update

Revert "Merge branch 'renovate/authentik-2025.x' into 'main'"

See merge request developerdurp/homelab!50

.gitignore

@@ -0,0 +1,3 @@
+.idea
+infra/terraform/.terraform
+infra/terraform/.terraform.lock.hcl

.gitlab/.gitlab-ci.yml

@@ -0,0 +1,34 @@
+stages:
+  - triggers
+
+build_dmz:
+  stage: triggers
+  trigger:
+    include: infra/.gitlab/.gitlab-ci.yml
+  rules:
+    - changes:
+        - "dmz/terraform/*.tf"
+
+build_infra:
+  stage: triggers
+  trigger:
+    include: infra/.gitlab/.gitlab-ci.yml
+  rules:
+    - changes:
+        - "infra/terraform/*.tf"
+
+build_dev:
+  stage: triggers
+  trigger:
+    include: dev/.gitlab/.gitlab-ci.yml
+  rules:
+    - changes:
+        - "dev/terraform/*.tf"
+
+build_prd:
+  stage: triggers
+  trigger:
+    include: prd/.gitlab/.gitlab-ci.yml
+  rules:
+    - changes:
+        - "prd/terraform/*.tf"

Untitled

@@ -0,0 +1,4 @@
+VAULT_HELM_SECRET_NAME=$(kubectl get secrets -n vault --output=json | jq -r '.items[].metadata | select(.name|startswith("vault-token-")).name')
+TOKEN_REVIEW_JWT=$(kubectl get secret $VAULT_HELM_SECRET_NAME -n vault --output='go-template={{ .data.token }}' | base64 --decode)
+KUBE_CA_CERT=$(kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.certificate-authority-data}' | base64 --decode)
+KUBE_HOST=$(kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.server}')

ansible/base.yaml

@@ -0,0 +1,5 @@
+- hosts: all
+  gather_facts: yes
+  become: yes
+  roles:
+    - base

ansible/newcluster.yaml

@@ -0,0 +1,2 @@
+argocd login --insecure
+argocd cluster add default --name prd --yes --kubeconfig ~/Documents/config-prd

ansible/roles/base/files/01proxy

@@ -0,0 +1 @@
+Acquire::http::Proxy "http://192.168.21.200:3142";

ansible/roles/base/files/10periodic

@@ -0,0 +1,4 @@
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Download-Upgradeable-Packages "1";
+APT::Periodic::AutocleanInterval "7";
+APT::Periodic::Unattended-Upgrade "1";

ansible/roles/base/files/authorized_keys_user

@@ -0,0 +1,2 @@
+sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGilcndatMrXg06VxtNKuIo3scoyyXbYX8Z7cOjeA102AAAABHNzaDo= desktop-arch-09-08-2025-yubikey
+sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINsbNSZ5Wr+50Ahz+IeZxt6F7gZ6wm1J8uKXQLbdbKFaAAAABHNzaDo= desktop-arch-09-08-2025-yubikeyNano

ansible/roles/base/files/issue

@@ -0,0 +1,4 @@
+Use of this system is restricted to authorized users only, and all use is subjected to an acceptable use policy.
+
+IF YOU ARE NOT AUTHORIZED TO USE THIS SYSTEM, DISCONNECT NOW.
+

ansible/roles/base/files/motd

@@ -0,0 +1,4 @@
+THIS SYSTEM IS FOR AUTHORIZED USE ONLY
+
+All activities are logged and monitored.
+

ansible/roles/base/files/sshd_config_secured

@@ -0,0 +1,95 @@
+# Package generated configuration file
+# See the sshd_config(5) manpage for details
+
+# What ports, IPs and protocols we listen for
+Port 22
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 1024
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin no
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile %h/.ssh/authorized_keys
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Change to no to disable tunnelled clear text passwords
+PasswordAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+X11Forwarding no
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+ClientAliveInterval 300
+
+#enable remote powershell
+#Subsystem powershell /usr/bin/pwsh -sshs -NoLogo
+
+

ansible/roles/base/tasks/main.yaml

@@ -0,0 +1,155 @@
+- name: Copy apt proxy
+  copy: 
+    src: files/01proxy
+    dest: /etc/apt/apt.conf.d/01proxy
+    owner: root 
+    group: root 
+    mode: "0644"
+    force: yes
+  when: 
+    - ansible_os_family == "Debian"      
+    - inventory_hostname not in hosts_deny
+
+- name: Update packages
+  apt:
+    name: '*'
+    state: latest
+    update_cache: yes
+    only_upgrade: yes
+  retries: 300
+  delay: 10
+
+- name: Remove packages not needed anymore
+  apt:
+    autoremove: yes  
+  retries: 300
+  delay: 10      
+      
+- name: Install required packages Debian
+  apt: 
+    state: latest 
+    pkg: "{{ item }}"
+  with_items:  "{{ required_packages }}" 
+  retries: 300
+  delay: 10  
+
+- name: Create user account
+  user: 
+    name: "user"
+    shell: /bin/bash
+    state: present
+    createhome: yes
+
+- name: ensure ssh folder exists for user
+  file: 
+    path: /home/user/.ssh
+    owner: user 
+    group: user 
+    mode: "0700"
+    state: directory
+
+- name: Deploy SSH Key (user)
+  copy:
+    dest: /home/user/.ssh/authorized_keys
+    src: files/authorized_keys_user
+    owner: user 
+    group: user
+    force: true 
+
+- name: Remove Root SSH Configuration
+  file: 
+    path: /root/.ssh
+    state: absent
+
+- name: Copy Secured SSHD Configuration
+  copy: 
+    src: files/sshd_config_secured 
+    dest: /etc/ssh/sshd_config 
+    owner: root 
+    group: root 
+    mode: "0644"
+  when: ansible_os_family == "Debian"   
+
+- name: Copy Secured SSHD Configuration
+  copy: 
+    src: files/sshd_config_secured_redhat 
+    dest: /etc/ssh/sshd_config 
+    owner: root 
+    group: root 
+    mode: "0644"    
+  when: ansible_os_family == "RedHat"   
+
+- name: Restart SSHD
+  systemd:
+    name: sshd
+    daemon_reload: yes
+    state: restarted
+    enabled: yes
+  ignore_errors: yes
+
+
+- name: Copy unattended-upgrades file
+  copy: 
+    src: files/10periodic
+    dest: /etc/apt/apt.conf.d/10periodic 
+    owner: root 
+    group: root 
+    mode: "0644"
+    force: yes
+  when: ansible_os_family == "Debian"      
+
+- name: Remove undesirable packages
+  package:
+    name: "{{ unnecessary_software }}"
+    state: absent
+  when: ansible_os_family == "Debian"    
+
+- name: Stop and disable unnecessary services
+  service:
+    name: "{{ item }}"
+    state: stopped
+    enabled: no
+  with_items: "{{ unnecessary_services }}"
+  ignore_errors: yes
+
+- name: Set a message of the day
+  copy:
+    dest: /etc/motd
+    src: files/motd
+    owner: root
+    group: root
+    mode: 0644
+
+- name: Set a login banner
+  copy:
+    dest: "{{ item }}"
+    src: files/issue
+    owner: root
+    group: root
+    mode: 0644
+  with_items:
+    - /etc/issue
+    - /etc/issue.net
+
+- name: set timezone
+  shell: timedatectl set-timezone America/Chicago
+
+- name: Enable cockpit
+  systemd:
+    name: cockpit
+    daemon_reload: yes
+    state: restarted
+    enabled: yes
+
+- name: change password
+  ansible.builtin.user:
+    name: "user"
+    state: present
+    password: "{{ lookup('ansible.builtin.env', 'USER_PASSWORD') | password_hash('sha512') }}"
+
+- name: add user to sudoers
+  community.general.sudoers:
+    name: user
+    state: present
+    user: user
+    commands: ALL

ansible/roles/base/vars/main.yaml

@@ -0,0 +1,17 @@
+required_packages:
+    - ufw
+    - qemu-guest-agent
+    - fail2ban
+    - unattended-upgrades
+    - cockpit
+    - nfs-common
+    - open-iscsi
+
+unnecessary_services:
+    - postfix
+    - telnet
+    
+unnecessary_software:
+    - tcpdump
+    - nmap-ncat
+    - wpa_supplicant    

argocd/templates/gitlab-runner.yaml

@@ -1,21 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: gitlab-runner
-  namespace: argocd
-spec:
-  project: default
-  source:
-    repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: main
-    path: gitlab-runner
-  destination:
-    namespace: gitlab-runner
-    name: in-cluster
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true  
-    syncOptions:
-      - CreateNamespace=true    
-

argocd/templates/kubeclarity.yaml

@@ -1,20 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: kubeclarity
-  namespace: argocd
-spec:
-  project: default
-  source:
-    repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: main
-    path: kubeclarity
-  destination:
-    namespace: kubeclarity
-    name: in-cluster
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true  
-    syncOptions:
-      - CreateNamespace=true 

argocd/templates/open-webui.yaml

@@ -1,20 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: open-webui
-  namespace: argocd
-spec:
-  project: default
-  source:
-    repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: main
-    path: open-webui
-  destination:
-    namespace: open-webui
-    name: in-cluster
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true  
-    syncOptions:
-      - CreateNamespace=true 

dev/.gitlab/.gitlab-ci.yml

@@ -0,0 +1,95 @@
+stages:
+  - plan
+  - apply
+  - destroy
+
+variables:
+  WORKDIR: $CI_PROJECT_DIR/dev/terraform
+  GITLAB_TF_ADDRESS: ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/terraform/state/dev
+
+image:
+  name: registry.durp.info/opentofu/opentofu:latest
+  entrypoint: [""]
+
+.tf-init:
+  before_script:
+    - cd $WORKDIR
+    - tofu init 
+      -reconfigure 
+      -backend-config="address=${GITLAB_TF_ADDRESS}" 
+      -backend-config="lock_address=${GITLAB_TF_ADDRESS}/lock" 
+      -backend-config="unlock_address=${GITLAB_TF_ADDRESS}/lock"
+      -backend-config="username=gitlab-ci-token" 
+      -backend-config="password=${CI_JOB_TOKEN}"
+      -backend-config="lock_method=POST"
+      -backend-config="unlock_method=DELETE"
+      -backend-config="retry_wait_min=5"
+
+format:
+  stage: .pre
+  allow_failure: false
+  script:
+    - cd $WORKDIR
+    - tofu fmt -diff -check -write=false
+  rules:
+    - changes:
+        - "dev/terraform/*.tf"
+
+validate:
+  stage: .pre
+  allow_failure: false
+  extends: .tf-init
+  script:
+    - tofu validate
+  rules:
+    - changes:
+        - "dev/terraform/*.tf"
+
+plan-dev-infrastructure:
+  stage: plan
+  variables:
+    PLAN: plan.tfplan
+    JSON_PLAN_FILE: tfplan.json
+    ENVIRONMENT_NAME: dev
+  allow_failure: false
+  extends: .tf-init
+  script:
+    - apk add --update curl jq
+    - alias convert_report="jq -r '([.resource_changes[].change.actions?]|flatten)|{\"create\":(map(select(.==\"create\"))|length),\"update\":(map(select(.==\"update\"))|length),\"delete\":(map(select(.==\"delete\"))|length)}'"
+    - tofu plan -out=$PLAN $ARGUMENTS
+    - tofu show --json $PLAN | jq -r '([.resource_changes[].change.actions?]|flatten)|{"create":(map(select(.=="create"))|length),"update":(map(select(.=="update"))|length),"delete":(map(select(.=="delete"))|length)}' > $JSON_PLAN_FILE
+  artifacts:
+    reports:
+      terraform: $WORKDIR/$JSON_PLAN_FILE
+  needs: ["validate","format"]
+  rules:
+    - changes:
+        - "dev/terraform/*.tf"
+
+apply-dev-infrastructure:
+  stage: apply
+  variables:
+    ENVIRONMENT_NAME: dev
+  allow_failure: false
+  extends: .tf-init
+  script:
+    - tofu apply -auto-approve $ARGUMENTS
+  rules:
+    - changes:
+        - "dev/terraform/*.tf"
+      when: manual
+  needs: ["plan-dev-infrastructure"]
+
+destroy-dev-infrastructure:
+  stage: destroy
+  variables:
+    ENVIRONMENT_NAME: dev
+  allow_failure: false
+  extends: .tf-init
+  script:
+    - tofu destroy -auto-approve $ARGUMENTS
+  rules:
+    - changes:
+        - "dev/terraform/*.tf"
+      when: manual
+  needs: ["plan-dev-infrastructure"]

dev/cert-manager/Chart.yaml

@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: cert-manager
   repository: https://charts.jetstack.io
-  version: 1.*.*
+  version: v1.17.2

dev/cert-manager/templates/issuer.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: issuer
+secrets:
+  - name:  issuer-token-lmzpj
+
+---
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: issuer-token-lmzpj
+  annotations:
+    kubernetes.io/service-account.name: issuer
+type: kubernetes.io/service-account-token

dev/cert-manager/templates/secretvault.yaml

@@ -0,0 +1,22 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: cloudflare-api-token-secret
+spec:
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: cloudflare-api-token-secret
+  data:
+  - secretKey: cloudflare-api-token-secret
+    remoteRef:
+      key: kv/cert-manager
+      property: cloudflare-api-token-secret
+
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault

dev/cert-manager/values.yaml

@@ -0,0 +1,26 @@
+cert-manager:
+  crds:
+    enabled: true
+  image:
+    registry: registry.internal.durp.info
+    repository: jetstack/cert-manager-controller
+    pullPolicy: Always
+  replicaCount: 3
+  extraArgs:
+    - --dns01-recursive-nameservers=1.1.1.1:53,1.0.0.1:53
+    - --dns01-recursive-nameservers-only
+  podDnsPolicy: None
+  podDnsConfig:
+    nameservers:
+      - "1.1.1.1"
+      - "1.0.0.1"
+  webhook:
+    image:
+      registry: registry.internal.durp.info
+      repository: jetstack/cert-manager-webhook
+      pullPolicy: Always  
+  cainjector:
+    image:
+      registry: registry.internal.durp.info
+      repository: jetstack/cert-manager-cainjector
+      pullPolicy: Always

dev/external-dns/Chart.yaml

@@ -9,4 +9,4 @@ appVersion: 0.0.1
 dependencies:
 - name: external-dns
   repository: https://charts.bitnami.com/bitnami
-  version: 6.20.3
+  version: 8.9.2

dev/external-dns/templates/secrets.yaml

@@ -0,0 +1,30 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: external-dns-secret
+spec:
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: external-dns
+  data:
+  - secretKey: cloudflare_api_email
+    remoteRef:
+      key: kv/cloudflare
+      property: cloudflare_api_email
+  - secretKey: cloudflare_api_key
+    remoteRef:
+      key: kv/cloudflare
+      property: cloudflare_api_key
+  - secretKey: cloudflare_api_token
+    remoteRef:
+      key: kv/cloudflare
+      property: cloudflare_api_token
+
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault

dev/external-dns/values.yaml

@@ -0,0 +1,18 @@
+external-dns:
+  global:
+    imageRegistry: "registry.durp.info"
+
+  image:
+    pullPolicy: Always
+
+  txtPrefix: "dmz-"
+
+  sources:
+    - service
+    
+  provider: cloudflare
+  cloudflare:
+    secretName : "external-dns"
+    proxied: false
+
+  policy: sync

dev/external-secrets/Chart.yaml

@@ -0,0 +1,11 @@
+apiVersion: v2
+name: external-secrets
+description: A Helm chart for Kubernetes
+type: application
+version: 0.0.1
+appVersion: 0.0.1
+
+dependencies:
+- name: external-secrets
+  repository: https://charts.external-secrets.io
+  version: 0.17.0

dev/external-secrets/templates/ca.yaml

@@ -0,0 +1,81 @@
+apiVersion: v1
+data:
+  vault.pem: |
+    -----BEGIN CERTIFICATE-----
+    MIIEszCCA5ugAwIBAgIUZEzzxqEuYiKHkL1df+Cb22NRRJMwDQYJKoZIhvcNAQEL
+    BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzIyMzQ0MloXDTM1MDEy
+    MTExMTU1NVowIDEeMBwGA1UEAxMVdmF1bHQuaW5mcmEuZHVycC5pbmZvMIIBIjAN
+    BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkZM0ue4bMcmmATs+kGYSpR2hLUzq
+    scGIwCtqmaKCMbd1xhmgjnIR3zvSRptLR2GVGvc1ti6qby0jXYvcqbxkHvay00zW
+    2zYN+M2m4lXpuWzg1t6NEoO6XGAsGj2v0vcVktPPU9uj0rGUVGWWfsvjoXqQFg5I
+    jdxsxK9SvMvw2XtE3FgKxpzCyw94InIHlcPwFTO+3ZdKStZlMbUDIkmszLBrWFcr
+    XOsPDfLxqMy0Ck//LKIt8djh3254FHB1GG5+kI+JSW1o+tUcL2NymvIINwm/2acS
+    1uTm+j9W7iEXav0pJNmm+/dzSskc3Y0ftM0h2HCXgitBIaEZnUVneNHOLwIDAQAB
+    o4IB7zCCAeswDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O
+    BBYEFCaQ2q7j7LyBGETEZ5qaJAdlISKCMB8GA1UdIwQYMBaAFO1jCyGkpFO+QiR2
+    dfBMWVYeWrQ2MIH0BggrBgEFBQcBAQSB5zCB5DAzBggrBgEFBQcwAYYnaHR0cHM6
+    Ly8xOTIuMTY4LjIwLjI1Mzo4MjAxL3YxL3BraS9vY3NwMD0GCCsGAQUFBzABhjFo
+    dHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3BraS9vY3Nw
+    MDEGCCsGAQUFBzAChiVodHRwczovLzE5Mi4xNjguMjAuMjUzOjgyMDEvdjEvcGtp
+    L2NhMDsGCCsGAQUFBzAChi9odHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVy
+    cC5pbmZvL3YxL3BraS9jYTAgBgNVHREEGTAXghV2YXVsdC5pbmZyYS5kdXJwLmlu
+    Zm8wbwYDVR0fBGgwZjAsoCqgKIYmaHR0cHM6Ly8xOTIuMTY4LjIwLjI1Mzo4MjAx
+    L3YxL3BraS9jcmwwNqA0oDKGMGh0dHBzOi8vcm9vdC12YXVsdC5pbnRlcm5hbC5k
+    dXJwLmluZm8vdjEvcGtpL2NybDANBgkqhkiG9w0BAQsFAAOCAQEAuJ+lplY/+A5L
+    5LzkljbKDTy3U6PLv1LtxqVCOFGiJXBnXMjtVW07bBEUadzFRNW8GHQ3w5QzOG6k
+    /vE/TrrJho7l05J/uc+BUrPSNjefLmQV6hn4jrP86PR0vzRfbSqKKBIID9M7+zi6
+    GFvHlVkSHsQyMQp7JOoax9KVzW2Y+OIgw7Lgw2tP122WCt2SIF0QenoZHsoW0guj
+    tzTJRmJDjn6XeJ7L3FPkf37H6ub0Jg3zBGr6eorEFfYZNN5CXezjqMFBpRdq4UIo
+    1M3A7o3uyZFcFsp/vGDcMBkwaCsBV9idu/HwkvGaTUNI285ilBORPD0bMZnACq/9
+    +Q/cdsO5lg==
+    -----END CERTIFICATE-----
+    -----BEGIN CERTIFICATE-----
+    MIIEmzCCA4OgAwIBAgIUQwCAs82sgSuiaVbjANHScO2DSfAwDQYJKoZIhvcNAQEL
+    BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzExMjEyNVoXDTM1MDEy
+    MTExMTU1NVowFDESMBAGA1UEAxMJZHVycC5pbmZvMIIBIjANBgkqhkiG9w0BAQEF
+    AAOCAQ8AMIIBCgKCAQEAn9fjGRqqFsqguz56X6cXZwEMtD9wElwSFCb4Fc8YTzlH
+    4fV13QwXKESLE/Q+7bw4y4FJQ8BiGNbxxbQOOgWhfGGlQyFa1lfhJtYLfqRN5C2/
+    S7nr0YxDB9duc4OAExVL6Pr4/Koc+vDZY03l7RzwnF2AOM9DjFTASw01TphCQjRk
+    U+upiN2TUhUPejV/gMR+zXM6pn98UBKG1dNubS0HzAMwAEXAPm141NDyWUCPT9+3
+    6P03Ka8mUTx3X49OCtvJEGEQbtlnTFQaOSkP1yLW+XRMHw3sQaV2PWXu5fInbEpZ
+    +SuzmgLOXtmQNmHLav9q1qeTVkpBGPWvfh2Vh1JJhQIDAQABo4IB4zCCAd8wDgYD
+    VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFJaP17f1Zw0V
+    55Ks9Uf0USVWl0BPMB8GA1UdIwQYMBaAFO1jCyGkpFO+QiR2dfBMWVYeWrQ2MIH0
+    BggrBgEFBQcBAQSB5zCB5DAzBggrBgEFBQcwAYYnaHR0cHM6Ly8xOTIuMTY4LjIw
+    LjI1Mzo4MjAxL3YxL3BraS9vY3NwMD0GCCsGAQUFBzABhjFodHRwczovL3Jvb3Qt
+    dmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3BraS9vY3NwMDEGCCsGAQUFBzAC
+    hiVodHRwczovLzE5Mi4xNjguMjAuMjUzOjgyMDEvdjEvcGtpL2NhMDsGCCsGAQUF
+    BzAChi9odHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3Br
+    aS9jYTAUBgNVHREEDTALgglkdXJwLmluZm8wbwYDVR0fBGgwZjAsoCqgKIYmaHR0
+    cHM6Ly8xOTIuMTY4LjIwLjI1Mzo4MjAxL3YxL3BraS9jcmwwNqA0oDKGMGh0dHBz
+    Oi8vcm9vdC12YXVsdC5pbnRlcm5hbC5kdXJwLmluZm8vdjEvcGtpL2NybDANBgkq
+    hkiG9w0BAQsFAAOCAQEAiqAZ4zNIEkCWcvpDRq0VyJuk59sVtJr5X4FscHQ179nE
+    QbbvMe+EBDFS6XQml1Elj8jiPa/D5O9Oc6Iisnm5+weZKwApz/lQ+XVkWLCoEplB
+    ZZ9fcWVCbMLt0xlt8qn5z/mYKfbCT7ZCqDO+prQZt+ADJcQbiknfroAAqEbNKxwN
+    Y9uUyOWNF3SxJEch4w2dtX+IEVmxeZnhMy8OuP0SQKl8aW40ugiG0ZD5yTBBfOD9
+    zsrGSU/iSatn0b7bevBhaL96hz1/rNR1cL+4/albX2hrr8Rv3/SB2DLtNQlQW0ls
+    AfhXAqP5zL+Ytgf1Of/pVdgnhxrYUY7RKCSGY5Hagw==
+    -----END CERTIFICATE-----
+    -----BEGIN CERTIFICATE-----
+    MIIDLzCCAhegAwIBAgIUNHdvOzam2HPVdwXpMHUy4wl8ZRYwDQYJKoZIhvcNAQEL
+    BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzExMTUyNVoXDTM1MDEy
+    MTExMTU1NVowFDESMBAGA1UEAxMJZHVycC5pbmZvMIIBIjANBgkqhkiG9w0BAQEF
+    AAOCAQ8AMIIBCgKCAQEA8XDTVEtRI3+k4yuvqVqfIiLRQJcXbmhfVtAeYk+5j9Ox
+    p1w9YHdnPLqLFrD1PzadjqYeAp/fwlEFfs6lqwoTS8S9vhaFqcgB57nVMb77dTBb
+    /08XHXOU6FPRjdFKm5QMpS7tn1XacPMy/o0bKqRREQeiuFDGVRyuF5PUgvWc1dvJ
+    l27JvvgYktgjfpNS4DlCxg4lGXT5abvaKf2hnr65egaIo/yRWN9wnvAzRiY7oci7
+    GA1oKz87Yc1tfL2gcynrwccOOCF/eUKesJR1I6GXNkN/a1fcr+Ld9Z9NhHBtO+vE
+    N8DsZY+kG7DE3M4BCCTFUzllcYHjaW4HaF9vZW+PYwIDAQABo3kwdzAOBgNVHQ8B
+    Af8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU7WMLIaSkU75CJHZ1
+    8ExZVh5atDYwHwYDVR0jBBgwFoAU7WMLIaSkU75CJHZ18ExZVh5atDYwFAYDVR0R
+    BA0wC4IJZHVycC5pbmZvMA0GCSqGSIb3DQEBCwUAA4IBAQAS/qUI/1Yv07xUTK5k
+    r93kC7GSPpmpkXIsfjChAl93sebN143fu70NUP74jjCc0Wkb8hRofGg10E+/24r1
+    AI0KsLhzKzfIASxUVQAn8RTptLruaaPLboSA4MUZ8IB5y8Vy8E3/KtD0gD80j64Y
+    rm9XGHA0HTJHbPUTb/Rux2g0E7WtiyWSWH8mqzbegU8IrkM3eVT4+ylBE7YkfWDD
+    dw44sB71tfmDKpzWg6XQ6YMh0YfnyG1fYCj9LhuecNY9Uuo6cjDaAvkzMewWwqDx
+    Q2Ekas98Di6itCP8vET+gBDjeCc+XR6Hx6vzWmxlZhwDuxEKL1a2/DabUxJyMNzv
+    55Fn
+    -----END CERTIFICATE-----
+kind: ConfigMap
+metadata:
+  name: ca-pemstore

dev/external-secrets/values.yaml

@@ -0,0 +1,94 @@
+external-secrets:
+  replicaCount: 3
+  revisionHistoryLimit: 1
+  leaderElect: true
+
+  installCRDs: true
+  crds:
+    createClusterExternalSecret: true
+    createClusterSecretStore: true
+    createClusterGenerator: true
+    createPushSecret: true
+    conversion:
+      enabled: false
+
+  image:
+    repository: registry.durp.info/external-secrets/external-secrets
+    pullPolicy: Always
+
+  extraVolumes: 
+    - name: ca-pemstore
+      configMap:
+        name: ca-pemstore
+
+  extraVolumeMounts: 
+    - name: ca-pemstore
+      mountPath: /etc/ssl/certs/vault.pem
+      subPath: vault.pem
+      readOnly: true
+
+  resources: 
+    requests:
+      memory: 32Mi
+      cpu: 10m
+    limits:
+      memory: 32Mi
+      cpu: 10m
+
+  webhook:
+    create: false
+    failurePolicy: Ignore
+    log:
+      level: debug
+    image:
+      repository: registry.durp.info/external-secrets/external-secrets
+      pullPolicy: Always
+
+    extraVolumes: 
+      - name: ca-pemstore
+        configMap:
+          name: ca-pemstore
+
+    extraVolumeMounts: 
+      - name: ca-pemstore
+        mountPath: /etc/ssl/certs/vault.pem
+        subPath: vault.pem
+        readOnly: true
+
+    resources: 
+      requests:
+        memory: 32Mi
+        cpu: 10m
+      limits:
+        memory: 32Mi
+        cpu: 10m
+
+  certController:
+    create: false
+    revisionHistoryLimit: 1
+    log:
+      level: debug
+
+    image:
+      repository: registry.durp.info/external-secrets/external-secrets
+      pullPolicy: Always
+      tag: ""
+
+    resources: 
+      requests:
+        memory: 32Mi
+        cpu: 10m
+      limits:
+        memory: 32Mi
+        cpu: 10m
+
+    extraVolumes: 
+      - name: ca-pemstore
+        configMap:
+          name: ca-pemstore
+
+    extraVolumeMounts: 
+      - name: ca-pemstore
+        mountPath: /etc/ssl/certs/vault.pem
+        subPath: vault.pem
+        readOnly: true

dev/metallb-system/Chart.yaml

@@ -0,0 +1,12 @@
+apiVersion: v2
+name: metallb-system
+description: A Helm chart for Kubernetes
+type: application
+
+version: 0.1.0
+appVersion: "1.16.0"
+
+dependencies:
+- name: metallb
+  repository: https://metallb.github.io/metallb
+  version: 0.15.2

dev/metallb-system/templates/config.yaml

@@ -0,0 +1,17 @@
+apiVersion: metallb.io/v1beta1
+kind: IPAddressPool
+metadata:
+  name: cheap
+spec:
+  addresses:
+    - 192.168.10.130-192.168.10.140
+---
+apiVersion: metallb.io/v1beta1
+kind: L2Advertisement
+metadata:
+  name: pool
+  namespace: metallb-system
+spec:
+  ipAddressPools:
+  - cheap
+

dev/terraform/k3s.tf

@@ -0,0 +1,115 @@
+resource "proxmox_vm_qemu" "k3smaster" {
+  count       = local.k3smaster.count
+  ciuser      = "administrator"
+  vmid        = "${local.vlan}${local.k3smaster.ip[count.index]}"
+  name        = local.k3smaster.name[count.index]
+  target_node = local.k3smaster.node[count.index]
+  clone       = local.template
+  tags        = local.k3smaster.tags
+  qemu_os     = "l26"
+  full_clone  = true
+  os_type     = "cloud-init"
+  agent       = 1
+  cores       = local.k3smaster.cores
+  sockets     = 1
+  cpu_type    = "host"
+  memory      = local.k3smaster.memory
+  scsihw      = "virtio-scsi-pci"
+  #bootdisk    = "scsi0"
+  boot    = "order=virtio0"
+  onboot  = true
+  sshkeys = local.sshkeys
+  vga {
+    type = "serial0"
+  }
+  serial {
+    id   = 0
+    type = "socket"
+  }
+  disks {
+    ide {
+      ide2 {
+        cloudinit {
+          storage = local.k3smaster.storage
+        }
+      }
+    }
+    virtio {
+      virtio0 {
+        disk {
+          size    = local.k3smaster.drive
+          format  = local.format
+          storage = local.k3smaster.storage
+        }
+      }
+    }
+  }
+  network {
+    id     = 0
+    model  = "virtio"
+    bridge = "vmbr0"
+    tag    = local.vlan
+  }
+  #Cloud Init Settings
+  ipconfig0    = "ip=192.168.${local.vlan}.${local.k3smaster.ip[count.index]}/24,gw=192.168.${local.vlan}.1"
+  searchdomain = "durp.loc"
+  nameserver   = local.dnsserver
+}
+
+resource "proxmox_vm_qemu" "k3sserver" {
+  count       = local.k3sserver.count
+  ciuser      = "administrator"
+  vmid        = "${local.vlan}${local.k3sserver.ip[count.index]}"
+  name        = local.k3sserver.name[count.index]
+  target_node = local.k3sserver.node[count.index]
+  clone       = local.template
+  tags        = local.k3sserver.tags
+  qemu_os     = "l26"
+  full_clone  = true
+  os_type     = "cloud-init"
+  agent       = 1
+  cores       = local.k3sserver.cores
+  sockets     = 1
+  cpu_type    = "host"
+  memory      = local.k3sserver.memory
+  scsihw      = "virtio-scsi-pci"
+  #bootdisk    = "scsi0"
+  boot    = "order=virtio0"
+  onboot  = true
+  sshkeys = local.sshkeys
+  vga {
+    type = "serial0"
+  }
+  serial {
+    id   = 0
+    type = "socket"
+  }
+  disks {
+    ide {
+      ide2 {
+        cloudinit {
+          storage = local.k3sserver.storage
+        }
+      }
+    }
+    virtio {
+      virtio0 {
+        disk {
+          size    = local.k3sserver.drive
+          format  = local.format
+          storage = local.k3sserver.storage
+        }
+      }
+    }
+  }
+  network {
+    id     = 0
+    model  = "virtio"
+    bridge = "vmbr0"
+    tag    = local.vlan
+  }
+  #Cloud Init Settings
+  ipconfig0    = "ip=192.168.${local.vlan}.${local.k3sserver.ip[count.index]}/24,gw=192.168.${local.vlan}.1"
+  searchdomain = "durp.loc"
+  nameserver   = local.dnsserver
+}

dev/terraform/main.tf

@@ -0,0 +1,48 @@
+terraform {
+  backend "http" {}
+  required_providers {
+    proxmox = {
+      source  = "Telmate/proxmox"
+      version = "3.0.1-rc9"
+    }
+  }
+}
+
+provider "proxmox" {
+  pm_parallel     = 1
+  pm_tls_insecure = true
+  pm_api_url      = var.pm_api_url
+  pm_user         = var.pm_user
+  pm_password     = var.pm_password
+  pm_debug        = false
+}
+
+locals {
+  sshkeys   = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDEphzWgwUZnvL6E5luKLt3WO0HK7Kh63arSMoNl5gmjzXyhG1DDW0OKfoIl0T+JZw/ZjQ7iii6tmSLFRk6nuYCldqe5GVcFxvTzX4/xGEioAyG0IiUGKy6s+9xzO8QXF0EtSNPH0nfHNKcCjgwWAzM+Lt6gW0Vqs+aU5ICuDiEchmvYPz+rBaVldJVTG7m3ogKJ2aIF7HU/pCPp5l0E9gMOw7s0ABijuc3KXLEWCYgL39jIST6pFH9ceRLmu8Xy5zXHAkkEEauY/e6ld0hlzLadiUD7zYJMdDcm0oRvenYcUlaUl9gS0569IpfsJsjCejuqOxCKzTHPJDOT0f9TbIqPXkGq3s9oEJGpQW+Z8g41BqRpjBCdBk+yv39bzKxlwlumDwqgx1WP8xxKavAWYNqNRG7sBhoWwtxYEOhKXoLNjBaeDRnO5OY5AQJvONWpuByyz0R/gTh4bOFVD+Y8WWlKbT4zfhnN70XvapRsbZiaGhJBPwByAMGg6XxSbC6xtbyligVGCEjCXbTLkeKq1w0DuItY+FBGO3J2k90OiciTVSeyiVz9J/Y03UB0gHdsMCoVNrj+9QWfrTLDhM7D5YrXUt5nj2LQTcbtf49zoQXWxUhozlg42E/FJU/Yla7y55qWizAEVyP2/Ks/PHrF679k59HNd2IJ/aicA9QnmWtLQ== ansible"
+  template  = "Debian12-Template"
+  format    = "raw"
+  dnsserver = "192.168.10.1"
+  vlan      = 10
+  k3smaster = {
+    tags    = "k3s_dev"
+    count   = 3
+    name    = ["master01-dev", "master02-dev", "master03-dev"]
+    cores   = 2
+    memory  = "4096"
+    drive   = 20
+    storage = "cache-domains"
+    node    = ["mothership", "overlord", "vanguard"]
+    ip      = ["11", "12", "13"]
+  }
+  k3sserver = {
+    tags    = "k3s_dev"
+    count   = 3
+    name    = ["node01-dev", "node02-dev", "node03-dev"]
+    cores   = 4
+    memory  = "8192"
+    drive   = 120
+    storage = "cache-domains"
+    node    = ["mothership", "overlord", "vanguard"]
+    ip      = ["21", "22", "23"]
+  }
+}

dev/terraform/variables.tf

@@ -0,0 +1,14 @@
+variable "pm_api_url" {
+  description = "API URL to Proxmox provider"
+  type        = string
+}
+
+variable "pm_password" {
+  description = "Passowrd to Proxmox provider"
+  type        = string
+}
+
+variable "pm_user" {
+  description = "Username to Proxmox provider"
+  type        = string
+}

dev/traefik/Chart.yaml

@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: traefik
   repository: https://traefik.github.io/charts
-  version: 22.1.0
+  version: 34.5.0

dev/traefik/values.yaml

@@ -0,0 +1,58 @@
+traefik:
+  image:
+    #    registry: registry.durp.info
+    #    repository: traefik
+    pullPolicy: Always
+
+  providers:
+    kubernetesCRD:
+      allowCrossNamespace: true
+      allowExternalNameServices: true
+      allowEmptyServices: false
+
+  deployment:
+    replicas: 3
+    revisionHistoryLimit: 1
+
+  # volumes:
+  #   - name: traefik-configmap
+  #     mountPath: "/config"
+  #     type: configMap
+
+  ingressRoute:
+    dashboard:
+      enabled: true
+
+  additionalArguments:
+    #  - "--providers.file.filename=/config/config.yml"
+    - "--serversTransport.insecureSkipVerify=true"
+    - "--log.level=DEBUG"
+    - --experimental.plugins.jwt.moduleName=github.com/traefik-plugins/traefik-jwt-plugin
+    - --experimental.plugins.jwt.version=v0.7.0
+
+  autoscaling:
+    enabled: true
+    minReplicas: 3
+    maxReplicas: 10
+    metrics:
+      - type: Resource
+        resource:
+          name: cpu
+          target:
+            type: Utilization
+            averageUtilization: 80
+    behavior:
+      scaleDown:
+        stabilizationWindowSeconds: 300
+        policies:
+          - type: Pods
+            value: 1
+            periodSeconds: 60
+
+  # -- [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for `traefik` container.
+  resources:
+    requests:
+      cpu: "100m"
+      memory: "512Mi"
+    limits:
+      memory: "512Mi"

dev/vault/Chart.yaml

@@ -8,5 +8,5 @@ appVersion: 0.0.1
 dependencies:
 - name: vault
   repository: https://helm.releases.hashicorp.com  
-  version: 0.27.0
+  version: 0.30.0
 

dev/vault/templates/secret-store.yaml

@@ -0,0 +1,23 @@
+apiVersion: external-secrets.io/v1
+kind: ClusterSecretStore
+metadata:
+  name: vault
+spec:
+  provider:
+    vault:
+      server: "https://vault.infra.durp.info"
+      path: "kv"
+      version: "v2"
+      auth:
+        kubernetes:
+          mountPath: "dmz-cluster"
+          role: "external-secrets"
+          serviceAccountRef:
+            name: "vault"
+
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault

dev/vault/values.yaml

@@ -0,0 +1,13 @@
+vault:
+  global:
+    enabled: true
+    tlsDisable: false
+    externalVaultAddr: "https://vault.infra.durp.info"
+    resources:
+      requests:
+        memory: 256Mi
+        cpu: 250m
+      limits:
+        memory: 256Mi
+        cpu: 250m
+  

dmz/.gitlab/.gitlab-ci.yml

@@ -0,0 +1,95 @@
+stages:
+  - plan
+  - apply
+  - destroy
+
+variables:
+  WORKDIR: $CI_PROJECT_DIR/dmz/terraform
+  GITLAB_TF_ADDRESS: ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/terraform/state/dmz
+
+image:
+  name: registry.durp.info/opentofu/opentofu:latest
+  entrypoint: [""]
+
+.tf-init:
+  before_script:
+    - cd $WORKDIR
+    - tofu init 
+      -reconfigure 
+      -backend-config="address=${GITLAB_TF_ADDRESS}" 
+      -backend-config="lock_address=${GITLAB_TF_ADDRESS}/lock" 
+      -backend-config="unlock_address=${GITLAB_TF_ADDRESS}/lock"
+      -backend-config="username=gitlab-ci-token" 
+      -backend-config="password=${CI_JOB_TOKEN}"
+      -backend-config="lock_method=POST"
+      -backend-config="unlock_method=DELETE"
+      -backend-config="retry_wait_min=5"
+
+format:
+  stage: .pre
+  allow_failure: false
+  script:
+    - cd $WORKDIR
+    - tofu fmt -diff -check -write=false
+  rules:
+    - changes:
+        - "dmz/terraform/*.tf"
+
+validate:
+  stage: .pre
+  allow_failure: false
+  extends: .tf-init
+  script:
+    - tofu validate
+  rules:
+    - changes:
+        - "dmz/terraform/*.tf"
+
+plan-dmz-infrastructure:
+  stage: plan
+  variables:
+    PLAN: plan.tfplan
+    JSON_PLAN_FILE: tfplan.json
+    ENVIRONMENT_NAME: dmz
+  allow_failure: false
+  extends: .tf-init
+  script:
+    - apk add --update curl jq
+    - alias convert_report="jq -r '([.resource_changes[].change.actions?]|flatten)|{\"create\":(map(select(.==\"create\"))|length),\"update\":(map(select(.==\"update\"))|length),\"delete\":(map(select(.==\"delete\"))|length)}'"
+    - tofu plan -out=$PLAN $ARGUMENTS
+    - tofu show --json $PLAN | jq -r '([.resource_changes[].change.actions?]|flatten)|{"create":(map(select(.=="create"))|length),"update":(map(select(.=="update"))|length),"delete":(map(select(.=="delete"))|length)}' > $JSON_PLAN_FILE
+  artifacts:
+    reports:
+      terraform: $WORKDIR/$JSON_PLAN_FILE
+  needs: ["validate","format"]
+  rules:
+    - changes:
+        - "dmz/terraform/*.tf"
+
+apply-dmz-infrastructure:
+  stage: apply
+  variables:
+    ENVIRONMENT_NAME: dmz
+  allow_failure: false
+  extends: .tf-init
+  script:
+    - tofu apply -auto-approve $ARGUMENTS
+  rules:
+    - changes:
+        - "dmz/terraform/*.tf"
+      when: manual
+  needs: ["plan-dmz-infrastructure"]
+
+destroy-dmz-infrastructure:
+  stage: destroy
+  variables:
+    ENVIRONMENT_NAME: dmz
+  allow_failure: false
+  extends: .tf-init
+  script:
+    - tofu destroy -auto-approve $ARGUMENTS
+  rules:
+    - changes:
+        - "dmz/terraform/*.tf"
+      when: manual
+  needs: ["plan-dmz-infrastructure"]

dmz/authentik/Chart.yaml

@@ -0,0 +1,12 @@
+apiVersion: v2
+name: authentik
+description: A Helm chart for Kubernetes
+type: application
+
+version: 0.1.0
+appVersion: "1.16.0"
+
+dependencies:
+  - name: authentik-remote-cluster
+    repository: https://charts.goauthentik.io
+    version: 2.1.0

dmz/authentik/templates/ingress.yaml

@@ -1,4 +1,18 @@
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: authentik-tls
+spec:
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  secretName: authentik-tls
+  commonName: "authentik.durp.info"
+  dnsNames:
+    - "authentik.durp.info"
+
+---
+apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
   name: authentik-ingress
@@ -6,31 +20,15 @@ spec:
   entryPoints:
     - websecure
   routes:
-  - match: Host(`authentik.durp.info`) && PathPrefix(`/`) 
-    kind: Rule
-    services:
-    - name: authentik-server
-      port: 80
+    - match: Host(`authentik.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      services:
+        - name: infra-cluster
+          port: 443
   tls:
     secretName: authentik-tls
 
 ---
-
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: authentik-tls
-spec:
-  secretName: authentik-tls
-  issuerRef:
-    name: letsencrypt-production
-    kind: ClusterIssuer
-  commonName: "authentik.durp.info"
-  dnsNames:
-  - "authentik.durp.info" 
-
----
-
 kind: Service
 apiVersion: v1
 metadata:
@@ -40,3 +38,25 @@ metadata:
 spec:
   type: ExternalName
   externalName: durp.info
+
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: infra-cluster
+subsets:
+  - addresses:
+      - ip: 192.168.12.130
+    ports:
+      - port: 443
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: infra-cluster
+spec:
+  ports:
+    - protocol: TCP
+      port: 443
+      targetPort: 443

dmz/authentik/values.yaml

@@ -0,0 +1,30 @@
+authentik-remote-cluster:
+  # -- Provide a name in place of `authentik`. Prefer using global.nameOverride if possible
+  nameOverride: ""
+  # -- String to fully override `"authentik.fullname"`. Prefer using global.fullnameOverride if possible
+  fullnameOverride: ""
+  # -- Override the Kubernetes version, which is used to evaluate certain manifests
+  kubeVersionOverride: ""
+
+  ## Globally shared configuration for authentik components.
+  global:
+    # -- Provide a name in place of `authentik`
+    nameOverride: ""
+    # -- String to fully override `"authentik.fullname"`
+    fullnameOverride: ""
+    # -- A custom namespace to override the default namespace for the deployed resources.
+    namespaceOverride: ""
+    # -- Common labels for all resources.
+    additionalLabels: {}
+      # app: authentik
+
+  # -- Annotations to apply to all resources
+  annotations: {}
+
+  serviceAccountSecret:
+    # -- Create a secret with the service account credentials
+    enabled: true
+
+  clusterRole:
+    # -- Create a clusterole in addition to a namespaced role.
+    enabled: true

dmz/cert-manager/Chart.yaml

@@ -0,0 +1,11 @@
+apiVersion: v2
+name: cert-manager
+description: A Helm chart for Kubernetes
+type: application
+version: 0.0.1
+appVersion: 0.0.1
+
+dependencies:
+- name: cert-manager
+  repository: https://charts.jetstack.io
+  version: v1.17.2

dmz/cert-manager/templates/issuer.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: issuer
+secrets:
+  - name:  issuer-token-lmzpj
+
+---
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: issuer-token-lmzpj
+  annotations:
+    kubernetes.io/service-account.name: issuer
+type: kubernetes.io/service-account-token

dmz/cert-manager/templates/secretvault.yaml

@@ -0,0 +1,22 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: cloudflare-api-token-secret
+spec:
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: cloudflare-api-token-secret
+  data:
+  - secretKey: cloudflare-api-token-secret
+    remoteRef:
+      key: kv/cert-manager
+      property: cloudflare-api-token-secret
+
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault

dmz/cert-manager/values.yaml

@@ -0,0 +1,31 @@
+cert-manager:
+  crds:
+    enabled: true
+  image:
+    registry: registry.durp.info
+    repository: jetstack/cert-manager-controller
+    pullPolicy: Always
+  replicaCount: 3
+  extraArgs:
+    - --dns01-recursive-nameservers=1.1.1.1:53,1.0.0.1:53
+    - --dns01-recursive-nameservers-only
+  podDnsPolicy: None
+  podDnsConfig:
+    nameservers:
+      - "1.1.1.1"
+      - "1.0.0.1"
+  webhook:
+    image:
+      registry: registry.durp.info
+      repository: jetstack/cert-manager-webhook
+      pullPolicy: Always  
+  cainjector:
+    image:
+      registry: registry.durp.info
+      repository: jetstack/cert-manager-cainjector
+      pullPolicy: Always
+
+  hostAliases: 
+  - ip: 192.168.12.130
+    hostnames:
+    - vault.infra.durp.info

dmz/crowdsec/Chart.yaml

@@ -0,0 +1,11 @@
+apiVersion: v2
+name: crowdsec
+description: A Helm chart for Kubernetes
+type: application
+version: 0.0.1
+appVersion: 0.0.1
+
+dependencies:
+  - name: crowdsec
+    repository: https://crowdsecurity.github.io/helm-charts
+    version: 0.19.4

dmz/crowdsec/templates/secrets.yaml

@@ -0,0 +1,29 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: enroll-key
+spec:
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: enroll-key
+  data:
+    - secretKey: ENROLL_INSTANCE_NAME
+      remoteRef:
+        key: kv/crowdsec/dmz-enroll
+        property: ENROLL_INSTANCE_NAME
+    - secretKey: ENROLL_KEY
+      remoteRef:
+        key: kv/crowdsec/dmz-enroll
+        property: ENROLL_KEY
+    - secretKey: ENROLL_TAGS
+      remoteRef:
+        key: kv/crowdsec/dmz-enroll
+        property: ENROLL_TAGS
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault

dmz/crowdsec/values.yaml

@@ -0,0 +1,24 @@
+crowdsec:
+  #
+  image:
+    repository: registry.durp.info/crowdsecurity/crowdsec
+    pullPolicy: Always
+
+  # for raw logs format: json or cri (docker|containerd)
+  container_runtime: containerd
+  agent:
+    # Specify each pod whose logs you want to process
+    acquisition:
+      # The namespace where the pod is located
+      - namespace: traefik
+        # The pod name
+        podName: traefik-*
+        # as in crowdsec configuration, we need to specify the program name to find a matching parser
+        program: traefik
+    env:
+      - name: COLLECTIONS
+        value: "crowdsecurity/traefik"
+  lapi:
+    envFrom:
+      - secretRef:
+          name: enroll-key

dmz/external-dns/Chart.yaml

@@ -0,0 +1,12 @@
+
+apiVersion: v2
+name: external-dns
+description: A Helm chart for Kubernetes
+type: application
+version: 0.0.1
+appVersion: 0.0.1
+
+dependencies:
+- name: external-dns
+  repository: https://charts.bitnami.com/bitnami
+  version: 8.9.2

dmz/external-dns/templates/secrets.yaml

@@ -0,0 +1,30 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: external-dns-secret
+spec:
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: external-dns
+  data:
+  - secretKey: cloudflare_api_email
+    remoteRef:
+      key: kv/cloudflare
+      property: cloudflare_api_email
+  - secretKey: cloudflare_api_key
+    remoteRef:
+      key: kv/cloudflare
+      property: cloudflare_api_key
+  - secretKey: cloudflare_api_token
+    remoteRef:
+      key: kv/cloudflare
+      property: cloudflare_api_token
+
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault

dmz/external-dns/values.yaml

@@ -0,0 +1,20 @@
+external-dns:
+  global:
+    imageRegistry: "registry.durp.info"
+    security:
+      allowInsecureImages: true
+
+  image:
+    pullPolicy: Always
+
+  txtPrefix: "dmz-"
+
+  sources:
+    - service
+
+  provider: cloudflare
+  cloudflare:
+    secretName: "external-dns"
+    proxied: false
+
+  policy: sync

dmz/external-secrets/Chart.yaml

@@ -0,0 +1,11 @@
+apiVersion: v2
+name: external-secrets
+description: A Helm chart for Kubernetes
+type: application
+version: 0.0.1
+appVersion: 0.0.1
+
+dependencies:
+  - name: external-secrets
+    repository: https://charts.external-secrets.io
+    version: 0.17.0

dmz/external-secrets/templates/ca.yaml

@@ -0,0 +1,81 @@
+apiVersion: v1
+data:
+  vault.pem: |
+    -----BEGIN CERTIFICATE-----
+    MIIEszCCA5ugAwIBAgIUZEzzxqEuYiKHkL1df+Cb22NRRJMwDQYJKoZIhvcNAQEL
+    BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzIyMzQ0MloXDTM1MDEy
+    MTExMTU1NVowIDEeMBwGA1UEAxMVdmF1bHQuaW5mcmEuZHVycC5pbmZvMIIBIjAN
+    BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkZM0ue4bMcmmATs+kGYSpR2hLUzq
+    scGIwCtqmaKCMbd1xhmgjnIR3zvSRptLR2GVGvc1ti6qby0jXYvcqbxkHvay00zW
+    2zYN+M2m4lXpuWzg1t6NEoO6XGAsGj2v0vcVktPPU9uj0rGUVGWWfsvjoXqQFg5I
+    jdxsxK9SvMvw2XtE3FgKxpzCyw94InIHlcPwFTO+3ZdKStZlMbUDIkmszLBrWFcr
+    XOsPDfLxqMy0Ck//LKIt8djh3254FHB1GG5+kI+JSW1o+tUcL2NymvIINwm/2acS
+    1uTm+j9W7iEXav0pJNmm+/dzSskc3Y0ftM0h2HCXgitBIaEZnUVneNHOLwIDAQAB
+    o4IB7zCCAeswDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O
+    BBYEFCaQ2q7j7LyBGETEZ5qaJAdlISKCMB8GA1UdIwQYMBaAFO1jCyGkpFO+QiR2
+    dfBMWVYeWrQ2MIH0BggrBgEFBQcBAQSB5zCB5DAzBggrBgEFBQcwAYYnaHR0cHM6
+    Ly8xOTIuMTY4LjIwLjI1Mzo4MjAxL3YxL3BraS9vY3NwMD0GCCsGAQUFBzABhjFo
+    dHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3BraS9vY3Nw
+    MDEGCCsGAQUFBzAChiVodHRwczovLzE5Mi4xNjguMjAuMjUzOjgyMDEvdjEvcGtp
+    L2NhMDsGCCsGAQUFBzAChi9odHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVy
+    cC5pbmZvL3YxL3BraS9jYTAgBgNVHREEGTAXghV2YXVsdC5pbmZyYS5kdXJwLmlu
+    Zm8wbwYDVR0fBGgwZjAsoCqgKIYmaHR0cHM6Ly8xOTIuMTY4LjIwLjI1Mzo4MjAx
+    L3YxL3BraS9jcmwwNqA0oDKGMGh0dHBzOi8vcm9vdC12YXVsdC5pbnRlcm5hbC5k
+    dXJwLmluZm8vdjEvcGtpL2NybDANBgkqhkiG9w0BAQsFAAOCAQEAuJ+lplY/+A5L
+    5LzkljbKDTy3U6PLv1LtxqVCOFGiJXBnXMjtVW07bBEUadzFRNW8GHQ3w5QzOG6k
+    /vE/TrrJho7l05J/uc+BUrPSNjefLmQV6hn4jrP86PR0vzRfbSqKKBIID9M7+zi6
+    GFvHlVkSHsQyMQp7JOoax9KVzW2Y+OIgw7Lgw2tP122WCt2SIF0QenoZHsoW0guj
+    tzTJRmJDjn6XeJ7L3FPkf37H6ub0Jg3zBGr6eorEFfYZNN5CXezjqMFBpRdq4UIo
+    1M3A7o3uyZFcFsp/vGDcMBkwaCsBV9idu/HwkvGaTUNI285ilBORPD0bMZnACq/9
+    +Q/cdsO5lg==
+    -----END CERTIFICATE-----
+    -----BEGIN CERTIFICATE-----
+    MIIEmzCCA4OgAwIBAgIUQwCAs82sgSuiaVbjANHScO2DSfAwDQYJKoZIhvcNAQEL
+    BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzExMjEyNVoXDTM1MDEy
+    MTExMTU1NVowFDESMBAGA1UEAxMJZHVycC5pbmZvMIIBIjANBgkqhkiG9w0BAQEF
+    AAOCAQ8AMIIBCgKCAQEAn9fjGRqqFsqguz56X6cXZwEMtD9wElwSFCb4Fc8YTzlH
+    4fV13QwXKESLE/Q+7bw4y4FJQ8BiGNbxxbQOOgWhfGGlQyFa1lfhJtYLfqRN5C2/
+    S7nr0YxDB9duc4OAExVL6Pr4/Koc+vDZY03l7RzwnF2AOM9DjFTASw01TphCQjRk
+    U+upiN2TUhUPejV/gMR+zXM6pn98UBKG1dNubS0HzAMwAEXAPm141NDyWUCPT9+3
+    6P03Ka8mUTx3X49OCtvJEGEQbtlnTFQaOSkP1yLW+XRMHw3sQaV2PWXu5fInbEpZ
+    +SuzmgLOXtmQNmHLav9q1qeTVkpBGPWvfh2Vh1JJhQIDAQABo4IB4zCCAd8wDgYD
+    VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFJaP17f1Zw0V
+    55Ks9Uf0USVWl0BPMB8GA1UdIwQYMBaAFO1jCyGkpFO+QiR2dfBMWVYeWrQ2MIH0
+    BggrBgEFBQcBAQSB5zCB5DAzBggrBgEFBQcwAYYnaHR0cHM6Ly8xOTIuMTY4LjIw
+    LjI1Mzo4MjAxL3YxL3BraS9vY3NwMD0GCCsGAQUFBzABhjFodHRwczovL3Jvb3Qt
+    dmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3BraS9vY3NwMDEGCCsGAQUFBzAC
+    hiVodHRwczovLzE5Mi4xNjguMjAuMjUzOjgyMDEvdjEvcGtpL2NhMDsGCCsGAQUF
+    BzAChi9odHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3Br
+    aS9jYTAUBgNVHREEDTALgglkdXJwLmluZm8wbwYDVR0fBGgwZjAsoCqgKIYmaHR0
+    cHM6Ly8xOTIuMTY4LjIwLjI1Mzo4MjAxL3YxL3BraS9jcmwwNqA0oDKGMGh0dHBz
+    Oi8vcm9vdC12YXVsdC5pbnRlcm5hbC5kdXJwLmluZm8vdjEvcGtpL2NybDANBgkq
+    hkiG9w0BAQsFAAOCAQEAiqAZ4zNIEkCWcvpDRq0VyJuk59sVtJr5X4FscHQ179nE
+    QbbvMe+EBDFS6XQml1Elj8jiPa/D5O9Oc6Iisnm5+weZKwApz/lQ+XVkWLCoEplB
+    ZZ9fcWVCbMLt0xlt8qn5z/mYKfbCT7ZCqDO+prQZt+ADJcQbiknfroAAqEbNKxwN
+    Y9uUyOWNF3SxJEch4w2dtX+IEVmxeZnhMy8OuP0SQKl8aW40ugiG0ZD5yTBBfOD9
+    zsrGSU/iSatn0b7bevBhaL96hz1/rNR1cL+4/albX2hrr8Rv3/SB2DLtNQlQW0ls
+    AfhXAqP5zL+Ytgf1Of/pVdgnhxrYUY7RKCSGY5Hagw==
+    -----END CERTIFICATE-----
+    -----BEGIN CERTIFICATE-----
+    MIIDLzCCAhegAwIBAgIUNHdvOzam2HPVdwXpMHUy4wl8ZRYwDQYJKoZIhvcNAQEL
+    BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzExMTUyNVoXDTM1MDEy
+    MTExMTU1NVowFDESMBAGA1UEAxMJZHVycC5pbmZvMIIBIjANBgkqhkiG9w0BAQEF
+    AAOCAQ8AMIIBCgKCAQEA8XDTVEtRI3+k4yuvqVqfIiLRQJcXbmhfVtAeYk+5j9Ox
+    p1w9YHdnPLqLFrD1PzadjqYeAp/fwlEFfs6lqwoTS8S9vhaFqcgB57nVMb77dTBb
+    /08XHXOU6FPRjdFKm5QMpS7tn1XacPMy/o0bKqRREQeiuFDGVRyuF5PUgvWc1dvJ
+    l27JvvgYktgjfpNS4DlCxg4lGXT5abvaKf2hnr65egaIo/yRWN9wnvAzRiY7oci7
+    GA1oKz87Yc1tfL2gcynrwccOOCF/eUKesJR1I6GXNkN/a1fcr+Ld9Z9NhHBtO+vE
+    N8DsZY+kG7DE3M4BCCTFUzllcYHjaW4HaF9vZW+PYwIDAQABo3kwdzAOBgNVHQ8B
+    Af8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU7WMLIaSkU75CJHZ1
+    8ExZVh5atDYwHwYDVR0jBBgwFoAU7WMLIaSkU75CJHZ18ExZVh5atDYwFAYDVR0R
+    BA0wC4IJZHVycC5pbmZvMA0GCSqGSIb3DQEBCwUAA4IBAQAS/qUI/1Yv07xUTK5k
+    r93kC7GSPpmpkXIsfjChAl93sebN143fu70NUP74jjCc0Wkb8hRofGg10E+/24r1
+    AI0KsLhzKzfIASxUVQAn8RTptLruaaPLboSA4MUZ8IB5y8Vy8E3/KtD0gD80j64Y
+    rm9XGHA0HTJHbPUTb/Rux2g0E7WtiyWSWH8mqzbegU8IrkM3eVT4+ylBE7YkfWDD
+    dw44sB71tfmDKpzWg6XQ6YMh0YfnyG1fYCj9LhuecNY9Uuo6cjDaAvkzMewWwqDx
+    Q2Ekas98Di6itCP8vET+gBDjeCc+XR6Hx6vzWmxlZhwDuxEKL1a2/DabUxJyMNzv
+    55Fn
+    -----END CERTIFICATE-----
+kind: ConfigMap
+metadata:
+  name: ca-pemstore

dmz/external-secrets/values.yaml

@@ -0,0 +1,100 @@
+external-secrets:
+  global:
+    security:
+      allowInsecureImages: true
+
+  log:
+    level: debug
+  replicaCount: 1
+  revisionHistoryLimit: 1
+  leaderElect: false
+
+  installCRDs: true
+  crds:
+    createClusterExternalSecret: true
+    createClusterSecretStore: true
+    createClusterGenerator: true
+    createPushSecret: true
+    conversion:
+      enabled: false
+
+  image:
+    repository: registry.durp.info/external-secrets/external-secrets
+    pullPolicy: Always
+
+  extraVolumes:
+    - name: ca-pemstore
+      configMap:
+        name: ca-pemstore
+
+  extraVolumeMounts:
+    - name: ca-pemstore
+      mountPath: /etc/ssl/certs/vault.pem
+      subPath: vault.pem
+      readOnly: true
+
+  #  resources:
+  #    requests:
+  #      memory: 32Mi
+  #      cpu: 10m
+  #    limits:
+  #      memory: 32Mi
+  #      cpu: 10m
+
+  webhook:
+    create: false
+    failurePolicy: Ignore
+    log:
+      level: debug
+    image:
+      repository: registry.durp.info/external-secrets/external-secrets
+      pullPolicy: Always
+
+    extraVolumes:
+      - name: ca-pemstore
+        configMap:
+          name: ca-pemstore
+
+    extraVolumeMounts:
+      - name: ca-pemstore
+        mountPath: /etc/ssl/certs/vault.pem
+        subPath: vault.pem
+        readOnly: true
+
+  #    resources:
+  #      requests:
+  #        memory: 32Mi
+  #        cpu: 10m
+  #      limits:
+  #        memory: 32Mi
+  #        cpu: 10m
+
+  certController:
+    create: false
+    revisionHistoryLimit: 1
+    log:
+      level: debug
+
+    image:
+      repository: registry.durp.info/external-secrets/external-secrets
+      pullPolicy: Always
+      tag: ""
+
+    resources:
+      requests:
+        memory: 32Mi
+        cpu: 10m
+      limits:
+        memory: 32Mi
+        cpu: 10m
+
+    extraVolumes:
+      - name: ca-pemstore
+        configMap:
+          name: ca-pemstore
+
+    extraVolumeMounts:
+      - name: ca-pemstore
+        mountPath: /etc/ssl/certs/vault.pem
+        subPath: vault.pem
+        readOnly: true

dmz/gitlab-runner/Chart.yaml

@@ -0,0 +1,15 @@
+apiVersion: v2
+name: gitlab-runner
+description: A Helm chart for Kubernetes
+type: application
+version: 0.0.1
+appVersion: 0.0.1
+
+dependencies:
+- name: gitlab-runner
+  repository: https://charts.gitlab.io/
+  version: 0.77.2
+- name: gitlab-runner
+  repository: https://charts.gitlab.io/
+  version: 0.77.2
+  alias: personal

dmz/gitlab-runner/templates/secrets.yaml

@@ -0,0 +1,48 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: gitlab-secret
+spec:
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: gitlab-secret
+  data:
+  - secretKey: runner-registration-token
+    remoteRef:
+      key: kv/gitlab/runner
+      property: runner-registration-token
+  - secretKey: runner-token
+    remoteRef:
+      key: kv/gitlab/runner
+      property: runner-token
+
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault
+
+---
+
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: gitlab-secret-personal
+spec:
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: gitlab-secret-personal
+  data:
+  - secretKey: runner-token
+    remoteRef:
+      key: kv/gitlab/runner
+      property: personal-runner-token
+  - secretKey: runner-registration-token
+    remoteRef:
+      key: kv/gitlab/runner
+      property: personal-runner-token

dmz/gitlab-runner/values.yaml

@@ -0,0 +1,143 @@
+gitlab-runner:
+
+  image:
+    registry: registry.durp.info
+    image: gitlab-org/gitlab-runner
+
+  imagePullPolicy: Always
+  gitlabUrl: https://gitlab.com/
+  unregisterRunner: false
+  terminationGracePeriodSeconds: 3600
+  concurrent: 10
+  checkInterval: 30
+
+  rbac:
+    create: true
+    rules: []
+    clusterWideAccess: false
+    podSecurityPolicy:
+      enabled: false
+      resourceNames:
+      - gitlab-runner
+
+  metrics:
+    enabled: true
+    serviceMonitor:
+      enabled: true      
+  service:
+    enabled: true
+    annotations: {}  
+
+  runners:
+    config: |
+      [[runners]]
+        [runners.kubernetes]
+          namespace = "{{.Release.Namespace}}"
+          image = "ubuntu:22.04"
+          privileged = true
+
+    executor: kubernetes
+    name: "k3s"
+    runUntagged: true
+    privileged: true
+    secret: gitlab-secret
+    #builds: 
+      #cpuLimit: 200m
+      #cpuLimitOverwriteMaxAllowed: 400m
+      #memoryLimit: 256Mi
+      #memoryLimitOverwriteMaxAllowed: 512Mi
+      #cpuRequests: 100m
+      #cpuRequestsOverwriteMaxAllowed: 200m
+      #memoryRequests: 128Mi
+      #memoryRequestsOverwriteMaxAllowed: 256Mi
+
+  securityContext:
+    allowPrivilegeEscalation: false
+    readOnlyRootFilesystem: false
+    runAsNonRoot: true
+    privileged: false
+    capabilities:
+      drop: ["ALL"]
+
+  podSecurityContext:
+    runAsUser: 100
+    fsGroup: 65533
+
+  resources: 
+    limits:
+      memory: 2Gi
+    requests:
+      memory: 128Mi
+      cpu: 500m
+
+personal:
+
+  image:
+    registry: registry.durp.info
+    image: gitlab-org/gitlab-runner
+
+  imagePullPolicy: Always
+  gitlabUrl: https://gitlab.com/
+  unregisterRunner: false
+  terminationGracePeriodSeconds: 3600
+  concurrent: 10
+  checkInterval: 30
+
+  rbac:
+    create: true
+    rules: []
+    clusterWideAccess: false
+    podSecurityPolicy:
+      enabled: false
+      resourceNames:
+      - gitlab-runner
+
+  metrics:
+    enabled: true
+    serviceMonitor:
+      enabled: true      
+  service:
+    enabled: true
+    annotations: {}  
+
+  runners:
+    config: |
+      [[runners]]
+        [runners.kubernetes]
+          namespace = "{{.Release.Namespace}}"
+          image = "ubuntu:22.04"
+          privileged = true
+
+    executor: kubernetes
+    name: "k3s"
+    runUntagged: true
+    privileged: true
+    secret: gitlab-secret-personal
+    #builds: 
+      #cpuLimit: 200m
+      #cpuLimitOverwriteMaxAllowed: 400m
+      #memoryLimit: 256Mi
+      #memoryLimitOverwriteMaxAllowed: 512Mi
+      #cpuRequests: 100m
+      #cpuRequestsOverwriteMaxAllowed: 200m
+      #memoryRequests: 128Mi
+      #memoryRequestsOverwriteMaxAllowed: 256Mi
+
+  securityContext:
+    allowPrivilegeEscalation: false
+    readOnlyRootFilesystem: false
+    runAsNonRoot: true
+    privileged: false
+    capabilities:
+      drop: ["ALL"]
+
+  podSecurityContext:
+    runAsUser: 100
+    fsGroup: 65533
+
+  resources: 
+    limits:
+      memory: 2Gi
+    requests:
+      memory: 128Mi
+      cpu: 500m

dmz/internalproxy/templates/authentik.yaml

@@ -0,0 +1,40 @@
+#apiVersion: traefik.io/v1alpha1
+#kind: IngressRoute
+#metadata:
+#  name: authentik-ingress
+#spec:
+#  entryPoints:
+#    - websecure
+#  routes:
+#    - match: Host(`authentik.durp.info`) && PathPrefix(`/`)
+#      kind: Rule
+#      services:
+#        - name: infra-cluster
+#          port: 443
+#  tls:
+#    secretName: authentik-tls
+#
+#---
+#apiVersion: cert-manager.io/v1
+#kind: Certificate
+#metadata:
+#  name: authentik-tls
+#spec:
+#  issuerRef:
+#    name: letsencrypt-production
+#    kind: ClusterIssuer
+#  secretName: authentik-tls
+#  commonName: "authentik.durp.info"
+#  dnsNames:
+#    - "authentik.durp.info"
+#
+#---
+#kind: Service
+#apiVersion: v1
+#metadata:
+#  name: authentik-external-dns
+#  annotations:
+#    external-dns.alpha.kubernetes.io/hostname: authentik.durp.info
+#spec:
+#  type: ExternalName
+#  externalName: durp.info

dmz/internalproxy/templates/bitwarden.yaml

@@ -0,0 +1,42 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: bitwarden-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`bitwarden.durp.info`) && PathPrefix(`/`) 
+    kind: Rule
+    services:
+    - name: infra-cluster
+      port: 443
+  tls:
+    secretName: bitwarden-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: bitwarden-tls
+spec:
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  secretName: bitwarden-tls
+  commonName: "bitwarden.durp.info"
+  dnsNames:
+  - "bitwarden.durp.info"
+
+---
+
+kind: Service
+apiVersion: v1
+metadata:
+  name: bitwarden-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: bitwarden.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info

dmz/internalproxy/templates/duplicati.yaml

@@ -0,0 +1,64 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: duplicati
+spec:
+  ports:
+  - name: app
+    port: 8200
+    protocol: TCP
+    targetPort: 8200
+  clusterIP: None
+  type: ClusterIP
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: duplicati
+subsets:
+- addresses:
+  - ip: 192.168.21.200
+  ports:
+  - name: app
+    port: 8200
+    protocol: TCP
+
+---    
+
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: duplicati-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`duplicati.internal.durp.info`) && PathPrefix(`/`)
+    middlewares:
+    - name: whitelist
+      namespace: traefik
+    - name: authentik-proxy-provider
+      namespace: traefik  
+    kind: Rule
+    services:
+    - name: duplicati
+      port: 8200
+  tls:
+    secretName: duplicati-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: duplicati-tls
+spec:
+  secretName: duplicati-tls
+  issuerRef:
+    name: vault-issuer
+    kind: ClusterIssuer
+  commonName: "duplicati.internal.durp.info"
+  dnsNames:
+  - "duplicati.internal.durp.info"  

dmz/internalproxy/templates/endpoints.yaml

@@ -0,0 +1,45 @@
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: master-cluster
+subsets:
+  - addresses:
+      - ip: 192.168.20.130
+    ports:
+      - port: 443
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: master-cluster
+spec:
+  ports:
+    - protocol: TCP
+      port: 443
+      targetPort: 443
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: infra-cluster
+subsets:
+  - addresses:
+      - ip: 192.168.12.130
+    ports:
+      - port: 443
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: infra-cluster
+spec:
+  ports:
+    - protocol: TCP
+      port: 443
+      targetPort: 443

dmz/internalproxy/templates/gitea.yaml

@@ -0,0 +1,72 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: gitea
+spec:
+  ports:
+    - name: app
+      port: 3000
+      protocol: TCP
+      targetPort: 3000
+  clusterIP: None
+  type: ClusterIP
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: gitea
+subsets:
+  - addresses:
+      - ip: 192.168.21.200
+    ports:
+      - name: app
+        port: 3000
+        protocol: TCP
+
+---
+
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: gitea-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`gitea.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      services:
+        - name: gitea
+          port: 3000
+          scheme: http
+  tls:
+    secretName: gitea-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: gitea-tls
+spec:
+  secretName: gitea-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "gitea.durp.info"
+  dnsNames:
+    - "gitea.durp.info"
+
+---
+
+kind: Service
+apiVersion: v1
+metadata:
+  name: gitea-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: gitea.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info

dmz/internalproxy/templates/gitlab.yaml

@@ -0,0 +1,68 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: gitlab
+spec:
+  ports:
+    - name: app
+      port: 9080
+      protocol: TCP
+      targetPort: 9080
+  clusterIP: None
+  type: ClusterIP
+
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: gitlab
+subsets:
+  - addresses:
+      - ip: 192.168.21.200
+    ports:
+      - name: app
+        port: 9080
+        protocol: TCP
+
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: gitlab-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`gitlab.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      services:
+        - name: gitlab
+          port: 9080
+          scheme: http
+  tls:
+    secretName: gitlab-tls
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: gitlab-tls
+spec:
+  secretName: gitlab-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "gitlab.durp.info"
+  dnsNames:
+    - "gitlab.durp.info"
+
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: gitlab-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: gitlab.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info

dmz/internalproxy/templates/grafana.yaml

@@ -0,0 +1,40 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: grafana-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`grafana.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      services:
+        - name: infra-cluster
+          port: 443
+  tls:
+    secretName: grafana-tls
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: grafana-tls
+spec:
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  secretName: grafana-tls
+  commonName: "grafana.durp.info"
+  dnsNames:
+    - "grafana.durp.info"
+
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: grafana-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: grafana.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info

dmz/internalproxy/templates/invidious.yaml

@@ -0,0 +1,74 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: invidious
+spec:
+  ports:
+  - name: app
+    port: 3000
+    protocol: TCP
+    targetPort: 3000
+  clusterIP: None
+  type: ClusterIP
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: invidious
+subsets:
+- addresses:
+  - ip: 192.168.20.104
+  ports:
+  - name: app
+    port: 3000
+    protocol: TCP
+
+---    
+
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: invidious-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`invidious.durp.info`) && PathPrefix(`/`)
+    middlewares:
+    - name: authentik-proxy-provider
+      namespace: traefik  
+    kind: Rule
+    services:
+    - name: invidious
+      port: 3000
+  tls:
+    secretName: invidious-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: invidious-tls
+spec:
+  secretName: invidious-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "invidious.durp.info"
+  dnsNames:
+  - "invidious.durp.info"  
+
+---
+
+kind: Service
+apiVersion: v1
+metadata:
+  name: invidious-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: invidious.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info

dmz/internalproxy/templates/kasm.yaml

@@ -0,0 +1,72 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: kasm
+spec:
+  ports:
+    - name: app
+      port: 443
+      protocol: TCP
+      targetPort: 443
+  clusterIP: None
+  type: ClusterIP
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: kasm
+subsets:
+  - addresses:
+      - ip: 192.168.20.104
+    ports:
+      - name: app
+        port: 443
+        protocol: TCP
+
+---
+
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: kasm-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`kasm.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      services:
+        - name: kasm
+          port: 443
+          scheme: https
+  tls:
+    secretName: kasm-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: kasm-tls
+spec:
+  secretName: kasm-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "kasm.durp.info"
+  dnsNames:
+    - "kasm.durp.info"
+
+---
+
+kind: Service
+apiVersion: v1
+metadata:
+  name: kasm-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: kasm.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info

dmz/internalproxy/templates/kuma.yaml

@@ -0,0 +1,45 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: kuma-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`kuma.durp.info`) && PathPrefix(`/`) 
+    kind: Rule
+    middlewares:
+    - name: authentik-proxy-provider
+      namespace: traefik  
+    services:
+    - name: master-cluster
+      port: 443
+  tls:
+    secretName: kuma-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: kuma-tls
+spec:
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  secretName: kuma-tls
+  commonName: "kuma.durp.info"
+  dnsNames:
+  - "kuma.durp.info"
+
+---
+
+kind: Service
+apiVersion: v1
+metadata:
+  name: kuma-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: kuma.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info

dmz/internalproxy/templates/litellm.yaml

@@ -0,0 +1,71 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: litellm
+spec:
+  ports:
+    - name: app
+      port: 4000
+      protocol: TCP
+      targetPort: 4000
+  clusterIP: None
+  type: ClusterIP
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: litellm
+subsets:
+  - addresses:
+      - ip: 192.168.20.104
+    ports:
+      - name: app
+        port: 4000
+        protocol: TCP
+
+---
+
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: litellm-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`litellm.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      services:
+        - name: litellm
+          port: 4000
+  tls:
+    secretName: litellm-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: litellm-tls
+spec:
+  secretName: litellm-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "litellm.durp.info"
+  dnsNames:
+    - "litellm.durp.info"
+
+---
+
+kind: Service
+apiVersion: v1
+metadata:
+  name: litellm-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: litellm.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info

dmz/internalproxy/templates/minio.yaml

@@ -0,0 +1,63 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: minio
+spec:
+  ports:
+    - name: app
+      port: 9769
+      protocol: TCP
+      targetPort: 9769
+  clusterIP: None
+  type: ClusterIP
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: minio
+subsets:
+  - addresses:
+      - ip: 192.168.21.200
+    ports:
+      - name: app
+        port: 9769
+        protocol: TCP
+
+---
+
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: minio-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`minio.internal.durp.info`) && PathPrefix(`/`)
+      middlewares:
+        - name: whitelist
+          namespace: traefik
+      kind: Rule
+      services:
+        - name: minio
+          port: 9769
+          scheme: http
+  tls:
+    secretName: minio-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: minio-tls
+spec:
+  secretName: minio-tls
+  issuerRef:
+    name: vault-issuer
+    kind: ClusterIssuer
+  commonName: "minio.internal.durp.info"
+  dnsNames:
+    - "minio.internal.durp.info"

dmz/internalproxy/templates/n8n.yaml

@@ -0,0 +1,68 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: n8n
+spec:
+  ports:
+    - name: app
+      port: 5678
+      protocol: TCP
+      targetPort: 5678
+  clusterIP: None
+  type: ClusterIP
+
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: n8n
+subsets:
+  - addresses:
+      - ip: 192.168.21.200
+    ports:
+      - name: app
+        port: 5678
+        protocol: TCP
+
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: n8n-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`n8n.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      services:
+        - name: n8n
+          port: 5678
+          scheme: http
+  tls:
+    secretName: n8n-tls
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: n8n-tls
+spec:
+  secretName: n8n-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "n8n.durp.info"
+  dnsNames:
+    - "n8n.durp.info"
+
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: n8n-dns
+  annotations:
+    dns.alpha.kubernetes.io/hostname: n8n.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info

dmz/internalproxy/templates/nexus.yaml

@@ -1,25 +1,13 @@
-kind: Service
-apiVersion: v1
-metadata:
-  name: guac-external-dns
-  annotations:
-    external-dns.alpha.kubernetes.io/hostname: guac.durp.info
-spec:
-  type: ExternalName
-  externalName: durp.info
-
----
-
 apiVersion: v1
 kind: Service
 metadata:
-  name: guac
+  name: nexus
 spec:
   ports:
   - name: app
-    port: 8082
+    port: 8081
     protocol: TCP
-    targetPort: 8082
+    targetPort: 8081
   clusterIP: None
   type: ClusterIP
 
@@ -28,44 +16,56 @@ spec:
 apiVersion: v1
 kind: Endpoints
 metadata:
-  name: guac
+  name: nexus
 subsets:
 - addresses:
-  - ip: 192.168.20.253
+  - ip: 192.168.20.200
   ports:
   - name: app
-    port: 8082
+    port: 8081
     protocol: TCP
 
 ---    
 
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
-  name: guac-ingress
+  name: nexus-ingress
 spec:
   entryPoints:
     - websecure
   routes:
-  - match: Host(`guac.durp.info`) && PathPrefix(`/`)
+  - match: Host(`nexus.durp.info`) && PathPrefix(`/`)
     kind: Rule
     services:
-    - name: guac
-      port: 8082
+    - name: nexus
+      port: 8081
   tls:
-    secretName: guac-tls
+    secretName: nexus-tls
 
 ---
 
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-  name: guac-tls
+  name: nexus-tls
 spec:
-  secretName: guac-tls
+  secretName: nexus-tls
   issuerRef:
     name: letsencrypt-production
     kind: ClusterIssuer
-  commonName: "guac.durp.info"
+  commonName: "nexus.durp.info"
   dnsNames:
-  - "guac.durp.info"  
+  - "nexus.durp.info"  
+
+---
+
+kind: Service
+apiVersion: v1
+metadata:
+  name: nexus-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: nexus.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info

dmz/internalproxy/templates/octopus.yaml

@@ -0,0 +1,41 @@
+#apiVersion: traefik.io/v1alpha1
+#kind: IngressRoute
+#metadata:
+#  name: octopus-ingress
+#spec:
+#  entryPoints:
+#    - websecure
+#  routes:
+#    - match: Host(`octopus.durp.info`) && PathPrefix(`/`)
+#      kind: Rule
+#      services:
+#        - name: infra-cluster
+#          port: 443
+#  tls:
+#    secretName: octopus-tls
+#
+#---
+#apiVersion: cert-manager.io/v1
+#kind: Certificate
+#metadata:
+#  name: octopus-tls
+#spec:
+#  issuerRef:
+#    name: letsencrypt-production
+#    kind: ClusterIssuer
+#  secretName: octopus-tls
+#  commonName: "octopus.durp.info"
+#  dnsNames:
+#    - "octopus.durp.info"
+#
+#---
+#kind: Service
+#apiVersion: v1
+#metadata:
+#  name: octopus-external-dns
+#  annotations:
+#    external-dns.alpha.kubernetes.io/hostname: octopus.durp.info
+#spec:
+#  type: ExternalName
+#  externalName: durp.info
+#

dmz/internalproxy/templates/ollama.yaml

@@ -0,0 +1,102 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: ollama-secret
+spec:
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: ollama-secret
+  data:
+    - secretKey: users
+      remoteRef:
+        key: kv/ollama
+        property: users
+
+---
+
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: ollama-basic-auth
+spec:
+  basicAuth:
+    headerField: x-api-key
+    secret: ollama-secret
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: ollama
+spec:
+  ports:
+    - name: app
+      port: 11435
+      protocol: TCP
+      targetPort: 11435
+  clusterIP: None
+  type: ClusterIP
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: ollama
+subsets:
+  - addresses:
+      - ip: 192.168.20.104
+    ports:
+      - name: app
+        port: 11435
+        protocol: TCP
+
+---
+
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: ollama-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`ollama.durp.info`) && PathPrefix(`/`)
+      middlewares:
+        - name: ollama-basic-auth
+      kind: Rule
+      services:
+        - name: ollama
+          port: 11435
+  tls:
+    secretName: ollama-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: ollama-tls
+spec:
+  secretName: ollama-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "ollama.durp.info"
+  dnsNames:
+    - "ollama.durp.info"
+
+---
+
+kind: Service
+apiVersion: v1
+metadata:
+  name: ollama-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: ollama.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info

dmz/internalproxy/templates/open-webui.yaml

@@ -0,0 +1,72 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: open-webui
+spec:
+  ports:
+    - name: app
+      port: 8089
+      protocol: TCP
+      targetPort: 8089
+  clusterIP: None
+  type: ClusterIP
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: open-webui
+subsets:
+  - addresses:
+      - ip: 192.168.21.200
+    ports:
+      - name: app
+        port: 8089
+        protocol: TCP
+
+---
+
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: open-webui-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`open-webui.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      services:
+        - name: open-webui
+          port: 8089
+          scheme: http
+  tls:
+    secretName: open-webui-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: open-webui-tls
+spec:
+  secretName: open-webui-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "open-webui.durp.info"
+  dnsNames:
+    - "open-webui.durp.info"
+
+---
+
+kind: Service
+apiVersion: v1
+metadata:
+  name: open-webui-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: open-webui.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info

dmz/internalproxy/templates/plex.yaml

@@ -0,0 +1,72 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: plex
+spec:
+  ports:
+    - name: app
+      port: 32400
+      protocol: TCP
+      targetPort: 32400
+  clusterIP: None
+  type: ClusterIP
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: plex
+subsets:
+  - addresses:
+      - ip: 192.168.21.200
+    ports:
+      - name: app
+        port: 32400
+        protocol: TCP
+
+---
+
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: plex-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`plex.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      services:
+        - name: plex
+          port: 32400
+          scheme: https
+  tls:
+    secretName: plex-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: plex-tls
+spec:
+  secretName: plex-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "plex.durp.info"
+  dnsNames:
+    - "plex.durp.info"
+
+---
+
+kind: Service
+apiVersion: v1
+metadata:
+  name: plex-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: plex.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info  

dmz/internalproxy/templates/portainer.yaml

@@ -0,0 +1,63 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: portainer
+spec:
+  ports:
+  - name: app
+    port: 9443
+    protocol: TCP
+    targetPort: 9443
+  clusterIP: None
+  type: ClusterIP
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: portainer
+subsets:
+- addresses:
+  - ip: 192.168.20.104
+  ports:
+  - name: app
+    port: 9443
+    protocol: TCP
+
+---    
+
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: portainer-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`portainer.internal.durp.info`) && PathPrefix(`/`)
+      #middlewares:
+      #- name: whitelist
+      #  namespace: traefik
+    kind: Rule
+    services:
+    - name: portainer
+      port: 9443
+      scheme: https
+  tls:
+    secretName: portainer-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: portainer-tls
+spec:
+  secretName: portainer-tls
+  issuerRef:
+    name: vault-issuer
+    kind: ClusterIssuer
+  commonName: "portainer.internal.durp.info"
+  dnsNames:
+  - "portainer.internal.durp.info"  

dmz/internalproxy/templates/proxmox.yaml

@@ -0,0 +1,63 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: proxmox
+spec:
+  ports:
+    - name: app
+      port: 8006
+      protocol: TCP
+      targetPort: 8006
+  clusterIP: None
+  type: ClusterIP
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: proxmox
+subsets:
+  - addresses:
+      - ip: 192.168.21.254
+    ports:
+      - name: app
+        port: 8006
+        protocol: TCP
+
+---
+
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: proxmox-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`proxmox.internal.durp.info`) && PathPrefix(`/`)
+      middlewares:
+        - name: whitelist
+          namespace: traefik
+      kind: Rule
+      services:
+        - name: proxmox
+          port: 8006
+          scheme: https
+  tls:
+    secretName: proxmox-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: proxmox-tls
+spec:
+  secretName: proxmox-tls
+  issuerRef:
+    name: vault-issuer
+    kind: ClusterIssuer
+  commonName: "proxmox.internal.durp.info"
+  dnsNames:
+    - "proxmox.internal.durp.info"

dmz/internalproxy/templates/redlib.yaml

@@ -0,0 +1,74 @@
+#apiVersion: v1
+#kind: Service
+#metadata:
+#  name: redlib
+#spec:
+#  ports:
+#  - name: app
+#    port: 8082
+#    protocol: TCP
+#    targetPort: 8082
+#  clusterIP: None
+#  type: ClusterIP
+#
+#---
+#
+#apiVersion: v1
+#kind: Endpoints
+#metadata:
+#  name: redlib
+#subsets:
+#- addresses:
+#  - ip: 192.168.21.200
+#  ports:
+#  - name: app
+#    port: 8082
+#    protocol: TCP
+#
+#---    
+#
+#apiVersion: traefik.io/v1alpha1
+#kind: IngressRoute
+#metadata:
+#  name: redlib-ingress
+#spec:
+#  entryPoints:
+#    - websecure
+#  routes:
+#  - match: Host(`redlib.durp.info`) && PathPrefix(`/`)
+#    middlewares:
+#    - name: authentik-proxy-provider
+#      namespace: traefik  
+#    kind: Rule
+#    services:
+#    - name: redlib
+#      port: 8082
+#  tls:
+#    secretName: redlib-tls
+#
+#---
+#
+#apiVersion: cert-manager.io/v1
+#kind: Certificate
+#metadata:
+#  name: redlib-tls
+#spec:
+#  secretName: redlib-tls
+#  issuerRef:
+#    name: letsencrypt-production
+#    kind: ClusterIssuer
+#  commonName: "redlib.durp.info"
+#  dnsNames:
+#  - "redlib.durp.info"  
+#
+#---
+#
+#kind: Service
+#apiVersion: v1
+#metadata:
+#  name: redlib-external-dns
+#  annotations:
+#    external-dns.alpha.kubernetes.io/hostname: redlib.durp.info
+#spec:
+#  type: ExternalName
+#  externalName: durp.info

dmz/internalproxy/templates/registry.yaml

@@ -0,0 +1,70 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: registry
+spec:
+  ports:
+    - name: app
+      port: 5000
+      protocol: TCP
+      targetPort: 5000
+  clusterIP: None
+  type: ClusterIP
+
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: registry
+subsets:
+  - addresses:
+      - ip: 192.168.21.200
+    ports:
+      - name: app
+        port: 5000
+        protocol: TCP
+
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: registry-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`registry.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      middlewares:
+        - name: whitelist
+          namespace: traefik
+      services:
+        - name: registry
+          port: 5000
+  tls:
+    secretName: registry-tls
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: registry-tls
+spec:
+  secretName: registry-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "registry.durp.info"
+  dnsNames:
+    - "registry.durp.info"
+
+---
+#kind: Service
+#apiVersion: v1
+#metadata:
+#  name: registry-external-dns
+#  annotations:
+#    external-dns.alpha.kubernetes.io/hostname: registry.durp.info
+#spec:
+#  type: ExternalName
+#  externalName: durp.info

dmz/internalproxy/templates/root-vault.yaml

@@ -0,0 +1,63 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: root-vault
+spec:
+  ports:
+    - name: app
+      port: 8201
+      protocol: TCP
+      targetPort: 8201
+  clusterIP: None
+  type: ClusterIP
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: root-vault
+subsets:
+  - addresses:
+      - ip: 192.168.21.200
+    ports:
+      - name: app
+        port: 8201
+        protocol: TCP
+
+---
+
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: root-vault-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`root-vault.internal.durp.info`) && PathPrefix(`/`)
+      middlewares:
+        - name: whitelist
+          namespace: traefik
+      kind: Rule
+      services:
+        - name: root-vault
+          port: 8201
+          scheme: https
+  tls:
+    secretName: root-vault-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: root-vault-tls
+spec:
+  secretName: root-vault-tls
+  issuerRef:
+    name: vault-issuer
+    kind: ClusterIssuer
+  commonName: "root-vault.internal.durp.info"
+  dnsNames:
+    - "root-vault.internal.durp.info"

dmz/internalproxy/templates/s3.yaml

@@ -0,0 +1,109 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: s3
+spec:
+  ports:
+    - name: app
+      port: 9768
+      protocol: TCP
+      targetPort: 9768
+  clusterIP: None
+  type: ClusterIP
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: s3
+subsets:
+  - addresses:
+      - ip: 192.168.21.200
+    ports:
+      - name: app
+        port: 9768
+        protocol: TCP
+
+---
+
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: s3-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`s3.internal.durp.info`) && PathPrefix(`/`)
+      middlewares:
+        - name: whitelist
+          namespace: traefik
+      kind: Rule
+      services:
+        - name: s3
+          port: 9768
+          scheme: http
+  tls:
+    secretName: s3-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: s3-tls
+spec:
+  secretName: s3-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "s3.internal.durp.info"
+  dnsNames:
+    - "s3.internal.durp.info"
+
+---
+
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: s3-ingress-external
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`s3.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      services:
+        - name: s3
+          port: 9768
+          scheme: http
+  tls:
+    secretName: s3-external-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: s3-external-tls
+spec:
+  secretName: s3-external-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "s3.durp.info"
+  dnsNames:
+    - "s3.durp.info"
+
+---
+
+kind: Service
+apiVersion: v1
+metadata:
+  name: s3-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: s3.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info

dmz/internalproxy/templates/semaphore.yaml

@@ -0,0 +1,64 @@
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: semaphore
+spec:
+  ports:
+    - name: app
+      port: 3001
+      protocol: TCP
+      targetPort: 3001
+  clusterIP: None
+  type: ClusterIP
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: semaphore
+subsets:
+  - addresses:
+      - ip: 192.168.21.200
+    ports:
+      - name: app
+        port: 3001
+        protocol: TCP
+
+---
+
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: semaphore-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`semaphore.internal.durp.info`) && PathPrefix(`/`)
+      middlewares:
+        - name: whitelist
+          namespace: traefik
+      kind: Rule
+      services:
+        - name: semaphore
+          port: 3001
+          scheme: http
+  tls:
+    secretName: semaphore-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: semaphore-tls
+spec:
+  secretName: semaphore-tls
+  issuerRef:
+    name: vault-issuer
+    kind: ClusterIssuer
+  commonName: "semaphore.internal.durp.info"
+  dnsNames:
+    - "semaphore.internal.durp.info"

dmz/internalproxy/templates/serviceaccount.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault

dmz/internalproxy/templates/smokeping.yaml

@@ -0,0 +1,76 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: smokeping
+spec:
+  ports:
+  - name: app
+    port: 81
+    protocol: TCP
+    targetPort: 81
+  clusterIP: None
+  type: ClusterIP
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: smokeping
+subsets:
+- addresses:
+  - ip: 192.168.21.200
+  ports:
+  - name: app
+    port: 81
+    protocol: TCP
+
+---    
+
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: smokeping-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`smokeping.durp.info`) && PathPrefix(`/`)
+    middlewares:
+    - name: whitelist
+      namespace: traefik
+    - name: authentik-proxy-provider
+      namespace: traefik  
+    kind: Rule
+    services:
+    - name: smokeping
+      port: 81
+  tls:
+    secretName: smokeping-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: smokeping-tls
+spec:
+  secretName: smokeping-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "smokeping.durp.info"
+  dnsNames:
+  - "smokeping.durp.info"  
+
+---
+
+kind: Service
+apiVersion: v1
+metadata:
+  name: smokeping-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: smokeping.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info  

dmz/internalproxy/templates/speedtest.yaml

@@ -0,0 +1,74 @@
+#apiVersion: v1
+#kind: Service
+#metadata:
+#  name: speedtest
+#spec:
+#  ports:
+#  - name: app
+#    port: 6580
+#    protocol: TCP
+#    targetPort: 6580
+#  clusterIP: None
+#  type: ClusterIP
+#
+#---
+#
+#apiVersion: v1
+#kind: Endpoints
+#metadata:
+#  name: speedtest
+#subsets:
+#- addresses:
+#  - ip: 192.168.21.200
+#  ports:
+#  - name: app
+#    port: 6580
+#    protocol: TCP
+#
+#---    
+#
+#apiVersion: traefik.io/v1alpha1
+#kind: IngressRoute
+#metadata:
+#  name: speedtest-ingress
+#spec:
+#  entryPoints:
+#    - websecure
+#  routes:
+#  - match: Host(`speedtest.durp.info`) && PathPrefix(`/`)
+#    kind: Rule
+#    middlewares:
+#    - name: authentik-proxy-provider
+#      namespace: traefik 
+#    services:
+#    - name: speedtest
+#      port: 6580
+#  tls:
+#    secretName: speedtest-tls
+#
+#---
+#
+#apiVersion: cert-manager.io/v1
+#kind: Certificate
+#metadata:
+#  name: speedtest-tls
+#spec:
+#  secretName: speedtest-tls
+#  issuerRef:
+#    name: letsencrypt-production
+#    kind: ClusterIssuer
+#  commonName: "speedtest.durp.info"
+#  dnsNames:
+#  - "speedtest.durp.info"  
+#
+#---
+#
+#kind: Service
+#apiVersion: v1
+#metadata:
+#  name: speedtest-external-dns
+#  annotations:
+#    external-dns.alpha.kubernetes.io/hostname: speedtest.durp.info
+#spec:
+#  type: ExternalName
+#  externalName: durp.info

dmz/internalproxy/templates/tdarr.yaml

@@ -0,0 +1,67 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: tdarr
+spec:
+  ports:
+  - name: app
+    port: 8267
+    protocol: TCP
+    targetPort: 8267
+  clusterIP: None
+  type: ClusterIP
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: tdarr
+subsets:
+- addresses:
+  - ip: 192.168.21.200
+  ports:
+  - name: app
+    port: 8267
+    protocol: TCP
+
+---
+
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: tdarr-ingress
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-production
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`tdarr.internal.durp.info`)
+    middlewares:
+    - name: whitelist
+      namespace: traefik  
+    - name: authentik-proxy-provider
+      namespace: traefik  
+    kind: Rule
+    services:
+    - name: tdarr
+      port: 8267
+      scheme: http
+  tls:
+    secretName: tdarr-tls  
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: tdarr-tls
+spec:
+  secretName: tdarr-tls
+  issuerRef:
+    name: vault-issuer
+    kind: ClusterIssuer
+  commonName: "tdarr.internal.durp.info"
+  dnsNames:
+  - "tdarr.internal.durp.info"  

dmz/internalproxy/templates/unifi.yaml

@@ -0,0 +1,63 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: unifi
+spec:
+  ports:
+    - name: app
+      port: 443
+      protocol: TCP
+      targetPort: 443
+  clusterIP: None
+  type: ClusterIP
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: unifi
+subsets:
+  - addresses:
+      - ip: 192.168.98.1
+    ports:
+      - name: app
+        port: 443
+        protocol: TCP
+
+---
+
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: unifi-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`unifi.internal.durp.info`) && PathPrefix(`/`)
+      middlewares:
+        - name: whitelist
+          namespace: traefik
+      kind: Rule
+      services:
+        - name: unifi
+          port: 443
+          scheme: https
+  tls:
+    secretName: unifi-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: unifi-tls
+spec:
+  secretName: unifi-tls
+  issuerRef:
+    name: vault-issuer
+    kind: ClusterIssuer
+  commonName: "unifi.internal.durp.info"
+  dnsNames:
+    - "unifi.internal.durp.info"

dmz/internalproxy/templates/unraid.yaml

@@ -0,0 +1,64 @@
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: unraid
+spec:
+  ports:
+    - name: app
+      port: 443
+      protocol: TCP
+      targetPort: 443
+  clusterIP: None
+  type: ClusterIP
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: unraid
+subsets:
+  - addresses:
+      - ip: 192.168.21.200
+    ports:
+      - name: app
+        port: 443
+        protocol: TCP
+
+---
+
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: unraid-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`unraid.internal.durp.info`) && PathPrefix(`/`)
+      middlewares:
+        - name: whitelist
+          namespace: traefik
+      kind: Rule
+      services:
+        - name: unraid
+          port: 443
+          scheme: https
+  tls:
+    secretName: unraid-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: unraid-tls
+spec:
+  secretName: unraid-tls
+  issuerRef:
+    name: vault-issuer
+    kind: ClusterIssuer
+  commonName: "unraid.internal.durp.info"
+  dnsNames:
+    - "unraid.internal.durp.info"

dmz/istio-system/Chart.yaml

@@ -0,0 +1,17 @@
+apiVersion: v2
+name: istio-system
+description: A Helm chart for Kubernetes
+type: application
+version: 0.0.1
+appVersion: 0.0.1
+
+dependencies:
+  - name: base
+    repository: https://istio-release.storage.googleapis.com/charts
+    version: 1.26.2
+  - name: istiod
+    repository: https://istio-release.storage.googleapis.com/charts
+    version: 1.26.2
+  - name: gateway
+    repository: https://istio-release.storage.googleapis.com/charts
+    version: 1.26.2

dmz/istio-system/templates/annotate.yaml

@@ -0,0 +1,14 @@
+#apiVersion: v1
+#kind: Namespace
+#metadata:
+#  annotations:
+#    topology.istio.io/controlPlaneClusters: cluster1
+#  labels:
+#    kubernetes.io/metadata.name: istio-system
+#  name: istio-system
+#spec:
+#  finalizers:
+#  - kubernetes
+#status:
+#  phase: Active
+#

dmz/istio-system/templates/expose.yaml

@@ -0,0 +1,16 @@
+apiVersion: networking.istio.io/v1
+kind: Gateway
+metadata:
+  name: cross-network-gateway
+spec:
+  selector:
+    istio: eastwestgateway
+  servers:
+    - port:
+        number: 15443
+        name: tls
+        protocol: TLS
+      tls:
+        mode: AUTO_PASSTHROUGH
+      hosts:
+        - "*.local"

dmz/istio-system/values.yaml

@@ -0,0 +1,10 @@
+istiod:
+  global:
+    network: network2
+    meshID: mesh1
+    multiCluster:
+      clusterName: dmz
+
+gateway:
+  name: istio-eastwestgateway
+  networkGateway: network2

dmz/littlelink/templates/deployment.yaml

@@ -0,0 +1,101 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  namespace: littlelink
+  name: littlelink
+  labels:
+    app: littlelink
+spec:
+  selector:
+    matchLabels:
+      app: littlelink
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: littlelink
+    spec:
+      containers:
+      - name: littlelink
+        image: registry.durp.info/techno-tim/littlelink-server:latest
+        imagePullPolicy: Always
+        livenessProbe:
+          httpGet:
+            path: /healthcheck
+            port: 3000
+        readinessProbe:
+          httpGet:
+            path: /healthcheck
+            port: 3000            
+        env:
+          - name: META_TITLE
+            value: DeveloperDurp
+          - name: META_DESCRIPTION
+            value: The Durpy Developer
+          - name: META_AUTHOR
+            value: DeveloperDurp
+          - name: LANG
+            value: en
+          - name: META_INDEX_STATUS
+            value: all
+          - name: OG_TITLE
+            value: DeveloperDurp
+          - name: OG_DESCRIPTION
+            value: DeveloperDurp
+          - name: OG_URL
+            value: https://gitlab.com/developerdurp
+          - name: OG_IMAGE
+            value: https://gitlab.com/uploads/-/system/user/avatar/9987937/avatar.png
+          - name : OG_IMAGE_WIDTH
+            value: "400"
+          - name : OG_IMAGE_HEIGHT
+            value: "400"
+          - name : THEME
+            value: Dark 
+          - name : FAVICON_URL
+            value: https://gitlab.com/uploads/-/system/user/avatar/9987937/avatar.png
+          - name : AVATAR_URL
+            value: https://gitlab.com/uploads/-/system/user/avatar/9987937/avatar.png
+          - name : AVATAR_2X_URL
+            value: https://gitlab.com/uploads/-/system/user/avatar/9987937/avatar.png   
+          - name : AVATAR_ALT
+            value: DeveloperDurp Profile Pic
+          - name : NAME
+            value: DeveloperDurp
+          - name : BIO
+            value: Sup Nerd,
+          - name : BUTTON_ORDER
+            value: GITHUB,GITLAB,YOUTUBE,INSTAGRAM,TWITTER,BLUESKY,COFFEE,EMAIL
+          - name : TWITTER
+            value: https://twitter.com/developerdurp                
+          - name : GITHUB
+            value: https://github.com/DeveloperDurp
+          - name: INSTAGRAM
+            value: https://instagram.com/developerdurp
+          - name : GITLAB
+            value: https://gitlab.com/developerdurp
+          - name: YOUTUBE
+            value: https://www.youtube.com/channel/UC1rGa6s6kER_gLpIQsxeMVQ
+          - name : EMAIL
+            value: DeveloperDurp@durp.info
+          - name : EMAIL_TEXT
+            value: DeveloperDurp@durp.info            
+          - name : FOOTER
+            value: DeveloperDurp © 2022         
+          - name: CUSTOM_BUTTON_TEXT
+            value: BuyMeACoffee,BlueSky
+          - name: CUSTOM_BUTTON_URL
+            value: https://www.buymeacoffee.com/DeveloperDurp,https://bsky.app/profile/durp.info
+          - name: CUSTOM_BUTTON_COLOR
+            value: '#ffdd00,#1185fe'
+          - name: CUSTOM_BUTTON_TEXT_COLOR
+            value: '#000000,#FFFFFF'
+          - name: CUSTOM_BUTTON_ALT_TEXT
+            value: Support,BlueSky
+          - name: CUSTOM_BUTTON_NAME
+            value: COFFEE,BLUESKY
+          - name: CUSTOM_BUTTON_ICON
+            value: fa-solid fa-cup-togo
+        ports:
+        - name: http
+          containerPort: 3000          

dmz/littlelink/templates/ingress.yaml

@@ -0,0 +1,42 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: littlelink-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`links.durp.info`) && PathPrefix(`/`)
+    kind: Rule
+    services:
+    - name: littlelink
+      port: 80
+  tls:
+    secretName: littlelink-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: littlelink-tls
+spec:
+  secretName: littlelink-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "links.durp.info"
+  dnsNames:
+  - "links.durp.info"  
+
+---
+
+kind: Service
+apiVersion: v1
+metadata:
+  name: links-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: links.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info