diff --git a/k8s/README.md b/k8s/README.md
index 1ed29c4..bb21e57 100644
--- a/k8s/README.md
+++ b/k8s/README.md
@@ -5,7 +5,7 @@ Gateway API
 ```shell
-kubectl apply -f https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.0.0/experimental-install.yaml
+kubectl apply -k infra/crds
 ```
 ## Cilium
@@ -40,6 +40,10 @@ kustomize build --enable-helm infra/controllers/argocd | kubectl apply -f -
 kubectl -n argocd get secret argocd-initial-admin-secret -ojson | jq -r ' .data.password | @base64d'
 ```
+```shell
+kubectl apply -k infra
+```
+
 ```shell
 kubectl apply -k sets
 ```
diff --git a/k8s/infra/auth/keycloak/config/builtin-objects.yaml b/k8s/infra/auth/keycloak/config/builtin-objects.yaml
new file mode 100644
index 0000000..cdcae0d
--- /dev/null
+++ b/k8s/infra/auth/keycloak/config/builtin-objects.yaml
@@ -0,0 +1,18 @@
+apiVersion: keycloak.crossplane.io/v1alpha1
+kind: XBuiltinObjects
+metadata:
+ name: builtin-objects-homelab
+spec:
+ providerConfigName: default
+ providerSecretName: keycloak-credentials
+ realm: homelab
+ builtinClients:
+ - account
+ - account-console
+ - admin-cli
+ - broker
+ - realm-management
+ - security-admin-console
+ builtinRealmRoles:
+ - offline_access
+ - uma_authorization
diff --git a/k8s/infra/auth/keycloak/config/kustomization.yaml b/k8s/infra/auth/keycloak/config/kustomization.yaml
index 2111df3..0843f06 100644
--- a/k8s/infra/auth/keycloak/config/kustomization.yaml
+++ b/k8s/infra/auth/keycloak/config/kustomization.yaml
@@ -6,3 +6,4 @@ resources:
 - users.yaml
 - client-cloudflare.yaml
 - cloudflare-oidc-credentials.yaml
+ - builtin-objects.yaml
diff --git a/k8s/infra/controllers/crossplane/kustomization.yaml b/k8s/infra/controllers/crossplane/kustomization.yaml
index 34d94b7..8454b80 100644
--- a/k8s/infra/controllers/crossplane/kustomization.yaml
+++ b/k8s/infra/controllers/crossplane/kustomization.yaml
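Review bot: `builtinClients` hands `realm-management`, `security-admin-console` and `admin-cli` over to Crossplane management, and nothing in this XR states what happens to those imported clients when `builtin-objects-homelab` is removed. If the composed managed resources inherit Crossplane's default `deletionPolicy: Delete`, deleting this object (or an Argo CD prune, which the ApplicationSets in this commit enable) could delete the realm's administrative clients and lock operators out of the `homelab` realm; whether that is the case depends on what the composition function emits, which is not visible here. Worth confirming that the imported clients and roles are created with `deletionPolicy: Orphan` and recording the expectation on this object, e.g. `# builtin clients/roles must be orphaned, never deleted, on removal of this XR`.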
@@ -3,9 +3,6 @@ kind: Kustomization
 resources:
 - ns.yaml
- - providers/keycloak
-# - https://doc.crds.dev/raw/github.com/crossplane/crossplane@v1.16.0 # renovate: helm=crossplane registry=https://charts.crossplane.io/stable
-# - https://doc.crds.dev/raw/github.com/crossplane-contrib/provider-keycloak@v1.1.0 # renovate: github-releases=crossplane-contrib/provider-keycloak
 helmCharts:
 - name: crossplane
diff --git a/k8s/infra/crossplane-crds/application-set.yaml b/k8s/infra/crossplane-crds/application-set.yaml
new file mode 100644
index 0000000..b305cd3
--- /dev/null
+++ b/k8s/infra/crossplane-crds/application-set.yaml
@@ -0,0 +1,34 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+ name: crossplane-crds
+ namespace: argocd
+ labels:
+ dev.stonegarden: crossplane-crds
+spec:
+ generators:
+ - git:
+ repoURL: https://github.com/vehagn/homelab
+ revision: HEAD
+ directories:
+ - path: k8s/infra/crossplane-crds/*
+ template:
+ metadata:
+ name: 'crossplane-crds-{{ path.basename }}'
+ labels:
+ dev.stonegarden: crossplane-crds
+ spec:
+ project: crossplane-crds
+ source:
+ plugin:
+ name: kustomize-build-with-helm
+ repoURL: https://github.com/vehagn/homelab
+ targetRevision: HEAD
+ path: '{{ path }}'
+ destination:
+ name: in-cluster
+ namespace: argocd
+ syncPolicy:
+ automated:
+ selfHeal: true
+ prune: true
diff --git a/k8s/infra/crossplane-crds/config/keycloak/composition.yaml b/k8s/infra/crossplane-crds/config/keycloak/composition.yaml
new file mode 100644
index 0000000..6f4d3d6
--- /dev/null
+++ b/k8s/infra/crossplane-crds/config/keycloak/composition.yaml
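Review bot: `revision: HEAD` and `targetRevision: HEAD` combined with `automated.prune`/`selfHeal` make every push to the default branch of this public repository an unattended, cluster-scoped change, and the `crossplane-crds` AppProject added in the same commit whitelists every cluster resource for it. Pinning both fields to an explicit branch (`revision: main` / `targetRevision: main`) at least documents which ref is trusted; branch protection and signed commits on that branch are the usual backstop for a HEAD-tracking setup like this. Separately, the `providers` directory matched by `k8s/infra/crossplane-crds/*` contains a `ProviderConfig` whose CRD only exists after the `config` app's Provider package has installed, so the first sync of `crossplane-crds-providers` will presumably fail dry-run validation; a `retry` block under `syncPolicy` or `syncOptions: [SkipDryRunOnMissingResource=true]` in the template would cover that bootstrap window.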
@@ -0,0 +1,35 @@
+apiVersion: apiextensions.crossplane.io/v1
+kind: Composition
+metadata:
+ name: keycloak-builtin-objects
+spec:
+ compositeTypeRef:
+ apiVersion: keycloak.crossplane.io/v1alpha1
+ kind: XBuiltinObjects
+ mode: Pipeline
+ pipeline:
+ - step: pull-provider-configs
+ functionRef:
+ name: function-extra-resources
+ input:
+ apiVersion: extra-resources.fn.crossplane.io/v1beta1
+ kind: Input
+ spec:
+ extraResources:
+ - kind: Secret
+ into: secrets
+ apiVersion: v1
+ type: Selector
+ selector:
+ minMatch: 1
+ maxMatch: 100
+ matchLabels:
+ - key: type
+ type: Value
+ value: provider-credentials
+ - step: keycloak-builtin-objects
+ functionRef:
+ name: function-keycloak-builtin-objects
+ - step: automatically-detect-ready-composed-resources
+ functionRef:
+ name: function-auto-ready
diff --git a/k8s/infra/crossplane-crds/config/keycloak/functions.yaml b/k8s/infra/crossplane-crds/config/keycloak/functions.yaml
new file mode 100644
index 0000000..1889a9c
--- /dev/null
+++ b/k8s/infra/crossplane-crds/config/keycloak/functions.yaml
@@ -0,0 +1,21 @@
+apiVersion: pkg.crossplane.io/v1beta1
+kind: Function
+metadata:
+ name: function-extra-resources
+spec:
+ package: xpkg.upbound.io/crossplane-contrib/function-extra-resources:v0.0.3
+---
+apiVersion: pkg.crossplane.io/v1beta1
+kind: Function
+metadata:
+ name: function-auto-ready
+spec:
+ package: xpkg.upbound.io/crossplane-contrib/function-auto-ready:v0.2.1
+---
+apiVersion: pkg.crossplane.io/v1beta1
+kind: Function
+metadata:
+ name: function-keycloak-builtin-objects
+spec:
+ package: registry.gitlab.com/corewire/images/crossplane/function-keycloak-builtin-objects:v1.0.0
+ packagePullPolicy: Always
diff --git a/k8s/infra/crossplane-crds/config/keycloak/kustomization.yaml b/k8s/infra/crossplane-crds/config/keycloak/kustomization.yaml
new file mode 100644
index 0000000..fc079dc
--- /dev/null
+++ b/k8s/infra/crossplane-crds/config/keycloak/kustomization.yaml
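Review bot: The `pull-provider-configs` step selects Secrets by the bare label `type=provider-credentials` with no namespace restriction and `maxMatch: 100`, so every Secret anywhere in the cluster carrying that label — not just the Keycloak one named by `providerSecretName` — is loaded into the pipeline and handed to the third-party `function-keycloak-builtin-objects` step that follows. A generic key like `type` is also easy to collide with. Using a purpose-specific label such as `key: keycloak.crossplane.io/provider-credentials` and, if this version of function-extra-resources supports it, restricting the selector to the namespace holding the Keycloak credentials would narrow what the function can read; a comment above the step, `# every Secret in the cluster matching this label is passed to the next function`, would make the blast radius explicit either way.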
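Review bot: `function-keycloak-builtin-objects` is pulled from a third-party GitLab registry by mutable tag with `packagePullPolicy: Always`, so the image behind `v1.0.0` can change underneath the cluster on every pull, and per `composition.yaml` in this commit that image receives the provider-credential Secrets. Pinning by digest, `package: registry.gitlab.com/corewire/images/crossplane/function-keycloak-builtin-objects:v1.0.0@sha256:<digest of the reviewed image>`, and dropping `packagePullPolicy: Always` (the two upbound functions above rely on the default) makes the supply chain reproducible. If `Always` was added to pick up a fix during development, a comment saying so would stop it surviving into steady state.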
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - provider.yaml
+ - functions.yaml
+ - composition.yaml
+ - xrd.yaml
diff --git a/k8s/infra/controllers/crossplane/providers/keycloak/provider.yaml b/k8s/infra/crossplane-crds/config/keycloak/provider.yaml
similarity index 100%
rename from k8s/infra/controllers/crossplane/providers/keycloak/provider.yaml
rename to k8s/infra/crossplane-crds/config/keycloak/provider.yaml
diff --git a/k8s/infra/crossplane-crds/config/keycloak/xrd.yaml b/k8s/infra/crossplane-crds/config/keycloak/xrd.yaml
new file mode 100644
index 0000000..9e03693
--- /dev/null
+++ b/k8s/infra/crossplane-crds/config/keycloak/xrd.yaml
@@ -0,0 +1,50 @@
+apiVersion: apiextensions.crossplane.io/v1
+kind: CompositeResourceDefinition
+metadata:
+ name: xbuiltinobjects.keycloak.crossplane.io
+spec:
+ group: keycloak.crossplane.io
+ names:
+ kind: XBuiltinObjects
+ plural: xbuiltinobjects
+ versions:
+ - name: v1alpha1
+ served: true
+ referenceable: true
+ schema:
+ openAPIV3Schema:
+ type: object
+ properties:
+ spec:
+ type: object
+ properties:
+ realm:
+ type: string
+ description: Realm to import the builtin clients/roles from
+ builtinClients:
+ type: array
+ items:
+ type: string
+ description: List of clients to import from the realm
+ builtinRealmRoles:
+ type: array
+ items:
+ type: string
+ enum:
+ - offline_access
+ - uma_authorization
+ - admin
+ - create-realm
+ description: List of realm roles to import from the realm
+ providerConfigName:
+ type: string
+ description: Name of the provider config to attach to the imported clients/roles
+ providerSecretName:
+ type: string
+ description: Name of the secret containing the provider credentials (Secret must have a label with key=type and value=provider-credentials to be found)
+ required:
+ - providerConfigName
+ - providerSecretName
+ - realm
+ required:
+ - spec
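Review bot: `builtinClients` accepts any string while its sibling `builtinRealmRoles` is constrained by an `enum`, so a typo such as `realm-managment` in `builtin-objects.yaml` passes admission and only surfaces as a failure inside the function. Mirroring the enum with the six built-in client names the commit actually uses keeps the two fields consistent and fails fast; if the function is known to support further built-ins, extend the list rather than omit it. The schema also lets both arrays be empty, which may be intended but is worth a `minItems: 1` or a sentence in the description.

```yaml
              builtinClients:
                type: array
                items:
                  type: string
                  enum:
                    - account
                    - account-console
                    - admin-cli
                    - broker
                    - realm-management
                    - security-admin-console
                description: List of clients to import from the realm
# … unchanged: builtinRealmRoles, providerConfigName, providerSecretName …
```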
diff --git a/k8s/infra/crossplane-crds/config/kustomization.yaml b/k8s/infra/crossplane-crds/config/kustomization.yaml
new file mode 100644
index 0000000..39bbd11
--- /dev/null
+++ b/k8s/infra/crossplane-crds/config/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - keycloak
diff --git a/k8s/infra/crossplane-crds/kustomization.yaml b/k8s/infra/crossplane-crds/kustomization.yaml
new file mode 100644
index 0000000..ce3848f
--- /dev/null
+++ b/k8s/infra/crossplane-crds/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+commonLabels:
+ dev.stonegarden: crossplane-crds
+ app.kubernetes.io/managed-by: argocd
+
+resources:
+ - project.yaml
+ - application-set.yaml
diff --git a/k8s/infra/crossplane-crds/project.yaml b/k8s/infra/crossplane-crds/project.yaml
new file mode 100644
index 0000000..970e0a1
--- /dev/null
+++ b/k8s/infra/crossplane-crds/project.yaml
@@ -0,0 +1,16 @@
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+ name: crossplane-crds
+ namespace: argocd
+spec:
+ sourceRepos:
+ - 'https://github.com/vehagn/homelab'
+ destinations:
+ - namespace: 'argocd'
+ server: '*'
+ - namespace: 'crossplane'
+ server: '*'
+ clusterResourceWhitelist:
+ - group: '*'
+ kind: '*'
diff --git a/k8s/infra/controllers/crossplane/providers/keycloak/default-config.yaml b/k8s/infra/crossplane-crds/providers/keycloak/default-config.yaml
similarity index 100%
rename from k8s/infra/controllers/crossplane/providers/keycloak/default-config.yaml
rename to k8s/infra/crossplane-crds/providers/keycloak/default-config.yaml
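Review bot: `clusterResourceWhitelist: group '*' / kind '*'` together with `server: '*'` lets anything synced under this project create any cluster-scoped object (ClusterRoleBindings, webhooks, CRDs) on any cluster Argo CD knows about, while the two apps it admits only need the Crossplane package, composition and Keycloak-provider API groups. Since the ApplicationSet targets `in-cluster`, the destinations can be pinned to that server and the whitelist reduced to the groups actually used; the exact group list should be checked against what `provider.yaml` and `default-config.yaml` declare, which is not visible in this diff.

```yaml
  destinations:
    - namespace: 'argocd'
      server: 'https://kubernetes.default.svc'
    - namespace: 'crossplane'
      server: 'https://kubernetes.default.svc'
  clusterResourceWhitelist:
    - group: 'pkg.crossplane.io'
      kind: '*'
    - group: 'apiextensions.crossplane.io'
      kind: '*'
    - group: 'keycloak.crossplane.io'
      kind: '*'
```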
diff --git a/k8s/infra/controllers/crossplane/providers/keycloak/keycloak-credentials.yaml b/k8s/infra/crossplane-crds/providers/keycloak/keycloak-credentials.yaml
similarity index 100%
rename from k8s/infra/controllers/crossplane/providers/keycloak/keycloak-credentials.yaml
rename to k8s/infra/crossplane-crds/providers/keycloak/keycloak-credentials.yaml
diff --git a/k8s/infra/controllers/crossplane/providers/keycloak/kustomization.yaml b/k8s/infra/crossplane-crds/providers/keycloak/kustomization.yaml
similarity index 87%
rename from k8s/infra/controllers/crossplane/providers/keycloak/kustomization.yaml
rename to k8s/infra/crossplane-crds/providers/keycloak/kustomization.yaml
index 324ae5f..a24e484 100644
--- a/k8s/infra/controllers/crossplane/providers/keycloak/kustomization.yaml
+++ b/k8s/infra/crossplane-crds/providers/keycloak/kustomization.yaml
@@ -2,6 +2,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- - provider.yaml
 - keycloak-credentials.yaml
 - default-config.yaml
diff --git a/k8s/infra/crossplane-crds/providers/kustomization.yaml b/k8s/infra/crossplane-crds/providers/kustomization.yaml
new file mode 100644
index 0000000..39bbd11
--- /dev/null
+++ b/k8s/infra/crossplane-crds/providers/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+ - keycloak
diff --git a/k8s/infra/vpn/application-set.yaml b/k8s/infra/vpn/application-set.yaml
new file mode 100644
index 0000000..9ed1d93
--- /dev/null
+++ b/k8s/infra/vpn/application-set.yaml
@@ -0,0 +1,34 @@
+apiVersion: argoproj.io/v1alpha1
+kind: ApplicationSet
+metadata:
+ name: vpn
+ namespace: argocd
+ labels:
+ dev.stonegarden: auth
+spec:
+ generators:
+ - git:
+ repoURL: https://github.com/vehagn/homelab
+ revision: HEAD
+ directories:
+ - path: k8s/infra/vpn/*
+ template:
+ metadata:
+ name: '{{ path.basename }}'
+ labels:
+ dev.stonegarden: controllers
+ spec:
+ project: vpn
+ source:
+ plugin:
+ name: kustomize-build-with-helm
+ repoURL: https://github.com/vehagn/homelab
+ targetRevision: HEAD
+ path: '{{ path }}'
+ destination:
+ name: in-cluster
+ namespace: argocd
+ syncPolicy:
+ automated:
+ selfHeal: true
+ prune: true
diff --git a/k8s/infra/vpn/coturn/kustomization.yaml b/k8s/infra/vpn/coturn/kustomization.yaml
new file mode 100644
index 0000000..f07f816
--- /dev/null
+++ b/k8s/infra/vpn/coturn/kustomization.yaml
@@ -0,0 +1,15 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: coturn
+
+resources:
+ - ns.yaml
+ - secret-netbird-credentials.yaml
+
+helmCharts:
+ - name: coturn
+ repo: https://charts.jaconi.io
+ releaseName: coturn
+ namespace: coturn
+ version: 0.8.6
+ valuesFile: values.yaml
diff --git a/k8s/infra/vpn/coturn/ns.yaml b/k8s/infra/vpn/coturn/ns.yaml
new file mode 100644
index 0000000..a4872c9
--- /dev/null
+++ b/k8s/infra/vpn/coturn/ns.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: coturn
diff --git a/k8s/infra/vpn/coturn/secret-netbird-credentials.yaml b/k8s/infra/vpn/coturn/secret-netbird-credentials.yaml
new file mode 100644
index 0000000..7f75f18
--- /dev/null
+++ b/k8s/infra/vpn/coturn/secret-netbird-credentials.yaml
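Review bot: The labels on this ApplicationSet are inconsistent with the rest of the `vpn` tree: the set itself carries `dev.stonegarden: auth`, the generated apps get `dev.stonegarden: controllers`, and `k8s/infra/vpn/kustomization.yaml` in the same commit applies `dev.stonegarden: vpn` — this looks like a copy of another set whose labels were not updated, and it will break any selector that groups apps by that label. Both should read `dev.stonegarden: vpn`. The template name `'{{ path.basename }}'` also produces bare app names (`coturn`, `netbird`) unlike the `crossplane-crds-{{ path.basename }}` prefix used by the sibling set, so a second set generating a directory of the same name would collide in the `argocd` namespace; `name: 'vpn-{{ path.basename }}'` keeps the convention.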
@@ -0,0 +1,14 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ name: netbird-turn-credentials
+ namespace: coturn
+spec:
+ encryptedData:
+ password: AgDILP8Rl3KzqKkm0u223SbYovP6j3xYR3zA+le2g9nH6HNudRRDRjxY5STex29aM2wDgtjzyAV6NVGo2TeQD/dFPNIGtH/g6XtXdnF/q7HA9PjRoEoAu7UptJ1S8yxo1bVNdC7SqQuEDqKQKxxNoD7Xgk/0X9Qu0yXoBmL3NgaROOQELwiK/je9UrACAMNQKZMuxZnF+1vGZkBud0zRd3fLL1i0nkhYGM+MWWEs6Te4RYJnpFe1bma1ou7G0oxE/WHsOFJrzqCel1NSACS7vc9Rg5bFh7chQYBbz6sB4/4QBtMS34xKWbgnzPM9U8PyhM5u9Hr+Bj86MQAxjzgXqNmwRBZ+bQuvVgvNBSMxTkmLQtH4mq941OGgS7E7bxlk57qOLjk0NzUV6oKzK3nQARJBTbQT2nDifyKWCIAH7rCkkdkZosKm185XJK3AcIPnM+YJK/b41sVkBzk+h3hwIwSY8FoJUzBAhhD1Ly3FHzkgE9oewYO7WWP4cjl+FndItsd98nlSdRjWpdDTTPpLd2Z4Vyn1WF4DBNfe1+S089mM6XgQzxltsHZ3hCNDQPSCsuUK/oSZAO3fi4Pww/7cdShEXsPpfHRApdZbXkruhEeQ8A1h+fqquFeCW54RrTnztj5pxBxKnoEXLl5h7oYMMsoWKBVpG94Fc3pXh6CcahFvAiiSbNpmwfWjRVnQBJVx7UWqstnUd4soiYtjycRzJz0OiXjyAzUM2zIXjn1x280iuOye6y+68qxY
+ username: AgCrrYOsRSEszxDU8PTommgDRFmBhtvjge4hE+ifdS3AmAbTzvAfTkG8ZbApWZ21Tch42bb8LDJMYklY7rzmqKmfen4CO5dOyy4vZ1WUyg6FoFrzRGg+BseUZoOxKnO0NRrHqLIWJDlYyhXwOnZj3RCIkuvhYscLCUgFSz5WnqnOtO5k0z26VoanJU6ia8slXFfUZ1XTruZULmBt+WhMhOD1qX9iCL6E3IOxzZ93jRVzFNyyl8SHxPGI6M9YEQFeomaKzKIHqfZ/u1dqWzteVlAQn5rG2ahV5fZ3orXmMwhx1YE8ObyP5e53oEa+idtwcK+I44tc6QNolMD1xMeMIXJ4F7NiyB7LhdduZIDwxH+6VmX5bCMDMRYIqEYPyZQ+bVF+RVGXtmOJEFrWtSJvIkOha/e7rKXw4hMLRj7bFmLtNkFIBFiI/9mH+e/hI0zCFfa3WBfbBBIlK2/NkrreyHpyplqKnhnqXhWuXDkd/0ldYJDowfgHiKqMax8ejIgJ1dmxm2emUt8vigN37yzfTZ6kOeMy9Q7bh9SANKrZnBGlmzHg5DoHCn7sAphEpmbOxCxFKN8+eYT806ilyg5x/tPhR3u5/dw2VAzljosgW6h2rS4+4zSOWkBjVuyrR1KVBUC+VQxBUaK6i8lLbGRZuYizLwrXgrIdDGd/Onub05eymOvHb+KP2iPj2cOqO3JAuG2vf0LGkM+d
+ template:
+ metadata:
+ name: netbird-turn-credentials
+ namespace: coturn
+ type: Opaque
diff --git a/k8s/infra/vpn/coturn/values.yaml b/k8s/infra/vpn/coturn/values.yaml
new file mode 100644
index 0000000..8f3a8d5
--- /dev/null
+++ b/k8s/infra/vpn/coturn/values.yaml
@@ -0,0 +1,20 @@
+realm: coturn.stonegarden.dev
+replicaCount: 1
+extraOptions:
+ - --listening-ip=0.0.0.0
+
+certificate:
+ enabled: true
+ dnsName: coturn.stonegarden.dev
+ issuerName: cloudflare-cluster-issuer
+
+service:
+ annotations:
+ io.cilium/lb-ipam-ips: 192.168.1.226
+ type: LoadBalancer
+
+users:
+ - name: netbird
+ secretKeyRef:
+ name: netbird-turn-credentials
+ key: password
diff --git a/k8s/infra/vpn/kustomization.yaml b/k8s/infra/vpn/kustomization.yaml
new file mode 100644
index 0000000..d8dbc4e
--- /dev/null
+++ b/k8s/infra/vpn/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+commonLabels:
+ dev.stonegarden: vpn
+ app.kubernetes.io/managed-by: argocd
+
+resources:
+ - project.yaml
+ - application-set.yaml
diff --git a/k8s/infra/vpn/netbird/backend/kustomization.yaml b/k8s/infra/vpn/netbird/backend/kustomization.yaml
new file mode 100644
index 0000000..ced305d
--- /dev/null
+++ b/k8s/infra/vpn/netbird/backend/kustomization.yaml
@@ -0,0 +1,23 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: netbird
+
+resources:
+ - oidc-client.yaml
+ - oidc-sa-role.yaml
+ - secret-coturn-credentials.yaml
+ - secret-oidc-credentials.yaml
+
+helmCharts:
+ - name: netbird
+ repo: https://charts.jaconi.io
+ releaseName: netbird-backend
+ namespace: netbird
+ version: 0.14.2
+ valuesFile: values.yaml
+
+patches:
+ - path: patches/deployment-strategy-management.yaml
+ - path: patches/deployment-strategy-signal.yaml
+ - path: patches/pvc-backend-management.yaml
+ - path: patches/pvc-backend-signal.yaml
diff --git a/k8s/infra/vpn/netbird/backend/oidc-client.yaml b/k8s/infra/vpn/netbird/backend/oidc-client.yaml
new file mode 100644
index 0000000..f5e6167
--- /dev/null
+++ b/k8s/infra/vpn/netbird/backend/oidc-client.yaml
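Review bot: `extraOptions` only sets `--listening-ip=0.0.0.0`, so this coturn instance — a LoadBalancer on `192.168.1.226` with a public realm and certificate, which suggests it is reachable from the internet — relays to any peer address by default. The single long-term `netbird` credential is distributed to every NetBird peer via the management server, so anyone holding it (or a leaked copy) can use the relay to reach hosts on the `192.168.1.0/24` LAN the server sits on. Denying relays to private and loopback ranges and disabling multicast peers and the CLI port is the standard hardening; NetBird peers still connect relay-to-relay, but it is worth verifying ICE still completes for LAN peers after the change.

```yaml
extraOptions:
  - --listening-ip=0.0.0.0
  - --no-cli
  - --no-multicast-peers
  - --denied-peer-ip=10.0.0.0-10.255.255.255
  - --denied-peer-ip=172.16.0.0-172.31.255.255
  - --denied-peer-ip=192.168.0.0-192.168.255.255
  - --denied-peer-ip=127.0.0.0-127.255.255.255
# … unchanged: certificate, service, users …
```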
@@ -0,0 +1,25 @@
+apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
+kind: Client
+metadata:
+ name: netbird-backend
+spec:
+ deletionPolicy: Delete
+ forProvider:
+ name: Netbird Backend
+ accessType: CONFIDENTIAL
+ clientId: netbird-backend
+ clientSecretSecretRef:
+ namespace: netbird
+ name: netbird-backend-oidc-credentials
+ key: clientSecret
+ description: Netbird Backend Client
+ standardFlowEnabled: true
+ directAccessGrantsEnabled: true
+ serviceAccountsEnabled: true
+ oauth2DeviceAuthorizationGrantEnabled: true
+ validRedirectUris:
+ - "/*"
+ webOrigins:
+ - "+"
+ realmIdRef:
+ name: homelab
diff --git a/k8s/infra/vpn/netbird/backend/oidc-sa-role.yaml b/k8s/infra/vpn/netbird/backend/oidc-sa-role.yaml
new file mode 100644
index 0000000..193397c
--- /dev/null
+++ b/k8s/infra/vpn/netbird/backend/oidc-sa-role.yaml
@@ -0,0 +1,13 @@
+apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
+kind: ClientServiceAccountRole
+metadata:
+ name: netbird-backend-view-users
+spec:
+ forProvider:
+ clientIdRef:
+ name: builtin-homelab-realm-management
+ realmIdRef:
+ name: homelab
+ role: view-users
+ serviceAccountUserClientIdRef:
+ name: netbird-backend
diff --git a/k8s/infra/vpn/netbird/backend/patches/deployment-strategy-management.yaml b/k8s/infra/vpn/netbird/backend/patches/deployment-strategy-management.yaml
new file mode 100644
index 0000000..66c8f4c
--- /dev/null
+++ b/k8s/infra/vpn/netbird/backend/patches/deployment-strategy-management.yaml
@@ -0,0 +1,7 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: netbird-backend-management
+spec:
+ strategy:
+ type: Recreate
diff --git a/k8s/infra/vpn/netbird/backend/patches/deployment-strategy-signal.yaml b/k8s/infra/vpn/netbird/backend/patches/deployment-strategy-signal.yaml
new file mode 100644
index 0000000..5dcd5c4
--- /dev/null
+++ b/k8s/infra/vpn/netbird/backend/patches/deployment-strategy-signal.yaml
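Review bot: The `netbird-backend` client enables every grant type — `standardFlowEnabled`, `directAccessGrantsEnabled`, `oauth2DeviceAuthorizationGrantEnabled` and `serviceAccountsEnabled` — plus a catch-all `validRedirectUris: "/*"` and `webOrigins: "+"`, yet `backend/values.yaml` in this commit uses it only with `grantType: client_credentials` to reach the admin API (the device flow runs on the public `netbird` client). A confidential service client with the authorization-code, password and device flows switched on is an unnecessary way to mint tokens for the `view-users` service account should the secret leak. Set `standardFlowEnabled: false`, `directAccessGrantsEnabled: false` and `oauth2DeviceAuthorizationGrantEnabled: false`, and drop the `validRedirectUris`/`webOrigins` entries, leaving only `serviceAccountsEnabled: true`.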
@@ -0,0 +1,7 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: netbird-backend-signal
+spec:
+ strategy:
+ type: Recreate
diff --git a/k8s/infra/vpn/netbird/backend/patches/pvc-backend-management.yaml b/k8s/infra/vpn/netbird/backend/patches/pvc-backend-management.yaml
new file mode 100644
index 0000000..2614bd2
--- /dev/null
+++ b/k8s/infra/vpn/netbird/backend/patches/pvc-backend-management.yaml
@@ -0,0 +1,7 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: netbird-backend-management
+spec:
+ storageClassName: proxmox-csi
+ volumeName: pv-netbird-management
diff --git a/k8s/infra/vpn/netbird/backend/patches/pvc-backend-signal.yaml b/k8s/infra/vpn/netbird/backend/patches/pvc-backend-signal.yaml
new file mode 100644
index 0000000..25360f5
--- /dev/null
+++ b/k8s/infra/vpn/netbird/backend/patches/pvc-backend-signal.yaml
@@ -0,0 +1,7 @@
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ name: netbird-backend-signal
+spec:
+ storageClassName: proxmox-csi
+ volumeName: pv-netbird-signal
diff --git a/k8s/infra/vpn/netbird/backend/secret-coturn-credentials.yaml b/k8s/infra/vpn/netbird/backend/secret-coturn-credentials.yaml
new file mode 100644
index 0000000..ef187a6
--- /dev/null
+++ b/k8s/infra/vpn/netbird/backend/secret-coturn-credentials.yaml
@@ -0,0 +1,14 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ name: netbird-turn-credentials
+ namespace: netbird
+spec:
+ encryptedData:
+ password: AgDUdAAoOuDYCGZUlnXoPefrm9YwQuaBr7CNBTRr9CVLsHEYunkYnGRyxcxDCa5y5Kn45JBROqrklITTNq1q6OxYCvR1+VOLYvSltPAH3m5kPN/SR6jkxIrSikkD1YjZQpD49vVTXfNYI7RQCiN803gfEQlTq/mDkSEVXSjBUhlCTPz7Q+1puMXCOux31cbgqGVaFOEm1QxxbbsSbpjTLZl8JZW48/+uHv/0KkQvIHinwOUcx+ChHnijAS0AM8dPNl5k5kcV7SZCayKDVuRaEj7FkAxzoZGrsM7YoPeZXESP1o3ED+jqZhu7LFEGndH/fWDkO/JgyX2MvMqapV+jPFe7b4Cn7gn/ivw01ySnD3E2B/Mpo/7A43Cg5gDKGcVwr/0Fqc++cT0Dc4H04tCqvV4uX+fnuqiemL4xmZj8BYz4/UWuXq+iEK2K+jufrxQOGEZgN3tU7ld5x/SNi8cRf4pIiGCpJzLpnrmR95Y6ae18y67INcsEozc3AZ7KfB8OGS6ak/mZhAbTSj/KO+KZat3h7g/YNUiWlzlmPhETJYmxstXd2PnQG7OCQvjjrSTjpnSoGGvOYv7GpdDdfpW+7sSspDSHXh6AKz2CtqKWaxiaZWmE1vvJKJLfzVnK99mKjITEXPKLQFUrp5+e3KJktFh79bxW+VUKlUoEa+Jy0ZVs25xkLUb1/viAc3Z2vvQYVwv2bMMHYNUC5F8tJReLQ2cwqCZnTf1gwvNH26iK+FFkuOLVB3gQAaba
+ username: 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
+ template:
+ metadata:
+ name: netbird-turn-credentials
+ namespace: netbird
+ type: Opaque
diff --git a/k8s/infra/vpn/netbird/backend/secret-oidc-credentials.yaml b/k8s/infra/vpn/netbird/backend/secret-oidc-credentials.yaml
new file mode 100644
index 0000000..04624c5
--- /dev/null
+++ b/k8s/infra/vpn/netbird/backend/secret-oidc-credentials.yaml
@@ -0,0 +1,14 @@
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+ name: netbird-backend-oidc-credentials
+ namespace: netbird
+spec:
+ encryptedData:
+ clientId: 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
+ clientSecret: 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
+ template:
+ metadata:
+ name: netbird-backend-oidc-credentials
+ namespace: netbird
+ type: Opaque
diff --git a/k8s/infra/vpn/netbird/backend/values.yaml b/k8s/infra/vpn/netbird/backend/values.yaml
new file mode 100644
index 0000000..ff04969
--- /dev/null
+++ b/k8s/infra/vpn/netbird/backend/values.yaml
@@ -0,0 +1,72 @@
+auth:
+ authority: https://keycloak.stonegarden.dev/realms/homelab
+ audience: netbird
+ device:
+ provider: hosted
+ audience: netbird
+ authority: https://keycloak.stonegarden.dev/realms/homelab
+ clientID: netbird
+ deviceAuthorizationEndpoint: https://keycloak.stonegarden.dev/realms/homelab/protocol/openid-connect/auth
+ tokenEndpoint: https://keycloak.stonegarden.dev/realms/homelab/protocol/openid-connect/token
+ scope: openid
+ useIDToken: false
+
+idp:
+ managerType: keycloak
+ clientID: netbird-backend
+ secretKeyRef:
+ name: netbird-backend-oidc-credentials
+ key: clientSecret
+ grantType: client_credentials
+ adminEndpoint: https://keycloak.stonegarden.dev/admin/realms/homelab
+ tokenEndpoint: https://keycloak.stonegarden.dev/realms/homelab/protocol/openid-connect/token
+
+management:
+ image:
+ tag: 0.28.4
+ nodeSelector:
+ topology.kubernetes.io/zone: abel
+ ingress:
+ enabled: false
+# annotations:
+# cert-manager.io/cluster-issuer: cloudflare-cluster-issuer
+# hosts:
+# - host: netbird.stonegarden.dev
+# paths:
+# - path: /api
+# pathType: Prefix
+# - path: /management.ManagementService/
+# pathType: Prefix
+# tls:
+# - hosts:
+# - netbird.stonegarden.dev
+
+signal:
+ image:
+ tag: 0.28.4
+ nodeSelector:
+ topology.kubernetes.io/zone: abel
+ uri: netbird.stonegarden.dev:443
+ protocol: https
+ ingress:
+ enabled: false
+# annotations:
+# cert-manager.io/cluster-issuer: cloudflare-cluster-issuer
+# hosts:
+# - host: netbird.stonegarden.dev
+# paths:
+# - path: /signalexchange.SignalExchange/
+# pathType: Prefix
+# tls:
+# - hosts:
+# - netbird.stonegarden.dev
+
+stun:
+ uri: stun:coturn.stonegarden.dev:3478
+
+turn:
+ uri: turn:coturn.stonegarden.dev:3478
+ user: netbird
+ secretKeyRef:
+ name: netbird-turn-credentials
+ key: password
diff --git a/k8s/infra/vpn/netbird/dashboard/kustomization.yaml b/k8s/infra/vpn/netbird/dashboard/kustomization.yaml
new file mode 100644
index 0000000..ed09298
--- /dev/null
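Review bot: The two commented-out `ingress` blocks under `management` and `signal` (22 lines) are dead configuration: both charts' ingresses are disabled here and the same host and paths are defined in `netbird/ingress.yaml` and `netbird/http-route.yaml` in this commit, so the comments will drift from whichever of those files is kept. Replacing each block with a one-line pointer, `# ingress disabled; host routing lives in ../http-route.yaml`, keeps the values file readable. The `stun`/`turn` URIs also deserve a note that the `netbird` user and `netbird-turn-credentials` secret must match the `users` entry in `coturn/values.yaml`, since nothing else ties the two files together.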
+++ b/k8s/infra/vpn/netbird/dashboard/kustomization.yaml
@@ -0,0 +1,16 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: netbird
+
+resources:
+ - oidc-scopes.yaml
+ - oidc-client.yaml
+ - oidc-client-scopes.yaml
+
+helmCharts:
+ - name: netbird-dashboard
+ repo: https://charts.jaconi.io
+ releaseName: netbird-dashboard
+ namespace: netbird
+ version: 1.0.0
+ valuesFile: values.yaml
diff --git a/k8s/infra/vpn/netbird/dashboard/oidc-client-scopes.yaml b/k8s/infra/vpn/netbird/dashboard/oidc-client-scopes.yaml
new file mode 100644
index 0000000..f4b5708
--- /dev/null
+++ b/k8s/infra/vpn/netbird/dashboard/oidc-client-scopes.yaml
@@ -0,0 +1,17 @@
+apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
+kind: ClientDefaultScopes
+metadata:
+ name: netbird-default-scopes
+spec:
+ forProvider:
+ defaultScopes:
+ - acr
+ - email
+ - profile
+ - roles
+ - web-origins
+ - netbird-api
+ clientIdRef:
+ name: netbird
+ realmIdRef:
+ name: homelab
diff --git a/k8s/infra/vpn/netbird/dashboard/oidc-client.yaml b/k8s/infra/vpn/netbird/dashboard/oidc-client.yaml
new file mode 100644
index 0000000..db5d99c
--- /dev/null
+++ b/k8s/infra/vpn/netbird/dashboard/oidc-client.yaml
@@ -0,0 +1,24 @@
+apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
+kind: Client
+metadata:
+ name: netbird
+spec:
+ forProvider:
+ name: Netbird
+ accessType: PUBLIC
+ clientId: netbird
+ description: Netbird Client
+ standardFlowEnabled: true
+ directAccessGrantsEnabled: true
+ oauth2DeviceAuthorizationGrantEnabled: true
+ baseUrl: "https://netbird.stonegarden.dev"
+ validRedirectUris:
+ - "http://localhost:53000"
+ - "http://localhost:8080/*"
+ - "https://netbird.stonegarden.dev/*"
+ validPostLogoutRedirectUris:
+ - "https://netbird.stonegarden.dev/*"
+ webOrigins:
+ - "+"
+ realmIdRef:
+ name: homelab
diff --git a/k8s/infra/vpn/netbird/dashboard/oidc-scopes.yaml b/k8s/infra/vpn/netbird/dashboard/oidc-scopes.yaml
new file mode 100644
index 0000000..03af8d8
--- /dev/null
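Review bot: `directAccessGrantsEnabled: true` on a `PUBLIC` client enables the resource-owner password grant, so anyone can POST a username and password to the realm's token endpoint with `client_id=netbird` and obtain a token carrying the `netbird` audience — bypassing the browser login, any realm MFA and the consent screen the `netbird-api` scope defines. The dashboard uses the authorization-code flow and the CLI the device flow, both already enabled here, so this should be `directAccessGrantsEnabled: false`. The `http://localhost:8080/*` redirect URI also has no visible consumer (the `:53000` entry appears to serve the local CLI callback); if it is a leftover from testing it should go, otherwise a comment naming what uses it would help the next reader.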
+++ b/k8s/infra/vpn/netbird/dashboard/oidc-scopes.yaml
@@ -0,0 +1,31 @@
+apiVersion: openidclient.keycloak.crossplane.io/v1alpha1
+kind: ClientScope
+metadata:
+ name: netbird-api
+spec:
+ forProvider:
+ name: netbird-api
+ consentScreenText: Netbird Management API
+ includeInTokenScope: true
+ realmIdRef:
+ name: homelab
+---
+apiVersion: client.keycloak.crossplane.io/v1alpha1
+kind: ProtocolMapper
+metadata:
+ name: netbird-api-audience-mapper
+spec:
+ forProvider:
+ name: Audience for NetBird Management API
+ protocol: openid-connect
+ protocolMapper: oidc-audience-mapper
+ config:
+ included.client.audience: "netbird"
+ id.token.claim: "false"
+ access.token.claim: "true"
+ introspection.token.claim: "true"
+ userinfo.token.claim: "false"
+ clientScopeIdRef:
+ name: netbird-api
+ realmIdRef:
+ name: homelab
diff --git a/k8s/infra/vpn/netbird/dashboard/values.yaml b/k8s/infra/vpn/netbird/dashboard/values.yaml
new file mode 100644
index 0000000..873c147
--- /dev/null
+++ b/k8s/infra/vpn/netbird/dashboard/values.yaml
@@ -0,0 +1,25 @@
+image:
+ tag: v2.4.1
+
+auth:
+ authority: https://keycloak.stonegarden.dev/realms/homelab
+ audience: netbird
+ clientID: netbird
+ supportedScopes: openid profile email offline_access netbird-api
+
+netbird:
+ managementApiEndpoint: https://netbird.stonegarden.dev
+ managementGrpcApiEndpoint: https://netbird.stonegarden.dev
+
+ingress:
+ enabled: false
+# annotations:
+# cert-manager.io/cluster-issuer: cloudflare-cluster-issuer
+# hosts:
+# - host: netbird.stonegarden.dev
+# paths:
+# - path: /
+# pathType: Prefix
+# tls:
+# - hosts:
+# - netbird.stonegarden.dev
diff --git a/k8s/infra/vpn/netbird/http-route.yaml b/k8s/infra/vpn/netbird/http-route.yaml
new file mode 100644
index 0000000..894e5e0
--- /dev/null
+++ b/k8s/infra/vpn/netbird/http-route.yaml
@@ -0,0 +1,36 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: HTTPRoute
+metadata:
+ name: netbird
+ namespace: netbird
+spec:
+ parentRefs:
+ - name: stonegarden
+ namespace: gateway
+ hostnames:
+ - "netbird.stonegarden.dev"
+ rules:
+ - backendRefs:
+ - name: netbird-dashboard
+ port: 80
+ matches:
+ - path:
+ type: PathPrefix
+ value: /
+ - backendRefs:
+ - name: netbird-backend-management
+ port: 80
+ matches:
+ - path:
+ type: PathPrefix
+ value: /api
+ - path:
+ type: PathPrefix
+ value: /management.ManagementService/
+ - backendRefs:
+ - name: netbird-backend-signal
+ port: 80
+ matches:
+ - path:
+ type: PathPrefix
+ value: /signalexchange.SignalExchange/
diff --git a/k8s/infra/vpn/netbird/ingress.yaml b/k8s/infra/vpn/netbird/ingress.yaml
new file mode 100644
index 0000000..27404ae
--- /dev/null
+++ b/k8s/infra/vpn/netbird/ingress.yaml
@@ -0,0 +1,50 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ annotations:
+ cert-manager.io/cluster-issuer: cloudflare-cluster-issuer
+ name: netbird
+ namespace: netbird
+spec:
+ tls:
+ - secretName: netbird-ingress-tls
+ hosts:
+ - netbird.stonegarden.dev
+ rules:
+ - host: netbird.stonegarden.dev
+ http:
+ paths:
+ - backend:
+ service:
+ name: netbird-backend-management
+ port:
+ number: 80
+ path: /api
+ pathType: Prefix
+ - backend:
+ service:
+ name: netbird-backend-management
+ port:
+ number: 80
+ path: /management.ManagementService/
+ pathType: Prefix
+ - host: netbird.stonegarden.dev
+ http:
+ paths:
+ - backend:
+ service:
+ name: netbird-backend-signal
+ port:
+ number: 80
+ path: /signalexchange.SignalExchange/
+ pathType: Prefix
+ - host: netbird.stonegarden.dev
+ http:
+ paths:
+ - backend:
+ service:
+ name: netbird-dashboard
+ port:
+ number: 80
+ path: /
+ pathType: Prefix
diff --git a/k8s/infra/vpn/netbird/kustomization.yaml b/k8s/infra/vpn/netbird/kustomization.yaml
new file mode 100644
index 0000000..22c9872
--- /dev/null
+++ b/k8s/infra/vpn/netbird/kustomization.yaml
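Review bot: This Ingress and the HTTPRoute above publish the same hostname, paths and backends, and `netbird/kustomization.yaml` in this commit includes both, so `netbird.stonegarden.dev` ends up with two independent entry points and two TLS termination paths (cert-manager's `netbird-ingress-tls` here versus whatever the `stonegarden` Gateway terminates) — which one answers depends on the ingress controller and Gateway in use, and a policy applied to one (auth, rate limits, headers) silently does not cover the other. Keep a single route; if Gateway API is the target, drop `ingress.yaml` from the kustomization, or leave a comment on whichever stays explaining why both exist. As a style point, the three `rules` entries repeat `host: netbird.stonegarden.dev` and could be a single rule with one `paths` list.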
@@ -0,0 +1,10 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: netbird
+
+resources:
+ - ns.yaml
+ - http-route.yaml
+ - ingress.yaml
+ - backend
+ - dashboard
diff --git a/k8s/infra/vpn/netbird/ns.yaml b/k8s/infra/vpn/netbird/ns.yaml
new file mode 100644
index 0000000..db05a13
--- /dev/null
+++ b/k8s/infra/vpn/netbird/ns.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: netbird
diff --git a/k8s/infra/vpn/project.yaml b/k8s/infra/vpn/project.yaml
new file mode 100644
index 0000000..c420906
--- /dev/null
+++ b/k8s/infra/vpn/project.yaml
@@ -0,0 +1,18 @@
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+ name: vpn
+ namespace: argocd
+spec:
+ sourceRepos:
+ - 'https://github.com/vehagn/homelab'
+ destinations:
+ - namespace: 'argocd'
+ server: '*'
+ - namespace: 'coturn'
+ server: '*'
+ - namespace: 'netbird'
+ server: '*'
+ clusterResourceWhitelist:
+ - group: '*'
+ kind: '*'
diff --git a/tofu/kubernetes/bootstrap/volumes/README.md b/tofu/kubernetes/bootstrap/volumes/README.md
index afa02fe..2694acd 100644
--- a/tofu/kubernetes/bootstrap/volumes/README.md
+++ b/tofu/kubernetes/bootstrap/volumes/README.md
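Review bot: `clusterResourceWhitelist: group '*' / kind '*'` with `server: '*'` lets the `vpn` project create any cluster-scoped object anywhere, but the apps it admits only need two things at cluster scope: the `Namespace` objects in `coturn/ns.yaml` and `netbird/ns.yaml`, and the Crossplane Keycloak managed resources under `netbird/` (`Client`, `ClientServiceAccountRole`, `ClientDefaultScopes`, `ClientScope`, `ProtocolMapper`), which as Crossplane managed resources are presumably cluster-scoped. Whitelisting just those keeps a bad commit under this project from creating e.g. a ClusterRoleBinding, and matches the `coturn`/`netbird` namespaces already enumerated in `destinations`.

```yaml
  clusterResourceWhitelist:
    - group: ''
      kind: Namespace
    - group: 'openidclient.keycloak.crossplane.io'
      kind: '*'
    - group: 'client.keycloak.crossplane.io'
      kind: '*'
```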
@@ -31,19 +31,37 @@ tofu state rm "module.volumes.module.proxmox-volume[\"pv-qbittorrent-config\"].r
 ## import proxmox volume
 ```shell
+tofu import 'module.volumes.module.proxmox-volume["pv-jellyfin-config"].restapi_object.proxmox-volume' /api2/json/nodes/euclid/storage/local-zfs/content/local-zfs:vm-9999-pv-jellyfin-config
+tofu import 'module.volumes.module.proxmox-volume["pv-keycloak-db"].restapi_object.proxmox-volume' /api2/json/nodes/euclid/storage/local-zfs/content/local-zfs:vm-9999-pv-keycloak-db
 tofu import 'module.volumes.module.proxmox-volume["pv-lidarr-config"].restapi_object.proxmox-volume' /api2/json/nodes/cantor/storage/local-zfs/content/local-zfs:vm-9999-pv-lidarr-config
-tofu import "module.volumes.module.proxmox-volume[\"pv-radarr-config\"].restapi_object.proxmox-volume" /api2/json/nodes/cantor/storage/local-zfs/content/local-zfs:vm-9999-pv-radarr-config
-tofu import "module.volumes.module.proxmox-volume[\"pv-sonarr-config\"].restapi_object.proxmox-volume" /api2/json/nodes/cantor/storage/local-zfs/content/local-zfs:vm-9999-pv-sonarr-config
-
-tofu import "module.volumes.module.proxmox-volume[\"pv-qbittorrent-config\"].restapi_object.proxmox-volume" /api2/json/nodes/euclid/storage/local-zfs/content/local-zfs:vm-9999-pv-qbittorrent-config
-
-tofu import "module.volumes.module.proxmox-volume[\"pv-plex-config\"].restapi_object.proxmox-volume" /api2/json/nodes/abel/storage/local-zfs/content/local-zfs:vm-9999-pv-plex-config
-tofu import "module.volumes.module.proxmox-volume[\"pv-jellyfin-config\"].restapi_object.proxmox-volume" /api2/json/nodes/abel/storage/local-zfs/content/local-zfs:vm-9999-pv-jellyfin-config
+tofu import 'module.volumes.module.proxmox-volume["pv-netbird-management"].restapi_object.proxmox-volume' /api2/json/nodes/abel/storage/local-zfs/content/local-zfs:vm-9999-pv-netbird-management
+tofu import 'module.volumes.module.proxmox-volume["pv-netbird-signal"].restapi_object.proxmox-volume' 
/api2/json/nodes/abel/storage/local-zfs/content/local-zfs:vm-9999-pv-netbird-signal
+tofu import 'module.volumes.module.proxmox-volume["pv-plex-config"].restapi_object.proxmox-volume' /api2/json/nodes/abel/storage/local-zfs/content/local-zfs:vm-9999-pv-plex-config
+tofu import 'module.volumes.module.proxmox-volume["pv-prometheus"].restapi_object.proxmox-volume' /api2/json/nodes/abel/storage/local-zfs/content/local-zfs:vm-9999-pv-prometheus
+tofu import 'module.volumes.module.proxmox-volume["pv-prowlarr-config"].restapi_object.proxmox-volume' /api2/json/nodes/euclid/storage/local-zfs/content/local-zfs:vm-9999-pv-prowlarr-config
+tofu import 'module.volumes.module.proxmox-volume["pv-radarr-config"].restapi_object.proxmox-volume' /api2/json/nodes/cantor/storage/local-zfs/content/local-zfs:vm-9999-pv-radarr-config
+tofu import 'module.volumes.module.proxmox-volume["pv-remark42"].restapi_object.proxmox-volume' /api2/json/nodes/euclid/storage/local-zfs/content/local-zfs:vm-9999-pv-remark42
+tofu import 'module.volumes.module.proxmox-volume["pv-sonarr-config"].restapi_object.proxmox-volume' /api2/json/nodes/cantor/storage/local-zfs/content/local-zfs:vm-9999-pv-sonarr-config
+tofu import 'module.volumes.module.proxmox-volume["pv-torrent-config"].restapi_object.proxmox-volume' /api2/json/nodes/euclid/storage/local-zfs/content/local-zfs:vm-9999-pv-torrent-config
 ```
 ## import persistent volume
 ```shell
-tofu import 'module.volumes.module.persistent-volume["pv-torrent-config"].kubernetes_persistent_volume.pv' pv-torrent-config
+tofu state rm module.volumes.module.persistent-volume
+```
+```shell
+tofu import 'module.volumes.module.persistent-volume["pv-jellyfin-config"].kubernetes_persistent_volume.pv' pv-jellyfin-config
+tofu import 'module.volumes.module.persistent-volume["pv-keycloak-db"].kubernetes_persistent_volume.pv' pv-keycloak-db
+tofu import 'module.volumes.module.persistent-volume["pv-lidarr-config"].kubernetes_persistent_volume.pv' pv-lidarr-config
+tofu import 
'module.volumes.module.persistent-volume["pv-netbird-management"].kubernetes_persistent_volume.pv' pv-netbird-management
+tofu import 'module.volumes.module.persistent-volume["pv-netbird-signal"].kubernetes_persistent_volume.pv' pv-netbird-signal
+tofu import 'module.volumes.module.persistent-volume["pv-plex-config"].kubernetes_persistent_volume.pv' pv-plex-config
+tofu import 'module.volumes.module.persistent-volume["pv-prometheus"].kubernetes_persistent_volume.pv' pv-prometheus
+tofu import 'module.volumes.module.persistent-volume["pv-prowlarr-config"].kubernetes_persistent_volume.pv' pv-prowlarr-config
+tofu import 'module.volumes.module.persistent-volume["pv-radarr-config"].kubernetes_persistent_volume.pv' pv-radarr-config
+tofu import 'module.volumes.module.persistent-volume["pv-remark42"].kubernetes_persistent_volume.pv' pv-remark42
+tofu import 'module.volumes.module.persistent-volume["pv-sonarr-config"].kubernetes_persistent_volume.pv' pv-sonarr-config
+tofu import 'module.volumes.module.persistent-volume["pv-torrent-config"].kubernetes_persistent_volume.pv' pv-torrent-config
 ```
\ No newline at end of file
diff --git a/tofu/kubernetes/bootstrap/volumes/proxmox-volume/config.tf b/tofu/kubernetes/bootstrap/volumes/proxmox-volume/config.tf
index 3da505a..3414276 100644
--- a/tofu/kubernetes/bootstrap/volumes/proxmox-volume/config.tf
+++ b/tofu/kubernetes/bootstrap/volumes/proxmox-volume/config.tf
@@ -15,6 +15,10 @@ resource "restapi_object" "proxmox-volume" {
 size = var.volume.size
 format = var.volume.format
 })
+
+ lifecycle {
+ prevent_destroy = true
+ }
 }
 output "node" {
diff --git a/tofu/kubernetes/main.tf b/tofu/kubernetes/main.tf
index 6b8a1e6..396a202 100644
--- a/tofu/kubernetes/main.tf
+++ b/tofu/kubernetes/main.tf
@@ -6,7 +6,7 @@ module "talos" {
 }
 image = {
- version = "v1.7.5"
+ version = "v1.7.6"
 schematic = file("${path.module}/talos/image/schematic.yaml")
 }
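Review bot: The new `prevent_destroy = true` has no comment explaining why it is there or what it does not cover: it only refuses plans that would destroy an instance while the resource block remains in configuration, so removing the `proxmox-volume` resource or the module call that instantiates it drops the guard together with the resource. Suggested comment above `lifecycle {`: `# Volumes hold persistent application data: refuse any plan that deletes them.` and on the next line `# Detach instead with 'tofu state rm' + re-import (see bootstrap/volumes/README.md).` The enclosing `resource "restapi_object" "proxmox-volume"` block starts outside the hunk.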
@@ -17,7 +17,7 @@ module "talos" {
 cluster = {
 name = "talos"
- endpoint = "192.168.1.100"
+ endpoint = "192.168.1.101"
 gateway = "192.168.1.1"
 talos_version = "v1.7"
 proxmox_cluster = "homelab"
@@ -29,18 +29,17 @@ module "talos" {
 machine_type = "controlplane"
 ip = "192.168.1.100"
 mac_address = "BC:24:11:2E:C8:00"
- vm_id = 8000
+ vm_id = 800
 cpu = 8
 ram_dedicated = 20480
 igpu = true
- update = true
 }
 "ctrl-01" = {
 host_node = "euclid"
 machine_type = "controlplane"
 ip = "192.168.1.101"
 mac_address = "BC:24:11:2E:C8:01"
- vm_id = 8001
+ vm_id = 801
 cpu = 4
 ram_dedicated = 20480
 igpu = true
@@ -50,10 +49,19 @@ module "talos" {
 machine_type = "controlplane"
 ip = "192.168.1.102"
 mac_address = "BC:24:11:2E:C8:02"
- vm_id = 8002
+ vm_id = 802
 cpu = 4
 ram_dedicated = 4096
 }
+ "work-00" = {
+ host_node = "abel"
+ machine_type = "controlplane"
+ ip = "192.168.1.110"
+ mac_address = "BC:24:11:2E:A8:00"
+ vm_id = 810
+ cpu = 8
+ ram_dedicated = 4096
+ }
 }
 }
@@ -127,6 +135,14 @@ module "volumes" {
 node = "euclid"
 size = "12G"
 }
+ pv-netbird-signal = {
+ node = "abel"
+ size = "1G"
+ }
+ pv-netbird-management = {
+ node = "abel"
+ size = "1G"
+ }
 pv-plex-config = {
 node = "abel"
 size = "12G"
diff --git a/tofu/kubernetes/talos/config.tf b/tofu/kubernetes/talos/config.tf
index 6d621a6..419e71b 100644
--- a/tofu/kubernetes/talos/config.tf
+++ b/tofu/kubernetes/talos/config.tf
@@ -46,7 +46,9 @@ resource "talos_machine_configuration_apply" "this" {
 }
 resource "talos_machine_bootstrap" "this" {
- node = [for k, v in var.nodes : v.ip if v.machine_type == "controlplane"][0]
+ depends_on = [talos_machine_configuration_apply.this]
+ for_each = var.nodes
+ node = each.value.ip
 endpoint = var.cluster.endpoint
 client_configuration = talos_machine_secrets.this.client_configuration
 }
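Review bot: `work-00` is declared with `machine_type = "controlplane"`; the `work-` prefix suggests a worker, and if that is the intent the value should be the module's worker type (only `"controlplane"` is visible in this diff). As written it becomes the fourth control-plane node, and an even etcd membership tolerates no more failures than three members do while adding a voter and a quorum participant. If it is deliberately a control-plane node, a one-line comment on the entry saying why would stop the next reader from "fixing" it. The enclosing `nodes` map starts outside the hunk.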
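Review bot: `for_each = var.nodes` runs `talos_machine_bootstrap` against every node, so each control-plane node (four after this change) and any worker gets a bootstrap call; Talos bootstrap is a once-per-cluster operation aimed at a single control-plane node, and issuing it to several nodes in parallel risks each one seeding its own etcd, while a worker has no etcd to bootstrap. Keep the single-node selection and only add the ordering: `depends_on = [talos_machine_configuration_apply.this]` followed by `node = [for k, v in var.nodes : v.ip if v.machine_type == "controlplane"][0]`. If the fan-out is intentional because the provider tolerates repeated bootstraps, say so in a comment on the `for_each` line, since the reader cannot tell from here.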
@@ -70,7 +72,7 @@ data "talos_cluster_kubeconfig" "this" {
 talos_machine_bootstrap.this,
 data.talos_cluster_health.this
 ]
- node = [for k, v in var.nodes : v.ip if v.machine_type == "controlplane"][0]
+ node = [for k, v in var.nodes : v.ip if v.machine_type == "controlplane"][1]
 endpoint = var.cluster.endpoint
 client_configuration = talos_machine_secrets.this.client_configuration
 timeouts = {
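Review bot: Picking the kubeconfig node with a bare `[1]` ties this line to the iteration order of `var.nodes` (maps iterate in key order, so it currently resolves to `ctrl-01`) and to the `cluster.endpoint` change to `192.168.1.101` in main.tf; adding, removing or renaming a control-plane key shifts the index silently and the two settings drift apart. A comment such as `# [1] = ctrl-01; must be the node that var.cluster.endpoint points at` would at least document the coupling, and deriving the node from the endpoint or from an explicit variable naming the bootstrap node would remove it. The enclosing `data "talos_cluster_kubeconfig" "this"` block starts and ends outside the hunk.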