diff --git a/kubernetes/atuin/Namespace-atuin.yaml b/kubernetes/atuin/Namespace-atuin.yaml
new file mode 100644
index 0000000..ccbdcfd
--- /dev/null
+++ b/kubernetes/atuin/Namespace-atuin.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: atuin
diff --git a/kubernetes/atuin/kustomization.yaml b/kubernetes/atuin/kustomization.yaml
index ba68706..41841d8 100644
--- a/kubernetes/atuin/kustomization.yaml
+++ b/kubernetes/atuin/kustomization.yaml
@@ -4,3 +4,4 @@ resources:
 - VaultAuth.yaml
 - VaultStaticSecret-postgres-atuin.yaml
 - deployment.yaml
+- Namespace-atuin.yaml
diff --git a/kubernetes/authentik/Namespace-authentik.yaml b/kubernetes/authentik/Namespace-authentik.yaml
new file mode 100644
index 0000000..bb24d8d
--- /dev/null
+++ b/kubernetes/authentik/Namespace-authentik.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: authentik
diff --git a/kubernetes/authentik/kustomization.yaml b/kubernetes/authentik/kustomization.yaml
index 5524721..516236a 100644
--- a/kubernetes/authentik/kustomization.yaml
+++ b/kubernetes/authentik/kustomization.yaml
@@ -13,3 +13,4 @@ resources:
 - VaultAuth.yaml
 - VaultStaticSecret-postgres-authentik.yaml
 - VaultStaticSecret-authentik-secrets.yaml
+- Namespace-authentik.yaml
diff --git a/kubernetes/misc/issuer.yml b/kubernetes/cert-manager/ClusterIssuer-cloudflare.yaml
similarity index 100%
rename from kubernetes/misc/issuer.yml
rename to kubernetes/cert-manager/ClusterIssuer-cloudflare.yaml
diff --git a/kubernetes/cert-manager/Namespace-cert-manager.yaml b/kubernetes/cert-manager/Namespace-cert-manager.yaml
new file mode 100644
index 0000000..0d43ae7
--- /dev/null
+++ b/kubernetes/cert-manager/Namespace-cert-manager.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: cert-manager
+ labels:
+ pod-security.kubernetes.io/enforce: privileged
diff --git a/kubernetes/cert-manager/kustomization.yaml b/kubernetes/cert-manager/kustomization.yaml
index bbd2ea8..1e682b1 100644
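Review bot: `pod-security.kubernetes.io/enforce: privileged` switches Pod Security Admission off for the cert-manager namespace, although cert-manager's controller, webhook and cainjector pods do not use host namespaces, privileged containers or host ports and should admit under `baseline` (likely even `restricted`). The same label is added to the ingress-nginx, prometheus, smarthome and vault-secrets-operator namespaces elsewhere in this commit; ingress-nginx as a DaemonSet may genuinely need it if it binds host ports, but the others deserve the same question. Suggest `pod-security.kubernetes.io/enforce: baseline` together with `pod-security.kubernetes.io/warn: restricted` so violations are reported before tightening further. Since this file is also used as a strategic-merge patch in the cert-manager kustomization, this label is what lands on the upstream Namespace object.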
--- a/kubernetes/cert-manager/kustomization.yaml +++ b/kubernetes/cert-manager/kustomization.yaml @@ -4,3 +4,7 @@ namespace: cert-manager resources: - VaultAuth.yaml - VaultStaticSecret-cloudflare-cert-api.yaml +- ClusterIssuer-cloudflare.yaml +- https://github.com/cert-manager/cert-manager/releases/download/v1.15.1/cert-manager.yaml +patches: +- path: Namespace-cert-manager.yaml diff --git a/kubernetes/cloudflare/Namespace-cloudflare.yaml b/kubernetes/cloudflare/Namespace-cloudflare.yaml new file mode 100644 index 0000000..b7626fc --- /dev/null +++ b/kubernetes/cloudflare/Namespace-cloudflare.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: cloudflare diff --git a/kubernetes/cloudflare/config.yaml b/kubernetes/cloudflare/config.yaml index 10ee5b2..d4a75be 100644 --- a/kubernetes/cloudflare/config.yaml +++ b/kubernetes/cloudflare/config.yaml @@ -12,7 +12,7 @@ ingress: - hostname: authentik.gmem.ca service: https://homelab.gmem.ca - hostname: nitter.gmem.ca - service: https://homelab.gmem.ca + service: http://nitter.nitter.svc.cluster.local:8081 - hostname: git.gmem.ca service: https://homelab.gmem.ca - hostname: proxmox.gmem.ca diff --git a/kubernetes/cloudflare/kustomization.yaml b/kubernetes/cloudflare/kustomization.yaml index 6a602c5..8674a4a 100644 --- a/kubernetes/cloudflare/kustomization.yaml +++ b/kubernetes/cloudflare/kustomization.yaml @@ -7,6 +7,7 @@ resources: - VaultAuth.yaml - VaultStaticSecret-tunnel-credentials.yaml - VaultStaticSecret-cloudflare-exporter.yaml +- Namespace-cloudflare.yaml configMapGenerator: - name: cloudflared @@ -27,3 +28,4 @@ helmCharts: labels: release: prometheus version: 0.2.1 + diff --git a/kubernetes/duplikate/Namespace-duplikate.yaml b/kubernetes/duplikate/Namespace-duplikate.yaml new file mode 100644 index 0000000..07aa81d --- /dev/null +++ b/kubernetes/duplikate/Namespace-duplikate.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: duplikate 
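Review bot: The remote resource `https://github.com/cert-manager/cert-manager/releases/download/v1.15.1/cert-manager.yaml` is downloaded on every `kustomize build` with no integrity check, so the rendered cluster state depends on GitHub being reachable and on that release asset never being replaced; kustomize has no checksum mechanism for URL resources. Prefer vendoring the manifest into this directory with a comment recording the upstream version, or at least verify the download against the release's published checksum before committing it. Also note that `namespace: cert-manager` at the top of this kustomization rewrites the namespace of every namespaced object in the upstream manifest (and, as far as I recall, renames any Namespace object in it), which lines up today but would silently move objects if a future bump adds resources in another namespace.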
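Review bot: Routing `nitter.gmem.ca` straight to `http://nitter.nitter.svc.cluster.local:8081` bypasses ingress-nginx, so anything the nitter Ingress enforces (auth or body-size annotations, the real-IP handling configured in this same commit) no longer applies to tunnel traffic for that host; if the Ingress was the only place access control lived, that path is now open from the tunnel's perspective. Every other hostname in this hunk still goes via `https://homelab.gmem.ca`, so the exception deserves a comment on the line, e.g. `# direct to the Service; bypasses ingress-nginx` — and a check that nothing on the Ingress was load-bearing.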
diff --git a/kubernetes/duplikate/kustomization.yaml b/kubernetes/duplikate/kustomization.yaml
index 9624822..575115c 100644
--- a/kubernetes/duplikate/kustomization.yaml
+++ b/kubernetes/duplikate/kustomization.yaml
@@ -18,3 +18,4 @@ resources:
 - Deployment-duplikate.yaml
 - VaultAuth.yaml
 - VaultStaticSecret-duplikate.yaml
+- Namespace-duplikate.yaml
diff --git a/kubernetes/e6-gallery/Namespace-e6-gallery.yaml b/kubernetes/e6-gallery/Namespace-e6-gallery.yaml
new file mode 100644
index 0000000..8210a06
--- /dev/null
+++ b/kubernetes/e6-gallery/Namespace-e6-gallery.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: e6-gallery
diff --git a/kubernetes/e6-gallery/VaultStaticSecret-regcred.yaml b/kubernetes/e6-gallery/VaultStaticSecret-regcred.yaml
index daa8c34..17aa91b 100644
--- a/kubernetes/e6-gallery/VaultStaticSecret-regcred.yaml
+++ b/kubernetes/e6-gallery/VaultStaticSecret-regcred.yaml
@@ -7,6 +7,7 @@ spec:
 destination:
 create: true
 name: regcred
+ type: kubernetes.io/dockerconfigjson
 mount: kv
 path: e6-gallery/regcred
 refreshAfter: 30s
diff --git a/kubernetes/e6-gallery/kustomization.yaml b/kubernetes/e6-gallery/kustomization.yaml
index d1956fa..7716633 100644
--- a/kubernetes/e6-gallery/kustomization.yaml
+++ b/kubernetes/e6-gallery/kustomization.yaml
@@ -7,3 +7,4 @@ resources:
 - VaultAuth.yaml
 - VaultStaticSecret-regcred.yaml
 - e6-gallery.yaml
+- Namespace-e6-gallery.yaml
diff --git a/kubernetes/endpoints/Endpoints-photos.yaml b/kubernetes/endpoints/Endpoints-photos.yaml
new file mode 100644
index 0000000..8411dab
--- /dev/null
+++ b/kubernetes/endpoints/Endpoints-photos.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Endpoints
+metadata:
+ name: photos
+ namespace: endpoints
+subsets:
+- addresses:
+ - ip: 192.168.50.229
+ ports:
+ - name: photos
+ port: 443
+ protocol: TCP
diff --git a/kubernetes/endpoints/Ingress-photos.yaml b/kubernetes/endpoints/Ingress-photos.yaml
new file mode 100644
index 0000000..31e6425
--- /dev/null
+++ b/kubernetes/endpoints/Ingress-photos.yaml
@@ -0,0 +1,23 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ annotations:
+ nginx.ingress.kubernetes.io/backend-protocol: HTTPS
+ nginx.ingress.kubernetes.io/proxy-body-size: 10g
+ name: photos
+ namespace: endpoints
+spec:
+ rules:
+ - host: photos.gmem.ca
+ http:
+ paths:
+ - backend:
+ service:
+ name: photos
+ port:
+ number: 443
+ path: /
+ pathType: Prefix
+ tls:
+ - hosts:
+ - photos.gmem.ca
diff --git a/kubernetes/endpoints/Namespace-endpoints.yaml b/kubernetes/endpoints/Namespace-endpoints.yaml
new file mode 100644
index 0000000..ed4a5ac
--- /dev/null
+++ b/kubernetes/endpoints/Namespace-endpoints.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: endpoints
diff --git a/kubernetes/endpoints/Service-photos.yaml b/kubernetes/endpoints/Service-photos.yaml
new file mode 100644
index 0000000..96e0767
--- /dev/null
+++ b/kubernetes/endpoints/Service-photos.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: photos
+ namespace: endpoints
+spec:
+ ports:
+ - name: photos
+ port: 443
+ targetPort: 443
diff --git a/kubernetes/endpoints/kustomization.yaml b/kubernetes/endpoints/kustomization.yaml
index 5a69570..b55372c 100644
--- a/kubernetes/endpoints/kustomization.yaml
+++ b/kubernetes/endpoints/kustomization.yaml
@@ -6,16 +6,20 @@ resources:
 - Endpoints-ibiza.yaml
 - Endpoints-proxmox.yaml
 - Endpoints-tokyo.yaml
+- Endpoints-photos.yaml
 - Service-austin.yaml
 - Service-git.yaml
 - Service-ibiza.yaml
 - Service-proxmox.yaml
 - Service-tokyo.yaml
+- Service-photos.yaml
 - Ingress-austin.yaml
 - Ingress-git.yaml
 - Ingress-ibiza.yaml
 - Ingress-proxmox.yaml
 - Ingress-tokyo.yaml
+- Ingress-photos.yaml
 - Endpoints-secrets.yaml
 - Ingress-secrets.yaml
 - Service-secrets.yaml
+- Namespace-endpoints.yaml
diff --git a/kubernetes/homepage/Namespace-homepage.yaml b/kubernetes/homepage/Namespace-homepage.yaml
new file mode 100644
index 0000000..19d1b55
--- /dev/null
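Review bot: The `tls` entry for `photos.gmem.ca` has no `secretName` and the object carries no cert-manager annotation, so ingress-nginx will serve this host with its default certificate (the built-in self-signed one unless the controller was started with `--default-ssl-certificate`), and clients will see a name mismatch. With a ClusterIssuer now present in this commit the fix is two lines: `secretName: photos-tls` (constructed name) under the `tls` entry, plus a `cert-manager.io/cluster-issuer` annotation naming that issuer. Separately, `backend-protocol: HTTPS` to the static endpoint `192.168.50.229` does not verify the upstream certificate by default; if that host presents a stable certificate, `nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"` with `proxy-ssl-secret` pointing at its CA closes that gap. The sibling Ingress files in this directory are not in the diff, so this may be the existing pattern there too.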
+++ b/kubernetes/homepage/Namespace-homepage.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: homepage diff --git a/kubernetes/homepage/kustomization.yaml b/kubernetes/homepage/kustomization.yaml index df1a817..58b4c70 100644 --- a/kubernetes/homepage/kustomization.yaml +++ b/kubernetes/homepage/kustomization.yaml @@ -14,3 +14,4 @@ patches: resources: - ./VaultStaticSecret-homepage-config.yaml - ./VaultAuth.yaml +- Namespace-homepage.yaml diff --git a/kubernetes/ingress-nginx/Namespace-ingress-nginx.yaml b/kubernetes/ingress-nginx/Namespace-ingress-nginx.yaml new file mode 100644 index 0000000..f008bb1 --- /dev/null +++ b/kubernetes/ingress-nginx/Namespace-ingress-nginx.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: ingress-nginx + labels: + pod-security.kubernetes.io/enforce: privileged diff --git a/kubernetes/ingress-nginx/kustomization.yaml b/kubernetes/ingress-nginx/kustomization.yaml index 6f9b638..cd59ff8 100644 --- a/kubernetes/ingress-nginx/kustomization.yaml +++ b/kubernetes/ingress-nginx/kustomization.yaml @@ -10,3 +10,5 @@ helmCharts: kind: Kustomization namespace: ingress-nginx +resources: +- Namespace-ingress-nginx.yaml diff --git a/kubernetes/ingress-nginx/nginx.yaml b/kubernetes/ingress-nginx/nginx.yaml index c7ddc13..efdaa66 100644 --- a/kubernetes/ingress-nginx/nginx.yaml +++ b/kubernetes/ingress-nginx/nginx.yaml @@ -1,5 +1,11 @@ controller: kind: DaemonSet + config: + enable-real-ip: "true" + use-proxy-protocol: "true" + enable-brotli: "true" + proxy-send-timeout: "30" + proxy-read-timeout: "30" metrics: enabled: true serviceMonitor: diff --git a/kubernetes/irc/Namespace-irc.yaml b/kubernetes/irc/Namespace-irc.yaml new file mode 100644 index 0000000..fdbf70a --- /dev/null +++ b/kubernetes/irc/Namespace-irc.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: irc diff --git a/kubernetes/irc/kustomization.yaml b/kubernetes/irc/kustomization.yaml index 249ecca..8254de9 100644 
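Review bot: `use-proxy-protocol: "true"` together with `enable-real-ip: "true"` makes the controller take the client address from the PROXY header on every accepted connection, and nothing in this `config:` block limits which peers may send one; with the controller running as a DaemonSet, any client that can reach its listening ports directly can forge the header and spoof a source address in logs, allowlists and rate limits (and a client that omits the header gets a connection error). Add `proxy-real-ip-cidr` to the same block, restricted to the address range of the load balancer or tunnel that actually speaks PROXY protocol, e.g. `proxy-real-ip-cidr: "<LB_CIDR placeholder>"`, and confirm that front end is configured to send it. The enclosing `controller:` map continues outside the hunk.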
--- a/kubernetes/irc/kustomization.yaml +++ b/kubernetes/irc/kustomization.yaml @@ -14,8 +14,10 @@ resources: - VaultAuth.yaml - VaultStaticSecret-postgres-soju.yaml - VaultStaticSecret-soju.yaml +- Namespace-irc.yaml configMapGenerator: - name: soju files: - config.in + diff --git a/kubernetes/jellyseerr/Namespace-jellyseerr.yaml b/kubernetes/jellyseerr/Namespace-jellyseerr.yaml new file mode 100644 index 0000000..419fe60 --- /dev/null +++ b/kubernetes/jellyseerr/Namespace-jellyseerr.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: jellyseerr diff --git a/kubernetes/jellyseerr/kustomization.yaml b/kubernetes/jellyseerr/kustomization.yaml index 1967f48..3a45573 100644 --- a/kubernetes/jellyseerr/kustomization.yaml +++ b/kubernetes/jellyseerr/kustomization.yaml @@ -7,3 +7,4 @@ resources: - VaultAuth.yaml - VaultStaticSecret-jellyseerr.yaml - ConfigMap-jellyseerr.yaml +- Namespace-jellyseerr.yaml diff --git a/kubernetes/kustomization.yaml b/kubernetes/kustomization.yaml index 49d1016..c9f57d8 100644 --- a/kubernetes/kustomization.yaml +++ b/kubernetes/kustomization.yaml @@ -26,3 +26,4 @@ resources: - vault-secrets-operator - vaultwarden - smarthome +- cert-manager diff --git a/kubernetes/librespeed/Namespace-librespeed.yaml b/kubernetes/librespeed/Namespace-librespeed.yaml new file mode 100644 index 0000000..50bc20f --- /dev/null +++ b/kubernetes/librespeed/Namespace-librespeed.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: librespeed diff --git a/kubernetes/librespeed/kustomization.yaml b/kubernetes/librespeed/kustomization.yaml index 697d46c..3e1a860 100644 --- a/kubernetes/librespeed/kustomization.yaml +++ b/kubernetes/librespeed/kustomization.yaml @@ -4,3 +4,4 @@ resources: - Deployment-librespeed.yaml - Service-librespeed.yaml - Ingress-librespeed.yaml +- Namespace-librespeed.yaml 
diff --git a/kubernetes/metube/Namespace-metube.yaml b/kubernetes/metube/Namespace-metube.yaml
new file mode 100644
index 0000000..6bafd26
--- /dev/null
+++ b/kubernetes/metube/Namespace-metube.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: metube
diff --git a/kubernetes/metube/kustomization.yaml b/kubernetes/metube/kustomization.yaml
index 52da786..5473803 100644
--- a/kubernetes/metube/kustomization.yaml
+++ b/kubernetes/metube/kustomization.yaml
@@ -4,3 +4,4 @@ resources:
 - Deployment-metube.yaml
 - Service-metube.yaml
 - Ingress-metube.yaml
+- Namespace-metube.yaml
diff --git a/kubernetes/minecraft-invites/Namespace-minecraft-invites.yaml b/kubernetes/minecraft-invites/Namespace-minecraft-invites.yaml
new file mode 100644
index 0000000..d606e03
--- /dev/null
+++ b/kubernetes/minecraft-invites/Namespace-minecraft-invites.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: minecraft-invites
diff --git a/kubernetes/minecraft-invites/VaultStaticSecret-whitelistmanager.yaml b/kubernetes/minecraft-invites/VaultStaticSecret-whitelistmanager.yaml
index 0545df1..b7141e5 100644
--- a/kubernetes/minecraft-invites/VaultStaticSecret-whitelistmanager.yaml
+++ b/kubernetes/minecraft-invites/VaultStaticSecret-whitelistmanager.yaml
@@ -8,7 +8,7 @@ spec:
 create: true
 name: whitelistmanager
 mount: kv
- path: whitelistmanager/whitelistmanager
+ path: minecraft-invites/whitelistmanager
 refreshAfter: 30s
 type: kv-v2
 vaultAuthRef: vault
diff --git a/kubernetes/minecraft-invites/kustomization.yaml b/kubernetes/minecraft-invites/kustomization.yaml
index 7b293a3..646e080 100644
--- a/kubernetes/minecraft-invites/kustomization.yaml
+++ b/kubernetes/minecraft-invites/kustomization.yaml
@@ -8,3 +8,4 @@ resources:
 - Ingress-whitelistmanager.yaml
 - VaultAuth.yaml
 - VaultStaticSecret-whitelistmanager.yaml
+- Namespace-minecraft-invites.yaml
diff --git a/kubernetes/miniflux/Namespace-miniflux.yaml b/kubernetes/miniflux/Namespace-miniflux.yaml new file mode 100644 index 0000000..4ae15f8 --- /dev/null +++ b/kubernetes/miniflux/Namespace-miniflux.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: miniflux diff --git a/kubernetes/miniflux/kustomization.yaml b/kubernetes/miniflux/kustomization.yaml index 948baae..656299a 100644 --- a/kubernetes/miniflux/kustomization.yaml +++ b/kubernetes/miniflux/kustomization.yaml @@ -1,5 +1,8 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization + +namespace: miniflux + resources: - Deployment-miniflux.yaml - Service-miniflux.yaml @@ -7,6 +10,7 @@ resources: - Ingress-miniflux.yaml - VaultAuth.yaml - VaultStaticSecret-miniflux.yaml +- Namespace-miniflux.yaml configMapGenerator: - name: miniflux diff --git a/kubernetes/misc/CronJob-router-cert.yaml b/kubernetes/misc/CronJob-router-cert.yaml new file mode 100644 index 0000000..9b4c982 --- /dev/null +++ b/kubernetes/misc/CronJob-router-cert.yaml 
@@ -0,0 +1,101 @@
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+ name: router-cert
+ namespace: default
+spec:
+ jobTemplate:
+ spec:
+ template:
+ spec:
+ volumes:
+ - secret:
+ secretName: router-gmem-ca
+ name: cert
+ containers:
+ - command:
+ - /bin/bash
+ - -c
+ - >
+ apt update && apt install -y curl
+
+ curl "https://healthchecks.gmem.ca/ping/${HEALTHCHECKS_UUID}/start"
+
+ export LOGIN=$(echo -n "${LOGIN_USERNAME}:${LOGIN_PASSWORD}" | base64 -w0)
+
+ curl "https://${BASE_URL}/login.cgi"
+ -H "Content-Type: application/x-www-form-urlencoded"
+ -H "Referer: https://${BASE_URL}/Main_Login.asp"
+ --data-urlencode "login_authorization=${LOGIN}"
+ -c /tmp/cookie.txt -k
+
+ curl "https://${BASE_URL}/upload_cert_key.cgi"
+ -H "Referer: https://${BASE_URL}/Advanced_ASUSDDNS_Content.asp"
+ -F "file_key=@/data/tls.key"
+ -F "file_cert=@/data/tls.crt"
+ -F "le_enable=2"
+ -b /tmp/cookie.txt -k
+
+ curl "https://${BASE_URL}/Logout.asp"
+ -H "Referer: https://${BASE_URL}/index.asp"
+ -b /tmp/cookie.txt -k
+
+ curl "https://healthchecks.gmem.ca/ping/${HEALTHCHECKS_UUID}"
+ envFrom:
+ - configMapRef:
+ name: router-cert
+ - secretRef:
+ name: router-cert
+ image: debian:bookworm-slim
+ name: upload-certificate
+ volumeMounts:
+ - mountPath: /data
+ name: cert
+ restartPolicy: Never
+ schedule: "0 0 1 * *"
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: router-gmem-ca
+ namespace: default
+spec:
+ # Secret names are always required.
+ secretName: router-gmem-ca
+
+ duration: 2160h # 90d
+ renewBefore: 360h # 15d
+
+ dnsNames:
+ - router.gmem.ca
+ issuerRef:
+ name: le-issuer
+ # We can reference ClusterIssuers by changing the kind here.
+ # The default value is Issuer (i.e. a locally namespaced Issuer)
+ kind: ClusterIssuer
+ # This is optional since cert-manager will default to this value however
+ # if you are using an external issuer, change this to that issuer group.
+ group: cert-manager.io
+---
+apiVersion: v1
+data:
+ BASE_URL: router.gmem.ca
+kind: ConfigMap
+metadata:
+ name: router-cert
+ namespace: default
+---
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+ name: router-cert
+ namespace: default
+spec:
+ destination:
+ create: true
+ name: router-cert
+ mount: kv
+ path: default/router-cert
+ refreshAfter: 30s
+ type: kv-v2
+ vaultAuthRef: vault
diff --git a/kubernetes/misc/Namespace-misc.yaml b/kubernetes/misc/Namespace-misc.yaml
new file mode 100644
index 0000000..aab92c2
--- /dev/null
+++ b/kubernetes/misc/Namespace-misc.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: ntfy
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: it-tools
diff --git a/kubernetes/misc/VaultAuth.yaml b/kubernetes/misc/VaultAuth.yaml
new file mode 100644
index 0000000..72d3a4f
--- /dev/null
+++ b/kubernetes/misc/VaultAuth.yaml
@@ -0,0 +1,11 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+ name: vault
+ namespace: default
+spec:
+ kubernetes:
+ role: reader
+ serviceAccount: default
+ method: kubernetes
+ mount: kubernetes
diff --git a/kubernetes/misc/kustomization.yaml b/kubernetes/misc/kustomization.yaml
index baf5e98..a64389f 100644
--- a/kubernetes/misc/kustomization.yaml
+++ b/kubernetes/misc/kustomization.yaml
@@ -1,7 +1,9 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-- issuer.yml
 - nginx-podmonitor.yml
 - ntfy.yaml
 - tools.yml
+- Namespace-misc.yaml
+- VaultAuth.yaml
+- CronJob-router-cert.yaml
diff --git a/kubernetes/nfs-subdir-external-provisioner/Namespace-nfs-subdir-external-provisioner.yaml b/kubernetes/nfs-subdir-external-provisioner/Namespace-nfs-subdir-external-provisioner.yaml
new file mode 100644
index 0000000..cb6386d
--- /dev/null
+++ b/kubernetes/nfs-subdir-external-provisioner/Namespace-nfs-subdir-external-provisioner.yaml
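Review bot: Every `curl` against `${BASE_URL}` in the `/bin/bash -c` script passes `-k`, so the router-admin login and the private key read from `/data/tls.key` are posted to whatever certificate the peer presents, and the script has neither `set -e` nor `--fail`, so a failed login or upload still reaches the final healthchecks ping and the job reports success. Since the job's purpose is to install a valid `router.gmem.ca` certificate, `-k` is only needed for the very first run; drop it afterwards (or point `--cacert` at the router's CA), start the script with `set -euo pipefail` and add `--fail` to each curl so the success ping only fires when the upload worked — this also needs a CA bundle in the image, which `debian:bookworm-slim` may not carry until `ca-certificates` is installed. `schedule: "0 0 1 * *"` is also out of step with `renewBefore: 360h` on a `duration: 2160h` certificate: a renewal that lands just after the 1st is not pushed to the router for up to 31 days, which is past the old certificate's expiry, so run the job weekly (`schedule: "0 0 * * 0"`) or raise `renewBefore` above one month. Finally, `apt update && apt install -y curl` pulls unpinned packages on every run; an image that already ships curl and ca-certificates removes that moving part.
```yaml
          - >
            set -euo pipefail

            apt update && apt install -y curl ca-certificates

            # … unchanged: healthchecks start ping and LOGIN export …

            curl --fail "https://${BASE_URL}/login.cgi"
            -H "Content-Type: application/x-www-form-urlencoded"
            -H "Referer: https://${BASE_URL}/Main_Login.asp"
            --data-urlencode "login_authorization=${LOGIN}"
            -c /tmp/cookie.txt

            # … unchanged: upload_cert_key.cgi and Logout.asp calls, with -k removed and --fail added …

            curl --fail "https://healthchecks.gmem.ca/ping/${HEALTHCHECKS_UUID}"
# … unchanged: envFrom, image, volumeMounts, restartPolicy …
  schedule: "0 0 * * 0"
```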
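Review bot: This `VaultAuth` binds Vault role `reader` to `serviceAccount: default` in `namespace: default`; the `default` service account is mounted into every pod in that namespace that does not set `serviceAccountName`, so if the Vault role is bound to that account, any workload that lands in `default` (and anyone who can create a pod there) can log into Vault as `reader`, not just the router-cert job. Create a dedicated service account for the job, set `serviceAccountName` in the CronJob pod spec, reference it here as `serviceAccount: router-cert` (constructed name), and scope the Vault role's bound service-account names to it. The `name: vault` / `VaultAuth.yaml` naming matches the other app directories, so the change stays local to this one.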
@@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: nfs-subdir-external-provisioner diff --git a/kubernetes/nfs-subdir-external-provisioner/kustomization.yaml b/kubernetes/nfs-subdir-external-provisioner/kustomization.yaml index 60b90fd..f16b93a 100644 --- a/kubernetes/nfs-subdir-external-provisioner/kustomization.yaml +++ b/kubernetes/nfs-subdir-external-provisioner/kustomization.yaml @@ -9,3 +9,5 @@ helmCharts: version: 4.0.18 kind: Kustomization namespace: nfs-subdir-external-provisioner +resources: +- Namespace-nfs-subdir-external-provisioner.yaml diff --git a/kubernetes/nitter/Namespace-nitter.yaml b/kubernetes/nitter/Namespace-nitter.yaml new file mode 100644 index 0000000..0700d26 --- /dev/null +++ b/kubernetes/nitter/Namespace-nitter.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: nitter diff --git a/kubernetes/nitter/StatefulSet-nitter-bot.yaml b/kubernetes/nitter/StatefulSet-nitter-bot.yaml index 000609d..712066e 100644 --- a/kubernetes/nitter/StatefulSet-nitter-bot.yaml +++ b/kubernetes/nitter/StatefulSet-nitter-bot.yaml @@ -23,7 +23,7 @@ spec: - secretRef: name: nitter-bot - configMapRef: - name: nitter-bot-5d9aefaae4 + name: nitter-bot image: git.gmem.ca/arch/nitter-bot:latest name: nitter-bot resources: diff --git a/kubernetes/nitter/kustomization.yaml b/kubernetes/nitter/kustomization.yaml index acfd689..37658ab 100644 --- a/kubernetes/nitter/kustomization.yaml +++ b/kubernetes/nitter/kustomization.yaml @@ -13,6 +13,7 @@ resources: - VaultStaticSecret-nitter.yaml - ConfigMap-nitter.yaml - ConfigMap-nitter-bot.yaml +- Namespace-nitter.yaml helmCharts: - name: redis diff --git a/kubernetes/piped/Namespace-piped.yaml b/kubernetes/piped/Namespace-piped.yaml new file mode 100644 index 0000000..10bdc4e --- /dev/null +++ b/kubernetes/piped/Namespace-piped.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: piped 
diff --git a/kubernetes/piped/kustomization.yaml b/kubernetes/piped/kustomization.yaml
index b3bb781..41d8e85 100644
--- a/kubernetes/piped/kustomization.yaml
+++ b/kubernetes/piped/kustomization.yaml
@@ -5,3 +5,4 @@ resources:
 - CronJob-piped-refresh.yaml
 - VaultAuth.yaml
 - VaultStaticSecret-postgres-piped.yaml
+- Namespace-piped.yaml
diff --git a/kubernetes/prometheus/Namespace-prometheus.yaml b/kubernetes/prometheus/Namespace-prometheus.yaml
new file mode 100644
index 0000000..fa64c15
--- /dev/null
+++ b/kubernetes/prometheus/Namespace-prometheus.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: prometheus
+ labels:
+ pod-security.kubernetes.io/enforce: privileged
diff --git a/kubernetes/prometheus/kustomization.yaml b/kubernetes/prometheus/kustomization.yaml
index 5627d2e..00f3b8b 100644
--- a/kubernetes/prometheus/kustomization.yaml
+++ b/kubernetes/prometheus/kustomization.yaml
@@ -9,3 +9,4 @@ resources:
 - VaultStaticSecret-nextdns-exporter.yaml
 - VaultStaticSecret-nextdns-ts-exporter.yaml
 - VaultStaticSecret-prometheus-remote-basic-auth.yaml
+- Namespace-prometheus.yaml
diff --git a/kubernetes/redlib/Namespace-redlib.yaml b/kubernetes/redlib/Namespace-redlib.yaml
new file mode 100644
index 0000000..1c49bcc
--- /dev/null
+++ b/kubernetes/redlib/Namespace-redlib.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: redlib
diff --git a/kubernetes/redlib/kustomization.yaml b/kubernetes/redlib/kustomization.yaml
index bd64ff1..449258e 100644
--- a/kubernetes/redlib/kustomization.yaml
+++ b/kubernetes/redlib/kustomization.yaml
@@ -4,4 +4,4 @@ resources:
 - Deployment-redlib.yaml
 - Service-redlib.yaml
 - Ingress-redlib.yaml
-
+- Namespace-redlib.yaml
diff --git a/kubernetes/searxng/Namespace-searxng.yaml b/kubernetes/searxng/Namespace-searxng.yaml
new file mode 100644
index 0000000..8739154
--- /dev/null
+++ b/kubernetes/searxng/Namespace-searxng.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: searxng
diff --git a/kubernetes/searxng/kustomization.yaml b/kubernetes/searxng/kustomization.yaml index 1a9a8bd..5802e29 100644 --- a/kubernetes/searxng/kustomization.yaml +++ b/kubernetes/searxng/kustomization.yaml @@ -23,9 +23,11 @@ resources: - Ingress-searxng.yaml - VaultAuth.yaml - VaultStaticSecret-searxng.yaml +- Namespace-searxng.yaml configMapGenerator: - name: searxng files: - limiter.toml - settings.yml + diff --git a/kubernetes/smarthome/Namespace-smarthome.yaml b/kubernetes/smarthome/Namespace-smarthome.yaml new file mode 100644 index 0000000..11958fa --- /dev/null +++ b/kubernetes/smarthome/Namespace-smarthome.yaml @@ -0,0 +1,6 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: smarthome + labels: + pod-security.kubernetes.io/enforce: privileged diff --git a/kubernetes/smarthome/kustomization.yaml b/kubernetes/smarthome/kustomization.yaml index 3755c41..5074b64 100644 --- a/kubernetes/smarthome/kustomization.yaml +++ b/kubernetes/smarthome/kustomization.yaml @@ -8,3 +8,4 @@ resources: - hue.yaml - VaultAuth.yaml - VaultStaticSecret-hue.yaml +- Namespace-smarthome.yaml diff --git a/kubernetes/tclip/Namespace-tclip.yaml b/kubernetes/tclip/Namespace-tclip.yaml new file mode 100644 index 0000000..c37e567 --- /dev/null +++ b/kubernetes/tclip/Namespace-tclip.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: tclip diff --git a/kubernetes/tclip/kustomization.yaml b/kubernetes/tclip/kustomization.yaml index cfd5563..74087c4 100644 --- a/kubernetes/tclip/kustomization.yaml +++ b/kubernetes/tclip/kustomization.yaml @@ -6,3 +6,4 @@ resources: - Ingress-tclip.yaml - VaultAuth.yaml - VaultStaticSecret-tclip.yaml +- Namespace-tclip.yaml diff --git a/kubernetes/vault-secrets-operator/Namespace-vault-secrets-operator.yaml b/kubernetes/vault-secrets-operator/Namespace-vault-secrets-operator.yaml new file mode 100644 index 0000000..ae22d67 --- /dev/null +++ b/kubernetes/vault-secrets-operator/Namespace-vault-secrets-operator.yaml 
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: vault-secrets-operator
+ labels:
+ pod-security.kubernetes.io/enforce: privileged
diff --git a/kubernetes/vault-secrets-operator/crb.yaml b/kubernetes/vault-secrets-operator/crb.yaml
index 08537a4..c448aa9 100644
--- a/kubernetes/vault-secrets-operator/crb.yaml
+++ b/kubernetes/vault-secrets-operator/crb.yaml
@@ -23,4 +23,4 @@ roleRef:
 subjects:
 - kind: ServiceAccount
 name: vault-auth
- namespace: default
+ namespace: vault-secrets-operator
diff --git a/kubernetes/vault-secrets-operator/kustomization.yaml b/kubernetes/vault-secrets-operator/kustomization.yaml
index cbc190e..64ae9e4 100644
--- a/kubernetes/vault-secrets-operator/kustomization.yaml
+++ b/kubernetes/vault-secrets-operator/kustomization.yaml
@@ -18,4 +18,4 @@ kind: Kustomization
 namespace: vault-secrets-operator
 resources:
 - ./crb.yaml
-
+- Namespace-vault-secrets-operator.yaml
diff --git a/kubernetes/vault-secrets-operator/tokenreview.yaml b/kubernetes/vault-secrets-operator/tokenreview.yaml
new file mode 100644
index 0000000..1a52c22
--- /dev/null
+++ b/kubernetes/vault-secrets-operator/tokenreview.yaml
@@ -0,0 +1,7 @@ +apiVersion: authentication.k8s.io/v1 +kind: TokenReview +metadata: + name: test +spec: + audiences: [] + token: "eyJhbGciOiJSUzI1NiIsImtpZCI6ImpXVFI3MGdGTmJkRHN3MUVqdTNpOTZPeXZHNk1sNzYtS09pOTJwc09OdkEifQ.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.SlQ3GUc9RUicbmcsH-qMzw231mansaG2OE-kZwLaYGyoFYNSt-kwW-GaUUdCQ3rB7fz4yADM_SCbOyczYGmhtm5hEUJxs4Vp_171RP8xfvphrbeGUxd5e5e0hv5vDFXtWQxLCkSwZX8sWymSpj01ujEqW9fJgDl9zGYsg7Yf94YaEEynYpU2ClamiFuPsmzu2yARYZEOaSTV_zq6TDjt6dojB63e5wYVODuJr_rOU1TNniQrL9SHBnIwFYTwM24cYP16rG8deV_yUaJE8BCTEUPXFv_vyh-RU3sQWQ1RuuCoDmxZqcQ5yiZ7dW7wcdP6FjKzbkrXB5Y7gni8Zl0WmIgJfZegnQktJIiHFZQaJAOE7V4b-NvYG6jb3HqtvtyHHXs92BS4jj9_B_M2TJb4Vv4fB7Y0v1ev39uOmMsPNkqp_SIhyOrlrjz7bvQAwcE9g5ew7QuNtcJN1ljF9s7dVJes8gjQjoOwKrk-S9GlLSPFk5jqt8e6WS85LO-3_hNliKECCWZar2z0L1SVOU7yrdguoH4ydligBwVemKotydnnmcYh6vdZOjhW5ZNoQwjclHDhTggCMvmWMuTnTRL-z_S8o2jYjmBEuo6EbTqgoT1NXmp8miT9mYkgE8JMM7IP-CD_HMfIYEWoKWRpwUX5SRkub6rELgMNVT6Xge_uQPk" diff --git a/kubernetes/vaultwarden/Namespace-vaultwarden.yaml b/kubernetes/vaultwarden/Namespace-vaultwarden.yaml new file mode 100644 index 0000000..6fc17a5 --- /dev/null +++ b/kubernetes/vaultwarden/Namespace-vaultwarden.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: vaultwarden diff --git a/kubernetes/vaultwarden/deployment.yaml b/kubernetes/vaultwarden/deployment.yaml index 3729ca1..c6be787 100644 --- a/kubernetes/vaultwarden/deployment.yaml +++ b/kubernetes/vaultwarden/deployment.yaml @@ -18,8 +18,7 @@ spec: emptyDir: {} containers: - name: vaultwarden - image: vaultwarden/server:testing - imagePullPolicy: Always + image: vaultwarden/server:1.31.0 resources: limits: memory: "128Mi" @@ -37,6 +36,8 @@ spec: env: - name: LOG_LEVEL value: debug + - name: ROCKET_ADDRESS + value: "::" ports: - containerPort: 80 name: web diff --git a/kubernetes/vaultwarden/kustomization.yaml b/kubernetes/vaultwarden/kustomization.yaml index 78a01aa..6771dc7 100644 --- a/kubernetes/vaultwarden/kustomization.yaml 
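Review bot: `tokenreview.yaml` commits a live service-account JWT in `spec.token`; a TokenReview is a one-shot API call for validating a token, not a resource to keep in git, and nothing references the file — the kustomization hunk for this directory only adds the Namespace. Treat the token as exposed: drop the file from the commit, rewrite history if the branch has been pushed, and revoke it — delete the backing Secret if it is a legacy token, otherwise let the bound token expire and rotate the service account it belongs to (likely `vault-auth`, given the crb.yaml change in this commit). If a reproducible check is wanted, keep a template with the value blanked, `token: "<SA_TOKEN placeholder>"`, and substitute it at run time from `kubectl create token` output piped straight into the API call rather than written to disk.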
+++ b/kubernetes/vaultwarden/kustomization.yaml @@ -7,8 +7,10 @@ resources: - VaultAuth.yaml - VaultStaticSecret-vaultwarden.yaml - deployment.yaml +- Namespace-vaultwarden.yaml configMapGenerator: - name: vaultwarden envs: - vaultwarden.env + diff --git a/kubernetes/vrchat/Namespace-vrchat.yaml b/kubernetes/vrchat/Namespace-vrchat.yaml new file mode 100644 index 0000000..db4f658 --- /dev/null +++ b/kubernetes/vrchat/Namespace-vrchat.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: vrchat diff --git a/kubernetes/vrchat/VaultStaticSecret-vrchat-prometheus-adapter.yaml b/kubernetes/vrchat/VaultStaticSecret-vrchat-prometheus-adapter.yaml index 5a795e0..3d3111c 100644 --- a/kubernetes/vrchat/VaultStaticSecret-vrchat-prometheus-adapter.yaml +++ b/kubernetes/vrchat/VaultStaticSecret-vrchat-prometheus-adapter.yaml @@ -8,7 +8,7 @@ spec: create: true name: vrchat-prometheus-adapter mount: kv - path: vrchat-prometheus-adapter + path: vrchat/vrchat-prometheus-adapter refreshAfter: 30s type: kv-v2 vaultAuthRef: vault diff --git a/kubernetes/vrchat/kustomization.yaml b/kubernetes/vrchat/kustomization.yaml index d9513c7..a7c3448 100644 --- a/kubernetes/vrchat/kustomization.yaml +++ b/kubernetes/vrchat/kustomization.yaml @@ -8,8 +8,10 @@ resources: - Service-vrchat-prometheus-adapter.yaml - ServiceMonitor-vrchat-prometheus-adapter.yaml - VaultAuth.yaml - +- Namespace-vrchat.yaml +- VaultStaticSecret-vrchat-prometheus-adapter.yaml configMapGenerator: - name: vrchat-prometheus-adapter files: - config.toml +