
Commit d84ac5b

committed
add initial services
1 parent 00c1dba commit d84ac5b


352 files changed

+10599
-108
lines changed


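--- a/.github/linters/.ansible-lint
+++ b/.github/linters/.ansible-lint
@@ -1,3 +1,4 @@
+---
 # .ansible-lint
 warn_list:
 - unnamed-task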
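--- a/.github/linters/.yamllint.yaml
+++ b/.github/linters/.yamllint.yaml
@@ -2,7 +2,8 @@
 ignore: |
 *.sops.*
 gotk-components.yaml
-archive/
+clusterconfig/
+patches/
 extends: default
 rules:
 truthy: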
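--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,6 +1,5 @@
 ---
 fail_fast: false
-exclude: archive
 repos:
 - repo: https://github.com/adrienverge/yamllint
 rev: v1.35.1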
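--- a/.taskfiles/talos.yaml
+++ b/.taskfiles/talos.yaml
@@ -106,6 +106,18 @@ tasks:
 - msg: Node not found
 sh: "talosctl --nodes {{.controller}} get machineconfig >/dev/null 2>&1"
 
+run:
+desc: Run talos command
+dir: "/{{.BOOTSTRAP_TALOS_DIR}}"
+cmd: "talosctl {{.CLI_ARGS}}"
+requires:
+vars: ["cluster"]
+preconditions:
+- msg: Missing talosconfig
+sh: test -f {{.TALOSCONFIG_FILE}}
+- msg: Unable to retrieve Talos config
+sh: "talosctl config info >/dev/null 2>&1"
+
 destroy:
 desc: Resets nodes back to maintenance mode
 dir: "/{{.BOOTSTRAP_TALOS_DIR}}"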
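Review bot: The new `run` task's first precondition, `sh: test -f {{.TALOSCONFIG_FILE}}`, leaves the expansion unquoted, so when TALOSCONFIG_FILE is unset the shell sees the one-argument form `test -f`, which evaluates to true, and the "Missing talosconfig" check passes even though no talosconfig exists; a path containing spaces would also break it. Quote the expansion the way the sibling precondition on the next line already quotes its command: `sh: test -f "{{.TALOSCONFIG_FILE}}"`. `requires.vars` lists only `cluster` while `dir` and the precondition depend on `BOOTSTRAP_TALOS_DIR` and `TALOSCONFIG_FILE`; if those are not guaranteed by the taskfile's global vars (not visible here), adding them to `requires` would fail fast instead of running `talosctl` against an empty path. The enclosing `tasks:` map continues outside the hunk.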
@@ -0,0 +1,192 @@
1+
---
2+
# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2.schema.json
3+
apiVersion: helm.toolkit.fluxcd.io/v2
4+
kind: HelmRelease
5+
metadata:
6+
name: &app authelia
7+
spec:
8+
interval: 30m
9+
chart:
10+
spec:
11+
chart: app-template
12+
version: 3.2.1
13+
sourceRef:
14+
kind: HelmRepository
15+
name: bjw-s
16+
namespace: flux-system
17+
install:
18+
remediation:
19+
retries: 3
20+
upgrade:
21+
cleanupOnFail: true
22+
remediation:
23+
strategy: rollback
24+
retries: 3
25+
dependsOn:
26+
- name: glauth
27+
namespace: auth
28+
values:
29+
controllers:
30+
authelia:
31+
strategy: RollingUpdate
32+
annotations:
33+
reloader.stakater.com/auto: "true"
34+
initContainers:
35+
init-db:
36+
image:
37+
repository: ghcr.io/onedr0p/postgres-init
38+
tag: 16
39+
env:
40+
INIT_POSTGRES_HOST: &dbHost postgres16-rw.database.svc.cluster.local
41+
INIT_POSTGRES_DBNAME: &dbName authelia
42+
INIT_POSTGRES_USER:
43+
valueFrom:
44+
secretKeyRef:
45+
name: authelia-secret
46+
key: AUTHELIA_STORAGE_POSTGRES_USERNAME
47+
INIT_POSTGRES_PASS:
48+
valueFrom:
49+
secretKeyRef:
50+
name: authelia-secret
51+
key: AUTHELIA_STORAGE_POSTGRES_PASSWORD
52+
INIT_POSTGRES_SUPER_PASS:
53+
valueFrom:
54+
secretKeyRef:
55+
name: cloudnative-pg-secret
56+
key: password
57+
containers:
58+
app:
59+
image:
60+
repository: ghcr.io/authelia/authelia
61+
tag: 4.38.8@sha256:19375b10024caeef4e0b119a6247beae84cbaa02c846cfd750e92dea910d4b6a
62+
env:
63+
AUTHELIA_THEME: light
64+
AUTHELIA_SERVER_ADDRESS: tcp://0.0.0.0:80
65+
AUTHELIA_SERVER_DISABLE_HEALTHCHECK: "true"
66+
AUTHELIA_TELEMETRY_METRICS_ADDRESS: tcp://0.0.0.0:8080
67+
AUTHELIA_TELEMETRY_METRICS_ENABLED: "true"
68+
AUTHELIA_SESSION_REDIS_HOST: dragonfly.database.svc.cluster.local
69+
AUTHELIA_SESSION_REDIS_PORT: 6379
70+
AUTHELIA_SESSION_REDIS_PASSWORD:
71+
valueFrom:
72+
secretKeyRef:
73+
name: dragonfly-secret
74+
key: password
75+
AUTHELIA_SESSION_REDIS_DATABASE_INDEX: 2
76+
AUTHELIA_STORAGE_POSTGRES_DATABASE: *dbName
77+
AUTHELIA_STORAGE_POSTGRES_ADDRESS: *dbHost
78+
AUTHELIA_NOTIFIER_DISABLE_STARTUP_CHECK: "true"
79+
AUTHELIA_NOTIFIER_SMTP_ADDRESS: maddy.default.svc.cluster.local:25
80+
AUTHELIA_NOTIFIER_SMTP_SENDER: "Authelia <${SMTP_FROM}>"
81+
AUTHELIA_NOTIFIER_SMTP_DISABLE_REQUIRE_TLS: "true"
82+
AUTHELIA_AUTHENTICATION_BACKEND_PASSWORD_RESET_DISABLE: "true"
83+
AUTHELIA_AUTHENTICATION_BACKEND_REFRESH_INTERVAL: 1m
84+
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_IMPLEMENTATION: custom
85+
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ADDRESS: ldap://glauth.auth.svc.cluster.local:389
86+
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_TIMEOUT: 5s
87+
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_START_TLS: "false"
88+
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_BASE_DN: dc=home,dc=arpa
89+
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_USERS_FILTER: "(&({username_attribute}={input})(objectClass=posixAccount))"
90+
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ADDITIONAL_USERS_DN: ou=people,ou=users
91+
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ADDITIONAL_GROUPS_DN: ou=users
92+
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_GROUPS_FILTER: "(&(uniqueMember={dn})(objectClass=posixGroup))"
93+
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_USER: cn=search,ou=svcaccts,ou=users,dc=home,dc=arpa
94+
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ATTRIBUTES_USERNAME: uid
95+
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ATTRIBUTES_DISPLAY_NAME: givenName
96+
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ATTRIBUTES_GROUP_NAME: ou
97+
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ATTRIBUTES_MAIL: mail
98+
AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ATTRIBUTES_MEMBER_OF: memberOf
99+
AUTHELIA_ACCESS_CONTROL_DEFAULT_POLICY: one_factor
100+
AUTHELIA_TOTP_DISABLE: false
101+
AUTHELIA_TOTP_ISSUER: authelia.com
102+
X_AUTHELIA_CONFIG: /config/configuration.yaml
103+
X_AUTHELIA_CONFIG_FILTERS: template
104+
SECRET_EXTERNAL_DOMAIN: "${SECRET_EXTERNAL_DOMAIN}"
105+
SECRET_INTERNAL_DOMAIN: "${SECRET_INTERNAL_DOMAIN}"
106+
CLUSTER_CIDR: "${CLUSTER_CIDR}"
107+
NODE_CIDR: "${NODE_CIDR}"
108+
HOME_CIDR: "${HOME_CIDR}"
109+
envFrom:
110+
- secretRef:
111+
name: authelia-secret
112+
probes:
113+
liveness: &probes
114+
enabled: true
115+
custom: true
116+
spec:
117+
httpGet:
118+
path: /api/health
119+
port: &port 80
120+
initialDelaySeconds: 0
121+
periodSeconds: 10
122+
timeoutSeconds: 1
123+
failureThreshold: 3
124+
readiness: *probes
125+
securityContext:
126+
allowPrivilegeEscalation: false
127+
readOnlyRootFilesystem: true
128+
capabilities: { drop: ["ALL"] }
129+
resources:
130+
requests:
131+
cpu: 10m
132+
limits:
133+
memory: 128Mi
134+
defaultPodOptions:
135+
securityContext:
136+
runAsNonRoot: true
137+
runAsUser: 65534
138+
runAsGroup: 65534
139+
seccompProfile: { type: RuntimeDefault }
140+
topologySpreadConstraints:
141+
- maxSkew: 1
142+
topologyKey: kubernetes.io/hostname
143+
whenUnsatisfiable: DoNotSchedule
144+
labelSelector:
145+
matchLabels:
146+
app.kubernetes.io/name: *app
147+
service:
148+
app:
149+
controller: authelia
150+
ports:
151+
http:
152+
port: *port
153+
metrics:
154+
port: 8080
155+
serviceMonitor:
156+
app:
157+
serviceName: authelia
158+
endpoints:
159+
- port: metrics
160+
scheme: http
161+
path: /metrics
162+
interval: 1m
163+
scrapeTimeout: 10s
164+
ingress:
165+
app:
166+
className: external
167+
annotations:
168+
external-dns.alpha.kubernetes.io/target: "external.${SECRET_EXTERNAL_DOMAIN}"
169+
nginx.ingress.kubernetes.io/configuration-snippet: |
170+
add_header Cache-Control "no-store";
171+
add_header Pragma "no-cache";
172+
add_header X-Frame-Options "SAMEORIGIN";
173+
add_header X-XSS-Protection "1; mode=block";
174+
gethomepage.dev/enabled: "true"
175+
gethomepage.dev/group: Services
176+
gethomepage.dev/name: Authelia
177+
gethomepage.dev/icon: mdi-two-factor-authentication
178+
hosts:
179+
- host: "auth.${SECRET_EXTERNAL_DOMAIN}"
180+
paths:
181+
- path: /
182+
service:
183+
identifier: app
184+
port: http
185+
persistence:
186+
config:
187+
type: configMap
188+
name: authelia-config
189+
globalMounts:
190+
- path: /config/configuration.yaml
191+
subPath: configuration.yaml
192+
readOnly: true
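Review bot: The env block sets `AUTHELIA_ACCESS_CONTROL_DEFAULT_POLICY: one_factor` while the `configuration.yaml` mounted by this same HelmRelease (added later in this commit) sets `default_policy: &policy two_factor`; whichever source Authelia lets win, the two files disagree on the default access policy, so one of them should be removed — presumably the env entry, since the file's value is the one the OIDC clients alias — with a comment recording the intended policy. `AUTHELIA_TOTP_DISABLE: false`, `AUTHELIA_SESSION_REDIS_PORT: 6379` and `AUTHELIA_SESSION_REDIS_DATABASE_INDEX: 2` are the only unquoted scalars in an env map where every other boolean is written `"true"`/`"false"`; quoting them (`"false"`, `"6379"`, `"2"`) keeps the map uniform and does not depend on the chart stringifying them. The LDAP backend uses `ldap://glauth.auth.svc.cluster.local:389` with `LDAP_START_TLS: "false"`, and the notifier sets `SMTP_DISABLE_REQUIRE_TLS: "true"`, so the search-account bind and mail traffic travel in the clear on the cluster network; if that is deliberate because pod-to-pod traffic is encrypted elsewhere, a comment saying so next to those lines would spare the next reader the question. `AUTHELIA_TOTP_ISSUER: authelia.com` is the upstream example value and will be what users see in their authenticator app; the site's own domain is probably intended.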
@@ -0,0 +1,16 @@
1+
---
2+
# yaml-language-server: $schema=https://json.schemastore.org/kustomization
3+
apiVersion: kustomize.config.k8s.io/v1beta1
4+
kind: Kustomization
5+
resources:
6+
- ./secret.sops.yaml
7+
- ./helmrelease.yaml
8+
- ../../../../templates/gatus/external
9+
- ../../../database/cloudnative-pg/app/secret.sops.yaml
10+
- ../../../database/dragonfly/app/secret.sops.yaml
11+
configMapGenerator:
12+
- name: authelia-config
13+
files:
14+
- configuration.yaml=./resources/configuration.yaml
15+
generatorOptions:
16+
disableNameSuffixHash: true
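Review bot: The resource list pulls `../../../database/cloudnative-pg/app/secret.sops.yaml` and the dragonfly secret into this application's namespace, which means the Postgres superuser credential consumed by the `init-db` container (`INIT_POSTGRES_SUPER_PASS` in the HelmRelease) is replicated into the auth namespace, where anyone with `get secrets` there can read it. That is a wider exposure than the app needs after its one-off database bootstrap; a comment on that resource entry stating why the superuser secret has to live here (the init-container provisioning pattern) would make the trade-off explicit, and a dedicated provisioning role with only `CREATEDB`/`CREATEROLE` would be the least-privilege follow-up. `disableNameSuffixHash: true` pairs with the `reloader.stakater.com/auto` annotation on the controller — the ConfigMap keeps a stable name and reloader handles restarts on content change — and a one-line comment on `generatorOptions` saying so would prevent someone re-enabling the hash later.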
@@ -0,0 +1,77 @@
1+
---
2+
session:
3+
same_site: lax
4+
inactivity: 5m
5+
expiration: 1h
6+
remember_me: 1M
7+
cookies:
8+
- name: '{{ env "SECRET_EXTERNAL_DOMAIN" }}_session'
9+
domain: '{{ env "SECRET_EXTERNAL_DOMAIN" }}'
10+
authelia_url: 'https://auth.{{ env "SECRET_EXTERNAL_DOMAIN" }}'
11+
default_redirection_url: 'https://{{ env "SECRET_EXTERNAL_DOMAIN" }}'
12+
13+
access_control:
14+
default_policy: &policy two_factor
15+
networks:
16+
- name: internal
17+
networks: ['{{ env "CLUSTER_CIDR" }}', '{{ env "NODE_CIDR" }}', '{{ env "HOME_CIDR" }}']
18+
rules: []
19+
20+
identity_providers:
21+
oidc:
22+
jwks:
23+
- algorithm: RS256
24+
key: |-
25+
{{- env "OIDC_JWKS_KEY" | nindent 10 }}
26+
cors:
27+
endpoints: [authorization, token, revocation, introspection]
28+
allowed_origins_from_client_redirect_uris: true
29+
clients:
30+
- client_name: Grafana
31+
client_id: grafana
32+
# docker run authelia/authelia:latest authelia crypto hash generate pbkdf2 --variant sha512 --random --random.length 72 --random.charset rfc3986
33+
client_secret: '{{ env "GRAFANA_OAUTH_CLIENT_HASHED_SECRET" }}'
34+
public: false
35+
authorization_policy: *policy
36+
pre_configured_consent_duration: 1y
37+
scopes: [openid, profile, groups, email]
38+
redirect_uris: ['https://grafana.{{ env "SECRET_INTERNAL_DOMAIN" }}/login/generic_oauth']
39+
userinfo_signed_response_alg: none
40+
- client_name: pgAdmin
41+
client_id: pgadmin
42+
client_secret: '{{ env "PGADMIN_OAUTH_CLIENT_HASHED_SECRET" }}'
43+
public: false
44+
authorization_policy: *policy
45+
pre_configured_consent_duration: 1y
46+
scopes: [openid, profile, email]
47+
redirect_uris: ['https://pgadmin.{{ env "SECRET_INTERNAL_DOMAIN" }}/oauth2/authorize']
48+
userinfo_signed_response_alg: none
49+
token_endpoint_auth_method: client_secret_basic
50+
- client_id: minio
51+
client_name: MinIO
52+
client_secret: '{{ env "MINIO_OAUTH_CLIENT_HASHED_SECRET" }}'
53+
public: false
54+
authorization_policy: *policy
55+
pre_configured_consent_duration: 1y
56+
redirect_uris: ['https://minio.{{ env "SECRET_INTERNAL_DOMAIN" }}/oauth_callback']
57+
scopes: [openid, profile, email, groups]
58+
userinfo_signed_response_alg: none
59+
- client_name: Miniflux
60+
client_id: miniflux
61+
client_secret: '{{ env "MINIFLUX_OAUTH_CLIENT_HASHED_SECRET" }}'
62+
public: false
63+
authorization_policy: *policy
64+
pre_configured_consent_duration: 1y
65+
scopes: [openid, profile, groups, email]
66+
redirect_uris: ['https://rss.{{ env "SECRET_EXTERNAL_DOMAIN" }}/oauth2/oidc/callback']
67+
userinfo_signed_response_alg: none
68+
- client_id: mealie
69+
client_name: Mealie
70+
public: true
71+
authorization_policy: *policy
72+
require_pkce: true
73+
pkce_challenge_method: 'S256'
74+
redirect_uris: ['https://recipes.{{ env "SECRET_EXTERNAL_DOMAIN" }}/login']
75+
scopes: [openid, email, profile, groups]
76+
userinfo_signed_response_alg: 'none'
77+
token_endpoint_auth_method: 'none'
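Review bot: The OIDC client entries are written in three slightly different styles: `mealie` quotes `'S256'`, `'none'` and `'none'` where every earlier client leaves `userinfo_signed_response_alg: none` unquoted, and `minio` and `mealie` list `client_id` before `client_name` while the other three do the reverse; settle on one key order and write the plain enum values unquoted (`pkce_challenge_method: S256`, `userinfo_signed_response_alg: none`, `token_endpoint_auth_method: none`) so the list scans uniformly. `access_control.networks` defines `internal` from three CIDR env vars but `rules: []` never references it, so it is presumably a placeholder for rules to come; a comment saying so, or dropping it until a rule uses it, would stop readers assuming internal networks already get a policy other than `two_factor`. The JWKS entry depends on `{{-` trimming the newline after `key: |-` before `nindent 10` re-indents the PEM into the block scalar, which works but is easy to break when editing; a comment above `key:` explaining the trim/indent pairing would help.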
