update

.gitignore

@@ -0,0 +1 @@
+.idea

dmz/internalproxy/templates/ollama.yaml

@@ -0,0 +1,101 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: ollama-secret
+spec:
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: ollama-secret
+  data:
+    - secretKey: users
+      remoteRef:
+        key: secrets/internalproxy/ollama
+        property: users
+
+---
+
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: ollama-basic-auth
+spec:
+  basicAuth:
+    secret: ollama-secret
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: ollama
+spec:
+  ports:
+    - name: app
+      port: 11435
+      protocol: TCP
+      targetPort: 11435
+  clusterIP: None
+  type: ClusterIP
+
+---
+
+apiVersion: v1
+kind: Endpoints
+metadata:
+  name: ollama
+subsets:
+  - addresses:
+      - ip: 192.168.20.104
+    ports:
+      - name: app
+        port: 11435
+        protocol: TCP
+
+---
+
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: ollama-ingress
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`ollama.durp.info`) && PathPrefix(`/`)
+      middlewares:
+        - name: ollama-basic-auth
+      kind: Rule
+      services:
+        - name: ollama
+          port: 11435
+  tls:
+    secretName: ollama-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: ollama-tls
+spec:
+  secretName: ollama-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "ollama.durp.info"
+  dnsNames:
+    - "ollama.durp.info"
+
+---
+
+kind: Service
+apiVersion: v1
+metadata:
+  name: ollama-external-dns
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: ollama.durp.info
+spec:
+  type: ExternalName
+  externalName: durp.info

gatekeeper/values.yaml

@@ -1,277 +0,0 @@
-gatekeeper:
-  replicas: 3
-  revisionHistoryLimit: 10
-  auditInterval: 60
-  metricsBackends: ["prometheus"]
-  auditMatchKindOnly: false
-  constraintViolationsLimit: 20
-  auditFromCache: false
-  disableMutation: false
-  disableValidatingWebhook: false
-  validatingWebhookName: gatekeeper-validating-webhook-configuration
-  validatingWebhookTimeoutSeconds: 3
-  validatingWebhookFailurePolicy: Ignore
-  validatingWebhookAnnotations: {}
-  validatingWebhookExemptNamespacesLabels: {}
-  validatingWebhookObjectSelector: {}
-  validatingWebhookCheckIgnoreFailurePolicy: Fail
-  validatingWebhookCustomRules: {}
-  validatingWebhookURL: null
-  enableDeleteOperations: false
-  enableExternalData: true
-  enableGeneratorResourceExpansion: true
-  enableTLSHealthcheck: false
-  maxServingThreads: -1
-  mutatingWebhookName: gatekeeper-mutating-webhook-configuration
-  mutatingWebhookFailurePolicy: Ignore
-  mutatingWebhookReinvocationPolicy: Never
-  mutatingWebhookAnnotations: {}
-  mutatingWebhookExemptNamespacesLabels: {}
-  mutatingWebhookObjectSelector: {}
-  mutatingWebhookTimeoutSeconds: 1
-  mutatingWebhookCustomRules: {}
-  mutatingWebhookURL: null
-  mutationAnnotations: false
-  auditChunkSize: 500
-  logLevel: INFO
-  logDenies: false
-  logMutations: false
-  emitAdmissionEvents: false
-  emitAuditEvents: false
-  admissionEventsInvolvedNamespace: false
-  auditEventsInvolvedNamespace: false
-  resourceQuota: true
-  externaldataProviderResponseCacheTTL: 3m
-  image:
-    repository: openpolicyagent/gatekeeper
-    crdRepository: openpolicyagent/gatekeeper-crds
-    release: v3.15.0-beta.0
-    pullPolicy: Always
-    pullSecrets: []
-  preInstall:
-    crdRepository:
-      image:
-        repository: null
-        tag: v3.15.0-beta.0
-  postUpgrade:
-    labelNamespace:
-      enabled: false
-      image:
-        repository: openpolicyagent/gatekeeper-crds
-        tag: v3.15.0-beta.0
-        pullPolicy: IfNotPresent
-        pullSecrets: []
-      extraNamespaces: []
-      podSecurity: ["pod-security.kubernetes.io/audit=restricted",
-        "pod-security.kubernetes.io/audit-version=latest",
-        "pod-security.kubernetes.io/warn=restricted",
-        "pod-security.kubernetes.io/warn-version=latest",
-        "pod-security.kubernetes.io/enforce=restricted",
-        "pod-security.kubernetes.io/enforce-version=v1.24"]
-      extraAnnotations: {}
-      priorityClassName: ""
-    affinity: {}
-    tolerations: []
-    nodeSelector: {kubernetes.io/os: linux}
-    resources: {}
-    securityContext:
-      allowPrivilegeEscalation: false
-      capabilities:
-        drop:
-        - ALL
-      readOnlyRootFilesystem: true
-      runAsGroup: 999
-      runAsNonRoot: true
-      runAsUser: 1000
-  postInstall:
-    labelNamespace:
-      enabled: true
-      extraRules: []
-      image:
-        repository: openpolicyagent/gatekeeper-crds
-        tag: v3.15.0-beta.0
-        pullPolicy: IfNotPresent
-        pullSecrets: []
-      extraNamespaces: []
-      podSecurity: ["pod-security.kubernetes.io/audit=restricted",
-        "pod-security.kubernetes.io/audit-version=latest",
-        "pod-security.kubernetes.io/warn=restricted",
-        "pod-security.kubernetes.io/warn-version=latest",
-        "pod-security.kubernetes.io/enforce=restricted",
-        "pod-security.kubernetes.io/enforce-version=v1.24"]
-      extraAnnotations: {}
-      priorityClassName: ""
-    probeWebhook:
-      enabled: true
-      image:
-        repository: curlimages/curl
-        tag: 7.83.1
-        pullPolicy: IfNotPresent
-        pullSecrets: []
-      waitTimeout: 60
-      httpTimeout: 2
-      insecureHTTPS: false
-      priorityClassName: ""
-    affinity: {}
-    tolerations: []
-    nodeSelector: {kubernetes.io/os: linux}
-    securityContext:
-      allowPrivilegeEscalation: false
-      capabilities:
-        drop:
-        - ALL
-      readOnlyRootFilesystem: true
-      runAsGroup: 999
-      runAsNonRoot: true
-      runAsUser: 1000
-  preUninstall:
-    deleteWebhookConfigurations:
-      extraRules: []
-      enabled: false
-      image:
-        repository: openpolicyagent/gatekeeper-crds
-        tag: v3.15.0-beta.0
-        pullPolicy: IfNotPresent
-        pullSecrets: []
-      priorityClassName: ""
-    affinity: {}
-    tolerations: []
-    nodeSelector: {kubernetes.io/os: linux}
-    resources: {}
-    securityContext:
-      allowPrivilegeEscalation: false
-      capabilities:
-        drop:
-        - ALL
-      readOnlyRootFilesystem: true
-      runAsGroup: 999
-      runAsNonRoot: true
-      runAsUser: 1000
-  podAnnotations: {}
-  auditPodAnnotations: {}
-  podLabels: {}
-  podCountLimit: "100"
-  secretAnnotations: {}
-  enableRuntimeDefaultSeccompProfile: true
-  controllerManager:
-    exemptNamespaces: []
-    exemptNamespacePrefixes: []
-    hostNetwork: false
-    dnsPolicy: ClusterFirst
-    port: 8443
-    metricsPort: 8888
-    healthPort: 9090
-    readinessTimeout: 1
-    livenessTimeout: 1
-    priorityClassName: system-cluster-critical
-    disableCertRotation: false
-    tlsMinVersion: 1.3
-    clientCertName: ""
-    strategyType: RollingUpdate
-    affinity:
-      podAntiAffinity:
-        preferredDuringSchedulingIgnoredDuringExecution:
-          - podAffinityTerm:
-              labelSelector:
-                matchExpressions:
-                  - key: gatekeeper.sh/operation
-                    operator: In
-                    values:
-                      - webhook
-              topologyKey: kubernetes.io/hostname
-            weight: 100
-    topologySpreadConstraints: []
-    tolerations: []
-    nodeSelector: {kubernetes.io/os: linux}
-    resources:
-      limits:
-        memory: 512Mi
-      requests:
-        cpu: 100m
-        memory: 512Mi
-    securityContext:
-      allowPrivilegeEscalation: false
-      capabilities:
-        drop:
-        - ALL
-      readOnlyRootFilesystem: true
-      runAsGroup: 999
-      runAsNonRoot: true
-      runAsUser: 1000
-    podSecurityContext:
-      fsGroup: 999
-      supplementalGroups:
-        - 999
-    extraRules: []
-    networkPolicy:
-      enabled: false
-      ingress: { }
-        # - from:
-        #   - ipBlock:
-        #       cidr: 0.0.0.0/0
-  audit:
-    enablePubsub: false
-    connection: audit-connection
-    channel: audit-channel
-    hostNetwork: false
-    dnsPolicy: ClusterFirst
-    metricsPort: 8888
-    healthPort: 9090
-    readinessTimeout: 1
-    livenessTimeout: 1
-    priorityClassName: system-cluster-critical
-    disableCertRotation: false
-    affinity: {}
-    tolerations: []
-    nodeSelector: {kubernetes.io/os: linux}
-    resources:
-      limits:
-        memory: 512Mi
-      requests:
-        cpu: 100m
-        memory: 512Mi
-    securityContext:
-      allowPrivilegeEscalation: false
-      capabilities:
-        drop:
-        - ALL
-      readOnlyRootFilesystem: true
-      runAsGroup: 999
-      runAsNonRoot: true
-      runAsUser: 1000
-    podSecurityContext:
-      fsGroup: 999
-      supplementalGroups:
-        - 999
-    writeToRAMDisk: false
-    extraRules: []
-  crds:
-    affinity: {}
-    tolerations: []
-    nodeSelector: {kubernetes.io/os: linux}
-    resources: {}
-    securityContext:
-      allowPrivilegeEscalation: false
-      capabilities:
-        drop:
-        - ALL
-      readOnlyRootFilesystem: true
-      runAsGroup: 65532
-      runAsNonRoot: true
-      runAsUser: 65532
-  pdb:
-    controllerManager:
-      minAvailable: 1
-  service: {}
-  disabledBuiltins: ["{http.send}"]
-  psp:
-    enabled: true
-  upgradeCRDs:
-    enabled: true
-    extraRules: []
-    priorityClassName: ""
-  rbac:
-    create: true
-  externalCertInjection:
-    enabled: false
-    secretName: gatekeeper-webhook-server-cert

infra/argocd/Chart.yaml

@@ -0,0 +1,12 @@
+apiVersion: v2
+name: argocd
+description: A Helm chart for Kubernetes
+type: application
+
+version: 0.1.0
+appVersion: "1.16.0"
+
+dependencies:
+- name: argo-cd
+  repository: https://argoproj.github.io/argo-helm
+  version: 6.11.1

infra/argocd/templates/argocd.yaml

@@ -0,0 +1,79 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: argocd
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: main
+    path: infra/argocd
+  destination:
+    namespace: argocd
+    name: in-cluster
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+
+---
+
+#apiVersion: external-secrets.io/v1beta1
+#kind: ExternalSecret
+#metadata:
+#  name: vault-argocd
+#  labels:
+#    app.kubernetes.io/part-of: argocd
+#spec:
+#  secretStoreRef:
+#    name: vault
+#    kind: ClusterSecretStore
+#  target:
+#    name: client-secret
+#  data:
+#  - secretKey: clientSecret
+#    remoteRef:
+#      key: secrets/argocd/authentik
+#      property: clientsecret
+
+---
+
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: argocd-ingress
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-production
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`argocd.infra.durp.info`)
+      #middlewares:
+      #  - name: whitelist
+      #    namespace: traefik
+      kind: Rule
+      services:
+        - name: argocd-server
+          port: 443
+          scheme: https
+  tls:
+    secretName: argocd-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: argocd-tls
+spec:
+  secretName: argocd-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "argocd.infra.durp.info"
+  dnsNames:
+    - "argocd.infra.durp.info"

infra/argocd/templates/cert-manager.yaml

@@ -8,7 +8,7 @@ spec:
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
     targetRevision: main
-    path: cert-manager
+    path: infra/cert-manager
   destination:
     namespace: cert-manager
     name: in-cluster
@@ -18,3 +18,4 @@ spec:
       selfHeal: true  
     syncOptions:
       - CreateNamespace=true 
+

infra/argocd/templates/external-secrets.yaml

@@ -8,7 +8,7 @@ spec:
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
     targetRevision: main
-    path: external-secrets
+    path: infra/external-secrets
   destination:
     namespace: external-secrets
     name: in-cluster
@@ -18,3 +18,4 @@ spec:
       selfHeal: true  
     syncOptions:
       - CreateNamespace=true 
+

infra/argocd/templates/longhorn.yaml

@@ -8,7 +8,7 @@ spec:
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
     targetRevision: main
-    path: longhorn
+    path: infra/longhorn
   destination:
     namespace: longhorn-system
     name: in-cluster

infra/argocd/templates/metallb-system.yaml

@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: metallb-system
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: main
+    path: infra/metallb-system
+  destination:
+    namespace: metallb-system
+    name: in-cluster
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true  
+    syncOptions:
+      - CreateNamespace=true 
+

infra/argocd/templates/traefik.yaml

@@ -8,7 +8,7 @@ spec:
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
     targetRevision: main
-    path: traefik
+    path: infra/traefik
   destination:
     namespace: traefik
     name: in-cluster
@@ -18,3 +18,4 @@ spec:
       selfHeal: true  
     syncOptions:
       - CreateNamespace=true 
+

infra/argocd/templates/vault.yaml

@@ -8,7 +8,7 @@ spec:
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
     targetRevision: main
-    path: vault
+    path: infra/vault
   destination:
     namespace: vault
     name: in-cluster

infra/argocd/values.yaml

@@ -0,0 +1,62 @@
+argo-cd:
+
+  global:
+    revisionHistoryLimit: 1
+    image:
+      repository: registry.internal.durp.info/argoproj/argocd
+      imagePullPolicy: Always
+
+  server:
+    #extraArgs:
+    #  - --dex-server-plaintext
+    #  - --dex-server=argocd-dex-server:5556
+    # oidc.config: |
+    #   name: AzureAD
+    #   issuer: https://login.microsoftonline.com/TENANT_ID/v2.0
+    #   clientID: CLIENT_ID
+    #   clientSecret: $oidc.azuread.clientSecret
+    #   requestedIDTokenClaims:
+    #     groups:
+    #       essential: true
+    #   requestedScopes:
+    #     - openid
+    #     - profile
+    #     - email
+
+  dex:
+    enabled: true
+    image:
+      repository: registry.internal.durp.info/dexidp/dex
+      imagePullPolicy: Always
+
+  configs:
+    cm:
+      create: true
+      annotations: {}
+      url: https://argocd.internal.durp.info
+      oidc.tls.insecure.skip.verify: "true"
+      dex.config: |
+        connectors:
+          - config:
+              issuer: https://authentik.durp.info/application/o/argocd/
+              clientID: dbb8ffc06104fb6e7fac3e4ae7fafb1d90437625
+              clientSecret: $client-secret:clientSecret
+              insecureEnableGroups: true
+              scopes:
+                - openid
+                - profile
+                - email
+                - groups
+            name: authentik
+            type: oidc
+            id: authentik
+
+    rbac:
+      create: true
+      policy.csv: |
+        g, ArgoCD Admins, role:admin
+      scopes: "[groups]"
+
+  server:
+    route: 
+      enabled: false

infra/cert-manager/Chart.yaml

@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: cert-manager
   repository: https://charts.jetstack.io
-  version: 1.*.*
+  version: v1.16.3

infra/cert-manager/templates/secretvault.yaml

@@ -0,0 +1,23 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: cloudflare-api-token-secret
+spec:
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: cloudflare-api-token-secret
+  data:
+  - secretKey: cloudflare-api-token-secret
+    remoteRef:
+      key: kv/cert-manager
+      property: cloudflare-api-token-secret
+
+---
+
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault
+

infra/cert-manager/values.yaml

@@ -0,0 +1,26 @@
+cert-manager:
+  crds:
+    enabled: true
+  image:
+    registry: registry.internal.durp.info
+    repository: jetstack/cert-manager-controller
+    pullPolicy: Always
+  replicaCount: 3
+  #extraArgs:
+  #  - --dns01-recursive-nameservers=1.1.1.1:53,1.0.0.1:53
+  #  - --dns01-recursive-nameservers-only
+  #podDnsPolicy: None
+  #podDnsConfig:
+  #  nameservers:
+  #    - "1.1.1.1"
+  #    - "1.0.0.1"
+  webhook:
+    image:
+      registry: registry.internal.durp.info
+      repository: jetstack/cert-manager-webhook
+      pullPolicy: Always  
+  cainjector:
+    image:
+      registry: registry.internal.durp.info
+      repository: jetstack/cert-manager-cainjector
+      pullPolicy: Always

infra/external-secrets/Chart.yaml

@@ -0,0 +1,11 @@
+apiVersion: v2
+name: external-secrets
+description: A Helm chart for Kubernetes
+type: application
+version: 0.0.1
+appVersion: 0.0.1
+
+dependencies:
+- name: external-secrets
+  repository: https://charts.external-secrets.io
+  version: 0.13.0

infra/external-secrets/templates/ca.yaml

@@ -0,0 +1,81 @@
+apiVersion: v1
+data:
+  vault.pem: |
+    -----BEGIN CERTIFICATE-----
+    MIIEszCCA5ugAwIBAgIUZEzzxqEuYiKHkL1df+Cb22NRRJMwDQYJKoZIhvcNAQEL
+    BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzIyMzQ0MloXDTM1MDEy
+    MTExMTU1NVowIDEeMBwGA1UEAxMVdmF1bHQuaW5mcmEuZHVycC5pbmZvMIIBIjAN
+    BgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAkZM0ue4bMcmmATs+kGYSpR2hLUzq
+    scGIwCtqmaKCMbd1xhmgjnIR3zvSRptLR2GVGvc1ti6qby0jXYvcqbxkHvay00zW
+    2zYN+M2m4lXpuWzg1t6NEoO6XGAsGj2v0vcVktPPU9uj0rGUVGWWfsvjoXqQFg5I
+    jdxsxK9SvMvw2XtE3FgKxpzCyw94InIHlcPwFTO+3ZdKStZlMbUDIkmszLBrWFcr
+    XOsPDfLxqMy0Ck//LKIt8djh3254FHB1GG5+kI+JSW1o+tUcL2NymvIINwm/2acS
+    1uTm+j9W7iEXav0pJNmm+/dzSskc3Y0ftM0h2HCXgitBIaEZnUVneNHOLwIDAQAB
+    o4IB7zCCAeswDgYDVR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0O
+    BBYEFCaQ2q7j7LyBGETEZ5qaJAdlISKCMB8GA1UdIwQYMBaAFO1jCyGkpFO+QiR2
+    dfBMWVYeWrQ2MIH0BggrBgEFBQcBAQSB5zCB5DAzBggrBgEFBQcwAYYnaHR0cHM6
+    Ly8xOTIuMTY4LjIwLjI1Mzo4MjAxL3YxL3BraS9vY3NwMD0GCCsGAQUFBzABhjFo
+    dHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3BraS9vY3Nw
+    MDEGCCsGAQUFBzAChiVodHRwczovLzE5Mi4xNjguMjAuMjUzOjgyMDEvdjEvcGtp
+    L2NhMDsGCCsGAQUFBzAChi9odHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVy
+    cC5pbmZvL3YxL3BraS9jYTAgBgNVHREEGTAXghV2YXVsdC5pbmZyYS5kdXJwLmlu
+    Zm8wbwYDVR0fBGgwZjAsoCqgKIYmaHR0cHM6Ly8xOTIuMTY4LjIwLjI1Mzo4MjAx
+    L3YxL3BraS9jcmwwNqA0oDKGMGh0dHBzOi8vcm9vdC12YXVsdC5pbnRlcm5hbC5k
+    dXJwLmluZm8vdjEvcGtpL2NybDANBgkqhkiG9w0BAQsFAAOCAQEAuJ+lplY/+A5L
+    5LzkljbKDTy3U6PLv1LtxqVCOFGiJXBnXMjtVW07bBEUadzFRNW8GHQ3w5QzOG6k
+    /vE/TrrJho7l05J/uc+BUrPSNjefLmQV6hn4jrP86PR0vzRfbSqKKBIID9M7+zi6
+    GFvHlVkSHsQyMQp7JOoax9KVzW2Y+OIgw7Lgw2tP122WCt2SIF0QenoZHsoW0guj
+    tzTJRmJDjn6XeJ7L3FPkf37H6ub0Jg3zBGr6eorEFfYZNN5CXezjqMFBpRdq4UIo
+    1M3A7o3uyZFcFsp/vGDcMBkwaCsBV9idu/HwkvGaTUNI285ilBORPD0bMZnACq/9
+    +Q/cdsO5lg==
+    -----END CERTIFICATE-----
+    -----BEGIN CERTIFICATE-----
+    MIIEmzCCA4OgAwIBAgIUQwCAs82sgSuiaVbjANHScO2DSfAwDQYJKoZIhvcNAQEL
+    BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzExMjEyNVoXDTM1MDEy
+    MTExMTU1NVowFDESMBAGA1UEAxMJZHVycC5pbmZvMIIBIjANBgkqhkiG9w0BAQEF
+    AAOCAQ8AMIIBCgKCAQEAn9fjGRqqFsqguz56X6cXZwEMtD9wElwSFCb4Fc8YTzlH
+    4fV13QwXKESLE/Q+7bw4y4FJQ8BiGNbxxbQOOgWhfGGlQyFa1lfhJtYLfqRN5C2/
+    S7nr0YxDB9duc4OAExVL6Pr4/Koc+vDZY03l7RzwnF2AOM9DjFTASw01TphCQjRk
+    U+upiN2TUhUPejV/gMR+zXM6pn98UBKG1dNubS0HzAMwAEXAPm141NDyWUCPT9+3
+    6P03Ka8mUTx3X49OCtvJEGEQbtlnTFQaOSkP1yLW+XRMHw3sQaV2PWXu5fInbEpZ
+    +SuzmgLOXtmQNmHLav9q1qeTVkpBGPWvfh2Vh1JJhQIDAQABo4IB4zCCAd8wDgYD
+    VR0PAQH/BAQDAgEGMA8GA1UdEwEB/wQFMAMBAf8wHQYDVR0OBBYEFJaP17f1Zw0V
+    55Ks9Uf0USVWl0BPMB8GA1UdIwQYMBaAFO1jCyGkpFO+QiR2dfBMWVYeWrQ2MIH0
+    BggrBgEFBQcBAQSB5zCB5DAzBggrBgEFBQcwAYYnaHR0cHM6Ly8xOTIuMTY4LjIw
+    LjI1Mzo4MjAxL3YxL3BraS9vY3NwMD0GCCsGAQUFBzABhjFodHRwczovL3Jvb3Qt
+    dmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3BraS9vY3NwMDEGCCsGAQUFBzAC
+    hiVodHRwczovLzE5Mi4xNjguMjAuMjUzOjgyMDEvdjEvcGtpL2NhMDsGCCsGAQUF
+    BzAChi9odHRwczovL3Jvb3QtdmF1bHQuaW50ZXJuYWwuZHVycC5pbmZvL3YxL3Br
+    aS9jYTAUBgNVHREEDTALgglkdXJwLmluZm8wbwYDVR0fBGgwZjAsoCqgKIYmaHR0
+    cHM6Ly8xOTIuMTY4LjIwLjI1Mzo4MjAxL3YxL3BraS9jcmwwNqA0oDKGMGh0dHBz
+    Oi8vcm9vdC12YXVsdC5pbnRlcm5hbC5kdXJwLmluZm8vdjEvcGtpL2NybDANBgkq
+    hkiG9w0BAQsFAAOCAQEAiqAZ4zNIEkCWcvpDRq0VyJuk59sVtJr5X4FscHQ179nE
+    QbbvMe+EBDFS6XQml1Elj8jiPa/D5O9Oc6Iisnm5+weZKwApz/lQ+XVkWLCoEplB
+    ZZ9fcWVCbMLt0xlt8qn5z/mYKfbCT7ZCqDO+prQZt+ADJcQbiknfroAAqEbNKxwN
+    Y9uUyOWNF3SxJEch4w2dtX+IEVmxeZnhMy8OuP0SQKl8aW40ugiG0ZD5yTBBfOD9
+    zsrGSU/iSatn0b7bevBhaL96hz1/rNR1cL+4/albX2hrr8Rv3/SB2DLtNQlQW0ls
+    AfhXAqP5zL+Ytgf1Of/pVdgnhxrYUY7RKCSGY5Hagw==
+    -----END CERTIFICATE-----
+    -----BEGIN CERTIFICATE-----
+    MIIDLzCCAhegAwIBAgIUNHdvOzam2HPVdwXpMHUy4wl8ZRYwDQYJKoZIhvcNAQEL
+    BQAwFDESMBAGA1UEAxMJZHVycC5pbmZvMB4XDTI1MDEyMzExMTUyNVoXDTM1MDEy
+    MTExMTU1NVowFDESMBAGA1UEAxMJZHVycC5pbmZvMIIBIjANBgkqhkiG9w0BAQEF
+    AAOCAQ8AMIIBCgKCAQEA8XDTVEtRI3+k4yuvqVqfIiLRQJcXbmhfVtAeYk+5j9Ox
+    p1w9YHdnPLqLFrD1PzadjqYeAp/fwlEFfs6lqwoTS8S9vhaFqcgB57nVMb77dTBb
+    /08XHXOU6FPRjdFKm5QMpS7tn1XacPMy/o0bKqRREQeiuFDGVRyuF5PUgvWc1dvJ
+    l27JvvgYktgjfpNS4DlCxg4lGXT5abvaKf2hnr65egaIo/yRWN9wnvAzRiY7oci7
+    GA1oKz87Yc1tfL2gcynrwccOOCF/eUKesJR1I6GXNkN/a1fcr+Ld9Z9NhHBtO+vE
+    N8DsZY+kG7DE3M4BCCTFUzllcYHjaW4HaF9vZW+PYwIDAQABo3kwdzAOBgNVHQ8B
+    Af8EBAMCAQYwDwYDVR0TAQH/BAUwAwEB/zAdBgNVHQ4EFgQU7WMLIaSkU75CJHZ1
+    8ExZVh5atDYwHwYDVR0jBBgwFoAU7WMLIaSkU75CJHZ18ExZVh5atDYwFAYDVR0R
+    BA0wC4IJZHVycC5pbmZvMA0GCSqGSIb3DQEBCwUAA4IBAQAS/qUI/1Yv07xUTK5k
+    r93kC7GSPpmpkXIsfjChAl93sebN143fu70NUP74jjCc0Wkb8hRofGg10E+/24r1
+    AI0KsLhzKzfIASxUVQAn8RTptLruaaPLboSA4MUZ8IB5y8Vy8E3/KtD0gD80j64Y
+    rm9XGHA0HTJHbPUTb/Rux2g0E7WtiyWSWH8mqzbegU8IrkM3eVT4+ylBE7YkfWDD
+    dw44sB71tfmDKpzWg6XQ6YMh0YfnyG1fYCj9LhuecNY9Uuo6cjDaAvkzMewWwqDx
+    Q2Ekas98Di6itCP8vET+gBDjeCc+XR6Hx6vzWmxlZhwDuxEKL1a2/DabUxJyMNzv
+    55Fn
+    -----END CERTIFICATE-----
+kind: ConfigMap
+metadata:
+  name: ca-pemstore

infra/external-secrets/values.yaml

@@ -0,0 +1,70 @@
+external-secrets:
+  replicaCount: 3
+  revisionHistoryLimit: 1
+  leaderElect: true
+
+  installCRDs: true
+  crds:
+    createClusterExternalSecret: true
+    createClusterSecretStore: true
+    createClusterGenerator: true
+    createPushSecret: true
+    conversion:
+      enabled: false
+
+  image:
+    repository: registry.internal.durp.info/external-secrets/external-secrets
+    pullPolicy: Always
+
+  extraVolumes: 
+    - name: ca-pemstore
+      configMap:
+        name: ca-pemstore
+
+  extraVolumeMounts: 
+    - name: ca-pemstore
+      mountPath: /etc/ssl/certs/vault.pem
+      subPath: vault.pem
+      readOnly: true
+
+  resources: 
+    requests:
+      memory: 32Mi
+      cpu: 10m
+    limits:
+      memory: 32Mi
+      cpu: 10m
+
+  webhook:
+    log:
+      level: debug
+    image:
+      repository: registry.internal.durp.info/external-secrets/external-secrets
+      pullPolicy: Always
+
+    resources: 
+      requests:
+        memory: 32Mi
+        cpu: 10m
+      limits:
+        memory: 32Mi
+        cpu: 10m
+
+  certController:
+    create: false
+    revisionHistoryLimit: 1
+    log:
+      level: debug
+
+    image:
+      repository: registry.internal.durp.info/external-secrets/external-secrets
+      pullPolicy: Always
+      tag: ""
+
+    resources: 
+      requests:
+        memory: 32Mi
+        cpu: 10m
+      limits:
+        memory: 32Mi
+        cpu: 10m

infra/longhorn/Chart.yaml

@@ -9,4 +9,4 @@ appVersion: "1.16.0"
 dependencies:
 - name: longhorn
   repository: https://charts.longhorn.io
-  version: 1.3.2
+  version: 1.7.2

infra/longhorn/templates/ingress.yaml

@@ -0,0 +1,32 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: longhorn-ingress
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-production
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`longhorn.infra.durp.info`) && PathPrefix(`/`)
+    kind: Rule
+    services:
+    - name: longhorn-frontend
+      port: 80
+  tls:
+    secretName: longhorn-tls1
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: longhorn-tls1
+spec:
+  secretName: longhorn-tls1
+  issuerRef:
+    name: vault-issuer
+    kind: ClusterIssuer
+  commonName: "longhorn.infra.durp.info"
+  dnsNames:
+    - "longhorn.infra.durp.info"

infra/longhorn/templates/secrets.yaml

@@ -0,0 +1,30 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: vault
+
+---
+
+apiVersion: external-secrets.io/v1beta1
+kind: ExternalSecret
+metadata:
+  name: external-longhorn-backup-token-secret
+spec:
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: longhorn-backup-token-secret
+  data:
+  - secretKey: AWS_ACCESS_KEY_ID
+    remoteRef:
+      key: kv/longhorn/backup
+      property: AWS_ACCESS_KEY_ID
+  - secretKey: AWS_ENDPOINTS 
+    remoteRef:
+      key: kv/longhorn/backup
+      property: AWS_ENDPOINTS 
+  - secretKey: AWS_SECRET_ACCESS_KEY
+    remoteRef:
+      key: kv/longhorn/backup
+      property: AWS_SECRET_ACCESS_KEY

infra/longhorn/values.yaml

@@ -0,0 +1,192 @@
+longhorn: 
+  global:
+    cattle:
+      systemDefaultRegistry: ""
+  
+  image:
+    longhorn:
+      engine:
+        repository: longhornio/longhorn-engine
+      manager:
+        repository: longhornio/longhorn-manager
+      ui:
+        repository: longhornio/longhorn-ui
+      instanceManager:
+        repository: longhornio/longhorn-instance-manager
+      shareManager:
+        repository: longhornio/longhorn-share-manager
+      backingImageManager:
+        repository: longhornio/backing-image-manager
+    csi:
+      attacher:
+        repository: longhornio/csi-attacher
+      provisioner:
+        repository: longhornio/csi-provisioner
+      nodeDriverRegistrar:
+        repository: longhornio/csi-node-driver-registrar
+      resizer:
+        repository: longhornio/csi-resizer
+      snapshotter:
+        repository: longhornio/csi-snapshotter
+    pullPolicy: Always
+  
+  service:
+    ui:
+      type: ClusterIP
+      nodePort: null
+    manager:
+      type: ClusterIP
+      nodePort: ""
+      loadBalancerIP: ""
+      loadBalancerSourceRanges: ""
+  
+  persistence:
+    defaultClass: true
+    defaultFsType: ext4
+    defaultClassReplicaCount: 3
+    defaultDataLocality: disabled # best-effort otherwise
+    reclaimPolicy: Delete
+    migratable: false
+    recurringJobSelector:
+      enable: true
+      jobList: '[
+          {
+            "name":"backup", 
+            "task":"backup", 
+            "cron":"0 0 * * *", 
+            "retain":24
+          }
+        ]'
+    backingImage:
+      enable: false
+      name: ~
+      dataSourceType: ~
+      dataSourceParameters: ~
+      expectedChecksum: ~
+  
+  csi:
+    kubeletRootDir: ~
+    attacherReplicaCount: ~
+    provisionerReplicaCount: ~
+    resizerReplicaCount: ~
+    snapshotterReplicaCount: ~
+  
+  defaultSettings:
+    backupTarget: S3://longhorn-infra@us-east-1/
+    backupTargetCredentialSecret: longhorn-backup-token-secret
+    allowRecurringJobWhileVolumeDetached: ~
+    createDefaultDiskLabeledNodes: ~
+    defaultDataPath: ~
+    defaultDataLocality: ~
+    replicaSoftAntiAffinity: ~
+    replicaAutoBalance: ~
+    storageOverProvisioningPercentage: ~
+    storageMinimalAvailablePercentage: ~
+    upgradeChecker: ~
+    defaultReplicaCount: ~
+    defaultLonghornStaticStorageClass: longhorn
+    backupstorePollInterval: ~
+    taintToleration: ~
+    systemManagedComponentsNodeSelector: ~
+    priorityClass: ~
+    autoSalvage: ~
+    autoDeletePodWhenVolumeDetachedUnexpectedly: ~
+    disableSchedulingOnCordonedNode: ~
+    replicaZoneSoftAntiAffinity: ~
+    nodeDownPodDeletionPolicy: ~
+    allowNodeDrainWithLastHealthyReplica: ~
+    mkfsExt4Parameters: ~
+    disableReplicaRebuild: ~
+    replicaReplenishmentWaitInterval: ~
+    concurrentReplicaRebuildPerNodeLimit: ~
+    disableRevisionCounter: ~
+    systemManagedPodsImagePullPolicy: ~
+    allowVolumeCreationWithDegradedAvailability: ~
+    autoCleanupSystemGeneratedSnapshot: ~
+    concurrentAutomaticEngineUpgradePerNodeLimit: ~
+    backingImageCleanupWaitInterval: ~
+    backingImageRecoveryWaitInterval: ~
+    guaranteedEngineManagerCPU: ~
+    guaranteedReplicaManagerCPU: ~
+    kubernetesClusterAutoscalerEnabled: ~
+    orphanAutoDeletion: ~
+    storageNetwork: ~
+  privateRegistry:
+    createSecret: ~
+    registryUrl: ~
+    registryUser: ~
+    registryPasswd: ~
+    registrySecret: ~
+  
+  longhornManager:
+    priorityClass: ~
+    tolerations: []
+    ## If you want to set tolerations for Longhorn Manager DaemonSet, delete the `[]` in the line above
+    ## and uncomment this example block
+    # - key: "key"
+    #   operator: "Equal"
+    #   value: "value"
+    #   effect: "NoSchedule"
+    nodeSelector: {}
+    ## If you want to set node selector for Longhorn Manager DaemonSet, delete the `{}` in the line above
+    ## and uncomment this example block
+    #  label-key1: "label-value1"
+    #  label-key2: "label-value2"
+  
+  longhornDriver:
+    priorityClass: ~
+    tolerations: []
+    ## If you want to set tolerations for Longhorn Driver Deployer Deployment, delete the `[]` in the line above
+    ## and uncomment this example block
+    # - key: "key"
+    #   operator: "Equal"
+    #   value: "value"
+    #   effect: "NoSchedule"
+    nodeSelector: {}
+    ## If you want to set node selector for Longhorn Driver Deployer Deployment, delete the `{}` in the line above
+    ## and uncomment this example block
+    #  label-key1: "label-value1"
+    #  label-key2: "label-value2"
+  
+  longhornUI:
+    priorityClass: ~
+    tolerations: []
+    ## If you want to set tolerations for Longhorn UI Deployment, delete the `[]` in the line above
+    ## and uncomment this example block
+    # - key: "key"
+    #   operator: "Equal"
+    #   value: "value"
+    #   effect: "NoSchedule"
+    nodeSelector: {}
+    ## If you want to set node selector for Longhorn UI Deployment, delete the `{}` in the line above
+    ## and uncomment this example block
+    #  label-key1: "label-value1"
+    #  label-key2: "label-value2"
+  
+  resources: {}
+    # We usually recommend not to specify default resources and to leave this as a conscious
+    # choice for the user. This also increases chances charts run on environments with little
+    # resources, such as Minikube. If you do want to specify resources, uncomment the following
+    # lines, adjust them as necessary, and remove the curly braces after 'resources:'.
+    # limits:
+    #  cpu: 100m
+    #  memory: 128Mi
+    # requests:
+    #  cpu: 100m
+    #  memory: 128Mi
+    #
+  
+  ingress:
+    enabled: false
+  
+  ## Specify override namespace, specifically this is useful for using longhorn as sub-chart
+  ## and its release namespace is not the `longhorn-system`
+  namespaceOverride: ""
+  
+  # Annotations to add to the Longhorn Manager DaemonSet Pods. Optional.
+  annotations: {}
+  
+  serviceAccount:
+    # Annotations to add to the service account
+    annotations: {}
+  

infra/metallb-system/Chart.yaml

@@ -0,0 +1,12 @@
+apiVersion: v2
+name: metallb-system
+description: A Helm chart for Kubernetes
+type: application
+
+version: 0.1.0
+appVersion: "1.16.0"
+
+dependencies:
+- name: metallb
+  repository: https://metallb.github.io/metallb
+  version: 0.14.9

infra/metallb-system/templates/config.yaml

@@ -0,0 +1,17 @@
+apiVersion: metallb.io/v1beta1
+kind: IPAddressPool
+metadata:
+  name: cheap
+spec:
+  addresses:
+    - 192.168.12.130-192.168.12.140
+---
+apiVersion: metallb.io/v1beta1
+kind: L2Advertisement
+metadata:
+  name: pool
+  namespace: metallb-system
+spec:
+  ipAddressPools:
+  - cheap
+

infra/traefik/Chart.yaml

@@ -8,4 +8,4 @@ appVersion: 0.0.1
 dependencies:
 - name: traefik
   repository: https://traefik.github.io/charts
-  version: 22.1.0
+  version: 34.0.0

infra/traefik/values.yaml

@@ -0,0 +1,47 @@
+traefik:
+  image: 
+    registry: registry.durp.info
+    repository: traefik
+    pullPolicy: Always
+  
+  deployment:
+    replicas: 3
+    revisionHistoryLimit: 1
+  
+  ingressRoute:
+    dashboard:
+      enabled: true
+  
+  additionalArguments: 
+    - "--serversTransport.insecureSkipVerify=true"
+    - "--log.level=DEBUG"
+    - --experimental.plugins.jwt.moduleName=github.com/traefik-plugins/traefik-jwt-plugin
+    - --experimental.plugins.jwt.version=v0.7.0
+  
+  autoscaling:
+    enabled: true
+    minReplicas: 3
+    maxReplicas: 10
+    metrics:
+    - type: Resource
+      resource:
+        name: cpu
+        target:
+          type: Utilization
+          averageUtilization: 80
+    behavior:
+      scaleDown:
+        stabilizationWindowSeconds: 300
+        policies:
+        - type: Pods
+          value: 1
+          periodSeconds: 60
+  
+  
+  # -- [Resources](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/) for `traefik` container.
+  resources: 
+    requests:
+      cpu: "100m"
+      memory: "512Mi"
+    limits:
+      memory: "512Mi"

infra/vault/Chart.yaml

@@ -8,5 +8,5 @@ appVersion: 0.0.1
 dependencies:
 - name: vault
   repository: https://helm.releases.hashicorp.com  
-  version: 0.27.0
+  version: 0.29.1
 

infra/vault/templates/ingress.yaml

@@ -0,0 +1,33 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: vault-ingress
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-production
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`vault.infra.durp.info`)
+    kind: Rule
+    services:
+    - name: vault
+      port: 8200
+      scheme: https
+  tls:
+    secretName: vault-tls  
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: vault-tls
+spec:
+  secretName: vault-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "vault.infra.durp.info"
+  dnsNames:
+    - "vault.infra.durp.info"

infra/vault/templates/sa.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: issuer

infra/vault/templates/secret-store.yaml

@@ -0,0 +1,17 @@
+apiVersion: external-secrets.io/v1beta1
+kind: ClusterSecretStore
+metadata:
+  name: vault
+spec:
+  provider:
+    vault:
+      server: "https://vault.infra.durp.info"
+      path: "kv"
+      version: "v2"
+      auth:
+        kubernetes:
+          mountPath: "kubernetes"
+          role: "external-secrets"
+          serviceAccountRef:
+            name: "vault"
+

infra/vault/values.yaml

@@ -0,0 +1,140 @@
+vault:
+  global:
+    enabled: true
+    tlsDisable: false
+    resources:
+      requests:
+        memory: 256Mi
+        cpu: 250m
+      limits:
+        memory: 256Mi
+        cpu: 250m
+  
+  server:
+    image:
+      repository: "hashicorp/vault"
+    # These Resource Limits are in line with node requirements in the
+    # Vault Reference Architecture for a Small Cluster
+    #resources:
+    #  requests:
+    #    memory: 8Gi
+    #    cpu: 2000m
+    #  limits:
+    #    memory: 16Gi
+    #    cpu: 2000m
+  
+    # For HA configuration and because we need to manually init the vault,
+    # we need to define custom readiness/liveness Probe settings
+    readinessProbe:
+      enabled: true
+      path: "/v1/sys/health?standbyok=true&sealedcode=204&uninitcode=204"
+    livenessProbe:
+      enabled: true
+      path: "/v1/sys/health?standbyok=true"
+      initialDelaySeconds: 60
+  
+    # extraEnvironmentVars is a list of extra environment variables to set with the stateful set. These could be
+    # used to include variables required for auto-unseal.
+    extraEnvironmentVars:
+      VAULT_CACERT: /vault/userconfig/vault-server-tls/vault.ca
+
+    extraSecretEnvironmentVars: 
+      - envName: VAULT_TOKEN
+        secretName: autounseal
+        secretKey: VAULT_TOKEN
+  
+    volumes:
+      - name: userconfig-vault-server-tls
+        secret:
+          defaultMode: 420
+          secretName: vault-server-tls 
+
+    volumeMounts:
+      - mountPath: /vault/userconfig/vault-server-tls
+        name: userconfig-vault-server-tls
+        readOnly: true
+  
+    # This configures the Vault Statefulset to create a PVC for audit logs.
+    # See https://www.vaultproject.io/docs/audit/index.html to know more
+    auditStorage:
+      enabled: true
+  
+    standalone:
+      enabled: false
+
+      config: |
+        disable_mlock = true
+        ui = true
+        listener "tcp" {
+          address = "[::]:8200"
+          cluster_address = "[::]:8201"
+            tls_cert_file = "/vault/userconfig/vault-server-tls/vault.crt"
+            tls_key_file  = "/vault/userconfig/vault-server-tls/vault.key"
+        }
+
+        seal "transit" {
+          address = "https://root-vault.internal.durp.info"
+          disable_renewal = "false"
+          key_name = "autounseal"
+          mount_path = "transit/"
+          tls_skip_verify = "true"
+        }
+
+        storage "raft" {
+            path = "/vault/data"
+        }
+  
+    # Run Vault in "HA" mode.
+    ha:
+      enabled: true
+      replicas: 3
+      raft:
+        enabled: true
+        setNodeId: true
+  
+        config: |
+          ui = true
+          cluster_name = "vault-integrated-storage"
+          listener "tcp" {
+            address = "[::]:8200"
+            cluster_address = "[::]:8201"
+            tls_cert_file = "/vault/userconfig/vault-server-tls/vault.crt"
+            tls_key_file  = "/vault/userconfig/vault-server-tls/vault.key"
+          }
+
+          seal "transit" {
+            address = "https://root-vault.internal.durp.info"
+            disable_renewal = "false"
+            key_name = "autounseal"
+            mount_path = "transit/"
+            tls_skip_verify = "true"
+          }
+  
+          storage "raft" {
+            path = "/vault/data"
+            retry_join {
+              leader_api_addr = "https://vault-0.vault-internal:8200"
+              leader_ca_cert_file = "/vault/userconfig/vault-server-tls/vault.ca"
+              leader_client_cert_file = "/vault/userconfig/vault-server-tls/vault.crt"
+              leader_client_key_file = "/vault/userconfig/vault-server-tls/vault.key"
+            }
+            retry_join {
+              leader_api_addr = "https://vault-1.vault-internal:8200"
+              leader_ca_cert_file = "/vault/userconfig/vault-server-tls/vault.ca"
+              leader_client_cert_file = "/vault/userconfig/vault-server-tls/vault.crt"
+              leader_client_key_file = "/vault/userconfig/vault-server-tls/vault.key"
+            }
+            retry_join {
+              leader_api_addr = "https://vault-2.vault-internal:8200"
+              leader_ca_cert_file = "/vault/userconfig/vault-server-tls/vault.ca"
+              leader_client_cert_file = "/vault/userconfig/vault-server-tls/vault.crt"
+              leader_client_key_file = "/vault/userconfig/vault-server-tls/vault.key"
+            }
+          } 
+  
+  # Vault UI
+  ui:
+    enabled: false
+    serviceType: "LoadBalancer"
+    serviceNodePort: null
+    externalPort: 8200

internalproxy/templates/argocd.yaml

@@ -1,46 +0,0 @@
-apiVersion: traefik.containo.us/v1alpha1
-kind: IngressRoute
-metadata:
-  name: argocd-ingress
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-production
-spec:
-  entryPoints:
-    - websecure
-  routes:
-  - match: Host(`argocd.internal.durp.info`)
-    middlewares:
-    - name: whitelist
-      namespace: traefik  
-    kind: Rule
-    services:
-    - name: argocd-server
-      port: 443
-      scheme: https
-  tls:
-    secretName: argocd-tls  
-
----
-
-kind: Service
-apiVersion: v1
-metadata:
-  name: argocd-server
-spec:
-  type: ExternalName
-  externalName: argocd-server.argocd.svc.cluster.local  
-
----
-
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: argocd-tls
-spec:
-  secretName: argocd-tls
-  issuerRef:
-    name: letsencrypt-production
-    kind: ClusterIssuer
-  commonName: "argocd.internal.durp.info"
-  dnsNames:
-  - "argocd.internal.durp.info"  

internalproxy/templates/gitea.yaml

@@ -1,9 +0,0 @@
-kind: Service
-apiVersion: v1
-metadata:
-  name: gitea-external-dns
-  annotations:
-    external-dns.alpha.kubernetes.io/hostname: gitea.durp.info
-spec:
-  type: ExternalName
-  externalName: durp.info

internalproxy/templates/jellyfin.yaml

@@ -1,9 +0,0 @@
-kind: Service
-apiVersion: v1
-metadata:
-  name: jellyfin-external-dns
-  annotations:
-    external-dns.alpha.kubernetes.io/hostname: jellyfin.durp.info
-spec:
-  type: ExternalName
-  externalName: durp.info  

internalproxy/templates/kasm.yaml

@@ -1,9 +0,0 @@
-kind: Service
-apiVersion: v1
-metadata:
-  name: kasm-external-dns
-  annotations:
-    external-dns.alpha.kubernetes.io/hostname: kasm.durp.info
-spec:
-  type: ExternalName
-  externalName: durp.info

internalproxy/templates/plex.yaml

@@ -1,9 +0,0 @@
-kind: Service
-apiVersion: v1
-metadata:
-  name: plex-external-dns
-  annotations:
-    external-dns.alpha.kubernetes.io/hostname: plex.durp.info
-spec:
-  type: ExternalName
-  externalName: durp.info  

master/argocd/Chart.yaml

@@ -9,6 +9,6 @@ appVersion: "1.16.0"
 dependencies:
 - name: argo-cd
   repository: https://argoproj.github.io/argo-helm
-  version: 6.7.11
+  version: 6.11.1
 
 

master/argocd/templates/InternalProxy.yaml

@@ -8,7 +8,7 @@ spec:
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
     targetRevision: main
-    path: internalproxy
+    path: master/internalproxy
     directory:
       recurse: true
   destination:

master/argocd/templates/argocd.yaml

@@ -0,0 +1,59 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: argocd
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: main
+    path: master/argocd
+  destination:
+    namespace: argocd
+    name: in-cluster
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true  
+    syncOptions:
+      - CreateNamespace=true 
+
+---
+
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: argocd-ingress
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt-production
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`argocd.internal.durp.info`)
+      middlewares:
+        - name: whitelist
+          namespace: traefik
+      kind: Rule
+      services:
+        - name: argocd-server
+          port: 443
+          scheme: https
+  tls:
+    secretName: argocd-tls
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: argocd-tls
+spec:
+  secretName: argocd-tls
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "argocd.internal.durp.info"
+  dnsNames:
+    - "argocd.internal.durp.info"

master/argocd/templates/authentik.yaml

@@ -8,7 +8,7 @@ spec:
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
     targetRevision: main
-    path: authentik
+    path: master/authentik
   destination:
     namespace: authentik
     name: in-cluster

master/argocd/templates/bitwarden.yaml

@@ -8,7 +8,7 @@ spec:
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
     targetRevision: main
-    path: bitwarden
+    path: master/bitwarden
     directory:
       recurse: true
   destination:

master/argocd/templates/cert-manager.yaml

@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: cert-manager
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: main
+    path: master/cert-manager
+  destination:
+    namespace: cert-manager
+    name: in-cluster
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true  
+    syncOptions:
+      - CreateNamespace=true 

master/argocd/templates/crossplane.yml

@@ -8,7 +8,7 @@ spec:
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
     targetRevision: main
-    path: crossplane
+    path: master/crossplane
   destination:
     namespace: crossplane
     name: in-cluster

master/argocd/templates/durpapi.yaml

@@ -8,7 +8,7 @@ spec:
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
     targetRevision: main
-    path: durpapi
+    path: master/durpapi
   destination:
     namespace: durpapi
     name: in-cluster

master/argocd/templates/durpot.yaml

@@ -8,7 +8,7 @@ spec:
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
     targetRevision: main
-    path: durpot
+    path: master/durpot
   destination:
     namespace: durpot
     name: in-cluster

master/argocd/templates/external-dns.yaml

@@ -8,7 +8,7 @@ spec:
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
     targetRevision: main
-    path: external-dns
+    path: master/external-dns
   destination:
     namespace: external-dns
     name: in-cluster

master/argocd/templates/external-secrets.yaml

@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: external-secrets
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: main
+    path: master/external-secrets
+  destination:
+    namespace: external-secrets
+    name: in-cluster
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true  
+    syncOptions:
+      - CreateNamespace=true 

master/argocd/templates/gatekeeper.yaml

@@ -8,7 +8,7 @@ spec:
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
     targetRevision: main
-    path: gatekeeper
+    path: master/gatekeeper
   destination:
     namespace: gatekeeper
     name: in-cluster

master/argocd/templates/gitlab-runner.yaml

@@ -8,7 +8,7 @@ spec:
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
     targetRevision: main
-    path: gitlab-runner
+    path: master/gitlab-runner
   destination:
     namespace: gitlab-runner
     name: in-cluster

master/argocd/templates/heimdall.yaml

@@ -8,7 +8,7 @@ spec:
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
     targetRevision: main
-    path: heimdall
+    path: master/heimdall
   destination:
     namespace: heimdall
     name: in-cluster

master/argocd/templates/krakend.yaml

@@ -8,7 +8,7 @@ spec:
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
     targetRevision: main
-    path: krakend
+    path: master/krakend
   destination:
     namespace: krakend
     name: in-cluster

master/argocd/templates/kube-prometheus-stack.yaml

@@ -8,7 +8,7 @@ spec:
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
     targetRevision: main
-    path: kube-prometheus-stack
+    path: master/kube-prometheus-stack
   destination:
     namespace: kube-prometheus-stack
     name: in-cluster

master/argocd/templates/kubeclarity.yaml

@@ -8,7 +8,7 @@ spec:
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
     targetRevision: main
-    path: kubeclarity
+    path: master/kubeclarity
   destination:
     namespace: kubeclarity
     name: in-cluster

master/argocd/templates/littlelink.yaml

@@ -8,7 +8,7 @@ spec:
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
     targetRevision: main
-    path: littlelink
+    path: master/littlelink
     directory:
       recurse: true
   destination:

master/argocd/templates/longhorn.yaml

@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: longhorn-system
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: main
+    path: master/longhorn
+  destination:
+    namespace: longhorn-system
+    name: in-cluster
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true  
+    syncOptions:
+      - CreateNamespace=true 
+

master/argocd/templates/metallb-system.yaml

@@ -0,0 +1,22 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: metallb-system
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: main
+    path: master/metallb-system
+  destination:
+    namespace: metallb-system
+    name: in-cluster
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true  
+    syncOptions:
+      - CreateNamespace=true 
+
+

master/argocd/templates/nfs-client.yaml

@@ -8,7 +8,7 @@ spec:
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
     targetRevision: main
-    path: nfs-client
+    path: master/nfs-client
     directory:
       recurse: true
   destination:

master/argocd/templates/open-webui.yaml

@@ -8,7 +8,7 @@ spec:
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
     targetRevision: main
-    path: open-webui
+    path: master/open-webui
   destination:
     namespace: open-webui
     name: in-cluster

master/argocd/templates/traefik.yaml

@@ -1,16 +1,16 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
-  name: argocd
+  name: traefik
   namespace: argocd
 spec:
   project: default
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
     targetRevision: main
-    path: argocd
+    path: master/traefik
   destination:
-    namespace: argocd
+    namespace: traefik
     name: in-cluster
   syncPolicy:
     automated:

master/argocd/templates/uptimekuma.yaml

@@ -8,7 +8,7 @@ spec:
   source:
     repoURL: https://gitlab.com/developerdurp/homelab.git
     targetRevision: main
-    path: uptimekuma
+    path: master/uptimekuma
     directory:
       recurse: true
   destination:

master/argocd/templates/vault.yaml

@@ -0,0 +1,25 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: vault
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: https://gitlab.com/developerdurp/homelab.git
+    targetRevision: main
+    path: master/vault
+  destination:
+    namespace: vault
+    name: in-cluster
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+  ignoreDifferences:
+    - group: admissionregistration.k8s.io
+      kind: MutatingWebhookConfiguration
+      jqPathExpressions:
+        - .webhooks[]?.clientConfig.caBundle

master/authentik/Chart.yaml

@@ -9,4 +9,4 @@ appVersion: "1.16.0"
 dependencies:
 - name: authentik
   repository: https://charts.goauthentik.io
-  version: 2024.4.1
+  version: 2024.8.3

master/authentik/values.yaml

@@ -26,6 +26,8 @@ authentik:
   server:
     name: server
     replicas: 3
+  worker:
+    replicas: 3
   postgresql:
     enabled: true
     image:
@@ -42,6 +44,9 @@ authentik:
         - ReadWriteMany
   redis:
     enabled: true
+    master:
+      persistence:
+        enabled: false    
     image:
       registry: registry.internal.durp.info
       repository: bitnami/redis

master/bitwarden/templates/deployment.yaml

@@ -17,7 +17,7 @@ spec:
     spec:
       containers:
       - name: bitwarden
-        image: registry.internal.durp.info/vaultwarden/server:1.30.3
+        image: registry.internal.durp.info/vaultwarden/server:1.32.7
         imagePullPolicy: Always
         volumeMounts:
         - name: bitwarden-pvc

master/cert-manager/Chart.yaml

@@ -0,0 +1,11 @@
+apiVersion: v2
+name: cert-manager
+description: A Helm chart for Kubernetes
+type: application
+version: 0.0.1
+appVersion: 0.0.1
+
+dependencies:
+- name: cert-manager
+  repository: https://charts.jetstack.io
+  version: v1.15.3

master/crossplane/Chart.yaml

@@ -9,4 +9,4 @@ appVersion: "1.16.0"
 dependencies:
 - name: crossplane
   repository: https://charts.crossplane.io/stable
-  version: 1.12.0
+  version: 1.17.1

master/durpapi/Chart.yaml

@@ -1,11 +1,13 @@
-version: 0.1.0-dev0144
 apiVersion: v2
 name: durpapi
-dependencies:
-- version: 12.5.*
-  condition: postgresql.enabled
-  name: postgresql
-  repository: https://charts.bitnami.com/bitnami
 description: A Helm chart for Kubernetes
 type: application
+
+version: 0.1.0-dev0184
 appVersion: 0.1.0
+
+dependencies:
+- condition: postgresql.enabled
+  version: 12.5.*
+  repository: https://charts.bitnami.com/bitnami
+  name: postgresql

master/durpapi/values.yaml

@@ -10,15 +10,15 @@ deployment:
   probe:
     readiness:  
       httpGet:
-        path: /api/health/gethealth
+        path: /health/gethealth
         port: 8080
     liveness: 
       httpGet:
-        path: /api/health/gethealth
+        path: /health/gethealth
         port: 8080
     startup: 
       httpGet:
-        path: /api/health/gethealth
+        path: /health/gethealth
         port: 8080
 service:
   type: ClusterIP

master/external-dns/Chart.yaml

@@ -9,4 +9,4 @@ appVersion: 0.0.1
 dependencies:
 - name: external-dns
   repository: https://charts.bitnami.com/bitnami
-  version: 6.20.3
+  version: 8.3.8

master/external-dns/values.yaml

@@ -11,6 +11,6 @@ external-dns:
   provider: cloudflare
   cloudflare:
     secretName : "external-dns"
-    proxied: true
+    proxied: false
 
-  policy: sync
+  policy: sync

master/external-secrets/Chart.yaml

@@ -8,5 +8,5 @@ appVersion: 0.0.1
 dependencies:
 - name: external-secrets
   repository: https://charts.external-secrets.io
-  version: 0.8.1
+  version: 0.10.4