Merge branch 'main' of ssh://git-ssh.martyn.berlin:2222/martyn/infra4talos

Signed-off-by: Martyn Ranyard <m@rtyn.berlin>
Martyn 2023-12-05 20:13:50 +01:00
commit 4d9bd7de6f
16 changed files with 490 additions and 7 deletions


@ -1,4 +1,8 @@
{{- $fullName := include "wg-access-server.fullname" . -}}
{{ $secretName := $fullName }}
{{- if .Values.config.existingSecret -}}
{{ $secretName = .Values.config.existingSecret }}
{{ end -}}
apiVersion: apps/v1
kind: Deployment
metadata:
@ -46,34 +50,43 @@ spec:
- name: WG_WIREGUARD_PRIVATE_KEY
valueFrom:
secretKeyRef:
name: "{{ $fullName }}"
name: "{{ $secretName }}"
key: privateKey
{{- end }}
{{- if .Values.web.config.adminUsername }}
- name: WG_ADMIN_USERNAME
valueFrom:
secretKeyRef:
name: "{{ $fullName }}"
name: "{{ $secretName }}"
key: adminUsername
{{- end}}
{{- if .Values.web.config.adminPassword }}
- name: WG_ADMIN_PASSWORD
valueFrom:
secretKeyRef:
name: "{{ $fullName }}"
name: "{{ $secretName }}"
key: adminPassword
{{- end}}
{{- if .Values.config.csiSecretsStore }}
- name: WG_CONFIG
value: /secrets/config.yaml
{{- end}}
volumeMounts:
- name: tun
mountPath: /dev/net/tun
- name: data
mountPath: /data
{{- if .Values.config.csiSecretsStore }}
- name: config
mountPath: /secrets
{{- else }}
- name: config
mountPath: /config.yaml
subPath: config.yaml
{{- end}}
readinessProbe:
httpGet:
path: /
path: /health
port: http
resources:
{{- toYaml .Values.resources | nindent 12 }}
@ -90,9 +103,18 @@ spec:
{{- if not .Values.persistence.enabled }}
emptyDir: {}
{{- end }}
{{- if .Values.config.csiSecretsStore }}
- name: config
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: app-secrets
{{- else }}
- name: config
configMap:
name: "{{ $fullName }}"
{{- end }}
{{- with .Values.nodeSelector }}
nodeSelector:
{{- toYaml . | nindent 8 }}
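Review bot: The CSI branch of the `config` volume hard-codes `secretProviderClass: app-secrets` instead of deriving the name from the release, so two installs of this chart in one namespace would share the same provider class, while the `configMap` branch right below correctly uses `"{{ $fullName }}"`. Both this line and the `name:` of the new SecretProviderClass template later in the commit should use the release name, e.g. `secretProviderClass: "{{ $fullName }}"`. It is also worth confirming that the chart's own Secret template (not in this hunk) is skipped when `config.existingSecret` is set; otherwise a second, unused Secret with a generated private key is still rendered alongside the one actually mounted. The enclosing Deployment template continues outside the hunk.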


@ -0,0 +1,13 @@
---
{{- if .Values.config.csiSecretsStore -}}
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
name: app-secrets
spec:
provider: {{ .Values.config.csiSecretsStore.providerName | default "1password" }}
parameters:
secrets: |
- resourceName: {{ .Values.config.csiSecretsStore.resourceName | default "vaults/3oh5jxmxvqvpuimu2lbuajtizi/allitems/nyamadlgfac4pmce4uexrhtuju/notes" }}
path: "config.yaml"
{{- end -}}
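Review bot: The `default` on the `resourceName:` line bakes a specific 1Password vault item path into the chart, which is environment data rather than a sensible chart default; the Argo Application in this commit already overrides it with a different item, so the default can never be right for anyone else. Making it mandatory, `resourceName: {{ required "config.csiSecretsStore.resourceName must be set" .Values.config.csiSecretsStore.resourceName }}`, removes the hidden coupling, and the illustrative path can live in the commented example in values.yaml. The `provider:` value should be quoted, `provider: "{{ .Values.config.csiSecretsStore.providerName | default "1password" }}"`, so a templated value cannot change the YAML type or be parsed as a flow collection. `name: app-secrets` has the same release-collision issue raised on the Deployment hunk.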


@ -1,5 +1,9 @@
# wg-access-server config
config: {}
config:
existingSecret: ""
csiSecretsStore: {}
# providerName: 1password
# resourceName: vaults/3oh5jxmxvqvpuimu2lbuajtizi/allitems/nyamadlgfac4pmce4uexrhtuju/notes
web:
config:
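Review bot: `existingSecret` is introduced without saying which keys the referenced Secret must provide, and the Deployment template reads `privateKey`, `adminUsername` and `adminPassword` from it. A comment above the key such as `# existingSecret: name of a pre-existing Secret with keys privateKey, adminUsername, adminPassword` would save the next operator a trip through the templates. The `csiSecretsStore: {}` comment block could also state that the map must be non-empty for the CSI branches in the templates to activate, since an empty map is treated as false by `if .Values.config.csiSecretsStore`.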


@ -0,0 +1,47 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: bazarr
name: bazarr
spec:
replicas: 1
selector:
matchLabels:
app: bazarr
template:
metadata:
creationTimestamp: null
labels:
app: bazarr
spec:
containers:
- image: hotio/bazarr:release
name: bazarr
ports:
- name: http
containerPort: 6767
protocol: TCP
volumeMounts:
- name: config
mountPath: /config
- name: series
mountPath: /series
- name: oldseries
mountPath: /oldseries
- name: films
mountPath: /films
volumes:
- name: config
persistentVolumeClaim:
claimName: bazarr-config-data
- name: series
persistentVolumeClaim:
claimName: smb-series
- name: oldseries
persistentVolumeClaim:
claimName: smb-oldseries
- name: films
persistentVolumeClaim:
claimName: smb-films
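Review bot: The container has no `securityContext` and no `resources`, and pulls the floating `hotio/bazarr:release` tag, so the deployed software changes silently on each pull and the pod is unbounded on the node. Pinning a version tag or digest, adding `resources` requests and limits, and, if the image supports it, a `securityContext` with `runAsNonRoot: true` and `allowPrivilegeEscalation: false` would bring it in line with a minimal hardening baseline; the cryptpad Deployment in this commit has the same gaps apart from its pinned image tag. `creationTimestamp: null` is `kubectl` export residue and can be dropped.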


@ -0,0 +1,35 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: smb-series
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
storageClassName: smb-series
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: smb-oldseries
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
storageClassName: smb-oldseries
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: smb-films
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
storageClassName: smb-films


@ -0,0 +1,11 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: bazarr-config-data
spec:
storageClassName: rook-ceph-block-ssd
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi


@ -0,0 +1,15 @@
apiVersion: v1
kind: Service
metadata:
labels:
app: bazarr
name: bazarr
annotations:
external-dns.alpha.kubernetes.io/hostname: bazarr.martyn.berlin
spec:
type: LoadBalancer
ports:
- port: 80
targetPort: 6767
selector:
app: bazarr
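Review bot: This Service publishes bazarr over plain HTTP on port 80 through `type: LoadBalancer` with an external-dns hostname, whereas the cryptpad manifests in the same commit go through the nginx Ingress with a cert-manager TLS certificate. Unless the LoadBalancer address is deliberately reachable only on a trusted network, routing bazarr the same way (a `ClusterIP` Service plus an Ingress with `cert-manager.io/cluster-issuer: letsencrypt`) keeps any credentials entered in its web UI off the wire in clear text. If the plain-HTTP exposure is intentional, a comment on the `annotations:` block saying so would stop the next reviewer raising it again.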


@ -0,0 +1,85 @@
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app.kubernetes.io/name: cryptpad
name: cryptpad
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: cryptpad
template:
metadata:
labels:
app.kubernetes.io/name: cryptpad
spec:
containers:
- image: cryptpad/cryptpad:version-5.5.0
command:
- /usr/local/bin/npm
- start
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 5
initialDelaySeconds: 30
periodSeconds: 10
successThreshold: 1
tcpSocket:
port: http
timeoutSeconds: 10
name: cryptpad
ports:
- containerPort: 3000
name: http
protocol: TCP
- containerPort: 3001
name: http-safe
protocol: TCP
readinessProbe:
failureThreshold: 5
initialDelaySeconds: 30
periodSeconds: 10
successThreshold: 1
tcpSocket:
port: http
timeoutSeconds: 10
terminationMessagePath: /dev/termination-log
terminationMessagePolicy: File
volumeMounts:
- mountPath: /cryptpad/blob
name: blob
- mountPath: /cryptpad/block
name: block
- mountPath: /cryptpad/config
name: config
- mountPath: /cryptpad/customize
name: customize
- mountPath: /cryptpad/data
name: data
- mountPath: /cryptpad/datasource
name: datasource
- mountPath: /cryptpad/datastore
name: datastore
volumes:
- name: blob
persistentVolumeClaim:
claimName: cryptpad-blob
- name: block
persistentVolumeClaim:
claimName: cryptpad-block
- name: config
persistentVolumeClaim:
claimName: cryptpad-config
- name: customize
persistentVolumeClaim:
claimName: cryptpad-customize
- name: data
persistentVolumeClaim:
claimName: cryptpad-data
- name: datasource
persistentVolumeClaim:
claimName: cryptpad-datasource
- name: datastore
persistentVolumeClaim:
claimName: cryptpad-datastore
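Review bot: `readinessProbe` and `livenessProbe` are byte-identical `tcpSocket` checks on port `http`, so readiness only gates traffic on the port being open, not on the application answering; an `httpGet` readiness probe (`httpGet: {path: /, port: http}`) would be more informative if the image serves that path, which should be confirmed. `terminationMessagePath` and `terminationMessagePolicy` are the API defaults and can be dropped. Mounting a PersistentVolumeClaim at `/cryptpad/config` means the application configuration is managed out of band rather than from this repository; if that is intended, a short comment on the `config` volume would make it explicit.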


@ -0,0 +1,63 @@
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
cert-manager.io/cluster-issuer: letsencrypt
external-dns.alpha.kubernetes.io/target: armnleg.martyn.berlin
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/configuration-snippet: |
more_set_headers "cross-origin-resource-policy: cross-origin";
more_set_headers "cross-origin-embedder-policy: require-corp";
nginx.ingress.kubernetes.io/cors-allow-origin: https://cryptpad-safe.martyn.berlin
nginx.ingress.kubernetes.io/enable-cors: "true"
labels:
app.kubernetes.io/name: cryptpad
name: cryptpad
spec:
rules:
- host: cryptpad.martyn.berlin
http:
paths:
- backend:
service:
name: cryptpad
port:
number: 3000
path: /
pathType: Prefix
tls:
- hosts:
- cryptpad.martyn.berlin
secretName: cryptpad-tls
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
annotations:
cert-manager.io/cluster-issuer: letsencrypt
external-dns.alpha.kubernetes.io/target: armnleg.martyn.berlin
kubernetes.io/ingress.class: nginx
nginx.ingress.kubernetes.io/configuration-snippet: |
more_set_headers "cross-origin-resource-policy: cross-origin";
more_set_headers "cross-origin-embedder-policy: require-corp";
nginx.ingress.kubernetes.io/cors-allow-origin: https://cryptpad-safe.martyn.berlin
nginx.ingress.kubernetes.io/enable-cors: "true"
labels:
app.kubernetes.io/name: cryptpad
name: cryptpad-0
spec:
rules:
- host: cryptpad-safe.martyn.berlin
http:
paths:
- backend:
service:
name: cryptpad
port:
number: 3000
path: /
pathType: Prefix
tls:
- hosts:
- cryptpad-safe.martyn.berlin
secretName: cryptpad-safe-tls
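Review bot: Both Ingress objects select the controller with the deprecated `kubernetes.io/ingress.class: nginx` annotation; `spec.ingressClassName: nginx` is the supported form and avoids silent non-routing once the annotation stops being honoured. The second object is named `cryptpad-0`, which says nothing about its role; `cryptpad-safe` would match its host, TLS secret and the `cryptpad-safe` Service added in this commit. The `configuration-snippet` annotation only works because the commit also enables snippet annotations on the controller, a cluster-wide setting whose risk is raised on the ingress-nginx Application hunk.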


@ -0,0 +1,101 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
labels:
app.kubernetes.io/name: cryptpad
name: cryptpad-blob
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 2500Mi
storageClassName: rook-ceph-block-ssd
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
labels:
app.kubernetes.io/name: cryptpad
name: cryptpad-block
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 2500Mi
storageClassName: rook-ceph-block-ssd
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
labels:
app.kubernetes.io/name: cryptpad
name: cryptpad-config
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
storageClassName: rook-ceph-block-ssd
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
labels:
app.kubernetes.io/name: cryptpad
name: cryptpad-customize
namespace: cryptpad
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
storageClassName: rook-ceph-block-ssd
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
labels:
app.kubernetes.io/name: cryptpad
name: cryptpad-data
namespace: cryptpad
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 2500Mi
storageClassName: rook-ceph-block-ssd
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
labels:
app.kubernetes.io/name: cryptpad
name: cryptpad-datasource
namespace: cryptpad
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
storageClassName: rook-ceph-block-ssd
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
labels:
app.kubernetes.io/name: cryptpad
name: cryptpad-datastore
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
storageClassName: rook-ceph-block-ssd
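Review bot: `namespace: cryptpad` is set on `cryptpad-customize`, `cryptpad-data` and `cryptpad-datasource` but not on the other four claims, which will instead land in whatever namespace Argo CD's destination supplies; mixing explicit and implicit namespaces makes the same kustomization behave differently under a plain `kubectl apply` from another context. Either drop the three `namespace:` lines or add it to all seven documents so the set is uniform. The claims also alternate between `2500Mi` and `1Gi` with no comment on why the blob, block and data volumes are sized differently.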


@ -0,0 +1,26 @@
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/name: cryptpad
name: cryptpad
spec:
ports:
- name: http
port: 3000
targetPort: http
selector:
app.kubernetes.io/name: cryptpad
---
apiVersion: v1
kind: Service
metadata:
labels:
app.kubernetes.io/name: cryptpad
name: cryptpad-safe
spec:
ports:
- name: http-safe
port: 3001
selector:
app.kubernetes.io/name: cryptpad
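Review bot: The `cryptpad-safe` Service on port 3001 is not referenced by either Ingress in this commit; the sandbox host `cryptpad-safe.martyn.berlin` routes to Service `cryptpad` port 3000, the same backend as the main host. Either the safe Ingress should target `name: cryptpad-safe` with `number: 3001`, or this Service is unused and can be removed; which is right depends on the CryptPad server configuration, which is not part of this commit. If it is kept, adding `targetPort: http-safe` makes the mapping explicit rather than relying on the default of the port number.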


@ -33,9 +33,9 @@ spec:
- name: l2announcements.enabled
value: "true"
- name: k8sClientRateLimit.qps
value: "30"
- name: k8sClientRateLimit.burst
value: "50"
- name: k8sClientRateLimit.burst
value: "100"
syncPolicy:
automated:
selfHeal: true


@ -16,6 +16,8 @@ spec:
parameters:
- name: controller.service.type
value: LoadBalancer
- name: controller.allowSnippetAnnotations
value: "true"
syncPolicy:
automated:
selfHeal: true
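Review bot: `controller.allowSnippetAnnotations: "true"` re-enables `configuration-snippet` annotations for the whole controller, which ingress-nginx disables by default because any principal able to create an Ingress in any namespace can then inject arbitrary nginx configuration into the shared proxy. It is being turned on for two `more_set_headers` lines on the cryptpad Ingress; if those headers are acceptable globally, the controller's `add-headers` ConfigMap option sets them without widening the snippet surface. If snippets must stay on, note in a comment next to the parameter that Ingress creation is now a privileged operation and keep RBAC on Ingress objects correspondingly tight. The enclosing Application spec starts outside the hunk.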


@ -0,0 +1,17 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: bazarr
namespace: argocd
spec:
destination:
namespace: bazarr
server: https://kubernetes.default.svc
project: default
source:
path: apps-kustomized/bazarr
repoURL: https://git.martyn.berlin/martyn/infra4talos.git
targetRevision: HEAD
syncPolicy:
automated:
selfHeal: true
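Review bot: `project: default` differs from the `apps` project used by the cryptpad Application in this commit; the built-in default AppProject permits any source repository, destination and resource kind, so this Application is not bounded by whatever restrictions the `apps` project carries. `project: apps` keeps it consistent and least-privilege. The `repoURL` also ends in `.git` while the other two Applications omit it; using the same form avoids a mismatch against an AppProject's `sourceRepos` patterns.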


@ -0,0 +1,17 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: cryptpad
namespace: argocd
spec:
destination:
namespace: cryptpad
server: https://kubernetes.default.svc
project: apps
source:
path: apps-kustomized/cryptpad
repoURL: https://git.martyn.berlin/martyn/infra4talos
targetRevision: HEAD
syncPolicy:
automated:
selfHeal: true


@ -0,0 +1,25 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: wg-access-server
namespace: argocd
spec:
destination:
namespace: wg-access
server: https://kubernetes.default.svc
project: infra
source:
helm:
parameters:
- name: web.service.type
value: LoadBalancer
- name: wireguard.service.type
value: LoadBalancer
values: |-
config:
csiSecretsStore:
providerName: 1password
resourceName: vaults/3oh5jxmxvqvpuimu2lbuajtizi/allitems/idkjj6oyua2fq6df4fkjzmh4ne/config.yaml
path: apps-helm/wg-access-server
repoURL: https://git.martyn.berlin/martyn/infra4talos
targetRevision: HEAD
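Review bot: This Application has no `syncPolicy`, unlike the bazarr and cryptpad Applications in the same commit which set `automated.selfHeal: true`, so it will drift until someone syncs it by hand; if manual sync is intentional for the VPN gateway, a comment saying so would be useful. The inline `values:` block passes `providerName: 1password`, which is already the chart's default and can be omitted, leaving only `resourceName`. Both `web.service.type` and `wireguard.service.type` become `LoadBalancer`; the WireGuard port needs that, but the admin web UI is then reachable over plain HTTP, so confirm it is meant to be exposed that way rather than behind the TLS Ingress used elsewhere in this commit.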