From 71b52e4c6f0463f5e31690ac0983ff9d9337cf32 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Sat, 2 Nov 2024 19:50:13 -0500
Subject: [PATCH 1/3] 20125: Deploy Status server
https://20125.home/ is the URL the Status Android application loads in its main WebView. This site is powered by a server that generates a custom page showing the status of our self-hosted applications, based on alerts retrieved from the AlertManager API. Android WebView does not allow cleartext HTTP connections. It does, however, allow connecting an HTTPS server and ignoring the certificate it presents, which is effectively the same thing. Thus, we generate a self-signed certificate for the Ingress for this site.
---
 20125/config.yml | 79 +++++++++++++++++++++++++++++++++++++
 20125/ingress.yaml | 25 ++++++++++++
 20125/kustomization.yaml | 26 ++++++++++++
 20125/namespace.yaml | 6 +++
 20125/secrets.yaml | 13 ++++++
 20125/status-server-ca.yaml | 32 +++++++++++++++
 20125/status-server.yaml | 46 +++++++++++++++++++++
 7 files changed, 227 insertions(+)
 create mode 100644 20125/config.yml
 create mode 100644 20125/ingress.yaml
 create mode 100644 20125/kustomization.yaml
 create mode 100644 20125/namespace.yaml
 create mode 100644 20125/secrets.yaml
 create mode 100644 20125/status-server-ca.yaml
 create mode 100644 20125/status-server.yaml
diff --git a/20125/config.yml b/20125/config.yml
new file mode 100644
index 0000000..7a06670
--- /dev/null
+++ b/20125/config.yml
@@ -0,0 +1,79 @@
+alertmanager:
+ url: http://alertmanager.victoria-metrics:9093
+
+system_wide:
+ alerts:
+ - alertgoup: Active Directory
+ - alertgoup: Longhorn
+ - alertgoup: PostgreSQL
+ - alertgoup: Restic
+ - alertgoup: Temperature
+ - job: authelia
+ - job: blackbox
+ - job: dns_pyrocufflink
+ - job: dns_recursive
+ - job: kubelet
+ - job: kubernetes
+ - instance: db0.pyrocufflink.blue
+ - instance: gw1.pyrocufflink.blue
+ - instance: vmhost0.pyrocufflink.blue
+ - instance: vmhost1.pyrocufflink.blue
+
+applications:
+- name: Home Assistant
+ url: https://homeassistant.pyrocufflink.blue/
+ icon:
+ url: icons/home-assistant.svg
+ alerts:
+ - alertgroup: Home Assistant
+ - alertgroup: Frigate
+ - job: homeassistant
+ - instance: homeassistant.pyrocufflink.blue
+
+- name: Nextcloud
+ url: &url https://nextcloud.pyrocufflink.net/
+ icon:
+ url: icons/nextcloud.png
+ alerts:
+ - instance: *url
+ - instance: cloud0.pyrocufflink.blue
+
+- name: Invoice Ninja
+ url: &url https://invoiceninja.pyrocufflink.net/
+ icon:
+ url: icons/invoiceninja.svg
+ class: light-bg
+ alerts:
+ - instance: *url
+
+- name: Jellyfin
+ url: &url https://jellyfin.pyrocufflink.net/
+ icon:
+ url: icons/jellyfin.svg
+ alerts:
+ - instance: *url
+
+- name: Vaultwarden
+ url: &url https://bitwarden.pyrocufflink.net/
+ icon:
+ url: icons/vaultwarden.svg
+ class: light-bg
+ alerts:
+ - instance: *url
+ - alertgroup: Bitwarden
+
+- name: Paperless-ngx
+ url: &url https://paperless.pyrocufflink.blue/
+ icon:
+ url: icons/paperless-ngx.svg
+ alerts:
+ - instance: *url
+ - alertgroup: Paperless-ngx
+ - job: paperless-ngx
+
+- name: Firefly III
+ url: &url https://firefly.pyrocufflink.blue/
+ icon:
+ url: icons/firefly-iii.svg
+ alerts:
+ - instance: *url
diff --git a/20125/ingress.yaml b/20125/ingress.yaml
new file mode 100644
index 0000000..acb274b
--- /dev/null
+++ b/20125/ingress.yaml
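Review bot: The five `alertgoup:` entries under `system_wide.alerts` (Active Directory, Longhorn, PostgreSQL, Restic, Temperature) misspell the key that every application entry spells `alertgroup:`; unless the server tolerates the typo, these selectors presumably match nothing and the system-wide section silently drops those alert groups. Change each to `- alertgroup: Active Directory`, `- alertgroup: Longhorn`, and so on. Separately, `&url` is re-declared for every application; YAML allows redefining an anchor and each `*url` resolves to the nearest preceding definition, but several linters warn on duplicate anchors, so per-application names such as `&nextcloud_url` would be safer to edit later.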
@@ -0,0 +1,25 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ annotations:
+ nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+ cert-manager.io/issuer: status-server-ca
+ labels: &labels
+ app.kubernetes.io/name: status-server
+ name: status-server
+spec:
+ tls:
+ - hosts:
+ - 20125.home
+ secretName: status-server-cert
+ rules:
+ - host: 20125.home
+ http:
+ paths:
+ - backend:
+ service:
+ name: status-server
+ port:
+ number: 80
+ path: /
+ pathType: Prefix
diff --git a/20125/kustomization.yaml b/20125/kustomization.yaml
new file mode 100644
index 0000000..2be0fb3
--- /dev/null
+++ b/20125/kustomization.yaml
@@ -0,0 +1,26 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+namespace: '20125'
+
+labels:
+- pairs:
+ app.kubernetes.io/instance: '20125'
+ app.kubernetes.io/part-of: '20125'
+ includeSelectors: true
+
+resources:
+- namespace.yaml
+- secrets.yaml
+- status-server-ca.yaml
+- status-server.yaml
+- ingress.yaml
+
+configMapGenerator:
+- name: 20125-config
+ files:
+ - config.yml
+
+images:
+- name: git.pyrocufflink.net/packages/20125.home
+ newTag: dev
diff --git a/20125/namespace.yaml b/20125/namespace.yaml
new file mode 100644
index 0000000..fae9930
--- /dev/null
+++ b/20125/namespace.yaml
@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: "20125"
+ labels:
+ app.kubernetes.io/name: '20125'
diff --git a/20125/secrets.yaml b/20125/secrets.yaml
new file mode 100644
index 0000000..2fec0b2
--- /dev/null
+++ b/20125/secrets.yaml
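Review bot: The `labels: &labels` anchor in the Ingress metadata is never aliased anywhere in ingress.yaml, so the `&labels` is dead syntax here; write it as plain `labels:`. In status-server.yaml the same anchor is consumed by `selector: *labels` and `matchLabels: *labels`, which is where it earns its place; an unused anchor in this file only invites a reader to look for a `*labels` that does not exist.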
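Review bot: `newTag: dev` in the `images:` entry is a floating tag, and the Deployment pulls it with `imagePullPolicy: Always`, so every pod restart deploys whatever was most recently pushed under `dev` with no record in this repository of which build is actually running. For a reproducible and auditable rollout, pin the image with a `digest:` field in the same `images:` entry (for example `digest: sha256:<image digest>`, placeholder) or an immutable per-release tag, and bump it on each release.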
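Review bot: namespace.yaml quotes the same value two ways, `name: "20125"` and `app.kubernetes.io/name: '20125'`, while kustomization.yaml uses single quotes for it throughout; prefer `name: '20125'` here for consistency. The quotes themselves are required either way, since a bare `20125` would be parsed as an integer rather than a name.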
@@ -0,0 +1,13 @@ +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + name: imagepull-gitea + namespace: "20125" +spec: + encryptedData: + .dockerconfigjson: AgAXY5XsnGF9E3RU9dnKXK9fWjqK0khCDf7n0vuJCLACrcM01aoWVSjl26+j7oSTTyc7t5C+EKPJnuKdlkNfh2Omw9Lh3dn8rPRYcBRmUEAyt0TvBVkxBIiP+49y39QEV1opYY+b1gLVJ5ZEC92u5uI9y8xovwx9wqtKLfQ+KCfc5m93AYaQJ9EcnV1DSEkv/HdtWNikQes2hO6pTLF/GHrh/s79eIeXMTm5oG/OyJWTOGQdy1SdoGWLLf31dsjhsJyGMYOtWx42Nou20lWqmdoy4Dd8OXuuhcfeDNzkH187mI4XpVjbS0M+P5teJsGiTwx+VyJlGQnEaquIiHy3KLt3YH/ltGeNeCNbFmSDa70A3IdP/t0cAXN20rlIFGVzqNrAOhMYtiTDEgaKOrL7mwM4i4NTCnLTA2nXU7gLEcLGPRqO7LKIhc1/6d1xWMT58SFjHAVklFt/lq1udY6zE8gXHp+RQ+7hIIEu500YiaKubvh2MsOKIqYOaX99Q4BW7PQhwjjwtFHFuwNjZn8wAbDq+3gsDSqgeFPgHAs7nPIImcBne/fTobsHhUVvxEnBNLCRtSqpkvOLzpgC+dRNsD6ZTcXPhFWTEOvjBMcUWqOTcRmd8DCsdxalM42x/ZQjlNlubZeuaNki+4pA80bYlsLWt3A2nWtcVbO/aAYrT1qiK/d8NZsPNidD0HE1rkUkCNv5KgXVWUfVU7ptX1YFpYXXuEIFeWzulH3gWmdW4q+t2nGHAqwkszZfijtpsexBttff1ym3rgBTGHFmQRkmSMbNHIAq29ehuVrxkH7uM8Q1cXXmMnGgre0ijtUfW9zMlx92jR86187xOLM3/hxANhfyt4eZVMwx8D42facMxxAngCi01vYTwqihA9mtBFkKlkQdKCH1NxgWQqwAJi87utgHoFivxeM+Pck7Zeottr0yzUEisdoBAdQR99hijR2C5SnC4iURnqfi9sloj0Uuo74SxiTGapA7pg77LmvpV9Wzu6QiEm944tftcZHwaMg= + template: + metadata: + name: imagepull-gitea + namespace: "20125" + type: kubernetes.io/dockerconfigjson diff --git a/20125/status-server-ca.yaml b/20125/status-server-ca.yaml new file mode 100644 index 0000000..0c96fa8 --- /dev/null +++ b/20125/status-server-ca.yaml 
@@ -0,0 +1,32 @@
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: selfsigned-ca
+spec:
+ selfSigned: {}
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: status-server-ca
+spec:
+ isCA: true
+ commonName: 20125 CA
+ secretName: status-server-ca-secret
+ privateKey:
+ algorithm: ECDSA
+ size: 256
+ issuerRef:
+ name: selfsigned-ca
+ kind: Issuer
+ group: cert-manager.io
+
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+ name: status-server-ca
+spec:
+ ca:
+ secretName: status-server-ca-secret
diff --git a/20125/status-server.yaml b/20125/status-server.yaml
new file mode 100644
index 0000000..82d7fbe
--- /dev/null
+++ b/20125/status-server.yaml
@@ -0,0 +1,46 @@
+apiVersion: v1
+kind: Service
+metadata:
+ labels: &labels
+ app.kubernetes.io/name: status-server
+ app.kubernetes.io/component: status-server
+ name: status-server
+spec:
+ ports:
+ - port: 80
+ protocol: TCP
+ targetPort: 20125
+ selector: *labels
+ type: ClusterIP
+
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ labels: &labels
+ app.kubernetes.io/name: status-server
+ app.kubernetes.io/component: status-server
+ name: status-server
+spec:
+ replicas: 1
+ selector:
+ matchLabels: *labels
+ template:
+ metadata:
+ labels: *labels
+ spec:
+ containers:
+ - name: status-server
+ image: git.pyrocufflink.net/packages/20125.home
+ imagePullPolicy: Always
+ volumeMounts:
+ - mountPath: /usr/local/share/20125.home/config.yml
+ name: config
+ subPath: config.yml
+ readOnly: True
+ imagePullSecrets:
+ - name: imagepull-gitea
+ volumes:
+ - name: config
+ configMap:
+ name: 20125-config
From 4ad5518f18d6c464e95b1a39194f9837e979bcee Mon Sep 17 00:00:00 2001
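Review bot: The `status-server-ca` Certificate sets `isCA: true` but no `duration` or `renewBefore`, so the CA is issued with cert-manager's default 90-day lifetime and re-issued on the default schedule, after which earlier leaf certificates chain to a CA that has been replaced. Per the commit message the Android client ignores the presented certificate, so this is not a functional break, but an explicit `duration:` on the CA, and `rotationPolicy: Always` under `privateKey:` as certificates.yaml in this repository already uses, would make the intended lifetime visible and key rotation deliberate rather than accidental.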
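Review bot: The `status-server` container in the Deployment has no `securityContext`, no `resources`, and no declared `ports`, so it runs with the cluster defaults (whatever user the image selects, privilege escalation allowed, all default capabilities, unbounded CPU and memory) for a service whose only job is to render a page from AlertManager data. Add a restrictive per-container securityContext and requests/limits as below; whether `runAsNonRoot` and `readOnlyRootFilesystem` can be enabled depends on how the image is built, so confirm them against its Dockerfile, and the resource figures are placeholders to be sized from observed usage. Also `readOnly: True` on the volumeMount is accepted under YAML 1.1, but the rest of these manifests use lowercase booleans (`includeSelectors: true`, `isCA: true`), so write `readOnly: true`.
```yaml
      containers:
      - name: status-server
        image: git.pyrocufflink.net/packages/20125.home
        imagePullPolicy: Always
        ports:
        - containerPort: 20125
        securityContext:
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          runAsNonRoot: true  # confirm the image runs as an unprivileged user
          readOnlyRootFilesystem: true  # confirm the server writes nothing under /
        resources:  # placeholder values; size from observed usage
          requests:
            cpu: 50m
            memory: 64Mi
          limits:
            memory: 128Mi
        # … unchanged: volumeMounts (with readOnly: true) …
```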
From: "Dustin C. Hatch"
Date: Tue, 5 Nov 2024 06:13:53 -0600
Subject: [PATCH 2/3] cert-manager: Migrate config to configMapGenerator
---
 cert-manager/cert-exporter.config.yml | 36 +++++++++++++++++++++
 cert-manager/cert-exporter.yaml | 45 ---------------------------------------------
 cert-manager/kustomization.yaml | 8 +++++
 3 files changed, 44 insertions(+), 45 deletions(-)
 create mode 100644 cert-manager/cert-exporter.config.yml
diff --git a/cert-manager/cert-exporter.config.yml b/cert-manager/cert-exporter.config.yml
new file mode 100644
index 0000000..9992f8c
--- /dev/null
+++ b/cert-manager/cert-exporter.config.yml
@@ -0,0 +1,36 @@
+git_repo: gitea@git.pyrocufflink.blue:dustin/certs.git
+certs:
+- name: pyrocufflink-cert
+ namespace: default
+ key: certificates/_.pyrocufflink.net.key
+ cert: certificates/_.pyrocufflink.net.crt
+ bundle: certificates/_.pyrocufflink.net.pem
+- name: dustinhatchname-cert
+ namespace: default
+ key: acme.sh/dustin.hatch.name/dustin.hatch.name.key
+ cert: acme.sh/dustin.hatch.name/fullchain.cer
+- name: hatchchat-cert
+ namespace: default
+ key: certificates/hatch.chat.key
+ cert: certificates/hatch.chat.crt
+ bundle: certificates/hatch.chat.pem
+- name: tabitha-cert
+ namespace: default
+ key: certificates/tabitha.biz.key
+ cert: certificates/tabitha.biz.crt
+ bundle: certificates/tabitha.biz.pem
+- name: chmod777-cert
+ namespace: default
+ key: certificates/chmod777.sh.key
+ cert: certificates/chmod777.sh.crt
+ bundle: certificates/chmod777.sh.pem
+- name: dustinandtabitha-cert
+ namespace: default
+ key: certificates/dustinandtabitha.com.key
+ cert: certificates/dustinandtabitha.com.crt
+ bundle: certificates/dustinandtabitha.com.pem
+- name: hlc-cert
+ namespace: default
+ key: certificates/hatchlearningcenter.org.key
+ cert: certificates/hatchlearningcenter.org.crt
+ bundle: certificates/hatchlearningcenter.org.pem
diff --git a/cert-manager/cert-exporter.yaml b/cert-manager/cert-exporter.yaml
index 7a3f32a..6dba3f2 100644
--- a/cert-manager/cert-exporter.yaml
+++ b/cert-manager/cert-exporter.yaml
@@ -4,51 +4,6 @@ metadata:
 name: cert-exporter
 namespace: cert-manager
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: cert-exporter
- namespace: cert-manager
-data:
- config.yml: |
- git_repo: gitea@git.pyrocufflink.blue:dustin/certs.git
- certs:
- - name: pyrocufflink-cert
- namespace: default
- key: certificates/_.pyrocufflink.net.key
- cert: certificates/_.pyrocufflink.net.crt
- bundle: certificates/_.pyrocufflink.net.pem
- - name: dustinhatchname-cert
- namespace: default
- key: acme.sh/dustin.hatch.name/dustin.hatch.name.key
- cert: acme.sh/dustin.hatch.name/fullchain.cer
- - name: hatchchat-cert
- namespace: default
- key: certificates/hatch.chat.key
- cert: certificates/hatch.chat.crt
- bundle: certificates/hatch.chat.pem
- - name: tabitha-cert
- namespace: default
- key: certificates/tabitha.biz.key
- cert: certificates/tabitha.biz.crt
- bundle: certificates/tabitha.biz.pem
- - name: chmod777-cert
- namespace: default
- key: certificates/chmod777.sh.key
- cert: certificates/chmod777.sh.crt
- bundle: certificates/chmod777.sh.pem
- - name: dustinandtabitha-cert
- namespace: default
- key: certificates/dustinandtabitha.com.key
- cert: certificates/dustinandtabitha.com.crt
- bundle: certificates/dustinandtabitha.com.pem
- - name: hlc-cert
- namespace: default
- key: certificates/hatchlearningcenter.org.key
- cert: certificates/hatchlearningcenter.org.crt
- bundle: certificates/hatchlearningcenter.org.pem
-
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: Role
diff --git a/cert-manager/kustomization.yaml b/cert-manager/kustomization.yaml
index 24ab378..6216727 100644
--- a/cert-manager/kustomization.yaml
+++ b/cert-manager/kustomization.yaml
@@ -8,6 +8,14 @@ resources:
 - cert-exporter.yaml
 - dch-ca-issuer.yaml
+configMapGenerator:
+- name: cert-exporter
+ namespace: cert-manager
+ files:
+ - config.yml=cert-exporter.config.yml
+ options:
+ disableNameSuffixHash: True
+
 secretGenerator:
 - name: zerossl-eab
 namespace: cert-manager
From e1d9833e837e1c37a399344f5d8ef2e6527210d4 Mon Sep 17 00:00:00 2001
From: "Dustin C. Hatch"
Date: Tue, 5 Nov 2024 07:04:27 -0600
Subject: [PATCH 3/3] cert-manager: Add cert for apps.du5t1n.xyz
---
 cert-manager/cert-exporter.config.yml | 5 +++++
 cert-manager/cert-exporter.yaml | 1 +
 cert-manager/certificates.yaml | 17 +++++++++++++++++
 3 files changed, 23 insertions(+)
diff --git a/cert-manager/cert-exporter.config.yml b/cert-manager/cert-exporter.config.yml
index 9992f8c..bb6ed50 100644
--- a/cert-manager/cert-exporter.config.yml
+++ b/cert-manager/cert-exporter.config.yml
@@ -34,3 +34,8 @@ certs:
 key: certificates/hatchlearningcenter.org.key
 cert: certificates/hatchlearningcenter.org.crt
 bundle: certificates/hatchlearningcenter.org.pem
+- name: appsxyz-cert
+ namespace: default
+ key: certificates/apps.du5t1n.xyz.key
+ cert: certificates/apps.du5t1n.xyz.crt
+ bundle: certificates/apps.du5t1n.xyz.pem
diff --git a/cert-manager/cert-exporter.yaml b/cert-manager/cert-exporter.yaml
index 6dba3f2..b88c92f 100644
--- a/cert-manager/cert-exporter.yaml
+++ b/cert-manager/cert-exporter.yaml
@@ -24,6 +24,7 @@ rules:
 - chmod777-cert
 - dustinandtabitha-cert
 - hlc-cert
+ - appsxyz-cert
 ---
 apiVersion: rbac.authorization.k8s.io/v1
diff --git a/cert-manager/certificates.yaml b/cert-manager/certificates.yaml
index d9fec2e..8960987 100644
--- a/cert-manager/certificates.yaml
+++ b/cert-manager/certificates.yaml
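Review bot: `disableNameSuffixHash: True` in the new `configMapGenerator` entry keeps the ConfigMap named `cert-exporter`, which preserves the reference the existing workload already uses, but it also gives up the content hash that would otherwise roll that workload whenever cert-exporter.config.yml changes: with the hash disabled a config edit updates the ConfigMap in place and a running pod keeps the old file until something restarts it (and if the file is mounted with `subPath`, it never sees the update at all). The kind of workload consuming this ConfigMap is not visible in the hunk; if it is long-running, either drop the option and let Kustomize rewrite the reference to the hashed name, or make a restart an explicit step of the rollout. Minor style point: Kustomize accepts `True`, but `true` matches the lowercase booleans used in the other manifests of this series.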
@@ -136,3 +136,20 @@ spec:
 privateKey:
 algorithm: ECDSA
 rotationPolicy: Always
+
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: appsxyz-cert
+spec:
+ secretName: appsxyz-cert
+ dnsNames:
+ - apps.du5t1n.xyz
+ issuerRef:
+ group: cert-manager.io
+ kind: ClusterIssuer
+ name: zerossl
+ privateKey:
+ algorithm: ECDSA
+ rotationPolicy: Always