feat: use cnpg

cluster/apps/media/szurubooru/database.yaml

@@ -3,7 +3,7 @@ apiVersion: db.movetokube.com/v1alpha1
 kind: Postgres
 metadata:
   name: szurubooru-db
-  namespace: selfhosted
+  namespace: media
 spec:
   database: szurubooru
 ---
@@ -11,7 +11,7 @@ apiVersion: db.movetokube.com/v1alpha1
 kind: PostgresUser
 metadata:
   name: szurubooru-user
-  namespace: selfhosted
+  namespace: media
 spec:
   role: szurubooru
   database: szurubooru-db

cluster/apps/security/authentik/database.yaml

@@ -0,0 +1,19 @@
+---
+apiVersion: db.movetokube.com/v1alpha1
+kind: Postgres
+metadata:
+  name: authentik-db
+  namespace: security
+spec:
+  database: authentik
+---
+apiVersion: db.movetokube.com/v1alpha1
+kind: PostgresUser
+metadata:
+  name: authentik-user
+  namespace: security
+spec:
+  role: authentik
+  database: authentik-db
+  secretName: database
+  privileges: OWNER

cluster/apps/security/authentik/helm-release.yaml

@@ -21,15 +21,42 @@ spec:
     image:
       repository: ghcr.io/goauthentik/server
       tag: 2022.6.3
+    initContainers:
+      wait-for-db:
+        image: ghcr.io/patrickdappollonio/wait-for:v1.0.0
+        imagePullPolicy: IfNotPresent
+        env:
+          - name: POSTGRES_HOST
+            valueFrom:
+              secretKeyRef:
+                name: database-authentik-user
+                key: HOST
+        command:
+          - /wait-for
+        args:
+          - --host="$(POSTGRES_HOST):5432"
+          - --verbose
+    envValueFrom:
+      AUTHENTIK_POSTGRESQL__HOST:
+        secretKeyRef:
+          name: database-authentik-user
+          key: HOST
+      AUTHENTIK_POSTGRESQL__NAME:
+        secretKeyRef:
+          name: database-authentik-user
+          key: DATABASE_NAME
+      AUTHENTIK_POSTGRESQL__USER:
+        secretKeyRef:
+          name: database-authentik-user
+          key: LOGIN
+      AUTHENTIK_POSTGRESQL__PASSWORD:
+        secretKeyRef:
+          name: database-authentik-user
+          key: PASSWORD
     authentik:
       outposts:
         docker_image_base: ghcr.io/goauthentik/%(type)s:%(version)s
       secret_key: "${SECRET_AUTHENTIK_SECRET_KEY}"
-      postgresql:
-        host: "authentik-postgresql"
-        name: "authentik"
-        user: "authentik"
-        password: "${SECRET_AUTHENTIK_POSTGRES_PASSWORD}"
       redis:
         host: "authentik-redis-master"
       email:
@@ -53,9 +80,6 @@ spec:
       tls:
         - hosts:
             - "id.${SECRET_DOMAIN}"
-    postgresql:
-      enabled: true
-      postgresqlPassword: "${SECRET_AUTHENTIK_POSTGRES_PASSWORD}"
     redis:
       enabled: true
     prometheus:

cluster/apps/security/authentik/kustomization.yaml

@@ -2,4 +2,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
+  - database.yaml
   - helm-release.yaml

cluster/apps/security/vaultwarden/config-pvc.yaml

@@ -0,0 +1,17 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: vaultwarden-config-v1
+  namespace: security
+  labels:
+    app.kubernetes.io/name: &name vaultwarden
+    app.kubernetes.io/instance: *name
+    pmb.home.arpa/backup: "true"
+spec:
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 10Gi
+  storageClassName: ceph-block

cluster/apps/security/vaultwarden/database.yaml

@@ -0,0 +1,19 @@
+---
+apiVersion: db.movetokube.com/v1alpha1
+kind: Postgres
+metadata:
+  name: vaultwarden-db
+  namespace: security
+spec:
+  database: vaultwarden
+---
+apiVersion: db.movetokube.com/v1alpha1
+kind: PostgresUser
+metadata:
+  name: vaultwarden-user
+  namespace: security
+spec:
+  role: vaultwarden
+  database: vaultwarden-db
+  secretName: database
+  privileges: OWNER

cluster/apps/security/vaultwarden/helm-release.yaml

@@ -6,23 +6,47 @@ metadata:
   namespace: security
 spec:
   releaseName: vaultwarden
-  interval: 5m
+  interval: 15m
   chart:
     spec:
-      # renovate: registryUrl=https://k8s-at-home.com/charts/
-      chart: vaultwarden
-      version: 3.3.1
+      chart: kah-common-chart
+      version: 1.1.2
       sourceRef:
         kind: HelmRepository
         name: k8s-at-home-charts
         namespace: flux-system
-      interval: 5m
+      interval: 15m
+  install:
+    createNamespace: true
+    remediation:
+      retries: 5
+  upgrade:
+    remediation:
+      retries: 5
   values:
-    nameOverride: vaultwarden
-    fullnameOverride: vaultwarden
+    global:
+      nameOverride: *app
+    controller:
+      labels:
+        pmb.home.arpa/backup-claim: &claimName "vaultwarden-config-v1"
     image:
-      repository: vaultwarden/server
-      tag: 1.23.0-alpine
+      repository: ghcr.io/k8s-at-home/vaultwarden
+      tag: 1.25.1@sha256:ea7901a9629897801b38b6afbce1869d357ebb9e080ec6ffff5839d85d8a79e4
+    initContainers:
+      wait-for-db:
+        image: ghcr.io/patrickdappollonio/wait-for:v1.0.0
+        imagePullPolicy: IfNotPresent
+        env:
+          - name: POSTGRES_HOST
+            valueFrom:
+              secretKeyRef:
+                name: database-vaultwarden-user
+                key: HOST
+        command:
+          - /wait-for
+        args:
+          - --host="$(POSTGRES_HOST):5432"
+          - --verbose
     env:
       DATA_FOLDER: "config"
       SIGNUPS_ALLOWED: false
@@ -38,12 +62,17 @@ spec:
       SMTP_PORT: 587
       SMTP_USERNAME: "apikey"
       SMTP_PASSWORD: "${SECRET_SENDGRID_API_KEY}"
-      DATABASE_URL: "postgresql://vaultwarden:${SECRET_VAULTWARDEN_DB_PASSWORD}@vaultwarden-postgresql/vaultwarden"
+      DATABASE_URL:
+        valueFrom:
+          secretKeyRef:
+            name: database-vaultwarden-user
+            key: POSTGRES_URL
     ingress:
       main:
         enabled: true
         ingressClassName: "nginx"
         annotations:
+          hajimari.io/icon: "form-textbox-password"
           external-dns/is-public: "true"
           external-dns.alpha.kubernetes.io/target: "ipv4.${SECRET_DOMAIN}"
         hosts:
@@ -59,20 +88,3 @@ spec:
         tls:
           - hosts:
               - "warden.${SECRET_DOMAIN}"
-    persistence:
-      config:
-        enabled: true
-        storageClass: ceph-block
-        accessMode: ReadWriteOnce
-        size: 10Gi
-    postgresql:
-      enabled: true
-      postgresqlUsername: "vaultwarden"
-      postgresqlPassword: "${SECRET_VAULTWARDEN_DB_PASSWORD}"
-      postgresqlDatabase: "vaultwarden"
-      persistence:
-        enabled: true
-        storageClass: ceph-block
-        accessModes:
-          - ReadWriteOnce
-        size: 10Gi

cluster/apps/security/vaultwarden/kustomization.yaml

@@ -2,4 +2,6 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - helm-release.yaml
+  - config-pvc.yaml
+  - database.yaml
+  # - helm-release.yaml

talos/talconfig.yaml

@@ -68,6 +68,7 @@ controlPlane:
         crt: ${k8sAggregatorCert}
         key: ${k8sAggregatorCertKey}
       apiServer:
+        admissionControl: []
         certSANs:
           - ${clusterEndpointIP}
           - cluster01.${domainName}