From 89a6e08245c4eafa4acfa357e13e1753bc7411ae Mon Sep 17 00:00:00 2001 
From: Viktor Barzin Date: Mon, 23 Feb 2026 22:05:28 +0000 Subject: [PATCH] [ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability Phase 1 - Critical Security: - Netbox: move hardcoded DB/superuser passwords to variables - MeshCentral: disable public registration, add Authentik auth - Traefik: disable insecure API dashboard (api.insecure=false) - Traefik: configure forwarded headers with Cloudflare trusted IPs Phase 2 - Security Hardening: - Add security headers middleware (HSTS, X-Frame-Options, nosniff, etc.) - Add Kyverno pod security policies in audit mode (privileged, host namespaces, SYS_ADMIN, trusted registries) - Tighten rate limiting (avg=10, burst=50) - Add Authentik protection to grampsweb Phase 3 - Monitoring & Alerting: - Add critical service alerts (PostgreSQL, MySQL, Redis, Headscale, Authentik, Loki) - Increase Loki retention from 7 to 30 days (720h) - Add predictive PV filling alert (predict_linear) - Re-enable Hackmd and Privatebin down alerts Phase 4 - Reliability: - Add resource requests/limits to Redis, DBaaS, Technitium, Headscale, Vaultwarden, Uptime Kuma - Increase Alloy DaemonSet memory to 512Mi/1Gi Phase 6 - Maintainability: - Extract duplicated tiers locals to terragrunt.hcl generate block (removed from 67 stacks) - Replace hardcoded NFS IP 10.0.10.15 with var.nfs_server (114 instances across 63 files) - Replace hardcoded Redis/PostgreSQL/MySQL/Ollama/mail host references with variables across ~35 stacks - Migrate xray raw ingress resources to ingress_factory modules --- stacks/actualbudget/factory/main.tf | 3 +- stacks/actualbudget/main.tf | 9 - stacks/affine/main.tf | 21 +- stacks/audiobookshelf/main.tf | 18 +- stacks/blog/main.tf | 9 - stacks/calibre/main.tf | 22 +- stacks/changedetection/main.tf | 12 +- stacks/city-guesser/main.tf | 9 - stacks/coturn/main.tf | 9 - stacks/cyberchef/main.tf | 9 - stacks/dashy/main.tf | 9 - stacks/dawarich/main.tf | 18 +- stacks/diun/main.tf | 12 +- 
stacks/ebook2audiobook/main.tf | 18 +- stacks/echo/main.tf | 9 - stacks/excalidraw/main.tf | 12 +- stacks/f1-stream/main.tf | 12 +- stacks/forgejo/main.tf | 12 +- stacks/freedify/main.tf | 9 - stacks/freshrss/main.tf | 14 +- stacks/frigate/main.tf | 14 +- stacks/grampsweb/main.tf | 26 +-- stacks/hackmd/main.tf | 15 +- stacks/health/main.tf | 15 +- stacks/homepage/main.tf | 9 - stacks/immich/main.tf | 33 ++- stacks/isponsorblocktv/main.tf | 12 +- stacks/jsoncrack/main.tf | 9 - stacks/k8s-dashboard/main.tf | 9 - stacks/kms/main.tf | 9 - stacks/linkwarden/main.tf | 12 +- stacks/matrix/main.tf | 12 +- stacks/meshcentral/main.tf | 19 +- stacks/n8n/main.tf | 15 +- stacks/navidrome/main.tf | 14 +- stacks/netbox/main.tf | 24 +-- stacks/networking-toolbox/main.tf | 9 - stacks/nextcloud/chart_values.yaml | 4 +- stacks/nextcloud/main.tf | 20 +- stacks/ntfy/main.tf | 12 +- stacks/ollama/main.tf | 19 +- stacks/onlyoffice/main.tf | 18 +- stacks/openclaw/main.tf | 17 +- stacks/osm_routing/main.tf | 16 +- stacks/owntracks/main.tf | 12 +- stacks/paperless-ngx/main.tf | 18 +- stacks/platform/main.tf | 38 ++-- stacks/platform/modules/authentik/main.tf | 3 +- stacks/platform/modules/authentik/values.yaml | 2 +- stacks/platform/modules/crowdsec/main.tf | 3 +- stacks/platform/modules/crowdsec/values.yaml | 4 +- stacks/platform/modules/dbaas/main.tf | 35 ++- stacks/platform/modules/headscale/main.tf | 27 ++- .../modules/infra-maintenance/main.tf | 3 +- .../modules/kyverno/security-policies.tf | 203 ++++++++++++++++++ stacks/platform/modules/mailserver/main.tf | 5 +- .../modules/mailserver/roundcubemail.tf | 7 +- stacks/platform/modules/monitoring/alloy.yaml | 4 +- stacks/platform/modules/monitoring/grafana.tf | 7 +- .../monitoring/grafana_chart_values.yaml | 2 +- stacks/platform/modules/monitoring/loki.tf | 4 +- stacks/platform/modules/monitoring/loki.yaml | 2 +- stacks/platform/modules/monitoring/main.tf | 1 + .../platform/modules/monitoring/prometheus.tf | 3 +- 
.../monitoring/prometheus_chart_values.tpl | 79 +++++-- stacks/platform/modules/nvidia/main.tf | 2 +- stacks/platform/modules/redis/main.tf | 14 +- stacks/platform/modules/technitium/main.tf | 22 +- stacks/platform/modules/traefik/main.tf | 9 +- stacks/platform/modules/traefik/middleware.tf | 29 ++- stacks/platform/modules/uptime-kuma/main.tf | 16 +- stacks/platform/modules/vaultwarden/main.tf | 18 +- stacks/platform/modules/xray/main.tf | 129 +++-------- stacks/plotting-book/main.tf | 9 - stacks/poison-fountain/main.tf | 14 +- stacks/privatebin/main.tf | 12 +- stacks/real-estate-crawler/main.tf | 60 ++++-- stacks/reloader/main.tf | 10 - stacks/resume/main.tf | 15 +- stacks/rybbit/main.tf | 15 +- stacks/send/main.tf | 15 +- stacks/servarr/aiostreams/main.tf | 3 +- stacks/servarr/lidarr/main.tf | 7 +- stacks/servarr/listenarr/main.tf | 5 +- stacks/servarr/main.tf | 9 - stacks/servarr/prowlarr/main.tf | 5 +- stacks/servarr/qbittorrent/main.tf | 5 +- stacks/servarr/readarr/main.tf | 5 +- stacks/servarr/soulseek/main.tf | 5 +- stacks/shadowsocks/main.tf | 9 - stacks/speedtest/main.tf | 15 +- stacks/stirling-pdf/main.tf | 12 +- stacks/tandoor/main.tf | 18 +- stacks/tor-proxy/main.tf | 9 - stacks/travel_blog/main.tf | 9 - stacks/tuya-bridge/main.tf | 9 - stacks/url/main.tf | 12 +- stacks/wealthfolio/main.tf | 12 +- stacks/webhook_handler/main.tf | 9 - stacks/whisper/main.tf | 14 +- stacks/woodpecker/main.tf | 22 +- stacks/woodpecker/values.yaml | 2 +- stacks/ytdlp/main.tf | 20 +- terragrunt.hcl | 18 ++ 104 files changed, 773 insertions(+), 920 deletions(-) create mode 100644 stacks/platform/modules/kyverno/security-policies.tf diff --git a/stacks/actualbudget/factory/main.tf b/stacks/actualbudget/factory/main.tf index 35d2e722..6728f548 100644 --- a/stacks/actualbudget/factory/main.tf +++ b/stacks/actualbudget/factory/main.tf 
@@ -12,6 +12,7 @@ variable "budget_encryption_password" { type = string default = null # If not passed, we won't run banksync ;known after initial installation } +variable "nfs_server" { type = string } resource "kubernetes_deployment" "actualbudget" { metadata { @@ -59,7 +60,7 @@ resource "kubernetes_deployment" "actualbudget" { name = "data" nfs { path = "/mnt/main/actualbudget/${var.name}" - server = "10.0.10.15" + server = var.nfs_server } } } diff --git a/stacks/actualbudget/main.tf b/stacks/actualbudget/main.tf index a9a99446..40339b02 100644 --- a/stacks/actualbudget/main.tf +++ b/stacks/actualbudget/main.tf @@ -1,15 +1,6 @@ variable "tls_secret_name" { type = string } variable "actualbudget_credentials" { type = map(any) } -locals { - tiers = { - core = "0-core" - cluster = "1-cluster" - gpu = "2-gpu" - edge = "3-edge" - aux = "4-aux" - } -} # To create a new deployment: /** diff --git a/stacks/affine/main.tf b/stacks/affine/main.tf index 07406113..0e5c3742 100644 --- a/stacks/affine/main.tf +++ b/stacks/affine/main.tf @@ -1,16 +1,11 @@ variable "tls_secret_name" { type = string } variable "affine_postgresql_password" { type = string } variable "mailserver_accounts" { type = map(any) } +variable "nfs_server" { type = string } +variable "redis_host" { type = string } +variable "postgresql_host" { type = string } +variable "mail_host" { type = string } -locals { - tiers = { - core = "0-core" - cluster = "1-cluster" - gpu = "2-gpu" - edge = "3-edge" - aux = "4-aux" - } -} resource "kubernetes_namespace" "affine" { metadata { @@ -31,11 +26,11 @@ locals { common_env = [ { name = "DATABASE_URL" - value = "postgresql://affine:${var.affine_postgresql_password}@postgresql.dbaas.svc.cluster.local:5432/affine" + value = "postgresql://affine:${var.affine_postgresql_password}@${var.postgresql_host}:5432/affine" }, { name = "REDIS_SERVER_HOST" - value = "redis.redis.svc.cluster.local" + value = var.redis_host }, { name = "AFFINE_INDEXER_ENABLED" 
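Review bot: The new `variable "nfs_server" { type = string }` in actualbudget/factory has no description and no constraint, yet it now decides which host every NFS volume in this stack mounts; an empty string or a typo in the terragrunt input would be accepted and rendered into the Deployment. A short `validation` block that rejects an empty value, plus a `description = "NFS server (IP or hostname) that backs the /mnt/main exports"`, makes the contract explicit; since the same declaration is repeated across ~60 stacks in this commit, it is worth fixing the pattern once and applying it everywhere. The `nfs { … }` volume it feeds is mounted read-write with no `read_only` flag, unchanged from before.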
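Review bot: The rewritten `DATABASE_URL` in the affine `common_env` hunk still splices `var.affine_postgresql_password` raw into a URL, so a password containing `@`, `/`, `:` or `%` yields an unparseable DSN, and the secret remains readable in the rendered Deployment (`kubectl get deploy -o yaml`) even though only the host moved to a variable. At minimum encode it: `value = "postgresql://affine:${urlencode(var.affine_postgresql_password)}@${var.postgresql_host}:5432/affine"`. The proper fix is a Kubernetes Secret holding the full URL and a `value_from { secret_key_ref { … } }` entry instead of a plain `value`, which this phase-1 cleanup does not attempt. The `common_env` local continues outside the hunk, and the new `postgresql_host`/`redis_host`/`mail_host` variables carry neither a description nor validation.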
@@ -57,7 +52,7 @@ locals { # Email/SMTP configuration { name = "MAILER_HOST" - value = "mailserver.viktorbarzin.me" + value = var.mail_host }, { name = "MAILER_PORT" @@ -187,7 +182,7 @@ resource "kubernetes_deployment" "affine" { volume { name = "data" nfs { - server = "10.0.10.15" + server = var.nfs_server path = "/mnt/main/affine" } } diff --git a/stacks/audiobookshelf/main.tf b/stacks/audiobookshelf/main.tf index b3015430..04d77295 100644 --- a/stacks/audiobookshelf/main.tf +++ b/stacks/audiobookshelf/main.tf @@ -1,14 +1,6 @@ variable "tls_secret_name" { type = string } +variable "nfs_server" { type = string } -locals { - tiers = { - core = "0-core" - cluster = "1-cluster" - gpu = "2-gpu" - edge = "3-edge" - aux = "4-aux" - } -} resource "kubernetes_namespace" "audiobookshelf" { metadata { @@ -83,28 +75,28 @@ resource "kubernetes_deployment" "audiobookshelf" { name = "audiobooks" nfs { path = "/mnt/main/audiobookshelf/audiobooks" - server = "10.0.10.15" + server = var.nfs_server } } volume { name = "podcasts" nfs { path = "/mnt/main/audiobookshelf/podcasts" - server = "10.0.10.15" + server = var.nfs_server } } volume { name = "config" nfs { path = "/mnt/main/audiobookshelf/config" - server = "10.0.10.15" + server = var.nfs_server } } volume { name = "metadata" nfs { path = "/mnt/main/audiobookshelf/metadata" - server = "10.0.10.15" + server = var.nfs_server } } } diff --git a/stacks/blog/main.tf b/stacks/blog/main.tf index 0235cb53..018eff14 100644 --- a/stacks/blog/main.tf +++ b/stacks/blog/main.tf @@ -1,14 +1,5 @@ variable "tls_secret_name" { type = string } -locals { - tiers = { - core = "0-core" - cluster = "1-cluster" - gpu = "2-gpu" - edge = "3-edge" - aux = "4-aux" - } -} resource "kubernetes_namespace" "website" { metadata { diff --git a/stacks/calibre/main.tf b/stacks/calibre/main.tf index b3f26691..d330925a 100644 --- a/stacks/calibre/main.tf +++ b/stacks/calibre/main.tf 
@@ -1,15 +1,7 @@ variable "tls_secret_name" { type = string } variable "homepage_credentials" { type = map(any) } +variable "nfs_server" { type = string } -locals { - tiers = { - core = "0-core" - cluster = "1-cluster" - gpu = "2-gpu" - edge = "3-edge" - aux = "4-aux" - } -} resource "kubernetes_namespace" "calibre" { metadata { @@ -94,7 +86,7 @@ module "tls_secret" { # name = "data" # nfs { # path = "/mnt/main/calibre" -# server = "10.0.10.15" +# server = var.nfs_server # } # } # } @@ -181,21 +173,21 @@ resource "kubernetes_deployment" "calibre-web-automated" { name = "library" nfs { path = "/mnt/main/calibre-web-automated/calibre-library" - server = "10.0.10.15" + server = var.nfs_server } } volume { name = "config" nfs { path = "/mnt/main/calibre-web-automated/config" - server = "10.0.10.15" + server = var.nfs_server } } volume { name = "ingest" nfs { path = "/mnt/main/calibre-web-automated/cwa-book-ingest" - server = "10.0.10.15" + server = var.nfs_server } } } @@ -292,14 +284,14 @@ resource "kubernetes_deployment" "annas-archive-stacks" { name = "config" nfs { path = "/mnt/main/calibre-web-automated/stacks" - server = "10.0.10.15" + server = var.nfs_server } } volume { name = "ingest" nfs { path = "/mnt/main/calibre-web-automated/cwa-book-ingest" - server = "10.0.10.15" + server = var.nfs_server } } } diff --git a/stacks/changedetection/main.tf b/stacks/changedetection/main.tf index b05307ed..76f1fe15 100644 --- a/stacks/changedetection/main.tf +++ b/stacks/changedetection/main.tf @@ -1,14 +1,6 @@ variable "tls_secret_name" { type = string } +variable "nfs_server" { type = string } -locals { - tiers = { - core = "0-core" - cluster = "1-cluster" - gpu = "2-gpu" - edge = "3-edge" - aux = "4-aux" - } -} resource "kubernetes_namespace" "changedetection" { metadata { @@ -104,7 +96,7 @@ resource "kubernetes_deployment" "changedetection" { name = "data" nfs { path = "/mnt/main/changedetection" - server = "10.0.10.15" + server = var.nfs_server } } } 
diff --git a/stacks/city-guesser/main.tf b/stacks/city-guesser/main.tf index cd402610..695e1f08 100644 --- a/stacks/city-guesser/main.tf +++ b/stacks/city-guesser/main.tf @@ -1,14 +1,5 @@ variable "tls_secret_name" { type = string } -locals { - tiers = { - core = "0-core" - cluster = "1-cluster" - gpu = "2-gpu" - edge = "3-edge" - aux = "4-aux" - } -} resource "kubernetes_namespace" "city-guesser" { metadata { diff --git a/stacks/coturn/main.tf b/stacks/coturn/main.tf index 4085dabc..511ca0f3 100644 --- a/stacks/coturn/main.tf +++ b/stacks/coturn/main.tf @@ -2,15 +2,6 @@ variable "tls_secret_name" { type = string } variable "coturn_turn_secret" { type = string } variable "public_ip" { type = string } -locals { - tiers = { - core = "0-core" - cluster = "1-cluster" - gpu = "2-gpu" - edge = "3-edge" - aux = "4-aux" - } -} locals { turn_realm = "viktorbarzin.me" diff --git a/stacks/cyberchef/main.tf b/stacks/cyberchef/main.tf index 4fcd450c..225c5454 100644 --- a/stacks/cyberchef/main.tf +++ b/stacks/cyberchef/main.tf @@ -1,14 +1,5 @@ variable "tls_secret_name" { type = string } -locals { - tiers = { - core = "0-core" - cluster = "1-cluster" - gpu = "2-gpu" - edge = "3-edge" - aux = "4-aux" - } -} resource "kubernetes_namespace" "cyberchef" { metadata { diff --git a/stacks/dashy/main.tf b/stacks/dashy/main.tf index 8b9bbbe5..1830b515 100644 --- a/stacks/dashy/main.tf +++ b/stacks/dashy/main.tf @@ -1,14 +1,5 @@ variable "tls_secret_name" { type = string } -locals { - tiers = { - core = "0-core" - cluster = "1-cluster" - gpu = "2-gpu" - edge = "3-edge" - aux = "4-aux" - } -} module "tls_secret" { source = "../../modules/kubernetes/setup_tls_secret" diff --git a/stacks/dawarich/main.tf b/stacks/dawarich/main.tf index 1a3e351b..f63e65c7 100644 --- a/stacks/dawarich/main.tf +++ b/stacks/dawarich/main.tf 
@@ -2,20 +2,14 @@ variable "tls_secret_name" { type = string } variable "dawarich_database_password" { type = string } variable "geoapify_api_key" { type = string } -locals { - tiers = { - core = "0-core" - cluster = "1-cluster" - gpu = "2-gpu" - edge = "3-edge" - aux = "4-aux" - } -} variable "image_version" { type = string default = "0.37.1" } +variable "nfs_server" { type = string } +variable "redis_host" { type = string } +variable "postgresql_host" { type = string } resource "kubernetes_namespace" "dawarich" { metadata { @@ -82,11 +76,11 @@ resource "kubernetes_deployment" "dawarich" { args = ["bin/dev"] env { name = "REDIS_URL" - value = "redis://redis.redis.svc.cluster.local:6379" + value = "redis://${var.redis_host}:6379" } env { name = "DATABASE_HOST" - value = "postgresql.dbaas" + value = var.postgresql_host } env { name = "DATABASE_USERNAME" @@ -272,7 +266,7 @@ resource "kubernetes_deployment" "dawarich" { # name = "data" # nfs { # path = "/mnt/main/photon" -# server = "10.0.10.15" +# server = var.nfs_server # } # } # } diff --git a/stacks/diun/main.tf b/stacks/diun/main.tf index 8f0d2d1b..f756b708 100644 --- a/stacks/diun/main.tf +++ b/stacks/diun/main.tf @@ -1,16 +1,8 @@ variable "tls_secret_name" { type = string } variable "diun_nfty_token" { type = string } variable "diun_slack_url" { type = string } +variable "nfs_server" { type = string } -locals { - tiers = { - core = "0-core" - cluster = "1-cluster" - gpu = "2-gpu" - edge = "3-edge" - aux = "4-aux" - } -} resource "kubernetes_namespace" "diun" { metadata { @@ -176,7 +168,7 @@ resource "kubernetes_deployment" "diun" { name = "data" nfs { path = "/mnt/main/diun" - server = "10.0.10.15" + server = var.nfs_server } } } diff --git a/stacks/ebook2audiobook/main.tf b/stacks/ebook2audiobook/main.tf index 8fd9864d..32914d99 100644 --- a/stacks/ebook2audiobook/main.tf +++ b/stacks/ebook2audiobook/main.tf 
@@ -1,14 +1,6 @@ variable "tls_secret_name" { type = string } +variable "nfs_server" { type = string } -locals { - tiers = { - core = "0-core" - cluster = "1-cluster" - gpu = "2-gpu" - edge = "3-edge" - aux = "4-aux" - } -} module "tls_secret" { source = "../../modules/kubernetes/setup_tls_secret" @@ -98,7 +90,7 @@ resource "kubernetes_deployment" "ebook2audiobook" { volume { name = "data" nfs { - server = "10.0.10.15" + server = var.nfs_server path = "/mnt/main/ebook2audiobook" } } @@ -199,7 +191,7 @@ resource "kubernetes_service" "ebook2audiobook" { # volume { # name = "data" # nfs { -# server = "10.0.10.15" +# server = var.nfs_server # path = "/mnt/main/piper" # } # } @@ -288,7 +280,7 @@ resource "kubernetes_deployment" "audiblez" { volume { name = "data" nfs { - server = "10.0.10.15" + server = var.nfs_server path = "/mnt/main/audiblez" } } @@ -376,7 +368,7 @@ resource "kubernetes_deployment" "audiblez-web" { volume { name = "data" nfs { - server = "10.0.10.15" + server = var.nfs_server path = "/mnt/main/audiblez" } } diff --git a/stacks/echo/main.tf b/stacks/echo/main.tf index cfc98271..0d6ff2d0 100644 --- a/stacks/echo/main.tf +++ b/stacks/echo/main.tf @@ -1,14 +1,5 @@ variable "tls_secret_name" { type = string } -locals { - tiers = { - core = "0-core" - cluster = "1-cluster" - gpu = "2-gpu" - edge = "3-edge" - aux = "4-aux" - } -} resource "kubernetes_namespace" "echo" { metadata { diff --git a/stacks/excalidraw/main.tf b/stacks/excalidraw/main.tf index f13d8039..39de7e27 100644 --- a/stacks/excalidraw/main.tf +++ b/stacks/excalidraw/main.tf @@ -1,14 +1,6 @@ variable "tls_secret_name" { type = string } +variable "nfs_server" { type = string } -locals { - tiers = { - core = "0-core" - cluster = "1-cluster" - gpu = "2-gpu" - edge = "3-edge" - aux = "4-aux" - } -} resource "kubernetes_namespace" "excalidraw" { metadata { 
@@ -77,7 +69,7 @@ resource "kubernetes_deployment" "excalidraw" { volume { name = "data" nfs { - server = "10.0.10.15" + server = var.nfs_server path = "/mnt/main/excalidraw" } } diff --git a/stacks/f1-stream/main.tf b/stacks/f1-stream/main.tf index 27650931..8216a509 100644 --- a/stacks/f1-stream/main.tf +++ b/stacks/f1-stream/main.tf @@ -1,16 +1,8 @@ variable "tls_secret_name" { type = string } variable "coturn_turn_secret" { type = string } variable "public_ip" { type = string } +variable "nfs_server" { type = string } -locals { - tiers = { - core = "0-core" - cluster = "1-cluster" - gpu = "2-gpu" - edge = "3-edge" - aux = "4-aux" - } -} resource "kubernetes_namespace" "f1-stream" { metadata { @@ -97,7 +89,7 @@ resource "kubernetes_deployment" "f1-stream" { volume { name = "data" nfs { - server = "10.0.10.15" + server = var.nfs_server path = "/mnt/main/f1-stream" } } diff --git a/stacks/forgejo/main.tf b/stacks/forgejo/main.tf index 1fbc0cad..5852d346 100644 --- a/stacks/forgejo/main.tf +++ b/stacks/forgejo/main.tf @@ -1,14 +1,6 @@ variable "tls_secret_name" { type = string } +variable "nfs_server" { type = string } -locals { - tiers = { - core = "0-core" - cluster = "1-cluster" - gpu = "2-gpu" - edge = "3-edge" - aux = "4-aux" - } -} resource "kubernetes_namespace" "forgejo" { metadata { @@ -77,7 +69,7 @@ resource "kubernetes_deployment" "forgejo" { name = "data" nfs { path = "/mnt/main/forgejo" - server = "10.0.10.15" + server = var.nfs_server } } } diff --git a/stacks/freedify/main.tf b/stacks/freedify/main.tf index 1ab6ffe6..2a319de6 100644 --- a/stacks/freedify/main.tf +++ b/stacks/freedify/main.tf @@ -1,15 +1,6 @@ variable "tls_secret_name" { type = string } variable "freedify_credentials" { type = map(any) } -locals { - tiers = { - core = "0-core" - cluster = "1-cluster" - gpu = "2-gpu" - edge = "3-edge" - aux = "4-aux" - } -} # To create a new deployment: /** diff --git a/stacks/freshrss/main.tf b/stacks/freshrss/main.tf index 8ba17aa6..8fdd3fcb 100644 
--- a/stacks/freshrss/main.tf +++ b/stacks/freshrss/main.tf @@ -1,14 +1,6 @@ variable "tls_secret_name" { type = string } +variable "nfs_server" { type = string } -locals { - tiers = { - core = "0-core" - cluster = "1-cluster" - gpu = "2-gpu" - edge = "3-edge" - aux = "4-aux" - } -} module "tls_secret" { source = "../../modules/kubernetes/setup_tls_secret" @@ -88,14 +80,14 @@ resource "kubernetes_deployment" "freshrss" { name = "data" nfs { path = "/mnt/main/freshrss/data" - server = "10.0.10.15" + server = var.nfs_server } } volume { name = "extensions" nfs { path = "/mnt/main/freshrss/extensions" - server = "10.0.10.15" + server = var.nfs_server } } } diff --git a/stacks/frigate/main.tf b/stacks/frigate/main.tf index 264850d8..8e476044 100644 --- a/stacks/frigate/main.tf +++ b/stacks/frigate/main.tf @@ -1,14 +1,6 @@ variable "tls_secret_name" { type = string } +variable "nfs_server" { type = string } -locals { - tiers = { - core = "0-core" - cluster = "1-cluster" - gpu = "2-gpu" - edge = "3-edge" - aux = "4-aux" - } -} resource "kubernetes_namespace" "frigate" { metadata { @@ -120,7 +112,7 @@ resource "kubernetes_deployment" "frigate" { name = "config" nfs { path = "/mnt/main/frigate/config" - server = "10.0.10.15" + server = var.nfs_server } } volume { @@ -134,7 +126,7 @@ resource "kubernetes_deployment" "frigate" { name = "media" nfs { path = "/mnt/main/frigate/media" - server = "10.0.10.15" + server = var.nfs_server } } volume { diff --git a/stacks/grampsweb/main.tf b/stacks/grampsweb/main.tf index f4e827fb..3c817b04 100644 --- a/stacks/grampsweb/main.tf +++ b/stacks/grampsweb/main.tf 
@@ -1,15 +1,10 @@ variable "tls_secret_name" { type = string } variable "mailserver_accounts" { type = map(any) } +variable "nfs_server" { type = string } +variable "redis_host" { type = string } +variable "ollama_host" { type = string } +variable "mail_host" { type = string } -locals { - tiers = { - core = "0-core" - cluster = "1-cluster" - gpu = "2-gpu" - edge = "3-edge" - aux = "4-aux" - } -} resource "kubernetes_namespace" "grampsweb" { metadata { @@ -43,15 +38,15 @@ locals { }, { name = "GRAMPSWEB_CELERY_CONFIG__broker_url" - value = "redis://redis.redis.svc.cluster.local:6379/2" + value = "redis://${var.redis_host}:6379/2" }, { name = "GRAMPSWEB_CELERY_CONFIG__result_backend" - value = "redis://redis.redis.svc.cluster.local:6379/2" + value = "redis://${var.redis_host}:6379/2" }, { name = "GRAMPSWEB_RATELIMIT_STORAGE_URI" - value = "redis://redis.redis.svc.cluster.local:6379/3" + value = "redis://${var.redis_host}:6379/3" }, { name = "GRAMPSWEB_BASE_URL" @@ -63,7 +58,7 @@ locals { }, { name = "GRAMPSWEB_EMAIL_HOST" - value = "mail.viktorbarzin.me" + value = var.mail_host }, { name = "GRAMPSWEB_EMAIL_PORT" @@ -91,7 +86,7 @@ locals { }, { name = "GRAMPSWEB_LLM_BASE_URL" - value = "http://ollama.ollama.svc.cluster.local:11434/v1" + value = "http://${var.ollama_host}:11434/v1" }, { name = "GRAMPSWEB_LLM_MODEL" @@ -239,7 +234,7 @@ resource "kubernetes_deployment" "grampsweb" { volume { name = "data" nfs { - server = "10.0.10.15" + server = var.nfs_server path = "/mnt/main/grampsweb" } } @@ -276,4 +271,5 @@ module "ingress" { service_name = "grampsweb" tls_secret_name = var.tls_secret_name max_body_size = "500m" + protected = true } diff --git a/stacks/hackmd/main.tf b/stacks/hackmd/main.tf index fb5f8d86..b026eb80 100644 --- a/stacks/hackmd/main.tf +++ b/stacks/hackmd/main.tf 
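Review bot: `protected = true` on the grampsweb ingress module presumably puts Authentik forward-auth in front of the whole host (the ingress_factory module is not in this diff), and Gramps Web's frontend and mobile clients talk to its own token-authenticated `/api/` endpoints on that same host, so non-browser clients may start receiving an SSO redirect instead of a JSON response; confirm the module can exempt API paths or that only browser use is expected. The same file replaces `mail.viktorbarzin.me` with `var.mail_host`, while affine's `MAILER_HOST` earlier in this commit replaces `mailserver.viktorbarzin.me` with the identical variable — verify one value serves both, and that SMTP TLS verification still matches the new name if it is an in-cluster service address. A one-line comment next to `protected = true` stating what it enforces would save the next reader a trip into the module.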
@@ -1,15 +1,8 @@ variable "hackmd_db_password" { type = string } variable "tls_secret_name" { type = string } +variable "nfs_server" { type = string } +variable "mysql_host" { type = string } -locals { - tiers = { - core = "0-core" - cluster = "1-cluster" - gpu = "2-gpu" - edge = "3-edge" - aux = "4-aux" - } -} resource "kubernetes_namespace" "hackmd" { metadata { @@ -97,7 +90,7 @@ resource "kubernetes_deployment" "hackmd" { env { name = "CMD_DB_URL" # value = format("%s%s%s", "postgres://codimd:", var.hackmd_db_password, "@localhost/codimd") - value = format("%s%s%s", "mysql://codimd:", var.hackmd_db_password, "@mysql.dbaas/codimd") + value = format("%s%s%s", "mysql://codimd:", var.hackmd_db_password, "@${var.mysql_host}/codimd") } env { name = "CMD_USECDN" @@ -121,7 +114,7 @@ resource "kubernetes_deployment" "hackmd" { name = "data" nfs { path = "/mnt/main/hackmd" - server = "10.0.10.15" + server = var.nfs_server } # iscsi { # target_portal = "iscsi.viktorbarzin.lan:3260" diff --git a/stacks/health/main.tf b/stacks/health/main.tf index 428a865e..4e8c93fd 100644 --- a/stacks/health/main.tf +++ b/stacks/health/main.tf @@ -1,16 +1,9 @@ variable "tls_secret_name" { type = string } variable "health_postgresql_password" { type = string } variable "health_secret_key" { type = string } +variable "nfs_server" { type = string } +variable "postgresql_host" { type = string } -locals { - tiers = { - core = "0-core" - cluster = "1-cluster" - gpu = "2-gpu" - edge = "3-edge" - aux = "4-aux" - } -} resource "kubernetes_namespace" "health" { metadata { @@ -60,7 +53,7 @@ resource "kubernetes_deployment" "health" { env { name = "DATABASE_URL" - value = "postgresql+asyncpg://health:${var.health_postgresql_password}@postgresql.dbaas.svc.cluster.local:5432/health" + value = "postgresql+asyncpg://health:${var.health_postgresql_password}@${var.postgresql_host}:5432/health" } env { name = "SECRET_KEY" 
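Review bot: The new `CMD_DB_URL` value in the hackmd hunk mixes `format("%s%s%s", …)` with a `${var.mysql_host}` interpolation inside one of the format arguments, which is harder to read than either form alone and still embeds the password unescaped in a URL. A single template string does the same job and survives reserved characters in the password: `value = "mysql://codimd:${urlencode(var.hackmd_db_password)}@${var.mysql_host}/codimd"`. The commented-out postgres line above it is stale history and could go; as with the other stacks, the credential would be better served from a Secret via `value_from`. The `env` run continues outside the hunk.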
@@ -102,7 +95,7 @@ resource "kubernetes_deployment" "health" { volume { name = "uploads" nfs { - server = "10.0.10.15" + server = var.nfs_server path = "/mnt/main/health" } } diff --git a/stacks/homepage/main.tf b/stacks/homepage/main.tf index 107da13c..b88e6f53 100644 --- a/stacks/homepage/main.tf +++ b/stacks/homepage/main.tf @@ -1,14 +1,5 @@ variable "tls_secret_name" { type = string } -locals { - tiers = { - core = "0-core" - cluster = "1-cluster" - gpu = "2-gpu" - edge = "3-edge" - aux = "4-aux" - } -} module "tls_secret" { source = "../../modules/kubernetes/setup_tls_secret" diff --git a/stacks/immich/main.tf b/stacks/immich/main.tf index 4769ff40..2f05ec1e 100644 --- a/stacks/immich/main.tf +++ b/stacks/immich/main.tf @@ -3,21 +3,14 @@ variable "immich_postgresql_password" { type = string } variable "immich_frame_api_key" { type = string } variable "homepage_credentials" { type = map(any) } -locals { - tiers = { - core = "0-core" - cluster = "1-cluster" - gpu = "2-gpu" - edge = "3-edge" - aux = "4-aux" - } -} variable "immich_version" { type = string # Change me to upgrade default = "v2.5.6" } +variable "nfs_server" { type = string } +variable "redis_host" { type = string } module "tls_secret" { @@ -104,7 +97,7 @@ resource "kubernetes_deployment" "immich_server" { } env { name = "REDIS_HOSTNAME" - value = "redis.redis.svc.cluster.local" + value = var.redis_host } liveness_probe { @@ -176,7 +169,7 @@ resource "kubernetes_deployment" "immich_server" { # volume { # name = "library-old" # nfs { - # server = "10.0.10.15" + # server = var.nfs_server # path = "/mnt/main/immich/immich/" # } # } 
@@ -184,42 +177,42 @@ resource "kubernetes_deployment" "immich_server" { volume { name = "backups" nfs { - server = "10.0.10.15" + server = var.nfs_server path = "/mnt/main/immich/immich/backups" } } volume { name = "encoded-video" nfs { - server = "10.0.10.15" + server = var.nfs_server path = "/mnt/main/immich/immich/encoded-video" } } volume { name = "library" nfs { - server = "10.0.10.15" + server = var.nfs_server path = "/mnt/main/immich/immich/library" } } volume { name = "profile" nfs { - server = "10.0.10.15" + server = var.nfs_server path = "/mnt/main/immich/immich/profile" } } volume { name = "thumbs" nfs { - server = "10.0.10.15" + server = var.nfs_server path = "/mnt/ssd/immich/thumbs" } } volume { name = "upload" nfs { - server = "10.0.10.15" + server = var.nfs_server path = "/mnt/main/immich/immich/upload" } } @@ -305,7 +298,7 @@ resource "kubernetes_deployment" "immich-postgres" { name = "postgresql-persistent-storage" nfs { path = "/mnt/main/immich/data-immich-postgresql" - server = "10.0.10.15" + server = var.nfs_server } } } @@ -442,7 +435,7 @@ resource "kubernetes_deployment" "immich-machine-learning" { nfs { # path = "/mnt/main/immich/machine-learning" path = "/mnt/ssd/immich/machine-learning" # load cache from ssd - server = "10.0.10.15" + server = var.nfs_server } } } @@ -533,7 +526,7 @@ resource "kubernetes_cron_job_v1" "postgresql-backup" { name = "postgresql-backup" nfs { path = "/mnt/main/immich/data-immich-postgresql" - server = "10.0.10.15" + server = var.nfs_server } } } diff --git a/stacks/isponsorblocktv/main.tf b/stacks/isponsorblocktv/main.tf index 21b555ba..e5bff04d 100644 --- a/stacks/isponsorblocktv/main.tf +++ b/stacks/isponsorblocktv/main.tf @@ -1,12 +1,4 @@ -locals { - tiers = { - core = "0-core" - cluster = "1-cluster" - gpu = "2-gpu" - edge = "3-edge" - aux = "4-aux" - } -} +variable "nfs_server" { type = string } resource "kubernetes_namespace" "isponsorblocktv" { metadata { 
@@ -55,7 +47,7 @@ resource "kubernetes_deployment" "isponsorblocktv-vermont" { volume { name = "data" nfs { - server = "10.0.10.15" + server = var.nfs_server path = "/mnt/main/isponsorblocktv/vermont" } } diff --git a/stacks/jsoncrack/main.tf b/stacks/jsoncrack/main.tf index 16777af7..bbf573ac 100644 --- a/stacks/jsoncrack/main.tf +++ b/stacks/jsoncrack/main.tf @@ -1,14 +1,5 @@ variable "tls_secret_name" { type = string } -locals { - tiers = { - core = "0-core" - cluster = "1-cluster" - gpu = "2-gpu" - edge = "3-edge" - aux = "4-aux" - } -} resource "kubernetes_namespace" "jsoncrack" { metadata { diff --git a/stacks/k8s-dashboard/main.tf b/stacks/k8s-dashboard/main.tf index 0061837a..17915274 100644 --- a/stacks/k8s-dashboard/main.tf +++ b/stacks/k8s-dashboard/main.tf @@ -1,15 +1,6 @@ variable "tls_secret_name" { type = string } variable "client_certificate_secret_name" { type = string } -locals { - tiers = { - core = "0-core" - cluster = "1-cluster" - gpu = "2-gpu" - edge = "3-edge" - aux = "4-aux" - } -} resource "random_password" "csrf_token" { length = 16 diff --git a/stacks/kms/main.tf b/stacks/kms/main.tf index f9a52f46..f79a5e3e 100644 --- a/stacks/kms/main.tf +++ b/stacks/kms/main.tf @@ -1,14 +1,5 @@ variable "tls_secret_name" { type = string } -locals { - tiers = { - core = "0-core" - cluster = "1-cluster" - gpu = "2-gpu" - edge = "3-edge" - aux = "4-aux" - } -} resource "kubernetes_namespace" "kms" { metadata { diff --git a/stacks/linkwarden/main.tf b/stacks/linkwarden/main.tf index 5cb025d7..10ccdfae 100644 --- a/stacks/linkwarden/main.tf +++ b/stacks/linkwarden/main.tf 
@@ -2,16 +2,8 @@ variable "tls_secret_name" { type = string } variable "linkwarden_postgresql_password" { type = string } variable "linkwarden_authentik_client_id" { type = string } variable "linkwarden_authentik_client_secret" { type = string } +variable "postgresql_host" { type = string } -locals { - tiers = { - core = "0-core" - cluster = "1-cluster" - gpu = "2-gpu" - edge = "3-edge" - aux = "4-aux" - } -} resource "kubernetes_namespace" "linkwarden" { metadata { @@ -73,7 +65,7 @@ resource "kubernetes_deployment" "linkwarden" { } env { name = "DATABASE_URL" - value = "postgresql://linkwarden:${var.linkwarden_postgresql_password}@postgresql.dbaas.svc.cluster.local:5432/linkwarden" + value = "postgresql://linkwarden:${var.linkwarden_postgresql_password}@${var.postgresql_host}:5432/linkwarden" } env { name = "NEXT_PUBLIC_AUTHENTIK_ENABLED" diff --git a/stacks/matrix/main.tf b/stacks/matrix/main.tf index 8e3c4087..7f172b11 100644 --- a/stacks/matrix/main.tf +++ b/stacks/matrix/main.tf @@ -1,14 +1,6 @@ variable "tls_secret_name" { type = string } +variable "nfs_server" { type = string } -locals { - tiers = { - core = "0-core" - cluster = "1-cluster" - gpu = "2-gpu" - edge = "3-edge" - aux = "4-aux" - } -} resource "kubernetes_namespace" "matrix" { metadata { @@ -71,7 +63,7 @@ resource "kubernetes_deployment" "matrix" { volume { name = "data" nfs { - server = "10.0.10.15" + server = var.nfs_server path = "/mnt/main/matrix" } } diff --git a/stacks/meshcentral/main.tf b/stacks/meshcentral/main.tf index 6ccd8bc9..ba777b51 100644 --- a/stacks/meshcentral/main.tf +++ b/stacks/meshcentral/main.tf @@ -1,14 +1,6 @@ variable "tls_secret_name" { type = string } +variable "nfs_server" { type = string } -locals { - tiers = { - core = "0-core" - cluster = "1-cluster" - gpu = "2-gpu" - edge = "3-edge" - aux = "4-aux" - } -} resource "kubernetes_namespace" "meshcentral" { metadata { 
@@ -82,7 +74,7 @@ resource "kubernetes_deployment" "meshcentral" { } env { name = "ALLOW_NEW_ACCOUNTS" - value = "true" + value = "false" } env { name = "WEBRTC" @@ -106,21 +98,21 @@ resource "kubernetes_deployment" "meshcentral" { name = "data" nfs { path = "/mnt/main/meshcentral/meshcentral-data" - server = "10.0.10.15" + server = var.nfs_server } } volume { name = "files" nfs { path = "/mnt/main/meshcentral/meshcentral-files" - server = "10.0.10.15" + server = var.nfs_server } } volume { name = "backups" nfs { path = "/mnt/main/meshcentral/meshcentral-backups" - server = "10.0.10.15" + server = var.nfs_server } } } @@ -156,4 +148,5 @@ module "ingress" { name = "meshcentral" tls_secret_name = var.tls_secret_name port = 443 + protected = true } diff --git a/stacks/n8n/main.tf b/stacks/n8n/main.tf index 9410d432..a5bd7411 100644 --- a/stacks/n8n/main.tf +++ b/stacks/n8n/main.tf @@ -1,15 +1,8 @@ variable "tls_secret_name" { type = string } variable "n8n_postgresql_password" { type = string } +variable "nfs_server" { type = string } +variable "postgresql_host" { type = string } -locals { - tiers = { - core = "0-core" - cluster = "1-cluster" - gpu = "2-gpu" - edge = "3-edge" - aux = "4-aux" - } -} module "tls_secret" { source = "../../modules/kubernetes/setup_tls_secret" @@ -62,7 +55,7 @@ resource "kubernetes_deployment" "n8n" { } env { name = "DB_POSTGRESDB_HOST" - value = "postgresql.dbaas" + value = var.postgresql_host } env { name = "DB_POSTGRESDB_PORT" @@ -114,7 +107,7 @@ resource "kubernetes_deployment" "n8n" { name = "data" nfs { path = "/mnt/main/n8n" - server = "10.0.10.15" + server = var.nfs_server } } } diff --git a/stacks/navidrome/main.tf b/stacks/navidrome/main.tf index 5927ed12..e48300ec 100644 --- a/stacks/navidrome/main.tf +++ b/stacks/navidrome/main.tf 
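Review bot: `protected = true` on the meshcentral ingress (port 443) fronts the same hostname that MeshCentral agents use for their persistent agent and relay websockets; if, as the commit message suggests, this enables Authentik forward-auth for every path, enrolled agents will get a login redirect instead of an upgrade and drop offline, so check that the ingress_factory module (not in this diff) can exempt the agent endpoints, or keep MeshCentral's built-in login with 2FA instead. `ALLOW_NEW_ACCOUNTS = "false"` only stops self-registration and leaves existing accounts untouched; a comment such as `# Self-registration off: accounts are created by an admin` would make that intent explicit for the next reader. The deployment's env list continues outside the hunk.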
@@ -1,14 +1,6 @@ variable "tls_secret_name" { type = string } +variable "nfs_server" { type = string } -locals { - tiers = { - core = "0-core" - cluster = "1-cluster" - gpu = "2-gpu" - edge = "3-edge" - aux = "4-aux" - } -} resource "kubernetes_namespace" "navidrome" { metadata { @@ -79,7 +71,7 @@ resource "kubernetes_deployment" "navidrome" { name = "data" nfs { path = "/mnt/main/navidrome" - server = "10.0.10.15" + server = var.nfs_server } } volume { @@ -93,7 +85,7 @@ resource "kubernetes_deployment" "navidrome" { name = "lidarr" nfs { path = "/mnt/main/servarr/lidarr" - server = "10.0.10.15" + server = var.nfs_server } } } diff --git a/stacks/netbox/main.tf b/stacks/netbox/main.tf index 1796fdd8..457ab7e0 100644 --- a/stacks/netbox/main.tf +++ b/stacks/netbox/main.tf @@ -1,14 +1,10 @@ variable "tls_secret_name" { type = string } +variable "netbox_db_password" { type = string } +variable "netbox_superuser_password" { type = string } +variable "nfs_server" { type = string } +variable "redis_host" { type = string } +variable "postgresql_host" { type = string } -locals { - tiers = { - core = "0-core" - cluster = "1-cluster" - gpu = "2-gpu" - edge = "3-edge" - aux = "4-aux" - } -} resource "kubernetes_namespace" "netbox" { metadata { @@ -75,11 +71,11 @@ resource "kubernetes_deployment" "netbox" { } env { name = "DB_PASSWORD" - value = "ttPSBjF9oPLb49XZst3sGF" + value = var.netbox_db_password } env { name = "DB_HOST" - value = "postgresql.dbaas.svc.cluster.local" + value = var.postgresql_host } env { name = "DB_NAME" @@ -99,7 +95,7 @@ resource "kubernetes_deployment" "netbox" { } env { name = "REDIS_HOST" - value = "redis.redis" + value = var.redis_host } env { name = "ALLOWED_HOST" @@ -111,7 +107,7 @@ resource "kubernetes_deployment" "netbox" { } env { name = "SUPERUSER_PASSWORD" - value = "ttPSBjF9oPLb49XZst3sGFasdf" + value = var.netbox_superuser_password } env { name = "REMOTE_AUTH_ENABLED" 
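Review bot: Replacing the literal `DB_PASSWORD` and `SUPERUSER_PASSWORD` values with variables in the netbox hunks does not retire them — the removed strings remain in git history, so both credentials need rotating as part of this change, not only parameterising. Both are also still injected through a plain `value =`, which leaves them readable in the Deployment spec (`kubectl get deploy -o yaml`, pod describe output, cluster backups); a `kubernetes_secret` plus `value_from { secret_key_ref { … } }` keeps them out of the pod template. The same plain-env pattern remains for `MYSQL_ROOT_PASSWORD` and `POSTGRES_PASSWORD` in the dbaas hunks and for `DATABASE_URL` in linkwarden. The netbox deployment resource starts and ends outside these hunks.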
@@ -147,7 +143,7 @@ resource "kubernetes_deployment" "netbox" { # name = "data" # nfs { # path = "/mnt/main/netbox" - # server = "10.0.10.15" + # server = var.nfs_server # } # } } diff --git a/stacks/networking-toolbox/main.tf b/stacks/networking-toolbox/main.tf index c4744cc3..0c129dcb 100644 --- a/stacks/networking-toolbox/main.tf +++ b/stacks/networking-toolbox/main.tf @@ -1,14 +1,5 @@ variable "tls_secret_name" { type = string } -locals { - tiers = { - core = "0-core" - cluster = "1-cluster" - gpu = "2-gpu" - edge = "3-edge" - aux = "4-aux" - } -} resource "kubernetes_namespace" "networking-toolbox" { metadata { diff --git a/stacks/nextcloud/chart_values.yaml b/stacks/nextcloud/chart_values.yaml index cda04812..2825c518 100644 --- a/stacks/nextcloud/chart_values.yaml +++ b/stacks/nextcloud/chart_values.yaml @@ -28,13 +28,13 @@ nextcloud: externalRedis: enabled: true - host: redis.redis.svc.cluster.local + host: ${redis_host} # Currently not in use; we use the nextcloud.db sqlite3 externalDatabase: enabled: false type: mysql - host: mysql.dbaas.svc.cluster.local + host: ${mysql_host} user: nextcloud password: ${db_password} databse: nextcloud diff --git a/stacks/nextcloud/main.tf b/stacks/nextcloud/main.tf index b8a07e4e..b3c1a757 100644 --- a/stacks/nextcloud/main.tf +++ b/stacks/nextcloud/main.tf @@ -1,15 +1,9 @@ variable "tls_secret_name" { type = string } variable "nextcloud_db_password" { type = string } +variable "nfs_server" { type = string } +variable "redis_host" { type = string } +variable "mysql_host" { type = string } -locals { - tiers = { - core = "0-core" - cluster = "1-cluster" - gpu = "2-gpu" - edge = "3-edge" - aux = "4-aux" - } -} module "tls_secret" { source = "../../modules/kubernetes/setup_tls_secret" 
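Review bot: `databse: nextcloud` under `externalDatabase` in the nextcloud chart_values hunk is misspelled, so if that block is ever switched on the chart would ignore the key and fall back to its default database name; the hunk already touches this block, so correcting it to `database: nextcloud` is a cheap fix to fold in. It is currently harmless because the block is `enabled: false`.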
@@ -36,7 +30,7 @@ resource "helm_release" "nextcloud" { atomic = true version = "8.8.1" - values = [templatefile("${path.module}/chart_values.yaml", { tls_secret_name = var.tls_secret_name, db_password = var.nextcloud_db_password })] + values = [templatefile("${path.module}/chart_values.yaml", { tls_secret_name = var.tls_secret_name, db_password = var.nextcloud_db_password, redis_host = var.redis_host, mysql_host = var.mysql_host })] timeout = 6000 } @@ -136,7 +130,7 @@ resource "kubernetes_persistent_volume" "nextcloud-data-pv" { persistent_volume_source { nfs { path = "/mnt/main/nextcloud" - server = "10.0.10.15" + server = var.nfs_server } } } @@ -298,7 +292,7 @@ resource "kubernetes_cron_job_v1" "nextcloud-backup" { volume { name = "nextcloud-data" nfs { - server = "10.0.10.15" + server = var.nfs_server path = "/mnt/main/nextcloud" } } @@ -306,7 +300,7 @@ resource "kubernetes_cron_job_v1" "nextcloud-backup" { volume { name = "backup" nfs { - server = "10.0.10.15" + server = var.nfs_server path = "/mnt/main/nextcloud-backup" } } diff --git a/stacks/ntfy/main.tf b/stacks/ntfy/main.tf index a01ebf84..1d556c9c 100644 --- a/stacks/ntfy/main.tf +++ b/stacks/ntfy/main.tf @@ -1,14 +1,6 @@ variable "tls_secret_name" { type = string } +variable "nfs_server" { type = string } -locals { - tiers = { - core = "0-core" - cluster = "1-cluster" - gpu = "2-gpu" - edge = "3-edge" - aux = "4-aux" - } -} resource "kubernetes_namespace" "ntfy" { metadata { @@ -99,7 +91,7 @@ resource "kubernetes_deployment" "ntfy" { volume { name = "data" nfs { - server = "10.0.10.15" + server = var.nfs_server path = "/mnt/main/ntfy" } } diff --git a/stacks/ollama/main.tf b/stacks/ollama/main.tf index b336bab0..e22075fb 100644 --- a/stacks/ollama/main.tf +++ b/stacks/ollama/main.tf 
@@ -1,15 +1,8 @@ variable "tls_secret_name" { type = string } variable "ollama_api_credentials" { type = map(string) } +variable "nfs_server" { type = string } +variable "ollama_host" { type = string } -locals { - tiers = { - core = "0-core" - cluster = "1-cluster" - gpu = "2-gpu" - edge = "3-edge" - aux = "4-aux" - } -} resource "kubernetes_namespace" "ollama" { metadata { @@ -54,7 +47,7 @@ resource "kubernetes_persistent_volume" "ollama-pv" { persistent_volume_source { nfs { path = "/mnt/main/ollama" - server = "10.0.10.15" + server = var.nfs_server } } } @@ -130,7 +123,7 @@ resource "kubernetes_deployment" "ollama" { nfs { # path = "/mnt/main/ollama" path = "/mnt/ssd/ollama" - server = "10.0.10.15" + server = var.nfs_server } } } @@ -254,7 +247,7 @@ resource "kubernetes_deployment" "ollama-ui" { name = "ollama-ui" env { name = "OLLAMA_BASE_URL" - value = "http://ollama.ollama.svc.cluster.local:11434" + value = "http://${var.ollama_host}:11434" } port { @@ -269,7 +262,7 @@ resource "kubernetes_deployment" "ollama-ui" { name = "data" nfs { path = "/mnt/main/ollama" - server = "10.0.10.15" + server = var.nfs_server } } } diff --git a/stacks/onlyoffice/main.tf b/stacks/onlyoffice/main.tf index e9df99e2..0b55d1a1 100644 --- a/stacks/onlyoffice/main.tf +++ b/stacks/onlyoffice/main.tf @@ -1,16 +1,10 @@ variable "tls_secret_name" { type = string } variable "onlyoffice_db_password" { type = string } variable "onlyoffice_jwt_token" { type = string } +variable "nfs_server" { type = string } +variable "redis_host" { type = string } +variable "mysql_host" { type = string } -locals { - tiers = { - core = "0-core" - cluster = "1-cluster" - gpu = "2-gpu" - edge = "3-edge" - aux = "4-aux" - } -} resource "kubernetes_namespace" "onlyoffice" { metadata { @@ -75,7 +69,7 @@ resource "kubernetes_deployment" "onlyoffice-document-server" { } env { name = "DB_HOST" - value = "mysql.dbaas" + value = var.mysql_host } env { name = "DB_PORT" 
@@ -95,7 +89,7 @@ resource "kubernetes_deployment" "onlyoffice-document-server" { } env { name = "REDIS_SERVER_HOST" - value = "redis.redis" + value = var.redis_host } env { name = "REDIS_SERVER_PORT" @@ -115,7 +109,7 @@ resource "kubernetes_deployment" "onlyoffice-document-server" { name = "data" nfs { path = "/mnt/main/onlyoffice" - server = "10.0.10.15" + server = var.nfs_server } } } diff --git a/stacks/openclaw/main.tf b/stacks/openclaw/main.tf index a9739929..ede9990e 100644 --- a/stacks/openclaw/main.tf +++ b/stacks/openclaw/main.tf @@ -5,16 +5,9 @@ variable "gemini_api_key" { type = string } variable "llama_api_key" { type = string } variable "brave_api_key" { type = string } variable "modal_api_key" { type = string } +variable "nfs_server" { type = string } +variable "ollama_host" { type = string } -locals { - tiers = { - core = "0-core" - cluster = "1-cluster" - gpu = "2-gpu" - edge = "3-edge" - aux = "4-aux" - } -} resource "kubernetes_namespace" "openclaw" { metadata { @@ -148,7 +141,7 @@ resource "kubernetes_config_map" "openclaw_config" { ] } ollama = { - baseUrl = "http://ollama.ollama.svc.cluster.local:11434/v1" + baseUrl = "http://${var.ollama_host}:11434/v1" api = "openai-completions" apiKey = "ollama" models = [ @@ -429,14 +422,14 @@ resource "kubernetes_deployment" "openclaw" { volume { name = "workspace" nfs { - server = "10.0.10.15" + server = var.nfs_server path = "/mnt/main/openclaw/workspace" } } volume { name = "data" nfs { - server = "10.0.10.15" + server = var.nfs_server path = "/mnt/main/openclaw/data" } } diff --git a/stacks/osm_routing/main.tf b/stacks/osm_routing/main.tf index 1bb8d9b6..9e65b045 100644 --- a/stacks/osm_routing/main.tf +++ b/stacks/osm_routing/main.tf 
@@ -1,14 +1,6 @@ variable "tls_secret_name" { type = string } +variable "nfs_server" { type = string } -locals { - tiers = { - core = "0-core" - cluster = "1-cluster" - gpu = "2-gpu" - edge = "3-edge" - aux = "4-aux" - } -} resource "kubernetes_namespace" "osm-routing" { metadata { @@ -64,7 +56,7 @@ resource "kubernetes_deployment" "osrm-foot" { volume { name = "osrm-data" nfs { - server = "10.0.10.15" + server = var.nfs_server path = "/mnt/main/osm-routing/osrm-data" } } @@ -136,7 +128,7 @@ resource "kubernetes_deployment" "osrm-bicycle" { volume { name = "osrm-data" nfs { - server = "10.0.10.15" + server = var.nfs_server path = "/mnt/main/osm-routing/osrm-data" } } @@ -208,7 +200,7 @@ resource "kubernetes_deployment" "otp" { volume { name = "otp-data" nfs { - server = "10.0.10.15" + server = var.nfs_server path = "/mnt/main/osm-routing/otp-data" } } diff --git a/stacks/owntracks/main.tf b/stacks/owntracks/main.tf index b28c0151..82e37c9b 100644 --- a/stacks/owntracks/main.tf +++ b/stacks/owntracks/main.tf @@ -1,15 +1,7 @@ variable "tls_secret_name" { type = string } variable "owntracks_credentials" { type = map(string) } +variable "nfs_server" { type = string } -locals { - tiers = { - core = "0-core" - cluster = "1-cluster" - gpu = "2-gpu" - edge = "3-edge" - aux = "4-aux" - } -} resource "kubernetes_namespace" "owntracks" { metadata { @@ -107,7 +99,7 @@ resource "kubernetes_deployment" "owntracks" { name = "data" nfs { path = "/mnt/main/owntracks" - server = "10.0.10.15" + server = var.nfs_server } } } diff --git a/stacks/paperless-ngx/main.tf b/stacks/paperless-ngx/main.tf index c61db63e..144a4f74 100644 --- a/stacks/paperless-ngx/main.tf +++ b/stacks/paperless-ngx/main.tf 
@@ -1,16 +1,10 @@ variable "tls_secret_name" { type = string } variable "paperless_db_password" { type = string } variable "homepage_credentials" { type = map(any) } +variable "nfs_server" { type = string } +variable "redis_host" { type = string } +variable "mysql_host" { type = string } -locals { - tiers = { - core = "0-core" - cluster = "1-cluster" - gpu = "2-gpu" - edge = "3-edge" - aux = "4-aux" - } -} resource "kubernetes_namespace" "paperless-ngx" { metadata { @@ -69,7 +63,7 @@ resource "kubernetes_deployment" "paperless-ngx" { env { name = "PAPERLESS_REDIS" // If redis gets stuck, try deleting the locks files in log dir - value = "redis://redis.redis" + value = "redis://${var.redis_host}" } env { name = "PAPERLESS_REDIS_PREFIX" @@ -81,7 +75,7 @@ resource "kubernetes_deployment" "paperless-ngx" { } env { name = "PAPERLESS_DBHOST" - value = "mysql.dbaas" + value = var.mysql_host } env { name = "PAPERLESS_DBNAME" @@ -124,7 +118,7 @@ resource "kubernetes_deployment" "paperless-ngx" { name = "data" nfs { path = "/mnt/main/paperless-ngx" - server = "10.0.10.15" + server = var.nfs_server } } } diff --git a/stacks/platform/main.tf b/stacks/platform/main.tf index b03dd6ca..2862be4b 100644 --- a/stacks/platform/main.tf +++ b/stacks/platform/main.tf @@ -16,15 +16,6 @@ # ----------------------------------------------------------------------------- # Tier Definitions # ----------------------------------------------------------------------------- -locals { - tiers = { - core = "0-core" - cluster = "1-cluster" - gpu = "2-gpu" - edge = "3-edge" - aux = "4-aux" - } -} # ============================================================================= # Variable Declarations 
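Review bot: The `# Tier Definitions` banner in the platform main.tf hunk now heads an empty section, since the `tiers` local it introduced is gone while `local.tiers.*` is still referenced further down (for example `tier = local.tiers.cluster` on the redis module). Replace the banner with a pointer to the new source, e.g. `# local.tiers is provided by the terragrunt generate block; see terragrunt.hcl`, so a reader of this file can find where the tier names are defined.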
@@ -32,6 +23,12 @@ locals { # --- Core --- variable "tls_secret_name" { type = string } +variable "nfs_server" { type = string } +variable "redis_host" { type = string } +variable "postgresql_host" { type = string } +variable "mysql_host" { type = string } +variable "ollama_host" { type = string } +variable "mail_host" { type = string } variable "prod" { type = bool default = false @@ -140,6 +137,7 @@ module "dbaas" { source = "./modules/dbaas" prod = var.prod tls_secret_name = var.tls_secret_name + nfs_server = var.nfs_server dbaas_root_password = var.dbaas_root_password postgresql_root_password = var.dbaas_postgresql_root_password pgadmin_password = var.dbaas_pgadmin_password @@ -152,6 +150,7 @@ module "dbaas" { module "redis" { source = "./modules/redis" tls_secret_name = var.tls_secret_name + nfs_server = var.nfs_server tier = local.tiers.cluster } @@ -171,6 +170,8 @@ module "traefik" { module "technitium" { source = "./modules/technitium" tls_secret_name = var.tls_secret_name + nfs_server = var.nfs_server + mysql_host = var.mysql_host homepage_token = var.homepage_credentials["technitium"]["token"] technitium_db_password = var.technitium_db_password tier = local.tiers.core @@ -182,6 +183,7 @@ module "technitium" { module "headscale" { source = "./modules/headscale" tls_secret_name = var.tls_secret_name + nfs_server = var.nfs_server headscale_config = var.headscale_config headscale_acl = var.headscale_acl tier = local.tiers.core @@ -196,6 +198,7 @@ module "authentik" { tls_secret_name = var.tls_secret_name secret_key = var.authentik_secret_key postgres_password = var.authentik_postgres_password + redis_host = var.redis_host } # ----------------------------------------------------------------------------- 
@@ -225,6 +228,7 @@ module "crowdsec" { source = "./modules/crowdsec" tier = local.tiers.cluster tls_secret_name = var.tls_secret_name + mysql_host = var.mysql_host homepage_username = var.homepage_credentials["crowdsec"]["username"] homepage_password = var.homepage_credentials["crowdsec"]["password"] enroll_key = var.crowdsec_enroll_key @@ -241,6 +245,8 @@ module "crowdsec" { module "monitoring" { source = "./modules/monitoring" tls_secret_name = var.tls_secret_name + nfs_server = var.nfs_server + mysql_host = var.mysql_host alertmanager_account_password = var.alertmanager_account_password idrac_username = var.monitoring_idrac_username idrac_password = var.monitoring_idrac_password @@ -259,6 +265,8 @@ module "monitoring" { module "vaultwarden" { source = "./modules/vaultwarden" tls_secret_name = var.tls_secret_name + nfs_server = var.nfs_server + mail_host = var.mail_host smtp_password = var.vaultwarden_smtp_password tier = local.tiers.edge } @@ -304,6 +312,7 @@ module "kyverno" { module "uptime-kuma" { source = "./modules/uptime-kuma" tls_secret_name = var.tls_secret_name + nfs_server = var.nfs_server tier = local.tiers.cluster } @@ -338,6 +347,8 @@ module "xray" { module "mailserver" { source = "./modules/mailserver" tls_secret_name = var.tls_secret_name + nfs_server = var.nfs_server + mysql_host = var.mysql_host mailserver_accounts = var.mailserver_accounts postfix_account_aliases = var.mailserver_aliases opendkim_key = var.mailserver_opendkim_key @@ -370,6 +381,7 @@ module "cloudflared" { # ----------------------------------------------------------------------------- module "infra-maintenance" { source = "./modules/infra-maintenance" + nfs_server = var.nfs_server git_user = var.webhook_handler_git_user git_token = var.webhook_handler_git_token technitium_username = var.technitium_username 
@@ -385,11 +397,11 @@ output "tls_secret_name" { } output "redis_host" { - value = "redis.redis.svc.cluster.local" + value = var.redis_host } output "postgresql_host" { - value = "postgresql.dbaas.svc.cluster.local" + value = var.postgresql_host } output "postgresql_port" { @@ -397,7 +409,7 @@ output "postgresql_port" { } output "mysql_host" { - value = "mysql.dbaas.svc.cluster.local" + value = var.mysql_host } output "mysql_port" { @@ -405,7 +417,7 @@ output "mysql_port" { } output "smtp_host" { - value = "mail.viktorbarzin.me" + value = var.mail_host } output "smtp_port" { diff --git a/stacks/platform/modules/authentik/main.tf b/stacks/platform/modules/authentik/main.tf index 2087ea18..a52cde34 100644 --- a/stacks/platform/modules/authentik/main.tf +++ b/stacks/platform/modules/authentik/main.tf @@ -2,6 +2,7 @@ variable "tls_secret_name" {} variable "secret_key" {} variable "postgres_password" {} variable "tier" { type = string } +variable "redis_host" { type = string } module "tls_secret" { @@ -48,7 +49,7 @@ resource "helm_release" "authentik" { atomic = true timeout = 6000 - values = [templatefile("${path.module}/values.yaml", { postgres_password = var.postgres_password, secret_key = var.secret_key })] + values = [templatefile("${path.module}/values.yaml", { postgres_password = var.postgres_password, secret_key = var.secret_key, redis_host = var.redis_host })] } diff --git a/stacks/platform/modules/authentik/values.yaml b/stacks/platform/modules/authentik/values.yaml index c94d4694..2b267407 100644 --- a/stacks/platform/modules/authentik/values.yaml +++ b/stacks/platform/modules/authentik/values.yaml @@ -13,7 +13,7 @@ authentik: user: authentik password: ${postgres_password} redis: - host: redis.redis + host: ${redis_host} server: replicas: 3 diff --git a/stacks/platform/modules/crowdsec/main.tf b/stacks/platform/modules/crowdsec/main.tf index d27a8d92..0f640614 100644 --- a/stacks/platform/modules/crowdsec/main.tf +++ b/stacks/platform/modules/crowdsec/main.tf 
@@ -8,6 +8,7 @@ variable "crowdsec_dash_machine_id" { type = string } # used for web dash variable "crowdsec_dash_machine_password" { type = string } # used for web dash variable "tier" { type = string } variable "slack_webhook_url" { type = string } +variable "mysql_host" { type = string } module "tls_secret" { source = "../../../../modules/kubernetes/setup_tls_secret" @@ -99,7 +100,7 @@ resource "helm_release" "crowdsec" { repository = "https://crowdsecurity.github.io/helm-charts" chart = "crowdsec" - values = [templatefile("${path.module}/values.yaml", { homepage_username = var.homepage_username, homepage_password = var.homepage_password, DB_PASSWORD = var.db_password, ENROLL_KEY = var.enroll_key, SLACK_WEBHOOK_URL = var.slack_webhook_url })] + values = [templatefile("${path.module}/values.yaml", { homepage_username = var.homepage_username, homepage_password = var.homepage_password, DB_PASSWORD = var.db_password, ENROLL_KEY = var.enroll_key, SLACK_WEBHOOK_URL = var.slack_webhook_url, mysql_host = var.mysql_host })] timeout = 3600 } diff --git a/stacks/platform/modules/crowdsec/values.yaml b/stacks/platform/modules/crowdsec/values.yaml index c991536f..0029993e 100644 --- a/stacks/platform/modules/crowdsec/values.yaml +++ b/stacks/platform/modules/crowdsec/values.yaml @@ -81,7 +81,7 @@ lapi: - name: MB_DB_PASS value: "${DB_PASSWORD}" - name: MB_DB_HOST - value: "mysql.dbaas.svc.cluster.local" + value: "${mysql_host}" - name: MB_EMAIL_SMTP_USERNAME value: "info@viktorbarzin.me" @@ -166,7 +166,7 @@ config: user: crowdsec password: ${DB_PASSWORD} db_name: crowdsec - host: mysql.dbaas.svc.cluster.local + host: ${mysql_host} port: 3306 api: server: diff --git a/stacks/platform/modules/dbaas/main.tf b/stacks/platform/modules/dbaas/main.tf index 3a964132..1c42b64a 100644 --- a/stacks/platform/modules/dbaas/main.tf +++ b/stacks/platform/modules/dbaas/main.tf 
@@ -11,6 +11,7 @@ variable "prod" { default = false type = bool } +variable "nfs_server" { type = string } resource "kubernetes_namespace" "dbaas" { metadata { @@ -131,6 +132,18 @@ resource "kubernetes_deployment" "mysql" { container { image = "mysql:9.2.0" name = "mysql" + + resources { + requests = { + cpu = "250m" + memory = "512Mi" + } + limits = { + cpu = "1" + memory = "2Gi" + } + } + env { name = "MYSQL_ROOT_PASSWORD" value = var.dbaas_root_password @@ -153,7 +166,7 @@ resource "kubernetes_deployment" "mysql" { name = "mysql-persistent-storage" nfs { path = "/mnt/main/mysql" - server = "10.0.10.15" + server = var.nfs_server } } @@ -219,7 +232,7 @@ resource "kubernetes_cron_job_v1" "mysql-backup" { name = "mysql-backup" nfs { path = "/mnt/main/mysql-backup" - server = "10.0.10.15" + server = var.nfs_server } } } @@ -717,6 +730,18 @@ resource "kubernetes_deployment" "postgres" { image = "viktorbarzin/postgres:16-master" # mix of postgis + pgvector # image = "postgres:17.2-bullseye" # needs pg_upgrade to data dir name = "postgresql" + + resources { + requests = { + cpu = "250m" + memory = "512Mi" + } + limits = { + cpu = "1" + memory = "2Gi" + } + } + env { name = "POSTGRES_PASSWORD" value = var.postgresql_root_password @@ -744,7 +769,7 @@ resource "kubernetes_deployment" "postgres" { name = "postgresql-persistent-storage" nfs { path = "/mnt/main/postgresql/data" - server = "10.0.10.15" + server = var.nfs_server } } # volume { @@ -830,7 +855,7 @@ resource "kubernetes_deployment" "pgadmin" { # } nfs { path = "/mnt/main/postgresql/pgadmin" - server = "10.0.10.15" + server = var.nfs_server } } } @@ -905,7 +930,7 @@ resource "kubernetes_cron_job_v1" "postgresql-backup" { name = "postgresql-backup" nfs { path = "/mnt/main/postgresql-backup" - server = "10.0.10.15" + server = var.nfs_server } } } diff --git a/stacks/platform/modules/headscale/main.tf b/stacks/platform/modules/headscale/main.tf index 1cbcbeaa..60bf2e4d 100644 
--- a/stacks/platform/modules/headscale/main.tf +++ b/stacks/platform/modules/headscale/main.tf @@ -3,6 +3,7 @@ variable "tls_secret_name" {} variable "tier" { type = string } variable "headscale_config" {} variable "headscale_acl" {} +variable "nfs_server" { type = string } resource "kubernetes_namespace" "headscale" { metadata { @@ -61,6 +62,18 @@ resource "kubernetes_deployment" "headscale" { # image = "headscale/headscale:0.23.0-debug" # -debug is for debug images name = "headscale" command = ["headscale", "serve"] + + resources { + requests = { + cpu = "50m" + memory = "64Mi" + } + limits = { + cpu = "200m" + memory = "256Mi" + } + } + port { container_port = 8080 } @@ -100,7 +113,7 @@ resource "kubernetes_deployment" "headscale" { name = "nfs-config" nfs { path = "/mnt/main/headscale" - server = "10.0.10.15" + server = var.nfs_server } } # container { @@ -114,6 +127,18 @@ resource "kubernetes_deployment" "headscale" { image = "ghcr.io/gurucomputing/headscale-ui:latest" # image = "ghcr.io/tale/headplane:0.3.2" name = "headscale-ui" + + resources { + requests = { + cpu = "25m" + memory = "32Mi" + } + limits = { + cpu = "100m" + memory = "128Mi" + } + } + port { container_port = 8081 # container_port = 3000 diff --git a/stacks/platform/modules/infra-maintenance/main.tf b/stacks/platform/modules/infra-maintenance/main.tf index 27a92a96..1f572630 100644 --- a/stacks/platform/modules/infra-maintenance/main.tf +++ b/stacks/platform/modules/infra-maintenance/main.tf @@ -3,6 +3,7 @@ variable "git_user" {} variable "git_token" {} variable "technitium_username" {} variable "technitium_password" {} +variable "nfs_server" { type = string } # DISABLED WHILST USING CLOUDFLARE NS @@ -124,7 +125,7 @@ resource "kubernetes_cron_job_v1" "backup-etcd" { name = "backup" nfs { path = "/mnt/main/etcd-backup" - server = "10.0.10.15" + server = var.nfs_server } } volume { 
diff --git a/stacks/platform/modules/kyverno/security-policies.tf b/stacks/platform/modules/kyverno/security-policies.tf new file mode 100644 index 00000000..1f1c83a8 --- /dev/null +++ b/stacks/platform/modules/kyverno/security-policies.tf 
@@ -0,0 +1,203 @@ +# ============================================================================= +# Pod Security Policies (Audit Mode) +# ============================================================================= +# Kyverno validate policies for pod security standards. +# All policies start in Audit mode - violations are logged but not blocked. + +resource "kubernetes_manifest" "policy_deny_privileged" { + manifest = { + apiVersion = "kyverno.io/v1" + kind = "ClusterPolicy" + metadata = { + name = "deny-privileged-containers" + annotations = { + "policies.kyverno.io/title" = "Deny Privileged Containers" + "policies.kyverno.io/category" = "Pod Security" + "policies.kyverno.io/severity" = "high" + "policies.kyverno.io/description" = "Privileged containers have full host access. Deny unless explicitly exempted." + } + } + spec = { + validationFailureAction = "Audit" + background = true + rules = [{ + name = "deny-privileged" + match = { + any = [{ + resources = { + kinds = ["Pod"] + } + }] + } + exclude = { + any = [{ + resources = { + namespaces = ["frigate", "nvidia", "monitoring"] + } + }] + } + validate = { + message = "Privileged containers are not allowed. Use specific capabilities instead." + pattern = { + spec = { + containers = [{ + "=(securityContext)" = { + "=(privileged)" = false + } + }] + "=(initContainers)" = [{ + "=(securityContext)" = { + "=(privileged)" = false + } + }] + } + } + } + }] + } + } + + depends_on = [helm_release.kyverno] +} + +resource "kubernetes_manifest" "policy_deny_host_namespaces" { + manifest = { + apiVersion = "kyverno.io/v1" + kind = "ClusterPolicy" + metadata = { + name = "deny-host-namespaces" + annotations = { + "policies.kyverno.io/title" = "Deny Host Namespaces" + "policies.kyverno.io/category" = "Pod Security" + "policies.kyverno.io/severity" = "high" + "policies.kyverno.io/description" = "Sharing host namespaces enables container escapes. Deny hostNetwork, hostPID, hostIPC." 
+ } + } + spec = { + validationFailureAction = "Audit" + background = true + rules = [{ + name = "deny-host-namespaces" + match = { + any = [{ + resources = { + kinds = ["Pod"] + } + }] + } + exclude = { + any = [{ + resources = { + namespaces = ["frigate", "monitoring"] + } + }] + } + validate = { + message = "Host namespaces (hostNetwork, hostPID, hostIPC) are not allowed." + pattern = { + spec = { + "=(hostNetwork)" = false + "=(hostPID)" = false + "=(hostIPC)" = false + } + } + } + }] + } + } + + depends_on = [helm_release.kyverno] +} + +resource "kubernetes_manifest" "policy_restrict_capabilities" { + manifest = { + apiVersion = "kyverno.io/v1" + kind = "ClusterPolicy" + metadata = { + name = "restrict-sys-admin" + annotations = { + "policies.kyverno.io/title" = "Restrict SYS_ADMIN Capability" + "policies.kyverno.io/category" = "Pod Security" + "policies.kyverno.io/severity" = "high" + "policies.kyverno.io/description" = "SYS_ADMIN is nearly equivalent to root. Restrict to explicitly exempted namespaces." + } + } + spec = { + validationFailureAction = "Audit" + background = true + rules = [{ + name = "restrict-sys-admin" + match = { + any = [{ + resources = { + kinds = ["Pod"] + } + }] + } + exclude = { + any = [{ + resources = { + namespaces = ["nvidia", "monitoring"] + } + }] + } + validate = { + message = "Adding SYS_ADMIN capability is not allowed." 
+ deny = { + conditions = { + any = [{ + key = "{{ request.object.spec.containers[].securityContext.capabilities.add[] || `[]` }}" + operator = "AnyIn" + value = ["SYS_ADMIN"] + }] + } + } + } + }] + } + } + + depends_on = [helm_release.kyverno] +} + +resource "kubernetes_manifest" "policy_require_trusted_registries" { + manifest = { + apiVersion = "kyverno.io/v1" + kind = "ClusterPolicy" + metadata = { + name = "require-trusted-registries" + annotations = { + "policies.kyverno.io/title" = "Require Trusted Image Registries" + "policies.kyverno.io/category" = "Pod Security" + "policies.kyverno.io/severity" = "medium" + "policies.kyverno.io/description" = "Images must come from trusted registries to prevent supply chain attacks." + } + } + spec = { + validationFailureAction = "Audit" + background = true + rules = [{ + name = "validate-registries" + match = { + any = [{ + resources = { + kinds = ["Pod"] + } + }] + } + validate = { + message = "Images must be from trusted registries (docker.io, ghcr.io, quay.io, registry.k8s.io, or local cache)." + pattern = { + spec = { + containers = [{ + image = "docker.io/* | ghcr.io/* | quay.io/* | registry.k8s.io/* | 10.0.20.10* | */*" + }] + } + } + } + }] + } + } + + depends_on = [helm_release.kyverno] +} diff --git a/stacks/platform/modules/mailserver/main.tf b/stacks/platform/modules/mailserver/main.tf index 4fa39309..7d95672d 100644 --- a/stacks/platform/modules/mailserver/main.tf +++ b/stacks/platform/modules/mailserver/main.tf @@ -4,6 +4,7 @@ variable "mailserver_accounts" {} variable "postfix_account_aliases" {} variable "opendkim_key" {} variable "sasl_passwd" {} # For sendgrid i.e relayhost +variable "nfs_server" { type = string } resource "kubernetes_namespace" "mailserver" { metadata { @@ -106,7 +107,7 @@ resource "kubernetes_config_map" "mailserver_config" { } } EOF - fail2ban_conf = <<-EOF + fail2ban_conf = <<-EOF [DEFAULT] #logtarget = /var/log/fail2ban.log 
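Review bot: The trusted-registry pattern in `policy_require_trusted_registries` ends with `*/*`, which matches any image reference containing a slash, so `evil.example/app` passes while a bare Docker Hub image such as `mysql:9.2.0` (used in the dbaas hunk) is reported — the rule audits the wrong set. Drop the last alternative, `image = "docker.io/* | ghcr.io/* | quay.io/* | registry.k8s.io/* | 10.0.20.10*"`, and accept that unqualified images must be written with a `docker.io/` prefix, or move the rule to a deny condition over Kyverno's `images` variable, whose `registry` field is normalised (bare images resolve to docker.io). The SYS_ADMIN condition only inspects `spec.containers[]`, so an init or ephemeral container adding the capability is not caught; include `initContainers` and `ephemeralContainers` the way `policy_deny_privileged` already does. `kubernetes_manifest` needs the ClusterPolicy CRD present at plan time, so `depends_on = [helm_release.kyverno]` will not help on a first apply to a fresh cluster; the Kyverno release has to be applied before these resources.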
@@ -393,7 +394,7 @@ resource "kubernetes_deployment" "mailserver" { name = "data" nfs { path = "/mnt/main/mailserver" - server = "10.0.10.15" + server = var.nfs_server } # iscsi { # target_portal = "iscsi.viktorbarzin.lan:3260" diff --git a/stacks/platform/modules/mailserver/roundcubemail.tf b/stacks/platform/modules/mailserver/roundcubemail.tf index ce77f0d2..2f26c9d7 100644 --- a/stacks/platform/modules/mailserver/roundcubemail.tf +++ b/stacks/platform/modules/mailserver/roundcubemail.tf @@ -1,4 +1,5 @@ variable "roundcube_db_password" { type = string } +variable "mysql_host" { type = string } # If you want to override settings mount this in /var/roundcube/config # more info in https://github.com/roundcube/roundcubemail-docker?tab=readme-ov-file @@ -89,7 +90,7 @@ resource "kubernetes_deployment" "roundcubemail" { } env { name = "ROUNDCUBEMAIL_DB_HOST" - value = "mysql.dbaas" + value = var.mysql_host } env { name = "ROUNDCUBEMAIL_DB_USER" @@ -148,14 +149,14 @@ resource "kubernetes_deployment" "roundcubemail" { name = "html" nfs { path = "/mnt/main/roundcubemail/html" - server = "10.0.10.15" + server = var.nfs_server } } volume { name = "enigma" nfs { path = "/mnt/main/roundcubemail/enigma" - server = "10.0.10.15" + server = var.nfs_server } } } diff --git a/stacks/platform/modules/monitoring/alloy.yaml b/stacks/platform/modules/monitoring/alloy.yaml index b68c8d91..ac3148e8 100644 --- a/stacks/platform/modules/monitoring/alloy.yaml +++ b/stacks/platform/modules/monitoring/alloy.yaml @@ -125,7 +125,7 @@ alloy: resources: requests: cpu: 50m - memory: 256Mi + memory: 512Mi limits: cpu: 200m - memory: 768Mi + memory: 1Gi diff --git a/stacks/platform/modules/monitoring/grafana.tf b/stacks/platform/modules/monitoring/grafana.tf index 899f3478..aa3c22df 100644 --- a/stacks/platform/modules/monitoring/grafana.tf +++ b/stacks/platform/modules/monitoring/grafana.tf 
@@ -1,4 +1,5 @@ + # resource "kubernetes_persistent_volume" "prometheus_grafana_pv" { # metadata { # name = "grafana-pv" @@ -11,7 +12,7 @@ # persistent_volume_source { # nfs { # path = "/mnt/main/grafana" -# server = "10.0.10.15" +# server = var.nfs_server # } # # iscsi { # # target_portal = "iscsi.viktorbarzin.lan:3260" @@ -35,7 +36,7 @@ resource "kubernetes_persistent_volume" "alertmanager_pv" { persistent_volume_source { nfs { path = "/mnt/main/alertmanager" - server = "10.0.10.15" + server = var.nfs_server } } } @@ -65,5 +66,5 @@ resource "helm_release" "grafana" { repository = "https://grafana.github.io/helm-charts" chart = "grafana" - values = [templatefile("${path.module}/grafana_chart_values.yaml", { db_password = var.grafana_db_password, grafana_admin_password = var.grafana_admin_password })] + values = [templatefile("${path.module}/grafana_chart_values.yaml", { db_password = var.grafana_db_password, grafana_admin_password = var.grafana_admin_password, mysql_host = var.mysql_host })] } diff --git a/stacks/platform/modules/monitoring/grafana_chart_values.yaml b/stacks/platform/modules/monitoring/grafana_chart_values.yaml index 8cfc207f..d7d8b2f2 100644 --- a/stacks/platform/modules/monitoring/grafana_chart_values.yaml +++ b/stacks/platform/modules/monitoring/grafana_chart_values.yaml @@ -48,7 +48,7 @@ env: grafana.ini: database: type: mysql - host: mysql.dbaas.svc.cluster.local:3306 + host: ${mysql_host}:3306 name: grafana user: grafana password: $__env{GF_DATABASE_PASSWORD} diff --git a/stacks/platform/modules/monitoring/loki.tf b/stacks/platform/modules/monitoring/loki.tf index 14ecd1a8..9bcef976 100644 --- a/stacks/platform/modules/monitoring/loki.tf +++ b/stacks/platform/modules/monitoring/loki.tf @@ -1,3 +1,5 @@ +variable "nfs_server" { type = string } + resource "helm_release" "loki" { namespace = kubernetes_namespace.monitoring.metadata[0].name create_namespace = true 
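Review bot: `variable "nfs_server"` is declared at the top of `loki.tf` while the same module declares `mysql_host` next to its other inputs in `main.tf` (the hunk that follows); anyone reading the module's inputs from `main.tf` will miss it, so move the declaration alongside the others. The `@@ -1,4 +1,5 @@` hunks in `grafana.tf` and `prometheus.tf` also each add a leading blank line that carries nothing and should be dropped.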
@@ -24,7 +26,7 @@ resource "kubernetes_persistent_volume" "loki" { persistent_volume_source { nfs { path = "/mnt/main/loki/loki" - server = "10.0.10.15" + server = var.nfs_server } } persistent_volume_reclaim_policy = "Retain" diff --git a/stacks/platform/modules/monitoring/loki.yaml b/stacks/platform/modules/monitoring/loki.yaml index 639bf0b3..63be79f8 100644 --- a/stacks/platform/modules/monitoring/loki.yaml +++ b/stacks/platform/modules/monitoring/loki.yaml @@ -22,7 +22,7 @@ loki: limits_config: allow_structured_metadata: true volume_enabled: true - retention_period: 168h + retention_period: 720h compactor: retention_enabled: true working_directory: /var/loki/compactor diff --git a/stacks/platform/modules/monitoring/main.tf b/stacks/platform/modules/monitoring/main.tf index 5d92740a..24d69dd0 100644 --- a/stacks/platform/modules/monitoring/main.tf +++ b/stacks/platform/modules/monitoring/main.tf @@ -16,6 +16,7 @@ variable "pve_password" { type = string } variable "grafana_db_password" { type = string } variable "grafana_admin_password" { type = string } variable "tier" { type = string } +variable "mysql_host" { type = string } resource "kubernetes_namespace" "monitoring" { metadata { diff --git a/stacks/platform/modules/monitoring/prometheus.tf b/stacks/platform/modules/monitoring/prometheus.tf index 12a00b66..472603e7 100644 --- a/stacks/platform/modules/monitoring/prometheus.tf +++ b/stacks/platform/modules/monitoring/prometheus.tf @@ -1,4 +1,5 @@ + resource "kubernetes_persistent_volume_claim" "prometheus_server_pvc" { metadata { name = "prometheus-iscsi-pvc" @@ -29,7 +30,7 @@ resource "kubernetes_persistent_volume" "prometheus_server_pvc" { persistent_volume_source { nfs { path = "/mnt/main/prometheus" - server = "10.0.10.15" + server = var.nfs_server } # iscsi { # fs_type = "ext4" diff --git a/stacks/platform/modules/monitoring/prometheus_chart_values.tpl b/stacks/platform/modules/monitoring/prometheus_chart_values.tpl index ed020448..caba0ef3 100755 
--- a/stacks/platform/modules/monitoring/prometheus_chart_values.tpl +++ b/stacks/platform/modules/monitoring/prometheus_chart_values.tpl @@ -316,6 +316,13 @@ serverFiles: severity: warning annotations: summary: "PV {{ $labels.persistentvolumeclaim }} in {{ $labels.namespace }}: {{ $value | printf \"%.0f\" }}% used (threshold: 85%)" + - alert: PVPredictedFull + expr: predict_linear(kubelet_volume_stats_used_bytes[6h], 3600*24) > kubelet_volume_stats_capacity_bytes + for: 1h + labels: + severity: warning + annotations: + summary: "PV {{ $labels.persistentvolumeclaim }} in {{ $labels.namespace }} predicted to fill within 24h" - name: K8s Health rules: - alert: PodCrashLooping 
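Review bot: `PVPredictedFull` (like the 85% alert above it) only observes PVC-backed volumes, because `kubelet_volume_stats_*` is reported per PersistentVolumeClaim; most data volumes touched by this patch are inline `nfs { server = var.nfs_server ... }` pod volumes (mailserver, vaultwarden, redis, uptime-kuma, …), which kubelet never reports, so a filling NFS export behind them will not trigger this rule. A comment on the rule would stop the next reader from assuming coverage, e.g. `# NOTE: only PVC-backed volumes are reported by kubelet; inline nfs{} volumes need a filesystem alert on the NFS server itself`, and a node/filesystem alert on the NFS host is the real fix if it is scraped. The enclosing `serverFiles:` block extends outside the hunk.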
@@ -389,6 +396,50 @@ serverFiles: severity: warning annotations: summary: "Prometheus notification errors: {{ $value | printf \"%.2f\" }}/s" + - name: Critical Services + rules: + - alert: PostgreSQLDown + expr: (kube_deployment_status_replicas_available{namespace="dbaas", deployment=~"postgresql.*"} or on() vector(0)) < 1 + for: 5m + labels: + severity: critical + annotations: + summary: "PostgreSQL has no available replicas" + - alert: MySQLDown + expr: (kube_deployment_status_replicas_available{namespace="dbaas", deployment=~"mysql.*"} or on() vector(0)) < 1 + for: 5m + labels: + severity: critical + annotations: + summary: "MySQL has no available replicas" + - alert: RedisDown + expr: (kube_deployment_status_replicas_available{namespace="redis"} or on() vector(0)) < 1 + for: 5m + labels: + severity: critical + annotations: + summary: "Redis has no available replicas" + - alert: HeadscaleDown + expr: (kube_deployment_status_replicas_available{namespace="headscale"} or on() vector(0)) < 1 + for: 5m + labels: + severity: critical + annotations: + summary: "Headscale VPN has no available replicas" + - alert: AuthentikDown + expr: (kube_deployment_status_replicas_available{namespace="authentik", deployment="authentik-server"} or on() vector(0)) < 1 + for: 5m + labels: + severity: critical + annotations: + summary: "Authentik auth server has no available replicas" + - alert: LokiDown + expr: (kube_statefulset_status_replicas_ready{namespace="monitoring", statefulset=~"loki.*"} or on() vector(0)) < 1 + for: 5m + labels: + severity: warning + annotations: + summary: "Loki log aggregation has no ready replicas" - name: Cluster rules: - alert: NodeDown 
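Review bot: The prefix selectors `deployment=~"postgresql.*"`, `deployment=~"mysql.*"` and `statefulset=~"loki.*"` match every workload with that name prefix, and because the expression is `< 1` per series, an exporter or cache workload in the same namespace going to zero fires as the database or log store being down (recent Loki chart versions ship `loki-chunks-cache`/`loki-results-cache` StatefulSets by default, for instance); pin exact names where they are known, e.g. `deployment="postgresql"`, as `AuthentikDown` already does. The `or on() vector(0)` fallback also fires a label-less alert whenever the selector matches nothing, which is what you want when kube-state-metrics disappears but will page permanently if one of these is later moved to a StatefulSet or renamed — a separate `absent(up{job=~".*kube-state-metrics.*"})` alert keeps those two cases distinguishable. The enclosing `serverFiles:` block extends outside the hunk.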
@@ -548,20 +599,20 @@ serverFiles: severity: page annotations: summary: Mail server has no available replicas. This means mail may not be received. - # - alert: Hackmd has no replicas available - # expr: (kube_deployment_status_replicas_available{namespace="hackmd"} or on() vector(0)) < 1 - # for: 1m - # labels: - # severity: page - # annotations: - # summary: Hackmd has no available replicas. - # - alert: Privatebin has no replicas available - # expr: (kube_deployment_status_replicas_available{namespace="privatebin"} or on() vector(0)) < 1 - # for: 10m - # labels: - # severity: page - # annotations: - # summary: Privatebin has no available replicas. + - alert: HackmdDown + expr: (kube_deployment_status_replicas_available{namespace="hackmd"} or on() vector(0)) < 1 + for: 5m + labels: + severity: warning + annotations: + summary: "Hackmd has no available replicas" + - alert: PrivatebinDown + expr: (kube_deployment_status_replicas_available{namespace="privatebin"} or on() vector(0)) < 1 + for: 10m + labels: + severity: warning + annotations: + summary: "Privatebin has no available replicas" # - name: London OpenWRT Down # rules: # - alert: OpenWRT client unreachable diff --git a/stacks/platform/modules/nvidia/main.tf b/stacks/platform/modules/nvidia/main.tf index 57ab63cd..097c7dfd 100644 --- a/stacks/platform/modules/nvidia/main.tf +++ b/stacks/platform/modules/nvidia/main.tf @@ -12,7 +12,7 @@ resource "kubernetes_namespace" "nvidia" { name = "nvidia" labels = { "istio-injection" : "disabled" - tier = var.tier + tier = var.tier "resource-governance/custom-quota" = "true" } } diff --git a/stacks/platform/modules/redis/main.tf b/stacks/platform/modules/redis/main.tf index 5db3cbe5..79088543 100644 --- a/stacks/platform/modules/redis/main.tf +++ b/stacks/platform/modules/redis/main.tf @@ -1,5 +1,6 @@ variable "tls_secret_name" {} variable "tier" { type = string } +variable "nfs_server" { type = string } resource "kubernetes_namespace" "redis" { metadata { 
@@ -49,6 +50,17 @@ resource "kubernetes_deployment" "redis" { image = "redis/redis-stack:latest" name = "redis" + resources { + requests = { + cpu = "100m" + memory = "128Mi" + } + limits = { + cpu = "500m" + memory = "512Mi" + } + } + port { container_port = 6379 } @@ -64,7 +76,7 @@ resource "kubernetes_deployment" "redis" { name = "data" nfs { path = "/mnt/main/redis" - server = "10.0.10.15" + server = var.nfs_server } } } diff --git a/stacks/platform/modules/technitium/main.tf b/stacks/platform/modules/technitium/main.tf index 633abf77..a5a459ab 100644 --- a/stacks/platform/modules/technitium/main.tf +++ b/stacks/platform/modules/technitium/main.tf @@ -2,6 +2,8 @@ variable "tls_secret_name" {} variable "tier" { type = string } variable "homepage_token" {} variable "technitium_db_password" {} +variable "nfs_server" { type = string } +variable "mysql_host" { type = string } resource "kubernetes_namespace" "technitium" { metadata { @@ -131,14 +133,14 @@ resource "kubernetes_deployment" "technitium" { image = "technitium/dns-server:latest" name = "technitium" resources { - # limits = { - # cpu = "1" - # memory = "1Gi" - # } - # requests = { - # cpu = "1" - # memory = "1Gi" - # } + requests = { + cpu = "100m" + memory = "128Mi" + } + limits = { + cpu = "500m" + memory = "512Mi" + } } port { container_port = 5380 @@ -162,7 +164,7 @@ resource "kubernetes_deployment" "technitium" { name = "nfs-config" nfs { path = "/mnt/main/technitium" - server = "10.0.10.15" + server = var.nfs_server } } volume { @@ -278,7 +280,7 @@ resource "kubernetes_config_map" "grafana_technitium_datasource" { name = "Technitium MySQL" type = "mysql" access = "proxy" - url = "mysql.dbaas.svc.cluster.local:3306" + url = "${var.mysql_host}:3306" database = "technitium" user = "technitium" uid = "technitium-mysql" diff --git a/stacks/platform/modules/traefik/main.tf b/stacks/platform/modules/traefik/main.tf index ab836a27..d7a9da5a 100644 --- a/stacks/platform/modules/traefik/main.tf 
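Review bot: The new 512Mi `limits.memory` on the redis container has no matching Redis-side `maxmemory`, so once the dataset plus redis-stack module overhead grows past it the container is OOM-killed and restarted instead of Redis refusing or evicting writes — and this instance is the shared broker/cache for several stacks in this patch (`send`, `real-estate-crawler` Celery), which all lose state on that restart. The redis-stack image honours `REDIS_ARGS`, so add `env { name = "REDIS_ARGS" value = "--maxmemory 400mb" }` (leaving the default `noeviction`, since evicting Celery queue keys would silently drop tasks) and size the limit with headroom above it. The context line `image = "redis/redis-stack:latest"` means each such restart may also pull a different Redis version; a pinned tag is worth doing alongside the limits. The deployment block extends outside the hunk.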
+++ b/stacks/platform/modules/traefik/main.tf @@ -80,7 +80,7 @@ resource "helm_release" "traefik" { # Enable dashboard API (accessible on port 8080 internally) api = { - insecure = true + insecure = false } # Entrypoints @@ -174,7 +174,6 @@ resource "helm_release" "traefik" { } additionalArguments = [ - "--api.insecure=true", "--global.checknewversion=false", "--global.sendanonymoususage=false", # Skip TLS verification for self-signed backend certs (proxmox, idrac, etc.) @@ -184,8 +183,10 @@ resource "helm_release" "traefik" { "--serversTransport.forwardingTimeouts.responseHeaderTimeout=0s", "--serversTransport.forwardingTimeouts.idleConnTimeout=90s", # Use forwarded headers from trusted proxies - "--entryPoints.websecure.forwardedHeaders.insecure=true", - "--entryPoints.web.forwardedHeaders.insecure=true", + "--entryPoints.websecure.forwardedHeaders.insecure=false", + "--entryPoints.web.forwardedHeaders.insecure=false", + "--entryPoints.websecure.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/13,104.24.0.0/14,172.64.0.0/13,131.0.72.0/22,10.0.0.0/8,192.168.0.0/16", + "--entryPoints.web.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/13,104.24.0.0/14,172.64.0.0/13,131.0.72.0/22,10.0.0.0/8,192.168.0.0/16", ] resources = { diff --git a/stacks/platform/modules/traefik/middleware.tf b/stacks/platform/modules/traefik/middleware.tf index 8cfba83c..0a5481b6 100644 --- a/stacks/platform/modules/traefik/middleware.tf +++ b/stacks/platform/modules/traefik/middleware.tf @@ -13,8 +13,8 @@ resource "kubernetes_manifest" "middleware_rate_limit" { } spec = { rateLimit = { - average = 5 - burst = 250 + average = 10 + burst = 50 } } } 
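Review bot: The context comment `# Enable dashboard API (accessible on port 8080 internally)` above `insecure = false` is now misleading: with the insecure listener off, Traefik no longer serves the dashboard on the dedicated `traefik` entrypoint and it is only reachable through a router you define for `api@internal`. Either replace the comment with `# Dashboard API: insecure listener disabled; expose api@internal only behind an authenticated IngressRoute` or set `dashboard = false` as well if nothing will route to it. The `helm_release` block extends outside the hunk.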
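Review bot: The `forwardedHeaders.trustedIPs` lists end with `10.0.0.0/8,192.168.0.0/16`, which lets any pod, node or LAN host — not only the Cloudflare edge — supply its own `X-Forwarded-For`/`X-Real-Ip`, and the CrowdSec bouncer and rate-limit middlewares key on that address, so header trust is effectively open to the whole internal network. Unless an in-cluster proxy genuinely sits in front of Traefik, drop the two RFC1918 ranges or narrow them to that proxy's address. The list also holds only IPv4 prefixes; if Cloudflare reaches the origin over IPv6 (not determinable here), its published v6 ranges are needed too, otherwise those requests lose the forwarded client IP. Since the identical list is duplicated for both entrypoints, a `locals { cloudflare_ips = [...] }` used via `join(",", local.cloudflare_ips)` keeps them in sync and makes refreshing from Cloudflare's published list a one-place change.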
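Review bot: `rateLimit` has no `sourceCriterion`, so Traefik buckets by the TCP remote address; with Cloudflare in front (the trustedIPs change in this same patch) that address is a Cloudflare edge node, so `average = 10, burst = 50` is shared by every visitor arriving through the same edge rather than applied per client, and the tighter values make throttling of legitimate users much more likely. Add `sourceCriterion = { ipStrategy = { depth = 1 } }` so the rightmost `X-Forwarded-For` entry — the client address Cloudflare appends — is used; verify on an access-log sample that depth 1 resolves to the real client in this setup, and note that requests without the header (direct LAN clients) would then share one empty key.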
@@ -113,6 +113,31 @@ resource "kubernetes_manifest" "middleware_csp_headers" { depends_on = [helm_release.traefik] } +# Security headers middleware (HSTS, X-Frame-Options, etc.) +resource "kubernetes_manifest" "middleware_security_headers" { + manifest = { + apiVersion = "traefik.io/v1alpha1" + kind = "Middleware" + metadata = { + name = "security-headers" + namespace = kubernetes_namespace.traefik.metadata[0].name + } + spec = { + headers = { + stsSeconds = 31536000 + stsIncludeSubdomains = true + frameDeny = true + contentTypeNosniff = true + browserXssFilter = true + referrerPolicy = "strict-origin-when-cross-origin" + permissionsPolicy = "camera=(), microphone=(), geolocation=()" + } + } + } + + depends_on = [helm_release.traefik] +} + # CrowdSec bouncer plugin middleware resource "kubernetes_manifest" "middleware_crowdsec" { manifest = { diff --git a/stacks/platform/modules/uptime-kuma/main.tf b/stacks/platform/modules/uptime-kuma/main.tf index 0ecdc9dc..d93232c0 100644 --- a/stacks/platform/modules/uptime-kuma/main.tf +++ b/stacks/platform/modules/uptime-kuma/main.tf @@ -1,5 +1,6 @@ variable "tls_secret_name" {} variable "tier" { type = string } +variable "nfs_server" { type = string } resource "kubernetes_namespace" "uptime-kuma" { metadata { @@ -56,6 +57,17 @@ resource "kubernetes_deployment" "uptime-kuma" { image = "louislam/uptime-kuma:2" name = "uptime-kuma" + resources { + requests = { + cpu = "50m" + memory = "64Mi" + } + limits = { + cpu = "200m" + memory = "256Mi" + } + } + port { container_port = 3001 } @@ -67,7 +79,7 @@ resource "kubernetes_deployment" "uptime-kuma" { volume { name = "data" nfs { - server = "10.0.10.15" + server = var.nfs_server path = "/mnt/main/uptime-kuma" } } @@ -160,7 +172,7 @@ module "ingress" { # volume { # name = "data" # nfs { -# server = "10.0.10.15" +# server = var.nfs_server # path = "/mnt/main/uptime-kuma" # } # } 
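Review bot: `middleware_security_headers` is defined but nothing in this patch attaches it — the ingress_factory calls and the annotations removed from xray reference only `traefik-rate-limit`, `traefik-csp-headers` and `traefik-crowdsec` — so unless the factory adds `traefik-security-headers@kubernetescrd` by default (not visible here) the headers are never sent; wiring it into the factory's default chain, or a comment stating where it is applied, belongs with this change. `browserXssFilter = true` emits `X-XSS-Protection: 1; mode=block`, which current browsers ignore and which enabled side-channel leaks in older ones; drop it. `frameDeny = true` is a sound default but breaks any app that is deliberately embedded (e.g. Grafana panels in a dashboard, if that is done here); `customFrameOptionsValue = "SAMEORIGIN"` is the safer cluster-wide value with per-app overrides. Leave `stsPreload` off until every subdomain is HTTPS-only, since preloading is hard to undo.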
diff --git a/stacks/platform/modules/vaultwarden/main.tf b/stacks/platform/modules/vaultwarden/main.tf index f2f14d9c..c97cff8f 100644 --- a/stacks/platform/modules/vaultwarden/main.tf +++ b/stacks/platform/modules/vaultwarden/main.tf @@ -1,6 +1,8 @@ variable "tls_secret_name" {} variable "tier" { type = string } variable "smtp_password" {} +variable "nfs_server" { type = string } +variable "mail_host" { type = string } resource "kubernetes_namespace" "vaultwarden" { metadata { @@ -51,6 +53,18 @@ resource "kubernetes_deployment" "vaultwarden" { container { image = "vaultwarden/server:1.35.2" name = "vaultwarden" + + resources { + requests = { + cpu = "50m" + memory = "64Mi" + } + limits = { + cpu = "200m" + memory = "256Mi" + } + } + env { name = "DOMAIN" value = "https://vaultwarden.viktorbarzin.me" @@ -61,7 +75,7 @@ resource "kubernetes_deployment" "vaultwarden" { # } env { name = "SMTP_HOST" - value = "mail.viktorbarzin.me" + value = var.mail_host } env { name = "SMTP_FROM" @@ -96,7 +110,7 @@ resource "kubernetes_deployment" "vaultwarden" { name = "data" nfs { path = "/mnt/main/vaultwarden" - server = "10.0.10.15" + server = var.nfs_server } } } diff --git a/stacks/platform/modules/xray/main.tf b/stacks/platform/modules/xray/main.tf index a87086e5..c5069e1a 100644 --- a/stacks/platform/modules/xray/main.tf +++ b/stacks/platform/modules/xray/main.tf 
@@ -186,109 +186,36 @@ resource "kubernetes_service" "xray-reality" { } } -resource "kubernetes_ingress_v1" "ingress" { - metadata { - namespace = kubernetes_namespace.xray.metadata[0].name - name = "xray" - annotations = { - "traefik.ingress.kubernetes.io/router.middlewares" = "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd" - "traefik.ingress.kubernetes.io/router.entrypoints" = "websecure" - } - } +module "ingress_ws" { + source = "../../../../modules/kubernetes/ingress_factory" + namespace = kubernetes_namespace.xray.metadata[0].name + name = "xray-ws" + service_name = "xray" + host = "xray-ws" + port = 8443 + tls_secret_name = var.tls_secret_name +} - spec { - ingress_class_name = "traefik" - tls { - hosts = ["xray-ws.viktorbarzin.me"] - secret_name = var.tls_secret_name - } - rule { - host = "xray-ws.viktorbarzin.me" - http { - path { - backend { - service { - name = "xray" - port { - number = 8443 - - } - } - } - } - } - } +module "ingress_grpc" { + source = "../../../../modules/kubernetes/ingress_factory" + namespace = kubernetes_namespace.xray.metadata[0].name + name = "xray-grpc" + service_name = "xray" + host = "xray-grpc" + port = 9443 + tls_secret_name = var.tls_secret_name + ingress_path = ["/grpc-vpn"] + extra_annotations = { + "traefik.ingress.kubernetes.io/service.serversscheme" = "h2c" } } -resource "kubernetes_ingress_v1" "ingress-grpc" { - metadata { - namespace = kubernetes_namespace.xray.metadata[0].name - name = "xray-grpc" - annotations = { - "traefik.ingress.kubernetes.io/router.middlewares" = "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd" - "traefik.ingress.kubernetes.io/router.entrypoints" = "websecure" - "traefik.ingress.kubernetes.io/service.serversscheme" = "h2c" - } - } - - spec { - ingress_class_name = "traefik" - tls { - hosts = ["xray-grpc.viktorbarzin.me"] - secret_name = var.tls_secret_name - } - rule { - host = 
"xray-grpc.viktorbarzin.me" - http { - path { - path = "/grpc-vpn" - path_type = "Prefix" - backend { - service { - name = "xray" - port { - number = 9443 - } - } - } - } - } - } - } -} - -resource "kubernetes_ingress_v1" "ingress-vless" { - metadata { - namespace = kubernetes_namespace.xray.metadata[0].name - name = "xray-vless" - annotations = { - "traefik.ingress.kubernetes.io/router.middlewares" = "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd" - "traefik.ingress.kubernetes.io/router.entrypoints" = "websecure" - } - } - - spec { - ingress_class_name = "traefik" - tls { - hosts = ["xray-vless.viktorbarzin.me"] - secret_name = var.tls_secret_name - } - rule { - host = "xray-vless.viktorbarzin.me" - http { - path { - backend { - service { - name = "xray" - port { - number = 6443 - - } - } - } - } - } - } - } +module "ingress_vless" { + source = "../../../../modules/kubernetes/ingress_factory" + namespace = kubernetes_namespace.xray.metadata[0].name + name = "xray-vless" + service_name = "xray" + host = "xray-vless" + port = 6443 + tls_secret_name = var.tls_secret_name } diff --git a/stacks/plotting-book/main.tf b/stacks/plotting-book/main.tf index bc91ea0c..c24d16cf 100644 --- a/stacks/plotting-book/main.tf +++ b/stacks/plotting-book/main.tf @@ -1,14 +1,5 @@ variable "tls_secret_name" { type = string } -locals { - tiers = { - core = "0-core" - cluster = "1-cluster" - gpu = "2-gpu" - edge = "3-edge" - aux = "4-aux" - } -} resource "kubernetes_namespace" "plotting-book" { metadata { diff --git a/stacks/poison-fountain/main.tf b/stacks/poison-fountain/main.tf index add4832b..352cdc6d 100644 --- a/stacks/poison-fountain/main.tf +++ b/stacks/poison-fountain/main.tf 
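Review bot: The three replaced `kubernetes_ingress_v1` resources carried `traefik.ingress.kubernetes.io/router.middlewares = traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd` and `router.entrypoints = websecure`; the new `ingress_factory` calls pass neither, so unless the module applies that chain and entrypoint by default (not visible here) the VPN endpoints lose rate limiting and the CrowdSec bouncer and may also become routable on the plain `web` entrypoint. Confirm the module defaults or pass them explicitly through `extra_annotations`, as `ingress_grpc` already does for `serversscheme`, and check that the module merges rather than replaces its defaults when `extra_annotations` is set. The gRPC ingress previously used `path_type = "Prefix"` for `/grpc-vpn`; verify `ingress_path` yields the same path type, since an exact match would break gRPC method routing under that prefix.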
@@ -1,14 +1,6 @@ variable "tls_secret_name" { type = string } +variable "nfs_server" { type = string } -locals { - tiers = { - core = "0-core" - cluster = "1-cluster" - gpu = "2-gpu" - edge = "3-edge" - aux = "4-aux" - } -} resource "kubernetes_namespace" "poison_fountain" { metadata { @@ -152,7 +144,7 @@ resource "kubernetes_deployment" "poison_fountain" { volume { name = "data" nfs { - server = "10.0.10.15" + server = var.nfs_server path = "/mnt/main/poison-fountain" } } @@ -259,7 +251,7 @@ resource "kubernetes_cron_job_v1" "poison_fetcher" { volume { name = "data" nfs { - server = "10.0.10.15" + server = var.nfs_server path = "/mnt/main/poison-fountain" } } diff --git a/stacks/privatebin/main.tf b/stacks/privatebin/main.tf index 517324ee..7fe97aa0 100644 --- a/stacks/privatebin/main.tf +++ b/stacks/privatebin/main.tf @@ -1,14 +1,6 @@ variable "tls_secret_name" { type = string } +variable "nfs_server" { type = string } -locals { - tiers = { - core = "0-core" - cluster = "1-cluster" - gpu = "2-gpu" - edge = "3-edge" - aux = "4-aux" - } -} resource "kubernetes_namespace" "privatebin" { metadata { @@ -70,7 +62,7 @@ resource "kubernetes_deployment" "privatebin" { name = "data" nfs { path = "/mnt/main/privatebin" - server = "10.0.10.15" + server = var.nfs_server } } } diff --git a/stacks/real-estate-crawler/main.tf b/stacks/real-estate-crawler/main.tf index 6cf195c5..f8e9e993 100644 --- a/stacks/real-estate-crawler/main.tf +++ b/stacks/real-estate-crawler/main.tf 
@@ -1,23 +1,17 @@ variable "tls_secret_name" { type = string } variable "realestate_crawler_db_password" { type = string } variable "realestate_crawler_notification_settings" { type = map(string) } +variable "nfs_server" { type = string } +variable "redis_host" { type = string } +variable "mysql_host" { type = string } -locals { - tiers = { - core = "0-core" - cluster = "1-cluster" - gpu = "2-gpu" - edge = "3-edge" - aux = "4-aux" - } -} resource "kubernetes_namespace" "realestate-crawler" { metadata { name = "realestate-crawler" labels = { "istio-injection" : "disabled" - tier = local.tiers.aux + tier = local.tiers.aux "resource-governance/custom-quota" = "true" } } @@ -143,7 +137,7 @@ resource "kubernetes_deployment" "realestate-crawler-api" { } env { name = "DB_CONNECTION_STRING" - value = "mysql://wrongmove:${var.realestate_crawler_db_password}@mysql.dbaas.svc.cluster.local:3306/wrongmove" + value = "mysql://wrongmove:${var.realestate_crawler_db_password}@${var.mysql_host}:3306/wrongmove" } # env { @@ -156,11 +150,11 @@ resource "kubernetes_deployment" "realestate-crawler-api" { # } env { name = "CELERY_BROKER_URL" - value = "redis://redis.redis.svc.cluster.local:6379/0" + value = "redis://${var.redis_host}:6379/0" } env { name = "CELERY_RESULT_BACKEND" - value = "redis://redis.redis.svc.cluster.local:6379/1" + value = "redis://${var.redis_host}:6379/1" } env { @@ -196,6 +190,16 @@ resource "kubernetes_deployment" "realestate-crawler-api" { container_port = 5001 protocol = "TCP" } + resources { + requests = { + cpu = "50m" + memory = "128Mi" + } + limits = { + cpu = "2000m" + memory = "1Gi" + } + } volume_mount { name = "data" mount_path = "/app/data" @@ -205,7 +209,7 @@ resource "kubernetes_deployment" "realestate-crawler-api" { name = "data" nfs { path = "/mnt/main/real-estate-crawler" - server = "10.0.10.15" + server = var.nfs_server } } } 
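Review bot: `DB_CONNECTION_STRING` interpolates `var.realestate_crawler_db_password` raw into the URL userinfo; a password containing `@`, `/`, `:`, `#` or `?` silently changes the parsed host or database, so use `urlencode(var.realestate_crawler_db_password)` in the value. The credential also stays a literal `value` on the Deployment (visible to anyone with `get deployments` in the namespace and in Terraform state), which the commit's Phase 1 fixes for Netbox but not here; a `kubernetes_secret` plus `value_from { secret_key_ref { ... } }` keeps it out of the pod spec. The deployment block extends outside the hunk.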
@@ -292,7 +296,7 @@ resource "kubernetes_deployment" "realestate-crawler-celery" { name = "celery-worker" image = "viktorbarzin/realestatecrawler:latest" image_pull_policy = "Always" - command = ["python", "-m", "celery", "-A", "celery_app", "worker", "--loglevel=info"] + command = ["python", "-m", "celery", "-A", "celery_app", "worker", "--loglevel=info", "--pool=threads"] port { name = "metrics" container_port = 9090 @@ -304,15 +308,15 @@ resource "kubernetes_deployment" "realestate-crawler-celery" { } env { name = "DB_CONNECTION_STRING" - value = "mysql://wrongmove:${var.realestate_crawler_db_password}@mysql.dbaas.svc.cluster.local:3306/wrongmove" + value = "mysql://wrongmove:${var.realestate_crawler_db_password}@${var.mysql_host}:3306/wrongmove" } env { name = "CELERY_BROKER_URL" - value = "redis://redis.redis.svc.cluster.local:6379/0" + value = "redis://${var.redis_host}:6379/0" } env { name = "CELERY_RESULT_BACKEND" - value = "redis://redis.redis.svc.cluster.local:6379/1" + value = "redis://${var.redis_host}:6379/1" } env { name = "SLACK_WEBHOOK_URL" @@ -339,7 +343,7 @@ resource "kubernetes_deployment" "realestate-crawler-celery" { name = "data" nfs { path = "/mnt/main/real-estate-crawler" - server = "10.0.10.15" + server = var.nfs_server } } } 
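Review bot: `--pool=threads` switches the Celery worker from prefork processes to threads, a behavioural change unrelated to the hardening described in the commit message and worth a one-line justification next to the command. With a thread pool all tasks share one process, so the MySQL and Redis clients behind `celery_app` must be thread-safe with per-task sessions closed, and a CPU-bound task holds the GIL for the others; this container's memory request/limit is outside the hunk, so whether the move was made for memory cannot be confirmed here. A comment such as `# threads pool: presumably I/O-bound crawl tasks; requires thread-safe DB/redis clients` would record the rationale.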
@@ -398,21 +402,31 @@ resource "kubernetes_deployment" "realestate-crawler-celery-beat" { name = "celery-beat" image = "viktorbarzin/realestatecrawler:latest" command = ["python", "-m", "celery", "-A", "celery_app", "beat", "--loglevel=info"] + resources { + requests = { + cpu = "10m" + memory = "64Mi" + } + limits = { + cpu = "200m" + memory = "256Mi" + } + } env { name = "ENV" value = "prod" } env { name = "DB_CONNECTION_STRING" - value = "mysql://wrongmove:${var.realestate_crawler_db_password}@mysql.dbaas.svc.cluster.local:3306/wrongmove" + value = "mysql://wrongmove:${var.realestate_crawler_db_password}@${var.mysql_host}:3306/wrongmove" } env { name = "CELERY_BROKER_URL" - value = "redis://redis.redis.svc.cluster.local:6379/0" + value = "redis://${var.redis_host}:6379/0" } env { name = "CELERY_RESULT_BACKEND" - value = "redis://redis.redis.svc.cluster.local:6379/1" + value = "redis://${var.redis_host}:6379/1" } env { name = "SCRAPE_SCHEDULES" @@ -427,7 +441,7 @@ resource "kubernetes_deployment" "realestate-crawler-celery-beat" { name = "data" nfs { path = "/mnt/main/real-estate-crawler" - server = "10.0.10.15" + server = var.nfs_server } } } diff --git a/stacks/reloader/main.tf b/stacks/reloader/main.tf index da1395ab..3d9e03a8 100644 --- a/stacks/reloader/main.tf +++ b/stacks/reloader/main.tf @@ -1,13 +1,3 @@ -locals { - tiers = { - core = "0-core" - cluster = "1-cluster" - gpu = "2-gpu" - edge = "3-edge" - aux = "4-aux" - } -} - resource "kubernetes_namespace" "crowdsec" { metadata { name = "reloader" diff --git a/stacks/resume/main.tf b/stacks/resume/main.tf index f091fdc0..94661a17 100644 --- a/stacks/resume/main.tf +++ b/stacks/resume/main.tf 
@@ -2,16 +2,9 @@ variable "tls_secret_name" { type = string } variable "resume_database_url" { type = string } variable "resume_auth_secret" { type = string } variable "mailserver_accounts" { type = map(any) } +variable "nfs_server" { type = string } +variable "mail_host" { type = string } -locals { - tiers = { - core = "0-core" - cluster = "1-cluster" - gpu = "2-gpu" - edge = "3-edge" - aux = "4-aux" - } -} locals { namespace = "resume" @@ -192,7 +185,7 @@ resource "kubernetes_deployment" "resume" { # SMTP config for password reset emails env { name = "SMTP_HOST" - value = "mail.viktorbarzin.me" + value = var.mail_host } env { name = "SMTP_PORT" @@ -259,7 +252,7 @@ resource "kubernetes_deployment" "resume" { volume { name = "data" nfs { - server = "10.0.10.15" + server = var.nfs_server path = "/mnt/main/resume" } } diff --git a/stacks/rybbit/main.tf b/stacks/rybbit/main.tf index 794fbe36..896e5d69 100644 --- a/stacks/rybbit/main.tf +++ b/stacks/rybbit/main.tf @@ -1,16 +1,9 @@ variable "tls_secret_name" { type = string } variable "clickhouse_password" { type = string } variable "clickhouse_postgres_password" { type = string } +variable "nfs_server" { type = string } +variable "postgresql_host" { type = string } -locals { - tiers = { - core = "0-core" - cluster = "1-cluster" - gpu = "2-gpu" - edge = "3-edge" - aux = "4-aux" - } -} resource "kubernetes_namespace" "rybbit" { metadata { @@ -89,7 +82,7 @@ resource "kubernetes_deployment" "clickhouse" { name = "data" nfs { path = "/mnt/main/clickhouse" - server = "10.0.10.15" + server = var.nfs_server } } } @@ -168,7 +161,7 @@ resource "kubernetes_deployment" "rybbit" { } env { name = "POSTGRES_HOST" - value = "postgresql.dbaas.svc.cluster.local" + value = var.postgresql_host } env { name = "POSTGRES_PORT" diff --git a/stacks/send/main.tf b/stacks/send/main.tf index f1b43931..663337cf 100644 --- a/stacks/send/main.tf +++ b/stacks/send/main.tf 
@@ -1,14 +1,7 @@ variable "tls_secret_name" { type = string } +variable "nfs_server" { type = string } +variable "redis_host" { type = string } -locals { - tiers = { - core = "0-core" - cluster = "1-cluster" - gpu = "2-gpu" - edge = "3-edge" - aux = "4-aux" - } -} resource "kubernetes_namespace" "send" { metadata { @@ -81,7 +74,7 @@ resource "kubernetes_deployment" "send" { } env { name = "REDIS_HOST" - value = "redis.redis.svc.cluster.local" + value = var.redis_host } volume_mount { name = "data" @@ -92,7 +85,7 @@ resource "kubernetes_deployment" "send" { name = "data" nfs { path = "/mnt/main/send" - server = "10.0.10.15" + server = var.nfs_server } } } diff --git a/stacks/servarr/aiostreams/main.tf b/stacks/servarr/aiostreams/main.tf index 1ec5e4ae..a97af8bf 100644 --- a/stacks/servarr/aiostreams/main.tf +++ b/stacks/servarr/aiostreams/main.tf @@ -1,6 +1,7 @@ variable "tls_secret_name" {} variable "tier" { type = string } variable "aiostreams_database_connection_string" { type = string } +variable "nfs_server" { type = string } resource "kubernetes_namespace" "aiostreams" { metadata { @@ -64,7 +65,7 @@ resource "kubernetes_deployment" "aiostreams" { volume { name = "data" nfs { - server = "10.0.10.15" + server = var.nfs_server path = "/mnt/main/servarr/aiostreams" } } diff --git a/stacks/servarr/lidarr/main.tf b/stacks/servarr/lidarr/main.tf index b851ca18..7816592d 100644 --- a/stacks/servarr/lidarr/main.tf +++ b/stacks/servarr/lidarr/main.tf @@ -1,5 +1,6 @@ variable "tls_secret_name" {} variable "tier" { type = string } +variable "nfs_server" { type = string } resource "kubernetes_deployment" "lidarr" { 
@@ -77,21 +78,21 @@ resource "kubernetes_deployment" "lidarr" { name = "data" nfs { path = "/mnt/main/servarr/lidarr" - server = "10.0.10.15" + server = var.nfs_server } } volume { name = "downloads" nfs { path = "/mnt/main/servarr/downloads" - server = "10.0.10.15" + server = var.nfs_server } } volume { name = "deemix-config" nfs { path = "/mnt/main/servarr/lidarr" - server = "10.0.10.15" + server = var.nfs_server } } } diff --git a/stacks/servarr/listenarr/main.tf b/stacks/servarr/listenarr/main.tf index 2b371421..035971d7 100644 --- a/stacks/servarr/listenarr/main.tf +++ b/stacks/servarr/listenarr/main.tf @@ -1,5 +1,6 @@ variable "tls_secret_name" {} variable "tier" { type = string } +variable "nfs_server" { type = string } resource "kubernetes_deployment" "listenarr" { @@ -44,14 +45,14 @@ resource "kubernetes_deployment" "listenarr" { name = "data" nfs { path = "/mnt/main/servarr/listenarr" - server = "10.0.10.15" + server = var.nfs_server } } volume { name = "downloads" nfs { path = "/mnt/main/servarr/downloads" - server = "10.0.10.15" + server = var.nfs_server } } } diff --git a/stacks/servarr/main.tf b/stacks/servarr/main.tf index 8498fcc8..105c55d3 100644 --- a/stacks/servarr/main.tf +++ b/stacks/servarr/main.tf @@ -1,15 +1,6 @@ variable "tls_secret_name" { type = string } variable "aiostreams_database_connection_string" { type = string } -locals { - tiers = { - core = "0-core" - cluster = "1-cluster" - gpu = "2-gpu" - edge = "3-edge" - aux = "4-aux" - } -} resource "kubernetes_namespace" "servarr" { metadata { diff --git a/stacks/servarr/prowlarr/main.tf b/stacks/servarr/prowlarr/main.tf index 78bfebfc..a1ea2416 100644 --- a/stacks/servarr/prowlarr/main.tf +++ b/stacks/servarr/prowlarr/main.tf @@ -1,5 +1,6 @@ variable "tls_secret_name" {} variable "tier" { type = string } +variable "nfs_server" { type = string } resource "kubernetes_deployment" "prowlarr" { 
@@ -64,14 +65,14 @@ resource "kubernetes_deployment" "prowlarr" { name = "data" nfs { path = "/mnt/main/servarr/prowlarr" - server = "10.0.10.15" + server = var.nfs_server } } volume { name = "downloads" nfs { path = "/mnt/main/servarr/downloads" - server = "10.0.10.15" + server = var.nfs_server } } } diff --git a/stacks/servarr/qbittorrent/main.tf b/stacks/servarr/qbittorrent/main.tf index 41976bfd..4d972e28 100644 --- a/stacks/servarr/qbittorrent/main.tf +++ b/stacks/servarr/qbittorrent/main.tf @@ -1,5 +1,6 @@ variable "tls_secret_name" {} variable "tier" { type = string } +variable "nfs_server" { type = string } resource "kubernetes_deployment" "qbittorrent" { @@ -64,14 +65,14 @@ resource "kubernetes_deployment" "qbittorrent" { name = "data" nfs { path = "/mnt/main/servarr/qbittorrent" - server = "10.0.10.15" + server = var.nfs_server } } volume { name = "downloads" nfs { path = "/mnt/main/servarr/downloads" - server = "10.0.10.15" + server = var.nfs_server } } } diff --git a/stacks/servarr/readarr/main.tf b/stacks/servarr/readarr/main.tf index e58dc4db..7310495e 100644 --- a/stacks/servarr/readarr/main.tf +++ b/stacks/servarr/readarr/main.tf @@ -1,5 +1,6 @@ variable "tls_secret_name" {} variable "tier" { type = string } +variable "nfs_server" { type = string } resource "kubernetes_namespace" "readarr" { metadata { name = "readarr" @@ -83,14 +84,14 @@ resource "kubernetes_deployment" "readarr" { name = "data" nfs { path = "/mnt/main/servarr/readarr" - server = "10.0.10.15" + server = var.nfs_server } } volume { name = "qbittorrent" nfs { path = "/mnt/main/servarr/qbittorrent" - server = "10.0.10.15" + server = var.nfs_server } } } diff --git a/stacks/servarr/soulseek/main.tf b/stacks/servarr/soulseek/main.tf index eaf11b79..fc623565 100644 --- a/stacks/servarr/soulseek/main.tf +++ b/stacks/servarr/soulseek/main.tf 
@@ -1,5 +1,6 @@ variable "tls_secret_name" {} variable "tier" { type = string } +variable "nfs_server" { type = string } resource "kubernetes_deployment" "soulseek" { @@ -59,14 +60,14 @@ resource "kubernetes_deployment" "soulseek" { name = "config" nfs { path = "/mnt/main/servarr/lidarr" - server = "10.0.10.15" + server = var.nfs_server } } volume { name = "downloads" nfs { path = "/mnt/main/servarr/lidarr" - server = "10.0.10.15" + server = var.nfs_server } } } diff --git a/stacks/shadowsocks/main.tf b/stacks/shadowsocks/main.tf index 9a036079..0b13ac51 100644 --- a/stacks/shadowsocks/main.tf +++ b/stacks/shadowsocks/main.tf @@ -1,14 +1,5 @@ variable "shadowsocks_password" { type = string } -locals { - tiers = { - core = "0-core" - cluster = "1-cluster" - gpu = "2-gpu" - edge = "3-edge" - aux = "4-aux" - } -} variable "method" { default = "chacha20-ietf-poly1305" diff --git a/stacks/speedtest/main.tf b/stacks/speedtest/main.tf index 0357f801..35cffd4b 100644 --- a/stacks/speedtest/main.tf +++ b/stacks/speedtest/main.tf @@ -1,15 +1,8 @@ variable "tls_secret_name" { type = string } variable "speedtest_db_password" { type = string } +variable "nfs_server" { type = string } +variable "mysql_host" { type = string } -locals { - tiers = { - core = "0-core" - cluster = "1-cluster" - gpu = "2-gpu" - edge = "3-edge" - aux = "4-aux" - } -} resource "kubernetes_namespace" "speedtest" { metadata { @@ -90,7 +83,7 @@ resource "kubernetes_deployment" "speedtest" { } env { name = "DB_HOST" - value = "mysql.dbaas.svc.cluster.local" + value = var.mysql_host } env { name = "DB_DATABASE" @@ -116,7 +109,7 @@ resource "kubernetes_deployment" "speedtest" { volume { name = "config" nfs { - server = "10.0.10.15" + server = var.nfs_server path = "/mnt/main/speedtest" } } diff --git a/stacks/stirling-pdf/main.tf b/stacks/stirling-pdf/main.tf index 48bf69bd..71a1175e 100644 --- a/stacks/stirling-pdf/main.tf +++ b/stacks/stirling-pdf/main.tf 
@@ -1,14 +1,6 @@
 variable "tls_secret_name" { type = string }
+variable "nfs_server" { type = string }
-locals {
- tiers = {
- core = "0-core"
- cluster = "1-cluster"
- gpu = "2-gpu"
- edge = "3-edge"
- aux = "4-aux"
- }
-}
 resource "kubernetes_namespace" "stirling-pdf" {
 metadata {
@@ -63,7 +55,7 @@ resource "kubernetes_deployment" "stirling-pdf" {
 volume {
 name = "configs"
 nfs {
- server = "10.0.10.15"
+ server = var.nfs_server
 path = "/mnt/main/stirling-pdf"
 }
 }
diff --git a/stacks/tandoor/main.tf b/stacks/tandoor/main.tf
index 54d3c09e..9f69e674 100644
--- a/stacks/tandoor/main.tf
+++ b/stacks/tandoor/main.tf
@@ -4,16 +4,10 @@ variable "tandoor_email_password" {
 type = string
 default = ""
 }
+variable "nfs_server" { type = string }
+variable "postgresql_host" { type = string }
+variable "mail_host" { type = string }
-locals {
- tiers = {
- core = "0-core"
- cluster = "1-cluster"
- gpu = "2-gpu"
- edge = "3-edge"
- aux = "4-aux"
- }
-}
 resource "kubernetes_namespace" "tandoor" {
 metadata {
@@ -75,7 +69,7 @@ resource "kubernetes_deployment" "tandoor" {
 }
 env {
 name = "POSTGRES_HOST"
- value = "postgresql.dbaas.svc.cluster.local"
+ value = var.postgresql_host
 }
 env {
 name = "POSTGRES_PORT"
@@ -107,7 +101,7 @@ resource "kubernetes_deployment" "tandoor" {
 }
 env {
 name = "EMAIL_HOST"
- value = "mail.viktorbarzin.me"
+ value = var.mail_host
 }
 env {
 name = "EMAIL_HOST_USER"
@@ -148,7 +142,7 @@ resource "kubernetes_deployment" "tandoor" {
 name = "data"
 nfs {
 path = "/mnt/main/tandoor"
- server = "10.0.10.15"
+ server = var.nfs_server
 }
 }
 }
diff --git a/stacks/tor-proxy/main.tf b/stacks/tor-proxy/main.tf
index 0c48104d..f43a55af 100644
--- a/stacks/tor-proxy/main.tf
+++ b/stacks/tor-proxy/main.tf
@@ -1,14 +1,5 @@
 variable "tls_secret_name" { type = string }
-locals {
- tiers = {
- core = "0-core"
- cluster = "1-cluster"
- gpu = "2-gpu"
- edge = "3-edge"
- aux = "4-aux"
- }
-}
 resource "kubernetes_namespace" "tor-proxy" {
 metadata {
diff --git a/stacks/travel_blog/main.tf b/stacks/travel_blog/main.tf
index 8e6d699c..5781369c 100644
--- a/stacks/travel_blog/main.tf
+++ b/stacks/travel_blog/main.tf
@@ -1,14 +1,5 @@
 variable "tls_secret_name" { type = string }
-locals {
- tiers = {
- core = "0-core"
- cluster = "1-cluster"
- gpu = "2-gpu"
- edge = "3-edge"
- aux = "4-aux"
- }
-}
 resource "kubernetes_namespace" "travel-blog" {
 metadata {
diff --git a/stacks/tuya-bridge/main.tf b/stacks/tuya-bridge/main.tf
index 54fadc53..918e5c7f 100644
--- a/stacks/tuya-bridge/main.tf
+++ b/stacks/tuya-bridge/main.tf
@@ -4,15 +4,6 @@ variable "tiny_tuya_api_secret" { type = string }
 variable "tiny_tuya_service_secret" { type = string }
 variable "tiny_tuya_slack_url" { type = string }
-locals {
- tiers = {
- core = "0-core"
- cluster = "1-cluster"
- gpu = "2-gpu"
- edge = "3-edge"
- aux = "4-aux"
- }
-}
 resource "kubernetes_namespace" "tuya-bridge" {
 metadata {
diff --git a/stacks/url/main.tf b/stacks/url/main.tf
index 421f21f2..76972471 100644
--- a/stacks/url/main.tf
+++ b/stacks/url/main.tf
@@ -2,16 +2,8 @@ variable "tls_secret_name" { type = string }
 variable "url_shortener_geolite_license_key" { type = string }
 variable "url_shortener_api_key" { type = string }
 variable "url_shortener_mysql_password" { type = string }
+variable "mysql_host" { type = string }
-locals {
- tiers = {
- core = "0-core"
- cluster = "1-cluster"
- gpu = "2-gpu"
- edge = "3-edge"
- aux = "4-aux"
- }
-}
 ## Setup
 ## Need to manually add
@@ -128,7 +120,7 @@ resource "kubernetes_deployment" "shlink" {
 }
 env {
 name = "DB_HOST"
- value = "mysql.dbaas.svc.cluster.local"
+ value = var.mysql_host
 }
 # env {
 # name = "DB_USER"
diff --git a/stacks/wealthfolio/main.tf b/stacks/wealthfolio/main.tf
index e458b89c..6f2be13f 100644
--- a/stacks/wealthfolio/main.tf
+++ b/stacks/wealthfolio/main.tf
@@ -1,15 +1,7 @@
 variable "tls_secret_name" { type = string }
 variable "wealthfolio_password_hash" { type = string }
+variable "nfs_server" { type = string }
-locals {
- tiers = {
- core = "0-core"
- cluster = "1-cluster"
- gpu = "2-gpu"
- edge = "3-edge"
- aux = "4-aux"
- }
-}
 # To refresh transactions use finance db positions exporters:
 #
@@ -100,7 +92,7 @@ resource "kubernetes_deployment" "wealthfolio" {
 volume {
 name = "data"
 nfs {
- server = "10.0.10.15"
+ server = var.nfs_server
 path = "/mnt/main/wealthfolio"
 }
 }
diff --git a/stacks/webhook_handler/main.tf b/stacks/webhook_handler/main.tf
index 79f5b1e6..3bb3d833 100644
--- a/stacks/webhook_handler/main.tf
+++ b/stacks/webhook_handler/main.tf
@@ -7,15 +7,6 @@ variable "webhook_handler_git_user" { type = string }
 variable "webhook_handler_git_token" { type = string }
 variable "webhook_handler_ssh_key" { type = string }
-locals {
- tiers = {
- core = "0-core"
- cluster = "1-cluster"
- gpu = "2-gpu"
- edge = "3-edge"
- aux = "4-aux"
- }
-}
 resource "kubernetes_namespace" "webhook-handler" {
 metadata {
diff --git a/stacks/whisper/main.tf b/stacks/whisper/main.tf
index 1c099c16..4f10e23c 100644
--- a/stacks/whisper/main.tf
+++ b/stacks/whisper/main.tf
@@ -1,14 +1,6 @@
 variable "tls_secret_name" { type = string }
+variable "nfs_server" { type = string }
-locals {
- tiers = {
- core = "0-core"
- cluster = "1-cluster"
- gpu = "2-gpu"
- edge = "3-edge"
- aux = "4-aux"
- }
-}
 resource "kubernetes_namespace" "whisper" {
 metadata {
@@ -80,7 +72,7 @@ resource "kubernetes_deployment" "whisper" {
 volume {
 name = "data"
 nfs {
- server = "10.0.10.15"
+ server = var.nfs_server
 path = "/mnt/main/whisper"
 }
 }
@@ -190,7 +182,7 @@ resource "kubernetes_deployment" "piper" {
 volume {
 name = "data"
 nfs {
- server = "10.0.10.15"
+ server = var.nfs_server
 path = "/mnt/main/whisper"
 }
 }
diff --git a/stacks/woodpecker/main.tf b/stacks/woodpecker/main.tf
index 25815fa7..90432b22 100644
--- a/stacks/woodpecker/main.tf
+++ b/stacks/woodpecker/main.tf
@@ -4,16 +4,9 @@ variable "woodpecker_github_client_secret" { type = string }
 variable "woodpecker_agent_secret" { type = string }
 variable "woodpecker_db_password" { type = string }
 variable "dbaas_postgresql_root_password" { type = string }
+variable "nfs_server" { type = string }
+variable "postgresql_host" { type = string }
-locals {
- tiers = {
- core = "0-core"
- cluster = "1-cluster"
- gpu = "2-gpu"
- edge = "3-edge"
- aux = "4-aux"
- }
-}
 resource "kubernetes_namespace" "woodpecker" {
 metadata {
@@ -76,11 +69,11 @@ resource "kubernetes_job" "db_init" {
 <<-EOT
 set -e
 # Create user if not exists
- PGPASSWORD='${var.dbaas_postgresql_root_password}' psql -h postgresql.dbaas.svc.cluster.local -U root -tc "SELECT 1 FROM pg_roles WHERE rolname='woodpecker'" | grep -q 1 || \
- PGPASSWORD='${var.dbaas_postgresql_root_password}' psql -h postgresql.dbaas.svc.cluster.local -U root -c "CREATE ROLE woodpecker WITH LOGIN PASSWORD '${var.woodpecker_db_password}'"
+ PGPASSWORD='${var.dbaas_postgresql_root_password}' psql -h ${var.postgresql_host} -U root -tc "SELECT 1 FROM pg_roles WHERE rolname='woodpecker'" | grep -q 1 || \
+ PGPASSWORD='${var.dbaas_postgresql_root_password}' psql -h ${var.postgresql_host} -U root -c "CREATE ROLE woodpecker WITH LOGIN PASSWORD '${var.woodpecker_db_password}'"
 # Create database if not exists
- PGPASSWORD='${var.dbaas_postgresql_root_password}' psql -h postgresql.dbaas.svc.cluster.local -U root -tc "SELECT 1 FROM pg_database WHERE datname='woodpecker'" | grep -q 1 || \
- PGPASSWORD='${var.dbaas_postgresql_root_password}' psql -h postgresql.dbaas.svc.cluster.local -U root -c "CREATE DATABASE woodpecker OWNER woodpecker"
+ PGPASSWORD='${var.dbaas_postgresql_root_password}' psql -h ${var.postgresql_host} -U root -tc "SELECT 1 FROM pg_database WHERE datname='woodpecker'" | grep -q 1 || \
+ PGPASSWORD='${var.dbaas_postgresql_root_password}' psql -h ${var.postgresql_host} -U root -c "CREATE DATABASE woodpecker OWNER woodpecker"
 echo "Database init complete"
 EOT
 ]
@@ -108,7 +101,7 @@ resource "kubernetes_persistent_volume" "woodpecker_server_data" {
 access_modes = ["ReadWriteOnce"]
 persistent_volume_source {
 nfs {
- server = "10.0.10.15"
+ server = var.nfs_server
 path = "/mnt/main/woodpecker"
 }
 }
@@ -133,6 +126,7 @@ resource "helm_release" "woodpecker" {
 github_client_secret = var.woodpecker_github_client_secret
 agent_secret = var.woodpecker_agent_secret
 db_password = var.woodpecker_db_password
+ postgresql_host = var.postgresql_host
 })
 ]
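Review bot: The four rewritten psql lines in the `db_init` job interpolate `${var.postgresql_host}` into the shell command bare, while the root password on the same lines is single-quoted; `psql -h '${var.postgresql_host}' -U root` keeps the two consistent and stops a host value containing whitespace or shell metacharacters from being word-split or expanded. The same lines still embed `${var.woodpecker_db_password}` inside the double-quoted `-c` argument, so a password containing `'`, `"`, `$`, a backtick or a backslash would either break the CREATE ROLE statement or be rewritten by the shell before psql sees it, and the complete statement, password included, ends up in the Job's pod spec and in PostgreSQL statement logs if those are enabled. Passing the password as a psql variable populated from an environment variable (`-v pw="$WOODPECKER_DB_PASSWORD"` with `PASSWORD :'pw'` in the statement) should let psql quote it as a literal; please confirm that `-c` honours `:'name'` interpolation on the psql version in the image. The `kubernetes_job` resource begins before this hunk.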
diff --git a/stacks/woodpecker/values.yaml b/stacks/woodpecker/values.yaml
index 6427930b..21f7f948 100644
--- a/stacks/woodpecker/values.yaml
+++ b/stacks/woodpecker/values.yaml
@@ -15,7 +15,7 @@ server:
 WOODPECKER_GITHUB_SECRET: "${github_client_secret}"
 WOODPECKER_AGENT_SECRET: "${agent_secret}"
 WOODPECKER_DATABASE_DRIVER: "postgres"
- WOODPECKER_DATABASE_DATASOURCE: "postgres://woodpecker:${db_password}@postgresql.dbaas.svc.cluster.local:5432/woodpecker?sslmode=disable"
+ WOODPECKER_DATABASE_DATASOURCE: "postgres://woodpecker:${db_password}@${postgresql_host}:5432/woodpecker?sslmode=disable"
 WOODPECKER_PLUGINS_PRIVILEGED: "woodpeckerci/plugin-docker-buildx,plugins/docker"
 WOODPECKER_PLUGINS_TRUSTED_CLONE: "woodpeckerci/plugin-git,alpine"
 WOODPECKER_LOG_LEVEL: "info"
diff --git a/stacks/ytdlp/main.tf b/stacks/ytdlp/main.tf
index 484891d6..e8990ecf 100644
--- a/stacks/ytdlp/main.tf
+++ b/stacks/ytdlp/main.tf
@@ -2,16 +2,10 @@ variable "tls_secret_name" { type = string }
 variable "openrouter_api_key" { type = string }
 variable "slack_bot_token" { type = string }
 variable "slack_channel" { type = string }
+variable "nfs_server" { type = string }
+variable "redis_host" { type = string }
+variable "ollama_host" { type = string }
-locals {
- tiers = {
- core = "0-core"
- cluster = "1-cluster"
- gpu = "2-gpu"
- edge = "3-edge"
- aux = "4-aux"
- }
-}
 resource "kubernetes_namespace" "ytdlp" {
 metadata {
@@ -100,7 +94,7 @@ resource "kubernetes_deployment" "ytdlp" {
 name = "data"
 nfs {
 path = "/mnt/main/ytdlp"
- server = "10.0.10.15"
+ server = var.nfs_server
 }
 }
 # }
@@ -247,7 +241,7 @@ resource "kubernetes_deployment" "yt_highlights" {
 }
 env {
 name = "REDIS_URL"
- value = "redis://redis.redis.svc.cluster.local:6379/0"
+ value = "redis://${var.redis_host}:6379/0"
 }
 # Store model cache on NFS to avoid ephemeral storage eviction
 env {
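Review bot: The rewritten `WOODPECKER_DATABASE_DATASOURCE` line still ends in `?sslmode=disable`, so the woodpecker database password and all CI metadata cross the network to `${postgresql_host}` unencrypted, and now that the host is a template input rather than the fixed in-cluster service name the connection could be pointed outside the cluster without anything forcing TLS. If the PostgreSQL service offers TLS, changing that one query parameter to `sslmode=require` (or `verify-full` with a CA, if one is available) closes the gap; if it does not, a comment above the line recording that the connection is deliberately cluster-internal and unencrypted would at least make the choice explicit for the next reader. Whether the server side supports TLS is not visible in this diff.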
@@ -261,7 +255,7 @@ resource "kubernetes_deployment" "yt_highlights" { # Ollama fallback for when OpenRouter models fail env { name = "OLLAMA_URL" - value = "http://ollama.ollama.svc.cluster.local:11434" + value = "http://${var.ollama_host}:11434" } env { name = "OLLAMA_MODEL" @@ -290,7 +284,7 @@ resource "kubernetes_deployment" "yt_highlights" { volume { name = "data" nfs { - server = "10.0.10.15" + server = var.nfs_server path = "/mnt/main/ytdlp-highlights" } } diff --git a/terragrunt.hcl b/terragrunt.hcl index a75d0c13..b197928e 100644 --- a/terragrunt.hcl +++ b/terragrunt.hcl @@ -53,3 +53,21 @@ provider "helm" { } EOF } + +# Generate shared tiers locals for all stacks. +# Previously duplicated in 67+ stacks; now defined once here. +generate "tiers" { + path = "tiers.tf" + if_exists = "overwrite_terragrunt" + contents = <