DeveloperDurp/homelab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: DeveloperDurp:072045d3e8844a7a6d682d01c9eca1fba6d6c5bf
Branches Tags
DeveloperDurp:main DeveloperDurp:renovate/docker.io-nginxinc-nginx-unprivileged-1.x DeveloperDurp:renovate/crowdsec-0.x DeveloperDurp:renovate/crossplane-1.x DeveloperDurp:renovate/gitlab-runner-0.x DeveloperDurp:renovate/docker.io-swaggerapi-swagger-ui-5.x DeveloperDurp:renovate/gatekeeper-3.x DeveloperDurp:renovate/authentik-2025.x DeveloperDurp:renovate/longhorn-1.x DeveloperDurp:renovate/external-secrets-0.x DeveloperDurp:renovate/cert-manager-1.x DeveloperDurp:dev DeveloperDurp:dmz DeveloperDurp:prd
..
compare: DeveloperDurp:dev
Branches Tags
DeveloperDurp:main DeveloperDurp:renovate/docker.io-nginxinc-nginx-unprivileged-1.x DeveloperDurp:renovate/crowdsec-0.x DeveloperDurp:renovate/crossplane-1.x DeveloperDurp:renovate/gitlab-runner-0.x DeveloperDurp:renovate/docker.io-swaggerapi-swagger-ui-5.x DeveloperDurp:renovate/gatekeeper-3.x DeveloperDurp:renovate/authentik-2025.x DeveloperDurp:renovate/longhorn-1.x DeveloperDurp:renovate/external-secrets-0.x DeveloperDurp:renovate/cert-manager-1.x DeveloperDurp:dev DeveloperDurp:dmz DeveloperDurp:prd

107 Commits
072045d3e8 ... dev

Author SHA1 Message Date
pipeline
3a4e96aaf0 Update Chart 2024-09-28 21:44:17 +00:00
pipeline
f196ed4fbb Update Chart 2024-09-08 10:42:20 +00:00
pipeline
86e50e6ed8 Update Chart 2024-09-04 23:52:49 +00:00
pipeline
0bb5570668 Update Chart 2024-09-02 12:10:58 +00:00
DeveloperDurp
34950703ca update chart 2024-08-27 04:50:42 -05:00
DeveloperDurp
0ff4cc5bad update 2024-08-27 04:47:51 -05:00
DeveloperDurp
6e4ae08a5c update 2024-08-27 04:46:57 -05:00
DeveloperDurp
df62890043 update 2024-08-25 20:12:35 -05:00
DeveloperDurp
8a9004d456 update 2024-08-25 20:11:49 -05:00
DeveloperDurp
00969f8183 update 2024-08-25 20:10:08 -05:00
DeveloperDurp
b90fdc1991 update 2024-08-25 13:10:41 -05:00
DeveloperDurp
b6e7d5065c update 2024-08-24 18:44:38 -05:00
pipeline
1bab20668d Update Chart 2024-07-14 23:09:00 +00:00
pipeline
750889d58c Update Chart 2024-06-22 17:50:38 +00:00
pipeline
f6da30f4f4 Update Chart 2024-06-16 23:34:26 +00:00
DeveloperDurp
01e75840d3 update 2024-06-08 13:40:49 -05:00
DeveloperDurp
cb2798e201 update 2024-06-08 13:36:03 -05:00
DeveloperDurp
2978aee67a update 2024-06-08 13:32:58 -05:00
DeveloperDurp
6d7e5d6956 update 2024-06-08 13:32:27 -05:00
pipeline
6c3e9ba781 Update Chart 2024-05-29 03:27:44 +00:00
pipeline
5811b6ecbf Update Chart 2024-05-29 03:22:44 +00:00
pipeline
3b05002fcf Update Chart 2024-05-29 03:16:45 +00:00
pipeline
911398e73f Update Chart 2024-05-29 03:06:48 +00:00
pipeline
3254fda226 Update Chart 2024-05-29 03:01:14 +00:00
pipeline
ef8c5e6ba2 Update Chart 2024-05-29 02:45:48 +00:00
pipeline
01c8cd9e38 Update Chart 2024-05-29 02:29:24 +00:00
pipeline
f761405a7f Update Chart 2024-05-29 02:25:50 +00:00
DeveloperDurp
8a3104684e update 2024-05-25 18:18:18 -05:00
DeveloperDurp
6aaafd3a7e update 2024-05-25 10:55:13 -05:00
DeveloperDurp
78e6bd6b8e update 2024-05-25 08:48:13 -05:00
DeveloperDurp
338e3c23c2 update 2024-05-25 08:43:43 -05:00
DeveloperDurp
f4f02d9147 update 2024-05-25 08:33:40 -05:00
DeveloperDurp
2256f76caa update 2024-05-25 07:22:52 -05:00
DeveloperDurp
5915b5b7a3 update 2024-05-25 07:21:53 -05:00
DeveloperDurp
1e19df0c7a update 2024-05-24 05:01:05 -05:00
DeveloperDurp
43486b4ab4 update 2024-05-23 04:58:42 -05:00
DeveloperDurp
9e1debe339 update 2024-05-23 04:54:11 -05:00
DeveloperDurp
f349a1c43a update 2024-05-23 04:49:54 -05:00
DeveloperDurp
a0f384a428 update 2024-05-19 08:40:40 -05:00
DeveloperDurp
1ef48ae879 update 2024-05-19 08:19:42 -05:00
DeveloperDurp
9c35356c5d update 2024-05-19 08:17:52 -05:00
DeveloperDurp
0d4ec2c08a update 2024-05-19 08:13:28 -05:00
DeveloperDurp
ed970283ae update 2024-05-19 08:12:42 -05:00
DeveloperDurp
6bebb64c41 update 2024-05-19 08:08:17 -05:00
DeveloperDurp
bf6d929398 update 2024-05-19 08:07:48 -05:00
DeveloperDurp
475ccd6576 update 2024-05-19 08:06:59 -05:00
DeveloperDurp
8461a4e818 update 2024-05-19 08:03:37 -05:00
DeveloperDurp
d6b5a05352 update 2024-05-19 08:02:12 -05:00
DeveloperDurp
bd9af60728 update 2024-05-19 08:00:18 -05:00
DeveloperDurp
b30297b951 update 2024-05-19 07:36:05 -05:00
DeveloperDurp
81384297be update 2024-05-19 07:35:10 -05:00
DeveloperDurp
8e585ed7b0 update 2024-05-19 07:27:58 -05:00
DeveloperDurp
1017d6a834 update 2024-05-19 07:26:18 -05:00
DeveloperDurp
db7e629fed update 2024-05-19 07:25:59 -05:00
DeveloperDurp
d01ee2da24 update 2024-05-19 07:18:52 -05:00
DeveloperDurp
083bbe5af5 update 2024-05-19 07:04:28 -05:00
DeveloperDurp
c45d239b8c update 2024-05-19 07:00:51 -05:00
DeveloperDurp
1b1d9178d3 update 2024-05-19 06:59:23 -05:00
DeveloperDurp
ca4d492882 update 2024-05-19 06:55:17 -05:00
DeveloperDurp
b7c14e18b2 update 2024-05-19 06:54:35 -05:00
DeveloperDurp
6ad1f067e4 update 2024-05-19 06:54:06 -05:00
DeveloperDurp
3babb5db29 update 2024-05-19 06:50:32 -05:00
DeveloperDurp
b03642cd1d update 2024-05-19 06:49:33 -05:00
DeveloperDurp
f95e7539f0 update 2024-05-19 06:47:54 -05:00
DeveloperDurp
540a9c6f8a update 2024-05-19 06:47:17 -05:00
DeveloperDurp
ce256ff51a update 2024-05-19 06:38:52 -05:00
DeveloperDurp
d0ec1a9909 update 2024-05-19 06:36:12 -05:00
DeveloperDurp
ec8111c239 update 2024-05-18 09:26:47 -05:00
DeveloperDurp
54e51af63f update 2024-05-18 08:57:04 -05:00
DeveloperDurp
6a57946a53 update 2024-05-18 08:53:43 -05:00
DeveloperDurp
2fe3df9227 update 2024-05-18 08:48:37 -05:00
DeveloperDurp
fd9731b7e1 update 2024-05-18 07:45:43 -05:00
DeveloperDurp
0aeccd39b8 update 2024-05-18 07:43:15 -05:00
DeveloperDurp
d63ee6027d update 2024-05-18 07:42:26 -05:00
DeveloperDurp
dd91465e44 update 2024-05-18 07:33:42 -05:00
DeveloperDurp
d42cf229bf update 2024-05-18 07:18:46 -05:00
DeveloperDurp
ec8afdb6bc update 2024-05-18 07:14:11 -05:00
DeveloperDurp
8568d5e4c0 update 2024-05-18 07:08:59 -05:00
DeveloperDurp
2b4e117ba3 update 2024-05-17 05:09:10 -05:00
DeveloperDurp
9f45c8b145 update 2024-05-17 05:07:52 -05:00
DeveloperDurp
38846d58f3 update 2024-05-17 04:57:51 -05:00
DeveloperDurp
43160a8da1 update 2024-05-17 04:57:22 -05:00
DeveloperDurp
690c9e40c9 update 2024-05-17 04:54:23 -05:00
DeveloperDurp
29136dd395 update 2024-05-17 04:53:44 -05:00
DeveloperDurp
bf6314e914 update 2024-05-17 04:52:41 -05:00
DeveloperDurp
a669676e8b update 2024-05-14 06:12:36 -05:00
DeveloperDurp
f69d3babfc update 2024-05-14 06:11:09 -05:00
DeveloperDurp
6059303fcf update 2024-05-14 05:11:27 -05:00
DeveloperDurp
1a0458354b update 2024-05-14 05:10:37 -05:00
DeveloperDurp
a63fe8cb3f update 2024-05-14 05:10:12 -05:00
DeveloperDurp
c47dba6dc6 update 2024-05-14 05:08:32 -05:00
DeveloperDurp
77faed876d update 2024-05-14 05:07:12 -05:00
DeveloperDurp
b105b7004c update 2024-05-14 05:06:44 -05:00
DeveloperDurp
9c59677594 update 2024-05-14 04:54:36 -05:00
DeveloperDurp
2ef82bd70f update 2024-05-14 04:53:37 -05:00
DeveloperDurp
f0ca5ec41f update 2024-05-14 04:51:35 -05:00
DeveloperDurp
c3411b7f93 update 2024-05-14 04:51:07 -05:00
DeveloperDurp
7beeb5c86f update 2024-05-14 04:44:51 -05:00
DeveloperDurp
aed1ff9556 update 2024-05-13 08:21:10 -05:00
DeveloperDurp
76449c7ccd update 2024-05-13 07:39:25 -05:00
DeveloperDurp
2f9dca4bc7 update 2024-05-13 07:38:09 -05:00
DeveloperDurp
583c548900 update 2024-05-13 07:36:54 -05:00
DeveloperDurp
8ff8705a2f update 2024-05-13 07:17:14 -05:00
DeveloperDurp
d0e7fd57ed update 2024-05-13 06:52:13 -05:00
DeveloperDurp
1be8492f4c update 2024-05-13 06:50:24 -05:00
DeveloperDurp
e06a35f1a2 update 2024-05-13 05:08:56 -05:00
DeveloperDurp
ea811669c3 move everything to dev branch 2024-05-13 04:54:27 -05:00
397 changed files with 1044 additions and 12915 deletions
Expand all files Collapse all files

2
.gitignore vendored
View File

@@ -1,3 +1 @@
.idea
infra/terraform/.terraform
infra/terraform/.terraform.lock.hcl

34
.gitlab/.gitlab-ci.yml
View File

@@ -1,34 +0,0 @@
stages:
- triggers
build_dmz:
stage: triggers
trigger:
include: infra/.gitlab/.gitlab-ci.yml
rules:
- changes:
- "dmz/terraform/*.tf"
build_infra:
stage: triggers
trigger:
include: infra/.gitlab/.gitlab-ci.yml
rules:
- changes:
- "infra/terraform/*.tf"
build_dev:
stage: triggers
trigger:
include: dev/.gitlab/.gitlab-ci.yml
rules:
- changes:
- "dev/terraform/*.tf"
build_prd:
stage: triggers
trigger:
include: prd/.gitlab/.gitlab-ci.yml
rules:
- changes:
- "prd/terraform/*.tf"

4
Untitled
View File

@@ -1,4 +0,0 @@
VAULT_HELM_SECRET_NAME=$(kubectl get secrets -n vault --output=json | jq -r '.items[].metadata | select(.name|startswith("vault-token-")).name')
TOKEN_REVIEW_JWT=$(kubectl get secret $VAULT_HELM_SECRET_NAME -n vault --output='go-template={{ .data.token }}' | base64 --decode)
KUBE_CA_CERT=$(kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.certificate-authority-data}' | base64 --decode)
KUBE_HOST=$(kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.server}')

5
ansible/base.yaml
View File

@@ -1,5 +0,0 @@
- hosts: all
gather_facts: yes
become: yes
roles:
- base

2
ansible/newcluster.yaml
View File

@@ -1,2 +0,0 @@
argocd login --insecure
argocd cluster add default --name prd --yes --kubeconfig ~/Documents/config-prd

1
ansible/roles/base/files/01proxy
View File

@@ -1 +0,0 @@
Acquire::http::Proxy "http://192.168.21.200:3142";

4
ansible/roles/base/files/10periodic
View File

@@ -1,4 +0,0 @@
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";

2
ansible/roles/base/files/authorized_keys_user
View File

@@ -1,2 +0,0 @@
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGilcndatMrXg06VxtNKuIo3scoyyXbYX8Z7cOjeA102AAAABHNzaDo= desktop-arch-09-08-2025-yubikey
sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINsbNSZ5Wr+50Ahz+IeZxt6F7gZ6wm1J8uKXQLbdbKFaAAAABHNzaDo= desktop-arch-09-08-2025-yubikeyNano

4
ansible/roles/base/files/issue
View File

@@ -1,4 +0,0 @@
Use of this system is restricted to authorized users only, and all use is subjected to an acceptable use policy.
IF YOU ARE NOT AUTHORIZED TO USE THIS SYSTEM, DISCONNECT NOW.

4
ansible/roles/base/files/motd
View File

@@ -1,4 +0,0 @@
THIS SYSTEM IS FOR AUTHORIZED USE ONLY
All activities are logged and monitored.

95
ansible/roles/base/files/sshd_config_secured
View File

@@ -1,95 +0,0 @@
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
ClientAliveInterval 300
#enable remote powershell
#Subsystem powershell /usr/bin/pwsh -sshs -NoLogo

155
ansible/roles/base/tasks/main.yaml
View File

@@ -1,155 +0,0 @@
- name: Copy apt proxy
copy:
src: files/01proxy
dest: /etc/apt/apt.conf.d/01proxy
owner: root
group: root
mode: "0644"
force: yes
when:
- ansible_os_family == "Debian"
- inventory_hostname not in hosts_deny
- name: Update packages
apt:
name: '*'
state: latest
update_cache: yes
only_upgrade: yes
retries: 300
delay: 10
- name: Remove packages not needed anymore
apt:
autoremove: yes
retries: 300
delay: 10
- name: Install required packages Debian
apt:
state: latest
pkg: "{{ item }}"
with_items: "{{ required_packages }}"
retries: 300
delay: 10
- name: Create user account
user:
name: "user"
shell: /bin/bash
state: present
createhome: yes
- name: ensure ssh folder exists for user
file:
path: /home/user/.ssh
owner: user
group: user
mode: "0700"
state: directory
- name: Deploy SSH Key (user)
copy:
dest: /home/user/.ssh/authorized_keys
src: files/authorized_keys_user
owner: user
group: user
force: true
- name: Remove Root SSH Configuration
file:
path: /root/.ssh
state: absent
- name: Copy Secured SSHD Configuration
copy:
src: files/sshd_config_secured
dest: /etc/ssh/sshd_config
owner: root
group: root
mode: "0644"
when: ansible_os_family == "Debian"
- name: Copy Secured SSHD Configuration
copy:
src: files/sshd_config_secured_redhat
dest: /etc/ssh/sshd_config
owner: root
group: root
mode: "0644"
when: ansible_os_family == "RedHat"
- name: Restart SSHD
systemd:
name: sshd
daemon_reload: yes
state: restarted
enabled: yes
ignore_errors: yes
- name: Copy unattended-upgrades file
copy:
src: files/10periodic
dest: /etc/apt/apt.conf.d/10periodic
owner: root
group: root
mode: "0644"
force: yes
when: ansible_os_family == "Debian"
- name: Remove undesirable packages
package:
name: "{{ unnecessary_software }}"
state: absent
when: ansible_os_family == "Debian"
- name: Stop and disable unnecessary services
service:
name: "{{ item }}"
state: stopped
enabled: no
with_items: "{{ unnecessary_services }}"
ignore_errors: yes
- name: Set a message of the day
copy:
dest: /etc/motd
src: files/motd
owner: root
group: root
mode: 0644
- name: Set a login banner
copy:
dest: "{{ item }}"
src: files/issue
owner: root
group: root
mode: 0644
with_items:
- /etc/issue
- /etc/issue.net
- name: set timezone
shell: timedatectl set-timezone America/Chicago
- name: Enable cockpit
systemd:
name: cockpit
daemon_reload: yes
state: restarted
enabled: yes
- name: change password
ansible.builtin.user:
name: "user"
state: present
password: "{{ lookup('ansible.builtin.env', 'USER_PASSWORD') | password_hash('sha512') }}"
- name: add user to sudoers
community.general.sudoers:
name: user
state: present
user: user
commands: ALL

17
ansible/roles/base/vars/main.yaml
View File

@@ -1,17 +0,0 @@
required_packages:
- ufw
- qemu-guest-agent
- fail2ban
- unattended-upgrades
- cockpit
- nfs-common
- open-iscsi
unnecessary_services:
- postfix
- telnet
unnecessary_software:
- tcpdump
- nmap-ncat
- wpa_supplicant

2
master/argocd/Chart.yaml → argocd/Chart.yaml
View File

@@ -9,6 +9,6 @@ appVersion: "1.16.0"
dependencies:
- name: argo-cd
repository: https://argoproj.github.io/argo-helm
version: 8.1.3
version: 6.7.11

12
infra/argocd/templates/internalproxy.yaml → argocd/templates/InternalProxy.yaml
View File

@@ -1,21 +1,23 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: internal-proxy
name: internalproxy
namespace: argocd
spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: main
path: dmz/internalproxy
targetRevision: dev
path: internalproxy
directory:
recurse: true
destination:
server: https://kubernetes.default.svc
namespace: internalproxy
name: dmz
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
- CreateNamespace=true

8
infra/argocd/templates/nebula-sync.yaml → argocd/templates/argocd.yaml
View File

@@ -1,16 +1,16 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: nebula-sync
name: argocd
namespace: argocd
spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: main
path: infra/nebula-sync
targetRevision: dev
path: argocd
destination:
namespace: nebula-sync
namespace: argocd
name: in-cluster
syncPolicy:
automated:

21
argocd/templates/authentik.yaml Normal file
View File

@@ -0,0 +1,21 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: authentik
namespace: argocd
spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: dev
path: authentik
destination:
namespace: authentik
name: in-cluster
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true

4
master/argocd/templates/bitwarden.yaml → argocd/templates/bitwarden.yaml
View File

@@ -7,8 +7,8 @@ spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: main
path: master/bitwarden
targetRevision: dev
path: bitwarden
directory:
recurse: true
destination:

4
master/argocd/templates/cert-manager.yaml → argocd/templates/cert-manager.yaml
View File

@@ -7,8 +7,8 @@ spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: main
path: master/cert-manager
targetRevision: dev
path: cert-manager
destination:
namespace: cert-manager
name: in-cluster

20
argocd/templates/crossplane.yml Normal file
View File

@@ -0,0 +1,20 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: crossplane
namespace: argocd
spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: dev
path: crossplane
destination:
namespace: crossplane
name: in-cluster
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true

4
master/argocd/templates/durpapi.yaml → argocd/templates/durpapi.yaml
View File

@@ -7,8 +7,8 @@ spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: main
path: master/durpapi
targetRevision: dev
path: durpapi
destination:
namespace: durpapi
name: in-cluster

4
master/argocd/templates/durpot.yaml → argocd/templates/durpot.yaml
View File

@@ -7,8 +7,8 @@ spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: main
path: master/durpot
targetRevision: dev
path: durpot
destination:
namespace: durpot
name: in-cluster

4
master/argocd/templates/external-dns.yaml → argocd/templates/external-dns.yaml
View File

@@ -7,8 +7,8 @@ spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: main
path: master/external-dns
targetRevision: dev
path: external-dns
destination:
namespace: external-dns
name: in-cluster

4
master/argocd/templates/external-secrets.yaml → argocd/templates/external-secrets.yaml
View File

@@ -7,8 +7,8 @@ spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: main
path: master/external-secrets
targetRevision: dev
path: external-secrets
destination:
namespace: external-secrets
name: in-cluster

20
argocd/templates/gatekeeper.yaml Normal file
View File

@@ -0,0 +1,20 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: gatekeeper
namespace: argocd
spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: dev
path: gatekeeper
destination:
namespace: gatekeeper
name: in-cluster
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true

10
infra/argocd/templates/gitlab-runner.yaml → argocd/templates/gitlab-runner.yaml
View File

@@ -1,21 +1,21 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: gitlab-runner-dmz
name: gitlab-runner
namespace: argocd
spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: main
path: dmz/gitlab-runner
targetRevision: dev
path: gitlab-runner
destination:
namespace: gitlab-runner
name: dmz
name: in-cluster
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
- CreateNamespace=true

4
master/argocd/templates/heimdall.yaml → argocd/templates/heimdall.yaml
View File

@@ -7,8 +7,8 @@ spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: main
path: master/heimdall
targetRevision: dev
path: heimdall
destination:
namespace: heimdall
name: in-cluster

36
argocd/templates/ingress.yaml Normal file
View File

@@ -0,0 +1,36 @@
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: argocd-ingress
annotations:
cert-manager.io/cluster-issuer: letsencrypt-production
spec:
entryPoints:
- websecure
routes:
- match: Host(`argocd.internal.dev.durp.info`)
middlewares:
- name: internal-only
namespace: traefik
kind: Rule
services:
- name: argocd-server
port: 443
scheme: https
tls:
secretName: argocd-tls
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: argocd-tls
spec:
secretName: argocd-tls
issuerRef:
name: letsencrypt-production
kind: ClusterIssuer
commonName: "argocd.internal.dev.durp.info"
dnsNames:
- "argocd.internal.dev.durp.info"

4
master/argocd/templates/krakend.yaml → argocd/templates/krakend.yaml
View File

@@ -7,8 +7,8 @@ spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: main
path: master/krakend
targetRevision: dev
path: krakend
destination:
namespace: krakend
name: in-cluster

21
argocd/templates/kube-prometheus-stack.yaml Normal file
View File

@@ -0,0 +1,21 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: kube-prometheus-stack
namespace: argocd
spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: dev
path: kube-prometheus-stack
destination:
namespace: kube-prometheus-stack
name: in-cluster
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true

20
argocd/templates/kubeclarity.yaml Normal file
View File

@@ -0,0 +1,20 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: kubeclarity
namespace: argocd
spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: dev
path: kubeclarity
destination:
namespace: kubeclarity
name: in-cluster
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true

4
master/argocd/templates/littlelink.yaml → argocd/templates/littlelink.yaml
View File

@@ -7,8 +7,8 @@ spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: main
path: master/littlelink
targetRevision: dev
path: littlelink
directory:
recurse: true
destination:

4
master/argocd/templates/longhorn.yaml → argocd/templates/longhorn.yaml
View File

@@ -7,8 +7,8 @@ spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: main
path: master/longhorn
targetRevision: dev
path: longhorn
destination:
namespace: longhorn-system
name: in-cluster

5
master/argocd/templates/metallb-system.yaml → argocd/templates/metallb-system.yaml
View File

@@ -7,8 +7,8 @@ spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: main
path: master/metallb-system
targetRevision: dev
path: metallb-system
destination:
namespace: metallb-system
name: in-cluster
@@ -19,4 +19,3 @@ spec:
syncOptions:
- CreateNamespace=true

4
master/argocd/templates/nfs-client.yaml → argocd/templates/nfs-client.yaml
View File

@@ -7,8 +7,8 @@ spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: main
path: master/nfs-client
targetRevision: dev
path: nfs-client
directory:
recurse: true
destination:

20
argocd/templates/open-webui.yaml Normal file
View File

@@ -0,0 +1,20 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: open-webui
namespace: argocd
spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: dev
path: open-webui
destination:
namespace: open-webui
name: in-cluster
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true

2
master/argocd/templates/secrets.yaml → argocd/templates/secrets.yaml
View File

@@ -1,4 +1,4 @@
apiVersion: external-secrets.io/v1
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: vault-argocd

4
master/argocd/templates/traefik.yaml → argocd/templates/traefik.yaml
View File

@@ -7,8 +7,8 @@ spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: main
path: master/traefik
targetRevision: dev
path: traefik
destination:
namespace: traefik
name: in-cluster

4
master/argocd/templates/uptimekuma.yaml → argocd/templates/uptimekuma.yaml
View File

@@ -7,8 +7,8 @@ spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: main
path: master/uptimekuma
targetRevision: dev
path: uptimekuma
directory:
recurse: true
destination:

25
argocd/templates/vault.yaml Normal file
View File

@@ -0,0 +1,25 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: vault
namespace: argocd
spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: dev
path: vault
destination:
namespace: vault
name: in-cluster
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
ignoreDifferences:
- group: admissionregistration.k8s.io
kind: MutatingWebhookConfiguration
jqPathExpressions:
- .webhooks[]?.clientConfig.caBundle

44
argocd/values.yaml Normal file
View File

@@ -0,0 +1,44 @@
argo-cd:
global:
revisionHistoryLimit: 1
image:
repository: registry.internal.durp.info/argoproj/argocd
imagePullPolicy: Always
dex:
enabled: true
image:
repository: registry.internal.durp.info/dexidp/dex
imagePullPolicy: Always
configs:
cm:
create: true
annotations: {}
url: https://argocd.dev.durp.info
oidc.tls.insecure.skip.verify: "true"
dex.config: |
connectors:
- config:
issuer: https://authentik.dev.durp.info/application/o/argocd/
clientID: lKuMgyYaOlQMNAUSjsRVYgkwZG9UT6CeFWeTLAcl
clientSecret: $client-secret:clientSecret
insecureEnableGroups: true
scopes:
- openid
- profile
- email
- groups
name: authentik
type: oidc
id: authentik
rbac:
create: true
policy.csv: |
g, ArgoCD Admins, role:admin
scopes: "[groups]"
server:
route:
enabled: false

4
master/authentik/Chart.yaml → authentik/Chart.yaml
View File

@@ -7,6 +7,6 @@ version: 0.1.0
appVersion: "1.16.0"
dependencies:
- name: authentik-remote-cluster
- name: authentik
repository: https://charts.goauthentik.io
version: 2.1.0
version: 2024.4.1

0
master/authentik/templates/authentik-pv.yaml → authentik/templates/authentik-pv.yaml
View File

0
master/authentik/templates/authentik-pvc.yaml → authentik/templates/authentik-pvc.yaml
View File

64
dmz/authentik/templates/ingress.yaml → authentik/templates/ingress.yaml
View File

@@ -1,18 +1,4 @@
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: authentik-tls
spec:
issuerRef:
name: letsencrypt-production
kind: ClusterIssuer
secretName: authentik-tls
commonName: "authentik.durp.info"
dnsNames:
- "authentik.durp.info"
---
apiVersion: traefik.io/v1alpha1
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: authentik-ingress
@@ -20,15 +6,31 @@ spec:
entryPoints:
- websecure
routes:
- match: Host(`authentik.durp.info`) && PathPrefix(`/`)
kind: Rule
services:
- name: infra-cluster
port: 443
- match: Host(`authentik.dev.durp.info`) && PathPrefix(`/`)
kind: Rule
services:
- name: authentik-server
port: 80
tls:
secretName: authentik-tls
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: authentik-tls
spec:
secretName: authentik-tls
issuerRef:
name: letsencrypt-production
kind: ClusterIssuer
commonName: "authentik.dev.durp.info"
dnsNames:
- "authentik.dev.durp.info"
---
kind: Service
apiVersion: v1
metadata:
@@ -38,25 +40,3 @@ metadata:
spec:
type: ExternalName
externalName: durp.info
---
apiVersion: v1
kind: Endpoints
metadata:
name: infra-cluster
subsets:
- addresses:
- ip: 192.168.12.130
ports:
- port: 443
---
apiVersion: v1
kind: Service
metadata:
name: infra-cluster
spec:
ports:
- protocol: TCP
port: 443
targetPort: 443

2
master/authentik/templates/secrets.yaml → authentik/templates/secrets.yaml
View File

@@ -1,4 +1,4 @@
apiVersion: external-secrets.io/v1
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: authentik-secret

35
infra/authentik/values.yaml → authentik/values.yaml
View File

@@ -1,8 +1,8 @@
authentik:
global:
security:
allowInsecureImages: true
env:
env:
- name: AUTHENTIK_REDIS__DB
value: "1"
- name: AUTHENTIK_POSTGRESQL__PASSWORD
valueFrom:
secretKeyRef:
@@ -15,43 +15,44 @@ authentik:
key: secretkey
revisionHistoryLimit: 1
image:
repository: registry.durp.info/goauthentik/server
repository: registry.internal.durp.info/goauthentik/server
pullPolicy: Always
authentik:
outposts:
container_image_base: registry.durp.info/goauthentik/%(type)s:%(version)s
container_image_base: registry.internal.durp.info/goauthentik/%(type)s:%(version)s
postgresql:
host: "{{ .Release.Name }}-postgresql-hl"
host: '{{ .Release.Name }}-postgresql-hl'
name: "authentik"
user: "authentik"
port: 5432
server:
name: server
replicas: 3
worker:
replicas: 3
postgresql:
enabled: true
image:
registry: registry.durp.info
registry: registry.internal.durp.info
repository: bitnami/postgresql
pullPolicy: Always
postgresqlUsername: "authentik"
postgresqlDatabase: "authentik"
existingSecret: db-pass
auth:
username: "authentik"
existingSecret: db-pass
secretKeys:
adminPasswordKey: dbpass
userPasswordKey: dbpass
#postgresqlUsername: "authentik"
#postgresqlDatabase: "authentik"
#existingSecret: db-pass
persistence:
enabled: true
storageClass: longhorn
size: 16Gi
accessModes:
- ReadWriteMany
redis:
enabled: true
master:
persistence:
enabled: false
image:
registry: registry.durp.info
registry: registry.internal.durp.info
repository: bitnami/redis
pullPolicy: Always
architecture: standalone

0
infra/bitwarden/Chart.yaml → bitwarden/Chart.yaml
View File

0
master/bitwarden/templates/bitwarden-pv.yaml → bitwarden/templates/bitwarden-pv.yaml
View File

0
infra/bitwarden/templates/bitwarden-pvc.yaml → bitwarden/templates/bitwarden-pvc.yaml
View File

6
master/bitwarden/templates/deployment.yaml → bitwarden/templates/deployment.yaml
View File

@@ -17,7 +17,7 @@ spec:
spec:
containers:
- name: bitwarden
image: registry.durp.info/vaultwarden/server:1.32.7
image: registry.internal.durp.info/vaultwarden/server:1.30.5
imagePullPolicy: Always
volumeMounts:
- name: bitwarden-pvc
@@ -28,7 +28,7 @@ spec:
containerPort: 80
env:
- name: SIGNUPS_ALLOWED
value: "FALSE"
value: "TRUE"
- name: INVITATIONS_ALLOWED
value: "FALSE"
- name: WEBSOCKET_ENABLED
@@ -39,7 +39,7 @@ spec:
value: "80"
- name: ROCKET_WORKERS
value: "10"
- name: SECRET_USERNAME
- name: ADMIN_TOKEN
valueFrom:
secretKeyRef:
name: bitwarden-secret

63
bitwarden/templates/ingress.yaml Normal file
View File

@@ -0,0 +1,63 @@
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: bitwarden-ingress
spec:
entryPoints:
- websecure
routes:
- match: Host(`bitwarden.dev.durp.info`) && PathPrefix(`/`)
kind: Rule
services:
- name: bitwarden
port: 80
tls:
secretName: bitwarden-tls
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: bitwarden-tls
spec:
secretName: bitwarden-tls
issuerRef:
name: letsencrypt-production
kind: ClusterIssuer
commonName: "bitwarden.dev.durp.info"
dnsNames:
- "bitwarden.dev.durp.info"
---
kind: Service
apiVersion: v1
metadata:
name: bitwarden-external-dns
annotations:
external-dns.alpha.kubernetes.io/hostname: bitwarden.dev.durp.info
spec:
type: ExternalName
externalName: dev.durp.info
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: bitwarden-admin-ingress
spec:
entryPoints:
- websecure
routes:
- match: Host(`bitwarden.dev.durp.info`) && PathPrefix(`/admin`)
kind: Rule
middlewares:
- name: whitelist
namespace: traefik
services:
- name: bitwarden
port: 80
tls:
secretName: bitwarden-tls

2
master/bitwarden/templates/secrets.yaml → bitwarden/templates/secrets.yaml
View File

@@ -1,4 +1,4 @@
apiVersion: external-secrets.io/v1
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: bitwarden-secret

0
infra/bitwarden/templates/service.yaml → bitwarden/templates/service.yaml
View File

2
infra/cert-manager/Chart.yaml → cert-manager/Chart.yaml
View File

@@ -8,4 +8,4 @@ appVersion: 0.0.1
dependencies:
- name: cert-manager
repository: https://charts.jetstack.io
version: v1.17.2
version: 1.*.*

0
master/cert-manager/templates/letsencrypt-prroduction.yaml → cert-manager/templates/letsencrypt-production.yaml
View File

0
master/cert-manager/templates/letsencrypt-staging.yaml → cert-manager/templates/letsencrypt-staging.yaml
View File

2
master/cert-manager/templates/sealedsecret.yaml → cert-manager/templates/sealedsecret.yaml
View File

@@ -1,4 +1,4 @@
apiVersion: external-secrets.io/v1
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: cloudflare-api-token-secret

13
cert-manager/templates/self-signed.yaml Normal file
View File

@@ -0,0 +1,13 @@
apiVersion: cert-manager.io/v1
kind: Issuer
metadata:
name: selfsigned-issuer
spec:
selfSigned: {}
---
apiVersion: cert-manager.io/v1
kind: ClusterIssuer
metadata:
name: selfsigned-cluster-issuer
spec:
selfSigned: {}

0
master/cert-manager/values.yaml → cert-manager/values.yaml
View File

2
master/crossplane/Chart.yaml → crossplane/Chart.yaml
View File

@@ -9,4 +9,4 @@ appVersion: "1.16.0"
dependencies:
- name: crossplane
repository: https://charts.crossplane.io/stable
version: 1.20.0
version: 1.16.0

4
master/crossplane/templates/gitlab.yml → crossplane/templates/gitlab.yml
View File

@@ -3,10 +3,10 @@ kind: Provider
metadata:
name: provider-gitlab
spec:
package: xpkg.upbound.io/crossplane-contrib/provider-gitlab:v0.5.0
package: xpkg.upbound.io/crossplane-contrib/provider-gitlab:v0.7.0
---
apiVersion: external-secrets.io/v1
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: gitlab-secret

186
crossplane/values.yaml Normal file
View File

@@ -0,0 +1,186 @@
# helm-docs renders these comments into markdown. Use markdown formatting where
# appropiate.
#
# -- The number of Crossplane pod `replicas` to deploy.
replicas: 1
# -- The deployment strategy for the Crossplane and RBAC Manager pods.
deploymentStrategy: RollingUpdate
image:
# -- Repository for the Crossplane pod image.
repository: xpkg.upbound.io/crossplane/crossplane
# -- The Crossplane image tag. Defaults to the value of `appVersion` in `Chart.yaml`.
tag: ""
# -- The image pull policy used for Crossplane and RBAC Manager pods.
pullPolicy: IfNotPresent
# -- Add `nodeSelectors` to the Crossplane pod deployment.
nodeSelector: {}
# -- Add `tolerations` to the Crossplane pod deployment.
tolerations: []
# -- Add `affinities` to the Crossplane pod deployment.
affinity: {}
# -- Enable `hostNetwork` for the Crossplane deployment. Caution: enabling `hostNetwork` grants the Crossplane Pod access to the host network namespace. Consider setting `dnsPolicy` to `ClusterFirstWithHostNet`.
hostNetwork: false
# -- Specify the `dnsPolicy` to be used by the Crossplane pod.
dnsPolicy: ""
# -- Add custom `labels` to the Crossplane pod deployment.
customLabels: {}
# -- Add custom `annotations` to the Crossplane pod deployment.
customAnnotations: {}
serviceAccount:
# -- Add custom `annotations` to the Crossplane ServiceAccount.
customAnnotations: {}
# -- Enable [leader election](https://docs.crossplane.io/latest/concepts/pods/#leader-election) for the Crossplane pod.
leaderElection: true
# -- Add custom arguments to the Crossplane pod.
args: []
provider:
# -- A list of Provider packages to install.
packages: []
configuration:
# -- A list of Configuration packages to install.
packages: []
function:
# -- A list of Function packages to install
packages: []
# -- The imagePullSecret names to add to the Crossplane ServiceAccount.
imagePullSecrets: []
registryCaBundleConfig:
# -- The ConfigMap name containing a custom CA bundle to enable fetching packages from registries with unknown or untrusted certificates.
name: ""
# -- The ConfigMap key containing a custom CA bundle to enable fetching packages from registries with unknown or untrusted certificates.
key: ""
service:
# -- Configure annotations on the service object. Only enabled when webhooks.enabled = true
customAnnotations: {}
webhooks:
# -- Enable webhooks for Crossplane and installed Provider packages.
enabled: true
rbacManager:
# -- Deploy the RBAC Manager pod and its required roles.
deploy: true
# -- Don't install aggregated Crossplane ClusterRoles.
skipAggregatedClusterRoles: false
# -- The number of RBAC Manager pod `replicas` to deploy.
replicas: 1
# -- Enable [leader election](https://docs.crossplane.io/latest/concepts/pods/#leader-election) for the RBAC Manager pod.
leaderElection: true
# -- Add custom arguments to the RBAC Manager pod.
args: []
# -- Add `nodeSelectors` to the RBAC Manager pod deployment.
nodeSelector: {}
# -- Add `tolerations` to the RBAC Manager pod deployment.
tolerations: []
# -- Add `affinities` to the RBAC Manager pod deployment.
affinity: {}
# -- The PriorityClass name to apply to the Crossplane and RBAC Manager pods.
priorityClassName: ""
resourcesCrossplane:
limits:
# -- CPU resource limits for the Crossplane pod.
cpu: 500m
# -- Memory resource limits for the Crossplane pod.
memory: 1024Mi
requests:
# -- CPU resource requests for the Crossplane pod.
cpu: 100m
# -- Memory resource requests for the Crossplane pod.
memory: 256Mi
securityContextCrossplane:
# -- The user ID used by the Crossplane pod.
runAsUser: 65532
# -- The group ID used by the Crossplane pod.
runAsGroup: 65532
# -- Enable `allowPrivilegeEscalation` for the Crossplane pod.
allowPrivilegeEscalation: false
# -- Set the Crossplane pod root file system as read-only.
readOnlyRootFilesystem: true
packageCache:
# -- Set to `Memory` to hold the package cache in a RAM backed file system. Useful for Crossplane development.
medium: ""
# -- The size limit for the package cache. If medium is `Memory` the `sizeLimit` can't exceed Node memory.
sizeLimit: 20Mi
# -- The name of a PersistentVolumeClaim to use as the package cache. Disables the default package cache `emptyDir` Volume.
pvc: ""
# -- The name of a ConfigMap to use as the package cache. Disables the default package cache `emptyDir` Volume.
configMap: ""
resourcesRBACManager:
limits:
# -- CPU resource limits for the RBAC Manager pod.
cpu: 100m
# -- Memory resource limits for the RBAC Manager pod.
memory: 512Mi
requests:
# -- CPU resource requests for the RBAC Manager pod.
cpu: 100m
# -- Memory resource requests for the RBAC Manager pod.
memory: 256Mi
securityContextRBACManager:
# -- The user ID used by the RBAC Manager pod.
runAsUser: 65532
# -- The group ID used by the RBAC Manager pod.
runAsGroup: 65532
# -- Enable `allowPrivilegeEscalation` for the RBAC Manager pod.
allowPrivilegeEscalation: false
# -- Set the RBAC Manager pod root file system as read-only.
readOnlyRootFilesystem: true
metrics:
# -- Enable Prometheus path, port and scrape annotations and expose port 8080 for both the Crossplane and RBAC Manager pods.
enabled: false
# -- Add custom environmental variables to the Crossplane pod deployment.
# Replaces any `.` in a variable name with `_`. For example, `SAMPLE.KEY=value1` becomes `SAMPLE_KEY=value1`.
extraEnvVarsCrossplane: {}
# -- Add custom environmental variables to the RBAC Manager pod deployment.
# Replaces any `.` in a variable name with `_`. For example, `SAMPLE.KEY=value1` becomes `SAMPLE_KEY=value1`.
extraEnvVarsRBACManager: {}
# -- Add a custom `securityContext` to the Crossplane pod.
podSecurityContextCrossplane: {}
# -- Add a custom `securityContext` to the RBAC Manager pod.
podSecurityContextRBACManager: {}
# -- Add custom `volumes` to the Crossplane pod.
extraVolumesCrossplane: {}
# -- Add custom `volumeMounts` to the Crossplane pod.
extraVolumeMountsCrossplane: {}
# -- To add arbitrary Kubernetes Objects during a Helm Install
extraObjects: []
# - apiVersion: pkg.crossplane.io/v1alpha1
# kind: ControllerConfig
# metadata:
# name: aws-config
# annotations:
# eks.amazonaws.com/role-arn: arn:aws:iam::123456789101:role/example
# helm.sh/hook: post-install
# spec:
# podSecurityContext:
# fsGroup: 2000

0
master/dashboards/nginx-dashboard.yaml → dashboards/nginx-dashboard.yaml
View File

95
dev/.gitlab/.gitlab-ci.yml
View File

@@ -1,95 +0,0 @@
stages:
- plan
- apply
- destroy
variables:
WORKDIR: $CI_PROJECT_DIR/dev/terraform
GITLAB_TF_ADDRESS: ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/terraform/state/dev
image:
name: registry.durp.info/opentofu/opentofu:latest
entrypoint: [""]
.tf-init:
before_script:
- cd $WORKDIR
- tofu init
-reconfigure
-backend-config="address=${GITLAB_TF_ADDRESS}"
-backend-config="lock_address=${GITLAB_TF_ADDRESS}/lock"
-backend-config="unlock_address=${GITLAB_TF_ADDRESS}/lock"
-backend-config="username=gitlab-ci-token"
-backend-config="password=${CI_JOB_TOKEN}"
-backend-config="lock_method=POST"
-backend-config="unlock_method=DELETE"
-backend-config="retry_wait_min=5"
format:
stage: .pre
allow_failure: false
script:
- cd $WORKDIR
- tofu fmt -diff -check -write=false
rules:
- changes:
- "dev/terraform/*.tf"
validate:
stage: .pre
allow_failure: false
extends: .tf-init
script:
- tofu validate
rules:
- changes:
- "dev/terraform/*.tf"
plan-dev-infrastructure:
stage: plan
variables:
PLAN: plan.tfplan
JSON_PLAN_FILE: tfplan.json
ENVIRONMENT_NAME: dev
allow_failure: false
extends: .tf-init
script:
- apk add --update curl jq
- alias convert_report="jq -r '([.resource_changes[].change.actions?]|flatten)|{\"create\":(map(select(.==\"create\"))|length),\"update\":(map(select(.==\"update\"))|length),\"delete\":(map(select(.==\"delete\"))|length)}'"
- tofu plan -out=$PLAN $ARGUMENTS
- tofu show --json $PLAN | jq -r '([.resource_changes[].change.actions?]|flatten)|{"create":(map(select(.=="create"))|length),"update":(map(select(.=="update"))|length),"delete":(map(select(.=="delete"))|length)}' > $JSON_PLAN_FILE
artifacts:
reports:
terraform: $WORKDIR/$JSON_PLAN_FILE
needs: ["validate","format"]
rules:
- changes:
- "dev/terraform/*.tf"
apply-dev-infrastructure:
stage: apply
variables:
ENVIRONMENT_NAME: dev
allow_failure: false
extends: .tf-init
script:
- tofu apply -auto-approve $ARGUMENTS
rules:
- changes:
- "dev/terraform/*.tf"
when: manual
needs: ["plan-dev-infrastructure"]
destroy-dev-infrastructure:
stage: destroy
variables:
ENVIRONMENT_NAME: dev
allow_failure: false
extends: .tf-init
script:
- tofu destroy -auto-approve $ARGUMENTS
rules:
- changes:
- "dev/terraform/*.tf"
when: manual
needs: ["plan-dev-infrastructure"]

11
dev/cert-manager/Chart.yaml
View File

@@ -1,11 +0,0 @@
apiVersion: v2
name: cert-manager
description: A Helm chart for Kubernetes
type: application
version: 0.0.1
appVersion: 0.0.1
dependencies:
- name: cert-manager
repository: https://charts.jetstack.io
version: v1.17.2

16
dev/cert-manager/templates/issuer.yaml
View File

@@ -1,16 +0,0 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: issuer
secrets:
- name: issuer-token-lmzpj
---
apiVersion: v1
kind: Secret
metadata:
name: issuer-token-lmzpj
annotations:
kubernetes.io/service-account.name: issuer
type: kubernetes.io/service-account-token

35
dev/cert-manager/templates/letsencrypt.yaml
View File

File diff suppressed because one or more lines are too long

22
dev/cert-manager/templates/secretvault.yaml
View File

@@ -1,22 +0,0 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: cloudflare-api-token-secret
spec:
secretStoreRef:
name: vault
kind: ClusterSecretStore
target:
name: cloudflare-api-token-secret
data:
- secretKey: cloudflare-api-token-secret
remoteRef:
key: kv/cert-manager
property: cloudflare-api-token-secret
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: vault

26
dev/cert-manager/values.yaml
View File

@@ -1,26 +0,0 @@
cert-manager:
crds:
enabled: true
image:
registry: registry.internal.durp.info
repository: jetstack/cert-manager-controller
pullPolicy: Always
replicaCount: 3
extraArgs:
- --dns01-recursive-nameservers=1.1.1.1:53,1.0.0.1:53
- --dns01-recursive-nameservers-only
podDnsPolicy: None
podDnsConfig:
nameservers:
- "1.1.1.1"
- "1.0.0.1"
webhook:
image:
registry: registry.internal.durp.info
repository: jetstack/cert-manager-webhook
pullPolicy: Always
cainjector:
image:
registry: registry.internal.durp.info
repository: jetstack/cert-manager-cainjector
pullPolicy: Always

12
dev/external-dns/Chart.yaml
View File

@@ -1,12 +0,0 @@
apiVersion: v2
name: external-dns
description: A Helm chart for Kubernetes
type: application
version: 0.0.1
appVersion: 0.0.1
dependencies:
- name: external-dns
repository: https://charts.bitnami.com/bitnami
version: 8.9.2

30
dev/external-dns/templates/secrets.yaml
View File

@@ -1,30 +0,0 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: external-dns-secret
spec:
secretStoreRef:
name: vault
kind: ClusterSecretStore
target:
name: external-dns
data:
- secretKey: cloudflare_api_email
remoteRef:
key: kv/cloudflare
property: cloudflare_api_email
- secretKey: cloudflare_api_key
remoteRef:
key: kv/cloudflare
property: cloudflare_api_key
- secretKey: cloudflare_api_token
remoteRef:
key: kv/cloudflare
property: cloudflare_api_token
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: vault

18
dev/external-dns/values.yaml
View File

@@ -1,18 +0,0 @@
external-dns:
global:
imageRegistry: "registry.durp.info"
image:
pullPolicy: Always
txtPrefix: "dmz-"
sources:
- service
provider: cloudflare
cloudflare:
secretName : "external-dns"
proxied: false
policy: sync

11
dev/external-secrets/Chart.yaml
View File

@@ -1,11 +0,0 @@
apiVersion: v2
name: external-secrets
description: A Helm chart for Kubernetes
type: application
version: 0.0.1
appVersion: 0.0.1
dependencies:
- name: external-secrets
repository: https://charts.external-secrets.io
version: 0.17.0

81
dev/external-secrets/templates/ca.yaml
View File

@@ -1,81 +0,0 @@
apiVersion: v1
data:
vault.pem: |
-----BEGIN CERTIFICATE-----
MIIEszCCA5ugAwIBAgIUZEzzxqEuYiKHkL1df+Cb22NRRJMwDQYJKoZIhvcNAQEL
BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzIyMzQ0MloXDTM1MDEy
MTExMTU1NVowIDEeMBwGA1UEAxMVdmF1bHQuaW5mcmEuZHVycC5pbmZvMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkZM0ue4bMcmmATs+kGYSpR2hLUzq
scGIwCtqmaKCMbd1xhmgjnIR3zvSRptLR2GVGvc1ti6qby0jXYvcqbxkHvay00zW
2zYN+M2m4lXpuWzg1t6NEoO6XGAsGj2v0vcVktPPU9uj0rGUVGWWfsvjoXqQFg5I
jdxsxK9SvMvw2XtE3FgKxpzCyw94InIHlcPwFTO+3ZdKStZlMbUDIkmszLBrWFcr
XOsPDfLxqMy0Ck//LKIt8djh3254FHB1GG5+kI+JSW1o+tUcL2NymvIINwm/2acS
1uTm+j9W7iEXav0pJNmm+/dzSskc3Y0ftM0h2HCXgitBIaEZnUVneNHOLwIDAQAB
o4IB7zCCAeswDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O
BBYEFCaQ2q7j7LyBGETEZ5qaJAdlISKCMB8GA1UdIwQYMBaAFO1jCyGkpFO+QiR2
dfBMWVYeWrQ2MIH0BggrBgEFBQcBAQSB5zCB5DAzBggrBgEFBQcwAYYnaHR0cHM6
Ly8xOTIuMTY4LjIwLjI1Mzo4MjAxL3YxL3BraS9vY3NwMD0GCCsGAQUFBzABhjFo
dHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3BraS9vY3Nw
MDEGCCsGAQUFBzAChiVodHRwczovLzE5Mi4xNjguMjAuMjUzOjgyMDEvdjEvcGtp
L2NhMDsGCCsGAQUFBzAChi9odHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVy
cC5pbmZvL3YxL3BraS9jYTAgBgNVHREEGTAXghV2YXVsdC5pbmZyYS5kdXJwLmlu
Zm8wbwYDVR0fBGgwZjAsoCqgKIYmaHR0cHM6Ly8xOTIuMTY4LjIwLjI1Mzo4MjAx
L3YxL3BraS9jcmwwNqA0oDKGMGh0dHBzOi8vcm9vdC12YXVsdC5pbnRlcm5hbC5k
dXJwLmluZm8vdjEvcGtpL2NybDANBgkqhkiG9w0BAQsFAAOCAQEAuJ+lplY/+A5L
5LzkljbKDTy3U6PLv1LtxqVCOFGiJXBnXMjtVW07bBEUadzFRNW8GHQ3w5QzOG6k
/vE/TrrJho7l05J/uc+BUrPSNjefLmQV6hn4jrP86PR0vzRfbSqKKBIID9M7+zi6
GFvHlVkSHsQyMQp7JOoax9KVzW2Y+OIgw7Lgw2tP122WCt2SIF0QenoZHsoW0guj
tzTJRmJDjn6XeJ7L3FPkf37H6ub0Jg3zBGr6eorEFfYZNN5CXezjqMFBpRdq4UIo
1M3A7o3uyZFcFsp/vGDcMBkwaCsBV9idu/HwkvGaTUNI285ilBORPD0bMZnACq/9
+Q/cdsO5lg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEmzCCA4OgAwIBAgIUQwCAs82sgSuiaVbjANHScO2DSfAwDQYJKoZIhvcNAQEL
BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzExMjEyNVoXDTM1MDEy
MTExMTU1NVowFDESMBAGA1UEAxMJZHVycC5pbmZvMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAn9fjGRqqFsqguz56X6cXZwEMtD9wElwSFCb4Fc8YTzlH
4fV13QwXKESLE/Q+7bw4y4FJQ8BiGNbxxbQOOgWhfGGlQyFa1lfhJtYLfqRN5C2/
S7nr0YxDB9duc4OAExVL6Pr4/Koc+vDZY03l7RzwnF2AOM9DjFTASw01TphCQjRk
U+upiN2TUhUPejV/gMR+zXM6pn98UBKG1dNubS0HzAMwAEXAPm141NDyWUCPT9+3
6P03Ka8mUTx3X49OCtvJEGEQbtlnTFQaOSkP1yLW+XRMHw3sQaV2PWXu5fInbEpZ
+SuzmgLOXtmQNmHLav9q1qeTVkpBGPWvfh2Vh1JJhQIDAQABo4IB4zCCAd8wDgYD
VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFJaP17f1Zw0V
55Ks9Uf0USVWl0BPMB8GA1UdIwQYMBaAFO1jCyGkpFO+QiR2dfBMWVYeWrQ2MIH0
BggrBgEFBQcBAQSB5zCB5DAzBggrBgEFBQcwAYYnaHR0cHM6Ly8xOTIuMTY4LjIw
LjI1Mzo4MjAxL3YxL3BraS9vY3NwMD0GCCsGAQUFBzABhjFodHRwczovL3Jvb3Qt
dmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3BraS9vY3NwMDEGCCsGAQUFBzAC
hiVodHRwczovLzE5Mi4xNjguMjAuMjUzOjgyMDEvdjEvcGtpL2NhMDsGCCsGAQUF
BzAChi9odHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3Br
aS9jYTAUBgNVHREEDTALgglkdXJwLmluZm8wbwYDVR0fBGgwZjAsoCqgKIYmaHR0
cHM6Ly8xOTIuMTY4LjIwLjI1Mzo4MjAxL3YxL3BraS9jcmwwNqA0oDKGMGh0dHBz
Oi8vcm9vdC12YXVsdC5pbnRlcm5hbC5kdXJwLmluZm8vdjEvcGtpL2NybDANBgkq
hkiG9w0BAQsFAAOCAQEAiqAZ4zNIEkCWcvpDRq0VyJuk59sVtJr5X4FscHQ179nE
QbbvMe+EBDFS6XQml1Elj8jiPa/D5O9Oc6Iisnm5+weZKwApz/lQ+XVkWLCoEplB
ZZ9fcWVCbMLt0xlt8qn5z/mYKfbCT7ZCqDO+prQZt+ADJcQbiknfroAAqEbNKxwN
Y9uUyOWNF3SxJEch4w2dtX+IEVmxeZnhMy8OuP0SQKl8aW40ugiG0ZD5yTBBfOD9
zsrGSU/iSatn0b7bevBhaL96hz1/rNR1cL+4/albX2hrr8Rv3/SB2DLtNQlQW0ls
AfhXAqP5zL+Ytgf1Of/pVdgnhxrYUY7RKCSGY5Hagw==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDLzCCAhegAwIBAgIUNHdvOzam2HPVdwXpMHUy4wl8ZRYwDQYJKoZIhvcNAQEL
BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzExMTUyNVoXDTM1MDEy
MTExMTU1NVowFDESMBAGA1UEAxMJZHVycC5pbmZvMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEA8XDTVEtRI3+k4yuvqVqfIiLRQJcXbmhfVtAeYk+5j9Ox
p1w9YHdnPLqLFrD1PzadjqYeAp/fwlEFfs6lqwoTS8S9vhaFqcgB57nVMb77dTBb
/08XHXOU6FPRjdFKm5QMpS7tn1XacPMy/o0bKqRREQeiuFDGVRyuF5PUgvWc1dvJ
l27JvvgYktgjfpNS4DlCxg4lGXT5abvaKf2hnr65egaIo/yRWN9wnvAzRiY7oci7
GA1oKz87Yc1tfL2gcynrwccOOCF/eUKesJR1I6GXNkN/a1fcr+Ld9Z9NhHBtO+vE
N8DsZY+kG7DE3M4BCCTFUzllcYHjaW4HaF9vZW+PYwIDAQABo3kwdzAOBgNVHQ8B
Af8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU7WMLIaSkU75CJHZ1
8ExZVh5atDYwHwYDVR0jBBgwFoAU7WMLIaSkU75CJHZ18ExZVh5atDYwFAYDVR0R
BA0wC4IJZHVycC5pbmZvMA0GCSqGSIb3DQEBCwUAA4IBAQAS/qUI/1Yv07xUTK5k
r93kC7GSPpmpkXIsfjChAl93sebN143fu70NUP74jjCc0Wkb8hRofGg10E+/24r1
AI0KsLhzKzfIASxUVQAn8RTptLruaaPLboSA4MUZ8IB5y8Vy8E3/KtD0gD80j64Y
rm9XGHA0HTJHbPUTb/Rux2g0E7WtiyWSWH8mqzbegU8IrkM3eVT4+ylBE7YkfWDD
dw44sB71tfmDKpzWg6XQ6YMh0YfnyG1fYCj9LhuecNY9Uuo6cjDaAvkzMewWwqDx
Q2Ekas98Di6itCP8vET+gBDjeCc+XR6Hx6vzWmxlZhwDuxEKL1a2/DabUxJyMNzv
55Fn
-----END CERTIFICATE-----
kind: ConfigMap
metadata:
name: ca-pemstore

94
dev/external-secrets/values.yaml
View File

@@ -1,94 +0,0 @@
external-secrets:
replicaCount: 3
revisionHistoryLimit: 1
leaderElect: true
installCRDs: true
crds:
createClusterExternalSecret: true
createClusterSecretStore: true
createClusterGenerator: true
createPushSecret: true
conversion:
enabled: false
image:
repository: registry.durp.info/external-secrets/external-secrets
pullPolicy: Always
extraVolumes:
- name: ca-pemstore
configMap:
name: ca-pemstore
extraVolumeMounts:
- name: ca-pemstore
mountPath: /etc/ssl/certs/vault.pem
subPath: vault.pem
readOnly: true
resources:
requests:
memory: 32Mi
cpu: 10m
limits:
memory: 32Mi
cpu: 10m
webhook:
create: false
failurePolicy: Ignore
log:
level: debug
image:
repository: registry.durp.info/external-secrets/external-secrets
pullPolicy: Always
extraVolumes:
- name: ca-pemstore
configMap:
name: ca-pemstore
extraVolumeMounts:
- name: ca-pemstore
mountPath: /etc/ssl/certs/vault.pem
subPath: vault.pem
readOnly: true
resources:
requests:
memory: 32Mi
cpu: 10m
limits:
memory: 32Mi
cpu: 10m
certController:
create: false
revisionHistoryLimit: 1
log:
level: debug
image:
repository: registry.durp.info/external-secrets/external-secrets
pullPolicy: Always
tag: ""
resources:
requests:
memory: 32Mi
cpu: 10m
limits:
memory: 32Mi
cpu: 10m
extraVolumes:
- name: ca-pemstore
configMap:
name: ca-pemstore
extraVolumeMounts:
- name: ca-pemstore
mountPath: /etc/ssl/certs/vault.pem
subPath: vault.pem
readOnly: true

17
dev/metallb-system/templates/config.yaml
View File

@@ -1,17 +0,0 @@
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
name: cheap
spec:
addresses:
- 192.168.10.130-192.168.10.140
---
apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
name: pool
namespace: metallb-system
spec:
ipAddressPools:
- cheap

0
dev/metallb-system/values.yaml
View File

115
dev/terraform/k3s.tf
View File

@@ -1,115 +0,0 @@
resource "proxmox_vm_qemu" "k3smaster" {
count = local.k3smaster.count
ciuser = "administrator"
vmid = "${local.vlan}${local.k3smaster.ip[count.index]}"
name = local.k3smaster.name[count.index]
target_node = local.k3smaster.node[count.index]
clone = local.template
tags = local.k3smaster.tags
qemu_os = "l26"
full_clone = true
os_type = "cloud-init"
agent = 1
cores = local.k3smaster.cores
sockets = 1
cpu_type = "host"
memory = local.k3smaster.memory
scsihw = "virtio-scsi-pci"
#bootdisk = "scsi0"
boot = "order=virtio0"
onboot = true
sshkeys = local.sshkeys
vga {
type = "serial0"
}
serial {
id = 0
type = "socket"
}
disks {
ide {
ide2 {
cloudinit {
storage = local.k3smaster.storage
}
}
}
virtio {
virtio0 {
disk {
size = local.k3smaster.drive
format = local.format
storage = local.k3smaster.storage
}
}
}
}
network {
id = 0
model = "virtio"
bridge = "vmbr0"
tag = local.vlan
}
#Cloud Init Settings
ipconfig0 = "ip=192.168.${local.vlan}.${local.k3smaster.ip[count.index]}/24,gw=192.168.${local.vlan}.1"
searchdomain = "durp.loc"
nameserver = local.dnsserver
}
resource "proxmox_vm_qemu" "k3sserver" {
count = local.k3sserver.count
ciuser = "administrator"
vmid = "${local.vlan}${local.k3sserver.ip[count.index]}"
name = local.k3sserver.name[count.index]
target_node = local.k3sserver.node[count.index]
clone = local.template
tags = local.k3sserver.tags
qemu_os = "l26"
full_clone = true
os_type = "cloud-init"
agent = 1
cores = local.k3sserver.cores
sockets = 1
cpu_type = "host"
memory = local.k3sserver.memory
scsihw = "virtio-scsi-pci"
#bootdisk = "scsi0"
boot = "order=virtio0"
onboot = true
sshkeys = local.sshkeys
vga {
type = "serial0"
}
serial {
id = 0
type = "socket"
}
disks {
ide {
ide2 {
cloudinit {
storage = local.k3sserver.storage
}
}
}
virtio {
virtio0 {
disk {
size = local.k3sserver.drive
format = local.format
storage = local.k3sserver.storage
}
}
}
}
network {
id = 0
model = "virtio"
bridge = "vmbr0"
tag = local.vlan
}
#Cloud Init Settings
ipconfig0 = "ip=192.168.${local.vlan}.${local.k3sserver.ip[count.index]}/24,gw=192.168.${local.vlan}.1"
searchdomain = "durp.loc"
nameserver = local.dnsserver
}

48
dev/terraform/main.tf
View File

@@ -1,48 +0,0 @@
terraform {
backend "http" {}
required_providers {
proxmox = {
source = "Telmate/proxmox"
version = "3.0.1-rc9"
}
}
}
provider "proxmox" {
pm_parallel = 1
pm_tls_insecure = true
pm_api_url = var.pm_api_url
pm_user = var.pm_user
pm_password = var.pm_password
pm_debug = false
}
locals {
sshkeys = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDEphzWgwUZnvL6E5luKLt3WO0HK7Kh63arSMoNl5gmjzXyhG1DDW0OKfoIl0T+JZw/ZjQ7iii6tmSLFRk6nuYCldqe5GVcFxvTzX4/xGEioAyG0IiUGKy6s+9xzO8QXF0EtSNPH0nfHNKcCjgwWAzM+Lt6gW0Vqs+aU5ICuDiEchmvYPz+rBaVldJVTG7m3ogKJ2aIF7HU/pCPp5l0E9gMOw7s0ABijuc3KXLEWCYgL39jIST6pFH9ceRLmu8Xy5zXHAkkEEauY/e6ld0hlzLadiUD7zYJMdDcm0oRvenYcUlaUl9gS0569IpfsJsjCejuqOxCKzTHPJDOT0f9TbIqPXkGq3s9oEJGpQW+Z8g41BqRpjBCdBk+yv39bzKxlwlumDwqgx1WP8xxKavAWYNqNRG7sBhoWwtxYEOhKXoLNjBaeDRnO5OY5AQJvONWpuByyz0R/gTh4bOFVD+Y8WWlKbT4zfhnN70XvapRsbZiaGhJBPwByAMGg6XxSbC6xtbyligVGCEjCXbTLkeKq1w0DuItY+FBGO3J2k90OiciTVSeyiVz9J/Y03UB0gHdsMCoVNrj+9QWfrTLDhM7D5YrXUt5nj2LQTcbtf49zoQXWxUhozlg42E/FJU/Yla7y55qWizAEVyP2/Ks/PHrF679k59HNd2IJ/aicA9QnmWtLQ== ansible"
template = "Debian12-Template"
format = "raw"
dnsserver = "192.168.10.1"
vlan = 10
k3smaster = {
tags = "k3s_dev"
count = 3
name = ["master01-dev", "master02-dev", "master03-dev"]
cores = 2
memory = "4096"
drive = 20
storage = "cache-domains"
node = ["mothership", "overlord", "vanguard"]
ip = ["11", "12", "13"]
}
k3sserver = {
tags = "k3s_dev"
count = 3
name = ["node01-dev", "node02-dev", "node03-dev"]
cores = 4
memory = "8192"
drive = 120
storage = "cache-domains"
node = ["mothership", "overlord", "vanguard"]
ip = ["21", "22", "23"]
}
}

14
dev/terraform/variables.tf
View File

@@ -1,14 +0,0 @@
variable "pm_api_url" {
description = "API URL to Proxmox provider"
type = string
}
variable "pm_password" {
description = "Passowrd to Proxmox provider"
type = string
}
variable "pm_user" {
description = "Username to Proxmox provider"
type = string
}

58
dev/traefik/values.yaml
View File

@@ -1,58 +0,0 @@
traefik:
image:
# registry: registry.durp.info
# repository: traefik
pullPolicy: Always
providers:
kubernetesCRD:
allowCrossNamespace: true
allowExternalNameServices: true
allowEmptyServices: false
deployment:
replicas: 3
revisionHistoryLimit: 1
# volumes:
# - name: traefik-configmap
# mountPath: "/config"
# type: configMap
ingressRoute:
dashboard:
enabled: true
additionalArguments:
# - "--providers.file.filename=/config/config.yml"
- "--serversTransport.insecureSkipVerify=true"
- "--log.level=DEBUG"
- --experimental.plugins.jwt.moduleName=github.com/traefik-plugins/traefik-jwt-plugin
- --experimental.plugins.jwt.version=v0.7.0
autoscaling:
enabled: true
minReplicas: 3
maxReplicas: 10
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: 80
behavior:
scaleDown:
stabilizationWindowSeconds: 300
policies:
- type: Pods
value: 1
periodSeconds: 60
# -- [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for `traefik` container.
resources:
requests:
cpu: "100m"
memory: "512Mi"
limits:
memory: "512Mi"

12
dev/vault/Chart.yaml
View File

@@ -1,12 +0,0 @@
apiVersion: v2
name: vault
description: A Helm chart for Kubernetes
type: application
version: 0.0.1
appVersion: 0.0.1
dependencies:
- name: vault
repository: https://helm.releases.hashicorp.com
version: 0.30.0

23
dev/vault/templates/secret-store.yaml
View File

@@ -1,23 +0,0 @@
apiVersion: external-secrets.io/v1
kind: ClusterSecretStore
metadata:
name: vault
spec:
provider:
vault:
server: "https://vault.infra.durp.info"
path: "kv"
version: "v2"
auth:
kubernetes:
mountPath: "dmz-cluster"
role: "external-secrets"
serviceAccountRef:
name: "vault"
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: vault

13
dev/vault/values.yaml
View File

@@ -1,13 +0,0 @@
vault:
global:
enabled: true
tlsDisable: false
externalVaultAddr: "https://vault.infra.durp.info"
resources:
requests:
memory: 256Mi
cpu: 250m
limits:
memory: 256Mi
cpu: 250m

95
dmz/.gitlab/.gitlab-ci.yml
View File

@@ -1,95 +0,0 @@
stages:
- plan
- apply
- destroy
variables:
WORKDIR: $CI_PROJECT_DIR/dmz/terraform
GITLAB_TF_ADDRESS: ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/terraform/state/dmz
image:
name: registry.durp.info/opentofu/opentofu:latest
entrypoint: [""]
.tf-init:
before_script:
- cd $WORKDIR
- tofu init
-reconfigure
-backend-config="address=${GITLAB_TF_ADDRESS}"
-backend-config="lock_address=${GITLAB_TF_ADDRESS}/lock"
-backend-config="unlock_address=${GITLAB_TF_ADDRESS}/lock"
-backend-config="username=gitlab-ci-token"
-backend-config="password=${CI_JOB_TOKEN}"
-backend-config="lock_method=POST"
-backend-config="unlock_method=DELETE"
-backend-config="retry_wait_min=5"
format:
stage: .pre
allow_failure: false
script:
- cd $WORKDIR
- tofu fmt -diff -check -write=false
rules:
- changes:
- "dmz/terraform/*.tf"
validate:
stage: .pre
allow_failure: false
extends: .tf-init
script:
- tofu validate
rules:
- changes:
- "dmz/terraform/*.tf"
plan-dmz-infrastructure:
stage: plan
variables:
PLAN: plan.tfplan
JSON_PLAN_FILE: tfplan.json
ENVIRONMENT_NAME: dmz
allow_failure: false
extends: .tf-init
script:
- apk add --update curl jq
- alias convert_report="jq -r '([.resource_changes[].change.actions?]|flatten)|{\"create\":(map(select(.==\"create\"))|length),\"update\":(map(select(.==\"update\"))|length),\"delete\":(map(select(.==\"delete\"))|length)}'"
- tofu plan -out=$PLAN $ARGUMENTS
- tofu show --json $PLAN | jq -r '([.resource_changes[].change.actions?]|flatten)|{"create":(map(select(.=="create"))|length),"update":(map(select(.=="update"))|length),"delete":(map(select(.=="delete"))|length)}' > $JSON_PLAN_FILE
artifacts:
reports:
terraform: $WORKDIR/$JSON_PLAN_FILE
needs: ["validate","format"]
rules:
- changes:
- "dmz/terraform/*.tf"
apply-dmz-infrastructure:
stage: apply
variables:
ENVIRONMENT_NAME: dmz
allow_failure: false
extends: .tf-init
script:
- tofu apply -auto-approve $ARGUMENTS
rules:
- changes:
- "dmz/terraform/*.tf"
when: manual
needs: ["plan-dmz-infrastructure"]
destroy-dmz-infrastructure:
stage: destroy
variables:
ENVIRONMENT_NAME: dmz
allow_failure: false
extends: .tf-init
script:
- tofu destroy -auto-approve $ARGUMENTS
rules:
- changes:
- "dmz/terraform/*.tf"
when: manual
needs: ["plan-dmz-infrastructure"]

12
dmz/authentik/Chart.yaml
View File

@@ -1,12 +0,0 @@
apiVersion: v2
name: authentik
description: A Helm chart for Kubernetes
type: application
version: 0.1.0
appVersion: "1.16.0"
dependencies:
- name: authentik-remote-cluster
repository: https://charts.goauthentik.io
version: 2.1.0

30
dmz/authentik/values.yaml
View File

@@ -1,30 +0,0 @@
authentik-remote-cluster:
# -- Provide a name in place of `authentik`. Prefer using global.nameOverride if possible
nameOverride: ""
# -- String to fully override `"authentik.fullname"`. Prefer using global.fullnameOverride if possible
fullnameOverride: ""
# -- Override the Kubernetes version, which is used to evaluate certain manifests
kubeVersionOverride: ""
## Globally shared configuration for authentik components.
global:
# -- Provide a name in place of `authentik`
nameOverride: ""
# -- String to fully override `"authentik.fullname"`
fullnameOverride: ""
# -- A custom namespace to override the default namespace for the deployed resources.
namespaceOverride: ""
# -- Common labels for all resources.
additionalLabels: {}
# app: authentik
# -- Annotations to apply to all resources
annotations: {}
serviceAccountSecret:
# -- Create a secret with the service account credentials
enabled: true
clusterRole:
# -- Create a clusterole in addition to a namespaced role.
enabled: true

11
dmz/cert-manager/Chart.yaml
View File

@@ -1,11 +0,0 @@
apiVersion: v2
name: cert-manager
description: A Helm chart for Kubernetes
type: application
version: 0.0.1
appVersion: 0.0.1
dependencies:
- name: cert-manager
repository: https://charts.jetstack.io
version: v1.17.2

16
dmz/cert-manager/templates/issuer.yaml
View File

@@ -1,16 +0,0 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: issuer
secrets:
- name: issuer-token-lmzpj
---
apiVersion: v1
kind: Secret
metadata:
name: issuer-token-lmzpj
annotations:
kubernetes.io/service-account.name: issuer
type: kubernetes.io/service-account-token

35
dmz/cert-manager/templates/letsencrypt.yaml
View File

File diff suppressed because one or more lines are too long

22
dmz/cert-manager/templates/secretvault.yaml
View File

@@ -1,22 +0,0 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: cloudflare-api-token-secret
spec:
secretStoreRef:
name: vault
kind: ClusterSecretStore
target:
name: cloudflare-api-token-secret
data:
- secretKey: cloudflare-api-token-secret
remoteRef:
key: kv/cert-manager
property: cloudflare-api-token-secret
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: vault

31
dmz/cert-manager/values.yaml
View File

@@ -1,31 +0,0 @@
cert-manager:
crds:
enabled: true
image:
registry: registry.durp.info
repository: jetstack/cert-manager-controller
pullPolicy: Always
replicaCount: 3
extraArgs:
- --dns01-recursive-nameservers=1.1.1.1:53,1.0.0.1:53
- --dns01-recursive-nameservers-only
podDnsPolicy: None
podDnsConfig:
nameservers:
- "1.1.1.1"
- "1.0.0.1"
webhook:
image:
registry: registry.durp.info
repository: jetstack/cert-manager-webhook
pullPolicy: Always
cainjector:
image:
registry: registry.durp.info
repository: jetstack/cert-manager-cainjector
pullPolicy: Always
hostAliases:
- ip: 192.168.12.130
hostnames:
- vault.infra.durp.info

11
dmz/crowdsec/Chart.yaml
View File

@@ -1,11 +0,0 @@
apiVersion: v2
name: crowdsec
description: A Helm chart for Kubernetes
type: application
version: 0.0.1
appVersion: 0.0.1
dependencies:
- name: crowdsec
repository: https://crowdsecurity.github.io/helm-charts
version: 0.20.0

29
dmz/crowdsec/templates/secrets.yaml
View File

@@ -1,29 +0,0 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: enroll-key
spec:
secretStoreRef:
name: vault
kind: ClusterSecretStore
target:
name: enroll-key
data:
- secretKey: ENROLL_INSTANCE_NAME
remoteRef:
key: kv/crowdsec/dmz-enroll
property: ENROLL_INSTANCE_NAME
- secretKey: ENROLL_KEY
remoteRef:
key: kv/crowdsec/dmz-enroll
property: ENROLL_KEY
- secretKey: ENROLL_TAGS
remoteRef:
key: kv/crowdsec/dmz-enroll
property: ENROLL_TAGS
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: vault

24
dmz/crowdsec/values.yaml
View File

@@ -1,24 +0,0 @@
crowdsec:
#
image:
repository: registry.durp.info/crowdsecurity/crowdsec
pullPolicy: Always
# for raw logs format: json or cri (docker|containerd)
container_runtime: containerd
agent:
# Specify each pod whose logs you want to process
acquisition:
# The namespace where the pod is located
- namespace: traefik
# The pod name
podName: traefik-*
# as in crowdsec configuration, we need to specify the program name to find a matching parser
program: traefik
env:
- name: COLLECTIONS
value: "crowdsecurity/traefik"
lapi:
envFrom:
- secretRef:
name: enroll-key

30
dmz/external-dns/templates/secrets.yaml
View File

@@ -1,30 +0,0 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: external-dns-secret
spec:
secretStoreRef:
name: vault
kind: ClusterSecretStore
target:
name: external-dns
data:
- secretKey: cloudflare_api_email
remoteRef:
key: kv/cloudflare
property: cloudflare_api_email
- secretKey: cloudflare_api_key
remoteRef:
key: kv/cloudflare
property: cloudflare_api_key
- secretKey: cloudflare_api_token
remoteRef:
key: kv/cloudflare
property: cloudflare_api_token
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: vault

20
dmz/external-dns/values.yaml
View File

@@ -1,20 +0,0 @@
external-dns:
global:
imageRegistry: "registry.durp.info"
security:
allowInsecureImages: true
image:
pullPolicy: Always
txtPrefix: "dmz-"
sources:
- service
provider: cloudflare
cloudflare:
secretName: "external-dns"
proxied: false
policy: sync

11
dmz/external-secrets/Chart.yaml
View File

@@ -1,11 +0,0 @@
apiVersion: v2
name: external-secrets
description: A Helm chart for Kubernetes
type: application
version: 0.0.1
appVersion: 0.0.1
dependencies:
- name: external-secrets
repository: https://charts.external-secrets.io
version: 0.17.0

81
dmz/external-secrets/templates/ca.yaml
View File

@@ -1,81 +0,0 @@
apiVersion: v1
data:
vault.pem: |
-----BEGIN CERTIFICATE-----
MIIEszCCA5ugAwIBAgIUZEzzxqEuYiKHkL1df+Cb22NRRJMwDQYJKoZIhvcNAQEL
BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzIyMzQ0MloXDTM1MDEy
MTExMTU1NVowIDEeMBwGA1UEAxMVdmF1bHQuaW5mcmEuZHVycC5pbmZvMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkZM0ue4bMcmmATs+kGYSpR2hLUzq
scGIwCtqmaKCMbd1xhmgjnIR3zvSRptLR2GVGvc1ti6qby0jXYvcqbxkHvay00zW
2zYN+M2m4lXpuWzg1t6NEoO6XGAsGj2v0vcVktPPU9uj0rGUVGWWfsvjoXqQFg5I
jdxsxK9SvMvw2XtE3FgKxpzCyw94InIHlcPwFTO+3ZdKStZlMbUDIkmszLBrWFcr
XOsPDfLxqMy0Ck//LKIt8djh3254FHB1GG5+kI+JSW1o+tUcL2NymvIINwm/2acS
1uTm+j9W7iEXav0pJNmm+/dzSskc3Y0ftM0h2HCXgitBIaEZnUVneNHOLwIDAQAB
o4IB7zCCAeswDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O
BBYEFCaQ2q7j7LyBGETEZ5qaJAdlISKCMB8GA1UdIwQYMBaAFO1jCyGkpFO+QiR2
dfBMWVYeWrQ2MIH0BggrBgEFBQcBAQSB5zCB5DAzBggrBgEFBQcwAYYnaHR0cHM6
Ly8xOTIuMTY4LjIwLjI1Mzo4MjAxL3YxL3BraS9vY3NwMD0GCCsGAQUFBzABhjFo
dHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3BraS9vY3Nw
MDEGCCsGAQUFBzAChiVodHRwczovLzE5Mi4xNjguMjAuMjUzOjgyMDEvdjEvcGtp
L2NhMDsGCCsGAQUFBzAChi9odHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVy
cC5pbmZvL3YxL3BraS9jYTAgBgNVHREEGTAXghV2YXVsdC5pbmZyYS5kdXJwLmlu
Zm8wbwYDVR0fBGgwZjAsoCqgKIYmaHR0cHM6Ly8xOTIuMTY4LjIwLjI1Mzo4MjAx
L3YxL3BraS9jcmwwNqA0oDKGMGh0dHBzOi8vcm9vdC12YXVsdC5pbnRlcm5hbC5k
dXJwLmluZm8vdjEvcGtpL2NybDANBgkqhkiG9w0BAQsFAAOCAQEAuJ+lplY/+A5L
5LzkljbKDTy3U6PLv1LtxqVCOFGiJXBnXMjtVW07bBEUadzFRNW8GHQ3w5QzOG6k
/vE/TrrJho7l05J/uc+BUrPSNjefLmQV6hn4jrP86PR0vzRfbSqKKBIID9M7+zi6
GFvHlVkSHsQyMQp7JOoax9KVzW2Y+OIgw7Lgw2tP122WCt2SIF0QenoZHsoW0guj
tzTJRmJDjn6XeJ7L3FPkf37H6ub0Jg3zBGr6eorEFfYZNN5CXezjqMFBpRdq4UIo
1M3A7o3uyZFcFsp/vGDcMBkwaCsBV9idu/HwkvGaTUNI285ilBORPD0bMZnACq/9
+Q/cdsO5lg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEmzCCA4OgAwIBAgIUQwCAs82sgSuiaVbjANHScO2DSfAwDQYJKoZIhvcNAQEL
BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzExMjEyNVoXDTM1MDEy
MTExMTU1NVowFDESMBAGA1UEAxMJZHVycC5pbmZvMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAn9fjGRqqFsqguz56X6cXZwEMtD9wElwSFCb4Fc8YTzlH
4fV13QwXKESLE/Q+7bw4y4FJQ8BiGNbxxbQOOgWhfGGlQyFa1lfhJtYLfqRN5C2/
S7nr0YxDB9duc4OAExVL6Pr4/Koc+vDZY03l7RzwnF2AOM9DjFTASw01TphCQjRk
U+upiN2TUhUPejV/gMR+zXM6pn98UBKG1dNubS0HzAMwAEXAPm141NDyWUCPT9+3
6P03Ka8mUTx3X49OCtvJEGEQbtlnTFQaOSkP1yLW+XRMHw3sQaV2PWXu5fInbEpZ
+SuzmgLOXtmQNmHLav9q1qeTVkpBGPWvfh2Vh1JJhQIDAQABo4IB4zCCAd8wDgYD
VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFJaP17f1Zw0V
55Ks9Uf0USVWl0BPMB8GA1UdIwQYMBaAFO1jCyGkpFO+QiR2dfBMWVYeWrQ2MIH0
BggrBgEFBQcBAQSB5zCB5DAzBggrBgEFBQcwAYYnaHR0cHM6Ly8xOTIuMTY4LjIw
LjI1Mzo4MjAxL3YxL3BraS9vY3NwMD0GCCsGAQUFBzABhjFodHRwczovL3Jvb3Qt
dmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3BraS9vY3NwMDEGCCsGAQUFBzAC
hiVodHRwczovLzE5Mi4xNjguMjAuMjUzOjgyMDEvdjEvcGtpL2NhMDsGCCsGAQUF
BzAChi9odHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3Br
aS9jYTAUBgNVHREEDTALgglkdXJwLmluZm8wbwYDVR0fBGgwZjAsoCqgKIYmaHR0
cHM6Ly8xOTIuMTY4LjIwLjI1Mzo4MjAxL3YxL3BraS9jcmwwNqA0oDKGMGh0dHBz
Oi8vcm9vdC12YXVsdC5pbnRlcm5hbC5kdXJwLmluZm8vdjEvcGtpL2NybDANBgkq
hkiG9w0BAQsFAAOCAQEAiqAZ4zNIEkCWcvpDRq0VyJuk59sVtJr5X4FscHQ179nE
QbbvMe+EBDFS6XQml1Elj8jiPa/D5O9Oc6Iisnm5+weZKwApz/lQ+XVkWLCoEplB
ZZ9fcWVCbMLt0xlt8qn5z/mYKfbCT7ZCqDO+prQZt+ADJcQbiknfroAAqEbNKxwN
Y9uUyOWNF3SxJEch4w2dtX+IEVmxeZnhMy8OuP0SQKl8aW40ugiG0ZD5yTBBfOD9
zsrGSU/iSatn0b7bevBhaL96hz1/rNR1cL+4/albX2hrr8Rv3/SB2DLtNQlQW0ls
AfhXAqP5zL+Ytgf1Of/pVdgnhxrYUY7RKCSGY5Hagw==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDLzCCAhegAwIBAgIUNHdvOzam2HPVdwXpMHUy4wl8ZRYwDQYJKoZIhvcNAQEL
BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzExMTUyNVoXDTM1MDEy
MTExMTU1NVowFDESMBAGA1UEAxMJZHVycC5pbmZvMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEA8XDTVEtRI3+k4yuvqVqfIiLRQJcXbmhfVtAeYk+5j9Ox
p1w9YHdnPLqLFrD1PzadjqYeAp/fwlEFfs6lqwoTS8S9vhaFqcgB57nVMb77dTBb
/08XHXOU6FPRjdFKm5QMpS7tn1XacPMy/o0bKqRREQeiuFDGVRyuF5PUgvWc1dvJ
l27JvvgYktgjfpNS4DlCxg4lGXT5abvaKf2hnr65egaIo/yRWN9wnvAzRiY7oci7
GA1oKz87Yc1tfL2gcynrwccOOCF/eUKesJR1I6GXNkN/a1fcr+Ld9Z9NhHBtO+vE
N8DsZY+kG7DE3M4BCCTFUzllcYHjaW4HaF9vZW+PYwIDAQABo3kwdzAOBgNVHQ8B
Af8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU7WMLIaSkU75CJHZ1
8ExZVh5atDYwHwYDVR0jBBgwFoAU7WMLIaSkU75CJHZ18ExZVh5atDYwFAYDVR0R
BA0wC4IJZHVycC5pbmZvMA0GCSqGSIb3DQEBCwUAA4IBAQAS/qUI/1Yv07xUTK5k
r93kC7GSPpmpkXIsfjChAl93sebN143fu70NUP74jjCc0Wkb8hRofGg10E+/24r1
AI0KsLhzKzfIASxUVQAn8RTptLruaaPLboSA4MUZ8IB5y8Vy8E3/KtD0gD80j64Y
rm9XGHA0HTJHbPUTb/Rux2g0E7WtiyWSWH8mqzbegU8IrkM3eVT4+ylBE7YkfWDD
dw44sB71tfmDKpzWg6XQ6YMh0YfnyG1fYCj9LhuecNY9Uuo6cjDaAvkzMewWwqDx
Q2Ekas98Di6itCP8vET+gBDjeCc+XR6Hx6vzWmxlZhwDuxEKL1a2/DabUxJyMNzv
55Fn
-----END CERTIFICATE-----
kind: ConfigMap
metadata:
name: ca-pemstore

Some files were not shown because too many files have changed in this diff Show More