diff --git a/.terraform.lock.hcl b/.terraform.lock.hcl
index b46e9923..fc04e339 100644
--- a/.terraform.lock.hcl
+++ b/.terraform.lock.hcl
@@ -1,21 +1,6 @@
 # This file is maintained automatically by "terraform init".
 # Manual edits may be lost in future updates.
-provider "registry.terraform.io/gavinbunney/kubectl" {
- version = "1.10.0"
- constraints = ">= 1.10.0"
- hashes = [
- "h1:x5NHOW8DG0cBE1QmJ/Hl4ktMpeIfkEpoOvnf/kISdBU=",
- "zh:0786e6cb375e4e6a70220bb67fc3de80c8c30dcb00c0f4f0ec7bb10404a120db",
- "zh:577347a8334c8cd13215608780e03b77615d211fac64ad6e4356b7f4bb160022",
- "zh:7d3347690a0b68dca54ae5cc90877cf82069f7ef13517668b17fd37f49c91e8c",
- "zh:7f4eeae41b22de803ea7bf8977226c2bc0baaf204a4a2a05c421d9358c907808",
- "zh:8db7a6550374918109d6f445c6c196f02ea3fa2029b882eca186d6e13bd1e4ce",
- "zh:9c93ad71c3039463cf4345acb781c68d7ce82fe8f8495a94a6b588bf87259e51",
- "zh:ee94ff2448caee374f3a3e888568d7ff48e6b9438df76f6eb72efa1aadc6391b",
- ]
-}
-
 provider "registry.terraform.io/hashicorp/helm" {
 version = "2.4.1"
 hashes = [
diff --git a/main.tf b/main.tf
index 20f7b171..d6bb4599 100644
--- a/main.tf
+++ b/main.tf
@@ -45,6 +45,7 @@ variable "webhook_handler_ssh_key" {}
 variable "monitoring_idrac_username" {}
 variable "monitoring_idrac_password" {}
 variable "alertmanager_slack_api_url" {}
+variable "home_assistant_configuration" {}
 variable "ansible_prefix" {
 default = "ANSIBLE_VAULT_PASSWORD_FILE=~/.ansible/vault_pass.txt ansible-playbook -i playbook/hosts.yaml playbook/linux.yml -t linux/initial_setup"
@@ -234,5 +235,6 @@ module "kubernetes_cluster" {
 # dbaas
 dbaas_root_password = var.dbaas_root_password
-
+ # home-assistant
+ home_assistant_configuration = var.home_assistant_configuration
 }
diff --git a/modules/kubernetes/descheduler/main.tf b/modules/kubernetes/descheduler/main.tf
index c6f7d967..e6b3393e 100644
--- a/modules/kubernetes/descheduler/main.tf
+++ b/modules/kubernetes/descheduler/main.tf
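Review bot: In the `main.tf` hunk at line 45, `variable "home_assistant_configuration" {}` is declared with no type, description or `sensitive = true`, although its value is passed through `modules/kubernetes/main.tf` into the new home_assistant module and written verbatim into a ConfigMap as `configuration.yaml`; a Home Assistant configuration file commonly embeds credentials (presumably why it is injected as a variable rather than committed), so anything secret in it would be echoed in plan output and CI logs, and it lands in state either way. The presence of `.terraform.lock.hcl` means Terraform ≥ 0.14, where `sensitive = true` is available, so suggest adding `type = string` and `sensitive = true` to this declaration, to the matching declaration in `modules/kubernetes/main.tf`, and to `variable "configuration_yaml"` in `modules/kubernetes/home_assistant/main.tf`. If the file does carry secrets, the module should store it in a `kubernetes_secret` rather than a `kubernetes_config_map`.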
@@ -101,6 +101,7 @@ resource "kubernetes_config_map" "policy" {
 - "bind"
 - "monitoring"
 - "kube-system"
+ - "wireguard"
 EOF
 }
 }
diff --git a/modules/kubernetes/home_assistant/home_assistant_chart_values.tpl b/modules/kubernetes/home_assistant/home_assistant_chart_values.tpl
new file mode 100644
index 00000000..db885068
--- /dev/null
+++ b/modules/kubernetes/home_assistant/home_assistant_chart_values.tpl
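Review bot: The new `- "wireguard"` entry joins `bind`, `monitoring` and `kube-system` in the descheduler policy's namespace list with no note on why, and the enclosing `kubernetes_config_map.policy` heredoc starts and ends outside the hunk, so the list's purpose is not visible at the point of edit. The list looks like an eviction exclusion set where each entry protects a workload that cannot tolerate rescheduling; if that is the motivation, a short YAML comment such as `- "wireguard"  # gateway pod; rescheduling it drops active VPN tunnels` keeps the intent next to the data for the next person who has to decide whether an entry can be removed.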
@@ -0,0 +1,74 @@
+# hostname: home-assistant
+
+ingress:
+ main:
+ # -- Enables or disables the ingress
+ enabled: true
+
+ # -- Make this the primary ingress (used in probes, notes, etc...).
+ # If there is more than 1 ingress, make sure that only 1 ingress is marked as primary.
+ primary: true
+
+ # -- Override the name suffix that is used for this ingress.
+ nameOverride:
+
+ # -- Provide additional annotations which may be required.
+ annotations: #{}
+ kubernetes.io/ingress.class : "nginx"
+ nginx.ingress.kubernetes.io/force-ssl-redirect : "true"
+ nginx.ingress.kubernetes.io/auth-tls-verify-client : "on"
+ nginx.ingress.kubernetes.io/auth-tls-secret : ${client_certificate_secret_name}
+ # kubernetes.io/ingress.class: nginx
+ # kubernetes.io/tls-acme: "true"
+
+ # -- Provide additional labels which may be required.
+ labels: {}
+
+ # -- Set the ingressClass that is used for this ingress.
+ # Requires Kubernetes >=1.19
+ ingressClassName: # "nginx"
+
+ ## Configure the hosts for the ingress
+ hosts:
+ - # -- Host address. Helm template can be passed.
+ host: home-assistant.viktorbarzin.me
+ ## Configure the paths for the host
+ paths:
+ - # -- Path. Helm template can be passed.
+ path: /
+ # -- Ignored if not kubeVersion >= 1.14-0
+ pathType: Prefix
+ service:
+ # -- Overrides the service name reference for this path
+ name: home-assistant
+ # -- Overrides the service port reference for this path
+ port: 8123
+
+ # -- Configure TLS for the ingress. Both secretName and hosts can process a Helm template.
+ tls: #[]
+ - secretName: ${tls_secret_name}
+ hosts:
+ - home-assistant.viktorbarzin.me
+
+# -- Configure persistence for the chart here.
+# Additional items can be added by adding a dictionary key similar to the 'config' key.
+# [[ref]](http://docs.k8s-at-home.com/our-helm-charts/common-library-storage)
+# @default -- See below
+persistence:
+ # -- Default persistence for configuration files.
+ # @default -- See below
+ config:
+ # -- Enables or disables the persistence item
+ enabled: false
+
+ # -- Sets the persistence type
+ # Valid options are pvc, emptyDir, hostPath, secret, configMap or custom
+ type: configMap
+ name: home-assistant-configmap
+
+ # -- Where to mount the volume in the main container.
+ # Defaults to `/`,
+ # setting to '-' creates the volume but disables the volumeMount.
+ mountPath: /config
+ # -- Specify if the volume should be mounted read-only.
+ readOnly: true
diff --git a/modules/kubernetes/home_assistant/main.tf b/modules/kubernetes/home_assistant/main.tf
new file mode 100644
index 00000000..5a427ce9
--- /dev/null
+++ b/modules/kubernetes/home_assistant/main.tf
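Review bot: This values template is consumed only by the `helm_release` block that is commented out in `modules/kubernetes/home_assistant/main.tf`, so the whole file is dead configuration in this commit. It carries a second description of the same ingress (same host, `auth-tls-verify-client : "on"`, `auth-tls-secret`, `force-ssl-redirect`) that `kubernetes_ingress_v1.home-assistant-ui` also defines by hand, and its `persistence.config` block points at `home-assistant-configmap` with `enabled: false` while the hand-written Deployment mounts an iSCSI volume at `/config` instead — two sources of truth for the exposure and storage of this service, which will drift silently. Either remove the template together with the commented release, or make the Helm release the single definition and drop the hand-written Deployment/Service/Ingress; if it is kept for a later switch, a header such as `# NOT IN USE: values for the k8s-at-home chart; see the commented helm_release in main.tf` would save the next reader from reconciling the two.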
@@ -0,0 +1,253 @@
+variable "tls_secret_name" {}
+variable "client_certificate_secret_name" {}
+variable "configuration_yaml" {}
+
+resource "kubernetes_namespace" "home_assistant" {
+ metadata {
+ name = "home-assistant"
+ }
+}
+
+resource "kubernetes_persistent_volume" "home_assistant_pv" {
+ metadata {
+ name = "home-assistant-pv"
+ }
+ spec {
+ capacity = {
+ storage = "2Gi"
+ }
+ access_modes = ["ReadWriteMany"]
+ persistent_volume_source {
+ vsphere_volume {
+ volume_path = "/config"
+ }
+ }
+ }
+}
+
+resource "kubernetes_config_map" "home_assistant_config_map" {
+ metadata {
+ name = "home-assistant-configmap"
+ namespace = "home-assistant"
+
+ annotations = {
+ "reloader.stakater.com/match" = "true"
+ }
+ }
+
+ data = {
+ # "db.viktorbarzin.lan" = var.db_viktorbarzin_lan
+ # "db.viktorbarzin.me" = format("%s%s", var.db_viktorbarzin_me, file("${path.module}/extra/viktorbarzin.me"))
+ # "db.181.191.213.in-addr.arpa" = var.db_ptr
+ "configuration.yaml" = var.configuration_yaml
+ }
+}
+
+module "tls_secret" {
+ source = "../setup_tls_secret"
+ namespace = "home-assistant"
+ tls_secret_name = var.tls_secret_name
+}
+
+# resource "helm_release" "home_assistant" {
+# namespace = "home-assistant"
+# create_namespace = true
+# name = "home-assistant"
+
+# repository = "https://k8s-at-home.com/charts/"
+# chart = "home-assistant"
+
+# values = [templatefile("${path.module}/home_assistant_chart_values.tpl", { tls_secret_name = var.tls_secret_name, client_certificate_secret_name = var.client_certificate_secret_name })]
+# }
+
+resource "kubernetes_deployment" "home_assistant" {
+ metadata {
+ name = "home-assistant"
+ namespace = "home-assistant"
+
+ labels = {
+ "app.kubernetes.io/instance" = "home-assistant"
+ "app.kubernetes.io/name" = "home-assistant"
+ "app.kubernetes.io/version" = "2022.5.4"
+ }
+ }
+
+ spec {
+ replicas = 1
+
+ selector {
+ match_labels = {
+ "app.kubernetes.io/instance" = "home-assistant"
+ "app.kubernetes.io/name" = "home-assistant"
+ }
+ }
+
+ template {
+ metadata {
+ labels = {
+ "app.kubernetes.io/instance" = "home-assistant"
+
+ "app.kubernetes.io/name" = "home-assistant"
+ }
+ }
+
+ spec {
+ container {
+ name = "home-assistant"
+ image = "ghcr.io/home-assistant/home-assistant:2022.5.4"
+ port {
+ name = "http"
+ container_port = 8123
+ protocol = "TCP"
+ }
+ env {
+ name = "TZ"
+ value = "UTC+3"
+ }
+
+ volume_mount {
+ name = "configuration"
+ mount_path = "/config"
+ # sub_path = "hackmd"
+ }
+ liveness_probe {
+ tcp_socket {
+ port = "8123"
+ }
+ timeout_seconds = 1
+ period_seconds = 10
+ success_threshold = 1
+ failure_threshold = 3
+ }
+
+ readiness_probe {
+ tcp_socket {
+ port = "8123"
+ }
+
+ timeout_seconds = 1
+ period_seconds = 10
+ success_threshold = 1
+ failure_threshold = 3
+ }
+
+ startup_probe {
+ tcp_socket {
+ port = "8123"
+ }
+
+ timeout_seconds = 1
+ period_seconds = 5
+ success_threshold = 1
+ failure_threshold = 30
+ }
+
+ termination_message_path = "/dev/termination-log"
+ image_pull_policy = "IfNotPresent"
+ }
+
+ volume {
+ name = "configuration"
+ iscsi {
+ target_portal = "iscsi.viktorbarzin.lan:3260"
+ fs_type = "ext4"
+ iqn = "iqn.2020-12.lan.viktorbarzin:storage:home-assistant"
+ lun = 0
+ read_only = false
+ }
+ }
+
+ restart_policy = "Always"
+ termination_grace_period_seconds = 30
+ dns_policy = "ClusterFirst"
+ service_account_name = "default"
+ }
+ }
+
+ strategy {
+ type = "Recreate"
+ }
+ revision_history_limit = 3
+ }
+}
+resource "kubernetes_service" "home_assistant" {
+ metadata {
+ name = "home-assistant"
+ namespace = "home-assistant"
+
+ labels = {
+ "app.kubernetes.io/instance" = "home-assistant"
+
+ "app.kubernetes.io/managed-by" = "Helm"
+
+ "app.kubernetes.io/name" = "home-assistant"
+
+ "app.kubernetes.io/version" = "2022.5.4"
+
+ "helm.sh/chart" = "home-assistant-13.2.0"
+ }
+
+ annotations = {
+ "meta.helm.sh/release-name" = "home-assistant"
+
+ "meta.helm.sh/release-namespace" = "home-assistant"
+ }
+ }
+
+ spec {
+ port {
+ name = "http"
+ protocol = "TCP"
+ port = 8123
+ target_port = "http"
+ }
+
+ selector = {
+ "app.kubernetes.io/instance" = "home-assistant"
+
+ "app.kubernetes.io/name" = "home-assistant"
+ }
+
+ # cluster_ip = "10.102.20.150"
+ type = "ClusterIP"
+ session_affinity = "None"
+ }
+}
+
+
+
+resource "kubernetes_ingress_v1" "home-assistant-ui" {
+ metadata {
+ name = "home-assistant-ui-ingress"
+ namespace = "home-assistant"
+ annotations = {
+ "kubernetes.io/ingress.class" = "nginx"
+ "nginx.ingress.kubernetes.io/force-ssl-redirect" = "true"
+ "nginx.ingress.kubernetes.io/auth-tls-verify-client" = "on"
+ "nginx.ingress.kubernetes.io/auth-tls-secret" = var.client_certificate_secret_name
+ }
+ }
+
+ spec {
+ tls {
+ hosts = ["home-assistant.viktorbarzin.me"]
+ secret_name = var.tls_secret_name
+ }
+ rule {
+ host = "home-assistant.viktorbarzin.me"
+ http {
+ path {
+ path = "/"
+ backend {
+ service {
+ name = "home-assistant"
+ port {
+ number = 8123
+ }
+ }
+ }
+ }
+ }
+ }
+ }
+}
diff --git a/modules/kubernetes/main.tf b/modules/kubernetes/main.tf
index c67aa892..6c2e9bb1 100644
--- a/modules/kubernetes/main.tf
+++ b/modules/kubernetes/main.tf
@@ -33,6 +33,7 @@ variable "webhook_handler_ssh_key" {}
 variable "idrac_username" {}
 variable "idrac_password" {}
 variable "alertmanager_slack_api_url" {}
+variable "home_assistant_configuration" {}
 resource "null_resource" "core_services" {
 # List all the core modules that must be provisioned first
@@ -225,3 +226,10 @@ module "wireguard" {
 wg_0_key = var.wireguard_wg_0_key
 firewall_sh = var.wireguard_firewall_sh
 }
+
+module "home_assistant" {
+ source = "./home_assistant"
+ tls_secret_name = var.tls_secret_name
+ client_certificate_secret_name = var.client_certificate_secret_name
+ configuration_yaml = var.home_assistant_configuration
+}
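Review bot: The ConfigMap built from `var.configuration_yaml` is never mounted — the Deployment's only volume is the iSCSI block device at `/config` — so the new `home_assistant_configuration` variable plumbed in from the root `main.tf`, and the `reloader.stakater.com/match` annotation on the ConfigMap, have no effect on the running pod (the `vsphere_volume` PV `home-assistant-pv` is likewise declared but never claimed by anything). If the ConfigMap is meant to supply `configuration.yaml`, overlay just that file on top of the persistent volume with a `sub_path` mount as sketched below, noting that a subPath mount is not refreshed in place when the ConfigMap changes, so whatever restarts the pod (presumably the reloader the annotation targets) is what picks up edits. Separately, every resource hard-codes `namespace = "home-assistant"` instead of referencing `kubernetes_namespace.home_assistant.metadata[0].name`, so Terraform records no dependency on the namespace and may try to create the ConfigMap or Deployment before it exists. `TZ = "UTC+3"` is a POSIX offset string whose sign is the reverse of the usual notation (it resolves to three hours behind UTC); an IANA zone name such as `Etc/GMT-3` or a region/city name states the intent unambiguously. The container also has no `security_context` and no `resources` block, and the iSCSI target is mounted read-write with no authentication configured in this file, which is worth checking against the portal's initiator restrictions.
```hcl
          volume_mount {
            name       = "configuration"
            mount_path = "/config"
          }
          # Overlay only configuration.yaml from the ConfigMap onto the persistent /config.
          # A subPath mount is not updated in place when the ConfigMap changes; a pod
          # restart is required to pick up a new value.
          volume_mount {
            name       = "configuration-yaml"
            mount_path = "/config/configuration.yaml"
            sub_path   = "configuration.yaml"
          }
          # … unchanged: probes, termination_message_path, image_pull_policy …
        }

        volume {
          name = "configuration"
          # … unchanged: iscsi block …
        }
        volume {
          name = "configuration-yaml"
          config_map {
            name = kubernetes_config_map.home_assistant_config_map.metadata[0].name
          }
        }
```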