This serves as the base definition for everything CoRE runs; this single repo allows for the fully autonomous bootstrap of EVERYTHING.
As of January 23, 2025 I've started to rebuild my infra using my Dell R620 located within dc1.resolvemy.host; see node1-k3s.dc1.resolvemy.host for more details about the bootstrapping of that system.
CoRE is the name that I have assigned to my infrastructure and business; this repo serves as the repository where I do most of the work on the base systems that power my operation and business.
This is deployed by ArgoCD, which handles GitOps and gives me a simple web interface to control and roll out new services and applications. Currently I do not have auto sync set up while I slowly get my services back online; however, this will change.
For AAA I have Authentik serving as the root source of truth for user accounts, service accounts, groups and permissions. The goal of my infrastructure is to allow users/staff/friends/services to need only a single set of credentials to access EVERYTHING. This is built up using LDAP, RADIUS, and lots and lots of OAuth2/OIDC (OpenID Connect), plus some header auth where Envoy Gateway automatically redirects the user to log in and then uses the details obtained from Authentik to allow or deny users/service accounts.
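As an added example of the gateway-level login redirect described above (this is not configuration from this repo), here is an Envoy Gateway SecurityPolicy that attaches OIDC authentication to one HTTPRoute, using Authentik as the provider. The issuer URL, route name, client ID and secret are placeholders; the `forwardAccessToken` flag passes the token on to the upstream application so it can make its own allow/deny decision from the identity Authentik asserted.

```yaml
# Added example: OIDC login enforced at the gateway for a single route.
# All hostnames, names and IDs below are placeholders, not values from this repo.
apiVersion: v1
kind: Secret
metadata:
  name: example-app-oidc-client      # placeholder
  namespace: example-app             # placeholder
type: Opaque
stringData:
  # Envoy Gateway expects the key to be named "client-secret"
  client-secret: "REPLACE-WITH-CLIENT-SECRET-FROM-AUTHENTIK"
---
apiVersion: gateway.envoyproxy.io/v1alpha1
kind: SecurityPolicy
metadata:
  name: example-app-oidc
  namespace: example-app
spec:
  # Attach the policy to the route that fronts the application
  targetRefs:
    - group: gateway.networking.k8s.io
      kind: HTTPRoute
      name: example-app              # placeholder route name
  oidc:
    provider:
      # Authentik exposes one issuer per application/provider slug (assumed slug)
      issuer: "https://auth.example.invalid/application/o/example-app/"
    clientID: "REPLACE-WITH-CLIENT-ID"
    clientSecret:
      name: example-app-oidc-client
    # Must match a redirect URI registered on the Authentik provider
    redirectURL: "https://app.example.invalid/oauth2/callback"
    logoutPath: "/logout"
    scopes: ["openid", "email", "profile"]
    # Send the access token upstream as "Authorization: Bearer ..." so the
    # application can verify it and apply its own group/permission checks
    forwardAccessToken: true
```

Unauthenticated requests to the route are redirected to Authentik; on return the gateway sets a session cookie and the upstream sees an already-authenticated identity. Because the gateway only proves who the caller is, the allow/deny decision for groups still has to be enforced either in Authentik's application policy or in the upstream application.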
I say service account a lot; that's because even the end applications (GitLab, OpenProject, NextCloud, Grafana, Authentik) use credentials generated by Crossplane during the deployment by ArgoCD, and these are what the applications/serviceAccounts use to access their databases and S3 buckets as well. Even the API credentials to access Netbox are generated automatically by Crossplane and stored in Kubernetes secrets, which are then automatically picked up at runtime by the applications.
See SSO Users Crossplane Configuration
I run a 3 node cluster of Patroni, handled entirely automatically by the Postgres Operator.
PSQL & Related Services Deployment Database Operators
For observability I use the Grafana LGTM Stack.
I have an Eclipse Che cluster deployed via the Che Operator; this is deployed by the Development Stack.
The .devfile.yaml ensures everyone gets the same extensions and configuration when working on this repository.
For my credential vault for machine and service credentials I use Hashicorp Vault. I have two instances running, one called CoreVault and then Vault. CoreVault has to be manually unsealed, or at least it used to; I eventually got around to setting up a workflow using External Secrets and Crossplane to automatically unseal CoreVault, and then Vault uses CoreVault's Transit seal to unseal. The keys to unlock CoreVault are also stored in the organization's 1Password.
Both CoreVault and Vault use Consul as their storage to allow for scalability and multi node high availability. This is also done to ensure there is no chicken and egg situation: CoreVault has some secrets that are synced down by External-Secrets, deployed at Operations/Secrets/.
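As an added example of the two-Vault layout described above (not the configuration from this repo), here is what the second instance (Vault) needs to unseal against CoreVault's Transit engine while using Consul for storage: an ExternalSecret that pulls the Transit token out of CoreVault into a Kubernetes secret, and Helm values for the hashicorp/vault chart that wire that secret into `VAULT_TOKEN` and declare the `seal "transit"` and `storage "consul"` stanzas. Hostnames, secret paths, the Transit key name and the auth role are assumptions.

```yaml
# Added example: Vault unsealing via CoreVault's Transit engine, Consul storage.
# Every hostname, path and role name is a placeholder, not a value from this repo.
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
  name: corevault
spec:
  provider:
    vault:
      server: "https://corevault.example.invalid:8200"   # placeholder
      path: "secret"            # KV mount on CoreVault
      version: "v2"
      auth:
        kubernetes:
          mountPath: "kubernetes"
          role: "external-secrets"                        # assumed role
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
  name: vault-transit-token
  namespace: vault
spec:
  refreshInterval: 1h
  secretStoreRef:
    kind: ClusterSecretStore
    name: corevault
  target:
    name: vault-transit-token   # Kubernetes secret created in the vault namespace
  data:
    - secretKey: token
      remoteRef:
        key: vault/transit-unseal   # assumed KV path holding the Transit token
        property: token
---
# Helm values for the hashicorp/vault chart (assumed to be how Vault is deployed)
server:
  ha:
    enabled: true
    replicas: 3
    config: |
      ui = true
      listener "tcp" {
        address         = "[::]:8200"
        cluster_address = "[::]:8201"
        tls_disable     = 1     # terminate TLS at the gateway/mesh in this example
      }
      storage "consul" {
        address = "consul-server.consul.svc:8500"   # placeholder Consul address
        path    = "vault/"
      }
      seal "transit" {
        address    = "https://corevault.example.invalid:8200"   # CoreVault
        key_name   = "vault-unseal"   # assumed Transit key name
        mount_path = "transit/"
        # token is read from VAULT_TOKEN below rather than written here
      }
  # Inject the synced Transit token so the seal stanza can authenticate
  extraSecretEnvironmentVars:
    - envName: VAULT_TOKEN
      secretName: vault-transit-token
      secretKey: token
```

The token used for the Transit seal should be limited to a policy that only allows `update` on the Transit key's `encrypt` and `decrypt` paths on CoreVault, so a leak of that secret cannot read anything else; and since Vault's unseal now depends on CoreVault being unsealed, CoreVault has to come up first in any cold-start sequence.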