parent
140a2a2721
commit
f271be68d2
16 changed files with 69 additions and 79 deletions
kubernetes
apps/production
cert-manager
longhorn
nginx
cluster/production/flux-system
secrets
packer/debian
terraform/proxmox
|
@ -2,10 +2,10 @@
|
||||||
apiVersion: cert-manager.io/v1
|
apiVersion: cert-manager.io/v1
|
||||||
kind: Certificate
|
kind: Certificate
|
||||||
metadata:
|
metadata:
|
||||||
name: local-mafyuh-com
|
name: local-mafyuh-dev
|
||||||
namespace: cert-manager
|
namespace: cert-manager
|
||||||
spec:
|
spec:
|
||||||
secretName: local-mafyuh-com-production-tls
|
secretName: local-mafyuh-dev-production-tls
|
||||||
secretTemplate:
|
secretTemplate:
|
||||||
annotations:
|
annotations:
|
||||||
reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
|
reflector.v1.k8s.emberstack.com/reflection-auto-enabled: "true"
|
||||||
|
@ -13,7 +13,7 @@ spec:
|
||||||
issuerRef:
|
issuerRef:
|
||||||
name: letsencrypt-production
|
name: letsencrypt-production
|
||||||
kind: ClusterIssuer
|
kind: ClusterIssuer
|
||||||
commonName: "*.local.mafyuh.com"
|
commonName: "*.local.mafyuh.dev"
|
||||||
dnsNames:
|
dnsNames:
|
||||||
- "local.mafyuh.com"
|
- "local.mafyuh.dev"
|
||||||
- "*.local.mafyuh.com"
|
- "*.local.mafyuh.dev"
|
|
@ -18,10 +18,10 @@ spec:
|
||||||
installCRDs: true
|
installCRDs: true
|
||||||
replicaCount: 1
|
replicaCount: 1
|
||||||
extraArgs:
|
extraArgs:
|
||||||
- --dns01-recursive-nameservers=1.1.1.1:53,9.9.9.9:53
|
- --dns01-recursive-nameservers=1.1.1.1:53,8.8.8.8:53
|
||||||
- --dns01-recursive-nameservers-only
|
- --dns01-recursive-nameservers-only
|
||||||
podDnsPolicy: None
|
podDnsPolicy: None
|
||||||
podDnsConfig:
|
podDnsConfig:
|
||||||
nameservers:
|
nameservers:
|
||||||
- "1.1.1.1"
|
- "1.1.1.1"
|
||||||
- "9.9.9.9"
|
- "8.8.8.8"
|
||||||
|
|
|
@ -1,21 +1,20 @@
|
||||||
---
|
|
||||||
apiVersion: cert-manager.io/v1
|
apiVersion: cert-manager.io/v1
|
||||||
kind: ClusterIssuer
|
kind: ClusterIssuer
|
||||||
metadata:
|
metadata:
|
||||||
name: letsencrypt-production
|
name: letsencrypt-production
|
||||||
spec:
|
spec:
|
||||||
acme:
|
acme:
|
||||||
server: https://acme-v02.api.letsencrypt.org/directory
|
server: https://acme-v02.api.letsencrypt.org/directory
|
||||||
email: matt@mafyuh.dev
|
email: matt@mafyuh.dev
|
||||||
privateKeySecretRef:
|
privateKeySecretRef:
|
||||||
name: letsencrypt-production
|
name: letsencrypt-production
|
||||||
solvers:
|
solvers:
|
||||||
- dns01:
|
- dns01:
|
||||||
cloudflare:
|
cloudflare:
|
||||||
email: matt@mafyuh.dev
|
email: matt@mafyuh.dev
|
||||||
apiTokenSecretRef:
|
apiTokenSecretRef:
|
||||||
name: cloudflare-token-secret
|
name: cloudflare-token-secret
|
||||||
key: cloudflare-token
|
key: cloudflare-token
|
||||||
selector:
|
selector:
|
||||||
dnsZones:
|
dnsZones:
|
||||||
- "mafyuh.com"
|
- local.mafyuh.dev
|
||||||
|
|
|
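Review bot: The new `dnsZones` entry `- local.mafyuh.dev` is unquoted while the entry it replaces and every dnsName in the Certificate hunk above are quoted; write it `- "local.mafyuh.dev"` so the manifests keep one quoting style. The same hunk drops the leading `---` document-start marker, which yamllint's document-start rule expects and which costs nothing to keep. Narrowing the selector from `mafyuh.com` to `local.mafyuh.dev` means a Certificate whose dnsNames fall outside that subtree (a bare `mafyuh.dev`, for example) will match no solver on this issuer; if that is the intended scope for the Cloudflare token, a one-line comment above `selector:` saying so would stop a later reader from widening it by accident.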
@ -5,7 +5,7 @@ metadata:
|
||||||
namespace: cert-manager
|
namespace: cert-manager
|
||||||
type: Opaque
|
type: Opaque
|
||||||
stringData:
|
stringData:
|
||||||
cloudflare-token: ENC[AES256_GCM,data:v2kjVp6LLc/VG+ufNNfZel5ehCuZlglaVeKjfiw0YWlaO7YDYhrVbQ==,iv:+ME0TvaiOhoariGhZ+00UWvEkwlvwLhsG4zv6A0qZy8=,tag:2ZVGoDCzVeluB2Xz35mfEg==,type:str]
|
cloudflare-token: ENC[AES256_GCM,data:QDWamL3h0NLZzezOq5Sxo64K+7nivtl2pmpCbWk6rUFzKXJR7ym6Mg==,iv:Uf6v8dHRvx7dFs9ES5e+YWIo12WtrrXqK1xJ8z/gOO4=,tag:6undZMM8eDXXRp12cRX+dA==,type:str]
|
||||||
sops:
|
sops:
|
||||||
kms: []
|
kms: []
|
||||||
gcp_kms: []
|
gcp_kms: []
|
||||||
|
@ -15,14 +15,14 @@ sops:
|
||||||
- recipient: age18z6wevr8ze5azvq7nfty3l29s7887l8n5mefr64avhlthtr4uvnqw90nfs
|
- recipient: age18z6wevr8ze5azvq7nfty3l29s7887l8n5mefr64avhlthtr4uvnqw90nfs
|
||||||
enc: |
|
enc: |
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
-----BEGIN AGE ENCRYPTED FILE-----
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5d1BDMzRsZG1RekZ1QXJ4
|
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBjRzV5Sy80OGJGQXRiNkND
|
||||||
MkZmejc2N0N5L3ZDMktuWjFNQ0FuWjBiVUFFCmFhc3JCT1poSUY4c0pVblhXWHE3
|
azlFZG1CNllYbG5kQ0VHRXNhbjdRcEN6TUU0Ckc2RjMza2laWS9Zb21tNmE0eUw3
|
||||||
YVIza1ROWTFzb1QvWFY5KzR1QTFLclkKLS0tIGxHMUVUUytoMFZwVVR6eTliUlVS
|
RG9SclYrWEFxYWs2ck95VWQ3MlJDUlEKLS0tIDg0dXYxZUFlUTNiQ2VWUElIdU1J
|
||||||
NXFHeGlQZjZuOUZOUlFjWDByeE1nTkUKIj2H5RlZXGnCoRv8C5AMcwiiuAVZq/d2
|
ajRYUzRGREhIenNjdnlwMmtvVCthTHMKI74UwAsVX1QKQSez4E+Ks9VAF2QwbRDa
|
||||||
J70Wv/Dq/k4QNWC357Zj8sgMJicDjpOHbwgBwj6b+StEmPAeWgFBVg==
|
rO/PdBYJK+MwCptCEiinxaSc5BDAyE0wYiC6Tmldz6ZHYTv1ADe21Q==
|
||||||
-----END AGE ENCRYPTED FILE-----
|
-----END AGE ENCRYPTED FILE-----
|
||||||
lastmodified: "2025-01-28T04:59:18Z"
|
lastmodified: "2025-02-08T18:43:20Z"
|
||||||
mac: ENC[AES256_GCM,data:6P0dTpxLmBacIJd3OQzPoh89l0eGarG7nc4X2rl/ULLn7IfiRh7CAo1RYbypCLzlo60WQGOD1bY0vzd+E652vqdV4BjuLG4WYm3lDTZ8BbpwUw1G2y9+5gg8zQPVhBcbGg9xV+gszTcaF6oziFT2q6OqD4Hhbgt8vCXOLD13bG4=,iv:5OFeeyapfZXaZyKNYDKzOTNCxocYS7f0ryW5ubJ16TQ=,tag:peEEC2Re+LCGRRd/hRdiwg==,type:str]
|
mac: ENC[AES256_GCM,data:fuTN6KncxLvzw7o3ENVYKCIcmxDDbvOeIyfn/H1M5rtw3C8WiRnuz4XviYTh2y6EHv9FGEOI5RiRmtEtqiux7xn81DBobmAdgl/RFsrMsKus0SVpGn4PmZYfO/8R9xknyX93fbYicnahYpM3aHvwQx1njK64ywN+Hp0U+PZfMoQ=,iv:4EgN+gBOwkNty9uPSb1/wDOKTEHUUEtkeDEJDkB2/EE=,tag:Meb79CBfm3tot4vKf1OOmg==,type:str]
|
||||||
pgp: []
|
pgp: []
|
||||||
encrypted_regex: ^(data|stringData)$
|
encrypted_regex: ^(data|stringData)$
|
||||||
version: 3.9.4
|
version: 3.9.4
|
||||||
|
|
|
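Review bot: The `cloudflare-token` ciphertext under `stringData` changes together with `lastmodified` and `mac`, which looks like a rotation of the token rather than a re-encryption of the same value; if the token was rotated, the previous one should also be revoked on the Cloudflare side, because the old ciphertext stays in git history and remains decryptable by the same age recipient this file still lists. Nothing in the hunk records why the value changed, so a sentence in the commit message stating whether the old token was revoked would make the rotation auditable later.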
@ -12,5 +12,6 @@ spec:
|
||||||
sourceRef:
|
sourceRef:
|
||||||
kind: HelmRepository
|
kind: HelmRepository
|
||||||
name: longhorn-repo
|
name: longhorn-repo
|
||||||
|
namespace: flux-system
|
||||||
version: v1.8.0
|
version: v1.8.0
|
||||||
interval: 1m0s
|
interval: 1m0s
|
||||||
|
|
|
@ -11,7 +11,7 @@ metadata:
|
||||||
spec:
|
spec:
|
||||||
ingressClassName: nginx
|
ingressClassName: nginx
|
||||||
rules:
|
rules:
|
||||||
- host: "longhorn.local.mafyuh.com"
|
- host: "longhorn.local.mafyuh.dev"
|
||||||
http:
|
http:
|
||||||
paths:
|
paths:
|
||||||
- pathType: Prefix
|
- pathType: Prefix
|
||||||
|
@ -23,5 +23,5 @@ spec:
|
||||||
number: 80
|
number: 80
|
||||||
tls:
|
tls:
|
||||||
- hosts:
|
- hosts:
|
||||||
- longhorn.local.mafyuh.com
|
- longhorn.local.mafyuh.dev
|
||||||
secretName: local-mafyuh-com-production-tls
|
secretName: local-mafyuh-dev-production-tls
|
||||||
|
|
|
@ -1,6 +1,6 @@
|
||||||
apiVersion: v1
|
apiVersion: v1
|
||||||
kind: Namespace
|
kind: Namespace
|
||||||
metadata:
|
metadata:
|
||||||
name: nginx-ingress
|
name: ingress-nginx
|
||||||
labels:
|
labels:
|
||||||
name: nginx-ingress
|
name: ingress-nginx
|
|
@ -5,7 +5,7 @@ metadata:
|
||||||
namespace: flux-system
|
namespace: flux-system
|
||||||
spec:
|
spec:
|
||||||
interval: 5m
|
interval: 5m
|
||||||
path: "../../../apps"
|
path: "./kubernetes/apps"
|
||||||
sourceRef:
|
sourceRef:
|
||||||
kind: GitRepository
|
kind: GitRepository
|
||||||
name: flux-system
|
name: flux-system
|
||||||
|
|
|
@ -5,7 +5,7 @@ metadata:
|
||||||
namespace: flux-system
|
namespace: flux-system
|
||||||
spec:
|
spec:
|
||||||
interval: 5m
|
interval: 5m
|
||||||
path: "./secrets"
|
path: "./kubernetes/secrets"
|
||||||
sourceRef:
|
sourceRef:
|
||||||
kind: GitRepository
|
kind: GitRepository
|
||||||
name: flux-system
|
name: flux-system
|
||||||
|
|
|
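Review bot: The `path` now points the `secrets` Kustomization at `./kubernetes/secrets`, where the sops-encrypted `cloudflare-token-secret` lives, but the hunk shows only `interval`, `path` and `sourceRef`; the `decryption` stanza (`provider: sops` plus the `secretRef` holding the age key) would sit in the lines after `sourceRef` that are outside this hunk. Confirm it is still present, since without it Flux applies the manifest undecrypted and the Secret never carries a usable token. The same caveat applies to the `apps` Kustomization hunk above if any manifest under `./kubernetes/apps` is sops-encrypted.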
@ -1,28 +0,0 @@
|
||||||
apiVersion: v1
|
|
||||||
kind: Secret
|
|
||||||
metadata:
|
|
||||||
name: cloudflare-token-secret
|
|
||||||
namespace: cert-manager
|
|
||||||
type: Opaque
|
|
||||||
stringData:
|
|
||||||
cloudflare-token: ENC[AES256_GCM,data:v2kjVp6LLc/VG+ufNNfZel5ehCuZlglaVeKjfiw0YWlaO7YDYhrVbQ==,iv:+ME0TvaiOhoariGhZ+00UWvEkwlvwLhsG4zv6A0qZy8=,tag:2ZVGoDCzVeluB2Xz35mfEg==,type:str]
|
|
||||||
sops:
|
|
||||||
kms: []
|
|
||||||
gcp_kms: []
|
|
||||||
azure_kv: []
|
|
||||||
hc_vault: []
|
|
||||||
age:
|
|
||||||
- recipient: age18z6wevr8ze5azvq7nfty3l29s7887l8n5mefr64avhlthtr4uvnqw90nfs
|
|
||||||
enc: |
|
|
||||||
-----BEGIN AGE ENCRYPTED FILE-----
|
|
||||||
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB5d1BDMzRsZG1RekZ1QXJ4
|
|
||||||
MkZmejc2N0N5L3ZDMktuWjFNQ0FuWjBiVUFFCmFhc3JCT1poSUY4c0pVblhXWHE3
|
|
||||||
YVIza1ROWTFzb1QvWFY5KzR1QTFLclkKLS0tIGxHMUVUUytoMFZwVVR6eTliUlVS
|
|
||||||
NXFHeGlQZjZuOUZOUlFjWDByeE1nTkUKIj2H5RlZXGnCoRv8C5AMcwiiuAVZq/d2
|
|
||||||
J70Wv/Dq/k4QNWC357Zj8sgMJicDjpOHbwgBwj6b+StEmPAeWgFBVg==
|
|
||||||
-----END AGE ENCRYPTED FILE-----
|
|
||||||
lastmodified: "2025-01-28T04:59:18Z"
|
|
||||||
mac: ENC[AES256_GCM,data:6P0dTpxLmBacIJd3OQzPoh89l0eGarG7nc4X2rl/ULLn7IfiRh7CAo1RYbypCLzlo60WQGOD1bY0vzd+E652vqdV4BjuLG4WYm3lDTZ8BbpwUw1G2y9+5gg8zQPVhBcbGg9xV+gszTcaF6oziFT2q6OqD4Hhbgt8vCXOLD13bG4=,iv:5OFeeyapfZXaZyKNYDKzOTNCxocYS7f0ryW5ubJ16TQ=,tag:peEEC2Re+LCGRRd/hRdiwg==,type:str]
|
|
||||||
pgp: []
|
|
||||||
encrypted_regex: ^(data|stringData)$
|
|
||||||
version: 3.9.4
|
|
|
@ -107,10 +107,11 @@ build {
|
||||||
|
|
||||||
|
|
||||||
provisioner "shell" {
|
provisioner "shell" {
|
||||||
inline = [
|
inline = [
|
||||||
"sudo apt-get update",
|
"sudo apt-get update",
|
||||||
"sudo apt-get -y upgrade"
|
"sudo DEBIAN_FRONTEND=noninteractive apt-get install -y open-iscsi nfs-common cryptsetup",
|
||||||
]
|
"sudo mkdir -p /etc/systemd/resolved.conf.d && echo '[Resolve]\nDNS=1.1.1.1' | sudo tee /etc/systemd/resolved.conf.d/dns_servers.conf",
|
||||||
|
"sudo apt-get -y upgrade"
|
||||||
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
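Review bot: The `apt-get -y upgrade` entry in `inline` still runs without `DEBIAN_FRONTEND=noninteractive`, unlike the install line added just above it, so a package that raises a debconf prompt during upgrade can stall the build; make it `"sudo DEBIAN_FRONTEND=noninteractive apt-get -y upgrade"`. The second packer hunk below adds the same provisioner but writes the resolved drop-in before the package install while this one installs first; pick one order for both files. Neither hunk restarts `systemd-resolved` after writing `dns_servers.conf`, so the new resolver presumably only takes effect on the image's next boot, which is worth a comment above that line. The enclosing `build` block starts and ends outside the hunk.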
@ -107,10 +107,12 @@ build {
|
||||||
|
|
||||||
|
|
||||||
provisioner "shell" {
|
provisioner "shell" {
|
||||||
inline = [
|
inline = [
|
||||||
"sudo apt-get update",
|
"sudo apt-get update",
|
||||||
"sudo apt-get -y upgrade"
|
"sudo mkdir -p /etc/systemd/resolved.conf.d && echo '[Resolve]\nDNS=1.1.1.1' | sudo tee /etc/systemd/resolved.conf.d/dns_servers.conf",
|
||||||
]
|
"sudo DEBIAN_FRONTEND=noninteractive apt-get install -y open-iscsi nfs-common cryptsetup",
|
||||||
|
"sudo apt-get -y upgrade"
|
||||||
|
]
|
||||||
}
|
}
|
||||||
|
|
||||||
}
|
}
|
||||||
|
|
|
@ -48,7 +48,8 @@ resource "proxmox_virtual_environment_vm" "K3s-Master1" {
|
||||||
initialization {
|
initialization {
|
||||||
ip_config {
|
ip_config {
|
||||||
ipv4 {
|
ipv4 {
|
||||||
address = "dhcp"
|
address = data.bitwarden-secrets_secret.k3s_master1_ip.value
|
||||||
|
gateway = data.bitwarden-secrets_secret.vlan_gateway.value
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
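Review bot: `address` switches from `"dhcp"` to a value read from Bitwarden, and the bpg Proxmox provider documents a static `ipv4.address` in CIDR notation (host address plus prefix length) rather than a bare IP; nothing in the hunk shows which form the stored secret holds, so check the secret value or add a comment above `address` such as `# secret value must be CIDR form, e.g. 10.0.0.10/24 (constructed example)`. The K3s-Master2 and K3s-Master3 hunks below make the identical change and share this note. The enclosing `resource` block starts outside the hunk.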
@ -48,7 +48,8 @@ resource "proxmox_virtual_environment_vm" "K3s-Master2" {
|
||||||
initialization {
|
initialization {
|
||||||
ip_config {
|
ip_config {
|
||||||
ipv4 {
|
ipv4 {
|
||||||
address = "dhcp"
|
address = data.bitwarden-secrets_secret.k3s_master2_ip.value
|
||||||
|
gateway = data.bitwarden-secrets_secret.vlan_gateway.value
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -48,7 +48,8 @@ resource "proxmox_virtual_environment_vm" "K3s-Master3" {
|
||||||
initialization {
|
initialization {
|
||||||
ip_config {
|
ip_config {
|
||||||
ipv4 {
|
ipv4 {
|
||||||
address = "dhcp"
|
address = data.bitwarden-secrets_secret.k3s_master3_ip.value
|
||||||
|
gateway = data.bitwarden-secrets_secret.vlan_gateway.value
|
||||||
}
|
}
|
||||||
}
|
}
|
||||||
|
|
||||||
|
|
|
@ -16,4 +16,16 @@ data "bitwarden-secrets_secret" "ubu_ip" {
|
||||||
|
|
||||||
data "bitwarden-secrets_secret" "arrbuntu_ip" {
|
data "bitwarden-secrets_secret" "arrbuntu_ip" {
|
||||||
id = "c65f8886-f6fb-4c17-bc79-b208000604bf"
|
id = "c65f8886-f6fb-4c17-bc79-b208000604bf"
|
||||||
|
}
|
||||||
|
|
||||||
|
data "bitwarden-secrets_secret" "k3s_master1_ip" {
|
||||||
|
id = "528104e1-2186-4d57-ae86-b27e01263972"
|
||||||
|
}
|
||||||
|
|
||||||
|
data "bitwarden-secrets_secret" "k3s_master2_ip" {
|
||||||
|
id = "71051171-a582-45e7-a239-b27e01269ef2"
|
||||||
|
}
|
||||||
|
|
||||||
|
data "bitwarden-secrets_secret" "k3s_master3_ip" {
|
||||||
|
id = "b48234d4-1b52-43e2-bab9-b27e0126bfdb"
|
||||||
}
|
}
|