[ci skip] Infrastructure hardening: security, monitoring, reliability, maintainability

Phase 1 - Critical Security:
- Netbox: move hardcoded DB/superuser passwords to variables
- MeshCentral: disable public registration, add Authentik auth
- Traefik: disable insecure API dashboard (api.insecure=false)
- Traefik: configure forwarded headers with Cloudflare trusted IPs

Phase 2 - Security Hardening:
- Add security headers middleware (HSTS, X-Frame-Options, nosniff, etc.)
- Add Kyverno pod security policies in audit mode (privileged, host
  namespaces, SYS_ADMIN, trusted registries)
- Tighten rate limiting (avg=10, burst=50)
- Add Authentik protection to grampsweb

Phase 3 - Monitoring & Alerting:
- Add critical service alerts (PostgreSQL, MySQL, Redis, Headscale,
  Authentik, Loki)
- Increase Loki retention from 7 to 30 days (720h)
- Add predictive PV filling alert (predict_linear)
- Re-enable Hackmd and Privatebin down alerts

Phase 4 - Reliability:
- Add resource requests/limits to Redis, DBaaS, Technitium, Headscale,
  Vaultwarden, Uptime Kuma
- Increase Alloy DaemonSet memory to 512Mi/1Gi

Phase 6 - Maintainability:
- Extract duplicated tiers locals to terragrunt.hcl generate block
  (removed from 67 stacks)
- Replace hardcoded NFS IP 10.0.10.15 with var.nfs_server (114
  instances across 63 files)
- Replace hardcoded Redis/PostgreSQL/MySQL/Ollama/mail host references
  with variables across ~35 stacks
- Migrate xray raw ingress resources to ingress_factory modules
This commit is contained in:
Viktor Barzin 2026-02-23 22:05:28 +00:00
parent 1b4737c90c
commit 89a6e08245
104 changed files with 773 additions and 920 deletions


@ -12,6 +12,7 @@ variable "budget_encryption_password" {
type = string type = string
default = null # If not passed, we won't run banksync ;known after initial installation default = null # If not passed, we won't run banksync ;known after initial installation
} }
variable "nfs_server" { type = string }
resource "kubernetes_deployment" "actualbudget" { resource "kubernetes_deployment" "actualbudget" {
metadata { metadata {
@ -59,7 +60,7 @@ resource "kubernetes_deployment" "actualbudget" {
name = "data" name = "data"
nfs { nfs {
path = "/mnt/main/actualbudget/${var.name}" path = "/mnt/main/actualbudget/${var.name}"
server = "10.0.10.15" server = var.nfs_server
} }
} }
} }
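Review bot: The added `variable "nfs_server" { type = string }` has no description and no validation, yet its value is interpolated straight into the NFS volume `server` field in the second hunk, so an empty or mistyped value is only discovered when the pod fails to mount. The same bare declaration is added in the affine, audiobookshelf, calibre, changedetection, diun, ebook2audiobook, excalidraw, f1-stream, forgejo, freshrss, frigate, grampsweb, hackmd, health, immich, isponsorblocktv, matrix, meshcentral, n8n and navidrome sections; whether terragrunt supplies the value centrally is not visible here. Since the commit message says shared locals now come from a terragrunt generate block, that block may be the place to emit this declaration once with a description and a format check, along the lines below.
```terraform
variable "nfs_server" {
  type        = string
  description = "NFS server (IPv4 address or hostname) backing this stack's volumes"
  validation {
    condition     = can(regex("^[A-Za-z0-9.-]+$", var.nfs_server))
    error_message = "nfs_server must be a non-empty hostname or IPv4 address."
  }
}
```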


@ -1,15 +1,6 @@
variable "tls_secret_name" { type = string } variable "tls_secret_name" { type = string }
variable "actualbudget_credentials" { type = map(any) } variable "actualbudget_credentials" { type = map(any) }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
# To create a new deployment: # To create a new deployment:
/** /**


@ -1,16 +1,11 @@
variable "tls_secret_name" { type = string } variable "tls_secret_name" { type = string }
variable "affine_postgresql_password" { type = string } variable "affine_postgresql_password" { type = string }
variable "mailserver_accounts" { type = map(any) } variable "mailserver_accounts" { type = map(any) }
variable "nfs_server" { type = string }
variable "redis_host" { type = string }
variable "postgresql_host" { type = string }
variable "mail_host" { type = string }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
resource "kubernetes_namespace" "affine" { resource "kubernetes_namespace" "affine" {
metadata { metadata {
@ -31,11 +26,11 @@ locals {
common_env = [ common_env = [
{ {
name = "DATABASE_URL" name = "DATABASE_URL"
value = "postgresql://affine:${var.affine_postgresql_password}@postgresql.dbaas.svc.cluster.local:5432/affine" value = "postgresql://affine:${var.affine_postgresql_password}@${var.postgresql_host}:5432/affine"
}, },
{ {
name = "REDIS_SERVER_HOST" name = "REDIS_SERVER_HOST"
value = "redis.redis.svc.cluster.local" value = var.redis_host
}, },
{ {
name = "AFFINE_INDEXER_ENABLED" name = "AFFINE_INDEXER_ENABLED"
@ -57,7 +52,7 @@ locals {
# Email/SMTP configuration # Email/SMTP configuration
{ {
name = "MAILER_HOST" name = "MAILER_HOST"
value = "mailserver.viktorbarzin.me" value = var.mail_host
}, },
{ {
name = "MAILER_PORT" name = "MAILER_PORT"
@ -187,7 +182,7 @@ resource "kubernetes_deployment" "affine" {
volume { volume {
name = "data" name = "data"
nfs { nfs {
server = "10.0.10.15" server = var.nfs_server
path = "/mnt/main/affine" path = "/mnt/main/affine"
} }
} }
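Review bot: `MAILER_HOST` in the third hunk now reads `var.mail_host`, but the literal it replaces here is `mailserver.viktorbarzin.me`, while the grampsweb section replaces `mail.viktorbarzin.me` (`GRAMPSWEB_EMAIL_HOST`) with the same variable name. Unless both names resolve to the same server, or terragrunt sets `mail_host` differently per stack, one of the two services silently changes its SMTP endpoint with this commit. Confirm which value is intended; if they genuinely differ, keep two variables or document the consolidation in the commit message. The `locals` block these env entries live in starts outside the hunk.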


@ -1,14 +1,6 @@
variable "tls_secret_name" { type = string } variable "tls_secret_name" { type = string }
variable "nfs_server" { type = string }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
resource "kubernetes_namespace" "audiobookshelf" { resource "kubernetes_namespace" "audiobookshelf" {
metadata { metadata {
@ -83,28 +75,28 @@ resource "kubernetes_deployment" "audiobookshelf" {
name = "audiobooks" name = "audiobooks"
nfs { nfs {
path = "/mnt/main/audiobookshelf/audiobooks" path = "/mnt/main/audiobookshelf/audiobooks"
server = "10.0.10.15" server = var.nfs_server
} }
} }
volume { volume {
name = "podcasts" name = "podcasts"
nfs { nfs {
path = "/mnt/main/audiobookshelf/podcasts" path = "/mnt/main/audiobookshelf/podcasts"
server = "10.0.10.15" server = var.nfs_server
} }
} }
volume { volume {
name = "config" name = "config"
nfs { nfs {
path = "/mnt/main/audiobookshelf/config" path = "/mnt/main/audiobookshelf/config"
server = "10.0.10.15" server = var.nfs_server
} }
} }
volume { volume {
name = "metadata" name = "metadata"
nfs { nfs {
path = "/mnt/main/audiobookshelf/metadata" path = "/mnt/main/audiobookshelf/metadata"
server = "10.0.10.15" server = var.nfs_server
} }
} }
} }


@ -1,14 +1,5 @@
variable "tls_secret_name" { type = string } variable "tls_secret_name" { type = string }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
resource "kubernetes_namespace" "website" { resource "kubernetes_namespace" "website" {
metadata { metadata {


@ -1,15 +1,7 @@
variable "tls_secret_name" { type = string } variable "tls_secret_name" { type = string }
variable "homepage_credentials" { type = map(any) } variable "homepage_credentials" { type = map(any) }
variable "nfs_server" { type = string }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
resource "kubernetes_namespace" "calibre" { resource "kubernetes_namespace" "calibre" {
metadata { metadata {
@ -94,7 +86,7 @@ module "tls_secret" {
# name = "data" # name = "data"
# nfs { # nfs {
# path = "/mnt/main/calibre" # path = "/mnt/main/calibre"
# server = "10.0.10.15" # server = var.nfs_server
# } # }
# } # }
# } # }
@ -181,21 +173,21 @@ resource "kubernetes_deployment" "calibre-web-automated" {
name = "library" name = "library"
nfs { nfs {
path = "/mnt/main/calibre-web-automated/calibre-library" path = "/mnt/main/calibre-web-automated/calibre-library"
server = "10.0.10.15" server = var.nfs_server
} }
} }
volume { volume {
name = "config" name = "config"
nfs { nfs {
path = "/mnt/main/calibre-web-automated/config" path = "/mnt/main/calibre-web-automated/config"
server = "10.0.10.15" server = var.nfs_server
} }
} }
volume { volume {
name = "ingest" name = "ingest"
nfs { nfs {
path = "/mnt/main/calibre-web-automated/cwa-book-ingest" path = "/mnt/main/calibre-web-automated/cwa-book-ingest"
server = "10.0.10.15" server = var.nfs_server
} }
} }
} }
@ -292,14 +284,14 @@ resource "kubernetes_deployment" "annas-archive-stacks" {
name = "config" name = "config"
nfs { nfs {
path = "/mnt/main/calibre-web-automated/stacks" path = "/mnt/main/calibre-web-automated/stacks"
server = "10.0.10.15" server = var.nfs_server
} }
} }
volume { volume {
name = "ingest" name = "ingest"
nfs { nfs {
path = "/mnt/main/calibre-web-automated/cwa-book-ingest" path = "/mnt/main/calibre-web-automated/cwa-book-ingest"
server = "10.0.10.15" server = var.nfs_server
} }
} }
} }


@ -1,14 +1,6 @@
variable "tls_secret_name" { type = string } variable "tls_secret_name" { type = string }
variable "nfs_server" { type = string }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
resource "kubernetes_namespace" "changedetection" { resource "kubernetes_namespace" "changedetection" {
metadata { metadata {
@ -104,7 +96,7 @@ resource "kubernetes_deployment" "changedetection" {
name = "data" name = "data"
nfs { nfs {
path = "/mnt/main/changedetection" path = "/mnt/main/changedetection"
server = "10.0.10.15" server = var.nfs_server
} }
} }
} }


@ -1,14 +1,5 @@
variable "tls_secret_name" { type = string } variable "tls_secret_name" { type = string }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
resource "kubernetes_namespace" "city-guesser" { resource "kubernetes_namespace" "city-guesser" {
metadata { metadata {


@ -2,15 +2,6 @@ variable "tls_secret_name" { type = string }
variable "coturn_turn_secret" { type = string } variable "coturn_turn_secret" { type = string }
variable "public_ip" { type = string } variable "public_ip" { type = string }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
locals { locals {
turn_realm = "viktorbarzin.me" turn_realm = "viktorbarzin.me"


@ -1,14 +1,5 @@
variable "tls_secret_name" { type = string } variable "tls_secret_name" { type = string }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
resource "kubernetes_namespace" "cyberchef" { resource "kubernetes_namespace" "cyberchef" {
metadata { metadata {


@ -1,14 +1,5 @@
variable "tls_secret_name" { type = string } variable "tls_secret_name" { type = string }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
module "tls_secret" { module "tls_secret" {
source = "../../modules/kubernetes/setup_tls_secret" source = "../../modules/kubernetes/setup_tls_secret"


@ -2,20 +2,14 @@ variable "tls_secret_name" { type = string }
variable "dawarich_database_password" { type = string } variable "dawarich_database_password" { type = string }
variable "geoapify_api_key" { type = string } variable "geoapify_api_key" { type = string }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
variable "image_version" { variable "image_version" {
type = string type = string
default = "0.37.1" default = "0.37.1"
} }
variable "nfs_server" { type = string }
variable "redis_host" { type = string }
variable "postgresql_host" { type = string }
resource "kubernetes_namespace" "dawarich" { resource "kubernetes_namespace" "dawarich" {
metadata { metadata {
@ -82,11 +76,11 @@ resource "kubernetes_deployment" "dawarich" {
args = ["bin/dev"] args = ["bin/dev"]
env { env {
name = "REDIS_URL" name = "REDIS_URL"
value = "redis://redis.redis.svc.cluster.local:6379" value = "redis://${var.redis_host}:6379"
} }
env { env {
name = "DATABASE_HOST" name = "DATABASE_HOST"
value = "postgresql.dbaas" value = var.postgresql_host
} }
env { env {
name = "DATABASE_USERNAME" name = "DATABASE_USERNAME"
@ -272,7 +266,7 @@ resource "kubernetes_deployment" "dawarich" {
# name = "data" # name = "data"
# nfs { # nfs {
# path = "/mnt/main/photon" # path = "/mnt/main/photon"
# server = "10.0.10.15" # server = var.nfs_server
# } # }
# } # }
# } # }


@ -1,16 +1,8 @@
variable "tls_secret_name" { type = string } variable "tls_secret_name" { type = string }
variable "diun_nfty_token" { type = string } variable "diun_nfty_token" { type = string }
variable "diun_slack_url" { type = string } variable "diun_slack_url" { type = string }
variable "nfs_server" { type = string }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
resource "kubernetes_namespace" "diun" { resource "kubernetes_namespace" "diun" {
metadata { metadata {
@ -176,7 +168,7 @@ resource "kubernetes_deployment" "diun" {
name = "data" name = "data"
nfs { nfs {
path = "/mnt/main/diun" path = "/mnt/main/diun"
server = "10.0.10.15" server = var.nfs_server
} }
} }
} }


@ -1,14 +1,6 @@
variable "tls_secret_name" { type = string } variable "tls_secret_name" { type = string }
variable "nfs_server" { type = string }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
module "tls_secret" { module "tls_secret" {
source = "../../modules/kubernetes/setup_tls_secret" source = "../../modules/kubernetes/setup_tls_secret"
@ -98,7 +90,7 @@ resource "kubernetes_deployment" "ebook2audiobook" {
volume { volume {
name = "data" name = "data"
nfs { nfs {
server = "10.0.10.15" server = var.nfs_server
path = "/mnt/main/ebook2audiobook" path = "/mnt/main/ebook2audiobook"
} }
} }
@ -199,7 +191,7 @@ resource "kubernetes_service" "ebook2audiobook" {
# volume { # volume {
# name = "data" # name = "data"
# nfs { # nfs {
# server = "10.0.10.15" # server = var.nfs_server
# path = "/mnt/main/piper" # path = "/mnt/main/piper"
# } # }
# } # }
@ -288,7 +280,7 @@ resource "kubernetes_deployment" "audiblez" {
volume { volume {
name = "data" name = "data"
nfs { nfs {
server = "10.0.10.15" server = var.nfs_server
path = "/mnt/main/audiblez" path = "/mnt/main/audiblez"
} }
} }
@ -376,7 +368,7 @@ resource "kubernetes_deployment" "audiblez-web" {
volume { volume {
name = "data" name = "data"
nfs { nfs {
server = "10.0.10.15" server = var.nfs_server
path = "/mnt/main/audiblez" path = "/mnt/main/audiblez"
} }
} }


@ -1,14 +1,5 @@
variable "tls_secret_name" { type = string } variable "tls_secret_name" { type = string }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
resource "kubernetes_namespace" "echo" { resource "kubernetes_namespace" "echo" {
metadata { metadata {


@ -1,14 +1,6 @@
variable "tls_secret_name" { type = string } variable "tls_secret_name" { type = string }
variable "nfs_server" { type = string }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
resource "kubernetes_namespace" "excalidraw" { resource "kubernetes_namespace" "excalidraw" {
metadata { metadata {
@ -77,7 +69,7 @@ resource "kubernetes_deployment" "excalidraw" {
volume { volume {
name = "data" name = "data"
nfs { nfs {
server = "10.0.10.15" server = var.nfs_server
path = "/mnt/main/excalidraw" path = "/mnt/main/excalidraw"
} }
} }


@ -1,16 +1,8 @@
variable "tls_secret_name" { type = string } variable "tls_secret_name" { type = string }
variable "coturn_turn_secret" { type = string } variable "coturn_turn_secret" { type = string }
variable "public_ip" { type = string } variable "public_ip" { type = string }
variable "nfs_server" { type = string }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
resource "kubernetes_namespace" "f1-stream" { resource "kubernetes_namespace" "f1-stream" {
metadata { metadata {
@ -97,7 +89,7 @@ resource "kubernetes_deployment" "f1-stream" {
volume { volume {
name = "data" name = "data"
nfs { nfs {
server = "10.0.10.15" server = var.nfs_server
path = "/mnt/main/f1-stream" path = "/mnt/main/f1-stream"
} }
} }


@ -1,14 +1,6 @@
variable "tls_secret_name" { type = string } variable "tls_secret_name" { type = string }
variable "nfs_server" { type = string }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
resource "kubernetes_namespace" "forgejo" { resource "kubernetes_namespace" "forgejo" {
metadata { metadata {
@ -77,7 +69,7 @@ resource "kubernetes_deployment" "forgejo" {
name = "data" name = "data"
nfs { nfs {
path = "/mnt/main/forgejo" path = "/mnt/main/forgejo"
server = "10.0.10.15" server = var.nfs_server
} }
} }
} }


@ -1,15 +1,6 @@
variable "tls_secret_name" { type = string } variable "tls_secret_name" { type = string }
variable "freedify_credentials" { type = map(any) } variable "freedify_credentials" { type = map(any) }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
# To create a new deployment: # To create a new deployment:
/** /**


@ -1,14 +1,6 @@
variable "tls_secret_name" { type = string } variable "tls_secret_name" { type = string }
variable "nfs_server" { type = string }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
module "tls_secret" { module "tls_secret" {
source = "../../modules/kubernetes/setup_tls_secret" source = "../../modules/kubernetes/setup_tls_secret"
@ -88,14 +80,14 @@ resource "kubernetes_deployment" "freshrss" {
name = "data" name = "data"
nfs { nfs {
path = "/mnt/main/freshrss/data" path = "/mnt/main/freshrss/data"
server = "10.0.10.15" server = var.nfs_server
} }
} }
volume { volume {
name = "extensions" name = "extensions"
nfs { nfs {
path = "/mnt/main/freshrss/extensions" path = "/mnt/main/freshrss/extensions"
server = "10.0.10.15" server = var.nfs_server
} }
} }
} }


@ -1,14 +1,6 @@
variable "tls_secret_name" { type = string } variable "tls_secret_name" { type = string }
variable "nfs_server" { type = string }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
resource "kubernetes_namespace" "frigate" { resource "kubernetes_namespace" "frigate" {
metadata { metadata {
@ -120,7 +112,7 @@ resource "kubernetes_deployment" "frigate" {
name = "config" name = "config"
nfs { nfs {
path = "/mnt/main/frigate/config" path = "/mnt/main/frigate/config"
server = "10.0.10.15" server = var.nfs_server
} }
} }
volume { volume {
@ -134,7 +126,7 @@ resource "kubernetes_deployment" "frigate" {
name = "media" name = "media"
nfs { nfs {
path = "/mnt/main/frigate/media" path = "/mnt/main/frigate/media"
server = "10.0.10.15" server = var.nfs_server
} }
} }
volume { volume {


@ -1,15 +1,10 @@
variable "tls_secret_name" { type = string } variable "tls_secret_name" { type = string }
variable "mailserver_accounts" { type = map(any) } variable "mailserver_accounts" { type = map(any) }
variable "nfs_server" { type = string }
variable "redis_host" { type = string }
variable "ollama_host" { type = string }
variable "mail_host" { type = string }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
resource "kubernetes_namespace" "grampsweb" { resource "kubernetes_namespace" "grampsweb" {
metadata { metadata {
@ -43,15 +38,15 @@ locals {
}, },
{ {
name = "GRAMPSWEB_CELERY_CONFIG__broker_url" name = "GRAMPSWEB_CELERY_CONFIG__broker_url"
value = "redis://redis.redis.svc.cluster.local:6379/2" value = "redis://${var.redis_host}:6379/2"
}, },
{ {
name = "GRAMPSWEB_CELERY_CONFIG__result_backend" name = "GRAMPSWEB_CELERY_CONFIG__result_backend"
value = "redis://redis.redis.svc.cluster.local:6379/2" value = "redis://${var.redis_host}:6379/2"
}, },
{ {
name = "GRAMPSWEB_RATELIMIT_STORAGE_URI" name = "GRAMPSWEB_RATELIMIT_STORAGE_URI"
value = "redis://redis.redis.svc.cluster.local:6379/3" value = "redis://${var.redis_host}:6379/3"
}, },
{ {
name = "GRAMPSWEB_BASE_URL" name = "GRAMPSWEB_BASE_URL"
@ -63,7 +58,7 @@ locals {
}, },
{ {
name = "GRAMPSWEB_EMAIL_HOST" name = "GRAMPSWEB_EMAIL_HOST"
value = "mail.viktorbarzin.me" value = var.mail_host
}, },
{ {
name = "GRAMPSWEB_EMAIL_PORT" name = "GRAMPSWEB_EMAIL_PORT"
@ -91,7 +86,7 @@ locals {
}, },
{ {
name = "GRAMPSWEB_LLM_BASE_URL" name = "GRAMPSWEB_LLM_BASE_URL"
value = "http://ollama.ollama.svc.cluster.local:11434/v1" value = "http://${var.ollama_host}:11434/v1"
}, },
{ {
name = "GRAMPSWEB_LLM_MODEL" name = "GRAMPSWEB_LLM_MODEL"
@ -239,7 +234,7 @@ resource "kubernetes_deployment" "grampsweb" {
volume { volume {
name = "data" name = "data"
nfs { nfs {
server = "10.0.10.15" server = var.nfs_server
path = "/mnt/main/grampsweb" path = "/mnt/main/grampsweb"
} }
} }
@ -276,4 +271,5 @@ module "ingress" {
service_name = "grampsweb" service_name = "grampsweb"
tls_secret_name = var.tls_secret_name tls_secret_name = var.tls_secret_name
max_body_size = "500m" max_body_size = "500m"
protected = true
} }


@ -1,15 +1,8 @@
variable "hackmd_db_password" { type = string } variable "hackmd_db_password" { type = string }
variable "tls_secret_name" { type = string } variable "tls_secret_name" { type = string }
variable "nfs_server" { type = string }
variable "mysql_host" { type = string }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
resource "kubernetes_namespace" "hackmd" { resource "kubernetes_namespace" "hackmd" {
metadata { metadata {
@ -97,7 +90,7 @@ resource "kubernetes_deployment" "hackmd" {
env { env {
name = "CMD_DB_URL" name = "CMD_DB_URL"
# value = format("%s%s%s", "postgres://codimd:", var.hackmd_db_password, "@localhost/codimd") # value = format("%s%s%s", "postgres://codimd:", var.hackmd_db_password, "@localhost/codimd")
value = format("%s%s%s", "mysql://codimd:", var.hackmd_db_password, "@mysql.dbaas/codimd") value = format("%s%s%s", "mysql://codimd:", var.hackmd_db_password, "@${var.mysql_host}/codimd")
} }
env { env {
name = "CMD_USECDN" name = "CMD_USECDN"
@ -121,7 +114,7 @@ resource "kubernetes_deployment" "hackmd" {
name = "data" name = "data"
nfs { nfs {
path = "/mnt/main/hackmd" path = "/mnt/main/hackmd"
server = "10.0.10.15" server = var.nfs_server
} }
# iscsi { # iscsi {
# target_portal = "iscsi.viktorbarzin.lan:3260" # target_portal = "iscsi.viktorbarzin.lan:3260"
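Review bot: The rewritten `CMD_DB_URL` line in the second hunk keeps the `format("%s%s%s", ...)` call while also using a `${var.mysql_host}` interpolation inside one of its arguments, which makes a simple string harder to read than it needs to be. Since every piece is now an ordinary expression, `value = "mysql://codimd:${var.hackmd_db_password}@${var.mysql_host}/codimd"` yields the same value in one form. The commented-out postgres variant above it still refers to `@localhost/codimd`, so it is stale relative to the new variable and could be updated or dropped. The enclosing deployment resource continues outside the hunk.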


@ -1,16 +1,9 @@
variable "tls_secret_name" { type = string } variable "tls_secret_name" { type = string }
variable "health_postgresql_password" { type = string } variable "health_postgresql_password" { type = string }
variable "health_secret_key" { type = string } variable "health_secret_key" { type = string }
variable "nfs_server" { type = string }
variable "postgresql_host" { type = string }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
resource "kubernetes_namespace" "health" { resource "kubernetes_namespace" "health" {
metadata { metadata {
@ -60,7 +53,7 @@ resource "kubernetes_deployment" "health" {
env { env {
name = "DATABASE_URL" name = "DATABASE_URL"
value = "postgresql+asyncpg://health:${var.health_postgresql_password}@postgresql.dbaas.svc.cluster.local:5432/health" value = "postgresql+asyncpg://health:${var.health_postgresql_password}@${var.postgresql_host}:5432/health"
} }
env { env {
name = "SECRET_KEY" name = "SECRET_KEY"
@ -102,7 +95,7 @@ resource "kubernetes_deployment" "health" {
volume { volume {
name = "uploads" name = "uploads"
nfs { nfs {
server = "10.0.10.15" server = var.nfs_server
path = "/mnt/main/health" path = "/mnt/main/health"
} }
} }
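Review bot: The rewritten `DATABASE_URL` env line in the second hunk still embeds `var.health_postgresql_password` in a plain `value`, so the credential lands in the Deployment spec (readable by anyone with get/list on deployments in the namespace) and, because `variable "health_postgresql_password"` on the first line of the section is not marked `sensitive = true`, it is also printed in `terraform plan` output. The same pattern remains on the rewritten lines in the affine (`DATABASE_URL`), linkwarden (`DATABASE_URL`) and hackmd (`CMD_DB_URL`) sections. Moving the URL into a `kubernetes_secret` and referencing it with `value_from { secret_key_ref }` keeps it out of the pod template; the enclosing deployment resource starts and ends outside the hunk.
```terraform
env {
  name = "DATABASE_URL"
  value_from {
    secret_key_ref {
      name = "health-db"   # constructed: name of a kubernetes_secret holding the URL
      key  = "DATABASE_URL"
    }
  }
}
```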


@ -1,14 +1,5 @@
variable "tls_secret_name" { type = string } variable "tls_secret_name" { type = string }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
module "tls_secret" { module "tls_secret" {
source = "../../modules/kubernetes/setup_tls_secret" source = "../../modules/kubernetes/setup_tls_secret"


@ -3,21 +3,14 @@ variable "immich_postgresql_password" { type = string }
variable "immich_frame_api_key" { type = string } variable "immich_frame_api_key" { type = string }
variable "homepage_credentials" { type = map(any) } variable "homepage_credentials" { type = map(any) }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
variable "immich_version" { variable "immich_version" {
type = string type = string
# Change me to upgrade # Change me to upgrade
default = "v2.5.6" default = "v2.5.6"
} }
variable "nfs_server" { type = string }
variable "redis_host" { type = string }
module "tls_secret" { module "tls_secret" {
@ -104,7 +97,7 @@ resource "kubernetes_deployment" "immich_server" {
} }
env { env {
name = "REDIS_HOSTNAME" name = "REDIS_HOSTNAME"
value = "redis.redis.svc.cluster.local" value = var.redis_host
} }
liveness_probe { liveness_probe {
@ -176,7 +169,7 @@ resource "kubernetes_deployment" "immich_server" {
# volume { # volume {
# name = "library-old" # name = "library-old"
# nfs { # nfs {
# server = "10.0.10.15" # server = var.nfs_server
# path = "/mnt/main/immich/immich/" # path = "/mnt/main/immich/immich/"
# } # }
# } # }
@ -184,42 +177,42 @@ resource "kubernetes_deployment" "immich_server" {
volume { volume {
name = "backups" name = "backups"
nfs { nfs {
server = "10.0.10.15" server = var.nfs_server
path = "/mnt/main/immich/immich/backups" path = "/mnt/main/immich/immich/backups"
} }
} }
volume { volume {
name = "encoded-video" name = "encoded-video"
nfs { nfs {
server = "10.0.10.15" server = var.nfs_server
path = "/mnt/main/immich/immich/encoded-video" path = "/mnt/main/immich/immich/encoded-video"
} }
} }
volume { volume {
name = "library" name = "library"
nfs { nfs {
server = "10.0.10.15" server = var.nfs_server
path = "/mnt/main/immich/immich/library" path = "/mnt/main/immich/immich/library"
} }
} }
volume { volume {
name = "profile" name = "profile"
nfs { nfs {
server = "10.0.10.15" server = var.nfs_server
path = "/mnt/main/immich/immich/profile" path = "/mnt/main/immich/immich/profile"
} }
} }
volume { volume {
name = "thumbs" name = "thumbs"
nfs { nfs {
server = "10.0.10.15" server = var.nfs_server
path = "/mnt/ssd/immich/thumbs" path = "/mnt/ssd/immich/thumbs"
} }
} }
volume { volume {
name = "upload" name = "upload"
nfs { nfs {
server = "10.0.10.15" server = var.nfs_server
path = "/mnt/main/immich/immich/upload" path = "/mnt/main/immich/immich/upload"
} }
} }
@ -305,7 +298,7 @@ resource "kubernetes_deployment" "immich-postgres" {
name = "postgresql-persistent-storage" name = "postgresql-persistent-storage"
nfs { nfs {
path = "/mnt/main/immich/data-immich-postgresql" path = "/mnt/main/immich/data-immich-postgresql"
server = "10.0.10.15" server = var.nfs_server
} }
} }
} }
@ -442,7 +435,7 @@ resource "kubernetes_deployment" "immich-machine-learning" {
nfs { nfs {
# path = "/mnt/main/immich/machine-learning" # path = "/mnt/main/immich/machine-learning"
path = "/mnt/ssd/immich/machine-learning" # load cache from ssd path = "/mnt/ssd/immich/machine-learning" # load cache from ssd
server = "10.0.10.15" server = var.nfs_server
} }
} }
} }
@ -533,7 +526,7 @@ resource "kubernetes_cron_job_v1" "postgresql-backup" {
name = "postgresql-backup" name = "postgresql-backup"
nfs { nfs {
path = "/mnt/main/immich/data-immich-postgresql" path = "/mnt/main/immich/data-immich-postgresql"
server = "10.0.10.15" server = var.nfs_server
} }
} }
} }


@ -1,12 +1,4 @@
locals { variable "nfs_server" { type = string }
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
resource "kubernetes_namespace" "isponsorblocktv" { resource "kubernetes_namespace" "isponsorblocktv" {
metadata { metadata {
@ -55,7 +47,7 @@ resource "kubernetes_deployment" "isponsorblocktv-vermont" {
volume { volume {
name = "data" name = "data"
nfs { nfs {
server = "10.0.10.15" server = var.nfs_server
path = "/mnt/main/isponsorblocktv/vermont" path = "/mnt/main/isponsorblocktv/vermont"
} }
} }


@ -1,14 +1,5 @@
variable "tls_secret_name" { type = string } variable "tls_secret_name" { type = string }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
resource "kubernetes_namespace" "jsoncrack" { resource "kubernetes_namespace" "jsoncrack" {
metadata { metadata {


@ -1,15 +1,6 @@
variable "tls_secret_name" { type = string } variable "tls_secret_name" { type = string }
variable "client_certificate_secret_name" { type = string } variable "client_certificate_secret_name" { type = string }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
resource "random_password" "csrf_token" { resource "random_password" "csrf_token" {
length = 16 length = 16


@ -1,14 +1,5 @@
variable "tls_secret_name" { type = string } variable "tls_secret_name" { type = string }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
resource "kubernetes_namespace" "kms" { resource "kubernetes_namespace" "kms" {
metadata { metadata {


@ -2,16 +2,8 @@ variable "tls_secret_name" { type = string }
variable "linkwarden_postgresql_password" { type = string } variable "linkwarden_postgresql_password" { type = string }
variable "linkwarden_authentik_client_id" { type = string } variable "linkwarden_authentik_client_id" { type = string }
variable "linkwarden_authentik_client_secret" { type = string } variable "linkwarden_authentik_client_secret" { type = string }
variable "postgresql_host" { type = string }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
resource "kubernetes_namespace" "linkwarden" { resource "kubernetes_namespace" "linkwarden" {
metadata { metadata {
@ -73,7 +65,7 @@ resource "kubernetes_deployment" "linkwarden" {
} }
env { env {
name = "DATABASE_URL" name = "DATABASE_URL"
value = "postgresql://linkwarden:${var.linkwarden_postgresql_password}@postgresql.dbaas.svc.cluster.local:5432/linkwarden" value = "postgresql://linkwarden:${var.linkwarden_postgresql_password}@${var.postgresql_host}:5432/linkwarden"
} }
env { env {
name = "NEXT_PUBLIC_AUTHENTIK_ENABLED" name = "NEXT_PUBLIC_AUTHENTIK_ENABLED"


@ -1,14 +1,6 @@
variable "tls_secret_name" { type = string } variable "tls_secret_name" { type = string }
variable "nfs_server" { type = string }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
resource "kubernetes_namespace" "matrix" { resource "kubernetes_namespace" "matrix" {
metadata { metadata {
@ -71,7 +63,7 @@ resource "kubernetes_deployment" "matrix" {
volume { volume {
name = "data" name = "data"
nfs { nfs {
server = "10.0.10.15" server = var.nfs_server
path = "/mnt/main/matrix" path = "/mnt/main/matrix"
} }
} }


@ -1,14 +1,6 @@
variable "tls_secret_name" { type = string } variable "tls_secret_name" { type = string }
variable "nfs_server" { type = string }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
resource "kubernetes_namespace" "meshcentral" { resource "kubernetes_namespace" "meshcentral" {
metadata { metadata {
@ -82,7 +74,7 @@ resource "kubernetes_deployment" "meshcentral" {
} }
env { env {
name = "ALLOW_NEW_ACCOUNTS" name = "ALLOW_NEW_ACCOUNTS"
value = "true" value = "false"
} }
env { env {
name = "WEBRTC" name = "WEBRTC"
@ -106,21 +98,21 @@ resource "kubernetes_deployment" "meshcentral" {
name = "data" name = "data"
nfs { nfs {
path = "/mnt/main/meshcentral/meshcentral-data" path = "/mnt/main/meshcentral/meshcentral-data"
server = "10.0.10.15" server = var.nfs_server
} }
} }
volume { volume {
name = "files" name = "files"
nfs { nfs {
path = "/mnt/main/meshcentral/meshcentral-files" path = "/mnt/main/meshcentral/meshcentral-files"
server = "10.0.10.15" server = var.nfs_server
} }
} }
volume { volume {
name = "backups" name = "backups"
nfs { nfs {
path = "/mnt/main/meshcentral/meshcentral-backups" path = "/mnt/main/meshcentral/meshcentral-backups"
server = "10.0.10.15" server = var.nfs_server
} }
} }
} }
@ -156,4 +148,5 @@ module "ingress" {
name = "meshcentral" name = "meshcentral"
tls_secret_name = var.tls_secret_name tls_secret_name = var.tls_secret_name
port = 443 port = 443
protected = true
} }
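Review bot: Flipping `ALLOW_NEW_ACCOUNTS` to `"false"` in the second hunk stops further self-registration but does nothing about accounts created while it was `"true"`; if the service has been reachable with registration open, a review of the existing user list is the remaining step, and the commit message does not mention it. The `protected = true` added to `module "ingress"` in the last hunk puts the host behind forward-auth; if the remote agents reach the server through this same ingress (not visible here), they cannot complete an interactive Authentik login, so confirm that the module exempts the agent endpoints or that agents use a separate route before relying on this. The `module "ingress"` block starts outside the hunk.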


@ -1,15 +1,8 @@
variable "tls_secret_name" { type = string } variable "tls_secret_name" { type = string }
variable "n8n_postgresql_password" { type = string } variable "n8n_postgresql_password" { type = string }
variable "nfs_server" { type = string }
variable "postgresql_host" { type = string }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
module "tls_secret" { module "tls_secret" {
source = "../../modules/kubernetes/setup_tls_secret" source = "../../modules/kubernetes/setup_tls_secret"
@ -62,7 +55,7 @@ resource "kubernetes_deployment" "n8n" {
} }
env { env {
name = "DB_POSTGRESDB_HOST" name = "DB_POSTGRESDB_HOST"
value = "postgresql.dbaas" value = var.postgresql_host
} }
env { env {
name = "DB_POSTGRESDB_PORT" name = "DB_POSTGRESDB_PORT"
@ -114,7 +107,7 @@ resource "kubernetes_deployment" "n8n" {
name = "data" name = "data"
nfs { nfs {
path = "/mnt/main/n8n" path = "/mnt/main/n8n"
server = "10.0.10.15" server = var.nfs_server
} }
} }
} }


@ -1,14 +1,6 @@
variable "tls_secret_name" { type = string } variable "tls_secret_name" { type = string }
variable "nfs_server" { type = string }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
resource "kubernetes_namespace" "navidrome" { resource "kubernetes_namespace" "navidrome" {
metadata { metadata {
@ -79,7 +71,7 @@ resource "kubernetes_deployment" "navidrome" {
name = "data" name = "data"
nfs { nfs {
path = "/mnt/main/navidrome" path = "/mnt/main/navidrome"
server = "10.0.10.15" server = var.nfs_server
} }
} }
volume { volume {
@ -93,7 +85,7 @@ resource "kubernetes_deployment" "navidrome" {
name = "lidarr" name = "lidarr"
nfs { nfs {
path = "/mnt/main/servarr/lidarr" path = "/mnt/main/servarr/lidarr"
server = "10.0.10.15" server = var.nfs_server
} }
} }
} }


@ -1,14 +1,10 @@
variable "tls_secret_name" { type = string } variable "tls_secret_name" { type = string }
variable "netbox_db_password" { type = string }
variable "netbox_superuser_password" { type = string }
variable "nfs_server" { type = string }
variable "redis_host" { type = string }
variable "postgresql_host" { type = string }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
resource "kubernetes_namespace" "netbox" { resource "kubernetes_namespace" "netbox" {
metadata { metadata {
@ -75,11 +71,11 @@ resource "kubernetes_deployment" "netbox" {
} }
env { env {
name = "DB_PASSWORD" name = "DB_PASSWORD"
value = "ttPSBjF9oPLb49XZst3sGF" value = var.netbox_db_password
} }
env { env {
name = "DB_HOST" name = "DB_HOST"
value = "postgresql.dbaas.svc.cluster.local" value = var.postgresql_host
} }
env { env {
name = "DB_NAME" name = "DB_NAME"
@ -99,7 +95,7 @@ resource "kubernetes_deployment" "netbox" {
} }
env { env {
name = "REDIS_HOST" name = "REDIS_HOST"
value = "redis.redis" value = var.redis_host
} }
env { env {
name = "ALLOWED_HOST" name = "ALLOWED_HOST"
@ -111,7 +107,7 @@ resource "kubernetes_deployment" "netbox" {
} }
env { env {
name = "SUPERUSER_PASSWORD" name = "SUPERUSER_PASSWORD"
value = "ttPSBjF9oPLb49XZst3sGFasdf" value = var.netbox_superuser_password
} }
env { env {
name = "REMOTE_AUTH_ENABLED" name = "REMOTE_AUTH_ENABLED"
@ -147,7 +143,7 @@ resource "kubernetes_deployment" "netbox" {
# name = "data" # name = "data"
# nfs { # nfs {
# path = "/mnt/main/netbox" # path = "/mnt/main/netbox"
# server = "10.0.10.15" # server = var.nfs_server
# } # }
# } # }
} }
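Review bot: Moving the two credentials at the `DB_PASSWORD` and `SUPERUSER_PASSWORD` lines into variables removes them from the working tree but not from git history, so the previously committed literal values should be treated as disclosed and rotated on the PostgreSQL side and in NetBox. The new `variable "netbox_db_password"` and `variable "netbox_superuser_password"` declarations should also carry `sensitive = true` so the values are redacted in plan/apply output, e.g. `variable "netbox_db_password" {` / `  type      = string` / `  sensitive = true` / `}`. Even as a variable the password still lands as a plaintext `value` in the Deployment spec, readable by anyone who can read deployments in the namespace; a `kubernetes_secret` referenced through `value_from { secret_key_ref { ... } }` keeps it out of the pod spec. `SUPERUSER_PASSWORD` appears to be consumed only at first bootstrap by the netbox image, so it may be droppable after initial setup — worth confirming against the image docs.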


@ -1,14 +1,5 @@
variable "tls_secret_name" { type = string } variable "tls_secret_name" { type = string }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
resource "kubernetes_namespace" "networking-toolbox" { resource "kubernetes_namespace" "networking-toolbox" {
metadata { metadata {


@ -28,13 +28,13 @@ nextcloud:
externalRedis: externalRedis:
enabled: true enabled: true
host: redis.redis.svc.cluster.local host: ${redis_host}
# Currently not in use; we use the nextcloud.db sqlite3 # Currently not in use; we use the nextcloud.db sqlite3
externalDatabase: externalDatabase:
enabled: false enabled: false
type: mysql type: mysql
host: mysql.dbaas.svc.cluster.local host: ${mysql_host}
user: nextcloud user: nextcloud
password: ${db_password} password: ${db_password}
databse: nextcloud databse: nextcloud
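Review bot: The `databse: nextcloud` key three lines below the templated `host: ${mysql_host}` is a context line rather than part of this change, but it looks misspelled — the nextcloud chart's external-database key is, as far as I can tell, `database`, so the value is silently ignored. It is inert today only because `externalDatabase.enabled` is `false`, and it will bite the day MySQL is switched on now that `${mysql_host}` is wired through; worth fixing in passing as `database: nextcloud` after confirming the key name for chart version 8.8.1.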


@ -1,15 +1,9 @@
variable "tls_secret_name" { type = string } variable "tls_secret_name" { type = string }
variable "nextcloud_db_password" { type = string } variable "nextcloud_db_password" { type = string }
variable "nfs_server" { type = string }
variable "redis_host" { type = string }
variable "mysql_host" { type = string }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
module "tls_secret" { module "tls_secret" {
source = "../../modules/kubernetes/setup_tls_secret" source = "../../modules/kubernetes/setup_tls_secret"
@ -36,7 +30,7 @@ resource "helm_release" "nextcloud" {
atomic = true atomic = true
version = "8.8.1" version = "8.8.1"
values = [templatefile("${path.module}/chart_values.yaml", { tls_secret_name = var.tls_secret_name, db_password = var.nextcloud_db_password })] values = [templatefile("${path.module}/chart_values.yaml", { tls_secret_name = var.tls_secret_name, db_password = var.nextcloud_db_password, redis_host = var.redis_host, mysql_host = var.mysql_host })]
timeout = 6000 timeout = 6000
} }
@ -136,7 +130,7 @@ resource "kubernetes_persistent_volume" "nextcloud-data-pv" {
persistent_volume_source { persistent_volume_source {
nfs { nfs {
path = "/mnt/main/nextcloud" path = "/mnt/main/nextcloud"
server = "10.0.10.15" server = var.nfs_server
} }
} }
} }
@ -298,7 +292,7 @@ resource "kubernetes_cron_job_v1" "nextcloud-backup" {
volume { volume {
name = "nextcloud-data" name = "nextcloud-data"
nfs { nfs {
server = "10.0.10.15" server = var.nfs_server
path = "/mnt/main/nextcloud" path = "/mnt/main/nextcloud"
} }
} }
@ -306,7 +300,7 @@ resource "kubernetes_cron_job_v1" "nextcloud-backup" {
volume { volume {
name = "backup" name = "backup"
nfs { nfs {
server = "10.0.10.15" server = var.nfs_server
path = "/mnt/main/nextcloud-backup" path = "/mnt/main/nextcloud-backup"
} }
} }


@ -1,14 +1,6 @@
variable "tls_secret_name" { type = string } variable "tls_secret_name" { type = string }
variable "nfs_server" { type = string }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
resource "kubernetes_namespace" "ntfy" { resource "kubernetes_namespace" "ntfy" {
metadata { metadata {
@ -99,7 +91,7 @@ resource "kubernetes_deployment" "ntfy" {
volume { volume {
name = "data" name = "data"
nfs { nfs {
server = "10.0.10.15" server = var.nfs_server
path = "/mnt/main/ntfy" path = "/mnt/main/ntfy"
} }
} }


@ -1,15 +1,8 @@
variable "tls_secret_name" { type = string } variable "tls_secret_name" { type = string }
variable "ollama_api_credentials" { type = map(string) } variable "ollama_api_credentials" { type = map(string) }
variable "nfs_server" { type = string }
variable "ollama_host" { type = string }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
resource "kubernetes_namespace" "ollama" { resource "kubernetes_namespace" "ollama" {
metadata { metadata {
@ -54,7 +47,7 @@ resource "kubernetes_persistent_volume" "ollama-pv" {
persistent_volume_source { persistent_volume_source {
nfs { nfs {
path = "/mnt/main/ollama" path = "/mnt/main/ollama"
server = "10.0.10.15" server = var.nfs_server
} }
} }
} }
@ -130,7 +123,7 @@ resource "kubernetes_deployment" "ollama" {
nfs { nfs {
# path = "/mnt/main/ollama" # path = "/mnt/main/ollama"
path = "/mnt/ssd/ollama" path = "/mnt/ssd/ollama"
server = "10.0.10.15" server = var.nfs_server
} }
} }
} }
@ -254,7 +247,7 @@ resource "kubernetes_deployment" "ollama-ui" {
name = "ollama-ui" name = "ollama-ui"
env { env {
name = "OLLAMA_BASE_URL" name = "OLLAMA_BASE_URL"
value = "http://ollama.ollama.svc.cluster.local:11434" value = "http://${var.ollama_host}:11434"
} }
port { port {
@ -269,7 +262,7 @@ resource "kubernetes_deployment" "ollama-ui" {
name = "data" name = "data"
nfs { nfs {
path = "/mnt/main/ollama" path = "/mnt/main/ollama"
server = "10.0.10.15" server = var.nfs_server
} }
} }
} }


@ -1,16 +1,10 @@
variable "tls_secret_name" { type = string } variable "tls_secret_name" { type = string }
variable "onlyoffice_db_password" { type = string } variable "onlyoffice_db_password" { type = string }
variable "onlyoffice_jwt_token" { type = string } variable "onlyoffice_jwt_token" { type = string }
variable "nfs_server" { type = string }
variable "redis_host" { type = string }
variable "mysql_host" { type = string }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
resource "kubernetes_namespace" "onlyoffice" { resource "kubernetes_namespace" "onlyoffice" {
metadata { metadata {
@ -75,7 +69,7 @@ resource "kubernetes_deployment" "onlyoffice-document-server" {
} }
env { env {
name = "DB_HOST" name = "DB_HOST"
value = "mysql.dbaas" value = var.mysql_host
} }
env { env {
name = "DB_PORT" name = "DB_PORT"
@ -95,7 +89,7 @@ resource "kubernetes_deployment" "onlyoffice-document-server" {
} }
env { env {
name = "REDIS_SERVER_HOST" name = "REDIS_SERVER_HOST"
value = "redis.redis" value = var.redis_host
} }
env { env {
name = "REDIS_SERVER_PORT" name = "REDIS_SERVER_PORT"
@ -115,7 +109,7 @@ resource "kubernetes_deployment" "onlyoffice-document-server" {
name = "data" name = "data"
nfs { nfs {
path = "/mnt/main/onlyoffice" path = "/mnt/main/onlyoffice"
server = "10.0.10.15" server = var.nfs_server
} }
} }
} }


@ -5,16 +5,9 @@ variable "gemini_api_key" { type = string }
variable "llama_api_key" { type = string } variable "llama_api_key" { type = string }
variable "brave_api_key" { type = string } variable "brave_api_key" { type = string }
variable "modal_api_key" { type = string } variable "modal_api_key" { type = string }
variable "nfs_server" { type = string }
variable "ollama_host" { type = string }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
resource "kubernetes_namespace" "openclaw" { resource "kubernetes_namespace" "openclaw" {
metadata { metadata {
@ -148,7 +141,7 @@ resource "kubernetes_config_map" "openclaw_config" {
] ]
} }
ollama = { ollama = {
baseUrl = "http://ollama.ollama.svc.cluster.local:11434/v1" baseUrl = "http://${var.ollama_host}:11434/v1"
api = "openai-completions" api = "openai-completions"
apiKey = "ollama" apiKey = "ollama"
models = [ models = [
@ -429,14 +422,14 @@ resource "kubernetes_deployment" "openclaw" {
volume { volume {
name = "workspace" name = "workspace"
nfs { nfs {
server = "10.0.10.15" server = var.nfs_server
path = "/mnt/main/openclaw/workspace" path = "/mnt/main/openclaw/workspace"
} }
} }
volume { volume {
name = "data" name = "data"
nfs { nfs {
server = "10.0.10.15" server = var.nfs_server
path = "/mnt/main/openclaw/data" path = "/mnt/main/openclaw/data"
} }
} }


@ -1,14 +1,6 @@
variable "tls_secret_name" { type = string } variable "tls_secret_name" { type = string }
variable "nfs_server" { type = string }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
resource "kubernetes_namespace" "osm-routing" { resource "kubernetes_namespace" "osm-routing" {
metadata { metadata {
@ -64,7 +56,7 @@ resource "kubernetes_deployment" "osrm-foot" {
volume { volume {
name = "osrm-data" name = "osrm-data"
nfs { nfs {
server = "10.0.10.15" server = var.nfs_server
path = "/mnt/main/osm-routing/osrm-data" path = "/mnt/main/osm-routing/osrm-data"
} }
} }
@ -136,7 +128,7 @@ resource "kubernetes_deployment" "osrm-bicycle" {
volume { volume {
name = "osrm-data" name = "osrm-data"
nfs { nfs {
server = "10.0.10.15" server = var.nfs_server
path = "/mnt/main/osm-routing/osrm-data" path = "/mnt/main/osm-routing/osrm-data"
} }
} }
@ -208,7 +200,7 @@ resource "kubernetes_deployment" "otp" {
volume { volume {
name = "otp-data" name = "otp-data"
nfs { nfs {
server = "10.0.10.15" server = var.nfs_server
path = "/mnt/main/osm-routing/otp-data" path = "/mnt/main/osm-routing/otp-data"
} }
} }


@ -1,15 +1,7 @@
variable "tls_secret_name" { type = string } variable "tls_secret_name" { type = string }
variable "owntracks_credentials" { type = map(string) } variable "owntracks_credentials" { type = map(string) }
variable "nfs_server" { type = string }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
resource "kubernetes_namespace" "owntracks" { resource "kubernetes_namespace" "owntracks" {
metadata { metadata {
@ -107,7 +99,7 @@ resource "kubernetes_deployment" "owntracks" {
name = "data" name = "data"
nfs { nfs {
path = "/mnt/main/owntracks" path = "/mnt/main/owntracks"
server = "10.0.10.15" server = var.nfs_server
} }
} }
} }


@ -1,16 +1,10 @@
variable "tls_secret_name" { type = string } variable "tls_secret_name" { type = string }
variable "paperless_db_password" { type = string } variable "paperless_db_password" { type = string }
variable "homepage_credentials" { type = map(any) } variable "homepage_credentials" { type = map(any) }
variable "nfs_server" { type = string }
variable "redis_host" { type = string }
variable "mysql_host" { type = string }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
resource "kubernetes_namespace" "paperless-ngx" { resource "kubernetes_namespace" "paperless-ngx" {
metadata { metadata {
@ -69,7 +63,7 @@ resource "kubernetes_deployment" "paperless-ngx" {
env { env {
name = "PAPERLESS_REDIS" name = "PAPERLESS_REDIS"
// If redis gets stuck, try deleting the locks files in log dir // If redis gets stuck, try deleting the locks files in log dir
value = "redis://redis.redis" value = "redis://${var.redis_host}"
} }
env { env {
name = "PAPERLESS_REDIS_PREFIX" name = "PAPERLESS_REDIS_PREFIX"
@ -81,7 +75,7 @@ resource "kubernetes_deployment" "paperless-ngx" {
} }
env { env {
name = "PAPERLESS_DBHOST" name = "PAPERLESS_DBHOST"
value = "mysql.dbaas" value = var.mysql_host
} }
env { env {
name = "PAPERLESS_DBNAME" name = "PAPERLESS_DBNAME"
@ -124,7 +118,7 @@ resource "kubernetes_deployment" "paperless-ngx" {
name = "data" name = "data"
nfs { nfs {
path = "/mnt/main/paperless-ngx" path = "/mnt/main/paperless-ngx"
server = "10.0.10.15" server = var.nfs_server
} }
} }
} }


@ -16,15 +16,6 @@
# ----------------------------------------------------------------------------- # -----------------------------------------------------------------------------
# Tier Definitions # Tier Definitions
# ----------------------------------------------------------------------------- # -----------------------------------------------------------------------------
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
# ============================================================================= # =============================================================================
# Variable Declarations # Variable Declarations
@ -32,6 +23,12 @@ locals {
# --- Core --- # --- Core ---
variable "tls_secret_name" { type = string } variable "tls_secret_name" { type = string }
variable "nfs_server" { type = string }
variable "redis_host" { type = string }
variable "postgresql_host" { type = string }
variable "mysql_host" { type = string }
variable "ollama_host" { type = string }
variable "mail_host" { type = string }
variable "prod" { variable "prod" {
type = bool type = bool
default = false default = false
@ -140,6 +137,7 @@ module "dbaas" {
source = "./modules/dbaas" source = "./modules/dbaas"
prod = var.prod prod = var.prod
tls_secret_name = var.tls_secret_name tls_secret_name = var.tls_secret_name
nfs_server = var.nfs_server
dbaas_root_password = var.dbaas_root_password dbaas_root_password = var.dbaas_root_password
postgresql_root_password = var.dbaas_postgresql_root_password postgresql_root_password = var.dbaas_postgresql_root_password
pgadmin_password = var.dbaas_pgadmin_password pgadmin_password = var.dbaas_pgadmin_password
@ -152,6 +150,7 @@ module "dbaas" {
module "redis" { module "redis" {
source = "./modules/redis" source = "./modules/redis"
tls_secret_name = var.tls_secret_name tls_secret_name = var.tls_secret_name
nfs_server = var.nfs_server
tier = local.tiers.cluster tier = local.tiers.cluster
} }
@ -171,6 +170,8 @@ module "traefik" {
module "technitium" { module "technitium" {
source = "./modules/technitium" source = "./modules/technitium"
tls_secret_name = var.tls_secret_name tls_secret_name = var.tls_secret_name
nfs_server = var.nfs_server
mysql_host = var.mysql_host
homepage_token = var.homepage_credentials["technitium"]["token"] homepage_token = var.homepage_credentials["technitium"]["token"]
technitium_db_password = var.technitium_db_password technitium_db_password = var.technitium_db_password
tier = local.tiers.core tier = local.tiers.core
@ -182,6 +183,7 @@ module "technitium" {
module "headscale" { module "headscale" {
source = "./modules/headscale" source = "./modules/headscale"
tls_secret_name = var.tls_secret_name tls_secret_name = var.tls_secret_name
nfs_server = var.nfs_server
headscale_config = var.headscale_config headscale_config = var.headscale_config
headscale_acl = var.headscale_acl headscale_acl = var.headscale_acl
tier = local.tiers.core tier = local.tiers.core
@ -196,6 +198,7 @@ module "authentik" {
tls_secret_name = var.tls_secret_name tls_secret_name = var.tls_secret_name
secret_key = var.authentik_secret_key secret_key = var.authentik_secret_key
postgres_password = var.authentik_postgres_password postgres_password = var.authentik_postgres_password
redis_host = var.redis_host
} }
# ----------------------------------------------------------------------------- # -----------------------------------------------------------------------------
@ -225,6 +228,7 @@ module "crowdsec" {
source = "./modules/crowdsec" source = "./modules/crowdsec"
tier = local.tiers.cluster tier = local.tiers.cluster
tls_secret_name = var.tls_secret_name tls_secret_name = var.tls_secret_name
mysql_host = var.mysql_host
homepage_username = var.homepage_credentials["crowdsec"]["username"] homepage_username = var.homepage_credentials["crowdsec"]["username"]
homepage_password = var.homepage_credentials["crowdsec"]["password"] homepage_password = var.homepage_credentials["crowdsec"]["password"]
enroll_key = var.crowdsec_enroll_key enroll_key = var.crowdsec_enroll_key
@ -241,6 +245,8 @@ module "crowdsec" {
module "monitoring" { module "monitoring" {
source = "./modules/monitoring" source = "./modules/monitoring"
tls_secret_name = var.tls_secret_name tls_secret_name = var.tls_secret_name
nfs_server = var.nfs_server
mysql_host = var.mysql_host
alertmanager_account_password = var.alertmanager_account_password alertmanager_account_password = var.alertmanager_account_password
idrac_username = var.monitoring_idrac_username idrac_username = var.monitoring_idrac_username
idrac_password = var.monitoring_idrac_password idrac_password = var.monitoring_idrac_password
@ -259,6 +265,8 @@ module "monitoring" {
module "vaultwarden" { module "vaultwarden" {
source = "./modules/vaultwarden" source = "./modules/vaultwarden"
tls_secret_name = var.tls_secret_name tls_secret_name = var.tls_secret_name
nfs_server = var.nfs_server
mail_host = var.mail_host
smtp_password = var.vaultwarden_smtp_password smtp_password = var.vaultwarden_smtp_password
tier = local.tiers.edge tier = local.tiers.edge
} }
@ -304,6 +312,7 @@ module "kyverno" {
module "uptime-kuma" { module "uptime-kuma" {
source = "./modules/uptime-kuma" source = "./modules/uptime-kuma"
tls_secret_name = var.tls_secret_name tls_secret_name = var.tls_secret_name
nfs_server = var.nfs_server
tier = local.tiers.cluster tier = local.tiers.cluster
} }
@ -338,6 +347,8 @@ module "xray" {
module "mailserver" { module "mailserver" {
source = "./modules/mailserver" source = "./modules/mailserver"
tls_secret_name = var.tls_secret_name tls_secret_name = var.tls_secret_name
nfs_server = var.nfs_server
mysql_host = var.mysql_host
mailserver_accounts = var.mailserver_accounts mailserver_accounts = var.mailserver_accounts
postfix_account_aliases = var.mailserver_aliases postfix_account_aliases = var.mailserver_aliases
opendkim_key = var.mailserver_opendkim_key opendkim_key = var.mailserver_opendkim_key
@ -370,6 +381,7 @@ module "cloudflared" {
# ----------------------------------------------------------------------------- # -----------------------------------------------------------------------------
module "infra-maintenance" { module "infra-maintenance" {
source = "./modules/infra-maintenance" source = "./modules/infra-maintenance"
nfs_server = var.nfs_server
git_user = var.webhook_handler_git_user git_user = var.webhook_handler_git_user
git_token = var.webhook_handler_git_token git_token = var.webhook_handler_git_token
technitium_username = var.technitium_username technitium_username = var.technitium_username
@ -385,11 +397,11 @@ output "tls_secret_name" {
} }
output "redis_host" { output "redis_host" {
value = "redis.redis.svc.cluster.local" value = var.redis_host
} }
output "postgresql_host" { output "postgresql_host" {
value = "postgresql.dbaas.svc.cluster.local" value = var.postgresql_host
} }
output "postgresql_port" { output "postgresql_port" {
@ -397,7 +409,7 @@ output "postgresql_port" {
} }
output "mysql_host" { output "mysql_host" {
value = "mysql.dbaas.svc.cluster.local" value = var.mysql_host
} }
output "mysql_port" { output "mysql_port" {
@ -405,7 +417,7 @@ output "mysql_port" {
} }
output "smtp_host" { output "smtp_host" {
value = "mail.viktorbarzin.me" value = var.mail_host
} }
output "smtp_port" { output "smtp_port" {
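Review bot: The `# Tier Definitions` header comment above the removed `locals` block now introduces nothing — it sits directly over the variable declarations — while `local.tiers.*` is still referenced in every module call below (`tier = local.tiers.cluster`, `tier = local.tiers.core`, …). Since the definition now comes from the terragrunt `generate` block per the commit message, the root module no longer plans with plain `terraform`; I would replace the orphaned header with a pointer such as `# local.tiers is generated by terragrunt.hcl (generate block); do not redeclare here.` so the next reader does not re-add it. The six new host variables (`nfs_server`, `redis_host`, `postgresql_host`, `mysql_host`, `ollama_host`, `mail_host`) have no `description`; a one-line description each saying what form the value takes (cluster DNS name vs. IP, with or without port) would help, since `ollama_host` is interpolated into URLs with the port appended elsewhere.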


@ -2,6 +2,7 @@ variable "tls_secret_name" {}
variable "secret_key" {} variable "secret_key" {}
variable "postgres_password" {} variable "postgres_password" {}
variable "tier" { type = string } variable "tier" { type = string }
variable "redis_host" { type = string }
module "tls_secret" { module "tls_secret" {
@ -48,7 +49,7 @@ resource "helm_release" "authentik" {
atomic = true atomic = true
timeout = 6000 timeout = 6000
values = [templatefile("${path.module}/values.yaml", { postgres_password = var.postgres_password, secret_key = var.secret_key })] values = [templatefile("${path.module}/values.yaml", { postgres_password = var.postgres_password, secret_key = var.secret_key, redis_host = var.redis_host })]
} }


@ -13,7 +13,7 @@ authentik:
user: authentik user: authentik
password: ${postgres_password} password: ${postgres_password}
redis: redis:
host: redis.redis host: ${redis_host}
server: server:
replicas: 3 replicas: 3


@ -8,6 +8,7 @@ variable "crowdsec_dash_machine_id" { type = string } # used for web dash
variable "crowdsec_dash_machine_password" { type = string } # used for web dash variable "crowdsec_dash_machine_password" { type = string } # used for web dash
variable "tier" { type = string } variable "tier" { type = string }
variable "slack_webhook_url" { type = string } variable "slack_webhook_url" { type = string }
variable "mysql_host" { type = string }
module "tls_secret" { module "tls_secret" {
source = "../../../../modules/kubernetes/setup_tls_secret" source = "../../../../modules/kubernetes/setup_tls_secret"
@ -99,7 +100,7 @@ resource "helm_release" "crowdsec" {
repository = "https://crowdsecurity.github.io/helm-charts" repository = "https://crowdsecurity.github.io/helm-charts"
chart = "crowdsec" chart = "crowdsec"
values = [templatefile("${path.module}/values.yaml", { homepage_username = var.homepage_username, homepage_password = var.homepage_password, DB_PASSWORD = var.db_password, ENROLL_KEY = var.enroll_key, SLACK_WEBHOOK_URL = var.slack_webhook_url })] values = [templatefile("${path.module}/values.yaml", { homepage_username = var.homepage_username, homepage_password = var.homepage_password, DB_PASSWORD = var.db_password, ENROLL_KEY = var.enroll_key, SLACK_WEBHOOK_URL = var.slack_webhook_url, mysql_host = var.mysql_host })]
timeout = 3600 timeout = 3600
} }


@ -81,7 +81,7 @@ lapi:
- name: MB_DB_PASS - name: MB_DB_PASS
value: "${DB_PASSWORD}" value: "${DB_PASSWORD}"
- name: MB_DB_HOST - name: MB_DB_HOST
value: "mysql.dbaas.svc.cluster.local" value: "${mysql_host}"
- name: MB_EMAIL_SMTP_USERNAME - name: MB_EMAIL_SMTP_USERNAME
value: "info@viktorbarzin.me" value: "info@viktorbarzin.me"
@ -166,7 +166,7 @@ config:
user: crowdsec user: crowdsec
password: ${DB_PASSWORD} password: ${DB_PASSWORD}
db_name: crowdsec db_name: crowdsec
host: mysql.dbaas.svc.cluster.local host: ${mysql_host}
port: 3306 port: 3306
api: api:
server: server:


@ -11,6 +11,7 @@ variable "prod" {
default = false default = false
type = bool type = bool
} }
variable "nfs_server" { type = string }
resource "kubernetes_namespace" "dbaas" { resource "kubernetes_namespace" "dbaas" {
metadata { metadata {
@ -131,6 +132,18 @@ resource "kubernetes_deployment" "mysql" {
container { container {
image = "mysql:9.2.0" image = "mysql:9.2.0"
name = "mysql" name = "mysql"
resources {
requests = {
cpu = "250m"
memory = "512Mi"
}
limits = {
cpu = "1"
memory = "2Gi"
}
}
env { env {
name = "MYSQL_ROOT_PASSWORD" name = "MYSQL_ROOT_PASSWORD"
value = var.dbaas_root_password value = var.dbaas_root_password
@ -153,7 +166,7 @@ resource "kubernetes_deployment" "mysql" {
name = "mysql-persistent-storage" name = "mysql-persistent-storage"
nfs { nfs {
path = "/mnt/main/mysql" path = "/mnt/main/mysql"
server = "10.0.10.15" server = var.nfs_server
} }
} }
@ -219,7 +232,7 @@ resource "kubernetes_cron_job_v1" "mysql-backup" {
name = "mysql-backup" name = "mysql-backup"
nfs { nfs {
path = "/mnt/main/mysql-backup" path = "/mnt/main/mysql-backup"
server = "10.0.10.15" server = var.nfs_server
} }
} }
} }
@ -717,6 +730,18 @@ resource "kubernetes_deployment" "postgres" {
image = "viktorbarzin/postgres:16-master" # mix of postgis + pgvector image = "viktorbarzin/postgres:16-master" # mix of postgis + pgvector
# image = "postgres:17.2-bullseye" # needs pg_upgrade to data dir # image = "postgres:17.2-bullseye" # needs pg_upgrade to data dir
name = "postgresql" name = "postgresql"
resources {
requests = {
cpu = "250m"
memory = "512Mi"
}
limits = {
cpu = "1"
memory = "2Gi"
}
}
env { env {
name = "POSTGRES_PASSWORD" name = "POSTGRES_PASSWORD"
value = var.postgresql_root_password value = var.postgresql_root_password
@ -744,7 +769,7 @@ resource "kubernetes_deployment" "postgres" {
name = "postgresql-persistent-storage" name = "postgresql-persistent-storage"
nfs { nfs {
path = "/mnt/main/postgresql/data" path = "/mnt/main/postgresql/data"
server = "10.0.10.15" server = var.nfs_server
} }
} }
# volume { # volume {
@ -830,7 +855,7 @@ resource "kubernetes_deployment" "pgadmin" {
# } # }
nfs { nfs {
path = "/mnt/main/postgresql/pgadmin" path = "/mnt/main/postgresql/pgadmin"
server = "10.0.10.15" server = var.nfs_server
} }
} }
} }
@ -905,7 +930,7 @@ resource "kubernetes_cron_job_v1" "postgresql-backup" {
name = "postgresql-backup" name = "postgresql-backup"
nfs { nfs {
path = "/mnt/main/postgresql-backup" path = "/mnt/main/postgresql-backup"
server = "10.0.10.15" server = var.nfs_server
} }
} }
} }
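Review bot: The new `resources` blocks on the `mysql` and `postgresql` containers cap memory at `2Gi` with no corresponding change to the engines' own memory settings (innodb_buffer_pool_size / shared_buffers are not visible in this hunk), so if the configured buffers or current working set exceed that, the change trades an unbounded pod for periodic OOM kills of a stateful database — a new availability risk rather than a reliability gain. Check the observed working set (the monitoring stack in this repo should expose `container_memory_working_set_bytes` for both) before applying, and either raise the limit above the steady-state peak or tune the engine buffers to fit; a comment on each block recording the basis, e.g. `# limit sized from observed peak of <VALUE> on <DATE>`, keeps the numbers explainable. The `cpu = "1"` limit also introduces CFS throttling on a single-vCPU budget; for databases a request without a CPU limit is a common choice worth considering.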


@ -3,6 +3,7 @@ variable "tls_secret_name" {}
variable "tier" { type = string } variable "tier" { type = string }
variable "headscale_config" {} variable "headscale_config" {}
variable "headscale_acl" {} variable "headscale_acl" {}
variable "nfs_server" { type = string }
resource "kubernetes_namespace" "headscale" { resource "kubernetes_namespace" "headscale" {
metadata { metadata {
@ -61,6 +62,18 @@ resource "kubernetes_deployment" "headscale" {
# image = "headscale/headscale:0.23.0-debug" # -debug is for debug images # image = "headscale/headscale:0.23.0-debug" # -debug is for debug images
name = "headscale" name = "headscale"
command = ["headscale", "serve"] command = ["headscale", "serve"]
resources {
requests = {
cpu = "50m"
memory = "64Mi"
}
limits = {
cpu = "200m"
memory = "256Mi"
}
}
port { port {
container_port = 8080 container_port = 8080
} }
@ -100,7 +113,7 @@ resource "kubernetes_deployment" "headscale" {
name = "nfs-config" name = "nfs-config"
nfs { nfs {
path = "/mnt/main/headscale" path = "/mnt/main/headscale"
server = "10.0.10.15" server = var.nfs_server
} }
} }
# container { # container {
@ -114,6 +127,18 @@ resource "kubernetes_deployment" "headscale" {
image = "ghcr.io/gurucomputing/headscale-ui:latest" image = "ghcr.io/gurucomputing/headscale-ui:latest"
# image = "ghcr.io/tale/headplane:0.3.2" # image = "ghcr.io/tale/headplane:0.3.2"
name = "headscale-ui" name = "headscale-ui"
resources {
requests = {
cpu = "25m"
memory = "32Mi"
}
limits = {
cpu = "100m"
memory = "128Mi"
}
}
port { port {
container_port = 8081 container_port = 8081
# container_port = 3000 # container_port = 3000


@ -3,6 +3,7 @@ variable "git_user" {}
variable "git_token" {} variable "git_token" {}
variable "technitium_username" {} variable "technitium_username" {}
variable "technitium_password" {} variable "technitium_password" {}
variable "nfs_server" { type = string }
# DISABLED WHILST USING CLOUDFLARE NS # DISABLED WHILST USING CLOUDFLARE NS
@ -124,7 +125,7 @@ resource "kubernetes_cron_job_v1" "backup-etcd" {
name = "backup" name = "backup"
nfs { nfs {
path = "/mnt/main/etcd-backup" path = "/mnt/main/etcd-backup"
server = "10.0.10.15" server = var.nfs_server
} }
} }
volume { volume {


@ -0,0 +1,203 @@
# =============================================================================
# Pod Security Policies (Audit Mode)
# =============================================================================
# Kyverno validate policies for pod security standards.
# All policies start in Audit mode - violations are logged but not blocked.
resource "kubernetes_manifest" "policy_deny_privileged" {
manifest = {
apiVersion = "kyverno.io/v1"
kind = "ClusterPolicy"
metadata = {
name = "deny-privileged-containers"
annotations = {
"policies.kyverno.io/title" = "Deny Privileged Containers"
"policies.kyverno.io/category" = "Pod Security"
"policies.kyverno.io/severity" = "high"
"policies.kyverno.io/description" = "Privileged containers have full host access. Deny unless explicitly exempted."
}
}
spec = {
validationFailureAction = "Audit"
background = true
rules = [{
name = "deny-privileged"
match = {
any = [{
resources = {
kinds = ["Pod"]
}
}]
}
exclude = {
any = [{
resources = {
namespaces = ["frigate", "nvidia", "monitoring"]
}
}]
}
validate = {
message = "Privileged containers are not allowed. Use specific capabilities instead."
pattern = {
spec = {
containers = [{
"=(securityContext)" = {
"=(privileged)" = false
}
}]
"=(initContainers)" = [{
"=(securityContext)" = {
"=(privileged)" = false
}
}]
}
}
}
}]
}
}
depends_on = [helm_release.kyverno]
}
resource "kubernetes_manifest" "policy_deny_host_namespaces" {
manifest = {
apiVersion = "kyverno.io/v1"
kind = "ClusterPolicy"
metadata = {
name = "deny-host-namespaces"
annotations = {
"policies.kyverno.io/title" = "Deny Host Namespaces"
"policies.kyverno.io/category" = "Pod Security"
"policies.kyverno.io/severity" = "high"
"policies.kyverno.io/description" = "Sharing host namespaces enables container escapes. Deny hostNetwork, hostPID, hostIPC."
}
}
spec = {
validationFailureAction = "Audit"
background = true
rules = [{
name = "deny-host-namespaces"
match = {
any = [{
resources = {
kinds = ["Pod"]
}
}]
}
exclude = {
any = [{
resources = {
namespaces = ["frigate", "monitoring"]
}
}]
}
validate = {
message = "Host namespaces (hostNetwork, hostPID, hostIPC) are not allowed."
pattern = {
spec = {
"=(hostNetwork)" = false
"=(hostPID)" = false
"=(hostIPC)" = false
}
}
}
}]
}
}
depends_on = [helm_release.kyverno]
}
resource "kubernetes_manifest" "policy_restrict_capabilities" {
manifest = {
apiVersion = "kyverno.io/v1"
kind = "ClusterPolicy"
metadata = {
name = "restrict-sys-admin"
annotations = {
"policies.kyverno.io/title" = "Restrict SYS_ADMIN Capability"
"policies.kyverno.io/category" = "Pod Security"
"policies.kyverno.io/severity" = "high"
"policies.kyverno.io/description" = "SYS_ADMIN is nearly equivalent to root. Restrict to explicitly exempted namespaces."
}
}
spec = {
validationFailureAction = "Audit"
background = true
rules = [{
name = "restrict-sys-admin"
match = {
any = [{
resources = {
kinds = ["Pod"]
}
}]
}
exclude = {
any = [{
resources = {
namespaces = ["nvidia", "monitoring"]
}
}]
}
validate = {
message = "Adding SYS_ADMIN capability is not allowed."
deny = {
conditions = {
any = [{
key = "{{ request.object.spec.containers[].securityContext.capabilities.add[] || `[]` }}"
operator = "AnyIn"
value = ["SYS_ADMIN"]
}]
}
}
}
}]
}
}
depends_on = [helm_release.kyverno]
}
resource "kubernetes_manifest" "policy_require_trusted_registries" {
manifest = {
apiVersion = "kyverno.io/v1"
kind = "ClusterPolicy"
metadata = {
name = "require-trusted-registries"
annotations = {
"policies.kyverno.io/title" = "Require Trusted Image Registries"
"policies.kyverno.io/category" = "Pod Security"
"policies.kyverno.io/severity" = "medium"
"policies.kyverno.io/description" = "Images must come from trusted registries to prevent supply chain attacks."
}
}
spec = {
validationFailureAction = "Audit"
background = true
rules = [{
name = "validate-registries"
match = {
any = [{
resources = {
kinds = ["Pod"]
}
}]
}
validate = {
message = "Images must be from trusted registries (docker.io, ghcr.io, quay.io, registry.k8s.io, or local cache)."
pattern = {
spec = {
containers = [{
image = "docker.io/* | ghcr.io/* | quay.io/* | registry.k8s.io/* | 10.0.20.10* | */*"
}]
}
}
}
}]
}
}
depends_on = [helm_release.kyverno]
}
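Review bot: The trusted-registries rule in `policy_require_trusted_registries` does not restrict anything, because the trailing `*/*` alternative on the `image =` pattern line matches any image reference that contains a slash (i.e. any registry host), and `10.0.20.10*` is a prefix match that also accepts hosts merely starting with those characters; the only images it would actually flag are bare Docker Hub names such as `mysql:9.2.0` used elsewhere in this commit, which are presumably the ones you want to allow. The rule also inspects only `containers`, so `initContainers` and ephemeral containers are unchecked, unlike the privileged-container rule above it. I would drop `*/*`, anchor the local cache to its exact host (and port if any), and add an `=(initContainers)` entry as below; if bare Docker Hub names should stay valid without a `docker.io/` prefix, a `deny` rule over Kyverno's `images` variable (which reports a normalized `registry` per container) is the cleaner option — worth confirming against the installed Kyverno version. Separately, `kubernetes_manifest` resolves the `kyverno.io/v1` kind against the API server at plan time, so on a cluster where the Kyverno CRDs are not yet installed the plan fails before `depends_on = [helm_release.kyverno]` can help; a targeted first apply or a separate stage avoids that.
```hcl
        validate = {
          message = "Images must be from trusted registries (docker.io, ghcr.io, quay.io, registry.k8s.io, or local cache)."
          pattern = {
            spec = {
              containers = [{
                image = "docker.io/* | ghcr.io/* | quay.io/* | registry.k8s.io/* | <LOCAL_CACHE_HOST>/*"
              }]
              "=(initContainers)" = [{
                image = "docker.io/* | ghcr.io/* | quay.io/* | registry.k8s.io/* | <LOCAL_CACHE_HOST>/*"
              }]
            }
          }
        }
        # … unchanged: rule match, spec/metadata wrapper, depends_on …
```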


@ -4,6 +4,7 @@ variable "mailserver_accounts" {}
variable "postfix_account_aliases" {} variable "postfix_account_aliases" {}
variable "opendkim_key" {} variable "opendkim_key" {}
variable "sasl_passwd" {} # For sendgrid i.e relayhost variable "sasl_passwd" {} # For sendgrid i.e relayhost
variable "nfs_server" { type = string }
resource "kubernetes_namespace" "mailserver" { resource "kubernetes_namespace" "mailserver" {
metadata { metadata {
@ -106,7 +107,7 @@ resource "kubernetes_config_map" "mailserver_config" {
} }
} }
EOF EOF
fail2ban_conf = <<-EOF fail2ban_conf = <<-EOF
[DEFAULT] [DEFAULT]
#logtarget = /var/log/fail2ban.log #logtarget = /var/log/fail2ban.log
@ -393,7 +394,7 @@ resource "kubernetes_deployment" "mailserver" {
name = "data" name = "data"
nfs { nfs {
path = "/mnt/main/mailserver" path = "/mnt/main/mailserver"
server = "10.0.10.15" server = var.nfs_server
} }
# iscsi { # iscsi {
# target_portal = "iscsi.viktorbarzin.lan:3260" # target_portal = "iscsi.viktorbarzin.lan:3260"


@ -1,4 +1,5 @@
variable "roundcube_db_password" { type = string } variable "roundcube_db_password" { type = string }
variable "mysql_host" { type = string }
# If you want to override settings mount this in /var/roundcube/config # If you want to override settings mount this in /var/roundcube/config
# more info in https://github.com/roundcube/roundcubemail-docker?tab=readme-ov-file # more info in https://github.com/roundcube/roundcubemail-docker?tab=readme-ov-file
@ -89,7 +90,7 @@ resource "kubernetes_deployment" "roundcubemail" {
} }
env { env {
name = "ROUNDCUBEMAIL_DB_HOST" name = "ROUNDCUBEMAIL_DB_HOST"
value = "mysql.dbaas" value = var.mysql_host
} }
env { env {
name = "ROUNDCUBEMAIL_DB_USER" name = "ROUNDCUBEMAIL_DB_USER"
@ -148,14 +149,14 @@ resource "kubernetes_deployment" "roundcubemail" {
name = "html" name = "html"
nfs { nfs {
path = "/mnt/main/roundcubemail/html" path = "/mnt/main/roundcubemail/html"
server = "10.0.10.15" server = var.nfs_server
} }
} }
volume { volume {
name = "enigma" name = "enigma"
nfs { nfs {
path = "/mnt/main/roundcubemail/enigma" path = "/mnt/main/roundcubemail/enigma"
server = "10.0.10.15" server = var.nfs_server
} }
} }
} }


@ -125,7 +125,7 @@ alloy:
resources: resources:
requests: requests:
cpu: 50m cpu: 50m
memory: 256Mi memory: 512Mi
limits: limits:
cpu: 200m cpu: 200m
memory: 768Mi memory: 1Gi


@ -1,4 +1,5 @@
# resource "kubernetes_persistent_volume" "prometheus_grafana_pv" { # resource "kubernetes_persistent_volume" "prometheus_grafana_pv" {
# metadata { # metadata {
# name = "grafana-pv" # name = "grafana-pv"
@ -11,7 +12,7 @@
# persistent_volume_source { # persistent_volume_source {
# nfs { # nfs {
# path = "/mnt/main/grafana" # path = "/mnt/main/grafana"
# server = "10.0.10.15" # server = var.nfs_server
# } # }
# # iscsi { # # iscsi {
# # target_portal = "iscsi.viktorbarzin.lan:3260" # # target_portal = "iscsi.viktorbarzin.lan:3260"
@ -35,7 +36,7 @@ resource "kubernetes_persistent_volume" "alertmanager_pv" {
persistent_volume_source { persistent_volume_source {
nfs { nfs {
path = "/mnt/main/alertmanager" path = "/mnt/main/alertmanager"
server = "10.0.10.15" server = var.nfs_server
} }
} }
} }
@ -65,5 +66,5 @@ resource "helm_release" "grafana" {
repository = "https://grafana.github.io/helm-charts" repository = "https://grafana.github.io/helm-charts"
chart = "grafana" chart = "grafana"
values = [templatefile("${path.module}/grafana_chart_values.yaml", { db_password = var.grafana_db_password, grafana_admin_password = var.grafana_admin_password })] values = [templatefile("${path.module}/grafana_chart_values.yaml", { db_password = var.grafana_db_password, grafana_admin_password = var.grafana_admin_password, mysql_host = var.mysql_host })]
} }


@ -48,7 +48,7 @@ env:
grafana.ini: grafana.ini:
database: database:
type: mysql type: mysql
host: mysql.dbaas.svc.cluster.local:3306 host: ${mysql_host}:3306
name: grafana name: grafana
user: grafana user: grafana
password: $__env{GF_DATABASE_PASSWORD} password: $__env{GF_DATABASE_PASSWORD}


@ -1,3 +1,5 @@
variable "nfs_server" { type = string }
resource "helm_release" "loki" { resource "helm_release" "loki" {
namespace = kubernetes_namespace.monitoring.metadata[0].name namespace = kubernetes_namespace.monitoring.metadata[0].name
create_namespace = true create_namespace = true
@ -24,7 +26,7 @@ resource "kubernetes_persistent_volume" "loki" {
persistent_volume_source { persistent_volume_source {
nfs { nfs {
path = "/mnt/main/loki/loki" path = "/mnt/main/loki/loki"
server = "10.0.10.15" server = var.nfs_server
} }
} }
persistent_volume_reclaim_policy = "Retain" persistent_volume_reclaim_policy = "Retain"


@ -22,7 +22,7 @@ loki:
limits_config: limits_config:
allow_structured_metadata: true allow_structured_metadata: true
volume_enabled: true volume_enabled: true
retention_period: 168h retention_period: 720h
compactor: compactor:
retention_enabled: true retention_enabled: true
working_directory: /var/loki/compactor working_directory: /var/loki/compactor


@ -16,6 +16,7 @@ variable "pve_password" { type = string }
variable "grafana_db_password" { type = string } variable "grafana_db_password" { type = string }
variable "grafana_admin_password" { type = string } variable "grafana_admin_password" { type = string }
variable "tier" { type = string } variable "tier" { type = string }
variable "mysql_host" { type = string }
resource "kubernetes_namespace" "monitoring" { resource "kubernetes_namespace" "monitoring" {
metadata { metadata {


@ -1,4 +1,5 @@
resource "kubernetes_persistent_volume_claim" "prometheus_server_pvc" { resource "kubernetes_persistent_volume_claim" "prometheus_server_pvc" {
metadata { metadata {
name = "prometheus-iscsi-pvc" name = "prometheus-iscsi-pvc"
@ -29,7 +30,7 @@ resource "kubernetes_persistent_volume" "prometheus_server_pvc" {
persistent_volume_source { persistent_volume_source {
nfs { nfs {
path = "/mnt/main/prometheus" path = "/mnt/main/prometheus"
server = "10.0.10.15" server = var.nfs_server
} }
# iscsi { # iscsi {
# fs_type = "ext4" # fs_type = "ext4"


@ -316,6 +316,13 @@ serverFiles:
severity: warning severity: warning
annotations: annotations:
summary: "PV {{ $labels.persistentvolumeclaim }} in {{ $labels.namespace }}: {{ $value | printf \"%.0f\" }}% used (threshold: 85%)" summary: "PV {{ $labels.persistentvolumeclaim }} in {{ $labels.namespace }}: {{ $value | printf \"%.0f\" }}% used (threshold: 85%)"
- alert: PVPredictedFull
expr: predict_linear(kubelet_volume_stats_used_bytes[6h], 3600*24) > kubelet_volume_stats_capacity_bytes
for: 1h
labels:
severity: warning
annotations:
summary: "PV {{ $labels.persistentvolumeclaim }} in {{ $labels.namespace }} predicted to fill within 24h"
- name: K8s Health - name: K8s Health
rules: rules:
- alert: PodCrashLooping - alert: PodCrashLooping
@ -389,6 +396,50 @@ serverFiles:
severity: warning severity: warning
annotations: annotations:
summary: "Prometheus notification errors: {{ $value | printf \"%.2f\" }}/s" summary: "Prometheus notification errors: {{ $value | printf \"%.2f\" }}/s"
- name: Critical Services
rules:
- alert: PostgreSQLDown
expr: (kube_deployment_status_replicas_available{namespace="dbaas", deployment=~"postgresql.*"} or on() vector(0)) < 1
for: 5m
labels:
severity: critical
annotations:
summary: "PostgreSQL has no available replicas"
- alert: MySQLDown
expr: (kube_deployment_status_replicas_available{namespace="dbaas", deployment=~"mysql.*"} or on() vector(0)) < 1
for: 5m
labels:
severity: critical
annotations:
summary: "MySQL has no available replicas"
- alert: RedisDown
expr: (kube_deployment_status_replicas_available{namespace="redis"} or on() vector(0)) < 1
for: 5m
labels:
severity: critical
annotations:
summary: "Redis has no available replicas"
- alert: HeadscaleDown
expr: (kube_deployment_status_replicas_available{namespace="headscale"} or on() vector(0)) < 1
for: 5m
labels:
severity: critical
annotations:
summary: "Headscale VPN has no available replicas"
- alert: AuthentikDown
expr: (kube_deployment_status_replicas_available{namespace="authentik", deployment="authentik-server"} or on() vector(0)) < 1
for: 5m
labels:
severity: critical
annotations:
summary: "Authentik auth server has no available replicas"
- alert: LokiDown
expr: (kube_statefulset_status_replicas_ready{namespace="monitoring", statefulset=~"loki.*"} or on() vector(0)) < 1
for: 5m
labels:
severity: warning
annotations:
summary: "Loki log aggregation has no ready replicas"
- name: Cluster - name: Cluster
rules: rules:
- alert: NodeDown - alert: NodeDown
@ -548,20 +599,20 @@ serverFiles:
severity: page severity: page
annotations: annotations:
summary: Mail server has no available replicas. This means mail may not be received. summary: Mail server has no available replicas. This means mail may not be received.
# - alert: Hackmd has no replicas available - alert: HackmdDown
# expr: (kube_deployment_status_replicas_available{namespace="hackmd"} or on() vector(0)) < 1 expr: (kube_deployment_status_replicas_available{namespace="hackmd"} or on() vector(0)) < 1
# for: 1m for: 5m
# labels: labels:
# severity: page severity: warning
# annotations: annotations:
# summary: Hackmd has no available replicas. summary: "Hackmd has no available replicas"
# - alert: Privatebin has no replicas available - alert: PrivatebinDown
# expr: (kube_deployment_status_replicas_available{namespace="privatebin"} or on() vector(0)) < 1 expr: (kube_deployment_status_replicas_available{namespace="privatebin"} or on() vector(0)) < 1
# for: 10m for: 10m
# labels: labels:
# severity: page severity: warning
# annotations: annotations:
# summary: Privatebin has no available replicas. summary: "Privatebin has no available replicas"
# - name: London OpenWRT Down # - name: London OpenWRT Down
# rules: # rules:
# - alert: OpenWRT client unreachable # - alert: OpenWRT client unreachable
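Review bot: The new `Critical Services` group labels its rules `severity: critical`, while the existing paging rules in this file use `severity: page` (see the mail-server rule just above the Hackmd change), so unless the Alertmanager routing tree also matches `critical` — not visible here — PostgreSQL, MySQL and Authentik going down will land in the default receiver instead of paging. Either use `severity: page` for the rules that must wake someone or confirm the route exists, and record the decision above the group, e.g. `# severity=critical is routed to the paging receiver in alertmanager; keep in sync`. `AuthentikDown` hard-codes `deployment="authentik-server"`; because of the `or on() vector(0)` fallback, a different deployment name makes this alert fire permanently rather than never, so verify the name before merging. `PVPredictedFull` will also fire for volumes already past 85%, duplicating the existing PV rule; that is acceptable but worth a one-line comment so the pair is not "fixed" later.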


@ -12,7 +12,7 @@ resource "kubernetes_namespace" "nvidia" {
name = "nvidia" name = "nvidia"
labels = { labels = {
"istio-injection" : "disabled" "istio-injection" : "disabled"
tier = var.tier tier = var.tier
"resource-governance/custom-quota" = "true" "resource-governance/custom-quota" = "true"
} }
} }


@ -1,5 +1,6 @@
variable "tls_secret_name" {} variable "tls_secret_name" {}
variable "tier" { type = string } variable "tier" { type = string }
variable "nfs_server" { type = string }
resource "kubernetes_namespace" "redis" { resource "kubernetes_namespace" "redis" {
metadata { metadata {
@ -49,6 +50,17 @@ resource "kubernetes_deployment" "redis" {
image = "redis/redis-stack:latest" image = "redis/redis-stack:latest"
name = "redis" name = "redis"
resources {
requests = {
cpu = "100m"
memory = "128Mi"
}
limits = {
cpu = "500m"
memory = "512Mi"
}
}
port { port {
container_port = 6379 container_port = 6379
} }
@ -64,7 +76,7 @@ resource "kubernetes_deployment" "redis" {
name = "data" name = "data"
nfs { nfs {
path = "/mnt/main/redis" path = "/mnt/main/redis"
server = "10.0.10.15" server = var.nfs_server
} }
} }
} }
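Review bot: The new 512Mi memory limit on the `redis` container has no matching `maxmemory` visible in this hunk (the container args are outside it), so once the keyspace grows past roughly that size Redis is OOM-killed and restarts from its NFS-backed data instead of evicting; set `maxmemory` a safe margin below the limit, e.g. `--maxmemory 400mb --maxmemory-policy allkeys-lru` (or `noeviction` if data loss is unacceptable), via the container command or config. Fork-based RDB/AOF snapshots temporarily need extra memory on top of the working set, which is a second reason the cap should not equal the expected dataset size. The `redis/redis-stack:latest` tag is unchanged here, but an unpinned image makes these limits a moving target; pinning it would make the sizing predictable.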


@ -2,6 +2,8 @@ variable "tls_secret_name" {}
variable "tier" { type = string } variable "tier" { type = string }
variable "homepage_token" {} variable "homepage_token" {}
variable "technitium_db_password" {} variable "technitium_db_password" {}
variable "nfs_server" { type = string }
variable "mysql_host" { type = string }
resource "kubernetes_namespace" "technitium" { resource "kubernetes_namespace" "technitium" {
metadata { metadata {
@ -131,14 +133,14 @@ resource "kubernetes_deployment" "technitium" {
image = "technitium/dns-server:latest" image = "technitium/dns-server:latest"
name = "technitium" name = "technitium"
resources { resources {
# limits = { requests = {
# cpu = "1" cpu = "100m"
# memory = "1Gi" memory = "128Mi"
# } }
# requests = { limits = {
# cpu = "1" cpu = "500m"
# memory = "1Gi" memory = "512Mi"
# } }
} }
port { port {
container_port = 5380 container_port = 5380
@ -162,7 +164,7 @@ resource "kubernetes_deployment" "technitium" {
name = "nfs-config" name = "nfs-config"
nfs { nfs {
path = "/mnt/main/technitium" path = "/mnt/main/technitium"
server = "10.0.10.15" server = var.nfs_server
} }
} }
volume { volume {
@ -278,7 +280,7 @@ resource "kubernetes_config_map" "grafana_technitium_datasource" {
name = "Technitium MySQL" name = "Technitium MySQL"
type = "mysql" type = "mysql"
access = "proxy" access = "proxy"
url = "mysql.dbaas.svc.cluster.local:3306" url = "${var.mysql_host}:3306"
database = "technitium" database = "technitium"
user = "technitium" user = "technitium"
uid = "technitium-mysql" uid = "technitium-mysql"
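Review bot: The previously commented-out sizing for Technitium was 1 CPU / 1Gi and the new limits halve that to 500m / 512Mi for a DNS server whose cache size and query rate are not visible here; a CPU-throttled resolver shows up as added latency on every lookup in the cluster, so confirm the numbers against its observed usage before merging or leave more CPU headroom. A short comment next to the limits recording the basis, e.g. `# sized from observed usage; DNS is latency-sensitive, prefer headroom over tight CPU limits`, would stop the next reviewer from tightening them further. The Grafana datasource now builds `${var.mysql_host}:3306`; the credential part of that ConfigMap is outside this hunk, so check that the password is supplied via `secureJsonData`/a Secret rather than templated in plaintext alongside the user.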


@ -80,7 +80,7 @@ resource "helm_release" "traefik" {
# Enable dashboard API (accessible on port 8080 internally) # Enable dashboard API (accessible on port 8080 internally)
api = { api = {
insecure = true insecure = false
} }
# Entrypoints # Entrypoints
@ -174,7 +174,6 @@ resource "helm_release" "traefik" {
} }
additionalArguments = [ additionalArguments = [
"--api.insecure=true",
"--global.checknewversion=false", "--global.checknewversion=false",
"--global.sendanonymoususage=false", "--global.sendanonymoususage=false",
# Skip TLS verification for self-signed backend certs (proxmox, idrac, etc.) # Skip TLS verification for self-signed backend certs (proxmox, idrac, etc.)
@ -184,8 +183,10 @@ resource "helm_release" "traefik" {
"--serversTransport.forwardingTimeouts.responseHeaderTimeout=0s", "--serversTransport.forwardingTimeouts.responseHeaderTimeout=0s",
"--serversTransport.forwardingTimeouts.idleConnTimeout=90s", "--serversTransport.forwardingTimeouts.idleConnTimeout=90s",
# Use forwarded headers from trusted proxies # Use forwarded headers from trusted proxies
"--entryPoints.websecure.forwardedHeaders.insecure=true", "--entryPoints.websecure.forwardedHeaders.insecure=false",
"--entryPoints.web.forwardedHeaders.insecure=true", "--entryPoints.web.forwardedHeaders.insecure=false",
"--entryPoints.websecure.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/13,104.24.0.0/14,172.64.0.0/13,131.0.72.0/22,10.0.0.0/8,192.168.0.0/16",
"--entryPoints.web.forwardedHeaders.trustedIPs=173.245.48.0/20,103.21.244.0/22,103.22.200.0/22,103.31.4.0/22,141.101.64.0/18,108.162.192.0/18,190.93.240.0/20,188.114.96.0/20,197.234.240.0/22,198.41.128.0/17,162.158.0.0/15,104.16.0.0/13,104.24.0.0/14,172.64.0.0/13,131.0.72.0/22,10.0.0.0/8,192.168.0.0/16",
] ]
resources = { resources = {
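Review bot: The two `forwardedHeaders.trustedIPs` lists append `10.0.0.0/8` and `192.168.0.0/16` to the Cloudflare ranges, so any host or pod in those private ranges — which almost certainly includes the cluster's node and pod CIDRs — can set `X-Forwarded-For` and be believed; because the rate-limit and CrowdSec middlewares key on the client IP, an in-network client can spoof or launder its address and bypass both. Narrow these to the specific load-balancer or node addresses that actually sit in front of Traefik (the NAT'd source you observe when `externalTrafficPolicy` is `Cluster`, for example) rather than the whole RFC 1918 space, and add a comment naming why each entry is trusted. Only Cloudflare's IPv4 ranges are listed; if the origin is reachable over IPv6 from Cloudflare, those requests will have their forwarded headers stripped, so add Cloudflare's published IPv6 ranges or document that the origin is IPv4-only. The comment `# Enable dashboard API (accessible on port 8080 internally)` now contradicts `insecure = false`; change it to `# Dashboard API is not served on the insecure :8080 entrypoint; expose it via an authenticated IngressRoute if needed`.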


@ -13,8 +13,8 @@ resource "kubernetes_manifest" "middleware_rate_limit" {
} }
spec = { spec = {
rateLimit = { rateLimit = {
average = 5 average = 10
burst = 250 burst = 50
} }
} }
} }
@ -113,6 +113,31 @@ resource "kubernetes_manifest" "middleware_csp_headers" {
depends_on = [helm_release.traefik] depends_on = [helm_release.traefik]
} }
# Security headers middleware (HSTS, X-Frame-Options, etc.)
resource "kubernetes_manifest" "middleware_security_headers" {
manifest = {
apiVersion = "traefik.io/v1alpha1"
kind = "Middleware"
metadata = {
name = "security-headers"
namespace = kubernetes_namespace.traefik.metadata[0].name
}
spec = {
headers = {
stsSeconds = 31536000
stsIncludeSubdomains = true
frameDeny = true
contentTypeNosniff = true
browserXssFilter = true
referrerPolicy = "strict-origin-when-cross-origin"
permissionsPolicy = "camera=(), microphone=(), geolocation=()"
}
}
}
depends_on = [helm_release.traefik]
}
# CrowdSec bouncer plugin middleware # CrowdSec bouncer plugin middleware
resource "kubernetes_manifest" "middleware_crowdsec" { resource "kubernetes_manifest" "middleware_crowdsec" {
manifest = { manifest = {
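Review bot: `browserXssFilter = true` sends `X-XSS-Protection: 1; mode=block`, a header current browsers ignore and older ones could abuse for cross-site leaks; modern guidance is to omit it (or send `0`) and rely on the CSP middleware defined above, so drop that line. The new `security-headers` middleware is not referenced by any router in this diff — the xray ingresses being migrated still chain only `rate-limit`, `csp-headers` and `crowdsec` — so unless `ingress_factory` attaches it by default (not visible here) it is inert; a comment such as `# Wired by ingress_factory as traefik-security-headers@kubernetescrd; not applied automatically` would make the contract explicit either way. `stsIncludeSubdomains` only has effect when the header is served from the apex domain, and `frameDeny` will break any app that legitimately embeds itself in an iframe, so both deserve a why-comment. The rate limit is per source IP by default, so its value depends entirely on how tightly `forwardedHeaders.trustedIPs` is scoped.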


@ -1,5 +1,6 @@
variable "tls_secret_name" {} variable "tls_secret_name" {}
variable "tier" { type = string } variable "tier" { type = string }
variable "nfs_server" { type = string }
resource "kubernetes_namespace" "uptime-kuma" { resource "kubernetes_namespace" "uptime-kuma" {
metadata { metadata {
@ -56,6 +57,17 @@ resource "kubernetes_deployment" "uptime-kuma" {
image = "louislam/uptime-kuma:2" image = "louislam/uptime-kuma:2"
name = "uptime-kuma" name = "uptime-kuma"
resources {
requests = {
cpu = "50m"
memory = "64Mi"
}
limits = {
cpu = "200m"
memory = "256Mi"
}
}
port { port {
container_port = 3001 container_port = 3001
} }
@ -67,7 +79,7 @@ resource "kubernetes_deployment" "uptime-kuma" {
volume { volume {
name = "data" name = "data"
nfs { nfs {
server = "10.0.10.15" server = var.nfs_server
path = "/mnt/main/uptime-kuma" path = "/mnt/main/uptime-kuma"
} }
} }
@ -160,7 +172,7 @@ module "ingress" {
# volume { # volume {
# name = "data" # name = "data"
# nfs { # nfs {
# server = "10.0.10.15" # server = var.nfs_server
# path = "/mnt/main/uptime-kuma" # path = "/mnt/main/uptime-kuma"
# } # }
# } # }


@ -1,6 +1,8 @@
variable "tls_secret_name" {} variable "tls_secret_name" {}
variable "tier" { type = string } variable "tier" { type = string }
variable "smtp_password" {} variable "smtp_password" {}
variable "nfs_server" { type = string }
variable "mail_host" { type = string }
resource "kubernetes_namespace" "vaultwarden" { resource "kubernetes_namespace" "vaultwarden" {
metadata { metadata {
@ -51,6 +53,18 @@ resource "kubernetes_deployment" "vaultwarden" {
container { container {
image = "vaultwarden/server:1.35.2" image = "vaultwarden/server:1.35.2"
name = "vaultwarden" name = "vaultwarden"
resources {
requests = {
cpu = "50m"
memory = "64Mi"
}
limits = {
cpu = "200m"
memory = "256Mi"
}
}
env { env {
name = "DOMAIN" name = "DOMAIN"
value = "https://vaultwarden.viktorbarzin.me" value = "https://vaultwarden.viktorbarzin.me"
@ -61,7 +75,7 @@ resource "kubernetes_deployment" "vaultwarden" {
# } # }
env { env {
name = "SMTP_HOST" name = "SMTP_HOST"
value = "mail.viktorbarzin.me" value = var.mail_host
} }
env { env {
name = "SMTP_FROM" name = "SMTP_FROM"
@ -96,7 +110,7 @@ resource "kubernetes_deployment" "vaultwarden" {
name = "data" name = "data"
nfs { nfs {
path = "/mnt/main/vaultwarden" path = "/mnt/main/vaultwarden"
server = "10.0.10.15" server = var.nfs_server
} }
} }
} }


@ -186,109 +186,36 @@ resource "kubernetes_service" "xray-reality" {
} }
} }
resource "kubernetes_ingress_v1" "ingress" { module "ingress_ws" {
metadata { source = "../../../../modules/kubernetes/ingress_factory"
namespace = kubernetes_namespace.xray.metadata[0].name namespace = kubernetes_namespace.xray.metadata[0].name
name = "xray" name = "xray-ws"
annotations = { service_name = "xray"
"traefik.ingress.kubernetes.io/router.middlewares" = "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd" host = "xray-ws"
"traefik.ingress.kubernetes.io/router.entrypoints" = "websecure" port = 8443
} tls_secret_name = var.tls_secret_name
} }
spec { module "ingress_grpc" {
ingress_class_name = "traefik" source = "../../../../modules/kubernetes/ingress_factory"
tls { namespace = kubernetes_namespace.xray.metadata[0].name
hosts = ["xray-ws.viktorbarzin.me"] name = "xray-grpc"
secret_name = var.tls_secret_name service_name = "xray"
} host = "xray-grpc"
rule { port = 9443
host = "xray-ws.viktorbarzin.me" tls_secret_name = var.tls_secret_name
http { ingress_path = ["/grpc-vpn"]
path { extra_annotations = {
backend { "traefik.ingress.kubernetes.io/service.serversscheme" = "h2c"
service {
name = "xray"
port {
number = 8443
}
}
}
}
}
}
} }
} }
resource "kubernetes_ingress_v1" "ingress-grpc" { module "ingress_vless" {
metadata { source = "../../../../modules/kubernetes/ingress_factory"
namespace = kubernetes_namespace.xray.metadata[0].name namespace = kubernetes_namespace.xray.metadata[0].name
name = "xray-grpc" name = "xray-vless"
annotations = { service_name = "xray"
"traefik.ingress.kubernetes.io/router.middlewares" = "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd" host = "xray-vless"
"traefik.ingress.kubernetes.io/router.entrypoints" = "websecure" port = 6443
"traefik.ingress.kubernetes.io/service.serversscheme" = "h2c" tls_secret_name = var.tls_secret_name
}
}
spec {
ingress_class_name = "traefik"
tls {
hosts = ["xray-grpc.viktorbarzin.me"]
secret_name = var.tls_secret_name
}
rule {
host = "xray-grpc.viktorbarzin.me"
http {
path {
path = "/grpc-vpn"
path_type = "Prefix"
backend {
service {
name = "xray"
port {
number = 9443
}
}
}
}
}
}
}
}
resource "kubernetes_ingress_v1" "ingress-vless" {
metadata {
namespace = kubernetes_namespace.xray.metadata[0].name
name = "xray-vless"
annotations = {
"traefik.ingress.kubernetes.io/router.middlewares" = "traefik-rate-limit@kubernetescrd,traefik-csp-headers@kubernetescrd,traefik-crowdsec@kubernetescrd"
"traefik.ingress.kubernetes.io/router.entrypoints" = "websecure"
}
}
spec {
ingress_class_name = "traefik"
tls {
hosts = ["xray-vless.viktorbarzin.me"]
secret_name = var.tls_secret_name
}
rule {
host = "xray-vless.viktorbarzin.me"
http {
path {
backend {
service {
name = "xray"
port {
number = 6443
}
}
}
}
}
}
}
} }
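Review bot: The three raw ingresses being removed carried explicit `router.middlewares` (rate-limit, csp-headers, crowdsec) and `router.entrypoints=websecure` annotations, and the replacement `ingress_factory` calls pass none of them — only the grpc module sets an annotation at all — so unless the module injects those by default (not visible here) these VPN endpoints silently lose CrowdSec and rate limiting. Confirm in the module and, if they are opt-in, add them through `extra_annotations` on all three; a comment above the modules such as `# ingress_factory applies the rate-limit/csp/crowdsec middlewares and the websecure entrypoint by default` would record the contract. The grpc ingress also drops the explicit `path_type = "Prefix"`; check that `ingress_path = ["/grpc-vpn"]` produces the same match, since an exact match would not cover the gRPC method paths beneath it. The `host` values changed from FQDNs to short names, so the module must be appending the domain — worth confirming the TLS hosts list ends up identical.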


@ -1,14 +1,5 @@
variable "tls_secret_name" { type = string } variable "tls_secret_name" { type = string }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
resource "kubernetes_namespace" "plotting-book" { resource "kubernetes_namespace" "plotting-book" {
metadata { metadata {


@ -1,14 +1,6 @@
variable "tls_secret_name" { type = string } variable "tls_secret_name" { type = string }
variable "nfs_server" { type = string }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
resource "kubernetes_namespace" "poison_fountain" { resource "kubernetes_namespace" "poison_fountain" {
metadata { metadata {
@ -152,7 +144,7 @@ resource "kubernetes_deployment" "poison_fountain" {
volume { volume {
name = "data" name = "data"
nfs { nfs {
server = "10.0.10.15" server = var.nfs_server
path = "/mnt/main/poison-fountain" path = "/mnt/main/poison-fountain"
} }
} }
@ -259,7 +251,7 @@ resource "kubernetes_cron_job_v1" "poison_fetcher" {
volume { volume {
name = "data" name = "data"
nfs { nfs {
server = "10.0.10.15" server = var.nfs_server
path = "/mnt/main/poison-fountain" path = "/mnt/main/poison-fountain"
} }
} }


@ -1,14 +1,6 @@
variable "tls_secret_name" { type = string } variable "tls_secret_name" { type = string }
variable "nfs_server" { type = string }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
resource "kubernetes_namespace" "privatebin" { resource "kubernetes_namespace" "privatebin" {
metadata { metadata {
@ -70,7 +62,7 @@ resource "kubernetes_deployment" "privatebin" {
name = "data" name = "data"
nfs { nfs {
path = "/mnt/main/privatebin" path = "/mnt/main/privatebin"
server = "10.0.10.15" server = var.nfs_server
} }
} }
} }


@ -1,23 +1,17 @@
variable "tls_secret_name" { type = string } variable "tls_secret_name" { type = string }
variable "realestate_crawler_db_password" { type = string } variable "realestate_crawler_db_password" { type = string }
variable "realestate_crawler_notification_settings" { type = map(string) } variable "realestate_crawler_notification_settings" { type = map(string) }
variable "nfs_server" { type = string }
variable "redis_host" { type = string }
variable "mysql_host" { type = string }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
resource "kubernetes_namespace" "realestate-crawler" { resource "kubernetes_namespace" "realestate-crawler" {
metadata { metadata {
name = "realestate-crawler" name = "realestate-crawler"
labels = { labels = {
"istio-injection" : "disabled" "istio-injection" : "disabled"
tier = local.tiers.aux tier = local.tiers.aux
"resource-governance/custom-quota" = "true" "resource-governance/custom-quota" = "true"
} }
} }
@ -143,7 +137,7 @@ resource "kubernetes_deployment" "realestate-crawler-api" {
} }
env { env {
name = "DB_CONNECTION_STRING" name = "DB_CONNECTION_STRING"
value = "mysql://wrongmove:${var.realestate_crawler_db_password}@mysql.dbaas.svc.cluster.local:3306/wrongmove" value = "mysql://wrongmove:${var.realestate_crawler_db_password}@${var.mysql_host}:3306/wrongmove"
} }
# env { # env {
@ -156,11 +150,11 @@ resource "kubernetes_deployment" "realestate-crawler-api" {
# } # }
env { env {
name = "CELERY_BROKER_URL" name = "CELERY_BROKER_URL"
value = "redis://redis.redis.svc.cluster.local:6379/0" value = "redis://${var.redis_host}:6379/0"
} }
env { env {
name = "CELERY_RESULT_BACKEND" name = "CELERY_RESULT_BACKEND"
value = "redis://redis.redis.svc.cluster.local:6379/1" value = "redis://${var.redis_host}:6379/1"
} }
env { env {
@ -196,6 +190,16 @@ resource "kubernetes_deployment" "realestate-crawler-api" {
container_port = 5001 container_port = 5001
protocol = "TCP" protocol = "TCP"
} }
resources {
requests = {
cpu = "50m"
memory = "128Mi"
}
limits = {
cpu = "2000m"
memory = "1Gi"
}
}
volume_mount { volume_mount {
name = "data" name = "data"
mount_path = "/app/data" mount_path = "/app/data"
@ -205,7 +209,7 @@ resource "kubernetes_deployment" "realestate-crawler-api" {
name = "data" name = "data"
nfs { nfs {
path = "/mnt/main/real-estate-crawler" path = "/mnt/main/real-estate-crawler"
server = "10.0.10.15" server = var.nfs_server
} }
} }
} }
@ -292,7 +296,7 @@ resource "kubernetes_deployment" "realestate-crawler-celery" {
name = "celery-worker" name = "celery-worker"
image = "viktorbarzin/realestatecrawler:latest" image = "viktorbarzin/realestatecrawler:latest"
image_pull_policy = "Always" image_pull_policy = "Always"
command = ["python", "-m", "celery", "-A", "celery_app", "worker", "--loglevel=info"] command = ["python", "-m", "celery", "-A", "celery_app", "worker", "--loglevel=info", "--pool=threads"]
port { port {
name = "metrics" name = "metrics"
container_port = 9090 container_port = 9090
@ -304,15 +308,15 @@ resource "kubernetes_deployment" "realestate-crawler-celery" {
} }
env { env {
name = "DB_CONNECTION_STRING" name = "DB_CONNECTION_STRING"
value = "mysql://wrongmove:${var.realestate_crawler_db_password}@mysql.dbaas.svc.cluster.local:3306/wrongmove" value = "mysql://wrongmove:${var.realestate_crawler_db_password}@${var.mysql_host}:3306/wrongmove"
} }
env { env {
name = "CELERY_BROKER_URL" name = "CELERY_BROKER_URL"
value = "redis://redis.redis.svc.cluster.local:6379/0" value = "redis://${var.redis_host}:6379/0"
} }
env { env {
name = "CELERY_RESULT_BACKEND" name = "CELERY_RESULT_BACKEND"
value = "redis://redis.redis.svc.cluster.local:6379/1" value = "redis://${var.redis_host}:6379/1"
} }
env { env {
name = "SLACK_WEBHOOK_URL" name = "SLACK_WEBHOOK_URL"
@ -339,7 +343,7 @@ resource "kubernetes_deployment" "realestate-crawler-celery" {
name = "data" name = "data"
nfs { nfs {
path = "/mnt/main/real-estate-crawler" path = "/mnt/main/real-estate-crawler"
server = "10.0.10.15" server = var.nfs_server
} }
} }
} }
@ -398,21 +402,31 @@ resource "kubernetes_deployment" "realestate-crawler-celery-beat" {
name = "celery-beat" name = "celery-beat"
image = "viktorbarzin/realestatecrawler:latest" image = "viktorbarzin/realestatecrawler:latest"
command = ["python", "-m", "celery", "-A", "celery_app", "beat", "--loglevel=info"] command = ["python", "-m", "celery", "-A", "celery_app", "beat", "--loglevel=info"]
resources {
requests = {
cpu = "10m"
memory = "64Mi"
}
limits = {
cpu = "200m"
memory = "256Mi"
}
}
env { env {
name = "ENV" name = "ENV"
value = "prod" value = "prod"
} }
env { env {
name = "DB_CONNECTION_STRING" name = "DB_CONNECTION_STRING"
value = "mysql://wrongmove:${var.realestate_crawler_db_password}@mysql.dbaas.svc.cluster.local:3306/wrongmove" value = "mysql://wrongmove:${var.realestate_crawler_db_password}@${var.mysql_host}:3306/wrongmove"
} }
env { env {
name = "CELERY_BROKER_URL" name = "CELERY_BROKER_URL"
value = "redis://redis.redis.svc.cluster.local:6379/0" value = "redis://${var.redis_host}:6379/0"
} }
env { env {
name = "CELERY_RESULT_BACKEND" name = "CELERY_RESULT_BACKEND"
value = "redis://redis.redis.svc.cluster.local:6379/1" value = "redis://${var.redis_host}:6379/1"
} }
env { env {
name = "SCRAPE_SCHEDULES" name = "SCRAPE_SCHEDULES"
@ -427,7 +441,7 @@ resource "kubernetes_deployment" "realestate-crawler-celery-beat" {
name = "data" name = "data"
nfs { nfs {
path = "/mnt/main/real-estate-crawler" path = "/mnt/main/real-estate-crawler"
server = "10.0.10.15" server = var.nfs_server
} }
} }
} }
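Review bot: `DB_CONNECTION_STRING` in all three deployments interpolates `${var.realestate_crawler_db_password}` into a plain `env { value = ... }`, so the MySQL password is readable in the Deployment spec and in `kubectl describe pod` by anyone with read access to the namespace; since the commit rewrites these lines anyway, move the password into a `kubernetes_secret` and reference it with `value_from { secret_key_ref { ... } }`, building the URL from `$(DB_PASSWORD)` so only that variable comes from the secret. The worker command also gains `--pool=threads`, a runtime behaviour change not mentioned in the commit message; with the threads pool, concurrency defaults to the node's CPU count rather than the container's CPU limit, so pass `--concurrency=N` explicitly and add a comment such as `# threads pool: worker is I/O-bound on HTTP scraping; --concurrency pinned to the CPU limit`. The namespace still uses `local.tiers.aux` after the `locals` block was removed, so this stack now depends on the terragrunt-generated block the commit introduces — fine, but worth a one-line comment at the top of the file.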


@ -1,13 +1,3 @@
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
resource "kubernetes_namespace" "crowdsec" { resource "kubernetes_namespace" "crowdsec" {
metadata { metadata {
name = "reloader" name = "reloader"


@ -2,16 +2,9 @@ variable "tls_secret_name" { type = string }
variable "resume_database_url" { type = string } variable "resume_database_url" { type = string }
variable "resume_auth_secret" { type = string } variable "resume_auth_secret" { type = string }
variable "mailserver_accounts" { type = map(any) } variable "mailserver_accounts" { type = map(any) }
variable "nfs_server" { type = string }
variable "mail_host" { type = string }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
locals { locals {
namespace = "resume" namespace = "resume"
@ -192,7 +185,7 @@ resource "kubernetes_deployment" "resume" {
# SMTP config for password reset emails # SMTP config for password reset emails
env { env {
name = "SMTP_HOST" name = "SMTP_HOST"
value = "mail.viktorbarzin.me" value = var.mail_host
} }
env { env {
name = "SMTP_PORT" name = "SMTP_PORT"
@ -259,7 +252,7 @@ resource "kubernetes_deployment" "resume" {
volume { volume {
name = "data" name = "data"
nfs { nfs {
server = "10.0.10.15" server = var.nfs_server
path = "/mnt/main/resume" path = "/mnt/main/resume"
} }
} }


@ -1,16 +1,9 @@
variable "tls_secret_name" { type = string } variable "tls_secret_name" { type = string }
variable "clickhouse_password" { type = string } variable "clickhouse_password" { type = string }
variable "clickhouse_postgres_password" { type = string } variable "clickhouse_postgres_password" { type = string }
variable "nfs_server" { type = string }
variable "postgresql_host" { type = string }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
resource "kubernetes_namespace" "rybbit" { resource "kubernetes_namespace" "rybbit" {
metadata { metadata {
@ -89,7 +82,7 @@ resource "kubernetes_deployment" "clickhouse" {
name = "data" name = "data"
nfs { nfs {
path = "/mnt/main/clickhouse" path = "/mnt/main/clickhouse"
server = "10.0.10.15" server = var.nfs_server
} }
} }
} }
@ -168,7 +161,7 @@ resource "kubernetes_deployment" "rybbit" {
} }
env { env {
name = "POSTGRES_HOST" name = "POSTGRES_HOST"
value = "postgresql.dbaas.svc.cluster.local" value = var.postgresql_host
} }
env { env {
name = "POSTGRES_PORT" name = "POSTGRES_PORT"


@ -1,14 +1,7 @@
variable "tls_secret_name" { type = string } variable "tls_secret_name" { type = string }
variable "nfs_server" { type = string }
variable "redis_host" { type = string }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
resource "kubernetes_namespace" "send" { resource "kubernetes_namespace" "send" {
metadata { metadata {
@ -81,7 +74,7 @@ resource "kubernetes_deployment" "send" {
} }
env { env {
name = "REDIS_HOST" name = "REDIS_HOST"
value = "redis.redis.svc.cluster.local" value = var.redis_host
} }
volume_mount { volume_mount {
name = "data" name = "data"
@ -92,7 +85,7 @@ resource "kubernetes_deployment" "send" {
name = "data" name = "data"
nfs { nfs {
path = "/mnt/main/send" path = "/mnt/main/send"
server = "10.0.10.15" server = var.nfs_server
} }
} }
} }


@ -1,6 +1,7 @@
variable "tls_secret_name" {} variable "tls_secret_name" {}
variable "tier" { type = string } variable "tier" { type = string }
variable "aiostreams_database_connection_string" { type = string } variable "aiostreams_database_connection_string" { type = string }
variable "nfs_server" { type = string }
resource "kubernetes_namespace" "aiostreams" { resource "kubernetes_namespace" "aiostreams" {
metadata { metadata {
@ -64,7 +65,7 @@ resource "kubernetes_deployment" "aiostreams" {
volume { volume {
name = "data" name = "data"
nfs { nfs {
server = "10.0.10.15" server = var.nfs_server
path = "/mnt/main/servarr/aiostreams" path = "/mnt/main/servarr/aiostreams"
} }
} }


@ -1,5 +1,6 @@
variable "tls_secret_name" {} variable "tls_secret_name" {}
variable "tier" { type = string } variable "tier" { type = string }
variable "nfs_server" { type = string }
resource "kubernetes_deployment" "lidarr" { resource "kubernetes_deployment" "lidarr" {
@ -77,21 +78,21 @@ resource "kubernetes_deployment" "lidarr" {
name = "data" name = "data"
nfs { nfs {
path = "/mnt/main/servarr/lidarr" path = "/mnt/main/servarr/lidarr"
server = "10.0.10.15" server = var.nfs_server
} }
} }
volume { volume {
name = "downloads" name = "downloads"
nfs { nfs {
path = "/mnt/main/servarr/downloads" path = "/mnt/main/servarr/downloads"
server = "10.0.10.15" server = var.nfs_server
} }
} }
volume { volume {
name = "deemix-config" name = "deemix-config"
nfs { nfs {
path = "/mnt/main/servarr/lidarr" path = "/mnt/main/servarr/lidarr"
server = "10.0.10.15" server = var.nfs_server
} }
} }
} }


@ -1,5 +1,6 @@
variable "tls_secret_name" {} variable "tls_secret_name" {}
variable "tier" { type = string } variable "tier" { type = string }
variable "nfs_server" { type = string }
resource "kubernetes_deployment" "listenarr" { resource "kubernetes_deployment" "listenarr" {
@ -44,14 +45,14 @@ resource "kubernetes_deployment" "listenarr" {
name = "data" name = "data"
nfs { nfs {
path = "/mnt/main/servarr/listenarr" path = "/mnt/main/servarr/listenarr"
server = "10.0.10.15" server = var.nfs_server
} }
} }
volume { volume {
name = "downloads" name = "downloads"
nfs { nfs {
path = "/mnt/main/servarr/downloads" path = "/mnt/main/servarr/downloads"
server = "10.0.10.15" server = var.nfs_server
} }
} }
} }


@ -1,15 +1,6 @@
variable "tls_secret_name" { type = string } variable "tls_secret_name" { type = string }
variable "aiostreams_database_connection_string" { type = string } variable "aiostreams_database_connection_string" { type = string }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
resource "kubernetes_namespace" "servarr" { resource "kubernetes_namespace" "servarr" {
metadata { metadata {


@ -1,5 +1,6 @@
variable "tls_secret_name" {} variable "tls_secret_name" {}
variable "tier" { type = string } variable "tier" { type = string }
variable "nfs_server" { type = string }
resource "kubernetes_deployment" "prowlarr" { resource "kubernetes_deployment" "prowlarr" {
@ -64,14 +65,14 @@ resource "kubernetes_deployment" "prowlarr" {
name = "data" name = "data"
nfs { nfs {
path = "/mnt/main/servarr/prowlarr" path = "/mnt/main/servarr/prowlarr"
server = "10.0.10.15" server = var.nfs_server
} }
} }
volume { volume {
name = "downloads" name = "downloads"
nfs { nfs {
path = "/mnt/main/servarr/downloads" path = "/mnt/main/servarr/downloads"
server = "10.0.10.15" server = var.nfs_server
} }
} }
} }


@ -1,5 +1,6 @@
variable "tls_secret_name" {} variable "tls_secret_name" {}
variable "tier" { type = string } variable "tier" { type = string }
variable "nfs_server" { type = string }
resource "kubernetes_deployment" "qbittorrent" { resource "kubernetes_deployment" "qbittorrent" {
@ -64,14 +65,14 @@ resource "kubernetes_deployment" "qbittorrent" {
name = "data" name = "data"
nfs { nfs {
path = "/mnt/main/servarr/qbittorrent" path = "/mnt/main/servarr/qbittorrent"
server = "10.0.10.15" server = var.nfs_server
} }
} }
volume { volume {
name = "downloads" name = "downloads"
nfs { nfs {
path = "/mnt/main/servarr/downloads" path = "/mnt/main/servarr/downloads"
server = "10.0.10.15" server = var.nfs_server
} }
} }
} }


@ -1,5 +1,6 @@
variable "tls_secret_name" {} variable "tls_secret_name" {}
variable "tier" { type = string } variable "tier" { type = string }
variable "nfs_server" { type = string }
resource "kubernetes_namespace" "readarr" { resource "kubernetes_namespace" "readarr" {
metadata { metadata {
name = "readarr" name = "readarr"
@ -83,14 +84,14 @@ resource "kubernetes_deployment" "readarr" {
name = "data" name = "data"
nfs { nfs {
path = "/mnt/main/servarr/readarr" path = "/mnt/main/servarr/readarr"
server = "10.0.10.15" server = var.nfs_server
} }
} }
volume { volume {
name = "qbittorrent" name = "qbittorrent"
nfs { nfs {
path = "/mnt/main/servarr/qbittorrent" path = "/mnt/main/servarr/qbittorrent"
server = "10.0.10.15" server = var.nfs_server
} }
} }
} }


@ -1,5 +1,6 @@
variable "tls_secret_name" {} variable "tls_secret_name" {}
variable "tier" { type = string } variable "tier" { type = string }
variable "nfs_server" { type = string }
resource "kubernetes_deployment" "soulseek" { resource "kubernetes_deployment" "soulseek" {
@ -59,14 +60,14 @@ resource "kubernetes_deployment" "soulseek" {
name = "config" name = "config"
nfs { nfs {
path = "/mnt/main/servarr/lidarr" path = "/mnt/main/servarr/lidarr"
server = "10.0.10.15" server = var.nfs_server
} }
} }
volume { volume {
name = "downloads" name = "downloads"
nfs { nfs {
path = "/mnt/main/servarr/lidarr" path = "/mnt/main/servarr/lidarr"
server = "10.0.10.15" server = var.nfs_server
} }
} }
} }
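Review bot: The `downloads` volume in this hunk points at `/mnt/main/servarr/lidarr`, the same export as the `config` volume directly above it, whereas the lidarr, listenarr, prowlarr and qbittorrent sections of this diff all map `downloads` to `/mnt/main/servarr/downloads`. The path is a context line the commit does not touch, but it looks like a copy-paste slip and it means soulseek's download directory lands inside lidarr's config export. If sharing that export is intentional, a one-line comment above the volume block explaining why would stop the next reader from "fixing" it; otherwise the line should read `path = "/mnt/main/servarr/downloads"`. The enclosing kubernetes_deployment starts outside the hunk.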


@ -1,14 +1,5 @@
variable "shadowsocks_password" { type = string } variable "shadowsocks_password" { type = string }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
variable "method" { variable "method" {
default = "chacha20-ietf-poly1305" default = "chacha20-ietf-poly1305"


@ -1,15 +1,8 @@
variable "tls_secret_name" { type = string } variable "tls_secret_name" { type = string }
variable "speedtest_db_password" { type = string } variable "speedtest_db_password" { type = string }
variable "nfs_server" { type = string }
variable "mysql_host" { type = string }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
resource "kubernetes_namespace" "speedtest" { resource "kubernetes_namespace" "speedtest" {
metadata { metadata {
@ -90,7 +83,7 @@ resource "kubernetes_deployment" "speedtest" {
} }
env { env {
name = "DB_HOST" name = "DB_HOST"
value = "mysql.dbaas.svc.cluster.local" value = var.mysql_host
} }
env { env {
name = "DB_DATABASE" name = "DB_DATABASE"
@ -116,7 +109,7 @@ resource "kubernetes_deployment" "speedtest" {
volume { volume {
name = "config" name = "config"
nfs { nfs {
server = "10.0.10.15" server = var.nfs_server
path = "/mnt/main/speedtest" path = "/mnt/main/speedtest"
} }
} }


@ -1,14 +1,6 @@
variable "tls_secret_name" { type = string } variable "tls_secret_name" { type = string }
variable "nfs_server" { type = string }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
resource "kubernetes_namespace" "stirling-pdf" { resource "kubernetes_namespace" "stirling-pdf" {
metadata { metadata {
@ -63,7 +55,7 @@ resource "kubernetes_deployment" "stirling-pdf" {
volume { volume {
name = "configs" name = "configs"
nfs { nfs {
server = "10.0.10.15" server = var.nfs_server
path = "/mnt/main/stirling-pdf" path = "/mnt/main/stirling-pdf"
} }
} }


@ -4,16 +4,10 @@ variable "tandoor_email_password" {
type = string type = string
default = "" default = ""
} }
variable "nfs_server" { type = string }
variable "postgresql_host" { type = string }
variable "mail_host" { type = string }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
resource "kubernetes_namespace" "tandoor" { resource "kubernetes_namespace" "tandoor" {
metadata { metadata {
@ -75,7 +69,7 @@ resource "kubernetes_deployment" "tandoor" {
} }
env { env {
name = "POSTGRES_HOST" name = "POSTGRES_HOST"
value = "postgresql.dbaas.svc.cluster.local" value = var.postgresql_host
} }
env { env {
name = "POSTGRES_PORT" name = "POSTGRES_PORT"
@ -107,7 +101,7 @@ resource "kubernetes_deployment" "tandoor" {
} }
env { env {
name = "EMAIL_HOST" name = "EMAIL_HOST"
value = "mail.viktorbarzin.me" value = var.mail_host
} }
env { env {
name = "EMAIL_HOST_USER" name = "EMAIL_HOST_USER"
@ -148,7 +142,7 @@ resource "kubernetes_deployment" "tandoor" {
name = "data" name = "data"
nfs { nfs {
path = "/mnt/main/tandoor" path = "/mnt/main/tandoor"
server = "10.0.10.15" server = var.nfs_server
} }
} }
} }


@ -1,14 +1,5 @@
variable "tls_secret_name" { type = string } variable "tls_secret_name" { type = string }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
resource "kubernetes_namespace" "tor-proxy" { resource "kubernetes_namespace" "tor-proxy" {
metadata { metadata {


@ -1,14 +1,5 @@
variable "tls_secret_name" { type = string } variable "tls_secret_name" { type = string }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
resource "kubernetes_namespace" "travel-blog" { resource "kubernetes_namespace" "travel-blog" {
metadata { metadata {


@ -4,15 +4,6 @@ variable "tiny_tuya_api_secret" { type = string }
variable "tiny_tuya_service_secret" { type = string } variable "tiny_tuya_service_secret" { type = string }
variable "tiny_tuya_slack_url" { type = string } variable "tiny_tuya_slack_url" { type = string }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
resource "kubernetes_namespace" "tuya-bridge" { resource "kubernetes_namespace" "tuya-bridge" {
metadata { metadata {


@ -2,16 +2,8 @@ variable "tls_secret_name" { type = string }
variable "url_shortener_geolite_license_key" { type = string } variable "url_shortener_geolite_license_key" { type = string }
variable "url_shortener_api_key" { type = string } variable "url_shortener_api_key" { type = string }
variable "url_shortener_mysql_password" { type = string } variable "url_shortener_mysql_password" { type = string }
variable "mysql_host" { type = string }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
## Setup ## Setup
## Need to manually add ## Need to manually add
@ -128,7 +120,7 @@ resource "kubernetes_deployment" "shlink" {
} }
env { env {
name = "DB_HOST" name = "DB_HOST"
value = "mysql.dbaas.svc.cluster.local" value = var.mysql_host
} }
# env { # env {
# name = "DB_USER" # name = "DB_USER"


@ -1,15 +1,7 @@
variable "tls_secret_name" { type = string } variable "tls_secret_name" { type = string }
variable "wealthfolio_password_hash" { type = string } variable "wealthfolio_password_hash" { type = string }
variable "nfs_server" { type = string }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
# To refresh transactions use finance db positions exporters: # To refresh transactions use finance db positions exporters:
# #
@ -100,7 +92,7 @@ resource "kubernetes_deployment" "wealthfolio" {
volume { volume {
name = "data" name = "data"
nfs { nfs {
server = "10.0.10.15" server = var.nfs_server
path = "/mnt/main/wealthfolio" path = "/mnt/main/wealthfolio"
} }
} }


@ -7,15 +7,6 @@ variable "webhook_handler_git_user" { type = string }
variable "webhook_handler_git_token" { type = string } variable "webhook_handler_git_token" { type = string }
variable "webhook_handler_ssh_key" { type = string } variable "webhook_handler_ssh_key" { type = string }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
resource "kubernetes_namespace" "webhook-handler" { resource "kubernetes_namespace" "webhook-handler" {
metadata { metadata {


@ -1,14 +1,6 @@
variable "tls_secret_name" { type = string } variable "tls_secret_name" { type = string }
variable "nfs_server" { type = string }
locals {
tiers = {
core = "0-core"
cluster = "1-cluster"
gpu = "2-gpu"
edge = "3-edge"
aux = "4-aux"
}
}
resource "kubernetes_namespace" "whisper" { resource "kubernetes_namespace" "whisper" {
metadata { metadata {
@ -80,7 +72,7 @@ resource "kubernetes_deployment" "whisper" {
volume { volume {
name = "data" name = "data"
nfs { nfs {
server = "10.0.10.15" server = var.nfs_server
path = "/mnt/main/whisper" path = "/mnt/main/whisper"
} }
} }
@ -190,7 +182,7 @@ resource "kubernetes_deployment" "piper" {
volume { volume {
name = "data" name = "data"
nfs { nfs {
server = "10.0.10.15" server = var.nfs_server
path = "/mnt/main/whisper" path = "/mnt/main/whisper"
} }
} }
