viktor/infra
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

add tier to all deployments [ci skip]

Browse source
This commit is contained in:
Viktor Barzin 2026-01-10 16:28:12 +00:00
parent 20cd480988
commit 8abb8eddc0
No known key found for this signature in database
GPG key ID: 4056458DBDBF8863
95 changed files with 794 additions and 118 deletions
Download patch file Download diff file Expand all files Collapse all files

4
modules/kubernetes/actualbudget/factory/main.tf
View file

@ -3,13 +3,15 @@ variable "name" {}
variable "tag" {
default = "latest"
}
variable "tier" { type = string }
resource "kubernetes_deployment" "actualbudget" {
metadata {
name = "actualbudget-${var.name}"
namespace = "actualbudget"
labels = {
app = "actualbudget-${var.name}"
app = "actualbudget-${var.name}"
tier = var.tier
}
annotations = {
"reloader.stakater.com/search" = "true"

3
modules/kubernetes/actualbudget/main.tf
View file

@ -1,4 +1,5 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
# To create a new deployment:
/**
@ -30,6 +31,7 @@ module "viktor" {
tag = "edge"
tls_secret_name = var.tls_secret_name
depends_on = [kubernetes_namespace.actualbudget]
tier = var.tier
}
# https://budget-anca.viktorbarzin.me/
@ -39,4 +41,5 @@ module "anca" {
tag = "edge"
tls_secret_name = var.tls_secret_name
depends_on = [kubernetes_namespace.actualbudget]
tier = var.tier
}

4
modules/kubernetes/audiobookshelf/main.tf
View file

@ -1,4 +1,5 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
resource "kubernetes_namespace" "audiobookshelf" {
metadata {
@ -20,7 +21,8 @@ resource "kubernetes_deployment" "audiobookshelf" {
name = "audiobookshelf"
namespace = kubernetes_namespace.audiobookshelf.metadata[0].name
labels = {
app = "audiobookshelf"
app = "audiobookshelf"
tier = var.tier
}
annotations = {
"reloader.stakater.com/search" = "true"

4
modules/kubernetes/authentik/main.tf
View file

@ -1,6 +1,7 @@
variable "tls_secret_name" {}
variable "secret_key" {}
variable "postgres_password" {}
variable "tier" { type = string }
module "tls_secret" {
@ -12,6 +13,9 @@ module "tls_secret" {
resource "kubernetes_namespace" "authentik" {
metadata {
name = "authentik"
labels = {
tier = var.tier
}
}
}

3
modules/kubernetes/authentik/pgbouncer.tf
View file

@ -29,7 +29,8 @@ resource "kubernetes_deployment" "pgbouncer" {
name = "pgbouncer"
namespace = "authentik"
labels = {
app = "pgbouncer"
app = "pgbouncer"
tier = var.tier
}
}

4
modules/kubernetes/blog/main.tf
View file

@ -1,4 +1,5 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
# variable "dockerhub_password" {}
resource "kubernetes_namespace" "website" {
@ -27,7 +28,8 @@ resource "kubernetes_deployment" "blog" {
name = "blog"
namespace = kubernetes_namespace.website.metadata[0].name
labels = {
run = "blog"
run = "blog"
tier = var.tier
}
}
spec {

7
modules/kubernetes/calibre/main.tf
View file

@ -1,4 +1,5 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
variable "homepage_username" {
default = ""
}
@ -99,7 +100,8 @@ resource "kubernetes_deployment" "calibre-web-automated" {
name = "calibre-web-automated"
namespace = kubernetes_namespace.calibre.metadata[0].name
labels = {
app = "calibre-web-automated"
app = "calibre-web-automated"
tier = var.tier
}
annotations = {
"reloader.stakater.com/search" = "true"
@ -250,7 +252,8 @@ resource "kubernetes_deployment" "annas-archive-stacks" {
name = "annas-archive-stacks"
namespace = kubernetes_namespace.calibre.metadata[0].name
labels = {
app = "annas-archive-stacks"
app = "annas-archive-stacks"
tier = var.tier
}
}
spec {

4
modules/kubernetes/changedetection/main.tf
View file

@ -1,4 +1,5 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
resource "kubernetes_namespace" "changedetection" {
metadata {
@ -20,7 +21,8 @@ resource "kubernetes_deployment" "changedetection" {
name = "changedetection"
namespace = kubernetes_namespace.changedetection.metadata[0].name
labels = {
app = "changedetection"
app = "changedetection"
tier = var.tier
}
}
spec {

11
modules/kubernetes/city-guesser/main.tf
View file

@ -1,5 +1,5 @@
variable "tls_secret_name" {}
# variable "dockerhub_password" {}
variable "tier" { type = string }
resource "kubernetes_namespace" "city-guesser" {
metadata {
@ -16,18 +16,13 @@ module "tls_secret" {
tls_secret_name = var.tls_secret_name
}
# module "dockerhub_creds" {
# source = "../dockerhub_secret"
# namespace = "website"
# password = var.dockerhub_password
# }
resource "kubernetes_deployment" "city-guesser" {
metadata {
name = "city-guesser"
namespace = "city-guesser"
labels = {
run = "city-guesser"
run = "city-guesser"
tier = var.tier
}
}
spec {

4
modules/kubernetes/cloudflared/main.tf
View file

@ -7,6 +7,7 @@ resource "kubernetes_namespace" "cloudflared" {
name = "cloudflared"
}
}
variable "tier" { type = string }
module "tls_secret" {
source = "../setup_tls_secret"
@ -19,7 +20,8 @@ resource "kubernetes_deployment" "cloudflared" {
name = "cloudflared"
namespace = kubernetes_namespace.cloudflared.metadata[0].name
labels = {
app = "cloudflared"
app = "cloudflared"
tier = var.tier
}
annotations = {
"reloader.stakater.com/search" = "true"

5
modules/kubernetes/crowdsec/main.tf
View file

@ -6,6 +6,7 @@ variable "enroll_key" {}
variable "crowdsec_dash_api_key" { type = string } # used for web dash
variable "crowdsec_dash_machine_id" { type = string } # used for web dash
variable "crowdsec_dash_machine_password" { type = string } # used for web dash
variable "tier" { type = string }
module "tls_secret" {
source = "../setup_tls_secret"
@ -16,6 +17,9 @@ module "tls_secret" {
resource "kubernetes_namespace" "crowdsec" {
metadata {
name = "crowdsec"
labels = {
tier = var.tier
}
}
}
@ -84,6 +88,7 @@ resource "kubernetes_deployment" "crowdsec-web" {
labels = {
app = "crowdsec_web"
"kubernetes.io/cluster-service" = "true"
tier = var.tier
}
}
spec {

4
modules/kubernetes/cyberchef/main.tf
View file

@ -1,4 +1,5 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
resource "kubernetes_namespace" "cyberchef" {
metadata {
name = "cyberchef"
@ -16,7 +17,8 @@ resource "kubernetes_deployment" "cyberchef" {
name = "cyberchef"
namespace = kubernetes_namespace.cyberchef.metadata[0].name
labels = {
app = "cyberchef"
app = "cyberchef"
tier = var.tier
}
annotations = {
"reloader.stakater.com/search" = "true"

4
modules/kubernetes/dashy/main.tf
View file

@ -1,5 +1,6 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
module "tls_secret" {
source = "../setup_tls_secret"
@ -36,7 +37,8 @@ resource "kubernetes_deployment" "dashy" {
name = "dashy"
namespace = kubernetes_namespace.dashy.metadata[0].name
labels = {
app = "dashy"
app = "dashy"
tier = var.tier
}
annotations = {
"reloader.stakater.com/search" = "true"

4
modules/kubernetes/dawarich/main.tf
View file

@ -1,4 +1,5 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
variable "database_password" {}
variable "geoapify_api_key" {}
variable "image_version" {
@ -26,7 +27,8 @@ resource "kubernetes_deployment" "dawarich" {
name = "dawarich"
namespace = kubernetes_namespace.dawarich.metadata[0].name
labels = {
app = "dawarich"
app = "dawarich"
tier = var.tier
}
annotations = {
"reloader.stakater.com/search" = "true"

11
modules/kubernetes/dbaas/main.tf
View file

@ -1,5 +1,6 @@
# DB as a service. Installs MySQL operator
variable "tls_secret_name" {}
variable "tier" { type = string }
variable "dbaas_root_password" {}
variable "cluster_master_service" {
default = "mysql"
@ -99,6 +100,9 @@ resource "kubernetes_deployment" "mysql" {
annotations = {
"reloader.stakater.com/search" = "true"
}
labels = {
tier = var.tier
}
}
spec {
replicas = 1
@ -358,6 +362,7 @@ resource "kubernetes_deployment" "phpmyadmin" {
namespace = kubernetes_namespace.dbaas.metadata[0].name
labels = {
"app" = "phpmyadmin"
tier = var.tier
}
annotations = {
@ -684,6 +689,9 @@ resource "kubernetes_deployment" "postgres" {
annotations = {
"reloader.stakater.com/search" = "true"
}
labels = {
tier = var.tier
}
}
spec {
selector {
@ -777,6 +785,9 @@ resource "kubernetes_deployment" "pgadmin" {
annotations = {
"reloader.stakater.com/search" = "true"
}
labels = {
tier = var.tier
}
}
spec {
selector {

2
modules/kubernetes/descheduler/main.tf
View file

@ -74,7 +74,7 @@ resource "kubernetes_cluster_role_binding" "descheduler" {
}
}
resource "helm_release" "prometheus" {
resource "helm_release" "descheduler" { # rename me
namespace = kubernetes_namespace.descheduler.metadata[0].name
name = "descheduler"

4
modules/kubernetes/diun/main.tf
View file

@ -1,4 +1,5 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
variable "diun_nfty_token" {}
variable "diun_slack_url" {}
@ -56,7 +57,8 @@ resource "kubernetes_deployment" "diun" {
name = "diun"
namespace = kubernetes_namespace.diun.metadata[0].name
labels = {
app = "diun"
app = "diun"
tier = var.tier
}
annotations = {
"reloader.stakater.com/search" = "true"

10
modules/kubernetes/drone/main.tf
View file

@ -1,4 +1,5 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
variable "github_client_id" {}
variable "github_client_secret" {}
variable "rpc_secret" {}
@ -43,7 +44,8 @@ resource "kubernetes_deployment" "drone_server" {
name = "drone-server"
namespace = kubernetes_namespace.drone.metadata[0].name
labels = {
app = "drone"
app = "drone"
tier = var.tier
}
}
spec {
@ -211,7 +213,8 @@ resource "kubernetes_deployment" "drone_runner" {
name = "drone-runner"
namespace = kubernetes_namespace.drone.metadata[0].name
labels = {
app = "drone-runner"
app = "drone-runner"
tier = var.tier
}
}
spec {
@ -286,7 +289,8 @@ resource "kubernetes_deployment" "drone_runner_secret" {
name = "drone-runner-secret"
namespace = kubernetes_namespace.drone.metadata[0].name
labels = {
app = "drone-runner-secret"
app = "drone-runner-secret"
tier = var.tier
}
}
spec {

4
modules/kubernetes/ebook2audiobook/main.tf
View file

@ -1,5 +1,6 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
module "tls_secret" {
source = "../setup_tls_secret"
@ -235,7 +236,8 @@ resource "kubernetes_deployment" "audiblez" {
name = "audiblez"
namespace = kubernetes_namespace.ebook2audiobook.metadata[0].name
labels = {
app = "audiblez"
app = "audiblez"
tier = var.tier
}
}
spec {

4
modules/kubernetes/echo/main.tf
View file

@ -1,4 +1,5 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
resource "kubernetes_namespace" "echo" {
metadata {
@ -20,7 +21,8 @@ resource "kubernetes_deployment" "echo" {
name = "echo"
namespace = kubernetes_namespace.echo.metadata[0].name
labels = {
app = "echo"
app = "echo"
tier = var.tier
}
}
spec {

4
modules/kubernetes/excalidraw/main.tf
View file

@ -1,4 +1,5 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
resource "kubernetes_namespace" "excalidraw" {
metadata {
@ -21,7 +22,8 @@ resource "kubernetes_deployment" "excalidraw" {
name = "excalidraw"
namespace = kubernetes_namespace.excalidraw.metadata[0].name
labels = {
app = "excalidraw"
app = "excalidraw"
tier = var.tier
}
}
spec {

4
modules/kubernetes/f1-stream/main.tf
View file

@ -1,4 +1,5 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
resource "kubernetes_namespace" "f1-stream" {
metadata {
@ -14,7 +15,8 @@ resource "kubernetes_deployment" "f1-stream" {
name = "f1-stream"
namespace = kubernetes_namespace.f1-stream.metadata[0].name
labels = {
app = "f1-stream"
app = "f1-stream"
tier = var.tier
}
}
spec {

4
modules/kubernetes/forgejo/main.tf
View file

@ -1,4 +1,5 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
resource "kubernetes_namespace" "forgejo" {
metadata {
@ -20,7 +21,8 @@ resource "kubernetes_deployment" "forgejo" {
name = "forgejo"
namespace = kubernetes_namespace.forgejo.metadata[0].name
labels = {
app = "forgejo"
app = "forgejo"
tier = var.tier
}
}
spec {

2
modules/kubernetes/freshrss/main.tf
View file

@ -1,4 +1,5 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
module "tls_secret" {
source = "../setup_tls_secret"
@ -20,6 +21,7 @@ resource "kubernetes_deployment" "freshrss" {
labels = {
app = "freshrss"
"kubernetes.io/cluster-service" = "true"
tier = var.tier
}
}
spec {

4
modules/kubernetes/frigate/main.tf
View file

@ -1,4 +1,5 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
resource "kubernetes_namespace" "frigate" {
metadata {
@ -20,7 +21,8 @@ resource "kubernetes_deployment" "frigate" {
name = "frigate"
namespace = kubernetes_namespace.frigate.metadata[0].name
labels = {
app = "frigate"
app = "frigate"
tier = var.tier
}
annotations = {
"reloader.stakater.com/search" = "true"

2
modules/kubernetes/hackmd/main.tf
View file

@ -1,4 +1,5 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
variable "hackmd_db_password" {}
resource "kubernetes_namespace" "hackmd" {
@ -23,6 +24,7 @@ resource "kubernetes_deployment" "hackmd" {
labels = {
app = "hackmd"
"kubernetes.io/cluster-service" = "true"
tier = var.tier
}
}
spec {

4
modules/kubernetes/headscale/main.tf
View file

@ -1,5 +1,6 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
variable "headscale_config" {}
variable "headscale_acl" {}
@ -20,7 +21,8 @@ resource "kubernetes_deployment" "headscale" {
name = "headscale"
namespace = kubernetes_namespace.headscale.metadata[0].name
labels = {
app = "headscale"
app = "headscale"
tier = var.tier
# scare to try but probably non-http will fail
# "istio-injection" : "enabled"
}

3
modules/kubernetes/homepage/main.tf
View file

@ -1,5 +1,5 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
module "tls_secret" {
source = "../setup_tls_secret"
@ -12,6 +12,7 @@ resource "kubernetes_namespace" "homepage" {
name = "homepage"
labels = {
"istio-injection" : "disabled"
tier = var.tier
}
}
}

3
modules/kubernetes/immich/frame.tf
View file

@ -41,6 +41,9 @@ resource "kubernetes_deployment" "immich-frame" {
annotations = {
"reloader.stakater.com/search" = "true"
}
labels = {
tier = var.tier
}
}
spec {

10
modules/kubernetes/immich/main.tf
View file

@ -1,4 +1,5 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
variable "postgresql_password" {}
variable "homepage_token" {}
variable "immich_version" {
@ -26,7 +27,8 @@ resource "kubernetes_deployment" "immich_server" {
namespace = kubernetes_namespace.immich.metadata[0].name
labels = {
app = "immich-server"
app = "immich-server"
tier = var.tier
}
}
@ -235,6 +237,9 @@ resource "kubernetes_deployment" "immich-postgres" {
metadata {
name = "immich-postgresql"
namespace = kubernetes_namespace.immich.metadata[0].name
labels = {
tier = var.tier
}
}
spec {
replicas = 1
@ -334,6 +339,9 @@ resource "kubernetes_deployment" "immich-machine-learning" {
metadata {
name = "immich-machine-learning"
namespace = kubernetes_namespace.immich.metadata[0].name
labels = {
tier = var.tier
}
}
spec {
replicas = 1

4
modules/kubernetes/isponsorblocktv/main.tf
View file

@ -1,4 +1,5 @@
# https://github.com/dmunozv04/iSponsorBlockTV
variable "tier" { type = string }
resource "kubernetes_namespace" "isponsorblocktv" {
metadata {
@ -17,7 +18,8 @@ resource "kubernetes_deployment" "isponsorblocktv-vermont" {
name = "isponsorblocktv-vermont"
namespace = kubernetes_namespace.isponsorblocktv.metadata[0].name
labels = {
app = "isponsorblocktv-vermont"
app = "isponsorblocktv-vermont"
tier = var.tier
}
}
spec {

4
modules/kubernetes/jsoncrack/main.tf
View file

@ -1,4 +1,5 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
resource "kubernetes_namespace" "jsoncrack" {
metadata {
@ -19,7 +20,8 @@ resource "kubernetes_deployment" "jsoncrack" {
name = "jsoncrack"
namespace = kubernetes_namespace.jsoncrack.metadata[0].name
labels = {
app = "jsoncrack"
app = "jsoncrack"
tier = var.tier
}
}
spec {

2
modules/kubernetes/k8s-dashboard/main.tf
View file

@ -1,5 +1,6 @@
variable "tls_secret_name" {}
variable "client_certificate_secret_name" {}
variable "tier" { type = string }
resource "random_password" "csrf_token" {
length = 16
@ -25,6 +26,7 @@ resource "kubernetes_namespace" "k8s-dashboard" {
name = "kubernetes-dashboard"
labels = {
"istio-injection" : "disabled"
tier = var.tier
}
}
}

155
modules/kubernetes/keyserver/deploy_keyserver.yaml Normal file
View file

@ -0,0 +1,155 @@
# @nocommit: job to periodically update the certs
---
- name: Deploy Nginx-based key server for TrueNAS unlock
hosts: keyserver
become: true
vars:
server_name: "keyserver.viktorbarzin.me"
key_filename: "truenas.key"
htpasswd_user: "truenas"
htpasswd_password: "3RgTvqHWeiae7drCUBGyj6XZSIP" # replace with vault
ssl_cert_path: "/etc/ssl/certs/keyserver.crt"
ssl_key_path: "/etc/ssl/private/keyserver.key"
local_ssl_cert: "../../../secrets/fullchain.pem" # LOCAL path
local_ssl_key: "../../../secrets/privkey.pem" # LOCAL path
tasks:
- name: Install packages
apt:
name:
- nginx
- apache2-utils
- python3-passlib
state: present
update_cache: yes
- name: Create basic-auth file
community.general.htpasswd:
path: /etc/nginx/.htpasswd
name: "{{ htpasswd_user }}"
password: "{{ htpasswd_password }}"
crypt_scheme: bcrypt
- name: Create key directory
file:
path: /srv/keys
state: directory
owner: root
group: root
mode: '0755'
- name: Create key file if it doesn't exist
command: "head -c 128 /dev/urandom > /srv/keys/{{ key_filename }}"
args:
creates: "/srv/keys/{{ key_filename }}"
- name: Set key file permissions
file:
path: "/srv/keys/{{ key_filename }}"
owner: www-data
group: www-data
mode: '0640'
- name: Enable info logging in nginx.conf
lineinfile:
path: /etc/nginx/nginx.conf
regexp: '^(\s*)error_log'
line: ' error_log /var/log/nginx/error.log info;'
insertafter: 'http {'
notify: reload nginx
- name: Ensure rate limit config exists
copy:
dest: /etc/nginx/conf.d/ratelimit.conf
content: |
limit_req_zone $binary_remote_addr zone=authfail:10m rate=5r/m;
notify: reload nginx
- name: Deploy keyserver nginx site
copy:
dest: /etc/nginx/sites-available/keyserver.conf
content: |
server {
listen 443 ssl;
server_name {{ server_name }};
ssl_certificate {{ ssl_cert_path }};
ssl_certificate_key {{ ssl_key_path }};
ssl_protocols TLSv1.2 TLSv1.3;
ssl_prefer_server_ciphers on;
limit_req zone=authfail burst=2 nodelay;
location /keys/ {
alias /srv/keys/;
auth_basic "Restricted";
auth_basic_user_file /etc/nginx/.htpasswd;
autoindex off;
add_header Cache-Control "no-store, no-cache, must-revalidate, max-age=0" always;
}
}
notify: reload nginx
- name: Enable keyserver site
file:
src: /etc/nginx/sites-available/keyserver.conf
dest: /etc/nginx/sites-enabled/keyserver.conf
state: link
notify: reload nginx
- name: Remove default site
file:
path: /etc/nginx/sites-enabled/default
state: absent
notify: reload nginx
- name: Copy SSL certificate to server
copy:
src: "{{ local_ssl_cert }}"
dest: "{{ ssl_cert_path }}"
owner: root
group: root
mode: '0644'
notify: reload nginx
- name: Copy SSL private key to server
copy:
src: "{{ local_ssl_key }}"
dest: "{{ ssl_key_path }}"
owner: root
group: root
mode: '0644'
notify: reload nginx
# - name: Create self-signed SSL certificate if missing
# command: >
# openssl req -x509 -newkey rsa:2048 -nodes
# -keyout {{ ssl_key_path }}
# -out {{ ssl_cert_path }}
# -days 365
# -subj "/CN={{ server_name }}"
# args:
# creates: "{{ ssl_cert_path }}"
notify: reload nginx
- name: Test nginx config
command: nginx -t
register: nginx_test
failed_when: "'successful' not in nginx_test.stderr"
- name: Ensure nginx is running
service:
name: nginx
state: started
enabled: true
handlers:
- name: reload nginx
service:
name: nginx
state: reloaded

5
modules/kubernetes/kms/main.tf
View file

@ -1,4 +1,5 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
resource "kubernetes_namespace" "kms" {
metadata {
@ -32,6 +33,7 @@ resource "kubernetes_deployment" "kms-web-page" {
labels = {
"app" = "kms-web-page"
"kubernetes.io/cluster-service" = "true"
tier = var.tier
}
}
spec {
@ -121,7 +123,8 @@ resource "kubernetes_deployment" "windows_kms" {
name = "kms"
namespace = kubernetes_namespace.kms.metadata[0].name
labels = {
app = "kms-service"
app = "kms-service"
tier = var.tier
}
}
spec {

120
modules/kubernetes/kyverno/main.tf Normal file
View file

@ -0,0 +1,120 @@
resource "kubernetes_namespace" "kyverno" {
metadata {
name = "kyverno"
labels = {
"istio-injection" : "disabled"
}
}
}
resource "helm_release" "kyverno" {
namespace = kubernetes_namespace.kyverno.metadata[0].name
create_namespace = false
name = "kyverno"
atomic = true
repository = "https://kyverno.github.io/kyverno/"
chart = "kyverno"
# values = [templatefile("${path.module}/grafana_chart_values.yaml", { db_password = var.grafana_db_password })]
}
# To unlabel all:
# kubectl label deployment,statefulset,daemonset --all-namespaces -l tier tier-
resource "kubernetes_manifest" "mutate_tier_from_namespace" {
manifest = {
apiVersion = "kyverno.io/v1"
kind = "ClusterPolicy"
metadata = {
name = "sync-tier-label-from-namespace"
}
spec = {
rules = [
{
name = "lookup-and-add-tier"
match = {
any = [
{
resources = {
kinds = ["Deployment", "StatefulSet", "DaemonSet"]
}
}
]
}
exclude = {
any = [
{
resources = {
namespaces = ["kube-system", "metallb-system", "n8n"]
}
}
]
}
# Context allows us to perform an API call to get Namespace metadata
context = [
{
name = "namespaceLabel"
apiCall = {
urlPath = "/api/v1/namespaces/{{request.namespace}}"
jmesPath = "metadata.labels.tier || 'default'"
}
}
]
mutate = {
patchStrategicMerge = {
metadata = {
labels = {
# Injects the variable discovered in the context above
"+(tier)" = "{{namespaceLabel}}"
}
}
}
}
}
]
}
}
}
# resource "kubernetes_manifest" "enforce_pod_tier_label" {
# manifest = {
# apiVersion = "kyverno.io/v1"
# kind = "ClusterPolicy"
# metadata = {
# name = "enforce-pod-tier-label"
# annotations = {
# "policies.kyverno.io/description" = "Rejects any pod that does not have a tier label."
# }
# }
# spec = {
# # 'Enforce' blocks the creation. 'Audit' just reports it.
# validationFailureAction = "Enforce"
# background = true
# rules = [
# {
# name = "check-for-tier-label"
# match = {
# any = [
# {
# resources = {
# kinds = ["Pod"]
# }
# }
# ]
# }
# validate = {
# message = "The label 'tier' is required for all pods in this cluster."
# pattern = {
# metadata = {
# labels = {
# "tier" = "?*" # The "?*" syntax means the value must not be empty
# }
# }
# }
# }
# }
# ]
# }
# }
# }

4
modules/kubernetes/linkwarden/main.tf
View file

@ -1,4 +1,5 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
variable "postgresql_password" {}
variable "authentik_client_id" {}
variable "authentik_client_secret" {}
@ -26,7 +27,8 @@ resource "kubernetes_deployment" "linkwarden" {
name = "linkwarden"
namespace = kubernetes_namespace.linkwarden.metadata[0].name
labels = {
app = "linkwarden"
app = "linkwarden"
tier = var.tier
}
annotations = {
"reloader.stakater.com/search" = "true"

3
modules/kubernetes/mailserver/main.tf
View file

@ -1,4 +1,5 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
variable "mailserver_accounts" {}
variable "postfix_account_aliases" {}
variable "opendkim_key" {}
@ -134,6 +135,7 @@ resource "kubernetes_deployment" "mailserver" {
namespace = kubernetes_namespace.mailserver.metadata[0].name
labels = {
"app" = "mailserver"
tier = var.tier
}
annotations = {
"reloader.stakater.com/search" = "true"
@ -157,7 +159,6 @@ resource "kubernetes_deployment" "mailserver" {
labels = {
"app" = "mailserver"
"role" = "mail"
"tier" = "backend"
}
}
spec {

1
modules/kubernetes/mailserver/roundcubemail.tf
View file

@ -32,6 +32,7 @@ resource "kubernetes_deployment" "roundcubemail" {
namespace = "mailserver"
labels = {
"app" = "roundcubemail"
tier = var.tier
}
annotations = {
"reloader.stakater.com/search" = "true"

100
modules/kubernetes/main.tf
View file

@ -124,7 +124,7 @@ variable "defcon_level" {
locals {
defcon_modules = {
1 : ["wireguard", "technitium", "headscale", "nginx-ingress", "xray", "authentik", "cloudflare", "authelia", "monitoring"], # Critical connectivity services
2 : ["vaultwarden", "redis", "immich", "nvidia", "metrics-server", "uptime-kuma", "crowdsec"], # Storage and other db services
2 : ["vaultwarden", "redis", "immich", "nvidia", "metrics-server", "uptime-kuma", "crowdsec", "kyverno"], # Storage and other db services
3 : ["k8s-dashboard", "reverse-proxy"], # Cluster admin services
4 : [
"mailserver", "shadowsocks", "webhook_handler", "tuya-bridge", "dawarich", "owntracks", "nextcloud",
@ -143,6 +143,14 @@ locals {
for level in range(1, var.defcon_level + 1) : # From current level to 5
lookup(local.defcon_modules, level, [])
]))
tiers = {
core = "0-core" # Bare minimum cluster primitives
cluster = "1-cluster" # All cluster primitives
gpu = "2-gpu" # GPU services
edge = "3-edge" # Critical user services
aux = "4-aux" # Optional user services
}
}
resource "null_resource" "core_services" {
@ -159,6 +167,7 @@ module "blog" {
source = "./blog"
tls_secret_name = var.tls_secret_name
# dockerhub_password = var.dockerhub_password
tier = local.tiers.aux
depends_on = [null_resource.core_services]
}
@ -177,6 +186,7 @@ module "dbaas" {
dbaas_root_password = var.dbaas_root_password
postgresql_root_password = var.dbaas_postgresql_root_password
pgadmin_password = var.dbaas_pgadmin_password
tier = local.tiers.core
}
module "descheduler" {
@ -200,6 +210,7 @@ module "drone" {
rpc_secret = var.drone_rpc_secret
server_host = "drone.viktorbarzin.me"
server_proto = "https"
tier = local.tiers.edge
depends_on = [null_resource.core_services]
}
@ -208,6 +219,7 @@ module "f1-stream" {
source = "./f1-stream"
for_each = contains(local.active_modules, "f1-stream") ? { f1-stream = true } : {}
tls_secret_name = var.tls_secret_name
tier = local.tiers.aux
depends_on = [null_resource.core_services]
}
@ -217,6 +229,7 @@ module "hackmd" {
for_each = contains(local.active_modules, "hackmd") ? { hackmd = true } : {}
hackmd_db_password = var.hackmd_db_password
tls_secret_name = var.tls_secret_name
tier = local.tiers.edge
depends_on = [null_resource.core_services]
}
@ -231,12 +244,14 @@ module "kms" {
source = "./kms"
for_each = contains(local.active_modules, "kms") ? { kms = true } : {}
tls_secret_name = var.tls_secret_name
tier = local.tiers.aux
depends_on = [null_resource.core_services]
}
module "k8s-dashboard" {
source = "./k8s-dashboard"
tier = local.tiers.cluster
for_each = contains(local.active_modules, "k8s-dashboard") ? { k8s-dashboard = true } : {}
tls_secret_name = var.tls_secret_name
client_certificate_secret_name = var.client_certificate_secret_name
@ -253,12 +268,14 @@ module "mailserver" {
opendkim_key = var.mailserver_opendkim_key
sasl_passwd = var.mailserver_sasl_passwd
roundcube_db_password = var.mailserver_roundcubemail_db_password
tier = local.tiers.edge
depends_on = [null_resource.core_services]
}
module "metallb" {
source = "./metallb"
tier = local.tiers.core
}
module "monitoring" {
@ -273,6 +290,7 @@ module "monitoring" {
haos_api_token = var.haos_api_token
pve_password = var.pve_password
grafana_db_password = var.grafana_db_password
tier = local.tiers.cluster
}
# module "oauth" {
@ -305,21 +323,24 @@ module "privatebin" {
source = "./privatebin"
for_each = contains(local.active_modules, "privatebin") ? { privatebin = true } : {}
tls_secret_name = var.tls_secret_name
tier = local.tiers.edge
depends_on = [null_resource.core_services]
}
module "vault" {
source = "./vault"
for_each = contains(local.active_modules, "vault") ? { vault = true } : {}
tls_secret_name = var.tls_secret_name
# module "vault" {
# source = "./vault"
# tier = local.tiers.edge
# for_each = contains(local.active_modules, "vault") ? { vault = true } : {}
# tls_secret_name = var.tls_secret_name
depends_on = [null_resource.core_services]
}
# depends_on = [null_resource.core_services]
# }
module "reloader" {
source = "./reloader"
for_each = contains(local.active_modules, "reloader") ? { reloader = true } : {}
tier = local.tiers.aux
depends_on = [null_resource.core_services]
}
@ -328,6 +349,7 @@ module "shadowsocks" {
source = "./shadowsocks"
for_each = contains(local.active_modules, "shadowsocks") ? { shadowsocks = true } : {}
password = var.shadowsocks_password
tier = local.tiers.edge
depends_on = [null_resource.core_services]
}
@ -336,6 +358,7 @@ module "city-guesser" {
source = "./city-guesser"
for_each = contains(local.active_modules, "city-guesser") ? { city-guesser = true } : {}
tls_secret_name = var.tls_secret_name
tier = local.tiers.aux
depends_on = [null_resource.core_services]
}
@ -344,6 +367,7 @@ module "echo" {
for_each = contains(local.active_modules, "echo") ? { echo = true } : {}
tls_secret_name = var.tls_secret_name
depends_on = [null_resource.core_services]
tier = local.tiers.edge
}
module "url" {
@ -353,6 +377,7 @@ module "url" {
geolite_license_key = var.url_shortener_geolite_license_key
api_key = var.url_shortener_api_key
mysql_password = var.url_shortener_mysql_password
tier = local.tiers.aux
depends_on = [null_resource.core_services]
}
@ -368,6 +393,7 @@ module "webhook_handler" {
git_user = var.webhook_handler_git_user
git_token = var.webhook_handler_git_token
ssh_key = var.webhook_handler_ssh_key
tier = local.tiers.aux
depends_on = [null_resource.core_services]
}
@ -379,6 +405,7 @@ module "wireguard" {
wg_0_conf = var.wireguard_wg_0_conf
wg_0_key = var.wireguard_wg_0_key
firewall_sh = var.wireguard_firewall_sh
tier = local.tiers.cluster
depends_on = [null_resource.core_services]
}
@ -404,6 +431,7 @@ module "excalidraw" {
source = "./excalidraw"
for_each = contains(local.active_modules, "excalidraw") ? { excalidraw = true } : {}
tls_secret_name = var.tls_secret_name
tier = local.tiers.aux
depends_on = [null_resource.core_services]
}
@ -420,6 +448,7 @@ module "travel_blog" {
source = "./travel_blog"
for_each = contains(local.active_modules, "travel_blog") ? { travel_blog = true } : {}
tls_secret_name = var.tls_secret_name
tier = local.tiers.aux
depends_on = [null_resource.core_services]
}
@ -429,6 +458,7 @@ module "technitium" {
for_each = contains(local.active_modules, "technitium") ? { technitium = true } : {}
tls_secret_name = var.tls_secret_name
homepage_token = var.homepage_credentials["technitium"]["token"]
tier = local.tiers.core
}
module "headscale" {
@ -437,6 +467,7 @@ module "headscale" {
tls_secret_name = var.tls_secret_name
headscale_config = var.headscale_config
headscale_acl = var.headscale_acl
tier = local.tiers.core
depends_on = [null_resource.core_services]
}
@ -445,6 +476,7 @@ module "dashy" {
source = "./dashy"
for_each = contains(local.active_modules, "dashy") ? { dashy = true } : {}
tls_secret_name = var.tls_secret_name
tier = local.tiers.aux
depends_on = [null_resource.core_services]
}
@ -459,6 +491,7 @@ module "vaultwarden" {
for_each = contains(local.active_modules, "vaultwarden") ? { vaultwarden = true } : {}
tls_secret_name = var.tls_secret_name
smtp_password = var.vaultwarden_smtp_password
tier = local.tiers.edge
}
module "reverse-proxy" {
@ -474,6 +507,7 @@ module "send" {
source = "./send"
for_each = contains(local.active_modules, "send") ? { send = true } : {}
tls_secret_name = var.tls_secret_name
tier = local.tiers.aux
depends_on = [null_resource.core_services]
}
@ -482,12 +516,14 @@ module "redis" {
source = "./redis"
for_each = contains(local.active_modules, "redis") ? { redis = true } : {}
tls_secret_name = var.tls_secret_name
tier = local.tiers.core
}
module "ytdlp" {
source = "./youtube_dl"
for_each = contains(local.active_modules, "ytdlp") ? { ytdlp = true } : {}
tls_secret_name = var.tls_secret_name
tier = local.tiers.aux
depends_on = [null_resource.core_services]
}
@ -499,12 +535,14 @@ module "immich" {
postgresql_password = var.immich_postgresql_password
frame_api_key = var.immich_frame_api_key
homepage_token = var.homepage_credentials["immich"]["token"]
tier = local.tiers.gpu
depends_on = [null_resource.core_services]
}
module "nginx-ingress" {
source = "./nginx-ingress"
tier = local.tiers.core
for_each = contains(local.active_modules, "nginx-ingress") ? { nginx-ingress = true } : {}
honeypotapikey = var.ingress_honeypotapikey
crowdsec_api_key = var.ingress_crowdsec_api_key
@ -514,6 +552,7 @@ module "nginx-ingress" {
module "crowdsec" {
source = "./crowdsec"
tier = local.tiers.cluster
for_each = contains(local.active_modules, "crowdsec") ? { crowdsec = true } : {}
tls_secret_name = var.tls_secret_name
homepage_username = var.homepage_credentials["crowdsec"]["username"]
@ -537,6 +576,7 @@ module "uptime-kuma" {
source = "./uptime-kuma"
for_each = contains(local.active_modules, "uptime-kuma") ? { uptime-kuma = true } : {}
tls_secret_name = var.tls_secret_name
tier = local.tiers.cluster
depends_on = [null_resource.core_services]
}
@ -547,6 +587,7 @@ module "calibre" {
tls_secret_name = var.tls_secret_name
homepage_username = var.homepage_credentials["calibre-web"]["username"]
homepage_password = var.homepage_credentials["calibre-web"]["password"]
tier = local.tiers.edge
depends_on = [null_resource.core_services]
}
@ -561,6 +602,7 @@ module "audiobookshelf" {
source = "./audiobookshelf"
for_each = contains(local.active_modules, "audiobookshelf") ? { audiobookshelf = true } : {}
tls_secret_name = var.tls_secret_name
tier = local.tiers.aux
depends_on = [null_resource.core_services]
}
@ -569,6 +611,7 @@ module "frigate" {
source = "./frigate"
for_each = contains(local.active_modules, "frigate") ? { frigate = true } : {}
tls_secret_name = var.tls_secret_name
tier = local.tiers.gpu
depends_on = [null_resource.core_services]
}
@ -582,6 +625,7 @@ module "frigate" {
module "cloudflared" {
source = "./cloudflared"
tier = local.tiers.core
# for_each = contains(local.active_modules, "cloudflared") ? { cloudflared = true } : {}
tls_secret_name = var.tls_secret_name
@ -616,6 +660,7 @@ module "cloudflared" {
module "metrics-server" {
source = "./metrics-server"
tier = local.tiers.cluster
for_each = contains(local.active_modules, "metrics-server") ? { metrics-server = true } : {}
tls_secret_name = var.tls_secret_name
}
@ -628,6 +673,7 @@ module "paperless-ngx" {
# homepage_token = var.homepage_credentials["paperless-ngx"]["token"]
homepage_username = var.homepage_credentials["paperless-ngx"]["username"]
homepage_password = var.homepage_credentials["paperless-ngx"]["password"]
tier = local.tiers.edge
depends_on = [null_resource.core_services]
}
@ -636,6 +682,7 @@ module "jsoncrack" {
source = "./jsoncrack"
for_each = contains(local.active_modules, "jsoncrack") ? { jsoncrack = true } : {}
tls_secret_name = var.tls_secret_name
tier = local.tiers.aux
depends_on = [null_resource.core_services]
}
@ -644,6 +691,7 @@ module "servarr" {
source = "./servarr"
for_each = contains(local.active_modules, "servarr") ? { servarr = true } : {}
tls_secret_name = var.tls_secret_name
tier = local.tiers.aux
depends_on = [null_resource.core_services]
aiostreams_database_connection_string = var.aiostreams_database_connection_string
@ -658,6 +706,7 @@ module "ollama" { # Disabled as it requires too much resources...
source = "./ollama"
for_each = contains(local.active_modules, "ollama") ? { ollama = true } : {}
tls_secret_name = var.tls_secret_name
tier = local.tiers.gpu
depends_on = [null_resource.core_services]
}
@ -666,6 +715,7 @@ module "ntfy" {
source = "./ntfy"
for_each = contains(local.active_modules, "ntfy") ? { ntfy = true } : {}
tls_secret_name = var.tls_secret_name
tier = local.tiers.aux
depends_on = [null_resource.core_services]
}
@ -674,6 +724,7 @@ module "cyberchef" {
source = "./cyberchef"
for_each = contains(local.active_modules, "cyberchef") ? { cyberchef = true } : {}
tls_secret_name = var.tls_secret_name
tier = local.tiers.aux
depends_on = [null_resource.core_services]
}
@ -684,6 +735,7 @@ module "diun" {
tls_secret_name = var.tls_secret_name
diun_nfty_token = var.diun_nfty_token
diun_slack_url = var.diun_slack_url
tier = local.tiers.aux
depends_on = [null_resource.core_services]
}
@ -692,6 +744,7 @@ module "meshcentral" {
source = "./meshcentral"
for_each = contains(local.active_modules, "meshcentral") ? { meshcentral = true } : {}
tls_secret_name = var.tls_secret_name
tier = local.tiers.aux
depends_on = [null_resource.core_services]
}
@ -699,6 +752,7 @@ module "netbox" {
source = "./netbox"
for_each = contains(local.active_modules, "netbox") ? { netbox = true } : {}
tls_secret_name = var.tls_secret_name
tier = local.tiers.aux
}
module "nextcloud" {
@ -706,12 +760,14 @@ module "nextcloud" {
for_each = contains(local.active_modules, "nextcloud") ? { nextcloud = true } : {}
tls_secret_name = var.tls_secret_name
db_password = var.nextcloud_db_password
tier = local.tiers.edge
depends_on = [null_resource.core_services]
}
module "homepage" {
source = "./homepage"
tier = local.tiers.aux
for_each = contains(local.active_modules, "homepage") ? { homepage = true } : {}
tls_secret_name = var.tls_secret_name
@ -722,12 +778,14 @@ module "matrix" {
source = "./matrix"
for_each = contains(local.active_modules, "matrix") ? { matrix = true } : {}
tls_secret_name = var.tls_secret_name
tier = local.tiers.aux
depends_on = [null_resource.core_services]
}
module "authentik" {
source = "./authentik"
tier = local.tiers.core
for_each = contains(local.active_modules, "authentik") ? { authentik = true } : {}
tls_secret_name = var.tls_secret_name
secret_key = var.authentik_secret_key
@ -741,6 +799,7 @@ module "linkwarden" {
postgresql_password = var.linkwarden_postgresql_password
authentik_client_id = var.linkwarden_authentik_client_id
authentik_client_secret = var.linkwarden_authentik_client_secret
tier = local.tiers.aux
depends_on = [null_resource.core_services]
}
@ -749,6 +808,7 @@ module "actualbudget" {
source = "./actualbudget"
for_each = contains(local.active_modules, "actualbudget") ? { actualbudget = true } : {}
tls_secret_name = var.tls_secret_name
tier = local.tiers.edge
depends_on = [null_resource.core_services]
}
@ -758,6 +818,7 @@ module "owntracks" {
for_each = contains(local.active_modules, "owntracks") ? { owntracks = true } : {}
tls_secret_name = var.tls_secret_name
owntracks_credentials = var.owntracks_credentials
tier = local.tiers.aux
depends_on = [null_resource.core_services]
}
@ -768,6 +829,7 @@ module "dawarich" {
tls_secret_name = var.tls_secret_name
database_password = var.dawarich_database_password
geoapify_api_key = var.geoapify_api_key
tier = local.tiers.edge
depends_on = [null_resource.core_services]
}
@ -776,6 +838,7 @@ module "changedetection" {
source = "./changedetection"
for_each = contains(local.active_modules, "changedetection") ? { changedetection = true } : {}
tls_secret_name = var.tls_secret_name
tier = local.tiers.aux
depends_on = [null_resource.core_services]
}
@ -785,6 +848,7 @@ module "tandoor" {
tls_secret_name = var.tls_secret_name
tandoor_database_password = var.tandoor_database_password
tandoor_email_password = var.tandoor_email_password
tier = local.tiers.aux
depends_on = [null_resource.core_services]
}
@ -794,6 +858,7 @@ module "n8n" {
for_each = contains(local.active_modules, "n8n") ? { n8n = true } : {}
tls_secret_name = var.tls_secret_name
postgresql_password = var.n8n_postgresql_password
tier = local.tiers.aux
depends_on = [null_resource.core_services]
}
@ -804,6 +869,7 @@ module "real-estate-crawler" {
tls_secret_name = var.tls_secret_name
db_password = var.realestate_crawler_db_password
notification_settings = var.realestate_crawler_notification_settings
tier = local.tiers.aux
depends_on = [null_resource.core_services]
}
@ -812,6 +878,7 @@ module "tor-proxy" {
source = "./tor-proxy"
for_each = contains(local.active_modules, "tor-proxy") ? { tor-proxy = true } : {}
tls_secret_name = var.tls_secret_name
tier = local.tiers.aux
depends_on = [null_resource.core_services]
}
@ -828,6 +895,7 @@ module "onlyoffice" {
tls_secret_name = var.tls_secret_name
db_password = var.onlyoffice_db_password
jwt_token = var.onlyoffice_jwt_token
tier = local.tiers.edge
depends_on = [null_resource.core_services]
}
@ -837,6 +905,7 @@ module "forgejo" {
source = "./forgejo"
for_each = contains(local.active_modules, "forgejo") ? { forgejo = true } : {}
tls_secret_name = var.tls_secret_name
tier = local.tiers.edge
depends_on = [null_resource.core_services]
}
@ -845,6 +914,7 @@ module "xray" {
source = "./xray"
for_each = contains(local.active_modules, "xray") ? { xray = true } : {}
tls_secret_name = var.tls_secret_name
tier = local.tiers.aux
xray_reality_clients = var.xray_reality_clients
xray_reality_private_key = var.xray_reality_private_key
@ -857,6 +927,7 @@ module "freshrss" {
source = "./freshrss"
for_each = contains(local.active_modules, "freshrss") ? { freshrss = true } : {}
tls_secret_name = var.tls_secret_name
tier = local.tiers.aux
depends_on = [null_resource.core_services]
}
@ -865,6 +936,7 @@ module "navidrome" {
source = "./navidrome"
for_each = contains(local.active_modules, "navidrome") ? { navidrome = true } : {}
tls_secret_name = var.tls_secret_name
tier = local.tiers.aux
depends_on = [null_resource.core_services]
}
@ -873,6 +945,7 @@ module "networking-toolbox" {
source = "./networking-toolbox"
for_each = contains(local.active_modules, "networking-toolbox") ? { networking-toolbox = true } : {}
tls_secret_name = var.tls_secret_name
tier = local.tiers.aux
depends_on = [null_resource.core_services]
}
@ -881,6 +954,7 @@ module "tuya-bridge" {
source = "./tuya-bridge"
for_each = contains(local.active_modules, "tuya-bridge") ? { tuya-bridge = true } : {}
tls_secret_name = var.tls_secret_name
tier = local.tiers.cluster
tiny_tuya_api_key = var.tiny_tuya_api_key
tiny_tuya_api_secret = var.tiny_tuya_api_secret
@ -895,6 +969,7 @@ module "stirling-pdf" {
source = "./stirling-pdf"
for_each = contains(local.active_modules, "stirling-pdf") ? { stirling-pdf = true } : {}
tls_secret_name = var.tls_secret_name
tier = local.tiers.aux
depends_on = [null_resource.core_services]
}
@ -902,6 +977,7 @@ module "stirling-pdf" {
module "isponsorblocktv" {
source = "./isponsorblocktv"
for_each = contains(local.active_modules, "isponsorblocktv") ? { isponsorblocktv = true } : {}
tier = local.tiers.edge
depends_on = [null_resource.core_services]
}
@ -910,12 +986,14 @@ module "nvidia" {
source = "./nvidia"
for_each = contains(local.active_modules, "nvidia") ? { nvidia = true } : {}
tls_secret_name = var.tls_secret_name
tier = local.tiers.gpu
}
module "ebook2audiobook" {
source = "./ebook2audiobook"
for_each = contains(local.active_modules, "ebook2audiobook") ? { ebook2audiobook = true } : {}
tls_secret_name = var.tls_secret_name
tier = local.tiers.gpu
}
module "rybbit" {
@ -924,6 +1002,7 @@ module "rybbit" {
tls_secret_name = var.tls_secret_name
clickhouse_password = var.clickhouse_password
postgres_password = var.clickhouse_postgres_password
tier = local.tiers.aux
depends_on = [null_resource.core_services]
}
@ -933,6 +1012,13 @@ module "wealthfolio" {
for_each = contains(local.active_modules, "wealthfolio") ? { wealthfolio = true } : {}
tls_secret_name = var.tls_secret_name
wealthfolio_password_hash = var.wealthfolio_password_hash
tier = local.tiers.aux
depends_on = [null_resource.core_services]
}
module "kyverno" {
source = "./kyverno"
for_each = contains(local.active_modules, "kyverno") ? { kyverno = true } : {}
depends_on = [null_resource.core_services]
}

4
modules/kubernetes/matrix/main.tf
View file

@ -1,4 +1,5 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
resource "kubernetes_namespace" "matrix" {
metadata {
@ -20,7 +21,8 @@ resource "kubernetes_deployment" "matrix" {
name = "matrix"
namespace = kubernetes_namespace.matrix.metadata[0].name
labels = {
app = "matrix"
app = "matrix"
tier = var.tier
}
}
spec {

4
modules/kubernetes/meshcentral/main.tf
View file

@ -1,4 +1,5 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
resource "kubernetes_namespace" "meshcentral" {
metadata {
@ -20,7 +21,8 @@ resource "kubernetes_deployment" "meshcentral" {
name = "meshcentral"
namespace = kubernetes_namespace.meshcentral.metadata[0].name
labels = {
app = "meshcentral"
app = "meshcentral"
tier = var.tier
}
annotations = {
"reloader.stakater.com/search" = "true"

19
modules/kubernetes/metallb/main.tf
View file

@ -4,16 +4,29 @@
# source = "colinwilson/metallb/kubernetes"
# version = "0.1.7"
# }
variable "tier" { type = string }
resource "kubernetes_namespace" "metallb" {
metadata {
name = "metallb-system"
labels = {
app = "metallb"
# "istio-injection" : "disabled"
# tier = var.tier
}
}
}
module "metallb" {
source = "ViktorBarzin/metallb/kubernetes"
version = "0.1.5"
source = "ViktorBarzin/metallb/kubernetes"
version = "0.1.5"
depends_on = [kubernetes_namespace.metallb]
}
resource "kubernetes_config_map" "config" {
metadata {
name = "config"
namespace = "metallb-system"
namespace = kubernetes_namespace.metallb.metadata[0].name
}
data = {
config = <<EOT

7
modules/kubernetes/metrics-server/main.tf
View file

@ -1,11 +1,12 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
resource "kubernetes_namespace" "metrics-server" {
metadata {
name = "metrics-server"
# labels = {
# "istio-injection" : "enabled"
# }
labels = {
tier = var.tier
}
}
}

3
modules/kubernetes/monitoring/idrac.tf
View file

@ -30,7 +30,8 @@ resource "kubernetes_deployment" "idrac-redfish" {
name = "idrac-redfish-exporter"
namespace = kubernetes_namespace.monitoring.metadata[0].name
labels = {
app = "idrac-redfish-exporter"
app = "idrac-redfish-exporter"
tier = var.tier
}
annotations = {
"reloader.stakater.com/search" = "true"

2
modules/kubernetes/monitoring/main.tf
View file

@ -14,12 +14,14 @@ variable "tiny_tuya_service_secret" { type = string }
variable "haos_api_token" { type = string }
variable "pve_password" { type = string }
variable "grafana_db_password" { type = string }
variable "tier" { type = string }
resource "kubernetes_namespace" "monitoring" {
metadata {
name = "monitoring"
labels = {
"istio-injection" : "disabled"
tier = var.tier
}
}
}

3
modules/kubernetes/monitoring/pve_exporter.tf
View file

@ -20,6 +20,9 @@ resource "kubernetes_deployment" "pve_exporter" {
metadata {
name = "proxmox-exporter"
namespace = kubernetes_namespace.monitoring.metadata[0].name
labels = {
tier = var.tier
}
}
spec {

3
modules/kubernetes/monitoring/snmp_exporter.tf
View file

@ -29,7 +29,8 @@ resource "kubernetes_deployment" "snmp-exporter" {
name = "snmp-exporter"
namespace = kubernetes_namespace.monitoring.metadata[0].name
labels = {
app = "snmp-exporter"
app = "snmp-exporter"
tier = var.tier
}
annotations = {
"reloader.stakater.com/search" = "true"

7
modules/kubernetes/n8n/main.tf
View file

@ -1,4 +1,5 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
variable "postgresql_password" {}
module "tls_secret" {
@ -18,7 +19,8 @@ resource "kubernetes_deployment" "n8n" {
name = "n8n"
namespace = kubernetes_namespace.n8n.metadata[0].name
labels = {
app = "n8n"
app = "n8n"
tier = var.tier
}
}
spec {
@ -31,8 +33,7 @@ resource "kubernetes_deployment" "n8n" {
template {
metadata {
labels = {
app = "n8n"
"kubernetes.io/cluster-service" = "true"
app = "n8n"
}
}
spec {

8
modules/kubernetes/navidrome/main.tf
View file

@ -1,4 +1,5 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
resource "kubernetes_namespace" "navidrome" {
metadata {
@ -20,8 +21,8 @@ resource "kubernetes_deployment" "navidrome" {
name = "navidrome"
namespace = kubernetes_namespace.navidrome.metadata[0].name
labels = {
app = "navidrome"
"kubernetes.io/cluster-service" = "true"
app = "navidrome"
tier = var.tier
}
}
spec {
@ -37,8 +38,7 @@ resource "kubernetes_deployment" "navidrome" {
template {
metadata {
labels = {
app = "navidrome"
"kubernetes.io/cluster-service" = "true"
app = "navidrome"
}
}
spec {

4
modules/kubernetes/netbox/main.tf
View file

@ -1,4 +1,5 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
resource "kubernetes_namespace" "netbox" {
metadata {
@ -26,7 +27,8 @@ resource "kubernetes_deployment" "netbox" {
name = "netbox"
namespace = kubernetes_namespace.netbox.metadata[0].name
labels = {
app = "netbox"
app = "netbox"
tier = var.tier
}
annotations = {
"reloader.stakater.com/search" = "true"

4
modules/kubernetes/networking-toolbox/main.tf
View file

@ -1,4 +1,5 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
resource "kubernetes_namespace" "networking-toolbox" {
metadata {
@ -20,7 +21,8 @@ resource "kubernetes_deployment" "networking-toolbox" {
name = "networking-toolbox"
namespace = kubernetes_namespace.networking-toolbox.metadata[0].name
labels = {
app = "networking-toolbox"
app = "networking-toolbox"
tier = var.tier
}
}
spec {

5
modules/kubernetes/nextcloud/main.tf
View file

@ -1,5 +1,6 @@
variable "tls_secret_name" {}
variable "db_password" {}
variable "tier" { type = string }
module "tls_secret" {
source = "../setup_tls_secret"
@ -12,6 +13,7 @@ resource "kubernetes_namespace" "nextcloud" {
name = "nextcloud"
labels = {
"istio-injection" : "disabled"
tier = var.tier
}
}
}
@ -49,7 +51,8 @@ resource "kubernetes_deployment" "whiteboard" {
name = "whiteboard"
namespace = kubernetes_namespace.nextcloud.metadata[0].name
labels = {
app = "whiteboard"
app = "whiteboard"
tier = var.tier
}
annotations = {
"reloader.stakater.com/search" = "true"

3
modules/kubernetes/nginx-ingress/main.tf
View file

@ -12,6 +12,8 @@ variable "honeypotapikey" {
variable "crowdsec_api_key" {}
variable "crowdsec_captcha_secret_key" {}
variable "crowdsec_captcha_site_key" {}
variable "tier" { type = string }
resource "kubernetes_namespace" "ingress_nginx" {
metadata {
name = "ingress-nginx"
@ -469,6 +471,7 @@ resource "kubernetes_deployment" "ingress_nginx_controller" {
"app.kubernetes.io/name" = "ingress-nginx"
"app.kubernetes.io/part-of" = "ingress-nginx"
"app.kubernetes.io/version" = "1.13.1"
tier = var.tier
}
annotations = {
"reloader.stakater.com/search" = "true"

4
modules/kubernetes/ntfy/main.tf
View file

@ -1,4 +1,5 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
resource "kubernetes_namespace" "ntfy" {
metadata {
name = "ntfy"
@ -16,7 +17,8 @@ resource "kubernetes_deployment" "ntfy" {
name = "ntfy"
namespace = kubernetes_namespace.ntfy.metadata[0].name
labels = {
app = "ntfy"
app = "ntfy"
tier = var.tier
}
annotations = {
"reloader.stakater.com/search" = "true"

27
modules/kubernetes/nvidia/Dockerfile Normal file
View file

@ -0,0 +1,27 @@
# GPU container
FROM ubuntu
ENV DEBIAN_FRONTEND=noninteractive
# Install Python and pip
RUN apt-get update && \
apt-get install -y --no-install-recommends \
python3 \
python3-pip \
python3-venv
# Deps
RUN apt-get install -y ffmpeg espeak-ng
# Set a working directory
WORKDIR /app
RUN python3 -m venv audiblez && ./audiblez/bin/pip install audiblez
# RUN python3 -m venv audiblez
CMD ["/usr/bin/sleep", "86400"]
# RUN pip install audiblez
# # Default command
# CMD ["/usr/bin/sleep", "86400"]

53
modules/kubernetes/nvidia/main.tf
View file

@ -1,4 +1,5 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
module "tls_secret" {
source = "../setup_tls_secret"
@ -11,6 +12,7 @@ resource "kubernetes_namespace" "nvidia" {
name = "nvidia"
labels = {
"istio-injection" : "disabled"
tier = var.tier
}
}
}
@ -59,7 +61,8 @@ resource "kubernetes_deployment" "nvidia-exporter" {
name = "nvidia-exporter"
namespace = kubernetes_namespace.nvidia.metadata[0].name
labels = {
app = "nvidia-exporter"
app = "nvidia-exporter"
tier = var.tier
}
}
spec {
@ -168,3 +171,51 @@ module "ingress" {
# }
# }
# }
# resource "kubernetes_deployment" "gpu-container" {
# metadata {
# name = "gpu-container"
# namespace = kubernetes_namespace.nvidia.metadata[0].name
# labels = {
# app = "gpu-container"
# }
# }
# spec {
# replicas = 1
# selector {
# match_labels = {
# app = "gpu-container"
# }
# }
# template {
# metadata {
# labels = {
# app = "gpu-container"
# }
# }
# spec {
# node_selector = {
# "gpu" : "true"
# }
# container {
# image = "ubuntu"
# name = "gpu-container"
# command = ["/usr/bin/sleep", "3600"]
# # security_context {
# # privileged = true
# # capabilities {
# # add = ["SYS_ADMIN"]
# # }
# # }
# resources {
# limits = {
# "nvidia.com/gpu" = "1"
# }
# }
# }
# }
# }
# }
# depends_on = [helm_release.nvidia-gpu-operator]
# }

7
modules/kubernetes/ollama/main.tf
View file

@ -1,4 +1,5 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
resource "kubernetes_namespace" "ollama" {
metadata {
@ -64,7 +65,8 @@ resource "kubernetes_deployment" "ollama" {
name = "ollama"
namespace = kubernetes_namespace.ollama.metadata[0].name
labels = {
app = "ollama"
app = "ollama"
tier = var.tier
}
}
spec {
@ -162,7 +164,8 @@ resource "kubernetes_deployment" "ollama-ui" {
name = "ollama-ui"
namespace = kubernetes_namespace.ollama.metadata[0].name
labels = {
app = "ollama-ui"
app = "ollama-ui"
tier = var.tier
}
}
spec {

4
modules/kubernetes/onlyoffice/main.tf
View file

@ -1,4 +1,5 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
variable "db_password" { type = string }
variable "jwt_token" { type = string }
@ -22,7 +23,8 @@ resource "kubernetes_deployment" "onlyoffice-document-server" {
name = "onlyoffice-document-server"
namespace = kubernetes_namespace.onlyoffice.metadata[0].name
labels = {
app = "onlyoffice-document-server"
app = "onlyoffice-document-server"
tier = var.tier
}
}
spec {

4
modules/kubernetes/owntracks/main.tf
View file

@ -1,4 +1,5 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
variable "owntracks_credentials" {
type = map(string)
default = {
@ -47,7 +48,8 @@ resource "kubernetes_deployment" "owntracks" {
name = "owntracks"
namespace = kubernetes_namespace.owntracks.metadata[0].name
labels = {
app = "owntracks"
app = "owntracks"
tier = var.tier
}
annotations = {
"reloader.stakater.com/search" = "true"

4
modules/kubernetes/paperless-ngx/main.tf
View file

@ -1,4 +1,5 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
variable "db_password" {}
# variable "homepage_token" {}
variable "homepage_username" {}
@ -25,7 +26,8 @@ resource "kubernetes_deployment" "paperless-ngx" {
name = "paperless-ngx"
namespace = kubernetes_namespace.paperless-ngx.metadata[0].name
labels = {
app = "paperless-ngx"
app = "paperless-ngx"
tier = var.tier
}
annotations = {
"reloader.stakater.com/search" = "true"

8
modules/kubernetes/privatebin/main.tf
View file

@ -1,4 +1,5 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
resource "kubernetes_namespace" "privatebin" {
metadata {
@ -20,8 +21,8 @@ resource "kubernetes_deployment" "privatebin" {
name = "privatebin"
namespace = kubernetes_namespace.privatebin.metadata[0].name
labels = {
app = "privatebin"
"kubernetes.io/cluster-service" = "true"
app = "privatebin"
tier = var.tier
}
}
spec {
@ -37,8 +38,7 @@ resource "kubernetes_deployment" "privatebin" {
template {
metadata {
labels = {
app = "privatebin"
"kubernetes.io/cluster-service" = "true"
app = "privatebin"
}
}
spec {

10
modules/kubernetes/real-estate-crawler/main.tf
View file

@ -1,4 +1,5 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
variable "notification_settings" {
type = map(string)
default = {
@ -26,7 +27,8 @@ resource "kubernetes_deployment" "realestate-crawler-ui" {
name = "realestate-crawler-ui"
namespace = kubernetes_namespace.realestate-crawler.metadata[0].name
labels = {
app = "realestate-crawler-ui"
app = "realestate-crawler-ui"
tier = var.tier
}
}
spec {
@ -42,8 +44,7 @@ resource "kubernetes_deployment" "realestate-crawler-ui" {
template {
metadata {
labels = {
app = "realestate-crawler-ui"
"kubernetes.io/cluster-service" = "true"
app = "realestate-crawler-ui"
}
}
spec {
@ -97,7 +98,8 @@ resource "kubernetes_deployment" "realestate-crawler-api" {
name = "realestate-crawler-api"
namespace = kubernetes_namespace.realestate-crawler.metadata[0].name
labels = {
app = "realestate-crawler-api"
app = "realestate-crawler-api"
tier = var.tier
}
}
spec {

4
modules/kubernetes/redis/main.tf
View file

@ -1,4 +1,5 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
resource "kubernetes_namespace" "redis" {
metadata {
@ -17,7 +18,8 @@ resource "kubernetes_deployment" "redis" {
name = "redis"
namespace = kubernetes_namespace.redis.metadata[0].name
labels = {
app = "redis"
app = "redis"
tier = var.tier
}
annotations = {
"reloader.stakater.com/search" = "true"

15
modules/kubernetes/reloader/main.tf
View file

@ -1,7 +1,18 @@
variable "tier" { type = string }
resource "kubernetes_namespace" "crowdsec" {
metadata {
name = "reloader"
labels = {
tier = var.tier
}
}
}
resource "helm_release" "reloader" {
namespace = "reloader"
create_namespace = true
namespace = kubernetes_namespace.crowdsec.metadata[0].name
create_namespace = false
name = "reloader"
atomic = true
repository = "https://stakater.github.io/stakater-charts"
chart = "reloader"

5
modules/kubernetes/reverse_proxy/factory/main.tf
View file

@ -37,6 +37,10 @@ variable "rybbit_site_id" {
default = null
type = string
}
variable "additional_configuration_snippet" {
default = ""
type = string
}
resource "kubernetes_service" "proxied-service" {
@ -90,6 +94,7 @@ resource "kubernetes_ingress_v1" "proxied-ingress" {
"nginx.ingress.kubernetes.io/configuration-snippet" = <<-EOF
limit_req_status 429;
limit_conn_status 429;
${var.additional_configuration_snippet}
${var.rybbit_site_id != null ? <<-JS
# Rybbit Analytics
# Only modify HTML

17
modules/kubernetes/reverse_proxy/main.tf
View file

@ -96,6 +96,23 @@ module "tp-link-gateway" {
backend_protocol = "HTTPS"
depends_on = [kubernetes_namespace.reverse-proxy]
protected = true
# Doesn't work due to 413 due to GA/authentik cookie
# additional_configuration_snippet = <<-EOF
# # 1. Try to extract the sysauth cookie and its value
# # This regex looks for 'sysauth=' followed by everything until a semicolon or end of string
# set $sysauth_only "";
# if ($http_cookie ~* "sysauth=([^;]+)") {
# set $sysauth_only "sysauth=$1";
# }
# # 2. Overwrite the Cookie header.
# # If sysauth was found, only it is sent. If not found, no cookies are sent.
# proxy_set_header Cookie $sysauth_only;
# EOF
# extra_annotations = {
# client-header-buffer-size : "16k"
# large-client-header-buffers : "4 16k"
# }
}
# https://truenas.viktorbarzin.me/

10
modules/kubernetes/rybbit/main.tf
View file

@ -1,4 +1,5 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
variable "clickhouse_password" { type = string }
variable "postgres_password" { type = string }
@ -29,7 +30,8 @@ resource "kubernetes_deployment" "clickhouse" {
name = "clickhouse"
namespace = kubernetes_namespace.rybbit.metadata[0].name
labels = {
app = "clickhouse"
app = "clickhouse"
tier = var.tier
}
}
spec {
@ -110,7 +112,8 @@ resource "kubernetes_deployment" "rybbit" {
name = "rybbit"
namespace = kubernetes_namespace.rybbit.metadata[0].name
labels = {
app = "rybbit"
app = "rybbit"
tier = var.tier
}
}
spec {
@ -222,7 +225,8 @@ resource "kubernetes_deployment" "rybbit-client" {
name = "rybbit-client"
namespace = kubernetes_namespace.rybbit.metadata[0].name
labels = {
app = "rybbit-client"
app = "rybbit-client"
tier = var.tier
}
}
spec {

4
modules/kubernetes/send/main.tf
View file

@ -1,4 +1,5 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
resource "kubernetes_namespace" "send" {
metadata {
@ -20,7 +21,8 @@ resource "kubernetes_deployment" "send" {
name = "send"
namespace = kubernetes_namespace.send.metadata[0].name
labels = {
app = "send"
app = "send"
tier = var.tier
}
annotations = {
"reloader.stakater.com/search" = "true"

4
modules/kubernetes/servarr/aiostreams/main.tf
View file

@ -1,4 +1,5 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
variable "aiostreams_database_connection_string" { type = string }
resource "kubernetes_namespace" "aiostreams" {
@ -19,7 +20,8 @@ resource "kubernetes_deployment" "aiostreams" {
name = "aiostreams"
namespace = kubernetes_namespace.aiostreams.metadata[0].name
labels = {
app = "aiostreams"
app = "aiostreams"
tier = var.tier
}
}
spec {

4
modules/kubernetes/servarr/flaresolverr/main.tf
View file

@ -1,11 +1,13 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
resource "kubernetes_deployment" "flaresolverr" {
metadata {
name = "flaresolverr"
namespace = "servarr"
labels = {
app = "flaresolverr"
app = "flaresolverr"
tier = var.tier
}
annotations = {
"reloader.stakater.com/search" = "true"

4
modules/kubernetes/servarr/lidarr/main.tf
View file

@ -1,4 +1,5 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
resource "kubernetes_deployment" "lidarr" {
@ -6,7 +7,8 @@ resource "kubernetes_deployment" "lidarr" {
name = "lidarr"
namespace = "servarr"
labels = {
app = "lidarr"
app = "lidarr"
tier = var.tier
}
annotations = {
"reloader.stakater.com/search" = "true"

4
modules/kubernetes/servarr/listenarr/main.tf
View file

@ -1,4 +1,5 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
resource "kubernetes_deployment" "listenarr" {
@ -6,7 +7,8 @@ resource "kubernetes_deployment" "listenarr" {
name = "listenarr"
namespace = "servarr"
labels = {
app = "listenarr"
app = "listenarr"
tier = var.tier
}
annotations = {
"reloader.stakater.com/search" = "true"

9
modules/kubernetes/servarr/main.tf
View file

@ -1,4 +1,5 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
variable "aiostreams_database_connection_string" { type = string }
resource "kubernetes_namespace" "servarr" {
@ -17,40 +18,48 @@ module "tls_secret" {
# module "readarr" {
# source = "./readarr"
# tls_secret_name = var.tls_secret_name
# tier = var.tier
# }
module "prowlarr" {
source = "./prowlarr"
tls_secret_name = var.tls_secret_name
tier = var.tier
}
module "qbittorrent" {
source = "./qbittorrent"
tls_secret_name = var.tls_secret_name
tier = var.tier
}
module "flaresolverr" {
source = "./flaresolverr"
tls_secret_name = var.tls_secret_name
tier = var.tier
}
# module "lidarr" {
# source = "./lidarr"
# tls_secret_name = var.tls_secret_name
# tier = var.tier
# }
# module "soulseek" {
# source = "./soulseek"
# tls_secret_name = var.tls_secret_name
# tier = var.tier
# }
module "listenarr" {
source = "./listenarr"
tls_secret_name = var.tls_secret_name
tier = var.tier
}
module "aiostreams" {
source = "./aiostreams"
tls_secret_name = var.tls_secret_name
aiostreams_database_connection_string = var.aiostreams_database_connection_string
tier = var.tier
}

4
modules/kubernetes/servarr/prowlarr/main.tf
View file

@ -1,4 +1,5 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
resource "kubernetes_deployment" "prowlarr" {
@ -6,7 +7,8 @@ resource "kubernetes_deployment" "prowlarr" {
name = "prowlarr"
namespace = "servarr"
labels = {
app = "prowlarr"
app = "prowlarr"
tier = var.tier
}
annotations = {
"reloader.stakater.com/search" = "true"

4
modules/kubernetes/servarr/qbittorrent/main.tf
View file

@ -1,4 +1,5 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
resource "kubernetes_deployment" "qbittorrent" {
@ -6,7 +7,8 @@ resource "kubernetes_deployment" "qbittorrent" {
name = "qbittorrent"
namespace = "servarr"
labels = {
app = "qbittorrent"
app = "qbittorrent"
tier = var.tier
}
annotations = {
"reloader.stakater.com/search" = "true"

4
modules/kubernetes/servarr/readarr/main.tf
View file

@ -1,4 +1,5 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
resource "kubernetes_namespace" "readarr" {
metadata {
name = "readarr"
@ -20,7 +21,8 @@ resource "kubernetes_deployment" "readarr" {
name = "readarr"
namespace = "readarr"
labels = {
app = "readarr"
app = "readarr"
tier = var.tier
}
annotations = {
"reloader.stakater.com/search" = "true"

4
modules/kubernetes/servarr/soulseek/main.tf
View file

@ -1,4 +1,5 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
resource "kubernetes_deployment" "soulseek" {
@ -6,7 +7,8 @@ resource "kubernetes_deployment" "soulseek" {
name = "soulseek"
namespace = "servarr"
labels = {
app = "soulseek"
app = "soulseek"
tier = var.tier
}
annotations = {
"reloader.stakater.com/search" = "true"

4
modules/kubernetes/shadowsocks/main.tf
View file

@ -1,4 +1,5 @@
variable "password" {}
variable "tier" { type = string }
variable "method" {
default = "chacha20-ietf-poly1305"
}
@ -19,6 +20,7 @@ resource "kubernetes_deployment" "shadowsocks" {
namespace = kubernetes_namespace.shadowsocks.metadata[0].name
labels = {
"app" = "shadowsocks"
tier = var.tier
}
annotations = {
"reloader.stakater.com/search" = "true"
@ -64,7 +66,7 @@ resource "kubernetes_deployment" "shadowsocks" {
}
}
resource "kubernetes_service" "mailserver" {
resource "kubernetes_service" "mailserver" { # rename me
metadata {
name = "shadowsocks"
namespace = kubernetes_namespace.shadowsocks.metadata[0].name

4
modules/kubernetes/stirling-pdf/main.tf
View file

@ -1,4 +1,5 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
resource "kubernetes_namespace" "stirling-pdf" {
metadata {
@ -20,7 +21,8 @@ resource "kubernetes_deployment" "stirling-pdf" {
name = "stirling-pdf"
namespace = kubernetes_namespace.stirling-pdf.metadata[0].name
labels = {
app = "stirling-pdf"
app = "stirling-pdf"
tier = var.tier
}
}
spec {

4
modules/kubernetes/tandoor/main.tf
View file

@ -1,4 +1,5 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
variable "tandoor_database_password" {}
variable "tandoor_email_password" {}
@ -26,7 +27,8 @@ resource "kubernetes_deployment" "tandoor" {
name = "tandoor"
namespace = kubernetes_namespace.tandoor.metadata[0].name
labels = {
app = "tandoor"
app = "tandoor"
tier = var.tier
}
}
spec {

4
modules/kubernetes/technitium/main.tf
View file

@ -1,4 +1,5 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
variable "homepage_token" {}
resource "kubernetes_namespace" "technitium" {
@ -23,7 +24,8 @@ resource "kubernetes_deployment" "technitium" {
name = "technitium"
namespace = kubernetes_namespace.technitium.metadata[0].name
labels = {
app = "technitium"
app = "technitium"
tier = var.tier
}
}
spec {

4
modules/kubernetes/tor-proxy/main.tf
View file

@ -1,4 +1,5 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
resource "kubernetes_namespace" "tor-proxy" {
metadata {
@ -34,7 +35,8 @@ resource "kubernetes_deployment" "tor-proxy" {
name = "tor-proxy"
namespace = "tor-proxy"
labels = {
app = "tor-proxy"
app = "tor-proxy"
tier = var.tier
}
annotations = {
"reloader.stakater.com/search" = "true"

12
modules/kubernetes/travel_blog/main.tf
View file

@ -1,4 +1,5 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
resource "kubernetes_namespace" "travel-blog" {
metadata {
@ -26,20 +27,21 @@ resource "kubernetes_deployment" "blog" {
name = "travel-blog"
namespace = kubernetes_namespace.travel-blog.metadata[0].name
labels = {
run = "travel-blog"
app = "travel-blog"
tier = var.tier
}
}
spec {
replicas = 3
selector {
match_labels = {
run = "travel-blog"
app = "travel-blog"
}
}
template {
metadata {
labels = {
run = "travel-blog"
app = "travel-blog"
}
}
spec {
@ -79,7 +81,7 @@ resource "kubernetes_service" "travel-blog" {
name = "travel-blog"
namespace = kubernetes_namespace.travel-blog.metadata[0].name
labels = {
"run" = "travel-blog"
app = "travel-blog"
}
annotations = {
"prometheus.io/scrape" = "true"
@ -90,7 +92,7 @@ resource "kubernetes_service" "travel-blog" {
spec {
selector = {
run = "travel-blog"
app = "travel-blog"
}
port {
name = "http"

4
modules/kubernetes/tuya-bridge/main.tf
View file

@ -1,4 +1,5 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
variable "tiny_tuya_api_key" { type = string }
variable "tiny_tuya_api_secret" { type = string }
variable "tiny_tuya_service_secret" { type = string }
@ -24,7 +25,8 @@ resource "kubernetes_deployment" "tuya-bridge" {
name = "tuya-bridge"
namespace = kubernetes_namespace.tuya-bridge.metadata[0].name
labels = {
app = "tuya-bridge"
app = "tuya-bridge"
tier = var.tier
}
}
spec {

4
modules/kubernetes/uptime-kuma/main.tf
View file

@ -1,4 +1,5 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
resource "kubernetes_namespace" "uptime-kuma" {
metadata {
@ -20,7 +21,8 @@ resource "kubernetes_deployment" "uptime-kuma" {
name = "uptime-kuma"
namespace = kubernetes_namespace.uptime-kuma.metadata[0].name
labels = {
app = "uptime-kuma"
app = "uptime-kuma"
tier = var.tier
}
annotations = {
"reloader.stakater.com/search" = "true"

7
modules/kubernetes/url-shortener/main.tf
View file

@ -5,6 +5,7 @@
## to the mysql tier
variable "tls_secret_name" {}
variable "tier" { type = string }
variable "geolite_license_key" {}
variable "api_key" {}
variable "mysql_password" {}
@ -76,7 +77,8 @@ resource "kubernetes_deployment" "shlink" {
name = "shlink"
namespace = kubernetes_namespace.shlink.metadata[0].name
labels = {
run = "shlink"
run = "shlink"
tier = var.tier
}
}
spec {
@ -213,7 +215,8 @@ resource "kubernetes_deployment" "shlink-web" {
name = "shlink-web"
namespace = kubernetes_namespace.shlink.metadata[0].name
labels = {
run = "shlink-web"
run = "shlink-web"
tier = var.tier
}
annotations = {
"reloader.stakater.com/search" = "true"

10
modules/kubernetes/vault/main.tf
View file

@ -2,10 +2,14 @@ variable "tls_secret_name" {}
variable "host" {
default = "vault.viktorbarzin.me"
}
variable "tier" { type = string }
resource "kubernetes_namespace" "vault" {
metadata {
name = "vault"
labels = {
tier = var.tier
}
}
}
@ -34,9 +38,9 @@ resource "kubernetes_persistent_volume" "vault_data" {
}
resource "helm_release" "vault" {
namespace = kubernetes_namespace.vault.metadata[0].name
name = "vault"
atomic = true
namespace = kubernetes_namespace.vault.metadata[0].name
name = "vault"
atomic = true
repository = "https://helm.releases.hashicorp.com"
chart = "vault"

4
modules/kubernetes/vaultwarden/main.tf
View file

@ -1,4 +1,5 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
variable "smtp_password" {}
resource "kubernetes_namespace" "vaultwarden" {
@ -21,7 +22,8 @@ resource "kubernetes_deployment" "vaultwarden" {
name = "vaultwarden"
namespace = kubernetes_namespace.vaultwarden.metadata[0].name
labels = {
app = "vaultwarden"
app = "vaultwarden"
tier = var.tier
}
annotations = {
"reloader.stakater.com/search" = "true"

4
modules/kubernetes/wealthfolio/main.tf
View file

@ -6,6 +6,7 @@
# Note that currently wealthfolio doesn't dedup (https://github.com/afadil/wealthfolio/issues/476)
variable "tls_secret_name" {}
variable "tier" { type = string }
variable "wealthfolio_password_hash" {}
resource "kubernetes_namespace" "wealthfolio" {
@ -33,7 +34,8 @@ resource "kubernetes_deployment" "wealthfolio" {
name = "wealthfolio"
namespace = kubernetes_namespace.wealthfolio.metadata[0].name
labels = {
app = "wealthfolio"
app = "wealthfolio"
tier = var.tier
}
}
spec {

4
modules/kubernetes/webhook_handler/main.tf
View file

@ -1,5 +1,6 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
variable "webhook_secret" {}
variable "fb_verify_token" {}
variable "fb_page_token" {}
@ -70,7 +71,8 @@ resource "kubernetes_deployment" "webhook_handler" {
name = "webhook-handler"
namespace = kubernetes_namespace.webhook-handler.metadata[0].name
labels = {
app = "webhook-handler"
app = "webhook-handler"
tier = var.tier
}
annotations = {
"reloader.stakater.com/search" = "true"

4
modules/kubernetes/wireguard/main.tf
View file

@ -1,4 +1,5 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
variable "wg_0_conf" {}
variable "firewall_sh" {}
variable "wg_0_key" {}
@ -56,7 +57,8 @@ resource "kubernetes_deployment" "wireguard" {
name = "wireguard"
namespace = kubernetes_namespace.wireguard.metadata[0].name
labels = {
app = "wireguard"
app = "wireguard"
tier = var.tier
}
annotations = {
"reloader.stakater.com/search" = "true"

4
modules/kubernetes/xray/main.tf
View file

@ -1,4 +1,5 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
variable "xray_reality_clients" { type = list(map(string)) }
variable "xray_reality_private_key" { type = string }
variable "xray_reality_short_ids" { type = list(string) }
@ -48,7 +49,8 @@ resource "kubernetes_deployment" "xray" {
name = "xray"
namespace = kubernetes_namespace.xray.metadata[0].name
labels = {
app = "xray"
app = "xray"
tier = var.tier
}
annotations = {
"reloader.stakater.com/search" = "true"

4
modules/kubernetes/youtube_dl/main.tf
View file

@ -1,4 +1,5 @@
variable "tls_secret_name" {}
variable "tier" { type = string }
resource "kubernetes_namespace" "ytdlp" {
metadata {
@ -21,7 +22,8 @@ resource "kubernetes_deployment" "ytdlp" {
name = "ytdlp"
namespace = kubernetes_namespace.ytdlp.metadata[0].name
labels = {
app = "ytdlp"
app = "ytdlp"
tier = var.tier
}
annotations = {
"diun.enable" = "true"

BIN
terraform.tfstate
View file

Binary file not shown.