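---
# Flux HelmRelease that runs code-server (browser IDE) from the bjw-s
# app-template chart.
# NOTE(review): the nesting below was restored to the app-template 2.x values
# layout; compare it against the repository copy before applying.
# ${CONFIG_TZ} and ${DNS_TS} are not defined in this file; presumably they are
# filled in by Flux post-build substitution. Confirm.
apiVersion: helm.toolkit.fluxcd.io/v2beta1
kind: HelmRelease
metadata:
  name: &app code-server
  namespace: *app
spec:
  interval: 5m
  chart:
    spec:
      chart: app-template
      version: "2.5.0"
      sourceRef:
        name: bjw-s
        kind: HelmRepository
        namespace: flux-system
  values:
    controllers:
      main:
        type: deployment
        replicas: 1
        pod:
          # NOTE(review): these labels are presumably matched by network
          # policies defined elsewhere. With --auth none below, they and the
          # Tailscale ingress are the only access control in front of the IDE,
          # so confirm what each "allow" opens (nginx-internal is a second
          # inbound path; world/apiserver are outbound).
          labels:
            tailscale.com/expose: "true"
            ingress.home.arpa/nginx-internal: "allow"
            egress.home.arpa/apiserver: "allow"
            egress.home.arpa/world: "allow"
        containers:
          main:
            image:
              repository: "ghcr.io/coder/code-server"
              # A tag is mutable. To pin the exact image, append its digest:
              # "4.20.1@sha256:<digest-placeholder>".
              tag: "4.20.1"
            command: ["dumb-init", "/usr/bin/code-server"]
            args:
              # Built-in login is disabled: whoever reaches port 8080 gets an
              # editor and terminal as uid 1000, with the SSH key, the age key
              # and the service-account token configured below.
              - "--auth"
              - "none"
              - "--disable-telemetry"
              - "--user-data-dir"
              - "/home/coder/.vscode"
              - "--extensions-dir"
              - "/home/coder/.vscode"
              - "--bind-addr"
              - "0.0.0.0:8080"
              - "--port"
              - "8080"
              - "/home/coder"
            env:
              TZ: "${CONFIG_TZ}"
              SSH_AUTH_SOCK: ""
              # The age private key is exported into the container environment,
              # so every process started from the IDE (terminals, extensions)
              # can read it and decrypt whatever that key protects.
              SOPS_AGE_KEY:
                valueFrom:
                  secretKeyRef:
                    name: "code-server-secrets"
                    key: "age.agekey"
            # Anchor &sc is defined here; no alias to it appears in this file.
            securityContext: &sc
              # Root filesystem is read-only, so writes only land on the
              # volumes mounted under persistence.
              readOnlyRootFilesystem: true
              allowPrivilegeEscalation: false
              capabilities:
                drop: ["ALL"]
            resources:
              requests:
                cpu: "10m"
              limits:
                cpu: "1000m"  # I previously had a code-server that would eat cores
                memory: "1Gi"
    service:
      main:
        ports:
          http:
            port: 8080
    ingress:
      main:
        enabled: true
        primary: true
        # Published through the Tailscale ingress class. Who may connect is
        # decided by the tailnet ACLs for this tag, which are not in this file.
        className: "tailscale"
        annotations:
          tailscale.com/tags: "tag:jjgadgets-apps"
        hosts:
          - host: &host "vs.${DNS_TS}"
            paths:
              - path: /
                pathType: Prefix
                service:
                  name: main
                  port: http
        tls:
          - hosts: [*host]
    persistence:
      config:
        enabled: true
        existingClaim: "code-server-data"
        globalMounts:
          - subPath: "data"
            path: "/home/coder"
          - subPath: "ssh"
            path: "/home/coder/.ssh"  # override secret mount perms
      misc:  # not backed up
        enabled: true
        existingClaim: "code-server-misc"
        globalMounts:
          - subPath: "brew"
            path: "/home/linuxbrew"
          - subPath: "nix"
            path: "/nix"
      secrets:
        enabled: true
        type: secret
        name: "code-server-secrets"
        # 384 decimal == 0600 octal (rw-------). Written in decimal because a
        # bare 0600 is octal only under YAML 1.1 rules; a YAML 1.2 core-schema
        # parser reads it as decimal 600, which is a different mode.
        defaultMode: 384
        advancedMounts:
          main:
            main:
              # SSH key pair from the secret, mounted read-only into ~/.ssh.
              - subPath: "ssh-privkey"
                path: "/home/coder/.ssh/id_rsa"
                readOnly: true
              - subPath: "ssh-pubkey"
                path: "/home/coder/.ssh/id_rsa.pub"
                readOnly: true
      tmp:
        enabled: true
        type: emptyDir
        # Memory-backed emptyDir: data written to /tmp is charged against the
        # container memory limit (1Gi above).
        medium: Memory
        globalMounts:
          - subPath: "tmp"
            path: "/tmp"
            readOnly: false
    serviceAccount:
      name: "code-server"
      create: true
    defaultPodOptions:
      # The token of the "code-server" service account is mounted into the pod
      # and the pod is labelled for API-server egress. The RBAC bound to that
      # account is not shown here; keep it least-privilege, since the IDE
      # itself is unauthenticated.
      automountServiceAccountToken: true
      enableServiceLinks: true
      securityContext:
        runAsNonRoot: true
        runAsUser: &uid 1000
        runAsGroup: *uid
        fsGroup: *uid
        fsGroupChangePolicy: "Always"
        seccompProfile:
          type: "RuntimeDefault"
      topologySpreadConstraints:
        - maxSkew: 1
          topologyKey: "kubernetes.io/hostname"
          whenUnsatisfiable: "DoNotSchedule"
          labelSelector:
            matchLabels:
              app.kubernetes.io/name: *app
      affinity:
        nodeAffinity:
          requiredDuringSchedulingIgnoredDuringExecution:
            nodeSelectorTerms:
              # Only schedule on nodes that do not carry this label key.
              - matchExpressions:
                  - key: "fuckoff.home.arpa/code-server"
                    operator: "DoesNotExist"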