Compare commits
1 Commits
auto-updat
...
auto-updat
| Author | SHA1 | Date | |
|---|---|---|---|
|
d9007b5da6 |
@@ -49,7 +49,6 @@ ArgoCD homelab project
|
||||
| **k8s-secrets** | [](https://ag.hexor.cy/applications/argocd/k8s-secrets) |
|
||||
| **khm** | [](https://ag.hexor.cy/applications/argocd/khm) |
|
||||
| **lidarr** | [](https://ag.hexor.cy/applications/argocd/lidarr) |
|
||||
| **matrix** | [](https://ag.hexor.cy/applications/argocd/matrix) |
|
||||
| **mtproxy** | [](https://ag.hexor.cy/applications/argocd/mtproxy) |
|
||||
| **n8n** | [](https://ag.hexor.cy/applications/argocd/n8n) |
|
||||
| **ollama** | [](https://ag.hexor.cy/applications/argocd/ollama) |
|
||||
|
||||
@@ -154,63 +154,3 @@ spec:
|
||||
value: "k8s-runner"
|
||||
- name: GITEA_RUNNER_LABELS
|
||||
value: "ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest,ubuntu-22.04:docker://ghcr.io/catthehacker/ubuntu:act-22.04,ubuntu-20.04:docker://ghcr.io/catthehacker/ubuntu:act-20.04"
|
||||
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: gitea-runner-desktop
|
||||
spec:
|
||||
replicas: 1
|
||||
selector:
|
||||
matchLabels:
|
||||
app: gitea-runner-desktop
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: gitea-runner-desktop
|
||||
spec:
|
||||
nodeSelector:
|
||||
kubernetes.io/hostname: uk-desktop.tail2fe2d.ts.net
|
||||
tolerations:
|
||||
- key: workload
|
||||
operator: Equal
|
||||
value: desktop
|
||||
effect: NoSchedule
|
||||
volumes:
|
||||
- name: docker-sock
|
||||
hostPath:
|
||||
path: /var/run/docker.sock
|
||||
type: Socket
|
||||
- name: runner-data
|
||||
emptyDir:
|
||||
sizeLimit: 30Gi
|
||||
containers:
|
||||
- name: gitea-runner
|
||||
image: gitea/act_runner:nightly
|
||||
resources:
|
||||
requests:
|
||||
cpu: "100m"
|
||||
memory: "256Mi"
|
||||
ephemeral-storage: "1Gi"
|
||||
limits:
|
||||
cpu: "3000m"
|
||||
memory: "4Gi"
|
||||
ephemeral-storage: "28Gi"
|
||||
volumeMounts:
|
||||
- name: docker-sock
|
||||
mountPath: /var/run/docker.sock
|
||||
- name: runner-data
|
||||
mountPath: /data
|
||||
env:
|
||||
- name: GITEA_INSTANCE_URL
|
||||
value: "https://gt.hexor.cy"
|
||||
- name: GITEA_RUNNER_REGISTRATION_TOKEN
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: gitea-runner-act-runner-secrets
|
||||
key: token
|
||||
- name: GITEA_RUNNER_NAME
|
||||
value: "k8s-runner-desktop"
|
||||
- name: GITEA_RUNNER_LABELS
|
||||
value: "ubuntu-latest:docker://ghcr.io/catthehacker/ubuntu:act-latest,ubuntu-22.04:docker://ghcr.io/catthehacker/ubuntu:act-22.04,ubuntu-20.04:docker://ghcr.io/catthehacker/ubuntu:act-20.04"
|
||||
|
||||
@@ -1,20 +0,0 @@
|
||||
apiVersion: argoproj.io/v1alpha1
|
||||
kind: Application
|
||||
metadata:
|
||||
name: matrix
|
||||
namespace: argocd
|
||||
spec:
|
||||
project: apps
|
||||
destination:
|
||||
namespace: matrix
|
||||
server: https://kubernetes.default.svc
|
||||
source:
|
||||
repoURL: ssh://git@gt.hexor.cy:30022/ab/homelab.git
|
||||
targetRevision: HEAD
|
||||
path: k8s/apps/matrix
|
||||
syncPolicy:
|
||||
automated:
|
||||
selfHeal: true
|
||||
prune: true
|
||||
syncOptions:
|
||||
- CreateNamespace=true
|
||||
@@ -1,82 +0,0 @@
|
||||
---
|
||||
apiVersion: external-secrets.io/v1
|
||||
kind: ExternalSecret
|
||||
metadata:
|
||||
name: matrix-postgres-creds
|
||||
spec:
|
||||
target:
|
||||
name: matrix-postgres-creds
|
||||
deletionPolicy: Delete
|
||||
template:
|
||||
type: Opaque
|
||||
data:
|
||||
synapse_db_password: |-
|
||||
{{ .synapse_db_password }}
|
||||
mas_db_password: |-
|
||||
{{ .mas_db_password }}
|
||||
data:
|
||||
- secretKey: synapse_db_password
|
||||
sourceRef:
|
||||
storeRef:
|
||||
name: vaultwarden-login
|
||||
kind: ClusterSecretStore
|
||||
remoteRef:
|
||||
key: CHANGE_ME
|
||||
property: CHANGE_ME
|
||||
- secretKey: mas_db_password
|
||||
sourceRef:
|
||||
storeRef:
|
||||
name: vaultwarden-login
|
||||
kind: ClusterSecretStore
|
||||
remoteRef:
|
||||
key: CHANGE_ME
|
||||
property: CHANGE_ME
|
||||
---
|
||||
apiVersion: external-secrets.io/v1
|
||||
kind: ExternalSecret
|
||||
metadata:
|
||||
name: matrix-oidc-config
|
||||
spec:
|
||||
target:
|
||||
name: matrix-oidc-config
|
||||
deletionPolicy: Delete
|
||||
template:
|
||||
type: Opaque
|
||||
data:
|
||||
mas-oidc.yaml: |
|
||||
upstream_oauth2:
|
||||
providers:
|
||||
- id: authentik
|
||||
human_name: Authentik
|
||||
issuer: https://idm.hexor.cy/application/o/matrix/
|
||||
client_id: {{ .oauth_client_id }}
|
||||
client_secret: {{ .oauth_client_secret }}
|
||||
scope: "openid profile email"
|
||||
claims_imports:
|
||||
localpart:
|
||||
action: require
|
||||
template: "{{ `{{ user.preferred_username }}` }}"
|
||||
displayname:
|
||||
action: suggest
|
||||
template: "{{ `{{ user.name }}` }}"
|
||||
email:
|
||||
action: suggest
|
||||
template: "{{ `{{ user.email }}` }}"
|
||||
set_email_verification: always
|
||||
data:
|
||||
- secretKey: oauth_client_id
|
||||
sourceRef:
|
||||
storeRef:
|
||||
name: vaultwarden-login
|
||||
kind: ClusterSecretStore
|
||||
remoteRef:
|
||||
key: CHANGE_ME
|
||||
property: CHANGE_ME
|
||||
- secretKey: oauth_client_secret
|
||||
sourceRef:
|
||||
storeRef:
|
||||
name: vaultwarden-login
|
||||
kind: ClusterSecretStore
|
||||
remoteRef:
|
||||
key: CHANGE_ME
|
||||
property: CHANGE_ME
|
||||
@@ -1,15 +0,0 @@
|
||||
apiVersion: kustomize.config.k8s.io/v1beta1
|
||||
kind: Kustomization
|
||||
|
||||
resources:
|
||||
- app.yaml
|
||||
- external-secrets.yaml
|
||||
|
||||
helmCharts:
|
||||
- name: matrix-stack
|
||||
repo: oci://ghcr.io/element-hq/ess-helm
|
||||
version: 26.2.3
|
||||
releaseName: matrix-stack
|
||||
namespace: matrix
|
||||
valuesFile: matrix-stack-values.yaml
|
||||
includeCRDs: true
|
||||
@@ -1,85 +0,0 @@
|
||||
## Matrix server name - appears in @user:matrix.hexor.cy
|
||||
serverName: matrix.hexor.cy
|
||||
|
||||
## Use letsencrypt cluster issuer for all ingresses
|
||||
certManager:
|
||||
clusterIssuer: letsencrypt
|
||||
|
||||
## Global ingress settings
|
||||
ingress:
|
||||
className: traefik
|
||||
annotations:
|
||||
traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
|
||||
|
||||
## Disable built-in PostgreSQL - using external database
|
||||
postgres:
|
||||
enabled: false
|
||||
|
||||
## Disable components we don't need yet
|
||||
matrixRTC:
|
||||
enabled: false
|
||||
hookshot:
|
||||
enabled: false
|
||||
haproxy:
|
||||
enabled: false
|
||||
|
||||
## Synapse homeserver
|
||||
synapse:
|
||||
enabled: true
|
||||
postgres:
|
||||
host: psql.psql.svc
|
||||
port: 5432
|
||||
user: synapse
|
||||
database: synapse
|
||||
sslMode: prefer
|
||||
password:
|
||||
secret: matrix-postgres-creds
|
||||
secretKey: synapse_db_password
|
||||
media:
|
||||
storage:
|
||||
size: 20Gi
|
||||
maxUploadSize: 100M
|
||||
# nodeSelector:
|
||||
# kubernetes.io/hostname: nas.homenet
|
||||
|
||||
## Matrix Authentication Service
|
||||
matrixAuthenticationService:
|
||||
enabled: true
|
||||
postgres:
|
||||
host: psql.psql.svc
|
||||
port: 5432
|
||||
user: mas
|
||||
database: mas
|
||||
sslMode: prefer
|
||||
password:
|
||||
secret: matrix-postgres-creds
|
||||
secretKey: mas_db_password
|
||||
## Authentik OIDC upstream provider
|
||||
additional:
|
||||
0-oidc:
|
||||
configSecret: matrix-oidc-config
|
||||
configSecretKey: mas-oidc.yaml
|
||||
# nodeSelector:
|
||||
# kubernetes.io/hostname: nas.homenet
|
||||
|
||||
## Element Web client
|
||||
elementWeb:
|
||||
enabled: true
|
||||
ingress:
|
||||
host: chat.hexor.cy
|
||||
# nodeSelector:
|
||||
# kubernetes.io/hostname: nas.homenet
|
||||
|
||||
## Element Admin panel
|
||||
elementAdmin:
|
||||
enabled: true
|
||||
ingress:
|
||||
host: matrix-admin.hexor.cy
|
||||
# nodeSelector:
|
||||
# kubernetes.io/hostname: nas.homenet
|
||||
|
||||
## Well-known delegation on the base domain
|
||||
wellKnownDelegation:
|
||||
enabled: true
|
||||
ingress:
|
||||
host: matrix.hexor.cy
|
||||
@@ -34,9 +34,6 @@ spec:
|
||||
name: vaultwarden-login
|
||||
kind: ClusterSecretStore
|
||||
remoteRef:
|
||||
conversionStrategy: Default
|
||||
decodingStrategy: None
|
||||
metadataPolicy: None
|
||||
key: 279c2c1f-c147-4b6b-a511-36c3cd764f9d
|
||||
property: login.password
|
||||
- secretKey: username
|
||||
@@ -45,9 +42,6 @@ spec:
|
||||
name: vaultwarden-login
|
||||
kind: ClusterSecretStore
|
||||
remoteRef:
|
||||
conversionStrategy: Default
|
||||
decodingStrategy: None
|
||||
metadataPolicy: None
|
||||
key: 279c2c1f-c147-4b6b-a511-36c3cd764f9d
|
||||
property: login.username
|
||||
- secretKey: secret_key
|
||||
@@ -56,9 +50,6 @@ spec:
|
||||
name: vaultwarden-login
|
||||
kind: ClusterSecretStore
|
||||
remoteRef:
|
||||
conversionStrategy: Default
|
||||
decodingStrategy: None
|
||||
metadataPolicy: None
|
||||
key: 279c2c1f-c147-4b6b-a511-36c3cd764f9d
|
||||
property: fields[0].value
|
||||
|
||||
|
||||
@@ -10,7 +10,7 @@ resources:
|
||||
helmCharts:
|
||||
- name: cert-manager
|
||||
repo: https://charts.jetstack.io
|
||||
version: 1.20.0
|
||||
version: 1.19.1
|
||||
releaseName: cert-manager
|
||||
namespace: cert-manager
|
||||
valuesFile: values.yaml
|
||||
|
||||
@@ -449,7 +449,7 @@
|
||||
"type": "prometheus",
|
||||
"uid": "${datasource}"
|
||||
},
|
||||
"expr": "sum(process_resident_memory_bytes) / 1024 / 1024",
|
||||
"expr": "process_resident_memory_bytes / 1024 / 1024",
|
||||
"legendFormat": "Resident Memory",
|
||||
"refId": "A"
|
||||
},
|
||||
@@ -458,7 +458,7 @@
|
||||
"type": "prometheus",
|
||||
"uid": "${datasource}"
|
||||
},
|
||||
"expr": "sum(process_virtual_memory_bytes) / 1024 / 1024",
|
||||
"expr": "process_virtual_memory_bytes / 1024 / 1024",
|
||||
"legendFormat": "Virtual Memory",
|
||||
"refId": "B"
|
||||
}
|
||||
|
||||
@@ -11,7 +11,7 @@ resources:
|
||||
helmCharts:
|
||||
- name: kube-prometheus-stack
|
||||
repo: https://prometheus-community.github.io/helm-charts
|
||||
version: 82.10.3
|
||||
version: 79.7.1
|
||||
releaseName: prometheus
|
||||
namespace: prometheus
|
||||
valuesFile: prom-values.yaml
|
||||
|
||||
@@ -16,7 +16,7 @@ spec:
|
||||
serviceAccountName: system-upgrade
|
||||
upgrade:
|
||||
image: rancher/k3s-upgrade
|
||||
version: v1.35.2+k3s1
|
||||
version: v1.34.3+k3s1
|
||||
---
|
||||
# Agent plan
|
||||
apiVersion: upgrade.cattle.io/v1
|
||||
@@ -39,4 +39,5 @@ spec:
|
||||
serviceAccountName: system-upgrade
|
||||
upgrade:
|
||||
image: rancher/k3s-upgrade
|
||||
version: v1.35.2+k3s1
|
||||
version: v1.34.3+k3s1
|
||||
|
||||
|
||||
23
terraform/authentik/.claude/settings.local.json
Normal file
23
terraform/authentik/.claude/settings.local.json
Normal file
@@ -0,0 +1,23 @@
|
||||
{
|
||||
"permissions": {
|
||||
"allow": [
|
||||
"WebSearch",
|
||||
"WebFetch(domain:registry.terraform.io)",
|
||||
"Bash(C:UsersabAppDataLocalMicrosoftWinGetPackagesHashicorp.Terraform_Microsoft.Winget.Source_8wekyb3d8bbweterraform.exe apply -auto-approve)",
|
||||
"Bash(\"C:\\Users\\ab\\AppData\\Local\\Microsoft\\WinGet\\Packages\\Hashicorp.Terraform_Microsoft.Winget.Source_8wekyb3d8bbwe\\terraform.exe\" apply -auto-approve)",
|
||||
"Bash(\"C:\\Users\\ab\\AppData\\Local\\Microsoft\\WinGet\\Packages\\Hashicorp.Terraform_Microsoft.Winget.Source_8wekyb3d8bbwe\\terraform.exe\" apply -auto-approve -lock=false)",
|
||||
"Bash(\"C:\\Users\\ab\\AppData\\Local\\Microsoft\\WinGet\\Packages\\Hashicorp.Terraform_Microsoft.Winget.Source_8wekyb3d8bbwe\\terraform.exe\" plan -lock=false)",
|
||||
"Bash(\"C:\\Users\\ab\\AppData\\Local\\Microsoft\\WinGet\\Packages\\Hashicorp.Terraform_Microsoft.Winget.Source_8wekyb3d8bbwe\\terraform.exe\" apply -replace=\"authentik_outpost.outposts[\"\"kubernetes-outpost\"\"]\" -auto-approve -lock=false)",
|
||||
"Bash(terraform plan:*)",
|
||||
"Bash(terraform state:*)",
|
||||
"Bash(TF_VAR_authentik_token=ZDTbu4OKl0UcmdYKG5XgkRThZO7vWX2xz0w5vP2d8sudIr44ccwKOby6iRUa terraform plan:*)",
|
||||
"Bash(TF_VAR_authentik_token=ZDTbu4OKl0UcmdYKG5XgkRThZO7vWX2xz0w5vP2d8sudIr44ccwKOby6iRUa terraform force-unlock:*)",
|
||||
"Bash(git:*)",
|
||||
"Bash(TF_VAR_authentik_token=ZDTbu4OKl0UcmdYKG5XgkRThZO7vWX2xz0w5vP2d8sudIr44ccwKOby6iRUa terraform state:*)",
|
||||
"Bash(terraform version:*)",
|
||||
"Bash(curl:*)"
|
||||
],
|
||||
"deny": [],
|
||||
"ask": []
|
||||
}
|
||||
}
|
||||
Reference in New Issue
Block a user