Transition to Vault

This commit is contained in:
Gabriel Simmer 2024-07-06 00:48:36 +01:00
parent 79f73d2dd2
commit 7ac99af974
Signed by: arch
SSH key fingerprint: SHA256:m3OEcdtrnBpMX+2BDGh/byv3hrCekCLzDYMdvGEKPPQ
92 changed files with 850 additions and 371 deletions


@ -0,0 +1,11 @@
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: vault
namespace: atuin
spec:
kubernetes:
role: reader
serviceAccount: default
method: kubernetes
mount: kubernetes
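Review bot: `serviceAccount: default` binds the Vault role `reader` to the namespace's default ServiceAccount, so any pod in `atuin` that does not set `serviceAccountName` (and has its token automounted) can log in to Vault with that role — not only the secrets operator. The Vault-side role and policy are not in this commit, so this is inferred, but if `reader` is one role shared by all the namespaces added here with a policy over the whole `kv` mount, compromising any single workload yields read access to every other namespace's secrets, including `cert-manager/cloudflare-cert-api` and `authentik/authentik-secrets`. Prefer a dedicated account, `serviceAccount: vault-reader`, with a per-namespace Vault role whose `bound_service_account_namespaces` and policy are limited to `kv/atuin/*`, and set `automountServiceAccountToken: false` on the default SA. The same pattern repeats in every VaultAuth.yaml in this commit.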


@ -0,0 +1,14 @@
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: postgres-atuin
namespace: atuin
spec:
destination:
create: true
name: postgres-atuin
mount: kv
path: atuin/postgres-atuin
refreshAfter: 30s
type: kv-v2
vaultAuthRef: vault


@ -0,0 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- VaultAuth.yaml
- VaultStaticSecret-postgres-atuin.yaml
- deployment.yaml


@ -0,0 +1,11 @@
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: vault
namespace: authentik
spec:
kubernetes:
role: reader
serviceAccount: default
method: kubernetes
mount: kubernetes


@ -0,0 +1,14 @@
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: authentik-secrets
namespace: authentik
spec:
destination:
create: true
name: authentik-secrets
mount: kv
path: authentik/authentik-secrets
refreshAfter: 30s
type: kv-v2
vaultAuthRef: vault


@ -0,0 +1,14 @@
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: postgres-authentik
namespace: authentik
spec:
destination:
create: true
name: postgres-authentik
mount: kv
path: authentik/postgres-authentik
refreshAfter: 30s
type: kv-v2
vaultAuthRef: vault


@ -1,12 +1,15 @@
apiVersion: kustomize.config.k8s.io/v1beta1
helmCharts:
- kubeVersion: '1.30'
name: authentik
namespace: authentik
releaseName: authentik
repo: https://charts.goauthentik.io
valuesFile: ./authentik.yml
version: 2024.6.0
kind: Kustomization
namespace: authentik
helmCharts:
- name: authentik
repo: https://charts.goauthentik.io
releaseName: authentik
namespace: authentik
version: 2024.6.0
valuesFile: ./authentik.yml
kubeVersion: "1.30"
resources:
- VaultAuth.yaml
- VaultStaticSecret-postgres-authentik.yaml
- VaultStaticSecret-authentik-secrets.yaml


@ -0,0 +1,11 @@
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: vault
namespace: cert-manager
spec:
kubernetes:
role: reader
serviceAccount: default
method: kubernetes
mount: kubernetes


@ -0,0 +1,14 @@
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: cloudflare-cert-api
namespace: cert-manager
spec:
destination:
create: true
name: cloudflare-cert-api
mount: kv
path: cert-manager/cloudflare-cert-api
refreshAfter: 30s
type: kv-v2
vaultAuthRef: vault


@ -0,0 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: cert-manager
resources:
- VaultAuth.yaml
- VaultStaticSecret-cloudflare-cert-api.yaml


@ -0,0 +1,11 @@
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: vault
namespace: cloudflare
spec:
kubernetes:
role: reader
serviceAccount: default
method: kubernetes
mount: kubernetes


@ -0,0 +1,14 @@
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: cloudflare-exporter
namespace: cloudflare
spec:
destination:
create: true
name: cloudflare-exporter
mount: kv
path: cloudflare/cloudflare-exporter
refreshAfter: 30s
type: kv-v2
vaultAuthRef: vault


@ -0,0 +1,14 @@
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: tunnel-credentials
namespace: cloudflare
spec:
destination:
create: true
name: tunnel-credentials
mount: kv
path: cloudflare/tunnel-credentials
refreshAfter: 30s
type: kv-v2
vaultAuthRef: vault


@ -1,20 +1,22 @@
apiVersion: kustomize.config.k8s.io/v1beta1
helmCharts:
- kubeVersion: '1.30'
name: cloudflare-exporter
releaseName: cloudflare-exporter
repo: https://lablabs.github.io/cloudflare-exporter
valuesInline:
image:
tag: 0.0.16
secretRef: cloudflare-exporter
serviceMonitor:
enabled: true
labels:
release: prometheus
version: 0.2.1
kind: Kustomization
namespace: cloudflare
resources:
- cloudflared.yml
helmCharts:
- name: cloudflare-exporter
releaseName: cloudflare-exporter
version: 0.2.1
repo: https://lablabs.github.io/cloudflare-exporter
valuesInline:
image:
tag: "0.0.16"
secretRef: "cloudflare-exporter"
serviceMonitor:
enabled: true
labels:
release: "prometheus"
kubeVersion: "1.30"
- VaultAuth.yaml
- VaultStaticSecret-tunnel-credentials.yaml
- VaultStaticSecret-cloudflare-exporter.yaml


@ -0,0 +1,11 @@
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: vault
namespace: duplikate
spec:
kubernetes:
role: reader
serviceAccount: default
method: kubernetes
mount: kubernetes


@ -0,0 +1,14 @@
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: duplikate
namespace: duplikate
spec:
destination:
create: true
name: duplikate
mount: kv
path: duplikate/duplikate
refreshAfter: 30s
type: kv-v2
vaultAuthRef: vault


@ -1,20 +1,20 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: duplikate
resources:
- Deployment-duplikate.yaml
- InfisicalSecret-duplikate.yaml
helmCharts:
- name: redis
releaseName: duplikate-redis
version: 18.6.1
repo: https://charts.bitnami.com/bitnami
valuesInline:
architecture: standalone
auth:
enabled: false
architecture: standalone
image:
registry: registry.redict.io
repository: redict
tag: 7.3-compat
version: 18.6.1
kind: Kustomization
namespace: duplikate
resources:
- Deployment-duplikate.yaml
- VaultAuth.yaml
- VaultStaticSecret-duplikate.yaml


@ -0,0 +1,11 @@
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: vault
namespace: e6-gallery
spec:
kubernetes:
role: reader
serviceAccount: default
method: kubernetes
mount: kubernetes


@ -0,0 +1,14 @@
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: regcred
namespace: e6-gallery
spec:
destination:
create: true
name: regcred
mount: kv
path: e6-gallery/regcred
refreshAfter: 30s
type: kv-v2
vaultAuthRef: vault


@ -0,0 +1,9 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: e6-gallery
resources:
- VaultAuth.yaml
- VaultStaticSecret-regcred.yaml
- e6-gallery.yaml


@ -0,0 +1,12 @@
apiVersion: v1
kind: Endpoints
metadata:
name: secrets
namespace: endpoints
subsets:
- addresses:
- ip: 192.168.50.147
ports:
- name: vault
port: 8200
protocol: TCP


@ -0,0 +1,22 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
nginx.ingress.kubernetes.io/backend-protocol: HTTP
name: secrets
namespace: endpoints
spec:
rules:
- host: secrets.gmem.ca
http:
paths:
- backend:
service:
name: secrets
port:
number: 8200
path: /
pathType: Prefix
tls:
- hosts:
- secrets.gmem.ca
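Review bot: `nginx.ingress.kubernetes.io/backend-protocol: HTTP` makes the hop from the ingress controller to Vault at 192.168.50.147:8200 plaintext, and because the operator is pointed at `https://secrets.gmem.ca` that hop carries every Vault client token it is issued and every secret it reads. Terminate TLS on Vault's own listener and switch to `nginx.ingress.kubernetes.io/backend-protocol: HTTPS` with `nginx.ingress.kubernetes.io/proxy-ssl-verify: "on"` and a `proxy-ssl-secret` holding Vault's CA, rather than relying on LAN isolation. The `tls` entry has no `secretName`, so unless a cert-manager annotation lives elsewhere this host is served with the controller's default certificate. If `secrets.gmem.ca` is reachable from outside the LAN, also consider `nginx.ingress.kubernetes.io/whitelist-source-range` so the Vault API and UI are not publicly exposed.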


@ -0,0 +1,10 @@
apiVersion: v1
kind: Service
metadata:
name: secrets
namespace: endpoints
spec:
ports:
- name: secrets
port: 8200
targetPort: 8200


@ -16,3 +16,6 @@ resources:
- Ingress-ibiza.yaml
- Ingress-proxmox.yaml
- Ingress-tokyo.yaml
- Endpoints-secrets.yaml
- Ingress-secrets.yaml
- Service-secrets.yaml


@ -0,0 +1,11 @@
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: vault
namespace: homepage
spec:
kubernetes:
role: reader
serviceAccount: default
method: kubernetes
mount: kubernetes


@ -0,0 +1,14 @@
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: homepage-config
namespace: homepage
spec:
destination:
create: true
name: homepage-config
mount: kv
path: homepage/homepage-config
refreshAfter: 30s
type: kv-v2
vaultAuthRef: vault


@ -1,16 +1,16 @@
apiVersion: kustomize.config.k8s.io/v1beta1
helmCharts:
- kubeVersion: '1.30'
name: homepage
namespace: homepage
releaseName: homepage
repo: https://jameswynn.github.io/helm-charts
valuesFile: ./homepage.yaml
version: 1.2.3
kind: Kustomization
namespace: homepage
patches:
- path: ./deployment.yaml
helmCharts:
- name: homepage
repo: https://jameswynn.github.io/helm-charts
releaseName: homepage
namespace: homepage
version: 1.2.3
kubeVersion: "1.30"
valuesFile: ./homepage.yaml
resources:
- ./VaultStaticSecret-homepage-config.yaml
- ./VaultAuth.yaml


@ -1,12 +0,0 @@
infisical:
fullnameOverride: infisical
image:
tag: v0.70.1-postgres
ingress:
enabled: true
hostName: secrets.gmem.ca
tls:
- hosts:
- secrets.gmem.ca
postgresql:
enabled: false


@ -1,19 +0,0 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: infisical
helmCharts:
- name: infisical-standalone
repo: https://dl.cloudsmith.io/public/infisical/helm-charts/helm/charts
releaseName: infisical
namespace: infisical
version: 1.0.8
valuesFile: ./infvalues.yml
kubeVersion: "1.30"
- name: secrets-operator
repo: https://dl.cloudsmith.io/public/infisical/helm-charts/helm/charts
releaseName: secrets-operator-1718466666
namespace: infisical
version: 0.6.2
kubeVersion: "1.30"


@ -1,12 +1,12 @@
apiVersion: kustomize.config.k8s.io/v1beta1
helmCharts:
- kubeVersion: '1.30'
name: ingress-nginx
namespace: ingress-nginx
releaseName: ingress-nginx
repo: https://kubernetes.github.io/ingress-nginx
valuesFile: ./nginx.yaml
version: 4.10.1
kind: Kustomization
namespace: ingress-nginx
helmCharts:
- name: ingress-nginx
repo: https://kubernetes.github.io/ingress-nginx
releaseName: ingress-nginx
namespace: ingress-nginx
version: 4.10.1
valuesFile: ./nginx.yaml
kubeVersion: "1.30"


@ -1,30 +0,0 @@
apiVersion: v1
data:
config: 'listen ircs://
listen unix+admin:///app/admin
listen ws+insecure://
listen http+prometheus://localhost:9090
hostname irc.gmem.ca
title irc.gmem.ca
db postgres "dbname=soju"
message-store db
tls /ssl/tls.crt /ssl/tls.key
'
kind: ConfigMap
metadata:
annotations:
kubenix/k8s-version: '1.30'
kubenix/project-name: kubenix
labels:
kubenix/hash: e672eb08bf0db5ef675b3b6036ca047f43b4614f
name: soju-4a44ac46db
namespace: irc


@ -47,12 +47,12 @@ spec:
volumeMounts:
- mountPath: /etc/soju/config
name: config
subPath: config
subPath: config.in
- mountPath: /ssl
name: ssl
volumes:
- configMap:
name: soju-4a44ac46db
name: soju
name: config
- name: ssl
secret:


@ -0,0 +1,11 @@
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: vault
namespace: irc
spec:
kubernetes:
role: reader
serviceAccount: default
method: kubernetes
mount: kubernetes


@ -0,0 +1,14 @@
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: postgres-soju
namespace: irc
spec:
destination:
create: true
name: postgres-soju
mount: kv
path: irc/postgres-soju
refreshAfter: 30s
type: kv-v2
vaultAuthRef: vault


@ -0,0 +1,14 @@
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: soju
namespace: irc
spec:
destination:
create: true
name: soju
mount: kv
path: irc/soju
refreshAfter: 30s
type: kv-v2
vaultAuthRef: vault

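--- a/kubernetes/irc/config.in
+++ b/kubernetes/irc/config.in
@@ -0,0 +1,9 @@
+listen ircs://
+listen unix+admin:///app/admin
+listen ws+insecure://
+listen http+prometheus://localhost:9090
+hostname irc.gmem.ca
+title irc.gmem.ca
+db postgres "dbname=soju"
+message-store db
+tls /ssl/tls.crt /ssl/tls.key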
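Review bot: `listen ws+insecure://` opens a WebSocket listener with no TLS, which is only acceptable if `Service-soju-ws` is reached solely through the TLS-terminating `Ingress-irc` and is never exposed directly; that dependency is not visible in this file. Add a comment above the line, `# plaintext WS for gamja; TLS is terminated at Ingress-irc — do not expose this Service directly`, and if the ingress forwards the client address, set `accept-proxy-ip` to the ingress pod range so soju logs and rate-limits on the real client IP rather than the proxy's. The `ircs://` and `tls` lines keep direct IRC connections encrypted.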


@ -1,10 +1,21 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: irc
resources:
- ConfigMap-soju-4a44ac46db.yaml
- Deployment-gamja.yaml
- Deployment-soju.yaml
- Service-gamja.yaml
- Service-soju.yaml
- Service-soju-ws.yaml
- Ingress-irc.yaml
- irc-cert.yml
- VaultAuth.yaml
- VaultStaticSecret-postgres-soju.yaml
- VaultStaticSecret-soju.yaml
configMapGenerator:
- name: soju
files:
- config.in


@ -0,0 +1,11 @@
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: vault
namespace: jellyseerr
spec:
kubernetes:
role: reader
serviceAccount: default
method: kubernetes
mount: kubernetes


@ -0,0 +1,14 @@
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: jellyseerr
namespace: jellyseerr
spec:
destination:
create: true
name: jellyseerr
mount: kv
path: jellyseerr/jellyseerr
refreshAfter: 30s
type: kv-v2
vaultAuthRef: vault


@ -4,3 +4,5 @@ resources:
- Deployment-jellyseerr.yaml
- Service-jellyseerr.yaml
- Ingress-jellyseerr.yaml
- VaultAuth.yaml
- VaultStaticSecret-jellyseerr.yaml


@ -1,7 +1,8 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- atuin
- authentik
- duplikate
- miniflux
- nitter
@ -20,6 +21,8 @@ resources:
- endpoints
- ingress-nginx
- homepage
- infisical
- nfs-subdir-external-provisioner
- misc
- vault-secrets-operator
- vaultwarden
- smarthome


@ -0,0 +1,11 @@
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: vault
namespace: minecraft-invites
spec:
kubernetes:
role: reader
serviceAccount: default
method: kubernetes
mount: kubernetes


@ -0,0 +1,14 @@
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: whitelistmanager
namespace: minecraft-invites
spec:
destination:
create: true
name: whitelistmanager
mount: kv
path: whitelistmanager/whitelistmanager
refreshAfter: 30s
type: kv-v2
vaultAuthRef: vault


@ -6,3 +6,5 @@ resources:
- Service-whitelistmanager.yaml
- Service-whitelistmanager-frontend.yaml
- Ingress-whitelistmanager.yaml
- VaultAuth.yaml
- VaultStaticSecret-whitelistmanager.yaml


@ -1,22 +0,0 @@
apiVersion: v1
data:
BASE_URL: https://rss.gmem.ca/
CLEANUP_ARCHIVE_UNREAD_DAYS: '60'
CREATE_ADMIN: '1'
METRICS_ALLOWED_NETWORKS: 0.0.0.0/0
METRICS_COLLECTOR: '1'
OAUTH2_OIDC_DISCOVERY_ENDPOINT: https://authentik.gmem.ca/application/o/miniflux/
OAUTH2_PROVIDER: oidc
OAUTH2_REDIRECT_URL: https://rss.gmem.ca/oauth2/oidc/callback
OAUTH2_USER_CREATION: '1'
RUN_MIGRATIONS: '1'
YOUTUBE_EMBED_URL_OVERRIDE: https://piped.gmem.ca/embed/
kind: ConfigMap
metadata:
annotations:
kubenix/k8s-version: '1.30'
kubenix/project-name: kubenix
labels:
kubenix/hash: e672eb08bf0db5ef675b3b6036ca047f43b4614f
name: miniflux-a4c33abb52
namespace: miniflux


@ -22,7 +22,7 @@ spec:
- secretRef:
name: miniflux
- configMapRef:
name: miniflux-a4c33abb52
name: miniflux
image: docker.io/miniflux/miniflux
name: miniflux
ports:


@ -1,27 +0,0 @@
apiVersion: secrets.infisical.com/v1alpha1
kind: InfisicalSecret
metadata:
annotations:
kubenix/k8s-version: '1.30'
kubenix/project-name: kubenix
labels:
kubenix/hash: e672eb08bf0db5ef675b3b6036ca047f43b4614f
name: miniflux
namespace: miniflux
spec:
authentication:
kubernetesAuth:
identityId: 68d1f432-7b0a-4e4a-b439-acbbbc160f1e
secretsScope:
envSlug: prod
projectSlug: kubernetes-homelab-dp67
secretsPath: /miniflux
serviceAccountRef:
name: infisical-auth
namespace: infisical
hostAPI: http://infisical:8080
managedSecretReference:
creationPolicy: Owner
secretName: miniflux
secretNamespace: miniflux
resyncInterval: 10


@ -0,0 +1,11 @@
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: vault
namespace: miniflux
spec:
kubernetes:
role: reader
serviceAccount: default
method: kubernetes
mount: kubernetes


@ -0,0 +1,14 @@
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: miniflux
namespace: miniflux
spec:
destination:
create: true
name: miniflux
mount: kv
path: miniflux/miniflux
refreshAfter: 30s
type: kv-v2
vaultAuthRef: vault


@ -1,9 +1,14 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- ConfigMap-miniflux-a4c33abb52.yaml
- Deployment-miniflux.yaml
- Service-miniflux.yaml
- ServiceMonitor-miniflux.yaml
- Ingress-miniflux.yaml
- InfisicalSecret-miniflux.yaml
- VaultAuth.yaml
- VaultStaticSecret-miniflux.yaml
configMapGenerator:
- name: miniflux
envs:
- miniflux.env


@ -0,0 +1,11 @@
BASE_URL=https://rss.gmem.ca/
CLEANUP_ARCHIVE_UNREAD_DAYS=60
CREATE_ADMIN=1
METRICS_ALLOWED_NETWORKS=0.0.0.0/0
METRICS_COLLECTOR=1
OAUTH2_OIDC_DISCOVERY_ENDPOINT=https://authentik.gmem.ca/application/o/miniflux/
OAUTH2_PROVIDER=oidc
OAUTH2_REDIRECT_URL=https://rss.gmem.ca/oauth2/oidc/callback
OAUTH2_USER_CREATION=1
RUN_MIGRATIONS=1
YOUTUBE_EMBED_URL_OVERRIDE=https://piped.gmem.ca/embed/
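Review bot: `METRICS_ALLOWED_NETWORKS=0.0.0.0/0` (carried over from the deleted ConfigMap) lets any client that can reach the miniflux pod scrape `/metrics`, and that includes the public Ingress unless it blocks the path. Restrict it to the address range Prometheus scrapes from, e.g. `METRICS_ALLOWED_NETWORKS=<cluster pod CIDR>`, or deny `/metrics` at `Ingress-miniflux` with a `nginx.ingress.kubernetes.io/server-snippet`. The metrics expose feed and user counts rather than secrets, so this is hardening rather than a leak, but it is cheap to close while the config is being rewritten anyway.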


@ -1,12 +1,7 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- atuin.yaml
- e6-gallery.yaml
- hue.yml
- issuer.yml
- nginx-podmonitor.yml
- ntfy.yaml
- tools.yml
- vaultwarden.yml


@ -1,12 +1,11 @@
apiVersion: kustomize.config.k8s.io/v1beta1
helmCharts:
- kubeVersion: '1.30'
name: nfs-subdir-external-provisioner
namespace: nfs-subdir-external-provisioner
releaseName: nfs-subdir-external-provisioner
repo: https://kubernetes-sigs.github.io/nfs-subdir-external-provisioner/
valuesFile: ./nfs-provisioner-values.yml
version: 4.0.18
kind: Kustomization
namespace: nfs-subdir-external-provisioner
helmCharts:
- name: nfs-subdir-external-provisioner
repo: https://kubernetes-sigs.github.io/nfs-subdir-external-provisioner/
releaseName: nfs-subdir-external-provisioner
namespace: nfs-subdir-external-provisioner
version: 4.0.18
valuesFile: ./nfs-provisioner-values.yml
kubeVersion: "1.30"


@ -1,13 +0,0 @@
apiVersion: v1
data:
NITTER_EXTERNAL_URL: https://nitter.gmem.ca
NITTER_URL: http://nitter:8080
kind: ConfigMap
metadata:
annotations:
kubenix/k8s-version: '1.30'
kubenix/project-name: kubenix
labels:
kubenix/hash: e672eb08bf0db5ef675b3b6036ca047f43b4614f
name: nitter-bot-5d9aefaae4
namespace: nitter


@ -1,45 +0,0 @@
apiVersion: v1
data:
master.conf: 'dir /data
# User-supplied master configuration:
rename-command FLUSHDB ""
rename-command FLUSHALL ""
# End of master configuration'
redis.conf: '# User-supplied common configuration:
# Enable AOF https://redis.io/topics/persistence#append-only-file
appendonly yes
# Disable RDB persistence, AOF persistence already enabled.
save ""
# End of common configuration'
replica.conf: 'dir /data
# User-supplied replica configuration:
rename-command FLUSHDB ""
rename-command FLUSHALL ""
# End of replica configuration'
kind: ConfigMap
metadata:
annotations:
kubenix/k8s-version: '1.30'
kubenix/project-name: kubenix
labels:
app.kubernetes.io/instance: nitter-redis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: redis
app.kubernetes.io/version: 7.2.3
helm.sh/chart: redis-18.6.1
kubenix/hash: e672eb08bf0db5ef675b3b6036ca047f43b4614f
name: nitter-redis-configuration-4712c8e029
namespace: nitter


@ -1,63 +0,0 @@
apiVersion: v1
data:
ping_liveness_local.sh: "#!/bin/bash\n\n[[ -f $REDIS_PASSWORD_FILE ]] && export\
\ REDIS_PASSWORD=\"$(< \"${REDIS_PASSWORD_FILE}\")\"\n[[ -n \"$REDIS_PASSWORD\"\
\ ]] && export REDISCLI_AUTH=\"$REDIS_PASSWORD\"\nresponse=$(\n timeout -s 15\
\ $1 \\\n redis-cli \\\n -h localhost \\\n -p $REDIS_PORT \\\n ping\n\
)\nif [ \"$?\" -eq \"124\" ]; then\n echo \"Timed out\"\n exit 1\nfi\nresponseFirstWord=$(echo\
\ $response | head -n1 | awk '{print $1;}')\nif [ \"$response\" != \"PONG\" ]\
\ && [ \"$responseFirstWord\" != \"LOADING\" ] && [ \"$responseFirstWord\" !=\
\ \"MASTERDOWN\" ]; then\n echo \"$response\"\n exit 1\nfi"
ping_liveness_local_and_master.sh: 'script_dir="$(dirname "$0")"
exit_status=0
"$script_dir/ping_liveness_local.sh" $1 || exit_status=$?
"$script_dir/ping_liveness_master.sh" $1 || exit_status=$?
exit $exit_status'
ping_liveness_master.sh: "#!/bin/bash\n\n[[ -f $REDIS_MASTER_PASSWORD_FILE ]] &&\
\ export REDIS_MASTER_PASSWORD=\"$(< \"${REDIS_MASTER_PASSWORD_FILE}\")\"\n[[\
\ -n \"$REDIS_MASTER_PASSWORD\" ]] && export REDISCLI_AUTH=\"$REDIS_MASTER_PASSWORD\"\
\nresponse=$(\n timeout -s 15 $1 \\\n redis-cli \\\n -h $REDIS_MASTER_HOST\
\ \\\n -p $REDIS_MASTER_PORT_NUMBER \\\n ping\n)\nif [ \"$?\" -eq \"124\"\
\ ]; then\n echo \"Timed out\"\n exit 1\nfi\nresponseFirstWord=$(echo $response\
\ | head -n1 | awk '{print $1;}')\nif [ \"$response\" != \"PONG\" ] && [ \"$responseFirstWord\"\
\ != \"LOADING\" ]; then\n echo \"$response\"\n exit 1\nfi"
ping_readiness_local.sh: "#!/bin/bash\n\n[[ -f $REDIS_PASSWORD_FILE ]] && export\
\ REDIS_PASSWORD=\"$(< \"${REDIS_PASSWORD_FILE}\")\"\n[[ -n \"$REDIS_PASSWORD\"\
\ ]] && export REDISCLI_AUTH=\"$REDIS_PASSWORD\"\nresponse=$(\n timeout -s 15\
\ $1 \\\n redis-cli \\\n -h localhost \\\n -p $REDIS_PORT \\\n ping\n\
)\nif [ \"$?\" -eq \"124\" ]; then\n echo \"Timed out\"\n exit 1\nfi\nif [ \"\
$response\" != \"PONG\" ]; then\n echo \"$response\"\n exit 1\nfi"
ping_readiness_local_and_master.sh: 'script_dir="$(dirname "$0")"
exit_status=0
"$script_dir/ping_readiness_local.sh" $1 || exit_status=$?
"$script_dir/ping_readiness_master.sh" $1 || exit_status=$?
exit $exit_status'
ping_readiness_master.sh: "#!/bin/bash\n\n[[ -f $REDIS_MASTER_PASSWORD_FILE ]] &&\
\ export REDIS_MASTER_PASSWORD=\"$(< \"${REDIS_MASTER_PASSWORD_FILE}\")\"\n[[\
\ -n \"$REDIS_MASTER_PASSWORD\" ]] && export REDISCLI_AUTH=\"$REDIS_MASTER_PASSWORD\"\
\nresponse=$(\n timeout -s 15 $1 \\\n redis-cli \\\n -h $REDIS_MASTER_HOST\
\ \\\n -p $REDIS_MASTER_PORT_NUMBER \\\n ping\n)\nif [ \"$?\" -eq \"124\"\
\ ]; then\n echo \"Timed out\"\n exit 1\nfi\nif [ \"$response\" != \"PONG\"\
\ ]; then\n echo \"$response\"\n exit 1\nfi"
kind: ConfigMap
metadata:
annotations:
kubenix/k8s-version: '1.30'
kubenix/project-name: kubenix
labels:
app.kubernetes.io/instance: nitter-redis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: redis
app.kubernetes.io/version: 7.2.3
helm.sh/chart: redis-18.6.1
kubenix/hash: e672eb08bf0db5ef675b3b6036ca047f43b4614f
name: nitter-redis-health-05691b979f
namespace: nitter


@ -1,24 +0,0 @@
apiVersion: v1
data:
start-master.sh: "#!/bin/bash\n\n[[ -f $REDIS_PASSWORD_FILE ]] && export REDIS_PASSWORD=\"\
$(< \"${REDIS_PASSWORD_FILE}\")\"\nif [[ -f /opt/bitnami/redis/mounted-etc/master.conf\
\ ]];then\n cp /opt/bitnami/redis/mounted-etc/master.conf /opt/bitnami/redis/etc/master.conf\n\
fi\nif [[ -f /opt/bitnami/redis/mounted-etc/redis.conf ]];then\n cp /opt/bitnami/redis/mounted-etc/redis.conf\
\ /opt/bitnami/redis/etc/redis.conf\nfi\nARGS=(\"--port\" \"${REDIS_PORT}\")\n\
ARGS+=(\"--protected-mode\" \"no\")\nARGS+=(\"--include\" \"/opt/bitnami/redis/etc/redis.conf\"\
)\nARGS+=(\"--include\" \"/opt/bitnami/redis/etc/master.conf\")\nexec redis-server\
\ \"${ARGS[@]}\"\n"
kind: ConfigMap
metadata:
annotations:
kubenix/k8s-version: '1.30'
kubenix/project-name: kubenix
labels:
app.kubernetes.io/instance: nitter-redis
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/name: redis
app.kubernetes.io/version: 7.2.3
helm.sh/chart: redis-18.6.1
kubenix/hash: e672eb08bf0db5ef675b3b6036ca047f43b4614f
name: nitter-redis-scripts-a4596108c1
namespace: nitter


@ -0,0 +1,11 @@
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: vault
namespace: nitter
spec:
kubernetes:
role: reader
serviceAccount: default
method: kubernetes
mount: kubernetes


@ -0,0 +1,14 @@
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: nitter-bot
namespace: nitter
spec:
destination:
create: true
name: nitter-bot
mount: kv
path: nitter/nitter-bot
refreshAfter: 30s
type: kv-v2
vaultAuthRef: vault


@ -0,0 +1,14 @@
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: nitter
namespace: nitter
spec:
destination:
create: true
name: nitter
mount: kv
path: nitter/nitter
refreshAfter: 30s
type: kv-v2
vaultAuthRef: vault


@ -1,15 +1,27 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: nitter
resources:
- ConfigMap-nitter-bot-5d9aefaae4.yaml
- ConfigMap-nitter-redis-configuration-4712c8e029.yaml
- ConfigMap-nitter-redis-health-05691b979f.yaml
- ConfigMap-nitter-redis-scripts-a4596108c1.yaml
- Deployment-nitter.yaml
- StatefulSet-nitter-bot.yaml
- StatefulSet-nitter-redis-master.yaml
- Service-nitter.yaml
- Service-nitter-redis-headless.yaml
- Service-nitter-redis-master.yaml
- ServiceAccount-nitter-redis.yaml
- Ingress-nitter.yaml
- VaultAuth.yaml
- VaultStaticSecret-nitter-bot.yaml
- VaultStaticSecret-nitter.yaml
helmCharts:
- name: redis
releaseName: nitter-redis
repo: https://charts.bitnami.com/bitnami
valuesInline:
architecture: standalone
auth:
enabled: false
image:
registry: registry.redict.io
repository: redict
tag: 7.3-compat
version: 18.6.1
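Review bot: The Redis chart is deployed with `auth.enabled: false`, so any pod that can reach `nitter-redis-master` on the cluster network can read and write the cache without credentials; the same setting is used for the `duplikate` and `searxng` Redis instances in this repo. Now that Vault is in place the cheap fix is to source a password from it — a VaultStaticSecret for `nitter/redis` plus `auth: { enabled: true, existingSecret: nitter-redis, existingSecretPasswordKey: redis-password }` — or at minimum a NetworkPolicy restricting ingress to the nitter pods. Whether such a NetworkPolicy already exists is not visible in this diff.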


@ -0,0 +1,11 @@
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: vault
namespace: piped
spec:
kubernetes:
role: reader
serviceAccount: default
method: kubernetes
mount: kubernetes


@ -0,0 +1,14 @@
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: postgres-piped
namespace: piped
spec:
destination:
create: true
name: postgres-piped
mount: kv
path: piped/postgres-piped
refreshAfter: 30s
type: kv-v2
vaultAuthRef: vault


@ -3,12 +3,5 @@ kind: Kustomization
namespace: piped
resources:
- CronJob-piped-refresh.yaml
# Requires a server-side Helm render and apply.
# helmCharts:
# - name: piped
# releaseName: piped
# version: 5.2.0
# repo: https://helm.piped.video
# valuesFile: ./helm.yaml
# kubeVersion: "1.30"
- VaultAuth.yaml
- VaultStaticSecret-postgres-piped.yaml


@ -0,0 +1,11 @@
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: vault
namespace: prometheus
spec:
kubernetes:
role: reader
serviceAccount: default
method: kubernetes
mount: kubernetes


@ -0,0 +1,14 @@
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: nextdns-exporter
namespace: prometheus
spec:
destination:
create: true
name: nextdns-exporter
mount: kv
path: prometheus/nextdns-exporter
refreshAfter: 30s
type: kv-v2
vaultAuthRef: vault


@ -0,0 +1,14 @@
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: nextdns-ts-exporter
namespace: prometheus
spec:
destination:
create: true
name: nextdns-ts-exporter
mount: kv
path: prometheus/nextdns-ts-exporter
refreshAfter: 30s
type: kv-v2
vaultAuthRef: vault


@ -0,0 +1,14 @@
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: prometheus-remote-basic-auth
namespace: prometheus
spec:
destination:
create: true
name: prometheus-remote-basic-auth
mount: kv
path: prometheus/prometheus-remote-basic-auth
refreshAfter: 30s
type: kv-v2
vaultAuthRef: vault


@ -1,19 +1,11 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: prometheus
resources:
- Deployment-nextdns-exporter.yaml
- Service-nextdns-exporter-metrics.yaml
- ServiceMonitor-nextdns-exporter.yaml
# Simply doesn't work for some reason :(
# helmCharts:
# - name: kube-prometheus-stack
# repo: https://prometheus-community.github.io/helm-charts
# releaseName: prometheus
# namespace: prometheus
# version: 61.1.0
# valuesFile: ./prometheus-agent.yml
# kubeVersion: "1.30"
- VaultAuth.yaml
- VaultStaticSecret-nextdns-exporter.yaml
- VaultStaticSecret-nextdns-ts-exporter.yaml
- VaultStaticSecret-prometheus-remote-basic-auth.yaml


@ -4,3 +4,4 @@ resources:
- Deployment-redlib.yaml
- Service-redlib.yaml
- Ingress-redlib.yaml


@ -0,0 +1,11 @@
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: vault
namespace: searxng
spec:
kubernetes:
role: reader
serviceAccount: default
method: kubernetes
mount: kubernetes


@ -0,0 +1,14 @@
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: searxng
namespace: searxng
spec:
destination:
create: true
name: searxng
mount: kv
path: searxng/searxng
refreshAfter: 30s
type: kv-v2
vaultAuthRef: vault


@ -1,4 +1,17 @@
apiVersion: kustomize.config.k8s.io/v1beta1
helmCharts:
- name: redis
releaseName: searxng-redis
repo: https://charts.bitnami.com/bitnami
valuesInline:
architecture: standalone
auth:
enabled: false
image:
registry: registry.redict.io
repository: redict
tag: 7.3-compat
version: 18.6.1
kind: Kustomization
namespace: searxng
resources:
@ -6,17 +19,5 @@ resources:
- Deployment-searxng.yaml
- Service-searxng.yaml
- Ingress-searxng.yaml
helmCharts:
- name: redis
releaseName: searxng-redis
version: 18.6.1
repo: https://charts.bitnami.com/bitnami
valuesInline:
auth:
enabled: false
architecture: standalone
image:
registry: registry.redict.io
repository: redict
tag: 7.3-compat
- VaultAuth.yaml
- VaultStaticSecret-searxng.yaml


@ -0,0 +1,11 @@
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: vault
namespace: smarthome
spec:
kubernetes:
role: reader
serviceAccount: default
method: kubernetes
mount: kubernetes


@ -0,0 +1,14 @@
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: hue
namespace: smarthome
spec:
destination:
create: true
name: hue
mount: kv
path: smarthome/hue
refreshAfter: 30s
type: kv-v2
vaultAuthRef: vault


@ -0,0 +1,10 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: smarthome
resources:
- homebridge.yaml
- hue.yaml
- VaultAuth.yaml
- VaultStaticSecret-hue.yaml


@ -0,0 +1,11 @@
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: vault
namespace: tclip
spec:
kubernetes:
role: reader
serviceAccount: default
method: kubernetes
mount: kubernetes


@ -0,0 +1,14 @@
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: tclip
namespace: tclip
spec:
destination:
create: true
name: tclip
mount: kv
path: tclip/tclip
refreshAfter: 30s
type: kv-v2
vaultAuthRef: vault


@ -4,3 +4,5 @@ resources:
- StatefulSet-tclip.yaml
- Service-tclip.yaml
- Ingress-tclip.yaml
- VaultAuth.yaml
- VaultStaticSecret-tclip.yaml


@ -0,0 +1,26 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: vault-auth
---
apiVersion: v1
kind: Secret
metadata:
name: vault-auth
annotations:
kubernetes.io/service-account.name: vault-auth
type: kubernetes.io/service-account-token
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: role-tokenreview-binding
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: system:auth-delegator
subjects:
- kind: ServiceAccount
name: vault-auth
namespace: default
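Review bot: The ClusterRoleBinding subject hardcodes `namespace: default` while the enclosing kustomization sets `namespace: vault-secrets-operator`, so the `vault-auth` ServiceAccount and its token Secret will be created in `vault-secrets-operator` but the binding may still point at `default/vault-auth`; whether kustomize's namespace transformer rewrites ServiceAccount subjects here varies by version, so confirm with `kustomize build` and otherwise change the subject to `namespace: vault-secrets-operator`. A mismatch fails closed (Vault's TokenReview calls are denied), but it also means anyone able to create a ServiceAccount named `vault-auth` in `default` would inherit `system:auth-delegator`. Since this account exists only so Vault — which appears to run outside the cluster at 192.168.50.147 — can review tokens, add `automountServiceAccountToken: false` to the ServiceAccount so no pod accidentally runs with it, and treat the long-lived token Secret as a credential with a rotation schedule.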


@ -0,0 +1,21 @@
apiVersion: kustomize.config.k8s.io/v1beta1
helmCharts:
- includeCrds: true
kubeVersion: '1.30'
name: vault-secrets-operator
namespace: vault-secrets-operator
releaseName: vault-secrets-operator
repo: https://helm.releases.hashicorp.com
valuesInline:
defaultVaultConnection:
address: https://secrets.gmem.ca
enabled: true
skipTLSVerify: false
tests:
enabled: false
version: 0.7.1
kind: Kustomization
namespace: vault-secrets-operator
resources:
- ./crb.yaml
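Review bot: `address: https://secrets.gmem.ca` sends the operator's Vault traffic out through the public ingress hostname, where TLS terminates at ingress-nginx and continues to Vault over HTTP (per the `backend-protocol: HTTP` annotation added in this commit), so the operator's client tokens and every fetched secret transit the ingress→Vault hop in plaintext. Point the operator at Vault directly with TLS on the Vault listener — e.g. `address: https://secrets.endpoints.svc.cluster.local:8200` plus `caCertSecret` referencing Vault's CA — so the secrets path no longer depends on the ingress at all. `skipTLSVerify: false` is correct and should stay explicit rather than being dropped as the default.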


@ -0,0 +1,11 @@
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: vault
namespace: vaultwarden
spec:
kubernetes:
role: reader
serviceAccount: default
method: kubernetes
mount: kubernetes


@ -0,0 +1,14 @@
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: vaultwarden
namespace: vaultwarden
spec:
destination:
create: true
name: vaultwarden
mount: kv
path: vaultwarden/vaultwarden
refreshAfter: 30s
type: kv-v2
vaultAuthRef: vault


@ -0,0 +1,6 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- VaultAuth.yaml
- VaultStaticSecret-vaultwarden.yaml
- deployment.yaml


@ -0,0 +1,11 @@
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: vault
namespace: vrchat
spec:
kubernetes:
role: reader
serviceAccount: default
method: kubernetes
mount: kubernetes


@ -0,0 +1,14 @@
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: vrchat-prometheus-adapter
namespace: vrchat
spec:
destination:
create: true
name: vrchat-prometheus-adapter
mount: kv
path: vrchat-prometheus-adapter
refreshAfter: 30s
type: kv-v2
vaultAuthRef: vault
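Review bot: `path: vrchat-prometheus-adapter` breaks the `<namespace>/<secret>` convention every other VaultStaticSecret in this commit follows (e.g. `piped/postgres-piped`), which looks like either a typo for `vrchat/vrchat-prometheus-adapter` or a key deliberately stored at the mount root. If the key really lives at the root, add a comment saying so; otherwise the operator will fail to sync and the dependent Deployment will not receive its secret. A root-level key would also fall outside a per-namespace Vault policy scoped to `kv/<namespace>/*`, should you adopt one.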


@ -4,3 +4,4 @@ resources:
- Deployment-vrchat-prometheus-adapter.yaml
- Service-vrchat-prometheus-adapter.yaml
- ServiceMonitor-vrchat-prometheus-adapter.yaml
- VaultAuth.yaml