diff --git a/.github/workflows/dns-update-config.yml b/.github/workflows/dns-update-config.yml
new file mode 100644
index 0000000..c9860f1
--- /dev/null
+++ b/.github/workflows/dns-update-config.yml
@@ -0,0 +1,39 @@
+name: Update Config Files
+
+on:
+ push:
+ branches:
+ - main
+ - test
+ - dev
+ paths:
+ - 'dns/dns-prod-1/config/**'
+ workflow_dispatch:
+
+jobs:
+ deploy:
+ runs-on: "self-hosted"
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+
+ - name: SCP files via ssh key
+ uses: appleboy/scp-action@master
+ with:
+ username: xcad
+ host: srv-prod-7.home.clcreative.de
+ key: ${{ secrets.SSH_XCAD }}
+ source: './config/*'
+ target: '/home/xcad/dns-prod-1/'
+ overwrite: true
+
+ - name: Restart Docker Container
+ uses: fifsky/ssh-action@master
+ with:
+ user: xcad
+ host: srv-prod-7.home.clcreative.de
+ key: ${{ secrets.SSH_XCAD }}
+ command: |
+ cd dns-prod-1
+ docker compose restart
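Review bot: Both third-party actions that receive the `SSH_XCAD` private key are referenced by a mutable branch (`uses: appleboy/scp-action@master`, `uses: fifsky/ssh-action@master`), so whatever that branch points to at run time executes with the deploy key and access to the production host; pin them to a full commit SHA, e.g. `uses: appleboy/scp-action@<full-commit-sha>`. The `on.push.branches` list also includes `test` and `dev`, yet every run copies files to `srv-prod-7.home.clcreative.de` and restarts the container, so a push to a development branch changes production; restricting the trigger to `branches: [main]` (or gating the deploy steps on `github.ref == 'refs/heads/main'`, as dns-update-dns.yml does) would match the prod-1 path filter. `source: './config/*'` is relative to the checkout root while the path filter is `dns/dns-prod-1/config/**`, so unless the runner layout differs from the repository this presumably should be `source: './dns/dns-prod-1/config/*'`. All three points apply equally to dns-update-docker.yml below.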
diff --git a/.github/workflows/dns-update-dns.yml b/.github/workflows/dns-update-dns.yml
new file mode 100644
index 0000000..aa93b8a
--- /dev/null
+++ b/.github/workflows/dns-update-dns.yml
@@ -0,0 +1,81 @@
+name: "Update DNS Records"
+
+on:
+ push:
+ branches:
+ - main
+ - test
+ - dev
+ paths:
+ - 'dns/dns-prod-1/terraform/*.tf'
+ workflow_dispatch:
+
+defaults:
+ run:
+ working-directory: ./terraform
+
+env:
+ TF_VAR_TSIG_KEY_HOME: ${{ secrets.TSIG_KEY_HOME }}
+
+jobs:
+ terraform:
+ runs-on: "self-hosted"
+ steps:
+
+ - name: Checkout
+ uses: actions/checkout@v3
+
+ - name: Setup Terraform
+ uses: hashicorp/setup-terraform@v1
+ with:
+ # terraform_version: 0.13.0:
+ cli_config_credentials_token: ${{ secrets.TF_API_TOKEN }}
+
+ - name: Terraform Format
+ id: fmt
+ run: terraform fmt -check
+
+ - name: Terraform Init
+ id: init
+ run: terraform init
+
+ - name: Terraform Validate
+ id: validate
+ run: terraform validate -no-color
+
+ - name: Terraform Plan
+ id: plan
+ if: github.event_name == 'pull_request'
+ run: terraform plan -no-color -input=false
+ continue-on-error: true
+
+ - uses: actions/github-script@v6
+ if: github.event_name == 'pull_request'
+ env:
+ PLAN: "terraform\n${{ steps.plan.outputs.stdout }}"
+ with:
+ github-token: ${{ secrets.GITHUB_TOKEN }}
+ script: |
+ const output = `#### Terraform Format and Style 🖌\`${{ steps.fmt.outcome }}\`
+ #### Terraform Initialization ⚙️\`${{ steps.init.outcome }}\`
+ #### Terraform Validation 🤖\`${{ steps.validate.outcome }}\`
+ #### Terraform Plan 📖\`${{ steps.plan.outcome }}\`
+ Show Plan
+ \`\`\`\n
+ ${process.env.PLAN}
+ \`\`\`
+
+ *Pushed by: @${{ github.actor }}, Action: \`${{ github.event_name }}\`*`;
+ github.rest.issues.createComment({
+ issue_number: context.issue.number,
+ owner: context.repo.owner,
+ repo: context.repo.repo,
+ body: output
+ })
+ - name: Terraform Plan Status
+ if: steps.plan.outcome == 'failure'
+ run: exit 1
+
+ - name: Terraform Apply
+ if: github.ref == 'refs/heads/main' && github.event_name == 'push'
+ run: terraform apply -auto-approve -input=false
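Review bot: The plan and PR-comment steps are conditioned on `github.event_name == 'pull_request'`, but `on:` lists only `push` and `workflow_dispatch`, so they never run, `steps.plan.outcome` is `skipped` rather than `failure`, the "Terraform Plan Status" gate never fires, and `terraform apply -auto-approve -input=false` on main runs without any plan ever having been produced. Either add `pull_request:` (with `branches: [main]`) to `on:`, or drop the `if:` from the plan step so every run plans before it applies. `working-directory: ./terraform` is likewise relative to the checkout root while the path filter is `dns/dns-prod-1/terraform/*.tf`; unless the runner layout differs from the repository this presumably should be `working-directory: ./dns/dns-prod-1/terraform`. `hashicorp/setup-terraform@v1` is an old major tag; consider a current release pinned to a commit SHA, and note that `TF_VAR_TSIG_KEY_HOME` is exported at workflow level and so is visible to every step, including the github-script one, rather than only to the Terraform steps that need it.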
diff --git a/.github/workflows/dns-update-docker.yml b/.github/workflows/dns-update-docker.yml
new file mode 100644
index 0000000..dc399f7
--- /dev/null
+++ b/.github/workflows/dns-update-docker.yml
@@ -0,0 +1,38 @@
+name: Update Docker Compose File
+
+on:
+ push:
+ branches:
+ - main
+ - test
+ - dev
+ paths:
+ - 'dns/dns-prod-1/docker-compose.yaml'
+ workflow_dispatch:
+
+jobs:
+ deploy:
+ runs-on: "self-hosted"
+
+ steps:
+ - name: Checkout
+ uses: actions/checkout@v2
+
+ - name: Upload new Docker Compose File
+ uses: appleboy/scp-action@master
+ with:
+ username: xcad
+ host: srv-prod-7.home.clcreative.de
+ key: ${{ secrets.SSH_XCAD }}
+ source: './docker-compose.yaml'
+ target: '/home/xcad/dns-prod-1/'
+
+ - name: Restart Docker Container
+ uses: fifsky/ssh-action@master
+ with:
+ user: xcad
+ host: srv-prod-7.home.clcreative.de
+ key: ${{ secrets.SSH_XCAD }}
+ command: |
+ cd dns-prod-1
+ docker compose up -d --force-recreate
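Review bot: Unlike the config workflow, the SCP step here has no `overwrite: true`, so if the action's default is not to overwrite, an existing `/home/xcad/dns-prod-1/docker-compose.yaml` may be left untouched and `docker compose up -d --force-recreate` would recreate the container from the old file; add `overwrite: true` under `with:` for consistency with dns-update-config.yml. Whether the default overwrites cannot be confirmed from this diff, so the explicit flag is the safer choice either way.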
diff --git a/.gitignore b/.gitignore
index 6a29dc2..103fb87 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,5 @@
+.vscode/**
+
**/.envrc
**/.env
diff --git a/argocd/argocd-prod-1/kubernetes/ingress.yml b/argocd/argocd-prod-1/kubernetes/ingress.yml
index 4d1380b..88ef6b3 100644
--- a/argocd/argocd-prod-1/kubernetes/ingress.yml
+++ b/argocd/argocd-prod-1/kubernetes/ingress.yml
@@ -3,7 +3,7 @@ kind: Ingress
metadata:
name: argocd-prod-1-ingress
namespace: argocd
- annotations:
+ annotations: {}
# traefik.ingress.kubernetes.io/router.entrypoints: websecure
# traefik.ingress.kubernetes.io/router.tls: "true"
# traefik.ingress.kubernetes.io/router.tls.options: default
diff --git a/argocd/argocd-prod-2/kubernetes/ingress.yml b/argocd/argocd-prod-2/kubernetes/ingress.yml
index 85c2077..d879a87 100644
--- a/argocd/argocd-prod-2/kubernetes/ingress.yml
+++ b/argocd/argocd-prod-2/kubernetes/ingress.yml
@@ -3,7 +3,7 @@ kind: Ingress
metadata:
name: argocd-demo-1-ingress
namespace: argocd
- annotations:
+ annotations: {}
# traefik.ingress.kubernetes.io/router.entrypoints: websecure
# traefik.ingress.kubernetes.io/router.tls: "true"
# traefik.ingress.kubernetes.io/router.tls.options: default
diff --git a/cadvisor/cadvisor-prod-1/docker-compose.yaml b/cadvisor/cadvisor-prod-1/docker-compose.yaml
new file mode 100644
index 0000000..170a84f
--- /dev/null
+++ b/cadvisor/cadvisor-prod-1/docker-compose.yaml
@@ -0,0 +1,29 @@
+---
+networks:
+ frontend:
+ external: true
+ backend:
+ external: true
+services:
+ cadvisor:
+ image: gcr.io/cadvisor/cadvisor:v0.47.2
+ container_name: cadvisor-prod-1
+ devices:
+ - /dev/kmsg
+ privileged: true
+ volumes:
+ - /:/rootfs:ro
+ - /var/run:/var/run:ro
+ - /sys:/sys:ro
+ - /var/lib/docker/:/var/lib/docker:ro
+ - /dev/disk/:/dev/disk:ro
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.cadvisor-prod-1.entrypoints=websecure
+ - traefik.http.routers.cadvisor-prod-1.rule=Host(`cadvisor-prod-1.srv-prod-1.home.clcreative.de`)
+ - traefik.http.routers.cadvisor-prod-1.tls=true
+ - traefik.http.routers.cadvisor-prod-1.tls.certresolver=cloudflare
+ networks:
+ - frontend
+ - backend
+ restart: unless-stopped
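Review bot: The Traefik router publishes this container at `cadvisor-prod-1.srv-prod-1.home.clcreative.de` with TLS but no authentication middleware, while the container runs `privileged: true` with the host root filesystem and `/var/run` (which includes the Docker socket) mounted; anyone who can reach the `websecure` entrypoint gets the full cAdvisor UI and container inventory. Consider attaching an auth middleware, e.g. `- traefik.http.routers.cadvisor-prod-1.middlewares=<auth-middleware>@file`, or not exposing it through Traefik at all and letting Prometheus scrape it over the `backend` network, which prometheus.yaml in this commit already does via `cadvisor-prod-1:8080`. The `:ro` on the `/var/run` bind mount prevents file creation but does not by itself stop a process from connecting to the Docker socket, so it offers less protection than it appears to. The same unauthenticated-exposure pattern applies to prometheus-prod-1/docker-compose.yaml.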
diff --git a/cadvisor/cadvisor-prod-2/docker-compose.yaml b/cadvisor/cadvisor-prod-2/docker-compose.yaml
new file mode 100644
index 0000000..170a84f
--- /dev/null
+++ b/cadvisor/cadvisor-prod-2/docker-compose.yaml
@@ -0,0 +1,29 @@
+---
+networks:
+ frontend:
+ external: true
+ backend:
+ external: true
+services:
+ cadvisor:
+ image: gcr.io/cadvisor/cadvisor:v0.47.2
+ container_name: cadvisor-prod-1
+ devices:
+ - /dev/kmsg
+ privileged: true
+ volumes:
+ - /:/rootfs:ro
+ - /var/run:/var/run:ro
+ - /sys:/sys:ro
+ - /var/lib/docker/:/var/lib/docker:ro
+ - /dev/disk/:/dev/disk:ro
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.cadvisor-prod-1.entrypoints=websecure
+ - traefik.http.routers.cadvisor-prod-1.rule=Host(`cadvisor-prod-1.srv-prod-1.home.clcreative.de`)
+ - traefik.http.routers.cadvisor-prod-1.tls=true
+ - traefik.http.routers.cadvisor-prod-1.tls.certresolver=cloudflare
+ networks:
+ - frontend
+ - backend
+ restart: unless-stopped
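Review bot: This file is a byte-identical copy of the prod-1 compose file (both index lines show blob `170a84f`), so `container_name`, all four router labels and the `Host()` rule still say `cadvisor-prod-1` / `srv-prod-1`; on the prod-2 host that publishes the wrong hostname, and prometheus.yaml in this commit scrapes `cadvisor-prod-2.srv-prod-2.home.clcreative.de:443`, which this rule will never match. Rename the container and the router to `cadvisor-prod-2` and set the host rule to the name Prometheus expects. The auth-middleware concern raised on the prod-1 file applies here too.
```yaml
    container_name: cadvisor-prod-2
    # … unchanged: devices, privileged, volumes …
    labels:
      - traefik.enable=true
      - traefik.http.routers.cadvisor-prod-2.entrypoints=websecure
      - traefik.http.routers.cadvisor-prod-2.rule=Host(`cadvisor-prod-2.srv-prod-2.home.clcreative.de`)
      - traefik.http.routers.cadvisor-prod-2.tls=true
      - traefik.http.routers.cadvisor-prod-2.tls.certresolver=cloudflare
    # … unchanged: networks, restart …
```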
diff --git a/certmanager/certmanager-demo-1/helm/helm-values.yaml b/certmanager/certmanager-demo-1/helm/helm-values.yaml
new file mode 100644
index 0000000..bffda75
--- /dev/null
+++ b/certmanager/certmanager-demo-1/helm/helm-values.yaml
@@ -0,0 +1,4 @@
+installCRDs: true
+extraArgs:
+ - --dns01-recursive-nameservers-only
+ - --dns01-recursive-nameservers=1.1.1.1:53,1.0.0.1:53
diff --git a/certmanager/certmanager-demo-1/kubernetes/clusterissuer.yaml b/certmanager/certmanager-demo-1/kubernetes/clusterissuer.yaml
new file mode 100644
index 0000000..23cceff
--- /dev/null
+++ b/certmanager/certmanager-demo-1/kubernetes/clusterissuer.yaml
@@ -0,0 +1,17 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: certmanager-demo-1-clusterissuer
+spec:
+ acme:
+ email: info@clcreative.de
+ server: https://acme-v02.api.letsencrypt.org/directory
+ privateKeySecretRef:
+ name: certmanager-demo-1-clusterissuer-account-key
+ solvers:
+ - dns01:
+ cloudflare:
+ email: info@clcreative.de
+ apiTokenSecretRef:
+ name: certmanager-demo-1-token
+ key: api-token
diff --git a/certmanager/certmanager-demo-2/helm/helm-values.yaml b/certmanager/certmanager-demo-2/helm/helm-values.yaml
new file mode 100644
index 0000000..440f5b3
--- /dev/null
+++ b/certmanager/certmanager-demo-2/helm/helm-values.yaml
@@ -0,0 +1,47 @@
+installCRDs: true
+extraArgs:
+ - --dns01-recursive-nameservers-only
+ - --dns01-recursive-nameservers=1.1.1.1:53,1.0.0.1:53
+resources:
+ requests:
+ cpu: 10m
+ memory: 32Mi
+ limits:
+ cpu: 100m
+ memory: 128Mi
+webhook:
+ resources:
+ requests:
+ cpu: 10m
+ memory: 32Mi
+ limits:
+ cpu: 100m
+ memory: 128Mi
+ livenessProbe:
+ failureThreshold: 3
+ initialDelaySeconds: 60
+ periodSeconds: 10
+ successThreshold: 1
+ timeoutSeconds: 1
+ readinessProbe:
+ failureThreshold: 3
+ initialDelaySeconds: 5
+ periodSeconds: 5
+ successThreshold: 1
+ timeoutSeconds: 1
+cainjector:
+ resources:
+ requests:
+ cpu: 10m
+ memory: 32Mi
+ limits:
+ cpu: 100m
+ memory: 128Mi
+startupapicheck:
+ resources:
+ requests:
+ cpu: 10m
+ memory: 32Mi
+ limits:
+ cpu: 100m
+ memory: 128Mi
\ No newline at end of file
diff --git a/certmanager/certmanager-demo-2/kubernetes/clusterissuer.yaml b/certmanager/certmanager-demo-2/kubernetes/clusterissuer.yaml
new file mode 100644
index 0000000..69b73f9
--- /dev/null
+++ b/certmanager/certmanager-demo-2/kubernetes/clusterissuer.yaml
@@ -0,0 +1,17 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: certmanager-demo-2-clusterissuer
+spec:
+ acme:
+ email: info@clcreative.de
+ server: https://acme-v02.api.letsencrypt.org/directory
+ privateKeySecretRef:
+ name: certmanager-demo-2-clusterissuer-account-key
+ solvers:
+ - dns01:
+ cloudflare:
+ email: info@clcreative.de
+ apiTokenSecretRef:
+ name: certmanager-demo-2-token
+ key: api-token
diff --git a/certmanager/certmanager-prod-1/helm/helm-values.yaml b/certmanager/certmanager-prod-1/helm/helm-values.yaml
new file mode 100644
index 0000000..68e3f1a
--- /dev/null
+++ b/certmanager/certmanager-prod-1/helm/helm-values.yaml
@@ -0,0 +1,4 @@
+installCRDs: true
+extraArgs:
+ - --dns01-recursive-nameservers-only
+ - --dns01-recursive-nameservers=1.1.1.1:53,1.0.0.1:53
\ No newline at end of file
diff --git a/certmanager/certmanager-prod-1/kubernetes/clusterissuer.yaml b/certmanager/certmanager-prod-1/kubernetes/clusterissuer.yaml
new file mode 100644
index 0000000..eb4de1a
--- /dev/null
+++ b/certmanager/certmanager-prod-1/kubernetes/clusterissuer.yaml
@@ -0,0 +1,17 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: certmanager-prod-1-clusterissuer
+spec:
+ acme:
+ email: info@clcreative.de
+ server: https://acme-v02.api.letsencrypt.org/directory
+ privateKeySecretRef:
+ name: certmanager-prod-1-clusterissuer-account-key
+ solvers:
+ - dns01:
+ cloudflare:
+ email: info@clcreative.de
+ apiTokenSecretRef:
+ name: certmanager-prod-1-token
+ key: api-token
\ No newline at end of file
diff --git a/dns/dns-prod-1/config/home-clcreative-de.zone b/dns/dns-prod-1/config/home-clcreative-de.zone
new file mode 100644
index 0000000..f6277e8
--- /dev/null
+++ b/dns/dns-prod-1/config/home-clcreative-de.zone
@@ -0,0 +1,10 @@
+$ORIGIN .
+$TTL 86400 ; 1 day
+home.clcreative.de IN SOA ns.home.clcreative.de. home.clcreative.de. (
+ 2001062618 ; serial
+ 3600 ; refresh (1 hour)
+ 3600 ; retry (1 hour)
+ 2419200 ; expire (4 weeks)
+ 3600 ; minimum (1 hour)
+ )
+ NS ns.home.clcreative.de.
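Review bot: The zone's only NS target, `ns.home.clcreative.de.`, has no A or AAAA record in this file, and none of the Terraform record sets in this commit create one either; BIND's default integrity checks report an NS name without address records and the zone may refuse to load, so add `ns IN A <dns-server-ip>` below the NS line unless that record is supplied some other way. The SOA RNAME `home.clcreative.de.` denotes the mailbox `home@clcreative.de`; if that is not the intended hostmaster contact, `hostmaster.home.clcreative.de.` is the conventional value.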
diff --git a/dns/dns-prod-1/config/named.conf b/dns/dns-prod-1/config/named.conf
new file mode 100644
index 0000000..8b89817
--- /dev/null
+++ b/dns/dns-prod-1/config/named.conf
@@ -0,0 +1,40 @@
+include "/etc/bind/named.conf.key";
+
+controls {
+ inet 127.0.0.1 port 953
+ allow { 127.0.0.1; } keys { "tsig-key"; };
+};
+
+acl docker-1 {
+ 172.17.0.0/16;
+ 172.18.0.0/16;
+ 172.19.0.0/16;
+ 172.20.0.0/16;
+ 172.21.0.0/16;
+ 172.22.0.0/16;
+ 172.23.0.0/16;
+ 172.24.0.0/16;
+ 172.25.0.0/16;
+};
+
+acl dmz-prod-1 {
+ 10.20.0.0/16;
+};
+
+acl lan-prod-1 {
+ 10.10.0.0/16;
+};
+
+options {
+ forwarders {
+ 1.1.1.1;
+ 1.0.0.1;
+ };
+ allow-query { 127.0.0.1; docker-1; lan-prod-1; dmz-prod-1; };
+};
+
+zone "home.clcreative.de" IN {
+ type master;
+ file "/etc/bind/home-clcreative-de.zone";
+ update-policy { grant tsig-key zonesub any; };
+};
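Review bot: `update-policy { grant tsig-key zonesub any; };` lets the holder of `tsig-key` rewrite every record type in the zone, including SOA and NS, yet the Terraform provider in this commit only manages A records; narrow it to what is needed, e.g. `update-policy { grant tsig-key zonesub A AAAA CNAME TXT; };`. The same key is also the `controls` key for rndc, so the secret handed to Terraform Cloud as `TSIG_KEY_HOME` doubles as the control-channel credential; a separate key for `controls` keeps a leaked update key from also controlling the server (the control socket is bound to 127.0.0.1, but the container runs with `network_mode: host`, so that is the host's loopback). `options` sets `allow-query` but no `allow-transfer`; unless the image's defaults already restrict it, add `allow-transfer { none; };` so the whole zone cannot be pulled by AXFR from the allowed networks.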
diff --git a/dns/dns-prod-1/config/rndc.conf b/dns/dns-prod-1/config/rndc.conf
new file mode 100644
index 0000000..cd9dd1d
--- /dev/null
+++ b/dns/dns-prod-1/config/rndc.conf
@@ -0,0 +1,7 @@
+include "/etc/bind/named.conf.key";
+
+options {
+ default-key "tsig-key";
+ default-server 127.0.0.1;
+ default-port 953;
+};
diff --git a/dns/dns-prod-1/docker-compose.yaml b/dns/dns-prod-1/docker-compose.yaml
new file mode 100644
index 0000000..45ac190
--- /dev/null
+++ b/dns/dns-prod-1/docker-compose.yaml
@@ -0,0 +1,12 @@
+---
+services:
+ bind9:
+ container_name: dns-prod-1
+ image: ubuntu/bind9:9.18-23.04_edge
+ environment:
+ - BIND9_USER=root
+ - TZ=Europe/Berlin
+ volumes:
+ - ./config/:/etc/bind:rw
+ network_mode: host
+ restart: unless-stopped
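Review bot: `image: ubuntu/bind9:9.18-23.04_edge` is a moving tag, so the container can silently change on every `docker compose up` or restart triggered by the workflows in this commit; pin to a specific build tag or an `@sha256:` digest so deploys are reproducible. `BIND9_USER=root` runs named as root inside a `network_mode: host` container with `/etc/bind` mounted `rw`; the image documents a non-root `BIND9_USER`, which can be used if the `./config` files are made readable and writable by that user, and would limit the impact of a fault in named.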
diff --git a/dns/dns-prod-1/terraform/_provider.tf b/dns/dns-prod-1/terraform/_provider.tf
new file mode 100644
index 0000000..f745f57
--- /dev/null
+++ b/dns/dns-prod-1/terraform/_provider.tf
@@ -0,0 +1,31 @@
+terraform {
+ required_version = ">= 0.13.0"
+
+ required_providers {
+ dns = {
+ source = "hashicorp/dns"
+ version = "3.2.3"
+ }
+ }
+ cloud {
+ organization = "clcreative"
+
+ workspaces {
+ name = "dns-prod-1"
+ }
+ }
+}
+
+variable "TSIG_KEY_HOME" {
+ type = string
+ sensitive = true
+}
+
+provider "dns" {
+ update {
+ server = "10.20.0.19"
+ key_name = "tsig-key."
+ key_algorithm = "hmac-sha256"
+ key_secret = var.TSIG_KEY_HOME
+ }
+}
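Review bot: `variable "TSIG_KEY_HOME"` is correctly marked `sensitive = true` but has no `description`, so a reader of the Terraform Cloud workspace cannot tell which key it is or what it authorises; add `description = "Secret for the tsig-key. TSIG key that named.conf grants dynamic-update rights on home.clcreative.de"`. The `server = "10.20.0.19"` address is the one server.tf assigns to `srv-prod-7`; a one-line comment saying so would help whoever renumbers that host.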
diff --git a/dns/dns-prod-1/terraform/apps.tf b/dns/dns-prod-1/terraform/apps.tf
new file mode 100644
index 0000000..9fefd69
--- /dev/null
+++ b/dns/dns-prod-1/terraform/apps.tf
@@ -0,0 +1,8 @@
+resource "dns_a_record_set" "db_prod_1" {
+ zone = "home.clcreative.de."
+ name = "db-prod-1"
+ addresses = [
+ "10.20.0.3"
+ ]
+ ttl = 3600
+}
\ No newline at end of file
diff --git a/dns/dns-prod-1/terraform/eval.tf b/dns/dns-prod-1/terraform/eval.tf
new file mode 100644
index 0000000..e69de29
diff --git a/dns/dns-prod-1/terraform/infra.tf b/dns/dns-prod-1/terraform/infra.tf
new file mode 100644
index 0000000..63fa798
--- /dev/null
+++ b/dns/dns-prod-1/terraform/infra.tf
@@ -0,0 +1,62 @@
+resource "dns_a_record_set" "fw_demo_1" {
+ zone = "home.clcreative.de."
+ name = "fw-demo-1"
+ addresses = [
+ "10.20.3.2"
+ ]
+ ttl = 3600
+}
+
+resource "dns_a_record_set" "fw_demo_2" {
+ zone = "home.clcreative.de."
+ name = "fw-demo-2"
+ addresses = [
+ "10.20.3.3"
+ ]
+ ttl = 3600
+}
+
+resource "dns_a_record_set" "fw_prod_1" {
+ zone = "home.clcreative.de."
+ name = "fw-prod-1"
+ addresses = [
+ "10.20.0.1"
+ ]
+ ttl = 3600
+}
+
+resource "dns_a_record_set" "prx_prod_1" {
+ zone = "home.clcreative.de."
+ name = "prx-prod-1"
+ addresses = [
+ "10.20.0.4"
+ ]
+ ttl = 3600
+}
+
+resource "dns_a_record_set" "prx_prod_2" {
+ zone = "home.clcreative.de."
+ name = "prx-prod-2"
+ addresses = [
+ "10.20.0.5"
+ ]
+ ttl = 3600
+}
+
+resource "dns_a_record_set" "nas_prod_1" {
+ zone = "home.clcreative.de."
+ name = "nas-prod-1"
+ addresses = [
+ "10.20.0.6"
+ ]
+ ttl = 3600
+}
+
+resource "dns_a_record_set" "sw_prod_1" {
+ zone = "home.clcreative.de."
+ name = "sw-prod-1"
+ addresses = [
+ "10.50.0.14"
+ ]
+ ttl = 3600
+}
diff --git a/dns/dns-prod-1/terraform/kubernetes.tf b/dns/dns-prod-1/terraform/kubernetes.tf
new file mode 100644
index 0000000..828cfad
--- /dev/null
+++ b/dns/dns-prod-1/terraform/kubernetes.tf
@@ -0,0 +1,62 @@
+resource "dns_a_record_set" "kube_demo_1_lb" {
+ zone = "home.clcreative.de."
+ name = "kube-demo-1"
+ addresses = [
+ "10.20.5.1"
+ ]
+ ttl = 3600
+}
+
+resource "dns_a_record_set" "kube_demo_1_lb_wildcard" {
+ zone = "home.clcreative.de."
+ name = "*.kube-demo-1"
+ addresses = [
+ "10.20.5.1"
+ ]
+ ttl = 3600
+}
+
+resource "dns_a_record_set" "kube_demo_2_lb" {
+ zone = "home.clcreative.de."
+ name = "kube-demo-2"
+ addresses = [
+ "10.20.5.2"
+ ]
+ ttl = 3600
+}
+
+resource "dns_a_record_set" "kube_demo_2_lb_wildcard" {
+ zone = "home.clcreative.de."
+ name = "*.kube-demo-2"
+ addresses = [
+ "10.20.5.2"
+ ]
+ ttl = 3600
+}
+
+resource "dns_a_record_set" "kube_prod_1_lb" {
+ zone = "home.clcreative.de."
+ name = "kube-prod-1"
+ addresses = [
+ "10.20.2.1"
+ ]
+ ttl = 3600
+}
+
+resource "dns_a_record_set" "kube_prod_1_lb_wildcard" {
+ zone = "home.clcreative.de."
+ name = "*.kube-prod-1"
+ addresses = [
+ "10.20.2.1"
+ ]
+ ttl = 3600
+}
+
+resource "dns_a_record_set" "nas_prod_1_lb_wildcard" {
+ zone = "home.clcreative.de."
+ name = "*.nas-prod-1"
+ addresses = [
+ "10.20.2.3"
+ ]
+ ttl = 3600
+}
diff --git a/dns/dns-prod-1/terraform/server.tf b/dns/dns-prod-1/terraform/server.tf
new file mode 100644
index 0000000..f8fe768
--- /dev/null
+++ b/dns/dns-prod-1/terraform/server.tf
@@ -0,0 +1,118 @@
+resource "dns_a_record_set" "srv_prod_1" {
+ zone = "home.clcreative.de."
+ name = "srv-prod-1"
+ addresses = ["10.20.0.2"]
+ ttl = 3600
+}
+
+resource "dns_a_record_set" "srv_prod_1_wildcard" {
+ zone = "home.clcreative.de."
+ name = "*.srv-prod-1"
+ addresses = ["10.20.0.2"]
+ ttl = 3600
+}
+
+resource "dns_a_record_set" "srv_prod_2" {
+ zone = "home.clcreative.de."
+ name = "srv-prod-2"
+ addresses = ["10.20.0.3"]
+ ttl = 3600
+}
+
+resource "dns_a_record_set" "srv_prod_2_wildcard" {
+ zone = "home.clcreative.de."
+ name = "*.srv-prod-2"
+ addresses = ["10.20.0.3"]
+ ttl = 3600
+}
+
+resource "dns_a_record_set" "srv_prod_3" {
+ zone = "home.clcreative.de."
+ name = "srv-prod-3"
+ addresses = ["10.20.0.15"]
+ ttl = 3600
+}
+
+resource "dns_a_record_set" "srv_prod_4" {
+ zone = "home.clcreative.de."
+ name = "srv-prod-4"
+ addresses = ["10.20.0.16"]
+ ttl = 3600
+}
+
+resource "dns_a_record_set" "srv_prod_5" {
+ zone = "home.clcreative.de."
+ name = "srv-prod-5"
+ addresses = ["10.20.0.17"]
+ ttl = 3600
+}
+
+resource "dns_a_record_set" "srv_prod_6" {
+ zone = "home.clcreative.de."
+ name = "srv-prod-6"
+ addresses = ["10.20.0.18"]
+ ttl = 3600
+}
+
+resource "dns_a_record_set" "srv_prod_7" {
+ zone = "home.clcreative.de."
+ name = "srv-prod-7"
+ addresses = ["10.20.0.19"]
+ ttl = 3600
+}
+
+resource "dns_a_record_set" "srv_prod_7_wildcard" {
+ zone = "home.clcreative.de."
+ name = "*.srv-prod-7"
+ addresses = ["10.20.0.19"]
+ ttl = 3600
+}
+
+resource "dns_a_record_set" "srv_demo_1" {
+ zone = "home.clcreative.de."
+ name = "srv-demo-1"
+ addresses = ["10.20.3.1"]
+ ttl = 3600
+}
+
+resource "dns_a_record_set" "srv_demo_1_wildcard" {
+ zone = "home.clcreative.de."
+ name = "*.srv-demo-1"
+ addresses = ["10.20.3.1"]
+ ttl = 3600
+}
+
+resource "dns_a_record_set" "srv_demo_2" {
+ zone = "home.clcreative.de."
+ name = "srv-demo-2"
+ addresses = ["10.20.3.4"]
+ ttl = 3600
+}
+
+resource "dns_a_record_set" "srv_demo_3" {
+ zone = "home.clcreative.de."
+ name = "srv-demo-3"
+ addresses = ["10.20.3.5"]
+ ttl = 3600
+}
+
+resource "dns_a_record_set" "srv_demo_4" {
+ zone = "home.clcreative.de."
+ name = "srv-demo-4"
+ addresses = ["10.20.3.6"]
+ ttl = 3600
+}
+
+resource "dns_a_record_set" "srv_demo_5" {
+ zone = "home.clcreative.de."
+ name = "srv-demo-5"
+ addresses = ["10.20.3.7"]
+ ttl = 3600
+}
+
+resource "dns_a_record_set" "srv_demo_6" {
+ zone = "home.clcreative.de."
+ name = "srv-demo-6"
+ addresses = ["10.20.3.8"]
+ ttl = 3600
+}
diff --git a/grafana/grafana-prod-1/docker-compose.yaml b/grafana/grafana-prod-1/docker-compose.yaml
new file mode 100644
index 0000000..e5bdd42
--- /dev/null
+++ b/grafana/grafana-prod-1/docker-compose.yaml
@@ -0,0 +1,24 @@
+---
+networks:
+ frontend:
+ external: true
+volumes:
+ grafana-data:
+ driver: local
+services:
+ grafana:
+ image: grafana/grafana-oss:10.1.1
+ container_name: grafana-prod-1
+ volumes:
+ - grafana-data:/var/lib/grafana
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.grafana-prod-1-http.entrypoints=web
+ - traefik.http.routers.grafana-prod-1-http.rule=Host(`grafana-prod-1.srv-prod-1.home.clcreative.de`)
+ - traefik.http.routers.grafana-prod-1-https.entrypoints=websecure
+ - traefik.http.routers.grafana-prod-1-https.rule=Host(`grafana-prod-1.srv-prod-1.home.clcreative.de`)
+ - traefik.http.routers.grafana-prod-1-https.tls=true
+ - traefik.http.routers.grafana-prod-1-https.tls.certresolver=cloudflare
+ networks:
+ - frontend
+ restart: unless-stopped
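Review bot: The `grafana-prod-1-http` router serves Grafana on the plain `web` entrypoint alongside the HTTPS router with no redirect middleware, so unless the `web` entrypoint redirects globally in Traefik configuration outside this commit, the login form and session cookie can travel in clear text; either drop the `-http` router or add `- traefik.http.routers.grafana-prod-1-http.middlewares=<redirect-to-https-middleware>`. The same pattern appears in prometheus-prod-1/docker-compose.yaml and passbolt-demo-1/docker-compose.yaml.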
diff --git a/homeassistant/homeassistant-prod-1/config/configuration.yaml b/homeassistant/homeassistant-prod-1/config/configuration.yaml
new file mode 100644
index 0000000..68dcbf2
--- /dev/null
+++ b/homeassistant/homeassistant-prod-1/config/configuration.yaml
@@ -0,0 +1,23 @@
+# Loads default set of integrations. Do not remove.
+default_config:
+
+# Load frontend themes from the themes folder
+# frontend:
+# themes: !include_dir_merge_named themes
+
+# Text to speech
+tts:
+ - platform: google_translate
+
+automation: !include automations.yaml
+script: !include scripts.yaml
+scene: !include scenes.yaml
+
+http:
+ use_x_forwarded_for: true
+ trusted_proxies:
+ - 172.19.0.0/16
+
+wake_on_lan:
+
+zha:
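Review bot: `trusted_proxies: - 172.19.0.0/16` together with `use_x_forwarded_for: true` makes Home Assistant accept `X-Forwarded-For` from any address in that /16, i.e. from every container on that Docker network, not only Traefik; any such container that can reach port 8123 could then present an arbitrary client address to Home Assistant's IP-based login protection. Narrow it to the Traefik container's address (a `/32`), or to a dedicated network shared only with Traefik.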
diff --git a/homeassistant/homeassistant-prod-1/docker-compose.yaml b/homeassistant/homeassistant-prod-1/docker-compose.yaml
new file mode 100644
index 0000000..61475f0
--- /dev/null
+++ b/homeassistant/homeassistant-prod-1/docker-compose.yaml
@@ -0,0 +1,25 @@
+---
+networks:
+ frontend:
+ external: true
+services:
+ homeassistant:
+ container_name: homeassistant-prod-1
+ image: "ghcr.io/home-assistant/home-assistant:2023.6"
+ volumes:
+ - ./config:/config
+ - /etc/localtime:/etc/localtime:ro
+ devices:
+ - /dev/ttyACMO
+ privileged: true
+ labels:
+ traefik.enable: "true"
+ traefik.http.services.homeassistant-prod-1.loadbalancer.server.port: "8123"
+ traefik.http.services.homeassistant-prod-1.loadbalancer.server.scheme: "http"
+ traefik.http.routers.homeassistant-prod-1-https.entrypoints: "websecure"
+ traefik.http.routers.homeassistant-prod-1-https.rule: "Host(`homeassistant-prod-1.srv-prod-7.home.clcreative.de`)"
+ traefik.http.routers.homeassistant-prod-1-https.tls: "true"
+ traefik.http.routers.homeassistant-prod-1-https.tls.certresolver: "cloudflare"
+ networks:
+ - frontend
+ restart: unless-stopped
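Review bot: `devices: - /dev/ttyACMO` ends in a capital letter O, whereas USB serial adapters are normally `/dev/ttyACM0` with a digit zero; if the device node does not exist the container fails to start, so this looks like a typo — verify against the actual node on the host. With `privileged: true` the `devices:` entry is also redundant, since a privileged container already sees every host device; if the only need is the Zigbee adapter for `zha`, drop `privileged: true` and keep the `devices:` mapping so the container does not get full host-device and capability access.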
diff --git a/homer/homer-prod-1/config/config.yml b/homer/homer-prod-1/config/config.yml
index e2f4c41..3189bba 100644
--- a/homer/homer-prod-1/config/config.yml
+++ b/homer/homer-prod-1/config/config.yml
@@ -138,4 +138,4 @@ services:
icon: "fa-solid fa-virus-covid"
subtitle: "Kubernetes Compliance and Security"
url: "https://cloud.armosec.io/"
- target: "_blank"
\ No newline at end of file
+ target: "_blank"
diff --git a/homer/homer-prod-1/config/custom.css b/homer/homer-prod-1/config/custom.css
new file mode 100644
index 0000000..2044e8d
--- /dev/null
+++ b/homer/homer-prod-1/config/custom.css
@@ -0,0 +1,47 @@
+.first-line {
+ background: -moz-linear-gradient(0deg, rgba(0,0,0,0) 0%, rgba(0,0,0,0.80) 100%);
+background: -webkit-linear-gradient(0deg, rgba(0,0,0,0) 0%, rgba(0,0,0,0.80) 100%);
+background: linear-gradient(0deg, rgba(0,0,0,0) 0%, rgba(0,0,0,0.80) 100%);
+}
+
+.logo a img{
+ border-radius: 50%;
+}
+
+.dashboard-title span {
+ display: none;
+}
+
+.dashboard-title h1 {
+ padding: 16px;
+ font-weight: bold;
+ color: #ffffffd0;
+}
+
+
+.card-content .image {
+ background: -moz-linear-gradient(45deg, #E624FF 0%, #1BE1FF 100%);
+ background: -webkit-linear-gradient(45deg, #E624FF 0%, #1BE1FF 100%);
+ background: linear-gradient(45deg, #E624FF 0%, #1BE1FF 100%);
+ -webkit-background-clip: text;
+ -moz-background-clip: text;
+ background-clip: text;
+ -webkit-text-fill-color: transparent;
+}
+
+.card-content i {
+ display: inline;
+}
+
+body #main-section .container {
+ box-shadow: 0 2px 15px 0 var(--card-shadow);
+ padding: 40px 40px 40px 40px;
+ background-blend-mode: darken;
+ background-color: #00000090;
+ border-radius: 20px;
+ margin: 24px auto 0px auto;
+}
+
+.container-fluid {
+ margin-top: -86px;
+}
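Review bot: The `-webkit-` and unprefixed `background:` declarations in `.first-line` sit at column 0 while every other declaration in the file is indented, so the rule reads as if it ended after the first line; indent them to match the `.card-content .image` block below.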
diff --git a/homer/homer-prod-1/kubernetes/application.yaml b/homer/homer-prod-1/kubernetes/application.yaml
index 3503b34..7c75d8e 100644
--- a/homer/homer-prod-1/kubernetes/application.yaml
+++ b/homer/homer-prod-1/kubernetes/application.yaml
@@ -9,7 +9,7 @@ spec:
server: 'https://kubernetes.default.svc'
source:
path: homer/homer-prod-1/argo
- repoURL: 'git@github.com:christianlempa/homelab'
+ repoURL: 'https://github.com/christianlempa/homelab'
targetRevision: HEAD
project: default
syncPolicy:
diff --git a/metallb/metallb-demo-1/helm/helm-values.yml b/metallb/metallb-demo-1/helm/helm-values.yml
new file mode 100644
index 0000000..ae1da9c
--- /dev/null
+++ b/metallb/metallb-demo-1/helm/helm-values.yml
@@ -0,0 +1,5 @@
+rbac:
+ create: true
+prometheus:
+ enabled: false
+resources: {}
diff --git a/metallb/metallb-demo-1/kubernetes/ipaddresspool.yml b/metallb/metallb-demo-1/kubernetes/ipaddresspool.yml
new file mode 100644
index 0000000..eced5df
--- /dev/null
+++ b/metallb/metallb-demo-1/kubernetes/ipaddresspool.yml
@@ -0,0 +1,8 @@
+apiVersion: metallb.io/v1beta1
+kind: IPAddressPool
+metadata:
+ name: metallb-demo-1-ipaddresspool
+ namespace: metallb-system
+spec:
+ addresses:
+ - 10.20.5.3/32 # IP address for traefik-demo-3
diff --git a/metallb/metallb-demo-1/kubernetes/l2advertisement.yml b/metallb/metallb-demo-1/kubernetes/l2advertisement.yml
new file mode 100644
index 0000000..d98047a
--- /dev/null
+++ b/metallb/metallb-demo-1/kubernetes/l2advertisement.yml
@@ -0,0 +1,8 @@
+apiVersion: metallb.io/v1beta1
+kind: L2Advertisement
+metadata:
+ name: metallb-demo-1-l2advertisement
+ namespace: metallb-system
+spec:
+ ipAddressPools:
+ - metallb-demo-1-ipaddresspool
diff --git a/metallb/metallb-prod-1/helm/helm-values.yaml b/metallb/metallb-prod-1/helm/helm-values.yaml
new file mode 100644
index 0000000..ae1da9c
--- /dev/null
+++ b/metallb/metallb-prod-1/helm/helm-values.yaml
@@ -0,0 +1,5 @@
+rbac:
+ create: true
+prometheus:
+ enabled: false
+resources: {}
diff --git a/metallb/metallb-prod-1/kubernetes/ipaddresspool.yaml b/metallb/metallb-prod-1/kubernetes/ipaddresspool.yaml
new file mode 100644
index 0000000..78832e3
--- /dev/null
+++ b/metallb/metallb-prod-1/kubernetes/ipaddresspool.yaml
@@ -0,0 +1,8 @@
+apiVersion: metallb.io/v1beta1
+kind: IPAddressPool
+metadata:
+ name: metallb-prod-1-ipaddresspool
+ namespace: metallb-system
+spec:
+ addresses:
+ - 10.20.2.2/32 # IP address for traefik-prod-3
diff --git a/metallb/metallb-prod-1/kubernetes/l2advertisement.yaml b/metallb/metallb-prod-1/kubernetes/l2advertisement.yaml
new file mode 100644
index 0000000..efce11e
--- /dev/null
+++ b/metallb/metallb-prod-1/kubernetes/l2advertisement.yaml
@@ -0,0 +1,8 @@
+apiVersion: metallb.io/v1beta1
+kind: L2Advertisement
+metadata:
+ name: metallb-prod-1-l2advertisement
+ namespace: metallb-system
+spec:
+ ipAddressPools:
+ - metallb-prod-1-ipaddresspool
diff --git a/passbolt/passbolt-demo-1/docker-compose.yaml b/passbolt/passbolt-demo-1/docker-compose.yaml
new file mode 100644
index 0000000..ded5489
--- /dev/null
+++ b/passbolt/passbolt-demo-1/docker-compose.yaml
@@ -0,0 +1,53 @@
+---
+networks:
+ frontend:
+ external: true
+ backend:
+ external: true
+volumes:
+ vol-1:
+ driver: local
+ driver_opts:
+ type: nfs
+ o: addr=nas-prod-1.home.clcreative.de,rw,vers=4.1
+ device: ":/mnt/store/app-pv/passbolt-demo-1-vol-1"
+ vol-2:
+ driver: local
+ driver_opts:
+ type: nfs
+ o: addr=nas-prod-1.home.clcreative.de,rw,vers=4.1
+ device: ":/mnt/store/app-pv/passbolt-demo-1-vol-2"
+services:
+ passbolt:
+ container_name: passbolt-demo-1
+ image: passbolt/passbolt:4.2.0-1-ce
+ environment:
+ - APP_FULL_BASE_URL=https://passbolt-demo-1.srv-prod-1.home.clcreative.de
+ - DATASOURCES_DEFAULT_HOST=db-prod-1.home.clcreative.de
+ - DATASOURCES_DEFAULT_USERNAME=passbolt-demo-1-user
+ - DATASOURCES_DEFAULT_PASSWORD=${DATASOURCES_DEFAULT_PASSWORD}
+ - DATASOURCES_DEFAULT_DATABASE=passbolt_demo_1_db
+ - EMAIL_TRANSPORT_DEFAULT_HOST=smtp.office365.com
+ - EMAIL_TRANSPORT_DEFAULT_PORT=587
+ - EMAIL_TRANSPORT_DEFAULT_USERNAME=${EMAIL_TRANSPORT_DEFAULT_USERNAME}
+ - EMAIL_TRANSPORT_DEFAULT_PASSWORD=${EMAIL_TRANSPORT_DEFAULT_PASSWORD}
+ - EMAIL_TRANSPORT_DEFAULT_TLS=true
+ - EMAIL_DEFAULT_FROM=${EMAIL_DEFAULT_FROM}
+ volumes:
+ - vol-1:/etc/passbolt/gpg
+ - vol-2:/etc/passbolt/jwt
+ command: ["/usr/bin/wait-for.sh", "-t", "0", "db-prod-1.home.clcreative.de:3306", "--", "/docker-entrypoint.sh"]
+ labels:
+ traefik.enable: "true"
+ traefik.http.routers.passbolt-http.entrypoints: "web"
+ traefik.http.routers.passbolt-http.rule: "Host(`passbolt-demo-1.srv-prod-1.home.clcreative.de`)"
+ traefik.http.routers.passbolt-http.middlewares: "passbolt-demo-1-middleware@file"
+ traefik.http.routers.passbolt-https.middlewares: "passbolt-demo-1-middleware@file"
+ traefik.http.routers.passbolt-https.entrypoints: "websecure"
+ traefik.http.routers.passbolt-https.rule: "Host(`passbolt-demo-1.srv-prod-1.home.clcreative.de`)"
+ traefik.http.routers.passbolt-https.tls: "true"
+ traefik.http.routers.passbolt-https.tls.certresolver: "cloudflare"
+ networks:
+ - frontend
+ - backend
+ restart: unless-stopped
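Review bot: The router names `passbolt-http` and `passbolt-https` are not instance-scoped, unlike every other service in this commit (`grafana-prod-1-https`, `homeassistant-prod-1-https`, ...), so a second Passbolt instance on the same Traefik would collide on router name and one of them would be dropped; rename them to `passbolt-demo-1-http` / `passbolt-demo-1-https`, matching the `passbolt-demo-1-middleware@file` they already reference. By path, `vol-1` (`/etc/passbolt/gpg`) and `vol-2` (`/etc/passbolt/jwt`) carry the server's GPG and JWT signing keys over NFS with `o: addr=nas-prod-1.home.clcreative.de,rw,vers=4.1` and no `sec=` option, so those secrets cross the network unencrypted unless the NAS enforces Kerberos; worth confirming that the path to `nas-prod-1` is a trusted segment.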
diff --git a/prometheus/prometheus-prod-1/config/prometheus.yaml b/prometheus/prometheus-prod-1/config/prometheus.yaml
new file mode 100644
index 0000000..501eb0d
--- /dev/null
+++ b/prometheus/prometheus-prod-1/config/prometheus.yaml
@@ -0,0 +1,74 @@
+global:
+ scrape_interval: 15s # By default, scrape targets every 15 seconds.
+
+ # Attach these labels to any time series or alerts when communicating with
+ # external systems (federation, remote storage, Alertmanager).
+ # external_labels:
+ # monitor: 'codelab-monitor'
+
+# A scrape configuration containing exactly one endpoint to scrape:
+# Here it's Prometheus itself.
+scrape_configs:
+ # The job name is added as a label `job=` to any timeseries scraped from this config.
+ - job_name: 'prometheus-prod-1'
+ # Override the global default and scrape targets from this job every 5 seconds.
+ scrape_interval: 5s
+ static_configs:
+ - targets: ['localhost:9090']
+
+ # Scrape Docker Server in Production
+ - job_name: 'cadvisor-prod-1'
+ scrape_interval: 5s
+ static_configs:
+ - targets: [cadvisor-prod-1:8080]
+
+ - job_name: 'cadvisor-prod-2'
+ scheme: https
+ tls_config:
+ insecure_skip_verify: true
+ scrape_interval: 5s
+ static_configs:
+ - targets: [cadvisor-prod-2.srv-prod-2.home.clcreative.de:443]
+
+
+ # Scrape Production Servers
+ - job_name: 'srv-prod-1'
+ scrape_interval: 15s
+ static_configs:
+ - targets: [srv-prod-1.home.clcreative.de:9100]
+
+ - job_name: 'srv-prod-2'
+ scrape_interval: 15s
+ static_configs:
+ - targets: [srv-prod-2.home.clcreative.de:9100]
+
+ - job_name: 'srv-prod-3'
+ scrape_interval: 15s
+ static_configs:
+ - targets: [srv-prod-3.home.clcreative.de:9100]
+
+ - job_name: 'srv-prod-4'
+ scrape_interval: 15s
+ static_configs:
+ - targets: [srv-prod-4.home.clcreative.de:9100]
+
+ - job_name: 'srv-prod-5'
+ scrape_interval: 15s
+ static_configs:
+ - targets: [srv-prod-5.home.clcreative.de:9100]
+
+ - job_name: 'srv-prod-6'
+ scrape_interval: 15s
+ static_configs:
+ - targets: [srv-prod-6.home.clcreative.de:9100]
+
+
+ # Example job for node_exporter
+ # - job_name: 'node_exporter'
+ # static_configs:
+ # - targets: ['node_exporter:9100']
+
+ # Example job for cadvisor
+ # - job_name: 'cadvisor'
+ # static_configs:
+ # - targets: ['cadvisor:8080']
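Review bot: The `cadvisor-prod-2` job sets `scheme: https` but also `insecure_skip_verify: true`, which disables certificate validation and leaves the TLS hop with no authenticity guarantee; the target's Traefik router requests a certificate via the `cloudflare` resolver, so verification should succeed and the `tls_config` block can be dropped, or if the chain is private, replace it with `ca_file: <issuing-ca.pem>`. Separately, `cadvisor-prod-2.srv-prod-2.home.clcreative.de:443` only resolves to a matching router once the cadvisor-prod-2 compose file's `Host()` rule names that hostname; in this commit it still carries the prod-1 rule.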
diff --git a/prometheus/prometheus-prod-1/docker-compose.yaml b/prometheus/prometheus-prod-1/docker-compose.yaml
new file mode 100644
index 0000000..2c73b08
--- /dev/null
+++ b/prometheus/prometheus-prod-1/docker-compose.yaml
@@ -0,0 +1,29 @@
+---
+networks:
+ frontend:
+ external: true
+ backend:
+ external: true
+volumes:
+ prometheus-data:
+ driver: local
+services:
+ prometheus:
+ image: prom/prometheus:v2.37.9
+ container_name: prometheus-prod-1
+ command: "--config.file=/etc/prometheus/prometheus.yaml"
+ volumes:
+ - ./config/prometheus.yaml:/etc/prometheus/prometheus.yaml:ro
+ - prometheus-data:/prometheus
+ labels:
+ - traefik.enable=true
+ - traefik.http.routers.prometheus-prod-1-http.entrypoints=web
+ - traefik.http.routers.prometheus-prod-1-http.rule=Host(`prometheus-prod-1.srv-prod-1.home.clcreative.de`)
+ - traefik.http.routers.prometheus-prod-1-https.entrypoints=websecure
+ - traefik.http.routers.prometheus-prod-1-https.rule=Host(`prometheus-prod-1.srv-prod-1.home.clcreative.de`)
+ - traefik.http.routers.prometheus-prod-1-https.tls=true
+ - traefik.http.routers.prometheus-prod-1-https.tls.certresolver=cloudflare
+ networks:
+ - frontend
+ - backend
+ restart: unless-stopped
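Review bot: The two Traefik routers declared under `labels` (L1244–L1249) attach no middleware, so the Prometheus UI and its `/api/v1` query endpoints are published on both the `web` and `websecure` entrypoints with no authentication at all, and Prometheus itself ships with none. If the Traefik instance in front of it carries the HTTP→HTTPS redirect seen in the traefik.yaml files in this commit, traffic is at least TLS-only, but the service is still open to anyone who can resolve the host. Consider adding an auth middleware, e.g. `- traefik.http.routers.prometheus-prod-1-https.middlewares=<auth-middleware-name>@file`, and dropping the plain `-http` router once the redirect is confirmed.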
diff --git a/traefik/traefik-demo-1/config/conf/headers.yml b/traefik/traefik-demo-1/config/conf/headers.yml
new file mode 100644
index 0000000..5a9a3e9
--- /dev/null
+++ b/traefik/traefik-demo-1/config/conf/headers.yml
@@ -0,0 +1,20 @@
+http:
+ middlewares:
+ passbolt-demo-1-middleware:
+ headers:
+ FrameDeny: true
+ AccessControlAllowMethods: 'GET,OPTIONS,PUT'
+ AccessControlAllowOriginList:
+ - origin-list-or-null
+ AccessControlMaxAge: 100
+ AddVaryHeader: true
+ BrowserXssFilter: true
+ ContentTypeNosniff: true
+ ForceSTSHeader: true
+ STSIncludeSubdomains: true
+ STSPreload: true
+ ContentSecurityPolicy: default-src 'self' 'unsafe-inline'
+ CustomFrameOptionsValue: SAMEORIGIN
+ ReferrerPolicy: same-origin
+ PermissionsPolicy: vibrate 'self'
+ STSSeconds: 315360000
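Review bot: `AccessControlAllowOriginList` still holds `origin-list-or-null` (L1267), which is the placeholder wording from the Traefik documentation rather than a real origin, so the CORS allow-list cannot match any browser `Origin`; replace it with the actual origin(s) or remove the CORS keys entirely. `PermissionsPolicy: vibrate 'self'` (L1278) uses the older Feature-Policy syntax — Permissions-Policy expects `vibrate=(self)` — and `BrowserXssFilter` sets a header most current browsers no longer act on, so both are dead configuration worth a comment or removal. The middleware is named `passbolt-demo-1-middleware`, and the same blob (index 5a9a3e9) is added unchanged as traefik-prod-1/config/conf/headers.yml (hunk ending at L1565), so the prod instance carries a demo-named middleware with the same placeholder origin.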
diff --git a/traefik/traefik-demo-1/config/conf/tls.yml b/traefik/traefik-demo-1/config/conf/tls.yml
new file mode 100644
index 0000000..20c4d03
--- /dev/null
+++ b/traefik/traefik-demo-1/config/conf/tls.yml
@@ -0,0 +1,12 @@
+tls:
+ options:
+ default:
+ minVersion: VersionTLS12
+ sniStrict: true
+ curvePreferences:
+ - CurveP521
+ - CurveP384
+ cipherSuites:
+ - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+ - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+ - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
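Review bot: The `cipherSuites` list is ECDSA-only, so this options block only works with an EC certificate; it silently depends on `keyType: EC256` in traefik.yaml and would leave no usable TLS 1.2 suite if the resolver were ever switched to an RSA key, which deserves a comment such as `# ECDSA-only suites: requires the ACME keyType to stay an EC type`. `curvePreferences` lists only P-521 and P-384, excluding X25519 and P-256; presumably deliberate, but with TLS 1.3 clients that send an X25519 key share it is likely to cost an extra HelloRetryRequest round trip, so add `- X25519` first if that is not intended. Note also that `cipherSuites` has no effect on TLS 1.3, where Go's TLS stack selects the suites itself. The identical blob (index 20c4d03) is added as traefik-prod-1/config/conf/tls.yml (hunk ending at L1583).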
diff --git a/traefik/traefik-demo-1/config/traefik.yaml b/traefik/traefik-demo-1/config/traefik.yaml
new file mode 100644
index 0000000..22d7715
--- /dev/null
+++ b/traefik/traefik-demo-1/config/traefik.yaml
@@ -0,0 +1,48 @@
+global:
+ checkNewVersion: false
+ sendAnonymousUsage: false
+
+log:
+ level: DEBUG
+
+api:
+ dashboard: true
+ insecure: true
+ debug: false
+
+entryPoints:
+ web:
+ address: :80
+ http:
+ redirections:
+ entryPoint:
+ to: websecure
+ scheme: https
+ websecure:
+ address: :443
+
+certificatesResolvers:
+ cloudflare:
+ acme:
+ email: "info@clcreative.de"
+ storage: /etc/traefik/certs/cloudflare-acme.json
+ caServer: 'https://acme-v02.api.letsencrypt.org/directory'
+ keyType: EC256
+ dnsChallenge:
+ provider: cloudflare
+ resolvers:
+ - "1.1.1.1:53"
+ - "8.8.8.8:53"
+
+serversTransport:
+ insecureSkipVerify: true
+
+providers:
+ docker:
+ exposedByDefault: false
+ endpoint: 'unix:///var/run/docker.sock'
+ watch: true
+ swarmMode: false
+ file:
+ directory: /etc/traefik/conf/
+ watch: true
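Review bot: `api.insecure: true` (L1313) serves the dashboard and the `/api` endpoints unauthenticated on the dedicated `traefik` entrypoint (port 8080); the compose file does not publish that port, so exposure is limited to containers on the `frontend`/`backend` networks, but any compromised container there can read the full routing configuration. The safer pattern is `insecure: false` plus an explicit router for `api@internal` guarded by an auth middleware. `serversTransport.insecureSkipVerify: true` (L1341) disables certificate verification for every backend Traefik proxies to, globally; if only specific self-signed services need it, scope it with a named serversTransport instead. The same two settings appear unchanged in traefik-prod-1 (hunk ending L1637), traefik-prod-2 (L1726) and traefik-prod-4 (L1886), which differ only in `log.level: ERROR`.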
diff --git a/traefik/traefik-demo-1/docker-compose.yaml b/traefik/traefik-demo-1/docker-compose.yaml
new file mode 100644
index 0000000..1e3858a
--- /dev/null
+++ b/traefik/traefik-demo-1/docker-compose.yaml
@@ -0,0 +1,24 @@
+---
+networks:
+ frontend:
+ external: true
+ backend:
+ external: true
+services:
+ traefik:
+ container_name: traefik-demo-1
+ image: traefik:2.10.4
+ ports:
+ - 80:80
+ - 443:443
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock:ro
+ - ./config/traefik.yaml:/etc/traefik/traefik.yaml:ro
+ - ./config/conf/:/etc/traefik/conf/
+ - ./config/certs/:/etc/traefik/certs/
+ environment:
+ - CF_DNS_API_TOKEN=$CF_DNS_API_TOKEN
+ networks:
+ - frontend
+ - backend
+ restart: unless-stopped
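Review bot: Mounting `/var/run/docker.sock` (L1372) hands the container the full Docker API, which is root-equivalent on the host; the `:ro` flag only prevents re-mounting the socket file and does not restrict API calls. If the socket cannot be avoided, a socket proxy that allows only the read-only endpoints Traefik needs, plus `security_opt: ["no-new-privileges:true"]`, limits the blast radius. Stylistically, the port mappings should be quoted strings (`- "80:80"`, `- "443:443"`) so YAML tooling never reinterprets them. The same compose layout is added for traefik-prod-1 (hunk ending L1667), traefik-prod-2 (L1756) and traefik-prod-4 (L1916).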
diff --git a/traefik/traefik-demo-2/helm-values.yaml b/traefik/traefik-demo-2/helm-values.yaml
new file mode 100644
index 0000000..cbb624e
--- /dev/null
+++ b/traefik/traefik-demo-2/helm-values.yaml
@@ -0,0 +1,73 @@
+image:
+ name: traefik
+ pullPolicy: IfNotPresent
+hub:
+ enabled: false
+deployment:
+ enabled: true
+ kind: Deployment
+ replicas: 1
+ingressClass:
+ enabled: true
+ isDefaultClass: true
+ingressRoute:
+ dashboard:
+ enabled: false
+ annotations: {}
+ labels: {}
+providers:
+ kubernetesCRD:
+ enabled: true
+ kubernetesIngress:
+ enabled: true
+ publishedService: # needed for health check fix
+ enabled: true # needed for health check fix
+logs:
+ general:
+ level: ERROR
+ access:
+ enabled: false
+metrics:
+ prometheus:
+ entryPoint: metrics
+globalArguments:
+ - "--global.checknewversion"
+ - "--global.sendanonymoususage"
+ports:
+ traefik:
+ port: 9000
+ expose: false
+ exposedPort: 9000
+ protocol: TCP
+ web:
+ port: 8000
+ expose: true
+ exposedPort: 80
+ protocol: TCP
+ redirectTo: websecure
+ websecure:
+ port: 8443
+ expose: true
+ exposedPort: 443
+ http3:
+ enabled: false
+ tls:
+ enabled: true
+ metrics:
+ port: 9100
+ expose: false
+ exposedPort: 9100
+ protocol: TCP
+tlsOptions: {}
+service:
+ enabled: true
+ type: LoadBalancer
+autoscaling:
+ enabled: false
+persistence:
+ enabled: false
+certResolvers: {}
+podSecurityPolicy:
+ enabled: false
+resources: {}
+affinity: {}
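Review bot: The two entries under `globalArguments` (L1421–L1422) are boolean flags given without a value, which Traefik treats as `true`, so this enables version checks and anonymous usage reporting — the opposite of the `checkNewVersion: false` / `sendAnonymousUsage: false` settings in the file-based configs in this commit. If the intent is the same as for the compose-based instances, write `- "--global.checknewversion=false"` and `- "--global.sendanonymoususage=false"`. The identical values file is added for traefik-demo-3 (hunk ending L1539) and, with `replicas: 3`, for traefik-prod-3 (L1835).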
diff --git a/traefik/traefik-demo-3/helm-values.yaml b/traefik/traefik-demo-3/helm-values.yaml
new file mode 100644
index 0000000..cbb624e
--- /dev/null
+++ b/traefik/traefik-demo-3/helm-values.yaml
@@ -0,0 +1,73 @@
+image:
+ name: traefik
+ pullPolicy: IfNotPresent
+hub:
+ enabled: false
+deployment:
+ enabled: true
+ kind: Deployment
+ replicas: 1
+ingressClass:
+ enabled: true
+ isDefaultClass: true
+ingressRoute:
+ dashboard:
+ enabled: false
+ annotations: {}
+ labels: {}
+providers:
+ kubernetesCRD:
+ enabled: true
+ kubernetesIngress:
+ enabled: true
+ publishedService: # needed for health check fix
+ enabled: true # needed for health check fix
+logs:
+ general:
+ level: ERROR
+ access:
+ enabled: false
+metrics:
+ prometheus:
+ entryPoint: metrics
+globalArguments:
+ - "--global.checknewversion"
+ - "--global.sendanonymoususage"
+ports:
+ traefik:
+ port: 9000
+ expose: false
+ exposedPort: 9000
+ protocol: TCP
+ web:
+ port: 8000
+ expose: true
+ exposedPort: 80
+ protocol: TCP
+ redirectTo: websecure
+ websecure:
+ port: 8443
+ expose: true
+ exposedPort: 443
+ http3:
+ enabled: false
+ tls:
+ enabled: true
+ metrics:
+ port: 9100
+ expose: false
+ exposedPort: 9100
+ protocol: TCP
+tlsOptions: {}
+service:
+ enabled: true
+ type: LoadBalancer
+autoscaling:
+ enabled: false
+persistence:
+ enabled: false
+certResolvers: {}
+podSecurityPolicy:
+ enabled: false
+resources: {}
+affinity: {}
diff --git a/traefik/traefik-prod-1/config/conf/headers.yml b/traefik/traefik-prod-1/config/conf/headers.yml
new file mode 100644
index 0000000..5a9a3e9
--- /dev/null
+++ b/traefik/traefik-prod-1/config/conf/headers.yml
@@ -0,0 +1,20 @@
+http:
+ middlewares:
+ passbolt-demo-1-middleware:
+ headers:
+ FrameDeny: true
+ AccessControlAllowMethods: 'GET,OPTIONS,PUT'
+ AccessControlAllowOriginList:
+ - origin-list-or-null
+ AccessControlMaxAge: 100
+ AddVaryHeader: true
+ BrowserXssFilter: true
+ ContentTypeNosniff: true
+ ForceSTSHeader: true
+ STSIncludeSubdomains: true
+ STSPreload: true
+ ContentSecurityPolicy: default-src 'self' 'unsafe-inline'
+ CustomFrameOptionsValue: SAMEORIGIN
+ ReferrerPolicy: same-origin
+ PermissionsPolicy: vibrate 'self'
+ STSSeconds: 315360000
diff --git a/traefik/traefik-prod-1/config/conf/tls.yml b/traefik/traefik-prod-1/config/conf/tls.yml
new file mode 100644
index 0000000..20c4d03
--- /dev/null
+++ b/traefik/traefik-prod-1/config/conf/tls.yml
@@ -0,0 +1,12 @@
+tls:
+ options:
+ default:
+ minVersion: VersionTLS12
+ sniStrict: true
+ curvePreferences:
+ - CurveP521
+ - CurveP384
+ cipherSuites:
+ - TLS_ECDHE_ECDSA_WITH_AES_128_GCM_SHA256
+ - TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384
+ - TLS_ECDHE_ECDSA_WITH_CHACHA20_POLY1305_SHA256
diff --git a/traefik/traefik-prod-1/config/traefik.yaml b/traefik/traefik-prod-1/config/traefik.yaml
new file mode 100644
index 0000000..11c04d7
--- /dev/null
+++ b/traefik/traefik-prod-1/config/traefik.yaml
@@ -0,0 +1,48 @@
+global:
+ checkNewVersion: false
+ sendAnonymousUsage: false
+
+log:
+ level: ERROR
+
+api:
+ dashboard: true
+ insecure: true
+ debug: false
+
+entryPoints:
+ web:
+ address: :80
+ http:
+ redirections:
+ entryPoint:
+ to: websecure
+ scheme: https
+ websecure:
+ address: :443
+
+certificatesResolvers:
+ cloudflare:
+ acme:
+ email: "info@clcreative.de"
+ storage: /etc/traefik/certs/cloudflare-acme.json
+ caServer: 'https://acme-v02.api.letsencrypt.org/directory'
+ keyType: EC256
+ dnsChallenge:
+ provider: cloudflare
+ resolvers:
+ - "1.1.1.1:53"
+ - "8.8.8.8:53"
+
+serversTransport:
+ insecureSkipVerify: true
+
+providers:
+ docker:
+ exposedByDefault: false
+ endpoint: 'unix:///var/run/docker.sock'
+ watch: true
+ swarmMode: false
+ file:
+ directory: /etc/traefik/conf/
+ watch: true
diff --git a/traefik/traefik-prod-1/docker-compose.yaml b/traefik/traefik-prod-1/docker-compose.yaml
new file mode 100644
index 0000000..71a0e3e
--- /dev/null
+++ b/traefik/traefik-prod-1/docker-compose.yaml
@@ -0,0 +1,24 @@
+---
+networks:
+ frontend:
+ external: true
+ backend:
+ external: true
+services:
+ traefik:
+ container_name: traefik-prod-1
+ image: traefik:2.10.4
+ ports:
+ - 80:80
+ - 443:443
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock:ro
+ - ./config/traefik.yaml:/etc/traefik/traefik.yaml:ro
+ - ./config/conf/:/etc/traefik/conf/
+ - ./config/certs/:/etc/traefik/certs/
+ environment:
+ - CF_DNS_API_TOKEN=$CF_DNS_API_TOKEN
+ networks:
+ - frontend
+ - backend
+ restart: unless-stopped
diff --git a/traefik/traefik-prod-2/config/traefik.yaml b/traefik/traefik-prod-2/config/traefik.yaml
new file mode 100644
index 0000000..7122d89
--- /dev/null
+++ b/traefik/traefik-prod-2/config/traefik.yaml
@@ -0,0 +1,53 @@
+global:
+ checkNewVersion: false
+ sendAnonymousUsage: false
+
+log:
+ level: ERROR
+
+api:
+ dashboard: true
+ insecure: true
+ debug: false
+
+entryPoints:
+ web:
+ address: :80
+ http:
+ redirections:
+ entryPoint:
+ to: websecure
+ scheme: https
+ websecure:
+ address: :443
+
+certificatesResolvers:
+ cloudflare:
+ acme:
+ email: "info@clcreative.de"
+ storage: /etc/traefik/certs/cloudflare-acme.json
+ caServer: 'https://acme-v02.api.letsencrypt.org/directory'
+ keyType: EC256
+ dnsChallenge:
+ provider: cloudflare
+ resolvers:
+ - "1.1.1.1:53"
+ - "8.8.8.8:53"
+
+serversTransport:
+ insecureSkipVerify: true
+
+tls:
+ options:
+ default:
+ minVersion: VersionTLS12
+
+providers:
+ docker:
+ exposedByDefault: false
+ endpoint: 'unix:///var/run/docker.sock'
+ watch: true
+ swarmMode: false
+ file:
+ directory: /etc/traefik
+ watch: true
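Review bot: `providers.file.directory: /etc/traefik` (L1725) points the dynamic-configuration provider at the directory holding the static config itself, rather than the `/etc/traefik/conf/` used by the other instances, so the provider will load `traefik.yaml` — and any other YAML/TOML file that lands there — as dynamic configuration. The `tls.options` block at L1713–L1716 is dynamic configuration placed in the static file and appears to rely on exactly that side effect to take effect. The cleaner fix is `directory: /etc/traefik/conf/` and moving the `tls:` block into a `conf/tls.yml` as prod-1 does; whether the provider descends into subdirectories is not shown here, so confirm against the Traefik version in use.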
diff --git a/traefik/traefik-prod-2/docker-compose.yaml b/traefik/traefik-prod-2/docker-compose.yaml
new file mode 100644
index 0000000..6980023
--- /dev/null
+++ b/traefik/traefik-prod-2/docker-compose.yaml
@@ -0,0 +1,24 @@
+---
+networks:
+ frontend:
+ external: true
+ backend:
+ external: true
+services:
+ traefik:
+ container_name: traefik-prod-2
+ image: traefik:2.10.4
+ ports:
+ - 80:80
+ - 443:443
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock:ro
+ - ./config/traefik.yaml:/etc/traefik/traefik.yaml:ro
+ - ./config/conf/:/etc/traefik/conf/
+ - ./config/certs/:/etc/traefik/certs/
+ environment:
+ - CF_DNS_API_TOKEN=$CF_DNS_API_TOKEN
+ networks:
+ - frontend
+ - backend
+ restart: unless-stopped
diff --git a/traefik/traefik-prod-3/helm-values.yaml b/traefik/traefik-prod-3/helm-values.yaml
new file mode 100644
index 0000000..61becb7
--- /dev/null
+++ b/traefik/traefik-prod-3/helm-values.yaml
@@ -0,0 +1,73 @@
+image:
+ name: traefik
+ pullPolicy: IfNotPresent
+hub:
+ enabled: false
+deployment:
+ enabled: true
+ kind: Deployment
+ replicas: 3
+ingressClass:
+ enabled: true
+ isDefaultClass: true
+ingressRoute:
+ dashboard:
+ enabled: false
+ annotations: {}
+ labels: {}
+providers:
+ kubernetesCRD:
+ enabled: true
+ kubernetesIngress:
+ enabled: true
+ publishedService: # needed for health check fix
+ enabled: true # needed for health check fix
+logs:
+ general:
+ level: ERROR
+ access:
+ enabled: false
+metrics:
+ prometheus:
+ entryPoint: metrics
+globalArguments:
+ - "--global.checknewversion"
+ - "--global.sendanonymoususage"
+ports:
+ traefik:
+ port: 9000
+ expose: false
+ exposedPort: 9000
+ protocol: TCP
+ web:
+ port: 8000
+ expose: true
+ exposedPort: 80
+ protocol: TCP
+ redirectTo: websecure
+ websecure:
+ port: 8443
+ expose: true
+ exposedPort: 443
+ http3:
+ enabled: false
+ tls:
+ enabled: true
+ metrics:
+ port: 9100
+ expose: false
+ exposedPort: 9100
+ protocol: TCP
+tlsOptions: {}
+service:
+ enabled: true
+ type: LoadBalancer
+autoscaling:
+ enabled: false
+persistence:
+ enabled: false
+certResolvers: {}
+podSecurityPolicy:
+ enabled: false
+resources: {}
+affinity: {}
diff --git a/traefik/traefik-prod-4/config/traefik.yaml b/traefik/traefik-prod-4/config/traefik.yaml
new file mode 100644
index 0000000..c46e0f2
--- /dev/null
+++ b/traefik/traefik-prod-4/config/traefik.yaml
@@ -0,0 +1,45 @@
+global:
+ checkNewVersion: false
+ sendAnonymousUsage: false
+
+log:
+ level: ERROR
+
+api:
+ dashboard: true
+ insecure: true
+ debug: false
+
+entryPoints:
+ web:
+ address: :80
+ http:
+ redirections:
+ entryPoint:
+ to: websecure
+ scheme: https
+ websecure:
+ address: :443
+
+certificatesResolvers:
+ cloudflare:
+ acme:
+ email: "info@clcreative.de"
+ storage: /etc/traefik/certs/cloudflare-acme.json
+ caServer: 'https://acme-v02.api.letsencrypt.org/directory'
+ keyType: EC256
+ dnsChallenge:
+ provider: cloudflare
+ resolvers:
+ - "1.1.1.1:53"
+ - "8.8.8.8:53"
+
+serversTransport:
+ insecureSkipVerify: true
+
+providers:
+ docker:
+ exposedByDefault: false
+ endpoint: 'unix:///var/run/docker.sock'
+ watch: true
+ swarmMode: false
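Review bot: This instance has no `providers.file` section, while its compose file mounts `./config/conf/` to `/etc/traefik/conf/` (L1909); anything placed in that directory — such as the `tls.yml` the other instances use to set `minVersion` and `sniStrict` — is silently never loaded here. Either add `file: {directory: /etc/traefik/conf/, watch: true}` under `providers` as prod-1 does, or drop the unused mount so the difference is explicit. Without a `default` TLS option this instance runs on Traefik's built-in TLS defaults rather than the hardened set in the prod-1 `tls.yml`.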
diff --git a/traefik/traefik-prod-4/docker-compose.yaml b/traefik/traefik-prod-4/docker-compose.yaml
new file mode 100644
index 0000000..765ea8c
--- /dev/null
+++ b/traefik/traefik-prod-4/docker-compose.yaml
@@ -0,0 +1,24 @@
+---
+networks:
+ frontend:
+ external: true
+ backend:
+ external: true
+services:
+ traefik:
+ container_name: traefik-prod-4
+ image: traefik:2.10.4
+ ports:
+ - 80:80
+ - 443:443
+ volumes:
+ - /var/run/docker.sock:/var/run/docker.sock:ro
+ - ./config/traefik.yaml:/etc/traefik/traefik.yaml:ro
+ - ./config/conf/:/etc/traefik/conf/
+ - ./config/certs/:/etc/traefik/certs/
+ environment:
+ - CF_DNS_API_TOKEN=$CF_DNS_API_TOKEN
+ networks:
+ - frontend
+ - backend
+ restart: unless-stopped
diff --git a/uptimekuma/uptimekuma-prod-1/argo/certificate.yaml b/uptimekuma/uptimekuma-prod-1/argo/certificate.yaml
new file mode 100644
index 0000000..5762962
--- /dev/null
+++ b/uptimekuma/uptimekuma-prod-1/argo/certificate.yaml
@@ -0,0 +1,12 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: uptimekuma-prod-1-certificate
+ namespace: uptimekuma-prod-1
+spec:
+ secretName: uptimekuma-prod-1-tls-secret
+ issuerRef:
+ name: certmanager-prod-1-clusterissuer
+ kind: ClusterIssuer
+ dnsNames:
+ - uptimekuma-prod-1.kube-prod-1.home.clcreative.de
\ No newline at end of file
diff --git a/uptimekuma/uptimekuma-prod-1/argo/deployment.yaml b/uptimekuma/uptimekuma-prod-1/argo/deployment.yaml
new file mode 100644
index 0000000..dc5d46f
--- /dev/null
+++ b/uptimekuma/uptimekuma-prod-1/argo/deployment.yaml
@@ -0,0 +1,38 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: uptimekuma-prod-1-deploy
+ namespace: uptimekuma-prod-1
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: uptimekuma-prod-1
+ strategy:
+ rollingUpdate:
+ maxSurge: 25%
+ maxUnavailable: 25%
+ type: RollingUpdate
+ template:
+ metadata:
+ labels:
+ app: uptimekuma-prod-1
+ spec:
+ affinity: {}
+ containers:
+ - name: uptimekuma
+ image: louislam/uptime-kuma:1.23.1
+ ports:
+ - containerPort: 3001
+ volumeMounts:
+ - mountPath: /app/data
+ name: uptimekuma-prod-1-vol-1
+ dnsPolicy: ClusterFirst
+ restartPolicy: Always
+ schedulerName: default-scheduler
+ securityContext: {}
+ terminationGracePeriodSeconds: 10
+ volumes:
+ - name: uptimekuma-prod-1-vol-1
+ persistentVolumeClaim:
+ claimName: uptimekuma-prod-1-pvc
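Review bot: `securityContext: {}` at pod level (L1974) with no container-level securityContext and no `resources` block means the pod runs as the image's default user with no CPU/memory limits, so a runaway or compromised Uptime Kuma process is bounded only by the node. Consider a container securityContext with `allowPrivilegeEscalation: false`, `capabilities: {drop: ["ALL"]}` and, if the image supports a non-root user, `runAsNonRoot: true`, plus `resources.requests`/`limits`. Liveness and readiness probes are also absent, so a wedged process on port 3001 would stay in service.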
diff --git a/uptimekuma/uptimekuma-prod-1/argo/ingressroute.yaml b/uptimekuma/uptimekuma-prod-1/argo/ingressroute.yaml
new file mode 100644
index 0000000..4a9b8f2
--- /dev/null
+++ b/uptimekuma/uptimekuma-prod-1/argo/ingressroute.yaml
@@ -0,0 +1,20 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+ name: uptimekuma-prod-1-ingressroute
+ namespace: uptimekuma-prod-1
+spec:
+ entryPoints:
+ - websecure
+ routes:
+ - match: Host(`uptimekuma-prod-1.kube-prod-1.home.clcreative.de`)
+ kind: Rule
+ services:
+ - name: uptimekuma-prod-1-service
+ port: 3001
+ middlewares:
+ - name: uptimekuma-prod-1-middleware-cors
+ tls:
+ secretName: uptimekuma-prod-1-tls-secret
+ domains:
+ - main: uptimekuma-prod-1.kube-prod-1.home.clcreative.de
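Review bot: `apiVersion: traefik.containo.us/v1alpha1` (L1986) is the legacy API group; Traefik 2.10 introduced `traefik.io/v1alpha1` and deprecated the old group, which is removed in v3, so new manifests should use `apiVersion: traefik.io/v1alpha1` — the same applies to middleware.yaml at L2012 — after confirming the CRDs installed by the chart in use expose it. The `tls.domains` entry (L2004–L2005) repeats the host already in `match` and is only meaningful with an ACME resolver; with `secretName` set it can be dropped.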
diff --git a/uptimekuma/uptimekuma-prod-1/argo/middleware.yaml b/uptimekuma/uptimekuma-prod-1/argo/middleware.yaml
new file mode 100644
index 0000000..033b860
--- /dev/null
+++ b/uptimekuma/uptimekuma-prod-1/argo/middleware.yaml
@@ -0,0 +1,15 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+ name: uptimekuma-prod-1-middleware-cors
+ namespace: uptimekuma-prod-1
+spec:
+ headers:
+ accessControlAllowMethods:
+ - "*"
+ accessControlAllowOriginList:
+ - "*"
+ # accessControlAllowHeaders:
+ # - "x-api-key"
+ accessControlMaxAge: 100
+ addVaryHeader: true
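Review bot: `accessControlAllowOriginList: ["*"]` together with `accessControlAllowMethods: ["*"]` (L2019–L2022) is a permit-all CORS policy, and ingressroute.yaml attaches it to every path of the host, including the Uptime Kuma admin UI and its API, not just a public status page. If cross-origin access is only needed for embedding status pages, list those origins explicitly; if it is not needed at all, remove the middleware from the route. A comment stating which consumer requires the wildcard would make the decision reviewable, e.g. `# wildcard CORS: required by <consumer> — TODO confirm`.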
diff --git a/uptimekuma/uptimekuma-prod-1/argo/namespace.yaml b/uptimekuma/uptimekuma-prod-1/argo/namespace.yaml
new file mode 100644
index 0000000..58decaa
--- /dev/null
+++ b/uptimekuma/uptimekuma-prod-1/argo/namespace.yaml
@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: uptimekuma-prod-1
\ No newline at end of file
diff --git a/uptimekuma/uptimekuma-prod-1/argo/pv.yaml b/uptimekuma/uptimekuma-prod-1/argo/pv.yaml
new file mode 100644
index 0000000..1a2a10f
--- /dev/null
+++ b/uptimekuma/uptimekuma-prod-1/argo/pv.yaml
@@ -0,0 +1,16 @@
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: uptimekuma-prod-1-pv
+spec:
+ capacity:
+ storage: 500Mi
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: nfs
+ nfs:
+ server: nas-prod-1.home.clcreative.de
+ path: /mnt/store/app-pv/uptimekuma-prod-1-vol-1
+ persistentVolumeReclaimPolicy: Retain
+ mountOptions:
+ - nfsvers=4.1
diff --git a/uptimekuma/uptimekuma-prod-1/argo/pvc.yaml b/uptimekuma/uptimekuma-prod-1/argo/pvc.yaml
new file mode 100644
index 0000000..504bc74
--- /dev/null
+++ b/uptimekuma/uptimekuma-prod-1/argo/pvc.yaml
@@ -0,0 +1,14 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: uptimekuma-prod-1-pvc
+ namespace: uptimekuma-prod-1
+spec:
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: nfs
+ resources:
+ requests:
+ storage: 500Mi
+ volumeName: uptimekuma-prod-1-pv
+
\ No newline at end of file
diff --git a/uptimekuma/uptimekuma-prod-1/argo/service.yaml b/uptimekuma/uptimekuma-prod-1/argo/service.yaml
new file mode 100644
index 0000000..d0bd1ab
--- /dev/null
+++ b/uptimekuma/uptimekuma-prod-1/argo/service.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: uptimekuma-prod-1-service
+spec:
+ selector:
+ app: uptimekuma-prod-1
+ type: ClusterIP
+ ports:
+ - name: backend
+ port: 3001
+ targetPort: 3001
+ protocol: TCP
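Review bot: This Service has no `metadata.namespace`, unlike the Deployment, PVC and IngressRoute in the same directory, which all set `namespace: uptimekuma-prod-1`. Under Argo CD the Application's `destination.namespace` places it correctly, but applied by hand with `kubectl apply -f` it lands in `default`, where its selector matches nothing and the IngressRoute's reference to `uptimekuma-prod-1-service` fails to resolve. Add `  namespace: uptimekuma-prod-1` after L2090 for consistency.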
\ No newline at end of file
diff --git a/uptimekuma/uptimekuma-prod-1/kubernetes/application.yaml b/uptimekuma/uptimekuma-prod-1/kubernetes/application.yaml
new file mode 100644
index 0000000..f4a79c4
--- /dev/null
+++ b/uptimekuma/uptimekuma-prod-1/kubernetes/application.yaml
@@ -0,0 +1,18 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: uptimekuma-prod-1-app
+ namespace: argocd
+spec:
+ destination:
+ namespace: uptimekuma-prod-1
+ server: 'https://kubernetes.default.svc'
+ source:
+ path: uptimekuma/uptimekuma-prod-1/argo
+ repoURL: 'https://github.com/christianlempa/homelab'
+ targetRevision: HEAD
+ project: default
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
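Review bot: `targetRevision: HEAD` combined with `automated.prune: true` and `selfHeal: true` means every commit on the repository's default branch is applied immediately, and any manifest removed from `uptimekuma/uptimekuma-prod-1/argo` is deleted from the cluster with no review step; that directory includes a cluster-scoped PersistentVolume, whose object prune would also remove (the NFS data itself would remain). Pinning `targetRevision` to an explicit branch name and documenting the prune behaviour with a comment keeps the blast radius of an accidental push visible.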