diff --git a/.github/workflows/dns-update-config.yml b/.github/workflows/dns-update-config.yml new file mode 100644 index 0000000..c9860f1 --- /dev/null +++ b/.github/workflows/dns-update-config.yml @@ -0,0 +1,39 @@ +name: Update Config Files + +on: + push: + branches: + - main + - test + - dev + paths: + - 'dns/dns-prod-1/config/**' + workflow_dispatch: + +jobs: + deploy: + runs-on: "self-hosted" + + steps: + - name: Checkout + uses: actions/checkout@v2 + + - name: SCP files via ssh key + uses: appleboy/scp-action@master + with: + username: xcad + host: srv-prod-7.home.clcreative.de + key: ${{ secrets.SSH_XCAD }} + source: './config/*' + target: '/home/xcad/dns-prod-1/' + overwrite: true + + - name: Restart Docker Container + uses: fifsky/ssh-action@master + with: + user: xcad + host: srv-prod-7.home.clcreative.de + key: ${{ secrets.SSH_XCAD }} + command: | + cd dns-prod-1 + docker compose restart diff --git a/.github/workflows/dns-update-dns.yml b/.github/workflows/dns-update-dns.yml new file mode 100644 index 0000000..aa93b8a --- /dev/null +++ b/.github/workflows/dns-update-dns.yml 
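Review bot: The two SSH steps in dns-update-config.yml pull `appleboy/scp-action@master` and `fifsky/ssh-action@master`, a mutable branch ref, while handing them the `secrets.SSH_XCAD` private key; pin both to a release tag or, better, a full commit SHA so an upstream change cannot silently leak the key. The `push` trigger also lists `test` and `dev`, so a push to either branch redeploys the production host srv-prod-7 — a job-level `if: github.ref == 'refs/heads/main'` (as dns-update-dns.yml already does for apply) would limit this. The scp `source: './config/*'` is relative to the checkout root, whereas the path filter watches `dns/dns-prod-1/config/**`; unless the runner's working directory differs from the checkout, the glob matches nothing, so please confirm. dns-update-docker.yml has the same three issues with `./docker-compose.yaml`.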
@@ -0,0 +1,81 @@ +name: "Update DNS Records" + +on: + push: + branches: + - main + - test + - dev + paths: + - 'dns/dns-prod-1/terraform/*.tf' + workflow_dispatch: + +defaults: + run: + working-directory: ./terraform + +env: + TF_VAR_TSIG_KEY_HOME: ${{ secrets.TSIG_KEY_HOME }} + +jobs: + terraform: + runs-on: "self-hosted" + steps: + + - name: Checkout + uses: actions/checkout@v3 + + - name: Setup Terraform + uses: hashicorp/setup-terraform@v1 + with: + # terraform_version: 0.13.0: + cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }} + + - name: Terraform Format + id: fmt + run: terraform fmt -check + + - name: Terraform Init + id: init + run: terraform init + + - name: Terraform Validate + id: validate + run: terraform validate -no-color + + - name: Terraform Plan + id: plan + if: github.event_name == 'pull_request' + run: terraform plan -no-color -input=false + continue-on-error: true + + - uses: actions/github-script@v6 + if: github.event_name == 'pull_request' + env: + PLAN: "terraform\n${{ steps.plan.outputs.stdout }}" + with: + github-token: ${{ secrets.GITHUB_TOKEN }} + script: | + const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\` + #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\` + #### Terraform Validation 🤖\`${{ steps.validate.outcome }}\` + #### Terraform Plan 📖\`${{ steps.plan.outcome }}\` +
Show Plan + \`\`\`\n + ${process.env.PLAN} + \`\`\` +
+ *Pushed by: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`; + github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: output + }) + - name: Terraform Plan Status + if: steps.plan.outcome == 'failure' + run: exit 1 + + - name: Terraform Apply + if: github.ref == 'refs/heads/main' && github.event_name == 'push' + run: terraform apply -auto-approve -input=false diff --git a/.github/workflows/dns-update-docker.yml b/.github/workflows/dns-update-docker.yml new file mode 100644 index 0000000..dc399f7 --- /dev/null +++ b/.github/workflows/dns-update-docker.yml @@ -0,0 +1,38 @@ +name: Update Docker Compose File + +on: + push: + branches: + - main + - test + - dev + paths: + - 'dns/dns-prod-1/docker-compose.yaml' + workflow_dispatch: + +jobs: + deploy: + runs-on: "self-hosted" + + steps: + - name: Checkout + uses: actions/checkout@v2 + + - name: Upload new Docker Compose File + uses: appleboy/scp-action@master + with: + username: xcad + host: srv-prod-7.home.clcreative.de + key: ${{ secrets.SSH_XCAD }} + source: './docker-compose.yaml' + target: '/home/xcad/dns-prod-1/' + + - name: Restart Docker Container + uses: fifsky/ssh-action@master + with: + user: xcad + host: srv-prod-7.home.clcreative.de + key: ${{ secrets.SSH_XCAD }} + command: | + cd dns-prod-1 + docker compose up -d --force-recreate diff --git a/.gitignore b/.gitignore index 6a29dc2..103fb87 100644 --- a/.gitignore +++ b/.gitignore @@ -1,3 +1,5 @@ +.vscode/** + **/.envrc **/.env diff --git a/argocd/argocd-prod-1/kubernetes/ingress.yml b/argocd/argocd-prod-1/kubernetes/ingress.yml index 4d1380b..88ef6b3 100644 --- a/argocd/argocd-prod-1/kubernetes/ingress.yml +++ b/argocd/argocd-prod-1/kubernetes/ingress.yml 
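Review bot: The `Terraform Plan` step and the github-script comment in dns-update-dns.yml are guarded by `github.event_name == 'pull_request'`, but the workflow's `on:` block only has `push` and `workflow_dispatch`, so they never execute and `Terraform Plan Status` (`steps.plan.outcome == 'failure'`) is never true; `Terraform Apply` on `main` therefore runs with no prior plan. Either add a `pull_request:` trigger with the same `paths` filter or drop the event guard so a plan runs and gates the apply on push. `defaults.run.working-directory: ./terraform` is also relative to the checkout root while the files live under `dns/dns-prod-1/terraform`, so confirm the runner's layout or use the full path. With `terraform_version` commented out, `hashicorp/setup-terraform@v1` installs whatever it defaults to; the `cloud` block in `_provider.tf` needs a 1.1+ CLI, so it is safer to set the version explicitly.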
@@ -3,7 +3,7 @@ kind: Ingress metadata: name: argocd-prod-1-ingress namespace: argocd - annotations: + annotations: {} # traefik.ingress.kubernetes.io/router.entrypoints: websecure # traefik.ingress.kubernetes.io/router.tls: "true" # traefik.ingress.kubernetes.io/router.tls.options: default diff --git a/argocd/argocd-prod-2/kubernetes/ingress.yml b/argocd/argocd-prod-2/kubernetes/ingress.yml index 85c2077..d879a87 100644 --- a/argocd/argocd-prod-2/kubernetes/ingress.yml +++ b/argocd/argocd-prod-2/kubernetes/ingress.yml @@ -3,7 +3,7 @@ kind: Ingress metadata: name: argocd-demo-1-ingress namespace: argocd - annotations: + annotations: {} # traefik.ingress.kubernetes.io/router.entrypoints: websecure # traefik.ingress.kubernetes.io/router.tls: "true" # traefik.ingress.kubernetes.io/router.tls.options: default diff --git a/cadvisor/cadvisor-prod-1/docker-compose.yaml b/cadvisor/cadvisor-prod-1/docker-compose.yaml new file mode 100644 index 0000000..170a84f --- /dev/null +++ b/cadvisor/cadvisor-prod-1/docker-compose.yaml @@ -0,0 +1,29 @@ +--- +networks: + frontend: + external: true + backend: + external: true +services: + cadvisor: + image: gcr.io/cadvisor/cadvisor:v0.47.2 + container_name: cadvisor-prod-1 + devices: + - /dev/kmsg + privileged: true + volumes: + - /:/rootfs:ro + - /var/run:/var/run:ro + - /sys:/sys:ro + - /var/lib/docker/:/var/lib/docker:ro + - /dev/disk/:/dev/disk:ro + labels: + - traefik.enable=true + - traefik.http.routers.cadvisor-prod-1.entrypoints=websecure + - traefik.http.routers.cadvisor-prod-1.rule=Host(`cadvisor-prod-1.srv-prod-1.home.clcreative.de`) + - traefik.http.routers.cadvisor-prod-1.tls=true + - traefik.http.routers.cadvisor-prod-1.tls.certresolver=cloudflare + networks: + - frontend + - backend + restart: unless-stopped diff --git a/cadvisor/cadvisor-prod-2/docker-compose.yaml b/cadvisor/cadvisor-prod-2/docker-compose.yaml new file mode 100644 index 0000000..170a84f --- /dev/null +++ b/cadvisor/cadvisor-prod-2/docker-compose.yaml 
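Review bot: cadvisor-prod-1 runs with `privileged: true` and read-only mounts of `/`, `/var/run` (which includes the Docker socket) and `/var/lib/docker`, yet its Traefik router has no authentication middleware, so anyone who can reach `cadvisor-prod-1.srv-prod-1.home.clcreative.de` gets the full host and container inventory. cAdvisor has no built-in auth, so attach a basicAuth or IP-allowlist middleware, or keep it on the `backend` network only and let Prometheus scrape it there — the prometheus.yaml hunk already uses the in-network name `cadvisor-prod-1:8080`. If scraping works over the shared network, the `frontend` membership and the router labels may not be needed at all.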
@@ -0,0 +1,29 @@ +--- +networks: + frontend: + external: true + backend: + external: true +services: + cadvisor: + image: gcr.io/cadvisor/cadvisor:v0.47.2 + container_name: cadvisor-prod-1 + devices: + - /dev/kmsg + privileged: true + volumes: + - /:/rootfs:ro + - /var/run:/var/run:ro + - /sys:/sys:ro + - /var/lib/docker/:/var/lib/docker:ro + - /dev/disk/:/dev/disk:ro + labels: + - traefik.enable=true + - traefik.http.routers.cadvisor-prod-1.entrypoints=websecure + - traefik.http.routers.cadvisor-prod-1.rule=Host(`cadvisor-prod-1.srv-prod-1.home.clcreative.de`) + - traefik.http.routers.cadvisor-prod-1.tls=true + - traefik.http.routers.cadvisor-prod-1.tls.certresolver=cloudflare + networks: + - frontend + - backend + restart: unless-stopped diff --git a/certmanager/certmanager-demo-1/helm/helm-values.yaml b/certmanager/certmanager-demo-1/helm/helm-values.yaml new file mode 100644 index 0000000..bffda75 --- /dev/null +++ b/certmanager/certmanager-demo-1/helm/helm-values.yaml @@ -0,0 +1,4 @@ +installCRDs: true +extraArgs: + - --dns01-recursive-nameservers-only + - --dns01-recursive-nameservers=1.1.1.1:53,1.0.0.1:53 diff --git a/certmanager/certmanager-demo-1/kubernetes/clusterissuer.yaml b/certmanager/certmanager-demo-1/kubernetes/clusterissuer.yaml new file mode 100644 index 0000000..23cceff --- /dev/null +++ b/certmanager/certmanager-demo-1/kubernetes/clusterissuer.yaml @@ -0,0 +1,17 @@ +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: certmanager-demo-1-clusterissuer +spec: + acme: + email: info@clcreative.de + server: https://acme-v02.api.letsencrypt.org/directory + privateKeySecretRef: + name: certmanager-demo-1-clusterissuer-account-key + solvers: + - dns01: + cloudflare: + email: info@clcreative.de + apiTokenSecretRef: + name: certmanager-demo-1-token + key: api-token diff --git a/certmanager/certmanager-demo-2/helm/helm-values.yaml b/certmanager/certmanager-demo-2/helm/helm-values.yaml new file mode 100644 index 0000000..440f5b3 
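Review bot: cadvisor/cadvisor-prod-2/docker-compose.yaml is a byte-identical copy of the prod-1 file (same blob 170a84f): `container_name: cadvisor-prod-1`, router keys `cadvisor-prod-1` and a Host rule that still names `cadvisor-prod-1.srv-prod-1.home.clcreative.de`. On srv-prod-2 this publishes the wrong hostname, and prometheus.yaml in this commit scrapes `cadvisor-prod-2.srv-prod-2.home.clcreative.de:443`, which this router will not match. Rename the container, the router keys and the Host rule to `cadvisor-prod-2` / `srv-prod-2`.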
--- /dev/null +++ b/certmanager/certmanager-demo-2/helm/helm-values.yaml @@ -0,0 +1,47 @@ +installCRDs: true +extraArgs: + - --dns01-recursive-nameservers-only + - --dns01-recursive-nameservers=1.1.1.1:53,1.0.0.1:53 +resources: + requests: + cpu: 10m + memory: 32Mi + limits: + cpu: 100m + memory: 128Mi +webhook: + resources: + requests: + cpu: 10m + memory: 32Mi + limits: + cpu: 100m + memory: 128Mi + livenessProbe: + failureThreshold: 3 + initialDelaySeconds: 60 + periodSeconds: 10 + successThreshold: 1 + timeoutSeconds: 1 + readinessProbe: + failureThreshold: 3 + initialDelaySeconds: 5 + periodSeconds: 5 + successThreshold: 1 + timeoutSeconds: 1 +cainjector: + resources: + requests: + cpu: 10m + memory: 32Mi + limits: + cpu: 100m + memory: 128Mi +startupapicheck: + resources: + requests: + cpu: 10m + memory: 32Mi + limits: + cpu: 100m + memory: 128Mi \ No newline at end of file diff --git a/certmanager/certmanager-demo-2/kubernetes/clusterissuer.yaml b/certmanager/certmanager-demo-2/kubernetes/clusterissuer.yaml new file mode 100644 index 0000000..69b73f9 --- /dev/null +++ b/certmanager/certmanager-demo-2/kubernetes/clusterissuer.yaml @@ -0,0 +1,17 @@ +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: certmanager-demo-2-clusterissuer +spec: + acme: + email: info@clcreative.de + server: https://acme-v02.api.letsencrypt.org/directory + privateKeySecretRef: + name: certmanager-demo-2-clusterissuer-account-key + solvers: + - dns01: + cloudflare: + email: info@clcreative.de + apiTokenSecretRef: + name: certmanager-demo-2-token + key: api-token diff --git a/certmanager/certmanager-prod-1/helm/helm-values.yaml b/certmanager/certmanager-prod-1/helm/helm-values.yaml new file mode 100644 index 0000000..68e3f1a --- /dev/null +++ b/certmanager/certmanager-prod-1/helm/helm-values.yaml @@ -0,0 +1,4 @@ +installCRDs: true +extraArgs: + - --dns01-recursive-nameservers-only + - --dns01-recursive-nameservers=1.1.1.1:53,1.0.0.1:53 \ No newline at end of file 
diff --git a/certmanager/certmanager-prod-1/kubernetes/clusterissuer.yaml b/certmanager/certmanager-prod-1/kubernetes/clusterissuer.yaml new file mode 100644 index 0000000..eb4de1a --- /dev/null +++ b/certmanager/certmanager-prod-1/kubernetes/clusterissuer.yaml @@ -0,0 +1,17 @@ +apiVersion: cert-manager.io/v1 +kind: ClusterIssuer +metadata: + name: certmanager-prod-1-clusterissuer +spec: + acme: + email: info@clcreative.de + server: https://acme-v02.api.letsencrypt.org/directory + privateKeySecretRef: + name: certmanager-prod-1-clusterissuer-account-key + solvers: + - dns01: + cloudflare: + email: info@clcreative.de + apiTokenSecretRef: + name: certmanager-prod-1-token + key: api-token \ No newline at end of file diff --git a/dns/dns-prod-1/config/home-clcreative-de.zone b/dns/dns-prod-1/config/home-clcreative-de.zone new file mode 100644 index 0000000..f6277e8 --- /dev/null +++ b/dns/dns-prod-1/config/home-clcreative-de.zone @@ -0,0 +1,10 @@ +$ORIGIN . +$TTL 86400 ; 1 day +home.clcreative.de IN SOA ns.home.clcreative.de. home.clcreative.de. ( + 2001062618 ; serial + 3600 ; refresh (1 hour) + 3600 ; retry (1 hour) + 2419200 ; expire (4 weeks) + 3600 ; minimum (1 hour) + ) + NS ns.home.clcreative.de. diff --git a/dns/dns-prod-1/config/named.conf b/dns/dns-prod-1/config/named.conf new file mode 100644 index 0000000..8b89817 --- /dev/null +++ b/dns/dns-prod-1/config/named.conf 
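Review bot: home-clcreative-de.zone delegates with `NS ns.home.clcreative.de.` but contains no A record for `ns`, and none of the Terraform files in this commit create one either, so the zone's own nameserver name does not resolve; add `ns IN A 10.20.0.19` if that is the BIND host (it is the update server in `_provider.tf`), or confirm it is provisioned elsewhere. The serial `2001062618` is a 2001 date-encoded value; named will bump it on dynamic updates, but starting from the current date keeps journal and secondary comparisons sane. The zone file is also rewritten by named at runtime, so pushing it via the scp workflow with `overwrite: true` will clobber dynamically added records and desync the journal unless the zone is frozen first (`rndc freeze` / `rndc thaw`).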
@@ -0,0 +1,40 @@ +include "/etc/bind/named.conf.key"; + +controls { + inet 127.0.0.1 port 953 + allow { 127.0.0.1; } keys { "tsig-key"; }; +}; + +acl docker-1 { + 172.17.0.0/16; + 172.18.0.0/16; + 172.19.0.0/16; + 172.20.0.0/16; + 172.21.0.0/16; + 172.22.0.0/16; + 172.23.0.0/16; + 172.24.0.0/16; + 172.25.0.0/16; +}; + +acl dmz-prod-1 { + 10.20.0.0/16; +}; + +acl lan-prod-1 { + 10.10.0.0/16; +}; + +options { + forwarders { + 1.1.1.1; + 1.0.0.1; + }; + allow-query { 127.0.0.1; docker-1; lan-prod-1; dmz-prod-1; }; +}; + +zone "home.clcreative.de" IN { + type master; + file "/etc/bind/home-clcreative-de.zone"; + update-policy { grant tsig-key zonesub any; }; +}; diff --git a/dns/dns-prod-1/config/rndc.conf b/dns/dns-prod-1/config/rndc.conf new file mode 100644 index 0000000..cd9dd1d --- /dev/null +++ b/dns/dns-prod-1/config/rndc.conf @@ -0,0 +1,7 @@ +include "/etc/bind/named.conf.key"; + +options { + default-key "tsig-key"; + default-server 127.0.0.1; + default-port 953; +}; diff --git a/dns/dns-prod-1/docker-compose.yaml b/dns/dns-prod-1/docker-compose.yaml new file mode 100644 index 0000000..45ac190 --- /dev/null +++ b/dns/dns-prod-1/docker-compose.yaml @@ -0,0 +1,12 @@ +--- +services: + bind9: + container_name: dns-prod-1 + image: ubuntu/bind9:9.18-23.04_edge + environment: + - BIND9_USER=root + - TZ=Europe/Berlin + volumes: + - ./config/:/etc/bind:rw + network_mode: host + restart: unless-stopped diff --git a/dns/dns-prod-1/terraform/_provider.tf b/dns/dns-prod-1/terraform/_provider.tf new file mode 100644 index 0000000..f745f57 --- /dev/null +++ b/dns/dns-prod-1/terraform/_provider.tf 
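Review bot: named.conf uses the single `tsig-key` both for the `controls` channel (`keys { "tsig-key"; }`) and for dynamic updates (`update-policy { grant tsig-key zonesub any; }`), so the secret exported to the CI runner and Terraform Cloud as `TF_VAR_TSIG_KEY_HOME` is also the rndc control key; generate a separate key for `controls` and rndc.conf so a leak of the update key cannot reconfigure or stop the server. `zonesub any` lets the holder create or delete any record type in the zone; if Terraform only manages A records, `grant tsig-key zonesub A;` is a tighter policy. No secondaries are configured, so an explicit `allow-transfer { none; };` in `options` avoids depending on the version-specific default.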
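Review bot: dns-prod-1/docker-compose.yaml sets `BIND9_USER=root` and `network_mode: host`, so the resolver runs as root in the host network namespace with the config directory mounted `rw`; if the ubuntu/bind9 image's non-root `bind` user works for this setup, prefer it and document any reason root is required. With host networking the `controls { inet 127.0.0.1 port 953 ... }` channel in named.conf is reachable from every process on the host, which is one more reason to keep the rndc key separate from the update key.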
@@ -0,0 +1,31 @@ +terraform { + required_version = ">= 0.13.0" + + required_providers { + dns = { + source = "hashicorp/dns" + version = "3.2.3" + } + } + cloud { + organization = "clcreative" + + workspaces { + name = "dns-prod-1" + } + } +} + +variable "TSIG_KEY_HOME" { + type = string + sensitive = true +} + +provider "dns" { + update { + server = "10.20.0.19" + key_name = "tsig-key." + key_algorithm = "hmac-sha256" + key_secret = var.TSIG_KEY_HOME + } +} diff --git a/dns/dns-prod-1/terraform/apps.tf b/dns/dns-prod-1/terraform/apps.tf new file mode 100644 index 0000000..9fefd69 --- /dev/null +++ b/dns/dns-prod-1/terraform/apps.tf @@ -0,0 +1,8 @@ +resource "dns_a_record_set" "db_prod_1" { + zone = "home.clcreative.de." + name = "db-prod-1" + addresses = [ + "10.20.0.3" + ] + ttl = 3600 +} \ No newline at end of file diff --git a/dns/dns-prod-1/terraform/eval.tf b/dns/dns-prod-1/terraform/eval.tf new file mode 100644 index 0000000..e69de29 diff --git a/dns/dns-prod-1/terraform/infra.tf b/dns/dns-prod-1/terraform/infra.tf new file mode 100644 index 0000000..63fa798 --- /dev/null +++ b/dns/dns-prod-1/terraform/infra.tf 
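Review bot: `_provider.tf` declares `required_version = ">= 0.13.0"` but also uses a `cloud {}` block, which only exists in Terraform 1.1 and later, so the constraint should read `required_version = ">= 1.1.0"`. The `cloud` block also means runs execute remotely in HCP Terraform by default, and a remote runner cannot reach the private update server `10.20.0.19`; this only works if the `dns-prod-1` workspace is set to local (CLI-driven) or agent execution, which is worth stating in a comment next to the block. `key_secret` is correctly fed from a `sensitive` variable, but the resulting state is stored in that remote workspace, so access to the workspace should be restricted accordingly.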
@@ -0,0 +1,62 @@ +resource "dns_a_record_set" "fw_demo_1" { + zone = "home.clcreative.de." + name = "fw-demo-1" + addresses = [ + "10.20.3.2" + ] + ttl = 3600 +} + +resource "dns_a_record_set" "fw_demo_2" { + zone = "home.clcreative.de." + name = "fw-demo-2" + addresses = [ + "10.20.3.3" + ] + ttl = 3600 +} + +resource "dns_a_record_set" "fw_prod_1" { + zone = "home.clcreative.de." + name = "fw-prod-1" + addresses = [ + "10.20.0.1" + ] + ttl = 3600 +} + +resource "dns_a_record_set" "prx_prod_1" { + zone = "home.clcreative.de." + name = "prx-prod-1" + addresses = [ + "10.20.0.4" + ] + ttl = 3600 +} + +resource "dns_a_record_set" "prx_prod_2" { + zone = "home.clcreative.de." + name = "prx-prod-2" + addresses = [ + "10.20.0.5" + ] + ttl = 3600 +} + +resource "dns_a_record_set" "nas_prod_1" { + zone = "home.clcreative.de." + name = "nas-prod-1" + addresses = [ + "10.20.0.6" + ] + ttl = 3600 +} + +resource "dns_a_record_set" "sw_prod_1" { + zone = "home.clcreative.de." + name = "sw-prod-1" + addresses = [ + "10.50.0.14" + ] + ttl = 3600 +} diff --git a/dns/dns-prod-1/terraform/kubernetes.tf b/dns/dns-prod-1/terraform/kubernetes.tf new file mode 100644 index 0000000..828cfad --- /dev/null +++ b/dns/dns-prod-1/terraform/kubernetes.tf 
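Review bot: infra.tf is seven near-identical `dns_a_record_set` blocks differing only in `name` and one address, and kubernetes.tf and server.tf repeat the same pattern; a single resource with `for_each` over a name-to-address map keeps the zone, TTL and shape in one place and makes a missing or duplicated host obvious. Converting existing resources changes their addresses in state, so each one needs a `moved { from = dns_a_record_set.fw_demo_1 to = dns_a_record_set.infra["fw-demo-1"] }` block (or `terraform state mv`) to avoid a delete/recreate of live DNS records.
```hcl
locals {
  infra_records = {
    "fw-demo-1"  = "10.20.3.2"
    "fw-demo-2"  = "10.20.3.3"
    "fw-prod-1"  = "10.20.0.1"
    "prx-prod-1" = "10.20.0.4"
    "prx-prod-2" = "10.20.0.5"
    "nas-prod-1" = "10.20.0.6"
    "sw-prod-1"  = "10.50.0.14"
  }
}

resource "dns_a_record_set" "infra" {
  for_each  = local.infra_records
  zone      = "home.clcreative.de."
  name      = each.key
  addresses = [each.value]
  ttl       = 3600
}
```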
@@ -0,0 +1,62 @@ +resource "dns_a_record_set" "kube_demo_1_lb" { + zone = "home.clcreative.de." + name = "kube-demo-1" + addresses = [ + "10.20.5.1" + ] + ttl = 3600 +} + +resource "dns_a_record_set" "kube_demo_1_lb_wildcard" { + zone = "home.clcreative.de." + name = "*.kube-demo-1" + addresses = [ + "10.20.5.1" + ] + ttl = 3600 +} + +resource "dns_a_record_set" "kube_demo_2_lb" { + zone = "home.clcreative.de." + name = "kube-demo-2" + addresses = [ + "10.20.5.2" + ] + ttl = 3600 +} + +resource "dns_a_record_set" "kube_demo_2_lb_wildcard" { + zone = "home.clcreative.de." + name = "*.kube-demo-2" + addresses = [ + "10.20.5.2" + ] + ttl = 3600 +} + +resource "dns_a_record_set" "kube_prod_1_lb" { + zone = "home.clcreative.de." + name = "kube-prod-1" + addresses = [ + "10.20.2.1" + ] + ttl = 3600 +} + +resource "dns_a_record_set" "kube_prod_1_lb_wildcard" { + zone = "home.clcreative.de." + name = "*.kube-prod-1" + addresses = [ + "10.20.2.1" + ] + ttl = 3600 +} + +resource "dns_a_record_set" "nas_prod_1_lb_wildcard" { + zone = "home.clcreative.de." + name = "*.nas-prod-1" + addresses = [ + "10.20.2.3" + ] + ttl = 3600 +} diff --git a/dns/dns-prod-1/terraform/server.tf b/dns/dns-prod-1/terraform/server.tf new file mode 100644 index 0000000..f8fe768 --- /dev/null +++ b/dns/dns-prod-1/terraform/server.tf 
@@ -0,0 +1,118 @@ +resource "dns_a_record_set" "srv_prod_1" { + zone = "home.clcreative.de." + name = "srv-prod-1" + addresses = ["10.20.0.2"] + ttl = 3600 +} + +resource "dns_a_record_set" "srv_prod_1_wildcard" { + zone = "home.clcreative.de." + name = "*.srv-prod-1" + addresses = ["10.20.0.2"] + ttl = 3600 +} + +resource "dns_a_record_set" "srv_prod_2" { + zone = "home.clcreative.de." + name = "srv-prod-2" + addresses = ["10.20.0.3"] + ttl = 3600 +} + +resource "dns_a_record_set" "srv_prod_2_wildcard" { + zone = "home.clcreative.de." + name = "*.srv-prod-2" + addresses = ["10.20.0.3"] + ttl = 3600 +} + +resource "dns_a_record_set" "srv_prod_3" { + zone = "home.clcreative.de." + name = "srv-prod-3" + addresses = ["10.20.0.15"] + ttl = 3600 +} + +resource "dns_a_record_set" "srv_prod_4" { + zone = "home.clcreative.de." + name = "srv-prod-4" + addresses = ["10.20.0.16"] + ttl = 3600 +} + +resource "dns_a_record_set" "srv_prod_5" { + zone = "home.clcreative.de." + name = "srv-prod-5" + addresses = ["10.20.0.17"] + ttl = 3600 +} + +resource "dns_a_record_set" "srv_prod_6" { + zone = "home.clcreative.de." + name = "srv-prod-6" + addresses = ["10.20.0.18"] + ttl = 3600 +} + +resource "dns_a_record_set" "srv_prod_7" { + zone = "home.clcreative.de." + name = "srv-prod-7" + addresses = ["10.20.0.19"] + ttl = 3600 +} + +resource "dns_a_record_set" "srv_prod_7_wildcard" { + zone = "home.clcreative.de." + name = "*.srv-prod-7" + addresses = ["10.20.0.19"] + ttl = 3600 +} + +resource "dns_a_record_set" "srv_demo_1" { + zone = "home.clcreative.de." + name = "srv-demo-1" + addresses = ["10.20.3.1"] + ttl = 3600 +} + +resource "dns_a_record_set" "srv_demo_1_wildcard" { + zone = "home.clcreative.de." + name = "*.srv-demo-1" + addresses = ["10.20.3.1"] + ttl = 3600 +} + +resource "dns_a_record_set" "srv_demo_2" { + zone = "home.clcreative.de." 
+ name = "srv-demo-2" + addresses = ["10.20.3.4"] + ttl = 3600 +} + +resource "dns_a_record_set" "srv_demo_3" { + zone = "home.clcreative.de." + name = "srv-demo-3" + addresses = ["10.20.3.5"] + ttl = 3600 +} + +resource "dns_a_record_set" "srv_demo_4" { + zone = "home.clcreative.de." + name = "srv-demo-4" + addresses = ["10.20.3.6"] + ttl = 3600 +} + +resource "dns_a_record_set" "srv_demo_5" { + zone = "home.clcreative.de." + name = "srv-demo-5" + addresses = ["10.20.3.7"] + ttl = 3600 +} + +resource "dns_a_record_set" "srv_demo_6" { + zone = "home.clcreative.de." + name = "srv-demo-6" + addresses = ["10.20.3.8"] + ttl = 3600 +} diff --git a/grafana/grafana-prod-1/docker-compose.yaml b/grafana/grafana-prod-1/docker-compose.yaml new file mode 100644 index 0000000..e5bdd42 --- /dev/null +++ b/grafana/grafana-prod-1/docker-compose.yaml @@ -0,0 +1,24 @@ +--- +networks: + frontend: + external: true +volumes: + grafana-data: + driver: local +services: + grafana: + image: grafana/grafana-oss:10.1.1 + container_name: grafana-prod-1 + volumes: + - grafana-data:/var/lib/grafana + labels: + - traefik.enable=true + - traefik.http.routers.grafana-prod-1-http.entrypoints=web + - traefik.http.routers.grafana-prod-1-http.rule=Host(`grafana-prod-1.srv-prod-1.home.clcreative.de`) + - traefik.http.routers.grafana-prod-1-https.entrypoints=websecure + - traefik.http.routers.grafana-prod-1-https.rule=Host(`grafana-prod-1.srv-prod-1.home.clcreative.de`) + - traefik.http.routers.grafana-prod-1-https.tls=true + - traefik.http.routers.grafana-prod-1-https.tls.certresolver=cloudflare + networks: + - frontend + restart: unless-stopped diff --git a/homeassistant/homeassistant-prod-1/config/configuration.yaml b/homeassistant/homeassistant-prod-1/config/configuration.yaml new file mode 100644 index 0000000..68dcbf2 --- /dev/null +++ b/homeassistant/homeassistant-prod-1/config/configuration.yaml 
@@ -0,0 +1,23 @@ +# Loads default set of integrations. Do not remove. +default_config: + +# Load frontend themes from the themes folder +# frontend: +# themes: !include_dir_merge_named themes + +# Text to speech +tts: + - platform: google_translate + +automation: !include automations.yaml +script: !include scripts.yaml +scene: !include scenes.yaml + +http: + use_x_forwarded_for: true + trusted_proxies: + - 172.19.0.0/16 + +wake_on_lan: + +zha: diff --git a/homeassistant/homeassistant-prod-1/docker-compose.yaml b/homeassistant/homeassistant-prod-1/docker-compose.yaml new file mode 100644 index 0000000..61475f0 --- /dev/null +++ b/homeassistant/homeassistant-prod-1/docker-compose.yaml @@ -0,0 +1,25 @@ +--- +networks: + frontend: + external: true +services: + homeassistant: + container_name: homeassistant-prod-1 + image: "ghcr.io/home-assistant/home-assistant:2023.6" + volumes: + - ./config:/config + - /etc/localtime:/etc/localtime:ro + devices: + - /dev/ttyACMO + privileged: true + labels: + traefik.enable: "true" + traefik.http.services.homeassistant-prod-1.loadbalancer.server.port: "8123" + traefik.http.services.homeassistant-prod-1.loadbalancer.server.scheme: "http" + traefik.http.routers.homeassistant-prod-1-https.entrypoints: "websecure" + traefik.http.routers.homeassistant-prod-1-https.rule: "Host(`homeassistant-prod-1.srv-prod-7.home.clcreative.de`)" + traefik.http.routers.homeassistant-prod-1-https.tls: "true" + traefik.http.routers.homeassistant-prod-1-https.tls.certresolver: "cloudflare" + networks: + - frontend + restart: unless-stopped diff --git a/homer/homer-prod-1/config/config.yml b/homer/homer-prod-1/config/config.yml index e2f4c41..3189bba 100644 --- a/homer/homer-prod-1/config/config.yml +++ b/homer/homer-prod-1/config/config.yml @@ -138,4 +138,4 @@ services: icon: "fa-solid fa-virus-covid" subtitle: "Kubernetes Compliance and Security" url: "https://cloud.armosec.io/" - target: "_blank" \ No newline at end of file + target: "_blank" 
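Review bot: `http.trusted_proxies` in configuration.yaml trusts the whole `172.19.0.0/16` range with `use_x_forwarded_for: true`, so any container that lands on that Docker network can set `X-Forwarded-For` and spoof the client address Home Assistant records for login attempts and IP bans; narrow it to the Traefik container's address, e.g. by giving Traefik a static address on the external `frontend` network this compose file joins. `wake_on_lan:` and `zha:` are bare keys that parse as `null`; Home Assistant accepts that, but `wake_on_lan: {}` / `zha: {}` makes the intent explicit and keeps yamllint's `empty-values` quiet.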
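Review bot: `devices: - /dev/ttyACMO` in homeassistant-prod-1/docker-compose.yaml ends with the letter O, not the digit 0; the Linux ACM serial device is `/dev/ttyACM0`, so the ZHA coordinator is not passed through and the container will fail to start while the host path is missing. With the device mapped explicitly, `privileged: true` is likely unnecessary — the usual pattern is the `devices:` entry alone, optionally with `group_add` for the dialout group; confirm and drop the privileged flag. The image tag `2023.6` is a floating minor; pinning a specific patch release gives reproducible deploys.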
diff --git a/homer/homer-prod-1/config/custom.css b/homer/homer-prod-1/config/custom.css new file mode 100644 index 0000000..2044e8d --- /dev/null +++ b/homer/homer-prod-1/config/custom.css @@ -0,0 +1,47 @@ +.first-line { + background: -moz-linear-gradient(0deg, rgba(0,0,0,0) 0%, rgba(0,0,0,0.80) 100%); +background: -webkit-linear-gradient(0deg, rgba(0,0,0,0) 0%, rgba(0,0,0,0.80) 100%); +background: linear-gradient(0deg, rgba(0,0,0,0) 0%, rgba(0,0,0,0.80) 100%); +} + +.logo a img{ + border-radius: 50%; +} + +.dashboard-title span { + display: none; +} + +.dashboard-title h1 { + padding: 16px; + font-weight: bold; + color: #ffffffd0; +} + + +.card-content .image { + background: -moz-linear-gradient(45deg, #E624FF 0%, #1BE1FF 100%); + background: -webkit-linear-gradient(45deg, #E624FF 0%, #1BE1FF 100%); + background: linear-gradient(45deg, #E624FF 0%, #1BE1FF 100%); + -webkit-background-clip: text; + -moz-background-clip: text; + background-clip: text; + -webkit-text-fill-color: transparent; +} + +.card-content i { + display: inline; +} + +body #main-section .container { + box-shadow: 0 2px 15px 0 var(--card-shadow); + padding: 40px 40px 40px 40px; + background-blend-mode: darken; + background-color: #00000090; + border-radius: 20px; + margin: 24px auto 0px auto; +} + +.container-fluid { + margin-top: -86px; +} diff --git a/homer/homer-prod-1/kubernetes/application.yaml b/homer/homer-prod-1/kubernetes/application.yaml index 3503b34..7c75d8e 100644 --- a/homer/homer-prod-1/kubernetes/application.yaml +++ b/homer/homer-prod-1/kubernetes/application.yaml @@ -9,7 +9,7 @@ spec: server: 'https://kubernetes.default.svc' source: path: homer/homer-prod-1/argo - repoURL: 'git@github.com:christianlempa/homelab' + repoURL: 'https://github.com/christianlempa/homelab' targetRevision: HEAD project: default syncPolicy: diff --git a/metallb/metallb-demo-1/helm/helm-values.yml b/metallb/metallb-demo-1/helm/helm-values.yml new file mode 100644 index 0000000..ae1da9c --- /dev/null 
+++ b/metallb/metallb-demo-1/helm/helm-values.yml @@ -0,0 +1,5 @@ +rbac: + create: true +prometheus: + enabled: false +resources: {} diff --git a/metallb/metallb-demo-1/kubernetes/ipaddresspool.yml b/metallb/metallb-demo-1/kubernetes/ipaddresspool.yml new file mode 100644 index 0000000..eced5df --- /dev/null +++ b/metallb/metallb-demo-1/kubernetes/ipaddresspool.yml @@ -0,0 +1,8 @@ +apiVersion: metallb.io/v1beta1 +kind: IPAddressPool +metadata: + name: metallb-demo-1-ipaddresspool + namespace: metallb-system +spec: + addresses: + - 10.20.5.3/32 # IP address for traefik-demo-3 diff --git a/metallb/metallb-demo-1/kubernetes/l2advertisement.yml b/metallb/metallb-demo-1/kubernetes/l2advertisement.yml new file mode 100644 index 0000000..d98047a --- /dev/null +++ b/metallb/metallb-demo-1/kubernetes/l2advertisement.yml @@ -0,0 +1,8 @@ +apiVersion: metallb.io/v1beta1 +kind: L2Advertisement +metadata: + name: metallb-demo-1-l2advertisement + namespace: metallb-system +spec: + ipAddressPools: + - metallb-demo-1-ipaddresspool diff --git a/metallb/metallb-prod-1/helm/helm-values.yaml b/metallb/metallb-prod-1/helm/helm-values.yaml new file mode 100644 index 0000000..ae1da9c --- /dev/null +++ b/metallb/metallb-prod-1/helm/helm-values.yaml @@ -0,0 +1,5 @@ +rbac: + create: true +prometheus: + enabled: false +resources: {} diff --git a/metallb/metallb-prod-1/kubernetes/ipaddresspool.yaml b/metallb/metallb-prod-1/kubernetes/ipaddresspool.yaml new file mode 100644 index 0000000..78832e3 --- /dev/null +++ b/metallb/metallb-prod-1/kubernetes/ipaddresspool.yaml @@ -0,0 +1,8 @@ +apiVersion: metallb.io/v1beta1 +kind: IPAddressPool +metadata: + name: metallb-prod-1-ipaddresspool + namespace: metallb-system +spec: + addresses: + - 10.20.2.2/32 # IP address for traefik-prod-3 diff --git a/metallb/metallb-prod-1/kubernetes/l2advertisement.yaml b/metallb/metallb-prod-1/kubernetes/l2advertisement.yaml new file mode 100644 index 0000000..efce11e --- /dev/null 
+++ b/metallb/metallb-prod-1/kubernetes/l2advertisement.yaml @@ -0,0 +1,8 @@ +apiVersion: metallb.io/v1beta1 +kind: L2Advertisement +metadata: + name: metallb-prod-1-l2advertisement + namespace: metallb-system +spec: + ipAddressPools: + - metallb-prod-1-ipaddresspool diff --git a/passbolt/passbolt-demo-1/docker-compose.yaml b/passbolt/passbolt-demo-1/docker-compose.yaml new file mode 100644 index 0000000..ded5489 --- /dev/null +++ b/passbolt/passbolt-demo-1/docker-compose.yaml 
@@ -0,0 +1,53 @@ +--- +networks: + frontend: + external: true + backend: + external: true +volumes: + vol-1: + driver: local + driver_opts: + type: nfs + o: addr=nas-prod-1.home.clcreative.de,rw,vers=4.1 + device: ":/mnt/store/app-pv/passbolt-demo-1-vol-1" + vol-2: + driver: local + driver_opts: + type: nfs + o: addr=nas-prod-1.home.clcreative.de,rw,vers=4.1 + device: ":/mnt/store/app-pv/passbolt-demo-1-vol-2" +services: + passbolt: + container_name: passbolt-demo-1 + image: passbolt/passbolt:4.2.0-1-ce + environment: + - APP_FULL_BASE_URL=https://passbolt-demo-1.srv-prod-1.home.clcreative.de + - DATASOURCES_DEFAULT_HOST=db-prod-1.home.clcreative.de + - DATASOURCES_DEFAULT_USERNAME=passbolt-demo-1-user + - DATASOURCES_DEFAULT_PASSWORD=${DATASOURCES_DEFAULT_PASSWORD} + - DATASOURCES_DEFAULT_DATABASE=passbolt_demo_1_db + - EMAIL_TRANSPORT_DEFAULT_HOST=smtp.office365.com + - EMAIL_TRANSPORT_DEFAULT_PORT=587 + - EMAIL_TRANSPORT_DEFAULT_USERNAME=${EMAIL_TRANSPORT_DEFAULT_USERNAME} + - EMAIL_TRANSPORT_DEFAULT_PASSWORD=${EMAIL_TRANSPORT_DEFAULT_PASSWORD} + - EMAIL_TRANSPORT_DEFAULT_TLS=true + - EMAIL_DEFAULT_FROM=${EMAIL_DEFAULT_FROM} + volumes: + - vol-1:/etc/passbolt/gpg + - vol-2:/etc/passbolt/jwt + command: ["/usr/bin/wait-for.sh", "-t", "0", "db-prod-1.home.clcreative.de:3306", "--", "/docker-entrypoint.sh"] + labels: + traefik.enable: "true" + traefik.http.routers.passbolt-http.entrypoints: "web" + traefik.http.routers.passbolt-http.rule: "Host(`passbolt-demo-1.srv-prod-1.home.clcreative.de`)" + traefik.http.routers.passbolt-http.middlewares: "passbolt-demo-1-middleware@file" + traefik.http.routers.passbolt-https.middlewares: "passbolt-demo-1-middleware@file" + traefik.http.routers.passbolt-https.entrypoints: "websecure" + traefik.http.routers.passbolt-https.rule: "Host(`passbolt-demo-1.srv-prod-1.home.clcreative.de`)" + traefik.http.routers.passbolt-https.tls: "true" + traefik.http.routers.passbolt-https.tls.certresolver: "cloudflare" + networks: + - frontend + - 
backend + restart: unless-stopped diff --git a/prometheus/prometheus-prod-1/config/prometheus.yaml b/prometheus/prometheus-prod-1/config/prometheus.yaml new file mode 100644 index 0000000..501eb0d --- /dev/null +++ b/prometheus/prometheus-prod-1/config/prometheus.yaml 
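Review bot: The Traefik router keys in passbolt-demo-1/docker-compose.yaml are `passbolt-http`/`passbolt-https` rather than `passbolt-demo-1-http`/`-https` like every other service in this commit, so a second passbolt instance on the same Traefik would collide with and override these routers; rename them to include the instance. The `passbolt-http` router on `web` serves the site over plain HTTP with the same headers middleware, which sets HSTS but cannot enforce it on an HTTP response — if the prod Traefik redirects `web` to `websecure` as traefik-demo-1/config/traefik.yaml does, that router can go. The GPG server key and JWT key live on NFS volumes mounted with `vers=4.1` and no `sec=` option, so they cross the network unencrypted and are readable by any host the NAS exports to; confirm the export is restricted to srv-prod-1 or use a local volume for `/etc/passbolt/gpg`.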
@@ -0,0 +1,74 @@ +global: + scrape_interval: 15s # By default, scrape targets every 15 seconds. + + # Attach these labels to any time series or alerts when communicating with + # external systems (federation, remote storage, Alertmanager). + # external_labels: + # monitor: 'codelab-monitor' + +# A scrape configuration containing exactly one endpoint to scrape: +# Here it's Prometheus itself. +scrape_configs: + # The job name is added as a label `job=` to any timeseries scraped from this config. + - job_name: 'prometheus-prod-1' + # Override the global default and scrape targets from this job every 5 seconds. + scrape_interval: 5s + static_configs: + - targets: ['localhost:9090'] + + # Scrape Docker Server in Production + - job_name: 'cadvisor-prod-1' + scrape_interval: 5s + static_configs: + - targets: [cadvisor-prod-1:8080] + + - job_name: 'cadvisor-prod-2' + scheme: https + tls_config: + insecure_skip_verify: true + scrape_interval: 5s + static_configs: + - targets: [cadvisor-prod-2.srv-prod-2.home.clcreative.de:443] + + + # Scrape Production Servers + - job_name: 'srv-prod-1' + scrape_interval: 15s + static_configs: + - targets: [srv-prod-1.home.clcreative.de:9100] + + - job_name: 'srv-prod-2' + scrape_interval: 15s + static_configs: + - targets: [srv-prod-2.home.clcreative.de:9100] + + - job_name: 'srv-prod-3' + scrape_interval: 15s + static_configs: + - targets: [srv-prod-3.home.clcreative.de:9100] + + - job_name: 'srv-prod-4' + scrape_interval: 15s + static_configs: + - targets: [srv-prod-4.home.clcreative.de:9100] + + - job_name: 'srv-prod-5' + scrape_interval: 15s + static_configs: + - targets: [srv-prod-5.home.clcreative.de:9100] + + - job_name: 'srv-prod-6' + scrape_interval: 15s + static_configs: + - targets: [srv-prod-6.home.clcreative.de:9100] + + + # Example job for node_exporter + # - job_name: 'node_exporter' + # static_configs: + # - targets: ['node_exporter:9100'] + + # Example job for cadvisor + # - job_name: 'cadvisor' + # static_configs: + # - 
targets: ['cadvisor:8080'] diff --git a/prometheus/prometheus-prod-1/docker-compose.yaml b/prometheus/prometheus-prod-1/docker-compose.yaml new file mode 100644 index 0000000..2c73b08 --- /dev/null +++ b/prometheus/prometheus-prod-1/docker-compose.yaml @@ -0,0 +1,29 @@ +--- +networks: + frontend: + external: true + backend: + external: true +volumes: + prometheus-data: + driver: local +services: + prometheus: + image: prom/prometheus:v2.37.9 + container_name: prometheus-prod-1 + command: "--config.file=/etc/prometheus/prometheus.yaml" + volumes: + - ./config/prometheus.yaml:/etc/prometheus/prometheus.yaml:ro + - prometheus-data:/prometheus + labels: + - traefik.enable=true + - traefik.http.routers.prometheus-prod-1-http.entrypoints=web + - traefik.http.routers.prometheus-prod-1-http.rule=Host(`prometheus-prod-1.srv-prod-1.home.clcreative.de`) + - traefik.http.routers.prometheus-prod-1-https.entrypoints=websecure + - traefik.http.routers.prometheus-prod-1-https.rule=Host(`prometheus-prod-1.srv-prod-1.home.clcreative.de`) + - traefik.http.routers.prometheus-prod-1-https.tls=true + - traefik.http.routers.prometheus-prod-1-https.tls.certresolver=cloudflare + networks: + - frontend + - backend + restart: unless-stopped diff --git a/traefik/traefik-demo-1/config/conf/headers.yml b/traefik/traefik-demo-1/config/conf/headers.yml new file mode 100644 index 0000000..5a9a3e9 --- /dev/null +++ b/traefik/traefik-demo-1/config/conf/headers.yml 
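Review bot: The `cadvisor-prod-2` job in prometheus.yaml sets `tls_config.insecure_skip_verify: true` although the target is served through Traefik with a publicly trusted `cloudflare` ACME certificate, so verification should succeed; drop the override so a spoofed endpoint cannot feed metrics. That job expects `cadvisor-prod-2.srv-prod-2.home.clcreative.de`, but the cadvisor-prod-2 compose file in this commit still advertises the prod-1 hostname, so it will stay down until that file is fixed. The `scrape_interval: 15s` repeated on every `srv-prod-*` job equals the global default and can be omitted.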
@@ -0,0 +1,20 @@ +http: + middlewares: + passbolt-demo-1-middleware: + headers: + FrameDeny: true + AccessControlAllowMethods: 'GET,OPTIONS,PUT' + AccessControlAllowOriginList: + - origin-list-or-null + AccessControlMaxAge: 100 + AddVaryHeader: true + BrowserXssFilter: true + ContentTypeNosniff: true + ForceSTSHeader: true + STSIncludeSubdomains: true + STSPreload: true + ContentSecurityPolicy: default-src 'self' 'unsafe-inline' + CustomFrameOptionsValue: SAMEORIGIN + ReferrerPolicy: same-origin + PermissionsPolicy: vibrate 'self' + STSSeconds: 315360000 diff --git a/traefik/traefik-demo-1/config/conf/tls.yml b/traefik/traefik-demo-1/config/conf/tls.yml new file mode 100644 index 0000000..20c4d03 --- /dev/null +++ b/traefik/traefik-demo-1/config/conf/tls.yml @@ -0,0 +1,12 @@ +tls: + options: + default: + minVersion: VersionTLS12 + sniStrict: true + curvePreferences: + - CurveP521 + - CurveP384 + cipherSuites: + - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 + - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 + - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 diff --git a/traefik/traefik-demo-1/config/traefik.yaml b/traefik/traefik-demo-1/config/traefik.yaml new file mode 100644 index 0000000..22d7715 --- /dev/null +++ b/traefik/traefik-demo-1/config/traefik.yaml 
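Review bot: `AccessControlAllowOriginList: - origin-list-or-null` is the placeholder text from the Traefik documentation rather than an origin, so the CORS allow-list is misconfigured; replace it with the concrete origin(s) this middleware serves (`- 'https://<app-host>'`, placeholder). `PermissionsPolicy: vibrate 'self'` uses the old Feature-Policy grammar; the Permissions-Policy header expects `vibrate=(self)`, and `vibrate` may no longer be a recognised feature at all, so the directive is likely a no-op. `ContentSecurityPolicy: default-src 'self' 'unsafe-inline'` permits inline scripts, which removes most of the XSS protection a CSP is added for, and `BrowserXssFilter` emits a header current browsers ignore. The identical file is added again as `traefik/traefik-prod-1/config/conf/headers.yml` with the same issues.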
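Review bot: The `cipherSuites` list contains only `TLS_ECDHE_ECDSA_*` suites, so this default TLS option can complete a TLS 1.2 handshake only with an ECDSA certificate; that matches `keyType: EC256` in the accompanying `traefik.yaml`, but an RSA certificate added later (or a changed `keyType`) would fail every handshake with no hint in this file. A comment above the list such as `# ECDSA-only suites: the ACME keyType in traefik.yaml must stay EC` would make the coupling explicit. Go does not let these suites apply to TLS 1.3, so the list only constrains TLS 1.2 clients; `minVersion: VersionTLS12` and `sniStrict: true` are good choices. The same file is added as `traefik/traefik-prod-1/config/conf/tls.yml`.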
@@ -0,0 +1,48 @@ +global: + checkNewVersion: false + sendAnonymousUsage: false + +log: + level: DEBUG + +api: + dashboard: true + insecure: true + debug: false + +entryPoints: + web: + address: :80 + http: + redirections: + entryPoint: + to: websecure + scheme: https + websecure: + address: :443 + +certificatesResolvers: + cloudflare: + acme: + email: "info@clcreative.de" + storage: /etc/traefik/certs/cloudflare-acme.json + caServer: 'https://acme-v02.api.letsencrypt.org/directory' + keyType: EC256 + dnsChallenge: + provider: cloudflare + resolvers: + - "1.1.1.1:53" + - "8.8.8.8:53" + +serversTransport: + insecureSkipVerify: true + +providers: + docker: + exposedByDefault: false + endpoint: 'unix:///var/run/docker.sock' + watch: true + swarmMode: false + file: + directory: /etc/traefik/conf/ + watch: true diff --git a/traefik/traefik-demo-1/docker-compose.yaml b/traefik/traefik-demo-1/docker-compose.yaml new file mode 100644 index 0000000..1e3858a --- /dev/null +++ b/traefik/traefik-demo-1/docker-compose.yaml @@ -0,0 +1,24 @@ +--- +networks: + frontend: + external: true + backend: + external: true +services: + traefik: + container_name: traefik-demo-1 + image: traefik:2.10.4 + ports: + - 80:80 + - 443:443 + volumes: + - /var/run/docker.sock:/var/run/docker.sock:ro + - ./config/traefik.yaml:/etc/traefik/traefik.yaml:ro + - ./config/conf/:/etc/traefik/conf/ + - ./config/certs/:/etc/traefik/certs/ + environment: + - CF_DNS_API_TOKEN=$CF_DNS_API_TOKEN + networks: + - frontend + - backend + restart: unless-stopped diff --git a/traefik/traefik-demo-2/helm-values.yaml b/traefik/traefik-demo-2/helm-values.yaml new file mode 100644 index 0000000..cbb624e --- /dev/null +++ b/traefik/traefik-demo-2/helm-values.yaml 
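Review bot: `api: insecure: true` serves the dashboard and `/api` endpoints on the internal `traefik` entrypoint (port 8080) without any authentication, and `serversTransport: insecureSkipVerify: true` disables certificate verification for every backend Traefik proxies to. The compose file does not publish 8080, but the container joins the shared `frontend` and `backend` networks, so any container on them can reach the unauthenticated API; prefer `insecure: false` plus a dedicated router on `websecure` behind an auth middleware, and scope `insecureSkipVerify` to a per-service `serversTransport` for only the backends that use self-signed certificates. `log: level: DEBUG` is acceptable for a demo but logs request details; the prod variants correctly use `ERROR`. The same `api.insecure` / global `insecureSkipVerify` pattern recurs in `traefik/traefik-prod-1/config/traefik.yaml`, `traefik/traefik-prod-2/config/traefik.yaml` and `traefik/traefik-prod-4/config/traefik.yaml`.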
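Review bot: `./config/conf/` is mounted read-write while the other configuration mounts use `:ro`; the file provider only reads that directory, so `- ./config/conf/:/etc/traefik/conf/:ro` closes one avenue for a compromised container to rewrite its own routing rules. `./config/certs/` must stay writable because ACME writes `cloudflare-acme.json` there, but that file holds the account key and certificate private keys, so it should be excluded from version control and kept at mode 0600 (Traefik itself insists on that). `CF_DNS_API_TOKEN` is correctly taken from the host environment rather than committed; the same compose layout is repeated for traefik-prod-1, traefik-prod-2 and traefik-prod-4.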
@@ -0,0 +1,73 @@ +image: + name: traefik + pullPolicy: IfNotPresent +hub: + enabled: false +deployment: + enabled: true + kind: Deployment + replicas: 1 +ingressClass: + enabled: true + isDefaultClass: true +ingressRoute: + dashboard: + enabled: false + annotations: {} + labels: {} +providers: + kubernetesCRD: + enabled: true + kubernetesIngress: + enabled: true + publishedService: # needed for health check fix + enabled: true # needed for health check fix +logs: + general: + level: ERROR + access: + enabled: false +metrics: + prometheus: + entryPoint: metrics +globalArguments: + - "--global.checknewversion" + - "--global.sendanonymoususage" +ports: + traefik: + port: 9000 + expose: false + exposedPort: 9000 + protocol: TCP + web: + port: 8000 + expose: true + exposedPort: 80 + protocol: TCP + redirectTo: websecure + websecure: + port: 8443 + expose: true + exposedPort: 443 + http3: + enabled: false + tls: + enabled: true + metrics: + port: 9100 + expose: false + exposedPort: 9100 + protocol: TCP +tlsOptions: {} +service: + enabled: true + type: LoadBalancer +autoscaling: + enabled: false +persistence: + enabled: false +certResolvers: {} +podSecurityPolicy: + enabled: false +resources: {} +affinity: {} diff --git a/traefik/traefik-demo-3/helm-values.yaml b/traefik/traefik-demo-3/helm-values.yaml new file mode 100644 index 0000000..cbb624e --- /dev/null +++ b/traefik/traefik-demo-3/helm-values.yaml 
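Review bot: `globalArguments` passes `--global.checknewversion` and `--global.sendanonymoususage` as bare flags, which enables both, so these Kubernetes instances phone home while every docker `traefik.yaml` in this commit sets `checkNewVersion: false` and `sendAnonymousUsage: false`; if the same policy is intended, write `- "--global.checknewversion=false"` and `- "--global.sendanonymoususage=false"` (the two bare entries are the chart's defaults, which is presumably how they got here). `podSecurityPolicy: enabled: false` refers to an API removed in Kubernetes 1.25 and can be dropped on current clusters. `ports.web.redirectTo: websecure` is the older chart schema and newer chart releases expect a mapping form, so pin the chart version this file was written against. The same values file is added as `traefik/traefik-demo-3/helm-values.yaml` and, with `replicas: 3`, `traefik/traefik-prod-3/helm-values.yaml`.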
@@ -0,0 +1,73 @@ +image: + name: traefik + pullPolicy: IfNotPresent +hub: + enabled: false +deployment: + enabled: true + kind: Deployment + replicas: 1 +ingressClass: + enabled: true + isDefaultClass: true +ingressRoute: + dashboard: + enabled: false + annotations: {} + labels: {} +providers: + kubernetesCRD: + enabled: true + kubernetesIngress: + enabled: true + publishedService: # needed for health check fix + enabled: true # needed for health check fix +logs: + general: + level: ERROR + access: + enabled: false +metrics: + prometheus: + entryPoint: metrics +globalArguments: + - "--global.checknewversion" + - "--global.sendanonymoususage" +ports: + traefik: + port: 9000 + expose: false + exposedPort: 9000 + protocol: TCP + web: + port: 8000 + expose: true + exposedPort: 80 + protocol: TCP + redirectTo: websecure + websecure: + port: 8443 + expose: true + exposedPort: 443 + http3: + enabled: false + tls: + enabled: true + metrics: + port: 9100 + expose: false + exposedPort: 9100 + protocol: TCP +tlsOptions: {} +service: + enabled: true + type: LoadBalancer +autoscaling: + enabled: false +persistence: + enabled: false +certResolvers: {} +podSecurityPolicy: + enabled: false +resources: {} +affinity: {} diff --git a/traefik/traefik-prod-1/config/conf/headers.yml b/traefik/traefik-prod-1/config/conf/headers.yml new file mode 100644 index 0000000..5a9a3e9 --- /dev/null +++ b/traefik/traefik-prod-1/config/conf/headers.yml 
@@ -0,0 +1,20 @@ +http: + middlewares: + passbolt-demo-1-middleware: + headers: + FrameDeny: true + AccessControlAllowMethods: 'GET,OPTIONS,PUT' + AccessControlAllowOriginList: + - origin-list-or-null + AccessControlMaxAge: 100 + AddVaryHeader: true + BrowserXssFilter: true + ContentTypeNosniff: true + ForceSTSHeader: true + STSIncludeSubdomains: true + STSPreload: true + ContentSecurityPolicy: default-src 'self' 'unsafe-inline' + CustomFrameOptionsValue: SAMEORIGIN + ReferrerPolicy: same-origin + PermissionsPolicy: vibrate 'self' + STSSeconds: 315360000 diff --git a/traefik/traefik-prod-1/config/conf/tls.yml b/traefik/traefik-prod-1/config/conf/tls.yml new file mode 100644 index 0000000..20c4d03 --- /dev/null +++ b/traefik/traefik-prod-1/config/conf/tls.yml @@ -0,0 +1,12 @@ +tls: + options: + default: + minVersion: VersionTLS12 + sniStrict: true + curvePreferences: + - CurveP521 + - CurveP384 + cipherSuites: + - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256 + - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384 + - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256 diff --git a/traefik/traefik-prod-1/config/traefik.yaml b/traefik/traefik-prod-1/config/traefik.yaml new file mode 100644 index 0000000..11c04d7 --- /dev/null +++ b/traefik/traefik-prod-1/config/traefik.yaml 
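Review bot: The middleware in this production file is still named `passbolt-demo-1-middleware`, so any router on traefik-prod-1 must reference a `demo` name and a later cleanup rename would silently break routing; name it for the service it actually fronts (`<service>-prod-1-middleware`, placeholder). The rest of the file is byte-identical to the demo-1 copy, including the placeholder `origin-list-or-null` origin, the Feature-Policy-style `PermissionsPolicy` value and the `'unsafe-inline'` CSP, so the comments made on `traefik/traefik-demo-1/config/conf/headers.yml` apply here unchanged.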
@@ -0,0 +1,48 @@ +global: + checkNewVersion: false + sendAnonymousUsage: false + +log: + level: ERROR + +api: + dashboard: true + insecure: true + debug: false + +entryPoints: + web: + address: :80 + http: + redirections: + entryPoint: + to: websecure + scheme: https + websecure: + address: :443 + +certificatesResolvers: + cloudflare: + acme: + email: "info@clcreative.de" + storage: /etc/traefik/certs/cloudflare-acme.json + caServer: 'https://acme-v02.api.letsencrypt.org/directory' + keyType: EC256 + dnsChallenge: + provider: cloudflare + resolvers: + - "1.1.1.1:53" + - "8.8.8.8:53" + +serversTransport: + insecureSkipVerify: true + +providers: + docker: + exposedByDefault: false + endpoint: 'unix:///var/run/docker.sock' + watch: true + swarmMode: false + file: + directory: /etc/traefik/conf/ + watch: true diff --git a/traefik/traefik-prod-1/docker-compose.yaml b/traefik/traefik-prod-1/docker-compose.yaml new file mode 100644 index 0000000..71a0e3e --- /dev/null +++ b/traefik/traefik-prod-1/docker-compose.yaml @@ -0,0 +1,24 @@ +--- +networks: + frontend: + external: true + backend: + external: true +services: + traefik: + container_name: traefik-prod-1 + image: traefik:2.10.4 + ports: + - 80:80 + - 443:443 + volumes: + - /var/run/docker.sock:/var/run/docker.sock:ro + - ./config/traefik.yaml:/etc/traefik/traefik.yaml:ro + - ./config/conf/:/etc/traefik/conf/ + - ./config/certs/:/etc/traefik/certs/ + environment: + - CF_DNS_API_TOKEN=$CF_DNS_API_TOKEN + networks: + - frontend + - backend + restart: unless-stopped diff --git a/traefik/traefik-prod-2/config/traefik.yaml b/traefik/traefik-prod-2/config/traefik.yaml new file mode 100644 index 0000000..7122d89 --- /dev/null +++ b/traefik/traefik-prod-2/config/traefik.yaml 
@@ -0,0 +1,53 @@ +global: + checkNewVersion: false + sendAnonymousUsage: false + +log: + level: ERROR + +api: + dashboard: true + insecure: true + debug: false + +entryPoints: + web: + address: :80 + http: + redirections: + entryPoint: + to: websecure + scheme: https + websecure: + address: :443 + +certificatesResolvers: + cloudflare: + acme: + email: "info@clcreative.de" + storage: /etc/traefik/certs/cloudflare-acme.json + caServer: 'https://acme-v02.api.letsencrypt.org/directory' + keyType: EC256 + dnsChallenge: + provider: cloudflare + resolvers: + - "1.1.1.1:53" + - "8.8.8.8:53" + +serversTransport: + insecureSkipVerify: true + +tls: + options: + default: + minVersion: VersionTLS12 + +providers: + docker: + exposedByDefault: false + endpoint: 'unix:///var/run/docker.sock' + watch: true + swarmMode: false + file: + directory: /etc/traefik + watch: true diff --git a/traefik/traefik-prod-2/docker-compose.yaml b/traefik/traefik-prod-2/docker-compose.yaml new file mode 100644 index 0000000..6980023 --- /dev/null +++ b/traefik/traefik-prod-2/docker-compose.yaml @@ -0,0 +1,24 @@ +--- +networks: + frontend: + external: true + backend: + external: true +services: + traefik: + container_name: traefik-prod-2 + image: traefik:2.10.4 + ports: + - 80:80 + - 443:443 + volumes: + - /var/run/docker.sock:/var/run/docker.sock:ro + - ./config/traefik.yaml:/etc/traefik/traefik.yaml:ro + - ./config/conf/:/etc/traefik/conf/ + - ./config/certs/:/etc/traefik/certs/ + environment: + - CF_DNS_API_TOKEN=$CF_DNS_API_TOKEN + networks: + - frontend + - backend + restart: unless-stopped diff --git a/traefik/traefik-prod-3/helm-values.yaml b/traefik/traefik-prod-3/helm-values.yaml new file mode 100644 index 0000000..61becb7 --- /dev/null +++ b/traefik/traefik-prod-3/helm-values.yaml 
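Review bot: The `tls: options: default: minVersion` block is dynamic configuration in Traefik v2 and does not belong in the static `traefik.yaml`; the static-config parser rejects unknown top-level keys, so this file is likely to fail at startup, and even where tolerated the option would not take effect from here. Related, `providers: file: directory: /etc/traefik` points the file provider at the directory holding the static config and the `certs/` mount rather than the `/etc/traefik/conf/` the other instances use, so Traefik would also try to load `traefik.yaml` itself as dynamic configuration. Move the `tls` block into a file under `config/conf/` (the prod-2 compose file already mounts it to `/etc/traefik/conf/`) and set `directory: /etc/traefik/conf/`.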
@@ -0,0 +1,73 @@ +image: + name: traefik + pullPolicy: IfNotPresent +hub: + enabled: false +deployment: + enabled: true + kind: Deployment + replicas: 3 +ingressClass: + enabled: true + isDefaultClass: true +ingressRoute: + dashboard: + enabled: false + annotations: {} + labels: {} +providers: + kubernetesCRD: + enabled: true + kubernetesIngress: + enabled: true + publishedService: # needed for health check fix + enabled: true # needed for health check fix +logs: + general: + level: ERROR + access: + enabled: false +metrics: + prometheus: + entryPoint: metrics +globalArguments: + - "--global.checknewversion" + - "--global.sendanonymoususage" +ports: + traefik: + port: 9000 + expose: false + exposedPort: 9000 + protocol: TCP + web: + port: 8000 + expose: true + exposedPort: 80 + protocol: TCP + redirectTo: websecure + websecure: + port: 8443 + expose: true + exposedPort: 443 + http3: + enabled: false + tls: + enabled: true + metrics: + port: 9100 + expose: false + exposedPort: 9100 + protocol: TCP +tlsOptions: {} +service: + enabled: true + type: LoadBalancer +autoscaling: + enabled: false +persistence: + enabled: false +certResolvers: {} +podSecurityPolicy: + enabled: false +resources: {} +affinity: {} diff --git a/traefik/traefik-prod-4/config/traefik.yaml b/traefik/traefik-prod-4/config/traefik.yaml new file mode 100644 index 0000000..c46e0f2 --- /dev/null +++ b/traefik/traefik-prod-4/config/traefik.yaml 
@@ -0,0 +1,45 @@ +global: + checkNewVersion: false + sendAnonymousUsage: false + +log: + level: ERROR + +api: + dashboard: true + insecure: true + debug: false + +entryPoints: + web: + address: :80 + http: + redirections: + entryPoint: + to: websecure + scheme: https + websecure: + address: :443 + +certificatesResolvers: + cloudflare: + acme: + email: "info@clcreative.de" + storage: /etc/traefik/certs/cloudflare-acme.json + caServer: 'https://acme-v02.api.letsencrypt.org/directory' + keyType: EC256 + dnsChallenge: + provider: cloudflare + resolvers: + - "1.1.1.1:53" + - "8.8.8.8:53" + +serversTransport: + insecureSkipVerify: true + +providers: + docker: + exposedByDefault: false + endpoint: 'unix:///var/run/docker.sock' + watch: true + swarmMode: false diff --git a/traefik/traefik-prod-4/docker-compose.yaml b/traefik/traefik-prod-4/docker-compose.yaml new file mode 100644 index 0000000..765ea8c --- /dev/null +++ b/traefik/traefik-prod-4/docker-compose.yaml @@ -0,0 +1,24 @@ +--- +networks: + frontend: + external: true + backend: + external: true +services: + traefik: + container_name: traefik-prod-4 + image: traefik:2.10.4 + ports: + - 80:80 + - 443:443 + volumes: + - /var/run/docker.sock:/var/run/docker.sock:ro + - ./config/traefik.yaml:/etc/traefik/traefik.yaml:ro + - ./config/conf/:/etc/traefik/conf/ + - ./config/certs/:/etc/traefik/certs/ + environment: + - CF_DNS_API_TOKEN=$CF_DNS_API_TOKEN + networks: + - frontend + - backend + restart: unless-stopped diff --git a/uptimekuma/uptimekuma-prod-1/argo/certificate.yaml b/uptimekuma/uptimekuma-prod-1/argo/certificate.yaml new file mode 100644 index 0000000..5762962 --- /dev/null +++ b/uptimekuma/uptimekuma-prod-1/argo/certificate.yaml 
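Review bot: This instance has no `providers.file` section, so nothing from the `./config/conf/` directory the prod-4 compose file mounts to `/etc/traefik/conf/` is ever loaded; in particular no TLS options are applied and `websecure` runs with Traefik's built-in defaults, which in the 2.x line still admit older TLS versions (verify against the docs for 2.10.4). Either add the `file: directory: /etc/traefik/conf/` / `watch: true` block the demo-1 and prod-1 configs use and ship a `tls.yml` alongside, or remove the unused mount so the compose file does not suggest hardening that is not in effect. `api.insecure` and the global `insecureSkipVerify` carry the concerns raised on the demo-1 config.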
@@ -0,0 +1,12 @@ +apiVersion: cert-manager.io/v1 +kind: Certificate +metadata: + name: uptimekuma-prod-1-certificate + namespace: uptimekuma-prod-1 +spec: + secretName: uptimekuma-prod-1-tls-secret + issuerRef: + name: certmanager-prod-1-clusterissuer + kind: ClusterIssuer + dnsNames: + - uptimekuma-prod-1.kube-prod-1.home.clcreative.de \ No newline at end of file diff --git a/uptimekuma/uptimekuma-prod-1/argo/deployment.yaml b/uptimekuma/uptimekuma-prod-1/argo/deployment.yaml new file mode 100644 index 0000000..dc5d46f --- /dev/null +++ b/uptimekuma/uptimekuma-prod-1/argo/deployment.yaml @@ -0,0 +1,38 @@ +apiVersion: apps/v1 +kind: Deployment +metadata: + name: uptimekuma-prod-1-deploy + namespace: uptimekuma-prod-1 +spec: + replicas: 1 + selector: + matchLabels: + app: uptimekuma-prod-1 + strategy: + rollingUpdate: + maxSurge: 25% + maxUnavailable: 25% + type: RollingUpdate + template: + metadata: + labels: + app: uptimekuma-prod-1 + spec: + affinity: {} + containers: + - name: uptimekuma + image: louislam/uptime-kuma:1.23.1 + ports: + - containerPort: 3001 + volumeMounts: + - mountPath: /app/data + name: uptimekuma-prod-1-vol-1 + dnsPolicy: ClusterFirst + restartPolicy: Always + schedulerName: default-scheduler + securityContext: {} + terminationGracePeriodSeconds: 10 + volumes: + - name: uptimekuma-prod-1-vol-1 + persistentVolumeClaim: + claimName: uptimekuma-prod-1-pvc diff --git a/uptimekuma/uptimekuma-prod-1/argo/ingressroute.yaml b/uptimekuma/uptimekuma-prod-1/argo/ingressroute.yaml new file mode 100644 index 0000000..4a9b8f2 --- /dev/null +++ b/uptimekuma/uptimekuma-prod-1/argo/ingressroute.yaml 
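Review bot: The pod runs with `securityContext: {}`, no `resources` and no probes, so the container is neither constrained to a non-root user nor to a memory budget, and Kubernetes cannot tell when uptime-kuma is actually serving on 3001. Worth adding a container-level `securityContext` with `allowPrivilegeEscalation: false` (and `runAsNonRoot: true` once it is confirmed the `louislam/uptime-kuma:1.23.1` image does not need root, which is not visible here), a `resources` block and a `readinessProbe` on port 3001. With `replicas: 1` on a single `ReadWriteOnce` claim, `RollingUpdate` with `maxSurge: 25%` may briefly start a second pod against the same volume; `strategy: type: Recreate` is the usual choice for a single-instance app with one PVC.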
@@ -0,0 +1,20 @@ +apiVersion: traefik.containo.us/v1alpha1 +kind: IngressRoute +metadata: + name: uptimekuma-prod-1-ingressroute + namespace: uptimekuma-prod-1 +spec: + entryPoints: + - websecure + routes: + - match: Host(`uptimekuma-prod-1.kube-prod-1.home.clcreative.de`) + kind: Rule + services: + - name: uptimekuma-prod-1-service + port: 3001 + middlewares: + - name: uptimekuma-prod-1-middleware-cors + tls: + secretName: uptimekuma-prod-1-tls-secret + domains: + - main: uptimekuma-prod-1.kube-prod-1.home.clcreative.de diff --git a/uptimekuma/uptimekuma-prod-1/argo/middleware.yaml b/uptimekuma/uptimekuma-prod-1/argo/middleware.yaml new file mode 100644 index 0000000..033b860 --- /dev/null +++ b/uptimekuma/uptimekuma-prod-1/argo/middleware.yaml @@ -0,0 +1,15 @@ +apiVersion: traefik.containo.us/v1alpha1 +kind: Middleware +metadata: + name: uptimekuma-prod-1-middleware-cors + namespace: uptimekuma-prod-1 +spec: + headers: + accessControlAllowMethods: + - "*" + accessControlAllowOriginList: + - "*" + # accessControlAllowHeaders: + # - "x-api-key" + accessControlMaxAge: 100 + addVaryHeader: true diff --git a/uptimekuma/uptimekuma-prod-1/argo/namespace.yaml b/uptimekuma/uptimekuma-prod-1/argo/namespace.yaml new file mode 100644 index 0000000..58decaa --- /dev/null +++ b/uptimekuma/uptimekuma-prod-1/argo/namespace.yaml @@ -0,0 +1,4 @@ +apiVersion: v1 +kind: Namespace +metadata: + name: uptimekuma-prod-1 \ No newline at end of file diff --git a/uptimekuma/uptimekuma-prod-1/argo/pv.yaml b/uptimekuma/uptimekuma-prod-1/argo/pv.yaml new file mode 100644 index 0000000..1a2a10f --- /dev/null +++ b/uptimekuma/uptimekuma-prod-1/argo/pv.yaml 
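Review bot: `apiVersion: traefik.containo.us/v1alpha1` is the legacy CRD group; the Traefik 2.10 release deployed elsewhere in this commit serves the same kinds under `traefik.io/v1alpha1` and marks `containo.us` as deprecated, so new manifests should use `apiVersion: traefik.io/v1alpha1` here and in `middleware.yaml` (confirm the installed CRDs provide it). The route references `uptimekuma-prod-1-service` without a namespace, which resolves to the IngressRoute's own namespace — fine only if the Service is created there, and the Service manifest later in this commit sets no `namespace`.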
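Review bot: The CORS middleware allows every origin and every method (`accessControlAllowOriginList: - "*"`, `accessControlAllowMethods: - "*"`) in front of an admin UI whose API performs state-changing calls; browsers withhold credentials for a `*` origin, but it still lets any site read unauthenticated responses and is broader than the single-host route needs. Restrict both lists to what the UI actually uses, e.g. `- "https://uptimekuma-prod-1.kube-prod-1.home.clcreative.de"` and an explicit method list, or drop the middleware if no cross-origin caller exists.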
@@ -0,0 +1,16 @@ +apiVersion: v1 +kind: PersistentVolume +metadata: + name: uptimekuma-prod-1-pv +spec: + capacity: + storage: 500Mi + accessModes: + - ReadWriteOnce + storageClassName: nfs + nfs: + server: nas-prod-1.home.clcreative.de + path: /mnt/store/app-pv/uptimekuma-prod-1-vol-1 + persistentVolumeReclaimPolicy: Retain + mountOptions: + - nfsvers=4.1 diff --git a/uptimekuma/uptimekuma-prod-1/argo/pvc.yaml b/uptimekuma/uptimekuma-prod-1/argo/pvc.yaml new file mode 100644 index 0000000..504bc74 --- /dev/null +++ b/uptimekuma/uptimekuma-prod-1/argo/pvc.yaml @@ -0,0 +1,14 @@ +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: uptimekuma-prod-1-pvc + namespace: uptimekuma-prod-1 +spec: + accessModes: + - ReadWriteOnce + storageClassName: nfs + resources: + requests: + storage: 500Mi + volumeName: uptimekuma-prod-1-pv + \ No newline at end of file diff --git a/uptimekuma/uptimekuma-prod-1/argo/service.yaml b/uptimekuma/uptimekuma-prod-1/argo/service.yaml new file mode 100644 index 0000000..d0bd1ab --- /dev/null +++ b/uptimekuma/uptimekuma-prod-1/argo/service.yaml @@ -0,0 +1,13 @@ +apiVersion: v1 +kind: Service +metadata: + name: uptimekuma-prod-1-service +spec: + selector: + app: uptimekuma-prod-1 + type: ClusterIP + ports: + - name: backend + port: 3001 + targetPort: 3001 + protocol: TCP \ No newline at end of file diff --git a/uptimekuma/uptimekuma-prod-1/kubernetes/application.yaml b/uptimekuma/uptimekuma-prod-1/kubernetes/application.yaml new file mode 100644 index 0000000..f4a79c4 --- /dev/null +++ b/uptimekuma/uptimekuma-prod-1/kubernetes/application.yaml 
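Review bot: The Service's `metadata` sets no `namespace`, unlike every other namespaced object in this directory, so it lands wherever the applying tool defaults it; Argo CD will use the Application's `destination.namespace`, but a plain `kubectl apply` of this directory would create it in `default`, and the IngressRoute's unqualified `uptimekuma-prod-1-service` reference would then not resolve. Add `namespace: uptimekuma-prod-1` under `metadata` to match the Deployment and IngressRoute. The PVC file also ends with a whitespace-only line and no trailing newline, which some linters reject.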
@@ -0,0 +1,18 @@ +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: uptimekuma-prod-1-app + namespace: argocd +spec: + destination: + namespace: uptimekuma-prod-1 + server: 'https://kubernetes.default.svc' + source: + path: uptimekuma/uptimekuma-prod-1/argo + repoURL: 'https://github.com/christianlempa/homelab' + targetRevision: HEAD + project: default + syncPolicy: + automated: + prune: true + selfHeal: true
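Review bot: `project: default` together with `syncPolicy.automated` (`prune: true`, `selfHeal: true`) and `targetRevision: HEAD` means anyone who can push to the repository's default branch gets automatic, unrestricted deploy rights into the cluster, since the `default` AppProject allows any source, destination and resource kind. Pin `targetRevision` to a named branch or tag, create an AppProject scoped to this `repoURL` and the `uptimekuma-prod-1` destination namespace, and reference it here (`project: <scoped-project>`, placeholder). Because `https://github.com/christianlempa/homelab` is a public repository, branch protection on the tracked ref becomes part of the cluster's security boundary and should be documented next to this manifest.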