Remove cluster TF

This commit is contained in:
Kat Inskip 2023-07-16 11:48:46 -07:00
parent e193ee5a9f
commit c27b6d21af
Signed by: kat
GPG key ID: 465E64DECEA8CF0F
20 changed files with 0 additions and 637 deletions


@ -1,2 +0,0 @@
sops -d ./cluster.tfvars.sops > cluster.tfvars
export TF_CLI_ARGS="--var-file=cluster.tfvars"

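--- a/cluster/.gitignore
+++ b/cluster/.gitignore
@@ -1 +0,0 @@
-cluster.tfvars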


@ -1,75 +0,0 @@
variable "authentik_postgresql_password" {
type = string
}
variable "authentik_secret_key" {
type = string
}
resource "helm_release" "authentik" {
depends_on = [
helm_release.local_path_provisioner
]
name = "authentik"
repository = "https://charts.goauthentik.io"
chart = "authentik"
create_namespace = true
namespace = "authentik"
timeout = var.helm_timeout
cleanup_on_fail = true
force_update = true
values = [
yamlencode({
authentik = {
secret_key = var.authentik_secret_key
error_reporting = {
enabled = true
}
postgresql = {
password = var.authentik_postgresql_password
}
}
redis = {
enabled = true
master = {
persistence = {
enabled = true
storageClass = "local-path"
accessModes = [
"ReadWriteOnce"
]
}
}
}
postgresql = {
enabled = true
password = var.authentik_postgresql_password
postgresqlPassword = var.authentik_postgresql_password
persistence = {
enabled = true
storageClass = "local-path"
accessModes = [
"ReadWriteOnce"
]
}
}
ingress = {
enabled = true
hosts = [
{
host = "auth.inskip.me"
paths = [
{
path = "/"
pathType = "Prefix"
}
]
}
]
}
})
]
}


@ -1,10 +0,0 @@
terraform {
backend "remote" {
hostname = "app.terraform.io"
organization = "kittywitch"
workspaces {
name = "infrastructure-cluster"
}
}
}


@ -1,17 +0,0 @@
resource "helm_release" "cert-manager" {
name = "cert-manager"
repository = "https://charts.jetstack.io"
chart = "cert-manager"
create_namespace = true
namespace = "cert-manager"
timeout = var.helm_timeout
cleanup_on_fail = true
force_update = true
values = [
yamlencode({
installCRDs = true
})
]
}


@ -1,51 +0,0 @@
variable "cloudflare_api_token" {
type = string
}
resource "kubernetes_secret" "cloudflare_api_token" {
metadata {
name = "cloudflare-api-token"
namespace = "traefik"
}
data = {
api-token = var.cloudflare_api_token
}
type = "Opaque"
}
resource "kubernetes_manifest" "cert_manager_cloudflare_issuer" {
depends_on = [
helm_release.traefik
]
manifest = {
"apiVersion" = "cert-manager.io/v1"
"kind" = "Issuer"
"metadata" = {
"name" = "cloudflare"
"namespace" = "traefik"
}
"spec" = {
"acme" = {
"email" = "acme@inskip.me"
"privateKeySecretRef" = {
"name" = "cloudflare-key"
}
"server" = "https://acme-v02.api.letsencrypt.org/directory"
"solvers" = [
{
"dns01" = {
"cloudflare" = {
"apiTokenSecretRef" = {
"key" = "api-token"
"name" = "cloudflare-api-token"
}
"email" = "kat@inskip.me"
}
}
},
]
}
}
}
}

File diff suppressed because one or more lines are too long


@ -1,12 +0,0 @@
provider "helm" {
kubernetes {
host = "https://ran.gensokyo.zone:6443"
client_certificate = var.client_certificate
client_key = var.client_key
cluster_ca_certificate = var.cluster_ca_certificate
}
}
variable "helm_timeout" {
type = number
}


@ -1,18 +0,0 @@
variable "client_certificate" {
type = string
}
variable "client_key" {
type = string
}
variable "cluster_ca_certificate" {
type = string
}
provider "kubernetes" {
host = "https://ran.gensokyo.zone:6443"
client_certificate = var.client_certificate
client_key = var.client_key
cluster_ca_certificate = var.cluster_ca_certificate
}


@ -1,17 +0,0 @@
resource "helm_release" "local_path_provisioner" {
name = "local-path-storage"
repository = "${path.module}/lpp/deploy/chart"
chart = "local-path-provisioner"
create_namespace = true
namespace = "local-path-storage"
timeout = var.helm_timeout
cleanup_on_fail = true
force_update = true
values = [yamlencode({
storageClass = {
defaultClass = true
}
})]
}

@ -1 +0,0 @@
Subproject commit 97e0501428f0a5bcac49ecd0bfdb051797c4a6c5


@ -1,39 +0,0 @@
resource "kubernetes_config_map" "pihole_regex_list" {
metadata {
name = "regex.list"
namespace = kubernetes_namespace.pihole.metadata[0].name
}
data = {
"regex.list" = <<EOF
EOF
}
}
resource "kubernetes_config_map" "pihole_adlists_list" {
metadata {
name = "adlists.list"
namespace = kubernetes_namespace.pihole.metadata[0].name
}
data = {
"adlists.list" = <<EOF
https://raw.githubusercontent.com/Perflyst/PiHoleBlocklist/master/android-tracking.txt
https://raw.githubusercontent.com/crazy-max/WindowsSpyBlocker/master/data/hosts/spy.txt
https://gitlab.com/quidsup/notrack-blocklists/raw/master/notrack-blocklist.txt
EOF
}
}
resource "kubernetes_config_map" "pihole_whitelist_list" {
metadata {
name = "whitelist.txt"
namespace = kubernetes_namespace.pihole.metadata[0].name
}
data = {
"adlists.list" = <<EOF
bbc.co.uk
EOF
}
}


@ -1,229 +0,0 @@
resource "kubernetes_deployment" "pihole" {
metadata {
name = "pihole"
labels = {
app = "pihole"
}
namespace = kubernetes_namespace.pihole.metadata[0].name
}
spec {
replicas = 1
selector {
match_labels = {
app = "pihole"
}
}
template {
metadata {
labels = {
app = "pihole"
}
}
spec {
container {
image = "pihole/pihole:latest"
name = "pihole"
port {
container_port = 80
name = "http"
protocol = "TCP"
}
port {
container_port = 443
name = "https"
protocol = "TCP"
}
port {
container_port = 53
name = "dns-udp"
protocol = "UDP"
}
port {
container_port = 67
name = "dns67"
protocol = "UDP"
}
env {
name = "TZ"
value = "America/Vancouver"
}
env {
name = "WEBPASSWORD"
value_from {
secret_key_ref {
name = "pihole-secret-webpassword"
key = "WEBPASSWORD"
}
}
}
env {
name = "VIRTUAL_HOST"
value = "pihole.inskip.me"
}
env {
name = "DNS1"
value = "1.1.1.1"
}
env {
name = "DNS2"
value = "1.0.0.1"
}
env {
name = "DNSMASQ_LISTENING"
value = "all"
}
env {
name = "PIHOLE_BASE"
value = "/opt/pihole-volume"
}
resources {
limits = {
cpu = "250m"
memory = "896Mi"
}
requests = {
cpu = "20m"
memory = "512Mi"
}
}
volume_mount {
name = "pihole-volume"
mount_path = "/opt/pihole-volume"
}
volume_mount {
name = "regex"
mount_path = "/etc/pihole/regex.list"
sub_path = "regex.list"
}
volume_mount {
name = "adlists"
mount_path = "/etc/pihole/adlists.list"
sub_path = "adlists.list"
}
volume_mount {
name = "whitelist"
mount_path = "/etc/pihole/whitelist.txt"
sub_path = "whitelist.txt"
}
/*
TODO: figure out probes
liveness_probe {
http_get {
path = "/admin/index.php"
port = 80
}
initial_delay_seconds = 180
period_seconds = 15
}
readiness_probe {
http_get {
path = "/admin/index.php"
port = 80
}
initial_delay_seconds = 60
period_seconds = 15
}
*/
}
container {
image = "ghcr.io/tailscale/tailscale:latest"
name = "tailscale"
security_context {
capabilities {
add = ["NET_ADMIN"]
}
}
env {
name = "TS_HOSTNAME"
value = "pihole"
}
env {
name = "TS_KUBE_SECRET"
value = ""
}
env {
name = "TS_STATE_DIR"
value = "/tailscale"
}
env {
name = "TS_USERPSACE"
value = "false"
}
env {
name = "TS_AUTHKEY"
value_from {
secret_key_ref {
name = "tailscale-auth"
key = "TS_AUTHKEY"
}
}
}
resources {
limits = {
cpu = "250m"
memory = "512Mi"
}
requests = {
cpu = "20m"
memory = "64Mi"
}
}
volume_mount {
name = "tailscale-state-volume"
mount_path = "/tailscale"
}
}
volume {
name = "pihole-volume"
persistent_volume_claim {
claim_name = "pihole-volume-claim"
}
}
volume {
name = "regex"
config_map {
name = "regex.list"
}
}
volume {
name = "adlists"
config_map {
name = "adlists.list"
}
}
volume {
name = "whitelist"
config_map {
name = "whitelist.txt"
}
}
volume {
name = "tailscale-state-volume"
persistent_volume_claim {
claim_name = "tailscale-state-volume-claim"
}
}
}
}
}
}


@ -1,13 +0,0 @@
resource "kubernetes_namespace" "pihole" {
metadata {
annotations = {
name = "pihole"
}
labels = {
app = "pihole"
}
name = "pihole"
}
}


@ -1,31 +0,0 @@
resource "kubernetes_persistent_volume_claim" "pihole-volume" {
metadata {
name = "pihole-volume-claim"
namespace = kubernetes_namespace.pihole.metadata[0].name
}
spec {
storage_class_name = "local-path"
access_modes = ["ReadWriteOnce"]
resources {
requests = {
storage = "1Gi"
}
}
}
}
resource "kubernetes_persistent_volume_claim" "tailscale-state-volume" {
metadata {
name = "tailscale-state-volume-claim"
namespace = kubernetes_namespace.pihole.metadata[0].name
}
spec {
storage_class_name = "local-path"
access_modes = ["ReadWriteOnce"]
resources {
requests = {
storage = "5Gi"
}
}
}
}


@ -1,14 +0,0 @@
variable "pihole_secret_WEBPASSWORD" {
description = "web ui password"
}
resource "kubernetes_secret" "pihole-webpassword" {
metadata {
name = "pihole-secret-webpassword"
namespace = kubernetes_namespace.pihole.metadata[0].name
}
data = {
WEBPASSWORD = var.pihole_secret_WEBPASSWORD
}
type = "Opaque"
}



@ -1,31 +0,0 @@
variable "tailscale_api_key" {
type = string
}
variable "tailnet" {
type = string
}
provider "tailscale" {
api_key = var.tailscale_api_key
tailnet = var.tailnet
}
resource "tailscale_tailnet_key" "cluster_reusable" {
reusable = true
ephemeral = true
preauthorized = true
}
resource "kubernetes_secret" "tailscale_auth" {
metadata {
name = "tailscale-auth"
namespace = kubernetes_namespace.pihole.metadata[0].name
}
data = {
TS_AUTHKEY = tailscale_tailnet_key.cluster_reusable.key
}
type = "Opaque"
}


@ -1,16 +0,0 @@
terraform {
required_providers {
helm = {
source = "hashicorp/helm"
version = "2.9.0"
}
kubernetes = {
source = "hashicorp/kubernetes"
version = "2.20.0"
}
tailscale = {
source = "tailscale/tailscale"
version = "0.13.7"
}
}
}


@ -1,38 +0,0 @@
resource "helm_release" "traefik" {
name = "traefik"
repository = "https://traefik.github.io/charts"
chart = "traefik"
create_namespace = true
namespace = "traefik"
timeout = var.helm_timeout
cleanup_on_fail = true
force_update = true
values = [
yamlencode({
deployment = {
replicas = 1
}
service = {
type = "NodePort"
}
ports = {
traefik = {
expose = true
exposedPort = 9000
}
web = {
nodePort = 80
exposedPort = 80
expose = true
}
websecure = {
nodePort = 443
exposedPort = 443
expose = true
}
}
})
]
}