diff --git a/main.tf b/main.tf index 9dcb32eb..eb6382a4 100644 --- a/main.tf +++ b/main.tf @@ -131,6 +131,7 @@ variable "grafana_db_password" { type = string } variable "clickhouse_password" { type = string } variable "clickhouse_postgres_password" { type = string } variable "wealthfolio_password_hash" { type = string } +variable "aiostreams_database_connection_string" { type = string } provider "kubernetes" { @@ -543,6 +544,8 @@ module "kubernetes_cluster" { clickhouse_postgres_password = var.clickhouse_postgres_password wealthfolio_password_hash = var.wealthfolio_password_hash + + aiostreams_database_connection_string = var.aiostreams_database_connection_string } diff --git a/modules/kubernetes/actualbudget/factory/main.tf b/modules/kubernetes/actualbudget/factory/main.tf index fc615705..b19f1f06 100644 --- a/modules/kubernetes/actualbudget/factory/main.tf +++ b/modules/kubernetes/actualbudget/factory/main.tf @@ -3,13 +3,15 @@ variable "name" {} variable "tag" { default = "latest" } +variable "tier" { type = string } resource "kubernetes_deployment" "actualbudget" { metadata { name = "actualbudget-${var.name}" namespace = "actualbudget" labels = { - app = "actualbudget-${var.name}" + app = "actualbudget-${var.name}" + tier = var.tier } annotations = { "reloader.stakater.com/search" = "true" diff --git a/modules/kubernetes/actualbudget/main.tf b/modules/kubernetes/actualbudget/main.tf index 4bf5380a..fa5259ae 100644 --- a/modules/kubernetes/actualbudget/main.tf +++ b/modules/kubernetes/actualbudget/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } # To create a new deployment: /** @@ -30,6 +31,7 @@ module "viktor" { tag = "edge" tls_secret_name = var.tls_secret_name depends_on = [kubernetes_namespace.actualbudget] + tier = var.tier } # https://budget-anca.viktorbarzin.me/ @@ -39,4 +41,5 @@ module "anca" { tag = "edge" tls_secret_name = var.tls_secret_name depends_on = [kubernetes_namespace.actualbudget] + tier = var.tier } 
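Review bot: `aiostreams_database_connection_string` is declared as a bare `type = string` in the `main.tf` hunk; a database connection string usually embeds the password, so without `sensitive = true` its value is printed in `terraform plan`/`apply` output and in any CI log whenever the module argument below it changes. Add `sensitive = true` to the new declaration (the neighbouring password variables in the same hunk have the same gap, but the new line is the place to start). How the value is consumed inside `module.kubernetes_cluster` is outside this diff, so I can't confirm it ends up in a `kubernetes_secret` rather than an inline env value — worth checking before merge.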
diff --git a/modules/kubernetes/audiobookshelf/main.tf b/modules/kubernetes/audiobookshelf/main.tf index 39e46787..62d1207b 100644 --- a/modules/kubernetes/audiobookshelf/main.tf +++ b/modules/kubernetes/audiobookshelf/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } resource "kubernetes_namespace" "audiobookshelf" { metadata { @@ -20,7 +21,8 @@ resource "kubernetes_deployment" "audiobookshelf" { name = "audiobookshelf" namespace = kubernetes_namespace.audiobookshelf.metadata[0].name labels = { - app = "audiobookshelf" + app = "audiobookshelf" + tier = var.tier } annotations = { "reloader.stakater.com/search" = "true" @@ -44,7 +46,7 @@ resource "kubernetes_deployment" "audiobookshelf" { } spec { container { - image = "ghcr.io/advplyr/audiobookshelf:latest" + image = "ghcr.io/advplyr/audiobookshelf:2.32.1" name = "audiobookshelf" port { diff --git a/modules/kubernetes/authentik/main.tf b/modules/kubernetes/authentik/main.tf index f5df26e1..483e3ef0 100644 --- a/modules/kubernetes/authentik/main.tf +++ b/modules/kubernetes/authentik/main.tf @@ -1,6 +1,7 @@ variable "tls_secret_name" {} variable "secret_key" {} variable "postgres_password" {} +variable "tier" { type = string } module "tls_secret" { @@ -12,6 +13,9 @@ module "tls_secret" { resource "kubernetes_namespace" "authentik" { metadata { name = "authentik" + labels = { + tier = var.tier + } } } diff --git a/modules/kubernetes/authentik/pgbouncer.tf b/modules/kubernetes/authentik/pgbouncer.tf index f9c83fd9..d6d24a8b 100644 --- a/modules/kubernetes/authentik/pgbouncer.tf +++ b/modules/kubernetes/authentik/pgbouncer.tf @@ -29,7 +29,8 @@ resource "kubernetes_deployment" "pgbouncer" { name = "pgbouncer" namespace = "authentik" labels = { - app = "pgbouncer" + app = "pgbouncer" + tier = var.tier } } diff --git a/modules/kubernetes/blog/main.tf b/modules/kubernetes/blog/main.tf index 91cf4fed..eef7860e 100644 --- a/modules/kubernetes/blog/main.tf 
+++ b/modules/kubernetes/blog/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } # variable "dockerhub_password" {} resource "kubernetes_namespace" "website" { @@ -27,7 +28,8 @@ resource "kubernetes_deployment" "blog" { name = "blog" namespace = kubernetes_namespace.website.metadata[0].name labels = { - run = "blog" + run = "blog" + tier = var.tier } } spec { diff --git a/modules/kubernetes/calibre/main.tf b/modules/kubernetes/calibre/main.tf index 040374bf..32594172 100644 --- a/modules/kubernetes/calibre/main.tf +++ b/modules/kubernetes/calibre/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } variable "homepage_username" { default = "" } @@ -99,7 +100,8 @@ resource "kubernetes_deployment" "calibre-web-automated" { name = "calibre-web-automated" namespace = kubernetes_namespace.calibre.metadata[0].name labels = { - app = "calibre-web-automated" + app = "calibre-web-automated" + tier = var.tier } annotations = { "reloader.stakater.com/search" = "true" @@ -250,7 +252,8 @@ resource "kubernetes_deployment" "annas-archive-stacks" { name = "annas-archive-stacks" namespace = kubernetes_namespace.calibre.metadata[0].name labels = { - app = "annas-archive-stacks" + app = "annas-archive-stacks" + tier = var.tier } } spec { diff --git a/modules/kubernetes/changedetection/main.tf b/modules/kubernetes/changedetection/main.tf index c7154e72..06f16212 100644 --- a/modules/kubernetes/changedetection/main.tf +++ b/modules/kubernetes/changedetection/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } resource "kubernetes_namespace" "changedetection" { metadata { @@ -20,7 +21,8 @@ resource "kubernetes_deployment" "changedetection" { name = "changedetection" namespace = kubernetes_namespace.changedetection.metadata[0].name labels = { - app = "changedetection" + app = "changedetection" + tier = var.tier } } spec { 
diff --git a/modules/kubernetes/city-guesser/main.tf b/modules/kubernetes/city-guesser/main.tf index 72fbd7e0..e6f8bac1 100644 --- a/modules/kubernetes/city-guesser/main.tf +++ b/modules/kubernetes/city-guesser/main.tf @@ -1,5 +1,5 @@ variable "tls_secret_name" {} -# variable "dockerhub_password" {} +variable "tier" { type = string } resource "kubernetes_namespace" "city-guesser" { metadata { @@ -16,18 +16,13 @@ module "tls_secret" { tls_secret_name = var.tls_secret_name } -# module "dockerhub_creds" { -# source = "../dockerhub_secret" -# namespace = "website" -# password = var.dockerhub_password -# } - resource "kubernetes_deployment" "city-guesser" { metadata { name = "city-guesser" namespace = "city-guesser" labels = { - run = "city-guesser" + run = "city-guesser" + tier = var.tier } } spec { diff --git a/modules/kubernetes/cloudflared/main.tf b/modules/kubernetes/cloudflared/main.tf index bbd33b47..e5c63b45 100644 --- a/modules/kubernetes/cloudflared/main.tf +++ b/modules/kubernetes/cloudflared/main.tf @@ -7,6 +7,7 @@ resource "kubernetes_namespace" "cloudflared" { name = "cloudflared" } } +variable "tier" { type = string } module "tls_secret" { source = "../setup_tls_secret" @@ -19,7 +20,8 @@ resource "kubernetes_deployment" "cloudflared" { name = "cloudflared" namespace = kubernetes_namespace.cloudflared.metadata[0].name labels = { - app = "cloudflared" + app = "cloudflared" + tier = var.tier } annotations = { "reloader.stakater.com/search" = "true" diff --git a/modules/kubernetes/crowdsec/main.tf b/modules/kubernetes/crowdsec/main.tf index e3cb5566..a06fa429 100644 --- a/modules/kubernetes/crowdsec/main.tf +++ b/modules/kubernetes/crowdsec/main.tf 
@@ -6,6 +6,7 @@ variable "enroll_key" {} variable "crowdsec_dash_api_key" { type = string } # used for web dash variable "crowdsec_dash_machine_id" { type = string } # used for web dash variable "crowdsec_dash_machine_password" { type = string } # used for web dash +variable "tier" { type = string } module "tls_secret" { source = "../setup_tls_secret" @@ -16,6 +17,9 @@ module "tls_secret" { resource "kubernetes_namespace" "crowdsec" { metadata { name = "crowdsec" + labels = { + tier = var.tier + } } } @@ -35,7 +39,7 @@ resource "kubernetes_config_map" "crowdsec_custom_scenarios" { description: "Detect IPs triggering too many HTTP 403s in NGINX ingress logs" filter: "evt.Meta.log_type == 'http_access-log' && evt.Parsed.status == '403'" groupby: "evt.Meta.source_ip" - leakspeed: "30s" + leakspeed: "2s" capacity: 10 blackhole: 5m labels: @@ -84,6 +88,7 @@ resource "kubernetes_deployment" "crowdsec-web" { labels = { app = "crowdsec_web" "kubernetes.io/cluster-service" = "true" + tier = var.tier } } spec { diff --git a/modules/kubernetes/cyberchef/main.tf b/modules/kubernetes/cyberchef/main.tf index 8049635e..b8f4041c 100644 --- a/modules/kubernetes/cyberchef/main.tf +++ b/modules/kubernetes/cyberchef/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } resource "kubernetes_namespace" "cyberchef" { metadata { name = "cyberchef" @@ -16,7 +17,8 @@ resource "kubernetes_deployment" "cyberchef" { name = "cyberchef" namespace = kubernetes_namespace.cyberchef.metadata[0].name labels = { - app = "cyberchef" + app = "cyberchef" + tier = var.tier } annotations = { "reloader.stakater.com/search" = "true" diff --git a/modules/kubernetes/dashy/main.tf b/modules/kubernetes/dashy/main.tf index 1fb34fb9..67d839b7 100644 --- a/modules/kubernetes/dashy/main.tf +++ b/modules/kubernetes/dashy/main.tf @@ -1,5 +1,6 @@ variable "tls_secret_name" {} +variable "tier" { type = string } module "tls_secret" { source = "../setup_tls_secret" 
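Review bot: Dropping `leakspeed` from `30s` to `2s` on the 403 scenario makes it less sensitive, not more: with `capacity: 10` the bucket now only overflows when one IP produces more than about ten 403s inside roughly twenty seconds, whereas before it caught ten 403s spread over five minutes, so a slow enumeration at one request every few seconds no longer trips the ban. If the goal was to stop bursty-but-legitimate clients from being banned, the commit should say so; otherwise raising `capacity` alongside the short leak, or keeping the longer window, preserves the original coverage. A one-line comment above the scenario such as `# 2s leak / capacity 10: ban only sustained bursts of 403s, not slow scans` would record the rationale for the next reader.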
@@ -36,7 +37,8 @@ resource "kubernetes_deployment" "dashy" { name = "dashy" namespace = kubernetes_namespace.dashy.metadata[0].name labels = { - app = "dashy" + app = "dashy" + tier = var.tier } annotations = { "reloader.stakater.com/search" = "true" diff --git a/modules/kubernetes/dawarich/main.tf b/modules/kubernetes/dawarich/main.tf index d6a1cef5..215b18ef 100644 --- a/modules/kubernetes/dawarich/main.tf +++ b/modules/kubernetes/dawarich/main.tf @@ -1,9 +1,10 @@ variable "tls_secret_name" {} +variable "tier" { type = string } variable "database_password" {} variable "geoapify_api_key" {} variable "image_version" { type = string - default = "0.36.3" + default = "0.37.1" } resource "kubernetes_namespace" "dawarich" { @@ -26,7 +27,8 @@ resource "kubernetes_deployment" "dawarich" { name = "dawarich" namespace = kubernetes_namespace.dawarich.metadata[0].name labels = { - app = "dawarich" + app = "dawarich" + tier = var.tier } annotations = { "reloader.stakater.com/search" = "true" 
@@ -137,78 +139,78 @@ resource "kubernetes_deployment" "dawarich" { # mount_path = "/var/app/tmp/imports/watched" # } } - container { - image = "freikin/dawarich:${var.image_version}" - name = "dawarich-sidekiq" - command = ["sidekiq-entrypoint.sh"] - args = ["sidekiq"] - env { - name = "REDIS_URL" - value = "redis://redis.redis.svc.cluster.local:6379" - } - env { - name = "DATABASE_HOST" - value = "postgresql.dbaas" - } - env { - name = "DATABASE_USERNAME" - value = "dawarich" - } - env { - name = "DATABASE_PASSWORD" - value = var.database_password - } - env { - name = "DATABASE_NAME" - value = "dawarich" - } - env { - name = "MIN_MINUTES_SPENT_IN_CITY" - value = "60" - } - env { - name = "BACKGROUND_PROCESSING_CONCURRENCY" - value = "10" - } - env { - name = "ENABLE_TELEMETRY" - value = "true" - } - env { - name = "APPLICATION_HOST" - value = "dawarich.viktorbarzin.me" - } - # env { - # name = "PROMETHEUS_EXPORTER_ENABLED" - # value = "false" - # } - # env { - # name = "PROMETHEUS_EXPORTER_HOST" - # value = "dawarich.dawarich" - # } - # env { - # name = "PHOTON_API_HOST" - # value = "photon.dawarich:2322" - # # value = "photon.komoot.io" - # } - # env { - # name = "PHOTON_API_USE_HTTPS" - # value = "false" - # } - env { - name = "GEOAPIFY_API_KEY" - value = var.geoapify_api_key - } - env { - name = "SELF_HOSTED" - value = "true" - } + # container { + # image = "freikin/dawarich:${var.image_version}" + # name = "dawarich-sidekiq" + # command = ["sidekiq-entrypoint.sh"] + # args = ["bundle exec sidekiq"] + # env { + # name = "REDIS_URL" + # value = "redis://redis.redis.svc.cluster.local:6379" + # } + # env { + # name = "DATABASE_HOST" + # value = "postgresql.dbaas" + # } + # env { + # name = "DATABASE_USERNAME" + # value = "dawarich" + # } + # env { + # name = "DATABASE_PASSWORD" + # value = var.database_password + # } + # env { + # name = "DATABASE_NAME" + # value = "dawarich" + # } + # env { + # name = "MIN_MINUTES_SPENT_IN_CITY" + # value = "60" + # } + # env { 
+ # name = "BACKGROUND_PROCESSING_CONCURRENCY" + # value = "10" + # } + # env { + # name = "ENABLE_TELEMETRY" + # value = "true" + # } + # env { + # name = "APPLICATION_HOST" + # value = "dawarich.viktorbarzin.me" + # } + # # env { + # # name = "PROMETHEUS_EXPORTER_ENABLED" + # # value = "false" + # # } + # # env { + # # name = "PROMETHEUS_EXPORTER_HOST" + # # value = "dawarich.dawarich" + # # } + # # env { + # # name = "PHOTON_API_HOST" + # # value = "photon.dawarich:2322" + # # # value = "photon.komoot.io" + # # } + # # env { + # # name = "PHOTON_API_USE_HTTPS" + # # value = "false" + # # } + # env { + # name = "GEOAPIFY_API_KEY" + # value = var.geoapify_api_key + # } + # env { + # name = "SELF_HOSTED" + # value = "true" + # } - # volume_mount { - # name = "watched" - # mount_path = "/var/app/tmp/imports/watched" - # } - } + # # volume_mount { + # # name = "watched" + # # mount_path = "/var/app/tmp/imports/watched" + # # } + # } } } } diff --git a/modules/kubernetes/dbaas/main.tf b/modules/kubernetes/dbaas/main.tf index 5d3a9d8f..0ec05257 100644 --- a/modules/kubernetes/dbaas/main.tf +++ b/modules/kubernetes/dbaas/main.tf @@ -1,5 +1,6 @@ # DB as a service. Installs MySQL operator variable "tls_secret_name" {} +variable "tier" { type = string } variable "dbaas_root_password" {} variable "cluster_master_service" { default = "mysql" @@ -99,6 +100,9 @@ resource "kubernetes_deployment" "mysql" { annotations = { "reloader.stakater.com/search" = "true" } + labels = { + tier = var.tier + } } spec { replicas = 1 @@ -358,6 +362,7 @@ resource "kubernetes_deployment" "phpmyadmin" { namespace = kubernetes_namespace.dbaas.metadata[0].name labels = { "app" = "phpmyadmin" + tier = var.tier } annotations = { @@ -684,6 +689,9 @@ resource "kubernetes_deployment" "postgres" { annotations = { "reloader.stakater.com/search" = "true" } + labels = { + tier = var.tier + } } spec { selector { 
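Review bot: The sidekiq container is left behind as an ~80-line commented-out block instead of being deleted; git history already preserves the old definition, and the commented copy is not even what ran before — `args = ["bundle exec sidekiq"]` is a single list element that would be passed as one argument and fail if it is ever uncommented. Deleting the block, or leaving a one-line marker such as `# sidekiq worker removed; see git history if background processing needs to come back`, keeps the deployment readable. Without the worker, whatever background jobs dawarich handed to sidekiq no longer run — I can't tell from this diff whether 0.37.1 changed that, so please confirm imports still get processed. The `kubernetes_deployment.dawarich` block begins before this hunk.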
@@ -777,6 +785,9 @@ resource "kubernetes_deployment" "pgadmin" { annotations = { "reloader.stakater.com/search" = "true" } + labels = { + tier = var.tier + } } spec { selector { diff --git a/modules/kubernetes/descheduler/main.tf b/modules/kubernetes/descheduler/main.tf index 4d49240a..e7fed580 100644 --- a/modules/kubernetes/descheduler/main.tf +++ b/modules/kubernetes/descheduler/main.tf @@ -74,7 +74,7 @@ resource "kubernetes_cluster_role_binding" "descheduler" { } } -resource "helm_release" "prometheus" { +resource "helm_release" "descheduler" { # rename me namespace = kubernetes_namespace.descheduler.metadata[0].name name = "descheduler" diff --git a/modules/kubernetes/diun/main.tf b/modules/kubernetes/diun/main.tf index 3a075d4d..46aec4ca 100644 --- a/modules/kubernetes/diun/main.tf +++ b/modules/kubernetes/diun/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } variable "diun_nfty_token" {} variable "diun_slack_url" {} @@ -56,7 +57,8 @@ resource "kubernetes_deployment" "diun" { name = "diun" namespace = kubernetes_namespace.diun.metadata[0].name labels = { - app = "diun" + app = "diun" + tier = var.tier } annotations = { "reloader.stakater.com/search" = "true" diff --git a/modules/kubernetes/drone/main.tf b/modules/kubernetes/drone/main.tf index de9c02a6..eb730be6 100644 --- a/modules/kubernetes/drone/main.tf +++ b/modules/kubernetes/drone/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } variable "github_client_id" {} variable "github_client_secret" {} variable "rpc_secret" {} @@ -43,7 +44,8 @@ resource "kubernetes_deployment" "drone_server" { name = "drone-server" namespace = kubernetes_namespace.drone.metadata[0].name labels = { - app = "drone" + app = "drone" + tier = var.tier } } spec { 
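Review bot: Renaming the resource from `helm_release.prometheus` to `helm_release.descheduler` changes its Terraform address, so the next apply will plan to destroy the existing release and create a new one — the descheduler is uninstalled and reinstalled rather than left alone — unless state is migrated. Add a `moved` block next to the resource with `from = helm_release.prometheus` and `to = helm_release.descheduler` (or run `terraform state mv` before applying) so the rename is a no-op. The `# rename me` comment on the same line is now stale and can be dropped.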
@@ -211,7 +213,8 @@ resource "kubernetes_deployment" "drone_runner" { name = "drone-runner" namespace = kubernetes_namespace.drone.metadata[0].name labels = { - app = "drone-runner" + app = "drone-runner" + tier = var.tier } } spec { @@ -286,7 +289,8 @@ resource "kubernetes_deployment" "drone_runner_secret" { name = "drone-runner-secret" namespace = kubernetes_namespace.drone.metadata[0].name labels = { - app = "drone-runner-secret" + app = "drone-runner-secret" + tier = var.tier } } spec { diff --git a/modules/kubernetes/ebook2audiobook/main.tf b/modules/kubernetes/ebook2audiobook/main.tf new file mode 100644 index 00000000..0e1801cc --- /dev/null +++ b/modules/kubernetes/ebook2audiobook/main.tf 
@@ -0,0 +1,291 @@ + +variable "tls_secret_name" {} +variable "tier" { type = string } + +module "tls_secret" { + source = "../setup_tls_secret" + namespace = kubernetes_namespace.ebook2audiobook.metadata[0].name + tls_secret_name = var.tls_secret_name +} + +resource "kubernetes_namespace" "ebook2audiobook" { + metadata { + name = "ebook2audiobook" + labels = { + "istio-injection" : "disabled" + } + } +} + + +# resource "kubernetes_deployment" "ebook2audiobook" { +# metadata { +# name = "ebook2audiobook" +# namespace = kubernetes_namespace.ebook2audiobook.metadata[0].name +# labels = { +# app = "ebook2audiobook" +# } +# } +# spec { +# replicas = 1 +# strategy { +# type = "Recreate" +# } + +# selector { +# match_labels = { +# app = "ebook2audiobook" +# } +# } + +# template { +# metadata { +# labels = { +# app = "ebook2audiobook" +# } +# } + +# spec { +# container { +# name = "ebook2audiobook" +# # image = "docker.io/athomasson2/ebook2audiobook:latest" +# image = "docker.io/athomasson2/ebook2audiobook:v25.12.30-cu128" + +# working_dir = "/app" +# # command = ["python", "app.py", "--script_mode", "full_docker"] +# # command = ["/bin/bash", "-c", <<-EOT +# # # echo "Uninstalling current pytorch" +# # # pip uninstall -y torch torchvision torchaudio coqui-tts pyannote.audio torchcodec || true +# # # echo "Installing cuda13 compatible pytorch" +# # # pip install --pre --extra-index-url https://download.pytorch.org/whl/nightly/cu130 torch torchvision torchaudio pyannote.audio torchcodec triton deepspeed coqui-tts-trainer +# # # #pip install torch==2.9.0 torchvision==0.24.0 torchaudio==2.9.0 --index-url https://download.pytorch.org/whl/cu130 +# # # echo "Starting main container" +# # #python app.py --script_mode full_docker +# # sleep 3600 +# # EOT +# # ] + +# tty = true +# stdin = true + +# port { +# container_port = 7860 +# } + +# volume_mount { +# mount_path = "/app" +# name = "data" +# } + +# resources { +# limits = { +# "nvidia.com/gpu" = "1" +# } +# } +# 
security_context { +# privileged = true +# } +# } + +# volume { +# name = "data" +# nfs { +# server = "10.0.10.15" +# path = "/mnt/main/ebook2audiobook" +# } +# } +# } +# } +# } +# } + + +resource "kubernetes_service" "ebook2audiobook" { + metadata { + name = "ebook2audiobook" + namespace = kubernetes_namespace.ebook2audiobook.metadata[0].name + labels = { + "app" = "ebook2audiobook" + } + } + + spec { + selector = { + app = "ebook2audiobook" + } + port { + name = "http" + port = 80 + target_port = 7860 + } + } +} + +# resource "kubernetes_deployment" "piper" { +# metadata { +# name = "piper" +# namespace = kubernetes_namespace.ebook2audiobook.metadata[0].name +# labels = { +# app = "piper" +# } +# } +# spec { +# replicas = 1 +# strategy { +# type = "Recreate" +# } + +# selector { +# match_labels = { +# app = "piper" +# } +# } + +# template { +# metadata { +# labels = { +# app = "piper" +# } +# } + +# spec { +# container { +# name = "piper" +# # image = "lscr.io/linuxserver/piper:gpu" +# # image = "piper-tts-wyoming:latest" +# image = "viktorbarzin/piper" +# # image = "nvidia/cuda:12.8.1-cudnn-devel-ubuntu24.04" + +# # working_dir = "/app" +# command = ["sleep", "3600"] + +# volume_mount { +# mount_path = "/config" +# name = "data" +# } + +# resources { +# limits = { +# "nvidia.com/gpu" = "1" +# } +# } +# # env { +# # name = "PIPER_VOICE" +# # value = "en_US-lessac-medium" +# # } + +# env { +# name = "VOICE_MODEL" +# value = "en_US-lessac-medium" +# } +# env { +# name = "LOG_LEVEL" +# value = "DEBUG" +# } +# port { +# name = "web" +# container_port = 10200 +# } +# } + +# volume { +# name = "data" +# nfs { +# server = "10.0.10.15" +# path = "/mnt/main/piper" +# } +# } +# } +# } +# } +# } + +# resource "kubernetes_service" "piper" { +# metadata { +# name = "piper" +# namespace = kubernetes_namespace.ebook2audiobook.metadata[0].name +# labels = { +# "app" = "piper" +# } +# } + +# spec { +# selector = { +# app = "piper" +# } +# port { +# name = "http" +# port = 80 +# 
target_port = 10200 +# } +# } +# } + + +module "ingress" { + source = "../ingress_factory" + namespace = kubernetes_namespace.ebook2audiobook.metadata[0].name + name = "ebook2audiobook" + tls_secret_name = var.tls_secret_name + protected = true +} + + +resource "kubernetes_deployment" "audiblez" { + metadata { + name = "audiblez" + namespace = kubernetes_namespace.ebook2audiobook.metadata[0].name + labels = { + app = "audiblez" + tier = var.tier + } + } + spec { + replicas = 1 + selector { + match_labels = { + app = "audiblez" + } + } + template { + metadata { + labels = { + app = "audiblez" + } + } + spec { + node_selector = { + "gpu" : "true" + } + container { + image = "viktorbarzin/audiblez:latest" + name = "audiblez" + command = ["/usr/bin/sleep", "86400"] + volume_mount { + name = "data" + mount_path = "/mnt" + } + # security_context { + # privileged = true + # capabilities { + # add = ["SYS_ADMIN"] + # } + # } + resources { + limits = { + "nvidia.com/gpu" = "1" + } + } + } + volume { + name = "data" + nfs { + server = "10.0.10.15" + path = "/mnt/main/audiblez" + } + } + } + } + } +} + diff --git a/modules/kubernetes/echo/main.tf b/modules/kubernetes/echo/main.tf index e668d87c..724e07d4 100644 --- a/modules/kubernetes/echo/main.tf +++ b/modules/kubernetes/echo/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } resource "kubernetes_namespace" "echo" { metadata { @@ -20,7 +21,8 @@ resource "kubernetes_deployment" "echo" { name = "echo" namespace = kubernetes_namespace.echo.metadata[0].name labels = { - app = "echo" + app = "echo" + tier = var.tier } } spec { diff --git a/modules/kubernetes/excalidraw/main.tf b/modules/kubernetes/excalidraw/main.tf index 206f8879..2df6db3a 100644 --- a/modules/kubernetes/excalidraw/main.tf +++ b/modules/kubernetes/excalidraw/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } resource "kubernetes_namespace" "excalidraw" { metadata { 
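Review bot: The `audiblez` deployment runs `viktorbarzin/audiblez:latest` as a `sleep 86400` idle container with a GPU reserved and the `/mnt/main/audiblez` NFS export mounted, with no `security_context` at all — effectively a long-lived interactive shell box on a GPU node. Pin the image by tag or digest as this commit already does for audiobookshelf (`ghcr.io/advplyr/audiobookshelf:2.32.1`), and, if the image permits, add `security_context { run_as_non_root = true  allow_privilege_escalation = false }` on the container while keeping the commented `privileged = true` / `SYS_ADMIN` lines out. The `ebook2audiobook` Service and `protected = true` ingress select `app = ebook2audiobook`, but the only deployment carrying that label is commented out, so the ingress currently fronts an endpoint-less service; better to drop the service and ingress until a deployment exists than to leave a dangling protected hostname.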
@@ -21,7 +22,8 @@ resource "kubernetes_deployment" "excalidraw" { name = "excalidraw" namespace = kubernetes_namespace.excalidraw.metadata[0].name labels = { - app = "excalidraw" + app = "excalidraw" + tier = var.tier } } spec { diff --git a/modules/kubernetes/f1-stream/main.tf b/modules/kubernetes/f1-stream/main.tf index bb0569bb..24caf9da 100644 --- a/modules/kubernetes/f1-stream/main.tf +++ b/modules/kubernetes/f1-stream/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } resource "kubernetes_namespace" "f1-stream" { metadata { @@ -14,7 +15,8 @@ resource "kubernetes_deployment" "f1-stream" { name = "f1-stream" namespace = kubernetes_namespace.f1-stream.metadata[0].name labels = { - app = "f1-stream" + app = "f1-stream" + tier = var.tier } } spec { diff --git a/modules/kubernetes/forgejo/main.tf b/modules/kubernetes/forgejo/main.tf index e495b8a6..b1960ff0 100644 --- a/modules/kubernetes/forgejo/main.tf +++ b/modules/kubernetes/forgejo/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } resource "kubernetes_namespace" "forgejo" { metadata { @@ -20,7 +21,8 @@ resource "kubernetes_deployment" "forgejo" { name = "forgejo" namespace = kubernetes_namespace.forgejo.metadata[0].name labels = { - app = "forgejo" + app = "forgejo" + tier = var.tier } } spec { diff --git a/modules/kubernetes/freshrss/main.tf b/modules/kubernetes/freshrss/main.tf index 545ba50f..5972e2a2 100644 --- a/modules/kubernetes/freshrss/main.tf +++ b/modules/kubernetes/freshrss/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } module "tls_secret" { source = "../setup_tls_secret" @@ -20,6 +21,7 @@ resource "kubernetes_deployment" "freshrss" { labels = { app = "freshrss" "kubernetes.io/cluster-service" = "true" + tier = var.tier } } spec { diff --git a/modules/kubernetes/frigate/main.tf b/modules/kubernetes/frigate/main.tf index 261b75bb..215836a4 100644 
--- a/modules/kubernetes/frigate/main.tf +++ b/modules/kubernetes/frigate/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } resource "kubernetes_namespace" "frigate" { metadata { @@ -20,7 +21,8 @@ resource "kubernetes_deployment" "frigate" { name = "frigate" namespace = kubernetes_namespace.frigate.metadata[0].name labels = { - app = "frigate" + app = "frigate" + tier = var.tier } annotations = { "reloader.stakater.com/search" = "true" diff --git a/modules/kubernetes/hackmd/main.tf b/modules/kubernetes/hackmd/main.tf index 0d3d6490..e8bbdaed 100644 --- a/modules/kubernetes/hackmd/main.tf +++ b/modules/kubernetes/hackmd/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } variable "hackmd_db_password" {} resource "kubernetes_namespace" "hackmd" { @@ -23,6 +24,7 @@ resource "kubernetes_deployment" "hackmd" { labels = { app = "hackmd" "kubernetes.io/cluster-service" = "true" + tier = var.tier } } spec { diff --git a/modules/kubernetes/headscale/main.tf b/modules/kubernetes/headscale/main.tf index 9ffac4e9..61ad739c 100644 --- a/modules/kubernetes/headscale/main.tf +++ b/modules/kubernetes/headscale/main.tf @@ -1,5 +1,6 @@ variable "tls_secret_name" {} +variable "tier" { type = string } variable "headscale_config" {} variable "headscale_acl" {} @@ -20,7 +21,8 @@ resource "kubernetes_deployment" "headscale" { name = "headscale" namespace = kubernetes_namespace.headscale.metadata[0].name labels = { - app = "headscale" + app = "headscale" + tier = var.tier # scare to try but probably non-http will fail # "istio-injection" : "enabled" } diff --git a/modules/kubernetes/homepage/main.tf b/modules/kubernetes/homepage/main.tf index ecdc421a..9f8f0d31 100644 --- a/modules/kubernetes/homepage/main.tf +++ b/modules/kubernetes/homepage/main.tf @@ -1,5 +1,5 @@ - variable "tls_secret_name" {} +variable "tier" { type = string } module "tls_secret" { source = "../setup_tls_secret" 
@@ -12,6 +12,7 @@ resource "kubernetes_namespace" "homepage" { name = "homepage" labels = { "istio-injection" : "disabled" + tier = var.tier } } } diff --git a/modules/kubernetes/immich/frame.tf b/modules/kubernetes/immich/frame.tf index b81d29c5..3d07176d 100644 --- a/modules/kubernetes/immich/frame.tf +++ b/modules/kubernetes/immich/frame.tf @@ -41,6 +41,9 @@ resource "kubernetes_deployment" "immich-frame" { annotations = { "reloader.stakater.com/search" = "true" } + labels = { + tier = var.tier + } } spec { diff --git a/modules/kubernetes/immich/main.tf b/modules/kubernetes/immich/main.tf index 19522715..aca51fe6 100644 --- a/modules/kubernetes/immich/main.tf +++ b/modules/kubernetes/immich/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } variable "postgresql_password" {} variable "homepage_token" {} variable "immich_version" { @@ -26,7 +27,8 @@ resource "kubernetes_deployment" "immich_server" { namespace = kubernetes_namespace.immich.metadata[0].name labels = { - app = "immich-server" + app = "immich-server" + tier = var.tier } } @@ -235,6 +237,9 @@ resource "kubernetes_deployment" "immich-postgres" { metadata { name = "immich-postgresql" namespace = kubernetes_namespace.immich.metadata[0].name + labels = { + tier = var.tier + } } spec { replicas = 1 @@ -334,6 +339,9 @@ resource "kubernetes_deployment" "immich-machine-learning" { metadata { name = "immich-machine-learning" namespace = kubernetes_namespace.immich.metadata[0].name + labels = { + tier = var.tier + } } spec { replicas = 1 diff --git a/modules/kubernetes/ingress_factory/main.tf b/modules/kubernetes/ingress_factory/main.tf index 4c21ac5f..89e8bc7c 100644 --- a/modules/kubernetes/ingress_factory/main.tf +++ b/modules/kubernetes/ingress_factory/main.tf 
@@ -107,7 +107,7 @@ resource "kubernetes_ingress_v1" "proxied-ingress" { "nginx.ingress.kubernetes.io/proxy-read-timeout" : var.proxy_timeout "nginx.ingress.kubernetes.io/proxy-buffering" : "on" - "nginx.ingress.kubernetes.io/whitelist-source-range" : var.allow_local_access_only ? "192.168.1.0/24, 10.0.0.0/8" : "0.0.0.0/0" + "nginx.ingress.kubernetes.io/whitelist-source-range" : var.allow_local_access_only ? "192.168.1.0/24, 10.0.0.0/8, ::1/128, fc00::/7, fe80::/10" : "0.0.0.0/0, ::/0" "nginx.ingress.kubernetes.io/ssl-redirect" : "${var.ssl_redirect}" # DDOS protection diff --git a/modules/kubernetes/isponsorblocktv/main.tf b/modules/kubernetes/isponsorblocktv/main.tf index 40773697..e7b452be 100644 --- a/modules/kubernetes/isponsorblocktv/main.tf +++ b/modules/kubernetes/isponsorblocktv/main.tf @@ -1,4 +1,5 @@ # https://github.com/dmunozv04/iSponsorBlockTV +variable "tier" { type = string } resource "kubernetes_namespace" "isponsorblocktv" { metadata { @@ -17,7 +18,8 @@ resource "kubernetes_deployment" "isponsorblocktv-vermont" { name = "isponsorblocktv-vermont" namespace = kubernetes_namespace.isponsorblocktv.metadata[0].name labels = { - app = "isponsorblocktv-vermont" + app = "isponsorblocktv-vermont" + tier = var.tier } } spec { diff --git a/modules/kubernetes/jsoncrack/main.tf b/modules/kubernetes/jsoncrack/main.tf index db5d8df3..bfa02284 100644 --- a/modules/kubernetes/jsoncrack/main.tf +++ b/modules/kubernetes/jsoncrack/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } resource "kubernetes_namespace" "jsoncrack" { metadata { @@ -19,7 +20,8 @@ resource "kubernetes_deployment" "jsoncrack" { name = "jsoncrack" namespace = kubernetes_namespace.jsoncrack.metadata[0].name labels = { - app = "jsoncrack" + app = "jsoncrack" + tier = var.tier } } spec { diff --git a/modules/kubernetes/k8s-dashboard/main.tf b/modules/kubernetes/k8s-dashboard/main.tf index ac815daf..20ded87d 100644 --- a/modules/kubernetes/k8s-dashboard/main.tf 
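Review bot: The IPv6 additions keep the `allow_local_access_only` allow-list very broad: `10.0.0.0/8` and the new `fc00::/7` admit any RFC 1918 / ULA source, which in a Kubernetes cluster usually includes the pod and service CIDRs, so any in-cluster proxy forwarding to this ingress (the `cloudflared` tunnel in this repo, for example) would look like a "local" client unless ingress-nginx is configured with `use-forwarded-headers` / `proxy-real-ip-cidr` to recover the original address — that config is not in this diff, so please confirm. Tightening the list to the actual LAN and VPN prefixes, and recording the assumption with a comment such as `# assumes nginx sees the real client IP; in-cluster proxies fall inside 10.0.0.0/8 and fc00::/7`, would make the intent explicit. The `0.0.0.0/0, ::/0` value on the other branch is equivalent to no restriction, which is fine but worth a short comment so a reader doesn't expect the annotation to be omitted instead.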
+++ b/modules/kubernetes/k8s-dashboard/main.tf @@ -1,5 +1,6 @@ variable "tls_secret_name" {} variable "client_certificate_secret_name" {} +variable "tier" { type = string } resource "random_password" "csrf_token" { length = 16 @@ -25,6 +26,7 @@ resource "kubernetes_namespace" "k8s-dashboard" { name = "kubernetes-dashboard" labels = { "istio-injection" : "disabled" + tier = var.tier } } } diff --git a/modules/kubernetes/keyserver/deploy_keyserver.yaml b/modules/kubernetes/keyserver/deploy_keyserver.yaml new file mode 100644 index 00000000..2a5b5291 --- /dev/null +++ b/modules/kubernetes/keyserver/deploy_keyserver.yaml 
@@ -0,0 +1,155 @@ +# @nocommit: job to periodically update the certs +--- +- name: Deploy Nginx-based key server for TrueNAS unlock + hosts: keyserver + become: true + vars: + server_name: "keyserver.viktorbarzin.me" + key_filename: "truenas.key" + htpasswd_user: "truenas" + htpasswd_password: "3RgTvqHWeiae7drCUBGyj6XZSIP" # replace with vault + ssl_cert_path: "/etc/ssl/certs/keyserver.crt" + ssl_key_path: "/etc/ssl/private/keyserver.key" + local_ssl_cert: "../../../secrets/fullchain.pem" # LOCAL path + local_ssl_key: "../../../secrets/privkey.pem" # LOCAL path + + tasks: + + - name: Install packages + apt: + name: + - nginx + - apache2-utils + - python3-passlib + state: present + update_cache: yes + + - name: Create basic-auth file + community.general.htpasswd: + path: /etc/nginx/.htpasswd + name: "{{ htpasswd_user }}" + password: "{{ htpasswd_password }}" + crypt_scheme: bcrypt + + - name: Create key directory + file: + path: /srv/keys + state: directory + owner: root + group: root + mode: '0755' + + - name: Create key file if it doesn't exist + command: "head -c 128 /dev/urandom > /srv/keys/{{ key_filename }}" + args: + creates: "/srv/keys/{{ key_filename }}" + + - name: Set key file permissions + file: + path: "/srv/keys/{{ key_filename }}" + owner: www-data + group: www-data + mode: '0640' + + - name: Enable info logging in nginx.conf + lineinfile: + path: /etc/nginx/nginx.conf + regexp: '^(\s*)error_log' + line: ' error_log /var/log/nginx/error.log info;' + insertafter: 'http {' + notify: reload nginx + + - name: Ensure rate limit config exists + copy: + dest: /etc/nginx/conf.d/ratelimit.conf + content: | + limit_req_zone $binary_remote_addr zone=authfail:10m rate=5r/m; + notify: reload nginx + + - name: Deploy keyserver nginx site + copy: + dest: /etc/nginx/sites-available/keyserver.conf + content: | + server { + listen 443 ssl; + server_name {{ server_name }}; + + ssl_certificate {{ ssl_cert_path }}; + ssl_certificate_key {{ ssl_key_path }}; + + 
ssl_protocols TLSv1.2 TLSv1.3; + ssl_prefer_server_ciphers on; + + limit_req zone=authfail burst=2 nodelay; + + location /keys/ { + alias /srv/keys/; + + auth_basic "Restricted"; + auth_basic_user_file /etc/nginx/.htpasswd; + + autoindex off; + + add_header Cache-Control "no-store, no-cache, must-revalidate, max-age=0" always; + } + } + notify: reload nginx + + - name: Enable keyserver site + file: + src: /etc/nginx/sites-available/keyserver.conf + dest: /etc/nginx/sites-enabled/keyserver.conf + state: link + notify: reload nginx + + - name: Remove default site + file: + path: /etc/nginx/sites-enabled/default + state: absent + notify: reload nginx + + - name: Copy SSL certificate to server + copy: + src: "{{ local_ssl_cert }}" + dest: "{{ ssl_cert_path }}" + owner: root + group: root + mode: '0644' + notify: reload nginx + + - name: Copy SSL private key to server + copy: + src: "{{ local_ssl_key }}" + dest: "{{ ssl_key_path }}" + owner: root + group: root + mode: '0644' + notify: reload nginx + + # - name: Create self-signed SSL certificate if missing + # command: > + # openssl req -x509 -newkey rsa:2048 -nodes + # -keyout {{ ssl_key_path }} + # -out {{ ssl_cert_path }} + # -days 365 + # -subj "/CN={{ server_name }}" + # args: + # creates: "{{ ssl_cert_path }}" + notify: reload nginx + + - name: Test nginx config + command: nginx -t + register: nginx_test + failed_when: "'successful' not in nginx_test.stderr" + + - name: Ensure nginx is running + service: + name: nginx + state: started + enabled: true + + handlers: + - name: reload nginx + service: + name: nginx + state: reloaded diff --git a/modules/kubernetes/kms/main.tf b/modules/kubernetes/kms/main.tf index 4d6d703b..955a9b38 100644 --- a/modules/kubernetes/kms/main.tf +++ b/modules/kubernetes/kms/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } resource "kubernetes_namespace" "kms" { metadata { 
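Review bot: The playbook commits a plaintext basic-auth password in `htpasswd_password` (its own trailing comment says `# replace with vault`), and since that password is the only thing between the network and the TrueNAS unlock key it should be treated as compromised, rotated, and read from Ansible Vault, e.g. `htpasswd_password: "{{ vault_keyserver_htpasswd_password }}"`. The "Copy SSL private key to server" task installs the TLS private key with `mode: '0644'`, world-readable; nginx opens it as root at startup, so `mode: '0600'` is sufficient. The "Create key file if it doesn't exist" task runs `head -c 128 /dev/urandom > /srv/keys/...` through the `command` module, which performs no shell redirection, so `>` and the path are passed to `head` as extra filenames and the task errors on first run; use `shell:` or generate the key with `copy:`/`content:` instead. The `@nocommit` marker on line 1 and the `notify: reload nginx` that appears to be left orphaned under the commented-out self-signed task suggest the file was not meant to land in this form.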
@@ -32,6 +33,7 @@ resource "kubernetes_deployment" "kms-web-page" { labels = { "app" = "kms-web-page" "kubernetes.io/cluster-service" = "true" + tier = var.tier } } spec { @@ -121,7 +123,8 @@ resource "kubernetes_deployment" "windows_kms" { name = "kms" namespace = kubernetes_namespace.kms.metadata[0].name labels = { - app = "kms-service" + app = "kms-service" + tier = var.tier } } spec { diff --git a/modules/kubernetes/kyverno/main.tf b/modules/kubernetes/kyverno/main.tf new file mode 100644 index 00000000..eb50274b --- /dev/null +++ b/modules/kubernetes/kyverno/main.tf 
@@ -0,0 +1,120 @@ + +resource "kubernetes_namespace" "kyverno" { + metadata { + name = "kyverno" + labels = { + "istio-injection" : "disabled" + } + } +} + +resource "helm_release" "kyverno" { + namespace = kubernetes_namespace.kyverno.metadata[0].name + create_namespace = false + name = "kyverno" + atomic = true + + repository = "https://kyverno.github.io/kyverno/" + chart = "kyverno" + + # values = [templatefile("${path.module}/grafana_chart_values.yaml", { db_password = var.grafana_db_password })] +} + +# To unlabel all: +# kubectl label deployment,statefulset,daemonset --all-namespaces -l tier tier- +resource "kubernetes_manifest" "mutate_tier_from_namespace" { + manifest = { + apiVersion = "kyverno.io/v1" + kind = "ClusterPolicy" + metadata = { + name = "sync-tier-label-from-namespace" + } + spec = { + rules = [ + { + name = "lookup-and-add-tier" + match = { + any = [ + { + resources = { + kinds = ["Deployment", "StatefulSet", "DaemonSet"] + } + } + ] + } + exclude = { + any = [ + { + resources = { + namespaces = ["kube-system", "metallb-system", "n8n"] + } + } + ] + } + # Context allows us to perform an API call to get Namespace metadata + context = [ + { + name = "namespaceLabel" + apiCall = { + urlPath = "/api/v1/namespaces/{{request.namespace}}" + jmesPath = "metadata.labels.tier || 'default'" + } + } + ] + mutate = { + patchStrategicMerge = { + metadata = { + labels = { + # Injects the variable discovered in the context above + "+(tier)" = "{{namespaceLabel}}" + } + } + } + } + } + ] + } + } +} + +# resource "kubernetes_manifest" "enforce_pod_tier_label" { +# manifest = { +# apiVersion = "kyverno.io/v1" +# kind = "ClusterPolicy" +# metadata = { +# name = "enforce-pod-tier-label" +# annotations = { +# "policies.kyverno.io/description" = "Rejects any pod that does not have a tier label." +# } +# } +# spec = { +# # 'Enforce' blocks the creation. 'Audit' just reports it. 
+# validationFailureAction = "Enforce" +# background = true +# rules = [ +# { +# name = "check-for-tier-label" +# match = { +# any = [ +# { +# resources = { +# kinds = ["Pod"] +# } +# } +# ] +# } +# validate = { +# message = "The label 'tier' is required for all pods in this cluster." +# pattern = { +# metadata = { +# labels = { +# "tier" = "?*" # The "?*" syntax means the value must not be empty +# } +# } +# } +# } +# } +# ] +# } +# } +# } diff --git a/modules/kubernetes/linkwarden/main.tf b/modules/kubernetes/linkwarden/main.tf index b16a3fff..a1d1ea66 100644 --- a/modules/kubernetes/linkwarden/main.tf +++ b/modules/kubernetes/linkwarden/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } variable "postgresql_password" {} variable "authentik_client_id" {} variable "authentik_client_secret" {} @@ -26,7 +27,8 @@ resource "kubernetes_deployment" "linkwarden" { name = "linkwarden" namespace = kubernetes_namespace.linkwarden.metadata[0].name labels = { - app = "linkwarden" + app = "linkwarden" + tier = var.tier } annotations = { "reloader.stakater.com/search" = "true" diff --git a/modules/kubernetes/mailserver/main.tf b/modules/kubernetes/mailserver/main.tf index 2e1b3805..bd30225b 100644 --- a/modules/kubernetes/mailserver/main.tf +++ b/modules/kubernetes/mailserver/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } variable "mailserver_accounts" {} variable "postfix_account_aliases" {} variable "opendkim_key" {} @@ -134,6 +135,7 @@ resource "kubernetes_deployment" "mailserver" { namespace = kubernetes_namespace.mailserver.metadata[0].name labels = { "app" = "mailserver" + tier = var.tier } annotations = { "reloader.stakater.com/search" = "true" @@ -157,7 +159,6 @@ resource "kubernetes_deployment" "mailserver" { labels = { "app" = "mailserver" "role" = "mail" - "tier" = "backend" } } spec { 
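Review bot: The `patchStrategicMerge` in `sync-tier-label-from-namespace` writes `metadata.labels` on the Deployment/StatefulSet/DaemonSet, not `spec.template.metadata.labels`, so the Pods those controllers create still carry no `tier` label — and this commit also removes the mailserver pod-template `"tier" = "backend"` label, so the commented-out `enforce-pod-tier-label` policy would reject every pod the moment it is enabled. If pods are meant to be labeled, extend the patch with `spec = { template = { metadata = { labels = { "+(tier)" = "{{namespaceLabel}}" } } } }` alongside the existing `metadata` patch. Separately, `helm_release.kyverno` sets no `version`, so the admission webhook that now sits in front of every workload admission floats to whatever the chart repository serves on the next apply; pin `version` to a known chart release. Finally, `kubernetes_manifest.mutate_tier_from_namespace` does not declare `depends_on = [helm_release.kyverno]`, and `kubernetes_manifest` needs the `ClusterPolicy` CRD to exist at plan time, so a fresh-cluster apply fails until the chart has been installed in a prior stage or `-target` run.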
diff --git a/modules/kubernetes/mailserver/roundcubemail.tf b/modules/kubernetes/mailserver/roundcubemail.tf index d1217db8..1eb4902d 100644 --- a/modules/kubernetes/mailserver/roundcubemail.tf +++ b/modules/kubernetes/mailserver/roundcubemail.tf @@ -32,6 +32,7 @@ resource "kubernetes_deployment" "roundcubemail" { namespace = "mailserver" labels = { "app" = "roundcubemail" + tier = var.tier } annotations = { "reloader.stakater.com/search" = "true" diff --git a/modules/kubernetes/main.tf b/modules/kubernetes/main.tf index 808a8f32..3e6ebb82 100644 --- a/modules/kubernetes/main.tf +++ b/modules/kubernetes/main.tf @@ -110,6 +110,7 @@ variable "grafana_db_password" { type = string } variable "clickhouse_password" { type = string } variable "clickhouse_postgres_password" { type = string } variable "wealthfolio_password_hash" { type = string } +variable "aiostreams_database_connection_string" { type = string } variable "defcon_level" { @@ -117,13 +118,13 @@ variable "defcon_level" { default = 5 validation { condition = var.defcon_level >= 1 && var.defcon_level <= 5 - error_message = "DEFCON level must be between 1 and 5. 1 is highest level or alertness" + error_message = "DEFCON level must be between 1 and 5. 1 is highest level of alertness" } } locals { defcon_modules = { 1 : ["wireguard", "technitium", "headscale", "nginx-ingress", "xray", "authentik", "cloudflare", "authelia", "monitoring"], # Critical connectivity services - 2 : ["vaultwarden", "redis", "immich", "nvidia", "metrics-server", "uptime-kuma", "crowdsec"], # Storage and other db services + 2 : ["vaultwarden", "redis", "immich", "nvidia", "metrics-server", "uptime-kuma", "crowdsec", "kyverno"], # Storage and other db services 3 : ["k8s-dashboard", "reverse-proxy"], # Cluster admin services 4 : [ "mailserver", "shadowsocks", "webhook_handler", "tuya-bridge", "dawarich", "owntracks", "nextcloud", 
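Review bot: `variable "aiostreams_database_connection_string"` is declared as a plain `type = string`, but a database connection string normally embeds the credentials, so its value will be printed in `terraform plan`/`apply` output and state diffs unless it is marked `sensitive = true`; the same applies wherever the variable is re-declared up the module chain and to how the servarr module consumes it. Expand the one-line declaration into a block containing both `type = string` and `sensitive = true`. The neighbouring password variables have the same gap, but this one is new in the commit and worth getting right on entry.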
@@ -135,13 +136,21 @@ locals { "url", "excalidraw", "travel_blog", "dashy", "send", "ytdlp", "wealthfolio", "rybbit", "stirling-pdf", "networking-toolbox", "navidrome", "freshrss", "forgejo", "tor-proxy", "real-estate-crawler", "n8n", "changedetection", "linkwarden", "matrix", "homepage", "meshcentral", "diun", "cyberchef", "ntfy", "ollama", - "servarr", "jsoncrack", "paperless-ngx", "frigate", "audiobookshelf", "tandoor" + "servarr", "jsoncrack", "paperless-ngx", "frigate", "audiobookshelf", "tandoor", "ebook2audiobook", "netbox" ], } active_modules = distinct(flatten([ for level in range(1, var.defcon_level + 1) : # From current level to 5 lookup(local.defcon_modules, level, []) ])) + + tiers = { + core = "0-core" # Bare minimum cluster primitives + cluster = "1-cluster" # All cluster primitives + gpu = "2-gpu" # GPU services + edge = "3-edge" # Critical user services + aux = "4-aux" # Optional user services + } } resource "null_resource" "core_services" { @@ -158,6 +167,7 @@ module "blog" { source = "./blog" tls_secret_name = var.tls_secret_name # dockerhub_password = var.dockerhub_password + tier = local.tiers.aux depends_on = [null_resource.core_services] } @@ -176,6 +186,7 @@ module "dbaas" { dbaas_root_password = var.dbaas_root_password postgresql_root_password = var.dbaas_postgresql_root_password pgadmin_password = var.dbaas_pgadmin_password + tier = local.tiers.core } module "descheduler" { @@ -199,6 +210,7 @@ module "drone" { rpc_secret = var.drone_rpc_secret server_host = "drone.viktorbarzin.me" server_proto = "https" + tier = local.tiers.edge depends_on = [null_resource.core_services] } @@ -207,6 +219,7 @@ module "f1-stream" { source = "./f1-stream" for_each = contains(local.active_modules, "f1-stream") ? { f1-stream = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.aux depends_on = [null_resource.core_services] } 
@@ -216,6 +229,7 @@ module "hackmd" { for_each = contains(local.active_modules, "hackmd") ? { hackmd = true } : {} hackmd_db_password = var.hackmd_db_password tls_secret_name = var.tls_secret_name + tier = local.tiers.edge depends_on = [null_resource.core_services] } @@ -230,12 +244,14 @@ module "kms" { source = "./kms" for_each = contains(local.active_modules, "kms") ? { kms = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.aux depends_on = [null_resource.core_services] } module "k8s-dashboard" { source = "./k8s-dashboard" + tier = local.tiers.cluster for_each = contains(local.active_modules, "k8s-dashboard") ? { k8s-dashboard = true } : {} tls_secret_name = var.tls_secret_name client_certificate_secret_name = var.client_certificate_secret_name @@ -252,12 +268,14 @@ module "mailserver" { opendkim_key = var.mailserver_opendkim_key sasl_passwd = var.mailserver_sasl_passwd roundcube_db_password = var.mailserver_roundcubemail_db_password + tier = local.tiers.edge depends_on = [null_resource.core_services] } module "metallb" { source = "./metallb" + tier = local.tiers.core } module "monitoring" { @@ -272,6 +290,7 @@ module "monitoring" { haos_api_token = var.haos_api_token pve_password = var.pve_password grafana_db_password = var.grafana_db_password + tier = local.tiers.cluster } # module "oauth" { 
@@ -304,21 +323,24 @@ module "privatebin" { source = "./privatebin" for_each = contains(local.active_modules, "privatebin") ? { privatebin = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.edge depends_on = [null_resource.core_services] } -module "vault" { - source = "./vault" - for_each = contains(local.active_modules, "vault") ? { vault = true } : {} - tls_secret_name = var.tls_secret_name +# module "vault" { +# source = "./vault" +# tier = local.tiers.edge +# for_each = contains(local.active_modules, "vault") ? { vault = true } : {} +# tls_secret_name = var.tls_secret_name - depends_on = [null_resource.core_services] -} +# depends_on = [null_resource.core_services] +# } module "reloader" { source = "./reloader" for_each = contains(local.active_modules, "reloader") ? { reloader = true } : {} + tier = local.tiers.aux depends_on = [null_resource.core_services] } @@ -327,6 +349,7 @@ module "shadowsocks" { source = "./shadowsocks" for_each = contains(local.active_modules, "shadowsocks") ? { shadowsocks = true } : {} password = var.shadowsocks_password + tier = local.tiers.edge depends_on = [null_resource.core_services] } @@ -335,6 +358,7 @@ module "city-guesser" { source = "./city-guesser" for_each = contains(local.active_modules, "city-guesser") ? { city-guesser = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.aux depends_on = [null_resource.core_services] } @@ -343,6 +367,7 @@ module "echo" { for_each = contains(local.active_modules, "echo") ? { echo = true } : {} tls_secret_name = var.tls_secret_name depends_on = [null_resource.core_services] + tier = local.tiers.edge } module "url" { @@ -352,6 +377,7 @@ module "url" { geolite_license_key = var.url_shortener_geolite_license_key api_key = var.url_shortener_api_key mysql_password = var.url_shortener_mysql_password + tier = local.tiers.aux depends_on = [null_resource.core_services] } 
@@ -367,6 +393,7 @@ module "webhook_handler" { git_user = var.webhook_handler_git_user git_token = var.webhook_handler_git_token ssh_key = var.webhook_handler_ssh_key + tier = local.tiers.aux depends_on = [null_resource.core_services] } @@ -378,6 +405,7 @@ module "wireguard" { wg_0_conf = var.wireguard_wg_0_conf wg_0_key = var.wireguard_wg_0_key firewall_sh = var.wireguard_firewall_sh + tier = local.tiers.cluster depends_on = [null_resource.core_services] } @@ -403,6 +431,7 @@ module "excalidraw" { source = "./excalidraw" for_each = contains(local.active_modules, "excalidraw") ? { excalidraw = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.aux depends_on = [null_resource.core_services] } @@ -419,6 +448,7 @@ module "travel_blog" { source = "./travel_blog" for_each = contains(local.active_modules, "travel_blog") ? { travel_blog = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.aux depends_on = [null_resource.core_services] } @@ -428,6 +458,7 @@ module "technitium" { for_each = contains(local.active_modules, "technitium") ? { technitium = true } : {} tls_secret_name = var.tls_secret_name homepage_token = var.homepage_credentials["technitium"]["token"] + tier = local.tiers.core } module "headscale" { @@ -436,6 +467,7 @@ module "headscale" { tls_secret_name = var.tls_secret_name headscale_config = var.headscale_config headscale_acl = var.headscale_acl + tier = local.tiers.core depends_on = [null_resource.core_services] } @@ -444,6 +476,7 @@ module "dashy" { source = "./dashy" for_each = contains(local.active_modules, "dashy") ? { dashy = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.aux depends_on = [null_resource.core_services] } @@ -458,6 +491,7 @@ module "vaultwarden" { for_each = contains(local.active_modules, "vaultwarden") ? { vaultwarden = true } : {} tls_secret_name = var.tls_secret_name smtp_password = var.vaultwarden_smtp_password + tier = local.tiers.edge } module "reverse-proxy" { 
@@ -473,6 +507,7 @@ module "send" { source = "./send" for_each = contains(local.active_modules, "send") ? { send = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.aux depends_on = [null_resource.core_services] } @@ -481,12 +516,14 @@ module "redis" { source = "./redis" for_each = contains(local.active_modules, "redis") ? { redis = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.core } module "ytdlp" { source = "./youtube_dl" for_each = contains(local.active_modules, "ytdlp") ? { ytdlp = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.aux depends_on = [null_resource.core_services] } @@ -498,12 +535,14 @@ module "immich" { postgresql_password = var.immich_postgresql_password frame_api_key = var.immich_frame_api_key homepage_token = var.homepage_credentials["immich"]["token"] + tier = local.tiers.gpu depends_on = [null_resource.core_services] } module "nginx-ingress" { source = "./nginx-ingress" + tier = local.tiers.core for_each = contains(local.active_modules, "nginx-ingress") ? { nginx-ingress = true } : {} honeypotapikey = var.ingress_honeypotapikey crowdsec_api_key = var.ingress_crowdsec_api_key @@ -513,6 +552,7 @@ module "nginx-ingress" { module "crowdsec" { source = "./crowdsec" + tier = local.tiers.cluster for_each = contains(local.active_modules, "crowdsec") ? { crowdsec = true } : {} tls_secret_name = var.tls_secret_name homepage_username = var.homepage_credentials["crowdsec"]["username"] @@ -536,6 +576,7 @@ module "uptime-kuma" { source = "./uptime-kuma" for_each = contains(local.active_modules, "uptime-kuma") ? { uptime-kuma = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.cluster depends_on = [null_resource.core_services] } 
@@ -546,6 +587,7 @@ module "calibre" { tls_secret_name = var.tls_secret_name homepage_username = var.homepage_credentials["calibre-web"]["username"] homepage_password = var.homepage_credentials["calibre-web"]["password"] + tier = local.tiers.edge depends_on = [null_resource.core_services] } @@ -560,6 +602,7 @@ module "audiobookshelf" { source = "./audiobookshelf" for_each = contains(local.active_modules, "audiobookshelf") ? { audiobookshelf = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.aux depends_on = [null_resource.core_services] } @@ -568,6 +611,7 @@ module "frigate" { source = "./frigate" for_each = contains(local.active_modules, "frigate") ? { frigate = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.gpu depends_on = [null_resource.core_services] } @@ -581,6 +625,7 @@ module "frigate" { module "cloudflared" { source = "./cloudflared" + tier = local.tiers.core # for_each = contains(local.active_modules, "cloudflared") ? { cloudflared = true } : {} tls_secret_name = var.tls_secret_name @@ -615,6 +660,7 @@ module "cloudflared" { module "metrics-server" { source = "./metrics-server" + tier = local.tiers.cluster for_each = contains(local.active_modules, "metrics-server") ? { metrics-server = true } : {} tls_secret_name = var.tls_secret_name } @@ -627,6 +673,7 @@ module "paperless-ngx" { # homepage_token = var.homepage_credentials["paperless-ngx"]["token"] homepage_username = var.homepage_credentials["paperless-ngx"]["username"] homepage_password = var.homepage_credentials["paperless-ngx"]["password"] + tier = local.tiers.edge depends_on = [null_resource.core_services] } @@ -635,6 +682,7 @@ module "jsoncrack" { source = "./jsoncrack" for_each = contains(local.active_modules, "jsoncrack") ? { jsoncrack = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.aux depends_on = [null_resource.core_services] } 
@@ -643,8 +691,10 @@ module "servarr" { source = "./servarr" for_each = contains(local.active_modules, "servarr") ? { servarr = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.aux - depends_on = [null_resource.core_services] + depends_on = [null_resource.core_services] + aiostreams_database_connection_string = var.aiostreams_database_connection_string } # module "dnscat2" { @@ -656,6 +706,7 @@ module "ollama" { # Disabled as it requires too much resources... source = "./ollama" for_each = contains(local.active_modules, "ollama") ? { ollama = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.gpu depends_on = [null_resource.core_services] } @@ -664,6 +715,7 @@ module "ntfy" { source = "./ntfy" for_each = contains(local.active_modules, "ntfy") ? { ntfy = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.aux depends_on = [null_resource.core_services] } @@ -672,6 +724,7 @@ module "cyberchef" { source = "./cyberchef" for_each = contains(local.active_modules, "cyberchef") ? { cyberchef = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.aux depends_on = [null_resource.core_services] } @@ -682,6 +735,7 @@ module "diun" { tls_secret_name = var.tls_secret_name diun_nfty_token = var.diun_nfty_token diun_slack_url = var.diun_slack_url + tier = local.tiers.aux depends_on = [null_resource.core_services] } 
@@ -690,25 +744,30 @@ module "meshcentral" { source = "./meshcentral" for_each = contains(local.active_modules, "meshcentral") ? { meshcentral = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.aux depends_on = [null_resource.core_services] } -# module "netbox" { -# source = "./netbox" -# tls_secret_name = var.tls_secret_name -# } +module "netbox" { + source = "./netbox" + for_each = contains(local.active_modules, "netbox") ? { netbox = true } : {} + tls_secret_name = var.tls_secret_name + tier = local.tiers.aux +} module "nextcloud" { source = "./nextcloud" for_each = contains(local.active_modules, "nextcloud") ? { nextcloud = true } : {} tls_secret_name = var.tls_secret_name db_password = var.nextcloud_db_password + tier = local.tiers.edge depends_on = [null_resource.core_services] } module "homepage" { source = "./homepage" + tier = local.tiers.aux for_each = contains(local.active_modules, "homepage") ? { homepage = true } : {} tls_secret_name = var.tls_secret_name @@ -719,12 +778,14 @@ module "matrix" { source = "./matrix" for_each = contains(local.active_modules, "matrix") ? { matrix = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.aux depends_on = [null_resource.core_services] } module "authentik" { source = "./authentik" + tier = local.tiers.core for_each = contains(local.active_modules, "authentik") ? { authentik = true } : {} tls_secret_name = var.tls_secret_name secret_key = var.authentik_secret_key @@ -738,6 +799,7 @@ module "linkwarden" { postgresql_password = var.linkwarden_postgresql_password authentik_client_id = var.linkwarden_authentik_client_id authentik_client_secret = var.linkwarden_authentik_client_secret + tier = local.tiers.aux depends_on = [null_resource.core_services] } 
@@ -746,6 +808,7 @@ module "actualbudget" { source = "./actualbudget" for_each = contains(local.active_modules, "actualbudget") ? { actualbudget = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.edge depends_on = [null_resource.core_services] } @@ -755,6 +818,7 @@ module "owntracks" { for_each = contains(local.active_modules, "owntracks") ? { owntracks = true } : {} tls_secret_name = var.tls_secret_name owntracks_credentials = var.owntracks_credentials + tier = local.tiers.aux depends_on = [null_resource.core_services] } @@ -765,6 +829,7 @@ module "dawarich" { tls_secret_name = var.tls_secret_name database_password = var.dawarich_database_password geoapify_api_key = var.geoapify_api_key + tier = local.tiers.edge depends_on = [null_resource.core_services] } @@ -773,6 +838,7 @@ module "changedetection" { source = "./changedetection" for_each = contains(local.active_modules, "changedetection") ? { changedetection = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.aux depends_on = [null_resource.core_services] } @@ -782,6 +848,7 @@ module "tandoor" { tls_secret_name = var.tls_secret_name tandoor_database_password = var.tandoor_database_password tandoor_email_password = var.tandoor_email_password + tier = local.tiers.aux depends_on = [null_resource.core_services] } @@ -791,6 +858,7 @@ module "n8n" { for_each = contains(local.active_modules, "n8n") ? { n8n = true } : {} tls_secret_name = var.tls_secret_name postgresql_password = var.n8n_postgresql_password + tier = local.tiers.aux depends_on = [null_resource.core_services] } @@ -801,6 +869,7 @@ module "real-estate-crawler" { tls_secret_name = var.tls_secret_name db_password = var.realestate_crawler_db_password notification_settings = var.realestate_crawler_notification_settings + tier = local.tiers.aux depends_on = [null_resource.core_services] } 
@@ -809,6 +878,7 @@ module "tor-proxy" { source = "./tor-proxy" for_each = contains(local.active_modules, "tor-proxy") ? { tor-proxy = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.aux depends_on = [null_resource.core_services] } @@ -825,6 +895,7 @@ module "onlyoffice" { tls_secret_name = var.tls_secret_name db_password = var.onlyoffice_db_password jwt_token = var.onlyoffice_jwt_token + tier = local.tiers.edge depends_on = [null_resource.core_services] } @@ -834,6 +905,7 @@ module "forgejo" { source = "./forgejo" for_each = contains(local.active_modules, "forgejo") ? { forgejo = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.edge depends_on = [null_resource.core_services] } @@ -842,6 +914,7 @@ module "xray" { source = "./xray" for_each = contains(local.active_modules, "xray") ? { xray = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.aux xray_reality_clients = var.xray_reality_clients xray_reality_private_key = var.xray_reality_private_key @@ -854,6 +927,7 @@ module "freshrss" { source = "./freshrss" for_each = contains(local.active_modules, "freshrss") ? { freshrss = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.aux depends_on = [null_resource.core_services] } @@ -862,6 +936,7 @@ module "navidrome" { source = "./navidrome" for_each = contains(local.active_modules, "navidrome") ? { navidrome = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.aux depends_on = [null_resource.core_services] } @@ -870,6 +945,7 @@ module "networking-toolbox" { source = "./networking-toolbox" for_each = contains(local.active_modules, "networking-toolbox") ? { networking-toolbox = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.aux depends_on = [null_resource.core_services] } 
@@ -878,6 +954,7 @@ module "tuya-bridge" { source = "./tuya-bridge" for_each = contains(local.active_modules, "tuya-bridge") ? { tuya-bridge = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.cluster tiny_tuya_api_key = var.tiny_tuya_api_key tiny_tuya_api_secret = var.tiny_tuya_api_secret @@ -892,6 +969,7 @@ module "stirling-pdf" { source = "./stirling-pdf" for_each = contains(local.active_modules, "stirling-pdf") ? { stirling-pdf = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.aux depends_on = [null_resource.core_services] } @@ -899,6 +977,7 @@ module "stirling-pdf" { module "isponsorblocktv" { source = "./isponsorblocktv" for_each = contains(local.active_modules, "isponsorblocktv") ? { isponsorblocktv = true } : {} + tier = local.tiers.edge depends_on = [null_resource.core_services] } @@ -907,12 +986,15 @@ module "nvidia" { source = "./nvidia" for_each = contains(local.active_modules, "nvidia") ? { nvidia = true } : {} tls_secret_name = var.tls_secret_name + tier = local.tiers.gpu } -# module "ebook2audiobook" { -# source = "./ebook2audiobook" -# tls_secret_name = var.tls_secret_name -# } +module "ebook2audiobook" { + source = "./ebook2audiobook" + for_each = contains(local.active_modules, "ebook2audiobook") ? { ebook2audiobook = true } : {} + tls_secret_name = var.tls_secret_name + tier = local.tiers.gpu +} module "rybbit" { source = "./rybbit" @@ -920,6 +1002,7 @@ module "rybbit" { tls_secret_name = var.tls_secret_name clickhouse_password = var.clickhouse_password postgres_password = var.clickhouse_postgres_password + tier = local.tiers.aux depends_on = [null_resource.core_services] } 
@@ -929,6 +1012,13 @@ module "wealthfolio" { for_each = contains(local.active_modules, "wealthfolio") ? { wealthfolio = true } : {} tls_secret_name = var.tls_secret_name wealthfolio_password_hash = var.wealthfolio_password_hash + tier = local.tiers.aux depends_on = [null_resource.core_services] } + +module "kyverno" { + source = "./kyverno" + for_each = contains(local.active_modules, "kyverno") ? { kyverno = true } : {} + depends_on = [null_resource.core_services] +} diff --git a/modules/kubernetes/matrix/main.tf b/modules/kubernetes/matrix/main.tf index bd025f73..12a069af 100644 --- a/modules/kubernetes/matrix/main.tf +++ b/modules/kubernetes/matrix/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } resource "kubernetes_namespace" "matrix" { metadata { @@ -20,7 +21,8 @@ resource "kubernetes_deployment" "matrix" { name = "matrix" namespace = kubernetes_namespace.matrix.metadata[0].name labels = { - app = "matrix" + app = "matrix" + tier = var.tier } } spec { diff --git a/modules/kubernetes/meshcentral/main.tf b/modules/kubernetes/meshcentral/main.tf index 12609f05..563d53dc 100644 --- a/modules/kubernetes/meshcentral/main.tf +++ b/modules/kubernetes/meshcentral/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } resource "kubernetes_namespace" "meshcentral" { metadata { @@ -20,7 +21,8 @@ resource "kubernetes_deployment" "meshcentral" { name = "meshcentral" namespace = kubernetes_namespace.meshcentral.metadata[0].name labels = { - app = "meshcentral" + app = "meshcentral" + tier = var.tier } annotations = { "reloader.stakater.com/search" = "true" diff --git a/modules/kubernetes/metallb/main.tf b/modules/kubernetes/metallb/main.tf index 374f377c..1659f08e 100644 --- a/modules/kubernetes/metallb/main.tf +++ b/modules/kubernetes/metallb/main.tf 
@@ -4,16 +4,29 @@ # source = "colinwilson/metallb/kubernetes" # version = "0.1.7" # } +variable "tier" { type = string } + +resource "kubernetes_namespace" "metallb" { + metadata { + name = "metallb-system" + labels = { + app = "metallb" + # "istio-injection" : "disabled" + # tier = var.tier + } + } +} module "metallb" { - source = "ViktorBarzin/metallb/kubernetes" - version = "0.1.5" + source = "ViktorBarzin/metallb/kubernetes" + version = "0.1.5" + depends_on = [kubernetes_namespace.metallb] } resource "kubernetes_config_map" "config" { metadata { name = "config" - namespace = "metallb-system" + namespace = kubernetes_namespace.metallb.metadata[0].name } data = { config = < 75 + expr: node_hwmon_temp_celsius{instance="pve-node-r730"} * on(chip) group_left(chip_name) node_hwmon_chip_names{instance="pve-node-r730"} > 60 for: 30m labels: severity: page @@ -302,8 +303,8 @@ serverFiles: annotations: summary: "Low registry cache hit rate" - alert: NodeHighCPUUsage - expr: node_load1{instance!="pve-node-r730"} > 2 - for: 20m + expr: pve_cpu_usage_ratio > 0.3 + for: 6h labels: severity: page annotations: @@ -472,8 +473,8 @@ extraScrapeConfigs: | regex: '(.*)' replacement: 'r730_idrac_$${1}' - job_name: 'redfish-idrac' - scrape_interval: 3m - scrape_timeout: 1m + scrape_interval: 1m + scrape_timeout: 45s metrics_path: /metrics static_configs: - targets: diff --git a/modules/kubernetes/monitoring/pve_exporter.tf b/modules/kubernetes/monitoring/pve_exporter.tf index af20cd19..74937a05 100644 --- a/modules/kubernetes/monitoring/pve_exporter.tf +++ b/modules/kubernetes/monitoring/pve_exporter.tf @@ -20,6 +20,9 @@ resource "kubernetes_deployment" "pve_exporter" { metadata { name = "proxmox-exporter" namespace = kubernetes_namespace.monitoring.metadata[0].name + labels = { + tier = var.tier + } } spec { diff --git a/modules/kubernetes/monitoring/snmp_exporter.tf b/modules/kubernetes/monitoring/snmp_exporter.tf index f8c3eeb3..9f97bda8 100644 
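Review bot: The new `NodeHighCPUUsage` expression `pve_cpu_usage_ratio > 0.3` carries no label selector, so if the PVE exporter publishes this metric per guest as well as per node (prometheus-pve-exporter exposes it per `id`, I believe) a single VM above 30% for six hours will page as a node alert. Constrain it to nodes, e.g. `expr: pve_cpu_usage_ratio{id=~"node/.*"} > 0.3`, or rename the alert if guests are intentionally covered. `for: 6h` also means a pegged host goes unreported for a quarter of a day; if that is deliberate, say so in a comment next to the rule.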
--- a/modules/kubernetes/monitoring/snmp_exporter.tf +++ b/modules/kubernetes/monitoring/snmp_exporter.tf @@ -29,7 +29,8 @@ resource "kubernetes_deployment" "snmp-exporter" { name = "snmp-exporter" namespace = kubernetes_namespace.monitoring.metadata[0].name labels = { - app = "snmp-exporter" + app = "snmp-exporter" + tier = var.tier } annotations = { "reloader.stakater.com/search" = "true" diff --git a/modules/kubernetes/n8n/main.tf b/modules/kubernetes/n8n/main.tf index 29cd54d0..77c06fe4 100644 --- a/modules/kubernetes/n8n/main.tf +++ b/modules/kubernetes/n8n/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } variable "postgresql_password" {} module "tls_secret" { @@ -18,7 +19,8 @@ resource "kubernetes_deployment" "n8n" { name = "n8n" namespace = kubernetes_namespace.n8n.metadata[0].name labels = { - app = "n8n" + app = "n8n" + tier = var.tier } } spec { @@ -31,8 +33,7 @@ resource "kubernetes_deployment" "n8n" { template { metadata { labels = { - app = "n8n" - "kubernetes.io/cluster-service" = "true" + app = "n8n" } } spec { diff --git a/modules/kubernetes/navidrome/main.tf b/modules/kubernetes/navidrome/main.tf index b1597eaa..12d21684 100644 --- a/modules/kubernetes/navidrome/main.tf +++ b/modules/kubernetes/navidrome/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } resource "kubernetes_namespace" "navidrome" { metadata { @@ -20,8 +21,8 @@ resource "kubernetes_deployment" "navidrome" { name = "navidrome" namespace = kubernetes_namespace.navidrome.metadata[0].name labels = { - app = "navidrome" - "kubernetes.io/cluster-service" = "true" + app = "navidrome" + tier = var.tier } } spec { @@ -37,8 +38,7 @@ resource "kubernetes_deployment" "navidrome" { template { metadata { labels = { - app = "navidrome" - "kubernetes.io/cluster-service" = "true" + app = "navidrome" } } spec { 
diff --git a/modules/kubernetes/netbox/main.tf b/modules/kubernetes/netbox/main.tf index 46c9f58a..21ee2c51 100644 --- a/modules/kubernetes/netbox/main.tf +++ b/modules/kubernetes/netbox/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } resource "kubernetes_namespace" "netbox" { metadata { @@ -12,12 +13,22 @@ module "tls_secret" { tls_secret_name = var.tls_secret_name } +resource "random_string" "random" { + length = 50 + lower = true +} +resource "random_string" "api_token_pepper" { + length = 50 + lower = true +} + resource "kubernetes_deployment" "netbox" { metadata { name = "netbox" namespace = kubernetes_namespace.netbox.metadata[0].name labels = { - app = "netbox" + app = "netbox" + tier = var.tier } annotations = { "reloader.stakater.com/search" = "true" @@ -44,7 +55,7 @@ resource "kubernetes_deployment" "netbox" { } spec { container { - image = "lscr.io/linuxserver/netbox:v4.0.9-ls219" + image = "netboxcommunity/netbox:v4.5.0-beta1" name = "netbox" env { name = "DB_USER" @@ -58,6 +69,22 @@ resource "kubernetes_deployment" "netbox" { name = "DB_HOST" value = "postgresql.dbaas.svc.cluster.local" } + env { + name = "DB_NAME" + value = "netbox" + } + env { + name = "DB_WAIT_DEBUG" + value = "1" + } + env { + name = "SECRET_KEY" + value = random_string.random.result + } + env { + name = "API_TOKEN_PEPPERS" + value = random_string.api_token_pepper.result + } env { name = "REDIS_HOST" value = "redis.redis" @@ -97,7 +124,7 @@ resource "kubernetes_deployment" "netbox" { } port { - container_port = 8000 + container_port = 8080 } # volume_mount { # name = "data" @@ -130,7 +157,7 @@ resource "kubernetes_service" "netbox" { } port { name = "http" - target_port = 8000 + target_port = 8080 port = 80 protocol = "TCP" } diff --git a/modules/kubernetes/networking-toolbox/main.tf b/modules/kubernetes/networking-toolbox/main.tf index 56abc187..df8ab459 100644 --- a/modules/kubernetes/networking-toolbox/main.tf 
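Review bot: `random_string` keeps its `result` unmarked in state and prints it in plan output, yet both values here feed Django's `SECRET_KEY` and `API_TOKEN_PEPPERS`; use `random_password` with the same arguments, whose result is marked sensitive. `lower = true` is already the default and can be dropped. Both resources are also created fresh by this apply — if the previous image had its own persisted SECRET_KEY, existing sessions (and, should the pepper take part in token hashing, existing API tokens) will stop validating; confirm before rolling this out.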
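Review bot: `netboxcommunity/netbox:v4.5.0-beta1` pins a pre-release build of a different image family than the `lscr.io/linuxserver/netbox` tag it replaces; the port move to 8080 and the new env entries follow from that switch, but a beta tag in the steady-state deployment deserves a marker, e.g. `# pre-release; move to the v4.5.x GA tag once published`. The two images also differ in where they expect configuration and media to live, so verify the (currently commented-out) volume layout against the new image before anything depends on it.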
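Review bot: `SECRET_KEY` and `API_TOKEN_PEPPERS` are injected as literal `value` entries, so anyone who can `get deployments` or `get pods` in the namespace reads them, and they appear in every plan diff; write them to a `kubernetes_secret` and reference them with `value_from { secret_key_ref { ... } }`. `DB_WAIT_DEBUG = "1"` enables verbose output from the image's database-wait loop, which may echo connection details (potentially the password) into pod logs; remove it once the migration is verified. Whether this image expects `API_TOKEN_PEPPERS` as a single string or a delimited list is not visible here — confirm the format the entrypoint parses.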
+++ b/modules/kubernetes/networking-toolbox/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } resource "kubernetes_namespace" "networking-toolbox" { metadata { @@ -20,7 +21,8 @@ resource "kubernetes_deployment" "networking-toolbox" { name = "networking-toolbox" namespace = kubernetes_namespace.networking-toolbox.metadata[0].name labels = { - app = "networking-toolbox" + app = "networking-toolbox" + tier = var.tier } } spec { diff --git a/modules/kubernetes/nextcloud/main.tf b/modules/kubernetes/nextcloud/main.tf index e33fef1a..b76bb7bd 100644 --- a/modules/kubernetes/nextcloud/main.tf +++ b/modules/kubernetes/nextcloud/main.tf @@ -1,5 +1,6 @@ variable "tls_secret_name" {} variable "db_password" {} +variable "tier" { type = string } module "tls_secret" { source = "../setup_tls_secret" @@ -12,6 +13,7 @@ resource "kubernetes_namespace" "nextcloud" { name = "nextcloud" labels = { "istio-injection" : "disabled" + tier = var.tier } } } @@ -49,7 +51,8 @@ resource "kubernetes_deployment" "whiteboard" { name = "whiteboard" namespace = kubernetes_namespace.nextcloud.metadata[0].name labels = { - app = "whiteboard" + app = "whiteboard" + tier = var.tier } annotations = { "reloader.stakater.com/search" = "true" diff --git a/modules/kubernetes/nginx-ingress/main.tf b/modules/kubernetes/nginx-ingress/main.tf index 27e5f6ee..8ba56189 100644 --- a/modules/kubernetes/nginx-ingress/main.tf +++ b/modules/kubernetes/nginx-ingress/main.tf @@ -12,6 +12,8 @@ variable "honeypotapikey" { variable "crowdsec_api_key" {} variable "crowdsec_captcha_secret_key" {} variable "crowdsec_captcha_site_key" {} +variable "tier" { type = string } + resource "kubernetes_namespace" "ingress_nginx" { metadata { name = "ingress-nginx" 
@@ -469,6 +471,7 @@ resource "kubernetes_deployment" "ingress_nginx_controller" { "app.kubernetes.io/name" = "ingress-nginx" "app.kubernetes.io/part-of" = "ingress-nginx" "app.kubernetes.io/version" = "1.13.1" + tier = var.tier } annotations = { "reloader.stakater.com/search" = "true" diff --git a/modules/kubernetes/ntfy/main.tf b/modules/kubernetes/ntfy/main.tf index 7a7d9a5d..dafdbd5b 100644 --- a/modules/kubernetes/ntfy/main.tf +++ b/modules/kubernetes/ntfy/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } resource "kubernetes_namespace" "ntfy" { metadata { name = "ntfy" @@ -16,7 +17,8 @@ resource "kubernetes_deployment" "ntfy" { name = "ntfy" namespace = kubernetes_namespace.ntfy.metadata[0].name labels = { - app = "ntfy" + app = "ntfy" + tier = var.tier } annotations = { "reloader.stakater.com/search" = "true" diff --git a/modules/kubernetes/nvidia/Dockerfile b/modules/kubernetes/nvidia/Dockerfile new file mode 100644 index 00000000..aba73858 --- /dev/null +++ b/modules/kubernetes/nvidia/Dockerfile @@ -0,0 +1,27 @@ +# GPU container + +FROM ubuntu + +ENV DEBIAN_FRONTEND=noninteractive + +# Install Python and pip +RUN apt-get update && \ + apt-get install -y --no-install-recommends \ + python3 \ + python3-pip \ + python3-venv + +# Deps +RUN apt-get install -y ffmpeg espeak-ng + +# Set a working directory +WORKDIR /app + +RUN python3 -m venv audiblez && ./audiblez/bin/pip install audiblez +# RUN python3 -m venv audiblez + +CMD ["/usr/bin/sleep", "86400"] +# RUN pip install audiblez + +# # Default command +# CMD ["/usr/bin/sleep", "86400"] diff --git a/modules/kubernetes/nvidia/main.tf b/modules/kubernetes/nvidia/main.tf index 1948e58e..70f294cb 100644 --- a/modules/kubernetes/nvidia/main.tf +++ b/modules/kubernetes/nvidia/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } module "tls_secret" { source = "../setup_tls_secret" 
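Review bot: The image is neither reproducible nor unprivileged: `FROM ubuntu` and `pip install audiblez` are both unpinned, so each build pulls whatever is current, and nothing drops root before the `sleep` entrypoint. The second `RUN apt-get install` reuses the package lists from the previous layer, which go stale once that layer is cached, and the lists are never cleaned up. Pin the base tag and the package version, merge the apt steps with cleanup, add an unprivileged `USER`, and delete the commented-out duplicates at the bottom.
```dockerfile
FROM ubuntu:24.04

ENV DEBIAN_FRONTEND=noninteractive

RUN apt-get update && \
    apt-get install -y --no-install-recommends \
        python3 python3-pip python3-venv ffmpeg espeak-ng && \
    rm -rf /var/lib/apt/lists/*

WORKDIR /app

# Pin to the release you have tested; bump deliberately.
RUN python3 -m venv audiblez && \
    ./audiblez/bin/pip install --no-cache-dir "audiblez==<pinned version>"

RUN useradd --system --uid 10001 --home /app app && chown -R app:app /app
USER app

CMD ["/usr/bin/sleep", "86400"]
```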
@@ -11,6 +12,7 @@ resource "kubernetes_namespace" "nvidia" { name = "nvidia" labels = { "istio-injection" : "disabled" + tier = var.tier } } } @@ -59,7 +61,8 @@ resource "kubernetes_deployment" "nvidia-exporter" { name = "nvidia-exporter" namespace = kubernetes_namespace.nvidia.metadata[0].name labels = { - app = "nvidia-exporter" + app = "nvidia-exporter" + tier = var.tier } } spec { @@ -168,3 +171,51 @@ module "ingress" { # } # } # } + + +# resource "kubernetes_deployment" "gpu-container" { +# metadata { +# name = "gpu-container" +# namespace = kubernetes_namespace.nvidia.metadata[0].name +# labels = { +# app = "gpu-container" +# } +# } +# spec { +# replicas = 1 +# selector { +# match_labels = { +# app = "gpu-container" +# } +# } +# template { +# metadata { +# labels = { +# app = "gpu-container" +# } +# } +# spec { +# node_selector = { +# "gpu" : "true" +# } +# container { +# image = "ubuntu" +# name = "gpu-container" +# command = ["/usr/bin/sleep", "3600"] +# # security_context { +# # privileged = true +# # capabilities { +# # add = ["SYS_ADMIN"] +# # } +# # } +# resources { +# limits = { +# "nvidia.com/gpu" = "1" +# } +# } +# } +# } +# } +# } +# depends_on = [helm_release.nvidia-gpu-operator] +# } diff --git a/modules/kubernetes/ollama/main.tf b/modules/kubernetes/ollama/main.tf index 9a4de923..0ecf6063 100644 --- a/modules/kubernetes/ollama/main.tf +++ b/modules/kubernetes/ollama/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } resource "kubernetes_namespace" "ollama" { metadata { @@ -64,7 +65,8 @@ resource "kubernetes_deployment" "ollama" { name = "ollama" namespace = kubernetes_namespace.ollama.metadata[0].name labels = { - app = "ollama" + app = "ollama" + tier = var.tier } } spec { @@ -162,7 +164,8 @@ resource "kubernetes_deployment" "ollama-ui" { name = "ollama-ui" namespace = kubernetes_namespace.ollama.metadata[0].name labels = { - app = "ollama-ui" + app = "ollama-ui" + tier = var.tier } } spec { 
diff --git a/modules/kubernetes/onlyoffice/main.tf b/modules/kubernetes/onlyoffice/main.tf index c3c26811..df130db4 100644 --- a/modules/kubernetes/onlyoffice/main.tf +++ b/modules/kubernetes/onlyoffice/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } variable "db_password" { type = string } variable "jwt_token" { type = string } @@ -22,7 +23,8 @@ resource "kubernetes_deployment" "onlyoffice-document-server" { name = "onlyoffice-document-server" namespace = kubernetes_namespace.onlyoffice.metadata[0].name labels = { - app = "onlyoffice-document-server" + app = "onlyoffice-document-server" + tier = var.tier } } spec { diff --git a/modules/kubernetes/owntracks/main.tf b/modules/kubernetes/owntracks/main.tf index 6e9cce09..9a68196c 100644 --- a/modules/kubernetes/owntracks/main.tf +++ b/modules/kubernetes/owntracks/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } variable "owntracks_credentials" { type = map(string) default = { @@ -47,7 +48,8 @@ resource "kubernetes_deployment" "owntracks" { name = "owntracks" namespace = kubernetes_namespace.owntracks.metadata[0].name labels = { - app = "owntracks" + app = "owntracks" + tier = var.tier } annotations = { "reloader.stakater.com/search" = "true" diff --git a/modules/kubernetes/paperless-ngx/main.tf b/modules/kubernetes/paperless-ngx/main.tf index e847a4f4..e2bcce71 100644 --- a/modules/kubernetes/paperless-ngx/main.tf +++ b/modules/kubernetes/paperless-ngx/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } variable "db_password" {} # variable "homepage_token" {} variable "homepage_username" {} @@ -25,7 +26,8 @@ resource "kubernetes_deployment" "paperless-ngx" { name = "paperless-ngx" namespace = kubernetes_namespace.paperless-ngx.metadata[0].name labels = { - app = "paperless-ngx" + app = "paperless-ngx" + tier = var.tier } annotations = { "reloader.stakater.com/search" = "true" 
diff --git a/modules/kubernetes/privatebin/main.tf b/modules/kubernetes/privatebin/main.tf index 36f63c27..199fe729 100644 --- a/modules/kubernetes/privatebin/main.tf +++ b/modules/kubernetes/privatebin/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } resource "kubernetes_namespace" "privatebin" { metadata { @@ -20,8 +21,8 @@ resource "kubernetes_deployment" "privatebin" { name = "privatebin" namespace = kubernetes_namespace.privatebin.metadata[0].name labels = { - app = "privatebin" - "kubernetes.io/cluster-service" = "true" + app = "privatebin" + tier = var.tier } } spec { @@ -37,8 +38,7 @@ resource "kubernetes_deployment" "privatebin" { template { metadata { labels = { - app = "privatebin" - "kubernetes.io/cluster-service" = "true" + app = "privatebin" } } spec { diff --git a/modules/kubernetes/real-estate-crawler/main.tf b/modules/kubernetes/real-estate-crawler/main.tf index 38d1d628..9bb495c0 100644 --- a/modules/kubernetes/real-estate-crawler/main.tf +++ b/modules/kubernetes/real-estate-crawler/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } variable "notification_settings" { type = map(string) default = { @@ -26,7 +27,8 @@ resource "kubernetes_deployment" "realestate-crawler-ui" { name = "realestate-crawler-ui" namespace = kubernetes_namespace.realestate-crawler.metadata[0].name labels = { - app = "realestate-crawler-ui" + app = "realestate-crawler-ui" + tier = var.tier } } spec { @@ -42,8 +44,7 @@ resource "kubernetes_deployment" "realestate-crawler-ui" { template { metadata { labels = { - app = "realestate-crawler-ui" - "kubernetes.io/cluster-service" = "true" + app = "realestate-crawler-ui" } } spec { 
@@ -97,7 +98,8 @@ resource "kubernetes_deployment" "realestate-crawler-api" { name = "realestate-crawler-api" namespace = kubernetes_namespace.realestate-crawler.metadata[0].name labels = { - app = "realestate-crawler-api" + app = "realestate-crawler-api" + tier = var.tier } } spec { diff --git a/modules/kubernetes/redis/main.tf b/modules/kubernetes/redis/main.tf index 7750d447..4271c99e 100644 --- a/modules/kubernetes/redis/main.tf +++ b/modules/kubernetes/redis/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } resource "kubernetes_namespace" "redis" { metadata { @@ -17,7 +18,8 @@ resource "kubernetes_deployment" "redis" { name = "redis" namespace = kubernetes_namespace.redis.metadata[0].name labels = { - app = "redis" + app = "redis" + tier = var.tier } annotations = { "reloader.stakater.com/search" = "true" diff --git a/modules/kubernetes/reloader/main.tf b/modules/kubernetes/reloader/main.tf index 59971834..f220b799 100644 --- a/modules/kubernetes/reloader/main.tf +++ b/modules/kubernetes/reloader/main.tf @@ -1,7 +1,18 @@ +variable "tier" { type = string } + +resource "kubernetes_namespace" "crowdsec" { + metadata { + name = "reloader" + labels = { + tier = var.tier + } + } +} resource "helm_release" "reloader" { - namespace = "reloader" - create_namespace = true + namespace = kubernetes_namespace.crowdsec.metadata[0].name + create_namespace = false name = "reloader" + atomic = true repository = "https://stakater.github.io/stakater-charts" chart = "reloader" diff --git a/modules/kubernetes/reverse_proxy/factory/main.tf b/modules/kubernetes/reverse_proxy/factory/main.tf index 1c3c9af3..a80407f5 100644 --- a/modules/kubernetes/reverse_proxy/factory/main.tf +++ b/modules/kubernetes/reverse_proxy/factory/main.tf @@ -37,6 +37,10 @@ variable "rybbit_site_id" { default = null type = string } +variable "additional_configuration_snippet" { + default = "" + type = string +} resource "kubernetes_service" "proxied-service" { 
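Review bot: The new namespace resource is named `kubernetes_namespace.crowdsec` but creates `reloader`, an evident copy-paste slip that will mislead every later reference; name it `kubernetes_namespace.reloader`. Separately, the previous release let Helm create this namespace (`create_namespace = true`), so `reloader` already exists in the cluster and the first apply of the new `kubernetes_namespace` will most likely fail with AlreadyExists unless the namespace is imported into state first. Adding `atomic = true` is a good change — a failed upgrade is rolled back rather than left half-applied.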
@@ -90,6 +94,7 @@ resource "kubernetes_ingress_v1" "proxied-ingress" { "nginx.ingress.kubernetes.io/configuration-snippet" = <<-EOF limit_req_status 429; limit_conn_status 429; + ${var.additional_configuration_snippet} ${var.rybbit_site_id != null ? <<-JS # Rybbit Analytics # Only modify HTML diff --git a/modules/kubernetes/reverse_proxy/main.tf b/modules/kubernetes/reverse_proxy/main.tf index 9f459271..3ea44e12 100644 --- a/modules/kubernetes/reverse_proxy/main.tf +++ b/modules/kubernetes/reverse_proxy/main.tf @@ -96,6 +96,23 @@ module "tp-link-gateway" { backend_protocol = "HTTPS" depends_on = [kubernetes_namespace.reverse-proxy] protected = true + # Doesn't work due to 413 due to GA/authentik cookie + # additional_configuration_snippet = <<-EOF + # # 1. Try to extract the sysauth cookie and its value + # # This regex looks for 'sysauth=' followed by everything until a semicolon or end of string + # set $sysauth_only ""; + # if ($http_cookie ~* "sysauth=([^;]+)") { + # set $sysauth_only "sysauth=$1"; + # } + + # # 2. Overwrite the Cookie header. + # # If sysauth was found, only it is sent. If not found, no cookies are sent. + # proxy_set_header Cookie $sysauth_only; + # EOF + # extra_annotations = { + # client-header-buffer-size : "16k" + # large-client-header-buffers : "4 16k" + # } } # https://truenas.viktorbarzin.me/ diff --git a/modules/kubernetes/rybbit/main.tf b/modules/kubernetes/rybbit/main.tf index 51d212a3..8e30f113 100644 --- a/modules/kubernetes/rybbit/main.tf +++ b/modules/kubernetes/rybbit/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } variable "clickhouse_password" { type = string } variable "postgres_password" { type = string } @@ -29,7 +30,8 @@ resource "kubernetes_deployment" "clickhouse" { name = "clickhouse" namespace = kubernetes_namespace.rybbit.metadata[0].name labels = { - app = "clickhouse" + app = "clickhouse" + tier = var.tier } } spec { 
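Review bot: `additional_configuration_snippet` is interpolated verbatim into `nginx.ingress.kubernetes.io/configuration-snippet`, so whatever a caller passes becomes raw nginx directives inside the shared controller, and a snippet with a syntax error is rejected by the controller's validation and takes that Ingress offline; the variable has no `validation` block and no documentation. Add at least `# Raw nginx directives appended to the configuration-snippet annotation; operator-controlled input only, no validation` above the variable, and consider a `validation` rule rejecting `load_module`/`lua_` if the controller's `annotation-value-word-blocklist` is not already configured. The controller (1.13.x per this diff) only honours this annotation when `allow-snippet-annotations` is enabled, which the pre-existing snippet implies is already the case — worth stating in the same comment.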
@@ -110,7 +112,8 @@ resource "kubernetes_deployment" "rybbit" { name = "rybbit" namespace = kubernetes_namespace.rybbit.metadata[0].name labels = { - app = "rybbit" + app = "rybbit" + tier = var.tier } } spec { @@ -222,7 +225,8 @@ resource "kubernetes_deployment" "rybbit-client" { name = "rybbit-client" namespace = kubernetes_namespace.rybbit.metadata[0].name labels = { - app = "rybbit-client" + app = "rybbit-client" + tier = var.tier } } spec { diff --git a/modules/kubernetes/send/main.tf b/modules/kubernetes/send/main.tf index bf4773f9..6469688b 100644 --- a/modules/kubernetes/send/main.tf +++ b/modules/kubernetes/send/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } resource "kubernetes_namespace" "send" { metadata { @@ -20,7 +21,8 @@ resource "kubernetes_deployment" "send" { name = "send" namespace = kubernetes_namespace.send.metadata[0].name labels = { - app = "send" + app = "send" + tier = var.tier } annotations = { "reloader.stakater.com/search" = "true" diff --git a/modules/kubernetes/servarr/aiostreams/main.tf b/modules/kubernetes/servarr/aiostreams/main.tf new file mode 100644 index 00000000..e5ec5ec6 --- /dev/null +++ b/modules/kubernetes/servarr/aiostreams/main.tf 
@@ -0,0 +1,103 @@ +variable "tls_secret_name" {} +variable "tier" { type = string } +variable "aiostreams_database_connection_string" { type = string } + +resource "kubernetes_namespace" "aiostreams" { + metadata { + name = "aiostreams" + labels = { + "istio-injection" : "disabled" + } + } +} + +resource "random_id" "secret_key" { + byte_length = 32 # 32 bytes × 2 hex chars = 64 hex characters +} + +resource "kubernetes_deployment" "aiostreams" { + metadata { + name = "aiostreams" + namespace = kubernetes_namespace.aiostreams.metadata[0].name + labels = { + app = "aiostreams" + tier = var.tier + } + } + spec { + replicas = 1 + selector { + match_labels = { + app = "aiostreams" + } + } + template { + metadata { + labels = { + app = "aiostreams" + } + } + spec { + container { + image = "viren070/aiostreams:nightly" + name = "aiostreams" + port { + container_port = 3000 + } + env { + name = "BASE_URL" + value = "https://aiostreams.viktorbarzin.me" + } + env { + name = "SECRET_KEY" + value = random_id.secret_key.hex + } + env { + name = "DATABASE_URI" + value = var.aiostreams_database_connection_string + } + volume_mount { + name = "data" + mount_path = "/app/data" + } + } + volume { + name = "data" + nfs { + server = "10.0.10.15" + path = "/mnt/main/servarr/aiostreams" + } + } + } + } + } +} + +resource "kubernetes_service" "aiostreams" { + metadata { + name = "aiostreams" + namespace = kubernetes_namespace.aiostreams.metadata[0].name + labels = { + "app" = "aiostreams" + } + } + + spec { + selector = { + app = "aiostreams" + } + port { + name = "http" + port = 80 + target_port = 3000 + } + } +} + +module "ingress" { + source = "../../ingress_factory" + namespace = kubernetes_namespace.aiostreams.metadata[0].name + name = "aiostreams" + tls_secret_name = var.tls_secret_name + # protected = true +} diff --git a/modules/kubernetes/servarr/flaresolverr/main.tf b/modules/kubernetes/servarr/flaresolverr/main.tf index 6e8f7131..623685e6 100644 
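Review bot: `DATABASE_URI` (a connection string that, going by the variable name, embeds the database credentials) and the generated `SECRET_KEY` are set as literal env `value`s, so they are readable from the Deployment object and printed in every plan; move both into a `kubernetes_secret` consumed via `env_from`/`secret_key_ref`, and declare the variable with `sensitive = true`. The ingress is created with `# protected = true` commented out while the sibling listenarr module in this diff is protected, so this service is exposed with only its own authentication — confirm that is intentional. `viren070/aiostreams:nightly` is a moving tag; pin a release or digest so a bad nightly cannot roll out on the next pod restart.
```hcl
resource "kubernetes_secret" "aiostreams" {
  metadata {
    name      = "aiostreams"
    namespace = kubernetes_namespace.aiostreams.metadata[0].name
  }
  data = {
    SECRET_KEY   = random_id.secret_key.hex
    DATABASE_URI = var.aiostreams_database_connection_string
  }
}

# … unchanged: deployment metadata, replicas, selector, template labels …
        container {
          image = "viren070/aiostreams:nightly" # TODO pin to a release tag or digest
          name  = "aiostreams"
          env {
            name  = "BASE_URL"
            value = "https://aiostreams.viktorbarzin.me"
          }
          env_from {
            secret_ref { name = kubernetes_secret.aiostreams.metadata[0].name }
          }
          # … unchanged: port and volume_mount …
```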
--- a/modules/kubernetes/servarr/flaresolverr/main.tf +++ b/modules/kubernetes/servarr/flaresolverr/main.tf @@ -1,11 +1,13 @@ variable "tls_secret_name" {} +variable "tier" { type = string } resource "kubernetes_deployment" "flaresolverr" { metadata { name = "flaresolverr" namespace = "servarr" labels = { - app = "flaresolverr" + app = "flaresolverr" + tier = var.tier } annotations = { "reloader.stakater.com/search" = "true" diff --git a/modules/kubernetes/servarr/lidarr/main.tf b/modules/kubernetes/servarr/lidarr/main.tf index 8166298b..7539754a 100644 --- a/modules/kubernetes/servarr/lidarr/main.tf +++ b/modules/kubernetes/servarr/lidarr/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } resource "kubernetes_deployment" "lidarr" { @@ -6,7 +7,8 @@ resource "kubernetes_deployment" "lidarr" { name = "lidarr" namespace = "servarr" labels = { - app = "lidarr" + app = "lidarr" + tier = var.tier } annotations = { "reloader.stakater.com/search" = "true" diff --git a/modules/kubernetes/servarr/listenarr/main.tf b/modules/kubernetes/servarr/listenarr/main.tf new file mode 100644 index 00000000..98651a12 --- /dev/null +++ b/modules/kubernetes/servarr/listenarr/main.tf 
@@ -0,0 +1,90 @@ +variable "tls_secret_name" {} +variable "tier" { type = string } + + +resource "kubernetes_deployment" "listenarr" { + metadata { + name = "listenarr" + namespace = "servarr" + labels = { + app = "listenarr" + tier = var.tier + } + annotations = { + "reloader.stakater.com/search" = "true" + } + } + spec { + replicas = 1 + selector { + match_labels = { + app = "listenarr" + } + } + template { + metadata { + labels = { + app = "listenarr" + } + } + spec { + container { + image = "ghcr.io/therobbiedavis/listenarr:canary" + name = "listenarr" + + port { + container_port = 5000 + } + volume_mount { + name = "data" + mount_path = "/app/config" + } + } + volume { + name = "data" + nfs { + path = "/mnt/main/servarr/listenarr" + server = "10.0.10.15" + } + } + volume { + name = "downloads" + nfs { + path = "/mnt/main/servarr/downloads" + server = "10.0.10.15" + } + } + } + } + } +} + +resource "kubernetes_service" "listenarr" { + metadata { + name = "listenarr" + namespace = "servarr" + labels = { + app = "listenarr" + } + } + + spec { + selector = { + app = "listenarr" + } + port { + name = "http" + port = 80 + target_port = 5000 + } + } +} + + +module "ingress" { + source = "../../ingress_factory" + namespace = "servarr" + name = "listenarr" + tls_secret_name = var.tls_secret_name + protected = true +} diff --git a/modules/kubernetes/servarr/main.tf b/modules/kubernetes/servarr/main.tf index 7604b8d4..e55e8da0 100644 --- a/modules/kubernetes/servarr/main.tf +++ b/modules/kubernetes/servarr/main.tf @@ -1,4 +1,6 @@ variable "tls_secret_name" {} +variable "tier" { type = string } +variable "aiostreams_database_connection_string" { type = string } resource "kubernetes_namespace" "servarr" { metadata { 
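Review bot: The `downloads` NFS volume is declared but never mounted — the only `volume_mount` is `data` at `/app/config` — so either add `volume_mount { name = "downloads" mount_path = "/downloads" }` (with whatever path listenarr actually expects) or remove the volume; as written it is dead configuration that still references the export. `ghcr.io/therobbiedavis/listenarr:canary` is a moving pre-release tag; pin a version or digest. There is also no `security_context` (no `run_as_non_root`, no `read_only_root_filesystem`), which is worth adding for a pod that writes to a shared NFS export.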
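Review bot: `variable "aiostreams_database_connection_string"` is declared without `sensitive = true`, so its value — which by name carries database credentials — is echoed in plan and apply output at every level it is passed through. Add `sensitive = true` to the variable block here (and in the root module that feeds it) so Terraform redacts it in diffs and logs.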
@@ -16,29 +18,48 @@ module "tls_secret" { # module "readarr" { # source = "./readarr" # tls_secret_name = var.tls_secret_name +# tier = var.tier # } -# module "prowlarr" { -# source = "./prowlarr" -# tls_secret_name = var.tls_secret_name -# } +module "prowlarr" { + source = "./prowlarr" + tls_secret_name = var.tls_secret_name + tier = var.tier +} -# module "qbittorrent" { -# source = "./qbittorrent" -# tls_secret_name = var.tls_secret_name -# } +module "qbittorrent" { + source = "./qbittorrent" + tls_secret_name = var.tls_secret_name + tier = var.tier +} module "flaresolverr" { source = "./flaresolverr" tls_secret_name = var.tls_secret_name + tier = var.tier } # module "lidarr" { # source = "./lidarr" # tls_secret_name = var.tls_secret_name +# tier = var.tier # } # module "soulseek" { # source = "./soulseek" # tls_secret_name = var.tls_secret_name +# tier = var.tier # } + +module "listenarr" { + source = "./listenarr" + tls_secret_name = var.tls_secret_name + tier = var.tier +} + +module "aiostreams" { + source = "./aiostreams" + tls_secret_name = var.tls_secret_name + aiostreams_database_connection_string = var.aiostreams_database_connection_string + tier = var.tier +} diff --git a/modules/kubernetes/servarr/prowlarr/main.tf b/modules/kubernetes/servarr/prowlarr/main.tf index 44350de9..82204bec 100644 --- a/modules/kubernetes/servarr/prowlarr/main.tf +++ b/modules/kubernetes/servarr/prowlarr/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } resource "kubernetes_deployment" "prowlarr" { @@ -6,7 +7,8 @@ resource "kubernetes_deployment" "prowlarr" { name = "prowlarr" namespace = "servarr" labels = { - app = "prowlarr" + app = "prowlarr" + tier = var.tier } annotations = { "reloader.stakater.com/search" = "true" diff --git a/modules/kubernetes/servarr/qbittorrent/main.tf b/modules/kubernetes/servarr/qbittorrent/main.tf index ecb858a8..2a473a3e 100644 --- a/modules/kubernetes/servarr/qbittorrent/main.tf 
+++ b/modules/kubernetes/servarr/qbittorrent/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } resource "kubernetes_deployment" "qbittorrent" { @@ -6,7 +7,8 @@ resource "kubernetes_deployment" "qbittorrent" { name = "qbittorrent" namespace = "servarr" labels = { - app = "qbittorrent" + app = "qbittorrent" + tier = var.tier } annotations = { "reloader.stakater.com/search" = "true" diff --git a/modules/kubernetes/servarr/readarr/main.tf b/modules/kubernetes/servarr/readarr/main.tf index b612b762..68369b06 100644 --- a/modules/kubernetes/servarr/readarr/main.tf +++ b/modules/kubernetes/servarr/readarr/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } resource "kubernetes_namespace" "readarr" { metadata { name = "readarr" @@ -20,7 +21,8 @@ resource "kubernetes_deployment" "readarr" { name = "readarr" namespace = "readarr" labels = { - app = "readarr" + app = "readarr" + tier = var.tier } annotations = { "reloader.stakater.com/search" = "true" diff --git a/modules/kubernetes/servarr/soulseek/main.tf b/modules/kubernetes/servarr/soulseek/main.tf index 2ca68c32..446ba8c6 100644 --- a/modules/kubernetes/servarr/soulseek/main.tf +++ b/modules/kubernetes/servarr/soulseek/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } resource "kubernetes_deployment" "soulseek" { @@ -6,7 +7,8 @@ resource "kubernetes_deployment" "soulseek" { name = "soulseek" namespace = "servarr" labels = { - app = "soulseek" + app = "soulseek" + tier = var.tier } annotations = { "reloader.stakater.com/search" = "true" diff --git a/modules/kubernetes/shadowsocks/main.tf b/modules/kubernetes/shadowsocks/main.tf index 6dd980e9..acb5ea9b 100644 --- a/modules/kubernetes/shadowsocks/main.tf +++ b/modules/kubernetes/shadowsocks/main.tf @@ -1,4 +1,5 @@ variable "password" {} +variable "tier" { type = string } variable "method" { default = "chacha20-ietf-poly1305" } 
@@ -19,6 +20,7 @@ resource "kubernetes_deployment" "shadowsocks" { namespace = kubernetes_namespace.shadowsocks.metadata[0].name labels = { "app" = "shadowsocks" + tier = var.tier } annotations = { "reloader.stakater.com/search" = "true" @@ -64,7 +66,7 @@ resource "kubernetes_deployment" "shadowsocks" { } } -resource "kubernetes_service" "mailserver" { +resource "kubernetes_service" "mailserver" { # rename me metadata { name = "shadowsocks" namespace = kubernetes_namespace.shadowsocks.metadata[0].name diff --git a/modules/kubernetes/stirling-pdf/main.tf b/modules/kubernetes/stirling-pdf/main.tf index 319285e9..25b29ee4 100644 --- a/modules/kubernetes/stirling-pdf/main.tf +++ b/modules/kubernetes/stirling-pdf/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } resource "kubernetes_namespace" "stirling-pdf" { metadata { @@ -20,7 +21,8 @@ resource "kubernetes_deployment" "stirling-pdf" { name = "stirling-pdf" namespace = kubernetes_namespace.stirling-pdf.metadata[0].name labels = { - app = "stirling-pdf" + app = "stirling-pdf" + tier = var.tier } } spec { diff --git a/modules/kubernetes/tandoor/main.tf b/modules/kubernetes/tandoor/main.tf index d1aa6c5e..b395890c 100644 --- a/modules/kubernetes/tandoor/main.tf +++ b/modules/kubernetes/tandoor/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } variable "tandoor_database_password" {} variable "tandoor_email_password" {} @@ -26,7 +27,8 @@ resource "kubernetes_deployment" "tandoor" { name = "tandoor" namespace = kubernetes_namespace.tandoor.metadata[0].name labels = { - app = "tandoor" + app = "tandoor" + tier = var.tier } } spec { diff --git a/modules/kubernetes/technitium/main.tf b/modules/kubernetes/technitium/main.tf index b3376443..57b37d5e 100644 --- a/modules/kubernetes/technitium/main.tf +++ b/modules/kubernetes/technitium/main.tf 
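Review bot: `# rename me` on `kubernetes_service.mailserver` defers a rename that is cheap to do now but only safe with a `moved` block; without one Terraform would destroy and recreate the Service, and with it its ClusterIP and any MetalLB address. Rename the resource to `kubernetes_service.shadowsocks` and add a `moved` block mapping `kubernetes_service.mailserver` to `kubernetes_service.shadowsocks` in the same change.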
@@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } variable "homepage_token" {} resource "kubernetes_namespace" "technitium" { @@ -23,7 +24,8 @@ resource "kubernetes_deployment" "technitium" { name = "technitium" namespace = kubernetes_namespace.technitium.metadata[0].name labels = { - app = "technitium" + app = "technitium" + tier = var.tier } } spec { diff --git a/modules/kubernetes/tor-proxy/main.tf b/modules/kubernetes/tor-proxy/main.tf index b13b0c4e..6994393d 100644 --- a/modules/kubernetes/tor-proxy/main.tf +++ b/modules/kubernetes/tor-proxy/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } resource "kubernetes_namespace" "tor-proxy" { metadata { @@ -34,7 +35,8 @@ resource "kubernetes_deployment" "tor-proxy" { name = "tor-proxy" namespace = "tor-proxy" labels = { - app = "tor-proxy" + app = "tor-proxy" + tier = var.tier } annotations = { "reloader.stakater.com/search" = "true" diff --git a/modules/kubernetes/travel_blog/main.tf b/modules/kubernetes/travel_blog/main.tf index 067838c4..15b29720 100644 --- a/modules/kubernetes/travel_blog/main.tf +++ b/modules/kubernetes/travel_blog/main.tf @@ -1,4 +1,5 @@ variable "tls_secret_name" {} +variable "tier" { type = string } resource "kubernetes_namespace" "travel-blog" { metadata { @@ -26,20 +27,21 @@ resource "kubernetes_deployment" "blog" { name = "travel-blog" namespace = kubernetes_namespace.travel-blog.metadata[0].name labels = { - run = "travel-blog" + app = "travel-blog" + tier = var.tier } } spec { replicas = 3 selector { match_labels = { - run = "travel-blog" + app = "travel-blog" } } template { metadata { labels = { - run = "travel-blog" + app = "travel-blog" } } spec { @@ -79,7 +81,7 @@ resource "kubernetes_service" "travel-blog" { name = "travel-blog" namespace = kubernetes_namespace.travel-blog.metadata[0].name labels = { - "run" = "travel-blog" + app = "travel-blog" } annotations = { "prometheus.io/scrape" = "true" 
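Review bot: Switching `spec.selector.match_labels` from `run` to `app` on an existing apps/v1 Deployment is not an in-place update — the API rejects selector changes and the Terraform provider, as far as I recall, treats the selector as force-new — so this apply replaces the whole `travel-blog` Deployment (3 replicas), and the Service briefly selects no pods while the `run`-labelled ones are torn down. If that outage matters, bring up the re-labelled Deployment under a temporary name first; otherwise note the expected blip in the commit message. The Service's own selector change in the next hunk is consistent with the new label, so routing is correct once the replacement settles.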
@@ -90,7 +92,7 @@ resource "kubernetes_service" "travel-blog" {
 spec {
 selector = {
- run = "travel-blog"
+ app = "travel-blog"
 }
 port {
 name = "http"
diff --git a/modules/kubernetes/tuya-bridge/main.tf b/modules/kubernetes/tuya-bridge/main.tf
index 9545ebf7..e685c59a 100644
--- a/modules/kubernetes/tuya-bridge/main.tf
+++ b/modules/kubernetes/tuya-bridge/main.tf
@@ -1,4 +1,5 @@
 variable "tls_secret_name" {}
+variable "tier" { type = string }
 variable "tiny_tuya_api_key" { type = string }
 variable "tiny_tuya_api_secret" { type = string }
 variable "tiny_tuya_service_secret" { type = string }
@@ -24,7 +25,8 @@ resource "kubernetes_deployment" "tuya-bridge" {
 name = "tuya-bridge"
 namespace = kubernetes_namespace.tuya-bridge.metadata[0].name
 labels = {
- app = "tuya-bridge"
+ app = "tuya-bridge"
+ tier = var.tier
 }
 }
 spec {
diff --git a/modules/kubernetes/uptime-kuma/main.tf b/modules/kubernetes/uptime-kuma/main.tf
index 19641350..2c5e410b 100644
--- a/modules/kubernetes/uptime-kuma/main.tf
+++ b/modules/kubernetes/uptime-kuma/main.tf
@@ -1,4 +1,5 @@
 variable "tls_secret_name" {}
+variable "tier" { type = string }
 resource "kubernetes_namespace" "uptime-kuma" {
 metadata {
@@ -20,7 +21,8 @@ resource "kubernetes_deployment" "uptime-kuma" {
 name = "uptime-kuma"
 namespace = kubernetes_namespace.uptime-kuma.metadata[0].name
 labels = {
- app = "uptime-kuma"
+ app = "uptime-kuma"
+ tier = var.tier
 }
 annotations = {
 "reloader.stakater.com/search" = "true"
diff --git a/modules/kubernetes/url-shortener/main.tf b/modules/kubernetes/url-shortener/main.tf
index 157844e8..caaeb0f3 100644
--- a/modules/kubernetes/url-shortener/main.tf
+++ b/modules/kubernetes/url-shortener/main.tf
@@ -5,6 +5,7 @@
 ## to the mysql tier
 variable "tls_secret_name" {}
+variable "tier" { type = string }
 variable "geolite_license_key" {}
 variable "api_key" {}
 variable "mysql_password" {}
@@ -76,7 +77,8 @@ resource "kubernetes_deployment" "shlink" {
 name = "shlink"
 namespace = kubernetes_namespace.shlink.metadata[0].name
 labels = {
- run = "shlink"
+ run = "shlink"
+ tier = var.tier
 }
 }
 spec {
@@ -213,7 +215,8 @@ resource "kubernetes_deployment" "shlink-web" {
 name = "shlink-web"
 namespace = kubernetes_namespace.shlink.metadata[0].name
 labels = {
- run = "shlink-web"
+ run = "shlink-web"
+ tier = var.tier
 }
 annotations = {
 "reloader.stakater.com/search" = "true"
diff --git a/modules/kubernetes/vault/main.tf b/modules/kubernetes/vault/main.tf
index 99c6ccf2..8d4d4ded 100644
--- a/modules/kubernetes/vault/main.tf
+++ b/modules/kubernetes/vault/main.tf
@@ -2,10 +2,14 @@ variable "tls_secret_name" {}
 variable "host" { default = "vault.viktorbarzin.me" }
+variable "tier" { type = string }
 resource "kubernetes_namespace" "vault" {
 metadata {
 name = "vault"
+ labels = {
+ tier = var.tier
+ }
 }
 }
@@ -34,9 +38,9 @@ resource "kubernetes_persistent_volume" "vault_data" {
 }
 resource "helm_release" "vault" {
- namespace = kubernetes_namespace.vault.metadata[0].name
- name = "vault"
- atomic = true
+ namespace = kubernetes_namespace.vault.metadata[0].name
+ name = "vault"
+ atomic = true
 repository = "https://helm.releases.hashicorp.com"
 chart = "vault"
diff --git a/modules/kubernetes/vaultwarden/main.tf b/modules/kubernetes/vaultwarden/main.tf
index 62214392..11cfb4bd 100644
--- a/modules/kubernetes/vaultwarden/main.tf
+++ b/modules/kubernetes/vaultwarden/main.tf
@@ -1,4 +1,5 @@
 variable "tls_secret_name" {}
+variable "tier" { type = string }
 variable "smtp_password" {}
 resource "kubernetes_namespace" "vaultwarden" {
@@ -21,7 +22,8 @@ resource "kubernetes_deployment" "vaultwarden" {
 name = "vaultwarden"
 namespace = kubernetes_namespace.vaultwarden.metadata[0].name
 labels = {
- app = "vaultwarden"
+ app = "vaultwarden"
+ tier = var.tier
 }
 annotations = {
 "reloader.stakater.com/search" = "true"
diff --git a/modules/kubernetes/wealthfolio/main.tf b/modules/kubernetes/wealthfolio/main.tf
index 30c146d0..f9733332 100644
--- a/modules/kubernetes/wealthfolio/main.tf
+++ b/modules/kubernetes/wealthfolio/main.tf
@@ -6,6 +6,7 @@
 # Note that currently wealthfolio doesn't dedup (https://github.com/afadil/wealthfolio/issues/476)
 variable "tls_secret_name" {}
+variable "tier" { type = string }
 variable "wealthfolio_password_hash" {}
 resource "kubernetes_namespace" "wealthfolio" {
@@ -33,7 +34,8 @@ resource "kubernetes_deployment" "wealthfolio" {
 name = "wealthfolio"
 namespace = kubernetes_namespace.wealthfolio.metadata[0].name
 labels = {
- app = "wealthfolio"
+ app = "wealthfolio"
+ tier = var.tier
 }
 }
 spec {
diff --git a/modules/kubernetes/webhook_handler/main.tf b/modules/kubernetes/webhook_handler/main.tf
index b670285f..fc33c938 100644
--- a/modules/kubernetes/webhook_handler/main.tf
+++ b/modules/kubernetes/webhook_handler/main.tf
@@ -1,5 +1,6 @@
 variable "tls_secret_name" {}
+variable "tier" { type = string }
 variable "webhook_secret" {}
 variable "fb_verify_token" {}
 variable "fb_page_token" {}
@@ -70,7 +71,8 @@ resource "kubernetes_deployment" "webhook_handler" {
 name = "webhook-handler"
 namespace = kubernetes_namespace.webhook-handler.metadata[0].name
 labels = {
- app = "webhook-handler"
+ app = "webhook-handler"
+ tier = var.tier
 }
 annotations = {
 "reloader.stakater.com/search" = "true"
diff --git a/modules/kubernetes/wireguard/main.tf b/modules/kubernetes/wireguard/main.tf
index 8b3c577a..32d1a7d9 100644
--- a/modules/kubernetes/wireguard/main.tf
+++ b/modules/kubernetes/wireguard/main.tf
@@ -1,4 +1,5 @@
 variable "tls_secret_name" {}
+variable "tier" { type = string }
 variable "wg_0_conf" {}
 variable "firewall_sh" {}
 variable "wg_0_key" {}
@@ -56,7 +57,8 @@ resource "kubernetes_deployment" "wireguard" {
 name = "wireguard"
 namespace = kubernetes_namespace.wireguard.metadata[0].name
 labels = {
- app = "wireguard"
+ app = "wireguard"
+ tier = var.tier
 }
 annotations = {
 "reloader.stakater.com/search" = "true"
diff --git a/modules/kubernetes/xray/main.tf b/modules/kubernetes/xray/main.tf
index 1234c0bf..b2538ddc 100644
--- a/modules/kubernetes/xray/main.tf
+++ b/modules/kubernetes/xray/main.tf
@@ -1,4 +1,5 @@
 variable "tls_secret_name" {}
+variable "tier" { type = string }
 variable "xray_reality_clients" { type = list(map(string)) }
 variable "xray_reality_private_key" { type = string }
 variable "xray_reality_short_ids" { type = list(string) }
@@ -48,7 +49,8 @@ resource "kubernetes_deployment" "xray" {
 name = "xray"
 namespace = kubernetes_namespace.xray.metadata[0].name
 labels = {
- app = "xray"
+ app = "xray"
+ tier = var.tier
 }
 annotations = {
 "reloader.stakater.com/search" = "true"
diff --git a/modules/kubernetes/youtube_dl/main.tf b/modules/kubernetes/youtube_dl/main.tf
index 0693de7f..71523195 100644
--- a/modules/kubernetes/youtube_dl/main.tf
+++ b/modules/kubernetes/youtube_dl/main.tf
@@ -1,4 +1,5 @@
 variable "tls_secret_name" {}
+variable "tier" { type = string }
 resource "kubernetes_namespace" "ytdlp" {
 metadata {
@@ -21,7 +22,8 @@ resource "kubernetes_deployment" "ytdlp" {
 name = "ytdlp"
 namespace = kubernetes_namespace.ytdlp.metadata[0].name
 labels = {
- app = "ytdlp"
+ app = "ytdlp"
+ tier = var.tier
 }
 annotations = {
 "diun.enable" = "true"
diff --git a/secrets/fullchain.pem b/secrets/fullchain.pem
index b7da727a..9c130cfd 100644
Binary files a/secrets/fullchain.pem and b/secrets/fullchain.pem differ
diff --git a/secrets/privkey.pem b/secrets/privkey.pem
index c4fa8479..181d9698 100644
Binary files a/secrets/privkey.pem and b/secrets/privkey.pem differ
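Review bot: `secrets/privkey.pem` is tracked in the repository and is modified by this commit; git reports it as binary, which is consistent with transparent encryption such as git-crypt, but nothing in the diff shows that, so confirm it is encrypted at rest before the commit is pushed — the same question applies to `terraform.tfstate` and `terraform.tfvars` in the two sections that follow. The state file in particular stores the values of every input these modules declare (`xray_reality_private_key`, `smtp_password`, `mysql_password`, `api_key`, the tuya keys) in plaintext, so if either file has ever been committed unencrypted the affected credentials should be treated as exposed and rotated, not merely removed from history. A remote backend with encryption and state locking, plus a `.gitignore` entry for `terraform.tfstate*` and `terraform.tfvars`, would take both files out of the repository entirely; if git-crypt is in use, a short README note naming the protected paths would let a reviewer verify this from the diff.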
diff --git a/terraform.tfstate b/terraform.tfstate
index ba3881b9..bcb43bcf 100644
Binary files a/terraform.tfstate and b/terraform.tfstate differ
diff --git a/terraform.tfvars b/terraform.tfvars
index bff261db..984fd4e0 100644
Binary files a/terraform.tfvars and b/terraform.tfvars differ