update: initial cluster redeploy

Toboshii Nakama
2022-07-01 05:52:45 -05:00
parent 86ba9574d4
commit 1cfd9bcb63
143 changed files with 1950 additions and 5698 deletions

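--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -0,0 +1,28 @@
+fail_fast: false
+repos:
+- repo: https://github.com/adrienverge/yamllint
+rev: v1.26.3
+hooks:
+- args:
+- -c
+- .github/yamllint.config.yaml
+id: yamllint
+- repo: https://github.com/pre-commit/pre-commit-hooks
+rev: v4.0.1
+hooks:
+- id: trailing-whitespace
+- id: end-of-file-fixer
+- id: mixed-line-ending
+- repo: https://github.com/Lucas-C/pre-commit-hooks
+rev: v1.1.10
+hooks:
+- id: remove-crlf
+- id: remove-tabs
+- repo: https://github.com/sirosen/fix-smartquotes
+rev: 0.2.0
+hooks:
+- id: fix-smartquotes
+- repo: https://github.com/k8s-at-home/sops-pre-commit
+rev: v2.0.3
+hooks:
+- id: forbid-secrets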
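Review bot: Every `rev:` in this file is a tag (`v1.26.3`, `v4.0.1`, `v1.1.10`, `0.2.0`, `v2.0.3`), which the upstream repository can move; pre-commit clones and runs that code on each contributor's machine, so a retagged release would run without review. Pin each hook to the full commit hash and keep the tag as a trailing comment, e.g. `rev: <full-commit-sha>  # v2.0.3` (placeholder; take the hash from the upstream tag). This matters most for `forbid-secrets`, because it is the hook that stops an unencrypted Secret manifest from being committed.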


@@ -1,6 +1,12 @@
---
creation_rules:
- encrypted_regex: '^(data|stringData)$'
pgp: >-
CABC84E79A7718BEBFBCD3C4AD11DC94E06CCA1B,
0E883B2F1196288130061C6BA8B44BCF50372B6B
- path_regex: provision/.*\.sops\.ya?ml
unencrypted_regex: "^(kind)$"
key_groups:
- age:
- age1nfn3vxpsgm49ljgs8kxevga9makhh9aply6ddgf9wplsfuwpcv2qzmqatc
- path_regex: cluster/.*\.sops\.ya?ml
encrypted_regex: "^(data|stringData)$"
key_groups:
- age:
- age1nfn3vxpsgm49ljgs8kxevga9makhh9aply6ddgf9wplsfuwpcv2qzmqatc
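Review bot: Both new rules encrypt to a single age recipient, where the rule they replace listed two PGP fingerprints, so losing that one private key leaves every file under `provision/` and `cluster/` undecryptable. Consider adding a second recipient that is kept offline to each `- age:` list, e.g. `- <backup-age-public-key>` (placeholder). Separately, neither `path_regex` is anchored at the end, so a name such as `x.sops.yaml.bak` also matches; appending `$` would state the intent exactly. Which lines are old and which are new is inferred here from the hunk counts, since the page dropped the +/- column.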


@@ -3,5 +3,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- helm-release.yaml
- secret.yaml
- secret.sops.yaml
- netshoot.yaml


@@ -0,0 +1,28 @@
# yamllint disable
apiVersion: v1
kind: Secret
metadata:
name: ext-gateway-vpnconfig
namespace: ext-gateway
stringData:
vpnConfigfile: ENC[AES256_GCM,data:gsIU74jNgR4JRphs/BeJOiXYjxk9ILhIx3IJmsPi9pmsB052TssFcTF2VxgwaKg0XjrIMZ25UtxNy+0YF91IEFE85mPfdQIQUA4Hn0Ql6sitCGSL1BN2Jh6jlC9ddoVsxlSuFBmu9WTB6a3N4B+ewxwq8oOirSWa/treIvCtpHfnuMGbC5hU3sPEMIVeGo5Ws6I8kY24HyGjmqEGWCRpNyFw06CRJTm+mdwsyRXKSFgHOAobJr8wcVg5MpszwpB6cMskZlUo2UTpBX3PjJuKicCAh7v69Ta0hiZSKcYCajhR4c3Ij0zQw9+lbugS3oq+1DIN2GnAYh7cZJ5oKZJN/NmavZzTu89Ie84MTjeWrW9/bQPWjPC8bB9W/F0LqRGsqvsDoYGcAvlV4sl2uvuw1ngfqiexPP7cB2PboO3PyyIt,iv:BeuAVcIhYU65wuC+zXuhveEaGbmP92xfyjyun5pW+7s=,tag:v/lrrmzWX+wxD6/LEqnPDA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1nfn3vxpsgm49ljgs8kxevga9makhh9aply6ddgf9wplsfuwpcv2qzmqatc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPWXd2VnRGNFRJRWlZUTg0
T1NzL0hiRW80SzEzUkFLNUtUd0MxcFBWMGw0CitnQW5QUmpsZ3ZyV0NCQyszTFBx
YysyNTZnNWJFTkphUGxadUQ0WmFZSG8KLS0tIFBOZi8va2ZlVDljWWlBYnFrNDlG
eTVQNUIrNm1TT0p1SFFSZTQwQWhsbFEKnMTwxp2SU5RUTFFDfzGomJbKKpAw8ZzQ
43/W1ZjvSCrLqkqWGPOhQfo3gM6v9cwYgkXS5qopcNrsEWRGWLGtpA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2021-06-05T00:28:20Z"
mac: ENC[AES256_GCM,data:1ulxBabn+jEMHNqxJN67/8com+5PXrSm45kYOQZQUXISL6QNN5cWXyzjIX18jzceseYB6H4dNd5O+dyvZx1/TJHKH0dVbweMkF8/k2g/YUHHjlcNCbzq/ZgDVu0sc4wOSyGAakfVOHWtNWFjLWkxe67jpQZ7KN9zHSdQnDKdmVs=,iv:MI+XGkRFqW/t2bXRpN/isC2XeWW15vBpopQ1QDNOtkY=,tag:/hXBBErzHQAuL4XSP/hFqg==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.1
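Review bot: The `vpnConfigfile` ciphertext with its `iv` and `tag`, the `mac`, and `lastmodified: "2021-06-05T00:28:20Z"` are identical to the PGP-encrypted file this commit deletes, so only the key wrapping changed and the data key is still the one wrapped to the two PGP fingerprints in git history. Anyone holding either old PGP private key can therefore still decrypt this value. If the move to age is meant to retire those keys, run `sops --rotate --in-place` on the file and reissue the underlying credential, since rotating the data key alone does not protect a value that history already exposes to the old keys. The same holds for the other re-wrapped secrets on this page: `discord-webhook-url`, `github-token`, `github-webhook-token`, `mailu-vpnconfig` and `uptimerobot-heartbeat-url`.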


@@ -1,59 +0,0 @@
# yamllint disable
apiVersion: v1
kind: Secret
metadata:
name: ext-gateway-vpnconfig
namespace: ext-gateway
stringData:
vpnConfigfile: ENC[AES256_GCM,data:gsIU74jNgR4JRphs/BeJOiXYjxk9ILhIx3IJmsPi9pmsB052TssFcTF2VxgwaKg0XjrIMZ25UtxNy+0YF91IEFE85mPfdQIQUA4Hn0Ql6sitCGSL1BN2Jh6jlC9ddoVsxlSuFBmu9WTB6a3N4B+ewxwq8oOirSWa/treIvCtpHfnuMGbC5hU3sPEMIVeGo5Ws6I8kY24HyGjmqEGWCRpNyFw06CRJTm+mdwsyRXKSFgHOAobJr8wcVg5MpszwpB6cMskZlUo2UTpBX3PjJuKicCAh7v69Ta0hiZSKcYCajhR4c3Ij0zQw9+lbugS3oq+1DIN2GnAYh7cZJ5oKZJN/NmavZzTu89Ie84MTjeWrW9/bQPWjPC8bB9W/F0LqRGsqvsDoYGcAvlV4sl2uvuw1ngfqiexPP7cB2PboO3PyyIt,iv:BeuAVcIhYU65wuC+zXuhveEaGbmP92xfyjyun5pW+7s=,tag:v/lrrmzWX+wxD6/LEqnPDA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2021-06-05T00:28:20Z"
mac: ENC[AES256_GCM,data:1ulxBabn+jEMHNqxJN67/8com+5PXrSm45kYOQZQUXISL6QNN5cWXyzjIX18jzceseYB6H4dNd5O+dyvZx1/TJHKH0dVbweMkF8/k2g/YUHHjlcNCbzq/ZgDVu0sc4wOSyGAakfVOHWtNWFjLWkxe67jpQZ7KN9zHSdQnDKdmVs=,iv:MI+XGkRFqW/t2bXRpN/isC2XeWW15vBpopQ1QDNOtkY=,tag:/hXBBErzHQAuL4XSP/hFqg==,type:str]
pgp:
- created_at: "2021-05-23T04:25:25Z"
enc: |
-----BEGIN PGP MESSAGE-----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=
=3ulM
-----END PGP MESSAGE-----
fp: CABC84E79A7718BEBFBCD3C4AD11DC94E06CCA1B
- created_at: "2021-05-23T04:25:25Z"
enc: |
-----BEGIN PGP MESSAGE-----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=
=c0ve
-----END PGP MESSAGE-----
fp: 0E883B2F1196288130061C6BA8B44BCF50372B6B
encrypted_regex: ^(data|stringData)$
version: 3.7.1


@@ -1,5 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- secret.enc.yaml
- secret.sops.yaml
- notification.yaml


@@ -1,59 +0,0 @@
# yamllint disable
apiVersion: v1
kind: Secret
metadata:
name: discord-webhook-url
namespace: flux-system
stringData:
address: ENC[AES256_GCM,data:M6wToVAFMlFXKzIedBjSUms6q7dU/5yOOwtaBe9s37hn+v71ssWIj0hQ/2WdBDskniyDPbJRcRJkalB2XyiryFc5xUJYS/YM6y1/l5jaRmc4FrLRaT9Q4ZWUk44Cvd+kQNRP90W+Yei7zfalHKZRsutpdLndCiJC,iv:Nr5s9qwfkXI+Khkb6wDIcdCWsE0qw1xSzyLdrg3zkMw=,tag:9aPFafkKEw34u38rjfqb/A==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2021-05-13T08:22:46Z"
mac: ENC[AES256_GCM,data:F2vwsbM8GZJK2J0MFJbnHNLEi68sqTSNb2r3m/V66b123R87h+6JbxGqzYvhqAQydCODHGWRFO9wei4vR3934l9z9Q2Tfk+IE60u2bMOt4LgyM+JjBwFvYb5VffwrZwu48qua2snEDEGtkyMqrjcLyDx0YdMbzkZrTFp1cn2vj4=,iv:MHunMu8x/nm4ZXc8zaAcy5WWFRmDLoiE88i0k9O6Y2k=,tag:bnqP0uSHl2KhqHnNKpnQ7Q==,type:str]
pgp:
- created_at: "2021-05-13T06:16:13Z"
enc: |
-----BEGIN PGP MESSAGE-----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=
=YLf0
-----END PGP MESSAGE-----
fp: CABC84E79A7718BEBFBCD3C4AD11DC94E06CCA1B
- created_at: "2021-05-13T06:16:13Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQIMAySEZvKqXwiCAQ/+Id7QlunUUgM+yCOlAGTsu7PfFIJNCvI4v5b7N0hbpDkp
KAnDQPtsUPPIkqX8JnBa+k2fDqf+Al+303x0z4UJqTxdTBdiL5nLW015hCbi7ZhA
kLflRQxt9Xb9No/3H5wTuNIa2edH5pTkZFoo9o7VBznbMi1vwy6MueaYGuFX/r4M
FznlU6P+/BUx/+Vo9h7THgzoeKYapaZipzz5fjhitN4dp5l04tao9vKZqhkl7Bw8
9Au51r87BFzrPC+cU6m95tlkyuy51o8NgpMYB9ceJTa0FEalyYgfEdfYQavlYGjb
XuPQLi9szW1gK5f9J/iy036vfO2oKk1hBjlh42RrAAc5eidgIAcJ7NRZDdwMVWw2
uWYttaQRfaRW1xs4r6ejEhqKIaTnGUM0rEk7OSGS98r0qoHYv2XWVIO2Pvp8dNwv
HGRs4pKYsfw/Qhji4ptoc4kzuZhjhCVrdne2kGhi9jxCUs8tQr3oXc1FNQGOwAFD
pAt846a7447O+XUrjOv5jDzzl8McrrnrEB3rniiRcT4uY7AyFMGQyJyJq7fTh3aj
L5FnhnRFnvqozbMo/KwVDdk8E04CrjIqiFIbMFiFjrPKfYhvz3EztI0tV2yexr7L
fj9hfRuEsRzNc5Gyl3tPLaadnQWt5/3ZQwxp2mhqHhRTs06OOQTZS00CiCy4Ds7S
XgGxpk4z37+Abr5iWqSja91/uCz0KbyndEBJSkpDLRXhlhPWpPODlk0qZ2DXGwN3
QVtEhWR5lMreqSoZ4kSuqlrTxJfV9Ya6jQQBJsDQrpQlJ9ATWpDdhwZY3zCwaSQ=
=XtmZ
-----END PGP MESSAGE-----
fp: 0E883B2F1196288130061C6BA8B44BCF50372B6B
encrypted_regex: ^(data|stringData)$
version: 3.7.1


@@ -0,0 +1,28 @@
# yamllint disable
apiVersion: v1
kind: Secret
metadata:
name: discord-webhook-url
namespace: flux-system
stringData:
address: ENC[AES256_GCM,data:M6wToVAFMlFXKzIedBjSUms6q7dU/5yOOwtaBe9s37hn+v71ssWIj0hQ/2WdBDskniyDPbJRcRJkalB2XyiryFc5xUJYS/YM6y1/l5jaRmc4FrLRaT9Q4ZWUk44Cvd+kQNRP90W+Yei7zfalHKZRsutpdLndCiJC,iv:Nr5s9qwfkXI+Khkb6wDIcdCWsE0qw1xSzyLdrg3zkMw=,tag:9aPFafkKEw34u38rjfqb/A==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1nfn3vxpsgm49ljgs8kxevga9makhh9aply6ddgf9wplsfuwpcv2qzmqatc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0N0hTaTBNdDhZRlpnRko5
SkZHUnVpM3UyQm9vOUdpalpzTzJ0aVFOVkRrClNZWkdBNVpweXBoOEtLZSs3VVRr
QWxLUVY3K0VUVlZDRS9oTmNDNEEwaGsKLS0tICtFZHpkb3Z0WlI5bmU3SDJhTDd2
VXpQVHFMWEh2U3R2ak9hL2MrNnB6S2cKyh+bnBU/8EwjFqrKLjOfhI60IkLla5rG
a6kvDHyL57+lf9F/B/UOOPCKVRw0gyFUfGv6gwlFpjjVl8DizvPawQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2021-05-13T08:22:46Z"
mac: ENC[AES256_GCM,data:F2vwsbM8GZJK2J0MFJbnHNLEi68sqTSNb2r3m/V66b123R87h+6JbxGqzYvhqAQydCODHGWRFO9wei4vR3934l9z9Q2Tfk+IE60u2bMOt4LgyM+JjBwFvYb5VffwrZwu48qua2snEDEGtkyMqrjcLyDx0YdMbzkZrTFp1cn2vj4=,iv:MHunMu8x/nm4ZXc8zaAcy5WWFRmDLoiE88i0k9O6Y2k=,tag:bnqP0uSHl2KhqHnNKpnQ7Q==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.1


@@ -2,4 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- notification.yaml
- secret.enc.yaml
- secret.sops.yaml


@@ -1,59 +0,0 @@
# yamllint disable
apiVersion: v1
kind: Secret
metadata:
name: github-token
namespace: flux-system
stringData:
token: ENC[AES256_GCM,data:oBrTsOP6dY3v9KgIXGRqgQEnq2Xme+T1dbXlrR32yNP/H9aixZZUdQ==,iv:hT5s0OcfOiSIPOVX8LQM2bCOgKT/TZ+66kG4YPQGFe4=,tag:bZ9ZCVMmP+NCEcfiCm6XLA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2021-05-13T08:05:42Z"
mac: ENC[AES256_GCM,data:IvEucy+WKU9oUn4lxgGOZ7OfM6cuQ+Ta+Ikbltpbm4dxX6TOjoREYRGCxHiMvEnsHsn9QZQO+amKteqamC/161AtrCED+hkDLUa6wctOMZbKbwTkPcJ3DRMFw9J6AnsDc0pHd3dlelPL41by1PYXZUl8jyqxOBfoMTBREOQtISs=,iv:DccbIC4U+hWvX5f4pNS+CycK9bVQCgU9dZCZskLFgaM=,tag:XX6SkLCLpaycX79EqQU2vg==,type:str]
pgp:
- created_at: "2021-05-13T07:57:32Z"
enc: |
-----BEGIN PGP MESSAGE-----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=
=/gYw
-----END PGP MESSAGE-----
fp: CABC84E79A7718BEBFBCD3C4AD11DC94E06CCA1B
- created_at: "2021-05-13T07:57:32Z"
enc: |
-----BEGIN PGP MESSAGE-----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=
=SLdP
-----END PGP MESSAGE-----
fp: 0E883B2F1196288130061C6BA8B44BCF50372B6B
encrypted_regex: ^(data|stringData)$
version: 3.7.1


@@ -0,0 +1,28 @@
# yamllint disable
apiVersion: v1
kind: Secret
metadata:
name: github-token
namespace: flux-system
stringData:
token: ENC[AES256_GCM,data:oBrTsOP6dY3v9KgIXGRqgQEnq2Xme+T1dbXlrR32yNP/H9aixZZUdQ==,iv:hT5s0OcfOiSIPOVX8LQM2bCOgKT/TZ+66kG4YPQGFe4=,tag:bZ9ZCVMmP+NCEcfiCm6XLA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1nfn3vxpsgm49ljgs8kxevga9makhh9aply6ddgf9wplsfuwpcv2qzmqatc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTQjVvUHNGRHhRUGxPcTMx
Q1ZuV2RwVWxNa2tENmtmbnRyZmtSS2pzU1c4Cm5oQVh2NXJVQkZqZ09WaGlrQ2F6
VHUrZ1ZOaUJQWEJheUdwd1FYSVQ1aW8KLS0tIEI4MFFYdFBQaHAyUElhRnhFUU9w
MzZSbDlHR0VkU3A1K2xoemJLVGlqcG8KuwpNRILxBupANyaIU2veLpR/mO+b9Wlw
guVoSZK1PTUHbvGernnoI0vY2FXtgldAXV/VEfQASRYJBHhekqV8/Q==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2021-05-13T08:05:42Z"
mac: ENC[AES256_GCM,data:IvEucy+WKU9oUn4lxgGOZ7OfM6cuQ+Ta+Ikbltpbm4dxX6TOjoREYRGCxHiMvEnsHsn9QZQO+amKteqamC/161AtrCED+hkDLUa6wctOMZbKbwTkPcJ3DRMFw9J6AnsDc0pHd3dlelPL41by1PYXZUl8jyqxOBfoMTBREOQtISs=,iv:DccbIC4U+hWvX5f4pNS+CycK9bVQCgU9dZCZskLFgaM=,tag:XX6SkLCLpaycX79EqQU2vg==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.1


@@ -1,6 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- secret.enc.yaml
- secret.sops.yaml
- ingress.yaml
- receiver.yaml


@@ -1,59 +0,0 @@
# yamllint disable
apiVersion: v1
kind: Secret
metadata:
name: github-webhook-token
namespace: flux-system
stringData:
token: ENC[AES256_GCM,data:hU5SWjRRxnyV2iw+qBU+era0uQwogOvMgtjYiQOm8JRC31xDwCvyCQ==,iv:8gd3N6bcJpjaZ7XHMShhl5YdjWC0Ix3pbC02BGUC5Fo=,tag:qlM3fXu9BUTexWnqLuWgWg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2021-05-13T08:06:04Z"
mac: ENC[AES256_GCM,data:ByfQs8DDN/PoLYyjh+IvkrxFx0EmdnMYNNlOqimJIKBNL7J3p6PVyebI4yCBZonJNF0pJp6d8syB7okhWmYme48jS9PBdPjahCW14icKq8jGpJafB2q64FTXuvYkaCvo40JPtL7eaHFZ1Jy0M4wAFNO/Ll+mWxekD7u43ASHdU4=,iv:twr7r1v5NlqK0GFf987J6iNt+g4UDNz5TZEu399jZqI=,tag:fNhNvmC1RyQtbWzNx0beSQ==,type:str]
pgp:
- created_at: "2021-05-13T06:19:22Z"
enc: |
-----BEGIN PGP MESSAGE-----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=RtsT
-----END PGP MESSAGE-----
fp: CABC84E79A7718BEBFBCD3C4AD11DC94E06CCA1B
- created_at: "2021-05-13T06:19:22Z"
enc: |
-----BEGIN PGP MESSAGE-----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=UvVU
-----END PGP MESSAGE-----
fp: 0E883B2F1196288130061C6BA8B44BCF50372B6B
encrypted_regex: ^(data|stringData)$
version: 3.7.1


@@ -0,0 +1,28 @@
# yamllint disable
apiVersion: v1
kind: Secret
metadata:
name: github-webhook-token
namespace: flux-system
stringData:
token: ENC[AES256_GCM,data:hU5SWjRRxnyV2iw+qBU+era0uQwogOvMgtjYiQOm8JRC31xDwCvyCQ==,iv:8gd3N6bcJpjaZ7XHMShhl5YdjWC0Ix3pbC02BGUC5Fo=,tag:qlM3fXu9BUTexWnqLuWgWg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1nfn3vxpsgm49ljgs8kxevga9makhh9aply6ddgf9wplsfuwpcv2qzmqatc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMd09CYzVmU0VpbjF1ZEow
ckdGU2tXNGhmQm5UemdoVDk4Mmo1NTc2N0JzCkJYZ0plZ3Y2M1Uya0Zua0hGYWpO
RFdkMWpiTWNFcWo0K1M0eWgvUVZwTTQKLS0tIFVOTnBSVC9LMW8rV1R2OHJodEhv
VU42OGFyQkRRM0lhKzA2WC9lbGNOTXMKZ7tslckDP8/5fdTXNYiTfo6n1Yjbi5yM
mIYtc/JZbpyrZnHd/fthEm6oF2VHOCVGXl+MeXWkleCAL9NhWDNPxw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2021-05-13T08:06:04Z"
mac: ENC[AES256_GCM,data:ByfQs8DDN/PoLYyjh+IvkrxFx0EmdnMYNNlOqimJIKBNL7J3p6PVyebI4yCBZonJNF0pJp6d8syB7okhWmYme48jS9PBdPjahCW14icKq8jGpJafB2q64FTXuvYkaCvo40JPtL7eaHFZ1Jy0M4wAFNO/Ll+mWxekD7u43ASHdU4=,iv:twr7r1v5NlqK0GFf987J6iNt+g4UDNz5TZEu399jZqI=,tag:fNhNvmC1RyQtbWzNx0beSQ==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.1


@@ -5,12 +5,12 @@ metadata:
name: cert-manager
namespace: cert-manager
spec:
interval: 5m
interval: 15m
chart:
spec:
# renovate: registryUrl=https://charts.jetstack.io/
chart: cert-manager
version: v1.5.4
version: v1.8.2
sourceRef:
kind: HelmRepository
name: jetstack-charts
@@ -20,7 +20,7 @@ spec:
webhook:
enabled: true
extraArgs:
- --dns01-recursive-nameservers=1.1.1.1:53
- --dns01-recursive-nameservers=1.1.1.1:53,9.9.9.9:53
- --dns01-recursive-nameservers-only
cainjector:
replicaCount: 1
@@ -28,4 +28,9 @@ spec:
podDnsConfig:
nameservers:
- "1.1.1.1"
- "8.8.8.8"
- "9.9.9.9"
prometheus:
enabled: true
servicemonitor:
enabled: true
prometheusInstance: monitoring


@@ -2,4 +2,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ingress.yaml
- prometheus-rule.yaml
- helm-release.yaml


@@ -0,0 +1,68 @@
---
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
name: cert-manager.rules
namespace: kube-system
spec:
groups:
- name: cert-manager
rules:
- alert: CertManagerAbsent
expr: |
absent(up{job="cert-manager"})
for: 15m
labels:
severity: critical
annotations:
description:
"New certificates will not be able to be minted, and existing
ones can't be renewed until cert-manager is back."
runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagerabsent
summary: "Cert Manager has dissapeared from Prometheus service discovery."
- name: certificates
rules:
- alert: CertManagerCertExpirySoon
expr: |
avg by (exported_namespace, namespace, name) (
certmanager_certificate_expiration_timestamp_seconds - time())
< (21 * 24 * 3600)
for: 15m
labels:
severity: warning
annotations:
description:
"The domain that this cert covers will be unavailable after
{{ $value | humanizeDuration }}. Clients using endpoints that this cert
protects will start to fail in {{ $value | humanizeDuration }}."
runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagercertexpirysoon
summary:
"The cert {{ $labels.name }} is {{ $value | humanizeDuration }}
from expiry, it should have renewed over a week ago."
- alert: CertManagerCertNotReady
expr: |
max by (name, exported_namespace, namespace, condition) (
certmanager_certificate_ready_status{condition!="True"} == 1)
for: 15m
labels:
severity: critical
annotations:
description:
"This certificate has not been ready to serve traffic for at least
10m. If the cert is being renewed or there is another valid cert, the ingress
controller _may_ be able to serve that instead."
runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagercertnotready
summary: "The cert {{ $labels.name }} is not ready to serve traffic."
- alert: CertManagerHittingRateLimits
expr: |
sum by (host) (rate(certmanager_http_acme_client_request_count{status="429"}[5m]))
> 0
for: 15m
labels:
severity: critical
annotations:
description:
"Depending on the rate limit, cert-manager may be unable to generate
certificates for up to a week."
runbook_url: https://gitlab.com/uneeq-oss/cert-manager-mixin/-/blob/master/RUNBOOK.md#certmanagerhittingratelimits
summary: "Cert manager hitting LetsEncrypt rate limits."
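Review bot: The `CertManagerCertNotReady` description says the certificate has not been ready "for at least 10m", but the rule only fires after `for: 15m`, so the alert text understates how long the condition has held; change the text to `15m` or the rule to `for: 10m`. The `CertManagerAbsent` summary also misspells "disappeared" as `dissapeared`. The rule has no `metadata.labels`; if the Prometheus instance selects rules by label (not visible here), it would be ignored without any error, so confirm it is actually loaded.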


@@ -4,18 +4,32 @@ kind: HelmRelease
metadata:
name: cilium
namespace: kube-system
annotations:
meta.helm.sh/release-name: cilium
meta.helm.sh/release-namespace: kube-system
labels:
app.kubernetes.io/managed-by: Helm
spec:
interval: 5m
chart:
spec:
# renovate: registryUrl=https://helm.cilium.io
chart: cilium
version: 1.10.5
version: 1.11.6
sourceRef:
kind: HelmRepository
name: cilium-charts
namespace: flux-system
interval: 5m
install:
createNamespace: true
remediation:
retries: 3
upgrade:
remediation:
retries: 3
remediateLastFailure: true
cleanupOnFail: true
values:
cluster:
name: "${CLUSTER_NAME}"
@@ -59,14 +73,16 @@ spec:
rollOutPods: true
ingress:
enabled: true
ingressClassName: "nginx"
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
traefik.ingress.kubernetes.io/router.middlewares: "networking-rfc1918@kubernetescrd"
hajimari.io/enable: "true"
hajimari.io/appName: hubble
hajimari.io/icon: lan
hosts:
- "hubble.${SECRET_DOMAIN}"
- &host "hubble.${SECRET_DOMAIN}"
tls:
- hosts:
- "hubble.${SECRET_DOMAIN}"
- *host
bgp:
enabled: true
announce:
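Review bot: The Hubble ingress in the second hunk appears to lose its source restriction: going by the hunk counts, the two `traefik.ingress.kubernetes.io/*` annotations are the removed lines, including `router.middlewares: "networking-rfc1918@kubernetescrd"`, and the new `ingressClassName: "nginx"` side adds only `hajimari.io/*` annotations. The middleware name suggests it limited access to private address ranges, and Hubble UI has no login of its own, so anyone who can reach the nginx controller could view cluster flow data. If that restriction was intended, carry it over with `nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"` under `annotations:`. The enclosing `values:` block continues outside the hunk.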


@@ -1,29 +0,0 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: kube-cleanup-operator
namespace: kube-system
spec:
interval: 5m
chart:
spec:
# renovate: registryUrl=https://charts.lwolf.org
chart: kube-cleanup-operator
version: 1.0.1
sourceRef:
kind: HelmRepository
name: lwolf-charts
namespace: flux-system
interval: 5m
values:
rbac:
create: true
global: true
args:
- --delete-failed-after=60m
- --delete-successful-after=0
- --delete-pending-pods-after=0
- --delete-evicted-pods-after=0
- --delete-orphaned-pods-after=0
- --legacy-mode=false


@@ -1,35 +0,0 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: kured
namespace: kube-system
spec:
interval: 5m
chart:
spec:
# renovate: registryUrl=https://weaveworks.github.io/kured
chart: kured
version: 2.10.0
sourceRef:
kind: HelmRepository
name: weaveworks-kured-charts
namespace: flux-system
interval: 5m
values:
updateStrategy: RollingUpdate
extraEnvVars:
- name: slackHookUrl
valueFrom:
secretKeyRef:
name: kured-discord-secret
key: webhook
configuration:
startTime: "3:00"
endTime: "6:00"
timeZone: "America/Chicago"
tolerations:
- operator: "Exists"
effect: "NoSchedule"
metrics:
create: true


@@ -1,6 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- secret.enc.yaml
- helm-release.yaml
- prometheus-rule.yaml


@@ -1,29 +0,0 @@
---
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
labels:
prometheus: k8s
role: alert-rules
name: kured-rules
namespace: kube-system
spec:
groups:
- name: kured.rules
rules:
- alert: RebootRequired
annotations:
description: Node(s) require a manual reboot
summary: Reboot daemon has failed to do so for 24 hours
expr: max(kured_reboot_required) != 0
for: 24h
labels:
severity: warning
- alert: RebootScheduled
annotations:
description: Node Reboot Scheduled
summary: Node {{$labels.node}} has been scheduled to reboot
expr: kured_reboot_required > 0
for: 5m
labels:
severity: warning


@@ -1,59 +0,0 @@
# yamllint disable
apiVersion: v1
kind: Secret
metadata:
name: kured-discord-secret
namespace: kube-system
stringData:
webhook: ENC[AES256_GCM,data:fCxlfMDvUsd1/yNbNTXFL7XovFhLx0nJ4nLYj6axVtUYiqVqDKKpnTrl/RzKotfqnIFPDi6kjgk0mYloMvDB1baHp5U4U25PGqK13EWxEW4Rv4NvqCLeK6jorRuMcBVA+ev/K5wVBTUHeVWB1otT9KrdCLgWzpowODmkbZe2nShXIuV1nw==,iv:bF5gQop7VlhSYB5Rp/ABp3xdQoCb/DYQRrsEbtZBdlI=,tag:PhPC8udFrSARz1R5FS+txQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2021-05-16T03:12:40Z"
mac: ENC[AES256_GCM,data:vxP4H3m2q3Bxr6mf7KVU9iWx/49whZ9eYapFI0MrvjuNltSTKPGNlhqvtxuwq0Vu51/+LhO4F6m9JKkIRrWUbKKnYPXCV30MSUyZbPGLdG/9nq5n5wbwNnKOy39mM6d+KlcFKUgIAcp/pZMGiMiobGkiML60fAiysWMyS9Hji68=,iv:7PyP0N9YsxYC9Zp6FO4q6ay0twOsmkK+NwtsgjOB1p4=,tag:CvwHS7CAVG5E7KLxZPWs/w==,type:str]
pgp:
- created_at: "2021-05-16T03:12:39Z"
enc: |
-----BEGIN PGP MESSAGE-----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=yz9z
-----END PGP MESSAGE-----
fp: CABC84E79A7718BEBFBCD3C4AD11DC94E06CCA1B
- created_at: "2021-05-16T03:12:39Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQIMAySEZvKqXwiCAQ/9HbYit+0Wc9O8I9PkJRxDuOhmvMoXrbWhO1VDOWmJK4fr
IEqP3zxsqOQ8fhxtfDAuhOzK6aV94cx9ZkzDafdjez6wk0wMBDPlVDv6zCS98yPi
9AQF/psRUTC+LPx2EqsNnwSMD9lHublHRdoiSmcaeWnm1qEEeokAbyObD1n5V+C9
U5PVhY1rcqqewHRc5s6vXy6AyTP838+hoBwPWyqrp3AdFwOYsDXzOa+5fsGfXtbZ
+aNMNzhR47y2+qbbzCpsF3qNjM7eWQiNIm40/Ue/5lC5wEAzAbz4SIJkcqIxNNvu
MaPiXYaxHRs2CWGlGEikPp+uxHT4jkhMVdyJTlC3KfKhKR2ozWzyIQML5GdcX/0Z
b5QXHYGM4V1rv6VuW5/W+T12KSyAgvT1FdN6TwPdVwAWkDUJzQgFxaShR3r0AW5L
EoVdLRq+zBq96USBrybTDO8C3gZ2LA82KdmO5vT7JDDhrBdIyLqdEvcCazRwWyV6
DJPS7ZNPhwt+8RgQrWCd2a98KXdPHvzoi1R+n49OngzK3Pdl6yQbzoNqRO10/kPW
0Y1f1Bbvca1gh1YpVQc48+c9RPfwxIs4NGqYjh8ayTlM8Cp1X7dy+RhnWWNpvWon
yPoRvIwgmfjHN54Y5Qe7DKT7r1W4CoDcJ9bSAdQthLFQcIN77UOvRiV1oGtIy+nS
XAFaC4A/lpALvgeKwK5xuTYWWvN241irVOOTfbIdXZcccffWTuV0iGpViIizbAJt
4ZERscb6OuS/HpoO49pBYtIdyd9sNzjf42MP9MmKcta/iMrrVqJsvchWcCxq
=BTAL
-----END PGP MESSAGE-----
fp: 0E883B2F1196288130061C6BA8B44BCF50372B6B
encrypted_regex: ^(data|stringData)$
version: 3.7.1


@@ -2,13 +2,11 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- cilium
- descheduler
- intel-gpu-plugin
- kube-cleanup-operator
# - kured
- metrics-server
- node-feature-discovery
- node-problem-detector
# - nvidia-device-plugin
- reloader
- namespace.yaml
- cert-manager
- cilium
- descheduler
- intel-gpu-plugin
- metrics-server
- node-feature-discovery
- reloader


@@ -5,19 +5,30 @@ metadata:
name: metrics-server
namespace: kube-system
spec:
interval: 5m
interval: 15m
chart:
spec:
# renovate: registryUrl=https://charts.bitnami.com/bitnami
chart: metrics-server
version: 5.10.11
version: 3.8.2
sourceRef:
kind: HelmRepository
name: bitnami-charts
name: metrics-server-charts
namespace: flux-system
interval: 15m
install:
createNamespace: true
remediation:
retries: 5
upgrade:
remediation:
retries: 5
values:
apiService:
create: true
extraArgs:
kubelet-insecure-tls: true
kubelet-preferred-address-types: InternalIP,ExternalIP,Hostname
args:
- --kubelet-insecure-tls
- --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname
- --kubelet-use-node-status-port
- --metric-resolution=15s
metrics:
enabled: true
serviceMonitor:
enabled: true
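Review bot: `--kubelet-insecure-tls` in the new `args:` list stops metrics-server from verifying kubelet serving certificates, so it cannot tell a real node from anything else answering on that address; the chart switch carries over the old `kubelet-insecure-tls: true` instead of removing it. The durable fix is to have kubelets serve CA-signed certificates (`serverTLSBootstrap: true` in the kubelet configuration, then approve the kubelet-serving CSRs) and drop the flag. If it has to stay for now, mark it in the manifest, e.g. `# TODO: remove once kubelets serve cluster-CA-signed certs`.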


@@ -1,41 +0,0 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: node-problem-detector
namespace: kube-system
spec:
interval: 5m
chart:
spec:
# renovate: registryUrl=https://charts.deliveryhero.io/
chart: node-problem-detector
version: 2.0.9
sourceRef:
kind: HelmRepository
name: deliveryhero-charts
namespace: flux-system
interval: 5m
values:
image:
repository: k8s.gcr.io/node-problem-detector/node-problem-detector
tag: v0.8.10
metrics:
serviceMonitor:
enabled: true
postRenderers:
- kustomize:
patchesJson6902:
- target:
kind: DaemonSet
name: node-problem-detector
patch:
- op: replace
path: /spec/template/spec/containers/0/volumeMounts
value:
- name: log
readOnly: true
mountPath: /var/log/
- name: custom-config
readOnly: true
mountPath: /custom-config


@@ -1,27 +0,0 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: nvidia-device-plugin
namespace: kube-system
spec:
interval: 5m
chart:
spec:
# renovate: registryUrl=https://nvidia.github.io/k8s-device-plugin
chart: nvidia-device-plugin
version: 0.9.0
sourceRef:
kind: HelmRepository
name: nvidia-charts
namespace: flux-system
interval: 5m
values:
image:
repository: nvcr.io/nvidia/k8s-device-plugin
tag: v0.9.0
nodeSelector:
feature.node.kubernetes.io/pci-0300_10de.present: "true"
tolerations:
- key: nvidia.com/gpu
operator: Exists


@@ -2,16 +2,18 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- backup-system
- downloads
- ext-gateway
# - falco-system
- flux-system
- home
- kube-system
- mail
- media
- monitoring
- networking
- security
- vpn-gateway
- kube-system
- networking
# - flux-system
# - home
# - backup-system
# - downloads
# - ext-gateway
# - falco-system
# - kube-system
# - mail
# - media
# - monitoring
# - networking
# - security
# - vpn-gateway


@@ -4,4 +4,4 @@ kind: Kustomization
resources:
- data-pvc.yaml
- helm-release.yaml
- secret.yaml
- secret.sops.yaml


@@ -0,0 +1,28 @@
# yamllint disable
apiVersion: v1
kind: Secret
metadata:
name: mailu-vpnconfig
namespace: mail
stringData:
vpnConfigfile: ENC[AES256_GCM,data:R59Efd7kY7Hxn/Jd9nDZJ4Qo1AWWVule5i1HFUIrehyBnEZZWeI9AMlcp1dS5Zn4x9oN4rDNLrRnB8feD4pWRGPMeuksuX4knamwAkF0SLb9uw9rFY9tPx6J5YjoGVsaNC2jGiLSRt8Lwi6SLRNgbxM54kbD5gEJIGkHQy4TiipkRHSviWWP8G6i8JjSSxLQjku8mbzUIygoGpTRWHSiOga4uTYZp0NXbfzYPFYzSl0b/VvbgJdaIhNQSBct2wy8TUSbX8N8XxBrb9SL/blw12DAVEbRSJyBioMxfYm7WtXweu+o7azb/OxGw2n7Etgf3YH/AGgeSzmiw3BA1gUBzV3KWcMrDOk0Yb1NsUJwJhABjwxeCYTwT1mQ8jebbaupVNv5WTv/+ZfcaiM=,iv:L984T15Xvgin9/+f7dqb8DrSGFANn0pXeWtYYrbpPaA=,tag:Djr6ZxIqHy01iBOMQnZrwQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1nfn3vxpsgm49ljgs8kxevga9makhh9aply6ddgf9wplsfuwpcv2qzmqatc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDMmJJZ1N4OUxlWm1TcHBl
alJRaWkzcVVIci9oanpMYmY5NTMzRGRDa1drCjZDbWtkR0d4cVZUaEtjNXp6M1J3
TGE0RW9BdXhwQW14dEw2dVNSaXBwTlkKLS0tIEhPVHgybVlOdSsvenFFS1NZNWVB
MXFZVUJ4c1F4TkM5V3Q4QVM5YXdUR2sK5pRgLx+4I0lY3CyyPw9oHpBbg+v/aNHa
ZyLrBu8SIchYKoWMW9ybgxqW7ANjE7xI/dPK2O3xYaXenjPp+XhEqw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2021-06-03T15:09:58Z"
mac: ENC[AES256_GCM,data:e/u4pZX4vmWquDezPASHc0FtA4Tk4G+lBRRsQ+fOSt9t+Z17ZxOoywwtNWkY3eWcPkFidDZ8Ya2PPh3V8Cqj8Cbj+RfQ4JvbW/7wKMcHURexpDCjxsFYdrc1r/fkBSqpdbhJVcq1PIA67XDsnIei0FA1h+v58IF50sqHwg3gfNw=,iv:gjHLmdyFeztWv+9ODRfv/uTR7KxutCPGhKhJ80jFdwk=,tag:w3q+TjLpGlPhR8yBPxKABQ==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.1


@@ -1,59 +0,0 @@
# yamllint disable
apiVersion: v1
kind: Secret
metadata:
name: mailu-vpnconfig
namespace: mail
stringData:
vpnConfigfile: ENC[AES256_GCM,data:R59Efd7kY7Hxn/Jd9nDZJ4Qo1AWWVule5i1HFUIrehyBnEZZWeI9AMlcp1dS5Zn4x9oN4rDNLrRnB8feD4pWRGPMeuksuX4knamwAkF0SLb9uw9rFY9tPx6J5YjoGVsaNC2jGiLSRt8Lwi6SLRNgbxM54kbD5gEJIGkHQy4TiipkRHSviWWP8G6i8JjSSxLQjku8mbzUIygoGpTRWHSiOga4uTYZp0NXbfzYPFYzSl0b/VvbgJdaIhNQSBct2wy8TUSbX8N8XxBrb9SL/blw12DAVEbRSJyBioMxfYm7WtXweu+o7azb/OxGw2n7Etgf3YH/AGgeSzmiw3BA1gUBzV3KWcMrDOk0Yb1NsUJwJhABjwxeCYTwT1mQ8jebbaupVNv5WTv/+ZfcaiM=,iv:L984T15Xvgin9/+f7dqb8DrSGFANn0pXeWtYYrbpPaA=,tag:Djr6ZxIqHy01iBOMQnZrwQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2021-06-03T15:09:58Z"
mac: ENC[AES256_GCM,data:e/u4pZX4vmWquDezPASHc0FtA4Tk4G+lBRRsQ+fOSt9t+Z17ZxOoywwtNWkY3eWcPkFidDZ8Ya2PPh3V8Cqj8Cbj+RfQ4JvbW/7wKMcHURexpDCjxsFYdrc1r/fkBSqpdbhJVcq1PIA67XDsnIei0FA1h+v58IF50sqHwg3gfNw=,iv:gjHLmdyFeztWv+9ODRfv/uTR7KxutCPGhKhJ80jFdwk=,tag:w3q+TjLpGlPhR8yBPxKABQ==,type:str]
pgp:
- created_at: "2021-05-23T04:25:25Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQIMAw1XfxK/K1q7AQ//d/yXAKPJqcIRrjmW8Ft3juKGcDfGfMBNcPreMCfY0L9M
NgiRQ1TEfAJ50VI4B5DVotL3s+S/8CZEsnMd0xCmHLcZHsZH6CyoDzwlPaiMOCjV
Cyy5xWg2iRa3YS0NYIogZgfXzDSrpTjblBynj9qLZjzUm+V/3utzcSN2zYjYx4jE
C/tLN8a/oLQArH5NWPUBoKE+9OX90/DpdfwBti8nGqIlVgIKQ57hBFPfnu4Cfjtj
B6K9clgxmNvIs6TIAIOpHD5hcG7oUuAhOChtJMSH+krVVnJnG/k5PK7rrGtQNUq5
Zt2mKljW6FpmZkfqkoHIhIrnnQoJizJ9Mgab/Kw5m2p1CnJlfocvOt6u9YE80RUl
5RaF9+eKtYhn9eTozhd31HogvykZcZ/SiZ/jHfgGy3x9HnCn8/mXanwoEnaSDwal
AH7tAxD5+oDkpdyt37kyAhVEhtnhTjuS90pDpeOsyh4sWC/0Se/m3RYi//if5MUt
pKhfsLq2fOTaL2pBMpmjN2s80CCqw5PDwlUCzKr8tOwPxR1TY9HogjZA9/x5xLVv
tOxj06eoCFk5w5hsdfd1i/omc7T2p2IGP7myZ+iYTga9L0iVYdC3/32Th/XxFTMI
td2HXZdPXvQXYoi9ft6NMUbgn129aL5rT7DI8DC8JhCIW3GYDLG3un1A8qMcBz3S
XgFBREX39nBz3ZEa5Q7D9o/Q2zZ1VVw3srDnJUi2HyW4MoH6/iMlL5fhdUR0874K
caJ37bJdIeavwoq28LYpzdl1H2siSmotHnWqpYo9V0BqBGbKMtBdsDAPgAj6CDo=
=3ulM
-----END PGP MESSAGE-----
fp: CABC84E79A7718BEBFBCD3C4AD11DC94E06CCA1B
- created_at: "2021-05-23T04:25:25Z"
enc: |
-----BEGIN PGP MESSAGE-----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=
=c0ve
-----END PGP MESSAGE-----
fp: 0E883B2F1196288130061C6BA8B44BCF50372B6B
encrypted_regex: ^(data|stringData)$
version: 3.7.1


@@ -11,49 +11,18 @@ sops:
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
age:
- recipient: age1nfn3vxpsgm49ljgs8kxevga9makhh9aply6ddgf9wplsfuwpcv2qzmqatc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6OGkxcnZscnJ1TitwQXgv
ZnkwcmdnVWJLbFFGSmRHV2pqbitYQW5IWWtFCjNNdVBwTEQ0VDk2OEtHKzkwSi9h
cVpOR3NONE9HQXB6VDlwMUp0WUYzRGMKLS0tIGRlY0UrOVhzMndJTWFyclg3ZHBV
bk1tZmFPUy9FUEtiMkVHcDBGaUZwdmsKdv0wD5JNfdBN45ba8bbjpVIEHop4AqKX
R+Vp9//6wTxsiafO0Bp0RUls1gHuRUYKhgAcH9PP8TIjZCwbUpHEpg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2021-08-11T23:27:44Z"
mac: ENC[AES256_GCM,data:2z0BgAwz408+gSDfuxGtt75mF++qOSgKb/RGdm0fqTORrFB+a/Yc/alXS0NVOl43WAkxY8HpUozQooa6VhdA88OcoNFUUtz8uhpeymBj1t/xXL4gE85Be2FXmhGFHKOaIulgPIiRScwxvaYG4C289QjIHZ8T3E9ykiYnrl1/bQk=,iv:MehdXoE4gTDoF+mG9SRatebR8LHxoy+g+709/I+LHII=,tag:q97WqxBWqRHLmAekD9IzWw==,type:str]
pgp:
- created_at: "2021-08-11T16:45:16Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQIMAw1XfxK/K1q7AQ//W3HMMNXuYZ0ET4cezjUunygCWxtarUJVXngpjQ6bnLqd
drG0E4aI/iLl6xk5S4cTIVeq9b19ygsoOxRbIR0BXKvZ+l8SL18fkt8eFytkcy6/
fNNrlBXwdI1IqP2my7KZagMN4Ali5ULBGr+XK7Ggf4eG5e8LDY9x1anxVWfdrJ3N
EAxWaAFScs8fh9M0NfbtZK/wyF/wSAarCFvQoJ8UqRd/IIMLnj/Ks5IiDxj/09fv
QwP/4P1eOZKF5TfyIL1+EEdC9ZmXnM+E9sVRAm8NKz5gP/Mmtx4HcJa01TAtHFxq
7i5N9uYaAQ1JRoqVtuGg4SKuqTqnGDKbhgnXNj0ESXC0GSBQ+GXLHLKTQLe+lxu7
PSd88Kkyr8bFUTJxQvSigm0BoFcIapeO53qF9+3AeWm/A0lmJ/pABaSl17nmr+IM
n5TcNrmHDvZS25Og2PPLHRKbBllbffe8/YhHv6Oi/STCyMeg+6IqdGvJ8I7tHfxy
ISi00Gc+Z0Bdq+MCOK4OSQiX5oJpDDvJzVE38u2WRDG5xQyB6oStXvj/IoxGH5DR
trWjVgQG4x+vTiPkfRCx2ZYKAeGLm3UK5RMbSbUu598KlmYZJ8aP9Yo/vku08HCB
XjVA1zdjVGmIYx2SSn/EWHS2vaSJyGd45MVKjM6TJzyElRmyExUENQeuRBL4/5jS
XAEp38n+q5FT/xI9yU5vxnrUwFUNnVT5JTiDdLRtdwA9vVM9C0vcjJ8FewujFoM6
dJaqiZTe65RPRrtrPgBFHir++O4xPdJyGwhUtfniXzUTg35ajIpjPTfnHPnC
=Kbhk
-----END PGP MESSAGE-----
fp: CABC84E79A7718BEBFBCD3C4AD11DC94E06CCA1B
- created_at: "2021-08-11T16:45:16Z"
enc: |
-----BEGIN PGP MESSAGE-----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=oBkN
-----END PGP MESSAGE-----
fp: 0E883B2F1196288130061C6BA8B44BCF50372B6B
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.1


@@ -3,7 +3,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- cron-job.yaml
- secret.enc.yaml
- secret.sops.yaml
namespace: monitoring
configMapGenerator:
- name: uptimerobot-heartbeat


@@ -1,59 +0,0 @@
# yamllint disable
apiVersion: v1
kind: Secret
metadata:
name: uptimerobot-heartbeat-url
namespace: monitoring
stringData:
UPTIMEROBOT_HEARTBEAT_URL: ENC[AES256_GCM,data:m3b/ofgV6nF8+WrUnEmfJI1ZeMU8sd0OB2n846Cu6pTGUAf6Ox89pa67iOMKZvlNt0C40QWcO6bsDfCrg88IE5FQUU7Nop7U+A6NIELjsG0d1HTgNg==,iv:ixqKnjIpD/fb49maF+gU+eeOP1vqnsPxjHf8q/oKJ1U=,tag:Oo7CzCda3u6N2uRORIvAqg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2021-05-14T21:07:51Z"
mac: ENC[AES256_GCM,data:tbtw+vy/xMIMIa/2DN4ZcWEcohfqrC4+9NbF0CpSObFSxa8ZKIoIIQNeUcDz/9liGW4CkuhFqnIRTJWjyjCZC2PlzowpRUv4pv1fRP6w45z4R+6TyaoAkWHboJE8pE/mjQU4Pz28E/TAUm0NKLWUBtRI/w8hyk/g+6PeFzqODuk=,iv:trYVyCT9yukbY7U2Ab9N/xpujFNSOUjbV5DZZjGWpfo=,tag:c0eLaDB7C8EsZSMpSFlSKQ==,type:str]
pgp:
- created_at: "2021-05-14T21:07:49Z"
enc: |
-----BEGIN PGP MESSAGE-----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=
=Ro8B
-----END PGP MESSAGE-----
fp: CABC84E79A7718BEBFBCD3C4AD11DC94E06CCA1B
- created_at: "2021-05-14T21:07:49Z"
enc: |
-----BEGIN PGP MESSAGE-----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=
=1OR5
-----END PGP MESSAGE-----
fp: 0E883B2F1196288130061C6BA8B44BCF50372B6B
encrypted_regex: ^(data|stringData)$
version: 3.7.1


@@ -0,0 +1,28 @@
# yamllint disable
apiVersion: v1
kind: Secret
metadata:
name: uptimerobot-heartbeat-url
namespace: monitoring
stringData:
UPTIMEROBOT_HEARTBEAT_URL: ENC[AES256_GCM,data:m3b/ofgV6nF8+WrUnEmfJI1ZeMU8sd0OB2n846Cu6pTGUAf6Ox89pa67iOMKZvlNt0C40QWcO6bsDfCrg88IE5FQUU7Nop7U+A6NIELjsG0d1HTgNg==,iv:ixqKnjIpD/fb49maF+gU+eeOP1vqnsPxjHf8q/oKJ1U=,tag:Oo7CzCda3u6N2uRORIvAqg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1nfn3vxpsgm49ljgs8kxevga9makhh9aply6ddgf9wplsfuwpcv2qzmqatc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxUy9aSThsQzcweEtpbHNq
QmYrZXhtdVVMazQxeHMvZDdyL2x1cWd1VTJBCk5iVFBmRmhqLzl4Q0ZPdEt5QTNS
Wm42bnV0Z2p3SzRsWGJpZTljb3ZTb0EKLS0tIG1BdnI5SU43NDdsek1kaU1YZnVJ
aW1MdDJIbklSeGZ5T1hCOUlSbnJoWXMKZh95987xS/3g5LXhCb0yLJeEC6JcdbWz
Nn/ssgiBBkoy8yvo6yqSOlpLtgWevDPRqjg8z/mihxf6g80V+Kqbgg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2021-05-14T21:07:51Z"
mac: ENC[AES256_GCM,data:tbtw+vy/xMIMIa/2DN4ZcWEcohfqrC4+9NbF0CpSObFSxa8ZKIoIIQNeUcDz/9liGW4CkuhFqnIRTJWjyjCZC2PlzowpRUv4pv1fRP6w45z4R+6TyaoAkWHboJE8pE/mjQU4Pz28E/TAUm0NKLWUBtRI/w8hyk/g+6PeFzqODuk=,iv:trYVyCT9yukbY7U2Ab9N/xpujFNSOUjbV5DZZjGWpfo=,tag:c0eLaDB7C8EsZSMpSFlSKQ==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.1
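Review bot: The `UPTIMEROBOT_HEARTBEAT_URL` ciphertext, `iv`, `tag`, `mac` and `lastmodified` in this new age-encrypted file are byte-identical to the PGP-encrypted file deleted just above, so the SOPS data key was only re-wrapped for the age recipient, not regenerated. Anyone holding either removed PGP private key can still unwrap that data key from git history and decrypt this value, so dropping the PGP recipients revokes nothing by itself. If the migration is meant to retire those keys, run `sops --rotate --in-place secret.sops.yaml` and, more importantly, reissue the underlying credential, since the old ciphertext of the same plaintext stays in history. The same applies to `cloudflare_api_key` and the `vpn-gateway-vpnconfig` secret later in this commit, whose encrypted values are likewise unchanged.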


@@ -1,112 +0,0 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: blocky
namespace: networking
spec:
interval: 5m
chart:
spec:
# renovate: registryUrl=https://k8s-at-home.com/charts/
chart: blocky
version: 9.1.0
sourceRef:
kind: HelmRepository
name: k8s-at-home-charts
namespace: flux-system
interval: 5m
values:
image:
repository: ghcr.io/0xerr0r/blocky
tag: v0.16
env:
TZ: "America/Chicago"
controller:
enabled: true
type: deployment
strategy: RollingUpdate
replicas: 3
service:
main:
ports:
http:
port: 4000
dns-tcp:
enabled: true
type: LoadBalancer
loadBalancerIP: ${LB_BLOCKY_IP}"
externalTrafficPolicy: Local
ports:
dns-tcp:
enabled: true
port: 53
protocol: TCP
targetPort: 53
dns-udp:
enabled: true
type: LoadBalancer
loadBalancerIP: "${LB_BLOCKY_IP}"
externalTrafficPolicy: Local
ports:
dns-tcp:
enabled: true
port: 53
protocol: UDP
targetPort: 53
ingress:
main:
enabled: true
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
hosts:
- host: "blocky.${SECRET_DOMAIN}"
paths:
- path: /
pathType: Prefix
tls:
- hosts:
- "blocky.${SECRET_DOMAIN}"
config: |
upstream:
externalResolvers:
- udp:${GATEWAY_IP}
blocking:
blackLists:
ads:
# https://oisd.nl/
- https://raw.githubusercontent.com/ookangzheng/dbl-oisd-nl/master/dbl.txt
whiteLists:
ads:
- https://raw.githubusercontent.com/anudeepND/whitelist/master/domains/whitelist.txt
clientGroupsBlock:
default:
- ads
clientLookup:
upstream: udp:${GATEWAY_IP}
prometheus:
enable: true
path: /metrics
httpPort: 4000
logLevel: info
prometheus:
serviceMonitor:
enabled: true
podAnnotations:
configmap.reloader.stakater.com/reload: "blocky-config"
affinity:
podAntiAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
- labelSelector:
matchExpressions:
- key: app.kubernetes.io/name
operator: In
values:
- blocky
topologyKey: "kubernetes.io/hostname"
resources:
requests:
memory: 100Mi
cpu: 100m
limits:
memory: 750Mi


@@ -1,4 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- helm-release.yaml


@@ -1,5 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- secret.enc.yaml
- secret.sops.yaml
- helm-release.yaml


@@ -1,60 +0,0 @@
# yamllint disable
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: cloudflare-api-key
namespace: networking
stringData:
cloudflare_api_key: ENC[AES256_GCM,data:27GLFDiPCUKD2Kykafrtb+rnmIzlBLySg9x1bB6oo/nOYCJz2Q==,iv:Z0Q6Nogdo2/aa+SOl79rjUShA28Cm3PkpWD64NexVS0=,tag:rswURlC0GXhKrgYcbVGClg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2021-05-14T01:49:38Z"
mac: ENC[AES256_GCM,data:+AxMVyTaGtXeKT2kldCSb3tKQzL2MtPmUNoCYHzFpMcBjaustkPeEo67eEaHcnzL0mTZbHQNnyinOP+uCnNkjTe/QMuScm+Pwr7ZFNGj+OrVVOTzHRe2NSuDa1PXwZlG1CuBzmZysFDwyOhj5hiS6387Gpi4tcqYAJSDaL6B2hs=,iv:SFuHIuniSPIcYmBPq/1k6F2ZOKVC4kW5rZoji39lWfc=,tag:pMAmjvzMkTR3Zavd9n2fxw==,type:str]
pgp:
- created_at: "2021-05-14T01:49:36Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQIMAw1XfxK/K1q7ARAAnCh13ASgSSfXgABIaRe0poS+qut8OFTdRjmUr/H6cJSP
2WjvSfOSSkFMhzO9PoJS9qWjHb0dkLo/se+awdhHbeLrleF6CrlPWpYEo2nTpzN5
7KmIp4zJrwu1h5BeylNhnGgyGw34jwstht/cq0qS0yeu+XUpTl9GxaVFJJoIbneN
/lb6Xpy4XQUM2SCDszkjCc4kO4TtZAGCnaqZYW4DeyFo3qoOes2TMI3QBAYPQFWN
T1bRHm2jCOYp2jhrYG7X5H5L0KtGt7fwx14TrnfZ34/vw/XHXPYav8Mmf0EE7I+y
9ZeKkxe1VHltTlFItv5wDdnusKiTIRoCVscoYQkPl+miB+Tnci4NPN+8nCgz26vF
m6vS7B8j4czFmWQwl3nYcWZRRec35nhwBcr7BEqsFlaJLNenZfJj+imm3iCYUYpj
Q+U/d6Pyub6TvpIzoy1r/uaRnb7QXM/E3A2Sh/astQW5EYgPqkTIdEbbLpWn3bKn
DZhIpHWea0eSmclzUCOMIAYxqHMLoHmktMfI62TIHqWwRTPsIMko2l4IzXCfoUWR
V9fvy979EJY5IhO8MqpNcp4Arw11nlZ+0p4aUglkfqLet+cvJ5Wurz+GnXkss17s
eh01c62bkIHp78RCLk+qah7DSk1xQGHro7sR5MOxDa/lSPSPWDTo5E9Q569vFOnS
XAGSZ8nU+1ZVn2jDsZP4fWlTLlkQEQYDIn3Sthl3USyJDJf+nYjgY0s1b59w6uw7
m9RUdHTKqq9SxwOBYpQ4lJITcElJLpRW+LTDR8YVhC2vyNtVxaRiPJwdthwW
=W6Sy
-----END PGP MESSAGE-----
fp: CABC84E79A7718BEBFBCD3C4AD11DC94E06CCA1B
- created_at: "2021-05-14T01:49:36Z"
enc: |
-----BEGIN PGP MESSAGE-----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=Pvda
-----END PGP MESSAGE-----
fp: 0E883B2F1196288130061C6BA8B44BCF50372B6B
encrypted_regex: ^(data|stringData)$
version: 3.7.1


@@ -0,0 +1,29 @@
# yamllint disable
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: cloudflare-api-key
namespace: networking
stringData:
cloudflare_api_key: ENC[AES256_GCM,data:27GLFDiPCUKD2Kykafrtb+rnmIzlBLySg9x1bB6oo/nOYCJz2Q==,iv:Z0Q6Nogdo2/aa+SOl79rjUShA28Cm3PkpWD64NexVS0=,tag:rswURlC0GXhKrgYcbVGClg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1nfn3vxpsgm49ljgs8kxevga9makhh9aply6ddgf9wplsfuwpcv2qzmqatc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBDWlREN2VZd1JuOS83SmNK
OUNMSnd0NEs1c0dMMjBoM3hWTFhGZVlZT2dzCm1UTXd6Y1U1S090b1FqUWI2VHhS
NHdVSWpKblZVQTZMazFiUkhDVjJEdzgKLS0tIFhKRVJqT2ozOXdYVFpOSHNwMlFZ
aTNMbXV0R3lhclNGYUFGTlR0bmUyblUKvOPRUvUHwOQ20w3eqqloUY1CmCiXgAOX
LAIqWs5P9AXYvbPPFFBGRBEc7zLW1lUS1OaGIRIpZeaUI7dGiWTVtg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2021-05-14T01:49:38Z"
mac: ENC[AES256_GCM,data:+AxMVyTaGtXeKT2kldCSb3tKQzL2MtPmUNoCYHzFpMcBjaustkPeEo67eEaHcnzL0mTZbHQNnyinOP+uCnNkjTe/QMuScm+Pwr7ZFNGj+OrVVOTzHRe2NSuDa1PXwZlG1CuBzmZysFDwyOhj5hiS6387Gpi4tcqYAJSDaL6B2hs=,iv:SFuHIuniSPIcYmBPq/1k6F2ZOKVC4kW5rZoji39lWfc=,tag:pMAmjvzMkTR3Zavd9n2fxw==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.1


@@ -5,6 +5,10 @@ metadata:
name: "${SECRET_DOMAIN/./-}"
namespace: networking
spec:
secretTemplate:
annotations:
reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
reflector.v1.k8s.emberstack.com/reflection-auto-namespaces: "kasten-io"
secretName: "${SECRET_DOMAIN/./-}-tls"
issuerRef:
name: letsencrypt-production
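Review bot: The added `secretTemplate` annotations copy the wildcard TLS secret, private key included, into `kasten-io`, but they set only the `reflection-auto-*` pair. As far as the Reflector documentation describes, auto-mirroring also requires the source to permit reflection. The permitted namespaces should be pinned to the same list, so that no other namespace can obtain the key by creating its own mirror. Add `reflector.v1.k8s.emberstack.com/reflection-allowed: "true"` and `reflector.v1.k8s.emberstack.com/reflection-allowed-namespaces: "kasten-io"` next to the two existing annotations. The Certificate spec starts and continues outside this hunk.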


@@ -0,0 +1 @@
173.245.48.0/20\,103.21.244.0/22\,103.22.200.0/22\,103.31.4.0/22\,141.101.64.0/18\,108.162.192.0/18\,190.93.240.0/20\,188.114.96.0/20\,197.234.240.0/22\,198.41.128.0/17\,162.158.0.0/15\,104.16.0.0/13\,104.24.0.0/14\,172.64.0.0/13\,131.0.72.0/22\,2400:cb00::/32\,2606:4700::/32\,2803:f800::/32\,2405:b500::/32\,2405:8100::/32\,2a06:98c0::/29\,2c0f:f248::/32


@@ -0,0 +1,114 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: ingress-nginx
namespace: networking
spec:
interval: 15m
chart:
spec:
chart: ingress-nginx
version: 4.1.4
sourceRef:
kind: HelmRepository
name: ingress-nginx-charts
namespace: flux-system
interval: 15m
install:
createNamespace: true
remediation:
retries: 5
upgrade:
remediation:
retries: 5
dependsOn:
- name: cert-manager
namespace: kube-system
values:
controller:
replicaCount: 3
extraEnvs:
- name: TZ
value: "${TIMEZONE}"
service:
externalIPs:
- "${SVC_NGINX_ADDR}"
externalTrafficPolicy: Local
publishService:
enabled: true
ingressClassResource:
default: true
config:
client-header-timeout: 120
client-body-buffer-size: "100M"
client-body-timeout: 120
custom-http-errors: |-
401,403,404,500,501,502,503
enable-brotli: "true"
forwarded-for-header: "CF-Connecting-IP"
hsts-max-age: "31449600"
keep-alive: 120
keep-alive-requests: 10000
proxy-body-size: "100M"
ssl-protocols: "TLSv1.3 TLSv1.2"
use-forwarded-headers: "true"
metrics:
enabled: true
serviceMonitor:
enabled: true
namespace: networking
namespaceSelector:
any: true
extraArgs:
default-ssl-certificate: "networking/${SECRET_DOMAIN/./-}-tls"
topologySpreadConstraints:
- maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: DoNotSchedule
labelSelector:
matchLabels:
app.kubernetes.io/name: ingress-nginx
app.kubernetes.io/component: controller
podAnnotations:
configmap.reloader.stakater.com/reload: "cloudflare-proxied-networks"
resources:
requests:
cpu: 10m
memory: 250Mi
limits:
memory: 500Mi
defaultBackend:
enabled: true
image:
repository: ghcr.io/tarampampam/error-pages
tag: 2.16.0
replicaCount: 3
extraEnvs:
- name: TEMPLATE_NAME
value: ghost
- name: SHOW_DETAILS
value: "false"
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app.kubernetes.io/name
operator: In
values:
- ingress-nginx
- key: app.kubernetes.io/component
operator: In
values:
- default-backend
topologyKey: kubernetes.io/hostname
valuesFrom:
# Cloudflare Networks
# https://www.cloudflare.com/ips/
- targetPath: controller.config.proxy-real-ip-cidr
kind: ConfigMap
name: cloudflare-proxied-networks
valuesKey: cloudflare-proxied-networks.txt
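Review bot: `use-forwarded-headers: "true"` is set controller-wide, while only the client-address rewrite is scoped to Cloudflare through `proxy-real-ip-cidr`. The remaining `X-Forwarded-*` headers (host, proto, port) are, as far as I know, passed through from any peer that can reach `${SVC_NGINX_ADDR}` directly. The same commit deletes the Traefik `cloudflare-ips` and `rfc1918-ips` allowlist middlewares, and nothing visible in this release replaces them. I would add a comment above the key, `# safe only while the controller is reachable solely via Cloudflare or the LAN`, and restore the source restriction per Ingress with `nginx.ingress.kubernetes.io/whitelist-source-range`. The CIDR list behind `proxy-real-ip-cidr` is a static file, so it also needs a documented refresh against https://www.cloudflare.com/ips/.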


@@ -0,0 +1,14 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: networking
resources:
- dashboard
- helm-release.yaml
- certificate.yaml
configMapGenerator:
- name: cloudflare-proxied-networks
files:
- cloudflare-proxied-networks.txt
generatorOptions:
disableNameSuffixHash: true


@@ -1,7 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- blocky
- external-dns
- traefik
- wildcard-certificate
- namespace.yaml
- ingress-nginx
- external-dns


@@ -0,0 +1,9 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: networking
labels:
kustomize.toolkit.fluxcd.io/prune: disabled
goldilocks.fairwinds.com/enabled: "true"
k10.kasten.io/ignorebackuppolicy: "true"


@@ -1,25 +0,0 @@
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: dashboard
namespace: networking
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: "websecure"
traefik.ingress.kubernetes.io/router.middlewares: "networking-rfc1918@kubernetescrd"
spec:
tls:
- hosts:
- "traefik.${SECRET_DOMAIN}"
secretName: "${SECRET_DOMAIN/./-}-tls"
rules:
- host: traefik.${SECRET_DOMAIN}
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: traefik
port:
number: 9000


@@ -1,40 +0,0 @@
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: minio
namespace: networking
spec:
entryPoints:
- websecure
routes:
- match: Host(`s.${SECRET_DOMAIN}`)
kind: Rule
services:
- name: minio
port: 443
middlewares:
- name: cloudflare
tls:
secretName: "${SECRET_DOMAIN/./-}-tls"
---
kind: Service
apiVersion: v1
metadata:
name: minio
namespace: networking
spec:
type: ExternalName
externalName: s3.${SECRET_DOMAIN}
---
apiVersion: externaldns.k8s.io/v1alpha1
kind: DNSEndpoint
metadata:
name: minio
namespace: networking
spec:
endpoints:
- dnsName: "s.${SECRET_DOMAIN}"
recordType: CNAME
targets:
- "ipv4.${SECRET_DOMAIN}"


@@ -1,101 +0,0 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
name: traefik
namespace: networking
spec:
interval: 5m
chart:
spec:
# renovate: registryUrl=https://helm.traefik.io/traefik
chart: traefik
version: 10.6.2
sourceRef:
kind: HelmRepository
name: traefik-charts
namespace: flux-system
interval: 5m
dependsOn:
- name: cert-manager
namespace: cert-manager
values:
image:
name: ghcr.io/k8s-at-home/traefik
deployment:
kind: Deployment
replicas: 2
service:
enabled: true
type: LoadBalancer
spec:
loadBalancerIP: "${LB_TRAEFIK_IP}"
externalTrafficPolicy: Local
annotations:
external-dns.alpha.kubernetes.io/hostname: "ipv4.${SECRET_DOMAIN},ipv4.${SECRET_DOMAIN_2}"
logs:
general:
format: json
level: DEBUG
access:
enabled: true
format: json
ingressClass:
enabled: true
isDefaultClass: true
fallbackApiVersion: v1
ingressRoute:
dashboard:
enabled: false
globalArguments:
- "--api.insecure=true"
- "--serverstransport.insecureskipverify=true"
- "--metrics.prometheus=true"
- "--metrics.prometheus.entryPoint=metrics"
- "--entryPoints.websecure.forwardedHeaders.trustedIPs=10.0.0.0/8,192.168.0.0/16,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,104.16.0.0/13,104.24.0.0/14,108.162.192.0/18,131.0.72.0/22,141.101.64.0/18,162.158.0.0/15,172.64.0.0/13,173.245.48.0/20,188.114.96.0/20,190.93.240.0/20,197.234.240.0/22,198.41.128.0/17,2400:cb00::/32,2606:4700::/32,2803:f800::/32,2405:b500::/32,2405:8100::/32,2a06:98c0::/29,2c0f:f248::/32"
additionalArguments:
- "--providers.kubernetesingress.ingressendpoint.ip=${LB_TRAEFIK_IP}"
- "--providers.kubernetesingress.allowexternalnameservices=true"
- "--providers.kubernetescrd.allowexternalnameservices=true"
ports:
traefik:
expose: true
web:
redirectTo: websecure
websecure:
tls:
enabled: true
options: "default"
metrics:
port: 8082
expose: true
exposedPort: 8082
tlsOptions:
default:
minVersion: VersionTLS12
maxVersion: VersionTLS13
sniStrict: true
pilot:
enabled: false
token: "${SECRET_TRAEFIK_PILOT_TOKEN}"
experimental:
plugins:
enabled: false
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app.kubernetes.io/name
operator: In
values:
- traefik
topologyKey: kubernetes.io/hostname
resources:
requests:
memory: 100Mi
cpu: 500m
limits:
memory: 500Mi


@@ -1,10 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- helm-release.yaml
- service-monitor.yaml
- tls-store
- dashboard
- external
- middlewares


@@ -1,9 +0,0 @@
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: basic-auth
namespace: networking
spec:
basicAuth:
secret: basic-auth


@@ -1,45 +0,0 @@
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: cloudflare-ips
namespace: networking
spec:
ipWhiteList:
sourceRange:
- 103.21.244.0/22
- 103.22.200.0/22
- 103.31.4.0/22
- 104.16.0.0/13
- 104.24.0.0/14
- 108.162.192.0/18
- 131.0.72.0/22
- 141.101.64.0/18
- 162.158.0.0/15
- 172.64.0.0/13
- 173.245.48.0/20
- 188.114.96.0/20
- 190.93.240.0/20
- 197.234.240.0/22
- 198.41.128.0/17
- 2400:cb00::/32
- 2606:4700::/32
- 2803:f800::/32
- 2405:b500::/32
- 2405:8100::/32
- 2a06:98c0::/29
- 2c0f:f248::/32
# include rfc1918 ranges since traefik chains don't support OR operations
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: cloudflare
namespace: networking
spec:
chain:
middlewares:
- name: cloudflare-ips


@@ -1,11 +0,0 @@
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: external-auth
namespace: networking
spec:
chain:
middlewares:
- name: cloudflare-ips
- name: security-ak-outpost-traefik@kubernetescrd


@@ -1,11 +0,0 @@
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: internal-auth
namespace: networking
spec:
chain:
middlewares:
- name: rfc1918-ips
- name: security-ak-outpost-traefik@kubernetescrd


@@ -1,11 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- cloudflare.yaml
- external-auth.yaml
- internal-auth.yaml
- rfc1918.yaml
- redirect-path.yaml
- secret.enc.yaml
- basic-auth.yaml


@@ -1,32 +0,0 @@
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: redirect-regex
namespace: networking
spec:
redirectRegex:
regex: "^(https?://[^/]+/[a-z0-9_]+)$"
replacement: "${1}/"
permanent: true
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: strip-prefix-regex
namespace: networking
spec:
stripPrefixRegex:
regex:
- "/[a-z0-9_]+"
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: redirect-path
namespace: networking
spec:
chain:
middlewares:
- name: redirect-regex
- name: strip-prefix-regex


@@ -1,22 +0,0 @@
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: rfc1918-ips
namespace: networking
spec:
ipWhiteList:
sourceRange:
- 10.0.0.0/8
- 172.16.0.0/12
- 192.168.0.0/16
---
apiVersion: traefik.containo.us/v1alpha1
kind: Middleware
metadata:
name: rfc1918
namespace: networking
spec:
chain:
middlewares:
- name: rfc1918-ips


@@ -1,60 +0,0 @@
# yamllint disable
apiVersion: v1
kind: Secret
type: Opaque
metadata:
name: basic-auth
namespace: networking
data:
users: ENC[AES256_GCM,data:Dmf2Is/oY27z0DGI24g8zeCm3t/vmhv2KK7O//4xKEQQOkERY68XfqdaYiOhXVxAuJGtjQzsZ9vX34c/K8bmyw==,iv:kIeKds7aNt0WpMihc4B/o4N2EDa3vwAcEtQ51ImFwzQ=,tag:QDO9hqA4bhp9qz9aKyDURg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2021-05-12T07:03:13Z"
mac: ENC[AES256_GCM,data:rscAMwjW5JskPWVhEnb4VcYgXo4XEsjx/xysgKEFkJOR0tj/DQ4avpiVcojP830c2g0n2OPpISlzBTXutPMJ1bPfsvvRJiCYLGuP5NnGaZNww8XraOO0vjgQJgqehhVPNn1ZVfrbrC1UoD1619F220AoCZiLEMdFxLiebDoz9kU=,iv:dB6FmcICT6iMcP4dhYsJizPdR473m93iXB8RXYqYtWE=,tag:3GCFXy0+GBAORTN5AEXsAQ==,type:str]
pgp:
- created_at: "2021-05-12T07:03:12Z"
enc: |
-----BEGIN PGP MESSAGE-----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=
=K8gY
-----END PGP MESSAGE-----
fp: CABC84E79A7718BEBFBCD3C4AD11DC94E06CCA1B
- created_at: "2021-05-12T07:03:12Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQIMAySEZvKqXwiCAQ/9HxJPyqYR/K7HVIhHgmDdojQPDVb+89X6vpLPHt1kqh2t
nxHMFM9/l3OUPqDu7TSwFrPIiZIn41tGeAxGaGyCCov7NYu8zZS9nDrU6CSbtUwm
ESyQvngC6oSxR+51JFZ8z4fm7W+ueWjPq0JhQh8HZwu14G3behvhKDs2kAYQcrwl
kHlb5Iy6BHOGyn8Ebm1E3GXkbJrAaojqOhiPs7tM/YSsW609zAoQiI3s6s0inSFK
ygDWWG9RHbt0Av+uuHXTom2ck8eDYWzvFOjsAzSfH0qygBFLZClaJczCixIbyiCS
WDn3VNO+R54LN5xdvUseec4C9wl5K18gSWeqdWtvMOSdLUI6WxJFFBzhF4k7Wxq8
b5AVIip9DXDR+QdB+3CYsUYN4h1PwYJdZnvHOLhxQIP7hD8lOFPqmWXMPfm80ygh
fcU0D2R3WG85n0USo+ilx47aL32fuwDBUZbE7ioR3oDUAtCNUG3KyeBM70u2xa4o
ioAoI2/+8bMUWzfTjT1JB6dVFcbsRavPBsKYp4KmylrUWbdXbEPs8zsmcDjYP18S
IKyLto+gf8mxzsoHZiW7Hi/ahDv2VTo404udeg4wYFvXJ3vfHySy6voy/mW2hQqB
wogpaV45Vq7SogR0Zwtwj5GAkmPBX9FmKTcPQuT8goHRz8HqRytscaDmgI/4OqfS
XgEfWsuCwDomk0TfBRo/VPWUh0uQSsEbhOgg5U8MbAC57CKKDQXHacwNQcR6Mm18
TKmNYtIzen//P9RtEci6yq1JMZ7RzWkoHqRMx93KUZoyE3jWU/dkdmMR6pCZTgY=
=BDTE
-----END PGP MESSAGE-----
fp: 0E883B2F1196288130061C6BA8B44BCF50372B6B
encrypted_regex: ^(data|stringData)$
version: 3.7.1


@@ -1,19 +0,0 @@
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: traefik
namespace: networking
labels:
app.kubernetes.io/name: traefik
spec:
endpoints:
- path: /metrics
targetPort: metrics
jobLabel: traefik
namespaceSelector:
matchNames:
- networking
selector:
matchLabels:
app.kubernetes.io/name: traefik


@@ -1,9 +0,0 @@
---
apiVersion: traefik.containo.us/v1alpha1
kind: TLSStore
metadata:
name: default
namespace: networking
spec:
defaultCertificate:
secretName: "${SECRET_DOMAIN/./-}-tls"


@@ -1,4 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- default.yaml


@@ -1,4 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- certificate.yaml


@@ -3,4 +3,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- helm-release.yaml
- secret.yaml
- secret.sops.yaml


@@ -0,0 +1,28 @@
# yamllint disable
apiVersion: v1
kind: Secret
metadata:
name: vpn-gateway-vpnconfig
namespace: vpn-gateway
stringData:
vpnConfigfile: ENC[AES256_GCM,data:mSNClcqSUJH8X2TmyKu2BxnmNNUM1a9uef4FBdHEGi8iyc2RD/Icyf4NMqVYwvtcb/qOM6Tpke+0/OxgI9kylSCZhwTFg9wyDoCrxCS1IZqxTrZKA9o5HzFuTTJtNRBD+pckuOL3WCXs6ghgq+1Y4eTITqYU2MgmVzIC6QTMMjr8WFPbfULpCQD3vje+8PVklEMLaXlQoz2xwEMO/XrsRWL/Juz4zMa/XP+lZbPKWPC3fm4W/vQltevkdW2uZsDMnYFcK2kQoaGcc0fzczStv9bU9vgcfKIQ1ECdxz2ExE4NSscy36ShHOBYDbcWZgKVcZYGqJrLQfUfp95etVtoRZDFqRExgKq0iK8=,iv:4fJ8tJ8hJOMTEyASQ7sZU5Sv4LlJqTSrhdZOZqi9PPA=,tag:9QK3YXW04nZsjofw0lDTLA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1nfn3vxpsgm49ljgs8kxevga9makhh9aply6ddgf9wplsfuwpcv2qzmqatc
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWcWUvRlovRG44K1NvMmJZ
eFF0TzRWaHdLQmY1cXJ5TE1iZ2JpNkdmcFJNCkNacVhNNldqUWNyekk4bkJSOXAw
bGM1YS9BYnpHUG9aZnpFVkRHRWxPa0EKLS0tIHdsam1zSWtIQ1BOUHBXeXlKUHpt
cGdHQ1p2czZOQ2FiUS93NCtPMEM2WEkKrH2EcprBiC3VFVHjN4iqxwQ0DDpdcgWB
RfXKGltH3ldip1DFyosTq3Rmn1C/1b2NbeNmTXUA+mzp1CvSgpEa+A==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2022-06-23T05:18:19Z"
mac: ENC[AES256_GCM,data:4x37lj39c2Q0FR/5One7xJkgekRk5HVAUTA4JhdNDt19YEUPrZaCVB2LM2OS0ThZOetp8aGywmdSJPuOqFf9AN1hMx1tgXfdNHljEV30YiIBwEpNcjK1AktoZZ63jrV67wA+CB2ax16vtAEMaUn2/e8P2ogbJPR76eRIQZBH6n0=,iv:v2eQdi88JzqvQsYcPBL4I8lvG+StzEnns39sstTNpf4=,tag:xHQ9EzjVmH37dasok8lLMw==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.7.3


@@ -1,59 +0,0 @@
# yamllint disable
apiVersion: v1
kind: Secret
metadata:
name: vpn-gateway-vpnconfig
namespace: vpn-gateway
stringData:
vpnConfigfile: ENC[AES256_GCM,data:mSNClcqSUJH8X2TmyKu2BxnmNNUM1a9uef4FBdHEGi8iyc2RD/Icyf4NMqVYwvtcb/qOM6Tpke+0/OxgI9kylSCZhwTFg9wyDoCrxCS1IZqxTrZKA9o5HzFuTTJtNRBD+pckuOL3WCXs6ghgq+1Y4eTITqYU2MgmVzIC6QTMMjr8WFPbfULpCQD3vje+8PVklEMLaXlQoz2xwEMO/XrsRWL/Juz4zMa/XP+lZbPKWPC3fm4W/vQltevkdW2uZsDMnYFcK2kQoaGcc0fzczStv9bU9vgcfKIQ1ECdxz2ExE4NSscy36ShHOBYDbcWZgKVcZYGqJrLQfUfp95etVtoRZDFqRExgKq0iK8=,iv:4fJ8tJ8hJOMTEyASQ7sZU5Sv4LlJqTSrhdZOZqi9PPA=,tag:9QK3YXW04nZsjofw0lDTLA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age: []
lastmodified: "2022-06-23T05:18:19Z"
mac: ENC[AES256_GCM,data:4x37lj39c2Q0FR/5One7xJkgekRk5HVAUTA4JhdNDt19YEUPrZaCVB2LM2OS0ThZOetp8aGywmdSJPuOqFf9AN1hMx1tgXfdNHljEV30YiIBwEpNcjK1AktoZZ63jrV67wA+CB2ax16vtAEMaUn2/e8P2ogbJPR76eRIQZBH6n0=,iv:v2eQdi88JzqvQsYcPBL4I8lvG+StzEnns39sstTNpf4=,tag:xHQ9EzjVmH37dasok8lLMw==,type:str]
pgp:
- created_at: "2021-05-23T04:25:25Z"
enc: |
-----BEGIN PGP MESSAGE-----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=
=3ulM
-----END PGP MESSAGE-----
fp: CABC84E79A7718BEBFBCD3C4AD11DC94E06CCA1B
- created_at: "2021-05-23T04:25:25Z"
enc: |
-----BEGIN PGP MESSAGE-----
hQIMAySEZvKqXwiCARAAiOusqNF8lAlCSDHsz5qFTspDoW3diCnl3tGRC2bNPxhu
K+wfvmJzqQpd0Nn3lEhZ5SxpTorwBrDZePllmvSIwaMTVg47G+MUFUeTEH8EacUx
4K2Nh11RgZppyM1C00cAiaytSVV5S8pNi/cizFJvGblc5sZiasFry8QsUVVD9fZm
zf9i/OfHh1NOH1FpM7mE1UYiLofJaGM1ADtsGYlsZlsImeEGth9ZRWOOONeRl/r3
Og8TG6yaPSjnu7WeC2yxO0fBqWE8dmYdQ8JXyDI/2ZsugiEJmdgR9KptzAWckjyY
RSmu6G2pnIaYNDimzm7Tt/lqgpmN7HI/hjVC14Iv/amuzC620HmH4gefpR6Czvz3
1bngkKQ0X3jAmDgROEUZpYv8F2MMipXsG3K89aicVdTXcBxfiiKk+2HTJWMZyk9E
iy/JA9OMqjhRE6+hY7GbC+BFkRbIUw/Oe04DqWcY9LBQeJ1pnCZelzJosSc53peA
l2kf1ff5mqvI4JsvO5ENM3HeXVGOYARhZqMPu9Vto4xhYNi1KKhi5I1TKhan+i5z
2qsFy7AtXvDYghkMEROsyJqTZRcLMJwDrCU0B1R8YG2VOz/8+MI3F7qJrILDDiDb
nezozUZOCOIEAklSz0UQAteWW0j/6lBytP6Yr3sMc0zg6/HSnHzLmU4eVioifYfS
XgFOa7Ud91Unrgyf+SeupPJW0+rH1TNDBiOOSkWdGDBgkcWWngqz1qgnmf0xFYX0
xUiRuTs8Goyp0slwxmFEHXiiWfrGsD+tdeYJWBWoxBm75wqiejfHEchln2saSEU=
=c0ve
-----END PGP MESSAGE-----
fp: 0E883B2F1196288130061C6BA8B44BCF50372B6B
encrypted_regex: ^(data|stringData)$
version: 3.7.3


@@ -1,16 +0,0 @@
---
apiVersion: source.toolkit.fluxcd.io/v1beta1
kind: GitRepository
metadata:
name: benji-charts
namespace: flux-system
spec:
interval: 10m
url: https://github.com/elemental-lf/benji
ref:
tag: v0.15.0
ignore: |
# exclude all
/*
# include charts directory
!/charts/


@@ -1,5 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- benji-charts.yaml


@@ -1,34 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ananace-charts.yaml
- authentik-charts.yaml
- bitnami-charts.yaml
- blakeshome-charts.yaml
- cilium-charts.yaml
- coredns-charts.yaml
- deliveryhero-charts.yaml
- drone-charts.yaml
- fairwinds-charts.yaml
- falco-security-charts.yaml
- grafana-charts.yaml
- infracloudio-charts.yaml
- ingress-nginx-charts.yaml
- jetstack-charts.yaml
- k8s-at-home-charts.yaml
- kubernetes-sigs-descheduler-charts.yaml
- lwolf-charts.yaml
- mailu-charts.yaml
- nfs-subdir-external-provisioner-charts.yaml
- node-feature-discovery-charts.yaml
- nvidia-charts.yaml
- prometheus-community-charts.yaml
- rook-ceph-charts.yaml
- stakater-charts.yaml
- hajimari-charts.yaml
- toboshii-charts.yaml
- traefik-charts.yaml
- uptimerobot-operator-charts.yaml
- vernemq-charts.yaml
- weaveworks-kured-charts.yaml


@@ -1,6 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- git
- helm

File diff suppressed because it is too large Load Diff


@@ -1,28 +0,0 @@
---
apiVersion: source.toolkit.fluxcd.io/v1beta1
kind: GitRepository
metadata:
name: flux-system
namespace: flux-system
spec:
interval: 1m0s
ref:
branch: main
url: https://github.com/toboshii/home-cluster
---
apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
kind: Kustomization
metadata:
name: flux-system
namespace: flux-system
spec:
interval: 10m0s
path: ./cluster/base
prune: true
sourceRef:
kind: GitRepository
name: flux-system
decryption:
provider: sops
secretRef:
name: sops-gpg


@@ -1,6 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- gotk-components.yaml
- gotk-sync.yaml
- charts


@@ -2,4 +2,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- minio.yaml
- github.com/fluxcd/flux2/manifests/install?ref=v0.31.3
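Review bot: The remote base `github.com/fluxcd/flux2/manifests/install?ref=v0.31.3` (apparently the line this hunk adds in place of `minio.yaml`) is pinned to a git tag, and a tag can be re-pointed upstream after review. These manifests install the Flux controllers together with their cluster-wide RBAC, so whatever the ref resolves to at build time runs with broad privileges. I would pin the fetch to the release commit and keep the version as a comment, `- github.com/fluxcd/flux2/manifests/install?ref=<commit-sha-of-v0.31.3>  # v0.31.3`.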


@@ -0,0 +1,35 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ananace-charts.yaml
- authentik-charts.yaml
- bitnami-charts.yaml
- blakeshome-charts.yaml
- cilium-charts.yaml
- coredns-charts.yaml
- deliveryhero-charts.yaml
- drone-charts.yaml
- fairwinds-charts.yaml
- falco-security-charts.yaml
- grafana-charts.yaml
- infracloudio-charts.yaml
- ingress-nginx-charts.yaml
- jetstack-charts.yaml
- k8s-at-home-charts.yaml
- kubernetes-sigs-descheduler-charts.yaml
- lwolf-charts.yaml
- mailu-charts.yaml
- metrics-server-charts.yaml
- nfs-subdir-external-provisioner-charts.yaml
- node-feature-discovery-charts.yaml
- nvidia-charts.yaml
- prometheus-community-charts.yaml
- rook-ceph-charts.yaml
- stakater-charts.yaml
- hajimari-charts.yaml
- toboshii-charts.yaml
- traefik-charts.yaml
- uptimerobot-operator-charts.yaml
- vernemq-charts.yaml
- weaveworks-kured-charts.yaml


@@ -0,0 +1,9 @@
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: HelmRepository
metadata:
name: metrics-server-charts
namespace: flux-system
spec:
interval: 1h
url: https://kubernetes-sigs.github.io/metrics-server

Some files were not shown because too many files have changed in this diff Show More