From 0dc227fc5f5524bead1d563a80cf34fc489b1c59 Mon Sep 17 00:00:00 2001 From: Julius de Jeu Date: Sun, 14 Nov 2021 16:33:00 +0100 Subject: [PATCH] Add k8s configs to the repo Also add the remaining needed websites to the repo --- .gitattributes | 3 +- hosts/k3s/configuration.nix | 23 ++-- hosts/nginx/configuration.nix | 7 +- hosts/registry/configuration.nix | 9 ++ k8s/ansichtkaarten/master.yml | 55 ++++++++ k8s/drone/drone.yml | 93 +++++++++++++ k8s/drone/namespace.yml | 6 + k8s/drone/runner-rbac.yml | 40 ++++++ k8s/drone/runner.yml | 40 ++++++ k8s/drone/secrets.yml | Bin 0 -> 487 bytes k8s/galerie/main.yml | 56 ++++++++ k8s/galerie/secrets.yml | Bin 0 -> 22 bytes k8s/galerie/staging.yml | 56 ++++++++ k8s/keel/keel.yml | 220 +++++++++++++++++++++++++++++++ 14 files changed, 592 insertions(+), 16 deletions(-) create mode 100644 k8s/ansichtkaarten/master.yml create mode 100644 k8s/drone/drone.yml create mode 100644 k8s/drone/namespace.yml create mode 100644 k8s/drone/runner-rbac.yml create mode 100644 k8s/drone/runner.yml create mode 100644 k8s/drone/secrets.yml create mode 100644 k8s/galerie/main.yml create mode 100644 k8s/galerie/secrets.yml create mode 100644 k8s/galerie/staging.yml create mode 100644 k8s/keel/keel.yml diff --git a/.gitattributes b/.gitattributes index ad09729..c1101f8 100644 --- a/.gitattributes +++ b/.gitattributes @@ -1 +1,2 @@ -secrets.nix filter=git-crypt diff=git-crypt \ No newline at end of file +secrets.nix filter=git-crypt diff=git-crypt +secrets.yml filter=git-crypt diff=git-crypt \ No newline at end of file diff --git a/hosts/k3s/configuration.nix b/hosts/k3s/configuration.nix index 608a41f..e310c9d 100644 --- a/hosts/k3s/configuration.nix +++ b/hosts/k3s/configuration.nix 
@@ -39,18 +39,15 @@ systemd.services.k3s.path = [ pkgs.gnugrep pkgs.utillinux ]; # Enable k3s as a master node - # services.k3s = { - # enable = true; - # role = "server"; + services.k3s = { + enable = true; + role = "server"; + + extraFlags = builtins.toString [ + "--data-dir=/var/lib/k3s" # Set data dir to var lib + "--cluster-init" # Enable embedded etcd + "--cluster-cidr=10.69.0.0/16" # the default of 10.42.0.0/16 clashes with my own network + ]; + }; - # extraFlags = builtins.toString [ - # "--data-dir=/var/lib/k3s" # Set data dir to var lib - # "--cluster-init" # Enable embedded etcd - # "--disable=servicelb" # disable servicelb - # "--no-deploy=traefik" # we want to configure traefik ourselves (or use nginx instead) - # "--cluster-cidr=10.69.0.0/16" # the default of 10.42.0.0/16 clashes with my own network - # ]; - # }; - virtualisation.docker.enable = true; - users.users.jdejeu.extraGroups = [ "docker" ]; } diff --git a/hosts/nginx/configuration.nix b/hosts/nginx/configuration.nix index 80a947e..b3e374d 100644 --- a/hosts/nginx/configuration.nix +++ b/hosts/nginx/configuration.nix @@ -8,7 +8,7 @@ let proxyWebsockets = true; }; }; - k8s_proxy = proxy "https://k8s-1.voidlocal:443/"; + k8s_proxy = proxy "http://10.42.20.5:80/"; in { imports = [ # Import common config @@ -44,7 +44,10 @@ in { virtualHosts."git.voidcorp.nl" = proxy "http://gitea.voidlocal:3000/"; - virtualHosts."galerievanslagmaat.nl" = proxy "http://10.42.0.124:5667/"; + virtualHosts."galerievanslagmaat.nl" = k8s_proxy; + virtualHosts."staging.galerievanslagmaat.nl" = k8s_proxy; + virtualHosts."groenehartansichtkaarten.nl" = k8s_proxy; + virtualHosts."drone.voidcorp.nl" = k8s_proxy; virtualHosts."vaultwarden.voidcorp.nl" = proxy "http://10.42.20.4:8000/"; diff --git a/hosts/registry/configuration.nix b/hosts/registry/configuration.nix index a19951f..4fbf75a 100644 --- a/hosts/registry/configuration.nix +++ b/hosts/registry/configuration.nix 
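Review bot: The enabled `services.k3s` block drops the `--disable=servicelb` and `--no-deploy=traefik` flags that the previously commented-out version carried, and none of the inline comments say why. If k3s is now left to deploy its bundled Traefik and servicelb, that is presumably the ingress the nginx host proxies to at 10.42.20.5:80 in this same commit, so it is worth recording in the flags list, e.g. `# bundled traefik + servicelb are kept on purpose: they serve the Ingress objects under k8s/`. Removing the `docker` group from the user account is a good least-privilege change on its own.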
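Review bot: All four virtual hosts in the second nginx hunk now share the same `k8s_proxy` upstream, so routing among them depends entirely on the original `Host` header reaching the ingress at 10.42.20.5; the `proxy` helper that builds these locations is defined above the hunk (only `proxyWebsockets = true;` is visible), so whether it sets `proxy_set_header Host $host` or enables `recommendedProxySettings` cannot be confirmed here and should be checked. The first nginx hunk also replaces `https://k8s-1.voidlocal:443/` with `http://10.42.20.5:80/`, which moves the nginx-to-ingress hop from TLS to cleartext and from a hostname to a hardcoded address. If that is intentional for the internal network, a comment at the definition such as `# TLS terminates at nginx; the hop to the k3s ingress is plain HTTP on the internal network` makes the decision explicit.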
@@ -32,6 +32,15 @@ in {
 realm = "Voidcorp Registry";
 path = "/etc/htpasswd";
 };
+
+ notifications.endpoints = [{
+ name = "keel";
+ url = "http://10.42.20.5:9300/v1/webhooks/registry";
+ timeout = "500ms";
+ treshold = 5;
+ backoff = "1s";
+ }];
 };
 };
+
 }
diff --git a/k8s/ansichtkaarten/master.yml b/k8s/ansichtkaarten/master.yml
new file mode 100644
index 0000000..4407258
--- /dev/null
+++ b/k8s/ansichtkaarten/master.yml
@@ -0,0 +1,55 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: ansichtkaarten-deployment
+ labels:
+ app: ansichtkaarten-deployment
+ keel.sh/policy: force
+ keel.sh/match-tag: "true"
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: ansichtkaarten-deployment
+ template:
+ metadata:
+ labels:
+ app: ansichtkaarten-deployment
+ spec:
+ containers:
+ - name: ansichtkaarten-deployment
+ image: registry.voidcorp.nl/library/ansichtkaarten:master
+ ports:
+ - containerPort: 80
+ imagePullSecrets:
+ - name: regcred
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: ansichtkaarten-deployment-service
+spec:
+ selector:
+ app: ansichtkaarten-deployment
+ ports:
+ - protocol: TCP
+ port: 80
+ targetPort: 80
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: ansichtkaarten-deployment-ingress
+spec:
+ rules:
+ - host: "groenehartansichtkaarten.nl"
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: ansichtkaarten-deployment-service
+ port:
+ number: 80
+
diff --git a/k8s/drone/drone.yml b/k8s/drone/drone.yml
new file mode 100644
index 0000000..608ef98
--- /dev/null
+++ b/k8s/drone/drone.yml
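Review bot: `treshold = 5;` looks like a misspelling of `threshold`, the key the Docker registry's notification endpoint schema uses; an unknown key is most likely ignored on parse rather than rejected, so the endpoint would silently run with the default instead of the intended value. The webhook is also delivered as plain HTTP to 10.42.20.5:9300 with no `headers` entry, so anything on that network path can read or forge registry events aimed at keel; if keel's registry webhook accepts a shared token, setting it through `headers` here would close that gap. The enclosing attribute set starts above this hunk.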
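Review bot: `keel.sh/policy: force` on the moving `:master` tag only works if the pods actually re-pull the image, but the container sets no `imagePullPolicy`; for a tag other than `latest` Kubernetes defaults to `IfNotPresent`, so a forced rollout can land on a node that already has an older `ansichtkaarten:master` cached and run that. Add `imagePullPolicy: Always` directly under the `image:` line. The Deployment also carries no `resources` limits and no `securityContext` for a container reachable from the internet through the Ingress; the diffstat lists `k8s/galerie/main.yml` and `k8s/galerie/staging.yml`, not visible here, which probably deserve the same check.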
@@ -0,0 +1,93 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: drone-deployment
+ namespace: drone
+ labels:
+ app: drone-deployment
+ # keel.sh/policy: force
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: drone-deployment
+ template:
+ metadata:
+ labels:
+ app: drone-deployment
+ spec:
+ containers:
+ - name: drone-deployment
+ image: drone/drone:2
+ ports:
+ - containerPort: 80
+ env:
+ - name: DRONE_GITEA_CLIENT_ID
+ valueFrom:
+ secretKeyRef:
+ name: drone-secrets
+ key: DRONE_GITEA_CLIENT_ID
+ - name: DRONE_GITEA_CLIENT_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: drone-secrets
+ key: DRONE_GITEA_CLIENT_SECRET
+ - name: DRONE_GITEA_SERVER
+ valueFrom:
+ secretKeyRef:
+ name: drone-secrets
+ key: DRONE_GITEA_SERVER
+ - name: DRONE_GIT_ALWAYS_AUTH
+ valueFrom:
+ secretKeyRef:
+ name: drone-secrets
+ key: DRONE_GIT_ALWAYS_AUTH
+ - name: DRONE_RPC_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: drone-secrets
+ key: DRONE_RPC_SECRET
+ - name: DRONE_SERVER_HOST
+ valueFrom:
+ secretKeyRef:
+ name: drone-secrets
+ key: DRONE_SERVER_HOST
+ - name: DRONE_SERVER_PROTO
+ valueFrom:
+ secretKeyRef:
+ name: drone-secrets
+ key: DRONE_SERVER_PROTO
+ imagePullSecrets:
+ - name: regcred
+---
+apiVersion: v1
+kind: Service
+metadata:
+ namespace: drone
+ name: drone-deployment-service
+spec:
+ selector:
+ app: drone-deployment
+ ports:
+ - protocol: TCP
+ port: 80
+ targetPort: 80
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ namespace: drone
+ name: drone-deployment-ingress
+spec:
+ rules:
+ - host: "drone.voidcorp.nl"
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: drone-deployment-service
+ port:
+ number: 80
+
diff --git a/k8s/drone/namespace.yml b/k8s/drone/namespace.yml
new file mode 100644
index 0000000..f9449c6
--- /dev/null
+++ b/k8s/drone/namespace.yml
@@ -0,0 +1,6 @@
+kind: Namespace
+apiVersion: v1
+metadata:
+ name: drone
+ labels:
+ name: drone
\ No newline at end of file
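Review bot: The server Deployment mounts no volume, and none of the visible env entries configure an external database, so unless `drone-secrets` also carries `DRONE_DATABASE_*` settings the server keeps its SQLite state under `/data` inside the container and loses every user, repository and build record on each pod restart or image update. A `persistentVolumeClaim` (or a `hostPath` on this single-node cluster) mounted at `/data` would fix that. Separately, `imagePullSecrets: regcred` is not needed for the public `drone/drone:2` image, and with the keel annotation commented out a moving `:2` tag only advances when the pod happens to be recreated, so pinning a full version would make upgrades deliberate.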
diff --git a/k8s/drone/runner-rbac.yml b/k8s/drone/runner-rbac.yml
new file mode 100644
index 0000000..0149dcd
--- /dev/null
+++ b/k8s/drone/runner-rbac.yml
@@ -0,0 +1,40 @@
+kind: Role
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ namespace: drone
+ name: drone
+rules:
+- apiGroups:
+ - ""
+ resources:
+ - secrets
+ verbs:
+ - create
+ - delete
+- apiGroups:
+ - ""
+ resources:
+ - pods
+ - pods/log
+ verbs:
+ - get
+ - create
+ - delete
+ - list
+ - watch
+ - update
+
+---
+kind: RoleBinding
+apiVersion: rbac.authorization.k8s.io/v1
+metadata:
+ name: drone
+ namespace: drone
+subjects:
+- kind: ServiceAccount
+ name: default
+ namespace: drone
+roleRef:
+ kind: Role
+ name: drone
+ apiGroup: rbac.authorization.k8s.io
\ No newline at end of file
diff --git a/k8s/drone/runner.yml b/k8s/drone/runner.yml
new file mode 100644
index 0000000..d8696be
--- /dev/null
+++ b/k8s/drone/runner.yml
@@ -0,0 +1,40 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: drone
+ namespace: drone
+ labels:
+ app.kubernetes.io/name: drone
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: drone
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: drone
+ spec:
+ containers:
+ - name: runner
+ image: drone/drone-runner-kube:latest
+ ports:
+ - containerPort: 3000
+ env:
+ - name: DRONE_RPC_SECRET
+ valueFrom:
+ secretKeyRef:
+ name: drone-secrets
+ key: DRONE_RPC_SECRET
+ - name: DRONE_RPC_HOST
+ valueFrom:
+ secretKeyRef:
+ name: drone-secrets
+ key: DRONE_SERVER_HOST
+ - name: DRONE_RPC_PROTO
+ valueFrom:
+ secretKeyRef:
+ name: drone-secrets
+ key: DRONE_SERVER_PROTO
+ - name: DRONE_NAMESPACE_DEFAULT
+ value: drone
\ No newline at end of file
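Review bot: The RoleBinding grants the Role to the `default` ServiceAccount of the `drone` namespace, but the server Deployment in `k8s/drone/drone.yml` sets no `serviceAccountName` either, so by default the internet-facing server pod also gets a token that can create and delete pods and Secrets in this namespace although only the runner needs those rights. Bind a dedicated ServiceAccount instead, reference it from `runner.yml` with `serviceAccountName: drone-runner`, and set `automountServiceAccountToken: false` on the server pod. The verb set itself (create/delete on secrets without get/list, the usual pod verbs) is appropriately narrow.
```yaml
---
apiVersion: v1
kind: ServiceAccount
metadata:
  name: drone-runner
  namespace: drone
---
# … unchanged: RoleBinding kind/apiVersion/metadata …
subjects:
- kind: ServiceAccount
  name: drone-runner
  namespace: drone
# … unchanged: roleRef …
```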
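Review bot: `drone/drone-runner-kube:latest` is an unpinned tag for the component that holds `DRONE_RPC_SECRET` and creates pipeline pods, so every pod restart may pull a different, unreviewed build; pin a version tag (ideally with a digest) and roll it forward through keel or an explicit bump. `DRONE_RPC_HOST` is also taken from `DRONE_SERVER_HOST`, which is the public hostname published by the Ingress, so runner-to-server RPC presumably leaves the cluster through nginx and comes back in rather than using the in-cluster Service; `value: drone-deployment-service.drone.svc` with `DRONE_RPC_PROTO` set to `http` would keep that traffic internal. As with the other manifests in this commit, no `securityContext` or `resources` are set.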
diff --git a/k8s/drone/secrets.yml b/k8s/drone/secrets.yml new file mode 100644 index 0000000000000000000000000000000000000000..9e0a7edc44439353ebfc048ef5062fb28e3fe073 GIT binary patch literal 487 zcmVj<}faC5S`D zFu-?vt+dxdLCAbH$l<$Dz|&3LZE4jTu;S{Ukf(R0DY^q&i@xOSl|-!xSRdo_M!?2VEGM^NZxW-3D78`J$5SoLm|SavjGNe5v%2|ajc zQg)+Djpxhwzj9c}WN?AaxQ!LS%%H)1a4V2DO@L&fjqd|#;8miv(pptVo>udMS9TlT9Tm)6E_br*8wl320_6|W&eB?%?&rW!M z?uOE_O~v{w*T#b<#9gKbEDkH1J(a}ETvdx&j9W9C9UVH<%sZ${xAv-VLoYg^zRnaM z+HOgK_AXbtb;Bg-Su