Compare commits
25 Commits
| Author | SHA1 | Date | |
|---|---|---|---|
| 75db626903 | |||
| 67104123a5 | |||
| 976ea1fbe1 | |||
| 7cfcfac94c | |||
| 4b981e3d97 | |||
| f53ab23d8e | |||
| df1aa96316 | |||
| 3d58baaf2f | |||
| 78c1519398 | |||
| d8a5a916e1 | |||
| a840dd674a | |||
| a094d3b925 | |||
| 9508a8483c | |||
| c5919259f6 | |||
| 83de150f87 | |||
| 70d785769e | |||
| f129977993 | |||
| cf4c70075c | |||
| 2b979b5f43 | |||
| dbecdb7069 | |||
| fb7dfbee57 | |||
| 6b5a0fc31f | |||
| 47adf8e718 | |||
| 54980ff18b | |||
| ccfa5df898 |
@@ -42,6 +42,7 @@ ArgoCD homelab project
|
||||
|
||||
| Application | Status |
|
||||
| :--- | :---: |
|
||||
| **amnezia** | [](https://ag.hexor.cy/applications/argocd/amnezia) |
|
||||
| **comfyui** | [](https://ag.hexor.cy/applications/argocd/comfyui) |
|
||||
| **furumi** | [](https://ag.hexor.cy/applications/argocd/furumi) |
|
||||
| **gitea** | [](https://ag.hexor.cy/applications/argocd/gitea) |
|
||||
@@ -53,6 +54,7 @@ ArgoCD homelab project
|
||||
| **k8s-secrets** | [](https://ag.hexor.cy/applications/argocd/k8s-secrets) |
|
||||
| **khm** | [](https://ag.hexor.cy/applications/argocd/khm) |
|
||||
| **lidarr** | [](https://ag.hexor.cy/applications/argocd/lidarr) |
|
||||
| **llamacpp** | [](https://ag.hexor.cy/applications/argocd/llamacpp) |
|
||||
| **matrix** | [](https://ag.hexor.cy/applications/argocd/matrix) |
|
||||
| **mtproxy** | [](https://ag.hexor.cy/applications/argocd/mtproxy) |
|
||||
| **n8n** | [](https://ag.hexor.cy/applications/argocd/n8n) |
|
||||
|
||||
@@ -30,6 +30,21 @@ data:
|
||||
fi
|
||||
}
|
||||
|
||||
delete_rule() {
|
||||
local table_args=()
|
||||
if [ "${1:-}" = "-t" ]; then
|
||||
table_args=("$1" "$2")
|
||||
shift 2
|
||||
fi
|
||||
|
||||
local chain="$1"
|
||||
shift
|
||||
|
||||
while iptables "${table_args[@]}" -D "${chain}" "$@" >/dev/null 2>&1; do
|
||||
true
|
||||
done
|
||||
}
|
||||
|
||||
ensure_append_rule() {
|
||||
local table_args=()
|
||||
if [ "${1:-}" = "-t" ]; then
|
||||
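Review bot: `delete_rule` ends its loop on any non-zero `iptables` exit, so a transient failure such as contention for the xtables lock reads as "rule already gone" and the stale rule stays in place; `ensure_insert_rule`/`ensure_append_rule` presumably have the same exposure. On a node where kube-proxy and tailscale also drive iptables, pass `-w` so the call waits for the lock instead of failing: `while iptables -w "${table_args[@]}" -D "${chain}" "$@" >/dev/null 2>&1; do`. A header comment stating the contract would also help, e.g. `# delete_rule [-t TABLE] CHAIN RULE...: remove every copy of RULE from CHAIN (iptables -D deletes one match per call)`. The function above the hunk and `ensure_append_rule` below it are cut by the hunk edges.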
@@ -56,6 +71,7 @@ data:
|
||||
|
||||
sysctl -w net.ipv4.ip_forward=1
|
||||
|
||||
delete_rule INPUT -i tailscale0 -p udp -m comment --comment amneziawg-block-tailscale -j DROP
|
||||
ensure_insert_rule INPUT -i "${EXT_IF}" -p udp --dport "${PORT}" -m comment --comment amneziawg-allow-external -j ACCEPT
|
||||
ensure_insert_rule INPUT -i tailscale0 -p udp --dport "${PORT}" -m comment --comment amneziawg-block-tailscale -j DROP
|
||||
ensure_append_rule INPUT -i awg0 -m comment --comment amneziawg-awg-input -j ACCEPT
|
||||
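Review bot: The new `delete_rule INPUT -i tailscale0 -p udp -m comment --comment amneziawg-block-tailscale -j DROP` line is a one-off migration that removes the pre-`--dport` form of the rule, but nothing marks it as such, so a later reader cannot tell when it may go. Add `# migration: drop the dport-less block rule left by earlier releases; remove once every node has run this version` above it; the matching line in the cleanup section further down (`@@ -100,6 +116,7 @@`) deserves the same comment. The enclosing function starts and ends outside the hunk.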
@@ -100,6 +116,7 @@ data:
|
||||
fi
|
||||
|
||||
delete_rule INPUT -i tailscale0 -p udp --dport "${PORT}" -m comment --comment amneziawg-block-tailscale -j DROP
|
||||
delete_rule INPUT -i tailscale0 -p udp -m comment --comment amneziawg-block-tailscale -j DROP
|
||||
delete_rule INPUT -i awg0 -m comment --comment amneziawg-awg-input -j ACCEPT
|
||||
delete_rule FORWARD -i awg0 -m comment --comment amneziawg-forward-in -j ACCEPT
|
||||
delete_rule FORWARD -o awg0 -m comment --comment amneziawg-forward-out -j ACCEPT
|
||||
@@ -111,6 +128,9 @@ data:
|
||||
SERVER_CONFIG="/etc/amnezia/server/awg0.conf"
|
||||
CLIENTS_DIR="/etc/amnezia/clients"
|
||||
RUNTIME_CONFIG="/run/amnezia/awg0.conf"
|
||||
SYNC_CONFIG="/run/amnezia/awg0.sync.conf"
|
||||
STATUS_FILE="/run/amnezia/reload-status"
|
||||
RELOAD_INTERVAL="${AMNEZIAWG_RELOAD_INTERVAL:-10}"
|
||||
|
||||
cleanup() {
|
||||
if awg show awg0 >/dev/null 2>&1; then
|
||||
@@ -120,32 +140,125 @@ data:
|
||||
|
||||
render_config() {
|
||||
mkdir -p "$(dirname "${RUNTIME_CONFIG}")"
|
||||
cp "${SERVER_CONFIG}" "${RUNTIME_CONFIG}"
|
||||
chmod 0600 "${RUNTIME_CONFIG}"
|
||||
local tmp_config="${RUNTIME_CONFIG}.tmp"
|
||||
cp "${SERVER_CONFIG}" "${tmp_config}"
|
||||
chmod 0600 "${tmp_config}"
|
||||
|
||||
local clients_found=0
|
||||
for client_config in "${CLIENTS_DIR}"/*; do
|
||||
[ -f "${client_config}" ] || continue
|
||||
[ -s "${client_config}" ] || continue
|
||||
printf '\n' >> "${RUNTIME_CONFIG}"
|
||||
cat "${client_config}" >> "${RUNTIME_CONFIG}"
|
||||
printf '\n' >> "${tmp_config}"
|
||||
cat "${client_config}" >> "${tmp_config}"
|
||||
clients_found=1
|
||||
done
|
||||
|
||||
if [ "${clients_found}" = "0" ]; then
|
||||
echo "No client peer configs found in ${CLIENTS_DIR}; starting without peers"
|
||||
fi
|
||||
|
||||
mv "${tmp_config}" "${RUNTIME_CONFIG}"
|
||||
chmod 0600 "${RUNTIME_CONFIG}"
|
||||
}
|
||||
|
||||
client_config_hash() {
|
||||
{
|
||||
for client_config in "${CLIENTS_DIR}"/*; do
|
||||
[ -f "${client_config}" ] || continue
|
||||
sha256sum "${client_config}"
|
||||
done
|
||||
} | sha256sum | awk '{print $1}'
|
||||
}
|
||||
|
||||
write_reload_status() {
|
||||
local state="${1}"
|
||||
local hash="${2:-}"
|
||||
local applied_at_ms=""
|
||||
if [ "${state}" = "applied" ]; then
|
||||
applied_at_ms="$(($(date +%s) * 1000))"
|
||||
fi
|
||||
|
||||
mkdir -p "$(dirname "${STATUS_FILE}")"
|
||||
{
|
||||
printf 'state=%s\n' "${state}"
|
||||
printf 'hash=%s\n' "${hash}"
|
||||
printf 'applied_at_ms=%s\n' "${applied_at_ms}"
|
||||
} > "${STATUS_FILE}.tmp"
|
||||
mv "${STATUS_FILE}.tmp" "${STATUS_FILE}"
|
||||
}
|
||||
|
||||
apply_live_config() {
|
||||
render_config
|
||||
awg-quick strip "${RUNTIME_CONFIG}" > "${SYNC_CONFIG}"
|
||||
chmod 0600 "${SYNC_CONFIG}"
|
||||
awg syncconf awg0 "${SYNC_CONFIG}"
|
||||
}
|
||||
|
||||
watch_client_config() {
|
||||
local last_hash="${1}"
|
||||
while true; do
|
||||
sleep "${RELOAD_INTERVAL}" &
|
||||
wait "$!" || return 0
|
||||
|
||||
local current_hash
|
||||
current_hash="$(client_config_hash)"
|
||||
if [ "${current_hash}" = "${last_hash}" ]; then
|
||||
continue
|
||||
fi
|
||||
|
||||
echo "Detected AmneziaWG client peer config change; applying with awg syncconf"
|
||||
if apply_live_config; then
|
||||
last_hash="${current_hash}"
|
||||
write_reload_status applied "${current_hash}"
|
||||
awg show awg0 || true
|
||||
else
|
||||
echo "ERROR: failed to hot-reload AmneziaWG client peer config" >&2
|
||||
write_reload_status error "${current_hash}"
|
||||
fi
|
||||
done
|
||||
}
|
||||
|
||||
trap cleanup EXIT
|
||||
trap 'exit 0' TERM INT
|
||||
|
||||
initial_hash="$(client_config_hash)"
|
||||
render_config
|
||||
cleanup
|
||||
awg-quick up "${RUNTIME_CONFIG}"
|
||||
awg show awg0 || true
|
||||
write_reload_status applied "${initial_hash}"
|
||||
watch_client_config "${initial_hash}"
|
||||
|
||||
status-patch.sh: |
|
||||
#!/usr/bin/env bash
|
||||
set -euo pipefail
|
||||
|
||||
STATUS_FILE="/run/amnezia/reload-status"
|
||||
PATCH_INTERVAL="${AMNEZIAWG_STATUS_PATCH_INTERVAL:-5}"
|
||||
NAMESPACE="${POD_NAMESPACE:-$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)}"
|
||||
: "${POD_NAME:?POD_NAME is required}"
|
||||
|
||||
last_file_hash=""
|
||||
|
||||
patch_status() {
|
||||
local state="unknown"
|
||||
local hash=""
|
||||
local applied_at_ms=""
|
||||
|
||||
# The file is generated by run.sh and contains only shell assignments.
|
||||
# shellcheck disable=SC1090
|
||||
source "${STATUS_FILE}"
|
||||
|
||||
kubectl patch pod "${POD_NAME}" -n "${NAMESPACE}" --type merge -p "{\"metadata\":{\"annotations\":{\"amnezia-fellow.hexor.cy/client-secret-reload-status\":\"${state}\",\"amnezia-fellow.hexor.cy/client-secret-applied-at-ms\":\"${applied_at_ms}\",\"amnezia-fellow.hexor.cy/client-secret-applied-hash\":\"${hash}\"}}}"
|
||||
}
|
||||
|
||||
while true; do
|
||||
sleep 3600 &
|
||||
wait "$!"
|
||||
if [ -f "${STATUS_FILE}" ]; then
|
||||
file_hash="$(sha256sum "${STATUS_FILE}" | awk '{print $1}')"
|
||||
if [ "${file_hash}" != "${last_file_hash}" ]; then
|
||||
patch_status || true
|
||||
last_file_hash="${file_hash}"
|
||||
fi
|
||||
fi
|
||||
sleep "${PATCH_INTERVAL}"
|
||||
done
|
||||
|
||||
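Review bot: In `status-patch.sh` the loop body opens with `sleep 3600 &` / `wait "$!"` before the status file is even looked at, so the pod annotation is refreshed at most once per hour regardless of `PATCH_INTERVAL` and a reload right after start stays invisible for an hour; this looks like a leftover, so drop those two lines and keep the trailing `sleep "${PATCH_INTERVAL}"`. Separately, `patch_status` does `source "${STATUS_FILE}"`, which executes whatever sits in the shared `/run/amnezia` emptyDir inside the container that holds the pod-patch service-account token, so a write into that volume by the VPN container (presumably more privileged than this sidecar) becomes shell in the kubectl sidecar. The file only ever carries three `key=value` lines written by `write_reload_status`, so parse it instead of sourcing it; the values then stay plain strings and the JSON built for `kubectl patch` stays well-formed. On the `run.sh` side, `render_config` copies the server config (private key included) with `cp` and only afterwards `chmod 0600`s it; a `umask 077` at the top of the script closes that window for both the `.tmp` copy and `SYNC_CONFIG`.
```shell
patch_status() {
  local state="unknown"
  local hash=""
  local applied_at_ms=""
  local key value

  # Parse the three key=value lines written by run.sh instead of executing them.
  while IFS='=' read -r key value; do
    case "${key}" in
      state) state="${value}" ;;
      hash) hash="${value}" ;;
      applied_at_ms) applied_at_ms="${value}" ;;
    esac
  done < "${STATUS_FILE}"

  # … unchanged: kubectl patch …
}
```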
@@ -6,8 +6,8 @@ metadata:
|
||||
labels:
|
||||
app: amneziawg
|
||||
annotations:
|
||||
reloader.stakater.com/auto: "true"
|
||||
secret.reloader.stakater.com/reload: "amneziawg-server,amneziawg-clients"
|
||||
secret.reloader.stakater.com/reload: "amneziawg-server"
|
||||
configmap.reloader.stakater.com/reload: "amneziawg-scripts"
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
@@ -27,6 +27,19 @@ spec:
|
||||
tolerations:
|
||||
- operator: Exists
|
||||
initContainers:
|
||||
- name: install-awg
|
||||
image: amneziavpn/amneziawg-go:latest
|
||||
imagePullPolicy: IfNotPresent
|
||||
command:
|
||||
- /bin/bash
|
||||
- -lc
|
||||
- |
|
||||
set -euo pipefail
|
||||
cp /usr/bin/awg /shared-bin/awg
|
||||
chmod 0755 /shared-bin/awg
|
||||
volumeMounts:
|
||||
- name: awg-bin
|
||||
mountPath: /shared-bin
|
||||
- name: register-endpoint
|
||||
image: bitnami/kubectl:latest
|
||||
imagePullPolicy: IfNotPresent
|
||||
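Review bot: `install-awg` copies `/usr/bin/awg` out of `amneziavpn/amneziawg-go:latest` with `imagePullPolicy: IfNotPresent` and that binary is later mounted into the exporter, so what actually runs is whichever build happens to be cached on each node and nodes can silently disagree; pin to a release tag or, better, a digest (`image: amneziavpn/amneziawg-go@sha256:<digest>` as a placeholder). The same applies to `bitnami/kubectl:latest`, `redis:alpine` and `amneziavpn/amneziawg-exporter:latest` in the next hunk. `-lc` also starts a login shell for a two-line copy; `-ec` is enough and avoids sourcing profile files from the image.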
@@ -123,6 +136,81 @@ spec:
|
||||
mountPath: /run/amnezia
|
||||
- name: dev-net-tun
|
||||
mountPath: /dev/net/tun
|
||||
- name: reload-status
|
||||
image: bitnami/kubectl:latest
|
||||
imagePullPolicy: IfNotPresent
|
||||
env:
|
||||
- name: POD_NAME
|
||||
valueFrom:
|
||||
fieldRef:
|
||||
fieldPath: metadata.name
|
||||
command:
|
||||
- /bin/bash
|
||||
- /scripts/status-patch.sh
|
||||
resources:
|
||||
requests:
|
||||
memory: "32Mi"
|
||||
cpu: "10m"
|
||||
limits:
|
||||
memory: "128Mi"
|
||||
cpu: "100m"
|
||||
volumeMounts:
|
||||
- name: scripts
|
||||
mountPath: /scripts
|
||||
readOnly: true
|
||||
- name: runtime-config
|
||||
mountPath: /run/amnezia
|
||||
- name: amneziawg-exporter-redis
|
||||
image: redis:alpine
|
||||
imagePullPolicy: IfNotPresent
|
||||
command:
|
||||
- redis-server
|
||||
- /etc/redis/redis.conf
|
||||
ports:
|
||||
- name: redis
|
||||
containerPort: 6379
|
||||
protocol: TCP
|
||||
resources:
|
||||
requests:
|
||||
memory: "32Mi"
|
||||
cpu: "10m"
|
||||
limits:
|
||||
memory: "128Mi"
|
||||
cpu: "100m"
|
||||
volumeMounts:
|
||||
- name: exporter-redis-config
|
||||
mountPath: /etc/redis
|
||||
readOnly: true
|
||||
- name: exporter-redis-data
|
||||
mountPath: /data
|
||||
- name: amneziawg-exporter
|
||||
image: amneziavpn/amneziawg-exporter:latest
|
||||
imagePullPolicy: IfNotPresent
|
||||
securityContext:
|
||||
capabilities:
|
||||
add:
|
||||
- NET_ADMIN
|
||||
env:
|
||||
- name: AWG_EXPORTER_REDIS_HOST
|
||||
value: "127.0.0.1"
|
||||
- name: AWG_EXPORTER_REDIS_PORT
|
||||
value: "6379"
|
||||
ports:
|
||||
- name: metrics
|
||||
containerPort: 9351
|
||||
protocol: TCP
|
||||
resources:
|
||||
requests:
|
||||
memory: "64Mi"
|
||||
cpu: "25m"
|
||||
limits:
|
||||
memory: "256Mi"
|
||||
cpu: "200m"
|
||||
volumeMounts:
|
||||
- name: awg-bin
|
||||
mountPath: /usr/bin/awg
|
||||
subPath: awg
|
||||
readOnly: true
|
||||
volumes:
|
||||
- name: server-config
|
||||
secret:
|
||||
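Review bot: The `reload-status` sidecar mounts `runtime-config` read-write although `status-patch.sh` only reads `/run/amnezia/reload-status`; add `readOnly: true` under that mount, as is already done for `scripts`, so the container holding the service-account token cannot alter the rendered `awg0.conf` / sync config that the VPN container applies. `amneziawg-exporter` gets `NET_ADMIN` added without `drop: ["ALL"]` or `runAsNonRoot`; if the exporter only needs `awg show` output, confirm whether `NET_ADMIN` is needed at all, and drop the default capability set either way. Its `resources` are set, which is good; the sidecar and redis containers have them too, so this is consistent.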
@@ -142,6 +230,13 @@ spec:
|
||||
defaultMode: 0755
|
||||
- name: runtime-config
|
||||
emptyDir: {}
|
||||
- name: awg-bin
|
||||
emptyDir: {}
|
||||
- name: exporter-redis-config
|
||||
configMap:
|
||||
name: amneziawg-exporter-redis
|
||||
- name: exporter-redis-data
|
||||
emptyDir: {}
|
||||
- name: dev-net-tun
|
||||
hostPath:
|
||||
path: /dev/net/tun
|
||||
|
||||
@@ -0,0 +1,28 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: amneziawg-exporter-redis
|
||||
labels:
|
||||
app: amneziawg
|
||||
component: exporter
|
||||
data:
|
||||
redis.conf: |
|
||||
bind 0.0.0.0
|
||||
protected-mode no
|
||||
port 6379
|
||||
tcp-backlog 511
|
||||
timeout 0
|
||||
tcp-keepalive 300
|
||||
daemonize no
|
||||
pidfile /run/redis.pid
|
||||
loglevel warning
|
||||
logfile ""
|
||||
databases 16
|
||||
always-show-logo no
|
||||
set-proc-title no
|
||||
save 3600 1
|
||||
stop-writes-on-bgsave-error no
|
||||
rdbcompression yes
|
||||
rdbchecksum yes
|
||||
dir /data
|
||||
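Review bot: `bind 0.0.0.0` with `protected-mode no` and no `requirepass` makes this Redis accept unauthenticated connections on every interface the pod can see, while its only client (`amneziawg-exporter`) connects to `127.0.0.1:6379`; if the DaemonSet runs with host networking (not visible here, but the `-i "${EXT_IF}"` iptables rules in run.sh suggest it) that means the node's interfaces, tailscale0 included. Change to `bind 127.0.0.1` and leave `protected-mode` at its default; none of the `-p udp --dport` rules in run.sh cover TCP 6379. `save 3600 1` into an emptyDir also means the snapshot is lost on pod restart, which may be fine for an exporter cache but deserves a comment.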
@@ -0,0 +1,17 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: amneziawg-exporter
|
||||
labels:
|
||||
app: amneziawg
|
||||
component: exporter
|
||||
spec:
|
||||
type: ClusterIP
|
||||
selector:
|
||||
app: amneziawg
|
||||
ports:
|
||||
- name: metrics
|
||||
protocol: TCP
|
||||
port: 9351
|
||||
targetPort: 9351
|
||||
@@ -0,0 +1,74 @@
|
||||
---
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: amnezia-fellow
|
||||
labels:
|
||||
app: amnezia-fellow
|
||||
spec:
|
||||
replicas: 1
|
||||
strategy:
|
||||
type: Recreate
|
||||
selector:
|
||||
matchLabels:
|
||||
app: amnezia-fellow
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: amnezia-fellow
|
||||
spec:
|
||||
serviceAccountName: amnezia-fellow
|
||||
nodeSelector:
|
||||
kubernetes.io/os: linux
|
||||
kubernetes.io/hostname: cy.tail2fe2d.ts.net
|
||||
containers:
|
||||
- name: amnezia-fellow
|
||||
image: ultradesu/amnezia-fellow:latest
|
||||
imagePullPolicy: Always
|
||||
ports:
|
||||
- name: http
|
||||
containerPort: 8000
|
||||
protocol: TCP
|
||||
env:
|
||||
- name: AMNEZIA_FELLOW_DATABASE_URL
|
||||
value: "sqlite:///data/amnezia-fellow.sqlite3?mode=rwc"
|
||||
- name: AMNEZIA_FELLOW_K8S_NAMESPACE
|
||||
value: "amnezia"
|
||||
- name: AMNEZIA_FELLOW_K8S_CLIENTS_SECRET
|
||||
value: "amneziawg-clients"
|
||||
- name: AMNEZIA_FELLOW_K8S_CLIENTS_SECRET_KEY
|
||||
value: "peers.conf"
|
||||
- name: AMNEZIA_FELLOW_K8S_SERVER_SECRET
|
||||
value: "amneziawg-server"
|
||||
- name: AMNEZIA_FELLOW_K8S_ENDPOINTS_SECRET
|
||||
value: "amneziawg-endpoints"
|
||||
- name: AMNEZIA_FELLOW_VPN_CLIENT_CIDR
|
||||
value: "10.8.0.0/16"
|
||||
- name: AMNEZIA_FELLOW_VPN_MTU
|
||||
value: "1376"
|
||||
readinessProbe:
|
||||
tcpSocket:
|
||||
port: http
|
||||
initialDelaySeconds: 5
|
||||
periodSeconds: 10
|
||||
timeoutSeconds: 3
|
||||
livenessProbe:
|
||||
tcpSocket:
|
||||
port: http
|
||||
initialDelaySeconds: 30
|
||||
periodSeconds: 30
|
||||
timeoutSeconds: 5
|
||||
resources:
|
||||
requests:
|
||||
cpu: "50m"
|
||||
memory: "128Mi"
|
||||
limits:
|
||||
cpu: "500m"
|
||||
memory: "512Mi"
|
||||
volumeMounts:
|
||||
- name: data
|
||||
mountPath: /data
|
||||
volumes:
|
||||
- name: data
|
||||
persistentVolumeClaim:
|
||||
claimName: amnezia-fellow-data
|
||||
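Review bot: `amnezia-fellow` is reachable from the internet via `awg.hexor.cy` and carries a service account that can rewrite the VPN server and client secrets, yet the pod has no `securityContext` and runs `ultradesu/amnezia-fellow:latest` with `imagePullPolicy: Always`, so every restart may pull a different build. Pin the image (`image: ultradesu/amnezia-fellow@sha256:<digest>` as a placeholder) and add a baseline container `securityContext` such as `runAsNonRoot: true`, `allowPrivilegeEscalation: false` and `capabilities: {drop: ["ALL"]}`; `/data` is already a mounted volume, so `readOnlyRootFilesystem: true` is likely feasible too. The `AMNEZIA_FELLOW_K8S_*` values must agree with the names used in the Role and the ExternalSecret files; a comment saying so would help.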
@@ -0,0 +1,26 @@
|
||||
---
|
||||
apiVersion: networking.k8s.io/v1
|
||||
kind: Ingress
|
||||
metadata:
|
||||
name: amnezia-fellow-tls-ingress
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: letsencrypt
|
||||
traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
|
||||
acme.cert-manager.io/http01-edit-in-place: "true"
|
||||
spec:
|
||||
ingressClassName: traefik
|
||||
rules:
|
||||
- host: awg.hexor.cy
|
||||
http:
|
||||
paths:
|
||||
- path: /
|
||||
pathType: Prefix
|
||||
backend:
|
||||
service:
|
||||
name: amnezia-fellow
|
||||
port:
|
||||
number: 8000
|
||||
tls:
|
||||
- secretName: amnezia-fellow-tls
|
||||
hosts:
|
||||
- awg.hexor.cy
|
||||
@@ -0,0 +1,35 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: ServiceAccount
|
||||
metadata:
|
||||
name: amnezia-fellow
|
||||
labels:
|
||||
app: amnezia-fellow
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: Role
|
||||
metadata:
|
||||
name: amnezia-fellow
|
||||
labels:
|
||||
app: amnezia-fellow
|
||||
rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "create", "update", "patch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["pods"]
|
||||
verbs: ["get", "list"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
metadata:
|
||||
name: amnezia-fellow
|
||||
labels:
|
||||
app: amnezia-fellow
|
||||
roleRef:
|
||||
apiGroup: rbac.authorization.k8s.io
|
||||
kind: Role
|
||||
name: amnezia-fellow
|
||||
subjects:
|
||||
- kind: ServiceAccount
|
||||
name: amnezia-fellow
|
||||
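Review bot: The `amnezia-fellow` Role grants `get/create/update/patch` on every Secret in the namespace, though the deployment names exactly three it works with (`amneziawg-clients`, `amneziawg-server`, `amneziawg-endpoints`); anything else that lands in the `amnezia` namespace, such as the `amnezia-fellow-tls` certificate secret if the Ingress lives there, is readable and writable by the app as well. Split the rule so `get/update/patch` are limited with `resourceNames` and only `create` stays unscoped (Kubernetes cannot apply `resourceNames` to `create`), or pre-create the three secrets and drop `create` altogether. `list` on pods is broader than the `get` the app appears to need, but that is a guess without seeing the application.
```yaml
rules:
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["amneziawg-clients", "amneziawg-server", "amneziawg-endpoints"]
    verbs: ["get", "update", "patch"]
  # create cannot be narrowed by resourceNames; keep it only if the app must create these secrets itself
  - apiGroups: [""]
    resources: ["secrets"]
    verbs: ["create"]
  # … unchanged: pods rule …
```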
@@ -0,0 +1,16 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: amnezia-fellow
|
||||
labels:
|
||||
app: amnezia-fellow
|
||||
spec:
|
||||
type: ClusterIP
|
||||
selector:
|
||||
app: amnezia-fellow
|
||||
ports:
|
||||
- name: http
|
||||
protocol: TCP
|
||||
port: 8000
|
||||
targetPort: 8000
|
||||
@@ -0,0 +1,14 @@
|
||||
---
|
||||
apiVersion: v1
|
||||
kind: PersistentVolumeClaim
|
||||
metadata:
|
||||
name: amnezia-fellow-data
|
||||
labels:
|
||||
app: amnezia-fellow
|
||||
spec:
|
||||
accessModes:
|
||||
- ReadWriteOnce
|
||||
storageClassName: longhorn
|
||||
resources:
|
||||
requests:
|
||||
storage: 3Gi
|
||||
@@ -7,4 +7,12 @@ resources:
|
||||
- external-secrets.yaml
|
||||
- configmap-scripts.yaml
|
||||
- rbac.yaml
|
||||
- fellow-rbac.yaml
|
||||
- fellow-storage.yaml
|
||||
- fellow-service.yaml
|
||||
- fellow-ingress.yaml
|
||||
- fellow-deployment.yaml
|
||||
- exporter-redis-configmap.yaml
|
||||
- exporter-service.yaml
|
||||
- servicemonitor.yaml
|
||||
- daemonset.yaml
|
||||
|
||||
@@ -42,6 +42,9 @@ rules:
|
||||
- apiGroups: [""]
|
||||
resources: ["secrets"]
|
||||
verbs: ["get", "create", "patch"]
|
||||
- apiGroups: [""]
|
||||
resources: ["pods"]
|
||||
verbs: ["get", "patch"]
|
||||
---
|
||||
apiVersion: rbac.authorization.k8s.io/v1
|
||||
kind: RoleBinding
|
||||
|
||||
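Review bot: The added `pods` rule grants `patch` on every pod in the namespace to whichever service account this Role is bound to (its metadata is above the hunk), while the only consumer visible in this change is `status-patch.sh` annotating its own pod. `patch` on pods also permits changing a running pod's container images, so a compromised sidecar could swap the image of any pod in the namespace, `amnezia-fellow` included, and `resourceNames` cannot pin this to the DaemonSet's dynamically named pods. Consider reporting reload status through a dedicated ConfigMap or Lease that the Role can be scoped to by name, or at least add a comment above the rule recording why namespace-wide pod `patch` was accepted.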
@@ -0,0 +1,23 @@
|
||||
---
|
||||
apiVersion: monitoring.coreos.com/v1
|
||||
kind: ServiceMonitor
|
||||
metadata:
|
||||
name: amneziawg-exporter
|
||||
labels:
|
||||
app: amneziawg
|
||||
component: exporter
|
||||
release: prometheus
|
||||
spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
app: amneziawg
|
||||
component: exporter
|
||||
endpoints:
|
||||
- port: metrics
|
||||
path: /metrics
|
||||
interval: 30s
|
||||
scrapeTimeout: 10s
|
||||
honorLabels: true
|
||||
namespaceSelector:
|
||||
matchNames:
|
||||
- amnezia
|
||||
@@ -41,18 +41,18 @@ spec:
|
||||
- name: GITEA__service__REGISTER_MANUAL_CONFIRM
|
||||
value: "true"
|
||||
- name: GITEA__service__ENABLE_CAPTCHA
|
||||
value: "false"
|
||||
- name: GITEA__service__REQUIRE_CAPTCHA_FOR_LOGIN
|
||||
value: "true"
|
||||
- name: GITEA__service__REQUIRE_CAPTCHA_FOR_LOGIN
|
||||
value: "false"
|
||||
- name: GITEA__service__REQUIRE_EXTERNAL_REGISTRATION_CAPTCHA
|
||||
value: "true"
|
||||
- name: GITEA__service__CAPTCHA_TYPE
|
||||
value: "hcaptcha"
|
||||
value: "cfturnstile"
|
||||
- name: GITEA__webhook__ALLOWED_HOST_LIST
|
||||
value: "*"
|
||||
envFrom:
|
||||
- secretRef:
|
||||
name: gitea-recapcha-creds
|
||||
name: gitea-runner-act-runner-secrets
|
||||
ports:
|
||||
- name: http
|
||||
containerPort: 3000
|
||||
|
||||
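Review bot: `envFrom: - secretRef: name: gitea-runner-act-runner-secrets` injects every key of that secret into the Gitea server container, and per the ExternalSecret hunk below it now carries the runner registration `token` alongside the two `GITEA__service__CF_TURNSTILE_*` keys; Gitea only needs the latter. Pull the two keys explicitly with `env:` entries using `valueFrom.secretKeyRef`, or keep a dedicated secret for the captcha values as `gitea-recapcha-creds` did, so the runner token does not appear in the web process environment. `REQUIRE_CAPTCHA_FOR_LOGIN` also flips to `"false"` in the same hunk; if intentional, a short comment would stop a later reader from treating it as a regression.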
@@ -13,6 +13,10 @@ spec:
|
||||
data:
|
||||
token: |-
|
||||
{{ .password }}
|
||||
GITEA__service__CF_TURNSTILE_SITEKEY: |-
|
||||
{{ .CF_TURNSTILE_SITEKEY }}
|
||||
GITEA__service__CF_TURNSTILE_SECRET: |-
|
||||
{{ .CF_TURNSTILE_SECRET }}
|
||||
data:
|
||||
- secretKey: password
|
||||
sourceRef:
|
||||
@@ -22,38 +26,19 @@ spec:
|
||||
remoteRef:
|
||||
key: e475b5ab-ea3c-48a5-bb4c-a6bc552fc064
|
||||
property: login.password
|
||||
|
||||
---
|
||||
apiVersion: external-secrets.io/v1
|
||||
kind: ExternalSecret
|
||||
metadata:
|
||||
name: gitea-recapcha-creds
|
||||
spec:
|
||||
refreshInterval: 1m
|
||||
target:
|
||||
name: gitea-recapcha-creds
|
||||
deletionPolicy: Delete
|
||||
template:
|
||||
type: Opaque
|
||||
data:
|
||||
GITEA__service__HCAPTCHA_SITEKEY: |-
|
||||
{{ .HCAPTCHA_SITEKEY }}
|
||||
GITEA__service__HCAPTCHA_SECRET: |-
|
||||
{{ .HCAPTCHA_SECRET }}
|
||||
data:
|
||||
- secretKey: HCAPTCHA_SITEKEY
|
||||
- secretKey: CF_TURNSTILE_SITEKEY
|
||||
sourceRef:
|
||||
storeRef:
|
||||
name: vaultwarden-login
|
||||
kind: ClusterSecretStore
|
||||
remoteRef:
|
||||
key: 89c8d8d2-6b53-42c5-805f-38a341ef163e
|
||||
property: login.username
|
||||
- secretKey: HCAPTCHA_SECRET
|
||||
key: e475b5ab-ea3c-48a5-bb4c-a6bc552fc064
|
||||
property: fields[0].value
|
||||
- secretKey: CF_TURNSTILE_SECRET
|
||||
sourceRef:
|
||||
storeRef:
|
||||
name: vaultwarden-login
|
||||
kind: ClusterSecretStore
|
||||
remoteRef:
|
||||
key: 89c8d8d2-6b53-42c5-805f-38a341ef163e
|
||||
property: login.password
|
||||
key: e475b5ab-ea3c-48a5-bb4c-a6bc552fc064
|
||||
property: fields[1].value
|
||||
|
||||
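Review bot: `property: fields[0].value` and `fields[1].value` select the Turnstile site key and secret by position within the Vaultwarden item, so reordering or adding a custom field in the vault silently swaps or breaks both values with no error from external-secrets. Add a comment above each entry naming the field it is expected to map to (e.g. `# custom field 0 = Turnstile site key`, `# custom field 1 = Turnstile secret key`), or select by field name if this ClusterSecretStore provider supports it; verify that against the provider before relying on it.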
@@ -5,6 +5,6 @@ resources:
|
||||
- app.yaml
|
||||
- external-secrets.yaml
|
||||
- deployment.yaml
|
||||
- user-unban-cronjob.yaml
|
||||
- service.yaml
|
||||
- ingress.yaml
|
||||
|
||||
|
||||
@@ -0,0 +1,60 @@
|
||||
---
|
||||
apiVersion: batch/v1
|
||||
kind: CronJob
|
||||
metadata:
|
||||
name: gitea-user-unban
|
||||
labels:
|
||||
app: gitea-user-unban
|
||||
spec:
|
||||
schedule: "*/10 * * * *"
|
||||
concurrencyPolicy: Forbid
|
||||
successfulJobsHistoryLimit: 3
|
||||
failedJobsHistoryLimit: 3
|
||||
jobTemplate:
|
||||
spec:
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: gitea-user-unban
|
||||
spec:
|
||||
restartPolicy: OnFailure
|
||||
nodeSelector:
|
||||
kubernetes.io/hostname: master.tail2fe2d.ts.net
|
||||
volumes:
|
||||
- name: storage
|
||||
hostPath:
|
||||
path: /k8s/gitea
|
||||
type: Directory
|
||||
containers:
|
||||
- name: sqlite-unban
|
||||
image: 'gitea/gitea:latest'
|
||||
imagePullPolicy: IfNotPresent
|
||||
resources:
|
||||
requests:
|
||||
memory: "32Mi"
|
||||
cpu: "10m"
|
||||
limits:
|
||||
memory: "128Mi"
|
||||
cpu: "100m"
|
||||
command:
|
||||
- /bin/sh
|
||||
- -ec
|
||||
- |
|
||||
sqlite3 -cmd ".timeout 30000" /data/gitea/gitea.db "
|
||||
UPDATE \"user\"
|
||||
SET is_active = 1,
|
||||
prohibit_login = 0,
|
||||
updated_unix = unixepoch()
|
||||
WHERE lower(email) = lower('ab@hexor.cy')
|
||||
AND (is_active <> 1 OR prohibit_login <> 0);
|
||||
|
||||
SELECT printf(
|
||||
'gitea user watchdog: id=%d login=%s email=%s is_active=%d prohibit_login=%d updated_unix=%d',
|
||||
id, lower_name, email, is_active, prohibit_login, updated_unix
|
||||
)
|
||||
FROM \"user\"
|
||||
WHERE lower(email) = lower('ab@hexor.cy');
|
||||
"
|
||||
volumeMounts:
|
||||
- name: storage
|
||||
mountPath: /data
|
||||
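Review bot: This CronJob writes straight into Gitea's live SQLite database every 10 minutes to re-activate one account, bypassing Gitea's own admin paths and caches; `.timeout 30000` only waits for the file lock, it does not coordinate with the server's transactions. It also means that if the account is ever deactivated on purpose (a suspected compromise, a lockout), the watchdog reverts that within ten minutes, so whoever investigates must know it exists; a comment in the manifest stating why the account keeps being disabled, and what alerts on the `SELECT printf(...)` output, would help. The admin REST API (`PATCH /api/v1/admin/users/{username}` with `active` / `prohibit_login`) would do the same through Gitea itself with an audit trail; whether `sqlite3` is even present in `gitea/gitea:latest` should be checked too, since the tag is unpinned.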
@@ -0,0 +1,12 @@
|
||||
apiVersion: v1
|
||||
kind: ConfigMap
|
||||
metadata:
|
||||
name: llamacpp-cuda-config
|
||||
data:
|
||||
LLAMA_CACHE: /models
|
||||
LLAMA_ARG_HOST: 0.0.0.0
|
||||
LLAMA_ARG_PORT: "8080"
|
||||
LLAMA_ARG_HF_REPO: "unsloth/gemma-4-12b-it-GGUF:Q6_K"
|
||||
LLAMA_ARG_CTX_SIZE: "128000"
|
||||
LLAMA_ARG_FLASH_ATTN: auto
|
||||
LLAMA_ARG_FIT: "on"
|
||||
@@ -0,0 +1,72 @@
|
||||
apiVersion: apps/v1
|
||||
kind: Deployment
|
||||
metadata:
|
||||
name: llamacpp-cuda
|
||||
annotations:
|
||||
reloader.stakater.com/auto: "true"
|
||||
labels:
|
||||
app: llamacpp-cuda
|
||||
spec:
|
||||
replicas: 1
|
||||
strategy:
|
||||
type: Recreate
|
||||
selector:
|
||||
matchLabels:
|
||||
app: llamacpp-cuda
|
||||
template:
|
||||
metadata:
|
||||
labels:
|
||||
app: llamacpp-cuda
|
||||
spec:
|
||||
dnsPolicy: Default
|
||||
runtimeClassName: nvidia
|
||||
nodeSelector:
|
||||
kubernetes.io/hostname: uk-desktop.tail2fe2d.ts.net
|
||||
tolerations:
|
||||
- key: workload
|
||||
operator: Equal
|
||||
value: desktop
|
||||
effect: NoSchedule
|
||||
containers:
|
||||
- name: llamacpp
|
||||
image: ghcr.io/ggml-org/llama.cpp:server-cuda-b9501
|
||||
imagePullPolicy: IfNotPresent
|
||||
envFrom:
|
||||
- configMapRef:
|
||||
name: llamacpp-cuda-config
|
||||
env:
|
||||
- name: HF_TOKEN
|
||||
valueFrom:
|
||||
secretKeyRef:
|
||||
name: llamacpp-hf-token
|
||||
key: token
|
||||
optional: true
|
||||
ports:
|
||||
- name: http
|
||||
containerPort: 8080
|
||||
protocol: TCP
|
||||
resources:
|
||||
limits:
|
||||
nvidia.com/gpu: 1
|
||||
startupProbe:
|
||||
httpGet:
|
||||
path: /health
|
||||
port: http
|
||||
failureThreshold: 180
|
||||
periodSeconds: 10
|
||||
timeoutSeconds: 5
|
||||
readinessProbe:
|
||||
httpGet:
|
||||
path: /health
|
||||
port: http
|
||||
failureThreshold: 3
|
||||
periodSeconds: 10
|
||||
timeoutSeconds: 5
|
||||
volumeMounts:
|
||||
- name: models
|
||||
mountPath: /models
|
||||
volumes:
|
||||
- name: models
|
||||
hostPath:
|
||||
path: /data/llama.cpp/models
|
||||
type: DirectoryOrCreate
|
||||
@@ -3,6 +3,9 @@ kind: Kustomization
|
||||
|
||||
resources:
|
||||
- app.yaml
|
||||
- configmap-cuda.yaml
|
||||
- configmap.yaml
|
||||
- deployment-cuda.yaml
|
||||
- deployment.yaml
|
||||
- service-cuda.yaml
|
||||
- service.yaml
|
||||
|
||||
@@ -0,0 +1,15 @@
|
||||
apiVersion: v1
|
||||
kind: Service
|
||||
metadata:
|
||||
name: llamacpp-cuda
|
||||
labels:
|
||||
app: llamacpp-cuda
|
||||
spec:
|
||||
type: ClusterIP
|
||||
selector:
|
||||
app: llamacpp-cuda
|
||||
ports:
|
||||
- name: http
|
||||
port: 8080
|
||||
targetPort: http
|
||||
protocol: TCP
|
||||
@@ -15,14 +15,14 @@ resources:
|
||||
- service.yaml
|
||||
- ingress.yaml
|
||||
|
||||
helmCharts:
|
||||
- name: yacy
|
||||
repo: https://gt.hexor.cy/api/packages/ab/helm
|
||||
version: 0.1.2
|
||||
releaseName: yacy
|
||||
namespace: n8n
|
||||
valuesFile: values-yacy.yaml
|
||||
includeCRDs: true
|
||||
# helmCharts:
|
||||
# - name: yacy
|
||||
# repo: https://gt.hexor.cy/api/packages/ab/helm
|
||||
# version: 0.1.2
|
||||
# releaseName: yacy
|
||||
# namespace: n8n
|
||||
# valuesFile: values-yacy.yaml
|
||||
# includeCRDs: true
|
||||
|
||||
commonLabels:
|
||||
app.kubernetes.io/name: n8n
|
||||
|
||||
@@ -11,7 +11,7 @@ spec:
|
||||
selector:
|
||||
matchLabels:
|
||||
app: pasarguard
|
||||
replicas: 1
|
||||
replicas: 2
|
||||
strategy:
|
||||
type: RollingUpdate
|
||||
template:
|
||||
@@ -34,7 +34,7 @@ spec:
|
||||
mountPath: /templates/subscription
|
||||
containers:
|
||||
- name: pasarguard-web
|
||||
image: pasarguard/panel:v5.0.1
|
||||
image: pasarguard/panel:v5.0.3
|
||||
imagePullPolicy: Always
|
||||
envFrom:
|
||||
- secretRef:
|
||||
@@ -50,6 +50,10 @@ spec:
|
||||
value: "/app/tls/tls.crt"
|
||||
- name: UVICORN_SSL_KEYFILE
|
||||
value: "/app/tls/tls.key"
|
||||
- name: UVICORN_PROXY_HEADERS
|
||||
value: "true"
|
||||
- name: FORWARDED_ALLOW_IPS
|
||||
value: "*"
|
||||
- name: CUSTOM_TEMPLATES_DIRECTORY
|
||||
value: "/code/app/templates/"
|
||||
- name: SUBSCRIPTION_PAGE_TEMPLATE
|
||||
|
||||
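Review bot: `FORWARDED_ALLOW_IPS: "*"` together with `UVICORN_PROXY_HEADERS: "true"` makes uvicorn trust `X-Forwarded-For` / `X-Forwarded-Proto` from any peer, so whatever the panel logs, rate-limits or authorises by client IP can be chosen by the caller if anything reaches the pod without passing through the ingress (another pod in the cluster, or the node itself if host networking is used; not visible here). Restrict it to the ingress controller's address range (`value: "<ingress pod CIDR>"` as a placeholder) and confirm Traefik discards client-supplied forwarded headers at the entrypoint. With `replicas: 2` in the hunk above, also confirm the panel keeps no node-local state that a RollingUpdate would split across pods.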
@@ -7,7 +7,7 @@ kind: Kustomization
|
||||
helmCharts:
|
||||
- name: longhorn
|
||||
repo: https://charts.longhorn.io
|
||||
version: 1.11.2
|
||||
version: 1.12.0
|
||||
releaseName: longhorn
|
||||
namespace: longhorn
|
||||
valuesFile: values.yaml
|
||||
|
||||
@@ -1,7 +1,54 @@
|
||||
global:
|
||||
tolerations:
|
||||
- key: "workload"
|
||||
operator: "Exists"
|
||||
effect: "NoSchedule"
|
||||
- key: "node.kubernetes.io/unreachable"
|
||||
operator: "Exists"
|
||||
effect: "NoSchedule"
|
||||
- key: "node.kubernetes.io/unreachable"
|
||||
operator: "Exists"
|
||||
effect: "NoExecute"
|
||||
|
||||
longhornManager:
|
||||
tolerations:
|
||||
- key: "workload"
|
||||
operator: "Exists"
|
||||
effect: "NoSchedule"
|
||||
- key: "node.kubernetes.io/unreachable"
|
||||
operator: "Exists"
|
||||
effect: "NoSchedule"
|
||||
- key: "node.kubernetes.io/unreachable"
|
||||
operator: "Exists"
|
||||
effect: "NoExecute"
|
||||
|
||||
longhornDriver:
|
||||
tolerations:
|
||||
- key: "workload"
|
||||
operator: "Exists"
|
||||
effect: "NoSchedule"
|
||||
- key: "node.kubernetes.io/unreachable"
|
||||
operator: "Exists"
|
||||
effect: "NoSchedule"
|
||||
- key: "node.kubernetes.io/unreachable"
|
||||
operator: "Exists"
|
||||
effect: "NoExecute"
|
||||
|
||||
longhornUI:
|
||||
replicas: 1
|
||||
tolerations:
|
||||
- key: "workload"
|
||||
operator: "Exists"
|
||||
effect: "NoSchedule"
|
||||
- key: "node.kubernetes.io/unreachable"
|
||||
operator: "Exists"
|
||||
effect: "NoSchedule"
|
||||
- key: "node.kubernetes.io/unreachable"
|
||||
operator: "Exists"
|
||||
effect: "NoExecute"
|
||||
|
||||
defaultSettings:
|
||||
taintToleration: "workload=ai:NoSchedule; workload=desktop:NoSchedule; node.kubernetes.io/unreachable:NoSchedule; node.kubernetes.io/unreachable:NoExecute"
|
||||
# Keep new instance-manager pods schedulable on nodes with high CPU requests.
|
||||
guaranteedInstanceManagerCPU: '{"v1":"6","v2":"6"}'
|
||||
|
||||
|
||||
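Review bot: The `node.kubernetes.io/unreachable` `NoExecute` tolerations carry no `tolerationSeconds`, so the pods are never evicted from a node that has gone away; for the manager/driver that is the intended behaviour, but `longhornUI` is a single-replica Deployment and will simply stay on the dead node. Give that entry `tolerationSeconds: 300`, or drop the NoExecute toleration for the UI, so it gets rescheduled. A one-line comment on why `unreachable` is tolerated at all (presumably nodes that drop off tailscale) would help the next reader, as the existing comment above `guaranteedInstanceManagerCPU` does.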
@@ -0,0 +1,45 @@
|
||||
---
|
||||
apiVersion: traefik.io/v1alpha1
|
||||
kind: Middleware
|
||||
metadata:
|
||||
name: auth-proxy
|
||||
spec:
|
||||
forwardAuth:
|
||||
address: http://auth-proxy.auth-proxy.svc:80/auth
|
||||
trustForwardHeader: true
|
||||
authResponseHeaders:
|
||||
- X-Auth-Request-User
|
||||
- X-Auth-Request-Email
|
||||
- X-Auth-Request-Groups
|
||||
---
|
||||
apiVersion: traefik.io/v1alpha1
|
||||
kind: IngressRoute
|
||||
metadata:
|
||||
name: prometheus
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: letsencrypt
|
||||
spec:
|
||||
entryPoints:
|
||||
- websecure
|
||||
routes:
|
||||
- match: Host(`prom.hexor.cy`)
|
||||
kind: Rule
|
||||
middlewares:
|
||||
- name: auth-proxy
|
||||
services:
|
||||
- name: prometheus-kube-prometheus-prometheus
|
||||
port: 9090
|
||||
tls:
|
||||
secretName: prometheus-tls
|
||||
---
|
||||
apiVersion: cert-manager.io/v1
|
||||
kind: Certificate
|
||||
metadata:
|
||||
name: prometheus-tls
|
||||
spec:
|
||||
secretName: prometheus-tls
|
||||
issuerRef:
|
||||
name: letsencrypt
|
||||
kind: ClusterIssuer
|
||||
dnsNames:
|
||||
- prom.hexor.cy
|
||||
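Review bot: `trustForwardHeader: true` on the `auth-proxy` middleware passes the client-supplied `X-Forwarded-*` headers to the auth service unmodified, so unless the `websecure` entrypoint already limits `forwardedHeaders.trustedIPs` to known proxies, a caller can present an arbitrary `X-Forwarded-For` / `X-Forwarded-Host` to the auth decision; set it to `false` unless Traefik sits behind another trusted proxy, and record the reason in a comment if it must stay. `authResponseHeaders` copies user, email and groups into the upstream request, which Prometheus does not consume; trimming the list to what the backend uses keeps identity data out of its access logs.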
@@ -4,6 +4,7 @@ kind: Kustomization
|
||||
resources:
|
||||
- persistentVolume.yaml
|
||||
- external-secrets.yaml
|
||||
- ingress.yaml
|
||||
- grafana-alerting-configmap.yaml
|
||||
- alertmanager-config.yaml
|
||||
- dashboards/telemt-dashboard-cm.yaml
|
||||
|
||||
@@ -1,4 +1,3 @@
|
||||
|
||||
alertmanager:
|
||||
config:
|
||||
global:
|
||||
@@ -25,7 +24,7 @@ alertmanager:
|
||||
{{ end }}
|
||||
|
||||
ingress:
|
||||
enabled: true
|
||||
enabled: false
|
||||
ingressClassName: traefik
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: letsencrypt
|
||||
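Review bot: Disabling the chart's alertmanager ingress (`enabled: false`) fits moving Prometheus behind the `auth-proxy` IngressRoute, but no equivalent IngressRoute for Alertmanager is added in this change, so its UI becomes unreachable from outside; if that is intended, a comment here saying so would save the next reader from hunting for the route. The `prometheus.ingress.enabled: false` in the hunk below is covered by the new `prom.hexor.cy` route.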
@@ -46,7 +45,7 @@ alertmanager:
|
||||
|
||||
prometheus:
|
||||
ingress:
|
||||
enabled: true
|
||||
enabled: false
|
||||
ingressClassName: traefik
|
||||
annotations:
|
||||
cert-manager.io/cluster-issuer: letsencrypt
|
||||
|
||||
@@ -16,6 +16,10 @@ proxy_applications = {
|
||||
domain = "pass.hexor.cy"
|
||||
allowed_groups = ["hexor-admin", "app-pass"]
|
||||
}
|
||||
Prometheus = {
|
||||
domain = "prom.hexor.cy"
|
||||
allowed_groups = ["hexor-admin"]
|
||||
}
|
||||
}
|
||||
|
||||
oauth2_applications = {
|
||||
@@ -91,4 +95,9 @@ oauth2_applications = {
|
||||
web_origins = ["https://auth.matrix.hexor.cy"]
|
||||
post_logout_redirect_uris = ["https://auth.matrix.hexor.cy/*"]
|
||||
}
|
||||
Amnezia-Fellow = {
|
||||
redirect_uris = ["https://awg.hexor.cy/auth/oidc/callback"]
|
||||
web_origins = ["https://awg.hexor.cy"]
|
||||
post_logout_redirect_uris = ["https://awg.hexor.cy/*"]
|
||||
}
|
||||
}
|
||||
|
||||