Initial commit for coffee-shop-2.0

.github/known_hosts

@@ -0,0 +1,3 @@
+github.com ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIOMqqnkVzrm0SdG6UOoqKLsabgH5C9okWi0dh2l9GKJl
+github.com ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBEmKSENjQEezOmxkZMy7opKgwFB9nkt5YRrYMjNuG5N87uRgg6CLrbo5wAdT/y6v0mKV0U2w0WZ2YB/++Tpockg=
+github.com ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABgQCj7ndNxQowgcQnjshcLrqPEiiphnt+VTTvDP6mHBL9j1aNUkY4Ue1gvwnGLVlOhGeYrnZaMgRK6+PKCUXaDbC7qtbW8gIkhL7aGCsOr/C56SJMy/BCZfxd1nWzAOxSDPgVsmerOBYfNqltV9/hWCqBywINIR+5dIg6JTJ72pcEpEjcYgXkE2YEFXV1JHnsKgbLWNlhScqb2UmyRkQyytRLtL+38TGxkxCflmO+5Z8CSSNY7GidjMIZ7Q4zMjA2n1nGrlTDkzwDCsw+wqFPGQA179cnfGWOWRVruj16z6XyvxvjJwbz0wQZ75XK5tKSb7FNyeIEs4TT4jk+S4dhPeAUC5y+bDYirYgM4GC7uEnztnZyaVWQ7B381AK4Qdrwt51ZqExKbQpTUNn+EjqoTwvqNj4kqx5QUCI0ThS/YkOxJCXmPUWZbhjpCg56i+2aB6CmK2JGhn57K5mj0MNdBXA4/WnwH6XoPWJzK5Nyu2zB3nAZp+S5hpQs+p1vN1/wsjk=

.gitignore

@@ -13,3 +13,5 @@ bin
 # Ansible
 xanmanning.k3s*
 node_modules
+# Secrets
+*.key

.pre-commit-config.yaml

@@ -1,33 +1,35 @@
 ---
 repos:
   - repo: https://github.com/pre-commit/pre-commit-hooks
-    rev: v4.0.1
+    rev: v4.6.0
     hooks:
       - id: trailing-whitespace
       - id: end-of-file-fixer
+      - id: fix-byte-order-marker
       - id: mixed-line-ending
+      - id: check-merge-conflict
+      - id: check-case-conflict
+
   - repo: https://github.com/Lucas-C/pre-commit-hooks
-    rev: v1.1.10
+    rev: v1.5.5
     hooks:
       - id: remove-crlf
       - id: remove-tabs
-  - repo: https://github.com/sirosen/fix-smartquotes
-    rev: 0.2.0
+        types: [yaml]
+
+  - repo: https://github.com/gabe565/pre-commit-fluxcd
+    rev: v0.5.1
     hooks:
-      - id: fix-smartquotes
-  - repo: https://github.com/k8s-at-home/sops-pre-commit
-    rev: v2.0.3
+      - id: check-charts-pinned
+      - id: check-charts-support-renovate
+      - id: check-drift-detection-enabled
+      - id: check-secrets-encrypted
+
+  - repo: https://github.com/gabe565/template-kubernetes-apps-markdown
+    rev: v0.5.0
     hooks:
-      - id: forbid-secrets
-  - repo: https://github.com/adrienverge/yamllint
-    rev: v1.26.3
-    hooks:
-      - args:
-          - -c
-          - .github/yamllint.config.yaml
-        id: yamllint
-  - repo: https://github.com/alessandrojcm/commitlint-pre-commit-hook
-    rev: v6.0.0
-    hooks:
-      - id: commitlint
-        stages: [commit-msg]
+      - id: template
+        args:
+          - --dirs=kubernetes
+          - --paths-re=^kubernetes/(?P<cluster>.+?)/
+          - --supporting-services=borgmatic,postgresql,redis,mariadb

.sops.yaml

@@ -1,7 +1,21 @@
 ---
 creation_rules:
-- path_regex: cluster/.*\.ya?ml
+- path_regex: ^cluster/.*\.ya?ml
   encrypted_regex: '^(data|stringData)$'
   pgp: >-
     EEC9902152C0690384D8A104D86E27E8B691FAA1,
     DE99604016EF8893AD54FDE83BC85C121EA96233
+
+- path_regex: ^kubernetes/.+\.secret(\.sops)?\.ya?ml
+  input_type: yaml
+  encrypted_regex: '^(data|stringData)$'
+  mac_only_encrypted: true
+  pgp: >-
+    EEC9902152C0690384D8A104D86E27E8B691FAA1
+
+- path_regex: ^kubernetes/.+\.secret(\.sops)?\.ya?ml
+  input_type: env
+  encrypted_regex: '^(data|stringData)$'
+  mac_only_encrypted: true
+  pgp: >-
+    EEC9902152C0690384D8A104D86E27E8B691FAA1

.taskfiles/bootstrap.yml

@@ -0,0 +1,15 @@
+---
+# yaml-language-server: $schema=https://taskfile.dev/schema.json
+version: "3"
+
+tasks:
+  flux:
+    vars:
+      cluster: '{{.cluster | default "coffee-shop-2"}}'
+    cmds:
+      - kubectl --context {{.cluster}} apply --server-side --kustomize {{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap
+      - sops --decrypt {{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/gpg-key.secret.sops.yaml | kubectl --context {{.cluster}} apply --server-side --filename -
+      - sops --decrypt {{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/github-deploy-key.secret.sops.yaml | kubectl --context {{.cluster}} apply --server-side --filename -
+      - sops --decrypt {{.KUBERNETES_DIR}}/{{.cluster}}/cluster/vars/cluster-secrets.secret.sops.yaml | kubectl --context {{.cluster}} apply --server-side --filename -
+      - kubectl --context {{.cluster}} apply --server-side --filename {{.KUBERNETES_DIR}}/{{.cluster}}/cluster/vars/cluster-settings.yaml
+      - kubectl --context {{.cluster}} apply --server-side --kustomize {{.KUBERNETES_DIR}}/{{.cluster}}/cluster/config

.taskfiles/sops.yml

@@ -23,11 +23,35 @@ tasks:
           EOF
       - gpg --list-secret-keys "${KEY_NAME}"
 
-  create-secret:
-    desc: Creates the sops-gpg secret
+  create-gpg-secret-file:
+    desc: Creates the sops-gpg secret under {{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/gpg-key.secret.sops.yaml
+    vars:
+      cluster: '{{.cluster | default "coffee-shop-2"}}'
+      secret_name: '{{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/gpg-key.secret.sops.yaml'
     cmds:
       - |
         gpg --export-secret-keys --armor "${KEY_NAME}" | \
           kubectl create secret generic sops-gpg \
           --namespace=flux-system \
-          --from-file=sops.asc=/dev/stdin
+          --from-file=sops.asc=/dev/stdin \
+          --dry-run=client \
+          -o yaml | \
+            sops encrypt --filename-override {{.secret_name}} /dev/stdin > {{.secret_name}}
+
+  create-github-secret-file:
+    desc: Creates the github-deploy-key secret under {{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/github-deploy-key.secret.sops.yaml
+    vars:
+      cluster: '{{.cluster | default "coffee-shop-2"}}'
+      secret_name: '{{.KUBERNETES_DIR}}/{{.cluster}}/bootstrap/github-deploy-key.secret.sops.yaml'
+    cmds:
+      - |
+          kubectl create secret generic github-deploy-key \
+          --namespace=flux-system \
+          --from-file=identity={{.ROOT_DIR}}/github-deploy-key.key \
+          --from-file=known_hosts={{.ROOT_DIR}}/.github/known_hosts \
+          --dry-run=client \
+          -o yaml | \
+            sops encrypt --filename-override {{.secret_name}} /dev/stdin > {{.secret_name}}
+    preconditions:
+      - test -f {{.ROOT_DIR}}/.github/known_hosts
+      - test -f {{.ROOT_DIR}}/github-deploy-key.key

README.md

@@ -1,54 +1,111 @@
-# ☕Coffee Shop
+> [!CAUTION]
+> This is a work-in-progress. For the "stable" code see: https://github.com/Jonnobrow/coffee-shop/tree/main
 
-This repository contains the deploy files and other useful information
-for my K8s Server.
+<div align="center">
 
-## Why Coffee Shop?
+### Coffee Shop 2.0 ☕
+
+_... managed with Flux and Renovate :robot:
+
+</div>
+
+## 📖 Overview
+
+This is the repository for my home infrastructure and Kubernetes cluster. I follow infrastructure as Code (IaC) and GitOps practices using
+tooling like [Terraform](https://www.terraform.io/), [Kubernetes](https://kubernetes.io/), [FluxCD](https://github.com/fluxcd/flux2), and
+[Renovate](https://github.com/renovatebot/renovate).
+
+## ☕ Why Coffee Shop?
 - I like Coffee!
 - *therefore* my servers and devices are coffee themed
     - Espresso: Proxmox VE Server
-    - Cappuccino: NAS Virtual Machine (NFS Shares right now)
-    - Mocha: K3S Virtual Machine
-    - Ristretto: Raspberry Pi (PiHole) **[OFFLINE]**
+    - Cappuccino: NAS Virtual Machine (NFS+Samba Shares right now)
+    - Mocha: Virtual Machine running K3s
+    - Picolo: LXC Container running PiHole
+    - Ristretto: Raspberry Pi 5 running Home Assistant
+
+## :bricks:&nbsp; Infrastructure
+
+**Currently the base infrastructure is manually provisioned :clown_face:**
+
+## :technologist:&nbsp; Configuration
 
-## Ansible
-- There are ansible roles for setting up infrastructure
+I use [Ansible](https://www.ansible.com/) roles for setting up infrastructure.
 
-## Some of the notable services
+## ⛵ Kubernetes
+
+### Installation
+
+[k3s](https://k3s.io) provisioned on a PVE Virtual Machine running Ubuntu. I only have a single physical machine so currently only
+run a single node - this may change as time goes on.
+
+### Core Components
 - [cert-manager](https://cert-manager.io/) - SSL certificates - with Cloudflare DNS challenge
 - [flux](https://toolkit.fluxcd.io/) - GitOps tool for deploying manifests from the `cluster` directory
-- [hajimari](https://github.com/toboshii/hajimari) - start page with ingress discovery
 - [local-path-provisioner](https://github.com/rancher/local-path-provisioner) - default storage class provided by k3s
 - [metallb](https://metallb.universe.tf/) - bare metal load balancer
 - [traefik](https://traefik.io) - ingress controller
 
-A full list with services will be available soon on my blog:
-[](https://jonathanbartlett.co.uk) so subscribe over there or check back here if
-you are interested.
+### GitOps
 
-## pre-commit
-It is advisable to install [pre-commit](https://pre-commit.com/)
-and the pre-commit hooks that come with this repository.
-[sops-pre-commit](https://github.com/k8s-at-home/sops-pre-commit) will check to
-make sure you are not by accident committing your secrets un-encrypted.
+[FluxCD](https://github.com/fluxcd/flux2) watches the clusters in my [kubernetes](./kubernetes/) folder (see Directories below)
+and makes the changes to my clusters based on the state of my Git repository.
 
-After pre-commit is installed on your machine run:
+Flux will recursively search the `kubernetes/${cluster}/apps` folder until it finds the most top level `kustomization.yaml` per directory and
+then apply all the resources listed in it. That `kustomization.yaml` will generally only have a namespace resource and one or many Flux
+kustomizations (`ks.yaml`). Under the control of those Flux kustomizations there will be a `HelmRelease` or other resources related to
+the application which will be applied.
 
-```bash
-pre-commit install-hooks
-```
+[Renovate](https://github.com/renovatebot/renovate) watches my **entire** repository looking for dependency updates, when they are found
+a PR is automatically created. When some PRs are merged Flux applies the changes to my cluster.
 
-## Diagrams
+### Directories
 
-![CoffeeShop Network](./CoffeeShop.drawio.svg)
+This Git repository contains the following directories under [Kubernetes](./kubernetes/).
 
+```sh
+📁 kubernetes
+├── 📁 apps           # applications
+├── 📁 bootstrap      # bootstrap procedures
+└── 📁 cluster        # core flux configuration
+```
+
+### Repo Index
+
+<!-- Begin apps section -->
+<table>
+  <tr>
+    <th>Namespace</th>
+    <th>Kind</th>
+    <th>Name</th>
+    <th>Supporting Services</th>
+  </tr>
+  <tr>
+    <td>cert-manager</td>
+    <td><code>HelmRelease</code></td>
+    <td><a href="kubernetes/coffee-shop-2/apps/cert-manager/app/helmrelease.yaml">cert-manager</a></td>
+    <td></td>
+  </tr>
+  <tr>
+    <td>flux-system</td>
+    <td><code>GitRepository</code></td>
+    <td><a href="https://github.com/Jonnobrow/coffee-shop">coffee-shop-2</a></td>
+    <td></td>
+  </tr>
+  <tr>
+    <td>metallb-system</td>
+    <td><code>HelmRelease</code></td>
+    <td><a href="kubernetes/coffee-shop-2/apps/metallb/app/helmrelease.yaml">metallb</a></td>
+    <td></td>
+  </tr>
+</table>
+<!-- End apps section -->
 
 ## :handshake:&nbsp; Thanks
-Big shout out to the following for the inspiration and manifests used in this
-repo.
-
-- Flux Managed Clusters:
-    - [cbirkenbeul/k3s-gitops](https://github.com/cbirkenbeul/k3s-gitops)
-    - [carpenike/k8s-gitops](https://github.com/carpenike/k8s-gitops)
-    - [toboshii/home-cluster](https://github.com/toboshii/home-cluster)
-- [k8s@home](https://github.com/k8s-at-home)
+Shout out to the following projects / people for the inspiration, support and manifests used in this repo.
+
+- https://kubesearch.dev/ : A great tool for finding other inspiration
+- [gabe565/home-ops](https://github.com/gabe565/home-ops)
+- [gabe565/charts](https://github.com/gabe565/charts)
+- [bjw-s/home-ops](https://github.com/bjw-s/home-ops)
+- [onedr0p/home-ops](https://github.com/onedr0p/home-ops)

Taskfile.yml

@@ -1,28 +1,32 @@
 ---
+# yaml-language-server: $schema=https://taskfile.dev/schema.json
 version: "3"
 
 vars:
-  PROJECT_DIR:
-    sh: "git rev-parse --show-toplevel"
-  CLUSTER_DIR: "{{.PROJECT_DIR}}/cluster"
-  ANSIBLE_DIR: "{{.PROJECT_DIR}}/server/ansible"
+  KUBERNETES_DIR: "{{.ROOT_DIR}}/kubernetes"
+  ANSIBLE_DIR: "{{.ROOT_DIR}}/server/ansible"
 
 env:
-  KUBECONFIG: "{{.PROJECT_DIR}}/kubeconfig"
+  KUBECONFIG: "{{.KUBERNETES_DIR}}/coffee-shop-2/kubeconfig"
 
 includes:
   ansible: .taskfiles/ansible.yml
   flux: .taskfiles/flux.yml
   sops: .taskfiles/sops.yml
   nextcloud: .taskfiles/nextcloud.yml
   db: .taskfiles/db.yml
+  bootstrap: .taskfiles/bootstrap.yml
 
 tasks:
   kubeconfig:
     desc: Remotely fetch kubeconfig from k3s
+    vars:
+      cluster: '{{.cluster | default "coffee-shop-2"}}'
     cmds:
-      - rsync --verbose --progress --partial --rsync-path="sudo rsync" [email protected]:/etc/rancher/k3s/k3s.yaml ./kubeconfig
-      - '{{if eq OS "linux"}}sed -i{{else}}sed -i ""{{end}} "s/127.0.0.1/192.168.4.3/g" ./kubeconfig'
-      - '{{if eq OS "linux"}}sed -i{{else}}sed -i ""{{end}} "s/default/coffee-shop/g" ./kubeconfig'
+      - rsync --verbose --progress --partial --rsync-path="sudo rsync" [email protected]:/etc/rancher/k3s/k3s.yaml {{.KUBECONFIG}}
+      - '{{if eq OS "linux"}}sed -i{{else}}sed -i ""{{end}} "s/127.0.0.1/192.168.4.3/g" {{.KUBECONFIG}}'
+      - '{{if eq OS "linux"}}sed -i{{else}}sed -i ""{{end}} "s/default/{{.cluster}}/g" {{.KUBECONFIG}}'
       - chmod go-r kubeconfig
     silent: true
+
+  default: task -l

cluster/base/apps.yaml

@@ -23,4 +23,4 @@ spec:
       - kind: ConfigMap
         name: cluster-settings
       - kind: Secret
-        name: cluster-secrets
+        name: cluster-secretsGitRepo

github-deploy-key.key.pub

@@ -0,0 +1 @@
+ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIATs7MOjIwYV+b6Z0SOeTSUciGWsSuuhjmswAObUcznn cappuccino.jonnobrow.co.uk (Coffee Shop 2)

kubernetes/coffee-shop-2/apps/cert-manager/app/cloudflare-api-token-secret.secret.sops.yaml

@@ -0,0 +1,41 @@
+# yamllint disable
+apiVersion: v1
+data:
+    api-token: ENC[AES256_GCM,data:1ZVv5mFkvqL5/hBcp8/hMIZpPz6QI3F4wj6kdByYLqcBFhnqVRm85VcXVGD3EVp3FGFxFF/PJsQ=,iv:ve9Iix7BD2o/mVrKSOqreq50Li3luuXqrB8Bnly3yvo=,tag:CRaclzzPbkCUFUMCpddTvg==,type:str]
+kind: Secret
+metadata:
+    creationTimestamp: null
+    name: cloudflare-api-token-secret
+    namespace: cert-manager
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2024-08-12T12:24:05Z"
+    mac: ENC[AES256_GCM,data:kZWEr/RNntJUgnyWrUDy7+FTXUbOHW4TZ9Lk2SW7V07vWyOLpTSjNWuMZDV9TVoD3JqQVs/XnTg4HXUIPYhoWIHuYxoO+znaUsAncuCIjIYyMmkoueqDnAreUVojulVxJPMXlbLaIZyHvL1X9xEXdQBFZ7IkN+rWqpgEEvjnd9Y=,iv:EQk1w665sQLayJpWsnahTqLhiYc+KbgJkGOeFLbE9s4=,tag:iGPdLR0JmjrdUMVGsPsxUw==,type:str]
+    pgp:
+        - created_at: "2024-08-12T12:24:05Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMAzqujJzjVu3QARAAkHsy/TvXTFjl8jhvo+a+tm3AKoKJyE6594f6ttvXq0Eh
+            WAADJ0HsvWU1HMFEgfGAKGJp3pstmxoU5Y0epK3AS3cPfvVXv6gzPmTyt/RlPsMN
+            hDW6Uz1WC7r2BcwomymexctaZj2ZyTFTCCQiyCBc7QLuzZ/cOiA3PmLV3I/mhMXD
+            X2EDn9X1KJ4xvwZFpmGKrMpL4zbUIxazFXVcVYpY675EpRldLo6x3iTmYGYGJtEN
+            MjvQSxxQ0yvYh0tfgIK99OYDFrZcGbq9sAwPVrNgd4pPxlmvFwg+Tiue7uyFkccJ
+            kxiBBGkZ6E/Fln5+Ccxi1UQzFHekoSTrxHqd1f/7z20FtSJARHAD5aZt9jO8YgI9
+            XNpaU4G2HIq/cAQ0g0iaeAtbRu3YK/GoJ4Ebcb0Jf2ZnR1aC9/tqQp7zt5V9d8P4
+            5pogRczAljoCCoOnaLWT7dhXcRb/2McXovlviWqT6WXNQYSkIBSHs2dx1+wjZoGm
+            x06PJbwXkWtZUH965KGHf/Z+yQEVEEFt9rPQVq16vwG+SowqCPy4VpQK4a7z1kQi
+            ORWoHZjOzE4LM80fx2fv60s8Wp9Z75vK+R83KKD7nHz0V5dVh4cAPwn3dmFNys+M
+            wG6pSFKcsbWdRUQnV6GCxy14dFS8NOTu3cLupu2kW4LAoHT0/tsOC1KxK0gj583S
+            XAF4RF2kOG+09jarAyLK57TOmMn3p3HvBRA4T3RAK5aEq50ASgJxs9re6GyeJF9U
+            c1CgPTCfjxPp3hzhqCkvGHZLIvGLr3e0qrWoJ+STB+0ZO6GANR98XHAtlrcV
+            =gIbJ
+            -----END PGP MESSAGE-----
+          fp: EEC9902152C0690384D8A104D86E27E8B691FAA1
+    encrypted_regex: ^(data|stringData)$
+    mac_only_encrypted: true
+    version: 3.9.0