remove helmfiles
diff --git a/helmfile/apps/.sops.yaml b/helmfile/apps/.sops.yaml
deleted file mode 100644
index 013cdf0..0000000
--- a/helmfile/apps/.sops.yaml
+++ /dev/null
@@ -1,2 +0,0 @@
-creation_rules:
-- pgp: 60584680BB48B3CE3FECFFBE7D1302EE361D316A
diff --git a/helmfile/apps/helmfile.yaml b/helmfile/apps/helmfile.yaml
deleted file mode 100644
index c58f99d..0000000
--- a/helmfile/apps/helmfile.yaml
+++ /dev/null
@@ -1,582 +0,0 @@
-repositories:
-- name: ingress-nginx
- url: https://kubernetes.github.io/ingress-nginx
-- name: bitnami
- url: https://charts.bitnami.com/bitnami
-
-helmDefaults:
- tillerless: true
- waitForJobs: true
- createNamespace: false
-
-releases:
-- name: namespaces
- chart: ../../charts/namespaces
- namespace: {{ .Values.id }}
- createNamespace: true
- values:
- - pcloudInstanceId: {{ .Values.id }}
- - namespacePrefix: {{ .Values.namespacePrefix }}
- - namespaces:
- - app-maddy
- - app-matrix
- - app-pihole
- - app-vaultwarden
- - core-auth
- - ingress-private
-- name: vpn-mesh-config
- chart: ../../charts/vpn-mesh-config
- namespace: {{ .Values.namespacePrefix }}ingress-private
- values:
- - domain: {{ .Values.domain }}
- - ingressClassName: {{ .Values.pcloudEnvName }}-ingress-public
- - certificateIssuer: {{ .Values.id }}-public
- - certificateAuthority:
- name: {{ .Values.id }}
- secretName: ca-{{ .Values.id }}-cert
- - lighthouse:
- internalIP: {{ .Values.lighthouseMainIP }}
- externalIP: {{ .Values.publicIP }}
- port: "{{ .Values.lighthouseMainPort }}"
-- name: ingress-private
- chart: ingress-nginx/ingress-nginx
- version: 4.0.3
- namespace: {{ .Values.namespacePrefix }}ingress-private
- values:
- - fullnameOverride: {{ .Values.id }}-nginx-private
- - controller:
- service:
- type: ClusterIP
- ingressClassByName: true
- ingressClassResource:
- name: {{ .Values.id }}-ingress-private
- enabled: true
- default: false
- controllerValue: k8s.io/{{ .Values.id }}-ingress-private
- extraArgs:
- default-ssl-certificate: "{{ .Values.id }}-ingress-private/cert-wildcard.p.{{ .Values.domain }}"
- extraVolumes:
- - name: lighthouse-cert
- secret:
- secretName: node-lighthouse-cert
- - name: config
- configMap:
- name: lighthouse-config
- extraContainers:
- - name: lighthouse
- image: giolekva/nebula:latest
- imagePullPolicy: IfNotPresent
- securityContext:
- privileged: true
- capabilities:
- add:
- - NET_ADMIN
- ports:
- - name: nebula
- containerPort: {{ .Values.lighthouseMainPort }}
- protocol: UDP
- command:
- - nebula
- - --config=/etc/nebula/config/lighthouse.yaml
- volumeMounts:
- - name: lighthouse-cert
- mountPath: /etc/nebula/lighthouse
- - name: config
- mountPath: /etc/nebula/config
- config:
- bind-address: {{ .Values.lighthouseMainIP }}
- proxy-body-size: 0
- - udp:
- 53: "{{ .Values.namespacePrefix }}app-pihole/pihole-dns-udp:53"
- - tcp:
- 53: "{{ .Values.namespacePrefix }}app-pihole/pihole-dns-tcp:53"
- 143: "{{ .Values.namespacePrefix }}app-maddy/maddy:143"
- 465: "{{ .Values.namespacePrefix }}app-maddy/maddy:465"
- 587: "{{ .Values.namespacePrefix }}app-maddy/maddy:587"
- 993: "{{ .Values.namespacePrefix }}app-maddy/maddy:993"
-- name: certificate-issuer
- chart: ../../charts/certificate-issuer
- namespace: {{ .Values.namespacePrefix }}ingress-private
- values:
- - pcloudInstanceId: {{ .Values.id }}
- - certManager:
- namespace: {{ .Values.pcloudEnvName }}-cert-manager
- gandiWebhookSecretReader: {{ .Values.pcloudEnvName }}-cert-manager-webhook-gandi
- - public:
- name: {{ .Values.id }}-public
- server: https://acme-v02.api.letsencrypt.org/directory
- domain: {{ .Values.domain }}
- stagingServer: https://acme-staging-v02.api.letsencrypt.org/directory
- contactEmail: {{ .Values.contactEmail }}
- ingressClass: {{ .Values.pcloudEnvName }}-ingress-public
- - private:
- name: {{ .Values.id }}-private
- server: https://acme-v02.api.letsencrypt.org/directory
- domain: p.{{ .Values.domain }}
- contactEmail: {{ .Values.contactEmail }}
- ingressClassName: {{ .Values.id }}-ingress-private
- gandiAPIToken: {{ .Values.gandiAPIToken }}
-- name: core-auth-storage # TODO(giolekva): merge with core-auth
- chart: bitnami/postgresql
- version: 10.13.5
- namespace: {{ .Values.namespacePrefix }}core-auth
- values:
- - fullnameOverride: postgres
- - image:
- repository: arm64v8/postgres
- tag: 13.4
- - service:
- type: ClusterIP
- port: 5432
- - postgresqlPassword: psswd
- - postgresqlDatabase: kratos
- - persistence:
- size: 1Gi
- - securityContext:
- enabled: true
- fsGroup: 0
- - containerSecurityContext:
- enabled: true
- runAsUser: 0
- - volumePermissions:
- securityContext:
- runAsUser: 0
-- name: core-auth
- chart: ../../charts/auth
- namespace: {{ .Values.namespacePrefix }}core-auth
- values:
- - kratos:
- fullnameOverride: kratos
- image:
- repository: giolekva/ory-kratos
- tag: latest
- pullPolicy: Always
- service:
- admin:
- enabled: true
- type: ClusterIP
- port: 80
- name: http
- public:
- enabled: true
- type: ClusterIP
- port: 80
- name: http
- ingress:
- admin:
- enabled: true
- className: {{ .Values.id }}-ingress-private
- hosts:
- - host: kratos.p.{{ .Values.domain }}
- paths:
- - path: /
- pathType: Prefix
- tls:
- - hosts:
- - kratos.p.{{ .Values.domain }}
- public:
- enabled: true
- className: {{ .Values.pcloudEnvName }}-ingress-public
- hosts:
- - host: accounts.{{ .Values.domain }}
- paths:
- - path: /
- pathType: Prefix
- tls:
- - hosts:
- - accounts.{{ .Values.domain }}
- secretName: cert-accounts.{{ .Values.domain }}
- secret:
- enabled: true
- kratos:
- autoMigrate: true
- development: false
- config:
- version: v0.7.1-alpha.1
- dsn: postgres://postgres:psswd@postgres:5432/kratos?sslmode=disable&max_conns=20&max_idle_conns=4
- serve:
- public:
- base_url: https://accounts.{{ .Values.domain }}
- cors:
- enabled: true
- debug: false
- allow_credentials: true
- allowed_origins:
- - https://{{ .Values.domain }}
- - https://*.{{ .Values.domain }}
- admin:
- base_url: https://kratos.p.{{ .Values.domain }}/
- selfservice:
- default_browser_return_url: https://accounts-ui.{{ .Values.domain }}
- whitelisted_return_urls:
- - https://accounts-ui.{{ .Values.domain }}
- methods:
- password:
- enabled: true
- flows:
- error:
- ui_url: https://accounts-ui.{{ .Values.domain }}/error
- settings:
- ui_url: https://accounts-ui.{{ .Values.domain }}/settings
- privileged_session_max_age: 15m
- recovery:
- enabled: false
- verification:
- enabled: false
- logout:
- after:
- default_browser_return_url: https://accounts-ui.{{ .Values.domain }}/login
- login:
- ui_url: https://accounts-ui.{{ .Values.domain }}/login
- lifespan: 10m
- after:
- password:
- default_browser_return_url: https://accounts-ui.{{ .Values.domain }}/
- registration:
- lifespan: 10m
- ui_url: https://accounts-ui.{{ .Values.domain }}/registration
- after:
- password:
- hooks:
- -
- hook: session
- default_browser_return_url: https://accounts-ui.{{ .Values.domain }}/
- log:
- level: debug
- format: text
- leak_sensitive_values: true
- cookies:
- path: /
- same_site: None
- domain: {{ .Values.domain }}
- secrets:
- cookie:
- - PLEASE-CHANGE-ME-I-AM-VERY-INSECURE
- # cipher:
- # - 32-LONG-SECRET-NOT-SECURE-AT-ALL
- # ciphers:
- # algorithm: xchacha20-poly1305
- hashers:
- argon2:
- parallelism: 1
- memory: 128MB
- iterations: 2
- salt_length: 16
- key_length: 16
- identity:
- default_schema_url: file:///etc/config/identity.schema.json
- courier:
- smtp:
- connection_uri: smtps://test-z1VmkYfYPjgdPRgPFgmeZ31esT9rUgS%40{{ .Values.domain }}:iW%213Kk%5EPPLFrZa%24%21bbpTPN9Wv3b8mvwS6ZJvMLtce%23A2%2A4MotD@mx1.{{ .Values.domain }}
- identitySchemas:
- "identity.schema.json": |
- {
- "$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json",
- "$schema": "http://json-schema.org/draft-07/schema#",
- "title": "User",
- "type": "object",
- "properties": {
- "traits": {
- "type": "object",
- "properties": {
- "username": {
- "type": "string",
- "format": "username",
- "title": "Username",
- "minLength": 3,
- "ory.sh/kratos": {
- "credentials": {
- "password": {
- "identifier": true
- }
- }
- }
- }
- },
- "additionalProperties": false
- }
- }
- }
- - hydra:
- fullnameOverride: hydra
- image:
- repository: giolekva/ory-hydra
- tag: latest
- pullPolicy: Always
- service:
- admin:
- enabled: true
- type: ClusterIP
- port: 80
- name: http
- public:
- enabled: true
- type: ClusterIP
- port: 80
- name: http
- ingress:
- admin:
- enabled: true
- className: {{ .Values.id }}-ingress-private
- hosts:
- - host: hydra.p.{{ .Values.domain }}
- paths:
- - path: /
- pathType: Prefix
- tls:
- - hosts:
- - hydra.p.{{ .Values.domain }}
- public:
- enabled: true
- className: {{ .Values.pcloudEnvName }}-ingress-public
- hosts:
- - host: hydra.{{ .Values.domain }}
- paths:
- - path: /
- pathType: Prefix
- tls:
- - hosts:
- - hydra.{{ .Values.domain }}
- secretName: cert-hydra.{{ .Values.domain }}
- secret:
- enabled: true
- maester:
- enabled: false
- hydraFullnameOverride: hydra
- hydra-maester:
- fullnameOverride: {{ .Values.id }}-hydra-maester
- image:
- repository: giolekva/ory-hydra-maester
- tag: latest
- pullPolicy: IfNotPresent
- adminService:
- name: hydra
- port: 80
- hydra:
- autoMigrate: true
- config:
- version: v1.10.6
- dsn: postgres://postgres:psswd@postgres:5432/kratos?sslmode=disable&max_conns=20&max_idle_conns=4
- serve:
- cookies:
- same_site_mode: None
- public:
- cors:
- enabled: true
- debug: false
- allow_credentials: true
- allowed_origins:
- - https://{{ .Values.domain }}
- - https://*.{{ .Values.domain }}
- admin:
- # host: localhost
- cors:
- allowed_origins:
- - https://hydra.p.{{ .Values.domain }}
- tls:
- allow_termination_from:
- - 0.0.0.0/0
- - 10.42.0.0/16
- - 10.43.0.0/16
- - {{ .Values.lighthouseMainIP }}/32
- tls:
- allow_termination_from:
- - 0.0.0.0/0
- - 10.42.0.0/16
- - 10.43.0.0/16
- - {{ .Values.lighthouseMainIP }}/32
- urls:
- self:
- public: https://hydra.{{ .Values.domain }}
- issuer: https://hydra.{{ .Values.domain }}
- consent: https://accounts-ui.{{ .Values.domain }}/consent
- login: https://accounts-ui.{{ .Values.domain }}/login
- logout: https://accounts-ui.{{ .Values.domain }}/logout
- secrets:
- system:
- - youReallyNeedToChangeThis
- oidc:
- subject_identifiers:
- supported_types:
- - pairwise
- - public
- pairwise:
- salt: youReallyNeedToChangeThis
- log:
- level: trace
- leak_sensitive_values: false
- - ui:
- certificateIssuer: {{ .Values.id }}-public
- ingressClassName: {{ .Values.pcloudEnvName }}-ingress-public
- domain: {{ .Values.domain }}
- internalDomain: p.{{ .Values.domain }}
- nebula:
- lighthouse:
- name: ui-lighthouse
- internalIP: {{ .Values.lighthouseMainIP }}
- externalIP: {{ .Values.publicIP }}
- port: "{{ .Values.lighthouseMainPort }}"
- node:
- name: ui
- ipCidr: {{ .Values.lighthouseAuthUIIP }}/24
- secretName: node-ui-cert
- certificateAuthority:
- name: {{ .Values.id }}
- namespace: {{ .Values.namespacePrefix }}ingress-private
-- name: vaultwarden
- chart: ../../charts/vaultwarden
- namespace: {{ .Values.namespacePrefix }}app-vaultwarden
- values:
- - image:
- repository: vaultwarden/server
- tag: 1.22.2
- pullPolicy: IfNotPresent
- - storage:
- size: 1Gi
- - domain: bitwarden.p.{{ .Values.domain }}
- - certificateIssuer: {{ .Values.id }}-private
- - ingressClassName: {{ .Values.id }}-ingress-private
-- name: matrix-storage # TODO(giolekva): merge with core-auth
- chart: bitnami/postgresql
- version: 10.13.5
- namespace: {{ .Values.namespacePrefix }}app-matrix
- values:
- - fullnameOverride: postgres
- - image:
- repository: arm64v8/postgres
- tag: 13.4
- - service:
- type: ClusterIP
- port: 5432
- - postgresqlPassword: psswd
- - initdbScripts:
- createdb.sh: |
- #!/bin/sh
- createdb -U postgres --encoding=UTF8 --locale=C --template=template0 --owner=postgres matrix
- - persistence:
- size: {{ .Values.matrixStorageSize }}
- - securityContext:
- enabled: true
- fsGroup: 0
- - containerSecurityContext:
- enabled: true
- runAsUser: 0
- - volumePermissions:
- securityContext:
- runAsUser: 0
-- name: matrix
- chart: ../../charts/matrix
- namespace: {{ .Values.namespacePrefix }}app-matrix
- values:
- - domain: {{ .Values.domain }}
- - oauth2:
- hydraAdmin: http://hydra-admin.{{ .Values.namespacePrefix}}core-auth.svc.cluster.local
- hydraPublic: https://hydra.{{ .Values.domain }}
- clientId: matrix
- clientSecret: {{ .Values.matrixOAuth2ClientSecret }}
- secretName: oauth2-client
- - postgresql:
- host: postgres
- port: 5432
- database: matrix
- user: postgres
- password: psswd
- - certificateIssuer: {{ .Values.id }}-public
- - ingressClassName: {{ .Values.pcloudEnvName }}-ingress-public
- - configMerge:
- configName: config-to-merge
- fileName: to-merge.yaml
-- name: pihole
- chart: ../../charts/pihole
- namespace: {{ .Values.namespacePrefix }}app-pihole
- values:
- - domain: pihole.p.{{ .Values.domain }}
- - pihole:
- image:
- repository: "pihole/pihole"
- tag: v5.8.1
- persistentVolumeClaim:
- enabled: true
- size: 5Gi
- adminPassword: admin
- ingress:
- enabled: false
- serviceDhcp:
- enabled: false
- serviceDns:
- type: ClusterIP
- serviceWeb:
- type: ClusterIP
- http:
- enabled: true
- https:
- enabled: false
- virtualHost: pihole.p.{{ .Values.domain }}
- resources:
- requests:
- cpu: "250m"
- memory: "100M"
- limits:
- cpu: "500m"
- memory: "250M"
- - oauth2:
- clientId: pihole
- clientSecret: {{ .Values.piholeOAuth2ClientSecret }}
- cookieSecret: {{ .Values.piholeOAuth2CookieSecret }}
- secretName: oauth2-secret
- configName: oauth2-proxy
- hydraAdmin: http://hydra-admin.{{ .Values.namespacePrefix}}core-auth.svc.cluster.local
- - hydraPublic: https://hydra.{{ .Values.domain }}/
- - profileUrl: https://accounts-ui.{{ .Values.domain }}
- - ingressClassName: {{ .Values.id }}-ingress-private
-- name: maddy
- chart: ../../charts/maddy
- namespace: {{ .Values.namespacePrefix }}app-maddy
- values:
- - ingress:
- private:
- className: {{ .Values.id }}-ingress-private
- domain: p.{{ .Values.domain }}
- public:
- className: {{ .Values.pcloudEnvName }}-ingress-public
- domain: {{ .Values.domain }}
- certificateIssuer: {{ .Values.id }}-public
- - storage:
- size: 100Gi
- - mailGateway:
- mxHostname: {{ .Values.mxHostname}}
- address: {{ .Values.mailGatewayAddress }}
-
-environments:
- shveli:
- secrets:
- - secrets.shveli.yaml
- values:
- - pcloudEnvName: pcloud
- - id: shveli
- - namespacePrefix: shveli-
- - domain: shve.li
- - contactEmail: giolekva@gmail.com
- - mxHostname: mail.lekva.me
- - mailGatewayAddress: "tcp://maddy.pcloud-mail-gateway.svc.cluster.local:587"
- - matrixStorageSize: 10Gi
- - publicIP: 46.49.35.44
- - lighthouseMainIP: 110.0.0.1
- - lighthouseMainPort: 4242
- - lighthouseAuthUIIP: 110.0.0.2
- lekva:
- secrets:
- - secrets.lekva.yaml
- values:
- - pcloudEnvName: pcloud
- - id: lekva
- - namespacePrefix: lekva-
- - domain: lekva.me
- - contactEmail: giolekva@gmail.com
- - mxHostname: mail.lekva.me
- - mailGatewayAddress: "tcp://maddy.pcloud-mail-gateway.svc.cluster.local:587"
- - matrixStorageSize: 100Gi
- - publicIP: 46.49.35.44
- - lighthouseMainIP: 111.0.0.1
- - lighthouseMainPort: 4243
- - lighthouseAuthUIIP: 111.0.0.2
diff --git a/helmfile/apps/secrets.lekva.yaml b/helmfile/apps/secrets.lekva.yaml
deleted file mode 100644
index 1a45ed7..0000000
--- a/helmfile/apps/secrets.lekva.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-gandiAPIToken: ENC[AES256_GCM,data:NVxAAyqsg7Vx7Qa1m6koG3wGpsq8ZJre,iv:8vuB+JPMXunl4wIHeoOmZmNwmO6obE09PebTgsUkt1Y=,tag:hQBZUG9RNanzgZ/TxpSRcw==,type:str]
-piholeOAuth2ClientSecret: ENC[AES256_GCM,data:2+h+dpkU9fAdNpuABDhrMtkg3LlPLOV0atXJJ9o+H8Y=,iv:QJLMdfanldaUaiMlPlsaYUa0ga6SaM7kthGyaNykVr0=,tag:vAcE59KOah8KMwWAf3N5Hg==,type:str]
-piholeOAuth2CookieSecret: ENC[AES256_GCM,data:1J7eXqv1Q6CJVtYe+Oczt8GmL1Caa+1jlI2vMwlxZTA=,iv:+2l/JPag19vA7JrKtS+EYAB/eJbvp1ojdTCUnBBIGA8=,tag:WOG2IAIkGxTZrvF6pWQjgg==,type:str]
-matrixOAuth2ClientSecret: ENC[AES256_GCM,data:8DmEC4Td9G/XSLMrdW+Nv08g3khlF9y8ELmr8eFlAaM=,iv:hsy/GolATeoDz1+vJcEvpj6DVf5NlHXh45LkRWpT7uY=,tag:k2lgOZuN387MlCBt1VCtRw==,type:str]
-sops:
- kms: []
- gcp_kms: []
- azure_kv: []
- hc_vault: []
- age: []
- lastmodified: "2021-12-01T13:03:06Z"
- mac: ENC[AES256_GCM,data:xbuh5GNYIAFbJi004V+lVMLoI1ns86xj/J+YUag1CvViOCiSr3/Xp20BHWcXZIBgiGSNcyvDaLVNe+5YB5wbCkYfqkqQ2E4piEJ2VN9QW6oVE0vckZN55XQgmCPtjy3es78+D9wravzuZX4X2KOSrtMfYlzb31HCbonQhwFzoG8=,iv:C3U5WFhts/ZIuecSmHljYDafhvLhFz9Mj9kVWVhOiDA=,tag:7/48p9GmOAs6E0ALiOdXyw==,type:str]
- pgp:
- - created_at: "2021-12-01T13:03:04Z"
- enc: |
- -----BEGIN PGP MESSAGE-----
-
- hQGMA8PXnOzdTLRzAQv+JI6iR7zvOKC6D4ygIqOzZ6Uc6MF2HM9fk7fATnGVMK9D
- 6bgn2uv+O5HyLx3OsSmbWa77wRaAMsSJvxFwnbae8NXbAcYmvLTPezMzHqUoRsLW
- 3c/KIeFE8VsV6gwyJeQPt5WyYgZJdlS7nbZn5wUYljkcUJzz3OrvBkj4cUdejnk7
- 6rFkJnx0iDW1ADC62TVbkT3x/72zAZHxVe0a8q0L/fI7KYkbqZSJNx+RuRomK0Gt
- usIAymUXEIP3lClO5cawTBYQ9rAf2fXrGswlo3cplsXJiiQeQ82OL+wyfL1dorbm
- wXpDUjoKDsLeAmGiMjJbKJcdYkgX/dfUhqSfLQxd7nq2OHdpV+vnrxYGNJ9cTmWG
- DbsU6JQqpJ5KBwZ2GyxB6KRh5yW9jAZXDloK0ueKK41OHioZBEG4pVbDqSfsTu2P
- YQn8VyFOzQLq5XP5LjLPNcTypUrXZFvQM/mpZEgUjBMGjoHwCWzHgQzXs9j/ya1+
- 80/5l93jemawAzy9iLcx0l4B5yttNpP98X/MY4rb2cQ0n77Pd7tZcO1TL9dDXs6h
- F+kZemBr1964028XS8dQpz4wEiMjFZOg2GyLRMrQBvp1fL9Cc5KWZD6Mq0froTMj
- kPUxFjH1emsz7FncsikT
- =FzDH
- -----END PGP MESSAGE-----
- fp: 60584680BB48B3CE3FECFFBE7D1302EE361D316A
- unencrypted_suffix: _unencrypted
- version: 3.7.1
diff --git a/helmfile/apps/secrets.shveli.yaml b/helmfile/apps/secrets.shveli.yaml
deleted file mode 100644
index 4d59681..0000000
--- a/helmfile/apps/secrets.shveli.yaml
+++ /dev/null
@@ -1,33 +0,0 @@
-gandiAPIToken: ENC[AES256_GCM,data:B/PI0O7YT/4vcXMcFykGQ739MkNykLiZ,iv:8pHsH8Yn6SAvboL7/sCOncQIHhmm4YMbHuk3YmkywJw=,tag:7t3LZi/pyN6fR+54TqODzA==,type:str]
-piholeOAuth2ClientSecret: ENC[AES256_GCM,data:jtuOAg9D,iv:0WFBhyuqNn93NE4UYQIqEP5ZOS6QxInQ0HCNdl5Hm3Q=,tag:Hzsc76J2daxIOig7rPsTeA==,type:str]
-piholeOAuth2CookieSecret: ENC[AES256_GCM,data:w0j0OwW1mWT27D0ld1gJjG/pSzCffP//JZxAuh7npDs=,iv:57jgBLf0yBa7a90VClN6COGuBPeGtSvvAvHwsmMhYic=,tag:XEqPFxVfGyHBAcBzRYRCXA==,type:str]
-matrixOAuth2ClientSecret: ENC[AES256_GCM,data:bcQXbrBrh5QpuQwhdCz5BWwm2DiikYE6PvG4vvBPOnM=,iv:BzVnTVHXN7HUljCKPraEpGbypnBkxzdlV4+YjHfK36g=,tag:9ufb9+iTvMFX9IGK2rd0MA==,type:str]
-sops:
- kms: []
- gcp_kms: []
- azure_kv: []
- hc_vault: []
- age: []
- lastmodified: "2021-11-19T09:57:17Z"
- mac: ENC[AES256_GCM,data:j46IHUNor4czBPeOPjq/uHlDIL/0HP34tlHgd8N9+u3dSBDXWlznaGEIo3ohWA3wkbCXqnprPJLe1iw8g8AEih679ZYtsgyJEPnLCsuPJcUwd6+CjP4AlWh5CbyjAFGkUaaIkzuEM0tt6mOTUjj4XOBW5uKH91agMoEY2TMCdzM=,iv:LO2JWUkNgUOA8oKJPzBLYJirKUAtCRTCIxAODyrVHk8=,tag:25Qt1z9qTR2QUhfDOf3vmw==,type:str]
- pgp:
- - created_at: "2021-11-19T09:57:16Z"
- enc: |
- -----BEGIN PGP MESSAGE-----
-
- hQGMA8PXnOzdTLRzAQwAluozyjocyyzlf3n4utcQrQLnD9w9Ki0XyXnCW/+K420X
- WUQTIFq+Yeh6SOECnzbakNNCrFrsIqbI3c/unKgs7veQ7SbGLOyW4f1xr2jKaX9Q
- ecU49He87NkjOuhx6EJEVKoZmDVsWtuLTR9CKDOHsSNPOQ1cSIZafXj14Y7oZrd4
- HR4ZKgOYLHUatfeesWCvjUAjZsrsZebNSHh6SGyi2b8JTSX+NVAvx/Uj6gn8rp4Y
- zvoE7ShaYxtn14X90OZx8Jy8howHHlYzq5O48a/eFLUPICtGqkYu6lEEiwgZNX5u
- 8W1aIa+TysFVQpv9rTytCI2nsDCH1pvmxQEhxqTWADTylvIMOClQvrlQQWS+z+DD
- P8NxC+LLyxo0MLLmeNlWNJpvC7zCOomDe0i7tqe4VHORBYCX4NkgkTCiiQplq1N0
- +vXL5Q25iDs2amj11p9YPX0p8Sc4APAuzt2pVxZhLDyoDiWBaNdYEyw1yVvgJyvQ
- H15mMpGJU9EM9LTjn93G0l4B89AS7PgNUwzax4fCE4RHWL/7ymgJd41Hsub22v8y
- 4f8GxkORbGzPwvXXi6xQWlEVLhyl5+iqyxIPxKS9U+Knxmfry/F1YXZQpgmD9cSv
- arDy6uZIOQ/vT0qoylg3
- =pnPW
- -----END PGP MESSAGE-----
- fp: 60584680BB48B3CE3FECFFBE7D1302EE361D316A
- unencrypted_suffix: _unencrypted
- version: 3.7.1
diff --git a/helmfile/infra/helmfile.yaml b/helmfile/infra/helmfile.yaml
deleted file mode 100644
index e3548b2..0000000
--- a/helmfile/infra/helmfile.yaml
+++ /dev/null
@@ -1,225 +0,0 @@
-repositories:
-- name: appscode
- url: https://charts.appscode.com/stable/
-- name: ingress-nginx
- url: https://kubernetes.github.io/ingress-nginx
-- name: jetstack
- url: https://charts.jetstack.io
-- name: bwolf
- url: https://bwolf.github.io/cert-manager-webhook-gandi
-- name: metallb
- url: https://metallb.github.io/metallb
-- name: longhorn
- url: https://charts.longhorn.io
-- name: ory
- url: https://k8s.ory.sh/helm/charts
-- name: csi-driver-smb
- url: https://raw.githubusercontent.com/kubernetes-csi/csi-driver-smb/master/charts
-
-helmDefaults:
- tillerless: true
- waitForJobs: false
- createNamespace: true
-
-releases:
-- name: metallb
- chart: metallb/metallb
- version: 0.12.1
- namespace: {{ .Values.name }}-networking-metallb
- values:
- - fullnameOverride: {{ .Values.name }}-metallb
- - configInline:
- address-pools:
- - name: default
- protocol: layer2
- addresses:
- - {{ .Values.loadBalancerIPRange }}
- - controller:
- image:
- repository: quay.io/metallb/controller
- tag: v0.12.1
- pullPolicy: IfNotPresent
- - speaker:
- image:
- repository: quay.io/metallb/speaker
- tag: v0.12.1
- pullPolicy: IfNotPresent
-- name: ingress-public
- chart: ingress-nginx/ingress-nginx
- version: 4.0.3
- namespace: {{ .Values.name }}-ingress-public
- values:
- - fullnameOverride: {{ .Values.name }}-ingress-public
- - controller:
- service:
- type: LoadBalancer
- ingressClassByName: true
- ingressClassResource:
- name: {{ .Values.name }}-ingress-public
- enabled: true
- default: false
- controllerValue: k8s.io/{{ .Values.name }}-ingress-public
- config:
- proxy-body-size: 100M
- - udp:
- 6881: "lekva-app-torrent:torrent:6881" # TODO(giolekva): namespace
- - tcp:
- 25: {{ .Values.name }}-mail-gateway/maddy:25
- 6881: "lekva-app-torrent:torrent:6881" # TODO(giolekva): namespace
-- name: kubed
- chart: appscode/kubed
- version: v0.12.0
- namespace: {{ .Values.name }}-kubed
- values:
- - enableAnalytics: false
- - fullnameOverride: {{ .Values.name }}-kubed
- - operator:
- registry: appscode
- repository: kubed
- tag: v0.12.0
- - criticalAddon: true
- - config:
- clusterName: {{ .Values.name }}
-- name: cert-manager
- chart: jetstack/cert-manager
- version: v1.6
- namespace: {{ .Values.name }}-cert-manager
- values:
- - installCRDs: true
- - fullnameOverride: {{ .Values.name}}-cert-manager
- - image:
- tag: v1.6.1
- pullPolicy: IfNotPresent
- - resources:
- requests:
- cpu: "100m"
- memory: "50M"
- limits:
- cpu: "250m"
- memory: "150M"
- - tolerations:
- - key: "pcloud"
- operator: "Equal"
- value: "role"
- effect: "NoSchedule"
- - cainjector:
- resources:
- requests:
- cpu: "100m"
- memory: "50M"
- limits:
- cpu: "250m"
- memory: "150M"
- tolerations:
- - key: "pcloud"
- operator: "Equal"
- value: "role"
- effect: "NoSchedule"
- - webhook:
- resources:
- requests:
- cpu: "100m"
- memory: "50M"
- limits:
- cpu: "250m"
- memory: "150M"
- tolerations:
- - key: "pcloud"
- operator: "Equal"
- value: "role"
- effect: "NoSchedule"
-- name: cert-manager-gandi
- chart: bwolf/cert-manager-webhook-gandi
- version: v0.2.0
- namespace: {{ .Values.name }}-cert-manager
- values:
- - certManager:
- namespace: {{ .Values.name }}-cert-manager
- serviceAccountName: {{ .Values.name }}-cert-manager
- - fullnameOverride: {{ .Values.name }}-cert-manager-webhook-gandi
- - image:
- repository: giolekva/cert-manager-webhook-gandi
- tag: v0.2.0
- pullPolicy: IfNotPresent
- - logLevel: 2
- - resources:
- requests:
- cpu: "100m"
- memory: "50M"
- limits:
- cpu: "250m"
- memory: "150M"
- - tolerations:
- - key: "pcloud"
- operator: "Equal"
- value: "role"
- effect: "NoSchedule"
-- name: longhorn
- chart: longhorn/longhorn
- version: v1.2.4
- # TODO(giolekva): pcloud-storage-longhorn ? https://github.com/longhorn/longhorn/issues/2034
- namespace: longhorn-system
- values:
- - defaultSettings:
- defaultDataPath: {{ .Values.storageDir }}
- - persistence:
- defaultClassReplicaCount: 2
- - service:
- ui:
- type: LoadBalancer
- - ingress:
- # TODO(giolekva): maybe run separate Nebula network for pcloud infrastructure services?
- enabled: false
-- name: mail-gateway
- chart: ../../charts/mail-gateway
- namespace: {{ .Values.name }}-mail-gateway
- values:
- - domains:
- primary:
- name: lekva.me
- namespace: lekva-app-maddy
- mx: mail.lekva.me
- certificateIssuer: lekva-public
- others:
- - name: shve.li
- namespace: shveli-app-maddy
- - persistence:
- size: 100Gi
-- name: oauth2-manager
- chart: ory/hydra-maester
- version: v0.20.1
- namespace: {{ .Values.name }}-oauth2-manager
- values:
- - fullnameOverride: {{ .Values.name }}-hydra-maester
- - image:
- repository: giolekva/ory-hydra-maester
- tag: latest
- pullPolicy: IfNotPresent
- - adminService:
- name: hydra # IGNORED
- port: 80
-- name: nebula-controller
- chart: ../../charts/nebula
- namespace: {{ .Values.name }}-nebula-controller
- values:
- - controller:
- image:
- repository: giolekva/nebula-controller
- tag: latest
- pullPolicy: Always
- - manage:
- image:
- repository: giolekva/nebula-web
- tag: latest
- pullPolicy: Always
-- name: csi-driver-smb
- chart: csi-driver-smb/csi-driver-smb
- version: v1.5.0
- namespace: pcloud-csi-driver-smb
-
-environments:
- prod:
- values:
- - name: pcloud
- - loadBalancerIPRange: 192.168.0.200-192.168.0.250
- - storageDir: /pcloud-storage/longhorn