feat(sandstorm): app-template v3 refresher

cronjob update files, ES, steamcmd.sh ulimit perms workaround, better organize config files, userns, etc
JJGadgets
2025-01-19 03:03:04 +08:00
parent db20aa9635
commit aeb24cb253
18 changed files with 246 additions and 299 deletions


@@ -78,7 +78,7 @@ resources:
- ../../../deploy/apps/gokapi/
- ../../../deploy/apps/minecraft/
- ../../../deploy/apps/minecraft2/
- ../../../deploy/apps/sandstorm/
- ../../../deploy/apps/insurgency-sandstorm/
- ../../../deploy/apps/jellyfin/
- ../../../deploy/apps/media/_deps/
- ../../../deploy/apps/media/kavita/


@@ -11,4 +11,4 @@
1161703; No Smoke
164061; COOP-Mayhem
156146; Round Progress
125754 Allahu Akbar
125754they go loud bang
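Review bot: The `125754` entry in the last changed line has no `; ` between the mod ID and its label, unlike the three entries above it (for example `1161703; No Smoke`). If the server takes the text before `;` as the ID, `125754they go loud bang` would not resolve to mod 125754 and the mod would silently not load. The rendered page has lost the `+`/`-` markers, so which of the two `125754` lines is the new one is inferred from order. Writing it as `125754; they go loud bang` keeps the list uniform.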


@@ -0,0 +1,12 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
configMapGenerator:
- name: insurgency-sandstorm-config
files:
- ./Game.ini
- ./Engine.ini
- ./MapCycle.txt
- ./Mods.txt
generatorOptions:
disableNameSuffixHash: true
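Review bot: `generatorOptions` keeps `disableNameSuffixHash: true` but no longer carries the `kustomize.toolkit.fluxcd.io/substitute: disabled` annotation that the removed generator appears to have set. Unless it is applied elsewhere, Flux post-build substitution would now run over the contents of `Game.ini`, `Engine.ini`, `MapCycle.txt` and `Mods.txt`, and any `${…}` sequence in those files would be rewritten or blanked. If the files are meant to ship verbatim, add back `annotations:` with `kustomize.toolkit.fluxcd.io/substitute: disabled` under `generatorOptions`.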


@@ -0,0 +1,32 @@
---
# yaml-language-server: $schema=https://crds.jank.ing/external-secrets.io/externalsecret_v1beta1.json
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: &name insurgency-sandstorm-secrets
namespace: insurgency-sandstorm
spec:
refreshInterval: 1m
secretStoreRef:
kind: ClusterSecretStore
name: 1p
dataFrom:
- extract:
key: "Insurgency Sandstorm - ${CLUSTER_NAME}"
target:
creationPolicy: Owner
deletionPolicy: Retain
name: *name
template:
type: Opaque
data:
SECRET_SANDSTORM_PASSWORD: '{{ .SECRET_SANDSTORM_PASSWORD }}'
Admins.txt: |
{{ .Admins.txt }}
GameUserSettings.ini: |
[/Script/ModKit.ModIOClient]
bHasUserAcceptedTerms=True
AccessToken={{ .SECRET_SANDSTORM_MODIO_TOKEN }}
AccessExpiryTime=-1
bCachedUserDetails=True
CachedUser=(Id=,NameId="",Username="",DateOnline=0,Avatar=(Thumb_50x50="",Thumb_100x100="",Filename="",Original=""),Timezone="",Language="",ProfileUrl="")
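Review bot: `{{ .Admins.txt }}` in the `Admins.txt` template entry does not read a key named `Admins.txt`. Go templates parse it as field `txt` of `.Admins`, so rendering is expected to fail or come out empty, and the admin list mounted into the server would be missing. If the 1Password field really is named `Admins.txt`, use `{{ index . "Admins.txt" }}`; otherwise rename the field to something without a dot and reference that.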


@@ -0,0 +1,159 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/app-template-3.6.1/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
name: &app insurgency-sandstorm
namespace: *app
spec:
interval: 5m
chart:
spec:
chart: app-template
version: 3.6.1
sourceRef:
name: bjw-s
kind: HelmRepository
namespace: flux-system
values:
controllers:
insurgency-sandstorm:
type: deployment
replicas: 1
pod:
labels:
ingress.home.arpa/world: allow
containers:
main:
image: &img
repository: ghcr.io/andrewmhub/insurgency-sandstorm
tag: lite@sha256:4f9bcc482e742fb61576fe7c806d3ce65d1baf54bfb1eea898bd6e287675ed27
command: ["/home/steam/steamcmd/sandstorm/Insurgency/Binaries/Linux/InsurgencyServer-Linux-Shipping"]
args: ['-hostname="${CONFIG_SANDSTORM_NAME}"', "-Log", "-Port=$(PORT)", "-QueryPort=$(QUERYPORT)", "-MapCycle=MapCycle", "-NoEAC", "-EnableCheats", "-Mods", '-CmdModList="${CONFIG_SANDSTORM_MODS}"', "-mutators=${CONFIG_SANDSTORM_MUTATORS}", "-ModDownloadTravelTo=${CONFIG_SANDSTORM_INIT_MAP}?Scenario=Scenario_${CONFIG_SANDSTORM_INIT_MAP}_${CONFIG_SANDSTORM_INIT_SCENARIO}?Password=$(PASSWORD)"]
env: &env
TZ: "${CONFIG_TZ}"
PORT: &port 27102
QUERYPORT: &query 27131
PASSWORD:
valueFrom:
secretKeyRef:
name: insurgency-sandstorm-secrets
key: SECRET_SANDSTORM_PASSWORD
securityContext: &sc
readOnlyRootFilesystem: true
allowPrivilegeEscalation: false
capabilities:
drop: ["ALL"]
resources:
requests:
cpu: "10m"
limits:
cpu: "2"
memory: "2Gi"
# probes: # TODO
# liveness:
# enabled: true
# readiness:
# enabled: true
download:
type: cronjob
cronjob:
schedule: "@daily"
concurrencyPolicy: "Replace"
pod:
labels:
egress.home.arpa/internet: allow
containers:
main:
image: *img
# command: ["/home/steam/steamcmd/steamcmd.sh"] # script contains a ulimit command that won't run on Talos 1.9+
command: ["/bin/sh", "-c", "LD_LIBRARY_PATH=/home/steam/steamcmd/linux32:$(LD_LIBRARY_PATH) /home/steam/steamcmd/linux32/steamcmd"]
args: ["+force_install_dir", "/home/steam/steamcmd/sandstorm/", "+login", "anonymous", "+app_update", "581330", "validate", "+quit"]
securityContext: *sc
resources:
requests:
cpu: "10m"
limits:
cpu: "1"
memory: "1Gi"
service:
insurgency-sandstorm:
controller: insurgency-sandstorm
type: LoadBalancer
annotations:
coredns.io/hostname: "${APP_DNS_INSURGENCY_SANDSTORM:=insurgency-sandstorm}"
"io.cilium/lb-ipam-ips": "${APP_IP_INSURGENCY_SANDSTORM:=127.0.0.1}"
ports:
game:
port: *port
protocol: UDP
query:
port: *query
protocol: UDP
persistence:
misc:
existingClaim: insurgency-sandstorm-misc
globalMounts:
- subPath: data
path: /home/steam/steamcmd/sandstorm
config:
type: configMap
name: insurgency-sandstorm-config
globalMounts:
- subPath: Game.ini
path: /home/steam/steamcmd/sandstorm/Insurgency/Saved/Config/LinuxServer/Game.ini
- subPath: Engine.ini
path: /home/steam/steamcmd/sandstorm/Insurgency/Saved/Config/LinuxServer/Engine.ini
- subPath: MapCycle.txt
path: /home/steam/steamcmd/sandstorm/Insurgency/Config/Server/MapCycle.txt
- subPath: Mods.txt
path: /home/steam/steamcmd/sandstorm/Insurgency/Config/Server/Mods.txt
secrets:
type: secret
name: insurgency-sandstorm-secrets
globalMounts:
- subPath: GameUserSettings.ini
path: /home/steam/steamcmd/sandstorm/Insurgency/Saved/Config/LinuxServer/GameUserSettings.ini
- subPath: Admins.txt
path: /home/steam/steamcmd/sandstorm/Insurgency/Config/Server/Admins.txt
defaultPodOptions:
automountServiceAccountToken: false
enableServiceLinks: false
dnsConfig:
options:
- name: ndots
value: "1"
hostUsers: false
securityContext:
runAsNonRoot: true
runAsUser: &uid 1000
runAsGroup: *uid
fsGroup: *uid
fsGroupChangePolicy: Always
seccompProfile: { type: "RuntimeDefault" }
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: fuckoff.home.arpa/insurgency-sandstorm
operator: DoesNotExist
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 20
preference:
matchExpressions:
- key: "kubernetes.io/hostname"
operator: In
values: ["thunderscreech"] # R730xd VM, because it can't run VMs so let others run VMs
- weight: 15
preference:
matchExpressions:
- key: "kubernetes.io/hostname"
operator: In
values: ["ange", "charlotte"] # i5-8500T
- weight: 10
preference:
matchExpressions:
- key: "kubernetes.io/hostname"
operator: In
values: ["chise"] # i3-8100
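Review bot: In the `download` cronjob the `args` list never reaches steamcmd: with `command: ["/bin/sh", "-c", "<string>"]` the elements after the string become `$0`, `$1`, … of the shell, and the string does not reference `"$@"`, so steamcmd would start without `+login` / `+app_update … +quit` and the daily update would not run. Ending the string with `exec /home/steam/steamcmd/linux32/steamcmd "$@"` and adding a placeholder element such as `"steamcmd"` after it passes the arguments through. On the same line, `$(LD_LIBRARY_PATH)` is expanded by Kubernetes only if that variable is declared in the container's `env` (none is visible for this container); left untouched, the shell runs it as a command substitution, so plain `$LD_LIBRARY_PATH` is what is meant. Separately, the pod label `ingress.home.arpa/world: allow` seems to take the place of the deleted CiliumNetworkPolicy that limited ports 27102 and 27131 to LAN and WireGuard CIDRs; please confirm that exposing a server started with `-EnableCheats` to any source is intended.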


@@ -0,0 +1,16 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: "insurgency-sandstorm-misc"
namespace: &app "insurgency-sandstorm"
annotations:
description: "PVC for game server files that can be redownloaded."
labels:
app.kubernetes.io/name: *app
spec:
storageClassName: "file-ec-2-1"
accessModes: ["ReadWriteMany"]
resources:
requests:
storage: "20Gi"


@@ -0,0 +1,14 @@
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: insurgency-sandstorm-app
namespace: flux-system
labels: &l
app.kubernetes.io/name: "insurgency-sandstorm"
spec:
commonMetadata:
labels: *l
path: ./kube/deploy/apps/insurgency-sandstorm/app
targetNamespace: "insurgency-sandstorm"
dependsOn: []
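Review bot: `dependsOn: []` drops the ordering on `1-core-storage-rook-ceph-cluster` that the removed `sandstorm-app` Kustomization had, while this app still creates a PVC (storage class `file-ec-2-1`) and now also an ExternalSecret against the `1p` ClusterSecretStore. If the storage class and the secret store are delivered by other Flux Kustomizations, listing them in `dependsOn` avoids a first reconcile that leaves the PVC pending or fails to apply the ExternalSecret.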


@@ -3,4 +3,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ns.yaml
- ks.yaml
- ks.yaml


@@ -0,0 +1,10 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: insurgency-sandstorm
labels:
kustomize.toolkit.fluxcd.io/prune: disabled
pod-security.kubernetes.io/enforce: &ps restricted
pod-security.kubernetes.io/audit: *ps
pod-security.kubernetes.io/warn: *ps


@@ -1,79 +0,0 @@
apiVersion: v1
kind: Secret
metadata:
name: insurgency-sandstorm-adminstxt
namespace: sandstorm
data:
Admins.txt: ENC[AES256_GCM,data:uWHsWK9CDIBbsVq/2Vted3G7qTSoC58sLen20U6qkqWXeFCoQl51RrW+HgRRCpAdK/Eg3Q5R9sXEDBL8lCiEPWWN0TO9HJq8gCWmM+jYayPcrp4l9RZ70He4EufFj+Qo,iv:LhxGRsGGjVEbL11pogKc+UNOlKTRdp4qXshEF5KqVzk=,tag:AG1dTrjir5BtKU6PZTbsuA==,type:str]
stringData:
Admins.txt: ENC[AES256_GCM,data:ele7KkoR6TasStJSKoxP6rQpO8EwA3WWj7lFQQkQtMqqQfaNRXiWms2VQ9ph+NR3nIPM9PemGVB3+fsbinmStgEiY5mzuiRB,iv:whqHTv+sGOx1SkI24SlXVCkcUOnrxHJjR3wJ0MPSTuo=,tag:UHZY7hIr7Gv5Pb3dEhxVmQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvQW9QWWh2eDNKQWxtUG9D
SFowaGx3OTBJdXZvalJSdEMxWlFxak5EQTNjClpPRjdUTW4rM05SV2pPM3VidGlG
cHdnM1BRcUNSSVZRWFh1L2xzVy9jZEkKLS0tIFdLbUJISmh0QmlWL0wzdmFDM3Fr
ZEptbEJ4TmltMHA5OXlNQzkveExtU28KhPZlMTutOgR3fT6ezRJWAsAAFy/imy0T
9qhDB1ACi6LuGfsYN3wLfyqovK019D1Ar8bNts9Mp/MtBB7J/vZRJg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-02-27T19:11:54Z"
mac: ENC[AES256_GCM,data:gttuFsDvrKb8ZbD5OpfRudNTr3MBfCGUdyeO3LJ3zyT2KVORpjr2XHttl9nVAjiYDfyVVHMg8ykDJyZRDyup2OTY2fK1F/Ts2Tvz7o3QO7jMTKIt6dKc7Xa/awJ2L3T6ohgmtd3U57Cqi8n+rmwgT9+A5isoecGBvswFgIl+LJo=,iv:JUyhtZZFfNTUtHUa17oWqsNf7iyD+cdaaYejv4DAJrY=,tag:OvEQ/7TLeY/MEIAQ6sW3lA==,type:str]
pgp:
- created_at: "2023-02-24T08:22:12Z"
enc: |
-----BEGIN PGP MESSAGE-----
hF4DAAAAAAAAAAASAQdABXbRHudKz8q+QOkRPJ2eeU/0veOU9KrQa/2wyRnSaSsw
72MFRADdhDYCOcV7g83fvzTBhJYSoSIJTmlfMO3F61ADl5oUnzv0tvAGQ//oyZuG
0l4BgolRPcbIyAMt1LsO43qtsl0gmcq+YFeAqJ9/SrB6NuCpmtaN/mCossM/uMwK
kfxGlin/uhM4nhwMgIo/El0i+yug9yPtpSpmUOwcwfcNQMSQLxmpKzuNl3G3E0Pu
=D/9e
-----END PGP MESSAGE-----
fp: 31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2
encrypted_regex: ^(NETBIRD_AUTH_AUDIENCE|NETBIRD_AUTH_CLIENT_ID|NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID|NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT|NETBIRD_DOMAIN|NETBIRD_MGMT_DNS_DOMAIN|WHOOGLE_CONFIG_URL|ZT_ALLOW_MANAGEMENT_FROM|ZU_CONTROLLER_ENDPOINT|ZU_DEFAULT_PASSWORD|ZU_DEFAULT_USERNAME|addresses|clusterDomain|commonName|config.yaml|data|dnsNames|dnsZones|domain|email|externalIPs|host|hosts|ip|ipv4NativeRoutingCIDR|k8sServiceHost|loadBalancerIP|my-asn|nameservers|peer-address|peer-asn|secretName|stringData|whitelist-source-range)$
version: 3.7.3
---
apiVersion: v1
kind: Secret
metadata:
name: insurgency-sandstorm-gameusersettingsini
namespace: sandstorm
stringData:
GameUserSettings.ini: ENC[AES256_GCM,data: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,iv:N9w6t3NxmW/MAg6CiZhu8nYeRx8hCkhOZ+4krZB/Smk=,tag:c0Ofab+auhVrhyQnRbPOxg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1u57l4s400gqstc0p485j4646cemntufr0pcyp32yudklsp90xpmszxvnkj
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAvQW9QWWh2eDNKQWxtUG9D
SFowaGx3OTBJdXZvalJSdEMxWlFxak5EQTNjClpPRjdUTW4rM05SV2pPM3VidGlG
cHdnM1BRcUNSSVZRWFh1L2xzVy9jZEkKLS0tIFdLbUJISmh0QmlWL0wzdmFDM3Fr
ZEptbEJ4TmltMHA5OXlNQzkveExtU28KhPZlMTutOgR3fT6ezRJWAsAAFy/imy0T
9qhDB1ACi6LuGfsYN3wLfyqovK019D1Ar8bNts9Mp/MtBB7J/vZRJg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-02-27T19:11:54Z"
mac: ENC[AES256_GCM,data:gttuFsDvrKb8ZbD5OpfRudNTr3MBfCGUdyeO3LJ3zyT2KVORpjr2XHttl9nVAjiYDfyVVHMg8ykDJyZRDyup2OTY2fK1F/Ts2Tvz7o3QO7jMTKIt6dKc7Xa/awJ2L3T6ohgmtd3U57Cqi8n+rmwgT9+A5isoecGBvswFgIl+LJo=,iv:JUyhtZZFfNTUtHUa17oWqsNf7iyD+cdaaYejv4DAJrY=,tag:OvEQ/7TLeY/MEIAQ6sW3lA==,type:str]
pgp:
- created_at: "2023-02-24T08:22:12Z"
enc: |
-----BEGIN PGP MESSAGE-----
hF4DAAAAAAAAAAASAQdABXbRHudKz8q+QOkRPJ2eeU/0veOU9KrQa/2wyRnSaSsw
72MFRADdhDYCOcV7g83fvzTBhJYSoSIJTmlfMO3F61ADl5oUnzv0tvAGQ//oyZuG
0l4BgolRPcbIyAMt1LsO43qtsl0gmcq+YFeAqJ9/SrB6NuCpmtaN/mCossM/uMwK
kfxGlin/uhM4nhwMgIo/El0i+yug9yPtpSpmUOwcwfcNQMSQLxmpKzuNl3G3E0Pu
=D/9e
-----END PGP MESSAGE-----
fp: 31E70E5BC80C58AFF5DD649921AC5A1AC6E5B7F2
encrypted_regex: ^(NETBIRD_AUTH_AUDIENCE|NETBIRD_AUTH_CLIENT_ID|NETBIRD_AUTH_DEVICE_AUTH_CLIENT_ID|NETBIRD_AUTH_OIDC_CONFIGURATION_ENDPOINT|NETBIRD_DOMAIN|NETBIRD_MGMT_DNS_DOMAIN|WHOOGLE_CONFIG_URL|ZT_ALLOW_MANAGEMENT_FROM|ZU_CONTROLLER_ENDPOINT|ZU_DEFAULT_PASSWORD|ZU_DEFAULT_USERNAME|addresses|clusterDomain|commonName|config.yaml|data|dnsNames|dnsZones|domain|email|externalIPs|host|hosts|ip|ipv4NativeRoutingCIDR|k8sServiceHost|loadBalancerIP|my-asn|nameservers|peer-address|peer-asn|secretName|stringData|whitelist-source-range)$
version: 3.7.3


@@ -1,144 +0,0 @@
---
apiVersion: helm.toolkit.fluxcd.io/v2beta2
kind: HelmRelease
metadata:
name: insurgency-sandstorm
namespace: sandstorm
spec:
chart:
spec:
chart: app-template
version: 1.5.1
sourceRef:
name: bjw-s
kind: HelmRepository
namespace: flux-system
values:
podLabels:
egress.home.arpa/internet: allow
controller:
strategy: Recreate
type: deployment
replicas: 1
fullNameOverride: insurgency-sandstorm
image:
repository: "docker.io/andrewmhub/insurgency-sandstorm"
tag: lite # I wish this wasn't how it's tagged, but alas
args: ["-hostname=\"${CONFIG_SANDSTORM_NAME}\"", "-Log", "-Port=${CONFIG_SANDSTORM_PORT}", "-QueryPort=${CONFIG_SANDSTORM_QUERYPORT}", "-MapCycle=MapCycle", "-NoEAC", "-EnableCheats", "-Mods", "-CmdModList=\"${CONFIG_SANDSTORM_MODS}\"", "-mutators=${CONFIG_SANDSTORM_MUTATORS}", "-ModDownloadTravelTo=${CONFIG_SANDSTORM_INIT_MAP}?Scenario=Scenario_${CONFIG_SANDSTORM_INIT_MAP}_${CONFIG_SANDSTORM_INIT_SCENARIO}"]
env:
HOSTNAME: "${CONFIG_SANDSTORM_NAME}"
PORT: &port "27102"
QUERYPORT: &query "27131"
LAUNCH_SERVER_ENV: "-hostname=\"${CONFIG_SANDSTORM_NAME}\" -Log -Port=${CONFIG_SANDSTORM_PORT} -QueryPort=${CONFIG_SANDSTORM_QUERYPORT} -MapCycle=MapCycle -NoEAC -EnableCheats -Mods -mutators=${CONFIG_SANDSTORM_MUTATORS} -ModDownloadTravelTo=${CONFIG_SANDSTORM_INIT_MAP}?Scenario=Scenario_${CONFIG_SANDSTORM_INIT_MAP}_${CONFIG_SANDSTORM_INIT_SCENARIO}"
probes:
liveness:
enabled: false
readiness:
enabled: false
startup:
enabled: false
service:
main:
enabled: true
# type: ClusterIP
type: LoadBalancer
externalTrafficPolicy: Cluster
annotations:
"io.cilium/lb-ipam-ips": "${APP_IP_SANDSTORM}"
ports:
http:
enabled: false
primary: false
gameudp:
enabled: true
port: *port
protocol: UDP
queryudp:
enabled: true
port: *query
protocol: UDP
podSecurityContext:
runAsUser: &uid 1000
runAsGroup: *uid
fsGroup: *uid
fsGroupChangePolicy: "Always"
persistence:
game:
enabled: true
type: pvc
mountPath: /home/steam/steamcmd/sandstorm
accessMode: ReadWriteOnce
storageClass: block
size: 100Gi
retain: true
readOnly: false
gameini:
enabled: true
type: configMap
name: insurgency-sandstorm-gameini
subPath: Game.ini
mountPath: /home/steam/steamcmd/sandstorm/Insurgency/Saved/Config/LinuxServer/Game.ini
defaultMode: 0777
readOnly: true
engineini:
enabled: true
type: configMap
name: insurgency-sandstorm-engineini
subPath: Engine.ini
mountPath: /home/steam/steamcmd/sandstorm/Insurgency/Saved/Config/LinuxServer/Engine.ini
defaultMode: 0777
readOnly: true
gameusersettingsini:
enabled: true
type: secret
name: insurgency-sandstorm-gameusersettingsini
subPath: GameUserSettings.ini
mountPath: /home/steam/steamcmd/sandstorm/Insurgency/Saved/Config/LinuxServer/GameUserSettings.ini
defaultMode: 0777
readOnly: true
adminstxt:
enabled: true
type: secret
name: insurgency-sandstorm-adminstxt
subPath: Admins.txt
mountPath: /home/steam/steamcmd/sandstorm/Insurgency/Config/Server/Admins.txt
defaultMode: 0777
readOnly: true
mapcycletxt:
enabled: true
type: configMap
name: insurgency-sandstorm-mapcycletxt
subPath: MapCycle.txt
mountPath: /home/steam/steamcmd/sandstorm/Insurgency/Config/Server/MapCycle.txt
defaultMode: 0777
readOnly: true
modstxt:
enabled: true
type: configMap
name: insurgency-sandstorm-modstxt
subPath: Mods.txt
mountPath: /home/steam/steamcmd/sandstorm/Insurgency/Config/Server/Mods.txt
defaultMode: 0777
readOnly: true
resources:
requests:
cpu: "1000m"
memory: "2048Mi"
limits:
cpu: "3000m" # 3 cores
memory: "6000Mi"
affinity:
nodeAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 15
preference:
matchExpressions:
- key: "kubernetes.io/hostname"
operator: In
values: ["ange", "charlotte"] # i5-8500T
- weight: 10
preference:
matchExpressions:
- key: "kubernetes.io/hostname"
operator: In
values: ["chise"] # i3-8100


@@ -1,32 +0,0 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- config/secrets.yaml
- hr.yaml
- netpol.yaml
configMapGenerator:
- name: insurgency-sandstorm-gameini
namespace: sandstorm
files:
- ./config/Game.ini
- name: insurgency-sandstorm-engineini
namespace: sandstorm
files:
- ./config/Engine.ini
- name: insurgency-sandstorm-mapcycletxt
namespace: sandstorm
files:
- ./config/MapCycle.txt
- name: insurgency-sandstorm-modstxt
namespace: sandstorm
files:
- ./config/Mods.txt
generatorOptions:
disableNameSuffixHash: true
annotations:
kustomize.toolkit.fluxcd.io/substitute: disabled
labels:
- pairs:
app.kubernetes.io/name: insurgency-sandstorm
app.kubernetes.io/instance: insurgency-sandstorm


@@ -1,19 +0,0 @@
---
# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cilium.io/ciliumnetworkpolicy_v2.json
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
metadata:
name: &app sandstorm
namespace: *app
spec:
endpointSelector: {}
ingress:
# players
- fromCIDRSet:
- cidr: "${IP_ROUTER_LAN_CIDR}"
- cidr: "${IP_WG_USER_1_V4}"
- cidr: "${IP_WG_GUEST_V4}"
toPorts:
- ports:
- port: "27102"
- port: "27131"


@@ -1,10 +0,0 @@
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
name: sandstorm-app
namespace: flux-system
spec:
path: ./kube/deploy/apps/sandstorm/app
dependsOn:
- name: 1-core-storage-rook-ceph-cluster


@@ -1,12 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: sandstorm
labels:
pod-security.kubernetes.io/enforce: privileged
pod-security.kubernetes.io/enforce-version: v1.26
pod-security.kubernetes.io/audit: privileged
pod-security.kubernetes.io/audit-version: v1.26
pod-security.kubernetes.io/warn: privileged
pod-security.kubernetes.io/warn-version: v1.26