Gitiles
Code Review Sign In
code.v1.dodo.cloud / pcloud / 17861bc0aff3b876e2cbaf8e64459348bc7efc59 / . / helmfile / users / helmfile.yaml
blob: 24a90823714378cabde6919ccd29349f844d91c1 [file] [log] [blame]
giolekva5cd32162021-11-05 20:10:19 +0400[diff] [blame]1repositories:
2- name: ingress-nginx
3 url: https://kubernetes.github.io/ingress-nginx
giolekvadd750802021-11-07 13:24:21 +0400[diff] [blame]4- name: bitnami
5 url: https://charts.bitnami.com/bitnami
giolekva5cd32162021-11-05 20:10:19 +0400[diff] [blame]6
7helmDefaults:
8 tillerless: true
giolekvadd750802021-11-07 13:24:21 +0400[diff] [blame]9 waitForJobs: false
giolekva5cd32162021-11-05 20:10:19 +0400[diff] [blame]10
11releases:
giolekva17861bc2021-11-09 19:50:50 +0400[diff] [blame^]12# - name: vpn-mesh-config
13# chart: ../../charts/vpn-mesh-config
14# namespace: {{ .Values.id }}-ingress-private
15# createNamespace: true
16# values:
17# - certificateAuthority:
18# name: {{ .Values.id }}
19# secretName: ca-{{ .Values.id }}-cert
20# - lighthouse:
21# internalIP: 111.0.0.1
22# externalIP: 46.49.35.44
23# port: "4243"
24# - name: ingress-private
25# chart: ingress-nginx/ingress-nginx
26# version: 4.0.3
27# namespace: {{ .Values.id }}-ingress-private
28# createNamespace: true
29# values:
30# - fullnameOverride: nginx
31# - controller:
32# service:
33# type: ClusterIP
34# ingressClassByName: true
35# ingressClassResource:
36# name: {{ .Values.id }}-ingress-private
37# enabled: true
38# default: false
39# controllerValue: k8s.io/{{ .Values.id }}-ingress-private
40# extraArgs:
41# default-ssl-certificate: "{{ .Values.id }}-ingress-private/cert-wildcard.p.{{ .Values.domain }}"
42# extraVolumes:
43# - name: lighthouse-cert
44# secret:
45# secretName: node-lighthouse-cert
46# - name: config
47# configMap:
48# name: lighthouse-config
49# extraContainers:
50# - name: lighthouse
51# image: giolekva/nebula:latest
52# imagePullPolicy: IfNotPresent
53# securityContext:
54# privileged: true
55# capabilities:
56# add:
57# - NET_ADMIN
58# ports:
59# - name: nebula
60# containerPort: 4243
61# protocol: UDP
62# command:
63# - nebula
64# - --config=/etc/nebula/config/lighthouse.yaml
65# volumeMounts:
66# - name: lighthouse-cert
67# mountPath: /etc/nebula/lighthouse
68# - name: config
69# mountPath: /etc/nebula/config
70# config:
71# bind-address: 111.0.0.1
72# proxy-body-size: 0
73# udp:
74# - 53: {{ .Values.id }}-app-pihole/pihole-dns-udp:53
75# tcp:
76# - 53: {{ .Values.id }}-app-pihole/pihole-dns-tcp:53
77# - name: certificate-issuer
78# chart: ../../charts/certificate-issuer
79# namespace: {{ .Values.certManagerNamespace }} # {{ .Values.id }}-ingress-private
80# createNamespace: true
81# values:
82# - public:
83# name: {{ .Values.id }}-public
84# server: https://acme-v02.api.letsencrypt.org/directory
85# stagingServer: https://acme-staging-v02.api.letsencrypt.org/directory
86# contactEmail: {{ .Values.contactEmail }}
87# ingressClass: nginx
88# - private:
89# name: {{ .Values.id }}-private
90# domain: {{ .Values.id }}
91# ingressClassName: {{ .Values.id }}-ingress-private
92# - name: core-auth-storage # TODO(giolekva): merge with core-auth
93# chart: bitnami/postgresql
94# version: 10.13.5
95# namespace: {{ .Values.id }}-core-auth
96# createNamespace: true
97# values:
98# - fullnameOverride: postgres
99# - image:
100# repository: arm64v8/postgres
101# tag: 13.4
102# - service:
103# type: ClusterIP
104# port: 5432
105# - postgresqlPassword: psswd
106# - postgresqlDatabase: kratos
107# - persistence:
108# size: 1Gi
109# - securityContext:
110# enabled: true
111# fsGroup: 0
112# - containerSecurityContext:
113# enabled: true
114# runAsUser: 0
115# - volumePermissions:
116# securityContext:
117# runAsUser: 0
118# - name: core-auth
119# chart: ../../charts/auth
120# namespace: {{ .Values.id }}-core-auth
121# createNamespace: true
122# values:
123# - kratos:
124# fullnameOverride: kratos
125# image:
126# repository: giolekva/ory-kratos
127# tag: latest
128# pullPolicy: Always
129# service:
130# admin:
131# enabled: true
132# type: ClusterIP
133# port: 80
134# name: http
135# public:
136# enabled: true
137# type: ClusterIP
138# port: 80
139# name: http
140# ingress:
141# admin:
142# enabled: true
143# className: {{ .Values.id }}-ingress-private
144# hosts:
145# - host: kratos.{{ .Values.id }}
146# paths:
147# - path: /
148# pathType: Prefix
149# annotations:
150# cert-manager.io/cluster-issuer: "{{ .Values.id }}-private"
151# acme.cert-manager.io/http01-edit-in-place: "true"
152# tls:
153# - hosts:
154# - kratos.{{ .Values.id }}
155# secretName: cert-kratos.{{ .Values.id }}
156# public:
157# enabled: true
158# className: nginx
159# hosts:
160# - host: accounts.{{ .Values.domain }}
161# paths:
162# - path: /
163# pathType: Prefix
164# annotations:
165# cert-manager.io/cluster-issuer: "{{ .Values.id }}-public"
166# acme.cert-manager.io/http01-edit-in-place: "true"
167# tls:
168# - hosts:
169# - accounts.{{ .Values.domain }}
170# # secretName: cert-accounts.{{ .Values.domain }}
171# secretName: cert-wildcard.{{ .Values.domain }}
172# secret:
173# enabled: true
174# kratos:
175# autoMigrate: true
176# development: false
177# config:
178# version: v0.7.1-alpha.1
179# dsn: postgres://postgres:psswd@postgres:5432/kratos?sslmode=disable&max_conns=20&max_idle_conns=4
180# serve:
181# public:
182# base_url: https://accounts.{{ .Values.domain }}
183# cors:
184# enabled: true
185# debug: false
186# allow_credentials: true
187# allowed_origins:
188# - https://{{ .Values.domain }}
189# - https://*.{{ .Values.domain }}
190# admin:
191# base_url: https://kratos.{{ .Values.id }}/
192# selfservice:
193# default_browser_return_url: https://accounts-ui.{{ .Values.domain }}
194# whitelisted_return_urls:
195# - https://accounts-ui.{{ .Values.domain }}
196# methods:
197# password:
198# enabled: true
199# flows:
200# error:
201# ui_url: https://accounts-ui.{{ .Values.domain }}/error
202# settings:
203# ui_url: https://accounts-ui.{{ .Values.domain }}/settings
204# privileged_session_max_age: 15m
205# recovery:
206# enabled: false
207# verification:
208# enabled: false
209# logout:
210# after:
211# default_browser_return_url: https://accounts-ui.{{ .Values.domain }}/login
212# login:
213# ui_url: https://accounts-ui.{{ .Values.domain }}/login
214# lifespan: 10m
215# after:
216# password:
217# default_browser_return_url: https://accounts-ui.{{ .Values.domain }}/
218# registration:
219# lifespan: 10m
220# ui_url: https://accounts-ui.{{ .Values.domain }}/registration
221# after:
222# password:
223# hooks:
224# -
225# hook: session
226# default_browser_return_url: https://accounts-ui.{{ .Values.domain }}/
227# log:
228# level: debug
229# format: text
230# leak_sensitive_values: true
231# cookies:
232# path: /
233# same_site: None
234# domain: {{ .Values.domain }}
235# secrets:
236# cookie:
237# - PLEASE-CHANGE-ME-I-AM-VERY-INSECURE
238# # cipher:
239# # - 32-LONG-SECRET-NOT-SECURE-AT-ALL
240# # ciphers:
241# # algorithm: xchacha20-poly1305
242# hashers:
243# argon2:
244# parallelism: 1
245# memory: 128MB
246# iterations: 2
247# salt_length: 16
248# key_length: 16
249# identity:
250# default_schema_url: file:///etc/config/identity.schema.json
251# courier:
252# smtp:
253# connection_uri: smtps://test-z1VmkYfYPjgdPRgPFgmeZ31esT9rUgS%40{{ .Values.domain }}:iW%213Kk%5EPPLFrZa%24%21bbpTPN9Wv3b8mvwS6ZJvMLtce%23A2%2A4MotD@mx1.{{ .Values.domain }}
254# identitySchemas:
255# "identity.schema.json": |
256# {
257# "$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json",
258# "$schema": "http://json-schema.org/draft-07/schema#",
259# "title": "User",
260# "type": "object",
261# "properties": {
262# "traits": {
263# "type": "object",
264# "properties": {
265# "username": {
266# "type": "string",
267# "format": "username",
268# "title": "Username",
269# "minLength": 3,
270# "ory.sh/kratos": {
271# "credentials": {
272# "password": {
273# "identifier": true
274# }
275# }
276# }
277# }
278# },
279# "additionalProperties": false
280# }
281# }
282# }
283# - hydra:
284# fullnameOverride: hydra
285# image:
286# repository: giolekva/ory-hydra
287# tag: latest
288# pullPolicy: Always
289# service:
290# admin:
291# enabled: true
292# type: ClusterIP
293# port: 80
294# name: http
295# public:
296# enabled: true
297# type: ClusterIP
298# port: 80
299# name: http
300# ingress:
301# admin:
302# enabled: true
303# className: {{ .Values.id }}-ingress-private
304# hosts:
305# - host: hydra.{{ .Values.id }}
306# paths:
307# - path: /
308# pathType: Prefix
309# annotations:
310# cert-manager.io/cluster-issuer: "{{ .Values.id }}-private"
311# acme.cert-manager.io/http01-edit-in-place: "true"
312# tls:
313# - hosts:
314# - hydra.{{ .Values.id }}
315# secretName: cert-hydra.{{ .Values.id }}
316# public:
317# enabled: true
318# className: nginx
319# hosts:
320# - host: hydra.{{ .Values.domain }}
321# paths:
322# - path: /
323# pathType: Prefix
324# annotations:
325# cert-manager.io/cluster-issuer: "{{ .Values.id }}-public"
326# acme.cert-manager.io/http01-edit-in-place: "true"
327# tls:
328# - hosts:
329# - hydra.{{ .Values.domain }}
330# # secretName: cert-hydra.{{ .Values.domain }}
331# secretName: cert-wildcard.{{ .Values.domain }}
332# secret:
333# enabled: true
334# maester:
335# enabled: true
336# hydraFullnameOverride: hydra
337# hydra-maester:
338# image:
339# repository: giolekva/ory-hydra-maester
340# tag: latest
341# pullPolicy: IfNotPresent
342# adminService:
343# name: hydra
344# port: 80
345# hydra:
346# autoMigrate: true
347# config:
348# version: v1.10.6
349# dsn: postgres://postgres:psswd@postgres:5432/kratos?sslmode=disable&max_conns=20&max_idle_conns=4
350# serve:
351# cookies:
352# same_site_mode: None
353# public:
354# cors:
355# enabled: true
356# debug: false
357# allow_credentials: true
358# allowed_origins:
359# - https://{{ .Values.domain }}
360# - https://*.{{ .Values.domain }}
361# admin:
362# # host: localhost
363# cors:
364# allowed_origins:
365# - https://hydra.{{ .Values.id }}
366# tls:
367# allow_termination_from:
368# - 0.0.0.0/0
369# - 10.42.0.0/16
370# - 10.43.0.0/16
371# - 111.0.0.1/32
372# tls:
373# allow_termination_from:
374# - 0.0.0.0/0
375# - 10.42.0.0/16
376# - 10.43.0.0/16
377# - 111.0.0.1/32
378# urls:
379# self:
380# public: https://hydra.{{ .Values.domain }}
381# issuer: https://hydra.{{ .Values.domain }}
382# consent: https://accounts-ui.{{ .Values.domain }}/consent
383# login: https://accounts-ui.{{ .Values.domain }}/login
384# logout: https://accounts-ui.{{ .Values.domain }}/logout
385# secrets:
386# system:
387# - youReallyNeedToChangeThis
388# oidc:
389# subject_identifiers:
390# supported_types:
391# - pairwise
392# - public
393# pairwise:
394# salt: youReallyNeedToChangeThis
395# log:
396# level: trace
397# leak_sensitive_values: false
398# - ui:
399# certificateIssuer: {{ .Values.id }}-public
400# ingressClassName: nginx
401# domain: {{ .Values.domain }}
402# internalDomain: {{ .Values.id }}
403# nebula:
404# lighthouse:
405# name: ui-lighthouse
406# internalIP: 111.0.0.1
407# externalIP: 46.49.35.44
408# port: "4243"
409# node:
410# name: ui
411# ipCidr: 111.0.0.2/24
412# secretName: node-ui-cert
413# certificateAuthority:
414# name: {{ .Values.id }}
415# namespace: {{ .Values.id }}-ingress-private
416# - name: vaultwarden
417# chart: ../../charts/vaultwarden
418# namespace: {{ .Values.id }}-app-vaultwarden
419# createNamespace: true
420# values:
421# - image:
422# repository: vaultwarden/server
423# tag: 1.22.2
424# pullPolicy: IfNotPresent
425# - storage:
426# size: 1Gi
427# - domain: bitwarden.{{ .Values.id }}
428# - certificateIssuer: {{ .Values.id }}-private
429# - ingressClassName: {{ .Values.id }}-ingress-private
430# - name: matrix-storage # TODO(giolekva): merge with core-auth
431# chart: bitnami/postgresql
432# version: 10.13.5
433# namespace: {{ .Values.id }}-app-matrix
434# createNamespace: true
435# values:
436# - fullnameOverride: postgres
437# - image:
438# repository: arm64v8/postgres
439# tag: 13.4
440# - service:
441# type: ClusterIP
442# port: 5432
443# - postgresqlPassword: psswd
444# - initdbScripts:
445# createdb.sh: |
446# #!/bin/sh
447# createdb -U postgres --encoding=UTF8 --locale=C --template=template0 --owner=postgres matrix
448# - persistence:
449# size: 1Gi
450# - securityContext:
451# enabled: true
452# fsGroup: 0
453# - containerSecurityContext:
454# enabled: true
455# runAsUser: 0
456# - volumePermissions:
457# securityContext:
458# runAsUser: 0
459# - name: matrix
460# chart: ../../charts/matrix
461# namespace: {{ .Values.id }}-app-matrix
462# createNamespace: true
463# values:
464# - domain: {{ .Values.domain }}
465# - oauth2:
466# hydraAdmin: http://hydra-admin
467# hydraPublic: https://hydra.{{ .Values.domain }}
468# clientId: matrix
469# clientSecret: ""
470# secretName: oauth2-client
471# - postgresql:
472# host: postgres
473# port: 5432
474# database: matrix
475# user: postgres
476# password: psswd
477# - certificateIssuer: {{ .Values.id }}-public
478# - ingressClassName: nginx
479# - configMerge:
480# configName: config-to-merge
481# fileName: to-merge.yaml
giolekva01b3d3b2021-11-09 17:48:28 +0400[diff] [blame]482- name: pihole
483 chart: ../../charts/pihole
484 namespace: {{ .Values.id }}-app-pihole
485 createNamespace: true
486 values:
giolekva17861bc2021-11-09 19:50:50 +0400[diff] [blame^]487 - domain: {{ .Values.domain }}
giolekva01b3d3b2021-11-09 17:48:28 +0400[diff] [blame]488 - pihole:
489 image:
490 repository: "pihole/pihole"
491 tag: v5.8.1
492 persistentVolumeClaim:
493 enabled: true
494 size: 5Gi
495 adminPassword: "admin"
496 ingress:
497 enabled: false
498 serviceDhcp:
499 enabled: false
500 serviceDns:
501 type: ClusterIP
502 serviceWeb:
503 type: ClusterIP
504 http:
505 enabled: true
506 https:
507 enabled: false
giolekva17861bc2021-11-09 19:50:50 +0400[diff] [blame^]508 virtualHost: pihole.p.{{ .Values.domain }}
giolekva01b3d3b2021-11-09 17:48:28 +0400[diff] [blame]509 resources:
510 requests:
511 cpu: "250m"
512 memory: "100M"
513 limits:
514 cpu: "500m"
515 memory: "250M"
516 - oauth2:
517 clientId: pihole
518 clientSecret: ""
519 secretName: oauth2-secret
520 configName: oauth2-proxy
521 hydraAdmin: http://hydra-admin
522 - hydraPublic: https://hydra.{{ .Values.domain }}/
523 - profileUrl: https://accounts-ui.{{ .Values.domain }}
524 - certificateIssuer: {{ .Values.id }}-private
525 - ingressClassName: {{ .Values.id }}-ingress-private
giolekva5cd32162021-11-05 20:10:19 +0400[diff] [blame]526
527environments:
528 shveli:
529 values:
giolekvadd750802021-11-07 13:24:21 +0400[diff] [blame]530 - id: shveli
531 - domain: shve.li
532 - contactEmail: giolekva@gmail.com
533 - certManagerNamespace: cert-manager