Merge branch 'main' of ssh://git-ssh.martyn.berlin:2222/martyn/infra4talos

Signed-off-by: Martyn Ranyard <m@rtyn.berlin>

apps-helm/wg-access-server/templates/deployment.yaml

@@ -1,4 +1,8 @@
 {{- $fullName := include "wg-access-server.fullname" . -}}
+{{ $secretName := $fullName }}
+{{- if .Values.config.existingSecret -}}
+{{ $secretName = .Values.config.existingSecret }}
+{{ end -}}
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -46,34 +50,43 @@ spec:
             - name: WG_WIREGUARD_PRIVATE_KEY
               valueFrom:
                 secretKeyRef:
-                  name: "{{ $fullName }}"
+                  name: "{{ $secretName }}"
                   key: privateKey
             {{- end }}
             {{- if .Values.web.config.adminUsername }}
             - name: WG_ADMIN_USERNAME
               valueFrom:
                 secretKeyRef:
-                  name: "{{ $fullName }}"
+                  name: "{{ $secretName }}"
                   key: adminUsername
             {{- end}}
             {{- if .Values.web.config.adminPassword }}
             - name: WG_ADMIN_PASSWORD
               valueFrom:
                 secretKeyRef:
-                  name: "{{ $fullName }}"
+                  name: "{{ $secretName }}"
                   key: adminPassword
             {{- end}}
+            {{- if .Values.config.csiSecretsStore }}
+            - name: WG_CONFIG
+              value: /secrets/config.yaml
+            {{- end}}
           volumeMounts:
             - name: tun
               mountPath: /dev/net/tun
             - name: data
               mountPath: /data
+            {{- if .Values.config.csiSecretsStore }}
+            - name: config
+              mountPath: /secrets
+            {{- else }}
             - name: config
               mountPath: /config.yaml
               subPath: config.yaml
+            {{- end}}
           readinessProbe:
             httpGet:
-              path: /
+              path: /health
               port: http
           resources:
             {{- toYaml .Values.resources | nindent 12 }}
@@ -90,9 +103,18 @@ spec:
         {{- if not .Values.persistence.enabled }}
           emptyDir: {}
         {{- end }}
+        {{- if .Values.config.csiSecretsStore }}
+        - name: config
+          csi:
+            driver: secrets-store.csi.k8s.io
+            readOnly: true
+            volumeAttributes:
+              secretProviderClass: app-secrets
+        {{- else }}
         - name: config
           configMap:
             name: "{{ $fullName }}"
+        {{- end }}
       {{- with .Values.nodeSelector }}
       nodeSelector:
         {{- toYaml . | nindent 8 }}

apps-helm/wg-access-server/templates/secretProviderClass.yaml

@@ -0,0 +1,13 @@
+---
+{{- if .Values.config.csiSecretsStore -}}
+apiVersion: secrets-store.csi.x-k8s.io/v1
+kind: SecretProviderClass
+metadata:
+  name: app-secrets
+spec:
+  provider: {{ .Values.config.csiSecretsStore.providerName | default "1password" }}
+  parameters:
+    secrets: |
+      - resourceName: {{ .Values.config.csiSecretsStore.resourceName | default "vaults/3oh5jxmxvqvpuimu2lbuajtizi/allitems/nyamadlgfac4pmce4uexrhtuju/notes" }}
+        path: "config.yaml"
+{{- end -}}

apps-helm/wg-access-server/values.yaml

@@ -1,5 +1,9 @@
 # wg-access-server config
-config: {}
+config: 
+  existingSecret: ""
+  csiSecretsStore: {}
+#   providerName: 1password
+#   resourceName: vaults/3oh5jxmxvqvpuimu2lbuajtizi/allitems/nyamadlgfac4pmce4uexrhtuju/notes
 
 web:
   config:

apps-kustomized/bazarr/deploy.yaml

@@ -0,0 +1,47 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app: bazarr
+  name: bazarr
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: bazarr
+  template:
+    metadata:
+      creationTimestamp: null
+      labels:
+        app: bazarr
+    spec:
+      containers:
+      - image: hotio/bazarr:release
+        name: bazarr
+        ports:
+        - name: http
+          containerPort: 6767
+          protocol: TCP
+        volumeMounts:
+        - name: config
+          mountPath: /config
+        - name: series
+          mountPath: /series
+        - name: oldseries
+          mountPath: /oldseries
+        - name: films
+          mountPath: /films
+      volumes:
+      - name: config
+        persistentVolumeClaim:
+          claimName: bazarr-config-data
+      - name: series
+        persistentVolumeClaim:
+          claimName: smb-series
+      - name: oldseries
+        persistentVolumeClaim:
+          claimName: smb-oldseries
+      - name: films
+        persistentVolumeClaim:
+          claimName: smb-films
+

apps-kustomized/bazarr/pvc-smb.yaml

@@ -0,0 +1,35 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: smb-series
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: smb-series
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: smb-oldseries
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: smb-oldseries
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: smb-films
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: smb-films

apps-kustomized/bazarr/pvc.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: bazarr-config-data
+spec:
+  storageClassName: rook-ceph-block-ssd
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi

apps-kustomized/bazarr/service.yaml

@@ -0,0 +1,15 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app: bazarr
+  name: bazarr
+  annotations:
+    external-dns.alpha.kubernetes.io/hostname: bazarr.martyn.berlin
+spec:
+  type: LoadBalancer
+  ports:
+  - port: 80
+    targetPort: 6767
+  selector:
+    app: bazarr

apps-kustomized/cryptpad/deploy.yaml

@@ -0,0 +1,85 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  labels:
+    app.kubernetes.io/name: cryptpad
+  name: cryptpad
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app.kubernetes.io/name: cryptpad
+  template:
+    metadata:
+      labels:
+        app.kubernetes.io/name: cryptpad
+    spec:
+      containers:
+      - image: cryptpad/cryptpad:version-5.5.0
+        command:
+        - /usr/local/bin/npm
+        - start
+        imagePullPolicy: IfNotPresent
+        livenessProbe:
+          failureThreshold: 5
+          initialDelaySeconds: 30
+          periodSeconds: 10
+          successThreshold: 1
+          tcpSocket:
+            port: http
+          timeoutSeconds: 10
+        name: cryptpad
+        ports:
+        - containerPort: 3000
+          name: http
+          protocol: TCP
+        - containerPort: 3001
+          name: http-safe
+          protocol: TCP
+        readinessProbe:
+          failureThreshold: 5
+          initialDelaySeconds: 30
+          periodSeconds: 10
+          successThreshold: 1
+          tcpSocket:
+            port: http
+          timeoutSeconds: 10
+        terminationMessagePath: /dev/termination-log
+        terminationMessagePolicy: File
+        volumeMounts:
+        - mountPath: /cryptpad/blob
+          name: blob
+        - mountPath: /cryptpad/block
+          name: block
+        - mountPath: /cryptpad/config
+          name: config
+        - mountPath: /cryptpad/customize
+          name: customize
+        - mountPath: /cryptpad/data
+          name: data
+        - mountPath: /cryptpad/datasource
+          name: datasource
+        - mountPath: /cryptpad/datastore
+          name: datastore
+      volumes:
+      - name: blob
+        persistentVolumeClaim:
+          claimName: cryptpad-blob
+      - name: block
+        persistentVolumeClaim:
+          claimName: cryptpad-block
+      - name: config
+        persistentVolumeClaim:
+          claimName: cryptpad-config
+      - name: customize
+        persistentVolumeClaim:
+          claimName: cryptpad-customize
+      - name: data
+        persistentVolumeClaim:
+          claimName: cryptpad-data
+      - name: datasource
+        persistentVolumeClaim:
+          claimName: cryptpad-datasource
+      - name: datastore
+        persistentVolumeClaim:
+          claimName: cryptpad-datastore

apps-kustomized/cryptpad/ingress.yaml

@@ -0,0 +1,63 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    external-dns.alpha.kubernetes.io/target: armnleg.martyn.berlin
+    kubernetes.io/ingress.class: nginx
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      more_set_headers "cross-origin-resource-policy: cross-origin";
+      more_set_headers "cross-origin-embedder-policy: require-corp";
+    nginx.ingress.kubernetes.io/cors-allow-origin: https://cryptpad-safe.martyn.berlin
+    nginx.ingress.kubernetes.io/enable-cors: "true"
+  labels:
+    app.kubernetes.io/name: cryptpad
+  name: cryptpad
+spec:
+  rules:
+  - host: cryptpad.martyn.berlin
+    http:
+      paths:
+      - backend:
+          service:
+            name: cryptpad
+            port:
+              number: 3000
+        path: /
+        pathType: Prefix
+  tls:
+  - hosts:
+    - cryptpad.martyn.berlin
+    secretName: cryptpad-tls
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    external-dns.alpha.kubernetes.io/target: armnleg.martyn.berlin
+    kubernetes.io/ingress.class: nginx
+    nginx.ingress.kubernetes.io/configuration-snippet: |
+      more_set_headers "cross-origin-resource-policy: cross-origin";
+      more_set_headers "cross-origin-embedder-policy: require-corp";
+    nginx.ingress.kubernetes.io/cors-allow-origin: https://cryptpad-safe.martyn.berlin
+    nginx.ingress.kubernetes.io/enable-cors: "true"
+  labels:
+    app.kubernetes.io/name: cryptpad
+  name: cryptpad-0
+spec:
+  rules:
+  - host: cryptpad-safe.martyn.berlin
+    http:
+      paths:
+      - backend:
+          service:
+            name: cryptpad
+            port:
+              number: 3000
+        path: /
+        pathType: Prefix
+  tls:
+  - hosts:
+    - cryptpad-safe.martyn.berlin
+    secretName: cryptpad-safe-tls

apps-kustomized/cryptpad/pvc.yaml

@@ -0,0 +1,101 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  labels:
+    app.kubernetes.io/name: cryptpad
+  name: cryptpad-blob
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 2500Mi
+  storageClassName: rook-ceph-block-ssd
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  labels:
+    app.kubernetes.io/name: cryptpad
+  name: cryptpad-block
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 2500Mi
+  storageClassName: rook-ceph-block-ssd
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  labels:
+    app.kubernetes.io/name: cryptpad
+  name: cryptpad-config
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: rook-ceph-block-ssd
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  labels:
+    app.kubernetes.io/name: cryptpad
+  name: cryptpad-customize
+  namespace: cryptpad
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: rook-ceph-block-ssd
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  labels:
+    app.kubernetes.io/name: cryptpad
+  name: cryptpad-data
+  namespace: cryptpad
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 2500Mi
+  storageClassName: rook-ceph-block-ssd
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  labels:
+    app.kubernetes.io/name: cryptpad
+  name: cryptpad-datasource
+  namespace: cryptpad
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: rook-ceph-block-ssd
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  labels:
+    app.kubernetes.io/name: cryptpad
+  name: cryptpad-datastore
+spec:
+  accessModes:
+  - ReadWriteOnce
+  resources:
+    requests:
+      storage: 1Gi
+  storageClassName: rook-ceph-block-ssd

apps-kustomized/cryptpad/service.yaml

@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/name: cryptpad
+  name: cryptpad
+spec:
+  ports:
+  - name: http
+    port: 3000
+    targetPort: http
+  selector:
+    app.kubernetes.io/name: cryptpad
+---
+apiVersion: v1
+kind: Service
+metadata:
+  labels:
+    app.kubernetes.io/name: cryptpad
+  name: cryptpad-safe
+spec:
+  ports:
+  - name: http-safe
+    port: 3001
+  selector:
+    app.kubernetes.io/name: cryptpad

everything-app/app-cilium.yaml

@@ -33,9 +33,9 @@ spec:
         - name: l2announcements.enabled
           value: "true"
         - name: k8sClientRateLimit.qps
-          value: "30"
-        - name: k8sClientRateLimit.burst
           value: "50"
+        - name: k8sClientRateLimit.burst
+          value: "100"
   syncPolicy:
     automated:
       selfHeal: true

everything-app/app-ingress-nginx.yaml

@@ -16,6 +16,8 @@ spec:
       parameters:
       - name: controller.service.type
         value: LoadBalancer
+      - name: controller.allowSnippetAnnotations
+        value: "true"
   syncPolicy:
     automated:
       selfHeal: true

everything-app/bazarr.yaml

@@ -0,0 +1,17 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: bazarr
+  namespace: argocd
+spec:
+  destination:
+    namespace: bazarr
+    server: https://kubernetes.default.svc
+  project: default
+  source:
+    path: apps-kustomized/bazarr
+    repoURL: https://git.martyn.berlin/martyn/infra4talos.git
+    targetRevision: HEAD
+  syncPolicy:
+    automated:
+      selfHeal: true

everything-app/cryptpad.yaml

@@ -0,0 +1,17 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: cryptpad
+  namespace: argocd
+spec:
+  destination:
+    namespace: cryptpad
+    server: https://kubernetes.default.svc
+  project: apps
+  source:
+    path: apps-kustomized/cryptpad
+    repoURL: https://git.martyn.berlin/martyn/infra4talos
+    targetRevision: HEAD
+  syncPolicy:
+    automated:
+      selfHeal: true

everything-app/wg-access-server.yaml

@@ -0,0 +1,25 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: wg-access-server
+  namespace: argocd
+spec:
+  destination:
+    namespace: wg-access
+    server: https://kubernetes.default.svc
+  project: infra
+  source:
+    helm:
+      parameters:
+      - name: web.service.type
+        value: LoadBalancer
+      - name: wireguard.service.type
+        value: LoadBalancer
+      values: |-
+        config:
+          csiSecretsStore:
+            providerName: 1password
+            resourceName: vaults/3oh5jxmxvqvpuimu2lbuajtizi/allitems/idkjj6oyua2fq6df4fkjzmh4ne/config.yaml
+    path: apps-helm/wg-access-server
+    repoURL: https://git.martyn.berlin/martyn/infra4talos
+    targetRevision: HEAD