feat: add more

2026-04-23 16:40:37 -05:00
parent 4cda238587
commit 3d58df753b
10 changed files with 172 additions and 141 deletions


@@ -9,36 +9,36 @@ metadata:
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
name: openbao
data:
- secretKey: api_encryption_key
remoteRef:
key: /cl01tl/sparkyfitness/key
property: api_encryption_key
property: api-encryption-key
- secretKey: better_auth_secret
remoteRef:
key: /cl01tl/sparkyfitness/key
property: better_auth_secret
property: better-auth-secret
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: sparkyfitness-oidc-secret
name: sparkyfitness-oidc-authentik
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: sparkyfitness-oidc-secret
app.kubernetes.io/name: sparkyfitness-oidc-authentik
{{- include "custom.labels" . | nindent 4 }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
name: openbao
data:
- secretKey: client_id
remoteRef:
key: /authentik/oidc/sparkyfitness
key: /cl01tl/authentik/oidc/sparkyfitness
property: client
- secretKey: client_secret
remoteRef:
key: /authentik/oidc/sparkyfitness
key: /cl01tl/authentik/oidc/sparkyfitness
property: secret


@@ -10,7 +10,7 @@ sparkyfitness:
issuerUrl: https://authentik.alexlebens.net/application/o/sparky-fitness
logoUrl: https://cdn.jsdelivr.net/gh/selfhst/icons@main/webp/authentik.webp
secrets:
existingSecret: sparkyfitness-oidc-secret
existingSecret: sparkyfitness-oidc-authentik
httpRoute:
enabled: true
hostname: sparkyfitness.alexlebens.net


@@ -11,7 +11,7 @@ spec:
version: 9.3.3
auth:
fileRealm:
- secretName: stalwart-elasticsearch-secret
- secretName: stalwart-elasticsearch-config
nodeSets:
- name: default
count: 2


@@ -1,15 +1,15 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: stalwart-elasticsearch-secret
name: stalwart-elasticsearch-config
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: stalwart-elasticsearch-secret
app.kubernetes.io/name: stalwart-elasticsearch-config
{{- include "custom.labels" . | nindent 4 }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
name: openbao
data:
- secretKey: username
remoteRef:


@@ -1,9 +1,9 @@
apiVersion: v1
kind: Namespace
metadata:
name: stalwart
name: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: stalwart
app.kubernetes.io/name: {{ .Release.Namespace }}
{{- include "custom.labels" . | nindent 4 }}
pod-security.kubernetes.io/audit: privileged
pod-security.kubernetes.io/enforce: privileged
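Review bot: Templating the Namespace name from `{{ .Release.Namespace }}` means the `pod-security.kubernetes.io/enforce: privileged` and `audit: privileged` labels now follow whatever namespace the release is installed into, instead of the fixed `stalwart` namespace; a release installed into the wrong namespace would relax pod security there. The tailscale-operator Namespace section further down makes the same change and the same point applies to it. A one-line comment above `metadata:` such as `# Namespace name follows the release namespace; the privileged PSA labels below apply to it, so keep this chart pinned to its own namespace` would make the coupling visible to whoever changes the install target. A chart that creates the very namespace it is released into also depends on the installer having created it first, so the label set is likely reconciled after the namespace already exists — I cannot see the install method from this page, so treat that as something to confirm.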


@@ -9,13 +9,13 @@ metadata:
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
name: openbao
data:
- secretKey: client_id
remoteRef:
key: /tailscale/k8s-operator
property: clientId
key: /tailscale/credentials/k8s-operator
property: client-id
- secretKey: client_secret
remoteRef:
key: /tailscale/k8s-operator
property: clientSecret
key: /tailscale/credentials/k8s-operator
property: client-secret


@@ -1,9 +1,9 @@
apiVersion: v1
kind: Namespace
metadata:
name: tailscale-operator
name: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: tailscale-operator
app.kubernetes.io/name: {{ .Release.Namespace }}
{{- include "custom.labels" . | nindent 4 }}
pod-security.kubernetes.io/audit: privileged
pod-security.kubernetes.io/enforce: privileged


@@ -1,15 +1,15 @@
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: talos-etcd-backup-local-secret
name: talos-etcd-backup-local-config
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: talos-etcd-backup-local-secret
app.kubernetes.io/name: talos-etcd-backup-local-config
{{- include "custom.labels" . | nindent 4 }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
name: openbao
data:
- secretKey: AWS_ACCESS_KEY_ID
remoteRef:
@@ -19,14 +19,10 @@ spec:
remoteRef:
key: /garage/home-infra/talos-backups
property: ACCESS_SECRET_KEY
- secretKey: .s3cfg
remoteRef:
key: /garage/home-infra/talos-backups
property: s3cfg-local
- secretKey: BUCKET
remoteRef:
key: /garage/home-infra/talos-backups
property: BUCKET
property: BUCKET_PATH
- secretKey: AGE_X25519_PUBLIC_KEY
remoteRef:
key: /cl01tl/talos/etcd-backup
@@ -36,15 +32,15 @@ spec:
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: talos-etcd-backup-remote-secret
name: talos-etcd-backup-remote-config
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: talos-etcd-backup-remote-secret
app.kubernetes.io/name: talos-etcd-backup-remote-config
{{- include "custom.labels" . | nindent 4 }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
name: openbao
data:
- secretKey: AWS_ACCESS_KEY_ID
remoteRef:
@@ -54,14 +50,10 @@ spec:
remoteRef:
key: /garage/home-infra/talos-backups
property: ACCESS_SECRET_KEY
- secretKey: .s3cfg
remoteRef:
key: /garage/home-infra/talos-backups
property: s3cfg-remote
- secretKey: BUCKET
remoteRef:
key: /garage/home-infra/talos-backups
property: BUCKET
property: BUCKET_PATH
- secretKey: AGE_X25519_PUBLIC_KEY
remoteRef:
key: /cl01tl/talos/etcd-backup
@@ -71,32 +63,28 @@ spec:
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: talos-etcd-backup-external-secret
name: talos-etcd-backup-external-config
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: talos-etcd-backup-external-secret
app.kubernetes.io/name: talos-etcd-backup-external-config
{{- include "custom.labels" . | nindent 4 }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
name: openbao
data:
- secretKey: AWS_ACCESS_KEY_ID
remoteRef:
key: /digital-ocean/home-infra/etcd-backup
key: /digital-ocean/home-infra/talos-backups
property: AWS_ACCESS_KEY_ID
- secretKey: AWS_SECRET_ACCESS_KEY
remoteRef:
key: /digital-ocean/home-infra/etcd-backup
key: /digital-ocean/home-infra/talos-backups
property: AWS_SECRET_ACCESS_KEY
- secretKey: .s3cfg
remoteRef:
key: /digital-ocean/home-infra/etcd-backup
property: s3cfg
- secretKey: BUCKET
remoteRef:
key: /digital-ocean/home-infra/etcd-backup
property: BUCKET
key: /digital-ocean/home-infra/talos-backups
property: BUCKET_PATH
- secretKey: AGE_X25519_PUBLIC_KEY
remoteRef:
key: /cl01tl/talos/etcd-backup
@@ -106,44 +94,25 @@ spec:
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: talos-backup-ntfy-secret
name: talos-ntfy-config
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: talos-backup-ntfy-secret
app.kubernetes.io/name: talos-ntfy-config
{{- include "custom.labels" . | nindent 4 }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
name: openbao
data:
- secretKey: NTFY_TOKEN
remoteRef:
key: /ntfy/user/cl01tl
key: /cl01tl/ntfy/users/cl01tl
property: token
- secretKey: NTFY_ENDPOINT
remoteRef:
key: /ntfy/user/cl01tl
property: endpoint
key: /cl01tl/ntfy/config
property: internal-endpoint
- secretKey: NTFY_TOPIC
remoteRef:
key: /cl01tl/talos/etcd-backup
property: NTFY_TOPIC
---
apiVersion: external-secrets.io/v1
kind: ExternalSecret
metadata:
name: talos-etcd-defrag-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: talos-etcd-defrag-secret
{{- include "custom.labels" . | nindent 4 }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: config
remoteRef:
key: /cl01tl/talos/etcd-defrag
property: config
key: /cl01tl/talos/ntfy
property: topic
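Review bot: In the `@@ -19,14 +19,10 @@` and `@@ -54,14 +50,10 @@` hunks the `BUCKET` entries keep `secretKey: BUCKET` while the source `property` changes from `BUCKET` to `BUCKET_PATH`, and the external hunk does the same; the consuming containers load these secrets via `envFrom`, so an environment variable still named `BUCKET` now carries whatever `BUCKET_PATH` holds. If that value is a bucket plus prefix rather than a bare bucket name, any prune or backup script that builds an `s3://$BUCKET/...` target silently changes destination; if the change is intended, either rename the secretKey to match or add `# BUCKET_PATH may include a key prefix; scripts treat it as the full S3 target` above the entry. The deleted `talos-etcd-defrag-secret` ExternalSecret in the last hunk is replaced by a SecretProviderClass elsewhere in this commit, so nothing remains to produce a Kubernetes Secret of that name — fine as long as no other manifest outside this page still references it.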


@@ -0,0 +1,78 @@
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
name: talos-etcd-backup-local-config
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: talos-etcd-backup-local-config
{{- include "custom.labels" . | nindent 4 }}
spec:
provider: openbao
parameters:
baoAddress: "http://openbao-internal.openbao:8200"
roleName: slskd
objects: |
- objectName: .s3cfg
fileName: .s3cfg
secretPath: secret/data/garage/home-infra/talos-backups
secretKey: s3cfg-local
---
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
name: talos-etcd-backup-remote-config
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: talos-etcd-backup-remote-config
{{- include "custom.labels" . | nindent 4 }}
spec:
provider: openbao
parameters:
baoAddress: "http://openbao-internal.openbao:8200"
roleName: slskd
objects: |
- objectName: .s3cfg
fileName: .s3cfg
secretPath: secret/data/garage/home-infra/talos-backups
secretKey: s3cfg-remote
---
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
name: talos-etcd-backup-external-config
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: talos-etcd-backup-external-config
{{- include "custom.labels" . | nindent 4 }}
spec:
provider: openbao
parameters:
baoAddress: "http://openbao-internal.openbao:8200"
roleName: slskd
objects: |
- objectName: .s3cfg
fileName: .s3cfg
secretPath: secret/data/digital-ocean/home-infra/talos-backups
secretKey: s3cfg
---
apiVersion: secrets-store.csi.x-k8s.io/v1
kind: SecretProviderClass
metadata:
name: talos-etcd-defrag-config
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: talos-etcd-defrag-config
{{- include "custom.labels" . | nindent 4 }}
spec:
provider: openbao
parameters:
baoAddress: "http://openbao-internal.openbao:8200"
roleName: slskd
objects: |
- objectName: config
fileName: config
secretPath: secret/data/cl01tl/talos/talosconfig
secretKey: config
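Review bot: All four SecretProviderClass objects set `roleName: slskd`, a name that appears nowhere else in this change and reads like another application's OpenBao Kubernetes-auth role carried over by copy-paste. If that role's bound service accounts or namespaces do not match this chart, the CSI mount fails at pod start; if they do match, the talos etcd backup and defrag jobs inherit every secret path that role's policies allow, which is broader than the four `secretPath` entries declared here need. Suggest a dedicated role, e.g. `roleName: talos-etcd-backup` (constructed name — confirm against the OpenBao auth configuration), plus a comment above `parameters:` naming the service account the role is bound to so the least-privilege intent is recorded. `baoAddress` is plain `http://`; if that in-cluster hop is not otherwise protected, say so in the same comment.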


@@ -37,12 +37,12 @@ etcd-backup:
- name: AWS_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: talos-etcd-backup-local-secret
name: talos-etcd-backup-local-config
key: AWS_ACCESS_KEY_ID
- name: AWS_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: talos-etcd-backup-local-secret
name: talos-etcd-backup-local-config
key: AWS_SECRET_ACCESS_KEY
- name: AWS_REGION
value: us-east-1
@@ -57,7 +57,7 @@ etcd-backup:
- name: AGE_X25519_PUBLIC_KEY
valueFrom:
secretKeyRef:
name: talos-etcd-backup-local-secret
name: talos-etcd-backup-local-config
key: AGE_X25519_PUBLIC_KEY
- name: USE_PATH_STYLE
value: "false"
@@ -72,9 +72,9 @@ etcd-backup:
- /scripts/prune.sh
envFrom:
- secretRef:
name: talos-etcd-backup-local-secret
name: talos-etcd-backup-local-config
- secretRef:
name: talos-backup-ntfy-secret
name: talos-ntfy-config
env:
- name: TARGET
value: Local
@@ -117,12 +117,12 @@ etcd-backup:
- name: AWS_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: talos-etcd-backup-remote-secret
name: talos-etcd-backup-remote-config
key: AWS_ACCESS_KEY_ID
- name: AWS_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: talos-etcd-backup-remote-secret
name: talos-etcd-backup-remote-config
key: AWS_SECRET_ACCESS_KEY
- name: AWS_REGION
value: us-east-1
@@ -137,7 +137,7 @@ etcd-backup:
- name: AGE_X25519_PUBLIC_KEY
valueFrom:
secretKeyRef:
name: talos-etcd-backup-remote-secret
name: talos-etcd-backup-remote-config
key: AGE_X25519_PUBLIC_KEY
- name: USE_PATH_STYLE
value: "false"
@@ -152,9 +152,9 @@ etcd-backup:
- /scripts/prune.sh
envFrom:
- secretRef:
name: talos-etcd-backup-remote-secret
name: talos-etcd-backup-remote-config
- secretRef:
name: talos-backup-ntfy-secret
name: talos-ntfy-config
env:
- name: TARGET
value: Remote
@@ -197,12 +197,12 @@ etcd-backup:
- name: AWS_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: talos-etcd-backup-external-secret
name: talos-etcd-backup-external-config
key: AWS_ACCESS_KEY_ID
- name: AWS_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: talos-etcd-backup-external-secret
name: talos-etcd-backup-external-config
key: AWS_SECRET_ACCESS_KEY
- name: AWS_REGION
value: nyc3
@@ -217,7 +217,7 @@ etcd-backup:
- name: AGE_X25519_PUBLIC_KEY
valueFrom:
secretKeyRef:
name: talos-etcd-backup-external-secret
name: talos-etcd-backup-external-config
key: AGE_X25519_PUBLIC_KEY
- name: USE_PATH_STYLE
value: "false"
@@ -232,9 +232,9 @@ etcd-backup:
- /scripts/prune.sh
envFrom:
- secretRef:
name: talos-etcd-backup-external-secret
name: talos-etcd-backup-external-config
- secretRef:
name: talos-backup-ntfy-secret
name: talos-ntfy-config
env:
- name: TARGET
value: External
@@ -280,9 +280,13 @@ etcd-backup:
- path: /scripts/prune.sh
subPath: prune.sh
s3cmd-config-local:
enabled: true
type: secret
name: talos-etcd-backup-local-secret
type: custom
volumeSpec:
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: talos-etcd-backup-local-config
advancedMounts:
local:
s3-prune:
@@ -291,9 +295,13 @@ etcd-backup:
mountPropagation: None
subPath: .s3cfg
s3cmd-config-remote:
enabled: true
type: secret
name: talos-etcd-backup-remote-secret
type: custom
volumeSpec:
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: talos-etcd-backup-remote-config
advancedMounts:
remote:
s3-prune:
@@ -302,9 +310,13 @@ etcd-backup:
mountPropagation: None
subPath: .s3cfg
s3cmd-config-external:
enabled: true
type: secret
name: talos-etcd-backup-external-secret
type: custom
volumeSpec:
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: talos-etcd-backup-external-config
advancedMounts:
external:
s3-prune:
@@ -312,7 +324,7 @@ etcd-backup:
readOnly: true
mountPropagation: None
subPath: .s3cfg
tmp-local:
tmp:
type: emptyDir
medium: Memory
advancedMounts:
@@ -320,23 +332,15 @@ etcd-backup:
backup:
- path: /tmp
readOnly: false
tmp-remote:
type: emptyDir
medium: Memory
advancedMounts:
remote:
backup:
- path: /tmp
readOnly: false
tmp-external:
type: emptyDir
medium: Memory
advancedMounts:
external:
backup:
- path: /tmp
readOnly: false
talos-local:
talos:
type: emptyDir
medium: Memory
advancedMounts:
@@ -344,18 +348,10 @@ etcd-backup:
backup:
- path: /.talos
readOnly: false
talos-remote:
type: emptyDir
medium: Memory
advancedMounts:
remote:
backup:
- path: /.talos
readOnly: false
talos-external:
type: emptyDir
medium: Memory
advancedMounts:
external:
backup:
- path: /.talos
@@ -449,36 +445,24 @@ etcd-defrag:
- name: TALOSCONFIG
value: /tmp/.talos/config
persistence:
talos-config-1:
enabled: true
type: secret
name: talos-etcd-defrag-secret
config:
type: custom
volumeSpec:
csi:
driver: secrets-store.csi.k8s.io
readOnly: true
volumeAttributes:
secretProviderClass: talos-etcd-defrag-config
advancedMounts:
defrag-1:
main:
- path: /tmp/.talos/config
- path: /tmp/.talos/
readOnly: true
mountPropagation: None
subPath: config
talos-config-2:
enabled: true
type: secret
name: talos-etcd-defrag-secret
advancedMounts:
defrag-2:
main:
- path: /tmp/.talos/config
- path: /tmp/.talos/
readOnly: true
mountPropagation: None
subPath: config
talos-config-3:
enabled: true
type: secret
name: talos-etcd-defrag-secret
advancedMounts:
defrag-3:
main:
- path: /tmp/.talos/config
- path: /tmp/.talos/
readOnly: true
mountPropagation: None
subPath: config
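Review bot: `talos-etcd-backup-local-config` (and the remote and external counterparts) is now both the Kubernetes Secret referenced by `secretKeyRef`/`secretRef` for the AWS and AGE variables and the `secretProviderClass` of the CSI volume; two API kinds sharing a name is legal but easy to misread as one object, especially since the SecretProviderClass declares no `secretObjects` and therefore does not back that Secret. A comment above `s3cmd-config-local:` such as `# CSI volume reads .s3cfg straight from OpenBao; the Secret of the same name comes from the ExternalSecret` would make the split explicit. In the etcd-defrag hunk the mount path changes from the file `/tmp/.talos/config` to the directory `/tmp/.talos/` while `TALOSCONFIG` stays `/tmp/.talos/config`, which lines up with `fileName: config` in the new SecretProviderClass, but whether the `subPath: config` lines survive on the new side is not recoverable from this rendering — if they do, a subPath on a directory mount should be dropped. The `persistence:` block continues past the end of this hunk.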