Update Helm release gitlab-runner to v0.83.3

Revert "Merge branch 'renovate/authentik-2025.x' into 'main'"

See merge request developerdurp/homelab!50

.gitlab/.gitlab-ci.yml

@@ -1,3 +1,34 @@
-include:
-  - local: infra/.gitlab/.gitlab-ci.yml
-  - local: dmz/.gitlab/.gitlab-ci.yml
+stages:
+  - triggers
+
+build_dmz:
+  stage: triggers
+  trigger:
+    include: infra/.gitlab/.gitlab-ci.yml
+  rules:
+    - changes:
+        - "dmz/terraform/*.tf"
+
+build_infra:
+  stage: triggers
+  trigger:
+    include: infra/.gitlab/.gitlab-ci.yml
+  rules:
+    - changes:
+        - "infra/terraform/*.tf"
+
+build_dev:
+  stage: triggers
+  trigger:
+    include: dev/.gitlab/.gitlab-ci.yml
+  rules:
+    - changes:
+        - "dev/terraform/*.tf"
+
+build_prd:
+  stage: triggers
+  trigger:
+    include: prd/.gitlab/.gitlab-ci.yml
+  rules:
+    - changes:
+        - "prd/terraform/*.tf"

ansible/newcluster.yaml

@@ -0,0 +1,2 @@
+argocd login --insecure
+argocd cluster add default --name prd --yes --kubeconfig ~/Documents/config-prd

ansible/roles/base/files/01proxy

@@ -0,0 +1 @@
+Acquire::http::Proxy "http://192.168.21.200:3142";

ansible/roles/base/files/authorized_keys_user

@@ -1 +1,2 @@
-ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGhPVgL8gXdRTw0E2FvlOUoUI4vd794nB0nZVIsc+U5M
+sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAIGilcndatMrXg06VxtNKuIo3scoyyXbYX8Z7cOjeA102AAAABHNzaDo= desktop-arch-09-08-2025-yubikey
+sk-ssh-ed25519@openssh.com AAAAGnNrLXNzaC1lZDI1NTE5QG9wZW5zc2guY29tAAAAINsbNSZ5Wr+50Ahz+IeZxt6F7gZ6wm1J8uKXQLbdbKFaAAAABHNzaDo= desktop-arch-09-08-2025-yubikeyNano

ansible/roles/base/tasks/main.yaml

@@ -1,3 +1,15 @@
+- name: Copy apt proxy
+  copy: 
+    src: files/01proxy
+    dest: /etc/apt/apt.conf.d/01proxy
+    owner: root 
+    group: root 
+    mode: "0644"
+    force: yes
+  when: 
+    - ansible_os_family == "Debian"      
+    - inventory_hostname not in hosts_deny
+
 - name: Update packages
   apt:
     name: '*'

dev/.gitlab/.gitlab-ci.yml

@@ -0,0 +1,95 @@
+stages:
+  - plan
+  - apply
+  - destroy
+
+variables:
+  WORKDIR: $CI_PROJECT_DIR/dev/terraform
+  GITLAB_TF_ADDRESS: ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/terraform/state/dev
+
+image:
+  name: registry.durp.info/opentofu/opentofu:latest
+  entrypoint: [""]
+
+.tf-init:
+  before_script:
+    - cd $WORKDIR
+    - tofu init 
+      -reconfigure 
+      -backend-config="address=${GITLAB_TF_ADDRESS}" 
+      -backend-config="lock_address=${GITLAB_TF_ADDRESS}/lock" 
+      -backend-config="unlock_address=${GITLAB_TF_ADDRESS}/lock"
+      -backend-config="username=gitlab-ci-token" 
+      -backend-config="password=${CI_JOB_TOKEN}"
+      -backend-config="lock_method=POST"
+      -backend-config="unlock_method=DELETE"
+      -backend-config="retry_wait_min=5"
+
+format:
+  stage: .pre
+  allow_failure: false
+  script:
+    - cd $WORKDIR
+    - tofu fmt -diff -check -write=false
+  rules:
+    - changes:
+        - "dev/terraform/*.tf"
+
+validate:
+  stage: .pre
+  allow_failure: false
+  extends: .tf-init
+  script:
+    - tofu validate
+  rules:
+    - changes:
+        - "dev/terraform/*.tf"
+
+plan-dev-infrastructure:
+  stage: plan
+  variables:
+    PLAN: plan.tfplan
+    JSON_PLAN_FILE: tfplan.json
+    ENVIRONMENT_NAME: dev
+  allow_failure: false
+  extends: .tf-init
+  script:
+    - apk add --update curl jq
+    - alias convert_report="jq -r '([.resource_changes[].change.actions?]|flatten)|{\"create\":(map(select(.==\"create\"))|length),\"update\":(map(select(.==\"update\"))|length),\"delete\":(map(select(.==\"delete\"))|length)}'"
+    - tofu plan -out=$PLAN $ARGUMENTS
+    - tofu show --json $PLAN | jq -r '([.resource_changes[].change.actions?]|flatten)|{"create":(map(select(.=="create"))|length),"update":(map(select(.=="update"))|length),"delete":(map(select(.=="delete"))|length)}' > $JSON_PLAN_FILE
+  artifacts:
+    reports:
+      terraform: $WORKDIR/$JSON_PLAN_FILE
+  needs: ["validate","format"]
+  rules:
+    - changes:
+        - "dev/terraform/*.tf"
+
+apply-dev-infrastructure:
+  stage: apply
+  variables:
+    ENVIRONMENT_NAME: dev
+  allow_failure: false
+  extends: .tf-init
+  script:
+    - tofu apply -auto-approve $ARGUMENTS
+  rules:
+    - changes:
+        - "dev/terraform/*.tf"
+      when: manual
+  needs: ["plan-dev-infrastructure"]
+
+destroy-dev-infrastructure:
+  stage: destroy
+  variables:
+    ENVIRONMENT_NAME: dev
+  allow_failure: false
+  extends: .tf-init
+  script:
+    - tofu destroy -auto-approve $ARGUMENTS
+  rules:
+    - changes:
+        - "dev/terraform/*.tf"
+      when: manual
+  needs: ["plan-dev-infrastructure"]

dev/cert-manager/Chart.yaml

@@ -0,0 +1,11 @@
+apiVersion: v2
+name: cert-manager
+description: A Helm chart for Kubernetes
+type: application
+version: 0.0.1
+appVersion: 0.0.1
+
+dependencies:
+- name: cert-manager
+  repository: https://charts.jetstack.io
+  version: v1.17.2

dev/cert-manager/templates/issuer.yaml

@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: issuer
+secrets:
+  - name:  issuer-token-lmzpj
+
+---
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: issuer-token-lmzpj
+  annotations:
+    kubernetes.io/service-account.name: issuer
+type: kubernetes.io/service-account-token

dev/cert-manager/templates/secretvault.yaml

@@ -0,0 +1,22 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: cloudflare-api-token-secret
+spec:
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: cloudflare-api-token-secret
+  data:
+  - secretKey: cloudflare-api-token-secret
+    remoteRef:
+      key: kv/cert-manager
+      property: cloudflare-api-token-secret
+
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault

dev/cert-manager/values.yaml

@@ -0,0 +1,26 @@
+cert-manager:
+  crds:
+    enabled: true
+  image:
+    registry: registry.internal.durp.info
+    repository: jetstack/cert-manager-controller
+    pullPolicy: Always
+  replicaCount: 3
+  extraArgs:
+    - --dns01-recursive-nameservers=1.1.1.1:53,1.0.0.1:53
+    - --dns01-recursive-nameservers-only
+  podDnsPolicy: None
+  podDnsConfig:
+    nameservers:
+      - "1.1.1.1"
+      - "1.0.0.1"
+  webhook:
+    image:
+      registry: registry.internal.durp.info
+      repository: jetstack/cert-manager-webhook
+      pullPolicy: Always  
+  cainjector:
+    image:
+      registry: registry.internal.durp.info
+      repository: jetstack/cert-manager-cainjector
+      pullPolicy: Always

dev/external-dns/Chart.yaml

@@ -0,0 +1,12 @@
+
+apiVersion: v2
+name: external-dns
+description: A Helm chart for Kubernetes
+type: application
+version: 0.0.1
+appVersion: 0.0.1
+
+dependencies:
+- name: external-dns
+  repository: https://charts.bitnami.com/bitnami
+  version: 8.9.2

dev/external-dns/templates/secrets.yaml

@@ -0,0 +1,30 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: external-dns-secret
+spec:
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: external-dns
+  data:
+  - secretKey: cloudflare_api_email
+    remoteRef:
+      key: kv/cloudflare
+      property: cloudflare_api_email
+  - secretKey: cloudflare_api_key
+    remoteRef:
+      key: kv/cloudflare
+      property: cloudflare_api_key
+  - secretKey: cloudflare_api_token
+    remoteRef:
+      key: kv/cloudflare
+      property: cloudflare_api_token
+
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault

dev/external-dns/values.yaml

@@ -0,0 +1,18 @@
+external-dns:
+  global:
+    imageRegistry: "registry.durp.info"
+
+  image:
+    pullPolicy: Always
+
+  txtPrefix: "dmz-"
+
+  sources:
+    - service
+    
+  provider: cloudflare
+  cloudflare:
+    secretName : "external-dns"
+    proxied: false
+
+  policy: sync

dev/external-secrets/Chart.yaml

@@ -0,0 +1,11 @@
+apiVersion: v2
+name: external-secrets
+description: A Helm chart for Kubernetes
+type: application
+version: 0.0.1
+appVersion: 0.0.1
+
+dependencies:
+- name: external-secrets
+  repository: https://charts.external-secrets.io
+  version: 0.17.0

dev/external-secrets/templates/ca.yaml

@@ -0,0 +1,81 @@
+apiVersion: v1
+data:
+  vault.pem: |
+    -----BEGIN CERTIFICATE-----
+    MIIEszCCA5ugAwIBAgIUZEzzxqEuYiKHkL1df+Cb22NRRJMwDQYJKoZIhvcNAQEL
+    BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzIyMzQ0MloXDTM1MDEy
+    MTExMTU1NVowIDEeMBwGA1UEAxMVdmF1bHQuaW5mcmEuZHVycC5pbmZvMIIBIjAN
+    BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkZM0ue4bMcmmATs+kGYSpR2hLUzq
+    scGIwCtqmaKCMbd1xhmgjnIR3zvSRptLR2GVGvc1ti6qby0jXYvcqbxkHvay00zW
+    2zYN+M2m4lXpuWzg1t6NEoO6XGAsGj2v0vcVktPPU9uj0rGUVGWWfsvjoXqQFg5I
+    jdxsxK9SvMvw2XtE3FgKxpzCyw94InIHlcPwFTO+3ZdKStZlMbUDIkmszLBrWFcr
+    XOsPDfLxqMy0Ck//LKIt8djh3254FHB1GG5+kI+JSW1o+tUcL2NymvIINwm/2acS
+    1uTm+j9W7iEXav0pJNmm+/dzSskc3Y0ftM0h2HCXgitBIaEZnUVneNHOLwIDAQAB
+    o4IB7zCCAeswDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O
+    BBYEFCaQ2q7j7LyBGETEZ5qaJAdlISKCMB8GA1UdIwQYMBaAFO1jCyGkpFO+QiR2
+    dfBMWVYeWrQ2MIH0BggrBgEFBQcBAQSB5zCB5DAzBggrBgEFBQcwAYYnaHR0cHM6
+    Ly8xOTIuMTY4LjIwLjI1Mzo4MjAxL3YxL3BraS9vY3NwMD0GCCsGAQUFBzABhjFo
+    dHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3BraS9vY3Nw
+    MDEGCCsGAQUFBzAChiVodHRwczovLzE5Mi4xNjguMjAuMjUzOjgyMDEvdjEvcGtp
+    L2NhMDsGCCsGAQUFBzAChi9odHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVy
+    cC5pbmZvL3YxL3BraS9jYTAgBgNVHREEGTAXghV2YXVsdC5pbmZyYS5kdXJwLmlu
+    Zm8wbwYDVR0fBGgwZjAsoCqgKIYmaHR0cHM6Ly8xOTIuMTY4LjIwLjI1Mzo4MjAx
+    L3YxL3BraS9jcmwwNqA0oDKGMGh0dHBzOi8vcm9vdC12YXVsdC5pbnRlcm5hbC5k
+    dXJwLmluZm8vdjEvcGtpL2NybDANBgkqhkiG9w0BAQsFAAOCAQEAuJ+lplY/+A5L
+    5LzkljbKDTy3U6PLv1LtxqVCOFGiJXBnXMjtVW07bBEUadzFRNW8GHQ3w5QzOG6k
+    /vE/TrrJho7l05J/uc+BUrPSNjefLmQV6hn4jrP86PR0vzRfbSqKKBIID9M7+zi6
+    GFvHlVkSHsQyMQp7JOoax9KVzW2Y+OIgw7Lgw2tP122WCt2SIF0QenoZHsoW0guj
+    tzTJRmJDjn6XeJ7L3FPkf37H6ub0Jg3zBGr6eorEFfYZNN5CXezjqMFBpRdq4UIo
+    1M3A7o3uyZFcFsp/vGDcMBkwaCsBV9idu/HwkvGaTUNI285ilBORPD0bMZnACq/9
+    +Q/cdsO5lg==
+    -----END CERTIFICATE-----
+    -----BEGIN CERTIFICATE-----
+    MIIEmzCCA4OgAwIBAgIUQwCAs82sgSuiaVbjANHScO2DSfAwDQYJKoZIhvcNAQEL
+    BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzExMjEyNVoXDTM1MDEy
+    MTExMTU1NVowFDESMBAGA1UEAxMJZHVycC5pbmZvMIIBIjANBgkqhkiG9w0BAQEF
+    AAOCAQ8AMIIBCgKCAQEAn9fjGRqqFsqguz56X6cXZwEMtD9wElwSFCb4Fc8YTzlH
+    4fV13QwXKESLE/Q+7bw4y4FJQ8BiGNbxxbQOOgWhfGGlQyFa1lfhJtYLfqRN5C2/
+    S7nr0YxDB9duc4OAExVL6Pr4/Koc+vDZY03l7RzwnF2AOM9DjFTASw01TphCQjRk
+    U+upiN2TUhUPejV/gMR+zXM6pn98UBKG1dNubS0HzAMwAEXAPm141NDyWUCPT9+3
+    6P03Ka8mUTx3X49OCtvJEGEQbtlnTFQaOSkP1yLW+XRMHw3sQaV2PWXu5fInbEpZ
+    +SuzmgLOXtmQNmHLav9q1qeTVkpBGPWvfh2Vh1JJhQIDAQABo4IB4zCCAd8wDgYD
+    VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFJaP17f1Zw0V
+    55Ks9Uf0USVWl0BPMB8GA1UdIwQYMBaAFO1jCyGkpFO+QiR2dfBMWVYeWrQ2MIH0
+    BggrBgEFBQcBAQSB5zCB5DAzBggrBgEFBQcwAYYnaHR0cHM6Ly8xOTIuMTY4LjIw
+    LjI1Mzo4MjAxL3YxL3BraS9vY3NwMD0GCCsGAQUFBzABhjFodHRwczovL3Jvb3Qt
+    dmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3BraS9vY3NwMDEGCCsGAQUFBzAC
+    hiVodHRwczovLzE5Mi4xNjguMjAuMjUzOjgyMDEvdjEvcGtpL2NhMDsGCCsGAQUF
+    BzAChi9odHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3Br
+    aS9jYTAUBgNVHREEDTALgglkdXJwLmluZm8wbwYDVR0fBGgwZjAsoCqgKIYmaHR0
+    cHM6Ly8xOTIuMTY4LjIwLjI1Mzo4MjAxL3YxL3BraS9jcmwwNqA0oDKGMGh0dHBz
+    Oi8vcm9vdC12YXVsdC5pbnRlcm5hbC5kdXJwLmluZm8vdjEvcGtpL2NybDANBgkq
+    hkiG9w0BAQsFAAOCAQEAiqAZ4zNIEkCWcvpDRq0VyJuk59sVtJr5X4FscHQ179nE
+    QbbvMe+EBDFS6XQml1Elj8jiPa/D5O9Oc6Iisnm5+weZKwApz/lQ+XVkWLCoEplB
+    ZZ9fcWVCbMLt0xlt8qn5z/mYKfbCT7ZCqDO+prQZt+ADJcQbiknfroAAqEbNKxwN
+    Y9uUyOWNF3SxJEch4w2dtX+IEVmxeZnhMy8OuP0SQKl8aW40ugiG0ZD5yTBBfOD9
+    zsrGSU/iSatn0b7bevBhaL96hz1/rNR1cL+4/albX2hrr8Rv3/SB2DLtNQlQW0ls
+    AfhXAqP5zL+Ytgf1Of/pVdgnhxrYUY7RKCSGY5Hagw==
+    -----END CERTIFICATE-----
+    -----BEGIN CERTIFICATE-----
+    MIIDLzCCAhegAwIBAgIUNHdvOzam2HPVdwXpMHUy4wl8ZRYwDQYJKoZIhvcNAQEL
+    BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzExMTUyNVoXDTM1MDEy
+    MTExMTU1NVowFDESMBAGA1UEAxMJZHVycC5pbmZvMIIBIjANBgkqhkiG9w0BAQEF
+    AAOCAQ8AMIIBCgKCAQEA8XDTVEtRI3+k4yuvqVqfIiLRQJcXbmhfVtAeYk+5j9Ox
+    p1w9YHdnPLqLFrD1PzadjqYeAp/fwlEFfs6lqwoTS8S9vhaFqcgB57nVMb77dTBb
+    /08XHXOU6FPRjdFKm5QMpS7tn1XacPMy/o0bKqRREQeiuFDGVRyuF5PUgvWc1dvJ
+    l27JvvgYktgjfpNS4DlCxg4lGXT5abvaKf2hnr65egaIo/yRWN9wnvAzRiY7oci7
+    GA1oKz87Yc1tfL2gcynrwccOOCF/eUKesJR1I6GXNkN/a1fcr+Ld9Z9NhHBtO+vE
+    N8DsZY+kG7DE3M4BCCTFUzllcYHjaW4HaF9vZW+PYwIDAQABo3kwdzAOBgNVHQ8B
+    Af8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU7WMLIaSkU75CJHZ1
+    8ExZVh5atDYwHwYDVR0jBBgwFoAU7WMLIaSkU75CJHZ18ExZVh5atDYwFAYDVR0R
+    BA0wC4IJZHVycC5pbmZvMA0GCSqGSIb3DQEBCwUAA4IBAQAS/qUI/1Yv07xUTK5k
+    r93kC7GSPpmpkXIsfjChAl93sebN143fu70NUP74jjCc0Wkb8hRofGg10E+/24r1
+    AI0KsLhzKzfIASxUVQAn8RTptLruaaPLboSA4MUZ8IB5y8Vy8E3/KtD0gD80j64Y
+    rm9XGHA0HTJHbPUTb/Rux2g0E7WtiyWSWH8mqzbegU8IrkM3eVT4+ylBE7YkfWDD
+    dw44sB71tfmDKpzWg6XQ6YMh0YfnyG1fYCj9LhuecNY9Uuo6cjDaAvkzMewWwqDx
+    Q2Ekas98Di6itCP8vET+gBDjeCc+XR6Hx6vzWmxlZhwDuxEKL1a2/DabUxJyMNzv
+    55Fn
+    -----END CERTIFICATE-----
+kind: ConfigMap
+metadata:
+  name: ca-pemstore

dev/external-secrets/values.yaml

@@ -0,0 +1,94 @@
+external-secrets:
+  replicaCount: 3
+  revisionHistoryLimit: 1
+  leaderElect: true
+
+  installCRDs: true
+  crds:
+    createClusterExternalSecret: true
+    createClusterSecretStore: true
+    createClusterGenerator: true
+    createPushSecret: true
+    conversion:
+      enabled: false
+
+  image:
+    repository: registry.durp.info/external-secrets/external-secrets
+    pullPolicy: Always
+
+  extraVolumes: 
+    - name: ca-pemstore
+      configMap:
+        name: ca-pemstore
+
+  extraVolumeMounts: 
+    - name: ca-pemstore
+      mountPath: /etc/ssl/certs/vault.pem
+      subPath: vault.pem
+      readOnly: true
+
+  resources: 
+    requests:
+      memory: 32Mi
+      cpu: 10m
+    limits:
+      memory: 32Mi
+      cpu: 10m
+
+  webhook:
+    create: false
+    failurePolicy: Ignore
+    log:
+      level: debug
+    image:
+      repository: registry.durp.info/external-secrets/external-secrets
+      pullPolicy: Always
+
+    extraVolumes: 
+      - name: ca-pemstore
+        configMap:
+          name: ca-pemstore
+
+    extraVolumeMounts: 
+      - name: ca-pemstore
+        mountPath: /etc/ssl/certs/vault.pem
+        subPath: vault.pem
+        readOnly: true
+
+    resources: 
+      requests:
+        memory: 32Mi
+        cpu: 10m
+      limits:
+        memory: 32Mi
+        cpu: 10m
+
+  certController:
+    create: false
+    revisionHistoryLimit: 1
+    log:
+      level: debug
+
+    image:
+      repository: registry.durp.info/external-secrets/external-secrets
+      pullPolicy: Always
+      tag: ""
+
+    resources: 
+      requests:
+        memory: 32Mi
+        cpu: 10m
+      limits:
+        memory: 32Mi
+        cpu: 10m
+
+    extraVolumes: 
+      - name: ca-pemstore
+        configMap:
+          name: ca-pemstore
+
+    extraVolumeMounts: 
+      - name: ca-pemstore
+        mountPath: /etc/ssl/certs/vault.pem
+        subPath: vault.pem
+        readOnly: true

dev/metallb-system/Chart.yaml

@@ -0,0 +1,12 @@
+apiVersion: v2
+name: metallb-system
+description: A Helm chart for Kubernetes
+type: application
+
+version: 0.1.0
+appVersion: "1.16.0"
+
+dependencies:
+- name: metallb
+  repository: https://metallb.github.io/metallb
+  version: 0.15.2

dev/metallb-system/templates/config.yaml

@@ -0,0 +1,17 @@
+apiVersion: metallb.io/v1beta1
+kind: IPAddressPool
+metadata:
+  name: cheap
+spec:
+  addresses:
+    - 192.168.10.130-192.168.10.140
+---
+apiVersion: metallb.io/v1beta1
+kind: L2Advertisement
+metadata:
+  name: pool
+  namespace: metallb-system
+spec:
+  ipAddressPools:
+  - cheap
+

dev/terraform/k3s.tf

@@ -0,0 +1,115 @@
+resource "proxmox_vm_qemu" "k3smaster" {
+  count       = local.k3smaster.count
+  ciuser      = "administrator"
+  vmid        = "${local.vlan}${local.k3smaster.ip[count.index]}"
+  name        = local.k3smaster.name[count.index]
+  target_node = local.k3smaster.node[count.index]
+  clone       = local.template
+  tags        = local.k3smaster.tags
+  qemu_os     = "l26"
+  full_clone  = true
+  os_type     = "cloud-init"
+  agent       = 1
+  cores       = local.k3smaster.cores
+  sockets     = 1
+  cpu_type    = "host"
+  memory      = local.k3smaster.memory
+  scsihw      = "virtio-scsi-pci"
+  #bootdisk    = "scsi0"
+  boot    = "order=virtio0"
+  onboot  = true
+  sshkeys = local.sshkeys
+  vga {
+    type = "serial0"
+  }
+  serial {
+    id   = 0
+    type = "socket"
+  }
+  disks {
+    ide {
+      ide2 {
+        cloudinit {
+          storage = local.k3smaster.storage
+        }
+      }
+    }
+    virtio {
+      virtio0 {
+        disk {
+          size    = local.k3smaster.drive
+          format  = local.format
+          storage = local.k3smaster.storage
+        }
+      }
+    }
+  }
+  network {
+    id     = 0
+    model  = "virtio"
+    bridge = "vmbr0"
+    tag    = local.vlan
+  }
+  #Cloud Init Settings
+  ipconfig0    = "ip=192.168.${local.vlan}.${local.k3smaster.ip[count.index]}/24,gw=192.168.${local.vlan}.1"
+  searchdomain = "durp.loc"
+  nameserver   = local.dnsserver
+}
+
+resource "proxmox_vm_qemu" "k3sserver" {
+  count       = local.k3sserver.count
+  ciuser      = "administrator"
+  vmid        = "${local.vlan}${local.k3sserver.ip[count.index]}"
+  name        = local.k3sserver.name[count.index]
+  target_node = local.k3sserver.node[count.index]
+  clone       = local.template
+  tags        = local.k3sserver.tags
+  qemu_os     = "l26"
+  full_clone  = true
+  os_type     = "cloud-init"
+  agent       = 1
+  cores       = local.k3sserver.cores
+  sockets     = 1
+  cpu_type    = "host"
+  memory      = local.k3sserver.memory
+  scsihw      = "virtio-scsi-pci"
+  #bootdisk    = "scsi0"
+  boot    = "order=virtio0"
+  onboot  = true
+  sshkeys = local.sshkeys
+  vga {
+    type = "serial0"
+  }
+  serial {
+    id   = 0
+    type = "socket"
+  }
+  disks {
+    ide {
+      ide2 {
+        cloudinit {
+          storage = local.k3sserver.storage
+        }
+      }
+    }
+    virtio {
+      virtio0 {
+        disk {
+          size    = local.k3sserver.drive
+          format  = local.format
+          storage = local.k3sserver.storage
+        }
+      }
+    }
+  }
+  network {
+    id     = 0
+    model  = "virtio"
+    bridge = "vmbr0"
+    tag    = local.vlan
+  }
+  #Cloud Init Settings
+  ipconfig0    = "ip=192.168.${local.vlan}.${local.k3sserver.ip[count.index]}/24,gw=192.168.${local.vlan}.1"
+  searchdomain = "durp.loc"
+  nameserver   = local.dnsserver
+}

dev/terraform/main.tf

@@ -0,0 +1,48 @@
+terraform {
+  backend "http" {}
+  required_providers {
+    proxmox = {
+      source  = "Telmate/proxmox"
+      version = "3.0.1-rc9"
+    }
+  }
+}
+
+provider "proxmox" {
+  pm_parallel     = 1
+  pm_tls_insecure = true
+  pm_api_url      = var.pm_api_url
+  pm_user         = var.pm_user
+  pm_password     = var.pm_password
+  pm_debug        = false
+}
+
+locals {
+  sshkeys   = "ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAACAQDEphzWgwUZnvL6E5luKLt3WO0HK7Kh63arSMoNl5gmjzXyhG1DDW0OKfoIl0T+JZw/ZjQ7iii6tmSLFRk6nuYCldqe5GVcFxvTzX4/xGEioAyG0IiUGKy6s+9xzO8QXF0EtSNPH0nfHNKcCjgwWAzM+Lt6gW0Vqs+aU5ICuDiEchmvYPz+rBaVldJVTG7m3ogKJ2aIF7HU/pCPp5l0E9gMOw7s0ABijuc3KXLEWCYgL39jIST6pFH9ceRLmu8Xy5zXHAkkEEauY/e6ld0hlzLadiUD7zYJMdDcm0oRvenYcUlaUl9gS0569IpfsJsjCejuqOxCKzTHPJDOT0f9TbIqPXkGq3s9oEJGpQW+Z8g41BqRpjBCdBk+yv39bzKxlwlumDwqgx1WP8xxKavAWYNqNRG7sBhoWwtxYEOhKXoLNjBaeDRnO5OY5AQJvONWpuByyz0R/gTh4bOFVD+Y8WWlKbT4zfhnN70XvapRsbZiaGhJBPwByAMGg6XxSbC6xtbyligVGCEjCXbTLkeKq1w0DuItY+FBGO3J2k90OiciTVSeyiVz9J/Y03UB0gHdsMCoVNrj+9QWfrTLDhM7D5YrXUt5nj2LQTcbtf49zoQXWxUhozlg42E/FJU/Yla7y55qWizAEVyP2/Ks/PHrF679k59HNd2IJ/aicA9QnmWtLQ== ansible"
+  template  = "Debian12-Template"
+  format    = "raw"
+  dnsserver = "192.168.10.1"
+  vlan      = 10
+  k3smaster = {
+    tags    = "k3s_dev"
+    count   = 3
+    name    = ["master01-dev", "master02-dev", "master03-dev"]
+    cores   = 2
+    memory  = "4096"
+    drive   = 20
+    storage = "cache-domains"
+    node    = ["mothership", "overlord", "vanguard"]
+    ip      = ["11", "12", "13"]
+  }
+  k3sserver = {
+    tags    = "k3s_dev"
+    count   = 3
+    name    = ["node01-dev", "node02-dev", "node03-dev"]
+    cores   = 4
+    memory  = "8192"
+    drive   = 120
+    storage = "cache-domains"
+    node    = ["mothership", "overlord", "vanguard"]
+    ip      = ["21", "22", "23"]
+  }
+}

dev/terraform/variables.tf

@@ -0,0 +1,14 @@
+variable "pm_api_url" {
+  description = "API URL to Proxmox provider"
+  type        = string
+}
+
+variable "pm_password" {
+  description = "Passowrd to Proxmox provider"
+  type        = string
+}
+
+variable "pm_user" {
+  description = "Username to Proxmox provider"
+  type        = string
+}

dev/traefik/Chart.yaml

@@ -0,0 +1,11 @@
+apiVersion: v2
+name: traefik
+description: A Helm chart for Kubernetes
+type: application
+version: 0.0.1
+appVersion: 0.0.1
+
+dependencies:
+- name: traefik
+  repository: https://traefik.github.io/charts
+  version: 34.5.0

dev/traefik/values.yaml

@@ -0,0 +1,58 @@
+traefik:
+  image:
+    #    registry: registry.durp.info
+    #    repository: traefik
+    pullPolicy: Always
+
+  providers:
+    kubernetesCRD:
+      allowCrossNamespace: true
+      allowExternalNameServices: true
+      allowEmptyServices: false
+
+  deployment:
+    replicas: 3
+    revisionHistoryLimit: 1
+
+  # volumes:
+  #   - name: traefik-configmap
+  #     mountPath: "/config"
+  #     type: configMap
+
+  ingressRoute:
+    dashboard:
+      enabled: true
+
+  additionalArguments:
+    #  - "--providers.file.filename=/config/config.yml"
+    - "--serversTransport.insecureSkipVerify=true"
+    - "--log.level=DEBUG"
+    - --experimental.plugins.jwt.moduleName=github.com/traefik-plugins/traefik-jwt-plugin
+    - --experimental.plugins.jwt.version=v0.7.0
+
+  autoscaling:
+    enabled: true
+    minReplicas: 3
+    maxReplicas: 10
+    metrics:
+      - type: Resource
+        resource:
+          name: cpu
+          target:
+            type: Utilization
+            averageUtilization: 80
+    behavior:
+      scaleDown:
+        stabilizationWindowSeconds: 300
+        policies:
+          - type: Pods
+            value: 1
+            periodSeconds: 60
+
+  # -- [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for `traefik` container.
+  resources:
+    requests:
+      cpu: "100m"
+      memory: "512Mi"
+    limits:
+      memory: "512Mi"

dev/vault/Chart.yaml

@@ -0,0 +1,12 @@
+apiVersion: v2
+name: vault
+description: A Helm chart for Kubernetes
+type: application
+version: 0.0.1
+appVersion: 0.0.1
+
+dependencies:
+- name: vault
+  repository: https://helm.releases.hashicorp.com  
+  version: 0.30.0
+

dev/vault/templates/secret-store.yaml

@@ -0,0 +1,23 @@
+apiVersion: external-secrets.io/v1
+kind: ClusterSecretStore
+metadata:
+  name: vault
+spec:
+  provider:
+    vault:
+      server: "https://vault.infra.durp.info"
+      path: "kv"
+      version: "v2"
+      auth:
+        kubernetes:
+          mountPath: "dmz-cluster"
+          role: "external-secrets"
+          serviceAccountRef:
+            name: "vault"
+
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault

dev/vault/values.yaml

@@ -0,0 +1,13 @@
+vault:
+  global:
+    enabled: true
+    tlsDisable: false
+    externalVaultAddr: "https://vault.infra.durp.info"
+    resources:
+      requests:
+        memory: 256Mi
+        cpu: 250m
+      limits:
+        memory: 256Mi
+        cpu: 250m
+  

dmz/authentik/Chart.yaml

@@ -7,6 +7,6 @@ version: 0.1.0
 appVersion: "1.16.0"
 
 dependencies:
-- name: authentik-remote-cluster
+  - name: authentik-remote-cluster
     repository: https://charts.goauthentik.io
-  version: 2.0.0
+    version: 2.1.0

dmz/authentik/templates/ingress.yaml

@@ -0,0 +1,62 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: authentik-tls
+spec:
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  secretName: authentik-tls
+  commonName: "authentik.durp.info"
+  dnsNames:
+    - "authentik.durp.info"
+
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: authentik-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`authentik.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      services:
+        - name: infra-cluster
+          port: 443
+  tls:
+    secretName: authentik-tls
+
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: authentik-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: authentik.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info
+
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: infra-cluster
+subsets:
+  - addresses:
+      - ip: 192.168.12.130
+    ports:
+      - port: 443
+
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: infra-cluster
+spec:
+  ports:
+    - protocol: TCP
+      port: 443
+      targetPort: 443

dmz/cert-manager/Chart.yaml

@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: cert-manager
   repository: https://charts.jetstack.io
-  version: v1.16.3
+  version: v1.17.2

dmz/cert-manager/templates/secretvault.yaml

@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
   name: cloudflare-api-token-secret

dmz/cert-manager/values.yaml

@@ -2,7 +2,7 @@ cert-manager:
   crds:
     enabled: true
   image:
-    registry: registry.internal.durp.info
+    registry: registry.durp.info
     repository: jetstack/cert-manager-controller
     pullPolicy: Always
   replicaCount: 3
@@ -16,11 +16,16 @@ cert-manager:
       - "1.0.0.1"
   webhook:
     image:
-      registry: registry.internal.durp.info
+      registry: registry.durp.info
       repository: jetstack/cert-manager-webhook
       pullPolicy: Always  
   cainjector:
     image:
-      registry: registry.internal.durp.info
+      registry: registry.durp.info
       repository: jetstack/cert-manager-cainjector
       pullPolicy: Always
+
+  hostAliases: 
+  - ip: 192.168.12.130
+    hostnames:
+    - vault.infra.durp.info

dmz/crowdsec/Chart.yaml

@@ -0,0 +1,11 @@
+apiVersion: v2
+name: crowdsec
+description: A Helm chart for Kubernetes
+type: application
+version: 0.0.1
+appVersion: 0.0.1
+
+dependencies:
+  - name: crowdsec
+    repository: https://crowdsecurity.github.io/helm-charts
+    version: 0.19.4

dmz/crowdsec/templates/secrets.yaml

@@ -0,0 +1,29 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: enroll-key
+spec:
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: enroll-key
+  data:
+    - secretKey: ENROLL_INSTANCE_NAME
+      remoteRef:
+        key: kv/crowdsec/dmz-enroll
+        property: ENROLL_INSTANCE_NAME
+    - secretKey: ENROLL_KEY
+      remoteRef:
+        key: kv/crowdsec/dmz-enroll
+        property: ENROLL_KEY
+    - secretKey: ENROLL_TAGS
+      remoteRef:
+        key: kv/crowdsec/dmz-enroll
+        property: ENROLL_TAGS
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault

dmz/crowdsec/values.yaml

@@ -0,0 +1,24 @@
+crowdsec:
+  #
+  image:
+    repository: registry.durp.info/crowdsecurity/crowdsec
+    pullPolicy: Always
+
+  # for raw logs format: json or cri (docker|containerd)
+  container_runtime: containerd
+  agent:
+    # Specify each pod whose logs you want to process
+    acquisition:
+      # The namespace where the pod is located
+      - namespace: traefik
+        # The pod name
+        podName: traefik-*
+        # as in crowdsec configuration, we need to specify the program name to find a matching parser
+        program: traefik
+    env:
+      - name: COLLECTIONS
+        value: "crowdsecurity/traefik"
+  lapi:
+    envFrom:
+      - secretRef:
+          name: enroll-key

dmz/external-dns/Chart.yaml

@@ -9,4 +9,4 @@ appVersion: 0.0.1
 dependencies:
 - name: external-dns
   repository: https://charts.bitnami.com/bitnami
-  version: 8.3.8
+  version: 8.9.2

dmz/external-dns/templates/secrets.yaml

@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
   name: external-dns-secret

dmz/external-dns/values.yaml

@@ -1,6 +1,8 @@
 external-dns:
   global:
     imageRegistry: "registry.durp.info"
+    security:
+      allowInsecureImages: true
 
   image:
     pullPolicy: Always
@@ -12,7 +14,7 @@ external-dns:
 
   provider: cloudflare
   cloudflare:
-    secretName : "external-dns"
+    secretName: "external-dns"
     proxied: false
 
   policy: sync

dmz/external-secrets/Chart.yaml

@@ -6,6 +6,6 @@ version: 0.0.1
 appVersion: 0.0.1
 
 dependencies:
-- name: external-secrets
+  - name: external-secrets
     repository: https://charts.external-secrets.io
-  version: 0.13.0
+    version: 0.17.0

dmz/external-secrets/values.yaml

@@ -1,7 +1,13 @@
 external-secrets:
-  replicaCount: 3
+  global:
+    security:
+      allowInsecureImages: true
+
+  log:
+    level: debug
+  replicaCount: 1
   revisionHistoryLimit: 1
-  leaderElect: true
+  leaderElect: false
 
   installCRDs: true
   crds:
@@ -27,13 +33,13 @@ external-secrets:
       subPath: vault.pem
       readOnly: true
 
-  resources: 
-    requests:
-      memory: 32Mi
-      cpu: 10m
-    limits:
-      memory: 32Mi
-      cpu: 10m
+  #  resources:
+  #    requests:
+  #      memory: 32Mi
+  #      cpu: 10m
+  #    limits:
+  #      memory: 32Mi
+  #      cpu: 10m
 
   webhook:
     create: false
@@ -55,13 +61,13 @@ external-secrets:
         subPath: vault.pem
         readOnly: true
 
-    resources: 
-      requests:
-        memory: 32Mi
-        cpu: 10m
-      limits:
-        memory: 32Mi
-        cpu: 10m
+  #    resources:
+  #      requests:
+  #        memory: 32Mi
+  #        cpu: 10m
+  #      limits:
+  #        memory: 32Mi
+  #        cpu: 10m
 
   certController:
     create: false

dmz/gitlab-runner/Chart.yaml

@@ -8,8 +8,8 @@ appVersion: 0.0.1
 dependencies:
 - name: gitlab-runner
   repository: https://charts.gitlab.io/
-  version: 0.69.0
+  version: 0.83.3
 - name: gitlab-runner
   repository: https://charts.gitlab.io/
-  version: 0.69.0
+  version: 0.83.3
   alias: personal

dmz/gitlab-runner/templates/secrets.yaml

@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
   name: gitlab-secret
@@ -27,7 +27,7 @@ metadata:
 
 ---
 
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
   name: gitlab-secret-personal

dmz/internalproxy/templates/authentik.yaml

@@ -1,42 +1,40 @@
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: authentik-ingress
-spec:
-  entryPoints:
-    - websecure
-  routes:
-  - match: Host(`authentik.durp.info`) && PathPrefix(`/`) 
-    kind: Rule
-    services:
-    - name: infra-cluster
-      port: 443
-  tls:
-    secretName: authentik-tls
-
----
-
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: authentik-tls
-spec:
-  issuerRef:
-    name: letsencrypt-production
-    kind: ClusterIssuer
-  secretName: authentik-tls
-  commonName: "authentik.durp.info"
-  dnsNames:
-  - "authentik.durp.info"
-
----
-
-kind: Service
-apiVersion: v1
-metadata:
-  name: authentik-external-dns
-  annotations:
-    external-dns.alpha.kubernetes.io/hostname: authentik.durp.info
-spec:
-  type: ExternalName
-  externalName: durp.info
+#apiVersion: traefik.io/v1alpha1
+#kind: IngressRoute
+#metadata:
+#  name: authentik-ingress
+#spec:
+#  entryPoints:
+#    - websecure
+#  routes:
+#    - match: Host(`authentik.durp.info`) && PathPrefix(`/`)
+#      kind: Rule
+#      services:
+#        - name: infra-cluster
+#          port: 443
+#  tls:
+#    secretName: authentik-tls
+#
+#---
+#apiVersion: cert-manager.io/v1
+#kind: Certificate
+#metadata:
+#  name: authentik-tls
+#spec:
+#  issuerRef:
+#    name: letsencrypt-production
+#    kind: ClusterIssuer
+#  secretName: authentik-tls
+#  commonName: "authentik.durp.info"
+#  dnsNames:
+#    - "authentik.durp.info"
+#
+#---
+#kind: Service
+#apiVersion: v1
+#metadata:
+#  name: authentik-external-dns
+#  annotations:
+#    external-dns.alpha.kubernetes.io/hostname: authentik.durp.info
+#spec:
+#  type: ExternalName
+#  externalName: durp.info

dmz/internalproxy/templates/bitwarden.yaml

@@ -9,7 +9,7 @@ spec:
   - match: Host(`bitwarden.durp.info`) && PathPrefix(`/`) 
     kind: Rule
     services:
-    - name: master-cluster
+    - name: infra-cluster
       port: 443
   tls:
     secretName: bitwarden-tls

dmz/internalproxy/templates/gitlab.yaml

@@ -0,0 +1,68 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: gitlab
+spec:
+  ports:
+    - name: app
+      port: 9080
+      protocol: TCP
+      targetPort: 9080
+  clusterIP: None
+  type: ClusterIP
+
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: gitlab
+subsets:
+  - addresses:
+      - ip: 192.168.21.200
+    ports:
+      - name: app
+        port: 9080
+        protocol: TCP
+
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: gitlab-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`gitlab.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      services:
+        - name: gitlab
+          port: 9080
+          scheme: http
+  tls:
+    secretName: gitlab-tls
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: gitlab-tls
+spec:
+  secretName: gitlab-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "gitlab.durp.info"
+  dnsNames:
+    - "gitlab.durp.info"
+
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: gitlab-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: gitlab.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info

dmz/internalproxy/templates/grafana.yaml

@@ -0,0 +1,40 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: grafana-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`grafana.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      services:
+        - name: infra-cluster
+          port: 443
+  tls:
+    secretName: grafana-tls
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: grafana-tls
+spec:
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  secretName: grafana-tls
+  commonName: "grafana.durp.info"
+  dnsNames:
+    - "grafana.durp.info"
+
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: grafana-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: grafana.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info

dmz/internalproxy/templates/invidious.yaml

@@ -0,0 +1,74 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: invidious
+spec:
+  ports:
+  - name: app
+    port: 3000
+    protocol: TCP
+    targetPort: 3000
+  clusterIP: None
+  type: ClusterIP
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: invidious
+subsets:
+- addresses:
+  - ip: 192.168.20.104
+  ports:
+  - name: app
+    port: 3000
+    protocol: TCP
+
+---    
+
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: invidious-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`invidious.durp.info`) && PathPrefix(`/`)
+    middlewares:
+    - name: authentik-proxy-provider
+      namespace: traefik  
+    kind: Rule
+    services:
+    - name: invidious
+      port: 3000
+  tls:
+    secretName: invidious-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: invidious-tls
+spec:
+  secretName: invidious-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "invidious.durp.info"
+  dnsNames:
+  - "invidious.durp.info"  
+
+---
+
+kind: Service
+apiVersion: v1
+metadata:
+  name: invidious-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: invidious.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info

dmz/internalproxy/templates/litellm.yaml

@@ -0,0 +1,71 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: litellm
+spec:
+  ports:
+    - name: app
+      port: 4000
+      protocol: TCP
+      targetPort: 4000
+  clusterIP: None
+  type: ClusterIP
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: litellm
+subsets:
+  - addresses:
+      - ip: 192.168.20.104
+    ports:
+      - name: app
+        port: 4000
+        protocol: TCP
+
+---
+
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: litellm-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`litellm.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      services:
+        - name: litellm
+          port: 4000
+  tls:
+    secretName: litellm-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: litellm-tls
+spec:
+  secretName: litellm-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "litellm.durp.info"
+  dnsNames:
+    - "litellm.durp.info"
+
+---
+
+kind: Service
+apiVersion: v1
+metadata:
+  name: litellm-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: litellm.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info

dmz/internalproxy/templates/minio.yaml

@@ -0,0 +1,63 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: minio
+spec:
+  ports:
+    - name: app
+      port: 9769
+      protocol: TCP
+      targetPort: 9769
+  clusterIP: None
+  type: ClusterIP
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: minio
+subsets:
+  - addresses:
+      - ip: 192.168.21.200
+    ports:
+      - name: app
+        port: 9769
+        protocol: TCP
+
+---
+
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: minio-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`minio.internal.durp.info`) && PathPrefix(`/`)
+      middlewares:
+        - name: whitelist
+          namespace: traefik
+      kind: Rule
+      services:
+        - name: minio
+          port: 9769
+          scheme: http
+  tls:
+    secretName: minio-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: minio-tls
+spec:
+  secretName: minio-tls
+  issuerRef:
+    name: vault-issuer
+    kind: ClusterIssuer
+  commonName: "minio.internal.durp.info"
+  dnsNames:
+    - "minio.internal.durp.info"

dmz/internalproxy/templates/n8n.yaml

@@ -0,0 +1,68 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: n8n
+spec:
+  ports:
+    - name: app
+      port: 5678
+      protocol: TCP
+      targetPort: 5678
+  clusterIP: None
+  type: ClusterIP
+
+---
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: n8n
+subsets:
+  - addresses:
+      - ip: 192.168.21.200
+    ports:
+      - name: app
+        port: 5678
+        protocol: TCP
+
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: n8n-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`n8n.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      services:
+        - name: n8n
+          port: 5678
+          scheme: http
+  tls:
+    secretName: n8n-tls
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: n8n-tls
+spec:
+  secretName: n8n-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "n8n.durp.info"
+  dnsNames:
+    - "n8n.durp.info"
+
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: n8n-dns
+  annotations:
+    dns.alpha.kubernetes.io/hostname: n8n.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info

dmz/internalproxy/templates/octopus.yaml

@@ -0,0 +1,40 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: octopus-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`octopus.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      services:
+        - name: infra-cluster
+          port: 443
+  tls:
+    secretName: octopus-tls
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: octopus-tls
+spec:
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  secretName: octopus-tls
+  commonName: "octopus.durp.info"
+  dnsNames:
+    - "octopus.durp.info"
+
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: octopus-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: octopus.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info

dmz/internalproxy/templates/ollama.yaml

@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ExternalSecret
 metadata:
   name: ollama-secret

dmz/internalproxy/templates/open-webui.yaml

@@ -1,3 +1,32 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: open-webui
+spec:
+  ports:
+    - name: app
+      port: 8089
+      protocol: TCP
+      targetPort: 8089
+  clusterIP: None
+  type: ClusterIP
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: open-webui
+subsets:
+  - addresses:
+      - ip: 192.168.21.200
+    ports:
+      - name: app
+        port: 8089
+        protocol: TCP
+
+---
+
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
@@ -9,8 +38,9 @@ spec:
     - match: Host(`open-webui.durp.info`) && PathPrefix(`/`)
       kind: Rule
       services:
-    - name: master-cluster
-      port: 443
+        - name: open-webui
+          port: 8089
+          scheme: http
   tls:
     secretName: open-webui-tls
 

dmz/internalproxy/templates/portainer.yaml

@@ -36,13 +36,14 @@ spec:
     - websecure
   routes:
   - match: Host(`portainer.internal.durp.info`) && PathPrefix(`/`)
-    middlewares:
-    - name: whitelist
-      namespace: traefik
+      #middlewares:
+      #- name: whitelist
+      #  namespace: traefik
     kind: Rule
     services:
     - name: portainer
       port: 9443
+      scheme: https
   tls:
     secretName: portainer-tls
 

dmz/internalproxy/templates/redlib.yaml

@@ -1,74 +1,74 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: redlib
-spec:
-  ports:
-  - name: app
-    port: 8082
-    protocol: TCP
-    targetPort: 8082
-  clusterIP: None
-  type: ClusterIP
-
----
-
-apiVersion: v1
-kind: Endpoints
-metadata:
-  name: redlib
-subsets:
-- addresses:
-  - ip: 192.168.21.200
-  ports:
-  - name: app
-    port: 8082
-    protocol: TCP
-
----    
-
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: redlib-ingress
-spec:
-  entryPoints:
-    - websecure
-  routes:
-  - match: Host(`redlib.durp.info`) && PathPrefix(`/`)
-    middlewares:
-    - name: authentik-proxy-provider
-      namespace: traefik  
-    kind: Rule
-    services:
-    - name: redlib
-      port: 8082
-  tls:
-    secretName: redlib-tls
-
----
-
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: redlib-tls
-spec:
-  secretName: redlib-tls
-  issuerRef:
-    name: letsencrypt-production
-    kind: ClusterIssuer
-  commonName: "redlib.durp.info"
-  dnsNames:
-  - "redlib.durp.info"  
-
----
-
-kind: Service
-apiVersion: v1
-metadata:
-  name: redlib-external-dns
-  annotations:
-    external-dns.alpha.kubernetes.io/hostname: redlib.durp.info
-spec:
-  type: ExternalName
-  externalName: durp.info
+#apiVersion: v1
+#kind: Service
+#metadata:
+#  name: redlib
+#spec:
+#  ports:
+#  - name: app
+#    port: 8082
+#    protocol: TCP
+#    targetPort: 8082
+#  clusterIP: None
+#  type: ClusterIP
+#
+#---
+#
+#apiVersion: v1
+#kind: Endpoints
+#metadata:
+#  name: redlib
+#subsets:
+#- addresses:
+#  - ip: 192.168.21.200
+#  ports:
+#  - name: app
+#    port: 8082
+#    protocol: TCP
+#
+#---    
+#
+#apiVersion: traefik.io/v1alpha1
+#kind: IngressRoute
+#metadata:
+#  name: redlib-ingress
+#spec:
+#  entryPoints:
+#    - websecure
+#  routes:
+#  - match: Host(`redlib.durp.info`) && PathPrefix(`/`)
+#    middlewares:
+#    - name: authentik-proxy-provider
+#      namespace: traefik  
+#    kind: Rule
+#    services:
+#    - name: redlib
+#      port: 8082
+#  tls:
+#    secretName: redlib-tls
+#
+#---
+#
+#apiVersion: cert-manager.io/v1
+#kind: Certificate
+#metadata:
+#  name: redlib-tls
+#spec:
+#  secretName: redlib-tls
+#  issuerRef:
+#    name: letsencrypt-production
+#    kind: ClusterIssuer
+#  commonName: "redlib.durp.info"
+#  dnsNames:
+#  - "redlib.durp.info"  
+#
+#---
+#
+#kind: Service
+#apiVersion: v1
+#metadata:
+#  name: redlib-external-dns
+#  annotations:
+#    external-dns.alpha.kubernetes.io/hostname: redlib.durp.info
+#spec:
+#  type: ExternalName
+#  externalName: durp.info

dmz/internalproxy/templates/registry.yaml

@@ -12,13 +12,12 @@ spec:
   type: ClusterIP
 
 ---
-
 apiVersion: v1
 kind: Endpoints
 metadata:
   name: registry
 subsets:
-- addresses:
+  - addresses:
       - ip: 192.168.21.200
     ports:
       - name: app
@@ -26,7 +25,6 @@ subsets:
         protocol: TCP
 
 ---
-
 apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
@@ -37,6 +35,9 @@ spec:
   routes:
     - match: Host(`registry.durp.info`) && PathPrefix(`/`)
       kind: Rule
+      middlewares:
+        - name: whitelist
+          namespace: traefik
       services:
         - name: registry
           port: 5000
@@ -44,7 +45,6 @@ spec:
     secretName: registry-tls
 
 ---
-
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
@@ -59,13 +59,12 @@ spec:
     - "registry.durp.info"
 
 ---
-
-kind: Service
-apiVersion: v1
-metadata:
-  name: registry-external-dns
-  annotations:
-    external-dns.alpha.kubernetes.io/hostname: registry.durp.info
-spec:
-  type: ExternalName
-  externalName: durp.info
+#kind: Service
+#apiVersion: v1
+#metadata:
+#  name: registry-external-dns
+#  annotations:
+#    external-dns.alpha.kubernetes.io/hostname: registry.durp.info
+#spec:
+#  type: ExternalName
+#  externalName: durp.info

dmz/internalproxy/templates/s3.yaml

@@ -0,0 +1,109 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: s3
+spec:
+  ports:
+    - name: app
+      port: 9768
+      protocol: TCP
+      targetPort: 9768
+  clusterIP: None
+  type: ClusterIP
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: s3
+subsets:
+  - addresses:
+      - ip: 192.168.21.200
+    ports:
+      - name: app
+        port: 9768
+        protocol: TCP
+
+---
+
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: s3-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`s3.internal.durp.info`) && PathPrefix(`/`)
+      middlewares:
+        - name: whitelist
+          namespace: traefik
+      kind: Rule
+      services:
+        - name: s3
+          port: 9768
+          scheme: http
+  tls:
+    secretName: s3-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: s3-tls
+spec:
+  secretName: s3-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "s3.internal.durp.info"
+  dnsNames:
+    - "s3.internal.durp.info"
+
+---
+
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: s3-ingress-external
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`s3.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      services:
+        - name: s3
+          port: 9768
+          scheme: http
+  tls:
+    secretName: s3-external-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: s3-external-tls
+spec:
+  secretName: s3-external-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "s3.durp.info"
+  dnsNames:
+    - "s3.durp.info"
+
+---
+
+kind: Service
+apiVersion: v1
+metadata:
+  name: s3-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: s3.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info

dmz/internalproxy/templates/semaphore.yaml

@@ -0,0 +1,64 @@
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: semaphore
+spec:
+  ports:
+    - name: app
+      port: 3001
+      protocol: TCP
+      targetPort: 3001
+  clusterIP: None
+  type: ClusterIP
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: semaphore
+subsets:
+  - addresses:
+      - ip: 192.168.21.200
+    ports:
+      - name: app
+        port: 3001
+        protocol: TCP
+
+---
+
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: semaphore-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`semaphore.internal.durp.info`) && PathPrefix(`/`)
+      middlewares:
+        - name: whitelist
+          namespace: traefik
+      kind: Rule
+      services:
+        - name: semaphore
+          port: 3001
+          scheme: http
+  tls:
+    secretName: semaphore-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: semaphore-tls
+spec:
+  secretName: semaphore-tls
+  issuerRef:
+    name: vault-issuer
+    kind: ClusterIssuer
+  commonName: "semaphore.internal.durp.info"
+  dnsNames:
+    - "semaphore.internal.durp.info"

dmz/internalproxy/templates/speedtest.yaml

@@ -1,74 +1,74 @@
-apiVersion: v1
-kind: Service
-metadata:
-  name: speedtest
-spec:
-  ports:
-  - name: app
-    port: 6580
-    protocol: TCP
-    targetPort: 6580
-  clusterIP: None
-  type: ClusterIP
-
----
-
-apiVersion: v1
-kind: Endpoints
-metadata:
-  name: speedtest
-subsets:
-- addresses:
-  - ip: 192.168.21.200
-  ports:
-  - name: app
-    port: 6580
-    protocol: TCP
-
----    
-
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: speedtest-ingress
-spec:
-  entryPoints:
-    - websecure
-  routes:
-  - match: Host(`speedtest.durp.info`) && PathPrefix(`/`)
-    kind: Rule
-    middlewares:
-    - name: authentik-proxy-provider
-      namespace: traefik 
-    services:
-    - name: speedtest
-      port: 6580
-  tls:
-    secretName: speedtest-tls
-
----
-
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: speedtest-tls
-spec:
-  secretName: speedtest-tls
-  issuerRef:
-    name: letsencrypt-production
-    kind: ClusterIssuer
-  commonName: "speedtest.durp.info"
-  dnsNames:
-  - "speedtest.durp.info"  
-
----
-
-kind: Service
-apiVersion: v1
-metadata:
-  name: speedtest-external-dns
-  annotations:
-    external-dns.alpha.kubernetes.io/hostname: speedtest.durp.info
-spec:
-  type: ExternalName
-  externalName: durp.info
+#apiVersion: v1
+#kind: Service
+#metadata:
+#  name: speedtest
+#spec:
+#  ports:
+#  - name: app
+#    port: 6580
+#    protocol: TCP
+#    targetPort: 6580
+#  clusterIP: None
+#  type: ClusterIP
+#
+#---
+#
+#apiVersion: v1
+#kind: Endpoints
+#metadata:
+#  name: speedtest
+#subsets:
+#- addresses:
+#  - ip: 192.168.21.200
+#  ports:
+#  - name: app
+#    port: 6580
+#    protocol: TCP
+#
+#---    
+#
+#apiVersion: traefik.io/v1alpha1
+#kind: IngressRoute
+#metadata:
+#  name: speedtest-ingress
+#spec:
+#  entryPoints:
+#    - websecure
+#  routes:
+#  - match: Host(`speedtest.durp.info`) && PathPrefix(`/`)
+#    kind: Rule
+#    middlewares:
+#    - name: authentik-proxy-provider
+#      namespace: traefik 
+#    services:
+#    - name: speedtest
+#      port: 6580
+#  tls:
+#    secretName: speedtest-tls
+#
+#---
+#
+#apiVersion: cert-manager.io/v1
+#kind: Certificate
+#metadata:
+#  name: speedtest-tls
+#spec:
+#  secretName: speedtest-tls
+#  issuerRef:
+#    name: letsencrypt-production
+#    kind: ClusterIssuer
+#  commonName: "speedtest.durp.info"
+#  dnsNames:
+#  - "speedtest.durp.info"  
+#
+#---
+#
+#kind: Service
+#apiVersion: v1
+#metadata:
+#  name: speedtest-external-dns
+#  annotations:
+#    external-dns.alpha.kubernetes.io/hostname: speedtest.durp.info
+#spec:
+#  type: ExternalName
+#  externalName: durp.info

dmz/internalproxy/templates/unraid.yaml

@@ -0,0 +1,64 @@
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: unraid
+spec:
+  ports:
+    - name: app
+      port: 443
+      protocol: TCP
+      targetPort: 443
+  clusterIP: None
+  type: ClusterIP
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: unraid
+subsets:
+  - addresses:
+      - ip: 192.168.21.200
+    ports:
+      - name: app
+        port: 443
+        protocol: TCP
+
+---
+
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: unraid-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`unraid.internal.durp.info`) && PathPrefix(`/`)
+      middlewares:
+        - name: whitelist
+          namespace: traefik
+      kind: Rule
+      services:
+        - name: unraid
+          port: 443
+          scheme: https
+  tls:
+    secretName: unraid-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: unraid-tls
+spec:
+  secretName: unraid-tls
+  issuerRef:
+    name: vault-issuer
+    kind: ClusterIssuer
+  commonName: "unraid.internal.durp.info"
+  dnsNames:
+    - "unraid.internal.durp.info"

dmz/istio-system/Chart.yaml

@@ -6,12 +6,12 @@ version: 0.0.1
 appVersion: 0.0.1
 
 dependencies:
-- name: base
+  - name: base
     repository: https://istio-release.storage.googleapis.com/charts
-  version: 1.25.0
-- name: istiod
+    version: 1.26.2
+  - name: istiod
     repository: https://istio-release.storage.googleapis.com/charts
-  version: 1.25.0
-- name: gateway
+    version: 1.26.2
+  - name: gateway
     repository: https://istio-release.storage.googleapis.com/charts
-  version: 1.25.0
+    version: 1.26.2

dmz/istio-system/templates/annotate.yaml

@@ -1,13 +1,14 @@
-apiVersion: v1
-kind: Namespace
-metadata:
-  annotations:
-    topology.istio.io/controlPlaneClusters: cluster1
-  labels:
-    kubernetes.io/metadata.name: istio-system
-  name: istio-system
-spec:
-  finalizers:
-  - kubernetes
-status:
-  phase: Active
+#apiVersion: v1
+#kind: Namespace
+#metadata:
+#  annotations:
+#    topology.istio.io/controlPlaneClusters: cluster1
+#  labels:
+#    kubernetes.io/metadata.name: istio-system
+#  name: istio-system
+#spec:
+#  finalizers:
+#  - kubernetes
+#status:
+#  phase: Active
+#

dmz/istio-system/templates/expose.yaml

@@ -0,0 +1,16 @@
+apiVersion: networking.istio.io/v1
+kind: Gateway
+metadata:
+  name: cross-network-gateway
+spec:
+  selector:
+    istio: eastwestgateway
+  servers:
+    - port:
+        number: 15443
+        name: tls
+        protocol: TLS
+      tls:
+        mode: AUTO_PASSTHROUGH
+      hosts:
+        - "*.local"

dmz/istio-system/values.yaml

@@ -1,725 +1,10 @@
 istiod:
-  profile: remote
-  autoscaleEnabled: true
-  autoscaleMin: 1
-  autoscaleMax: 5
-  autoscaleBehavior: {}
-  replicaCount: 1
-  rollingMaxSurge: 100%
-  rollingMaxUnavailable: 25%
-
-  hub: ""
-  tag: ""
-  variant: ""
-
-  # Can be a full hub/image:tag
-  image: pilot
-  traceSampling: 1.0
-
-  # Resources for a small pilot install
-  resources:
-    requests:
-      cpu: 500m
-      memory: 2048Mi
-
-  # Set to `type: RuntimeDefault` to use the default profile if available.
-  seccompProfile: {}
-
-  # Whether to use an existing CNI installation
-  cni:
-    enabled: false
-    provider: default
-
-  # Additional container arguments
-  extraContainerArgs: []
-
-  env: {}
-
-  # Settings related to the untaint controller
-  # This controller will remove `cni.istio.io/not-ready` from nodes when the istio-cni pod becomes ready
-  # It should be noted that cluster operator/owner is responsible for having the taint set by their infrastructure provider when new nodes are added to the cluster; the untaint controller does not taint nodes
-  taint:
-    # Controls whether or not the untaint controller is active
-    enabled: false
-    # What namespace the untaint controller should watch for istio-cni pods. This is only required when istio-cni is running in a different namespace than istiod
-    namespace: ""
-
-  affinity: {}
-
-  tolerations: []
-
-  cpu:
-    targetAverageUtilization: 80
-  memory: {}
-    # targetAverageUtilization: 80
-
-  # Additional volumeMounts to the istiod container
-  volumeMounts: []
-
-  # Additional volumes to the istiod pod
-  volumes: []
-
-  # Inject initContainers into the istiod pod
-  initContainers: []
-
-  nodeSelector: {}
-  podAnnotations: {}
-  serviceAnnotations: {}
-  serviceAccountAnnotations: {}
-  sidecarInjectorWebhookAnnotations: {}
-
-  topologySpreadConstraints: []
-
-  # You can use jwksResolverExtraRootCA to provide a root certificate
-  # in PEM format. This will then be trusted by pilot when resolving
-  # JWKS URIs.
-  jwksResolverExtraRootCA: ""
-
-  # The following is used to limit how long a sidecar can be connected
-  # to a pilot. It balances out load across pilot instances at the cost of
-  # increasing system churn.
-  keepaliveMaxServerConnectionAge: 30m
-
-  # Additional labels to apply to the deployment.
-  deploymentLabels: {}
-
-  ## Mesh config settings
-
-  # Install the mesh config map, generated from values.yaml.
-  # If false, pilot wil use default values (by default) or user-supplied values.
-  configMap: true
-
-  # Additional labels to apply on the pod level for monitoring and logging configuration.
-  podLabels: {}
-
-  # Setup how istiod Service is configured. See https://kubernetes.io/docs/concepts/services-networking/dual-stack/#services
-  ipFamilyPolicy: ""
-  ipFamilies: []
-
-  # Ambient mode only.
-  # Set this if you install ztunnel to a different namespace from `istiod`.
-  # If set, `istiod` will allow connections from trusted node proxy ztunnels
-  # in the provided namespace.
-  # If unset, `istiod` will assume the trusted node proxy ztunnel resides
-  # in the same namespace as itself.
-  trustedZtunnelNamespace: ""
-
-  sidecarInjectorWebhook:
-    # You can use the field called alwaysInjectSelector and neverInjectSelector which will always inject the sidecar or
-    # always skip the injection on pods that match that label selector, regardless of the global policy.
-    # See https://istio.io/docs/setup/kubernetes/additional-setup/sidecar-injection/#more-control-adding-exceptions
-    neverInjectSelector: []
-    alwaysInjectSelector: []
-
-    # injectedAnnotations are additional annotations that will be added to the pod spec after injection
-    # This is primarily to support PSP annotations. For example, if you defined a PSP with the annotations:
-    #
-    # annotations:
-    #   apparmor.security.beta.kubernetes.io/allowedProfileNames: runtime/default
-    #   apparmor.security.beta.kubernetes.io/defaultProfileName: runtime/default
-    #
-    # The PSP controller would add corresponding annotations to the pod spec for each container. However, this happens before
-    # the inject adds additional containers, so we must specify them explicitly here. With the above example, we could specify:
-    # injectedAnnotations:
-    #   container.apparmor.security.beta.kubernetes.io/istio-init: runtime/default
-    #   container.apparmor.security.beta.kubernetes.io/istio-proxy: runtime/default
-    injectedAnnotations: {}
-
-    # This enables injection of sidecar in all namespaces,
-    # with the exception of namespaces with "istio-injection:disabled" annotation
-    # Only one environment should have this enabled.
-    enableNamespacesByDefault: false
-
-    # Mutations that occur after the sidecar injector are not handled by default, as the Istio sidecar injector is only run
-    # once. For example, an OPA sidecar injected after the Istio sidecar will not have it's liveness/readiness probes rewritten.
-    # Setting this to `IfNeeded` will result in the sidecar injector being run again if additional mutations occur.
-    reinvocationPolicy: Never
-
-    rewriteAppHTTPProbe: true
-
-    # Templates defines a set of custom injection templates that can be used. For example, defining:
-    #
-    # templates:
-    #   hello: |
-    #     metadata:
-    #       labels:
-    #         hello: world
-    #
-    # Then starting a pod with the `inject.istio.io/templates: hello` annotation, will result in the pod
-    # being injected with the hello=world labels.
-    # This is intended for advanced configuration only; most users should use the built in template
-    templates: {}
-
-    # Default templates specifies a set of default templates that are used in sidecar injection.
-    # By default, a template `sidecar` is always provided, which contains the template of default sidecar.
-    # To inject other additional templates, define it using the `templates` option, and add it to
-    # the default templates list.
-    # For example:
-    #
-    # templates:
-    #   hello: |
-    #     metadata:
-    #       labels:
-    #         hello: world
-    #
-    # defaultTemplates: ["sidecar", "hello"]
-    defaultTemplates: []
-  istiodRemote:
-    # If `true`, indicates that this cluster/install should consume a "remote istiod" installation,
-    # and istiod itself will NOT be installed in this cluster - only the support resources necessary
-    # to utilize a remote instance.
-    enabled: false
-    # Sidecar injector mutating webhook configuration clientConfig.url value.
-    # For example: https://$remotePilotAddress:15017/inject
-    # The host should not refer to a service running in the cluster; use a service reference by specifying
-    # the clientConfig.service field instead.
-    injectionURL: ""
-
-    # Sidecar injector mutating webhook configuration path value for the clientConfig.service field.
-    # Override to pass env variables, for example: /inject/cluster/remote/net/network2
-    injectionPath: "/inject/cluster/cluster2/net/network1"
-
-    injectionCABundle: ""
-  telemetry:
-    enabled: true
-    v2:
-      # For Null VM case now.
-      # This also enables metadata exchange.
-      enabled: true
-      # Indicate if prometheus stats filter is enabled or not
-      prometheus:
-        enabled: true
-      # stackdriver filter settings.
-      stackdriver:
-        enabled: false
-  # Revision is set as 'version' label and part of the resource names when installing multiple control planes.
-  revision: ""
-
-  # Revision tags are aliases to Istio control plane revisions
-  revisionTags: []
-
-  # For Helm compatibility.
-  ownerName: ""
-
-  # meshConfig defines runtime configuration of components, including Istiod and istio-agent behavior
-  # See https://istio.io/docs/reference/config/istio.mesh.v1alpha1/ for all available options
-  meshConfig:
-    enablePrometheusMerge: true
-
-  experimental:
-    stableValidationPolicy: false
-
   global:
-    # Used to locate istiod.
-    istioNamespace: istio-system
-    # List of cert-signers to allow "approve" action in the istio cluster role
-    #
-    # certSigners:
-    #   - clusterissuers.cert-manager.io/istio-ca
-    certSigners: []
-    # enable pod disruption budget for the control plane, which is used to
-    # ensure Istio control plane components are gradually upgraded or recovered.
-    defaultPodDisruptionBudget:
-      enabled: true
-      # The values aren't mutable due to a current PodDisruptionBudget limitation
-      # minAvailable: 1
-
-    # A minimal set of requested resources to applied to all deployments so that
-    # Horizontal Pod Autoscaler will be able to function (if set).
-    # Each component can overwrite these default values by adding its own resources
-    # block in the relevant section below and setting the desired resources values.
-    defaultResources:
-      requests:
-        cpu: 10m
-      #   memory: 128Mi
-      # limits:
-      #   cpu: 100m
-      #   memory: 128Mi
-
-    # Default hub for Istio images.
-    # Releases are published to docker hub under 'istio' project.
-    # Dev builds from prow are on gcr.io
-    hub: docker.io/istio
-    # Default tag for Istio images.
-    tag: 1.25.0
-    # Variant of the image to use.
-    # Currently supported are: [debug, distroless]
-    variant: ""
-
-    # Specify image pull policy if default behavior isn't desired.
-    # Default behavior: latest images will be Always else IfNotPresent.
-    imagePullPolicy: ""
-
-    # ImagePullSecrets for all ServiceAccount, list of secrets in the same namespace
-    # to use for pulling any images in pods that reference this ServiceAccount.
-    # For components that don't use ServiceAccounts (i.e. grafana, servicegraph, tracing)
-    # ImagePullSecrets will be added to the corresponding Deployment(StatefulSet) objects.
-    # Must be set for any cluster configured with private docker registry.
-    imagePullSecrets: []
-    # - private-registry-key
-
-    # Enabled by default in master for maximising testing.
-    istiod:
-      enableAnalysis: false
-
-    # To output all istio components logs in json format by adding --log_as_json argument to each container argument
-    logAsJson: false
-
-    # Comma-separated minimum per-scope logging level of messages to output, in the form of <scope>:<level>,<scope>:<level>
-    # The control plane has different scopes depending on component, but can configure default log level across all components
-    # If empty, default scope and level will be used as configured in code
-    logging:
-      level: "default:info"
-
-    omitSidecarInjectorConfigMap: false
-
-    # Configure whether Operator manages webhook configurations. The current behavior
-    # of Istiod is to manage its own webhook configurations.
-    # When this option is set as true, Istio Operator, instead of webhooks, manages the
-    # webhook configurations. When this option is set as false, webhooks manage their
-    # own webhook configurations.
-    operatorManageWebhooks: false
-
-    # Custom DNS config for the pod to resolve names of services in other
-    # clusters. Use this to add additional search domains, and other settings.
-    # see
-    # https://kubernetes.io/docs/concepts/services-networking/dns-pod-service/#dns-config
-    # This does not apply to gateway pods as they typically need a different
-    # set of DNS settings than the normal application pods (e.g., in
-    # multicluster scenarios).
-    # NOTE: If using templates, follow the pattern in the commented example below.
-    #podDNSSearchNamespaces:
-    #- global
-    #- "{{ valueOrDefault .DeploymentMeta.Namespace \"default\" }}.global"
-
-    # Kubernetes >=v1.11.0 will create two PriorityClass, including system-cluster-critical and
-    # system-node-critical, it is better to configure this in order to make sure your Istio pods
-    # will not be killed because of low priority class.
-    # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
-    # for more detail.
-    priorityClassName: ""
-
-    proxy:
-      image: proxyv2
-
-      # This controls the 'policy' in the sidecar injector.
-      autoInject: enabled
-
-      # CAUTION: It is important to ensure that all Istio helm charts specify the same clusterDomain value
-      # cluster domain. Default value is "cluster.local".
-      clusterDomain: "cluster.local"
-
-      # Per Component log level for proxy, applies to gateways and sidecars. If a component level is
-      # not set, then the global "logLevel" will be used.
-      componentLogLevel: "misc:error"
-
-      # istio ingress capture allowlist
-      # examples:
-      #     Redirect only selected ports:            --includeInboundPorts="80,8080"
-      excludeInboundPorts: ""
-      includeInboundPorts: "*"
-
-      # istio egress capture allowlist
-      # https://istio.io/docs/tasks/traffic-management/egress.html#calling-external-services-directly
-      # example: includeIPRanges: "172.30.0.0/16,172.20.0.0/16"
-      # would only capture egress traffic on those two IP Ranges, all other outbound traffic would
-      # be allowed by the sidecar
-      includeIPRanges: "*"
-      excludeIPRanges: ""
-      includeOutboundPorts: ""
-      excludeOutboundPorts: ""
-
-      # Log level for proxy, applies to gateways and sidecars.
-      # Expected values are: trace|debug|info|warning|error|critical|off
-      logLevel: warning
-
-      # Specify the path to the outlier event log.
-      # Example: /dev/stdout
-      outlierLogPath: ""
-
-      #If set to true, istio-proxy container will have privileged securityContext
-      privileged: false
-
-      # The number of successive failed probes before indicating readiness failure.
-      readinessFailureThreshold: 4
-
-      # The initial delay for readiness probes in seconds.
-      readinessInitialDelaySeconds: 0
-
-      # The period between readiness probes.
-      readinessPeriodSeconds: 15
-
-      # Enables or disables a startup probe.
-      # For optimal startup times, changing this should be tied to the readiness probe values.
-      #
-      # If the probe is enabled, it is recommended to have delay=0s,period=15s,failureThreshold=4.
-      # This ensures the pod is marked ready immediately after the startup probe passes (which has a 1s poll interval),
-      # and doesn't spam the readiness endpoint too much
-      #
-      # If the probe is disabled, it is recommended to have delay=1s,period=2s,failureThreshold=30.
-      # This ensures the startup is reasonable fast (polling every 2s). 1s delay is used since the startup is not often ready instantly.
-      startupProbe:
-        enabled: true
-        failureThreshold: 600 # 10 minutes
-
-      # Resources for the sidecar.
-      resources:
-        requests:
-          cpu: 100m
-          memory: 128Mi
-        limits:
-          cpu: 2000m
-          memory: 1024Mi
-
-      # Default port for Pilot agent health checks. A value of 0 will disable health checking.
-      statusPort: 15020
-
-      # Specify which tracer to use. One of: zipkin, lightstep, datadog, stackdriver, none.
-      # If using stackdriver tracer outside GCP, set env GOOGLE_APPLICATION_CREDENTIALS to the GCP credential file.
-      tracer: "none"
-
-    proxy_init:
-      # Base name for the proxy_init container, used to configure iptables.
-      image: proxyv2
-      # Bypasses iptables idempotency handling, and attempts to apply iptables rules regardless of table state, which may cause unrecoverable failures.
-      # Do not use unless you need to work around an issue of the idempotency handling. This flag will be removed in future releases.
-      forceApplyIptables: false
-
-    # configure remote pilot and istiod service and endpoint
-    remotePilotAddress: "192.168.12.131"
-
-    ##############################################################################################
-    # The following values are found in other charts. To effectively modify these values, make   #
-    # make sure they are consistent across your Istio helm charts                                #
-    ##############################################################################################
-
-    # The customized CA address to retrieve certificates for the pods in the cluster.
-    # CSR clients such as the Istio Agent and ingress gateways can use this to specify the CA endpoint.
-    # If not set explicitly, default to the Istio discovery address.
-    caAddress: ""
-
-    # Enable control of remote clusters.
-    externalIstiod: false
-
-    # Configure a remote cluster as the config cluster for an external istiod.
-    configCluster: true
-
-    # configValidation enables the validation webhook for Istio configuration.
-    configValidation: true
-
-    # Mesh ID means Mesh Identifier. It should be unique within the scope where
-    # meshes will interact with each other, but it is not required to be
-    # globally/universally unique. For example, if any of the following are true,
-    # then two meshes must have different Mesh IDs:
-    # - Meshes will have their telemetry aggregated in one place
-    # - Meshes will be federated together
-    # - Policy will be written referencing one mesh from the other
-    #
-    # If an administrator expects that any of these conditions may become true in
-    # the future, they should ensure their meshes have different Mesh IDs
-    # assigned.
-    #
-    # Within a multicluster mesh, each cluster must be (manually or auto)
-    # configured to have the same Mesh ID value. If an existing cluster 'joins' a
-    # multicluster mesh, it will need to be migrated to the new mesh ID. Details
-    # of migration TBD, and it may be a disruptive operation to change the Mesh
-    # ID post-install.
-    #
-    # If the mesh admin does not specify a value, Istio will use the value of the
-    # mesh's Trust Domain. The best practice is to select a proper Trust Domain
-    # value.
-    meshID: ""
-
-    # Configure the mesh networks to be used by the Split Horizon EDS.
-    #
-    # The following example defines two networks with different endpoints association methods.
-    # For `network1` all endpoints that their IP belongs to the provided CIDR range will be
-    # mapped to network1. The gateway for this network example is specified by its public IP
-    # address and port.
-    # The second network, `network2`, in this example is defined differently with all endpoints
-    # retrieved through the specified Multi-Cluster registry being mapped to network2. The
-    # gateway is also defined differently with the name of the gateway service on the remote
-    # cluster. The public IP for the gateway will be determined from that remote service (only
-    # LoadBalancer gateway service type is currently supported, for a NodePort type gateway service,
-    # it still need to be configured manually).
-    #
-    # meshNetworks:
-    #   network1:
-    #     endpoints:
-    #     - fromCidr: "192.168.0.1/24"
-    #     gateways:
-    #     - address: 1.1.1.1
-    #       port: 80
-    #   network2:
-    #     endpoints:
-    #     - fromRegistry: reg1
-    #     gateways:
-    #     - registryServiceName: istio-ingressgateway.istio-system.svc.cluster.local
-    #       port: 443
-    #
-    meshNetworks: {}
-
-    # Use the user-specified, secret volume mounted key and certs for Pilot and workloads.
-    mountMtlsCerts: false
-
+    network: network2
+    meshID: mesh1
     multiCluster:
-      # Set to true to connect two kubernetes clusters via their respective
-      # ingressgateway services when pods in each cluster cannot directly
-      # talk to one another. All clusters should be using Istio mTLS and must
-      # have a shared root CA for this model to work.
-      enabled: false
-      # Should be set to the name of the cluster this installation will run in. This is required for sidecar injection
-      # to properly label proxies
-      clusterName: "dmz"
-
-    # Network defines the network this cluster belong to. This name
-    # corresponds to the networks in the map of mesh networks.
-    network: ""
-
-    # Configure the certificate provider for control plane communication.
-    # Currently, two providers are supported: "kubernetes" and "istiod".
-    # As some platforms may not have kubernetes signing APIs,
-    # Istiod is the default
-    pilotCertProvider: istiod
-
-    sds:
-      # The JWT token for SDS and the aud field of such JWT. See RFC 7519, section 4.1.3.
-      # When a CSR is sent from Istio Agent to the CA (e.g. Istiod), this aud is to make sure the
-      # JWT is intended for the CA.
-      token:
-        aud: istio-ca
-
-    sts:
-      # The service port used by Security Token Service (STS) server to handle token exchange requests.
-      # Setting this port to a non-zero value enables STS server.
-      servicePort: 0
-
-    # The name of the CA for workload certificates.
-    # For example, when caName=GkeWorkloadCertificate, GKE workload certificates
-    # will be used as the certificates for workloads.
-    # The default value is "" and when caName="", the CA will be configured by other
-    # mechanisms (e.g., environmental variable CA_PROVIDER).
-    caName: ""
-
-    waypoint:
-      # Resources for the waypoint proxy.
-      resources:
-        requests:
-          cpu: 100m
-          memory: 128Mi
-        limits:
-          cpu: "2"
-          memory: 1Gi
-
-      # If specified, affinity defines the scheduling constraints of waypoint pods.
-      affinity: {}
-
-      # Topology Spread Constraints for the waypoint proxy.
-      topologySpreadConstraints: []
-
-      # Node labels for the waypoint proxy.
-      nodeSelector: {}
-
-      # Tolerations for the waypoint proxy.
-      tolerations: []
-
-  base:
-    # For istioctl usage to disable istio config crds in base
-    enableIstioConfigCRDs: true
-
-  # Gateway Settings
-  gateways:
-    # Define the security context for the pod.
-    # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
-    # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
-    securityContext: {}
-
-    # Set to `type: RuntimeDefault` to use the default profile for templated gateways, if your container runtime supports it
-    seccompProfile: {}
-base:
-  profile: remote
-  global:
-    imagePullSecrets: []
-
-    istioNamespace: istio-system
-  base:
-    excludedCRDs: []
-    enableCRDTemplates: true
-
-    validationURL: ""
-    validationCABundle: ""
-
-    enableIstioConfigCRDs: true
-
-  defaultRevision: "default"
-  experimental:
-    stableValidationPolicy: false
+      clusterName: dmz
 
 gateway:
-  # Name allows overriding the release name. Generally this should not be set
-  name: "istio-eastwestgateway"
-  # revision declares which revision this gateway is a part of
-  revision: ""
-
-  # Controls the spec.replicas setting for the Gateway deployment if set.
-  # Otherwise defaults to Kubernetes Deployment default (1).
-  replicaCount:
-
-  kind: Deployment
-
-  rbac:
-    # If enabled, roles will be created to enable accessing certificates from Gateways. This is not needed
-    # when using http://gateway-api.org/.
-    enabled: true
-
-  serviceAccount:
-    # If set, a service account will be created. Otherwise, the default is used
-    create: true
-    # Annotations to add to the service account
-    annotations: {}
-    # The name of the service account to use.
-    # If not set, the release name is used
-    name: ""
-
-  podAnnotations:
-    prometheus.io/port: "15020"
-    prometheus.io/scrape: "true"
-    prometheus.io/path: "/stats/prometheus"
-    inject.istio.io/templates: "gateway"
-    sidecar.istio.io/inject: "true"
-
-  # Define the security context for the pod.
-  # If unset, this will be automatically set to the minimum privileges required to bind to port 80 and 443.
-  # On Kubernetes 1.22+, this only requires the `net.ipv4.ip_unprivileged_port_start` sysctl.
-  securityContext: {}
-  containerSecurityContext: {}
-
-  service:
-    # Type of service. Set to "None" to disable the service entirely
-    type: LoadBalancer
-    ports:
-    - name: status-port
-      port: 15021
-      protocol: TCP
-      targetPort: 15021
-    - name: http2
-      port: 80
-      protocol: TCP
-      targetPort: 80
-    - name: https
-      port: 443
-      protocol: TCP
-      targetPort: 443
-    annotations: {}
-    loadBalancerIP: ""
-    loadBalancerSourceRanges: []
-    externalTrafficPolicy: ""
-    externalIPs: []
-    ipFamilyPolicy: ""
-    ipFamilies: []
-    ## Whether to automatically allocate NodePorts (only for LoadBalancers).
-    # allocateLoadBalancerNodePorts: false
-    ## Set LoadBalancer class (only for LoadBalancers).
-    # loadBalancerClass: ""
-
-  resources:
-    requests:
-      cpu: 100m
-      memory: 128Mi
-    limits:
-      cpu: 2000m
-      memory: 1024Mi
-
-  autoscaling:
-    enabled: true
-    minReplicas: 1
-    maxReplicas: 5
-    targetCPUUtilizationPercentage: 80
-    targetMemoryUtilizationPercentage: {}
-    autoscaleBehavior: {}
-
-  # Pod environment variables
-  env: {}
-
-  # Deployment Update strategy
-  strategy: {}
-  
-  # Sets the Deployment minReadySeconds value
-  minReadySeconds:
-  
-  # Optionally configure a custom readinessProbe. By default the control plane
-  # automatically injects the readinessProbe. If you wish to override that
-  # behavior, you may define your own readinessProbe here.
-  readinessProbe: {}
-
-  # Labels to apply to all resources
-  labels:
-    # By default, don't enroll gateways into the ambient dataplane
-    "istio.io/dataplane-mode": none
-
-  # Annotations to apply to all resources
-  annotations: {}
-
-  nodeSelector: {}
-
-  tolerations: []
-
-  topologySpreadConstraints: []
-
-  affinity: {}
-
-  # If specified, the gateway will act as a network gateway for the given network.
-  networkGateway: "network1"
-
-  # Specify image pull policy if default behavior isn't desired.
-  # Default behavior: latest images will be Always else IfNotPresent
-  imagePullPolicy: ""
-
-  imagePullSecrets: []
-
-  # This value is used to configure a Kubernetes PodDisruptionBudget for the gateway.
-  #
-  # By default, the `podDisruptionBudget` is disabled (set to `{}`),
-  # which means that no PodDisruptionBudget resource will be created.
-  #
-  # To enable the PodDisruptionBudget, configure it by specifying the
-  # `minAvailable` or `maxUnavailable`. For example, to set the
-  # minimum number of available replicas to 1, you can update this value as follows:
-  #
-  # podDisruptionBudget:
-  #   minAvailable: 1
-  #
-  # Or, to allow a maximum of 1 unavailable replica, you can set:
-  #
-  # podDisruptionBudget:
-  #   maxUnavailable: 1
-  #
-  # You can also specify the `unhealthyPodEvictionPolicy` field, and the valid values are `IfHealthyBudget` and `AlwaysAllow`.
-  # For example, to set the `unhealthyPodEvictionPolicy` to `AlwaysAllow`, you can update this value as follows:
-  #
-  # podDisruptionBudget:
-  #   minAvailable: 1
-  #   unhealthyPodEvictionPolicy: AlwaysAllow
-  #
-  # To disable the PodDisruptionBudget, you can leave it as an empty object `{}`:
-  #
-  # podDisruptionBudget: {}
-  #
-  podDisruptionBudget: {}
-
-  # Sets the per-pod terminationGracePeriodSeconds setting.
-  terminationGracePeriodSeconds: 30
-
-  # A list of `Volumes` added into the Gateway Pods. See
-  # https://kubernetes.io/docs/concepts/storage/volumes/.
-  volumes: []
-
-  # A list of `VolumeMounts` added into the Gateway Pods. See
-  # https://kubernetes.io/docs/concepts/storage/volumes/.
-  volumeMounts: []
-
-  # Configure this to a higher priority class in order to make sure your Istio gateway pods
-  # will not be killed because of low priority class.
-  # Refer to https://kubernetes.io/docs/concepts/configuration/pod-priority-preemption/#priorityclass
-  # for more detail.
-  priorityClassName: ""
+  name: istio-eastwestgateway
+  networkGateway: network2

dmz/littlelink/templates/deployment.yaml

@@ -0,0 +1,101 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  namespace: littlelink
+  name: littlelink
+  labels:
+    app: littlelink
+spec:
+  selector:
+    matchLabels:
+      app: littlelink
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: littlelink
+    spec:
+      containers:
+      - name: littlelink
+        image: registry.durp.info/techno-tim/littlelink-server:latest
+        imagePullPolicy: Always
+        livenessProbe:
+          httpGet:
+            path: /healthcheck
+            port: 3000
+        readinessProbe:
+          httpGet:
+            path: /healthcheck
+            port: 3000            
+        env:
+          - name: META_TITLE
+            value: DeveloperDurp
+          - name: META_DESCRIPTION
+            value: The Durpy Developer
+          - name: META_AUTHOR
+            value: DeveloperDurp
+          - name: LANG
+            value: en
+          - name: META_INDEX_STATUS
+            value: all
+          - name: OG_TITLE
+            value: DeveloperDurp
+          - name: OG_DESCRIPTION
+            value: DeveloperDurp
+          - name: OG_URL
+            value: https://gitlab.com/developerdurp
+          - name: OG_IMAGE
+            value: https://gitlab.com/uploads/-/system/user/avatar/9987937/avatar.png
+          - name : OG_IMAGE_WIDTH
+            value: "400"
+          - name : OG_IMAGE_HEIGHT
+            value: "400"
+          - name : THEME
+            value: Dark 
+          - name : FAVICON_URL
+            value: https://gitlab.com/uploads/-/system/user/avatar/9987937/avatar.png
+          - name : AVATAR_URL
+            value: https://gitlab.com/uploads/-/system/user/avatar/9987937/avatar.png
+          - name : AVATAR_2X_URL
+            value: https://gitlab.com/uploads/-/system/user/avatar/9987937/avatar.png   
+          - name : AVATAR_ALT
+            value: DeveloperDurp Profile Pic
+          - name : NAME
+            value: DeveloperDurp
+          - name : BIO
+            value: Sup Nerd,
+          - name : BUTTON_ORDER
+            value: GITHUB,GITLAB,YOUTUBE,INSTAGRAM,TWITTER,BLUESKY,COFFEE,EMAIL
+          - name : TWITTER
+            value: https://twitter.com/developerdurp                
+          - name : GITHUB
+            value: https://github.com/DeveloperDurp
+          - name: INSTAGRAM
+            value: https://instagram.com/developerdurp
+          - name : GITLAB
+            value: https://gitlab.com/developerdurp
+          - name: YOUTUBE
+            value: https://www.youtube.com/channel/UC1rGa6s6kER_gLpIQsxeMVQ
+          - name : EMAIL
+            value: DeveloperDurp@durp.info
+          - name : EMAIL_TEXT
+            value: DeveloperDurp@durp.info            
+          - name : FOOTER
+            value: DeveloperDurp © 2022         
+          - name: CUSTOM_BUTTON_TEXT
+            value: BuyMeACoffee,BlueSky
+          - name: CUSTOM_BUTTON_URL
+            value: https://www.buymeacoffee.com/DeveloperDurp,https://bsky.app/profile/durp.info
+          - name: CUSTOM_BUTTON_COLOR
+            value: '#ffdd00,#1185fe'
+          - name: CUSTOM_BUTTON_TEXT_COLOR
+            value: '#000000,#FFFFFF'
+          - name: CUSTOM_BUTTON_ALT_TEXT
+            value: Support,BlueSky
+          - name: CUSTOM_BUTTON_NAME
+            value: COFFEE,BLUESKY
+          - name: CUSTOM_BUTTON_ICON
+            value: fa-solid fa-cup-togo
+        ports:
+        - name: http
+          containerPort: 3000          

dmz/littlelink/templates/ingress.yaml

@@ -0,0 +1,42 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: littlelink-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`links.durp.info`) && PathPrefix(`/`)
+    kind: Rule
+    services:
+    - name: littlelink
+      port: 80
+  tls:
+    secretName: littlelink-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: littlelink-tls
+spec:
+  secretName: littlelink-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "links.durp.info"
+  dnsNames:
+  - "links.durp.info"  
+
+---
+
+kind: Service
+apiVersion: v1
+metadata:
+  name: links-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: links.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info

dmz/littlelink/templates/service.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: littlelink
+spec:
+  ports:
+  - name: http
+    port: 80
+    targetPort: 3000
+    protocol: TCP 
+  selector:
+    app: littlelink

dmz/longhorn/Chart.yaml

@@ -0,0 +1,12 @@
+apiVersion: v2
+name: longhorn-system
+description: A Helm chart for Kubernetes
+type: application
+
+version: 0.1.0
+appVersion: "1.16.0"
+
+dependencies:
+- name: longhorn
+  repository: https://charts.longhorn.io
+  version: 1.9.0

dmz/longhorn/templates/ingress.yaml

@@ -0,0 +1,34 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: longhorn-ingress
+  annotations:
+    cert-manager.io/cluster-issuer: vault-issuer
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`longhorn.dmz.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      middlewares:
+        - name: authentik-proxy-provider
+          namespace: traefik
+      services:
+        - name: longhorn-frontend
+          port: 80
+  tls:
+    secretName: longhorn-tls
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: longhorn-tls
+spec:
+  secretName: longhorn-tls
+  issuerRef:
+    name: vault-issuer
+    kind: ClusterIssuer
+  commonName: "longhorn.dmz.durp.info"
+  dnsNames:
+    - "longhorn.dmz.durp.info"

dmz/longhorn/templates/secrets.yaml

@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault
+
+---
+
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: external-longhorn-backup-token-secret
+spec:
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: longhorn-backup-token-secret
+  data:
+  - secretKey: AWS_ACCESS_KEY_ID
+    remoteRef:
+      key: kv/longhorn/backup
+      property: AWS_ACCESS_KEY_ID
+  - secretKey: AWS_ENDPOINTS 
+    remoteRef:
+      key: kv/longhorn/backup
+      property: AWS_ENDPOINTS 
+  - secretKey: AWS_SECRET_ACCESS_KEY
+    remoteRef:
+      key: kv/longhorn/backup
+      property: AWS_SECRET_ACCESS_KEY

dmz/longhorn/values.yaml

@@ -0,0 +1,192 @@
+longhorn: 
+  global:
+    cattle:
+      systemDefaultRegistry: ""
+  
+  image:
+    longhorn:
+      engine:
+        repository: longhornio/longhorn-engine
+      manager:
+        repository: longhornio/longhorn-manager
+      ui:
+        repository: longhornio/longhorn-ui
+      instanceManager:
+        repository: longhornio/longhorn-instance-manager
+      shareManager:
+        repository: longhornio/longhorn-share-manager
+      backingImageManager:
+        repository: longhornio/backing-image-manager
+    csi:
+      attacher:
+        repository: longhornio/csi-attacher
+      provisioner:
+        repository: longhornio/csi-provisioner
+      nodeDriverRegistrar:
+        repository: longhornio/csi-node-driver-registrar
+      resizer:
+        repository: longhornio/csi-resizer
+      snapshotter:
+        repository: longhornio/csi-snapshotter
+    pullPolicy: Always
+  
+  service:
+    ui:
+      type: ClusterIP
+      nodePort: null
+    manager:
+      type: ClusterIP
+      nodePort: ""
+      loadBalancerIP: ""
+      loadBalancerSourceRanges: ""
+  
+  persistence:
+    defaultClass: true
+    defaultFsType: ext4
+    defaultClassReplicaCount: 3
+    defaultDataLocality: disabled # best-effort otherwise
+    reclaimPolicy: Delete
+    migratable: false
+    recurringJobSelector:
+      enable: true
+      jobList: '[
+          {
+            "name":"backup", 
+            "task":"backup", 
+            "cron":"0 0 * * *", 
+            "retain":24
+          }
+        ]'
+    backingImage:
+      enable: false
+      name: ~
+      dataSourceType: ~
+      dataSourceParameters: ~
+      expectedChecksum: ~
+  
+  csi:
+    kubeletRootDir: ~
+    attacherReplicaCount: ~
+    provisionerReplicaCount: ~
+    resizerReplicaCount: ~
+    snapshotterReplicaCount: ~
+  
+  defaultSettings:
+    backupTarget: S3://longhorn-master@us-east-1/
+    backupTargetCredentialSecret: longhorn-backup-token-secret
+    allowRecurringJobWhileVolumeDetached: ~
+    createDefaultDiskLabeledNodes: ~
+    defaultDataPath: ~
+    defaultDataLocality: ~
+    replicaSoftAntiAffinity: ~
+    replicaAutoBalance: ~
+    storageOverProvisioningPercentage: ~
+    storageMinimalAvailablePercentage: ~
+    upgradeChecker: ~
+    defaultReplicaCount: ~
+    defaultLonghornStaticStorageClass: longhorn
+    backupstorePollInterval: ~
+    taintToleration: ~
+    systemManagedComponentsNodeSelector: ~
+    priorityClass: ~
+    autoSalvage: ~
+    autoDeletePodWhenVolumeDetachedUnexpectedly: ~
+    disableSchedulingOnCordonedNode: ~
+    replicaZoneSoftAntiAffinity: ~
+    nodeDownPodDeletionPolicy: ~
+    allowNodeDrainWithLastHealthyReplica: ~
+    mkfsExt4Parameters: ~
+    disableReplicaRebuild: ~
+    replicaReplenishmentWaitInterval: ~
+    concurrentReplicaRebuildPerNodeLimit: ~
+    disableRevisionCounter: ~
+    systemManagedPodsImagePullPolicy: ~
+    allowVolumeCreationWithDegradedAvailability: ~
+    autoCleanupSystemGeneratedSnapshot: ~
+    concurrentAutomaticEngineUpgradePerNodeLimit: ~
+    backingImageCleanupWaitInterval: ~
+    backingImageRecoveryWaitInterval: ~
+    guaranteedEngineManagerCPU: ~
+    guaranteedReplicaManagerCPU: ~
+    kubernetesClusterAutoscalerEnabled: ~
+    orphanAutoDeletion: ~
+    storageNetwork: ~
+  privateRegistry:
+    createSecret: ~
+    registryUrl: ~
+    registryUser: ~
+    registryPasswd: ~
+    registrySecret: ~
+  
+  longhornManager:
+    priorityClass: ~
+    tolerations: []
+    ## If you want to set tolerations for Longhorn Manager DaemonSet, delete the `[]` in the line above
+    ## and uncomment this example block
+    # - key: "key"
+    #   operator: "Equal"
+    #   value: "value"
+    #   effect: "NoSchedule"
+    nodeSelector: {}
+    ## If you want to set node selector for Longhorn Manager DaemonSet, delete the `{}` in the line above
+    ## and uncomment this example block
+    #  label-key1: "label-value1"
+    #  label-key2: "label-value2"
+  
+  longhornDriver:
+    priorityClass: ~
+    tolerations: []
+    ## If you want to set tolerations for Longhorn Driver Deployer Deployment, delete the `[]` in the line above
+    ## and uncomment this example block
+    # - key: "key"
+    #   operator: "Equal"
+    #   value: "value"
+    #   effect: "NoSchedule"
+    nodeSelector: {}
+    ## If you want to set node selector for Longhorn Driver Deployer Deployment, delete the `{}` in the line above
+    ## and uncomment this example block
+    #  label-key1: "label-value1"
+    #  label-key2: "label-value2"
+  
+  longhornUI:
+    priorityClass: ~
+    tolerations: []
+    ## If you want to set tolerations for Longhorn UI Deployment, delete the `[]` in the line above
+    ## and uncomment this example block
+    # - key: "key"
+    #   operator: "Equal"
+    #   value: "value"
+    #   effect: "NoSchedule"
+    nodeSelector: {}
+    ## If you want to set node selector for Longhorn UI Deployment, delete the `{}` in the line above
+    ## and uncomment this example block
+    #  label-key1: "label-value1"
+    #  label-key2: "label-value2"
+  
+  resources: {}
+    # We usually recommend not to specify default resources and to leave this as a conscious
+    # choice for the user. This also increases chances charts run on environments with little
+    # resources, such as Minikube. If you do want to specify resources, uncomment the following
+    # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+    # limits:
+    #  cpu: 100m
+    #  memory: 128Mi
+    # requests:
+    #  cpu: 100m
+    #  memory: 128Mi
+    #
+  
+  ingress:
+    enabled: false
+  
+  ## Specify override namespace, specifically this is useful for using longhorn as sub-chart
+  ## and its release namespace is not the `longhorn-system`
+  namespaceOverride: ""
+  
+  # Annotations to add to the Longhorn Manager DaemonSet Pods. Optional.
+  annotations: {}
+  
+  serviceAccount:
+    # Annotations to add to the service account
+    annotations: {}
+  

dmz/metallb-system/Chart.yaml

@@ -9,4 +9,4 @@ appVersion: "1.16.0"
 dependencies:
 - name: metallb
   repository: https://metallb.github.io/metallb
-  version: 0.14.9
+  version: 0.15.2

dmz/openspeedtest/Chart.yaml

@@ -0,0 +1,7 @@
+apiVersion: v2
+name: openspeedtest
+description: A Helm chart for Kubernetes
+type: application
+
+version: 0.1.0
+appVersion: "1.16.0"

dmz/openspeedtest/templates/deployment.yaml

@@ -0,0 +1,33 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  namespace: openspeedtest
+  name: openspeedtest
+  labels:
+    app: openspeedtest
+spec:
+  selector:
+    matchLabels:
+      app: openspeedtest
+  replicas: 1
+  template:
+    metadata:
+      labels:
+        app: openspeedtest
+    spec:
+      containers:
+      - name: openspeedtest
+        image: registry.durp.info/openspeedtest/latest
+        imagePullPolicy: Always
+        livenessProbe:
+          httpGet:
+            path: /
+            port: 3000
+        readinessProbe:
+          httpGet:
+            path: /
+            port: 3000
+        env:
+        ports:
+        - name: http
+          containerPort: 3000

dmz/openspeedtest/templates/ingress.yaml

@@ -0,0 +1,56 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: openspeedtest-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`speedtest.durp.info`) && PathPrefix(`/`)
+    kind: Rule
+    middlewares:
+    - name: authentik-proxy-provider
+      namespace: traefik  
+    - name: limit-buffering
+    services:
+    - name: openspeedtest
+      port: 3000
+  tls:
+    secretName: openspeedtest-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: openspeedtest-tls
+spec:
+  secretName: openspeedtest-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "speedtest.durp.info"
+  dnsNames:
+  - "speedtest.durp.info"  
+
+---
+
+kind: Service
+apiVersion: v1
+metadata:
+  name: openspeedtest-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: speedtest.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info
+
+---
+
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: limit-buffering
+spec:
+  buffering:
+    maxRequestBodyBytes: 10000000000

dmz/openspeedtest/templates/service.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: openspeedtest
+spec:
+  ports:
+  - name: http
+    port: 3000
+    targetPort: 3000
+    protocol: TCP 
+  selector:
+    app: openspeedtest

dmz/redlib/Chart.yaml

@@ -0,0 +1,7 @@
+apiVersion: v2
+name: redlib
+description: A Helm chart for Kubernetes
+type: application
+
+version: 0.1.0
+appVersion: "1.16.0"

dmz/redlib/templates/deployment.yaml

@@ -0,0 +1,33 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  namespace: redlib
+  name: redlib
+  labels:
+    app: redlib
+spec:
+  selector:
+    matchLabels:
+      app: redlib
+  replicas: 3
+  template:
+    metadata:
+      labels:
+        app: redlib
+    spec:
+      containers:
+      - name: redlib
+        image: registry.durp.info/redlib/redlib:latest
+        imagePullPolicy: Always
+        livenessProbe:
+          httpGet:
+            path: /
+            port: 8080
+        readinessProbe:
+          httpGet:
+            path: /
+            port: 8080
+        env:
+        ports:
+        - name: http
+          containerPort: 8080

dmz/redlib/templates/ingress.yaml

@@ -0,0 +1,43 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: redlib-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`redlib.durp.info`) && PathPrefix(`/`)
+      kind: Rule
+      middlewares:
+        - name: authentik-proxy-provider
+          namespace: traefik
+      services:
+        - name: redlib
+          port: 8080
+  tls:
+    secretName: redlib-tls
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: redlib-tls
+spec:
+  secretName: redlib-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "redlib.durp.info"
+  dnsNames:
+    - "redlib.durp.info"
+
+---
+kind: Service
+apiVersion: v1
+metadata:
+  name: redlib-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: redlib.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info

dmz/redlib/templates/service.yaml

@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: redlib
+spec:
+  ports:
+  - name: http
+    port: 8080
+    targetPort: 8080
+    protocol: TCP 
+  selector:
+    app: redlib

dmz/terraform/main.tf

@@ -3,7 +3,7 @@ terraform {
   required_providers {
     proxmox = {
       source  = "Telmate/proxmox"
-      version = "3.0.1-rc6"
+      version = "3.0.1-rc9"
     }
   }
 }

dmz/traefik/Chart.yaml

@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: traefik
   repository: https://traefik.github.io/charts
-  version: 34.0.0
+  version: 34.5.0

dmz/traefik/templates/middleware.yaml

@@ -5,7 +5,7 @@ metadata:
   namespace: traefik
 spec:
   forwardAuth:
-    address: http://ak-outpost-dmz-embedded-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik?rd=$scheme://$http_host$request_uri
+    address: http://ak-outpost-authentik-dmz-outpost.authentik.svc.cluster.local:9000/outpost.goauthentik.io/auth/traefik?rd=$scheme://$http_host$request_uri
     trustForwardHeader: true
     authResponseHeaders:
       - X-authentik-username
@@ -21,7 +21,6 @@ spec:
       - X-authentik-meta-version
 
 ---
-
 apiVersion: traefik.io/v1alpha1
 kind: Middleware
 metadata:
@@ -33,3 +32,23 @@ spec:
       - 192.168.0.0/16
       - 172.16.0.0/12
       - 10.0.0.0/8
+
+---
+#apiVersion: traefik.io/v1alpha1
+#kind: Middleware
+#metadata:
+#  name: bouncer
+#  namespace: traefik
+#spec:
+#  plugin:
+#    bouncer:
+#      enabled: true
+#      crowdsecMode: stream
+#      crowdsecLapiScheme: https
+#      crowdsecLapiTLSInsecureVerify: true
+#      crowdsecLapiHost: crowdsec-service.crowdsec:8080
+#      crowdsecLapiKey:
+#        valueFrom:
+#          secretKeyRef:
+#            name: crowdsec-lapi-key
+#            key: lapi-key

dmz/traefik/templates/secrets.yaml

@@ -0,0 +1,21 @@
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: crowdsec-lapi-key
+spec:
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: crowdsec-lapi-key
+  data:
+    - secretKey: lapi-key
+      remoteRef:
+        key: kv/crowdsec/api
+        property: key
+
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault

dmz/traefik/templates/traefik-dashboard.yaml

@@ -1,34 +1,35 @@
-#apiVersion: traefik.io/v1alpha1
-#kind: IngressRoute
-#metadata:
-#  name: traefik-ingress
-#spec:
-#  entryPoints:
-#    - websecure
-#  routes:
-#  - match: Host(`traefik.durp.info`)
-#    kind: Rule
-#    services:
-#    - name: api@internal
-#      kind: TraefikService
-#  tls:
-#    secretName: traefik-tls  
-#
-#---
-#
-#apiVersion: cert-manager.io/v1
-#kind: Certificate
-#metadata:
-#  name: traefik-tls
-#  namespace: traefik
-#spec:
-#  secretName: traefik-tls
-#  issuerRef:
-#    name: letsencrypt-production
-#    kind: ClusterIssuer
-#  commonName: "traefik.durp.info"
-#  dnsNames:
-#  - "traefik.durp.info"
-#
-#---
-#
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: traefik-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`traefik.dmz.durp.info`)
+      kind: Rule
+      middlewares:
+        - name: whitelist
+          namespace: traefik
+        - name: authentik-proxy-provider
+          namespace: traefik
+      services:
+        - name: api@internal
+          kind: TraefikService
+  tls:
+    secretName: traefik-tls
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: traefik-tls
+  namespace: traefik
+spec:
+  secretName: traefik-tls
+  issuerRef:
+    name: vault-issuer
+    kind: ClusterIssuer
+  commonName: "traefik.dmz.durp.info"
+  dnsNames:
+    - "traefik.dmz.durp.info"

dmz/traefik/values.yaml

@@ -29,6 +29,8 @@ traefik:
     - "--log.level=DEBUG"
     - --experimental.plugins.jwt.moduleName=github.com/traefik-plugins/traefik-jwt-plugin
     - --experimental.plugins.jwt.version=v0.7.0
+    - --experimental.plugins.bouncer.moduleName=github.com/maxlerebourg/crowdsec-bouncer-traefik-plugin
+    - --experimental.plugins.bouncer.version=v1.4.2
 
   autoscaling:
     enabled: true
@@ -49,7 +51,6 @@ traefik:
             value: 1
             periodSeconds: 60
 
-  
   # -- [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for `traefik` container.
   resources:
     requests:

dmz/vault/Chart.yaml

@@ -8,5 +8,5 @@ appVersion: 0.0.1
 dependencies:
 - name: vault
   repository: https://helm.releases.hashicorp.com  
-  version: 0.29.1
+  version: 0.30.0
 

dmz/vault/templates/secret-store.yaml

@@ -1,4 +1,4 @@
-apiVersion: external-secrets.io/v1beta1
+apiVersion: external-secrets.io/v1
 kind: ClusterSecretStore
 metadata:
   name: vault

infra/.gitlab/.gitlab-ci.yml

@@ -8,7 +8,7 @@ variables:
   GITLAB_TF_ADDRESS: ${CI_API_V4_URL}/projects/${CI_PROJECT_ID}/terraform/state/infra
 
 image:
-  name: registry.internal.durp.info/opentofu/opentofu:latest
+  name: registry.durp.info/opentofu/opentofu:latest
   entrypoint: [""]
 
 .tf-init:

infra/argocd/Chart.yaml

@@ -9,4 +9,4 @@ appVersion: "1.16.0"
 dependencies:
 - name: argo-cd
   repository: https://argoproj.github.io/argo-helm
-  version: 6.11.1
+  version: 8.1.3

infra/argocd/templates/argocd-crossplane.yaml

@@ -0,0 +1,101 @@
+#apiVersion: external-secrets.io/v1
+#kind: ExternalSecret
+#metadata:
+#  name: argocd-secret-crossplane
+#spec:
+#  secretStoreRef:
+#    name: vault
+#    kind: ClusterSecretStore
+#  target:
+#    name: argocd-secret-crossplane
+#  data:
+#    - secretKey: authToken
+#      remoteRef:
+#        key: kv/argocd/provider-argocd
+#        property: token
+#
+#---
+#apiVersion: external-secrets.io/v1
+#kind: ExternalSecret
+#metadata:
+#  name: prod-kubeconfig
+#spec:
+#  secretStoreRef:
+#    name: vault
+#    kind: ClusterSecretStore
+#  target:
+#    name: prod-kubeconfig
+#  data:
+#    - secretKey: kubeconfig
+#      remoteRef:
+#        key: kv/argocd/prd
+#        property: kubeconfig
+#
+#---
+#apiVersion: argocd.crossplane.io/v1alpha1
+#kind: ProviderConfig
+#metadata:
+#  name: argocd-provider
+#spec:
+#  serverAddr: argocd-server.argocd.svc:443
+#  insecure: true
+#  plainText: false
+#  credentials:
+#    source: Secret
+#    secretRef:
+#      namespace: argocd
+#      name: argocd-secret-crossplane
+#      key: authToken
+#
+#---
+#apiVersion: cluster.argocd.crossplane.io/v1alpha1
+#kind: Cluster
+#metadata:
+#  name: prd
+#  labels:
+#    purpose: prd
+#spec:
+#  forProvider:
+#    name: prd
+#    config:
+#      kubeconfigSecretRef:
+#        name: prod-kubeconfig
+#        namespace: argocd
+#        key: kubeconfig
+#  providerConfigRef:
+#    name: argocd-provider
+#
+#---
+#apiVersion: external-secrets.io/v1
+#kind: ExternalSecret
+#metadata:
+#  name: dev-kubeconfig
+#spec:
+#  secretStoreRef:
+#    name: vault
+#    kind: ClusterSecretStore
+#  target:
+#    name: dev-kubeconfig
+#  data:
+#    - secretKey: kubeconfig
+#      remoteRef:
+#        key: kv/argocd/dev
+#        property: kubeconfig
+#
+#---
+#apiVersion: cluster.argocd.crossplane.io/v1alpha1
+#kind: Cluster
+#metadata:
+#  name: dev
+#  labels:
+#    purpose: dev
+#spec:
+#  forProvider:
+#    name: dev
+#    config:
+#      kubeconfigSecretRef:
+#        name: dev-kubeconfig
+#        namespace: argocd
+#        key: kubeconfig
+#  providerConfigRef:
+#    name: argocd-provider

infra/argocd/templates/argocd.yaml

@@ -21,23 +21,23 @@ spec:
 
 ---
 
-#apiVersion: external-secrets.io/v1beta1
-#kind: ExternalSecret
-#metadata:
-#  name: vault-argocd
-#  labels:
-#    app.kubernetes.io/part-of: argocd
-#spec:
-#  secretStoreRef:
-#    name: vault
-#    kind: ClusterSecretStore
-#  target:
-#    name: client-secret
-#  data:
-#  - secretKey: clientSecret
-#    remoteRef:
-#      key: secrets/argocd/authentik
-#      property: clientsecret
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: vault-argocd
+  labels:
+    app.kubernetes.io/part-of: argocd
+spec:
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: client-secret
+  data:
+  - secretKey: clientSecret
+    remoteRef:
+      key: kv/authentik/argocd
+      property: clientsecret
 
 ---
 
@@ -45,8 +45,6 @@ apiVersion: traefik.io/v1alpha1
 kind: IngressRoute
 metadata:
   name: argocd-ingress
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-production
 spec:
   entryPoints:
     - websecure
@@ -77,3 +75,11 @@ spec:
   commonName: "argocd.infra.durp.info"
   dnsNames:
     - "argocd.infra.durp.info"
+
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault
+

infra/argocd/templates/authentik.yaml

@@ -13,9 +13,9 @@ spec:
     namespace: authentik
     name: in-cluster
   syncPolicy:
-    managedNamespaceMetadata:
-      labels:
-        istio-injection: enabled
+    #managedNamespaceMetadata:
+    #  labels:
+    #    istio-injection: enabled
     automated:
       prune: true
       selfHeal: true
@@ -23,7 +23,6 @@ spec:
       - CreateNamespace=true
 
 ---
-
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
@@ -44,4 +43,3 @@ spec:
       selfHeal: true
     syncOptions:
       - CreateNamespace=true
-

infra/argocd/templates/bitwarden.yaml

@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: bitwarden
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: main
+    path: infra/bitwarden
+  destination:
+    namespace: bitwarden
+    name: in-cluster
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

infra/argocd/templates/crowdsec.yaml

@@ -0,0 +1,20 @@
+#apiVersion: argoproj.io/v1alpha1
+#kind: Application
+#metadata:
+#  name: crowdsec
+#  namespace: argocd
+#spec:
+#  project: default
+#  source:
+#    repoURL: https://gitlab.com/developerdurp/homelab.git
+#    targetRevision: main
+#    path: dmz/crowdsec
+#  destination:
+#    namespace: crowdsec
+#    name: dmz
+#  syncPolicy:
+#    automated:
+#      prune: true
+#      selfHeal: true
+#    syncOptions:
+#      - CreateNamespace=true

infra/argocd/templates/istio.yaml

@@ -13,6 +13,9 @@ spec:
     namespace: istio-system
     name: in-cluster
   syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        topology.istio.io/network: network1
     automated:
       prune: true
       selfHeal: true
@@ -25,7 +28,6 @@ spec:
         - /webhooks/0/failurePolicy
 
 ---
-
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
@@ -41,6 +43,9 @@ spec:
     namespace: istio-system
     name: dmz
   syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        topology.istio.io/network: network2
     automated:
       prune: true
       selfHeal: true

infra/argocd/templates/kube-prometheus-stack.yaml

@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: kube-prometheus-stack
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: main
+    path: infra/kube-prometheus-stack
+  destination:
+    namespace: kube-prometheus-stack
+    name: in-cluster
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true