diff --git a/README.md b/README.md index cfb2acd..886221b 100644 --- a/README.md +++ b/README.md @@ -1,10 +1,5 @@ -*TODO: Files with sensitive data; migrate to SealedSecret* -``` -# line ??: services/Mastodon/deploy-Mastodon.yml -``` - # Kubernetes.K3s.installLog -*3 VM's provisioned with Ubuntu Server 18.04* +*3 VM's provisioned with Ubuntu Server 22.04*
additional lvm configuration ```shell @@ -117,14 +112,10 @@ kubectl apply -f storage/flexVolSMB/sealedSecret-flexVolSMB.yml #### 2.3) `storageClass` for distributed block storage: See [Longhorn Helm Chart](https://longhorn.io/): ```shell -kubectl create namespace longhorn-system -helm repo add longhorn https://charts.longhorn.io -helm install longhorn longhorn/longhorn --namespace longhorn-system --values=storage/Longhorn/chart-values.yml -``` -Expose Longhorn's dashboard through `IngressRoute`: -```shell -kubectl apply -f storage/Longhorn/ingressRoute-Longhorn.yml +helm repo add longhorn https://charts.longhorn.io && helm repo update +helm install longhorn longhorn/longhorn --namespace longhorn-system --create-namespace --values=storage/Longhorn/chart-values.yml ``` + Log on to the web interface and delete the default disks on each node (mounted at `/var/lib/longhorn`) and replace them with new disks mounted at `/mnt/blockstorage`. Add additional `storageClass` with backup schedule: 
@@ -149,32 +140,10 @@ kubectl patch storageclass longhorn-dailybackup -p '{"metadata": {"annotations": ``` ### 3) Ingress Controller -##### 3.1) Create `configMap`, `secret` and `persistentVolumeClaim` -The `configMap` contains Traefik's static and dynamic config: +Reconfigure default Traefik configuration: +See [Traefik 2.x Helm Chart](https://github.com/traefik/traefik-helm-chart) and [HelmChartConfig](https://docs.k3s.io/helm) ```shell -kubectl apply -f ingress/Traefik2.x/configMap-Traefik.yml -``` - -The `secret` contains credentials for Cloudflare's API: -```shell -kubectl apply -f ingress/Traefik2.x/sealedSecret-Traefik-Cloudflare.yml -``` - -The `persistentVolumeClaim` will contain `/data/acme.json` (referenced as `existingClaim`): -```shell -kubectl apply -f ingress/Traefik2.x/persistentVolumeClaim-Traefik.yml -``` -##### 3.2) Install Helm Chart -See [Traefik 2.x Helm Chart](https://github.com/containous/traefik-helm-chart): -```shell -helm repo add traefik https://containous.github.io/traefik-helm-chart -helm repo update -helm install traefik traefik/traefik --namespace kube-system --values=ingress/Traefik2.x/chart-values.yml -``` -##### 3.3) Replace `IngressRoute` for Traefik's dashboard: -```shell -kubectl apply -f ingress/Traefik2.x/ingressRoute-Traefik.yaml -kubectl delete ingressroute traefik-dashboard --namespace kube-system +kubectl apply -f ingress/Traefik2.x/helmchartconfig-traefik.yaml ``` ### 4) GitOps 
@@ -292,31 +261,11 @@ kubectl apply -f services/PVR/deploy-Sonarr.yml ```shell kubectl apply -f services/Shaarli/deploy-Shaarli.yml ``` -##### 5.11) [Terraform backend](https://www.terraform.io/language/settings/backends/pg) (supporting database) -```shell -kubectl apply -f services/TfState/deploy-TfState.yml -kubectl apply -f services/TfState/sealedSecret-TfState.yml -``` -##### 5.12) [Traefik-Certs-Dumper](https://github.com/ldez/traefik-certs-dumper) (certificate tooling) + +##### 5.11) [Traefik-Certs-Dumper](https://github.com/ldez/traefik-certs-dumper) (certificate tooling) ```shell kubectl apply -f services/TraefikCertsDumper/deploy-TraefikCertsDumper.yml ``` -##### 5.13) [Unifi-Controller]() (network infrastructure management) -```shell -kubectl apply -f services/Unifi/deploy-Unifi.yml -``` -*Change STUN port to non-default:* -```shell -kubectl exec --namespace unifi -it unifi- -- /bin/bash -sed -e 's/# unifi.stun.port=3478/unifi.stun.port=3479/' -i /data/system.properties -exit -kubectl rollout restart deployment --namespace unifi unifi -``` -*Update STUN url on devices:* doesn't seem to work -```shell -ssh @ -sed -e 's|stun://|stun://:3479|' -i /etc/persistent/cfg/mgmt -``` ### 6) Miscellaneous *Various notes/useful links* 
@@ -336,14 +285,14 @@ sed -e 's|stun://|stun://:3479|' -i /etc/persistent/cfg/mg or kubectl run -it --rm busybox --restart=Never --image=busybox:1.28 -- nslookup api.github.com [-debug] [fqdn] -* Delete namespaces stuck in `Terminating` state: - *First* check whether there are any resources still present; preventing the namespace from being deleted: +* Delete namespaces stuck in `Terminating` state: + *First* check whether there are any resources still present; preventing the namespace from being deleted: kubectl api-resources --verbs=list --namespaced -o name \ | xargs -n 1 kubectl get --show-kind --ignore-not-found -n - Any resources returned should be deleted first (worth mentioning: if you get an error `error: unable to retrieve the complete list of server APIs`, you should check `kubectl get apiservice` for any apiservice with a status of `False`) - If there are no resources left in the namespace, and it is still stuck *terminating*, the following commands remove the blocking finalizer (this is a last resort, you are bypassing protections put in place to prevent zombie processes): + Any resources returned should be deleted first (worth mentioning: if you get an error `error: unable to retrieve the complete list of server APIs`, you should check `kubectl get apiservice` for any apiservice with a status of `False`) + If there are no resources left in the namespace, and it is still stuck *terminating*, the following commands remove the blocking finalizer (this is a last resort, you are bypassing protections put in place to prevent zombie processes): kubectl get namespace -o json | jq -j '.spec.finalizers=null' > tmp.json kubectl replace --raw "/api/v1/namespaces//finalize" -f ./tmp.json diff --git a/ingress/Traefik2.x/chart-values.yml b/ingress/Traefik2.x/chart-values.yml deleted file mode 100644 index b0bc1e0..0000000 --- a/ingress/Traefik2.x/chart-values.yml +++ /dev/null 
@@ -1,46 +0,0 @@ -image: - name: bv11-cr01.bessems.eu/proxy/library/traefik -# tag: '2.4.8' - -ports: - web: - redirectTo: websecure - -service: - spec: - externalTrafficPolicy: Local - loadBalancerIP: 192.168.11.248 - -volumes: - - name: traefik-configmap - mountPath: /etc/traefik - type: configMap - -persistence: - enabled: true - accessMode: ReadWriteMany - path: /data - existingClaim: "traefik" - -env: - - name: CF_API_EMAIL - valueFrom: - secretKeyRef: - name: traefik-cloudflare - key: CF_API_EMAIL - - name: CF_API_KEY - valueFrom: - secretKeyRef: - name: traefik-cloudflare - key: CF_API_KEY - -securityContext: - capabilities: - drop: [] - readOnlyRootFilesystem: true - runAsGroup: 0 - runAsNonRoot: false - runAsUser: 0 - -podSecurityContext: - fsGroup: 0 diff --git a/ingress/Traefik2.x/configMap-Traefik.yml b/ingress/Traefik2.x/configMap-Traefik.yml deleted file mode 100644 index 8b4ea8b..0000000 --- a/ingress/Traefik2.x/configMap-Traefik.yml +++ /dev/null 
@@ -1,119 +0,0 @@ -apiVersion: v1 -kind: ConfigMap -metadata: - name: traefik-configmap - namespace: kube-system -data: - traefik.yml: | - global: - checkNewVersion: true - sendAnonymousUsage: true - entryPoints: - web: - address: :8000 - websecure: - address: :8443 - forwardedHeaders: - insecure: true - http: - tls: - options: defaults@file - certResolver: default - domains: - - main: '*.spamasaurus.com' - sans: - - 'spamasaurus.com' - - main: '*.chat.spamasaurus.com' - - main: '*.bessems.com' - sans: - - 'bessems.com' - - main: '*.bessems.eu' - sans: - - 'bessems.eu' - - main: '*.gabaldon.eu' - sans: - - 'gabaldon.eu' - - main: '*.gabaldon.nl' - sans: - - 'gabaldon.nl' - - main: '*.itch.fyi' - sans: - - 'itch.fyi' - - main: '*.oneup.town' - sans: - - 'oneup.town' - # trustedIPs: - # - "127.0.0.0/8" - # - "192.168.5.0/24" - # - "192.168.11.0/24" - traefik: - address: :9000 - providers: - file: - filename: /etc/traefik/dynamic.yml - kubernetesCRD: - allowCrossNamespace: true - api: - dashboard: true - ping: {} - #accessLog: {} - log: - level: INFO - # level: DEBUG - certificatesResolvers: - default: - acme: - email: letsencrypt.org.danny@spamasaurus.com - storage: /data/acme.json - dnsChallenge: - provider: cloudflare - delayBeforeCheck: 5m0s - resolvers: - - 1.1.1.1:53 - - 1.0.0.1:53 - serversTransport: - insecureSkipVerify: true - dynamic.yml: | - http: - middlewares: - force-tls: - redirectScheme: - scheme: https - 2fa-authentication: - forwardAuth: - address: "https://auth.spamasaurus.com/api/verify?rd=https://auth.spamasaurus.com/" - trustForwardHeader: true - security-headers: - headers: - forceSTSHeader: true - stsSeconds: 315360000 - stsIncludeSubdomains: true - stsPreload: true - compression: - compress: {} - routers: - force-tls: - entryPoints: - - "web" - rule: "HostRegexp(`{any:.+}`)" - middlewares: - - "force-tls" - service: noop@internal - tls: - options: - defaults: - minVersion: VersionTLS12 - sniStrict: true - curvePreferences: - - secp521r1 - - 
secp384r1 - cipherSuites: - - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 - - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 - - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 - - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 - - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 - - TLS_AES_128_GCM_SHA256 - - TLS_AES_256_GCM_SHA384 - - TLS_CHACHA20_POLY1305_SHA256 - - TLS_FALLBACK_SCSV diff --git a/ingress/Traefik2.x/helmchartconfig-traefik.yaml b/ingress/Traefik2.x/helmchartconfig-traefik.yaml new file mode 100644 index 0000000..3756f69 --- /dev/null +++ b/ingress/Traefik2.x/helmchartconfig-traefik.yaml 
@@ -0,0 +1,159 @@ +apiVersion: helm.cattle.io/v1 +kind: HelmChartConfig +metadata: + name: traefik + namespace: kube-system +spec: + valuesContent: |- + additionalArguments: + - "--providers.file.directory=/etc/traefik/dynamic" + - "--providers.file.watch=true" + certResolvers: + default: + email: letsencrypt.org.danny@spamasaurus.com + storage: /data/acme.json + dnsChallenge: + provider: cloudflare + delayBeforeCheck: 5m0s + resolvers: + - 1.1.1.1:53 + - 1.0.0.1:53 + deployment: + initContainers: + - name: volume-permissions + image: busybox:latest + command: + [ + "sh", + "-c", + "touch /data/acme.json; chown 65532 /data/acme.json; chmod -v 600 /data/acme.json", + ] + securityContext: + runAsNonRoot: false + runAsGroup: 0 + runAsUser: 0 + volumeMounts: + - name: traefik-data + mountPath: /data + env: + - name: CF_API_EMAIL + valueFrom: + secretKeyRef: + name: traefik-cloudflare + key: CF_API_EMAIL + - name: CF_API_KEY + valueFrom: + secretKeyRef: + name: traefik-cloudflare + key: CF_API_KEY + extraObjects: + - apiVersion: v1 + kind: ConfigMap + metadata: + name: traefik-file-provider + namespace: kube-system + data: + config.yml: | + http: + middlewares: + 2fa-authentication: + forwardAuth: + address: "https://auth.spamasaurus.com/api/verify?rd=https://auth.spamasaurus.com/" + trustForwardHeader: true + security-headers: + headers: + forceSTSHeader: true + stsSeconds: 315360000 + stsIncludeSubdomains: true + stsPreload: true + compression: + compress: {} + tls: + options: + defaults: + minVersion: VersionTLS12 + sniStrict: true + curvePreferences: + - secp521r1 + - secp384r1 + cipherSuites: + - TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 + - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305 + - TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305 + - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 + - TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256 + - TLS_AES_128_GCM_SHA256 + - TLS_AES_256_GCM_SHA384 + - TLS_CHACHA20_POLY1305_SHA256 + - TLS_FALLBACK_SCSV + - apiVersion: bitnami.com/v1alpha1 + kind: SealedSecret 
+ metadata: + creationTimestamp: null + name: traefik-cloudflare + namespace: kube-system + spec: + encryptedData: + CF_API_EMAIL: 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 + CF_API_KEY: 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 + template: + metadata: + creationTimestamp: null + name: traefik-cloudflare + namespace: kube-system + type: Opaque + ingressRoute: + dashboard: + enabled: true + entryPoints: + - websecure + matchRule: Host(`ingress.spamasaurus.com`) + middlewares: + # - name: 2fa-authentication@file + - name: security-headers@file + - name: compression@file + logs: + general: + level: DEBUG + persistence: + enabled: true + name: traefik-data + path: /data + storageClass: longhorn + ports: + web: + redirectTo: + port: websecure + websecure: + tls: + options: defaults@file + certResolver: default + domains: + - main: '*.spamasaurus.com' + sans: + - 'spamasaurus.com' + - main: '*.bessems.com' + sans: + - 'bessems.com' + - main: '*.bessems.eu' + sans: + - 'bessems.eu' + - main: '*.gabaldon.eu' + sans: + - 'gabaldon.eu' + - main: '*.gabaldon.nl' + sans: + - 'gabaldon.nl' + - main: '*.itch.fyi' + sans: + - 'itch.fyi' + service: + spec: + loadBalancerIP: "192.168.154.240" + updateStrategy: + type: Recreate + rollingUpdate: null + volumes: + - name: traefik-file-provider + type: configMap + mountPath: /etc/traefik/dynamic diff --git a/ingress/Traefik2.x/ingressRoute-Traefik.yml b/ingress/Traefik2.x/ingressRoute-Traefik.yml deleted file mode 100644 index 6437f21..0000000 --- a/ingress/Traefik2.x/ingressRoute-Traefik.yml +++ /dev/null @@ -1,18 +0,0 @@ -apiVersion: traefik.containo.us/v1alpha1 -kind: IngressRoute -metadata: - name: traefik - namespace: default -spec: - entryPoints: - - websecure - routes: - - match: Host(`ingress.spamasaurus.com`) - kind: Rule - services: - - name: api@internal - kind: TraefikService - middlewares: - - name: 2fa-authentication@file - - name: security-headers@file - - name: compression@file 
diff --git a/ingress/Traefik2.x/persistentVolumeClaim-Traefik.yml b/ingress/Traefik2.x/persistentVolumeClaim-Traefik.yml deleted file mode 100644 index 6839939..0000000 --- a/ingress/Traefik2.x/persistentVolumeClaim-Traefik.yml +++ /dev/null @@ -1,33 +0,0 @@ -apiVersion: v1 -kind: PersistentVolume -metadata: - name: flexvolsmb-traefik-data - namespace: kube-system -spec: - capacity: - storage: 1Gi - accessModes: - - ReadWriteMany - storageClassName: flexvolsmb-traefik-data - flexVolume: - driver: mount/smb - secretRef: - name: smb-secret - namespace: default - options: - opts: domain=bessems.eu,file_mode=0600,dir_mode=0600,iocharset=utf8,nobrl - server: 192.168.11.225 - share: /K3s.Volumes/traefik/data ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: traefik - namespace: kube-system -spec: - accessModes: - - ReadWriteMany - storageClassName: flexvolsmb-traefik-data - resources: - requests: - storage: 1Gi diff --git a/ingress/Traefik2.x/sealedSecret-Traefik-Cloudflare.yml b/ingress/Traefik2.x/sealedSecret-Traefik-Cloudflare.yml deleted file mode 100644 index a79e448..0000000 --- a/ingress/Traefik2.x/sealedSecret-Traefik-Cloudflare.yml +++ /dev/null @@ -1,24 +0,0 @@ -{ - "kind": "SealedSecret", - "apiVersion": "bitnami.com/v1alpha1", - "metadata": { - "name": "traefik-cloudflare", - "namespace": "kube-system", - "creationTimestamp": null - }, - "spec": { - "template": { - "metadata": { - "name": "traefik-cloudflare", - "namespace": "kube-system", - "creationTimestamp": null - }, - "type": "Opaque", - "data": null - }, - "encryptedData": { - "CF_API_EMAIL": "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", - "CF_API_KEY": "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" - } - } -} diff --git a/services/Authelia/_namespace-authelia.yml b/services/Authelia/_namespace-authelia.yml new file mode 100644 index 0000000..6c48a0b --- /dev/null +++ b/services/Authelia/_namespace-authelia.yml 
@@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: authelia diff --git a/services/Authelia/deploy-Authelia.yml b/services/Authelia/deploy-Authelia.yml deleted file mode 100644 index b08d614..0000000 --- a/services/Authelia/deploy-Authelia.yml +++ /dev/null 
@@ -1,147 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: authelia - labels: - app: authelia -spec: - replicas: 1 - selector: - matchLabels: - app: authelia - template: - metadata: - labels: - app: authelia - spec: - enableServiceLinks: false - containers: - - name: authelia - image: authelia/authelia:4 - imagePullPolicy: Always - env: - - name: TZ - value: Europe/Amsterdam - ports: - - name: web - containerPort: 9091 - volumeMounts: - - name: flexvolsmb-authelia-conf - mountPath: /config - - name: redis - image: redis:7-alpine - args: - - redis-server - - --requirepass - - authelia - - --appendonly - - 'yes' - ports: - - name: redis - containerPort: 6379 - volumeMounts: - - name: flexvolsmb-authelia-redis - mountPath: /data - volumes: - - name: flexvolsmb-authelia-conf - persistentVolumeClaim: - claimName: flexvolsmb-authelia-conf - - name: flexvolsmb-authelia-redis - persistentVolumeClaim: - claimName: flexvolsmb-authelia-redis ---- -apiVersion: v1 -kind: Service -metadata: - name: authelia -spec: - ports: - - protocol: TCP - name: web - port: 9091 - - protocol: TCP - name: redis - port: 6379 - selector: - app: authelia ---- -apiVersion: traefik.containo.us/v1alpha1 -kind: IngressRoute -metadata: - name: authelia -spec: - entryPoints: - - websecure - routes: - - match: Host(`auth.spamasaurus.com`) - kind: Rule - services: - - name: authelia - port: 9091 - middlewares: - - name: security-headers@file - - name: compression@file ---- -apiVersion: v1 -kind: PersistentVolume -metadata: - name: flexvolsmb-authelia-conf -spec: - capacity: - storage: 1Gi - accessModes: - - ReadWriteMany - storageClassName: flexvolsmb-authelia-conf - flexVolume: - driver: mount/smb - secretRef: - name: smb-secret - options: - opts: domain=bessems.eu,file_mode=0600,dir_mode=0600,iocharset=utf8,nobrl - server: 192.168.11.225 - share: /K3s.Volumes/authelia/conf ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: flexvolsmb-authelia-conf - namespace: default 
-spec: - accessModes: - - ReadWriteMany - storageClassName: flexvolsmb-authelia-conf - resources: - requests: - storage: 1Gi ---- -apiVersion: v1 -kind: PersistentVolume -metadata: - name: flexvolsmb-authelia-redis -spec: - capacity: - storage: 1Gi - accessModes: - - ReadWriteMany - storageClassName: flexvolsmb-authelia-redis - flexVolume: - driver: mount/smb - secretRef: - name: smb-secret - options: - opts: domain=bessems.eu,file_mode=0700,dir_mode=0700,uid=999,gid=1000,iocharset=utf8,nobrl - server: 192.168.11.225 - share: /K3s.Volumes/authelia/redis ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: flexvolsmb-authelia-redis - namespace: default -spec: - accessModes: - - ReadWriteMany - storageClassName: flexvolsmb-authelia-redis - resources: - requests: - storage: 1Gi diff --git a/services/Authelia/deployment-authelia.yaml b/services/Authelia/deployment-authelia.yaml new file mode 100644 index 0000000..c283ea8 --- /dev/null +++ b/services/Authelia/deployment-authelia.yaml 
@@ -0,0 +1,54 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: authelia + namespace: authelia + labels: + app: authelia +spec: + replicas: 1 + selector: + matchLabels: + app: authelia + strategy: + type: Recreate + template: + metadata: + labels: + app: authelia + spec: + enableServiceLinks: false + containers: + - name: authelia + image: authelia/authelia:4 + imagePullPolicy: Always + env: + - name: TZ + value: Europe/Amsterdam + ports: + - name: web + containerPort: 9091 + volumeMounts: + - name: flexvolsmb-authelia-conf + mountPath: /config + - name: redis + image: redis:7-alpine + args: + - redis-server + - --requirepass + - authelia + - --appendonly + - 'yes' + ports: + - name: redis + containerPort: 6379 + volumeMounts: + - name: flexvolsmb-authelia-redis + mountPath: /data + volumes: + - name: flexvolsmb-authelia-conf + persistentVolumeClaim: + claimName: flexvolsmb-authelia-conf + - name: flexvolsmb-authelia-redis + persistentVolumeClaim: + claimName: flexvolsmb-authelia-redis diff --git a/services/Authelia/ingressroute-authelia.yaml b/services/Authelia/ingressroute-authelia.yaml new file mode 100644 index 0000000..6e5a201 --- /dev/null +++ b/services/Authelia/ingressroute-authelia.yaml @@ -0,0 +1,17 @@ +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: authelia + namespace: authelia +spec: + entryPoints: + - websecure + routes: + - match: Host(`auth.spamasaurus.com`) + kind: Rule + services: + - name: authelia + port: 9091 + middlewares: + - name: security-headers@file + - name: compression@file diff --git a/services/Authelia/persistentvolume-flexvolsmb-authelia-conf.yaml b/services/Authelia/persistentvolume-flexvolsmb-authelia-conf.yaml new file mode 100644 index 0000000..45fe64e --- /dev/null +++ b/services/Authelia/persistentvolume-flexvolsmb-authelia-conf.yaml 
@@ -0,0 +1,18 @@ +apiVersion: v1 +kind: PersistentVolume +metadata: + name: flexvolsmb-authelia-conf +spec: + capacity: + storage: 1Gi + accessModes: + - ReadWriteMany + storageClassName: flexvolsmb-authelia-conf + flexVolume: + driver: mount/smb + secretRef: + name: flexvolsmb-credentials + options: + opts: file_mode=0600,dir_mode=0600,iocharset=utf8,nobrl + server: 192.168.154.225 + share: /K3s.Volumes/authelia/conf diff --git a/services/Authelia/persistentvolume-flexvolsmb-authelia-redis.yaml b/services/Authelia/persistentvolume-flexvolsmb-authelia-redis.yaml new file mode 100644 index 0000000..c0277de --- /dev/null +++ b/services/Authelia/persistentvolume-flexvolsmb-authelia-redis.yaml @@ -0,0 +1,18 @@ +apiVersion: v1 +kind: PersistentVolume +metadata: + name: flexvolsmb-authelia-redis +spec: + capacity: + storage: 1Gi + accessModes: + - ReadWriteMany + storageClassName: flexvolsmb-authelia-redis + flexVolume: + driver: mount/smb + secretRef: + name: flexvolsmb-credentials + options: + opts: file_mode=0700,dir_mode=0700,uid=999,gid=1000,iocharset=utf8,nobrl + server: 192.168.154.225 + share: /K3s.Volumes/authelia/redis diff --git a/services/Authelia/persistentvolumeclaim-flexvolsmb-authelia-conf.yaml b/services/Authelia/persistentvolumeclaim-flexvolsmb-authelia-conf.yaml new file mode 100644 index 0000000..261d435 --- /dev/null +++ b/services/Authelia/persistentvolumeclaim-flexvolsmb-authelia-conf.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: flexvolsmb-authelia-conf + namespace: authelia +spec: + accessModes: + - ReadWriteMany + storageClassName: flexvolsmb-authelia-conf + resources: + requests: + storage: 1Gi diff --git a/services/Authelia/persistentvolumeclaim-flexvolsmb-authelia-redis.yaml b/services/Authelia/persistentvolumeclaim-flexvolsmb-authelia-redis.yaml new file mode 100644 index 0000000..a73d0e8 --- /dev/null +++ b/services/Authelia/persistentvolumeclaim-flexvolsmb-authelia-redis.yaml 
@@ -0,0 +1,12 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: flexvolsmb-authelia-redis + namespace: authelia +spec: + accessModes: + - ReadWriteMany + storageClassName: flexvolsmb-authelia-redis + resources: + requests: + storage: 1Gi diff --git a/services/Authelia/sealedsecret-flexvolsmb-credentials.yaml b/services/Authelia/sealedsecret-flexvolsmb-credentials.yaml new file mode 100644 index 0000000..8418365 --- /dev/null +++ b/services/Authelia/sealedsecret-flexvolsmb-credentials.yaml @@ -0,0 +1,16 @@ +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + creationTimestamp: null + name: flexvolsmb-credentials + namespace: authelia +spec: + encryptedData: + password: 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 + username: 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 + template: + metadata: + creationTimestamp: null + name: flexvolsmb-credentials + namespace: authelia + type: mount/smb diff --git a/services/Authelia/service-authelia.yaml b/services/Authelia/service-authelia.yaml new file mode 100644 index 0000000..2817e4e --- /dev/null +++ b/services/Authelia/service-authelia.yaml @@ -0,0 +1,15 @@ +apiVersion: v1 +kind: Service +metadata: + name: authelia + namespace: authelia +spec: + ports: + - protocol: TCP + name: web + port: 9091 + - protocol: TCP + name: redis + port: 6379 + selector: + app: authelia diff --git a/services/Gitea/ingressRoute-Gitea.yml b/services/Gitea/ingressRoute-Gitea.yml index 559f8fc..f799857 100644 --- a/services/Gitea/ingressRoute-Gitea.yml +++ b/services/Gitea/ingressRoute-Gitea.yml @@ -12,6 +12,6 @@ spec: services: - name: gitea port: 3000 - # middlewares: - # - name: security-headers@file - # - name: compression@file + middlewares: + - name: security-headers@file + - name: compression@file diff --git a/services/Guacamole/ingressRoute-Guacamole.yml b/services/Guacamole/ingressRoute-Guacamole.yml index 8e3b2e7..5e39609 100644 --- a/services/Guacamole/ingressRoute-Guacamole.yml 
+++ b/services/Guacamole/ingressRoute-Guacamole.yml @@ -14,5 +14,5 @@ spec: port: 8080 middlewares: - name: prepend-path-guacamole - # - name: security-headers@file - # - name: compression@file + - name: security-headers@file + - name: compression@file diff --git a/services/Vaultwarden/ingressroute-vaultwarden.yaml b/services/Vaultwarden/ingressroute-vaultwarden.yaml index c39df3d..8e8e401 100644 --- a/services/Vaultwarden/ingressroute-vaultwarden.yaml +++ b/services/Vaultwarden/ingressroute-vaultwarden.yaml @@ -20,6 +20,6 @@ spec: services: - name: vaultwarden port: 3012 - # middlewares: - # - name: security-headers@file - # - name: compression@file + middlewares: + - name: security-headers@file + - name: compression@file diff --git a/storage/Longhorn/chart-values.yml b/storage/Longhorn/chart-values.yml index d7aaef0..a46fa49 100644 --- a/storage/Longhorn/chart-values.yml +++ b/storage/Longhorn/chart-values.yml @@ -1,5 +1,5 @@ -csi: - kubeletRootDir: /var/lib/kubelet defaultSettings: -# defaultDataPath: /var/lib/longhorn/ defaultDataPath: /mnt/blockstorage/ +ingress: + enabled: true + host: storage.spamasaurus.com
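Review bot: in the README hunk at @@ -1,10 +1,5 @@, the TODO recording that services/Mastodon/deploy-Mastodon.yml still carries sensitive data is removed, but nothing in this patch touches that file or adds a SealedSecret for it; either include the migration here or keep the TODO so the open item stays visible.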
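Review bot: in the README hunk at @@ -117,14 +112,10 @@, the step "Expose Longhorn's dashboard through IngressRoute" is dropped without saying how the dashboard is reached now, yet the next sentence still says "Log on to the web interface"; since storage/Longhorn/chart-values.yml in this same patch enables the chart's own ingress on storage.spamasaurus.com, add one sentence pointing there. Replacing the separate `kubectl create namespace` with `--create-namespace` is fine.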
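Review bot: in the README hunk at @@ -149,32 +140,10 @@, the single `kubectl apply -f ingress/Traefik2.x/helmchartconfig-traefik.yaml` step hides two things a reader needs: the HelmChartConfig sets `persistence.storageClass: longhorn`, so section 3 now depends on section 2.3 being finished, and applying it re-creates the k3s-managed Traefik deployment (`updateStrategy.type: Recreate`), which takes every ingress down for the duration. State both next to the command.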
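Review bot: in the README hunk at @@ -292,31 +261,11 @@, the Terraform backend (5.11) and Unifi-Controller (5.13) sections are removed, but this patch deletes nothing under services/TfState or services/Unifi, so those manifests remain in the repo undocumented; delete them in the same change or leave a short note that they are no longer part of the install. Renumbering Traefik-Certs-Dumper to 5.11 is consistent.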
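Review bot: in the deletion of ingress/Traefik2.x/chart-values.yml, two behaviour changes are worth naming in the commit message. The old values ran the whole Traefik pod as root (`runAsUser: 0`, `runAsNonRoot: false`, `capabilities.drop: []`) while the replacement HelmChartConfig confines root to the `volume-permissions` init container, which is an improvement. Less obviously, `externalTrafficPolicy: Local` is gone from the service spec (the new `service.spec` only sets `loadBalancerIP: "192.168.154.240"`), so with the default `Cluster` policy Traefik may now see a node SNAT address instead of the real client IP, which affects access logs and any middleware that keys on source address.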
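Review bot: in the deletion of ingress/Traefik2.x/configMap-Traefik.yml, several settings from the old static config have no counterpart in the new HelmChartConfig: `serversTransport.insecureSkipVerify: true`, `entryPoints.websecure.forwardedHeaders.insecure: true`, `providers.kubernetesCRD.allowCrossNamespace: true`, `global.sendAnonymousUsage: true`, and the `*.chat.spamasaurus.com` and `*.oneup.town` certificate domains. Dropping the two insecure flags and the usage reporting tightens the setup, but it changes behaviour: a backend served over a self-signed certificate will now fail verification, an IngressRoute that references a Middleware CRD in another namespace will stop resolving (`@file` references such as `security-headers@file` are unaffected), and certificates for the two dropped domains will no longer be requested. Confirm each is intended and list them in the commit message.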
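Review bot: in ingress/Traefik2.x/helmchartconfig-traefik.yaml, the dashboard IngressRoute lists `2fa-authentication@file` commented out, whereas the deleted ingressRoute-Traefik.yml applied it; after this patch the Traefik dashboard and API (`api@internal`) on ingress.spamasaurus.com sit behind only `security-headers` and `compression`, i.e. without authentication. Re-enable the forwardAuth middleware (its `2fa-authentication` definition is present in the `traefik-file-provider` ConfigMap) or leave a comment explaining why it is off. Smaller points in the same file: `logs.general.level: DEBUG` is far noisier than the previous INFO and should be reverted once the migration is verified; the `volume-permissions` init container runs as root from `busybox:latest`, so pin a tag or digest; `TLS_FALLBACK_SCSV` in `cipherSuites` is a signalling value rather than a negotiable suite, so check Traefik's startup log for it being rejected (the TLS 1.3 `TLS_AES_*` and `TLS_CHACHA20_*` entries are harmless but are not configurable in Go's TLS stack); and with `stsPreload: true` plus `stsIncludeSubdomains: true` in `security-headers`, submitting the domains to the preload list is effectively irreversible for every subdomain.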
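Review bot: in the deletion of ingress/Traefik2.x/ingressRoute-Traefik.yml, removing the manifest from the repo does not remove the object from a running cluster; it lives in the `default` namespace and matches Host(`ingress.spamasaurus.com`), the same host as the chart-generated dashboard route, so the two will coexist until someone runs `kubectl delete ingressroute traefik -n default`. Add that to the README, which used to carry the equivalent cleanup step for `traefik-dashboard`.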
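Review bot: in the deletion of ingress/Traefik2.x/persistentVolumeClaim-Traefik.yml, `/data/acme.json` moves from the SMB share 192.168.11.225:/K3s.Volumes/traefik/data to a fresh Longhorn volume, so Traefik will start with an empty ACME store and re-request every certificate in the domains list. Copy the existing acme.json into the new volume before the switch (the init container already fixes ownership and mode) or plan for Let's Encrypt rate limits, which bite harder with `delayBeforeCheck: 5m0s` per DNS challenge.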
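Review bot: in the deletion of ingress/Traefik2.x/sealedSecret-Traefik-Cloudflare.yml, the same CF_API_EMAIL/CF_API_KEY pair is re-sealed inside the HelmChartConfig's `extraObjects`, so the DNS challenge keeps using Cloudflare's Global API key, which grants full account access. lego's cloudflare provider also accepts a scoped token via `CF_DNS_API_TOKEN` (Zone:Read plus DNS:Edit on the relevant zones); since the secret is being re-created anyway, this is the moment to switch to the scoped token. The move from the JSON form (with `"data": null`) to YAML is otherwise equivalent.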
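Review bot: in services/Authelia/deployment-authelia.yaml (carried over unchanged from the deleted deploy-Authelia.yml), the redis sidecar's password is hard-coded in plain text as `--requirepass authelia` in the container args, readable by anyone who can `kubectl get pod -o yaml` in the namespace. The repo already uses SealedSecret (see sealedsecret-flexvolsmb-credentials.yaml in this patch), so seal the password and inject it through `env` with `valueFrom.secretKeyRef` instead. The added `strategy.type: Recreate` is a sensible pairing with the RWX SMB volume; `imagePullPolicy: Always` with the floating `authelia/authelia:4` and `redis:7-alpine` tags means every restart may pull a different image, so consider pinning digests.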
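Review bot: in services/Authelia/service-authelia.yaml, the Service publishes port 6379 (`redis`) alongside 9091; redis is a sidecar in the same pod that Authelia reaches over localhost, so exposing it cluster-wide adds nothing except another reachable endpoint guarded by a password that is visible in the pod spec. Drop the `redis` port from the Service (and, should cross-pod access ever be needed, add a NetworkPolicy rather than a cluster-wide Service).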
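Review bot: in services/Authelia/persistentvolume-flexvolsmb-authelia-conf.yaml (and identically in the -redis PV), the flexVolume `secretRef` names `flexvolsmb-credentials` without a namespace, while the secret is sealed into `authelia` and the deleted Traefik PV set `secretRef.namespace: default` explicitly. The deleted deploy-Authelia.yml worked with a namespace-less `smb-secret` only because its pod also lived in `default`; confirm the kubelet resolves a PV-level `secretRef` against the pod's namespace on this k3s version, or add `namespace: authelia` so the lookup is unambiguous. The `domain=bessems.eu` option was also removed from `opts`, so the SMB server at 192.168.154.225 must accept the credentials without a domain.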
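Review bot: in services/Gitea/ingressRoute-Gitea.yml (and the matching hunks for Guacamole and Vaultwarden), uncommenting `security-headers@file` and `compression@file` is safe with respect to the Traefik move because both are file-provider references and do not depend on the now-absent `allowCrossNamespace`; do note that `security-headers` sets HSTS with `stsPreload` and `stsIncludeSubdomains`, so from this change on these hosts and all their subdomains must stay HTTPS-only. For Guacamole the ordering `prepend-path-guacamole` before the two shared middlewares is correct.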
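Review bot: in storage/Longhorn/chart-values.yml, `ingress.enabled: true` with `host: storage.spamasaurus.com` publishes the Longhorn UI, which has no authentication of its own and lets a visitor delete volumes and reconfigure node disks; with the old IngressRoute step gone from the README nothing in this patch shows what sits in front of it. Put the `2fa-authentication@file` forwardAuth middleware in front via the chart's `ingress.annotations` (Traefik's `traefik.ingress.kubernetes.io/router.middlewares` annotation accepts `@file` references) or keep an IngressRoute carrying the middleware instead of the chart ingress. Dropping `csi.kubeletRootDir` is fine only if Longhorn's autodetection finds the k3s kubelet directory; check the csi-plugin pods after the upgrade.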