fix: cleanup

.gitignore

@@ -1,10 +1,18 @@
 ignore/
+not-done/
+.local/
+.local/*
 kubeconfig
 talosconfig
 clusterconfig/
+**/clusterconfig
+**/clusterconfig/*
+**/cilium/app/bootstrap-install/charts/*
 .pem
 .key
 .pub
 .agekey
 Admins.txt
 GameUserSettings.ini
+*.sops.*.tmp
+*.code-workspace

archive/kube/deploy/apps/zerotier/.sops.yaml

@@ -0,0 +1,7 @@
+creation_rules:
+  - path_regex: .*.yaml
+    encrypted_regex: ^(hosts|host|ZU_DEFAULT_USERNAME|ZU_DEFAULT_PASSWORD|ZU_CONTROLLER_ENDPOINT|nameservers|secretName|commonName|dnsNames|loadBalancerIP|externalIPs|ZT_ALLOW_MANAGEMENT_FROM)$
+    age: >-
+      age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj
+    pgp: >-
+      31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2

archive/kube/deploy/apps/zerotier/1-namespace.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: zerotier
+  labels:
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/enforce-version: v1.26
+    pod-security.kubernetes.io/audit: privileged
+    pod-security.kubernetes.io/audit-version: v1.26
+    pod-security.kubernetes.io/warn: privileged
+    pod-security.kubernetes.io/warn-version: v1.26

archive/kube/deploy/apps/zerotier/2-certs.yaml

@@ -0,0 +1,45 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+    name: vpncert
+    namespace: zerotier
+spec:
+    secretName: ENC[AES256_GCM,data:0hrZ,iv:xxUvw0q2Mu4DKn1+p6Y+mL68Y8D9o4zB/si7jeIYNO8=,tag:nKO3FoGWMOOSni+Dhn92tA==,type:str]
+    issuerRef:
+        name: letsencrypt-production
+        kind: ClusterIssuer
+    commonName: ENC[AES256_GCM,data:ID/wwJqSxffe,iv:9AMufuWk//7wI794F5G62Vv0IlvxDJPjAJh/z3epPVo=,tag:Lsrnu2vP6GpR91fRlkNvLA==,type:str]
+    dnsNames:
+        - ENC[AES256_GCM,data:K4uAzmvDrUU9,iv:iQe4azjqY7IoeXven6UnK/gPuVroibkio/Vph+QgBOI=,tag:c2W7rZSkwv3IwMsGLD9SgQ==,type:str]
+        - ENC[AES256_GCM,data:mJWJHXlj7pZ56xA=,iv:MsxCanR2cQNJmnWApwqxAmn45zQIxlROAVi0wqMhNc4=,tag:7psuoMpPu3kX1w6p3tiz2g==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsNlhwWDgzSW1VSTIraGpQ
+            dGxpU3BjNy9qN3YzYVdKS1g4OEZCSzl1QnprCnErbDcyTmQ5ZTB2czNsbGFWbGcz
+            UlVlZC8yMzMxZ2ZpLzgvWEJsalowZ0EKLS0tIFJDbDg4SlFqZVRObHJTVFVMMjN1
+            WWZzN0VORmh0SlNXWHZRdkNQTjFqOU0KWMCPoge9kKQdNCN3WeAx1QHhit0oEHFT
+            ZCudRntexd0Nrby2OC0KcXOXCH1fTJEQdPD29EjlXTig86QRp/aP7Q==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-03-01T15:32:38Z"
+    mac: ENC[AES256_GCM,data:h7eRRJEnFOLtxwPDO5isAeB8YlAnNuAr03KqkV0syH44Z+C4sXuCdx0LzxI97qLPrifvTFabCbx1gbfKXj0iWbarzaUKGjKVncvDOdqDicntz5XRLtxxr2/JRTiqQTshgGNoAN5gzpAD6yRmxjlGoZ76R87aed47mdchrzA3Jq0=,iv:Y+53dKQjK5JRfIkq4gsepHAx5oBHjVikGBcNY9Qk2nM=,tag:+iSBsZMzQaNZpUccRA4WCw==,type:str]
+    pgp:
+        - created_at: "2023-03-01T15:32:37Z"
+          enc: |
+            -----BEGIN PGP MESSAGE-----
+
+            hF4DAAAAAAAAAAASAQdAhQox1ebxBCSRViomIaf2wSxH/2BtXiAk0wQBOnvwTHEw
+            Ji3mOrg7G4dPzVsiBTNRvhlB848J0+5dV9B2p85BLgyEKljYheG6L78BQp7QILEa
+            0l4Bn9Ev6JtqZuj+9EyXAJJ9RUX9MBdftNOLu399qd4HxdAg4tV+l34SF0C8x/TG
+            ZOKtQYenHEQHygoXuPrip9bnYGruc0d4jNv96S0zeanQx/N/X7vSPAIjTjR9qMBg
+            =7MhE
+            -----END PGP MESSAGE-----
+          fp: 31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2
+    encrypted_regex: ^(hosts|host|ZU_DEFAULT_USERNAME|ZU_DEFAULT_PASSWORD|ZU_CONTROLLER_ENDPOINT|nameservers|secretName|commonName|dnsNames|loadBalancerIP|externalIPs|ZT_ALLOW_MANAGEMENT_FROM)$
+    version: 3.7.3

archive/kube/deploy/apps/zerotier/3-pvc.yaml

@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: zerotier-one
+  namespace: zerotier
+spec:
+  accessModes: ["ReadWriteOnce"]
+  storageClassName: block
+  resources:
+    requests:
+      storage: 1Gi

archive/kube/deploy/apps/zerotier/4-controller.yaml

@@ -0,0 +1,85 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: zerotier-controller
+  namespace: zerotier
+  labels:
+    helm.flux.home.arpa/app-template: "true"
+spec:
+  values:
+    controller:
+      type: statefulset
+      strategy: RollingUpdate
+    fullNameOverride: zerotier-controller
+    image:
+      repository: docker.io/zyclonite/zerotier
+      tag: 1.10.2
+    env:
+      ZT_OVERRIDE_LOCAL_CONF: "true"
+      ZT_ALLOW_MANAGEMENT_FROM: 0.0.0.0/0
+    dnsPolicy: ClusterFirstWithHostNet
+    dnsConfig:
+      options:
+        - name: ndots
+          value: "1"
+    securityContext:
+      capabilities:
+        add:
+          - NET_ADMIN
+          - NET_RAW
+          - SYS_ADMIN
+    nodeSelector:
+      node-restriction.kubernetes.io/nodeType: main
+    service:
+      main:
+        enabled: true
+        primary: true
+      #   type: LoadBalancer
+      #   externalTrafficPolicy: Local
+      #   loadBalancerIP: "${APP_IP_ZEROTIER}"
+      #   externalIPs:
+      #     - "${APP_IP_ZEROTIER}"
+      #   ports:
+      #     http:
+      #       enabled: false
+      #     zerotier-udp:
+      #       enabled: true
+      #       protocol: UDP
+      #       port: 9993
+      #       targetPort: 9993
+      #     zerotier-tcp:
+      #       enabled: true
+      #       protocol: TCP
+      #       port: 9993
+      #       targetPort: 9993
+      # peers:
+      #   enabled: true
+        type: NodePort
+        externalTrafficPolicy: Local
+        ports:
+          http:
+            enabled: false
+          peers-udp:
+            enabled: true
+            protocol: UDP
+            port: 9993
+            targetPort: 9993
+            nodePort: 9993
+          peers-tcp:
+            enabled: true
+            protocol: TCP
+            port: 9993
+            targetPort: 9993
+            nodePort: 9993
+    persistence:
+      zerotier-one:
+        enabled: true
+        type: pvc
+        mountPath: /var/lib/zerotier-one
+        retain: true
+        existingClaim: zerotier-one
+      tun:
+        enabled: true
+        type: hostPath
+        hostPath: /dev/net/tun
+        readOnly: true

archive/kube/deploy/apps/zerotier/5-ui.yaml

@@ -0,0 +1,62 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: zerotier-ui
+  namespace: zerotier
+  labels:
+    helm.flux.home.arpa/app-template: "true"
+spec:
+  values:
+    controller:
+      type: statefulset
+      strategy: RollingUpdate
+    fullNameOverride: zerotier-ui
+    image:
+      repository: docker.io/dec0dos/zero-ui
+      tag: 1.5.1
+    env:
+      ZU_CONTROLLER_ENDPOINT: "${CONFIG_ZEROTIER_ENDPOINT}"
+      ZU_SECURE_HEADERS: "true"
+      ZU_DEFAULT_USERNAME: "${SECRET_ZEROTIER_UI_USERNAME}"
+      ZU_DEFAULT_PASSWORD: "${SECRET_ZEROTIER_UI_PASSWORD}"
+    nodeSelector:
+      node-restriction.kubernetes.io/nodeType: main
+    # dnsPolicy: None
+    dnsConfig:
+      options:
+        - name: ndots
+          value: "1"
+    service:
+      main:
+        ports:
+          http:
+            port: 4000
+    ingress:
+      main:
+        enabled: true
+        ingressClassName: nginx
+        hosts:
+          - host: "${APP_DNS_ZEROTIER}"
+            paths:
+            - path: /
+              pathType: Prefix
+        tls:
+          - hosts:
+            - "${APP_DNS_ZEROTIER}"
+            secretName: vpn
+    persistence:
+      zerotier-one:
+        enabled: true
+        type: pvc
+        mountPath: /var/lib/zerotier-one
+        retain: true
+        existingClaim: zerotier-one
+      zerotier-ui-data:
+        enabled: true
+        type: pvc
+        mountPath: /app/backend/data
+        readOnly: false
+        accessMode: ReadWriteOnce
+        storageClass: block
+        size: 1Gi
+        retain: true

archive/kube/deploy/apps/zerotier/ks-unfinished.yaml

@@ -0,0 +1,10 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: biohazard-2-apps-zerotier
+  namespace: flux-system
+spec:
+  path: ./kube/3-deploy/2-apps/zerotier
+  dependsOn:
+    - name: biohazard-1-core-05-ingress-nginx

archive/kube/deploy/apps/zerotier/kustomization.yaml

@@ -0,0 +1,9 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - 1-namespace.yaml
+  - 2-certs.yaml
+  - 3-pvc.yaml
+  - 4-controller.yaml
+  - 5-ui.yaml

archive/kube/deploy/core/ingress/external/install.yaml

@@ -0,0 +1,82 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: external
+  namespace: ingress
+spec:
+  chart:
+    spec:
+      chart: haproxy
+      version: 1.18.0
+      sourceRef:
+        name: haproxytech
+  values:
+    image:
+      repository: haproxytech/haproxy-debian
+      tag: "2.6.9"
+      pullPolicy: IfNotPresent
+    kind: DaemonSet
+    nodeSelector:
+      node-restriction.kubernetes.io/nodeType: awsIngress
+    tolerations:
+      - key: nodeType.jj
+        operator: Equal
+        value: awsIngress
+        effect: NoSchedule
+    containerPorts:
+      http: 80
+      https: 443
+    config: |
+      global
+        log stdout format raw local0 debug
+
+      defaults
+        mode tcp
+        log global
+        option tcplog
+        timeout client 30s
+        timeout connect 4s
+        timeout server 30s
+        retries 3
+
+      frontend https
+         mode tcp
+         bind :443
+         default_backend https_servers
+
+      backend https_servers
+         mode tcp
+         server internalnginx ingress-nginx-controller.ingress.svc.cluster.local:20443 send-proxy-v2
+
+      frontend http
+         mode tcp
+         bind :80
+         default_backend http_servers
+
+      backend http_servers
+         mode tcp
+         server internalnginx ingress-nginx-controller.ingress.svc.cluster.local:20080 send-proxy-v2
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: external
+  namespace: ingress
+spec:
+  externalTrafficPolicy: Local
+  ports:
+    - name: http
+      port: 80
+      protocol: TCP
+      targetPort: 80
+      nodePort: 80
+    - name: https
+      port: 443
+      protocol: TCP
+      targetPort: 443
+      nodePort: 443
+  selector:
+    app.kubernetes.io/instance: external
+    app.kubernetes.io/name: haproxy
+  type: NodePort

kube/deploy/core/monitoring/_deps/netpol.yaml

@@ -0,0 +1,53 @@
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: &app monitoring
+  namespace: *app
+spec:
+  endpointSelector: {}
+  ingress:
+    # same namespace
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: *app
+    # node-exporter
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: node-exporter
+    # kube-system
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: kube-system
+    # ingress controller
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: ingress
+            app.kubernetes.io/instance: ingress-nginx
+            app.kubernetes.io/name: ingress-nginx
+    # home network
+    - fromCIDRSet:
+        - cidr: "10.0.0.0/8"
+        - cidr: "${IP_WG_USER_1_V4}"
+    # from kubernetes
+    - fromEntities:
+        - kube-apiserver
+        - host
+        - cluster # temporary
+  egress:
+    # same namespace
+    - toEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: *app
+    # node-exporter
+    - toEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: node-exporter
+    # kube-system
+    - toEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: kube-system
+    # internet access & cluster access
+    - toEntities:
+        - world # temporary
+        - cluster # temporary