #ldap_base = {{ .LDAP_BASE }} - #ldap_attribute = cn - #ldap_filter = {{ .LDAP_FILTER }} - #ldap_binddn = {{ .LDAP_BINDDN }} - #ldap_password = {{ .LDAP_PASSWORD }} - #ldap_scope = SUBTREE + realm = Radicale - Password Required [rights] type = owner_only [storage] diff --git a/kube/deploy/apps/radicale/app/hr.yaml b/kube/deploy/apps/radicale/app/hr.yaml index f5c2500d..9b7c8da9 100644 --- a/kube/deploy/apps/radicale/app/hr.yaml +++ b/kube/deploy/apps/radicale/app/hr.yaml @@ -22,7 +22,6 @@ spec: pod: labels: ingress.home.arpa/nginx-internal: allow - authentik.home.arpa/ldap: allow containers: main: image: &img diff --git a/kube/deploy/apps/soft-serve/ks.yaml b/kube/deploy/apps/soft-serve/ks.yaml index 19d1a768..a450c38c 100644 --- a/kube/deploy/apps/soft-serve/ks.yaml +++ b/kube/deploy/apps/soft-serve/ks.yaml @@ -12,7 +12,7 @@ spec: path: ./kube/deploy/apps/soft-serve/app targetNamespace: "soft-serve" dependsOn: - - name: soft-serve-db + #- name: soft-serve-db - name: soft-serve-pvc --- apiVersion: kustomize.toolkit.fluxcd.io/v1 @@ -22,6 +22,7 @@ metadata: namespace: flux-system labels: &l app.kubernetes.io/name: "soft-serve" + pvc.home.arpa/volsync: "true" spec: commonMetadata: labels: *l diff --git a/kube/deploy/core/_networking/cilium/netpols/kubevirt.yaml b/kube/deploy/core/_networking/cilium/netpols/kubevirt.yaml index 27393e54..c7586b57 100644 --- a/kube/deploy/core/_networking/cilium/netpols/kubevirt.yaml +++ b/kube/deploy/core/_networking/cilium/netpols/kubevirt.yaml 
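Review bot: With the commented LDAP block gone, `type = http_x_remote_user` (context line above the new `realm =`) is the only auth configuration left, and that type takes the user identity from the `X-Remote-User` request header; any client that can reach the Radicale pod without passing through the proxy that sets the header can choose its own user. A comment in the template makes that dependency explicit for the next reader, e.g. `# identity comes from the X-Remote-User header set by the ingress auth proxy; pod ingress must stay limited to that proxy (see the ingress.home.arpa/nginx-internal label in hr.yaml)`. As far as I can tell `realm` is only the message shown when a password is requested, so it does not change that trust. The ExternalSecret template this config lives in starts and ends outside the hunk.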
@@ -10,6 +10,28 @@ spec: - key: app.kubernetes.io/managed-by operator: In values: [virt-operator] + ingress: + - fromEntities: + - kube-apiserver + - host + - remote-node + egress: + # kube-apiserver + - toEntities: + - kube-apiserver + - host + toPorts: + - ports: + - port: "6443" +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumclusterwidenetworkpolicy_v2.json +apiVersion: cilium.io/v2 +kind: CiliumClusterWideNetworkPolicy +metadata: + name: &app kubevirt-operator +spec: + endpointSelector: + matchExpressions: - key: kubevirt.io operator: In values: [virt-operator] diff --git a/kube/deploy/core/dns/external-dns/kustomization.yaml b/kube/deploy/core/dns/external-dns/kustomization.yaml index 593ffe6f..5eeb2657 100644 --- a/kube/deploy/core/dns/external-dns/kustomization.yaml +++ b/kube/deploy/core/dns/external-dns/kustomization.yaml @@ -3,5 +3,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ns.yaml - - crds.yaml - ks.yaml diff --git a/kube/deploy/core/dns/internal/k8s-gateway/ks.yaml b/kube/deploy/core/dns/internal/k8s-gateway/ks.yaml index 24ec5105..b8b10e5f 100644 --- a/kube/deploy/core/dns/internal/k8s-gateway/ks.yaml +++ b/kube/deploy/core/dns/internal/k8s-gateway/ks.yaml @@ -9,4 +9,5 @@ spec: dependsOn: [] postBuild: substitute: - UPSTREAM: "${IP_ROUTER_VLAN_K8S} 1.0.0.1 1.0.0.2 1.0.0.3 1.1.1.1 1.1.1.2 1.1.1.3" \ No newline at end of file + UPSTREAM: "${IP_ROUTER_VLAN_K8S} 1.0.0.1 1.0.0.2 1.0.0.3 1.1.1.1 1.1.1.2 1.1.1.3" + CFDOT: "tls://1.0.0.1 tls://1.0.0.2 tls://1.0.0.3 tls://1.1.1.1 tls://1.1.1.2 tls://1.1.1.3" diff --git a/kube/deploy/core/monitoring/karma/app/hr.yaml b/kube/deploy/core/monitoring/karma/app/hr.yaml index 14874f08..d44f6b03 100644 --- a/kube/deploy/core/monitoring/karma/app/hr.yaml +++ b/kube/deploy/core/monitoring/karma/app/hr.yaml 
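Review bot: The new egress rule lists `- port: "6443"` without a `protocol:`; Cilium treats an omitted protocol as matching any L4 protocol, so add `protocol: TCP` under the port to limit the rule to the API server's actual transport. The ingress side allows `host`, `remote-node` and `kube-apiserver` on every port because no `toPorts` is given; if virt-operator only needs a few ports reached from the node and the API server, a port list there would narrow it, though I cannot see from the hunk what it listens on. The policy whose `spec:` these rules extend starts before the hunk, and the rest of the new `kubevirt-operator` document runs past it.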
@@ -34,7 +34,7 @@ spec:
 ALERTMANAGER_URI: "http://alertmanager-local.monitoring.svc:9093"
 ALERTMANAGER_EXTERNAL_URI: "https://${APP_DNS_ALERTMANAGER}"
 ALERTMANAGER_PROXY: "true"
- FILTERS_DEFAULT: "@state!=suppressed"
+ FILTERS_DEFAULT: "@state!=suppressed,alertname!=Watchdog"
 securityContext: &sc
 readOnlyRootFilesystem: true
 allowPrivilegeEscalation: false
@@ -43,10 +43,9 @@ spec:
 resources:
 requests:
 cpu: "10m"
- memory: "128Mi"
 limits:
- cpu: "3000m"
- memory: "500Mi"
+ cpu: "1"
+ memory: "128Mi"
 service:
 main:
 ports:
diff --git a/kube/repos/flux/helm/keda.yaml b/kube/repos/flux/helm/keda.yaml
new file mode 100644
index 00000000..8959d262
--- /dev/null
+++ b/kube/repos/flux/helm/keda.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: source.toolkit.fluxcd.io/v1beta2
+kind: HelmRepository
+metadata:
+ name: keda
+ namespace: flux-system
+spec:
+ interval: 10m0s
+ timeout: 3m0s
+ url: https://kedacore.github.io/charts
diff --git a/kube/repos/flux/helm/spegel.yaml b/kube/repos/flux/helm/spegel.yaml
index a9788365..9d4351ae 100644
--- a/kube/repos/flux/helm/spegel.yaml
+++ b/kube/repos/flux/helm/spegel.yaml
@@ -8,4 +8,4 @@ spec:
 interval: 10m0s
 timeout: 3m0s
 type: oci
- url: oci://ghcr.io/spegel-org/helm-charts
\ No newline at end of file
+ url: oci://ghcr.io/spegel-org/helm-charts
diff --git a/kube/templates/test/ns.yaml b/kube/templates/test/app/ns.yaml
similarity index 100%
rename from kube/templates/test/ns.yaml
rename to kube/templates/test/app/ns.yaml
diff --git a/kube/templates/test/ks.yaml b/kube/templates/test/ks.yaml
index d082195c..208d4c56 100644
--- a/kube/templates/test/ks.yaml
+++ b/kube/templates/test/ks.yaml
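Review bot: The new HelmRepository uses `apiVersion: source.toolkit.fluxcd.io/v1beta2`, while the `.mise.toml` hunk in this commit pins flux2 at 2.4.0, where HelmRepository has been served as `source.toolkit.fluxcd.io/v1` since Flux 2.3 and v1beta2 is deprecated; write `apiVersion: source.toolkit.fluxcd.io/v1` so the file does not need touching when the beta version is dropped. I cannot see the apiVersion the sibling spegel.yaml uses, so match it if it is already v1.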
@@ -7,30 +7,16 @@ metadata: labels: &l app.kubernetes.io/name: "${APPNAME}" spec: + targetNamespace: "${APPNAME}" commonMetadata: labels: *l path: ./kube/deploy/apps/${APPNAME}/app - targetNamespace: "${APPNAME}" + components: + - ../../../core/storage/volsync/component/ + - ../../../core/flux-system/alerts/template/ dependsOn: - name: ${APPNAME}-db - - name: ${APPNAME}-pvc ---- -apiVersion: kustomize.toolkit.fluxcd.io/v1 -kind: Kustomization -metadata: - name: ${APPNAME}-pvc - namespace: flux-system - labels: &l - app.kubernetes.io/name: "${APPNAME}" - pvc.home.arpa/volsync: "true" -spec: - commonMetadata: - labels: *l - path: ./kube/deploy/core/storage/volsync/template - targetNamespace: "${APPNAME}" - dependsOn: - name: 1-core-storage-volsync-app - - name: 1-core-storage-snapscheduler-app - name: 1-core-storage-rook-ceph-cluster postBuild: substitute: diff --git a/kube/templates/test/kustomization.yaml b/kube/templates/test/kustomization.yaml index 5eeb2657..45bc3673 100644 --- a/kube/templates/test/kustomization.yaml +++ b/kube/templates/test/kustomization.yaml @@ -2,5 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - ns.yaml + # - ns.yaml - ks.yaml
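Review bot: The `pvc.home.arpa/volsync: "true"` label that lived on the deleted `${APPNAME}-pvc` Kustomization is not carried over to the remaining `labels: &l` block, yet the soft-serve ks.yaml hunk in this same commit adds exactly that label to a Kustomization, which suggests something selects on it. If the volsync component relies on it, add `pvc.home.arpa/volsync: "true"` under `labels: &l` in the template; if the component no longer needs it, a comment saying so would stop the next reader from adding it back. The `postBuild:` stanza continues past the hunk.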