diff --git a/.gitignore b/.gitignore
index 1db5d124..3c8c282c 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,10 +1,18 @@
 ignore/
+not-done/
+.local/
+.local/*
 kubeconfig
 talosconfig
 clusterconfig/
+**/clusterconfig
+**/clusterconfig/*
+**/cilium/app/bootstrap-install/charts/*
 .pem
 .key
 .pub
 .agekey
 Admins.txt
 GameUserSettings.ini
+*.sops.*.tmp
+*.code-workspace
diff --git a/archive/kube/deploy/apps/zerotier/.sops.yaml b/archive/kube/deploy/apps/zerotier/.sops.yaml
new file mode 100644
index 00000000..e5de3de3
--- /dev/null
+++ b/archive/kube/deploy/apps/zerotier/.sops.yaml
@@ -0,0 +1,7 @@
+creation_rules:
+ - path_regex: .*.yaml
+ encrypted_regex: ^(hosts|host|ZU_DEFAULT_USERNAME|ZU_DEFAULT_PASSWORD|ZU_CONTROLLER_ENDPOINT|nameservers|secretName|commonName|dnsNames|loadBalancerIP|externalIPs|ZT_ALLOW_MANAGEMENT_FROM)$
+ age: >-
+ age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj
+ pgp: >-
+ 31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2
diff --git a/archive/kube/deploy/apps/zerotier/1-namespace.yaml b/archive/kube/deploy/apps/zerotier/1-namespace.yaml
new file mode 100644
index 00000000..b261277b
--- /dev/null
+++ b/archive/kube/deploy/apps/zerotier/1-namespace.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: zerotier
+ labels:
+ pod-security.kubernetes.io/enforce: privileged
+ pod-security.kubernetes.io/enforce-version: v1.26
+ pod-security.kubernetes.io/audit: privileged
+ pod-security.kubernetes.io/audit-version: v1.26
+ pod-security.kubernetes.io/warn: privileged
+ pod-security.kubernetes.io/warn-version: v1.26
diff --git a/archive/kube/deploy/apps/zerotier/2-certs.yaml b/archive/kube/deploy/apps/zerotier/2-certs.yaml
new file mode 100644
index 00000000..46a0b0a3
--- /dev/null
+++ b/archive/kube/deploy/apps/zerotier/2-certs.yaml
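Review bot: `.local/` together with `.local/*`, and `**/clusterconfig` together with `**/clusterconfig/*`, are redundant pairs among the new entries — a directory pattern already excludes everything beneath it, so one entry of each pair can be dropped. Separately, the surrounding `.pem`, `.key`, `.pub` and `.agekey` context lines carry no `*`, so they appear to match only files literally named `.pem` and so on rather than any key file; if the intent is to keep key material out of the repository, changing them to `*.pem`, `*.key`, `*.pub` and `*.agekey` in a follow-up would close that gap.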
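Review bot: `path_regex: .*.yaml` is unanchored and the `.` before `yaml` matches any character, so it also matches a name such as `notes-yaml.bak` or any path that merely contains `yaml`; `path_regex: '.*\.ya?ml$'` states the intent exactly. Because `encrypted_regex` is an allow-list, every key not in it is committed in plaintext — and `ZT_ALLOW_MANAGEMENT_FROM`, which is listed here, appears unencrypted in 4-controller.yaml later in this commit, so either that file should go through sops as well or the key should be removed from this list so the rule reflects what is actually protected.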
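Review bot: All three Pod Security Admission modes are set to `privileged`, which switches the checks off for the whole namespace rather than admitting only the one workload that needs it (4-controller.yaml adds `NET_ADMIN`, `NET_RAW` and `SYS_ADMIN`, so `enforce` presumably has to stay at `privileged`). `audit` and `warn` block nothing, so setting `pod-security.kubernetes.io/audit: baseline` and `pod-security.kubernetes.io/warn: baseline` would keep the pods deployable while logging, and surfacing at apply time, any extra privilege the UI pod or a future change picks up.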
@@ -0,0 +1,45 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: vpncert
+ namespace: zerotier
+spec:
+ secretName: ENC[AES256_GCM,data:0hrZ,iv:xxUvw0q2Mu4DKn1+p6Y+mL68Y8D9o4zB/si7jeIYNO8=,tag:nKO3FoGWMOOSni+Dhn92tA==,type:str]
+ issuerRef:
+ name: letsencrypt-production
+ kind: ClusterIssuer
+ commonName: ENC[AES256_GCM,data:ID/wwJqSxffe,iv:9AMufuWk//7wI794F5G62Vv0IlvxDJPjAJh/z3epPVo=,tag:Lsrnu2vP6GpR91fRlkNvLA==,type:str]
+ dnsNames:
+ - ENC[AES256_GCM,data:K4uAzmvDrUU9,iv:iQe4azjqY7IoeXven6UnK/gPuVroibkio/Vph+QgBOI=,tag:c2W7rZSkwv3IwMsGLD9SgQ==,type:str]
+ - ENC[AES256_GCM,data:mJWJHXlj7pZ56xA=,iv:MsxCanR2cQNJmnWApwqxAmn45zQIxlROAVi0wqMhNc4=,tag:7psuoMpPu3kX1w6p3tiz2g==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age:
+ - recipient: age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBsNlhwWDgzSW1VSTIraGpQ
+ dGxpU3BjNy9qN3YzYVdKS1g4OEZCSzl1QnprCnErbDcyTmQ5ZTB2czNsbGFWbGcz
+ UlVlZC8yMzMxZ2ZpLzgvWEJsalowZ0EKLS0tIFJDbDg4SlFqZVRObHJTVFVMMjN1
+ WWZzN0VORmh0SlNXWHZRdkNQTjFqOU0KWMCPoge9kKQdNCN3WeAx1QHhit0oEHFT
+ ZCudRntexd0Nrby2OC0KcXOXCH1fTJEQdPD29EjlXTig86QRp/aP7Q==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2023-03-01T15:32:38Z"
+ mac: ENC[AES256_GCM,data:h7eRRJEnFOLtxwPDO5isAeB8YlAnNuAr03KqkV0syH44Z+C4sXuCdx0LzxI97qLPrifvTFabCbx1gbfKXj0iWbarzaUKGjKVncvDOdqDicntz5XRLtxxr2/JRTiqQTshgGNoAN5gzpAD6yRmxjlGoZ76R87aed47mdchrzA3Jq0=,iv:Y+53dKQjK5JRfIkq4gsepHAx5oBHjVikGBcNY9Qk2nM=,tag:+iSBsZMzQaNZpUccRA4WCw==,type:str]
+ pgp:
+ - created_at: "2023-03-01T15:32:37Z"
+ enc: |
+ -----BEGIN PGP MESSAGE-----
+
+ hF4DAAAAAAAAAAASAQdAhQox1ebxBCSRViomIaf2wSxH/2BtXiAk0wQBOnvwTHEw
+ Ji3mOrg7G4dPzVsiBTNRvhlB848J0+5dV9B2p85BLgyEKljYheG6L78BQp7QILEa
+ 0l4Bn9Ev6JtqZuj+9EyXAJJ9RUX9MBdftNOLu399qd4HxdAg4tV+l34SF0C8x/TG
+ ZOKtQYenHEQHygoXuPrip9bnYGruc0d4jNv96S0zeanQx/N/X7vSPAIjTjR9qMBg
+ =7MhE
+ -----END PGP MESSAGE-----
+ fp: 31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2
+ encrypted_regex: ^(hosts|host|ZU_DEFAULT_USERNAME|ZU_DEFAULT_PASSWORD|ZU_CONTROLLER_ENDPOINT|nameservers|secretName|commonName|dnsNames|loadBalancerIP|externalIPs|ZT_ALLOW_MANAGEMENT_FROM)$
+ version: 3.7.3
diff --git a/archive/kube/deploy/apps/zerotier/3-pvc.yaml b/archive/kube/deploy/apps/zerotier/3-pvc.yaml
new file mode 100644
index 00000000..47e86121
--- /dev/null
+++ b/archive/kube/deploy/apps/zerotier/3-pvc.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: zerotier-one
+ namespace: zerotier
+spec:
+ accessModes: ["ReadWriteOnce"]
+ storageClassName: block
+ resources:
+ requests:
+ storage: 1Gi
diff --git a/archive/kube/deploy/apps/zerotier/4-controller.yaml b/archive/kube/deploy/apps/zerotier/4-controller.yaml
new file mode 100644
index 00000000..d75f1819
--- /dev/null
+++ b/archive/kube/deploy/apps/zerotier/4-controller.yaml
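Review bot: `spec.secretName` is encrypted in this file, but 5-ui.yaml's ingress `tls` block references the same secret in plaintext (`secretName: vpn`), and the two values presumably have to match for the issued certificate to serve that ingress, so encrypting it here adds no confidentiality while making the two files harder to keep in sync. Either drop `secretName` from `encrypted_regex` in `.sops.yaml` (and from the mirrored `sops.encrypted_regex` here) or encrypt the 5-ui.yaml value as well. This manifest also lacks the `---` document start that 1-namespace.yaml and 3-pvc.yaml use.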
@@ -0,0 +1,85 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: zerotier-controller
+ namespace: zerotier
+ labels:
+ helm.flux.home.arpa/app-template: "true"
+spec:
+ values:
+ controller:
+ type: statefulset
+ strategy: RollingUpdate
+ fullNameOverride: zerotier-controller
+ image:
+ repository: docker.io/zyclonite/zerotier
+ tag: 1.10.2
+ env:
+ ZT_OVERRIDE_LOCAL_CONF: "true"
+ ZT_ALLOW_MANAGEMENT_FROM: 0.0.0.0/0
+ dnsPolicy: ClusterFirstWithHostNet
+ dnsConfig:
+ options:
+ - name: ndots
+ value: "1"
+ securityContext:
+ capabilities:
+ add:
+ - NET_ADMIN
+ - NET_RAW
+ - SYS_ADMIN
+ nodeSelector:
+ node-restriction.kubernetes.io/nodeType: main
+ service:
+ main:
+ enabled: true
+ primary: true
+ # type: LoadBalancer
+ # externalTrafficPolicy: Local
+ # loadBalancerIP: "${APP_IP_ZEROTIER}"
+ # externalIPs:
+ # - "${APP_IP_ZEROTIER}"
+ # ports:
+ # http:
+ # enabled: false
+ # zerotier-udp:
+ # enabled: true
+ # protocol: UDP
+ # port: 9993
+ # targetPort: 9993
+ # zerotier-tcp:
+ # enabled: true
+ # protocol: TCP
+ # port: 9993
+ # targetPort: 9993
+ # peers:
+ # enabled: true
+ type: NodePort
+ externalTrafficPolicy: Local
+ ports:
+ http:
+ enabled: false
+ peers-udp:
+ enabled: true
+ protocol: UDP
+ port: 9993
+ targetPort: 9993
+ nodePort: 9993
+ peers-tcp:
+ enabled: true
+ protocol: TCP
+ port: 9993
+ targetPort: 9993
+ nodePort: 9993
+ persistence:
+ zerotier-one:
+ enabled: true
+ type: pvc
+ mountPath: /var/lib/zerotier-one
+ retain: true
+ existingClaim: zerotier-one
+ tun:
+ enabled: true
+ type: hostPath
+ hostPath: /dev/net/tun
+ readOnly: true
diff --git a/archive/kube/deploy/apps/zerotier/5-ui.yaml b/archive/kube/deploy/apps/zerotier/5-ui.yaml
new file mode 100644
index 00000000..32038ec6
--- /dev/null
+++ b/archive/kube/deploy/apps/zerotier/5-ui.yaml
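Review bot: `ZT_ALLOW_MANAGEMENT_FROM: 0.0.0.0/0` tells zerotier-one to accept management API calls from any source address, and if, as with stock zerotier-one, the control plane listens on the same 9993 TCP port that `peers-tcp` publishes as a `NodePort`, that API becomes reachable from outside the cluster with only the auth token in the way — and the value sits in plaintext even though `.sops.yaml` lists the key in `encrypted_regex`. Narrow it to the range the zerotier-ui pod actually connects from, e.g. `ZT_ALLOW_MANAGEMENT_FROM: "<pod-cidr-placeholder>"`, or shield the port with a NetworkPolicy; peer traffic on 9993 does not depend on this setting. `nodePort: 9993` is also outside the default 30000-32767 range, so this manifest only applies on a cluster whose `--service-node-port-range` has been widened (the same applies to 80/443 in install.yaml). `SYS_ADMIN` is a very broad capability; it is worth verifying that the image needs more than `NET_ADMIN`/`NET_RAW` for the tun device before keeping it.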
@@ -0,0 +1,62 @@
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: zerotier-ui
+ namespace: zerotier
+ labels:
+ helm.flux.home.arpa/app-template: "true"
+spec:
+ values:
+ controller:
+ type: statefulset
+ strategy: RollingUpdate
+ fullNameOverride: zerotier-ui
+ image:
+ repository: docker.io/dec0dos/zero-ui
+ tag: 1.5.1
+ env:
+ ZU_CONTROLLER_ENDPOINT: "${CONFIG_ZEROTIER_ENDPOINT}"
+ ZU_SECURE_HEADERS: "true"
+ ZU_DEFAULT_USERNAME: "${SECRET_ZEROTIER_UI_USERNAME}"
+ ZU_DEFAULT_PASSWORD: "${SECRET_ZEROTIER_UI_PASSWORD}"
+ nodeSelector:
+ node-restriction.kubernetes.io/nodeType: main
+ # dnsPolicy: None
+ dnsConfig:
+ options:
+ - name: ndots
+ value: "1"
+ service:
+ main:
+ ports:
+ http:
+ port: 4000
+ ingress:
+ main:
+ enabled: true
+ ingressClassName: nginx
+ hosts:
+ - host: "${APP_DNS_ZEROTIER}"
+ paths:
+ - path: /
+ pathType: Prefix
+ tls:
+ - hosts:
+ - "${APP_DNS_ZEROTIER}"
+ secretName: vpn
+ persistence:
+ zerotier-one:
+ enabled: true
+ type: pvc
+ mountPath: /var/lib/zerotier-one
+ retain: true
+ existingClaim: zerotier-one
+ zerotier-ui-data:
+ enabled: true
+ type: pvc
+ mountPath: /app/backend/data
+ readOnly: false
+ accessMode: ReadWriteOnce
+ storageClass: block
+ size: 1Gi
+ retain: true
diff --git a/archive/kube/deploy/apps/zerotier/ks-unfinished.yaml b/archive/kube/deploy/apps/zerotier/ks-unfinished.yaml
new file mode 100644
index 00000000..7fe55dba
--- /dev/null
+++ b/archive/kube/deploy/apps/zerotier/ks-unfinished.yaml
@@ -0,0 +1,10 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+ name: biohazard-2-apps-zerotier
+ namespace: flux-system
+spec:
+ path: ./kube/3-deploy/2-apps/zerotier
+ dependsOn:
+ - name: biohazard-1-core-05-ingress-nginx
\ No newline at end of file
diff --git a/archive/kube/deploy/apps/zerotier/kustomization.yaml b/archive/kube/deploy/apps/zerotier/kustomization.yaml
new file mode 100644
index 00000000..ea35c845
--- /dev/null
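Review bot: The `zerotier-one` persistence entry mounts the controller's `/var/lib/zerotier-one` claim read-write in the UI pod while 4-controller.yaml mounts the same `ReadWriteOnce` claim; RWO only forces both pods onto one node (both releases pin to `nodeType: main`), it does not stop two writers on the controller's state directory, which holds its identity and network database. If the UI only needs to read the controller's auth token from that directory — presumably why it is mounted — add `readOnly: true` to that entry, as the `zerotier-ui-data` entry already demonstrates the key. The stale `# dnsPolicy: None` comment can also be removed.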
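Review bot: The Kustomization omits fields Flux requires or that these resources depend on: `spec.sourceRef` and `spec.interval` are mandatory in `kustomize.toolkit.fluxcd.io/v1beta2`, `kustomization.yaml` pulls in the sops-encrypted `2-certs.yaml` so a `decryption` block (`provider: sops` plus a `secretRef` to the key secret, `<sops-key-secret-placeholder>`) is needed, and the `${...}` placeholders in 4-controller.yaml and 5-ui.yaml need `postBuild.substituteFrom`. Its `path: ./kube/3-deploy/2-apps/zerotier` also no longer matches where these files live (`archive/kube/deploy/apps/zerotier`), and the file has no trailing newline. If it is kept as a placeholder, a comment at the top saying so would stop it being applied by mistake.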
+++ b/archive/kube/deploy/apps/zerotier/kustomization.yaml
@@ -0,0 +1,9 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - 1-namespace.yaml
+ - 2-certs.yaml
+ - 3-pvc.yaml
+ - 4-controller.yaml
+ - 5-ui.yaml
diff --git a/archive/kube/deploy/core/ingress/external/install.yaml b/archive/kube/deploy/core/ingress/external/install.yaml
new file mode 100644
index 00000000..0d68ccd2
--- /dev/null
+++ b/archive/kube/deploy/core/ingress/external/install.yaml
@@ -0,0 +1,82 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+ name: external
+ namespace: ingress
+spec:
+ chart:
+ spec:
+ chart: haproxy
+ version: 1.18.0
+ sourceRef:
+ name: haproxytech
+ values:
+ image:
+ repository: haproxytech/haproxy-debian
+ tag: "2.6.9"
+ pullPolicy: IfNotPresent
+ kind: DaemonSet
+ nodeSelector:
+ node-restriction.kubernetes.io/nodeType: awsIngress
+ tolerations:
+ - key: nodeType.jj
+ operator: Equal
+ value: awsIngress
+ effect: NoSchedule
+ containerPorts:
+ http: 80
+ https: 443
+ config: |
+ global
+ log stdout format raw local0 debug
+
+ defaults
+ mode tcp
+ log global
+ option tcplog
+ timeout client 30s
+ timeout connect 4s
+ timeout server 30s
+ retries 3
+
+ frontend https
+ mode tcp
+ bind :443
+ default_backend https_servers
+
+ backend https_servers
+ mode tcp
+ server internalnginx ingress-nginx-controller.ingress.svc.cluster.local:20443 send-proxy-v2
+
+ frontend http
+ mode tcp
+ bind :80
+ default_backend http_servers
+
+ backend http_servers
+ mode tcp
+ server internalnginx ingress-nginx-controller.ingress.svc.cluster.local:20080 send-proxy-v2
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: external
+ namespace: ingress
+spec:
+ externalTrafficPolicy: Local
+ ports:
+ - name: http
+ port: 80
+ protocol: TCP
+ targetPort: 80
+ nodePort: 80
+ - name: https
+ port: 443
+ protocol: TCP
+ targetPort: 443
+ nodePort: 443
+ selector:
+ app.kubernetes.io/instance: external
+ app.kubernetes.io/name: haproxy
+ type: NodePort
diff --git a/kube/deploy/core/monitoring/_deps/netpol.yaml b/kube/deploy/core/monitoring/_deps/netpol.yaml
new file mode 100644
index 00000000..51d8878a
--- /dev/null
+++ b/kube/deploy/core/monitoring/_deps/netpol.yaml
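Review bot: Both backends forward with `send-proxy-v2`, so the ingress-nginx listeners on 20443/20080 must accept PROXY protocol, and whatever accepts it will trust the client address carried in that header; those are ordinary in-cluster service ports, so unless a NetworkPolicy restricts 20080/20443 to this HAProxy DaemonSet's pods, any workload in the cluster could reach them and present a source IP of its choosing to ingress-nginx's logs and allow-lists. `log stdout format raw local0 debug` also leaves debug-level logging on permanently; `info` is the usual level outside troubleshooting. `nodePort: 80` and `nodePort: 443` sit outside the default 30000-32767 range and so depend on a widened `--service-node-port-range` on the API server, and `chart.spec.sourceRef` gives only a `name` where Flux also expects a `kind` (`HelmRepository`) unless a patch elsewhere supplies it.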
@@ -0,0 +1,53 @@
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+ name: &app monitoring
+ namespace: *app
+spec:
+ endpointSelector: {}
+ ingress:
+ # same namespace
+ - fromEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: *app
+ # node-exporter
+ - fromEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: node-exporter
+ # kube-system
+ - fromEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: kube-system
+ # ingress controller
+ - fromEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: ingress
+ app.kubernetes.io/instance: ingress-nginx
+ app.kubernetes.io/name: ingress-nginx
+ # home network
+ - fromCIDRSet:
+ - cidr: "10.0.0.0/8"
+ - cidr: "${IP_WG_USER_1_V4}"
+ # from kubernetes
+ - fromEntities:
+ - kube-apiserver
+ - host
+ - cluster # temporary
+ egress:
+ # same namespace
+ - toEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: *app
+ # node-exporter
+ - toEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: node-exporter
+ # kube-system
+ - toEndpoints:
+ - matchLabels:
+ io.kubernetes.pod.namespace: kube-system
+ # internet access & cluster access
+ - toEntities:
+ - world # temporary
+ - cluster # temporary
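Review bot: The three `# temporary` entries — `cluster` under ingress `fromEntities`, and `world` plus `cluster` under egress `toEntities` — make the rest of the policy redundant: `cluster` already covers every in-cluster endpoint and `world` every address outside it, so the effective result is allow-all in both directions despite the carefully scoped namespace rules above them. If they are needed for now, leave a tracking reference in the comment and scope the egress to what monitoring actually requires (a `toFQDNs` rule naming the remote endpoints, or `toEntities: [world]` combined with `toPorts` limited to 443), then drop `cluster` once the per-namespace rules are confirmed sufficient. `fromCIDRSet` with `10.0.0.0/8` is also broad for "home network"; the actual LAN prefix would be tighter.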