refactor: move to new repo

Peter 2023-11-14 22:12:33 +01:00
commit 62501c93a0
No known key found for this signature in database
103 changed files with 19334 additions and 0 deletions

16
.editorconfig Normal file

@ -0,0 +1,16 @@
root = true
[*]
indent_style = space
end_of_line = lf
charset = utf-8
trim_trailing_whitespace = true
insert_final_newline = true
max_line_length = 120
[*.tf]
trim_trailing_whitespace = false
[*.{yml,yaml,yml.j2,yaml.j2}]
indent_size = 2
insert_final_newline = true

4
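--- a/.gitignore
+++ b/.gitignore
@@ -0,0 +1,4 @@
+.terraform/
+.vaultpw
+.vscode/
+.ssh/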

5
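--- a/.sops.yaml
+++ b/.sops.yaml
@@ -0,0 +1,5 @@
+creation_rules:
+- unencrypted_regex: "^(apiVersion|metadata|kind|type)$"
+age: >
+age18e0w4jn03n66qwg8h3rjstz7g5zx2vhvz28aterkfkfetrxtpuysftp6we,
+age1yssdnqk90tn6zzggmwt70krndw04yfk9hwzdac3wsgfxmttngd7q89qzjr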
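Review bot: The single creation rule has no `path_regex`, so it applies to every file sops encrypts in this repository, and `unencrypted_regex` is matched against key names rather than full paths. As far as sops' documented matching goes, a key named `type`, `kind` or `metadata` that later appears under `stringData` or `data` would be left in clear text. Consider inverting the rule to `encrypted_regex: "^(data|stringData)$"` and scoping it with a `path_regex` for the `*.enc.yaml` files, with a comment naming who holds each of the two age recipients.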

1
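--- a/drone/.gitignore
+++ b/drone/.gitignore
@@ -0,0 +1 @@
+charts/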


@ -0,0 +1,29 @@
image:
tag: 1.8.3
replicaCount: 4
extraSecretNamesForEnvFrom:
- drone-runner-secrets
env:
DRONE_RUNNER_PRIVILEGED_IMAGES: code.icb4dc0.de/inetmock/inetmock
DRONE_RPC_HOST: drone.drone.svc.cluster.local:8080
DRONE_RPC_PROTO: http
DRONE_RUNNER_CAPACITY: 1
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app.kubernetes.io/name
operator: In
values:
- drone-runner-docker
topologyKey: kubernetes.io/hostname
nodeSelector:
kubernetes.io/arch: arm64
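Review bot: `DRONE_RUNNER_PRIVILEGED_IMAGES: code.icb4dc0.de/inetmock/inetmock` makes pipeline steps that use this image run as privileged containers on the runner's Docker daemon, so write access to that image or to a pipeline that references it amounts to host-level access on the node; the same line is repeated in the amd64 runner values in the next section. A comment naming the pipeline that needs privileged mode and why would make the exception reviewable. `DRONE_RPC_PROTO: http` means the RPC shared secret and build logs cross the cluster network unencrypted, which should be recorded as an accepted risk or moved behind TLS. `DRONE_RUNNER_CAPACITY: 1` is a YAML integer; quoting it as `"1"` avoids relying on the chart to stringify env values.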


@ -0,0 +1,27 @@
image:
tag: 1.8.3
extraSecretNamesForEnvFrom:
- drone-runner-secrets
env:
DRONE_RUNNER_PRIVILEGED_IMAGES: code.icb4dc0.de/inetmock/inetmock
DRONE_RPC_HOST: drone.drone.svc.cluster.local:8080
DRONE_RPC_PROTO: http
DRONE_RUNNER_CAPACITY: 1
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 100
podAffinityTerm:
labelSelector:
matchExpressions:
- key: app.kubernetes.io/name
operator: In
values:
- drone-runner-docker
topologyKey: kubernetes.io/hostname
nodeSelector:
kubernetes.io/arch: amd64


@ -0,0 +1,44 @@
image:
tag: 2.20.0
ingress:
enabled: true
annotations:
gethomepage.dev/description: CI/CD system
gethomepage.dev/enabled: "true"
gethomepage.dev/group: Apps
gethomepage.dev/icon: drone.png
gethomepage.dev/name: Drone CI/CD
hosts:
- host: drone.icb4dc0.de
paths:
- path: /
pathType: Prefix
service:
port: 8080
persistentVolume:
enabled: false
extraSecretNamesForEnvFrom:
- drone-secrets
env:
## REQUIRED: Set the user-visible Drone hostname, sans protocol.
## Ref: https://docs.drone.io/installation/reference/drone-server-host/
##
DRONE_SERVER_HOST: "drone.icb4dc0.de"
DRONE_SERVER_PROTO: https
DRONE_DATABASE_DRIVER: postgres
DRONE_GIT_ALWAYS_AUTH: true
DRONE_LOGS_DEBUG: true
DRONE_S3_ENDPOINT: https://2df513adaee2eeae12106af900bed297.r2.cloudflarestorage.com
DRONE_S3_BUCKET: drone
DRONE_S3_PATH_STYLE: true
DRONE_S3_SKIP_VERIFY: true
AWS_REGION: us-east-1
AWS_DEFAULT_REGION: us-east-1
DRONE_REDIS_CONNECTION: redis://drone-session-cache-keydb:6379
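Review bot: `DRONE_S3_SKIP_VERIFY: true` disables TLS certificate verification for the `https://…r2.cloudflarestorage.com` endpoint, which presumably presents a publicly trusted certificate, so the setting only removes protection against interception of the log traffic; I would drop the line or set it to `"false"`. `DRONE_LOGS_DEBUG: true` on the server is worth turning off outside troubleshooting, or at least commenting with the reason it is on. The boolean env values here are unquoted while `gethomepage.dev/enabled` is quoted as `"true"`; env values end up as strings, so quoting them consistently avoids depending on the chart's conversion.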


@ -0,0 +1,31 @@
imageRepository: code.icb4dc0.de/prskr/infrastructure/keydb
imageTag: v6.3.2
podDisruptionBudget:
enabled: true
persistentVolume:
enabled: false
resources:
requests:
cpu: 10m
memory: 60Mi
limits:
cpu: 100m
memory: 128Mi
serviceMonitor:
enabled: true
labels:
prometheus: default
exporter:
enabled: true
imageTag: v1.51.0
resources:
requests:
cpu: 50m
memory: 50Mi
limits:
cpu: 150m
memory: 100Mi


@ -0,0 +1,40 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: drone
commonLabels:
app.kubernetes.io/instance: icb4dc0de
app.kubernetes.io/managed-by: kustomize
commonAnnotations:
"helm.sh/resource-policy": keep
helmCharts:
- name: keydb
repo: https://enapter.github.io/charts/
releaseName: drone-session-cache
namespace: nocodb
version: "0.48.0"
valuesFile: config/values.keydb.yaml
- name: drone
repo: https://charts.drone.io
releaseName: drone
namespace: drone
version: "0.6.3"
valuesFile: config/values.drone.yaml
- name: drone-runner-docker
repo: https://charts.drone.io
releaseName: drone-kube-runner-arm64
namespace: drone
version: "0.6.0"
valuesFile: config/values.drone-runner-arm64.yaml
- name: drone-runner-docker
repo: https://charts.drone.io
releaseName: drone-kube-runner-x86-64
namespace: drone
version: "0.6.0"
valuesFile: config/values.drone-runner-x86-64.yaml
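Review bot: The `keydb` chart entry sets `namespace: nocodb` while the kustomization itself and every other chart use `drone`, which looks like a leftover from another stack. The top-level `namespace: drone` rewrites resource namespaces, but anything the chart renders from the release namespace (service DNS names in its generated config, for instance) would still refer to `nocodb`, and the server's `DRONE_REDIS_CONNECTION` expects `drone-session-cache-keydb` in its own namespace. Suggest `namespace: drone` on that entry.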

20
drone/kustomization.yaml Normal file

@ -0,0 +1,20 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
commonLabels:
app.kubernetes.io/instance: icb4dc0de
app.kubernetes.io/managed-by: kustomize
commonAnnotations:
"helm.sh/resource-policy": keep
resources:
- "base/"
- "resources/namespaces.yaml"
- "resources/sa.yaml"
- "resources/sa_secret.yaml"
- "resources/cluster_role.yaml"
- "resources/role_bindings.yaml"
generators:
- ./secret-generator.yaml


@ -0,0 +1,44 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: drone-deploy
rules:
- apiGroups: [""]
resources:
- secrets
- configmaps
- pods
- services
- persistentvolumeclaims
- serviceaccounts
verbs: ["*"]
- apiGroups: ["apps"]
resources:
- replicasets
- deployments
- statefulsets
verbs: ["*"]
- apiGroups: ["batch"]
resources:
- jobs
- cronjobs
verbs: ["*"]
- apiGroups: ["autoscaling"]
resources:
- horizontalpodautoscalers
verbs: ["*"]
- apiGroups: ["networking.k8s.io"]
resources:
- ingresses
verbs: ["*"]
- apiGroups: ["rbac.authorization.k8s.io"]
resources:
- roles
- rolebindings
verbs: ["*"]
- apiGroups: ["monitoring.coreos.com"]
resources:
- podmonitors
- servicemonitors
verbs: ["*"]
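Review bot: `verbs: ["*"]` on `roles` and `rolebindings` includes `escalate` and `bind`, so the `drone-deploy` service account can grant itself or any other subject arbitrary permissions inside each namespace where this ClusterRole is bound, and `*` on `secrets` lets it read every secret there. Because the account is used from CI, listing the verbs deployments actually need (for example `get`, `list`, `watch`, `create`, `update`, `patch`, `delete`) and dropping the `rbac.authorization.k8s.io` rule unless pipelines really create roles would narrow what a leaked token can do. A comment above `rules:` stating that this role is meant to be bound only through namespaced RoleBindings, never a ClusterRoleBinding, would also help.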


@ -0,0 +1,37 @@
apiVersion: v1
kind: Secret
metadata:
name: drone-runner-secrets
namespace: drone
type: Opaque
stringData:
DRONE_RPC_SECRET: ENC[AES256_GCM,data:HEXPjEhzVd32+DrxgsZUj3wSX21QCuMjHiwR1P+OhOI=,iv:DWcpdvoO5x3pAbAYtHPC0t8CCzUV6EHBeM5pwNxH/yw=,tag:oLRLwOmbNMsOD2NclOQwFg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age18e0w4jn03n66qwg8h3rjstz7g5zx2vhvz28aterkfkfetrxtpuysftp6we
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBldVdpMWV2eW85bzJ2aDQr
a0dQcEtZZHRvdG5iTGlBc1dQRFRLbVVoZEJVCkluZnFqTkZoL2p5QUdReWtHVFlE
bzhMMldBNG83TzlhTlZrL1dLRi82aEEKLS0tIDBka2xPN2E0ZE1ZN2RYUlNFcmZu
eURnd1RpYzZ4NmdRSUN3aXVYVDYwWVUKeUhg2fbE+L1Dr4re0kuJ0Lhhf38lJiZ3
7D0szVTlCoIcFQFMOUNwpNdYGuBkyXhJgpSpyUhIuPGE5gxkrLZI1g==
-----END AGE ENCRYPTED FILE-----
- recipient: age1yssdnqk90tn6zzggmwt70krndw04yfk9hwzdac3wsgfxmttngd7q89qzjr
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYTWEyaWZXd3pSVFQ4NnV3
N3c2S2RUQTU1MDZwQ0tuVVk0bmxIU1NuY0hBCitQdE1JYm9MRjNrN2kzSmNOWUQ0
UCtZODZRaUhiTnhvSjBVUk94ZDFDWFkKLS0tIFo2bVlUbUFOUk9ESmdvKzkrQlY2
QzVTTjVsb0ovT1JNRUw2dXQrcnVJUm8KvQ4hyDw8ImxrSzn5qpo9xkkQnapDXwKl
lfV9wESEo23V5MO/ZMxGBl1S1RzR10abcwkuzpYNfDr5DW4wvKPdYA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-10-26T19:23:40Z"
mac: ENC[AES256_GCM,data:eFCDA4wsm056C1Vzjer5whxItNoZNk7w3c0VvcpIMN0qrP6u7vZjEezsrT9OGv/sh7DLvVRx6qmIKZ6tw8kc7cutZB7OqfqwYLTTkPcXbVPIwCubjc4LseyFeXGhPQmQH52c8SCtKM/Ft9WMdlE624mpACLUXp7aKvGuiRkwREs=,iv:Qbt+GkUyYeopknU+z4nQ96q6blmuKS3gShQ8GuZ/qFw=,tag:OpUHMsil1ij3FbWIe43FAQ==,type:str]
pgp: []
unencrypted_regex: ^(apiVersion|metadata|kind|type)$
version: 3.8.1


@ -0,0 +1,45 @@
apiVersion: v1
kind: Secret
metadata:
name: drone-secrets
namespace: drone
type: Opaque
stringData:
AWS_ACCESS_KEY_ID: ENC[AES256_GCM,data:HWUsFOc2tD8CnEm4m4+2nuynOOW6lbUrtROLaPNgkmI=,iv:pmfvhL69opyb/MPlLRNjhjid5ORtE/E1B2/tCdOJKIc=,tag:xUVez9qJc4eBR14HeHyYmA==,type:str]
AWS_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:skSkCr5p1YpNqeiwUz1zTUstRb9wbaSUVOzCgyLJxf9kKXWpPjQOQxve7s5m6iNhwgxICBmjNgxA6f2wYXrF2w==,iv:h/kNCcbYfXDGyH1oUz1A2Nfeb/AM92msQQ65YXHu+o4=,tag:xv7tm2PtVOCBtJ45K6H/QA==,type:str]
DRONE_COOKIE_SECRET: ENC[AES256_GCM,data:zG8FSKnxIRVk7cCbtIP6VC2tbM+FfjFcg5Y6mTE19Tw=,iv:Ac50qD8l7CwtGxFFITl/0dMq1McHbztU7320v4pPWFs=,tag:JZCwGhJ+NQ/pdpULMzI+pQ==,type:str]
DRONE_DATABASE_DATASOURCE: ENC[AES256_GCM,data:j5sqt/EpuGOHQH2p+kuwm/CYIxT0DviopKST2MrTpXR+Jh20NRgiq9CnYFTzCIHQZaSsO16b4Gyu0ViXgYSEK5t0j0QNnEjo8/z+ko6mOYEMyAbdAUuBmS9i/vbCb0HaXTpoTy3RG7Vjxif3WqDf,iv:b1rssEhX4K/cHNEytIuLW8NZaOPSnOokmhH+kBggyN8=,tag:Ns4lIcSWntsT1zpKMNd7cg==,type:str]
DRONE_DATABASE_SECRET: ENC[AES256_GCM,data:qSNVcSzH0y0pCY07Y3yDjfMaPZFtPWEmf3tqq076n7o=,iv:XNJaU2kQJeS7iMJyIoAkwzVS3QdqLAZy/FbE3VFvYXU=,tag:FPYbmgQ8/VSkMexXko+7Nw==,type:str]
DRONE_GITEA_CLIENT_ID: ENC[AES256_GCM,data:jTR4bxuyrxt5llnRDuBHnughiIyzKQ2JEylh16wjZDIyWrid,iv:NrUudI15R+ZiaL3M/k70Mdfm20aerCWjDs6R0MHC4Hc=,tag:kfX4fNcCP4Xy//V72WzDrg==,type:str]
DRONE_GITEA_CLIENT_SECRET: ENC[AES256_GCM,data:0t8swJmx5qSvx7q9GsuRU+FOfcKxelIzDm5u16Nypfrqf5m9CbqmT39Uibj1wL8dWwx04Xo4mxc=,iv:agqn9RVuDq9WXly1AvckabpIyOqyK+0E89u4iItKRn4=,tag:KZLQlq+61QZtFGY/CnlQ2w==,type:str]
DRONE_GITEA_SERVER: ENC[AES256_GCM,data:BgMZnIL6OM5r4N+L4RU9t8Pf2XOEMYA=,iv:4dbpEY3iCMmwEOPwp40VDkOIYUOfCkOnRXsmf9P/acE=,tag:1Vb6R/s+sK1UnZBIkZXxKQ==,type:str]
DRONE_RPC_SECRET: ENC[AES256_GCM,data:dyaF1jehSfCk+3lbuPffibwpXEQCggb1O7YRNu1Li7Q=,iv:wBlkUev6z1F9n+BjDfa5NAXjBbGm94AEfdUqiwrxUek=,tag:y66eOgLjTnYA3ZYFgWMKTg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age18e0w4jn03n66qwg8h3rjstz7g5zx2vhvz28aterkfkfetrxtpuysftp6we
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBHUXdoTlVUYW1kSEp1eVF6
OFVUbndGRjEvR0ppOW94K2ZEekpCTjNXQlU4ClpsRkVKd2JSTldacm9Ddm9OZ2N0
Q0dtRUpTMmdIZkRwaDBHNUpmbG1Wbk0KLS0tIHM2OW9MYUord0pTT1ZRSXQvLzlN
VWR5WmNSTUF4MWNnVW5kQnBKUVZWNkkKErKeKJge7brrhxxZqlE7SOxQVcRczPhH
yd/bmsHwg84yOOsJejwXTMAmZcEns6qIHpq6PE7icqnsm40H6Ms1zQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1yssdnqk90tn6zzggmwt70krndw04yfk9hwzdac3wsgfxmttngd7q89qzjr
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2RGhBQmZxY3BVK1JyY2JF
SUZDbUpQbUliQUpGM0VPQ3J3Y2txNXVVZlU0Ck1KY0NoM3IycUNPV0pkeWliVVNM
KzA5a0trQTN2ZDFmZUV3ZnlNVFF5K0kKLS0tIGdJWFJrNUU4UHFZSnNCMWMwSW5S
VGN1VEJlL3RxOXVwNmo3RTk4aUhEb1EKtAHu3KqQ7EH7SQE/Dvc6gfuSmkcsy3+c
1xxDYh69cMHkV3q4Wfnqg/DyWUq6D7OE4tVAuzNfo1SzZuBHXXCdQQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-11-08T18:21:47Z"
mac: ENC[AES256_GCM,data:Lblzygh5+S25J2c1bH+hlKE9DGkmYAzI+BcBfpoLs3uB16NIyIku833XN0jEerpxINSiJMClLBVzZ2uKCpDCfcxxz0rJIldtoUqOzKtxTtcziMt6VXoG3h5m9pPbILzGU27uzo/D7E9SbXAUAmTGYsEFLx/R7bZYWMCdhgCOO0I=,iv:tnjm+xhTCie9W8LPG4MYCK3KNMZBa8TJPmzpYxZ0HQc=,tag:R4W/OU/aNCz5S7pXHjIWbg==,type:str]
pgp: []
unencrypted_regex: ^(apiVersion|metadata|kind|type)$
version: 3.8.1


@ -0,0 +1,28 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: drone
labels:
prometheus: default
---
apiVersion: v1
kind: Namespace
metadata:
name: inetmock
labels:
prometheus: default
---
apiVersion: v1
kind: Namespace
metadata:
name: blog
labels:
prometheus: default
---
apiVersion: v1
kind: Namespace
metadata:
name: buildr
labels:
prometheus: default


@ -0,0 +1,42 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: drone-deploy-blog
namespace: blog
subjects:
- kind: ServiceAccount
name: drone-deploy
namespace: drone
roleRef:
kind: ClusterRole
name: drone-deploy
apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: drone-deploy-inetmock
namespace: inetmock
subjects:
- kind: ServiceAccount
name: drone-deploy
namespace: drone
roleRef:
kind: ClusterRole
name: drone-deploy
apiGroup: rbac.authorization.k8s.io
---
apiVersion: rbac.authorization.k8s.io/v1
kind: RoleBinding
metadata:
name: drone-deploy-buildr
namespace: buildr
subjects:
- kind: ServiceAccount
name: drone-deploy
namespace: drone
roleRef:
kind: ClusterRole
name: drone-deploy
apiGroup: rbac.authorization.k8s.io

6
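--- a/drone/resources/sa.yaml
+++ b/drone/resources/sa.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+name: drone-deploy
+namespace: drone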


@ -0,0 +1,9 @@
---
apiVersion: v1
kind: Secret
metadata:
name: drone-deploy
namespace: drone
annotations:
kubernetes.io/service-account.name: drone-deploy
type: kubernetes.io/service-account-token
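Review bot: A `kubernetes.io/service-account-token` Secret yields a token that does not expire, and this one belongs to `drone-deploy`, which holds wildcard verbs in every namespace it is bound in. If the token is copied into Drone as a pipeline secret, document a rotation procedure next to this manifest, or issue short-lived tokens through the TokenRequest API (`kubectl create token drone-deploy -n drone`) instead of keeping a static one.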


@ -0,0 +1,12 @@
apiVersion: viaduct.ai/v1
kind: ksops
metadata:
# Specify a name
name: drone-secrets-generator
annotations:
config.kubernetes.io/function: |
exec:
path: ksops
files:
- ./resources/drone-secrets.enc.yaml
- ./resources/drone-runner-secrets.enc.yaml

1
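--- a/forgejo/.gitignore
+++ b/forgejo/.gitignore
@@ -0,0 +1 @@
+charts/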


@ -0,0 +1,107 @@
image:
rootless: true
service:
ssh:
type: NodePort
nodePort: 32022
ingress:
enabled: true
annotations:
gethomepage.dev/description: where to code goes to
gethomepage.dev/enabled: "true"
gethomepage.dev/group: Apps
gethomepage.dev/icon: forgejo.png
gethomepage.dev/name: Forgejo
hosts:
- host: code.icb4dc0.de
paths:
- path: /
pathType: Prefix
resources:
limits:
cpu: 500m
memory: 3Gi
requests:
cpu: 250m
memory: 512Mi
persistence:
enabled: true
size: 10Gi
storageClass: hcloud-volumes
gitea:
additionalConfigSources:
- secret:
secretName: forgejo-credentials
admin:
existingSecret: forgejo-admin-credentials
metrics:
enabled: true
serviceMonitor:
enabled: true
additionalLabels:
prometheus: default
config:
repository:
FILE_MAX_SIZE: 30
MAX_FILES: 15
repository.release:
ALLOWED_TYPES: .bz2,.gz,.md,.pdf,.tgz,.txt,.zip,.tar.gz,.txt,application/gzip,application/x-gzip,application/x-gtar,application/x-tgz,application/x-compressed-tar,text/plain
git.timeout:
migrate: 3600
default: 3600
clone: 3600
pull: 3600
gc: 300
log:
level: Warn
server:
PROTOCOL: http
ROOT_URL: https://code.icb4dc0.de/
LFS_START_SERVER: 'true'
LANDING_PAGE: explore
ENABLE_GZIP: 'true'
ENABLE_PPROF: 'true'
service:
DISABLE_REGISTRATION: 'true'
DEFAULT_KEEP_EMAIL_PRIVATE: 'true'
DEFAULT_ALLOW_CREATE_ORGANIZATION: 'false'
DEFAULT_USER_IS_RESTRICTED: 'true'
storage:
STORAGE_TYPE: minio
MINIO_ENDPOINT: 2df513adaee2eeae12106af900bed297.r2.cloudflarestorage.com:443
MINIO_BUCKET: gitea
MINIO_LOCATION: us-east-1
MINIO_USE_SSL: 'true'
MINIO_CHECKSUM_ALGORITHM: md5
attachment:
ALLOWED_TYPES: .bz2,.gz,.md,.pdf,.tgz,.txt,.zip,.tar.gz,.txt,application/gzip,application/x-gzip,application/x-gtar,application/x-tgz,application/x-compressed-tar,text/plain
MAX_SIZE: 30
MAX_FILES: 15
STORAGE_TYPE: minio
MINIO_ENDPOINT: 2df513adaee2eeae12106af900bed297.r2.cloudflarestorage.com:443
MINIO_BUCKET: gitea
MINIO_LOCATION: us-east-1
MINIO_USE_SSL: 'true'
MINIO_CHECKSUM_ALGORITHM: md5
actions:
ENABLED: 'true'
DEFAULT_ACTIONS_URL: github
STORAGE_TYPE: minio
database:
DB_TYPE: postgres
HOST: default-cluster-primary.postgres.svc
NAME: forgejo
USER: forgejo
SSL_MODE: require
log_sql: "false"
metrics:
ENABLED: true
postgresql:
enabled: false
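Review bot: The `metrics` config section sets `ENABLED: true` with no `TOKEN` visible, and the `forgejo-credentials` secret added in this commit carries only `database`, `attachment` and `storage` sections, so `/metrics` is likely readable without authentication through the `/` prefix ingress on `code.icb4dc0.de` unless a token is supplied elsewhere. Setting a metrics token through the secret and configuring the ServiceMonitor to send it would close that. `ENABLE_PPROF: 'true'` should either carry a comment on why profiling is on in production or be switched off. `ALLOWED_TYPES` lists `.txt` twice under both `repository.release` and `attachment`.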


@ -0,0 +1,30 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: forgejo
commonLabels:
app.kubernetes.io/instance: icb4dc0de
app.kubernetes.io/managed-by: kustomize
images:
- name: act_runner
newName: docker.io/gitea/act_runner
newTag: 0.2.6-dind-rootless
resources:
- resources/runners/act-runner.yaml
helmCharts:
- name: forgejo
repo: oci://codeberg.org/forgejo-contrib
releaseName: forgejo
namespace: forgejo
version: "0.13.0"
valuesFile: config/values.forgejo.yaml
skipTests: true
apiVersions:
- "networking.k8s.io/v1/Ingress"
generators:
- ./secret-generator.yaml


@ -0,0 +1,37 @@
apiVersion: v1
kind: Secret
metadata:
name: forgejo-admin-credentials
type: Opaque
stringData:
password: ENC[AES256_GCM,data:c7XwM+a8OHXU7yovRfvX,iv:LX/dP8QxQoRus/MGijpXO0t0PjFeAtB6iTBa2OlIceg=,tag:RJuxiISXnMQdkt44avhL3w==,type:str]
username: ENC[AES256_GCM,data:tkl0o85yyf41vPc=,iv:1zdcy3qhMmpFLP8BsNHJ+YBRbtDBWt8xtxSvNAuBMiM=,tag:1Cui9dcneiyAZb8y7zFWCA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age18e0w4jn03n66qwg8h3rjstz7g5zx2vhvz28aterkfkfetrxtpuysftp6we
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0N2dUTE8rVVF4SVV0Z2Q5
aGZRdkI0QVc3N1BJRnN4dVpWRkxKa3Q1MkNBCmI3V1JiSzhEdk4rYzNNUFp0YklV
Y2dCSERmRXNMZGdldUg2emdrdGs0L0kKLS0tIFo1R3F1RFpoQXJ1WXdYMGErSGIv
UjBUODZudEVLOHJrbFBRNVJlYXVrb2cKwC13RKJZkF3bFA9AlXARfr03T0cKaCOR
RvtRKKHoS1iW095l1l2T+aSoPiAi1BdYBLuaH7fl6RhFW8q6veR64Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age1yssdnqk90tn6zzggmwt70krndw04yfk9hwzdac3wsgfxmttngd7q89qzjr
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBc3JJbVJPVUl4ZklaT2FU
RjBUb3NmTEVBTldEd2Q2Q0sxVjcxS1ViSkNzCnloUjB3ZVBmVmJDTmJpQ1JsbHdZ
cnpHU2VSTmFETHIyR0oxbUM3ei8wbGcKLS0tIFp6TUJHTzJpQzMydlo3YVoxQVBW
RldtRnI1YnBMTGt0SVN3OGt3empNRG8K72vZ0rxA2jUsqiqoWoYZyTWDwcJl+lhV
SVvbq6wtz5tMqsPY3zFyfehaLqRR21ADZhbJgWMNvUcqpJ1YJCznhA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-10-26T20:22:36Z"
mac: ENC[AES256_GCM,data:IBwGNRBOlZwXyL/m4NuwbQzh+Pdaitr7JBmJam1hrbGx//yFyrlcthLnCpxHRvxJ6+y05NZdzvSDiUILQeQGZ9kR7wjWxypBRV6tJw1k9kZ5tEiz/MMPLyXvTVr7jcv1lXV70qRzT/ZodMSwWyQz9t0rQchTdyUxA7wOxg6wqfE=,iv:U0hOm2Htxxi6ZZYLHPkgizaGHbPwi0ZMuUwyOmf15fs=,tag:RijQRWYqiEcprayxpVH91w==,type:str]
pgp: []
unencrypted_regex: ^(apiVersion|metadata|kind|type)$
version: 3.8.1


@ -0,0 +1,38 @@
apiVersion: v1
kind: Secret
metadata:
name: forgejo-credentials
type: Opaque
stringData:
database: ENC[AES256_GCM,data:kTQSEpMRi0ze+d0nsYerRFfhlS8VzZ7stF6AaXCKg4c=,iv:ZK+l+N2LTmXiJ7eHbNpgq5cQ2geXJJVUwcnhqSvJaTk=,tag:zfK4sXZVg89aXNco2zVYkw==,type:str]
attachment: ENC[AES256_GCM,data:1yXF5ynIGQ8gv6F9SkehA+xnwlI0b1BuZAaSpmymNF/nm01rM5St0G2HBRAQp9i9HeJuRL3DitywAXqVyT1Usx5PFZrK3DnN1NoCCKFEOq5E3JFDQcVrisWtqab562y4ucR5GlynZHG+mjWEExTldnCoQc03KM8m/JsHI4Z5lV23/p+yrSMu/GpxERsu,iv:Llsh9nftLztMX5+3HML0u3hnaKoFKADR0Lj8WCDtsaU=,tag:yH65vLuB+/jUL+Rvaxt6CA==,type:str]
storage: ENC[AES256_GCM,data:6RyQ4kXlBexGZbHd8/RO7TdZ6jv+I9LC7rqHfZo9949G4FWDS47PdAtMWWV9IG/k2RziB//aBe8E7C5uvFWIpSQF7p4gxNTmdSzRq4/e1HrSdOKZ2+GdDPAzD7PWo7L7GhDN5iuAlUKAVsl/DFJWUkH6vFWPmVf3nJ/sW5MRjpjgzWuAzQAgdJttCxEi,iv:Xoy0TJ4QSoyY/b+EWkFEnx3OlBQSXNLJQL3nwTOv6Tg=,tag:7E2AMs7IkdZkN99cb7gAAg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age18e0w4jn03n66qwg8h3rjstz7g5zx2vhvz28aterkfkfetrxtpuysftp6we
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAxM0lPdlVhQWp0ZlNtdnZn
QWREaDF0NGtkVmx4UHhhNXJEbW55SHdtcWlnCisxcFRzR3BzUXk1L05DYXgxRHpU
Q2QwbzlLVzdiS2Q4RlpBUnlLTmptbnMKLS0tIGx2OTFiUlRmZkNyRzFVbEhqVFQ0
c3NZQkYvbzFDM2hjcmVvbHJ6S3dLUkUK/ye/CGkeP+fyAR4SWzxvHYXfQUv1Trit
mW0DaG99PWGF3PuxjPRAVm/nZw7dRNtQkrqx88lSdObkMSq2pMwarw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1yssdnqk90tn6zzggmwt70krndw04yfk9hwzdac3wsgfxmttngd7q89qzjr
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlb2E3eGpqTFB1VExiNXNm
VXpRbjc1RmllaU1LSFdRZnpvWnZoWmR4RDJjCkJIRmdieXNzRGIzNnhuclg3LzRh
QU9tRnFzY0JHQWFvNWM3UEI2YmliRW8KLS0tIHNNemVzdmNrektDK0V0MHVSYjl3
bHk2WG41aDdPeWVJR0NjRWZOVnVMS2cKLZZt2VNc5XdqW9Cknr2Re7pW2+s5CSYj
hQyzCSAPp8hN9mietVqzX3eyFf9ngYJ96TjvBd+2dduxchxAEoi4tQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-11-07T21:04:47Z"
mac: ENC[AES256_GCM,data:+9JzeBV2UT8O+d98Pvmx4+IujahWvuIIQijjW/JYaE6vbNfzcp21L+3jtU4JZb5Yj3KTySLvlaMvHKDxER/xHsIbYKUF0MMm90eJnccxiiJ7YhPKMkHmRhGbNEP60COv01O1bba4RrAqFdS0velAo74PmYFZO0gAX5T0080+4KQ=,iv:9J6QCO1J4scRCQklRtc62rcNSaVxsKfgqHpjsITruZM=,tag:jlUKMcYvSWmG7KpUOhNN5A==,type:str]
pgp: []
unencrypted_regex: ^(apiVersion|metadata|kind|type)$
version: 3.8.1


@ -0,0 +1,65 @@
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: act-runner-arm64
spec:
selector:
matchLabels:
app.kubernetes.io/name: act-runner
serviceName: act-runner
replicas: 2
template:
metadata:
labels:
app.kubernetes.io/name: act-runner
spec:
restartPolicy: Always
initContainers:
- name: runner-registration
image: docker.io/alpine:3.18
command:
- /bin/ash
- -c
- "cp /etc/act/`hostname` /data/.runner"
volumeMounts:
- name: runner-data
mountPath: /data
- name: runner-registrations
mountPath: /etc/act
containers:
- name: runner
image: act_runner
imagePullPolicy: Always
# command: ["sh", "-c", "while ! nc -z localhost 2376 </dev/null; do echo 'waiting for docker daemon...'; sleep 5; done; /sbin/tini -- /opt/act/run.sh"]
workingDir: /data
env:
- name: DOCKER_HOST
value: tcp://localhost:2376
- name: DOCKER_CERT_PATH
value: /certs/client
- name: DOCKER_TLS_VERIFY
value: "1"
volumeMounts:
- name: runner-data
mountPath: /data
securityContext:
privileged: true
securityContext:
fsGroup: 1000
affinity:
nodeAffinity:
requiredDuringSchedulingIgnoredDuringExecution:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/arch
operator: In
values:
- arm64
volumes:
- name: runner-data
emptyDir:
sizeLimit: 500Mi
- name: runner-registrations
secret:
secretName: runner-registrations
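Review bot: The `runner` container is `privileged: true` and executes workflow code coming from the forge, yet nothing in this manifest confines the pods to dedicated nodes beyond the `arm64` architecture match, so a job shares a kernel with whatever else is scheduled there. A taint and toleration for a runner-only node pool, plus a comment explaining why the `dind-rootless` image still needs full privilege, would make the exposure explicit. `DOCKER_HOST` points at `tcp://localhost:2376` while no Docker daemon container is defined in the pod and the wait-for-daemon `command` is commented out; presumably the image entrypoint starts the daemon, and a comment should say so. Neither container sets `resources`, and `docker.io/alpine:3.18` is referenced by a mutable tag rather than a digest.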


@ -0,0 +1,37 @@
apiVersion: v1
kind: Secret
metadata:
name: runner-registrations
type: Opaque
stringData:
act-runner-arm64-0: ENC[AES256_GCM,data:uyrvGXYwuPExUSQp4WbMkpDuAo6XHMCGGcIbrUF2eGmM8xartGtKQ4QTuFJebQOkKv1fg/BELhbPGWa6S8+k7HKLWiiQFxNnwJam8cGFKoZZWubCAV+iRa7NdotiaZ7scGZW8PiCzejQZOC0L1QhGCDMEBFJ6ZkowBhtpWddIMsGrWmC1gyL5zWV6/wrmF5oJucdWyP7wJDsyOXoc9DyfVL1IfrVESleQRe8FXP/O+UQXV5zNzEP58tXKTjdhsHCaPDDX0sDT4mP3QkM2r5IqKs1GDer/UBTW0PNfsp7Y7dlhlzHAqqhNb+/OtOa+mrScBNXMwrL02cDnLE92rSrzNM76+nnBxBln/c2/4h8DvGO4l/Is6VryaeIwghWFUOKsgNP8OmhvKqpZ/+3q9YxRBL65KyErun6hOhs+3V7y2WqzevN8H2ETDOIF87ybPriaoPs1NeLRGwVZDlx4FlvAH6pz0lhsicxc2T2kAM5yMSFtePlbz2w1TT1NEN6YZF1eugXmYOBAva9JJ4yqbpOE3b2JuT38Lok81CtPM46yJreyQglVgOPvhMNaWxo50f/APlVt0q8J5JfbFQ/WKNeh+niLoJlYiKb1doY1s+tWlVav2qRDqtKaKMRiRi29339plLQtmFMgZmEIgREDiC2ZdvYTRu9QKNZT0AbFvZwttMJI1/Q7zXoESZn/zaWofxSlMsi,iv:xfY7wW8iEudBtLJBnTgfThZWFAg6yTPRq7adLQvVE9c=,tag:XAt1qSBhaXqS6ZGbmZS2qQ==,type:str]
act-runner-arm64-1: ENC[AES256_GCM,data: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,iv:XRzrky6m/qcfa2YtxJHLbMO/yguNCc8qKGyUDyky8pc=,tag:/crdE1RWYfoCXK2ZcNQhXQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age18e0w4jn03n66qwg8h3rjstz7g5zx2vhvz28aterkfkfetrxtpuysftp6we
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1eUJYZGNhZ1ZocjBkZkdF
S1JGaFJXd0ErSWtySVcySy93bElLUjNTa1Q4Cko3UmR2bXo4L2RMaWJZQ1B4WTFW
QWhOWS9GVnVIa3hyTk1UNG5wVnVpOEEKLS0tIDM4cEZsZjVLR0dtQ1FkRnNPaVV5
ejUrMVRLMGROWjFrWUZpd1E5SmtDSzAKAbzU1DcQ6l7mSTLKTxzNFx0y9tMxw+dF
KFNKs/3YWpns07tomAdnDeKhXj6EvDsuxhz+wNg6b6/6wAISoYZI3g==
-----END AGE ENCRYPTED FILE-----
- recipient: age1yssdnqk90tn6zzggmwt70krndw04yfk9hwzdac3wsgfxmttngd7q89qzjr
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSByVExLZElOS29RQmRySnlV
blZ1SFZ5R1NoSlUxZ0JJOVkrL0xLaktraHlvCnQ5dlE0cEVpeW93K1BheWNDcUx1
b0lIVTNVaWxoZWhzTUlBQ0YwTDhxdHcKLS0tIFBGVEoyM21tM3BaVlZsNzBNaDgr
VnExSnBIcEVCRVNjeFdDbGZNbURLUEkKTZLpcYtYWKgHWISrxkvVeU+x56QHf0lF
xxG8xPUiesGm/MBidk19TblX14oWy+VYA65KQrHBtgBIJUmohnNLvw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-11-14T20:55:58Z"
mac: ENC[AES256_GCM,data:wFTn/1rdxGqz8pbckijAGIwwD5o443HpkbiPD0bB4+Dhs3CHz34PL/7cXFZ/hVG8x/0Ux3dmxXAKKm7AC4ozpReToByv3vNtJFqwDwmY6UVXMKviv/dCPCyBRRO0FFhe3g6Or9JYv2kNuAnEBJaza9oqH22Obk7QHYjMzeFNWQA=,iv:PrVAkT9ST9KpibVx82IcV+wvJSPOZZr8IKsKGS86qr8=,tag:ERpvyi7CFmcBXqr0sVmuMQ==,type:str]
pgp: []
unencrypted_regex: ^(apiVersion|metadata|kind|type)$
version: 3.8.1


@ -0,0 +1,36 @@
apiVersion: v1
kind: Secret
metadata:
name: act-runner-token
type: Opaque
stringData:
token: ENC[AES256_GCM,data:txVfWXQqYudWB5vf/mls1oyufsWxs6vzAuLyUvOXASEjiQPn6XaTHw==,iv:UR4R9pXkdmcqHOtq/mLUAbaX5s2C1XWreAp0gP61BqY=,tag:RqGydSex2VlrI/dW+kcENw==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age18e0w4jn03n66qwg8h3rjstz7g5zx2vhvz28aterkfkfetrxtpuysftp6we
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBUYjJJaGVqY09DMUxRc2pM
MUpyYkdqdGpCUDhQcytVb0dXUmpjWllnQlFzCiswaW5sRWQ2bW5uak1ISW5MVzk0
UVkwYnV3OWtyQjdkUVRmNnVLMlFTR2cKLS0tIDBSZlFsZTBBS2RCdDd5aEx2aCs3
djJaZXIzR1RZMXZDMENUUGlrODZseHcKGxgdz827T+TTAAjSKOy3qYwtbz4kHqOF
Al3ul28B091tuvdaE8qGTaRtQnK0BnumsN+YDcMI1JBLdENbAZ7/1A==
-----END AGE ENCRYPTED FILE-----
- recipient: age1yssdnqk90tn6zzggmwt70krndw04yfk9hwzdac3wsgfxmttngd7q89qzjr
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBMUmt0bG5UenVtem5YYktU
Qzc4QkJmK2l1R1A3TnV5ZS8yMlZ3QWdzeGhRCjZZdE5vWmFoMmFEelJSbTViMGZ0
THRpS0IydHMzWnRLUWVpNVM5SzVTRmsKLS0tIFFHZVhsUys4V1I1N0JseE4vZVVm
S2tKd0NqWWQrWHhUaXBxclJQOHZVWm8KyKDRWNsF87V+U/9ygJ1Vd+LXGl/cvqQy
7/C3NQkvbi7QCtuya7xo3zDjNgpl9nIaH3iOEkKee4Ae+Rbay2UqRg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-11-08T20:48:38Z"
mac: ENC[AES256_GCM,data:osWt9+lgJzAjMdRDcAKFlePuWaqCpCYZCg+WoUsBfgPDH4e26JV+hzEh/XkJQumgCS957Fu/xQD3JE+umv+prqXpUNBhPabDee4azwjgLEeePY03ydxN1QHz+2w7apzKB/juAnZ1UwToFZYSP3WdqJeqT7UMkmYh3/DvyvddbuQ=,iv:XwGxZj1dZbgBuF36BTaZk1ltKAXo+Kp0v8JK3QyS0/w=,tag:LSde/unaOkmUHZzWnFQpuQ==,type:str]
pgp: []
unencrypted_regex: ^(apiVersion|metadata|kind|type)$
version: 3.8.1


@ -0,0 +1,13 @@
apiVersion: viaduct.ai/v1
kind: ksops
metadata:
# Specify a name
name: hedgedoc-config-secret-generator
annotations:
config.kubernetes.io/function: |
exec:
path: ksops
files:
- ./resources/credentials.enc.yaml
- ./resources/admin-credentials.enc.yaml
- ./resources/runners/runner-registrations.enc.yaml
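Review bot: `metadata.name` is `hedgedoc-config-secret-generator` although the listed files are the Forgejo credentials and runner registrations, which looks copied from another stack; a name such as `forgejo-secrets-generator` would match `drone-secrets-generator`. The `files` list has three entries, while this commit also adds an encrypted Secret named `act-runner-token` that does not appear to be among them; if it is unused, removing it avoids keeping a live registration token in the repository. The `# Specify a name` template comment can go.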

1
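--- a/ghostcms/.gitignore
+++ b/ghostcms/.gitignore
@@ -0,0 +1 @@
+charts/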


@ -0,0 +1,33 @@
imageRepository: code.icb4dc0.de/prskr/infrastructure/keydb
imageTag: v6.3.3
nodes: 3
podDisruptionBudget:
enabled: true
persistentVolume:
enabled: false
resources:
requests:
cpu: 50m
memory: 100Mi
limits:
cpu: 250m
memory: 256Mi
exporter:
enabled: true
imageTag: v1.51.0
resources:
requests:
cpu: 50m
memory: 50Mi
limits:
cpu: 150m
memory: 100Mi
serviceMonitor:
enabled: true
labels:
prometheus: default


@ -0,0 +1,32 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: ghostcms
images:
- name: ghostcms
newName: docker.io/ghost
newTag: 5.71.0-alpine
commonLabels:
app.kubernetes.io/instance: icb4dc0de
app.kubernetes.io/managed-by: kustomize
resources:
- resources/namespace.yaml
- resources/db.yaml
- resources/pvc.yaml
- resources/deployment.yaml
- resources/service.yaml
- resources/ingress.yaml
generators:
- ./secret-generator.yaml
helmCharts:
- name: keydb
repo: https://enapter.github.io/charts/
releaseName: ghostcms-keydb
namespace: ghostcms
version: "0.48.0"
valuesFile: config/values.keydb.yaml


@ -0,0 +1,41 @@
apiVersion: v1
kind: Secret
metadata:
name: ghostcms-secret-config
type: Opaque
stringData:
database__client: ENC[AES256_GCM,data:sr6EfhI=,iv:pOo9u6/twN/F7O9B2TDoB5Zs5FC60vyLYtvJVDMUtV0=,tag:v2CLpeiV5CVzLK7pKAFbKA==,type:str]
database__connection__host: ENC[AES256_GCM,data:f8eQyV/1OvXQdHs/DtW6q1NbHqLIqbMi,iv:F0ChUjxJunyuKG2hKwHjylaHTDLA9SgMNMMX93aHo7c=,tag:4DcCiD1JRSqPd/KQSsyHsg==,type:str]
database__connection__user: ENC[AES256_GCM,data:zq6qSDV2N18=,iv:Pdt16Av6sw6iAEBPDu6W06AFsgBq7wkhTaxkyQahhac=,tag:RJesMhyVRK5VFFsJQsWeoA==,type:str]
database__connection__password: ENC[AES256_GCM,data:irsrzl+G4+HHosntR8/Y6BEuHmi5WAJEsZf+jwzlsbo=,iv:29BoRix+4CpMIjcFKFFDXTxEaQjHwERUTvxWwUgkLas=,tag:WoB18ym4MxO20oAnqxP5GQ==,type:str]
database__connection__database: ENC[AES256_GCM,data:+tiIhcFt06I=,iv:kwX/n8+4LW5eKmST3wxhdvPcmZoxtEh6zJ+spbvccPM=,tag:ZlwXxLRfZ6XpGE3hRga/2g==,type:str]
url: ENC[AES256_GCM,data:iNCEULqcDoiGhvAA1y80mbL0+lOzCxo=,iv:lw+5Sk1tRPJFOqIKH1MaQn7RvG02Hg0kmLTIT7JSeNE=,tag:vGNQVyRrnu1kBLYNEdNIzA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age18e0w4jn03n66qwg8h3rjstz7g5zx2vhvz28aterkfkfetrxtpuysftp6we
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiRkFMcWRyNE9tMU5NVkVs
UmNsSFVDN3k4SDJxK2tva1Rza2xuR2ExcUhVCndua28xNUZBaVlGeTJ0TG0xMlpo
cTB5ZTBkMzZ4NW03T1ZacmVGRnZMUXMKLS0tIEYyVGdMZlVCTHREdnBOR3h3NU4x
UzBWYXdMS3RadXpEQmN6cVBBUUpHWkUKugUfHbVc5+0597P5r8k8bAIcXHx2BfFe
DVdOoxLasWTXvz1GWTFuzvin3Z42GB9zCnjfzkEnwXbATwQy26MhaQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1yssdnqk90tn6zzggmwt70krndw04yfk9hwzdac3wsgfxmttngd7q89qzjr
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBndE9JcHB5NWtBRDZLYTQ4
QXhJRG93bEtXYUlmRWhKWC93Mng2YUtDN2ljCmE3RklOdTN2dE42Q0RSc0djSXpX
UzBkdXRPVHJ2YUFDR0REeSt5YS9NNEUKLS0tIGJGR0pBWUp3Vm5tMVNneUtaQ1NB
UnE2NTVSSUp1OEVFVDd5bHJYOEZpaVkKqmw9GLZavqaPQOJjGhLqXo4ggfmFDgXz
C9HNxeDVr2kY452gleVS/YFTPWo0QPevl0SjpZg2gvnz28qLDSNXYQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-11-02T19:37:36Z"
mac: ENC[AES256_GCM,data:W1Q9cRmdgxtpREVPzbI9kF3wEFFkF9vWTek8n6sNEDyYd2sew9FQ0gaqoA2bSKro8ff4iLBpwChQIhM7AZbiw5CP0OjUZMWbcjw8YeJEwowIZ+jp3D4qrMuAfjdqhoAJf2G75RyWsChsRG2fPyQ0rVU0sPJf3haiA0MziZi97xM=,iv:yghPQbr5/CLZIeltIGPXYozs08KdcmypSOTO+OrZiHk=,tag:nIh+ntR5wcLJm2AihwhQ9A==,type:str]
pgp: []
unencrypted_regex: ^(apiVersion|metadata|kind|type)$
version: 3.8.1


@ -0,0 +1,37 @@
apiVersion: v1
kind: Secret
metadata:
name: ghostcms-db-creds
type: Opaque
stringData:
root-password: ENC[AES256_GCM,data:tCCuYiHneNQMbWk9JYBOQT0fq+M3yjSJpg5MeMVl7Bw=,iv:EAX8seGBIUtaG2/S5SDUKYBkY57g4UKJdMFjCTBBZIs=,tag:giYe8hiyk8dSbcNT9fHJhQ==,type:str]
password: ENC[AES256_GCM,data:ae7q5C9RyPZJEpMSYc11Rdx0fgyxZSdW0QPrrhd4EXU=,iv:PZd/tVfoh3xetvov/BVdRPeev2MKRG+6uVLmi1YkHRA=,tag:H2fe2T0TWLV93yhcNheYhg==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age18e0w4jn03n66qwg8h3rjstz7g5zx2vhvz28aterkfkfetrxtpuysftp6we
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFREpwa1VjOHZOa1Rmc3M3
R001d0cxZjNYMUNLeGdxODlmMWI2bVVJd0RBCmxuOVl2cGg1dHpHU2tSMDJGSVpQ
TU5udWpEdjZZQVR5RnE3djFxZWcyRHMKLS0tICtCK1k5V0JTVy9PamViL3BtYTZk
WEo0RU5seTZvR2E2ZnhwdTNwUGF4K00KHItzwS/FL1N3iB5880SqBCAzogk2mvJo
frkb2ysHPA3e6mC/iYEJwENYTjHqi4tfkwYQmYErAFnNeD28690q1w==
-----END AGE ENCRYPTED FILE-----
- recipient: age1yssdnqk90tn6zzggmwt70krndw04yfk9hwzdac3wsgfxmttngd7q89qzjr
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhaHJPb1FORk5NL2Q3Y2Fx
S3FzQjBmUmNTdVRiYkJqOE94THB6Q0ZwU3pzCmtLT0ZsZ2NEQVVVSy9IMFEyTnNN
QUVCQ1IxQjYvVGV5U1lHcUJveHk5ZU0KLS0tIFo5eWZIUzFma3BYWnlaZ08xVFkv
Y2YwMThRcUlTSVJmSDArbzdudGs3a1UKqfdWZlKDD3qsYAAKYts51XS41a52O5w1
Rivz1sRaMg7deBAMcERU9ACH7NmatWSTvehkKBWpGdkQuiGIcMCEBA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-10-31T14:40:10Z"
mac: ENC[AES256_GCM,data:mK71CK+Cp/BbobMrCr5nHpb/bdXQLFB1mxhq1vzw8FZqGQzvYQ2X5pQFeJe8Z3jOYBaR+EUIETdWnBqp7kpaci0QLYw7DnrANpAPmQxczyvITh2m1RNgkHiQxkzF7ywmmdQjr8jrm79p7viy488HLgyrCuiB5zcSW6Cu1D3RT+Y=,iv:Hsafop14fyk3cKpI9TJKHwBjVDR7v92vcHB72Qf14Nw=,tag:eM2QkUKJVN9h27ccw3Zt1w==,type:str]
pgp: []
unencrypted_regex: ^(apiVersion|metadata|kind|type)$
version: 3.8.1


@ -0,0 +1,51 @@
---
apiVersion: mariadb.mmontes.io/v1alpha1
kind: MariaDB
metadata:
name: ghostcms-db
spec:
rootPasswordSecretKeyRef:
name: ghostcms-db-creds
key: root-password
image: mariadb:11.1.2
port: 3306
database: ghostcms
username: ghostcms
passwordSecretKeyRef:
name: ghostcms-db-creds
key: password
volumeClaimTemplate:
storageClassName: hcloud-volumes
resources:
requests:
storage: 10Gi
accessModes:
- ReadWriteOnce
securityContext:
allowPrivilegeEscalation: false
livenessProbe:
exec:
command:
- bash
- -c
- mariadb -u root -p"${MARIADB_ROOT_PASSWORD}" -e "SELECT 1;"
initialDelaySeconds: 20
periodSeconds: 10
timeoutSeconds: 5
readinessProbe:
exec:
command:
- bash
- -c
- mariadb -u root -p"${MARIADB_ROOT_PASSWORD}" -e "SELECT 1;"
initialDelaySeconds: 20
periodSeconds: 10
timeoutSeconds: 5
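Review bot: Both probes run `mariadb -u root -p"${MARIADB_ROOT_PASSWORD}"`, which places the root password on the client's command line every ten seconds, where it can show up in the container's process list, and uses the root account for a health check. Passing the password through the `MYSQL_PWD` environment variable or a client option file, ideally with a dedicated low-privilege health-check user, avoids both. `image: mariadb:11.1.2` has no registry prefix, unlike the `docker.io/…` references elsewhere in this commit.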


@ -0,0 +1,69 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: ghostcms
spec:
strategy:
type: Recreate
selector:
matchLabels:
app.kubernetes.io/name: ghostcms
template:
metadata:
labels:
app.kubernetes.io/name: ghostcms
spec:
initContainers:
- name: plugins
image: ghostcms
imagePullPolicy: Always
command:
- /bin/ash
- -c
- '-'
args:
- |
if [ ! -d "/var/lib/ghost/content/adapters/storage/s3" ]; then
npm install --prefix /tmp ghos3
mkdir -p /var/lib/ghost/content/adapters/storage/s3
cp -r /tmp/node_modules/ghos3/* /var/lib/ghost/content/adapters/storage/s3
fi
volumeMounts:
- name: ghost-content
mountPath: /var/lib/ghost/content
containers:
- name: ghostcms
image: ghostcms
imagePullPolicy: Always
envFrom:
- secretRef:
name: ghostcms-secret-config
ports:
- containerPort: 2368
env:
- name: NODE_ENV
value: production
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: false
capabilities:
drop:
- ALL
privileged: false
resources:
limits:
memory: "384Mi"
cpu: "100m"
volumeMounts:
- name: ghost-content
mountPath: /var/lib/ghost/content
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsUser: 1000
runAsNonRoot: true
volumes:
- name: ghost-content
persistentVolumeClaim:
claimName: ghost-content
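Review bot: The `plugins` init container runs `npm install --prefix /tmp ghos3` with no version, so whatever the registry serves at first start is copied onto the persistent volume and later loaded by Ghost as its storage adapter, with any install scripts executed along the way. Pinning the package and disabling lifecycle scripts narrows that, `npm install --prefix /tmp --ignore-scripts ghos3@<pinned-version>`, and building the adapter into the image would remove the runtime download entirely. Because the directory check skips the install once the `storage/s3` directory exists, the copy on the volume is never updated afterwards. The init container also has no container-level `securityContext`, unlike the `ghostcms` container below it.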


@ -0,0 +1,23 @@
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: ghostcms
annotations:
gethomepage.dev/description: GhostCMS blog
gethomepage.dev/enabled: "true"
gethomepage.dev/group: Apps
gethomepage.dev/icon: ghost.png
gethomepage.dev/name: GhostCMS
spec:
rules:
- host: blog.icb4dc0.de
http:
paths:
- pathType: Prefix
path: /
backend:
service:
name: ghostcms
port:
number: 2368
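Review bot: This Ingress has no `spec.tls` section and no annotation that forces HTTPS, and the same holds for the `hedgedoc`, `homepage` and `nocodb` Ingresses later in the commit. Whether plain HTTP is refused or redirected therefore depends entirely on ingress-controller defaults that are not part of this change, while HedgeDoc's config already assumes TLS (`CMD_PROTOCOL_USESSL=true`, HSTS). If the controller does not enforce it globally, add a `tls:` entry with `hosts: [blog.icb4dc0.de]` and a certificate secret, or at least a comment naming where TLS and the redirect are configured.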


@ -0,0 +1,7 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: ghostcms
labels:
prometheus: default


@ -0,0 +1,13 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: ghost-content
spec:
storageClassName: hcloud-volumes
resources:
requests:
storage: 10Gi
volumeMode: Filesystem
accessModes:
- ReadWriteOnce


@ -0,0 +1,12 @@
---
apiVersion: v1
kind: Service
metadata:
name: ghostcms
spec:
selector:
app.kubernetes.io/name: ghostcms
ports:
- protocol: TCP
port: 2368
targetPort: 2368


@ -0,0 +1,12 @@
apiVersion: viaduct.ai/v1
kind: ksops
metadata:
# Specify a name
name: ghostcms-secret-generator
annotations:
config.kubernetes.io/function: |
exec:
path: ksops
files:
- ./resources/db-cred.enc.yaml
- ./resources/creds.enc.yaml

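--- a/hedgedoc/config/base.env
+++ b/hedgedoc/config/base.env
@@ -0,0 +1,38 @@
+CMD_DOMAIN=md.icb4dc0.de
+CMD_URL_ADDPORT=false
+CMD_PROTOCOL_USESSL=true
+CMD_USECDN=false
+CMD_SESSION_LIFE=1209600000
+CMD_HSTS_ENABLE=true
+CMD_HSTS_MAX_AGE=31536000
+CMD_HSTS_INCLUDE_SUBDOMAINS=false
+CMD_HSTS_PRELOAD=true
+CMD_CSP_ENABLE=true
+CMD_ALLOW_GRAVATAR=true
+CMD_RESPONSE_MAX_LAG=70
+CMD_ALLOW_FREEURL=false
+CMD_FORBIDDEN_NOTE_IDS=robots.txt,favicon.ico,api
+CMD_DEFAULT_PERMISSION=editable
+CMD_ALLOW_ANONYMOUS_EDITS=false
+CMD_ALLOW_ANONYMOUS_VIEWS=true
+CMD_ALLOW_PDF_EXPORT=true
+CMD_DEFAULT_USE_HARD_BREAK=true
+CMD_LINKIFY_HEADER_STYLE=keep-case
+CMD_AUTO_VERSION_CHECK=true
+CMD_ALLOW_EMAIL_REGISTER=true
+CMD_EMAIL=false
+CMD_OAUTH2_BASEURL=https://code.icb4dc0.de
+CMD_OAUTH2_USER_PROFILE_URL=https://code.icb4dc0.de/login/oauth/userinfo
+CMD_OAUTH2_AUTHORIZATION_URL=https://code.icb4dc0.de/login/oauth/authorize
+CMD_OAUTH2_TOKEN_URL=https://code.icb4dc0.de/login/oauth/access_token
+CMD_OAUTH2_PROVIDERNAME=Forgejo
+CMD_OAUTH2_SCOPE=openid profile email
+CMD_OAUTH2_USER_PROFILE_DISPLAY_NAME_ATTR=name
+CMD_OAUTH2_USER_PROFILE_EMAIL_ATTR=email
+CMD_OAUTH2_USER_PROFILE_USERNAME_ATTR=preferred_username
+CMD_IMAGE_UPLOAD_TYPE=minio
+CMD_S3_BUCKET=hedgedoc
+CMD_S3_PUBLIC_FILES=false
+CMD_MINIO_ENDPOINT=2df513adaee2eeae12106af900bed297.r2.cloudflarestorage.com
+CMD_MINIO_PORT=443
+CMD_MINIO_SECURE=true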
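Review bot: `CMD_ALLOW_EMAIL_REGISTER=true` is only inert because `CMD_EMAIL=false` sits on the next line; if local e-mail login is ever switched on, open self-registration comes with it. Since sign-in is meant to go through the Forgejo OAuth2 provider, set `CMD_ALLOW_EMAIL_REGISTER=false` so the two flags fail closed together. `CMD_HSTS_PRELOAD=true` combined with `CMD_HSTS_INCLUDE_SUBDOMAINS=false` is also inconsistent, because preload-list submission requires `includeSubDomains`; drop the preload flag or enable both deliberately. With `CMD_DEFAULT_PERMISSION=editable` and `CMD_ALLOW_ANONYMOUS_VIEWS=true`, new notes are readable by anyone and editable by every signed-in user unless the author changes that, which deserves a comment if intended.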


@ -0,0 +1,27 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: hedgedoc
images:
- name: hedgedoc
newName: quay.io/hedgedoc/hedgedoc
newTag: "1.9.9"
commonLabels:
app.kubernetes.io/instance: icb4dc0de
app.kubernetes.io/managed-by: kustomize
resources:
- "resources/namespace.yaml"
- "resources/deployment.yaml"
- "resources/service.yaml"
- "resources/ingress.yaml"
generators:
- ./secret-generator.yaml
secretGenerator:
- name: hedgedoc-base-config
envs:
- "config/base.env"


@ -0,0 +1,41 @@
apiVersion: v1
kind: Secret
metadata:
name: hedgedoc-secret-config
type: Opaque
stringData:
CMD_DB_URL: ENC[AES256_GCM,data:4nqueG0hIb5fPQbPJll+keWZVODpFxBUhVkeHTKJ2/J8Kpj8DMuU41HLQ1+iGFiUtEdv2LPvbgDOeXT4UR3zjDdGL96SpKbLQIKQlNjPWNfUXeHASkiIiMHh9Y7z3d/s2coopzk9ULTHs5XIMywCUoY8DX4=,iv:drx1hQdbsLbPSojSL79TFop1wni2KxNPJ+KwlOL9WQo=,tag:4JbriWueqRye/n3rnBpSkw==,type:str]
CMD_MINIO_ACCESS_KEY: ENC[AES256_GCM,data:VqudURssSgmCDVhCRjak2TDG10pwvCNfi0w9FlEh4SI=,iv:VGavO528JfqsUVyvWSAlWkMTXJAmLUablaGZ3VCEtq8=,tag:unvEa2k/9AzfVMEnhCDB1Q==,type:str]
CMD_MINIO_SECRET_KEY: ENC[AES256_GCM,data:/iQq6wnoH/WwEzApap6szpr7z+KZJ+twcuINgqtbHOMDXeVz9Yi7cjC0hGlqQHZTCO4jR5gp+OwdIkzRk0zDsw==,iv:1OHm8K3AA340q0xkNCF3RsPpcpKmUE5Yibu+IWIZ7+E=,tag:cB/pckdoEZQlzlRVWoYKmA==,type:str]
CMD_OAUTH2_CLIENT_ID: ENC[AES256_GCM,data:x1zEeQl4WM49dmbx9v159APlimVVmQX4uPUTa0Nwu7jazcD1,iv:eXSk8Js2OhKC6q1M2anzCdC30IqA9YIj7rxmzFRE4bo=,tag:zgutG/3INA7DxUY5PRJoIg==,type:str]
CMD_OAUTH2_CLIENT_SECRET: ENC[AES256_GCM,data:biyLVbyONbJK2V16Zz9/MVdpdqu3iTzsyBVx0iKK5MCyNfU1Y0lV9g88w44junGvvby/LWOAEGs=,iv:uSRtuu+bHpt8JOVfw5BpCXjqWW07x0jJ8Ja2pIcoQf4=,tag:He4d6BrE1V9OJbNH3hrPcQ==,type:str]
CMD_SESSION_SECRET: ENC[AES256_GCM,data:Nq6arL1aE69BeTRjx4pA90xZqcOtqOb3R/Zt98FyIVd+Uq53dWsqURG2M+IQpvl9MEpY8FpUNY0=,iv:JaOAe8YgNVnDBzV2x1TSqMJq36Qwqazk6cCkWwseBZc=,tag:FMKKOhow/w5HLwfNarQdjQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age18e0w4jn03n66qwg8h3rjstz7g5zx2vhvz28aterkfkfetrxtpuysftp6we
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5cHVKUm5Nby9hSjdOM3JY
UWs0UWdrNC9FOVd1b1VjK1BmYVdwZng4T2tvCnBhYVdNbGFwWnBPMkJiSk1pbHlv
aGJTRjdsb1JrSHpIMk5JWEZNOTBoc0kKLS0tIEZscSs4SFVIVG5NanlUQU1IM1hv
M1F2WE1taWZ2bG0reU1EYWw2K1pZK2cKSHxed4HgSf0vKNGBMuFaS99znRPphkoF
TgjkD7nI/nyvflV0Bs1lqMlWZJsyY9+HaLp38j95mAcXc224SSBMxw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1yssdnqk90tn6zzggmwt70krndw04yfk9hwzdac3wsgfxmttngd7q89qzjr
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtd3k2MzQ2aGx0NmwzYU95
QkVNVkJuQmdrOEUwM3FJNGFOZndxYWFTeVFZCmo3RnRQakxoelV6WmJHK3UyMnBZ
NTMvYkxqWHhYbjVBSkV5YjZlZTdndjQKLS0tICs5UlQwNHAvdW5oYXlqYTFFOEM5
ZXpzNmEzbXhtZDkySFM2L0VQTzZCdTQKh46uRnVtRzzdnnnuCJNwgQo8AeNKpc6B
WC91My4qyOtvM9J+FJC71DTovfmHrZw0YWbPwXqNRU6XBWHfC/MViA==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-11-08T19:19:28Z"
mac: ENC[AES256_GCM,data:mG1SOLX1AFuPuJ3v8o12ofU+rHD/Iwwp3xFfIoayHp+K/w8btnwZ1rrbzZLRwZfR2nnxF9Rn4UZ2d1v6B9z2Dlz/p4EDc2pDyyhgWFCoJgf1J3w7Gj7b1C9ukoGrxcQ0RaZjhhZrU0XjN5EyfTgxcl1e5UahOrHVUu5OMBukkKg=,iv:2M5gtUdMpsYmLZkuaWXoHGGKPM9pvXwEpqqRjhSN8yo=,tag:ORpppvL5KKXRVgIwAoTOCw==,type:str]
pgp: []
unencrypted_regex: ^(apiVersion|metadata|kind|type)$
version: 3.8.1


@ -0,0 +1,50 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: hedgedoc
spec:
selector:
matchLabels:
app.kubernetes.io/name: hedgedoc
template:
metadata:
labels:
app.kubernetes.io/name: hedgedoc
spec:
containers:
- name: hedgedoc
image: hedgedoc
envFrom:
- secretRef:
name: hedgedoc-base-config
- secretRef:
name: hedgedoc-secret-config
ports:
- containerPort: 3000
protocol: TCP
name: web
volumeMounts:
- name: upload-tmp
mountPath: /tmp
resources:
requests:
memory: "168Mi"
cpu: "50m"
limits:
memory: "256Mi"
cpu: "500m"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
securityContext:
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
volumes:
- name: upload-tmp
emptyDir:
sizeLimit: 500Mi
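Review bot: The pod spec leaves the default service-account token mounted although nothing in this Deployment talks to the Kubernetes API; the same applies to the `ghostcms` and `nocodb` Deployments in this commit. Add `automountServiceAccountToken: false` at pod level so a compromised web process has no API credential to read. The pod-level `securityContext` could also set `seccompProfile: { type: RuntimeDefault }` to go with the dropped capabilities and read-only root filesystem already configured here.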


@ -0,0 +1,23 @@
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: hedgedoc
annotations:
gethomepage.dev/description: Markdown scratch pad
gethomepage.dev/enabled: "true"
gethomepage.dev/group: Apps
gethomepage.dev/icon: https://md.icb4dc0.de/icons/android-chrome-192x192.png
gethomepage.dev/name: HedgeDoc
spec:
rules:
- host: md.icb4dc0.de
http:
paths:
- pathType: Prefix
path: /
backend:
service:
name: hedgedoc
port:
number: 3000


@ -0,0 +1,7 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: hedgedoc
labels:
prometheus: default


@ -0,0 +1,12 @@
---
apiVersion: v1
kind: Service
metadata:
name: hedgedoc
spec:
selector:
app.kubernetes.io/name: hedgedoc
ports:
- protocol: TCP
port: 3000
targetPort: 3000


@ -0,0 +1,11 @@
apiVersion: viaduct.ai/v1
kind: ksops
metadata:
# Specify a name
name: hedgedoc-config-secret-generator
annotations:
config.kubernetes.io/function: |
exec:
path: ksops
files:
- ./resources/config.enc.yaml


@ -0,0 +1,11 @@
OAUTH2_PROXY_PROVIDER=github
OAUTH2_PROXY_PROVIDER_DISPLAY_NAME=Forgejo
OAUTH2_PROXY_REDIRECT_URL=https://home.icb4dc0.de/oauth2/callback
OAUTH2_PROXY_LOGIN_URL=https://code.icb4dc0.de/login/oauth/authorize
OAUTH2_PROXY_REDEEM_URL=https://code.icb4dc0.de/login/oauth/access_token
OAUTH2_PROXY_VALIDATE_URL=https://code.icb4dc0.de/api/v1/user
OAUTH2_PROXY_REVERSE_PROXY=true
OAUTH2_PROXY_UPSTREAMS=http://127.0.0.1:3000
OAUTH2_PROXY_EMAIL_DOMAINS=*
OAUTH2_PROXY_HTTP_ADDRESS=0.0.0.0:3001
OAUTH2_PROXY_SKIP_PROVIDER_BUTTON=true
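Review bot: `OAUTH2_PROXY_EMAIL_DOMAINS=*` admits every account that can complete a login at code.icb4dc0.de, so access to the dashboard is only as tight as registration on that Forgejo instance. Nothing in this file narrows it further; either list the permitted domain(s) instead of `*` or point `OAUTH2_PROXY_AUTHENTICATED_EMAILS_FILE` at an allow-list. `OAUTH2_PROXY_REVERSE_PROXY=true` makes the proxy trust forwarded headers, which is safe only while the ingress controller is the sole client able to reach port 3001.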


@ -0,0 +1,34 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: homepage
images:
- name: homepage
newName: ghcr.io/gethomepage/homepage
newTag: "v0.7.4"
- name: oauth2-proxy
newName: quay.io/oauth2-proxy/oauth2-proxy
newTag: v7.5.1
commonLabels:
app.kubernetes.io/instance: icb4dc0de
app.kubernetes.io/managed-by: kustomize
resources:
- "resources/namespace.yaml"
- "resources/sa.yaml"
- "resources/sa_secret.yaml"
- "resources/cluster_role.yaml"
- "resources/cluster_role_binding.yaml"
- "resources/deployment.yaml"
- "resources/service.yaml"
- "resources/ingress.yaml"
generators:
- ./secret-generator.yaml
secretGenerator:
- name: oauth2-proxy-base-config
envs:
- "config/oauth2-proxy.env"


@ -0,0 +1,49 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: homepage
labels:
app.kubernetes.io/name: homepage
rules:
- apiGroups:
- ""
resources:
- namespaces
- pods
- nodes
verbs:
- get
- list
- apiGroups:
- extensions
- networking.k8s.io
resources:
- ingresses
verbs:
- get
- list
- apiGroups:
- traefik.containo.us
resources:
- ingressroutes
- ingressroutes/status
verbs:
- get
- list
- apiGroups:
- metrics.k8s.io
resources:
- nodes
- pods
verbs:
- get
- list
- apiGroups:
- apiextensions.k8s.io
resources:
- customresourcedefinitions
- customresourcedefinitions/status
verbs:
- get
- list


@ -0,0 +1,15 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: homepage
labels:
app.kubernetes.io/name: homepage
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: homepage
subjects:
- kind: ServiceAccount
name: homepage
namespace: default
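Review bot: The subject names the `homepage` ServiceAccount in namespace `default`, while the kustomization deploys everything into `homepage`. Unless kustomize rewrites the subject namespace during the build (behaviour differs between versions and is not shown here), the pod's own account gets no permissions, and the cluster-wide read role is instead granted to whichever ServiceAccount named `homepage` exists in `default`. Set `namespace: homepage` explicitly on the subject.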


@ -0,0 +1,43 @@
apiVersion: v1
kind: Secret
metadata:
name: homepage-config
type: Opaque
stringData:
bookmarks.yaml: ENC[AES256_GCM,data:EpNhM/Uaoo/zGpsbsrmLvNSSAplc1pUrOA1LP2wZY4zh3fgHc/f47e95j59Wa9YScGbEx3/+nzUbvQmW2i1zjV+9pLQRcBg6RsBWhRcwLlmcTA==,iv:5pxGhroFCqv1jaDQY0FZN1ReJ3H6HSrdaQFWzekKczU=,tag:ebhZM3Ux5SwbXupEA+qsHw==,type:str]
custom.css: ""
custom.js: ""
docker.yaml: ""
kubernetes.yaml: ENC[AES256_GCM,data:I+/V1rEWrQ5AH7mt8g==,iv:hMiXMxRKXLaJItecxULvDkzV0pdF1VwridsfgvG6pKU=,tag:9c9lLvSsHPqPZnBbWcm0/Q==,type:str]
services.yaml: ENC[AES256_GCM,data:3d8SWZ/mmKnAkaC3IHpsuz8pbB2+XA5dKb+skTbpnxOhJmEHpTVpzEPS7s7AdaPZbuHPSN2HMgURKF3/tgwNSje7a20W+ApUc1nNfqBnCldzz14gVJp9X4JVtY/9COc3lmSBgkFoQTv/HmLlxtIps3eYfUU2lfabZiMMYWKKvJ9kpIDamsQCwmwP2w/scf5bUXs7xmmq7tLZHuEY4R3e1cuZrlukF3ZhIyIugCb6G7J8zAPZxMnaQ+shewLaRijcPqk+Oj8GgucPnr8IGLC83QXpbbE5XhSCYNNSWYDXyDukuBoulQuzJTR3UfmmdiqKCT+U2m06p+JeEnXOtOe0ovjMc/cb2e9UruBp4NqMBKw0ZaXKJBb4dRkDgBr8KZm5iHFFqO9b6aVDQR8g/CB4dMJ+2F6uXf2nGdEoMTW9x3Jdzgssvu1E8GIGA69l5CaDfY02n1s9pJQnSewK5oft2f9VKKbXVZ+C3Hbvfo/hLi6hGQCuwLYABPYfSlTXbc4w1mNHjMH79axO0lQfra3RPHdl9zfLc8yvaAMn4JGSb4m4yk/85ymX46QHrQL7OWoM8zpiknCrbRmty9hSRQ0j2IoKXBeZf/xuzhukZqJbJztfOs7RrALZg33z/U/xmGnNdTKVpBf3gF6Oltvt1alzfnWSjpBUAgpVtpUdXPtqm7EiCCwDbk7qWGm/hJpY9gfl+GLRZ5iieUroycGahqFMJV3u20/DD8vAjf1H30a1uenDfmiEqdqRCUFndsY/hWAMik+dZKu1RBrWNp1v/CJqxJ8=,iv:KBXZ45bV9tosXm8isbs+twA9ghQ5T++6NUOt+zzaC/4=,tag:19ivPWPlJP8kI2qeRUVvqw==,type:str]
settings.yaml: ENC[AES256_GCM,data:yvYu7VrWPeDZWEeiLCx7ow76HRgmEWVAfczOkZFlpc1Yrq5ASISiXhk=,iv:2s0Kz25YMh7yZ6CotJhFdLEiAbvEFYNzp3ghksbWm28=,tag:q1bl1+s24KGgj8N7cpEjVw==,type:str]
widgets.yaml: ENC[AES256_GCM,data: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,iv:hUKLr3J6G660sUJbHx7y40q4sU2Zve64KAHdVxe8nGg=,tag:dIRk9SulLYfE0Th3eX12xA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age18e0w4jn03n66qwg8h3rjstz7g5zx2vhvz28aterkfkfetrxtpuysftp6we
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBIQVVaUUl4NjV6RkdpTzh3
WEZIR3hScC9RaDlHMnJscjdWN1RZMXVmSEhNCnZsUGtuOGV6MWVadHdZcGpjOU9j
UDNPNW1WRXdWT0Z3SndDeWkxWEQ5SkUKLS0tIEsrSXZyTHI5dmt2dktsZDFrTm92
VTVlZTNqUFR3eXNBVW1DMVVLSzZJSkUKPy0xO7yQuuy+fzngITe71drKxsRvZUoI
je3yUDNG0oNk/vVLityGc0p+4K0YBTCwQbNReEtG3gaNytcM75zcGw==
-----END AGE ENCRYPTED FILE-----
- recipient: age1yssdnqk90tn6zzggmwt70krndw04yfk9hwzdac3wsgfxmttngd7q89qzjr
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA3K2lNaUgvZjJqV3V5MzVy
ald4MTVIUWU1WG1ES1Yza0JhaWhFTDFCMVNnClRqajloVm51WnZsNG9SSGFDUG5S
YnZwZ2NGVlowaTJIcGtid0crVlZ2a2MKLS0tIHNuaEhtd3VXcDNKYzUxZjE1ZEkv
dWZHWXNNQlBIRTA1dFZXdXM1ZzlFSXMK3BJyrwoIRldG3lrGpNKiMA0QWNQA1jt1
zEqT2pgENYG8SZLXHKH3Ywrb9fNjHYPajLC6bYxkwTqTSIziNiwmaQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-10-25T19:41:17Z"
mac: ENC[AES256_GCM,data:bsjhBINLZxZUB+KUMKmJ1gFD+bkzZ9xSX0iClGRmBZb7dh2rMNPKjCfPGRdYkLEcVbREbbHYPgw74RrHYlc7cjDWiNQEB2i8xkPCScE5B8xQxmHQOIkWW4u2IR26vqPhslXI5ucYi9ojO6I5vrtbuIdxvVAdHUyqjNOz1o4/vFY=,iv:cwMx4ItAph0ETcJf6MJhIDd49eK7G7Bk9bGCksNhF0M=,tag:uv8Qd8jbnTRQKiz8BhXSOg==,type:str]
pgp: []
unencrypted_regex: ^(apiVersion|metadata|kind|type)$
version: 3.8.1


@ -0,0 +1,64 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: homepage
labels:
app.kubernetes.io/name: homepage
spec:
revisionHistoryLimit: 3
replicas: 1
strategy:
type: RollingUpdate
selector:
matchLabels:
app.kubernetes.io/name: homepage
template:
metadata:
labels:
app.kubernetes.io/name: homepage
spec:
serviceAccountName: homepage
automountServiceAccountToken: true
dnsPolicy: ClusterFirst
enableServiceLinks: true
containers:
- name: homepage
image: homepage
volumeMounts:
- mountPath: /app/config
name: homepage-config
readOnly: true
- mountPath: /app/config/logs
name: logs
resources:
requests:
memory: 256Mi
cpu: 100m
limits:
memory: 512Mi
cpu: 200m
- name: oauth2-proxy
image: oauth2-proxy
envFrom:
- secretRef:
name: oauth2-proxy-base-config
- secretRef:
name: oauth2-proxy-secret-config
ports:
- name: http
containerPort: 3001
protocol: TCP
resources:
requests:
memory: 50Mi
cpu: 10m
limits:
memory: 100Mi
cpu: 20m
volumes:
- name: homepage-config
secret:
secretName: homepage-config
- name: logs
emptyDir: {}
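Review bot: Neither container sets a `securityContext`, although this pod mounts a service-account token with cluster-wide read access (`automountServiceAccountToken: true`) and the HedgeDoc and NocoDB Deployments in the same commit are already locked down. Apply the same container settings here; the fence shows them for `oauth2-proxy`, and `homepage` should get the same once it is confirmed which paths it writes besides `/app/config/logs`. The proxy reaches `homepage` over `127.0.0.1:3000`; if that container binds to all interfaces, other pods can reach it on the pod IP without passing oauth2-proxy, so a NetworkPolicy limiting ingress to port 3001 would close that path.

```yaml
        - name: oauth2-proxy
          image: oauth2-proxy
          # … unchanged: envFrom, ports, resources …
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsNonRoot: true
            capabilities:
              drop:
                - ALL
```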


@ -0,0 +1,25 @@
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: homepage
labels:
app.kubernetes.io/name: homepage
annotations:
gethomepage.dev/description: THE home page
gethomepage.dev/enabled: "true"
gethomepage.dev/group: Apps
gethomepage.dev/icon: homepage.png
gethomepage.dev/name: Homepage
spec:
rules:
- host: "home.icb4dc0.de"
http:
paths:
- path: "/"
pathType: Prefix
backend:
service:
name: homepage
port:
number: 3000


@ -0,0 +1,7 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: homepage
labels:
prometheus: default


@ -0,0 +1,9 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: homepage
labels:
app.kubernetes.io/name: homepage
secrets:
- name: homepage


@ -0,0 +1,10 @@
---
apiVersion: v1
kind: Secret
type: kubernetes.io/service-account-token
metadata:
name: homepage
labels:
app.kubernetes.io/name: homepage
annotations:
kubernetes.io/service-account.name: homepage
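Review bot: This Secret makes the control plane mint a non-expiring token for the `homepage` ServiceAccount, which is bound to a cluster-wide read role. The Deployment in this commit already gets a rotating projected token through `automountServiceAccountToken: true`, and nothing visible mounts or references this Secret, so it appears to be unnecessary. Dropping `resources/sa_secret.yaml` and the `secrets:` entry on the ServiceAccount removes a long-lived credential that would otherwise sit in the namespace.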


@ -0,0 +1,16 @@
apiVersion: v1
kind: Service
metadata:
name: homepage
labels:
app.kubernetes.io/name: homepage
annotations: {}
spec:
type: ClusterIP
ports:
- port: 3000
targetPort: http
protocol: TCP
name: http
selector:
app.kubernetes.io/name: homepage


@ -0,0 +1,11 @@
apiVersion: viaduct.ai/v1
kind: ksops
metadata:
# Specify a name
name: homepage-config-secret-generator
annotations:
config.kubernetes.io/function: |
exec:
path: ksops
files:
- ./resources/config.enc.yaml

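--- a/mariadb-operator/.gitignore
+++ b/mariadb-operator/.gitignore
@@ -0,0 +1 @@
+charts/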


@ -0,0 +1,2 @@
metrics:
enabled: true


@ -0,0 +1,17 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: mariadb-system
resources:
- resources/namespace.yaml
helmCharts:
- name: mariadb-operator
releaseName: mariadb-operator
repo: https://mariadb-operator.github.io/mariadb-operator
namespace: mariadb-system
version: "0.22.0"
valuesFile: config/mariadb-operator.values.yaml
includeCRDs: true
skipTests: true


@ -0,0 +1,7 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: mariadb-system
labels:
prometheus: default

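--- a/nocodb/.gitignore
+++ b/nocodb/.gitignore
@@ -0,0 +1 @@
+charts/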

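--- a/nocodb/config/base.env
+++ b/nocodb/config/base.env
@@ -0,0 +1,9 @@
+NC_PUBLIC_URL=https://noco.icb4dc0.de
+NC_TOOL_DIR=/usr/app/data/
+DB_QUERY_LIMIT_DEFAULT=25
+DB_QUERY_LIMIT_MAX=1000
+DB_QUERY_LIMIT_MIN=1
+NC_JWT_EXPIRES_IN=1h
+NC_DISABLE_TELE=true
+NC_ADMIN_EMAIL=peter.kurfer@gmail.com
+NC_REDIS_URL=redis://nocodb-keydb:6379/0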
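Review bot: `NC_REDIS_URL=redis://nocodb-keydb:6379/0` carries no credentials and no TLS scheme, and the KeyDB values file in the next section sets no password either, so any workload that can reach the `nocodb-keydb` service can read and write NocoDB's cache. If the chart supports it, enable authentication in its values and move the URL with its password into the SOPS-encrypted `nocodb-secret-config`; otherwise restrict access to port 6379 with a NetworkPolicy. `NC_ADMIN_EMAIL` also publishes a personal address in the repository, which a role address would avoid.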


@ -0,0 +1,33 @@
imageRepository: code.icb4dc0.de/prskr/infrastructure/keydb
imageTag: v6.3.3
nodes: 3
podDisruptionBudget:
enabled: true
persistentVolume:
enabled: false
resources:
requests:
cpu: 50m
memory: 100Mi
limits:
cpu: 250m
memory: 256Mi
exporter:
enabled: true
imageTag: v1.51.0
resources:
requests:
cpu: 50m
memory: 50Mi
limits:
cpu: 150m
memory: 100Mi
serviceMonitor:
enabled: true
labels:
prometheus: default

36
nocodb/kustomization.yaml Normal file

@ -0,0 +1,36 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: nocodb
images:
- name: nocodb
newName: docker.io/nocodb/nocodb
newTag: "0.202.5"
commonLabels:
app.kubernetes.io/instance: icb4dc0de
app.kubernetes.io/managed-by: kustomize
resources:
- "resources/namespace.yaml"
- "resources/pvc.yaml"
- "resources/deployment.yaml"
- "resources/service.yaml"
- "resources/ingress.yaml"
generators:
- ./secret-generator.yaml
secretGenerator:
- name: nocodb-base-config
envs:
- "config/base.env"
helmCharts:
- name: keydb
repo: https://enapter.github.io/charts/
releaseName: nocodb-keydb
namespace: nocodb
version: "0.48.0"
valuesFile: config/values.keydb.yaml


@ -0,0 +1,40 @@
apiVersion: v1
kind: Secret
metadata:
name: nocodb-secret-config
type: Opaque
stringData:
#ENC[AES256_GCM,data:Hs6V,iv:5x3mHRFQ64to+CJGDDx+JNW1IEnHJ/ybe6JeecPJNeE=,tag:PBkuJceINQDF0YdjqmtcjA==,type:comment]
NC_DB_JSON: ENC[AES256_GCM,data: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,iv:dLiu9WddIz9iO3cOT7jny4PpdxiN7R/YccF/aaEy6Rc=,tag:w71GGULEaSzy0vrh4gOLvQ==,type:str]
#ENC[AES256_GCM,data:MQnRuJg=,iv:E82k3W8MaSx0BM7hXCkY1tN+H7D5S1kDPKmvP3Gi4/4=,tag:H4502GVmN8WvwPsiek5VpA==,type:comment]
NC_AUTH_JWT_SECRET: ENC[AES256_GCM,data:Js/NIpruZBw9hqvEP8cC0poEh5jf99mPd7fpDEJYsfNf5bGNN1hdXgypl8Y=,iv:aYw84L2YA4NBkICn/kP8eo345O4hEE87MwodzmlAGZk=,tag:5wyFoE9zpV9bp1ltheVHIQ==,type:str]
NC_ADMIN_PASSWORD: ENC[AES256_GCM,data:sKchDix8Q5VtC56G6cjT1rbO4h0/wzy+bFm9TUbhtvA=,iv:eR7nEDGn18t8hPMZK2xV26EvmrGmiWGuGFF1vgR0giA=,tag:KHLXghuZ8FE2oQ5HOkQbiQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age18e0w4jn03n66qwg8h3rjstz7g5zx2vhvz28aterkfkfetrxtpuysftp6we
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBTUkJmeVlidTVPTXhJanJT
WmFwMXB5d0hRVFFkTnJmK2JGbmVYNWYza1JjCjNCK0xnTFViN0o3Y1FKellnelR4
dk9qM1A4NHgvYWZpNW1wRVFHZnVrbk0KLS0tICttWE13RVF6Y3N5RFpMenpsQmp0
aElkeEVMN0hnS25QamEyZGNHRkY1Q2cKxi/tu37yGgnUh5pbO3gb+aWp0P4SJZQj
8uW0zavu2ppT4gk/3v3u8ty8sD5rCSaBih0XM2f8+i6LdFHIzcQE6Q==
-----END AGE ENCRYPTED FILE-----
- recipient: age1yssdnqk90tn6zzggmwt70krndw04yfk9hwzdac3wsgfxmttngd7q89qzjr
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCb2pGSHlvKzFQdFNoQ2V6
ditvYXFNVllETXJIbk9ETHEraWN4Mjk5bkJRCnVyT0YySU5CTk1DUUlCazhOeWYz
WVpMVVIrc3BqTU41d0tkaHNTa2NoQ1EKLS0tIGRwVEJQejBDL0kwYnIyaVJVOEla
UmFSZEd1ekI1alFVOG1qUVNBcHFUQlUKW7idC59jIRv2NgxxwDIMAYRe9tvBI6or
rjkpmb3b1ONLX470pY4FtmejOw02rm7YoeFTLPSePQgeK/+7tE3P+Q==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-11-08T20:15:51Z"
mac: ENC[AES256_GCM,data:Hvm/nLFI9TV9r8QxLzGM/dWRTX96TFcSUlEo1Q5nWfXym3pAI8LXqtxOri8IF9aZYdo87G9u3K+IPoGHL+1rYchYRF5O9T/Dez5lm9rMBc0z3dvq3gU0HKVjNaK9bso0b7Z90VSilbb7S0ZgI8gd2Xc//jgKnRrlMTeNVVgICQ0=,iv:icFu9+L4zlFLY62J7z+/1xwkTilUh2a1ZhrkCkbWyPI=,tag:L5QgfT9w2S2N+EIugXABuQ==,type:str]
pgp: []
unencrypted_regex: ^(apiVersion|metadata|kind|type)$
version: 3.8.1


@ -0,0 +1,83 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: nocodb
spec:
selector:
matchLabels:
app.kubernetes.io/name: nocodb
replicas: 1
strategy:
type: Recreate
template:
metadata:
labels:
app.kubernetes.io/name: nocodb
spec:
containers:
- name: nocodb
image: nocodb
envFrom:
- secretRef:
name: nocodb-base-config
- secretRef:
name: nocodb-secret-config
ports:
- containerPort: 8080
protocol: TCP
name: web
volumeMounts:
- mountPath: /usr/app/data
name: nocodb-metadata
- mountPath: /usr/src/app/
name: app-volume
- mountPath: /tmp
name: app-tmp
livenessProbe:
httpGet:
path: /api/v1/health
port: web
scheme: HTTP
initialDelaySeconds: 10
timeoutSeconds: 3
periodSeconds: 5
successThreshold: 1
failureThreshold: 3
readinessProbe:
httpGet:
path: /api/v1/health
port: web
scheme: HTTP
initialDelaySeconds: 5
timeoutSeconds: 3
periodSeconds: 5
successThreshold: 1
failureThreshold: 3
resources:
requests:
memory: "168Mi"
cpu: "50m"
limits:
memory: "256Mi"
cpu: "500m"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
volumes:
- name: nocodb-metadata
persistentVolumeClaim:
claimName: nocodb-metadata
- name: app-volume
emptyDir:
sizeLimit: 1500Mi
- name: app-tmp
emptyDir:
sizeLimit: 500Mi
securityContext:
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true


@ -0,0 +1,23 @@
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: nocodb
annotations:
gethomepage.dev/description: Data workspace
gethomepage.dev/enabled: "true"
gethomepage.dev/group: Apps
gethomepage.dev/icon: nocodb.png
gethomepage.dev/name: NocoDB
spec:
rules:
- host: noco.icb4dc0.de
http:
paths:
- pathType: Prefix
path: /
backend:
service:
name: nocodb
port:
number: 8080


@ -0,0 +1,7 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: nocodb
labels:
prometheus: default

14
nocodb/resources/pvc.yaml Normal file

@ -0,0 +1,14 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: nocodb-metadata
labels:
app.kubernetes.io/name: nocodb
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 10Gi
storageClassName: hcloud-volumes


@ -0,0 +1,12 @@
---
apiVersion: v1
kind: Service
metadata:
name: nocodb
spec:
selector:
app.kubernetes.io/name: nocodb
ports:
- protocol: TCP
port: 8080
targetPort: 8080


@ -0,0 +1,11 @@
apiVersion: viaduct.ai/v1
kind: ksops
metadata:
# Specify a name
name: nocodb-config-secret-generator
annotations:
config.kubernetes.io/function: |
exec:
path: ksops
files:
- ./resources/config.enc.yaml


@ -0,0 +1,28 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
labels:
- includeTemplates: true
pairs:
app.kubernetes.io/name: pgo
# The version below should match the version on the PostgresCluster CRD
app.kubernetes.io/version: 5.4.3
postgres-operator.crunchydata.com/control-plane: postgres-operator
images:
- name: postgres-operator
newName: registry.developers.crunchydata.com/crunchydata/postgres-operator
newTag: ubi8-5.4.3-0
resources:
- resources/namespace.yaml
- resources/crd/postgresclusters.yaml
- resources/crd/pgupgrades.yaml
- resources/rbac/service_account.yaml
- resources/rbac/role.yaml
- resources/rbac/role_binding.yaml
- resources/manager.yaml
- resources/db/default-cluster.yaml
generators:
- ./secret-generator.yaml

File diff suppressed because it is too large Load diff

File diff suppressed because it is too large Load diff


@ -0,0 +1,77 @@
---
apiVersion: postgres-operator.crunchydata.com/v1beta1
kind: PostgresCluster
metadata:
name: default-cluster
namespace: postgres
spec:
image: registry.developers.crunchydata.com/crunchydata/crunchy-postgres:ubi8-15.4-1
postgresVersion: 15
users:
- name: postgres
- name: coder
databases:
- coder
- name: drone
databases:
- drone
- name: fider
databases:
- fider
- name: forgejo
databases:
- forgejo
- name: grafana
databases:
- grafana
- name: hedgedoc
databases:
- hedgedoc
- name: nextcloud
databases:
- nextcloud
- name: noco
databases:
- noco
- name: vikunja
databases:
- vikunja
- name: zipline
databases:
- zipline
instances:
- name: instance1
replicas: 2
dataVolumeClaimSpec:
storageClassName: hcloud-volumes
accessModes:
- "ReadWriteOnce"
resources:
requests:
storage: 10Gi
affinity:
podAntiAffinity:
preferredDuringSchedulingIgnoredDuringExecution:
- weight: 1
podAffinityTerm:
topologyKey: kubernetes.io/hostname
labelSelector:
matchLabels:
postgres-operator.crunchydata.com/cluster: default-cluster
postgres-operator.crunchydata.com/instance-set: instance1
backups:
pgbackrest:
image: registry.developers.crunchydata.com/crunchydata/crunchy-pgbackrest:ubi8-2.47-1
configuration:
- secret:
name: pgo-s3-creds
global:
repo1-path: /pgbackrest/default-cluster/repo1
repo1-s3-uri-style: path
repos:
- name: repo1
s3:
bucket: backup
endpoint: 2df513adaee2eeae12106af900bed297.r2.cloudflarestorage.com
region: us-east-1
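Review bot: The pgBackRest repository is written to external object storage without repository encryption: `global` sets only the path and URI style, no `repo1-cipher-type`. Adding `repo1-cipher-type: aes-256-cbc` here and the matching `repo1-cipher-pass` to the encrypted `s3.conf` in `pgo-s3-creds` keeps backups of all ten application databases unreadable to anyone who obtains bucket access (on an already-initialised repository the cipher cannot simply be switched on afterwards). No backup schedule or retention such as `repo1-retention-full` is set either, so confirm that is intended. Listing `postgres` under `users` makes the operator publish superuser credentials as a Secret; leave it out unless something needs it.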


@ -0,0 +1,37 @@
apiVersion: v1
kind: Secret
metadata:
name: pgo-s3-creds
namespace: postgres
type: Opaque
stringData:
s3.conf: ENC[AES256_GCM,data:nd12eOx2aXNyvUyNxZVP7v9dgh/P51f5UM+vgvP2odnBX9dzE79/2/kI5dn/hJsa/6Jibmk/3Pvexl9PTc1BmYFogVXfkVH04RhH1iaP6Jsl8oycIaG4oPdPgfwSseZlGCmSIBP+GTRoQ8mUmNDVxaSb4SwYHI9vjTalxoSyo+vnE8ABBt7h5J5QgXo=,iv:av60ntIqiRfv7gum585jjO1McCOXmMVD+voBuWfukm0=,tag:+GgMk3Z16JFyfLvsHH/m0Q==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age18e0w4jn03n66qwg8h3rjstz7g5zx2vhvz28aterkfkfetrxtpuysftp6we
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBoU3pnbVhrREF3d3ZiU040
UjU1TUMraXhlV0k3aGprSnZvaUZncDU3Q1hFCkZtMklKS0VWS0w1SllxQ3lKYmxC
b2NFSitjSEtqMEpiZnNmeEhPb2RBa28KLS0tIFYxQ2w1aW1zaFVGY1RZekJVOEdH
UGZwVWhNTHdCS1hDMjJYcy9kVittTlEKLMWQALBbEmqMLx2gGMWr6m6CHb7vP9k3
lIZNhA5nwpH2R7TSbbNpnzsq3yhC9ClM8smfAmr+02rUK6T4RYaZiQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1yssdnqk90tn6zzggmwt70krndw04yfk9hwzdac3wsgfxmttngd7q89qzjr
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4RVRxb2h5WjRFc0xBdE5m
b0JrbHJvM1pCZDlFVXU4bG0wdVpnQjRRaUd3CmphMU9LbGx4NURrNUlUekJMUHN6
ZVFncDgvcXdNeVVjSk52LzZ1N2NmSk0KLS0tIEJvQlBnNHFEQnVvZFZESDlRSHox
RHhmT1VJWHNsK2QrS1p1dEkyM2JrcTQKs4gzaEY/ofkMHkD03Yu9JIgnR12c5LWm
2bwb+wJ056Sxz2jwC66gW2F7CcX8tIBOuWW99JqfHhFBj9oYZGoDxw==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-11-07T18:09:57Z"
mac: ENC[AES256_GCM,data:yndsk1ZStyVRDFm8h3dTARBzsiXAgWNNvrVmQeHuzYAYO78UxDXljbuQHBIJHGpSD4jEZl569cy3VY8Wk8ulUHHJM82LSMtYeAabv3GMJIpPxMHsczngBpbqmLQEpW6Yb6EB8eY7F8gL0MtZu46r4Dw9zZJKmGW6V1cIPK6G6As=,iv:udMhvZbf966Rdyl/2I/0IQL6kOvUOY4OSQMj+bWEKvM=,tag:BQPy3GoWP9FKcH6+o4B/8g==,type:str]
pgp: []
unencrypted_regex: ^(apiVersion|metadata|kind|type)$
version: 3.8.1


@ -0,0 +1,63 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: pgo
namespace: postgres-system
labels:
postgres-operator.crunchydata.com/control-plane: postgres-operator
spec:
replicas: 1
strategy: { type: Recreate }
selector:
matchLabels:
postgres-operator.crunchydata.com/control-plane: postgres-operator
template:
metadata:
labels:
postgres-operator.crunchydata.com/control-plane: postgres-operator
spec:
containers:
- name: operator
image: postgres-operator
env:
- name: PGO_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
- name: CRUNCHY_DEBUG
value: "true"
- name: RELATED_IMAGE_POSTGRES_14
value: "registry.developers.crunchydata.com/crunchydata/crunchy-postgres:ubi8-14.9-1"
- name: RELATED_IMAGE_POSTGRES_14_GIS_3.1
value: "registry.developers.crunchydata.com/crunchydata/crunchy-postgres-gis:ubi8-14.9-3.1-1"
- name: RELATED_IMAGE_POSTGRES_14_GIS_3.2
value: "registry.developers.crunchydata.com/crunchydata/crunchy-postgres-gis:ubi8-14.9-3.2-1"
- name: RELATED_IMAGE_POSTGRES_14_GIS_3.3
value: "registry.developers.crunchydata.com/crunchydata/crunchy-postgres-gis:ubi8-14.9-3.3-1"
- name: RELATED_IMAGE_POSTGRES_15
value: "registry.developers.crunchydata.com/crunchydata/crunchy-postgres:ubi8-15.4-1"
- name: RELATED_IMAGE_POSTGRES_15_GIS_3.3
value: "registry.developers.crunchydata.com/crunchydata/crunchy-postgres-gis:ubi8-15.4-3.3-1"
- name: RELATED_IMAGE_POSTGRES_16
value: "registry.developers.crunchydata.com/crunchydata/crunchy-postgres:ubi8-16.0-0"
- name: RELATED_IMAGE_POSTGRES_16_GIS_3.3
value: "registry.developers.crunchydata.com/crunchydata/crunchy-postgres-gis:ubi8-16.0-3.3-0"
- name: RELATED_IMAGE_POSTGRES_16_GIS_3.4
value: "registry.developers.crunchydata.com/crunchydata/crunchy-postgres-gis:ubi8-16.0-3.4-0"
- name: RELATED_IMAGE_PGADMIN
value: "registry.developers.crunchydata.com/crunchydata/crunchy-pgadmin4:ubi8-4.30-18"
- name: RELATED_IMAGE_PGBACKREST
value: "registry.developers.crunchydata.com/crunchydata/crunchy-pgbackrest:ubi8-2.47-1"
- name: RELATED_IMAGE_PGBOUNCER
value: "registry.developers.crunchydata.com/crunchydata/crunchy-pgbouncer:ubi8-1.19-5"
- name: RELATED_IMAGE_PGEXPORTER
value: "registry.developers.crunchydata.com/crunchydata/crunchy-postgres-exporter:ubi8-5.4.3-0"
- name: RELATED_IMAGE_PGUPGRADE
value: "registry.developers.crunchydata.com/crunchydata/crunchy-upgrade:ubi8-5.4.3-0"
securityContext:
allowPrivilegeEscalation: false
capabilities: { drop: [ALL] }
readOnlyRootFilesystem: true
runAsNonRoot: true
serviceAccountName: pgo
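Review bot: `CRUNCHY_DEBUG` is set to `"true"`, which looks carried over from an example manifest; an operator that handles database credentials should not run with debug logging by default, so set it to `"false"` unless actively troubleshooting. The container also has no `resources` block, and the operator and related images are referenced by mutable tag rather than by digest.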


@ -0,0 +1,14 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: postgres-system
labels:
prometheus: default
---
apiVersion: v1
kind: Namespace
metadata:
name: postgres
labels:
prometheus: default


@ -0,0 +1,156 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRole
metadata:
name: postgres-operator
rules:
- apiGroups:
- ''
resources:
- configmaps
- persistentvolumeclaims
- secrets
- services
verbs:
- create
- delete
- get
- list
- patch
- watch
- apiGroups:
- ''
resources:
- endpoints
verbs:
- create
- delete
- deletecollection
- get
- list
- patch
- watch
- apiGroups:
- ''
resources:
- endpoints/restricted
- pods/exec
verbs:
- create
- apiGroups:
- ''
resources:
- events
verbs:
- create
- patch
- apiGroups:
- ''
resources:
- pods
verbs:
- delete
- get
- list
- patch
- watch
- apiGroups:
- ''
resources:
- serviceaccounts
verbs:
- create
- get
- list
- patch
- watch
- apiGroups:
- apps
resources:
- deployments
- statefulsets
verbs:
- create
- delete
- get
- list
- patch
- watch
- apiGroups:
- batch
resources:
- cronjobs
- jobs
verbs:
- create
- delete
- get
- list
- patch
- watch
- apiGroups:
- policy
resources:
- poddisruptionbudgets
verbs:
- create
- delete
- get
- list
- patch
- watch
- apiGroups:
- postgres-operator.crunchydata.com
resources:
- pgupgrades
verbs:
- get
- list
- watch
- apiGroups:
- postgres-operator.crunchydata.com
resources:
- pgupgrades/finalizers
verbs:
- patch
- update
- apiGroups:
- postgres-operator.crunchydata.com
resources:
- pgupgrades/status
verbs:
- get
- patch
- watch
- apiGroups:
- postgres-operator.crunchydata.com
resources:
- postgresclusters
verbs:
- get
- list
- patch
- watch
- apiGroups:
- postgres-operator.crunchydata.com
resources:
- postgresclusters/finalizers
verbs:
- update
- apiGroups:
- postgres-operator.crunchydata.com
resources:
- postgresclusters/status
verbs:
- patch
- apiGroups:
- rbac.authorization.k8s.io
resources:
- rolebindings
- roles
verbs:
- create
- get
- list
- patch
- watch
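Review bot: This role gives the operator create/delete/get/list/patch on `secrets`, `create` on `pods/exec`, and create/patch on `roles` and `rolebindings` in every namespace, and the ClusterRoleBinding in the next file binds it cluster-wide to `pgo`. The only PostgresCluster in this commit lives in `postgres`, so the same rules as a namespaced `Role` plus `RoleBinding` in that namespace would be enough; PGO's single-namespace install works this way and sets `PGO_TARGET_NAMESPACE` on the operator. If cluster scope is kept on purpose, a comment saying so would help the next reviewer.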


@ -0,0 +1,15 @@
---
apiVersion: rbac.authorization.k8s.io/v1
kind: ClusterRoleBinding
metadata:
name: postgres-operator
labels:
postgres-operator.crunchydata.com/control-plane: postgres-operator
roleRef:
apiGroup: rbac.authorization.k8s.io
kind: ClusterRole
name: postgres-operator
subjects:
- kind: ServiceAccount
name: pgo
namespace: postgres-system


@ -0,0 +1,8 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: pgo
namespace: postgres-system
labels:
postgres-operator.crunchydata.com/control-plane: postgres-operator


@ -0,0 +1,10 @@
apiVersion: viaduct.ai/v1
kind: ksops
metadata:
name: postgres-secret-generator
annotations:
config.kubernetes.io/function: |
exec:
path: ksops
files:
- ./resources/db/pgo-s3-creds.enc.yaml


@ -0,0 +1,28 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: vikunja
images:
- name: vikunja-api
newName: docker.io/vikunja/api
newTag: "0.21.0"
- name: vikunja-ui
newName: docker.io/vikunja/frontend
newTag: "0.21.0"
commonLabels:
app.kubernetes.io/instance: icb4dc0de
app.kubernetes.io/managed-by: kustomize
resources:
- resources/namespace.yaml
- resources/api/pvc.yaml
- resources/api/deployment.yaml
- resources/api/service.yaml
- resources/ui/deployment.yaml
- resources/ui/service.yaml
- resources/ingress.yaml
generators:
- ./secret-generator.yaml
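Review bot: Both `images` entries pin only a tag (`newTag: "0.21.0"`), and a registry tag can be re-pointed, so the deployed bytes are not fixed by this file. Adding a digest next to each entry, e.g. `digest: sha256:<digest-of-the-0.21.0-image>` (placeholder, to be taken from the registry), makes the rollout reproducible and lets an unexpected image change show up as a diff. The zipline kustomization later in this commit pins `ghcr.io/diced/zipline` by tag in the same way.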


@ -0,0 +1,36 @@
apiVersion: v1
kind: Secret
metadata:
name: vikunja-config
type: Opaque
stringData:
config.yml: ENC[AES256_GCM,data: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,iv:K41jhC1s98trTYvcceAQOxx+ckAHrx22HLa5U6CYxWk=,tag:r7m/tjgYfaW3Wpfl8cJKTA==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age18e0w4jn03n66qwg8h3rjstz7g5zx2vhvz28aterkfkfetrxtpuysftp6we
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBiRkFMcWRyNE9tMU5NVkVs
UmNsSFVDN3k4SDJxK2tva1Rza2xuR2ExcUhVCndua28xNUZBaVlGeTJ0TG0xMlpo
cTB5ZTBkMzZ4NW03T1ZacmVGRnZMUXMKLS0tIEYyVGdMZlVCTHREdnBOR3h3NU4x
UzBWYXdMS3RadXpEQmN6cVBBUUpHWkUKugUfHbVc5+0597P5r8k8bAIcXHx2BfFe
DVdOoxLasWTXvz1GWTFuzvin3Z42GB9zCnjfzkEnwXbATwQy26MhaQ==
-----END AGE ENCRYPTED FILE-----
- recipient: age1yssdnqk90tn6zzggmwt70krndw04yfk9hwzdac3wsgfxmttngd7q89qzjr
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBndE9JcHB5NWtBRDZLYTQ4
QXhJRG93bEtXYUlmRWhKWC93Mng2YUtDN2ljCmE3RklOdTN2dE42Q0RSc0djSXpX
UzBkdXRPVHJ2YUFDR0REeSt5YS9NNEUKLS0tIGJGR0pBWUp3Vm5tMVNneUtaQ1NB
UnE2NTVSSUp1OEVFVDd5bHJYOEZpaVkKqmw9GLZavqaPQOJjGhLqXo4ggfmFDgXz
C9HNxeDVr2kY452gleVS/YFTPWo0QPevl0SjpZg2gvnz28qLDSNXYQ==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-11-03T13:04:43Z"
mac: ENC[AES256_GCM,data:V29XEZk91KgM0cgTFO6qtwWcY73o+mSFTEVw5MN/NJoEPEHtzcnGXVcHePSvtVEWdWajOX8mz51WM/5sV/B3+Iah3tHNXXzlyCte/kBBa+8NTWvWXSrVUAY0b+W7kRAaAHtXIwYrHwMGkyN+lvNRTAXEcs21OSmM7n375nDsmlY=,iv:wTEKdY34e6B1lxM9qiOGcm5MWIa7RP5wYewwafz+X7A=,tag:XoGiBJwplBWyhVcqaJhkng==,type:str]
pgp: []
unencrypted_regex: ^(apiVersion|metadata|kind|type)$
version: 3.8.1


@ -0,0 +1,82 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: vikunja-api
spec:
strategy:
type: Recreate
selector:
matchLabels:
app.kubernetes.io/name: vikunja
app.kubernetes.io/component: api
app.kubernetes.io/part-of: vikunja
template:
metadata:
labels:
app.kubernetes.io/name: vikunja
app.kubernetes.io/component: api
app.kubernetes.io/part-of: vikunja
spec:
containers:
- name: vikunja-api
image: vikunja-api
command:
- /app/vikunja/vikunja
env:
- name: VIKUNJA_DATABASE_TYPE
value: postgres
- name: VIKUNJA_SERVICE_FRONTENDURL
value: https://todo.icb4dc0.de
- name: VIKUNJA_DATABASE_SSLMODE
value: require
- name: VIKUNJA_DATABASE_HOST
valueFrom:
secretKeyRef:
name: default-cluster-pguser-vikunja
key: host
- name: VIKUNJA_DATABASE_DATABASE
valueFrom:
secretKeyRef:
name: default-cluster-pguser-vikunja
key: dbname
- name: VIKUNJA_DATABASE_USER
valueFrom:
secretKeyRef:
name: default-cluster-pguser-vikunja
key: user
- name: VIKUNJA_DATABASE_PASSWORD
valueFrom:
secretKeyRef:
name: default-cluster-pguser-vikunja
key: password
ports:
- containerPort: 3456
securityContext:
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
capabilities:
drop:
- ALL
privileged: false
resources:
limits:
memory: "384Mi"
cpu: "100m"
volumeMounts:
- name: vikunja-config
mountPath: /etc/vikunja
- name: vikunja-content
mountPath: /app/vikunja/files
securityContext:
fsGroup: 1000
runAsGroup: 1000
runAsUser: 1000
runAsNonRoot: false
volumes:
- name: vikunja-config
secret:
secretName: vikunja-config
- name: vikunja-content
persistentVolumeClaim:
claimName: vikunja-content
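Review bot: The pod-level `securityContext` near the end of the template sets `runAsNonRoot: false` although `runAsUser: 1000` is already a non-root UID. That switches off the kubelet's non-root check without gaining anything. `runAsNonRoot: true` would match the zipline deployment in this commit and fail closed if the UID is ever changed or removed. The same block could also carry `seccompProfile:` with `type: RuntimeDefault`, which none of the deployments in this commit set.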


@ -0,0 +1,13 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: vikunja-content
spec:
storageClassName: hcloud-volumes
resources:
requests:
storage: 10Gi
volumeMode: Filesystem
accessModes:
- ReadWriteOnce


@ -0,0 +1,14 @@
---
apiVersion: v1
kind: Service
metadata:
name: vikunja-api
spec:
selector:
app.kubernetes.io/name: vikunja
app.kubernetes.io/component: api
app.kubernetes.io/part-of: vikunja
ports:
- protocol: TCP
port: 3456
targetPort: 3456


@ -0,0 +1,30 @@
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: vikunja
annotations:
gethomepage.dev/description: ToDos
gethomepage.dev/enabled: "true"
gethomepage.dev/group: Apps
gethomepage.dev/icon: vikunja.png
gethomepage.dev/name: Vikunja
spec:
rules:
- host: todo.icb4dc0.de
http:
paths:
- pathType: Prefix
path: /
backend:
service:
name: vikunja-ui
port:
number: 8080
- pathType: Prefix
path: /api/v1
backend:
service:
name: vikunja-api
port:
number: 3456
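Review bot: `spec` has `rules` but no `tls` block and no `ingressClassName`, while the deployments configure `https://todo.icb4dc0.de` as the public URL. Whether login and API traffic is actually encrypted therefore depends on controller defaults that are not visible in this commit (a default certificate or an HTTPS-only entrypoint). If that is the setup, a comment such as `# TLS terminated by the controller's default wildcard certificate` would document it; otherwise add a `tls:` entry with `hosts: [todo.icb4dc0.de]` and a `secretName`. The zipline Ingress for `share.icb4dc0.de` at the end of this commit has the same shape.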


@ -0,0 +1,7 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: vikunja
labels:
prometheus: default


@ -0,0 +1,32 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: vikunja-ui
spec:
selector:
matchLabels:
app.kubernetes.io/name: vikunja
app.kubernetes.io/component: ui
app.kubernetes.io/part-of: vikunja
template:
metadata:
labels:
app.kubernetes.io/name: vikunja
app.kubernetes.io/component: ui
app.kubernetes.io/part-of: vikunja
spec:
containers:
- name: vikunja-ui
image: vikunja-ui
env:
- name: VIKUNJA_API_URL
value: https://todo.icb4dc0.de/api/v1
- name: VIKUNJA_HTTP_PORT
value: "8080"
resources:
limits:
memory: "128Mi"
cpu: "50m"
ports:
- containerPort: 8080
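Review bot: The `vikunja-ui` container has no `securityContext` at all, whereas `vikunja-api` and `zipline` in this commit both drop all capabilities and forbid privilege escalation. The internet-facing frontend therefore runs with the runtime's default capability set and whatever user the image declares. The block below adds the two settings least likely to disturb a web server listening on 8080. `runAsNonRoot` and `readOnlyRootFilesystem` would be worth adding too, but they depend on how the image is built, which is not visible here, so verify them against the running container first.

```yaml
      containers:
        - name: vikunja-ui
          # ... unchanged: image, env, resources, ports ...
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
```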


@ -0,0 +1,13 @@
---
apiVersion: v1
kind: Service
metadata:
name: vikunja-ui
spec:
selector:
app.kubernetes.io/name: vikunja
app.kubernetes.io/component: ui
app.kubernetes.io/part-of: vikunja
ports:
- port: 8080
targetPort: 8080


@ -0,0 +1,10 @@
apiVersion: viaduct.ai/v1
kind: ksops
metadata:
name: vikunja-secret-generator
annotations:
config.kubernetes.io/function: |
exec:
path: ksops
files:
- ./resources/api/config.enc.yaml

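--- a/zipline/config/base.env
+++ b/zipline/config/base.env
@@ -0,0 +1,15 @@
+CORE_RETURN_HTTPS=true
+CORE_HOST=0.0.0.0
+CORE_PORT=3000
+CORE_LOGGER=true
+DATASOURCE_TYPE=s3
+DATASOURCE_S3_ENDPOINT=2df513adaee2eeae12106af900bed297.r2.cloudflarestorage.com
+DATASOURCE_S3_PORT=443
+DATASOURCE_S3_BUCKET=zipline
+DATASOURCE_S3_FORCE_S3_PATH=true
+DATASOURCE_S3_USE_SSL=true
+DATASOURCE_S3_REGION=us-east-1
+FEATURES_INVITES=true
+FEATURES_OAUTH_REGISTRATION=true
+FEATURES_OAUTH_LOGIN_ONLY=true
+FEATURES_USER_REGISTRATION=false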
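Review bot: The last four lines set `FEATURES_OAUTH_REGISTRATION=true` and `FEATURES_OAUTH_LOGIN_ONLY=true` next to `FEATURES_USER_REGISTRATION=false`, and nothing in the file says which account-creation policy is intended. If OAuth registration stays effective, any account at the configured provider could create a user on this public sharing host. A comment above the `FEATURES_*` block stating the intent, for example `# new accounts by invite only; OAuth is for sign-in` if that is the goal, would let the flags be checked against Zipline's documented semantics (assuming the env loader skips `#` lines). The file is rendered into a Secret by `secretGenerator` but is committed in clear text, so credentials should stay in the sops-encrypted file, as they do now.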


@ -0,0 +1,27 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
namespace: zipline
images:
- name: zipline
newName: ghcr.io/diced/zipline
newTag: "3.7.4"
commonLabels:
app.kubernetes.io/instance: icb4dc0de
app.kubernetes.io/managed-by: kustomize
resources:
- "resources/namespace.yaml"
- "resources/deployment.yaml"
- "resources/service.yaml"
- "resources/ingress.yaml"
generators:
- ./secret-generator.yaml
secretGenerator:
- name: zipline-base-config
envs:
- "config/base.env"


@ -0,0 +1,41 @@
apiVersion: v1
kind: Secret
metadata:
name: zipline-secret-config
type: Opaque
stringData:
CORE_DATABASE_URL: ENC[AES256_GCM,data:5wI/kj0+X2vx4898sQS9Axhgp20IQh1xpbQgZOgobvYRvPxni7ad3RDd6misLSGF4eTeNWn7LQltf5aONGmvC6C6ueAF+sZhnzQPRfXZS2msiL8CtWXaON3Vo+boPqUNfoGHpg2+NH3tm+L1r3HwZDQkWg==,iv:hMTkTw/oLPFs4XVRnCViKNxKmE7OBlcLQa+aXgqnWes=,tag:Au1mkU0XBQPPumGvx+VWvw==,type:str]
CORE_SECRET: ENC[AES256_GCM,data:taa93xNb8h0vUVdWgDQ69+PQr541weQQmGJWau+2fXdTm13VtOLv2sH430Y=,iv:vxh60WKz2MM62O1AA4Uzxsz8rvxkdQTKxBfpjAOa1KY=,tag:OF5fOv5W+2U4yaRHOo2ohA==,type:str]
DATASOURCE_S3_ACCESS_KEY_ID: ENC[AES256_GCM,data:WcbIP7ir/5/j14GSXprxNGSQxnNhSxZHdqNk5k4EKy0=,iv:fCWBiA2vXbNFTQhjaoOl5Lhy5oKmIfnJr80El3O2SXY=,tag:uaPwWdtR2y07nuxzti14JA==,type:str]
DATASOURCE_S3_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:52dOiJH4BxDVgHBLGAHVv0yocB4VWJx7RPUQ4ge012T9gU8k2jYJ2Y3aL3Y+mFqdB24S6HJZ918dR0aglhiQyA==,iv:j+cs1zkb3VY3AVdbGeNcdIJ1S9ytSwfxwGt5/S96dsI=,tag:iy+Xgc97GierA74BYtHMZg==,type:str]
OAUTH_GITHUB_CLIENT_ID: ENC[AES256_GCM,data:7a773t7iacejEQayPqUbkKxL2XY=,iv:tfZuc2oTEmB/LI1BvPTbPVoA07kSW0AG4FH+8yJ72/A=,tag:B/kD0/rOW38trSpe+LVH5w==,type:str]
OAUTH_GITHUB_CLIENT_SECRET: ENC[AES256_GCM,data:IgxkqECtYbUdc3u/o2AATlQVkVPtcRU0+zvjwBLWNoPYdneWd2YBJg==,iv:XQq/HjK3wca31T8g5zqIreJ58Ar6GptLK3Um0Eh1CHY=,tag:lfvAOFAtj57mPPHdIdW7mQ==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age18e0w4jn03n66qwg8h3rjstz7g5zx2vhvz28aterkfkfetrxtpuysftp6we
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEWWFBMUF2aGpEK0dNdGQy
aHdxY084UnNZS2xrQ21McnYzTlpsOFFwVjN3CkRuNWlTeE5ObEFwRGZsekJFV3pJ
QW9mNk1xMDBmb2hlRENRUGF2MmF2NGMKLS0tIFVtUkdyWU9ZTmwxSVh6dVRIM1hK
Q3NxUHV0T2JjM0krZStCWDQ2RmdRc0EKS6LHARFCZ/9Vww3TyhrEBgvOY/lWGDLP
cRvq9w+7qQYgsO0KCC+hfxDVbtZdbRku/2ZXr9cv8Vv/PgFJhwHScA==
-----END AGE ENCRYPTED FILE-----
- recipient: age1yssdnqk90tn6zzggmwt70krndw04yfk9hwzdac3wsgfxmttngd7q89qzjr
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmbVZXMUFPbWovc0lnek5J
WC9zaEZTaWh1V2pLbFhBQXBvSjBtcFp1MGx3CnFRSlpGTkJEMjNhd283ekNhYnIw
Q28rS2trMVN5UWljZkJoTmdHWjBNeEkKLS0tIFhWYjV0TzhnVzAyT0RvWHB5Vjlm
eEQxM25tM2FxY1RvNEhxQWk2cE1wdTgKFq1rbrN1ScKuujg2xyRaESwswoMu2+zr
LvIVDhLTl4jyUb0WH8Iy8/xQhUhsp7KJnccXFoCc5TFE7QzEKfrv6Q==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2023-11-08T20:23:36Z"
mac: ENC[AES256_GCM,data:+PwY2NaAQTCbWAWl5sovsb0dang4WmUBI6FIjtwn2OzCIkUkvKvsHOl5sVoj8DyiQJT46Ui4xDwB/kKDUwobmQZXxaorJrEmBv1tfF7NBXIilrs0JWprxQ/0AZZY94KrQ/1lgcZ/a+Ax5JXDUxmHh81gM224X2sHLKS4tAaTfzY=,iv:vWHbCE50vIoI4uQMexywNB+HiBo43F2Ne067ITK2f1I=,tag:q8zqd8FCjdEYXhADlOg/yA==,type:str]
pgp: []
unencrypted_regex: ^(apiVersion|metadata|kind|type)$
version: 3.8.1


@ -0,0 +1,51 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: zipline
spec:
selector:
matchLabels:
app.kubernetes.io/name: zipline
replicas: 2
template:
metadata:
labels:
app.kubernetes.io/name: zipline
spec:
containers:
- name: zipline
image: zipline
envFrom:
- secretRef:
name: zipline-base-config
- secretRef:
name: zipline-secret-config
ports:
- containerPort: 3000
protocol: TCP
name: web
volumeMounts:
- mountPath: /tmp
name: temp
resources:
requests:
memory: "256Mi"
cpu: "50m"
limits:
memory: "512Mi"
cpu: "500m"
securityContext:
allowPrivilegeEscalation: false
capabilities:
drop:
- ALL
readOnlyRootFilesystem: true
volumes:
- name: temp
emptyDir:
sizeLimit: 1500Mi
securityContext:
runAsUser: 1000
runAsGroup: 1000
runAsNonRoot: true
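Review bot: The pod spec never sets `automountServiceAccountToken: false`, so both replicas get the namespace's default service-account token mounted, although nothing visible here suggests Zipline calls the Kubernetes API. Adding `automountServiceAccountToken: false` under `spec.template.spec` removes a credential that is useful only to someone who has already compromised the container. The pod-level `securityContext` at the end could also gain `seccompProfile:` with `type: RuntimeDefault`. Both points apply equally to the `vikunja-api` and `vikunja-ui` deployments earlier in this commit.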


@ -0,0 +1,23 @@
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: zipline
annotations:
gethomepage.dev/description: Sharing is caring
gethomepage.dev/enabled: "true"
gethomepage.dev/group: Apps
gethomepage.dev/icon: zipline.png
gethomepage.dev/name: Zipline
spec:
rules:
- host: share.icb4dc0.de
http:
paths:
- pathType: Prefix
path: /
backend:
service:
name: zipline
port:
number: 3000
