Commit Graph

77 Commits

Author SHA1 Message Date
Jan Novak
96ba77a606 docker-30: gitea CI/CD integration with Vault and Kanidm, misc updates
vault:
- Add JWT auth backend bound to Gitea (jwks_url from gitea OIDC keys)
- Add gitea-ci-read policy scoped to secret/data/gitea/*
- Add JWT role gitea-ci (sub claim, bound to Gitea audience, 10m TTL)
- Add AppRole gitea-ci as alternative auth method for the same policy
- Add gitea-access-into-vault.md documenting the setup end-to-end
- Update terraform.tfstate (OpenTofu 1.11.5, new gitea-ci resources)

kanidm:
- Add run.sh with docker run command (pinned to v1.9.1)
- Add gitea-action-kubernetes-access.md documenting how to set up
  a Kanidm service account and OAuth2 client for Gitea CI k8s access
- readme: add upgrade procedure, recover-account command, and
  service account + API token setup for gitea-ci-token

maru-hleda-byt:
- Add --restart=always to docker run command

fuj-management:
- Add run.sh (new service config)

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-07 23:09:52 +01:00
Jan Novak
dda6a9d032 vms: add monitoring stack and node-exporter for docker host
utility-101-shadow:
- Add full monitoring stack (Prometheus + Blackbox Exporter + Alertmanager)
  with Docker Compose and a systemd unit (monitoring.service)
- Prometheus scrapes: itself, blackbox-exporter, and node-exporter on
  the docker host (docker:9100); blackbox probes cover HTTPS endpoints
  with TLS cert monitoring
- Alertmanager routes warnings to Slack/Discord, critical alerts also
  to email (Gmail SMTP); inhibit rule suppresses SSLCertExpiringSoon
  when SSLCertExpired already fires
- Alert rules: 11 node-exporter alerts (host down, CPU, memory, disk
  fill/prediction, iowait, OOM kill, systemd failed units) + 3 blackbox
  alerts (probe failed, SSL expiring, SSL expired)
- readme: add services list and Docker Engine installation steps

docker host:
- Add node-exporter container running with host pid/network and
  read-only mounts of /proc, /sys, / for full host metrics visibility
- Enable --collector.systemd for systemd unit state metrics
- Add systemd unit (node-exporter.service) to manage the container

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-03-07 23:07:44 +01:00
Jan Novak
1b6015f732 gitops: fix kustomization: 00-rbac 2026-03-01 14:39:36 +01:00
Jan Novak
9877b093e8 gitops: add rbac kustomization + store some forgotten older changes in repo 2026-03-01 14:33:56 +01:00
Jan Novak
0eab64c954 hosting: some config files for host: shadow, some named conf for utility-101-shadow vm 2026-02-20 02:16:16 +01:00
Jan Novak
be362a5ab7 gitops/cilium: configure gateway and wildcard certificate it needs 2026-02-20 02:15:02 +01:00
Jan Novak
bb9f2ae3ce docker-30: several new and forgotten config files relevant to services running in docker 2026-02-20 02:13:55 +01:00
Jan Novak
dc947165a4 gitops/ghost: add httproute resource aka gatewayApi instead of ingress 2026-02-20 02:13:09 +01:00
Jan Novak
1cd7625220 gitops/cert-manager: add dns challenger cluster issuer, add deployment/service with socat proxy that works around my internet provider's meddling into dns traffic on port 53. 2026-02-20 02:11:50 +01:00
Jan Novak
409f8247e6 gitops/cert-manager: enable Gateway API support
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-19 01:43:04 +01:00
Jan Novak
8608696909 gitops/cilium: fix gateway.yaml indentation
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-19 01:04:18 +01:00
Jan Novak
6454c893cb gitops/cilium: move gateway listeners from helm values to Gateway resource
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-19 01:02:14 +01:00
Jan Novak
b2daa822a6 gitops/cilium: configure gateway listeners and allow routes from all namespaces
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-19 00:51:37 +01:00
Jan Novak
8ae7b086a5 gitops/00-crds: add Gateway API v1.2.0 CRDs for Cilium gateway support
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-17 12:17:46 +01:00
Jan Novak
4b7ed6085b gitops/cilium: enable Gateway API and add HTTPRoute for ghost
Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
2026-02-17 11:55:49 +01:00
Jan Novak
0d97a796e9 gitops/velero: add manifests and runbook - kustomization is yet to be created 2026-01-17 00:07:03 +01:00
Jan Novak
b9f99c2950 gitops/plane: fix issuer on ingress 2026-01-16 13:21:15 +01:00
Jan Novak
a20ae55b8f gitops/cilium: specify which interfaces it handles to not clash with tailscaled 2026-01-15 01:24:49 +01:00
Jan Novak
36f447c39c gitops: assorted leftovers and fixes 2026-01-14 14:49:54 +01:00
Jan Novak
76e3ff9d03 kubernetes/terraform: several updates 2026-01-14 14:49:19 +01:00
Jan Novak
90a44bd59f vault: deployment manifest, some docs, backup script - expected to run on docker host 2026-01-14 14:48:09 +01:00
Jan Novak
b5e1f4b737 gitops/external-secrets: change roleid 2026-01-13 10:28:43 +01:00
Jan Novak
099734fb6b gitops/ghost: prepare initial deployment with secrets in vault 2026-01-08 10:40:13 +01:00
Jan Novak
b081e947f5 gitops/plane: remove doc_upload_size_limit which seems to be causing crashes 2026-01-07 22:42:26 +01:00
Jan Novak
d908e788af gitops/external-secrets: fix cloudsecretstore location where to look for approle secret_id 2026-01-07 22:16:13 +01:00
Jan Novak
81f2e754ed gitops/external-secrets: set deployment replicas to 1 and add cloudsecretstore 2026-01-07 22:05:31 +01:00
Jan Novak
a3a6ef79fe gitops/external-secrets: do not use outdated api version of secretstore 2026-01-07 20:19:34 +01:00
Jan Novak
52089bc1b4 gitops: fix external secrets CRDs helm release 2026-01-07 20:02:57 +01:00
Jan Novak
a3c8cc9e47 gitops: move external-secrets helmrepo to 00-crds 2026-01-07 19:54:24 +01:00
Jan Novak
b6f775fd2b gitops/external-secrets: deploy CRDs first in another kustomization 2026-01-07 19:52:16 +01:00
Jan Novak
ed14d74738 gitops/external-secrets: add helmrelease + some coredns config for vault resolving 2026-01-07 19:43:39 +01:00
Jan Novak
060a24437b gitops/plane: fix ingress 2026-01-06 10:57:11 +01:00
Jan Novak
c8011579c9 gitops: fix grafana ingress 2026-01-06 10:39:52 +01:00
Jan Novak
5bfc1f5fe5 gitops: add kube-prometheus 2026-01-06 09:57:26 +01:00
Jan Novak
7be7e0871c gitops: fix oauth kustomization 2026-01-05 22:21:12 +01:00
Jan Novak
437c94f2e1 gitops: add oauth-proxy + some changes in plane helmrelease 2026-01-05 22:19:31 +01:00
Jan Novak
edd945b709 gitops/plane: use app version v1.2.1 2026-01-05 11:48:57 +01:00
Jan Novak
1e9e981642 gitops/plane: use existing version of helm chart 2026-01-05 11:44:20 +01:00
Jan Novak
e4bc0424a7 gitops: add plane kustomization 2026-01-05 11:34:46 +01:00
Jan Novak
1096c7b603 gitops: plane - project management 2026-01-05 11:32:55 +01:00
Jan Novak
d3697c8132 terraform: extend kubernetes a little bit 2026-01-02 23:17:43 +01:00
Jan Novak
bdf82c7e49 gitops: cert-manager (semi manual deployment / incomplete) 2026-01-02 23:16:41 +01:00
Jan Novak
777772019c docker-30: kanidm deployment 2026-01-02 23:15:30 +01:00
Jan Novak
0e72629197 gitops: add cert-manager 2026-01-01 23:10:56 +01:00
Jan Novak
01fe056584 gitops/cilium: configure l2 ip address announcement for external loadbalancer ips 2026-01-01 20:21:37 +01:00
Jan Novak
6447e39163 gitops/podinfo: remove values.yaml 2025-12-30 23:37:37 +01:00
Jan Novak
dd9a90e8b2 gitops: add podinfo kustomization, remove everything related to kuard which has no available image anyway 2025-12-30 23:36:01 +01:00
Jan Novak
817a3c8335 gitops: add podinfo deployment 2025-12-30 23:33:27 +01:00
Jan Novak
d275ec09a4 gitops: fix repo path for home-kubernetes and kuard image version 2025-12-30 23:22:58 +01:00
Flux
f3c1e5c635 Add Flux v2.7.5 component manifests 2025-12-30 23:16:55 +01:00