Pulling out more config, secrets

2024-07-07 00:33:01 +01:00 · 2024-07-07 00:33:01 +01:00 · 124b319b57
parent 7ac99af974
commit 124b319b57
23 changed files with 319 additions and 155 deletions
--- a/.gitignore
+++ b/.gitignore
@ -43,4 +43,6 @@ result
 .direnv/
 .env
 plan.out
-config.tf.json
+config.tf.json
+
+**/charts
--- a/kubernetes/atuin/VaultStaticSecret-postgres-atuin.yaml
+++ b/kubernetes/atuin/VaultStaticSecret-postgres-atuin.yaml
@ -1,14 +1,21 @@
 apiVersion: secrets.hashicorp.com/v1beta1
-kind: VaultStaticSecret
+kind: VaultDynamicSecret
 metadata:
  name: postgres-atuin
  namespace: atuin
 spec:
+  allowStaticCreds: true
  destination:
    create: true
    name: postgres-atuin
-  mount: kv
-  path: atuin/postgres-atuin
+    transformation:
+      templates:
+        ATUIN_DB_URI:
+          text: postgres://{{ .Secrets.username }}:{{ .Secrets.password }}@192.168.50.236/atuin
+  mount: database
+  path: static-creds/atuin
  refreshAfter: 30s
-  type: kv-v2
  vaultAuthRef: vault
+  rolloutRestartTargets:
+    - name: atuin
+      kind: Deployment
--- a/kubernetes/atuin/deployment.yaml
+++ b/kubernetes/atuin/deployment.yaml
@ -19,18 +19,17 @@ spec:
            - server
            - start
          env:
-            - name: ATUIN_DB_URI
-              valueFrom:
-                secretKeyRef:
-                  name: postgres-atuin
-                  key: uri
-                  optional: false
            - name: ATUIN_HOST
              value: 0.0.0.0
            - name: ATUIN_PORT
              value: "8888"
            - name: ATUIN_OPEN_REGISTRATION
              value: "false"
+            - name: RUST_LOG
+              value: "info,atuin_server=debug"
+          envFrom:
+            - secretRef:
+                name: postgres-atuin
          image: ghcr.io/atuinsh/atuin:v18.2.0
          name: atuin
          ports:
--- a/kubernetes/cloudflare/cloudflared.yaml
+++ b/kubernetes/cloudflare/cloudflared.yaml
@ -81,43 +81,3 @@ spec:
  podMetricsEndpoints:
  - port: metrics
    interval: 30s
---
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: cloudflared
-  namespace: cloudflare
-data:
-  config.yaml: |
-    tunnel: new-homelab
-    credentials-file: /etc/cloudflared/creds/credentials.json
-    metrics: 0.0.0.0:2000
-    no-autoupdate: true
-    warp-routing:
-      enabled: true
-    ingress:
-    - hostname: photos.gmem.ca
-      service: https://homelab.gmem.ca
-    - hostname: pw.gmem.ca
-      service: https://homelab.gmem.ca
-    - hostname: authentik.gmem.ca
-      service: https://homelab.gmem.ca
-    - hostname: nitter.gmem.ca
-      service: https://homelab.gmem.ca
-    - hostname: git.gmem.ca
-      service: https://homelab.gmem.ca
-    - hostname: proxmox.gmem.ca
-      service: https://homelab.gmem.ca
-    - hostname: tokyo.gmem.ca
-      service: https://homelab.gmem.ca
-    - hostname: ibiza.gmem.ca
-      service: https://homelab.gmem.ca
-    - hostname: chat.gmem.ca
-      service: https://homelab.gmem.ca
-    - hostname: paste.gmem.ca
-      service: https://homelab.gmem.ca
-    - hostname: e6.gmem.ca
-      service: https://homelab.gmem.ca
-    - hostname: minecraft-invites.gmem.ca
-      service: https://homelab.gmem.ca
-    - service: http_status:404
--- a/kubernetes/cloudflare/config.yaml
+++ b/kubernetes/cloudflare/config.yaml
@ -0,0 +1,32 @@
+tunnel: new-homelab
+credentials-file: /etc/cloudflared/creds/credentials.json
+metrics: 0.0.0.0:2000
+no-autoupdate: true
+warp-routing:
+  enabled: true
+ingress:
+- hostname: photos.gmem.ca
+  service: https://homelab.gmem.ca
+- hostname: pw.gmem.ca
+  service: https://homelab.gmem.ca
+- hostname: authentik.gmem.ca
+  service: https://homelab.gmem.ca
+- hostname: nitter.gmem.ca
+  service: https://homelab.gmem.ca
+- hostname: git.gmem.ca
+  service: https://homelab.gmem.ca
+- hostname: proxmox.gmem.ca
+  service: https://homelab.gmem.ca
+- hostname: tokyo.gmem.ca
+  service: https://homelab.gmem.ca
+- hostname: ibiza.gmem.ca
+  service: https://homelab.gmem.ca
+- hostname: chat.gmem.ca
+  service: https://homelab.gmem.ca
+- hostname: paste.gmem.ca
+  service: https://homelab.gmem.ca
+- hostname: e6.gmem.ca
+  service: https://homelab.gmem.ca
+- hostname: minecraft-invites.gmem.ca
+  service: https://homelab.gmem.ca
+- service: http_status:404
--- a/kubernetes/cloudflare/kustomization.yaml
+++ b/kubernetes/cloudflare/kustomization.yaml
@ -1,4 +1,18 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: cloudflare
+
+resources:
+- cloudflared.yaml
+- VaultAuth.yaml
+- VaultStaticSecret-tunnel-credentials.yaml
+- VaultStaticSecret-cloudflare-exporter.yaml
+
+configMapGenerator:
+- name: cloudflared
+  files:
+  - config.yaml
+
 helmCharts:
 - kubeVersion: '1.30'
  name: cloudflare-exporter
@ -13,10 +27,3 @@ helmCharts:
      labels:
        release: prometheus
  version: 0.2.1
-kind: Kustomization
-namespace: cloudflare
-resources:
- cloudflared.yml
- VaultAuth.yaml
- VaultStaticSecret-tunnel-credentials.yaml
- VaultStaticSecret-cloudflare-exporter.yaml
--- a/kubernetes/irc/Deployment-soju.yaml
+++ b/kubernetes/irc/Deployment-soju.yaml
@ -20,10 +20,7 @@ spec:
      containers:
      - env:
        - name: PGDATABASE
-          valueFrom:
-            secretKeyRef:
-              key: dbname
-              name: postgres-soju
+          value: soju
        - name: PGHOST
          value: 192.168.50.236
        - name: PGPASSWORD
@ -34,7 +31,7 @@ spec:
        - name: PGUSER
          valueFrom:
            secretKeyRef:
-              key: user
+              key: username
              name: postgres-soju
        image: git.gmem.ca/arch/soju:s3
        imagePullPolicy: Always
--- a/kubernetes/irc/VaultStaticSecret-postgres-soju.yaml
+++ b/kubernetes/irc/VaultStaticSecret-postgres-soju.yaml
@ -1,14 +1,18 @@
 apiVersion: secrets.hashicorp.com/v1beta1
-kind: VaultStaticSecret
+kind: VaultDynamicSecret
 metadata:
  name: postgres-soju
-  namespace: irc
+  namespace: soju
 spec:
+  allowStaticCreds: true
  destination:
    create: true
    name: postgres-soju
-  mount: kv
-  path: irc/postgres-soju
+    transformation:
+  mount: database
+  path: static-creds/soju
  refreshAfter: 30s
-  type: kv-v2
  vaultAuthRef: vault
+  rolloutRestartTargets:
+    - name: soju
+      kind: Deployment
--- a/kubernetes/jellyseerr/kustomization.yaml
+++ b/kubernetes/jellyseerr/kustomization.yaml
@ -6,3 +6,4 @@ resources:
 - Ingress-jellyseerr.yaml
 - VaultAuth.yaml
 - VaultStaticSecret-jellyseerr.yaml
+- ConfigMap-jellyseerr.yaml
--- a/kubernetes/nitter/ConfigMap-nitter-bot.yaml
+++ b/kubernetes/nitter/ConfigMap-nitter-bot.yaml
@ -0,0 +1,8 @@
+apiVersion: v1
+data:
+  NITTER_EXTERNAL_URL: https://nitter.gmem.ca
+  NITTER_URL: http://nitter:8080
+kind: ConfigMap
+metadata:
+  name: nitter-bot
+  namespace: nitter
--- a/kubernetes/nitter/ConfigMap-nitter.yaml
+++ b/kubernetes/nitter/ConfigMap-nitter.yaml
@ -0,0 +1,103 @@
+apiVersion: v1
+data:
+  nitter-ro.conf: |
+    [Server]
+    hostname = "nitter.gmem.ca"  # for generating links, change this to your own domain/ip
+    title = "nitter.gmem.ca"
+    address = "0.0.0.0"
+    port = 8081
+    https = false  # disable to enable cookies when not using https
+    httpMaxConnections = 100
+    staticDir = "./public"
+    readOnly = true
+
+    [Cache]
+    listMinutes = 240  # how long to cache list info (not the tweets, so keep it high)
+    rssMinutes = 10  # how long to cache rss queries
+    redisHost = "nitter-redis-master"  # Change to "nitter-redis" if using docker-compose
+    redisPort = 6379
+    redisPassword = ""
+    redisConnections = 20  # minimum open connections in pool
+    redisMaxConnections = 30
+    # new connections are opened when none are available, but if the pool size
+    # goes above this, they're closed when released. don't worry about this unless
+    # you receive tons of requests per second
+
+    [Config]
+    hmacKey = "66c3d14a0576c2c0fb723a2193f8f7a49f8f70a87c4e3b5b278cafa988cd3df25f92dc6d59fe2e44ca0316f850df4d42849833ebd3fbf2dba07479b20ebb543e"  # random key for cryptographic signing of video urls
+    base64Media = false  # use base64 encoding for proxied media urls
+    enableRSS = true  # set this to false to disable RSS feeds
+    enableDebug = false  # enable request logs and debug endpoints (/.tokens)
+    proxy = ""  # http/https url, SOCKS proxies are not supported
+    proxyAuth = ""
+    tokenCount = 10
+    # minimum amount of usable tokens. tokens are used to authorize API requests,
+    # but they expire after ~1 hour, and have a limit of 500 requests per endpoint.
+    # the limits reset every 15 minutes, and the pool is filled up so there's
+    # always at least `tokenCount` usable tokens. only increase this if you receive
+    # major bursts all the time and don't have a rate limiting setup via e.g. nginx
+
+    # cookieHeader = "ct0=a5239634ecfbbdfe8c4826016062b7c1d3f5db7f5ccf45898d854739541810865323f2535c504bcd4f3907ee888379b02871a4fa78abace77c6f155c515740e99fb8add35bcd38ac534927e6c5744ba2; auth_token=cd6e00f611df987100a886885b019a3c6b575c97" # authentication cookie of a logged in account, required for the likes tab and NSFW content
+    # xCsrfToken = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" # required for the likes tab and NSFW content
+
+    # Change default preferences here, see src/prefs_impl.nim for a complete list
+    [Preferences]
+    theme = "Nitter"
+    replaceTwitter = "nitter.gmem.ca"
+    replaceYouTube = "piped.video"
+    replaceReddit = "teddit.net"
+    proxyVideos = false
+    hlsPlayback = true
+    infiniteScroll = true
+  nitter.conf: |
+    [Server]
+    hostname = "nitter.gmem.ca"  # for generating links, change this to your own domain/ip
+    title = "nitter.gmem.ca"
+    address = "0.0.0.0"
+    port = 8080
+    https = false  # disable to enable cookies when not using https
+    httpMaxConnections = 100
+    staticDir = "./public"
+
+    [Cache]
+    listMinutes = 240  # how long to cache list info (not the tweets, so keep it high)
+    rssMinutes = 10  # how long to cache rss queries
+    redisHost = "nitter-redis-master"  # Change to "nitter-redis" if using docker-compose
+    redisPort = 6379
+    redisPassword = ""
+    redisConnections = 20  # minimum open connections in pool
+    redisMaxConnections = 30
+    # new connections are opened when none are available, but if the pool size
+    # goes above this, they're closed when released. don't worry about this unless
+    # you receive tons of requests per second
+
+    [Config]
+    hmacKey = "66c3d14a0576c2c0fb723a2193f8f7a49f8f70a87c4e3b5b278cafa988cd3df25f92dc6d59fe2e44ca0316f850df4d42849833ebd3fbf2dba07479b20ebb543e"  # random key for cryptographic signing of video urls
+    base64Media = false  # use base64 encoding for proxied media urls
+    enableRSS = true  # set this to false to disable RSS feeds
+    enableDebug = false  # enable request logs and debug endpoints (/.tokens)
+    proxy = ""  # http/https url, SOCKS proxies are not supported
+    proxyAuth = ""
+    tokenCount = 10
+    # minimum amount of usable tokens. tokens are used to authorize API requests,
+    # but they expire after ~1 hour, and have a limit of 500 requests per endpoint.
+    # the limits reset every 15 minutes, and the pool is filled up so there's
+    # always at least `tokenCount` usable tokens. only increase this if you receive
+    # major bursts all the time and don't have a rate limiting setup via e.g. nginx
+
+    # cookieHeader = "ct0=a5239634ecfbbdfe8c4826016062b7c1d3f5db7f5ccf45898d854739541810865323f2535c504bcd4f3907ee888379b02871a4fa78abace77c6f155c515740e99fb8add35bcd38ac534927e6c5744ba2; auth_token=cd6e00f611df987100a886885b019a3c6b575c97" # authentication cookie of a logged in account, required for the likes tab and NSFW content
+    # xCsrfToken = "XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" # required for the likes tab and NSFW content
+
+    # Change default preferences here, see src/prefs_impl.nim for a complete list
+    [Preferences]
+    theme = "Nitter"
+    replaceTwitter = "nitter.gmem.ca"
+    replaceYouTube = "piped.gmem.ca"
+    replaceReddit = "red.gmem.ca"
+    proxyVideos = false
+    hlsPlayback = true
+    infiniteScroll = true
+kind: ConfigMap
+metadata:
+  name: nitter
+  namespace: nitter
--- a/kubernetes/nitter/kustomization.yaml
+++ b/kubernetes/nitter/kustomization.yaml
@ -11,6 +11,8 @@ resources:
 - VaultAuth.yaml
 - VaultStaticSecret-nitter-bot.yaml
 - VaultStaticSecret-nitter.yaml
+- ConfigMap-nitter.yaml
+- ConfigMap-nitter-bot.yaml

 helmCharts:
 - name: redis
--- a/kubernetes/searxng/ConfigMap-searxng-3e1ca337d7.yaml
+++ b/kubernetes/searxng/ConfigMap-searxng-3e1ca337d7.yaml
@ -1,29 +0,0 @@
-apiVersion: v1
-data:
-  limiter.toml: '# This configuration file updates the default configuration file
-
-    # See https://github.com/searxng/searxng/blob/master/searx/botdetection/limiter.toml
-
-
-    [botdetection.ip_limit]
-
-    # activate link_token method in the ip_limit method
-
-    link_token = true
-
-    '
-  settings.yml: "use_default_settings: true\nserver:\n  image_proxy: true\n  http_protocol_version:\
-    \ \"1.1\"\n  method: \"GET\"\nui:\n  static_use_hash: true\nredis:\n  url: redis://searxng-redis-master:6379/0\n\
-    general:\n  instance_name: search.gmem.ca\nhostname_replace:\n  '(.*\\.)?youtube\\\
-    .com$': 'piped.gmem.ca'\n  '(.*\\.)?youtu\\.be$': 'piped.gmem.ca'\n  '(.*\\.)?youtube-noocookie\\\
-    .com$': 'piped.gmem.ca'\n  '(www\\.)?twitter\\.com$': 'nitter.gmem.ca'\n  '(www\\\
-    .)?x\\.com$': 'nitter.gmem.ca'\n  '(.*\\.)?reddit\\.com$': 'red.gmem.ca'\n"
-kind: ConfigMap
-metadata:
-  annotations:
-    kubenix/k8s-version: '1.30'
-    kubenix/project-name: kubenix
-  labels:
-    kubenix/hash: e672eb08bf0db5ef675b3b6036ca047f43b4614f
-  name: searxng-3e1ca337d7
-  namespace: searxng
--- a/kubernetes/searxng/Deployment-searxng.yaml
+++ b/kubernetes/searxng/Deployment-searxng.yaml
@ -42,5 +42,5 @@ spec:
          subPath: limiter.toml
      volumes:
      - configMap:
-          name: searxng-3e1ca337d7
+          name: searxng
        name: config
--- a/kubernetes/searxng/kustomization.yaml
+++ b/kubernetes/searxng/kustomization.yaml
@ -1,4 +1,8 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: searxng
+
 helmCharts:
 - name: redis
  releaseName: searxng-redis
@ -12,12 +16,16 @@ helmCharts:
      repository: redict
      tag: 7.3-compat
  version: 18.6.1
-kind: Kustomization
-namespace: searxng
+
 resources:
- ConfigMap-searxng-3e1ca337d7.yaml
 - Deployment-searxng.yaml
 - Service-searxng.yaml
 - Ingress-searxng.yaml
 - VaultAuth.yaml
 - VaultStaticSecret-searxng.yaml
+
+configMapGenerator:
+- name: searxng
+  files:
+  - limiter.toml
+  - settings.yml
--- a/kubernetes/searxng/limiter.toml
+++ b/kubernetes/searxng/limiter.toml
@ -0,0 +1,6 @@
+# This configuration file updates the default configuration file
+
+# See https://github.com/searxng/searxng/blob/master/searx/botdetection/limiter.toml
+[botdetection.ip_limit]
+# activate link_token method in the ip_limit method
+link_token = true
--- a/kubernetes/searxng/settings.yml
+++ b/kubernetes/searxng/settings.yml
@ -0,0 +1,19 @@
+use_default_settings: true
+server:
+  image_proxy: true
+  http_protocol_version: "1.1"
+  method: "GET"
+ui:
+  static_use_hash: true
+redis:
+  url: redis://searxng-redis-master:6379/0
+general:
+  instance_name: search.gmem.ca
+hostnames:
+  replace:
+    '(.*\.)?youtube\.com$': 'piped.gmem.ca'
+    '(.*\.)?youtube\.com$': 'piped.gmem.ca'
+    '(.*\.)?youtube-noocookie.com$': 'piped.gmem.ca'
+    '(.*\.)?twitter.com$': 'nitter.gmem.ca'
+    '(.*\.)?x.com$': 'nitter.gmem.ca'
+    '(.*\.)?reddit.com$': 'red.gmem.ca'
--- a/kubernetes/vaultwarden/VaultStaticSecret-vaultwarden.yaml
+++ b/kubernetes/vaultwarden/VaultStaticSecret-vaultwarden.yaml
@ -12,3 +12,25 @@ spec:
  refreshAfter: 30s
  type: kv-v2
  vaultAuthRef: vault
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultDynamicSecret
+metadata:
+  name: postgres-vaultwarden
+  namespace: vaultwarden
+spec:
+  allowStaticCreds: true
+  destination:
+    create: true
+    name: postgres-vaultwarden
+    transformation:
+      templates:
+        DATABASE_URL:
+          text: postgres://{{ .Secrets.username }}:{{ .Secrets.password }}@192.168.50.236/vaultwarden
+  mount: database
+  path: static-creds/vaultwarden
+  refreshAfter: 30s
+  vaultAuthRef: vault
+  rolloutRestartTargets:
+    - name: vaultwarden
+      kind: Deployment
--- a/kubernetes/vaultwarden/deployment.yaml
+++ b/kubernetes/vaultwarden/deployment.yaml
@ -16,10 +16,6 @@ spec:
      volumes:
        - name: data-dir
          emptyDir: {}
-        - name: rsa-keys
-          secret:
-            secretName: vaultwarden-rsa
-            defaultMode: 0644
      containers:
        - name: vaultwarden
          image: vaultwarden/server:testing
@ -34,8 +30,10 @@ spec:
          envFrom:
            - secretRef:
                name: vaultwarden
+            - secretRef:
+                name: postgres-vaultwarden
            - configMapRef:
-                name: vaultwarden-env
+                name: vaultwarden
          env:
            - name: LOG_LEVEL
              value: debug
@ -43,9 +41,6 @@ spec:
            - containerPort: 80
              name: web
          volumeMounts:
-            - name: rsa-keys
-              mountPath: /data/keys
-              readOnly: true
            - name: data-dir
              mountPath: /data
 ---
@ -87,49 +82,3 @@ spec:
                name:  vaultwarden
                port:
                  number: 80
---
-apiVersion: secrets.infisical.com/v1alpha1
-kind: InfisicalSecret
-metadata:
-  name: vaultwarden
-  namespace: vaultwarden
-spec:
-  hostAPI: http://infisical:8080
-  resyncInterval: 10
-  authentication:
-    kubernetesAuth:
-      identityId: 68d1f432-7b0a-4e4a-b439-acbbbc160f1e
-      serviceAccountRef:
-        name: infisical-auth
-        namespace: infisical
-      secretsScope:
-        projectSlug: kubernetes-homelab-dp67
-        envSlug: prod
-        secretsPath: "/vaultwarden"
-  managedSecretReference:
-    secretName: vaultwarden
-    secretNamespace: vaultwarden
-    creationPolicy: "Owner"
---
-apiVersion: secrets.infisical.com/v1alpha1
-kind: InfisicalSecret
-metadata:
-  name: vaultwarden-rsa
-  namespace: vaultwarden
-spec:
-  hostAPI: http://infisical:8080
-  resyncInterval: 10
-  authentication:
-    kubernetesAuth:
-      identityId: 68d1f432-7b0a-4e4a-b439-acbbbc160f1e
-      serviceAccountRef:
-        name: infisical-auth
-        namespace: infisical
-      secretsScope:
-        projectSlug: kubernetes-homelab-dp67
-        envSlug: prod
-        secretsPath: "/vaultwarden/keys"
-  managedSecretReference:
-    secretName: vaultwarden-rsa
-    secretNamespace: vaultwarden
-    creationPolicy: "Owner"
--- a/kubernetes/vaultwarden/kustomization.yaml
+++ b/kubernetes/vaultwarden/kustomization.yaml
@ -1,6 +1,14 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
+
+namespace: vaultwarden
+
 resources:
 - VaultAuth.yaml
 - VaultStaticSecret-vaultwarden.yaml
 - deployment.yaml
+
+configMapGenerator:
+- name: vaultwarden
+  envs:
+  - vaultwarden.env
--- a/kubernetes/vaultwarden/vaultwarden.env
+++ b/kubernetes/vaultwarden/vaultwarden.env
@ -0,0 +1,15 @@
+DOMAIN=https://pw.gmem.ca
+ENABLE_WEBSOCKET=true
+EXTENDED_LOGGING=true
+IP_HEADER=X-Real-IP
+LOG_LEVEL=error
+PUSH_ENABLED=true
+PUSH_IDENTITY_URI=https://identity.bitwarden.eu
+PUSH_RELAY_URI=https://push.bitwarden.eu
+RSA_KEY_FILENAME=/data/rsa_key
+SIGNUPS_ALLOWED=false
+SIGNUPS_VERIFY=true
+SMTP_FROM=vaultwarden@gmem.ca
+SMTP_FROM_NAME=Arch's Vault
+SMTP_PORT=465
+SMTP_SECURITY=force_tls
--- a/kubernetes/vrchat/config.toml
+++ b/kubernetes/vrchat/config.toml
@ -0,0 +1,36 @@
+[groups.waterwolf]
+id = "grp_41df2df4-be4e-4a4e-be5e-eabb1425c4e5"
+vrcdn = "waterwolf"
+
+[groups.vibenight]
+id = "grp_8cf1101a-e75d-4e80-b5d5-c5ba2916cce8"
+vrcdn = "vibenight"
+
+[groups.vibenight-roxy]
+id = ""
+vrcdn = "roxyreee"
+
+[groups.zrave]
+id = "grp_f65e9e2e-c2a4-46af-a787-0e7c5d6be03c"
+vrcdn = "furxmas"
+
+[groups.eufuria]
+id = "grp_47c07467-c09a-4354-bba2-31e103b3c934"
+vrcdn = "technicallysane"
+
+[groups.waterwolf-nullreff]
+id = ""
+vrcdn = "nullreff"
+
+[groups.con-vr-portals]
+id = "grp_dcddb898-14bf-41ab-8c3e-e874847be6c9"
+
+#[groups.furality]
+#id = "grp_210dbc09-c3da-4ebb-b641-73c99ce2619b"
+#vrcdn = "furalityvrcdn"
+
+[worlds]
+"becki" = "wrld_e3a45ec6-a319-42af-b68d-f82f47bddef3"
+"foxxcon" = "wrld_27806231-964b-4fbe-add8-10bf14be8071"
+"becki v2" = "wrld_74f11f39-9064-4d03-93e9-2141f4a60147"
+
--- a/kubernetes/vrchat/kustomization.yaml
+++ b/kubernetes/vrchat/kustomization.yaml
@ -1,7 +1,15 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
+
+namespace: vrchat
+
 resources:
 - Deployment-vrchat-prometheus-adapter.yaml
 - Service-vrchat-prometheus-adapter.yaml
 - ServiceMonitor-vrchat-prometheus-adapter.yaml
 - VaultAuth.yaml
+
+configMapGenerator:
+- name: vrchat-prometheus-adapter
+  files:
+  - config.toml