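# Helmfile for one self-hosted environment: a nebula-backed private ingress,
# public/private ACME issuers, the ORY auth stack (kratos + hydra + UI) and the
# app releases (vaultwarden, matrix, pihole, maddy).  Every `{{ .Values.* }}`
# is rendered by helmfile from the environment's values/secrets files listed
# under `environments:` at the bottom, before the document is parsed as YAML;
# free-standing template expressions are quoted so an empty or
# special-character expansion cannot change the scalar's type or break parsing.
# NOTE(review): several credentials below are upstream placeholders or literal
# plaintext values committed to VCS; each one is marked inline and should move
# to the environment's secrets file.
repositories:
- name: ingress-nginx
  url: https://kubernetes.github.io/ingress-nginx
- name: bitnami
  url: https://charts.bitnami.com/bitnami

helmDefaults:
  tillerless: true
  waitForJobs: false

releases:
# Nebula CA + lighthouse settings shared by the ingress sidecar and the UI node.
- name: vpn-mesh-config
  chart: ../../charts/vpn-mesh-config
  namespace: {{ .Values.id }}-ingress-private
  createNamespace: true
  values:
  - certificateAuthority:
      name: "{{ .Values.id }}"
      secretName: ca-{{ .Values.id }}-cert
  - lighthouse:
      internalIP: 111.0.0.1
      externalIP: 46.49.35.44
      port: "4243"
# Private ingress: ClusterIP controller reachable only over the nebula overlay.
- name: ingress-private
  chart: ingress-nginx/ingress-nginx
  version: 4.0.3
  namespace: {{ .Values.id }}-ingress-private
  createNamespace: true
  values:
  - fullnameOverride: {{ .Values.id }}-nginx-private
  - controller:
      service:
        type: ClusterIP
      ingressClassByName: true
      ingressClassResource:
        name: {{ .Values.id }}-ingress-private
        enabled: true
        default: false
        controllerValue: k8s.io/{{ .Values.id }}-ingress-private
      extraArgs:
        default-ssl-certificate: "{{ .Values.id }}-ingress-private/cert-wildcard.p.{{ .Values.domain }}"
      extraVolumes:
      - name: lighthouse-cert
        secret:
          secretName: node-lighthouse-cert
      - name: config
        configMap:
          name: lighthouse-config
      # Nebula lighthouse sidecar; presumably the overlay address it brings up
      # is the 111.0.0.1 that `config.bind-address` below binds to.
      extraContainers:
      - name: lighthouse
        # NOTE(review): unpinned `latest` tag on the component that terminates
        # the overlay network; pin a version or digest for reproducible deploys.
        image: giolekva/nebula:latest
        imagePullPolicy: IfNotPresent
        securityContext:
          # NOTE(review): privileged already grants every capability and host
          # device access, which makes the NET_ADMIN add below redundant.
          # Confirm whether NET_ADMIN (plus the tun device) is enough for
          # nebula and drop `privileged` if so — TODO.
          privileged: true
          capabilities:
            add:
            - NET_ADMIN
        ports:
        - name: nebula
          containerPort: 4243
          protocol: UDP
        command:
        - nebula
        - --config=/etc/nebula/config/lighthouse.yaml
        volumeMounts:
        - name: lighthouse-cert
          mountPath: /etc/nebula/lighthouse
        - name: config
          mountPath: /etc/nebula/config
      config:
        bind-address: 111.0.0.1
        # 0 disables the request-body size limit on the private ingress.
        proxy-body-size: 0
  # Raw TCP/UDP passthrough from the private ingress to DNS (pihole) and mail (maddy).
  - udp:
      53: "{{ .Values.id }}-app-pihole/pihole-dns-udp:53"
  - tcp:
      53: "{{ .Values.id }}-app-pihole/pihole-dns-tcp:53"
      143: "{{ .Values.id }}-app-maddy/maddy:143"
      465: "{{ .Values.id }}-app-maddy/maddy:465"
      587: "{{ .Values.id }}-app-maddy/maddy:587"
      993: "{{ .Values.id }}-app-maddy/maddy:993"
# cert-manager issuers: a public one for the apex domain and a private one for
# the p.<domain> overlay hosts (DNS-01 via the Gandi webhook).
- name: certificate-issuer
  chart: ../../charts/certificate-issuer
  namespace: {{ .Values.id }}-ingress-private
  createNamespace: true
  values:
  - certManager:
      namespace: cert-manager
      gandiWebhookSecretReader: cert-manager-webhook-gandi
  - public:
      name: {{ .Values.id }}-public
      server: https://acme-v02.api.letsencrypt.org/directory
      domain: "{{ .Values.domain }}"
      stagingServer: https://acme-staging-v02.api.letsencrypt.org/directory
      contactEmail: "{{ .Values.contactEmail }}"
      ingressClass: nginx
  - private:
      name: {{ .Values.id }}-private
      server: https://acme-v02.api.letsencrypt.org/directory
      domain: p.{{ .Values.domain }}
      contactEmail: "{{ .Values.contactEmail }}"
      ingressClassName: {{ .Values.id }}-ingress-private
      # Quoted: an API token may contain characters YAML treats as indicators.
      # It should be supplied from the environment's secrets file, not values.
      gandiAPIToken: "{{ .Values.gandiAPIToken }}"
- name: core-auth-storage # TODO(giolekva): merge with core-auth
  chart: bitnami/postgresql
  version: 10.13.5
  namespace: {{ .Values.id }}-core-auth
  createNamespace: true
  values:
  - fullnameOverride: postgres
  - image:
      repository: arm64v8/postgres
      # Quoted: an unquoted 13.4 is a YAML float and a future 13.10 would
      # silently render as 13.1.
      tag: "13.4"
  - service:
      type: ClusterIP
      port: 5432
  # NOTE(review): plaintext placeholder password committed to VCS and repeated
  # verbatim in the kratos and hydra `dsn` values below; move it to
  # secrets.shveli.yaml (see `environments:`) and reference it via .Values.
  - postgresqlPassword: psswd
  - postgresqlDatabase: kratos
  - persistence:
      size: 1Gi
  # NOTE(review): the database runs as root (fsGroup/runAsUser 0); confirm the
  # arm64v8/postgres image cannot run as its unprivileged postgres uid instead.
  - securityContext:
      enabled: true
      fsGroup: 0
  - containerSecurityContext:
      enabled: true
      runAsUser: 0
  - volumePermissions:
      securityContext:
        runAsUser: 0
# ORY kratos (identities) + hydra (OAuth2/OIDC) + accounts UI.
- name: core-auth
  chart: ../../charts/auth
  namespace: {{ .Values.id }}-core-auth
  createNamespace: true
  values:
  - kratos:
      fullnameOverride: kratos
      image:
        repository: giolekva/ory-kratos
        # NOTE(review): `latest` + `Always` means every pod restart may pull a
        # different identity-provider build; pin a tag or digest.
        tag: latest
        pullPolicy: Always
      service:
        admin:
          enabled: true
          type: ClusterIP
          port: 80
          name: http
        public:
          enabled: true
          type: ClusterIP
          port: 80
          name: http
      ingress:
        # Admin API is only exposed on the private (overlay) ingress class.
        admin:
          enabled: true
          className: {{ .Values.id }}-ingress-private
          hosts:
          - host: kratos.p.{{ .Values.domain }}
            paths:
            - path: /
              pathType: Prefix
          tls:
          - hosts:
            - kratos.p.{{ .Values.domain }}
        public:
          enabled: true
          className: nginx
          hosts:
          - host: accounts.{{ .Values.domain }}
            paths:
            - path: /
              pathType: Prefix
          # annotations:
          #   cert-manager.io/cluster-issuer: "{{ .Values.id }}-public"
          #   acme.cert-manager.io/http01-edit-in-place: "true"
          tls:
          - hosts:
            - accounts.{{ .Values.domain }}
            # secretName: cert-accounts.{{ .Values.domain }}
            secretName: cert-wildcard.{{ .Values.domain }}
      secret:
        enabled: true
      kratos:
        autoMigrate: true
        development: false
        config:
          version: v0.7.1-alpha.1
          # NOTE(review): credentials embedded in the DSN (same placeholder as
          # core-auth-storage); kratos and hydra also share the single `kratos`
          # database — confirm their migration tables do not collide.
          dsn: postgres://postgres:psswd@postgres:5432/kratos?sslmode=disable&max_conns=20&max_idle_conns=4
          serve:
            public:
              base_url: https://accounts.{{ .Values.domain }}
              cors:
                enabled: true
                debug: false
                # NOTE(review): credentialed CORS for every subdomain; any
                # compromised subdomain can call the public API with the
                # user's cookies. Acceptable only if all subdomains are trusted.
                allow_credentials: true
                allowed_origins:
                - https://{{ .Values.domain }}
                - https://*.{{ .Values.domain }}
            admin:
              base_url: https://kratos.p.{{ .Values.domain }}/
          selfservice:
            default_browser_return_url: https://accounts-ui.{{ .Values.domain }}
            whitelisted_return_urls:
            - https://accounts-ui.{{ .Values.domain }}
            methods:
              password:
                enabled: true
            flows:
              error:
                ui_url: https://accounts-ui.{{ .Values.domain }}/error
              settings:
                ui_url: https://accounts-ui.{{ .Values.domain }}/settings
                privileged_session_max_age: 15m
              recovery:
                enabled: false
              verification:
                enabled: false
              logout:
                after:
                  default_browser_return_url: https://accounts-ui.{{ .Values.domain }}/login
              login:
                ui_url: https://accounts-ui.{{ .Values.domain }}/login
                lifespan: 10m
                after:
                  password:
                    default_browser_return_url: https://accounts-ui.{{ .Values.domain }}/
              registration:
                lifespan: 10m
                ui_url: https://accounts-ui.{{ .Values.domain }}/registration
                after:
                  password:
                    hooks:
                    - hook: session
                    default_browser_return_url: https://accounts-ui.{{ .Values.domain }}/
          log:
            level: debug
            format: text
            # NOTE(review): writes credentials and session tokens into the pod
            # log (and whatever collects it); must be false outside local dev.
            leak_sensitive_values: true
          cookies:
            path: /
            # SameSite=None only works with Secure cookies — everything here is
            # served over https, so that holds as long as no http host is added.
            same_site: None
            domain: "{{ .Values.domain }}"
          secrets:
            cookie:
            # NOTE(review): upstream placeholder; the cookie/session signing
            # secret must come from the environment's secrets file.
            - PLEASE-CHANGE-ME-I-AM-VERY-INSECURE
            # cipher:
            #   - 32-LONG-SECRET-NOT-SECURE-AT-ALL
            # ciphers:
            #   algorithm: xchacha20-poly1305
          hashers:
            argon2:
              parallelism: 1
              memory: 128MB
              iterations: 2
              salt_length: 16
              key_length: 16
          identity:
            default_schema_url: file:///etc/config/identity.schema.json
          courier:
            smtp:
              # NOTE(review): SMTP username and (percent-encoded) password are
              # embedded in this URI and committed; move them to the secrets file.
              connection_uri: smtps://test-z1VmkYfYPjgdPRgPFgmeZ31esT9rUgS%40{{ .Values.domain }}:iW%213Kk%5EPPLFrZa%24%21bbpTPN9Wv3b8mvwS6ZJvMLtce%23A2%2A4MotD@mx1.{{ .Values.domain }}
        # Identity schema: a single `username` trait used as the password identifier.
        identitySchemas:
          "identity.schema.json": |
            {
              "$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json",
              "$schema": "http://json-schema.org/draft-07/schema#",
              "title": "User",
              "type": "object",
              "properties": {
                "traits": {
                  "type": "object",
                  "properties": {
                    "username": {
                      "type": "string",
                      "format": "username",
                      "title": "Username",
                      "minLength": 3,
                      "ory.sh/kratos": {
                        "credentials": {
                          "password": {
                            "identifier": true
                          }
                        }
                      }
                    }
                  },
                  "additionalProperties": false
                }
              }
            }
  - hydra:
      fullnameOverride: hydra
      image:
        repository: giolekva/ory-hydra
        # NOTE(review): unpinned `latest` tag on the OAuth2 server; pin it.
        tag: latest
        pullPolicy: Always
      service:
        admin:
          enabled: true
          type: ClusterIP
          port: 80
          name: http
        public:
          enabled: true
          type: ClusterIP
          port: 80
          name: http
      ingress:
        admin:
          enabled: true
          className: {{ .Values.id }}-ingress-private
          hosts:
          - host: hydra.p.{{ .Values.domain }}
            paths:
            - path: /
              pathType: Prefix
          tls:
          - hosts:
            - hydra.p.{{ .Values.domain }}
        public:
          enabled: true
          className: nginx
          hosts:
          - host: hydra.{{ .Values.domain }}
            paths:
            - path: /
              pathType: Prefix
          # annotations:
          #   cert-manager.io/cluster-issuer: "{{ .Values.id }}-public"
          #   acme.cert-manager.io/http01-edit-in-place: "true"
          tls:
          - hosts:
            - hydra.{{ .Values.domain }}
            # secretName: cert-hydra.{{ .Values.domain }}
            secretName: cert-wildcard.{{ .Values.domain }}
      secret:
        enabled: true
      maester:
        enabled: true
        hydraFullnameOverride: hydra
      hydra-maester:
        image:
          repository: giolekva/ory-hydra-maester
          tag: latest
          pullPolicy: IfNotPresent
        adminService:
          name: hydra
          port: 80
      hydra:
        autoMigrate: true
        config:
          version: v1.10.6
          # NOTE(review): same embedded placeholder password and shared
          # `kratos` database as the kratos DSN above.
          dsn: postgres://postgres:psswd@postgres:5432/kratos?sslmode=disable&max_conns=20&max_idle_conns=4
          serve:
            cookies:
              same_site_mode: None
            public:
              cors:
                enabled: true
                debug: false
                allow_credentials: true
                allowed_origins:
                - https://{{ .Values.domain }}
                - https://*.{{ .Values.domain }}
            admin:
              # host: localhost
              cors:
                allowed_origins:
                - https://hydra.p.{{ .Values.domain }}
              tls:
                # NOTE(review): 0.0.0.0/0 makes the three narrower ranges
                # below meaningless and lets any peer assert a TLS-terminated
                # request via X-Forwarded-Proto; keep only the ingress/pod
                # CIDRs that actually front hydra (same list under serve.tls).
                allow_termination_from:
                - 0.0.0.0/0
                - 10.42.0.0/16
                - 10.43.0.0/16
                - 111.0.0.1/32
            tls:
              allow_termination_from:
              - 0.0.0.0/0
              - 10.42.0.0/16
              - 10.43.0.0/16
              - 111.0.0.1/32
          urls:
            self:
              public: https://hydra.{{ .Values.domain }}
              issuer: https://hydra.{{ .Values.domain }}
            consent: https://accounts-ui.{{ .Values.domain }}/consent
            login: https://accounts-ui.{{ .Values.domain }}/login
            logout: https://accounts-ui.{{ .Values.domain }}/logout
          secrets:
            system:
            # NOTE(review): upstream placeholder for the key that encrypts
            # stored tokens; must come from the secrets file.
            - youReallyNeedToChangeThis
          oidc:
            subject_identifiers:
              supported_types:
              - pairwise
              - public
              pairwise:
                # NOTE(review): placeholder salt. Per the hydra docs this value
                # derives every pairwise subject id, so set it from the secrets
                # file before go-live and never rotate it afterwards.
                salt: youReallyNeedToChangeThis
          log:
            level: trace
            leak_sensitive_values: false
  - ui:
      certificateIssuer: {{ .Values.id }}-public
      ingressClassName: nginx
      domain: "{{ .Values.domain }}"
      internalDomain: p.{{ .Values.domain }}
      nebula:
        lighthouse:
          name: ui-lighthouse
          internalIP: 111.0.0.1
          externalIP: 46.49.35.44
          port: "4243"
        node:
          name: ui
          ipCidr: 111.0.0.2/24
          secretName: node-ui-cert
        certificateAuthority:
          name: "{{ .Values.id }}"
          namespace: {{ .Values.id }}-ingress-private
- name: vaultwarden
  chart: ../../charts/vaultwarden
  namespace: {{ .Values.id }}-app-vaultwarden
  createNamespace: true
  values:
  - image:
      repository: vaultwarden/server
      tag: 1.22.2
      pullPolicy: IfNotPresent
  - storage:
      size: 1Gi
  - domain: bitwarden.p.{{ .Values.domain }}
  - certificateIssuer: {{ .Values.id }}-private
  - ingressClassName: {{ .Values.id }}-ingress-private
- name: matrix-storage # TODO(giolekva): merge with core-auth
  chart: bitnami/postgresql
  version: 10.13.5
  namespace: {{ .Values.id }}-app-matrix
  createNamespace: true
  values:
  - fullnameOverride: postgres
  - image:
      repository: arm64v8/postgres
      tag: "13.4"
  - service:
      type: ClusterIP
      port: 5432
  # NOTE(review): plaintext placeholder password, also repeated in the matrix
  # release's `postgresql.password`; source it from the secrets file.
  - postgresqlPassword: psswd
  - initdbScripts:
      createdb.sh: |
        #!/bin/sh
        createdb -U postgres --encoding=UTF8 --locale=C --template=template0 --owner=postgres matrix
  - persistence:
      size: 1Gi
  - securityContext:
      enabled: true
      fsGroup: 0
  - containerSecurityContext:
      enabled: true
      runAsUser: 0
  - volumePermissions:
      securityContext:
        runAsUser: 0
- name: matrix
  chart: ../../charts/matrix
  namespace: {{ .Values.id }}-app-matrix
  createNamespace: true
  values:
  - domain: "{{ .Values.domain }}"
  - oauth2:
      hydraAdmin: http://hydra-admin
      hydraPublic: https://hydra.{{ .Values.domain }}
      clientId: matrix
      clientSecret: "{{ .Values.matrixOAuth2ClientSecret }}"
      secretName: oauth2-client
  - postgresql:
      host: postgres
      port: 5432
      database: matrix
      user: postgres
      password: psswd
  - certificateIssuer: {{ .Values.id }}-public
  - ingressClassName: nginx
  - configMerge:
      configName: config-to-merge
      fileName: to-merge.yaml
- name: pihole
  chart: ../../charts/pihole
  namespace: {{ .Values.id }}-app-pihole
  createNamespace: true
  values:
  - domain: "{{ .Values.domain }}"
  - pihole:
      image:
        repository: "pihole/pihole"
        tag: v5.8.1
      persistentVolumeClaim:
        enabled: true
        size: 5Gi
      # NOTE(review): default admin password committed in plaintext; the web
      # UI is only reachable through the oauth2 proxy on the private ingress,
      # but the value should still come from the secrets file.
      adminPassword: admin
      ingress:
        enabled: false
      serviceDhcp:
        enabled: false
      serviceDns:
        type: ClusterIP
      serviceWeb:
        type: ClusterIP
        http:
          enabled: true
        https:
          enabled: false
      virtualHost: pihole.p.{{ .Values.domain }}
      resources:
        requests:
          cpu: "250m"
          memory: "100M"
        limits:
          cpu: "500m"
          memory: "250M"
  - oauth2:
      clientId: pihole
      clientSecret: "{{ .Values.piholeOAuth2ClientSecret }}"
      cookieSecret: "{{ .Values.piholeOAuth2CookieSecret }}"
      secretName: oauth2-secret
      configName: oauth2-proxy
      hydraAdmin: http://hydra-admin
  - hydraPublic: https://hydra.{{ .Values.domain }}/
  - profileUrl: https://accounts-ui.{{ .Values.domain }}
  - certificateIssuer: {{ .Values.id }}-private
  - ingressClassName: {{ .Values.id }}-ingress-private
- name: maddy
  chart: ../../charts/maddy
  namespace: {{ .Values.id }}-app-maddy
  createNamespace: true
  values:
  - ingress:
      private:
        className: {{ .Values.id }}-ingress-private
        domain: p.{{ .Values.domain }}
      public:
        className: nginx
        domain: "{{ .Values.domain }}"
        certificateIssuer: {{ .Values.id }}-public
  - storage:
      size: 10Gi
  - mailGateway:
      mxHostname: "{{ .Values.mxHostname }}"
      address: "{{ .Values.mailGatewayAddress }}"

# Per-environment inputs. `secrets:` files are decrypted by helmfile's
# helm-secrets integration before rendering; every `.Values.*` marked above as
# a credential belongs there rather than in the plain `values:` list.
environments:
  shveli:
    secrets:
    - secrets.shveli.yaml
    values:
    - id: shveli
    - domain: shve.li
    - contactEmail: giolekva@gmail.com
    - certManagerNamespace: cert-manager
    - mxHostname: mx1.lekva.me
    - mailGatewayAddress: "tcp://maddy.pcloud-mail-gateway.svc.cluster.local:587"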