# Helmfile (Go-templated) for one self-hosted environment: chart repositories,
# helm defaults, the release list, and the per-environment values that the
# templates below read as .Values.id, .Values.domain, .Values.contactEmail and
# .Values.certManagerNamespace.
repositories:
- name: ingress-nginx
  url: https://kubernetes.github.io/ingress-nginx
- name: bitnami
  url: https://charts.bitnami.com/bitnami

helmDefaults:
  tillerless: true
  # Do not block on post-install/upgrade jobs finishing.
  waitForJobs: false

releases:
# Certificate authority and lighthouse parameters for the Nebula overlay.
- name: vpn-mesh-config
  chart: ../../charts/vpn-mesh-config
  namespace: {{ .Values.id }}-ingress-private
  createNamespace: true
  values:
  - certificateAuthority:
      name: {{ .Values.id }}
      secretName: ca-{{ .Values.id }}-cert
  # The same lighthouse address/endpoint pair is repeated under ui.nebula in
  # the core-auth release below; keep both in sync.
  - lighthouse:
      internalIP: 111.0.0.1
      externalIP: 46.49.35.44
      port: "4243"
# Private (ClusterIP) ingress controller that also runs the Nebula lighthouse
# as a sidecar container.
- name: ingress-private
  chart: ingress-nginx/ingress-nginx
  version: 4.0.3
  namespace: {{ .Values.id }}-ingress-private
  createNamespace: true
  values:
  - fullnameOverride: nginx
  - controller:
      service:
        type: ClusterIP
      ingressClassByName: true
      ingressClassResource:
        name: {{ .Values.id }}-ingress-private
        enabled: true
        default: false
        controllerValue: k8s.io/{{ .Values.id }}-ingress-private
      extraVolumes:
      - name: lighthouse-cert
        secret:
          secretName: node-lighthouse-cert
      - name: config
        configMap:
          name: lighthouse-config
      extraContainers:
      - name: lighthouse
        # NOTE(review): unpinned "latest" tag — deployments are not
        # reproducible; consider pinning to a tag or digest.
        image: giolekva/nebula:latest
        imagePullPolicy: IfNotPresent
        # NOTE(review): privileged plus NET_ADMIN gives this sidecar broad
        # host access; confirm whether NET_ADMIN alone is enough for the
        # tunnel device and drop privileged if so.
        securityContext:
          privileged: true
          capabilities:
            add:
            - NET_ADMIN
        ports:
        - name: nebula
          containerPort: 4243
          protocol: UDP
        command:
        - nebula
        - --config=/etc/nebula/config/lighthouse.yaml
        volumeMounts:
        - name: lighthouse-cert
          mountPath: /etc/nebula/lighthouse
        - name: config
          mountPath: /etc/nebula/config
      # nginx ConfigMap entries: bind to the overlay address only; a
      # proxy-body-size of 0 turns off the request-body size limit.
      config:
        bind-address: 111.0.0.1
        proxy-body-size: 0
    # NOTE(review): the ingress-nginx chart documents tcp/udp as port-keyed
    # maps; check the rendered tcp/udp ConfigMaps before relying on this
    # sequence form (nesting here is reconstructed — verify against the
    # original file).
    udp:
    - 53: {{ .Values.id }}-app-pihole/pihole-dns-udp:53
    tcp:
    - 53: {{ .Values.id }}-app-pihole/pihole-dns-tcp:53
# cert-manager issuers: "<id>-public" against Let's Encrypt (ACME) for the
# public domain, "<id>-private" for internal names.
- name: certificate-issuer
  chart: ../../charts/certificate-issuer
  namespace: {{ .Values.certManagerNamespace }} # {{ .Values.id }}-ingress-private
  createNamespace: true
  values:
  - public:
      name: {{ .Values.id }}-public
      server: https://acme-v02.api.letsencrypt.org/directory
      stagingServer: https://acme-staging-v02.api.letsencrypt.org/directory
      contactEmail: {{ .Values.contactEmail }}
      ingressClass: nginx
  - private:
      name: {{ .Values.id }}-private
# PostgreSQL backing Kratos/Hydra.
- name: core-auth-storage # TODO(giolekva): merge with core-auth
  chart: bitnami/postgresql
  version: 10.13.5
  namespace: {{ .Values.id }}-core-auth
  createNamespace: true
  values:
  - fullnameOverride: postgres
  - image:
      repository: arm64v8/postgres
      tag: 13.4
  - service:
      type: ClusterIP
      port: 5432
  # NOTE(review): plain-text database credential committed with this file;
  # the same value is embedded in the kratos and hydra DSNs below. Prefer
  # helmfile secrets or environment-supplied values.
  - postgresqlPassword: psswd
  - postgresqlDatabase: kratos
  - persistence:
      size: 1Gi
  # NOTE(review): the database runs as root (fsGroup/runAsUser 0) —
  # presumably for volume permissions on this node; revisit once the
  # storage setup allows a non-root UID.
  - securityContext:
      enabled: true
      fsGroup: 0
  - containerSecurityContext:
      enabled: true
      runAsUser: 0
  - volumePermissions:
      securityContext:
        runAsUser: 0
# ORY Kratos (identity), ORY Hydra (OAuth2/OIDC) and the accounts UI.
- name: core-auth
  chart: ../../charts/auth
  namespace: {{ .Values.id }}-core-auth
  createNamespace: true
  values:
  - kratos:
      fullnameOverride: kratos
      image:
        repository: giolekva/ory-kratos
        # NOTE(review): "latest" with pullPolicy Always — every restart may
        # pull a different build; pin for reproducibility.
        tag: latest
        pullPolicy: Always
      service:
        admin:
          enabled: true
          type: ClusterIP
          port: 80
          name: http
        public:
          enabled: true
          type: ClusterIP
          port: 80
          name: http
      ingress:
        # Admin API is only reachable through the private ingress class.
        admin:
          enabled: true
          className: {{ .Values.id }}-ingress-private
          hosts:
          - host: kratos.{{ .Values.id }}
            paths:
            - path: /
              pathType: Prefix
          annotations:
            cert-manager.io/cluster-issuer: "{{ .Values.id }}-private"
            acme.cert-manager.io/http01-edit-in-place: "true"
          tls:
          - hosts:
            - kratos.{{ .Values.id }}
            secretName: cert-kratos.{{ .Values.id }}
        public:
          enabled: true
          className: nginx
          hosts:
          - host: accounts.{{ .Values.domain }}
            paths:
            - path: /
              pathType: Prefix
          annotations:
            cert-manager.io/cluster-issuer: "{{ .Values.id }}-public"
            acme.cert-manager.io/http01-edit-in-place: "true"
          tls:
          - hosts:
            - accounts.{{ .Values.domain }}
            # secretName: cert-accounts.{{ .Values.domain }}
            secretName: cert-wildcard.{{ .Values.domain }}
      secret:
        enabled: true
      kratos:
        autoMigrate: true
        development: false
        config:
          version: v0.7.1-alpha.1
          # NOTE(review): credential embedded in the DSN and sslmode=disable
          # (in-cluster, unencrypted connection to postgres).
          dsn: postgres://postgres:psswd@postgres:5432/kratos?sslmode=disable&max_conns=20&max_idle_conns=4
          serve:
            public:
              base_url: https://accounts.{{ .Values.domain }}
              # NOTE(review): wildcard origin combined with
              # allow_credentials: true — any subdomain of .Values.domain can
              # make credentialed cross-origin requests.
              cors:
                enabled: true
                debug: false
                allow_credentials: true
                allowed_origins:
                - https://{{ .Values.domain }}
                - https://*.{{ .Values.domain }}
            admin:
              base_url: https://kratos.{{ .Values.id }}/
          selfservice:
            default_browser_return_url: https://accounts-ui.{{ .Values.domain }}
            whitelisted_return_urls:
            - https://accounts-ui.{{ .Values.domain }}
            methods:
              password:
                enabled: true
            flows:
              error:
                ui_url: https://accounts-ui.{{ .Values.domain }}/error
              settings:
                ui_url: https://accounts-ui.{{ .Values.domain }}/settings
                privileged_session_max_age: 15m
              recovery:
                enabled: false
              verification:
                enabled: false
              logout:
                after:
                  default_browser_return_url: https://accounts-ui.{{ .Values.domain }}/login
              login:
                ui_url: https://accounts-ui.{{ .Values.domain }}/login
                lifespan: 10m
                after:
                  password:
                    default_browser_return_url: https://accounts-ui.{{ .Values.domain }}/
              registration:
                lifespan: 10m
                ui_url: https://accounts-ui.{{ .Values.domain }}/registration
                after:
                  password:
                    # Log the user in right after password registration.
                    hooks:
                    - hook: session
                    default_browser_return_url: https://accounts-ui.{{ .Values.domain }}/
          # NOTE(review): debug level with leak_sensitive_values: true writes
          # credentials and tokens to the logs; the hydra config below sets
          # it to false — align before this serves real users.
          log:
            level: debug
            format: text
            leak_sensitive_values: true
          # Cross-site session cookie (SameSite=None) scoped to the whole domain.
          cookies:
            path: /
            same_site: None
            domain: {{ .Values.domain }}
          # NOTE(review): placeholder cookie secret shipped with the file;
          # rotate it and source it from a secret store.
          secrets:
            cookie:
            - PLEASE-CHANGE-ME-I-AM-VERY-INSECURE
            # cipher:
            # - 32-LONG-SECRET-NOT-SECURE-AT-ALL
          # ciphers:
          #   algorithm: xchacha20-poly1305
          hashers:
            argon2:
              parallelism: 1
              memory: 128MB
              iterations: 2
              salt_length: 16
              key_length: 16
          identity:
            default_schema_url: file:///etc/config/identity.schema.json
          courier:
            smtp:
              # NOTE(review): SMTP username and password are URL-encoded into
              # this URI in plain text.
              connection_uri: smtps://test-z1VmkYfYPjgdPRgPFgmeZ31esT9rUgS%40{{ .Values.domain }}:iW%213Kk%5EPPLFrZa%24%21bbpTPN9Wv3b8mvwS6ZJvMLtce%23A2%2A4MotD@mx1.{{ .Values.domain }}
        # Identity schema referenced by identity.default_schema_url above:
        # a single "username" trait that doubles as the password identifier.
        identitySchemas:
          "identity.schema.json": |
            {
              "$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json",
              "$schema": "http://json-schema.org/draft-07/schema#",
              "title": "User",
              "type": "object",
              "properties": {
                "traits": {
                  "type": "object",
                  "properties": {
                    "username": {
                      "type": "string",
                      "format": "username",
                      "title": "Username",
                      "minLength": 3,
                      "ory.sh/kratos": {
                        "credentials": {
                          "password": {
                            "identifier": true
                          }
                        }
                      }
                    }
                  },
                  "additionalProperties": false
                }
              }
            }
  - hydra:
      fullnameOverride: hydra
      image:
        repository: giolekva/ory-hydra
        # NOTE(review): unpinned "latest" tag with pullPolicy Always.
        tag: latest
        pullPolicy: Always
      service:
        admin:
          enabled: true
          type: ClusterIP
          port: 80
          name: http
        public:
          enabled: true
          type: ClusterIP
          port: 80
          name: http
      ingress:
        admin:
          enabled: true
          className: {{ .Values.id }}-ingress-private
          hosts:
          - host: hydra.{{ .Values.id }}
            paths:
            - path: /
              pathType: Prefix
          annotations:
            cert-manager.io/cluster-issuer: "{{ .Values.id }}-private"
            acme.cert-manager.io/http01-edit-in-place: "true"
          tls:
          - hosts:
            - hydra.{{ .Values.id }}
            secretName: cert-hydra.{{ .Values.id }}
        public:
          enabled: true
          className: nginx
          hosts:
          - host: hydra.{{ .Values.domain }}
            paths:
            - path: /
              pathType: Prefix
          annotations:
            cert-manager.io/cluster-issuer: "{{ .Values.id }}-public"
            acme.cert-manager.io/http01-edit-in-place: "true"
          tls:
          - hosts:
            - hydra.{{ .Values.domain }}
            # secretName: cert-hydra.{{ .Values.domain }}
            secretName: cert-wildcard.{{ .Values.domain }}
      secret:
        enabled: true
      # hydra-maester manages OAuth2 clients declaratively via the admin API.
      maester:
        enabled: true
        hydraFullnameOverride: hydra
      hydra-maester:
        image:
          repository: giolekva/ory-hydra-maester
          tag: latest
          pullPolicy: IfNotPresent
        adminService:
          name: hydra
          port: 80
      hydra:
        autoMigrate: true
        config:
          version: v1.10.6
          # NOTE(review): shares the kratos database and plain-text
          # credential; sslmode=disable as above.
          dsn: postgres://postgres:psswd@postgres:5432/kratos?sslmode=disable&max_conns=20&max_idle_conns=4
          serve:
            cookies:
              same_site_mode: None
            public:
              cors:
                enabled: true
                debug: false
                allow_credentials: true
                allowed_origins:
                - https://{{ .Values.domain }}
                - https://*.{{ .Values.domain }}
            admin:
              # host: localhost
              cors:
                allowed_origins:
                - https://hydra.{{ .Values.id }}
              # NOTE(review): 0.0.0.0/0 trusts TLS termination (the
              # X-Forwarded-Proto header) from any address, which makes the
              # narrower CIDRs listed after it redundant; confirm intended.
              tls:
                allow_termination_from:
                - 0.0.0.0/0
                - 10.42.0.0/16
                - 10.43.0.0/16
                - 111.0.0.1/32
            tls:
              allow_termination_from:
              - 0.0.0.0/0
              - 10.42.0.0/16
              - 10.43.0.0/16
              - 111.0.0.1/32
          urls:
            self:
              public: https://hydra.{{ .Values.domain }}
              issuer: https://hydra.{{ .Values.domain }}
            consent: https://accounts-ui.{{ .Values.domain }}/consent
            login: https://accounts-ui.{{ .Values.domain }}/login
            logout: https://accounts-ui.{{ .Values.domain }}/logout
          # NOTE(review): placeholder system secret; rotate and source from a
          # secret store.
          secrets:
            system:
            - youReallyNeedToChangeThis
          oidc:
            subject_identifiers:
              supported_types:
              - pairwise
              - public
              # NOTE(review): placeholder salt; per the Hydra docs, changing
              # it later changes every pairwise subject identifier, so set a
              # real value before clients depend on it.
              pairwise:
                salt: youReallyNeedToChangeThis
          log:
            level: trace
            leak_sensitive_values: false
  - ui:
      certificateIssuer: {{ .Values.id }}-public
      ingressClassName: nginx
      domain: {{ .Values.domain }}
      internalDomain: {{ .Values.id }}
      # Nebula node settings for the accounts UI; lighthouse values mirror
      # the vpn-mesh-config release above.
      nebula:
        lighthouse:
          name: ui-lighthouse
          internalIP: 111.0.0.1
          externalIP: 46.49.35.44
          port: "4243"
        node:
          name: ui
          ipCidr: 111.0.0.2/24
          secretName: node-ui-cert
        certificateAuthority:
          name: {{ .Values.id }}
          namespace: {{ .Values.id }}-ingress-private
# Vaultwarden, exposed only on the private ingress class.
- name: vaultwarden
  chart: ../../charts/vaultwarden
  namespace: {{ .Values.id }}-app-vaultwarden
  createNamespace: true
  values:
  - image:
      repository: vaultwarden/server
      tag: 1.22.2
      pullPolicy: IfNotPresent
  - storage:
      size: 1Gi
  - domain: bitwarden.{{ .Values.id }}
  - certificateIssuer: {{ .Values.id }}-private
  - ingressClassName: {{ .Values.id }}-ingress-private
# PostgreSQL for Matrix; same chart, credential and root settings as
# core-auth-storage (see the notes there).
- name: matrix-storage # TODO(giolekva): merge with core-auth
  chart: bitnami/postgresql
  version: 10.13.5
  namespace: {{ .Values.id }}-app-matrix
  createNamespace: true
  values:
  - fullnameOverride: postgres
  - image:
      repository: arm64v8/postgres
      tag: 13.4
  - service:
      type: ClusterIP
      port: 5432
  - postgresqlPassword: psswd
  # Creates the "matrix" database on first start.
  - initdbScripts:
      createdb.sh: |
        #!/bin/sh
        createdb -U postgres --encoding=UTF8 --locale=C --template=template0 --owner=postgres matrix
  - persistence:
      size: 1Gi
  - securityContext:
      enabled: true
      fsGroup: 0
  - containerSecurityContext:
      enabled: true
      runAsUser: 0
  - volumePermissions:
      securityContext:
        runAsUser: 0
# Matrix homeserver using Hydra as its OAuth2 provider.
- name: matrix
  chart: ../../charts/matrix
  namespace: {{ .Values.id }}-app-matrix
  createNamespace: true
  values:
  - domain: {{ .Values.domain }}
  - oauth2:
      hydraAdmin: http://hydra-admin
      hydraPublic: https://hydra.{{ .Values.domain }}
      clientId: matrix
      # clientSecret is left empty here; presumably the chart reads it from
      # the secret named below — confirm in ../../charts/matrix.
      clientSecret: ""
      secretName: oauth2-client
  - postgresql:
      host: postgres
      port: 5432
      database: matrix
      user: postgres
      password: psswd
  - certificateIssuer: {{ .Values.id }}-public
  - ingressClassName: nginx
  - configMerge:
      configName: config-to-merge
      fileName: to-merge.yaml

# Per-environment values consumed by the templates above.
environments:
  shveli:
    values:
    - id: shveli
    - domain: shve.li
    - contactEmail: giolekva@gmail.com
    - certManagerNamespace: cert-manager