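---
# helmfile for one environment. Values such as `id`, `domain` and the
# secrets file are taken from the `environments:` section at the bottom of
# this file; helmfile renders the Go template first and parses the YAML
# afterwards, which is why bare `{{ .Values.* }}` expressions work here.
repositories:
- name: ingress-nginx
  url: https://kubernetes.github.io/ingress-nginx
- name: bitnami
  url: https://charts.bitnami.com/bitnami

helmDefaults:
  tillerless: true
  waitForJobs: false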
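releases:
# Nebula CA and lighthouse settings shared by the private ingress (lighthouse
# sidecar) and the UI node in the core-auth release.
- name: vpn-mesh-config
  chart: ../../charts/vpn-mesh-config
  namespace: {{ .Values.id }}-ingress-private
  createNamespace: true
  values:
  - certificateAuthority:
      name: "{{ .Values.id }}"
      secretName: ca-{{ .Values.id }}-cert
  - lighthouse:
      # NOTE(review): 111.0.0.0/8 is publicly routed (APNIC) address space,
      # not a private range; mesh members will route that /24 into the
      # overlay and lose reachability to the real hosts. Consider an RFC 1918
      # or CGNAT (100.64.0.0/10) range instead.
      internalIP: 111.0.0.1
      # NOTE(review): the lighthouse's public IP is hard-coded here and
      # repeated in the `ui` values of core-auth; keep both in sync or source
      # it from an environment value.
      externalIP: 46.49.35.44
      port: "4243"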
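# Private ingress: only reachable over the Nebula mesh (nginx binds to the
# overlay address), with the lighthouse running as a sidecar.
- name: ingress-private
  chart: ingress-nginx/ingress-nginx
  version: 4.0.3
  namespace: {{ .Values.id }}-ingress-private
  createNamespace: true
  values:
  - fullnameOverride: nginx
  - controller:
      service:
        type: ClusterIP
      ingressClassByName: true
      ingressClassResource:
        name: {{ .Values.id }}-ingress-private
        enabled: true
        default: false
        controllerValue: k8s.io/{{ .Values.id }}-ingress-private
      extraArgs:
        default-ssl-certificate: "{{ .Values.id }}-ingress-private/cert-wildcard.p.{{ .Values.domain }}"
      extraVolumes:
      - name: lighthouse-cert
        secret:
          secretName: node-lighthouse-cert
      - name: config
        configMap:
          name: lighthouse-config
      extraContainers:
      - name: lighthouse
        # NOTE(review): a floating `latest` tag with IfNotPresent means
        # different nodes can run different builds and rollouts are not
        # reproducible; pin a version tag (ideally a digest).
        image: giolekva/nebula:latest
        imagePullPolicy: IfNotPresent
        securityContext:
          # NOTE(review): privileged already grants every capability, so the
          # NET_ADMIN entry below is redundant, and it hands this sidecar full
          # access to the node. Confirm whether privileged is actually needed
          # (tun device access) or whether NET_ADMIN plus a /dev/net/tun mount
          # is enough.
          privileged: true
          capabilities:
            add:
            - NET_ADMIN
        ports:
        - name: nebula
          containerPort: 4243
          protocol: UDP
        command:
        - nebula
        - --config=/etc/nebula/config/lighthouse.yaml
        volumeMounts:
        - name: lighthouse-cert
          mountPath: /etc/nebula/lighthouse
        - name: config
          mountPath: /etc/nebula/config
      # ingress-nginx ConfigMap entries. ConfigMap data must be strings, so
      # numeric values are quoted. bind-address limits nginx to the overlay
      # address (presumably the sidecar's tun interface — confirm).
      config:
        bind-address: 111.0.0.1
        proxy-body-size: "0"
    # Chart-level tcp/udp maps (listen port -> namespace/service:port) that
    # ingress-nginx renders straight into its TCP/UDP ConfigMaps; they must be
    # mappings with string keys, not lists, for that ConfigMap to be valid.
    udp:
      "53": {{ .Values.id }}-app-pihole/pihole-dns-udp:53
    tcp:
      "53": {{ .Values.id }}-app-pihole/pihole-dns-tcp:53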
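# ACME (Let's Encrypt) issuer for the public domain and a private issuer for
# the internal `id` domain.
- name: certificate-issuer
  chart: ../../charts/certificate-issuer
  namespace: "{{ .Values.certManagerNamespace }}"  # {{ .Values.id }}-ingress-private
  createNamespace: true
  values:
  - public:
      name: {{ .Values.id }}-public
      server: https://acme-v02.api.letsencrypt.org/directory
      stagingServer: https://acme-staging-v02.api.letsencrypt.org/directory
      # quoted: a templated scalar must not be left to YAML type inference
      contactEmail: "{{ .Values.contactEmail }}"
      ingressClass: nginx
  - private:
      name: {{ .Values.id }}-private
      domain: "{{ .Values.id }}"
      ingressClassName: {{ .Values.id }}-ingress-private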
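- name: core-auth-storage  # TODO(giolekva): merge with core-auth
  chart: bitnami/postgresql
  version: 10.13.5
  namespace: {{ .Values.id }}-core-auth
  createNamespace: true
  values:
  - fullnameOverride: postgres
  - image:
      repository: arm64v8/postgres
      # quoted: an unquoted 13.4 is parsed as a float, not an image tag
      tag: "13.4"
  - service:
      type: ClusterIP
      port: 5432
  # NOTE(review): the database password is committed in clear text and
  # repeated in the kratos/hydra `dsn` values of core-auth. Move it to the
  # environment secrets file (see `environments.*.secrets`) and reference it
  # through .Values, as the pihole release already does for its OAuth2 secrets.
  - postgresqlPassword: psswd
  - postgresqlDatabase: kratos
  - persistence:
      size: 1Gi
  # NOTE(review): pod and container run as root (uid/gid 0) instead of the
  # chart's non-root default — presumably to work around volume ownership on
  # this storage class; confirm, and prefer fsGroup-based permissions over a
  # root container.
  - securityContext:
      enabled: true
      fsGroup: 0
  - containerSecurityContext:
      enabled: true
      runAsUser: 0
  - volumePermissions:
      securityContext:
        runAsUser: 0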
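# Identity stack: Ory Kratos (credentials/identities), Ory Hydra (OAuth2/OIDC)
# and the accounts UI. Admin APIs are exposed only on the private ingress
# class; public endpoints go through the public nginx class.
- name: core-auth
  chart: ../../charts/auth
  namespace: {{ .Values.id }}-core-auth
  createNamespace: true
  values:
  - kratos:
      fullnameOverride: kratos
      image:
        repository: giolekva/ory-kratos
        # NOTE(review): floating tag with pullPolicy Always; pin a version so
        # a restart cannot silently pick up a different build.
        tag: latest
        pullPolicy: Always
      service:
        admin:
          enabled: true
          type: ClusterIP
          port: 80
          name: http
        public:
          enabled: true
          type: ClusterIP
          port: 80
          name: http
      ingress:
        admin:
          enabled: true
          className: {{ .Values.id }}-ingress-private
          hosts:
          - host: kratos.{{ .Values.id }}
            paths:
            - path: /
              pathType: Prefix
          annotations:
            cert-manager.io/cluster-issuer: "{{ .Values.id }}-private"
            acme.cert-manager.io/http01-edit-in-place: "true"
          tls:
          - hosts:
            - kratos.{{ .Values.id }}
            secretName: cert-kratos.{{ .Values.id }}
        public:
          enabled: true
          className: nginx
          hosts:
          - host: accounts.{{ .Values.domain }}
            paths:
            - path: /
              pathType: Prefix
          annotations:
            cert-manager.io/cluster-issuer: "{{ .Values.id }}-public"
            acme.cert-manager.io/http01-edit-in-place: "true"
          tls:
          - hosts:
            - accounts.{{ .Values.domain }}
            # secretName: cert-accounts.{{ .Values.domain }}
            secretName: cert-wildcard.{{ .Values.domain }}
      secret:
        enabled: true
      kratos:
        autoMigrate: true
        development: false
        config:
          version: v0.7.1-alpha.1
          # NOTE(review): clear-text DB password inside the DSN (same value as
          # core-auth-storage) and sslmode=disable; source the password from
          # the environment secrets file.
          dsn: postgres://postgres:psswd@postgres:5432/kratos?sslmode=disable&max_conns=20&max_idle_conns=4
          serve:
            public:
              base_url: https://accounts.{{ .Values.domain }}
              cors:
                enabled: true
                debug: false
                allow_credentials: true
                allowed_origins:
                - https://{{ .Values.domain }}
                - https://*.{{ .Values.domain }}
            admin:
              base_url: https://kratos.{{ .Values.id }}/
          selfservice:
            default_browser_return_url: https://accounts-ui.{{ .Values.domain }}
            whitelisted_return_urls:
            - https://accounts-ui.{{ .Values.domain }}
            methods:
              password:
                enabled: true
            flows:
              error:
                ui_url: https://accounts-ui.{{ .Values.domain }}/error
              settings:
                ui_url: https://accounts-ui.{{ .Values.domain }}/settings
                privileged_session_max_age: 15m
              recovery:
                enabled: false
              verification:
                enabled: false
              logout:
                after:
                  default_browser_return_url: https://accounts-ui.{{ .Values.domain }}/login
              login:
                ui_url: https://accounts-ui.{{ .Values.domain }}/login
                lifespan: 10m
                after:
                  password:
                    default_browser_return_url: https://accounts-ui.{{ .Values.domain }}/
              registration:
                lifespan: 10m
                ui_url: https://accounts-ui.{{ .Values.domain }}/registration
                after:
                  password:
                    # the session hook signs the user in right after sign-up
                    hooks:
                    - hook: session
                    default_browser_return_url: https://accounts-ui.{{ .Values.domain }}/
          log:
            level: debug
            format: text
            # NOTE(review): with leak_sensitive_values true Kratos writes
            # credentials, tokens and session data into the pod log at debug
            # level; set it to false outside local debugging.
            leak_sensitive_values: true
          cookies:
            path: /
            # SameSite=None is only honoured by browsers on Secure cookies;
            # every base_url above is https, so that holds here.
            same_site: None
            domain: "{{ .Values.domain }}"
          # NOTE(review): the placeholder cookie secret is committed to VCS;
          # anyone with repository access can mint valid session cookies.
          # Supply a random value from the environment secrets file and
          # rotate it.
          secrets:
            cookie:
            - PLEASE-CHANGE-ME-I-AM-VERY-INSECURE
            # cipher:
            # - 32-LONG-SECRET-NOT-SECURE-AT-ALL
            # ciphers:
            #   algorithm: xchacha20-poly1305
          hashers:
            argon2:
              parallelism: 1
              memory: 128MB
              iterations: 2
              salt_length: 16
              key_length: 16
          identity:
            default_schema_url: file:///etc/config/identity.schema.json
          courier:
            smtp:
              # NOTE(review): the SMTP username and password are embedded in
              # this URI in clear text. Move them to the environment secrets
              # file and rotate the mailbox password.
              connection_uri: smtps://test-z1VmkYfYPjgdPRgPFgmeZ31esT9rUgS%40{{ .Values.domain }}:iW%213Kk%5EPPLFrZa%24%21bbpTPN9Wv3b8mvwS6ZJvMLtce%23A2%2A4MotD@mx1.{{ .Values.domain }}
      # Identity schema mounted at /etc/config; the username trait is the
      # password-credential identifier.
      identitySchemas:
        "identity.schema.json": |
          {
            "$id": "https://schemas.ory.sh/presets/kratos/quickstart/email-password/identity.schema.json",
            "$schema": "http://json-schema.org/draft-07/schema#",
            "title": "User",
            "type": "object",
            "properties": {
              "traits": {
                "type": "object",
                "properties": {
                  "username": {
                    "type": "string",
                    "format": "username",
                    "title": "Username",
                    "minLength": 3,
                    "ory.sh/kratos": {
                      "credentials": {
                        "password": {
                          "identifier": true
                        }
                      }
                    }
                  }
                },
                "additionalProperties": false
              }
            }
          }
  - hydra:
      fullnameOverride: hydra
      image:
        repository: giolekva/ory-hydra
        # NOTE(review): floating tag with pullPolicy Always; pin a version.
        tag: latest
        pullPolicy: Always
      service:
        admin:
          enabled: true
          type: ClusterIP
          port: 80
          name: http
        public:
          enabled: true
          type: ClusterIP
          port: 80
          name: http
      ingress:
        admin:
          enabled: true
          className: {{ .Values.id }}-ingress-private
          hosts:
          - host: hydra.{{ .Values.id }}
            paths:
            - path: /
              pathType: Prefix
          annotations:
            cert-manager.io/cluster-issuer: "{{ .Values.id }}-private"
            acme.cert-manager.io/http01-edit-in-place: "true"
          tls:
          - hosts:
            - hydra.{{ .Values.id }}
            secretName: cert-hydra.{{ .Values.id }}
        public:
          enabled: true
          className: nginx
          hosts:
          - host: hydra.{{ .Values.domain }}
            paths:
            - path: /
              pathType: Prefix
          annotations:
            cert-manager.io/cluster-issuer: "{{ .Values.id }}-public"
            acme.cert-manager.io/http01-edit-in-place: "true"
          tls:
          - hosts:
            - hydra.{{ .Values.domain }}
            # secretName: cert-hydra.{{ .Values.domain }}
            secretName: cert-wildcard.{{ .Values.domain }}
      secret:
        enabled: true
      maester:
        enabled: true
        hydraFullnameOverride: hydra
      hydra-maester:
        image:
          repository: giolekva/ory-hydra-maester
          tag: latest
          pullPolicy: IfNotPresent
        adminService:
          name: hydra
          port: 80
      hydra:
        autoMigrate: true
        config:
          version: v1.10.6
          # NOTE(review): same database, user and clear-text password as
          # Kratos, so both services share one schema namespace. Presumably
          # intentional (single postgres instance) — confirm, and source the
          # password from the environment secrets file.
          dsn: postgres://postgres:psswd@postgres:5432/kratos?sslmode=disable&max_conns=20&max_idle_conns=4
          serve:
            cookies:
              same_site_mode: None
            public:
              cors:
                enabled: true
                debug: false
                allow_credentials: true
                allowed_origins:
                - https://{{ .Values.domain }}
                - https://*.{{ .Values.domain }}
            admin:
              # host: localhost
              cors:
                allowed_origins:
                - https://hydra.{{ .Values.id }}
              tls:
                allow_termination_from:
                - 0.0.0.0/0
                - 10.42.0.0/16
                - 10.43.0.0/16
                - 111.0.0.1/32
            # NOTE(review): 0.0.0.0/0 in allow_termination_from (here and on
            # the admin listener above) makes the three narrower entries
            # meaningless and lets any client that reaches the plain-HTTP
            # port claim X-Forwarded-Proto: https. Keep only the ingress,
            # pod/service and mesh ranges that actually terminate TLS.
            tls:
              allow_termination_from:
              - 0.0.0.0/0
              - 10.42.0.0/16
              - 10.43.0.0/16
              - 111.0.0.1/32
          urls:
            self:
              public: https://hydra.{{ .Values.domain }}
              issuer: https://hydra.{{ .Values.domain }}
            consent: https://accounts-ui.{{ .Values.domain }}/consent
            login: https://accounts-ui.{{ .Values.domain }}/login
            logout: https://accounts-ui.{{ .Values.domain }}/logout
          # NOTE(review): the system secret and the pairwise salt are Hydra's
          # own placeholder values, committed here. The system secret protects
          # data Hydra stores (signing keys) and the salt fixes pairwise
          # subject derivation; generate random values and supply them from
          # the environment secrets file before exposing this publicly.
          secrets:
            system:
            - youReallyNeedToChangeThis
          oidc:
            subject_identifiers:
              supported_types:
              - pairwise
              - public
              pairwise:
                salt: youReallyNeedToChangeThis
          log:
            level: trace
            leak_sensitive_values: false
  # accounts-ui front-end; also carries Nebula node settings (mesh address
  # 111.0.0.2/24, lighthouse as in vpn-mesh-config).
  - ui:
      certificateIssuer: {{ .Values.id }}-public
      ingressClassName: nginx
      domain: "{{ .Values.domain }}"
      internalDomain: "{{ .Values.id }}"
      nebula:
        lighthouse:
          name: ui-lighthouse
          internalIP: 111.0.0.1
          externalIP: 46.49.35.44
          port: "4243"
        node:
          name: ui
          ipCidr: 111.0.0.2/24
          secretName: node-ui-cert
        certificateAuthority:
          name: "{{ .Values.id }}"
          namespace: {{ .Values.id }}-ingress-private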
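# Password manager, private-ingress only (bitwarden.<id> over the mesh).
- name: vaultwarden
  chart: ../../charts/vaultwarden
  namespace: {{ .Values.id }}-app-vaultwarden
  createNamespace: true
  values:
  - image:
      repository: vaultwarden/server
      tag: 1.22.2
      pullPolicy: IfNotPresent
  - storage:
      size: 1Gi
  - domain: bitwarden.{{ .Values.id }}
  - certificateIssuer: {{ .Values.id }}-private
  - ingressClassName: {{ .Values.id }}-ingress-private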
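- name: matrix-storage  # TODO(giolekva): merge with core-auth
  chart: bitnami/postgresql
  version: 10.13.5
  namespace: {{ .Values.id }}-app-matrix
  createNamespace: true
  values:
  - fullnameOverride: postgres
  - image:
      repository: arm64v8/postgres
      # quoted: an unquoted 13.4 is parsed as a float, not an image tag
      tag: "13.4"
  - service:
      type: ClusterIP
      port: 5432
  # NOTE(review): clear-text password, identical to the core-auth database;
  # source it from the environment secrets file and use a distinct value per
  # database.
  - postgresqlPassword: psswd
  # Creates the `matrix` database on first start (C locale, as Synapse
  # requires).
  - initdbScripts:
      createdb.sh: |
        #!/bin/sh
        createdb -U postgres --encoding=UTF8 --locale=C --template=template0 --owner=postgres matrix
  - persistence:
      size: 1Gi
  # NOTE(review): pod and container run as root (uid/gid 0), same as
  # core-auth-storage; confirm this is still required.
  - securityContext:
      enabled: true
      fsGroup: 0
  - containerSecurityContext:
      enabled: true
      runAsUser: 0
  - volumePermissions:
      securityContext:
        runAsUser: 0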
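# Matrix homeserver using Hydra as its OAuth2 provider.
- name: matrix
  chart: ../../charts/matrix
  namespace: {{ .Values.id }}-app-matrix
  createNamespace: true
  values:
  - domain: "{{ .Values.domain }}"
  - oauth2:
      # NOTE(review): a bare service name only resolves inside this release's
      # namespace, while Hydra lives in {{ .Values.id }}-core-auth; verify the
      # chart provides an alias for it or use the namespaced service name.
      hydraAdmin: http://hydra-admin
      hydraPublic: https://hydra.{{ .Values.domain }}
      clientId: matrix
      # NOTE(review): empty client secret; presumably the chart generates one
      # into `oauth2-client` — confirm, otherwise supply it from the
      # environment secrets file.
      clientSecret: ""
      secretName: oauth2-client
  - postgresql:
      host: postgres
      port: 5432
      database: matrix
      user: postgres
      # NOTE(review): clear-text password duplicated from matrix-storage;
      # source both from the environment secrets file.
      password: psswd
  - certificateIssuer: {{ .Values.id }}-public
  - ingressClassName: nginx
  - configMerge:
      configName: config-to-merge
      fileName: to-merge.yaml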
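# Pi-hole DNS, exposed on port 53 through the private ingress (see the
# tcp/udp maps of ingress-private); the web UI sits behind oauth2-proxy.
- name: pihole
  chart: ../../charts/pihole
  namespace: {{ .Values.id }}-app-pihole
  createNamespace: true
  values:
  - domain: "{{ .Values.domain }}"
  - pihole:
      image:
        repository: "pihole/pihole"
        tag: v5.8.1
      persistentVolumeClaim:
        enabled: true
        size: 5Gi
      # NOTE(review): default admin password committed in clear text; source
      # it from the environment secrets file like the OAuth2 secrets below.
      adminPassword: admin
      ingress:
        enabled: false
      serviceDhcp:
        enabled: false
      serviceDns:
        type: ClusterIP
      serviceWeb:
        type: ClusterIP
        http:
          enabled: true
        https:
          enabled: false
      virtualHost: pihole.p.{{ .Values.domain }}
      resources:
        requests:
          cpu: "250m"
          memory: "100M"
        limits:
          cpu: "500m"
          memory: "250M"
  - oauth2:
      clientId: pihole
      # quoted: secrets come from the environment secrets file and may start
      # with characters YAML would otherwise interpret
      clientSecret: "{{ .Values.piholeOAuth2ClientSecret }}"
      cookieSecret: "{{ .Values.piholeOAuth2CookieSecret }}"
      secretName: oauth2-secret
      configName: oauth2-proxy
      # NOTE(review): bare service name from another namespace
      # ({{ .Values.id }}-core-auth); verify it resolves from here.
      hydraAdmin: http://hydra-admin
  - hydraPublic: https://hydra.{{ .Values.domain }}/
  - profileUrl: https://accounts-ui.{{ .Values.domain }}
  - certificateIssuer: {{ .Values.id }}-private
  - ingressClassName: {{ .Values.id }}-ingress-private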
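environments:
  shveli:
    # Decrypted by helmfile and merged into .Values; the clear-text
    # credentials committed in the releases above belong in this file.
    secrets:
    - secrets.shveli.yaml
    values:
    - id: shveli
    - domain: shve.li
    - contactEmail: giolekva@gmail.com
    - certManagerNamespace: cert-manager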