Gitiles
Code Review Sign In
code.v1.dodo.cloud / pcloud / 4703175dcdf67dbdc3adcd6253efc741fed9b4fb / . / helmfile / users / helmfile.yaml
blob: 0ab0ed44e0cde9527259f3bb058f1e6c570a2089 [file] [log] [blame]
giolekva5cd32162021-11-05 20:10:19 +0400[diff] [blame]1repositories:
2- name: ingress-nginx
3 url: https://kubernetes.github.io/ingress-nginx
giolekvadd750802021-11-07 13:24:21 +0400[diff] [blame]4- name: bitnami
5 url: https://charts.bitnami.com/bitnami
giolekva5cd32162021-11-05 20:10:19 +0400[diff] [blame]6
7helmDefaults:
8 tillerless: true
giolekvadd750802021-11-07 13:24:21 +0400[diff] [blame]9 waitForJobs: false
giolekva5cd32162021-11-05 20:10:19 +0400[diff] [blame]10
11releases:
giolekva99c6cdd2021-11-10 15:12:48 +0400[diff] [blame]12- name: vpn-mesh-config
13 chart: ../../charts/vpn-mesh-config
14 namespace: {{ .Values.id }}-ingress-private
15 createNamespace: true
16 values:
17 - certificateAuthority:
18 name: {{ .Values.id }}
19 secretName: ca-{{ .Values.id }}-cert
20 - lighthouse:
21 internalIP: 111.0.0.1
22 externalIP: 46.49.35.44
23 port: "4243"
24- name: ingress-private
25 chart: ingress-nginx/ingress-nginx
26 version: 4.0.3
27 namespace: {{ .Values.id }}-ingress-private
28 createNamespace: true
29 values:
30 - fullnameOverride: nginx
31 - controller:
32 service:
33 type: ClusterIP
34 ingressClassByName: true
35 ingressClassResource:
36 name: {{ .Values.id }}-ingress-private
37 enabled: true
38 default: false
39 controllerValue: k8s.io/{{ .Values.id }}-ingress-private
40 extraArgs:
41 default-ssl-certificate: "{{ .Values.id }}-ingress-private/cert-wildcard.p.{{ .Values.domain }}"
42 extraVolumes:
43 - name: lighthouse-cert
44 secret:
45 secretName: node-lighthouse-cert
46 - name: config
47 configMap:
48 name: lighthouse-config
49 extraContainers:
50 - name: lighthouse
51 image: giolekva/nebula:latest
52 imagePullPolicy: IfNotPresent
53 securityContext:
54 privileged: true
55 capabilities:
56 add:
57 - NET_ADMIN
58 ports:
59 - name: nebula
60 containerPort: 4243
61 protocol: UDP
62 command:
63 - nebula
64 - --config=/etc/nebula/config/lighthouse.yaml
65 volumeMounts:
66 - name: lighthouse-cert
67 mountPath: /etc/nebula/lighthouse
68 - name: config
69 mountPath: /etc/nebula/config
70 config:
71 bind-address: 111.0.0.1
72 proxy-body-size: 0
73 udp:
74 - 53: {{ .Values.id }}-app-pihole/pihole-dns-udp:53
75 tcp:
76 - 53: {{ .Values.id }}-app-pihole/pihole-dns-tcp:53
77- name: certificate-issuer
78 chart: ../../charts/certificate-issuer
giolekva01a6b792021-11-11 19:01:17 +0400[diff] [blame]79 namespace: {{ .Values.id }}-ingress-private
giolekva99c6cdd2021-11-10 15:12:48 +0400[diff] [blame]80 createNamespace: true
81 values:
giolekva01a6b792021-11-11 19:01:17 +0400[diff] [blame]82 - certManager:
83 namespace: cert-manager
84 gandiWebhookSecretReader: cert-manager-webhook-gandi
giolekva99c6cdd2021-11-10 15:12:48 +0400[diff] [blame]85 - public:
86 name: {{ .Values.id }}-public
87 server: https://acme-v02.api.letsencrypt.org/directory
giolekva01a6b792021-11-11 19:01:17 +0400[diff] [blame]88 domain: {{ .Values.domain }}
giolekva99c6cdd2021-11-10 15:12:48 +0400[diff] [blame]89 stagingServer: https://acme-staging-v02.api.letsencrypt.org/directory
90 contactEmail: {{ .Values.contactEmail }}
91 ingressClass: nginx
92 - private:
93 name: {{ .Values.id }}-private
giolekva01a6b792021-11-11 19:01:17 +0400[diff] [blame]94 server: https://acme-v02.api.letsencrypt.org/directory
95 domain: p.{{ .Values.domain }}
96 contactEmail: {{ .Values.contactEmail }}
giolekva99c6cdd2021-11-10 15:12:48 +0400[diff] [blame]97 ingressClassName: {{ .Values.id }}-ingress-private
giolekva01a6b792021-11-11 19:01:17 +0400[diff] [blame]98 gandiAPIToken: {{ .Values.gandiAPIToken }}
giolekva99c6cdd2021-11-10 15:12:48 +0400[diff] [blame]99- name: core-auth-storage # TODO(giolekva): merge with core-auth
100 chart: bitnami/postgresql
101 version: 10.13.5
102 namespace: {{ .Values.id }}-core-auth
103 createNamespace: true
104 values:
105 - fullnameOverride: postgres
106 - image:
107 repository: arm64v8/postgres
108 tag: 13.4
109 - service:
110 type: ClusterIP
111 port: 5432
112 - postgresqlPassword: psswd
113 - postgresqlDatabase: kratos
114 - persistence:
115 size: 1Gi
116 - securityContext:
117 enabled: true
118 fsGroup: 0
119 - containerSecurityContext:
120 enabled: true
121 runAsUser: 0
122 - volumePermissions:
123 securityContext:
124 runAsUser: 0
125- name: core-auth
126 chart: ../../charts/auth
127 namespace: {{ .Values.id }}-core-auth
128 createNamespace: true
129 values:
130 - kratos:
131 fullnameOverride: kratos
132 image:
133 repository: giolekva/ory-kratos
134 tag: latest
135 pullPolicy: Always
136 service:
137 admin:
138 enabled: true
139 type: ClusterIP
140 port: 80
141 name: http
142 public:
143 enabled: true
144 type: ClusterIP
145 port: 80
146 name: http
147 ingress:
148 admin:
149 enabled: true
150 className: {{ .Values.id }}-ingress-private
151 hosts:
giolekva01a6b792021-11-11 19:01:17 +0400[diff] [blame]152 - host: kratos.p.{{ .Values.domain }}
giolekva99c6cdd2021-11-10 15:12:48 +0400[diff] [blame]153 paths:
154 - path: /
155 pathType: Prefix
giolekva99c6cdd2021-11-10 15:12:48 +0400[diff] [blame]156 tls:
157 - hosts:
giolekva01a6b792021-11-11 19:01:17 +0400[diff] [blame]158 - kratos.p.{{ .Values.domain }}
giolekva99c6cdd2021-11-10 15:12:48 +0400[diff] [blame]159 public:
160 enabled: true
161 className: nginx
162 hosts:
163 - host: accounts.{{ .Values.domain }}
164 paths:
165 - path: /
166 pathType: Prefix
giolekva01a6b792021-11-11 19:01:17 +0400[diff] [blame]167 # annotations:
168 # cert-manager.io/cluster-issuer: "{{ .Values.id }}-public"
169 # acme.cert-manager.io/http01-edit-in-place: "true"
giolekva99c6cdd2021-11-10 15:12:48 +0400[diff] [blame]170 tls:
171 - hosts:
172 - accounts.{{ .Values.domain }}
173 # secretName: cert-accounts.{{ .Values.domain }}
174 secretName: cert-wildcard.{{ .Values.domain }}
175 secret:
176 enabled: true
177 kratos:
178 autoMigrate: true
179 development: false
180 config:
181 version: v0.7.1-alpha.1
182 dsn: postgres://postgres:psswd@postgres:5432/kratos?sslmode=disable&max_conns=20&max_idle_conns=4
183 serve:
184 public:
185 base_url: https://accounts.{{ .Values.domain }}
186 cors:
187 enabled: true
188 debug: false
189 allow_credentials: true
190 allowed_origins:
191 - https://{{ .Values.domain }}
192 - https://*.{{ .Values.domain }}
193 admin:
giolekva01a6b792021-11-11 19:01:17 +0400[diff] [blame]194 base_url: https://kratos.p.{{ .Values.domain }}/
giolekva99c6cdd2021-11-10 15:12:48 +0400[diff] [blame]195 selfservice:
196 default_browser_return_url: https://accounts-ui.{{ .Values.domain }}
197 whitelisted_return_urls:
198 - https://accounts-ui.{{ .Values.domain }}
199 methods:
200 password:
201 enabled: true
202 flows:
203 error:
204 ui_url: https://accounts-ui.{{ .Values.domain }}/error
205 settings:
206 ui_url: https://accounts-ui.{{ .Values.domain }}/settings
207 privileged_session_max_age: 15m
208 recovery:
209 enabled: false
210 verification:
211 enabled: false
212 logout:
213 after:
214 default_browser_return_url: https://accounts-ui.{{ .Values.domain }}/login
215 login:
216 ui_url: https://accounts-ui.{{ .Values.domain }}/login
217 lifespan: 10m
218 after:
219 password:
220 default_browser_return_url: https://accounts-ui.{{ .Values.domain }}/
221 registration:
222 lifespan: 10m
223 ui_url: https://accounts-ui.{{ .Values.domain }}/registration
224 after:
225 password:
226 hooks:
227 -
228 hook: session
229 default_browser_return_url: https://accounts-ui.{{ .Values.domain }}/
230 log:
231 level: debug
232 format: text
233 leak_sensitive_values: true
234 cookies:
235 path: /
236 same_site: None
237 domain: {{ .Values.domain }}
238 secrets:
239 cookie:
240 - PLEASE-CHANGE-ME-I-AM-VERY-INSECURE
241 # cipher:
242 # - 32-LONG-SECRET-NOT-SECURE-AT-ALL
243 # ciphers:
244 # algorithm: xchacha20-poly1305
245 hashers:
246 argon2:
247 parallelism: 1
248 memory: 128MB
249 iterations: 2
250 salt_length: 16
251 key_length: 16
252 identity:
253 default_schema_url: file:///etc/config/identity.schema.json
254 courier:
255 smtp:
256 connection_uri: smtps://test-z1VmkYfYPjgdPRgPFgmeZ31esT9rUgS%40{{ .Values.domain }}:iW%213Kk%5EPPLFrZa%24%21bbpTPN9Wv3b8mvwS6ZJvMLtce%23A2%2A4MotD@mx1.{{ .Values.domain }}
257 identitySchemas:
258 "identity.schema.json": |
259 {
260 "$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json",
261 "$schema": "http://json-schema.org/draft-07/schema#",
262 "title": "User",
263 "type": "object",
264 "properties": {
265 "traits": {
266 "type": "object",
267 "properties": {
268 "username": {
269 "type": "string",
270 "format": "username",
271 "title": "Username",
272 "minLength": 3,
273 "ory.sh/kratos": {
274 "credentials": {
275 "password": {
276 "identifier": true
277 }
278 }
279 }
280 }
281 },
282 "additionalProperties": false
283 }
284 }
285 }
286 - hydra:
287 fullnameOverride: hydra
288 image:
289 repository: giolekva/ory-hydra
290 tag: latest
291 pullPolicy: Always
292 service:
293 admin:
294 enabled: true
295 type: ClusterIP
296 port: 80
297 name: http
298 public:
299 enabled: true
300 type: ClusterIP
301 port: 80
302 name: http
303 ingress:
304 admin:
305 enabled: true
306 className: {{ .Values.id }}-ingress-private
307 hosts:
giolekva01a6b792021-11-11 19:01:17 +0400[diff] [blame]308 - host: hydra.p.{{ .Values.domain }}
giolekva99c6cdd2021-11-10 15:12:48 +0400[diff] [blame]309 paths:
310 - path: /
311 pathType: Prefix
giolekva99c6cdd2021-11-10 15:12:48 +0400[diff] [blame]312 tls:
313 - hosts:
giolekva01a6b792021-11-11 19:01:17 +0400[diff] [blame]314 - hydra.p.{{ .Values.domain }}
giolekva99c6cdd2021-11-10 15:12:48 +0400[diff] [blame]315 public:
316 enabled: true
317 className: nginx
318 hosts:
319 - host: hydra.{{ .Values.domain }}
320 paths:
321 - path: /
322 pathType: Prefix
giolekva01a6b792021-11-11 19:01:17 +0400[diff] [blame]323 # annotations:
324 # cert-manager.io/cluster-issuer: "{{ .Values.id }}-public"
325 # acme.cert-manager.io/http01-edit-in-place: "true"
giolekva99c6cdd2021-11-10 15:12:48 +0400[diff] [blame]326 tls:
327 - hosts:
328 - hydra.{{ .Values.domain }}
329 # secretName: cert-hydra.{{ .Values.domain }}
330 secretName: cert-wildcard.{{ .Values.domain }}
331 secret:
332 enabled: true
333 maester:
334 enabled: true
335 hydraFullnameOverride: hydra
336 hydra-maester:
337 image:
338 repository: giolekva/ory-hydra-maester
339 tag: latest
340 pullPolicy: IfNotPresent
341 adminService:
342 name: hydra
343 port: 80
344 hydra:
345 autoMigrate: true
346 config:
347 version: v1.10.6
348 dsn: postgres://postgres:psswd@postgres:5432/kratos?sslmode=disable&max_conns=20&max_idle_conns=4
349 serve:
350 cookies:
351 same_site_mode: None
352 public:
353 cors:
354 enabled: true
355 debug: false
356 allow_credentials: true
357 allowed_origins:
358 - https://{{ .Values.domain }}
359 - https://*.{{ .Values.domain }}
360 admin:
361 # host: localhost
362 cors:
363 allowed_origins:
giolekva01a6b792021-11-11 19:01:17 +0400[diff] [blame]364 - https://hydra.p.{{ .Values.domain }}
giolekva99c6cdd2021-11-10 15:12:48 +0400[diff] [blame]365 tls:
366 allow_termination_from:
367 - 0.0.0.0/0
368 - 10.42.0.0/16
369 - 10.43.0.0/16
370 - 111.0.0.1/32
371 tls:
372 allow_termination_from:
373 - 0.0.0.0/0
374 - 10.42.0.0/16
375 - 10.43.0.0/16
376 - 111.0.0.1/32
377 urls:
378 self:
379 public: https://hydra.{{ .Values.domain }}
380 issuer: https://hydra.{{ .Values.domain }}
381 consent: https://accounts-ui.{{ .Values.domain }}/consent
382 login: https://accounts-ui.{{ .Values.domain }}/login
383 logout: https://accounts-ui.{{ .Values.domain }}/logout
384 secrets:
385 system:
386 - youReallyNeedToChangeThis
387 oidc:
388 subject_identifiers:
389 supported_types:
390 - pairwise
391 - public
392 pairwise:
393 salt: youReallyNeedToChangeThis
394 log:
395 level: trace
396 leak_sensitive_values: false
397 - ui:
398 certificateIssuer: {{ .Values.id }}-public
399 ingressClassName: nginx
400 domain: {{ .Values.domain }}
giolekva01a6b792021-11-11 19:01:17 +0400[diff] [blame]401 internalDomain: p.{{ .Values.domain }}
giolekva99c6cdd2021-11-10 15:12:48 +0400[diff] [blame]402 nebula:
403 lighthouse:
404 name: ui-lighthouse
405 internalIP: 111.0.0.1
406 externalIP: 46.49.35.44
407 port: "4243"
408 node:
409 name: ui
410 ipCidr: 111.0.0.2/24
411 secretName: node-ui-cert
412 certificateAuthority:
413 name: {{ .Values.id }}
414 namespace: {{ .Values.id }}-ingress-private
415- name: vaultwarden
416 chart: ../../charts/vaultwarden
417 namespace: {{ .Values.id }}-app-vaultwarden
418 createNamespace: true
419 values:
420 - image:
421 repository: vaultwarden/server
422 tag: 1.22.2
423 pullPolicy: IfNotPresent
424 - storage:
425 size: 1Gi
giolekva9cdcc042021-11-10 15:24:54 +0400[diff] [blame]426 - domain: bitwarden.p.{{ .Values.domain }}
giolekva99c6cdd2021-11-10 15:12:48 +0400[diff] [blame]427 - certificateIssuer: {{ .Values.id }}-private
428 - ingressClassName: {{ .Values.id }}-ingress-private
429- name: matrix-storage # TODO(giolekva): merge with core-auth
430 chart: bitnami/postgresql
431 version: 10.13.5
432 namespace: {{ .Values.id }}-app-matrix
433 createNamespace: true
434 values:
435 - fullnameOverride: postgres
436 - image:
437 repository: arm64v8/postgres
438 tag: 13.4
439 - service:
440 type: ClusterIP
441 port: 5432
442 - postgresqlPassword: psswd
443 - initdbScripts:
444 createdb.sh: |
445 #!/bin/sh
446 createdb -U postgres --encoding=UTF8 --locale=C --template=template0 --owner=postgres matrix
447 - persistence:
448 size: 1Gi
449 - securityContext:
450 enabled: true
451 fsGroup: 0
452 - containerSecurityContext:
453 enabled: true
454 runAsUser: 0
455 - volumePermissions:
456 securityContext:
457 runAsUser: 0
458- name: matrix
459 chart: ../../charts/matrix
460 namespace: {{ .Values.id }}-app-matrix
461 createNamespace: true
462 values:
463 - domain: {{ .Values.domain }}
464 - oauth2:
465 hydraAdmin: http://hydra-admin
466 hydraPublic: https://hydra.{{ .Values.domain }}
467 clientId: matrix
giolekva01a6b792021-11-11 19:01:17 +0400[diff] [blame]468 clientSecret: {{ .Values.matrixOAuth2ClientSecret }}
giolekva99c6cdd2021-11-10 15:12:48 +0400[diff] [blame]469 secretName: oauth2-client
470 - postgresql:
471 host: postgres
472 port: 5432
473 database: matrix
474 user: postgres
475 password: psswd
476 - certificateIssuer: {{ .Values.id }}-public
477 - ingressClassName: nginx
478 - configMerge:
479 configName: config-to-merge
480 fileName: to-merge.yaml
giolekva01b3d3b2021-11-09 17:48:28 +0400[diff] [blame]481- name: pihole
482 chart: ../../charts/pihole
483 namespace: {{ .Values.id }}-app-pihole
484 createNamespace: true
485 values:
giolekva17861bc2021-11-09 19:50:50 +0400[diff] [blame]486 - domain: {{ .Values.domain }}
giolekva01b3d3b2021-11-09 17:48:28 +0400[diff] [blame]487 - pihole:
488 image:
489 repository: "pihole/pihole"
490 tag: v5.8.1
491 persistentVolumeClaim:
492 enabled: true
493 size: 5Gi
giolekva99c6cdd2021-11-10 15:12:48 +0400[diff] [blame]494 adminPassword: admin
giolekva01b3d3b2021-11-09 17:48:28 +0400[diff] [blame]495 ingress:
496 enabled: false
497 serviceDhcp:
498 enabled: false
499 serviceDns:
500 type: ClusterIP
501 serviceWeb:
502 type: ClusterIP
503 http:
504 enabled: true
505 https:
506 enabled: false
giolekva17861bc2021-11-09 19:50:50 +0400[diff] [blame]507 virtualHost: pihole.p.{{ .Values.domain }}
giolekva01b3d3b2021-11-09 17:48:28 +0400[diff] [blame]508 resources:
509 requests:
510 cpu: "250m"
511 memory: "100M"
512 limits:
513 cpu: "500m"
514 memory: "250M"
515 - oauth2:
516 clientId: pihole
giolekva99c6cdd2021-11-10 15:12:48 +0400[diff] [blame]517 clientSecret: {{ .Values.piholeOAuth2ClientSecret }}
518 cookieSecret: {{ .Values.piholeOAuth2CookieSecret }}
giolekva01b3d3b2021-11-09 17:48:28 +0400[diff] [blame]519 secretName: oauth2-secret
520 configName: oauth2-proxy
521 hydraAdmin: http://hydra-admin
522 - hydraPublic: https://hydra.{{ .Values.domain }}/
523 - profileUrl: https://accounts-ui.{{ .Values.domain }}
524 - certificateIssuer: {{ .Values.id }}-private
525 - ingressClassName: {{ .Values.id }}-ingress-private
giolekva5cd32162021-11-05 20:10:19 +0400[diff] [blame]526
527environments:
528 shveli:
giolekva99c6cdd2021-11-10 15:12:48 +0400[diff] [blame]529 secrets:
530 - secrets.shveli.yaml
giolekva5cd32162021-11-05 20:10:19 +0400[diff] [blame]531 values:
giolekvadd750802021-11-07 13:24:21 +0400[diff] [blame]532 - id: shveli
533 - domain: shve.li
534 - contactEmail: giolekva@gmail.com
535 - certManagerNamespace: cert-manager