diff --git a/kubernetes/main/apps/cert-manager/cert-manager/issuers/clusterissuer.yaml b/kubernetes/main/apps/cert-manager/cert-manager/issuers/clusterissuer.yaml index 2016baa3f0..ff59de4fad 100644 --- a/kubernetes/main/apps/cert-manager/cert-manager/issuers/clusterissuer.yaml +++ b/kubernetes/main/apps/cert-manager/cert-manager/issuers/clusterissuer.yaml @@ -7,18 +7,18 @@ metadata: spec: acme: server: https://acme-v02.api.letsencrypt.org/directory - email: "${SECRET_ACME_EMAIL}" + email: jory@jory.dev privateKeySecretRef: name: letsencrypt-production solvers: - dns01: cloudflare: - email: "${SECRET_ACME_EMAIL}" + email: jory@jory.dev apiTokenSecretRef: name: cloudflare-secret key: CLOUDFLARE_API_KEY selector: - dnsZones: ["${SECRET_DOMAIN}"] + dnsZones: ["jory.dev"] --- # yaml-language-server: $schema=https://kube-schemas.pages.dev/cert-manager.io/clusterissuer_v1.json apiVersion: cert-manager.io/v1 @@ -28,15 +28,15 @@ metadata: spec: acme: server: https://acme-staging-v02.api.letsencrypt.org/directory - email: "${SECRET_ACME_EMAIL}" + email: jory@jory.dev privateKeySecretRef: name: letsencrypt-staging solvers: - dns01: cloudflare: - email: "${SECRET_ACME_EMAIL}" + email: jory@jory.dev apiTokenSecretRef: name: cloudflare-secret key: CLOUDFLARE_API_KEY selector: - dnsZones: ["${SECRET_DOMAIN}"] + dnsZones: ["jory.dev"] diff --git a/kubernetes/main/apps/cert-manager/cert-manager/tls/certificates.yaml b/kubernetes/main/apps/cert-manager/cert-manager/tls/certificates.yaml index b2e7c3f1dc..9dd5cd53fd 100644 --- a/kubernetes/main/apps/cert-manager/cert-manager/tls/certificates.yaml +++ b/kubernetes/main/apps/cert-manager/cert-manager/tls/certificates.yaml 
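Review bot: The ACME contact address `jory@jory.dev` is now a literal in four places across the two ClusterIssuer documents (both `spec.acme.email` and both `dns01.cloudflare.email`), where `${SECRET_ACME_EMAIL}` previously kept it out of the committed manifests; the later hunks do the same for LoadBalancer addresses in the `10.69.1.x` range and NFS export paths. The weave-gitops hunk references `raw.githubusercontent.com/joryirving/home-ops`, which suggests this repository is public, so this commit publishes the contact address and internal addressing that the substitution layer had kept in the secret store. If that trade-off is deliberate it should be stated in the commit message; if only the domain was meant to become literal, the email can stay templated (`email: "${SECRET_ACME_EMAIL}"`) since `cluster-secrets` is still substituted elsewhere in this commit. Within each document the duplicated value could also be anchored once (`email: &acme-email jory@jory.dev` / `email: *acme-email`) so the two copies cannot drift; anchors do not cross the `---` boundary, so each ClusterIssuer needs its own.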
@@ -3,11 +3,11 @@ apiVersion: cert-manager.io/v1 kind: Certificate metadata: - name: "${SECRET_DOMAIN}" + name: "jory.dev" spec: - secretName: "${SECRET_DOMAIN}-tls" + secretName: "jory.dev-tls" issuerRef: name: letsencrypt-production kind: ClusterIssuer - commonName: "${SECRET_DOMAIN}" - dnsNames: ["${SECRET_DOMAIN}", "*.${SECRET_DOMAIN}"] + commonName: "jory.dev" + dnsNames: ["jory.dev", "*.jory.dev"] diff --git a/kubernetes/main/apps/cert-manager/cert-manager/tls/pushsecret.yaml b/kubernetes/main/apps/cert-manager/cert-manager/tls/pushsecret.yaml index 92b150ec9a..0a501d112d 100644 --- a/kubernetes/main/apps/cert-manager/cert-manager/tls/pushsecret.yaml +++ b/kubernetes/main/apps/cert-manager/cert-manager/tls/pushsecret.yaml @@ -10,7 +10,7 @@ spec: kind: ClusterSecretStore selector: secret: - name: ${SECRET_DOMAIN}-tls + name: jory.dev-tls template: engineVersion: v2 data: diff --git a/kubernetes/main/apps/cert-manager/cert-manager/tls/staging.yaml b/kubernetes/main/apps/cert-manager/cert-manager/tls/staging.yaml index 98e31849f5..3ba8d52811 100644 --- a/kubernetes/main/apps/cert-manager/cert-manager/tls/staging.yaml +++ b/kubernetes/main/apps/cert-manager/cert-manager/tls/staging.yaml @@ -9,5 +9,5 @@ spec: issuerRef: name: letsencrypt-staging kind: ClusterIssuer - commonName: "${SECRET_DOMAIN}" - dnsNames: ["${SECRET_DOMAIN}", "*.${SECRET_DOMAIN}"] + commonName: "jory.dev" + dnsNames: ["jory.dev", "*.jory.dev"] diff --git a/kubernetes/main/apps/database/crunchy-postgres/cluster/cluster.yaml b/kubernetes/main/apps/database/crunchy-postgres/cluster/cluster.yaml index a1c8d34da8..379197e028 100644 --- a/kubernetes/main/apps/database/crunchy-postgres/cluster/cluster.yaml +++ b/kubernetes/main/apps/database/crunchy-postgres/cluster/cluster.yaml 
@@ -192,8 +192,8 @@ spec: service: metadata: annotations: - external-dns.alpha.kubernetes.io/hostname: cpgo.${SECRET_DOMAIN} - lbipam.cilium.io/ips: ${SVC_CPGO_ADDR:=temp} + external-dns.alpha.kubernetes.io/hostname: cpgo.jory.dev + lbipam.cilium.io/ips: 10.69.1.34 type: LoadBalancer port: 5432 replicas: *replicas diff --git a/kubernetes/main/apps/database/crunchy-postgres/cluster/externalsecret.yaml b/kubernetes/main/apps/database/crunchy-postgres/cluster/externalsecret.yaml index 3e69b845a2..234613f2d9 100644 --- a/kubernetes/main/apps/database/crunchy-postgres/cluster/externalsecret.yaml +++ b/kubernetes/main/apps/database/crunchy-postgres/cluster/externalsecret.yaml @@ -12,10 +12,11 @@ spec: name: *name template: data: + CLOUDFLARE_ACCOUNT_ID: "{{ .CLOUDFLARE_ACCOUNT_TAG }}" s3.conf: | [global] - repo1-s3-key={{ .AWS_ACCESS_KEY_ID }} - repo1-s3-key-secret={{ .AWS_SECRET_ACCESS_KEY }} + # repo1-s3-key={{ .AWS_ACCESS_KEY_ID }} + # repo1-s3-key-secret={{ .AWS_SECRET_ACCESS_KEY }} repo2-s3-key={{ .R2_ACCESS_KEY_ID }} repo2-s3-key-secret={{ .R2_SECRET_ACCESS_KEY }} encryption.conf: | @@ -27,5 +28,5 @@ spec: key: cloudflare - extract: key: crunchy-pgo - - extract: - key: postgresql-bucket + # - extract: + # key: postgresql-bucket diff --git a/kubernetes/main/apps/database/crunchy-postgres/cluster/nfs-pvc.yaml b/kubernetes/main/apps/database/crunchy-postgres/cluster/nfs-pvc.yaml index 1d3226c9ca..009642f162 100644 --- a/kubernetes/main/apps/database/crunchy-postgres/cluster/nfs-pvc.yaml +++ b/kubernetes/main/apps/database/crunchy-postgres/cluster/nfs-pvc.yaml @@ -10,7 +10,7 @@ spec: storageClassName: nfs-slow #csi-driver-nfs nfs: server: voyager.internal - path: ${SECRET_NFS_POSTGRES:=temp} + path: /mnt/user/kubernetes/postgres mountOptions: - nfsvers=4.2 - hard 
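Review bot: In the crunchy-postgres externalsecret.yaml hunk `@@ -12,10 +12,11 @@`, prefixing `repo1-s3-key={{ .AWS_ACCESS_KEY_ID }}` and `repo1-s3-key-secret={{ .AWS_SECRET_ACCESS_KEY }}` with `#` only comments them out for pgBackRest once the file is rendered; the `#` is not a template comment, so the external-secrets template engine still evaluates `.AWS_ACCESS_KEY_ID` and `.AWS_SECRET_ACCESS_KEY`. The second hunk in the same file (`@@ -27,5 +28,5 @@`) comments out the `postgresql-bucket` extract that supplied those keys, so they are no longer in the template's data map, and depending on the engine's missing-key handling the Secret either fails to render or gets a placeholder written into `s3.conf`. Delete the two config lines and the `dataFrom` entry instead of commenting them, or, if they are meant to be kept for later, use template comments (`{{/* repo1-s3-key={{ .AWS_ACCESS_KEY_ID }} */}}`) so the keys are not evaluated. The `s3.conf` block scalar and the `dataFrom` list both continue outside the hunks.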
@@ -20,16 +20,3 @@ spec: - wsize=131072 - nconnect=8 persistentVolumeReclaimPolicy: Delete -# --- -# apiVersion: v1 -# kind: PersistentVolumeClaim -# metadata: -# name: postgres-nfs -# spec: -# accessModes: -# - ReadWriteMany -# volumeName: postgres-nfs -# storageClassName: "" -# resources: -# requests: -# storage: 1Mi diff --git a/kubernetes/main/apps/database/crunchy-postgres/ks.yaml b/kubernetes/main/apps/database/crunchy-postgres/ks.yaml index a7ee09298b..02908bcad4 100644 --- a/kubernetes/main/apps/database/crunchy-postgres/ks.yaml +++ b/kubernetes/main/apps/database/crunchy-postgres/ks.yaml @@ -41,6 +41,10 @@ spec: wait: true interval: 30m timeout: 5m + postBuild: + substituteFrom: + - kind: Secret + name: cluster-secrets --- # yaml-language-server: $schema=https://kube-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json apiVersion: kustomize.toolkit.fluxcd.io/v1 diff --git a/kubernetes/main/apps/downloads/bazarr/app/helmrelease.yaml b/kubernetes/main/apps/downloads/bazarr/app/helmrelease.yaml index e04e768c54..2ea2422835 100644 --- a/kubernetes/main/apps/downloads/bazarr/app/helmrelease.yaml +++ b/kubernetes/main/apps/downloads/bazarr/app/helmrelease.yaml @@ -108,7 +108,7 @@ spec: gethomepage.dev/widget.url: http://bazarr.downloads:6767 gethomepage.dev/widget.key: "{{ `{{HOMEPAGE_VAR_BAZARR_TOKEN}}` }}" hosts: - - host: "{{ .Release.Name }}.${SECRET_DOMAIN}" + - host: "{{ .Release.Name }}.jory.dev" paths: - path: / service: @@ -126,7 +126,7 @@ spec: data: type: nfs server: voyager.internal - path: ${SECRET_NFS_DATA:=temp} + path: /mnt/user/data globalMounts: - path: /data log: diff --git a/kubernetes/main/apps/downloads/dashbrr/app/externalsecret.yaml b/kubernetes/main/apps/downloads/dashbrr/app/externalsecret.yaml index a814fdc828..1637cbeefd 100644 --- a/kubernetes/main/apps/downloads/dashbrr/app/externalsecret.yaml +++ b/kubernetes/main/apps/downloads/dashbrr/app/externalsecret.yaml 
@@ -17,10 +17,10 @@ spec: DASHBRR_MAINTAINERR_API_KEY: "{{ .MAINTAINERR_API_KEY }}" DASHBRR_PLEX_API_KEY: "{{ .PLEX_API_KEY }}" # OIDC - OIDC_ISSUER: "https://sso.${SECRET_DOMAIN}/application/o/dashbrr/" + OIDC_ISSUER: "https://sso.jory.dev/application/o/dashbrr/" OIDC_CLIENT_ID: "{{ .DASHBRR_CLIENT_ID }}" OIDC_CLIENT_SECRET: "{{ .DASHBRR_CLIENT_SECRET }}" - OIDC_REDIRECT_URL: "https://dashbrr.${SECRET_DOMAIN}/api/auth/callback" + OIDC_REDIRECT_URL: "https://dashbrr.jory.dev/api/auth/callback" # Database DASHBRR__DB_TYPE: postgres DASHBRR__DB_NAME: '{{ .dbname }}' diff --git a/kubernetes/main/apps/downloads/dashbrr/app/helmrelease.yaml b/kubernetes/main/apps/downloads/dashbrr/app/helmrelease.yaml index 345fd78f83..26c87e39ef 100644 --- a/kubernetes/main/apps/downloads/dashbrr/app/helmrelease.yaml +++ b/kubernetes/main/apps/downloads/dashbrr/app/helmrelease.yaml @@ -92,7 +92,7 @@ spec: # gethomepage.dev/widget.url: http://dashbrr.downloads # gethomepage.dev/widget.key: "{{ `{{HOMEPAGE_VAR_DASHBRR_TOKEN}}` }}" hosts: - - host: "{{ .Release.Name }}.${SECRET_DOMAIN}" + - host: "{{ .Release.Name }}.jory.dev" paths: - path: / service: diff --git a/kubernetes/main/apps/downloads/kapowarr/app/helmrelease.yaml b/kubernetes/main/apps/downloads/kapowarr/app/helmrelease.yaml index adf9ac1b97..1fd82cf1ae 100644 --- a/kubernetes/main/apps/downloads/kapowarr/app/helmrelease.yaml +++ b/kubernetes/main/apps/downloads/kapowarr/app/helmrelease.yaml @@ -61,7 +61,7 @@ spec: gethomepage.dev/icon: calibre-web.png gethomepage.dev/description: Comic Downloads hosts: - - host: "{{ .Release.Name }}.${SECRET_DOMAIN}" + - host: "{{ .Release.Name }}.jory.dev" paths: - path: / service: @@ -75,6 +75,6 @@ spec: data: type: nfs server: voyager.internal - path: ${SECRET_NFS_DATA:=temp} + path: /mnt/user/data globalMounts: - path: /data 
diff --git a/kubernetes/main/apps/downloads/metube/app/helmrelease.yaml b/kubernetes/main/apps/downloads/metube/app/helmrelease.yaml index 7db378bd7c..ac8be335fc 100644 --- a/kubernetes/main/apps/downloads/metube/app/helmrelease.yaml +++ b/kubernetes/main/apps/downloads/metube/app/helmrelease.yaml @@ -61,7 +61,7 @@ spec: app: className: internal hosts: - - host: "{{ .Release.Name }}.${SECRET_DOMAIN}" + - host: "{{ .Release.Name }}.jory.dev" paths: - path: / service: @@ -73,7 +73,7 @@ spec: downloads: type: nfs server: voyager.internal - path: ${SECRET_NFS_DATA:=temp} + path: /mnt/user/data globalMounts: - path: /downloads subPath: metube diff --git a/kubernetes/main/apps/downloads/mylar/app/helmrelease.yaml b/kubernetes/main/apps/downloads/mylar/app/helmrelease.yaml index 7f66e30c38..e931bdd3c9 100644 --- a/kubernetes/main/apps/downloads/mylar/app/helmrelease.yaml +++ b/kubernetes/main/apps/downloads/mylar/app/helmrelease.yaml @@ -74,7 +74,7 @@ spec: gethomepage.dev/widget.url: http://mylar.downloads:8090 gethomepage.dev/widget.key: "{{ `{{HOMEPAGE_VAR_MYLAR_TOKEN}}` }}" hosts: - - host: "{{ .Release.Name }}.${SECRET_DOMAIN}" + - host: "{{ .Release.Name }}.jory.dev" paths: - path: / service: @@ -86,6 +86,6 @@ spec: data: type: nfs server: voyager.internal - path: ${SECRET_NFS_DATA:=temp} + path: /mnt/user/data globalMounts: - path: /data diff --git a/kubernetes/main/apps/downloads/prowlarr/app/helmrelease.yaml b/kubernetes/main/apps/downloads/prowlarr/app/helmrelease.yaml index 4ed54faf31..b0c81c80c7 100644 --- a/kubernetes/main/apps/downloads/prowlarr/app/helmrelease.yaml +++ b/kubernetes/main/apps/downloads/prowlarr/app/helmrelease.yaml @@ -81,7 +81,7 @@ spec: gethomepage.dev/widget.url: http://prowlarr.downloads gethomepage.dev/widget.key: "{{ `{{HOMEPAGE_VAR_PROWLARR_TOKEN}}` }}" hosts: - - host: "{{ .Release.Name }}.${SECRET_DOMAIN}" + - host: "{{ .Release.Name }}.jory.dev" paths: - path: / pathType: Prefix 
diff --git a/kubernetes/main/apps/downloads/qbittorrent/app/gatus.yaml b/kubernetes/main/apps/downloads/qbittorrent/app/gatus.yaml deleted file mode 100644 index c1acd9afcf..0000000000 --- a/kubernetes/main/apps/downloads/qbittorrent/app/gatus.yaml +++ /dev/null @@ -1,24 +0,0 @@ ---- -apiVersion: v1 -kind: ConfigMap -metadata: - name: qbittorrent-gatus-ep - labels: - gatus.io/enabled: "true" -data: - config.yaml: | - endpoints: - - name: qbittorrent - group: guarded - url: 1.1.1.1 - interval: 1m - ui: - hide-hostname: true - hide-url: true - dns: - query-name: qbittorrent.${SECRET_DOMAIN} - query-type: A - conditions: - - "len([BODY]) == 0" - alerts: - - type: discord diff --git a/kubernetes/main/apps/downloads/qbittorrent/app/helmrelease.yaml b/kubernetes/main/apps/downloads/qbittorrent/app/helmrelease.yaml index 869929a46b..b2b1ede3d0 100644 --- a/kubernetes/main/apps/downloads/qbittorrent/app/helmrelease.yaml +++ b/kubernetes/main/apps/downloads/qbittorrent/app/helmrelease.yaml @@ -90,7 +90,7 @@ spec: controller: *app type: LoadBalancer annotations: - lbipam.cilium.io/ips: ${SVC_QBITTTORENT_ADDR:=temp} + lbipam.cilium.io/ips: 10.69.1.36 ports: bittorrent: enabled: true @@ -114,7 +114,7 @@ spec: proxy_hide_header "content-security-policy"; proxy_hide_header "X-Frame-Options"; hosts: - - host: "{{ .Release.Name }}.${SECRET_DOMAIN}" + - host: "{{ .Release.Name }}.jory.dev" paths: - path: / service: @@ -126,7 +126,7 @@ spec: downloads: type: nfs server: voyager.internal - path: ${SECRET_NFS_DATA:=temp} + path: /mnt/user/data globalMounts: - path: /downloads subPath: torrents diff --git a/kubernetes/main/apps/downloads/radarr/app/helmrelease.yaml b/kubernetes/main/apps/downloads/radarr/app/helmrelease.yaml index 4af36cb28b..42730b12f6 100644 --- a/kubernetes/main/apps/downloads/radarr/app/helmrelease.yaml +++ b/kubernetes/main/apps/downloads/radarr/app/helmrelease.yaml 
@@ -101,7 +101,7 @@ spec: gethomepage.dev/widget.url: http://radarr.downloads gethomepage.dev/widget.key: "{{ `{{HOMEPAGE_VAR_RADARR_TOKEN}}` }}" hosts: - - host: "{{ .Release.Name }}.${SECRET_DOMAIN}" + - host: "{{ .Release.Name }}.jory.dev" paths: - path: / service: @@ -115,6 +115,6 @@ spec: data: type: nfs server: voyager.internal - path: ${SECRET_NFS_DATA:=temp} + path: /mnt/user/data globalMounts: - path: /data diff --git a/kubernetes/main/apps/downloads/readarr/app/helmrelease.yaml b/kubernetes/main/apps/downloads/readarr/app/helmrelease.yaml index 7ab34a2144..e847d5e8c3 100644 --- a/kubernetes/main/apps/downloads/readarr/app/helmrelease.yaml +++ b/kubernetes/main/apps/downloads/readarr/app/helmrelease.yaml @@ -84,7 +84,7 @@ spec: gethomepage.dev/widget.url: http://readarr.downloads gethomepage.dev/widget.key: "{{ `{{HOMEPAGE_VAR_READARR_TOKEN}}` }}" hosts: - - host: "{{ .Release.Name }}.${SECRET_DOMAIN}" + - host: "{{ .Release.Name }}.jory.dev" paths: - path: / service: @@ -98,6 +98,6 @@ spec: data: type: nfs server: voyager.internal - path: ${SECRET_NFS_DATA:=temp} + path: /mnt/user/data globalMounts: - path: /data diff --git a/kubernetes/main/apps/downloads/sabnzbd/app/helmrelease.yaml b/kubernetes/main/apps/downloads/sabnzbd/app/helmrelease.yaml index b998c856d3..547f7f225c 100644 --- a/kubernetes/main/apps/downloads/sabnzbd/app/helmrelease.yaml +++ b/kubernetes/main/apps/downloads/sabnzbd/app/helmrelease.yaml @@ -42,7 +42,7 @@ spec: TZ: ${TIMEZONE} SABNZBD__PORT: &port 8080 SABNZBD__HOST_WHITELIST_ENTRIES: >- - sabnzbd, sabnzbd.downloads, sabnzbd.downloads.svc, sabnzbd.downloads.svc.cluster, sabnzbd.downloads.svc.cluster.local, sabnzbd.${SECRET_DOMAIN} + sabnzbd, sabnzbd.downloads, sabnzbd.downloads.svc, sabnzbd.downloads.svc.cluster, sabnzbd.downloads.svc.cluster.local, sabnzbd.jory.dev envFrom: - secretRef: name: sabnzbd-secret 
@@ -105,7 +105,7 @@ spec: gethomepage.dev/widget.url: http://sabnzbd.downloads:8080 gethomepage.dev/widget.key: "{{ `{{HOMEPAGE_VAR_SABNZBD_TOKEN}}` }}" hosts: - - host: "{{ .Release.Name }}.${SECRET_DOMAIN}" + - host: "{{ .Release.Name }}.jory.dev" paths: - path: / service: @@ -117,7 +117,7 @@ spec: downloads: type: nfs server: voyager.internal - path: ${SECRET_NFS_DATA:=temp} + path: /mnt/user/data globalMounts: - path: /downloads subPath: usenet diff --git a/kubernetes/main/apps/downloads/sonarr/app/helmrelease.yaml b/kubernetes/main/apps/downloads/sonarr/app/helmrelease.yaml index cb81aba647..3f301335a1 100644 --- a/kubernetes/main/apps/downloads/sonarr/app/helmrelease.yaml +++ b/kubernetes/main/apps/downloads/sonarr/app/helmrelease.yaml @@ -100,7 +100,7 @@ spec: gethomepage.dev/widget.url: http://sonarr.downloads gethomepage.dev/widget.key: "{{ `{{HOMEPAGE_VAR_SONARR_TOKEN}}` }}" hosts: - - host: "{{ .Release.Name }}.${SECRET_DOMAIN}" + - host: "{{ .Release.Name }}.jory.dev" paths: - path: / service: @@ -125,6 +125,6 @@ spec: data: type: nfs server: voyager.internal - path: ${SECRET_NFS_DATA:=temp} + path: /mnt/user/data globalMounts: - path: /data diff --git a/kubernetes/main/apps/flux-system/clickops/app/helmrelease.yaml b/kubernetes/main/apps/flux-system/clickops/app/helmrelease.yaml index 4bfa7a4b78..ca2a5a04ba 100644 --- a/kubernetes/main/apps/flux-system/clickops/app/helmrelease.yaml +++ b/kubernetes/main/apps/flux-system/clickops/app/helmrelease.yaml @@ -36,7 +36,7 @@ spec: TZ: ${TIMEZONE} # not used __PORT: &port 3000 - __HOST: &host "clickops.${SECRET_DOMAIN}" + __HOST: &host "clickops.jory.dev" probes: liveness: &probe enabled: true @@ -82,7 +82,7 @@ spec: app: className: internal hosts: - - host: "{{ .Release.Name }}.${SECRET_DOMAIN}" + - host: "{{ .Release.Name }}.jory.dev" paths: - path: / pathType: Prefix 
diff --git a/kubernetes/main/apps/flux-system/flux-operator/instance/externalsecret.yaml b/kubernetes/main/apps/flux-system/flux-operator/instance/externalsecret.yaml new file mode 100644 index 0000000000..ebf33b032d --- /dev/null +++ b/kubernetes/main/apps/flux-system/flux-operator/instance/externalsecret.yaml @@ -0,0 +1,18 @@ +--- +# yaml-language-server: $schema=https://kube-schemas.pages.dev/external-secrets.io/externalsecret_v1beta1.json +apiVersion: external-secrets.io/v1beta1 +kind: ExternalSecret +metadata: + name: &name cluster-secrets +spec: + secretStoreRef: + kind: ClusterSecretStore + name: onepassword-connect + target: + name: *name + template: + data: + CLOUDFLARE_ACCOUNT_ID: "{{ .CLOUDFLARE_ACCOUNT_TAG }}" + dataFrom: + - extract: + key: cloudflare diff --git a/kubernetes/main/apps/flux-system/flux-operator/instance/github/webhooks/ingress.yaml b/kubernetes/main/apps/flux-system/flux-operator/instance/github/webhooks/ingress.yaml index 40da7cda8b..53d2384976 100644 --- a/kubernetes/main/apps/flux-system/flux-operator/instance/github/webhooks/ingress.yaml +++ b/kubernetes/main/apps/flux-system/flux-operator/instance/github/webhooks/ingress.yaml @@ -6,7 +6,7 @@ metadata: spec: ingressClassName: external rules: - - host: flux-webhook.${SECRET_DOMAIN} + - host: flux-webhook.jory.dev http: paths: - path: /hook/ diff --git a/kubernetes/main/apps/flux-system/flux-operator/instance/helm-values.yaml b/kubernetes/main/apps/flux-system/flux-operator/instance/helm-values.yaml index 7d33ebedbe..36d1edd5c1 100644 --- a/kubernetes/main/apps/flux-system/flux-operator/instance/helm-values.yaml +++ b/kubernetes/main/apps/flux-system/flux-operator/instance/helm-values.yaml 
@@ -21,17 +21,6 @@ instance: app.kubernetes.io/name: flux kustomize: patches: - # Add Sops decryption to Kustomizations - - patch: | - - op: add - path: /spec/decryption - value: - provider: sops - secretRef: - name: sops-age - target: - group: kustomize.toolkit.fluxcd.io - kind: Kustomization # Increase the number of workers and limits # Ref: https://fluxcd.io/flux/installation/configuration/vertical-scaling/#increase-the-number-of-workers-and-limits - patch: | diff --git a/kubernetes/main/apps/flux-system/flux-operator/instance/kustomization.yaml b/kubernetes/main/apps/flux-system/flux-operator/instance/kustomization.yaml index de1b98ea65..c72094f717 100644 --- a/kubernetes/main/apps/flux-system/flux-operator/instance/kustomization.yaml +++ b/kubernetes/main/apps/flux-system/flux-operator/instance/kustomization.yaml @@ -4,6 +4,7 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - ./github + - ./externalsecrets.yaml - ./helmrelease.yaml - ./prometheusrule.yaml configMapGenerator: diff --git a/kubernetes/main/apps/flux-system/weave-gitops/app/helmrelease.yaml b/kubernetes/main/apps/flux-system/weave-gitops/app/helmrelease.yaml index 5ca0cc33f0..777dbeebd1 100644 --- a/kubernetes/main/apps/flux-system/weave-gitops/app/helmrelease.yaml +++ b/kubernetes/main/apps/flux-system/weave-gitops/app/helmrelease.yaml @@ -37,7 +37,7 @@ spec: gethomepage.dev/icon: https://raw.githubusercontent.com/joryirving/home-ops/main/docs/src/assets/icons/weave.png gethomepage.dev/description: Flux Dashboard hosts: - - host: "gitops.${SECRET_DOMAIN}" + - host: "gitops.jory.dev" paths: - path: / pathType: Prefix diff --git a/kubernetes/main/apps/games/core-keeper/app/dnsendpoint.yaml b/kubernetes/main/apps/games/core-keeper/app/dnsendpoint.yaml index 2922d3f12d..e694ac7b9f 100644 --- a/kubernetes/main/apps/games/core-keeper/app/dnsendpoint.yaml +++ b/kubernetes/main/apps/games/core-keeper/app/dnsendpoint.yaml 
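Review bot: Removing the SOPS patch drops `spec.decryption` (`provider: sops`, `secretRef: sops-age`) from every Kustomization the flux-operator instance generates, so any manifest that is still SOPS-encrypted in the tree will from now on be applied as ciphertext and fail to reconcile rather than be decrypted. This commit replaces the `cluster-secrets` Secret with an ExternalSecret, which is presumably why the patch is no longer wanted, but no hunk here deletes the remaining encrypted manifests or the `sops-age` Secret, and no other decryption path is added; if anything else in the repository is still encrypted, the patch has to stay. Removing the operator-wide patch is also an all-or-nothing change, so if only `cluster-secrets` moved to external-secrets, keeping the patch costs nothing until the last `.sops.yaml` is gone. The `patches:` list this hunk edits continues outside the hunk.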
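Review bot: In the flux-operator instance kustomization.yaml hunk `@@ -4,6 +4,7 @@`, the added resource `- ./externalsecrets.yaml` does not match the file this commit creates, `kubernetes/main/apps/flux-system/flux-operator/instance/externalsecret.yaml` (singular). Kustomize fails the whole build on a missing resource, so the `cluster-secrets` ExternalSecret is never applied and every Kustomization that substitutes from it, such as the crunchy-postgres ks.yaml changed in this commit, stalls on the missing Secret. Change the line to `- ./externalsecret.yaml`, or rename the new file to match.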
@@ -6,9 +6,9 @@ metadata: name: core-keeper spec: endpoints: - - dnsName: "core-keeper.${SECRET_DOMAIN}" + - dnsName: "core-keeper.jory.dev" recordType: CNAME - targets: ["ipv4.${SECRET_DOMAIN}"] + targets: ["ipv4.jory.dev"] providerSpecific: - name: external-dns.alpha.kubernetes.io/cloudflare-proxied value: 'false' diff --git a/kubernetes/main/apps/games/core-keeper/app/helmrelease.yaml b/kubernetes/main/apps/games/core-keeper/app/helmrelease.yaml index 2828f2620f..b9b245d58f 100644 --- a/kubernetes/main/apps/games/core-keeper/app/helmrelease.yaml +++ b/kubernetes/main/apps/games/core-keeper/app/helmrelease.yaml @@ -74,7 +74,7 @@ spec: # controller: *app # type: LoadBalancer # annotations: - # lbipam.cilium.io/ips: ${SVC_COREKEEPER_ADDR:=temp} + # lbipam.cilium.io/ips: 10.69.1.37 # ports: # game: # protocol: UDP @@ -84,9 +84,9 @@ spec: # enabled: false #nginx doesn't support non-https # className: external # annotations: - # external-dns.alpha.kubernetes.io/target: ipv4.${SECRET_DOMAIN} + # external-dns.alpha.kubernetes.io/target: ipv4.jory.dev # hosts: - # - host: "{{ .Release.Name }}.${SECRET_DOMAIN}" + # - host: "{{ .Release.Name }}.jory.dev" # paths: # - path: / # service: diff --git a/kubernetes/main/apps/games/minecraft/create/dnsendpoint.yaml b/kubernetes/main/apps/games/minecraft/create/dnsendpoint.yaml index e7bfdb9cc5..03fd81eb37 100644 --- a/kubernetes/main/apps/games/minecraft/create/dnsendpoint.yaml +++ b/kubernetes/main/apps/games/minecraft/create/dnsendpoint.yaml @@ -6,9 +6,9 @@ metadata: name: create spec: endpoints: - - dnsName: "create.${SECRET_DOMAIN}" + - dnsName: "create.jory.dev" recordType: CNAME - targets: ["mc.${SECRET_DOMAIN}"] + targets: ["mc.jory.dev"] providerSpecific: - name: external-dns.alpha.kubernetes.io/cloudflare-proxied value: 'false' diff --git a/kubernetes/main/apps/games/minecraft/create/helmrelease.yaml b/kubernetes/main/apps/games/minecraft/create/helmrelease.yaml index 2425409979..e565258686 100644 
--- a/kubernetes/main/apps/games/minecraft/create/helmrelease.yaml +++ b/kubernetes/main/apps/games/minecraft/create/helmrelease.yaml @@ -73,7 +73,7 @@ spec: enabled: true existingClaim: *app serviceAnnotations: - mc-router.itzg.me/externalServerName: &host create.${SECRET_DOMAIN} + mc-router.itzg.me/externalServerName: &host create.jory.dev minecraftServer: eula: true version: "1.20.1" @@ -111,7 +111,7 @@ spec: ingressClassName: external enabled: true annotations: - external-dns.alpha.kubernetes.io/target: mc.${SECRET_DOMAIN} + external-dns.alpha.kubernetes.io/target: mc.jory.dev external-dns.alpha.kubernetes.io/cloudflare-proxied: "false" hosts: - name: *host diff --git a/kubernetes/main/apps/games/minecraft/mc-router/dnsendpoint.yaml b/kubernetes/main/apps/games/minecraft/mc-router/dnsendpoint.yaml index d08a1a35a3..2b014e9af5 100644 --- a/kubernetes/main/apps/games/minecraft/mc-router/dnsendpoint.yaml +++ b/kubernetes/main/apps/games/minecraft/mc-router/dnsendpoint.yaml @@ -6,9 +6,9 @@ metadata: name: mc-router spec: endpoints: - - dnsName: "mc.${SECRET_DOMAIN}" + - dnsName: "mc.jory.dev" recordType: CNAME - targets: ["ipv4.${SECRET_DOMAIN}"] + targets: ["ipv4.jory.dev"] providerSpecific: - name: external-dns.alpha.kubernetes.io/cloudflare-proxied value: 'false' diff --git a/kubernetes/main/apps/games/minecraft/mc-router/helmrelease.yaml b/kubernetes/main/apps/games/minecraft/mc-router/helmrelease.yaml index 072407ac67..6a394b8a32 100644 --- a/kubernetes/main/apps/games/minecraft/mc-router/helmrelease.yaml +++ b/kubernetes/main/apps/games/minecraft/mc-router/helmrelease.yaml @@ -27,5 +27,5 @@ spec: minecraft: type: LoadBalancer annotations: - lbipam.cilium.io/ips: ${SVC_MINECRAFT_ADDR:=temp} - external-dns.alpha.kubernetes.io/hostname: mc.${SECRET_DOMAIN} + lbipam.cilium.io/ips: 10.69.1.40 + external-dns.alpha.kubernetes.io/hostname: mc.jory.dev 
diff --git a/kubernetes/main/apps/games/minecraft/takocraft/dnsendpoint.yaml b/kubernetes/main/apps/games/minecraft/takocraft/dnsendpoint.yaml index ce96836ff2..2e6430c296 100644 --- a/kubernetes/main/apps/games/minecraft/takocraft/dnsendpoint.yaml +++ b/kubernetes/main/apps/games/minecraft/takocraft/dnsendpoint.yaml @@ -6,9 +6,9 @@ metadata: name: takocraft spec: endpoints: - - dnsName: "takocraft.${SECRET_DOMAIN}" + - dnsName: "takocraft.jory.dev" recordType: CNAME - targets: ["mc.${SECRET_DOMAIN}"] + targets: ["mc.jory.dev"] providerSpecific: - name: external-dns.alpha.kubernetes.io/cloudflare-proxied value: 'false' diff --git a/kubernetes/main/apps/games/minecraft/takocraft/helmrelease.yaml b/kubernetes/main/apps/games/minecraft/takocraft/helmrelease.yaml index 7e03696efe..6cbc127680 100644 --- a/kubernetes/main/apps/games/minecraft/takocraft/helmrelease.yaml +++ b/kubernetes/main/apps/games/minecraft/takocraft/helmrelease.yaml @@ -73,7 +73,7 @@ spec: enabled: true existingClaim: *app serviceAnnotations: - mc-router.itzg.me/externalServerName: &host takocraft.${SECRET_DOMAIN} + mc-router.itzg.me/externalServerName: &host takocraft.jory.dev minecraftServer: eula: true version: "1.21" @@ -92,7 +92,7 @@ spec: worldSaveName: takocraft viewDistance: 12 # serviceAnnotations: - # lbipam.cilium.io/ips: ${SVC_TAKOCRAFT_ADDR:=temp} + # lbipam.cilium.io/ips: 10.69.1.38 # serviceType: LoadBalancer spigetResources: - 36618 #Prom Exporter @@ -112,7 +112,7 @@ spec: ingressClassName: external enabled: true annotations: - external-dns.alpha.kubernetes.io/target: mc.${SECRET_DOMAIN} + external-dns.alpha.kubernetes.io/target: mc.jory.dev external-dns.alpha.kubernetes.io/cloudflare-proxied: "false" hosts: - name: *host diff --git a/kubernetes/main/apps/games/minecraft/vibecraft/dnsendpoint.yaml b/kubernetes/main/apps/games/minecraft/vibecraft/dnsendpoint.yaml index f8c6ca998e..3bdb983e4a 100644 --- a/kubernetes/main/apps/games/minecraft/vibecraft/dnsendpoint.yaml 
+++ b/kubernetes/main/apps/games/minecraft/vibecraft/dnsendpoint.yaml @@ -6,9 +6,9 @@ metadata: name: vibecraft spec: endpoints: - - dnsName: "vibecraft.${SECRET_DOMAIN}" + - dnsName: "vibecraft.jory.dev" recordType: CNAME - targets: ["mc.${SECRET_DOMAIN}"] + targets: ["mc.jory.dev"] providerSpecific: - name: external-dns.alpha.kubernetes.io/cloudflare-proxied value: 'false' diff --git a/kubernetes/main/apps/games/minecraft/vibecraft/helmrelease.yaml b/kubernetes/main/apps/games/minecraft/vibecraft/helmrelease.yaml index 6756423b3a..6209c8e1a0 100644 --- a/kubernetes/main/apps/games/minecraft/vibecraft/helmrelease.yaml +++ b/kubernetes/main/apps/games/minecraft/vibecraft/helmrelease.yaml @@ -81,7 +81,7 @@ spec: # subPath: config.yml # readOnly: true serviceAnnotations: - mc-router.itzg.me/externalServerName: &host vibecraft.${SECRET_DOMAIN} + mc-router.itzg.me/externalServerName: &host vibecraft.jory.dev minecraftServer: eula: true version: "1.21" @@ -117,7 +117,7 @@ spec: ingressClassName: external enabled: true annotations: - external-dns.alpha.kubernetes.io/target: mc.${SECRET_DOMAIN} + external-dns.alpha.kubernetes.io/target: mc.jory.dev external-dns.alpha.kubernetes.io/cloudflare-proxied: "false" hosts: - name: *host diff --git a/kubernetes/main/apps/games/palworld/app/dnsendpoint.yaml b/kubernetes/main/apps/games/palworld/app/dnsendpoint.yaml index 37f51b324f..559b2032f6 100644 --- a/kubernetes/main/apps/games/palworld/app/dnsendpoint.yaml +++ b/kubernetes/main/apps/games/palworld/app/dnsendpoint.yaml @@ -6,9 +6,9 @@ metadata: name: palworld spec: endpoints: - - dnsName: "palworld.${SECRET_DOMAIN}" + - dnsName: "palworld.jory.dev" recordType: CNAME - targets: ["ipv4.${SECRET_DOMAIN}"] + targets: ["ipv4.jory.dev"] providerSpecific: - name: external-dns.alpha.kubernetes.io/cloudflare-proxied value: 'false' 
diff --git a/kubernetes/main/apps/games/palworld/app/helmrelease.yaml b/kubernetes/main/apps/games/palworld/app/helmrelease.yaml index 4dda23a81d..1c67b98e28 100644 --- a/kubernetes/main/apps/games/palworld/app/helmrelease.yaml +++ b/kubernetes/main/apps/games/palworld/app/helmrelease.yaml @@ -57,7 +57,7 @@ spec: PUBLIC_PORT: &port 8211 RCON_ENABLED: true RCON_PORT: &rcon-port 25575 - PUBLIC_IP: palworld.${SECRET_DOMAIN} + PUBLIC_IP: palworld.jory.dev ## Webhook Settings WEBHOOK_ENABLED: true envFrom: @@ -105,7 +105,7 @@ spec: controller: *app type: LoadBalancer annotations: - lbipam.cilium.io/ips: ${SVC_PALWORLD_ADDR:=temp} + lbipam.cilium.io/ips: 10.69.1.39 ports: http: port: 9877 @@ -128,9 +128,9 @@ spec: enabled: false #nginx doesn't support non-https className: external annotations: - external-dns.alpha.kubernetes.io/target: ipv4.${SECRET_DOMAIN} + external-dns.alpha.kubernetes.io/target: ipv4.jory.dev hosts: - - host: "{{ .Release.Name }}.${SECRET_DOMAIN}" + - host: "{{ .Release.Name }}.jory.dev" paths: - path: / service: diff --git a/kubernetes/main/apps/games/vrising/app/dnsendpoint.yaml b/kubernetes/main/apps/games/vrising/app/dnsendpoint.yaml index 622b8ef44e..b1d24d2592 100644 --- a/kubernetes/main/apps/games/vrising/app/dnsendpoint.yaml +++ b/kubernetes/main/apps/games/vrising/app/dnsendpoint.yaml @@ -6,9 +6,9 @@ metadata: name: vrising spec: endpoints: - - dnsName: "vrising.${SECRET_DOMAIN}" + - dnsName: "vrising.jory.dev" recordType: CNAME - targets: ["ipv4.${SECRET_DOMAIN}"] + targets: ["ipv4.jory.dev"] providerSpecific: - name: external-dns.alpha.kubernetes.io/cloudflare-proxied value: 'false' diff --git a/kubernetes/main/apps/games/vrising/app/helmrelease.yaml b/kubernetes/main/apps/games/vrising/app/helmrelease.yaml index ac9e0f5be2..ce369b571a 100644 --- a/kubernetes/main/apps/games/vrising/app/helmrelease.yaml +++ b/kubernetes/main/apps/games/vrising/app/helmrelease.yaml 
@@ -74,7 +74,7 @@ spec: controller: *app type: LoadBalancer annotations: - lbipam.cilium.io/ips: ${SVC_VRISING_ADDR:=temp} + lbipam.cilium.io/ips: 10.69.1.33 ports: game: enabled: true diff --git a/kubernetes/main/apps/kube-system/cilium/app/helmrelease.yaml b/kubernetes/main/apps/kube-system/cilium/app/helmrelease.yaml index d09b8dd473..2b87dd2b9d 100644 --- a/kubernetes/main/apps/kube-system/cilium/app/helmrelease.yaml +++ b/kubernetes/main/apps/kube-system/cilium/app/helmrelease.yaml @@ -64,4 +64,4 @@ spec: gethomepage.dev/name: Hubble gethomepage.dev/group: Observability gethomepage.dev/description: Network Monitoring Dashboard - hosts: ["hubble.${SECRET_DOMAIN}"] + hosts: ["hubble.jory.dev"] diff --git a/kubernetes/main/apps/media/ersatztv/app/helmrelease.yaml b/kubernetes/main/apps/media/ersatztv/app/helmrelease.yaml index fba1d55199..0764f44a6d 100644 --- a/kubernetes/main/apps/media/ersatztv/app/helmrelease.yaml +++ b/kubernetes/main/apps/media/ersatztv/app/helmrelease.yaml @@ -81,7 +81,7 @@ spec: app: className: internal hosts: - - host: "tv.${SECRET_DOMAIN}" + - host: "tv.jory.dev" paths: - path: / service: @@ -99,7 +99,7 @@ spec: media: type: nfs server: voyager.internal - path: ${SECRET_NFS_DATA:=temp} + path: /mnt/user/data globalMounts: - path: /data subPath: media diff --git a/kubernetes/main/apps/media/jellyseerr/app/helmrelease.yaml b/kubernetes/main/apps/media/jellyseerr/app/helmrelease.yaml index 35fd570d3d..353e109de4 100644 --- a/kubernetes/main/apps/media/jellyseerr/app/helmrelease.yaml +++ b/kubernetes/main/apps/media/jellyseerr/app/helmrelease.yaml @@ -73,7 +73,7 @@ spec: gethomepage.dev/widget.url: http://jellyseerr.media:5055 gethomepage.dev/widget.key: "{{ `{{HOMEPAGE_VAR_JELLYSEERR_TOKEN}}` }}" hosts: - - host: requests.${SECRET_DOMAIN} + - host: requests.jory.dev paths: - path: / service: 
diff --git a/kubernetes/main/apps/media/kavita/app/helmrelease.yaml b/kubernetes/main/apps/media/kavita/app/helmrelease.yaml index 5bd398149c..8e734b6c1a 100644 --- a/kubernetes/main/apps/media/kavita/app/helmrelease.yaml +++ b/kubernetes/main/apps/media/kavita/app/helmrelease.yaml @@ -65,7 +65,7 @@ spec: gethomepage.dev/widget.username: "{{ `{{HOMEPAGE_VAR_KAVITA_USERNAME}}` }}" gethomepage.dev/widget.password: "{{ `{{HOMEPAGE_VAR_KAVITA_PASSWORD}}` }}" hosts: - - host: comics.${SECRET_DOMAIN} + - host: comics.jory.dev paths: - path: / service: @@ -79,7 +79,7 @@ spec: media: type: nfs server: voyager.internal - path: ${SECRET_NFS_DATA:=temp} + path: /mnt/user/data globalMounts: - path: /data subPath: media diff --git a/kubernetes/main/apps/media/komga/app/helmrelease.yaml b/kubernetes/main/apps/media/komga/app/helmrelease.yaml index 550d2afcd6..012d1850a7 100644 --- a/kubernetes/main/apps/media/komga/app/helmrelease.yaml +++ b/kubernetes/main/apps/media/komga/app/helmrelease.yaml @@ -66,7 +66,7 @@ spec: gethomepage.dev/widget.username: "{{ `{{HOMEPAGE_VAR_KOMGA_USERNAME}}` }}" gethomepage.dev/widget.password: "{{ `{{HOMEPAGE_VAR_KOMGA_PASSWORD}}` }}" hosts: - - host: "{{ .Release.Name }}.${SECRET_DOMAIN}" + - host: "{{ .Release.Name }}.jory.dev" paths: - path: / service: @@ -78,7 +78,7 @@ spec: media: type: nfs server: voyager.internal - path: ${SECRET_NFS_DATA:=temp} + path: /mnt/user/data globalMounts: - path: /data subPath: media diff --git a/kubernetes/main/apps/media/kyoo/app-template/configs/config.yaml b/kubernetes/main/apps/media/kyoo/app-template/configs/config.yaml index 59fb0692ff..562eb2f6ae 100644 --- a/kubernetes/main/apps/media/kyoo/app-template/configs/config.yaml +++ b/kubernetes/main/apps/media/kyoo/app-template/configs/config.yaml 
@@ -29,7 +29,7 @@ data:
GOCODER_PREFIX: /video
# The url you can use to reach your kyoo instance. This is used during oidc to redirect users to your instance.
- PUBLIC_URL: https://kyoo.${SECRET_DOMAIN}
+ PUBLIC_URL: https://kyoo.jory.dev
# To debug the front end, you can set the following to an external backend
KYOO_URL: http://kyoo-back:5000
diff --git a/kubernetes/main/apps/media/kyoo/app-template/externalsecret.yaml b/kubernetes/main/apps/media/kyoo/app-template/externalsecret.yaml
index f922758f64..ec48b28f09 100644
--- a/kubernetes/main/apps/media/kyoo/app-template/externalsecret.yaml
+++ b/kubernetes/main/apps/media/kyoo/app-template/externalsecret.yaml
@@ -22,10 +22,10 @@ spec:
RABBITMQ_DEFAULT_PASS: '{{ .RABBITMQ_PASS }}'
# OIDC
OIDC_AUTHENTIK_NAME: Authentik
- OIDC_AUTHENTIK_LOGO: https://sso.${SECRET_DOMAIN}/static/dist/assets/icons/icon.png
- OIDC_AUTHENTIK_AUTHORIZATION: https://sso.${SECRET_DOMAIN}/application/o/authorize/
- OIDC_AUTHENTIK_TOKEN: https://sso.${SECRET_DOMAIN}/application/o/token/
- OIDC_AUTHENTIK_PROFILE: https://sso.${SECRET_DOMAIN}/application/o/userinfo/
+ OIDC_AUTHENTIK_LOGO: https://sso.jory.dev/static/dist/assets/icons/icon.png
+ OIDC_AUTHENTIK_AUTHORIZATION: https://sso.jory.dev/application/o/authorize/
+ OIDC_AUTHENTIK_TOKEN: https://sso.jory.dev/application/o/token/
+ OIDC_AUTHENTIK_PROFILE: https://sso.jory.dev/application/o/userinfo/
OIDC_AUTHENTIK_SCOPE: openid email profile
OIDC_AUTHENTIK_CLIENTID: '{{ .KYOO_CLIENT_ID }}'
OIDC_AUTHENTIK_SECRET: '{{ .KYOO_CLIENT_SECRET }}'
diff --git a/kubernetes/main/apps/media/kyoo/app-template/helmrelease.yaml b/kubernetes/main/apps/media/kyoo/app-template/helmrelease.yaml
index 6fea24d752..c1b75e77ba 100644
--- a/kubernetes/main/apps/media/kyoo/app-template/helmrelease.yaml
+++ b/kubernetes/main/apps/media/kyoo/app-template/helmrelease.yaml
@@ -257,7 +257,7 @@ spec:
nignx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/proxy-body-size: "0"
hosts:
- - host: kyoo.${SECRET_DOMAIN}
+ - host: kyoo.jory.dev
paths:
- path: /
pathType: Prefix
@@ -297,7 +297,7 @@ spec:
media:
type: nfs
server: voyager.internal
- path: ${SECRET_NFS_DATA:=temp}
+ path: /mnt/user/data
globalMounts:
- path: /data
subPath: media
diff --git a/kubernetes/main/apps/media/kyoo/app/helmrelease.yaml b/kubernetes/main/apps/media/kyoo/app/helmrelease.yaml
index 3927ab9bfa..434c6ad90f 100644
--- a/kubernetes/main/apps/media/kyoo/app/helmrelease.yaml
+++ b/kubernetes/main/apps/media/kyoo/app/helmrelease.yaml
@@ -59,7 +59,7 @@ spec:
kyoo_scanner: *rabbit
kyoo:
- address: https://kyoo.${SECRET_DOMAIN}
+ address: https://kyoo.jory.dev
transcoderAcceleration: vaapi # hardware acceleration profile (valid values: disabled, vaapi, qsv, nvidia)
apikey:
existingSecret: *secret
@@ -69,10 +69,10 @@ spec:
existingSecret: *secret
clientIdKey: OIDC_AUTHENTIK_CLIENTID
clientSecretKey: OIDC_AUTHENTIK_SECRET
- logo: https://sso.${SECRET_DOMAIN}/static/dist/assets/icons/icon.png
- authorizationAddress: https://sso.${SECRET_DOMAIN}/application/o/authorize/
- tokenAddress: https://sso.${SECRET_DOMAIN}/application/o/token/
- profileAddress: https://sso.${SECRET_DOMAIN}/application/o/userinfo/
+ logo: https://sso.jory.dev/static/dist/assets/icons/icon.png
+ authorizationAddress: https://sso.jory.dev/application/o/authorize/
+ tokenAddress: https://sso.jory.dev/application/o/token/
+ profileAddress: https://sso.jory.dev/application/o/userinfo/
scope: "openid email profile"
authMethod: ClientSecretBasic
@@ -81,7 +81,7 @@ spec:
- name: media
nfs:
server: voyager.internal
- path: ${SECRET_NFS_DATA:=temp}
+ path: /mnt/user/data
volumeMounts:
- mountPath: &path /media
name: media
@@ -112,7 +112,7 @@ spec:
ingress:
enabled: true
ingressClassName: external
- host: kyoo.${SECRET_DOMAIN}
+ host: kyoo.jory.dev
tls: true
meilisearch:
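Review bot: The annotation two lines above the changed host in the `@@ -257,7` hunk, `nignx.ingress.kubernetes.io/force-ssl-redirect: "true"`, has a misspelled prefix, so ingress-nginx ignores it and the `kyoo.jory.dev` host this hunk introduces does not get the forced HTTPS redirect the author evidently intended. It is a pre-existing context line, but the commit already edits the same ingress stanza, so it is the natural place to correct it to `nginx.ingress.kubernetes.io/force-ssl-redirect: "true"`. The ingress definition this belongs to starts and ends outside the hunk.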
diff --git a/kubernetes/main/apps/media/maintainerr/app/helmrelease.yaml b/kubernetes/main/apps/media/maintainerr/app/helmrelease.yaml
index f811e8e564..80b88a3ef0 100644
--- a/kubernetes/main/apps/media/maintainerr/app/helmrelease.yaml
+++ b/kubernetes/main/apps/media/maintainerr/app/helmrelease.yaml
@@ -77,7 +77,7 @@ spec:
gethomepage.dev/icon: https://raw.githubusercontent.com/joryirving/home-ops/main/docs/src/assets/icons/maintainerr.png
gethomepage.dev/description: Media Library Management
hosts:
- - host: "{{ .Release.Name }}.${SECRET_DOMAIN}"
+ - host: "{{ .Release.Name }}.jory.dev"
paths:
- path: /
service:
diff --git a/kubernetes/main/apps/media/plex/app/helmrelease.yaml b/kubernetes/main/apps/media/plex/app/helmrelease.yaml
index 1759988041..1cd1a2f476 100644
--- a/kubernetes/main/apps/media/plex/app/helmrelease.yaml
+++ b/kubernetes/main/apps/media/plex/app/helmrelease.yaml
@@ -41,7 +41,7 @@ spec:
tag: 1.41.3.9314-a0bfb8370@sha256:533822d6ddce6657df67fe92be5de0d4c6f8806488befa330dc297f568d3f01c
env:
TZ: ${TIMEZONE}
- PLEX_ADVERTISE_URL: https://plex.${SECRET_DOMAIN}:443,http://${SVC_PLEX_ADDR}:32400
+ PLEX_ADVERTISE_URL: https://plex.jory.dev:443,http://${SVC_PLEX_ADDR}:32400
PLEX_NO_AUTH_NETWORKS: ${NODE_CIDR},${TRUSTED_CIDR}
probes:
liveness: &probes
@@ -87,7 +87,7 @@ spec:
controller: *app
type: LoadBalancer
annotations:
- lbipam.cilium.io/ips: ${SVC_PLEX_ADDR:=temp}
+ lbipam.cilium.io/ips: 10.69.1.35
ports:
http:
port: 32400
@@ -111,7 +111,7 @@ spec:
proxy_http_version 1.1;
}
hosts:
- - host: "{{ .Release.Name }}.${SECRET_DOMAIN}"
+ - host: "{{ .Release.Name }}.jory.dev"
paths:
- path: /
service:
@@ -136,7 +136,7 @@ spec:
media:
type: nfs
server: voyager.internal
- path: ${SECRET_NFS_DATA:=temp}
+ path: /mnt/user/data
globalMounts:
- path: /data
subPath: media
diff --git a/kubernetes/main/apps/media/plex/movie-roulette/helmrelease.yaml b/kubernetes/main/apps/media/plex/movie-roulette/helmrelease.yaml
index 4309988015..261559b580 100644
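Review bot: In the plex `@@ -41,7` hunk `PLEX_ADVERTISE_URL` still embeds `${SVC_PLEX_ADDR}` while the `@@ -87,7` hunk of the same file inlines that address as `10.69.1.35`; the two will drift, and because this commit also removes `postBuild.substituteFrom` from the Flux Kustomizations and deletes `cluster-secrets.sops.yaml` (which defined `SVC_PLEX_ADDR`), the placeholder is likely to reach Plex unsubstituted. Inline it to match: `PLEX_ADVERTISE_URL: https://plex.jory.dev:443,http://10.69.1.35:32400`. `TZ: ${TIMEZONE}` and `PLEX_NO_AUTH_NETWORKS: ${NODE_CIDR},${TRUSTED_CIDR}` in the same hunk, and `lbipam.cilium.io/ips: ${SVC_SERVER_NUT_ADDR:=temp}` in the network-ups-tools helmrelease hunk, depend on the same substitution and need the same check; an unsubstituted `PLEX_NO_AUTH_NETWORKS` at least fails closed, but an unsubstituted LB-IPAM annotation leaves that Service without an address. The enclosing `env:` and `service:` stanzas start and end outside these hunks.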
--- a/kubernetes/main/apps/media/plex/movie-roulette/helmrelease.yaml
+++ b/kubernetes/main/apps/media/plex/movie-roulette/helmrelease.yaml
@@ -39,7 +39,7 @@ spec:
#Homepage ENV
HOMEPAGE_MODE: "FALSE"
#Plex ENV
- PLEX_URL: https://plex.${SECRET_DOMAIN}
+ PLEX_URL: https://plex.jory.dev
PLEX_MOVIE_LIBRARIES: "Movies" #Default movies, add more with comma delimiter A,B,C
#Poster ENV
TZ: ${TIMEZONE}
@@ -70,7 +70,7 @@ spec:
app:
className: external
hosts:
- - host: movie-roulette.${SECRET_DOMAIN}
+ - host: movie-roulette.jory.dev
paths:
- path: /
service:
diff --git a/kubernetes/main/apps/media/tautulli/app/helmrelease.yaml b/kubernetes/main/apps/media/tautulli/app/helmrelease.yaml
index 0e970b8d1b..5d7050bc87 100644
--- a/kubernetes/main/apps/media/tautulli/app/helmrelease.yaml
+++ b/kubernetes/main/apps/media/tautulli/app/helmrelease.yaml
@@ -87,7 +87,7 @@ spec:
gethomepage.dev/widget.url: http://tautulli.media
gethomepage.dev/widget.key: "{{ `{{HOMEPAGE_VAR_TAUTULLI_TOKEN}}` }}"
hosts:
- - host: "{{ .Release.Name }}.${SECRET_DOMAIN}"
+ - host: "{{ .Release.Name }}.jory.dev"
paths:
- path: /
service:
diff --git a/kubernetes/main/apps/media/wizarr/app/helmrelease.yaml b/kubernetes/main/apps/media/wizarr/app/helmrelease.yaml
index 39ef99a121..73c70849c4 100644
--- a/kubernetes/main/apps/media/wizarr/app/helmrelease.yaml
+++ b/kubernetes/main/apps/media/wizarr/app/helmrelease.yaml
@@ -70,7 +70,7 @@ spec:
# gethomepage.dev/widget.url: http://wizarr.media.svc.cluster.local:5690
# gethomepage.dev/widget.key: ${WIZARR_TOKEN}
hosts:
- - host: join.${SECRET_DOMAIN}
+ - host: join.jory.dev
paths:
- path: /
service:
diff --git a/kubernetes/main/apps/media/your-spotify/app/helmrelease.yaml b/kubernetes/main/apps/media/your-spotify/app/helmrelease.yaml
index c0d2e15ed8..75299f31a2 100644
--- a/kubernetes/main/apps/media/your-spotify/app/helmrelease.yaml
+++ b/kubernetes/main/apps/media/your-spotify/app/helmrelease.yaml
@@ -35,8 +35,8 @@ spec:
env:
TIMEZONE: ${TIMEZONE}
# Caveat if it includes Spotify in name: https://github.com/Yooooomi/your_spotify/pull/254
- API_ENDPOINT: &api_endpoint https://spotty.${SECRET_DOMAIN}/api
- CLIENT_ENDPOINT: https://spotty.${SECRET_DOMAIN}
+ API_ENDPOINT: &api_endpoint https://spotty.jory.dev/api
+ CLIENT_ENDPOINT: https://spotty.jory.dev
MONGO_ENDPOINT: mongodb://your-spotify-mongodb:27017/your_spotify #mongo sucks
PORT: &port 8080
envFrom:
@@ -103,7 +103,7 @@ spec:
nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
nginx.ingress.kubernetes.io/rewrite-target: /$1
hosts:
- - host: spotty.${SECRET_DOMAIN}
+ - host: spotty.jory.dev
paths:
- path: /?(.*)
pathType: Prefix
diff --git a/kubernetes/main/apps/network/external/cloudflared/dnsendpoint.yaml b/kubernetes/main/apps/network/external/cloudflared/dnsendpoint.yaml
index 6bf5a6a07b..f00b7a4a7a 100644
--- a/kubernetes/main/apps/network/external/cloudflared/dnsendpoint.yaml
+++ b/kubernetes/main/apps/network/external/cloudflared/dnsendpoint.yaml
@@ -6,6 +6,6 @@ metadata:
name: cloudflared
spec:
endpoints:
- - dnsName: "external.${SECRET_DOMAIN}"
+ - dnsName: "external.jory.dev"
recordType: CNAME
targets: ["85be482d-5cf9-4ee5-a9a0-c489e3dd6188.cfargotunnel.com"]
diff --git a/kubernetes/main/apps/network/external/cloudflared/resources/config.yaml b/kubernetes/main/apps/network/external/cloudflared/resources/config.yaml
index 45aea07721..ca5fac77f0 100644
--- a/kubernetes/main/apps/network/external/cloudflared/resources/config.yaml
+++ b/kubernetes/main/apps/network/external/cloudflared/resources/config.yaml
@@ -1,10 +1,10 @@
---
originRequest:
- originServerName: external.${SECRET_DOMAIN}
+ originServerName: external.jory.dev
ingress:
- - hostname: ${SECRET_DOMAIN}
+ - hostname: jory.dev
service: https://external-ingress-nginx-controller.network.svc.cluster.local:443
- - hostname: "*.${SECRET_DOMAIN}"
+ - hostname: "*.jory.dev"
service: https://external-ingress-nginx-controller.network.svc.cluster.local:443
- service: http_status:404
diff --git a/kubernetes/main/apps/network/external/echo-server/helmrelease.yaml b/kubernetes/main/apps/network/external/echo-server/helmrelease.yaml
index d0da461f5b..b831c4ecf2 100644
--- a/kubernetes/main/apps/network/external/echo-server/helmrelease.yaml
+++ b/kubernetes/main/apps/network/external/echo-server/helmrelease.yaml
@@ -93,7 +93,7 @@ spec:
app:
className: external
hosts:
- - host: "{{ .Release.Name }}.${SECRET_DOMAIN}"
+ - host: "{{ .Release.Name }}.jory.dev"
paths:
- path: /
service:
diff --git a/kubernetes/main/apps/network/external/external-dns/helmrelease.yaml b/kubernetes/main/apps/network/external/external-dns/helmrelease.yaml
index 54e59ff66e..681c14fc3d 100644
--- a/kubernetes/main/apps/network/external/external-dns/helmrelease.yaml
+++ b/kubernetes/main/apps/network/external/external-dns/helmrelease.yaml
@@ -46,7 +46,7 @@ spec:
sources: ["crd", "ingress"]
txtOwnerId: ${CLUSTER}
txtPrefix: k8s.${CLUSTER}.
- domainFilters: ["${SECRET_DOMAIN}"]
+ domainFilters: ["jory.dev"]
serviceMonitor:
enabled: true
podAnnotations:
diff --git a/kubernetes/main/apps/network/external/ingress-nginx/helmrelease.yaml b/kubernetes/main/apps/network/external/ingress-nginx/helmrelease.yaml
index fa22ecad9a..c3f8ad2b9e 100644
--- a/kubernetes/main/apps/network/external/ingress-nginx/helmrelease.yaml
+++ b/kubernetes/main/apps/network/external/ingress-nginx/helmrelease.yaml
@@ -28,8 +28,8 @@ spec:
replicaCount: 2
service:
annotations:
- external-dns.alpha.kubernetes.io/hostname: &hostname external.${SECRET_DOMAIN}
- lbipam.cilium.io/ips: ${SVC_NGINX_EXTERNAL:=temp}
+ external-dns.alpha.kubernetes.io/hostname: &hostname external.jory.dev
+ lbipam.cilium.io/ips: 10.69.1.32
ingressClassResource:
name: external
default: false
@@ -73,7 +73,7 @@ spec:
namespaceSelector:
any: true
extraArgs:
- default-ssl-certificate: cert-manager/${SECRET_DOMAIN}-tls
+ default-ssl-certificate: cert-manager/jory.dev-tls
publish-status-address: *hostname
terminationGracePeriodSeconds: 120
publishService:
diff --git a/kubernetes/main/apps/network/internal/external-dns/helmrelease.yaml b/kubernetes/main/apps/network/internal/external-dns/helmrelease.yaml
index f91e39d802..39f04d5cf8 100644
--- a/kubernetes/main/apps/network/internal/external-dns/helmrelease.yaml
+++ b/kubernetes/main/apps/network/internal/external-dns/helmrelease.yaml
@@ -60,7 +60,7 @@ spec:
sources: ["ingress", "service"]
txtOwnerId: ${CLUSTER}
txtPrefix: k8s.${CLUSTER}.
- domainFilters: ["${SECRET_DOMAIN}"]
+ domainFilters: ["jory.dev"]
serviceMonitor:
enabled: true
podAnnotations:
diff --git a/kubernetes/main/apps/network/internal/ingress-nginx/helmrelease.yaml b/kubernetes/main/apps/network/internal/ingress-nginx/helmrelease.yaml
index e56007a3e6..a1cb134cb1 100644
--- a/kubernetes/main/apps/network/internal/ingress-nginx/helmrelease.yaml
+++ b/kubernetes/main/apps/network/internal/ingress-nginx/helmrelease.yaml
@@ -28,8 +28,8 @@ spec:
replicaCount: 2
service:
annotations:
- external-dns.alpha.kubernetes.io/hostname: &hostname internal.${SECRET_DOMAIN}
- lbipam.cilium.io/ips: ${SVC_NGINX_INTERNAL:=temp}
+ external-dns.alpha.kubernetes.io/hostname: &hostname internal.jory.dev
+ lbipam.cilium.io/ips: 10.69.1.31
externalTrafficPolicy: Cluster
ingressClassResource:
name: internal
@@ -74,7 +74,7 @@ spec:
namespaceSelector:
any: true
extraArgs:
- default-ssl-certificate: cert-manager/${SECRET_DOMAIN}-tls
+ default-ssl-certificate: cert-manager/jory.dev-tls
publish-status-address: *hostname
terminationGracePeriodSeconds: 120
publishService:
diff --git a/kubernetes/main/apps/observability/exporters/blackbox-exporter/app/helmrelease.yaml b/kubernetes/main/apps/observability/exporters/blackbox-exporter/app/helmrelease.yaml
index ef5af9c572..db470ea33b 100644
--- a/kubernetes/main/apps/observability/exporters/blackbox-exporter/app/helmrelease.yaml
+++ b/kubernetes/main/apps/observability/exporters/blackbox-exporter/app/helmrelease.yaml
@@ -42,7 +42,7 @@ spec:
enabled: true
className: internal
hosts:
- - host: blackbox.${SECRET_DOMAIN}
+ - host: blackbox.jory.dev
paths:
- path: /
pathType: Prefix
diff --git a/kubernetes/main/apps/observability/exporters/nut-exporter/app/helmrelease.yaml b/kubernetes/main/apps/observability/exporters/nut-exporter/app/helmrelease.yaml
index 1b159b2c99..d7ff6ab6d3 100644
--- a/kubernetes/main/apps/observability/exporters/nut-exporter/app/helmrelease.yaml
+++ b/kubernetes/main/apps/observability/exporters/nut-exporter/app/helmrelease.yaml
@@ -58,4 +58,4 @@ spec:
protocol: TCP
port: 9199
annotations:
- external-dns.alpha.kubernetes.io/hostname: exporters.${SECRET_DOMAIN}
+ external-dns.alpha.kubernetes.io/hostname: exporters.jory.dev
diff --git a/kubernetes/main/apps/observability/exporters/nut-exporter/app/servicemonitor.yaml b/kubernetes/main/apps/observability/exporters/nut-exporter/app/servicemonitor.yaml
index 3293d3e78c..7bff88b610 100644
--- a/kubernetes/main/apps/observability/exporters/nut-exporter/app/servicemonitor.yaml
+++ b/kubernetes/main/apps/observability/exporters/nut-exporter/app/servicemonitor.yaml
@@ -28,7 +28,7 @@ spec:
regex: (pod)
params:
server:
- - network-nut.${SECRET_DOMAIN}
+ - network-nut.jory.dev
path: /ups_metrics
port: metrics
scheme: http
diff --git a/kubernetes/main/apps/observability/gatus/app/config/config.yaml b/kubernetes/main/apps/observability/gatus/app/config/config.yaml
index fbff2b8622..45725db973 100644
--- a/kubernetes/main/apps/observability/gatus/app/config/config.yaml
+++ b/kubernetes/main/apps/observability/gatus/app/config/config.yaml
@@ -26,7 +26,7 @@ connectivity:
endpoints:
- name: status
group: main-external
- url: https://status.${SECRET_DOMAIN}
+ url: https://status.jory.dev
interval: 1m
client:
dns-resolver: tcp://1.1.1.1:53
@@ -34,7 +34,7 @@ endpoints:
alerts: [{ type: discord }]
- name: flux-webhook
group: main-external
- url: https://flux-webhook.${SECRET_DOMAIN}
+ url: https://flux-webhook.jory.dev
interval: 1m
client:
dns-resolver: tcp://1.1.1.1:53
@@ -43,4 +43,4 @@ endpoints:
remote:
instances:
- endpoint-prefix: ""
- url: "https://status-utility.${SECRET_DOMAIN}/api/v1/endpoints/statuses"
+ url: "https://status-utility.jory.dev/api/v1/endpoints/statuses"
diff --git a/kubernetes/main/apps/observability/gatus/app/externalsecret.yaml b/kubernetes/main/apps/observability/gatus/app/externalsecret.yaml
index cad768b93f..fb955917b2 100644
--- a/kubernetes/main/apps/observability/gatus/app/externalsecret.yaml
+++ b/kubernetes/main/apps/observability/gatus/app/externalsecret.yaml
@@ -11,7 +11,7 @@ spec:
data:
# App
DISCORD_WEBHOOK_URL: "{{ .DISCORD_WEBHOOK_URL }}"
- SECRET_DOMAIN: ${SECRET_DOMAIN}
+ SECRET_DOMAIN: jory.dev
# Database
POSTGRES_URI: '{{ index . "pgbouncer-uri" }}'
dataFrom:
diff --git a/kubernetes/main/apps/observability/gatus/app/helmrelease.yaml b/kubernetes/main/apps/observability/gatus/app/helmrelease.yaml
index 174f7b5db2..de6b5bc872 100644
--- a/kubernetes/main/apps/observability/gatus/app/helmrelease.yaml
+++ b/kubernetes/main/apps/observability/gatus/app/helmrelease.yaml
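Review bot: In the gatus externalsecret hunk, `SECRET_DOMAIN: jory.dev` now writes a non-secret literal into the generated Secret under a key whose name no longer describes it, and the gatus `config.yaml` hunks in this same diff inline the domain everywhere, so the key may be dead. If nothing in the gatus config still expands `${SECRET_DOMAIN}` from the environment, drop the line; if something does, keep it but add a comment such as `# plain value, kept only because config.yaml reads it from env` so the next reader does not assume it is sensitive. The ExternalSecret template starts and ends outside the hunk.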
@@ -121,7 +121,7 @@ spec:
gethomepage.dev/widget.type: gatus
gethomepage.dev/widget.url: http://gatus.observability
hosts:
- - host: status.${SECRET_DOMAIN}
+ - host: status.jory.dev
paths:
- path: /
service:
diff --git a/kubernetes/main/apps/observability/grafana/app/helmrelease.yaml b/kubernetes/main/apps/observability/grafana/app/helmrelease.yaml
index e4c9da77c0..f06659b514 100644
--- a/kubernetes/main/apps/observability/grafana/app/helmrelease.yaml
+++ b/kubernetes/main/apps/observability/grafana/app/helmrelease.yaml
@@ -32,7 +32,7 @@ spec:
GF_FEATURE_TOGGLES_ENABLE: publicDashboards
GF_PLUGINS_ALLOW_LOADING_UNSIGNED_PLUGINS: natel-discrete-panel,pr0ps-trackmap-panel,panodata-map-panel
GF_SECURITY_COOKIE_SAMESITE: *app
- GF_SERVER_ROOT_URL: https://grafana.${SECRET_DOMAIN}
+ GF_SERVER_ROOT_URL: https://grafana.jory.dev
envFromSecrets:
- name: grafana-secret
grafana.ini:
@@ -41,7 +41,7 @@ spec:
check_for_plugin_updates: false
reporting_enabled: false
auth:
- signout_redirect_url: https://sso.${SECRET_DOMAIN}/application/o/grafana/end-session/
+ signout_redirect_url: https://sso.jory.dev/application/o/grafana/end-session/
oauth_auto_login: false
oauth_allow_insecure_email_lookup: true
auth.anonymous:
@@ -53,9 +53,9 @@ spec:
name: authentik
enabled: true
scopes: openid email profile
- auth_url: https://sso.${SECRET_DOMAIN}/application/o/authorize/
- token_url: https://sso.${SECRET_DOMAIN}/application/o/token/
- api_url: https://sso.${SECRET_DOMAIN}/application/o/userinfo/
+ auth_url: https://sso.jory.dev/application/o/authorize/
+ token_url: https://sso.jory.dev/application/o/token/
+ api_url: https://sso.jory.dev/application/o/userinfo/
# Optionally map user groups to Grafana roles
role_attribute_path: contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer'
deploymentStrategy:
@@ -399,7 +399,7 @@ spec:
# gethomepage.dev/widget.username: '{{`{{HOMEPAGE_VAR_GRAFANA_USERNAME}}`}}'
# gethomepage.dev/widget.password: '{{`{{HOMEPAGE_VAR_GRAFANA_PASSWORD}}`}}'
hosts:
- - "{{ .Release.Name }}.${SECRET_DOMAIN}"
+ - "{{ .Release.Name }}.jory.dev"
persistence:
enabled: false
topologySpreadConstraints:
diff --git a/kubernetes/main/apps/observability/karma/app/config/config.yaml b/kubernetes/main/apps/observability/karma/app/config/config.yaml
index 0f5290c96d..3df97a0217 100644
--- a/kubernetes/main/apps/observability/karma/app/config/config.yaml
+++ b/kubernetes/main/apps/observability/karma/app/config/config.yaml
@@ -12,7 +12,7 @@ alertmanager:
- alertname=Watchdog
- prometheus=observability/kube-prometheus-stack
- name: utility
- uri: https://alertmanager-utility.${SECRET_DOMAIN}
+ uri: https://alertmanager-utility.jory.dev
timeout: 10s
healthcheck:
visible: false
diff --git a/kubernetes/main/apps/observability/karma/app/helmrelease.yaml b/kubernetes/main/apps/observability/karma/app/helmrelease.yaml
index fa3f7da453..8b1863d4ac 100644
--- a/kubernetes/main/apps/observability/karma/app/helmrelease.yaml
+++ b/kubernetes/main/apps/observability/karma/app/helmrelease.yaml
@@ -84,7 +84,7 @@ spec:
gethomepage.dev/group: Observability
gethomepage.dev/description: Alertmanger Quick View
hosts:
- - host: "{{ .Release.Name }}.${SECRET_DOMAIN}"
+ - host: "{{ .Release.Name }}.jory.dev"
paths:
- path: /
service:
diff --git a/kubernetes/main/apps/observability/kromgo/app/helmrelease.yaml b/kubernetes/main/apps/observability/kromgo/app/helmrelease.yaml
index 549c29f042..dc3847be91 100644
--- a/kubernetes/main/apps/observability/kromgo/app/helmrelease.yaml
+++ b/kubernetes/main/apps/observability/kromgo/app/helmrelease.yaml
@@ -84,7 +84,7 @@ spec:
app:
className: external
hosts:
- - host: "{{ .Release.Name }}.${SECRET_DOMAIN}"
+ - host: "{{ .Release.Name }}.jory.dev"
paths:
- path: /
service:
diff --git a/kubernetes/main/apps/observability/kube-prometheus-stack/app/helmrelease.yaml b/kubernetes/main/apps/observability/kube-prometheus-stack/app/helmrelease.yaml
index d2c7655488..154adb528e 100644
--- a/kubernetes/main/apps/observability/kube-prometheus-stack/app/helmrelease.yaml
+++ b/kubernetes/main/apps/observability/kube-prometheus-stack/app/helmrelease.yaml
@@ -37,13 +37,13 @@ spec:
enabled: true
pathType: Prefix
ingressClassName: internal
- hosts: ["alertmanager.${SECRET_DOMAIN}"]
+ hosts: ["alertmanager.jory.dev"]
alertmanagerSpec:
alertmanagerConfiguration:
name: alertmanager
global:
resolveTimeout: 5m
- externalUrl: https://alertmanager.${SECRET_DOMAIN}
+ externalUrl: https://alertmanager.jory.dev
storage:
volumeClaimTemplate:
spec:
@@ -148,7 +148,7 @@ spec:
gethomepage.dev/widget.type: prometheus
gethomepage.dev/widget.url: http://kube-prometheus-stack-prometheus.observability:9090
pathType: Prefix
- hosts: ["prometheus.${SECRET_DOMAIN}"]
+ hosts: ["prometheus.jory.dev"]
prometheusSpec:
enableAdminAPI: true
walCompression: true
diff --git a/kubernetes/main/apps/observability/kube-prometheus-stack/app/scrapeconfig.yaml b/kubernetes/main/apps/observability/kube-prometheus-stack/app/scrapeconfig.yaml
index 8b91eb62b5..a71b53bea5 100644
--- a/kubernetes/main/apps/observability/kube-prometheus-stack/app/scrapeconfig.yaml
+++ b/kubernetes/main/apps/observability/kube-prometheus-stack/app/scrapeconfig.yaml
@@ -53,7 +53,7 @@ metadata:
spec:
staticConfigs:
- targets:
- - s3.${SECRET_DOMAIN}
+ - s3.jory.dev
metricsPath: /minio/v2/metrics/cluster
relabelings:
- action: replace
diff --git a/kubernetes/main/apps/observability/network-ups-tools/app/helmrelease.yaml b/kubernetes/main/apps/observability/network-ups-tools/app/helmrelease.yaml
index 6a36226e34..f76b4638d5 100644
--- a/kubernetes/main/apps/observability/network-ups-tools/app/helmrelease.yaml
+++ b/kubernetes/main/apps/observability/network-ups-tools/app/helmrelease.yaml
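Review bot: The `prometheus.jory.dev` host in the `@@ -148,7` hunk fronts a Prometheus whose spec keeps `enableAdminAPI: true` two lines below, and nothing in the hunk shows authentication on the `internal` ingress class, so the admin endpoints (TSDB snapshot and series deletion) are reachable by anyone who can resolve and reach that host. That is pre-existing, but the host rename is a good moment to confirm the internal class is gated upstream, to front the ingress with auth (for example `nginx.ingress.kubernetes.io/auth-url` pointing at the Authentik instance this diff configures as `sso.jory.dev`), or to set `enableAdminAPI: false` if nothing uses it. The prometheus ingress stanza starts outside the hunk.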
@@ -51,7 +51,7 @@ spec:
type: LoadBalancer
annotations:
lbipam.cilium.io/ips: ${SVC_SERVER_NUT_ADDR:=temp}
- external-dns.alpha.kubernetes.io/hostname: server-nut.${SECRET_DOMAIN}
+ external-dns.alpha.kubernetes.io/hostname: server-nut.jory.dev
externalTrafficPolicy: Cluster
ports:
http:
diff --git a/kubernetes/main/apps/observability/network-ups-tools/app/servicemonitor.yaml b/kubernetes/main/apps/observability/network-ups-tools/app/servicemonitor.yaml
index 899d2053db..f3043e102c 100644
--- a/kubernetes/main/apps/observability/network-ups-tools/app/servicemonitor.yaml
+++ b/kubernetes/main/apps/observability/network-ups-tools/app/servicemonitor.yaml
@@ -28,7 +28,7 @@ spec:
regex: (pod)
params:
server:
- - server-nut.${SECRET_DOMAIN}
+ - server-nut.jory.dev
path: /ups_metrics
port: metrics
scheme: http
diff --git a/kubernetes/main/apps/rook-ceph/rook-ceph/cluster/helmrelease.yaml b/kubernetes/main/apps/rook-ceph/rook-ceph/cluster/helmrelease.yaml
index 42642116b5..9c4dc30926 100644
--- a/kubernetes/main/apps/rook-ceph/rook-ceph/cluster/helmrelease.yaml
+++ b/kubernetes/main/apps/rook-ceph/rook-ceph/cluster/helmrelease.yaml
@@ -38,7 +38,7 @@ spec:
dashboard:
ingressClassName: internal
host:
- name: rook.${SECRET_DOMAIN}
+ name: rook.jory.dev
path: /
toolbox:
enabled: true
@@ -203,5 +203,5 @@ spec:
# nginx.ingress.kubernetes.io/proxy-body-size: "0"
# nginx.ingress.kubernetes.io/proxy-request-buffering: "off"
# host:
- # name: rgw.${SECRET_DOMAIN}
+ # name: rgw.jory.dev
# path: /
diff --git a/kubernetes/main/apps/security/authentik/app/helmrelease.yaml b/kubernetes/main/apps/security/authentik/app/helmrelease.yaml
index e389c90c8c..deddd512f8 100644
--- a/kubernetes/main/apps/security/authentik/app/helmrelease.yaml
+++ b/kubernetes/main/apps/security/authentik/app/helmrelease.yaml
@@ -56,7 +56,7 @@ spec:
gethomepage.dev/widget.url: http://authentik-server.security
gethomepage.dev/widget.key: "{{HOMEPAGE_VAR_AUTHENTIK_TOKEN}}"
hosts:
- - sso.${SECRET_DOMAIN}
+ - sso.jory.dev
https: false
worker:
autoscaling:
diff --git a/kubernet​es/main/apps/self-hosted/actual/app/helmrelease.yaml b/kubernetes/main/apps/self-hosted/actual/app/helmrelease.yaml
index ef14710e41..ebc2ede4c7 100644
--- a/kubernetes/main/apps/self-hosted/actual/app/helmrelease.yaml
+++ b/kubernetes/main/apps/self-hosted/actual/app/helmrelease.yaml
@@ -65,7 +65,7 @@ spec:
gethomepage.dev/icon: actual.png
gethomepage.dev/description: Budget Management Software
hosts:
- - host: "{{ .Release.Name }}.${SECRET_DOMAIN}"
+ - host: "{{ .Release.Name }}.jory.dev"
paths:
- path: /
pathType: Prefix
diff --git a/kubernetes/main/apps/self-hosted/atuin/app/helmrelease.yaml b/kubernetes/main/apps/self-hosted/atuin/app/helmrelease.yaml
index c11999d660..a8cf83ac68 100644
--- a/kubernetes/main/apps/self-hosted/atuin/app/helmrelease.yaml
+++ b/kubernetes/main/apps/self-hosted/atuin/app/helmrelease.yaml
@@ -103,7 +103,7 @@ spec:
app:
className: internal
hosts:
- - host: sh.${SECRET_DOMAIN}
+ - host: sh.jory.dev
paths:
- path: /
service:
diff --git a/kubernetes/main/apps/self-hosted/homepage/app/configmap.yaml b/kubernetes/main/apps/self-hosted/homepage/app/configmap.yaml
index cae165bc6a..a859a73085 100644
--- a/kubernetes/main/apps/self-hosted/homepage/app/configmap.yaml
+++ b/kubernetes/main/apps/self-hosted/homepage/app/configmap.yaml
@@ -77,7 +77,7 @@ data:
description: Unifi Dashboard
widget:
type: unifi
- url: https://unifi.${SECRET_DOMAIN}
+ url: https://unifi.jory.dev
username: {{HOMEPAGE_VAR_UNIFI_USERNAME}}
password: {{HOMEPAGE_VAR_UNIFI_PASSWORD}}
- Games:
@@ -117,7 +117,7 @@ data:
service_name: Readarr # service name for that widget
- Infrastructure:
- Portainer:
- href: &url https://portainer.${SECRET_DOMAIN}
+ href: &url https://portainer.jory.dev
icon: portainer.png
description: Docker Container Management
widget:
@@ -126,17 +126,17 @@ data:
env: 1
key: {{HOMEPAGE_VAR_PORTAINER_TOKEN}}
- Unraid:
- href: https://nas.${SECRET_DOMAIN}
+ href: https://nas.jory.dev
icon: unraid.png
description: Unraid NAS
- Home:
- Home-Assistant:
- href: https://hass.${SECRET_DOMAIN}
+ href: https://hass.jory.dev
icon: home-assistant.png
description: Home Automation Software
widget:
type: homeassistant
- url: https://hass.${SECRET_DOMAIN}
+ url: https://hass.jory.dev
key: {{HOMEPAGE_VAR_HASS_TOKEN}}
settings.yaml: |
title: Dashboard
diff --git a/kubernetes/main/apps/self-hosted/homepage/app/helmrelease.yaml b/kubernetes/main/apps/self-hosted/homepage/app/helmrelease.yaml
index 849d44ae84..cf7c95bc24 100644
--- a/kubernetes/main/apps/self-hosted/homepage/app/helmrelease.yaml
+++ b/kubernetes/main/apps/self-hosted/homepage/app/helmrelease.yaml
@@ -55,7 +55,7 @@ spec:
app:
className: internal
hosts:
- - host: "{{ .Release.Name }}.${SECRET_DOMAIN}"
+ - host: "{{ .Release.Name }}.jory.dev"
paths:
- path: /
pathType: Prefix
diff --git a/kubernetes/main/apps/self-hosted/lubelog/app/externalsecret.yaml b/kubernetes/main/apps/self-hosted/lubelog/app/externalsecret.yaml
index d0f64f83c9..2f7373b3c4 100644
--- a/kubernetes/main/apps/self-hosted/lubelog/app/externalsecret.yaml
+++ b/kubernetes/main/apps/self-hosted/lubelog/app/externalsecret.yaml
@@ -13,9 +13,9 @@ spec:
OpenIDConfig__Name: authentik
OpenIDConfig__ClientId: "{{ .LUBELOG_CLIENT_ID }}"
OpenIDConfig__ClientSecret: "{{ .LUBELOG_CLIENT_SECRET }}"
- OpenIDConfig__AuthURL: https://sso.${SECRET_DOMAIN}/application/o/authorize/
- OpenIDConfig__TokenURL: https://sso.${SECRET_DOMAIN}/application/o/token/
- OpenIDConfig__RedirectURL: https://lubelog.${SECRET_DOMAIN}/Login/RemoteAuth
+ OpenIDConfig__AuthURL: https://sso.jory.dev/application/o/authorize/
+ OpenIDConfig__TokenURL: https://sso.jory.dev/application/o/token/
+ OpenIDConfig__RedirectURL: https://lubelog.jory.dev/Login/RemoteAuth
OpenIDConfig__Scope: email
# Database
POSTGRES_CONNECTION: 'Host={{ index . "pgbouncer-host" }}:{{ .port }};Username={{ .user }};Password={{ .password }};Database={{ .dbname }}'
diff --git a/kubernetes/main/apps/self-hosted/lubelog/app/helmrelease.yaml b/kubernetes/main/apps/self-hosted/lubelog/app/helmrelease.yaml
index 46c074c51b..7cb46ae1fc 100644
--- a/kubernetes/main/apps/self-hosted/lubelog/app/helmrelease.yaml
+++ b/kubernetes/main/apps/self-hosted/lubelog/app/helmrelease.yaml
@@ -75,7 +75,7 @@ spec:
gethomepage.dev/widget.username: "{{ `{{HOMEPAGE_VAR_LUBELOG_USERNAME}}` }}"
gethomepage.dev/widget.password: "{{ `{{HOMEPAGE_VAR_LUBELOG_PASSWORD}}` }}"
hosts:
- - host: "{{ .Release.Name }}.${SECRET_DOMAIN}"
+ - host: "{{ .Release.Name }}.jory.dev"
paths:
- path: /
pathType: Prefix
diff --git a/kubernetes/main/apps/self-hosted/paperless/app/externalsecret.yaml b/kubernetes/main/apps/self-hosted/paperless/app/externalsecret.yaml
index 5ee9bb6177..0d375dba74 100644
--- a/kubernetes/main/apps/self-hosted/paperless/app/externalsecret.yaml
+++ b/kubernetes/main/apps/self-hosted/paperless/app/externalsecret.yaml
@@ -23,7 +23,7 @@ spec:
"client_id": "{{ .PAPERLESS_CLIENT_ID }}",
"secret": "{{ .PAPERLESS_CLIENT_SECRET }}",
"settings": {
- "server_url": "https://sso.${SECRET_DOMAIN}/application/o/paperless/.well-known/openid-configuration"
+ "server_url": "https://sso.jory.dev/application/o/paperless/.well-known/openid-configuration"
}
}
]
diff --git a/kubernetes/main/apps/self-hosted/paperless/app/helmrelease.yaml b/kubernetes/main/apps/self-hosted/paperless/app/helmrelease.yaml
index fa76da60c8..770d622456 100644
--- a/kubernetes/main/apps/self-hosted/paperless/app/helmrelease.yaml
+++ b/kubernetes/main/apps/self-hosted/paperless/app/helmrelease.yaml
@@ -43,7 +43,7 @@ spec:
# Configure application
PAPERLESS_APPS: allauth.socialaccount.providers.openid_connect
PAPERLESS_REDIS_PREFIX: pngx
- PAPERLESS_URL: https://paperless.${SECRET_DOMAIN}
+ PAPERLESS_URL: https://paperless.jory.dev
PAPERLESS_PORT: "8000"
PAPERLESS_TIME_ZONE: America/Edmonton
PAPERLESS_WEBSERVER_WORKERS: "2"
@@ -94,7 +94,7 @@ spec:
gethomepage.dev/widget.url: http://paperless.self-hosted:8000
gethomepage.dev/widget.key: "{{ `{{HOMEPAGE_VAR_PAPERLESS_TOKEN}}` }}"
hosts:
- - host: "{{ .Release.Name }}.${SECRET_DOMAIN}"
+ - host: "{{ .Release.Name }}.jory.dev"
paths:
- path: /
service:
@@ -108,6 +108,6 @@ spec:
nas:
type: nfs
server: voyager.internal
- path: ${SECRET_NFS_PAPERLESS:=temp}
+ path: /mnt/user/scans
globalMounts:
- path: /data/nas
diff --git a/kubernetes/main/apps/self-hosted/redlib/app/helmrelease.yaml b/kubernetes/main/apps/self-hosted/redlib/app/helmrelease.yaml
index 8f1b6cb489..6eece3d5ee 100644
--- a/kubernetes/main/apps/self-hosted/redlib/app/helmrelease.yaml
+++ b/kubernetes/main/apps/self-hosted/redlib/app/helmrelease.yaml
@@ -67,7 +67,7 @@ spec:
gethomepage.dev/icon: https://raw.githubusercontent.com/redlib-org/redlib/main/static/logo.svg
gethomepage.dev/description: Reddit private front end
hosts:
- - host: &host "{{ .Release.Name }}.${SECRET_DOMAIN}"
+ - host: &host "{{ .Release.Name }}.jory.dev"
paths:
- path: /
service:
diff --git a/kubernetes/main/apps/storage/volsync/app/mutations/volsync-mover-nfs.yaml b/kubernetes/main/apps/storage/volsync/app/mutations/volsync-mover-nfs.yaml
index 516154b8c4..1e90567bd6 100644
--- a/kubernetes/main/apps/storage/volsync/app/mutations/volsync-mover-nfs.yaml
+++ b/kubernetes/main/apps/storage/volsync/app/mutations/volsync-mover-nfs.yaml
@@ -47,7 +47,7 @@ spec:
name: "repository",
nfs: Object.spec.template.spec.volumes.nfs{
server: "voyager.internal",
- path: "${SECRET_NFS_VOLSYNC}"
+ path: "/mnt/user/kubernetes/volsync"
}
}
}
diff --git a/kubernetes/main/flux/config/cluster.yaml b/kubernetes/main/flux/config/cluster.yaml
index 25f19acce7..8049c3f6e5 100644
--- a/kubernetes/main/flux/config/cluster.yaml
+++ b/kubernetes/main/flux/config/cluster.yaml
@@ -14,10 +14,6 @@ spec:
sourceRef:
kind: GitRepository
name: flux-system
- decryption:
- provider: sops
- secretRef:
- name: sops-age
---
# yaml-language-server: $schema=https://kube-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
@@ -50,10 +46,6 @@ spec:
sourceRef:
kind: GitRepository
name: flux-system
- decryption:
- provider: sops
- secretRef:
- name: sops-age
---
# yaml-language-server: $schema=https://kube-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
apiVersion: kustomize.toolkit.fluxcd.io/v1
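Review bot: The `@@ -14,10` and `@@ -50,10` hunks of cluster.yaml (and the `@@ -72,50` hunk that follows) drop `decryption` from the Flux Kustomizations, but the only SOPS-encrypted file this diff deletes is `cluster-secrets.sops.yaml`; if any other `*.sops.yaml` is still reconciled under these paths it will now be built without decryption, so its `ENC[...]` ciphertext is either applied verbatim or rejected at apply time, and the `sops-age` Secret is left unreferenced. Confirm no encrypted manifests remain under the reconciled paths before merging. It is also worth stating in the commit message that the domain, LAN addresses and NFS export paths previously held in that Secret are now cleartext in git history, since that is the trade-off this change accepts. The three Kustomization objects start outside their hunks.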
@@ -72,50 +64,3 @@ spec: sourceRef: kind: GitRepository name: flux-system - decryption: - provider: sops - secretRef: - name: sops-age - postBuild: - substituteFrom: - - name: cluster-settings - kind: ConfigMap - optional: true - - name: cluster-settings-main - kind: ConfigMap - optional: true - - name: cluster-secrets - kind: Secret - optional: true - - name: cluster-secrets-main - kind: Secret - optional: true - patches: - - patch: |- - apiVersion: kustomize.toolkit.fluxcd.io/v1 - kind: Kustomization - metadata: - name: not-used - spec: - decryption: - provider: sops - secretRef: - name: sops-age - postBuild: - substituteFrom: - - name: cluster-settings - kind: ConfigMap - optional: true - - name: cluster-settings-main - kind: ConfigMap - optional: true - - name: cluster-secrets - kind: Secret - optional: true - - name: cluster-secrets-main - kind: Secret - optional: true - target: - group: kustomize.toolkit.fluxcd.io - kind: Kustomization - labelSelector: substitution.flux.home.arpa/disabled notin (true) diff --git a/kubernetes/main/flux/settings/cluster-secrets.sops.yaml b/kubernetes/main/flux/settings/cluster-secrets.sops.yaml deleted file mode 100644 index 23bd7b68f8..0000000000 --- a/kubernetes/main/flux/settings/cluster-secrets.sops.yaml +++ /dev/null 
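Review bot: The removed `patches` entry only applied `postBuild.substituteFrom` to Kustomizations matching `substitution.flux.home.arpa/disabled notin (true)`, so individual Kustomizations had a label-based opt-out; the admission policies that replace it (ks-substitution.yaml in this diff) exempt only `object.metadata.name == "flux-system"`, so a Kustomization carrying that label now gets `cluster-settings`/`cluster-settings-main` injected regardless. If the opt-out is still wanted, each policy needs an extra matchCondition such as `!(has(object.metadata.labels) && "substitution.flux.home.arpa/disabled" in object.metadata.labels && object.metadata.labels["substitution.flux.home.arpa/disabled"] == "true")`. If it is being retired deliberately, a grep for the label and a line in the commit message would close the gap. Note too that the `flux-system` exemption is by name only, not namespace, so a same-named Kustomization elsewhere would also be skipped.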
@@ -1,40 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: cluster-secrets-main -stringData: - #ENC[AES256_GCM,data:4fDPDBjGJd+bDq6XWw==,iv:aCQGLarnqqB8Kn/oNB7N51s2sMVKvlRTmam5cXFBDys=,tag:QyhWt48zxgH8fJmikPMQmg==,type:comment] - SVC_COREKEEPER_ADDR: ENC[AES256_GCM,data:fA4djsP75bTYlA==,iv:Kipkmlx+4AEkjmSjCdLKxSRRViAp0AP8SYgcyQImC0s=,tag:o7yurCyzgSHSnGmCHqZmAg==,type:str] - SVC_CPGO_ADDR: ENC[AES256_GCM,data:1ZEfa153U4NV5Q==,iv:Y6TDN76pCpEGLx03ZOO/0X6Z6rKuB+Kxk8/KXmS13K0=,tag:SwpJ/0qUK+j8Eq8lUuV2aQ==,type:str] - SVC_MINECRAFT_ADDR: ENC[AES256_GCM,data:f12BWnkvCdvjNg==,iv:gHfGEfHHQY9Rbu0uDls0sLdkje7UIQ4Mp+l5n33BJBA=,tag:NUo6kfMNYZQY9gRqZZN36g==,type:str] - SVC_NGINX_INTERNAL: ENC[AES256_GCM,data:TyCwPUZSIIF7Xg==,iv:0pUtIxWfTzL/l1Ksw9W7/OpEoosIoj+7RBj8OkjGDkM=,tag:4xPusaS1Nc72il6Zl1M0Og==,type:str] - SVC_NGINX_EXTERNAL: ENC[AES256_GCM,data:yD0KlDNJdHu23A==,iv:ufbiRzNHpGdtc59e8xxEWC2s/6lfI7pKPA/WorZ+ui0=,tag:YJaK+m3aT5k9ARXCsauzWw==,type:str] - SVC_PALWORLD_ADDR: ENC[AES256_GCM,data:sN51CLk0J5lueA==,iv:h/WiPB2ByiOjLLJwSegF0SXKklZazd81e0Qn//G8Wbk=,tag:Isi9IegNRCGbZ+nJfgC6Fw==,type:str] - SVC_PLEX_ADDR: ENC[AES256_GCM,data:1xZjw3xL5OJDQw==,iv:W8H53fUTHjDmhnyyZr+jcdUOakWdw3PRjVuLO/oDnBo=,tag:q/QaiVn1iQiFWOG0UOnIQw==,type:str] - SVC_QBITTTORENT_ADDR: ENC[AES256_GCM,data:C1YY5DhkkwdO2A==,iv:SyHEO9JMb5ClhVm80Deq7desvahK8pYlWJtzb0g6pyY=,tag:GPFpWhdjJofBhd3khypV2A==,type:str] - SVC_TAKOCRAFT_ADDR: ENC[AES256_GCM,data:FO629jc3FznVFQ==,iv:ggVburenvA0IOfOWr+RmGWUDntL369P4BjFMkJWEY8Y=,tag:MiX1TyqS1fahbZe93ETGwg==,type:str] - SVC_VRISING_ADDR: ENC[AES256_GCM,data:UMTb1QfKqeCiqA==,iv:OEI5tZKR6m0AgO8VqezIowzRUeqSI2qwSU34P5IqIXo=,tag:xMiAC6TEaYLb6o8i1jHlyw==,type:str] - #ENC[AES256_GCM,data:NYqIEJwguAGYzknS,iv:U0oZbqHMObZ+Wvx8ryQE8dlR0SG26wsfYV3F2F67H+w=,tag:oCJYngN4jrdWrQug82W9vQ==,type:comment] - SECRET_NFS_DATA: ENC[AES256_GCM,data:85DKixrSI8rproq1PmI=,iv:kvg70gJHchxhVQsjGInXA8V1bx1XzWjmICMhfquYZTg=,tag:f3dPXLWTKx7ApYucQtIe1w==,type:str] - SECRET_NFS_PAPERLESS: 
ENC[AES256_GCM,data:U5zrsgH3/TED4QVZSzP2,iv:E1RB4QWwMpLYSGRJLOtC89Uat/7K3Hf/4m8feU2dcGw=,tag:TrZbkBC+3I7OUIb2VWGuWw==,type:str] - SECRET_NFS_POSTGRES: ENC[AES256_GCM,data:wsXmVzJZuz+YmB0RiEmNCBL3+eHC6sf/vWKYWUM=,iv:axtTCqsexrbVEemk2Xg29mWsB7I4rPzoErmfLx7YgVM=,tag:JL03bowQOFJnqrKzvB/MFQ==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age12v9uw8k6myrr49z9aq6jmcwa79aepu0p6p462nrv968qcae72pcspwldec - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB3NWNTRmtma01pMFY3Ny93 - N2F5bTZFc0ZKYm5hWHp6bENndktxRXNBa1F3CnBNVXJldG9ZR0cwcXQrcjc5UTNu - dlpJNEZ5eVhIdkwvRE5ubUNBQjhnWTQKLS0tIDhzRGZTdWFKak5PNmVnbG5hckl3 - Mml3TDJwa2tWTUV3d0piVTFJSFhhOEEKr0FLybpRsnIlbT55No+/qolp2GVAB1yD - yeGYjULaarqScUazhWSnuzDcRj4X0MX8UDV5lc4OsGba9ymVbywDbQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-01-16T19:46:40Z" - mac: ENC[AES256_GCM,data:sJnhniVEI2r+G3tKuscACgHwDYlZL7gMS8EoAPq5WslX8IONGUP5QCNPt9CBk6tFBJVGU58YpdlR9wzkt9nPoUIO5T6zAV71NcHOC7wj+LRt1gUytymHrECij5ewxg8cruk5PpFNWdhF4eJIwg4HOn5QaMLGfVJhkoHgI47CQbY=,iv:tptDHHI3278CpAt+YKUfyLFrNZIwa9xWNGhqyk/7794=,tag:vGLUQopYgpxwa+IAxmcOfg==,type:str] - pgp: [] - encrypted_regex: ^(data|stringData)$ - version: 3.9.3 diff --git a/kubernetes/main/flux/settings/ks-substitution.yaml b/kubernetes/main/flux/settings/ks-substitution.yaml new file mode 100644 index 0000000000..043023af8c --- /dev/null +++ b/kubernetes/main/flux/settings/ks-substitution.yaml 
@@ -0,0 +1,213 @@ +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/v1.32.0/mutatingadmissionpolicybinding-admissionregistration-v1alpha1.json +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: MutatingAdmissionPolicyBinding +metadata: + name: flux-ks-no-postbuild +spec: + policyName: flux-ks-no-postbuild +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/v1.32.0/mutatingadmissionpolicybinding-admissionregistration-v1alpha1.json +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: MutatingAdmissionPolicyBinding +metadata: + name: flux-ks-no-substitutefrom +spec: + policyName: flux-ks-no-substitutefrom +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/v1.32.0/mutatingadmissionpolicybinding-admissionregistration-v1alpha1.json +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: MutatingAdmissionPolicyBinding +metadata: + name: flux-ks-add-cluster-settings +spec: + policyName: flux-ks-add-cluster-settings +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/v1.32.0/mutatingadmissionpolicybinding-admissionregistration-v1alpha1.json +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: MutatingAdmissionPolicyBinding +metadata: + name: flux-ks-add-cluster-settings-main +spec: + policyName: flux-ks-add-cluster-settings-main +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/v1.32.0/mutatingadmissionpolicy-admissionregistration-v1alpha1.json +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: MutatingAdmissionPolicy +metadata: + name: flux-ks-no-postbuild +spec: + matchConstraints: + resourceRules: + - apiGroups: ["kustomize.toolkit.fluxcd.io"] + apiVersions: ["v1"] + operations: ["CREATE", "UPDATE"] + resources: 
["kustomizations"] + matchConditions: + - name: name-is-not-flux-system + expression: > + !(object.metadata.name == "flux-system") + - name: postbuild-field-does-not-exist + expression: > + !has(object.spec.postBuild) + failurePolicy: Fail + reinvocationPolicy: IfNeeded + mutations: + - patchType: "JSONPatch" + jsonPatch: + expression: > + [ + JSONPatch{ + op: "add", path: "/spec/postBuild", + value: {} + }, + JSONPatch{ + op: "add", path: "/spec/postBuild/substituteFrom", + value: [] + }, + JSONPatch{ + op: "add", path: "/spec/postBuild/substituteFrom/-", + value: Object.spec.postBuild.substituteFrom{ + name: "cluster-settings", + kind: "ConfigMap", + optional: true + } + }, + JSONPatch{ + op: "add", path: "/spec/postBuild/substituteFrom/-", + value: Object.spec.postBuild.substituteFrom{ + name: "cluster-settings-main", + kind: "ConfigMap", + optional: true + } + } + ] +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/v1.32.0/mutatingadmissionpolicy-admissionregistration-v1alpha1.json +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: MutatingAdmissionPolicy +metadata: + name: flux-ks-no-substitutefrom +spec: + matchConstraints: + resourceRules: + - apiGroups: ["kustomize.toolkit.fluxcd.io"] + apiVersions: ["v1"] + operations: ["CREATE", "UPDATE"] + resources: ["kustomizations"] + matchConditions: + - name: name-is-not-flux-system + expression: > + !(object.metadata.name == "flux-system") + - name: has-postbuild-field + expression: > + has(object.spec.postBuild) + - name: substitutefrom-field-does-not-exist + expression: > + !has(object.spec.postBuild.substituteFrom) + failurePolicy: Fail + reinvocationPolicy: IfNeeded + mutations: + - patchType: "JSONPatch" + jsonPatch: + expression: > + [ + JSONPatch{ + op: "add", path: "/spec/postBuild/substituteFrom", + value: [] + }, + JSONPatch{ + op: "add", path: "/spec/postBuild/substituteFrom/-", + value: Object.spec.postBuild.substituteFrom{ + 
name: "cluster-settings", + kind: "ConfigMap", + optional: true + } + }, + JSONPatch{ + op: "add", path: "/spec/postBuild/substituteFrom/-", + value: Object.spec.postBuild.substituteFrom{ + name: "cluster-settings-main", + kind: "ConfigMap", + optional: true + } + } + ] +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/v1.32.0/mutatingadmissionpolicy-admissionregistration-v1alpha1.json +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: MutatingAdmissionPolicy +metadata: + name: flux-ks-add-cluster-settings +spec: + matchConstraints: + resourceRules: + - apiGroups: ["kustomize.toolkit.fluxcd.io"] + apiVersions: ["v1"] + operations: ["CREATE", "UPDATE"] + resources: ["kustomizations"] + matchConditions: + - name: name-is-not-flux-system + expression: > + !(object.metadata.name == "flux-system") + - name: has-substitutefrom-field + expression: > + (has(object.spec.postBuild) && has(object.spec.postBuild.substituteFrom)) + - name: cluster-settings-configmap-not-present + expression: > + !object.spec.postBuild.substituteFrom.exists(item, item.name == "cluster-settings") + failurePolicy: Fail + reinvocationPolicy: IfNeeded + mutations: + - patchType: "JSONPatch" + jsonPatch: + expression: > + [ + JSONPatch{ + op: "add", path: "/spec/postBuild/substituteFrom/-", + value: Object.spec.postBuild.substituteFrom{ + name: "cluster-settings", + kind: "ConfigMap", + optional: true + } + } + ] +--- +# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/v1.32.0/mutatingadmissionpolicy-admissionregistration-v1alpha1.json +apiVersion: admissionregistration.k8s.io/v1alpha1 +kind: MutatingAdmissionPolicy +metadata: + name: flux-ks-add-cluster-settings-main +spec: + matchConstraints: + resourceRules: + - apiGroups: ["kustomize.toolkit.fluxcd.io"] + apiVersions: ["v1"] + operations: ["CREATE", "UPDATE"] + resources: ["kustomizations"] + matchConditions: + 
- name: name-is-not-flux-system + expression: > + !(object.metadata.name == "flux-system") + - name: has-substitutefrom-field + expression: > + (has(object.spec.postBuild) && has(object.spec.postBuild.substituteFrom)) + - name: cluster-settings-configmap-not-present + expression: > + !object.spec.postBuild.substituteFrom.exists(item, item.name == "cluster-settings") + failurePolicy: Fail + reinvocationPolicy: IfNeeded + mutations: + - patchType: "JSONPatch" + jsonPatch: + expression: > + [ + JSONPatch{ + op: "add", path: "/spec/postBuild/substituteFrom/-", + value: Object.spec.postBuild.substituteFrom{ + name: "cluster-settings-main", + kind: "ConfigMap", + optional: true + } + } + ] diff --git a/kubernetes/main/flux/settings/kustomization.yaml b/kubernetes/main/flux/settings/kustomization.yaml index 3b96efbcb2..b3d1238ca7 100644 --- a/kubernetes/main/flux/settings/kustomization.yaml +++ b/kubernetes/main/flux/settings/kustomization.yaml @@ -3,5 +3,5 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - ./cluster-secrets.sops.yaml - ./cluster-settings.yaml + - ./ks-substitution.yaml diff --git a/kubernetes/shared/settings/cluster-secrets.sops.yaml b/kubernetes/shared/settings/cluster-secrets.sops.yaml deleted file mode 100644 index d9fb190eba..0000000000 --- a/kubernetes/shared/settings/cluster-secrets.sops.yaml +++ /dev/null 
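Review bot: In `flux-ks-add-cluster-settings-main` the third matchCondition tests the wrong entry: `!object.spec.postBuild.substituteFrom.exists(item, item.name == "cluster-settings")` is copied from the previous policy, so this policy fires whenever `cluster-settings` is absent (appending a duplicate `cluster-settings-main` if that one is already listed) and never fires when `cluster-settings` is present but `cluster-settings-main` is missing. It only appears to work because the sibling policy usually adds `cluster-settings` in the same reinvocation round, after which this one stops matching. Change it to `- name: cluster-settings-main-configmap-not-present` with `!object.spec.postBuild.substituteFrom.exists(item, item.name == "cluster-settings-main")`. Separately, these are `v1alpha1` resources with `failurePolicy: Fail`: a CEL evaluation error rejects the Kustomization write outright, and on a cluster where the MutatingAdmissionPolicy API is not enabled they simply fail to apply and no Kustomization receives `substituteFrom` at all — presumably verified on both clusters, but a comment at the top of the file stating the required feature gate would help the next reader.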
@@ -1,33 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: cluster-secrets - namespace: flux-system -stringData: - CLOUDFLARE_ACCOUNT_ID: ENC[AES256_GCM,data:kLP6M5Bb2BuNOarZ5i2SvE01QCk4sxgNtp7ZlXlIKt4=,iv:2SxTwsoMNJ4pEqA/og2Aewq7iO4EZC0EYxGd5P4DFyE=,tag:caSVj/2tKvlYJKC7J79egQ==,type:str] - SECRET_ACME_EMAIL: ENC[AES256_GCM,data:umb7RbR4uWbgz98iHA==,iv:K9i/iq9Bc4PYoIpMfqaJTeexoxT1vbdfHUdOEe3GeR8=,tag:w6jcFxfq1xSyEMpfy/lhCg==,type:str] - SECRET_DOMAIN: ENC[AES256_GCM,data:4dlwtokraZ0=,iv:AyH/endMPGS/6iYDunUt1AqP0NIRqc2ZEVQe6JQRifw=,tag:IBhjr44MJu44hmc0UOLZEA==,type:str] - SVC_NETWORK_NUT_ADDR: ENC[AES256_GCM,data:crW+MqPlCwaCs9k=,iv:e6LO2ELTDH84oXUIlF76CJ7MTuKNUPSJxG47kXW/yIo=,tag:3n22Qz7/Atuf49yibSSyAQ==,type:str] - #ENC[AES256_GCM,data:27uZO6UzcTf5A9D6,iv:1OXUBE3M/TYquUyfFO9QK3rQsAsJ8t/dex6vg+d1bao=,tag:q5T/XEhCtRnBuiYkpR3Ltw==,type:comment] - SECRET_NFS_VOLSYNC: ENC[AES256_GCM,data:m2oGkbu49oDsRV/7/bGy5xL0q0TViNh0rcHtQA==,iv:8fZv2xzVjzlC6PUX79RK3MguQjFG+kFwmlSlVBumwBQ=,tag:OHef6PwZO4LjP27pqZ4SbA==,type:str] - TRUSTED_CIDR: ENC[AES256_GCM,data:WuEfwOvS3rNQZ5Kw/YqK,iv:VZB2mzK1QkkGbjknpklpH3UWqfu4+1TTM8rYiZ0uIko=,tag:ipPi1MPUmsR+n957QHpS8w==,type:str] -sops: - kms: [] - gcp_kms: [] - azure_kv: [] - hc_vault: [] - age: - - recipient: age12v9uw8k6myrr49z9aq6jmcwa79aepu0p6p462nrv968qcae72pcspwldec - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBLaG00WmxPWjIvRjRVTTh3 - V05uRFA2UmFXOFJIZmFnS3FvZVN0MkMvRVhjCmRqVnlQZDBOcUlzTzNTTDlvVnV4 - ZTJ2RWd1M00yeWFTWEJVWUZITkYxU0EKLS0tIFlPcEtiN1E4SUlKckpyVm9ram5C - eG8vOG4zOXRQVW01K1hzNnNUdUxYNDQK2r6cmnIxsIDMUHfq8p0kOcr+E/KAea4z - tdtvD/HkOfTil0Qwld0NWRyA4DKC7AjhC0P8QlhYrNlfr5lqBqIFmQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-01-16T15:47:20Z" - mac: 
ENC[AES256_GCM,data:Iwn4Cy2R29pgfRr4jzrtcNtqJHz3jhcfo66544V2wxvPyTe3yb9co5mWDcIxBsACaNELK41A6qi2qxJhX8VFzCg8ZV/hTw8y2YAiLL044630YWkR5lTk+h35X+FaXUHDPgVLO21aD8HLWnnaesGHazgazSjGtgVvAbSnx4+cngw=,iv:h9NyphbGvUkTqyld7F9Vv80bFKqnpvKt5BBI3c5LEOo=,tag:gKpXe9Ctdr97stnwWkZUkg==,type:str] - pgp: [] - encrypted_regex: ^(data|stringData)$ - version: 3.9.3 diff --git a/kubernetes/shared/settings/cluster-settings.yaml b/kubernetes/shared/settings/cluster-settings.yaml index 7a528f746c..dc110f6599 100644 --- a/kubernetes/shared/settings/cluster-settings.yaml +++ b/kubernetes/shared/settings/cluster-settings.yaml @@ -8,3 +8,4 @@ data: TIMEZONE: "America/Edmonton" CLUSTER_CIDR: "10.42.0.0/16" NODE_CIDR: "10.69.1.0/24" + TRUSTED_CIDR: "192.168.30.0/24" diff --git a/kubernetes/shared/settings/kustomization.yaml b/kubernetes/shared/settings/kustomization.yaml index 3b96efbcb2..7df83325ef 100644 --- a/kubernetes/shared/settings/kustomization.yaml +++ b/kubernetes/shared/settings/kustomization.yaml @@ -3,5 +3,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1 kind: Kustomization resources: - - ./cluster-secrets.sops.yaml - ./cluster-settings.yaml diff --git a/kubernetes/shared/templates/gatus/external/configmap.yaml b/kubernetes/shared/templates/gatus/external/configmap.yaml index c87b49f7e1..cefbf0cbf2 100644 --- a/kubernetes/shared/templates/gatus/external/configmap.yaml +++ b/kubernetes/shared/templates/gatus/external/configmap.yaml @@ -10,7 +10,7 @@ data: endpoints: - name: "${APP}" group: ${CLUSTER}-external - url: "https://${GATUS_SUBDOMAIN:-${APP}}.${SECRET_DOMAIN}${GATUS_PATH:-/}" + url: "https://${GATUS_SUBDOMAIN:-${APP}}.jory.dev${GATUS_PATH:-/}" interval: 1m client: dns-resolver: tcp://1.1.1.1:53 diff --git a/kubernetes/shared/templates/gatus/guarded/configmap.yaml b/kubernetes/shared/templates/gatus/guarded/configmap.yaml index 5561a615f6..f5d0a6c8bf 100644 --- a/kubernetes/shared/templates/gatus/guarded/configmap.yaml 
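Review bot: Only `TRUSTED_CIDR` is re-homed into cluster-settings here, but the deleted `cluster-secrets` Secret also carried `CLOUDFLARE_ACCOUNT_ID`, and nothing in this diff hard-codes a replacement for `${CLOUDFLARE_ACCOUNT_ID}` the way the `SVC_*` and `SECRET_NFS_*` values were; if any manifest still references it, Flux's substitution will no longer resolve it (with strict envsubst that surfaces as a reconcile error, but it is worth a grep before merge). Moving `TRUSTED_CIDR` from a SOPS-encrypted Secret to a plain ConfigMap is a deliberate declassification of an internal RFC 1918 allow-list — low sensitivity, but it is now readable to anyone with the repository or ConfigMap read access in the Flux namespace. A one-line comment above it, `# Deliberately plaintext (moved out of cluster-secrets); internal allow-list CIDR`, would record that decision for the next reviewer.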
+++ b/kubernetes/shared/templates/gatus/guarded/configmap.yaml @@ -16,7 +16,7 @@ data: hide-hostname: true hide-url: true dns: - query-name: "${GATUS_SUBDOMAIN:-${APP}}.${SECRET_DOMAIN}" + query-name: "${GATUS_SUBDOMAIN:-${APP}}.jory.dev" query-type: A conditions: - "len([BODY]) == 0" diff --git a/kubernetes/utility/apps/cert-manager/cert-manager/issuers/clusterissuer.yaml b/kubernetes/utility/apps/cert-manager/cert-manager/issuers/clusterissuer.yaml index 2016baa3f0..ff59de4fad 100644 --- a/kubernetes/utility/apps/cert-manager/cert-manager/issuers/clusterissuer.yaml +++ b/kubernetes/utility/apps/cert-manager/cert-manager/issuers/clusterissuer.yaml @@ -7,18 +7,18 @@ metadata: spec: acme: server: https://acme-v02.api.letsencrypt.org/directory - email: "${SECRET_ACME_EMAIL}" + email: jory@jory.dev privateKeySecretRef: name: letsencrypt-production solvers: - dns01: cloudflare: - email: "${SECRET_ACME_EMAIL}" + email: jory@jory.dev apiTokenSecretRef: name: cloudflare-secret key: CLOUDFLARE_API_KEY selector: - dnsZones: ["${SECRET_DOMAIN}"] + dnsZones: ["jory.dev"] --- # yaml-language-server: $schema=https://kube-schemas.pages.dev/cert-manager.io/clusterissuer_v1.json apiVersion: cert-manager.io/v1 @@ -28,15 +28,15 @@ metadata: spec: acme: server: https://acme-staging-v02.api.letsencrypt.org/directory - email: "${SECRET_ACME_EMAIL}" + email: jory@jory.dev privateKeySecretRef: name: letsencrypt-staging solvers: - dns01: cloudflare: - email: "${SECRET_ACME_EMAIL}" + email: jory@jory.dev apiTokenSecretRef: name: cloudflare-secret key: CLOUDFLARE_API_KEY selector: - dnsZones: ["${SECRET_DOMAIN}"] + dnsZones: ["jory.dev"] diff --git a/kubernetes/utility/apps/cert-manager/cert-manager/tls/certificates.yaml b/kubernetes/utility/apps/cert-manager/cert-manager/tls/certificates.yaml index b2e7c3f1dc..9dd5cd53fd 100644 --- a/kubernetes/utility/apps/cert-manager/cert-manager/tls/certificates.yaml +++ b/kubernetes/utility/apps/cert-manager/cert-manager/tls/certificates.yaml 
@@ -3,11 +3,11 @@ apiVersion: cert-manager.io/v1 kind: Certificate metadata: - name: "${SECRET_DOMAIN}" + name: "jory.dev" spec: - secretName: "${SECRET_DOMAIN}-tls" + secretName: "jory.dev-tls" issuerRef: name: letsencrypt-production kind: ClusterIssuer - commonName: "${SECRET_DOMAIN}" - dnsNames: ["${SECRET_DOMAIN}", "*.${SECRET_DOMAIN}"] + commonName: "jory.dev" + dnsNames: ["jory.dev", "*.jory.dev"] diff --git a/kubernetes/utility/apps/cert-manager/cert-manager/tls/pushsecret.yaml b/kubernetes/utility/apps/cert-manager/cert-manager/tls/pushsecret.yaml index 92b150ec9a..0a501d112d 100644 --- a/kubernetes/utility/apps/cert-manager/cert-manager/tls/pushsecret.yaml +++ b/kubernetes/utility/apps/cert-manager/cert-manager/tls/pushsecret.yaml @@ -10,7 +10,7 @@ spec: kind: ClusterSecretStore selector: secret: - name: ${SECRET_DOMAIN}-tls + name: jory.dev-tls template: engineVersion: v2 data: diff --git a/kubernetes/utility/apps/cert-manager/cert-manager/tls/staging.yaml b/kubernetes/utility/apps/cert-manager/cert-manager/tls/staging.yaml index 98e31849f5..3ba8d52811 100644 --- a/kubernetes/utility/apps/cert-manager/cert-manager/tls/staging.yaml +++ b/kubernetes/utility/apps/cert-manager/cert-manager/tls/staging.yaml @@ -9,5 +9,5 @@ spec: issuerRef: name: letsencrypt-staging kind: ClusterIssuer - commonName: "${SECRET_DOMAIN}" - dnsNames: ["${SECRET_DOMAIN}", "*.${SECRET_DOMAIN}"] + commonName: "jory.dev" + dnsNames: ["jory.dev", "*.jory.dev"] diff --git a/kubernetes/utility/apps/flux-system/capacitor/app/helmrelease.yaml b/kubernetes/utility/apps/flux-system/capacitor/app/helmrelease.yaml index 051db9524e..1cea4fe3c6 100644 --- a/kubernetes/utility/apps/flux-system/capacitor/app/helmrelease.yaml +++ b/kubernetes/utility/apps/flux-system/capacitor/app/helmrelease.yaml @@ -60,7 +60,7 @@ spec: enabled: true className: internal hosts: - - host: "{{ .Release.Name }}-utility.${SECRET_DOMAIN}" + - host: "{{ .Release.Name }}-utility.jory.dev" paths: - path: / service: 
diff --git a/kubernetes/utility/apps/flux-system/flux-operator/instance/helm-values.yaml b/kubernetes/utility/apps/flux-system/flux-operator/instance/helm-values.yaml index 0e7836fc4e..70ea0b232a 100644 --- a/kubernetes/utility/apps/flux-system/flux-operator/instance/helm-values.yaml +++ b/kubernetes/utility/apps/flux-system/flux-operator/instance/helm-values.yaml @@ -21,17 +21,6 @@ instance: app.kubernetes.io/name: flux kustomize: patches: - # Add Sops decryption to Kustomizations - - patch: | - - op: add - path: /spec/decryption - value: - provider: sops - secretRef: - name: sops-age - target: - group: kustomize.toolkit.fluxcd.io - kind: Kustomization # Increase the number of workers and limits # Ref: https://fluxcd.io/flux/installation/configuration/vertical-scaling/#increase-the-number-of-workers-and-limits - patch: | diff --git a/kubernetes/utility/apps/flux-system/tofu-controller/terraform/authentik.yaml b/kubernetes/utility/apps/flux-system/tofu-controller/terraform/authentik.yaml index 83b811cf18..8cd9a7854a 100644 --- a/kubernetes/utility/apps/flux-system/tofu-controller/terraform/authentik.yaml +++ b/kubernetes/utility/apps/flux-system/tofu-controller/terraform/authentik.yaml @@ -13,7 +13,7 @@ spec: key = "authentik/authentik.tfstate" region = "main" endpoints = { - s3 = "https://s3.${SECRET_DOMAIN}" + s3 = "https://s3.jory.dev" } skip_credentials_validation = true diff --git a/kubernetes/utility/apps/flux-system/tofu-controller/terraform/minio.yaml b/kubernetes/utility/apps/flux-system/tofu-controller/terraform/minio.yaml index 1c9a63dc31..101dc24d3b 100644 --- a/kubernetes/utility/apps/flux-system/tofu-controller/terraform/minio.yaml +++ b/kubernetes/utility/apps/flux-system/tofu-controller/terraform/minio.yaml @@ -13,7 +13,7 @@ spec: key = "minio/minio.tfstate" region = "main" endpoints = { - s3 = "https://s3.${SECRET_DOMAIN}" + s3 = "https://s3.jory.dev" } skip_credentials_validation = true 
diff --git a/kubernetes/utility/apps/flux-system/weave-gitops/app/helmrelease.yaml b/kubernetes/utility/apps/flux-system/weave-gitops/app/helmrelease.yaml index 2b6562aaab..019b34ff81 100644 --- a/kubernetes/utility/apps/flux-system/weave-gitops/app/helmrelease.yaml +++ b/kubernetes/utility/apps/flux-system/weave-gitops/app/helmrelease.yaml @@ -31,7 +31,7 @@ spec: enabled: true className: internal hosts: - - host: gitops-utility.${SECRET_DOMAIN} + - host: gitops-utility.jory.dev paths: - path: / pathType: Prefix diff --git a/kubernetes/utility/apps/home-automation/home-assistant/app/helmrelease.yaml b/kubernetes/utility/apps/home-automation/home-assistant/app/helmrelease.yaml index 6df506d02d..f34ec24293 100644 --- a/kubernetes/utility/apps/home-automation/home-assistant/app/helmrelease.yaml +++ b/kubernetes/utility/apps/home-automation/home-assistant/app/helmrelease.yaml @@ -79,7 +79,7 @@ spec: nameOverride: *app type: LoadBalancer annotations: - lbipam.cilium.io/ips: ${SVC_HOME_ASSISTANT_ADDR:=temp} + lbipam.cilium.io/ips: 10.69.1.133 ports: http: port: 8123 @@ -89,7 +89,7 @@ spec: app: className: external hosts: - - host: hass.${SECRET_DOMAIN} + - host: hass.jory.dev paths: - path: / service: @@ -98,7 +98,7 @@ spec: codeserver: className: internal hosts: - - host: hass-code.${SECRET_DOMAIN} + - host: hass-code.jory.dev paths: - path: / service: diff --git a/kubernetes/utility/apps/home-automation/mosquitto/app/helmrelease.yaml b/kubernetes/utility/apps/home-automation/mosquitto/app/helmrelease.yaml index b019af588d..6f2f4ceb99 100644 --- a/kubernetes/utility/apps/home-automation/mosquitto/app/helmrelease.yaml +++ b/kubernetes/utility/apps/home-automation/mosquitto/app/helmrelease.yaml 
@@ -65,8 +65,8 @@ spec: controller: *app type: LoadBalancer annotations: - external-dns.alpha.kubernetes.io/hostname: mqtt.${SECRET_DOMAIN} - lbipam.cilium.io/ips: ${SVC_MQTT_ADDR:=temp} + external-dns.alpha.kubernetes.io/hostname: mqtt.jory.dev + lbipam.cilium.io/ips: 10.69.1.134 ports: http: port: 1883 diff --git a/kubernetes/utility/apps/home-automation/zigbee2mqtt/app/helmrelease.yaml b/kubernetes/utility/apps/home-automation/zigbee2mqtt/app/helmrelease.yaml index f790e640e6..d6d920e7a8 100644 --- a/kubernetes/utility/apps/home-automation/zigbee2mqtt/app/helmrelease.yaml +++ b/kubernetes/utility/apps/home-automation/zigbee2mqtt/app/helmrelease.yaml @@ -103,7 +103,7 @@ spec: app: className: internal hosts: - - host: zigbee.${SECRET_DOMAIN} + - host: zigbee.jory.dev paths: - path: / service: diff --git a/kubernetes/utility/apps/kube-system/cilium/app/helmrelease.yaml b/kubernetes/utility/apps/kube-system/cilium/app/helmrelease.yaml index 7ca0f1b878..38888c8276 100644 --- a/kubernetes/utility/apps/kube-system/cilium/app/helmrelease.yaml +++ b/kubernetes/utility/apps/kube-system/cilium/app/helmrelease.yaml @@ -58,4 +58,4 @@ spec: ingress: enabled: true className: internal - hosts: ["hubble-utility.${SECRET_DOMAIN}"] + hosts: ["hubble-utility.jory.dev"] diff --git a/kubernetes/utility/apps/network/external/cloudflare-ddns/helmrelease.yaml b/kubernetes/utility/apps/network/external/cloudflare-ddns/helmrelease.yaml index fe0f2ea3cf..791ae62b8b 100644 --- a/kubernetes/utility/apps/network/external/cloudflare-ddns/helmrelease.yaml +++ b/kubernetes/utility/apps/network/external/cloudflare-ddns/helmrelease.yaml @@ -34,9 +34,9 @@ spec: tag: v1.0.3@sha256:2ee2ba2f4741a771fdf6333dce33f50a4fc739f64388966d3c7d27c07c22f18b args: - --zone-name - - ${SECRET_DOMAIN} + - jory.dev - --record-name - - ipv4.${SECRET_DOMAIN} + - ipv4.jory.dev - --provider - random env: 
@@ -87,7 +87,7 @@ spec: app: className: internal hosts: - - host: "ddns.${SECRET_DOMAIN}" + - host: "ddns.jory.dev" paths: - path: / service: diff --git a/kubernetes/utility/apps/network/external/cloudflared/dnsendpoint.yaml b/kubernetes/utility/apps/network/external/cloudflared/dnsendpoint.yaml index 263da56442..570d2df24b 100644 --- a/kubernetes/utility/apps/network/external/cloudflared/dnsendpoint.yaml +++ b/kubernetes/utility/apps/network/external/cloudflared/dnsendpoint.yaml @@ -6,6 +6,6 @@ metadata: name: cloudflared spec: endpoints: - - dnsName: "external-utility.${SECRET_DOMAIN}" + - dnsName: "external-utility.jory.dev" recordType: CNAME targets: ["4e64e0e1-a45d-40c2-bb22-1d94f3bb51ba.cfargotunnel.com"] diff --git a/kubernetes/utility/apps/network/external/cloudflared/resources/config.yaml b/kubernetes/utility/apps/network/external/cloudflared/resources/config.yaml index f61dd5bc32..2193f746ae 100644 --- a/kubernetes/utility/apps/network/external/cloudflared/resources/config.yaml +++ b/kubernetes/utility/apps/network/external/cloudflared/resources/config.yaml @@ -1,10 +1,10 @@ --- originRequest: - originServerName: external-utility.${SECRET_DOMAIN} + originServerName: external-utility.jory.dev ingress: - - hostname: ${SECRET_DOMAIN} + - hostname: jory.dev service: https://external-ingress-nginx-controller.network.svc.cluster.local:443 - - hostname: "*.${SECRET_DOMAIN}" + - hostname: "*.jory.dev" service: https://external-ingress-nginx-controller.network.svc.cluster.local:443 - service: http_status:404 diff --git a/kubernetes/utility/apps/network/external/echo-server/helmrelease.yaml b/kubernetes/utility/apps/network/external/echo-server/helmrelease.yaml index 1d99bb3844..e00075ced4 100644 --- a/kubernetes/utility/apps/network/external/echo-server/helmrelease.yaml +++ b/kubernetes/utility/apps/network/external/echo-server/helmrelease.yaml 
@@ -94,7 +94,7 @@ spec: app: className: external hosts: - - host: "{{ .Release.Name }}-utility.${SECRET_DOMAIN}" + - host: "{{ .Release.Name }}-utility.jory.dev" paths: - path: / service: diff --git a/kubernetes/utility/apps/network/external/external-dns/helmrelease.yaml b/kubernetes/utility/apps/network/external/external-dns/helmrelease.yaml index 54e59ff66e..681c14fc3d 100644 --- a/kubernetes/utility/apps/network/external/external-dns/helmrelease.yaml +++ b/kubernetes/utility/apps/network/external/external-dns/helmrelease.yaml @@ -46,7 +46,7 @@ spec: sources: ["crd", "ingress"] txtOwnerId: ${CLUSTER} txtPrefix: k8s.${CLUSTER}. - domainFilters: ["${SECRET_DOMAIN}"] + domainFilters: ["jory.dev"] serviceMonitor: enabled: true podAnnotations: diff --git a/kubernetes/utility/apps/network/external/ingress-nginx/helmrelease.yaml b/kubernetes/utility/apps/network/external/ingress-nginx/helmrelease.yaml index 772513d655..da6178bb05 100644 --- a/kubernetes/utility/apps/network/external/ingress-nginx/helmrelease.yaml +++ b/kubernetes/utility/apps/network/external/ingress-nginx/helmrelease.yaml @@ -28,8 +28,8 @@ spec: replicaCount: 1 service: annotations: - external-dns.alpha.kubernetes.io/hostname: &hostname external-utility.${SECRET_DOMAIN} - lbipam.cilium.io/ips: ${SVC_NGINX_EXTERNAL:=temp} + external-dns.alpha.kubernetes.io/hostname: &hostname external-utility.jory.dev + lbipam.cilium.io/ips: 10.69.1.132 ingressClassResource: name: external default: false @@ -73,7 +73,7 @@ spec: namespaceSelector: any: true extraArgs: - default-ssl-certificate: cert-manager/${SECRET_DOMAIN}-tls + default-ssl-certificate: cert-manager/jory.dev-tls publish-status-address: *hostname terminationGracePeriodSeconds: 120 publishService: diff --git a/kubernetes/utility/apps/network/internal/external-dns/helmrelease.yaml b/kubernetes/utility/apps/network/internal/external-dns/helmrelease.yaml index f91e39d802..39f04d5cf8 100644 
--- a/kubernetes/utility/apps/network/internal/external-dns/helmrelease.yaml +++ b/kubernetes/utility/apps/network/internal/external-dns/helmrelease.yaml @@ -60,7 +60,7 @@ spec: sources: ["ingress", "service"] txtOwnerId: ${CLUSTER} txtPrefix: k8s.${CLUSTER}. - domainFilters: ["${SECRET_DOMAIN}"] + domainFilters: ["jory.dev"] serviceMonitor: enabled: true podAnnotations: diff --git a/kubernetes/utility/apps/network/internal/ingress-nginx/helmrelease.yaml b/kubernetes/utility/apps/network/internal/ingress-nginx/helmrelease.yaml index 131c3647df..a7cdb9279a 100644 --- a/kubernetes/utility/apps/network/internal/ingress-nginx/helmrelease.yaml +++ b/kubernetes/utility/apps/network/internal/ingress-nginx/helmrelease.yaml @@ -28,8 +28,8 @@ spec: replicaCount: 1 service: annotations: - external-dns.alpha.kubernetes.io/hostname: &hostname internal-utility.${SECRET_DOMAIN} - lbipam.cilium.io/ips: ${SVC_NGINX_INTERNAL:=temp} + external-dns.alpha.kubernetes.io/hostname: &hostname internal-utility.jory.dev + lbipam.cilium.io/ips: 10.69.1.131 externalTrafficPolicy: Cluster ingressClassResource: name: internal @@ -74,7 +74,7 @@ spec: namespaceSelector: any: true extraArgs: - default-ssl-certificate: cert-manager/${SECRET_DOMAIN}-tls + default-ssl-certificate: cert-manager/jory.dev-tls publish-status-address: *hostname terminationGracePeriodSeconds: 120 publishService: diff --git a/kubernetes/utility/apps/observability/gatus/app/helmrelease.yaml b/kubernetes/utility/apps/observability/gatus/app/helmrelease.yaml index 6cc6d9c168..8a7dd8293c 100644 --- a/kubernetes/utility/apps/observability/gatus/app/helmrelease.yaml +++ b/kubernetes/utility/apps/observability/gatus/app/helmrelease.yaml @@ -111,7 +111,7 @@ spec: app: className: external hosts: - - host: status-utility.${SECRET_DOMAIN} + - host: status-utility.jory.dev paths: - path: / service: 
diff --git a/kubernetes/utility/apps/observability/grafana/app/helmrelease.yaml b/kubernetes/utility/apps/observability/grafana/app/helmrelease.yaml index 776c002850..0e19c12415 100644 --- a/kubernetes/utility/apps/observability/grafana/app/helmrelease.yaml +++ b/kubernetes/utility/apps/observability/grafana/app/helmrelease.yaml @@ -32,7 +32,7 @@ spec: GF_FEATURE_TOGGLES_ENABLE: publicDashboards GF_PLUGINS_ALLOW_LOADING_UNSIGNED_PLUGINS: natel-discrete-panel,pr0ps-trackmap-panel,panodata-map-panel GF_SECURITY_COOKIE_SAMESITE: *app - GF_SERVER_ROOT_URL: https://grafana-utility.${SECRET_DOMAIN} + GF_SERVER_ROOT_URL: https://grafana-utility.jory.dev envFromSecrets: - name: grafana-secret grafana.ini: @@ -41,7 +41,7 @@ spec: check_for_plugin_updates: false reporting_enabled: false auth: - signout_redirect_url: https://sso.${SECRET_DOMAIN}/application/o/grafana/end-session/ + signout_redirect_url: https://sso.jory.dev/application/o/grafana/end-session/ oauth_auto_login: false oauth_allow_insecure_email_lookup: true auth.anonymous: @@ -53,9 +53,9 @@ spec: name: authentik enabled: true scopes: openid email profile - auth_url: https://sso.${SECRET_DOMAIN}/application/o/authorize/ - token_url: https://sso.${SECRET_DOMAIN}/application/o/token/ - api_url: https://sso.${SECRET_DOMAIN}/application/o/userinfo/ + auth_url: https://sso.jory.dev/application/o/authorize/ + token_url: https://sso.jory.dev/application/o/token/ + api_url: https://sso.jory.dev/application/o/userinfo/ # Optionally map user groups to Grafana roles role_attribute_path: contains(groups[*], 'Grafana Admins') && 'Admin' || contains(groups[*], 'Grafana Editors') && 'Editor' || 'Viewer' deploymentStrategy: @@ -252,6 +252,6 @@ spec: enabled: true ingressClassName: external hosts: - - "{{ .Release.Name }}-utility.${SECRET_DOMAIN}" + - "{{ .Release.Name }}-utility.jory.dev" persistence: enabled: false 
diff --git a/kubernetes/utility/apps/observability/kube-prometheus-stack/app/helmrelease.yaml b/kubernetes/utility/apps/observability/kube-prometheus-stack/app/helmrelease.yaml
index 41ac735a06..b1ec51f196 100644
--- a/kubernetes/utility/apps/observability/kube-prometheus-stack/app/helmrelease.yaml
+++ b/kubernetes/utility/apps/observability/kube-prometheus-stack/app/helmrelease.yaml
@@ -37,13 +37,13 @@ spec:
 enabled: true
 pathType: Prefix
 ingressClassName: internal
- hosts: ["alertmanager-utility.${SECRET_DOMAIN}"]
+ hosts: ["alertmanager-utility.jory.dev"]
 alertmanagerSpec:
 alertmanagerConfiguration:
 name: alertmanager
 global:
 resolveTimeout: 5m
- externalUrl: https://alertmanager-utility.${SECRET_DOMAIN}
+ externalUrl: https://alertmanager-utility.jory.dev
 storage:
 volumeClaimTemplate:
 spec:
@@ -129,7 +129,7 @@ spec:
 enabled: true
 ingressClassName: internal
 pathType: Prefix
- hosts: ["prometheus-utility.${SECRET_DOMAIN}"]
+ hosts: ["prometheus-utility.jory.dev"]
 prometheusSpec:
 enableAdminAPI: true
 walCompression: true
diff --git a/kubernetes/utility/apps/observability/network-ups-tools/app/helmrelease.yaml b/kubernetes/utility/apps/observability/network-ups-tools/app/helmrelease.yaml
index 1023943421..5374bcfcb8 100644
--- a/kubernetes/utility/apps/observability/network-ups-tools/app/helmrelease.yaml
+++ b/kubernetes/utility/apps/observability/network-ups-tools/app/helmrelease.yaml
@@ -50,8 +50,8 @@ spec:
 controller: *app
 type: LoadBalancer
 annotations:
- lbipam.cilium.io/ips: ${SVC_NETWORK_NUT_ADDR:=temp}
- external-dns.alpha.kubernetes.io/hostname: network-nut.${SECRET_DOMAIN}
+ lbipam.cilium.io/ips: 10.69.1.136
+ external-dns.alpha.kubernetes.io/hostname: network-nut.jory.dev
 externalTrafficPolicy: Cluster
 ports:
 http:
diff --git a/kubernetes/utility/apps/self-hosted/it-tools/app/helmrelease.yaml b/kubernetes/utility/apps/self-hosted/it-tools/app/helmrelease.yaml
index 79c4914caf..e7ec372836 100644
--- a/kubernetes/utility/apps/self-hosted/it-tools/app/helmrelease.yaml
+++ b/kubernetes/utility/apps/self-hosted/it-tools/app/helmrelease.yaml
@@ -62,7 +62,7 @@ spec:
 app:
 className: external
 hosts:
- - host: "{{ .Release.Name }}.${SECRET_DOMAIN}"
+ - host: "{{ .Release.Name }}.jory.dev"
 paths:
 - path: /
 service:
diff --git a/kubernetes/utility/apps/self-hosted/meshcentral/app/helmrelease.yaml b/kubernetes/utility/apps/self-hosted/meshcentral/app/helmrelease.yaml
index fb47e6f210..4246715dd5 100644
--- a/kubernetes/utility/apps/self-hosted/meshcentral/app/helmrelease.yaml
+++ b/kubernetes/utility/apps/self-hosted/meshcentral/app/helmrelease.yaml
@@ -38,7 +38,7 @@ spec:
 env:
 TZ: ${TIMEZONE}
 NODE_ENV: production
- HOSTNAME: &host mesh.${SECRET_DOMAIN}
+ HOSTNAME: &host mesh.jory.dev
 ALLOW_NEW_ACCOUNTS: "false"
 securityContext:
 allowPrivilegeEscalation: false
diff --git a/kubernetes/utility/apps/self-hosted/thelounge/app/helmrelease.yaml b/kubernetes/utility/apps/self-hosted/thelounge/app/helmrelease.yaml
index 3c247fd883..90b2f6c37f 100644
--- a/kubernetes/utility/apps/self-hosted/thelounge/app/helmrelease.yaml
+++ b/kubernetes/utility/apps/self-hosted/thelounge/app/helmrelease.yaml
@@ -69,7 +69,7 @@ spec:
 app:
 className: external
 hosts:
- - host: tl.${SECRET_DOMAIN}
+ - host: tl.jory.dev
 paths:
 - path: /
 service:
diff --git a/kubernetes/utility/flux/config/cluster.yaml b/kubernetes/utility/flux/config/cluster.yaml
index baffbf1a94..c28920b1d1 100644
--- a/kubernetes/utility/flux/config/cluster.yaml
+++ b/kubernetes/utility/flux/config/cluster.yaml
@@ -14,10 +14,6 @@ spec:
 sourceRef:
 kind: GitRepository
 name: flux-system
- decryption:
- provider: sops
- secretRef:
- name: sops-age
 ---
 # yaml-language-server: $schema=https://kube-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
 apiVersion: kustomize.toolkit.fluxcd.io/v1
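Review bot: Dropping the `decryption` block from this Flux Kustomization in cluster.yaml (and from the two others in the following hunks of the same file) means Flux stops running SOPS on anything reconciled under these paths, yet only `cluster-secrets.sops.yaml` is deleted in this diff. Any other `*.sops.yaml` still under the utility tree would from now on be applied with its `ENC[...]` values and `sops:` block intact rather than decrypted, which would presumably be rejected by the API server as an unknown field; a tree search for remaining `.sops.yaml` files under these paths before merging would settle it. If none remain, the `sops-age` Secret is no longer referenced by these Kustomizations and could be retired to shrink that key's exposure.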
@@ -50,10 +46,6 @@ spec:
 sourceRef:
 kind: GitRepository
 name: flux-system
- decryption:
- provider: sops
- secretRef:
- name: sops-age
 ---
 # yaml-language-server: $schema=https://kube-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
 apiVersion: kustomize.toolkit.fluxcd.io/v1
@@ -72,50 +64,3 @@ spec:
 sourceRef:
 kind: GitRepository
 name: flux-system
- decryption:
- provider: sops
- secretRef:
- name: sops-age
- postBuild:
- substituteFrom:
- - name: cluster-settings
- kind: ConfigMap
- optional: true
- - name: cluster-settings-utility
- kind: ConfigMap
- optional: true
- - name: cluster-secrets
- kind: Secret
- optional: true
- - name: cluster-secrets-utility
- kind: Secret
- optional: true
- patches:
- - patch: |-
- apiVersion: kustomize.toolkit.fluxcd.io/v1
- kind: Kustomization
- metadata:
- name: not-used
- spec:
- decryption:
- provider: sops
- secretRef:
- name: sops-age
- postBuild:
- substituteFrom:
- - name: cluster-settings
- kind: ConfigMap
- optional: true
- - name: cluster-settings-utility
- kind: ConfigMap
- optional: true
- - name: cluster-secrets
- kind: Secret
- optional: true
- - name: cluster-secrets-utility
- kind: Secret
- optional: true
- target:
- group: kustomize.toolkit.fluxcd.io
- kind: Kustomization
- labelSelector: substitution.flux.home.arpa/disabled notin (true)
diff --git a/kubernetes/utility/flux/settings/cluster-secrets.sops.yaml b/kubernetes/utility/flux/settings/cluster-secrets.sops.yaml
deleted file mode 100644
index 566bde9d30..0000000000
--- a/kubernetes/utility/flux/settings/cluster-secrets.sops.yaml
+++ /dev/null
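Review bot: The `substituteFrom` list removed in the `@@ -72,50` hunk (and the patch that propagated it to child Kustomizations) referenced `cluster-settings-utility`, but the MutatingAdmissionPolicies added in ks-substitution.yaml later in this diff inject `cluster-settings` and `cluster-settings-main` instead; nothing in the new configuration names `cluster-settings-utility`, which in a `kubernetes/utility/` tree reads like a copy from the main cluster's policy. Because the injected entries are `optional: true`, a missing ConfigMap raises no error, so variables this diff still relies on, such as `${CLUSTER}` and `${TIMEZONE}`, would silently go unresolved if they are defined only in `cluster-settings-utility`. Either change the injected name to `cluster-settings-utility` in the new policies or confirm that `cluster-settings-main` is really intended here. The `cluster-secrets` and `cluster-secrets-utility` Secret references are also gone, and the deleted Secret still held `CLOUDFLARE_TUNNEL_ID`, `SVC_HOME_ASSISTANT_ADDR`, `SVC_MQTT_ADDR` and `SVC_NGINX_EXTERNAL`, whose consumers are not in this diff; any remaining `${...}` reference to them would no longer resolve.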
@@ -1,31 +0,0 @@
-apiVersion: v1
-kind: Secret
-metadata:
- name: cluster-secrets-utility
-stringData:
- #ENC[AES256_GCM,data:xxnbfu67wgLvZ0PqTcNN0Q==,iv:LasA5aqx6l471zjQEEVJuPHGUWr+meE1DKMask3+Zb4=,tag:hgtvtQXcoMaInOpBa++mgw==,type:comment]
- CLOUDFLARE_TUNNEL_ID: ENC[AES256_GCM,data:ML50Qq14IREwEbAM/N1JOKRZqfBcNa3zQGyy3cLXn3Mpn8nY,iv:lj5fvYFno80fnNu/tgD8UKPPAC1AnuMtQcS/D2rMTTU=,tag:kVGtheTEWcMRQEp/2yTtlA==,type:str]
- SVC_HOME_ASSISTANT_ADDR: ENC[AES256_GCM,data:KlS7OuwdThCf8qg=,iv:Tv51Qc+2q2jmm83YfpKwcqJCOVap9WACE7yTrpvr9h0=,tag:Sk7GdOaHC9NORZIGsxlCxg==,type:str]
- SVC_MQTT_ADDR: ENC[AES256_GCM,data:JLe9yBBRNm4rQ3Y=,iv:35bLdpiBgXNeWPMYpAY6ehGBQVeZh3HZpMMyzXeqq0I=,tag:AaH6B2ycs0ZZARXGaYuu+g==,type:str]
- SVC_NGINX_EXTERNAL: ENC[AES256_GCM,data:EEnrrSfroxhmdK0=,iv:A2CoFRYWGqyWYD/825xZ62Ppl9Rd1fAdDTC1iIoCFEE=,tag:DBn3cz0JIFxlbQILnLoegw==,type:str]
- SVC_NGINX_INTERNAL: ENC[AES256_GCM,data:ilfw6QhaTh0U7UU=,iv:eJ7/LGu8IZZjWJvDcl0DCAiavC8gf0gO8MTyQ04q3Ck=,tag:Feg8UOuivAv2gyeSh4OuCA==,type:str]
-sops:
- kms: []
- gcp_kms: []
- azure_kv: []
- hc_vault: []
- age:
- - recipient: age12v9uw8k6myrr49z9aq6jmcwa79aepu0p6p462nrv968qcae72pcspwldec
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA4SnlFNVh6cDhuaXdSdXg1
- a2IwUXFvejRQc2Z6NlR4ak5pdWJ5Q1JtU3pjCldleml5RXA4Tk5wc3VQZW5kNXlm
- enpieDhJL3dUQkxKQ2hKVldiTFhGa2MKLS0tIFV2ZWFJTGVodmNhS0FUQzZMbExY
- ZjkzSGxlT1R6VHNHNDVNb3hBVzNVZ3MKMtBhVS0FKr6NWqv9S6mSOhjCDIdO3uNz
- OS9Qh8tX5J/s1ZH6z3/DNLWKonA6mccm1kH7jNQe/+w4ozYxa4me9Q==
- -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-01-16T15:47:07Z"
- mac: ENC[AES256_GCM,data:zjJM5WabD1HUlAixKj0XjeasE/rBEScOrY3KqgcdZtuaoNpPUT/NTFHeEH6nuMelqa0XfjJKwviYVVkaCaWldbp33h1doRyHSK5RusAJ1qbPCZBjvkpZ4bnBwz3DM4GPGoo2T2fGpoaxEWHqfRj7V3kIfnijiWQldyp1DAMIh64=,iv:vZwL7Kb0EaafROrcxpdEuiBJ9amJeqzosoJFtJFGHjA=,tag:wG9oYEUDvjgwOE5xPJGG9Q==,type:str]
- pgp: []
- encrypted_regex: ^(data|stringData)$
- version: 3.9.3
diff --git a/kubernetes/utility/flux/settings/ks-substitution.yaml b/kubernetes/utility/flux/settings/ks-substitution.yaml
new file mode 100644
index 0000000000..043023af8c
--- /dev/null
+++ b/kubernetes/utility/flux/settings/ks-substitution.yaml
@@ -0,0 +1,213 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/v1.32.0/mutatingadmissionpolicybinding-admissionregistration-v1alpha1.json
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: MutatingAdmissionPolicyBinding
+metadata:
+ name: flux-ks-no-postbuild
+spec:
+ policyName: flux-ks-no-postbuild
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/v1.32.0/mutatingadmissionpolicybinding-admissionregistration-v1alpha1.json
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: MutatingAdmissionPolicyBinding
+metadata:
+ name: flux-ks-no-substitutefrom
+spec:
+ policyName: flux-ks-no-substitutefrom
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/v1.32.0/mutatingadmissionpolicybinding-admissionregistration-v1alpha1.json
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: MutatingAdmissionPolicyBinding
+metadata:
+ name: flux-ks-add-cluster-settings
+spec:
+ policyName: flux-ks-add-cluster-settings
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/v1.32.0/mutatingadmissionpolicybinding-admissionregistration-v1alpha1.json
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: MutatingAdmissionPolicyBinding
+metadata:
+ name: flux-ks-add-cluster-settings-main
+spec:
+ policyName: flux-ks-add-cluster-settings-main
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/v1.32.0/mutatingadmissionpolicy-admissionregistration-v1alpha1.json
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: MutatingAdmissionPolicy
+metadata:
+ name: flux-ks-no-postbuild
+spec:
+ matchConstraints:
+ resourceRules:
+ - apiGroups: ["kustomize.toolkit.fluxcd.io"]
+ apiVersions: ["v1"]
+ operations: ["CREATE", "UPDATE"]
+ resources: 
["kustomizations"]
+ matchConditions:
+ - name: name-is-not-flux-system
+ expression: >
+ !(object.metadata.name == "flux-system")
+ - name: postbuild-field-does-not-exist
+ expression: >
+ !has(object.spec.postBuild)
+ failurePolicy: Fail
+ reinvocationPolicy: IfNeeded
+ mutations:
+ - patchType: "JSONPatch"
+ jsonPatch:
+ expression: >
+ [
+ JSONPatch{
+ op: "add", path: "/spec/postBuild",
+ value: {}
+ },
+ JSONPatch{
+ op: "add", path: "/spec/postBuild/substituteFrom",
+ value: []
+ },
+ JSONPatch{
+ op: "add", path: "/spec/postBuild/substituteFrom/-",
+ value: Object.spec.postBuild.substituteFrom{
+ name: "cluster-settings",
+ kind: "ConfigMap",
+ optional: true
+ }
+ },
+ JSONPatch{
+ op: "add", path: "/spec/postBuild/substituteFrom/-",
+ value: Object.spec.postBuild.substituteFrom{
+ name: "cluster-settings-main",
+ kind: "ConfigMap",
+ optional: true
+ }
+ }
+ ]
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/v1.32.0/mutatingadmissionpolicy-admissionregistration-v1alpha1.json
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: MutatingAdmissionPolicy
+metadata:
+ name: flux-ks-no-substitutefrom
+spec:
+ matchConstraints:
+ resourceRules:
+ - apiGroups: ["kustomize.toolkit.fluxcd.io"]
+ apiVersions: ["v1"]
+ operations: ["CREATE", "UPDATE"]
+ resources: ["kustomizations"]
+ matchConditions:
+ - name: name-is-not-flux-system
+ expression: >
+ !(object.metadata.name == "flux-system")
+ - name: has-postbuild-field
+ expression: >
+ has(object.spec.postBuild)
+ - name: substitutefrom-field-does-not-exist
+ expression: >
+ !has(object.spec.postBuild.substituteFrom)
+ failurePolicy: Fail
+ reinvocationPolicy: IfNeeded
+ mutations:
+ - patchType: "JSONPatch"
+ jsonPatch:
+ expression: >
+ [
+ JSONPatch{
+ op: "add", path: "/spec/postBuild/substituteFrom",
+ value: []
+ },
+ JSONPatch{
+ op: "add", path: "/spec/postBuild/substituteFrom/-",
+ value: Object.spec.postBuild.substituteFrom{
+ 
name: "cluster-settings",
+ kind: "ConfigMap",
+ optional: true
+ }
+ },
+ JSONPatch{
+ op: "add", path: "/spec/postBuild/substituteFrom/-",
+ value: Object.spec.postBuild.substituteFrom{
+ name: "cluster-settings-main",
+ kind: "ConfigMap",
+ optional: true
+ }
+ }
+ ]
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/v1.32.0/mutatingadmissionpolicy-admissionregistration-v1alpha1.json
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: MutatingAdmissionPolicy
+metadata:
+ name: flux-ks-add-cluster-settings
+spec:
+ matchConstraints:
+ resourceRules:
+ - apiGroups: ["kustomize.toolkit.fluxcd.io"]
+ apiVersions: ["v1"]
+ operations: ["CREATE", "UPDATE"]
+ resources: ["kustomizations"]
+ matchConditions:
+ - name: name-is-not-flux-system
+ expression: >
+ !(object.metadata.name == "flux-system")
+ - name: has-substitutefrom-field
+ expression: >
+ (has(object.spec.postBuild) && has(object.spec.postBuild.substituteFrom))
+ - name: cluster-settings-configmap-not-present
+ expression: >
+ !object.spec.postBuild.substituteFrom.exists(item, item.name == "cluster-settings")
+ failurePolicy: Fail
+ reinvocationPolicy: IfNeeded
+ mutations:
+ - patchType: "JSONPatch"
+ jsonPatch:
+ expression: >
+ [
+ JSONPatch{
+ op: "add", path: "/spec/postBuild/substituteFrom/-",
+ value: Object.spec.postBuild.substituteFrom{
+ name: "cluster-settings",
+ kind: "ConfigMap",
+ optional: true
+ }
+ }
+ ]
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/yannh/kubernetes-json-schema/refs/heads/master/v1.32.0/mutatingadmissionpolicy-admissionregistration-v1alpha1.json
+apiVersion: admissionregistration.k8s.io/v1alpha1
+kind: MutatingAdmissionPolicy
+metadata:
+ name: flux-ks-add-cluster-settings-main
+spec:
+ matchConstraints:
+ resourceRules:
+ - apiGroups: ["kustomize.toolkit.fluxcd.io"]
+ apiVersions: ["v1"]
+ operations: ["CREATE", "UPDATE"]
+ resources: ["kustomizations"]
+ matchConditions:
+ 
- name: name-is-not-flux-system
+ expression: >
+ !(object.metadata.name == "flux-system")
+ - name: has-substitutefrom-field
+ expression: >
+ (has(object.spec.postBuild) && has(object.spec.postBuild.substituteFrom))
+ - name: cluster-settings-configmap-not-present
+ expression: >
+ !object.spec.postBuild.substituteFrom.exists(item, item.name == "cluster-settings")
+ failurePolicy: Fail
+ reinvocationPolicy: IfNeeded
+ mutations:
+ - patchType: "JSONPatch"
+ jsonPatch:
+ expression: >
+ [
+ JSONPatch{
+ op: "add", path: "/spec/postBuild/substituteFrom/-",
+ value: Object.spec.postBuild.substituteFrom{
+ name: "cluster-settings-main",
+ kind: "ConfigMap",
+ optional: true
+ }
+ }
+ ]
diff --git a/kubernetes/utility/flux/settings/kustomization.yaml b/kubernetes/utility/flux/settings/kustomization.yaml
index 3b96efbcb2..b3d1238ca7 100644
--- a/kubernetes/utility/flux/settings/kustomization.yaml
+++ b/kubernetes/utility/flux/settings/kustomization.yaml
@@ -3,5 +3,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
- - ./cluster-secrets.sops.yaml
 - ./cluster-settings.yaml
+ - ./ks-substitution.yaml
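Review bot: In the `flux-ks-add-cluster-settings-main` policy the `cluster-settings-configmap-not-present` match condition tests `item.name == "cluster-settings"` while the mutation appends `cluster-settings-main`, so the guard does not protect the entry it adds: a Kustomization that already lists `cluster-settings` but not `cluster-settings-main` never receives the second entry, and one that already lists `cluster-settings-main` gets a duplicate appended on every UPDATE. The condition should read `!object.spec.postBuild.substituteFrom.exists(item, item.name == "cluster-settings-main")` and be renamed `cluster-settings-main-configmap-not-present` to match. Separately, `MutatingAdmissionPolicy` is served as `v1alpha1` in the v1.32 schema these documents reference, so the file only takes effect when that alpha API group and its feature gate are enabled on the API server; a one-line comment at the top of the file stating that prerequisite, and that `failurePolicy: Fail` makes every Kustomization write depend on it, would save the next operator a confusing debugging session.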