feat: install Netbird as a VPN solution

Also configure Netbird OIDC client in Keycloak using Crossplane
This commit is contained in:
Vegard Hagen
2024-08-03 13:51:27 +02:00
parent 935a13038c
commit 69d56e8e71
47 changed files with 779 additions and 21 deletions


@@ -5,7 +5,7 @@
Gateway API
```shell
kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.0.0/experimental-install.yaml
kubectl apply -k infra/crds
```
## Cilium
@@ -40,6 +40,10 @@ kustomize build --enable-helm infra/controllers/argocd | kubectl apply -f -
kubectl -n argocd get secret argocd-initial-admin-secret -ojson | jq -r ' .data.password | @base64d'
```
```shell
kubectl apply -k infra
```
```shell
kubectl apply -k sets
```


@@ -0,0 +1,18 @@
apiVersion: keycloak.crossplane.io/v1alpha1
kind: XBuiltinObjects
metadata:
name: builtin-objects-homelab
spec:
providerConfigName: default
providerSecretName: keycloak-credentials
realm: homelab
builtinClients:
- account
- account-console
- admin-cli
- broker
- realm-management
- security-admin-console
builtinRealmRoles:
- offline_access
- uma_authorization


@@ -6,3 +6,4 @@ resources:
- users.yaml
- client-cloudflare.yaml
- cloudflare-oidc-credentials.yaml
- builtin-objects.yaml


@@ -3,9 +3,6 @@ kind: Kustomization
resources:
- ns.yaml
- providers/keycloak
# - https://doc.crds.dev/raw/github.com/crossplane/crossplane@v1.16.0 # renovate: helm=crossplane registry=https://charts.crossplane.io/stable
# - https://doc.crds.dev/raw/github.com/crossplane-contrib/provider-keycloak@v1.1.0 # renovate: github-releases=crossplane-contrib/provider-keycloak
helmCharts:
- name: crossplane


@@ -0,0 +1,34 @@
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
name: crossplane-crds
namespace: argocd
labels:
dev.stonegarden: crossplane-crds
spec:
generators:
- git:
repoURL: https://github.com/vehagn/homelab
revision: HEAD
directories:
- path: k8s/infra/crossplane-crds/*
template:
metadata:
name: 'crossplane-crds-{{ path.basename }}'
labels:
dev.stonegarden: crossplane-crds
spec:
project: crossplane-crds
source:
plugin:
name: kustomize-build-with-helm
repoURL: https://github.com/vehagn/homelab
targetRevision: HEAD
path: '{{ path }}'
destination:
name: in-cluster
namespace: argocd
syncPolicy:
automated:
selfHeal: true
prune: true


@@ -0,0 +1,35 @@
apiVersion: apiextensions.crossplane.io/v1
kind: Composition
metadata:
name: keycloak-builtin-objects
spec:
compositeTypeRef:
apiVersion: keycloak.crossplane.io/v1alpha1
kind: XBuiltinObjects
mode: Pipeline
pipeline:
- step: pull-provider-configs
functionRef:
name: function-extra-resources
input:
apiVersion: extra-resources.fn.crossplane.io/v1beta1
kind: Input
spec:
extraResources:
- kind: Secret
into: secrets
apiVersion: v1
type: Selector
selector:
minMatch: 1
maxMatch: 100
matchLabels:
- key: type
type: Value
value: provider-credentials
- step: keycloak-builtin-objects
functionRef:
name: function-keycloak-builtin-objects
- step: automatically-detect-ready-composed-resources
functionRef:
name: function-auto-ready
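Review bot: The `pull-provider-configs` step selects every Secret labelled `type=provider-credentials` (up to `maxMatch: 100`) and hands the whole set into the pipeline for the third-party `function-keycloak-builtin-objects` step, even though the XRD only needs the one Secret named in `spec.providerSecretName`. Any other Secret that happens to carry that label would be read into the composition as well — across namespaces if this function version lists cluster-wide, which I could not confirm from here. If the function supports it, narrow the match (a name or field-path selector driven by `providerSecretName`, or a more specific label such as `provider-credentials: keycloak`) and lower `maxMatch`; otherwise add a comment above `extraResources` stating that the `type=provider-credentials` label is reserved for Keycloak provider secrets and must not be reused.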


@@ -0,0 +1,21 @@
apiVersion: pkg.crossplane.io/v1beta1
kind: Function
metadata:
name: function-extra-resources
spec:
package: xpkg.upbound.io/crossplane-contrib/function-extra-resources:v0.0.3
---
apiVersion: pkg.crossplane.io/v1beta1
kind: Function
metadata:
name: function-auto-ready
spec:
package: xpkg.upbound.io/crossplane-contrib/function-auto-ready:v0.2.1
---
apiVersion: pkg.crossplane.io/v1beta1
kind: Function
metadata:
name: function-keycloak-builtin-objects
spec:
package: registry.gitlab.com/corewire/images/crossplane/function-keycloak-builtin-objects:v1.0.0
packagePullPolicy: Always
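Review bot: `function-keycloak-builtin-objects` is pulled from a third-party registry by mutable tag with `packagePullPolicy: Always`, so every restart re-resolves `v1.0.0` and silently runs whatever that tag points to at the time — and by the composition's step order this is the function that consumes the provider credentials fetched in the previous step. Pin the package by digest, e.g. `package: registry.gitlab.com/corewire/images/crossplane/function-keycloak-builtin-objects:v1.0.0@sha256:<digest>`, and drop `packagePullPolicy: Always`, which adds nothing once the reference is immutable. `function-extra-resources` is the step that actually reads those Secrets, so it deserves the same digest pinning; `function-auto-ready` can follow for consistency.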


@@ -0,0 +1,8 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- provider.yaml
- functions.yaml
- composition.yaml
- xrd.yaml


@@ -0,0 +1,50 @@
apiVersion: apiextensions.crossplane.io/v1
kind: CompositeResourceDefinition
metadata:
name: xbuiltinobjects.keycloak.crossplane.io
spec:
group: keycloak.crossplane.io
names:
kind: XBuiltinObjects
plural: xbuiltinobjects
versions:
- name: v1alpha1
served: true
referenceable: true
schema:
openAPIV3Schema:
type: object
properties:
spec:
type: object
properties:
realm:
type: string
description: Realm to import the builtin clients/roles from
builtinClients:
type: array
items:
type: string
description: List of clients to import from the realm
builtinRealmRoles:
type: array
items:
type: string
enum:
- offline_access
- uma_authorization
- admin
- create-realm
description: List of realm roles to import from the realm
providerConfigName:
type: string
description: Name of the provider config to attach to the imported clients/roles
providerSecretName:
type: string
description: Name of the secret containing the provider credentials (Secret must have a label with key=type and value=provider-credentials to be found)
required:
- providerConfigName
- providerSecretName
- realm
required:
- spec


@@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- keycloak


@@ -0,0 +1,9 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
commonLabels:
dev.stonegarden: crossplane-crds
app.kubernetes.io/managed-by: argocd
resources:
- project.yaml
- application-set.yaml


@@ -0,0 +1,16 @@
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
name: crossplane-crds
namespace: argocd
spec:
sourceRepos:
- 'https://github.com/vehagn/homelab'
destinations:
- namespace: 'argocd'
server: '*'
- namespace: 'crossplane'
server: '*'
clusterResourceWhitelist:
- group: '*'
kind: '*'
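Review bot: `clusterResourceWhitelist` with `group: '*'` / `kind: '*'` lets any Application in this project create arbitrary cluster-scoped objects (ClusterRoleBindings, webhook configurations, further CRDs), while the files this project syncs only need Crossplane's packaging and composition types, which are cluster-scoped. Because the matching ApplicationSet syncs with `prune: true` and `selfHeal: true`, whatever the project allows is applied automatically from `HEAD` of the repo, so a mistaken or malicious commit would escalate straight to cluster admin-level objects. Restrict the whitelist to the groups actually used; `provider.yaml` is not visible here, so add `keycloak.crossplane.io` as well if it holds a ProviderConfig. The same wildcard appears in the `vpn` project.

```yaml
# … unchanged: sourceRepos, destinations …
clusterResourceWhitelist:
  - group: apiextensions.crossplane.io
    kind: '*'
  - group: pkg.crossplane.io
    kind: '*'
```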


@@ -2,6 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- provider.yaml
- keycloak-credentials.yaml
- default-config.yaml


@@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- keycloak


@@ -0,0 +1,34 @@
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
name: vpn
namespace: argocd
labels:
dev.stonegarden: auth
spec:
generators:
- git:
repoURL: https://github.com/vehagn/homelab
revision: HEAD
directories:
- path: k8s/infra/vpn/*
template:
metadata:
name: '{{ path.basename }}'
labels:
dev.stonegarden: controllers
spec:
project: vpn
source:
plugin:
name: kustomize-build-with-helm
repoURL: https://github.com/vehagn/homelab
targetRevision: HEAD
path: '{{ path }}'
destination:
name: in-cluster
namespace: argocd
syncPolicy:
automated:
selfHeal: true
prune: true
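Review bot: The labels on this ApplicationSet do not match the project it belongs to: `metadata.labels` carries `dev.stonegarden: auth` and the template labels every generated Application `dev.stonegarden: controllers`, while the sibling kustomization uses `dev.stonegarden: vpn` and `project: vpn` is set right below. The kustomization's `commonLabels` should override the metadata label, but as far as kustomize's default field specs go it does not touch `spec.template.metadata.labels`, so the VPN Applications will show up grouped with the controllers in Argo CD. Change both occurrences to `dev.stonegarden: vpn`. This looks like a copy-paste from the auth/controllers ApplicationSets rather than an intentional choice.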


@@ -0,0 +1,15 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: coturn
resources:
- ns.yaml
- secret-netbird-credentials.yaml
helmCharts:
- name: coturn
repo: https://charts.jaconi.io
releaseName: coturn
namespace: coturn
version: 0.8.6
valuesFile: values.yaml


@@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: coturn


@@ -0,0 +1,14 @@
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: netbird-turn-credentials
namespace: coturn
spec:
encryptedData:
password: AgDILP8Rl3KzqKkm0u223SbYovP6j3xYR3zA+le2g9nH6HNudRRDRjxY5STex29aM2wDgtjzyAV6NVGo2TeQD/dFPNIGtH/g6XtXdnF/q7HA9PjRoEoAu7UptJ1S8yxo1bVNdC7SqQuEDqKQKxxNoD7Xgk/0X9Qu0yXoBmL3NgaROOQELwiK/je9UrACAMNQKZMuxZnF+1vGZkBud0zRd3fLL1i0nkhYGM+MWWEs6Te4RYJnpFe1bma1ou7G0oxE/WHsOFJrzqCel1NSACS7vc9Rg5bFh7chQYBbz6sB4/4QBtMS34xKWbgnzPM9U8PyhM5u9Hr+Bj86MQAxjzgXqNmwRBZ+bQuvVgvNBSMxTkmLQtH4mq941OGgS7E7bxlk57qOLjk0NzUV6oKzK3nQARJBTbQT2nDifyKWCIAH7rCkkdkZosKm185XJK3AcIPnM+YJK/b41sVkBzk+h3hwIwSY8FoJUzBAhhD1Ly3FHzkgE9oewYO7WWP4cjl+FndItsd98nlSdRjWpdDTTPpLd2Z4Vyn1WF4DBNfe1+S089mM6XgQzxltsHZ3hCNDQPSCsuUK/oSZAO3fi4Pww/7cdShEXsPpfHRApdZbXkruhEeQ8A1h+fqquFeCW54RrTnztj5pxBxKnoEXLl5h7oYMMsoWKBVpG94Fc3pXh6CcahFvAiiSbNpmwfWjRVnQBJVx7UWqstnUd4soiYtjycRzJz0OiXjyAzUM2zIXjn1x280iuOye6y+68qxY
username: 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
template:
metadata:
name: netbird-turn-credentials
namespace: coturn
type: Opaque


@@ -0,0 +1,20 @@
realm: coturn.stonegarden.dev
replicaCount: 1
extraOptions:
- --listening-ip=0.0.0.0
certificate:
enabled: true
dnsName: coturn.stonegarden.dev
issuerName: cloudflare-cluster-issuer
service:
annotations:
io.cilium/lb-ipam-ips: 192.168.1.226
type: LoadBalancer
users:
- name: netbird
secretKeyRef:
name: netbird-turn-credentials
key: password
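Review bot: The TURN server listens on a LoadBalancer IP in the 192.168.1.0/24 LAN with `--listening-ip=0.0.0.0` and a single shared long-term credential, and nothing in `extraOptions` restricts where relayed traffic may be sent, so anyone holding the `netbird` credential can use the relay as a pivot onto the LAN the server sits in. coturn's usual hardening is to deny relay allocations to private and multicast ranges (`--no-multicast-peers`, `--denied-peer-ip=…`); with NetBird the relayed peers are normally other clients' public reflexive addresses, but please confirm no LAN-side peer depends on the relay before applying this. Whether the chart already sets `--fingerprint`, `--no-tcp-relay` or a rate limit is not visible from these values and is worth checking in the rendered ConfigMap.

```yaml
extraOptions:
  - --listening-ip=0.0.0.0
  - --no-multicast-peers
  - --denied-peer-ip=10.0.0.0-10.255.255.255
  - --denied-peer-ip=172.16.0.0-172.31.255.255
  - --denied-peer-ip=192.168.0.0-192.168.255.255
# … unchanged: certificate, service, users …
```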


@@ -0,0 +1,9 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
commonLabels:
dev.stonegarden: vpn
app.kubernetes.io/managed-by: argocd
resources:
- project.yaml
- application-set.yaml


@@ -0,0 +1,23 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: netbird
resources:
- oidc-client.yaml
- oidc-sa-role.yaml
- secret-coturn-credentials.yaml
- secret-oidc-credentials.yaml
helmCharts:
- name: netbird
repo: https://charts.jaconi.io
releaseName: netbird-backend
namespace: netbird
version: 0.14.2
valuesFile: values.yaml
patches:
- path: patches/deployment-strategy-management.yaml
- path: patches/deployment-strategy-signal.yaml
- path: patches/pvc-backend-management.yaml
- path: patches/pvc-backend-signal.yaml


@@ -0,0 +1,25 @@
apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
kind: Client
metadata:
name: netbird-backend
spec:
deletionPolicy: Delete
forProvider:
name: Netbird Backend
accessType: CONFIDENTIAL
clientId: netbird-backend
clientSecretSecretRef:
namespace: netbird
name: netbird-backend-oidc-credentials
key: clientSecret
description: Netbird Backend Client
standardFlowEnabled: true
directAccessGrantsEnabled: true
serviceAccountsEnabled: true
oauth2DeviceAuthorizationGrantEnabled: true
validRedirectUris:
- "/*"
webOrigins:
- "+"
realmIdRef:
name: homelab
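Review bot: `netbird-backend` is a confidential client the management service uses with `grantType: client_credentials` (its service account is granted `view-users` in the next file), yet it also enables `standardFlowEnabled`, `directAccessGrantsEnabled` and the device grant, together with a catch-all `validRedirectUris: ["/*"]` and `webOrigins: ["+"]`. Those interactive flows give anyone who obtains the client secret a way to mint user-bound tokens and a permissive redirect target that this client never legitimately uses. Set `standardFlowEnabled: false`, `directAccessGrantsEnabled: false` and `oauth2DeviceAuthorizationGrantEnabled: false`; once no browser flow is enabled the redirect URIs and web origins should no longer be needed and can be dropped. A one-line comment above `serviceAccountsEnabled` saying this client is machine-to-machine only would stop the flags being re-enabled later.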


@@ -0,0 +1,13 @@
apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
kind: ClientServiceAccountRole
metadata:
name: netbird-backend-view-users
spec:
forProvider:
clientIdRef:
name: builtin-homelab-realm-management
realmIdRef:
name: homelab
role: view-users
serviceAccountUserClientIdRef:
name: netbird-backend


@@ -0,0 +1,7 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: netbird-backend-management
spec:
strategy:
type: Recreate


@@ -0,0 +1,7 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: netbird-backend-signal
spec:
strategy:
type: Recreate


@@ -0,0 +1,7 @@
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: netbird-backend-management
spec:
storageClassName: proxmox-csi
volumeName: pv-netbird-management


@@ -0,0 +1,7 @@
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: netbird-backend-signal
spec:
storageClassName: proxmox-csi
volumeName: pv-netbird-signal


@@ -0,0 +1,14 @@
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: netbird-turn-credentials
namespace: netbird
spec:
encryptedData:
password: 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
username: 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
template:
metadata:
name: netbird-turn-credentials
namespace: netbird
type: Opaque


@@ -0,0 +1,14 @@
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
name: netbird-backend-oidc-credentials
namespace: netbird
spec:
encryptedData:
clientId: 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
clientSecret: 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
template:
metadata:
name: netbird-backend-oidc-credentials
namespace: netbird
type: Opaque


@@ -0,0 +1,72 @@
auth:
authority: https://keycloak.stonegarden.dev/realms/homelab
audience: netbird
device:
provider: hosted
audience: netbird
authority: https://keycloak.stonegarden.dev/realms/homelab
clientID: netbird
deviceAuthorizationEndpoint: https://keycloak.stonegarden.dev/realms/homelab/protocol/openid-connect/auth
tokenEndpoint: https://keycloak.stonegarden.dev/realms/homelab/protocol/openid-connect/token
scope: openid
useIDToken: false
idp:
managerType: keycloak
clientID: netbird-backend
secretKeyRef:
name: netbird-backend-oidc-credentials
key: clientSecret
grantType: client_credentials
adminEndpoint: https://keycloak.stonegarden.dev/admin/realms/homelab
tokenEndpoint: https://keycloak.stonegarden.dev/realms/homelab/protocol/openid-connect/token
management:
image:
tag: 0.28.4
nodeSelector:
topology.kubernetes.io/zone: abel
ingress:
enabled: false
# annotations:
# cert-manager.io/cluster-issuer: cloudflare-cluster-issuer
# hosts:
# - host: netbird.stonegarden.dev
# paths:
# - path: /api
# pathType: Prefix
# - path: /management.ManagementService/
# pathType: Prefix
# tls:
# - hosts:
# - netbird.stonegarden.dev
signal:
image:
tag: 0.28.4
nodeSelector:
topology.kubernetes.io/zone: abel
uri: netbird.stonegarden.dev:443
protocol: https
ingress:
enabled: false
# annotations:
# cert-manager.io/cluster-issuer: cloudflare-cluster-issuer
# hosts:
# - host: netbird.stonegarden.dev
# paths:
# - path: /signalexchange.SignalExchange/
# pathType: Prefix
# tls:
# - hosts:
# - netbird.stonegarden.dev
stun:
uri: stun:coturn.stonegarden.dev:3478
turn:
uri: turn:coturn.stonegarden.dev:3478
user: netbird
secretKeyRef:
name: netbird-turn-credentials
key: password
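Review bot: The `stun`/`turn` URIs use the plain schemes on port 3478, so the TLS certificate the coturn chart is asked to provision for `coturn.stonegarden.dev` is never used by NetBird clients. If the relay is meant to be reachable over TLS, point clients at `turns:coturn.stonegarden.dev:5349` (and confirm the chart's LoadBalancer Service actually exposes that port); otherwise the `certificate` stanza in the coturn values is dead configuration and should be removed so nobody assumes the relay is TLS-protected. Relayed payload is WireGuard-encrypted either way, so this concerns the TURN allocation and authentication exchange, not the tunnel traffic.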


@@ -0,0 +1,16 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: netbird
resources:
- oidc-scopes.yaml
- oidc-client.yaml
- oidc-client-scopes.yaml
helmCharts:
- name: netbird-dashboard
repo: https://charts.jaconi.io
releaseName: netbird-dashboard
namespace: netbird
version: 1.0.0
valuesFile: values.yaml


@@ -0,0 +1,17 @@
apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
kind: ClientDefaultScopes
metadata:
name: netbird-default-scopes
spec:
forProvider:
defaultScopes:
- acr
- email
- profile
- roles
- web-origins
- netbird-api
clientIdRef:
name: netbird
realmIdRef:
name: homelab


@@ -0,0 +1,24 @@
apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
kind: Client
metadata:
name: netbird
spec:
forProvider:
name: Netbird
accessType: PUBLIC
clientId: netbird
description: Netbird Client
standardFlowEnabled: true
directAccessGrantsEnabled: true
oauth2DeviceAuthorizationGrantEnabled: true
baseUrl: "https://netbird.stonegarden.dev"
validRedirectUris:
- "http://localhost:53000"
- "http://localhost:8080/*"
- "https://netbird.stonegarden.dev/*"
validPostLogoutRedirectUris:
- "https://netbird.stonegarden.dev/*"
webOrigins:
- "+"
realmIdRef:
name: homelab
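Review bot: The public `netbird` client has `directAccessGrantsEnabled: true`, which turns on the OAuth2 password grant for a client with no secret; the dashboard appears to use the authorization-code flow (`standardFlowEnabled`) and the CLI the device grant (`auth.device` in the backend values), so nothing here needs it. Set `directAccessGrantsEnabled: false`, and since this is a public code-flow client consider enforcing PKCE with `pkceCodeChallengeMethod: S256` if the dashboard image in use supports it. The loopback entries `http://localhost:53000` and `http://localhost:8080/*` look intended for the CLI; a comment saying which flow needs each would make it clear they are deliberate rather than leftovers, and `http://localhost:8080/*` in particular is broader than a single callback path needs.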


@@ -0,0 +1,31 @@
apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
kind: ClientScope
metadata:
name: netbird-api
spec:
forProvider:
name: netbird-api
consentScreenText: Netbird Management API
includeInTokenScope: true
realmIdRef:
name: homelab
---
apiVersion: client.keycloak.crossplane.io/v1alpha1
kind: ProtocolMapper
metadata:
name: netbird-api-audience-mapper
spec:
forProvider:
name: Audience for NetBird Management API
protocol: openid-connect
protocolMapper: oidc-audience-mapper
config:
included.client.audience: "netbird"
id.token.claim: "false"
access.token.claim: "true"
introspection.token.claim: "true"
userinfo.token.claim: "false"
clientScopeIdRef:
name: netbird-api
realmIdRef:
name: homelab


@@ -0,0 +1,25 @@
image:
tag: v2.4.1
auth:
authority: https://keycloak.stonegarden.dev/realms/homelab
audience: netbird
clientID: netbird
supportedScopes: openid profile email offline_access netbird-api
netbird:
managementApiEndpoint: https://netbird.stonegarden.dev
managementGrpcApiEndpoint: https://netbird.stonegarden.dev
ingress:
enabled: false
# annotations:
# cert-manager.io/cluster-issuer: cloudflare-cluster-issuer
# hosts:
# - host: netbird.stonegarden.dev
# paths:
# - path: /
# pathType: Prefix
# tls:
# - hosts:
# - netbird.stonegarden.dev


@@ -0,0 +1,36 @@
apiVersion: gateway.networking.k8s.io/v1
kind: HTTPRoute
metadata:
name: netbird
namespace: netbird
spec:
parentRefs:
- name: stonegarden
namespace: gateway
hostnames:
- "netbird.stonegarden.dev"
rules:
- backendRefs:
- name: netbird-dashboard
port: 80
matches:
- path:
type: PathPrefix
value: /
- backendRefs:
- name: netbird-backend-management
port: 80
matches:
- path:
type: PathPrefix
value: /api
- path:
type: PathPrefix
value: /management.ManagementService/
- backendRefs:
- name: netbird-backend-signal
port: 80
matches:
- path:
type: PathPrefix
value: /signalexchange.SignalExchange/


@@ -0,0 +1,50 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
cert-manager.io/cluster-issuer: cloudflare-cluster-issuer
name: netbird
namespace: netbird
spec:
tls:
- secretName: netbird-ingress-tls
hosts:
- netbird.stonegarden.dev
rules:
- host: netbird.stonegarden.dev
http:
paths:
- backend:
service:
name: netbird-backend-management
port:
number: 80
path: /api
pathType: Prefix
- backend:
service:
name: netbird-backend-management
port:
number: 80
path: /management.ManagementService/
pathType: Prefix
- host: netbird.stonegarden.dev
http:
paths:
- backend:
service:
name: netbird-backend-signal
port:
number: 80
path: /signalexchange.SignalExchange/
pathType: Prefix
- host: netbird.stonegarden.dev
http:
paths:
- backend:
service:
name: netbird-dashboard
port:
number: 80
path: /
pathType: Prefix


@@ -0,0 +1,10 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: netbird
resources:
- ns.yaml
- http-route.yaml
- ingress.yaml
- backend
- dashboard
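Review bot: Both `http-route.yaml` and `ingress.yaml` publish `netbird.stonegarden.dev` with the same path-to-service mapping, so the management, signal and dashboard backends are reachable through two independent entry points — the `stonegarden` Gateway and whatever controller serves the Ingress. That doubles the TLS configuration and the places where any future authentication, rate-limit or IP-allowlist policy has to be applied, and a policy added to one path is silently bypassable via the other. If the Ingress is a migration fallback, add a comment saying so and when it goes away; otherwise keep only one of the two. The chart values already set `ingress.enabled: false` for every component, so the Helm chart itself is not a third path.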


@@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: netbird


@@ -0,0 +1,18 @@
apiVersion: argoproj.io/v1alpha1
kind: AppProject
metadata:
name: vpn
namespace: argocd
spec:
sourceRepos:
- 'https://github.com/vehagn/homelab'
destinations:
- namespace: 'argocd'
server: '*'
- namespace: 'coturn'
server: '*'
- namespace: 'netbird'
server: '*'
clusterResourceWhitelist:
- group: '*'
kind: '*'
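Review bot: As in the `crossplane-crds` project, `clusterResourceWhitelist` with `group: '*'` / `kind: '*'` allows Applications in `vpn` to create any cluster-scoped object, and the `vpn` ApplicationSet syncs `HEAD` with `prune` and `selfHeal`, so a bad commit escalates automatically. The cluster-scoped objects this project actually ships are the two Namespaces and the Crossplane Keycloak managed resources (`Client`, `ClientScope`, `ClientDefaultScopes`, `ClientServiceAccountRole`, `ProtocolMapper`), which live in the `openidclient.keycloak.crossplane.io` and `client.keycloak.crossplane.io` groups; whitelist those explicitly. If a later change needs more, widening the list in a reviewed commit is the right place to do it.

```yaml
# … unchanged: sourceRepos, destinations …
clusterResourceWhitelist:
  - group: ''
    kind: Namespace
  - group: openidclient.keycloak.crossplane.io
    kind: '*'
  - group: client.keycloak.crossplane.io
    kind: '*'
```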


@@ -31,19 +31,37 @@ tofu state rm "module.volumes.module.proxmox-volume[\"pv-qbittorrent-config\"].r
## import proxmox volume
```shell
tofu import 'module.volumes.module.proxmox-volume["pv-jellyfin-config"].restapi_object.proxmox-volume' /api2/json/nodes/euclid/storage/local-zfs/content/local-zfs:vm-9999-pv-jellyfin-config
tofu import 'module.volumes.module.proxmox-volume["pv-keycloak-db"].restapi_object.proxmox-volume' /api2/json/nodes/euclid/storage/local-zfs/content/local-zfs:vm-9999-pv-keycloak-db
tofu import 'module.volumes.module.proxmox-volume["pv-lidarr-config"].restapi_object.proxmox-volume' /api2/json/nodes/cantor/storage/local-zfs/content/local-zfs:vm-9999-pv-lidarr-config
tofu import "module.volumes.module.proxmox-volume[\"pv-radarr-config\"].restapi_object.proxmox-volume" /api2/json/nodes/cantor/storage/local-zfs/content/local-zfs:vm-9999-pv-radarr-config
tofu import "module.volumes.module.proxmox-volume[\"pv-sonarr-config\"].restapi_object.proxmox-volume" /api2/json/nodes/cantor/storage/local-zfs/content/local-zfs:vm-9999-pv-sonarr-config
tofu import "module.volumes.module.proxmox-volume[\"pv-qbittorrent-config\"].restapi_object.proxmox-volume" /api2/json/nodes/euclid/storage/local-zfs/content/local-zfs:vm-9999-pv-qbittorrent-config
tofu import "module.volumes.module.proxmox-volume[\"pv-plex-config\"].restapi_object.proxmox-volume" /api2/json/nodes/abel/storage/local-zfs/content/local-zfs:vm-9999-pv-plex-config
tofu import "module.volumes.module.proxmox-volume[\"pv-jellyfin-config\"].restapi_object.proxmox-volume" /api2/json/nodes/abel/storage/local-zfs/content/local-zfs:vm-9999-pv-jellyfin-config
tofu import 'module.volumes.module.proxmox-volume["pv-netbird-management"].restapi_object.proxmox-volume' /api2/json/nodes/abel/storage/local-zfs/content/local-zfs:vm-9999-pv-netbird-management
tofu import 'module.volumes.module.proxmox-volume["pv-netbird-signal"].restapi_object.proxmox-volume' /api2/json/nodes/abel/storage/local-zfs/content/local-zfs:vm-9999-pv-netbird-signal
tofu import 'module.volumes.module.proxmox-volume["pv-plex-config"].restapi_object.proxmox-volume' /api2/json/nodes/abel/storage/local-zfs/content/local-zfs:vm-9999-pv-plex-config
tofu import 'module.volumes.module.proxmox-volume["pv-prometheus"].restapi_object.proxmox-volume' /api2/json/nodes/abel/storage/local-zfs/content/local-zfs:vm-9999-pv-prometheus
tofu import 'module.volumes.module.proxmox-volume["pv-prowlarr-config"].restapi_object.proxmox-volume' /api2/json/nodes/euclid/storage/local-zfs/content/local-zfs:vm-9999-pv-prowlarr-config
tofu import 'module.volumes.module.proxmox-volume["pv-radarr-config"].restapi_object.proxmox-volume' /api2/json/nodes/cantor/storage/local-zfs/content/local-zfs:vm-9999-pv-radarr-config
tofu import 'module.volumes.module.proxmox-volume["pv-remark42"].restapi_object.proxmox-volume' /api2/json/nodes/euclid/storage/local-zfs/content/local-zfs:vm-9999-pv-remark42
tofu import 'module.volumes.module.proxmox-volume["pv-sonarr-config"].restapi_object.proxmox-volume' /api2/json/nodes/cantor/storage/local-zfs/content/local-zfs:vm-9999-pv-sonarr-config
tofu import 'module.volumes.module.proxmox-volume["pv-torrent-config"].restapi_object.proxmox-volume' /api2/json/nodes/euclid/storage/local-zfs/content/local-zfs:vm-9999-pv-torrent-config
```
## import persistent volume
```shell
tofu import 'module.volumes.module.persistent-volume["pv-torrent-config"].kubernetes_persistent_volume.pv' pv-torrent-config
tofu state rm module.volumes.module.persistent-volume
```
```shell
tofu import 'module.volumes.module.persistent-volume["pv-jellyfin-config"].kubernetes_persistent_volume.pv' pv-jellyfin-config
tofu import 'module.volumes.module.persistent-volume["pv-keycloak-db"].kubernetes_persistent_volume.pv' pv-keycloak-db
tofu import 'module.volumes.module.persistent-volume["pv-lidarr-config"].kubernetes_persistent_volume.pv' pv-lidarr-config
tofu import 'module.volumes.module.persistent-volume["pv-netbird-management"].kubernetes_persistent_volume.pv' pv-netbird-management
tofu import 'module.volumes.module.persistent-volume["pv-netbird-signal"].kubernetes_persistent_volume.pv' pv-netbird-signal
tofu import 'module.volumes.module.persistent-volume["pv-plex-config"].kubernetes_persistent_volume.pv' pv-plex-config
tofu import 'module.volumes.module.persistent-volume["pv-prometheus"].kubernetes_persistent_volume.pv' pv-prometheus
tofu import 'module.volumes.module.persistent-volume["pv-prowlarr-config"].kubernetes_persistent_volume.pv' pv-prowlarr-config
tofu import 'module.volumes.module.persistent-volume["pv-radarr-config"].kubernetes_persistent_volume.pv' pv-radarr-config
tofu import 'module.volumes.module.persistent-volume["pv-remark42"].kubernetes_persistent_volume.pv' pv-remark42
tofu import 'module.volumes.module.persistent-volume["pv-sonarr-config"].kubernetes_persistent_volume.pv' pv-sonarr-config
tofu import 'module.volumes.module.persistent-volume["pv-torrent-config"].kubernetes_persistent_volume.pv' pv-torrent-config
```


@@ -15,6 +15,10 @@ resource "restapi_object" "proxmox-volume" {
size = var.volume.size
format = var.volume.format
})
lifecycle {
prevent_destroy = true
}
}
output "node" {


@@ -6,7 +6,7 @@ module "talos" {
}
image = {
version = "v1.7.5"
version = "v1.7.6"
schematic = file("${path.module}/talos/image/schematic.yaml")
}
@@ -17,7 +17,7 @@ module "talos" {
cluster = {
name = "talos"
endpoint = "192.168.1.100"
endpoint = "192.168.1.101"
gateway = "192.168.1.1"
talos_version = "v1.7"
proxmox_cluster = "homelab"
@@ -29,18 +29,17 @@ module "talos" {
machine_type = "controlplane"
ip = "192.168.1.100"
mac_address = "BC:24:11:2E:C8:00"
vm_id = 8000
vm_id = 800
cpu = 8
ram_dedicated = 20480
igpu = true
update = true
}
"ctrl-01" = {
host_node = "euclid"
machine_type = "controlplane"
ip = "192.168.1.101"
mac_address = "BC:24:11:2E:C8:01"
vm_id = 8001
vm_id = 801
cpu = 4
ram_dedicated = 20480
igpu = true
@@ -50,10 +49,19 @@ module "talos" {
machine_type = "controlplane"
ip = "192.168.1.102"
mac_address = "BC:24:11:2E:C8:02"
vm_id = 8002
vm_id = 802
cpu = 4
ram_dedicated = 4096
}
"work-00" = {
host_node = "abel"
machine_type = "controlplane"
ip = "192.168.1.110"
mac_address = "BC:24:11:2E:A8:00"
vm_id = 810
cpu = 8
ram_dedicated = 4096
}
}
}
@@ -127,6 +135,14 @@ module "volumes" {
node = "euclid"
size = "12G"
}
pv-netbird-signal = {
node = "abel"
size = "1G"
}
pv-netbird-management = {
node = "abel"
size = "1G"
}
pv-plex-config = {
node = "abel"
size = "12G"
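Review bot: The new `work-00` node on `abel` is declared with `machine_type = "controlplane"`, which makes four control-plane members and no dedicated worker despite the `work-` naming; if it is meant to run workloads it should be `machine_type = "worker"`, and if a fourth control plane is intended the name is misleading and etcd ends up with an even member count (three or five are the usual choices). Separately, `cluster.endpoint` now points at ctrl-01's address `192.168.1.101` rather than a shared address, so the Kubernetes API becomes unreachable whenever that single node is down or being re-created; a Talos VIP or an external load balancer would remove that single point of failure. The enclosing `module "talos"` block starts and ends outside the hunks, so I could not check whether the endpoint is consumed elsewhere.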


@@ -46,7 +46,9 @@ resource "talos_machine_configuration_apply" "this" {
}
resource "talos_machine_bootstrap" "this" {
node = [for k, v in var.nodes : v.ip if v.machine_type == "controlplane"][0]
depends_on = [talos_machine_configuration_apply.this]
for_each = var.nodes
node = each.value.ip
endpoint = var.cluster.endpoint
client_configuration = talos_machine_secrets.this.client_configuration
}
@@ -70,7 +72,7 @@ data "talos_cluster_kubeconfig" "this" {
talos_machine_bootstrap.this,
data.talos_cluster_health.this
]
node = [for k, v in var.nodes : v.ip if v.machine_type == "controlplane"][0]
node = [for k, v in var.nodes : v.ip if v.machine_type == "controlplane"][1]
endpoint = var.cluster.endpoint
client_configuration = talos_machine_secrets.this.client_configuration
timeouts = {
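Review bot: `talos_machine_bootstrap` now has `for_each = var.nodes` with `node = each.value.ip`, which — if both lines are additions, as the hunk header's net +2 suggests — issues a bootstrap against every node including workers; Talos expects bootstrap to run exactly once against a single control-plane node, and repeated bootstraps against other control-plane members risk initialising a second etcd. Keep one resource targeting a single control-plane IP (the earlier `node = [for k, v in var.nodes : v.ip if v.machine_type == "controlplane"][0]` form, or a `for_each` over a one-element set). The kubeconfig data source also switched from `[0]` to `[1]`, tying correctness to the sort order of the `nodes` map keys; selecting a named node or using `var.cluster.endpoint` would be more robust. The old `node = …[0]` line is still printed in the bootstrap hunk, so I could not tell from the rendered page whether it was actually removed.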