DeveloperDurp/homelab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: DeveloperDurp:1160ba317aabaa86fd452419348ea342f4a5cfae
Branches Tags
DeveloperDurp:main DeveloperDurp:renovate/docker.io-swaggerapi-swagger-ui-5.x DeveloperDurp:renovate/cert-manager-1.x DeveloperDurp:renovate/docker.io-nginxinc-nginx-unprivileged-1.x DeveloperDurp:renovate/crowdsec-0.x DeveloperDurp:renovate/crossplane-1.x DeveloperDurp:renovate/gitlab-runner-0.x DeveloperDurp:renovate/gatekeeper-3.x DeveloperDurp:renovate/authentik-2025.x DeveloperDurp:renovate/longhorn-1.x DeveloperDurp:renovate/external-secrets-0.x DeveloperDurp:dev DeveloperDurp:dmz DeveloperDurp:prd
..
compare: DeveloperDurp:dmz
Branches Tags
DeveloperDurp:main DeveloperDurp:renovate/docker.io-swaggerapi-swagger-ui-5.x DeveloperDurp:renovate/cert-manager-1.x DeveloperDurp:renovate/docker.io-nginxinc-nginx-unprivileged-1.x DeveloperDurp:renovate/crowdsec-0.x DeveloperDurp:renovate/crossplane-1.x DeveloperDurp:renovate/gitlab-runner-0.x DeveloperDurp:renovate/gatekeeper-3.x DeveloperDurp:renovate/authentik-2025.x DeveloperDurp:renovate/longhorn-1.x DeveloperDurp:renovate/external-secrets-0.x DeveloperDurp:dev DeveloperDurp:dmz DeveloperDurp:prd

31 Commits
1160ba317a ... dmz

Author SHA1 Message Date
DeveloperDurp
c5e1681c5e update 2024-08-07 05:48:59 -05:00
DeveloperDurp
3caef94aa2 update 2024-08-07 05:48:43 -05:00
DeveloperDurp
d1b5b53626 update 2024-08-07 05:47:57 -05:00
DeveloperDurp
1fb05b911d update 2024-08-07 05:46:58 -05:00
DeveloperDurp
35e46caf8e update 2024-08-07 05:35:50 -05:00
DeveloperDurp
1488f5c3bd update 2024-08-07 05:35:03 -05:00
DeveloperDurp
6d743b8812 update 2024-08-07 05:34:15 -05:00
DeveloperDurp
23a5ebef45 update 2024-08-07 05:33:45 -05:00
DeveloperDurp
c904e0260a update 2024-08-07 05:33:23 -05:00
DeveloperDurp
b4adf6bfe1 update 2024-08-07 05:28:09 -05:00
DeveloperDurp
51c5eed833 update 2024-08-07 05:26:28 -05:00
DeveloperDurp
f308a5c672 update 2024-08-06 05:11:29 -05:00
DeveloperDurp
305a418382 update 2024-08-06 04:55:02 -05:00
DeveloperDurp
86d3fe8b38 update 2024-08-05 05:04:11 -05:00
DeveloperDurp
3df7190f90 update 2024-08-05 04:59:37 -05:00
DeveloperDurp
27dd5ed7b7 update 2024-08-05 04:58:12 -05:00
DeveloperDurp
d5d746743c test secret in same namespace 2024-08-05 04:52:21 -05:00
DeveloperDurp
b794d2945f update 2024-08-05 04:51:46 -05:00
DeveloperDurp
26b4774589 update 2024-08-04 10:53:35 -05:00
DeveloperDurp
16ff689f49 update 2024-08-04 10:47:47 -05:00
DeveloperDurp
45bf00db84 update 2024-08-04 10:40:35 -05:00
DeveloperDurp
0045af169d update 2024-08-04 10:39:19 -05:00
DeveloperDurp
3fe64ede97 update 2024-08-04 10:36:59 -05:00
DeveloperDurp
e4afc699b3 update 2024-08-04 10:35:13 -05:00
DeveloperDurp
aacf1e8656 update 2024-08-04 10:34:29 -05:00
DeveloperDurp
3c3bd1bfa0 update 2024-08-04 10:00:54 -05:00
DeveloperDurp
654f2b4d85 update 2024-08-04 09:53:37 -05:00
DeveloperDurp
1c04237918 update 2024-08-04 09:48:25 -05:00
DeveloperDurp
a8a881dd7c update 2024-08-04 09:44:38 -05:00
DeveloperDurp
43579b8f6e update 2024-08-04 09:34:19 -05:00
DeveloperDurp
e0eaa1a96c update 2024-08-04 09:33:10 -05:00
263 changed files with 544 additions and 10544 deletions
Expand all files Collapse all files

2
.gitignore vendored
View File

@@ -1,3 +1 @@
.idea
infra/terraform/.terraform
infra/terraform/.terraform.lock.hcl

3
.gitlab/.gitlab-ci.yml
View File

@@ -1,3 +0,0 @@
include:
- local: infra/.gitlab/.gitlab-ci.yml
- local: dmz/.gitlab/.gitlab-ci.yml

4
Untitled
View File

@@ -1,4 +0,0 @@
VAULT_HELM_SECRET_NAME=$(kubectl get secrets -n vault --output=json | jq -r '.items[].metadata | select(.name|startswith("vault-token-")).name')
TOKEN_REVIEW_JWT=$(kubectl get secret $VAULT_HELM_SECRET_NAME -n vault --output='go-template={{ .data.token }}' | base64 --decode)
KUBE_CA_CERT=$(kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.certificate-authority-data}' | base64 --decode)
KUBE_HOST=$(kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.server}')

5
ansible/base.yaml
View File

@@ -1,5 +0,0 @@
- hosts: all
gather_facts: yes
become: yes
roles:
- base

4
ansible/roles/base/files/10periodic
View File

@@ -1,4 +0,0 @@
APT::Periodic::Update-Package-Lists "1";
APT::Periodic::Download-Upgradeable-Packages "1";
APT::Periodic::AutocleanInterval "7";
APT::Periodic::Unattended-Upgrade "1";

1
ansible/roles/base/files/authorized_keys_user
View File

@@ -1 +0,0 @@
ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGhPVgL8gXdRTw0E2FvlOUoUI4vd794nB0nZVIsc+U5M

4
ansible/roles/base/files/issue
View File

@@ -1,4 +0,0 @@
Use of this system is restricted to authorized users only, and all use is subjected to an acceptable use policy.
IF YOU ARE NOT AUTHORIZED TO USE THIS SYSTEM, DISCONNECT NOW.

4
ansible/roles/base/files/motd
View File

@@ -1,4 +0,0 @@
THIS SYSTEM IS FOR AUTHORIZED USE ONLY
All activities are logged and monitored.

95
ansible/roles/base/files/sshd_config_secured
View File

@@ -1,95 +0,0 @@
# Package generated configuration file
# See the sshd_config(5) manpage for details
# What ports, IPs and protocols we listen for
Port 22
# Use these options to restrict which interfaces/protocols sshd will bind to
#ListenAddress ::
#ListenAddress 0.0.0.0
Protocol 2
# HostKeys for protocol version 2
HostKey /etc/ssh/ssh_host_rsa_key
HostKey /etc/ssh/ssh_host_dsa_key
HostKey /etc/ssh/ssh_host_ecdsa_key
HostKey /etc/ssh/ssh_host_ed25519_key
#Privilege Separation is turned on for security
UsePrivilegeSeparation yes
# Lifetime and size of ephemeral version 1 server key
KeyRegenerationInterval 3600
ServerKeyBits 1024
# Logging
SyslogFacility AUTH
LogLevel INFO
# Authentication:
LoginGraceTime 120
PermitRootLogin no
StrictModes yes
RSAAuthentication yes
PubkeyAuthentication yes
#AuthorizedKeysFile %h/.ssh/authorized_keys
# Don't read the user's ~/.rhosts and ~/.shosts files
IgnoreRhosts yes
# For this to work you will also need host keys in /etc/ssh_known_hosts
RhostsRSAAuthentication no
# similar for protocol version 2
HostbasedAuthentication no
# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
#IgnoreUserKnownHosts yes
# To enable empty passwords, change to yes (NOT RECOMMENDED)
PermitEmptyPasswords no
# Change to yes to enable challenge-response passwords (beware issues with
# some PAM modules and threads)
ChallengeResponseAuthentication no
# Change to no to disable tunnelled clear text passwords
PasswordAuthentication no
# Kerberos options
#KerberosAuthentication no
#KerberosGetAFSToken no
#KerberosOrLocalPasswd yes
#KerberosTicketCleanup yes
# GSSAPI options
#GSSAPIAuthentication no
#GSSAPICleanupCredentials yes
X11Forwarding no
X11DisplayOffset 10
PrintMotd no
PrintLastLog yes
TCPKeepAlive yes
#UseLogin no
#MaxStartups 10:30:60
#Banner /etc/issue.net
# Allow client to pass locale environment variables
AcceptEnv LANG LC_*
Subsystem sftp /usr/lib/openssh/sftp-server
# Set this to 'yes' to enable PAM authentication, account processing,
# and session processing. If this is enabled, PAM authentication will
# be allowed through the ChallengeResponseAuthentication and
# PasswordAuthentication. Depending on your PAM configuration,
# PAM authentication via ChallengeResponseAuthentication may bypass
# the setting of "PermitRootLogin without-password".
# If you just want the PAM account and session checks to run without
# PAM authentication, then enable this but set PasswordAuthentication
# and ChallengeResponseAuthentication to 'no'.
UsePAM yes
ClientAliveInterval 300
#enable remote powershell
#Subsystem powershell /usr/bin/pwsh -sshs -NoLogo

143
ansible/roles/base/tasks/main.yaml
View File

@@ -1,143 +0,0 @@
- name: Update packages
apt:
name: '*'
state: latest
update_cache: yes
only_upgrade: yes
retries: 300
delay: 10
- name: Remove packages not needed anymore
apt:
autoremove: yes
retries: 300
delay: 10
- name: Install required packages Debian
apt:
state: latest
pkg: "{{ item }}"
with_items: "{{ required_packages }}"
retries: 300
delay: 10
- name: Create user account
user:
name: "user"
shell: /bin/bash
state: present
createhome: yes
- name: ensure ssh folder exists for user
file:
path: /home/user/.ssh
owner: user
group: user
mode: "0700"
state: directory
- name: Deploy SSH Key (user)
copy:
dest: /home/user/.ssh/authorized_keys
src: files/authorized_keys_user
owner: user
group: user
force: true
- name: Remove Root SSH Configuration
file:
path: /root/.ssh
state: absent
- name: Copy Secured SSHD Configuration
copy:
src: files/sshd_config_secured
dest: /etc/ssh/sshd_config
owner: root
group: root
mode: "0644"
when: ansible_os_family == "Debian"
- name: Copy Secured SSHD Configuration
copy:
src: files/sshd_config_secured_redhat
dest: /etc/ssh/sshd_config
owner: root
group: root
mode: "0644"
when: ansible_os_family == "RedHat"
- name: Restart SSHD
systemd:
name: sshd
daemon_reload: yes
state: restarted
enabled: yes
ignore_errors: yes
- name: Copy unattended-upgrades file
copy:
src: files/10periodic
dest: /etc/apt/apt.conf.d/10periodic
owner: root
group: root
mode: "0644"
force: yes
when: ansible_os_family == "Debian"
- name: Remove undesirable packages
package:
name: "{{ unnecessary_software }}"
state: absent
when: ansible_os_family == "Debian"
- name: Stop and disable unnecessary services
service:
name: "{{ item }}"
state: stopped
enabled: no
with_items: "{{ unnecessary_services }}"
ignore_errors: yes
- name: Set a message of the day
copy:
dest: /etc/motd
src: files/motd
owner: root
group: root
mode: 0644
- name: Set a login banner
copy:
dest: "{{ item }}"
src: files/issue
owner: root
group: root
mode: 0644
with_items:
- /etc/issue
- /etc/issue.net
- name: set timezone
shell: timedatectl set-timezone America/Chicago
- name: Enable cockpit
systemd:
name: cockpit
daemon_reload: yes
state: restarted
enabled: yes
- name: change password
ansible.builtin.user:
name: "user"
state: present
password: "{{ lookup('ansible.builtin.env', 'USER_PASSWORD') | password_hash('sha512') }}"
- name: add user to sudoers
community.general.sudoers:
name: user
state: present
user: user
commands: ALL

17
ansible/roles/base/vars/main.yaml
View File

@@ -1,17 +0,0 @@
required_packages:
- ufw
- qemu-guest-agent
- fail2ban
- unattended-upgrades
- cockpit
- nfs-common
- open-iscsi
unnecessary_services:
- postfix
- telnet
unnecessary_software:
- tcpdump
- nmap-ncat
- wpa_supplicant

2
master/argocd/Chart.yaml → argocd/Chart.yaml
View File

@@ -9,6 +9,6 @@ appVersion: "1.16.0"
dependencies:
- name: argo-cd
repository: https://argoproj.github.io/argo-helm
version: 6.11.1
version: 6.7.11

4
master/argocd/templates/InternalProxy.yaml → argocd/templates/InternalProxy.yaml
View File

@@ -7,8 +7,8 @@ spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: main
path: master/internalproxy
targetRevision: dmz
path: internalproxy
directory:
recurse: true
destination:

8
master/argocd/templates/durpot.yaml → argocd/templates/argocd.yaml
View File

@@ -1,16 +1,16 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: durpot
name: argocd
namespace: argocd
spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: main
path: master/durpot
targetRevision: dmz
path: argocd
destination:
namespace: durpot
namespace: argocd
name: in-cluster
syncPolicy:
automated:

4
master/argocd/templates/cert-manager.yaml → argocd/templates/cert-manager.yaml
View File

@@ -7,8 +7,8 @@ spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: main
path: master/cert-manager
targetRevision: dmz
path: cert-manager
destination:
namespace: cert-manager
name: in-cluster

4
master/argocd/templates/external-dns.yaml → argocd/templates/external-dns.yaml
View File

@@ -7,8 +7,8 @@ spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: main
path: master/external-dns
targetRevision: dmz
path: external-dns
destination:
namespace: external-dns
name: in-cluster

4
master/argocd/templates/external-secrets.yaml → argocd/templates/external-secrets.yaml
View File

@@ -7,8 +7,8 @@ spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: main
path: master/external-secrets
targetRevision: dmz
path: external-secrets
destination:
namespace: external-secrets
name: in-cluster

4
master/argocd/templates/gatekeeper.yaml → argocd/templates/gatekeeper.yaml
View File

@@ -7,8 +7,8 @@ spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: main
path: master/gatekeeper
targetRevision: dmz
path: gatekeeper
destination:
namespace: gatekeeper
name: in-cluster

4
master/argocd/templates/gitlab-runner.yaml → argocd/templates/gitlab-runner.yaml
View File

@@ -7,8 +7,8 @@ spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: main
path: master/gitlab-runner
targetRevision: dmz
path: gitlab-runner
destination:
namespace: gitlab-runner
name: in-cluster

4
master/argocd/templates/kube-prometheus-stack.yaml → argocd/templates/kube-prometheus-stack.yaml
View File

@@ -7,8 +7,8 @@ spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: main
path: master/kube-prometheus-stack
targetRevision: dmz
path: kube-prometheus-stack
destination:
namespace: kube-prometheus-stack
name: in-cluster

4
master/argocd/templates/kubeclarity.yaml → argocd/templates/kubeclarity.yaml
View File

@@ -7,8 +7,8 @@ spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: main
path: master/kubeclarity
targetRevision: dmz
path: kubeclarity
destination:
namespace: kubeclarity
name: in-cluster

4
infra/argocd/templates/longhorn.yaml → argocd/templates/longhorn.yaml
View File

@@ -7,8 +7,8 @@ spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: main
path: infra/longhorn
targetRevision: dmz
path: longhorn
destination:
namespace: longhorn-system
name: in-cluster

4
master/argocd/templates/metallb-system.yaml → argocd/templates/metallb-system.yaml
View File

@@ -7,8 +7,8 @@ spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: main
path: master/metallb-system
targetRevision: dmz
path: metallb-system
destination:
namespace: metallb-system
name: in-cluster

4
master/argocd/templates/traefik.yaml → argocd/templates/traefik.yaml
View File

@@ -7,8 +7,8 @@ spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: main
path: master/traefik
targetRevision: dmz
path: traefik
destination:
namespace: traefik
name: in-cluster

4
master/argocd/templates/uptimekuma.yaml → argocd/templates/uptimekuma.yaml
View File

@@ -7,8 +7,8 @@ spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: main
path: master/uptimekuma
targetRevision: dmz
path: uptimekuma
directory:
recurse: true
destination:

14
master/argocd/templates/authentik.yaml → argocd/templates/vault.yaml
View File

@@ -1,16 +1,16 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: authentik
name: vault
namespace: argocd
spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: main
path: master/authentik
targetRevision: dmz
path: vault
destination:
namespace: authentik
namespace: vault
name: in-cluster
syncPolicy:
automated:
@@ -18,4 +18,8 @@ spec:
selfHeal: true
syncOptions:
- CreateNamespace=true
ignoreDifferences:
- group: admissionregistration.k8s.io
kind: MutatingWebhookConfiguration
jqPathExpressions:
- .webhooks[]?.clientConfig.caBundle

0
master/argocd/values.yaml → argocd/values.yaml
View File

2
master/cert-manager/Chart.yaml → cert-manager/Chart.yaml
View File

@@ -8,4 +8,4 @@ appVersion: 0.0.1
dependencies:
- name: cert-manager
repository: https://charts.jetstack.io
version: v1.15.3
version: 1.*.*

0
master/cert-manager/templates/letsencrypt-prroduction.yaml → cert-manager/templates/letsencrypt-prroduction.yaml
View File

0
master/cert-manager/templates/letsencrypt-staging.yaml → cert-manager/templates/letsencrypt-staging.yaml
View File

0
master/cert-manager/templates/sealedsecret.yaml → cert-manager/templates/sealedsecret.yaml
View File

0
master/cert-manager/values.yaml → cert-manager/values.yaml
View File

95
dmz/.gitlab/.gitlab-ci.yml
View File

@@ -1,95 +0,0 @@
stages:
- plan
- apply
- destroy
variables:
WORKDIR: $CI_PROJECT_DIR/dmz/terraform
GITLAB_TF_ADDRESS: ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/terraform/state/dmz
image:
name: registry.durp.info/opentofu/opentofu:latest
entrypoint: [""]
.tf-init:
before_script:
- cd $WORKDIR
- tofu init
-reconfigure
-backend-config="address=${GITLAB_TF_ADDRESS}"
-backend-config="lock_address=${GITLAB_TF_ADDRESS}/lock"
-backend-config="unlock_address=${GITLAB_TF_ADDRESS}/lock"
-backend-config="username=gitlab-ci-token"
-backend-config="password=${CI_JOB_TOKEN}"
-backend-config="lock_method=POST"
-backend-config="unlock_method=DELETE"
-backend-config="retry_wait_min=5"
format:
stage: .pre
allow_failure: false
script:
- cd $WORKDIR
- tofu fmt -diff -check -write=false
rules:
- changes:
- "dmz/terraform/*.tf"
validate:
stage: .pre
allow_failure: false
extends: .tf-init
script:
- tofu validate
rules:
- changes:
- "dmz/terraform/*.tf"
plan-dmz-infrastructure:
stage: plan
variables:
PLAN: plan.tfplan
JSON_PLAN_FILE: tfplan.json
ENVIRONMENT_NAME: dmz
allow_failure: false
extends: .tf-init
script:
- apk add --update curl jq
- alias convert_report="jq -r '([.resource_changes[].change.actions?]|flatten)|{\"create\":(map(select(.==\"create\"))|length),\"update\":(map(select(.==\"update\"))|length),\"delete\":(map(select(.==\"delete\"))|length)}'"
- tofu plan -out=$PLAN $ARGUMENTS
- tofu show --json $PLAN | jq -r '([.resource_changes[].change.actions?]|flatten)|{"create":(map(select(.=="create"))|length),"update":(map(select(.=="update"))|length),"delete":(map(select(.=="delete"))|length)}' > $JSON_PLAN_FILE
artifacts:
reports:
terraform: $WORKDIR/$JSON_PLAN_FILE
needs: ["validate","format"]
rules:
- changes:
- "dmz/terraform/*.tf"
apply-dmz-infrastructure:
stage: apply
variables:
ENVIRONMENT_NAME: dmz
allow_failure: false
extends: .tf-init
script:
- tofu apply -auto-approve $ARGUMENTS
rules:
- changes:
- "dmz/terraform/*.tf"
when: manual
needs: ["plan-dmz-infrastructure"]
destroy-dmz-infrastructure:
stage: destroy
variables:
ENVIRONMENT_NAME: dmz
allow_failure: false
extends: .tf-init
script:
- tofu destroy -auto-approve $ARGUMENTS
rules:
- changes:
- "dmz/terraform/*.tf"
when: manual
needs: ["plan-dmz-infrastructure"]

12
dmz/authentik/Chart.yaml
View File

@@ -1,12 +0,0 @@
apiVersion: v2
name: authentik
description: A Helm chart for Kubernetes
type: application
version: 0.1.0
appVersion: "1.16.0"
dependencies:
- name: authentik-remote-cluster
repository: https://charts.goauthentik.io
version: 2.0.0

30
dmz/authentik/values.yaml
View File

@@ -1,30 +0,0 @@
authentik-remote-cluster:
# -- Provide a name in place of `authentik`. Prefer using global.nameOverride if possible
nameOverride: ""
# -- String to fully override `"authentik.fullname"`. Prefer using global.fullnameOverride if possible
fullnameOverride: ""
# -- Override the Kubernetes version, which is used to evaluate certain manifests
kubeVersionOverride: ""
## Globally shared configuration for authentik components.
global:
# -- Provide a name in place of `authentik`
nameOverride: ""
# -- String to fully override `"authentik.fullname"`
fullnameOverride: ""
# -- A custom namespace to override the default namespace for the deployed resources.
namespaceOverride: ""
# -- Common labels for all resources.
additionalLabels: {}
# app: authentik
# -- Annotations to apply to all resources
annotations: {}
serviceAccountSecret:
# -- Create a secret with the service account credentials
enabled: true
clusterRole:
# -- Create a clusterole in addition to a namespaced role.
enabled: true

11
dmz/cert-manager/Chart.yaml
View File

@@ -1,11 +0,0 @@
apiVersion: v2
name: cert-manager
description: A Helm chart for Kubernetes
type: application
version: 0.0.1
appVersion: 0.0.1
dependencies:
- name: cert-manager
repository: https://charts.jetstack.io
version: v1.16.3

16
dmz/cert-manager/templates/issuer.yaml
View File

@@ -1,16 +0,0 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: issuer
secrets:
- name: issuer-token-lmzpj
---
apiVersion: v1
kind: Secret
metadata:
name: issuer-token-lmzpj
annotations:
kubernetes.io/service-account.name: issuer
type: kubernetes.io/service-account-token

35
dmz/cert-manager/templates/letsencrypt.yaml
View File

File diff suppressed because one or more lines are too long

22
dmz/cert-manager/templates/secretvault.yaml
View File

@@ -1,22 +0,0 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: cloudflare-api-token-secret
spec:
secretStoreRef:
name: vault
kind: ClusterSecretStore
target:
name: cloudflare-api-token-secret
data:
- secretKey: cloudflare-api-token-secret
remoteRef:
key: kv/cert-manager
property: cloudflare-api-token-secret
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: vault

26
dmz/cert-manager/values.yaml
View File

@@ -1,26 +0,0 @@
cert-manager:
crds:
enabled: true
image:
registry: registry.internal.durp.info
repository: jetstack/cert-manager-controller
pullPolicy: Always
replicaCount: 3
extraArgs:
- --dns01-recursive-nameservers=1.1.1.1:53,1.0.0.1:53
- --dns01-recursive-nameservers-only
podDnsPolicy: None
podDnsConfig:
nameservers:
- "1.1.1.1"
- "1.0.0.1"
webhook:
image:
registry: registry.internal.durp.info
repository: jetstack/cert-manager-webhook
pullPolicy: Always
cainjector:
image:
registry: registry.internal.durp.info
repository: jetstack/cert-manager-cainjector
pullPolicy: Always

30
dmz/external-dns/templates/secrets.yaml
View File

@@ -1,30 +0,0 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: external-dns-secret
spec:
secretStoreRef:
name: vault
kind: ClusterSecretStore
target:
name: external-dns
data:
- secretKey: cloudflare_api_email
remoteRef:
key: kv/cloudflare
property: cloudflare_api_email
- secretKey: cloudflare_api_key
remoteRef:
key: kv/cloudflare
property: cloudflare_api_key
- secretKey: cloudflare_api_token
remoteRef:
key: kv/cloudflare
property: cloudflare_api_token
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: vault

18
dmz/external-dns/values.yaml
View File

@@ -1,18 +0,0 @@
external-dns:
global:
imageRegistry: "registry.durp.info"
image:
pullPolicy: Always
txtPrefix: "dmz-"
sources:
- service
provider: cloudflare
cloudflare:
secretName : "external-dns"
proxied: false
policy: sync

11
dmz/external-secrets/Chart.yaml
View File

@@ -1,11 +0,0 @@
apiVersion: v2
name: external-secrets
description: A Helm chart for Kubernetes
type: application
version: 0.0.1
appVersion: 0.0.1
dependencies:
- name: external-secrets
repository: https://charts.external-secrets.io
version: 0.13.0

81
dmz/external-secrets/templates/ca.yaml
View File

@@ -1,81 +0,0 @@
apiVersion: v1
data:
vault.pem: |
-----BEGIN CERTIFICATE-----
MIIEszCCA5ugAwIBAgIUZEzzxqEuYiKHkL1df+Cb22NRRJMwDQYJKoZIhvcNAQEL
BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzIyMzQ0MloXDTM1MDEy
MTExMTU1NVowIDEeMBwGA1UEAxMVdmF1bHQuaW5mcmEuZHVycC5pbmZvMIIBIjAN
BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkZM0ue4bMcmmATs+kGYSpR2hLUzq
scGIwCtqmaKCMbd1xhmgjnIR3zvSRptLR2GVGvc1ti6qby0jXYvcqbxkHvay00zW
2zYN+M2m4lXpuWzg1t6NEoO6XGAsGj2v0vcVktPPU9uj0rGUVGWWfsvjoXqQFg5I
jdxsxK9SvMvw2XtE3FgKxpzCyw94InIHlcPwFTO+3ZdKStZlMbUDIkmszLBrWFcr
XOsPDfLxqMy0Ck//LKIt8djh3254FHB1GG5+kI+JSW1o+tUcL2NymvIINwm/2acS
1uTm+j9W7iEXav0pJNmm+/dzSskc3Y0ftM0h2HCXgitBIaEZnUVneNHOLwIDAQAB
o4IB7zCCAeswDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O
BBYEFCaQ2q7j7LyBGETEZ5qaJAdlISKCMB8GA1UdIwQYMBaAFO1jCyGkpFO+QiR2
dfBMWVYeWrQ2MIH0BggrBgEFBQcBAQSB5zCB5DAzBggrBgEFBQcwAYYnaHR0cHM6
Ly8xOTIuMTY4LjIwLjI1Mzo4MjAxL3YxL3BraS9vY3NwMD0GCCsGAQUFBzABhjFo
dHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3BraS9vY3Nw
MDEGCCsGAQUFBzAChiVodHRwczovLzE5Mi4xNjguMjAuMjUzOjgyMDEvdjEvcGtp
L2NhMDsGCCsGAQUFBzAChi9odHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVy
cC5pbmZvL3YxL3BraS9jYTAgBgNVHREEGTAXghV2YXVsdC5pbmZyYS5kdXJwLmlu
Zm8wbwYDVR0fBGgwZjAsoCqgKIYmaHR0cHM6Ly8xOTIuMTY4LjIwLjI1Mzo4MjAx
L3YxL3BraS9jcmwwNqA0oDKGMGh0dHBzOi8vcm9vdC12YXVsdC5pbnRlcm5hbC5k
dXJwLmluZm8vdjEvcGtpL2NybDANBgkqhkiG9w0BAQsFAAOCAQEAuJ+lplY/+A5L
5LzkljbKDTy3U6PLv1LtxqVCOFGiJXBnXMjtVW07bBEUadzFRNW8GHQ3w5QzOG6k
/vE/TrrJho7l05J/uc+BUrPSNjefLmQV6hn4jrP86PR0vzRfbSqKKBIID9M7+zi6
GFvHlVkSHsQyMQp7JOoax9KVzW2Y+OIgw7Lgw2tP122WCt2SIF0QenoZHsoW0guj
tzTJRmJDjn6XeJ7L3FPkf37H6ub0Jg3zBGr6eorEFfYZNN5CXezjqMFBpRdq4UIo
1M3A7o3uyZFcFsp/vGDcMBkwaCsBV9idu/HwkvGaTUNI285ilBORPD0bMZnACq/9
+Q/cdsO5lg==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIEmzCCA4OgAwIBAgIUQwCAs82sgSuiaVbjANHScO2DSfAwDQYJKoZIhvcNAQEL
BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzExMjEyNVoXDTM1MDEy
MTExMTU1NVowFDESMBAGA1UEAxMJZHVycC5pbmZvMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEAn9fjGRqqFsqguz56X6cXZwEMtD9wElwSFCb4Fc8YTzlH
4fV13QwXKESLE/Q+7bw4y4FJQ8BiGNbxxbQOOgWhfGGlQyFa1lfhJtYLfqRN5C2/
S7nr0YxDB9duc4OAExVL6Pr4/Koc+vDZY03l7RzwnF2AOM9DjFTASw01TphCQjRk
U+upiN2TUhUPejV/gMR+zXM6pn98UBKG1dNubS0HzAMwAEXAPm141NDyWUCPT9+3
6P03Ka8mUTx3X49OCtvJEGEQbtlnTFQaOSkP1yLW+XRMHw3sQaV2PWXu5fInbEpZ
+SuzmgLOXtmQNmHLav9q1qeTVkpBGPWvfh2Vh1JJhQIDAQABo4IB4zCCAd8wDgYD
VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFJaP17f1Zw0V
55Ks9Uf0USVWl0BPMB8GA1UdIwQYMBaAFO1jCyGkpFO+QiR2dfBMWVYeWrQ2MIH0
BggrBgEFBQcBAQSB5zCB5DAzBggrBgEFBQcwAYYnaHR0cHM6Ly8xOTIuMTY4LjIw
LjI1Mzo4MjAxL3YxL3BraS9vY3NwMD0GCCsGAQUFBzABhjFodHRwczovL3Jvb3Qt
dmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3BraS9vY3NwMDEGCCsGAQUFBzAC
hiVodHRwczovLzE5Mi4xNjguMjAuMjUzOjgyMDEvdjEvcGtpL2NhMDsGCCsGAQUF
BzAChi9odHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3Br
aS9jYTAUBgNVHREEDTALgglkdXJwLmluZm8wbwYDVR0fBGgwZjAsoCqgKIYmaHR0
cHM6Ly8xOTIuMTY4LjIwLjI1Mzo4MjAxL3YxL3BraS9jcmwwNqA0oDKGMGh0dHBz
Oi8vcm9vdC12YXVsdC5pbnRlcm5hbC5kdXJwLmluZm8vdjEvcGtpL2NybDANBgkq
hkiG9w0BAQsFAAOCAQEAiqAZ4zNIEkCWcvpDRq0VyJuk59sVtJr5X4FscHQ179nE
QbbvMe+EBDFS6XQml1Elj8jiPa/D5O9Oc6Iisnm5+weZKwApz/lQ+XVkWLCoEplB
ZZ9fcWVCbMLt0xlt8qn5z/mYKfbCT7ZCqDO+prQZt+ADJcQbiknfroAAqEbNKxwN
Y9uUyOWNF3SxJEch4w2dtX+IEVmxeZnhMy8OuP0SQKl8aW40ugiG0ZD5yTBBfOD9
zsrGSU/iSatn0b7bevBhaL96hz1/rNR1cL+4/albX2hrr8Rv3/SB2DLtNQlQW0ls
AfhXAqP5zL+Ytgf1Of/pVdgnhxrYUY7RKCSGY5Hagw==
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
MIIDLzCCAhegAwIBAgIUNHdvOzam2HPVdwXpMHUy4wl8ZRYwDQYJKoZIhvcNAQEL
BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzExMTUyNVoXDTM1MDEy
MTExMTU1NVowFDESMBAGA1UEAxMJZHVycC5pbmZvMIIBIjANBgkqhkiG9w0BAQEF
AAOCAQ8AMIIBCgKCAQEA8XDTVEtRI3+k4yuvqVqfIiLRQJcXbmhfVtAeYk+5j9Ox
p1w9YHdnPLqLFrD1PzadjqYeAp/fwlEFfs6lqwoTS8S9vhaFqcgB57nVMb77dTBb
/08XHXOU6FPRjdFKm5QMpS7tn1XacPMy/o0bKqRREQeiuFDGVRyuF5PUgvWc1dvJ
l27JvvgYktgjfpNS4DlCxg4lGXT5abvaKf2hnr65egaIo/yRWN9wnvAzRiY7oci7
GA1oKz87Yc1tfL2gcynrwccOOCF/eUKesJR1I6GXNkN/a1fcr+Ld9Z9NhHBtO+vE
N8DsZY+kG7DE3M4BCCTFUzllcYHjaW4HaF9vZW+PYwIDAQABo3kwdzAOBgNVHQ8B
Af8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU7WMLIaSkU75CJHZ1
8ExZVh5atDYwHwYDVR0jBBgwFoAU7WMLIaSkU75CJHZ18ExZVh5atDYwFAYDVR0R
BA0wC4IJZHVycC5pbmZvMA0GCSqGSIb3DQEBCwUAA4IBAQAS/qUI/1Yv07xUTK5k
r93kC7GSPpmpkXIsfjChAl93sebN143fu70NUP74jjCc0Wkb8hRofGg10E+/24r1
AI0KsLhzKzfIASxUVQAn8RTptLruaaPLboSA4MUZ8IB5y8Vy8E3/KtD0gD80j64Y
rm9XGHA0HTJHbPUTb/Rux2g0E7WtiyWSWH8mqzbegU8IrkM3eVT4+ylBE7YkfWDD
dw44sB71tfmDKpzWg6XQ6YMh0YfnyG1fYCj9LhuecNY9Uuo6cjDaAvkzMewWwqDx
Q2Ekas98Di6itCP8vET+gBDjeCc+XR6Hx6vzWmxlZhwDuxEKL1a2/DabUxJyMNzv
55Fn
-----END CERTIFICATE-----
kind: ConfigMap
metadata:
name: ca-pemstore

94
dmz/external-secrets/values.yaml
View File

@@ -1,94 +0,0 @@
external-secrets:
replicaCount: 3
revisionHistoryLimit: 1
leaderElect: true
installCRDs: true
crds:
createClusterExternalSecret: true
createClusterSecretStore: true
createClusterGenerator: true
createPushSecret: true
conversion:
enabled: false
image:
repository: registry.internal.durp.info/external-secrets/external-secrets
pullPolicy: Always
extraVolumes:
- name: ca-pemstore
configMap:
name: ca-pemstore
extraVolumeMounts:
- name: ca-pemstore
mountPath: /etc/ssl/certs/vault.pem
subPath: vault.pem
readOnly: true
resources:
requests:
memory: 32Mi
cpu: 10m
limits:
memory: 32Mi
cpu: 10m
webhook:
create: false
failurePolicy: Ignore
log:
level: debug
image:
repository: registry.internal.durp.info/external-secrets/external-secrets
pullPolicy: Always
extraVolumes:
- name: ca-pemstore
configMap:
name: ca-pemstore
extraVolumeMounts:
- name: ca-pemstore
mountPath: /etc/ssl/certs/vault.pem
subPath: vault.pem
readOnly: true
resources:
requests:
memory: 32Mi
cpu: 10m
limits:
memory: 32Mi
cpu: 10m
certController:
create: false
revisionHistoryLimit: 1
log:
level: debug
image:
repository: registry.internal.durp.info/external-secrets/external-secrets
pullPolicy: Always
tag: ""
resources:
requests:
memory: 32Mi
cpu: 10m
limits:
memory: 32Mi
cpu: 10m
extraVolumes:
- name: ca-pemstore
configMap:
name: ca-pemstore
extraVolumeMounts:
- name: ca-pemstore
mountPath: /etc/ssl/certs/vault.pem
subPath: vault.pem
readOnly: true

42
dmz/internalproxy/templates/authentik.yaml
View File

@@ -1,42 +0,0 @@
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: authentik-ingress
spec:
entryPoints:
- websecure
routes:
- match: Host(`authentik.durp.info`) && PathPrefix(`/`)
kind: Rule
services:
- name: infra-cluster
port: 443
tls:
secretName: authentik-tls
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: authentik-tls
spec:
issuerRef:
name: letsencrypt-production
kind: ClusterIssuer
secretName: authentik-tls
commonName: "authentik.durp.info"
dnsNames:
- "authentik.durp.info"
---
kind: Service
apiVersion: v1
metadata:
name: authentik-external-dns
annotations:
external-dns.alpha.kubernetes.io/hostname: authentik.durp.info
spec:
type: ExternalName
externalName: durp.info

45
dmz/internalproxy/templates/endpoints.yaml
View File

@@ -1,45 +0,0 @@
apiVersion: v1
kind: Endpoints
metadata:
name: master-cluster
subsets:
- addresses:
- ip: 192.168.20.130
ports:
- port: 443
---
apiVersion: v1
kind: Service
metadata:
name: master-cluster
spec:
ports:
- protocol: TCP
port: 443
targetPort: 443
---
apiVersion: v1
kind: Endpoints
metadata:
name: infra-cluster
subsets:
- addresses:
- ip: 192.168.12.130
ports:
- port: 443
---
apiVersion: v1
kind: Service
metadata:
name: infra-cluster
spec:
ports:
- protocol: TCP
port: 443
targetPort: 443

72
dmz/internalproxy/templates/gitea.yaml
View File

@@ -1,72 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: gitea
spec:
ports:
- name: app
port: 3000
protocol: TCP
targetPort: 3000
clusterIP: None
type: ClusterIP
---
apiVersion: v1
kind: Endpoints
metadata:
name: gitea
subsets:
- addresses:
- ip: 192.168.21.200
ports:
- name: app
port: 3000
protocol: TCP
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: gitea-ingress
spec:
entryPoints:
- websecure
routes:
- match: Host(`gitea.durp.info`) && PathPrefix(`/`)
kind: Rule
services:
- name: gitea
port: 3000
scheme: http
tls:
secretName: gitea-tls
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: gitea-tls
spec:
secretName: gitea-tls
issuerRef:
name: letsencrypt-production
kind: ClusterIssuer
commonName: "gitea.durp.info"
dnsNames:
- "gitea.durp.info"
---
kind: Service
apiVersion: v1
metadata:
name: gitea-external-dns
annotations:
external-dns.alpha.kubernetes.io/hostname: gitea.durp.info
spec:
type: ExternalName
externalName: durp.info

72
dmz/internalproxy/templates/kasm.yaml
View File

@@ -1,72 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: kasm
spec:
ports:
- name: app
port: 443
protocol: TCP
targetPort: 443
clusterIP: None
type: ClusterIP
---
apiVersion: v1
kind: Endpoints
metadata:
name: kasm
subsets:
- addresses:
- ip: 192.168.20.104
ports:
- name: app
port: 443
protocol: TCP
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: kasm-ingress
spec:
entryPoints:
- websecure
routes:
- match: Host(`kasm.durp.info`) && PathPrefix(`/`)
kind: Rule
services:
- name: kasm
port: 443
scheme: https
tls:
secretName: kasm-tls
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: kasm-tls
spec:
secretName: kasm-tls
issuerRef:
name: letsencrypt-production
kind: ClusterIssuer
commonName: "kasm.durp.info"
dnsNames:
- "kasm.durp.info"
---
kind: Service
apiVersion: v1
metadata:
name: kasm-external-dns
annotations:
external-dns.alpha.kubernetes.io/hostname: kasm.durp.info
spec:
type: ExternalName
externalName: durp.info

71
dmz/internalproxy/templates/nexus.yaml
View File

@@ -1,71 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: nexus
spec:
ports:
- name: app
port: 8081
protocol: TCP
targetPort: 8081
clusterIP: None
type: ClusterIP
---
apiVersion: v1
kind: Endpoints
metadata:
name: nexus
subsets:
- addresses:
- ip: 192.168.20.200
ports:
- name: app
port: 8081
protocol: TCP
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: nexus-ingress
spec:
entryPoints:
- websecure
routes:
- match: Host(`nexus.durp.info`) && PathPrefix(`/`)
kind: Rule
services:
- name: nexus
port: 8081
tls:
secretName: nexus-tls
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: nexus-tls
spec:
secretName: nexus-tls
issuerRef:
name: letsencrypt-production
kind: ClusterIssuer
commonName: "nexus.durp.info"
dnsNames:
- "nexus.durp.info"
---
kind: Service
apiVersion: v1
metadata:
name: nexus-external-dns
annotations:
external-dns.alpha.kubernetes.io/hostname: nexus.durp.info
spec:
type: ExternalName
externalName: durp.info

102
dmz/internalproxy/templates/ollama.yaml
View File

@@ -1,102 +0,0 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: ollama-secret
spec:
secretStoreRef:
name: vault
kind: ClusterSecretStore
target:
name: ollama-secret
data:
- secretKey: users
remoteRef:
key: kv/ollama
property: users
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: ollama-basic-auth
spec:
basicAuth:
headerField: x-api-key
secret: ollama-secret
---
apiVersion: v1
kind: Service
metadata:
name: ollama
spec:
ports:
- name: app
port: 11435
protocol: TCP
targetPort: 11435
clusterIP: None
type: ClusterIP
---
apiVersion: v1
kind: Endpoints
metadata:
name: ollama
subsets:
- addresses:
- ip: 192.168.20.104
ports:
- name: app
port: 11435
protocol: TCP
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: ollama-ingress
spec:
entryPoints:
- websecure
routes:
- match: Host(`ollama.durp.info`) && PathPrefix(`/`)
middlewares:
- name: ollama-basic-auth
kind: Rule
services:
- name: ollama
port: 11435
tls:
secretName: ollama-tls
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: ollama-tls
spec:
secretName: ollama-tls
issuerRef:
name: letsencrypt-production
kind: ClusterIssuer
commonName: "ollama.durp.info"
dnsNames:
- "ollama.durp.info"
---
kind: Service
apiVersion: v1
metadata:
name: ollama-external-dns
annotations:
external-dns.alpha.kubernetes.io/hostname: ollama.durp.info
spec:
type: ExternalName
externalName: durp.info

30
dmz/internalproxy/templates/open-webui.yaml
View File

@@ -1,30 +0,0 @@
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: open-webui-ingress
spec:
entryPoints:
- websecure
routes:
- match: Host(`open-webui.durp.info`) && PathPrefix(`/`)
kind: Rule
services:
- name: master-cluster
port: 443
tls:
secretName: open-webui-tls
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: open-webui-tls
spec:
secretName: open-webui-tls
issuerRef:
name: letsencrypt-production
kind: ClusterIssuer
commonName: "open-webui.durp.info"
dnsNames:
- "open-webui.durp.info"

72
dmz/internalproxy/templates/plex.yaml
View File

@@ -1,72 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: plex
spec:
ports:
- name: app
port: 32400
protocol: TCP
targetPort: 32400
clusterIP: None
type: ClusterIP
---
apiVersion: v1
kind: Endpoints
metadata:
name: plex
subsets:
- addresses:
- ip: 192.168.20.200
ports:
- name: app
port: 32400
protocol: TCP
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: plex-ingress
spec:
entryPoints:
- websecure
routes:
- match: Host(`plex.durp.info`) && PathPrefix(`/`)
kind: Rule
services:
- name: plex
port: 32400
scheme: https
tls:
secretName: plex-tls
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: plex-tls
spec:
secretName: plex-tls
issuerRef:
name: letsencrypt-production
kind: ClusterIssuer
commonName: "plex.durp.info"
dnsNames:
- "plex.durp.info"
---
kind: Service
apiVersion: v1
metadata:
name: plex-external-dns
annotations:
external-dns.alpha.kubernetes.io/hostname: plex.durp.info
spec:
type: ExternalName
externalName: durp.info

71
dmz/internalproxy/templates/registry.yaml
View File

@@ -1,71 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: registry
spec:
ports:
- name: app
port: 5000
protocol: TCP
targetPort: 5000
clusterIP: None
type: ClusterIP
---
apiVersion: v1
kind: Endpoints
metadata:
name: registry
subsets:
- addresses:
- ip: 192.168.20.200
ports:
- name: app
port: 5000
protocol: TCP
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: registry-ingress
spec:
entryPoints:
- websecure
routes:
- match: Host(`registry.durp.info`) && PathPrefix(`/`)
kind: Rule
services:
- name: registry
port: 5000
tls:
secretName: registry-tls
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: registry-tls
spec:
secretName: registry-tls
issuerRef:
name: letsencrypt-production
kind: ClusterIssuer
commonName: "registry.durp.info"
dnsNames:
- "registry.durp.info"
---
kind: Service
apiVersion: v1
metadata:
name: registry-external-dns
annotations:
external-dns.alpha.kubernetes.io/hostname: registry.durp.info
spec:
type: ExternalName
externalName: durp.info

63
dmz/internalproxy/templates/root-vault.yaml
View File

@@ -1,63 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: root-vault
spec:
ports:
- name: app
port: 8201
protocol: TCP
targetPort: 8201
clusterIP: None
type: ClusterIP
---
apiVersion: v1
kind: Endpoints
metadata:
name: root-vault
subsets:
- addresses:
- ip: 192.168.21.200
ports:
- name: app
port: 8201
protocol: TCP
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: root-vault-ingress
spec:
entryPoints:
- websecure
routes:
- match: Host(`root-vault.internal.durp.info`) && PathPrefix(`/`)
middlewares:
- name: whitelist
namespace: traefik
kind: Rule
services:
- name: root-vault
port: 8201
scheme: https
tls:
secretName: root-vault-tls
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: root-vault-tls
spec:
secretName: root-vault-tls
issuerRef:
name: vault-issuer
kind: ClusterIssuer
commonName: "root-vault.internal.durp.info"
dnsNames:
- "root-vault.internal.durp.info"

4
dmz/internalproxy/templates/serviceaccount.yaml
View File

@@ -1,4 +0,0 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: vault

76
dmz/internalproxy/templates/smokeping.yaml
View File

@@ -1,76 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: smokeping
spec:
ports:
- name: app
port: 81
protocol: TCP
targetPort: 81
clusterIP: None
type: ClusterIP
---
apiVersion: v1
kind: Endpoints
metadata:
name: smokeping
subsets:
- addresses:
- ip: 192.168.21.200
ports:
- name: app
port: 81
protocol: TCP
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: smokeping-ingress
spec:
entryPoints:
- websecure
routes:
- match: Host(`smokeping.durp.info`) && PathPrefix(`/`)
middlewares:
- name: whitelist
namespace: traefik
- name: authentik-proxy-provider
namespace: traefik
kind: Rule
services:
- name: smokeping
port: 81
tls:
secretName: smokeping-tls
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: smokeping-tls
spec:
secretName: smokeping-tls
issuerRef:
name: letsencrypt-production
kind: ClusterIssuer
commonName: "smokeping.durp.info"
dnsNames:
- "smokeping.durp.info"
---
kind: Service
apiVersion: v1
metadata:
name: smokeping-external-dns
annotations:
external-dns.alpha.kubernetes.io/hostname: smokeping.durp.info
spec:
type: ExternalName
externalName: durp.info

74
dmz/internalproxy/templates/speedtest.yaml
View File

@@ -1,74 +0,0 @@
apiVersion: v1
kind: Service
metadata:
name: speedtest
spec:
ports:
- name: app
port: 6580
protocol: TCP
targetPort: 6580
clusterIP: None
type: ClusterIP
---
apiVersion: v1
kind: Endpoints
metadata:
name: speedtest
subsets:
- addresses:
- ip: 192.168.21.200
ports:
- name: app
port: 6580
protocol: TCP
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: speedtest-ingress
spec:
entryPoints:
- websecure
routes:
- match: Host(`speedtest.durp.info`) && PathPrefix(`/`)
kind: Rule
middlewares:
- name: authentik-proxy-provider
namespace: traefik
services:
- name: speedtest
port: 6580
tls:
secretName: speedtest-tls
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: speedtest-tls
spec:
secretName: speedtest-tls
issuerRef:
name: letsencrypt-production
kind: ClusterIssuer
commonName: "speedtest.durp.info"
dnsNames:
- "speedtest.durp.info"
---
kind: Service
apiVersion: v1
metadata:
name: speedtest-external-dns
annotations:
external-dns.alpha.kubernetes.io/hostname: speedtest.durp.info
spec:
type: ExternalName
externalName: durp.info

17
dmz/istio-system/Chart.yaml
View File

@@ -1,17 +0,0 @@
apiVersion: v2
name: istio-system
description: A Helm chart for Kubernetes
type: application
version: 0.0.1
appVersion: 0.0.1
dependencies:
- name: base
repository: https://istio-release.storage.googleapis.com/charts
version: 1.25.0
- name: istiod
repository: https://istio-release.storage.googleapis.com/charts
version: 1.25.0
- name: gateway
repository: https://istio-release.storage.googleapis.com/charts
version: 1.25.0

13
dmz/istio-system/templates/annotate.yaml
View File

@@ -1,13 +0,0 @@
apiVersion: v1
kind: Namespace
metadata:
annotations:
topology.istio.io/controlPlaneClusters: cluster1
labels:
kubernetes.io/metadata.name: istio-system
name: istio-system
spec:
finalizers:
- kubernetes
status:
phase: Active

725
dmz/istio-system/values.yaml
View File

@@ -1,725 +0,0 @@
istiod:
profile: remote
autoscaleEnabled: true
autoscaleMin: 1
autoscaleMax: 5
autoscaleBehavior: {}
replicaCount: 1
rollingMaxSurge: 100%
rollingMaxUnavailable: 25%
hub: ""
tag: ""
variant: ""
# Can be a full hub/image:tag
image: pilot
traceSampling: 1.0
# Resources for a small pilot install
resources:
requests:
cpu: 500m
memory: 2048Mi
# Set to `type: RuntimeDefault` to use the default profile if available.
seccompProfile: {}
# Whether to use an existing CNI installation
cni:
enabled: false
provider: default
# Additional container arguments
extraContainerArgs: []
env: {}
# Settings related to the untaint controller
# This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready
# It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes
taint:
# Controls whether or not the untaint controller is active
enabled: false
# What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod
namespace: ""
affinity: {}
tolerations: []
cpu:
targetAverageUtilization: 80
memory: {}
# targetAverageUtilization: 80
# Additional volumeMounts to the istiod container
volumeMounts: []
# Additional volumes to the istiod pod
volumes: []
# Inject initContainers into the istiod pod
initContainers: []
nodeSelector: {}
podAnnotations: {}
serviceAnnotations: {}
serviceAccountAnnotations: {}
sidecarInjectorWebhookAnnotations: {}
topologySpreadConstraints: []
# You can use jwksResolverExtraRootCA to provide a root certificate
# in PEM format. This will then be trusted by pilot when resolving
# JWKS URIs.
jwksResolverExtraRootCA: ""
# The following is used to limit how long a sidecar can be connected
# to a pilot. It balances out load across pilot instances at the cost of
# increasing system churn.
keepaliveMaxServerConnectionAge: 30m
# Additional labels to apply to the deployment.
deploymentLabels: {}
## Mesh config settings
# Install the mesh config map, generated from values.yaml.
# If false, pilot wil use default values (by default) or user-supplied values.
configMap: true
# Additional labels to apply on the pod level for monitoring and logging configuration.
podLabels: {}
# Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
ipFamilyPolicy: ""
ipFamilies: []
# Ambient mode only.
# Set this if you install ztunnel to a different namespace from `istiod`.
# If set, `istiod` will allow connections from trusted node proxy ztunnels
# in the provided namespace.
# If unset, `istiod` will assume the trusted node proxy ztunnel resides
# in the same namespace as itself.
trustedZtunnelNamespace: ""
sidecarInjectorWebhook:
# You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
# always skip the injection on pods that match that label selector, regardless of the global policy.
# See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
neverInjectSelector: []
alwaysInjectSelector: []
# injectedAnnotations are additional annotations that will be added to the pod spec after injection
# This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations:
#
# annotations:
# apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
# apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
#
# The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before
# the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify:
# injectedAnnotations:
# container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default
# container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default
injectedAnnotations: {}
# This enables injection of sidecar in all namespaces,
# with the exception of namespaces with "istio-injection:disabled" annotation
# Only one environment should have this enabled.
enableNamespacesByDefault: false
# Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run
# once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten.
# Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur.
reinvocationPolicy: Never
rewriteAppHTTPProbe: true
# Templates defines a set of custom injection templates that can be used. For example, defining:
#
# templates:
# hello: |
# metadata:
# labels:
# hello: world
#
# Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod
# being injected with the hello=world labels.
# This is intended for advanced configuration only; most users should use the built in template
templates: {}
# Default templates specifies a set of default templates that are used in sidecar injection.
# By default, a template `sidecar` is always provided, which contains the template of default sidecar.
# To inject other additional templates, define it using the `templates` option, and add it to
# the default templates list.
# For example:
#
# templates:
# hello: |
# metadata:
# labels:
# hello: world
#
# defaultTemplates: ["sidecar", "hello"]
defaultTemplates: []
istiodRemote:
# If `true`, indicates that this cluster/install should consume a "remote istiod" installation,
# and istiod itself will NOT be installed in this cluster - only the support resources necessary
# to utilize a remote instance.
enabled: false
# Sidecar injector mutating webhook configuration clientConfig.url value.
# For example: https://$remotePilotAddress:15017/inject
# The host should not refer to a service running in the cluster; use a service reference by specifying
# the clientConfig.service field instead.
injectionURL: ""
# Sidecar injector mutating webhook configuration path value for the clientConfig.service field.
# Override to pass env variables, for example: /inject/cluster/remote/net/network2
injectionPath: "/inject/cluster/cluster2/net/network1"
injectionCABundle: ""
telemetry:
enabled: true
v2:
# For Null VM case now.
# This also enables metadata exchange.
enabled: true
# Indicate if prometheus stats filter is enabled or not
prometheus:
enabled: true
# stackdriver filter settings.
stackdriver:
enabled: false
# Revision is set as 'version' label and part of the resource names when installing multiple control planes.
revision: ""
# Revision tags are aliases to Istio control plane revisions
revisionTags: []
# For Helm compatibility.
ownerName: ""
# meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior
# See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options
meshConfig:
enablePrometheusMerge: true
experimental:
stableValidationPolicy: false
global:
# Used to locate istiod.
istioNamespace: istio-system
# List of cert-signers to allow "approve" action in the istio cluster role
#
# certSigners:
# - clusterissuers.cert-manager.io/istio-ca
certSigners: []
# enable pod disruption budget for the control plane, which is used to
# ensure Istio control plane components are gradually upgraded or recovered.
defaultPodDisruptionBudget:
enabled: true
# The values aren't mutable due to a current PodDisruptionBudget limitation
# minAvailable: 1
# A minimal set of requested resources to applied to all deployments so that
# Horizontal Pod Autoscaler will be able to function (if set).
# Each component can overwrite these default values by adding its own resources
# block in the relevant section below and setting the desired resources values.
defaultResources:
requests:
cpu: 10m
# memory: 128Mi
# limits:
# cpu: 100m
# memory: 128Mi
# Default hub for Istio images.
# Releases are published to docker hub under 'istio' project.
# Dev builds from prow are on gcr.io
hub: docker.io/istio
# Default tag for Istio images.
tag: 1.25.0
# Variant of the image to use.
# Currently supported are: [debug, distroless]
variant: ""
# Specify image pull policy if default behavior isn't desired.
# Default behavior: latest images will be Always else IfNotPresent.
imagePullPolicy: ""
# ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
# to use for pulling any images in pods that reference this ServiceAccount.
# For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
# ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
# Must be set for any cluster configured with private docker registry.
imagePullSecrets: []
# - private-registry-key
# Enabled by default in master for maximising testing.
istiod:
enableAnalysis: false
# To output all istio components logs in json format by adding --log_as_json argument to each container argument
logAsJson: false
# Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
# The control plane has different scopes depending on component, but can configure default log level across all components
# If empty, default scope and level will be used as configured in code
logging:
level: "default:info"
omitSidecarInjectorConfigMap: false
# Configure whether Operator manages webhook configurations. The current behavior
# of Istiod is to manage its own webhook configurations.
# When this option is set as true, Istio Operator, instead of webhooks, manages the
# webhook configurations. When this option is set as false, webhooks manage their
# own webhook configurations.
operatorManageWebhooks: false
# Custom DNS config for the pod to resolve names of services in other
# clusters. Use this to add additional search domains, and other settings.
# see
# https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config
# This does not apply to gateway pods as they typically need a different
# set of DNS settings than the normal application pods (e.g., in
# multicluster scenarios).
# NOTE: If using templates, follow the pattern in the commented example below.
#podDNSSearchNamespaces:
#- global
#- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"
# Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
# system-node-critical, it is better to configure this in order to make sure your Istio pods
# will not be killed because of low priority class.
# Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
# for more detail.
priorityClassName: ""
proxy:
image: proxyv2
# This controls the 'policy' in the sidecar injector.
autoInject: enabled
# CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
# cluster domain. Default value is "cluster.local".
clusterDomain: "cluster.local"
# Per Component log level for proxy, applies to gateways and sidecars. If a component level is
# not set, then the global "logLevel" will be used.
componentLogLevel: "misc:error"
# istio ingress capture allowlist
# examples:
# Redirect only selected ports: --includeInboundPorts="80,8080"
excludeInboundPorts: ""
includeInboundPorts: "*"
# istio egress capture allowlist
# https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
# example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
# would only capture egress traffic on those two IP Ranges, all other outbound traffic would
# be allowed by the sidecar
includeIPRanges: "*"
excludeIPRanges: ""
includeOutboundPorts: ""
excludeOutboundPorts: ""
# Log level for proxy, applies to gateways and sidecars.
# Expected values are: trace|debug|info|warning|error|critical|off
logLevel: warning
# Specify the path to the outlier event log.
# Example: /dev/stdout
outlierLogPath: ""
#If set to true, istio-proxy container will have privileged securityContext
privileged: false
# The number of successive failed probes before indicating readiness failure.
readinessFailureThreshold: 4
# The initial delay for readiness probes in seconds.
readinessInitialDelaySeconds: 0
# The period between readiness probes.
readinessPeriodSeconds: 15
# Enables or disables a startup probe.
# For optimal startup times, changing this should be tied to the readiness probe values.
#
# If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4.
# This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval),
# and doesn't spam the readiness endpoint too much
#
# If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30.
# This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly.
startupProbe:
enabled: true
failureThreshold: 600 # 10 minutes
# Resources for the sidecar.
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 2000m
memory: 1024Mi
# Default port for Pilot agent health checks. A value of 0 will disable health checking.
statusPort: 15020
# Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none.
# If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
tracer: "none"
proxy_init:
# Base name for the proxy_init container, used to configure iptables.
image: proxyv2
# Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures.
# Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases.
forceApplyIptables: false
# configure remote pilot and istiod service and endpoint
remotePilotAddress: "192.168.12.131"
##############################################################################################
# The following values are found in other charts. To effectively modify these values, make #
# make sure they are consistent across your Istio helm charts #
##############################################################################################
# The customized CA address to retrieve certificates for the pods in the cluster.
# CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
# If not set explicitly, default to the Istio discovery address.
caAddress: ""
# Enable control of remote clusters.
externalIstiod: false
# Configure a remote cluster as the config cluster for an external istiod.
configCluster: true
# configValidation enables the validation webhook for Istio configuration.
configValidation: true
# Mesh ID means Mesh Identifier. It should be unique within the scope where
# meshes will interact with each other, but it is not required to be
# globally/universally unique. For example, if any of the following are true,
# then two meshes must have different Mesh IDs:
# - Meshes will have their telemetry aggregated in one place
# - Meshes will be federated together
# - Policy will be written referencing one mesh from the other
#
# If an administrator expects that any of these conditions may become true in
# the future, they should ensure their meshes have different Mesh IDs
# assigned.
#
# Within a multicluster mesh, each cluster must be (manually or auto)
# configured to have the same Mesh ID value. If an existing cluster 'joins' a
# multicluster mesh, it will need to be migrated to the new mesh ID. Details
# of migration TBD, and it may be a disruptive operation to change the Mesh
# ID post-install.
#
# If the mesh admin does not specify a value, Istio will use the value of the
# mesh's Trust Domain. The best practice is to select a proper Trust Domain
# value.
meshID: ""
# Configure the mesh networks to be used by the Split Horizon EDS.
#
# The following example defines two networks with different endpoints association methods.
# For `network1` all endpoints that their IP belongs to the provided CIDR range will be
# mapped to network1. The gateway for this network example is specified by its public IP
# address and port.
# The second network, `network2`, in this example is defined differently with all endpoints
# retrieved through the specified Multi-Cluster registry being mapped to network2. The
# gateway is also defined differently with the name of the gateway service on the remote
# cluster. The public IP for the gateway will be determined from that remote service (only
# LoadBalancer gateway service type is currently supported, for a NodePort type gateway service,
# it still need to be configured manually).
#
# meshNetworks:
# network1:
# endpoints:
# - fromCidr: "192.168.0.1/24"
# gateways:
# - address: 1.1.1.1
# port: 80
# network2:
# endpoints:
# - fromRegistry: reg1
# gateways:
# - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
# port: 443
#
meshNetworks: {}
# Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
mountMtlsCerts: false
multiCluster:
# Set to true to connect two kubernetes clusters via their respective
# ingressgateway services when pods in each cluster cannot directly
# talk to one another. All clusters should be using Istio mTLS and must
# have a shared root CA for this model to work.
enabled: false
# Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
# to properly label proxies
clusterName: "dmz"
# Network defines the network this cluster belong to. This name
# corresponds to the networks in the map of mesh networks.
network: ""
# Configure the certificate provider for control plane communication.
# Currently, two providers are supported: "kubernetes" and "istiod".
# As some platforms may not have kubernetes signing APIs,
# Istiod is the default
pilotCertProvider: istiod
sds:
# The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
# When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the
# JWT is intended for the CA.
token:
aud: istio-ca
sts:
# The service port used by Security Token Service (STS) server to handle token exchange requests.
# Setting this port to a non-zero value enables STS server.
servicePort: 0
# The name of the CA for workload certificates.
# For example, when caName=GkeWorkloadCertificate, GKE workload certificates
# will be used as the certificates for workloads.
# The default value is "" and when caName="", the CA will be configured by other
# mechanisms (e.g., environmental variable CA_PROVIDER).
caName: ""
waypoint:
# Resources for the waypoint proxy.
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: "2"
memory: 1Gi
# If specified, affinity defines the scheduling constraints of waypoint pods.
affinity: {}
# Topology Spread Constraints for the waypoint proxy.
topologySpreadConstraints: []
# Node labels for the waypoint proxy.
nodeSelector: {}
# Tolerations for the waypoint proxy.
tolerations: []
base:
# For istioctl usage to disable istio config crds in base
enableIstioConfigCRDs: true
# Gateway Settings
gateways:
# Define the security context for the pod.
# If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
# On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
securityContext: {}
# Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it
seccompProfile: {}
base:
profile: remote
global:
imagePullSecrets: []
istioNamespace: istio-system
base:
excludedCRDs: []
enableCRDTemplates: true
validationURL: ""
validationCABundle: ""
enableIstioConfigCRDs: true
defaultRevision: "default"
experimental:
stableValidationPolicy: false
gateway:
# Name allows overriding the release name. Generally this should not be set
name: "istio-eastwestgateway"
# revision declares which revision this gateway is a part of
revision: ""
# Controls the spec.replicas setting for the Gateway deployment if set.
# Otherwise defaults to Kubernetes Deployment default (1).
replicaCount:
kind: Deployment
rbac:
# If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed
# when using http://gateway-api.org/.
enabled: true
serviceAccount:
# If set, a service account will be created. Otherwise, the default is used
create: true
# Annotations to add to the service account
annotations: {}
# The name of the service account to use.
# If not set, the release name is used
name: ""
podAnnotations:
prometheus.io/port: "15020"
prometheus.io/scrape: "true"
prometheus.io/path: "/stats/prometheus"
inject.istio.io/templates: "gateway"
sidecar.istio.io/inject: "true"
# Define the security context for the pod.
# If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
# On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
securityContext: {}
containerSecurityContext: {}
service:
# Type of service. Set to "None" to disable the service entirely
type: LoadBalancer
ports:
- name: status-port
port: 15021
protocol: TCP
targetPort: 15021
- name: http2
port: 80
protocol: TCP
targetPort: 80
- name: https
port: 443
protocol: TCP
targetPort: 443
annotations: {}
loadBalancerIP: ""
loadBalancerSourceRanges: []
externalTrafficPolicy: ""
externalIPs: []
ipFamilyPolicy: ""
ipFamilies: []
## Whether to automatically allocate NodePorts (only for LoadBalancers).
# allocateLoadBalancerNodePorts: false
## Set LoadBalancer class (only for LoadBalancers).
# loadBalancerClass: ""
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 2000m
memory: 1024Mi
autoscaling:
enabled: true
minReplicas: 1
maxReplicas: 5
targetCPUUtilizationPercentage: 80
targetMemoryUtilizationPercentage: {}
autoscaleBehavior: {}
# Pod environment variables
env: {}
# Deployment Update strategy
strategy: {}
# Sets the Deployment minReadySeconds value
minReadySeconds:
# Optionally configure a custom readinessProbe. By default the control plane
# automatically injects the readinessProbe. If you wish to override that
# behavior, you may define your own readinessProbe here.
readinessProbe: {}
# Labels to apply to all resources
labels:
# By default, don't enroll gateways into the ambient dataplane
"istio.io/dataplane-mode": none
# Annotations to apply to all resources
annotations: {}
nodeSelector: {}
tolerations: []
topologySpreadConstraints: []
affinity: {}
# If specified, the gateway will act as a network gateway for the given network.
networkGateway: "network1"
# Specify image pull policy if default behavior isn't desired.
# Default behavior: latest images will be Always else IfNotPresent
imagePullPolicy: ""
imagePullSecrets: []
# This value is used to configure a Kubernetes PodDisruptionBudget for the gateway.
#
# By default, the `podDisruptionBudget` is disabled (set to `{}`),
# which means that no PodDisruptionBudget resource will be created.
#
# To enable the PodDisruptionBudget, configure it by specifying the
# `minAvailable` or `maxUnavailable`. For example, to set the
# minimum number of available replicas to 1, you can update this value as follows:
#
# podDisruptionBudget:
# minAvailable: 1
#
# Or, to allow a maximum of 1 unavailable replica, you can set:
#
# podDisruptionBudget:
# maxUnavailable: 1
#
# You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`.
# For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows:
#
# podDisruptionBudget:
# minAvailable: 1
# unhealthyPodEvictionPolicy: AlwaysAllow
#
# To disable the PodDisruptionBudget, you can leave it as an empty object `{}`:
#
# podDisruptionBudget: {}
#
podDisruptionBudget: {}
# Sets the per-pod terminationGracePeriodSeconds setting.
terminationGracePeriodSeconds: 30
# A list of `Volumes` added into the Gateway Pods. See
# https://kubernetes.io/docs/concepts/storage/volumes/.
volumes: []
# A list of `VolumeMounts` added into the Gateway Pods. See
# https://kubernetes.io/docs/concepts/storage/volumes/.
volumeMounts: []
# Configure this to a higher priority class in order to make sure your Istio gateway pods
# will not be killed because of low priority class.
# Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
# for more detail.
priorityClassName: ""

12
dmz/metallb-system/Chart.yaml
View File

@@ -1,12 +0,0 @@
apiVersion: v2
name: metallb-system
description: A Helm chart for Kubernetes
type: application
version: 0.1.0
appVersion: "1.16.0"
dependencies:
- name: metallb
repository: https://metallb.github.io/metallb
version: 0.14.9

17
dmz/metallb-system/templates/config.yaml
View File

@@ -1,17 +0,0 @@
apiVersion: metallb.io/v1beta1
kind: IPAddressPool
metadata:
name: cheap
spec:
addresses:
- 192.168.98.130-192.168.98.140
---
apiVersion: metallb.io/v1beta1
kind: L2Advertisement
metadata:
name: pool
namespace: metallb-system
spec:
ipAddressPools:
- cheap

0
dmz/metallb-system/values.yaml
View File

115
dmz/terraform/k3s.tf
View File

@@ -1,115 +0,0 @@
resource "proxmox_vm_qemu" "k3smaster" {
count = local.k3smaster.count
ciuser = "administrator"
vmid = "${local.vlan}${local.k3smaster.ip[count.index]}"
name = local.k3smaster.name[count.index]
target_node = local.k3smaster.node[count.index]
clone = local.template
tags = local.k3smaster.tags
qemu_os = "l26"
full_clone = true
os_type = "cloud-init"
agent = 1
cores = local.k3smaster.cores
sockets = 1
cpu_type = "host"
memory = local.k3smaster.memory
scsihw = "virtio-scsi-pci"
#bootdisk = "scsi0"
boot = "order=virtio0"
onboot = true
sshkeys = local.sshkeys
vga {
type = "serial0"
}
serial {
id = 0
type = "socket"
}
disks {
ide {
ide2 {
cloudinit {
storage = local.storage
}
}
}
virtio {
virtio0 {
disk {
size = local.k3smaster.drive
format = local.format
storage = local.storage
}
}
}
}
network {
id = 0
model = "virtio"
bridge = "vmbr0"
tag = local.vlan
}
#Cloud Init Settings
ipconfig0 = "ip=192.168.${local.vlan}.${local.k3smaster.ip[count.index]}/24,gw=192.168.${local.vlan}.1"
searchdomain = "durp.loc"
nameserver = local.dnsserver
}
resource "proxmox_vm_qemu" "k3sserver" {
count = local.k3sserver.count
ciuser = "administrator"
vmid = "${local.vlan}${local.k3sserver.ip[count.index]}"
name = local.k3sserver.name[count.index]
target_node = local.k3sserver.node[count.index]
clone = local.template
tags = local.k3sserver.tags
qemu_os = "l26"
full_clone = true
os_type = "cloud-init"
agent = 1
cores = local.k3sserver.cores
sockets = 1
cpu_type = "host"
memory = local.k3sserver.memory
scsihw = "virtio-scsi-pci"
#bootdisk = "scsi0"
boot = "order=virtio0"
onboot = true
sshkeys = local.sshkeys
vga {
type = "serial0"
}
serial {
id = 0
type = "socket"
}
disks {
ide {
ide2 {
cloudinit {
storage = local.storage
}
}
}
virtio {
virtio0 {
disk {
size = local.k3sserver.drive
format = local.format
storage = local.storage
}
}
}
}
network {
id = 0
model = "virtio"
bridge = "vmbr0"
tag = local.vlan
}
#Cloud Init Settings
ipconfig0 = "ip=192.168.${local.vlan}.${local.k3sserver.ip[count.index]}/24,gw=192.168.${local.vlan}.1"
searchdomain = "durp.loc"
nameserver = local.dnsserver
}

48
dmz/terraform/main.tf
View File

@@ -1,48 +0,0 @@
terraform {
backend "http" {}
required_providers {
proxmox = {
source = "Telmate/proxmox"
version = "3.0.1-rc6"
}
}
}
provider "proxmox" {
pm_parallel = 1
pm_tls_insecure = true
pm_api_url = var.pm_api_url
pm_user = var.pm_user
pm_password = var.pm_password
pm_debug = false
}
locals {
sshkeys = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDEphzWgwUZnvL6E5luKLt3WO0HK7Kh63arSMoNl5gmjzXyhG1DDW0OKfoIl0T+JZw/ZjQ7iii6tmSLFRk6nuYCldqe5GVcFxvTzX4/xGEioAyG0IiUGKy6s+9xzO8QXF0EtSNPH0nfHNKcCjgwWAzM+Lt6gW0Vqs+aU5ICuDiEchmvYPz+rBaVldJVTG7m3ogKJ2aIF7HU/pCPp5l0E9gMOw7s0ABijuc3KXLEWCYgL39jIST6pFH9ceRLmu8Xy5zXHAkkEEauY/e6ld0hlzLadiUD7zYJMdDcm0oRvenYcUlaUl9gS0569IpfsJsjCejuqOxCKzTHPJDOT0f9TbIqPXkGq3s9oEJGpQW+Z8g41BqRpjBCdBk+yv39bzKxlwlumDwqgx1WP8xxKavAWYNqNRG7sBhoWwtxYEOhKXoLNjBaeDRnO5OY5AQJvONWpuByyz0R/gTh4bOFVD+Y8WWlKbT4zfhnN70XvapRsbZiaGhJBPwByAMGg6XxSbC6xtbyligVGCEjCXbTLkeKq1w0DuItY+FBGO3J2k90OiciTVSeyiVz9J/Y03UB0gHdsMCoVNrj+9QWfrTLDhM7D5YrXUt5nj2LQTcbtf49zoQXWxUhozlg42E/FJU/Yla7y55qWizAEVyP2/Ks/PHrF679k59HNd2IJ/aicA9QnmWtLQ== ansible"
template = "Debian12-Template"
storage = "cache-domains"
emulatessd = true
format = "raw"
dnsserver = "192.168.98.1"
vlan = 98
k3smaster = {
tags = "k3s_dmz"
count = 3
name = ["master01-dmz", "master02-dmz", "master03-dmz"]
cores = 2
memory = "4096"
drive = 20
node = ["mothership", "overlord", "vanguard"]
ip = ["11", "12", "13"]
}
k3sserver = {
tags = "k3s_dmz"
count = 3
name = ["node01-dmz", "node02-dmz", "node03-dmz"]
cores = 4
memory = "8192"
drive = 240
node = ["mothership", "overlord", "vanguard"]
ip = ["21", "22", "23"]
}
}

14
dmz/terraform/variables.tf
View File

@@ -1,14 +0,0 @@
variable "pm_api_url" {
description = "API URL to Proxmox provider"
type = string
}
variable "pm_password" {
description = "Passowrd to Proxmox provider"
type = string
}
variable "pm_user" {
description = "UIsername to Proxmox provider"
type = string
}

11
dmz/traefik/Chart.yaml
View File

@@ -1,11 +0,0 @@
apiVersion: v2
name: traefik
description: A Helm chart for Kubernetes
type: application
version: 0.0.1
appVersion: 0.0.1
dependencies:
- name: traefik
repository: https://traefik.github.io/charts
version: 34.0.0

16
dmz/traefik/templates/config.yaml
View File

@@ -1,16 +0,0 @@
#apiVersion: v1
#kind: ConfigMap
#metadata:
# name: traefik-configmap
#data:
# config.yml: |
# http:
# routers:
# router0:
# service: service0
# rule: Host(`testing.durp.info`)
# services:
# service0:
# loadBalancer:
# servers:
# - url: https://192.168.20.130

35
dmz/traefik/templates/middleware.yaml
View File

@@ -1,35 +0,0 @@
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: authentik-proxy-provider
namespace: traefik
spec:
forwardAuth:
address: http://ak-outpost-dmz-embedded-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik?rd=$scheme://$http_host$request_uri
trustForwardHeader: true
authResponseHeaders:
- X-authentik-username
- X-authentik-groups
- X-authentik-email
- X-authentik-name
- X-authentik-uid
- X-authentik-jwt
- X-authentik-meta-jwks
- X-authentik-meta-outpost
- X-authentik-meta-provider
- X-authentik-meta-app
- X-authentik-meta-version
---
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: whitelist
namespace: traefik
spec:
ipWhiteList:
sourceRange:
- 192.168.0.0/16
- 172.16.0.0/12
- 10.0.0.0/8

34
dmz/traefik/templates/traefik-dashboard.yaml
View File

@@ -1,34 +0,0 @@
#apiVersion: traefik.io/v1alpha1
#kind: IngressRoute
#metadata:
# name: traefik-ingress
#spec:
# entryPoints:
# - websecure
# routes:
# - match: Host(`traefik.durp.info`)
# kind: Rule
# services:
# - name: api@internal
# kind: TraefikService
# tls:
# secretName: traefik-tls
#
#---
#
#apiVersion: cert-manager.io/v1
#kind: Certificate
#metadata:
# name: traefik-tls
# namespace: traefik
#spec:
# secretName: traefik-tls
# issuerRef:
# name: letsencrypt-production
# kind: ClusterIssuer
# commonName: "traefik.durp.info"
# dnsNames:
# - "traefik.durp.info"
#
#---
#

59
dmz/traefik/values.yaml
View File

@@ -1,59 +0,0 @@
traefik:
image:
# registry: registry.durp.info
# repository: traefik
pullPolicy: Always
providers:
kubernetesCRD:
allowCrossNamespace: true
allowExternalNameServices: true
allowEmptyServices: false
deployment:
replicas: 3
revisionHistoryLimit: 1
# volumes:
# - name: traefik-configmap
# mountPath: "/config"
# type: configMap
ingressRoute:
dashboard:
enabled: true
additionalArguments:
# - "--providers.file.filename=/config/config.yml"
- "--serversTransport.insecureSkipVerify=true"
- "--log.level=DEBUG"
- --experimental.plugins.jwt.moduleName=github.com/traefik-plugins/traefik-jwt-plugin
- --experimental.plugins.jwt.version=v0.7.0
autoscaling:
enabled: true
minReplicas: 3
maxReplicas: 10
metrics:
- type: Resource
resource:
name: cpu
target:
type: Utilization
averageUtilization: 80
behavior:
scaleDown:
stabilizationWindowSeconds: 300
policies:
- type: Pods
value: 1
periodSeconds: 60
# -- [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for `traefik` container.
resources:
requests:
cpu: "100m"
memory: "512Mi"
limits:
memory: "512Mi"

23
dmz/vault/templates/secret-store.yaml
View File

@@ -1,23 +0,0 @@
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
name: vault
spec:
provider:
vault:
server: "https://vault.infra.durp.info"
path: "kv"
version: "v2"
auth:
kubernetes:
mountPath: "dmz-cluster"
role: "external-secrets"
serviceAccountRef:
name: "vault"
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: vault

13
dmz/vault/values.yaml
View File

@@ -1,13 +0,0 @@
vault:
global:
enabled: true
tlsDisable: false
externalVaultAddr: "https://vault.infra.durp.info"
resources:
requests:
memory: 256Mi
cpu: 250m
limits:
memory: 256Mi
cpu: 250m

2
dmz/external-dns/Chart.yaml → external-dns/Chart.yaml
View File

@@ -9,4 +9,4 @@ appVersion: 0.0.1
dependencies:
- name: external-dns
repository: https://charts.bitnami.com/bitnami
version: 8.3.8
version: 6.20.3

0
master/external-dns/templates/secrets.yaml → external-dns/templates/secrets.yaml
View File

4
master/external-dns/values.yaml → external-dns/values.yaml
View File

@@ -4,10 +4,10 @@ external-dns:
image:
pullPolicy: Always
txtPrefix: "dmz-"
sources:
- service
provider: cloudflare
cloudflare:
secretName : "external-dns"

2
master/external-secrets/Chart.yaml → external-secrets/Chart.yaml
View File

@@ -8,5 +8,5 @@ appVersion: 0.0.1
dependencies:
- name: external-secrets
repository: https://charts.external-secrets.io
version: 0.10.4
version: 0.8.1

26
infra/cert-manager/templates/secretvault.yaml → external-secrets/templates/secret-store.yaml
View File

@@ -1,3 +1,20 @@
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
name: vault
spec:
provider:
vault:
server: "https://vault.internal.prd.durp.info"
path: "secrets"
version: "v2"
auth:
kubernetes:
mountPath: "kubernetes"
role: "dmz-external-secrets"
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
@@ -11,13 +28,6 @@ spec:
data:
- secretKey: cloudflare-api-token-secret
remoteRef:
key: kv/cert-manager
key: secrets/cert-manager
property: cloudflare-api-token-secret
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: vault

0
master/external-secrets/values.yaml → external-secrets/values.yaml
View File

2
master/gatekeeper/Chart.yaml → gatekeeper/Chart.yaml
View File

@@ -8,4 +8,4 @@ appVersion: 0.0.1
dependencies:
- name: gatekeeper
repository: https://open-policy-agent.github.io/gatekeeper/charts
version: 3.17.1
version: 3.14.0

277
gatekeeper/values.yaml Normal file
View File

@@ -0,0 +1,277 @@
gatekeeper:
replicas: 3
revisionHistoryLimit: 10
auditInterval: 60
metricsBackends: ["prometheus"]
auditMatchKindOnly: false
constraintViolationsLimit: 20
auditFromCache: false
disableMutation: false
disableValidatingWebhook: false
validatingWebhookName: gatekeeper-validating-webhook-configuration
validatingWebhookTimeoutSeconds: 3
validatingWebhookFailurePolicy: Ignore
validatingWebhookAnnotations: {}
validatingWebhookExemptNamespacesLabels: {}
validatingWebhookObjectSelector: {}
validatingWebhookCheckIgnoreFailurePolicy: Fail
validatingWebhookCustomRules: {}
validatingWebhookURL: null
enableDeleteOperations: false
enableExternalData: true
enableGeneratorResourceExpansion: true
enableTLSHealthcheck: false
maxServingThreads: -1
mutatingWebhookName: gatekeeper-mutating-webhook-configuration
mutatingWebhookFailurePolicy: Ignore
mutatingWebhookReinvocationPolicy: Never
mutatingWebhookAnnotations: {}
mutatingWebhookExemptNamespacesLabels: {}
mutatingWebhookObjectSelector: {}
mutatingWebhookTimeoutSeconds: 1
mutatingWebhookCustomRules: {}
mutatingWebhookURL: null
mutationAnnotations: false
auditChunkSize: 500
logLevel: INFO
logDenies: false
logMutations: false
emitAdmissionEvents: false
emitAuditEvents: false
admissionEventsInvolvedNamespace: false
auditEventsInvolvedNamespace: false
resourceQuota: true
externaldataProviderResponseCacheTTL: 3m
image:
repository: openpolicyagent/gatekeeper
crdRepository: openpolicyagent/gatekeeper-crds
release: v3.15.0-beta.0
pullPolicy: Always
pullSecrets: []
preInstall:
crdRepository:
image:
repository: null
tag: v3.15.0-beta.0
postUpgrade:
labelNamespace:
enabled: false
image:
repository: openpolicyagent/gatekeeper-crds
tag: v3.15.0-beta.0
pullPolicy: IfNotPresent
pullSecrets: []
extraNamespaces: []
podSecurity: ["pod-security.kubernetes.io/audit=restricted",
"pod-security.kubernetes.io/audit-version=latest",
"pod-security.kubernetes.io/warn=restricted",
"pod-security.kubernetes.io/warn-version=latest",
"pod-security.kubernetes.io/enforce=restricted",
"pod-security.kubernetes.io/enforce-version=v1.24"]
extraAnnotations: {}
priorityClassName: ""
affinity: {}
tolerations: []
nodeSelector: {kubernetes.io/os: linux}
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 999
runAsNonRoot: true
runAsUser: 1000
postInstall:
labelNamespace:
enabled: true
extraRules: []
image:
repository: openpolicyagent/gatekeeper-crds
tag: v3.15.0-beta.0
pullPolicy: IfNotPresent
pullSecrets: []
extraNamespaces: []
podSecurity: ["pod-security.kubernetes.io/audit=restricted",
"pod-security.kubernetes.io/audit-version=latest",
"pod-security.kubernetes.io/warn=restricted",
"pod-security.kubernetes.io/warn-version=latest",
"pod-security.kubernetes.io/enforce=restricted",
"pod-security.kubernetes.io/enforce-version=v1.24"]
extraAnnotations: {}
priorityClassName: ""
probeWebhook:
enabled: true
image:
repository: curlimages/curl
tag: 7.83.1
pullPolicy: IfNotPresent
pullSecrets: []
waitTimeout: 60
httpTimeout: 2
insecureHTTPS: false
priorityClassName: ""
affinity: {}
tolerations: []
nodeSelector: {kubernetes.io/os: linux}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 999
runAsNonRoot: true
runAsUser: 1000
preUninstall:
deleteWebhookConfigurations:
extraRules: []
enabled: false
image:
repository: openpolicyagent/gatekeeper-crds
tag: v3.15.0-beta.0
pullPolicy: IfNotPresent
pullSecrets: []
priorityClassName: ""
affinity: {}
tolerations: []
nodeSelector: {kubernetes.io/os: linux}
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 999
runAsNonRoot: true
runAsUser: 1000
podAnnotations: {}
auditPodAnnotations: {}
podLabels: {}
podCountLimit: "100"
secretAnnotations: {}
enableRuntimeDefaultSeccompProfile: true
controllerManager:
exemptNamespaces: []
exemptNamespacePrefixes: []
hostNetwork: false
dnsPolicy: ClusterFirst
port: 8443
metricsPort: 8888
healthPort: 9090
readinessTimeout: 1
livenessTimeout: 1
priorityClassName: system-cluster-critical
disableCertRotation: false
tlsMinVersion: 1.3
clientCertName: ""
strategyType: RollingUpdate
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- podAffinityTerm:
labelSelector:
matchExpressions:
- key: gatekeeper.sh/operation
operator: In
values:
- webhook
topologyKey: kubernetes.io/hostname
weight: 100
topologySpreadConstraints: []
tolerations: []
nodeSelector: {kubernetes.io/os: linux}
resources:
limits:
memory: 512Mi
requests:
cpu: 100m
memory: 512Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 999
runAsNonRoot: true
runAsUser: 1000
podSecurityContext:
fsGroup: 999
supplementalGroups:
- 999
extraRules: []
networkPolicy:
enabled: false
ingress: { }
# - from:
# - ipBlock:
# cidr: 0.0.0.0/0
audit:
enablePubsub: false
connection: audit-connection
channel: audit-channel
hostNetwork: false
dnsPolicy: ClusterFirst
metricsPort: 8888
healthPort: 9090
readinessTimeout: 1
livenessTimeout: 1
priorityClassName: system-cluster-critical
disableCertRotation: false
affinity: {}
tolerations: []
nodeSelector: {kubernetes.io/os: linux}
resources:
limits:
memory: 512Mi
requests:
cpu: 100m
memory: 512Mi
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 999
runAsNonRoot: true
runAsUser: 1000
podSecurityContext:
fsGroup: 999
supplementalGroups:
- 999
writeToRAMDisk: false
extraRules: []
crds:
affinity: {}
tolerations: []
nodeSelector: {kubernetes.io/os: linux}
resources: {}
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
runAsGroup: 65532
runAsNonRoot: true
runAsUser: 65532
pdb:
controllerManager:
minAvailable: 1
service: {}
disabledBuiltins: ["{http.send}"]
psp:
enabled: true
upgradeCRDs:
enabled: true
extraRules: []
priorityClassName: ""
rbac:
create: true
externalCertInjection:
enabled: false
secretName: gatekeeper-webhook-server-cert

2
master/gitlab-runner/Chart.yaml → gitlab-runner/Chart.yaml
View File

@@ -8,4 +8,4 @@ appVersion: 0.0.1
dependencies:
- name: gitlab-runner
repository: https://charts.gitlab.io/
version: 0.69.0
version: 0.43.0

0
master/gitlab-runner/templates/secrets.yaml → gitlab-runner/templates/secrets.yaml
View File

4
master/gitlab-runner/values.yaml → gitlab-runner/values.yaml
View File

@@ -6,7 +6,7 @@ gitlab-runner:
imagePullPolicy: Always
gitlabUrl: https://gitlab.com/
unregisterRunner: false
unregisterRunner: true
terminationGracePeriodSeconds: 3600
concurrent: 10
checkInterval: 30
@@ -68,4 +68,4 @@ gitlab-runner:
memory: 2Gi
requests:
memory: 128Mi
cpu: 500m
cpu: 500m

95
infra/.gitlab/.gitlab-ci.yml
View File

@@ -1,95 +0,0 @@
stages:
- plan
- apply
- destroy
variables:
WORKDIR: $CI_PROJECT_DIR/infra/terraform
GITLAB_TF_ADDRESS: ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/terraform/state/infra
image:
name: registry.internal.durp.info/opentofu/opentofu:latest
entrypoint: [""]
.tf-init:
before_script:
- cd $WORKDIR
- tofu init
-reconfigure
-backend-config="address=${GITLAB_TF_ADDRESS}"
-backend-config="lock_address=${GITLAB_TF_ADDRESS}/lock"
-backend-config="unlock_address=${GITLAB_TF_ADDRESS}/lock"
-backend-config="username=gitlab-ci-token"
-backend-config="password=${CI_JOB_TOKEN}"
-backend-config="lock_method=POST"
-backend-config="unlock_method=DELETE"
-backend-config="retry_wait_min=5"
format:
stage: .pre
allow_failure: false
script:
- cd $WORKDIR
- tofu fmt -diff -check -write=false
rules:
- changes:
- "infra/terraform/*.tf"
validate:
stage: .pre
allow_failure: false
extends: .tf-init
script:
- tofu validate
rules:
- changes:
- "infra/terraform/*.tf"
plan-infrastructure:
stage: plan
variables:
PLAN: plan.tfplan
JSON_PLAN_FILE: tfplan.json
ENVIRONMENT_NAME: infra
allow_failure: false
extends: .tf-init
script:
- apk add --update curl jq
- alias convert_report="jq -r '([.resource_changes[].change.actions?]|flatten)|{\"create\":(map(select(.==\"create\"))|length),\"update\":(map(select(.==\"update\"))|length),\"delete\":(map(select(.==\"delete\"))|length)}'"
- tofu plan -out=$PLAN $ARGUMENTS
- tofu show --json $PLAN | jq -r '([.resource_changes[].change.actions?]|flatten)|{"create":(map(select(.=="create"))|length),"update":(map(select(.=="update"))|length),"delete":(map(select(.=="delete"))|length)}' > $JSON_PLAN_FILE
artifacts:
reports:
terraform: $WORKDIR/$JSON_PLAN_FILE
needs: ["validate","format"]
rules:
- changes:
- "infra/terraform/*.tf"
apply-infrastructure:
stage: apply
variables:
ENVIRONMENT_NAME: infra
allow_failure: false
extends: .tf-init
script:
- tofu apply -auto-approve $ARGUMENTS
rules:
- changes:
- "infra/terraform/*.tf"
when: manual
needs: ["plan-infrastructure"]
destroy-infrastructure:
stage: destroy
variables:
ENVIRONMENT_NAME: infra
allow_failure: false
extends: .tf-init
script:
- tofu destroy -auto-approve $ARGUMENTS
rules:
- changes:
- "infra/terraform/*.tf"
when: manual
needs: ["plan-infrastructure"]

12
infra/argocd/Chart.yaml
View File

@@ -1,12 +0,0 @@
apiVersion: v2
name: argocd
description: A Helm chart for Kubernetes
type: application
version: 0.1.0
appVersion: "1.16.0"
dependencies:
- name: argo-cd
repository: https://argoproj.github.io/argo-helm
version: 6.11.1

79
infra/argocd/templates/argocd.yaml
View File

@@ -1,79 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: argocd
namespace: argocd
spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: main
path: infra/argocd
destination:
namespace: argocd
name: in-cluster
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
---
#apiVersion: external-secrets.io/v1beta1
#kind: ExternalSecret
#metadata:
# name: vault-argocd
# labels:
# app.kubernetes.io/part-of: argocd
#spec:
# secretStoreRef:
# name: vault
# kind: ClusterSecretStore
# target:
# name: client-secret
# data:
# - secretKey: clientSecret
# remoteRef:
# key: secrets/argocd/authentik
# property: clientsecret
---
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: argocd-ingress
annotations:
cert-manager.io/cluster-issuer: letsencrypt-production
spec:
entryPoints:
- websecure
routes:
- match: Host(`argocd.infra.durp.info`)
#middlewares:
# - name: whitelist
# namespace: traefik
kind: Rule
services:
- name: argocd-server
port: 443
scheme: https
tls:
secretName: argocd-tls
---
apiVersion: cert-manager.io/v1
kind: Certificate
metadata:
name: argocd-tls
spec:
secretName: argocd-tls
issuerRef:
name: vault-issuer
kind: ClusterIssuer
commonName: "argocd.infra.durp.info"
dnsNames:
- "argocd.infra.durp.info"

47
infra/argocd/templates/authentik.yaml
View File

@@ -1,47 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: authentik
namespace: argocd
spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: main
path: infra/authentik
destination:
namespace: authentik
name: in-cluster
syncPolicy:
managedNamespaceMetadata:
labels:
istio-injection: enabled
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: authentik-dmz
namespace: argocd
spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: main
path: dmz/authentik
destination:
namespace: authentik
name: dmz
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true

44
infra/argocd/templates/cert-manager.yaml
View File

@@ -1,44 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: cert-manager
namespace: argocd
spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: main
path: infra/cert-manager
destination:
namespace: cert-manager
name: in-cluster
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: cert-manager-dmz
namespace: argocd
spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: main
path: dmz/cert-manager
destination:
namespace: cert-manager
name: dmz
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true

21
infra/argocd/templates/external-dns.yaml
View File

@@ -1,21 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: external-dns-dmz
namespace: argocd
spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: main
path: dmz/external-dns
destination:
namespace: external-dns
name: dmz
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true

44
infra/argocd/templates/external-secrets.yaml
View File

@@ -1,44 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: external-secrets
namespace: argocd
spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: main
path: infra/external-secrets
destination:
namespace: external-secrets
name: in-cluster
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: external-secrets-dmz
namespace: argocd
spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: main
path: dmz/external-secrets
destination:
namespace: external-secrets
name: dmz
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true

21
infra/argocd/templates/internalproxy.yaml
View File

@@ -1,21 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: internal-proxy
namespace: argocd
spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: main
path: dmz/internalproxy
destination:
namespace: internalproxy
name: dmz
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true

53
infra/argocd/templates/istio.yaml
View File

@@ -1,53 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: istio-system
namespace: argocd
spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: main
path: infra/istio-system
destination:
namespace: istio-system
name: in-cluster
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
ignoreDifferences:
- group: admissionregistration.k8s.io
kind: ValidatingWebhookConfiguration
jsonPointers:
- /webhooks/0/failurePolicy
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: istio-system-dmz
namespace: argocd
spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: main
path: dmz/istio-system
destination:
namespace: istio-system
name: dmz
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
ignoreDifferences:
- group: admissionregistration.k8s.io
kind: ValidatingWebhookConfiguration
jsonPointers:
- /webhooks/0/failurePolicy

20
infra/argocd/templates/litellm.yaml
View File

@@ -1,20 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: litellm
namespace: argocd
spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: main
path: infra/litellm
destination:
namespace: litellm
name: in-cluster
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true

44
infra/argocd/templates/metallb-system.yaml
View File

@@ -1,44 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: metallb-system
namespace: argocd
spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: main
path: infra/metallb-system
destination:
namespace: metallb-system
name: in-cluster
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: metallb-system-dmz
namespace: argocd
spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: main
path: dmz/metallb-system
destination:
namespace: metallb-system
name: dmz
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true

50
infra/argocd/templates/traefik.yaml
View File

@@ -1,50 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: traefik
namespace: argocd
spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: main
path: infra/traefik
destination:
namespace: traefik
name: in-cluster
syncPolicy:
managedNamespaceMetadata:
labels:
istio-injection: enabled
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: traefik-dmz
namespace: argocd
spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: main
path: dmz/traefik
destination:
namespace: traefik
name: dmz
syncPolicy:
# managedNamespaceMetadata:
# labels:
# istio-injection: enabled
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true

53
infra/argocd/templates/vault.yaml
View File

@@ -1,53 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: vault
namespace: argocd
spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: main
path: infra/vault
destination:
namespace: vault
name: in-cluster
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
ignoreDifferences:
- group: admissionregistration.k8s.io
kind: MutatingWebhookConfiguration
jqPathExpressions:
- .webhooks[]?.clientConfig.caBundle
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: vault-dmz
namespace: argocd
spec:
project: default
source:
repoURL: https://gitlab.com/developerdurp/homelab.git
targetRevision: main
path: dmz/vault
destination:
namespace: vault
name: dmz
syncPolicy:
automated:
prune: true
selfHeal: true
syncOptions:
- CreateNamespace=true
ignoreDifferences:
- group: admissionregistration.k8s.io
kind: MutatingWebhookConfiguration
jqPathExpressions:
- .webhooks[]?.clientConfig.caBundle

62
infra/argocd/values.yaml
View File

@@ -1,62 +0,0 @@
argo-cd:
global:
revisionHistoryLimit: 1
image:
repository: registry.durp.info/argoproj/argocd
imagePullPolicy: Always
server:
#extraArgs:
# - --dex-server-plaintext
# - --dex-server=argocd-dex-server:5556
# oidc.config: |
# name: AzureAD
# issuer: https://login.microsoftonline.com/TENANT_ID/v2.0
# clientID: CLIENT_ID
# clientSecret: $oidc.azuread.clientSecret
# requestedIDTokenClaims:
# groups:
# essential: true
# requestedScopes:
# - openid
# - profile
# - email
dex:
enabled: true
image:
repository: registry.durp.info/dexidp/dex
imagePullPolicy: Always
configs:
cm:
create: true
annotations: {}
url: https://argocd.internal.durp.info
oidc.tls.insecure.skip.verify: "true"
dex.config: |
connectors:
- config:
issuer: https://authentik.durp.info/application/o/argocd/
clientID: dbb8ffc06104fb6e7fac3e4ae7fafb1d90437625
clientSecret: $client-secret:clientSecret
insecureEnableGroups: true
scopes:
- openid
- profile
- email
- groups
name: authentik
type: oidc
id: authentik
rbac:
create: true
policy.csv: |
g, ArgoCD Admins, role:admin
scopes: "[groups]"
server:
route:
enabled: false

12
infra/authentik/Chart.yaml
View File

@@ -1,12 +0,0 @@
apiVersion: v2
name: authentik
description: A Helm chart for Kubernetes
type: application
version: 0.1.0
appVersion: "1.16.0"
dependencies:
- name: authentik
repository: https://charts.goauthentik.io
version: 2024.8.3

Some files were not shown because too many files have changed in this diff Show More