├── .editorconfig ├── .gitattributes ├── .github ├── CODEOWNERS ├── contrib │ ├── kind-config.yaml │ └── mkdocs.yml ├── lint │ ├── .markdownlint.yaml │ ├── .prettierignore │ ├── .prettierrc.yaml │ └── .yamllint.yaml ├── renovate.json5 ├── renovate │ └── autoMerge.json5 ├── scripts │ └── container-parser.sh └── workflows │ ├── docs.yaml │ ├── scan-containers.yaml │ ├── terraform-gcp-pr.yml │ └── terraform-gcp-production.yml ├── .gitignore ├── .just └── uboot.sh ├── .pre-commit-config.yaml ├── .sops.yaml ├── .taskfiles ├── ansible.yml ├── format.yml ├── lint.yml └── pre-commit.yml ├── .whitesource ├── Justfile ├── LICENSE ├── README.md ├── armature ├── prod │ ├── b2 │ │ ├── .terraform.lock.hcl │ │ ├── buckets.tf │ │ └── main.tf │ ├── butane │ │ ├── base.ign │ │ ├── base.yaml │ │ └── scr1 │ │ │ ├── ceph-01.ign │ │ │ ├── ceph-01.yaml │ │ │ ├── ceph-03.ign │ │ │ └── ceph-03.yaml │ ├── cloud-dns │ │ ├── .terraform.lock.hcl │ │ ├── int.tf │ │ ├── kutara.tf │ │ ├── main.tf │ │ └── tf-secrets.sops.yaml │ ├── cloud-do │ │ └── vpc │ │ │ ├── .terraform.lock.hcl │ │ │ ├── main.tf │ │ │ └── variables.tf │ ├── gcp │ │ ├── bootstrap │ │ │ ├── .gitignore │ │ │ ├── .terraform.lock.hcl │ │ │ ├── main.tf │ │ │ ├── org.tf │ │ │ └── variables.tf │ │ ├── kutara │ │ │ ├── .terraform.lock.hcl │ │ │ ├── gke-kutara.tf │ │ │ ├── main.tf │ │ │ ├── project.tf │ │ │ ├── sa.tf │ │ │ ├── variables.tf │ │ │ └── vpc.tf │ │ └── top22 │ │ │ ├── .terraform.lock.hcl │ │ │ ├── main.tf │ │ │ ├── project.tf │ │ │ ├── sa.tf │ │ │ └── variables.tf │ ├── nwk1 │ │ ├── .gitignore │ │ ├── .terraform.lock.hcl │ │ ├── butane │ │ │ └── base_ignition.yaml │ │ ├── dns.tf │ │ ├── main.tf │ │ ├── nas-1.tf │ │ └── tf-secrets.sops.yaml │ ├── scr1 │ │ ├── .terraform.lock.hcl │ │ ├── dns_records.tf │ │ ├── fcos-derivations │ │ │ └── libvirt-01 │ │ │ │ ├── Dockerfile │ │ │ │ ├── br0.nmconnection │ │ │ │ ├── bridge-slave-eno1.nmconnection │ │ │ │ └── default_connection.nmconnection │ │ ├── fcos │ │ │ └── k8s-node │ │ │ │ └── 
worker-config.bu.sops.yaml │ │ ├── main.tf │ │ ├── switch-configs │ │ │ ├── readme.md │ │ │ ├── sw-2-config.rsc │ │ │ ├── sw-4-808-bedroom.rsc │ │ │ ├── sw-core-2.rsc │ │ │ └── sw-core-config.rsc │ │ ├── tf-secret.sops.yaml │ │ └── vms │ │ │ ├── ceph-02 │ │ │ ├── .terraform.lock.hcl │ │ │ ├── ceph-02.yaml │ │ │ ├── main.tf │ │ │ └── providers.tf │ │ │ └── dbs │ │ │ ├── .terraform.lock.hcl │ │ │ ├── db-01.yaml │ │ │ ├── main.tf │ │ │ ├── postgres.tf │ │ │ ├── providers.tf │ │ │ ├── sops.tf │ │ │ └── tf-secrets.sops.yaml │ └── tf-states │ │ ├── .terraform.lock.hcl │ │ ├── main.tf │ │ ├── org.tf │ │ └── states.tf └── raspberrypi4-uefi │ ├── Dockerfile │ ├── patch.yaml │ └── serials │ ├── 61895898 │ └── RPI_EFI.fd │ ├── 0210edae │ └── RPI_EFI.fd │ ├── 1836c205 │ └── RPI_EFI.fd │ ├── 3e79ca27 │ └── RPI_EFI.fd │ ├── 56af08e4 │ └── RPI_EFI.fd │ ├── 583d6465 │ └── RPI_EFI.fd │ └── 8e2bc983 │ └── RPI_EFI.fd ├── docs ├── README.md ├── _static │ └── custom.css ├── index.md ├── opensuse-kubic │ ├── combustion-examples │ │ └── ignition │ │ │ ├── combustion │ │ │ ├── autologin.conf │ │ │ ├── firstbootreboot.service │ │ │ ├── id_rsa.pub │ │ │ └── script │ │ │ └── ignition │ │ │ └── IGNORE │ └── combustion.md ├── pimatrix.md ├── secrets │ └── sealed-secrets.md └── tooling │ └── getting-started.md ├── hack ├── k8srollingUpdate.sh └── pvcPod.yaml └── k8s ├── base ├── crypto │ ├── bitcoind │ │ ├── helm-release.yaml │ │ └── service-monitor.yaml │ ├── kustomization.yaml │ ├── lnd │ │ ├── external-secret.yaml │ │ ├── helm-release.yaml │ │ ├── ingress.yaml │ │ └── service-monitor.yaml │ ├── lnd2 │ │ ├── external-secret.yaml │ │ ├── helm-release.yaml │ │ ├── ingress.yaml │ │ └── service-monitor.yaml │ ├── lndhub │ │ ├── external-secret.yaml │ │ └── helm-release.yaml │ ├── namespace.yaml │ ├── network-policy.yaml │ ├── peerswap │ │ ├── config-map.yaml │ │ └── helm-release.yaml │ └── rtl │ │ ├── helm-release.yaml │ │ └── ingress.yaml ├── database │ ├── cloudnative-pg │ │ ├── cluster │ │ │ 
├── cluster-external-secret.yaml │ │ │ └── cluster.yaml │ │ └── deploy │ │ │ └── helm-release.yaml │ ├── couchdb │ │ └── helm-release.yaml │ ├── kustomization.yaml │ ├── namespace.yaml │ └── redis │ │ ├── helm-release.yaml │ │ └── sentinel │ │ └── helm-release.yaml ├── default │ ├── evobot │ │ ├── deployment.yaml │ │ └── secret.sops.yaml │ ├── kustomization.yaml │ ├── namespace.yaml │ ├── palworld │ │ ├── helm-release.yaml │ │ ├── helm-repo.yaml │ │ └── pvc.yaml │ └── thelounge │ │ ├── config-pvc.yaml │ │ └── helm-release.yaml ├── federation │ ├── db │ │ ├── cluster.yaml │ │ └── external-secret.yaml │ └── lemmy │ │ ├── external-secret.yaml │ │ ├── kustomize.yaml │ │ ├── object-bucket-claim.yaml │ │ └── oci-repo.yaml ├── flux-system │ ├── cluster-config │ │ ├── base │ │ │ ├── base-secrets.yaml │ │ │ └── config.yaml │ │ └── overlays │ │ │ └── scr1-cluster-0 │ │ │ ├── cluster-config.yaml │ │ │ ├── cluster-secrets.yaml │ │ │ └── kustomization.yaml │ ├── helm-chart-repositories │ │ ├── bitnami-charts.yaml │ │ ├── bjw-s.yaml │ │ ├── bootc-charts.yaml │ │ ├── cilium-charts.yaml │ │ ├── cloudnative-pg.yaml │ │ ├── couchdb-charts.yaml │ │ ├── democractic-csi.yaml │ │ ├── descheduler-charts.yaml │ │ ├── external-dns-charts.yaml │ │ ├── external-secrets.yaml │ │ ├── fairwinds-charts.yaml │ │ ├── galoy-anthr76.yaml │ │ ├── galoy.yaml │ │ ├── grafana-charts.yaml │ │ ├── hajimari-charts.yaml │ │ ├── hashicorp-charts.yaml │ │ ├── ingress-nginx-charts.yaml │ │ ├── jetstack-charts.yaml │ │ ├── k8s-at-home-chart.yaml │ │ ├── metallb-charts.yaml │ │ ├── metrics-server-charts.yaml │ │ ├── minecraft-server-charts.yaml │ │ ├── nats-charts.yaml │ │ ├── nfd-charts.yaml │ │ ├── oauth2-proxy-charts.yaml │ │ ├── prometheus-community-charts.yaml │ │ ├── rocm-charts.yaml │ │ ├── rook-ceph-charts.yaml │ │ ├── stakater-charts.yaml │ │ ├── stakewise-charts.yaml │ │ ├── vector-charts.yaml │ │ └── vmware-charts.yaml │ ├── monitoring │ │ ├── pod-monitor.yaml │ │ └── prometheus-rule.yaml │ ├── 
notifications │ │ ├── discord │ │ │ ├── notification.yaml │ │ │ └── secret.sops.yaml │ │ ├── github │ │ │ ├── notification.yaml │ │ │ └── secret.sops.yaml │ │ └── kustomization.yaml │ └── webhook │ │ ├── github │ │ ├── ingress.yaml │ │ ├── receiver.yaml │ │ └── secret.sops.yaml │ │ └── kustomization.yaml ├── home │ ├── esphome │ │ ├── config-pvc.yaml │ │ └── helm-release.yaml │ ├── frigate │ │ ├── config-pvc.yaml │ │ ├── config.yaml │ │ ├── helm-release.yaml │ │ ├── kustomization.yaml │ │ ├── media-pvc.yaml │ │ └── secret.yaml │ ├── home-assistant-nwk3 │ │ ├── config-pvc.yaml │ │ ├── external-secret.yaml │ │ └── helm-release.yaml │ ├── home-assistant │ │ ├── config-pvc.yaml │ │ ├── external-secret.yaml │ │ ├── helm-release.yaml │ │ └── pdb.yaml │ ├── kustomization.yaml │ ├── mosquitto │ │ ├── config-pvc.yaml │ │ ├── helm-release.yaml │ │ ├── kustomization.yaml │ │ ├── mosquitto_pwd.sops │ │ ├── mqtt.conf │ │ └── pdb.yaml │ ├── namespace.yaml │ ├── nats │ │ ├── helm-release.yaml │ │ └── pdb.yaml │ ├── priority-class.yaml │ ├── zigbee2mqtt │ │ ├── config-pvc.yaml │ │ ├── helm-release.yaml │ │ └── pdb.yaml │ └── zwavejs2mqtt │ │ ├── config-pvc.yaml │ │ └── helm-release.yaml ├── infra │ ├── external-secrets │ │ ├── cluster-secret-store │ │ │ ├── cluster-secret-store.yaml │ │ │ └── gcp-sa-secret.yaml │ │ └── helm-release.yaml │ ├── hajimari │ │ ├── config-pvc.yaml │ │ └── helm-release.yaml │ ├── kustomization.yaml │ ├── namespace.yaml │ ├── netbox │ │ ├── helm-release.yaml │ │ ├── id_rsa.pub.sops │ │ ├── id_rsa.sops │ │ ├── kustomization.yaml │ │ └── secret.sops.yaml │ ├── paperless │ │ ├── external-secret.yaml │ │ ├── helm-release.yaml │ │ └── pvc.yaml │ └── unifi │ │ ├── helm-release.yaml │ │ └── pvc.yaml ├── kube-system │ ├── cilium │ │ └── helm-release.yaml │ ├── descheduler │ │ ├── helm-release.yaml │ │ └── metrics.yaml │ ├── home-dns │ │ ├── kustomization.yaml │ │ └── rbac.yaml │ ├── intel-gpu-plugin │ │ └── helm-release.yaml │ ├── kubelet-serving-cert-approver │ 
│ ├── kustomization.yaml │ │ └── kustomize.yaml │ ├── kustomization.yaml │ ├── metallb │ │ ├── helm-release.yaml │ │ ├── kustomization.yaml │ │ └── scr1 │ │ │ └── resources.yaml │ ├── metrics-server │ │ └── helm-release.yaml │ ├── multus │ │ ├── helm-release.yaml │ │ └── scr1 │ │ │ └── networkattachmentdefinition.yaml │ ├── namespace.yaml │ ├── networkpolicy.yaml │ ├── node-feature-discovery │ │ └── helm-release.yaml │ ├── reloader │ │ └── helm-release.yaml │ └── rocm-k8s-device-plugin │ │ ├── k8s-ds-amdgpu-dp-health.yaml │ │ ├── k8s-ds-amdgpu-dp.yaml │ │ ├── k8s-ds-amdgpu-labeller.yaml │ │ └── kustomization.yaml ├── kyverno │ ├── namespace.yaml │ ├── operator │ │ └── kustomize.yaml │ └── policies │ │ └── apply-ingress-whitelist-annotations.yaml ├── media │ ├── autobrr │ │ ├── external-secret.yaml │ │ └── helm-release.yaml │ ├── bazarr │ │ ├── config-pvc.yaml │ │ └── helm-release.yaml │ ├── cross-seed │ │ ├── config.js │ │ ├── external-secret.yaml │ │ ├── helm-release.yaml │ │ └── kustomization.yaml │ ├── kustomization.yaml │ ├── lidarr │ │ ├── config-pvc.yaml │ │ ├── helm-release.yaml │ │ └── secret.sops.yaml │ ├── media-pvc.yaml │ ├── namespace.yaml │ ├── overseerr │ │ ├── config-pvc.yaml │ │ ├── helm-release.yaml │ │ └── pdb.yaml │ ├── plex │ │ ├── config-pvc.yaml │ │ ├── helm-release.yaml │ │ └── pdb.yaml │ ├── priority-class.yaml │ ├── prowlarr │ │ ├── config-pvc.yaml │ │ ├── external-secret.yaml │ │ └── helm-release.yaml │ ├── qbittorrent │ │ ├── completed.sh │ │ ├── config-pvc.yaml │ │ ├── helm-release.yaml │ │ ├── kustomization.yaml │ │ ├── qbtools-config.yaml │ │ └── qbtools-helm-release.yaml │ ├── radarr │ │ ├── config-pvc.yaml │ │ ├── external-secret.yaml │ │ └── helm-release.yaml │ ├── recyclarr │ │ ├── config-pvc.yaml │ │ ├── external-secret.yaml │ │ ├── helm-release.yaml │ │ ├── kustomization.yaml │ │ └── recyclarr.yaml │ ├── sabnzbd │ │ ├── config-pvc.yaml │ │ └── helm-release.yaml │ ├── samba │ │ ├── deployment.yaml │ │ ├── secret.sops.yaml │ │ └── 
service.yaml │ ├── sonarr │ │ ├── config-pvc.yaml │ │ ├── helm-release.yaml │ │ └── secret.sops.yaml │ ├── tvheadend │ │ ├── config-pvc.yaml │ │ └── helm-release.yaml │ └── unpackerr │ │ ├── helm-release.yaml │ │ └── secret.sops.yaml ├── monitoring │ ├── grafana │ │ ├── external-secret.yaml │ │ └── helm-release.yaml │ ├── kube-prometheus-stack │ │ └── helm-release.yaml │ ├── kustomization.yaml │ ├── loki │ │ ├── helm-release.yaml │ │ ├── kustomization.yaml │ │ ├── object-bucket-claim.yaml │ │ └── rules.yaml │ ├── mimir │ │ ├── etcd-helm-release.yaml │ │ ├── external-secret.yaml │ │ ├── helm-release.yaml │ │ └── object-bucket-claim.yaml │ ├── namespace.yaml │ ├── snmp-exporter-ups │ │ ├── config-map.yaml │ │ ├── helm-release-806.yaml │ │ ├── helm-release-808.yaml │ │ └── prometheus-rule.yaml │ ├── snmp-exporter-vyos │ │ └── helm-release.yaml │ ├── vector │ │ ├── agent │ │ │ ├── helm-release.yaml │ │ │ ├── kustomization.yaml │ │ │ ├── rbac.yaml │ │ │ └── vector.yaml │ │ └── aggregator │ │ │ ├── external-secret.yaml │ │ │ ├── helm-release.yaml │ │ │ ├── kustomization.yaml │ │ │ └── vector.yaml │ └── vpa │ │ └── helm-release.yaml ├── networking │ ├── cert-manager │ │ ├── cert-manager.sops.yaml │ │ ├── helm-release.yaml │ │ ├── issuers │ │ │ ├── letsencrypt-production.yaml │ │ │ └── letsencrypt-staging.yaml │ │ └── kustomization.yaml │ ├── external-dns │ │ ├── helm-release.yaml │ │ └── secret.sops.yaml │ ├── kustomization.yaml │ ├── namespace.yaml │ ├── nginx │ │ ├── certificate.yaml │ │ └── helm-release.yaml │ └── oauth2-proxy │ │ ├── helm-release-ext.yaml │ │ ├── helm-release-int.yaml │ │ └── secret.yaml └── rook-ceph │ ├── cluster │ └── helm-release.yaml │ ├── kustomization.yaml │ ├── local-path-provisioner │ └── helm-release.yaml │ ├── namespace.yaml │ └── operator │ └── helm-release.yaml ├── clusters ├── gke-cluster-1 │ ├── definitions │ │ ├── flux-system.yaml │ │ ├── home.yaml │ │ ├── infra.yaml │ │ ├── kube-system.yaml │ │ ├── media.yaml │ │ ├── monitoring.yaml │ 
│ ├── networking.yaml │ │ ├── rook-ceph-external.yaml │ │ ├── rook-ceph.yaml │ │ ├── sway-sig.yaml │ │ └── tekton-pipelines.yaml │ └── gotk │ │ └── flux-system │ │ ├── flux.yaml │ │ ├── gotk-sync.yaml │ │ └── kustomization.yaml ├── nwk2-cluster-0 │ └── Justfile └── scr1-cluster-0 │ ├── definitions │ ├── crypto.yaml │ ├── database.yaml │ ├── default.yaml │ ├── federation.yaml │ ├── flux-system.yaml │ ├── home.yaml │ ├── infra.yaml │ ├── kube-system.yaml │ ├── kyverno.yaml │ ├── media.yaml │ ├── monitoring.yaml │ ├── networking.yaml │ └── rook-ceph.yaml │ ├── gotk │ └── flux-system │ │ ├── flux.yaml │ │ ├── gotk-sync.yaml │ │ └── kustomization.yaml │ └── iac │ ├── apply.sh │ ├── clusterconfig │ └── .gitignore │ ├── cni │ ├── cluster_0_quick_install.yaml │ └── values.yaml │ ├── talconfig.yaml │ └── talenv.sops.yaml ├── my-prom-rules.yaml └── rbac ├── k8s-auth ├── nixos.yaml └── oidc-cluster-admin.yaml └── k8s-gateway ├── cluster-role-binding.yaml ├── cluster-role.yaml └── service-account.yaml /.editorconfig: -------------------------------------------------------------------------------- 1 | # editorconfig.org 2 | root = true 3 | 4 | [*] 5 | indent_style = space 6 | indent_size = 2 7 | end_of_line = lf 8 | charset = utf-8 9 | trim_trailing_whitespace = true 10 | insert_final_newline = true 11 | 12 | [Makefile] 13 | indent_style = space 14 | indent_size = 4 15 | 16 | [*.{bash,sh}] 17 | indent_style = space 18 | indent_size = 4 19 | 20 | [*.{yaml,yml}] 21 | indent_size = 2 22 | -------------------------------------------------------------------------------- /.gitattributes: -------------------------------------------------------------------------------- 1 | *.yml diff=dyff 2 | *.yaml diff=dyff 3 | -------------------------------------------------------------------------------- /.github/CODEOWNERS: -------------------------------------------------------------------------------- 1 | * @anthr76 2 | 
-------------------------------------------------------------------------------- /.github/contrib/kind-config.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: kind.x-k8s.io/v1alpha4 2 | kind: Cluster 3 | networking: 4 | apiServerAddress: "0.0.0.0" 5 | 6 | # The API server listens on 0.0.0.0 (above) and the name of the docker (dind) service is added to the apiServer certSANs so the cluster can be reached through that service from CI 7 | kubeadmConfigPatchesJSON6902: 8 | - group: kubeadm.k8s.io 9 | version: v1beta2 10 | kind: ClusterConfiguration 11 | patch: | 12 | - op: add 13 | path: /apiServer/certSANs/- 14 | value: docker 15 | nodes: 16 | - role: control-plane 17 | - role: worker 18 | -------------------------------------------------------------------------------- /.github/contrib/mkdocs.yml: -------------------------------------------------------------------------------- 1 | --- 2 | site_name: anthr76 | infra 3 | site_description: Personal home-lab or home infrastructure in a declarative state. 
4 | site_author: Anthony Rabbito 5 | site_url: https://anthr76.github.io/infra/ 6 | 7 | repo_name: anthr76/infra 8 | repo_url: https://github.com/anthr76/infra 9 | edit_uri: "edit/main/docs/" 10 | 11 | theme: 12 | name: material 13 | # logo: _files/flux-icon@2x.png 14 | language: en 15 | palette: 16 | scheme: slate 17 | primary: blue 18 | accent: indigo 19 | 20 | docs_dir: ../../docs/ 21 | 22 | extra_css: 23 | - _static/custom.css 24 | 25 | plugins: 26 | - search 27 | 28 | markdown_extensions: 29 | - admonition 30 | - meta 31 | - codehilite: 32 | guess_lang: false 33 | - toc: 34 | permalink: true 35 | - pymdownx.superfences: 36 | highlight_code: true 37 | - pymdownx.tabbed 38 | - pymdownx.tilde 39 | - pymdownx.progressbar 40 | - pymdownx.tasklist 41 | - pymdownx.superfences 42 | - pymdownx.snippets 43 | - pymdownx.emoji: 44 | emoji_index: !!python/name:materialx.emoji.twemoji 45 | emoji_generator: !!python/name:materialx.emoji.to_svg 46 | 47 | nav: 48 | - Introduction: index.md 49 | - Getting Started: tooling/getting-started.md 50 | - Kubic/MicroOS: opensuse-kubic/combustion.md 51 | -------------------------------------------------------------------------------- /.github/lint/.markdownlint.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | default: true 3 | 4 | # MD013/line-length - Line length 5 | MD013: 6 | # Number of characters 7 | line_length: 240 8 | # Number of characters for headings 9 | heading_line_length: 80 10 | # Number of characters for code blocks 11 | code_block_line_length: 80 12 | # Include code blocks 13 | code_blocks: true 14 | # Include tables 15 | tables: true 16 | # Include headings 17 | headings: true 18 | # Include headers (older name for the headings option, kept for compatibility) 19 | headers: true 20 | # Strict length checking 21 | strict: false 22 | # Stern length checking 23 | stern: false 24 | -------------------------------------------------------------------------------- /.github/lint/.prettierignore: 
-------------------------------------------------------------------------------- 1 | .private 2 | .vscode 3 | *.sops.* 4 | *.enc.* 5 | ansible/roles/xanmanning.k3s/ 6 | gotk-components.yaml 7 | *.terraform 8 | *-secrets* 9 | *-ssh* 10 | *-pat* 11 | -------------------------------------------------------------------------------- /.github/lint/.prettierrc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | trailingComma: "es5" 3 | tabWidth: 2 4 | semi: false 5 | singleQuote: false 6 | -------------------------------------------------------------------------------- /.github/lint/.yamllint.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | ignore: | 3 | .private/ 4 | .vscode/ 5 | *.sops.* 6 | *.terraform* 7 | gotk-components.yaml 8 | extends: default 9 | rules: 10 | truthy: 11 | allowed-values: ["true", "false", "on"] 12 | comments: 13 | min-spaces-from-content: 1 14 | line-length: disable 15 | braces: 16 | min-spaces-inside: 0 17 | max-spaces-inside: 1 18 | brackets: 19 | min-spaces-inside: 0 20 | max-spaces-inside: 0 21 | indentation: enable 22 | -------------------------------------------------------------------------------- /.github/renovate/autoMerge.json5: -------------------------------------------------------------------------------- 1 | { 2 | packageRules: [ 3 | { 4 | matchDatasources: ["docker"], 5 | automerge: true, 6 | automergeType: "branch", 7 | requiredStatusChecks: null, 8 | matchUpdateTypes: ["minor", "patch"], 9 | matchPackageNames: [ 10 | "ghcr.io/k8s-at-home/prowlarr-nightly", 11 | "ghcr.io/k8s-at-home/radarr-nightly", 12 | "ghcr.io/k8s-at-home/sonarr-nightly", 13 | "ghcr.io/onedr0p/prowlarr-nightly", 14 | "ghcr.io/onedr0p/sonarr-nightly", 15 | "ghcr.io/onedr0p/radarr-nightly", 16 | ], 17 | }, 18 | { 19 | "description": "Auto merge container digests", 20 | "matchDatasources": ["docker"], 21 | "automerge": true, 22 | "automergeType": "branch", 23 | 
"requiredStatusChecks": null, 24 | "matchUpdateTypes": ["digest"], 25 | "matchPackagePattern": ["ghcr.io/k8s-at-home","ghcr.io/onedr0p"] 26 | }, 27 | ], 28 | } 29 | -------------------------------------------------------------------------------- /.github/workflows/docs.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | name: Publish docs via GitHub Pages 3 | 4 | on: # yamllint disable-line rule:truthy 5 | workflow_dispatch: 6 | push: 7 | branches: 8 | - "docs-*" 9 | - main 10 | paths: 11 | - ".github/workflows/docs.yaml" 12 | - ".github/contrib/mkdocs.yml" 13 | - "docs/**" 14 | 15 | jobs: 16 | build: 17 | runs-on: ubuntu-22.04 18 | steps: 19 | - name: Checkout branch 20 | uses: actions/checkout@v3 21 | 22 | - name: Deploy docs 23 | uses: mhausenblas/mkdocs-deploy-gh-pages@master 24 | env: 25 | GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }} 26 | CONFIG_FILE: .github/contrib/mkdocs.yml 27 | -------------------------------------------------------------------------------- /.gitignore: -------------------------------------------------------------------------------- 1 | **/.terraform 2 | /ansible/output/ 3 | /ansible/debug.yml 4 | /ansible/test-inventory/* 5 | /ansible/playbooks/kubic-cluster/nyc1/output/ 6 | /ansible/playbooks/kubic-cluster/nwk1/output/ 7 | ansible/roles/anthr76.ansible_vfio* 8 | ansible/k8s-cilium-exec.sh 9 | clusters/nwk1/gitops/openebs/openebs/uninstall.sh 10 | bin/ 11 | .vscode 12 | ansible/roles/anthr76.routeros-configure 13 | 14 | # Sops 15 | .decrypted~*.yaml 16 | /ansible/roles/mrlesmithjr.zfs 17 | 18 | # Temp 19 | /clusters/scr1/intergrations/server-classes 20 | /clusters/scr1/intergrations/servers 21 | /clusters/scr1/intergrations/scr1-cluster-0.yaml 22 | ansible/roles/ansible-role-vyos 23 | .direnv/* -------------------------------------------------------------------------------- /.just/uboot.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | dnf 
install -y cpio util-linux jq rsync 3 | mkdir -p /tmp/RPi4boot/boot/efi/ 4 | dnf install -y --downloadonly --forcearch=aarch64 --destdir=/tmp/RPi4boot/ uboot-images-armv8 bcm283x-firmware bcm283x-overlays 5 | for rpm in /tmp/RPi4boot/*rpm; do rpm2cpio $rpm | sudo cpio -idv -D /tmp/RPi4boot/; done 6 | mv /tmp/RPi4boot/usr/share/uboot/rpi_4/u-boot.bin /tmp/RPi4boot/boot/efi/rpi4-u-boot.bin 7 | FCOSEFIPARTITION=$(lsblk $FCOSDISK -J -oLABEL,PATH | jq -r '.blockdevices[] | select(.label == "EFI-SYSTEM")'.path) 8 | mkdir /tmp/FCOSEFIpart 9 | mount $FCOSEFIPARTITION /tmp/FCOSEFIpart 10 | rsync -avh --ignore-existing /tmp/RPi4boot/boot/efi/ /tmp/FCOSEFIpart/ 11 | umount $FCOSEFIPARTITION 12 | 13 | 14 | 15 | -------------------------------------------------------------------------------- /.pre-commit-config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | fail_fast: false 3 | repos: 4 | - repo: https://github.com/adrienverge/yamllint 5 | rev: v1.32.0 6 | hooks: 7 | - args: 8 | - --config-file 9 | - .github/lint/.yamllint.yaml 10 | id: yamllint 11 | - repo: https://github.com/pre-commit/pre-commit-hooks 12 | rev: v4.4.0 13 | hooks: 14 | - id: trailing-whitespace 15 | - id: end-of-file-fixer 16 | - id: mixed-line-ending 17 | - repo: https://github.com/Lucas-C/pre-commit-hooks 18 | rev: v1.5.4 19 | hooks: 20 | - id: remove-crlf 21 | - id: remove-tabs 22 | - repo: https://github.com/sirosen/fix-smartquotes 23 | rev: 0.2.0 24 | hooks: 25 | - id: fix-smartquotes 26 | - repo: https://github.com/k8s-at-home/sops-pre-commit 27 | rev: v2.1.1 28 | hooks: 29 | - id: forbid-secrets 30 | -------------------------------------------------------------------------------- /.sops.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | creation_rules: 3 | - path_regex: k8s/.*\.ya?ml 4 | encrypted_regex: '((?i)(pass|secret($|[^N])|key|token|^data$|^stringData))' 5 | age: >- 6 | 
age12t69fa3kqmnxdx4sca7ecv6lfu3wrfwm95zuuhujcfk3ukcn8dzsk40u6x 7 | - path_regex: k8s/clusters/scr1-cluster-0/iac/.*\.ya?ml 8 | encrypted_regex: '((?i)(pass|secret($|[^N])|key|id|oidc-client-id|crt|token|^data$|^stringData))' 9 | age: >- 10 | age12t69fa3kqmnxdx4sca7ecv6lfu3wrfwm95zuuhujcfk3ukcn8dzsk40u6x 11 | - path_regex: armature/prod/scr1/fcos/.*\.sops\.ya?ml 12 | encrypted_regex: "^(files|stringData)$" 13 | age: >- 14 | age12t69fa3kqmnxdx4sca7ecv6lfu3wrfwm95zuuhujcfk3ukcn8dzsk40u6x 15 | -------------------------------------------------------------------------------- /.taskfiles/ansible.yml: -------------------------------------------------------------------------------- 1 | --- 2 | version: "3" 3 | 4 | env: 5 | ANSIBLE_CONFIG: "{{.PROJECT_DIR}}/ansible/ansible.cfg" 6 | 7 | vars: 8 | ANSIBLE_PLAYBOOK_DIR: "{{.ANSIBLE_DIR}}/playbooks" 9 | ANSIBLE_INVENTORY_DIR: "{{.ANSIBLE_DIR}}/inventory" 10 | 11 | tasks: 12 | deps: 13 | desc: Upgrade Ansible galaxy deps 14 | dir: ansible 15 | cmds: 16 | - "ansible-galaxy install -r requirements.yml --force" 17 | - "pip3 install -r requirements.txt" 18 | silent: true 19 | 20 | list: 21 | desc: List all the hosts 22 | dir: ansible 23 | cmds: 24 | - "ansible all -i {{.ANSIBLE_INVENTORY_DIR}}/home-cluster/hosts.yml --list-hosts" 25 | silent: true 26 | 27 | ping: 28 | desc: Ping all the hosts 29 | dir: ansible 30 | cmds: 31 | - "ansible all -i {{.ANSIBLE_INVENTORY_DIR}}/home-cluster/hosts.yml --one-line -m 'ping'" 32 | silent: true 33 | 34 | uptime: 35 | desc: Uptime of all the hosts 36 | dir: ansible 37 | cmds: 38 | - ansible all -i {{.ANSIBLE_INVENTORY_DIR}}/home-cluster/hosts.yml --one-line -a 'uptime' 39 | silent: true 40 | 41 | reboot: 42 | desc: Reboot all the k8s nodes 43 | dir: ansible 44 | cmds: 45 | - "ansible kubernetes -i {{.ANSIBLE_INVENTORY_DIR}}/home-cluster/hosts.yml -m reboot" 46 | silent: true 47 | 48 | shutdown: 49 | desc: Shutdown all the k8s nodes 50 | dir: ansible 51 | cmds: 52 | - "ansible kubernetes -i 
{{.ANSIBLE_INVENTORY_DIR}}/home-cluster/hosts.yml -m shutdown" 53 | silent: true 54 | -------------------------------------------------------------------------------- /.taskfiles/format.yml: -------------------------------------------------------------------------------- 1 | --- 2 | version: "3" 3 | 4 | tasks: 5 | all: 6 | - task: markdown 7 | - task: yaml 8 | markdown: 9 | desc: Format Markdown 10 | cmds: 11 | - >- 12 | prettier 13 | --ignore-path '.github/lint/.prettierignore' 14 | --config '.github/lint/.prettierrc.yaml' 15 | --list-different 16 | --ignore-unknown 17 | --parser=markdown 18 | --write '*.md' '**/*.md' 19 | ignore_error: true 20 | yaml: 21 | desc: Format YAML 22 | cmds: 23 | - >- 24 | prettier 25 | --ignore-path '.github/lint/.prettierignore' 26 | --config 27 | '.github/lint/.prettierrc.yaml' 28 | --list-different 29 | --ignore-unknown 30 | --parser=yaml 31 | --write '*.y*ml' 32 | '**/*.y*ml' 33 | ignore_error: true 34 | -------------------------------------------------------------------------------- /.taskfiles/lint.yml: -------------------------------------------------------------------------------- 1 | --- 2 | version: "3" 3 | 4 | tasks: 5 | all: 6 | - task: markdown 7 | - task: yaml 8 | - task: format 9 | 10 | markdown: 11 | desc: Lint Markdown 12 | cmds: 13 | - markdownlint -c '.github/lint/.markdownlint.yaml' *.md **/*.md 14 | ignore_errors: true 15 | 16 | yaml: 17 | desc: Lint YAML 18 | cmds: 19 | - yamllint -c '.github/lint/.yamllint.yaml' . 20 | ignore_errors: true 21 | 22 | format: 23 | desc: Lint general formatting 24 | cmds: 25 | - prettier --ignore-path '.github/lint/.prettierignore' --config '.github/lint/.prettierrc.yaml' --check . 
26 | ignore_errors: true 27 | -------------------------------------------------------------------------------- /.taskfiles/pre-commit.yml: -------------------------------------------------------------------------------- 1 | --- 2 | version: "3" 3 | 4 | tasks: 5 | init: 6 | desc: Initialize pre-commit hooks 7 | cmds: 8 | - pre-commit install-hooks 9 | run: 10 | desc: Run pre-commit 11 | cmds: 12 | - pre-commit run --all-files 13 | -------------------------------------------------------------------------------- /.whitesource: -------------------------------------------------------------------------------- 1 | { 2 | "scanSettings": { 3 | "baseBranches": [] 4 | }, 5 | "checkRunSettings": { 6 | "vulnerableCheckRunConclusionLevel": "failure", 7 | "displayMode": "diff", 8 | "useMendCheckNames": true 9 | }, 10 | "issueSettings": { 11 | "minSeverityLevel": "LOW", 12 | "issueType": "DEPENDENCY" 13 | } 14 | } -------------------------------------------------------------------------------- /armature/prod/b2/.terraform.lock.hcl: -------------------------------------------------------------------------------- 1 | # This file is maintained automatically by "terraform init". 2 | # Manual edits may be lost in future updates. 
3 | 4 | provider "registry.terraform.io/backblaze/b2" { 5 | version = "0.8.4" 6 | constraints = "0.8.4" 7 | hashes = [ 8 | "h1:EjWvu+zMSI+bSn1Mm2EIuj0bw8xojk9jtyrUVRGe6uk=", 9 | "h1:WXKvSMAphowc2WrY7MKv50zeLTD2qWhkgcJBCTLro8M=", 10 | "h1:iTNGfXzJeiUYsrhnWo/hTO7zgtQiYH9U5xrlSCSb/rU=", 11 | "h1:vtRe9tVLQqXMJPthxF+lh1uq2xai/FdOUUY8OkPHBqk=", 12 | ] 13 | } 14 | 15 | provider "registry.terraform.io/hashicorp/google" { 16 | version = "4.79.0" 17 | constraints = "4.79.0" 18 | hashes = [ 19 | "h1:0P/wyCd5dh1zG5cXaWPiO36c59fCnBGcggw7UWy2myc=", 20 | "h1:6ybJILr8uFF4j9q4sCPGbmP3LSfb0ocyjcKTD3NUiHU=", 21 | "h1:Li/wjCxais5NQTFyxfca1ot58EKadeOgQIRKO1INFwU=", 22 | "h1:NFh7yr4ZzOEZUoL6PbXyMzuZ2om/PG5gkF6OhYH7sAc=", 23 | "h1:WwOcCD1bX08jjcUTsfWA+8tJlv7vVV2hGlXPz2ZAZME=", 24 | "h1:aLb9b7sENSRhXkgWb6L08pS9e2MGiA3TvMONVucf/yg=", 25 | "h1:ja8L+cpokSBX6k7XuorPYLxn6RMRur/K5pdR1Hpi3sw=", 26 | "h1:ogFyLeIXnNf1L8YGjWqsbHbodercUXCoSrRFj7kGF4o=", 27 | "h1:qOYZ0O2hYTSEU7uquabV97GNa1WhJ1l+Uxr3gctmWRA=", 28 | "h1:wM0D6HcMu7OWI/7LGVtkfbvbWGyGy7rUEMRMUQYuHhs=", 29 | "h1:zk1cuvVrxTBz0jK6j2Ffl2yEPsTJsTrVatngkh2H5Tg=", 30 | ] 31 | } 32 | -------------------------------------------------------------------------------- /armature/prod/b2/buckets.tf: -------------------------------------------------------------------------------- 1 | # resource "b2_bucket" "kopia" { 2 | # bucket_name = "k8s-kopia" 3 | # bucket_type = "allPrivate" 4 | # } 5 | 6 | # resource "b2_application_key" "kopia" { 7 | # key_name = "k8s-kopia" 8 | # bucket_id = b2_bucket.kopia.id 9 | # capabilities = [ 10 | # "deleteFiles", 11 | # "listAllBucketNames", 12 | # "listBuckets", 13 | # "listFiles", 14 | # "readBuckets", 15 | # "readFiles", 16 | # "shareFiles", 17 | # "writeFiles" 18 | # ] 19 | # } 20 | 21 | # resource "google_secret_manager_secret" "b2_kopia_bucket_key" { 22 | # secret_id = "B2_KOPIA_BUCKET_KEY" 23 | 24 | # replication { 25 | # automatic = true 26 | # } 27 | # } 28 | 29 | 30 | # resource 
"google_secret_manager_secret_version" "b2_kopia_bucket_key" { 31 | # secret = google_secret_manager_secret.b2_kopia_bucket_key.id 32 | 33 | # secret_data = b2_application_key.kopia.application_key 34 | # } 35 | 36 | # resource "google_secret_manager_secret" "b2_kopia_bucket_key_id" { 37 | # secret_id = "B2_KOPIA_BUCKET_KEY_ID" 38 | 39 | # replication { 40 | # automatic = true 41 | # } 42 | # } 43 | 44 | 45 | # resource "google_secret_manager_secret_version" "b2_kopia_bucket_key_id" { 46 | # secret = google_secret_manager_secret.b2_kopia_bucket_key_id.id 47 | 48 | # secret_data = b2_application_key.kopia.application_key_id 49 | # } 50 | -------------------------------------------------------------------------------- /armature/prod/b2/main.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | backend "remote" { 3 | organization = "kutara" 4 | workspaces { 5 | name = "backblaze" 6 | } 7 | } 8 | required_version = ">= 1.0.0" 9 | required_providers { 10 | b2 = { 11 | source = "Backblaze/b2" 12 | version = "0.8.4" 13 | } 14 | google = { 15 | source = "hashicorp/google" 16 | version = "4.79.0" 17 | } 18 | } 19 | } 20 | 21 | provider "google" { 22 | project = "kutara-prod-ad74" 23 | region = "us-central1" 24 | } 25 | 26 | data "google_secret_manager_secret_version" "b2_key_id" { 27 | secret = "BACKBLAZE_MASTER_KEY_ID" 28 | } 29 | 30 | data "google_secret_manager_secret_version" "b2_key" { 31 | secret = "BACKBLAZE_MASTER_KEY" 32 | } 33 | 34 | provider "b2" { 35 | application_key = data.google_secret_manager_secret_version.b2_key.secret_data 36 | application_key_id = data.google_secret_manager_secret_version.b2_key_id.secret_data 37 | } 38 | 39 | 40 | -------------------------------------------------------------------------------- /armature/prod/butane/base.ign: -------------------------------------------------------------------------------- 1 | { 2 | "ignition": { 3 | "version": "3.3.0" 4 | }, 5 | "passwd": { 6 | "users": 
[ 7 | { 8 | "groups": [ 9 | "wheel", 10 | "sudo" 11 | ], 12 | "name": "anthonyjrabbito", 13 | "sshAuthorizedKeys": [ 14 | "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBE0SaE3DjA8TkonMthpFvud67S1wJe+XhN0pueHccwF4iDWkAUHA0wLObGORucoO//aR5o7HZGiqPSUbjIS/GwY=", 15 | "ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLhz2vRJ9Jaonksg5hQME2MWSQf8zriDMkPVuylZiF1eq+WTnqYMOiUABhJcG5sI45cfqmpeY3l/GarIV8tRd/Q=", 16 | "ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFl0kiwbZBZA0df4hT5TzgcHlrOGzRkH10n0UOtfGzlU" 17 | ] 18 | } 19 | ] 20 | } 21 | } 22 | -------------------------------------------------------------------------------- /armature/prod/butane/base.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | variant: fcos 3 | version: 1.4.0 4 | passwd: 5 | users: 6 | - name: anthonyjrabbito 7 | groups: 8 | - wheel 9 | - sudo 10 | ssh_authorized_keys: 11 | - ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBE0SaE3DjA8TkonMthpFvud67S1wJe+XhN0pueHccwF4iDWkAUHA0wLObGORucoO//aR5o7HZGiqPSUbjIS/GwY= 12 | - ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBLhz2vRJ9Jaonksg5hQME2MWSQf8zriDMkPVuylZiF1eq+WTnqYMOiUABhJcG5sI45cfqmpeY3l/GarIV8tRd/Q= 13 | - ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIFl0kiwbZBZA0df4hT5TzgcHlrOGzRkH10n0UOtfGzlU 14 | 15 | -------------------------------------------------------------------------------- /armature/prod/butane/scr1/ceph-01.ign: -------------------------------------------------------------------------------- 1 | { 2 | "ignition": { 3 | "config": { 4 | "merge": [ 5 | { 6 | "source": "https://raw.githubusercontent.com/anthr76/infra/main/armature/prod/butane/base.ign" 7 | } 8 | ] 9 | }, 10 | "version": "3.3.0" 11 | }, 12 | "storage": { 13 | "files": [ 14 | { 15 | "path": "/etc/hostname", 16 | "contents": { 17 | "source": "data:,ceph-01" 18 | }, 19 | "mode": 420 20 | } 21 | ] 22 | } 23 | } 24 | 
-------------------------------------------------------------------------------- /armature/prod/butane/scr1/ceph-01.yaml: --------------------------------------------------------------------------------
---
# Butane source for ceph-01.ign: merges the shared base config and sets the
# hostname. Keep ceph-01.ign re-rendered from this file.
variant: fcos
version: 1.4.0
ignition:
  config:
    merge:
      # NOTE(review): base.ign is fetched from the *main* branch at first boot
      # with no verification hash, so whatever that URL serves at that moment
      # (including the SSH keys it carries) is merged into the host. Butane
      # supports `verification.hash` on merge sources to pin the expected
      # content; consider adding it if the base config is meant to be stable.
      - source: https://raw.githubusercontent.com/anthr76/infra/main/armature/prod/butane/base.ign
storage:
  files:
    - path: /etc/hostname
      mode: 0644
      contents:
        inline: ceph-01
-------------------------------------------------------------------------------- /armature/prod/butane/scr1/ceph-03.yaml: --------------------------------------------------------------------------------
---
# Butane source for the ceph-03 host: base config + hostname, a root SSH key,
# docker disabled, and a first-boot unit that layers cephadm via rpm-ostree.
variant: fcos
version: 1.4.0
ignition:
  config:
    merge:
      # NOTE(review): same unpinned fetch of base.ign from main as in
      # ceph-01.yaml — a `verification.hash` here would pin the merged content.
      - source: https://raw.githubusercontent.com/anthr76/infra/main/armature/prod/butane/base.ign
passwd:
  users:
    # NOTE(review): this key is added directly to root's authorized keys
    # (key-based root SSH). base.ign already provides a wheel/sudo user on this
    # host; confirm direct root login is still required for this node and that
    # the key (comment suggests a cephadm-generated key) is rotated with it.
    - name: root
      ssh_authorized_keys:
        - ssh-rsa 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 ceph-da1cac6a-ebd1-11ec-b64d-80615f039923
storage:
  files:
    - path: /etc/hostname
      mode: 0644
      contents:
        inline: ceph-03
systemd:
  units:
    - name: docker.service
      enabled: false
    # One-shot layering of cephadm at first boot. The stamp file under
    # /var/lib (ConditionPathExists + the second ExecStart) makes the unit a
    # no-op on later boots; it runs before zincati so an auto-update does not
    # race the live apply.
    - name: rpm-ostree-layer.service
      enabled: true
      contents: |
        [Unit]
        Description=rpm-ostree layering.
        Wants=network-online.target
        After=network-online.target
        Before=zincati.service
        ConditionPathExists=!/var/lib/%N.stamp
        [Service]
        Type=oneshot
        RemainAfterExit=yes
        ExecStart=/usr/bin/rpm-ostree install --apply-live --allow-inactive cephadm
        ExecStart=/bin/touch /var/lib/%N.stamp
        [Install]
        WantedBy=multi-user.target
-------------------------------------------------------------------------------- /armature/prod/cloud-dns/.terraform.lock.hcl: --------------------------------------------------------------------------------
# This file is maintained automatically by "terraform init".
# Manual edits may be lost in future updates.

provider "registry.terraform.io/carlpett/sops" {
  version     = "0.7.2"
  constraints = "0.7.2"
  hashes = [
    "h1:+A1/RJ3eNVQHDFHjol70EfC5Yh9e78WMXxh1uoxlAYQ=",
    "h1:3Bw0Dms7NNi0bgH9kdWcSapc9hBKQy9yFMwdxivR83c=",
    "h1:4tj1DoKYd83LR3HtIiyDs2BJqwUviEEMhOuofsJi03Q=",
    "h1:5cpao0AUhGCcAJCsoThT0icxIddzmwZNdgjz7gnYWdc=",
    "h1:eetjYKFBQb6nbgxjehD/gzzAmH2ru94ha2tEzXNiNy8=",
    "h1:li6aZQcIHjJKX3zXbpu8XYIKEShGVzrmdMxKIs/IOTo=",
    "h1:nWrLW+9JjGLwfss4T7pTaE+JiZlBJQGoYxt4pDe5OE8=",
  ]
}

provider "registry.terraform.io/cloudflare/cloudflare" {
  version     = "4.13.0"
  constraints = "4.13.0"
  hashes = [
    "h1:13B93/dG0FrT26/3EF4r77UEw0cqC3wAjrN7yDSiFUo=",
    "h1:3ETcVRT14Rz6yhgdHIxmjvhsJsMjRFvWD67e2pv+/Wg=",
    "h1:5oTKFcKNqMXDX4jU0JqUeN0mabvaN6vbcl1n+vx3mrg=",
    "h1:8BaPHwPkDuBndQQZr3oWprAc5r726L/3VhnYmzD7ELs=",
    "h1:BQW5aTAUmlWij/0t9FHr/ExGCxBGRrcpjpVcSwGI0Ks=",
    "h1:IFJK0uWJrG5KMIE0nlClpOsLXuFv07C4/CXklgWuu8w=",
    "h1:JVOhc8iz7fhXBWew3LZeaxRxNFe8s0rf+ZApfjmIfog=",
    "h1:KM/upaMHmA1TY7zuNt4v/QReckaGfBZlx1TlEChVQ3E=",
    "h1:aU4V+gO1jeG0B04XwgIkFmiF1tKL5fED2YQ4AsBm5uo=",
    "h1:m9PtJmF37kHaNLiBvXIsbfmxjbqXex9PxqhnyjP0n+U=",
    "h1:mprbWtkcOEgFieEPiYAHuz4qRScGt+ELZ7OBDgyCWfQ=",
    "h1:nrBkG2lod2O3koJMm52aAn/zKaw0aVICkFZTa0QHrbQ=",
    "h1:x7g/0EXYIxIUKcq573iYMNWt+V8fnbRpWOQ50jAsQIc=",
    "h1:yZmDO/wLTGFveiWfASqUVqfyU1ZYykrT35looNDvfsc=",
  ]
}
-------------------------------------------------------------------------------- /armature/prod/cloud-dns/int.tf: --------------------------------------------------------------------------------
# Zone-wide Cloudflare settings for the internal zone (zone id comes from the
# sops-encrypted tf-secrets.sops.yaml).
resource "cloudflare_zone_settings_override" "int_cf_settings" {
  zone_id = data.sops_file.tf_secrets.data["int_zone_id"]
  settings {
    brotli                   = "on"
    challenge_ttl            = 2700
    security_level           = "high"
    opportunistic_encryption = "off"
    automatic_https_rewrites = "off"
    always_online            = "on"
    browser_check            = "on"
    ipv6                     = "on"
    # NOTE(review): edge TLS is effectively disabled for this zone — ssl and
    # universal_ssl are "off", always_use_https is "off", min_tls_version is
    # 1.1 and security_header (HSTS) is disabled. That only matters for
    # records that are proxied, but any proxied hostname in this zone would be
    # served without HTTPS; confirm this is deliberate rather than an initial
    # default that was never tightened.
    always_use_https         = "off"
    min_tls_version          = "1.1"
    universal_ssl            = "off"
    ssl                      = "off"
    development_mode         = "off"
    email_obfuscation        = "on"
    hotlink_protection       = "on"
    ip_geolocation           = "on"
    opportunistic_onion      = "on"
    privacy_pass             = "on"
    rocket_loader            = "on"
    server_side_exclude      = "on"
    tls_client_auth          = "off"
    websockets               = "off"
    tls_1_3                  = "zrt"
    minify {
      css  = "on"
      js   = "on"
      html = "on"
    }
    security_header {
      enabled = false
    }
  }
}
-------------------------------------------------------------------------------- /armature/prod/cloud-dns/kutara.tf: --------------------------------------------------------------------------------
# Zone-wide Cloudflare settings for the kutara zone. Identical to int.tf apart
# from the zone id; the same TLS-off observations apply (see int.tf).
resource "cloudflare_zone_settings_override" "kutara_cf_settings" {
  zone_id = data.sops_file.tf_secrets.data["kutara_zone_id"]
  settings {
    brotli                   = "on"
    challenge_ttl            = 2700
    security_level           = "high"
    opportunistic_encryption = "off"
    automatic_https_rewrites = "off"
    always_online            = "on"
    browser_check            = "on"
    ipv6                     = "on"
    always_use_https         = "off"
    min_tls_version          = "1.1"
    universal_ssl            = "off"
    ssl                      = "off"
    development_mode         = "off"
    email_obfuscation        = "on"
    hotlink_protection       = "on"
    ip_geolocation           = "on"
    opportunistic_onion      = "on"
    privacy_pass             = "on"
    rocket_loader            = "on"
    server_side_exclude      = "on"
    tls_client_auth          = "off"
    websockets               = "off"
    tls_1_3                  = "zrt"
    minify {
      css  = "on"
      js   = "on"
      html = "on"
    }
    security_header {
      enabled = false
    }
  }
}
-------------------------------------------------------------------------------- /armature/prod/cloud-dns/main.tf: --------------------------------------------------------------------------------
# Cloudflare DNS root: state in the GitLab-managed HTTP backend, secrets
# decrypted from tf-secrets.sops.yaml via the sops provider.
terraform {
  backend "http" {
    address        = "https://gitlab.com/api/v4/projects/27033486/terraform/state/cloud-dns-prod"
    lock_address   = "https://gitlab.com/api/v4/projects/27033486/terraform/state/cloud-dns-prod/lock"
    unlock_address = "https://gitlab.com/api/v4/projects/27033486/terraform/state/cloud-dns-prod/lock"
    lock_method    = "POST"
    unlock_method  = "DELETE"
    retry_wait_min = 5
  }
  required_providers {
    sops = {
      source  = "carlpett/sops"
      version = "0.7.2"
    }
    cloudflare = {
      source  = "cloudflare/cloudflare"
      version = "4.13.0"
    }
  }
}

provider "sops" {}

# NOTE(review): sops_file is a data source, so the decrypted values (including
# cf_api_key) are stored in the GitLab-hosted state; the state endpoint's
# access control is therefore as sensitive as the sops age key itself.
data "sops_file" "tf_secrets" {
  source_file = "tf-secrets.sops.yaml"
}

# NOTE(review): email + api_key authenticates with the account-wide Global API
# Key. The provider also accepts a scoped `api_token`, which would confine this
# workspace to the zones and permissions it actually needs.
provider "cloudflare" {
  email   = data.sops_file.tf_secrets.data["cf_email"]
  api_key = data.sops_file.tf_secrets.data["cf_api_key"]
}
-------------------------------------------------------------------------------- /armature/prod/cloud-do/vpc/.terraform.lock.hcl: --------------------------------------------------------------------------------
# This file is maintained automatically by "terraform init".
# Manual edits may be lost in future updates.
3 | 4 | provider "registry.terraform.io/digitalocean/digitalocean" { 5 | version = "2.28.1" 6 | constraints = "2.28.1" 7 | hashes = [ 8 | "h1:01/5WNolFWSt/ZE0YLb+JWr4Zpdst4UA5ZIZYKl9Yts=", 9 | "h1:4qJ8d8yjIf9866IrjUqUEePtjfBk2k4aby6oz4QSePs=", 10 | "h1:BtXT/8oFRJKufrsgExsjmFrarVnDxMImfbefg3ZBShQ=", 11 | "h1:FskzN+GiDTXVjJvLmdw8Hj6pIhLbN7T0speosrqwnac=", 12 | "h1:SYehGwIm90Pbv9JCJ+9bMWdTrNCkUo5hhycsimB1OLA=", 13 | "h1:WGr2grD8g+qyqNyQPJKCraGwPiEl/Sgk7QjnDauTkGc=", 14 | "h1:aSxcSWa0wQQGLW2/XyivecmR/BL9fVtw42Bg2UngmT0=", 15 | "h1:aX69+9V/jUTjKyvKU1ALdwsETPgNysRW0epewfKR02s=", 16 | "h1:bjUNGmY2UV5xILbX/HY9/qOzxVzcHPqT89TTESLk4p4=", 17 | "h1:bwf8OuXTm95+liFiEz1Jopi+eKyXX3CGEDVYoXWrQ8s=", 18 | "h1:gL8vGZLJ8nbGAbT25Wq98cE+OlQE/cScKbIJ+cVhLi0=", 19 | "h1:gwQEJc5ehBp3UsAQ8+euWvJeSoSJZc6tGdo2PKsucVE=", 20 | "h1:htToNXQXbdW6JnyJhLzIOU0Ir7DaaL+ndL8GY6lBT/A=", 21 | "h1:uA5JelRCf4jIvyn+X9FbO5MmAV67Jxw1GEFcPMB+iQw=", 22 | "h1:vQLbGapH57do82BFLqI9XLyLIy/K/ucSVXOlbNFICkk=", 23 | "h1:ziUR/YMhZksDWApo/+P0NnoROoLpzUbcSB+ph/mZqWI=", 24 | ] 25 | } 26 | -------------------------------------------------------------------------------- /armature/prod/cloud-do/vpc/main.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | backend "remote" { 3 | organization = "rabbito-home" 4 | workspaces { 5 | name = "core" 6 | } 7 | } 8 | required_providers { 9 | digitalocean = { 10 | source = "digitalocean/digitalocean" 11 | version = "2.28.1" 12 | } 13 | } 14 | } 15 | 16 | provider "digitalocean" { 17 | # Provider is configured using environment variables: 18 | # DIGITALOCEAN_TOKEN, DIGITALOCEAN_ACCESS_TOKEN 19 | } 20 | 21 | resource "digitalocean_vpc" "nyc1_idm" { 22 | name = var.vpc_name 23 | description = var.vpc_description 24 | region = var.vpc_region 25 | } 26 | -------------------------------------------------------------------------------- /armature/prod/cloud-do/vpc/variables.tf: 
-------------------------------------------------------------------------------- 1 | variable "vpc_name" { 2 | description = "name of the VPC" 3 | default = "idm-nyc1" 4 | } 5 | 6 | variable "vpc_description" { 7 | description = "vpc description" 8 | default = "idm network" 9 | } 10 | 11 | variable "vpc_region" { 12 | description = "vpc region" 13 | default = "nyc1" 14 | } 15 | -------------------------------------------------------------------------------- /armature/prod/gcp/bootstrap/.gitignore: -------------------------------------------------------------------------------- 1 | terraform.tfvars 2 | -------------------------------------------------------------------------------- /armature/prod/gcp/bootstrap/main.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | backend "remote" { 3 | organization = "kutara" 4 | workspaces { 5 | name = "gcp-seed" 6 | } 7 | } 8 | required_providers { 9 | google = { 10 | source = "hashicorp/google" 11 | version = "4.79.0" 12 | } 13 | } 14 | } 15 | 16 | provider "google" { 17 | region = "us-east4" 18 | } 19 | -------------------------------------------------------------------------------- /armature/prod/gcp/bootstrap/variables.tf: -------------------------------------------------------------------------------- 1 | variable "org_id" { 2 | description = "GCP Organization ID" 3 | type = string 4 | } 5 | 6 | variable "billing_account" { 7 | description = "The ID of the billing account to associate projects with." 
8 | type = string 9 | } 10 | 11 | variable "group_org_admins" { 12 | description = "Google Group for GCP Organization Administrators" 13 | type = string 14 | } 15 | 16 | variable "group_billing_admins" { 17 | description = "Google Group for GCP Billing Administrators" 18 | type = string 19 | } 20 | -------------------------------------------------------------------------------- /armature/prod/gcp/kutara/main.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | backend "remote" { 3 | organization = "kutara" 4 | workspaces { 5 | name = "gcp-kutara" 6 | } 7 | } 8 | required_providers { 9 | google = { 10 | source = "hashicorp/google" 11 | version = "4.79.0" 12 | } 13 | google-beta = { 14 | source = "hashicorp/google-beta" 15 | version = "4.79.0" 16 | } 17 | } 18 | } 19 | 20 | provider "google" { 21 | region = "us-central1" 22 | } 23 | 24 | provider "google-beta" { 25 | region = "us-central1" 26 | } 27 | -------------------------------------------------------------------------------- /armature/prod/gcp/kutara/project.tf: -------------------------------------------------------------------------------- 1 | module "kutara-proj-testing" { 2 | source = "terraform-google-modules/project-factory/google" 3 | version = "14.3.0" 4 | name = "kutara-testing" 5 | random_project_id = true 6 | org_id = var.org_id 7 | billing_account = var.billing_account 8 | activate_apis = ["compute.googleapis.com", "container.googleapis.com", "cloudbilling.googleapis.com"] 9 | } 10 | 11 | module "kutara-proj-prod" { 12 | source = "terraform-google-modules/project-factory/google" 13 | version = "14.3.0" 14 | name = "kutara-prod" 15 | random_project_id = true 16 | org_id = var.org_id 17 | billing_account = var.billing_account 18 | activate_apis = ["compute.googleapis.com", "container.googleapis.com", "cloudbilling.googleapis.com", "secretmanager.googleapis.com"] 19 | } 20 | 21 | 
-------------------------------------------------------------------------------- /armature/prod/gcp/kutara/sa.tf: --------------------------------------------------------------------------------
# Service account used by External Secrets in Kubernetes to read GCP secrets.
module "external_secrets_sa" {
  source     = "terraform-google-modules/service-accounts/google"
  version    = "4.2.1"
  project_id = module.kutara-proj-prod.project_id
  prefix     = "k8s"
  names      = ["external-secrets"]
  # NOTE(review): secretAccessor bound at project scope lets this SA read
  # every secret in kutara-prod, present and future. If the cluster consumes a
  # known set of secrets, per-secret IAM bindings would enforce least privilege.
  project_roles = [
    "${module.kutara-proj-prod.project_id}=>roles/secretmanager.secretAccessor"
  ]
  display_name = "External Secrets Kubernetes"
  description  = "Access to secrets for Kubernetes"
}


-------------------------------------------------------------------------------- /armature/prod/gcp/kutara/variables.tf: --------------------------------------------------------------------------------
variable "org_id" {
  description = "GCP Organization ID"
  type        = string
}

variable "billing_account" {
  description = "The ID of the billing account to associate projects with."
  type        = string
}

variable "group_org_admins" {
  description = "Google Group for GCP Organization Administrators"
  type        = string
}

variable "group_billing_admins" {
  description = "Google Group for GCP Billing Administrators"
  type        = string
}
-------------------------------------------------------------------------------- /armature/prod/gcp/kutara/vpc.tf: --------------------------------------------------------------------------------
# Disabled: VPC with pod/service secondary ranges for the testing project.
# Kept for reference only; nothing in the visible kutara configs refers to it.
# module "vpc" {
#   source       = "terraform-google-modules/network/google"
#   version      = "5.2.0"
#   project_id   = module.kutara-proj-testing.project_id
#   network_name = "kutara-homeprod"
#   subnets = [
#     {
#       subnet_name   = "us-central1-subnet-01"
#       subnet_ip     = "10.10.0.0/16"
#       subnet_region = "us-central1"
#     },
#   ]
#   secondary_ranges = {
#     "us-central1-subnet-01" = [
#       {
#         range_name    = "k8s-pod"
#         ip_cidr_range = "10.20.0.0/16"
#       },
#       {
#         range_name    = "k8s-service"
#         ip_cidr_range = "10.30.0.0/16"
#       },
#     ]
#   }
# }
-------------------------------------------------------------------------------- /armature/prod/gcp/top22/main.tf: --------------------------------------------------------------------------------
# top22 GCP root: remote state in the kutara org, workspace "gcp-top22".
terraform {
  backend "remote" {
    organization = "kutara"
    workspaces {
      name = "gcp-top22"
    }
  }
  required_providers {
    google = {
      source  = "hashicorp/google"
      version = "4.79.0"
    }
    google-beta = {
      source  = "hashicorp/google-beta"
      version = "4.79.0"
    }
  }
}

provider "google" {
  region = "us-central1"
}

provider "google-beta" {
  region = "us-central1"
}
-------------------------------------------------------------------------------- /armature/prod/gcp/top22/project.tf: --------------------------------------------------------------------------------
# Production project for top22, created via the project-factory module.
module "top22-proj-prod" {
  source            = "terraform-google-modules/project-factory/google"
  version           = "14.3.0"
  name              = "top22-prod"
  random_project_id = true
  org_id            = var.org_id
  billing_account   = var.billing_account
  activate_apis     = ["compute.googleapis.com", "container.googleapis.com", "cloudbilling.googleapis.com", "secretmanager.googleapis.com"]
}

-------------------------------------------------------------------------------- /armature/prod/gcp/top22/sa.tf: --------------------------------------------------------------------------------
# Disabled: External Secrets service account for top22 (mirrors kutara/sa.tf,
# older module version). The project-wide secretAccessor note from
# kutara/sa.tf would apply here as well if this is re-enabled.
# module "external_secrets_sa" {
#   source     = "terraform-google-modules/service-accounts/google"
#   version    = "4.2.0"
#   project_id = module.top22-proj-prod.project_id
#   prefix     = "k8s"
#   names      = ["external-secrets"]
#   project_roles = [
#     "${module.top22-proj-prod.project_id}=>roles/secretmanager.secretAccessor"
#   ]
#   display_name = "External Secrets Kubernetes"
#   description  = "Access to secrets for Kubernetes"
# }


-------------------------------------------------------------------------------- /armature/prod/gcp/top22/variables.tf: --------------------------------------------------------------------------------
variable "org_id" {
  description = "GCP Organization ID"
  type        = string
}

variable "billing_account" {
  description = "The ID of the billing account to associate projects with."
  type        = string
}

variable "group_org_admins" {
  description = "Google Group for GCP Organization Administrators"
  type        = string
}

variable "group_billing_admins" {
  description = "Google Group for GCP Billing Administrators"
  type        = string
}
-------------------------------------------------------------------------------- /armature/prod/nwk1/.gitignore: --------------------------------------------------------------------------------
Caddyfile
-------------------------------------------------------------------------------- /armature/prod/nwk1/dns.tf: --------------------------------------------------------------------------------
# DNS-only CNAME for the MinIO endpoint in nwk1 (ttl 1 = Cloudflare "auto").
resource "cloudflare_record" "minio" {
  zone_id = data.sops_file.tf_secrets.data["int_zone_id"]
  name    = "s3.nwk1"
  value   = "lb-2.nwk1.rabbito.tech"
  type    = "CNAME"
  ttl     = 1
}
-------------------------------------------------------------------------------- /armature/prod/nwk1/main.tf: --------------------------------------------------------------------------------
# nwk1 root (NAS VM + its DNS): GitLab HTTP state backend, secrets from
# tf-secrets.sops.yaml.
terraform {
  backend "http" {
    address        = "https://gitlab.com/api/v4/projects/27033486/terraform/state/nas-1-vm"
    lock_address   = "https://gitlab.com/api/v4/projects/27033486/terraform/state/nas-1-vm/lock"
    unlock_address = "https://gitlab.com/api/v4/projects/27033486/terraform/state/nas-1-vm/lock"
    lock_method    = "POST"
    unlock_method  = "DELETE"
    retry_wait_min = 5
  }
  required_providers {
    libvirt = {
      source  = "dmacvicar/libvirt"
      version = "0.7.1"
    }
    sops = {
      source  = "carlpett/sops"
      version = "0.7.2"
    }
    ct = {
      source  = "poseidon/ct"
      version = "0.13.0"
    }
    cloudflare = {
      source  = "cloudflare/cloudflare"
      version = "4.13.0"
    }
  }
}

provider "sops" {}

# Decrypted values are data-source results and therefore land in the state
# stored at the backend above.
data "sops_file" "tf_secrets" {
  source_file = "tf-secrets.sops.yaml"
}

# NOTE(review): email + api_key is the account-wide Global API Key (here a
# second copy, cf_api_key_alt). A scoped `api_token` limited to the int zone
# would confine what this root can change if the state or secret leaks.
provider "cloudflare" {
  email   = data.sops_file.tf_secrets.data["cf_email"]
  api_key = data.sops_file.tf_secrets.data["cf_api_key_alt"]
}
-------------------------------------------------------------------------------- /armature/prod/scr1/dns_records.tf: --------------------------------------------------------------------------------
#
# Base records
#

# cluster-0 ingress endpoint
resource "cloudflare_record" "cluster_0_ie" {
  name    = "cluster-0-ie.scr1.rabbito.tech"
  zone_id = data.sops_file.cloudflare_secrets.data["int_zone_id"]
  value   = "24.229.169.35"
  proxied = false
  type    = "A"
}
-------------------------------------------------------------------------------- /armature/prod/scr1/fcos-derivations/libvirt-01/Dockerfile: --------------------------------------------------------------------------------
# FCOS derivation for the libvirt-01 hypervisor: base image is digest-pinned,
# NetworkManager keyfiles are baked in, libvirt/qemu are layered.
FROM quay.io/coreos-assembler/fcos:stable@sha256:4366918a490a34e161b115c0ff38fdaaf226841e1d3abaca8ed48571d05f4b43

# NOTE(review): the keyfiles are installed with whatever mode/ownership COPY
# assigns; NetworkManager is expected to skip keyfiles that are not root-owned
# 0600 — confirm the mode in the built image (a chmod in the RUN below would
# make it explicit).
COPY *.nmconnection /etc/NetworkManager/system-connections

# NOTE(review): root's authorized keys are fetched from GitHub at build time
# without `-f`/`--fail` and without any pinning, so an error page or a changed
# key set is written into authorized_keys.d silently. Committing the keys
# next to the .nmconnection files (or verifying the fetched content) would
# make the trusted key set reviewable in git.
RUN \
  rpm-ostree install \
    libvirt-daemon-config-network \
    libvirt-daemon-kvm \
    qemu-kvm \
    virt-install && \
  mkdir -p /var/roothome/.ssh/authorized_keys.d && \
  curl https://github.com/anthr76.keys > /var/roothome/.ssh/authorized_keys.d/github_anthr76 && \
  rpm-ostree cleanup -m && \
  ostree container commit

-------------------------------------------------------------------------------- /armature/prod/scr1/fcos-derivations/libvirt-01/br0.nmconnection: --------------------------------------------------------------------------------
# Bridge that the VMs and the host share; eno1 is enslaved to it in
# bridge-slave-eno1.nmconnection. STP is off, so the upstream switch port must
# not be looped.
[connection]
id=br0
uuid=e0fbcda5-673b-41d2-9b67-236277dd6978
type=bridge
interface-name=br0
permissions=

[bridge]
stp=false

[ipv4]
dns-search=
method=auto

[ipv6]
addr-gen-mode=stable-privacy
dns-search=
method=auto

[proxy]

-------------------------------------------------------------------------------- /armature/prod/scr1/fcos-derivations/libvirt-01/bridge-slave-eno1.nmconnection: -------------------------------------------------------------------------------- 1 | [connection] 2 | id=bridge-slave-eno1 3 | uuid=6ee8eba7-2a21-4026-a43f-8ee960b764c6 4 | type=ethernet 5 | interface-name=eno1 6 | master=br0 7 | permissions= 8 | slave-type=bridge 9 | timestamp=1652028374 10 | 11 | [ethernet] 12 | mac-address-blacklist= 13 | mtu=1500 14 | 15 | [bridge-port] 16 | -------------------------------------------------------------------------------- /armature/prod/scr1/fcos-derivations/libvirt-01/default_connection.nmconnection: -------------------------------------------------------------------------------- 1 | [connection] 2 | id=Wired Connection 3 | uuid=2aa05654-8f69-4b56-8c32-4e4d313d3c7b 4 | type=ethernet 5 | autoconnect-retries=1 6 | multi-connect=3 7 | permissions= 8 | wait-device-timeout=60000 9 | 10 | [ethernet] 11 | mac-address-blacklist= 12 | 13 | [ipv4] 14 | dhcp-timeout=90 15 | dns-search= 16 | may-fail=false 17 | method=auto 18 | 19 | [ipv6] 20 | addr-gen-mode=eui64 21 | dhcp-timeout=90 22 | dns-search= 23 | method=auto 24 | 25 | [proxy] 26 | 27 | [user] 28 | org.freedesktop.NetworkManager.origin=nm-initrd-generator 29 | -------------------------------------------------------------------------------- /armature/prod/scr1/main.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | 3 | backend "remote" { 4 | organization = "rabbito-home" 5 | workspaces { 6 | name = "scr1-dns" 7 | } 8 | } 9 | 10 | required_providers { 11 | cloudflare = { 12 | source = "cloudflare/cloudflare" 13 | version = "4.13.0" 14 | } 15 | http = { 16 | source = "hashicorp/http" 17 | version = "3.4.0" 18 | } 19 | sops = { 20 | source = "carlpett/sops" 21 | version = "0.7.2" 22 | } 23 | } 24 | } 25 | 26 | data "sops_file" "cloudflare_secrets" { 27 | source_file = 
"tf-secret.sops.yaml" 28 | } 29 | 30 | provider "cloudflare" { 31 | email = data.sops_file.cloudflare_secrets.data["cloudflare_email"] 32 | api_key = data.sops_file.cloudflare_secrets.data["cloudflare_apikey"] 33 | } 34 | 35 | -------------------------------------------------------------------------------- /armature/prod/scr1/switch-configs/readme.md: -------------------------------------------------------------------------------- 1 | This is a stop gap until the ansible-role is fully finished. Backing up switch configs here.. 2 | 3 | Drift will happen and this serves more or less as a scratch pad. 4 | -------------------------------------------------------------------------------- /armature/prod/scr1/tf-secret.sops.yaml: -------------------------------------------------------------------------------- 1 | Kind: Secret 2 | cloudflare_email: ENC[AES256_GCM,data:ftj14dTA7I7sEVc73gMWPA==,iv:XAFxd/BoCb4GXnuBbyRnby4tOvkOzN2ghRB8nCZ0Z7w=,tag:RSnWpevglALjTOfuvxZihQ==,type:str] 3 | cloudflare_apikey: ENC[AES256_GCM,data:F3ubByPeRu/9Q5gqd4pPThNjQ9Xyf/tsKE4qJRtnugj2I/LghA==,iv:4aRWmKun2Oann7/HmnTtw7MvCV89V3ycvJsB4eaNyio=,tag:hnYSH2WRHft8O8CoLcTjKw==,type:str] 4 | int_zone_id: ENC[AES256_GCM,data:5LpMOq6ShAv0dlYwbsyXahqfTXSzEz+shC+EeJal3yg=,iv:DOxzDRgyM8DLsdJeU2mdXF9vSuQzvCEBAdG0U1C2kZI=,tag:ltZXERN7KruDmqW3FNKlLg==,type:str] 5 | sops: 6 | kms: [] 7 | gcp_kms: [] 8 | azure_kv: [] 9 | hc_vault: [] 10 | age: 11 | - recipient: age12t69fa3kqmnxdx4sca7ecv6lfu3wrfwm95zuuhujcfk3ukcn8dzsk40u6x 12 | enc: | 13 | -----BEGIN AGE ENCRYPTED FILE----- 14 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQMjl1UXE1dC8zbUFmeTNx 15 | WFQ1U2ZBZkdFc0t1bU9KMEVEMTJEU0FKV2tRCnRWRmF6NEFHN1dkdzFMeDBoSU5J 16 | TE02NStiVlpDeEpkYmdiYTFTRTcrVUkKLS0tIFZFTy9RczhrZjJuTTdTdFBUNHNB 17 | Y2MrSEFvbFZxdVM1YjRiQWNESHcvU1kKqc1tIlQqR0njmGadjnSsdfQS9dp0R20d 18 | oQZWaGx8c0yydEjUz0OmEPmUOkgKfYMOe23Hsj1UwxJglzEdiGZ55A== 19 | -----END AGE ENCRYPTED FILE----- 20 | lastmodified: "2021-10-15T20:23:59Z" 21 | mac: 
ENC[AES256_GCM,data:3vskWtNk705GQe/iG8+Z3VCHbpVyzkwvxv5NRFnFmQ5Q84Ana5UMo1Axkz+Qk6unJrtBDC9NpY/Ie8uWvvMp1th/aqGZuzCA+Qhj5dXih61nFDbvf81YuEFrLjjN/fBQ8g4zklOknipTAbu50qoHFPsxNrMke9HXOJF54nHfgEY=,iv:dG9hyRDUDN5rF5wceskIThZClTUzGNGT0ZMtZfJT3XM=,tag:gaSh0qkyq3/fj/CvF6E7QA==,type:str] 22 | pgp: [] 23 | unencrypted_regex: ^(Kind)$ 24 | version: 3.7.1 25 | -------------------------------------------------------------------------------- /armature/prod/scr1/vms/ceph-02/main.tf: -------------------------------------------------------------------------------- 1 | locals { 2 | coreos_version = "36.20220522.3.0" 3 | hostname = "ceph-02" 4 | } 5 | 6 | resource "random_uuid" "volume" { 7 | keepers = { 8 | # The glue is real yeo. But this was a script then a null provisioner lmfao. 9 | libvirt_ignition = "${sensitive(libvirt_ignition.core_os_config.content)}" 10 | } 11 | } 12 | 13 | resource "libvirt_volume" "fcos" { 14 | name = "fcos-base-${random_uuid.volume.id}" 15 | format = "qcow2" 16 | size = "20442450944" 17 | base_volume_name = "fedora-coreos-${local.coreos_version}-qemu.x86_64.qcow2" 18 | pool = "default" 19 | } 20 | 21 | resource "libvirt_volume" "persist" { 22 | name = "ceph-02-var-lib-ceph" 23 | format = "qcow2" 24 | size = "100442450944" 25 | pool = "fast-data" 26 | } 27 | 28 | data "ct_config" "ceph_02" { 29 | content = file("ceph-02.yaml") 30 | strict = true 31 | pretty_print = true 32 | } 33 | 34 | resource "libvirt_ignition" "core_os_config" { 35 | name = "ceph-02-ignition" 36 | content = data.ct_config.ceph_02.rendered 37 | } 38 | 39 | resource "libvirt_domain" "ceph_02" { 40 | name = "ceph-02" 41 | description = "Ceph daemon node" 42 | vcpu = "2" 43 | memory = "6058" 44 | qemu_agent = true 45 | coreos_ignition = libvirt_ignition.core_os_config.id 46 | autostart = true 47 | console { 48 | type = "pty" 49 | target_port = "0" 50 | } 51 | disk { 52 | volume_id = libvirt_volume.fcos.id 53 | } 54 | disk { 55 | volume_id = libvirt_volume.persist.id 56 | } 57 | 
network_interface { 58 | network_name = "vmnet" 59 | mac = "52:54:00:b2:2f:86" 60 | } 61 | } 62 | -------------------------------------------------------------------------------- /armature/prod/scr1/vms/ceph-02/providers.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | backend "remote" { 3 | organization = "kutara" 4 | workspaces { 5 | name = "scr1-ceph-02" 6 | } 7 | } 8 | required_version = ">= 0.13" 9 | required_providers { 10 | libvirt = { 11 | source = "dmacvicar/libvirt" 12 | version = "0.7.1" 13 | } 14 | ct = { 15 | source = "poseidon/ct" 16 | version = "0.13.0" 17 | } 18 | sops = { 19 | source = "carlpett/sops" 20 | version = "0.7.2" 21 | } 22 | random = { 23 | source = "hashicorp/random" 24 | version = "3.5.1" 25 | } 26 | } 27 | } 28 | 29 | provider "libvirt" { 30 | uri = "qemu+ssh://root@libvirt-01.scr1.rabbito.tech/system?&no_verify=1" 31 | } 32 | 33 | -------------------------------------------------------------------------------- /armature/prod/scr1/vms/dbs/providers.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | backend "remote" { 3 | organization = "kutara" 4 | workspaces { 5 | name = "scr1-db" 6 | } 7 | } 8 | required_version = ">= 0.13" 9 | required_providers { 10 | libvirt = { 11 | source = "dmacvicar/libvirt" 12 | version = "0.7.1" 13 | } 14 | ct = { 15 | source = "poseidon/ct" 16 | version = "0.13.0" 17 | } 18 | sops = { 19 | source = "carlpett/sops" 20 | version = "0.7.2" 21 | } 22 | random = { 23 | source = "hashicorp/random" 24 | version = "3.5.1" 25 | } 26 | postgresql = { 27 | source = "cyrilgdn/postgresql" 28 | version = "1.19.0" 29 | } 30 | } 31 | } 32 | 33 | provider "libvirt" { 34 | uri = "qemu+ssh://root@libvirt-01.scr1.rabbito.tech/system?&no_verify=1" 35 | } 36 | 37 | provider "postgresql" { 38 | host = "db-01.scr1.rabbito.tech" 39 | port = 5432 40 | database = "postgres" 41 | username = "db-01" 42 | password = 
data.sops_file.tf_secrets.data["postgres_password"] 43 | sslmode = "disable" 44 | connect_timeout = 90000000 45 | } 46 | -------------------------------------------------------------------------------- /armature/prod/scr1/vms/dbs/sops.tf: -------------------------------------------------------------------------------- 1 | provider "sops" {} 2 | 3 | data "sops_file" "tf_secrets" { 4 | source_file = "tf-secrets.sops.yaml" 5 | } 6 | -------------------------------------------------------------------------------- /armature/prod/tf-states/.terraform.lock.hcl: -------------------------------------------------------------------------------- 1 | # This file is maintained automatically by "terraform init". 2 | # Manual edits may be lost in future updates. 3 | 4 | provider "registry.terraform.io/hashicorp/tfe" { 5 | version = "0.48.0" 6 | constraints = "0.48.0" 7 | hashes = [ 8 | "h1:EEffFDWajOUNKb6Ul7zOVFSoV4PqxDuTCAa3wKLtiZI=", 9 | "h1:KOFl1bsYNzgFocTBbinbEsq5ID2MMCq/Sz/GqpeKxmg=", 10 | "h1:LJC0S6OKcyJ4z4nV7iDWg1l6UCBFm62y0bprYtIQAWk=", 11 | "h1:PTHxWVG7LZKiUFc878caQNg69Zfd0p5rnQmcHpN6SXI=", 12 | "h1:TvQVpNg1cGkVQUdsh4oqMH+KMHYRF4Lak47BBnbc4xk=", 13 | "h1:ebK4i/CbMxei4fSdGRtAgkAXDHtilc5oew8iqYmuvTg=", 14 | "h1:hOSxiCQenSPXqACkqu81odkzWJYfQ0+aBbB1XscKDYs=", 15 | "h1:mR6vWaeVncnLSMuyTVwOwuv8gu+1+YqsH/bUyXzA+hs=", 16 | "h1:u8bxmuOzxXRXZ9vg4Qr9JNbVr6vdQvW6kjnjhLXyjmg=", 17 | "h1:x3Iiy/x5LQIuMR4UjIxZRDWUEPx1ixoMCkGQT2NTEqk=", 18 | "h1:yDDZsHruGBFlS/SFWlbf4Pf1nkV0wm3JJZQXa9z5Mmk=", 19 | ] 20 | } 21 | -------------------------------------------------------------------------------- /armature/prod/tf-states/main.tf: -------------------------------------------------------------------------------- 1 | terraform { 2 | backend "remote" { 3 | organization = "kutara" 4 | workspaces { 5 | name = "tf-states" 6 | } 7 | } 8 | required_providers { 9 | tfe = { 10 | source = "hashicorp/tfe" 11 | version = "0.48.0" 12 | } 13 | } 14 | } 15 | 16 | provider "tfe" { 17 | # Configuration options 18 | 
} 19 | -------------------------------------------------------------------------------- /armature/prod/tf-states/org.tf: -------------------------------------------------------------------------------- 1 | resource "tfe_organization" "kutara" { 2 | name = "kutara" 3 | email = "admin@kutara.io" 4 | } 5 | -------------------------------------------------------------------------------- /armature/prod/tf-states/states.tf: -------------------------------------------------------------------------------- 1 | resource "tfe_workspace" "backblaze" { 2 | name = "backblaze" 3 | organization = tfe_organization.kutara.name 4 | execution_mode = "local" 5 | queue_all_runs = false 6 | } 7 | 8 | resource "tfe_workspace" "gcp_kutara" { 9 | name = "gcp-kutara" 10 | organization = tfe_organization.kutara.name 11 | execution_mode = "local" 12 | queue_all_runs = false 13 | } 14 | 15 | resource "tfe_workspace" "gcp_top22" { 16 | name = "gcp-top22" 17 | organization = tfe_organization.kutara.name 18 | execution_mode = "local" 19 | queue_all_runs = false 20 | } 21 | 22 | resource "tfe_workspace" "gcp_seed" { 23 | name = "gcp-seed" 24 | organization = tfe_organization.kutara.name 25 | execution_mode = "local" 26 | queue_all_runs = false 27 | } 28 | 29 | resource "tfe_workspace" "scr1_db" { 30 | name = "scr1-db" 31 | organization = tfe_organization.kutara.name 32 | execution_mode = "local" 33 | queue_all_runs = false 34 | } 35 | 36 | resource "tfe_workspace" "scr1_libvirt" { 37 | name = "scr1-libvirt" 38 | organization = tfe_organization.kutara.name 39 | execution_mode = "local" 40 | queue_all_runs = false 41 | } 42 | 43 | resource "tfe_workspace" "top22_github" { 44 | name = "top-22-github" 45 | organization = tfe_organization.kutara.name 46 | execution_mode = "local" 47 | queue_all_runs = false 48 | } 49 | 50 | resource "tfe_workspace" "top22_cloudflare" { 51 | name = "top-22-cloudflare" 52 | organization = tfe_organization.kutara.name 53 | execution_mode = "local" 54 | queue_all_runs = 
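false 55 | } 56 | -------------------------------------------------------------------------------- /armature/raspberrypi4-uefi/Dockerfile: --------------------------------------------------------------------------------
# Builds the per-board TFTP payload for Raspberry Pi 4 UEFI netboot: the
# upstream RPi4 UEFI release is unpacked once into /rpi4 and then copied into
# /tftp/<serial>/ for every directory under ./serials, with that board's own
# files from ./serials/<serial>/ layered on top.
FROM docker.io/library/alpine:3.18.3@sha256:7144f7bab3d4c2648d7e59409f15ec52a18006a128c733fcff20d3a4a54ba44a

# One sub-directory per board serial (the repo ships an RPI_EFI.fd in each).
COPY ./serials /serials

# The release is pinned by tag but the archive itself is not integrity-checked,
# so a replaced release asset would go straight into boot firmware.
# NOTE(review): pin the artifact with the BuildKit checksum form, e.g.
#   ADD --checksum=sha256:<digest-of-RPi4_UEFI_Firmware_v1.31.zip> <same url> RPi4_UEFI_Firmware.zip
# so a mismatch fails the build.
ADD https://github.com/pftf/RPi4/releases/download/v1.31/RPi4_UEFI_Firmware_v1.31.zip RPi4_UEFI_Firmware.zip

# The per-serial loop: `read -r` and quoting keep a serial directory name from
# being word-split or glob-expanded, and `|| exit 1` makes a failed mkdir/cp
# fail the RUN instead of being masked by the next loop iteration.
RUN apk add --update --no-cache \
        unzip \
    && mkdir /rpi4 \
    && mv RPi4_UEFI_Firmware.zip /rpi4/RPi4_UEFI_Firmware.zip \
    && cd /rpi4 \
    && unzip RPi4_UEFI_Firmware.zip \
    && rm RPi4_UEFI_Firmware.zip \
    && mkdir /tftp \
    && ls /serials | while read -r serial; do \
           mkdir "/tftp/$serial" \
           && cp -r /rpi4/* "/tftp/$serial" \
           && cp -r "/serials/$serial"/* "/tftp/$serial/" \
           || exit 1; \
       done
17 | -------------------------------------------------------------------------------- /armature/raspberrypi4-uefi/patch.yaml: -------------------------------------------------------------------------------- 1 | spec: 2 | template: 3 | spec: 4 | volumes: 5 | - name: tftp-folder 6 | emptyDir: {} 7 | initContainers: 8 | - image: quay.io/kutara/raspberrypi4-uefi:latest 9 | imagePullPolicy: Always 10 | name: tftp-folder-setup 11 | command: 12 | - cp 13 | args: 14 | - -r 15 | - /tftp 16 | - /var/lib/sidero/ 17 | volumeMounts: 18 | - mountPath: /var/lib/sidero/tftp 19 | name: tftp-folder 20 | containers: 21 | - name: manager 22 | volumeMounts: 23 | - mountPath: /var/lib/sidero/tftp 24 | name: tftp-folder 25 | -------------------------------------------------------------------------------- /armature/raspberrypi4-uefi/serials/0210edae/RPI_EFI.fd: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/anthr76/infra/995c901fe711e4baa78ee3548846fd431b601ec5/armature/raspberrypi4-uefi/serials/0210edae/RPI_EFI.fd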
-------------------------------------------------------------------------------- /armature/raspberrypi4-uefi/serials/1836c205/RPI_EFI.fd: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/anthr76/infra/995c901fe711e4baa78ee3548846fd431b601ec5/armature/raspberrypi4-uefi/serials/1836c205/RPI_EFI.fd -------------------------------------------------------------------------------- /armature/raspberrypi4-uefi/serials/3e79ca27/RPI_EFI.fd: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/anthr76/infra/995c901fe711e4baa78ee3548846fd431b601ec5/armature/raspberrypi4-uefi/serials/3e79ca27/RPI_EFI.fd -------------------------------------------------------------------------------- /armature/raspberrypi4-uefi/serials/56af08e4/RPI_EFI.fd: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/anthr76/infra/995c901fe711e4baa78ee3548846fd431b601ec5/armature/raspberrypi4-uefi/serials/56af08e4/RPI_EFI.fd -------------------------------------------------------------------------------- /armature/raspberrypi4-uefi/serials/583d6465/RPI_EFI.fd: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/anthr76/infra/995c901fe711e4baa78ee3548846fd431b601ec5/armature/raspberrypi4-uefi/serials/583d6465/RPI_EFI.fd -------------------------------------------------------------------------------- /armature/raspberrypi4-uefi/serials/61895898/RPI_EFI.fd: -------------------------------------------------------------------------------- https://raw.githubusercontent.com/anthr76/infra/995c901fe711e4baa78ee3548846fd431b601ec5/armature/raspberrypi4-uefi/serials/61895898/RPI_EFI.fd -------------------------------------------------------------------------------- /armature/raspberrypi4-uefi/serials/8e2bc983/RPI_EFI.fd: 
-------------------------------------------------------------------------------- https://raw.githubusercontent.com/anthr76/infra/995c901fe711e4baa78ee3548846fd431b601ec5/armature/raspberrypi4-uefi/serials/8e2bc983/RPI_EFI.fd -------------------------------------------------------------------------------- /docs/README.md: -------------------------------------------------------------------------------- 1 | --- 2 | description: Welcome to my infrastructure handbook 3 | --- 4 | 5 | # README 6 | 7 | A getting started guide used to exist and is now archived. 8 | 9 | {% page-ref page="archive/getting-started.md" %} 10 | 11 | A new getting started guide is currently being worked on, though it is not finished. A project to put Kubectl related CLIs in a flatpak. 12 | 13 | See here for more on how I use combustion to provision my Kubic nodes: 14 | 15 | {% page-ref page="opensuse-kubic/combustion.md" %} 16 | 17 | 18 | 19 | 20 | 21 | -------------------------------------------------------------------------------- /docs/opensuse-kubic/combustion-examples/ignition/combustion/autologin.conf: -------------------------------------------------------------------------------- 1 | [Service] 2 | ExecStart= 3 | ExecStart=-/sbin/agetty -a localanthony %I $TERM 4 | -------------------------------------------------------------------------------- /docs/opensuse-kubic/combustion-examples/ignition/combustion/firstbootreboot.service: -------------------------------------------------------------------------------- 1 | [Unit] 2 | Description=First Boot Reboot 3 | 4 | [Service] 5 | Type=oneshot 6 | ExecStart=rm /etc/systemd/system/firstbootreboot.service 7 | ExecStart=rm /etc/systemd/system/default.target.wants/firstbootreboot.service 8 | ExecStart=systemctl reboot 9 | 10 | [Install] 11 | WantedBy=default.target 12 | -------------------------------------------------------------------------------- /docs/opensuse-kubic/combustion-examples/ignition/combustion/id_rsa.pub: 
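-------------------------------------------------------------------------------- 1 | ssh-rsa 2 | -------------------------------------------------------------------------------- /docs/opensuse-kubic/combustion-examples/ignition/combustion/script: --------------------------------------------------------------------------------
#!/bin/bash
# combustion: network
# Redirect output to the console. This has to come first so every command
# below is logged; at the end of the script (where it used to sit) nothing
# ran after it, so nothing was captured.
exec > >(exec tee -a /dev/tty0) 2>&1

# First-boot provisioning for a Kubic node: creates the local admin user with
# its SSH key and console autologin, adds the OBS Kubernetes repo, installs
# the supporting packages, sets the hostname and schedules one reboot.
# The relative paths (autologin.conf, firstbootreboot.service, the key file)
# assume the combustion directory is the working directory.

## Mount /var and /home so user can be created smoothly
mount /var
mount /home

## Make user
useradd -m localanthony

## Add user to sudoers
# NOTE(review): NOPASSWD sudo combined with the tty1 autologin installed
# below means anyone at the console gets an unauthenticated root shell;
# fine for a lab node, worth a second look anywhere else.
echo "localanthony ALL=(ALL) NOPASSWD: ALL" > /etc/sudoers.d/localanthony
# 0440 is the mode sudo expects for sudoers.d drop-ins.
chmod 0440 /etc/sudoers.d/localanthony

## Create ssh folder and populate authorized_keys for remote sshd
# NOTE(review): the example combustion tree in this repo ships the key as
# id_rsa.pub, not authorized_keys -- confirm the file name on the media.
mkdir -pm700 /home/localanthony/.ssh
cat authorized_keys > /home/localanthony/.ssh/authorized_keys
chmod 0600 /home/localanthony/.ssh/authorized_keys
# chown after the file exists, so authorized_keys is owned by the user too.
chown localanthony:users -R /home/localanthony/.ssh

## Make user login by default
mkdir -p /etc/systemd/system/getty@tty1.service.d
cp autologin.conf /etc/systemd/system/getty@tty1.service.d

## Reboot after setup
cp firstbootreboot.service /etc/systemd/system/
systemctl enable firstbootreboot.service

# Add OBS Repo
# --gpg-auto-import-keys accepts the repo signing key on first use rather
# than a pre-pinned key; acceptable for a personal OBS project, but note it
# is trust-on-first-use.
zypper --non-interactive addrepo https://download.opensuse.org/repositories/home:anthr76:kubernetes/openSUSE_Tumbleweed/home:anthr76:kubernetes.repo
zypper --non-interactive --gpg-auto-import-keys refresh

# Install supporting K8s packages
zypper --non-interactive --gpg-auto-import-keys install python38-rpm open-iscsi python3-openshift inotify-tools terminfo

# Enable iscsid
systemctl enable iscsid

# Set hostname
echo "master-02.k8s.rabbito.tech" > /etc/hostname
echo "kernel.hostname = master-02.k8s.rabbito.tech" > /etc/sysctl.d/85-hostname-sysctl.conf

## Clear up mounts
umount /var
umount /home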
-------------------------------------------------------------------------------- /docs/opensuse-kubic/combustion-examples/ignition/ignition/IGNORE: -------------------------------------------------------------------------------- 1 | { 2 | "ignition": { "version": "3.1.0" }, 3 | "passwd": { 4 | "users": [ 5 | { 6 | "name": "root", 7 | "sshAuthorizedKeys": [ 8 | "ssh-rsa " 9 | ] 10 | } 11 | ] 12 | } 13 | } 14 | { 15 | "ignition": { "version": "3.0.0" }, 16 | "storage": { 17 | "files": [{ 18 | "filesystem": "root", 19 | "path": "/etc/hostname", 20 | "mode": 420, 21 | "overwrite": true, 22 | "contents": { "source": "data:,master-02.k8s.rabbito.tech" } 23 | }] 24 | } 25 | } 26 | -------------------------------------------------------------------------------- /docs/opensuse-kubic/combustion.md: -------------------------------------------------------------------------------- 1 | # Combustion 2 | 3 | !!! note "Work in progress" 4 | This document is a work in progress. 5 | 6 | See [file directory](https://github.com/anthr76/infra/tree/main/docs/combustion-examples) and files for a combustion example. Combustion sits on a micro-sd card in my nodes, and the OS lives on a hard drive. 7 | 8 | An example combustion directory tree looks like: 9 | 10 | ```text 11 | . 12 | └── ignition/ 13 | ├── combustion/ 14 | │ ├── autologin.conf 15 | │ ├── firstreboot.service 16 | │ ├── id_rsa.pub 17 | │ └── script 18 | └── ignition/ 19 | └── ignition.ign 20 | ``` 21 | 22 | This can be used to package into an ISO. 
23 | 24 | #### Relevant Links 25 | 26 | * [MicroOS RPi Network Monitor](https://rootco.de/2020-12-09-microos-pi-network-monitor/) 27 | 28 | * [OpenSuse Docs](https://en.opensuse.org/Portal:MicroOS/Combustion) 29 | -------------------------------------------------------------------------------- /docs/pimatrix.md: -------------------------------------------------------------------------------- 1 | ### Pi Matrix 2 | 3 | | Mac | Serial | Desired Hostname| Pi | Known eeprom | 4 | | :------------------ |:----------:| :--------------:| :-----:|:------------:| 5 | |`dc:a6:32:cc:34:a6` | `56af08e4` | worker-4 | v4 8gb | `000138a1` | 6 | |`dc:a6:32:46:d6:3c` | `61895898` | worker-5 | v4 4gb | `000138a1` | 7 | |`dc:a6:32:39:76:89` | `1836c205` | worker-7 | v4 4gb | `000138a1` | 8 | |`dc:a6:32:39:5d:69` | `8e2bc983` | master-1 | v4 4gb | `000138a1` | 9 | |`dc:a6:32:03:cf:77` | `583d6465` | master-2 | v4 4gb | `000138a1` | 10 | |`dc:a6:32:03:d2:ff` | `3e79ca27` | master-3 | v4 4gb | `000138a1` | 11 | 12 | [BootOrder Docs](https://www.raspberrypi.org/documentation/hardware/raspberrypi/bcm2711_bootloader_config.md) 13 | 14 | ``` 15 | sudo -E rpi-eeprom-config --edit 16 | BOOT_ORDER=0xf241 17 | ``` 18 | -------------------------------------------------------------------------------- /docs/secrets/sealed-secrets.md: -------------------------------------------------------------------------------- 1 | # Sealed Secrets 2 | 3 | -------------------------------------------------------------------------------- /hack/k8srollingUpdate.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | # This is a hack until auto updates with Zincati is supported. 4 | # This can be smarter using Kubectl etc but at this point Zincati might 5 | # Actually work but I don't have the time to figure that out currently. 
6 | 7 | hosts=( 8 | "worker-01.scr1.rabbito.tech" 9 | "worker-02.scr1.rabbito.tech" 10 | "worker-03.scr1.rabbito.tech" 11 | "worker-13.scr1.rabbito.tech" 12 | "worker-14.scr1.rabbito.tech" 13 | ) 14 | 15 | Color_Off='\033[0m' # Text Reset 16 | Black='\033[0;30m' # Black 17 | Red='\033[0;31m' # Red 18 | Green='\033[0;32m' # Green 19 | 20 | for i in "${hosts[@]}"; do 21 | echo -e ${Green} Starting "$i" ${Color_Off} 22 | ssh -l core "$i" 'sudo rpm-ostree upgrade -r; exit' 23 | sleep 15 24 | while ! timeout 0.2 ping -c 1 -n "$i" &>/dev/null; do 25 | printf "%c" "." 26 | done 27 | printf "\n%s\n" "Server is back online" 28 | 29 | done 30 | -------------------------------------------------------------------------------- /hack/pvcPod.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Pod 4 | metadata: 5 | name: task-pvc-pod 6 | namespace: media 7 | spec: 8 | volumes: 9 | - name: task-pv-storage 10 | persistentVolumeClaim: 11 | claimName: config-sonarr-0 12 | containers: 13 | - name: task-pv-container 14 | image: registry.fedoraproject.org/fedora:latest 15 | command: [ "/bin/bash", "-c", "--" ] 16 | args: [ "while true; do sleep 180; done;" ] 17 | volumeMounts: 18 | - mountPath: "/data" 19 | name: task-pv-storage 20 | -------------------------------------------------------------------------------- /k8s/base/crypto/bitcoind/helm-release.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2 3 | kind: HelmRelease 4 | metadata: 5 | name: bitcoind 6 | namespace: crypto 7 | labels: 8 | component.kutara.io/part-of: standard-helm-release 9 | spec: 10 | interval: 30m 11 | chart: 12 | spec: 13 | chart: bitcoind 14 | version: 0.3.1 15 | sourceRef: 16 | kind: HelmRepository 17 | name: galoymoney 18 | namespace: flux-system 19 | values: 20 | replicaCount: 1 21 | persistence: 22 | storageClass: slow-ceph-block 23 | 24 | 
-------------------------------------------------------------------------------- /k8s/base/crypto/bitcoind/service-monitor.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: monitoring.coreos.com/v1 3 | kind: ServiceMonitor 4 | metadata: 5 | name: bitcoind 6 | namespace: crypto 7 | spec: 8 | endpoints: 9 | - port: metrics 10 | namespaceSelector: 11 | matchNames: 12 | - crypto 13 | selector: 14 | matchLabels: 15 | app.kubernetes.io/instance: bitcoind 16 | app.kubernetes.io/name: bitcoind 17 | -------------------------------------------------------------------------------- /k8s/base/crypto/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - namespace.yaml 6 | -------------------------------------------------------------------------------- /k8s/base/crypto/lnd/external-secret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: external-secrets.io/v1beta1 3 | kind: ExternalSecret 4 | metadata: 5 | name: lnd 6 | namespace: crypto 7 | spec: 8 | refreshInterval: 1h 9 | secretStoreRef: 10 | kind: ClusterSecretStore 11 | name: gcp-kutara-prod 12 | target: 13 | name: lnd-es 14 | creationPolicy: Owner 15 | template: 16 | engineVersion: v2 17 | data: 18 | # postgresql://dbuser:dbpass@127.0.0.1:5432/dbname 19 | uri: 'postgresql://lnd:{{ .postgres_password }}@postgres-rw.database.svc.cluster.local:5432/lnd' 20 | postgresql-password: '{{.postgres_password}}' 21 | data: 22 | - secretKey: postgres_password 23 | remoteRef: 24 | key: lnd-postgres-password 25 | -------------------------------------------------------------------------------- /k8s/base/crypto/lnd/helm-release.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2 3 | kind: 
HelmRelease 4 | metadata: 5 | name: lnd 6 | namespace: crypto 7 | labels: 8 | component.kutara.io/part-of: standard-helm-release 9 | spec: 10 | dependsOn: 11 | - name: bitcoind 12 | interval: 10m 13 | upgrade: 14 | disableWait: true 15 | remediation: 16 | remediateLastFailure: false 17 | chart: 18 | spec: 19 | chart: lnd 20 | version: 0.9.0 21 | sourceRef: 22 | kind: HelmRepository 23 | name: galoymoney 24 | namespace: flux-system 25 | values: 26 | configmap: 27 | customValues: 28 | - bitcoind.rpchost=bitcoind:8332 29 | - tlsextradomain=lnd.scr1.rabbito.tech 30 | - tlsextradomain=77n5xifxcsdgmwya5d6nhid7twuanoszd727nko6jcepbltqorw2wfqd.onion 31 | - alias=Kutara 32 | - allow-circular-route=true 33 | loop: 34 | persistence: 35 | storageClass: fast-ceph-block 36 | persistence: 37 | storageClass: fast-ceph-block 38 | postgresql: 39 | auth: 40 | existingSecret: lnd-es 41 | lnd: 42 | db: 43 | config: 44 | secret: lnd-es 45 | -------------------------------------------------------------------------------- /k8s/base/crypto/lnd/ingress.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: networking.k8s.io/v1 3 | kind: Ingress 4 | metadata: 5 | name: lnd 6 | annotations: 7 | cert-manager.io/cluster-issuer: letsencrypt-production 8 | internal-whitelist.kutara.io/enabled: "true" 9 | nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" 10 | namespace: crypto 11 | spec: 12 | ingressClassName: nginx 13 | rules: 14 | - host: lnd.scr1.rabbito.tech 15 | http: 16 | paths: 17 | - backend: 18 | service: 19 | name: lnd 20 | port: 21 | number: 8080 22 | path: / 23 | pathType: Prefix 24 | tls: 25 | - hosts: 26 | - lnd.scr1.rabbito.tech 27 | secretName: lnd-tls 28 | -------------------------------------------------------------------------------- /k8s/base/crypto/lnd/service-monitor.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: monitoring.coreos.com/v1 3 | kind: 
ServiceMonitor 4 | metadata: 5 | name: lnd 6 | namespace: crypto 7 | spec: 8 | endpoints: 9 | - port: http 10 | namespaceSelector: 11 | matchNames: 12 | - crypto 13 | selector: 14 | matchLabels: 15 | app.kubernetes.io/instance: lnd 16 | app.kubernetes.io/name: lndmon 17 | -------------------------------------------------------------------------------- /k8s/base/crypto/lnd2/external-secret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: external-secrets.io/v1beta1 3 | kind: ExternalSecret 4 | metadata: 5 | name: lnd2 6 | namespace: crypto 7 | spec: 8 | refreshInterval: 1h 9 | secretStoreRef: 10 | kind: ClusterSecretStore 11 | name: gcp-kutara-prod 12 | target: 13 | name: lnd2-es 14 | creationPolicy: Owner 15 | template: 16 | engineVersion: v2 17 | data: 18 | # postgresql://dbuser:dbpass@127.0.0.1:5432/dbname 19 | uri: 'postgresql://lnd:{{ .postgres_password }}@postgres-rw.database.svc.cluster.local:5432/lnd2' 20 | postgresql-password: '{{.postgres_password}}' 21 | data: 22 | - secretKey: postgres_password 23 | remoteRef: 24 | key: lnd2-postgres-password 25 | -------------------------------------------------------------------------------- /k8s/base/crypto/lnd2/helm-release.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2 3 | kind: HelmRelease 4 | metadata: 5 | name: lnd2 6 | namespace: crypto 7 | labels: 8 | component.kutara.io/part-of: standard-helm-release 9 | spec: 10 | dependsOn: 11 | - name: bitcoind 12 | interval: 10m 13 | upgrade: 14 | disableWait: true 15 | remediation: 16 | remediateLastFailure: false 17 | chart: 18 | spec: 19 | chart: lnd 20 | version: 0.9.0 21 | sourceRef: 22 | kind: HelmRepository 23 | name: galoymoney 24 | namespace: flux-system 25 | values: 26 | configmap: 27 | customValues: 28 | - bitcoind.rpchost=bitcoind:8332 29 | - tlsextradomain=lnd2.scr1.rabbito.tech 30 | - 
tlsextradomain=esbluzwc7wmbjdy3ekdesjp3c4cbobxif3tiukppsipuswsnsudj3pid.onion 31 | - alias="Kutara Pay" 32 | - allow-circular-route=true 33 | loop: 34 | persistence: 35 | storageClass: fast-ceph-block 36 | persistence: 37 | storageClass: fast-ceph-block 38 | postgresql: 39 | auth: 40 | existingSecret: lnd-es 41 | lnd: 42 | db: 43 | config: 44 | secret: lnd-es 45 | -------------------------------------------------------------------------------- /k8s/base/crypto/lnd2/ingress.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: networking.k8s.io/v1 3 | kind: Ingress 4 | metadata: 5 | name: lnd2 6 | annotations: 7 | cert-manager.io/cluster-issuer: letsencrypt-production 8 | internal-whitelist.kutara.io/enabled: "true" 9 | nginx.ingress.kubernetes.io/backend-protocol: "HTTPS" 10 | namespace: crypto 11 | spec: 12 | ingressClassName: nginx 13 | rules: 14 | - host: lnd2.scr1.rabbito.tech 15 | http: 16 | paths: 17 | - backend: 18 | service: 19 | name: lnd2 20 | port: 21 | number: 8080 22 | path: / 23 | pathType: Prefix 24 | tls: 25 | - hosts: 26 | - lnd2.scr1.rabbito.tech 27 | secretName: lnd2-tls 28 | -------------------------------------------------------------------------------- /k8s/base/crypto/lnd2/service-monitor.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: monitoring.coreos.com/v1 3 | kind: ServiceMonitor 4 | metadata: 5 | name: lnd2 6 | namespace: crypto 7 | spec: 8 | endpoints: 9 | - port: http 10 | namespaceSelector: 11 | matchNames: 12 | - crypto 13 | selector: 14 | matchLabels: 15 | app.kubernetes.io/instance: lnd2 16 | app.kubernetes.io/name: lndmon 17 | -------------------------------------------------------------------------------- /k8s/base/crypto/lndhub/external-secret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: external-secrets.io/v1beta1 3 | kind: ExternalSecret 4 | 
metadata: 5 | name: lndhub 6 | namespace: crypto 7 | spec: 8 | refreshInterval: 1h 9 | secretStoreRef: 10 | kind: ClusterSecretStore 11 | name: gcp-kutara-prod 12 | target: 13 | name: lndhub-es 14 | creationPolicy: Owner 15 | template: 16 | engineVersion: v2 17 | data: 18 | # postgresql://user:password@localhost:5432/lndhub?sslmode=disable 19 | DATABASE_URI: 'postgresql://lndhub:{{ .postgres_password }}@postgres-rw.database.svc.cluster.local:5432/lndhub?sslmode=disable' 20 | JWT_SECRET: '{{.jwt_secret}}' 21 | ADMIN_TOKEN: '{{ .admin_token }}' 22 | postgresql-password: '{{.postgres_password}}' 23 | data: 24 | - secretKey: postgres_password 25 | remoteRef: 26 | key: lndhub-postgres-password 27 | - secretKey: jwt_secret 28 | remoteRef: 29 | key: lndhub-jwt 30 | - secretKey: admin_token 31 | remoteRef: 32 | key: lndhub-admin-token 33 | 34 | -------------------------------------------------------------------------------- /k8s/base/crypto/namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: crypto 6 | labels: 7 | component.kutara.io/postgres-secrets: "true" 8 | -------------------------------------------------------------------------------- /k8s/base/crypto/network-policy.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: "cilium.io/v2" 3 | kind: CiliumNetworkPolicy 4 | metadata: 5 | name: "isolate-crypto" 6 | namespace: crypto 7 | spec: 8 | endpointSelector: 9 | matchLabels: 10 | {} 11 | ingress: 12 | - fromEndpoints: 13 | - matchLabels: 14 | k8s:io.kubernetes.pod.namespace: crypto 15 | - fromEndpoints: 16 | - matchLabels: 17 | k8s:io.kubernetes.pod.namespace: database 18 | cnpg.io/cluster: postgres 19 | toPorts: 20 | - ports: 21 | - port: '5432' 22 | protocol: TCP 23 | - fromEndpoints: 24 | - matchLabels: 25 | k8s:io.kubernetes.pod.namespace: monitoring 26 | name: prometheus 27 | toPorts: 28 | - 
ports: 29 | - port: '3000' 30 | protocol: TCP 31 | - ports: 32 | - port: '9092' 33 | protocol: TCP 34 | - fromEndpoints: 35 | - matchLabels: 36 | k8s:io.kubernetes.pod.namespace: networking 37 | app.kubernetes.io/name: ingress-nginx 38 | 39 | egress: 40 | - toEndpoints: 41 | - matchLabels: 42 | k8s:io.kubernetes.pod.namespace: crypto 43 | - toEntities: 44 | - world 45 | - kube-apiserver 46 | - toEndpoints: 47 | - matchLabels: 48 | k8s:io.kubernetes.pod.namespace: kube-system 49 | k8s-app: kube-dns 50 | toPorts: 51 | - ports: 52 | - port: '53' 53 | protocol: UDP 54 | - toEndpoints: 55 | - matchLabels: 56 | k8s:io.kubernetes.pod.namespace: database 57 | cnpg.io/cluster: postgres 58 | toPorts: 59 | - ports: 60 | - port: '5432' 61 | protocol: TCP 62 | -------------------------------------------------------------------------------- /k8s/base/crypto/peerswap/config-map.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: ConfigMap 3 | metadata: 4 | name: peerswap 5 | namespace: crypto 6 | data: 7 | peerswap.conf: | 8 | -------------------------------------------------------------------------------- /k8s/base/crypto/rtl/helm-release.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2 3 | kind: HelmRelease 4 | metadata: 5 | name: rtl 6 | namespace: crypto 7 | labels: 8 | component.kutara.io/part-of: standard-helm-release 9 | spec: 10 | dependsOn: 11 | - name: lnd 12 | interval: 30m 13 | chart: 14 | spec: 15 | chart: rtl 16 | version: 0.4.3 17 | sourceRef: 18 | kind: HelmRepository 19 | name: galoymoney 20 | namespace: flux-system 21 | values: 22 | ingress: 23 | enabled: true 24 | annotations: 25 | cert-manager.io/cluster-issuer: letsencrypt-production 26 | # nginx.ingress.kubernetes.io/whitelist-source-range: | 27 | # 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,2001:559:87dd::/48 28 | hostname: rtl.scr1.rabbito.tech 29 | 
ingressClassName: "nginx" 30 | tls: true 31 | lnds: 32 | - url: lnd 33 | secretName: lnd-credentials 34 | dark: true 35 | themeColor: YELLOW 36 | - url: lnd2 37 | secretName: lnd2-credentials 38 | dark: true 39 | themeColor: YELLOW 40 | resources: 41 | requests: 42 | memory: 50Mi 43 | cpu: 10m 44 | limits: 45 | memory: 512Mi 46 | cpu: 500m 47 | 48 | -------------------------------------------------------------------------------- /k8s/base/crypto/rtl/ingress.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: networking.k8s.io/v1 3 | kind: Ingress 4 | metadata: 5 | annotations: 6 | cert-manager.io/cluster-issuer: letsencrypt-production 7 | # internal-whitelist.kutara.io/enabled: "true" 8 | labels: 9 | app.kubernetes.io/instance: rtl 10 | app.kubernetes.io/name: rtl 11 | name: rtl 12 | namespace: crypto 13 | spec: 14 | ingressClassName: nginx 15 | rules: 16 | - host: rtl.scr1.rabbito.tech 17 | http: 18 | paths: 19 | - backend: 20 | service: 21 | name: rtl 22 | port: 23 | number: 3000 24 | path: / 25 | pathType: Prefix 26 | tls: 27 | - hosts: 28 | - rtl.scr1.rabbito.tech 29 | secretName: rtl-tls 30 | -------------------------------------------------------------------------------- /k8s/base/database/cloudnative-pg/cluster/cluster-external-secret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: external-secrets.io/v1beta1 3 | kind: ClusterExternalSecret 4 | metadata: 5 | name: postgres-superuser 6 | spec: 7 | externalSecretName: "postgres-superuser" 8 | externalSecretSpec: 9 | secretStoreRef: 10 | kind: ClusterSecretStore 11 | name: gcp-kutara-prod 12 | target: 13 | name: postgres-superuser 14 | creationPolicy: Owner 15 | data: 16 | - secretKey: username 17 | remoteRef: 18 | key: cpng-supeuser-username 19 | - secretKey: password 20 | remoteRef: 21 | key: cpng-superuser-password 22 | namespaceSelector: 23 | matchLabels: 24 | 
component.kutara.io/postgres-secrets: "true" 25 | 26 | -------------------------------------------------------------------------------- /k8s/base/database/cloudnative-pg/cluster/cluster.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: postgresql.cnpg.io/v1 3 | kind: Cluster 4 | metadata: 5 | name: postgres 6 | namespace: database 7 | spec: 8 | affinity: 9 | nodeSelector: 10 | kubernetes.io/arch: amd64 11 | instances: 3 12 | imageName: ghcr.io/cloudnative-pg/postgresql:15.1 13 | primaryUpdateStrategy: unsupervised 14 | storage: 15 | size: 50Gi 16 | storageClass: fast-ceph-block 17 | superuserSecret: 18 | name: postgres-superuser 19 | monitoring: 20 | enablePodMonitor: true 21 | -------------------------------------------------------------------------------- /k8s/base/database/cloudnative-pg/deploy/helm-release.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2 3 | kind: HelmRelease 4 | metadata: 5 | name: cloudnative-pg 6 | namespace: database 7 | labels: 8 | component.kutara.io/part-of: standard-helm-release 9 | spec: 10 | interval: 30m 11 | chart: 12 | spec: 13 | chart: cloudnative-pg 14 | version: 0.22.1 15 | sourceRef: 16 | kind: HelmRepository 17 | name: cloudnative-pg 18 | namespace: flux-system 19 | values: 20 | nodeSelector: 21 | kubernetes.io/arch: amd64 22 | -------------------------------------------------------------------------------- /k8s/base/database/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - namespace.yaml 6 | -------------------------------------------------------------------------------- /k8s/base/database/namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: 
Namespace 4 | metadata: 5 | name: database 6 | labels: 7 | component.kutara.io/postgres-secrets: "true" 8 | -------------------------------------------------------------------------------- /k8s/base/database/redis/helm-release.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2 3 | kind: HelmRelease 4 | metadata: 5 | name: redis 6 | namespace: database 7 | labels: 8 | component.kutara.io/part-of: standard-helm-release 9 | spec: 10 | interval: 15m 11 | upgrade: 12 | disableWait: true 13 | force: true 14 | chart: 15 | spec: 16 | chart: redis 17 | version: 18.0.0 18 | sourceRef: 19 | kind: HelmRepository 20 | name: bitnami-charts 21 | namespace: flux-system 22 | values: 23 | global: 24 | storageClass: fast-ceph-block 25 | auth: 26 | enabled: false 27 | sentinel: false 28 | master: 29 | nodeSelector: 30 | kubernetes.io/arch: amd64 31 | replica: 32 | nodeSelector: 33 | kubernetes.io/arch: amd64 34 | sentinel: 35 | enabled: false 36 | resources: 37 | limits: 38 | cpu: 800m 39 | memory: 800Mi 40 | requests: 41 | cpu: 20m 42 | memory: 30Mi 43 | metrics: 44 | enabled: true 45 | serviceMonitor: 46 | enabled: true 47 | 48 | -------------------------------------------------------------------------------- /k8s/base/database/redis/sentinel/helm-release.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2 3 | kind: HelmRelease 4 | metadata: 5 | name: redis-sentinel 6 | namespace: database 7 | labels: 8 | component.kutara.io/part-of: standard-helm-release 9 | spec: 10 | interval: 15m 11 | upgrade: 12 | disableWait: true 13 | force: true 14 | chart: 15 | spec: 16 | chart: redis 17 | version: 18.0.0 18 | sourceRef: 19 | kind: HelmRepository 20 | name: bitnami-charts 21 | namespace: flux-system 22 | values: 23 | global: 24 | storageClass: fast-ceph-block 25 | auth: 26 | enabled: false 27 | sentinel: false 28 | master: 
29 | nodeSelector: 30 | kubernetes.io/arch: amd64 31 | replica: 32 | nodeSelector: 33 | kubernetes.io/arch: amd64 34 | sentinel: 35 | enabled: true 36 | masterSet: redis-master 37 | getMasterTimeout: 10 38 | startupProbe: 39 | failureThreshold: 2 40 | resources: 41 | limits: 42 | cpu: 800m 43 | memory: 800Mi 44 | requests: 45 | cpu: 20m 46 | memory: 30Mi 47 | metrics: 48 | enabled: true 49 | serviceMonitor: 50 | enabled: true 51 | 52 | -------------------------------------------------------------------------------- /k8s/base/default/evobot/deployment.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: apps/v1 3 | kind: Deployment 4 | metadata: 5 | name: evobot 6 | namespace: default 7 | spec: 8 | progressDeadlineSeconds: 600 9 | replicas: 1 10 | revisionHistoryLimit: 10 11 | selector: 12 | matchLabels: 13 | app.kubernetes.io/name: evobot 14 | strategy: 15 | type: RollingUpdate 16 | template: 17 | metadata: 18 | creationTimestamp: null 19 | labels: 20 | app.kubernetes.io/component: evobot 21 | app.kubernetes.io/name: evobot 22 | spec: 23 | containers: 24 | - envFrom: 25 | - secretRef: 26 | name: evobot 27 | image: docker.io/eritislami/evobot:2.9.0 28 | imagePullPolicy: IfNotPresent 29 | name: evobot 30 | resources: 31 | limits: 32 | cpu: "1000" 33 | memory: 2Gi 34 | requests: 35 | cpu: 128m 36 | memory: 128Mi 37 | terminationMessagePath: /dev/termination-log 38 | terminationMessagePolicy: File 39 | dnsPolicy: ClusterFirst 40 | -------------------------------------------------------------------------------- /k8s/base/default/evobot/secret.sops.yaml: -------------------------------------------------------------------------------- 1 | # yamllint disable 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: evobot 6 | namespace: default 7 | type: Opaque 8 | stringData: 9 | TOKEN: 
ENC[AES256_GCM,data:KBudZKyB7EuyEtze121WA4chIQvYFyIiRSpgpbnfFWsAyUMfbCyyGMrx0MVEsB/NobLE9gYkmATlel3hyso1c4aH20egHfHh,iv:c+rtVEKKjfXmYs/IB0MRF2T2av/6KqAaX9V1ETVXoic=,tag:xBSSFNj7ylyAH2pcYiOHFw==,type:str] 10 | MAX_PLAYLIST_SIZE: ENC[AES256_GCM,data:KF4=,iv:39dTRsM++vcT8wikqBQTRlrRd9aCMqgHzrhpgvZY7Lw=,tag:+MCDV0PfFHb95M+lxC4Hag==,type:str] 11 | sops: 12 | kms: [] 13 | gcp_kms: [] 14 | azure_kv: [] 15 | hc_vault: [] 16 | age: 17 | - recipient: age12t69fa3kqmnxdx4sca7ecv6lfu3wrfwm95zuuhujcfk3ukcn8dzsk40u6x 18 | enc: | 19 | -----BEGIN AGE ENCRYPTED FILE----- 20 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCUXlxdXpIT3krRi9VMXEz 21 | YXJqcERZZUV1YlgrK2hYUmx6WDhMcFprMVQwCjVmczc0YkFQblhMbnA5dVQzaUNJ 22 | MnBLM210NmIvSXZOM1JUZFpUOUpqU1kKLS0tIFdvdnJ2QnArZ0JUcEcrTzdjMjNo 23 | a1gxOWRxY1RMdVErcGk5byt4L3QzNEEKICpnOnU5Z2Gq4JkgVAUXlg/gbSQkI78E 24 | ntBScqNNbgZEtF7Ob+33s08XR/R/HAtH/k7sV2s9w8kmnVXZVKMHnA== 25 | -----END AGE ENCRYPTED FILE----- 26 | lastmodified: "2023-12-16T22:34:03Z" 27 | mac: ENC[AES256_GCM,data:KDmN7W7fLIZ6/if+uxtX+g9WHhZ6FOFbwgoc/i/7EhBdB1SHT897Kf32BTguh25PzPV+F4Abdj1RJuT9XFhY3idIbnKBks7/yOBwIBEO6/wgOQhdSUFJwiEG6Qq131dCE2tDBpNi5kdduaUVIgAyzkfmKxbCFnQC9J/+W7FP2Ms=,iv:9cVI5E28pZV69BQ/dPIn9tAX7268nfx7ExNCgnfkD5E=,tag:G0ticieCU15mYEMJiiwXUA==,type:str] 28 | pgp: [] 29 | encrypted_regex: ((?i)(pass|secret($|[^N])|key|token|^data$|^stringData)) 30 | version: 3.8.1 31 | -------------------------------------------------------------------------------- /k8s/base/default/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - namespace.yaml 6 | -------------------------------------------------------------------------------- /k8s/base/default/namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: default 6 | 
# --------------------------------------------------------------------------------
# /k8s/base/default/palworld/helm-release.yaml
# --------------------------------------------------------------------------------
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: palworld-server
  namespace: default
  labels:
    component.kutara.io/part-of: standard-helm-release
spec:
  interval: 30m
  chart:
    spec:
      chart: palworld
      version: 0.30.1
      sourceRef:
        kind: HelmRepository
        name: palworld-charts
        namespace: default
  # NOTE(review): the nesting under `server:` below is reconstructed from a
  # collapsed listing — check it against the chart's values.yaml.
  values:
    server:
      image:
        # Tag-pinned third-party image; a @sha256 digest would pin content too.
        repository: docker.io/thijsvanloef/palworld-server-docker
        tag: v0.33.0
      service:
        annotations:
          # 10.45.0.4 is also SVC_MC_ADDR in the scr1-cluster-0 cluster-config.
          # MetalLB shares one IP between Services only when both opt in via
          # allow-shared-ip — confirm there is no collision.
          metallb.universe.tf/loadBalancerIPs: "10.45.0.4"
          # Published in public DNS (palworld.kutara.io -> scr1.rabbito.tech):
          # this game server is intentionally internet-reachable.
          external-dns.alpha.kubernetes.io/hostname: palworld.kutara.io
          external-dns.alpha.kubernetes.io/target: scr1.rabbito.tech
        type: LoadBalancer
      resources:
        requests:
          memory: 2Gi
          cpu: 1000m
        # No CPU limit; memory is capped at 16Gi.
        limits:
          memory: 16Gi
      storage:
        main:
          # Uses the pre-created PVC from pvc.yaml instead of a chart-managed one.
          external: true
          externalName: palworld-server
      config:
        server_description: "DBC NightShift Kutara Server"
        server_name: "Kutara"
        community:
          # SECURITY(review): join password committed in cleartext to a repo
          # that already uses SOPS for secrets. Move it to a SOPS-encrypted
          # Secret, feed it in via spec.valuesFrom[].targetPath, and rotate it.
          password: "dbcpals"
        daily_reboot:
          enable: true
      env:
        PAL_EGG_DEFAULT_HATCHING_TIME: "6.000000"
        BASE_CAMP_WORKER_MAX_NUM: "20"

# --------------------------------------------------------------------------------
# /k8s/base/default/palworld/helm-repo.yaml
# --------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: palworld-charts
  namespace: default
spec:
  type: oci
  interval: 2h
  # Individual-maintainer chart on GHCR rather than a project registry. The
  # version is pinned in the HelmRelease; SUPPLY-CHAIN(review): no signature
  # verification is configured — if the publisher signs with cosign,
  # `chart.spec.verify` on the HelmRelease can enforce it.
  url: oci://ghcr.io/twinki14/palworld-server-chart

# --------------------------------------------------------------------------------
# /k8s/base/default/palworld/pvc.yaml
# --------------------------------------------------------------------------------
# /k8s/base/default/palworld/pvc.yaml (continued)
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  # `labels:` with no entries is a null map — harmless, but drop it or fill it.
  labels:
  name: palworld-server
  namespace: default
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 30Gi
  storageClassName: fast-ceph-block

# --------------------------------------------------------------------------------
# /k8s/base/default/thelounge/config-pvc.yaml
# --------------------------------------------------------------------------------
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: thelounge
  namespace: default
spec:
  accessModes:
    - ReadWriteOnce
  resources:
    requests:
      storage: 5Gi
  storageClassName: fast-ceph-block

# --------------------------------------------------------------------------------
# /k8s/base/federation/db/cluster.yaml
# --------------------------------------------------------------------------------
---
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
  name: federation-postgres
  namespace: federation
spec:
  affinity:
    nodeSelector:
      kubernetes.io/arch: amd64
  # One primary plus two replicas managed by the operator.
  instances: 3
  # NOTE(review): pinned to the 15.1 tag with no digest. 15.1 is an early 15.x
  # build — confirm the patch level is still maintained and prefer a @sha256
  # digest so a re-tagged image cannot change what runs.
  imageName: ghcr.io/cloudnative-pg/postgresql:15.1
  # unsupervised: the operator performs the primary switchover/restart itself
  # during rolling updates, with no manual approval step.
  primaryUpdateStrategy: unsupervised
  storage:
    size: 50Gi
    storageClass: fast-ceph-block
  superuserSecret:
    # Superuser credentials are not in Git; the ExternalSecret below creates them.
    name: postgres-superuser
  monitoring:
    enablePodMonitor: true

# --------------------------------------------------------------------------------
# /k8s/base/federation/db/external-secret.yaml
# --------------------------------------------------------------------------------
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: postgres-superuser
  namespace: federation
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    # Cluster-wide store; its backend and authentication are not in view (the
    # name suggests GCP Secret Manager for the kutara prod project — confirm).
    name: gcp-kutara-prod
  target:
    name: postgres-superuser
    creationPolicy: Owner
  data:
    - secretKey: username
      remoteRef:
        # Remote keys are spelled "cpng" (not "cnpg"); they must match the
        # store exactly, so do not "fix" the spelling here without renaming
        # the remote entries.
        key: cpng-federation-superuser-username
    - secretKey: password
      remoteRef:
        key: cpng-federation-superuser-password

# --------------------------------------------------------------------------------
# /k8s/base/federation/lemmy/object-bucket-claim.yaml
# --------------------------------------------------------------------------------
---
apiVersion: objectbucket.io/v1alpha1
kind: ObjectBucketClaim
metadata:
  name: pictrs-bucket-v1
  namespace: federation
spec:
  # Fixed bucket name rather than generateBucketName.
  bucketName: pictrs-v1
  storageClassName: slow-ceph-bucket

# --------------------------------------------------------------------------------
# /k8s/base/federation/lemmy/oci-repo.yaml
# --------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1beta2
kind: OCIRepository
metadata:
  name: lemmy-ks
  namespace: federation
spec:
  interval: 5m
  url: oci://ghcr.io/anthr76/lemmy-ks
  ref:
    # Pinned by a mutable tag. SUPPLY-CHAIN(review): there is no `verify:`
    # block, so the artifact is trusted on registry TLS alone; if it is signed
    # with cosign, add `verify.provider: cosign`, and/or pin `ref.digest`.
    tag: 0.6.1

# --------------------------------------------------------------------------------
# /k8s/base/flux-system/cluster-config/base/config.yaml
# --------------------------------------------------------------------------------
---
apiVersion: v1
kind: ConfigMap
metadata:
  namespace: flux-system
  name: global-cluster-config
data:
  # Placeholder value; nothing in view consumes FOO_BAR.
  FOO_BAR: "this"

# --------------------------------------------------------------------------------
# /k8s/base/flux-system/cluster-config/overlays/scr1-cluster-0/cluster-config.yaml
# --------------------------------------------------------------------------------
---
apiVersion: v1
kind: ConfigMap
metadata:
  name: cluster-config
  namespace: flux-system
# Per-cluster variables. Other manifests in this tree reference ${CLUSTER_NAME},
# which suggests this map feeds Flux post-build substitution — the Kustomization
# that wires it in is not in view.
data:
  CLUSTER_NAME: "scr1-cluster-0"
  CLUSTER_ID: "1"
  CONTROL_PLANE_ENDPOINT: "cluster-0.scr1.rabbito.tech"
  INGRESS_ENDPOINT_HOSTNAME: "cluster-0-ie.scr1.rabbito.tech"
  CLUSTER_POD_CIDR: "10.244.0.0/16"
  CLUSTER_SERVICE_CIDR: 10.96.0.0/12
  NATIVE_CIDR: "192.168.8.0/24"
  OSD_HOSTNAME_1: "worker-01"
  OSD_HOSTNAME_2: "worker-02"
  OSD_HOSTNAME_3: "worker-03"
  NAS_1_ADDRESS: "nas-1.scr1.rabbito.tech"
  INT_DOMAIN: "scr1.rabbito.tech"
  GENERIC_CLUSTER_INGRESS: "cluster-0.scr1.rabbito.tech"
  SVC_MQTT_ADDR: 10.45.0.1
  SVC_PLEX_ADDR: 10.45.0.2
  SVC_SYSLOG_ADDR: 10.45.0.5
  # The 2001:559:... addresses are global-unicast IPv6 (internet-routable if
  # the upstream permits); make sure each service bound to one is meant to be
  # reachable from outside.
  SVC_QBITTORRENT_ADDR: 10.45.0.3, 2001:559:87dd:a00:dead:beef:0:500
  SVC_WEB_ADDR: 10.45.0.80, 2001:559:87dd:a00:dead:beef:0:443
  # NOTE(review): 10.45.0.4 is also hard-coded as the MetalLB loadBalancerIP of
  # the palworld Service in k8s/base/default; MetalLB shares an IP between
  # Services only when both carry allow-shared-ip — confirm no collision.
  SVC_MC_ADDR: 10.45.0.4, 2001:559:87dd:a00:dead:beef:0:565
  VPN_GATEWAY_VPN_PORT: "51820"
  VPN_FORWARDED_PORT_1: "56220"
  VPN_COUNTRY: US

# --------------------------------------------------------------------------------
# /k8s/base/flux-system/cluster-config/overlays/scr1-cluster-0/kustomization.yaml
# --------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ../../base/config.yaml
  # base-secrets.yaml and cluster-secrets.yaml are not in view; by the naming
  # used elsewhere in this tree they are presumably SOPS-encrypted — confirm.
  - ../../base/base-secrets.yaml
  - cluster-secrets.yaml
  - cluster-config.yaml

# --------------------------------------------------------------------------------
# /k8s/base/flux-system/helm-chart-repositories/bitnami-charts.yaml
# --------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: bitnami-charts
  namespace: flux-system
spec:
  type: oci
  interval: 2h
  # Charts pulled from Docker Hub's OCI registry; each HelmRelease pins its own
  # chart version. Unauthenticated pulls are subject to Docker Hub rate limits.
  url: oci://registry-1.docker.io/bitnamicharts

# --------------------------------------------------------------------------------
# /k8s/base/flux-system/helm-chart-repositories/bjw-s.yaml
# --------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind:
HelmRepository
metadata:
  name: bjw-s
  namespace: flux-system
spec:
  interval: 30m
  # Index-based (HTTP) chart repos in this directory are fetched over HTTPS
  # with no certSecretRef, so TLS is validated against the controller's system
  # trust store. Flux chart signature verification covers OCI sources only, so
  # here integrity rests on TLS plus the version pinned in each HelmRelease.
  url: https://bjw-s.github.io/helm-charts/
  timeout: 3m

# --------------------------------------------------------------------------------
# /k8s/base/flux-system/helm-chart-repositories/bootc-charts.yaml
# --------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: bootc-charts
  namespace: flux-system
spec:
  interval: 10m
  # Custom domain rather than a project's GitHub Pages; the publisher is not
  # obvious from the URL — worth recording who owns it.
  url: https://charts.boo.tc
  timeout: 3m

# --------------------------------------------------------------------------------
# /k8s/base/flux-system/helm-chart-repositories/cilium-charts.yaml
# --------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: cilium-charts
  namespace: flux-system
spec:
  interval: 10m
  url: https://helm.cilium.io
  timeout: 3m

# --------------------------------------------------------------------------------
# /k8s/base/flux-system/helm-chart-repositories/cloudnative-pg.yaml
# --------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: cloudnative-pg
  namespace: flux-system
spec:
  interval: 30m
  url: https://cloudnative-pg.github.io/charts
  timeout: 3m

# --------------------------------------------------------------------------------
# /k8s/base/flux-system/helm-chart-repositories/couchdb-charts.yaml
# --------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: couchdb-charts
  namespace: flux-system
spec:
  interval: 24h
  url: https://apache.github.io/couchdb-helm
  timeout: 3m

# --------------------------------------------------------------------------------
# /k8s/base/flux-system/helm-chart-repositories/democractic-csi.yaml
# (file name has a typo; the resource is named democratic-csi)
# --------------------------------------------------------------------------------
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/source.toolkit.fluxcd.io/helmrepository_v1beta2.json
# NOTE(review): the schema hint above still points at v1beta2 while the
# resource is v1 — editor validation is stale, no runtime effect.
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: democratic-csi
  namespace: flux-system
spec:
  interval: 2h
  url: https://democratic-csi.github.io/charts/

# --------------------------------------------------------------------------------
# /k8s/base/flux-system/helm-chart-repositories/descheduler-charts.yaml
# --------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: descheduler-charts
  namespace: flux-system
spec:
  interval: 12h
  url: https://kubernetes-sigs.github.io/descheduler
  timeout: 3m

# --------------------------------------------------------------------------------
# /k8s/base/flux-system/helm-chart-repositories/external-dns-charts.yaml
# --------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: external-dns-charts
  namespace: flux-system
spec:
  interval: 15m
  url: https://kubernetes-sigs.github.io/external-dns
  timeout: 3m

# --------------------------------------------------------------------------------
# /k8s/base/flux-system/helm-chart-repositories/external-secrets.yaml
# --------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: external-secrets
  namespace: flux-system
spec:
  interval: 10m0s
  # No explicit timeout here (the other repos set 3m); controller default applies.
  url: https://charts.external-secrets.io

# --------------------------------------------------------------------------------
# /k8s/base/flux-system/helm-chart-repositories/fairwinds-charts.yaml
# --------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: fairwinds-charts
  namespace: flux-system
spec:
  interval: 10m
  url: https://charts.fairwinds.com/stable
  timeout: 3m

# --------------------------------------------------------------------------------
# /k8s/base/flux-system/helm-chart-repositories/galoy-anthr76.yaml
# --------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: galoy-anthr76
  namespace: flux-system
spec:
  type: "oci"
  interval: 5m0s
  # Personal fork of the Galoy charts on GHCR; the upstream index is the next
  # file. Record why the fork is needed so it can be retired when upstream
  # catches up.
  url: oci://ghcr.io/anthr76/galoy-charts

# --------------------------------------------------------------------------------
# /k8s/base/flux-system/helm-chart-repositories/galoy.yaml
# --------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: galoymoney
  namespace: flux-system
spec:
  interval: 10m
  # Index served straight from a mutable gh-pages branch.
  url: https://raw.githubusercontent.com/GaloyMoney/charts/gh-pages
  timeout: 3m

# --------------------------------------------------------------------------------
# /k8s/base/flux-system/helm-chart-repositories/grafana-charts.yaml
# --------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: grafana-charts
  namespace: flux-system
spec:
  interval: 10m
  url: https://grafana.github.io/helm-charts
  timeout: 3m
# --------------------------------------------------------------------------------
# /k8s/base/flux-system/helm-chart-repositories/hajimari-charts.yaml
# --------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: hajimari-charts
  namespace: flux-system
spec:
  interval: 10m
  url: https://hajimari.io
  timeout: 3m

# --------------------------------------------------------------------------------
# /k8s/base/flux-system/helm-chart-repositories/hashicorp-charts.yaml
# --------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: hashicorp-charts
  namespace: flux-system
spec:
  interval: 10m
  url: https://helm.releases.hashicorp.com
  timeout: 3m

# --------------------------------------------------------------------------------
# /k8s/base/flux-system/helm-chart-repositories/ingress-nginx-charts.yaml
# --------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: ingress-nginx-charts
  namespace: flux-system
spec:
  interval: 30m
  # Serves the internet-facing ingress class used by the Flux webhook Ingress;
  # keep its HelmRelease version pinned and patched (release not in view).
  url: https://kubernetes.github.io/ingress-nginx
  timeout: 3m

# --------------------------------------------------------------------------------
# /k8s/base/flux-system/helm-chart-repositories/jetstack-charts.yaml
# --------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: jetstack-charts
  namespace: flux-system
spec:
  interval: 10m
  url: https://charts.jetstack.io/
  timeout: 3m

# --------------------------------------------------------------------------------
# /k8s/base/flux-system/helm-chart-repositories/k8s-at-home-chart.yaml
# --------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: k8s-at-home-charts
  namespace: flux-system
spec:
  interval: 10m
  # SUPPLY-CHAIN(review): the k8s-at-home chart project was archived by its
  # maintainers in late 2022 (confirm); charts from an archived index receive
  # no fixes. bjw-s (already sourced in this directory) is the usual successor —
  # migrate any remaining releases and drop this source.
  url: https://k8s-at-home.com/charts/
  timeout: 3m

# --------------------------------------------------------------------------------
# /k8s/base/flux-system/helm-chart-repositories/metallb-charts.yaml
# --------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: metallb-charts
  namespace: flux-system
spec:
  interval: 15m
  url: https://metallb.github.io/metallb
  timeout: 3m

# --------------------------------------------------------------------------------
# /k8s/base/flux-system/helm-chart-repositories/metrics-server-charts.yaml
# --------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: metrics-server-charts
  namespace: flux-system
spec:
  interval: 15m
  url: https://kubernetes-sigs.github.io/metrics-server
  timeout: 3m

# --------------------------------------------------------------------------------
# /k8s/base/flux-system/helm-chart-repositories/minecraft-server-charts.yaml
# --------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: minecraft-server-charts
  namespace: flux-system
spec:
  interval: 15m
  url: https://itzg.github.io/minecraft-server-charts/
  timeout: 3m

# --------------------------------------------------------------------------------
# /k8s/base/flux-system/helm-chart-repositories/nats-charts.yaml
# --------------------------------------------------------------------------------
# /k8s/base/flux-system/helm-chart-repositories/nats-charts.yaml (continued)
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: nats-charts
  namespace: flux-system
spec:
  interval: 2h
  # No explicit timeout (most siblings set 3m); controller default applies.
  url: https://nats-io.github.io/k8s/helm/charts/

# --------------------------------------------------------------------------------
# /k8s/base/flux-system/helm-chart-repositories/nfd-charts.yaml
# --------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: node-feature-discovery-charts
  namespace: flux-system
spec:
  interval: 10m
  url: https://kubernetes-sigs.github.io/node-feature-discovery/charts
  timeout: 3m

# --------------------------------------------------------------------------------
# /k8s/base/flux-system/helm-chart-repositories/oauth2-proxy-charts.yaml
# --------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: oauth2-proxy-charts
  namespace: flux-system
spec:
  interval: 10m
  # Auth-gating component: keep its HelmRelease version pinned and current
  # (release not in view). No explicit timeout here.
  url: https://oauth2-proxy.github.io/manifests

# --------------------------------------------------------------------------------
# /k8s/base/flux-system/helm-chart-repositories/prometheus-community-charts.yaml
# --------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: prometheus-community-charts
  namespace: flux-system
spec:
  interval: 10m
  url: https://prometheus-community.github.io/helm-charts
  timeout: 3m

# --------------------------------------------------------------------------------
# /k8s/base/flux-system/helm-chart-repositories/rocm-charts.yaml
# --------------------------------------------------------------------------------
# /k8s/base/flux-system/helm-chart-repositories/rocm-charts.yaml (continued)
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: rocm-charts
  namespace: flux-system
spec:
  interval: 10m
  url: https://radeonopencompute.github.io/k8s-device-plugin
  timeout: 3m

# --------------------------------------------------------------------------------
# /k8s/base/flux-system/helm-chart-repositories/rook-ceph-charts.yaml
# --------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: rook-ceph-charts
  namespace: flux-system
spec:
  interval: 10m
  # Backs the fast-ceph-block / slow-ceph-bucket storage classes used across
  # this tree, so a bad chart version here has blast radius over all data.
  url: https://charts.rook.io/release
  timeout: 3m

# --------------------------------------------------------------------------------
# /k8s/base/flux-system/helm-chart-repositories/stakater-charts.yaml
# --------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: stakater-charts
  namespace: flux-system
spec:
  interval: 15m
  url: https://stakater.github.io/stakater-charts
  timeout: 3m

# --------------------------------------------------------------------------------
# /k8s/base/flux-system/helm-chart-repositories/stakewise-charts.yaml
# --------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: stakewise-charts
  namespace: flux-system
spec:
  interval: 10m
  url: https://charts.stakewise.io
  timeout: 3m

# --------------------------------------------------------------------------------
# /k8s/base/flux-system/helm-chart-repositories/vector-charts.yaml
# --------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: vector-charts
  namespace: flux-system
spec:
  interval: 10m
  url: https://helm.vector.dev
  timeout: 3m

# --------------------------------------------------------------------------------
# /k8s/base/flux-system/helm-chart-repositories/vmware-charts.yaml
# --------------------------------------------------------------------------------
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
  name: vmware-charts
  namespace: flux-system
spec:
  interval: 24h
  url: https://vmware-tanzu.github.io/helm-charts
  timeout: 3m

# --------------------------------------------------------------------------------
# /k8s/base/flux-system/monitoring/pod-monitor.yaml
# --------------------------------------------------------------------------------
---
apiVersion: monitoring.coreos.com/v1
kind: PodMonitor
metadata:
  name: flux-system
  namespace: flux-system
  labels:
    app.kubernetes.io/part-of: flux
spec:
  namespaceSelector:
    matchNames:
      - flux-system
  selector:
    matchExpressions:
      # Any pod in flux-system carrying an `app` label (the Flux controllers).
      - key: app
        operator: Exists
  podMetricsEndpoints:
    - port: http-prom
      # honorLabels: labels exposed by the target override Prometheus's own on
      # conflict; fine for first-party controllers.
      honorLabels: true

# --------------------------------------------------------------------------------
# /k8s/base/flux-system/monitoring/prometheus-rule.yaml
# --------------------------------------------------------------------------------
---
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  name: flux
  namespace: flux-system
spec:
  groups:
    - name: flux
      rules:
        - alert: FluxComponentAbsent
          annotations:
            description: Flux component has disappeared from Prometheus target discovery.
            summary: Flux component is down.
          # Fires when no flux-system scrape job reports up==1 for 15 minutes.
          expr: |
            absent(up{job=~".*flux-system.*"} == 1)
          for: 15m
          labels:
            severity: critical
        - alert: FluxReconciliationFailure
          annotations:
            # NOTE(review): the text says "ten minutes" but `for:` below is 15m;
            # align one with the other.
            description:
              "{{ $labels.kind }} {{ $labels.namespace }}/{{ $labels.name }} reconciliation has been failing
              for more than ten minutes."
            summary: Flux reconciliation failure.
          # Ready=False objects, with Deleted ones weighted out so they do not alert.
          expr: |
            max(gotk_reconcile_condition{status="False",type="Ready"}) by (namespace, name, kind)
            +
            on(namespace, name, kind) (max(gotk_reconcile_condition{status="Deleted"})
            by (namespace, name, kind)) * 2 == 1
          for: 15m
          labels:
            severity: critical

# --------------------------------------------------------------------------------
# /k8s/base/flux-system/notifications/discord/notification.yaml
# --------------------------------------------------------------------------------
---
apiVersion: notification.toolkit.fluxcd.io/v1beta3
kind: Provider
metadata:
  name: discord
  namespace: flux-system
spec:
  type: discord
  username: tom-servo
  channel: flux
  secretRef:
    # The webhook URL is the credential; it is SOPS-encrypted in secret.sops.yaml.
    name: discord-webhook-url
---
apiVersion: notification.toolkit.fluxcd.io/v1beta1
# NOTE(review): this Alert is on the v1beta1 API while the Provider above is
# v1beta3. v1beta1 is a deprecated generation; if the installed Flux no longer
# serves it the Alert does not apply and error notifications silently stop —
# move it to the same version as the Provider.
kind: Alert
metadata:
  name: ${CLUSTER_NAME}-discord
  namespace: flux-system
spec:
  summary: "${CLUSTER_NAME}"
  providerRef:
    name: discord
  # Only error-severity events go to Discord; info goes to GitHub (next file).
  eventSeverity: error
  eventSources:
    - kind: HelmRelease
      name: "*"
    - kind: Kustomization
      name: "*"
    - kind: GitRepository
      name: "*"
  exclusionList:
    - "waiting.*socket"
  suspend: false

# --------------------------------------------------------------------------------
# /k8s/base/flux-system/notifications/discord/secret.sops.yaml
# --------------------------------------------------------------------------------
# yamllint disable
apiVersion: v1
kind: Secret
metadata:
  name: discord-webhook-url
  namespace: flux-system
stringData:
  address:
ENC[AES256_GCM,data:hQFhlx/90Op5GcYIqbg8U2b0YM6D7aBZKPve/V50qw/dotgz5/yvLzyap/nmippISibWjDUVwfVWKvTF/It8h0DuarszC2wsKcSNr+0V8Zo4tV8BYRzALdqgCGvVeXhv+vgxUio2jHYzQpoiiLyHcgF0Oy36/1rw,iv:wY+JLCJq6DBm3bd5/hJPV4R6IPaOJNxMc6/3ianvGGA=,tag:V+yCIm0mkE3VEWGgLUdExA==,type:str] 9 | sops: 10 | kms: [] 11 | gcp_kms: [] 12 | azure_kv: [] 13 | hc_vault: [] 14 | age: 15 | - recipient: age12t69fa3kqmnxdx4sca7ecv6lfu3wrfwm95zuuhujcfk3ukcn8dzsk40u6x 16 | enc: | 17 | -----BEGIN AGE ENCRYPTED FILE----- 18 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3a1RuMGJIM0IxL3MxaUFK 19 | djhCb2Znb3FlUWd0MGV1RXQvVWZlbnIrQ0FJCmFQUEZKT3hmNjRxNHlKVDF2T291 20 | eVB2cWVIUHdSbEpGdmlhSFNPNXg4aFUKLS0tIDNVc0RpWm5hOWlDZEtWWis3aDlJ 21 | dis1d2hxaS9BWVZySUNPaU9kY0pWUkEKfBaE6TBPPIXXSq4+rgz7q2cJ7AcyOBPm 22 | Cu3DvK77YOWRrPe4Rg0ZzyCh5sEaJ2kD5lT8kiyO2tHzK580w92p4A== 23 | -----END AGE ENCRYPTED FILE----- 24 | lastmodified: "2021-10-12T19:11:25Z" 25 | mac: ENC[AES256_GCM,data:cdo7jwLcI9ptteqwti0qjaYKXpELO4h7HAcFLXFQmXiXOE4J+okvqZhg72LhOyzLwezFlIpn9wKAeT36XHrCb+P/8NwH9ggee0PdWlmxFL1hknDtSiyVjr+6CAgrvwiDbQG2uzaqB1SQW+5zLoJOHNQTjmu1dd1O5xxxRiuV6tw=,iv:luVnxAJ6VOhHX9CrEGTHjNGRsvKlNR7zqt00GQDK+GM=,tag:oyP9eoB/DJwdpniccBzB/Q==,type:str] 26 | pgp: [] 27 | encrypted_regex: ((?i)(pass|secret($|[^N])|key|token|^data$|^stringData)) 28 | version: 3.7.1 29 | -------------------------------------------------------------------------------- /k8s/base/flux-system/notifications/github/notification.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: notification.toolkit.fluxcd.io/v1beta3 3 | kind: Provider 4 | metadata: 5 | name: github 6 | namespace: flux-system 7 | spec: 8 | type: github 9 | address: https://github.com/anthr76/infra 10 | secretRef: 11 | name: github-token 12 | --- 13 | apiVersion: notification.toolkit.fluxcd.io/v1beta1 14 | kind: Alert 15 | metadata: 16 | name: ${CLUSTER_NAME}-github 17 | namespace: flux-system 18 | spec: 19 | summary: "${CLUSTER_NAME}" 20 | 
providerRef: 21 | name: github 22 | eventSeverity: info 23 | eventSources: 24 | - kind: Kustomization 25 | name: "*" 26 | - kind: HelmRelease 27 | name: "*" 28 | exclusionList: 29 | - "waiting.*socket" 30 | -------------------------------------------------------------------------------- /k8s/base/flux-system/notifications/github/secret.sops.yaml: -------------------------------------------------------------------------------- 1 | # yamllint disable 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: github-token 6 | namespace: flux-system 7 | stringData: 8 | token: ENC[AES256_GCM,data:ZuGD8DpwG9vlByg957TCcX67YIAahU/iwvuLf8plA96+vNiJbH9aAw==,iv:rqukQ+vre9VSNOz6H1NKFK6JpaIE8XYovCGka5mndb8=,tag:Zsz6eStrrr2Vm4LgtSRBKQ==,type:str] 9 | sops: 10 | kms: [] 11 | gcp_kms: [] 12 | azure_kv: [] 13 | hc_vault: [] 14 | age: 15 | - recipient: age12t69fa3kqmnxdx4sca7ecv6lfu3wrfwm95zuuhujcfk3ukcn8dzsk40u6x 16 | enc: | 17 | -----BEGIN AGE ENCRYPTED FILE----- 18 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEZ244MUlPVHR6Y1pJWElY 19 | V3I1LzNGV2xHMDBpVjlzNVh4L0Ntc3pUNGprCkZnVXRzSW5QMW9HV1BsQjNJcnUy 20 | eEdvL1pEbEtBajBlOXFjdUhCM0NNVkkKLS0tIDdCajBnR09ieEhBNS9YK2ZTZDRu 21 | T0FreDVObXpuMFNyS1RNWWhacUdtUjAKzKT1ONgvPOjGRmGVBjN2+lXgqN4h6XR5 22 | ulQVKcHUC0k6Z0HD5zwLUDIpg+ttDGolOv4whPgUHG+aU5BRWG56oQ== 23 | -----END AGE ENCRYPTED FILE----- 24 | lastmodified: "2021-10-12T18:51:53Z" 25 | mac: ENC[AES256_GCM,data:a/jEPTyqyWIiDiaSMEMTf4DCtpudcjjdANPZlNFYtvW/F0MPNKJ5hCoNLNSOZ6ugRZRjNlvo7/jV9IzAIQKk13k9mYoTkohFjlThKj0Og7zlHFq0QWLeSxcyHzppEK9ZYh2NwRi6tyh+i4wteCY1QhNxnVCFx9P7BTFev0i6SPQ=,iv:mOSnfw/0IOZA+Nqh0xGO/SMcKwhmoJdcsoghRHczXQc=,tag:1/cNR9dQuE681GX3miLldA==,type:str] 26 | pgp: [] 27 | encrypted_regex: ((?i)(pass|secret($|[^N])|key|token|^data$|^stringData)) 28 | version: 3.7.1 29 | -------------------------------------------------------------------------------- /k8s/base/flux-system/notifications/kustomization.yaml: 
# --------------------------------------------------------------------------------
# /k8s/base/flux-system/notifications/kustomization.yaml (continued)
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - discord/notification.yaml
  - discord/secret.sops.yaml
  - github/notification.yaml
  - github/secret.sops.yaml

# --------------------------------------------------------------------------------
# /k8s/base/flux-system/webhook/github/ingress.yaml
# --------------------------------------------------------------------------------
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
  name: webhook-receiver
  namespace: flux-system
  annotations:
    cert-manager.io/cluster-issuer: letsencrypt-production
spec:
  ingressClassName: nginx
  rules:
    # ${CLUSTER_NAME} is filled in by Flux post-build substitution (not in view).
    - host: "flux-receiver-${CLUSTER_NAME}.kutara.io"
      http:
        paths:
          # Internet-facing endpoint. The receiver's real path is
          # /hook/<sha256 of the token>, and per the Flux docs the github
          # receiver type also checks the X-Hub-Signature HMAC against that
          # token, so the token is the only gate. NOTE(review): no source-IP
          # restriction is set; an nginx whitelist-source-range for GitHub's
          # hook CIDRs would add a second layer if wanted.
          - path: /hook/
            pathType: Prefix
            backend:
              service:
                name: webhook-receiver
                port:
                  number: 80
  tls:
    - hosts:
        - "flux-receiver-${CLUSTER_NAME}.kutara.io"
      secretName: flux-receiver-${CLUSTER_NAME}-tls

# --------------------------------------------------------------------------------
# /k8s/base/flux-system/webhook/github/receiver.yaml
# --------------------------------------------------------------------------------
---
apiVersion: notification.toolkit.fluxcd.io/v1
kind: Receiver
metadata:
  name: github-receiver
  namespace: flux-system
spec:
  type: github
  events:
    - "ping"
    - "push"
  secretRef:
    # Shared secret configured on the GitHub webhook; SOPS-encrypted in Git.
    name: github-webhook-token
  resources:
    # NOTE(review): these entries name older API generations (v1beta1 source,
    # v1beta2 kustomize) while the Receiver itself is v1. If the running Flux
    # no longer serves those versions the lookups fail and pushes stop
    # triggering reconciliation without an obvious error — align them with the
    # current apiVersion of the referenced GitRepository/Kustomization objects.
    - apiVersion: source.toolkit.fluxcd.io/v1beta1
      kind: GitRepository
      name: "flux-system"
      namespace: "flux-system"
    - apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
      kind: Kustomization
      name: "flux-system"
      namespace: "flux-system"
    - apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
      kind: Kustomization
      name: "cluster-config"
      namespace:
"flux-system" 27 | -------------------------------------------------------------------------------- /k8s/base/flux-system/webhook/github/secret.sops.yaml: -------------------------------------------------------------------------------- 1 | # yamllint disable 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: github-webhook-token 6 | namespace: flux-system 7 | stringData: 8 | token: ENC[AES256_GCM,data:tbSJzTuY7OA3t6Isf6rRkenu31gAM/KTijIwXW6Z4K6OdZue3sAp0w==,iv:RNHX5F6C7LWKCg9gnvTGijYEDof1ALlPmggctOT1rYA=,tag:UGcvUAJsMEvJrl1CAYIRFA==,type:str] 9 | sops: 10 | kms: [] 11 | gcp_kms: [] 12 | azure_kv: [] 13 | hc_vault: [] 14 | age: 15 | - recipient: age12t69fa3kqmnxdx4sca7ecv6lfu3wrfwm95zuuhujcfk3ukcn8dzsk40u6x 16 | enc: | 17 | -----BEGIN AGE ENCRYPTED FILE----- 18 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjeWNPRUJPcGJBQU5JNWhO 19 | MHl2VHZjR2NqL2xCOHc1Y0xFV2dWUm0xOURRCk96TWROV1pxcmQzMmdZU3dCMnNT 20 | a1N5ajMzUmhJdE91UlFxU1dBdTdMRXcKLS0tIEtOUGtlbjROTHNoSG9DWmVSUk9Q 21 | ZUxWYWMxbkxKMUhua2RPOU51T3I2cE0KJuQBy+MItOZb9YU/lDnOq/CHrMXr7G1Z 22 | UWif0B1qZum5N/30IUTk8vWdiQQp7PkHBxe7SDSCeFNFuvYAFFKldw== 23 | -----END AGE ENCRYPTED FILE----- 24 | lastmodified: "2021-10-14T01:02:41Z" 25 | mac: ENC[AES256_GCM,data:93kTf14kTD5tszvhgr8B/drBYbORxDNPKPvxSsBKCV8WfVKwf/vkvlctTTPSmzbIj/HaesV3aMQgX6kp+ANOhTlVD0RzTcQniWZlm5yeSSrOdzop9jPv2sz3BehnnbvD2X6XCFrPiZ9KHKE/8UmwY50hg82RCUT1mWu8cSD26Ig=,iv:h4rPtYW8g5aHYMe0mBJGya9Fg30qvujDfnJ9CzfXXE0=,tag:wr7vIDRKijsDLty3Jyw7dg==,type:str] 26 | pgp: [] 27 | encrypted_regex: ((?i)(pass|secret($|[^N])|key|token|^data$|^stringData)) 28 | version: 3.7.1 29 | -------------------------------------------------------------------------------- /k8s/base/flux-system/webhook/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - github/ingress.yaml 6 | - github/receiver.yaml 7 | - github/secret.sops.yaml 8 | 
-------------------------------------------------------------------------------- /k8s/base/home/esphome/config-pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: esphome-config-v2 6 | namespace: home 7 | spec: 8 | accessModes: 9 | - ReadWriteMany 10 | resources: 11 | requests: 12 | storage: 5Gi 13 | storageClassName: fast-ceph-filesystem 14 | -------------------------------------------------------------------------------- /k8s/base/home/frigate/config-pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: frigate-config-v3 6 | namespace: home 7 | spec: 8 | storageClassName: fast-ceph-filesystem 9 | accessModes: 10 | - ReadWriteMany 11 | resources: 12 | requests: 13 | storage: 5Gi 14 | -------------------------------------------------------------------------------- /k8s/base/home/frigate/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - config-pvc.yaml 6 | - helm-release.yaml 7 | - secret.yaml 8 | - media-pvc.yaml 9 | namespace: home 10 | configMapGenerator: 11 | - name: frigate 12 | files: 13 | - config.yaml 14 | generatorOptions: 15 | disableNameSuffixHash: true 16 | annotations: 17 | kustomize.toolkit.fluxcd.io/substitute: disabled 18 | -------------------------------------------------------------------------------- /k8s/base/home/frigate/media-pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: frigate-media-v2 6 | namespace: home 7 | spec: 8 | accessModes: 9 | - ReadWriteMany 10 | resources: 11 | requests: 12 | storage: 1024Gi 13 | storageClassName: 
slow-ceph-filesystem 14 | -------------------------------------------------------------------------------- /k8s/base/home/frigate/secret.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Secret 3 | metadata: 4 | name: frigate 5 | namespace: home 6 | type: Opaque 7 | stringData: 8 | mqtt-password: ENC[AES256_GCM,data:N3guhIRRUY1V1x/K,iv:qQZTGiXpzySgCwo0MNvVhj9psE4CzATWeIHtYr9P78c=,tag:bjSTH7JUUK+lHMYHt498zA==,type:str] 9 | sops: 10 | kms: [] 11 | gcp_kms: [] 12 | azure_kv: [] 13 | hc_vault: [] 14 | age: 15 | - recipient: age12t69fa3kqmnxdx4sca7ecv6lfu3wrfwm95zuuhujcfk3ukcn8dzsk40u6x 16 | enc: | 17 | -----BEGIN AGE ENCRYPTED FILE----- 18 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUa09nTG81akhELzRGcE1I 19 | RXJTdDhKdlZ1YWlDRVdQVFRjM1pCNHVxZEdFCkdpa0VpNlVQTjByeGwyeDVuZGFk 20 | c1BZTE96d3dxSEtQem42bmwvakJCS0kKLS0tIGIzRWlYQjJuaHgzUkllRlF4eDVr 21 | azBxNlZHUlorVC9SUzNhdytxcnIydncKe+sh2Gw/trUfSj0/bntkT8EYMfw/LnQ+ 22 | DYyKE/bS0O/69EyWM/1TGMA9gzNz54AaLchjLDkLJxBYQb+pqHQSpA== 23 | -----END AGE ENCRYPTED FILE----- 24 | lastmodified: "2022-11-21T15:37:13Z" 25 | mac: ENC[AES256_GCM,data:DfCFqVxiiorr/+ifOdFLX/aprv+3HkzRzne8yCan/qW2QTtS169vjk7wfTlqOl/w/qNYdJOsRNcmgLcbT+IJ18jnBjrC4IsS0C4BAsQ4bm6zviA/xB0m8toevjGzVu4IGd5MEvDBbyS0b712ArVnt6q6mVbXMkKOhZBOxNfUmBU=,iv:DdqMF2jS1GVdgxdMFiyF2/cVYoj8gFlSVC8o2PpKHM0=,tag:G6ngYkoLaAAqBVsT9h68Kg==,type:str] 26 | pgp: [] 27 | encrypted_regex: ((?i)(pass|secret($|[^N])|key|token|^data$|^stringData)) 28 | version: 3.7.3 29 | -------------------------------------------------------------------------------- /k8s/base/home/home-assistant-nwk3/config-pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: home-assistant-nwk3-config-v1 6 | namespace: home 7 | spec: 8 | accessModes: 9 | - ReadWriteMany 10 | resources: 11 | requests: 12 | storage: 5Gi 13 | 
storageClassName: fast-ceph-filesystem 14 | --- 15 | apiVersion: v1 16 | kind: PersistentVolumeClaim 17 | metadata: 18 | name: home-assistant-nwk3-backup-v1 19 | namespace: home 20 | spec: 21 | accessModes: 22 | - ReadWriteMany 23 | resources: 24 | requests: 25 | storage: 5Gi 26 | storageClassName: slow-ceph-filesystem 27 | -------------------------------------------------------------------------------- /k8s/base/home/home-assistant-nwk3/external-secret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: external-secrets.io/v1beta1 3 | kind: ExternalSecret 4 | metadata: 5 | name: home-assistant-nwk3 6 | namespace: home 7 | spec: 8 | refreshInterval: 1h 9 | secretStoreRef: 10 | kind: ClusterSecretStore 11 | name: gcp-kutara-prod 12 | target: 13 | name: home-assistant-nwk3 14 | creationPolicy: Owner 15 | data: 16 | - secretKey: postgres-password 17 | remoteRef: 18 | key: home-assistant-nwk3-postgres-password 19 | -------------------------------------------------------------------------------- /k8s/base/home/home-assistant/config-pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: home-assistant-config-v2 6 | namespace: home 7 | spec: 8 | accessModes: 9 | - ReadWriteMany 10 | resources: 11 | requests: 12 | storage: 5Gi 13 | storageClassName: fast-ceph-filesystem 14 | --- 15 | apiVersion: v1 16 | kind: PersistentVolumeClaim 17 | metadata: 18 | name: home-assistant-backup-v2 19 | namespace: home 20 | spec: 21 | accessModes: 22 | - ReadWriteMany 23 | resources: 24 | requests: 25 | storage: 5Gi 26 | storageClassName: slow-ceph-filesystem 27 | -------------------------------------------------------------------------------- /k8s/base/home/home-assistant/external-secret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: 
external-secrets.io/v1beta1 3 | kind: ExternalSecret 4 | metadata: 5 | name: home-assistant 6 | namespace: home 7 | spec: 8 | refreshInterval: 1h 9 | secretStoreRef: 10 | kind: ClusterSecretStore 11 | name: gcp-kutara-prod 12 | target: 13 | name: home-assistant 14 | creationPolicy: Owner 15 | data: 16 | - secretKey: postgres-password 17 | remoteRef: 18 | key: home-assistant-postgres-password 19 | - secretKey: postgres-user 20 | remoteRef: 21 | key: home-assistant-postgres-user 22 | -------------------------------------------------------------------------------- /k8s/base/home/home-assistant/pdb.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: policy/v1 3 | kind: PodDisruptionBudget 4 | metadata: 5 | name: home-assistant 6 | namespace: home 7 | spec: 8 | maxUnavailable: 1 9 | selector: 10 | matchLabels: 11 | app.kubernetes.io/name: home-assistant 12 | -------------------------------------------------------------------------------- /k8s/base/home/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - namespace.yaml 6 | - priority-class.yaml 7 | -------------------------------------------------------------------------------- /k8s/base/home/mosquitto/config-pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: mosquitto-config-v2 6 | namespace: home 7 | spec: 8 | accessModes: 9 | - ReadWriteMany 10 | resources: 11 | requests: 12 | storage: 100Mi 13 | storageClassName: fast-ceph-filesystem 14 | -------------------------------------------------------------------------------- /k8s/base/home/mosquitto/helm-release.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2 3 
| kind: HelmRelease 4 | metadata: 5 | name: mosquitto 6 | namespace: home 7 | labels: 8 | component.kutara.io/part-of: standard-helm-release 9 | spec: 10 | interval: 5m 11 | chart: 12 | spec: 13 | chart: mosquitto 14 | version: 4.8.2 15 | sourceRef: 16 | kind: HelmRepository 17 | name: k8s-at-home-charts 18 | namespace: flux-system 19 | interval: 5m 20 | values: 21 | priorityClassName: home-cluster-critical 22 | image: 23 | repository: docker.io/library/eclipse-mosquitto 24 | tag: 2.0.17 25 | service: 26 | main: 27 | type: LoadBalancer 28 | annotations: 29 | metallb.universe.tf/loadBalancerIPs: "10.45.0.1" 30 | externalTrafficPolicy: Local 31 | auth: 32 | enabled: true 33 | podAnnotations: 34 | secret.reloader.stakater.com/reload: mosquitto 35 | resources: 36 | requests: 37 | memory: 30Mi 38 | cpu: 10m 39 | limits: 40 | cpu: 200m 41 | memory: 200Mi 42 | persistence: 43 | data: 44 | enabled: true 45 | existingClaim: mosquitto-config-v2 46 | configinc: 47 | enabled: true 48 | type: configMap 49 | mountPath: /mosquitto/configinc 50 | name: mqtt-conf 51 | mosquitto-pwd: 52 | enabled: true 53 | type: secret 54 | mountPath: /mosquitto/configinc/auth 55 | name: mosquitto-pwd 56 | -------------------------------------------------------------------------------- /k8s/base/home/mosquitto/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - helm-release.yaml 6 | - config-pvc.yaml 7 | - pdb.yaml 8 | namespace: home 9 | generatorOptions: 10 | disableNameSuffixHash: true 11 | 12 | secretGenerator: 13 | - name: mosquitto-pwd 14 | files: 15 | - mosquitto_pwd=mosquitto_pwd.sops 16 | 17 | configMapGenerator: 18 | - name: mqtt-conf 19 | files: 20 | - mqtt.conf 21 | -------------------------------------------------------------------------------- /k8s/base/home/mosquitto/mosquitto_pwd.sops: 
-------------------------------------------------------------------------------- 1 | { 2 | "data": "ENC[AES256_GCM,data:TKmTtQVLiMXVfYb4olSDuZuZZSBjkK13TTtjXvQ6mzk3FxhDf7ReWCw34Xt6Xmu2i65z/Tbk18EJV0M26TAfKj0XOjJ426rf0GIS/B/XAsz2YOWDl59E1tJNrkfm1rc6fzF0ZeMxl44mtZTkTbSfznZ/h9D4pQ==,iv:PhEqVvLgLFwi2lkNnvYdFABQIszs4z+E8HIUIBPvNGw=,tag:gNMib+0GlQtA9aZqJvoMTw==,type:str]", 3 | "sops": { 4 | "kms": null, 5 | "gcp_kms": null, 6 | "azure_kv": null, 7 | "hc_vault": null, 8 | "age": [ 9 | { 10 | "recipient": "age12t69fa3kqmnxdx4sca7ecv6lfu3wrfwm95zuuhujcfk3ukcn8dzsk40u6x", 11 | "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRWjF0eFNsY0xyTFRvME5T\nYWE0RnhubktDSWEzZGlTT3lLTW5KYjRpNmdrCkE0L2VqSytGTUNoeXVLaktoalk4\nY1F6L2F2MVA2R0wrWTdyaGJwc2MwYXMKLS0tIDBWdUJjaGQ1UGszWVI1YVNnVmU1\nK1Z1YWdhTkh3OVkyOHhMbW80dVM3ZG8KpC2qauXG5+W/U4BuxOFhDpr5jZ98Z8++\nZU/tQ+mFDkKG+wJ5d1XeRLCI6/UKm/ZneWwzQTHbx5qT5IiwhXBlFA==\n-----END AGE ENCRYPTED FILE-----\n" 12 | } 13 | ], 14 | "lastmodified": "2022-01-01T16:01:59Z", 15 | "mac": "ENC[AES256_GCM,data:Qg9jiTNVuz0y0fxdtM76RFPrwsQeLCTKPwAll29o2WGYgeeiqAZFBXWbkE3SswXeDKz2pzYO+8gFROeJVLbwoOpLAdpEPoNEdE/b+KnFy522ysvrDgtCOwl0fpXL1RY+B3YA0z/XTIYYMg0aV/eeZsJTTAJvN1FkDRE/on7fZKE=,iv:4dboFuHx8L9G7HSNG5sdOg9XyVFzyUTEKj1OaV93hVA=,tag:rHvcRaKVxysSDoreSWT8jg==,type:str]", 16 | "pgp": null, 17 | "unencrypted_suffix": "_unencrypted", 18 | "version": "3.7.1" 19 | } 20 | } 21 | -------------------------------------------------------------------------------- /k8s/base/home/mosquitto/mqtt.conf: -------------------------------------------------------------------------------- 1 | connection_messages false 2 | password_file /mosquitto/configinc/auth/mosquitto_pwd 3 | autosave_interval 60 4 | -------------------------------------------------------------------------------- /k8s/base/home/mosquitto/pdb.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: policy/v1 3 | kind: 
PodDisruptionBudget 4 | metadata: 5 | name: mosquitto 6 | namespace: home 7 | spec: 8 | maxUnavailable: 1 9 | selector: 10 | matchLabels: 11 | app.kubernetes.io/name: mosquitto 12 | -------------------------------------------------------------------------------- /k8s/base/home/namespace.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: home 5 | labels: 6 | goldilocks.fairwinds.com/enabled: "true" 7 | component.kutara.io/postgres-secrets: "true" 8 | -------------------------------------------------------------------------------- /k8s/base/home/nats/helm-release.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2 3 | kind: HelmRelease 4 | metadata: 5 | name: nats-nwk3 6 | namespace: home 7 | labels: 8 | component.kutara.io/part-of: standard-helm-release 9 | spec: 10 | interval: 5m 11 | chart: 12 | spec: 13 | chart: nats 14 | version: 1.1.7 15 | sourceRef: 16 | kind: HelmRepository 17 | name: nats-charts 18 | namespace: flux-system 19 | interval: 5m 20 | values: 21 | config: 22 | cluster: 23 | enabled: true 24 | replicas: 3 25 | jetstream: 26 | enabled: true 27 | fileStore: 28 | pvc: 29 | storageClassName: fast-ceph-block 30 | mqtt: 31 | enabled: true 32 | extraResources: 33 | - apiVersion: v1 34 | kind: Service 35 | metadata: 36 | name: nats-nwk3-mqtt 37 | namespace: home 38 | spec: 39 | type: LoadBalancer 40 | ipFamilyPolicy: PreferDualStack 41 | ports: 42 | - appProtocol: tcp 43 | name: mqtt 44 | port: 1883 45 | protocol: TCP 46 | targetPort: mqtt 47 | selector: 48 | app.kubernetes.io/component: nats 49 | app.kubernetes.io/instance: nats-nwk3 50 | app.kubernetes.io/name: nats 51 | sessionAffinity: None 52 | -------------------------------------------------------------------------------- /k8s/base/home/nats/pdb.yaml: 
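--------------------------------------------------------------------------------
---
# PodDisruptionBudget for the 3-replica NATS cluster deployed by
# home/nats/helm-release.yaml (HelmRelease nats-nwk3, chart nats).
# Fix: this file previously selected app.kubernetes.io/name=mosquitto and was
# itself named "mosquitto", i.e. a copy of mosquitto/pdb.yaml — it protected no
# NATS pod and collided with the mosquitto PDB of the same name in this
# namespace. The selector below uses the labels the nats-nwk3-mqtt Service in
# helm-release.yaml already relies on to find the NATS pods.
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
  name: nats-nwk3
  namespace: home
spec:
  maxUnavailable: 1
  selector:
    matchLabels:
      app.kubernetes.io/name: nats
      app.kubernetes.io/instance: nats-nwk3
--------------------------------------------------------------------------------
/k8s/base/home/priority-class.yaml:
--------------------------------------------------------------------------------
---
apiVersion: scheduling.k8s.io/v1
description: Used for home critical pods that must run in the cluster for WAF, but can be
  moved to another node if necessary.
kind: PriorityClass
metadata:
  name: home-cluster-critical
preemptionPolicy: PreemptLowerPriority
value: 100001
--------------------------------------------------------------------------------
/k8s/base/home/zigbee2mqtt/config-pvc.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
  name: zigbee2mqtt-config-v2
  namespace: home
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 1Gi
  storageClassName: fast-ceph-filesystem
--------------------------------------------------------------------------------
/k8s/base/home/zigbee2mqtt/helm-release.yaml:
--------------------------------------------------------------------------------
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: zigbee2mqtt
  namespace: home
  labels:
    component.kutara.io/part-of: standard-helm-release
spec:
  interval: 5m
  chart:
    spec:
      chart: app-template
      version: 1.5.1
      sourceRef:
        kind: HelmRepository
        name: bjw-s
        namespace: flux-system
      interval: 5m
  values:
    priorityClassName: home-cluster-critical
    controller:
      type: statefulset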
24 | image: 25 | repository: ghcr.io/koenkk/zigbee2mqtt 26 | tag: 1.32.2@sha256:98bf0afb61b2fca7402f6cd71933abc72f90e53766cbb65c8be6060b20312f45 27 | env: 28 | TZ: America/New_York 29 | ZIGBEE2MQTT_DATA: /data 30 | service: 31 | main: 32 | ports: 33 | http: 34 | port: 8080 35 | ingress: 36 | main: 37 | enabled: true 38 | ingressClassName: nginx 39 | annotations: 40 | cert-manager.io/cluster-issuer: "letsencrypt-production" 41 | hosts: 42 | - host: "zigbee2mqtt.scr1.rabbito.tech" 43 | paths: 44 | - path: / 45 | pathType: Prefix 46 | tls: 47 | - secretName: zigbee2mqtt-tls 48 | hosts: 49 | - "zigbee2mqtt.scr1.rabbito.tech" 50 | volumeClaimTemplates: 51 | - name: config 52 | mountPath: /data 53 | accessMode: ReadWriteOnce 54 | size: 1Gi 55 | storageClass: fast-ceph-block 56 | -------------------------------------------------------------------------------- /k8s/base/home/zigbee2mqtt/pdb.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: policy/v1 3 | kind: PodDisruptionBudget 4 | metadata: 5 | name: zigbee2mqtt 6 | namespace: home 7 | spec: 8 | maxUnavailable: 1 9 | selector: 10 | matchLabels: 11 | app.kubernetes.io/name: zigbee2mqtt 12 | -------------------------------------------------------------------------------- /k8s/base/home/zwavejs2mqtt/config-pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: zwavejs2mqtt-config-v2 6 | namespace: home 7 | spec: 8 | accessModes: 9 | - ReadWriteMany 10 | resources: 11 | requests: 12 | storage: 1Gi 13 | storageClassName: fast-ceph-filesystem 14 | -------------------------------------------------------------------------------- /k8s/base/infra/external-secrets/cluster-secret-store/cluster-secret-store.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: external-secrets.io/v1beta1 3 | kind: 
ClusterSecretStore 4 | metadata: 5 | name: gcp-kutara-prod 6 | namespace: infra 7 | spec: 8 | provider: 9 | gcpsm: 10 | auth: 11 | secretRef: 12 | secretAccessKeySecretRef: 13 | name: gcp-kutara-prod-sa-ad74 14 | namespace: infra 15 | key: kutara-prod-ad74-8b13fb370b88.json 16 | projectID: kutara-prod-ad74 17 | 18 | -------------------------------------------------------------------------------- /k8s/base/infra/external-secrets/helm-release.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2 3 | kind: HelmRelease 4 | metadata: 5 | name: external-secrets 6 | namespace: infra 7 | spec: 8 | interval: 15m 9 | chart: 10 | spec: 11 | chart: external-secrets 12 | version: 0.9.4 13 | sourceRef: 14 | kind: HelmRepository 15 | name: external-secrets 16 | namespace: flux-system 17 | interval: 15m 18 | install: 19 | crds: CreateReplace 20 | createNamespace: true 21 | remediation: 22 | retries: 3 23 | upgrade: 24 | crds: CreateReplace 25 | remediation: 26 | retries: 3 27 | values: 28 | 29 | -------------------------------------------------------------------------------- /k8s/base/infra/hajimari/config-pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: hajimari-config-v2 6 | namespace: infra 7 | spec: 8 | accessModes: 9 | - ReadWriteMany 10 | resources: 11 | requests: 12 | storage: 1Gi 13 | storageClassName: fast-ceph-filesystem 14 | -------------------------------------------------------------------------------- /k8s/base/infra/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - namespace.yaml 6 | -------------------------------------------------------------------------------- /k8s/base/infra/namespace.yaml: 
-------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: infra 5 | labels: 6 | goldilocks.fairwinds.com/enabled: "true" 7 | component.kutara.io/postgres-secrets: "true" 8 | -------------------------------------------------------------------------------- /k8s/base/infra/netbox/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - secret.sops.yaml 6 | - helm-release.yaml 7 | namespace: infra 8 | generatorOptions: 9 | disableNameSuffixHash: true 10 | secretGenerator: 11 | - name: napalm-ssh 12 | files: 13 | - id_rsa=id_rsa.sops 14 | - id_rsa.pub=id_rsa.pub.sops 15 | -------------------------------------------------------------------------------- /k8s/base/infra/paperless/external-secret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: external-secrets.io/v1beta1 3 | kind: ExternalSecret 4 | metadata: 5 | name: paperless 6 | namespace: infra 7 | spec: 8 | refreshInterval: 1h 9 | secretStoreRef: 10 | kind: ClusterSecretStore 11 | name: gcp-kutara-prod 12 | target: 13 | name: paperless 14 | creationPolicy: Owner 15 | data: 16 | - secretKey: PAPERLESS_DBUSER 17 | remoteRef: 18 | key: paperless-postgres-username 19 | - secretKey: PAPERLESS_DBPASS 20 | remoteRef: 21 | key: paperless-postgres-password 22 | - secretKey: PAPERLESS_ADMIN_USER 23 | remoteRef: 24 | key: paperless-admin-user 25 | - secretKey: PAPERLESS_ADMIN_PASSWORD 26 | remoteRef: 27 | key: paperless-admin-password 28 | -------------------------------------------------------------------------------- /k8s/base/infra/paperless/pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: paperless-data-v2 6 | 
namespace: infra 7 | spec: 8 | accessModes: 9 | - ReadWriteMany 10 | resources: 11 | requests: 12 | storage: 10Gi 13 | storageClassName: fast-ceph-filesystem 14 | --- 15 | apiVersion: v1 16 | kind: PersistentVolumeClaim 17 | metadata: 18 | name: paperless-media-v2 19 | namespace: infra 20 | spec: 21 | accessModes: 22 | - ReadWriteMany 23 | resources: 24 | requests: 25 | storage: 10Gi 26 | storageClassName: slow-ceph-filesystem 27 | --- 28 | apiVersion: v1 29 | kind: PersistentVolumeClaim 30 | metadata: 31 | name: paperless-consume-v2 32 | namespace: infra 33 | spec: 34 | accessModes: 35 | - ReadWriteMany 36 | resources: 37 | requests: 38 | storage: 10Gi 39 | storageClassName: slow-ceph-filesystem 40 | --- 41 | apiVersion: v1 42 | kind: PersistentVolumeClaim 43 | metadata: 44 | name: paperless-export-v2 45 | namespace: infra 46 | spec: 47 | accessModes: 48 | - ReadWriteMany 49 | resources: 50 | requests: 51 | storage: 10Gi 52 | storageClassName: slow-ceph-filesystem 53 | -------------------------------------------------------------------------------- /k8s/base/infra/unifi/pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: unifi-data 6 | namespace: infra 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 2Gi 13 | storageClassName: fast-ceph-block 14 | 15 | -------------------------------------------------------------------------------- /k8s/base/kube-system/descheduler/metrics.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | labels: 6 | app.kubernetes.io/name: descheduler 7 | name: descheduler 8 | namespace: kube-system 9 | spec: 10 | ports: 11 | - name: metrics 12 | port: 10258 13 | protocol: TCP 14 | targetPort: 10258 15 | selector: 16 | app.kubernetes.io/name: descheduler 17 | sessionAffinity: None 18 | 
# (continuation of descheduler/metrics.yaml: tail of the metrics Service spec)
  type: ClusterIP
---
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
  labels:
    app.kubernetes.io/name: descheduler
  name: descheduler
  namespace: kube-system
spec:
  endpoints:
    - honorLabels: true
      interval: 30s
      metricRelabelings:
        - action: replace
          sourceLabels:
            - exported_namespace
          targetLabel: pod_namespace
      path: /metrics
      port: metrics
      scheme: https
      tlsConfig:
        # NOTE(review): this disables validation of the descheduler's serving
        # certificate on the https scrape. Presumably the cert is self-signed;
        # if a CA is available, prefer tlsConfig.ca (+ serverName) so the
        # scrape target is still verified — confirm.
        insecureSkipVerify: true
  jobLabel: app.kubernetes.io/name
  namespaceSelector:
    matchNames:
      - kube-system
  selector:
    matchLabels:
      app.kubernetes.io/name: descheduler
--------------------------------------------------------------------------------
/k8s/base/kube-system/home-dns/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - rbac.yaml
--------------------------------------------------------------------------------
/k8s/base/kube-system/home-dns/rbac.yaml:
--------------------------------------------------------------------------------
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: home-dns
  namespace: kube-system
---
# Cluster-wide, read-only (list/watch) access to Services, Namespaces and
# Ingresses; no write verbs are granted. "extensions" is the legacy ingress
# API group and can be dropped once no cluster still serves it.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: home-dns
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - namespaces
    verbs:
      - list
      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io
    resources:
      - ingresses
    verbs:
      - list
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: home-dns
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: home-dns
subjects:
  - kind: ServiceAccount
    name: home-dns
    namespace:
kube-system 42 | -------------------------------------------------------------------------------- /k8s/base/kube-system/intel-gpu-plugin/helm-release.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2 3 | kind: HelmRelease 4 | metadata: 5 | name: intel-gpu-plugin 6 | namespace: kube-system 7 | labels: 8 | component.kutara.io/part-of: standard-helm-release 9 | spec: 10 | interval: 5m 11 | chart: 12 | spec: 13 | chart: intel-gpu-plugin 14 | version: 4.4.2 15 | sourceRef: 16 | kind: HelmRepository 17 | name: k8s-at-home-charts 18 | namespace: flux-system 19 | interval: 5m 20 | values: 21 | image: 22 | repository: ghcr.io/k8s-at-home/intel-gpu-plugin 23 | tag: v0.22.0 24 | pullPolicy: IfNotPresent 25 | args: 26 | - -shared-dev-num 27 | - "2" 28 | resources: 29 | requests: 30 | cpu: 15m 31 | memory: 64Mi 32 | limits: 33 | memory: 64Mi 34 | cpu: 200m 35 | affinity: 36 | nodeAffinity: 37 | requiredDuringSchedulingIgnoredDuringExecution: 38 | nodeSelectorTerms: 39 | - matchExpressions: 40 | - key: feature.node.kubernetes.io/custom-intel-gpu 41 | operator: In 42 | values: 43 | - "true" 44 | -------------------------------------------------------------------------------- /k8s/base/kube-system/kubelet-serving-cert-approver/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - kustomize.yaml 6 | -------------------------------------------------------------------------------- /k8s/base/kube-system/kubelet-serving-cert-approver/kustomize.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1 3 | kind: GitRepository 4 | metadata: 5 | name: kubelet-serving-cert-approver 6 | namespace: flux-system 7 | spec: 8 | interval: 10m0s 9 | ref: 10 | tag: v0.7.2 11 | url: 
https://github.com/alex1989hu/kubelet-serving-cert-approver
    ignore: |
      # exclude all
      /*
      # include gitops dirs
      !/deploy
---
# Applies ./deploy/standalone from the GitRepository above into kube-system.
# NOTE(review): that source tracks a Git tag (ref.tag), which is mutable; for a
# component that, going by its name, approves kubelet serving-certificate CSRs
# cluster-wide, pinning the source to a commit (ref.commit) would make the
# deployed revision immutable — consider.
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: kubelet-serving-cert-approver
  namespace: flux-system
spec:
  interval: 10m0s
  path: ./deploy/standalone
  prune: true
  wait: true
  targetNamespace: kube-system
  sourceRef:
    kind: GitRepository
    name: kubelet-serving-cert-approver
--------------------------------------------------------------------------------
/k8s/base/kube-system/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - namespace.yaml
--------------------------------------------------------------------------------
/k8s/base/kube-system/metallb/kustomization.yaml:
--------------------------------------------------------------------------------
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - helm-release.yaml
namespace: kube-system
generatorOptions:
  disableNameSuffixHash: true
--------------------------------------------------------------------------------
/k8s/base/kube-system/metallb/scr1/resources.yaml:
--------------------------------------------------------------------------------
---
# iBGP session (myASN == peerASN) to the upstream router, protected by BFD.
# NOTE(review): no session password is configured (BGPPeer supports
# password/passwordSecret); confirm the peer side does not expect one.
apiVersion: metallb.io/v1beta2
kind: BGPPeer
metadata:
  name: scr1
  namespace: kube-system
spec:
  myASN: 64512
  peerASN: 64512
  peerAddress: 10.20.99.1
  bfdProfile: scr1
---
# Address pool for in-house LoadBalancer Services (e.g. mosquitto pins
# 10.45.0.1 from this range via its loadBalancerIPs annotation).
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
  name: bgp-pool
  namespace: kube-system
spec:
  addresses:
    - 10.45.0.0/16
    - 2001:559:87dd:a00::/56
  avoidBuggyIPs: true
---
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
# Second pool: publicly routed addresses. NOTE(review): autoAssign is not set
# (default true), so MetalLB may hand one of these to any LoadBalancer Service
# that does not request a specific pool or IP; set autoAssign: false here if
# public exposure should always be an explicit choice — confirm intent.
metadata:
  name: production-public
  namespace: kube-system
spec:
  addresses:
    - 50.239.94.170/32
    - 2001:559:7bd::1eff/126
  avoidBuggyIPs: true
---
# Advertises both pools over the BGP session above.
apiVersion: metallb.io/v1beta1
kind: BGPAdvertisement
metadata:
  name: bgp-lb
  namespace: kube-system
spec:
  ipAddressPools:
    - bgp-pool
    - production-public
---
apiVersion: metallb.io/v1beta1
kind: BFDProfile
metadata:
  name: scr1
  namespace: kube-system
spec:
  receiveInterval: 380
  transmitInterval: 270
--------------------------------------------------------------------------------
/k8s/base/kube-system/metrics-server/helm-release.yaml:
--------------------------------------------------------------------------------
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: metrics-server
  namespace: kube-system
  labels:
    component.kutara.io/part-of: standard-helm-release
spec:
  interval: 5m
  chart:
    spec:
      chart: metrics-server
      version: 3.12.0
      sourceRef:
        kind: HelmRepository
        name: metrics-server-charts
        namespace: flux-system
      interval: 5m
  install:
    createNamespace: true
    remediation:
      retries: 5
  upgrade:
    remediation:
      retries: 5
  values:
    args:
      # TODO: scraping the master kubelet(s) fails with:
      #   Get \"https://192.168.8.51:10250/metrics/resource\": x509: cannot validate certificate for 192.168.8.51 because it doesn't contain any IP SANs" node="master-03"
      # i.e. the kubelet serving certificate on master-03 (presumably all
      # masters) carries no IP SAN. --kubelet-insecure-tls (below) works around
      # this by turning off serving-certificate verification for *every*
      # kubelet, not just the masters. Remove it once the kubelet serving certs
      # include the node IP (kubelet-serving-cert-approver is deployed in this
      # repo; whether the certs it approves carry IP SANs needs confirming).
31 | - --kubelet-insecure-tls 32 | - --kubelet-preferred-address-types=InternalIP,ExternalIP,Hostname 33 | - --kubelet-use-node-status-port 34 | - --metric-resolution=15s 35 | metrics: 36 | enabled: true 37 | serviceMonitor: 38 | enabled: true 39 | -------------------------------------------------------------------------------- /k8s/base/kube-system/multus/helm-release.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2 3 | kind: HelmRelease 4 | metadata: 5 | name: multus 6 | namespace: kube-system 7 | labels: 8 | component.kutara.io/part-of: standard-helm-release 9 | spec: 10 | interval: 5m 11 | chart: 12 | spec: 13 | chart: multus 14 | version: 3.5.2 15 | sourceRef: 16 | kind: HelmRepository 17 | name: k8s-at-home-charts 18 | namespace: flux-system 19 | interval: 5m 20 | values: 21 | image: 22 | repository: ghcr.io/k8snetworkplumbingwg/multus-cni 23 | tag: v4.0.2 24 | cni: 25 | image: 26 | repository: ghcr.io/k8s-at-home/cni-plugins 27 | tag: v1.1.1 28 | version: "0.3.1" 29 | paths: 30 | bin: /opt/cni/bin 31 | config: /etc/cni/net.d 32 | -------------------------------------------------------------------------------- /k8s/base/kube-system/namespace.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: kube-system 5 | -------------------------------------------------------------------------------- /k8s/base/kube-system/networkpolicy.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: networking.k8s.io/v1 3 | kind: NetworkPolicy 4 | metadata: 5 | name: default-allow-all 6 | namespace: kube-system 7 | spec: 8 | podSelector: {} 9 | ingress: 10 | - {} 11 | egress: 12 | - {} 13 | policyTypes: 14 | - Ingress 15 | - Egress 16 | -------------------------------------------------------------------------------- 
/k8s/base/kube-system/reloader/helm-release.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: helm.toolkit.fluxcd.io/v2 3 | kind: HelmRelease 4 | metadata: 5 | name: reloader 6 | namespace: kube-system 7 | labels: 8 | component.kutara.io/part-of: standard-helm-release 9 | spec: 10 | interval: 5m 11 | chart: 12 | spec: 13 | chart: reloader 14 | version: 1.0.38 15 | sourceRef: 16 | kind: HelmRepository 17 | name: stakater-charts 18 | namespace: flux-system 19 | interval: 5m 20 | values: 21 | nameOverride: reloader 22 | fullnameOverride: reloader 23 | reloader: 24 | podMonitor: 25 | enabled: true 26 | namespace: kube-system 27 | -------------------------------------------------------------------------------- /k8s/base/kube-system/rocm-k8s-device-plugin/k8s-ds-amdgpu-dp-health.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: apps/v1 3 | kind: DaemonSet 4 | metadata: 5 | name: amdgpu-device-plugin 6 | namespace: kube-system 7 | spec: 8 | selector: 9 | matchLabels: 10 | name: amdgpu-device-plugin 11 | template: 12 | metadata: 13 | labels: 14 | name: amdgpu-device-plugin 15 | spec: 16 | priorityClassName: system-node-critical 17 | tolerations: 18 | - key: CriticalAddonsOnly 19 | operator: Exists 20 | containers: 21 | - image: docker.io/rocm/k8s-device-plugin:1.25.2@sha256:eef13b57969189eea7d6a3ad71774b283d8ddbca44af07e6d7a3ba25e84e12ba 22 | name: amdgpu-dp-cntr-health 23 | workingDir: /root 24 | command: ["./k8s-device-plugin"] 25 | args: 26 | - "-logtostderr=true" 27 | - "-stderrthreshold=INFO" 28 | - "-v=5" 29 | - "-pulse=2" 30 | securityContext: 31 | privileged: true 32 | capabilities: 33 | drop: ["ALL"] 34 | volumeMounts: 35 | - name: dp 36 | mountPath: /var/lib/kubelet/device-plugins 37 | - name: sys 38 | mountPath: /sys 39 | - name: dev 40 | mountPath: /dev 41 | volumes: 42 | - name: dp 43 | hostPath: 44 | path: /var/lib/kubelet/device-plugins 
45 | - name: sys 46 | hostPath: 47 | path: /sys 48 | - name: dev 49 | hostPath: 50 | path: /dev 51 | -------------------------------------------------------------------------------- /k8s/base/kube-system/rocm-k8s-device-plugin/k8s-ds-amdgpu-dp.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: apps/v1 3 | kind: DaemonSet 4 | metadata: 5 | name: amdgpu-device-plugin 6 | namespace: kube-system 7 | spec: 8 | selector: 9 | matchLabels: 10 | name: amdgpu-deviceplugin 11 | template: 12 | metadata: 13 | annotations: 14 | labels: 15 | name: amdgpu-deviceplugin 16 | spec: 17 | tolerations: 18 | - key: CriticalAddonsOnly 19 | operator: Exists 20 | containers: 21 | - image: docker.io/rocm/k8s-device-plugin:1.25.2@sha256:eef13b57969189eea7d6a3ad71774b283d8ddbca44af07e6d7a3ba25e84e12ba 22 | name: amdgpu-dp-cntr 23 | workingDir: /root 24 | command: ["./k8s-device-plugin"] 25 | args: ["-logtostderr=true", "-stderrthreshold=INFO", "-v=5"] 26 | securityContext: 27 | allowPrivilegeEscalation: false 28 | capabilities: 29 | drop: ["ALL"] 30 | volumeMounts: 31 | - name: dp 32 | mountPath: /var/lib/kubelet/device-plugins 33 | - name: sys 34 | mountPath: /sys 35 | volumes: 36 | - name: dp 37 | hostPath: 38 | path: /var/lib/kubelet/device-plugins 39 | - name: sys 40 | hostPath: 41 | path: /sys 42 | -------------------------------------------------------------------------------- /k8s/base/kube-system/rocm-k8s-device-plugin/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - k8s-ds-amdgpu-labeller.yaml 6 | - k8s-ds-amdgpu-dp.yaml 7 | namespace: kube-system 8 | patchesJson6902: 9 | - target: 10 | version: v1 11 | kind: DaemonSet 12 | name: amdgpu-device-plugin 13 | patch: |- 14 | - op: add 15 | path: /spec/template/spec/nodeSelector 16 | value: 17 | 
feature.node.kubernetes.io/custom-vega11-gpu: "true" 18 | - target: 19 | version: v1 20 | kind: DaemonSet 21 | name: amdgpu-labeller 22 | patch: |- 23 | - op: add 24 | path: /spec/template/spec/nodeSelector 25 | value: 26 | feature.node.kubernetes.io/custom-vega11-gpu: "true" 27 | -------------------------------------------------------------------------------- /k8s/base/kyverno/namespace.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Namespace 4 | metadata: 5 | name: kyverno 6 | -------------------------------------------------------------------------------- /k8s/base/kyverno/operator/kustomize.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: source.toolkit.fluxcd.io/v1beta2 3 | kind: OCIRepository 4 | metadata: 5 | name: kyverno-controller 6 | namespace: flux-system 7 | spec: 8 | interval: 120m0s 9 | provider: generic 10 | url: oci://ghcr.io/kyverno/manifests/kyverno 11 | ref: 12 | tag: "v1.11.1" 13 | verify: 14 | provider: cosign 15 | --- 16 | apiVersion: kustomize.toolkit.fluxcd.io/v1 17 | kind: Kustomization 18 | metadata: 19 | name: kyverno-controller-deploy 20 | namespace: flux-system 21 | spec: 22 | interval: 720m0s 23 | patches: 24 | - patch: | 25 | - op: add 26 | path: /spec/replicas 27 | value: 3 28 | target: 29 | kind: Deployment 30 | labelSelector: "app.kubernetes.io/name=kyverno" 31 | sourceRef: 32 | kind: OCIRepository 33 | name: kyverno-controller 34 | serviceAccountName: kustomize-controller 35 | path: ./ 36 | prune: true 37 | wait: true 38 | timeout: 5m 39 | -------------------------------------------------------------------------------- /k8s/base/kyverno/policies/apply-ingress-whitelist-annotations.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kyverno.io/v1 3 | kind: ClusterPolicy 4 | metadata: 5 | name: apply-ingress-whitelist-annotations 6 | 
annotations: 7 | policies.kyverno.io/title: Apply Ingress Whitelist Annotations 8 | policies.kyverno.io/subject: Ingress 9 | policies.kyverno.io/description: >- 10 | This policy creates annotations on ingresses. When 11 | the `internal-whitelist.kutara.io/enabled` annotation is 12 | set to "true" it adds the nginx whitelist-source-range annotation, if absent, 13 | so the ingress is reachable only from internal address ranges. 14 | spec: 15 | mutateExistingOnPolicyUpdate: true 16 | generateExistingOnPolicyUpdate: true 17 | rules: 18 | - name: whitelist 19 | match: 20 | any: 21 | - resources: 22 | kinds: ["Ingress"] 23 | annotations: 24 | internal-whitelist.kutara.io/enabled: "true" 25 | mutate: 26 | patchStrategicMerge: 27 | metadata: 28 | annotations: 29 | +(nginx.ingress.kubernetes.io/whitelist-source-range): "10.0.0.0/8,172.16.0.0/12,192.168.0.0/16,2001:559:87dd::/48" 30 | -------------------------------------------------------------------------------- /k8s/base/media/bazarr/config-pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: bazarr-config-v3 6 | namespace: media 7 | spec: 8 | accessModes: 9 | - ReadWriteMany 10 | resources: 11 | requests: 12 | storage: 5Gi 13 | storageClassName: fast-ceph-filesystem 14 | -------------------------------------------------------------------------------- /k8s/base/media/cross-seed/external-secret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: external-secrets.io/v1beta1 3 | kind: ExternalSecret 4 | metadata: 5 | name: cross-seed 6 | namespace: media 7 | spec: 8 | refreshInterval: 1h 9 | secretStoreRef: 10 | kind: ClusterSecretStore 11 | name: gcp-kutara-prod 12 | target: 13 | name: cross-seed 14 | creationPolicy: Owner 15 | data: 16 | - secretKey: PROWLARR_API_KEY 17 | remoteRef: 18 | key: arr-api-key 19 | -------------------------------------------------------------------------------- 
/k8s/base/media/cross-seed/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - helm-release.yaml 6 | - external-secret.yaml 7 | namespace: media 8 | configMapGenerator: 9 | - name: cross-seed 10 | files: 11 | - config.js 12 | generatorOptions: 13 | disableNameSuffixHash: true 14 | annotations: 15 | kustomize.toolkit.fluxcd.io/substitute: disabled 16 | -------------------------------------------------------------------------------- /k8s/base/media/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - namespace.yaml 6 | - media-pvc.yaml 7 | - priority-class.yaml 8 | -------------------------------------------------------------------------------- /k8s/base/media/lidarr/config-pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: lidarr-config-v2 6 | namespace: media 7 | spec: 8 | accessModes: 9 | - ReadWriteMany 10 | resources: 11 | requests: 12 | storage: 10Gi 13 | storageClassName: fast-ceph-filesystem 14 | --- 15 | apiVersion: v1 16 | kind: PersistentVolumeClaim 17 | metadata: 18 | name: lidarr-backup-v2 19 | namespace: media 20 | spec: 21 | accessModes: 22 | - ReadWriteMany 23 | resources: 24 | requests: 25 | storage: 10Gi 26 | storageClassName: slow-ceph-filesystem 27 | -------------------------------------------------------------------------------- /k8s/base/media/lidarr/secret.sops.yaml: -------------------------------------------------------------------------------- 1 | # yamllint disable 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: lidarr 6 | namespace: media 7 | type: Opaque 8 | stringData: 9 | LIDARR__API_KEY: 
ENC[AES256_GCM,data:h5B9lp/EWrpmQLVv4n+SBg8sPN1BxpFQpuiPCdDMuPk=,iv:+/WfvzqAdraNMaJiPK59OYVMQmOJUvPoP3/cGdVRxQI=,tag:73FMKvKtlsX1V3Wn9+dAuA==,type:str] 10 | sops: 11 | kms: [] 12 | gcp_kms: [] 13 | azure_kv: [] 14 | hc_vault: [] 15 | age: 16 | - recipient: age12t69fa3kqmnxdx4sca7ecv6lfu3wrfwm95zuuhujcfk3ukcn8dzsk40u6x 17 | enc: | 18 | -----BEGIN AGE ENCRYPTED FILE----- 19 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCUXlxdXpIT3krRi9VMXEz 20 | YXJqcERZZUV1YlgrK2hYUmx6WDhMcFprMVQwCjVmczc0YkFQblhMbnA5dVQzaUNJ 21 | MnBLM210NmIvSXZOM1JUZFpUOUpqU1kKLS0tIFdvdnJ2QnArZ0JUcEcrTzdjMjNo 22 | a1gxOWRxY1RMdVErcGk5byt4L3QzNEEKICpnOnU5Z2Gq4JkgVAUXlg/gbSQkI78E 23 | ntBScqNNbgZEtF7Ob+33s08XR/R/HAtH/k7sV2s9w8kmnVXZVKMHnA== 24 | -----END AGE ENCRYPTED FILE----- 25 | lastmodified: "2022-07-06T16:38:06Z" 26 | mac: ENC[AES256_GCM,data:njxvV+1eyivkF09MHtheYfm4Wa4WSR0ju137IJXh8W+DwNLqdLVOh+fnCGqk6ZBqBYjg8gl3YljYs6XneL52jfpr+07sANn1ZtumEyWj+bARrnKLlfOYnmRr7Xuzwm8PYqA97X8pKuQH6bOt59NCsd9h5FrUl+70HcMralvR8UY=,iv:Hn/nVaimiKCQu4jKm025joTX63z+C0SB8evHLW+acf8=,tag:UTVEQ9j6IciBkurUWKSbpg==,type:str] 27 | pgp: [] 28 | encrypted_regex: ((?i)(pass|secret($|[^N])|key|token|^data$|^stringData)) 29 | version: 3.7.3 30 | -------------------------------------------------------------------------------- /k8s/base/media/media-pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: media-v2 6 | namespace: media 7 | spec: 8 | accessModes: 9 | - ReadWriteMany 10 | resources: 11 | requests: 12 | storage: 15T 13 | storageClassName: slow-ceph-filesystem 14 | -------------------------------------------------------------------------------- /k8s/base/media/namespace.yaml: -------------------------------------------------------------------------------- 1 | apiVersion: v1 2 | kind: Namespace 3 | metadata: 4 | name: media 5 | labels: 6 | goldilocks.fairwinds.com/enabled: "true" 7 | 
component.kutara.io/postgres-secrets: "true" 8 | -------------------------------------------------------------------------------- /k8s/base/media/overseerr/config-pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: overseerr-config-v4 6 | namespace: media 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 1Gi 13 | storageClassName: fast-ceph-block 14 | -------------------------------------------------------------------------------- /k8s/base/media/overseerr/pdb.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: policy/v1 3 | kind: PodDisruptionBudget 4 | metadata: 5 | name: overseerr 6 | namespace: media 7 | spec: 8 | maxUnavailable: 1 9 | selector: 10 | matchLabels: 11 | app.kubernetes.io/name: overseerr 12 | -------------------------------------------------------------------------------- /k8s/base/media/plex/config-pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: plex-config-v2 6 | namespace: media 7 | spec: 8 | accessModes: 9 | - ReadWriteMany 10 | resources: 11 | requests: 12 | storage: 100Gi 13 | storageClassName: fast-ceph-filesystem 14 | --- 15 | apiVersion: v1 16 | kind: PersistentVolumeClaim 17 | metadata: 18 | name: plex-backup-v2 19 | namespace: media 20 | spec: 21 | accessModes: 22 | - ReadWriteMany 23 | resources: 24 | requests: 25 | storage: 100Gi 26 | storageClassName: slow-ceph-filesystem 27 | -------------------------------------------------------------------------------- /k8s/base/media/plex/pdb.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: policy/v1 3 | kind: PodDisruptionBudget 4 | metadata: 5 | name: plex 6 | namespace: media 7 | spec: 8 | 
maxUnavailable: 1 9 | selector: 10 | matchLabels: 11 | app.kubernetes.io/name: plex 12 | -------------------------------------------------------------------------------- /k8s/base/media/priority-class.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: scheduling.k8s.io/v1 3 | description: Used for home critical pods that must run in the cluster for WAF, but can be 4 | moved to another node if necessary. 5 | kind: PriorityClass 6 | metadata: 7 | name: media-cluster-critical 8 | preemptionPolicy: PreemptLowerPriority 9 | value: 100000 10 | -------------------------------------------------------------------------------- /k8s/base/media/prowlarr/config-pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: prowlarr-config-v2 6 | namespace: media 7 | spec: 8 | accessModes: 9 | - ReadWriteMany 10 | resources: 11 | requests: 12 | storage: 1Gi 13 | storageClassName: fast-ceph-filesystem 14 | --- 15 | apiVersion: v1 16 | kind: PersistentVolumeClaim 17 | metadata: 18 | name: prowlarr-backup-v2 19 | namespace: media 20 | spec: 21 | accessModes: 22 | - ReadWriteMany 23 | resources: 24 | requests: 25 | storage: 1Gi 26 | storageClassName: slow-ceph-filesystem 27 | -------------------------------------------------------------------------------- /k8s/base/media/prowlarr/external-secret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: external-secrets.io/v1beta1 3 | kind: ExternalSecret 4 | metadata: 5 | name: prowlarr 6 | namespace: media 7 | spec: 8 | refreshInterval: 1h 9 | secretStoreRef: 10 | kind: ClusterSecretStore 11 | name: gcp-kutara-prod 12 | target: 13 | name: prowlarr 14 | creationPolicy: Owner 15 | data: 16 | - secretKey: PROWLARR__POSTGRES_USER 17 | remoteRef: 18 | key: prowlarr-postgres-username 19 | - secretKey: 
PROWLARR__POSTGRES_PASSWORD 20 | remoteRef: 21 | key: prowlarr-postgres-password 22 | - secretKey: PROWLARR__API_KEY 23 | remoteRef: 24 | key: arr-api-key 25 | -------------------------------------------------------------------------------- /k8s/base/media/qbittorrent/completed.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | # qBittorrent settings > 'Run external program on torrent finished' 3 | # /scripts/completed.sh "%F" "%G" 4 | /bin/chmod -R 750 "$1" 5 | if [[ "$2" == *"force-cross-seed"* ]]; then 6 | printf "Searching cross-seed for '%s' with tags '%s'\n" "$1" "$2" 7 | /usr/bin/curl \ 8 | --silent \ 9 | --connect-timeout 5 \ 10 | --max-time 10 \ 11 | --retry 5 \ 12 | --retry-delay 0 \ 13 | --retry-max-time 40 \ 14 | --request POST \ 15 | --data-urlencode "path=$1" \ 16 | http://cross-seed.default.svc.cluster.local/api/webhook 17 | else 18 | printf "Skipping cross-seed check for '%s' with tags '%s'\n" "$1" "$2" 19 | fi 20 | exit 0 21 | -------------------------------------------------------------------------------- /k8s/base/media/qbittorrent/config-pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: config-qbittorrent-0 6 | namespace: media 7 | spec: 8 | accessModes: 9 | - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 1Gi 13 | storageClassName: fast-ceph-block 14 | --- 15 | apiVersion: v1 16 | kind: PersistentVolumeClaim 17 | metadata: 18 | name: qbittorrent-v3 19 | namespace: media 20 | spec: 21 | accessModes: 22 | - ReadWriteMany 23 | resources: 24 | requests: 25 | storage: 1Gi 26 | storageClassName: fast-ceph-filesystem 27 | -------------------------------------------------------------------------------- /k8s/base/media/qbittorrent/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: 
kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - helm-release.yaml 6 | - config-pvc.yaml 7 | - qbtools-helm-release.yaml 8 | namespace: media 9 | configMapGenerator: 10 | - name: qbtools 11 | files: 12 | - config.yaml=qbtools-config.yaml 13 | - name: qbittorrent-scripts 14 | files: 15 | - completed.sh 16 | generatorOptions: 17 | disableNameSuffixHash: true 18 | annotations: 19 | kustomize.toolkit.fluxcd.io/substitute: disabled 20 | -------------------------------------------------------------------------------- /k8s/base/media/qbittorrent/qbtools-config.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | trackers: 3 | - name: anthelion 4 | urls: ["anthelion.me"] 5 | required_seed_ratio: 1.01 6 | required_seed_days: 0 7 | - name: blutopia 8 | urls: ["blutopia.cc", "blutopia.xyz"] 9 | required_seed_ratio: 1.01 10 | required_seed_days: 14.1 11 | - name: broadcasthenet 12 | urls: ["landof.tv"] 13 | required_seed_ratio: 1.01 14 | required_seed_days: 14.1 15 | - name: filelist 16 | urls: ["filelist.io", "flro.org"] 17 | required_seed_ratio: 1.01 18 | required_seed_days: 2.1 19 | - name: hd-space 20 | urls: ["hd-space.pw"] 21 | required_seed_ratio: 0 22 | required_seed_days: 2.1 23 | - name: hd-torrents 24 | urls: ["hdts-announce.ru"] 25 | required_seed_ratio: 1.01 26 | required_seed_days: 0 27 | - name: iptorrents 28 | urls: ["bgp.technology", "empirehost.me", "stackoverflow.tech"] 29 | required_seed_ratio: 1.01 30 | required_seed_days: 14.1 31 | - name: myspleen 32 | urls: ["myspleen.org"] 33 | required_seed_ratio: 1.01 34 | required_seed_days: 0 35 | - name: torrentleech 36 | urls: ["tleechreload.org", "torrentleech.org"] 37 | required_seed_ratio: 1.01 38 | required_seed_days: 10.1 39 | - name: animetorrents 40 | urls: ["animetorrents.me"] 41 | required_seed_ratio: 1.01 42 | required_seed_days: 7 43 | - name: bakabt 44 | urls: ["bakabt.me"] 45 | required_seed_ratio: 1.01 46 | required_seed_days: 
0 47 | - name: torrentseeds 48 | urls: ["torrentseeds.org"] 49 | required_seed_ratio: 1.01 50 | required_seed_days: 9 51 | -------------------------------------------------------------------------------- /k8s/base/media/radarr/config-pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: radarr-config-v2 6 | namespace: media 7 | spec: 8 | accessModes: 9 | - ReadWriteMany 10 | resources: 11 | requests: 12 | storage: 15Gi 13 | storageClassName: fast-ceph-filesystem 14 | --- 15 | apiVersion: v1 16 | kind: PersistentVolumeClaim 17 | metadata: 18 | name: radarr-backup-v2 19 | namespace: media 20 | spec: 21 | accessModes: 22 | - ReadWriteMany 23 | resources: 24 | requests: 25 | storage: 15Gi 26 | storageClassName: slow-ceph-filesystem 27 | -------------------------------------------------------------------------------- /k8s/base/media/radarr/external-secret.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: external-secrets.io/v1beta1 3 | kind: ExternalSecret 4 | metadata: 5 | name: radarr 6 | namespace: media 7 | spec: 8 | refreshInterval: 1h 9 | secretStoreRef: 10 | kind: ClusterSecretStore 11 | name: gcp-kutara-prod 12 | target: 13 | name: radarr 14 | creationPolicy: Owner 15 | data: 16 | - secretKey: RADARR__POSTGRES_USER 17 | remoteRef: 18 | key: radarr-postgres-username 19 | - secretKey: RADARR__POSTGRES_PASSWORD 20 | remoteRef: 21 | key: radarr-postgres-password 22 | - secretKey: RADARR__API_KEY 23 | remoteRef: 24 | key: arr-api-key 25 | -------------------------------------------------------------------------------- /k8s/base/media/recyclarr/config-pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: recyclarr-config-v1 6 | namespace: media 7 | spec: 8 | accessModes: 9 
| - ReadWriteOnce 10 | resources: 11 | requests: 12 | storage: 5Gi 13 | storageClassName: fast-ceph-block 14 | -------------------------------------------------------------------------------- /k8s/base/media/recyclarr/external-secret.yaml: -------------------------------------------------------------------------------- 1 | # yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json 2 | --- 3 | apiVersion: external-secrets.io/v1beta1 4 | kind: ExternalSecret 5 | metadata: 6 | name: recyclarr 7 | namespace: media 8 | spec: 9 | secretStoreRef: 10 | kind: ClusterSecretStore 11 | name: gcp-kutara-prod 12 | target: 13 | name: recyclarr 14 | template: 15 | engineVersion: v2 16 | data: 17 | RADARR_API_KEY: "{{ .RADARR_API_KEY }}" 18 | SONARR_API_KEY: "{{ .SONARR_API_KEY }}" 19 | data: 20 | - secretKey: RADARR_API_KEY 21 | remoteRef: 22 | key: radarr 23 | - secretKey: SONARR_API_KEY 24 | remoteRef: 25 | key: sonarr 26 | -------------------------------------------------------------------------------- /k8s/base/media/recyclarr/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - helm-release.yaml 6 | - external-secret.yaml 7 | - config-pvc.yaml 8 | namespace: media 9 | configMapGenerator: 10 | - name: recyclarr 11 | files: 12 | - recyclarr.yaml 13 | generatorOptions: 14 | disableNameSuffixHash: true 15 | annotations: 16 | kustomize.toolkit.fluxcd.io/substitute: disabled 17 | -------------------------------------------------------------------------------- /k8s/base/media/sabnzbd/config-pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: sabnzbd-config-v2 6 | namespace: media 7 | spec: 8 | accessModes: 9 | - ReadWriteMany 10 | resources: 11 | requests: 12 
| storage: 1Gi 13 | storageClassName: fast-ceph-filesystem 14 | -------------------------------------------------------------------------------- /k8s/base/media/samba/secret.sops.yaml: -------------------------------------------------------------------------------- 1 | --- # NOTE(review): unlike the other *.sops.yaml Secrets in this tree, this file carries no sops metadata block and its data: values are plain base64, i.e. readable by anyone with repository access; encrypt it with sops (the encrypted_regex used by the other secrets already covers ^data$) and rotate the credential. 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | labels: 6 | app.kubernetes.io/component: samba 7 | app.kubernetes.io/name: samba-media 8 | name: samba 9 | namespace: media 10 | type: Opaque 11 | data: 12 | PASSWORD: OTE5OUFzdXNNb2Jv 13 | USERNAME: YW50aG9ueQ== 14 | -------------------------------------------------------------------------------- /k8s/base/media/samba/service.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: Service 4 | metadata: 5 | annotations: 6 | metallb.universe.tf/allow-shared-ip: samba-media 7 | name: samba-media 8 | namespace: media 9 | spec: 10 | allocateLoadBalancerNodePorts: false 11 | externalTrafficPolicy: Local 12 | ports: 13 | - name: netbios-ssn 14 | port: 139 15 | protocol: TCP 16 | targetPort: 139 17 | - name: microsoft-ds 18 | port: 445 19 | protocol: TCP 20 | targetPort: 445 21 | - name: microsoft-ds-backup 22 | port: 4450 23 | protocol: TCP 24 | targetPort: 445 25 | selector: 26 | app.kubernetes.io/name: samba-media 27 | sessionAffinity: None 28 | type: LoadBalancer 29 | -------------------------------------------------------------------------------- /k8s/base/media/sonarr/config-pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: sonarr-config-v4 6 | namespace: media 7 | spec: 8 | accessModes: 9 | - ReadWriteMany 10 | resources: 11 | requests: 12 | storage: 10Gi 13 | storageClassName: fast-ceph-filesystem 14 | --- 15 | apiVersion: v1 16 | kind: PersistentVolumeClaim 17 | metadata: 18 | name: sonarr-backup-v4 19 | namespace: media 20 | spec: 21 | accessModes: 22 
| - ReadWriteMany 23 | resources: 24 | requests: 25 | storage: 10Gi 26 | storageClassName: slow-ceph-filesystem 27 | -------------------------------------------------------------------------------- /k8s/base/media/sonarr/secret.sops.yaml: -------------------------------------------------------------------------------- 1 | # yamllint disable 2 | apiVersion: v1 3 | kind: Secret 4 | metadata: 5 | name: sonarr 6 | namespace: media 7 | type: Opaque 8 | stringData: 9 | SONARR__API_KEY: ENC[AES256_GCM,data:vbZSasEalVTrvKlUDXFUfl4fre6+jVDaec0LDpnRETs=,iv:z6WzGf8MuRO+Qujy+jgN88B2TT4Bp51Ov3kkNmnNXuA=,tag:tZnc5a8RL9YlgABhpPuqZg==,type:str] 10 | sops: 11 | kms: [] 12 | gcp_kms: [] 13 | azure_kv: [] 14 | hc_vault: [] 15 | age: 16 | - recipient: age12t69fa3kqmnxdx4sca7ecv6lfu3wrfwm95zuuhujcfk3ukcn8dzsk40u6x 17 | enc: | 18 | -----BEGIN AGE ENCRYPTED FILE----- 19 | YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCUXlxdXpIT3krRi9VMXEz 20 | YXJqcERZZUV1YlgrK2hYUmx6WDhMcFprMVQwCjVmczc0YkFQblhMbnA5dVQzaUNJ 21 | MnBLM210NmIvSXZOM1JUZFpUOUpqU1kKLS0tIFdvdnJ2QnArZ0JUcEcrTzdjMjNo 22 | a1gxOWRxY1RMdVErcGk5byt4L3QzNEEKICpnOnU5Z2Gq4JkgVAUXlg/gbSQkI78E 23 | ntBScqNNbgZEtF7Ob+33s08XR/R/HAtH/k7sV2s9w8kmnVXZVKMHnA== 24 | -----END AGE ENCRYPTED FILE----- 25 | lastmodified: "2022-06-20T21:53:32Z" 26 | mac: ENC[AES256_GCM,data:A4o4JcoFV0Qpm0yaqAHrIUXOwXF+vspX0xtryv0Ew8qRb54jQFDXSjTPZILC1YvrRYa+xkdQzAM36sCcdzWIXF0QrvWCkfIqimyv0UYjeGWZw8pTqdlIXvHaHNuBlEAuvLQXwxO2T1ZSp69GtWqCnvTaynb82ExAvuPq1oD90YU=,iv:gjs9hrByA/gqbrkjvOBz8LNoar+DUYCeepDsmgSDaZU=,tag:MZRN23vDVk9jqebhfedFUQ==,type:str] 27 | pgp: [] 28 | encrypted_regex: ((?i)(pass|secret($|[^N])|key|token|^data$|^stringData)) 29 | version: 3.7.3 30 | -------------------------------------------------------------------------------- /k8s/base/media/tvheadend/config-pvc.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: v1 3 | kind: PersistentVolumeClaim 4 | metadata: 5 | name: tvheadend-config-v2 6 | 
# (tail of a PersistentVolumeClaim whose beginning is outside this view)
  namespace: media
spec:
  accessModes:
    - ReadWriteMany
  resources:
    requests:
      storage: 1Gi
  storageClassName: fast-ceph-filesystem

# file: /k8s/base/monitoring/grafana/external-secret.yaml
# Grafana credentials are pulled from the gcp-kutara-prod ClusterSecretStore
# into the `grafana` Secret; no secret material is committed in this file.
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: grafana
  namespace: monitoring
spec:
  # Upper bound on how long a value rotated in the external store takes to
  # reach the cluster.
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: gcp-kutara-prod
  target:
    name: grafana
    # Owner: the Secret is created by, and garbage-collected with, this resource.
    creationPolicy: Owner
  data:
    - secretKey: GF_DATABASE_PASSWORD
      remoteRef:
        key: grafana-postgres-password
    - secretKey: GF_SECURITY_ADMIN_USERNAME
      remoteRef:
        key: grafana-admin-user
    - secretKey: GF_SECURITY_ADMIN_PASSWORD
      remoteRef:
        key: grafana-admin-password
    - secretKey: GF_AUTH_GENERIC_OAUTH_CLIENT_ID
      remoteRef:
        key: grafana-oauth-client-id
    - secretKey: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET
      remoteRef:
        key: grafana-oauth-client-secret

# file: /k8s/base/monitoring/kustomization.yaml
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - namespace.yaml

# file: /k8s/base/monitoring/loki/kustomization.yaml
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - ./object-bucket-claim.yaml
  - ./helm-release.yaml
configMapGenerator:
  - name: loki-alerting-rules
    files:
      - loki-alerting-rules.yaml=./rules.yaml
generatorOptions:
  # Fixed ConfigMap name so it can be referenced by name from the HelmRelease.
  disableNameSuffixHash: true

# file: /k8s/base/monitoring/loki/object-bucket-claim.yaml
---
apiVersion: objectbucket.io/v1alpha1
kind: ObjectBucketClaim
metadata:
  name: loki-bucket-v2
  namespace: monitoring
spec:
  bucketName: loki-v2
  storageClassName: slow-ceph-bucket

# file: /k8s/base/monitoring/loki/rules.yaml
# Loki alerting rules, shipped through the loki-alerting-rules ConfigMap.
---
groups:
  - name: zigbee2mqtt
    rules:
      - alert: ZigbeeMQTTUnreachable
        # Fires when any zigbee2mqtt log line in the last 2m matches the
        # (case-insensitive) "not connected to mqtt server" text.
        expr: |
          sum(count_over_time({app="zigbee2mqtt"} |~ "(?i)not connected to mqtt server"[2m])) > 0
        for: 2m
        labels:
          severity: critical
          category: logs
        annotations:
          app: "{{ $labels.app }}"
          summary: "{{ $labels.app }} is unable to reach MQTT"

# file: /k8s/base/monitoring/mimir/etcd-helm-release.yaml
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: mimir-etcd
  namespace: monitoring
  labels:
    component.kutara.io/part-of: standard-helm-release
spec:
  interval: 15m
  upgrade:
    # The upgrade returns without waiting for the pods to become ready.
    disableWait: true
    force: true
  chart:
    spec:
      chart: etcd
      version: 9.8.0
      sourceRef:
        kind: HelmRepository
        name: bitnami-charts
        namespace: flux-system
  values:
    global:
      storageClass: local-hostpath
    replicaCount: 3
    auth:
      token:
        # 10000h is roughly 14 months: an etcd auth token that leaks stays
        # usable for that long. NOTE(review): consider a shorter ttl.
        ttl: 10000h
      rbac:
        # Password is read from the `mimir` Secret (mimir/external-secret.yaml),
        # so it is never stored in git.
        existingSecret: mimir
        existingSecretPasswordKey: "MIMIR_ETCD_PASSWORD"

# file: /k8s/base/monitoring/mimir/external-secret.yaml
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: mimir
  namespace: monitoring
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: gcp-kutara-prod
  target:
    name: mimir
    creationPolicy: Owner
  data:
    - secretKey: MIMIR_ETCD_PASSWORD
      remoteRef:
        key: mimir-etcd-password

# file: /k8s/base/monitoring/mimir/object-bucket-claim.yaml
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/objectbucket.io/objectbucketclaim_v1alpha1.json
apiVersion: objectbucket.io/v1alpha1
kind: ObjectBucketClaim
metadata:
  name: mimir-ruler-v1
  namespace: monitoring
spec:
  bucketName: ruler-v1
  storageClassName: slow-ceph-bucket
---
# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/objectbucket.io/objectbucketclaim_v1alpha1.json
apiVersion: objectbucket.io/v1alpha1
kind: ObjectBucketClaim
metadata:
  name: mimir-tsdb-v1
  namespace: monitoring
spec:
  bucketName: tsdb-v1
  storageClassName: slow-ceph-bucket

# file: /k8s/base/monitoring/namespace.yaml
---
apiVersion: v1
kind: Namespace
metadata:
  name: monitoring
  labels:
    goldilocks.fairwinds.com/enabled: "true"
    component.kutara.io/postgres-secrets: "true"
# file: /k8s/base/monitoring/snmp-exporter-ups/helm-release-806.yaml
# One snmp-exporter release per UPS; both releases mount the same
# snmp-exporter-ups-0 ConfigMap as their snmp.yaml.
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: snmp-exporter-ups-806
  namespace: monitoring
spec:
  interval: 5m
  chart:
    spec:
      chart: prometheus-snmp-exporter
      version: 1.8.0
      sourceRef:
        kind: HelmRepository
        name: prometheus-community-charts
        namespace: flux-system
      interval: 5m
  values:
    fullnameOverride: snmp-exporter-ups-806
    image:
      repository: quay.io/prometheus/snmp-exporter
    extraArgs:
      - "--config.file=/config/snmp.yaml"
    extraConfigmapMounts:
      # NOTE(review): snmp.yaml comes from a ConfigMap, not a Secret. If it
      # carries SNMP community strings or v3 credentials (not visible here),
      # a Secret would keep them out of plain ConfigMap reads — confirm.
      - name: snmp-exporter-ups-0
        mountPath: /config/snmp.yaml
        subPath: snmp.yaml
        configMap: snmp-exporter-ups-0
        readOnly: true
        defaultMode: 420 # 0644
    serviceMonitor:
      enabled: true
      namespace: monitoring
      params:
        - name: ups-806
          module:
            - apcups
          target: ups-806.scr1.rabbito.tech
      path: /snmp
      # interval: 60s
      scrapeTimeout: 10s
      relabelings:
        # Report the SNMP target, not the exporter pod, as `instance`.
        - sourceLabels: [__param_target]
          targetLabel: instance

# file: /k8s/base/monitoring/snmp-exporter-ups/helm-release-808.yaml
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: snmp-exporter-ups-808
  namespace: monitoring
spec:
  interval: 5m
  chart:
    spec:
      chart: prometheus-snmp-exporter
      version: 1.8.0
      sourceRef:
        kind: HelmRepository
        name: prometheus-community-charts
        namespace: flux-system
      interval: 5m
  values:
    fullnameOverride: snmp-exporter-ups-808
    image:
      repository: quay.io/prometheus/snmp-exporter
    extraArgs:
      - "--config.file=/config/snmp.yaml"
    extraConfigmapMounts:
      - name: snmp-exporter-ups-0
        mountPath: /config/snmp.yaml
        subPath: snmp.yaml
        configMap: snmp-exporter-ups-0
        readOnly: true
        defaultMode: 420 # 0644
    serviceMonitor:
      enabled: true
      namespace: monitoring
      params:
        # NOTE(review): named `808-ups` while the sibling release uses
        # `ups-806`; the inconsistency shows up in the scrape job name.
        - name: 808-ups
          module:
            - apcups
          target: ups-808.scr1.rabbito.tech
      path: /snmp
      # interval: 60s
      scrapeTimeout: 10s
      relabelings:
        - sourceLabels: [__param_target]
          targetLabel: instance

# file: /k8s/base/monitoring/snmp-exporter-ups/prometheus-rule.yaml
---
apiVersion: monitoring.coreos.com/v1
kind: PrometheusRule
metadata:
  labels:
    prometheus: k8s
    role: alert-rules
  name: ups-rules
  namespace: monitoring
spec:
  groups:
    - name: ups.rules
      rules:
        - alert: UPSOnBattery
          annotations:
            summary: ZPM {{$labels.instance}} is running on batteries
              and has less than 20 minutes of battery left
          # Runtime-remaining is scaled from the SNMP TimeTicks value
          # (1/100 s) into minutes before comparing with 20.
          expr: |
            (
              upsAdvBatteryRunTimeRemaining/60/100 <= 20
              and
              upsBasicBatteryTimeOnBattery > 0
            )
          for: 1m
          labels:
            severity: critical

# file: /k8s/base/monitoring/snmp-exporter-vyos/helm-release.yaml
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: snmp-exporter-vyos
  namespace: monitoring
  labels:
    component.kutara.io/part-of: standard-helm-release
spec:
  interval: 5m
  chart:
    spec:
      chart: prometheus-snmp-exporter
      version: 1.8.0
      sourceRef:
        kind: HelmRepository
        name: prometheus-community-charts
        namespace: flux-system
      interval: 5m
  values:
    fullnameOverride: snmp-exporter-vyos
    image:
      repository: quay.io/prometheus/snmp-exporter
    serviceMonitor:
      enabled: true
      namespace: monitoring
      # NOTE(review): `params.enabled/conf` is a different shape from the
      # list-of-targets form used in snmp-exporter-ups/; both releases pin
      # chart 1.8.0, so at most one shape matches its schema — verify which
      # one actually renders endpoints.
      params:
        enabled: true
        conf:
          module:
            - if_mib
          target:
            - fw-1.scr1.rabbito.tech
      path: /snmp
      # interval: 60s
      scrapeTimeout: 10s
      relabelings:
        - sourceLabels: [__param_target]
          targetLabel: instance
        # NOTE(review): snake_case keys below differ from the camelCase entry
        # above; ServiceMonitor relabel configs use sourceLabels/targetLabel,
        # so this entry is likely rejected or ignored — verify.
        - source_labels: [__address__]
          target_label: __param_target

# file: /k8s/base/monitoring/vector/agent/kustomization.yaml
---
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: monitoring
resources:
  - ./helm-release.yaml
  - ./rbac.yaml
configMapGenerator:
  - name: vector-agent-configmap
    files:
      - vector.yaml=./vector.yaml
generatorOptions:
  disableNameSuffixHash: true

# file: /k8s/base/monitoring/vector/agent/rbac.yaml
# Cluster-wide read access limited to list/watch on namespaces, nodes and
# pods; no get/create/update/delete verbs and no secrets.
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: vector-agent
  labels:
    app.kubernetes.io/instance: vector-agent
    app.kubernetes.io/name: vector-agent
rules:
  - apiGroups:
      - ""
    resources:
      - namespaces
      - nodes
      - pods
    verbs:
      - list
      - watch
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: vector-agent
  labels:
    app.kubernetes.io/instance: vector-agent
    app.kubernetes.io/name: vector-agent
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: vector-agent
subjects:
  - kind: ServiceAccount
    name: vector-agent
    namespace: monitoring

# file: /k8s/base/monitoring/vector/agent/vector.yaml
# Vector agent (per node): ships journald and pod logs to the in-cluster
# aggregator over Vector's native protocol.
---
data_dir: /vector-data-dir

sources:
  journald_source:
    type: journald
    journal_directory: /var/log/journal

  kubernetes_source:
    type: kubernetes_logs
    use_apiserver_cache: true
    pod_annotation_fields:
      container_image: container_image
      container_name: container_name
      pod_labels: pod_labels
      pod_name: pod_name
      # An empty string tells Vector not to attach this field.
      pod_annotations: ""
    namespace_annotation_fields:
      namespace_labels: ""
    node_annotation_fields:
      node_labels: ""

sinks:
  # NOTE(review): neither sink has a `tls` block, so the agent -> aggregator
  # hop is plaintext unless something outside this file wraps it — confirm.
  journald:
    type: vector
    compression: true
    version: "2"
    address: vector-aggregator.monitoring.svc.cluster.local:6000
    inputs: ["journald_source"]

  kubernetes:
    type: vector
    compression: true
    version: "2"
    address: vector-aggregator.monitoring.svc.cluster.local:6010
    inputs: ["kubernetes_source"]

# file: /k8s/base/monitoring/vector/aggregator/external-secret.yaml
# MaxMind GeoIP credentials for the aggregator; no refreshInterval is set,
# so the operator default applies.
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: vector-geoipupdate
  namespace: monitoring
spec:
  secretStoreRef:
    kind: ClusterSecretStore
    name: gcp-kutara-prod
  target:
    name: vector-aggregator-secret
    creationPolicy: Owner
  data:
    - secretKey: GEOIPUPDATE_ACCOUNT_ID
      remoteRef:
        key: geoip-account-id
    - secretKey: GEOIPUPDATE_LICENSE_KEY
      remoteRef:
        key: geoip-account-license-key
# file: /k8s/base/monitoring/vector/aggregator/kustomization.yaml
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: monitoring
resources:
  - helm-release.yaml
  - external-secret.yaml
configMapGenerator:
  - name: vector-aggregator-configmap
    files:
      - vector.yaml=./vector.yaml
generatorOptions:
  disableNameSuffixHash: true

# file: /k8s/base/monitoring/vpa/helm-release.yaml
# Recommender only: updater and admission controller are disabled, so the VPA
# never evicts or mutates pods here; it only writes recommendations
# (presumably read by goldilocks, which the namespaces enable).
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: vpa
  namespace: monitoring
  labels:
    component.kutara.io/part-of: standard-helm-release
spec:
  interval: 5m
  chart:
    spec:
      chart: vpa
      version: 2.5.1
      sourceRef:
        kind: HelmRepository
        name: fairwinds-charts
        namespace: flux-system
      interval: 15m
  values:
    recommender:
      enabled: true
      extraArgs:
        storage: prometheus
        prometheus-address: |-
          http://thanos-query.monitoring.svc.cluster.local:9090
    updater:
      enabled: false
    admissionController:
      enabled: false

# file: /k8s/base/networking/cert-manager/helm-release.yaml
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: cert-manager
  namespace: networking
spec:
  interval: 5m
  chart:
    spec:
      chart: cert-manager
      version: v1.12.3
      sourceRef:
        kind: HelmRepository
        name: jetstack-charts
        namespace: flux-system
      interval: 5m
  install:
    crds: CreateReplace
  upgrade:
    crds: CreateReplace
  values:
    # NOTE(review): CRDs are managed both by Flux (install/upgrade.crds above)
    # and by the chart (installCRDs); a single owner avoids conflicting
    # updates on upgrade.
    installCRDs: true
    replicaCount: 3
    webhook:
      replicaCount: 3
    cainjector:
      replicaCount: 3
    # DNS-01 propagation checks resolve only through the public 1.1.1.1 /
    # 1.0.0.1 resolvers, bypassing cluster and split-horizon DNS.
    extraArgs:
      - --dns01-recursive-nameservers=1.1.1.1:53,1.0.0.1:53
      - --dns01-recursive-nameservers-only
    podDnsPolicy: None
    podDnsConfig:
      nameservers:
        - "1.1.1.1"
        - "1.0.0.1"
    prometheus:
      enabled: true
      servicemonitor:
        enabled: true
        prometheusInstance: monitoring

# file: /k8s/base/networking/cert-manager/issuers/letsencrypt-production.yaml
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-production
spec:
  acme:
    server: https://acme-v02.api.letsencrypt.org/directory
    email: ted437+k8s@gmail.com
    privateKeySecretRef:
      # ACME account private key, generated by cert-manager.
      name: letsencrypt-production
    solvers:
      - dns01:
          cloudflare:
            email: ted437@gmail.com
            # NOTE(review): email + apiKeySecretRef is the Cloudflare Global
            # API Key (full-account access). The solver also accepts
            # apiTokenSecretRef, which lets a token scoped to DNS edits on the
            # one zone stand in — smaller blast radius if the Secret leaks.
            # The `cert-manager` Secret is presumably cert-manager.sops.yaml.
            apiKeySecretRef:
              name: cert-manager
              key: CF_API_KEY

# file: /k8s/base/networking/cert-manager/issuers/letsencrypt-staging.yaml
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
  name: letsencrypt-staging
spec:
  acme:
    server: https://acme-staging-v02.api.letsencrypt.org/directory
    email: ted437+k8s@gmail.com
    privateKeySecretRef:
      name: letsencrypt-staging
    solvers:
      - dns01:
          cloudflare:
            email: ted437@gmail.com
            # Same Global API Key as the production issuer; the same
            # scoped-token note applies.
            apiKeySecretRef:
              name: cert-manager
              key: CF_API_KEY

# file: /k8s/base/networking/cert-manager/kustomization.yaml
# NOTE(review): the issuers/ directory is not listed here, so from this file
# alone the ClusterIssuers are not applied — confirm another Kustomization
# includes them.
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - cert-manager.sops.yaml
  - helm-release.yaml

# file: /k8s/base/networking/external-dns/helm-release.yaml
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: external-dns
  namespace: networking
  labels:
    component.kutara.io/part-of: standard-helm-release
spec:
  interval: 5m
  chart:
    spec:
      chart: external-dns
      version: 1.13.0
      sourceRef:
        kind: HelmRepository
        name: external-dns-charts
        namespace: flux-system
      interval: 5m
  values:
    interval: 5m
    # logLevel: debug
    serviceMonitor:
      enabled: true
    provider: cloudflare
    env:
      # NOTE(review): CF_API_EMAIL + CF_API_KEY is the Global API Key.
      # external-dns also honours CF_API_TOKEN, so a zone-scoped DNS token
      # could replace it (the Secret is external-dns/secret.sops.yaml).
      - name: CF_API_EMAIL
        valueFrom:
          secretKeyRef:
            name: external-dns
            key: cf-email
      - name: CF_API_KEY
        valueFrom:
          secretKeyRef:
            name: external-dns
            key: cf-api-key
    #extraArgs:
    #- "--default-targets=50.223.56.162"
    # sync: external-dns also deletes records it owns (per the TXT registry),
    # not just creates/updates them.
    policy: sync
    # Ownership TXT records are prefixed per cluster; ${CLUSTER_NAME} is
    # presumably filled in by Flux post-build substitution.
    txtPrefix: "${CLUSTER_NAME}."
# (continuation of /k8s/base/networking/external-dns/helm-release.yaml values)
    # Only kutara.io records are managed; other zones on the account are
    # untouched even though the credential could reach them.
    domainFilters:
      - "kutara.io"
    resources:
      requests:
        cpu: 15m
        memory: 105M
      limits:
        cpu: 40m
        memory: 245M

# file: /k8s/base/networking/external-dns/secret.sops.yaml
# sops-encrypted for the age recipient below; only ciphertext is committed
# and encrypted_regex covers stringData. Per lastmodified, the key inside
# has been in place since 2021-10-14 — worth checking rotation.
# yamllint disable
apiVersion: v1
kind: Secret
metadata:
  name: external-dns
  namespace: networking
stringData:
  cf-api-key: ENC[AES256_GCM,data:W4ANvadLwF1+/DvBo76l8YXFy/JCyw8ETiUoJa6IlG2YmVm6tQ==,iv:N0Npeez4ZaVjIKkg4HvHx3voSeJpMJOkZuCK48Rp4vQ=,tag:4DwbRB6LOPvhP4AUGV1MLA==,type:str]
  cf-email: ENC[AES256_GCM,data:wvP2/GExFTk8wwWbtXl8pw==,iv:jHAVvb9Sb/3wPGTgU8FjQ4ZOGJS4v2XOt6W5W76S4Gk=,tag:MOnk2PrjMu4tSOdnxYcGNQ==,type:str]
sops:
  kms: []
  gcp_kms: []
  azure_kv: []
  hc_vault: []
  age:
    - recipient: age12t69fa3kqmnxdx4sca7ecv6lfu3wrfwm95zuuhujcfk3ukcn8dzsk40u6x
      enc: |
        -----BEGIN AGE ENCRYPTED FILE-----
        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBqUXMvTmdzVCtwTGFTZG14
        RTVvS1pXaGxXWWtrY01td1g4UFdBMitrWVhJClJsT2krdWZXNWhUZ1pVVHBvRkVy
        R2ZZRVp5dDY3SHFDTk9wODh1bEZBQjgKLS0tIE9vYmo3eW45RTBSMU1jVVkyN0VG
        Vm82bmwrYm1admtrUUVCWHo2aExLZVkKkgjGDi5wjCsE89t+R2/0Y8Xjo4jbR5Bs
        KG3IUutsBMlkYWOCsDIwFB8gGAuQgYIjftYc8PEQGzn3BeDtqTFhuQ==
        -----END AGE ENCRYPTED FILE-----
  lastmodified: "2021-10-14T01:23:38Z"
  mac: ENC[AES256_GCM,data:PV/RccVzcXd/DaN+Y9HGazrOa90bJoyRlWzi8K8A6j4aknUAtLJDPL73lD5Z6Aej7njcDGDyyhiY+TSp9QOAE7ckw58F4ksuFgXbZDq8Xus8TnvvkAPQZ1hyf3X+lJUd9Dq1AI2Gr5p7N0Yx9g9W0vc29bc4Wnc71H99m1Mn9j8=,iv:mEZwZrEDQvTS5JMnxM5oLGY+CRee0QDPxcWzQCYgycE=,tag:NmlqvNPx/lxTJjpwt2bWgw==,type:str]
  pgp: []
  encrypted_regex: ((?i)(pass|secret($|[^N])|key|token|^data$|^stringData))
  version: 3.7.1

# file: /k8s/base/networking/kustomization.yaml
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - namespace.yaml

# file: /k8s/base/networking/namespace.yaml
apiVersion: v1
kind: Namespace
metadata:
  name: networking
  labels:
    goldilocks.fairwinds.com/enabled: "true"

# file: /k8s/base/networking/nginx/certificate.yaml
# Wildcard certificate for kutara.io: the resulting wc-kutara-tls Secret is
# valid for every subdomain, so read access to it in `networking` should stay
# tightly scoped.
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
  name: kutara-wildcard
  namespace: networking
spec:
  # NOTE(review): cert-manager expects `spec.secretName`; `secretTemplate`
  # only carries labels/annotations. If secretName really sits under
  # secretTemplate as shown here, the Certificate fails validation — verify
  # the indentation in the real file.
  secretTemplate:
    secretName: "wc-kutara-tls"
  issuerRef:
    name: letsencrypt-production
    kind: ClusterIssuer
  commonName: "kutara.io"
  dnsNames:
    - "kutara.io"
    - "*.scr1.kutara.io"
    - "*.kutara.io"

# file: /k8s/base/rook-ceph/kustomization.yaml
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - namespace.yaml

# file: /k8s/base/rook-ceph/namespace.yaml
---
apiVersion: v1
kind: Namespace
metadata:
  name: rook-ceph
  labels:
    goldilocks.fairwinds.com/enabled: "true"

# file: /k8s/base/rook-ceph/operator/helm-release.yaml
# (body of /k8s/base/rook-ceph/operator/helm-release.yaml)
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
  name: rook-ceph
  namespace: rook-ceph
  labels:
    component.kutara.io/part-of: standard-helm-release
spec:
  interval: 5m
  chart:
    spec:
      chart: rook-ceph
      version: v1.14.8
      sourceRef:
        kind: HelmRepository
        name: rook-ceph-charts
        namespace: flux-system
  install:
    crds: CreateReplace
  upgrade:
    crds: CreateReplace
  values:
    crds:
      enabled: true
    monitoring:
      enabled: true
    csi:
      enableOMAPGenerator: true
      # enablePluginSelinuxHostMount: true
      nfs:
        enabled: true
    resources:
      requests:
        cpu: 350m
        memory: 128Mi
      limits:
        cpu: 1000m
        memory: 356Mi
    # Runs the Ceph/CSI pods privileged so they can write to hostPath mounts.
    # Needed on some hosts, but it widens what a compromise of those pods can
    # reach; keep the rook-ceph namespace's RBAC and admission policy tight.
    hostpathRequiresPrivileged: true

# file: /k8s/clusters/gke-cluster-1/definitions/flux-system.yaml
# NOTE(review): none of these Flux Kustomizations carries a `sourceRef`,
# which the CRD requires; presumably a shared overlay for the
# component.kutara.io/part-of=definitions label injects it — confirm.
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: flux-system-helm-chart-repos
  namespace: flux-system
  labels:
    component.kutara.io/part-of: definitions
spec:
  path: "./k8s/base/flux-system/helm-chart-repositories"
  prune: true
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: flux-system-webhook
  namespace: flux-system
  labels:
    component.kutara.io/part-of: definitions
spec:
  path: "./k8s/base/flux-system/webhook"
  prune: true
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: flux-system-notifications
  namespace: flux-system
  labels:
    component.kutara.io/part-of: definitions
spec:
  path: "./k8s/base/flux-system/notifications"
  prune: true
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: flux-system-monitoring
  namespace: flux-system
  labels:
    component.kutara.io/part-of: definitions
spec:
  path: "./k8s/base/flux-system/monitoring"
  prune: true

# file: /k8s/clusters/gke-cluster-1/definitions/rook-ceph-external.yaml
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: rook-ceph-external-namespace
  namespace: flux-system
  labels:
    component.kutara.io/part-of: definitions
spec:
  path: "./k8s/base/rook-ceph"
  prune: true
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: rook-ceph-external-external-cluster
  namespace: flux-system
  labels:
    component.kutara.io/part-of: definitions
spec:
  path: "./k8s/base/rook-ceph-external/external-cluster"
  prune: true
  dependsOn:
    # Not defined in any file visible here; presumably lives in another
    # definitions file for this cluster.
    - name: rook-ceph-snapshot-controller-crds

# file: /k8s/clusters/gke-cluster-1/definitions/tekton-pipelines.yaml
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: tekton-pipelines
  namespace: flux-system
  labels:
    component.kutara.io/part-of: definitions
spec:
  path: "./k8s/base/tekton-pipelines"
  prune: true

# file: /k8s/clusters/gke-cluster-1/gotk/flux-system/flux.yaml
# Flux upgrades itself from the upstream repo at a pinned tag: bumping `tag`
# is the only way new controller manifests arrive. There is no `verify`
# block, so the tag is trusted as served by GitHub.
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: GitRepository
metadata:
  name: flux
  namespace: flux-system
spec:
  interval: 9m0s
  ref:
    tag: v2.4.0
  url: https://github.com/fluxcd/flux2
  ignore: |
    # exclude all
    /*
    # include gitops dirs
    !/manifests
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: flux
  namespace: flux-system
spec:
  interval: 10m0s
  path: ./manifests/install
  prune: true
  wait: true
  sourceRef:
    kind: GitRepository
    name: flux
  patches:
    # NOTE(review): nodeSelector is a pod-spec field
    # (spec.template.spec.nodeSelector); at spec.nodeSelector the patch does
    # not pin the controllers to arm64 nodes — verify it has the intended
    # effect.
    - patch: |-
        apiVersion: apps/v1
        kind: Deployment
        metadata:
          name: not-used
          namespace: flux-system
        spec:
          nodeSelector:
            kubernetes.io/arch: arm64
      target:
        kind: Deployment
        labelSelector: control-plane=controller

# file: /k8s/clusters/gke-cluster-1/gotk/flux-system/kustomization.yaml
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
  - gotk-sync.yaml
  - flux.yaml

# file: /k8s/clusters/nwk2-cluster-0/Justfile
# NOTE(review): the `&&` is parsed by the host shell, so only `dnf install`
# runs inside the container and `kubeadm init phase certs` runs on the host,
# where the pki mount does not apply — verify intent; wrapping the chain in
# `sh -c '…'` would keep it in the container. The generated CA and serving
# keys are written under $PWD/iac/node-1; make sure that path is gitignored
# or sops-encrypted before anything is committed. The `fedora` image is
# unpinned, so the tool that mints the cluster CA is whatever that tag
# resolves to on the day.
# Generate butane to install to disk
bootstrap:
    #!/usr/bin/env sh
    # node-1
    podman-remote run --rm -it -v $PWD/iac/node-1:/etc/kubernetes/pki:z fedora \
    dnf install kubernetes-kubeadm && \
    kubeadm init phase certs all \
    --apiserver-advertise-address 192.168.7.14 \
    --control-plane-endpoint cluster-0.nwk2.rabbito.tech \
    --apiserver-cert-extra-sans node-0.nwk2.rabbito.tech

# file: /k8s/clusters/scr1-cluster-0/definitions/default.yaml
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: default
  namespace: flux-system
  labels:
    component.kutara.io/part-of: definitions
spec:
  # NOTE(review): no `sourceRef` on any definition in this directory although
  # the Flux CRD requires one; presumably injected by a shared overlay keyed
  # on the definitions label — confirm.
  path: "./k8s/base/default"
  prune: true
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: default-evobot
  namespace: flux-system
  labels:
    component.kutara.io/part-of: definitions
spec:
  path: "./k8s/base/default/evobot"
  prune: true
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: default-thelounge
  namespace: flux-system
  labels:
    component.kutara.io/part-of: definitions
spec:
  path: "./k8s/base/default/thelounge"
  prune: true
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: default-palworld
  namespace: flux-system
  labels:
    component.kutara.io/part-of: definitions
spec:
  path: "./k8s/base/default/palworld"
  prune: true

# file: /k8s/clusters/scr1-cluster-0/definitions/federation.yaml
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: federation
  namespace: flux-system
  labels:
    component.kutara.io/part-of: definitions
spec:
  path: "./k8s/base/federation"
  prune: true
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: federation-db
  namespace: flux-system
  labels:
    component.kutara.io/part-of: definitions
spec:
  path: "./k8s/base/federation/db"
  prune: true
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: federation-lemmy
  namespace: flux-system
  labels:
    component.kutara.io/part-of: definitions
spec:
  path: "./k8s/base/federation/lemmy"
  prune: true

# file: /k8s/clusters/scr1-cluster-0/definitions/flux-system.yaml
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: flux-system-helm-chart-repos
  namespace: flux-system
  labels:
    component.kutara.io/part-of: definitions
spec:
  path: "./k8s/base/flux-system/helm-chart-repositories"
  prune: true
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: flux-system-webhook
  namespace: flux-system
  labels:
    component.kutara.io/part-of: definitions
spec:
  path: "./k8s/base/flux-system/webhook"
  prune: true
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: flux-system-notifications
  namespace: flux-system
  labels:
    component.kutara.io/part-of: definitions
spec:
  path: "./k8s/base/flux-system/notifications"
  prune: true
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: flux-system-monitoring
  namespace: flux-system
  labels:
    component.kutara.io/part-of: definitions
spec:
  path: "./k8s/base/flux-system/monitoring"
  prune: true

# file: /k8s/clusters/scr1-cluster-0/definitions/kyverno.yaml
# Kyverno itself is reconciled, but the policies Kustomization below is
# commented out: no policies from ./k8s/base/kyverno/policies are enforced
# on this cluster until it is re-enabled.
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: kyverno
  namespace: flux-system
  labels:
    component.kutara.io/part-of: definitions
spec:
  path: "./k8s/base/kyverno"
  prune: true
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: kyverno-kyverno
  namespace: flux-system
  labels:
    component.kutara.io/part-of: definitions
spec:
  path: "./k8s/base/kyverno/operator"
  prune: true
# ---
# apiVersion: kustomize.toolkit.fluxcd.io/v1
# kind: Kustomization
# metadata:
#   name: kyverno-policies
#   namespace: flux-system
#   labels:
#     component.kutara.io/part-of: definitions
# spec:
#   path: "./k8s/base/kyverno/policies"
#   prune: true

# file: /k8s/clusters/scr1-cluster-0/definitions/rook-ceph.yaml
# prune: false on every storage Kustomization: Flux will not delete Ceph
# objects that disappear from git — presumably deliberate protection against
# losing the storage cluster on a bad commit.
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: rook-ceph-namespace
  namespace: flux-system
  labels:
    component.kutara.io/part-of: definitions
spec:
  path: "./k8s/base/rook-ceph"
  prune: false
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: rook-ceph-operator
  namespace: flux-system
  labels:
    component.kutara.io/part-of: definitions
spec:
  path: "./k8s/base/rook-ceph/operator"
  prune: false
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  name: rook-ceph-cluster
  namespace: flux-system
  labels:
    component.kutara.io/part-of: definitions
spec:
  path: "./k8s/base/rook-ceph/cluster"
  prune: false
---
apiVersion: kustomize.toolkit.fluxcd.io/v1
kind: Kustomization
metadata:
  # "provisoner" is misspelled; renaming would create a new object, so it is
  # left as is and only noted here.
  name: rook-ceph-local-path-provisoner
  namespace: flux-system
  labels:
    component.kutara.io/part-of: definitions
spec:
  path: "./k8s/base/rook-ceph/local-path-provisioner"
  prune: false
-------------------------------------------------------------------------------- /k8s/clusters/scr1-cluster-0/gotk/flux-system/kustomization.yaml: -------------------------------------------------------------------------------- 1 | --- 2 | apiVersion: kustomize.config.k8s.io/v1beta1 3 | kind: Kustomization 4 | resources: 5 | - gotk-sync.yaml 6 | - flux.yaml 7 | -------------------------------------------------------------------------------- /k8s/clusters/scr1-cluster-0/iac/apply.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | #TODO: maybe make this better in a lot of ways. 4 | # or not.. 5 | talhelper genconfig 6 | for i in {1..3} 7 | do 8 | echo -n "master-0"$i" " 9 | talosctl apply-config -n master-0"$i" -f clusterconfig/scr1-cluster-0-master-0"$i".scr1.rabbito.tech.yaml 10 | done 11 | for i in {1..9} 12 | do 13 | echo -n "worker-0"$i" " 14 | talosctl apply-config -n worker-0"$i" -f clusterconfig/scr1-cluster-0-worker-0"$i".scr1.rabbito.tech.yaml 15 | done 16 | for i in {10..12} 17 | do 18 | echo -n "worker-"$i" " 19 | talosctl apply-config -n worker-"$i" -f clusterconfig/scr1-cluster-0-worker-"$i".scr1.rabbito.tech.yaml 20 | done 21 | -------------------------------------------------------------------------------- /k8s/clusters/scr1-cluster-0/iac/clusterconfig/.gitignore: -------------------------------------------------------------------------------- 1 | scr1-cluster-0-master-01.scr1.rabbito.tech.yaml 2 | scr1-cluster-0-master-02.scr1.rabbito.tech.yaml 3 | scr1-cluster-0-master-03.scr1.rabbito.tech.yaml 4 | scr1-cluster-0-worker-01.scr1.rabbito.tech.yaml 5 | scr1-cluster-0-worker-02.scr1.rabbito.tech.yaml 6 | scr1-cluster-0-worker-03.scr1.rabbito.tech.yaml 7 | scr1-cluster-0-worker-04.scr1.rabbito.tech.yaml 8 | scr1-cluster-0-worker-05.scr1.rabbito.tech.yaml 9 | scr1-cluster-0-worker-06.scr1.rabbito.tech.yaml 10 | scr1-cluster-0-worker-07.scr1.rabbito.tech.yaml 11 | 
scr1-cluster-0-worker-08.scr1.rabbito.tech.yaml
scr1-cluster-0-worker-09.scr1.rabbito.tech.yaml
scr1-cluster-0-worker-10.scr1.rabbito.tech.yaml
scr1-cluster-0-worker-11.scr1.rabbito.tech.yaml
scr1-cluster-0-worker-12.scr1.rabbito.tech.yaml
# talosconfig is the client credential talosctl uses to reach the nodes; it
# stays out of git together with the generated machine configs above.
talosconfig
# --- file: /k8s/clusters/scr1-cluster-0/iac/cni/values.yaml ---
# Cilium Helm values: run Cilium as the kube-proxy replacement and give it the
# API server endpoint explicitly, since without kube-proxy there is no
# kubernetes ClusterIP to fall back on before the datapath is up.
# NOTE(review): recent Cilium releases deprecate the string "strict" in favour
# of the boolean `true` for kubeProxyReplacement -- check against the chart
# version actually deployed before upgrading.
kubeProxyReplacement: "strict"
k8sServiceHost: cluster-0.scr1.rabbito.tech
k8sServicePort: 6443
# --- file: /k8s/rbac/k8s-auth/nixos.yaml ---
---
# Identity used by the NixOS side (presumably a host or deploy tool -- confirm)
# to talk to this cluster.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: nixos
  namespace: kube-system
---
# Legacy, non-expiring ServiceAccount token: a Secret of this type is filled in
# by the token controller and stays valid until the Secret or the
# ServiceAccount is deleted. Combined with the cluster-admin binding below it
# is a standing, full-control credential for whoever holds it, so it deserves
# the same handling as talosconfig: protect wherever it is copied to, and
# rotate it by deleting and recreating this Secret. A TokenRequest-issued,
# time-bounded token or a narrower ClusterRole would shrink the blast radius.
apiVersion: v1
kind: Secret
metadata:
  name: nixos-sa-token
  namespace: kube-system
  annotations:
    kubernetes.io/service-account.name: nixos
type: kubernetes.io/service-account-token
---
# Grants the nixos ServiceAccount cluster-admin, i.e. unrestricted access.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: nixos
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - kind: ServiceAccount
    name: nixos
    namespace: kube-system
# --- file: /k8s/rbac/k8s-auth/oidc-cluster-admin.yaml ---
---
# Human administrators: each OIDC user below gets cluster-admin. The `oidc:`
# prefix must match the username prefix the API server is configured with for
# the OIDC issuer (presumably --oidc-username-prefix=oidc: -- confirm). Access
# is only as strong as the identity provider's authentication for these two
# accounts, so MFA at the IdP is what protects the cluster here.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: oidc-cluster-admin
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
subjects:
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: oidc:hello@anthonyrabbito.com
  - apiGroup: rbac.authorization.k8s.io
    kind: User
    name: oidc:ted437@gmail.com
# --- file: /k8s/rbac/k8s-gateway/cluster-role-binding.yaml ---
---
# Binds the read-only k8s-gateway ClusterRole (cluster-role.yaml) to the
# k8s-gateway ServiceAccount in kube-system.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
  name: k8s-gateway
roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: k8s-gateway
subjects:
  - kind: ServiceAccount
    name: k8s-gateway
    namespace: kube-system
# --- file: /k8s/rbac/k8s-gateway/cluster-role.yaml ---
---
# Read-only role: list/watch on Services, Namespaces and Ingresses is all the
# gateway (presumably the k8s_gateway DNS server -- confirm) needs to answer
# for cluster resources; no create/update/delete verbs are granted.
# The `extensions` group is the pre-1.22 home of Ingress; on a cluster that no
# longer serves extensions/v1beta1 that entry is dead weight and can be dropped.
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
  name: k8s-gateway
rules:
  - apiGroups:
      - ""
    resources:
      - services
      - namespaces
    verbs:
      - list
      - watch
  - apiGroups:
      - extensions
      - networking.k8s.io
    resources:
      - ingresses
    verbs:
      - list
      - watch
# --- file: /k8s/rbac/k8s-gateway/service-account.yaml ---
---
# ServiceAccount the gateway runs as; it carries only the read-only role above.
apiVersion: v1
kind: ServiceAccount
metadata:
  name: k8s-gateway
  namespace: kube-system
