Auto-update README with current k8s applications

Generated by CI/CD workflow on 2026-06-29 18:02:16

This PR updates the README.md file with the current list of applications found in the k8s/ directory structure.

k8s/apps/amnezia/configmap-scripts.yaml

@@ -30,6 +30,21 @@ data:
       fi
     }
 
+    delete_rule() {
+      local table_args=()
+      if [ "${1:-}" = "-t" ]; then
+        table_args=("$1" "$2")
+        shift 2
+      fi
+
+      local chain="$1"
+      shift
+
+      while iptables "${table_args[@]}" -D "${chain}" "$@" >/dev/null 2>&1; do
+        true
+      done
+    }
+
     ensure_append_rule() {
       local table_args=()
       if [ "${1:-}" = "-t" ]; then
@@ -56,6 +71,7 @@ data:
 
     sysctl -w net.ipv4.ip_forward=1
 
+    delete_rule INPUT -i tailscale0 -p udp -m comment --comment amneziawg-block-tailscale -j DROP
     ensure_insert_rule INPUT -i "${EXT_IF}" -p udp --dport "${PORT}" -m comment --comment amneziawg-allow-external -j ACCEPT
     ensure_insert_rule INPUT -i tailscale0 -p udp --dport "${PORT}" -m comment --comment amneziawg-block-tailscale -j DROP
     ensure_append_rule INPUT -i awg0 -m comment --comment amneziawg-awg-input -j ACCEPT
@@ -100,6 +116,7 @@ data:
     fi
 
     delete_rule INPUT -i tailscale0 -p udp --dport "${PORT}" -m comment --comment amneziawg-block-tailscale -j DROP
+    delete_rule INPUT -i tailscale0 -p udp -m comment --comment amneziawg-block-tailscale -j DROP
     delete_rule INPUT -i awg0 -m comment --comment amneziawg-awg-input -j ACCEPT
     delete_rule FORWARD -i awg0 -m comment --comment amneziawg-forward-in -j ACCEPT
     delete_rule FORWARD -o awg0 -m comment --comment amneziawg-forward-out -j ACCEPT
@@ -109,8 +126,11 @@ data:
     set -euo pipefail
 
     SERVER_CONFIG="/etc/amnezia/server/awg0.conf"
-    CLIENTS_DIR="/etc/amnezia/clients"
+    CLIENTS_DIR="${AMNEZIAWG_CLIENTS_DIR:-/run/amnezia/clients}"
     RUNTIME_CONFIG="/run/amnezia/awg0.conf"
+    SYNC_CONFIG="/run/amnezia/awg0.sync.conf"
+    STATUS_FILE="/run/amnezia/reload-status"
+    RELOAD_INTERVAL="${AMNEZIAWG_RELOAD_INTERVAL:-10}"
 
     cleanup() {
       if awg show awg0 >/dev/null 2>&1; then
@@ -120,32 +140,181 @@ data:
 
     render_config() {
       mkdir -p "$(dirname "${RUNTIME_CONFIG}")"
-      cp "${SERVER_CONFIG}" "${RUNTIME_CONFIG}"
-      chmod 0600 "${RUNTIME_CONFIG}"
+      local tmp_config="${RUNTIME_CONFIG}.tmp"
+      cp "${SERVER_CONFIG}" "${tmp_config}"
+      chmod 0600 "${tmp_config}"
 
       local clients_found=0
       for client_config in "${CLIENTS_DIR}"/*; do
         [ -f "${client_config}" ] || continue
         [ -s "${client_config}" ] || continue
-        printf '\n' >> "${RUNTIME_CONFIG}"
-        cat "${client_config}" >> "${RUNTIME_CONFIG}"
+        printf '\n' >> "${tmp_config}"
+        cat "${client_config}" >> "${tmp_config}"
         clients_found=1
       done
 
       if [ "${clients_found}" = "0" ]; then
         echo "No client peer configs found in ${CLIENTS_DIR}; starting without peers"
       fi
+
+      mv "${tmp_config}" "${RUNTIME_CONFIG}"
+      chmod 0600 "${RUNTIME_CONFIG}"
+    }
+
+    client_config_hash() {
+      {
+        for client_config in "${CLIENTS_DIR}"/*; do
+          [ -f "${client_config}" ] || continue
+          sha256sum "${client_config}"
+        done
+      } | sha256sum | awk '{print $1}'
+    }
+
+    write_reload_status() {
+      local state="${1}"
+      local hash="${2:-}"
+      local applied_at_ms=""
+      if [ "${state}" = "applied" ]; then
+        applied_at_ms="$(($(date +%s) * 1000))"
+      fi
+
+      mkdir -p "$(dirname "${STATUS_FILE}")"
+      {
+        printf 'state=%s\n' "${state}"
+        printf 'hash=%s\n' "${hash}"
+        printf 'applied_at_ms=%s\n' "${applied_at_ms}"
+      } > "${STATUS_FILE}.tmp"
+      mv "${STATUS_FILE}.tmp" "${STATUS_FILE}"
+    }
+
+    apply_live_config() {
+      render_config
+      awg-quick strip "${RUNTIME_CONFIG}" > "${SYNC_CONFIG}"
+      chmod 0600 "${SYNC_CONFIG}"
+      awg syncconf awg0 "${SYNC_CONFIG}"
+    }
+
+    watch_client_config() {
+      local last_hash="${1}"
+      while true; do
+        sleep "${RELOAD_INTERVAL}" &
+        wait "$!" || return 0
+
+        local current_hash
+        current_hash="$(client_config_hash)"
+        if [ "${current_hash}" = "${last_hash}" ]; then
+          continue
+        fi
+
+        echo "Detected AmneziaWG client peer config change; applying with awg syncconf"
+        if apply_live_config; then
+          last_hash="${current_hash}"
+          write_reload_status applied "${current_hash}"
+          awg show awg0 || true
+        else
+          echo "ERROR: failed to hot-reload AmneziaWG client peer config" >&2
+          write_reload_status error "${current_hash}"
+        fi
+      done
     }
 
     trap cleanup EXIT
     trap 'exit 0' TERM INT
 
+    initial_hash="$(client_config_hash)"
     render_config
     cleanup
     awg-quick up "${RUNTIME_CONFIG}"
     awg show awg0 || true
+    write_reload_status applied "${initial_hash}"
+    watch_client_config "${initial_hash}"
+
+  client-secret-sync.sh: |
+    #!/usr/bin/env bash
+    set -euo pipefail
+
+    CLIENT_SECRET="${AMNEZIAWG_CLIENT_SECRET:-amneziawg-clients}"
+    CLIENT_SECRET_KEY="${AMNEZIAWG_CLIENT_SECRET_KEY:-peers.conf}"
+    CLIENTS_DIR="${AMNEZIAWG_CLIENTS_DIR:-/run/amnezia/clients}"
+    PEERS_FILE="${CLIENTS_DIR}/peers.conf"
+    SYNC_INTERVAL="${AMNEZIAWG_CLIENT_SECRET_SYNC_INTERVAL:-5}"
+    NAMESPACE="${POD_NAMESPACE:-$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)}"
+
+    write_empty_once() {
+      mkdir -p "${CLIENTS_DIR}"
+      if [ ! -f "${PEERS_FILE}" ]; then
+        : > "${PEERS_FILE}"
+        chmod 0600 "${PEERS_FILE}"
+      fi
+    }
+
+    sync_once() {
+      mkdir -p "${CLIENTS_DIR}"
+      local tmp_file="${PEERS_FILE}.tmp"
+      local encoded=""
+
+      if ! encoded="$(kubectl get secret "${CLIENT_SECRET}" -n "${NAMESPACE}" -o "go-template={{ index .data \"${CLIENT_SECRET_KEY}\" }}" 2>/dev/null)"; then
+        echo "WARN: failed to read Secret ${NAMESPACE}/${CLIENT_SECRET}; keeping current peers" >&2
+        write_empty_once
+        return 0
+      fi
+
+      if [ -n "${encoded}" ]; then
+        printf '%s' "${encoded}" | base64 -d > "${tmp_file}"
+      else
+        : > "${tmp_file}"
+      fi
+      chmod 0600 "${tmp_file}"
+
+      if [ -f "${PEERS_FILE}" ] && cmp -s "${tmp_file}" "${PEERS_FILE}"; then
+        rm -f "${tmp_file}"
+        return 0
+      fi
+
+      mv "${tmp_file}" "${PEERS_FILE}"
+      echo "Synced AmneziaWG client peers from Secret ${NAMESPACE}/${CLIENT_SECRET}:${CLIENT_SECRET_KEY}"
+    }
+
+    if [ "${1:-}" = "once" ]; then
+      sync_once
+      exit 0
+    fi
 
     while true; do
-      sleep 3600 &
-      wait "$!"
+      sync_once || true
+      sleep "${SYNC_INTERVAL}"
+    done
+
+  status-patch.sh: |
+    #!/usr/bin/env bash
+    set -euo pipefail
+
+    STATUS_FILE="/run/amnezia/reload-status"
+    PATCH_INTERVAL="${AMNEZIAWG_STATUS_PATCH_INTERVAL:-5}"
+    NAMESPACE="${POD_NAMESPACE:-$(cat /var/run/secrets/kubernetes.io/serviceaccount/namespace)}"
+    : "${POD_NAME:?POD_NAME is required}"
+
+    last_file_hash=""
+
+    patch_status() {
+      local state="unknown"
+      local hash=""
+      local applied_at_ms=""
+
+      # The file is generated by run.sh and contains only shell assignments.
+      # shellcheck disable=SC1090
+      source "${STATUS_FILE}"
+
+      kubectl patch pod "${POD_NAME}" -n "${NAMESPACE}" --type merge -p "{\"metadata\":{\"annotations\":{\"amnezia-fellow.hexor.cy/client-secret-reload-status\":\"${state}\",\"amnezia-fellow.hexor.cy/client-secret-applied-at-ms\":\"${applied_at_ms}\",\"amnezia-fellow.hexor.cy/client-secret-applied-hash\":\"${hash}\"}}}"
+    }
+
+    while true; do
+      if [ -f "${STATUS_FILE}" ]; then
+        file_hash="$(sha256sum "${STATUS_FILE}" | awk '{print $1}')"
+        if [ "${file_hash}" != "${last_file_hash}" ]; then
+          patch_status || true
+          last_file_hash="${file_hash}"
+        fi
+      fi
+      sleep "${PATCH_INTERVAL}"
     done

k8s/apps/amnezia/daemonset.yaml

@@ -6,8 +6,8 @@ metadata:
   labels:
     app: amneziawg
   annotations:
-    reloader.stakater.com/auto: "true"
-    secret.reloader.stakater.com/reload: "amneziawg-server,amneziawg-clients"
+    secret.reloader.stakater.com/reload: "amneziawg-server"
+    configmap.reloader.stakater.com/reload: "amneziawg-scripts"
 spec:
   selector:
     matchLabels:
@@ -27,6 +27,19 @@ spec:
       tolerations:
         - operator: Exists
       initContainers:
+        - name: install-awg
+          image: amneziavpn/amneziawg-go:latest
+          imagePullPolicy: IfNotPresent
+          command:
+            - /bin/bash
+            - -lc
+            - |
+              set -euo pipefail
+              cp /usr/bin/awg /shared-bin/awg
+              chmod 0755 /shared-bin/awg
+          volumeMounts:
+            - name: awg-bin
+              mountPath: /shared-bin
         - name: register-endpoint
           image: bitnami/kubectl:latest
           imagePullPolicy: IfNotPresent
@@ -65,6 +78,26 @@ spec:
                 kubectl create secret generic amneziawg-endpoints -n "${NAMESPACE}" \
                   --from-literal="${NODE_NAME}=${VALUE}"
               fi
+        - name: sync-client-secret
+          image: bitnami/kubectl:latest
+          imagePullPolicy: IfNotPresent
+          command:
+            - /bin/bash
+            - /scripts/client-secret-sync.sh
+            - once
+          resources:
+            requests:
+              memory: "32Mi"
+              cpu: "10m"
+            limits:
+              memory: "128Mi"
+              cpu: "100m"
+          volumeMounts:
+            - name: scripts
+              mountPath: /scripts
+              readOnly: true
+            - name: runtime-config
+              mountPath: /run/amnezia
       containers:
         - name: amneziawg
           image: amneziavpn/amneziawg-go:latest
@@ -113,9 +146,6 @@ spec:
             - name: server-config
               mountPath: /etc/amnezia/server
               readOnly: true
-            - name: client-config
-              mountPath: /etc/amnezia/clients
-              readOnly: true
             - name: scripts
               mountPath: /scripts
               readOnly: true
@@ -123,6 +153,100 @@ spec:
               mountPath: /run/amnezia
             - name: dev-net-tun
               mountPath: /dev/net/tun
+        - name: reload-status
+          image: bitnami/kubectl:latest
+          imagePullPolicy: IfNotPresent
+          env:
+            - name: POD_NAME
+              valueFrom:
+                fieldRef:
+                  fieldPath: metadata.name
+          command:
+            - /bin/bash
+            - /scripts/status-patch.sh
+          resources:
+            requests:
+              memory: "32Mi"
+              cpu: "10m"
+            limits:
+              memory: "128Mi"
+              cpu: "100m"
+          volumeMounts:
+            - name: scripts
+              mountPath: /scripts
+              readOnly: true
+            - name: runtime-config
+              mountPath: /run/amnezia
+        - name: client-secret-sync
+          image: bitnami/kubectl:latest
+          imagePullPolicy: IfNotPresent
+          command:
+            - /bin/bash
+            - /scripts/client-secret-sync.sh
+          resources:
+            requests:
+              memory: "32Mi"
+              cpu: "10m"
+            limits:
+              memory: "128Mi"
+              cpu: "100m"
+          volumeMounts:
+            - name: scripts
+              mountPath: /scripts
+              readOnly: true
+            - name: runtime-config
+              mountPath: /run/amnezia
+        - name: amneziawg-exporter-redis
+          image: redis:alpine
+          imagePullPolicy: IfNotPresent
+          command:
+            - redis-server
+            - /etc/redis/redis.conf
+          ports:
+            - name: redis
+              containerPort: 6379
+              protocol: TCP
+          resources:
+            requests:
+              memory: "32Mi"
+              cpu: "10m"
+            limits:
+              memory: "128Mi"
+              cpu: "100m"
+          volumeMounts:
+            - name: exporter-redis-config
+              mountPath: /etc/redis
+              readOnly: true
+            - name: exporter-redis-data
+              mountPath: /data
+        - name: amneziawg-exporter
+          image: amneziavpn/amneziawg-exporter:latest
+          imagePullPolicy: IfNotPresent
+          securityContext:
+            capabilities:
+              add:
+                - NET_ADMIN
+          env:
+            - name: AWG_EXPORTER_REDIS_HOST
+              value: "127.0.0.1"
+            - name: AWG_EXPORTER_REDIS_PORT
+              value: "6379"
+          ports:
+            - name: metrics
+              containerPort: 9351
+              protocol: TCP
+          resources:
+            requests:
+              memory: "64Mi"
+              cpu: "25m"
+            limits:
+              memory: "256Mi"
+              cpu: "200m"
+          volumeMounts:
+            - name: awg-bin
+              mountPath: /usr/bin/awg
+              subPath: awg
+              readOnly: true
       volumes:
         - name: server-config
           secret:
@@ -131,17 +255,19 @@ spec:
             items:
               - key: awg0.conf
                 path: awg0.conf
-        - name: client-config
-          secret:
-            secretName: amneziawg-clients
-            optional: true
-            defaultMode: 0600
         - name: scripts
           configMap:
             name: amneziawg-scripts
             defaultMode: 0755
         - name: runtime-config
           emptyDir: {}
+        - name: awg-bin
+          emptyDir: {}
+        - name: exporter-redis-config
+          configMap:
+            name: amneziawg-exporter-redis
+        - name: exporter-redis-data
+          emptyDir: {}
         - name: dev-net-tun
           hostPath:
             path: /dev/net/tun

k8s/apps/amnezia/exporter-redis-configmap.yaml

@@ -0,0 +1,28 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: amneziawg-exporter-redis
+  labels:
+    app: amneziawg
+    component: exporter
+data:
+  redis.conf: |
+    bind 0.0.0.0
+    protected-mode no
+    port 6379
+    tcp-backlog 511
+    timeout 0
+    tcp-keepalive 300
+    daemonize no
+    pidfile /run/redis.pid
+    loglevel warning
+    logfile ""
+    databases 16
+    always-show-logo no
+    set-proc-title no
+    save 3600 1
+    stop-writes-on-bgsave-error no
+    rdbcompression yes
+    rdbchecksum yes
+    dir /data

k8s/apps/amnezia/exporter-service.yaml

@@ -0,0 +1,17 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: amneziawg-exporter
+  labels:
+    app: amneziawg
+    component: exporter
+spec:
+  type: ClusterIP
+  selector:
+    app: amneziawg
+  ports:
+    - name: metrics
+      protocol: TCP
+      port: 9351
+      targetPort: 9351

k8s/apps/amnezia/fellow-deployment.yaml

@@ -0,0 +1,74 @@
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: amnezia-fellow
+  labels:
+    app: amnezia-fellow
+spec:
+  replicas: 1
+  strategy:
+    type: Recreate
+  selector:
+    matchLabels:
+      app: amnezia-fellow
+  template:
+    metadata:
+      labels:
+        app: amnezia-fellow
+    spec:
+      serviceAccountName: amnezia-fellow
+      nodeSelector:
+        kubernetes.io/os: linux
+        kubernetes.io/hostname: cy.tail2fe2d.ts.net
+      containers:
+        - name: amnezia-fellow
+          image: ultradesu/amnezia-fellow:latest
+          imagePullPolicy: Always
+          ports:
+            - name: http
+              containerPort: 8000
+              protocol: TCP
+          env:
+            - name: AMNEZIA_FELLOW_DATABASE_URL
+              value: "sqlite:///data/amnezia-fellow.sqlite3?mode=rwc"
+            - name: AMNEZIA_FELLOW_K8S_NAMESPACE
+              value: "amnezia"
+            - name: AMNEZIA_FELLOW_K8S_CLIENTS_SECRET
+              value: "amneziawg-clients"
+            - name: AMNEZIA_FELLOW_K8S_CLIENTS_SECRET_KEY
+              value: "peers.conf"
+            - name: AMNEZIA_FELLOW_K8S_SERVER_SECRET
+              value: "amneziawg-server"
+            - name: AMNEZIA_FELLOW_K8S_ENDPOINTS_SECRET
+              value: "amneziawg-endpoints"
+            - name: AMNEZIA_FELLOW_VPN_CLIENT_CIDR
+              value: "10.8.0.0/16"
+            - name: AMNEZIA_FELLOW_VPN_MTU
+              value: "1376"
+          readinessProbe:
+            tcpSocket:
+              port: http
+            initialDelaySeconds: 5
+            periodSeconds: 10
+            timeoutSeconds: 3
+          livenessProbe:
+            tcpSocket:
+              port: http
+            initialDelaySeconds: 30
+            periodSeconds: 30
+            timeoutSeconds: 5
+          resources:
+            requests:
+              cpu: "50m"
+              memory: "128Mi"
+            limits:
+              cpu: "500m"
+              memory: "512Mi"
+          volumeMounts:
+            - name: data
+              mountPath: /data
+      volumes:
+        - name: data
+          persistentVolumeClaim:
+            claimName: amnezia-fellow-data

k8s/apps/amnezia/fellow-ingress.yaml

@@ -0,0 +1,26 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: amnezia-fellow-tls-ingress
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+    traefik.ingress.kubernetes.io/router.middlewares: kube-system-https-redirect@kubernetescrd
+    acme.cert-manager.io/http01-edit-in-place: "true"
+spec:
+  ingressClassName: traefik
+  rules:
+    - host: awg.hexor.cy
+      http:
+        paths:
+          - path: /
+            pathType: Prefix
+            backend:
+              service:
+                name: amnezia-fellow
+                port:
+                  number: 8000
+  tls:
+    - secretName: amnezia-fellow-tls
+      hosts:
+        - awg.hexor.cy

k8s/apps/amnezia/fellow-rbac.yaml

@@ -0,0 +1,35 @@
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: amnezia-fellow
+  labels:
+    app: amnezia-fellow
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+  name: amnezia-fellow
+  labels:
+    app: amnezia-fellow
+rules:
+  - apiGroups: [""]
+    resources: ["secrets"]
+    verbs: ["get", "create", "update", "patch"]
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "list"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+  name: amnezia-fellow
+  labels:
+    app: amnezia-fellow
+roleRef:
+  apiGroup: rbac.authorization.k8s.io
+  kind: Role
+  name: amnezia-fellow
+subjects:
+  - kind: ServiceAccount
+    name: amnezia-fellow

k8s/apps/amnezia/fellow-service.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: amnezia-fellow
+  labels:
+    app: amnezia-fellow
+spec:
+  type: ClusterIP
+  selector:
+    app: amnezia-fellow
+  ports:
+    - name: http
+      protocol: TCP
+      port: 8000
+      targetPort: 8000

k8s/apps/amnezia/fellow-storage.yaml

@@ -0,0 +1,14 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: amnezia-fellow-data
+  labels:
+    app: amnezia-fellow
+spec:
+  accessModes:
+    - ReadWriteOnce
+  storageClassName: longhorn
+  resources:
+    requests:
+      storage: 3Gi

k8s/apps/amnezia/kustomization.yaml

@@ -7,4 +7,12 @@ resources:
   - external-secrets.yaml
   - configmap-scripts.yaml
   - rbac.yaml
+  - fellow-rbac.yaml
+  - fellow-storage.yaml
+  - fellow-service.yaml
+  - fellow-ingress.yaml
+  - fellow-deployment.yaml
+  - exporter-redis-configmap.yaml
+  - exporter-service.yaml
+  - servicemonitor.yaml
   - daemonset.yaml

k8s/apps/amnezia/rbac.yaml

@@ -42,6 +42,9 @@ rules:
   - apiGroups: [""]
     resources: ["secrets"]
     verbs: ["get", "create", "patch"]
+  - apiGroups: [""]
+    resources: ["pods"]
+    verbs: ["get", "patch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding

k8s/apps/amnezia/servicemonitor.yaml

@@ -0,0 +1,23 @@
+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: amneziawg-exporter
+  labels:
+    app: amneziawg
+    component: exporter
+    release: prometheus
+spec:
+  selector:
+    matchLabels:
+      app: amneziawg
+      component: exporter
+  endpoints:
+    - port: metrics
+      path: /metrics
+      interval: 30s
+      scrapeTimeout: 10s
+      honorLabels: true
+  namespaceSelector:
+    matchNames:
+      - amnezia

k8s/apps/gitea/deployment.yaml

@@ -41,18 +41,18 @@ spec:
             - name: GITEA__service__REGISTER_MANUAL_CONFIRM
               value: "true"
             - name: GITEA__service__ENABLE_CAPTCHA
-              value: "false"
-            - name: GITEA__service__REQUIRE_CAPTCHA_FOR_LOGIN
               value: "true"
+            - name: GITEA__service__REQUIRE_CAPTCHA_FOR_LOGIN
+              value: "false"
             - name: GITEA__service__REQUIRE_EXTERNAL_REGISTRATION_CAPTCHA
               value: "true"
             - name: GITEA__service__CAPTCHA_TYPE
-              value: "hcaptcha"
+              value: "cfturnstile"
             - name: GITEA__webhook__ALLOWED_HOST_LIST
               value: "*"
           envFrom:
           - secretRef:
-              name: gitea-recapcha-creds
+              name: gitea-runner-act-runner-secrets
           ports:
             - name: http
               containerPort: 3000

k8s/apps/gitea/external-secrets.yaml

@@ -13,6 +13,10 @@ spec:
       data:
         token: |-
           {{ .password }}
+        GITEA__service__CF_TURNSTILE_SITEKEY: |-
+          {{ .CF_TURNSTILE_SITEKEY }}
+        GITEA__service__CF_TURNSTILE_SECRET: |-
+          {{ .CF_TURNSTILE_SECRET }}
   data:
     - secretKey: password
       sourceRef:
@@ -22,38 +26,19 @@ spec:
       remoteRef:
         key: e475b5ab-ea3c-48a5-bb4c-a6bc552fc064
         property: login.password
-
----
-apiVersion: external-secrets.io/v1
-kind: ExternalSecret
-metadata:
-  name: gitea-recapcha-creds
-spec:
-  refreshInterval: 1m
-  target:
-    name: gitea-recapcha-creds
-    deletionPolicy: Delete
-    template:
-      type: Opaque
-      data:
-        GITEA__service__HCAPTCHA_SITEKEY: |-
-          {{ .HCAPTCHA_SITEKEY }}
-        GITEA__service__HCAPTCHA_SECRET: |-
-          {{ .HCAPTCHA_SECRET }}
-  data:
-    - secretKey: HCAPTCHA_SITEKEY
+    - secretKey: CF_TURNSTILE_SITEKEY
       sourceRef:
         storeRef:
           name: vaultwarden-login
           kind: ClusterSecretStore
       remoteRef:
-        key: 89c8d8d2-6b53-42c5-805f-38a341ef163e
-        property: login.username
-    - secretKey: HCAPTCHA_SECRET
+        key: e475b5ab-ea3c-48a5-bb4c-a6bc552fc064
+        property: fields[0].value
+    - secretKey: CF_TURNSTILE_SECRET
       sourceRef:
         storeRef:
           name: vaultwarden-login
           kind: ClusterSecretStore
       remoteRef:
-        key: 89c8d8d2-6b53-42c5-805f-38a341ef163e
-        property: login.password
+        key: e475b5ab-ea3c-48a5-bb4c-a6bc552fc064
+        property: fields[1].value

k8s/apps/gitea/kustomization.yaml

@@ -5,6 +5,6 @@ resources:
   - app.yaml
   - external-secrets.yaml
   - deployment.yaml
+  - user-unban-cronjob.yaml
   - service.yaml
   - ingress.yaml
-

k8s/apps/gitea/user-unban-cronjob.yaml

@@ -0,0 +1,60 @@
+---
+apiVersion: batch/v1
+kind: CronJob
+metadata:
+  name: gitea-user-unban
+  labels:
+    app: gitea-user-unban
+spec:
+  schedule: "*/10 * * * *"
+  concurrencyPolicy: Forbid
+  successfulJobsHistoryLimit: 3
+  failedJobsHistoryLimit: 3
+  jobTemplate:
+    spec:
+      template:
+        metadata:
+          labels:
+            app: gitea-user-unban
+        spec:
+          restartPolicy: OnFailure
+          nodeSelector:
+            kubernetes.io/hostname: master.tail2fe2d.ts.net
+          volumes:
+            - name: storage
+              hostPath:
+                path: /k8s/gitea
+                type: Directory
+          containers:
+            - name: sqlite-unban
+              image: 'gitea/gitea:latest'
+              imagePullPolicy: IfNotPresent
+              resources:
+                requests:
+                  memory: "32Mi"
+                  cpu: "10m"
+                limits:
+                  memory: "128Mi"
+                  cpu: "100m"
+              command:
+                - /bin/sh
+                - -ec
+                - |
+                  sqlite3 -cmd ".timeout 30000" /data/gitea/gitea.db "
+                    UPDATE \"user\"
+                       SET is_active = 1,
+                           prohibit_login = 0,
+                           updated_unix = unixepoch()
+                     WHERE lower(email) = lower('ab@hexor.cy')
+                       AND (is_active <> 1 OR prohibit_login <> 0);
+
+                    SELECT printf(
+                      'gitea user watchdog: id=%d login=%s email=%s is_active=%d prohibit_login=%d updated_unix=%d',
+                      id, lower_name, email, is_active, prohibit_login, updated_unix
+                    )
+                      FROM \"user\"
+                     WHERE lower(email) = lower('ab@hexor.cy');
+                  "
+              volumeMounts:
+                - name: storage
+                  mountPath: /data

k8s/core/longhorn/values.yaml

@@ -1,7 +1,54 @@
+global:
+  tolerations:
+    - key: "workload"
+      operator: "Exists"
+      effect: "NoSchedule"
+    - key: "node.kubernetes.io/unreachable"
+      operator: "Exists"
+      effect: "NoSchedule"
+    - key: "node.kubernetes.io/unreachable"
+      operator: "Exists"
+      effect: "NoExecute"
+
+longhornManager:
+  tolerations:
+    - key: "workload"
+      operator: "Exists"
+      effect: "NoSchedule"
+    - key: "node.kubernetes.io/unreachable"
+      operator: "Exists"
+      effect: "NoSchedule"
+    - key: "node.kubernetes.io/unreachable"
+      operator: "Exists"
+      effect: "NoExecute"
+
+longhornDriver:
+  tolerations:
+    - key: "workload"
+      operator: "Exists"
+      effect: "NoSchedule"
+    - key: "node.kubernetes.io/unreachable"
+      operator: "Exists"
+      effect: "NoSchedule"
+    - key: "node.kubernetes.io/unreachable"
+      operator: "Exists"
+      effect: "NoExecute"
+
 longhornUI:
   replicas: 1
+  tolerations:
+    - key: "workload"
+      operator: "Exists"
+      effect: "NoSchedule"
+    - key: "node.kubernetes.io/unreachable"
+      operator: "Exists"
+      effect: "NoSchedule"
+    - key: "node.kubernetes.io/unreachable"
+      operator: "Exists"
+      effect: "NoExecute"
 
 defaultSettings:
+  taintToleration: "workload=ai:NoSchedule; workload=desktop:NoSchedule; node.kubernetes.io/unreachable:NoSchedule; node.kubernetes.io/unreachable:NoExecute"
   # Keep new instance-manager pods schedulable on nodes with high CPU requests.
   guaranteedInstanceManagerCPU: '{"v1":"6","v2":"6"}'
 

k8s/core/prom-stack/ingress.yaml

@@ -0,0 +1,45 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+  name: auth-proxy
+spec:
+  forwardAuth:
+    address: http://auth-proxy.auth-proxy.svc:80/auth
+    trustForwardHeader: true
+    authResponseHeaders:
+      - X-Auth-Request-User
+      - X-Auth-Request-Email
+      - X-Auth-Request-Groups
+---
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: prometheus
+  annotations:
+    cert-manager.io/cluster-issuer: letsencrypt
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`prom.hexor.cy`)
+      kind: Rule
+      middlewares:
+        - name: auth-proxy
+      services:
+        - name: prometheus-kube-prometheus-prometheus
+          port: 9090
+  tls:
+    secretName: prometheus-tls
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: prometheus-tls
+spec:
+  secretName: prometheus-tls
+  issuerRef:
+    name: letsencrypt
+    kind: ClusterIssuer
+  dnsNames:
+    - prom.hexor.cy

k8s/core/prom-stack/kustomization.yaml

@@ -4,6 +4,7 @@ kind: Kustomization
 resources:
   - persistentVolume.yaml
   - external-secrets.yaml
+  - ingress.yaml
   - grafana-alerting-configmap.yaml
   - alertmanager-config.yaml
   - dashboards/telemt-dashboard-cm.yaml

k8s/core/prom-stack/prom-values.yaml

@@ -1,4 +1,3 @@
-
 alertmanager:
   config:
     global:
@@ -25,7 +24,7 @@ alertmanager:
               {{ end }}
 
   ingress:
-    enabled: true
+    enabled: false
     ingressClassName: traefik
     annotations:
       cert-manager.io/cluster-issuer: letsencrypt
@@ -46,7 +45,7 @@ alertmanager:
 
 prometheus:
   ingress:
-    enabled: true
+    enabled: false
     ingressClassName: traefik
     annotations:
       cert-manager.io/cluster-issuer: letsencrypt

terraform/keycloak/terraform.tfvars

@@ -16,6 +16,10 @@ proxy_applications = {
     domain         = "pass.hexor.cy"
     allowed_groups = ["hexor-admin", "app-pass"]
   }
+  Prometheus = {
+    domain         = "prom.hexor.cy"
+    allowed_groups = ["hexor-admin"]
+  }
 }
 
 oauth2_applications = {
@@ -91,4 +95,9 @@ oauth2_applications = {
     web_origins               = ["https://auth.matrix.hexor.cy"]
     post_logout_redirect_uris = ["https://auth.matrix.hexor.cy/*"]
   }
+  Amnezia-Fellow = {
+    redirect_uris             = ["https://awg.hexor.cy/auth/oidc/callback"]
+    web_origins               = ["https://awg.hexor.cy"]
+    post_logout_redirect_uris = ["https://awg.hexor.cy/*"]
+  }
 }