diff --git a/.gitattributes b/.gitattributes index 1a44d425..af37c0fd 100644 --- a/.gitattributes +++ b/.gitattributes @@ -1,2 +1 @@ -secret.enc.yaml diff=sopsdiffer -cluster-secrets.yaml diff=sopsdiffer +*.sops.* diff=sopsdiffer diff --git a/.github/CODEOWNERS b/.github/CODEOWNERS index 9c858678..43db9f6e 100644 --- a/.github/CODEOWNERS +++ b/.github/CODEOWNERS @@ -1,2 +1,2 @@ # https://docs.github.com/en/github/creating-cloning-and-archiving-repositories/about-code-owners -* @onedr0p +* @toboshii diff --git a/.github/ISSUE_TEMPLATE/config.yml b/.github/ISSUE_TEMPLATE/config.yml index b7fa73a6..e54e04ec 100644 --- a/.github/ISSUE_TEMPLATE/config.yml +++ b/.github/ISSUE_TEMPLATE/config.yml @@ -1,5 +1,6 @@ +--- blank_issues_enabled: false contact_links: -- name: Discuss on Discord - url: https://discord.com/invite/sTMX7Vh - about: Join our Discord community + - name: Discuss on Discord + url: https://discord.gg/k8s-at-home + about: Join our Discord community diff --git a/.github/labeler.yaml b/.github/labeler.yaml new file mode 100644 index 00000000..e66efc01 --- /dev/null +++ b/.github/labeler.yaml @@ -0,0 +1,11 @@ +--- +area/ansible: + - "ansible/**/*" +area/github: + - ".github/**/*" +area/cluster: + - "cluster/**/*" +area/hack: + - "hack/**/*" +area/terraform: + - "terraform/**/*" diff --git a/.github/labels.yaml b/.github/labels.yaml new file mode 100644 index 00000000..2ecd5109 --- /dev/null +++ b/.github/labels.yaml 
@@ -0,0 +1,80 @@ +--- +# Area +- name: area/ansible + color: "72ccf3" + description: >- + Changes made in the ansible directory +- name: area/github + color: "72ccf3" + description: >- + Changes made in the github directory +- name: area/cluster + color: "72ccf3" + description: >- + Changes made in the cluster directory +- name: area/hack + color: "72ccf3" + description: >- + Changes made in the hack directory +- name: area/terraform + color: "72ccf3" + description: >- + Changes made in the terraform directory +# Renovate +- name: renovate/ansible + color: "ffc300" +- name: renovate/container + color: "ffc300" +- name: renovate/github-action + color: "ffc300" +- name: renovate/github-release + color: "ffc300" +- name: renovate/helm + color: "ffc300" +- name: renovate/terraform + color: "ffc300" +# Semantic Type +- name: type/patch + color: "FFEC19" +- name: type/minor + color: "FF9800" +- name: type/major + color: "F6412D" +# Size +- name: size/XS + color: "009900" + description: >- + Denotes a PR that changes 0-9 lines, ignoring generated files. +- name: size/S + color: "77bb00" + description: >- + Denotes a PR that changes 10-29 lines, ignoring generated files. +- name: size/M + color: "eebb00" + description: >- + Denotes a PR that changes 30-99 lines, ignoring generated files. +- name: size/L + color: "ee9900" + description: >- + Denotes a PR that changes 100-499 lines, ignoring generated files. +- name: size/XL + color: "ee5500" + description: >- + Denotes a PR that changes 500-999 lines, ignoring generated files. +- name: size/XXL + color: "ee0000" + description: >- + Denotes a PR that changes 1000+ lines, ignoring generated files. +# Uncategorized +- name: bug + color: "ee0701" +- name: do-not-merge + color: "ee0701" +- name: docs + color: "F4D1B7" +- name: enhancement + color: "84b6eb" +- name: link-checker + color: "7B55D7" +- name: question + color: "cc317c" 
diff --git a/.github/linters/.ansible-lint b/.github/linters/.ansible-lint new file mode 100644 index 00000000..1a8e36ab --- /dev/null +++ b/.github/linters/.ansible-lint @@ -0,0 +1,3 @@ +# .ansible-lint +warn_list: + - unnamed-task diff --git a/.github/linters/.markdownlint.yaml b/.github/linters/.markdownlint.yaml new file mode 100644 index 00000000..3443fa75 --- /dev/null +++ b/.github/linters/.markdownlint.yaml @@ -0,0 +1,23 @@ +--- +default: true + +# MD013/line-length - Line length +MD013: + # Number of characters + line_length: 240 + # Number of characters for headings + heading_line_length: 80 + # Number of characters for code blocks + code_block_line_length: 80 + # Include code blocks + code_blocks: true + # Include tables + tables: true + # Include headings + headings: true + # Include headings + headers: true + # Strict length checking + strict: false + # Stern length checking + stern: false diff --git a/.github/linters/.prettierignore b/.github/linters/.prettierignore new file mode 100644 index 00000000..c189f02b --- /dev/null +++ b/.github/linters/.prettierignore @@ -0,0 +1,7 @@ +charts/ +docs/ +.private/ +.terraform/ +.vscode/ +*.sops.* +talos/cni/install.yaml diff --git a/.github/linters/.prettierrc.yaml b/.github/linters/.prettierrc.yaml new file mode 100644 index 00000000..2e643f08 --- /dev/null +++ b/.github/linters/.prettierrc.yaml @@ -0,0 +1,7 @@ +--- +trailingComma: "es5" +tabWidth: 2 +semi: false +singleQuote: false +bracketSpacing: false +useTabs: false diff --git a/server/terraform/outputs.tf b/.github/linters/.tflint.hcl similarity index 100% rename from server/terraform/outputs.tf rename to .github/linters/.tflint.hcl diff --git a/.github/yamllint.config.yaml b/.github/linters/.yamllint.yaml similarity index 64% rename from .github/yamllint.config.yaml rename to .github/linters/.yamllint.yaml index e82fee5f..fc09698c 100644 --- a/.github/yamllint.config.yaml +++ b/.github/linters/.yamllint.yaml 
@@ -1,10 +1,16 @@ +--- ignore: | - .github/ - crds.yaml + charts/ + docs/ + .private/ + .terraform/ + .vscode/ + *.sops.* + talos/cni/install.yaml extends: default rules: truthy: - allowed-values: ['true', 'false', 'on', 'yes'] + allowed-values: ["true", "false", "on"] comments: min-spaces-from-content: 1 line-length: disable diff --git a/.github/renovate.json5 b/.github/renovate.json5 index cc386227..6d8a5533 100644 --- a/.github/renovate.json5 +++ b/.github/renovate.json5 
@@ -1,210 +1,95 @@ { - "enabled": true, - "timezone": "America/Chicago", - "semanticCommits": "enabled", - "dependencyDashboard": true, - "dependencyDashboardTitle": "Renovate Dashboard", - "commitBody": "Signed-off-by: Toboshii Nakama ", - // do not notify on closed unmerged PRs + "extends": [ + "config:base", + "docker:enableMajor", + ":disableRateLimiting", + ":dependencyDashboard", + ":semanticCommits", + ":enablePreCommit", + ":automergeDigest", + ":automergeBranchPush", + "github>toboshii/home-ops//.github/renovate/allowedVersions.json5", + "github>toboshii/home-ops//.github/renovate/autoMerge.json5", + "github>toboshii/home-ops//.github/renovate/commitMessage.json5", + "github>toboshii/home-ops//.github/renovate/groups.json5", + "github>toboshii/home-ops//.github/renovate/labels.json5", + "github>toboshii/home-ops//.github/renovate/semanticCommits.json5" + ], + "platform": "github", + "username": "chii-bot[bot]", + "repositories": ["toboshii/home-ops"], + "onboarding": false, + "requireConfig": false, + "gitAuthor": "chii-bot <109454249+chii-bot[bot]@users.noreply.github.com>", + "dependencyDashboardTitle": "Renovate Dashboard 🤖", "suppressNotifications": ["prIgnoreNotification"], - // only rebase PRs when there's a conflict "rebaseWhen": "conflicted", + "commitBodyTable": true, + "ignoreDeps": [ + "ghcr.io/fluxcd/helm-controller", + "ghcr.io/fluxcd/image-automation-controller", + "ghcr.io/fluxcd/image-reflector-controller", + "ghcr.io/fluxcd/kustomize-controller", + "ghcr.io/fluxcd/notification-controller", + "ghcr.io/fluxcd/source-controller" + ], + "docker-compose": { + "fileMatch": ["ansible/.+/docker-compose.*\\.ya?ml(\\.j2)?$"] + }, + "flux": { + "fileMatch": ["cluster/.+\\.ya?ml$"] + }, "helm-values": { - "fileMatch": [ - "cluster/.+/helm-release\\.yaml$", - ], + "fileMatch": ["cluster/.+\\.ya?ml$"] }, "kubernetes": { - "fileMatch": [ - "cluster/.+\\.yaml$", - ], - "ignorePaths": [ - "cluster/base/", - ], + "fileMatch": ["cluster/.+\\.ya?ml$"] }, 
"regexManagers": [ - // regexManager to read and process HelmRelease files { + "description": "Process CRD dependencies", + "fileMatch": ["cluster/crds/.+\\.ya?ml$"], + "matchStrings": [ + // GitRepository where 'Git release/tag' matches 'Helm' version + "registryUrl=(?\\S+) chart=(?\\S+)\n.*?(?[^-\\s]*)\n", + // Kustomization where 'GitHub release artifact URL' matches 'Docker image' version + "datasource=(?\\S+) image=(?\\S+)\n.*?-\\s(.*?)\/(?[^/]+)\/[^/]+\n" + ], + "datasourceTemplate": "{{#if datasource}}{{{datasource}}}{{else}}helm{{/if}}" + }, + { + "description": "Process various dependencies", "fileMatch": [ - "cluster/.+\\.yaml$" + "ansible/.+\\.ya?ml$", + "cluster/.+\\.ya?ml$" ], "matchStrings": [ - // helm releases - "registryUrl=(?.*?)\n *chart: (?.*?)\n *version: (?.*)\n", + "datasource=(?\\S+) depName=(?\\S+)( versioning=(?\\S+))?\n.*?\"(?.*)\"\n" ], - "datasourceTemplate": "helm" + "datasourceTemplate": "{{#if datasource}}{{{datasource}}}{{else}}github-releases{{/if}}", + "versioningTemplate": "{{#if versioning}}{{{versioning}}}{{else}}semver{{/if}}" }, - // regexManager to read and process cert-manager CRD's { - "fileMatch": [ - "cluster/crds/cert-manager/.+\\.yaml$" - ], + "description": "Process raw GitHub URLs", + "fileMatch": ["cluster/.+\\.ya?ml$"], "matchStrings": [ - "registryUrl=(?.*?) chart=(?.*?)\n.*\\/(?.*?)\\/", + "https:\\/\\/raw.githubusercontent.com\\/(?[\\w\\d\\-_]+\\/[\\w\\d\\-_]+)\\/(?[\\w\\d\\.\\-_]+)\\/.*" ], - "datasourceTemplate": "helm" - }, - // regexManager to read and process kube-prometheus-stack CRD's - { - "fileMatch": [ - "cluster/crds/kube-prometheus-stack/.+\\.yaml$" - ], - "matchStrings": [ - "registryUrl=(?.*?)\n *tag: (?[a-zA-Z-]+)-(?.*)\n", - ], - "datasourceTemplate": "helm" - }, - // regexManager to read and process Traefik CRD's - { - "fileMatch": [ - "cluster/crds/traefik/.+\\.yaml$" - ], - "matchStrings": [ - "registryUrl=(?.*?) 
chart=(?.*?)\n *tag: v(?.*)\n", - ], - "datasourceTemplate": "helm" - }, - // regexManager to read and process Rook-Ceph CRD's - { - "fileMatch": [ - "cluster/crds/rook-ceph/.+\\.yaml$" - ], - "matchStrings": [ - "registryUrl=(?.*?) chart=(?.*?)\n *tag: (?.*)\n", - ], - "datasourceTemplate": "helm" - }, + "datasourceTemplate": "github-releases", + "versioningTemplate": "semver" + } ], "packageRules": [ - // Setup datasources { - "matchDatasources": ["helm"], - "semanticCommitScope": "charts", - "commitMessageTopic": "{{depName}}", - "commitMessageExtra": "to {{{newValue}}}", - "separateMinorPatch": true, - "ignoreDeprecated": true, - }, - { - "matchDatasources": ["docker"], - "enabled": true, - "matchUpdateTypes": ["major", "minor", "patch"], - }, - { - "matchDatasources": ["docker"], - "semanticCommitScope": "images", - "commitMessageTopic": "{{depName}}", - "commitMessageExtra": "to {{{newValue}}}", - "separateMinorPatch": true, - }, - // Add labels according to package and update types - { - "matchDatasources": ["docker"], - "matchUpdateTypes": ["major"], - "commitMessagePrefix": "feat(images)!: ", - "labels": ["renovate/image", "dep/major"], - }, - { - "matchDatasources": ["docker"], - "matchUpdateTypes": ["minor"], - "semanticCommitType": "feat", - "labels": ["renovate/image", "dep/minor"], - }, - { - "matchDatasources": ["docker"], - "matchUpdateTypes": ["patch"], - "semanticCommitType": "fix", - "labels": ["renovate/image", "dep/patch"], - }, - { - "matchDatasources": ["helm"], - "matchUpdateTypes": ["major"], - "commitMessagePrefix": "feat(charts)!: ", - "labels": ["renovate/helm", "dep/major"], - }, - { - "matchDatasources": ["helm"], - "matchUpdateTypes": ["minor"], - "semanticCommitType": "feat", - "labels": ["renovate/helm", "dep/minor"], - }, - { - "matchDatasources": ["helm"], - "matchUpdateTypes": ["patch"], - "semanticCommitType": "fix", - "labels": ["renovate/helm", "dep/patch"], - }, - // custom version schemes - { - "matchDatasources": 
["docker"], - "versioning": "regex:^(?\\d+)\\.(?\\d+)\\.(?\\d+)-(?.*)$", - "matchPackageNames": ["blakeblackshear/frigate"], - }, - { - "matchDatasources": ["docker"], - "versioning": "regex:^RELEASE\\.(?\\d+)-(?\\d+)-(?\\d+)T.*Z(-(?.*))?$", - "matchPackageNames": ["minio/minio"], - }, - // pin package versions - { - "matchDatasources": ["docker"], - "allowedVersions": "<13", - "matchPackageNames": [ - "postgres", - "prodrigestivill/postgres-backup-local", - ], - }, - { - "matchDatasources": ["docker"], - "allowedVersions": "<2", - "matchPackageNames": [ - "influxdb", - ] - }, - // { - // "matchDatasources": ["helm"], - // "allowedVersions": "<15", - // "matchPackageNames": ["kube-prometheus-stack"] - // }, - // version strategies - { - "matchDatasources": ["docker"], + "description": "Use loose versioning for certain dependencies", + "matchDatasources": ["docker", "github-releases"], "versioning": "loose", "matchPackageNames": [ - "ghcr.io/k8s-at-home/plex", - "ghcr.io/k8s-at-home/qbittorrent", - ], - }, - // enable auto-merge - { - "matchDatasources": ["docker"], - "automerge": true, - "automergeType": "branch", - "requiredStatusChecks": null, - "matchUpdateTypes": ["minor", "patch"], - "matchPackageNames": [ - "ghcr.io/k8s-at-home/jackett", - "ghcr.io/k8s-at-home/prowlarr", - ], - }, - { - "matchDatasources": ["helm", "docker"], - "matchPackagePatterns": ["^rook.ceph"], - "groupName": "rook-ceph-suite", - "additionalBranchPrefix": "", - }, - { - "matchDatasources": ["docker"], - "allowedVersions": "16.2.5", - "matchPackageNames": ["ceph/ceph"], - }, - { - "matchPackageNames": [ - "rancher/system-upgrade-controller" - ], - "groupName": "rancher/system-upgrade-controller", - "additionalBranchPrefix": "", - "separateMinorPatch": true, - }, - ], + "ghcr.io/onedr0p/emby", + "ghcr.io/onedr0p/plex", + "ghcr.io/onedr0p/qbittorrent", + "Hypfer/Valetudo" + ] + } + ] } 
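Review bot: `:automergeDigest` and `:automergeBranchPush` in `extends` apply repo-wide, so every docker digest update is pushed directly to the default branch once status checks pass, with no pull request to review; the scoped rules in the separately added autoMerge.json5 are therefore not the only automerge path. If that is intended, a comment next to the two presets would help the next maintainer, e.g. `// digest bumps for every image are pushed straight to the default branch on green CI`. Separately, the "Process raw GitHub URLs" matchString leaves the dots in `raw.githubusercontent.com` unescaped, so they match any character; `raw\\.githubusercontent\\.com` is the stricter form.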
diff --git a/.github/renovate/allowedVersions.json5 b/.github/renovate/allowedVersions.json5 new file mode 100644 index 00000000..57e8a3d0 --- /dev/null +++ b/.github/renovate/allowedVersions.json5 @@ -0,0 +1,9 @@ +{ + "packageRules": [ + { + "matchDatasources": ["docker"], + "matchPackageNames": ["docker.io/kopia/kopia"], + "allowedVersions": "<10" + } + ] +} diff --git a/.github/renovate/autoMerge.json5 b/.github/renovate/autoMerge.json5 new file mode 100644 index 00000000..2fff2327 --- /dev/null +++ b/.github/renovate/autoMerge.json5 @@ -0,0 +1,40 @@ +{ + "packageRules": [ + { + "description": "Auto merge container digests", + "matchDatasources": ["docker"], + "automerge": true, + "automergeType": "branch", + "requiredStatusChecks": null, + "matchUpdateTypes": ["digest"], + "matchPackagePattern": ["ghcr.io/k8s-at-home","ghcr.io/onedr0p"] + }, + { + "description": "Auto merge containers", + "matchDatasources": ["docker"], + "automerge": true, + "automergeType": "branch", + "requiredStatusChecks": null, + "matchUpdateTypes": ["minor", "patch"], + "matchPackageNames": ["ghcr.io/onedr0p/prowlarr-nightly"] + }, + { + "description": "Auto merge GitHub Actions", + "matchDatasources": ["github-tags"], + "automerge": true, + "automergeType": "branch", + "requiredStatusChecks": null, + "matchUpdateTypes": ["minor", "patch"], + "matchPackageNames": ["lycheeverse/lychee-action", "renovatebot/github-action"] + }, + { + "description": "Auto merge Helm charts", + "matchDatasources": ["helm"], + "automerge": true, + "automergeType": "branch", + "requiredStatusChecks": null, + "matchUpdateTypes": ["minor", "patch"], + "matchPackageNames": ["minio"] + } + ] +} diff --git a/.github/renovate/commitMessage.json5 b/.github/renovate/commitMessage.json5 new file mode 100644 index 00000000..a69173fe --- /dev/null +++ b/.github/renovate/commitMessage.json5 
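Review bot: `matchPackagePattern` in the "Auto merge container digests" rule is not a Renovate option (the option is `matchPackagePatterns`), so the intended restriction to `ghcr.io/k8s-at-home` and `ghcr.io/onedr0p` is lost; depending on how Renovate treats the unknown key, the rule either fails validation or automerges every docker digest update. The line should read `"matchPackagePatterns": ["ghcr.io/k8s-at-home", "ghcr.io/onedr0p"]`. Every rule in this file also sets `requiredStatusChecks: null`, which tells Renovate not to wait for CI; combined with `automergeType: branch` this lands the new digest or version on the default branch with neither review nor a passing check, which is worth stating in each `description` so it is clearly deliberate.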
@@ -0,0 +1,15 @@ +{ + "commitMessageTopic": "{{depName}}", + "commitMessageExtra": "to {{newVersion}}", + "commitMessageSuffix": "", + "packageRules": [ + { + "matchDatasources": ["helm"], + "commitMessageTopic": "chart {{depName}}" + }, + { + "matchDatasources": ["docker"], + "commitMessageTopic": "image {{depName}}" + } + ] +} diff --git a/.github/renovate/groups.json5 b/.github/renovate/groups.json5 new file mode 100644 index 00000000..95844df7 --- /dev/null +++ b/.github/renovate/groups.json5 
@@ -0,0 +1,54 @@ +{ + "packageRules": [ + { + "description": "Cert-Manager image (for CRDs) and chart", + "groupName": "Cert-Manager", + "matchPackagePatterns": ["cert-manager"], + "matchDatasources": ["docker", "helm"], + "group": { "commitMessageTopic": "{{{groupName}}} group" }, + "separateMinorPatch": true + }, + { + "description": "External Snapshotter kustomization (for CRDs) and chart", + "groupName": "External Snapshotter", + "matchPackagePatterns": ["external-snapshotter", "snapshot-controller"], + "matchDatasources": ["docker", "github-tags"], + "group": { "commitMessageTopic": "{{{groupName}}} group" }, + "separateMinorPatch": true + }, + { + "description": "Node Feature Discovery kustomization (for CRDs) and chart", + "groupName": "Node Feature Discovery", + "matchPackagePatterns": ["node-feature-discovery"], + "matchDatasources": ["helm", "github-tags"], + "group": { "commitMessageTopic": "{{{groupName}}} group" }, + "separateMinorPatch": true + }, + { + "description": "Rook-Ceph image and chart", + "groupName": "Rook-Ceph", + "matchPackagePatterns": ["rook.ceph"], + "matchDatasources": ["docker", "helm"], + "group": { "commitMessageTopic": "{{{groupName}}} group" }, + "separateMinorPatch": true + }, + { + "description": "Thanos image and chart - mismatched versions", + "groupName": "Thanos", + "matchPackagePatterns": ["thanos"], + "matchDatasources": ["docker", "github-releases", "helm"], + "matchUpdateTypes": ["minor", "patch"], + "group": { "commitMessageTopic": "{{{groupName}}} group" }, + "separateMinorPatch": false + }, + { + "description": "Vector image and chart - mismatched versions", + "groupName": "Vector", + "matchPackagePatterns": ["vector"], + "matchDatasources": ["docker", "github-releases", "helm"], + "matchUpdateTypes": ["minor", "patch"], + "group": { "commitMessageTopic": "{{{groupName}}} group" }, + "separateMinorPatch": false + } + ] +} 
diff --git a/.github/renovate/labels.json5 b/.github/renovate/labels.json5 new file mode 100644 index 00000000..be4f539e --- /dev/null +++ b/.github/renovate/labels.json5 @@ -0,0 +1,44 @@ +{ + "packageRules": [ + { + "matchUpdateTypes": ["major"], + "labels": ["type/major"] + }, + { + "matchUpdateTypes": ["minor"], + "labels": ["type/minor"] + }, + { + "matchUpdateTypes": ["patch"], + "labels": ["type/patch"] + }, + { + "matchDatasources": ["docker"], + "addLabels": ["renovate/container"] + }, + { + "matchDatasources": ["helm"], + "addLabels": ["renovate/helm"] + }, + { + "matchDatasources": ["galaxy", "galaxy-collection"], + "addLabels": ["renovate/ansible"] + }, + { + "matchDatasources": ["terraform-provider"], + "addLabels": ["renovate/terraform"] + }, + { + "matchDatasources": ["github-releases", "github-tags"], + "addLabels": ["renovate/github-release"] + }, + { + "matchManagers": ["github-actions"], + "addLabels": ["renovate/github-action"] + }, + { + "matchDatasources": ["pypi"], + "addLabels": ["renovate/pip"] + } + ] +} diff --git a/.github/renovate/semanticCommits.json5 b/.github/renovate/semanticCommits.json5 new file mode 100644 index 00000000..5c454b03 --- /dev/null +++ b/.github/renovate/semanticCommits.json5 
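Review bot: the last rule adds the label `renovate/pip`, but the labels.yaml added in this commit defines no such label (it has renovate/ansible, container, github-action, github-release, helm and terraform), so the label is either created ad hoc outside the synced set or not applied, depending on the platform. Either add `- name: renovate/pip` with a `color` to labels.yaml or drop this rule.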
@@ -0,0 +1,125 @@ +{ + "packageRules": [ + { + "matchDatasources": ["docker"], + "matchUpdateTypes": ["major"], + "commitMessagePrefix": "feat(container)!: " + }, + { + "matchDatasources": ["docker"], + "matchUpdateTypes": ["minor"], + "semanticCommitType": "feat", + "semanticCommitScope": "container" + }, + { + "matchDatasources": ["docker"], + "matchUpdateTypes": ["digest", "patch"], + "semanticCommitType": "fix", + "semanticCommitScope": "container" + }, + { + "matchDatasources": ["helm"], + "matchUpdateTypes": ["major"], + "commitMessagePrefix": "feat(helm)!: " + }, + { + "matchDatasources": ["helm"], + "matchUpdateTypes": ["minor"], + "semanticCommitType": "feat", + "semanticCommitScope": "helm" + }, + + { + "matchDatasources": ["helm"], + "matchUpdateTypes": ["patch"], + "semanticCommitType": "fix", + "semanticCommitScope": "helm" + }, + { + "matchDatasources": ["galaxy", "galaxy-collection"], + "matchUpdateTypes": ["major"], + "commitMessagePrefix": "feat(ansible)!: " + }, + { + "matchDatasources": ["galaxy", "galaxy-collection"], + "matchUpdateTypes": ["minor"], + "semanticCommitType": "feat", + "semanticCommitScope": "ansible" + }, + + { + "matchDatasources": ["galaxy", "galaxy-collection"], + "matchUpdateTypes": ["patch"], + "semanticCommitType": "fix", + "semanticCommitScope": "ansible" + }, + { + "matchDatasources": ["terraform-provider"], + "matchUpdateTypes": ["major"], + "commitMessagePrefix": "feat(terraform)!: " + }, + { + "matchDatasources": ["terraform-provider"], + "matchUpdateTypes": ["minor"], + "semanticCommitType": "feat", + "semanticCommitScope": "terraform" + }, + { + "matchDatasources": ["terraform-provider"], + "matchUpdateTypes": ["patch"], + "semanticCommitType": "fix", + "semanticCommitScope": "terraform" + }, + { + "matchDatasources": ["github-releases", "github-tags"], + "matchUpdateTypes": ["major"], + "commitMessagePrefix": "feat(github-release)!: " + }, + { + "matchDatasources": ["github-releases", "github-tags"], + 
"matchUpdateTypes": ["minor"], + "semanticCommitType": "feat", + "semanticCommitScope": "github-release" + }, + { + "matchDatasources": ["github-releases", "github-tags"], + "matchUpdateTypes": ["patch"], + "semanticCommitType": "fix", + "semanticCommitScope": "github-release" + }, + { + "matchManagers": ["github-actions"], + "matchUpdateTypes": ["major"], + "commitMessagePrefix": "feat(github-action)!: " + }, + { + "matchManagers": ["github-actions"], + "matchUpdateTypes": ["minor"], + "semanticCommitType": "feat", + "semanticCommitScope": "github-action" + }, + { + "matchManagers": ["github-actions"], + "matchUpdateTypes": ["patch"], + "semanticCommitType": "fix", + "semanticCommitScope": "github-action" + }, + { + "matchDatasources": ["pypi"], + "matchUpdateTypes": ["major"], + "commitMessagePrefix": "feat(pip)!: " + }, + { + "matchDatasources": ["pypi"], + "matchUpdateTypes": ["minor"], + "semanticCommitType": "feat", + "semanticCommitScope": "pip" + }, + { + "matchDatasources": ["pypi"], + "matchUpdateTypes": ["patch"], + "semanticCommitType": "fix", + "semanticCommitScope": "pip" + } + ] +} diff --git a/.github/scripts/cloudflare-proxied-networks.sh b/.github/scripts/cloudflare-proxied-networks.sh new file mode 100755 index 00000000..0461af06 --- /dev/null +++ b/.github/scripts/cloudflare-proxied-networks.sh 
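Review bot: there are stray blank lines inside the `packageRules` array before the helm `patch` rule and the ansible `patch` rule, breaking the otherwise uniform one-rule-per-block layout used by the rest of the file; remove them so the twenty-odd rules read as a regular table.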
@@ -0,0 +1,26 @@ +#!/usr/bin/env bash + +# Get all local networks +# ipv4_rfc1918='[ "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16" ]' + +# Get all cloudflare ipv4 ranges in an array +ipv4_cloudflare="$(curl -sL https://www.cloudflare.com/ips-v4 | jq --raw-input --slurp 'split("\n")')" +if [[ -z "${ipv4_cloudflare}" ]]; then + exit 1 +fi + +# Get all cloudflare ipv6 ranges in an array +ipv6_cloudflare="$(curl -sL https://www.cloudflare.com/ips-v6 | jq --raw-input --slurp 'split("\n")')" +if [[ -z "${ipv6_cloudflare}" ]]; then + exit 1 +fi + +# Merge rfc1918 ipv4, cloudflare ipv4, and cloudflare ipv6 ranges into one array +combined=$(jq \ + --argjson ipv4_cloudflare "${ipv4_cloudflare}" \ + --argjson ipv6_cloudflare "${ipv6_cloudflare}" \ + -n '$ipv4_cloudflare + $ipv6_cloudflare' \ +) + +# Output array as a string with \, as delimiter +echo "${combined}" | jq --raw-output '. | join("\\,")' diff --git a/.github/scripts/container-parser.sh b/.github/scripts/container-parser.sh new file mode 100755 index 00000000..473a06c4 --- /dev/null +++ b/.github/scripts/container-parser.sh 
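Review bot: both `curl -sL` calls omit `--fail`, so an HTTP error page from cloudflare.com is a non-empty body that passes the `-z` check and is split into the range list, and the script then emits whatever it received as if it were CIDRs. The `split("\n")` also keeps a trailing empty string from the final newline. Use `curl -fsSL https://www.cloudflare.com/ips-v4 | jq --raw-input --slurp 'split("\n") | map(select(length > 0))'` (same for ips-v6), and add `set -euo pipefail` after the shebang so a failing curl is not masked by the `jq` after it. The output is presumably consumed as a list of trusted proxy ranges, so a wrong list here propagates downstream; confirm against the caller.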
@@ -0,0 +1,124 @@ +#!/usr/bin/env bash + +# shellcheck source=/dev/null +source "$(dirname "${0}")/lib/functions.sh" + +set -o errexit +set -o nounset +set -o pipefail +shopt -s lastpipe + +show_help() { +cat << EOF +Usage: $(basename "$0") + -h, --help Display help + -f, --file File to scan for container images + --nothing Enable nothing mode +EOF +} + +main() { + local file= + local nothing= + parse_command_line "$@" + check "jo" + check "jq" + check "yq" + entry +} + +parse_command_line() { + while :; do + case "${1:-}" in + -h|--help) + show_help + exit + ;; + -f|--file) + if [[ -n "${2:-}" ]]; then + file="$2" + shift + else + echo "ERROR: '-f|--file' cannot be empty." >&2 + show_help + exit 1 + fi + ;; + --nothing) + nothing=1 + ;; + *) + break + ;; + esac + shift + done + + if [[ -z "$file" ]]; then + echo "ERROR: '-f|--file' is required." >&2 + show_help + exit 1 + fi + + if [[ -z "$nothing" ]]; then + nothing=0 + fi +} + +entry() { + # create new array to hold the images + images=() + + # look in hydrated flux helm releases + chart_registry_url=$(chart_registry_url "${file}") + chart_name=$(yq eval-all .spec.chart.spec.chart "${file}" 2>/dev/null) + if [[ -n ${chart_registry_url} && -n "${chart_name}" && ! "${chart_name}" =~ "null" ]]; then + chart_version=$(yq eval .spec.chart.spec.version "${file}" 2>/dev/null) + chart_values=$(yq eval .spec.values "${file}" 2>/dev/null) + pushd "$(mktemp -d)" > /dev/null 2>&1 + helm repo add main "${chart_registry_url}" > /dev/null 2>&1 + helm pull "main/${chart_name}" --untar --version "${chart_version}" + resources=$(echo "${chart_values}" | helm template "${chart_name}" "${chart_name}" --version "${chart_version}" -f -) + popd > /dev/null 2>&1 + images+=("$(echo "${resources}" | yq eval-all '.spec.template.spec.containers.[].image' -)") + helm repo remove main > /dev/null 2>&1 + fi + + # look in helm values + images+=("$(yq eval-all '[.. 
| select(has("repository")) | select(has("tag"))] | .[] | .repository + ":" + .tag' "${file}" 2>/dev/null)") + + # look in kubernetes deployments, statefulsets and daemonsets + images+=("$(yq eval-all '.spec.template.spec.containers.[].image' "${file}" 2>/dev/null)") + + # look in kubernetes pods + images+=("$(yq eval-all '.spec.containers.[].image' "${file}" 2>/dev/null)") + + # look in kubernetes cronjobs + images+=("$(yq eval-all '.spec.jobTemplate.spec.template.spec.containers.[].image' "${file}" 2>/dev/null)") + + # look in docker compose + images+=("$(yq eval-all '.services.*.image' "${file}" 2>/dev/null)") + + # remove duplicate values xD + IFS=" " read -r -a images <<< "$(tr ' ' '\n' <<< "${images[@]}" | sort -u | tr '\n' ' ')" + + # create new array to hold the parsed images + parsed_images=() + # loop thru the images removing any invalid items + for i in "${images[@]}"; do + # loop thru each image and split on new lines (for when yq finds multiple containers in the same file) + for b in ${i//\\n/ }; do + if [[ -z "${b}" || "${b}" == "null" || "${b}" == "---" ]]; then + continue + fi + parsed_images+=("${b}") + done + done + # check if parsed_images array has items + if (( ${#parsed_images[@]} )); then + # convert the bash array to json and wrap array in an containers object + jo -a "${parsed_images[@]}" | jq -c '{containers: [(.[])]}' + fi +} + +main "$@" diff --git a/.github/scripts/helm-release-differ.sh b/.github/scripts/helm-release-differ.sh new file mode 100755 index 00000000..8d7543ef --- /dev/null +++ b/.github/scripts/helm-release-differ.sh 
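Review bot: `entry` leaves state behind on every path: the `mktemp -d` directory is never removed, and because the script runs with `errexit`, a failing `helm pull` or `helm template` exits before `helm repo remove main`, leaving the `main` repository entry in the runner's helm config. Capture the directory and clean up with a trap, e.g. `workdir="$(mktemp -d)"`, `trap 'rm -rf "${workdir}"; helm repo remove main >/dev/null 2>&1 || true' EXIT`, then `pushd "${workdir}"`. The registry URL and chart name are read from the scanned file via `chart_registry_url`, so when this runs against pull-request content the fetch target is whatever that content declares — expected for this tool, but worth a comment above the `helm repo add`.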
@@ -0,0 +1,175 @@ +#!/usr/bin/env bash + +# shellcheck source=/dev/null +source "$(dirname "${0}")/lib/functions.sh" + +set -o errexit +set -o nounset +set -o pipefail +shopt -s lastpipe + +show_help() { +cat << EOF +Usage: $(basename "$0") + -h, --help Display help + --source-file Original helm release + --target-file New helm release + --remove-common-labels Remove common labels from manifests +EOF +} + +main() { + local source_file= + local target_file= + local remove_common_labels= + parse_command_line "$@" + check "helm" + check "yq" + entry +} + +parse_command_line() { + while :; do + case "${1:-}" in + -h|--help) + show_help + exit + ;; + --source-file) + if [[ -n "${2:-}" ]]; then + source_file="$2" + shift + else + echo "ERROR: '--source-file' cannot be empty." >&2 + show_help + exit 1 + fi + ;; + --target-file) + if [[ -n "${2:-}" ]]; then + target_file="$2" + shift + else + echo "ERROR: '--target-file' cannot be empty." >&2 + show_help + exit 1 + fi + ;; + --remove-common-labels) + remove_common_labels=true + ;; + *) + break + ;; + esac + shift + done + + if [[ -z "${source_file}" ]]; then + echo "ERROR: '--source-file' is required." >&2 + show_help + exit 1 + fi + + if [[ $(yq eval .kind "${source_file}" 2>/dev/null) != "HelmRelease" ]]; then + echo "ERROR: '--source-file' is not a HelmRelease" + show_help + exit 1 + fi + + if [[ -z "${target_file}" ]]; then + echo "ERROR: '--target-file' is required." 
>&2 + show_help + exit 1 + fi + + if [[ $(yq eval .kind "${target_file}" 2>/dev/null) != "HelmRelease" ]]; then + echo "ERROR: '--target-file' is not a HelmRelease" + show_help + exit 1 + fi + + if [[ -z "$remove_common_labels" ]]; then + remove_common_labels=false + fi +} + +_resources() { + local chart_name=${1} + local chart_version=${2} + local chart_registry_url=${3} + local chart_values=${4} + local resources= + + helm repo add main "${chart_registry_url}" > /dev/null 2>&1 + pushd "$(mktemp -d)" > /dev/null 2>&1 + helm pull "main/${chart_name}" --untar --version "${chart_version}" + resources=$(echo "${chart_values}" | helm template "${chart_name}" "${chart_name}" --version "${chart_version}" -f -) + if [[ "${remove_common_labels}" == "true" ]]; then + labels='.metadata.labels."helm.sh/chart"' + labels+=',.metadata.labels.chart' + labels+=',.metadata.labels."app.kubernetes.io/version"' + labels+=',.spec.template.metadata.labels."helm.sh/chart"' + labels+=',.spec.template.metadata.labels.chart' + labels+=',.spec.template.metadata.labels."app.kubernetes.io/version"' + echo "${resources}" | yq eval "del($labels)" - + else + echo "${resources}" + fi + popd > /dev/null 2>&1 + helm repo remove main > /dev/null 2>&1 +} + +entry() { + local comments= + + source_chart_name=$(chart_name "${source_file}") + source_chart_version=$(chart_version "${source_file}") + source_chart_registry_url=$(chart_registry_url "${source_file}") + source_chart_values=$(chart_values "${source_file}") + source_resources=$(_resources "${source_chart_name}" "${source_chart_version}" "${source_chart_registry_url}" "${source_chart_values}") + echo "${source_resources}" > /tmp/source_resources + + target_chart_version=$(chart_version "${target_file}") + target_chart_name=$(chart_name "${target_file}") + target_chart_registry_url=$(chart_registry_url "${target_file}") + target_chart_values=$(chart_values "${target_file}") + target_resources=$(_resources "${target_chart_name}" 
"${target_chart_version}" "${target_chart_registry_url}" "${target_chart_values}") + echo "${target_resources}" > /tmp/target_resources + + # Diff the files and always return true + diff -u /tmp/source_resources /tmp/target_resources > /tmp/diff || true + # Remove the filenames + sed -i -e '1,2d' /tmp/diff + + # Store the comment in an array + comments=() + + # shellcheck disable=SC2016 + comments+=( "$(printf 'Path: `%s`' "${target_file}")" ) + if [[ "${source_chart_name}" != "${target_chart_name}" ]]; then + # shellcheck disable=SC2016 + comments+=( "$(printf 'Chart: `%s` -> `%s`' "${source_chart_name}" "${target_chart_name}")" ) + fi + if [[ "${source_chart_version}" != "${target_chart_version}" ]]; then + # shellcheck disable=SC2016 + comments+=( "$(printf 'Version: `%s` -> `%s`' "${source_chart_version}" "${target_chart_version}")" ) + fi + if [[ "${source_chart_registry_url}" != "${target_chart_registry_url}" ]]; then + # shellcheck disable=SC2016 + comments+=( "$(printf 'Registry URL: `%s` -> `%s`' "${source_chart_registry_url}" "${target_chart_registry_url}")" ) + fi + comments+=( "$(printf '\n\n')" ) + if [[ -f /tmp/diff && -s /tmp/diff ]]; then + # shellcheck disable=SC2016 + comments+=( "$(printf '```diff\n%s\n```' "$(cat /tmp/diff)")" ) + else + # shellcheck disable=SC2016 + comments+=( "$(printf '```\nNo changes in detected in resources\n```')" ) + fi + + # Join the array with a new line and print it + printf "%s\n" "${comments[@]}" +} + +main "$@" diff --git a/.github/scripts/lib/functions.sh b/.github/scripts/lib/functions.sh new file mode 100644 index 00000000..d0f68953 --- /dev/null +++ b/.github/scripts/lib/functions.sh 
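Review bot: `entry` writes to the fixed paths `/tmp/source_resources`, `/tmp/target_resources` and `/tmp/diff`, so two invocations on the same host clobber each other (a matrix job diffing several HelmReleases in parallel would race), and a pre-existing file or symlink at those names is followed by the `>` redirect. Use a per-run `mktemp -d` directory and remove it on exit; the changed lines are below. Two smaller points: the two `is not a HelmRelease` errors in `parse_command_line` go to stdout while every other error there uses `>&2`, and `_resources` adds the `main` helm repo but under `errexit` the `helm repo remove main` is skipped if `helm pull` fails.

```shell
entry() {
  local comments=
  local workdir
  workdir="$(mktemp -d)"
  trap 'rm -rf "${workdir}"' EXIT

  # … unchanged: source_* lookups and _resources call …
  echo "${source_resources}" > "${workdir}/source_resources"

  # … unchanged: target_* lookups and _resources call …
  echo "${target_resources}" > "${workdir}/target_resources"

  # Diff the files and always return true
  diff -u "${workdir}/source_resources" "${workdir}/target_resources" > "${workdir}/diff" || true
  # Remove the filenames
  sed -i -e '1,2d' "${workdir}/diff"

  # … unchanged: comment assembly, with /tmp/diff replaced by "${workdir}/diff" …
```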
@@ -0,0 +1,47 @@
+#!/usr/bin/env bash
+
+set -o errexit
+set -o nounset
+set -o pipefail
+shopt -s lastpipe
+
+check() {
+ command -v "${1}" >/dev/null 2>&1 || {
+ echo >&2 "ERROR: ${1} is not installed or not found in \$PATH" >&2
+ exit 1
+ }
+}
+
+chart_registry_url() {
+ local helm_release=
+ local chart_id=
+ helm_release="${1}"
+ chart_id=$(yq eval .spec.chart.spec.sourceRef.name "${helm_release}" 2>/dev/null)
+ # Discover all HelmRepository
+ find . -iname '*-charts.yaml' -type f -print0 | while IFS= read -r -d '' file; do
+ # Skip non HelmRepository
+ [[ $(yq eval .kind "${file}" 2>/dev/null) != "HelmRepository" ]] && continue
+ # Skip unrelated HelmRepository
+ [[ "${chart_id}" != $(yq eval .metadata.name "${file}" 2>/dev/null) ]] && continue
+ yq eval .spec.url "${file}"
+ break
+ done
+}
+
+chart_name() {
+ local helm_release=
+ helm_release="${1}"
+ yq eval .spec.chart.spec.chart "${helm_release}" 2>/dev/null
+}
+
+chart_version() {
+ local helm_release=
+ helm_release="${1}"
+ yq eval .spec.chart.spec.version "${helm_release}" 2>/dev/null
+}
+
+chart_values() {
+ local helm_release=
+ helm_release="${1}"
+ yq eval .spec.values "${helm_release}" 2>/dev/null
+}
diff --git a/.github/workflows/diff-hr-on-pr.yaml b/.github/workflows/diff-hr-on-pr.yaml
deleted file mode 100644
index 48e1b033..00000000
--- a/.github/workflows/diff-hr-on-pr.yaml
+++ /dev/null
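Review bot: In chart_registry_url the right-hand side of `[[ "${chart_id}" != $(yq eval .metadata.name ...) ]]` is unquoted, so inside `[[ ]]` it is evaluated as a glob pattern rather than a literal string; a HelmRepository name containing `*`, `?` or `[` would be pattern-matched instead of compared. Quote it: `[[ "${chart_id}" != "$(yq eval .metadata.name "${file}" 2>/dev/null)" ]] && continue`. Every yq call here also discards stderr, and yq prints `null` for an absent key, so a HelmRelease with no `sourceRef.name` or no matching repository silently yields `null` or an empty string that the caller then hands to `helm repo add` and `helm pull`; failing with an explicit message when the resolved name or URL is empty would make that case visible. The duplicated `>&2` on the error echo in check() is harmless but one of them can be dropped.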
@@ -1,122 +0,0 @@ ---- -name: Create diff on updated HelmReleases - -on: - pull_request: - branches: - - main - paths: - - "cluster/**.yaml" - -env: - conf_live_branch: main - conf_allow_repeating_same_comment: true - -jobs: - changes: - name: Detect changes - runs-on: ubuntu-latest - outputs: - files: "${{ steps.extract.outputs.files }}" - steps: - - name: Checkout - uses: actions/checkout@v2 - - name: Get changes - uses: dorny/paths-filter@v2 - id: filter - with: - list-files: shell - filters: | - changed: - - '**' - - name: Keep HelmReleases only - id: extract - run: | - filtered=$(grep -zl "kind: HelmRelease.*registryUrl=" ${{ steps.filter.outputs.changed_files }} | \ - jq -R '[.]' | \ - jq -s -c add) - echo ::set-output name=files::${filtered} - - helm: - name: Template HelmReleases - runs-on: ubuntu-latest - needs: - - changes - strategy: - matrix: - file: ${{ fromJson(needs.changes.outputs.files) }} - fail-fast: false - steps: - - name: Setup Kubernetes Tools - uses: yokawasa/action-setup-kube-tools@v0.8.0 - with: - setup-tools: | - helmv3 - yq - - name: Checkout live branch - uses: actions/checkout@v2 - with: - ref: ${{ env.conf_live_branch }} - path: live - - name: Checkout PR branch - uses: actions/checkout@v2 - with: - path: pr - - name: Create diff - id: diff - run: | - hr_live_url=$(sed -nr 's|.*registryUrl=(.+)$|\1|p' live/${{ matrix.file }}) - hr_live_chart=$(yq e .spec.chart.spec.chart live/${{ matrix.file }}) - hr_live_version=$(yq e .spec.chart.spec.version live/${{ matrix.file }}) - hr_live_values=$(yq e .spec.values live/${{ matrix.file }}) - - hr_pr_url=$(sed -nr 's|.*registryUrl=(.+)$|\1|p' pr/${{ matrix.file }}) - hr_pr_chart=$(yq e .spec.chart.spec.chart pr/${{ matrix.file }}) - hr_pr_version=$(yq e .spec.chart.spec.version pr/${{ matrix.file }}) - hr_pr_values=$(yq e .spec.values pr/${{ matrix.file }}) - - helm repo add live "$hr_live_url" - helm repo add pr "$hr_pr_url" - - resources_live=$(echo "$hr_live_values" | \ - helm template 
"$hr_live_chart" \ - live/"$hr_live_chart" \ - --version "$hr_live_version" -f -) - echo "$resources_live" - echo "#####################################################" - - resources_pr=$(echo "$hr_pr_values" | \ - helm template "$hr_pr_chart" \ - pr/"$hr_pr_chart" \ - --version "$hr_pr_version" -f -) - echo "$resources_pr" - echo "#####################################################" - - diff=$((diff -u <(echo "$resources_live") <(echo "$resources_pr") || true) | tail +3) - echo "$diff" - - message="Path: \`${{ matrix.file }}\`" - if [ "$hr_live_chart" != "$hr_pr_chart" ]; then - message="$message"$'\n'"Chart: \`$hr_live_chart\` -> \`$hr_pr_chart\`" - fi - if [ "$hr_live_version" != "$hr_pr_version" ]; then - message="$message"$'\n'"Version: \`$hr_live_version\` -> \`$hr_pr_version\`" - fi - if [ "$hr_live_url" != "$hr_pr_url" ]; then - message="$message"$'\n'"Repo: \`$hr_live_url\` -> \`$hr_pr_url\`" - fi - message="$message"$'\n'$'\n' - if [ -z "$diff" ]; then - message="$message"'```'$'\n'"No changes in detected in resources"$'\n''```' - else - message="$message"'```diff'$'\n'"$diff"$'\n''```' - fi - - echo "::set-output name=message::$(echo "$message" | jq --raw-input --slurp)" - - - name: Add PR Comment - uses: mshick/add-pr-comment@v1 - with: - repo-token: ${{ secrets.GITHUB_TOKEN }} - allow-repeats: ${{ env.conf_allow_repeating_same_comment }} - message: "${{ fromJSON(steps.diff.outputs.message) }}" diff --git a/.github/workflows/flux-schedule.yaml b/.github/workflows/flux-schedule.yaml deleted file mode 100644 index 1fc4b8ac..00000000 --- a/.github/workflows/flux-schedule.yaml +++ /dev/null 
@@ -1,44 +0,0 @@ ---- - -name: Schedule - Update Flux - -on: # yamllint disable-line rule:truthy - workflow_dispatch: - schedule: - - cron: '0 12 * * *' - -jobs: - flux-upgrade: - runs-on: ubuntu-20.04 - steps: - - uses: actions/checkout@v2 - with: - fetch-depth: 1 - - - name: Setup Flux CLI - uses: fluxcd/flux2/action@main - - - name: Upgrade Flux - id: upgrade - run: | - CLI_VERSION="$(flux -v)" - VERSION="v${CLI_VERSION#*flux version }" - flux install --version="${VERSION}" \ - --network-policy=false \ - --export > ./cluster/base/flux-system/gotk-components.yaml - echo "::set-output name=flux_version::$VERSION" - - - name: Create pull request for Flux upgrade - uses: peter-evans/create-pull-request@v3 - with: - token: ${{ secrets.GITHUB_TOKEN }} - branch: "flux/upgrade-${{ steps.upgrade.outputs.flux_version }}" - delete-branch: true - title: "chore(deps): upgrade flux components to ${{ steps.upgrade.outputs.flux_version }}" - signoff: false - committer: GitHub - author: ${{ github.actor }} <${{ github.actor }}@users.noreply.github.com> - commit-message: "chore(deps): upgrade flux components to ${{ steps.upgrade.outputs.flux_version }}" - body: | - Release notes: https://github.com/fluxcd/flux2/releases/tag/${{ steps.upgrade.outputs.flux_version }} - labels: flux/upgrade diff --git a/.github/workflows/helm-release-differ.yaml b/.github/workflows/helm-release-differ.yaml new file mode 100644 index 00000000..017dfdea --- /dev/null +++ b/.github/workflows/helm-release-differ.yaml 
@@ -0,0 +1,79 @@ +--- +name: Helm Release Differ + +on: # yamllint disable-line rule:truthy + pull_request: + branches: + - main + paths: + - "cluster/**.yaml" + +env: + # Currently no way to detect automatically + DEFAULT_BRANCH: main + BOT_USERNAME: "chii-bot[bot]" + +jobs: + detect-file-changes: + name: Detect File Changes + runs-on: ubuntu-latest + steps: + - uses: actions/checkout@v3 + - uses: dorny/paths-filter@v2 + id: filter + with: + list-files: json + filters: | + yaml: + - added|modified: "**/helm-release.yaml" + outputs: + yaml_files: ${{ steps.filter.outputs.yaml_files }} + helm-release-differ: + name: Helm Release Differ + runs-on: ubuntu-latest + needs: detect-file-changes + strategy: + matrix: + file: ${{ fromJSON(needs.detect-file-changes.outputs.yaml_files) }} + steps: + - name: Checkout + uses: actions/checkout@v3 + - name: Generate Token + uses: tibdex/github-app-token@v1 + id: generate-token + with: + app_id: ${{ secrets.BOT_APP_ID }} + private_key: ${{ secrets.BOT_APP_PRIVATE_KEY }} + - name: Checkout default branch + uses: actions/checkout@v3 + with: + ref: "${{ env.DEFAULT_BRANCH }}" + path: default + - name: Install Helm + uses: azure/setup-helm@v3 + with: + version: v3.6.3 + - name: Helm Release Differ + id: diff + run: | + diff=$(.github/scripts/helm-release-differ.sh --source-file "default/${{ matrix.file }}" --target-file "${{ matrix.file }}" --remove-common-labels) + echo "${diff}" + diff="${diff//'%'/'%25'}" + diff="${diff//$'\n'/'%0A'}" + diff="${diff//$'\r'/'%0D'}" + echo "::set-output name=diff::$(echo ${diff})" + - name: Find Comment + uses: peter-evans/find-comment@v2 + id: find-comment + with: + issue-number: "${{ github.event.pull_request.number }}" + comment-author: "${{ env.BOT_USERNAME }}" + body-includes: "${{ matrix.file }}" + - name: Create or update comment + uses: peter-evans/create-or-update-comment@v2 + with: + token: "${{ steps.generate-token.outputs.token }}" + comment-id: "${{ steps.find-comment.outputs.comment-id 
}}" + issue-number: "${{ github.event.pull_request.number }}" + body: "${{ steps.diff.outputs.diff }}" + edit-mode: replace diff --git a/.github/workflows/invalid-template.yaml b/.github/workflows/invalid-template.yaml deleted file mode 100644 index ba17f3d4..00000000 --- a/.github/workflows/invalid-template.yaml +++ /dev/null @@ -1,24 +0,0 @@ ---- - -name: Invalid Template - -on: - issues: - types: - - labeled - - unlabeled - - reopened - -jobs: - support: - runs-on: ubuntu-20.04 - steps: - - uses: dessant/support-requests@v2 - with: - github-token: ${{ github.token }} - support-label: 'template-incomplete' - issue-comment: > - :wave: @{issue-author}, please follow the template provided. - close-issue: true - lock-issue: true - issue-lock-reason: 'resolved' diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml index 97546a1b..8058bfa5 100644 --- a/.github/workflows/lint.yaml +++ b/.github/workflows/lint.yaml 
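Review bot: The `Helm Release Differ` step interpolates `${{ matrix.file }}` directly into `run:`; that value is a changed-file path produced by dorny/paths-filter from the pull request, so a crafted filename can close the double quotes and execute commands in a job that has just minted an app installation token in the `generate-token` step. Pass the value through the environment and reference it as a shell variable instead, and quote the `set-output` expansion so the escaped diff is not word-split or glob-expanded (`$(echo ${diff})` currently expands any `*` in the diff body against the working tree). GitHub has since deprecated the `::set-output` command in favor of appending to `$GITHUB_OUTPUT`; the same applies to the `set-output` line in `scan-containers.yaml`.
```yaml
      - name: Helm Release Differ
        id: diff
        env:
          TARGET_FILE: ${{ matrix.file }}
        run: |
          diff=$(.github/scripts/helm-release-differ.sh --source-file "default/${TARGET_FILE}" --target-file "${TARGET_FILE}" --remove-common-labels)
          # … unchanged: echo and %, \n, \r escaping …
          echo "::set-output name=diff::${diff}"
```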
@@ -1,19 +1,66 @@ --- - name: Lint on: # yamllint disable-line rule:truthy workflow_dispatch: pull_request: + branches: + - main + +concurrency: + group: ${{ github.ref }}-${{ github.workflow }} + cancel-in-progress: true jobs: - yaml: - runs-on: ubuntu-20.04 + build: + name: MegaLinter + runs-on: ubuntu-latest steps: - - uses: actions/checkout@v2 - - name: yamllint - uses: reviewdog/action-yamllint@v1 - with: - github_token: ${{ secrets.github_token }} - reporter: github-pr-review - yamllint_flags: '-c .github/yamllint.config.yaml ./cluster/' + - name: Checkout + uses: actions/checkout@v3 + with: + fetch-depth: 0 + + - name: Generate Token + uses: tibdex/github-app-token@v1 + id: generate-token + with: + app_id: "${{ secrets.BOT_APP_ID }}" + private_key: "${{ secrets.BOT_APP_PRIVATE_KEY }}" + + - name: MegaLinter + uses: oxsecurity/megalinter@v6.0.5 + env: + GITHUB_TOKEN: "${{ steps.generate-token.outputs.token }}" + PRINT_ALPACA: false + VALIDATE_ALL_CODEBASE: ${{ github.event_name == 'workflow_dispatch' }} + ENABLE_LINTERS: |- + ${{ + join( + fromJSON(' + [ + "ACTION_ACTIONLINT", + "ANSIBLE_ANSIBLE_LINT", + "COPYPASTE_JSCPD", + "KUBERNETES_KUBEVAL", + "MARKDOWN_MARKDOWNLINT", + "REPOSITORY_GIT_DIFF", + "REPOSITORY_SECRETLINT", + "TERRAFORM_TERRAFORM_FMT", + "YAML_PRETTIER", + "YAML_YAMLLINT" + ] + '), + ',' + ) + }} + ANSIBLE_DIRECTORY: ansible + ANSIBLE_ANSIBLE_LINT_CONFIG_FILE: .ansible-lint + KUBERNETES_DIRECTORY: cluster + KUBERNETES_KUBEVAL_ARGUMENTS: --ignore-missing-schemas + KUBERNETES_KUBEVAL_FILTER_REGEX_INCLUDE: "(kubernetes)" + MARKDOWN_MARKDOWNLINT_CONFIG_FILE: .github/linters/.markdownlint.yaml + MARKDOWN_MARKDOWNLINT_RULES_PATH: .github/ + YAML_YAMLLINT_CONFIG_FILE: .github/linters/.yamllint.yaml + YAML_PRETTIER_CONFIG_FILE: .github/linters/.prettierrc.yaml + YAML_PRETTIER_FILTER_REGEX_EXCLUDE: "(.*\\.sops\\.ya?ml)" 
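Review bot: The MegaLinter step receives a GitHub App installation token via `GITHUB_TOKEN` while every action in this hunk is referenced by a mutable tag (`oxsecurity/megalinter@v6.0.5`, `tibdex/github-app-token@v1`, `actions/checkout@v3`), so a moved or compromised tag would run unreviewed code with that token on every pull request. Pin third-party actions to a full commit SHA with the tag kept in a trailing comment, e.g. `uses: oxsecurity/megalinter@<commit-sha> # v6.0.5`, and let Renovate (configured elsewhere in this commit) bump the pins. The same applies to the other workflow files added in this commit (helm-release-differ, meta-*, scan-containers, schedule-*). It is also worth adding a `permissions:` block to the job, since the default `GITHUB_TOKEN` grants are otherwise inherited from the repository setting.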
diff --git a/.github/workflows/meta-label-size.yaml b/.github/workflows/meta-label-size.yaml
new file mode 100644
index 00000000..51327d88
--- /dev/null
+++ b/.github/workflows/meta-label-size.yaml
@@ -0,0 +1,33 @@
+---
+name: Meta - Label Size
+
+on: # yamllint disable-line rule:truthy
+ pull_request:
+ branches:
+ - main
+
+jobs:
+ label-size:
+ name: Label Size
+ runs-on: ubuntu-latest
+ steps:
+ - name: Generate Token
+ uses: tibdex/github-app-token@v1
+ id: generate-token
+ with:
+ app_id: "${{ secrets.BOT_APP_ID }}"
+ private_key: "${{ secrets.BOT_APP_PRIVATE_KEY }}"
+ - name: Label Size
+ uses: pascalgn/size-label-action@v0.4.3
+ env:
+ GITHUB_TOKEN: "${{ steps.generate-token.outputs.token }}"
+ with:
+ sizes: >
+ {
+ "0": "XS",
+ "20": "S",
+ "50": "M",
+ "200": "L",
+ "800": "XL",
+ "2000": "XXL"
+ }
diff --git a/.github/workflows/meta-labeler.yml b/.github/workflows/meta-labeler.yml
new file mode 100644
index 00000000..751e3b3e
--- /dev/null
+++ b/.github/workflows/meta-labeler.yml
@@ -0,0 +1,24 @@
+---
+name: Meta - Labeler
+
+on: # yamllint disable-line rule:truthy
+ pull_request:
+ branches:
+ - main
+
+jobs:
+ labeler:
+ name: Labeler
+ runs-on: ubuntu-latest
+ steps:
+ - name: Generate Token
+ uses: tibdex/github-app-token@v1
+ id: generate-token
+ with:
+ app_id: "${{ secrets.BOT_APP_ID }}"
+ private_key: "${{ secrets.BOT_APP_PRIVATE_KEY }}"
+ - name: Labeler
+ uses: actions/labeler@v4
+ with:
+ configuration-path: .github/labeler.yaml
+ repo-token: "${{ steps.generate-token.outputs.token }}"
diff --git a/.github/workflows/meta-sync-labels.yaml b/.github/workflows/meta-sync-labels.yaml
new file mode 100644
index 00000000..85345316
--- /dev/null
+++ b/.github/workflows/meta-sync-labels.yaml
@@ -0,0 +1,30 @@ +--- +name: Meta - Sync labels + +on: # yamllint disable-line rule:truthy + workflow_dispatch: + push: + branches: + - main + paths: + - ".github/labels.yaml" + +jobs: + labels: + name: Sync Labels + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + - name: Generate Token + uses: tibdex/github-app-token@v1 + id: generate-token + with: + app_id: "${{ secrets.BOT_APP_ID }}" + private_key: "${{ secrets.BOT_APP_PRIVATE_KEY }}" + - name: Sync Labels + uses: EndBug/label-sync@v2 + with: + config-file: .github/labels.yaml + token: "${{ steps.generate-token.outputs.token }}" + delete-other-labels: true diff --git a/.github/workflows/renovate-schedule.yaml b/.github/workflows/renovate-schedule.yaml deleted file mode 100644 index ae1e40f7..00000000 --- a/.github/workflows/renovate-schedule.yaml +++ /dev/null @@ -1,38 +0,0 @@ - ---- - -name: Schedule - Renovate Helm Releases - -on: # yamllint disable-line rule:truthy - workflow_dispatch: - schedule: - - cron: '0 */12 * * *' - -jobs: - renovate-helm-releases: - runs-on: ubuntu-20.04 - steps: - - uses: actions/checkout@v2 - with: - token: ${{ secrets.GITHUB_TOKEN }} - fetch-depth: 1 - - - name: Renovate Helm Releases - uses: k8s-at-home/renovate-helm-releases@v1 - with: - cluster-path: "./cluster" - - - name: Create pull request for renovatebot helm-release annotations - uses: peter-evans/create-pull-request@v3 - with: - token: ${{ secrets.GITHUB_TOKEN }} - branch: renovate-annotations - delete-branch: true - title: "chore(deps): update renovate annotations" - signoff: false - committer: GitHub - author: ${{ github.actor }} <${{ github.actor }}@users.noreply.github.com> - commit-message: "chore(deps): update renovate annotations" - body: | - Update HelmReleases inorder for Renovate to pick up new versions of Helm charts - labels: renovate/annotations 
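Review bot: `delete-other-labels: true` removes every repository label that is not listed in `.github/labels.yaml`, including labels created by hand in the UI, on each push touching that file and on every manual dispatch; that is a reasonable labels-as-code choice but nothing in the file says so. Add a comment above the option, `# Any label not present in .github/labels.yaml is deleted on every sync`, so the next editor knows the file is the single source of truth before adding labels elsewhere.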
diff --git a/.github/workflows/scan-containers.yaml b/.github/workflows/scan-containers.yaml
new file mode 100644
index 00000000..6b9ad821
--- /dev/null
+++ b/.github/workflows/scan-containers.yaml
@@ -0,0 +1,72 @@
+---
+name: Scan Containers
+
+on: # yamllint disable-line rule:truthy
+ pull_request:
+ branches:
+ - main
+ paths:
+ - "cluster/**.yaml"
+ - "ansible/**.yml.j2"
+
+jobs:
+ detect-file-changes:
+ name: Detect File Changes
+ runs-on: ubuntu-latest
+ steps:
+ - uses: actions/checkout@v3
+ - uses: dorny/paths-filter@v2
+ id: filter
+ with:
+ list-files: json
+ filters: |
+ yaml:
+ - added|modified: "**.yaml"
+ - added|modified: "**.yml"
+ - added|modified: "**.yaml.j2"
+ - added|modified: "**.yml.j2"
+ outputs:
+ yaml_files: ${{ steps.filter.outputs.yaml_files }}
+ detect-containers:
+ name: Detect Containers
+ runs-on: ubuntu-latest
+ needs: detect-file-changes
+ strategy:
+ matrix:
+ file: ${{ fromJSON(needs.detect-file-changes.outputs.yaml_files) }}
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ - name: Install Jo
+ run: |
+ sudo apt-get install jo
+ - name: Detect Containers in Files
+ id: containers
+ run: |
+ containers=$(.github/scripts/container-parser.sh --file "${{ matrix.file }}")
+ echo "${containers}"
+ echo ::set-output name=containers::${containers}
+ outputs:
+ containers: ${{ steps.containers.outputs.containers }}
+ scan-containers:
+ name: Scan Containers
+ runs-on: ubuntu-latest
+ needs: detect-containers
+ strategy:
+ matrix: ${{ fromJSON(needs.detect-containers.outputs.containers) }}
+ fail-fast: false
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ - name: Scan Container
+ uses: aquasecurity/trivy-action@0.5.1
+ with:
+ image-ref: ${{ matrix.containers }}
+ vuln-type: os,library
+ severity: CRITICAL,HIGH
+ format: sarif
+ output: trivy-results.sarif
+ - name: Upload Trivy scan results to GitHub Security tab
+ uses: github/codeql-action/upload-sarif@v2
+ with:
+ sarif_file: trivy-results.sarif
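Review bot: `detect-containers` is a matrix job over `matrix.file`, but a job-level output written from a matrix is last-writer-wins, so `needs.detect-containers.outputs.containers` only carries the containers of whichever file's leg finished last and the remaining changed files are never scanned; either run the detect step once over all files (dropping that matrix) or have each leg upload an artifact that `scan-containers` merges before building its matrix. The `Detect Containers in Files` step also interpolates `${{ matrix.file }}`, a file path taken from the pull request, directly into `run:`, where a crafted path can break out of the quotes and execute commands; map it through `env:` (`FILE: ${{ matrix.file }}`), use `"${FILE}"` in the script, and quote the output line as `echo "::set-output name=containers::${containers}"` so the JSON is not word-split or glob-expanded. `sudo apt-get install jo` presumably succeeds only because jo pulls in no extra packages; `sudo apt-get install -y jo` is the safe form on a non-interactive runner. The `upload-sarif` step needs `security-events: write`, so add a `permissions:` block if the repository's default token permissions are restricted.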
diff --git a/.github/workflows/schedule-cloudflare-proxied-networks-update.yaml b/.github/workflows/schedule-cloudflare-proxied-networks-update.yaml new file mode 100644 index 00000000..40704ece --- /dev/null +++ b/.github/workflows/schedule-cloudflare-proxied-networks-update.yaml @@ -0,0 +1,41 @@ +--- +name: Schedule - Cloudflare Proxied Networks Update + +on: # yamllint disable-line rule:truthy + workflow_dispatch: + schedule: + - cron: "0 0 * * *" + +env: + CLOUDFLARE_PROXIED_NETWORKS_FILE: >- + cluster/apps/networking/ingress-nginx/cloudflare-proxied-networks.txt + +jobs: + cloudflare-proxied-networks-update: + name: Cloudflare Proxied Networks + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + - name: Generate Token + uses: tibdex/github-app-token@v1 + id: generate-token + with: + app_id: "${{ secrets.BOT_APP_ID }}" + private_key: "${{ secrets.BOT_APP_PRIVATE_KEY }}" + - name: Cloudflare Proxied Networks + run: | + bash ./.github/scripts/cloudflare-proxied-networks.sh > ${{ env.CLOUDFLARE_PROXIED_NETWORKS_FILE }} + - name: Create pull request + uses: peter-evans/create-pull-request@v4 + with: + token: "${{ steps.generate-token.outputs.token }}" + branch: github-action/update-cloudflare-proxied-networks + delete-branch: true + title: "chore(github-action): update cloudflare proxied networks" + signoff: true + commit-message: "chore(github-action): update cloudflare proxied networks" + body: | + Update cloudflare proxy networks configmap from https://www.cloudflare.com/ips/ + labels: | + renovate/github-action diff --git a/.github/workflows/schedule-link-checker.yaml b/.github/workflows/schedule-link-checker.yaml new file mode 100644 index 00000000..4d5c7f43 --- /dev/null +++ b/.github/workflows/schedule-link-checker.yaml 
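Review bot: The `Cloudflare Proxied Networks` step redirects the script's stdout straight into the tracked file and the pull-request step runs regardless of what was written, so if the script's upstream fetch fails or returns nothing (the script itself is not in this diff, so this is inferred) an empty or partial network list would be proposed for the ingress-nginx configuration the file path suggests it feeds. Add a guard after the redirect, `test -s "${CLOUDFLARE_PROXIED_NETWORKS_FILE}"`, so the job fails instead of opening a PR with an empty file; the workflow-level `env` is already present in the step's environment, so `> "${CLOUDFLARE_PROXIED_NETWORKS_FILE}"` also removes the `${{ env.… }}` interpolation from `run:`. Since this job holds an app token able to push branches, pinning `peter-evans/create-pull-request@v4` and `tibdex/github-app-token@v1` to commit SHAs is advisable.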
@@ -0,0 +1,42 @@ +--- +name: Schedule - Link Checker + +on: # yamllint disable-line rule:truthy + workflow_dispatch: + schedule: + - cron: "0 0 * * *" + +jobs: + link-checker: + name: Link Checker + runs-on: ubuntu-latest + steps: + - name: Checkout + uses: actions/checkout@v3 + - name: Generate Token + uses: tibdex/github-app-token@v1 + id: generate-token + with: + app_id: "${{ secrets.BOT_APP_ID }}" + private_key: "${{ secrets.BOT_APP_PRIVATE_KEY }}" + - name: Link Checker + uses: lycheeverse/lychee-action@v1.5.0 + id: lychee + env: + GITHUB_TOKEN: "${{ steps.generate-token.outputs.token }}" + - name: Find Link Checker Issue + id: link-checker-issue + uses: micalevisk/last-issue-action@v2 + with: + state: open + labels: | + link-checker + - name: Update Issue + uses: peter-evans/create-issue-from-file@v4 + with: + title: Broken links detected in docs 🔗 + issue-number: "${{ steps.link-checker-issue.outputs.issue-number }}" + content-filepath: ./lychee/out.md + token: "${{ steps.generate-token.outputs.token }}" + labels: | + link-checker diff --git a/.github/workflows/schedule-renovate.yaml b/.github/workflows/schedule-renovate.yaml new file mode 100644 index 00000000..40a54a97 --- /dev/null +++ b/.github/workflows/schedule-renovate.yaml 
@@ -0,0 +1,50 @@
+---
+name: Schedule - Renovate
+
+on: # yamllint disable-line rule:truthy
+ workflow_dispatch:
+ inputs:
+ dryRun:
+ description: "Dry-Run"
+ default: "false"
+ required: false
+ logLevel:
+ description: "Log-Level"
+ default: "debug"
+ required: false
+ schedule:
+ - cron: "0 * * * *"
+ push:
+ branches:
+ - main
+ paths:
+ - ".github/renovate.json5"
+ - ".github/renovate/**.json5"
+
+env:
+ LOG_LEVEL: debug
+ DRY_RUN: false
+ RENOVATE_CONFIG_FILE: .github/renovate.json5
+
+jobs:
+ renovate:
+ name: Renovate
+ runs-on: ubuntu-latest
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v3
+ - name: Generate Token
+ uses: tibdex/github-app-token@v1
+ id: generate-token
+ with:
+ app_id: "${{ secrets.BOT_APP_ID }}"
+ private_key: "${{ secrets.BOT_APP_PRIVATE_KEY }}"
+ - name: Override default config from dispatch variables
+ run: |
+ echo "DRY_RUN=${{ github.event.inputs.dryRun || env.DRY_RUN }}" >> "${GITHUB_ENV}"
+ echo "LOG_LEVEL=${{ github.event.inputs.logLevel || env.LOG_LEVEL }}" >> "${GITHUB_ENV}"
+ - name: Renovate
+ uses: renovatebot/github-action@v32.117.3
+ with:
+ configurationFile: "${{ env.RENOVATE_CONFIG_FILE }}"
+ token: "x-access-token:${{ steps.generate-token.outputs.token }}"
diff --git a/.github/workflows/support.yaml b/.github/workflows/support.yaml
deleted file mode 100644
index 3730f8fd..00000000
--- a/.github/workflows/support.yaml
+++ /dev/null
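Review bot: The two `echo ... >> "${GITHUB_ENV}"` lines interpolate `github.event.inputs.dryRun` and `github.event.inputs.logLevel` directly into the shell, so an input containing a newline would append arbitrary extra variables to the environment file; only users with write access can dispatch the workflow, which limits the exposure, but the idiomatic form is to map the inputs in an `env:` block (`DRY_RUN_INPUT: ${{ github.event.inputs.dryRun }}`) and write `echo "DRY_RUN=${DRY_RUN_INPUT:-$DRY_RUN}" >> "${GITHUB_ENV}"` from plain shell variables. The workflow-level `DRY_RUN: false` is an unquoted YAML boolean while the dispatch default is the string `"false"`; both reach the step as strings, but writing `DRY_RUN: "false"` keeps the two consistent and avoids yamllint's truthy warning. A default of `LOG_LEVEL: debug` for the hourly run is also unusually verbose for logs that are retained on every scheduled execution.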
@@ -1,28 +0,0 @@ ---- - -name: 'Support requests' - -on: - issues: - types: - - labeled - - unlabeled - - reopened - -jobs: - support: - runs-on: ubuntu-20.04 - steps: - - uses: dessant/support-requests@v2 - with: - github-token: ${{ secrets.GITHUB_TOKEN }} - support-label: 'support' - issue-comment: > - :wave: @{issue-author}, we use the issue tracker exclusively - for bug reports and feature requests. However, this issue appears - to be a support request. Please use our support channels - to get help with. - - [Discord](https://discord.gg/sTMX7Vh) - close-issue: true - lock-issue: false - issue-lock-reason: 'off-topic' diff --git a/.gitignore b/.gitignore index 4d558b5e..4e12d4e5 100644 --- a/.gitignore +++ b/.gitignore @@ -1,5 +1,6 @@ # Editors .vscode/ +.fttemplates/ # Trash .DS_Store Thumbs.db @@ -16,11 +17,24 @@ bin .private/ .logs/ .task/ -# Terraform -.terraform* -terraform.tfstate* # Ansible -server/ansible/inventory/e2e/hosts.yml +ansible/inventory/e2e/hosts.yml xanmanning.k3s* nvidia.nvidia_driver* -node_modules \ No newline at end of file +node_modules +# Terraform +.terraform* +.terraform.tfstate* +terraform.tfstate* +# Sops +.decrypted~* +*.agekey +# Kubernetes +kubeconfig* +talosconfig* +*.pub +*.key +# Extras +config.xml +*.pid +kubernetes diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index e1d354e0..38872dce 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -1,28 +1,29 @@ +--- fail_fast: false repos: -- repo: https://github.com/adrienverge/yamllint - rev: v1.26.3 - hooks: - - args: - - -c - - .github/yamllint.config.yaml - id: yamllint -- repo: https://github.com/pre-commit/pre-commit-hooks - rev: v4.0.1 - hooks: - - id: trailing-whitespace - - id: end-of-file-fixer - - id: mixed-line-ending -- repo: https://github.com/Lucas-C/pre-commit-hooks - rev: v1.1.10 - hooks: - - id: remove-crlf - - id: remove-tabs -- repo: https://github.com/sirosen/fix-smartquotes - rev: 0.2.0 - hooks: - - id: fix-smartquotes -- repo: https://github.com/k8s-at-home/sops-pre-commit - rev: v2.0.3 - hooks: - - id: forbid-secrets + - repo: https://github.com/adrienverge/yamllint + rev: v1.27.1 + hooks: + - args: + - --config-file + - .github/linters/.yamllint.yaml + id: yamllint + - repo: https://github.com/pre-commit/pre-commit-hooks + rev: v4.3.0 + hooks: + - id: trailing-whitespace + - id: end-of-file-fixer + - id: mixed-line-ending + - repo: https://github.com/Lucas-C/pre-commit-hooks + rev: v1.3.0 + hooks: + - id: remove-crlf + - id: remove-tabs + - repo: https://github.com/sirosen/texthooks + rev: 0.3.1 + hooks: + - id: fix-smartquotes + - repo: https://github.com/k8s-at-home/sops-pre-commit + rev: v2.1.1 + hooks: + - id: forbid-secrets diff --git a/.sops.yaml b/.sops.yaml index 1a6e6447..af1bca8c 100644 --- a/.sops.yaml +++ b/.sops.yaml @@ -9,4 +9,4 @@ creation_rules: encrypted_regex: "^(data|stringData)$" key_groups: - age: - - age1nfn3vxpsgm49ljgs8kxevga9makhh9aply6ddgf9wplsfuwpcv2qzmqatc \ No newline at end of file + - age1nfn3vxpsgm49ljgs8kxevga9makhh9aply6ddgf9wplsfuwpcv2qzmqatc diff --git a/.sourceignore b/.sourceignore new file mode 100644 index 00000000..06218596 --- /dev/null +++ b/.sourceignore 
@@ -0,0 +1,18 @@ +# See https://toolkit.fluxcd.io/components/source/gitrepositories/#excluding-files +.github/ +.taskfiles/ +.vscode/ +ansible/ +docs/ +hack/ +shared/ +terraform/ +talos/ +.envrc +.gitattributes +.gitignore +.pre-commit-config.yaml +.sops.yaml +LICENSE +README.md +Taskfile.yaml diff --git a/.taskfiles/AnsibleTasks.yml b/.taskfiles/AnsibleTasks.yml new file mode 100644 index 00000000..3973a9f7 --- /dev/null +++ b/.taskfiles/AnsibleTasks.yml @@ -0,0 +1,11 @@ +--- +version: "3" + +tasks: + + init: + desc: install/upgrade ansible deps + dir: ansible + cmds: + - "ansible-galaxy install -r requirements.yml --roles-path ~/.ansible/roles --force" + - "ansible-galaxy collection install -r requirements.yml --collections-path ~/.ansible/collections --force" diff --git a/.taskfiles/ClusterTasks.yml b/.taskfiles/ClusterTasks.yml new file mode 100644 index 00000000..0ee4b50b --- /dev/null +++ b/.taskfiles/ClusterTasks.yml @@ -0,0 +1,20 @@ +--- +version: "3" + +tasks: + + list-dockerhub: + desc: What dockerhub images are running in my cluster + cmds: + - kubectl get pods --all-namespaces -o=jsonpath="{range .items[*]}{'\n'}{range .spec.containers[*]}{.image}{'\n'}{end}{end}" | sort | uniq | grep -Ev 'quay|gcr|ghcr|ecr|us-docker' | grep -Ev 'bitnami|rook|intel|grafana' | sed -e 's/docker\.io\///g' | sort | uniq + + delete-failed-pods: + desc: Deletes failed pods + cmds: + - kubectl delete pods --field-selector status.phase=Failed -A --ignore-not-found=true + + hr-restart: + desc: Restart all failed Helm Releases + cmds: + - kubectl get hr --all-namespaces | grep False | awk '{print $2, $1}' | xargs -l bash -c 'flux suspend hr $0 -n $1' + - kubectl get hr --all-namespaces | grep False | awk '{print $2, $1}' | xargs -l bash -c 'flux resume hr $0 -n $1' diff --git a/.taskfiles/DebugTasks.yml b/.taskfiles/DebugTasks.yml new file mode 100644 index 00000000..d323ba8f --- /dev/null +++ b/.taskfiles/DebugTasks.yml 
@@ -0,0 +1,75 @@
+---
+version: "3"
+
+tasks:
+
+ network:
+ desc: Create a netshoot container for debugging
+ cmds:
+ - kubectl run netshoot --rm -i --tty --image ghcr.io/nicolaka/netshoot:latest {{.CLI_ARGS}}
+
+ volume:
+ desc: |-
+ Create a container for debugging a PVC (ex. task PVC=plex-config-v1 debug:volume)
+ interactive: true
+ cmds:
+ - |
+ kubectl run -n $(kubectl get pvc -A | grep {{.PVC}} | awk '{print $1}') debug-{{.PVC}} -i --tty --rm --image=null --privileged --overrides='
+ {
+ "apiVersion": "v1",
+ "spec": {
+ "containers": [
+ {
+ "name": "debug",
+ "image": "ghcr.io/onedr0p/alpine:rolling",
+ "command": [
+ "/bin/bash"
+ ],
+ "stdin": true,
+ "stdinOnce": true,
+ "tty": true,
+ "volumeMounts": [
+ {
+ "name": "config",
+ "mountPath": "/data/config"
+ },
+ {
+ "name": "backups",
+ "mountPath": "/data/backups"
+ }
+ ]
+ }
+ ],
+ "volumes": [
+ {
+ "name": "config",
+ "persistentVolumeClaim": {
+ "claimName": "{{.PVC}}"
+ }
+ },
+ {
+ "name": "backups",
+ "nfs": {
+ "server": "{{.NAS_ADDRESS | default "nas01"}}",
+ "path": "{{.NAS_PATH | default "/tank/data/backups"}}"
+ }
+ }
+ ],
+ "restartPolicy": "Never"
+ }
+ }'
+ node:
+ desc: |-
+ Create a privileged container on a node for debugging (ex. task NODE=k8s-control01 debug:node)
+ interactive: true
+ cmds:
+ - |
+ kubectl run debug-{{.NODE}} -i --tty --rm --image="docker.io/library/alpine:3.16" --privileged --overrides='
+ {
+ "spec": {
+ "nodeSelector": {
+ "kubernetes.io/hostname": "{{.NODE}}"
+ },
+ "restartPolicy": "Never"
+ }
+ }'
diff --git a/.taskfiles/PreCommitTasks.yml b/.taskfiles/PreCommitTasks.yml
new file mode 100644
index 00000000..bcd05946
--- /dev/null
+++ b/.taskfiles/PreCommitTasks.yml
@@ -0,0 +1,19 @@
+---
+version: "3"
+
+tasks:
+
+ init:
+ desc: Install pre-commit hooks
+ cmds:
+ - pre-commit install --install-hooks
+
+ update:
+ desc: Update pre-commit hooks
+ cmds:
+ - pre-commit autoupdate
+
+ run:
+ desc: Run pre-commit on all files
+ cmds:
+ - pre-commit run --all-files
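Review bot: The namespace lookup in the `volume` task, `kubectl get pvc -A | grep {{.PVC}} | awk '{print $1}'`, is a substring match over the whole table, so a PVC whose name is a prefix of another (or one that exists in two namespaces) yields the wrong namespace or several words, and the privileged debug pod is created in the wrong place or the command fails. Select by exact name instead, e.g. `kubectl get pvc -A -o jsonpath='{.items[?(@.metadata.name=="{{.PVC}}")].metadata.namespace}'`. The same `grep {{.PVC}}` lookup is repeated in `.taskfiles/RestoreTasks.yml`, under both `vars` and `env`. Separately, `--privileged` is not needed merely to mount a PVC and an NFS share; keeping it only on the `node` task, which needs host access by design, leaves the volume debug pod least-privilege.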
diff --git a/.taskfiles/RestoreTasks.yml b/.taskfiles/RestoreTasks.yml new file mode 100644 index 00000000..097825ae --- /dev/null +++ b/.taskfiles/RestoreTasks.yml @@ -0,0 +1,31 @@ +--- +version: "3" + +tasks: + + volume: + desc: Create a job to restore a kopia snapshot (ex. task PVC=plex-config-v1 restore:volume) + interactive: true + cmds: + - flux -n {{.NAMESPACE}} suspend helmrelease {{.APP}} + - kubectl -n {{.NAMESPACE}} scale deployment {{.APP}} --replicas 0 + - kubectl -n {{.NAMESPACE}} wait --for delete pod --selector="app.kubernetes.io/name={{.APP}}" --timeout=2m + - envsubst < <(cat ./hack/restore-job.yaml) | kubectl apply -f - + - kubectl -n {{.NAMESPACE}} wait --for condition=complete job {{.APP}}-restore --timeout=60m + - flux -n {{.NAMESPACE}} resume helmrelease {{.APP}} + - kubectl -n {{.NAMESPACE}} logs job/{{.APP}}-restore + - defer: kubectl -n {{.NAMESPACE}} delete job/{{.APP}}-restore + vars: + NAMESPACE: + sh: kubectl get pvc -A | grep {{.PVC}} | awk '{print $1}' + APP: + sh: kubectl -n {{.NAMESPACE}} get pvc {{.PVC}} -o jsonpath='{.metadata.labels.app\.kubernetes\.io\/name}' + env: + PVC: "{{.PVC}}" + NAMESPACE: + sh: kubectl get pvc -A | grep {{.PVC}} | awk '{print $1}' + APP: + sh: kubectl -n {{.NAMESPACE}} get pvc {{.PVC}} -o jsonpath='{.metadata.labels.app\.kubernetes\.io\/name}' + preconditions: + - sh: kubectl -n {{.NAMESPACE}} get pvc {{.PVC}} + msg: "Error: pvc/{{.PVC}} in namespace/{{.NAMESPACE}} not found" diff --git a/.taskfiles/RookTasks.yml b/.taskfiles/RookTasks.yml new file mode 100644 index 00000000..6e65cdf0 --- /dev/null +++ b/.taskfiles/RookTasks.yml 
@@ -0,0 +1,15 @@ +--- +version: "3" + +tasks: + + toolbox: + desc: Exec into the Rook Ceph toolbox + interactive: true + cmds: + - kubectl -n rook-ceph exec -it $(kubectl -n rook-ceph get pod -l "app=rook-direct-mount" -o jsonpath='{.items[0].metadata.name}') -- bash + + password: + desc: Retrieve the rook-ceph dashboard password + cmds: + - kubectl -n rook-ceph get secret rook-ceph-dashboard-password -o jsonpath="{['data']['password']}" | base64 --decode && echo diff --git a/.taskfiles/TerraformTasks.yml b/.taskfiles/TerraformTasks.yml new file mode 100644 index 00000000..ece8edf1 --- /dev/null +++ b/.taskfiles/TerraformTasks.yml @@ -0,0 +1,23 @@ +--- +version: "3" + +tasks: + + init: + desc: Initialize terraform dependencies + dir: terraform + cmds: + - find . -maxdepth 1 -type d \( ! -name . \) -exec bash -c "cd '{}' && terraform init {{.CLI_ARGS}}" \; + + plan: + desc: Show the terraform plan + dir: terraform + cmds: + - find . -maxdepth 1 -type d \( ! -name . \) -exec bash -c "cd '{}' && terraform plan {{.CLI_ARGS}}" \; + + apply: + desc: Apply the terraform changes + dir: terraform + interactive: true + cmds: + - find . -maxdepth 1 -type d \( ! -name . \) -exec bash -c "cd '{}' && terraform apply {{.CLI_ARGS}}" \; diff --git a/.taskfiles/ansible.yml b/.taskfiles/ansible.yml deleted file mode 100644 index 74ceec85..00000000 --- a/.taskfiles/ansible.yml +++ /dev/null 
@@ -1,72 +0,0 @@ ---- -version: '3' - -env: - ANSIBLE_CONFIG: "{{.PROJECT_DIR}}/server/ansible/ansible.cfg" - -vars: - ANSIBLE_PLAYBOOK_DIR: "{{.ANSIBLE_DIR}}/playbooks" - ANSIBLE_INVENTORY_DIR: "{{.ANSIBLE_DIR}}/inventory" - ANSIBLE_MASTER_GROUP: "master-nodes" - ANSIBLE_WORKER_GROUP: "worker-nodes" - -tasks: - - list: - desc: List all the k8s nodes - cmds: - - "ansible {{.ANSIBLE_MASTER_GROUP}}:{{.ANSIBLE_WORKER_GROUP}} -i {{.ANSIBLE_INVENTORY_DIR}}/home-cluster/hosts.yml --list-hosts" - silent: true - - ping: - desc: Ping all the k8s nodes - cmds: - - "ansible {{.ANSIBLE_MASTER_GROUP}}:{{.ANSIBLE_WORKER_GROUP}} -i {{.ANSIBLE_INVENTORY_DIR}}/home-cluster/hosts.yml --one-line -m 'ping'" - silent: true - - uptime: - desc: Uptime of all the k8s nodes - cmds: - - "ansible {{.ANSIBLE_MASTER_GROUP}}:{{.ANSIBLE_WORKER_GROUP}} -i {{.ANSIBLE_INVENTORY_DIR}}/home-cluster/hosts.yml --one-line -a 'uptime -p'" - silent: true - - clean-images: - desc: Clean up stale container images - cmds: - - "ansible {{.ANSIBLE_MASTER_GROUP}}:{{.ANSIBLE_WORKER_GROUP}} -i {{.ANSIBLE_INVENTORY_DIR}}/home-cluster/hosts.yml --one-line -a 'k3s crictl rmi --prune' --become" - silent: true - - purge-manifests: - desc: Delete all manifests under /var/lib/rancher/k3s/server/manifests - cmds: - - "ansible {{.ANSIBLE_MASTER_GROUP}} -i {{.ANSIBLE_INVENTORY_DIR}}/home-cluster/hosts.yml --one-line -a 'rm /var/lib/rancher/k3s/server/manifests/*' --become" - - playbook:ubuntu-prepare: - desc: Prepare all the k8s nodes for running k3s - cmds: - - "ansible-playbook -i {{.ANSIBLE_INVENTORY_DIR}}/home-cluster/hosts.yml {{.ANSIBLE_PLAYBOOK_DIR}}/ubuntu/prepare.yml" - silent: true - - playbook:ubuntu-upgrade: - desc: Upgrade all the k8s nodes operating system - cmds: - - "ansible-playbook -i {{.ANSIBLE_INVENTORY_DIR}}/home-cluster/hosts.yml {{.ANSIBLE_PLAYBOOK_DIR}}/ubuntu/upgrade.yml" - silent: true - - playbook:ubuntu-reboot: - desc: Reboot all the k8s nodes - cmds: - - "ansible 
{{.ANSIBLE_MASTER_GROUP}}:{{.ANSIBLE_WORKER_GROUP}} -i {{.ANSIBLE_INVENTORY_DIR}}/home-cluster/hosts.yml -m reboot" - silent: true - - playbook:k3s-install: - desc: Install k3s on the nodes - cmds: - - "ansible-playbook -i {{.ANSIBLE_INVENTORY_DIR}}/home-cluster/hosts.yml {{.ANSIBLE_PLAYBOOK_DIR}}/k3s/install.yml" - silent: true - - playbook:k3s-upgrade: - desc: Install k3s on the nodes - cmds: - - "ansible-playbook -i {{.ANSIBLE_INVENTORY_DIR}}/home-cluster/hosts.yml {{.ANSIBLE_PLAYBOOK_DIR}}/k3s/upgrade.yml" - silent: true diff --git a/.taskfiles/blocky.yml b/.taskfiles/blocky.yml deleted file mode 100644 index dc3dfdc7..00000000 --- a/.taskfiles/blocky.yml +++ /dev/null @@ -1,20 +0,0 @@ ---- -version: '3' - -tasks: - - enable: - desc: Enable adblocking in blocky - cmds: - - "{{.PROJECT_DIR}}/hack/blocky.sh enable" - preconditions: - - "test -f {{.PROJECT_DIR}}/hack/blocky.sh" - silent: true - - disable: - desc: Disable adblocking in blocky - cmds: - - "{{.PROJECT_DIR}}/hack/blocky.sh disable" - preconditions: - - "test -f {{.PROJECT_DIR}}/hack/blocky.sh" - silent: true diff --git a/.taskfiles/flux.yml b/.taskfiles/flux.yml deleted file mode 100644 index acdf641f..00000000 --- a/.taskfiles/flux.yml +++ /dev/null @@ -1,10 +0,0 @@ ---- -version: '3' - -tasks: - - sync: - desc: Sync flux-system with the Git Repository - cmds: - - flux reconcile source git flux-system - silent: true diff --git a/Taskfile.yml b/Taskfile.yml index fa313ff2..8649f55a 100644 --- a/Taskfile.yml +++ b/Taskfile.yml 
@@ -1,26 +1,10 @@ --- -version: '3' - -vars: - PROJECT_DIR: - sh: "git rev-parse --show-toplevel" - CLUSTER_DIR: "{{.PROJECT_DIR}}/cluster" - ANSIBLE_DIR: "{{.PROJECT_DIR}}/server/ansible" - -env: - KUBECONFIG: "{{.PROJECT_DIR}}/kubeconfig" +version: "3" includes: - ansible: .taskfiles/ansible.yml - blocky: .taskfiles/blocky.yml - flux: .taskfiles/flux.yml - -tasks: - - kubeconfig: - desc: Remotely fetch kubeconfig from k3s - cmds: - - rsync --verbose --progress --partial --rsync-path="sudo rsync" ubuntu@10.75.40.10:/etc/rancher/k3s/k3s.yaml ./kubeconfig - - sed -i '' 's/127.0.0.1/10.75.45.5/g' ./kubeconfig - - chmod go-r kubeconfig - silent: true + ansible: .taskfiles/AnsibleTasks.yml + cluster: .taskfiles/ClusterTasks.yml + debug: .taskfiles/DebugTasks.yml + precommit: .taskfiles/PreCommitTasks.yml + restore: .taskfiles/RestoreTasks.yml + terraform: .taskfiles/TerraformTasks.yml diff --git a/server/ansible/ansible.cfg b/ansible/ansible.cfg similarity index 100% rename from server/ansible/ansible.cfg rename to ansible/ansible.cfg diff --git a/server/ansible/inventory/home-cluster/group_vars/all/calico.yml b/ansible/inventory/home-cluster/group_vars/all/calico.yml similarity index 100% rename from server/ansible/inventory/home-cluster/group_vars/all/calico.yml rename to ansible/inventory/home-cluster/group_vars/all/calico.yml diff --git a/server/ansible/inventory/home-cluster/group_vars/all/k3s.yml b/ansible/inventory/home-cluster/group_vars/all/k3s.yml similarity index 70% rename from server/ansible/inventory/home-cluster/group_vars/all/k3s.yml rename to ansible/inventory/home-cluster/group_vars/all/k3s.yml index fd47ea5a..1d0796c8 100644 --- a/server/ansible/inventory/home-cluster/group_vars/all/k3s.yml +++ b/ansible/inventory/home-cluster/group_vars/all/k3s.yml @@ -1,5 +1,4 @@ --- - # # Below vars are for the xanmanning.k3s role # ...see https://github.com/PyratLabs/ansible-role-k3s#globalcluster-variables 
@@ -24,13 +23,13 @@ k3s_registration_address: 10.75.45.5 k3s_registration_domain: k8s-api.dfw.56k.sh k3s_server_manifests_templates: -- "calico/calico-installation.yaml.j2" -- "calico/calico-bgpconfiguration.yaml.j2" -- "calico/calico-bgppeer.yaml.j2" -- "kube-vip/kube-vip-rbac.yaml.j2" -- "kube-vip/kube-vip-daemonset.yaml.j2" + - "calico/calico-installation.yaml.j2" + - "calico/calico-bgpconfiguration.yaml.j2" + - "calico/calico-bgppeer.yaml.j2" + - "kube-vip/kube-vip-rbac.yaml.j2" + - "kube-vip/kube-vip-daemonset.yaml.j2" # Custom manifest URLs k3s_server_manifests_urls: -- url: https://docs.projectcalico.org/archive/v3.19/manifests/tigera-operator.yaml - filename: tigera-operator.yaml + - url: https://docs.projectcalico.org/archive/v3.19/manifests/tigera-operator.yaml + filename: tigera-operator.yaml diff --git a/server/ansible/inventory/home-cluster/group_vars/all/kube-vip.yml b/ansible/inventory/home-cluster/group_vars/all/kube-vip.yml similarity index 100% rename from server/ansible/inventory/home-cluster/group_vars/all/kube-vip.yml rename to ansible/inventory/home-cluster/group_vars/all/kube-vip.yml diff --git a/server/ansible/inventory/home-cluster/group_vars/all/rsyslog.yml b/ansible/inventory/home-cluster/group_vars/all/rsyslog.yml similarity index 100% rename from server/ansible/inventory/home-cluster/group_vars/all/rsyslog.yml rename to ansible/inventory/home-cluster/group_vars/all/rsyslog.yml diff --git a/server/ansible/inventory/home-cluster/group_vars/all/ubuntu.yml b/ansible/inventory/home-cluster/group_vars/all/ubuntu.yml similarity index 66% rename from server/ansible/inventory/home-cluster/group_vars/all/ubuntu.yml rename to ansible/inventory/home-cluster/group_vars/all/ubuntu.yml index 2332e844..d207d47c 100644 --- a/server/ansible/inventory/home-cluster/group_vars/all/ubuntu.yml +++ b/ansible/inventory/home-cluster/group_vars/all/ubuntu.yml 
@@ -1,5 +1,4 @@ --- - # Enable to skip apt upgrade skip_upgrade_packages: false # Enable to skip removing crufty packages @@ -11,12 +10,11 @@ timezone: "America/Chicago" # Set custom ntp servers ntp_servers: primary: - - "gw.dfw.56k.sh" + - "gw.dfw.56k.sh" fallback: - - "0.us.pool.ntp.org" - - "1.us.pool.ntp.org" - - "2.us.pool.ntp.org" - - "3.us.pool.ntp.org" - + - "0.us.pool.ntp.org" + - "1.us.pool.ntp.org" + - "2.us.pool.ntp.org" + - "3.us.pool.ntp.org" # Additional ssh public keys to add to the nodes -#ssh_authorized_keys: +# ssh_authorized_keys: diff --git a/server/ansible/inventory/home-cluster/group_vars/gpu-nodes/nvidia-settings.yml b/ansible/inventory/home-cluster/group_vars/gpu-nodes/nvidia-settings.yml similarity index 92% rename from server/ansible/inventory/home-cluster/group_vars/gpu-nodes/nvidia-settings.yml rename to ansible/inventory/home-cluster/group_vars/gpu-nodes/nvidia-settings.yml index 906ed492..240e3e09 100644 --- a/server/ansible/inventory/home-cluster/group_vars/gpu-nodes/nvidia-settings.yml +++ b/ansible/inventory/home-cluster/group_vars/gpu-nodes/nvidia-settings.yml @@ -6,4 +6,4 @@ nvidia_driver: nvidia_patch: version: "d5d564b888aaef99fdd45e23f2fc3eae8e337a39" - checksum: "sha256:d80928c381d141734c13463d69bfaecff77ac66ee6f9036b2f0348b8602989d8" \ No newline at end of file + checksum: "sha256:d80928c381d141734c13463d69bfaecff77ac66ee6f9036b2f0348b8602989d8" diff --git a/server/ansible/inventory/home-cluster/group_vars/master-nodes/k3s-settings.yml b/ansible/inventory/home-cluster/group_vars/master-nodes/k3s-settings.yml similarity index 64% rename from server/ansible/inventory/home-cluster/group_vars/master-nodes/k3s-settings.yml rename to ansible/inventory/home-cluster/group_vars/master-nodes/k3s-settings.yml index 894cceb9..db5b0ea2 100644 --- a/server/ansible/inventory/home-cluster/group_vars/master-nodes/k3s-settings.yml +++ b/ansible/inventory/home-cluster/group_vars/master-nodes/k3s-settings.yml 
@@ -1,5 +1,4 @@ --- - # https://rancher.com/docs/k3s/latest/en/installation/install-options/server-config/ # https://github.com/PyratLabs/ansible-role-k3s#server-control-plane-configuration @@ -10,16 +9,16 @@ k3s_control_node: true k3s_server: node-ip: "{{ ansible_host }}" tls-san: - - "{{ k3s_registration_domain }}" - - "{{ k3s_registration_address }}" + - "{{ k3s_registration_domain }}" + - "{{ k3s_registration_address }}" docker: false - flannel-backend: 'none' # This needs to be in quotes + flannel-backend: "none" # This needs to be in quotes disable: - - flannel - - traefik - - servicelb - - metrics-server - - local-storage + - flannel + - traefik + - servicelb + - metrics-server + - local-storage disable-network-policy: true disable-cloud-controller: true write-kubeconfig-mode: "644" @@ -28,14 +27,14 @@ k3s_server: # Network CIDR to use for service IPs service-cidr: "172.24.0.0/16" kubelet-arg: - - "feature-gates=GracefulNodeShutdown=true" + - "feature-gates=GracefulNodeShutdown=true" # Required to use kube-prometheus-stack kube-controller-manager-arg: - - "address=0.0.0.0" - - "bind-address=0.0.0.0" + - "address=0.0.0.0" + - "bind-address=0.0.0.0" kube-proxy-arg: - - "metrics-bind-address=0.0.0.0" + - "metrics-bind-address=0.0.0.0" kube-scheduler-arg: - - "address=0.0.0.0" - - "bind-address=0.0.0.0" + - "address=0.0.0.0" + - "bind-address=0.0.0.0" etcd-expose-metrics: true diff --git a/server/ansible/inventory/home-cluster/group_vars/worker-nodes/k3s-settings.yml b/ansible/inventory/home-cluster/group_vars/worker-nodes/k3s-settings.yml similarity index 87% rename from server/ansible/inventory/home-cluster/group_vars/worker-nodes/k3s-settings.yml rename to ansible/inventory/home-cluster/group_vars/worker-nodes/k3s-settings.yml index 7b16c328..8584868b 100644 --- a/server/ansible/inventory/home-cluster/group_vars/worker-nodes/k3s-settings.yml +++ b/ansible/inventory/home-cluster/group_vars/worker-nodes/k3s-settings.yml 
@@ -1,5 +1,4 @@ --- - # https://rancher.com/docs/k3s/latest/en/installation/install-options/agent-config/ # https://github.com/PyratLabs/ansible-role-k3s#agent-worker-configuration @@ -10,4 +9,4 @@ k3s_control_node: false k3s_agent: node-ip: "{{ ansible_host }}" kubelet-arg: - - "feature-gates=GracefulNodeShutdown=true" + - "feature-gates=GracefulNodeShutdown=true" diff --git a/server/ansible/inventory/home-cluster/host_vars/k8s-cuda01.yml b/ansible/inventory/home-cluster/host_vars/k8s-cuda01.yml similarity index 94% rename from server/ansible/inventory/home-cluster/host_vars/k8s-cuda01.yml rename to ansible/inventory/home-cluster/host_vars/k8s-cuda01.yml index a9e062e5..87437932 100644 --- a/server/ansible/inventory/home-cluster/host_vars/k8s-cuda01.yml +++ b/ansible/inventory/home-cluster/host_vars/k8s-cuda01.yml @@ -1,5 +1,4 @@ --- - # IP address of node ansible_host: "10.75.40.24" @@ -13,4 +12,4 @@ ansible_become_pass: "ubuntu" rook_ceph: enabled: false devices: - - /dev/nvme0n1 + - /dev/nvme0n1 diff --git a/server/ansible/inventory/home-cluster/host_vars/k8s-master01.yml b/ansible/inventory/home-cluster/host_vars/k8s-master01.yml similarity index 100% rename from server/ansible/inventory/home-cluster/host_vars/k8s-master01.yml rename to ansible/inventory/home-cluster/host_vars/k8s-master01.yml diff --git a/server/ansible/inventory/home-cluster/host_vars/k8s-master02.yml b/ansible/inventory/home-cluster/host_vars/k8s-master02.yml similarity index 100% rename from server/ansible/inventory/home-cluster/host_vars/k8s-master02.yml rename to ansible/inventory/home-cluster/host_vars/k8s-master02.yml diff --git a/server/ansible/inventory/home-cluster/host_vars/k8s-master03.yml b/ansible/inventory/home-cluster/host_vars/k8s-master03.yml similarity index 100% rename from server/ansible/inventory/home-cluster/host_vars/k8s-master03.yml rename to ansible/inventory/home-cluster/host_vars/k8s-master03.yml 
diff --git a/server/ansible/inventory/home-cluster/host_vars/k8s-worker01.yml b/ansible/inventory/home-cluster/host_vars/k8s-worker01.yml similarity index 94% rename from server/ansible/inventory/home-cluster/host_vars/k8s-worker01.yml rename to ansible/inventory/home-cluster/host_vars/k8s-worker01.yml index c0c185a3..d2b311d3 100644 --- a/server/ansible/inventory/home-cluster/host_vars/k8s-worker01.yml +++ b/ansible/inventory/home-cluster/host_vars/k8s-worker01.yml @@ -1,5 +1,4 @@ --- - # IP address of node ansible_host: "10.75.40.20" @@ -13,4 +12,4 @@ ansible_become_pass: "ubuntu" rook_ceph: enabled: false devices: - - /dev/nvme0n1 + - /dev/nvme0n1 diff --git a/server/ansible/inventory/home-cluster/host_vars/k8s-worker02.yml b/ansible/inventory/home-cluster/host_vars/k8s-worker02.yml similarity index 94% rename from server/ansible/inventory/home-cluster/host_vars/k8s-worker02.yml rename to ansible/inventory/home-cluster/host_vars/k8s-worker02.yml index 292f888b..28a69c52 100644 --- a/server/ansible/inventory/home-cluster/host_vars/k8s-worker02.yml +++ b/ansible/inventory/home-cluster/host_vars/k8s-worker02.yml @@ -1,5 +1,4 @@ --- - # IP address of node ansible_host: "10.75.40.21" @@ -13,4 +12,4 @@ ansible_become_pass: "ubuntu" rook_ceph: enabled: false devices: - - /dev/nvme0n1 + - /dev/nvme0n1 diff --git a/server/ansible/inventory/home-cluster/host_vars/k8s-worker03.yml b/ansible/inventory/home-cluster/host_vars/k8s-worker03.yml similarity index 94% rename from server/ansible/inventory/home-cluster/host_vars/k8s-worker03.yml rename to ansible/inventory/home-cluster/host_vars/k8s-worker03.yml index 8c0834d0..706e01e8 100644 --- a/server/ansible/inventory/home-cluster/host_vars/k8s-worker03.yml +++ b/ansible/inventory/home-cluster/host_vars/k8s-worker03.yml @@ -1,5 +1,4 @@ --- - # IP address of node ansible_host: "10.75.40.22" @@ -13,4 +12,4 @@ ansible_become_pass: "ubuntu" rook_ceph: enabled: false devices: - - /dev/nvme0n1 + - /dev/nvme0n1 
diff --git a/server/ansible/inventory/home-cluster/host_vars/k8s-worker04.yml b/ansible/inventory/home-cluster/host_vars/k8s-worker04.yml similarity index 94% rename from server/ansible/inventory/home-cluster/host_vars/k8s-worker04.yml rename to ansible/inventory/home-cluster/host_vars/k8s-worker04.yml index e0d21ea1..e045ddcb 100644 --- a/server/ansible/inventory/home-cluster/host_vars/k8s-worker04.yml +++ b/ansible/inventory/home-cluster/host_vars/k8s-worker04.yml @@ -1,5 +1,4 @@ --- - # IP address of node ansible_host: "10.75.40.23" @@ -13,4 +12,4 @@ ansible_become_pass: "ubuntu" rook_ceph: enabled: false devices: - - /dev/nvme0n1 + - /dev/nvme0n1 diff --git a/server/ansible/inventory/home-cluster/host_vars/nas-franxx.yml b/ansible/inventory/home-cluster/host_vars/nas-franxx.yml similarity index 100% rename from server/ansible/inventory/home-cluster/host_vars/nas-franxx.yml rename to ansible/inventory/home-cluster/host_vars/nas-franxx.yml diff --git a/server/ansible/inventory/home-cluster/hosts.yml b/ansible/inventory/home-cluster/hosts.yml similarity index 100% rename from server/ansible/inventory/home-cluster/hosts.yml rename to ansible/inventory/home-cluster/hosts.yml diff --git a/ansible/playbooks/k3s/install.yml b/ansible/playbooks/k3s/install.yml new file mode 100644 index 00000000..3f2b3e8d --- /dev/null +++ b/ansible/playbooks/k3s/install.yml @@ -0,0 +1,26 @@ +--- +- hosts: + - master-nodes + - worker-nodes + - gpu-nodes + become: true + gather_facts: true + any_errors_fatal: true + pre_tasks: + - name: Pausing for 5 seconds... + pause: + seconds: 5 + roles: + - k3s + +- hosts: + - gpu-nodes + become: true + gather_facts: true + any_errors_fatal: true + pre_tasks: + - name: Pausing for 5 seconds... + pause: + seconds: 5 + roles: + - nvidia diff --git a/ansible/playbooks/k3s/nuke.yml b/ansible/playbooks/k3s/nuke.yml new file mode 100644 index 00000000..f9523f14 --- /dev/null +++ b/ansible/playbooks/k3s/nuke.yml 
@@ -0,0 +1,33 @@ +--- +- hosts: + - master-nodes + - worker-nodes + - gpu-nodes + become: true + gather_facts: true + any_errors_fatal: true + pre_tasks: + - name: Pausing for 5 seconds... + pause: + seconds: 5 + tasks: + - name: kill k3s + ansible.builtin.command: /usr/local/bin/k3s-killall.sh + - name: uninstall k3s + ansible.builtin.command: + cmd: /usr/local/bin/k3s-uninstall.sh + removes: /usr/local/bin/k3s-uninstall.sh + - name: uninstall k3s agent + ansible.builtin.command: + cmd: /usr/local/bin/k3s-agent-uninstall.sh + removes: /usr/local/bin/k3s-agent-uninstall.sh + - name: gather list of CNI files to delete + find: + paths: /etc/cni/net.d + patterns: "*" + register: files_to_delete + - name: delete CNI files + ansible.builtin.file: + path: "{{ item.path }}" + state: absent + loop: "{{ files_to_delete.files }}" diff --git a/ansible/playbooks/k3s/upgrade.yml b/ansible/playbooks/k3s/upgrade.yml new file mode 100644 index 00000000..63a1e529 --- /dev/null +++ b/ansible/playbooks/k3s/upgrade.yml @@ -0,0 +1,14 @@ +--- +- hosts: + - master-nodes + - worker-nodes + - gpu-nodes + become: true + gather_facts: true + any_errors_fatal: true + pre_tasks: + - name: Pausing for 5 seconds... + pause: + seconds: 5 + roles: + - k3s diff --git a/ansible/playbooks/ubuntu/prepare.yml b/ansible/playbooks/ubuntu/prepare.yml new file mode 100644 index 00000000..e9fe88c1 --- /dev/null +++ b/ansible/playbooks/ubuntu/prepare.yml @@ -0,0 +1,14 @@ +--- +- hosts: + - master-nodes + - worker-nodes + - gpu-nodes + become: true + gather_facts: true + any_errors_fatal: true + pre_tasks: + - name: Pausing for 5 seconds... + pause: + seconds: 5 + roles: + - ubuntu diff --git a/ansible/playbooks/ubuntu/upgrade.yml b/ansible/playbooks/ubuntu/upgrade.yml new file mode 100644 index 00000000..dfc98c69 --- /dev/null +++ b/ansible/playbooks/ubuntu/upgrade.yml 
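Review bot: In nuke.yml, `kill k3s` runs `/usr/local/bin/k3s-killall.sh` unconditionally while the two uninstall tasks below it are guarded with `removes:`; on a host that has no k3s (a freshly added node, or a second run of this playbook) the first task fails and, with `any_errors_fatal: true`, aborts the play for every host. Give it the same guard: `ansible.builtin.command:` / `cmd: /usr/local/bin/k3s-killall.sh` / `removes: /usr/local/bin/k3s-killall.sh`. The only thing between a mistyped inventory limit and wiping every node is a five-second `pause`; a `pause:` with neither `seconds` nor `minutes` waits for the operator to press Enter, which is a cheaper safeguard for a playbook named nuke.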
@@ -0,0 +1,23 @@ +--- +- hosts: + - master-nodes + - worker-nodes + - gpu-nodes + become: true + gather_facts: true + any_errors_fatal: true + pre_tasks: + - name: Pausing for 5 seconds... + pause: + seconds: 5 + tasks: + - name: upgrade + ansible.builtin.apt: + upgrade: full + update_cache: true + cache_valid_time: 3600 + autoclean: true + autoremove: true + register: apt_upgrade + retries: 5 + until: apt_upgrade is success diff --git a/server/ansible/requirements.txt b/ansible/requirements.txt similarity index 100% rename from server/ansible/requirements.txt rename to ansible/requirements.txt diff --git a/ansible/requirements.yml b/ansible/requirements.yml new file mode 100644 index 00000000..d1fa4490 --- /dev/null +++ b/ansible/requirements.yml @@ -0,0 +1,6 @@ +--- +roles: + - src: xanmanning.k3s + version: v2.11.1 +collections: + - name: community.general diff --git a/server/ansible/roles/k3s/tasks/addons.yml b/ansible/roles/k3s/tasks/addons.yml similarity index 100% rename from server/ansible/roles/k3s/tasks/addons.yml rename to ansible/roles/k3s/tasks/addons.yml diff --git a/server/ansible/roles/k3s/tasks/cleanup.yml b/ansible/roles/k3s/tasks/cleanup.yml similarity index 100% rename from server/ansible/roles/k3s/tasks/cleanup.yml rename to ansible/roles/k3s/tasks/cleanup.yml diff --git a/server/ansible/roles/k3s/tasks/main.yml b/ansible/roles/k3s/tasks/main.yml similarity index 74% rename from server/ansible/roles/k3s/tasks/main.yml rename to ansible/roles/k3s/tasks/main.yml index fc7c81e7..1df3a716 100644 --- a/server/ansible/roles/k3s/tasks/main.yml +++ b/ansible/roles/k3s/tasks/main.yml @@ -1,18 +1,17 @@ --- - - include: addons.yml tags: - - addons + - addons - name: k3s | cluster configuration include_role: name: xanmanning.k3s - public: yes + public: true - include: cleanup.yml tags: - - cleanup + - cleanup - include: kubeconfig.yml tags: - - kubeconfig + - kubeconfig 
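Review bot: The `upgrade` task in ansible/playbooks/ubuntu/upgrade.yml is a line-for-line copy of `packages | upgrade all packages` in ansible/roles/ubuntu/tasks/packages.yml further down this diff (same apt arguments, `retries: 5`, `until: apt_upgrade is success`), minus that task's `skip_upgrade_packages` guard, and the two will drift the first time one of them is tuned. Factor the apt call into one task file that both the role and this playbook pull in with `ansible.builtin.import_tasks`, or tag the role's upgrade task and run the role from here. If the duplication is intended, a one-line comment above the task, e.g. `# kept in sync with roles/ubuntu/tasks/packages.yml`, saves the next reader the comparison.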
diff --git a/server/ansible/roles/k3s/templates/calico/calico-bgpconfiguration.yaml.j2 b/ansible/roles/k3s/templates/calico/calico-bgpconfiguration.yaml.j2 similarity index 100% rename from server/ansible/roles/k3s/templates/calico/calico-bgpconfiguration.yaml.j2 rename to ansible/roles/k3s/templates/calico/calico-bgpconfiguration.yaml.j2 diff --git a/server/ansible/roles/k3s/templates/calico/calico-bgppeer.yaml.j2 b/ansible/roles/k3s/templates/calico/calico-bgppeer.yaml.j2 similarity index 100% rename from server/ansible/roles/k3s/templates/calico/calico-bgppeer.yaml.j2 rename to ansible/roles/k3s/templates/calico/calico-bgppeer.yaml.j2 diff --git a/server/ansible/roles/k3s/templates/calico/calico-installation.yaml.j2 b/ansible/roles/k3s/templates/calico/calico-installation.yaml.j2 similarity index 100% rename from server/ansible/roles/k3s/templates/calico/calico-installation.yaml.j2 rename to ansible/roles/k3s/templates/calico/calico-installation.yaml.j2 diff --git a/server/ansible/roles/k3s/templates/kube-vip/kube-vip-daemonset.yaml.j2 b/ansible/roles/k3s/templates/kube-vip/kube-vip-daemonset.yaml.j2 similarity index 100% rename from server/ansible/roles/k3s/templates/kube-vip/kube-vip-daemonset.yaml.j2 rename to ansible/roles/k3s/templates/kube-vip/kube-vip-daemonset.yaml.j2 diff --git a/server/ansible/roles/k3s/templates/kube-vip/kube-vip-rbac.yaml.j2 b/ansible/roles/k3s/templates/kube-vip/kube-vip-rbac.yaml.j2 similarity index 100% rename from server/ansible/roles/k3s/templates/kube-vip/kube-vip-rbac.yaml.j2 rename to ansible/roles/k3s/templates/kube-vip/kube-vip-rbac.yaml.j2 diff --git a/ansible/roles/nvidia/files/blacklist-nouveau.conf b/ansible/roles/nvidia/files/blacklist-nouveau.conf new file mode 100644 index 00000000..c9b9bfcf --- /dev/null +++ b/ansible/roles/nvidia/files/blacklist-nouveau.conf @@ -0,0 +1,2 @@ +blacklist nouveau +options nouveau modeset=0 
diff --git a/server/ansible/roles/nvidia/files/config.toml.tmpl b/ansible/roles/nvidia/files/config.toml.tmpl similarity index 99% rename from server/ansible/roles/nvidia/files/config.toml.tmpl rename to ansible/roles/nvidia/files/config.toml.tmpl index aa2b3eb3..c4778987 100644 --- a/server/ansible/roles/nvidia/files/config.toml.tmpl +++ b/ansible/roles/nvidia/files/config.toml.tmpl @@ -50,4 +50,4 @@ {{ if $v.TLS.InsecureSkipVerify }}insecure_skip_verify = true{{end}} {{end}} {{end}} -{{end}} \ No newline at end of file +{{end}} diff --git a/server/ansible/roles/nvidia/tasks/container-runtime.yml b/ansible/roles/nvidia/tasks/container-runtime.yml similarity index 58% rename from server/ansible/roles/nvidia/tasks/container-runtime.yml rename to ansible/roles/nvidia/tasks/container-runtime.yml index 7e392468..fe08c8b3 100644 --- a/server/ansible/roles/nvidia/tasks/container-runtime.yml +++ b/ansible/roles/nvidia/tasks/container-runtime.yml @@ -1,5 +1,4 @@ --- - - name: container-runtime | add apt key ansible.builtin.apt_key: url: https://nvidia.github.io/nvidia-container-runtime/gpgkey 
@@ -10,13 +9,13 @@ repo: "{{ item }}" state: present mode: 0644 - update_cache: yes + update_cache: true filename: nvidia-container-runtime with_items: - - "deb https://nvidia.github.io/libnvidia-container/stable/{{ ansible_distribution | lower }}{{ ansible_distribution_version }}/$(ARCH) /" - - "deb https://nvidia.github.io/nvidia-container-runtime/stable/{{ ansible_distribution | lower }}{{ ansible_distribution_version }}/$(ARCH) /" + - "deb https://nvidia.github.io/libnvidia-container/stable/{{ ansible_distribution | lower }}{{ ansible_distribution_version }}/$(ARCH) /" + - "deb https://nvidia.github.io/nvidia-container-runtime/stable/{{ ansible_distribution | lower }}{{ ansible_distribution_version }}/$(ARCH) /" - name: container-runtime | install nvidia-container-runtime ansible.builtin.apt: name: "nvidia-container-runtime" - state: present \ No newline at end of file + state: present diff --git a/server/ansible/roles/nvidia/tasks/driver.yml b/ansible/roles/nvidia/tasks/driver.yml similarity index 95% rename from server/ansible/roles/nvidia/tasks/driver.yml rename to ansible/roles/nvidia/tasks/driver.yml index eb9d4240..4cd27b8c 100644 --- a/server/ansible/roles/nvidia/tasks/driver.yml +++ b/ansible/roles/nvidia/tasks/driver.yml @@ -1,5 +1,4 @@ --- - - name: driver | blacklist nouveau driver ansible.builtin.copy: src: files/blacklist-nouveau.conf @@ -19,15 +18,15 @@ name: "{{ item }}" state: present with_items: - - "dkms" - - "build-essential" + - "dkms" + - "build-essential" - name: driver | download nvidia driver ansible.builtin.get_url: url: https://international.download.nvidia.com/XFree86/Linux-x86_64/{{ nvidia_driver.version }}/NVIDIA-Linux-x86_64-{{ nvidia_driver.version }}.run dest: /tmp/NVIDIA-Linux-x86_64-{{ nvidia_driver.version }}.run checksum: "{{ nvidia_driver.checksum }}" - mode: '0755' + mode: "0755" - name: driver | install nvidia driver ansible.builtin.command: 
diff --git a/server/ansible/roles/nvidia/tasks/k3s-agent.yml b/ansible/roles/nvidia/tasks/k3s-agent.yml similarity index 100% rename from server/ansible/roles/nvidia/tasks/k3s-agent.yml rename to ansible/roles/nvidia/tasks/k3s-agent.yml diff --git a/server/ansible/roles/nvidia/tasks/main.yml b/ansible/roles/nvidia/tasks/main.yml similarity index 91% rename from server/ansible/roles/nvidia/tasks/main.yml rename to ansible/roles/nvidia/tasks/main.yml index 21806beb..15b318fc 100644 --- a/server/ansible/roles/nvidia/tasks/main.yml +++ b/ansible/roles/nvidia/tasks/main.yml @@ -7,11 +7,11 @@ - include: patch.yml tags: - patch - + - include: container-runtime.yml tags: - container-runtime - include: k3s-agent.yml tags: - - k3s-agent \ No newline at end of file + - k3s-agent diff --git a/server/ansible/roles/nvidia/tasks/patch.yml b/ansible/roles/nvidia/tasks/patch.yml similarity index 100% rename from server/ansible/roles/nvidia/tasks/patch.yml rename to ansible/roles/nvidia/tasks/patch.yml diff --git a/ansible/roles/ubuntu/defaults/main.yml b/ansible/roles/ubuntu/defaults/main.yml new file mode 100644 index 00000000..e1fb1945 --- /dev/null +++ b/ansible/roles/ubuntu/defaults/main.yml @@ -0,0 +1,46 @@ +--- +packages: + apt_install: + - apt-transport-https + - arptables + - ca-certificates + - curl + - ebtables + - gdisk + - hdparm + - htop + - iputils-ping + - ipvsadm + - net-tools + - nfs-common + - nano + - ntpdate + - open-iscsi + - psmisc + - socat + - software-properties-common + - unattended-upgrades + - unzip + apt_remove: + - apport + - bcache-tools + - btrfs-progs + - byobu + - cloud-init + - cloud-guest-utils + - cloud-initramfs-copymods + - cloud-initramfs-dyn-netconf + - friendly-recovery + - fwupd + - landscape-common + - lxd-agent-loader + - ntfs-3g + - open-vm-tools + - plymouth + - plymouth-theme-ubuntu-text + - popularity-contest + - snapd + - sosreport + - tmux + - ubuntu-advantage-tools + - ufw 
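Review bot: `apt_remove` in ansible/roles/ubuntu/defaults/main.yml drops `ufw`, which leaves the nodes without a host firewall, and nothing in this defaults file or the visible role tasks puts another one in its place; the master-node k3s group vars in this same diff bind the controller-manager, scheduler and kube-proxy metrics endpoints to `0.0.0.0`, so those ports are reachable from anywhere that can route to a node. If that is deliberate (filtering done by network policy or upstream of the nodes), record it next to the entry: `- ufw  # removed on purpose: nodes run without a host firewall, filtering is done elsewhere — confirm`. A short comment on why each group of packages is removed (`apport`/`sosreport`, the `cloud-init` set, `snapd`) would make the list auditable later without re-deriving the intent.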
diff --git a/server/ansible/roles/ubuntu/handlers/main.yml b/ansible/roles/ubuntu/handlers/main.yml similarity index 100% rename from server/ansible/roles/ubuntu/handlers/main.yml rename to ansible/roles/ubuntu/handlers/main.yml diff --git a/server/ansible/roles/ubuntu/tasks/boot.yml b/ansible/roles/ubuntu/tasks/boot.yml similarity index 91% rename from server/ansible/roles/ubuntu/tasks/boot.yml rename to ansible/roles/ubuntu/tasks/boot.yml index 5f0643fe..760f8c67 100644 --- a/server/ansible/roles/ubuntu/tasks/boot.yml +++ b/ansible/roles/ubuntu/tasks/boot.yml @@ -1,5 +1,4 @@ --- - - name: boot | grub | check for existence of grub ansible.builtin.stat: path: /etc/default/grub @@ -14,7 +13,7 @@ option: apparmor value: 0 when: - - grub_result.stat.exists + - grub_result.stat.exists notify: reboot - name: boot | grub | set mitigations=off @@ -26,7 +25,7 @@ option: mitigations value: "off" when: - - grub_result.stat.exists + - grub_result.stat.exists notify: reboot - name: boot | grub | set pti=off @@ -38,10 +37,10 @@ option: pti value: "off" when: - - grub_result.stat.exists + - grub_result.stat.exists notify: reboot - name: boot | grub | run grub-mkconfig ansible.builtin.command: grub-mkconfig -o /boot/grub/grub.cfg when: - - grub_result.stat.exists + - grub_result.stat.exists diff --git a/server/ansible/roles/ubuntu/tasks/filesystem.yml b/ansible/roles/ubuntu/tasks/filesystem.yml similarity index 100% rename from server/ansible/roles/ubuntu/tasks/filesystem.yml rename to ansible/roles/ubuntu/tasks/filesystem.yml diff --git a/server/ansible/roles/ubuntu/tasks/host.yml b/ansible/roles/ubuntu/tasks/host.yml similarity index 74% rename from server/ansible/roles/ubuntu/tasks/host.yml rename to ansible/roles/ubuntu/tasks/host.yml index 21c08dca..3582ba57 100644 --- a/server/ansible/roles/ubuntu/tasks/host.yml +++ b/ansible/roles/ubuntu/tasks/host.yml 
@@ -1,7 +1,6 @@ --- - - name: host | hostname | update inventory hostname ansible.builtin.hostname: name: "{{ inventory_hostname }}" when: - - ansible_hostname != inventory_hostname + - ansible_hostname != inventory_hostname diff --git a/server/ansible/roles/ubuntu/tasks/kernel.yml b/ansible/roles/ubuntu/tasks/kernel.yml similarity index 77% rename from server/ansible/roles/ubuntu/tasks/kernel.yml rename to ansible/roles/ubuntu/tasks/kernel.yml index eaed8aa7..a26592b5 100644 --- a/server/ansible/roles/ubuntu/tasks/kernel.yml +++ b/ansible/roles/ubuntu/tasks/kernel.yml @@ -1,13 +1,12 @@ --- - - name: kernel | modules | enable at runtime community.general.modprobe: name: "{{ item }}" state: present loop: - - br_netfilter - - overlay - - rbd + - br_netfilter + - overlay + - rbd - name: kernel | modules | enable on boot ansible.builtin.copy: @@ -15,6 +14,6 @@ content: "{{ item }}" dest: "/etc/modules-load.d/{{ item }}.conf" loop: - - br_netfilter - - overlay - - rbd + - br_netfilter + - overlay + - rbd diff --git a/server/ansible/roles/ubuntu/tasks/locale.yml b/ansible/roles/ubuntu/tasks/locale.yml similarity index 77% rename from server/ansible/roles/ubuntu/tasks/locale.yml rename to ansible/roles/ubuntu/tasks/locale.yml index 65a2a8d0..ab3e19a4 100644 --- a/server/ansible/roles/ubuntu/tasks/locale.yml +++ b/ansible/roles/ubuntu/tasks/locale.yml @@ -1,5 +1,4 @@ --- - - name: locale | set timezone community.general.timezone: name: "{{ timezone | default('America/Chicago') }}" 
@@ -13,12 +12,12 @@ FallbackNTP={{ ntp_servers.fallback | join(" ") }} dest: /etc/systemd/timesyncd.conf when: - - ntp_servers.primary is defined - - ntp_servers.primary is iterable - - ntp_servers.primary | length > 0 - - ntp_servers.fallback is defined - - ntp_servers.fallback is iterable - - ntp_servers.fallback | length > 0 + - ntp_servers.primary is defined + - ntp_servers.primary is iterable + - ntp_servers.primary | length > 0 + - ntp_servers.fallback is defined + - ntp_servers.fallback is iterable + - ntp_servers.fallback | length > 0 - name: locale | start systemd service ansible.builtin.systemd: @@ -42,4 +41,4 @@ - name: locale | enable ntp ansible.builtin.command: /usr/bin/timedatectl set-ntp true when: - - "'NTP=no' in timedatectl_result.stdout" + - "'NTP=no' in timedatectl_result.stdout" diff --git a/server/ansible/roles/ubuntu/tasks/main.yml b/ansible/roles/ubuntu/tasks/main.yml similarity index 100% rename from server/ansible/roles/ubuntu/tasks/main.yml rename to ansible/roles/ubuntu/tasks/main.yml diff --git a/server/ansible/roles/ubuntu/tasks/network.yml b/ansible/roles/ubuntu/tasks/network.yml similarity index 86% rename from server/ansible/roles/ubuntu/tasks/network.yml rename to ansible/roles/ubuntu/tasks/network.yml index 0bba700a..9224bd3d 100644 --- a/server/ansible/roles/ubuntu/tasks/network.yml +++ b/ansible/roles/ubuntu/tasks/network.yml @@ -1,5 +1,4 @@ --- - - name: network | check for bridge-nf-call-iptables ansible.builtin.stat: path: /proc/sys/net/bridge/bridge-nf-call-iptables 
@@ -14,14 +13,14 @@ net.ipv4.ip_forward = 1 net.bridge.bridge-nf-call-iptables = 1 when: - - bridge_nf_call_iptables_result.stat.exists + - bridge_nf_call_iptables_result.stat.exists register: sysctl_network - name: network | sysctl | reload ansible.builtin.shell: sysctl -p /etc/sysctl.d/99-kubernetes-cri.conf when: - - sysctl_network.changed - - bridge_nf_call_iptables_result.stat.exists + - sysctl_network.changed + - bridge_nf_call_iptables_result.stat.exists - name: network | check for vm cloud-init config ansible.builtin.stat: @@ -33,7 +32,7 @@ path: /etc/netplan/50-cloud-init.yaml regexp: '^\s*mtu' insertafter: '^\s*set-name: eth1' - line: ' mtu: 9000' + line: " mtu: 9000" register: netplan_apply when: cloud_init_result.stat.exists diff --git a/ansible/roles/ubuntu/tasks/packages.yml b/ansible/roles/ubuntu/tasks/packages.yml new file mode 100644 index 00000000..af98dded --- /dev/null +++ b/ansible/roles/ubuntu/tasks/packages.yml 
@@ -0,0 +1,94 @@ +--- +- name: packages | disable recommends + ansible.builtin.blockinfile: + path: /etc/apt/apt.conf.d/02norecommends + mode: 0644 + create: true + block: | + APT::Install-Recommends "false"; + APT::Install-Suggests "false"; + APT::Get::Install-Recommends "false"; + APT::Get::Install-Suggests "false"; + +- name: packages | upgrade all packages + ansible.builtin.apt: + upgrade: full + update_cache: true + cache_valid_time: 3600 + autoclean: true + autoremove: true + register: apt_upgrade + retries: 5 + until: apt_upgrade is success + when: + - (skip_upgrade_packages is not defined or (skip_upgrade_packages is defined and not skip_upgrade_packages)) + +- name: packages | install common + ansible.builtin.apt: + name: "{{ packages.apt_install }}" + install_recommends: false + update_cache: true + cache_valid_time: 3600 + autoclean: true + autoremove: true + register: apt_install_common + retries: 5 + until: apt_install_common is success + when: + - packages.apt_install is defined + - packages.apt_install is iterable + - packages.apt_install | length > 0 + +- name: packages | remove crufty packages + block: + - name: packages | remove crufty packages | gather install packages + ansible.builtin.package_facts: + manager: auto + when: + - "'snapd' in packages.apt_remove" + - name: packages | remove crufty packages | check if snap is installed + ansible.builtin.debug: + msg: "snapd is installed" + register: snapd_check + when: + - "'snapd' in packages.apt_remove" + - "'snapd' in ansible_facts.packages" + - name: packages | remove crufty packages | remove snap packages + + ansible.builtin.command: snap remove {{ item }} + loop: + - lxd + - core18 + - snapd + when: + - "'snapd' in packages.apt_remove" + - "'snapd' in ansible_facts.packages" + - snapd_check.failed is defined + - name: packages | remove crufty packages | remove packages + + ansible.builtin.apt: + name: "{{ packages.apt_remove }}" + state: absent + autoremove: true + - name: packages | remove 
crufty packages | remove crufty files + + ansible.builtin.file: + state: absent + path: "{{ item }}" + loop: + - "/home/{{ ansible_user }}/.snap" + - "/snap" + - "/var/snap" + - "/var/lib/snapd" + - "/var/cache/snapd" + - "/usr/lib/snapd" + - "/etc/cloud" + - "/var/lib/cloud" + when: + - "'snapd' in packages.apt_remove" + - "'cloud-init' in packages.apt_remove" + when: + - packages.apt_remove is defined + - packages.apt_remove is iterable + - packages.apt_remove | length > 0 + - (skip_remove_packages is not defined or (skip_remove_packages is defined and not skip_remove_packages)) diff --git a/server/ansible/roles/ubuntu/tasks/power-button.yml b/ansible/roles/ubuntu/tasks/power-button.yml similarity index 89% rename from server/ansible/roles/ubuntu/tasks/power-button.yml rename to ansible/roles/ubuntu/tasks/power-button.yml index c5bd0172..18d93524 100644 --- a/server/ansible/roles/ubuntu/tasks/power-button.yml +++ b/ansible/roles/ubuntu/tasks/power-button.yml @@ -1,12 +1,11 @@ --- - - name: power-button | disable single power button press shutdown ansible.builtin.lineinfile: path: /etc/systemd/logind.conf regexp: "{{ item.setting }}" line: "{{ item.setting }}={{ item.value }}" loop: - - { setting: HandlePowerKey, value: ignore } + - { setting: HandlePowerKey, value: ignore } - name: power-button | restart logind systemd service ansible.builtin.systemd: diff --git a/server/ansible/roles/ubuntu/tasks/rsyslog.yml b/ansible/roles/ubuntu/tasks/rsyslog.yml similarity index 100% rename from server/ansible/roles/ubuntu/tasks/rsyslog.yml rename to ansible/roles/ubuntu/tasks/rsyslog.yml diff --git a/server/ansible/roles/ubuntu/tasks/unattended-upgrades.yml b/ansible/roles/ubuntu/tasks/unattended-upgrades.yml similarity index 100% rename from server/ansible/roles/ubuntu/tasks/unattended-upgrades.yml rename to ansible/roles/ubuntu/tasks/unattended-upgrades.yml 
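Review bot: The `remove crufty files` task in the new `packages.yml` only runs when both `'snapd'` and `'cloud-init'` appear in `packages.apt_remove`, because its two `when` items are ANDed, so a host that purges only one of the two keeps `/etc/cloud` and `/var/lib/cloud` (cloud-init's datasource and instance state) or the `/var/lib/snapd` tree behind even though the package itself was removed. Gate each path on its own package, as below, so the cleanup matches whatever `packages.apt_remove` actually contains. Two smaller points in the same hunk: `mode: 0644` on the `blockinfile` task is an unquoted octal and should be `mode: "0644"`, and the `snapd_check.failed is defined` guard on the `snap remove` task is an indirect way of asking whether the debug task ran — `snapd_check is not skipped` states that intent directly.
```yaml
    # … unchanged: gather packages, snapd check, snap remove, apt remove …
    - name: packages | remove crufty packages | remove crufty files
      ansible.builtin.file:
        state: absent
        path: "{{ item.path }}"
      loop:
        - { pkg: snapd, path: "/home/{{ ansible_user }}/.snap" }
        - { pkg: snapd, path: /snap }
        - { pkg: snapd, path: /var/snap }
        - { pkg: snapd, path: /var/lib/snapd }
        - { pkg: snapd, path: /var/cache/snapd }
        - { pkg: snapd, path: /usr/lib/snapd }
        - { pkg: cloud-init, path: /etc/cloud }
        - { pkg: cloud-init, path: /var/lib/cloud }
      when:
        - item.pkg in packages.apt_remove
  # … unchanged: outer `when` on packages.apt_remove / skip_remove_packages …
```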
diff --git a/server/ansible/roles/ubuntu/tasks/user.yml b/ansible/roles/ubuntu/tasks/user.yml similarity index 85% rename from server/ansible/roles/ubuntu/tasks/user.yml rename to ansible/roles/ubuntu/tasks/user.yml index 26fce196..b930082b 100644 --- a/server/ansible/roles/ubuntu/tasks/user.yml +++ b/ansible/roles/ubuntu/tasks/user.yml @@ -1,5 +1,4 @@ --- - - name: user | add to sudoers ansible.builtin.copy: content: "{{ ansible_user }} ALL=(ALL:ALL) NOPASSWD:ALL" @@ -12,9 +11,9 @@ key: "{{ item }}" loop: "{{ ssh_authorized_keys }}" when: - - ssh_authorized_keys is defined - - ssh_authorized_keys is iterable - - ssh_authorized_keys | length > 0 + - ssh_authorized_keys is defined + - ssh_authorized_keys is iterable + - ssh_authorized_keys | length > 0 - name: user | check if hushlogin exists ansible.builtin.stat: diff --git a/server/ansible/roles/ubuntu/templates/rsyslog-50-promtail.conf.j2 b/ansible/roles/ubuntu/templates/rsyslog-50-promtail.conf.j2 similarity index 100% rename from server/ansible/roles/ubuntu/templates/rsyslog-50-promtail.conf.j2 rename to ansible/roles/ubuntu/templates/rsyslog-50-promtail.conf.j2 diff --git a/cluster/apps/database/cloudnative-pg/clusters/kustomization.yaml b/cluster/apps/database/cloudnative-pg/clusters/kustomization.yaml index de294dde..aea60927 100644 --- a/cluster/apps/database/cloudnative-pg/clusters/kustomization.yaml +++ b/cluster/apps/database/cloudnative-pg/clusters/kustomization.yaml @@ -4,4 +4,4 @@ kind: Kustomization namespace: database resources: - - postgres-default \ No newline at end of file + - postgres-default diff --git a/cluster/apps/database/cloudnative-pg/clusters/postgres-default/kustomization.yaml b/cluster/apps/database/cloudnative-pg/clusters/postgres-default/kustomization.yaml index 760d97a1..1982f519 100644 --- a/cluster/apps/database/cloudnative-pg/clusters/postgres-default/kustomization.yaml +++ b/cluster/apps/database/cloudnative-pg/clusters/postgres-default/kustomization.yaml 
@@ -4,4 +4,4 @@ kind: Kustomization namespace: database resources: - - postgres-default.yaml \ No newline at end of file + - postgres-default.yaml diff --git a/cluster/apps/database/cloudnative-pg/clusters/postgres-default/postgres-default.yaml b/cluster/apps/database/cloudnative-pg/clusters/postgres-default/postgres-default.yaml index 4a691215..b365f1f8 100644 --- a/cluster/apps/database/cloudnative-pg/clusters/postgres-default/postgres-default.yaml +++ b/cluster/apps/database/cloudnative-pg/clusters/postgres-default/postgres-default.yaml @@ -9,4 +9,4 @@ spec: storage: size: 50Gi monitoring: - enablePodMonitor: true \ No newline at end of file + enablePodMonitor: true diff --git a/cluster/apps/database/cloudnative-pg/helm-release.yaml b/cluster/apps/database/cloudnative-pg/helm-release.yaml index b9613841..327b08a2 100644 --- a/cluster/apps/database/cloudnative-pg/helm-release.yaml +++ b/cluster/apps/database/cloudnative-pg/helm-release.yaml @@ -21,4 +21,4 @@ spec: retries: 5 upgrade: remediation: - retries: 5 \ No newline at end of file + retries: 5 diff --git a/cluster/apps/database/cloudnative-pg/kustomization.yaml b/cluster/apps/database/cloudnative-pg/kustomization.yaml index 9201051b..0227c5b4 100644 --- a/cluster/apps/database/cloudnative-pg/kustomization.yaml +++ b/cluster/apps/database/cloudnative-pg/kustomization.yaml @@ -5,4 +5,4 @@ namespace: database resources: - helm-release.yaml - - clusters \ No newline at end of file + - clusters diff --git a/cluster/apps/database/kustomization.yaml b/cluster/apps/database/kustomization.yaml index 902e5b7e..ce3d001b 100644 --- a/cluster/apps/database/kustomization.yaml +++ b/cluster/apps/database/kustomization.yaml @@ -2,6 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- namespace.yaml -- cloudnative-pg -- ext-postgres-operator \ No newline at end of file + - namespace.yaml + - cloudnative-pg + - ext-postgres-operator 
diff --git a/cluster/apps/default/hajimari/data-pvc.yaml b/cluster/apps/default/hajimari/data-pvc.yaml index e8f2f08d..4425269d 100644 --- a/cluster/apps/default/hajimari/data-pvc.yaml +++ b/cluster/apps/default/hajimari/data-pvc.yaml @@ -6,7 +6,7 @@ metadata: namespace: default spec: accessModes: - - ReadWriteOnce + - ReadWriteOnce resources: requests: storage: 1Gi diff --git a/cluster/apps/default/hajimari/helm-release.yaml b/cluster/apps/default/hajimari/helm-release.yaml index ae2e0bb4..3effbe9b 100644 --- a/cluster/apps/default/hajimari/helm-release.yaml +++ b/cluster/apps/default/hajimari/helm-release.yaml 
@@ -23,94 +23,95 @@ spec: env: TZ: "America/Chicago" hajimari: + defaultEnable: true namespaceSelector: matchNames: - - downloads - - kube-system - - media - - monitoring - - security + - downloads + - kube-system + - media + - monitoring + - security customApps: - - name: Mail - url: "https://mail.${SECRET_DOMAIN}" - icon: email + - name: Mail + url: "https://mail.${SECRET_DOMAIN}" + icon: email groups: - - name: Communicate - links: - - name: Discord - url: 'https://discord.com' - - name: Gmail - url: 'https://gmail.com' - - name: Slack - url: 'https://slack.com/signin' - - name: Cloud - links: - - name: Box - url: 'https://box.com' - - name: Dropbox - url: 'https://dropbox.com' - - name: Drive - url: 'https://drive.google.com' - - name: Design - links: - - name: Awwwards - url: 'https://awwwards.com' - - name: Dribbble - url: 'https://dribbble.com' - - name: Muz.li - url: 'https://medium.muz.li/' - - name: Dev - links: - - name: Codepen - url: 'https://codepen.io/' - - name: Devdocs - url: 'https://devdocs.io' - - name: Devhints - url: 'https://devhints.io' - - name: Lifestyle - links: - - name: Design Milk - url: 'https://design-milk.com/category/interior-design/' - - name: Dwell - url: 'https://www.dwell.com/' - - name: Freshome - url: 'https://www.mymove.com/freshome/' - - name: Media - links: - - name: Spotify - url: 'http://browse.spotify.com' - - name: Trakt - url: 'http://trakt.tv' - - name: YouTube - url: 'https://youtube.com/feed/subscriptions' - - name: Reading - links: - - name: Instapaper - url: 'https://www.instapaper.com/u' - - name: Medium - url: 'http://medium.com' - - name: Reddit - url: 'http://reddit.com' - - name: Tech - links: - - name: Hacker News - url: 'https://news.ycombinator.com/' - - name: The Verge - url: 'https://theverge.com/' - - name: MIT Technology Review - url: 'https://www.technologyreview.com/' + - name: Communicate + links: + - name: Discord + url: "https://discord.com" + - name: Gmail + url: "https://gmail.com" + - name: 
Slack + url: "https://slack.com/signin" + - name: Cloud + links: + - name: Box + url: "https://box.com" + - name: Dropbox + url: "https://dropbox.com" + - name: Drive + url: "https://drive.google.com" + - name: Design + links: + - name: Awwwards + url: "https://awwwards.com" + - name: Dribbble + url: "https://dribbble.com" + - name: Muz.li + url: "https://medium.muz.li/" + - name: Dev + links: + - name: Codepen + url: "https://codepen.io/" + - name: Devdocs + url: "https://devdocs.io" + - name: Devhints + url: "https://devhints.io" + - name: Lifestyle + links: + - name: Design Milk + url: "https://design-milk.com/category/interior-design/" + - name: Dwell + url: "https://www.dwell.com/" + - name: Freshome + url: "https://www.mymove.com/freshome/" + - name: Media + links: + - name: Spotify + url: "http://browse.spotify.com" + - name: Trakt + url: "http://trakt.tv" + - name: YouTube + url: "https://youtube.com/feed/subscriptions" + - name: Reading + links: + - name: Instapaper + url: "https://www.instapaper.com/u" + - name: Medium + url: "http://medium.com" + - name: Reddit + url: "http://reddit.com" + - name: Tech + links: + - name: Hacker News + url: "https://news.ycombinator.com/" + - name: The Verge + url: "https://theverge.com/" + - name: MIT Technology Review + url: "https://www.technologyreview.com/" ingress: main: enabled: true ingressClassName: "nginx" hosts: - - host: &host "start.${SECRET_DOMAIN}" - paths: - - path: / - pathType: Prefix + - host: &host "start.${SECRET_DOMAIN}" + paths: + - path: / + pathType: Prefix tls: - - hosts: - - *host + - hosts: + - *host persistence: data: enabled: true diff --git a/cluster/apps/default/hajimari/kustomization.yaml b/cluster/apps/default/hajimari/kustomization.yaml index 17bd978c..1b271a68 100644 --- a/cluster/apps/default/hajimari/kustomization.yaml +++ b/cluster/apps/default/hajimari/kustomization.yaml 
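Review bot: With `defaultEnable: true` added at the top of this hunk, every Ingress in the selected namespaces — including `kube-system`, `security` and `monitoring` — is listed on the start page without the opt-in `hajimari.io/enable` annotation (which this same commit strips from the downloads apps), yet the `ingress.main` block here has no `annotations:` at all, so `start.${SECRET_DOMAIN}` does not appear to sit behind the `56k/forward-auth: "true"` gate the lidarr/prowlarr/qbittorrent ingresses use. If that is unintended, the dashboard becomes an unauthenticated index of internal hostnames; add `annotations:` with `56k/forward-auth: "true"` under `ingress.main` — or record in a comment why the page is deliberately open. The rewritten `groups` links also keep plain `http://` URLs for Spotify, Trakt, Medium and Reddit; all four serve HTTPS, so `https://` saves a cleartext redirect hop from the browser.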
@@ -2,5 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- data-pvc.yaml -- helm-release.yaml \ No newline at end of file + - data-pvc.yaml + - helm-release.yaml diff --git a/cluster/apps/default/kustomization.yaml b/cluster/apps/default/kustomization.yaml index c17591df..635affe1 100644 --- a/cluster/apps/default/kustomization.yaml +++ b/cluster/apps/default/kustomization.yaml @@ -2,6 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- namespace.yaml -- hajimari -- theme-park \ No newline at end of file + - namespace.yaml + - hajimari + - theme-park diff --git a/cluster/apps/default/namespace.yaml b/cluster/apps/default/namespace.yaml index 5ae59369..596957ea 100644 --- a/cluster/apps/default/namespace.yaml +++ b/cluster/apps/default/namespace.yaml @@ -6,4 +6,4 @@ metadata: labels: kustomize.toolkit.fluxcd.io/prune: disabled goldilocks.fairwinds.com/enabled: "true" - k10.kasten.io/ignorebackuppolicy: "true" \ No newline at end of file + k10.kasten.io/ignorebackuppolicy: "true" diff --git a/cluster/apps/default/theme-park/kustomization.yaml b/cluster/apps/default/theme-park/kustomization.yaml index 4fc26769..2fa2de20 100644 --- a/cluster/apps/default/theme-park/kustomization.yaml +++ b/cluster/apps/default/theme-park/kustomization.yaml @@ -2,4 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- helm-release.yaml \ No newline at end of file + - helm-release.yaml diff --git a/cluster/apps/downloads/kustomization.yaml b/cluster/apps/downloads/kustomization.yaml index 37997817..76e712de 100644 --- a/cluster/apps/downloads/kustomization.yaml +++ b/cluster/apps/downloads/kustomization.yaml 
@@ -3,11 +3,11 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - namespace.yaml - # - lidarr - # - overseerr - # - prowlarr - # - qbittorrent - # - radarr - # - sabnzbd + - lidarr + - overseerr + - prowlarr + - qbittorrent + - radarr + - sabnzbd - scripts - sonarr diff --git a/cluster/apps/downloads/lidarr/config-pvc.yaml b/cluster/apps/downloads/lidarr/config-pvc.yaml index b09a0f02..2fd2dcea 100644 --- a/cluster/apps/downloads/lidarr/config-pvc.yaml +++ b/cluster/apps/downloads/lidarr/config-pvc.yaml @@ -4,9 +4,13 @@ kind: PersistentVolumeClaim metadata: name: lidarr-config-v1 namespace: downloads + labels: + app.kubernetes.io/name: &name lidarr + app.kubernetes.io/instance: *name + pmb.home.arpa/backup: "true" spec: accessModes: - - ReadWriteOnce + - ReadWriteOnce resources: requests: storage: 10Gi diff --git a/cluster/apps/downloads/lidarr/helm-release.yaml b/cluster/apps/downloads/lidarr/helm-release.yaml index b2d717be..7d8dec8d 100644 --- a/cluster/apps/downloads/lidarr/helm-release.yaml +++ b/cluster/apps/downloads/lidarr/helm-release.yaml 
@@ -2,99 +2,99 @@ apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease metadata: - name: lidarr + name: &app lidarr namespace: downloads spec: - interval: 5m + interval: 15m chart: spec: - # renovate: registryUrl=https://k8s-at-home.com/charts/ - chart: lidarr - version: 13.1.0 + chart: kah-common-chart + version: 1.1.2 sourceRef: kind: HelmRepository name: k8s-at-home-charts namespace: flux-system - interval: 5m + interval: 15m + install: + createNamespace: true + remediation: + retries: 5 + upgrade: + remediation: + retries: 5 values: + global: + nameOverride: *app + controller: + labels: + pmb.home.arpa/backup-claim: &claimName "lidarr-config-v1" image: - repository: ghcr.io/k8s-at-home/lidarr - tag: v1.0.0.2255 + repository: ghcr.io/onedr0p/lidarr + tag: 1.0.2.2592@sha256:bc8b15eca2f4982f06d145b559d670f2a89f8361355320451593b2298ba9f023 env: - TZ: "America/Chicago" + TZ: "${TIMEZONE}" + LIDARR__INSTANCE_NAME: Lidarr + LIDARR__PORT: &port 80 + LIDARR__BRANCH: master + LIDARR__LOG_LEVEL: info + envFrom: + - secretRef: + name: *app + service: + main: + ports: + http: + port: *port ingress: main: enabled: true - ingressClassName: "traefik" + ingressClassName: "nginx" annotations: - traefik.ingress.kubernetes.io/router.entrypoints: "websecure" - traefik.ingress.kubernetes.io/router.middlewares: "networking-internal-auth@kubernetescrd" - hajimari.io/enable: "true" + 56k/forward-auth: "true" hajimari.io/icon: "music-box" + nginx.ingress.kubernetes.io/configuration-snippet: | + proxy_set_header Accept-Encoding ""; + sub_filter '' ''; + sub_filter_once on; hosts: - - host: "lidarr.${SECRET_DOMAIN}" - paths: - - path: / - pathType: Prefix + - host: &host "{{ .Release.Name }}.${SECRET_PUBLIC_DOMAIN}" + paths: + - path: / + pathType: Prefix tls: - - hosts: - - "lidarr.${SECRET_DOMAIN}" + - hosts: + - *host api: enabled: true - ingressClassName: "traefik" - annotations: - traefik.ingress.kubernetes.io/router.entrypoints: "websecure" - 
traefik.ingress.kubernetes.io/router.middlewares: "networking-rfc1918@kubernetescrd" + ingressClassName: "nginx" hosts: - - host: "lidarr.${SECRET_DOMAIN}" - paths: - - path: /api - pathType: Prefix + - host: *host + paths: + - path: /api + pathType: Prefix tls: - - hosts: - - "lidarr.${SECRET_DOMAIN}" + - hosts: + - *host + podSecurityContext: + runAsUser: 568 + runAsGroup: 568 + fsGroup: 568 + fsGroupChangePolicy: "OnRootMismatch" + supplementalGroups: + - 5600 persistence: config: enabled: true - existingClaim: lidarr-config-v1 - media-franxx: + existingClaim: *claimName + media: enabled: true - existingClaim: nfs-downloads-franxx-pvc - podSecurityContext: - supplementalGroups: - - 100 + type: nfs + server: "nas01.${SECRET_PRIVATE_DOMAIN}" + path: /tank/share + mountPath: /media resources: requests: - memory: 650Mi - cpu: 1000m + cpu: 10m + memory: 250Mi limits: - memory: 1500Mi - prometheus: - podMonitor: - enabled: true - interval: 3m - scrapeTimeout: 1m30s - additionalContainers: - exportarr: - name: exportarr - image: ghcr.io/onedr0p/exportarr:v0.6.1 - imagePullPolicy: IfNotPresent - args: ["exportarr", "lidarr"] - env: - - name: PORT - value: "32123" - - name: URL - value: "http://localhost" - - name: CONFIG - value: "/config/config.xml" - - name: ENABLE_UNKNOWN_QUEUE_ITEMS - value: "true" - - name: ENABLE_ADDITIONAL_METRICS - value: "false" - ports: - - name: exportarr - containerPort: 32123 - volumeMounts: - - name: config - mountPath: /config - readOnly: true + memory: 2000Mi diff --git a/cluster/apps/downloads/lidarr/kustomization.yaml b/cluster/apps/downloads/lidarr/kustomization.yaml index 19572cb7..135614e2 100644 --- a/cluster/apps/downloads/lidarr/kustomization.yaml +++ b/cluster/apps/downloads/lidarr/kustomization.yaml @@ -2,5 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- config-pvc.yaml -- helm-release.yaml + - config-pvc.yaml + - secret.sops.yaml + - helm-release.yaml 
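Review bot: The `api` ingress in this hunk loses the source restriction the removed traefik version had: the old `networking-rfc1918@kubernetescrd` middleware limited `/api` to private ranges, while the new nginx `api` ingress carries no annotations, so `/api` on `{{ .Release.Name }}.${SECRET_PUBLIC_DOMAIN}` is reachable from wherever that host resolves with only Lidarr's API key in the way (the `main` ingress, by contrast, gets `56k/forward-auth: "true"`). If the split exists so internal clients can bypass forward-auth, restore the equivalent with `nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"` under the `api` ingress annotations, trimmed to the LAN ranges actually in use. Note also that `nginx.ingress.kubernetes.io/configuration-snippet` is only honoured when the controller runs with `allow-snippet-annotations` enabled — off by default since ingress-nginx 1.0.1 after CVE-2021-25742 — so that should be a deliberate controller setting rather than something discovered when the theme injection silently stops working.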
diff --git a/cluster/apps/downloads/lidarr/secret.sops.yaml b/cluster/apps/downloads/lidarr/secret.sops.yaml new file mode 100644 index 00000000..c097a0ab --- /dev/null +++ b/cluster/apps/downloads/lidarr/secret.sops.yaml @@ -0,0 +1,29 @@ +# yamllint disable +apiVersion: v1 +kind: Secret +metadata: + name: lidarr + namespace: media +type: Opaque +stringData: + LIDARR__API_KEY: ENC[AES256_GCM,data:PKgxJ+4SyAdZ62Y5ZX0wV8Ug47DU3Cqc+AYhl3ouo/w=,iv:hISUycyeZjcJ4DVzedKw3Yc3UEct7eObQwyH7K0zhM8=,tag:uFDtjjjdqh0I7psWBZEloQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1nfn3vxpsgm49ljgs8kxevga9makhh9aply6ddgf9wplsfuwpcv2qzmqatc + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnMWhlSzcwNmswUkdKNjZQ + N2dqUmpaanVUWVZHUDBWTHppMDhJS2E0dFU0CklzMGgyNkNteHZWY2VScDBlRGpN + amZhL3QzU3hyUE4yZFVlTHJWVnJYZk0KLS0tIEY3c0QrTUcxQy9tcXl1bllUTGQz + aXdBeUdxVTYrL0d4ZjJYa0pyeVFwY1UKMTU2h9H90OUuwz5QmhZFOhJyKS1SYaiQ + MZhUK1JLiWO+Vxvv9KwMwErjjO8ChSQEsyq4bElcxI8tQxXU6CEkCA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2022-07-17T03:30:34Z" + mac: ENC[AES256_GCM,data:UrZbbMYhomCBkWaqOKsa803rrHFjXKZRh9Y14YcV+WxLjlL5dSj1wCQ7dtua+KX/u6wvNCcV70b2ygNsuxAJ6qa9rjzDwoqzyFAke7SJAoJbwK3czSXP0YAukde3LQUYv6IEeE+XdQEIz1HjCu1/7ipNNO13q4z/dXsnPNLTU5Q=,iv:EleNuBw8gNsJy/qJGW29QlMUCiH5eROIs+xNsPoresc=,tag:XGN3rG6fhJx+cFHoHMz7dA==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.7.3 diff --git a/cluster/apps/downloads/namespace.yaml b/cluster/apps/downloads/namespace.yaml index 309a5c2d..2bf33515 100644 --- a/cluster/apps/downloads/namespace.yaml +++ b/cluster/apps/downloads/namespace.yaml @@ -5,4 +5,5 @@ metadata: name: downloads labels: kustomize.toolkit.fluxcd.io/prune: disabled - goldilocks.fairwinds.com/enabled: "true" \ No newline at end of file + goldilocks.fairwinds.com/enabled: "true" + vpn-routed-gateway: "true" 
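Review bot: The new `secret.sops.yaml` places the `lidarr` Secret in `namespace: media`, but the HelmRelease it feeds in this commit lives in `namespace: downloads` and consumes it through `envFrom: - secretRef: name: lidarr` with no `optional: true`, so unless an enclosing Kustomization rewrites the namespace (none is visible in the `downloads` or `lidarr` kustomization hunks here) the pod will sit in CreateContainerConfigError with `LIDARR__API_KEY` missing. Change the metadata to `namespace: downloads`, but do it through `sops` rather than editing the plaintext line in place: `encrypted_regex: ^(data|stringData)$` leaves metadata unencrypted, yet the `mac` is computed over every value in the document and will no longer verify after a raw edit. The single `age` recipient and the `# yamllint disable` pragma match the prowlarr secret, so the namespace is the only inconsistency I see.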
diff --git a/cluster/apps/downloads/overseerr/config-pvc.yaml b/cluster/apps/downloads/overseerr/config-pvc.yaml index a31ff683..f669e8e9 100644 --- a/cluster/apps/downloads/overseerr/config-pvc.yaml +++ b/cluster/apps/downloads/overseerr/config-pvc.yaml @@ -4,9 +4,13 @@ kind: PersistentVolumeClaim metadata: name: overseerr-config-v1 namespace: downloads + labels: + app.kubernetes.io/name: &name overseerr + app.kubernetes.io/instance: *name + pmb.home.arpa/backup: "true" spec: accessModes: - - ReadWriteOnce + - ReadWriteOnce resources: requests: storage: 1Gi diff --git a/cluster/apps/downloads/overseerr/helm-release.yaml b/cluster/apps/downloads/overseerr/helm-release.yaml index 7468a805..f0e3efb0 100644 --- a/cluster/apps/downloads/overseerr/helm-release.yaml +++ b/cluster/apps/downloads/overseerr/helm-release.yaml 
@@ -2,53 +2,81 @@ apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease metadata: - name: overseerr + name: &app overseerr namespace: downloads spec: - interval: 5m + interval: 15m chart: spec: - # renovate: registryUrl=https://k8s-at-home.com/charts/ - chart: overseerr - version: 5.0.2 + chart: kah-common-chart + version: 1.1.2 sourceRef: kind: HelmRepository name: k8s-at-home-charts namespace: flux-system - interval: 5m + interval: 15m + install: + createNamespace: true + remediation: + retries: 5 + upgrade: + remediation: + retries: 5 values: + global: + nameOverride: *app + controller: + labels: + pmb.home.arpa/backup-claim: &claimName "overseerr-config-v1" image: repository: ghcr.io/sct/overseerr - tag: 1.27.0 + tag: 1.29.1 env: - TZ: "America/Chicago" + TZ: "${TIMEZONE}" LOG_LEVEL: "info" + PORT: &port 80 + service: + main: + ports: + http: + port: *port ingress: main: enabled: true - ingressClassName: "traefik" + ingressClassName: "nginx" annotations: - traefik.ingress.kubernetes.io/router.entrypoints: "websecure" + external-dns.alpha.kubernetes.io/target: "ipv4.${SECRET_PUBLIC_DOMAIN}" external-dns/is-public: "true" - external-dns.alpha.kubernetes.io/target: "ipv4.${SECRET_DOMAIN}" - hajimari.io/enable: "true" - hajimari.io/icon: "eye-circle" + nginx.ingress.kubernetes.io/configuration-snippet: | + proxy_set_header Accept-Encoding ""; + sub_filter '' ''; + sub_filter_once on; hosts: - - host: "requests.${SECRET_DOMAIN}" - paths: - - path: / - pathType: Prefix + - host: &host-release "{{ .Release.Name }}.${SECRET_PUBLIC_DOMAIN}" + paths: + - path: / + pathType: Prefix + - host: &host-custom "requests.${SECRET_PUBLIC_DOMAIN}" + paths: + - path: / + pathType: Prefix tls: - - hosts: - - "requests.${SECRET_DOMAIN}" + - hosts: + - *host-release + - *host-custom + podSecurityContext: + runAsUser: 568 + runAsGroup: 568 + fsGroup: 568 + fsGroupChangePolicy: "OnRootMismatch" persistence: config: enabled: true - existingClaim: overseerr-config-v1 + 
existingClaim: *claimName mountPath: /app/config resources: requests: + cpu: 10m memory: 250Mi - cpu: 500m limits: - memory: 1500Mi + memory: 500Mi diff --git a/cluster/apps/downloads/overseerr/kustomization.yaml b/cluster/apps/downloads/overseerr/kustomization.yaml index 19572cb7..e06d74e5 100644 --- a/cluster/apps/downloads/overseerr/kustomization.yaml +++ b/cluster/apps/downloads/overseerr/kustomization.yaml @@ -2,5 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- config-pvc.yaml -- helm-release.yaml + - config-pvc.yaml + - helm-release.yaml diff --git a/cluster/apps/downloads/prowlarr/config-pvc.yaml b/cluster/apps/downloads/prowlarr/config-pvc.yaml index d65cef35..9481bfad 100644 --- a/cluster/apps/downloads/prowlarr/config-pvc.yaml +++ b/cluster/apps/downloads/prowlarr/config-pvc.yaml @@ -4,10 +4,14 @@ kind: PersistentVolumeClaim metadata: name: prowlarr-config-v1 namespace: downloads + labels: + app.kubernetes.io/name: &name prowlarr + app.kubernetes.io/instance: *name + pmb.home.arpa/backup: "true" spec: accessModes: - - ReadWriteOnce + - ReadWriteOnce resources: requests: - storage: 1Gi + storage: 2Gi storageClassName: ceph-block diff --git a/cluster/apps/downloads/prowlarr/helm-release.yaml b/cluster/apps/downloads/prowlarr/helm-release.yaml index b36e0367..50589203 100644 --- a/cluster/apps/downloads/prowlarr/helm-release.yaml +++ b/cluster/apps/downloads/prowlarr/helm-release.yaml 
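Review bot: The image in this hunk is pinned to `tag: 1.29.1` alone, while the lidarr, prowlarr and qbittorrent releases in the same commit pin `tag@sha256:…` digests; for the one workload here that is published to public DNS (`external-dns/is-public: "true"` with target `ipv4.${SECRET_PUBLIC_DOMAIN}`) a mutable tag is the weakest place to leave it, so pin `tag: 1.29.1@sha256:<digest>` for consistency. That ingress also has no `56k/forward-auth` annotation, so both `overseerr.…` and `requests.…` rely entirely on Overseerr's own login — presumably intentional for a request portal, but a one-line comment on the `main` ingress saying so would stop the next reader from "fixing" it. The `nginx.ingress.kubernetes.io/configuration-snippet` annotation depends on `allow-snippet-annotations` being enabled on the controller, the same caveat as the other releases in this commit.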
@@ -2,56 +2,80 @@ apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease metadata: - name: prowlarr + name: &app prowlarr namespace: downloads spec: - interval: 5m + interval: 15m chart: spec: - # renovate: registryUrl=https://k8s-at-home.com/charts/ - chart: prowlarr - version: 4.0.1 + chart: kah-common-chart + version: 1.1.2 sourceRef: kind: HelmRepository name: k8s-at-home-charts namespace: flux-system - interval: 5m + interval: 15m + install: + createNamespace: true + remediation: + retries: 5 + upgrade: + remediation: + retries: 5 values: + global: + nameOverride: *app + controller: + labels: + pmb.home.arpa/backup-claim: &claimName "prowlarr-config-v1" image: - repository: ghcr.io/k8s-at-home/prowlarr - tag: v0.4.0.1802 + repository: ghcr.io/onedr0p/prowlarr-nightly + tag: 0.4.3.1898@sha256:4fcca511b8198deb79afdbf9edefadb44ef1bce0058b789f261dd158fc234ba5 env: - TZ: "America/Chicago" - podAnnotations: - setGateway: "true" + TZ: "${TIMEZONE}" + PROWLARR__INSTANCE_NAME: Prowlarr + PROWLARR__PORT: &port 80 + PROWLARR__BRANCH: nightly + PROWLARR__LOG_LEVEL: info + envFrom: + - secretRef: + name: *app + service: + main: + ports: + http: + port: *port ingress: main: enabled: true - ingressClassName: "traefik" + ingressClassName: "nginx" annotations: - traefik.ingress.kubernetes.io/router.entrypoints: "websecure" - traefik.ingress.kubernetes.io/router.middlewares: "networking-internal-auth@kubernetescrd" - hajimari.io/enable: "true" + 56k/forward-auth: "true" hajimari.io/icon: "cloud-search" + nginx.ingress.kubernetes.io/configuration-snippet: | + proxy_set_header Accept-Encoding ""; + sub_filter '' ''; + sub_filter_once on; hosts: - - host: "prowlarr.${SECRET_DOMAIN}" - paths: - - path: / - pathType: Prefix + - host: &host "{{ .Release.Name }}.${SECRET_PUBLIC_DOMAIN}" + paths: + - path: / + pathType: Prefix tls: - - hosts: - - "prowlarr.${SECRET_DOMAIN}" + - hosts: + - *host + podSecurityContext: + runAsUser: 568 + runAsGroup: 568 + fsGroup: 568 + 
fsGroupChangePolicy: "OnRootMismatch" persistence: config: enabled: true - existingClaim: prowlarr-config-v1 - shared: - enabled: true - emptyDir: - enabled: true + existingClaim: *claimName resources: requests: - memory: 250Mi - cpu: 500m + cpu: 10m + memory: 100Mi limits: - memory: 1000Mi + memory: 500Mi diff --git a/cluster/apps/downloads/prowlarr/kustomization.yaml b/cluster/apps/downloads/prowlarr/kustomization.yaml index 19572cb7..135614e2 100644 --- a/cluster/apps/downloads/prowlarr/kustomization.yaml +++ b/cluster/apps/downloads/prowlarr/kustomization.yaml @@ -2,5 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- config-pvc.yaml -- helm-release.yaml + - config-pvc.yaml + - secret.sops.yaml + - helm-release.yaml diff --git a/cluster/apps/downloads/prowlarr/secret.sops.yaml b/cluster/apps/downloads/prowlarr/secret.sops.yaml new file mode 100644 index 00000000..b5d8fc50 --- /dev/null +++ b/cluster/apps/downloads/prowlarr/secret.sops.yaml 
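Review bot: This hunk drops the `podAnnotations: setGateway: "true"` that previously routed the Prowlarr pod through the VPN gateway and adds nothing in its place, so unless the `vpn-routed-gateway: "true"` label added to the `downloads` namespace elsewhere in this commit now routes every pod in the namespace (qbittorrent keeps its own `setGateway` annotation, which suggests per-pod opt-in is still in use), indexer traffic will egress directly from the cluster — please confirm which mechanism is in effect. The release also moves to `ghcr.io/onedr0p/prowlarr-nightly` with `PROWLARR__BRANCH: nightly`; the digest pin is good, but a short comment on why the nightly channel is needed would help a future reader decide when to return to a release build. Unlike lidarr there is no separate `api` ingress, so `/api` here goes through the forward-auth-protected `main` ingress; any external consumer of the Prowlarr API will need to be accounted for.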
@@ -0,0 +1,29 @@ +# yamllint disable +apiVersion: v1 +kind: Secret +metadata: + name: prowlarr + namespace: media +type: Opaque +stringData: + PROWLARR__API_KEY: ENC[AES256_GCM,data:PEJl29qwDCCqLhqgwt2xSn/Mjv64IUukIxZj91BVUxA=,iv:D3JP76r+D2lzTMg1omyI8PW8ExEPa1ZyI/TLZFCo+20=,tag:jCkfMbvTcLSxEamSKs0S0A==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1nfn3vxpsgm49ljgs8kxevga9makhh9aply6ddgf9wplsfuwpcv2qzmqatc + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjUjFSMEZ2UGJieThuc2I0 + ZmhxVVlYVWNpc2k4WkFnVVhmT3IyeTZPaGdZCnRuOUcweWQ1Tlo4eTFDcWNRS0ZG + MUU3WXpSYW5HTzI2N0o1RXFuTnp6L0EKLS0tIGt3NnYyT1prbGFMa1dkb3VUcWs2 + UjNodkRnWDh5TTNLVUZrNHc4OGo0aWsKvT3D5YTOCOdNKY3giqchtfibp/K//1zX + 3uDoqm3aB3w2fInJrTRpr8hm+IYvWLsi3a/FYJlp4uiMwFeg+Rvczg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2022-07-17T03:21:54Z" + mac: ENC[AES256_GCM,data:Euf93NiSGfimNIhA8g0pZvPCE8J0Nwhhm/D20piu6DmtXN5PDnN93NkRobw1LoNr67REnMaUndisdvYlY9H+BC37X3iWaU43FSJ1oAe9L2WH7ub2GPDBns9LaJrRIUZ4Y16bqpe973LXEd/CuYdL1OBCiwEYVFS36k6BDodxQWQ=,iv:n0L20TjyBkyJWL+xvG8J2Z+TU13cXP7FlvGZKiYpIm0=,tag:6OcW6+vpcBRGm/MYoOjALw==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.7.3 diff --git a/cluster/apps/downloads/qbittorrent/config-pvc.yaml b/cluster/apps/downloads/qbittorrent/config-pvc.yaml index f368709d..6e522090 100644 --- a/cluster/apps/downloads/qbittorrent/config-pvc.yaml +++ b/cluster/apps/downloads/qbittorrent/config-pvc.yaml @@ -4,9 +4,13 @@ kind: PersistentVolumeClaim metadata: name: qbittorrent-config-v1 namespace: downloads + labels: + app.kubernetes.io/name: &name qbittorrent + app.kubernetes.io/instance: *name + pmb.home.arpa/backup: "true" spec: accessModes: - - ReadWriteOnce + - ReadWriteOnce resources: requests: storage: 1Gi diff --git a/cluster/apps/downloads/qbittorrent/helm-release.yaml b/cluster/apps/downloads/qbittorrent/helm-release.yaml index 4ae6d487..bff31fd7 100644 
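Review bot: The new prowlarr `secret.sops.yaml` sets `namespace: media`, but the HelmRelease that reads it via `envFrom: - secretRef: name: prowlarr` is in `namespace: downloads`, so — unless an enclosing Kustomization overrides the namespace, which none of the visible `downloads`/`prowlarr` kustomization hunks do — the pod will fail at container creation with `PROWLARR__API_KEY` unavailable. Change it to `namespace: downloads` via `sops` so the `mac`, which is computed over every value in the document and not only the encrypted ones, is regenerated along with the edit. Same issue as the lidarr secret in this commit; fixing both together keeps the two files consistent.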
--- a/cluster/apps/downloads/qbittorrent/helm-release.yaml +++ b/cluster/apps/downloads/qbittorrent/helm-release.yaml 
@@ -2,73 +2,110 @@ apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease metadata: - name: qbittorrent - namespace: downloads + name: &app qbittorrent + namespace: media spec: - interval: 5m + interval: 15m chart: spec: - # renovate: registryUrl=https://k8s-at-home.com/charts/ - chart: qbittorrent - version: 13.1.0 + chart: kah-common-chart + version: 1.1.2 sourceRef: kind: HelmRepository name: k8s-at-home-charts namespace: flux-system - interval: 5m + interval: 15m + install: + createNamespace: true + remediation: + retries: 5 + upgrade: + remediation: + retries: 5 values: + global: + nameOverride: *app + controller: + labels: + pmb.home.arpa/backup-claim: &claimName "qbittorrent-config-v1" image: - repository: ghcr.io/k8s-at-home/qbittorrent - tag: v4.3.9 - env: - TZ: "America/Chicago" + repository: ghcr.io/onedr0p/qbittorrent + tag: 4.4.3.1@sha256:624ff630e3e921b7e257b592ef3af2a943f2c4f07ebdbbcc79806fdcb166f40d hostname: qbittorrent podAnnotations: setGateway: "true" + env: + TZ: "${TIMEZONE}" + QBITTORRENT__PORT: &port 80 + QBITTORRENT__BT_PORT: ${SECRET_VPN_FORWARDED_PORT_1} + service: + main: + ports: + http: + port: *port ingress: main: enabled: true - ingressClassName: "traefik" + ingressClassName: "nginx" annotations: - traefik.ingress.kubernetes.io/router.entrypoints: "websecure" - traefik.ingress.kubernetes.io/router.middlewares: "networking-internal-auth@kubernetescrd" - hajimari.io/enable: "true" - hajimari.io/icon: "cloud-download" + 56k/forward-auth: "true" + hajimari.io/icon: "download-network" + nginx.ingress.kubernetes.io/configuration-snippet: | + proxy_hide_header "x-webkit-csp"; + proxy_hide_header "content-security-policy"; + proxy_hide_header "X-Frame-Options"; + proxy_set_header Accept-Encoding ""; + sub_filter '' ''; + sub_filter_once on; hosts: - - host: "qbittorrent.${SECRET_DOMAIN}" - paths: - - path: / - pathType: Prefix + - host: &host-release "{{ .Release.Name }}.${SECRET_PUBLIC_DOMAIN}" + paths: + - path: / + pathType: Prefix 
+ - host: &host-custom "qb.${SECRET_PUBLIC_DOMAIN}" + paths: + - path: / + pathType: Prefix tls: - - hosts: - - "qbittorrent.${SECRET_DOMAIN}" + - hosts: + - *host-release + - *host-custom api: enabled: true - ingressClassName: "traefik" - annotations: - traefik.ingress.kubernetes.io/router.entrypoints: "websecure" - traefik.ingress.kubernetes.io/router.middlewares: "networking-rfc1918@kubernetescrd" + ingressClassName: "nginx" hosts: - - host: "qbittorrent.${SECRET_DOMAIN}" - paths: - - path: /api - pathType: Prefix + - host: *host-release + paths: + - path: /api + pathType: Prefix + - host: *host-custom + paths: + - path: /api + pathType: Prefix tls: - - hosts: - - "qbittorrent.${SECRET_DOMAIN}" + - hosts: + - *host-release + - *host-custom + podSecurityContext: + runAsUser: 568 + runAsGroup: 568 + fsGroup: 568 + fsGroupChangePolicy: "OnRootMismatch" + supplementalGroups: + - 5600 persistence: config: enabled: true - existingClaim: qbittorrent-config-v1 - media-franxx: + existingClaim: *claimName + media: enabled: true - existingClaim: nfs-downloads-franxx-pvc - podSecurityContext: - supplementalGroups: - - 5600 + type: nfs + server: "nas01.${SECRET_PRIVATE_DOMAIN}" + path: /tank/share + mountPath: /media resources: requests: - cpu: 500m - memory: 1000Mi + cpu: 10m + memory: 250Mi limits: memory: 6000Mi diff --git a/cluster/apps/downloads/qbittorrent/kustomization.yaml b/cluster/apps/downloads/qbittorrent/kustomization.yaml index 19572cb7..e06d74e5 100644 --- a/cluster/apps/downloads/qbittorrent/kustomization.yaml +++ b/cluster/apps/downloads/qbittorrent/kustomization.yaml @@ -2,5 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- config-pvc.yaml -- helm-release.yaml + - config-pvc.yaml + - helm-release.yaml diff --git a/cluster/apps/downloads/radarr/config-pvc.yaml b/cluster/apps/downloads/radarr/config-pvc.yaml index a6b709a3..06a72507 100644 --- a/cluster/apps/downloads/radarr/config-pvc.yaml 
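Review bot: The HelmRelease moves to `namespace: media` while `persistence.config.existingClaim: qbittorrent-config-v1` still names the PVC that config-pvc.yaml leaves in `namespace: downloads`; a PersistentVolumeClaim reference is namespace-local, so the pod scheduled in `media` will stay Pending on a missing claim. Either keep the HelmRelease in `downloads` or move the PVC (and this directory) with it, remembering that the data in the existing `downloads` claim does not follow a freshly created claim of the same name. Separately, the `api` ingress on the public domain no longer carries the old `networking-rfc1918` restriction and, unlike `main`, has no `56k/forward-auth` annotation, so qBittorrent's own WebUI login is the only gate on `/api`; if nginx is reachable from outside the LAN, add `nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"` to its annotations. The `configuration-snippet` also strips `content-security-policy` and `X-Frame-Options`, which removes the app's framing/clickjacking protection for every client; if that exists only to embed the UI in a dashboard, say so in a comment above the snippet so it is not mistaken for an accident.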
+++ b/cluster/apps/downloads/radarr/config-pvc.yaml @@ -4,9 +4,13 @@ kind: PersistentVolumeClaim metadata: name: radarr-config-v1 namespace: downloads + labels: + app.kubernetes.io/name: &name radarr + app.kubernetes.io/instance: *name + pmb.home.arpa/backup: "true" spec: accessModes: - - ReadWriteOnce + - ReadWriteOnce resources: requests: storage: 15Gi diff --git a/cluster/apps/downloads/radarr/helm-release.yaml b/cluster/apps/downloads/radarr/helm-release.yaml index 35c11a07..b304e58f 100644 --- a/cluster/apps/downloads/radarr/helm-release.yaml +++ b/cluster/apps/downloads/radarr/helm-release.yaml 
@@ -2,105 +2,112 @@ apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease metadata: - name: radarr + name: &app radarr namespace: downloads spec: - interval: 5m + interval: 15m chart: spec: - # renovate: registryUrl=https://k8s-at-home.com/charts/ - chart: radarr - version: 15.1.0 + chart: kah-common-chart + version: 1.1.2 sourceRef: kind: HelmRepository name: k8s-at-home-charts namespace: flux-system - interval: 5m + interval: 15m + install: + createNamespace: true + remediation: + retries: 5 + upgrade: + remediation: + retries: 5 values: + global: + nameOverride: *app + controller: + labels: + pmb.home.arpa/backup-claim: &claimName "radarr-config-v1" image: - repository: ghcr.io/k8s-at-home/radarr - tag: v3.2.2.5080 + repository: ghcr.io/onedr0p/radarr + tag: 4.1.0.6175@sha256:6a232a1c0acd4eac59afefb6b336e8b9737976357d4263e4c322d55b16e9320c env: - TZ: "America/Chicago" + TZ: "${TIMEZONE}" + RADARR__INSTANCE_NAME: Radarr + RADARR__PORT: &port 80 + RADARR__APPLICATION_URL: "https://{{ .Release.Name }}.${SECRET_PUBLIC_DOMAIN}" + RADARR__LOG_LEVEL: info + PUSHOVER_DEBUG: "false" + PUSHOVER_APP_URL: &host "{{ .Release.Name }}.${SECRET_PUBLIC_DOMAIN}" + envFrom: + - secretRef: + name: *app + service: + main: + ports: + http: + port: *port ingress: main: enabled: true - ingressClassName: "traefik" + ingressClassName: "nginx" annotations: - traefik.ingress.kubernetes.io/router.entrypoints: "websecure" - traefik.ingress.kubernetes.io/router.middlewares: "networking-internal-auth@kubernetescrd" - hajimari.io/enable: "true" - hajimari.io/icon: "filmstrip" + 56k/forward-auth: "true" + hajimari.io/icon: "movie" + nginx.ingress.kubernetes.io/configuration-snippet: | + proxy_set_header Accept-Encoding ""; + sub_filter '' ''; + sub_filter_once on; hosts: - - host: "radarr.${SECRET_DOMAIN}" - paths: - - path: / - pathType: Prefix + - host: *host + paths: + - path: / + pathType: Prefix tls: - - hosts: - - "radarr.${SECRET_DOMAIN}" + - hosts: + - *host api: enabled: true - 
ingressClassName: "traefik" - annotations: - traefik.ingress.kubernetes.io/router.entrypoints: "websecure" - traefik.ingress.kubernetes.io/router.middlewares: "networking-rfc1918@kubernetescrd" + ingressClassName: "nginx" hosts: - - host: "radarr.${SECRET_DOMAIN}" - paths: - - path: /api - pathType: Prefix + - host: *host + paths: + - path: /api + pathType: Prefix tls: - - hosts: - - "radarr.${SECRET_DOMAIN}" + - hosts: + - *host + podSecurityContext: + runAsUser: 568 + runAsGroup: 568 + fsGroup: 568 + fsGroupChangePolicy: "OnRootMismatch" + supplementalGroups: + - 5600 persistence: config: enabled: true - existingClaim: radarr-config-v1 - media-franxx: + existingClaim: *claimName + media: enabled: true - existingClaim: nfs-downloads-franxx-pvc - podSecurityContext: - supplementalGroups: - - 5600 + type: nfs + server: "nas01.${SECRET_PRIVATE_DOMAIN}" + path: /tank/share + mountPath: /media + scripts: + enabled: true + type: configMap + name: radarr-pushover + subPath: notify.sh + mountPath: /scripts/pushover-notify.sh + defaultMode: 0775 + readOnly: true + podAnnotations: + configmap.reloader.stakater.com/reload: radarr-pushover + secret.reloader.stakater.com/reload: *app resources: requests: - cpu: 500m - memory: 1800M + cpu: 10m + memory: 250Mi limits: - memory: 2850M - prometheus: - podMonitor: - enabled: true - interval: 3m - scrapeTimeout: 1m30s - additionalContainers: - exportarr: - name: exportarr - image: ghcr.io/onedr0p/exportarr:v0.6.1 - imagePullPolicy: IfNotPresent - args: ["exportarr", "radarr"] - env: - - name: PORT - value: "32123" - - name: URL - value: "http://localhost" - - name: CONFIG - value: "/config/config.xml" - - name: ENABLE_UNKNOWN_QUEUE_ITEMS - value: "true" - - name: ENABLE_ADDITIONAL_METRICS - value: "true" - ports: - - name: exportarr - containerPort: 32123 - volumeMounts: - - name: config - mountPath: /config - readOnly: true - resources: - requests: - cpu: 100m - memory: 60M - limits: - memory: 100M + memory: 2000Mi 
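Review bot: The `api` ingress for `/api` on `*host` (the public domain) drops the `networking-rfc1918@kubernetescrd` middleware the traefik version had and, unlike `main`, carries no `56k/forward-auth` annotation, so the Radarr API key becomes the sole control on a publicly named endpoint. That bypass is presumably deliberate so other apps can call the API with the key, but the previous config still limited it to private source addresses; if the nginx controller is reachable from outside the LAN, restore that with an `annotations:` block on the `api` ingress containing `nginx.ingress.kubernetes.io/whitelist-source-range: "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16"`, or add a comment stating why the forward-auth exemption is acceptable here. The secret referenced by `envFrom` (`radarr`, in `downloads`) matches this HelmRelease's namespace, unlike the sabnzbd pair later in this commit.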
diff --git a/cluster/apps/downloads/radarr/kustomization.yaml b/cluster/apps/downloads/radarr/kustomization.yaml index 19572cb7..135614e2 100644 --- a/cluster/apps/downloads/radarr/kustomization.yaml +++ b/cluster/apps/downloads/radarr/kustomization.yaml @@ -2,5 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- config-pvc.yaml -- helm-release.yaml + - config-pvc.yaml + - secret.sops.yaml + - helm-release.yaml diff --git a/cluster/apps/downloads/radarr/secret.sops.yaml b/cluster/apps/downloads/radarr/secret.sops.yaml new file mode 100644 index 00000000..d519f499 --- /dev/null +++ b/cluster/apps/downloads/radarr/secret.sops.yaml 
@@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Secret +metadata: + name: radarr + namespace: downloads +type: Opaque +stringData: + PUSHOVER_USER_KEY: ENC[AES256_GCM,data:tW2WMKM147Wc8Fqv41k4JGAb4lY1Cbe7Bzh2i+2B,iv:GhAxauIXAr4eB9ZdbVy9HyP0FincuNVmY2OUD/jRxg8=,tag:BYEfNMWmK0UJYXkzyUEpMA==,type:str] + PUSHOVER_TOKEN: ENC[AES256_GCM,data:reFkPTLFK+o1LRyuat0J+OYvpB+xUJdzhjaLdLaE,iv:IWoWix3HMtqhWmVyyhn9KaHx707DX6nc4C6A6RniE40=,tag:VQO07bVJa4/huIzLH93opg==,type:str] + RADARR__API_KEY: ENC[AES256_GCM,data:9onz9w2ZYN23AIjtEODhWkmENZ19gcpIoHc96EKkY5I=,iv:XZF+zz3vlMFfmQUKpQdWOuu82X1Tp+QV5EctyZghkHE=,tag:7yAgeBzxrvRoXhWn5r2VtQ==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1nfn3vxpsgm49ljgs8kxevga9makhh9aply6ddgf9wplsfuwpcv2qzmqatc + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3VlE3eGJRanM4bkdLaTkx + djA5TTkrYjJGQURyc2dTZzJxSXZWNml0Vkh3CjRzakdpUit1YnpTb2FDRzhhc3NN + dlVqeG11TEZvL2k4dFVqYVB5UWRRRm8KLS0tIFNqUUdWVk0zVVFwZUVhd2Z6SnlO + VllWbWdqYmlGbm1GUlYzL0d1UGE2TWcKs759AHIQ7EP9UQSUJisdeg3CAEGCteFJ + ziEjj0kMumja6I0zRakr/6xXn4CQQOdhq39t+dmIK8OXgN7owrEDgQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2022-07-17T03:24:25Z" + mac: ENC[AES256_GCM,data:IZRTxQSw/ojLOl5WseojFmPSIj5bYYltU4vxr83ivQUp3gfQt3mjYNAwbBdHes6G0SIQ5r06Fzr1AF0VihHOLNK5AZFKjlV+TW8pecVYctizkfCmRFWlfUtgyhsvhyNHjS/rAkohhU8/NXCU0Olr2RJxB1G0buAM93JcSD9ct+Y=,iv:QIVOANeq2/1llJMcLiqN9o67U2YdGHs8DjiyDTZHvcU=,tag:Gk3nfBMGfCbYmc7IdJe6Lw==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.7.3 diff --git a/cluster/apps/downloads/sabnzbd/config-pvc.yaml b/cluster/apps/downloads/sabnzbd/config-pvc.yaml index 5d1fb188..5ec5e924 100644 --- a/cluster/apps/downloads/sabnzbd/config-pvc.yaml +++ b/cluster/apps/downloads/sabnzbd/config-pvc.yaml 
@@ -4,9 +4,13 @@ kind: PersistentVolumeClaim metadata: name: sabnzbd-config-v1 namespace: downloads + labels: + app.kubernetes.io/name: &name sabnzbd + app.kubernetes.io/instance: *name + pmb.home.arpa/backup: "true" spec: accessModes: - - ReadWriteOnce + - ReadWriteOnce resources: requests: storage: 1Gi diff --git a/cluster/apps/downloads/sabnzbd/helm-release.yaml b/cluster/apps/downloads/sabnzbd/helm-release.yaml index 5b515d3a..1b602e6c 100644 --- a/cluster/apps/downloads/sabnzbd/helm-release.yaml +++ b/cluster/apps/downloads/sabnzbd/helm-release.yaml 
@@ -2,69 +2,106 @@ apiVersion: helm.toolkit.fluxcd.io/v2beta1 kind: HelmRelease metadata: - name: sabnzbd + name: &app sabnzbd namespace: downloads spec: - interval: 5m + interval: 15m chart: spec: - # renovate: registryUrl=https://k8s-at-home.com/charts/ - chart: sabnzbd - version: 9.0.1 + chart: kah-common-chart + version: 1.1.2 sourceRef: kind: HelmRepository name: k8s-at-home-charts namespace: flux-system - interval: 5m + interval: 15m + install: + createNamespace: true + remediation: + retries: 5 + upgrade: + remediation: + retries: 5 values: + global: + nameOverride: *app + controller: + labels: + pmb.home.arpa/backup-claim: &claimName "sabnzbd-config-v1" image: - repository: ghcr.io/k8s-at-home/sabnzbd - tag: v3.4.2 + repository: ghcr.io/onedr0p/sabnzbd + tag: 3.6.0@sha256:47de9cea07d6dc96a31be2e5a069665c09342016cbaf683ab5303d7b7a5154e2 env: - TZ: "America/Chicago" - HOST_WHITELIST_ENTRIES: "sabnzbd.${SECRET_DOMAIN}, sabnzbd" + TZ: "${TIMEZONE}" + SABNZBD__PORT: &port 80 + SABNZBD__HOST_WHITELIST_ENTRIES: >- + sabnzbd, + sabnzbd.downloads, + sabnzbd.downloads.svc, + sabnzbd.downloads.svc.cluster, + sabnzbd.downloads.svc.cluster.local, + sabnzbd.${SECRET_PUBLIC_DOMAIN} + envFrom: + - secretRef: + name: *app + service: + main: + ports: + http: + port: *port ingress: main: enabled: true - ingressClassName: "traefik" + ingressClassName: "nginx" annotations: - traefik.ingress.kubernetes.io/router.entrypoints: "websecure" - traefik.ingress.kubernetes.io/router.middlewares: "networking-internal-auth@kubernetescrd" - hajimari.io/enable: "true" + 56k/forward-auth: "true" hajimari.io/icon: "download-box" + nginx.ingress.kubernetes.io/configuration-snippet: | + proxy_set_header Accept-Encoding ""; + sub_filter '' ''; + sub_filter_once on; hosts: - - host: "sabnzbd.${SECRET_DOMAIN}" - paths: - - path: / - pathType: Prefix + - host: &host "{{ .Release.Name }}.${SECRET_PUBLIC_DOMAIN}" + paths: + - path: / + pathType: Prefix tls: - - hosts: - - "sabnzbd.${SECRET_DOMAIN}" + 
- hosts: + - *host api: enabled: true - ingressClassName: "traefik" - annotations: - traefik.ingress.kubernetes.io/router.entrypoints: "websecure" - traefik.ingress.kubernetes.io/router.middlewares: "networking-rfc1918@kubernetescrd" + ingressClassName: "nginx" hosts: - - host: "sabnzbd.${SECRET_DOMAIN}" - paths: - - path: /api - pathType: Prefix + - host: *host + paths: + - path: /api + pathType: Prefix tls: - - hosts: - - "sabnzbd.${SECRET_DOMAIN}" + - hosts: + - *host + podSecurityContext: + runAsUser: 568 + runAsGroup: 568 + fsGroup: 568 + fsGroupChangePolicy: "OnRootMismatch" + supplementalGroups: + - 5600 persistence: config: enabled: true - existingClaim: sabnzbd-config-v1 - media-franxx: + existingClaim: *claimName + media: enabled: true - existingClaim: nfs-downloads-franxx-pvc - podSecurityContext: - supplementalGroups: - - 5600 + type: nfs + server: "nas01.${SECRET_PRIVATE_DOMAIN}" + path: /tank/share + mountPath: /media + incomplete: + enabled: true + type: emptyDir resources: requests: - cpu: 1500m - memory: 2000Mi + cpu: 10m + memory: 250Mi + limits: + memory: 8000Mi diff --git a/cluster/apps/downloads/sabnzbd/kustomization.yaml b/cluster/apps/downloads/sabnzbd/kustomization.yaml index 19572cb7..135614e2 100644 --- a/cluster/apps/downloads/sabnzbd/kustomization.yaml +++ b/cluster/apps/downloads/sabnzbd/kustomization.yaml @@ -2,5 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- config-pvc.yaml -- helm-release.yaml + - config-pvc.yaml + - secret.sops.yaml + - helm-release.yaml diff --git a/cluster/apps/downloads/sabnzbd/secret.sops.yaml b/cluster/apps/downloads/sabnzbd/secret.sops.yaml new file mode 100644 index 00000000..00a921c4 --- /dev/null +++ b/cluster/apps/downloads/sabnzbd/secret.sops.yaml 
@@ -0,0 +1,30 @@ +# yamllint disable +apiVersion: v1 +kind: Secret +metadata: + name: sabnzbd + namespace: media +type: Opaque +stringData: + SABNZBD__API_KEY: ENC[AES256_GCM,data:HiCQIAmOy9dtIQm9RqQXk4xHngn43WBDjmSs+hQgVuE=,iv:QbMphWbF07XRtg3zJ9Y0NL7Y2pScsDq1I3IGZeqJAQ4=,tag:4XI0EUsw+vzDnzaSN/BGTA==,type:str] + SABNZBD__NZB_KEY: ENC[AES256_GCM,data:HFtQe7H43UtJW/Hfwjz9GAvXw+69a/XTDwvw4aUI040=,iv:1VHYQd0TMZr3gtoe6MmGI+OFl1JkYon2UaONLucDkac=,tag:Vnvaww7ZS5M8xESG79QXHA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age1nfn3vxpsgm49ljgs8kxevga9makhh9aply6ddgf9wplsfuwpcv2qzmqatc + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBNTkQ0WUJzNUtyZ0JDUGJh + SC81cm9BcWszK2xHbDdpT1BobzRPZ1RsTlFFCldLblI3WlM2cFRKU3UveWxLSFFV + Rkh5elpreWt2a0VwVlp2bVFmRnhxYU0KLS0tIGdOaTNEQVJpYnFJR3o2ZVhGV0Yx + VmUzSmMxN0hXbmNmTVdsVXB1RFEyNWsKgZwXuYGDkW1ZmJ61VtCskjnM3AdM6Gpl + bEvsh9093tys58Srb2K1qfj1BH7mHxVqbCwLz+9JopnYlYGsL7A+IQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2022-07-17T04:05:06Z" + mac: ENC[AES256_GCM,data:73pMuoj+y+rgHUCesFRNVjyudqkZrY0H2eBIeb3jz4VFKIBMlA5/KjfHpO7QcsUO+V6feD02yID0myKqYDPU0pOfzD7vAIhWQvbbcLOD3ozhjvzVcLnGHNohcZLdEv0b3CbmPlwrlk/rYot2GKYi3JxdG8DgEdweh417Dmi2qjs=,iv:FGC6jKt1JWdViim/1W+a2mZu6/sWhD5E5YRXQjQ9XIE=,tag:qIQ8YQcDytTS5asqXLJ0mA==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.7.3 diff --git a/cluster/apps/downloads/scripts/kustomization.yaml b/cluster/apps/downloads/scripts/kustomization.yaml index e5a4f619..0b0128d2 100644 --- a/cluster/apps/downloads/scripts/kustomization.yaml +++ b/cluster/apps/downloads/scripts/kustomization.yaml @@ -3,4 +3,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - radarr-pushover - - sonarr-pushover \ No newline at end of file + - sonarr-pushover 
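Review bot: This Secret is created in `namespace: media`, but the sabnzbd HelmRelease in the same directory stays in `namespace: downloads` and consumes it via `envFrom: - secretRef: name: sabnzbd`; Secret references are namespace-local, so the pod will sit in CreateContainerConfigError until the two agree, and the PVC plus the `sabnzbd.downloads.svc` whitelist entries suggest `downloads` is the intended one. Make the change (`namespace: downloads`) through `sops` rather than a hand edit: the `sops.mac` is computed over the cleartext metadata values as well, so editing outside sops leaves Flux failing decryption with a MAC mismatch. The prowlarr secret earlier in this commit also lands in `media`; its HelmRelease is not in this diff, so that pairing is worth confirming too.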
diff --git a/cluster/apps/downloads/scripts/radarr-pushover/kustomization.yaml b/cluster/apps/downloads/scripts/radarr-pushover/kustomization.yaml index e25d31c7..68af25ab 100644 --- a/cluster/apps/downloads/scripts/radarr-pushover/kustomization.yaml +++ b/cluster/apps/downloads/scripts/radarr-pushover/kustomization.yaml @@ -9,4 +9,4 @@ configMapGenerator: generatorOptions: disableNameSuffixHash: true annotations: - kustomize.toolkit.fluxcd.io/substitute: disabled \ No newline at end of file + kustomize.toolkit.fluxcd.io/substitute: disabled diff --git a/cluster/apps/downloads/scripts/sonarr-pushover/kustomization.yaml b/cluster/apps/downloads/scripts/sonarr-pushover/kustomization.yaml index dd5b1f2a..838afdca 100644 --- a/cluster/apps/downloads/scripts/sonarr-pushover/kustomization.yaml +++ b/cluster/apps/downloads/scripts/sonarr-pushover/kustomization.yaml @@ -9,4 +9,4 @@ configMapGenerator: generatorOptions: disableNameSuffixHash: true annotations: - kustomize.toolkit.fluxcd.io/substitute: disabled \ No newline at end of file + kustomize.toolkit.fluxcd.io/substitute: disabled diff --git a/cluster/apps/downloads/sonarr/config-pvc.yaml b/cluster/apps/downloads/sonarr/config-pvc.yaml index a560cb86..514bd6a1 100644 --- a/cluster/apps/downloads/sonarr/config-pvc.yaml +++ b/cluster/apps/downloads/sonarr/config-pvc.yaml @@ -5,10 +5,12 @@ metadata: name: sonarr-config-v1 namespace: downloads labels: - kasten.io/backup-volume: "enabled" + app.kubernetes.io/name: &name sonarr + app.kubernetes.io/instance: *name + pmb.home.arpa/backup: "true" spec: accessModes: - - ReadWriteOnce + - ReadWriteOnce resources: requests: storage: 10Gi diff --git a/cluster/apps/downloads/sonarr/helm-release.yaml b/cluster/apps/downloads/sonarr/helm-release.yaml index cea8650c..4a9b9675 100644 --- a/cluster/apps/downloads/sonarr/helm-release.yaml +++ b/cluster/apps/downloads/sonarr/helm-release.yaml 
@@ -25,12 +25,16 @@ spec: values: global: nameOverride: *app + controller: + labels: + pmb.home.arpa/backup-claim: &claimName "sonarr-config-v1" image: - repository: ghcr.io/k8s-at-home/sonarr - tag: v3.0.8.1507@sha256:605b635a083c6055382cd0efe729e99f6e0af7f48a35a2406892a50c2221caeb + repository: ghcr.io/onedr0p/sonarr + tag: v3.0.8.1507@sha256:0b737320b6400e1a2e16aca64458b337950589c5bdc4e1270614345a6ed0f326 env: TZ: "${TIMEZONE}" SONARR__INSTANCE_NAME: Sonarr + SONARR__PORT: &port 80 SONARR__APPLICATION_URL: "https://{{ .Release.Name }}.${SECRET_PUBLIC_DOMAIN}" SONARR__LOG_LEVEL: info PUSHOVER_DEBUG: "false" @@ -42,14 +46,13 @@ spec: main: ports: http: - port: 8989 + port: *port ingress: main: enabled: true ingressClassName: "nginx" annotations: 56k/forward-auth: "true" - hajimari.io/enable: "true" hajimari.io/icon: "television-box" nginx.ingress.kubernetes.io/configuration-snippet: | proxy_set_header Accept-Encoding ""; @@ -75,25 +78,22 @@ spec: - hosts: - *host podSecurityContext: + runAsUser: 568 + runAsGroup: 568 + fsGroup: 568 + fsGroupChangePolicy: "OnRootMismatch" supplementalGroups: - 5600 persistence: config: enabled: true - existingClaim: sonarr-config-v1 + existingClaim: *claimName media: enabled: true type: nfs server: "nas01.${SECRET_PRIVATE_DOMAIN}" path: /tank/share mountPath: /media - backup: - enabled: true - type: nfs - server: "nas01.${SECRET_PRIVATE_DOMAIN}" - path: /tank/data/backups/sonarr - mountPath: /config/Backups - readOnly: false scripts: enabled: true type: configMap diff --git a/cluster/apps/downloads/sonarr/kustomization.yaml b/cluster/apps/downloads/sonarr/kustomization.yaml index db15012e..135614e2 100644 --- a/cluster/apps/downloads/sonarr/kustomization.yaml +++ b/cluster/apps/downloads/sonarr/kustomization.yaml @@ -2,6 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- config-pvc.yaml -- helm-release.yaml -- secret.sops.yaml + - config-pvc.yaml + - secret.sops.yaml + - helm-release.yaml 
diff --git a/cluster/apps/ext-gateway/kustomization.yaml b/cluster/apps/ext-gateway/kustomization.yaml index 8d5c83f9..73941365 100644 --- a/cluster/apps/ext-gateway/kustomization.yaml +++ b/cluster/apps/ext-gateway/kustomization.yaml @@ -2,6 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- helm-release.yaml -- secret.sops.yaml -- netshoot.yaml + - helm-release.yaml + - secret.sops.yaml diff --git a/cluster/apps/ext-gateway/netshoot.yaml b/cluster/apps/ext-gateway/netshoot.yaml deleted file mode 100644 index 5ecc7b8a..00000000 --- a/cluster/apps/ext-gateway/netshoot.yaml +++ /dev/null @@ -1,29 +0,0 @@ ---- -apiVersion: apps/v1 -kind: Deployment -metadata: - name: netshoot - namespace: mail - labels: - app: netshoot -spec: - replicas: 1 - selector: - matchLabels: - app: netshoot - template: - metadata: - labels: - app: netshoot - spec: - containers: - - name: netshoot - image: nicolaka/netshoot - command: - - /bin/sh - - -c - - sleep infinity - securityContext: - capabilities: - add: - - NET_ADMIN diff --git a/cluster/apps/falco-system/falco-exporter/helm-release.yaml b/cluster/apps/falco-system/falco-exporter/helm-release.yaml index 2b7bcb0e..00ff29fb 100644 --- a/cluster/apps/falco-system/falco-exporter/helm-release.yaml +++ b/cluster/apps/falco-system/falco-exporter/helm-release.yaml @@ -23,5 +23,5 @@ spec: enabled: true namespace: falco-system tolerations: - - effect: NoSchedule - operator: Exists + - effect: NoSchedule + operator: Exists diff --git a/cluster/apps/falco-system/falco-exporter/kustomization.yaml b/cluster/apps/falco-system/falco-exporter/kustomization.yaml index 761d2252..2fa2de20 100644 --- a/cluster/apps/falco-system/falco-exporter/kustomization.yaml +++ b/cluster/apps/falco-system/falco-exporter/kustomization.yaml @@ -1,4 +1,5 @@ +--- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- helm-release.yaml + - helm-release.yaml 
diff --git a/cluster/apps/falco-system/falco/helm-release.yaml b/cluster/apps/falco-system/falco/helm-release.yaml index 01aa6a33..71df13c9 100644 --- a/cluster/apps/falco-system/falco/helm-release.yaml +++ b/cluster/apps/falco-system/falco/helm-release.yaml @@ -33,8 +33,8 @@ spec: grpcOutput: enabled: true tolerations: - - effect: NoSchedule - operator: Exists + - effect: NoSchedule + operator: Exists # https://securityhub.dev/ customRules: rules-admin-activities.yaml: |- diff --git a/cluster/apps/falco-system/falco/kustomization.yaml b/cluster/apps/falco-system/falco/kustomization.yaml index 761d2252..2fa2de20 100644 --- a/cluster/apps/falco-system/falco/kustomization.yaml +++ b/cluster/apps/falco-system/falco/kustomization.yaml @@ -1,4 +1,5 @@ +--- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- helm-release.yaml + - helm-release.yaml diff --git a/cluster/apps/falco-system/kustomization.yaml b/cluster/apps/falco-system/kustomization.yaml index 2b0beaae..2a1c3446 100644 --- a/cluster/apps/falco-system/kustomization.yaml +++ b/cluster/apps/falco-system/kustomization.yaml @@ -1,5 +1,6 @@ +--- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- falco -- falco-exporter + - falco + - falco-exporter diff --git a/cluster/apps/flux-system/kustomization.yaml b/cluster/apps/flux-system/kustomization.yaml index 1ab7f4cb..cc385572 100644 --- a/cluster/apps/flux-system/kustomization.yaml +++ b/cluster/apps/flux-system/kustomization.yaml @@ -1,8 +1,9 @@ +--- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- dashboard -- namespace.yaml -- monitoring -- notifications -- webhook + - dashboard + - namespace.yaml + - monitoring + - notifications + - webhook diff --git a/cluster/apps/flux-system/monitoring/kustomization.yaml b/cluster/apps/flux-system/monitoring/kustomization.yaml index 553ba8ec..18aa738d 100644 --- a/cluster/apps/flux-system/monitoring/kustomization.yaml 
+++ b/cluster/apps/flux-system/monitoring/kustomization.yaml @@ -2,5 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- pod-monitor.yaml -- prometheus-rule.yaml + - pod-monitor.yaml + - prometheus-rule.yaml diff --git a/cluster/apps/flux-system/namespace.yaml b/cluster/apps/flux-system/namespace.yaml index 64a1eead..b9c519ad 100644 --- a/cluster/apps/flux-system/namespace.yaml +++ b/cluster/apps/flux-system/namespace.yaml @@ -6,4 +6,4 @@ metadata: labels: kustomize.toolkit.fluxcd.io/prune: disabled goldilocks.fairwinds.com/enabled: "true" - k10.kasten.io/ignorebackuppolicy: "true" \ No newline at end of file + k10.kasten.io/ignorebackuppolicy: "true" diff --git a/cluster/apps/flux-system/notifications/discord/kustomization.yaml b/cluster/apps/flux-system/notifications/discord/kustomization.yaml index c7aa74e1..42774891 100644 --- a/cluster/apps/flux-system/notifications/discord/kustomization.yaml +++ b/cluster/apps/flux-system/notifications/discord/kustomization.yaml @@ -1,5 +1,6 @@ +--- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- secret.sops.yaml -- notification.yaml + - secret.sops.yaml + - notification.yaml diff --git a/cluster/apps/flux-system/notifications/discord/notification.yaml b/cluster/apps/flux-system/notifications/discord/notification.yaml index 277471ad..b81d3bf3 100644 --- a/cluster/apps/flux-system/notifications/discord/notification.yaml +++ b/cluster/apps/flux-system/notifications/discord/notification.yaml @@ -21,12 +21,12 @@ spec: name: discord eventSeverity: error eventSources: - - kind: GitRepository - name: '*' - - kind: Kustomization - name: '*' - - kind: HelmRepository - name: '*' - - kind: HelmRelease - name: '*' + - kind: GitRepository + name: "*" + - kind: Kustomization + name: "*" + - kind: HelmRepository + name: "*" + - kind: HelmRelease + name: "*" suspend: false 
diff --git a/cluster/apps/flux-system/notifications/github/kustomization.yaml b/cluster/apps/flux-system/notifications/github/kustomization.yaml index 21a09f72..ad5c67ab 100644 --- a/cluster/apps/flux-system/notifications/github/kustomization.yaml +++ b/cluster/apps/flux-system/notifications/github/kustomization.yaml @@ -1,5 +1,6 @@ +--- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- notification.yaml -- secret.sops.yaml + - notification.yaml + - secret.sops.yaml diff --git a/cluster/apps/flux-system/notifications/github/notification.yaml b/cluster/apps/flux-system/notifications/github/notification.yaml index 2746c4d3..95e13320 100644 --- a/cluster/apps/flux-system/notifications/github/notification.yaml +++ b/cluster/apps/flux-system/notifications/github/notification.yaml @@ -20,7 +20,7 @@ spec: name: github eventSeverity: info eventSources: - - kind: Kustomization - name: '*' - - kind: HelmRelease - name: '*' + - kind: Kustomization + name: "*" + - kind: HelmRelease + name: "*" diff --git a/cluster/apps/flux-system/notifications/kustomization.yaml b/cluster/apps/flux-system/notifications/kustomization.yaml index 4bcab6c9..8d28834a 100644 --- a/cluster/apps/flux-system/notifications/kustomization.yaml +++ b/cluster/apps/flux-system/notifications/kustomization.yaml @@ -1,5 +1,6 @@ +--- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- discord -- github + - discord + - github diff --git a/cluster/apps/flux-system/webhook/github/ingress.yaml b/cluster/apps/flux-system/webhook/github/ingress.yaml index f862a670..72083fb6 100644 --- a/cluster/apps/flux-system/webhook/github/ingress.yaml +++ b/cluster/apps/flux-system/webhook/github/ingress.yaml 
@@ -10,16 +10,16 @@ metadata: spec: ingressClassName: "nginx" rules: - - host: "flux-webhook.${SECRET_DOMAIN}" - http: - paths: - - path: /hook/ - pathType: Prefix - backend: - service: - name: webhook-receiver - port: - number: 80 + - host: "flux-webhook.${SECRET_DOMAIN}" + http: + paths: + - path: /hook/ + pathType: Prefix + backend: + service: + name: webhook-receiver + port: + number: 80 tls: - - hosts: - - "flux-webhook.${SECRET_DOMAIN}" + - hosts: + - "flux-webhook.${SECRET_DOMAIN}" diff --git a/cluster/apps/flux-system/webhook/github/kustomization.yaml b/cluster/apps/flux-system/webhook/github/kustomization.yaml index b93474fc..66896b5e 100644 --- a/cluster/apps/flux-system/webhook/github/kustomization.yaml +++ b/cluster/apps/flux-system/webhook/github/kustomization.yaml @@ -1,6 +1,7 @@ +--- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- secret.sops.yaml -- ingress.yaml -- receiver.yaml + - secret.sops.yaml + - ingress.yaml + - receiver.yaml diff --git a/cluster/apps/flux-system/webhook/github/receiver.yaml b/cluster/apps/flux-system/webhook/github/receiver.yaml index 3c572338..c43d70e0 100644 --- a/cluster/apps/flux-system/webhook/github/receiver.yaml +++ b/cluster/apps/flux-system/webhook/github/receiver.yaml @@ -7,8 +7,8 @@ metadata: spec: type: github events: - - "ping" - - "push" + - "ping" + - "push" secretRef: name: github-webhook-token resources: @@ -55,4 +55,4 @@ spec: - apiVersion: kustomize.toolkit.fluxcd.io/v1beta2 kind: Kustomization name: crds-kyverno - namespace: flux-system \ No newline at end of file + namespace: flux-system diff --git a/cluster/apps/flux-system/webhook/kustomization.yaml b/cluster/apps/flux-system/webhook/kustomization.yaml index 23ba2527..2c23d3de 100644 --- a/cluster/apps/flux-system/webhook/kustomization.yaml +++ b/cluster/apps/flux-system/webhook/kustomization.yaml @@ -1,4 +1,5 @@ +--- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- github + - github 
diff --git a/cluster/apps/kube-system/cert-manager/dashboard/kustomization.yaml b/cluster/apps/kube-system/cert-manager/dashboard/kustomization.yaml index c8b05c14..823f260f 100644 --- a/cluster/apps/kube-system/cert-manager/dashboard/kustomization.yaml +++ b/cluster/apps/kube-system/cert-manager/dashboard/kustomization.yaml @@ -11,4 +11,4 @@ generatorOptions: annotations: kustomize.toolkit.fluxcd.io/substitute: disabled labels: - grafana_dashboard: "true" \ No newline at end of file + grafana_dashboard: "true" diff --git a/cluster/apps/kube-system/cert-manager/helm-release.yaml b/cluster/apps/kube-system/cert-manager/helm-release.yaml index 10e33b41..d73131e3 100644 --- a/cluster/apps/kube-system/cert-manager/helm-release.yaml +++ b/cluster/apps/kube-system/cert-manager/helm-release.yaml @@ -27,15 +27,15 @@ spec: webhook: enabled: true extraArgs: - - --dns01-recursive-nameservers=1.1.1.1:53,9.9.9.9:53 - - --dns01-recursive-nameservers-only + - --dns01-recursive-nameservers=1.1.1.1:53,9.9.9.9:53 + - --dns01-recursive-nameservers-only cainjector: replicaCount: 1 podDnsPolicy: "None" podDnsConfig: nameservers: - - "1.1.1.1" - - "9.9.9.9" + - "1.1.1.1" + - "9.9.9.9" prometheus: enabled: true servicemonitor: diff --git a/cluster/apps/kube-system/cert-manager/kustomization.yaml b/cluster/apps/kube-system/cert-manager/kustomization.yaml index 46acf9ef..9acf5686 100644 --- a/cluster/apps/kube-system/cert-manager/kustomization.yaml +++ b/cluster/apps/kube-system/cert-manager/kustomization.yaml @@ -4,4 +4,4 @@ kind: Kustomization resources: - dashboard - prometheus-rule.yaml - - helm-release.yaml \ No newline at end of file + - helm-release.yaml diff --git a/cluster/apps/kube-system/descheduler/kustomization.yaml b/cluster/apps/kube-system/descheduler/kustomization.yaml index 34a8531c..2fa2de20 100644 --- a/cluster/apps/kube-system/descheduler/kustomization.yaml +++ b/cluster/apps/kube-system/descheduler/kustomization.yaml 
@@ -1,3 +1,4 @@ +--- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: diff --git a/cluster/apps/kube-system/kube-cleanup-operator/helm-release.yaml b/cluster/apps/kube-system/kube-cleanup-operator/helm-release.yaml index b00748e4..9d872ceb 100644 --- a/cluster/apps/kube-system/kube-cleanup-operator/helm-release.yaml +++ b/cluster/apps/kube-system/kube-cleanup-operator/helm-release.yaml @@ -26,4 +26,4 @@ spec: - --delete-pending-pods-after=0 - --delete-evicted-pods-after=0 - --delete-orphaned-pods-after=0 - - --legacy-mode=false \ No newline at end of file + - --legacy-mode=false diff --git a/cluster/apps/kube-system/kube-cleanup-operator/kustomization.yaml b/cluster/apps/kube-system/kube-cleanup-operator/kustomization.yaml index bfe696aa..2fa2de20 100644 --- a/cluster/apps/kube-system/kube-cleanup-operator/kustomization.yaml +++ b/cluster/apps/kube-system/kube-cleanup-operator/kustomization.yaml @@ -2,4 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - helm-release.yaml \ No newline at end of file + - helm-release.yaml diff --git a/cluster/apps/kube-system/kyverno/helm-release.yaml b/cluster/apps/kube-system/kyverno/helm-release.yaml index f141fb36..18b841da 100644 --- a/cluster/apps/kube-system/kyverno/helm-release.yaml +++ b/cluster/apps/kube-system/kyverno/helm-release.yaml @@ -25,5 +25,16 @@ spec: values: installCRDs: false replicaCount: 3 + extraArgs: + - --autogenInternals=false + - --clientRateLimitQPS=30 + - --clientRateLimitBurst=60 serviceMonitor: - enabled: true \ No newline at end of file + enabled: true + topologySpreadConstraints: + - maxSkew: 1 + topologyKey: kubernetes.io/hostname + whenUnsatisfiable: DoNotSchedule + labelSelector: + matchLabels: + app.kubernetes.io/instance: kyverno diff --git a/cluster/apps/kube-system/kyverno/kustomization.yaml b/cluster/apps/kube-system/kyverno/kustomization.yaml index bfe696aa..59ef6129 100644 
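Review bot: The new `topologySpreadConstraints` use `whenUnsatisfiable: DoNotSchedule` together with `replicaCount: 3`, so whenever fewer than three schedulable nodes exist one replica stays Pending, and since Kyverno serves admission webhooks the cluster is then a single node failure away from admission being refused (if the chart's default `Fail` policy is in effect); `whenUnsatisfiable: ScheduleAnyway` keeps the spread as a preference without that failure mode, and the node count is not visible here so judge by the cluster. The selector `app.kubernetes.io/instance: kyverno` assumes the HelmRelease is named `kyverno`; with any other release name the constraint matches no pods and silently no-ops. The new `extraArgs` carry no rationale — a short comment on why `--autogenInternals=false` is pinned and what drove the `30`/`60` rate limits would save the next chart upgrade from guessing.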
--- a/cluster/apps/kube-system/kyverno/kustomization.yaml +++ b/cluster/apps/kube-system/kyverno/kustomization.yaml @@ -2,4 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - helm-release.yaml \ No newline at end of file + - helm-release.yaml + - rbac.yaml diff --git a/cluster/apps/kube-system/kyverno/rbac.yaml b/cluster/apps/kube-system/kyverno/rbac.yaml new file mode 100644 index 00000000..75680058 --- /dev/null +++ b/cluster/apps/kube-system/kyverno/rbac.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: kyverno:admin +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: admin +subjects: + - kind: ServiceAccount + name: kyverno + namespace: kube-system diff --git a/cluster/apps/kube-system/metrics-server/kustomization.yaml b/cluster/apps/kube-system/metrics-server/kustomization.yaml index 761d2252..2fa2de20 100644 --- a/cluster/apps/kube-system/metrics-server/kustomization.yaml +++ b/cluster/apps/kube-system/metrics-server/kustomization.yaml @@ -1,4 +1,5 @@ +--- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- helm-release.yaml + - helm-release.yaml diff --git a/cluster/apps/kube-system/namespace.yaml b/cluster/apps/kube-system/namespace.yaml index cfd9f2dd..0a43f625 100644 --- a/cluster/apps/kube-system/namespace.yaml +++ b/cluster/apps/kube-system/namespace.yaml @@ -6,4 +6,4 @@ metadata: labels: kustomize.toolkit.fluxcd.io/prune: disabled goldilocks.fairwinds.com/enabled: "true" - k10.kasten.io/ignorebackuppolicy: "true" \ No newline at end of file + k10.kasten.io/ignorebackuppolicy: "true" diff --git a/cluster/apps/kube-system/node-feature-discovery/kustomization.yaml b/cluster/apps/kube-system/node-feature-discovery/kustomization.yaml index 34a8531c..2fa2de20 100644 --- a/cluster/apps/kube-system/node-feature-discovery/kustomization.yaml +++ b/cluster/apps/kube-system/node-feature-discovery/kustomization.yaml 
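Review bot: `kyverno:admin` binds the built-in `admin` ClusterRole through a ClusterRoleBinding, which hands the `kyverno` ServiceAccount read/write on Secrets, ConfigMaps, Pods (including `pods/exec`) and RoleBindings in every namespace — far beyond what a policy engine needs, and it means a compromise of the Kyverno Deployment (which also runs the mutating admission webhook) becomes cluster-wide secret access. If the intent is to let `generate` rules create resources, a dedicated ClusterRole listing only the API groups and kinds those policies produce, aggregated into Kyverno's own role via the labels the chart documents, keeps the grant minimal and auditable. The ServiceAccount name `kyverno` in `kube-system` is not shown anywhere else in the diff, so it is assumed to match what the HelmRelease creates; a comment like `# why: required by generate policies X/Y — TODO scope down` would at least record the reason for the broad grant.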
@@ -1,3 +1,4 @@ +--- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: diff --git a/cluster/apps/kube-system/reflector/kustomization.yaml b/cluster/apps/kube-system/reflector/kustomization.yaml index bfe696aa..2fa2de20 100644 --- a/cluster/apps/kube-system/reflector/kustomization.yaml +++ b/cluster/apps/kube-system/reflector/kustomization.yaml @@ -2,4 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - helm-release.yaml \ No newline at end of file + - helm-release.yaml diff --git a/cluster/apps/kube-system/reloader/kustomization.yaml b/cluster/apps/kube-system/reloader/kustomization.yaml index 761d2252..2fa2de20 100644 --- a/cluster/apps/kube-system/reloader/kustomization.yaml +++ b/cluster/apps/kube-system/reloader/kustomization.yaml @@ -1,4 +1,5 @@ +--- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- helm-release.yaml + - helm-release.yaml diff --git a/cluster/apps/kube-system/trivy-operator/kustomization.yaml b/cluster/apps/kube-system/trivy-operator/kustomization.yaml index bfe696aa..2fa2de20 100644 --- a/cluster/apps/kube-system/trivy-operator/kustomization.yaml +++ b/cluster/apps/kube-system/trivy-operator/kustomization.yaml @@ -2,4 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - helm-release.yaml \ No newline at end of file + - helm-release.yaml diff --git a/cluster/apps/kustomization.yaml b/cluster/apps/kustomization.yaml index 8715a0ae..af362319 100644 --- a/cluster/apps/kustomization.yaml +++ b/cluster/apps/kustomization.yaml @@ -11,15 +11,4 @@ resources: - monitoring - networking - security - # - home - # - backup-system - # - downloads - # - ext-gateway - # - falco-system - # - kube-system - # - mail - # - media - # - monitoring - # - networking - # - security - # - vpn-gateway + - vpn-gateway diff --git a/cluster/apps/mail/mailu/data-pvc.yaml b/cluster/apps/mail/mailu/data-pvc.yaml index f9fd9553..425f1d71 100644 
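Review bot: `- vpn-gateway` turns on a kustomization whose contents are not part of this diff, so `cluster/apps/vpn-gateway` must already exist and be valid — if it does not, Flux fails the whole `cluster/apps` Kustomization rather than just this entry. A VPN gateway typically needs `NET_ADMIN`, `/dev/net/tun` and a pod-security exemption, which are exactly the things a reviewer should see in the same change that enables it; presumably that directory was reviewed earlier, but nothing here shows it. Deleting the commented-out duplicate list is fine.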
--- a/cluster/apps/mail/mailu/data-pvc.yaml +++ b/cluster/apps/mail/mailu/data-pvc.yaml @@ -6,7 +6,7 @@ metadata: namespace: mail spec: accessModes: - - ReadWriteMany + - ReadWriteMany resources: requests: storage: 50Gi diff --git a/cluster/apps/mail/mailu/kustomization.yaml b/cluster/apps/mail/mailu/kustomization.yaml index 314d1f35..f77f5575 100644 --- a/cluster/apps/mail/mailu/kustomization.yaml +++ b/cluster/apps/mail/mailu/kustomization.yaml @@ -2,6 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- data-pvc.yaml -- helm-release.yaml -- secret.sops.yaml + - data-pvc.yaml + - helm-release.yaml + - secret.sops.yaml diff --git a/cluster/apps/mail/network-policy.yaml b/cluster/apps/mail/network-policy.yaml index e7686194..04affb69 100644 --- a/cluster/apps/mail/network-policy.yaml +++ b/cluster/apps/mail/network-policy.yaml @@ -7,15 +7,15 @@ metadata: spec: podSelector: {} ingress: - - from: - # Only allow ingress from K8S - - ipBlock: - cidr: 172.16.0.0/12 + - from: + # Only allow ingress from K8S + - ipBlock: + cidr: 172.16.0.0/12 egress: - - to: - # Only allow egress to K8S - - ipBlock: - cidr: 172.16.0.0/12 + - to: + # Only allow egress to K8S + - ipBlock: + cidr: 172.16.0.0/12 policyTypes: - - Ingress - - Egress + - Ingress + - Egress diff --git a/cluster/apps/media/calibre-web-fic/config-pvc.yaml b/cluster/apps/media/calibre-web-fic/config-pvc.yaml index 5bc0a619..b8949f0f 100644 --- a/cluster/apps/media/calibre-web-fic/config-pvc.yaml +++ b/cluster/apps/media/calibre-web-fic/config-pvc.yaml @@ -4,9 +4,13 @@ kind: PersistentVolumeClaim metadata: name: calibre-web-fic-config-v1 namespace: media + labels: + app.kubernetes.io/name: &name calibre-web-fic + app.kubernetes.io/instance: *name + pmb.home.arpa/backup: "true" spec: accessModes: - - ReadWriteOnce + - ReadWriteOnce resources: requests: storage: 1Gi 
diff --git a/cluster/apps/media/calibre-web-fic/helm-release.yaml b/cluster/apps/media/calibre-web-fic/helm-release.yaml index add1bbff..c0d80003 100644 --- a/cluster/apps/media/calibre-web-fic/helm-release.yaml +++ b/cluster/apps/media/calibre-web-fic/helm-release.yaml @@ -25,6 +25,9 @@ spec: values: global: nameOverride: *app + controller: + labels: + pmb.home.arpa/backup-claim: &claimName "calibre-web-fic-config-v1" image: repository: linuxserver/calibre-web tag: version-0.6.18 @@ -60,12 +63,16 @@ spec: - hosts: - *host podSecurityContext: + runAsUser: 568 + runAsGroup: 568 + fsGroup: 568 + fsGroupChangePolicy: "OnRootMismatch" supplementalGroups: - 5600 persistence: config: enabled: true - existingClaim: calibre-web-fic-config-v1 + existingClaim: *claimName media: enabled: true type: nfs @@ -80,4 +87,3 @@ spec: startup: spec: periodSeconds: 15 - diff --git a/cluster/apps/media/calibre-web-fic/kustomization.yaml b/cluster/apps/media/calibre-web-fic/kustomization.yaml index 97b3a7ee..e06d74e5 100644 --- a/cluster/apps/media/calibre-web-fic/kustomization.yaml +++ b/cluster/apps/media/calibre-web-fic/kustomization.yaml @@ -1,5 +1,6 @@ +--- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- config-pvc.yaml -- helm-release.yaml + - config-pvc.yaml + - helm-release.yaml diff --git a/cluster/apps/media/calibre-web/config-pvc.yaml b/cluster/apps/media/calibre-web/config-pvc.yaml index 899077a9..c0cae3a5 100644 --- a/cluster/apps/media/calibre-web/config-pvc.yaml +++ b/cluster/apps/media/calibre-web/config-pvc.yaml @@ -4,9 +4,13 @@ kind: PersistentVolumeClaim metadata: name: calibre-web-config-v1 namespace: media + labels: + app.kubernetes.io/name: &name calibre-web + app.kubernetes.io/instance: *name + pmb.home.arpa/backup: "true" spec: accessModes: - - ReadWriteOnce + - ReadWriteOnce resources: requests: storage: 1Gi 
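Review bot: `runAsUser: 568` is added to a pod whose image is `linuxserver/calibre-web`, and linuxserver.io images boot an s6-overlay init that expects to start as root and then drop to the `PUID`/`PGID` user; with a non-root `runAsUser` the init generally fails before the application starts, so this change most likely breaks the pod rather than hardening it. Either keep the pod root and set `PUID: "568"` / `PGID: "568"` in `env`, or move to an image built to run unprivileged — the jellyfin, plex and tautulli releases in this commit switched to `ghcr.io/onedr0p/*` images, presumably for that reason. `tag: version-0.6.18` is also a bare Docker Hub tag while those sibling images are `@sha256` digest-pinned; pin it the same way. The `values` block continues outside the hunk.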
diff --git a/cluster/apps/media/calibre-web/helm-release.yaml b/cluster/apps/media/calibre-web/helm-release.yaml index e805451c..fecba1ff 100644 --- a/cluster/apps/media/calibre-web/helm-release.yaml +++ b/cluster/apps/media/calibre-web/helm-release.yaml @@ -25,6 +25,9 @@ spec: values: global: nameOverride: *app + controller: + labels: + pmb.home.arpa/backup-claim: &claimName "calibre-web-config-v1" image: repository: linuxserver/calibre-web tag: version-0.6.18 @@ -60,12 +63,16 @@ spec: - hosts: - *host podSecurityContext: + runAsUser: 568 + runAsGroup: 568 + fsGroup: 568 + fsGroupChangePolicy: "OnRootMismatch" supplementalGroups: - 5600 persistence: config: enabled: true - existingClaim: calibre-web-config-v1 + existingClaim: *claimName media: enabled: true type: nfs @@ -80,4 +87,3 @@ spec: startup: spec: periodSeconds: 15 - diff --git a/cluster/apps/media/calibre-web/kustomization.yaml b/cluster/apps/media/calibre-web/kustomization.yaml index 97b3a7ee..e06d74e5 100644 --- a/cluster/apps/media/calibre-web/kustomization.yaml +++ b/cluster/apps/media/calibre-web/kustomization.yaml @@ -1,5 +1,6 @@ +--- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- config-pvc.yaml -- helm-release.yaml + - config-pvc.yaml + - helm-release.yaml diff --git a/cluster/apps/media/jellyfin/config-pvc.yaml b/cluster/apps/media/jellyfin/config-pvc.yaml index 43d0268d..8b1e63b3 100644 --- a/cluster/apps/media/jellyfin/config-pvc.yaml +++ b/cluster/apps/media/jellyfin/config-pvc.yaml @@ -4,9 +4,13 @@ kind: PersistentVolumeClaim metadata: name: jellyfin-config-v1 namespace: media + labels: + app.kubernetes.io/name: &name jellyfin + app.kubernetes.io/instance: *name + pmb.home.arpa/backup: "true" spec: accessModes: - - ReadWriteOnce + - ReadWriteOnce resources: requests: storage: 100Gi diff --git a/cluster/apps/media/jellyfin/helm-release.yaml b/cluster/apps/media/jellyfin/helm-release.yaml index 0398e211..acc55e3b 100644 
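Review bot: The same concern as the `calibre-web-fic` release applies here: the new `runAsUser: 568`/`runAsGroup: 568` is applied to `linuxserver/calibre-web`, whose s6-based init normally must start as root before switching to `PUID`/`PGID`, so the container is likely to fail at startup under a non-root security context. If root-start is acceptable, drop `runAsUser`/`runAsGroup` and set `PUID: "568"` / `PGID: "568"` in `env` (keeping `fsGroup` for the claim); otherwise switch to an image that runs unprivileged, as the other media releases in this commit did. `tag: version-0.6.18` should also be digest-pinned (`version-0.6.18@sha256:…`) to match the supply-chain posture of the jellyfin/plex/tautulli images in the same change. The `values` block extends beyond the hunk.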
--- a/cluster/apps/media/jellyfin/helm-release.yaml +++ b/cluster/apps/media/jellyfin/helm-release.yaml @@ -29,12 +29,14 @@ spec: values: global: nameOverride: *app + controller: + labels: + pmb.home.arpa/backup-claim: &claimName "jellyfin-config-v1" image: - repository: docker.io/jellyfin/jellyfin - tag: 10.8.0 + repository: ghcr.io/onedr0p/jellyfin + tag: 10.8.1@sha256:2394e5ee4b31872bed3c0e72dfb20e6b73029243fece8702e2cbd59b8480be1c env: TZ: "${TIMEZONE}" - JELLYFIN_CACHE_DIR: "/config/cache" service: main: type: LoadBalancer @@ -66,7 +68,7 @@ spec: persistence: config: enabled: true - existingClaim: jellyfin-config-v1 + existingClaim: *claimName media: enabled: true type: nfs diff --git a/cluster/apps/media/jellyfin/kustomization.yaml b/cluster/apps/media/jellyfin/kustomization.yaml index 97b3a7ee..e06d74e5 100644 --- a/cluster/apps/media/jellyfin/kustomization.yaml +++ b/cluster/apps/media/jellyfin/kustomization.yaml @@ -1,5 +1,6 @@ +--- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- config-pvc.yaml -- helm-release.yaml + - config-pvc.yaml + - helm-release.yaml diff --git a/cluster/apps/media/kustomization.yaml b/cluster/apps/media/kustomization.yaml index d70b325e..c746083c 100644 --- a/cluster/apps/media/kustomization.yaml +++ b/cluster/apps/media/kustomization.yaml @@ -2,11 +2,11 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- namespace.yaml -- calibre-web -- calibre-web-fic -- jellyfin -# - owncast -- plex -- szurubooru -- tautulli + - namespace.yaml + - calibre-web + - calibre-web-fic + - jellyfin + # - owncast + - plex + - szurubooru + - tautulli diff --git a/cluster/apps/media/owncast/config-pvc.yaml b/cluster/apps/media/owncast/config-pvc.yaml index 7017dbd4..290775c4 100644 --- a/cluster/apps/media/owncast/config-pvc.yaml +++ b/cluster/apps/media/owncast/config-pvc.yaml 
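Review bot: Dropping `JELLYFIN_CACHE_DIR: "/config/cache"` changes where transcode and image cache is written; unless the new `ghcr.io/onedr0p/jellyfin` image defaults to a path on the `jellyfin-config-v1` claim, that cache now lands in the container's writable layer and is discarded on every restart (and fails outright if a read-only root filesystem is configured elsewhere in these values). Confirm the image's default, or keep the env var so the location is explicit in the manifest. Digest-pinning the tag is the right move. The `values` block continues outside the hunk, so a `podSecurityContext` may exist there; the calibre-web and tautulli releases in this commit gained `runAsUser: 568`/`fsGroup: 568`, and this one should match if the image runs unprivileged.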
@@ -4,9 +4,13 @@ kind: PersistentVolumeClaim metadata: name: owncast-config-v1 namespace: media + labels: + app.kubernetes.io/name: &name owncast + app.kubernetes.io/instance: *name + pmb.home.arpa/backup: "true" spec: accessModes: - - ReadWriteOnce + - ReadWriteOnce resources: requests: storage: 5Gi diff --git a/cluster/apps/media/owncast/helm-release.yaml b/cluster/apps/media/owncast/helm-release.yaml index 0dc6e102..fd8e8643 100644 --- a/cluster/apps/media/owncast/helm-release.yaml +++ b/cluster/apps/media/owncast/helm-release.yaml @@ -30,6 +30,9 @@ spec: values: global: nameOverride: *app + controller: + labels: + pmb.home.arpa/backup-claim: &claimName "owncast-config-v1" image: repository: gabekangas/owncast tag: 0.0.11 @@ -68,13 +71,17 @@ spec: - hosts: - *host podSecurityContext: + runAsUser: 568 + runAsGroup: 568 + fsGroup: 568 + fsGroupChangePolicy: "OnRootMismatch" supplementalGroups: - 44 - 5600 persistence: config: enabled: true - existingClaim: owncast-config-v1 + existingClaim: *claimName resources: requests: gpu.intel.com/i915: 1 diff --git a/cluster/apps/media/owncast/kustomization.yaml b/cluster/apps/media/owncast/kustomization.yaml index 97b3a7ee..e06d74e5 100644 --- a/cluster/apps/media/owncast/kustomization.yaml +++ b/cluster/apps/media/owncast/kustomization.yaml @@ -1,5 +1,6 @@ +--- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- config-pvc.yaml -- helm-release.yaml + - config-pvc.yaml + - helm-release.yaml diff --git a/cluster/apps/media/plex/config-pvc.yaml b/cluster/apps/media/plex/config-pvc.yaml index 4d7146f8..2e2f7ccb 100644 --- a/cluster/apps/media/plex/config-pvc.yaml +++ b/cluster/apps/media/plex/config-pvc.yaml @@ -4,6 +4,10 @@ kind: PersistentVolumeClaim metadata: name: plex-config-v1 namespace: media + labels: + app.kubernetes.io/name: &name plex + app.kubernetes.io/instance: *name + pmb.home.arpa/backup: "true" spec: accessModes: - ReadWriteOnce 
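Review bot: This release is still commented out in `cluster/apps/media/kustomization.yaml` (`# - owncast` in the same commit), so the new `runAsUser: 568`/`fsGroup: 568` block is never exercised and may break on re-enable — whether the `gabekangas/owncast` image runs as a non-root user and can write its data directory as UID 568 is not established anywhere in this diff. Before re-enabling, verify the image runs unprivileged and pin `tag: 0.0.11` by digest, as the other media images in this commit are. `supplementalGroups: 44` presumably grants `/dev/dri` render access for the `gpu.intel.com/i915` request; a comment such as `# 44 = video group for /dev/dri (Intel QSV)` would make that explicit.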
diff --git a/cluster/apps/media/plex/helm-release.yaml b/cluster/apps/media/plex/helm-release.yaml index 1be9df58..31ee2d13 100644 --- a/cluster/apps/media/plex/helm-release.yaml +++ b/cluster/apps/media/plex/helm-release.yaml @@ -30,9 +30,12 @@ spec: values: global: nameOverride: *app + controller: + labels: + pmb.home.arpa/backup-claim: &claimName "plex-config-v1" image: - repository: ghcr.io/k8s-at-home/plex - tag: v1.27.1.5916-6b0e31a64 + repository: ghcr.io/onedr0p/plex + tag: 1.27.2.5929-a806c5905@sha256:9bbc8235eba37b537c972d5f3326c4cdd4f9c2223109361515cc879e9a3a9f03 env: TZ: "${TIMEZONE}" ADVERTISE_IP: "http://${SVC_PLEX_ADDR}:32400/" @@ -72,7 +75,7 @@ spec: persistence: config: enabled: true - existingClaim: plex-config-v1 + existingClaim: *claimName media: enabled: true type: nfs @@ -80,13 +83,6 @@ spec: path: /tank/share mountPath: /media readOnly: true - backup: - enabled: true - type: nfs - server: "nas01.${SECRET_PRIVATE_DOMAIN}" - path: /tank/data/backups/plex - mountPath: /config/Backups - readOnly: false transcode: enabled: true type: emptyDir diff --git a/cluster/apps/media/plex/kustomization.yaml b/cluster/apps/media/plex/kustomization.yaml index 97b3a7ee..e06d74e5 100644 --- a/cluster/apps/media/plex/kustomization.yaml +++ b/cluster/apps/media/plex/kustomization.yaml @@ -1,5 +1,6 @@ +--- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- config-pvc.yaml -- helm-release.yaml + - config-pvc.yaml + - helm-release.yaml diff --git a/cluster/apps/media/szurubooru/config.yaml b/cluster/apps/media/szurubooru/config.yaml index 2a8d8942..b0b9879c 100644 --- a/cluster/apps/media/szurubooru/config.yaml +++ b/cluster/apps/media/szurubooru/config.yaml @@ -1,7 +1,8 @@ +# yamllint disable name: Taboobooru domain: "https://${SECRET_PUBLIC_DOMAIN_3}" secret: "${SECRET_BOORU_SECRET}" debug: True data_url: data/ data_dir: /data/ -show_sql: False \ No newline at end of file +show_sql: False 
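Review bot: Removing the `backup` NFS mount at `/config/Backups` does not change where Plex itself writes its scheduled database backups; if the server is still configured for `/config/Backups` (the old mount point), those copies now accumulate on `plex-config-v1` and stop being refreshed on `nas01`. Presumably the new `pmb.home.arpa/backup-claim` label hands the claim to a PVC backup job, which is a reasonable replacement as long as the in-app backup path and its retention are reconciled with it — otherwise the only backups sit on the same volume as the live database. Switching to a digest-pinned `ghcr.io/onedr0p/plex` image is an improvement; a comment noting that Renovate must bump tag and digest together would help the next reader.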
diff --git a/cluster/apps/media/szurubooru/database.yaml b/cluster/apps/media/szurubooru/database.yaml index 33a82a2a..bb7e3a0b 100644 --- a/cluster/apps/media/szurubooru/database.yaml +++ b/cluster/apps/media/szurubooru/database.yaml @@ -16,4 +16,4 @@ spec: role: szurubooru database: szurubooru-db secretName: database - privileges: OWNER \ No newline at end of file + privileges: OWNER diff --git a/cluster/apps/media/szurubooru/helm-release.yaml b/cluster/apps/media/szurubooru/helm-release.yaml index 91b1c22f..5c5531e6 100644 --- a/cluster/apps/media/szurubooru/helm-release.yaml +++ b/cluster/apps/media/szurubooru/helm-release.yaml @@ -65,36 +65,43 @@ spec: hajimari.io/icon: "file-image" hajimari.io/appName: "Booru" hosts: - - host: &host "${SECRET_PUBLIC_DOMAIN_3}" - paths: - - path: / - pathType: Prefix + - host: &host "${SECRET_PUBLIC_DOMAIN_3}" + paths: + - path: / + pathType: Prefix tls: - - hosts: - - *host + - hosts: + - *host additionalContainers: server: name: server image: ghcr.io/toboshii/szurubooru-server:2.5-edge imagePullPolicy: Always env: - - name: TZ - value: "${TIMEZONE}" - - name: POSTGRES_URL - valueFrom: - secretKeyRef: - name: database-szurubooru-user - key: POSTGRES_URL + - name: TZ + value: "${TIMEZONE}" + - name: POSTGRES_URL + valueFrom: + secretKeyRef: + name: database-szurubooru-user + key: POSTGRES_URL ports: - - name: server-http - containerPort: 6666 - protocol: TCP + - name: server-http + containerPort: 6666 + protocol: TCP volumeMounts: - - name: media - mountPath: /data - - name: config - mountPath: /opt/app/config.yaml - subPath: config.yaml + - name: media + mountPath: /data + - name: config + mountPath: /opt/app/config.yaml + subPath: config.yaml + podSecurityContext: + runAsUser: 568 + runAsGroup: 568 + fsGroup: 568 + fsGroupChangePolicy: "OnRootMismatch" + supplementalGroups: + - 5600 persistence: config: enabled: true 
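Review bot: The new pod-level `runAsUser: 568` also applies to the `server` sidecar in `additionalContainers`, and that image (`ghcr.io/toboshii/szurubooru-server:2.5-edge`) is pulled with `imagePullPolicy: Always` on a floating `-edge` tag, so whether it runs correctly as 568 and can write `/data` may change on any restart without a commit — pin a digest as the jellyfin/plex/tautulli releases in this commit do. `fsGroup` is generally not applied to NFS volumes, so the `5600` supplemental group remains what grants write access to the `/data` NFS mount; a one-line comment saying so would prevent someone "cleaning it up". Separately, `config.yaml` mounted at `/opt/app/config.yaml` carries `secret: "${SECRET_BOORU_SECRET}"` and `debug: True` and is produced by a `configMapGenerator` (visible in the sibling kustomization hunk), so the substituted secret lands in a ConfigMap rather than a Secret — readable by anyone with configmap access in `media` — with debug mode enabled on a public host; generate it as a Secret and set `debug: False`.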
@@ -110,6 +117,3 @@ spec: server: "nas01.${SECRET_PRIVATE_DOMAIN}" path: /tank/share/Images/Booru mountPath: /data - podSecurityContext: - supplementalGroups: - - 5600 diff --git a/cluster/apps/media/szurubooru/kustomization.yaml b/cluster/apps/media/szurubooru/kustomization.yaml index 4f707cab..c02d8e39 100644 --- a/cluster/apps/media/szurubooru/kustomization.yaml +++ b/cluster/apps/media/szurubooru/kustomization.yaml @@ -10,4 +10,4 @@ configMapGenerator: files: - config.yaml generatorOptions: - disableNameSuffixHash: true \ No newline at end of file + disableNameSuffixHash: true diff --git a/cluster/apps/media/tautulli/config-pvc.yaml b/cluster/apps/media/tautulli/config-pvc.yaml index 381ecd9c..0142a255 100644 --- a/cluster/apps/media/tautulli/config-pvc.yaml +++ b/cluster/apps/media/tautulli/config-pvc.yaml @@ -4,9 +4,13 @@ kind: PersistentVolumeClaim metadata: name: tautulli-config-v1 namespace: media + labels: + app.kubernetes.io/name: &name tautulli + app.kubernetes.io/instance: *name + pmb.home.arpa/backup: "true" spec: accessModes: - - ReadWriteOnce + - ReadWriteOnce resources: requests: storage: 10Gi diff --git a/cluster/apps/media/tautulli/helm-release.yaml b/cluster/apps/media/tautulli/helm-release.yaml index d75f1df4..28af4014 100644 --- a/cluster/apps/media/tautulli/helm-release.yaml +++ b/cluster/apps/media/tautulli/helm-release.yaml @@ -25,9 +25,12 @@ spec: values: global: nameOverride: *app + controller: + labels: + pmb.home.arpa/backup-claim: &claimName "tautulli-config-v1" image: - repository: ghcr.io/k8s-at-home/tautulli - tag: v2.10.2@sha256:e41ec08eac00f4d6bea10aa234289bbe73ac78c97f2ca3a21136791b4a55a4c3 + repository: ghcr.io/onedr0p/tautulli + tag: 2.10.2@sha256:5321a6ea24ffd5463e9758d64c478595dd74d50b53fe8693e4a5e07f9b5fd238 env: TZ: "${TIMEZONE}" service: 
@@ -54,17 +57,17 @@ spec: tls: - hosts: - *host + podSecurityContext: + runAsUser: 568 + runAsGroup: 568 + fsGroup: 568 + fsGroupChangePolicy: "OnRootMismatch" + supplementalGroups: + - 5600 persistence: config: enabled: true - existingClaim: tautulli-config-v1 - backup: - enabled: true - type: nfs - server: "nas01.${SECRET_PRIVATE_DOMAIN}" - path: /tank/data/backups/tautulli - mountPath: /config/backups - readOnly: false + existingClaim: *claimName resources: requests: cpu: 10m diff --git a/cluster/apps/media/tautulli/kustomization.yaml b/cluster/apps/media/tautulli/kustomization.yaml index 97b3a7ee..e06d74e5 100644 --- a/cluster/apps/media/tautulli/kustomization.yaml +++ b/cluster/apps/media/tautulli/kustomization.yaml @@ -1,5 +1,6 @@ +--- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- config-pvc.yaml -- helm-release.yaml + - config-pvc.yaml + - helm-release.yaml diff --git a/cluster/apps/monitoring/generic-rules/kustomization.yaml b/cluster/apps/monitoring/generic-rules/kustomization.yaml index 42cbdd6c..8660645b 100644 --- a/cluster/apps/monitoring/generic-rules/kustomization.yaml +++ b/cluster/apps/monitoring/generic-rules/kustomization.yaml @@ -2,4 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - zfs \ No newline at end of file + - zfs diff --git a/cluster/apps/monitoring/generic-rules/zfs/kustomization.yaml b/cluster/apps/monitoring/generic-rules/zfs/kustomization.yaml index e7c7f591..4cfba80c 100644 --- a/cluster/apps/monitoring/generic-rules/zfs/kustomization.yaml +++ b/cluster/apps/monitoring/generic-rules/zfs/kustomization.yaml @@ -2,4 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - prometheus-rule.yaml \ No newline at end of file + - prometheus-rule.yaml diff --git a/cluster/apps/monitoring/goldilocks/kustomization.yaml b/cluster/apps/monitoring/goldilocks/kustomization.yaml index bfe696aa..2fa2de20 100644 
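Review bot: The `backup` NFS mount at `/config/backups` is removed, but Tautulli writes its scheduled backups under its config directory by default (which is why that mount point existed), so they now go to `tautulli-config-v1` instead of `nas01` — verify that the `pmb.home.arpa/backup` labelled claim is actually picked up by a backup job, or the database backups become a single copy on the same volume as the live database. The added `runAsUser: 568`/`fsGroup: 568` is appropriate only if the new `ghcr.io/onedr0p/tautulli` image runs unprivileged, which is likely for that image family but not shown here. Note that `fsGroupChangePolicy: OnRootMismatch` only re-chowns the existing claim when the top-level directory's group differs, so data previously written by another UID under a matching root will keep its old ownership — TODO confirm the existing volume's ownership before rollout.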
--- a/cluster/apps/monitoring/goldilocks/kustomization.yaml +++ b/cluster/apps/monitoring/goldilocks/kustomization.yaml @@ -2,4 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - helm-release.yaml \ No newline at end of file + - helm-release.yaml diff --git a/cluster/apps/monitoring/grafana/helm-release.yaml b/cluster/apps/monitoring/grafana/helm-release.yaml index 415ab3e5..d8294ba4 100644 --- a/cluster/apps/monitoring/grafana/helm-release.yaml +++ b/cluster/apps/monitoring/grafana/helm-release.yaml @@ -67,33 +67,33 @@ spec: dashboardproviders.yaml: apiVersion: 1 providers: - - name: 'default' - orgId: 1 - folder: '' - type: file - disableDeletion: false - editable: true - options: - path: /var/lib/grafana/dashboards/default + - name: "default" + orgId: 1 + folder: "" + type: file + disableDeletion: false + editable: true + options: + path: /var/lib/grafana/dashboards/default datasources: deleteDatasources: - - name: Loki - orgId: 1 + - name: Loki + orgId: 1 datasources.yaml: apiVersion: 1 deleteDatasources: - name: Loki orgId: 1 datasources: - - name: Prometheus - type: prometheus - url: http://thanos-query:9090 - access: proxy - isDefault: true - - name: Loki - type: loki - access: proxy - url: http://loki-gateway:80 + - name: Prometheus + type: prometheus + url: http://thanos-query:9090 + access: proxy + isDefault: true + - name: Loki + type: loki + access: proxy + url: http://loki-gateway:80 dashboards: default: # Ref: https://grafana.com/grafana/dashboards/7845 @@ -114,12 +114,12 @@ spec: enabled: true searchNamespace: ALL plugins: - - natel-discrete-panel - - pr0ps-trackmap-panel - - grafana-piechart-panel - - vonage-status-panel - - grafana-worldmap-panel - - grafana-clock-panel + - natel-discrete-panel + - pr0ps-trackmap-panel + - grafana-piechart-panel + - vonage-status-panel + - grafana-worldmap-panel + - grafana-clock-panel serviceMonitor: enabled: true ingress: 
@@ -131,10 +131,10 @@ spec: nginx.ingress.kubernetes.io/session-cookie-expires: "172800" nginx.ingress.kubernetes.io/session-cookie-max-age: "172800" hosts: - - &host "grafana.${SECRET_PUBLIC_DOMAIN}" + - &host "grafana.${SECRET_PUBLIC_DOMAIN}" tls: - - hosts: - - *host + - hosts: + - *host serviceAccount: create: true autoMount: true diff --git a/cluster/apps/monitoring/grafana/kustomization.yaml b/cluster/apps/monitoring/grafana/kustomization.yaml index 2d4a1b6e..545e5413 100644 --- a/cluster/apps/monitoring/grafana/kustomization.yaml +++ b/cluster/apps/monitoring/grafana/kustomization.yaml @@ -1,3 +1,4 @@ +--- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: diff --git a/cluster/apps/monitoring/kube-prometheus-stack/helm-release.yaml b/cluster/apps/monitoring/kube-prometheus-stack/helm-release.yaml index 5d3dda25..5fd85913 100644 --- a/cluster/apps/monitoring/kube-prometheus-stack/helm-release.yaml +++ b/cluster/apps/monitoring/kube-prometheus-stack/helm-release.yaml @@ -29,7 +29,7 @@ spec: slack_api_url: "${SECRET_ALERT_MANAGER_DISCORD_WEBHOOK}" resolve_timeout: 5m receivers: - - name: 'null' + - name: "null" - name: "pushover" pushover_configs: - token: "${SECRET_PUSHOVER_ALERT_MANAGER_APIKEY}" 
@@ -65,30 +65,30 @@ spec: {{- end }} {{- end }} route: - group_by: ['alertname', 'job'] + group_by: ["alertname", "job"] group_wait: 30s group_interval: 5m repeat_interval: 6h - receiver: 'pushover' + receiver: "pushover" routes: - - receiver: 'null' + - receiver: "null" matchers: - alertname =~ "InfoInhibitor|Watchdog" - - receiver: 'pushover' + - receiver: "pushover" matchers: - severity =~ "critical|warning|error" continue: true inhibit_rules: - - source_match: - alertname: 'InfoInhibitor' - target_match: - severity: 'info' - equal: ['namespace'] - - source_match: - severity: 'critical' - target_match: - severity: 'warning' - equal: ['alertname', 'namespace'] + - source_match: + alertname: "InfoInhibitor" + target_match: + severity: "info" + equal: ["namespace"] + - source_match: + severity: "critical" + target_match: + severity: "warning" + equal: ["alertname", "namespace"] ingress: enabled: true pathType: Prefix @@ -96,10 +96,10 @@ spec: annotations: traefik.ingress.kubernetes.io/router.entrypoints: "websecure" hosts: - - &host "alert-manager.${SECRET_PUBLIC_DOMAIN}" + - &host "alert-manager.${SECRET_PUBLIC_DOMAIN}" tls: - - hosts: - - *host + - hosts: + - *host alertmanagerSpec: replicas: 3 podAntiAffinity: hard @@ -113,12 +113,12 @@ spec: nodeExporter: serviceMonitor: relabelings: - - action: replace - regex: (.*) - replacement: $1 - sourceLabels: - - __meta_kubernetes_pod_node_name - targetLabel: kubernetes_node + - action: replace + regex: (.*) + replacement: $1 + sourceLabels: + - __meta_kubernetes_pod_node_name + targetLabel: kubernetes_node kube-state-metrics: metricLabelsAllowlist: - "persistentvolumeclaims=[*]" @@ -144,10 +144,10 @@ spec: enabled: true serviceMonitor: metricRelabelings: - - action: replace - sourceLabels: - - node - targetLabel: instance + - action: replace + sourceLabels: + - node + targetLabel: instance kubeApiServer: enabled: true kubeControllerManager: 
@@ -180,10 +180,10 @@ spec: pathType: Prefix ingressClassName: "nginx" hosts: - - &host "prometheus.${SECRET_DOMAIN}" + - &host "prometheus.${SECRET_DOMAIN}" tls: - - hosts: - - *host + - hosts: + - *host thanosService: enabled: true thanosServiceMonitor: @@ -233,28 +233,28 @@ spec: name: thanos-objstore-secret key: objstore.yml additionalScrapeConfigs: - - job_name: 'node-exporter' - scrape_interval: 1m - scrape_timeout: 10s - honor_timestamps: true - static_configs: - - targets: - # # opnsense - # - 10.75.1.1:9100 - # franxx nas - - 10.75.30.15:9100 - - job_name: 'minio-job' - scrape_interval: 1m - scrape_timeout: 10s - honor_timestamps: true - metrics_path: /minio/v2/metrics/cluster - static_configs: - - targets: - - 10.75.30.15:9000 - - job_name: "coredns" - scrape_interval: 1m - scrape_timeout: 10s - honor_timestamps: true - static_configs: - - targets: - - "${GATEWAY_IP}:9153" + - job_name: "node-exporter" + scrape_interval: 1m + scrape_timeout: 10s + honor_timestamps: true + static_configs: + - targets: + # # opnsense + # - 10.75.1.1:9100 + # franxx nas + - 10.75.30.15:9100 + - job_name: "minio-job" + scrape_interval: 1m + scrape_timeout: 10s + honor_timestamps: true + metrics_path: /minio/v2/metrics/cluster + static_configs: + - targets: + - 10.75.30.15:9000 + - job_name: "coredns" + scrape_interval: 1m + scrape_timeout: 10s + honor_timestamps: true + static_configs: + - targets: + - "${GATEWAY_IP}:9153" diff --git a/cluster/apps/monitoring/kube-prometheus-stack/kustomization.yaml b/cluster/apps/monitoring/kube-prometheus-stack/kustomization.yaml index 34a8531c..2fa2de20 100644 --- a/cluster/apps/monitoring/kube-prometheus-stack/kustomization.yaml +++ b/cluster/apps/monitoring/kube-prometheus-stack/kustomization.yaml @@ -1,3 +1,4 @@ +--- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: diff --git a/cluster/apps/monitoring/loki/config-map.yaml b/cluster/apps/monitoring/loki/config-map.yaml index f3d31e95..4dfcc1f5 100644 
--- a/cluster/apps/monitoring/loki/config-map.yaml +++ b/cluster/apps/monitoring/loki/config-map.yaml @@ -44,4 +44,3 @@ data: category: logs annotations: summary: "{{ $labels.app }} is experiencing malformed database disk image issues" - diff --git a/cluster/apps/monitoring/loki/kustomization.yaml b/cluster/apps/monitoring/loki/kustomization.yaml index ebcaa309..5c85f96e 100644 --- a/cluster/apps/monitoring/loki/kustomization.yaml +++ b/cluster/apps/monitoring/loki/kustomization.yaml @@ -4,4 +4,4 @@ kind: Kustomization resources: - object-bucket-claim.yaml - config-map.yaml - - helm-release.yaml \ No newline at end of file + - helm-release.yaml diff --git a/cluster/apps/monitoring/loki/object-bucket-claim.yaml b/cluster/apps/monitoring/loki/object-bucket-claim.yaml index 6af8cae9..6da1fabc 100644 --- a/cluster/apps/monitoring/loki/object-bucket-claim.yaml +++ b/cluster/apps/monitoring/loki/object-bucket-claim.yaml @@ -6,4 +6,4 @@ metadata: namespace: monitoring spec: bucketName: loki-chunks-v1 - storageClassName: ceph-bucket \ No newline at end of file + storageClassName: ceph-bucket diff --git a/cluster/apps/monitoring/namespace.yaml b/cluster/apps/monitoring/namespace.yaml index 516de485..f71e2ad7 100644 --- a/cluster/apps/monitoring/namespace.yaml +++ b/cluster/apps/monitoring/namespace.yaml @@ -7,4 +7,4 @@ metadata: pod-security.kubernetes.io/enforce: privileged pod-security.kubernetes.io/enforce-version: latest kustomize.toolkit.fluxcd.io/prune: disabled - goldilocks.fairwinds.com/enabled: "true" \ No newline at end of file + goldilocks.fairwinds.com/enabled: "true" diff --git a/cluster/apps/monitoring/snmp-exporter/apc-ups/dashboard/dashboard.json b/cluster/apps/monitoring/snmp-exporter/apc-ups/dashboard/dashboard.json index 7d2c27db..3070442a 100644 --- a/cluster/apps/monitoring/snmp-exporter/apc-ups/dashboard/dashboard.json +++ b/cluster/apps/monitoring/snmp-exporter/apc-ups/dashboard/dashboard.json 
@@ -1103,4 +1103,3 @@ "uid": "000000012", "version": 9 } - \ No newline at end of file diff --git a/cluster/apps/monitoring/snmp-exporter/apc-ups/dashboard/kustomization.yaml b/cluster/apps/monitoring/snmp-exporter/apc-ups/dashboard/kustomization.yaml index 30e8ad46..40104072 100644 --- a/cluster/apps/monitoring/snmp-exporter/apc-ups/dashboard/kustomization.yaml +++ b/cluster/apps/monitoring/snmp-exporter/apc-ups/dashboard/kustomization.yaml @@ -11,4 +11,4 @@ generatorOptions: annotations: kustomize.toolkit.fluxcd.io/substitute: disabled labels: - grafana_dashboard: "true" \ No newline at end of file + grafana_dashboard: "true" diff --git a/cluster/apps/monitoring/snmp-exporter/apc-ups/kustomization.yaml b/cluster/apps/monitoring/snmp-exporter/apc-ups/kustomization.yaml index a1766fd6..bab61e4d 100644 --- a/cluster/apps/monitoring/snmp-exporter/apc-ups/kustomization.yaml +++ b/cluster/apps/monitoring/snmp-exporter/apc-ups/kustomization.yaml @@ -2,7 +2,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- dashboard -- prometheus-rule.yaml -- config-map.yaml -- helm-release.yaml + - dashboard + - prometheus-rule.yaml + - config-map.yaml + - helm-release.yaml diff --git a/cluster/apps/monitoring/snmp-exporter/apc-ups/prometheus-rule.yaml b/cluster/apps/monitoring/snmp-exporter/apc-ups/prometheus-rule.yaml index a12c4c74..59e7f72b 100644 --- a/cluster/apps/monitoring/snmp-exporter/apc-ups/prometheus-rule.yaml +++ b/cluster/apps/monitoring/snmp-exporter/apc-ups/prometheus-rule.yaml 
@@ -9,18 +9,18 @@ metadata: namespace: monitoring spec: groups: - - name: ups.rules - rules: - - alert: UPSOnBattery - annotations: - summary: ZPM {{$labels.instance}} is running on batteries + - name: ups.rules + rules: + - alert: UPSOnBattery + annotations: + summary: ZPM {{$labels.instance}} is running on batteries and has less than 20 minutes of battery left - expr: | + expr: | ( upsAdvBatteryRunTimeRemaining/60/100 <= 20 and upsBasicBatteryTimeOnBattery > 0 ) - for: 1m - labels: - severity: critical + for: 1m + labels: + severity: critical diff --git a/cluster/apps/monitoring/snmp-exporter/brocade/dashboard/dashboard.json b/cluster/apps/monitoring/snmp-exporter/brocade/dashboard/dashboard.json index 54664420..592b33bf 100644 --- a/cluster/apps/monitoring/snmp-exporter/brocade/dashboard/dashboard.json +++ b/cluster/apps/monitoring/snmp-exporter/brocade/dashboard/dashboard.json @@ -954,4 +954,4 @@ "uid": "7qKD6I1Wk", "version": 1, "weekStart": "" -} \ No newline at end of file +} diff --git a/cluster/apps/monitoring/snmp-exporter/brocade/dashboard/kustomization.yaml b/cluster/apps/monitoring/snmp-exporter/brocade/dashboard/kustomization.yaml index d8e905c0..bad667c8 100644 --- a/cluster/apps/monitoring/snmp-exporter/brocade/dashboard/kustomization.yaml +++ b/cluster/apps/monitoring/snmp-exporter/brocade/dashboard/kustomization.yaml @@ -11,4 +11,4 @@ generatorOptions: annotations: kustomize.toolkit.fluxcd.io/substitute: disabled labels: - grafana_dashboard: "true" \ No newline at end of file + grafana_dashboard: "true" diff --git a/cluster/apps/monitoring/snmp-exporter/brocade/kustomization.yaml b/cluster/apps/monitoring/snmp-exporter/brocade/kustomization.yaml index d972fd72..8a3bce84 100644 --- a/cluster/apps/monitoring/snmp-exporter/brocade/kustomization.yaml +++ b/cluster/apps/monitoring/snmp-exporter/brocade/kustomization.yaml 
@@ -2,6 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- dashboard -- config-map.yaml -- helm-release.yaml + - dashboard + - config-map.yaml + - helm-release.yaml diff --git a/cluster/apps/monitoring/snmp-exporter/kustomization.yaml b/cluster/apps/monitoring/snmp-exporter/kustomization.yaml index 450dcc34..e0700b7c 100644 --- a/cluster/apps/monitoring/snmp-exporter/kustomization.yaml +++ b/cluster/apps/monitoring/snmp-exporter/kustomization.yaml @@ -7,4 +7,4 @@ resources: - brocade # - apc-pdu # - dell-idrac - # - supermicro-ipmi \ No newline at end of file + # - supermicro-ipmi diff --git a/cluster/apps/monitoring/speedtest-exporter/helm-release.yaml b/cluster/apps/monitoring/speedtest-exporter/helm-release.yaml index 2135cec7..d231e12a 100644 --- a/cluster/apps/monitoring/speedtest-exporter/helm-release.yaml +++ b/cluster/apps/monitoring/speedtest-exporter/helm-release.yaml @@ -39,4 +39,4 @@ spec: downloadLimit: 2500 uploadLimit: 2500 pingLimit: 10 - jitterLimit: 30 \ No newline at end of file + jitterLimit: 30 diff --git a/cluster/apps/monitoring/thanos/helm-release.yaml b/cluster/apps/monitoring/thanos/helm-release.yaml index 01a6fcff..6905d493 100644 --- a/cluster/apps/monitoring/thanos/helm-release.yaml +++ b/cluster/apps/monitoring/thanos/helm-release.yaml @@ -149,4 +149,4 @@ spec: - targetPath: objstoreConfig.config.secret_key kind: Secret name: thanos-ceph-bucket-v1 - valuesKey: AWS_SECRET_ACCESS_KEY \ No newline at end of file + valuesKey: AWS_SECRET_ACCESS_KEY diff --git a/cluster/apps/monitoring/thanos/object-bucket-claim.yaml b/cluster/apps/monitoring/thanos/object-bucket-claim.yaml index 6cf4a8c6..8f044506 100644 --- a/cluster/apps/monitoring/thanos/object-bucket-claim.yaml +++ b/cluster/apps/monitoring/thanos/object-bucket-claim.yaml @@ -6,4 +6,4 @@ metadata: namespace: monitoring spec: bucketName: thanos-v1 - storageClassName: ceph-bucket \ No newline at end of file + storageClassName: ceph-bucket 
diff --git a/cluster/apps/monitoring/uptimerobot-heartbeat/kustomization.yaml b/cluster/apps/monitoring/uptimerobot-heartbeat/kustomization.yaml index b9dee128..94b153b7 100644 --- a/cluster/apps/monitoring/uptimerobot-heartbeat/kustomization.yaml +++ b/cluster/apps/monitoring/uptimerobot-heartbeat/kustomization.yaml @@ -12,4 +12,4 @@ configMapGenerator: generatorOptions: disableNameSuffixHash: true annotations: - kustomize.toolkit.fluxcd.io/substitute: disabled \ No newline at end of file + kustomize.toolkit.fluxcd.io/substitute: disabled diff --git a/cluster/apps/monitoring/uptimerobot-heartbeat/uptimerobot-heartbeat.sh b/cluster/apps/monitoring/uptimerobot-heartbeat/uptimerobot-heartbeat.sh index e4552e9f..43db06c8 100644 --- a/cluster/apps/monitoring/uptimerobot-heartbeat/uptimerobot-heartbeat.sh +++ b/cluster/apps/monitoring/uptimerobot-heartbeat/uptimerobot-heartbeat.sh @@ -12,4 +12,4 @@ if [[ ! ${status_code} =~ ^[2|3][0-9]{2}$ ]]; then fi printf "%s - Success - Heartbeat request received and processed successfully" "$(date -u)" -exit 0 \ No newline at end of file +exit 0 diff --git a/cluster/apps/monitoring/vector/agent/kustomization.yaml b/cluster/apps/monitoring/vector/agent/kustomization.yaml index bfe696aa..2fa2de20 100644 --- a/cluster/apps/monitoring/vector/agent/kustomization.yaml +++ b/cluster/apps/monitoring/vector/agent/kustomization.yaml @@ -2,4 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - helm-release.yaml \ No newline at end of file + - helm-release.yaml diff --git a/cluster/apps/monitoring/vector/aggregator/helm-release.yaml b/cluster/apps/monitoring/vector/aggregator/helm-release.yaml index 88ec2833..052430a4 100644 --- a/cluster/apps/monitoring/vector/aggregator/helm-release.yaml +++ b/cluster/apps/monitoring/vector/aggregator/helm-release.yaml 
@@ -98,13 +98,13 @@ spec: inputs: - vector_metrics address: 0.0.0.0:9090 - # console_debug: - # type: console - # inputs: - # - opnsense_filterlog_logs - # target: stdout - # encoding: - # codec: json + # console_debug: + # type: console + # inputs: + # - opnsense_filterlog_logs + # target: stdout + # encoding: + # codec: json image: repository: timberio/vector tag: 0.22.3-debian diff --git a/cluster/apps/monitoring/vector/aggregator/kustomization.yaml b/cluster/apps/monitoring/vector/aggregator/kustomization.yaml index bfe696aa..2fa2de20 100644 --- a/cluster/apps/monitoring/vector/aggregator/kustomization.yaml +++ b/cluster/apps/monitoring/vector/aggregator/kustomization.yaml @@ -2,4 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - helm-release.yaml \ No newline at end of file + - helm-release.yaml diff --git a/cluster/apps/monitoring/vector/kustomization.yaml b/cluster/apps/monitoring/vector/kustomization.yaml index d012532e..f7bee82f 100644 --- a/cluster/apps/monitoring/vector/kustomization.yaml +++ b/cluster/apps/monitoring/vector/kustomization.yaml @@ -3,4 +3,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - agent - - aggregator \ No newline at end of file + - aggregator diff --git a/cluster/apps/monitoring/vpa/helm-release.yaml b/cluster/apps/monitoring/vpa/helm-release.yaml index 7d911054..4bce5fdd 100644 --- a/cluster/apps/monitoring/vpa/helm-release.yaml +++ b/cluster/apps/monitoring/vpa/helm-release.yaml @@ -32,4 +32,4 @@ spec: updater: enabled: false admissionController: - enabled: false \ No newline at end of file + enabled: false diff --git a/cluster/apps/monitoring/vpa/kustomization.yaml b/cluster/apps/monitoring/vpa/kustomization.yaml index 6d83a9ed..6e934fb9 100644 --- a/cluster/apps/monitoring/vpa/kustomization.yaml +++ b/cluster/apps/monitoring/vpa/kustomization.yaml 
@@ -3,4 +3,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - helm-release.yaml \ No newline at end of file + - helm-release.yaml diff --git a/cluster/apps/networking/external-dns/kustomization.yaml b/cluster/apps/networking/external-dns/kustomization.yaml index 19a127bc..545e5413 100644 --- a/cluster/apps/networking/external-dns/kustomization.yaml +++ b/cluster/apps/networking/external-dns/kustomization.yaml @@ -1,5 +1,6 @@ +--- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- secret.sops.yaml -- helm-release.yaml + - secret.sops.yaml + - helm-release.yaml diff --git a/cluster/apps/networking/ingress-nginx/certificate.yaml b/cluster/apps/networking/ingress-nginx/certificate.yaml index 845b151c..a3310a9e 100644 --- a/cluster/apps/networking/ingress-nginx/certificate.yaml +++ b/cluster/apps/networking/ingress-nginx/certificate.yaml @@ -15,5 +15,5 @@ spec: kind: ClusterIssuer commonName: "${SECRET_DOMAIN}" dnsNames: - - "${SECRET_DOMAIN}" - - "*.${SECRET_DOMAIN}" + - "${SECRET_DOMAIN}" + - "*.${SECRET_DOMAIN}" diff --git a/cluster/apps/networking/ingress-nginx/cloudflare-proxied-networks.txt b/cluster/apps/networking/ingress-nginx/cloudflare-proxied-networks.txt index 251d1a13..d6e3abd1 100644 --- a/cluster/apps/networking/ingress-nginx/cloudflare-proxied-networks.txt +++ b/cluster/apps/networking/ingress-nginx/cloudflare-proxied-networks.txt 
@@ -1 +1 @@ -173.245.48.0/20\,103.21.244.0/22\,103.22.200.0/22\,103.31.4.0/22\,141.101.64.0/18\,108.162.192.0/18\,190.93.240.0/20\,188.114.96.0/20\,197.234.240.0/22\,198.41.128.0/17\,162.158.0.0/15\,104.16.0.0/13\,104.24.0.0/14\,172.64.0.0/13\,131.0.72.0/22\,2400:cb00::/32\,2606:4700::/32\,2803:f800::/32\,2405:b500::/32\,2405:8100::/32\,2a06:98c0::/29\,2c0f:f248::/32 \ No newline at end of file +173.245.48.0/20\,103.21.244.0/22\,103.22.200.0/22\,103.31.4.0/22\,141.101.64.0/18\,108.162.192.0/18\,190.93.240.0/20\,188.114.96.0/20\,197.234.240.0/22\,198.41.128.0/17\,162.158.0.0/15\,104.16.0.0/13\,104.24.0.0/14\,172.64.0.0/13\,131.0.72.0/22\,2400:cb00::/32\,2606:4700::/32\,2803:f800::/32\,2405:b500::/32\,2405:8100::/32\,2a06:98c0::/29\,2c0f:f248::/32 diff --git a/cluster/apps/networking/ingress-nginx/kustomization.yaml b/cluster/apps/networking/ingress-nginx/kustomization.yaml index d52e330a..a4b045dc 100644 --- a/cluster/apps/networking/ingress-nginx/kustomization.yaml +++ b/cluster/apps/networking/ingress-nginx/kustomization.yaml @@ -11,4 +11,4 @@ configMapGenerator: files: - cloudflare-proxied-networks.txt generatorOptions: - disableNameSuffixHash: true \ No newline at end of file + disableNameSuffixHash: true diff --git a/cluster/apps/networking/kustomization.yaml b/cluster/apps/networking/kustomization.yaml index 29602b40..790cb178 100644 --- a/cluster/apps/networking/kustomization.yaml +++ b/cluster/apps/networking/kustomization.yaml @@ -1,3 +1,4 @@ +--- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: diff --git a/cluster/apps/networking/namespace.yaml b/cluster/apps/networking/namespace.yaml index 63a2c4e8..900fdfcc 100644 --- a/cluster/apps/networking/namespace.yaml +++ b/cluster/apps/networking/namespace.yaml 
@@ -6,4 +6,4 @@ metadata: labels: kustomize.toolkit.fluxcd.io/prune: disabled goldilocks.fairwinds.com/enabled: "true" - k10.kasten.io/ignorebackuppolicy: "true" \ No newline at end of file + k10.kasten.io/ignorebackuppolicy: "true" diff --git a/cluster/apps/security/authentik/helm-release.yaml b/cluster/apps/security/authentik/helm-release.yaml index 4a640901..325e7f45 100644 --- a/cluster/apps/security/authentik/helm-release.yaml +++ b/cluster/apps/security/authentik/helm-release.yaml @@ -46,13 +46,13 @@ spec: external-dns/is-public: "true" external-dns.alpha.kubernetes.io/target: "ipv4.${SECRET_DOMAIN}" hosts: - - host: "id.${SECRET_DOMAIN}" - paths: - - path: "/" - pathType: Prefix + - host: "id.${SECRET_DOMAIN}" + paths: + - path: "/" + pathType: Prefix tls: - - hosts: - - "id.${SECRET_DOMAIN}" + - hosts: + - "id.${SECRET_DOMAIN}" postgresql: enabled: true postgresqlPassword: "${SECRET_AUTHENTIK_POSTGRES_PASSWORD}" diff --git a/cluster/apps/security/authentik/kustomization.yaml b/cluster/apps/security/authentik/kustomization.yaml index 4990550b..2fa2de20 100644 --- a/cluster/apps/security/authentik/kustomization.yaml +++ b/cluster/apps/security/authentik/kustomization.yaml @@ -2,4 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- helm-release.yaml + - helm-release.yaml diff --git a/cluster/apps/security/kustomization.yaml b/cluster/apps/security/kustomization.yaml index fa5e8918..3dc7caaf 100644 --- a/cluster/apps/security/kustomization.yaml +++ b/cluster/apps/security/kustomization.yaml @@ -2,6 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- namespace.yaml -- authentik -- vaultwarden + - namespace.yaml + - authentik + - vaultwarden diff --git a/cluster/apps/security/namespace.yaml b/cluster/apps/security/namespace.yaml index 495b8bb5..764a8cec 100644 --- a/cluster/apps/security/namespace.yaml +++ b/cluster/apps/security/namespace.yaml 
@@ -5,4 +5,4 @@ metadata: name: security labels: kustomize.toolkit.fluxcd.io/prune: disabled - goldilocks.fairwinds.com/enabled: "true" \ No newline at end of file + goldilocks.fairwinds.com/enabled: "true" diff --git a/cluster/apps/security/vaultwarden/helm-release.yaml b/cluster/apps/security/vaultwarden/helm-release.yaml index 1700ffa1..505afd53 100644 --- a/cluster/apps/security/vaultwarden/helm-release.yaml +++ b/cluster/apps/security/vaultwarden/helm-release.yaml @@ -47,18 +47,18 @@ spec: external-dns/is-public: "true" external-dns.alpha.kubernetes.io/target: "ipv4.${SECRET_DOMAIN}" hosts: - - host: "warden.${SECRET_DOMAIN}" - paths: - - path: / - pathType: Prefix - - path: /notifications/hub/negotiate - pathType: Prefix - - path: /notifications/hub - pathType: Prefix - servicePort: 3012 + - host: "warden.${SECRET_DOMAIN}" + paths: + - path: / + pathType: Prefix + - path: /notifications/hub/negotiate + pathType: Prefix + - path: /notifications/hub + pathType: Prefix + servicePort: 3012 tls: - - hosts: - - "warden.${SECRET_DOMAIN}" + - hosts: + - "warden.${SECRET_DOMAIN}" persistence: config: enabled: true @@ -74,5 +74,5 @@ spec: enabled: true storageClass: ceph-block accessModes: - - ReadWriteOnce + - ReadWriteOnce size: 10Gi diff --git a/cluster/apps/security/vaultwarden/kustomization.yaml b/cluster/apps/security/vaultwarden/kustomization.yaml index db69d001..2fa2de20 100644 --- a/cluster/apps/security/vaultwarden/kustomization.yaml +++ b/cluster/apps/security/vaultwarden/kustomization.yaml @@ -1,4 +1,5 @@ +--- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- helm-release.yaml \ No newline at end of file + - helm-release.yaml diff --git a/cluster/apps/vpn-gateway/kustomization.yaml b/cluster/apps/vpn-gateway/kustomization.yaml index 42b2f544..73941365 100644 --- a/cluster/apps/vpn-gateway/kustomization.yaml +++ b/cluster/apps/vpn-gateway/kustomization.yaml 
@@ -2,5 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- helm-release.yaml -- secret.sops.yaml + - helm-release.yaml + - secret.sops.yaml diff --git a/cluster/charts/aqua-charts.yaml b/cluster/charts/aqua-charts.yaml index 7b024a81..31b39f29 100644 --- a/cluster/charts/aqua-charts.yaml +++ b/cluster/charts/aqua-charts.yaml @@ -6,4 +6,4 @@ metadata: namespace: flux-system spec: interval: 1h - url: https://aquasecurity.github.io/helm-charts \ No newline at end of file + url: https://aquasecurity.github.io/helm-charts diff --git a/cluster/charts/cloudnative-pg-charts.yaml b/cluster/charts/cloudnative-pg-charts.yaml index 98fb54e2..1bf186cd 100644 --- a/cluster/charts/cloudnative-pg-charts.yaml +++ b/cluster/charts/cloudnative-pg-charts.yaml @@ -6,4 +6,4 @@ metadata: namespace: flux-system spec: interval: 1h - url: https://cloudnative-pg.github.io/charts \ No newline at end of file + url: https://cloudnative-pg.github.io/charts diff --git a/cluster/charts/emberstack-charts.yaml b/cluster/charts/emberstack-charts.yaml index 2786e14f..3d5f57e2 100644 --- a/cluster/charts/emberstack-charts.yaml +++ b/cluster/charts/emberstack-charts.yaml @@ -6,4 +6,4 @@ metadata: namespace: flux-system spec: interval: 1h - url: https://emberstack.github.io/helm-charts/ \ No newline at end of file + url: https://emberstack.github.io/helm-charts/ diff --git a/cluster/charts/external-dns-charts.yaml b/cluster/charts/external-dns-charts.yaml index 2452d970..2109d9e1 100644 --- a/cluster/charts/external-dns-charts.yaml +++ b/cluster/charts/external-dns-charts.yaml @@ -6,4 +6,4 @@ metadata: namespace: flux-system spec: interval: 1h - url: https://kubernetes-sigs.github.io/external-dns \ No newline at end of file + url: https://kubernetes-sigs.github.io/external-dns diff --git a/cluster/charts/kyverno-charts.yaml b/cluster/charts/kyverno-charts.yaml index 81611656..7257a920 100644 --- a/cluster/charts/kyverno-charts.yaml 
+++ b/cluster/charts/kyverno-charts.yaml @@ -6,4 +6,4 @@ metadata: namespace: flux-system spec: interval: 1h - url: https://kyverno.github.io/kyverno/ \ No newline at end of file + url: https://kyverno.github.io/kyverno/ diff --git a/cluster/charts/metrics-server-charts.yaml b/cluster/charts/metrics-server-charts.yaml index fd6282f3..50c80c1b 100644 --- a/cluster/charts/metrics-server-charts.yaml +++ b/cluster/charts/metrics-server-charts.yaml @@ -6,4 +6,4 @@ metadata: namespace: flux-system spec: interval: 1h - url: https://kubernetes-sigs.github.io/metrics-server \ No newline at end of file + url: https://kubernetes-sigs.github.io/metrics-server diff --git a/cluster/charts/vector-charts.yaml b/cluster/charts/vector-charts.yaml index 3e1e7059..07d511e4 100644 --- a/cluster/charts/vector-charts.yaml +++ b/cluster/charts/vector-charts.yaml @@ -6,4 +6,4 @@ metadata: namespace: flux-system spec: interval: 1h - url: https://helm.vector.dev \ No newline at end of file + url: https://helm.vector.dev diff --git a/cluster/config/cluster-settings.yaml b/cluster/config/cluster-settings.yaml index dc55c683..a1611acc 100644 --- a/cluster/config/cluster-settings.yaml +++ b/cluster/config/cluster-settings.yaml @@ -21,5 +21,5 @@ data: SVC_PLEX_ADDR: 10.75.45.103 SVC_JELLYFIN_ADDR: 10.75.45.104 LB_BLOCKY_IP: 10.75.45.105 - LB_QBITTORRENT_IP: 10.75.45.106 + SVC_QBITTORRENT_ADDR: 10.75.45.106 SVC_OWNCAST_ADDR: 10.75.45.107 diff --git a/cluster/core/cluster-issuers/kustomization.yaml b/cluster/core/cluster-issuers/kustomization.yaml index f437dd62..c6a23456 100644 --- a/cluster/core/cluster-issuers/kustomization.yaml +++ b/cluster/core/cluster-issuers/kustomization.yaml @@ -2,6 +2,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- secret.sops.yaml -- letsencrypt-staging.yaml -- letsencrypt-production.yaml \ No newline at end of file + - secret.sops.yaml + - letsencrypt-staging.yaml + - letsencrypt-production.yaml 
diff --git a/cluster/core/cluster-issuers/letsencrypt-production.yaml b/cluster/core/cluster-issuers/letsencrypt-production.yaml index 943854df..a41666ca 100644 --- a/cluster/core/cluster-issuers/letsencrypt-production.yaml +++ b/cluster/core/cluster-issuers/letsencrypt-production.yaml @@ -10,9 +10,9 @@ spec: privateKeySecretRef: name: letsencrypt-production solvers: - - dns01: - cloudflare: - email: "${SECRET_CLOUDFLARE_EMAIL}" - apiTokenSecretRef: - name: cloudflare-token-secret - key: cloudflare-token + - dns01: + cloudflare: + email: "${SECRET_CLOUDFLARE_EMAIL}" + apiTokenSecretRef: + name: cloudflare-token-secret + key: cloudflare-token diff --git a/cluster/core/cluster-issuers/letsencrypt-staging.yaml b/cluster/core/cluster-issuers/letsencrypt-staging.yaml index 8e074534..e7ceb8f2 100644 --- a/cluster/core/cluster-issuers/letsencrypt-staging.yaml +++ b/cluster/core/cluster-issuers/letsencrypt-staging.yaml @@ -10,9 +10,9 @@ spec: privateKeySecretRef: name: letsencrypt-staging solvers: - - dns01: - cloudflare: - email: "${SECRET_CLOUDFLARE_EMAIL}" - apiTokenSecretRef: - name: cloudflare-token-secret - key: cloudflare-token + - dns01: + cloudflare: + email: "${SECRET_CLOUDFLARE_EMAIL}" + apiTokenSecretRef: + name: cloudflare-token-secret + key: cloudflare-token diff --git a/cluster/core/cluster-policies/ingress.yaml b/cluster/core/cluster-policies/ingress.yaml index a3eba274..2a20dbaa 100644 --- a/cluster/core/cluster-policies/ingress.yaml +++ b/cluster/core/cluster-policies/ingress.yaml @@ -42,4 +42,4 @@ spec: +(nginx.ingress.kubernetes.io/auth-response-headers): |- Set-Cookie,X-authentik-username,X-authentik-groups,X-authentik-email,X-authentik-name,X-authentik-uid +(nginx.ingress.kubernetes.io/auth-snippet): | - proxy_set_header X-Forwarded-Host $http_host; \ No newline at end of file + proxy_set_header X-Forwarded-Host $http_host; 
diff --git a/cluster/core/cluster-policies/kustomization.yaml b/cluster/core/cluster-policies/kustomization.yaml
index 63dc003c..5f398adc 100644
--- a/cluster/core/cluster-policies/kustomization.yaml
+++ b/cluster/core/cluster-policies/kustomization.yaml
@@ -3,4 +3,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
 - ingress.yaml
- - resources.yaml
\ No newline at end of file
+ # - pmb-operator.yaml
+ - resources.yaml
diff --git a/cluster/core/cluster-policies/pmb-operator.yaml b/cluster/core/cluster-policies/pmb-operator.yaml
new file mode 100644
index 00000000..24ebc912
--- /dev/null
+++ b/cluster/core/cluster-policies/pmb-operator.yaml
@@ -0,0 +1,107 @@
+---
+apiVersion: kyverno.io/v1
+kind: ClusterPolicy
+metadata:
+ name: pmb-operator
+ annotations:
+ policies.kyverno.io/title: pmb-operator
+ policies.kyverno.io/subject: Deployment
+ policies.kyverno.io/description: >-
+ This policy generates a backup CronJob for Deployments
+ with the 'pmb.home.arpa/backup-claim' label
+spec:
+ generateExistingOnPolicyUpdate: true
+ mutateExistingOnPolicyUpdate: true
+ rules:
+ - name: create-cronjob
+ match:
+ any:
+ - resources:
+ kinds:
+ - Deployment
+ selector:
+ matchLabels:
+ pmb.home.arpa/backup-claim: "*"
+ context:
+ - name: appName
+ variable:
+ jmesPath: request.object.metadata.name
+ - name: claimName
+ variable:
+ jmesPath: request.object.metadata.labels."pmb.home.arpa/backup-claim"
+ generate:
+ synchronize: true
+ apiVersion: batch/v1
+ kind: CronJob
+ name: "{{ appName }}-backup"
+ namespace: "{{ request.object.metadata.namespace }}"
+ data:
+ metadata:
+ ownerReferences:
+ - apiVersion: "{{ request.object.apiVersion }}"
+ kind: "{{ request.object.kind }}"
+ name: "{{ request.object.metadata.name }}"
+ uid: "{{ request.object.metadata.uid }}"
+ spec:
+ schedule: "0 3 * * *"
+ suspend: false
+ concurrencyPolicy: Forbid
+ successfulJobsHistoryLimit: 1
+ failedJobsHistoryLimit: 2
+ jobTemplate:
+ spec:
+ ttlSecondsAfterFinished: 86400
+ template:
+ spec:
+ automountServiceAccountToken: false
+ restartPolicy: OnFailure
+ # Stagger jobs to run randomly within X seconds to avoid bringing down all apps at once
+ initContainers:
+ - name: wait
+ image: ghcr.io/onedr0p/alpine:3.16.0@sha256:e2d3ff4b577f9a3740f2fa4d1f129b83c04a4af0160311d2bb854e71bd56d980
+ command: ["/scripts/sleep.sh"]
+ args: ["1", "900"]
+ containers:
+ - name: backup
+ image: ghcr.io/onedr0p/kopia:0.11.3@sha256:db13525a2779b77e4c1db2e14470a369a2c8c9ebac575706c1141f0a786c7f62
+ env:
+ - name: KOPIA_CACHE_DIRECTORY
+ value: /data/backups/{{ appName }}/cache
+ - name: KOPIA_LOG_DIR
+ value: /data/backups/{{ appName }}/logs
+ - name: KOPIA_PASSWORD
+ value: "none"
+ command:
+ - /bin/bash
+ - -c
+ - |-
+ printf "\e[1;32m%-6s\e[m\n" "[01/09] Create repo ..." && [[ ! -f /data/backups/kopia.repository.f ]] && kopia repository create filesystem --path=/data/backups
+ printf "\e[1;32m%-6s\e[m\n" "[02/09] Connect to repo ..." && kopia repo connect filesystem --path=/data/backups --override-hostname=cluster --override-username=root
+ printf "\e[1;32m%-6s\e[m\n" "[03/09] Set policies ..." && kopia policy set /{{ appName }} --compression=zstd --keep-latest 14 --keep-hourly 0 --keep-daily 7 --keep-weekly 2 --keep-monthly 0 --keep-annual 0
+ printf "\e[1;32m%-6s\e[m\n" "[04/09] Freeze config vol ..." && fsfreeze -f /{{ appName }}
+ printf "\e[1;32m%-6s\e[m\n" "[05/09] Back up config vol ..." && kopia snap create /{{ appName }}
+ printf "\e[1;32m%-6s\e[m\n" "[06/09] Unfreeze config vol ..." && fsfreeze -u /{{ appName }}
+ printf "\e[1;32m%-6s\e[m\n" "[07/09] List snaps ..." && kopia snap list /{{ appName }}
+ printf "\e[1;32m%-6s\e[m\n" "[08/09] Show stats ..." && kopia content stats
+ printf "\e[1;32m%-6s\e[m\n" "[09/09] Disconnect from repo ..." && kopia repo disconnect
+ volumeMounts:
+ - name: config
+ mountPath: "/{{ appName }}"
+ - name: backups
+ mountPath: /data/backups
+ securityContext:
+ privileged: true
+ volumes:
+ - name: config
+ persistentVolumeClaim:
+ claimName: "{{ claimName }}"
+ - name: backups
+ nfs:
+ server: "nas01.${SECRET_PRIVATE_DOMAIN}"
+ path: /tank/data/backups/kopia
+ affinity:
+ podAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ - labelSelector:
+ matchExpressions: "{{ items(request.object.spec.selector.matchLabels, 'key', 'value')[].{key: key, operator: 'In', values: [value] } }}"
+ topologyKey: kubernetes.io/hostname
diff --git a/cluster/core/kustomization.yaml b/cluster/core/kustomization.yaml
index bf1be804..8936b16e 100644
--- a/cluster/core/kustomization.yaml
+++ b/cluster/core/kustomization.yaml
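Review bot: The backup container generated by the `create-cronjob` rule runs with `privileged: true` and a fixed, committed repository password (`KOPIA_PASSWORD` set to `"none"`), and since this is a ClusterPolicy with `synchronize: true` every Deployment carrying the `pmb.home.arpa/backup-claim` label in any namespace receives such a pod. Full privilege is presumably only there so `fsfreeze` can issue its ioctl, which needs `CAP_SYS_ADMIN` rather than the whole privileged set; the password should come from a Secret in the target namespace via `valueFrom.secretKeyRef` so the kopia repository on the NFS export is not readable by anyone who can reach the share, and `generateExistingOnPolicyUpdate` means rotating it later only requires editing that Secret. Two smaller points: the script has no `set -e`/`trap`, so if the job is killed between `fsfreeze -f` and `fsfreeze -u` the application volume stays frozen, and the file is only referenced as `# - pmb-operator.yaml` in the kustomization hunk above, so as committed the policy is never applied; a comment such as `# not yet enabled: needs per-namespace repo Secret and SYS_ADMIN-only pods` there would make that intent explicit.
```yaml
# … unchanged: env entries for KOPIA_CACHE_DIRECTORY and KOPIA_LOG_DIR …
- name: KOPIA_PASSWORD
  valueFrom:
    secretKeyRef:
      name: "{{ appName }}-backup-secret"   # placeholder name; Secret must exist in the target namespace
      key: KOPIA_PASSWORD
# … unchanged: command, volumeMounts …
securityContext:
  allowPrivilegeEscalation: false
  capabilities:
    drop: ["ALL"]
    add: ["SYS_ADMIN"]   # required for fsfreeze; verify snap create still succeeds without privileged
```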
@@ -4,4 +4,4 @@ kind: Kustomization resources: - cluster-issuers - cluster-policies - - rook-ceph \ No newline at end of file + - rook-ceph diff --git a/cluster/core/namespaces/kustomization.yaml b/cluster/core/namespaces/kustomization.yaml index 7fa951c0..18b9ba0f 100644 --- a/cluster/core/namespaces/kustomization.yaml +++ b/cluster/core/namespaces/kustomization.yaml @@ -2,18 +2,18 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- backup-system.yaml -- cert-manager.yaml -- downloads.yaml -- ext-gateway.yaml -- falco-system.yaml -- flux-system.yaml -- home.yaml -- kube-system.yaml -- mail.yaml -- media.yaml -- monitoring.yaml -- networking.yaml -- rook-ceph.yaml -- security.yaml -- vpn-gateway.yaml + - backup-system.yaml + - cert-manager.yaml + - downloads.yaml + - ext-gateway.yaml + - falco-system.yaml + - flux-system.yaml + - home.yaml + - kube-system.yaml + - mail.yaml + - media.yaml + - monitoring.yaml + - networking.yaml + - rook-ceph.yaml + - security.yaml + - vpn-gateway.yaml diff --git a/cluster/core/rook-ceph/cluster/helm-release.yaml b/cluster/core/rook-ceph/cluster/helm-release.yaml index 4ebd48d2..da86e032 100644 --- a/cluster/core/rook-ceph/cluster/helm-release.yaml +++ b/cluster/core/rook-ceph/cluster/helm-release.yaml @@ -123,4 +123,3 @@ spec: name: csi-rbdplugin-snapclass annotations: k10.kasten.io/is-snapshot-class: "true" - diff --git a/cluster/core/rook-ceph/kustomization.yaml b/cluster/core/rook-ceph/kustomization.yaml index c2f4d8b1..3ae3f0f4 100644 --- a/cluster/core/rook-ceph/kustomization.yaml +++ b/cluster/core/rook-ceph/kustomization.yaml @@ -5,4 +5,4 @@ resources: - namespace.yaml - rook-direct-mount - cluster - - operator \ No newline at end of file + - operator diff --git a/cluster/core/rook-ceph/namespace.yaml b/cluster/core/rook-ceph/namespace.yaml index 73020c64..35df7cf0 100644 --- a/cluster/core/rook-ceph/namespace.yaml +++ b/cluster/core/rook-ceph/namespace.yaml 
@@ -8,4 +8,4 @@ metadata: pod-security.kubernetes.io/enforce-version: latest kustomize.toolkit.fluxcd.io/prune: disabled goldilocks.fairwinds.com/enabled: "true" - k10.kasten.io/ignorebackuppolicy: "true" \ No newline at end of file + k10.kasten.io/ignorebackuppolicy: "true" diff --git a/cluster/core/rook-ceph/rook-direct-mount/kustomization.yaml b/cluster/core/rook-ceph/rook-direct-mount/kustomization.yaml index eecc6f18..eedc1bad 100644 --- a/cluster/core/rook-ceph/rook-direct-mount/kustomization.yaml +++ b/cluster/core/rook-ceph/rook-direct-mount/kustomization.yaml @@ -11,4 +11,4 @@ configMapGenerator: generatorOptions: disableNameSuffixHash: true annotations: - kustomize.toolkit.fluxcd.io/substitute: disabled \ No newline at end of file + kustomize.toolkit.fluxcd.io/substitute: disabled diff --git a/cluster/crds/cert-manager/kustomization.yaml b/cluster/crds/cert-manager/kustomization.yaml index 745ca9c9..0293cb83 100644 --- a/cluster/crds/cert-manager/kustomization.yaml +++ b/cluster/crds/cert-manager/kustomization.yaml @@ -1,5 +1,6 @@ +--- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -# renovate: registryUrl=https://charts.jetstack.io chart=cert-manager -- https://github.com/cert-manager/cert-manager/releases/download/v1.8.2/cert-manager.crds.yaml + # renovate: registryUrl=https://charts.jetstack.io chart=cert-manager + - https://github.com/cert-manager/cert-manager/releases/download/v1.8.2/cert-manager.crds.yaml diff --git a/cluster/crds/external-dns/crds.yaml b/cluster/crds/external-dns/crds.yaml index 5953c3f3..6e242057 100644 --- a/cluster/crds/external-dns/crds.yaml +++ b/cluster/crds/external-dns/crds.yaml @@ -27,6 +27,6 @@ spec: kind: GitRepository name: external-dns-source healthChecks: - - apiVersion: apiextensions.k8s.io/v1beta1 - kind: CustomResourceDefinition - name: dnsendpoints.externaldns.k8s.io + - apiVersion: apiextensions.k8s.io/v1beta1 + kind: CustomResourceDefinition + name: dnsendpoints.externaldns.k8s.io 
diff --git a/cluster/crds/external-dns/kustomization.yaml b/cluster/crds/external-dns/kustomization.yaml index 93185d08..7d6dc05e 100644 --- a/cluster/crds/external-dns/kustomization.yaml +++ b/cluster/crds/external-dns/kustomization.yaml @@ -2,4 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- crds.yaml + - crds.yaml diff --git a/cluster/crds/external-snapshotter/kustomization.yaml b/cluster/crds/external-snapshotter/kustomization.yaml index 226f5100..e6eee538 100644 --- a/cluster/crds/external-snapshotter/kustomization.yaml +++ b/cluster/crds/external-snapshotter/kustomization.yaml @@ -2,4 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - github.com/kubernetes-csi/external-snapshotter//client/config/crd?ref=v6.0.1 \ No newline at end of file + - github.com/kubernetes-csi/external-snapshotter//client/config/crd?ref=v6.0.1 diff --git a/cluster/crds/kube-prometheus-stack/crds.yaml b/cluster/crds/kube-prometheus-stack/crds.yaml index 24d0e940..49b68885 100644 --- a/cluster/crds/kube-prometheus-stack/crds.yaml +++ b/cluster/crds/kube-prometheus-stack/crds.yaml @@ -27,4 +27,4 @@ spec: wait: true sourceRef: kind: GitRepository - name: kube-prometheus-stack-source \ No newline at end of file + name: kube-prometheus-stack-source diff --git a/cluster/crds/kube-prometheus-stack/kustomization.yaml b/cluster/crds/kube-prometheus-stack/kustomization.yaml index 3f1d1cbb..7d6dc05e 100644 --- a/cluster/crds/kube-prometheus-stack/kustomization.yaml +++ b/cluster/crds/kube-prometheus-stack/kustomization.yaml @@ -1,4 +1,5 @@ +--- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- crds.yaml + - crds.yaml diff --git a/cluster/crds/kustomization.yaml b/cluster/crds/kustomization.yaml index 717fc9a9..4e5365b4 100644 --- a/cluster/crds/kustomization.yaml +++ b/cluster/crds/kustomization.yaml 
@@ -1,8 +1,9 @@ +--- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- cert-manager -- external-snapshotter -- kube-prometheus-stack -- kyverno -- rook-ceph + - cert-manager + - external-snapshotter + - kube-prometheus-stack + - kyverno + - rook-ceph diff --git a/cluster/crds/kyverno/kustomization.yaml b/cluster/crds/kyverno/kustomization.yaml index d9c6a483..7d6dc05e 100644 --- a/cluster/crds/kyverno/kustomization.yaml +++ b/cluster/crds/kyverno/kustomization.yaml @@ -2,4 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - crds.yaml \ No newline at end of file + - crds.yaml diff --git a/cluster/crds/rook-ceph/crds.yaml b/cluster/crds/rook-ceph/crds.yaml index f2bc24d8..ac2d7814 100644 --- a/cluster/crds/rook-ceph/crds.yaml +++ b/cluster/crds/rook-ceph/crds.yaml @@ -27,4 +27,4 @@ spec: wait: true sourceRef: kind: GitRepository - name: rook-ceph-source \ No newline at end of file + name: rook-ceph-source diff --git a/cluster/crds/rook-ceph/kustomization.yaml b/cluster/crds/rook-ceph/kustomization.yaml index 3f1d1cbb..7d6dc05e 100644 --- a/cluster/crds/rook-ceph/kustomization.yaml +++ b/cluster/crds/rook-ceph/kustomization.yaml @@ -1,4 +1,5 @@ +--- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- crds.yaml + - crds.yaml diff --git a/cluster/crds/traefik/crds.yaml b/cluster/crds/traefik/crds.yaml index 4ac21fc4..4ffd6e5a 100644 --- a/cluster/crds/traefik/crds.yaml +++ b/cluster/crds/traefik/crds.yaml 
@@ -28,30 +28,30 @@ spec: kind: GitRepository name: traefik-crd-source healthChecks: - - apiVersion: apiextensions.k8s.io/v1beta1 - kind: CustomResourceDefinition - name: ingressroutes.traefik.containo.us - - apiVersion: apiextensions.k8s.io/v1beta1 - kind: CustomResourceDefinition - name: ingressroutetcps.traefik.containo.us - - apiVersion: apiextensions.k8s.io/v1beta1 - kind: CustomResourceDefinition - name: ingressrouteudps.traefik.containo.us - - apiVersion: apiextensions.k8s.io/v1beta1 - kind: CustomResourceDefinition - name: ingressrouteudps.traefik.containo.us - - apiVersion: apiextensions.k8s.io/v1beta1 - kind: CustomResourceDefinition - name: middlewares.traefik.containo.us - - apiVersion: apiextensions.k8s.io/v1beta1 - kind: CustomResourceDefinition - name: serverstransports.traefik.containo.us - - apiVersion: apiextensions.k8s.io/v1beta1 - kind: CustomResourceDefinition - name: tlsoptions.traefik.containo.us - - apiVersion: apiextensions.k8s.io/v1beta1 - kind: CustomResourceDefinition - name: tlsstores.traefik.containo.us - - apiVersion: apiextensions.k8s.io/v1beta1 - kind: CustomResourceDefinition - name: traefikservices.traefik.containo.us + - apiVersion: apiextensions.k8s.io/v1beta1 + kind: CustomResourceDefinition + name: ingressroutes.traefik.containo.us + - apiVersion: apiextensions.k8s.io/v1beta1 + kind: CustomResourceDefinition + name: ingressroutetcps.traefik.containo.us + - apiVersion: apiextensions.k8s.io/v1beta1 + kind: CustomResourceDefinition + name: ingressrouteudps.traefik.containo.us + - apiVersion: apiextensions.k8s.io/v1beta1 + kind: CustomResourceDefinition + name: ingressrouteudps.traefik.containo.us + - apiVersion: apiextensions.k8s.io/v1beta1 + kind: CustomResourceDefinition + name: middlewares.traefik.containo.us + - apiVersion: apiextensions.k8s.io/v1beta1 + kind: CustomResourceDefinition + name: serverstransports.traefik.containo.us + - apiVersion: apiextensions.k8s.io/v1beta1 + kind: CustomResourceDefinition + name: 
tlsoptions.traefik.containo.us + - apiVersion: apiextensions.k8s.io/v1beta1 + kind: CustomResourceDefinition + name: tlsstores.traefik.containo.us + - apiVersion: apiextensions.k8s.io/v1beta1 + kind: CustomResourceDefinition + name: traefikservices.traefik.containo.us diff --git a/cluster/crds/traefik/kustomization.yaml b/cluster/crds/traefik/kustomization.yaml index 3f1d1cbb..7d6dc05e 100644 --- a/cluster/crds/traefik/kustomization.yaml +++ b/cluster/crds/traefik/kustomization.yaml @@ -1,4 +1,5 @@ +--- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: -- crds.yaml + - crds.yaml diff --git a/cluster/flux/apps.yaml b/cluster/flux/apps.yaml index bcf70f72..2a6ee1a0 100644 --- a/cluster/flux/apps.yaml +++ b/cluster/flux/apps.yaml @@ -9,7 +9,7 @@ spec: path: ./cluster/apps prune: true dependsOn: - - name: core + - name: core sourceRef: kind: GitRepository name: flux-cluster @@ -19,7 +19,7 @@ spec: name: sops-age postBuild: substituteFrom: - - kind: ConfigMap - name: cluster-settings - - kind: Secret - name: cluster-secrets + - kind: ConfigMap + name: cluster-settings + - kind: Secret + name: cluster-secrets diff --git a/cluster/flux/charts.yaml b/cluster/flux/charts.yaml index 5d9ac21b..02733619 100644 --- a/cluster/flux/charts.yaml +++ b/cluster/flux/charts.yaml @@ -10,4 +10,4 @@ spec: prune: true sourceRef: kind: GitRepository - name: flux-cluster \ No newline at end of file + name: flux-cluster diff --git a/cluster/flux/config.yaml b/cluster/flux/config.yaml index 83934449..e8285d28 100644 --- a/cluster/flux/config.yaml +++ b/cluster/flux/config.yaml @@ -14,4 +14,4 @@ spec: decryption: provider: sops secretRef: - name: sops-age \ No newline at end of file + name: sops-age diff --git a/cluster/flux/flux-system/kustomization.yaml b/cluster/flux/flux-system/kustomization.yaml index 79c81776..e0eaeda3 100644 --- a/cluster/flux/flux-system/kustomization.yaml +++ b/cluster/flux/flux-system/kustomization.yaml 
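Review bot: The reindented healthChecks list still carries `name: ingressrouteudps.traefik.containo.us` twice (third and fourth entries on the new side), so one entry is redundant and looks like a copy-paste slip; drop the duplicate or replace it with the CRD that was meant. Every entry also declares `apiVersion: apiextensions.k8s.io/v1beta1`, an API that was removed from Kubernetes in 1.22, while `talos/talconfig.yaml` in this same diff pins `kubernetesVersion: v1.24.2`; unless Flux resolves the served version itself, these checks presumably need `apiVersion: apiextensions.k8s.io/v1` to match anything. The external-dns `crds.yaml` hunk earlier in this diff has the same `v1beta1` reference. The enclosing `spec:` mapping starts before the hunk.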
@@ -1,5 +1,6 @@ +--- apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - flux-installation.yaml - - flux-cluster.yaml \ No newline at end of file + - flux-cluster.yaml diff --git a/hack/blocky.sh b/hack/blocky.sh deleted file mode 100755 index 64dc10b4..00000000 --- a/hack/blocky.sh +++ /dev/null @@ -1,25 +0,0 @@ -#!/usr/bin/env bash - -ACTION="${1}" -DURATION="${2}" - -NAMESPACE="networking" -BLOCKY_PODS=$(kubectl get pods -n "${NAMESPACE}" -o=jsonpath="{range .items[*]}{.metadata.name} " -l app.kubernetes.io/name=blocky) - -for pod in $BLOCKY_PODS; do - case "${ACTION}" in - status) - kubectl -n "${NAMESPACE}" exec -it "${pod}" -- /app/blocky blocking status - ;; - enable) - kubectl -n "${NAMESPACE}" exec -it "${pod}" -- /app/blocky blocking enable - ;; - disable) - if [ -z "${DURATION}" ]; then - kubectl -n "${NAMESPACE}" exec -it "${pod}" -- /app/blocky blocking disable - else - kubectl -n "${NAMESPACE}" exec -it "${pod}" -- /app/blocky blocking disable --duration "${DURATION}" - fi - ;; - esac -done diff --git a/hack/delete-stuck-ns.sh b/hack/delete-stuck-ns.sh new file mode 100644 index 00000000..784486a2 --- /dev/null +++ b/hack/delete-stuck-ns.sh @@ -0,0 +1,16 @@ +#!/usr/bin/env bash + +function delete_namespace () { + echo "Deleting namespace $1" + kubectl get namespace $1 -o json > tmp.json + sed -i 's/"kubernetes"//g' tmp.json + kubectl replace --raw "/api/v1/namespaces/$1/finalize" -f ./tmp.json + rm ./tmp.json +} + +TERMINATING_NS=$(kubectl get ns | awk '$2=="Terminating" {print $1}') + +for ns in $TERMINATING_NS +do + delete_namespace $ns +done diff --git a/hack/playlist.sh b/hack/playlist.sh deleted file mode 100755 index 52bbde18..00000000 --- a/hack/playlist.sh +++ /dev/null 
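Review bot: `delete_namespace` strips the `kubernetes` finalizer with a blind `sed` over the whole namespace JSON and round-trips it through a predictable `tmp.json` in the current directory, with `$1` unquoted throughout. Clearing the finalizer bypasses whatever was still blocking deletion, so resources the namespace controller had not yet cleaned up are orphaned rather than deleted; that is the known trade-off of this hack and deserves a comment at the top of the file, e.g. `# Force-finalizes stuck namespaces; objects not yet garbage-collected are left behind.` The `sed` also rewrites every `"kubernetes"` string in the document, not only `spec.finalizers`, and a `tmp.json` left over from an interrupted run would be replayed on the next call. A `jq` expression targeting the finalizer array, piped straight into `kubectl replace -f -`, avoids both the temp file and the over-broad substitution (`jq` is already relied on by `hack/restore-job.yaml` in this commit).
```shell
set -euo pipefail

function delete_namespace () {
  echo "Deleting namespace $1"
  # Remove only the finalizer that blocks deletion; anything the namespace
  # controller has not yet garbage-collected will be left behind.
  kubectl get namespace "$1" -o json \
    | jq 'del(.spec.finalizers[] | select(. == "kubernetes"))' \
    | kubectl replace --raw "/api/v1/namespaces/$1/finalize" -f -
}
# … unchanged: TERMINATING_NS lookup and loop …
```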
@@ -1,10 +0,0 @@ -#!/usr/bin/env bash - -while true; do - figlet -f slant "media" | lolcat - kubecolor get po -n media; sleep 5; clear; - figlet -f slant "home" | lolcat - kubecolor get po -n home; sleep 5; clear; - figlet -f slant "nodes" | lolcat - kubecolor get nodes; sleep 5; clear; -done diff --git a/hack/restore-job.yaml b/hack/restore-job.yaml new file mode 100644 index 00000000..d586b8c4 --- /dev/null +++ b/hack/restore-job.yaml @@ -0,0 +1,42 @@ +--- +apiVersion: batch/v1 +kind: Job +metadata: + name: $APP-restore + namespace: $NAMESPACE +spec: + ttlSecondsAfterFinished: 3600 + template: + spec: + automountServiceAccountToken: false + restartPolicy: OnFailure + containers: + - name: restore + image: ghcr.io/onedr0p/kopia:0.11.3@sha256:2ae9ede0edac68c09d517abd71fa12c96efcf19f27ce7ffca968cebb10ed0e2d + env: + - name: KOPIA_PASSWORD + value: "none" + command: + - /bin/bash + - -c + - |- + shopt -s dotglob + printf "\e[1;32m%-6s\e[m\n" "[01/03] Remove previous data ..." && rm -rf /data/config/* + printf "\e[1;32m%-6s\e[m\n" "[02/03] Connect to repo ..." && kopia repo connect filesystem --path=/data/backups --override-hostname=cluster --override-username=root + printf "\e[1;32m%-6s\e[m\n" "[03/03] Restore latest snap ..." && kopia snap restore "$(kopia snapshot list /$APP --json | jq --raw-output '.[-1] | .id')" /data/config + printf "\e[1;32m%-6s\e[m\n" "[09/09] Disconnect from repo ..." && kopia repo disconnect + volumeMounts: + - name: config + mountPath: /data/config + - name: backups + mountPath: /data/backups + securityContext: + privileged: true + volumes: + - name: config + persistentVolumeClaim: + claimName: $PVC + - name: backups + nfs: + server: nas01 + path: /tank/data/backups/kopia diff --git a/mkdocs.yml b/mkdocs.yml index d55e820a..562f3a04 100644 --- a/mkdocs.yml +++ b/mkdocs.yml @@ -1,5 +1,4 @@ --- - site_name: Toboshii | Home Cluster site_description: My home Kubernetes (k3s) cluster managed by GitOps (Flux2) site_author: Toboshii Nakama 
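Review bot: The `restore` container runs with `securityContext.privileged: true`, which grants it every capability and the node's devices for what is a file copy from the `backups` NFS mount into the `config` PVC; nothing in the command needs more than read access to one volume and write access to the other. Drop the privileged flag and, if kopia must restore file ownership, run as `runAsUser: 0` with `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}`, adding back an individual capability such as `CHOWN` only if a failed restore shows it is required. The template also hardcodes `KOPIA_PASSWORD: "none"` for the repository at `/tank/data/backups/kopia`; if that repo is intentionally unprotected, say so in a comment, otherwise source the value from a Secret. Minor: the final step prints `[09/09]` while the others count to `03`.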
@@ -15,28 +14,28 @@ theme: repo: fontawesome/brands/github-alt language: en features: - - navigation.sections - # - navigation.tabs - - navigation.tracking - # - navigation.indexes - - search.highlight - - search.share - - search.suggest + - navigation.sections + # - navigation.tabs + - navigation.tracking + # - navigation.indexes + - search.highlight + - search.share + - search.suggest palette: - - media: "(prefers-color-scheme: light)" - scheme: default - primary: blue - accent: indigo - toggle: - icon: material/weather-sunny - name: Switch to dark mode - - media: "(prefers-color-scheme: dark)" - scheme: slate - primary: blue - accent: indigo - toggle: - icon: material/weather-night - name: Switch to light mode + - media: "(prefers-color-scheme: light)" + scheme: default + primary: blue + accent: indigo + toggle: + icon: material/weather-sunny + name: Switch to dark mode + - media: "(prefers-color-scheme: dark)" + scheme: slate + primary: blue + accent: indigo + toggle: + icon: material/weather-night + name: Switch to light mode font: text: Roboto code: Roboto Mono 
@@ -44,68 +43,68 @@ theme: docs_dir: ./docs extra_css: -- _static/custom.css + - _static/custom.css # Plugins plugins: -- search -- minify: - minify_html: true + - search + - minify: + minify_html: true # Customization extra: social: - - icon: fontawesome/brands/github - link: https://github.com/toboshii - - icon: fontawesome/brands/discord - link: https://discord.gg/sTMX7Vh - - icon: fontawesome/brands/docker - link: https://hub.docker.com/u/toboshii + - icon: fontawesome/brands/github + link: https://github.com/toboshii + - icon: fontawesome/brands/discord + link: https://discord.gg/sTMX7Vh + - icon: fontawesome/brands/docker + link: https://hub.docker.com/u/toboshii # Extensions markdown_extensions: -- admonition -- abbr -- attr_list -- def_list -- footnotes -- meta -- md_in_html -- toc: - permalink: true -- pymdownx.arithmatex: - generic: true -- pymdownx.betterem: - smart_enable: all -- pymdownx.caret -- pymdownx.critic -- pymdownx.details -- pymdownx.emoji: - emoji_index: !!python/name:materialx.emoji.twemoji - emoji_generator: !!python/name:materialx.emoji.to_svg -- pymdownx.highlight -- pymdownx.inlinehilite -- pymdownx.keys -- pymdownx.magiclink: - repo_url_shorthand: true - user: toboshii - repo: home-cluster -- pymdownx.mark -- pymdownx.smartsymbols -- pymdownx.superfences: - custom_fences: - - name: mermaid - class: mermaid-experimental - format: !!python/name:pymdownx.superfences.fence_code_format -- pymdownx.tabbed -- pymdownx.tasklist: - custom_checkbox: true -- pymdownx.tilde + - admonition + - abbr + - attr_list + - def_list + - footnotes + - meta + - md_in_html + - toc: + permalink: true + - pymdownx.arithmatex: + generic: true + - pymdownx.betterem: + smart_enable: all + - pymdownx.caret + - pymdownx.critic + - pymdownx.details + - pymdownx.emoji: + emoji_index: !!python/name:materialx.emoji.twemoji + emoji_generator: !!python/name:materialx.emoji.to_svg + - pymdownx.highlight + - pymdownx.inlinehilite + - pymdownx.keys + - pymdownx.magiclink: + 
repo_url_shorthand: true + user: toboshii + repo: home-cluster + - pymdownx.mark + - pymdownx.smartsymbols + - pymdownx.superfences: + custom_fences: + - name: mermaid + class: mermaid-experimental + format: !!python/name:pymdownx.superfences.fence_code_format + - pymdownx.tabbed + - pymdownx.tasklist: + custom_checkbox: true + - pymdownx.tilde # Page tree nav: -- Introduction: index.md -- Restore Process: restore.md + - Introduction: index.md + - Restore Process: restore.md # - External Secrets: external-secrets.md # - Flux: flux.md # - Opnsense: diff --git a/server/ansible/playbooks/k3s/install.yml b/server/ansible/playbooks/k3s/install.yml deleted file mode 100644 index 0725edb5..00000000 --- a/server/ansible/playbooks/k3s/install.yml +++ /dev/null @@ -1,27 +0,0 @@ ---- - -- hosts: - - master-nodes - - worker-nodes - - gpu-nodes - become: true - gather_facts: true - any_errors_fatal: true - pre_tasks: - - name: Pausing for 5 seconds... - pause: - seconds: 5 - roles: - - k3s - -- hosts: - - gpu-nodes - become: true - gather_facts: true - any_errors_fatal: true - pre_tasks: - - name: Pausing for 5 seconds... - pause: - seconds: 5 - roles: - - nvidia diff --git a/server/ansible/playbooks/k3s/nuke.yml b/server/ansible/playbooks/k3s/nuke.yml deleted file mode 100644 index 6c12f9cb..00000000 --- a/server/ansible/playbooks/k3s/nuke.yml +++ /dev/null 
@@ -1,34 +0,0 @@ ---- - -- hosts: - - master-nodes - - worker-nodes - - gpu-nodes - become: true - gather_facts: true - any_errors_fatal: true - pre_tasks: - - name: Pausing for 5 seconds... - pause: - seconds: 5 - tasks: - - name: kill k3s - ansible.builtin.command: /usr/local/bin/k3s-killall.sh - - name: uninstall k3s - ansible.builtin.command: - cmd: /usr/local/bin/k3s-uninstall.sh - removes: /usr/local/bin/k3s-uninstall.sh - - name: uninstall k3s agent - ansible.builtin.command: - cmd: /usr/local/bin/k3s-agent-uninstall.sh - removes: /usr/local/bin/k3s-agent-uninstall.sh - - name: gather list of CNI files to delete - find: - paths: /etc/cni/net.d - patterns: "*" - register: files_to_delete - - name: delete CNI files - ansible.builtin.file: - path: "{{ item.path }}" - state: absent - loop: "{{ files_to_delete.files }}" diff --git a/server/ansible/playbooks/k3s/upgrade.yml b/server/ansible/playbooks/k3s/upgrade.yml deleted file mode 100644 index 1d3c17eb..00000000 --- a/server/ansible/playbooks/k3s/upgrade.yml +++ /dev/null @@ -1,15 +0,0 @@ ---- - -- hosts: - - master-nodes - - worker-nodes - - gpu-nodes - become: true - gather_facts: true - any_errors_fatal: true - pre_tasks: - - name: Pausing for 5 seconds... - pause: - seconds: 5 - roles: - - k3s diff --git a/server/ansible/playbooks/ubuntu/prepare.yml b/server/ansible/playbooks/ubuntu/prepare.yml deleted file mode 100644 index ec2db678..00000000 --- a/server/ansible/playbooks/ubuntu/prepare.yml +++ /dev/null @@ -1,15 +0,0 @@ ---- - -- hosts: - - master-nodes - - worker-nodes - - gpu-nodes - become: true - gather_facts: true - any_errors_fatal: true - pre_tasks: - - name: Pausing for 5 seconds... - pause: - seconds: 5 - roles: - - ubuntu diff --git a/server/ansible/playbooks/ubuntu/upgrade.yml b/server/ansible/playbooks/ubuntu/upgrade.yml deleted file mode 100644 index fe2d214f..00000000 --- a/server/ansible/playbooks/ubuntu/upgrade.yml +++ /dev/null 
@@ -1,24 +0,0 @@ ---- - -- hosts: - - master-nodes - - worker-nodes - - gpu-nodes - become: true - gather_facts: true - any_errors_fatal: true - pre_tasks: - - name: Pausing for 5 seconds... - pause: - seconds: 5 - tasks: - - name: upgrade - ansible.builtin.apt: - upgrade: full - update_cache: true - cache_valid_time: 3600 - autoclean: true - autoremove: true - register: apt_upgrade - retries: 5 - until: apt_upgrade is success diff --git a/server/ansible/requirements.yml b/server/ansible/requirements.yml deleted file mode 100644 index 8ab1eb51..00000000 --- a/server/ansible/requirements.yml +++ /dev/null @@ -1,6 +0,0 @@ ---- -roles: -- src: xanmanning.k3s - version: v2.11.1 -collections: -- name: community.general diff --git a/server/ansible/roles/k3s/tasks/kubeconfig.yml b/server/ansible/roles/k3s/tasks/kubeconfig.yml deleted file mode 100644 index 83dc9f77..00000000 --- a/server/ansible/roles/k3s/tasks/kubeconfig.yml +++ /dev/null @@ -1,20 +0,0 @@ ---- - -- name: kubeconfig | copy config file to /tmp - run_once: true - ansible.builtin.fetch: - src: "/etc/rancher/k3s/k3s.yaml" - dest: "/tmp/kubeconfig" - flat: true - when: - - k3s_control_node is defined - - k3s_control_node - -- name: kubeconfig | update kubeconfig with the right IPv4 address - delegate_to: localhost - become: false - run_once: true - ansible.builtin.replace: - path: "/tmp/kubeconfig" - regexp: 'https://127.0.0.1:6443' - replace: 'https://{{ k3s_registration_domain }}:6443' diff --git a/server/ansible/roles/nvidia/files/blacklist-nouveau.conf b/server/ansible/roles/nvidia/files/blacklist-nouveau.conf deleted file mode 100644 index 976fcc25..00000000 --- a/server/ansible/roles/nvidia/files/blacklist-nouveau.conf +++ /dev/null @@ -1,2 +0,0 @@ -blacklist nouveau -options nouveau modeset=0 \ No newline at end of file diff --git a/server/ansible/roles/ubuntu/defaults/main.yml b/server/ansible/roles/ubuntu/defaults/main.yml deleted file mode 100644 index 06c254cb..00000000 
--- a/server/ansible/roles/ubuntu/defaults/main.yml +++ /dev/null @@ -1,47 +0,0 @@ ---- - -packages: - apt_install: - - apt-transport-https - - arptables - - ca-certificates - - curl - - ebtables - - gdisk - - hdparm - - htop - - iputils-ping - - ipvsadm - - net-tools - - nfs-common - - nano - - ntpdate - - open-iscsi - - psmisc - - socat - - software-properties-common - - unattended-upgrades - - unzip - apt_remove: - - apport - - bcache-tools - - btrfs-progs - - byobu - - cloud-init - - cloud-guest-utils - - cloud-initramfs-copymods - - cloud-initramfs-dyn-netconf - - friendly-recovery - - fwupd - - landscape-common - - lxd-agent-loader - - ntfs-3g - - open-vm-tools - - plymouth - - plymouth-theme-ubuntu-text - - popularity-contest - - snapd - - sosreport - - tmux - - ubuntu-advantage-tools - - ufw diff --git a/server/ansible/roles/ubuntu/tasks/packages.yml b/server/ansible/roles/ubuntu/tasks/packages.yml deleted file mode 100644 index 309dce77..00000000 --- a/server/ansible/roles/ubuntu/tasks/packages.yml +++ /dev/null 
@@ -1,95 +0,0 @@ ---- - -- name: packages | disable recommends - ansible.builtin.blockinfile: - path: /etc/apt/apt.conf.d/02norecommends - mode: 0644 - create: true - block: | - APT::Install-Recommends "false"; - APT::Install-Suggests "false"; - APT::Get::Install-Recommends "false"; - APT::Get::Install-Suggests "false"; - -- name: packages | upgrade all packages - ansible.builtin.apt: - upgrade: full - update_cache: true - cache_valid_time: 3600 - autoclean: true - autoremove: true - register: apt_upgrade - retries: 5 - until: apt_upgrade is success - when: - - (skip_upgrade_packages is not defined or (skip_upgrade_packages is defined and not skip_upgrade_packages)) - -- name: packages | install common - ansible.builtin.apt: - name: "{{ packages.apt_install }}" - install_recommends: false - update_cache: true - cache_valid_time: 3600 - autoclean: true - autoremove: true - register: apt_install_common - retries: 5 - until: apt_install_common is success - when: - - packages.apt_install is defined - - packages.apt_install is iterable - - packages.apt_install | length > 0 - -- name: packages | remove crufty packages - block: - - name: packages | remove crufty packages | gather install packages - ansible.builtin.package_facts: - manager: auto - when: - - "'snapd' in packages.apt_remove" - - name: packages | remove crufty packages | check if snap is installed - ansible.builtin.debug: - msg: "snapd is installed" - register: snapd_check - when: - - "'snapd' in packages.apt_remove" - - "'snapd' in ansible_facts.packages" - - name: packages | remove crufty packages | remove snap packages - - ansible.builtin.command: snap remove {{ item }} - loop: - - lxd - - core18 - - snapd - when: - - "'snapd' in packages.apt_remove" - - "'snapd' in ansible_facts.packages" - - snapd_check.failed is defined - - name: packages | remove crufty packages | remove packages - - ansible.builtin.apt: - name: "{{ packages.apt_remove }}" - state: absent - autoremove: true - - name: packages | remove 
crufty packages | remove crufty files - - ansible.builtin.file: - state: absent - path: "{{ item }}" - loop: - - "/home/{{ ansible_user }}/.snap" - - "/snap" - - "/var/snap" - - "/var/lib/snapd" - - "/var/cache/snapd" - - "/usr/lib/snapd" - - "/etc/cloud" - - "/var/lib/cloud" - when: - - "'snapd' in packages.apt_remove" - - "'cloud-init' in packages.apt_remove" - when: - - packages.apt_remove is defined - - packages.apt_remove is iterable - - packages.apt_remove | length > 0 - - (skip_remove_packages is not defined or (skip_remove_packages is defined and not skip_remove_packages)) diff --git a/talos/cni/kustomization.yaml b/talos/cni/kustomization.yaml index 58d33acb..45acf44c 100644 --- a/talos/cni/kustomization.yaml +++ b/talos/cni/kustomization.yaml @@ -12,4 +12,4 @@ commonAnnotations: meta.helm.sh/release-name: cilium meta.helm.sh/release-namespace: kube-system commonLabels: - app.kubernetes.io/managed-by: Helm \ No newline at end of file + app.kubernetes.io/managed-by: Helm diff --git a/talos/talconfig.yaml b/talos/talconfig.yaml index ea94f468..60080fa4 100644 --- a/talos/talconfig.yaml +++ b/talos/talconfig.yaml @@ -1,3 +1,4 @@ +--- clusterName: cluster01 talosVersion: v1.1.0 kubernetesVersion: v1.24.2 @@ -9,7 +10,7 @@ clusterSvcNets: cniConfig: name: custom urls: - - https://gist.githubusercontent.com/toboshii/72d5570d8a7a6a9f4daf8a2162d07ee9/raw/6225cb24b8905a145e39438babadce771eb9e4ed/install.yaml + - https://raw.githubusercontent.com/toboshii/home-ops/main/talos/cni/install.yaml nodes: - hostname: k8s-control01.${domainName} ipAddress: 10.75.40.20 @@ -107,6 +108,7 @@ controlPlane: key: ${clusterCertKey} controllerManager: extraArgs: + bind-address: 0.0.0.0 feature-gates: MixedProtocolLBService=true,EphemeralContainers=True discovery: registries: 
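Review bot: The `cniConfig.urls` entry now points at the `main` branch of `toboshii/home-ops` instead of a gist pinned to a specific revision (`6225cb24b…`), so what Talos applies at bootstrap changes with every push to that branch and can no longer be reproduced from the committed config alone. Because this manifest is applied during cluster bootstrap (presumably the Cilium install, given `talos/cni/kustomization.yaml` in this diff), pin it to a commit, e.g. `https://raw.githubusercontent.com/toboshii/home-ops/<COMMIT_SHA>/talos/cni/install.yaml`, and bump the SHA deliberately when the CNI changes. The `nodes:` list continues past the hunk.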
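Review bot: `bind-address: 0.0.0.0` makes kube-controller-manager's secure port listen on every node interface rather than the loopback binding it presumably had before; the scheduler hunk further down (`@@ -124,6 +128,7 @@`) does the same. These ports still require an authenticated client with the matching RBAC, so this is a reachability change rather than a data leak, but the reason belongs next to the line, e.g. `# reachable beyond loopback so kube-prometheus-stack can scrape it`, and binding to the node's own address rather than `0.0.0.0` would keep the listener off interfaces that do not need it. The `controllerManager:` mapping starts before the hunk.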
@@ -116,6 +118,8 @@ controlPlane: ca: crt: ${etcdCert} key: ${etcdCertKey} + extraArgs: + listen-metrics-urls: http://0.0.0.0:2381 extraManifests: - https://raw.githubusercontent.com/alex1989hu/kubelet-serving-cert-approver/v0.5.1/deploy/ha-install.yaml proxy: @@ -124,6 +128,7 @@ controlPlane: feature-gates: MixedProtocolLBService=true,EphemeralContainers=True scheduler: extraArgs: + bind-address: 0.0.0.0 feature-gates: MixedProtocolLBService=true,EphemeralContainers=True secret: ${clusterSecret} serviceAccount: @@ -157,9 +162,9 @@ controlPlane: ip: ${clusterEndpointIP} registries: mirrors: - docker.io: - endpoints: - - http://nas01.dfw.56k.sh:5000 + docker.io: + endpoints: + - http://nas01.dfw.56k.sh:5000 time: disabled: false servers: @@ -209,9 +214,9 @@ worker: fs.inotify.max_user_watches: "1048576" registries: mirrors: - docker.io: - endpoints: - - http://nas01.dfw.56k.sh:5000 + docker.io: + endpoints: + - http://nas01.dfw.56k.sh:5000 time: disabled: false servers: diff --git a/server/terraform/.secrets.yaml b/terraform/.secrets.sops.yaml similarity index 100% rename from server/terraform/.secrets.yaml rename to terraform/.secrets.sops.yaml diff --git a/server/terraform/README.md b/terraform/README.md similarity index 100% rename from server/terraform/README.md rename to terraform/README.md diff --git a/server/terraform/main.tf b/terraform/main.tf similarity index 100% rename from server/terraform/main.tf rename to terraform/main.tf diff --git a/server/terraform/masters.tf b/terraform/masters.tf similarity index 100% rename from server/terraform/masters.tf rename to terraform/masters.tf diff --git a/terraform/outputs.tf b/terraform/outputs.tf new file mode 100644 index 00000000..e69de29b diff --git a/server/terraform/secrets.tf b/terraform/secrets.tf similarity index 96% rename from server/terraform/secrets.tf rename to terraform/secrets.tf index f5231f99..0121e765 100644 --- a/server/terraform/secrets.tf +++ b/terraform/secrets.tf 
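Review bot: `listen-metrics-urls: http://0.0.0.0:2381` opens an etcd listener on every node interface over plain HTTP; etcd's metrics listener serves `/metrics` and `/health` without client authentication, so anyone who can reach a control-plane node on 2381 can read etcd version, member and key-space statistics. Bind it to the node's own address instead of `0.0.0.0`, or restrict 2381 to the Prometheus scrape source at the network level, and record the intent beside the line, e.g. `# metrics-only listener for kube-prometheus-stack; unauthenticated, keep firewalled`. The enclosing `etcd:` mapping (inferred from the `${etcdCert}` context) starts before the hunk.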
@@ -1,3 +1,3 @@ data "sops_file" "secrets" { source_file = ".secrets.yaml" -} \ No newline at end of file +} diff --git a/server/terraform/variables.tf b/terraform/variables.tf similarity index 100% rename from server/terraform/variables.tf rename to terraform/variables.tf diff --git a/server/terraform/workers.tf b/terraform/workers.tf similarity index 100% rename from server/terraform/workers.tf rename to terraform/workers.tf
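Review bot: `source_file = ".secrets.yaml"` is left pointing at a file this commit renames: the entry just before this hunk moves `server/terraform/.secrets.yaml` to `terraform/.secrets.sops.yaml`, so the `sops_file` data source would no longer find its input on the next plan. Change the context line to `source_file = ".secrets.sops.yaml"` so the reference follows the rename.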