diff --git a/.archive/kubernetes-schemas/app/helmrelease.yaml b/.archive/kubernetes-schemas/app/helmrelease.yaml new file mode 100644 index 0000000..10da4cd --- /dev/null +++ b/.archive/kubernetes-schemas/app/helmrelease.yaml @@ -0,0 +1,77 @@ +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: &app kubernetes-schemas +spec: + interval: 30m + chart: + spec: + chart: app-template + version: 3.5.1 + sourceRef: + kind: HelmRepository + name: bjw-s + namespace: flux-system + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + strategy: rollback + retries: 3 + values: + controllers: + kubernetes-schemas: + containers: + app: + image: + repository: ghcr.io/budimanjojo/kubernetes-schemas-web + tag: latest@sha256:6798cb1435f9928d93398b5ea00c6dd5ecc0aae0889278e17db1fa1b14117b5b + resources: + requests: + cpu: 10m + memory: 50Mi + limits: + cpu: 200m + memory: 128Mi + probes: + startup: + enabled: true + spec: + failureThreshold: 30 + periodSeconds: 5 + liveness: + enabled: true + readiness: + enabled: true + + service: + app: + controller: *app + ports: + http: + port: 8080 + + ingress: + app: + enabled: true + className: traefik + annotations: + cert-manager.io/cluster-issuer: "letsencrypt-production" + gethomepage.dev/enabled: "true" + gethomepage.dev/name: Kubernetes Schemas + gethomepage.dev/group: Tools + gethomepage.dev/icon: mdi-file-document + hosts: + - host: &host "k8s.${SECRET_INTERNAL_DOMAIN}" + paths: + - path: / + service: + identifier: main + port: http + tls: + - secretName: "{{ .Release.Name }}-secret" + hosts: [*host] 
diff --git a/kubernetes/main/apps/dev/kustomization.yaml b/.archive/kubernetes-schemas/app/kustomization.yaml similarity index 77% rename from kubernetes/main/apps/dev/kustomization.yaml rename to .archive/kubernetes-schemas/app/kustomization.yaml index d3a01e6..17cbc72 100644 --- a/kubernetes/main/apps/dev/kustomization.yaml +++ b/.archive/kubernetes-schemas/app/kustomization.yaml @@ -3,5 +3,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - ./namespace.yaml - #- ./windmill/ks.yaml + - ./helmrelease.yaml diff --git a/.archive/kubernetes-schemas/ks.yaml b/.archive/kubernetes-schemas/ks.yaml new file mode 100644 index 0000000..fb4ee61 --- /dev/null +++ b/.archive/kubernetes-schemas/ks.yaml @@ -0,0 +1,26 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app kubernetes-schemas + namespace: flux-system +spec: + targetNamespace: dev + commonMetadata: + labels: + app.kubernetes.io/name: *app + dependsOn: + - name: traefik + path: ./kubernetes/main/apps/dev/kubernetes-schemas/app + prune: true + sourceRef: + kind: GitRepository + name: k8s-gitops + wait: false + interval: 30m + retryInterval: 1m + timeout: 5m + postBuild: + substitute: + APP: *app diff --git a/kubernetes/main/apps/public/mataroa/app/helmrelease.yaml b/.archive/mataroa/app/helmrelease.yaml similarity index 94% rename from kubernetes/main/apps/public/mataroa/app/helmrelease.yaml rename to .archive/mataroa/app/helmrelease.yaml index 326f2f8..bc8793e 100644 --- a/kubernetes/main/apps/public/mataroa/app/helmrelease.yaml +++ b/.archive/mataroa/app/helmrelease.yaml 
@@ -33,9 +33,8 @@ spec: initContainers: init-db: image: - repository: ghcr.io/onedr0p/postgres-init + repository: ghcr.io/liana64/postgres-init tag: 16 - # https://github.com/onedr0p/containers/blob/main/apps/postgres-init/entrypoint.sh env: INIT_POSTGRES_HOST: &dbHost postgres-1-rw.database.svc.cluster.local INIT_POSTGRES_DBNAME: &dbName mataroa @@ -62,7 +61,7 @@ spec: tag: rolling@sha256:702eae37414c0b492b766771a50b9c8490b4a34259699eae3a7bdf284f2abad6 env: DEBUG: 1 - DATABASE_URL: "postgres://${PGUSER}:${PGPASSWORD}@mataroa:5432/mataroa" + DATABASE_URL: "postgres://${PGUSER}:${PGPASSWORD}@postgres-1-rw.database.svc.cluster.local:5432/mataroa" envFrom: - secretRef: name: *secret diff --git a/kubernetes/main/apps/public/mataroa/app/kustomization.yaml b/.archive/mataroa/app/kustomization.yaml similarity index 100% rename from kubernetes/main/apps/public/mataroa/app/kustomization.yaml rename to .archive/mataroa/app/kustomization.yaml diff --git a/kubernetes/main/apps/public/mataroa/app/secret.sops.yaml b/.archive/mataroa/app/secret.sops.yaml similarity index 100% rename from kubernetes/main/apps/public/mataroa/app/secret.sops.yaml rename to .archive/mataroa/app/secret.sops.yaml diff --git a/kubernetes/main/apps/public/mataroa/ks.yaml b/.archive/mataroa/ks.yaml similarity index 100% rename from kubernetes/main/apps/public/mataroa/ks.yaml rename to .archive/mataroa/ks.yaml diff --git a/kubernetes/main/apps/dev/windmill/app/helmrelease.yaml b/.archive/windmill/app/helmrelease.yaml similarity index 97% rename from kubernetes/main/apps/dev/windmill/app/helmrelease.yaml rename to .archive/windmill/app/helmrelease.yaml index b5d3fff..034b293 100644 --- a/kubernetes/main/apps/dev/windmill/app/helmrelease.yaml +++ b/.archive/windmill/app/helmrelease.yaml 
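Review bot: The init-db container is switched from `ghcr.io/onedr0p/postgres-init` to `ghcr.io/liana64/postgres-init` with the mutable tag `16` and no digest, and the comment linking to the entrypoint source is removed at the same time, so the image's provenance is now neither pinned nor documented; the main container in the next hunk pins `rolling@sha256:…`, and the same `tag: 16@sha256:<digest>` form (digest taken from the registry) would be consistent. If the publisher change was deliberate, a one-line comment naming where that fork's entrypoint lives would replace the one this hunk drops. Both hunks sit in a file being moved under `.archive/`, and nothing visible in this diff references that tree, so this only matters if the release is revived.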
@@ -74,6 +74,7 @@ spec: enabled: true className: traefik annotations: + cert-manager.io/cluster-issuer: "letsencrypt-production" gethomepage.dev/enabled: "true" gethomepage.dev/name: Windmill gethomepage.dev/description: Workflow engine diff --git a/kubernetes/main/apps/dev/windmill/app/kustomization.yaml b/.archive/windmill/app/kustomization.yaml similarity index 100% rename from kubernetes/main/apps/dev/windmill/app/kustomization.yaml rename to .archive/windmill/app/kustomization.yaml diff --git a/kubernetes/main/apps/dev/windmill/app/secret.sops.yaml b/.archive/windmill/app/secret.sops.yaml similarity index 100% rename from kubernetes/main/apps/dev/windmill/app/secret.sops.yaml rename to .archive/windmill/app/secret.sops.yaml diff --git a/kubernetes/main/apps/dev/windmill/ks.yaml b/.archive/windmill/ks.yaml similarity index 100% rename from kubernetes/main/apps/dev/windmill/ks.yaml rename to .archive/windmill/ks.yaml diff --git a/kubernetes/main/apps/auth/authelia/app/secret.sops.yaml b/kubernetes/main/apps/auth/authelia/app/secret.sops.yaml index 8c21bcb..a14fd89 100644 --- a/kubernetes/main/apps/auth/authelia/app/secret.sops.yaml +++ b/kubernetes/main/apps/auth/authelia/app/secret.sops.yaml 
@@ -6,20 +6,20 @@ metadata: name: authelia-secret namespace: security stringData: - AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD: ENC[AES256_GCM,data:FXVNmAF4uYvAl8C5TmLcqrSf0N212FvxC7prP0x0L9WRtYxNia7tl0SOXNiviT8Iuf3OQEdG451RXFKLgqcpHQ==,iv:Lsb9ljoxbN6iyiFG7TTqPTHtc5OOrl+TR/8pz83kCMc=,tag:NqnPayIgRN5FqY9IMb8V2w==,type:str] - AUTHELIA_SESSION_SECRET: ENC[AES256_GCM,data:Jd+xXGRUp/1JvSeIHMFkZEiIXNF6Og8i78EfNwKrLwv0haU1bAsX+DGXLz6YxqdwrrCBsJ+W9VNggPUa05Ky5w==,iv:iw+tNb67iXC/M0d6ihuiJFsCUYN0jxBERhpRwb3dc6M=,tag:KbJUDzNf1aSmK3JHl/41Dw==,type:str] - AUTHELIA_STORAGE_ENCRYPTION_KEY: ENC[AES256_GCM,data:12MJ1XuuSj2ysNdlL238aVrGFrkXbVqvo/Y46V9fKdtcV5lU4PwiFJwZt2m71YNITpdfJjCm9EZRBA3GYcpJQA==,iv:BqRYbwc7dkPbwuG9hrCHRwfVOwmnVvpSm8YbGAb6G48=,tag:HlzCRAj3Mpi2ZUh9N5VSKA==,type:str] - AUTHELIA_STORAGE_POSTGRES_USERNAME: ENC[AES256_GCM,data:DUQa97EzMUY=,iv:l7EFj4pwQGGfFrt8CLwuylKzbFh6UNBe9/ARFaz5LTU=,tag:+ODryqYm1NWMrGktVi0NDA==,type:str] - AUTHELIA_STORAGE_POSTGRES_PASSWORD: ENC[AES256_GCM,data:OUpIuVKtLGu37mxLYFmtWlPZxeh/NFNbkgE8tw==,iv:tr5nrRsgSBZ3F72IBIGHIh58R7RAMhjG+LT7JVyTGw4=,tag:NxSiCOAcBsQECRt+dsIXcA==,type:str] - AUTHELIA_NOTIFIER_SMTP_ADDRESS: ENC[AES256_GCM,data:GTGJKrhAjahAR3oSVfSySB8ZVZQ=,iv:Iz4m693bspgYRgWPtMe4eJwhuzURa94S3QgyreJCCbs=,tag:KlA3Hvircl5I4qt13gvFhA==,type:str] - AUTHELIA_NOTIFIER_SMTP_USERNAME: ENC[AES256_GCM,data:nS602NajWVfnDbsxp/+SSmoIdrrH773/txM5IlA=,iv:80JGSZ+I49LGUm2/uVuDuHxjhMMhStKgct3384Kkkgw=,tag:Kf21b45hGlkgaHJzHHyO7w==,type:str] - AUTHELIA_NOTIFIER_SMTP_PASSWORD: ENC[AES256_GCM,data:B21x05gGOxXyjP9o/LQR+H5tp1maILt0DwG59DVlal42XmxyLZXOEJmD4qRod6R8P04=,iv:fo3yX7km0gKhtq6zblGvwFk56Msjnu5NxnwI4drlxYg=,tag:Tz/pvTTrUHLNMwPSJGT0lA==,type:str] - #ENC[AES256_GCM,data:GS7H8x+FRf+Xx5ANHWXveW4U0QXNBZ5InOO8jaTi4EEos5ok9vinWmPu22h9gj6y+wgIv8GX1O2Sc7CNemQ4hr23fP3uwgKD369JSDb3U7M9xhsh8mA7jA==,iv:MsKk+Hlur9shsxwQXcZGAFEIAUZYxDxlSO4s/y7Bk28=,tag:A1rOym1+mTCYoeYHJztGXw==,type:comment] - GRAFANA_OAUTH_CLIENT_HASHED_SECRET: 
ENC[AES256_GCM,data:gGcK16/Evyv5XaOk0ITTrbsNdCuNoP2JUuAAk9gL/meLNNR44jAkWn8eBUe0ZIcucTAgo4DgtEfOIPzee5PA/TndSCEroivX+4vFkUh4slJ5y9NAN/yzcuC2P0JfydhE6Wl4WK0b25gm8mlUiTDPrGzhlYxshRxdmfxC52zslg+vaxOTqRUsReHJsqldyxhnctdzxgZ5FQylrMkI92piqRJV7cYKR6w2jy96n2F0lp4=,iv:rI+iQqOW0qTL6izm3MPLW4Bb58yeU9LXehLF3TioZlo=,tag:kKbGVG+MwnWeDkJ6TMk6Rw==,type:str] - #ENC[AES256_GCM,data:8qjPhCQZZE4LCKYbgtjiN6ABICxKR0rp74ZIbkQdVgPAdlzJQ2Ktz79xImtiEKNPsJUqXpI5pU8ojFvMRzQqR0GQ286/UEVbAfL05L8+3gIi6TFYKLKGbdQ=,iv:vM5/ouScE93c3PEMFl1tAVAfAo7MQiHgFlaItxm2gHo=,tag:u8SWmgA/Y7yAJpPSwNiZ+w==,type:comment] - MINIFLUX_OAUTH_CLIENT_HASHED_SECRET: ENC[AES256_GCM,data:cRDIaFBfjEGiGecAGvNErVcSreHL4JRP9BMiewhCzGoSr85MirnSy5kWZZs4VdTnkH73oQW1dvM9lcHqBYNECMssfoBzjobkWP4kOPzN+tIt5x3Y9iUGmzp8Ax80JBYxLhDZABrc4R3V4vTi8hcM92fzDGmUQqtP1h/8TwMh85o6m6xM/R1ww4W1UsTHzAPkBk3xltTFBTk9B3K97+B1Hbr2vUTnEDsxPqp6EjyeRLM=,iv:KtB3Jz/OvgwW0HDlvDaLQZKyrxxuKjmb0SrZdqHjPfo=,tag:NSePCkYujTp4lSNticzolg==,type:str] - OIDC_JWKS_KEY: ENC[AES256_GCM,data:GnKzzhqilCHF1Zi1NNfchRRyAMZvaTaSJMDdlVF59m373W0kFeD1LgKKc/Vk46T7NHEHWXxZ8TDm+pxLUsxzaWtSWxRQ2syk7CcepJbteX8d1+1tUEfNjWhU2GrYnjXHneQIlQkW+1eFV43WupibB45n3frKuBv+Ixj6b5MDCwVpWXCO8OuSkU48gCZP1wUbnoIKAJ7qUUCniU+PQH8uDhD2k6hFkjbTvDtK9FK1JMHUwiQbp/kj510WaSu7I57XsC/XdzEfe6uIZScvtOeF1fP0DZCFc9oLVajLcpe90f1ZBX+967etDn4qpNxaguDOe7/XoefZLHwl8CkwcnxDGZIn0yg/I/C5cx+LWQFOCtbqWluYP+OAThTWx/sIYFylMz/9b9gL7z+VvnnwgRAgSqe5kVJg7PWB1s73Svq1V/mnVyGJ6Ul+TMHOkokKrAN2IKayrlqdUoB9mMBu+LyH9oedrNs7dFC1gRmwzy1fGnDnNqM325S3EdwkN2wXM25mnfOScgpSxREUWV9CI0kwnXSpG5VQSwgetYbr5QWpQonylPoslKlSVi/I95PFwL25JGzEai/yVe+lV4MUa/w6/89gPGPDbFobkQL3GQfHTPPAxXa+2wUN6Fh1tDTTWZCUdsRs3hvmPXGO8qxJkEoBTt+XapnbOXSsCxRyy5KD2j1TPTUAK3UHfBhD+t/pmCrR2O4KdgJdNqUfqgIJhEBYyOZvLhnClnctDDZrvmV9c8sJEG2VFq3tN9rDeB9NKES3JRIfNAVsA8olAzHiDW5vvtUQ0KNB33CDGI3ramFtyQf6Jf17fVY2xklfBE8Sy91DUgF+UP/LpRs6nrpPPsx4HP983tAxbSA0C8wo+4p7lOaMjvIcvwcS4RR0Wqa7hprp2luhCMXk+cIm9ZjRFfTEZ7J8fFHfhHYI7kzxhlbO6TzATk5IlbecImW75q+9Gj6FyanFcj63FvIm5lGfh1jo+4iprKAcE9Px6aCVggplW
sH3ypOukQzf35wm4qc2sLhtMOMo+Psazv4f9XPVwgdBsoK+Oy86Jhj6aoWOnxtkphC7+rmwSA1GhQ/EMlod7JoRmwvgeBf0PCe8Y7xSY0jn58yk9xhgKKMcotW8uVuSwzEfSUSJ7YMW4Gv/ZKPQferaKEb3VoYcCiPtDi1KvzBd9hJ6SXLJEBjg+j9m4NKLJlJayi+zASRo0o1RLjYpPqpqMpkcEYvLIo6b/EevdpbSY+gtj8ear1YpTocb/DEaCUMQZii4hJQaISOjXfTxIexM1PKnIFHNsj2Syw8K3Nq7EYezbQ6QQnSFOLwZ2Nxi7A4VmADk9rsYkPsFfa/p+7X7bvGu9OKWbZkduULJ7DRbQ3kR46SC5Ra5PlfwLk8p1hmey36CgpLaJcA3xbXv4DH+QCzpYbwaRcknHzD/cxjACKganTuzTVD2W6j1MAiqaO6gL9re4Oi2wuASexdsyvO8wx6gwDT0AE4Q3fAr14R7LVkGY51D68RusqHS5OfjLPIhZ4J48/11MQFL+D06EJOU7WQYzvDEhmzJeJywqJnWY1/k7/sSB8kNgzSS+91tZZKxAl8GCqIvcoLFecl88ZmJKX3hVkvKpxlzdBA3mZdelsYvGR+CsEJPgqIjYri+u3sqKFJjf1lWvQAHklReyIoifSZGW/OybkT5qjwq6Kud9cxh+LTRTKdXza+l7S95p9UAV96eZZuk65W0RTtR+vY98+BqOvwpcqLjLZmOIPVqQOEwzT17bnGthmFZ7ZlxuKhde3i5+T95arWTIs3UPSv0xNBXhJLV4uVdUaR7jl9RR+miHa6mH2KrTk+CUdzNXtICtS5ukaidHKQsvJYk5F1m4XY7Sli1r4faTiX7cIYf2hzONUSJlLwrARQdKJRN/p6GUT2TvwpFPIzmwsPOH8y1djsm91D5wdfj16teHJz4mBUNHprkhODz/DXQJsrqVNwegiPX4yWCLYzlqrKF4pxs//TteKcRGHflvCmgvqWNW22A//vPMstP/klV/o8qK3bByGd19dSJxDG7AKC+qwKmf+N02/JZbxvKnGyVnlUFwIXmRAC2i970lZXJspoPEoiSz9o1RYb+6V9W1bOvb3wnfEeqW0I7Ur6fDNlQnnYsTQAolayZSfKNowk3nidUWibYo9C7WWE8Ds+IXH31kvi3iY5KXT6vNapKqBKjb4LOJY2YpuqKz6ygDZZhYppC/FdRD9HDdj+ZJnXqeaHqQmlrfu6uzCj/uTDIrrGTmnq0M0X8Mj9DAa06LNPzGpx0IySJA6rRX+OMk2V0G4l/bUxs0Dt+D4SB51rnoaEOv/Y1OKhuHO0lJNoj1sdfNalABk7Frgi0kqiOfv31QLGEcKnC9euLddY5e4EdGxUOaSBoJZkzsZ0RpAmw2lfnNJU4i2pgh5VTGcCvrQl2O6QpIJGfoBSAb/kfeqhVLwYHeHJDh5AS2C3q76lY/TT4/WShOGYMSqWoe5VjhqEFf+ruYgCUcU4Xf7V6N3J8zSF+oylV1tBJQDqFBhZvfZKkOqWSW8FwCBgSI6Yjl3SJaepqSaaqPn9JSQC/epqOtBq8Jk0yDeeLLRJbrcCSia3o+AqWhVFNaHDWplEaR4hmnbGIXc3+YJ+uzMF8dL0V/rqZwksN/k4N6z1qHz8UtVY/f8jDdiQWO+IMLhx4aICDPwNX/LA5++R4N4jLFBLpkHNU/JJ86BR3sWG6pD4L8dCsMO2NDHvjJJ3sGOoea6Dh0+Zpw5HyurOjhH5qafhZ/rkc5Q8l/dp7RjwOWp1hRT1BBJG/yaMVjpIWZiq/4fLFrapUROcgJOSM+iRjRlMF2X9pDOi7y/VSVKa4eIS+VPw/p9PZrf01h3yCLIKWzGbPtFsE8+sfRRCzdPNwsfxm/9VAnPhe2QyJ6+Gw1NplnJW9O9oPxiZVRrKxCIldB2wKiZ2cqjIDJkvWW2gvOhkZEwkdH9eHIDTGlWcrj7k33wM56Gna250eBjzYbh+8DhcrC
xXVJjCyz0aOmct3x7NukpHbUVk8EpqOPzK3BVh+RuLraVEH0cXUr5FzoqVHO3CjJ0TEN1K2pKO9sXAnZRAbHacePdXj0w3ygrNc9kBUoboB6NH0O+WnoBccW5Hvh/DP7zeb+5MPlU0vW9qcLEitMfL6lTlmf66Y+a6ogOWoE+BQB3Lk1DfKGKpmGPtmejEpjstz+H1/5DSOW7khQqfri3SbXnrE7V40qMx9epqvuWl+4v908sYtTcIe8ImN/OvFskXXi7oJU00kOXGFPkCYWoI4TV2LDrocrV0r332AFn/lhE9s4mMR5bhAh42M913T3NURTkIPccSg22mGnNoEEbnIyUza9Q/sdNPZ+p9YR8L+yyo6Yg2FCsT1egEkmayBgdyVLLY2nw+UrSs1Iec4LAY8D/ixSFXFHk+wXiXbFnN1i0LYXOWG+YDvOWMSWhyEyjom7fKq9UgXC+Rz+n0msP3G6GT+V5doX4JwUbCQiMaAoKjeVyKijx4xMKeIwTy3Q8b8s50gR5tHHYD1O1oE8bBXGL0lGD6qDkzMVPHqP5DRW0RJIjhjCRpLKqWm/e1aYIdl9E3VXNjdX2SlJsRnEuoFyJL2nexdMw9Bf39v0W5dbp/zoZAA8qBTJ+Kw+DIDM/aMtqXgt2cwii/Qexk3ImpTrF6+4q448Ie7ey4gikN0y8x3FXOrk7oualGLUUMh6pwV+ht5ONr2YJIrqMHx97x7TDNSEyQZKOqQM1LQQ6GT1ZGplGREVY2Yw03J8sV2PtL/qhRAtLG7415qohpe/iezIFUU4rTzNvPuduzRyjdiQkOv+6hODfust6t7r0JCucLf/dvvjPVOK/tsIAxUE2nJKtxBxSjWl3EmAd7FHHFlDhmddwCg7D5IPvSaIHaC8aPjUpvqcNjGAgj45MxvRYyOsxIX1oy9aBIiyYL/fBdvcHuNXQaN6M1JGS2fpIvX0Znah87vxbnjkyNtXJQsKP297DYXfQKM0LSrg01JL5Xwne8+L+VgpOh+/jdkBg64u+yAGBSnk/gbxE1UL/IqOXgtqbWpMDk0FErMz8dTJ0qKtJwfoo9fZMEUx/IxHGwRJuG09taNYWtIm4Sy5zYaOA6pro0iaTan+0FNDYSuQAoOpX+9qDjBJMQeWod/WVovTPdZYcKPmYnF6k/znKHRhmmdN/S83+Z+oPpAw/Q1JXEyolX8HnnsV4ACoPkOnEb0TCoucS+wPp4ATpW1r7SMZbZM7o+r83D7IVg9yA7aVcNM4UWIzmgykeZe28vjDmhOJ/3BbFaAb//zueWtQdPSMr/UXlpxg5dPGevpSbSyoO3FPMRpvnXEHy6+ZhbH/9b6h8xuFy8LjZkrtA==,iv:AL5stW2E6N+Xc9iJAwy4a+HmoNRx2KglBMO82PXnkO8=,tag:+aovjQZaxewz7kDPOXZFnw==,type:str] - OIDC_JWKS_CERTIFICATE: ENC[AES256_GCM,data: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,iv:JhsVfRZsp/+HjM+8sesoD1E8cvy3PUzOE17/6JGiqUs=,tag:c8r8YZtTFq02sRdakTCc9g==,type:str] + AUTHELIA_AUTHENTICATION_BACKEND_LDAP_PASSWORD: ENC[AES256_GCM,data:fSj36g21uZ3o1T1gMLiJB00atgY0XkGrS/i2UUBfnZOLyHLEFwjezUY6hj3IHtr1d3WGkkd0f3szIMfNX7Ar1g==,iv:tWzKcW+piwuiXZtqTpHrdPA2nzDMKiBdEjr+kHTdoeM=,tag:FG2pikcDBBEnOxIRYJmebw==,type:str] + AUTHELIA_SESSION_SECRET: 
ENC[AES256_GCM,data:WmAFNbE+Vw8Hd66VfYcgEbr0M+FetqwOALatgEbTQv166tm7e1wwoo22EkKF9IzpOs8IEQ0Nrr1MChugd/7Pcw==,iv:D1RWLkS0Z4JdoDF9Pk03IWOpC5cmJP6BAkJ7M+V224c=,tag:BKeyjKkHGl+tRoWzdiZXfQ==,type:str] + AUTHELIA_STORAGE_ENCRYPTION_KEY: ENC[AES256_GCM,data:VOqGiqIy6LRhjjQubS2MCWwiO7pxOzRQCwqcO/CuobxNbsP5voAaH4FA3tJAqADbRdQ6EJzqqiGFRmQZjcyNfw==,iv:TRHulGnl9J0poJGkIB0hmGKnNKuHC30ExtnaCIewBrI=,tag:5seAMHOBXFB6sAZhI1VfUw==,type:str] + AUTHELIA_STORAGE_POSTGRES_USERNAME: ENC[AES256_GCM,data:x0e2Udwrlgw=,iv:shqpMXVK6FbdtCk2bmgFwWLI6UOQ8JadQsSlzdJ8O8U=,tag:gBcQLfmmqcTvx0fNZQV/ug==,type:str] + AUTHELIA_STORAGE_POSTGRES_PASSWORD: ENC[AES256_GCM,data:Fo3memwrN4Y/3D3Sh6pNWZlJN3qp8iMAgjt5RA==,iv:2HqOK3zt7AZLzT9Cxrs1ztWs9YaNxGMBZNagNEBgJ10=,tag:jGt6vCUlYfqzZOY2Y32aWg==,type:str] + AUTHELIA_NOTIFIER_SMTP_ADDRESS: ENC[AES256_GCM,data:LA45EKObYX40kiDJFRrxjF72ap4=,iv:gKgxo54Vzvfa4S9Mf15Tg1KqBr7ifoLDn2x4wvVh+Zs=,tag:defx3kG0HaLOmt/2qpl7Vw==,type:str] + AUTHELIA_NOTIFIER_SMTP_USERNAME: ENC[AES256_GCM,data:Pa3x89QOEzxtVDrVf3zBl1nEj31w0LGKxyC6Rng=,iv:0TQeuIdNNmOFjt8wIwoaanycuz5sMZ/TzdpzlgOOddk=,tag:ZzQY0OuuSAO6ri4KbISUig==,type:str] + AUTHELIA_NOTIFIER_SMTP_PASSWORD: ENC[AES256_GCM,data:Iif673bqxdMPwtcSYRDCgCEPwGW8PJf9KED/uOIC6Kp0mg8dwyMnVo6GKswyzfmDCgA=,iv:H8FWx0+wUIzTKmTY532x2rTnzJTUvOZldHJ6RX5LS/Y=,tag:zydn2bpMf5qwQAxxSunrdg==,type:str] + #ENC[AES256_GCM,data:V0LfayajrGp7RS9Z1Hm6Ri7YDpCOuokfQH2Uqto02sokF1oVttb0DmsmmFr+3hYq2PFmAapXcRCX9YzCU0mCRGGF5iMhv4PTClthCTW4bH6wm5/UIWZE3w==,iv:dR+n+75T0a7ZxYOb4iDWaiEPbWGVrhMMdQBeCUJGnlU=,tag:5TOqh2HUaxmCqcAUGDV9Qg==,type:comment] + GRAFANA_OAUTH_CLIENT_HASHED_SECRET: ENC[AES256_GCM,data:uoETUYsB7OytGPXxpwk9vSwmlYNiLMcjIFKUirzpxcJoxUV9C36BTYqOZGUNJAXf/EGxoCB5bq3LOxdQJeWC1QHHQFoh00B8WWNM/aq3aOqRyeNyFkGC7mV+qh5IM17V8x1JSie9ERVC6WzT29ESCdOAo0Sw4dbWTiNEEdHqLcARinV0wsZls6DN3CFY16pyR6fCQbK17E9k0cIz36LcabFRTTfyrBN/a0eF5ZjU42s=,iv:Ln99e981bTirguT2ef+B5VY58nD7byL70m64XY6nJj8=,tag:8lKnVUAqL4fWxyuwiGOdCw==,type:str] + 
#ENC[AES256_GCM,data:QLlurNRDJBvi4s1fxoKqgwMsFCsa+SaOzrgPQ6A81y1TgizRINusUtOlpPUNH2voTb9vz75qySAN1i679nMnL2qJL5KS2+s9mLsOn3dEN3AuibOZlL/BF58=,iv:c6aZGU/CnkTVkUXM64YELelItc8CRec68JFE+0IesLk=,tag:9lBnD3OSoi2NLW8Ijiys4w==,type:comment] + MINIFLUX_OAUTH_CLIENT_HASHED_SECRET: ENC[AES256_GCM,data:yW8Om3vTpN1vNWoozPNhHkZ9h/teDx3sOQ2lC4tDvvft9xWW2qXo/s4ldjQVzcB+8O37qFlqK+n//+04qW8Rwvk51naVpkxOmP2AB+NL4u3f7tOv2iwnZonl85jsXtlzdytzLz4GFD16r6kez6aCj40AKYWaPSOfcEDGLv4Tma1ZE/gP8kKCaaALBw6zpVR20K9qzLWcf+9JwNytdY27cSwQgjqcUwR6rap5fInRbi4=,iv:Tc2/hffDpAJXVXVJfPfteHNderPeIpNjDFPy9nF6s/k=,tag:O82h5y4C5ZF8Wa0gWkCn1g==,type:str] + OIDC_JWKS_KEY: ENC[AES256_GCM,data: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,iv:Ph6kbILKlKrx6ISwsWmANj+ht8QcGDJcu0n3KHLe5Po=,tag:w/sF3EUj0miklK6O29BO3w==,type:str] + OIDC_JWKS_CERTIFICATE: ENC[AES256_GCM,data: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,iv:haZFJpgGzuLB8JMkM2tI9ItWAH47PQS+wa5gOJBZBek=,tag:UYG7F7ElMHDMG8DJP8nsvA==,type:str] sops: kms: [] gcp_kms: [] 
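Review bot: Every ciphertext under `stringData` changes here, including `AUTHELIA_STORAGE_ENCRYPTION_KEY` and `OIDC_JWKS_KEY`, and the hunk gives no way to tell whether the plaintexts were rotated or merely re-encrypted; the new age `enc:` block, `mac`, `lastmodified` and the sops `version` bump in the following hunk are consistent with a plain re-encrypt under a fresh data key, but they would look identical after a real rotation. If the storage encryption key's plaintext did change, Authelia cannot read its existing TOTP/WebAuthn/OIDC rows until the key migration (`authelia storage encryption change-key`) has been run with the old key, and a replaced JWKS key invalidates tokens issued under the previous one. Because the file is SOPS-encrypted a reviewer cannot diff the values, so the intent belongs in the commit message or a plain comment above `stringData`, e.g. `# 2024-12-22: re-encrypted with a rotated sops data key only; application secrets unchanged` (or the opposite, with the migration that was run).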
@@ -29,14 +29,14 @@ sops: - recipient: age19nu7uf8dageqlmzk23x7vl24fpn0l7cq20l3l4xxf2sk2xd5h98qss437p enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5ekhUM3RpNk5NM0V2M2Nj - b1ljV0xtMWp2d3gxazAyNCtiTURncHl2cVRZCkMzUU82N05WcUVxUGd6MXd4N21N - enU4TFBwc0ovOGJlQldHa2doTnQxcHcKLS0tIGVaT25yZENPWDZoaWg5ZWZ2dkFi - eUV4NFlTL3NkMTVycW5lQW5tb2NLd0UKx5u3VW+NR62DhnAYh50OAWdMaULtdSZc - YOZYsu7EzV2ssO+Q+g/2neUdTIpUuv3NZ2/U3JwfsqRY54bkkboijA== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBON1N3SGQ1VWVDcjAzV2Zp + Sm1LdHVJR1BjZzBRWXltVjRxYUY2UGdBeGtNCjUyUjJQZFVoWm9XT2xzZGdXNlo2 + RWZVdjMxak9CV1ZTRnpqV2xOcks0ZGMKLS0tIG1SUUtBdDF3djlDazdXZkVVQmRo + bTBwUnVwWEU3WnZYOVFPT3BCVy9lQlkK9SgI2StPa5TGRX9noHeupyLvETEcbxFh + LeNV+w1cDI2jkUTtDfrwiFOEDopMbagrbsu/A4UHn8ImnqVoW0Y6XQ== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-12-09T19:28:26Z" - mac: ENC[AES256_GCM,data:RnimgNedU+/rebVqoqOGE0H/lZuC2+TrHLSac7I1fRvgL+dMy+5F+TZ1Fmi6IQmBykhZE2kAUC5gyqeyefQByUjulPtnFI5/oqCt2i3XGpv9+t4uS28uuHDHpKAyF6NiuSBxpAu7VC+6vDxDS2hRafZmEYGQqnRkz1LmcHsHx6U=,iv:irTRihWnyVBvN1u4BbNjPnfgi3/0VyC0ufgs5eQLuJU=,tag:r7dXETjHKyFlF+R61MqsKw==,type:str] + lastmodified: "2024-12-22T21:11:58Z" + mac: ENC[AES256_GCM,data:UEXDi50bC/9Tad3Nxh9Jx4pesqfJ7jWBpD7gxUs2t4xVtrnKkVGe0Ul1qV1ZYxFeAYB7fmrMKehlJ+U/y1f0BjKklGkKuCjPWRQLwCAmvOIKHGyt0kIl7HrMQSqfJvCxVeL1xv4/MxK+MJUQCnUPrUo/MYKebEixj3fcEREHhR8=,iv:DUzhUHMTpwHArz8nJhz4O9L0RqCEmv1iuMCJBsyBQ3Y=,tag:JqNNHk5uWc1+gp071xlTQA==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ - version: 3.9.1 + version: 3.9.2 diff --git a/kubernetes/main/apps/bitwarden/bitwarden/app/helmrelease.yaml b/kubernetes/main/apps/bitwarden/bitwarden/app/helmrelease.yaml new file mode 100644 index 0000000..03e4be7 --- /dev/null +++ b/kubernetes/main/apps/bitwarden/bitwarden/app/helmrelease.yaml 
@@ -0,0 +1,205 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2beta2.json +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: bitwarden +spec: + interval: 30m + chart: + spec: + chart: self-host + version: 2024.11.0 + sourceRef: + kind: HelmRepository + name: bitwarden + namespace: flux-system + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + retries: 3 + values: + sharedStorageClassName: "cluster-nvme" + general: + admins: "${SECRET_ADMIN_EMAIL}" + disableUserRegistration: "false" + cloudRegion: US + enableCloudCommunication: true + sharedStorageClassName: "cluster-nvme" + volumeAccessMode: "ReadWriteOnce" + domain: "bitwarden.${SECRET_EXTERNAL_DOMAIN}" + ingress: + enabled: true + className: traefik + annotations: + gethomepage.dev/enabled: "true" + gethomepage.dev/group: Home + gethomepage.dev/name: Bitwarden + gethomepage.dev/description: Password management + gethomepage.dev/icon: bitwarden + tls: + name: bitwarden-tls + clusterIssuer: letsencrypt-production + paths: + web: + path: / + pathType: ImplementationSpecific + attachments: + path: /attachments/ + pathType: ImplementationSpecific + api: + path: /api/ + pathType: ImplementationSpecific + icons: + path: /icons/ + pathType: ImplementationSpecific + notifications: + path: /notifications/ + pathType: ImplementationSpecific + events: + path: /events/ + pathType: ImplementationSpecific + scim: + path: /scim/ + pathType: ImplementationSpecific + sso: + path: /sso/ + pathType: ImplementationSpecific + identity: + path: /identity/ + pathType: ImplementationSpecific + admin: + path: /admin/ + pathType: ImplementationSpecific + email: + smtpSsl: "false" + smtpPort: "465" + smtpHost: "${SECRET_SMTP_HOST}" + replyToEmail: "${SECRET_SMTP_FROM}" + secrets: + secretName: bitwarden-secret + database: + enabled: false + #volume: + # backups: + # storageClass: "cluster-nvme" + # data: + # 
storageClass: "cluster-nvme" + # log: + # storageClass: "cluster-nvme" + volume: + dataprotection: + storageClass: "cluster-nvme" + attachments: + storageClass: "cluster-nvme" + licenses: + storageClass: "cluster-nvme" + logs: + enabled: true + storageClass: "cluster-nvme" + # rawManifests: + # preInstall: [] + # postInstall: + # - apiVersion: traefik.io/v1alpha1 + # kind: Middleware + # metadata: + # name: "bitwarden-self-host-middleware-stripprefix" + # spec: + # stripPrefix: + # prefixes: + # - /api + # - /attachements + # - /icons + # - /notifications + # - /events + # - /scim + # ##### NOTE: Admin, Identity, and SSO will not function correctly with path strip middleware + # - apiVersion: traefik.io/v1alpha1 + # kind: IngressRoute + # metadata: + # name: "bitwarden-self-host-ingress" + # spec: + # entryPoints: + # - websecure + # routes: + # - kind: Rule + # match: Host(`bitwarden.${SECRET_EXTERNAL_DOMAIN}`) && PathPrefix(`/`) + # services: + # - kind: Service + # name: bitwarden-self-host-web + # passHostHeader: true + # port: 5000 + # - kind: Rule + # match: Host(`bitwarden.${SECRET_EXTERNAL_DOMAIN}`) && PathPrefix(`/api/`) + # services: + # - kind: Service + # name: bitwarden-self-host-api + # port: 5000 + # middlewares: + # - name: "bitwarden-self-host-middleware-stripprefix" + # - kind: Rule + # match: Host(`bitwarden.${SECRET_EXTERNAL_DOMAIN}`) && PathPrefix(`/attachments/`) + # services: + # - kind: Service + # name: bitwarden-self-host-api + # port: 5000 + # middlewares: + # - name: "bitwarden-self-host-middleware-stripprefix" + # - kind: Rule + # match: Host(`bitwarden.${SECRET_EXTERNAL_DOMAIN}`) && PathPrefix(`/icons/`) + # services: + # - kind: Service + # name: bitwarden-self-host-icons + # port: 5000 + # middlewares: + # - name: "bitwarden-self-host-middleware-stripprefix" + # - kind: Rule + # match: Host(`bitwarden.${SECRET_EXTERNAL_DOMAIN}`) && PathPrefix(`/notifications/`) + # services: + # - kind: Service + # name: 
bitwarden-self-host-notifications + # port: 5000 + # middlewares: + # - name: "bitwarden-self-host-middleware-stripprefix" + # - kind: Rule + # match: Host(`bitwarden.${SECRET_EXTERNAL_DOMAIN}`) && PathPrefix(`/events/`) + # services: + # - kind: Service + # name: bitwarden-self-host-events + # port: 5000 + # middlewares: + # - name: "bitwarden-self-host-middleware-stripprefix" + # - kind: Rule + # match: Host(`bitwarden.${SECRET_EXTERNAL_DOMAIN}`) && PathPrefix(`/scim/`) + # services: + # - kind: Service + # name: bitwarden-self-host-scim + # port: 5000 + # middlewares: + # - name: "bitwarden-self-host-middleware-stripprefix" + # ##### NOTE: SSO will not function correctly with path strip middleware + # - kind: Rule + # match: Host(`bitwarden.${SECRET_EXTERNAL_DOMAIN}`) && PathPrefix(`/sso/`) + # services: + # - kind: Service + # name: bitwarden-self-host-sso + # port: 5000 + # ##### NOTE: Identity will not function correctly with path strip middleware + # - kind: Rule + # match: Host(`bitwarden.${SECRET_EXTERNAL_DOMAIN}`) && PathPrefix(`/identity/`) + # services: + # - kind: Service + # name: bitwarden-self-host-identity + # port: 5000 + # ##### NOTE: Admin will not function correctly with path strip middleware + # - kind: Rule + # match: Host(`bitwarden.${SECRET_EXTERNAL_DOMAIN}`) && PathPrefix(`/admin`) + # services: + # - kind: Service + # name: bitwarden-self-host-admin + # port: 5000 + # tls: + # certResolver: letsencrypt-production diff --git a/kubernetes/main/apps/bitwarden/bitwarden/app/kustomization.yaml b/kubernetes/main/apps/bitwarden/bitwarden/app/kustomization.yaml new file mode 100644 index 0000000..95bf474 --- /dev/null +++ b/kubernetes/main/apps/bitwarden/bitwarden/app/kustomization.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./secret.sops.yaml + - ./helmrelease.yaml 
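Review bot: `disableUserRegistration: "false"` leaves self-service signup open on `bitwarden.${SECRET_EXTERNAL_DOMAIN}`, which this release publishes through an ingress with the `letsencrypt-production` cluster issuer and which also routes the `/admin/` and `/sso/` paths; for a private vault the safer setting is `disableUserRegistration: "true"`, with accounts invited or created from the admin portal. `smtpSsl: "false"` paired with `smtpPort: "465"` also looks inconsistent — 465 is the implicit-TLS SMTP port, so if the chart maps `smtpSsl` onto Bitwarden's implicit-SSL setting this either fails to connect or should be port 587 with STARTTLS; confirm against the mail provider before enabling. The `$schema` comment points at `helmrelease_v2beta2.json` while `apiVersion` is `helm.toolkit.fluxcd.io/v2`, unlike the other HelmReleases in this commit that reference a v2 schema. None of this is live yet, since `./bitwarden/ks.yaml` is commented out in `kubernetes/main/apps/bitwarden/kustomization.yaml`, so it can be fixed before the release is reconciled.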
diff --git a/kubernetes/main/apps/bitwarden/bitwarden/app/secret.sops.yaml b/kubernetes/main/apps/bitwarden/bitwarden/app/secret.sops.yaml new file mode 100644 index 0000000..ce98397 --- /dev/null +++ b/kubernetes/main/apps/bitwarden/bitwarden/app/secret.sops.yaml 
@@ -0,0 +1,34 @@ +# yamllint disable +kind: Secret +apiVersion: v1 +type: Opaque +metadata: + name: bitwarden-secret +stringData: + replyToEmail: ENC[AES256_GCM,data:7NR/XlAqsO4PtCNKQ890Njv6Qh2Jp6W/t0Lc8px7,iv:VznXZaMbwLda8LkrJDTc2UKurHRWqGTJ1T0/1C3VMus=,tag:Z+Wkfb7DqcaPam7AFrvWUw==,type:str] + globalSettings__installation__id: ENC[AES256_GCM,data:U091rHP2N4UjYgSdGrkDvSBZHQu9w8s75xWPCp6gfZ0773gW,iv:PZ2hBlqta/sclVQUtO6LYD/ZhL6e+Q+yDESxrt6CYjQ=,tag:1A/9gKzuflMqOktyoZ5adQ==,type:str] + globalSettings__installation__key: ENC[AES256_GCM,data:/pWJt9ElR+mgiv5m8I0Gdb5Z6H8=,iv:31bd6uhc45WMi41iACel8/YOjDjVTDxoR3Ok19+U43A=,tag:xtI3eCRActaFajUqVdxemw==,type:str] + globalSettings__mail__smtp__username: ENC[AES256_GCM,data:wGph7iTpKhvYXjsFKnPIFevGsJvgovvfNnIJPjFf,iv:o7l19Onw6PHMmk19e++zTArLmZrwSIAXgDpuwaDhjuo=,tag:ojY3lQFiP3G3oYeVQXri7A==,type:str] + globalSettings__mail__smtp__password: ENC[AES256_GCM,data:OQ3mROVpRAZ2MNFZtvRV0N74EPOaSdSvmaOJas1JCgEbHHNq0laLg5r2ufTYz9vA0aM=,iv:vB9ElILgqKyvY6wgQ8Nesg2pygGK9mcjIhEYGsHVWEQ=,tag:l84bsTR3twb3Al19FKezqA==,type:str] + globalSettings__sqlServer__connectionString: ENC[AES256_GCM,data:mJxp4MXvqV4T+/J7O0XX6+Z4kmo4IVFYvUPEBU0uaJ3w0YNcqPps+LH9pgFNOjwBWCAQ8QxvCH9ul2uSiYGhy41YjLsQD4X/UF1Hhimezc3IrexCDFkXXl4WIACAZjpQf6morvx9+/v0EvdxofP7auWQ2BGcid4lHYxO78gEAvPaueS+L0TerqEpEnxS26r2uMLOe2w5L0hxBKGQyWmWPx8mTAJXTgTaXAvKLT2G97JNa9a5EQSAPuBoi95F+CkQBEwbo6uwrcJS6DTWQmNefEdZ1D7Abp50zlpJfC7Tuf54tjnHyGya9EWEwc32mTadqCto047ySvDNNB2jgrG97HXvnqOo4LGpZn9jYGJsJZjVFibiy2+WHzgxDmU=,iv:Nq4LIbSDzk9WurGEPojUfRe8WqEOGO4t7WnfyYoupVo=,tag:yV7w9j9gRKuAsgsnxncUtA==,type:str] + #ENC[AES256_GCM,data:r7/63ugBvNNcFQGkau56LkG5lNH0NwvuA0OiRj0FOjAWlbf6sR7v5JOgIy97uMC+mBWy8A+OGZFO8p4bosrdrmzuomArHNnM4oWN498=,iv:2TaG5UkIEjLwPQpEZjOJdEviNNnSVi/e1lUUckJ+KqM=,tag:BPd/IOSUJvS1/mgPqqSlyQ==,type:comment] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age19nu7uf8dageqlmzk23x7vl24fpn0l7cq20l3l4xxf2sk2xd5h98qss437p + enc: | + -----BEGIN AGE ENCRYPTED 
FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFRGFTc01qRmdlMzZ0WE53 + OWtoUzBaMUp4T3FoYnJuVGhGODVna1RHYkRZCk0xWEVjOWp2YW9NZmE0MnNFYnJX + OEdHbkdsOWM4Tk44aTRVZ0VoNWorWDAKLS0tIHp2SE9Wd1lmTmV2eUFYRmRYNDZn + NFR5QkpIaFQ5Tk1FdGV3aUtzNTZsRXcKyNl9cFicgjcTiGkoQK/StLd7FEHGUVWD + hs8+h4ak+r++3+KpUay4aNqY09RtAzvUd4Vl3VQ2tYt/TOlDrgErHQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-11-29T17:22:46Z" + mac: ENC[AES256_GCM,data:+KthNzUdXl/XgnupjWiEdk8EHvHldUvUwfWT7FNpR+Pysl/fdI1fAK02rXOlY0ABCKpejSIobHipy3RkxTXiF6PPGTC4R0aoqxRvZjyXDCUaHc3F4KdYBH4vkGoBchosHJnOX0qymSEGbzJERRSjxEZ3JDg0JRIEB8jQtObGivs=,iv:w7XSWHs1RaDAuxsImvxDHo96T6qwaaYlXGZUP2nfqLg=,tag:QNSjFrABn8tf8nQlu5MXkw==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.9.1 diff --git a/kubernetes/main/apps/bitwarden/bitwarden/ks.yaml b/kubernetes/main/apps/bitwarden/bitwarden/ks.yaml new file mode 100644 index 0000000..2792893 --- /dev/null +++ b/kubernetes/main/apps/bitwarden/bitwarden/ks.yaml @@ -0,0 +1,20 @@ +--- +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app bitwarden + namespace: flux-system +spec: + targetNamespace: bitwarden + commonMetadata: + labels: + app.kubernetes.io/name: *app + path: ./kubernetes/main/apps/bitwarden/bitwarden/app + prune: true + sourceRef: + kind: GitRepository + name: k8s-gitops + wait: true + interval: 30m + retryInterval: 1m + timeout: 5m diff --git a/kubernetes/main/apps/bitwarden/kustomization.yaml b/kubernetes/main/apps/bitwarden/kustomization.yaml new file mode 100644 index 0000000..85537a8 --- /dev/null +++ b/kubernetes/main/apps/bitwarden/kustomization.yaml @@ -0,0 +1,6 @@ +--- +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./namespace.yaml + #- ./bitwarden/ks.yaml 
diff --git a/kubernetes/main/apps/dev/namespace.yaml b/kubernetes/main/apps/bitwarden/namespace.yaml similarity index 85% rename from kubernetes/main/apps/dev/namespace.yaml rename to kubernetes/main/apps/bitwarden/namespace.yaml index b237971..8fdd863 100644 --- a/kubernetes/main/apps/dev/namespace.yaml +++ b/kubernetes/main/apps/bitwarden/namespace.yaml @@ -2,6 +2,6 @@ apiVersion: v1 kind: Namespace metadata: - name: dev + name: bitwarden labels: kustomize.toolkit.fluxcd.io/prune: disabled diff --git a/kubernetes/main/apps/database/kustomization.yaml b/kubernetes/main/apps/database/kustomization.yaml index 0f79200..8af7c6f 100644 --- a/kubernetes/main/apps/database/kustomization.yaml +++ b/kubernetes/main/apps/database/kustomization.yaml @@ -8,4 +8,5 @@ resources: - ./cloudnative-pg/ks.yaml - ./pgadmin/ks.yaml - ./minio/ks.yaml + #- ./mysql/ks.yaml #- ./mssql/ks.yaml diff --git a/kubernetes/main/apps/database/mysql/app/helmrelease.yaml b/kubernetes/main/apps/database/mysql/app/helmrelease.yaml new file mode 100644 index 0000000..b66355e --- /dev/null +++ b/kubernetes/main/apps/database/mysql/app/helmrelease.yaml 
@@ -0,0 +1,61 @@ +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: &app mysql +spec: + interval: 30m + chart: + spec: + chart: app-template + version: 3.5.1 + sourceRef: + kind: HelmRepository + name: bjw-s + namespace: flux-system + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + strategy: rollback + retries: 3 + values: + defaultPodOptions: + imagePullSecrets: + - name: github + controllers: + mysql: + strategy: RollingUpdate + annotations: + reloader.stakater.com/auto: "true" + containers: + mysql: + image: + repository: ghcr.io/linuxserver/mariadb + tag: 10.11.10 + env: + PUID: "1000" + PGID: "1000" + MYSQL_ROOT_PASSWORD: password + service: + mysql: + controller: mysql + type: LoadBalancer + annotations: + io.cilium/lb-ipam-ips: "${LB_MYSQL}" + external-dns.alpha.kubernetes.io/target: "external.${SECRET_EXTERNAL_DOMAIN}" + ports: + mysql: + port: 3306 + persistence: + data: + type: persistentVolumeClaim + storageClass: cluster-nvme + accessMode: ReadWriteOnce + size: 8Gi + retain: true + globalMounts: + - path: /config diff --git a/kubernetes/main/apps/database/mysql/app/kustomization.yaml b/kubernetes/main/apps/database/mysql/app/kustomization.yaml new file mode 100644 index 0000000..8b3cc1a --- /dev/null +++ b/kubernetes/main/apps/database/mysql/app/kustomization.yaml @@ -0,0 +1,7 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./helmrelease.yaml + - ./secret.sops.yaml diff --git a/kubernetes/main/apps/database/mysql/app/secret.sops.yaml b/kubernetes/main/apps/database/mysql/app/secret.sops.yaml new file mode 100644 index 0000000..b7dd9e5 --- /dev/null +++ b/kubernetes/main/apps/database/mysql/app/secret.sops.yaml 
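Review bot: `MYSQL_ROOT_PASSWORD: password` hard-codes the MariaDB root password in plaintext in the HelmRelease, while the `mysql-secret` Secret added in the same commit (which carries a `MYSQL_ROOT_PASSWORD` key) is never referenced from the container, so the encrypted value is dead and the weak literal is what gets deployed. Replace the literal with a reference to the Secret under `containers.mysql` — `envFrom:`, `  - secretRef:`, `      name: mysql-secret` — and delete the `MYSQL_ROOT_PASSWORD` line from `env`; the `reloader.stakater.com/auto` annotation only does anything once the Secret is actually consumed this way. The service is `type: LoadBalancer` with an `external-dns.alpha.kubernetes.io/target` pointing at `external.${SECRET_EXTERNAL_DOMAIN}`, which publishes a DNS name for port 3306; whether that is reachable from outside depends on what answers at that target, but a database rarely needs a public record at all, so dropping the annotation or using an internal target is safer. `ghcr.io/linuxserver/mariadb` is pulled by the mutable tag `10.11.10` without a digest, unlike the `tag@sha256:` pinning used by other HelmReleases in this diff. The entry is still commented out in `kubernetes/main/apps/database/kustomization.yaml`, so these can land before anything is reconciled.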
@@ -0,0 +1,28 @@ +# yamllint disable +kind: Secret +apiVersion: v1 +type: Opaque +metadata: + name: mysql-secret +stringData: + MYSQL_ROOT_PASSWORD: ENC[AES256_GCM,data:itJLu2+bK6F4039pm+ygnm+4lXySO6oaF6E0PymgVljNxFOSQBX4iYVjc0P0ogxaseATaSPGFww=,iv:UmLA+Y+N9UPksuL70R/MWRsTNsqCuzmBK1UIMQ2s7v4=,tag:C9cukU/Daqkd4cI8rO3fBA==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age19nu7uf8dageqlmzk23x7vl24fpn0l7cq20l3l4xxf2sk2xd5h98qss437p + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMb1Q3THBzTnBNSUJDN3ky + dEFCeTlJWkFvMWFnV092ZmZ3ZG1PbEg4b1ZjCm9wK0s4ekdJK0VSaU5FQUdJdjdp + dmppZytiRThhQUhhU2JiYVVDTSthTjgKLS0tIEJFeHlIdGJFM1pJL042WEsrL1pp + SFlGZDcyNDQyR084bC9XYTBGRjMrYkEK0z0CF6EZPd8cniJTtCZNy26wRYXUs13c + F2wPUaGydg88EsYNaQYx6unQVj0QgwN5wgLpAh/Y0SnNXFetS2jkNA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-12-24T05:03:04Z" + mac: ENC[AES256_GCM,data:sbyMYCS+X+h2hJEQYV5S47IZ7qk8YxK20aCWEU7WkcSZP7kMvbxjhyptpoMeihU3PFbQjBLveYxWF2hdsUY/p1WZ3rihLSD5QluMhtn5ha0CZIj8B21aLtHohVq5QUI0Os5a4rxWfh3/rI8ayuS/zcbtAouFkV05cPZ8z2vu7W0=,iv:6baoBg2UyvrXjrxHM6klGcxm5ze3j/0mhT46ca8UpUM=,tag:NXek+0VfPz2T9GSztheOtw==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.9.2 diff --git a/kubernetes/main/apps/database/mysql/ks.yaml b/kubernetes/main/apps/database/mysql/ks.yaml new file mode 100644 index 0000000..bda67ba --- /dev/null +++ b/kubernetes/main/apps/database/mysql/ks.yaml 
@@ -0,0 +1,26 @@ +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app mysql + namespace: flux-system +spec: + targetNamespace: database + commonMetadata: + labels: + app.kubernetes.io/name: *app + dependsOn: + - name: traefik + path: ./kubernetes/main/apps/database/mysql/app + prune: true + sourceRef: + kind: GitRepository + name: k8s-gitops + wait: false + interval: 30m + retryInterval: 1m + timeout: 5m + postBuild: + substitute: + APP: *app diff --git a/kubernetes/main/apps/downloads/archivebox/app/helmrelease.yaml b/kubernetes/main/apps/downloads/archivebox/app/helmrelease.yaml index c95d843..8183054 100644 --- a/kubernetes/main/apps/downloads/archivebox/app/helmrelease.yaml +++ b/kubernetes/main/apps/downloads/archivebox/app/helmrelease.yaml @@ -119,3 +119,13 @@ spec: app: - path: /data subPath: ./data + nfs-media: + type: nfs + server: ${NFS_HOST} + path: ${NFS_MEDIA} + advancedMounts: + archivebox: + app: + - path: /data/r720xd-media + readOnly: false + #- path: "/data/r720xd-media/M Media/00-09 Archives/01 Backups/01.10 ArchiveBox" diff --git a/kubernetes/main/apps/home/homepage/app/secret.sops.yaml b/kubernetes/main/apps/home/homepage/app/secret.sops.yaml index bd2ca2c..2f9c3d4 100644 --- a/kubernetes/main/apps/home/homepage/app/secret.sops.yaml +++ b/kubernetes/main/apps/home/homepage/app/secret.sops.yaml 
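Review bot: The new `nfs-media` volume in archivebox/app/helmrelease.yaml mounts the whole `${NFS_MEDIA}` export read-write at `/data/r720xd-media` (`readOnly: false` is the default, so the key only documents the choice), while the commented-out path suggests a single ArchiveBox backup subfolder is what is actually wanted. If the container only needs that subfolder, narrow the mount to it (a `subPath` on the advanced mount) and set `readOnly: true` wherever write access is not required, so a misbehaving or compromised container cannot alter the rest of the share. The enclosing `persistence:` block starts outside the hunk.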
@@ -5,15 +5,15 @@ type: Opaque metadata: name: homepage-secret stringData: - HOMEPAGE_VAR_LATITUDE: ENC[AES256_GCM,data:+oayJpU0x7E=,iv:k+VHqGsbvS0DlTMpNXObZGJurJ3vrs4kEjNHXMnbdV4=,tag:+jcXAEylIXrjSGIFGVt/bw==,type:str] - HOMEPAGE_VAR_LONGITUDE: ENC[AES256_GCM,data:kQvg6M1AD3YX,iv:ZYJs9ghlZzFNOcqYJRlBysmWWmf2N7uo3G9UUiaNe1k=,tag:JKAkVg6S91I07Ka7oqLm8w==,type:str] - HOMEPAGE_VAR_OPNSENSE_API_KEY: ENC[AES256_GCM,data:EAWnYyMHXFWuO7iefrueR04kkTa9iy84SJfeZv2Lujvl8DpHRhF9a7q7dcJKhHLyoiZAAvvQC4IeENiGZTMe8voWs3YRR7Y9+iC9xTz7cYc=,iv:KiUIF31YYINue8mxz8NHLiCa1AyF3pjCknBYUmE0O4c=,tag:m9NhvBKWLMR9A3GpV0mvnA==,type:str] - HOMEPAGE_VAR_OPNSENSE_API_SECRET: ENC[AES256_GCM,data:TWPzdZqSa8UsU3B6wkx8XLDmUylHcEBjk83XYpP7nP3a2UZKYPST3mnJGf1Yqas5ZB3PCu56/rheObj6al/naek76RJxnTukE2oC/xGBxKc=,iv:qeCnqJDHmg+jF8c8MYLEjiXh7l/TrnVmvS29CXXPgp8=,tag:uPZC5NkzZQBBRiXdGgwMOA==,type:str] - HOMEPAGE_VAR_JELLYFIN_API_KEY: ENC[AES256_GCM,data:SpvFcmYuQf8FQ77urujzH1Jpx4gFiaf5bq3TE6vUmt4=,iv:q3riCnHKzhhmXGyip3Y4FPZTWV0AkGgxqdSjHkPb5wM=,tag:3n6zztaeklwGszsTDna/aA==,type:str] - HOMEPAGE_VAR_JELLYSEERR_API_KEY: ENC[AES256_GCM,data:FvXp+1uIfEYFhhy3RbyOdFgWD8yauBCoCvgaxegjbvikDDdwZ9+2aM+9nff7heeDn55uAR5R5RvxQ7UxlfTfG/BR7oU=,iv:x4y9ngDELtKehiVwIr/VAnvTP0IowjSDi39Ed6kSVd4=,tag:C1CaLA8Yy/shVIDyV0uOdw==,type:str] - HOMEPAGE_VAR_MINIFLUX_TOKEN: ENC[AES256_GCM,data:iqjEel0RpvXxNxVCO5bCcA48vc0ikPyODlKP5cnY8qDz2OQb/XkTBDB5QQ==,iv:vpnxC/3BMgmA1zXfjqBYPKLeB6ZnyxQMvTQ68f17tZc=,tag:C+ljve0qNz3W9YK4EyBT4Q==,type:str] - OPENWEATHERMAP_API_KEY: ENC[AES256_GCM,data:1rBsPkGTX0gpfW8+3aRSCafKsDo7uELpAvXs8oqLlw==,iv:MurRgocr1IhsNT5Euc6aEzIg4P89Q7bJBMORahIB7kg=,tag:yIxMRDPZ3DNI/rx5yYoi1Q==,type:str] - bookmarks.yaml: 
ENC[AES256_GCM,data:JAiTH0yhaDgHZoMhED17GV/A2m/CSgSiRNsuY0Yne/wP0a0ADBMEb6OOroT/wCRyyS7Fr0slF3sGwT+XOwiC9pwC+t42e11uEdtnD+iRdxwu4O6QNl/dwlwNzvyTCB3evGBcE+4P06SdKhIiWl9080oe0cw/pUCp1KosHsoui2S/74ga9kH9Ost+S3rH354QoO23OIQ2yEuRNvaiR6lURGu6LOXmVF9r2oAU4RX7oO1HHFn1SqeOP5k3Z0XbaiRd4mb5SgnPzlEjy4KhynsxHgcMINO8367/FZIorKg/MfJnIqvLr3zdedwsa7TQdzyOT0YMCiR2sqwUQgEFAahR2RKeAlrLt+ZJFls+sqMfLEkHeaXQZRvgWmYZx48manSqzeeNNfY0M2uS2BuCWmejBqJtnmY4+YjM+B4Tp/5+BCnkRgeWheNAbMOOwT+6pimBxx2CKH+blxQSLj0tuXRlht6GFggXN0sKcNCfTHQZTF90hdsXypmnLlbf+tC0QTZM27TPX5OBbBvvT+HLJUTiOmFwY/nToT7pzAX/rJOLdIfLDqFkAqbSPwAfpG85DOF481XJi1gibzPGlpNJWaxgE2u4MMGz4TlOxzOpfH5XwFE8rMh/fitYdQvLBRYc3d/rhOQ8g3F0355BJD/oWru2hBGWqYN7quE0FcDcMXi7yXOrhk+mZRXoh5xpVEeo4Bb9IaPLhL+5JWEVwASbXitdLFVCenSbfCQ/S9W28EIkTlqAgWnsrQwb3BsOzmafz5F0Mkhzd1c6IaaB1n0GxUx9BJlvNG5lR/Lvj5Oqr1NeBsWqLASoavoY5XaMrdFzKwafWCA9YpJ7iZwxd1Todu7XvPQQT7W/a8ycGKdxqYf5vlvtfTpYCTQ+xMQPNHFq1rVhykJcslcTcAol/VSFjMqGKT6KRnNquIAjlZ6qvnnrL/jfJl/z7bjRNMWsktp9kY8JtmTAWtCtbkhL04lhXwYUfb56LKMs060Prl5HSxC3LKIoZIre1AL4pbBhzxYJLUoBWABPfSFP,iv:Z5OUC11huYzfPP/fx0z3MS6pC3KRcHySDtpdc+n2+SQ=,tag:MN+NLCw9dARa2onNARgD9w==,type:str] + HOMEPAGE_VAR_LATITUDE: ENC[AES256_GCM,data:teu5Iya1hz4=,iv:CXabbI8kVv2X4uoYb7QBq5OOnLlP9EPRyc00rG1UU68=,tag:NlyaiMHCmazmS5l4w4ewGA==,type:str] + HOMEPAGE_VAR_LONGITUDE: ENC[AES256_GCM,data:JOB3jKdcTeIk,iv:dKyXV/lq1PDaC88t2Dva41XE4dF+w0J1v18BCMB4sBU=,tag:hwyzS9g91J7qeGxzzOS2cw==,type:str] + HOMEPAGE_VAR_OPNSENSE_API_KEY: ENC[AES256_GCM,data:xSj1O6znu2YyRNUo+aVdjWIR+4ODeA92ZtiA5VENY8GJczzF27vDXcOMSsLMUHmvFEFBdSxJSRIX+SghgnVxEtl6N5moMfYgAf/OR69Dm3g=,iv:PCwX8Gwc19xgfhaRKtD5l4d6fZaE7mgsTGKmyd7ICKE=,tag:ORBR41NJF2Gb7CnO04GrRA==,type:str] + HOMEPAGE_VAR_OPNSENSE_API_SECRET: ENC[AES256_GCM,data:Awa7d1YjadmYV1EH8hmkyQzUxOue3mQEj7A7ZIQesjH6TXxrc483/vWg6N2Gjaat73i5dPY7gd6XirxqDL9GpTjJ8kPnHl9a/EFyelV/tDI=,iv:wEhpovpIii0hfqe0ThIomlqWaPltKu9zGzKT8BESTkE=,tag:eT8wivNLmgMYeSXfomNr+Q==,type:str] + HOMEPAGE_VAR_JELLYFIN_API_KEY: 
ENC[AES256_GCM,data:ZuoFl6hao96WU/tErmEuKX2dyejiiZ1WubZCIEizJyg=,iv:9+0nsjUlAplvreL7SgdzsbKjWWgXz4PPJDiiVVVtMOQ=,tag:3djuZ5Pr2s3rk3n4hGWO9g==,type:str] + HOMEPAGE_VAR_JELLYSEERR_API_KEY: ENC[AES256_GCM,data:xa1Oe2ppsLNDbCTFKqBJc3K+7GjvyTdvmZ/xrVehwE7/vXGHCzpTPsgzeAOtTWiHuqmG//e9G2pVjgPUOTr+Ps44qd0=,iv:bM8Q2PCzwocgh7JtIWeZSFv/T5XAORXbrpaUB8EjwS8=,tag:90NyPW0gNSclBNbwfR8t0Q==,type:str] + HOMEPAGE_VAR_MINIFLUX_TOKEN: ENC[AES256_GCM,data:5yoOUHqyoucxokJO+Xm4ovi8dIo6t0ZM6i3YpmOEH1q7iMn/wMjo1JsZqw==,iv:6hZ91KDKzHp19fJT2NJPeRFN/cKaidAV1+so/ZBXOSw=,tag:ZaOvASxLMYpKxihwiBigog==,type:str] + OPENWEATHERMAP_API_KEY: ENC[AES256_GCM,data:et/vw+MqQQqnBb9eBuv9srdT4y2ePyKlny8Tw4zvYQ==,iv:RAhut9E/zoa2IULMRgEpd2ijzQbg7jqRzx9XsimRCo0=,tag:fD/SoU8T37/4VOhF/T1Mfw==,type:str] + bookmarks.yaml: ENC[AES256_GCM,data:C3VxowJMsToWtByYmiwbrAr/FoZjS0KlzH1hnvyEB4rz+lxat07iFOYIey6PkBQ3SPkjfcaVhxd4nYBITz4W9fbUI3/H6k6Itg8L1gkTvGEYR0IAx6RlxRKdyAgP8iuwZC87p209MfUDLg6jBKM7YvanPAaUSqYh0tYi+sTusvp524HNIEkn0VvWYsIpAVSfPlkILsniwWZ9l/7/ozkKvWAM58AaKkz8YEplKqkvy7Rlx5r2chcyhQpNBETy8XA5+U+GCgSTzqwnVhOB0d1L+w3OvG4Js0hvl5xy8UOi7uBjHcZkcCdNUlidGhFlI1NQ0APcm14nYVBejSsexrhKkScfcqdR4uV+XKn2ryBcSkWrsBD6Ky+LOMsahCbVo+OCki/YK5FJ8EsHCJn1Z6JL1B7uREizt4fhyARAHlQndJVCRT7g0SlLZ7OqHymN2a5YcIR0atiBu/Ht0ZWG1zEY+HOc9LrwYuHoTjDql0oGaKF6KIQOI6wA5JLceBgLqV60FeWV1N19W+g6PDFSNYMS3f0kvJyJf4888vJpZI1XC5wr6KDLD38ChMHCMRzAuI0wN28HYx4+wmjk88cuax2u2f6a92/92weYLWMZ0X1ebXUf+13mnROU2N9vI5yuU24H3gmJbBkMpXNoI/R7NzFiF3rlRs0r4rUke9a+qITjOoM3e624hds/eCbsiv/hdY8Njb6N9jMIX7fReurHcV4XYPl7oWZKd0PUS4j4gCWTiKGqCzhR8UQxV/6lHNXIAOBmmJfoTJ+YnIwcSovDamDkqZZKC3PiO3/7tfqsJds228mNK61/XHspFiJU0hRfPWwtVWhzwhFkLyWq4A2sHOiIyaEWKkmfYUGcAmHbIU/oCoPxfcQVQNPghUVLRJwAtt0UdYoJWvyNqRGriuzGkasXkxv94srKlH7BebTnnlnGeujX4Dt2R6vPipX8fVMHiHfO8hosPOuQprXy58DXleN2ckRpeNIUBvjFJTO40Kg89yXgXLYjQjZZh6Wqx0jwlU6j8baMAt5x,iv:J+REbDBl0p98/D8VsjfAD72sYeXKS9xSIPFhxkpe9M8=,tag:8YeenqnIA5GYi/+ParOzCg==,type:str] sops: kms: [] gcp_kms: [] 
@@ -23,14 +23,14 @@ sops: - recipient: age19nu7uf8dageqlmzk23x7vl24fpn0l7cq20l3l4xxf2sk2xd5h98qss437p enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUUFBNdk5xSTI2bTdNR2Nk - bmw1T2tROXB5cDdJdWU4SGNuai9WVEhHeXhFCnVtWkNYVG9LZGtJWFFqWXExVzFv - eTlQYWhlOUJLR0tzN3VZS2NvTitRQ2sKLS0tIExSSnlLNlRXSkJETmthYzk3Qnhy - Q1UwcUtNMXNtcWsyaDltMlBOOFpIS0kKOfyKmMwnRI0lSftf4PonTPAtnMK5Lv8p - FZNW4t4CiDTKHuRmOceiKHLrKwacozxT0qyF5NTFoABIJ6uQltZwhw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkc1hyV3pxdVRvVTI0TEx5 + QXR0akcvWWUrdjBEWlU2ZXMxM2xOMTdhWEZ3Ckg2M3VIRFcvQUFxSDVyMHd6QWFp + b3RWeG5RSVBrYWp1WVJTK0ZSeFFINjQKLS0tIHN3VG5qTUVpMkpKMW9WR2VqVHZ5 + L2tTZTZrK1U1N3NWK0dKM1NDTjB2Y2cK/Pi/9Rhd8lAueoplZOnZUguhnliFPpkn + ccGD1S3bz459b4b4+0GqlZQBx2o3WJApsj5Oxuxkp4YwJoUIa04OPA== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-12-17T02:13:26Z" - mac: ENC[AES256_GCM,data:e7gB7qbrJYszp66B7ApoUl+2kHzfMnw1sf984mLZAbhtm+tegN+/9vrFL8dWteNWvhxKWr92jhyElqnYeimsWTqJc9lSmYD1ZTS1NbW/X944dH9+ozoyfoaoN16vRMxRgPoIO6RgjRzMC7ULOnQMAjMVn6cImden6NzrMmskqsQ=,iv:VoBtD8UODfCqQTjAZra4cT664DOJM1CO7AghH+IFTvw=,tag:gEunp12cSythclZc0McFrA==,type:str] + lastmodified: "2024-12-28T01:33:39Z" + mac: ENC[AES256_GCM,data:hDvD9EuRjLC5VyewkdMCYRLHhhtHF9v+PeudNVqaO+0qScz1/NGqhBAPbHqj5oq7EMhVAdbevDJl1jmm3fjseJi15s45AIdmskLIA+hUzdcy8eZenpEfebjFgIPWqDLJDVbqcjLtgrCqXWbnWZdMyz/FvoPCjUAQeE28OuZhZGY=,iv:BJ7aOL2r+Mb4PFHtu+bmKGQF6Pgub8Foyn/zGwhcIMA=,tag:xugZkDi+hLDOldcIF60yDw==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ version: 3.9.2 diff --git a/kubernetes/main/apps/kube-system/cilium/app/helm-values.yaml b/kubernetes/main/apps/kube-system/cilium/app/helm-values.yaml index 7b73c08..0593bed 100644 --- a/kubernetes/main/apps/kube-system/cilium/app/helm-values.yaml +++ b/kubernetes/main/apps/kube-system/cilium/app/helm-values.yaml 
@@ -2,7 +2,10 @@
## BPF Masquerade should be enabled for use with Talos and host DNS (`machine.features.hostDNS.forwardKubeDNSToHost`)
## CNI exclusivity should be false and endpoint routes enabled for use with Istio
##
-########
+## Sizing the client rate limit (`k8sClientRateLimit.qps` and `k8sClientRateLimit.burst`) is important when using L2 announcements due to increased API usage
+## See: https://docs.cilium.io/en/latest/network/l2-announcements/#sizing-client-rate-limit
+##
+#############
---
autoDirectNodeRoutes: true
@@ -30,9 +33,11 @@ k8sServiceHost: 127.0.0.1
k8sServicePort: 7445
kubeProxyReplacement: true
kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256
-bgp:
- announce:
- loadbalancerIP: true
+k8sClientRateLimit:
+ qps: 50
+ burst: 200
+#bgpControlPlane:
+# enabled: true
l2announcements:
enabled: true
loadBalancer:
diff --git a/kubernetes/main/apps/kube-system/cilium/config/bgp.yaml b/kubernetes/main/apps/kube-system/cilium/config/bgp.yaml
new file mode 100644
index 0000000..3b8723b
--- /dev/null
+++ b/kubernetes/main/apps/kube-system/cilium/config/bgp.yaml
@@ -0,0 +1,28 @@
+---
+apiVersion: cilium.io/v2alpha1
+kind: CiliumBGPPeeringPolicy
+metadata:
+ name: bgp-peering-policy
+ spec:
+ virtualRouters:
+ - localASN: 64801
+ exportPodCIDR: true
+ neighbors:
+ - peerAddress: "10.0.0.1"
+ peerASN: 64800
+ eBGPMultihopTTL: 10
+ connectRetryTimeSeconds: 120
+ holdTimeSeconds: 90
+ keepAliveTimeSeconds: 30
+ gracefulRestart:
+ enabled: true
+ restartTimeSeconds: 120
+---
+apiVersion: cilium.io/v2alpha1
+kind: CiliumLoadBalancerIPPool
+metadata:
+ name: bgp-pool
+ spec:
+ allowFirstLastIPs: "Yes"
+ cidrs:
+ - cidr: 172.28.0.0/24
diff --git a/kubernetes/main/apps/kube-system/cilium/config/kustomization.yaml b/kubernetes/main/apps/kube-system/cilium/config/kustomization.yaml
index a3562ae..2b4a6d4 100644
--- a/kubernetes/main/apps/kube-system/cilium/config/kustomization.yaml
+++ b/kubernetes/main/apps/kube-system/cilium/config/kustomization.yaml
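Review bot: In the new bgp.yaml both documents appear to indent `spec:` under `metadata:` (the hunk shows `+ spec:` with the same leading spacing as `+ name:`, whereas every other new manifest in this commit has `+spec:` at column 0), which would leave CiliumBGPPeeringPolicy and CiliumLoadBalancerIPPool with no top-level spec and the whole policy nested inside metadata; dedent `spec:` to column 0 in both documents. `peerAddress: "10.0.0.1"` is likely rejected by the v2alpha1 CRD, which expects CIDR notation (`"10.0.0.1/32"`) — verify against the Cilium version pinned for this cluster. The file is still commented out in config/kustomization.yaml, so the manifests are dormant until that line is enabled, which is the moment a schema failure would surface.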
@@ -3,3 +3,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ./policy.yaml + #- ./bgp.yaml diff --git a/kubernetes/main/apps/observability/blackbox-exporter/app/helmrelease.yaml b/kubernetes/main/apps/observability/blackbox-exporter/app/helmrelease.yaml new file mode 100644 index 0000000..1a897f5 --- /dev/null +++ b/kubernetes/main/apps/observability/blackbox-exporter/app/helmrelease.yaml 
@@ -0,0 +1,82 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/helm.toolkit.fluxcd.io/helmrelease_v2.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+ name: blackbox-exporter
+spec:
+ interval: 30m
+ chart:
+ spec:
+ chart: prometheus-blackbox-exporter
+ version: 9.0.1
+ sourceRef:
+ kind: HelmRepository
+ name: prometheus-community
+ namespace: flux-system
+ install:
+ remediation:
+ retries: 3
+ upgrade:
+ cleanupOnFail: true
+ remediation:
+ strategy: rollback
+ retries: 3
+ values:
+ fullnameOverride: blackbox-exporter
+ config:
+ modules:
+ http_2xx:
+ prober: http
+ timeout: 5s
+ http:
+ valid_http_versions: ["HTTP/1.1", "HTTP/2.0"]
+ follow_redirects: true
+ preferred_ip_protocol: ip4
+ icmp:
+ prober: icmp
+ timeout: 30s
+ icmp:
+ preferred_ip_protocol: ip4
+ ingress:
+ enabled: true
+ className: internal
+ annotations:
+ gethomepage.dev/enabled: "true"
+ gethomepage.dev/group: Observability
+ gethomepage.dev/name: Blackbox Exporter
+ gethomepage.dev/icon: mdi-box
+ hosts:
+ - host: "blackbox-exporter.${SECRET_INTERNAL_DOMAIN}"
+ paths:
+ - path: /
+ pathType: Prefix
+ prometheusRule:
+ enabled: true
+ rules:
+ - alert: BlackboxProbeFailed
+ expr: probe_success == 0
+ for: 15m
+ labels:
+ severity: critical
+ annotations:
+ summary: |-
+ The host {{ $labels.target }} is currently unreachable
+ pspEnabled: false
+ securityContext:
+ capabilities:
+ add: ["NET_RAW"]
+ podSecurityContext:
+ sysctls:
+ - name: net.ipv4.ping_group_range
+ value: "0 2147483647"
+ serviceMonitor:
+ enabled: true
+ defaults:
+ interval: 1m
+ targets:
+ - {
+ name: &name "opnsense.${SECRET_OLD_DOMAIN}",
+ module: icmp,
+ url: *name,
+ }
diff --git a/kubernetes/main/apps/observability/blackbox-exporter/app/kustomization.yaml b/kubernetes/main/apps/observability/blackbox-exporter/app/kustomization.yaml
new file mode 100644
index 0000000..17cbc72
--- /dev/null
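Review bot: The `ingress` block in the new blackbox-exporter helmrelease.yaml is enabled with `className: internal` and no TLS or authentication, while every other ingress touched by this commit uses `traefik` or `traefik-external` with a cert-manager issuer; confirm an `internal` IngressClass exists, otherwise the host will simply not route. Since the exporter's probe endpoint contacts whatever target a caller names, an unauthenticated ingress lets anyone who reaches the host use the exporter to reach hosts it can see; Prometheus scrapes via the `serviceMonitor` and does not need the ingress, so drop it or front it with an auth middleware. `capabilities.add: ["NET_RAW"]` is required for the icmp module; pairing it with `drop: ["ALL"]` keeps the container to that single capability.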
+++ b/kubernetes/main/apps/observability/blackbox-exporter/app/kustomization.yaml @@ -0,0 +1,6 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./helmrelease.yaml diff --git a/kubernetes/main/apps/observability/blackbox-exporter/ks.yaml b/kubernetes/main/apps/observability/blackbox-exporter/ks.yaml new file mode 100644 index 0000000..05338ba --- /dev/null +++ b/kubernetes/main/apps/observability/blackbox-exporter/ks.yaml @@ -0,0 +1,26 @@ +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app blackbox-exporter + namespace: flux-system +spec: + targetNamespace: observability + commonMetadata: + labels: + app.kubernetes.io/name: *app + dependsOn: + - name: traefik + path: ./kubernetes/main/apps/observability/blackbox-exporter/app + prune: true + sourceRef: + kind: GitRepository + name: k8s-gitops + wait: false + interval: 30m + retryInterval: 1m + timeout: 5m + postBuild: + substitute: + APP: *app diff --git a/kubernetes/main/apps/observability/grafana/app/helmrelease.yaml b/kubernetes/main/apps/observability/grafana/app/helmrelease.yaml index 6b04250..beda559 100644 --- a/kubernetes/main/apps/observability/grafana/app/helmrelease.yaml +++ b/kubernetes/main/apps/observability/grafana/app/helmrelease.yaml @@ -244,8 +244,9 @@ spec: annotations: cert-manager.io/cluster-issuer: "letsencrypt-production" gethomepage.dev/enabled: "true" - gethomepage.dev/group: Services + gethomepage.dev/group: Observability gethomepage.dev/name: Grafana + gethomepage.dev/description: Observability dashboard gethomepage.dev/icon: grafana ingressClassName: traefik hosts: ["grafana.${SECRET_INTERNAL_DOMAIN}"] 
diff --git a/kubernetes/main/apps/observability/grafana/app/secret.sops.yaml b/kubernetes/main/apps/observability/grafana/app/secret.sops.yaml index 59a39c6..197b6d7 100644 --- a/kubernetes/main/apps/observability/grafana/app/secret.sops.yaml +++ b/kubernetes/main/apps/observability/grafana/app/secret.sops.yaml 
@@ -5,26 +5,25 @@ type: Opaque metadata: name: grafana-secret stringData: - GF_DATABASE_USER: ENC[AES256_GCM,data:hhUyQv0mTQ==,iv:G+NXYesVuxohciWRyC8tlFQZWdkFsuPIbV2JhfFwwJo=,tag:Ct9qBpTWi7utSuwuLuZhaQ==,type:str] - GF_DATABASE_PASSWORD: ENC[AES256_GCM,data:pxk3OSuny5FvgNEFyQux+wi8Rc/7JiI015J2ODZuWq3/WEpOpMgLtkUFxrWKNlrJTP2kyIY27w==,iv:72TF7uDSRUI9R7CsXBW0RXrMmXm8CJjFp6KT/E4hcCM=,tag:xQ0IGtRQxter8osUPOV6pQ==,type:str] - GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET: ENC[AES256_GCM,data:kjPp9GxuoIE3NUBYz0dqTESwgr4/NVdlpabCcGfsIzN5/wqrQj16gGtfVLz0wXjiLzVUjG0AyGVtUyhDvIrJGccaOkHqF3b2,iv:yWkEbw69BHr5znZkp9/Y5gIpAHlnDkamc8RdsMr2YfU=,tag:vVlr37fZYUib2lKC1tRAWA==,type:str] + GF_DATABASE_USER: ENC[AES256_GCM,data:Pk6/JYszCw==,iv:IBVA+R+lvuTPb3dHfDETfTc9kSqIkNLCckZ5vUWkXho=,tag:DiHxJEmJj+idYki04RsMeg==,type:str] + GF_DATABASE_PASSWORD: ENC[AES256_GCM,data:va8Sj4xtFPFddgzHBSLL6PdeE3tVKTmVo56APK19PSkMSHyVPsY0JeI+fkQ=,iv:wbOJI6/deB6+UhUOPKMUmXACCy+X5Es+pojZEwb0GDA=,tag:eQ7+UHiqOh46M17ygbSwmA==,type:str] sops: kms: [] gcp_kms: [] azure_kv: [] hc_vault: [] age: - - recipient: age1ey3reuxyffqynll464r4q3tlhq5v73nxesyktr44lfez8jzxm94s0644n7 + - recipient: age19nu7uf8dageqlmzk23x7vl24fpn0l7cq20l3l4xxf2sk2xd5h98qss437p enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLUmt5Q08yekNBOEQwa0FB - bDB4cm1hTXM0U3piajRYaGxzc0FOalc3dEg0Clc5ZFBYYkhZNlVHbU9YeEZyM0N4 - SVRNWENobThXUjJLOW94bTBKbWFNTmcKLS0tIHZSbEdtZ0lQRHF0STVWV2JISHVv - VlhqUnZvTlRpajBNd05OUzdtTXNka2cKronvjmWA/Lk4tu8jgMe4SQQmXXkqfG9z - BxDbUxlBp8sze8Eh2zMiHicNEJkXQcFrdWoYywT11mkiUX9ZcMElWw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzdmV5V0sxc2xxL1ZxVzR2 + U0dvL0trM2ZKVmYvZXZib1JNcjRFM1NZMVhVCmcwZEt0Z2wrYTVCTFRwclk1U0M5 + ZCtZUksrNllEQ0gvcXZaRm5CSVBtM0kKLS0tIDcxanRlcW51eWltaTZIaTJOSmdP + aXM1bmRLaVNoTE11QnhMelcweG42TXMKKL7YbGj54ufXWmKoMYGljYX5ZFCmrZPJ + qPb3DVL0CumTMPYOFfKAPUixo7/MS6syU8eeQd3cKPH6HzDIaMkK/A== -----END AGE ENCRYPTED FILE----- - lastmodified: "2024-12-22T21:19:34Z" - mac: 
ENC[AES256_GCM,data:qAc9w/gsAg7hA7kliwQWAwEY2IyQp4BHztWmZiFrvnNJQeen3QDAbu7GtIgI08q/A08R3VWCctVZt1L32Mbxwp9jKu48zebZgcdJHLYXd0X0CqoQaCjIiD9tZPHOkAKQcpK+ladaz2bGaP1embg5xzQWWoAxQP0qtDARp81mIpQ=,iv:6gyRVKxoq14Iv07C31/YsAj1liKTwjLTQ8ua5+nYCq4=,tag:xyNQ6YHcKG+eNeCialWCaw==,type:str] + lastmodified: "2024-12-23T04:39:29Z" + mac: ENC[AES256_GCM,data:Dd+RpphBbTB1VTaICgIU50HpL3oWaA0pBCYkysu35hWcIokZ5OilGk/wivGlFcsAXIHdYoFyRu8yVwD6mUKSed3c8Wh750F9vR4JvB3oRB1tULAwUjBTgQ+OgDteqJgnGI8oXrDNQxtNbELr5cuUA0HdtxdgK62+zpmTJbFtNQU=,iv:DKZryemko/3ye1AXhWbdw4DaB0gIBDRTsX+dBKlFsCk=,tag:hk3BmQ8jfheyzmNIv6Kw+Q==,type:str] pgp: [] encrypted_regex: ^(data|stringData)$ - version: 3.9.2 + version: 3.9.1 diff --git a/kubernetes/main/apps/observability/kustomization.yaml b/kubernetes/main/apps/observability/kustomization.yaml index dded5ef..ce10dfe 100644 --- a/kubernetes/main/apps/observability/kustomization.yaml +++ b/kubernetes/main/apps/observability/kustomization.yaml @@ -6,8 +6,8 @@ resources: - ./prometheus-operator-crds/ks.yaml - ./kube-prometheus-stack/ks.yaml - ./grafana/ks.yaml - #- ./kube-state-metrics/ks.yaml - ./loki/ks.yaml - ./speedtest-exporter/ks.yaml - ./changedetection/ks.yaml + - ./blackbox-exporter/ks.yaml #- ./gatus/ks.yaml diff --git a/kubernetes/main/apps/public/kustomization.yaml b/kubernetes/main/apps/public/kustomization.yaml index ca99c00..39a0f35 100644 --- a/kubernetes/main/apps/public/kustomization.yaml +++ b/kubernetes/main/apps/public/kustomization.yaml @@ -6,4 +6,4 @@ resources: - ./namespace.yaml - ./excalidraw/ks.yaml - ./echo-server/ks.yaml - #- ./mataroa/ks.yaml + - ./writefreely/ks.yaml diff --git a/kubernetes/main/apps/public/writefreely/app/helmrelease.yaml b/kubernetes/main/apps/public/writefreely/app/helmrelease.yaml new file mode 100644 index 0000000..aac7d51 --- /dev/null +++ b/kubernetes/main/apps/public/writefreely/app/helmrelease.yaml 
@@ -0,0 +1,101 @@ +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json +apiVersion: helm.toolkit.fluxcd.io/v2 +kind: HelmRelease +metadata: + name: &app writefreely +spec: + interval: 30m + chart: + spec: + chart: app-template + version: 3.5.1 + sourceRef: + kind: HelmRepository + name: bjw-s + namespace: flux-system + install: + remediation: + retries: 3 + upgrade: + cleanupOnFail: true + remediation: + strategy: rollback + retries: 3 + values: + controllers: + writefreely: + replicas: 1 + strategy: RollingUpdate + containers: + app: + image: + repository: ghcr.io/liana64/writefreely + tag: 0.15.1@sha256:77d92d89555f51d9c9733b58e9ae9397b799d21fd7793b1f33f19c383c6ad027 + command: ["writefreely", "--gen-keys"] + securityContext: + capabilities.drop: ["ALL"] + probes: + liveness: + enabled: true + readiness: + enabled: true + resources: + requests: + cpu: 5m + memory: 10Mi + limits: + cpu: 512m + memory: 256Mi + + service: + app: + controller: writefreely + ports: + http: + port: 8080 + + ingress: + app: + className: traefik-external + annotations: + external-dns.alpha.kubernetes.io/target: external.${SECRET_EXTERNAL_DOMAIN} + cert-manager.io/cluster-issuer: "letsencrypt-production" + gethomepage.dev/enabled: "true" + gethomepage.dev/group: Services + gethomepage.dev/name: Writefreely + gethomepage.dev/description: Blog + gethomepage.dev/icon: writefreely + hosts: + - host: &host ${SECRET_EXTERNAL_DOMAIN} + paths: + - path: / + service: + identifier: app + port: http + tls: + - secretName: writefreely-tls + hosts: [*host] + + persistence: + data: + storageClass: cluster-nvme + accessMode: ReadWriteOnce + size: 5Gi + retain: true + globalMounts: + - path: /config + config: + type: secret + name: writefreely-secret + globalMounts: + - subPath: config.ini + path: /go/config.ini + readOnly: true + keys: + storageClass: cluster-nvme + accessMode: ReadWriteOnce + 
size: 512Mi + retain: true + globalMounts: + - path: /go/keys diff --git a/kubernetes/main/apps/public/writefreely/app/kustomization.yaml b/kubernetes/main/apps/public/writefreely/app/kustomization.yaml new file mode 100644 index 0000000..16a6ce3 --- /dev/null +++ b/kubernetes/main/apps/public/writefreely/app/kustomization.yaml @@ -0,0 +1,7 @@ +--- +# yaml-language-server: $schema=https://json.schemastore.org/kustomization +apiVersion: kustomize.config.k8s.io/v1beta1 +kind: Kustomization +resources: + - ./secret.sops.yaml + - ./helmrelease.yaml diff --git a/kubernetes/main/apps/public/writefreely/app/secret.sops.yaml b/kubernetes/main/apps/public/writefreely/app/secret.sops.yaml new file mode 100644 index 0000000..b7f82d0 --- /dev/null +++ b/kubernetes/main/apps/public/writefreely/app/secret.sops.yaml 
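Review bot: `capabilities.drop: ["ALL"]` under `securityContext` in the new writefreely helmrelease.yaml is a single dotted key, not the nested structure a container securityContext expects, so no capabilities are dropped and the chart schema or API server may reject the unknown field; write it as `capabilities:` followed by `drop: ["ALL"]` on the next, more-indented line. `command: ["writefreely", "--gen-keys"]` replaces the image entrypoint with the key-generation command — if that command exits once keys are written the pod would restart-loop without ever serving, so confirm the image handles this or move key generation to an init container that writes into the `keys` volume. The ingress annotation `external-dns.alpha.kubernetes.io/target: external.${SECRET_EXTERNAL_DOMAIN}` is unquoted here but quoted in the mysql and grafana manifests; quoting it keeps the substituted value from being reinterpreted by the YAML parser. The hunk starts on the previous physical line.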
@@ -0,0 +1,29 @@ +# yamllint disable +kind: Secret +apiVersion: v1 +type: Opaque +metadata: + name: writefreely-secret +stringData: + #ENC[AES256_GCM,data:Uiyd+T5h8f/lS6fWRM+tmpT2/rTjG3+42OfMlZYMrfXyZoR+0bCYbHE7oC9nWdVMTq87eSBFYz6hsBS1nyRWXawUvdTv64Q=,iv:DsYU8VW0YfljaVRQJ1hCDzlEMFc7fk5FBXiNNzEOqDg=,tag:uR56MyMbEFDOq3ojbMXb1w==,type:comment] + config.ini: ENC[AES256_GCM,data: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,iv:UMDrYkGNFLWHVpWSdCPmD9IbLtwKOxaZpjLTnRC4a+o=,tag:k/SzPl1GEn9K+q8atYX00w==,type:str] +sops: + kms: [] + gcp_kms: [] + azure_kv: [] + hc_vault: [] + age: + - recipient: age19nu7uf8dageqlmzk23x7vl24fpn0l7cq20l3l4xxf2sk2xd5h98qss437p + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIVVRhM1VTdHEzZytRQjVO + SmVaYWRMNS92MFQvVi9SeDhGWVkwY3UreVg0ClNnTHJkR2ROdUVyNkFFb1VXRmJo + ZmtFaTZzK0NTOU9VdFdOWVpLbHNHNFkKLS0tIFROc0crMmhOYUp1b3Nza0gyZDRD + U1l5T3JpSWlhYVZYKzl2OWZHQ2dSb1UKdo5cRSkX+t55YWOQKTu1QV47bWIfjMoB + FsE1XIFyu/WafVCX4W/rAYM7vQt0U03qin1WtrkzpNB+rZzjj2B1xA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2024-12-28T01:33:39Z" + mac: ENC[AES256_GCM,data:hAEH/3RnQuxZ9J2qpeqMRxSSAnB5BtcbbnOKMNsN/hGxyAHLmfDbuKC3p0qPbASCEHTuBG/vmx1CttWdtMQk16Uu6CmPT5WJBNFkIwuZyAdV4nScexQAznciYZgEelIOG0aI06BiqEDb3ebUhq9fjmCFMDU9as4BP2LCxOTEAms=,iv:4/oTOxy9SNAW3HJPbgiQpsPftNCcWTI1qikZJxwGQkQ=,tag:8HLdP5Ns7xokDHJ4J5Fmrw==,type:str] + pgp: [] + encrypted_regex: ^(data|stringData)$ + version: 3.9.2 diff --git a/kubernetes/main/apps/public/writefreely/ks.yaml b/kubernetes/main/apps/public/writefreely/ks.yaml new file mode 100644 index 0000000..563e4ee --- /dev/null +++ b/kubernetes/main/apps/public/writefreely/ks.yaml 
@@ -0,0 +1,24 @@ +--- +# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json +apiVersion: kustomize.toolkit.fluxcd.io/v1 +kind: Kustomization +metadata: + name: &app writefreely + namespace: flux-system +spec: + targetNamespace: public + commonMetadata: + labels: + app.kubernetes.io/name: *app + path: ./kubernetes/main/apps/public/writefreely/app + prune: true + sourceRef: + kind: GitRepository + name: k8s-gitops + wait: false + interval: 30m + retryInterval: 1m + timeout: 5m + postBuild: + substitute: + APP: *app diff --git a/kubernetes/main/bootstrap/talos/patches/control/cluster.yaml b/kubernetes/main/bootstrap/talos/patches/control/cluster.yaml index 947ee44..f6d4c7e 100644 --- a/kubernetes/main/bootstrap/talos/patches/control/cluster.yaml +++ b/kubernetes/main/bootstrap/talos/patches/control/cluster.yaml @@ -8,6 +8,9 @@ cluster: disabled: true proxy: disabled: true + controllerManager: + extraArgs: + bind-address: 0.0.0.0 scheduler: extraArgs: bind-address: 0.0.0.0 diff --git a/kubernetes/main/bootstrap/talos/patches/global/hostdns.yaml b/kubernetes/main/bootstrap/talos/patches/global/hostdns.yaml index ca0f986..f9847f6 100644 --- a/kubernetes/main/bootstrap/talos/patches/global/hostdns.yaml +++ b/kubernetes/main/bootstrap/talos/patches/global/hostdns.yaml @@ -4,8 +4,8 @@ machine: hostDNS: enabled: true resolveMemberNames: true - # For BGP mode, set to true - forwardKubeDNSToHost: true # Requires Cilium `bpf.masquerade: false` + # For BGP mode, set to true and `bpf.masquerade` to false + forwardKubeDNSToHost: false kubePrism: enabled: true port: 7445 diff --git a/kubernetes/main/flux/vars/cluster-settings.yaml b/kubernetes/main/flux/vars/cluster-settings.yaml index fa75f3b..bb7325d 100644 --- a/kubernetes/main/flux/vars/cluster-settings.yaml +++ b/kubernetes/main/flux/vars/cluster-settings.yaml 
@@ -24,3 +24,4 @@ data: LB_TRAEFIK_EXTERNAL: "10.28.12.101" LB_POSTGRES: "10.28.12.102" LB_MINECRAFT: "10.28.12.103" + LB_MYSQL: "10.28.12.104"