# Chart repositories referenced below as <repo>/<chart>.
# Charts referenced by relative path (../../charts/...) need no entry here.
repositories:
# ingress-nginx/ingress-nginx (ingress-private release)
- name: ingress-nginx
  url: https://kubernetes.github.io/ingress-nginx
# bitnami/postgresql (core-auth-storage and matrix-storage releases)
- name: bitnami
  url: https://charts.bitnami.com/bitnami
# Settings applied to every release unless the release overrides them.
helmDefaults:
  # Only meaningful with Helm 2 (no Tiller); inert under Helm 3.
  tillerless: true
  # Do not block `helmfile apply` on Jobs completing.
  waitForJobs: false
  # Namespaces are created by the `namespaces` release; only that release
  # overrides this with createNamespace: true.
  createNamespace: false
releases:
# Creates the per-instance namespaces every other release deploys into.
# Later releases expect them to be named {{ .Values.id }}-<entry>; presumably
# the chart prefixes each entry with pcloudInstanceId — confirm in the chart.
- name: namespaces
  chart: ../../charts/namespaces
  namespace: {{ .Values.id }}
  # This namespace cannot be created by the chart that runs inside it.
  createNamespace: true
  values:
  - pcloudInstanceId: {{ .Values.id }}
  - namespaces:
    - app-maddy
    - app-matrix
    - app-pihole
    - app-vaultwarden
    - core-auth
    - ingress-private
# Nebula overlay configuration shared by the lighthouse sidecar (ingress-private)
# and the ui node (core-auth): CA reference plus lighthouse endpoints.
- name: vpn-mesh-config
  chart: ../../charts/vpn-mesh-config
  namespace: {{ .Values.id }}-ingress-private
  values:
  - certificateAuthority:
      name: {{ .Values.id }}
      secretName: ca-{{ .Values.id }}-cert
  - lighthouse:
      # Overlay address; the ingress controller below binds to the same IP.
      internalIP: 111.0.0.1
      # NOTE(review): a fixed public IP committed to config; if it is
      # environment-specific, move it to the environment values.
      externalIP: 46.49.35.44
      # Quoted on purpose: consumed as a string.
      port: "4243"
# Private ingress-nginx: a ClusterIP controller with a Nebula lighthouse sidecar,
# so the p.<domain> hosts are only reachable over the overlay network.
- name: ingress-private
  chart: ingress-nginx/ingress-nginx
  version: 4.0.3
  namespace: {{ .Values.id }}-ingress-private
  values:
  - fullnameOverride: {{ .Values.id }}-nginx-private
  - controller:
      # No LoadBalancer: traffic arrives via the Nebula sidecar.
      service:
        type: ClusterIP
      ingressClassByName: true
      ingressClassResource:
        name: {{ .Values.id }}-ingress-private
        enabled: true
        default: false
        controllerValue: k8s.io/{{ .Values.id }}-ingress-private
      extraArgs:
        # Wildcard cert for p.<domain>, issued by the certificate-issuer release.
        default-ssl-certificate: "{{ .Values.id }}-ingress-private/cert-wildcard.p.{{ .Values.domain }}"
      extraVolumes:
      - name: lighthouse-cert
        secret:
          secretName: node-lighthouse-cert
      - name: config
        configMap:
          name: lighthouse-config
      extraContainers:
      - name: lighthouse
        # NOTE(review): unpinned `latest` tag; pin a version or digest so the
        # sidecar that fronts the private network is reproducible.
        image: giolekva/nebula:latest
        imagePullPolicy: IfNotPresent
        securityContext:
          # NOTE(review): privileged already grants every capability, so the
          # NET_ADMIN entry is redundant. Nebula needs a TUN device; check
          # whether NET_ADMIN plus a /dev/net/tun mount is enough and drop
          # privileged if so.
          privileged: true
          capabilities:
            add:
            - NET_ADMIN
        ports:
        - name: nebula
          containerPort: 4243
          protocol: UDP
        command:
        - nebula
        - --config=/etc/nebula/config/lighthouse.yaml
        volumeMounts:
        - name: lighthouse-cert
          mountPath: /etc/nebula/lighthouse
        - name: config
          mountPath: /etc/nebula/config
      config:
        # Listen only on the overlay IP handed out by vpn-mesh-config.
        bind-address: 111.0.0.1
        # 0 disables the request body size limit for every private host.
        proxy-body-size: 0
  # Raw UDP/TCP forwarding: DNS to pihole, mail protocols to maddy.
  - udp:
      53: "{{ .Values.id }}-app-pihole/pihole-dns-udp:53"
  - tcp:
      53: "{{ .Values.id }}-app-pihole/pihole-dns-tcp:53"
      143: "{{ .Values.id }}-app-maddy/maddy:143"
      465: "{{ .Values.id }}-app-maddy/maddy:465"
      587: "{{ .Values.id }}-app-maddy/maddy:587"
      993: "{{ .Values.id }}-app-maddy/maddy:993"
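# Two cert-manager issuers: a public one for <domain> and a private one for
# p.<domain>. The private issuer carries the Gandi API token (presumably for
# DNS-01 via the webhook named below — confirm in the chart).
- name: certificate-issuer
  chart: ../../charts/certificate-issuer
  namespace: {{ .Values.id }}-ingress-private
  values:
  - pcloudInstanceId: {{ .Values.id }}
  - certManager:
      namespace: {{ .Values.pcloudEnvName }}-cert-manager
      gandiWebhookSecretReader: {{ .Values.pcloudEnvName }}-cert-manager-webhook-gandi
  - public:
      name: {{ .Values.id }}-public
      server: https://acme-v02.api.letsencrypt.org/directory
      domain: {{ .Values.domain }}
      stagingServer: https://acme-staging-v02.api.letsencrypt.org/directory
      contactEmail: {{ .Values.contactEmail }}
      # NOTE(review): `ingressClass` here vs `ingressClassName` below — confirm
      # the chart reads both spellings.
      ingressClass: nginx
  - private:
      name: {{ .Values.id }}-private
      server: https://acme-v02.api.letsencrypt.org/directory
      domain: p.{{ .Values.domain }}
      contactEmail: {{ .Values.contactEmail }}
      ingressClassName: {{ .Values.id }}-ingress-private
      # Rendered as a quoted YAML string: an unquoted secret that starts with a
      # YAML indicator, looks like a number, or contains ": " / " #" would
      # otherwise be mis-typed or truncated before it reaches the chart.
      gandiAPIToken: {{ .Values.gandiAPIToken | quote }}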
# PostgreSQL backing Kratos and Hydra (both DSNs in the core-auth release).
- name: core-auth-storage # TODO(giolekva): merge with core-auth
  chart: bitnami/postgresql
  version: 10.13.5
  namespace: {{ .Values.id }}-core-auth
  values:
  # Service name `postgres` is what the core-auth DSNs resolve.
  - fullnameOverride: postgres
  - image:
      repository: arm64v8/postgres
      # Float-typed today (renders as 13.4); quote it if the tag ever carries a
      # trailing zero.
      tag: 13.4
  - service:
      type: ClusterIP
      port: 5432
  # NOTE(review): plaintext password committed to the repo and duplicated in
  # the Kratos/Hydra DSNs and in matrix-storage; source it from the
  # environment's secrets file instead.
  - postgresqlPassword: psswd
  - postgresqlDatabase: kratos
  - persistence:
      size: 1Gi
  # NOTE(review): everything below runs as root (uid/gid 0); presumably a
  # workaround for volume ownership on this host — worth confirming and, if
  # possible, limiting to the volumePermissions init step.
  - securityContext:
      enabled: true
      fsGroup: 0
  - containerSecurityContext:
      enabled: true
      runAsUser: 0
  - volumePermissions:
      securityContext:
        runAsUser: 0
# Identity stack: Ory Kratos (accounts/sessions), Ory Hydra (OAuth2/OIDC) and
# the accounts UI, all behind ../../charts/auth. Each values: entry is merged
# into the chart values, later entries overriding earlier ones.
- name: core-auth
  chart: ../../charts/auth
  namespace: {{ .Values.id }}-core-auth
  values:
  - kratos:
      fullnameOverride: kratos
      image:
        repository: giolekva/ory-kratos
        # NOTE(review): `latest` with pullPolicy Always turns every pod restart
        # into a potential upgrade; pin a version tag or digest.
        tag: latest
        pullPolicy: Always
      service:
        admin:
          enabled: true
          type: ClusterIP
          port: 80
          name: http
        public:
          enabled: true
          type: ClusterIP
          port: 80
          name: http
      ingress:
        # Admin API only on the private ingress class (p.<domain>).
        admin:
          enabled: true
          className: {{ .Values.id }}-ingress-private
          hosts:
          - host: kratos.p.{{ .Values.domain }}
            paths:
            - path: /
              pathType: Prefix
          tls:
          - hosts:
            - kratos.p.{{ .Values.domain }}
        # Public self-service API; certificate from the <id>-public issuer
        # via HTTP-01.
        public:
          enabled: true
          className: nginx
          hosts:
          - host: accounts.{{ .Values.domain }}
            paths:
            - path: /
              pathType: Prefix
          annotations:
            cert-manager.io/cluster-issuer: "{{ .Values.id }}-public"
            acme.cert-manager.io/http01-edit-in-place: "true"
          tls:
          - hosts:
            - accounts.{{ .Values.domain }}
            secretName: cert-accounts.{{ .Values.domain }}
            # secretName: cert-wildcard.{{ .Values.domain }}
      secret:
        enabled: true
      kratos:
        autoMigrate: true
        development: false
        config:
          version: v0.7.1-alpha.1
          # NOTE(review): plaintext DB credentials inline (same `psswd` as
          # core-auth-storage) and sslmode=disable; inject the DSN from the
          # environment's secrets file.
          dsn: postgres://postgres:psswd@postgres:5432/kratos?sslmode=disable&max_conns=20&max_idle_conns=4
          serve:
            public:
              base_url: https://accounts.{{ .Values.domain }}
              cors:
                enabled: true
                debug: false
                allow_credentials: true
                allowed_origins:
                - https://{{ .Values.domain }}
                - https://*.{{ .Values.domain }}
            admin:
              base_url: https://kratos.p.{{ .Values.domain }}/
          selfservice:
            default_browser_return_url: https://accounts-ui.{{ .Values.domain }}
            whitelisted_return_urls:
            - https://accounts-ui.{{ .Values.domain }}
            methods:
              password:
                enabled: true
            flows:
              error:
                ui_url: https://accounts-ui.{{ .Values.domain }}/error
              settings:
                ui_url: https://accounts-ui.{{ .Values.domain }}/settings
                privileged_session_max_age: 15m
              # Recovery and verification are off: no e-mail based flows yet.
              recovery:
                enabled: false
              verification:
                enabled: false
              logout:
                after:
                  default_browser_return_url: https://accounts-ui.{{ .Values.domain }}/login
              login:
                ui_url: https://accounts-ui.{{ .Values.domain }}/login
                lifespan: 10m
                after:
                  password:
                    default_browser_return_url: https://accounts-ui.{{ .Values.domain }}/
              registration:
                lifespan: 10m
                ui_url: https://accounts-ui.{{ .Values.domain }}/registration
                after:
                  password:
                    # session hook: the new identity is signed in right after
                    # password registration.
                    hooks:
                    - hook: session
                    default_browser_return_url: https://accounts-ui.{{ .Values.domain }}/
          log:
            level: debug
            format: text
            # NOTE(review): with this on, credentials and PII end up in the
            # debug log; keep it false outside local debugging.
            leak_sensitive_values: true
          cookies:
            path: /
            # The string "None" is intended (YAML only reads null/~ as null);
            # needed for the cross-subdomain accounts-ui flows.
            same_site: None
            domain: {{ .Values.domain }}
          secrets:
            # NOTE(review): Ory quickstart placeholder signing the session
            # cookie; replace with a random value from the secrets file.
            cookie:
            - PLEASE-CHANGE-ME-I-AM-VERY-INSECURE
            # cipher:
            # - 32-LONG-SECRET-NOT-SECURE-AT-ALL
            # ciphers:
            #   algorithm: xchacha20-poly1305
          hashers:
            argon2:
              parallelism: 1
              memory: 128MB
              iterations: 2
              salt_length: 16
              key_length: 16
          identity:
            # Presumably mounted from identitySchemas below — confirm in chart.
            default_schema_url: file:///etc/config/identity.schema.json
          courier:
            smtp:
              # NOTE(review): a percent-encoded SMTP credential is committed
              # here; move it to the secrets file and rotate it.
              connection_uri: smtps://test-z1VmkYfYPjgdPRgPFgmeZ31esT9rUgS%40{{ .Values.domain }}:iW%213Kk%5EPPLFrZa%24%21bbpTPN9Wv3b8mvwS6ZJvMLtce%23A2%2A4MotD@mx1.{{ .Values.domain }}
        identitySchemas:
          # Single trait `username`, which doubles as the password identifier.
          "identity.schema.json": |
            {
              "$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json",
              "$schema": "http://json-schema.org/draft-07/schema#",
              "title": "User",
              "type": "object",
              "properties": {
                "traits": {
                  "type": "object",
                  "properties": {
                    "username": {
                      "type": "string",
                      "format": "username",
                      "title": "Username",
                      "minLength": 3,
                      "ory.sh/kratos": {
                        "credentials": {
                          "password": {
                            "identifier": true
                          }
                        }
                      }
                    }
                  },
                  "additionalProperties": false
                }
              }
            }
  - hydra:
      fullnameOverride: hydra
      image:
        repository: giolekva/ory-hydra
        # NOTE(review): unpinned `latest` + Always, as for kratos above.
        tag: latest
        pullPolicy: Always
      service:
        admin:
          enabled: true
          type: ClusterIP
          port: 80
          name: http
        public:
          enabled: true
          type: ClusterIP
          port: 80
          name: http
      ingress:
        # Admin API on the private ingress class only.
        admin:
          enabled: true
          className: {{ .Values.id }}-ingress-private
          hosts:
          - host: hydra.p.{{ .Values.domain }}
            paths:
            - path: /
              pathType: Prefix
          tls:
          - hosts:
            - hydra.p.{{ .Values.domain }}
        # Public OAuth2/OIDC endpoints.
        public:
          enabled: true
          className: nginx
          hosts:
          - host: hydra.{{ .Values.domain }}
            paths:
            - path: /
              pathType: Prefix
          annotations:
            cert-manager.io/cluster-issuer: "{{ .Values.id }}-public"
            acme.cert-manager.io/http01-edit-in-place: "true"
          tls:
          - hosts:
            - hydra.{{ .Values.domain }}
            secretName: cert-hydra.{{ .Values.domain }}
            # secretName: cert-wildcard.{{ .Values.domain }}
      secret:
        enabled: true
      # hydra-maester manages OAuth2 clients (matrix, pihole) as CRDs via the
      # admin service.
      maester:
        enabled: true
        hydraFullnameOverride: hydra
      hydra-maester:
        image:
          repository: giolekva/ory-hydra-maester
          tag: latest
          pullPolicy: IfNotPresent
        adminService:
          name: hydra
          port: 80
      hydra:
        autoMigrate: true
        config:
          version: v1.10.6
          # NOTE(review): same plaintext credentials and the same `kratos`
          # database as Kratos; confirm the two products' migration tables do
          # not collide, and source the DSN from secrets.
          dsn: postgres://postgres:psswd@postgres:5432/kratos?sslmode=disable&max_conns=20&max_idle_conns=4
          serve:
            cookies:
              same_site_mode: None
            public:
              cors:
                enabled: true
                debug: false
                allow_credentials: true
                allowed_origins:
                - https://{{ .Values.domain }}
                - https://*.{{ .Values.domain }}
            admin:
              # host: localhost
              cors:
                allowed_origins:
                - https://hydra.p.{{ .Values.domain }}
              # NOTE(review): 0.0.0.0/0 trusts the TLS-termination header from
              # any source, so the narrower CIDRs after it never matter; keep
              # only the ingress and overlay ranges (same list below).
              tls:
                allow_termination_from:
                - 0.0.0.0/0
                - 10.42.0.0/16
                - 10.43.0.0/16
                - 111.0.0.1/32
            tls:
              allow_termination_from:
              - 0.0.0.0/0
              - 10.42.0.0/16
              - 10.43.0.0/16
              - 111.0.0.1/32
          urls:
            self:
              public: https://hydra.{{ .Values.domain }}
              issuer: https://hydra.{{ .Values.domain }}
            # Login/consent/logout UIs are served by the accounts UI.
            consent: https://accounts-ui.{{ .Values.domain }}/consent
            login: https://accounts-ui.{{ .Values.domain }}/login
            logout: https://accounts-ui.{{ .Values.domain }}/logout
          secrets:
            # NOTE(review): Hydra's placeholder system secret, reused below as
            # the pairwise salt; both must come from the secrets file.
            system:
            - youReallyNeedToChangeThis
          oidc:
            subject_identifiers:
              supported_types:
              - pairwise
              - public
              pairwise:
                salt: youReallyNeedToChangeThis
          log:
            # NOTE(review): trace level is very verbose for a production
            # identity provider.
            level: trace
            leak_sensitive_values: false
  # Accounts UI: public ingress, plus a Nebula node so it can reach the
  # private admin APIs over the overlay.
  - ui:
      certificateIssuer: {{ .Values.id }}-public
      ingressClassName: nginx
      domain: {{ .Values.domain }}
      internalDomain: p.{{ .Values.domain }}
      nebula:
        lighthouse:
          name: ui-lighthouse
          internalIP: 111.0.0.1
          externalIP: 46.49.35.44
          port: "4243"
        node:
          name: ui
          # Same /24 overlay as the lighthouse at 111.0.0.1.
          ipCidr: 111.0.0.2/24
          secretName: node-ui-cert
        certificateAuthority:
          name: {{ .Values.id }}
          namespace: {{ .Values.id }}-ingress-private
# Vaultwarden, exposed only on the private ingress (bitwarden.p.<domain>).
- name: vaultwarden
  chart: ../../charts/vaultwarden
  namespace: {{ .Values.id }}-app-vaultwarden
  values:
  - image:
      repository: vaultwarden/server
      # Pinned release tag.
      tag: 1.22.2
      pullPolicy: IfNotPresent
  - storage:
      size: 1Gi
  - domain: bitwarden.p.{{ .Values.domain }}
  - certificateIssuer: {{ .Values.id }}-private
  - ingressClassName: {{ .Values.id }}-ingress-private
# PostgreSQL for the matrix release; mirrors core-auth-storage plus an init
# script that creates the `matrix` database with the locale Synapse expects.
- name: matrix-storage # TODO(giolekva): merge with core-auth
  chart: bitnami/postgresql
  version: 10.13.5
  namespace: {{ .Values.id }}-app-matrix
  values:
  - fullnameOverride: postgres
  - image:
      repository: arm64v8/postgres
      # Float-typed today (renders as 13.4); quote it if the tag ever carries a
      # trailing zero.
      tag: 13.4
  - service:
      type: ClusterIP
      port: 5432
  # NOTE(review): plaintext password shared with core-auth-storage and
  # repeated in the matrix release; source it from the secrets file.
  - postgresqlPassword: psswd
  - initdbScripts:
      createdb.sh: |
        #!/bin/sh
        createdb -U postgres --encoding=UTF8 --locale=C --template=template0 --owner=postgres matrix
  - persistence:
      size: 1Gi
  # NOTE(review): runs as root (uid/gid 0), as in core-auth-storage.
  - securityContext:
      enabled: true
      fsGroup: 0
  - containerSecurityContext:
      enabled: true
      runAsUser: 0
  - volumePermissions:
      securityContext:
        runAsUser: 0
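# Matrix homeserver on the public ingress, logging in via Hydra (OIDC).
- name: matrix
  chart: ../../charts/matrix
  namespace: {{ .Values.id }}-app-matrix
  values:
  - domain: {{ .Values.domain }}
  - oauth2:
      # NOTE(review): bare service name over plain HTTP; Hydra lives in
      # {{ .Values.id }}-core-auth, so this only resolves if the chart or the
      # cluster provides an alias in this namespace — confirm.
      hydraAdmin: http://hydra-admin
      hydraPublic: https://hydra.{{ .Values.domain }}
      clientId: matrix
      # Quoted so a secret starting with a YAML indicator or containing ": " /
      # " #" cannot be mis-typed or truncated before it reaches the chart.
      clientSecret: {{ .Values.matrixOAuth2ClientSecret | quote }}
      secretName: oauth2-client
  - postgresql:
      host: postgres
      port: 5432
      database: matrix
      user: postgres
      # NOTE(review): plaintext password duplicated from matrix-storage;
      # source both from the secrets file.
      password: psswd
  - certificateIssuer: {{ .Values.id }}-public
  - ingressClassName: nginx
  - configMerge:
      configName: config-to-merge
      fileName: to-merge.yaml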
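# Pi-hole DNS for the private network; the web UI sits behind oauth2-proxy
# (Hydra client) on the private ingress. Port 53 is reached through the
# tcp/udp forwards in the ingress-private release.
- name: pihole
  chart: ../../charts/pihole
  namespace: {{ .Values.id }}-app-pihole
  values:
  - domain: {{ .Values.domain }}
  - pihole:
      image:
        repository: "pihole/pihole"
        tag: v5.8.1
      persistentVolumeClaim:
        enabled: true
        size: 5Gi
      # NOTE(review): default admin password committed to the repo; even
      # behind oauth2-proxy it should come from the secrets file.
      adminPassword: admin
      # The chart's own ingress is off; the oauth2-proxy fronts the UI.
      ingress:
        enabled: false
      serviceDhcp:
        enabled: false
      serviceDns:
        type: ClusterIP
      serviceWeb:
        type: ClusterIP
        http:
          enabled: true
        https:
          enabled: false
      virtualHost: pihole.p.{{ .Values.domain }}
      resources:
        requests:
          cpu: "250m"
          memory: "100M"
        limits:
          cpu: "500m"
          memory: "250M"
  - oauth2:
      clientId: pihole
      # Both secrets rendered as quoted YAML strings so values starting with a
      # YAML indicator, looking like numbers, or containing ": " / " #" are
      # passed through intact.
      clientSecret: {{ .Values.piholeOAuth2ClientSecret | quote }}
      cookieSecret: {{ .Values.piholeOAuth2CookieSecret | quote }}
      secretName: oauth2-secret
      configName: oauth2-proxy
      # NOTE(review): bare service name over plain HTTP across namespaces —
      # same caveat as the matrix release.
      hydraAdmin: http://hydra-admin
  # NOTE(review): hydraPublic is a top-level value here but nested under
  # oauth2 in the matrix release; confirm this chart reads it at this level.
  - hydraPublic: https://hydra.{{ .Values.domain }}/
  - profileUrl: https://accounts-ui.{{ .Values.domain }}
  - certificateIssuer: {{ .Values.id }}-private
  - ingressClassName: {{ .Values.id }}-ingress-private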
# Maddy mail server: IMAP/submission on the private ingress (via the TCP
# forwards in ingress-private), public web endpoint, outbound relay through
# the environment's mail gateway.
- name: maddy
  chart: ../../charts/maddy
  namespace: {{ .Values.id }}-app-maddy
  values:
  - ingress:
      private:
        className: {{ .Values.id }}-ingress-private
        domain: p.{{ .Values.domain }}
      public:
        className: nginx
        domain: {{ .Values.domain }}
        certificateIssuer: {{ .Values.id }}-public
  - storage:
      size: 10Gi
  - mailGateway:
      mxHostname: {{ .Values.mxHostname }}
      address: {{ .Values.mailGatewayAddress }}
# Per-instance inputs. Values not listed here (gandiAPIToken, the OAuth2
# client/cookie secrets) presumably come from the secrets file — verify.
environments:
  shveli:
    secrets:
    - secrets.shveli.yaml
    values:
    - pcloudEnvName: pcloud
    - id: shveli
    - domain: shve.li
    - contactEmail: giolekva@gmail.com
    # Not referenced by any release in this file; the issuer derives the
    # cert-manager namespace from pcloudEnvName instead.
    - certManagerNamespace: cert-manager
    - mxHostname: mx1.lekva.me
    # Quoted: the value contains ":".
    - mailGatewayAddress: "tcp://maddy.pcloud-mail-gateway.svc.cluster.local:587"