feat: add satisfactory

kube/1-clusters/Biohazard/2-config/4-vars.yaml

@@ -74,6 +74,8 @@ data:
     APP_DNS_GOKAPI: ENC[AES256_GCM,data:1AI66ICh7pPsij2IpZJ7V9HcFMc6,iv:r+E2tkEPawLDWpE+OiJ6dNM/RrxhlP7NH+CjwAxhhYE=,tag:QfmCosR+J2fTV66AAelOjw==,type:str]
     APP_IP_SANDSTORM: ENC[AES256_GCM,data:2V+Dy1c3hOepKEo=,iv:l1nv+BrnEjsrvdONhBY9EgA8lSO2Nmtdr7Ktl9twfT4=,tag:ls8DbeJnvdwZhUA+deP02Q==,type:str]
     APP_DNS_SANDSTORM: ENC[AES256_GCM,data:dc/OufmvPkYMRg==,iv:8GUBWGGdEJ5A+wYFaLJljYYn3hUlpH9/cGy6641GDEw=,tag:gE3j/iytsqPKUm+R1g3suQ==,type:str]
+    APP_IP_SATISFACTORY: ENC[AES256_GCM,data:lpwAYR7CuX40NEI=,iv:OCSlGR42+Zpsi/CHuyFMIE2aY+jGN4E0slFf2/Ei3oU=,tag:cw1eROYU8V3rGG5ltyFvJQ==,type:str]
+    APP_UID_SATISFACTORY: ENC[AES256_GCM,data:eWxuUyI=,iv:Hs3xHdm/ewF0BnGOYK6XgQM43LDhngtZXvna7XTDiok=,tag:J7SDzgEroyl2wje9XsprQQ==,type:str]
     APP_IP_SYNCTHING_USER_1: ENC[AES256_GCM,data:3jh9VglVsJCWzHF1,iv:dwpjZjETiFIuRXBSutygAyA2R4EpYas0oT8kI+YF320=,tag:DdA1SZ3DJKJ7tXsPJ6B/dw==,type:str]
     APP_DNS_SYNCTHING_USER_1: ENC[AES256_GCM,data:xvLsX+wvGgOdQOc=,iv:/f77W1vUGI2FHvG4hsvzXCJWiinRKzapU0OHC8vZ1ac=,tag:oHjNluzCh7lDUEHaxW2YWg==,type:str]
     APP_DNS_AUTH: ENC[AES256_GCM,data:A67gznl/VxXxPiMh9zH1fa8VQA==,iv:oCCxFDb7Uo+AfXtuOf8L8Cukm4VAWzL92w8VgJp40dM=,tag:xFCS9csJIFvJ9XufVrq4Rg==,type:str]
@@ -115,8 +117,8 @@ sops:
             SnpvS3RUUlFMM1dUNGZQNkVqQ2VqNDAKywch6CgtS1AFLYxfML5dB7/5V6qZ0ob1
             63vBpqjOza3EqvfNKo+UMtK/fRK0Q5jlpuI+0/z9VrxzKEWsgUCBVQ==
             -----END AGE ENCRYPTED FILE-----
-    lastmodified: "2023-05-18T13:42:34Z"
-    mac: ENC[AES256_GCM,data:hKTOr/5GtEOA9iGZQI8zUNku3+KPvVXr8K3yoCzyLi8cDhvZnrsqw9AxHsvnUwoKrG3JfRlcN9JY9JTv7qBHFB1Vh/5yB4sdqFdf4d9gOJ5jo6X90yrZOvJnO4Eng2EljFS/NCfJTAjTokNWS0dt5eH6ve6Pi066Ut2PpNcgjIU=,iv:OXeEp2gFWvI/RWulrMo6R/B7shf4yp91Uec82o2gxZA=,tag:sAwo8w2LBlmflzROtVqovg==,type:str]
+    lastmodified: "2023-05-26T19:05:04Z"
+    mac: ENC[AES256_GCM,data:euvBtynehSA4dVwQ3CFuMoW3XNqLoTARdUawwNaWtobVNqu5G9WPkw5cY048qPkGvUPLzYGS/cURs1dKXFKPoKknjsR0K8AdbqI9jMHKy6wsnZ5aILmAQyO5FF7zS6q7TLCIDMA9BdjrEPp2RHT66SaN5W2qmImtm7724FC27p0=,iv:Cf4Up6FbbbpP9mZ8T6xPTbdgnefhDVnKixaYmQqj0hw=,tag:nhonVbmgWX5JQQDkzICX3Q==,type:str]
     pgp:
         - created_at: "2023-02-22T08:12:31Z"
           enc: |

kube/1-clusters/Biohazard/2-config/kustomization.yaml

@@ -22,6 +22,7 @@ resources:
   - ../../../3-deploy/2-apps/velociraptor/
   - ../../../3-deploy/2-apps/gotosocial/
   - ../../../3-deploy/2-apps/ntfy/
+  - ../../../3-deploy/2-apps/satisfactory/
 patches:
   - patch: |-
       apiVersion: kustomize.toolkit.fluxcd.io/v1beta2

kube/3-deploy/2-apps/satisfactory/app/hr.yaml

@@ -0,0 +1,87 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: &app satisfactory
+  namespace: *app
+spec:
+  chart:
+    spec:
+      chart: app-template
+      version: 1.5.0
+      sourceRef:
+        name: bjw-s
+        kind: HelmRepository
+        namespace: flux-system
+  values:
+    controller:
+      type: statefulset
+    image:
+      repository: docker.io/wolveix/satisfactory-server
+      tag: v1.4.8@sha256:56ca73cb8a64e7bedfe0b72c9490ce1d32e547a16c753ffcb7e96c8364e8c348
+    podSecurityContext:
+      runAsUser: &uid ${APP_UID_SATISFACTORY}
+      runAsGroup: *uid
+      fsGroup: *uid
+      fsGroupChangePolicy: Always
+    env:
+      TZ: "${CONFIG_TZ}"
+      AUTOPAUSE: "true"
+      AUTOSAVEINTERVAL: "60"
+      AUTOSAVENUM: "60"
+      AUTOSAVEONDISCONNECT: "true"
+      CRASHREPORT: "false"
+      MAXPLAYERS: "4"
+      MAXTICKRATE: "120" # default is a low 30
+      NETWORKQUALITY: "3" # 0-3, 3 is Ultra (default)
+      PGID: *uid
+      PUID: *uid
+      TIMEOUT: "300"
+    service:
+      main:
+        enabled: true
+        type: LoadBalancer
+        externalTrafficPolicy: Cluster
+        annotations:
+          "io.cilium/lb-ipam-ips": "${APP_IP_SATISFACTORY}"
+        ports:
+          http:
+            enabled: false
+            primary: false
+          query:
+            enabled: true
+            port: 15777
+            protocol: UDP
+          beacon:
+            enabled: true
+            port: 15000
+            protocol: UDP
+          game:
+            enabled: true
+            primary: true
+            port: 7777
+            protocol: UDP
+    probes:
+      startup:
+        enabled: false
+      liveness:
+        enabled: false
+      readiness:
+        enabled: false
+    volumeClaimTemplates:
+      - name: data
+        mountPath: /config
+        accessMode: ReadWriteOnce
+        size: 10Gi
+        storageClass: block
+      - name: runtime
+        mountPath: /config/gamefiles
+        accessMode: ReadWriteOnce
+        size: 50Gi
+        storageClass: block
+    resources:
+      requests:
+        cpu: 200m
+        memory: 6740Mi
+      # limits:
+      #   memory: 6000Mi

kube/3-deploy/2-apps/satisfactory/app/netpol.yaml

@@ -0,0 +1,45 @@
+---
+apiVersion: cilium.io/v2
+kind: CiliumNetworkPolicy
+metadata:
+  name: &app satisfactory
+  namespace: *app
+spec:
+  endpointSelector: {}
+  ingress:
+    # same namespace
+    - fromEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: *app
+    # players
+    - fromCIDRSet:
+        - cidr: "${IP_ROUTER_LAN_CIDR}"
+        - cidr: "${IP_WG_USER_1_V4}"
+        - cidr: "${IP_WG_GUEST_V4}"
+      toPorts:
+        - ports:
+            - port: "7777"
+              protocol: UDP
+            - port: "15000"
+              protocol: UDP
+            - port: "15777"
+              protocol: UDP
+  egress:
+    # same namespace
+    - toEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: *app
+    # allow downloading game runtime files
+    - toEntities:
+        - world
+    # L7 DNS inspection & proxy
+    - toEndpoints:
+        - matchLabels:
+            io.kubernetes.pod.namespace: kube-system
+            k8s-app: kube-dns
+      toPorts:
+        - ports:
+            - port: "53"
+          rules:
+            dns:
+              - matchPattern: "*"

kube/3-deploy/2-apps/satisfactory/app/volsync.yaml

@@ -0,0 +1,36 @@
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: satisfactory-restic
+  namespace: satisfactory
+type: Opaque
+stringData:
+  RESTIC_REPOSITORY: ${SECRET_VOLSYNC_R2_REPO}/satisfactory
+  RESTIC_PASSWORD: ${SECRET_VOLSYNC_PASSWORD}
+  AWS_ACCESS_KEY_ID: ${SECRET_VOLSYNC_R2_ID}
+  AWS_SECRET_ACCESS_KEY: ${SECRET_VOLSYNC_R2_KEY}
+---
+apiVersion: volsync.backube/v1alpha1
+kind: ReplicationSource
+metadata:
+  name: satisfactory-restic
+  namespace: satisfactory
+spec:
+  sourcePVC: data-satisfactory-0
+  trigger:
+    schedule: "0 6 * * *"
+  restic:
+    copyMethod: Snapshot
+    pruneIntervalDays: 14
+    repository: satisfactory-restic
+    cacheCapacity: 2Gi
+    volumeSnapshotClassName: block
+    storageClassName: block
+    moverSecurityContext:
+      runAsUser: ${APP_UID_SATISFACTORY}
+      runAsGroup: ${APP_UID_SATISFACTORY}
+      fsGroup: ${APP_UID_SATISFACTORY}
+    retain:
+      daily: 14
+      within: 7d

kube/3-deploy/2-apps/satisfactory/ks.yaml

@@ -0,0 +1,17 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
+kind: Kustomization
+metadata:
+  name: satisfactory-app
+  namespace: flux-system
+spec:
+  path: ./kube/3-deploy/2-apps/satisfactory/app
+  dependsOn:
+    - name: ${CLUSTER_NAME_LOWER}-1-core-02-storage-rook-ceph
+    - name: ${CLUSTER_NAME_LOWER}-1-core-04-dns-internal
+    #- name: ${CLUSTER_NAME_LOWER}-2-apps-volsync
+  healthChecks:
+    - name: satisfactory
+      namespace: satisfactory
+      kind: HelmRelease
+      apiVersion: helm.toolkit.fluxcd.io/v2beta1

kube/3-deploy/2-apps/satisfactory/kustomization.yaml

@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ns.yaml
+  - ks.yaml

kube/3-deploy/2-apps/satisfactory/ns.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: satisfactory