update

.gitignore

@@ -1 +1,3 @@
 .idea
+infra/terraform/.terraform
+infra/terraform/.terraform.lock.hcl

.gitlab/.gitlab-ci.yml

@@ -0,0 +1,3 @@
+include:
+  - local: infra/.gitlab/.gitlab-ci.yml
+  - local: dmz/.gitlab/.gitlab-ci.yml

Untitled

@@ -0,0 +1,4 @@
+VAULT_HELM_SECRET_NAME=$(kubectl get secrets -n vault --output=json | jq -r '.items[].metadata | select(.name|startswith("vault-token-")).name')
+TOKEN_REVIEW_JWT=$(kubectl get secret $VAULT_HELM_SECRET_NAME -n vault --output='go-template={{ .data.token }}' | base64 --decode)
+KUBE_CA_CERT=$(kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.certificate-authority-data}' | base64 --decode)
+KUBE_HOST=$(kubectl config view --raw --minify --flatten --output='jsonpath={.clusters[].cluster.server}')

ansible/base.yaml

@@ -0,0 +1,5 @@
+- hosts: all
+  gather_facts: yes
+  become: yes
+  roles:
+    - base

ansible/roles/base/files/10periodic

@@ -0,0 +1,4 @@
+APT::Periodic::Update-Package-Lists "1";
+APT::Periodic::Download-Upgradeable-Packages "1";
+APT::Periodic::AutocleanInterval "7";
+APT::Periodic::Unattended-Upgrade "1";

ansible/roles/base/files/authorized_keys_user

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGhPVgL8gXdRTw0E2FvlOUoUI4vd794nB0nZVIsc+U5M

ansible/roles/base/files/issue

@@ -0,0 +1,4 @@
+Use of this system is restricted to authorized users only, and all use is subjected to an acceptable use policy.
+
+IF YOU ARE NOT AUTHORIZED TO USE THIS SYSTEM, DISCONNECT NOW.
+

ansible/roles/base/files/motd

@@ -0,0 +1,4 @@
+THIS SYSTEM IS FOR AUTHORIZED USE ONLY
+
+All activities are logged and monitored.
+

ansible/roles/base/files/sshd_config_secured

@@ -0,0 +1,95 @@
+# Package generated configuration file
+# See the sshd_config(5) manpage for details
+
+# What ports, IPs and protocols we listen for
+Port 22
+# Use these options to restrict which interfaces/protocols sshd will bind to
+#ListenAddress ::
+#ListenAddress 0.0.0.0
+Protocol 2
+# HostKeys for protocol version 2
+HostKey /etc/ssh/ssh_host_rsa_key
+HostKey /etc/ssh/ssh_host_dsa_key
+HostKey /etc/ssh/ssh_host_ecdsa_key
+HostKey /etc/ssh/ssh_host_ed25519_key
+#Privilege Separation is turned on for security
+UsePrivilegeSeparation yes
+
+# Lifetime and size of ephemeral version 1 server key
+KeyRegenerationInterval 3600
+ServerKeyBits 1024
+
+# Logging
+SyslogFacility AUTH
+LogLevel INFO
+
+# Authentication:
+LoginGraceTime 120
+PermitRootLogin no
+StrictModes yes
+
+RSAAuthentication yes
+PubkeyAuthentication yes
+#AuthorizedKeysFile %h/.ssh/authorized_keys
+
+# Don't read the user's ~/.rhosts and ~/.shosts files
+IgnoreRhosts yes
+# For this to work you will also need host keys in /etc/ssh_known_hosts
+RhostsRSAAuthentication no
+# similar for protocol version 2
+HostbasedAuthentication no
+# Uncomment if you don't trust ~/.ssh/known_hosts for RhostsRSAAuthentication
+#IgnoreUserKnownHosts yes
+
+# To enable empty passwords, change to yes (NOT RECOMMENDED)
+PermitEmptyPasswords no
+
+# Change to yes to enable challenge-response passwords (beware issues with
+# some PAM modules and threads)
+ChallengeResponseAuthentication no
+
+# Change to no to disable tunnelled clear text passwords
+PasswordAuthentication no
+
+# Kerberos options
+#KerberosAuthentication no
+#KerberosGetAFSToken no
+#KerberosOrLocalPasswd yes
+#KerberosTicketCleanup yes
+
+# GSSAPI options
+#GSSAPIAuthentication no
+#GSSAPICleanupCredentials yes
+
+X11Forwarding no
+X11DisplayOffset 10
+PrintMotd no
+PrintLastLog yes
+TCPKeepAlive yes
+#UseLogin no
+
+#MaxStartups 10:30:60
+#Banner /etc/issue.net
+
+# Allow client to pass locale environment variables
+AcceptEnv LANG LC_*
+
+Subsystem sftp /usr/lib/openssh/sftp-server
+
+# Set this to 'yes' to enable PAM authentication, account processing,
+# and session processing. If this is enabled, PAM authentication will
+# be allowed through the ChallengeResponseAuthentication and
+# PasswordAuthentication.  Depending on your PAM configuration,
+# PAM authentication via ChallengeResponseAuthentication may bypass
+# the setting of "PermitRootLogin without-password".
+# If you just want the PAM account and session checks to run without
+# PAM authentication, then enable this but set PasswordAuthentication
+# and ChallengeResponseAuthentication to 'no'.
+UsePAM yes
+
+ClientAliveInterval 300
+
+#enable remote powershell
+#Subsystem powershell /usr/bin/pwsh -sshs -NoLogo
+
+

ansible/roles/base/tasks/main.yaml

@@ -0,0 +1,143 @@
+- name: Update packages
+  apt:
+    name: '*'
+    state: latest
+    update_cache: yes
+    only_upgrade: yes
+  retries: 300
+  delay: 10
+
+- name: Remove packages not needed anymore
+  apt:
+    autoremove: yes  
+  retries: 300
+  delay: 10      
+      
+- name: Install required packages Debian
+  apt: 
+    state: latest 
+    pkg: "{{ item }}"
+  with_items:  "{{ required_packages }}" 
+  retries: 300
+  delay: 10  
+
+- name: Create user account
+  user: 
+    name: "user"
+    shell: /bin/bash
+    state: present
+    createhome: yes
+
+- name: ensure ssh folder exists for user
+  file: 
+    path: /home/user/.ssh
+    owner: user 
+    group: user 
+    mode: "0700"
+    state: directory
+
+- name: Deploy SSH Key (user)
+  copy:
+    dest: /home/user/.ssh/authorized_keys
+    src: files/authorized_keys_user
+    owner: user 
+    group: user
+    force: true 
+
+- name: Remove Root SSH Configuration
+  file: 
+    path: /root/.ssh
+    state: absent
+
+- name: Copy Secured SSHD Configuration
+  copy: 
+    src: files/sshd_config_secured 
+    dest: /etc/ssh/sshd_config 
+    owner: root 
+    group: root 
+    mode: "0644"
+  when: ansible_os_family == "Debian"   
+
+- name: Copy Secured SSHD Configuration
+  copy: 
+    src: files/sshd_config_secured_redhat 
+    dest: /etc/ssh/sshd_config 
+    owner: root 
+    group: root 
+    mode: "0644"    
+  when: ansible_os_family == "RedHat"   
+
+- name: Restart SSHD
+  systemd:
+    name: sshd
+    daemon_reload: yes
+    state: restarted
+    enabled: yes
+  ignore_errors: yes
+
+
+- name: Copy unattended-upgrades file
+  copy: 
+    src: files/10periodic
+    dest: /etc/apt/apt.conf.d/10periodic 
+    owner: root 
+    group: root 
+    mode: "0644"
+    force: yes
+  when: ansible_os_family == "Debian"      
+
+- name: Remove undesirable packages
+  package:
+    name: "{{ unnecessary_software }}"
+    state: absent
+  when: ansible_os_family == "Debian"    
+
+- name: Stop and disable unnecessary services
+  service:
+    name: "{{ item }}"
+    state: stopped
+    enabled: no
+  with_items: "{{ unnecessary_services }}"
+  ignore_errors: yes
+
+- name: Set a message of the day
+  copy:
+    dest: /etc/motd
+    src: files/motd
+    owner: root
+    group: root
+    mode: 0644
+
+- name: Set a login banner
+  copy:
+    dest: "{{ item }}"
+    src: files/issue
+    owner: root
+    group: root
+    mode: 0644
+  with_items:
+    - /etc/issue
+    - /etc/issue.net
+
+- name: set timezone
+  shell: timedatectl set-timezone America/Chicago
+
+- name: Enable cockpit
+  systemd:
+    name: cockpit
+    daemon_reload: yes
+    state: restarted
+    enabled: yes
+
+- name: change password
+  ansible.builtin.user:
+    name: "user"
+    state: present
+    password: "{{ lookup('ansible.builtin.env', 'USER_PASSWORD') | password_hash('sha512') }}"
+
+- name: add user to sudoers
+  community.general.sudoers:
+    name: user
+    state: present
+    user: user
+    commands: ALL

ansible/roles/base/vars/main.yaml

@@ -0,0 +1,17 @@
+required_packages:
+    - ufw
+    - qemu-guest-agent
+    - fail2ban
+    - unattended-upgrades
+    - cockpit
+    - nfs-common
+    - open-iscsi
+
+unnecessary_services:
+    - postfix
+    - telnet
+    
+unnecessary_software:
+    - tcpdump
+    - nmap-ncat
+    - wpa_supplicant    

argocd/templates/InternalProxy.yaml

@@ -1,23 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: internalproxy
-  namespace: argocd
-spec:
-  project: default
-  source:
-    repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: main
-    path: internalproxy
-    directory:
-      recurse: true
-  destination:
-    server: https://kubernetes.default.svc
-    namespace: internalproxy
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true  
-    syncOptions:
-      - CreateNamespace=true   
-

argocd/templates/gatekeeper.yaml

@@ -1,20 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: gatekeeper
-  namespace: argocd
-spec:
-  project: default
-  source:
-    repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: main
-    path: gatekeeper
-  destination:
-    namespace: gatekeeper
-    name: in-cluster
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true  
-    syncOptions:
-      - CreateNamespace=true 

argocd/templates/gitlab-runner.yaml

@@ -1,21 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: Application
-metadata:
-  name: gitlab-runner
-  namespace: argocd
-spec:
-  project: default
-  source:
-    repoURL: https://gitlab.com/developerdurp/homelab.git
-    targetRevision: main
-    path: gitlab-runner
-  destination:
-    namespace: gitlab-runner
-    name: in-cluster
-  syncPolicy:
-    automated:
-      prune: true
-      selfHeal: true  
-    syncOptions:
-      - CreateNamespace=true    
-

dmz/.gitlab/.gitlab-ci.yml

@@ -0,0 +1,95 @@
+stages:
+  - plan
+  - apply
+  - destroy
+
+variables:
+  WORKDIR: $CI_PROJECT_DIR/dmz/terraform
+  GITLAB_TF_ADDRESS: ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/terraform/state/dmz
+
+image:
+  name: registry.durp.info/opentofu/opentofu:latest
+  entrypoint: [""]
+
+.tf-init:
+  before_script:
+    - cd $WORKDIR
+    - tofu init 
+      -reconfigure 
+      -backend-config="address=${GITLAB_TF_ADDRESS}" 
+      -backend-config="lock_address=${GITLAB_TF_ADDRESS}/lock" 
+      -backend-config="unlock_address=${GITLAB_TF_ADDRESS}/lock"
+      -backend-config="username=gitlab-ci-token" 
+      -backend-config="password=${CI_JOB_TOKEN}"
+      -backend-config="lock_method=POST"
+      -backend-config="unlock_method=DELETE"
+      -backend-config="retry_wait_min=5"
+
+format:
+  stage: .pre
+  allow_failure: false
+  script:
+    - cd $WORKDIR
+    - tofu fmt -diff -check -write=false
+  rules:
+    - changes:
+        - "dmz/terraform/*.tf"
+
+validate:
+  stage: .pre
+  allow_failure: false
+  extends: .tf-init
+  script:
+    - tofu validate
+  rules:
+    - changes:
+        - "dmz/terraform/*.tf"
+
+plan-dmz-infrastructure:
+  stage: plan
+  variables:
+    PLAN: plan.tfplan
+    JSON_PLAN_FILE: tfplan.json
+    ENVIRONMENT_NAME: dmz
+  allow_failure: false
+  extends: .tf-init
+  script:
+    - apk add --update curl jq
+    - alias convert_report="jq -r '([.resource_changes[].change.actions?]|flatten)|{\"create\":(map(select(.==\"create\"))|length),\"update\":(map(select(.==\"update\"))|length),\"delete\":(map(select(.==\"delete\"))|length)}'"
+    - tofu plan -out=$PLAN $ARGUMENTS
+    - tofu show --json $PLAN | jq -r '([.resource_changes[].change.actions?]|flatten)|{"create":(map(select(.=="create"))|length),"update":(map(select(.=="update"))|length),"delete":(map(select(.=="delete"))|length)}' > $JSON_PLAN_FILE
+  artifacts:
+    reports:
+      terraform: $WORKDIR/$JSON_PLAN_FILE
+  needs: ["validate","format"]
+  rules:
+    - changes:
+        - "dmz/terraform/*.tf"
+
+apply-dmz-infrastructure:
+  stage: apply
+  variables:
+    ENVIRONMENT_NAME: dmz
+  allow_failure: false
+  extends: .tf-init
+  script:
+    - tofu apply -auto-approve $ARGUMENTS
+  rules:
+    - changes:
+        - "dmz/terraform/*.tf"
+      when: manual
+  needs: ["plan-dmz-infrastructure"]
+
+destroy-dmz-infrastructure:
+  stage: destroy
+  variables:
+    ENVIRONMENT_NAME: dmz
+  allow_failure: false
+  extends: .tf-init
+  script:
+    - tofu destroy -auto-approve $ARGUMENTS
+  rules:
+    - changes:
+        - "dmz/terraform/*.tf"
+      when: manual
+  needs: ["plan-dmz-infrastructure"]

dmz/authentik/Chart.yaml

@@ -0,0 +1,12 @@
+apiVersion: v2
+name: authentik
+description: A Helm chart for Kubernetes
+type: application
+
+version: 0.1.0
+appVersion: "1.16.0"
+
+dependencies:
+- name: authentik-remote-cluster
+  repository: https://charts.goauthentik.io
+  version: 2.0.0

dmz/authentik/values.yaml

@@ -0,0 +1,30 @@
+authentik-remote-cluster:
+  # -- Provide a name in place of `authentik`. Prefer using global.nameOverride if possible
+  nameOverride: ""
+  # -- String to fully override `"authentik.fullname"`. Prefer using global.fullnameOverride if possible
+  fullnameOverride: ""
+  # -- Override the Kubernetes version, which is used to evaluate certain manifests
+  kubeVersionOverride: ""
+
+  ## Globally shared configuration for authentik components.
+  global:
+    # -- Provide a name in place of `authentik`
+    nameOverride: ""
+    # -- String to fully override `"authentik.fullname"`
+    fullnameOverride: ""
+    # -- A custom namespace to override the default namespace for the deployed resources.
+    namespaceOverride: ""
+    # -- Common labels for all resources.
+    additionalLabels: {}
+      # app: authentik
+
+  # -- Annotations to apply to all resources
+  annotations: {}
+
+  serviceAccountSecret:
+    # -- Create a secret with the service account credentials
+    enabled: true
+
+  clusterRole:
+    # -- Create a clusterole in addition to a namespaced role.
+    enabled: true

dmz/cert-manager/Chart.yaml

@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: cert-manager
   repository: https://charts.jetstack.io
-  version: 1.*.*
+  version: v1.16.3

dmz/cert-manager/templates/issuer.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: issuer
+secrets:
+  - name:  issuer-token-lmzpj
+
+---
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: issuer-token-lmzpj
+  annotations:
+    kubernetes.io/service-account.name: issuer
+type: kubernetes.io/service-account-token

dmz/cert-manager/templates/secretvault.yaml

@@ -0,0 +1,22 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: cloudflare-api-token-secret
+spec:
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: cloudflare-api-token-secret
+  data:
+  - secretKey: cloudflare-api-token-secret
+    remoteRef:
+      key: kv/cert-manager
+      property: cloudflare-api-token-secret
+
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault

dmz/cert-manager/values.yaml

@@ -0,0 +1,26 @@
+cert-manager:
+  crds:
+    enabled: true
+  image:
+    registry: registry.internal.durp.info
+    repository: jetstack/cert-manager-controller
+    pullPolicy: Always
+  replicaCount: 3
+  extraArgs:
+    - --dns01-recursive-nameservers=1.1.1.1:53,1.0.0.1:53
+    - --dns01-recursive-nameservers-only
+  podDnsPolicy: None
+  podDnsConfig:
+    nameservers:
+      - "1.1.1.1"
+      - "1.0.0.1"
+  webhook:
+    image:
+      registry: registry.internal.durp.info
+      repository: jetstack/cert-manager-webhook
+      pullPolicy: Always  
+  cainjector:
+    image:
+      registry: registry.internal.durp.info
+      repository: jetstack/cert-manager-cainjector
+      pullPolicy: Always

dmz/external-dns/Chart.yaml

@@ -9,4 +9,4 @@ appVersion: 0.0.1
 dependencies:
 - name: external-dns
   repository: https://charts.bitnami.com/bitnami
-  version: 6.20.3
+  version: 8.3.8

dmz/external-dns/templates/secrets.yaml

@@ -0,0 +1,30 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: external-dns-secret
+spec:
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: external-dns
+  data:
+  - secretKey: cloudflare_api_email
+    remoteRef:
+      key: kv/cloudflare
+      property: cloudflare_api_email
+  - secretKey: cloudflare_api_key
+    remoteRef:
+      key: kv/cloudflare
+      property: cloudflare_api_key
+  - secretKey: cloudflare_api_token
+    remoteRef:
+      key: kv/cloudflare
+      property: cloudflare_api_token
+
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault

dmz/external-dns/values.yaml

@@ -0,0 +1,18 @@
+external-dns:
+  global:
+    imageRegistry: "registry.durp.info"
+
+  image:
+    pullPolicy: Always
+
+  txtPrefix: "dmz-"
+
+  sources:
+    - service
+    
+  provider: cloudflare
+  cloudflare:
+    secretName : "external-dns"
+    proxied: false
+
+  policy: sync

dmz/external-secrets/Chart.yaml

@@ -0,0 +1,11 @@
+apiVersion: v2
+name: external-secrets
+description: A Helm chart for Kubernetes
+type: application
+version: 0.0.1
+appVersion: 0.0.1
+
+dependencies:
+- name: external-secrets
+  repository: https://charts.external-secrets.io
+  version: 0.13.0

dmz/external-secrets/templates/ca.yaml

@@ -0,0 +1,81 @@
+apiVersion: v1
+data:
+  vault.pem: |
+    -----BEGIN CERTIFICATE-----
+    MIIEszCCA5ugAwIBAgIUZEzzxqEuYiKHkL1df+Cb22NRRJMwDQYJKoZIhvcNAQEL
+    BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzIyMzQ0MloXDTM1MDEy
+    MTExMTU1NVowIDEeMBwGA1UEAxMVdmF1bHQuaW5mcmEuZHVycC5pbmZvMIIBIjAN
+    BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkZM0ue4bMcmmATs+kGYSpR2hLUzq
+    scGIwCtqmaKCMbd1xhmgjnIR3zvSRptLR2GVGvc1ti6qby0jXYvcqbxkHvay00zW
+    2zYN+M2m4lXpuWzg1t6NEoO6XGAsGj2v0vcVktPPU9uj0rGUVGWWfsvjoXqQFg5I
+    jdxsxK9SvMvw2XtE3FgKxpzCyw94InIHlcPwFTO+3ZdKStZlMbUDIkmszLBrWFcr
+    XOsPDfLxqMy0Ck//LKIt8djh3254FHB1GG5+kI+JSW1o+tUcL2NymvIINwm/2acS
+    1uTm+j9W7iEXav0pJNmm+/dzSskc3Y0ftM0h2HCXgitBIaEZnUVneNHOLwIDAQAB
+    o4IB7zCCAeswDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O
+    BBYEFCaQ2q7j7LyBGETEZ5qaJAdlISKCMB8GA1UdIwQYMBaAFO1jCyGkpFO+QiR2
+    dfBMWVYeWrQ2MIH0BggrBgEFBQcBAQSB5zCB5DAzBggrBgEFBQcwAYYnaHR0cHM6
+    Ly8xOTIuMTY4LjIwLjI1Mzo4MjAxL3YxL3BraS9vY3NwMD0GCCsGAQUFBzABhjFo
+    dHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3BraS9vY3Nw
+    MDEGCCsGAQUFBzAChiVodHRwczovLzE5Mi4xNjguMjAuMjUzOjgyMDEvdjEvcGtp
+    L2NhMDsGCCsGAQUFBzAChi9odHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVy
+    cC5pbmZvL3YxL3BraS9jYTAgBgNVHREEGTAXghV2YXVsdC5pbmZyYS5kdXJwLmlu
+    Zm8wbwYDVR0fBGgwZjAsoCqgKIYmaHR0cHM6Ly8xOTIuMTY4LjIwLjI1Mzo4MjAx
+    L3YxL3BraS9jcmwwNqA0oDKGMGh0dHBzOi8vcm9vdC12YXVsdC5pbnRlcm5hbC5k
+    dXJwLmluZm8vdjEvcGtpL2NybDANBgkqhkiG9w0BAQsFAAOCAQEAuJ+lplY/+A5L
+    5LzkljbKDTy3U6PLv1LtxqVCOFGiJXBnXMjtVW07bBEUadzFRNW8GHQ3w5QzOG6k
+    /vE/TrrJho7l05J/uc+BUrPSNjefLmQV6hn4jrP86PR0vzRfbSqKKBIID9M7+zi6
+    GFvHlVkSHsQyMQp7JOoax9KVzW2Y+OIgw7Lgw2tP122WCt2SIF0QenoZHsoW0guj
+    tzTJRmJDjn6XeJ7L3FPkf37H6ub0Jg3zBGr6eorEFfYZNN5CXezjqMFBpRdq4UIo
+    1M3A7o3uyZFcFsp/vGDcMBkwaCsBV9idu/HwkvGaTUNI285ilBORPD0bMZnACq/9
+    +Q/cdsO5lg==
+    -----END CERTIFICATE-----
+    -----BEGIN CERTIFICATE-----
+    MIIEmzCCA4OgAwIBAgIUQwCAs82sgSuiaVbjANHScO2DSfAwDQYJKoZIhvcNAQEL
+    BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzExMjEyNVoXDTM1MDEy
+    MTExMTU1NVowFDESMBAGA1UEAxMJZHVycC5pbmZvMIIBIjANBgkqhkiG9w0BAQEF
+    AAOCAQ8AMIIBCgKCAQEAn9fjGRqqFsqguz56X6cXZwEMtD9wElwSFCb4Fc8YTzlH
+    4fV13QwXKESLE/Q+7bw4y4FJQ8BiGNbxxbQOOgWhfGGlQyFa1lfhJtYLfqRN5C2/
+    S7nr0YxDB9duc4OAExVL6Pr4/Koc+vDZY03l7RzwnF2AOM9DjFTASw01TphCQjRk
+    U+upiN2TUhUPejV/gMR+zXM6pn98UBKG1dNubS0HzAMwAEXAPm141NDyWUCPT9+3
+    6P03Ka8mUTx3X49OCtvJEGEQbtlnTFQaOSkP1yLW+XRMHw3sQaV2PWXu5fInbEpZ
+    +SuzmgLOXtmQNmHLav9q1qeTVkpBGPWvfh2Vh1JJhQIDAQABo4IB4zCCAd8wDgYD
+    VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFJaP17f1Zw0V
+    55Ks9Uf0USVWl0BPMB8GA1UdIwQYMBaAFO1jCyGkpFO+QiR2dfBMWVYeWrQ2MIH0
+    BggrBgEFBQcBAQSB5zCB5DAzBggrBgEFBQcwAYYnaHR0cHM6Ly8xOTIuMTY4LjIw
+    LjI1Mzo4MjAxL3YxL3BraS9vY3NwMD0GCCsGAQUFBzABhjFodHRwczovL3Jvb3Qt
+    dmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3BraS9vY3NwMDEGCCsGAQUFBzAC
+    hiVodHRwczovLzE5Mi4xNjguMjAuMjUzOjgyMDEvdjEvcGtpL2NhMDsGCCsGAQUF
+    BzAChi9odHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3Br
+    aS9jYTAUBgNVHREEDTALgglkdXJwLmluZm8wbwYDVR0fBGgwZjAsoCqgKIYmaHR0
+    cHM6Ly8xOTIuMTY4LjIwLjI1Mzo4MjAxL3YxL3BraS9jcmwwNqA0oDKGMGh0dHBz
+    Oi8vcm9vdC12YXVsdC5pbnRlcm5hbC5kdXJwLmluZm8vdjEvcGtpL2NybDANBgkq
+    hkiG9w0BAQsFAAOCAQEAiqAZ4zNIEkCWcvpDRq0VyJuk59sVtJr5X4FscHQ179nE
+    QbbvMe+EBDFS6XQml1Elj8jiPa/D5O9Oc6Iisnm5+weZKwApz/lQ+XVkWLCoEplB
+    ZZ9fcWVCbMLt0xlt8qn5z/mYKfbCT7ZCqDO+prQZt+ADJcQbiknfroAAqEbNKxwN
+    Y9uUyOWNF3SxJEch4w2dtX+IEVmxeZnhMy8OuP0SQKl8aW40ugiG0ZD5yTBBfOD9
+    zsrGSU/iSatn0b7bevBhaL96hz1/rNR1cL+4/albX2hrr8Rv3/SB2DLtNQlQW0ls
+    AfhXAqP5zL+Ytgf1Of/pVdgnhxrYUY7RKCSGY5Hagw==
+    -----END CERTIFICATE-----
+    -----BEGIN CERTIFICATE-----
+    MIIDLzCCAhegAwIBAgIUNHdvOzam2HPVdwXpMHUy4wl8ZRYwDQYJKoZIhvcNAQEL
+    BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzExMTUyNVoXDTM1MDEy
+    MTExMTU1NVowFDESMBAGA1UEAxMJZHVycC5pbmZvMIIBIjANBgkqhkiG9w0BAQEF
+    AAOCAQ8AMIIBCgKCAQEA8XDTVEtRI3+k4yuvqVqfIiLRQJcXbmhfVtAeYk+5j9Ox
+    p1w9YHdnPLqLFrD1PzadjqYeAp/fwlEFfs6lqwoTS8S9vhaFqcgB57nVMb77dTBb
+    /08XHXOU6FPRjdFKm5QMpS7tn1XacPMy/o0bKqRREQeiuFDGVRyuF5PUgvWc1dvJ
+    l27JvvgYktgjfpNS4DlCxg4lGXT5abvaKf2hnr65egaIo/yRWN9wnvAzRiY7oci7
+    GA1oKz87Yc1tfL2gcynrwccOOCF/eUKesJR1I6GXNkN/a1fcr+Ld9Z9NhHBtO+vE
+    N8DsZY+kG7DE3M4BCCTFUzllcYHjaW4HaF9vZW+PYwIDAQABo3kwdzAOBgNVHQ8B
+    Af8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU7WMLIaSkU75CJHZ1
+    8ExZVh5atDYwHwYDVR0jBBgwFoAU7WMLIaSkU75CJHZ18ExZVh5atDYwFAYDVR0R
+    BA0wC4IJZHVycC5pbmZvMA0GCSqGSIb3DQEBCwUAA4IBAQAS/qUI/1Yv07xUTK5k
+    r93kC7GSPpmpkXIsfjChAl93sebN143fu70NUP74jjCc0Wkb8hRofGg10E+/24r1
+    AI0KsLhzKzfIASxUVQAn8RTptLruaaPLboSA4MUZ8IB5y8Vy8E3/KtD0gD80j64Y
+    rm9XGHA0HTJHbPUTb/Rux2g0E7WtiyWSWH8mqzbegU8IrkM3eVT4+ylBE7YkfWDD
+    dw44sB71tfmDKpzWg6XQ6YMh0YfnyG1fYCj9LhuecNY9Uuo6cjDaAvkzMewWwqDx
+    Q2Ekas98Di6itCP8vET+gBDjeCc+XR6Hx6vzWmxlZhwDuxEKL1a2/DabUxJyMNzv
+    55Fn
+    -----END CERTIFICATE-----
+kind: ConfigMap
+metadata:
+  name: ca-pemstore

dmz/external-secrets/values.yaml

@@ -0,0 +1,94 @@
+external-secrets:
+  replicaCount: 3
+  revisionHistoryLimit: 1
+  leaderElect: true
+
+  installCRDs: true
+  crds:
+    createClusterExternalSecret: true
+    createClusterSecretStore: true
+    createClusterGenerator: true
+    createPushSecret: true
+    conversion:
+      enabled: false
+
+  image:
+    repository: registry.durp.info/external-secrets/external-secrets
+    pullPolicy: Always
+
+  extraVolumes: 
+    - name: ca-pemstore
+      configMap:
+        name: ca-pemstore
+
+  extraVolumeMounts: 
+    - name: ca-pemstore
+      mountPath: /etc/ssl/certs/vault.pem
+      subPath: vault.pem
+      readOnly: true
+
+  resources: 
+    requests:
+      memory: 32Mi
+      cpu: 10m
+    limits:
+      memory: 32Mi
+      cpu: 10m
+
+  webhook:
+    create: false
+    failurePolicy: Ignore
+    log:
+      level: debug
+    image:
+      repository: registry.durp.info/external-secrets/external-secrets
+      pullPolicy: Always
+
+    extraVolumes: 
+      - name: ca-pemstore
+        configMap:
+          name: ca-pemstore
+
+    extraVolumeMounts: 
+      - name: ca-pemstore
+        mountPath: /etc/ssl/certs/vault.pem
+        subPath: vault.pem
+        readOnly: true
+
+    resources: 
+      requests:
+        memory: 32Mi
+        cpu: 10m
+      limits:
+        memory: 32Mi
+        cpu: 10m
+
+  certController:
+    create: false
+    revisionHistoryLimit: 1
+    log:
+      level: debug
+
+    image:
+      repository: registry.durp.info/external-secrets/external-secrets
+      pullPolicy: Always
+      tag: ""
+
+    resources: 
+      requests:
+        memory: 32Mi
+        cpu: 10m
+      limits:
+        memory: 32Mi
+        cpu: 10m
+
+    extraVolumes: 
+      - name: ca-pemstore
+        configMap:
+          name: ca-pemstore
+
+    extraVolumeMounts: 
+      - name: ca-pemstore
+        mountPath: /etc/ssl/certs/vault.pem
+        subPath: vault.pem
+        readOnly: true

dmz/gitlab-runner/Chart.yaml

@@ -0,0 +1,15 @@
+apiVersion: v2
+name: gitlab-runner
+description: A Helm chart for Kubernetes
+type: application
+version: 0.0.1
+appVersion: 0.0.1
+
+dependencies:
+- name: gitlab-runner
+  repository: https://charts.gitlab.io/
+  version: 0.69.0
+- name: gitlab-runner
+  repository: https://charts.gitlab.io/
+  version: 0.69.0
+  alias: personal

dmz/gitlab-runner/templates/secrets.yaml

@@ -0,0 +1,48 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: gitlab-secret
+spec:
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: gitlab-secret
+  data:
+  - secretKey: runner-registration-token
+    remoteRef:
+      key: kv/gitlab/runner
+      property: runner-registration-token
+  - secretKey: runner-token
+    remoteRef:
+      key: kv/gitlab/runner
+      property: runner-token
+
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault
+
+---
+
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: gitlab-secret-personal
+spec:
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: gitlab-secret-personal
+  data:
+  - secretKey: runner-token
+    remoteRef:
+      key: kv/gitlab/runner
+      property: personal-runner-token
+  - secretKey: runner-registration-token
+    remoteRef:
+      key: kv/gitlab/runner
+      property: personal-runner-token

dmz/gitlab-runner/values.yaml

@@ -0,0 +1,143 @@
+gitlab-runner:
+
+  image:
+    registry: registry.durp.info
+    image: gitlab-org/gitlab-runner
+
+  imagePullPolicy: Always
+  gitlabUrl: https://gitlab.com/
+  unregisterRunner: false
+  terminationGracePeriodSeconds: 3600
+  concurrent: 10
+  checkInterval: 30
+
+  rbac:
+    create: true
+    rules: []
+    clusterWideAccess: false
+    podSecurityPolicy:
+      enabled: false
+      resourceNames:
+      - gitlab-runner
+
+  metrics:
+    enabled: true
+    serviceMonitor:
+      enabled: true      
+  service:
+    enabled: true
+    annotations: {}  
+
+  runners:
+    config: |
+      [[runners]]
+        [runners.kubernetes]
+          namespace = "{{.Release.Namespace}}"
+          image = "ubuntu:22.04"
+          privileged = true
+
+    executor: kubernetes
+    name: "k3s"
+    runUntagged: true
+    privileged: true
+    secret: gitlab-secret
+    #builds: 
+      #cpuLimit: 200m
+      #cpuLimitOverwriteMaxAllowed: 400m
+      #memoryLimit: 256Mi
+      #memoryLimitOverwriteMaxAllowed: 512Mi
+      #cpuRequests: 100m
+      #cpuRequestsOverwriteMaxAllowed: 200m
+      #memoryRequests: 128Mi
+      #memoryRequestsOverwriteMaxAllowed: 256Mi
+
+  securityContext:
+    allowPrivilegeEscalation: false
+    readOnlyRootFilesystem: false
+    runAsNonRoot: true
+    privileged: false
+    capabilities:
+      drop: ["ALL"]
+
+  podSecurityContext:
+    runAsUser: 100
+    fsGroup: 65533
+
+  resources: 
+    limits:
+      memory: 2Gi
+    requests:
+      memory: 128Mi
+      cpu: 500m
+
+personal:
+
+  image:
+    registry: registry.durp.info
+    image: gitlab-org/gitlab-runner
+
+  imagePullPolicy: Always
+  gitlabUrl: https://gitlab.com/
+  unregisterRunner: false
+  terminationGracePeriodSeconds: 3600
+  concurrent: 10
+  checkInterval: 30
+
+  rbac:
+    create: true
+    rules: []
+    clusterWideAccess: false
+    podSecurityPolicy:
+      enabled: false
+      resourceNames:
+      - gitlab-runner
+
+  metrics:
+    enabled: true
+    serviceMonitor:
+      enabled: true      
+  service:
+    enabled: true
+    annotations: {}  
+
+  runners:
+    config: |
+      [[runners]]
+        [runners.kubernetes]
+          namespace = "{{.Release.Namespace}}"
+          image = "ubuntu:22.04"
+          privileged = true
+
+    executor: kubernetes
+    name: "k3s"
+    runUntagged: true
+    privileged: true
+    secret: gitlab-secret-personal
+    #builds: 
+      #cpuLimit: 200m
+      #cpuLimitOverwriteMaxAllowed: 400m
+      #memoryLimit: 256Mi
+      #memoryLimitOverwriteMaxAllowed: 512Mi
+      #cpuRequests: 100m
+      #cpuRequestsOverwriteMaxAllowed: 200m
+      #memoryRequests: 128Mi
+      #memoryRequestsOverwriteMaxAllowed: 256Mi
+
+  securityContext:
+    allowPrivilegeEscalation: false
+    readOnlyRootFilesystem: false
+    runAsNonRoot: true
+    privileged: false
+    capabilities:
+      drop: ["ALL"]
+
+  podSecurityContext:
+    runAsUser: 100
+    fsGroup: 65533
+
+  resources: 
+    limits:
+      memory: 2Gi
+    requests:
+      memory: 128Mi
+      cpu: 500m

dmz/internalproxy/templates/authentik.yaml

@@ -1,4 +1,4 @@
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
   name: authentik-ingress
@@ -9,8 +9,8 @@ spec:
   - match: Host(`authentik.durp.info`) && PathPrefix(`/`) 
     kind: Rule
     services:
-    - name: authentik-server
-      port: 80
+    - name: infra-cluster
+      port: 443
   tls:
     secretName: authentik-tls
 
@@ -21,13 +21,13 @@ kind: Certificate
 metadata:
   name: authentik-tls
 spec:
-  secretName: authentik-tls
   issuerRef:
     name: letsencrypt-production
     kind: ClusterIssuer
+  secretName: authentik-tls
   commonName: "authentik.durp.info"
   dnsNames:
-  - "authentik.durp.info" 
+  - "authentik.durp.info"
 
 ---
 

dmz/internalproxy/templates/bitwarden.yaml

@@ -0,0 +1,42 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: bitwarden-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`bitwarden.durp.info`) && PathPrefix(`/`) 
+    kind: Rule
+    services:
+    - name: master-cluster
+      port: 443
+  tls:
+    secretName: bitwarden-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: bitwarden-tls
+spec:
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  secretName: bitwarden-tls
+  commonName: "bitwarden.durp.info"
+  dnsNames:
+  - "bitwarden.durp.info"
+
+---
+
+kind: Service
+apiVersion: v1
+metadata:
+  name: bitwarden-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: bitwarden.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info

dmz/internalproxy/templates/duplicati.yaml

@@ -0,0 +1,64 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: duplicati
+spec:
+  ports:
+  - name: app
+    port: 8200
+    protocol: TCP
+    targetPort: 8200
+  clusterIP: None
+  type: ClusterIP
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: duplicati
+subsets:
+- addresses:
+  - ip: 192.168.21.200
+  ports:
+  - name: app
+    port: 8200
+    protocol: TCP
+
+---    
+
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: duplicati-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`duplicati.internal.durp.info`) && PathPrefix(`/`)
+    middlewares:
+    - name: whitelist
+      namespace: traefik
+    - name: authentik-proxy-provider
+      namespace: traefik  
+    kind: Rule
+    services:
+    - name: duplicati
+      port: 8200
+  tls:
+    secretName: duplicati-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: duplicati-tls
+spec:
+  secretName: duplicati-tls
+  issuerRef:
+    name: vault-issuer
+    kind: ClusterIssuer
+  commonName: "duplicati.internal.durp.info"
+  dnsNames:
+  - "duplicati.internal.durp.info"  

dmz/internalproxy/templates/endpoints.yaml

@@ -0,0 +1,45 @@
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: master-cluster
+subsets:
+  - addresses:
+      - ip: 192.168.20.130
+    ports:
+      - port: 443
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: master-cluster
+spec:
+  ports:
+    - protocol: TCP
+      port: 443
+      targetPort: 443
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: infra-cluster
+subsets:
+  - addresses:
+      - ip: 192.168.12.130
+    ports:
+      - port: 443
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: infra-cluster
+spec:
+  ports:
+    - protocol: TCP
+      port: 443
+      targetPort: 443

dmz/internalproxy/templates/gitea.yaml

@@ -0,0 +1,72 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: gitea
+spec:
+  ports:
+    - name: app
+      port: 3000
+      protocol: TCP
+      targetPort: 3000
+  clusterIP: None
+  type: ClusterIP
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: gitea
+subsets:
+  - addresses:
+      - ip: 192.168.21.200
+    ports:
+      - name: app
+        port: 3000
+        protocol: TCP
+
+---
+
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: gitea-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`gitea.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      services:
+        - name: gitea
+          port: 3000
+          scheme: http
+  tls:
+    secretName: gitea-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: gitea-tls
+spec:
+  secretName: gitea-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "gitea.durp.info"
+  dnsNames:
+    - "gitea.durp.info"
+
+---
+
+kind: Service
+apiVersion: v1
+metadata:
+  name: gitea-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: gitea.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info

dmz/internalproxy/templates/kasm.yaml

@@ -0,0 +1,72 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: kasm
+spec:
+  ports:
+    - name: app
+      port: 443
+      protocol: TCP
+      targetPort: 443
+  clusterIP: None
+  type: ClusterIP
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: kasm
+subsets:
+  - addresses:
+      - ip: 192.168.20.104
+    ports:
+      - name: app
+        port: 443
+        protocol: TCP
+
+---
+
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: kasm-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`kasm.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      services:
+        - name: kasm
+          port: 443
+          scheme: https
+  tls:
+    secretName: kasm-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: kasm-tls
+spec:
+  secretName: kasm-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "kasm.durp.info"
+  dnsNames:
+    - "kasm.durp.info"
+
+---
+
+kind: Service
+apiVersion: v1
+metadata:
+  name: kasm-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: kasm.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info

dmz/internalproxy/templates/kuma.yaml

@@ -0,0 +1,45 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: kuma-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`kuma.durp.info`) && PathPrefix(`/`) 
+    kind: Rule
+    middlewares:
+    - name: authentik-proxy-provider
+      namespace: traefik  
+    services:
+    - name: master-cluster
+      port: 443
+  tls:
+    secretName: kuma-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: kuma-tls
+spec:
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  secretName: kuma-tls
+  commonName: "kuma.durp.info"
+  dnsNames:
+  - "kuma.durp.info"
+
+---
+
+kind: Service
+apiVersion: v1
+metadata:
+  name: kuma-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: kuma.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info

dmz/internalproxy/templates/nexus.yaml

@@ -0,0 +1,71 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: nexus
+spec:
+  ports:
+  - name: app
+    port: 8081
+    protocol: TCP
+    targetPort: 8081
+  clusterIP: None
+  type: ClusterIP
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: nexus
+subsets:
+- addresses:
+  - ip: 192.168.20.200
+  ports:
+  - name: app
+    port: 8081
+    protocol: TCP
+
+---    
+
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: nexus-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`nexus.durp.info`) && PathPrefix(`/`)
+    kind: Rule
+    services:
+    - name: nexus
+      port: 8081
+  tls:
+    secretName: nexus-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: nexus-tls
+spec:
+  secretName: nexus-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "nexus.durp.info"
+  dnsNames:
+  - "nexus.durp.info"  
+
+---
+
+kind: Service
+apiVersion: v1
+metadata:
+  name: nexus-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: nexus.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info

dmz/internalproxy/templates/ollama.yaml

@@ -0,0 +1,102 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: ollama-secret
+spec:
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: ollama-secret
+  data:
+    - secretKey: users
+      remoteRef:
+        key: kv/ollama
+        property: users
+
+---
+
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: ollama-basic-auth
+spec:
+  basicAuth:
+    headerField: x-api-key
+    secret: ollama-secret
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: ollama
+spec:
+  ports:
+    - name: app
+      port: 11435
+      protocol: TCP
+      targetPort: 11435
+  clusterIP: None
+  type: ClusterIP
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: ollama
+subsets:
+  - addresses:
+      - ip: 192.168.20.104
+    ports:
+      - name: app
+        port: 11435
+        protocol: TCP
+
+---
+
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: ollama-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`ollama.durp.info`) && PathPrefix(`/`)
+      middlewares:
+        - name: ollama-basic-auth
+      kind: Rule
+      services:
+        - name: ollama
+          port: 11435
+  tls:
+    secretName: ollama-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: ollama-tls
+spec:
+  secretName: ollama-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "ollama.durp.info"
+  dnsNames:
+    - "ollama.durp.info"
+
+---
+
+kind: Service
+apiVersion: v1
+metadata:
+  name: ollama-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: ollama.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info

dmz/internalproxy/templates/open-webui.yaml

@@ -0,0 +1,42 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: open-webui-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`open-webui.durp.info`) && PathPrefix(`/`)
+    kind: Rule
+    services:
+    - name: master-cluster
+      port: 443
+  tls:
+    secretName: open-webui-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: open-webui-tls
+spec:
+  secretName: open-webui-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "open-webui.durp.info"
+  dnsNames:
+  - "open-webui.durp.info"  
+
+---
+
+kind: Service
+apiVersion: v1
+metadata:
+  name: open-webui-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: open-webui.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info  

dmz/internalproxy/templates/plex.yaml

@@ -0,0 +1,72 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: plex
+spec:
+  ports:
+    - name: app
+      port: 32400
+      protocol: TCP
+      targetPort: 32400
+  clusterIP: None
+  type: ClusterIP
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: plex
+subsets:
+  - addresses:
+      - ip: 192.168.21.200
+    ports:
+      - name: app
+        port: 32400
+        protocol: TCP
+
+---
+
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: plex-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`plex.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      services:
+        - name: plex
+          port: 32400
+          scheme: https
+  tls:
+    secretName: plex-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: plex-tls
+spec:
+  secretName: plex-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "plex.durp.info"
+  dnsNames:
+    - "plex.durp.info"
+
+---
+
+kind: Service
+apiVersion: v1
+metadata:
+  name: plex-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: plex.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info  

dmz/internalproxy/templates/portainer.yaml

@@ -0,0 +1,62 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: portainer
+spec:
+  ports:
+  - name: app
+    port: 9443
+    protocol: TCP
+    targetPort: 9443
+  clusterIP: None
+  type: ClusterIP
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: portainer
+subsets:
+- addresses:
+  - ip: 192.168.20.104
+  ports:
+  - name: app
+    port: 9443
+    protocol: TCP
+
+---    
+
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: portainer-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`portainer.internal.durp.info`) && PathPrefix(`/`)
+    middlewares:
+    - name: whitelist
+      namespace: traefik
+    kind: Rule
+    services:
+    - name: portainer
+      port: 9443
+  tls:
+    secretName: portainer-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: portainer-tls
+spec:
+  secretName: portainer-tls
+  issuerRef:
+    name: vault-issuer
+    kind: ClusterIssuer
+  commonName: "portainer.internal.durp.info"
+  dnsNames:
+  - "portainer.internal.durp.info"  

dmz/internalproxy/templates/proxmox.yaml

@@ -0,0 +1,63 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: proxmox
+spec:
+  ports:
+    - name: app
+      port: 8006
+      protocol: TCP
+      targetPort: 8006
+  clusterIP: None
+  type: ClusterIP
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: proxmox
+subsets:
+  - addresses:
+      - ip: 192.168.21.254
+    ports:
+      - name: app
+        port: 8006
+        protocol: TCP
+
+---
+
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: proxmox-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`proxmox.internal.durp.info`) && PathPrefix(`/`)
+      middlewares:
+        - name: whitelist
+          namespace: traefik
+      kind: Rule
+      services:
+        - name: proxmox
+          port: 8006
+          scheme: https
+  tls:
+    secretName: proxmox-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: proxmox-tls
+spec:
+  secretName: proxmox-tls
+  issuerRef:
+    name: vault-issuer
+    kind: ClusterIssuer
+  commonName: "proxmox.internal.durp.info"
+  dnsNames:
+    - "proxmox.internal.durp.info"

dmz/internalproxy/templates/redlib.yaml

@@ -1,19 +1,7 @@
-kind: Service
-apiVersion: v1
-metadata:
-  name: guac-external-dns
-  annotations:
-    external-dns.alpha.kubernetes.io/hostname: guac.durp.info
-spec:
-  type: ExternalName
-  externalName: durp.info
-
----
-
 apiVersion: v1
 kind: Service
 metadata:
-  name: guac
+  name: redlib
 spec:
   ports:
   - name: app
@@ -28,10 +16,10 @@ spec:
 apiVersion: v1
 kind: Endpoints
 metadata:
-  name: guac
+  name: redlib
 subsets:
 - addresses:
-  - ip: 192.168.20.253
+  - ip: 192.168.21.200
   ports:
   - name: app
     port: 8082
@@ -39,33 +27,48 @@ subsets:
 
 ---    
 
-apiVersion: traefik.containo.us/v1alpha1
+apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
-  name: guac-ingress
+  name: redlib-ingress
 spec:
   entryPoints:
     - websecure
   routes:
-  - match: Host(`guac.durp.info`) && PathPrefix(`/`)
+  - match: Host(`redlib.durp.info`) && PathPrefix(`/`)
+    middlewares:
+    - name: authentik-proxy-provider
+      namespace: traefik  
     kind: Rule
     services:
-    - name: guac
+    - name: redlib
       port: 8082
   tls:
-    secretName: guac-tls
+    secretName: redlib-tls
 
 ---
 
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
-  name: guac-tls
+  name: redlib-tls
 spec:
-  secretName: guac-tls
+  secretName: redlib-tls
   issuerRef:
     name: letsencrypt-production
     kind: ClusterIssuer
-  commonName: "guac.durp.info"
+  commonName: "redlib.durp.info"
   dnsNames:
-  - "guac.durp.info"  
+  - "redlib.durp.info"  
+
+---
+
+kind: Service
+apiVersion: v1
+metadata:
+  name: redlib-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: redlib.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info

dmz/internalproxy/templates/registry.yaml

@@ -0,0 +1,71 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: registry
+spec:
+  ports:
+  - name: app
+    port: 5000
+    protocol: TCP
+    targetPort: 5000
+  clusterIP: None
+  type: ClusterIP
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: registry
+subsets:
+- addresses:
+  - ip: 192.168.21.200
+  ports:
+  - name: app
+    port: 5000
+    protocol: TCP
+
+---    
+
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: registry-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`registry.durp.info`) && PathPrefix(`/`)
+    kind: Rule
+    services:
+    - name: registry
+      port: 5000
+  tls:
+    secretName: registry-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: registry-tls
+spec:
+  secretName: registry-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "registry.durp.info"
+  dnsNames:
+  - "registry.durp.info"  
+
+---
+
+kind: Service
+apiVersion: v1
+metadata:
+  name: registry-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: registry.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info

dmz/internalproxy/templates/root-vault.yaml

@@ -0,0 +1,63 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: root-vault
+spec:
+  ports:
+    - name: app
+      port: 8201
+      protocol: TCP
+      targetPort: 8201
+  clusterIP: None
+  type: ClusterIP
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: root-vault
+subsets:
+  - addresses:
+      - ip: 192.168.21.200
+    ports:
+      - name: app
+        port: 8201
+        protocol: TCP
+
+---
+
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: root-vault-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`root-vault.internal.durp.info`) && PathPrefix(`/`)
+      middlewares:
+        - name: whitelist
+          namespace: traefik
+      kind: Rule
+      services:
+        - name: root-vault
+          port: 8201
+          scheme: https
+  tls:
+    secretName: root-vault-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: root-vault-tls
+spec:
+  secretName: root-vault-tls
+  issuerRef:
+    name: vault-issuer
+    kind: ClusterIssuer
+  commonName: "root-vault.internal.durp.info"
+  dnsNames:
+    - "root-vault.internal.durp.info"

dmz/internalproxy/templates/serviceaccount.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault

dmz/internalproxy/templates/smokeping.yaml

@@ -0,0 +1,76 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: smokeping
+spec:
+  ports:
+  - name: app
+    port: 81
+    protocol: TCP
+    targetPort: 81
+  clusterIP: None
+  type: ClusterIP
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: smokeping
+subsets:
+- addresses:
+  - ip: 192.168.21.200
+  ports:
+  - name: app
+    port: 81
+    protocol: TCP
+
+---    
+
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: smokeping-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`smokeping.durp.info`) && PathPrefix(`/`)
+    middlewares:
+    - name: whitelist
+      namespace: traefik
+    - name: authentik-proxy-provider
+      namespace: traefik  
+    kind: Rule
+    services:
+    - name: smokeping
+      port: 81
+  tls:
+    secretName: smokeping-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: smokeping-tls
+spec:
+  secretName: smokeping-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "smokeping.durp.info"
+  dnsNames:
+  - "smokeping.durp.info"  
+
+---
+
+kind: Service
+apiVersion: v1
+metadata:
+  name: smokeping-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: smokeping.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info  

dmz/internalproxy/templates/speedtest.yaml

@@ -0,0 +1,74 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: speedtest
+spec:
+  ports:
+  - name: app
+    port: 6580
+    protocol: TCP
+    targetPort: 6580
+  clusterIP: None
+  type: ClusterIP
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: speedtest
+subsets:
+- addresses:
+  - ip: 192.168.21.200
+  ports:
+  - name: app
+    port: 6580
+    protocol: TCP
+
+---    
+
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: speedtest-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`speedtest.durp.info`) && PathPrefix(`/`)
+    kind: Rule
+    middlewares:
+    - name: authentik-proxy-provider
+      namespace: traefik 
+    services:
+    - name: speedtest
+      port: 6580
+  tls:
+    secretName: speedtest-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: speedtest-tls
+spec:
+  secretName: speedtest-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "speedtest.durp.info"
+  dnsNames:
+  - "speedtest.durp.info"  
+
+---
+
+kind: Service
+apiVersion: v1
+metadata:
+  name: speedtest-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: speedtest.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info

dmz/internalproxy/templates/tdarr.yaml

@@ -0,0 +1,67 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: tdarr
+spec:
+  ports:
+  - name: app
+    port: 8267
+    protocol: TCP
+    targetPort: 8267
+  clusterIP: None
+  type: ClusterIP
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: tdarr
+subsets:
+- addresses:
+  - ip: 192.168.21.200
+  ports:
+  - name: app
+    port: 8267
+    protocol: TCP
+
+---
+
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: tdarr-ingress
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-production
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`tdarr.internal.durp.info`)
+    middlewares:
+    - name: whitelist
+      namespace: traefik  
+    - name: authentik-proxy-provider
+      namespace: traefik  
+    kind: Rule
+    services:
+    - name: tdarr
+      port: 8267
+      scheme: http
+  tls:
+    secretName: tdarr-tls  
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: tdarr-tls
+spec:
+  secretName: tdarr-tls
+  issuerRef:
+    name: vault-issuer
+    kind: ClusterIssuer
+  commonName: "tdarr.internal.durp.info"
+  dnsNames:
+  - "tdarr.internal.durp.info"  

dmz/internalproxy/templates/unifi.yaml

@@ -0,0 +1,63 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: unifi
+spec:
+  ports:
+    - name: app
+      port: 443
+      protocol: TCP
+      targetPort: 443
+  clusterIP: None
+  type: ClusterIP
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: unifi
+subsets:
+  - addresses:
+      - ip: 192.168.98.1
+    ports:
+      - name: app
+        port: 443
+        protocol: TCP
+
+---
+
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: unifi-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`unifi.internal.durp.info`) && PathPrefix(`/`)
+      middlewares:
+        - name: whitelist
+          namespace: traefik
+      kind: Rule
+      services:
+        - name: unifi
+          port: 443
+          scheme: https
+  tls:
+    secretName: unifi-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: unifi-tls
+spec:
+  secretName: unifi-tls
+  issuerRef:
+    name: vault-issuer
+    kind: ClusterIssuer
+  commonName: "unifi.internal.durp.info"
+  dnsNames:
+    - "unifi.internal.durp.info"

dmz/istio-system/Chart.yaml

@@ -0,0 +1,17 @@
+apiVersion: v2
+name: istio-system
+description: A Helm chart for Kubernetes
+type: application
+version: 0.0.1
+appVersion: 0.0.1
+
+dependencies:
+- name: base
+  repository: https://istio-release.storage.googleapis.com/charts
+  version: 1.25.0
+- name: istiod
+  repository: https://istio-release.storage.googleapis.com/charts
+  version: 1.25.0
+- name: gateway
+  repository: https://istio-release.storage.googleapis.com/charts
+  version: 1.25.0

dmz/istio-system/templates/annotate.yaml

@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  annotations:
+    topology.istio.io/controlPlaneClusters: cluster1
+  labels:
+    kubernetes.io/metadata.name: istio-system
+  name: istio-system
+spec:
+  finalizers:
+  - kubernetes
+status:
+  phase: Active

dmz/istio-system/values.yaml

@@ -0,0 +1,725 @@
+istiod:
+  profile: remote
+  autoscaleEnabled: true
+  autoscaleMin: 1
+  autoscaleMax: 5
+  autoscaleBehavior: {}
+  replicaCount: 1
+  rollingMaxSurge: 100%
+  rollingMaxUnavailable: 25%
+
+  hub: ""
+  tag: ""
+  variant: ""
+
+  # Can be a full hub/image:tag
+  image: pilot
+  traceSampling: 1.0
+
+  # Resources for a small pilot install
+  resources:
+    requests:
+      cpu: 500m
+      memory: 2048Mi
+
+  # Set to `type: RuntimeDefault` to use the default profile if available.
+  seccompProfile: {}
+
+  # Whether to use an existing CNI installation
+  cni:
+    enabled: false
+    provider: default
+
+  # Additional container arguments
+  extraContainerArgs: []
+
+  env: {}
+
+  # Settings related to the untaint controller
+  # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready
+  # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes
+  taint:
+    # Controls whether or not the untaint controller is active
+    enabled: false
+    # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod
+    namespace: ""
+
+  affinity: {}
+
+  tolerations: []
+
+  cpu:
+    targetAverageUtilization: 80
+  memory: {}
+    # targetAverageUtilization: 80
+
+  # Additional volumeMounts to the istiod container
+  volumeMounts: []
+
+  # Additional volumes to the istiod pod
+  volumes: []
+
+  # Inject initContainers into the istiod pod
+  initContainers: []
+
+  nodeSelector: {}
+  podAnnotations: {}
+  serviceAnnotations: {}
+  serviceAccountAnnotations: {}
+  sidecarInjectorWebhookAnnotations: {}
+
+  topologySpreadConstraints: []
+
+  # You can use jwksResolverExtraRootCA to provide a root certificate
+  # in PEM format. This will then be trusted by pilot when resolving
+  # JWKS URIs.
+  jwksResolverExtraRootCA: ""
+
+  # The following is used to limit how long a sidecar can be connected
+  # to a pilot. It balances out load across pilot instances at the cost of
+  # increasing system churn.
+  keepaliveMaxServerConnectionAge: 30m
+
+  # Additional labels to apply to the deployment.
+  deploymentLabels: {}
+
+  ## Mesh config settings
+
+  # Install the mesh config map, generated from values.yaml.
+  # If false, pilot wil use default values (by default) or user-supplied values.
+  configMap: true
+
+  # Additional labels to apply on the pod level for monitoring and logging configuration.
+  podLabels: {}
+
+  # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
+  ipFamilyPolicy: ""
+  ipFamilies: []
+
+  # Ambient mode only.
+  # Set this if you install ztunnel to a different namespace from `istiod`.
+  # If set, `istiod` will allow connections from trusted node proxy ztunnels
+  # in the provided namespace.
+  # If unset, `istiod` will assume the trusted node proxy ztunnel resides
+  # in the same namespace as itself.
+  trustedZtunnelNamespace: ""
+
+  sidecarInjectorWebhook:
+    # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
+    # always skip the injection on pods that match that label selector, regardless of the global policy.
+    # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
+    neverInjectSelector: []
+    alwaysInjectSelector: []
+
+    # injectedAnnotations are additional annotations that will be added to the pod spec after injection
+    # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations:
+    #
+    # annotations:
+    #   apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
+    #   apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
+    #
+    # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before
+    # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify:
+    # injectedAnnotations:
+    #   container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default
+    #   container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default
+    injectedAnnotations: {}
+
+    # This enables injection of sidecar in all namespaces,
+    # with the exception of namespaces with "istio-injection:disabled" annotation
+    # Only one environment should have this enabled.
+    enableNamespacesByDefault: false
+
+    # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run
+    # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten.
+    # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur.
+    reinvocationPolicy: Never
+
+    rewriteAppHTTPProbe: true
+
+    # Templates defines a set of custom injection templates that can be used. For example, defining:
+    #
+    # templates:
+    #   hello: |
+    #     metadata:
+    #       labels:
+    #         hello: world
+    #
+    # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod
+    # being injected with the hello=world labels.
+    # This is intended for advanced configuration only; most users should use the built in template
+    templates: {}
+
+    # Default templates specifies a set of default templates that are used in sidecar injection.
+    # By default, a template `sidecar` is always provided, which contains the template of default sidecar.
+    # To inject other additional templates, define it using the `templates` option, and add it to
+    # the default templates list.
+    # For example:
+    #
+    # templates:
+    #   hello: |
+    #     metadata:
+    #       labels:
+    #         hello: world
+    #
+    # defaultTemplates: ["sidecar", "hello"]
+    defaultTemplates: []
+  istiodRemote:
+    # If `true`, indicates that this cluster/install should consume a "remote istiod" installation,
+    # and istiod itself will NOT be installed in this cluster - only the support resources necessary
+    # to utilize a remote instance.
+    enabled: false
+    # Sidecar injector mutating webhook configuration clientConfig.url value.
+    # For example: https://$remotePilotAddress:15017/inject
+    # The host should not refer to a service running in the cluster; use a service reference by specifying
+    # the clientConfig.service field instead.
+    injectionURL: ""
+
+    # Sidecar injector mutating webhook configuration path value for the clientConfig.service field.
+    # Override to pass env variables, for example: /inject/cluster/remote/net/network2
+    injectionPath: "/inject/cluster/cluster2/net/network1"
+
+    injectionCABundle: ""
+  telemetry:
+    enabled: true
+    v2:
+      # For Null VM case now.
+      # This also enables metadata exchange.
+      enabled: true
+      # Indicate if prometheus stats filter is enabled or not
+      prometheus:
+        enabled: true
+      # stackdriver filter settings.
+      stackdriver:
+        enabled: false
+  # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
+  revision: ""
+
+  # Revision tags are aliases to Istio control plane revisions
+  revisionTags: []
+
+  # For Helm compatibility.
+  ownerName: ""
+
+  # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior
+  # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options
+  meshConfig:
+    enablePrometheusMerge: true
+
+  experimental:
+    stableValidationPolicy: false
+
+  global:
+    # Used to locate istiod.
+    istioNamespace: istio-system
+    # List of cert-signers to allow "approve" action in the istio cluster role
+    #
+    # certSigners:
+    #   - clusterissuers.cert-manager.io/istio-ca
+    certSigners: []
+    # enable pod disruption budget for the control plane, which is used to
+    # ensure Istio control plane components are gradually upgraded or recovered.
+    defaultPodDisruptionBudget:
+      enabled: true
+      # The values aren't mutable due to a current PodDisruptionBudget limitation
+      # minAvailable: 1
+
+    # A minimal set of requested resources to applied to all deployments so that
+    # Horizontal Pod Autoscaler will be able to function (if set).
+    # Each component can overwrite these default values by adding its own resources
+    # block in the relevant section below and setting the desired resources values.
+    defaultResources:
+      requests:
+        cpu: 10m
+      #   memory: 128Mi
+      # limits:
+      #   cpu: 100m
+      #   memory: 128Mi
+
+    # Default hub for Istio images.
+    # Releases are published to docker hub under 'istio' project.
+    # Dev builds from prow are on gcr.io
+    hub: docker.io/istio
+    # Default tag for Istio images.
+    tag: 1.25.0
+    # Variant of the image to use.
+    # Currently supported are: [debug, distroless]
+    variant: ""
+
+    # Specify image pull policy if default behavior isn't desired.
+    # Default behavior: latest images will be Always else IfNotPresent.
+    imagePullPolicy: ""
+
+    # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
+    # to use for pulling any images in pods that reference this ServiceAccount.
+    # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
+    # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
+    # Must be set for any cluster configured with private docker registry.
+    imagePullSecrets: []
+    # - private-registry-key
+
+    # Enabled by default in master for maximising testing.
+    istiod:
+      enableAnalysis: false
+
+    # To output all istio components logs in json format by adding --log_as_json argument to each container argument
+    logAsJson: false
+
+    # Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
+    # The control plane has different scopes depending on component, but can configure default log level across all components
+    # If empty, default scope and level will be used as configured in code
+    logging:
+      level: "default:info"
+
+    omitSidecarInjectorConfigMap: false
+
+    # Configure whether Operator manages webhook configurations. The current behavior
+    # of Istiod is to manage its own webhook configurations.
+    # When this option is set as true, Istio Operator, instead of webhooks, manages the
+    # webhook configurations. When this option is set as false, webhooks manage their
+    # own webhook configurations.
+    operatorManageWebhooks: false
+
+    # Custom DNS config for the pod to resolve names of services in other
+    # clusters. Use this to add additional search domains, and other settings.
+    # see
+    # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config
+    # This does not apply to gateway pods as they typically need a different
+    # set of DNS settings than the normal application pods (e.g., in
+    # multicluster scenarios).
+    # NOTE: If using templates, follow the pattern in the commented example below.
+    #podDNSSearchNamespaces:
+    #- global
+    #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"
+
+    # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
+    # system-node-critical, it is better to configure this in order to make sure your Istio pods
+    # will not be killed because of low priority class.
+    # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+    # for more detail.
+    priorityClassName: ""
+
+    proxy:
+      image: proxyv2
+
+      # This controls the 'policy' in the sidecar injector.
+      autoInject: enabled
+
+      # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
+      # cluster domain. Default value is "cluster.local".
+      clusterDomain: "cluster.local"
+
+      # Per Component log level for proxy, applies to gateways and sidecars. If a component level is
+      # not set, then the global "logLevel" will be used.
+      componentLogLevel: "misc:error"
+
+      # istio ingress capture allowlist
+      # examples:
+      #     Redirect only selected ports:            --includeInboundPorts="80,8080"
+      excludeInboundPorts: ""
+      includeInboundPorts: "*"
+
+      # istio egress capture allowlist
+      # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
+      # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
+      # would only capture egress traffic on those two IP Ranges, all other outbound traffic would
+      # be allowed by the sidecar
+      includeIPRanges: "*"
+      excludeIPRanges: ""
+      includeOutboundPorts: ""
+      excludeOutboundPorts: ""
+
+      # Log level for proxy, applies to gateways and sidecars.
+      # Expected values are: trace|debug|info|warning|error|critical|off
+      logLevel: warning
+
+      # Specify the path to the outlier event log.
+      # Example: /dev/stdout
+      outlierLogPath: ""
+
+      #If set to true, istio-proxy container will have privileged securityContext
+      privileged: false
+
+      # The number of successive failed probes before indicating readiness failure.
+      readinessFailureThreshold: 4
+
+      # The initial delay for readiness probes in seconds.
+      readinessInitialDelaySeconds: 0
+
+      # The period between readiness probes.
+      readinessPeriodSeconds: 15
+
+      # Enables or disables a startup probe.
+      # For optimal startup times, changing this should be tied to the readiness probe values.
+      #
+      # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4.
+      # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval),
+      # and doesn't spam the readiness endpoint too much
+      #
+      # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30.
+      # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly.
+      startupProbe:
+        enabled: true
+        failureThreshold: 600 # 10 minutes
+
+      # Resources for the sidecar.
+      resources:
+        requests:
+          cpu: 100m
+          memory: 128Mi
+        limits:
+          cpu: 2000m
+          memory: 1024Mi
+
+      # Default port for Pilot agent health checks. A value of 0 will disable health checking.
+      statusPort: 15020
+
+      # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none.
+      # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
+      tracer: "none"
+
+    proxy_init:
+      # Base name for the proxy_init container, used to configure iptables.
+      image: proxyv2
+      # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures.
+      # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases.
+      forceApplyIptables: false
+
+    # configure remote pilot and istiod service and endpoint
+    remotePilotAddress: "192.168.12.131"
+
+    ##############################################################################################
+    # The following values are found in other charts. To effectively modify these values, make   #
+    # make sure they are consistent across your Istio helm charts                                #
+    ##############################################################################################
+
+    # The customized CA address to retrieve certificates for the pods in the cluster.
+    # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
+    # If not set explicitly, default to the Istio discovery address.
+    caAddress: ""
+
+    # Enable control of remote clusters.
+    externalIstiod: false
+
+    # Configure a remote cluster as the config cluster for an external istiod.
+    configCluster: true
+
+    # configValidation enables the validation webhook for Istio configuration.
+    configValidation: true
+
+    # Mesh ID means Mesh Identifier. It should be unique within the scope where
+    # meshes will interact with each other, but it is not required to be
+    # globally/universally unique. For example, if any of the following are true,
+    # then two meshes must have different Mesh IDs:
+    # - Meshes will have their telemetry aggregated in one place
+    # - Meshes will be federated together
+    # - Policy will be written referencing one mesh from the other
+    #
+    # If an administrator expects that any of these conditions may become true in
+    # the future, they should ensure their meshes have different Mesh IDs
+    # assigned.
+    #
+    # Within a multicluster mesh, each cluster must be (manually or auto)
+    # configured to have the same Mesh ID value. If an existing cluster 'joins' a
+    # multicluster mesh, it will need to be migrated to the new mesh ID. Details
+    # of migration TBD, and it may be a disruptive operation to change the Mesh
+    # ID post-install.
+    #
+    # If the mesh admin does not specify a value, Istio will use the value of the
+    # mesh's Trust Domain. The best practice is to select a proper Trust Domain
+    # value.
+    meshID: ""
+
+    # Configure the mesh networks to be used by the Split Horizon EDS.
+    #
+    # The following example defines two networks with different endpoints association methods.
+    # For `network1` all endpoints that their IP belongs to the provided CIDR range will be
+    # mapped to network1. The gateway for this network example is specified by its public IP
+    # address and port.
+    # The second network, `network2`, in this example is defined differently with all endpoints
+    # retrieved through the specified Multi-Cluster registry being mapped to network2. The
+    # gateway is also defined differently with the name of the gateway service on the remote
+    # cluster. The public IP for the gateway will be determined from that remote service (only
+    # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service,
+    # it still need to be configured manually).
+    #
+    # meshNetworks:
+    #   network1:
+    #     endpoints:
+    #     - fromCidr: "192.168.0.1/24"
+    #     gateways:
+    #     - address: 1.1.1.1
+    #       port: 80
+    #   network2:
+    #     endpoints:
+    #     - fromRegistry: reg1
+    #     gateways:
+    #     - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
+    #       port: 443
+    #
+    meshNetworks: {}
+
+    # Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
+    mountMtlsCerts: false
+
+    multiCluster:
+      # Set to true to connect two kubernetes clusters via their respective
+      # ingressgateway services when pods in each cluster cannot directly
+      # talk to one another. All clusters should be using Istio mTLS and must
+      # have a shared root CA for this model to work.
+      enabled: false
+      # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
+      # to properly label proxies
+      clusterName: "dmz"
+
+    # Network defines the network this cluster belong to. This name
+    # corresponds to the networks in the map of mesh networks.
+    network: ""
+
+    # Configure the certificate provider for control plane communication.
+    # Currently, two providers are supported: "kubernetes" and "istiod".
+    # As some platforms may not have kubernetes signing APIs,
+    # Istiod is the default
+    pilotCertProvider: istiod
+
+    sds:
+      # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
+      # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the
+      # JWT is intended for the CA.
+      token:
+        aud: istio-ca
+
+    sts:
+      # The service port used by Security Token Service (STS) server to handle token exchange requests.
+      # Setting this port to a non-zero value enables STS server.
+      servicePort: 0
+
+    # The name of the CA for workload certificates.
+    # For example, when caName=GkeWorkloadCertificate, GKE workload certificates
+    # will be used as the certificates for workloads.
+    # The default value is "" and when caName="", the CA will be configured by other
+    # mechanisms (e.g., environmental variable CA_PROVIDER).
+    caName: ""
+
+    waypoint:
+      # Resources for the waypoint proxy.
+      resources:
+        requests:
+          cpu: 100m
+          memory: 128Mi
+        limits:
+          cpu: "2"
+          memory: 1Gi
+
+      # If specified, affinity defines the scheduling constraints of waypoint pods.
+      affinity: {}
+
+      # Topology Spread Constraints for the waypoint proxy.
+      topologySpreadConstraints: []
+
+      # Node labels for the waypoint proxy.
+      nodeSelector: {}
+
+      # Tolerations for the waypoint proxy.
+      tolerations: []
+
+  base:
+    # For istioctl usage to disable istio config crds in base
+    enableIstioConfigCRDs: true
+
+  # Gateway Settings
+  gateways:
+    # Define the security context for the pod.
+    # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
+    # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
+    securityContext: {}
+
+    # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it
+    seccompProfile: {}
+base:
+  profile: remote
+  global:
+    imagePullSecrets: []
+
+    istioNamespace: istio-system
+  base:
+    excludedCRDs: []
+    enableCRDTemplates: true
+
+    validationURL: ""
+    validationCABundle: ""
+
+    enableIstioConfigCRDs: true
+
+  defaultRevision: "default"
+  experimental:
+    stableValidationPolicy: false
+
+gateway:
+  # Name allows overriding the release name. Generally this should not be set
+  name: "istio-eastwestgateway"
+  # revision declares which revision this gateway is a part of
+  revision: ""
+
+  # Controls the spec.replicas setting for the Gateway deployment if set.
+  # Otherwise defaults to Kubernetes Deployment default (1).
+  replicaCount:
+
+  kind: Deployment
+
+  rbac:
+    # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed
+    # when using http://gateway-api.org/.
+    enabled: true
+
+  serviceAccount:
+    # If set, a service account will be created. Otherwise, the default is used
+    create: true
+    # Annotations to add to the service account
+    annotations: {}
+    # The name of the service account to use.
+    # If not set, the release name is used
+    name: ""
+
+  podAnnotations:
+    prometheus.io/port: "15020"
+    prometheus.io/scrape: "true"
+    prometheus.io/path: "/stats/prometheus"
+    inject.istio.io/templates: "gateway"
+    sidecar.istio.io/inject: "true"
+
+  # Define the security context for the pod.
+  # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
+  # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
+  securityContext: {}
+  containerSecurityContext: {}
+
+  service:
+    # Type of service. Set to "None" to disable the service entirely
+    type: LoadBalancer
+    ports:
+    - name: status-port
+      port: 15021
+      protocol: TCP
+      targetPort: 15021
+    - name: http2
+      port: 80
+      protocol: TCP
+      targetPort: 80
+    - name: https
+      port: 443
+      protocol: TCP
+      targetPort: 443
+    annotations: {}
+    loadBalancerIP: ""
+    loadBalancerSourceRanges: []
+    externalTrafficPolicy: ""
+    externalIPs: []
+    ipFamilyPolicy: ""
+    ipFamilies: []
+    ## Whether to automatically allocate NodePorts (only for LoadBalancers).
+    # allocateLoadBalancerNodePorts: false
+    ## Set LoadBalancer class (only for LoadBalancers).
+    # loadBalancerClass: ""
+
+  resources:
+    requests:
+      cpu: 100m
+      memory: 128Mi
+    limits:
+      cpu: 2000m
+      memory: 1024Mi
+
+  autoscaling:
+    enabled: true
+    minReplicas: 1
+    maxReplicas: 5
+    targetCPUUtilizationPercentage: 80
+    targetMemoryUtilizationPercentage: {}
+    autoscaleBehavior: {}
+
+  # Pod environment variables
+  env: {}
+
+  # Deployment Update strategy
+  strategy: {}
+  
+  # Sets the Deployment minReadySeconds value
+  minReadySeconds:
+  
+  # Optionally configure a custom readinessProbe. By default the control plane
+  # automatically injects the readinessProbe. If you wish to override that
+  # behavior, you may define your own readinessProbe here.
+  readinessProbe: {}
+
+  # Labels to apply to all resources
+  labels:
+    # By default, don't enroll gateways into the ambient dataplane
+    "istio.io/dataplane-mode": none
+
+  # Annotations to apply to all resources
+  annotations: {}
+
+  nodeSelector: {}
+
+  tolerations: []
+
+  topologySpreadConstraints: []
+
+  affinity: {}
+
+  # If specified, the gateway will act as a network gateway for the given network.
+  networkGateway: "network1"
+
+  # Specify image pull policy if default behavior isn't desired.
+  # Default behavior: latest images will be Always else IfNotPresent
+  imagePullPolicy: ""
+
+  imagePullSecrets: []
+
+  # This value is used to configure a Kubernetes PodDisruptionBudget for the gateway.
+  #
+  # By default, the `podDisruptionBudget` is disabled (set to `{}`),
+  # which means that no PodDisruptionBudget resource will be created.
+  #
+  # To enable the PodDisruptionBudget, configure it by specifying the
+  # `minAvailable` or `maxUnavailable`. For example, to set the
+  # minimum number of available replicas to 1, you can update this value as follows:
+  #
+  # podDisruptionBudget:
+  #   minAvailable: 1
+  #
+  # Or, to allow a maximum of 1 unavailable replica, you can set:
+  #
+  # podDisruptionBudget:
+  #   maxUnavailable: 1
+  #
+  # You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`.
+  # For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows:
+  #
+  # podDisruptionBudget:
+  #   minAvailable: 1
+  #   unhealthyPodEvictionPolicy: AlwaysAllow
+  #
+  # To disable the PodDisruptionBudget, you can leave it as an empty object `{}`:
+  #
+  # podDisruptionBudget: {}
+  #
+  podDisruptionBudget: {}
+
+  # Sets the per-pod terminationGracePeriodSeconds setting.
+  terminationGracePeriodSeconds: 30
+
+  # A list of `Volumes` added into the Gateway Pods. See
+  # https://kubernetes.io/docs/concepts/storage/volumes/.
+  volumes: []
+
+  # A list of `VolumeMounts` added into the Gateway Pods. See
+  # https://kubernetes.io/docs/concepts/storage/volumes/.
+  volumeMounts: []
+
+  # Configure this to a higher priority class in order to make sure your Istio gateway pods
+  # will not be killed because of low priority class.
+  # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
+  # for more detail.
+  priorityClassName: ""

dmz/metallb-system/Chart.yaml

@@ -0,0 +1,12 @@
+apiVersion: v2
+name: metallb-system
+description: A Helm chart for Kubernetes
+type: application
+
+version: 0.1.0
+appVersion: "1.16.0"
+
+dependencies:
+- name: metallb
+  repository: https://metallb.github.io/metallb
+  version: 0.14.9

dmz/metallb-system/templates/config.yaml

@@ -0,0 +1,17 @@
+apiVersion: metallb.io/v1beta1
+kind: IPAddressPool
+metadata:
+  name: cheap
+spec:
+  addresses:
+    - 192.168.98.130-192.168.98.140
+---
+apiVersion: metallb.io/v1beta1
+kind: L2Advertisement
+metadata:
+  name: pool
+  namespace: metallb-system
+spec:
+  ipAddressPools:
+  - cheap
+

dmz/terraform/k3s.tf

@@ -0,0 +1,115 @@
+resource "proxmox_vm_qemu" "k3smaster" {
+  count       = local.k3smaster.count
+  ciuser      = "administrator"
+  vmid        = "${local.vlan}${local.k3smaster.ip[count.index]}"
+  name        = local.k3smaster.name[count.index]
+  target_node = local.k3smaster.node[count.index]
+  clone       = local.template
+  tags        = local.k3smaster.tags
+  qemu_os     = "l26"
+  full_clone  = true
+  os_type     = "cloud-init"
+  agent       = 1
+  cores       = local.k3smaster.cores
+  sockets     = 1
+  cpu_type    = "host"
+  memory      = local.k3smaster.memory
+  scsihw      = "virtio-scsi-pci"
+  #bootdisk    = "scsi0"
+  boot    = "order=virtio0"
+  onboot  = true
+  sshkeys = local.sshkeys
+  vga {
+    type = "serial0"
+  }
+  serial {
+    id   = 0
+    type = "socket"
+  }
+  disks {
+    ide {
+      ide2 {
+        cloudinit {
+          storage = local.storage
+        }
+      }
+    }
+    virtio {
+      virtio0 {
+        disk {
+          size    = local.k3smaster.drive
+          format  = local.format
+          storage = local.storage
+        }
+      }
+    }
+  }
+  network {
+    id     = 0
+    model  = "virtio"
+    bridge = "vmbr0"
+    tag    = local.vlan
+  }
+  #Cloud Init Settings
+  ipconfig0    = "ip=192.168.${local.vlan}.${local.k3smaster.ip[count.index]}/24,gw=192.168.${local.vlan}.1"
+  searchdomain = "durp.loc"
+  nameserver   = local.dnsserver
+}
+
+resource "proxmox_vm_qemu" "k3sserver" {
+  count       = local.k3sserver.count
+  ciuser      = "administrator"
+  vmid        = "${local.vlan}${local.k3sserver.ip[count.index]}"
+  name        = local.k3sserver.name[count.index]
+  target_node = local.k3sserver.node[count.index]
+  clone       = local.template
+  tags        = local.k3sserver.tags
+  qemu_os     = "l26"
+  full_clone  = true
+  os_type     = "cloud-init"
+  agent       = 1
+  cores       = local.k3sserver.cores
+  sockets     = 1
+  cpu_type    = "host"
+  memory      = local.k3sserver.memory
+  scsihw      = "virtio-scsi-pci"
+  #bootdisk    = "scsi0"
+  boot    = "order=virtio0"
+  onboot  = true
+  sshkeys = local.sshkeys
+  vga {
+    type = "serial0"
+  }
+  serial {
+    id   = 0
+    type = "socket"
+  }
+  disks {
+    ide {
+      ide2 {
+        cloudinit {
+          storage = local.storage
+        }
+      }
+    }
+    virtio {
+      virtio0 {
+        disk {
+          size    = local.k3sserver.drive
+          format  = local.format
+          storage = local.storage
+        }
+      }
+    }
+  }
+  network {
+    id     = 0
+    model  = "virtio"
+    bridge = "vmbr0"
+    tag    = local.vlan
+  }
+  #Cloud Init Settings
+  ipconfig0    = "ip=192.168.${local.vlan}.${local.k3sserver.ip[count.index]}/24,gw=192.168.${local.vlan}.1"
+  searchdomain = "durp.loc"
+  nameserver   = local.dnsserver
+}

dmz/terraform/main.tf

@@ -0,0 +1,48 @@
+terraform {
+  backend "http" {}
+  required_providers {
+    proxmox = {
+      source  = "Telmate/proxmox"
+      version = "3.0.1-rc6"
+    }
+  }
+}
+
+provider "proxmox" {
+  pm_parallel     = 1
+  pm_tls_insecure = true
+  pm_api_url      = var.pm_api_url
+  pm_user         = var.pm_user
+  pm_password     = var.pm_password
+  pm_debug        = false
+}
+
+locals {
+  sshkeys    = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDEphzWgwUZnvL6E5luKLt3WO0HK7Kh63arSMoNl5gmjzXyhG1DDW0OKfoIl0T+JZw/ZjQ7iii6tmSLFRk6nuYCldqe5GVcFxvTzX4/xGEioAyG0IiUGKy6s+9xzO8QXF0EtSNPH0nfHNKcCjgwWAzM+Lt6gW0Vqs+aU5ICuDiEchmvYPz+rBaVldJVTG7m3ogKJ2aIF7HU/pCPp5l0E9gMOw7s0ABijuc3KXLEWCYgL39jIST6pFH9ceRLmu8Xy5zXHAkkEEauY/e6ld0hlzLadiUD7zYJMdDcm0oRvenYcUlaUl9gS0569IpfsJsjCejuqOxCKzTHPJDOT0f9TbIqPXkGq3s9oEJGpQW+Z8g41BqRpjBCdBk+yv39bzKxlwlumDwqgx1WP8xxKavAWYNqNRG7sBhoWwtxYEOhKXoLNjBaeDRnO5OY5AQJvONWpuByyz0R/gTh4bOFVD+Y8WWlKbT4zfhnN70XvapRsbZiaGhJBPwByAMGg6XxSbC6xtbyligVGCEjCXbTLkeKq1w0DuItY+FBGO3J2k90OiciTVSeyiVz9J/Y03UB0gHdsMCoVNrj+9QWfrTLDhM7D5YrXUt5nj2LQTcbtf49zoQXWxUhozlg42E/FJU/Yla7y55qWizAEVyP2/Ks/PHrF679k59HNd2IJ/aicA9QnmWtLQ== ansible"
+  template   = "Debian12-Template"
+  storage    = "cache-domains"
+  emulatessd = true
+  format     = "raw"
+  dnsserver  = "192.168.98.1"
+  vlan       = 98
+  k3smaster = {
+    tags   = "k3s_dmz"
+    count  = 3
+    name   = ["master01-dmz", "master02-dmz", "master03-dmz"]
+    cores  = 2
+    memory = "4096"
+    drive  = 20
+    node   = ["mothership", "overlord", "vanguard"]
+    ip     = ["11", "12", "13"]
+  }
+  k3sserver = {
+    tags   = "k3s_dmz"
+    count  = 3
+    name   = ["node01-dmz", "node02-dmz", "node03-dmz"]
+    cores  = 4
+    memory = "8192"
+    drive  = 240
+    node   = ["mothership", "overlord", "vanguard"]
+    ip     = ["21", "22", "23"]
+  }
+}

dmz/terraform/variables.tf

@@ -0,0 +1,14 @@
+variable "pm_api_url" {
+  description = "API URL to Proxmox provider"
+  type        = string
+}
+
+variable "pm_password" {
+  description = "Passowrd to Proxmox provider"
+  type        = string
+}
+
+variable "pm_user" {
+  description = "UIsername to Proxmox provider"
+  type        = string
+}

dmz/traefik/Chart.yaml

@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: traefik
   repository: https://traefik.github.io/charts
-  version: 22.1.0
+  version: 34.0.0

dmz/traefik/templates/config.yaml

@@ -0,0 +1,16 @@
+#apiVersion: v1
+#kind: ConfigMap
+#metadata:
+#  name: traefik-configmap
+#data:
+#  config.yml: |
+#    http:
+#      routers:
+#        router0:
+#          service: service0
+#          rule: Host(`testing.durp.info`)
+#      services:
+#        service0:
+#          loadBalancer:
+#            servers:
+#              - url: https://192.168.20.130

dmz/traefik/templates/middleware.yaml

@@ -0,0 +1,35 @@
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+    name: authentik-proxy-provider
+    namespace: traefik
+spec:
+  forwardAuth:
+    address: http://ak-outpost-dmz-embedded-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik?rd=$scheme://$http_host$request_uri
+    trustForwardHeader: true
+    authResponseHeaders:
+      - X-authentik-username
+      - X-authentik-groups
+      - X-authentik-email
+      - X-authentik-name
+      - X-authentik-uid
+      - X-authentik-jwt
+      - X-authentik-meta-jwks
+      - X-authentik-meta-outpost
+      - X-authentik-meta-provider
+      - X-authentik-meta-app
+      - X-authentik-meta-version
+
+---
+
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: whitelist
+  namespace: traefik
+spec:
+  ipWhiteList:
+    sourceRange:
+      - 192.168.0.0/16
+      - 172.16.0.0/12
+      - 10.0.0.0/8

dmz/traefik/templates/traefik-dashboard.yaml

@@ -0,0 +1,34 @@
+#apiVersion: traefik.io/v1alpha1
+#kind: IngressRoute
+#metadata:
+#  name: traefik-ingress
+#spec:
+#  entryPoints:
+#    - websecure
+#  routes:
+#  - match: Host(`traefik.durp.info`)
+#    kind: Rule
+#    services:
+#    - name: api@internal
+#      kind: TraefikService
+#  tls:
+#    secretName: traefik-tls  
+#
+#---
+#
+#apiVersion: cert-manager.io/v1
+#kind: Certificate
+#metadata:
+#  name: traefik-tls
+#  namespace: traefik
+#spec:
+#  secretName: traefik-tls
+#  issuerRef:
+#    name: letsencrypt-production
+#    kind: ClusterIssuer
+#  commonName: "traefik.durp.info"
+#  dnsNames:
+#  - "traefik.durp.info"
+#
+#---
+#

dmz/traefik/values.yaml

@@ -0,0 +1,59 @@
+traefik:
+  image: 
+    #    registry: registry.durp.info
+    #    repository: traefik
+    pullPolicy: Always
+  
+  providers:  
+    kubernetesCRD:
+      allowCrossNamespace: true
+      allowExternalNameServices: true
+      allowEmptyServices: false
+
+  deployment:
+    replicas: 3
+    revisionHistoryLimit: 1
+
+  # volumes:
+  #   - name: traefik-configmap
+  #     mountPath: "/config"
+  #     type: configMap
+  
+  ingressRoute:
+    dashboard:
+      enabled: true
+  
+  additionalArguments: 
+    #  - "--providers.file.filename=/config/config.yml"
+    - "--serversTransport.insecureSkipVerify=true"
+    - "--log.level=DEBUG"
+    - --experimental.plugins.jwt.moduleName=github.com/traefik-plugins/traefik-jwt-plugin
+    - --experimental.plugins.jwt.version=v0.7.0
+  
+  autoscaling:
+    enabled: true
+    minReplicas: 3
+    maxReplicas: 10
+    metrics:
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          type: Utilization
+          averageUtilization: 80
+    behavior:
+      scaleDown:
+        stabilizationWindowSeconds: 300
+        policies:
+        - type: Pods
+          value: 1
+          periodSeconds: 60
+  
+  
+  # -- [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for `traefik` container.
+  resources: 
+    requests:
+      cpu: "100m"
+      memory: "512Mi"
+    limits:
+      memory: "512Mi"

dmz/vault/Chart.yaml

@@ -8,5 +8,5 @@ appVersion: 0.0.1
 dependencies:
 - name: vault
   repository: https://helm.releases.hashicorp.com  
-  version: 0.27.0
+  version: 0.29.1
 

dmz/vault/templates/secret-store.yaml

@@ -0,0 +1,23 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+  name: vault
+spec:
+  provider:
+    vault:
+      server: "https://vault.infra.durp.info"
+      path: "kv"
+      version: "v2"
+      auth:
+        kubernetes:
+          mountPath: "dmz-cluster"
+          role: "external-secrets"
+          serviceAccountRef:
+            name: "vault"
+
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault

dmz/vault/values.yaml

@@ -0,0 +1,13 @@
+vault:
+  global:
+    enabled: true
+    tlsDisable: false
+    externalVaultAddr: "https://vault.infra.durp.info"
+    resources:
+      requests:
+        memory: 256Mi
+        cpu: 250m
+      limits:
+        memory: 256Mi
+        cpu: 250m
+  

gatekeeper/values.yaml

@@ -1,277 +0,0 @@
-gatekeeper:
-  replicas: 3
-  revisionHistoryLimit: 10
-  auditInterval: 60
-  metricsBackends: ["prometheus"]
-  auditMatchKindOnly: false
-  constraintViolationsLimit: 20
-  auditFromCache: false
-  disableMutation: false
-  disableValidatingWebhook: false
-  validatingWebhookName: gatekeeper-validating-webhook-configuration
-  validatingWebhookTimeoutSeconds: 3
-  validatingWebhookFailurePolicy: Ignore
-  validatingWebhookAnnotations: {}
-  validatingWebhookExemptNamespacesLabels: {}
-  validatingWebhookObjectSelector: {}
-  validatingWebhookCheckIgnoreFailurePolicy: Fail
-  validatingWebhookCustomRules: {}
-  validatingWebhookURL: null
-  enableDeleteOperations: false
-  enableExternalData: true
-  enableGeneratorResourceExpansion: true
-  enableTLSHealthcheck: false
-  maxServingThreads: -1
-  mutatingWebhookName: gatekeeper-mutating-webhook-configuration
-  mutatingWebhookFailurePolicy: Ignore
-  mutatingWebhookReinvocationPolicy: Never
-  mutatingWebhookAnnotations: {}
-  mutatingWebhookExemptNamespacesLabels: {}
-  mutatingWebhookObjectSelector: {}
-  mutatingWebhookTimeoutSeconds: 1
-  mutatingWebhookCustomRules: {}
-  mutatingWebhookURL: null
-  mutationAnnotations: false
-  auditChunkSize: 500
-  logLevel: INFO
-  logDenies: false
-  logMutations: false
-  emitAdmissionEvents: false
-  emitAuditEvents: false
-  admissionEventsInvolvedNamespace: false
-  auditEventsInvolvedNamespace: false
-  resourceQuota: true
-  externaldataProviderResponseCacheTTL: 3m
-  image:
-    repository: openpolicyagent/gatekeeper
-    crdRepository: openpolicyagent/gatekeeper-crds
-    release: v3.15.0-beta.0
-    pullPolicy: Always
-    pullSecrets: []
-  preInstall:
-    crdRepository:
-      image:
-        repository: null
-        tag: v3.15.0-beta.0
-  postUpgrade:
-    labelNamespace:
-      enabled: false
-      image:
-        repository: openpolicyagent/gatekeeper-crds
-        tag: v3.15.0-beta.0
-        pullPolicy: IfNotPresent
-        pullSecrets: []
-      extraNamespaces: []
-      podSecurity: ["pod-security.kubernetes.io/audit=restricted",
-        "pod-security.kubernetes.io/audit-version=latest",
-        "pod-security.kubernetes.io/warn=restricted",
-        "pod-security.kubernetes.io/warn-version=latest",
-        "pod-security.kubernetes.io/enforce=restricted",
-        "pod-security.kubernetes.io/enforce-version=v1.24"]
-      extraAnnotations: {}
-      priorityClassName: ""
-    affinity: {}
-    tolerations: []
-    nodeSelector: {kubernetes.io/os: linux}
-    resources: {}
-    securityContext:
-      allowPrivilegeEscalation: false
-      capabilities:
-        drop:
-        - ALL
-      readOnlyRootFilesystem: true
-      runAsGroup: 999
-      runAsNonRoot: true
-      runAsUser: 1000
-  postInstall:
-    labelNamespace:
-      enabled: true
-      extraRules: []
-      image:
-        repository: openpolicyagent/gatekeeper-crds
-        tag: v3.15.0-beta.0
-        pullPolicy: IfNotPresent
-        pullSecrets: []
-      extraNamespaces: []
-      podSecurity: ["pod-security.kubernetes.io/audit=restricted",
-        "pod-security.kubernetes.io/audit-version=latest",
-        "pod-security.kubernetes.io/warn=restricted",
-        "pod-security.kubernetes.io/warn-version=latest",
-        "pod-security.kubernetes.io/enforce=restricted",
-        "pod-security.kubernetes.io/enforce-version=v1.24"]
-      extraAnnotations: {}
-      priorityClassName: ""
-    probeWebhook:
-      enabled: true
-      image:
-        repository: curlimages/curl
-        tag: 7.83.1
-        pullPolicy: IfNotPresent
-        pullSecrets: []
-      waitTimeout: 60
-      httpTimeout: 2
-      insecureHTTPS: false
-      priorityClassName: ""
-    affinity: {}
-    tolerations: []
-    nodeSelector: {kubernetes.io/os: linux}
-    securityContext:
-      allowPrivilegeEscalation: false
-      capabilities:
-        drop:
-        - ALL
-      readOnlyRootFilesystem: true
-      runAsGroup: 999
-      runAsNonRoot: true
-      runAsUser: 1000
-  preUninstall:
-    deleteWebhookConfigurations:
-      extraRules: []
-      enabled: false
-      image:
-        repository: openpolicyagent/gatekeeper-crds
-        tag: v3.15.0-beta.0
-        pullPolicy: IfNotPresent
-        pullSecrets: []
-      priorityClassName: ""
-    affinity: {}
-    tolerations: []
-    nodeSelector: {kubernetes.io/os: linux}
-    resources: {}
-    securityContext:
-      allowPrivilegeEscalation: false
-      capabilities:
-        drop:
-        - ALL
-      readOnlyRootFilesystem: true
-      runAsGroup: 999
-      runAsNonRoot: true
-      runAsUser: 1000
-  podAnnotations: {}
-  auditPodAnnotations: {}
-  podLabels: {}
-  podCountLimit: "100"
-  secretAnnotations: {}
-  enableRuntimeDefaultSeccompProfile: true
-  controllerManager:
-    exemptNamespaces: []
-    exemptNamespacePrefixes: []
-    hostNetwork: false
-    dnsPolicy: ClusterFirst
-    port: 8443
-    metricsPort: 8888
-    healthPort: 9090
-    readinessTimeout: 1
-    livenessTimeout: 1
-    priorityClassName: system-cluster-critical
-    disableCertRotation: false
-    tlsMinVersion: 1.3
-    clientCertName: ""
-    strategyType: RollingUpdate
-    affinity:
-      podAntiAffinity:
-        preferredDuringSchedulingIgnoredDuringExecution:
-          - podAffinityTerm:
-              labelSelector:
-                matchExpressions:
-                  - key: gatekeeper.sh/operation
-                    operator: In
-                    values:
-                      - webhook
-              topologyKey: kubernetes.io/hostname
-            weight: 100
-    topologySpreadConstraints: []
-    tolerations: []
-    nodeSelector: {kubernetes.io/os: linux}
-    resources:
-      limits:
-        memory: 512Mi
-      requests:
-        cpu: 100m
-        memory: 512Mi
-    securityContext:
-      allowPrivilegeEscalation: false
-      capabilities:
-        drop:
-        - ALL
-      readOnlyRootFilesystem: true
-      runAsGroup: 999
-      runAsNonRoot: true
-      runAsUser: 1000
-    podSecurityContext:
-      fsGroup: 999
-      supplementalGroups:
-        - 999
-    extraRules: []
-    networkPolicy:
-      enabled: false
-      ingress: { }
-        # - from:
-        #   - ipBlock:
-        #       cidr: 0.0.0.0/0
-  audit:
-    enablePubsub: false
-    connection: audit-connection
-    channel: audit-channel
-    hostNetwork: false
-    dnsPolicy: ClusterFirst
-    metricsPort: 8888
-    healthPort: 9090
-    readinessTimeout: 1
-    livenessTimeout: 1
-    priorityClassName: system-cluster-critical
-    disableCertRotation: false
-    affinity: {}
-    tolerations: []
-    nodeSelector: {kubernetes.io/os: linux}
-    resources:
-      limits:
-        memory: 512Mi
-      requests:
-        cpu: 100m
-        memory: 512Mi
-    securityContext:
-      allowPrivilegeEscalation: false
-      capabilities:
-        drop:
-        - ALL
-      readOnlyRootFilesystem: true
-      runAsGroup: 999
-      runAsNonRoot: true
-      runAsUser: 1000
-    podSecurityContext:
-      fsGroup: 999
-      supplementalGroups:
-        - 999
-    writeToRAMDisk: false
-    extraRules: []
-  crds:
-    affinity: {}
-    tolerations: []
-    nodeSelector: {kubernetes.io/os: linux}
-    resources: {}
-    securityContext:
-      allowPrivilegeEscalation: false
-      capabilities:
-        drop:
-        - ALL
-      readOnlyRootFilesystem: true
-      runAsGroup: 65532
-      runAsNonRoot: true
-      runAsUser: 65532
-  pdb:
-    controllerManager:
-      minAvailable: 1
-  service: {}
-  disabledBuiltins: ["{http.send}"]
-  psp:
-    enabled: true
-  upgradeCRDs:
-    enabled: true
-    extraRules: []
-    priorityClassName: ""
-  rbac:
-    create: true
-  externalCertInjection:
-    enabled: false
-    secretName: gatekeeper-webhook-server-cert

infra/.gitlab/.gitlab-ci.yml

@@ -0,0 +1,95 @@
+stages:
+  - plan
+  - apply
+  - destroy
+
+variables:
+  WORKDIR: $CI_PROJECT_DIR/infra/terraform
+  GITLAB_TF_ADDRESS: ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/terraform/state/infra
+
+image:
+  name: registry.internal.durp.info/opentofu/opentofu:latest
+  entrypoint: [""]
+
+.tf-init:
+  before_script:
+    - cd $WORKDIR
+    - tofu init 
+      -reconfigure 
+      -backend-config="address=${GITLAB_TF_ADDRESS}" 
+      -backend-config="lock_address=${GITLAB_TF_ADDRESS}/lock" 
+      -backend-config="unlock_address=${GITLAB_TF_ADDRESS}/lock"
+      -backend-config="username=gitlab-ci-token" 
+      -backend-config="password=${CI_JOB_TOKEN}"
+      -backend-config="lock_method=POST"
+      -backend-config="unlock_method=DELETE"
+      -backend-config="retry_wait_min=5"
+
+format:
+  stage: .pre
+  allow_failure: false
+  script:
+    - cd $WORKDIR
+    - tofu fmt -diff -check -write=false
+  rules:
+    - changes:
+        - "infra/terraform/*.tf"
+
+validate:
+  stage: .pre
+  allow_failure: false
+  extends: .tf-init
+  script:
+    - tofu validate
+  rules:
+    - changes:
+        - "infra/terraform/*.tf"
+
+plan-infrastructure:
+  stage: plan
+  variables:
+    PLAN: plan.tfplan
+    JSON_PLAN_FILE: tfplan.json
+    ENVIRONMENT_NAME: infra
+  allow_failure: false
+  extends: .tf-init
+  script:
+    - apk add --update curl jq
+    - alias convert_report="jq -r '([.resource_changes[].change.actions?]|flatten)|{\"create\":(map(select(.==\"create\"))|length),\"update\":(map(select(.==\"update\"))|length),\"delete\":(map(select(.==\"delete\"))|length)}'"
+    - tofu plan -out=$PLAN $ARGUMENTS
+    - tofu show --json $PLAN | jq -r '([.resource_changes[].change.actions?]|flatten)|{"create":(map(select(.=="create"))|length),"update":(map(select(.=="update"))|length),"delete":(map(select(.=="delete"))|length)}' > $JSON_PLAN_FILE
+  artifacts:
+    reports:
+      terraform: $WORKDIR/$JSON_PLAN_FILE
+  needs: ["validate","format"]
+  rules:
+    - changes:
+        - "infra/terraform/*.tf"
+
+apply-infrastructure:
+  stage: apply
+  variables:
+    ENVIRONMENT_NAME: infra
+  allow_failure: false
+  extends: .tf-init
+  script:
+    - tofu apply -auto-approve $ARGUMENTS
+  rules:
+    - changes:
+        - "infra/terraform/*.tf"
+      when: manual
+  needs: ["plan-infrastructure"]
+
+destroy-infrastructure:
+  stage: destroy
+  variables:
+    ENVIRONMENT_NAME: infra
+  allow_failure: false
+  extends: .tf-init
+  script:
+    - tofu destroy -auto-approve $ARGUMENTS
+  rules:
+    - changes:
+        - "infra/terraform/*.tf"
+      when: manual
+  needs: ["plan-infrastructure"]

infra/argocd/Chart.yaml

@@ -0,0 +1,12 @@
+apiVersion: v2
+name: argocd
+description: A Helm chart for Kubernetes
+type: application
+
+version: 0.1.0
+appVersion: "1.16.0"
+
+dependencies:
+- name: argo-cd
+  repository: https://argoproj.github.io/argo-helm
+  version: 6.11.1

infra/argocd/templates/argocd.yaml

@@ -0,0 +1,79 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: argocd
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: main
+    path: infra/argocd
+  destination:
+    namespace: argocd
+    name: in-cluster
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+
+---
+
+#apiVersion: external-secrets.io/v1beta1
+#kind: ExternalSecret
+#metadata:
+#  name: vault-argocd
+#  labels:
+#    app.kubernetes.io/part-of: argocd
+#spec:
+#  secretStoreRef:
+#    name: vault
+#    kind: ClusterSecretStore
+#  target:
+#    name: client-secret
+#  data:
+#  - secretKey: clientSecret
+#    remoteRef:
+#      key: secrets/argocd/authentik
+#      property: clientsecret
+
+---
+
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: argocd-ingress
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-production
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`argocd.infra.durp.info`)
+      #middlewares:
+      #  - name: whitelist
+      #    namespace: traefik
+      kind: Rule
+      services:
+        - name: argocd-server
+          port: 443
+          scheme: https
+  tls:
+    secretName: argocd-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: argocd-tls
+spec:
+  secretName: argocd-tls
+  issuerRef:
+    name: vault-issuer
+    kind: ClusterIssuer
+  commonName: "argocd.infra.durp.info"
+  dnsNames:
+    - "argocd.infra.durp.info"

infra/argocd/templates/authentik.yaml

@@ -0,0 +1,47 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: authentik
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: main
+    path: infra/authentik
+  destination:
+    namespace: authentik
+    name: in-cluster
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        istio-injection: enabled
+    automated:
+      prune: true
+      selfHeal: true  
+    syncOptions:
+      - CreateNamespace=true 
+
+---
+
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: authentik-dmz
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: main
+    path: dmz/authentik
+  destination:
+    namespace: authentik
+    name: dmz
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true  
+    syncOptions:
+      - CreateNamespace=true 
+

infra/argocd/templates/cert-manager.yaml

@@ -0,0 +1,44 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: cert-manager
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: main
+    path: infra/cert-manager
+  destination:
+    namespace: cert-manager
+    name: in-cluster
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true  
+    syncOptions:
+      - CreateNamespace=true 
+
+---
+
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: cert-manager-dmz
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: main
+    path: dmz/cert-manager
+  destination:
+    namespace: cert-manager
+    name: dmz
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true  
+    syncOptions:
+      - CreateNamespace=true 
+

infra/argocd/templates/external-dns.yaml

@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: external-dns-dmz
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: main
+    path: dmz/external-dns
+  destination:
+    namespace: external-dns
+    name: dmz
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true  
+    syncOptions:
+      - CreateNamespace=true 
+

infra/argocd/templates/external-secrets.yaml

@@ -0,0 +1,44 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: external-secrets
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: main
+    path: infra/external-secrets
+  destination:
+    namespace: external-secrets
+    name: in-cluster
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true  
+    syncOptions:
+      - CreateNamespace=true 
+
+---
+
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: external-secrets-dmz
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: main
+    path: dmz/external-secrets
+  destination:
+    namespace: external-secrets
+    name: dmz
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true  
+    syncOptions:
+      - CreateNamespace=true 
+

infra/argocd/templates/gitlab-runner.yaml

@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: gitlab-runner-dmz
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: main
+    path: dmz/gitlab-runner
+  destination:
+    namespace: gitlab-runner
+    name: dmz
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true  
+    syncOptions:
+      - CreateNamespace=true 
+

infra/argocd/templates/internalproxy.yaml

@@ -1,20 +1,21 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: crossplane
+  name: internal-proxy
   namespace: argocd
 spec:
   project: default
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
     targetRevision: main
-    path: crossplane
+    path: dmz/internalproxy
   destination:
-    namespace: crossplane
-    name: in-cluster
+    namespace: internalproxy
+    name: dmz
   syncPolicy:
     automated:
       prune: true
       selfHeal: true  
     syncOptions:
       - CreateNamespace=true 
+

infra/argocd/templates/istio.yaml

@@ -0,0 +1,53 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: istio-system
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: main
+    path: infra/istio-system
+  destination:
+    namespace: istio-system
+    name: in-cluster
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true  
+    syncOptions:
+      - CreateNamespace=true 
+  ignoreDifferences:
+  - group: admissionregistration.k8s.io
+    kind: ValidatingWebhookConfiguration
+    jsonPointers:
+    - /webhooks/0/failurePolicy
+
+---
+
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: istio-system-dmz
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: main
+    path: dmz/istio-system
+  destination:
+    namespace: istio-system
+    name: dmz
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true  
+    syncOptions:
+      - CreateNamespace=true 
+  ignoreDifferences:
+  - group: admissionregistration.k8s.io
+    kind: ValidatingWebhookConfiguration
+    jsonPointers:
+    - /webhooks/0/failurePolicy

infra/argocd/templates/litellm.yaml

@@ -1,16 +1,16 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: argocd
+  name: litellm
   namespace: argocd
 spec:
   project: default
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
     targetRevision: main
-    path: argocd
+    path: infra/litellm
   destination:
-    namespace: argocd
+    namespace: litellm
     name: in-cluster
   syncPolicy:
     automated:

infra/argocd/templates/longhorn.yaml

@@ -8,7 +8,7 @@ spec:
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
     targetRevision: main
-    path: longhorn
+    path: infra/longhorn
   destination:
     namespace: longhorn-system
     name: in-cluster

infra/argocd/templates/metallb-system.yaml

@@ -0,0 +1,44 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: metallb-system
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: main
+    path: infra/metallb-system
+  destination:
+    namespace: metallb-system
+    name: in-cluster
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true  
+    syncOptions:
+      - CreateNamespace=true 
+
+---
+
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: metallb-system-dmz
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: main
+    path: dmz/metallb-system
+  destination:
+    namespace: metallb-system
+    name: dmz
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true  
+    syncOptions:
+      - CreateNamespace=true 
+

infra/argocd/templates/traefik.yaml

@@ -0,0 +1,50 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: traefik
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: main
+    path: infra/traefik
+  destination:
+    namespace: traefik
+    name: in-cluster
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        istio-injection: enabled
+    automated:
+      prune: true
+      selfHeal: true  
+    syncOptions:
+      - CreateNamespace=true 
+
+---
+
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: traefik-dmz
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: main
+    path: dmz/traefik
+  destination:
+    namespace: traefik
+    name: dmz
+  syncPolicy:
+    #    managedNamespaceMetadata:
+    #      labels:
+    #        istio-injection: enabled
+    automated:
+      prune: true
+      selfHeal: true  
+    syncOptions:
+      - CreateNamespace=true 
+

infra/argocd/templates/vault.yaml

@@ -0,0 +1,53 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: vault
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: main
+    path: infra/vault
+  destination:
+    namespace: vault
+    name: in-cluster
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true  
+    syncOptions:
+      - CreateNamespace=true 
+  ignoreDifferences:
+  - group: admissionregistration.k8s.io
+    kind: MutatingWebhookConfiguration
+    jqPathExpressions:
+    - .webhooks[]?.clientConfig.caBundle
+
+---
+
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: vault-dmz
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: main
+    path: dmz/vault
+  destination:
+    namespace: vault
+    name: dmz
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true  
+    syncOptions:
+      - CreateNamespace=true 
+  ignoreDifferences:
+  - group: admissionregistration.k8s.io
+    kind: MutatingWebhookConfiguration
+    jqPathExpressions:
+    - .webhooks[]?.clientConfig.caBundle

infra/argocd/values.yaml

@@ -0,0 +1,62 @@
+argo-cd:
+
+  global:
+    revisionHistoryLimit: 1
+    image:
+      repository: registry.durp.info/argoproj/argocd
+      imagePullPolicy: Always
+
+  server:
+    #extraArgs:
+    #  - --dex-server-plaintext
+    #  - --dex-server=argocd-dex-server:5556
+    # oidc.config: |
+    #   name: AzureAD
+    #   issuer: https://login.microsoftonline.com/TENANT_ID/v2.0
+    #   clientID: CLIENT_ID
+    #   clientSecret: $oidc.azuread.clientSecret
+    #   requestedIDTokenClaims:
+    #     groups:
+    #       essential: true
+    #   requestedScopes:
+    #     - openid
+    #     - profile
+    #     - email
+
+  dex:
+    enabled: true
+    image:
+      repository: registry.durp.info/dexidp/dex
+      imagePullPolicy: Always
+
+  configs:
+    cm:
+      create: true
+      annotations: {}
+      url: https://argocd.internal.durp.info
+      oidc.tls.insecure.skip.verify: "true"
+      dex.config: |
+        connectors:
+          - config:
+              issuer: https://authentik.durp.info/application/o/argocd/
+              clientID: dbb8ffc06104fb6e7fac3e4ae7fafb1d90437625
+              clientSecret: $client-secret:clientSecret
+              insecureEnableGroups: true
+              scopes:
+                - openid
+                - profile
+                - email
+                - groups
+            name: authentik
+            type: oidc
+            id: authentik
+
+    rbac:
+      create: true
+      policy.csv: |
+        g, ArgoCD Admins, role:admin
+      scopes: "[groups]"
+
+  server:
+    route: 
+      enabled: false

infra/authentik/Chart.yaml

@@ -9,4 +9,4 @@ appVersion: "1.16.0"
 dependencies:
 - name: authentik
   repository: https://charts.goauthentik.io
-  version: 2024.4.1
+  version: 2024.8.3

infra/authentik/templates/ingress.yaml

@@ -0,0 +1,31 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: authentik-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`authentik.durp.info`) && PathPrefix(`/`) 
+    kind: Rule
+    services:
+    - name: authentik-server
+      port: 80
+  tls:
+    secretName: authentik-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: authentik-tls
+spec:
+  secretName: authentik-tls
+  issuerRef:
+    name: vault-issuer
+    kind: ClusterIssuer
+  commonName: "authentik.durp.info"
+  dnsNames:
+  - "authentik.durp.info" 
+

infra/authentik/templates/secrets.yaml

@@ -0,0 +1,35 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: authentik-secret
+spec:
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: db-pass
+  data:
+  - secretKey: dbpass
+    remoteRef:
+      key: kv/authentik/database
+      property: dbpass
+  - secretKey: secretkey
+    remoteRef:
+      key: kv/authentik/database
+      property: secretkey     
+  - secretKey: postgresql-postgres-password 
+    remoteRef:
+      key: kv/authentik/database
+      property: dbpass
+  - secretKey: postgresql-password 
+    remoteRef:
+      key: kv/authentik/database
+      property: dbpass
+
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault
+

infra/authentik/values.yaml

@@ -13,11 +13,11 @@ authentik:
             key: secretkey
     revisionHistoryLimit: 1
     image:
-      repository: registry.internal.durp.info/goauthentik/server
+      repository: registry.durp.info/goauthentik/server
       pullPolicy: Always
   authentik:
     outposts:
-      container_image_base: registry.internal.durp.info/goauthentik/%(type)s:%(version)s
+      container_image_base: registry.durp.info/goauthentik/%(type)s:%(version)s
     postgresql:
       host: '{{ .Release.Name }}-postgresql-hl'
       name: "authentik"
@@ -26,10 +26,12 @@ authentik:
   server:
     name: server
     replicas: 3
+  worker:
+    replicas: 3
   postgresql:
     enabled: true
     image:
-      registry: registry.internal.durp.info
+      registry: registry.durp.info
       repository: bitnami/postgresql
       pullPolicy: Always
     postgresqlUsername: "authentik"
@@ -38,12 +40,16 @@ authentik:
     persistence:
       enabled: true
       storageClass: longhorn
+      size: 16Gi
       accessModes:
         - ReadWriteMany
   redis:
     enabled: true
+    master:
+      persistence:
+        enabled: false    
     image:
-      registry: registry.internal.durp.info
+      registry: registry.durp.info
       repository: bitnami/redis
       pullPolicy: Always
     architecture: standalone

infra/cert-manager/Chart.yaml

@@ -0,0 +1,11 @@
+apiVersion: v2
+name: cert-manager
+description: A Helm chart for Kubernetes
+type: application
+version: 0.0.1
+appVersion: 0.0.1
+
+dependencies:
+- name: cert-manager
+  repository: https://charts.jetstack.io
+  version: v1.16.3

infra/cert-manager/templates/issuer.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: issuer
+secrets:
+  - name:  issuer-token-lmzpj

infra/cert-manager/templates/secretvault.yaml

@@ -0,0 +1,23 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: cloudflare-api-token-secret
+spec:
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: cloudflare-api-token-secret
+  data:
+  - secretKey: cloudflare-api-token-secret
+    remoteRef:
+      key: kv/cert-manager
+      property: cloudflare-api-token-secret
+
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault
+

infra/cert-manager/values.yaml

@@ -0,0 +1,26 @@
+cert-manager:
+  crds:
+    enabled: true
+  image:
+    registry: registry.internal.durp.info
+    repository: jetstack/cert-manager-controller
+    pullPolicy: Always
+  replicaCount: 3
+  #extraArgs:
+  #  - --dns01-recursive-nameservers=1.1.1.1:53,1.0.0.1:53
+  #  - --dns01-recursive-nameservers-only
+  #podDnsPolicy: None
+  #podDnsConfig:
+  #  nameservers:
+  #    - "1.1.1.1"
+  #    - "1.0.0.1"
+  webhook:
+    image:
+      registry: registry.internal.durp.info
+      repository: jetstack/cert-manager-webhook
+      pullPolicy: Always  
+  cainjector:
+    image:
+      registry: registry.internal.durp.info
+      repository: jetstack/cert-manager-cainjector
+      pullPolicy: Always

infra/external-secrets/Chart.yaml

@@ -0,0 +1,11 @@
+apiVersion: v2
+name: external-secrets
+description: A Helm chart for Kubernetes
+type: application
+version: 0.0.1
+appVersion: 0.0.1
+
+dependencies:
+- name: external-secrets
+  repository: https://charts.external-secrets.io
+  version: 0.13.0

infra/external-secrets/templates/ca.yaml

@@ -0,0 +1,81 @@
+apiVersion: v1
+data:
+  vault.pem: |
+    -----BEGIN CERTIFICATE-----
+    MIIEszCCA5ugAwIBAgIUZEzzxqEuYiKHkL1df+Cb22NRRJMwDQYJKoZIhvcNAQEL
+    BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzIyMzQ0MloXDTM1MDEy
+    MTExMTU1NVowIDEeMBwGA1UEAxMVdmF1bHQuaW5mcmEuZHVycC5pbmZvMIIBIjAN
+    BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkZM0ue4bMcmmATs+kGYSpR2hLUzq
+    scGIwCtqmaKCMbd1xhmgjnIR3zvSRptLR2GVGvc1ti6qby0jXYvcqbxkHvay00zW
+    2zYN+M2m4lXpuWzg1t6NEoO6XGAsGj2v0vcVktPPU9uj0rGUVGWWfsvjoXqQFg5I
+    jdxsxK9SvMvw2XtE3FgKxpzCyw94InIHlcPwFTO+3ZdKStZlMbUDIkmszLBrWFcr
+    XOsPDfLxqMy0Ck//LKIt8djh3254FHB1GG5+kI+JSW1o+tUcL2NymvIINwm/2acS
+    1uTm+j9W7iEXav0pJNmm+/dzSskc3Y0ftM0h2HCXgitBIaEZnUVneNHOLwIDAQAB
+    o4IB7zCCAeswDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O
+    BBYEFCaQ2q7j7LyBGETEZ5qaJAdlISKCMB8GA1UdIwQYMBaAFO1jCyGkpFO+QiR2
+    dfBMWVYeWrQ2MIH0BggrBgEFBQcBAQSB5zCB5DAzBggrBgEFBQcwAYYnaHR0cHM6
+    Ly8xOTIuMTY4LjIwLjI1Mzo4MjAxL3YxL3BraS9vY3NwMD0GCCsGAQUFBzABhjFo
+    dHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3BraS9vY3Nw
+    MDEGCCsGAQUFBzAChiVodHRwczovLzE5Mi4xNjguMjAuMjUzOjgyMDEvdjEvcGtp
+    L2NhMDsGCCsGAQUFBzAChi9odHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVy
+    cC5pbmZvL3YxL3BraS9jYTAgBgNVHREEGTAXghV2YXVsdC5pbmZyYS5kdXJwLmlu
+    Zm8wbwYDVR0fBGgwZjAsoCqgKIYmaHR0cHM6Ly8xOTIuMTY4LjIwLjI1Mzo4MjAx
+    L3YxL3BraS9jcmwwNqA0oDKGMGh0dHBzOi8vcm9vdC12YXVsdC5pbnRlcm5hbC5k
+    dXJwLmluZm8vdjEvcGtpL2NybDANBgkqhkiG9w0BAQsFAAOCAQEAuJ+lplY/+A5L
+    5LzkljbKDTy3U6PLv1LtxqVCOFGiJXBnXMjtVW07bBEUadzFRNW8GHQ3w5QzOG6k
+    /vE/TrrJho7l05J/uc+BUrPSNjefLmQV6hn4jrP86PR0vzRfbSqKKBIID9M7+zi6
+    GFvHlVkSHsQyMQp7JOoax9KVzW2Y+OIgw7Lgw2tP122WCt2SIF0QenoZHsoW0guj
+    tzTJRmJDjn6XeJ7L3FPkf37H6ub0Jg3zBGr6eorEFfYZNN5CXezjqMFBpRdq4UIo
+    1M3A7o3uyZFcFsp/vGDcMBkwaCsBV9idu/HwkvGaTUNI285ilBORPD0bMZnACq/9
+    +Q/cdsO5lg==
+    -----END CERTIFICATE-----
+    -----BEGIN CERTIFICATE-----
+    MIIEmzCCA4OgAwIBAgIUQwCAs82sgSuiaVbjANHScO2DSfAwDQYJKoZIhvcNAQEL
+    BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzExMjEyNVoXDTM1MDEy
+    MTExMTU1NVowFDESMBAGA1UEAxMJZHVycC5pbmZvMIIBIjANBgkqhkiG9w0BAQEF
+    AAOCAQ8AMIIBCgKCAQEAn9fjGRqqFsqguz56X6cXZwEMtD9wElwSFCb4Fc8YTzlH
+    4fV13QwXKESLE/Q+7bw4y4FJQ8BiGNbxxbQOOgWhfGGlQyFa1lfhJtYLfqRN5C2/
+    S7nr0YxDB9duc4OAExVL6Pr4/Koc+vDZY03l7RzwnF2AOM9DjFTASw01TphCQjRk
+    U+upiN2TUhUPejV/gMR+zXM6pn98UBKG1dNubS0HzAMwAEXAPm141NDyWUCPT9+3
+    6P03Ka8mUTx3X49OCtvJEGEQbtlnTFQaOSkP1yLW+XRMHw3sQaV2PWXu5fInbEpZ
+    +SuzmgLOXtmQNmHLav9q1qeTVkpBGPWvfh2Vh1JJhQIDAQABo4IB4zCCAd8wDgYD
+    VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFJaP17f1Zw0V
+    55Ks9Uf0USVWl0BPMB8GA1UdIwQYMBaAFO1jCyGkpFO+QiR2dfBMWVYeWrQ2MIH0
+    BggrBgEFBQcBAQSB5zCB5DAzBggrBgEFBQcwAYYnaHR0cHM6Ly8xOTIuMTY4LjIw
+    LjI1Mzo4MjAxL3YxL3BraS9vY3NwMD0GCCsGAQUFBzABhjFodHRwczovL3Jvb3Qt
+    dmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3BraS9vY3NwMDEGCCsGAQUFBzAC
+    hiVodHRwczovLzE5Mi4xNjguMjAuMjUzOjgyMDEvdjEvcGtpL2NhMDsGCCsGAQUF
+    BzAChi9odHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3Br
+    aS9jYTAUBgNVHREEDTALgglkdXJwLmluZm8wbwYDVR0fBGgwZjAsoCqgKIYmaHR0
+    cHM6Ly8xOTIuMTY4LjIwLjI1Mzo4MjAxL3YxL3BraS9jcmwwNqA0oDKGMGh0dHBz
+    Oi8vcm9vdC12YXVsdC5pbnRlcm5hbC5kdXJwLmluZm8vdjEvcGtpL2NybDANBgkq
+    hkiG9w0BAQsFAAOCAQEAiqAZ4zNIEkCWcvpDRq0VyJuk59sVtJr5X4FscHQ179nE
+    QbbvMe+EBDFS6XQml1Elj8jiPa/D5O9Oc6Iisnm5+weZKwApz/lQ+XVkWLCoEplB
+    ZZ9fcWVCbMLt0xlt8qn5z/mYKfbCT7ZCqDO+prQZt+ADJcQbiknfroAAqEbNKxwN
+    Y9uUyOWNF3SxJEch4w2dtX+IEVmxeZnhMy8OuP0SQKl8aW40ugiG0ZD5yTBBfOD9
+    zsrGSU/iSatn0b7bevBhaL96hz1/rNR1cL+4/albX2hrr8Rv3/SB2DLtNQlQW0ls
+    AfhXAqP5zL+Ytgf1Of/pVdgnhxrYUY7RKCSGY5Hagw==
+    -----END CERTIFICATE-----
+    -----BEGIN CERTIFICATE-----
+    MIIDLzCCAhegAwIBAgIUNHdvOzam2HPVdwXpMHUy4wl8ZRYwDQYJKoZIhvcNAQEL
+    BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzExMTUyNVoXDTM1MDEy
+    MTExMTU1NVowFDESMBAGA1UEAxMJZHVycC5pbmZvMIIBIjANBgkqhkiG9w0BAQEF
+    AAOCAQ8AMIIBCgKCAQEA8XDTVEtRI3+k4yuvqVqfIiLRQJcXbmhfVtAeYk+5j9Ox
+    p1w9YHdnPLqLFrD1PzadjqYeAp/fwlEFfs6lqwoTS8S9vhaFqcgB57nVMb77dTBb
+    /08XHXOU6FPRjdFKm5QMpS7tn1XacPMy/o0bKqRREQeiuFDGVRyuF5PUgvWc1dvJ
+    l27JvvgYktgjfpNS4DlCxg4lGXT5abvaKf2hnr65egaIo/yRWN9wnvAzRiY7oci7
+    GA1oKz87Yc1tfL2gcynrwccOOCF/eUKesJR1I6GXNkN/a1fcr+Ld9Z9NhHBtO+vE
+    N8DsZY+kG7DE3M4BCCTFUzllcYHjaW4HaF9vZW+PYwIDAQABo3kwdzAOBgNVHQ8B
+    Af8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU7WMLIaSkU75CJHZ1
+    8ExZVh5atDYwHwYDVR0jBBgwFoAU7WMLIaSkU75CJHZ18ExZVh5atDYwFAYDVR0R
+    BA0wC4IJZHVycC5pbmZvMA0GCSqGSIb3DQEBCwUAA4IBAQAS/qUI/1Yv07xUTK5k
+    r93kC7GSPpmpkXIsfjChAl93sebN143fu70NUP74jjCc0Wkb8hRofGg10E+/24r1
+    AI0KsLhzKzfIASxUVQAn8RTptLruaaPLboSA4MUZ8IB5y8Vy8E3/KtD0gD80j64Y
+    rm9XGHA0HTJHbPUTb/Rux2g0E7WtiyWSWH8mqzbegU8IrkM3eVT4+ylBE7YkfWDD
+    dw44sB71tfmDKpzWg6XQ6YMh0YfnyG1fYCj9LhuecNY9Uuo6cjDaAvkzMewWwqDx
+    Q2Ekas98Di6itCP8vET+gBDjeCc+XR6Hx6vzWmxlZhwDuxEKL1a2/DabUxJyMNzv
+    55Fn
+    -----END CERTIFICATE-----
+kind: ConfigMap
+metadata:
+  name: ca-pemstore

infra/external-secrets/values.yaml

@@ -0,0 +1,70 @@
+external-secrets:
+  replicaCount: 3
+  revisionHistoryLimit: 1
+  leaderElect: true
+
+  installCRDs: true
+  crds:
+    createClusterExternalSecret: true
+    createClusterSecretStore: true
+    createClusterGenerator: true
+    createPushSecret: true
+    conversion:
+      enabled: false
+
+  image:
+    repository: registry.internal.durp.info/external-secrets/external-secrets
+    pullPolicy: Always
+
+  extraVolumes: 
+    - name: ca-pemstore
+      configMap:
+        name: ca-pemstore
+
+  extraVolumeMounts: 
+    - name: ca-pemstore
+      mountPath: /etc/ssl/certs/vault.pem
+      subPath: vault.pem
+      readOnly: true
+
+  resources: 
+    requests:
+      memory: 32Mi
+      cpu: 10m
+    limits:
+      memory: 32Mi
+      cpu: 10m
+
+  webhook:
+    log:
+      level: debug
+    image:
+      repository: registry.internal.durp.info/external-secrets/external-secrets
+      pullPolicy: Always
+
+    resources: 
+      requests:
+        memory: 32Mi
+        cpu: 10m
+      limits:
+        memory: 32Mi
+        cpu: 10m
+
+  certController:
+    create: false
+    revisionHistoryLimit: 1
+    log:
+      level: debug
+
+    image:
+      repository: registry.internal.durp.info/external-secrets/external-secrets
+      pullPolicy: Always
+      tag: ""
+
+    resources: 
+      requests:
+        memory: 32Mi
+        cpu: 10m
+      limits:
+        memory: 32Mi
+        cpu: 10m

infra/istio-system/Chart.yaml

@@ -0,0 +1,17 @@
+apiVersion: v2
+name: istio-system
+description: A Helm chart for Kubernetes
+type: application
+version: 0.0.1
+appVersion: 0.0.1
+
+dependencies:
+- name: base
+  repository: https://istio-release.storage.googleapis.com/charts
+  version: 1.25.0
+- name: istiod
+  repository: https://istio-release.storage.googleapis.com/charts
+  version: 1.25.0
+- name: gateway
+  repository: https://istio-release.storage.googleapis.com/charts
+  version: 1.25.0