djpbessems/Kubernetes.K3s.installLog
djpbessems/Kubernetes.K3s.installLog
1
1
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Refactor Authelia,Longhorn,Traefik; Enable ingress middlewares; Update docs

Browse Source
This commit is contained in:
Danny Bessems 2023-12-28 10:03:36 +11:00
parent 6780322b44
commit 1d0e465630
21 changed files with 349 additions and 462 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

77
README.md
View File

@ -1,10 +1,5 @@
*TODO: Files with sensitive data; migrate to SealedSecret*
```
# line ??: services/Mastodon/deploy-Mastodon.yml
```
# Kubernetes.K3s.installLog # Kubernetes.K3s.installLog
*3 VM's provisioned with Ubuntu Server 18.04* *3 VM's provisioned with Ubuntu Server 22.04*
<details><summary>additional lvm configuration</summary> <details><summary>additional lvm configuration</summary>
```shell ```shell
@ -117,14 +112,10 @@ kubectl apply -f storage/flexVolSMB/sealedSecret-flexVolSMB.yml
#### 2.3) `storageClass` for distributed block storage: #### 2.3) `storageClass` for distributed block storage:
See [Longhorn Helm Chart](https://longhorn.io/): See [Longhorn Helm Chart](https://longhorn.io/):
```shell ```shell
kubectl create namespace longhorn-system helm repo add longhorn https://charts.longhorn.io && helm repo update
helm repo add longhorn https://charts.longhorn.io helm install longhorn longhorn/longhorn --namespace longhorn-system --create-namespace --values=storage/Longhorn/chart-values.yml
helm install longhorn longhorn/longhorn --namespace longhorn-system --values=storage/Longhorn/chart-values.yml
```
Expose Longhorn's dashboard through `IngressRoute`:
```shell
kubectl apply -f storage/Longhorn/ingressRoute-Longhorn.yml
``` ```
Log on to the web interface and delete the default disks on each node (mounted at `/var/lib/longhorn`) and replace them with new disks mounted at `/mnt/blockstorage`. Log on to the web interface and delete the default disks on each node (mounted at `/var/lib/longhorn`) and replace them with new disks mounted at `/mnt/blockstorage`.
Add additional `storageClass` with backup schedule: Add additional `storageClass` with backup schedule:
@ -149,32 +140,10 @@ kubectl patch storageclass longhorn-dailybackup -p '{"metadata": {"annotations":
``` ```
### 3) Ingress Controller ### 3) Ingress Controller
##### 3.1) Create `configMap`, `secret` and `persistentVolumeClaim` Reconfigure default Traefik configuration:
The `configMap` contains Traefik's static and dynamic config: See [Traefik 2.x Helm Chart](https://github.com/traefik/traefik-helm-chart) and [HelmChartConfig](https://docs.k3s.io/helm)
```shell ```shell
kubectl apply -f ingress/Traefik2.x/configMap-Traefik.yml kubectl apply -f ingress/Traefik2.x/helmchartconfig-traefik.yaml
```
The `secret` contains credentials for Cloudflare's API:
```shell
kubectl apply -f ingress/Traefik2.x/sealedSecret-Traefik-Cloudflare.yml
```
The `persistentVolumeClaim` will contain `/data/acme.json` (referenced as `existingClaim`):
```shell
kubectl apply -f ingress/Traefik2.x/persistentVolumeClaim-Traefik.yml
```
##### 3.2) Install Helm Chart
See [Traefik 2.x Helm Chart](https://github.com/containous/traefik-helm-chart):
```shell
helm repo add traefik https://containous.github.io/traefik-helm-chart
helm repo update
helm install traefik traefik/traefik --namespace kube-system --values=ingress/Traefik2.x/chart-values.yml
```
##### 3.3) Replace `IngressRoute` for Traefik's dashboard:
```shell
kubectl apply -f ingress/Traefik2.x/ingressRoute-Traefik.yaml
kubectl delete ingressroute traefik-dashboard --namespace kube-system
``` ```
### 4) GitOps ### 4) GitOps
@ -292,31 +261,11 @@ kubectl apply -f services/PVR/deploy-Sonarr.yml
```shell ```shell
kubectl apply -f services/Shaarli/deploy-Shaarli.yml kubectl apply -f services/Shaarli/deploy-Shaarli.yml
``` ```
##### 5.11) [Terraform backend](https://www.terraform.io/language/settings/backends/pg) <small>(supporting database)</small>
```shell ##### 5.11) [Traefik-Certs-Dumper](https://github.com/ldez/traefik-certs-dumper) <small>(certificate tooling)</small>
kubectl apply -f services/TfState/deploy-TfState.yml
kubectl apply -f services/TfState/sealedSecret-TfState.yml
```
##### 5.12) [Traefik-Certs-Dumper](https://github.com/ldez/traefik-certs-dumper) <small>(certificate tooling)</small>
```shell ```shell
kubectl apply -f services/TraefikCertsDumper/deploy-TraefikCertsDumper.yml kubectl apply -f services/TraefikCertsDumper/deploy-TraefikCertsDumper.yml
``` ```
##### 5.13) [Unifi-Controller]() <small>(network infrastructure management)</small>
```shell
kubectl apply -f services/Unifi/deploy-Unifi.yml
```
*Change STUN port to non-default:*
```shell
kubectl exec --namespace unifi -it unifi-<uuid> -- /bin/bash
sed -e 's/# unifi.stun.port=3478/unifi.stun.port=3479/' -i /data/system.properties
exit
kubectl rollout restart deployment --namespace unifi unifi
```
*Update STUN url on devices:* <small>doesn't seem to work</small>
```shell
ssh <username>@<ipaddress>
sed -e 's|stun://<ipaddress>|stun://<ipaddress>:3479|' -i /etc/persistent/cfg/mgmt
```
### 6) Miscellaneous ### 6) Miscellaneous
*Various notes/useful links* *Various notes/useful links*
@ -336,14 +285,14 @@ sed -e 's|stun://<ipaddress>|stun://<ipaddress>:3479|' -i /etc/persistent/cfg/mg
or or
kubectl run -it --rm busybox --restart=Never --image=busybox:1.28 -- nslookup api.github.com [-debug] [fqdn] kubectl run -it --rm busybox --restart=Never --image=busybox:1.28 -- nslookup api.github.com [-debug] [fqdn]
* Delete namespaces stuck in `Terminating` state: * Delete namespaces stuck in `Terminating` state:
*First* check whether there are any resources still present; preventing the namespace from being deleted: *First* check whether there are any resources still present; preventing the namespace from being deleted:
kubectl api-resources --verbs=list --namespaced -o name \ kubectl api-resources --verbs=list --namespaced -o name \
| xargs -n 1 kubectl get --show-kind --ignore-not-found -n <namespace> | xargs -n 1 kubectl get --show-kind --ignore-not-found -n <namespace>
Any resources returned should be deleted first (worth mentioning: if you get an error `error: unable to retrieve the complete list of server APIs`, you should check `kubectl get apiservice` for any apiservice with a status of `False`) Any resources returned should be deleted first (worth mentioning: if you get an error `error: unable to retrieve the complete list of server APIs`, you should check `kubectl get apiservice` for any apiservice with a status of `False`)
If there are no resources left in the namespace, and it is still stuck *terminating*, the following commands remove the blocking finalizer (this is a last resort, you are bypassing protections put in place to prevent zombie processes): If there are no resources left in the namespace, and it is still stuck *terminating*, the following commands remove the blocking finalizer (this is a last resort, you are bypassing protections put in place to prevent zombie processes):
kubectl get namespace <namespace> -o json | jq -j '.spec.finalizers=null' > tmp.json kubectl get namespace <namespace> -o json | jq -j '.spec.finalizers=null' > tmp.json
kubectl replace --raw "/api/v1/namespaces/<namespace>/finalize" -f ./tmp.json kubectl replace --raw "/api/v1/namespaces/<namespace>/finalize" -f ./tmp.json

46
ingress/Traefik2.x/chart-values.yml
View File

@ -1,46 +0,0 @@
image:
name: bv11-cr01.bessems.eu/proxy/library/traefik
# tag: '2.4.8'
ports:
web:
redirectTo: websecure
service:
spec:
externalTrafficPolicy: Local
loadBalancerIP: 192.168.11.248
volumes:
- name: traefik-configmap
mountPath: /etc/traefik
type: configMap
persistence:
enabled: true
accessMode: ReadWriteMany
path: /data
existingClaim: "traefik"
env:
- name: CF_API_EMAIL
valueFrom:
secretKeyRef:
name: traefik-cloudflare
key: CF_API_EMAIL
- name: CF_API_KEY
valueFrom:
secretKeyRef:
name: traefik-cloudflare
key: CF_API_KEY
securityContext:
capabilities:
drop: []
readOnlyRootFilesystem: true
runAsGroup: 0
runAsNonRoot: false
runAsUser: 0
podSecurityContext:
fsGroup: 0

119
ingress/Traefik2.x/configMap-Traefik.yml
View File

@ -1,119 +0,0 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: traefik-configmap
namespace: kube-system
data:
traefik.yml: |
global:
checkNewVersion: true
sendAnonymousUsage: true
entryPoints:
web:
address: :8000
websecure:
address: :8443
forwardedHeaders:
insecure: true
http:
tls:
options: defaults@file
certResolver: default
domains:
- main: '*.spamasaurus.com'
sans:
- 'spamasaurus.com'
- main: '*.chat.spamasaurus.com'
- main: '*.bessems.com'
sans:
- 'bessems.com'
- main: '*.bessems.eu'
sans:
- 'bessems.eu'
- main: '*.gabaldon.eu'
sans:
- 'gabaldon.eu'
- main: '*.gabaldon.nl'
sans:
- 'gabaldon.nl'
- main: '*.itch.fyi'
sans:
- 'itch.fyi'
- main: '*.oneup.town'
sans:
- 'oneup.town'
# trustedIPs:
# - "127.0.0.0/8"
# - "192.168.5.0/24"
# - "192.168.11.0/24"
traefik:
address: :9000
providers:
file:
filename: /etc/traefik/dynamic.yml
kubernetesCRD:
allowCrossNamespace: true
api:
dashboard: true
ping: {}
#accessLog: {}
log:
level: INFO
# level: DEBUG
certificatesResolvers:
default:
acme:
email: letsencrypt.org.danny@spamasaurus.com
storage: /data/acme.json
dnsChallenge:
provider: cloudflare
delayBeforeCheck: 5m0s
resolvers:
- 1.1.1.1:53
- 1.0.0.1:53
serversTransport:
insecureSkipVerify: true
dynamic.yml: |
http:
middlewares:
force-tls:
redirectScheme:
scheme: https
2fa-authentication:
forwardAuth:
address: "https://auth.spamasaurus.com/api/verify?rd=https://auth.spamasaurus.com/"
trustForwardHeader: true
security-headers:
headers:
forceSTSHeader: true
stsSeconds: 315360000
stsIncludeSubdomains: true
stsPreload: true
compression:
compress: {}
routers:
force-tls:
entryPoints:
- "web"
rule: "HostRegexp(`{any:.+}`)"
middlewares:
- "force-tls"
service: noop@internal
tls:
options:
defaults:
minVersion: VersionTLS12
sniStrict: true
curvePreferences:
- secp521r1
- secp384r1
cipherSuites:
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_FALLBACK_SCSV

159
ingress/Traefik2.x/helmchartconfig-traefik.yaml Normal file
View File

@ -0,0 +1,159 @@
apiVersion: helm.cattle.io/v1
kind: HelmChartConfig
metadata:
name: traefik
namespace: kube-system
spec:
valuesContent: |-
additionalArguments:
- "--providers.file.directory=/etc/traefik/dynamic"
- "--providers.file.watch=true"
certResolvers:
default:
email: letsencrypt.org.danny@spamasaurus.com
storage: /data/acme.json
dnsChallenge:
provider: cloudflare
delayBeforeCheck: 5m0s
resolvers:
- 1.1.1.1:53
- 1.0.0.1:53
deployment:
initContainers:
- name: volume-permissions
image: busybox:latest
command:
[
"sh",
"-c",
"touch /data/acme.json; chown 65532 /data/acme.json; chmod -v 600 /data/acme.json",
]
securityContext:
runAsNonRoot: false
runAsGroup: 0
runAsUser: 0
volumeMounts:
- name: traefik-data
mountPath: /data
env:
- name: CF_API_EMAIL
valueFrom:
secretKeyRef:
name: traefik-cloudflare
key: CF_API_EMAIL
- name: CF_API_KEY
valueFrom:
secretKeyRef:
name: traefik-cloudflare
key: CF_API_KEY
extraObjects:
- apiVersion: v1
kind: ConfigMap
metadata:
name: traefik-file-provider
namespace: kube-system
data:
config.yml: |
http:
middlewares:
2fa-authentication:
forwardAuth:
address: "https://auth.spamasaurus.com/api/verify?rd=https://auth.spamasaurus.com/"
trustForwardHeader: true
security-headers:
headers:
forceSTSHeader: true
stsSeconds: 315360000
stsIncludeSubdomains: true
stsPreload: true
compression:
compress: {}
tls:
options:
defaults:
minVersion: VersionTLS12
sniStrict: true
curvePreferences:
- secp521r1
- secp384r1
cipherSuites:
- TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384
- TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_RSA_WITH_CHACHA20_POLY1305
- TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
- TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256
- TLS_AES_128_GCM_SHA256
- TLS_AES_256_GCM_SHA384
- TLS_CHACHA20_POLY1305_SHA256
- TLS_FALLBACK_SCSV
- apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: traefik-cloudflare
namespace: kube-system
spec:
encryptedData:
CF_API_EMAIL: AgCeBTkyKJ2iOEug2JLlnSt7nsR+UZDiCz+vYyUsk4HRmvPj2j6Vy46jzF3N26eDXA5glaL95OVIfrakAZ6StEe2tfb0PwQJcHxLsrzS95WN/9EqMpPz3PtoOFhqtLrOj9T05Q92RlY5E8nY5CEHAO0pdMUN8WR+mAm5coL4Cd5MFg54f+Y3U4NTG3DgeED5sE3O9u6kBMenSYsvD/9Bn3crigK/imE7NtDYn/cDLkxDPyL05gGzLScp9pzhChHe303vdLFy+NbXrVKB2p2PXxz/4aB48CIN/e8mdUGb/DTPakSbG1x4EKea+5N5FtxnZx+0mCmSiYwAH+kYvg25Wnf08+2CQsiaFbbTBWYjO9pkvrADOZ0IV/66fOIOaAQIxh2hztLgM/AAuuWsMV5CLSNG4JfnEMVwztWLxj/lz3vKpSQnzzh9DfX/Yzz4QtZlneCooc9TvhUn9UxPqB4ydXEyUUw8DAKQjVxVs0MmnVwp+tKY+xCUSRPPQ9Z1PvGS+i0m6L7Fm5WVXEUZT2jFSeBCHm+UBkY7COvm1VHinTviNZYXtP0tWCty8eg2AvbOl5vxoV2MJRkqYy8mfnRRlxY5zvKSdDjWgFQoHQgHjjKZqV2RE/PEaEfoQ+PLZSigkr2vFf6uFQ5P5riS69MaqvcwvBhYj5AnB3Ev8NW/kljRx6HeJWijEiLFuUmXqgHhtjoNfhRUjrGH25/XIXokAPA+McxCVbwFEQkiGAj69Wb6LQ/tu90=
CF_API_KEY: AgBMs0EeSS9OW2zHjxIZqzEuvVf09phrzsD+5L90DKWsnQVUsV1kmSYk7fun6A76vlR5gnSlWLVl1n2EezNHnViXKyIwu1s01vJ+rTPvNcTdkGWGYB8ZYnqvIe7PB3L4pzaSjOcHJ6jazByz1GFHf5hQC9AdaFtPX6ie8EGV7vOD8fic35BMRV/Y3Qc77W1U0mmA22hgHyvTCqdvlObbkHd23a3ArFXk+ELdPM4E3sPefFWjF2nZOJ/4ltouKs/O4+D2RXc1Am3N8cxKyMc7rTBtz69BLJppyTj4DaAbwq+hN8A328wi9oAuu6ifY7zpd2w0exw3uOfAGoksQZrldYDnTc2w/ecrijcBmcVGQb2AoBS1m+ZXJIdii6E3oyW3wpTcPsgdS+z+xviBnQMtScr+KMHTRlayaQXfEc9kFPp+qqAlf+mIq+dB8xFtNCT2qICWThh3LKZh6i6SkYpR+kFBzqd2wqpjyBLIRAwkAKF1NvR1KQtYsMYNAMlchJ6nhcLz2GmmHqTG9L+NmSafEdLbOhy7lnofpHZ94xCvs75+AISobYVxSXPTERff4NOcb492JT7ojYBfSjD9aZq5B1KU0A6r8+gErK3SKfKh9DkT1lotIV/giOvKfAfJhecUFRRqeCrJPXJVeKJxbLRhDL2i3lEvQqIru/bxebuw5t83rU/2SD+fANgmjRvsz5w9x+pbeg9VyRMJerx9bLb+Gw+enDBqq+s5QIyNK1t5b5J+H+ta1uZO
template:
metadata:
creationTimestamp: null
name: traefik-cloudflare
namespace: kube-system
type: Opaque
ingressRoute:
dashboard:
enabled: true
entryPoints:
- websecure
matchRule: Host(`ingress.spamasaurus.com`)
middlewares:
# - name: 2fa-authentication@file
- name: security-headers@file
- name: compression@file
logs:
general:
level: DEBUG
persistence:
enabled: true
name: traefik-data
path: /data
storageClass: longhorn
ports:
web:
redirectTo:
port: websecure
websecure:
tls:
options: defaults@file
certResolver: default
domains:
- main: '*.spamasaurus.com'
sans:
- 'spamasaurus.com'
- main: '*.bessems.com'
sans:
- 'bessems.com'
- main: '*.bessems.eu'
sans:
- 'bessems.eu'
- main: '*.gabaldon.eu'
sans:
- 'gabaldon.eu'
- main: '*.gabaldon.nl'
sans:
- 'gabaldon.nl'
- main: '*.itch.fyi'
sans:
- 'itch.fyi'
service:
spec:
loadBalancerIP: "192.168.154.240"
updateStrategy:
type: Recreate
rollingUpdate: null
volumes:
- name: traefik-file-provider
type: configMap
mountPath: /etc/traefik/dynamic

18
ingress/Traefik2.x/ingressRoute-Traefik.yml
View File

@ -1,18 +0,0 @@
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: traefik
namespace: default
spec:
entryPoints:
- websecure
routes:
- match: Host(`ingress.spamasaurus.com`)
kind: Rule
services:
- name: api@internal
kind: TraefikService
middlewares:
- name: 2fa-authentication@file
- name: security-headers@file
- name: compression@file

33
ingress/Traefik2.x/persistentVolumeClaim-Traefik.yml
View File

@ -1,33 +0,0 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: flexvolsmb-traefik-data
namespace: kube-system
spec:
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-traefik-data
flexVolume:
driver: mount/smb
secretRef:
name: smb-secret
namespace: default
options:
opts: domain=bessems.eu,file_mode=0600,dir_mode=0600,iocharset=utf8,nobrl
server: 192.168.11.225
share: /K3s.Volumes/traefik/data
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: traefik
namespace: kube-system
spec:
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-traefik-data
resources:
requests:
storage: 1Gi

24
ingress/Traefik2.x/sealedSecret-Traefik-Cloudflare.yml
View File

@ -1,24 +0,0 @@
{
"kind": "SealedSecret",
"apiVersion": "bitnami.com/v1alpha1",
"metadata": {
"name": "traefik-cloudflare",
"namespace": "kube-system",
"creationTimestamp": null
},
"spec": {
"template": {
"metadata": {
"name": "traefik-cloudflare",
"namespace": "kube-system",
"creationTimestamp": null
},
"type": "Opaque",
"data": null
},
"encryptedData": {
"CF_API_EMAIL": "AgClXlPfqjYUhRn4ssez5YiAN7pjR5PIeOaDhGrCI2QksjPVFhCbOhX8ijfSmurd8q/7TXTp1gQdh4SLzQy0jkOobZEDQSvDW2U3crQCRSel/4I5sXSbU5q6plbwuN0Z0BGbA2HxwIXN7t8Gb2PVCFT1HwrFAPxJiCPMFsvjUox7BHvhZAs8fFcSiZQpZ7Hz1+7up0CwjVXMNDkm+OYvirKR3lLWfiwJlCKpQoiQU5IX482EJAE1dqrIWthk1xkX12eXJ9FU+hL8X07a4HxDt461+sANOs9cOCDlRYs5zrqmxsVFeL3Kxgr1NRmQbRRD+pg7I4rwfYBeL9NPpKCGURytfkuwC5gNZOz16795L0liitFdgJ/5uZMywf370yI4bfcs3C1hi7kBGACLKxDeHuRwDqOqsXbpbo0+HENeiMosMOw35thmJJpb1zKBkjrja7HGzgLrzdvwOhz6JCxfLjfygjhoEgjpatPlRXY8+lK5ATaPh6hLvXz2+9l4p27MyV+VjM1UqQvHGvcI6VVkpgRU2e/nPfA+g58tVGO8eIflGRN3oA/H1a8GV7JEQmlH2e7xfuun1/CtPANNb5uAB3NijaBJajCWbF/1qBAdk09QNzkAxm0/m9gpNjmumG3UkasRfbai+2yNzwhScOBOjCWAa+SSOyAGrEcQ76augkcPT/TwoX4gF547+RW/nAcR7QSTViY7gBcuauCPpX8iDyJfe5NZ22XUTCocbvmYGXvw7Q3eVx4=",
"CF_API_KEY": "AgCHaCrShxGC+XVP64KcGuemFg+Z95hCxWsERjyxWNO6+RDCu7J26n2isVs4jG7VeJKO0Br0Of7vIdzAKqFm8DWVZBWwPzE0LZqDxujv3RPY0A9OO4EjHiJKZfaFUc6VNy3O0Re+6cBRz16WorFbdMnvForcJYTWih73yggq1n/ZnifAAQgoIkRLH36Rq0/47gUt/rubFtbGa0X9ka2zObX5SYgs2qKtfZx/m31tTe9WqyccEk4DKvdnbWocY0VnBfSndt+B1kM6PN7xNltiLxr/XLEyo04NseFFHiu0Qph3E2K7C4NijxwOOJdYywFZBP9oaq8HTjXKfU9uLz/pkF9+PEMGPdVni0NClasAleOCkbKOigxorKfQlOQlfNq3bGdMLZNfe5xkz5P2uHRIVIoiG7P9KXx+IIT0m453OfG28ttHmFf5HYn7VnVGZ9M2/1ipLTQja1Vg9mUiZcrDgZMzxfEWY6KJJwjVZE6JZkMlvNlnP/oWW4IFyKDNRRcu0ULzeyDUp0jAxXlbCDHMGZTV3M0qDkrEcnzPgQI8bW4+z26Q1XbgaiErb17mETobuNJuHakIgutHR1sJUbkHeAohYXUrAazu7TLVW+v0WrF7FDogyADBRWxYcLxqm4JHDwdaTdRefKcbRgVUKcQV6OUB5pgfNwkz/mU5ad4jUT7VvhSXR9hYfem4DeR1qEiluVtbvrI5XT7Fx6mkn9TNES6og1RLc2vtkA8JrfCCBBfIeAbWGrX+"
}
}
}

4
services/Authelia/_namespace-authelia.yml Normal file
View File

@ -0,0 +1,4 @@
apiVersion: v1
kind: Namespace
metadata:
name: authelia

147
services/Authelia/deploy-Authelia.yml
View File

@ -1,147 +0,0 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: authelia
labels:
app: authelia
spec:
replicas: 1
selector:
matchLabels:
app: authelia
template:
metadata:
labels:
app: authelia
spec:
enableServiceLinks: false
containers:
- name: authelia
image: authelia/authelia:4
imagePullPolicy: Always
env:
- name: TZ
value: Europe/Amsterdam
ports:
- name: web
containerPort: 9091
volumeMounts:
- name: flexvolsmb-authelia-conf
mountPath: /config
- name: redis
image: redis:7-alpine
args:
- redis-server
- --requirepass
- authelia
- --appendonly
- 'yes'
ports:
- name: redis
containerPort: 6379
volumeMounts:
- name: flexvolsmb-authelia-redis
mountPath: /data
volumes:
- name: flexvolsmb-authelia-conf
persistentVolumeClaim:
claimName: flexvolsmb-authelia-conf
- name: flexvolsmb-authelia-redis
persistentVolumeClaim:
claimName: flexvolsmb-authelia-redis
---
apiVersion: v1
kind: Service
metadata:
name: authelia
spec:
ports:
- protocol: TCP
name: web
port: 9091
- protocol: TCP
name: redis
port: 6379
selector:
app: authelia
---
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: authelia
spec:
entryPoints:
- websecure
routes:
- match: Host(`auth.spamasaurus.com`)
kind: Rule
services:
- name: authelia
port: 9091
middlewares:
- name: security-headers@file
- name: compression@file
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: flexvolsmb-authelia-conf
spec:
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-authelia-conf
flexVolume:
driver: mount/smb
secretRef:
name: smb-secret
options:
opts: domain=bessems.eu,file_mode=0600,dir_mode=0600,iocharset=utf8,nobrl
server: 192.168.11.225
share: /K3s.Volumes/authelia/conf
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: flexvolsmb-authelia-conf
namespace: default
spec:
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-authelia-conf
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: flexvolsmb-authelia-redis
spec:
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-authelia-redis
flexVolume:
driver: mount/smb
secretRef:
name: smb-secret
options:
opts: domain=bessems.eu,file_mode=0700,dir_mode=0700,uid=999,gid=1000,iocharset=utf8,nobrl
server: 192.168.11.225
share: /K3s.Volumes/authelia/redis
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: flexvolsmb-authelia-redis
namespace: default
spec:
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-authelia-redis
resources:
requests:
storage: 1Gi

54
services/Authelia/deployment-authelia.yaml Normal file
View File

@ -0,0 +1,54 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: authelia
namespace: authelia
labels:
app: authelia
spec:
replicas: 1
selector:
matchLabels:
app: authelia
strategy:
type: Recreate
template:
metadata:
labels:
app: authelia
spec:
enableServiceLinks: false
containers:
- name: authelia
image: authelia/authelia:4
imagePullPolicy: Always
env:
- name: TZ
value: Europe/Amsterdam
ports:
- name: web
containerPort: 9091
volumeMounts:
- name: flexvolsmb-authelia-conf
mountPath: /config
- name: redis
image: redis:7-alpine
args:
- redis-server
- --requirepass
- authelia
- --appendonly
- 'yes'
ports:
- name: redis
containerPort: 6379
volumeMounts:
- name: flexvolsmb-authelia-redis
mountPath: /data
volumes:
- name: flexvolsmb-authelia-conf
persistentVolumeClaim:
claimName: flexvolsmb-authelia-conf
- name: flexvolsmb-authelia-redis
persistentVolumeClaim:
claimName: flexvolsmb-authelia-redis

17
services/Authelia/ingressroute-authelia.yaml Normal file
View File

@ -0,0 +1,17 @@
apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: authelia
namespace: authelia
spec:
entryPoints:
- websecure
routes:
- match: Host(`auth.spamasaurus.com`)
kind: Rule
services:
- name: authelia
port: 9091
middlewares:
- name: security-headers@file
- name: compression@file

18
services/Authelia/persistentvolume-flexvolsmb-authelia-conf.yaml Normal file
View File

@ -0,0 +1,18 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: flexvolsmb-authelia-conf
spec:
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-authelia-conf
flexVolume:
driver: mount/smb
secretRef:
name: flexvolsmb-credentials
options:
opts: file_mode=0600,dir_mode=0600,iocharset=utf8,nobrl
server: 192.168.154.225
share: /K3s.Volumes/authelia/conf

18
services/Authelia/persistentvolume-flexvolsmb-authelia-redis.yaml Normal file
View File

@ -0,0 +1,18 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: flexvolsmb-authelia-redis
spec:
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-authelia-redis
flexVolume:
driver: mount/smb
secretRef:
name: flexvolsmb-credentials
options:
opts: file_mode=0700,dir_mode=0700,uid=999,gid=1000,iocharset=utf8,nobrl
server: 192.168.154.225
share: /K3s.Volumes/authelia/redis

12
services/Authelia/persistentvolumeclaim-flexvolsmb-authelia-conf.yaml Normal file
View File

@ -0,0 +1,12 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: flexvolsmb-authelia-conf
namespace: authelia
spec:
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-authelia-conf
resources:
requests:
storage: 1Gi

12
services/Authelia/persistentvolumeclaim-flexvolsmb-authelia-redis.yaml Normal file
View File

@ -0,0 +1,12 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: flexvolsmb-authelia-redis
namespace: authelia
spec:
accessModes:
- ReadWriteMany
storageClassName: flexvolsmb-authelia-redis
resources:
requests:
storage: 1Gi

16
services/Authelia/sealedsecret-flexvolsmb-credentials.yaml Normal file
View File

@ -0,0 +1,16 @@
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: flexvolsmb-credentials
namespace: authelia
spec:
encryptedData:
password: AgC/GDJHhqeyFSWsJ8Ie3tt9ppAe3Ns6tt29rieMKcJrQ71sn47MFEow9SOJJVNSjzUWukDg8tRrkq3CdB63jz7NO6CWKNy++nlSU0adDtuwioNUov3a9bnhzgdjjM/ZzpO/pz7j/utGFO1bkPWn4bU/tGoRYM1TsjP1t9m2qL/Me9LigLtafG8LTd/JKNHdyvii1CNcWkZoxKTocy+YdB3hA+0KZClxaQ2O5KPZMl6AoxJGWcuOVpvqQ831Epkl4f+uJp+YtMZbu+poB+hxhuhFZZH9Sx1sn20mZd8M2Kc863oJjzpZPAR5I9faMmDyEqBvJmdS9C9dZrpIdeDZFm25QYIGgu3ZNk+LItuWSoW8kZGsEefsINV6rqAOQmysfvq5aPkYe90RHvaf6Nf0F4wYq1fEiEoSnLPH+J0ToUSIPxMftBcXimTm/HtkUJCg2+rDb+EHp9ahjGaJBp45vd8hOKSF50GA2X8e4UlvbR6QBib6G//F7Pf6OBgsVxSvKQmlSsrBJRo3hxm7G7iLWd5lCmk0jbgRFWJvEnQMk/FqYoc/fcodpGtzEM0I6jL4Kpi1DnRnIgHQTWtU3LVF9aym2H1ExhZfhu0I2F56VQsQcg3vUVOBOwF+XjlrBaAEAEMcbBuigUbvqiSfpUHMQJSsIjtnkAEUs0/19iNCNNSvmjENr5Ml+88iqYQmg9hY11s4LbrsXa5t8q2TgTBrfPVw
username: AgCORI9b0L6FSdB+yDY6VEq77p9CFcwnpZ7nb0M1bz7tVNluYQSB69Y6dLTDCCVx2KdOXyU/QOdb0z8mzEywtC9R4Kzm4+SkTRHgrKOTmxXF3qW5VZDe0UlbSbJUUb3YdC9k2HPPoUvg45woGv1LGXFHgYTxbG+U1lxU8LDoMKfBQ3+GaeUUjI2bx33kyHKztyQizd+b2eSkoSHwRCHiBWZMNYa3zEvY6+07ytKJtaOhGhVsdt04blw4jUMym2sHOBCf95pAzI9gJH2RcuQBQI+ZXci0VeMPvmY3B6T+MruH+1Goy+/HoZOjI2Keu1Jk/Ppg/1FyB9VGX6A2YMyismk8LKWKG0/RNBfWn8RcDVlpgAcjDeX2PdYY17E/gZz2NLnIctBJ/dc93QjrAp/ZfLXBakCA3d0LKLFjUbpKwgaST5wnKif+UjqasDyjVkEG7jK5lGk3fmRCDyPgyxzqkUOSeCHQjDUa07AqKm56qfz/Wr9gm94VC1GiQ39F5/LAnAa2+qAQyJ+RVCBkXmt33sDSvelmXKmh9rIBCvsIxwUSkprpf76HcReRjaRv/9CyuPaskjYAkwOX6/NQPDQVHgKYtvoUhm4OnJ4amrsK2tPco1HC9xPGFIhrqoWeyfiUc1ui8IjxO5geV4hAWSUi5J/H3XBXsFpQt6ZqbemTnQyorTGd0asNP/6OTBtMcIgaPMmZi7F1Olo=
template:
metadata:
creationTimestamp: null
name: flexvolsmb-credentials
namespace: authelia
type: mount/smb

15
services/Authelia/service-authelia.yaml Normal file
View File

@ -0,0 +1,15 @@
apiVersion: v1
kind: Service
metadata:
name: authelia
namespace: authelia
spec:
ports:
- protocol: TCP
name: web
port: 9091
- protocol: TCP
name: redis
port: 6379
selector:
app: authelia

6
services/Gitea/ingressRoute-Gitea.yml
View File

@ -12,6 +12,6 @@ spec:
services: services:
- name: gitea - name: gitea
port: 3000 port: 3000
# middlewares: middlewares:
# - name: security-headers@file - name: security-headers@file
# - name: compression@file - name: compression@file

4
services/Guacamole/ingressRoute-Guacamole.yml
View File

@ -14,5 +14,5 @@ spec:
port: 8080 port: 8080
middlewares: middlewares:
- name: prepend-path-guacamole - name: prepend-path-guacamole
# - name: security-headers@file - name: security-headers@file
# - name: compression@file - name: compression@file

6
services/Vaultwarden/ingressroute-vaultwarden.yaml
View File

@ -20,6 +20,6 @@ spec:
services: services:
- name: vaultwarden - name: vaultwarden
port: 3012 port: 3012
# middlewares: middlewares:
# - name: security-headers@file - name: security-headers@file
# - name: compression@file - name: compression@file

6
storage/Longhorn/chart-values.yml
View File

@ -1,5 +1,5 @@
csi:
kubeletRootDir: /var/lib/kubelet
defaultSettings: defaultSettings:
# defaultDataPath: /var/lib/longhorn/
defaultDataPath: /mnt/blockstorage/ defaultDataPath: /mnt/blockstorage/
ingress:
enabled: true
host: storage.spamasaurus.com