127 Commits

Author SHA1 Message Date
8532ffccaf Update renovate/renovate Docker tag to v41 2025-06-27 22:00:50 +00:00
b88cfef589 fix openebs after update 2025-06-27 23:54:28 +02:00
3e95a5edd1 Merge pull request 'Update Helm release openebs to v4.3.2' (#43) from renovate/openebs-4.x into fresh-start
Reviewed-on: #43
2025-06-27 21:38:27 +00:00
10fe51f52d Merge pull request 'Update registry.k8s.io/coredns/coredns Docker tag to v1.12.2' (#44) from renovate/registry.k8s.io-coredns-coredns-1.x into fresh-start
Reviewed-on: #44
2025-06-27 21:33:44 +00:00
e197cf5e5e Merge pull request 'Update Helm release gitea to v12.1.1' (#45) from renovate/gitea-12.x into fresh-start
Reviewed-on: #45
2025-06-27 21:31:42 +00:00
c54109dbf3 Merge pull request 'Update Helm release cilium to v1.17.5' (#46) from renovate/cilium-1.x into fresh-start
Reviewed-on: #46
2025-06-27 21:29:36 +00:00
5a97e4b1d8 Update Helm release openebs to v4.3.2 2025-06-27 20:28:16 +00:00
35e579fc01 Update Helm release gitea to v12.1.1 2025-06-27 20:28:01 +00:00
89542df777 Update Helm release cilium to v1.17.5 2025-06-27 20:27:51 +00:00
461f0589b3 Update registry.k8s.io/coredns/coredns Docker tag to v1.12.2 2025-06-16 09:00:47 +00:00
5cd5263d19 Merge pull request 'Update Helm release cilium to v1.17.4' (#34) from renovate/cilium-1.x into fresh-start
Reviewed-on: #34
2025-05-17 22:00:56 +00:00
a886e7c79c Merge pull request 'Update renovate/renovate Docker tag to v40.14.3' (#33) from renovate/renovate-renovate-40.x into fresh-start
Reviewed-on: #33
2025-05-17 22:00:49 +00:00
dd676716f9 fix valkey persistence in gitea chart 2025-05-17 23:54:04 +02:00
110ffa9c22 Merge pull request 'Update Helm release gitea to v12' (#35) from renovate/gitea-12.x into fresh-start
Reviewed-on: #35
2025-05-17 21:46:57 +00:00
6ed7d61e21 rename mentions of redis to valkey in gitea 2025-05-17 23:46:35 +02:00
051083cd6e Merge pull request 'Update Helm release ollama to v1.17.0' (#36) from renovate/ollama-1.x into fresh-start
Reviewed-on: #36
2025-05-17 21:40:40 +00:00
87f2446cd1 move ollama api key to vault 2025-05-17 23:32:33 +02:00
faa55fa069 move ovh cert-manager secret to vault 2025-05-17 23:12:42 +02:00
af29de91d6 move renovate gitea token to vault 2025-05-17 22:58:43 +02:00
5f3a775201 move some settings of renovate to configmap 2025-05-17 22:45:43 +02:00
81f750e5e5 Update renovate/renovate Docker tag to v40.14.3 2025-05-17 19:00:49 +00:00
641e50b5e9 Update Helm release ollama to v1.17.0 2025-05-17 03:00:44 +00:00
3fe8626391 Update Helm release gitea to v12 2025-05-16 14:00:56 +00:00
94f851c607 Update Helm release cilium to v1.17.4 2025-05-15 19:00:42 +00:00
d2134ad554 Merge pull request 'Update renovate/renovate Docker tag to v40.11.6' (#32) from renovate/renovate-renovate-40.x into fresh-start
Reviewed-on: #32
2025-05-12 00:16:15 +00:00
22910085b7 add vault secret of gitea backups 2025-05-12 02:08:32 +02:00
6a4dee0852 add vault secrets operator 2025-05-12 02:05:36 +02:00
49d5803b4f add external-secrets 2025-05-12 00:42:56 +02:00
b5c51f6720 Update renovate/renovate Docker tag to v40.11.6 2025-05-11 11:00:42 +00:00
3a8dbc6e0c Merge pull request 'Update Helm release ollama to v1.16.0' (#30) from renovate/ollama-1.x into fresh-start
Reviewed-on: #30
2025-05-10 00:13:08 +00:00
ead8be8bcb Merge pull request 'Update Helm release cert-manager to v1.17.2' (#28) from renovate/cert-manager-1.x into fresh-start
Reviewed-on: #28
2025-05-10 00:13:02 +00:00
f027dad029 Merge pull request 'Update caddy Docker tag to v2.10.0' (#26) from renovate/caddy-2.x into fresh-start
Reviewed-on: #26
2025-05-10 00:12:41 +00:00
e35b8ccac8 Merge pull request 'Update Helm release librechat to v1.8.10' (#29) from renovate/librechat-1.x into fresh-start
Reviewed-on: #29
2025-05-10 00:12:32 +00:00
f69128b245 Merge pull request 'Update renovate/renovate Docker tag to v40' (#31) from renovate/renovate-renovate-40.x into fresh-start
Reviewed-on: #31
2025-05-10 00:12:02 +00:00
d14b62f384 pin cores to minimum frequency 2025-05-10 01:43:20 +02:00
ab7b8a6f26 Update renovate/renovate Docker tag to v40 2025-05-09 13:00:22 +00:00
8acc480b05 Update Helm release ollama to v1.16.0 2025-05-06 02:00:31 +00:00
65834037ee Update Helm release librechat to v1.8.10 2025-04-24 19:00:25 +00:00
1bf63168f2 Update Helm release cert-manager to v1.17.2 2025-04-24 12:00:33 +00:00
b3db332075 Update caddy Docker tag to v2.10.0 2025-04-22 01:00:33 +00:00
b84c792992 add basedpyright and make it happy 2025-04-22 02:42:16 +02:00
947f154a81 use nix provided python as default interpreter 2025-04-21 23:01:58 +02:00
1a88b1c602 synchronize kubernetes auth method in reconcile script 2025-04-21 22:09:13 +02:00
55fce1fc36 gitea switch to database from cloudnativepg 2025-04-21 21:16:02 +02:00
bb4afc0c07 increase ollama proxy-read-timeout on ingress 2025-04-21 19:59:03 +02:00
eb92a85cac fix apps kustomization 2025-04-21 17:54:30 +02:00
8f70ae5f2e Merge pull request 'Update renovate/renovate Docker tag to v39.253.2' (#22) from renovate/renovate-renovate-39.x into fresh-start
Reviewed-on: #22
2025-04-21 15:52:55 +00:00
f89a2fd1cc Merge pull request 'Update Helm release cilium to v1.17.3' (#23) from renovate/cilium-1.x into fresh-start
Reviewed-on: #23
2025-04-21 15:52:34 +00:00
b493ee9d77 Merge pull request 'Update Helm release nginx-ingress to v2.1.0' (#25) from renovate/nginx-ingress-2.x into fresh-start
Reviewed-on: #25
2025-04-21 15:52:19 +00:00
8de0663571 Merge pull request 'Update Helm release openbao to v0.12.0' (#24) from renovate/openbao-0.x into fresh-start
Reviewed-on: #24
2025-04-21 15:52:09 +00:00
3fc534f44b remove gpt-researcher 2025-04-21 17:48:08 +02:00
1c8ccd0fc4 Update renovate/renovate Docker tag to v39.253.2 2025-04-21 10:00:40 +00:00
847fd3557b use tavily and openrouter in gpt researcher 2025-04-20 03:06:46 +02:00
d2c2f5038f change models used by gpt-researcher 2025-04-20 00:19:34 +02:00
afb9dcec65 enable support for websockets for researcher 2025-04-19 05:21:29 +02:00
ba51980cec use our own image for gpt researcher 2025-04-19 04:49:55 +02:00
e0eb26b63d add docker registry 2025-04-19 04:43:27 +02:00
eda5ba08a0 add gpt-researcher 2025-04-19 04:07:21 +02:00
318aedf89d update network config 2025-04-17 22:35:53 +02:00
7b9090afc1 Update Helm release nginx-ingress to v2.1.0 2025-04-16 15:00:30 +00:00
a109290c18 increase ollama proxy timeout 2025-04-15 23:28:03 +02:00
f4b9742ab1 Update Helm release openbao to v0.12.0 2025-04-15 20:00:29 +00:00
b103358816 Update Helm release cilium to v1.17.3 2025-04-14 21:00:32 +00:00
46cacb339d Merge pull request 'Update renovate/renovate Docker tag to v39.240.1' (#18) from renovate/renovate-renovate-39.x into fresh-start
Reviewed-on: #18
2025-04-13 00:13:01 +00:00
1e7dd52721 Merge pull request 'Update Helm release ollama to v1.14.0' (#19) from renovate/ollama-1.x into fresh-start
Reviewed-on: #19
2025-04-13 00:12:53 +00:00
044cc37392 Merge pull request 'Update registry.k8s.io/coredns/coredns Docker tag to v1.12.1' (#20) from renovate/registry.k8s.io-coredns-coredns-1.x into fresh-start
Reviewed-on: #20
2025-04-13 00:07:17 +00:00
68ba891abc Merge pull request 'Update Helm release community-operator to v0.13.0' (#21) from renovate/community-operator-0.x into fresh-start
Reviewed-on: #21
2025-04-13 00:07:04 +00:00
81ed455ff8 Update renovate/renovate Docker tag to v39.240.1 2025-04-12 19:00:28 +00:00
b7c2da4419 Update Helm release community-operator to v0.13.0 2025-04-11 19:00:24 +00:00
4bc01e2e78 disable proxy buffering in ollama ingress 2025-04-11 03:24:45 +02:00
94d51de471 Update registry.k8s.io/coredns/coredns Docker tag to v1.12.1 2025-04-08 20:00:30 +00:00
dc0104c55d Update Helm release ollama to v1.14.0 2025-04-08 13:00:44 +00:00
83be6619e8 deploy gitea postgres cluster 2025-04-05 22:34:57 +02:00
48ccacefdd Fix librechat kustomization typo 2025-04-05 22:12:40 +02:00
cfeef90515 Split renovate deployment to files 2025-04-05 22:11:37 +02:00
ce0bef4970 Split librechat deployment to files 2025-04-05 22:09:59 +02:00
bd5fd97ed0 split ollama deployment to files 2025-04-05 22:08:02 +02:00
52641779bc split gitea deployment to files 2025-04-05 22:01:53 +02:00
e98e02705d Move gitea kustomization to subdir 2025-04-05 20:22:29 +02:00
3c849f52f7 install cloudnativepg 2025-04-05 20:05:54 +02:00
36187fff41 Merge pull request 'Update renovate/renovate Docker tag to v39.233.3' (#15) from renovate/renovate-renovate-39.x into fresh-start
Reviewed-on: #15
2025-04-05 13:37:14 +00:00
1ac7504585 Merge pull request 'Update Helm release community-operator to v0.12.1' (#16) from renovate/community-operator-0.x into fresh-start
Reviewed-on: #16
2025-04-05 13:36:59 +00:00
879c013e89 Merge pull request 'Update Helm release ollama to v1.13.0' (#17) from renovate/ollama-1.x into fresh-start
Reviewed-on: #17
2025-04-05 13:36:35 +00:00
aa7fe8d3cf enable search in librechat 2025-04-05 03:56:02 +02:00
fd280f1fca add ingress to librechat 2025-04-05 03:54:11 +02:00
2ad381e35c Install librechat from different chart 2025-04-05 02:59:41 +02:00
e63a285dc3 Remove old librechat deployment 2025-04-04 23:01:49 +02:00
5336df3134 Update renovate/renovate Docker tag to v39.233.3 2025-04-04 12:00:48 +00:00
966639e3c8 Update Helm release ollama to v1.13.0 2025-04-04 04:00:32 +00:00
97924a8064 Update Helm release community-operator to v0.12.1 2025-04-01 09:00:25 +00:00
37b78f079e Add librechat 2025-04-01 02:55:59 +02:00
0d17825eab Add mongodb database for librechat 2025-04-01 00:35:50 +02:00
ffeecf65f6 Mongodb operator 2025-03-31 23:38:58 +02:00
fea49ae167 Merge pull request 'Update renovate/renovate Docker tag to v39.221.0' (#14) from renovate/renovate-renovate-39.x into fresh-start
Reviewed-on: #14
2025-03-30 16:31:27 +00:00
6b6e7937c1 Update renovate/renovate Docker tag to v39.221.0 2025-03-30 13:00:33 +00:00
487baa2813 vulkan support in ollama 2025-03-30 03:05:51 +02:00
fe2f79d13c Disable flux network policy 2025-03-29 23:12:35 +01:00
c3a747c03c Merge pull request 'Update renovate/renovate Docker tag to v39.220.4' (#12) from renovate/renovate-renovate-39.x into fresh-start
Reviewed-on: #12
2025-03-29 22:10:11 +00:00
f1f6ffb9a0 Merge pull request 'Update Helm release ollama to v1.12.0' (#13) from renovate/ollama-1.x into fresh-start
Reviewed-on: #13
2025-03-29 22:10:03 +00:00
e851f6ab8c Update Helm release ollama to v1.12.0 2025-03-29 17:00:29 +00:00
2ecd20c9d7 Update renovate/renovate Docker tag to v39.220.4 2025-03-29 14:00:39 +00:00
bdb3bd3234 Ollama proxy fix secret ref 2025-03-27 01:47:23 +01:00
47e957e444 add cert-manager annotation to ollama ingress 2025-03-27 01:34:23 +01:00
b2dfb2dc0b disable https for caddy 2025-03-27 01:32:37 +01:00
6ccc964c87 add ollama proxy and ingress 2025-03-27 01:30:12 +01:00
5c7b258ccf Merge pull request 'Update renovate/renovate Docker tag to v39.218.1' (#10) from renovate/renovate-renovate-39.x into fresh-start
Reviewed-on: #10
2025-03-26 23:13:23 +00:00
351426f055 Merge pull request 'Update Helm release gitea to v11.0.1' (#11) from renovate/gitea-11.x into fresh-start
Reviewed-on: #11
2025-03-26 23:12:11 +00:00
ca598f9750 Update Helm release gitea to v11.0.1 2025-03-26 18:00:58 +00:00
0cb93ce8a1 Update renovate/renovate Docker tag to v39.218.1 2025-03-26 17:00:31 +00:00
6fde991ba9 add ollama deployment 2025-03-26 02:17:53 +01:00
5f3840cc02 Reapply "Merge pull request 'Update Helm release gitea to v11' (#9) from renovate/gitea-11.x into fresh-start"
This reverts commit d9a22723ef.
2025-03-26 01:48:36 +01:00
d9a22723ef Revert "Merge pull request 'Update Helm release gitea to v11' (#9) from renovate/gitea-11.x into fresh-start"
This reverts commit f97a655ad5, reversing
changes made to f36ce88026.
2025-03-26 01:16:23 +01:00
f97a655ad5 Merge pull request 'Update Helm release gitea to v11' (#9) from renovate/gitea-11.x into fresh-start
Reviewed-on: #9
2025-03-26 00:07:23 +00:00
c2aacd0ef4 Remove custom gitea tag from values 2025-03-26 01:06:24 +01:00
f36ce88026 Merge pull request 'Update Helm release openebs to v4.2.0' (#7) from renovate/openebs-4.x into fresh-start
Reviewed-on: #7
2025-03-26 00:01:50 +00:00
d19d332b59 Merge pull request 'Update renovate/renovate Docker tag to v39.216.1' (#8) from renovate/renovate-renovate-39.x into fresh-start
Reviewed-on: #8
2025-03-26 00:00:00 +00:00
5cf9de7997 renovate improve yaml matching 2025-03-26 00:58:03 +01:00
3c84632a2d Merge pull request 'Update Helm release openbao to v0.10.1' (#6) from renovate/openbao-0.x into fresh-start
Reviewed-on: #6
2025-03-25 23:54:58 +00:00
14bcc8546c Merge pull request 'Update Helm release k8up to v4.8.4' (#4) from renovate/k8up-4.x into fresh-start
Reviewed-on: #4
2025-03-25 23:53:54 +00:00
ca8a63fdbe Merge pull request 'Update Helm release cert-manager to v1.17.1' (#3) from renovate/cert-manager-1.x into fresh-start
Reviewed-on: #3
2025-03-25 23:44:47 +00:00
3a46d17f02 Update Helm release gitea to v11 2025-03-25 23:42:27 +00:00
add851ee9e Update renovate/renovate Docker tag to v39.216.1 2025-03-25 23:42:26 +00:00
edbfd26bde Update Helm release openebs to v4.2.0 2025-03-25 23:42:25 +00:00
dea0dfb7cc Update Helm release openbao to v0.10.1 2025-03-25 23:42:24 +00:00
874fc826cd Update Helm release k8up to v4.8.4 2025-03-25 23:42:21 +00:00
33cb5c72c7 Update Helm release cert-manager to v1.17.1 2025-03-25 23:42:20 +00:00
31df54fcf0 Merge pull request 'Configure Renovate' (#2) from renovate/configure into fresh-start
Reviewed-on: #2
2025-03-25 23:41:34 +00:00
59 changed files with 12803 additions and 11689 deletions

@@ -1,3 +1,7 @@
{
"recommendations": ["arrterian.nix-env-selector", "jnoortheen.nix-ide"]
"recommendations": [
"arrterian.nix-env-selector",
"jnoortheen.nix-ide",
"detachhead.basedpyright"
]
}

@@ -8,5 +8,6 @@
}
},
"terminal.integrated.defaultProfile.linux": "Nix Shell",
"ansible.python.interpreterPath": "/bin/python"
"ansible.python.interpreterPath": "/bin/python",
"python.defaultInterpreterPath": "${env:PYTHON_BIN}"
}
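Review bot: `"python.defaultInterpreterPath": "${env:PYTHON_BIN}"` only resolves when VS Code is started from a shell in which `PYTHON_BIN` is set; the flake.nix change in this same diff exports it from the dev shell's `shellHook`, but a VS Code launched from a desktop launcher will expand the setting to an empty path and silently fall back to whatever interpreter it finds. A one-line comment next to this setting pointing at the shellHook would save the next person the debugging.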

apps/gitea/backups.yaml Normal file

@@ -0,0 +1,33 @@
apiVersion: k8up.io/v1
kind: Schedule
metadata:
name: gitea-backup
namespace: gitea
spec:
backend:
# Manually adding secrets for now
repoPasswordSecretRef:
name: gitea-backup-restic
key: password
s3:
endpoint: https://s3.eu-central-003.backblazeb2.com
bucket: lumpiasty-backups
accessKeyIDSecretRef:
name: gitea-backup-backblaze
key: aws_access_key_id
secretAccessKeySecretRef:
name: gitea-backup-backblaze
key: aws_secret_access_key
backup:
schedule: "@daily-random"
failedJobsHistoryLimit: 2
successfulJobsHistoryLimit: 2
check:
schedule: "@daily-random"
prune:
schedule: "@daily-random"
retention:
keepLast: 14
keepDaily: 14
keepWeekly: 50
keepYearly: 10
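Review bot: the `# Manually adding secrets for now` comment above `repoPasswordSecretRef` is stale in this hunk, because `gitea-backup-restic` and `gitea-backup-backblaze` are now created by the `VaultStaticSecret` resources in apps/gitea/secret.yaml in this same change; drop the comment or point it at that file. The Schedule also selects no PVCs, so it covers whatever k8up finds in the `gitea` namespace, including the CloudNativePG data volume added in this diff; a file-level copy of a running Postgres data directory is not a consistent database backup on its own, so state in the file which volumes this Schedule is meant to protect.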

@@ -0,0 +1,8 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- postgres-cluster.yaml
- release.yaml
- secret.yaml
- backups.yaml

@@ -0,0 +1,5 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: gitea

@@ -0,0 +1,12 @@
---
apiVersion: postgresql.cnpg.io/v1
kind: Cluster
metadata:
name: gitea-postgresql-cluster
namespace: gitea
spec:
instances: 1
storage:
size: 10Gi
storageClass: mayastor-single-hdd
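Review bot: `instances: 1` with no `spec.backup` section means the Gitea database runs with neither a replica nor WAL archiving, so recovery depends entirely on the k8up file-level copy of the PVC, which is not a consistent Postgres backup. CloudNativePG can ship base backups and WAL to object storage through `spec.backup.barmanObjectStore`, and the Backblaze bucket and credentials already exist in this diff; that is the piece I would add before switching Gitea onto this cluster, since the `gitea switch to database from cloudnativepg` commit makes it the only copy of the data.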

@@ -1,9 +1,3 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: gitea
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
@@ -23,7 +17,7 @@ spec:
chart:
spec:
chart: gitea
version: 10.6.0
version: 12.1.1
sourceRef:
kind: HelmRepository
name: gitea-charts
@@ -34,7 +28,7 @@ spec:
enabled: false
postgresql:
enabled: true
enabled: false
primary:
persistence:
enabled: true
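Review bot: with `postgresql.enabled` flipped to `false`, the `primary.persistence` block that remains beneath it is dead configuration for the disabled Bitnami subchart. Remove it along with the rest of the `postgresql` values, otherwise a reader of this file will assume the chart still provisions a database with a persistent volume when the real database now lives in the CloudNativePG cluster.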
@@ -43,12 +37,12 @@ spec:
requests:
cpu: 0
redis-cluster:
valkey-cluster:
enabled: false
redis:
valkey:
enabled: true
master:
primary:
persistence:
enabled: true
storageClass: mayastor-single-hdd
@@ -60,13 +54,19 @@ spec:
enabled: true
storageClass: mayastor-single-hdd
image:
tag: 1.23.3
gitea:
additionalConfigFromEnvs:
- name: GITEA__DATABASE__PASSWD
valueFrom:
secretKeyRef:
name: gitea-postgresql-cluster-app
key: password
config:
database:
DB_TYPE: postgres
HOST: gitea-postgresql-cluster-rw:5432
NAME: app
USER: app
indexer:
ISSUE_INDEXER_TYPE: bleve
REPO_INDEXER_ENABLED: true
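Review bot: the new `database` block sets `HOST: gitea-postgresql-cluster-rw:5432` but no `SSL_MODE`, so Gitea uses its default of `disable`, even though a CloudNativePG cluster serves TLS on its `-rw` service out of the box; add `SSL_MODE: require` so the password injected through `GITEA__DATABASE__PASSWD` does not cross the cluster network in clear text. Taking that password from the operator-managed `gitea-postgresql-cluster-app` Secret rather than a hand-written one is the right call, and dropping the `image.tag: 1.23.3` pin is consistent with letting Renovate drive the chart version.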
@@ -111,37 +111,3 @@ spec:
resources:
requests:
cpu: 0
---
apiVersion: k8up.io/v1
kind: Schedule
metadata:
name: gitea-backup
namespace: gitea
spec:
backend:
# Manually adding secrets for now
repoPasswordSecretRef:
name: restic-repo
key: password
s3:
endpoint: https://s3.eu-central-003.backblazeb2.com
bucket: lumpiasty-backups
accessKeyIDSecretRef:
name: backblaze
key: keyid
secretAccessKeySecretRef:
name: backblaze
key: secret
backup:
schedule: "@daily-random"
failedJobsHistoryLimit: 2
successfulJobsHistoryLimit: 2
check:
schedule: "@daily-random"
prune:
schedule: "@daily-random"
retention:
keepLast: 14
keepDaily: 14
keepWeekly: 50
keepYearly: 10

apps/gitea/secret.yaml Normal file

@@ -0,0 +1,58 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: backup
namespace: gitea
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: backup
namespace: gitea
spec:
method: kubernetes
mount: kubernetes
kubernetes:
role: backup
serviceAccount: backup
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: gitea-backup-restic
namespace: gitea
spec:
type: kv-v2
mount: secret
path: restic
destination:
create: true
name: gitea-backup-restic
type: Opaque
transformation:
excludeRaw: true
vaultAuthRef: backup
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: gitea-backup-backblaze
namespace: gitea
spec:
type: kv-v2
mount: secret
path: backblaze
destination:
create: true
name: gitea-backup-backblaze
type: Opaque
transformation:
excludeRaw: true
vaultAuthRef: backup
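Review bot: the `VaultAuth` named `backup` logs in as the `backup` ServiceAccount against Vault role `backup`, but the Vault-side role and policy are not part of this diff, so the file cannot show how tightly they are bound. Add a comment here stating that the role must be bound to ServiceAccount `backup` in namespace `gitea` only (not `*` for the namespace) and that its policy should grant read on just `secret/data/restic` and `secret/data/backblaze`; otherwise any namespace that creates a ServiceAccount called `backup` can read the backup repository password and the Backblaze keys. `excludeRaw: true` on both secrets is good, as it keeps the `_raw` copy of the Vault response out of the Kubernetes Secret.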

@@ -1,5 +1,8 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- gitea.yaml
- renovate.yaml
- gitea
- registry
- renovate
- ollama
- librechat

@@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- release.yaml

@@ -0,0 +1,5 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: librechat

@@ -0,0 +1,90 @@
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: bat-librechat
namespace: librechat
spec:
interval: 24h
url: https://charts.blue-atlas.de
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: librechat
namespace: librechat
spec:
interval: 30m
chart:
spec:
chart: librechat
version: 1.8.10
sourceRef:
kind: HelmRepository
name: bat-librechat
values:
global:
librechat:
existingSecretName: librechat
librechat:
configEnv:
PLUGIN_MODELS: null
ALLOW_REGISTRATION: "false"
TRUST_PROXY: "1"
DOMAIN_CLIENT: https://librechat.lumpiasty.xyz
SEARCH: "true"
existingSecretName: librechat
configYamlContent: |
version: 1.0.3
endpoints:
custom:
- name: "Ollama"
apiKey: "ollama"
baseURL: "http://ollama.ollama.svc.cluster.local:11434/v1/chat/completions"
models:
default: [
"llama2",
"mistral",
"codellama",
"dolphin-mixtral",
"mistral-openorca"
]
# fetching list of models is supported but the `name` field must start
# with `ollama` (case-insensitive), as it does in this example.
fetch: true
titleConvo: true
titleModel: "current_model"
summarize: false
summaryModel: "current_model"
forcePrompt: false
modelDisplayLabel: "Ollama"
imageVolume:
enabled: true
size: 10G
accessModes: ReadWriteOnce
storageClassName: mayastor-single-hdd
ingress:
enabled: true
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt
hosts:
- host: librechat.lumpiasty.xyz
paths:
- path: /
pathType: ImplementationSpecific
tls:
- hosts:
- librechat.lumpiasty.xyz
secretName: librechat-ingress
mongodb:
persistence:
storageClass: mayastor-single-hdd
meilisearch:
persistence:
storageClass: mayastor-single-hdd
auth:
existingMasterKeySecret: librechat
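Review bot: both `existingSecretName: librechat` entries and `meilisearch.auth.existingMasterKeySecret: librechat` reference a Secret that nothing in this diff creates (the librechat kustomization lists only `namespace.yaml` and `release.yaml`), so this release depends on a hand-made Secret while gitea, ollama and renovate in the same change get theirs from OpenBao through a `VaultStaticSecret`. Add an `apps/librechat/secret.yaml` on that pattern, or say in this file where the Secret comes from. Separately, the custom endpoint's `baseURL` points straight at `ollama.ollama.svc.cluster.local:11434`, bypassing the bearer-token proxy; that is reasonable for in-cluster traffic, but worth a comment, since anyone reading the proxy config will assume all Ollama traffic passes through it. `ALLOW_REGISTRATION: "false"` on a public host is the right default.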

@@ -0,0 +1,68 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: ollama-proxy
namespace: ollama
spec:
replicas: 1
selector:
matchLabels:
app.kubernetes.io/name: ollama-proxy
template:
metadata:
labels:
app.kubernetes.io/name: ollama-proxy
spec:
containers:
- name: caddy
image: caddy:2.10.0-alpine
imagePullPolicy: IfNotPresent
volumeMounts:
- mountPath: /etc/caddy
name: proxy-config
env:
- name: API_KEY
valueFrom:
secretKeyRef:
name: ollama-api-key
key: API_KEY
volumes:
- name: proxy-config
configMap:
name: ollama-proxy-config
---
apiVersion: v1
kind: ConfigMap
metadata:
namespace: ollama
name: ollama-proxy-config
data:
Caddyfile: |
http://ollama.lumpiasty.xyz {
@requireAuth {
not header Authorization "Bearer {env.API_KEY}"
}
respond @requireAuth "Unauthorized" 401
reverse_proxy ollama:11434 {
flush_interval -1
}
}
---
apiVersion: v1
kind: Service
metadata:
namespace: ollama
name: ollama-proxy
spec:
type: ClusterIP
selector:
app.kubernetes.io/name: ollama-proxy
ports:
- name: http
port: 80
targetPort: 80
protocol: TCP
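Review bot: the Caddyfile site block has no `log` directive, so requests rejected by `respond @requireAuth "Unauthorized" 401` leave no access log at all; add `log` inside the `http://ollama.lumpiasty.xyz` block so failed attempts against the public Ollama endpoint show up on the pod's stdout where the cluster's log collection can see them. The `not header Authorization "Bearer {env.API_KEY}"` matcher compares the whole header value exactly, which is what you want for a single shared bearer key, but note in the ConfigMap that this is one static credential shared by every client: rotation means changing the value at Vault path `ollama` and restarting the Deployment, since the key is read into the environment once at container start.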

apps/ollama/ingress.yaml Normal file

@@ -0,0 +1,28 @@
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
namespace: ollama
name: ollama
annotations:
cert-manager.io/cluster-issuer: letsencrypt
acme.cert-manager.io/http01-edit-in-place: "true"
nginx.ingress.kubernetes.io/proxy-buffering: "false"
nginx.org/proxy-read-timeout: 30m
spec:
ingressClassName: nginx
rules:
- host: ollama.lumpiasty.xyz
http:
paths:
- backend:
service:
name: ollama-proxy
port:
number: 80
path: /
pathType: Prefix
tls:
- hosts:
- ollama.lumpiasty.xyz
secretName: ollama-ingress
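Review bot: `nginx.ingress.kubernetes.io/proxy-buffering: "false"` is a kubernetes/ingress-nginx annotation, but the controller installed under infra is the F5 NGINX Ingress Controller (chart `nginx-ingress`), whose annotations use the `nginx.org/` prefix, as `nginx.org/proxy-read-timeout` on the next line does, so this annotation is silently ignored. The `config.entries.proxy-buffering: "false"` added to the controller's HelmRelease in this same diff is what actually disables buffering; drop the stale annotation, or use `nginx.org/proxy-buffering: "false"` here if you would rather scope the change to this host than to every Ingress the controller serves.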

@@ -0,0 +1,8 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- release.yaml
- secret.yaml
- auth-proxy.yaml
- ingress.yaml

@@ -0,0 +1,5 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: ollama

apps/ollama/release.yaml Normal file

@@ -0,0 +1,60 @@
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: ollama-helm
namespace: ollama
spec:
interval: 24h
url: https://otwld.github.io/ollama-helm/
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: ollama
namespace: ollama
spec:
interval: 30m
chart:
spec:
chart: ollama
version: 1.17.0
sourceRef:
kind: HelmRepository
name: ollama-helm
namespace: ollama
interval: 12h
values:
ollama:
gpu:
enabled: false
persistentVolume:
enabled: true
storageClass: mayastor-single-hdd
size: 200Gi
# GPU support
# Rewrite of options in
# https://hub.docker.com/r/grinco/ollama-amd-apu
image:
repository: grinco/ollama-amd-apu
tag: vulkan
securityContext:
# Not ideal
privileged: true
capabilities:
add:
- PERFMON
volumeMounts:
- name: kfd
mountPath: /dev/kfd
- name: dri
mountPath: /dev/dri
volumes:
- name: kfd
hostPath:
path: /dev/kfd
type: CharDevice
- name: dri
hostPath:
path: /dev/dri
type: Directory
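Review bot: `privileged: true` combined with hostPath mounts of `/dev/kfd` and `/dev/dri` gives the Ollama container root-equivalent access to the node (the `# Not ideal` comment acknowledges it), and this is the workload that is published on the internet behind a single static bearer token, so a bug in the model server or its proxy becomes a node compromise. Privilege is being used here only to get past the device cgroup so the container can open the GPU nodes; a GPU device plugin (AMD's ROCm Kubernetes device plugin exposes the card as an `amd.com/gpu` resource and injects `/dev/kfd` and `/dev/dri` into the container) achieves that without `privileged` or hostPath, after which the `PERFMON` capability is the only extra permission left to justify. If privileged has to stay for now, at least document the reason next to the comment and keep this namespace out of any shared-node scheduling.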

apps/ollama/secret.yaml Normal file

@@ -0,0 +1,38 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: ollama-proxy
namespace: ollama
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: ollama
namespace: ollama
spec:
method: kubernetes
mount: kubernetes
kubernetes:
role: ollama-proxy
serviceAccount: ollama-proxy
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: ollama-api-key
namespace: ollama
spec:
type: kv-v2
mount: secret
path: ollama
destination:
create: true
name: ollama-api-key
type: Opaque
transformation:
excludeRaw: true
vaultAuthRef: ollama

@@ -0,0 +1,40 @@
apiVersion: apps/v1
kind: Deployment
metadata:
name: registry
namespace: registry
spec:
replicas: 1
selector:
matchLabels:
app: registry
template:
metadata:
labels:
app: registry
spec:
containers:
- name: registry
image: registry:3.0.0
ports:
- containerPort: 5000
volumeMounts:
- name: data
mountPath: /var/lib/registry
volumes:
- name: data
persistentVolumeClaim:
claimName: registry-data
---
apiVersion: v1
kind: Service
metadata:
name: registry-service
namespace: registry
spec:
selector:
app: registry
ports:
- protocol: TCP
port: 80
targetPort: 5000
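Review bot: the registry runs with no authentication (no `REGISTRY_AUTH*` environment here, and the Ingress for it in this diff adds none either) while that Ingress publishes it at `registry.lumpiasty.xyz`, so anyone on the internet can push as well as pull; because the cluster pulls its own images from this registry (see the `use our own image for gpt researcher` commit), a pushed tag is code that will run in the cluster. The smallest fix is the registry's built-in htpasswd auth: set `REGISTRY_AUTH=htpasswd`, `REGISTRY_AUTH_HTPASSWD_REALM` and `REGISTRY_AUTH_HTPASSWD_PATH` and mount the htpasswd file from a Secret, ideally synced from OpenBao like the other apps in this change. The Deployment also has no `securityContext`; the registry does not need root or a writable root filesystem beyond the `/var/lib/registry` volume, so `runAsNonRoot` and `readOnlyRootFilesystem` would cost nothing.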

@@ -0,0 +1,26 @@
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
namespace: registry
name: registry
annotations:
cert-manager.io/cluster-issuer: letsencrypt
nginx.org/client-max-body-size: "0"
spec:
ingressClassName: nginx
rules:
- host: registry.lumpiasty.xyz
http:
paths:
- backend:
service:
name: registry-service
port:
number: 80
path: /
pathType: Prefix
tls:
- hosts:
- registry.lumpiasty.xyz
secretName: researcher-ingress
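Review bot: `secretName: researcher-ingress` under `tls` looks copied from the gpt-researcher Ingress; cert-manager will still issue the `registry.lumpiasty.xyz` certificate into a Secret of that name, but it is misleading to debug and collides with any other Ingress in this namespace that reuses the name. Rename it to `registry-ingress` to match the `ollama-ingress` and `librechat-ingress` convention elsewhere in this diff. `nginx.org/client-max-body-size: "0"` (no limit) is expected for layer pushes, which is one more reason this host needs authentication in front of it.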

@@ -0,0 +1,8 @@
---
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- volume.yaml
- deployment.yaml
- ingress.yaml

@@ -0,0 +1,5 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: registry

apps/registry/volume.yaml Normal file

@@ -0,0 +1,13 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: registry-data
namespace: registry
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 50Gi
storageClassName: mayastor-single-hdd

@@ -0,0 +1,11 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
namespace: renovate
name: renovate-config
data:
RENOVATE_AUTODISCOVER: "true"
RENOVATE_ENDPOINT: https://gitea.lumpiasty.xyz/api/v1
RENOVATE_PLATFORM: gitea
RENOVATE_GIT_AUTHOR: Renovate Bot <renovate@lumpiasty.xyz>
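Review bot: `RENOVATE_AUTODISCOVER: "true"` with no `RENOVATE_AUTODISCOVER_FILTER` makes Renovate act on every repository the Gitea token can reach, so the token's scope rather than this config decides which repositories get dependency PRs. Add `RENOVATE_AUTODISCOVER_FILTER` (a glob on `owner/repo`) so widening the token later does not silently enrol new repositories. Moving `RENOVATE_GIT_AUTHOR`, `RENOVATE_ENDPOINT` and `RENOVATE_PLATFORM` into a ConfigMap is right; only the token belongs in the Secret.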

@@ -1,9 +1,4 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: renovate
---
apiVersion: batch/v1
kind: CronJob
metadata:
@@ -20,8 +15,10 @@ spec:
- name: renovate
# Update this to the latest available and then enable Renovate on
# the manifest
image: renovate/renovate:39.215.2-full
image: renovate/renovate:41.15.0-full
envFrom:
- secretRef:
name: renovate-env
name: renovate-gitea-token
- configMapRef:
name: renovate-config
restartPolicy: Never
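Review bot: the comment `# Update this to the latest available and then enable Renovate on the manifest` above the `image:` line is stale; the commit list shows Renovate has been bumping this tag itself since v39.216.1, so the comment now says the opposite of what happens. Also, `envFrom` turns every key of `renovate-gitea-token` into an environment variable, so the keys stored at Vault path `renovate` must be named exactly as Renovate expects (`RENOVATE_TOKEN` for the Gitea token); that deserves a comment here, because the `VaultStaticSecret` in secret.yaml cannot show which keys it syncs.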

@@ -0,0 +1,7 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- namespace.yaml
- configmap.yaml
- secret.yaml
- cronjob.yaml

@@ -0,0 +1,5 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: renovate

apps/renovate/secret.yaml Normal file

@@ -0,0 +1,38 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: renovate
namespace: renovate
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: renovate
namespace: renovate
spec:
method: kubernetes
mount: kubernetes
kubernetes:
role: renovate
serviceAccount: renovate
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: renovate-gitea-token
namespace: renovate
spec:
type: kv-v2
mount: secret
path: renovate
destination:
create: true
name: renovate-gitea-token
type: Opaque
transformation:
excludeRaw: true
vaultAuthRef: renovate

File diff suppressed because it is too large

@@ -19,12 +19,13 @@
overlays = [ krew2nix.overlay ];
inherit system;
};
python = (pkgs.python313.withPackages (python-pkgs: with python-pkgs; [
hvac
]));
in
pkgs.mkShell {
packages = with pkgs; [
(python313.withPackages (python-pkgs: with python-pkgs; [
hvac
]))
python
vim gnumake
talosctl cilium-cli
kubectx k9s kubernetes-helm
@@ -53,6 +54,8 @@
# Add scripts from utils subdir
export PATH="$PATH:$(pwd)/utils"
export PYTHON_BIN=${python}/bin/python
'';
};
};

@@ -0,0 +1,38 @@
---
apiVersion: v1
kind: ServiceAccount
metadata:
name: ovh-credentials
namespace: cert-manager
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultAuth
metadata:
name: cert-manager
namespace: cert-manager
spec:
method: kubernetes
mount: kubernetes
kubernetes:
role: cert-manager
serviceAccount: ovh-credentials
---
apiVersion: secrets.hashicorp.com/v1beta1
kind: VaultStaticSecret
metadata:
name: webhook-ovh-credentials
namespace: cert-manager
spec:
type: kv-v2
mount: secret
path: ovh-cert-manager
destination:
create: true
name: ovh-credentials
type: Opaque
transformation:
excludeRaw: true
vaultAuthRef: cert-manager

@@ -23,7 +23,7 @@ spec:
chart:
spec:
chart: cert-manager
version: 1.17.0
version: v1.17.2
sourceRef:
kind: HelmRepository
name: cert-manager

@@ -23,7 +23,7 @@ spec:
chart:
spec:
chart: cilium
version: 1.17.2
version: 1.17.5
sourceRef:
kind: HelmRepository
name: cilium

@@ -0,0 +1,31 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: cnpg-system
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: cnpg
namespace: cnpg-system
spec:
interval: 24h
url: https://cloudnative-pg.github.io/charts
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: cnpg
namespace: cnpg-system
spec:
interval: 30m
chart:
spec:
chart: cloudnative-pg
version: 0.23.2
sourceRef:
kind: HelmRepository
name: cnpg
namespace: cnpg-system
interval: 12h

@@ -97,7 +97,7 @@ spec:
env:
- name: GOMEMLIMIT
value: 161MiB
image: registry.k8s.io/coredns/coredns:v1.12.0
image: registry.k8s.io/coredns/coredns:v1.12.2
imagePullPolicy: IfNotPresent
livenessProbe:
failureThreshold: 5

@@ -0,0 +1,32 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: external-secrets
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: external-secrets
namespace: external-secrets
spec:
interval: 24h
url: https://charts.external-secrets.io
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: external-secrets
namespace: external-secrets
spec:
interval: 30m
chart:
spec:
chart: external-secrets
version: 0.16.2
sourceRef:
kind: HelmRepository
name: external-secrets
namespace: external-secrets
interval: 12h
values:
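Review bot: the HelmRelease ends with a bare `values:` key, which YAML reads as `null`; either give it content or remove it. The larger point is that nothing in this diff creates a `SecretStore` or an `ExternalSecret`: every application secret is synced through the Vault Secrets Operator's `VaultStaticSecret` instead, so this controller is installed with cluster-wide CRDs and RBAC and nothing uses it. Pick one of the two operators and drop the other; two controllers that both manage Secrets from the same OpenBao is extra attack surface and extra credential plumbing for no gain.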

@@ -23,7 +23,7 @@ spec:
chart:
spec:
chart: k8up
version: 4.8.3
version: 4.8.4
sourceRef:
kind: HelmRepository
name: k8up-io

@@ -0,0 +1,33 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: mongodb
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: mongodb
namespace: mongodb
spec:
interval: 24h
url: https://mongodb.github.io/helm-charts
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: mongodb-operator
namespace: mongodb
spec:
interval: 30m
chart:
spec:
chart: community-operator
version: 0.13.0
sourceRef:
kind: HelmRepository
name: mongodb
namespace: mongodb
values:
operator:
watchNamespace: "*"

@@ -23,7 +23,7 @@ spec:
chart:
spec:
chart: nginx-ingress
version: 2.0.1
version: 2.1.0
sourceRef:
kind: HelmRepository
name: nginx
@@ -54,3 +54,6 @@ spec:
lbipam.cilium.io/sharing-key: gitea
lbipam.cilium.io/sharing-cross-namespace: gitea
lbipam.cilium.io/ips: 10.44.0.0,2001:470:61a3:400::1
config:
entries:
proxy-buffering: "false"

@@ -23,7 +23,7 @@ spec:
chart:
spec:
chart: openbao
version: 0.8.1
version: 0.12.0
sourceRef:
kind: HelmRepository
name: openbao

@@ -23,7 +23,7 @@ spec:
chart:
spec:
chart: openebs
version: 4.1.3
version: 4.3.2
sourceRef:
kind: HelmRepository
name: openebs
@@ -63,7 +63,7 @@ spec:
# Workaround for crashing io-engine
# https://github.com/openebs/mayastor/issues/1763#issuecomment-2481922234
envcontext: "iova-mode=pa"
coreList: [2, 3]
coreList: [1, 7]
resources:
limits:
cpu: 4
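Review bot: `coreList: [1, 7]` moves the io-engine's polling reactors onto two of the six CPUs that the Talos patch in this same diff caps at `scaling_max_freq: "550000"` (cpu0, 1, 2, 6, 7, 8). If that is deliberate, pinning the always-busy poll threads to the slowest cores to save power and heat, say so in a comment next to `coreList`, because the two settings live in different files and the next reader will otherwise take the overlap for a mistake. The `iova-mode=pa` workaround comment already links the upstream issue, which is the right pattern to follow here.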
@@ -102,6 +102,14 @@ spec:
requests:
cpu: 0
nats:
cluster:
replicas: 1
loki:
commonConfig:
replication_factor: 1
engines:
local:
lvm:

@@ -0,0 +1,35 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: vault-secrets-operator
---
apiVersion: source.toolkit.fluxcd.io/v1
kind: HelmRepository
metadata:
name: hashicorp
namespace: vault-secrets-operator
spec:
interval: 24h
url: https://helm.releases.hashicorp.com
---
apiVersion: helm.toolkit.fluxcd.io/v2
kind: HelmRelease
metadata:
name: vault-secrets-operator
namespace: vault-secrets-operator
spec:
interval: 30m
chart:
spec:
chart: vault-secrets-operator
version: 0.10.0
sourceRef:
kind: HelmRepository
name: hashicorp
namespace: vault-secrets-operator
interval: 12h
values:
defaultVaultConnection:
enabled: true
address: "https://openbao.lumpiasty.xyz:8200"

@@ -10,9 +10,14 @@ resources:
- controllers/openebs.yaml
- controllers/k8up.yaml
- controllers/openbao.yaml
- controllers/external-secrets.yaml
- controllers/vault-secrets-operator.yaml
- controllers/mongodb-operator.yaml
- controllers/cloudnative-pg.yaml
- diskpools/anapistula-delrosalae-hdd.yaml
- configs/bgp-cluster-config.yaml
- configs/loadbalancer-ippool.yaml
- configs/single-hdd-sc.yaml
- configs/mayastor-snapshotclass.yaml
- configs/openbao-cert.yaml
- configs/ovh-cert-manager-secret.yaml
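Review bot: `controllers/vault-secrets-operator.yaml` is added while `controllers/external-secrets.yaml` stays, so two secret-sync operators now run side by side; state in the commit whether this is a migration (and which one owns which Secrets) or remove the one being replaced. Also, `configs/ovh-cert-manager-secret.yaml` is not shown in this diff; given the `ovh-credentials` Kubernetes auth role and `ovh-cert-manager` policy added alongside it, confirm it is a VaultStaticSecret (or similar operator-managed object) rather than a plaintext `Secret` committed to the repo.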

16
monke/gpt-researcher.yaml Normal file
View File

@@ -0,0 +1,16 @@
---
apiVersion: v1
kind: Secret
metadata:
name: tavily
namespace: gpt-researcher
stringData:
TAVILY_API_KEY: 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
---
apiVersion: v1
kind: Secret
metadata:
name: openrouter
namespace: gpt-researcher
stringData:
OPENROUTER_API_KEY: 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
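Review bot: both `Secret` objects here put live provider credentials (`TAVILY_API_KEY`, `OPENROUTER_API_KEY`) into the repository as plaintext `stringData`; once pushed they persist in git history even after a follow-up removal, so both keys should be treated as exposed and rotated at Tavily and OpenRouter. Replace this file with a VaultStaticSecret served by the vault-secrets-operator that this same changeset installs (adding a `gpt-researcher` policy and Kubernetes auth role like the others in `vault/`), or at minimum an encrypted manifest (for example SOPS), and drop the plaintext values from the tree.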

3
pyrightconfig.json Normal file
View File

@@ -0,0 +1,3 @@
{
"allowedUntypedLibraries": ["hvac"]
}

View File

@@ -1,10 +1,14 @@
{
"$schema": "https://docs.renovatebot.com/renovate-schema.json",
"kubernetes": {
"fileMatch": ["\\.yaml$"]
"fileMatch": ["infra/.+\\.yaml$", "apps/.+\\.yaml$"]
},
"flux": {
"fileMatch": ["infra/.+\\.yaml$", "apps/.+\\.yaml$"]
"fileMatch": [
"infra/.+\\.yaml$",
"apps/.+\\.yaml$",
"gotk-components\\.ya?ml$"
]
},
"prHourlyLimit": 9
}
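Review bot: narrowing the `kubernetes` manager's `fileMatch` to `infra/` and `apps/` means manifests elsewhere (for instance the `monke/gpt-researcher.yaml` added in this same changeset) no longer receive image-tag updates from Renovate; if other directories hold workloads, add their patterns here, otherwise note the intended scope in the commit message.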

View File

@@ -1,7 +1,7 @@
machine:
network:
interfaces:
- interface: enp4s0
- interface: eno1
addresses:
- 2001:470:61a3:100::3/64
- 192.168.1.35/24
@@ -20,3 +20,11 @@ machine:
image: factory.talos.dev/installer/06deebb947b815afa53f04c450d355d3c8bc28927a387c754db1622a0a06349e:v1.9.5
extraKernelArgs:
- cpufreq.default_governor=performance
sysfs:
devices.system.cpu.cpu0.cpufreq.scaling_max_freq: "550000"
devices.system.cpu.cpu1.cpufreq.scaling_max_freq: "550000"
devices.system.cpu.cpu2.cpufreq.scaling_max_freq: "550000"
devices.system.cpu.cpu6.cpufreq.scaling_max_freq: "550000"
devices.system.cpu.cpu7.cpufreq.scaling_max_freq: "550000"
devices.system.cpu.cpu8.cpufreq.scaling_max_freq: "550000"
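Review bot: `scaling_max_freq: "550000"` is in kHz, so these six cores are capped at 550 MHz, and with `cpufreq.default_governor=performance` they will sit at that cap permanently; the intent (thermal or power) should be written down in a comment. The cap also covers `cpu1` and `cpu7`, which this changeset dedicates to the Mayastor io-engine via `isolcpus=1,7` and `coreList: [1, 7]`; if this patch targets that node, the storage engine's polling cores are the ones being throttled, so either exclude them here or confirm that is acceptable.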

View File

@@ -0,0 +1,11 @@
# CSI driver requirement
cluster:
apiServer:
admissionControl:
- name: PodSecurity
configuration:
apiVersion: pod-security.admission.config.k8s.io/v1beta1
kind: PodSecurityConfiguration
exemptions:
namespaces:
- ollama
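Review bot: an entry under `exemptions.namespaces` switches off Pod Security admission entirely (enforce, audit and warn) for everything in `ollama`, which is broader than the "CSI driver requirement" the comment describes and silently covers any future workload in that namespace; the usual way to allow privileged pods there while keeping visibility is a namespace label `pod-security.kubernetes.io/enforce: privileged` with `audit`/`warn` left at `baseline`, and if a true exemption is required, scope it to the specific `usernames` or `runtimeClasses` instead. Separately, `pod-security.admission.config.k8s.io/v1` has been available since Kubernetes 1.25, so there is no reason to pin `v1beta1` here.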

View File

@@ -16,7 +16,7 @@ machine:
- rw
install:
extraKernelArgs:
- isolcpus=2,3
- isolcpus=1,7
cluster:
apiServer:

View File

@@ -2,14 +2,15 @@
import argparse
import os
from hvac.api.system_backend import mount
import yaml
from typing import Any, cast
import hvac
from hvac.api.auth_methods import Kubernetes, kubernetes
from hvac.api.auth_methods import Kubernetes
import yaml
# Read vault/policies dir then write what is there and delete missing
def synchronize_policies(client: hvac.Client):
policies = {}
policies: dict[str, str] = {}
# Read all policies files
policy_dir = os.path.join(os.path.dirname(__file__), '../vault/policy')
for filename in os.listdir(policy_dir):
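Review bot: `from hvac.api.system_backend import mount` is not referenced anywhere in the visible hunks and looks like an editor auto-import; drop it, since pyright's default rules will not flag it and it will linger. The remaining changes (removing the unused lowercase `kubernetes` import, moving `import yaml`, annotating `policies: dict[str, str]`) are fine.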
@@ -17,7 +18,7 @@ def synchronize_policies(client: hvac.Client):
policy_name = os.path.splitext(filename)[0]
policies[policy_name] = f.read()
policies_on_vault = client.sys.list_policies()['data']['policies']
policies_on_vault: list[str] = cast(list[str], client.sys.list_policies()['data']['policies'])
# Delete policies that should not be there
for policy in policies_on_vault:
@@ -30,34 +31,41 @@ def synchronize_policies(client: hvac.Client):
print(f'Updating policy: {policy_name}')
client.sys.create_or_update_acl_policy(policy_name, policy_content)
# Read vault/kubernetes-config.yaml and write it to kubernetes auth method config
def synchronize_auth_kubernetes_config(client: hvac.Client):
config_file = os.path.join(os.path.dirname(__file__), '../vault/kubernetes-config.yaml')
with open(config_file, 'r') as f:
config = cast(dict[str, str], yaml.safe_load(f.read()))
_ = client.write_data('/auth/kubernetes/config', data=config)
# Read vault/kubernetes-roles dir then write what is there and delete missing
def synchronize_kubernetes_roles(client: hvac.Client):
kubernetes = Kubernetes(client.adapter)
policy_dir = os.path.join(os.path.dirname(__file__), '../vault/kubernetes-roles/')
roles = {}
roles: dict[str, Any] = {} # pyright:ignore[reportExplicitAny]
for filename in os.listdir(policy_dir):
with open(os.path.join(policy_dir, filename), 'r') as f:
role_name = os.path.splitext(filename)[0]
roles[role_name] = yaml.safe_load(f.read())
roles_on_vault = []
roles_on_vault: list[str] = []
try:
roles_on_vault = kubernetes.list_roles()['keys']
except hvac.exceptions.InvalidPath:
roles_on_vault = cast(list[str], kubernetes.list_roles()['keys'])
except hvac.exceptions.InvalidPath: # pyright:ignore[reportAttributeAccessIssue, reportUnknownMemberType]
print("No roles found on server!")
for role in roles_on_vault:
if role not in roles_on_vault:
if role not in roles:
print(f'Deleting role: {role}')
kubernetes.delete_role(role)
for role_name, role_content in roles.items():
for role_name, role_content in roles.items(): # pyright:ignore[reportAny]
print(f'Updating role: {role_name}')
# Using write data instead of kubernetes.create_role, we can pass raw yaml
client.write_data(f'/auth/kubernetes/role/{role_name}', data=role_content)
_ = client.write_data(f'/auth/kubernetes/role/{role_name}', data=role_content) # pyright:ignore[reportAny]
if __name__ == '__main__':
parser = argparse.ArgumentParser(
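Review bot: the change from `if role not in roles_on_vault` to `if role not in roles` is a real bug fix, not a typing tidy-up: the old condition iterated `roles_on_vault` and tested membership in the same list, so it was always false and stale roles were never deleted from the server; call that out in the commit message so the behavioural change (roles absent from `vault/kubernetes-roles/` are now removed) is visible to anyone reading history. In `synchronize_auth_kubernetes_config`, `client.write_data('/auth/kubernetes/config', ...)` replaces the whole config with whatever keys are in the YAML, which is the desired declarative behaviour, but since the `cast(dict[str, str], ...)` only satisfies the type checker, consider a check that `kubernetes_host` is present before writing so a malformed file cannot wipe the auth config.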
@@ -71,5 +79,8 @@ if __name__ == '__main__':
print('Synchronizing policies')
synchronize_policies(client)
print('Synchronizing kubernetes config')
synchronize_auth_kubernetes_config(client)
print('Synchronizing kubernetes roles')
synchronize_kubernetes_roles(client)

View File

@@ -0,0 +1 @@
kubernetes_host: https://10.43.0.1:443
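Review bot: with only `kubernetes_host` set (no `kubernetes_ca_cert`, no `token_reviewer_jwt`), the Kubernetes auth method falls back to the OpenBao pod's own mounted service-account token and CA bundle for TokenReview calls, which works in-cluster (the host is the `10.43.0.1` API service) but requires the OpenBao service account to hold the `system:auth-delegator` ClusterRole; worth a one-line comment in this file so the dependency is not lost when the Helm values change.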

View File

@@ -0,0 +1,6 @@
bound_service_account_names:
- backup
bound_service_account_namespaces:
- gitea
token_policies:
- backup
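Review bot: the role binds one service account in one namespace to one policy, which is the right granularity, but none of the four role files (`backup`, `ovh-credentials`, `ollama`, `renovate`) set `token_ttl` / `token_max_ttl`, so issued tokens inherit the server default; since every consumer here is an in-cluster workload that can re-authenticate with its projected token, set a short TTL (and `token_max_ttl`) explicitly in each role so a leaked token has a bounded lifetime.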

View File

@@ -0,0 +1,6 @@
bound_service_account_names:
- ovh-credentials
bound_service_account_namespaces:
- cert-manager
token_policies:
- ovh-credentials

View File

@@ -0,0 +1,6 @@
bound_service_account_names:
- ollama-proxy
bound_service_account_namespaces:
- ollama
token_policies:
- ollama

View File

@@ -0,0 +1,6 @@
bound_service_account_names:
- renovate
bound_service_account_namespaces:
- renovate
token_policies:
- renovate

7
vault/policy/backup.hcl Normal file
View File

@@ -0,0 +1,7 @@
path "secret/data/restic" {
capabilities = ["read"]
}
path "secret/data/backblaze" {
capabilities = ["read"]
}

3
vault/policy/ollama.hcl Normal file
View File

@@ -0,0 +1,3 @@
path "secret/data/ollama" {
capabilities = ["read"]
}

View File

@@ -0,0 +1,3 @@
path "secret/data/ovh-cert-manager" {
capabilities = ["read"]
}

View File

@@ -0,0 +1,3 @@
path "secret/data/renovate" {
capabilities = ["read"]
}