chore(apps): Add catalog

chore: Remove Minecraft manifests
feat(metallb): Add local and wg IP address spaces
2025-03-27 20:23:21 +01:00 · 2025-03-24 18:14:10 +01:00 · 2025-03-24 18:11:47 +01:00 · 2025-03-24 17:50:16 +01:00 · 2025-03-24 17:49:41 +01:00 · 2025-03-24 17:46:02 +01:00
33 changed files with 477 additions and 83 deletions
--- a/apps/adguard.yaml
+++ b/apps/adguard.yaml
@ -0,0 +1,24 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: adguard
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  source:
    repoURL: https://git.halis.io/athens-school/adguard
    targetRevision: master
    path: manifests
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=false
      - ApplyOutOfSyncOnly=true
      - PruneLast=true
  destination:
    server: https://kubernetes.default.svc
    namespace: adguard
--- a/apps/dawarich.yaml
+++ b/apps/dawarich.yaml
@ -0,0 +1,24 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: dawarich
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  source:
    repoURL: https://git.halis.io/athens-school/dawarich
    targetRevision: master
    path: manifests
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=false
      - ApplyOutOfSyncOnly=true
      - PruneLast=true
  destination:
    server: https://kubernetes.default.svc
    namespace: dawarich
--- a/apps/ghostfolio.yaml
+++ b/apps/ghostfolio.yaml
@ -0,0 +1,24 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: ghostfolio
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  source:
    repoURL: https://git.halis.io/athens-school/ghostfolio
    targetRevision: master
    path: manifests
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=false
      - ApplyOutOfSyncOnly=true
      - PruneLast=true
  destination:
    server: https://kubernetes.default.svc
    namespace: ghostfolio
--- a/apps/immich.yaml
+++ b/apps/immich.yaml
@ -0,0 +1,24 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: immich
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  source:
    repoURL: https://git.halis.io/athens-school/immich
    targetRevision: master
    path: manifests
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=false
      - ApplyOutOfSyncOnly=true
      - PruneLast=true
  destination:
    server: https://kubernetes.default.svc
    namespace: immich
--- a/apps/mastodon.yaml
+++ b/apps/mastodon.yaml
@ -0,0 +1,24 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: mastodon
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  source:
    repoURL: https://git.halis.io/athens-school/mastodon
    targetRevision: master
    path: manifests
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=false
      - ApplyOutOfSyncOnly=true
      - PruneLast=true
  destination:
    server: https://kubernetes.default.svc
    namespace: mastodon
--- a/apps/mealie.yaml
+++ b/apps/mealie.yaml
@ -0,0 +1,24 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: mealie
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  source:
    repoURL: https://git.halis.io/athens-school/mealie
    targetRevision: master
    path: manifests
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=false
      - ApplyOutOfSyncOnly=true
      - PruneLast=true
  destination:
    server: https://kubernetes.default.svc
    namespace: mealie
--- a/apps/netbird.yaml
+++ b/apps/netbird.yaml
@ -0,0 +1,24 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: netbird
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  source:
    repoURL: https://git.halis.io/athens-school/netbird
    targetRevision: master
    path: manifests
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=false
      - ApplyOutOfSyncOnly=true
      - PruneLast=true
  destination:
    server: https://kubernetes.default.svc
    namespace: netbird
--- a/apps/paperless.yaml
+++ b/apps/paperless.yaml
@ -0,0 +1,24 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: paperless
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  source:
    repoURL: https://git.halis.io/athens-school/paperless
    targetRevision: master
    path: manifests
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=false
      - ApplyOutOfSyncOnly=true
      - PruneLast=true
  destination:
    server: https://kubernetes.default.svc
    namespace: paperless
--- a/apps/zitadel.yaml
+++ b/apps/zitadel.yaml
@ -0,0 +1,24 @@
 apiVersion: argoproj.io/v1alpha1
 kind: Application
 metadata:
  name: zitadel
  namespace: argocd
  finalizers:
    - resources-finalizer.argocd.argoproj.io
 spec:
  project: default
  source:
    repoURL: https://git.halis.io/athens-school/zitadel
    targetRevision: dev
    path: manifests
  syncPolicy:
    automated:
      prune: true
      selfHeal: true
    syncOptions:
      - CreateNamespace=false
      - ApplyOutOfSyncOnly=true
      - PruneLast=true
  destination:
    server: https://kubernetes.default.svc
    namespace: zitadel
--- a/environments/prod/bootstrap/kustomization.yaml
+++ b/environments/prod/bootstrap/kustomization.yaml
@ -3,18 +3,21 @@ kind: Kustomization
 resources:
  # MetalLB installation and configuration
- github.com/metallb/metallb/config/native?ref=v0.14.3
+- github.com/metallb/metallb/config/native?ref=v0.14.9
  # Traefik CRD
  #- https://raw.githubusercontent.com/traefik/traefik/v3.2/docs/content/reference/dynamic-configuration/kubernetes-crd-definition-v1.yml
  #- https://raw.githubusercontent.com/traefik/traefik/v3.2/docs/content/reference/dynamic-configuration/kubernetes-crd-rbac.yml
  # Cert manager CRD
- https://github.com/cert-manager/cert-manager/releases/download/v1.16.1/cert-manager.crds.yaml
+- https://github.com/cert-manager/cert-manager/releases/download/v1.16.2/cert-manager.crds.yaml
  # Longhorn CRD
- https://raw.githubusercontent.com/longhorn/longhorn/v1.7.2/deploy/longhorn.yaml
+- https://raw.githubusercontent.com/longhorn/longhorn/v1.8.1/deploy/longhorn.yaml
  # SOPS secrets operator CRDs
 - https://raw.githubusercontent.com/isindir/sops-secrets-operator/master/config/crd/bases/isindir.github.com_sopssecrets.yaml
  # Install CoudNativePG operator
- https://github.com/cloudnative-pg/cloudnative-pg/raw/refs/heads/main/releases/cnpg-1.24.1.yaml
+- https://github.com/cloudnative-pg/cloudnative-pg/raw/refs/heads/main/releases/cnpg-1.25.0.yaml
  # Install Valkey operator
  #- https://github.com/hyperspike/valkey-operator/releases/download/v0.0.57/install.yaml
  #- ../../../valkey-operator
 patches:
 - path: ./metallb-patch.yaml
--- a/longhorn/daily-backup.yaml
+++ b/longhorn/daily-backup.yaml
@ -0,0 +1,15 @@
 apiVersion: longhorn.io/v1beta1
 kind: RecurringJob
 metadata:
  name: daily-backup
  namespace: longhorn-system
 spec:
  cron: "0 0 * * *"
  task: backup
  groups:
  - standard-pvc
  retain: 2
  concurrency: 2
  labels:
    recurrence: daily
    group: standard-pvc
--- a/longhorn/hourly-snapshot.yaml
+++ b/longhorn/hourly-snapshot.yaml
@ -0,0 +1,15 @@
 apiVersion: longhorn.io/v1beta1
 kind: RecurringJob
 metadata:
  name: hourly-snapshot
  namespace: longhorn-system
 spec:
  cron: "0 * * * *"
  task: snapshot
  groups:
  - standard-pvc
  retain: 10
  concurrency: 2
  labels:
    recurrence: hourly
    group: standard-pvc
--- a/longhorn/kustomization.yaml
+++ b/longhorn/kustomization.yaml
@ -3,6 +3,9 @@ kind: Kustomization
 resources:
  - ingress.yaml
-  - recurrent-backup.yaml
+  - daily-backup.yaml
  - weekly-backup.yaml
  - monthly-backup.yaml
  - hourly-snapshot.yaml
  - secrets.yaml
  - servicemonitor.yaml
--- a/longhorn/monthly-backup.yaml
+++ b/longhorn/monthly-backup.yaml
@ -0,0 +1,15 @@
 apiVersion: longhorn.io/v1beta1
 kind: RecurringJob
 metadata:
  name: monthly-backup
  namespace: longhorn-system
 spec:
  cron: "0 0 1 * *"
  task: backup
  groups:
  - standard-pvc
  retain: 2
  concurrency: 2
  labels:
    recurrence: monthly
    group: standard-pvc
--- a/longhorn/weekly-backup.yaml
+++ b/longhorn/weekly-backup.yaml
@ -0,0 +1,15 @@
 apiVersion: longhorn.io/v1beta1
 kind: RecurringJob
 metadata:
  name: weekly-backup
  namespace: longhorn-system
 spec:
  cron: "0 0 * * 0"
  task: backup
  groups:
  - standard-pvc
  retain: 2
  concurrency: 2
  labels:
    recurrence: weekly
    group: standard-pvc
--- a/metallb/configmap.yaml
+++ b/metallb/configmap.yaml
@ -8,5 +8,6 @@ data:
    ipaddress-pools:
    - name: default
      addresses:
      - 10.10.0.0/24
      - 10.20.0.0/24
      - 51.15.80.73/32
--- a/metallb/ipaddresspool.yaml
+++ b/metallb/ipaddresspool.yaml
@ -7,3 +7,4 @@ spec:
  addresses:
    - 51.15.80.73/32
    - 10.10.0.0/24
    - 10.20.0.0/24
--- a/minecraft/deployment.yaml
+++ b/minecraft/deployment.yaml
@ -1,35 +0,0 @@
 apiVersion: apps/v1
 kind: Deployment
 metadata:
  name: minecraft
 spec:
  replicas: 1
  selector:
    matchLabels:
      app: minecraft
  template:
    metadata:
      labels:
        app: minecraft
    spec:
      containers:
        - name: minecraft
          image: itzg/minecraft-server
          ports:
            - containerPort: 25565
              protocol: TCP
          env:
            - name: EULA
              value: "TRUE"
          volumeMounts:
            - name: minecraft-data
              mountPath: /data/world
              subPath: world
      volumes:
        - name: minecraft-data
          persistentVolumeClaim:
              claimName: minecraft-pvc
      nodeSelector:
          kubernetes.io/hostname: "archimedes"
      securityContext:
          fsGroup: 1000
--- a/minecraft/ingress.yaml
+++ b/minecraft/ingress.yaml
@ -1,13 +0,0 @@
 apiVersion: traefik.containo.us/v1alpha1
 kind: IngressRouteTCP
 metadata:
    name: minecrafttcp
 spec:
    entryPoints:
      - minecrafttcp
    routes:
      - match: HostSNI(`*`)
        services:
          - name: minecraft-svc-tcp
            port: 25565
--- a/minecraft/pvc.yaml
+++ b/minecraft/pvc.yaml
@ -1,11 +0,0 @@
 apiVersion: v1
 kind: PersistentVolumeClaim
 metadata:
    name: minecraft-pvc
 spec:
    accessModes:
        - ReadWriteOnce
    resources:
        requests:
            storage: 5Gi
    storageClassName: flat-storage-class
--- a/minecraft/service.yaml
+++ b/minecraft/service.yaml
@ -1,12 +0,0 @@
 apiVersion: v1
 kind: Service
 metadata:
    name: minecraft-svc-tcp
 spec:
  type: ClusterIP
  ports:
    - protocol: TCP
      port: 25565
  selector:
    app: minecraft
--- a/nginx/external/deploy.yaml
+++ b/nginx/external/deploy.yaml
@ -351,6 +351,30 @@ spec:
    port: 443
    protocol: TCP
    targetPort: https
  - name: netbird-one-udp
    port: 3478
    protocol: UDP
    targetPort: netbird-one-udp
  - name: netbird-one-tcp
    port: 3478
    protocol: TCP
    targetPort: netbird-one-tcp
  - name: netbird-two-udp
    port: 5349
    protocol: UDP
    targetPort: netbird-two-udp
  - name: netbird-two-tcp
    port: 5349
    protocol: TCP
    targetPort: netbird-two-tcp
  - name: netbird-rel-tcp
    port: 33080
    protocol: TCP
    targetPort: netbird-rel-tcp
  - name: netbird-rel-udp
    port: 33080
    protocol: UDP
    targetPort: netbird-rel-udp
  - name: prometheus
    port: 10254
    protocol: TCP
@ -444,6 +468,8 @@ spec:
        - --validating-webhook-certificate=/usr/local/certificates/cert
        - --validating-webhook-key=/usr/local/certificates/key
        - --enable-metrics=true
        - --udp-services-configmap=$(POD_NAMESPACE)/nginx-external-ingress-udp-services
        - --tcp-services-configmap=$(POD_NAMESPACE)/nginx-external-ingress-tcp-services
        env:
        - name: POD_NAME
          valueFrom:
@ -480,6 +506,24 @@ spec:
        - containerPort: 443
          name: https
          protocol: TCP
        - containerPort: 3478
          name: netbird-one-udp
          protocol: UDP
        - containerPort: 3478
          name: netbird-one-tcp
          protocol: TCP
        - containerPort: 5349
          name: netbird-two-udp
          protocol: UDP
        - containerPort: 5349
          name: netbird-two-tcp
          protocol: TCP
        - containerPort: 33080
          name: netbird-rel-tcp
          protocol: TCP
        - containerPort: 33080
          name: netbird-rel-udp
          protocol: UDP
        - containerPort: 8443
          name: webhook
          protocol: TCP
--- a/nginx/external/kustomization.yaml
+++ b/nginx/external/kustomization.yaml
@ -4,4 +4,6 @@ kind: Kustomization
 resources:
  - deploy.yaml
  - loadbalancer.yaml
-  - networkpolicy.yaml
+  #- networkpolicy.yaml
  - udp-services.yaml
  - tcp-services.yaml
--- a/nginx/external/loadbalancer.yaml
+++ b/nginx/external/loadbalancer.yaml
@ -17,5 +17,29 @@ spec:
      port: 443
      protocol: TCP
      targetPort: 443
    - name: netbird-one-udp
      port: 3478
      protocol: UDP
      targetPort: 3478
    - name: netbird-one-tcp
      port: 3478
      protocol: TCP
      targetPort: 3478
    - name: netbird-two-udp
      port: 5349
      protocol: UDP
      targetPort: 5349
    - name: netbird-two-tcp
      port: 5349
      protocol: TCP
      targetPort: 5349
    - name: netbird-rel-udp
      port: 33080
      protocol: UDP
      targetPort: 33080
    - name: netbird-rel-tcp
      port: 33080
      protocol: TCP
      targetPort: 33080
  type: LoadBalancer
  externalTrafficPolicy: Local
--- a/nginx/external/networkpolicy.yaml
+++ b/nginx/external/networkpolicy.yaml
@ -21,8 +21,8 @@ spec:
          - 54.224.0.0/11 # Random crawler
    ports:
    - protocol: TCP
-      port: 80
+      port: 1
-    - protocol: TCP
+      endPort: 65535
-      port: 443
+    - protocol: UDP
-    - protocol: TCP
+      port: 1
-      port: 8443
+      endPort: 65535
--- a/nginx/external/tcp-services.yaml
+++ b/nginx/external/tcp-services.yaml
@ -0,0 +1,9 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: nginx-external-ingress-tcp-services
  namespace: nginx-ingress
 data:
  "3478": "netbird/netbird-turn-svc:3478"
  "5349": "netbird/netbird-turn-svc:5349"
  "33080": "netbird/netbird-relay-svc:33080"
--- a/nginx/external/udp-services.yaml
+++ b/nginx/external/udp-services.yaml
@ -0,0 +1,9 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: nginx-external-ingress-udp-services
  namespace: nginx-ingress
 data:
  "3478": "netbird/netbird-turn-svc:3478"
  "5349": "netbird/netbird-turn-svc:5349"
  "33080": "netbird/netbird-relay-svc:33080"
--- a/nginx/internal/deploy.yaml
+++ b/nginx/internal/deploy.yaml
@ -341,6 +341,14 @@ spec:
  - IPv4
  ipFamilyPolicy: SingleStack
  ports:
  - name: dns-tcp
    port: 53
    protocol: TCP
    targetPort: dns-tcp
  - name: dns-udp
    port: 53
    protocol: TCP
    targetPort: dns-udp
  - appProtocol: http
    name: http
    port: 80
@ -444,6 +452,8 @@ spec:
        - --validating-webhook-certificate=/usr/local/certificates/cert
        - --validating-webhook-key=/usr/local/certificates/key
        - --enable-metrics=true
        - --udp-services-configmap=$(POD_NAMESPACE)/nginx-internal-ingress-udp-services
        - --tcp-services-configmap=$(POD_NAMESPACE)/nginx-internal-ingress-tcp-services
        env:
        - name: POD_NAME
          valueFrom:
@ -474,6 +484,12 @@ spec:
          timeoutSeconds: 1
        name: controller
        ports:
        - containerPort: 53
          name: dns-tcp
          protocol: TCP
        - containerPort: 53
          name: dns-udp
          protocol: UDP
        - containerPort: 80
          name: http
          protocol: TCP
--- a/nginx/internal/kustomization.yaml
+++ b/nginx/internal/kustomization.yaml
@ -3,4 +3,7 @@ kind: Kustomization
 resources:
  - deploy.yaml
-  - loadbalancer.yaml
+  - loadbalancer-local.yaml
  - loadbalancer-vpn.yaml
  - udp-services.yaml
  - tcp-services.yaml
--- a/nginx/internal/loadbalancer-local.yaml
+++ b/nginx/internal/loadbalancer-local.yaml
@ -0,0 +1,30 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: nginx-internal-ingress-controller-loadbalancer-local
  namespace: nginx-ingress
 spec:
  selector:
    app.kubernetes.io/component: controller-internal
    app.kubernetes.io/instance: nginx-internal-ingress
    app.kubernetes.io/name: nginx-internal-ingress
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: 80
    - name: https
      port: 443
      protocol: TCP
      targetPort: 443
    - name: dns-tcp
      port: 53
      protocol: TCP
      targetPort: 53
    - name: dns-udp
      port: 53
      protocol: UDP
      targetPort: 53
  type: LoadBalancer
  externalTrafficPolicy: Local
  loadBalancerIP: 10.10.0.16
--- a/nginx/internal/loadbalancer-vpn.yaml
+++ b/nginx/internal/loadbalancer-vpn.yaml
@ -0,0 +1,30 @@
 apiVersion: v1
 kind: Service
 metadata:
  name: nginx-internal-ingress-controller-loadbalancer-vpn
  namespace: nginx-ingress
 spec:
  selector:
    app.kubernetes.io/component: controller-internal
    app.kubernetes.io/instance: nginx-internal-ingress
    app.kubernetes.io/name: nginx-internal-ingress
  ports:
    - name: http
      port: 80
      protocol: TCP
      targetPort: 80
    - name: https
      port: 443
      protocol: TCP
      targetPort: 443
    - name: dns-tcp
      port: 53
      protocol: TCP
      targetPort: 53
    - name: dns-udp
      port: 53
      protocol: UDP
      targetPort: 53
  type: LoadBalancer
  externalTrafficPolicy: Local
  loadBalancerIP: 10.20.0.1
--- a/nginx/internal/tcp-services.yaml
+++ b/nginx/internal/tcp-services.yaml
@ -0,0 +1,7 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: nginx-internal-ingress-tcp-services
  namespace: nginx-ingress
 data:
  "53": "adguard/adguard-svc:53"
--- a/nginx/internal/udp-services.yaml
+++ b/nginx/internal/udp-services.yaml
@ -0,0 +1,7 @@
 apiVersion: v1
 kind: ConfigMap
 metadata:
  name: nginx-internal-ingress-udp-services
  namespace: nginx-ingress
 data:
  "53": "adguard/adguard-svc:53"
Author	SHA1	Message	Date
Tanguy Herbron	b9e8bdea83	chore(apps): Add catalog	2025-03-27 20:23:21 +01:00
Tanguy Herbron	091f39b26d	chore: Remove Minecraft manifests	2025-03-24 18:14:10 +01:00
Tanguy Herbron	3906fcb7ff	feat(metallb): Add local and wg IP address spaces	2025-03-24 18:11:47 +01:00
Tanguy Herbron	560b74653c	feat(longhorn): Add backup/snapshot schedules	2025-03-24 17:50:16 +01:00
Tanguy Herbron	7084aa1257	feat(nginx): Add TCP/UDP port openings	2025-03-24 17:49:41 +01:00
Tanguy Herbron	05003237f6	chore(version): Bump numerous dependencies	2025-03-24 17:46:02 +01:00