diff --git a/README.md b/README.md
index 97f8b67..ccc3e78 100644
--- a/README.md
+++ b/README.md
@@ -4,7 +4,10 @@
|-------------------------|--------------------------------------|---------------|--------------|------------|----------------------|----------------------|------------------|------------------------|-----------------------------------|
| Traefik | Reverse proxy and load balancer | Public* | Socrates | - | - | - | Configured | Configured | Completed |
| Vaultwarden | Password manager | Public | Pythagoras-b | MariaDB | - | 4AM K8s CronJob | Configured | Not available | Completed |
-| Gitlab | Version control system | Public | Pythagoras-b | PostgreSQL | User created content | 5AM internal CronJob | Configured | Configured | Completed4 |
+| Gitlab | Version control system | Public | Pythagoras-b | PostgreSQL | User created content | 5AM internal CronJob | Configured | Configured | Completed4 |
+| Prometheus | Metrics aggregator | Private | Pythagoras-b | TBD | - | Not configured | Configured | Configured | Partial |
+| Loki | Log aggregator | Private | Pythagoras-b | TBD | - | Not configured | Configured | Configured | Partial |
+| Grafana | Graph visualizer | Public | Pythagoras-b | - | - | Not configured | Configured | Configured | Partial |
| Adguard | DNS ad blocker and custom DNS server | Private | Socrates | - | - | - | Not configured | Not configured | Pending configuration1 |
| Owncloud Infinity Scale | File hosting webUI | Public | Plato | ? | Drive files | Not configured | Configured | Not available | Pending configuration2 |
| Synapse | Matrix server - Message centralizer | Public | Pythagoras-b | PostgreSQL | User medias | 4AM K8s CronJob | Configured | Configured | Pending configuration3 |
@@ -13,18 +16,15 @@
| Vikunja | To-do and Kanban boards | Public | Pythagoras-b | - | - | - | Not configured | Not configured | Migrate to Gitlab |
| Wiki | Documentation manager | Public | Pythagoras-b | - | - | - | Not configured | Not configured | Migrate to VuePress and Gitlab |
| PaperlessNG | PDF viewer and organiser | Public | Pythagoras-b | PostgreSQL | - | - | Not configured | Not configured | Research migration into OCIS |
-| Raspsnir | Bachelor memorial website | Public | Pythagoras-b | PostgreSQL | - | Not configured | Not configured | Not configured | Awaiting configuration |
| Jellyfin | Media streaming | Public | Archimedes | - | - | - | Not configured | Not configured | Awaiting configuration |
| Sonarr | TV shows collection manager | Private | Plato | SQLite** | Internal backups | Not configured | Not configured | Not configured | Awaiting configuration |
| Radarr | Movie collection manager | Private | Plato | SQLite** | Internal backups | Not configured | Not configured | Not configured | Awaiting configuration |
| Jackett | Torrent indexer | Private | Plato | - |
? | Not configured | Not configured | Not configured | Awaiting configuration |
| Deluge | Torrent client | Private | Plato | - | ? | - | Not configured | Not configured | Awaiting configuration |
| Minecraft | Vanilla minecraft server for friends | Public | Archimedes | - | Game map | Not configured | Not configured | Not configured | Awaiting configuration |
-| Satisfactory | Satisfactory server for friends | Public | Archimedes | - | Game map | Not configured | Not configured | Not configured | Awaiting configuration |
-| Space engineers | Space engineers server for friends | Public | Archimedes | - | Game map | Not configured | Not configured | Not configured | Awaiting configuration |
-| Prometheus | Metrics aggregator | Private | Pythagoras-b | TBD | - | Not configured | Configured | Configured | Partial |
-| Loki | Log aggregator | Private | Pythagoras-b | TBD | - | Not configured | Configured | Configured | Partial |
-| Grafana | Graph visualizer | Public | Pythagoras-b | - | - | Not configured | Configured | Configured | Partial |
+| Satisfactory | Satisfactory server for friends | Public | Archimedes | - | Game map | Not configured | Not configured | Not configured | Not needed for v1 |
+| Space engineers | Space engineers server for friends | Public | Archimedes | - | Game map | Not configured | Not configured | Not configured | Not needed for v1 |
+| Raspsnir | Bachelor memorial website | Public | Pythagoras-b | PostgreSQL | - | Not configured | Not configured | Not configured | Not needed for v1 |
\* Configuration panel only available internally
** Current implementation only support SQLite, making manual backups a necessity
@@ -57,7 +57,7 @@ longhorn
- Change host/deployment specific variables to use environment variables
- Write CI/CD pipeline to create environment loaded files
- Write CI/CD pipeline to deploy cluster
-- Setup internal traefik with nodeport as reverse proxy for internal only services
+- ~~Setup internal traefik with nodeport as reverse proxy for internal only services~~ Done through internal LB
- ~~Setup DB container sidecars for automated backups to Longhorn volume~~
- Setup secrets configuration through CI/CD variable injection
- Explore permission issues when issuing OVH API keys (not working for wildcard and `beta.halia.dev` subdomain)
@@ -95,3 +95,13 @@ Add longhorn storage classes
### Gitlab backup process
Because gitlab does not offer the possibility to backup a container's data from an external container, a cronjob has been implemented in the custom image used for deployment.
+
+### VPN configuration for Deluge
+Instead of adding an extra networking layer to the whole cluster, it seems like a better idea to just integrate a wireguard connection inside of the deluge image, and self-build everything within Gitlab registry.
+This image could utilize kubernetes secrets, including a "torrent-vpn" secret produces by the initial wireguard configuration done via Ansible.
+This ansible script could create one (or more) additional client(s) depending on the inventory configuration, and keep the "torrent-vpn" configuration file within a k3s formated file, inside of the auto-applied directory on CP.
+Cf : https://docs.k3s.io/advanced#auto-deploying-manifests
+
+### Development domains
+To access a service publicly when developping, the domain name should be *.beta.halia.dev
+To only expose a service internally, the domain name should be *.k3s.beta
diff --git a/metallb/configmap.yaml b/metallb/configmap.yaml
new file mode 100644
index 0000000..6149eb7
--- /dev/null
+++ b/metallb/configmap.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ namespace: metallb-system
+ name: config
+data:
+ config: |
+ ipaddress-pools:
+ - name: default
+ protocol: layer2
+ addresses:
+ - 10.20.0.1-10.20.0.100
diff --git a/metallb/ipaddresspool.yaml b/metallb/ipaddresspool.yaml
new file mode 100644
index 0000000..e9f6d29
--- /dev/null
+++ b/metallb/ipaddresspool.yaml
@@ -0,0 +1,9 @@
+apiVersion: metallb.io/v1beta1
+kind: IPAddressPool
+metadata:
+ name: base
+ namespace: metallb-system
+spec:
+ addresses:
+ - 10.19.66.247/32
+ - 10.10.0.64-10.10.0.69
diff --git a/traefik/dashboard.yaml b/traefik/dashboard.yaml
index 34d8abb..ce18f71 100644
--- a/traefik/dashboard.yaml
+++ b/traefik/dashboard.yaml
@@ -1,18 +1,4 @@
apiVersion: traefik.containo.us/v1alpha1
-kind: Middleware
-metadata:
- name: internal-ipwhitelist
-spec:
- ipWhiteList:
- sourceRange:
- - 10.10.0.1/24
- - 10.20.0.1/24
- - 10.42.1.1/24
- ipStrategy:
- depth: 0
-
----
-apiVersion: traefik.containo.us/v1alpha1
kind: IngressRoute
metadata:
name: traefik-dashboard
diff --git a/traefik/deployment.yaml b/traefik/deployment.yaml
index fafe8a6..a426504 100644
--- a/traefik/deployment.yaml
+++ b/traefik/deployment.yaml
@@ -94,7 +94,6 @@ spec:
mountPath: /tmp
args:
- "--global.checknewversion"
- - "--global.sendanonymoususage"
- "--entrypoints.admin.address=:8080/tcp"
- "--entrypoints.metrics.address=:9100/tcp"
- "--entrypoints.minecrafttcp.address=:25565/tcp"
@@ -110,6 +109,7 @@ spec:
- "--entrypoints.web.http.redirections.entryPoint.to=:443"
- "--entrypoints.web.http.redirections.entryPoint.scheme=https"
- "--log.level=DEBUG"
+ - "--accesslog=true"
- "--entrypoints.websecure.http.tls=true"
- "--entrypoints.websecure.http.tls.certresolver=letsencrypt"
- "--entrypoints.websecure.http.tls.domains[0].main=beta.halia.dev"
diff --git a/traefik/service.yaml b/traefik/service-external.yaml
similarity index 81%
rename from traefik/service.yaml
rename to traefik/service-external.yaml
index 86d98c5..d1c17b6 100644
--- a/traefik/service.yaml
+++ b/traefik/service-external.yaml
@@ -3,28 +3,25 @@
apiVersion: v1
kind: List
metadata:
- name: traefik
+ name: traefik-external
items:
- apiVersion: v1
kind: Service
metadata:
- name: traefik
+ name: traefik-external
labels:
- app.kubernetes.io/name: traefik
+ app.kubernetes.io/name: traefik-external
helm.sh/chart: traefik-10.24.2
app.kubernetes.io/managed-by: Helm
app.kubernetes.io/instance: traefik
annotations:
spec:
type: LoadBalancer
+ loadBalancerIP: 10.19.66.247
selector:
app.kubernetes.io/name: traefik
app.kubernetes.io/instance: traefik
ports:
- - port: 8080
- name: admin
- targetPort: "admin"
- protocol: TCP
- port: 25565
name: minecrafttcp
targetPort: "minecrafttcp"
diff --git a/traefik/service-internal.yaml b/traefik/service-internal.yaml
new file mode 100644
index 0000000..8a67e6d
--- /dev/null
+++ b/traefik/service-internal.yaml
@@ -0,0 +1,36 @@
+---
+# Source: traefik/templates/service.yaml
+apiVersion: v1
+kind: List
+metadata:
+ name: traefik-internal
+items:
+ - apiVersion: v1
+ kind: Service
+ metadata:
+ name: traefik-internal
+ labels:
+ app.kubernetes.io/name: traefik-internal
+ helm.sh/chart: traefik-10.24.2
+ app.kubernetes.io/managed-by: Helm
+ app.kubernetes.io/instance: traefik
+ annotations:
+ spec:
+ type: LoadBalancer
+ loadBalancerIP: 10.10.0.64
+ selector:
+ app.kubernetes.io/name: traefik
+ app.kubernetes.io/instance: traefik
+ ports:
+ - port: 25565
+ name: minecrafttcp
+ targetPort: "minecrafttcp"
+ protocol: TCP
+ - port: 80
+ name: web
+ targetPort: "web"
+ protocol: TCP
+ - port: 443
+ name: websecure
+ targetPort: "websecure"
+ protocol: TCP