infra/kube-cascade
3
1
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Merge branch 'main' of https://git.strudelline.net/infra/kube-cascade into main

Browse Source
This commit is contained in:
brechin 2023-06-18 20:01:36 -05:00
commit cd08693b65
7 changed files with 201 additions and 86 deletions

10
cloudflared/application.yaml
View File

@ -23,9 +23,12 @@ spec:
source:
chart: cloudflare-tunnel
repoURL: https://rlex.github.io/helm-charts
targetRevision: 0.6.0
targetRevision: 0.7.0
helm:
values: |-
extraEnv:
- name: TUNNEL_TRANSPORT_PROTOCOL
value: http2
cloudflared:
tunnelSecret: cloudflare-tunnel-werts-credentials
tunnel: 060edc8a-f8f3-46fc-b007-ded654fdf6f1
@ -74,9 +77,12 @@ spec:
source:
chart: cloudflare-tunnel
repoURL: https://rlex.github.io/helm-charts
targetRevision: 0.6.0
targetRevision: 0.7.0
helm:
values: |-
extraEnv:
- name: TUNNEL_TRANSPORT_PROTOCOL
value: http2
cloudflared:
tunnelSecret: cloudflare-tunnel-strudelline-credentials
tunnel: 12dcd4b7-4987-4639-8bb3-0da0dfd1b1bc

77
k8s-mediaserver/application.yaml
View File

@ -1,77 +0,0 @@
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: "mediaserver-operator"
namespace: "argocd"
# DO NOT place the resource finalizer here. Since this is ArgoCD itself, it
# will never be able to finalize itself since it will have to delete itself
# before removing the finalizer.
spec:
project: default
destination:
namespace: "mediaserver"
name: in-cluster
syncPolicy:
automated:
prune: true
selfHeal: true
retry:
limit: 10
backoff:
duration: 5s
factor: 2
maxDuration: 3m0s
source:
repoURL: "https://github.com/jamesandariese/k8s-mediaserver-operator"
targetRevision: "v0.8.0"
path: helm-charts/k8s-mediaserver
helm:
values: |-
general:
pgid: 101 # administrators
puid: 1024 # admin
storage:
#pvcStorageClass: nfs
customVolume: true
volumes:
nfs:
server: 172.16.18.1
path: /volume1/k8s-volumes/mediaserver
ingress_host: media.strudelline.net
plex_ingress_host: plex.strudelline.net
jackett:
ingress:
tls:
enabled: true
secretName: wildcard-tls
plex:
ingress:
tls:
enabled: true
secretName: wildcard-tls
prowlarr:
ingress:
tls:
enabled: true
secretName: wildcard-tls
radarr:
ingress:
tls:
enabled: true
secretName: wildcard-tls
sabnzbd:
ingress:
tls:
enabled: true
secretName: wildcard-tls
sonarr:
ingress:
tls:
enabled: true
secretName: wildcard-tls
transmission:
ingress:
tls:
enabled: true
secretName: wildcard-tls

7
k8s-mediaserver/ns.yaml
View File

@ -1,7 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
labels:
wildcard-tls.kn8v.com/copy: "true"
name: mediaserver

88
matrix/config.yaml Normal file
View File

@ -0,0 +1,88 @@
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: "synapse-werts-config"
namespace: synapse
spec:
refreshInterval: "5s"
secretStoreRef:
name: k8s-store
kind: SecretStore
data:
- {"secretKey": "registration_shared_secret", "remoteRef": {"key": "synapse-werts-secrets", "property": "registration_shared_secret"}}
- {"secretKey": "pepper", "remoteRef": {"key": "synapse-werts-secrets", "property": "password_config__pepper"}}
- {"secretKey": "macaroon_secret_key", "remoteRef": {"key": "synapse-werts-secrets", "property": "macaroon_secret_key"}}
- {"secretKey": "form_secret", "remoteRef": {"key": "synapse-werts-secrets", "property": "form_secret"}}
- {"secretKey": "oidc_client_id", "remoteRef": {"key": "synapse-werts-secrets-oidc", "property": "client_id"}}
- {"secretKey": "oidc_client_secret", "remoteRef": {"key": "synapse-werts-secrets-oidc", "property": "client_secret"}}
- {"secretKey": "db_user", "remoteRef": {"key": "synapse-werts-db-pguser-synapse-werts-db", "property": "user"}}
- {"secretKey": "db_password", "remoteRef": {"key": "synapse-werts-db-pguser-synapse-werts-db", "property": "password"}}
- {"secretKey": "db_dbname", "remoteRef": {"key": "synapse-werts-db-pguser-synapse-werts-db", "property": "dbname"}}
- {"secretKey": "db_host", "remoteRef": {"key": "synapse-werts-db-pguser-synapse-werts-db", "property": "host"}}
target:
name: synapse-werts-config
template:
type: Opaque
data:
"homeserver.yaml": |
macaroon_secret_key: "{{.macaroon_secret_key}}"
form_secret: "{{.form_secret}}"
registration_shared_secret: "{{.registration_shared_secret}}"
password_config:
enabled: true
pepper: "{{ .pepper }}"
server_name: werts.us
public_baseurl: https://chat.werts.us/
pid_file: /data/homeserver.pid
media_store_path: "/data/media_store"
report_stats: false
trusted_key_servers:
- server_name: "matrix.org"
signing_key_path: "/data/my.matrix.host.signing.key"
limit_remote_rooms:
enabled: true
complexity: 0.0
complexity_error: "only admins are allowed to join federated rooms"
admins_can_join: true
allow_public_rooms_without_auth: false
allow_public_rooms_over_federation: false
listeners:
- port: 8008
tls: false
type: http
x_forwarded: true
resources:
- names: [client, federation]
compress: false
database:
name: psycopg2
args:
user: "{{ .db_user }}"
password: "{{ .db_password }}"
database: "{{ .db_dbname }}"
host: "{{ .db_host }}"
cp_min: 5
cp_max: 10
oidc_providers:
- idp_id: my_idp
idp_name: "werts.us"
discover: true
issuer: "https://auth.werts.us/realms/werts"
scopes: ["openid", "profile"]
skip_verification: true
user_mapping_provider:
config:
subject_claim: "preferred_username"
localpart_template: "{{"{{"}} user.preferred_username {{"}}"}}"
display_name_template: "{{"{{"}} user.name {{"}}"}}"
email_template: "{{"{{"}} user.email {{"}}"}}"
client_id: "{{ .oidc_client_id }}"
client_secret: "{{ .oidc_client_secret }}"

17
matrix/secrets-oidc-sealed.yaml Normal file
View File

@ -0,0 +1,17 @@
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: synapse-werts-secrets-oidc
namespace: synapse
spec:
encryptedData:
client_id: AgB0ydrAv3Gcz2mMtgfODxKWztp4IkAP9bPJ680xjKKjK9XnxPBsX9N3YOknMI33W5IQbO6kGaXQv0XCOVxsFyLh5U0DUOp3QIhzR7izLNhGPUqgveXm53A6ALgCB/EK1IXfNMAJZdkXpUDWIQv+zRtbLgpQ+3/p39ORbHdqyOxpHxsnCA5EJtVe2qIj68RVrkTXa7l2DWpD2S3ISCuIzobyN8Tlv9NW9LsRyq7aFaAI5ngYyGOcOAw4CSQ/H0mhv3ICoBBFtmMkv4SvsLvfHHxobibr+iDJ3+X3sExgQ4OkTpDfVhi2EcOgtcm/Vvp+1S5DZPfP9Cs5qfA0USdNNAl8Yt4OMAXtfyN9gkb5aKvNyk/VJA4Zmqre8fs1qmgAFwHfshzF2/Ag4CqjHdNNqrcTbSUxhL0W30MkAPUAvduVdePM9wCm8FZ3D4oar9D7kK3SlgpYHVKthTml06ppWdFrGSGa+9R0EKYT+SNpqErhYcisf3R6rLdk3n5DAUP4Srf7ET7xDiH7ntnqLI/PNn9163K6MVf7qlN9VgJdc5DpV2J3+yW8J3fdieVBqcvUwhAlkFLxlx9pY6bhIcwi0ZTNSkj8gOhmQDmOpa1hqo+Eyrc+P5zPDBa4+Nl2jWeQ7xAgmxpvJwWlj2vi6VB7XdSAc3uv0IFh0b3E5JE3x/yLYbX/DQODYZDM3vTXHjpMqENM00Tuzfg=
client_secret: AgBSUKoK1Ije4xhotG5IWvUt3+Saky4qxR/Otxq/ZCcsmeLX77Hg5FYCpzeoqG7DnJy2Y6ndZ6wVW2g6lD/Ch6+wrPN7sjo7Pl1qdr6n8cker9xDww0fkOvLMADVEuAxJZeU6fmGDiebaYtv3Y+gvbQHu4GcZkqEWQo/F5/xRAj2zBRCr8WmthOFnai0eVnqe/ay6PVBwCoTFlM6uMmDWF/Veb7C81QxIadtfcgGtt38eKoeSRflwYXxRaSfPR8i4xm9vICjUfkY1qHJkHVxhIT35EOQJALKfxq1Lftbv7LeN/pgWPUm/k9b32GSQcXykRza04fyZVKyeCEc9FlboOUrYLXdfNkxEwYJb0qEv+x28QoWCfnX2OH3u7fueJD1hCGi9OSqg5IWgqFwqJiBWIkpsPmd5LfF7+DTl+SVlMeGX7ldWfoXWoNiJMhjngKQTttccZ2IwpC+Rv7Ue9AB/4bo+uIKe0woxwPOr1HQwe1Rw8GFZ7LdsU3/TvEOy6dJqige062PlJfgtOnjVJVyyVIq6g5gnkguO9cgssDheBKfKrkcDRxL+9aGFuqaiw4pHKx6DscAS/ujn0DiEc1slX2owxaIUdCrkREKcECgr92zFHlJpi5gHV9PSXvES2h29LnycQkUIOpFq0wOSkRDOPizt/DNPTxbAP28F4828znU1+SIuJsxklt/uqOOElGbnK/ms9wcB0dvKprt255Q2pqtNVY9/Qt3CcxOs2o9T/nBsxN+V10+Af1X4+T40phmpR4BJUpxPr55HpNjBhaiXNiPY4Shvm7a3oiLWUnANbJNI/GOuUx9zw==
template:
metadata:
creationTimestamp: null
name: synapse-werts-secrets-oidc
namespace: synapse
type: Opaque

19
matrix/secrets-sealed.yaml Normal file
View File

@ -0,0 +1,19 @@
apiVersion: bitnami.com/v1alpha1
kind: SealedSecret
metadata:
creationTimestamp: null
name: synapse-werts-secrets
namespace: synapse
spec:
encryptedData:
form_secret: AgBhY/ppJWTsYA0ItjZI4XPPmFKAf4yH6dDV+cK37W7KKXRtLuUISpvE7VfVkOKsdoDNfirwQDyTKdfL/TU2glt3Xi50xrtaqG3VkkzXp+vd2wIdFHFUqHBhU3WkyVxd42+hszLz9lBHokHkO/ZO4UTBv3nlSTk46abhXiKCcou0z8sPhO9Ed90Xft1MwxydazcG8aJp/BwcpHD+wGattI29cSUvLNYhW6ViUdxul4J3+dOoBDXnrkf4+3PSwYb7OCSWHRupg1KMXpUVcu0/2n3TdPLr3O/leaJDfhGIpO5ZSLHHmouZMuN8RHBQZVg11e9/cfmVqN/qKzuFAeuCfQ13khqvroXlne/OTdPNdvmnSd98TkvCpbDs/SBb5h/AtlSYJM2KbLLTwT85VwoZWYn9iVP4j5bok9EFY97WIrYluONepp8bhOLcnZiei3Pn4qn0UYEo2eXzA00pkyEedZzn2Mte6QhvgoKfZ7pMkYnpmI/8R7QpQOyW+Kf8vIzQIAe16blsQhpqd4R1/ddnwvE0+fHwrZ889jy2S5v4in13NMAfpABBRg0O8ntinhZsx3Cf0nNe/3t6lJAQXWeyhnJtU41WzBntOME7axwDKnzaGPuLQn+BArL616S7S9RPZEH7llr12ABdO3mKuncUGXc4sCTER5tjESBlnFiQIcp8GAwjofJmYYYjpBJNUZIxTZxAZdlRwecZ61CBDIWo7bYXL6WT8cQfPv+7CkxbJ/nt/yEDmeY1/xW6c5n6UisFOYefNQ==
macaroon_secret_key: AgCeK1HntBncfkXJmZrejkcLH53s0fN1yr1jENKPon2CPTXpQ/vA58xXHEbxAUJMDsw9PUzCbYLyEk8oPL6i7TZW9D8f/fvsnlZhOIjHObV6s/7XPLe5z+KWUDXMDOGmjMS32Z1w5wLih0/iAch5txOZVX9bk1fAXLf9Lre+0/4qL8p9ieBdcnieM0a7swZdfINckGFNgEjpTU4fdcAMDWAKcgL0v5b5w5etMZ48KIRjmZIiJvXPIxT1teCYxCTFrQD/N4USN9rQ+HXLIyGj8UdEv3HA0T0k/xSOfwlC2Qy9SvjdX+UIDTVxdvXDdBNulorowYlbzmuFaqscnDI50dtrw73s6VjreW91iUJ0kDRAiOgUrTWnaXXOGKU/2hQOorTVfRcUAW5kpkLM355rZGwdzeEP/7qxxBnHwAGGV5vfaGhsP8UNZwRDd+L2R5bYx05IXP73wxXE+NihCHgvDS3wmCSCoPnlGyzrG3oed0Nbi3+mbKqfQCB8IBfzkXX5WoeI6GQF+HwHBY+/msR/hsda+YbqTp+gm13COXFGsijsKUAv7FC3HJ6tM/XXKEDM+DeN2samhLp8NLRwLkxJRzBcVFWifAjBj5ONjdryoN0oZKmbm5D+BpWPBjKDjLG7kjoux/SD7bz/1u0Kbd2TyVMxEl7SP5yAkRruUybQQVWvmz7jKAZnUwPIeu5cxuD8yefXpdfZkJuToPJcblVsmBq7Hq9o5rCaArjJC3qa4BVd+ybauBgXNRMOBamHEeGkv0aO5Q==
password_config__pepper: AgCXcCt67yMenHJe/om73r0aR0re98D29GOwwAgYmpaOYCrqWzfjPsbNsHTJhBihcTm4asMrqD3Q1w4IRmCynvB1umretCDhMw1BFoeeePDvIq8F+HN/uEByaHBkcBWGwYZcrgH22qieX1oKr5fcpFqXchdGnZfQUnWC4hqaiuCJtH74P7M/skzuJXqrsR//0AbL83siqogIykqCrYdeHvYAuwwFlT4x/obsVkOF2CXEgxt4tTRUtUQ4IZk9gAzOm+UG5E5R4da9zaBA1wzqmKX9tHFli6vgDJIVkOf/pcazX2fk38f/PyKqyvnmp0TOV6xPdulwajE4NsE5sCSGoHsRYlI7Hkv1BtVvY7ZmzX2P8CpAYchLUb0swKlwP8oehtTx2Wz0CksxPTZB4rYS13aw1446A3CxiS+KDZgDpFm8eMdqw8creUv0gM0xHIlCBf06om3xGr0/ecOeBftvZT9nbWRalOneYctEdv53sj8gx5X2M4amTfejPR62viL9vAAYLTSLylH4k/kJMKA+lgOaHrL5qXlhqUGIn9HE+tI0B6sMZCWWpt7mANGkmSaSnqINd8KUExy8KjkFmsKnyxG166OJHEwF+L3Atb2n+RvAQbAe1wck0LpV6nqZ3AvmSD6Wef4QpFhgvbm5uGNPCt43GtaNzEFAThGrIotdlVUjpn+4cyuPmmxKdA17OlkwrPkd8zqaxQpKIYoWjU7YZwX9OprhNBqvORpc79335JI9XQ==
registration_shared_secret: AgALJfyfX/hBVqavMkjOjEGEWoOat6yAbik7ueKv2YzHuND+lEJTIRI6yjgmmeKQed8zhjpZ0BHt5fWsm0cRj7FXjnaEtLJONFoZE6gS8+QNjU2Ictw7NUc9LF2XlS6UR+df09Z9/P+di43Dvoe04yp4brcVtr14OCijndsrbwKc0K2ReG2nFcqsQSsS0cJw0UqWQhfX/dEmMO/hwJxx+dANdh8ieOCbabQTPr+Io49v70CcvZl8AQM4E9zLA866rRqNvs6nY6AWv/BIABVy5+ftx0PcfLTpCZP59+ZKgpDLUBfGDM0xVfLDPn63urC9ct/hBG4O+Ct3ZU3GT+i66SaIPw2ttmRRLBsUWBknwayVnALmZ0ZRHEd/2//AHH10XonY4jEXpdUsPX1Nv3XBUYXJyfW6XARV4el1HGtge4+q2IwNXpClkbCGggWM0RJTxb55t6r7trMuBCPVJdqPeAFrlgmB5uYUK5E1uhnPM3iWr5rHCaG1l85SDSJAiUVoqjAauv6GTLBHDYeuiJBlb9c9nCM7i9sJKpJFjdJBs5X1O0OtEVMFombO9CzLHGmZPTJp9Sn0xTLsBHZvME6QgRana7sF4XsdQET+na3F416b9hzWApdx+2d0pfxQzuXJGASO10Rlk50YiXl67m3OdjCe/mp2TO0i4KttZ2OviDc7X98fgOVh/aKjEhgfRYyupDXmFJ498yjL3Z/CHnXT7/ubcLyVIWiwE7CEuo3PI57uQQ==
template:
metadata:
creationTimestamp: null
name: synapse-werts-secrets
namespace: synapse
type: Opaque

69
matrix/ss.yaml Normal file
View File

@ -0,0 +1,69 @@
apiVersion: v1
kind: ServiceAccount
metadata:
name: eso-store-sa
namespace: synapse
---
apiVersion: rbac.authorization.k8s.io/v1
kind: Role
metadata:
namespace: synapse
name: eso-store-role
rules:
- apiGroups: [""]
resources:
- secrets
verbs:
- get
- list
- watch
- apiGroups:
- authorization.k8s.io
resources:
- selfsubjectrulesreviews
verbs:
- create
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
creationTimestamp: null
name: eso-store-rolebinding
namespace: synapse
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: Role
name: eso-store-role
subjects:
- kind: ServiceAccount
name: eso-store-sa
namespace: synapse
---
apiVersion: v1
kind: Secret
metadata:
name: secret-store-token
namespace: synapse
annotations:
kubernetes.io/service-account.name: eso-store-sa
type: kubernetes.io/service-account-token
---
apiVersion: external-secrets.io/v1beta1
kind: SecretStore
metadata:
name: k8s-store
namespace: synapse
spec:
provider:
kubernetes:
auth:
token:
bearerToken:
name: secret-store-token
key: token
remoteNamespace: synapse
server:
caProvider:
type: Secret
name: secret-store-token
key: ca.crt