mirror of
https://github.com/outbackdingo/Biohazard.git
synced 2026-01-28 02:18:24 +00:00
236 lines
7.1 KiB
YAML
236 lines
7.1 KiB
YAML
---
|
|
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/app-template-4.1.2/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
|
|
apiVersion: helm.toolkit.fluxcd.io/v2
|
|
kind: HelmRelease
|
|
metadata:
|
|
name: &app code-server
|
|
namespace: *app
|
|
spec:
|
|
interval: 5m
|
|
chart:
|
|
spec:
|
|
chart: app-template
|
|
version: "4.1.2"
|
|
sourceRef:
|
|
name: bjw-s
|
|
kind: HelmRepository
|
|
namespace: flux-system
|
|
values:
|
|
controllers:
|
|
app:
|
|
type: deployment
|
|
replicas: 1
|
|
annotations: &anno
|
|
reloader.stakater.com/auto: "false"
|
|
secret.reloader.stakater.com/reload: "code-server-secrets"
|
|
pod:
|
|
labels:
|
|
tailscale.com/expose: "true"
|
|
ingress.home.arpa/jjgadgets: "allow"
|
|
ingress.home.arpa/nginx-internal: "allow"
|
|
egress.home.arpa/apiserver: "allow"
|
|
egress.home.arpa/world: "allow"
|
|
egress.home.arpa/cluster: "allow"
|
|
containers:
|
|
app:
|
|
image:
|
|
repository: "ghcr.io/coder/code-server"
|
|
tag: "4.106.2@sha256:cca5c0bbff928df75ba9344a878e4ca7a321c0d42c34b39e02722b29855a56ac"
|
|
command: ["dumb-init", "/bin/bash", "-c"]
|
|
args: ["/home/linuxbrew/.linuxbrew/sbin/sshd -p 2222 || true; /usr/bin/code-server --auth none --disable-telemetry --user-data-dir /home/coder/.vscode --extensions-dir /home/coder/.vscode --bind-addr 0.0.0.0:8080 --port 8080 /home/coder"]
|
|
env:
|
|
TZ: "${CONFIG_TZ}"
|
|
SSH_AUTH_SOCK: ""
|
|
SOPS_AGE_KEY:
|
|
valueFrom:
|
|
secretKeyRef:
|
|
name: "code-server-secrets"
|
|
key: "age.agekey"
|
|
securityContext: &sc
|
|
readOnlyRootFilesystem: true
|
|
allowPrivilegeEscalation: false
|
|
capabilities:
|
|
drop: ["ALL"]
|
|
resources:
|
|
requests:
|
|
cpu: "10m"
|
|
limits:
|
|
cpu: "1" # I previously had a code-server that would eat cores
|
|
memory: "4Gi"
|
|
probes:
|
|
liveness:
|
|
enabled: true
|
|
readiness:
|
|
enabled: true
|
|
serviceAccount:
|
|
identifier: app
|
|
service:
|
|
app:
|
|
forceRename: *app
|
|
controller: app
|
|
ports:
|
|
http:
|
|
port: 8080
|
|
hugo:
|
|
port: 1313
|
|
test:
|
|
port: 8081
|
|
ssh:
|
|
primary: false
|
|
controller: app
|
|
type: LoadBalancer
|
|
annotations:
|
|
coredns.io/hostname: "vs-ssh.${DNS_SHORT:=internal}"
|
|
io.cilium/lb-ipam-ips: "${APP_IP_CODE_SERVER_SSH:=127.0.0.1}"
|
|
tailscale.com/expose: "true"
|
|
tailscale.com/hostname: "vs-ssh"
|
|
labels:
|
|
io.cilium/l2: "true"
|
|
ports:
|
|
http:
|
|
port: 22
|
|
targetPort: 2222
|
|
protocol: TCP
|
|
ssh2:
|
|
port: 22222
|
|
ingress:
|
|
app:
|
|
className: "nginx-internal"
|
|
annotations:
|
|
nginx.ingress.kubernetes.io/whitelist-source-range: |
|
|
${IP_JJ_V4}
|
|
hosts:
|
|
- host: &host "vs.${DNS_SHORT:=internal}"
|
|
paths:
|
|
- &path
|
|
path: /
|
|
pathType: Prefix
|
|
service: &http
|
|
identifier: app
|
|
port: http
|
|
- host: &host "hugo.${DNS_SHORT:=internal}"
|
|
paths:
|
|
- <<: *path
|
|
service: &hugo
|
|
identifier: app
|
|
port: hugo
|
|
- host: &host "vs-test.${DNS_SHORT:=internal}"
|
|
paths:
|
|
- <<: *path
|
|
service: &test
|
|
identifier: app
|
|
port: test
|
|
tls:
|
|
- hosts: [*host]
|
|
# tailscale:
|
|
# className: "tailscale"
|
|
# annotations:
|
|
# tailscale.com/tags: "tag:jjgadgets-apps"
|
|
# hosts:
|
|
# - host: &host "vs.${DNS_TS:=ts.net}"
|
|
# paths:
|
|
# - <<: *path
|
|
# service: *http
|
|
# - <<: *path
|
|
# path: /hugo
|
|
# service: *http
|
|
# - <<: *path
|
|
# path: /test
|
|
# service: *http
|
|
# tls:
|
|
# - hosts: [*host]
|
|
persistence:
|
|
config:
|
|
existingClaim: "code-server-data"
|
|
globalMounts:
|
|
- subPath: "data"
|
|
path: "/home/coder"
|
|
- subPath: "ssh"
|
|
path: "/home/coder/.ssh" # override secret mount perms
|
|
- subPath: "nix-var"
|
|
path: "/nix/var"
|
|
misc: # not backed up
|
|
existingClaim: "code-server-misc"
|
|
globalMounts:
|
|
- subPath: "ignore"
|
|
path: "/home/coder/ignore"
|
|
- subPath: "brew"
|
|
path: "/home/linuxbrew"
|
|
- subPath: "nix"
|
|
path: "/nix/store"
|
|
- subPath: "cache"
|
|
path: "/home/coder/.cache"
|
|
- subPath: "mise"
|
|
path: "/home/coder/.local/share/mise"
|
|
- subPath: "go"
|
|
path: "/home/coder/go"
|
|
secrets:
|
|
type: secret
|
|
name: "code-server-secrets"
|
|
defaultMode: 0600
|
|
advancedMounts:
|
|
app:
|
|
app:
|
|
- subPath: "ssh-privkey"
|
|
path: "/home/coder/.ssh/id_rsa"
|
|
readOnly: true
|
|
- subPath: "ssh-pubkey"
|
|
path: "/home/coder/.ssh/id_rsa.pub"
|
|
readOnly: true
|
|
talos-admin:
|
|
type: secret
|
|
name: "talos"
|
|
defaultMode: 0400
|
|
advancedMounts:
|
|
app:
|
|
app:
|
|
- path: "/var/run/secrets/talos.dev"
|
|
readOnly: true
|
|
- path: "/home/coder/.talos"
|
|
readOnly: true
|
|
tmp:
|
|
type: emptyDir
|
|
medium: Memory
|
|
globalMounts:
|
|
- subPath: "tmp"
|
|
path: "/tmp"
|
|
readOnly: false
|
|
defaultPodOptions:
|
|
automountServiceAccountToken: true
|
|
enableServiceLinks: true
|
|
hostname: "${CLUSTER_NAME:=biohazard}-code-server"
|
|
hostUsers: false
|
|
securityContext:
|
|
runAsNonRoot: true
|
|
runAsUser: &uid 1000 # `coder` user
|
|
runAsGroup: *uid
|
|
fsGroup: *uid
|
|
fsGroupChangePolicy: "OnRootMismatch"
|
|
seccompProfile: { type: "RuntimeDefault" }
|
|
topologySpreadConstraints:
|
|
- maxSkew: 1
|
|
topologyKey: "kubernetes.io/hostname"
|
|
whenUnsatisfiable: "DoNotSchedule"
|
|
labelSelector:
|
|
matchLabels:
|
|
app.kubernetes.io/name: *app
|
|
affinity:
|
|
nodeAffinity:
|
|
requiredDuringSchedulingIgnoredDuringExecution:
|
|
nodeSelectorTerms:
|
|
- matchExpressions:
|
|
- key: "fuckoff.home.arpa/code-server"
|
|
operator: "DoesNotExist"
|
|
serviceAccount:
|
|
app: {}
|
|
rbac:
|
|
bindings:
|
|
app:
|
|
type: ClusterRoleBinding
|
|
roleRef:
|
|
kind: ClusterRole
|
|
name: cluster-admin
|
|
subjects:
|
|
- kind: ServiceAccount
|
|
identifier: app
|