diff --git a/.gitattributes b/.gitattributes
index ad09729..c1101f8 100644
--- a/.gitattributes
+++ b/.gitattributes
@@ -1 +1,2 @@
-secrets.nix filter=git-crypt diff=git-crypt
\ No newline at end of file
+secrets.nix filter=git-crypt diff=git-crypt
+secrets.yml filter=git-crypt diff=git-crypt
\ No newline at end of file
diff --git a/hosts/k3s/configuration.nix b/hosts/k3s/configuration.nix
index 608a41f..e310c9d 100644
--- a/hosts/k3s/configuration.nix
+++ b/hosts/k3s/configuration.nix
@@ -39,18 +39,15 @@
 systemd.services.k3s.path = [ pkgs.gnugrep pkgs.utillinux ];
 # Enable k3s as a master node
- # services.k3s = {
- # enable = true;
- # role = "server";
+ services.k3s = {
+ enable = true;
+ role = "server";
+
+ extraFlags = builtins.toString [
+ "--data-dir=/var/lib/k3s" # Set data dir to var lib
+ "--cluster-init" # Enable embedded etcd
+ "--cluster-cidr=10.69.0.0/16" # the default of 10.42.0.0/16 clashes with my own network
+ ];
+ };
- # extraFlags = builtins.toString [
- # "--data-dir=/var/lib/k3s" # Set data dir to var lib
- # "--cluster-init" # Enable embedded etcd
- # "--disable=servicelb" # disable servicelb
- # "--no-deploy=traefik" # we want to configure traefik ourselves (or use nginx instead)
- # "--cluster-cidr=10.69.0.0/16" # the default of 10.42.0.0/16 clashes with my own network
- # ];
- # };
- virtualisation.docker.enable = true;
- users.users.jdejeu.extraGroups = [ "docker" ];
 }
diff --git a/hosts/nginx/configuration.nix b/hosts/nginx/configuration.nix
index 80a947e..b3e374d 100644
--- a/hosts/nginx/configuration.nix
+++ b/hosts/nginx/configuration.nix
@@ -8,7 +8,7 @@ let
 proxyWebsockets = true;
 };
 };
- k8s_proxy = proxy "https://k8s-1.voidlocal:443/";
+ k8s_proxy = proxy "http://10.42.20.5:80/";
 in {
 imports = [ # Import common config
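Review bot: The `--disable=servicelb` and `--no-deploy=traefik` flags present in the commented-out block are dropped from the enabled `extraFlags` without explanation, so k3s now ships its bundled Traefik and ServiceLB, and ServiceLB will publish every `type: LoadBalancer` Service (keel's port 9300 later in this commit) on the node's own address. If that is intended because the nginx host now proxies to the Traefik load balancer at 10.42.20.5:80, record it next to the flags, e.g. `# bundled traefik + servicelb kept on purpose: the nginx host proxies to the traefik LB on the node IP`. If it is not intended, re-add `"--disable=servicelb"` and `"--disable=traefik"` (`--no-deploy` is the deprecated spelling of `--disable` in recent k3s). `--cluster-init` also starts the embedded etcd, whose client and peer ports listen on the node; nothing in this hunk restricts them, so the host firewall (not visible here) should allow only 6443 and the ingress ports from the LAN.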
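Review bot: `k8s_proxy` now points at `http://10.42.20.5:80/` instead of `https://k8s-1.voidlocal:443/`, so the hop from the TLS-terminating nginx host to the cluster ingress is cleartext and pinned to a bare IP; every vhost routed through it later in this commit, including the Drone OAuth callback and runner RPC traffic, crosses the LAN unencrypted. If the ingress cannot present a usable certificate, say so where the reader will look, e.g. `# plain HTTP to the k3s traefik LB; LAN-only hop, TLS is terminated here`, and confirm that the `proxy` helper (defined above this hunk) forwards `Host` and `X-Forwarded-Proto` so Traefik can route by host and Drone sees the public scheme. Otherwise keep `https://` and give Traefik a certificate for the internal name.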
@@ -44,7 +44,10 @@ in {
 virtualHosts."git.voidcorp.nl" = proxy "http://gitea.voidlocal:3000/";
- virtualHosts."galerievanslagmaat.nl" = proxy "http://10.42.0.124:5667/";
+ virtualHosts."galerievanslagmaat.nl" = k8s_proxy;
+ virtualHosts."staging.galerievanslagmaat.nl" = k8s_proxy;
+ virtualHosts."groenehartansichtkaarten.nl" = k8s_proxy;
+ virtualHosts."drone.voidcorp.nl" = k8s_proxy;
 virtualHosts."vaultwarden.voidcorp.nl" = proxy "http://10.42.20.4:8000/";
diff --git a/hosts/registry/configuration.nix b/hosts/registry/configuration.nix
index a19951f..4fbf75a 100644
--- a/hosts/registry/configuration.nix
+++ b/hosts/registry/configuration.nix
@@ -32,6 +32,15 @@ in {
 realm = "Voidcorp Registry";
 path = "/etc/htpasswd";
 };
+
+ notifications.endpoints = [{
+ name = "keel";
+ url = "http://10.42.20.5:9300/v1/webhooks/registry";
+ timeout = "500ms";
+ treshold = 5;
+ backoff = "1s";
+ }];
 };
 };
+
 }
diff --git a/k8s/ansichtkaarten/master.yml b/k8s/ansichtkaarten/master.yml
new file mode 100644
index 0000000..4407258
--- /dev/null
+++ b/k8s/ansichtkaarten/master.yml
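Review bot: `staging.galerievanslagmaat.nl` is published on exactly the same terms as the production vhost, with no access control, so a pre-release build is reachable by anyone who resolves the name. If staging is not meant to be public, gate it at nginx, e.g. `virtualHosts."staging.galerievanslagmaat.nl" = k8s_proxy // { basicAuthFile = "/etc/nginx/staging.htpasswd"; };` (or an `allow`/`deny` block limited to the LAN). All four vhosts now share one backend that can only tell them apart by the Host header, so the `proxy` helper (defined outside this hunk) must forward `Host`; worth checking that `recommendedProxySettings` or an explicit `proxy_set_header Host $host;` is in place, otherwise every name lands on Traefik's default backend.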
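Review bot: `treshold = 5;` is misspelled — the registry's notification endpoint option is `threshold` — and the registry's YAML loader presumably ignores unknown keys, so the endpoint runs with the default retry threshold; change it to `threshold = 5;`. The endpoint itself is plain HTTP with no credential to a `LoadBalancer` Service that `k8s/keel/keel.yml` in this commit configures with `AUTHENTICATED_WEBHOOKS: "false"`, so anyone who can reach 10.42.20.5:9300 can forge a registry push event and trigger a forced redeploy of every `keel.sh/policy: force` workload. Registry endpoints accept a `headers` attribute; pair a shared secret there (e.g. `headers = { Authorization = [ "Basic <base64 user:pass>" ]; };`, with the value taken from the git-crypt'd `secrets.nix` rather than inline) with keel's authenticated-webhook setting, and restrict the source at the node firewall to the registry host.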
@@ -0,0 +1,55 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: ansichtkaarten-deployment + labels: + app: ansichtkaarten-deployment + keel.sh/policy: force + keel.sh/match-tag: "true" +spec: + replicas: 1 + selector: + matchLabels: + app: ansichtkaarten-deployment + template: + metadata: + labels: + app: ansichtkaarten-deployment + spec: + containers: + - name: ansichtkaarten-deployment + image: registry.voidcorp.nl/library/ansichtkaarten:master + ports: + - containerPort: 80 + imagePullSecrets: + - name: regcred +--- +apiVersion: v1 +kind: Service +metadata: + name: ansichtkaarten-deployment-service +spec: + selector: + app: ansichtkaarten-deployment + ports: + - protocol: TCP + port: 80 + targetPort: 80 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: ansichtkaarten-deployment-ingress +spec: + rules: + - host: "groenehartansichtkaarten.nl" + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: ansichtkaarten-deployment-service + port: + number: 80 + diff --git a/k8s/drone/drone.yml b/k8s/drone/drone.yml new file mode 100644 index 0000000..608ef98 --- /dev/null +++ b/k8s/drone/drone.yml 
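Review bot: The container at `image: registry.voidcorp.nl/library/ansichtkaarten:master` sets no `imagePullPolicy`, so the kubelet defaults to `IfNotPresent` for a non-`latest` tag; when keel honours `keel.sh/policy: force` with `keel.sh/match-tag: "true"` by recreating the pod, a node that already cached `:master` starts the old image again. The sibling galerie manifests set `imagePullPolicy: Always` under `image:` — add the same line here. There is also no `resources` block and no `securityContext`, so a forced redeploy on every push to `master` lands an unbounded pod running as whatever UID the image picks in the `default` namespace; at minimum add `resources.limits` as keel's own manifest does, and `securityContext: { runAsNonRoot: true, allowPrivilegeEscalation: false }` if the image permits it.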
@@ -0,0 +1,93 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: drone-deployment + namespace: drone + labels: + app: drone-deployment + # keel.sh/policy: force +spec: + replicas: 1 + selector: + matchLabels: + app: drone-deployment + template: + metadata: + labels: + app: drone-deployment + spec: + containers: + - name: drone-deployment + image: drone/drone:2 + ports: + - containerPort: 80 + env: + - name: DRONE_GITEA_CLIENT_ID + valueFrom: + secretKeyRef: + name: drone-secrets + key: DRONE_GITEA_CLIENT_ID + - name: DRONE_GITEA_CLIENT_SECRET + valueFrom: + secretKeyRef: + name: drone-secrets + key: DRONE_GITEA_CLIENT_SECRET + - name: DRONE_GITEA_SERVER + valueFrom: + secretKeyRef: + name: drone-secrets + key: DRONE_GITEA_SERVER + - name: DRONE_GIT_ALWAYS_AUTH + valueFrom: + secretKeyRef: + name: drone-secrets + key: DRONE_GIT_ALWAYS_AUTH + - name: DRONE_RPC_SECRET + valueFrom: + secretKeyRef: + name: drone-secrets + key: DRONE_RPC_SECRET + - name: DRONE_SERVER_HOST + valueFrom: + secretKeyRef: + name: drone-secrets + key: DRONE_SERVER_HOST + - name: DRONE_SERVER_PROTO + valueFrom: + secretKeyRef: + name: drone-secrets + key: DRONE_SERVER_PROTO + imagePullSecrets: + - name: regcred +--- +apiVersion: v1 +kind: Service +metadata: + namespace: drone + name: drone-deployment-service +spec: + selector: + app: drone-deployment + ports: + - protocol: TCP + port: 80 + targetPort: 80 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + namespace: drone + name: drone-deployment-ingress +spec: + rules: + - host: "drone.voidcorp.nl" + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: drone-deployment-service + port: + number: 80 + diff --git a/k8s/drone/namespace.yml b/k8s/drone/namespace.yml new file mode 100644 index 0000000..f9449c6 --- /dev/null +++ b/k8s/drone/namespace.yml @@ -0,0 +1,6 @@ +kind: Namespace +apiVersion: v1 +metadata: + name: drone + labels: + name: drone \ No newline at end of file 
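Review bot: The `drone/drone:2` server has no volume, so its SQLite database — which holds the Gitea user tokens Drone keeps after OAuth login, repository activations and build history — lives in the container filesystem and is lost on every restart or recreate. Mount a PersistentVolumeClaim at `/data`, or point `DRONE_DATABASE_DRIVER`/`DRONE_DATABASE_DATASOURCE` at an external database. Nothing here sets `DRONE_REGISTRATION_CLOSED: "true"` or bootstraps an admin with `DRONE_USER_CREATE`, so any account on the Gitea instance named in `DRONE_GITEA_SERVER` can log in and run pipelines with the runner RBAC added in this commit; close registration and create the admin explicitly. Non-secret settings (`DRONE_SERVER_HOST`, `DRONE_SERVER_PROTO`, `DRONE_GITEA_SERVER`, `DRONE_GIT_ALWAYS_AUTH`) are also read from the Secret; moving them into a ConfigMap keeps the encrypted file small and the configuration reviewable.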
diff --git a/k8s/drone/runner-rbac.yml b/k8s/drone/runner-rbac.yml new file mode 100644 index 0000000..0149dcd --- /dev/null +++ b/k8s/drone/runner-rbac.yml @@ -0,0 +1,40 @@ +kind: Role +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + namespace: drone + name: drone +rules: +- apiGroups: + - "" + resources: + - secrets + verbs: + - create + - delete +- apiGroups: + - "" + resources: + - pods + - pods/log + verbs: + - get + - create + - delete + - list + - watch + - update + +--- +kind: RoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: drone + namespace: drone +subjects: +- kind: ServiceAccount + name: default + namespace: drone +roleRef: + kind: Role + name: drone + apiGroup: rbac.authorization.k8s.io \ No newline at end of file diff --git a/k8s/drone/runner.yml b/k8s/drone/runner.yml new file mode 100644 index 0000000..d8696be --- /dev/null +++ b/k8s/drone/runner.yml @@ -0,0 +1,40 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: drone + namespace: drone + labels: + app.kubernetes.io/name: drone +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: drone + template: + metadata: + labels: + app.kubernetes.io/name: drone + spec: + containers: + - name: runner + image: drone/drone-runner-kube:latest + ports: + - containerPort: 3000 + env: + - name: DRONE_RPC_SECRET + valueFrom: + secretKeyRef: + name: drone-secrets + key: DRONE_RPC_SECRET + - name: DRONE_RPC_HOST + valueFrom: + secretKeyRef: + name: drone-secrets + key: DRONE_SERVER_HOST + - name: DRONE_RPC_PROTO + valueFrom: + secretKeyRef: + name: drone-secrets + key: DRONE_SERVER_PROTO + - name: DRONE_NAMESPACE_DEFAULT + value: drone \ No newline at end of file diff --git a/k8s/drone/secrets.yml b/k8s/drone/secrets.yml new file mode 100644 index 0000000..9e0a7ed Binary files /dev/null and b/k8s/drone/secrets.yml differ diff --git a/k8s/galerie/main.yml b/k8s/galerie/main.yml new file mode 100644 index 0000000..f2799fc --- /dev/null 
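Review bot: The RoleBinding grants the Role to the `default` ServiceAccount of the `drone` namespace, and because the runner sets `DRONE_NAMESPACE_DEFAULT: drone`, every pipeline pod it creates — and the Drone server pod itself — inherits this token through the auto-mounted service account. A pipeline step can therefore use the `pods` `create` verb to launch a pod that mounts the `drone-secrets` Secret (mounting needs no `secrets get`) and read `DRONE_RPC_SECRET` and the Gitea OAuth client secret, or `delete` other builds' pods. Create a dedicated `ServiceAccount` (e.g. `drone-runner`) as the binding subject, set `serviceAccountName: drone-runner` on the runner Deployment only, and run builds in their own namespace (`DRONE_NAMESPACE_DEFAULT: drone-builds`) with `automountServiceAccountToken: false` on the server and build pods so they hold no API credentials.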
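Review bot: `image: drone/drone-runner-kube:latest` is a mutable tag for the component that holds `DRONE_RPC_SECRET` and the pod-creation rights from `runner-rbac.yml`, so any restart may silently pull a different binary with no record of what ran; pin a release tag, ideally by digest, e.g. `image: drone/drone-runner-kube:<version>@sha256:<digest>` (the server in `drone.yml` at least pins `:2`). This Deployment sets no `serviceAccountName`, so it depends on the `default` account binding in `runner-rbac.yml`; naming the account here makes that dependency visible. `DRONE_RPC_HOST`/`DRONE_RPC_PROTO` are taken from `DRONE_SERVER_HOST`/`DRONE_SERVER_PROTO`, which suggests the runner reaches the server through the public vhost rather than an in-cluster Service — a comment such as `# RPC goes out via the public drone vhost; no in-cluster service is used` would save the next reader from looking for one.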
+++ b/k8s/galerie/main.yml @@ -0,0 +1,56 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: galerie-deployment + labels: + app: galerie-deployment + keel.sh/policy: force + keel.sh/match-tag: "true" +spec: + replicas: 1 + selector: + matchLabels: + app: galerie-deployment + template: + metadata: + labels: + app: galerie-deployment + spec: + containers: + - name: galerie-deployment + imagePullPolicy: Always + image: registry.voidcorp.nl/library/galerie:main + ports: + - containerPort: 80 + imagePullSecrets: + - name: regcred +--- +apiVersion: v1 +kind: Service +metadata: + name: galerie-deployment-service +spec: + selector: + app: galerie-deployment + ports: + - protocol: TCP + port: 80 + targetPort: 80 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: galerie-deployment-ingress +spec: + rules: + - host: "galerievanslagmaat.nl" + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: galerie-deployment-service + port: + number: 80 + diff --git a/k8s/galerie/secrets.yml b/k8s/galerie/secrets.yml new file mode 100644 index 0000000..501449f Binary files /dev/null and b/k8s/galerie/secrets.yml differ diff --git a/k8s/galerie/staging.yml b/k8s/galerie/staging.yml new file mode 100644 index 0000000..c4e9d6a --- /dev/null +++ b/k8s/galerie/staging.yml 
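Review bot: With `keel.sh/policy: force` and `keel.sh/match-tag: "true"` on the production Deployment, whoever can push a `:main` tag to `registry.voidcorp.nl` — any holder of an entry in the registry's `/etc/htpasswd` — ships straight to `galerievanslagmaat.nl` with no gate. If that is deliberate, note it beside the annotations, e.g. `# prod follows the :main tag automatically; registry push == deploy`; otherwise add `keel.sh/approvals: "1"` so an update waits for an approval in the keel UI or notification channel, and keep unattended `force` for staging only. Like the other app manifests this pod has no `resources` and no `securityContext`, and it is created in the `default` namespace together with staging and ansichtkaarten, so the three sites share one namespace with nothing separating them.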
@@ -0,0 +1,56 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: galerie-staging-deployment + labels: + app: galerie-staging-deployment + keel.sh/policy: force + keel.sh/match-tag: "true" +spec: + replicas: 1 + selector: + matchLabels: + app: galerie-staging-deployment + template: + metadata: + labels: + app: galerie-staging-deployment + spec: + containers: + - name: galerie-staging-deployment + imagePullPolicy: Always + image: registry.voidcorp.nl/library/galerie:staging + ports: + - containerPort: 80 + imagePullSecrets: + - name: regcred +--- +apiVersion: v1 +kind: Service +metadata: + name: galerie-staging-deployment-service +spec: + selector: + app: galerie-staging-deployment + ports: + - protocol: TCP + port: 80 + targetPort: 80 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: galerie-staging-deployment-ingress +spec: + rules: + - host: "staging.galerievanslagmaat.nl" + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: galerie-staging-deployment-service + port: + number: 80 + diff --git a/k8s/keel/keel.yml b/k8s/keel/keel.yml new file mode 100644 index 0000000..96e6319 --- /dev/null +++ b/k8s/keel/keel.yml 
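Review bot: This file duplicates `k8s/galerie/main.yml` with only the name, image tag and Ingress host substituted, so any hardening added to one (pull policy, resources, securityContext, approval annotations) has to be remembered for the other. A kustomize base holding the Deployment/Service/Ingress with a staging overlay that patches the `image` tag and the Ingress `host` would keep the two environments from drifting. Until then, a comment at the top — `# mirror of main.yml for the :staging tag; keep the two files in sync` — tells the next editor where to look.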
@@ -0,0 +1,220 @@ +--- + +apiVersion: v1 +kind: Namespace +metadata: + name: "keel" + +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: keel + namespace: "keel" + labels: + app: keel + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: keel +rules: + - apiGroups: + - "" + resources: + - namespaces + verbs: + - watch + - list + - apiGroups: + - "" + resources: + - secrets + verbs: + - get + - watch + - list + - apiGroups: + - "" + - extensions + - apps + - batch + resources: + - pods + - replicasets + - replicationcontrollers + - statefulsets + - deployments + - daemonsets + - jobs + - cronjobs + verbs: + - get + - delete # required to delete pods during force upgrade of the same tag + - watch + - list + - update + - apiGroups: + - "" + resources: + - configmaps + - pods/portforward + verbs: + - get + - create + - update + + +--- + +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: keel +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: keel +subjects: + - kind: ServiceAccount + name: keel + namespace: "keel" +--- + +apiVersion: v1 +kind: Service +metadata: + name: keel + namespace: "keel" + labels: + app: keel +spec: + type: LoadBalancer + ports: + - port: 9300 + targetPort: 9300 + protocol: TCP + name: keel + selector: + app: keel + sessionAffinity: None + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: keel + namespace: "keel" + labels: + app: keel +spec: + replicas: 1 + selector: + matchLabels: + app: keel + template: + metadata: + labels: + app: keel + spec: + serviceAccountName: keel + containers: + + - name: keel + # Note that we use appVersion to get images tag. 
+ image: "keelhq/keel:latest" + imagePullPolicy: Always + command: ["/bin/keel"] + env: + - name: NAMESPACE + valueFrom: + fieldRef: + fieldPath: metadata.namespace + # Enable GCR with pub/sub support + - name: PROJECT_ID + value: "" + - name: PUBSUB + value: "" # Set to '1' or 'true' to enable GCR pubsub + # Basic auth (to enable UI/API) + - name: BASIC_AUTH_USER + value: j00lz + - name: BASIC_AUTH_PASSWORD + value: admin + - name: AUTHENTICATED_WEBHOOKS + value: "false" + # Helm configuration + + # Enable AWS ECR + - name: AWS_ACCESS_KEY_ID + value: "" + - name: AWS_SECRET_ACCESS_KEY + value: "" + - name: AWS_REGION + value: "" + # Enable webhook endpoint + - name: WEBHOOK_ENDPOINT + value: "" + # Enable mattermost endpoint + - name: MATTERMOST_ENDPOINT + value: "" + # Enable MS Teams webhook endpoint + - name: TEAMS_WEBHOOK_URL + value: "" + - name: SLACK_TOKEN + value: "" + - name: SLACK_CHANNELS + value: "general" + - name: SLACK_APPROVALS_CHANNEL + value: "general" + - name: SLACK_BOT_NAME + value: "keel" + # Enable hipchat approvials and notification + - name: HIPCHAT_TOKEN + value: "" + - name: HIPCHAT_CHANNELS + value: "" + - name: HIPCHAT_APPROVALS_CHANNEL + value: "" + - name: HIPCHAT_APPROVALS_BOT_NAME + value: "" + - name: HIPCHAT_APPROVALS_USER_NAME + value: "" + - name: HIPCHAT_APPROVALS_PASSWORT + value: "" + - name: NOTIFICATION_LEVEL + value: "info" + # Enable insecure registries + - name: INSECURE_REGISTRY + value: "false" + ports: + - containerPort: 9300 + livenessProbe: + httpGet: + path: /healthz + port: 9300 + initialDelaySeconds: 30 + timeoutSeconds: 10 + resources: + limits: + cpu: 100m + memory: 128Mi + requests: + cpu: 50m + memory: 64Mi + + +--- +# Source: keel/templates/pod-disruption-budget.yaml + +apiVersion: policy/v1beta1 +kind: PodDisruptionBudget +metadata: + name: keel + namespace: "keel" +spec: + maxUnavailable: 1 + selector: + matchLabels: + app: keel
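Review bot: `BASIC_AUTH_PASSWORD: admin` (with `BASIC_AUTH_USER: j00lz`) is committed in clear text, and combined with `type: LoadBalancer` on port 9300 it puts the keel UI/API — which can approve and trigger redeploys, and whose ClusterRole may `get`/`list` every Secret in the cluster — on the node's address behind a guessable password. Treat the password as compromised and rotate it, read it with `valueFrom.secretKeyRef` from a Secret in the `keel` namespace instead of a literal, set `AUTHENTICATED_WEBHOOKS: "true"` with a matching `Authorization` header on the registry's notification endpoint, and replace `type: LoadBalancer` with `ClusterIP` plus a node firewall rule if only the registry host needs to reach it. Pin `keelhq/keel:latest` to a version; the comment `# Note that we use appVersion to get images tag.` is a leftover from the Helm template and is no longer true here. `PodDisruptionBudget` under `policy/v1beta1` was removed in Kubernetes 1.25, so that object will fail to apply on a current k3s; use `policy/v1`.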