repositories:
# Chart sources, fetched over HTTPS. Chart versions are pinned per release
# (ingress-nginx 4.0.3, bitnami/postgresql 10.13.5); local charts come from ../../charts.
- name: ingress-nginx
  url: https://kubernetes.github.io/ingress-nginx
- name: bitnami
  url: https://charts.bitnami.com/bitnami

helmDefaults:
  # Helm 2 leftover: tillerless only has meaning for the Helm 2 tiller plugin, Helm 3 ignores it.
  tillerless: true
  # helmfile will not pass --wait-for-jobs, so syncs do not block on chart Jobs (e.g. migrations).
  waitForJobs: false

releases:
- name: vpn-mesh-config
  chart: ../../charts/vpn-mesh-config
  namespace: "{{ .Values.id }}-ingress-private"
  createNamespace: true
  values:
    - certificateAuthority:
        # Nebula CA for the private mesh. Presumably the CA key ends up in this Secret,
        # so read access to Secrets in this namespace equals the ability to mint mesh nodes.
        name: "{{ .Values.id }}"
        secretName: "ca-{{ .Values.id }}-cert"
    - lighthouse:
        # NOTE(review): 111.0.0.0/8 is globally routed unicast space, not an RFC 1918 /
        # RFC 6598 range. Overlay routes for it shadow real Internet hosts. The same
        # value is repeated in ingress-private, the core-auth ui node and Hydra's
        # allow_termination_from, so it has to be changed everywhere in one go
        # (e.g. to 10.x or 100.64.0.0/10).
        internalIP: 111.0.0.1
        # Site-specific public endpoint; belongs in the environments values rather than here.
        externalIP: 46.49.35.44
        port: "4243"
- name: ingress-private
  chart: ingress-nginx/ingress-nginx
  version: 4.0.3
  namespace: "{{ .Values.id }}-ingress-private"
  createNamespace: true
  values:
    - fullnameOverride: nginx
    - controller:
        # No LoadBalancer/NodePort: this controller is meant to be reachable only over
        # the Nebula mesh (see config.bind-address below).
        service:
          type: ClusterIP
        ingressClassByName: true
        ingressClassResource:
          name: "{{ .Values.id }}-ingress-private"
          enabled: true
          default: false
          controllerValue: "k8s.io/{{ .Values.id }}-ingress-private"
        extraVolumes:
          - name: lighthouse-cert
            secret:
              secretName: node-lighthouse-cert
          - name: config
            configMap:
              name: lighthouse-config
        # The Nebula lighthouse is a sidecar in the ingress-controller pod, which is what
        # lets nginx bind to the mesh address.
        extraContainers:
          - name: lighthouse
            # NOTE(review): floating tag with IfNotPresent means each node runs whatever
            # build it happens to have cached, and there is no record of which. Pin a
            # digest or an immutable tag.
            image: giolekva/nebula:latest
            imagePullPolicy: IfNotPresent
            securityContext:
              # NOTE(review): privileged grants the container full host access (every
              # capability, every device), and it shares a pod - and the network
              # namespace - with the nginx container that parses client traffic.
              # Presumably needed for /dev/net/tun; while privileged is true the
              # NET_ADMIN entry below is redundant. If the tun device can be provided
              # another way, drop privileged and keep only NET_ADMIN.
              privileged: true
              capabilities:
                add:
                  - NET_ADMIN
            ports:
              - name: nebula
                containerPort: 4243
                protocol: UDP
            command:
              - nebula
              - --config=/etc/nebula/config/lighthouse.yaml
            volumeMounts:
              - name: lighthouse-cert
                mountPath: /etc/nebula/lighthouse
              - name: config
                mountPath: /etc/nebula/config
        config:
          # Presumably restricts nginx to the mesh address only; note 111.0.0.0/8 is
          # public address space, not a private range.
          bind-address: 111.0.0.1
          # NOTE(review): 0 removes nginx's request-body limit for every host on this
          # controller. Prefer a per-Ingress annotation on the one host that needs large
          # uploads, and keep a finite default here.
          proxy-body-size: 0
          # Pi-hole DNS published on the mesh address; reachability is bounded by the mesh.
          # NOTE(review): the ingress-nginx chart takes TCP/UDP service maps at the
          # top-level `tcp:`/`udp:` values, not under controller.config - confirm this
          # renders into the tcp/udp ConfigMaps as intended.
          udp:
            - 53: "{{ .Values.id }}-app-pihole/pihole-dns-udp:53"
          tcp:
            - 53: "{{ .Values.id }}-app-pihole/pihole-dns-tcp:53"
- name: certificate-issuer
  chart: ../../charts/certificate-issuer
  # The issuers are referenced as cluster-issuers by the ingresses below; the chart is
  # installed into cert-manager's own namespace.
  namespace: "{{ .Values.certManagerNamespace }}"
  createNamespace: true
  values:
    - public:
        # Let's Encrypt ACME issuer for the public domain; HTTP-01 solving goes through
        # the public "nginx" ingress class.
        name: "{{ .Values.id }}-public"
        server: https://acme-v02.api.letsencrypt.org/directory
        stagingServer: https://acme-staging-v02.api.letsencrypt.org/directory
        contactEmail: "{{ .Values.contactEmail }}"
        ingressClass: nginx
    - private:
        # Issuer for the mesh-only "<id>" domain, served via the private ingress class.
        name: "{{ .Values.id }}-private"
        domain: "{{ .Values.id }}"
        ingressClassName: "{{ .Values.id }}-ingress-private"
- name: core-auth-storage # TODO(giolekva): merge with core-auth
  chart: bitnami/postgresql
  version: 10.13.5
  namespace: "{{ .Values.id }}-core-auth"
  createNamespace: true
  values:
    - fullnameOverride: postgres
    - image:
        # Official arm64 image in place of the Bitnami one; see the root overrides below.
        repository: arm64v8/postgres
        tag: "13.4"  # quoted on purpose: a bare 13.4 is a YAML float
    - service:
        type: ClusterIP
        port: 5432
    # NOTE(review): trivially guessable superuser password, committed to VCS, and the
    # same literal is repeated verbatim in the Kratos and Hydra DSNs. Rotate it and
    # supply it out of band (helmfile secrets / sops, or the chart's existingSecret).
    - postgresqlPassword: psswd
    - postgresqlDatabase: kratos
    - persistence:
        size: 1Gi
    # NOTE(review): everything below runs the database container as uid 0. Presumably
    # required because the official image's entrypoint starts as root and drops
    # privileges itself - confirm, since it also means root on the PVC.
    - securityContext:
        enabled: true
        fsGroup: 0
    - containerSecurityContext:
        enabled: true
        runAsUser: 0
    - volumePermissions:
        securityContext:
          runAsUser: 0
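- name: core-auth
  chart: ../../charts/auth
  namespace: "{{ .Values.id }}-core-auth"
  createNamespace: true
  values:
    - kratos:
        fullnameOverride: kratos
        image:
          # NOTE(review): floating tag pulled on every restart - each rollout may run a
          # different build with no record of which. Pin a digest or a release tag.
          repository: giolekva/ory-kratos
          tag: latest
          pullPolicy: Always
        service:
          admin:
            enabled: true
            type: ClusterIP
            port: 80
            name: http
          public:
            enabled: true
            type: ClusterIP
            port: 80
            name: http
        ingress:
          # The admin API (unauthenticated by design) is published only on the mesh-side
          # ingress class. NOTE(review): it is also a plain ClusterIP service, so any pod
          # in the cluster can reach it unless a NetworkPolicy says otherwise - none is
          # defined in this file.
          admin:
            enabled: true
            className: "{{ .Values.id }}-ingress-private"
            hosts:
              - host: "kratos.{{ .Values.id }}"
                paths:
                  - path: /
                    pathType: Prefix
            annotations:
              cert-manager.io/cluster-issuer: "{{ .Values.id }}-private"
              acme.cert-manager.io/http01-edit-in-place: "true"
            tls:
              - hosts:
                  - "kratos.{{ .Values.id }}"
                secretName: "cert-kratos.{{ .Values.id }}"
          public:
            enabled: true
            className: nginx
            hosts:
              - host: "accounts.{{ .Values.domain }}"
                paths:
                  - path: /
                    pathType: Prefix
            annotations:
              cert-manager.io/cluster-issuer: "{{ .Values.id }}-public"
              acme.cert-manager.io/http01-edit-in-place: "true"
            tls:
              - hosts:
                  - "accounts.{{ .Values.domain }}"
                # NOTE(review): this Secret name is shared with the hydra public ingress
                # below (and, judging by the name, a wildcard certificate issued elsewhere).
                # With the cluster-issuer annotation present, cert-manager's ingress-shim
                # creates a per-Ingress Certificate for accounts.<domain> that writes to
                # the same Secret, so the two overwrite each other. Either drop the
                # annotation on this ingress when the wildcard is managed elsewhere, or
                # go back to the dedicated secretName kept below.
                # secretName: cert-accounts.{{ .Values.domain }}
                secretName: "cert-wildcard.{{ .Values.domain }}"
        secret:
          enabled: true
        kratos:
          autoMigrate: true
          development: false
          config:
            version: v0.7.1-alpha.1
            # NOTE(review): DB superuser password inline (same literal as
            # core-auth-storage) and sslmode=disable. Move the password to a Secret and
            # enable TLS on the Postgres side before switching sslmode on.
            dsn: postgres://postgres:psswd@postgres:5432/kratos?sslmode=disable&max_conns=20&max_idle_conns=4
            serve:
              public:
                base_url: "https://accounts.{{ .Values.domain }}"
                cors:
                  enabled: true
                  debug: false
                  # Credentialed CORS for every subdomain: a compromised host anywhere
                  # under the domain can drive the public API with the user's session.
                  allow_credentials: true
                  allowed_origins:
                    - "https://{{ .Values.domain }}"
                    - "https://*.{{ .Values.domain }}"
              admin:
                base_url: "https://kratos.{{ .Values.id }}/"
            selfservice:
              default_browser_return_url: "https://accounts-ui.{{ .Values.domain }}"
              whitelisted_return_urls:
                - "https://accounts-ui.{{ .Values.domain }}"
              methods:
                password:
                  enabled: true
              flows:
                error:
                  ui_url: "https://accounts-ui.{{ .Values.domain }}/error"
                settings:
                  ui_url: "https://accounts-ui.{{ .Values.domain }}/settings"
                  privileged_session_max_age: 15m
                # Recovery and verification are off and the identity schema below has no
                # email trait, so there is no self-service path to regain a lost password.
                recovery:
                  enabled: false
                verification:
                  enabled: false
                logout:
                  after:
                    default_browser_return_url: "https://accounts-ui.{{ .Values.domain }}/login"
                login:
                  ui_url: "https://accounts-ui.{{ .Values.domain }}/login"
                  lifespan: 10m
                  after:
                    password:
                      default_browser_return_url: "https://accounts-ui.{{ .Values.domain }}/"
                # NOTE(review): self-service registration is enabled on the public
                # hostname, so anyone on the Internet can create an identity here. Every
                # app that trusts Hydra for login (matrix, pihole) must do its own
                # authorization on top, or registration needs to be closed/invite-only.
                registration:
                  lifespan: 10m
                  ui_url: "https://accounts-ui.{{ .Values.domain }}/registration"
                  after:
                    password:
                      hooks:
                        - hook: session
                      default_browser_return_url: "https://accounts-ui.{{ .Values.domain }}/"
            log:
              # NOTE(review): debug is very chatty; lower to info once the rollout is stable.
              level: debug
              format: text
              # Must stay false outside development: when enabled Kratos writes
              # credentials and session material into its logs, i.e. into whatever
              # collects container stdout.
              leak_sensitive_values: false
            cookies:
              path: /
              # NOTE(review): SameSite=None sends the session cookie on cross-site
              # requests. Every host here is under one registrable domain, so Lax would
              # normally be enough; confirm the UI really needs None before keeping it.
              same_site: None
              domain: "{{ .Values.domain }}"
            secrets:
              # NOTE(review): this is Kratos' documented placeholder, not a secret - anyone
              # can forge session cookies with it. Generate a random value, keep it out
              # of VCS (helmfile secrets / sops) and rotate it; rotation invalidates
              # existing sessions.
              cookie:
                - PLEASE-CHANGE-ME-I-AM-VERY-INSECURE
              # cipher:
              #   - 32-LONG-SECRET-NOT-SECURE-AT-ALL
              # ciphers:
              #   algorithm: xchacha20-poly1305
            hashers:
              argon2:
                parallelism: 1
                memory: 128MB
                iterations: 2
                salt_length: 16
                key_length: 16
            identity:
              default_schema_url: file:///etc/config/identity.schema.json
            courier:
              smtp:
                # NOTE(review): a complete SMTP username and password are embedded in this
                # URL and committed to the repository. Treat them as compromised: rotate
                # the mailbox credential and source the URI from a Secret.
                connection_uri: smtps://test-z1VmkYfYPjgdPRgPFgmeZ31esT9rUgS%40{{ .Values.domain }}:iW%213Kk%5EPPLFrZa%24%21bbpTPN9Wv3b8mvwS6ZJvMLtce%23A2%2A4MotD@mx1.{{ .Values.domain }}
        identitySchemas:
          # Username-only identity; the username is the password-credential identifier.
          "identity.schema.json": |
            {
              "$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json",
              "$schema": "http://json-schema.org/draft-07/schema#",
              "title": "User",
              "type": "object",
              "properties": {
                "traits": {
                  "type": "object",
                  "properties": {
                    "username": {
                      "type": "string",
                      "format": "username",
                      "title": "Username",
                      "minLength": 3,
                      "ory.sh/kratos": {
                        "credentials": {
                          "password": {
                            "identifier": true
                          }
                        }
                      }
                    }
                  },
                  "additionalProperties": false
                }
              }
            }
    - hydra:
        fullnameOverride: hydra
        image:
          # NOTE(review): floating tag, same concern as the kratos image above.
          repository: giolekva/ory-hydra
          tag: latest
          pullPolicy: Always
        service:
          admin:
            enabled: true
            type: ClusterIP
            port: 80
            name: http
          public:
            enabled: true
            type: ClusterIP
            port: 80
            name: http
        ingress:
          # Unauthenticated admin API, mesh-side ingress class only (see the kratos note).
          admin:
            enabled: true
            className: "{{ .Values.id }}-ingress-private"
            hosts:
              - host: "hydra.{{ .Values.id }}"
                paths:
                  - path: /
                    pathType: Prefix
            annotations:
              cert-manager.io/cluster-issuer: "{{ .Values.id }}-private"
              acme.cert-manager.io/http01-edit-in-place: "true"
            tls:
              - hosts:
                  - "hydra.{{ .Values.id }}"
                secretName: "cert-hydra.{{ .Values.id }}"
          public:
            enabled: true
            className: nginx
            hosts:
              - host: "hydra.{{ .Values.domain }}"
                paths:
                  - path: /
                    pathType: Prefix
            annotations:
              cert-manager.io/cluster-issuer: "{{ .Values.id }}-public"
              acme.cert-manager.io/http01-edit-in-place: "true"
            tls:
              - hosts:
                  - "hydra.{{ .Values.domain }}"
                # Shares the wildcard Secret with the kratos public ingress; see the note there.
                # secretName: cert-hydra.{{ .Values.domain }}
                secretName: "cert-wildcard.{{ .Values.domain }}"
        secret:
          enabled: true
        maester:
          enabled: true
          hydraFullnameOverride: hydra
        hydra-maester:
          image:
            repository: giolekva/ory-hydra-maester
            tag: latest
            pullPolicy: IfNotPresent
          adminService:
            name: hydra
            port: 80
        hydra:
          autoMigrate: true
          config:
            version: v1.10.6
            # NOTE(review): same inline superuser password, sslmode=disable, and the
            # *kratos* database: Hydra and Kratos share one DB and one superuser, so a
            # compromise of either service reaches the other's tables.
            dsn: postgres://postgres:psswd@postgres:5432/kratos?sslmode=disable&max_conns=20&max_idle_conns=4
            serve:
              cookies:
                # See the SameSite note on the kratos cookies block.
                same_site_mode: None
              public:
                cors:
                  enabled: true
                  debug: false
                  allow_credentials: true
                  allowed_origins:
                    - "https://{{ .Values.domain }}"
                    - "https://*.{{ .Values.domain }}"
              admin:
                # host: localhost
                cors:
                  allowed_origins:
                    - "https://hydra.{{ .Values.id }}"
                tls:
                  # Peers allowed to assert X-Forwarded-Proto: https (TLS terminated
                  # upstream). The list used to start with 0.0.0.0/0, which made the
                  # other entries moot - any client could claim TLS. Now only the pod and
                  # service CIDRs (k3s defaults, presumably - confirm for this cluster)
                  # and the mesh address qualify.
                  allow_termination_from:
                    - 10.42.0.0/16
                    - 10.43.0.0/16
                    - 111.0.0.1/32
              tls:
                # Same list as serve.admin.tls above, for the public interface.
                allow_termination_from:
                  - 10.42.0.0/16
                  - 10.43.0.0/16
                  - 111.0.0.1/32
            urls:
              self:
                public: "https://hydra.{{ .Values.domain }}"
                issuer: "https://hydra.{{ .Values.domain }}"
              consent: "https://accounts-ui.{{ .Values.domain }}/consent"
              login: "https://accounts-ui.{{ .Values.domain }}/login"
              logout: "https://accounts-ui.{{ .Values.domain }}/logout"
            secrets:
              # NOTE(review): Hydra's documented placeholder, not a secret. The system
              # secret protects Hydra's stored keys and tokens; generate a random 32+ byte
              # value, keep it out of VCS, and do not reuse it as the pairwise salt below.
              system:
                - youReallyNeedToChangeThis
            oidc:
              subject_identifiers:
                supported_types:
                  - pairwise
                  - public
                pairwise:
                  # NOTE(review): same placeholder as the system secret. Pairwise `sub`
                  # values are derived from this salt: pick it once (random, private)
                  # before any client depends on `sub`, because changing it later changes
                  # every pairwise subject identifier.
                  salt: youReallyNeedToChangeThis
            log:
              # NOTE(review): trace is the most verbose level; lower to info once the
              # deployment is stable.
              level: trace
              leak_sensitive_values: false
    - ui:
        certificateIssuer: "{{ .Values.id }}-public"
        ingressClassName: nginx
        domain: "{{ .Values.domain }}"
        internalDomain: "{{ .Values.id }}"
        nebula:
          lighthouse:
            name: ui-lighthouse
            internalIP: 111.0.0.1
            externalIP: 46.49.35.44
            port: "4243"
          node:
            name: ui
            # Mesh address of the accounts UI node. NOTE(review): 111.0.0.0/8 is public
            # address space; change it together with the lighthouse addresses.
            ipCidr: 111.0.0.2/24
            secretName: node-ui-cert
          certificateAuthority:
            name: "{{ .Values.id }}"
            namespace: "{{ .Values.id }}-ingress-private"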
- name: vaultwarden
  chart: ../../charts/vaultwarden
  namespace: "{{ .Values.id }}-app-vaultwarden"
  createNamespace: true
  values:
    - image:
        repository: vaultwarden/server
        tag: 1.22.2
        pullPolicy: IfNotPresent
    - storage:
        size: 1Gi
    # Mesh-only deployment: hostname under the private domain, private CA, private
    # ingress class. NOTE(review): nothing in this file disables Vaultwarden's open
    # sign-ups or sets an admin token; whether the chart does is not visible here -
    # confirm, otherwise every mesh member can register an account.
    - domain: "bitwarden.{{ .Values.id }}"
    - certificateIssuer: "{{ .Values.id }}-private"
    - ingressClassName: "{{ .Values.id }}-ingress-private"
- name: matrix-storage # TODO(giolekva): merge with core-auth
  chart: bitnami/postgresql
  version: 10.13.5
  namespace: "{{ .Values.id }}-app-matrix"
  createNamespace: true
  values:
    - fullnameOverride: postgres
    - image:
        # Official arm64 image in place of the Bitnami one; see the root overrides below.
        repository: arm64v8/postgres
        tag: "13.4"  # quoted on purpose: a bare 13.4 is a YAML float
    - service:
        type: ClusterIP
        port: 5432
    # NOTE(review): same guessable superuser password as the core-auth database,
    # committed to VCS and repeated in the matrix release. Rotate and supply it out of
    # band (helmfile secrets / sops, or the chart's existingSecret).
    - postgresqlPassword: psswd
    # Creates the application database at first start; the app connects as the superuser.
    - initdbScripts:
        createdb.sh: |
          #!/bin/sh
          createdb -U postgres --encoding=UTF8 --locale=C --template=template0 --owner=postgres matrix
    - persistence:
        size: 1Gi
    # NOTE(review): runs the database container as uid 0. Presumably required by the
    # official image's entrypoint (starts as root, drops privileges itself) - confirm.
    - securityContext:
        enabled: true
        fsGroup: 0
    - containerSecurityContext:
        enabled: true
        runAsUser: 0
    - volumePermissions:
        securityContext:
          runAsUser: 0
- name: matrix
  chart: ../../charts/matrix
  namespace: "{{ .Values.id }}-app-matrix"
  createNamespace: true
  values:
    - domain: "{{ .Values.domain }}"
    - oauth2:
        # Plain-HTTP endpoint of Hydra's admin API, which is unauthenticated: whatever can
        # reach it can register OAuth2 clients. NOTE(review): Hydra is deployed in the
        # <id>-core-auth namespace, so the bare name `hydra-admin` presumably resolves via
        # something the chart provides - confirm.
        hydraAdmin: http://hydra-admin
        hydraPublic: "https://hydra.{{ .Values.domain }}"
        clientId: matrix
        # Empty here; presumably generated by the chart and stored under secretName.
        clientSecret: ""
        secretName: oauth2-client
    - postgresql:
        host: postgres
        port: 5432
        database: matrix
        # NOTE(review): connects as the Postgres superuser, password inline (same literal
        # as matrix-storage). Use a dedicated role and source the password from a Secret.
        user: postgres
        password: psswd
    - certificateIssuer: "{{ .Values.id }}-public"
    - ingressClassName: nginx
    - configMerge:
        configName: config-to-merge
        fileName: to-merge.yaml
- name: pihole
  chart: ../../charts/pihole
  namespace: "{{ .Values.id }}-app-pihole"
  createNamespace: true
  values:
    - domain: "{{ .Values.id }}"
    - pihole:
        image:
          repository: "pihole/pihole"
          tag: v5.8.1
        persistentVolumeClaim:
          enabled: true
          size: 5Gi
        # NOTE(review): default credential, committed. The OAuth2 front-end configured
        # below presumably gates the ingress, but this password still logs into the
        # Pi-hole admin panel for anything that reaches the ClusterIP web service
        # directly (no NetworkPolicy is defined here). Set a random value from a Secret.
        adminPassword: "admin"
        # The upstream chart's own ingress is off; the private ingress below fronts it instead.
        ingress:
          enabled: false
        serviceDhcp:
          enabled: false
        serviceDns:
          type: ClusterIP
        serviceWeb:
          type: ClusterIP
          http:
            enabled: true
          https:
            enabled: false
        virtualHost: "pihole.{{ .Values.id }}"
        resources:
          requests:
            cpu: "250m"
            memory: "100M"
          limits:
            cpu: "500m"
            memory: "250M"
    - oauth2:
        clientId: pihole
        # Empty here; presumably generated by the chart and stored under secretName.
        clientSecret: ""
        secretName: oauth2-secret
        configName: oauth2-proxy
        # Unauthenticated Hydra admin API over plain HTTP; anything that can reach it can
        # register OAuth2 clients.
        hydraAdmin: http://hydra-admin
    - hydraPublic: "https://hydra.{{ .Values.domain }}/"
    - profileUrl: "https://accounts-ui.{{ .Values.domain }}"
    - certificateIssuer: "{{ .Values.id }}-private"
    - ingressClassName: "{{ .Values.id }}-ingress-private"

environments:
  shveli:
    # NOTE(review): this is the natural home for the site-specific addresses hard-coded
    # in the releases (46.49.35.44), and - via helmfile's `secrets:` (sops-encrypted)
    # rather than `values:` - for the database passwords, cookie/system secrets and the
    # SMTP credential that are currently committed in clear text.
    values:
      - id: shveli
      - domain: shve.li
      - contactEmail: giolekva@gmail.com
      - certManagerNamespace: cert-manager