Installer: introduce namespacePrefix, fix certificates, split matrix installation using pre-install hook
diff --git a/helmfile/users/helmfile.yaml b/helmfile/users/helmfile.yaml
index ae3840c..b2fae82 100644
--- a/helmfile/users/helmfile.yaml
+++ b/helmfile/users/helmfile.yaml
@@ -6,7 +6,7 @@
helmDefaults:
tillerless: true
- waitForJobs: false
+ waitForJobs: true
createNamespace: false
releases:
@@ -16,6 +16,7 @@
createNamespace: true
values:
- pcloudInstanceId: {{ .Values.id }}
+ - namespacePrefix: {{ .Values.namespacePrefix }}
- namespaces:
- app-maddy
- app-matrix
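Review bot: `namespacePrefix` on the added value line is passed as an unquoted template expansion, so an environment that leaves it unset or empty renders `null`/empty and every `namespace: {{ .Values.namespacePrefix }}…` release in this file (the hunks for ingress-private, core-auth, app-vaultwarden, app-matrix, app-pihole and app-maddy) silently collapses onto unprefixed namespaces shared by all instances, which is the isolation boundary the prefix exists to provide. Quote it and fail the render when it is missing, e.g. `- namespacePrefix: "{{ required "namespacePrefix must be set" .Values.namespacePrefix }}"` (assuming the helmfile version in use provides `required`; otherwise at least quote it). Before this change the namespace was derived from `id`, which guaranteed a distinct namespace per instance; now `id` and `namespacePrefix` are two independent values that must be kept consistent by hand in each environment (see the environments hunk at the end of the file), so a comment next to the value such as `# must be unique per instance; all namespaces below are derived from it` would document that contract.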
@@ -25,7 +26,7 @@
- ingress-private
- name: vpn-mesh-config
chart: ../../charts/vpn-mesh-config
- namespace: {{ .Values.id }}-ingress-private
+ namespace: {{ .Values.namespacePrefix }}ingress-private
values:
- certificateAuthority:
name: {{ .Values.id }}
@@ -37,7 +38,7 @@
- name: ingress-private
chart: ingress-nginx/ingress-nginx
version: 4.0.3
- namespace: {{ .Values.id }}-ingress-private
+ namespace: {{ .Values.namespacePrefix }}ingress-private
values:
- fullnameOverride: {{ .Values.id }}-nginx-private
- controller:
@@ -83,16 +84,16 @@
bind-address: 111.0.0.1
proxy-body-size: 0
- udp:
- 53: "{{ .Values.id }}-app-pihole/pihole-dns-udp:53"
+ 53: "{{ .Values.namespacePrefix }}app-pihole/pihole-dns-udp:53"
- tcp:
- 53: "{{ .Values.id }}-app-pihole/pihole-dns-tcp:53"
- 143: "{{ .Values.id }}-app-maddy/maddy:143"
- 465: "{{ .Values.id }}-app-maddy/maddy:465"
- 587: "{{ .Values.id }}-app-maddy/maddy:587"
- 993: "{{ .Values.id }}-app-maddy/maddy:993"
+ 53: "{{ .Values.namespacePrefix }}app-pihole/pihole-dns-tcp:53"
+ 143: "{{ .Values.namespacePrefix }}app-maddy/maddy:143"
+ 465: "{{ .Values.namespacePrefix }}app-maddy/maddy:465"
+ 587: "{{ .Values.namespacePrefix }}app-maddy/maddy:587"
+ 993: "{{ .Values.namespacePrefix }}app-maddy/maddy:993"
- name: certificate-issuer
chart: ../../charts/certificate-issuer
- namespace: {{ .Values.id }}-ingress-private
+ namespace: {{ .Values.namespacePrefix }}ingress-private
values:
- pcloudInstanceId: {{ .Values.id }}
- certManager:
@@ -115,7 +116,7 @@
- name: core-auth-storage # TODO(giolekva): merge with core-auth
chart: bitnami/postgresql
version: 10.13.5
- namespace: {{ .Values.id }}-core-auth
+ namespace: {{ .Values.namespacePrefix }}core-auth
values:
- fullnameOverride: postgres
- image:
@@ -139,7 +140,7 @@
runAsUser: 0
- name: core-auth
chart: ../../charts/auth
- namespace: {{ .Values.id }}-core-auth
+ namespace: {{ .Values.namespacePrefix }}core-auth
values:
- kratos:
fullnameOverride: kratos
@@ -348,6 +349,7 @@
enabled: true
hydraFullnameOverride: hydra
hydra-maester:
+ fullnameOverride: {{ .Values.id }}-hydra-maester
image:
repository: giolekva/ory-hydra-maester
tag: latest
@@ -425,10 +427,10 @@
secretName: node-ui-cert
certificateAuthority:
name: {{ .Values.id }}
- namespace: {{ .Values.id }}-ingress-private
+ namespace: {{ .Values.namespacePrefix }}ingress-private
- name: vaultwarden
chart: ../../charts/vaultwarden
- namespace: {{ .Values.id }}-app-vaultwarden
+ namespace: {{ .Values.namespacePrefix }}app-vaultwarden
values:
- image:
repository: vaultwarden/server
@@ -442,7 +444,7 @@
- name: matrix-storage # TODO(giolekva): merge with core-auth
chart: bitnami/postgresql
version: 10.13.5
- namespace: {{ .Values.id }}-app-matrix
+ namespace: {{ .Values.namespacePrefix }}app-matrix
values:
- fullnameOverride: postgres
- image:
@@ -457,7 +459,7 @@
#!/bin/sh
createdb -U postgres --encoding=UTF8 --locale=C --template=template0 --owner=postgres matrix
- persistence:
- size: 1Gi
+ size: {{ .Values.matrixStorageSize }}
- securityContext:
enabled: true
fsGroup: 0
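Review bot: `size: {{ .Values.matrixStorageSize }}` replaces a literal with a value that every environment must now define, and it is unquoted; an environment that omits it renders an empty or placeholder size (depending on helmfile's missing-key handling) and the PVC for the matrix database fails at apply time rather than at render time. Quoting it, `size: "{{ .Values.matrixStorageSize }}"`, keeps it a string, and `size: "{{ .Values.matrixStorageSize | default "1Gi" }}"` would preserve the previous behaviour for environments that do not set it. Since most storage classes only allow PVCs to grow, a comment `# expand-only once the release exists` next to the value would warn against lowering it later.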
@@ -469,7 +471,7 @@
runAsUser: 0
- name: matrix
chart: ../../charts/matrix
- namespace: {{ .Values.id }}-app-matrix
+ namespace: {{ .Values.namespacePrefix }}app-matrix
values:
- domain: {{ .Values.domain }}
- oauth2:
@@ -491,9 +493,9 @@
fileName: to-merge.yaml
- name: pihole
chart: ../../charts/pihole
- namespace: {{ .Values.id }}-app-pihole
+ namespace: {{ .Values.namespacePrefix }}app-pihole
values:
- - domain: {{ .Values.domain }}
+ - domain: pihole.p.{{ .Values.domain }}
- pihole:
image:
repository: "pihole/pihole"
@@ -531,11 +533,10 @@
hydraAdmin: http://hydra-admin
- hydraPublic: https://hydra.{{ .Values.domain }}/
- profileUrl: https://accounts-ui.{{ .Values.domain }}
- - certificateIssuer: {{ .Values.id }}-private
- ingressClassName: {{ .Values.id }}-ingress-private
- name: maddy
chart: ../../charts/maddy
- namespace: {{ .Values.id }}-app-maddy
+ namespace: {{ .Values.namespacePrefix }}app-maddy
values:
- ingress:
private:
@@ -558,8 +559,23 @@
values:
- pcloudEnvName: pcloud
- id: shveli
+ - namespacePrefix: shveli-
- domain: shve.li
- contactEmail: giolekva@gmail.com
- certManagerNamespace: cert-manager
- - mxHostname: mx1.lekva.me
+ - mxHostname: mail.lekva.me
- mailGatewayAddress: "tcp://maddy.pcloud-mail-gateway.svc.cluster.local:587"
+ - matrixStorageSize: 100Gi
+ lekva:
+ secrets:
+ - secrets.lekva.yaml
+ values:
+ - pcloudEnvName: pcloud
+ - id: lekva
+ - namespacePrefix: lekva-
+ - domain: lekva.me
+ - contactEmail: giolekva@gmail.com
+ - certManagerNamespace: cert-manager
+ - mxHostname: mail.lekva.me
+ - mailGatewayAddress: "tcp://maddy.pcloud-mail-gateway.svc.cluster.local:587"
+ - matrixStorageSize: 100Gi
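Review bot: The new `lekva` environment repeats every key of `shveli` with only `id`, `namespacePrefix` and `domain` differing, so `contactEmail`, `certManagerNamespace`, `mxHostname`, `mailGatewayAddress` and `matrixStorageSize` now have to be updated in two places and will drift. Consider moving the shared values into a common values file listed first in each environment's `values:` and keeping only the per-instance keys inline. The same hunk also changes `shveli`'s `mxHostname` from `mx1.lekva.me` to `mail.lekva.me`, a mail-routing change for the existing instance that the commit title does not mention; a comment on that line, `# was mx1.lekva.me; both instances now share the gateway hostname`, would make the intent visible to the next reader.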
diff --git a/helmfile/users/secrets.lekva.yaml b/helmfile/users/secrets.lekva.yaml
new file mode 100644
index 0000000..a355a12
--- /dev/null
+++ b/helmfile/users/secrets.lekva.yaml
@@ -0,0 +1,33 @@
+gandiAPIToken: ENC[AES256_GCM,data:GxZUH3fLSbPusqZqViv3cr/tBTmSgruZ,iv:+g6mmJglcieJyN2qwjHx8NkT2i1VK5xZA8uYiAIA23Y=,tag:aDLkDZ4r6ToYYHq54cZedQ==,type:str]
+piholeOAuth2ClientSecret: ENC[AES256_GCM,data:WZ6aWggy,iv:32Dg7r+SL2W35z/kDqkwKNevw+KFWR0VoisLJQ6kpUw=,tag:l/s1pHsK4M9Rh1FitXY4Jw==,type:str]
+piholeOAuth2CookieSecret: ENC[AES256_GCM,data:6ed1Px5QFkq3sc6K7cfPMYPd0KcAhLXIf2qZug5b+lM=,iv:RGn0z4Q2ygwCBF3z/8Y/vvQsSLycihi65LF//L0rbEU=,tag:ULKiC0XK7Uk8Ppv1Qs5tgw==,type:str]
+matrixOAuth2ClientSecret: ENC[AES256_GCM,data:A0cPpQ1Nt0speE36+6fDb9/5g7teW2x5+P/IThnDThA=,iv:REzjYKRJ9Kpa85dnDaeBNLODrAxBWVr7dwlyYO0J9Zw=,tag:P08EiiAO2qtVGmsIVIWt7A==,type:str]
+sops:
+ kms: []
+ gcp_kms: []
+ azure_kv: []
+ hc_vault: []
+ age: []
+ lastmodified: "2021-11-28T18:09:52Z"
+ mac: ENC[AES256_GCM,data:zOoZxh3/tJt70M7GM0mY0EMAPEGOOWm3Lk92hFk50H2XcBAX/mfZJ3jq26aULJDlktJIwxBkjLqXSQEXpJed96Wcr7SfB1u1lrtK5AyD1HrCNwtyBDX9Rbuf6SijKpjGxpXdPaQiGt1HvP9J7lA8BnuAXDBFR9RDOCgJ6T2gdU0=,iv:UIKEr0K/wDFJtOLegePubEb2SitU4w0Qv/rSNOD46X4=,tag:QBn5WAaDq+8+y0U5ucnFrg==,type:str]
+ pgp:
+ - created_at: "2021-11-28T18:09:51Z"
+ enc: |
+ -----BEGIN PGP MESSAGE-----
+
+ hQGMA8PXnOzdTLRzAQv+LzuGeNoPR+EFLfIbg0Ml05bFu//MT+0+1AEXzEEglyYU
+ /aXEXN1MPGRyy4WPN51bfnvMBD0WTDmFmyTM6R9dIaHdUeh+Cxm6zmn6U7yF/ciw
+ jhO2bCEmbPKCGyVueIPnZwF69CK2pwk7rQW29PTlnnGV4KcfKgHxIZwMufJcE4Le
+ 7elr+uhkrmoHp9bYMmzCPPi/ugSlF5+UD+nf5ZcvnqHDpNeOdrhFDCzEkZPleH4i
+ 1+HgELkgvLHooRCUVf51SyisDmyZFXFh80LSOZAKOUH3mHau9kSiWdEnfp8Vtx8v
+ 2ofUltMYJ6TeVLyeUmmgmdDloSWfQNGu0tg9La/rnxL8vFHVT/wenZQSFRs+mPsA
+ zLwf8qM5ZFrmPtenqtioJX3X2N9KsNVRz6K99Yo5FJiqvAe1mLakDj+xTJRdQ3Kt
+ E9Ozuwoz7Ri/amwmCaEXttFxbONhAmegTdjQyQGP16XmKUNA3pOenQSLeKB5Tw5y
+ 4mpCNeZefBqfR0ov9szF0l4BIvCJ+kv3Z7bG7fozyXDNmlJWUIwB5qt0v7ZPyt43
+ jyhMhARgY/ALlEdwvze5XE5hptv6/QyVSbhkbHou3e57kHGPY6BfIhOf8qxhWzuf
+ PUgEIks5sxhRZK/MZ7NY
+ =d6+Q
+ -----END PGP MESSAGE-----
+ fp: 60584680BB48B3CE3FECFFBE7D1302EE361D316A
+ unencrypted_suffix: _unencrypted
+ version: 3.7.1
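Review bot: The new sops file has a single PGP recipient (`fp: 60584680BB48B3CE3FECFFBE7D1302EE361D316A`) and empty `kms`/`gcp_kms`/`azure_kv`/`hc_vault`/`age` lists, so loss or expiry of that one key makes `gandiAPIToken` and the OAuth2 client/cookie secrets for this instance unrecoverable, and every key rotation requires re-encrypting each environment's file by hand. Adding a second recipient (a backup key held offline) and a `.sops.yaml` creation rule that pins the recipient set for the `secrets.*.yaml` files would keep the instances consistent; I cannot tell from the diff whether such a rule already exists. The `secrets:` entry in the `lekva` environment of helmfile.yaml implies these values are decrypted at render time on whatever machine runs helmfile, so it is worth recording in the repository docs which principal holds the private key and that the plaintext is never written back under a different name than `*_unencrypted`.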