add further payloads

soerenschneider · soerenschneider · commit f307a660f162 · 2025-08-26T20:42:03.000+02:00
diff --git a/clusters/argo-svc.dd.soeren.cloud/applicationset-apps.yaml b/clusters/argo-svc.dd.soeren.cloud/applicationset-apps.yaml
diff --git a/clusters/argo-svc.dd.soeren.cloud/applicationset-infra.yaml b/clusters/argo-svc.dd.soeren.cloud/applicationset-infra.yaml
diff --git a/clusters/argo-svc.dd.soeren.cloud/apps/acmevault/kustomization.yaml b/clusters/argo-svc.dd.soeren.cloud/apps/acmevault/kustomization.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: acmevault
+resources:
+  - namespace.yaml
+  - ../../../common/acmevault
+patches:
+  - target:
+      kind: Deployment
+      name: acmevault
+    patch: |-
+      - op: add
+        path: /spec/template/spec/containers/0/env/-
+        value:
+          name: ACMEVAULT_VAULT_K8S_MOUNT
+          value: svc.dd.soeren.cloud
diff --git a/clusters/argo-svc.dd.soeren.cloud/apps/acmevault/namespace.yaml b/clusters/argo-svc.dd.soeren.cloud/apps/acmevault/namespace.yaml
@@ -0,0 +1,7 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+  name: acmevault
+  labels:
+    name: acmevault
diff --git a/clusters/argo-svc.dd.soeren.cloud/apps/hermes/external-secret-hermes.yaml b/clusters/argo-svc.dd.soeren.cloud/apps/hermes/external-secret-hermes.yaml
@@ -0,0 +1,18 @@
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: hermes-tokens
+spec:
+  refreshInterval: 12h
+  secretStoreRef:
+    name: "vault"
+    kind: "ClusterSecretStore"
+  target:
+    name: "hermes-tokens"
+    creationPolicy: "Owner"
+  data:
+    - secretKey: "gotify"
+      remoteRef:
+        key: "secret/soeren.cloud/env/prod/hermes"
+        property: "gotify"
diff --git a/clusters/argo-svc.dd.soeren.cloud/apps/hermes/hermes-config.yaml b/clusters/argo-svc.dd.soeren.cloud/apps/hermes/hermes-config.yaml
@@ -0,0 +1,21 @@
+---
+http:
+  address: "0.0.0.0:8080"
+metrics_addr: "0.0.0.0:9223"
+events_impl: [http]
+
+db:
+  type: sqlite
+  name: "/data/sqlite.db"
+
+awtrix:
+  - uri: "awtrix-office"
+    addr: "http://awtrix-office.dd.soeren.cloud"
+  - uri: "awtrix-livingroom"
+    addr: "http://awtrix-livingroom.dd.soeren.cloud"
+
+dead_letter_queue: "gotify"
+gotify:
+  - uri: "gotify"
+    token_file: "/etc/hermes/gotify"
+    addr: "http://gotify.gotify"
diff --git a/clusters/argo-svc.dd.soeren.cloud/apps/hermes/kustomization.yaml b/clusters/argo-svc.dd.soeren.cloud/apps/hermes/kustomization.yaml
@@ -0,0 +1,25 @@
+---
+apiVersion: "kustomize.config.k8s.io/v1beta1"
+kind: "Kustomization"
+namespace: "hermes"
+components:
+  - "../../../../apps/hermes/components/istio"
+  - "../../../../apps/hermes/components/secret"
+  - "../../../../apps/hermes/components/pvc"
+resources:
+  - "namespace.yaml"
+  - "external-secret-hermes.yaml"
+  - "../../../../apps/hermes"
+configMapGenerator:
+  - name: "hermes-config"
+    files:
+      - "hermes-config.yaml"
+patches:
+  - target:
+      kind: "VirtualService"
+      name: "hermes"
+    patch: |-
+      - op: "replace"
+        path: "/spec/hosts"
+        value:
+          - "hermes.svc.dd.soeren.cloud"
diff --git a/clusters/argo-svc.dd.soeren.cloud/apps/hermes/namespace.yaml b/clusters/argo-svc.dd.soeren.cloud/apps/hermes/namespace.yaml
@@ -0,0 +1,9 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+  name: hermes
+  labels:
+    name: hermes
+    pod-security.kubernetes.io/enforce: baseline
+    pod-security.kubernetes.io/enforce-version: latest
diff --git a/clusters/argo-svc.dd.soeren.cloud/apps/microbin/external-secret-microbin.yaml b/clusters/argo-svc.dd.soeren.cloud/apps/microbin/external-secret-microbin.yaml
@@ -0,0 +1,22 @@
+---
+apiVersion: "external-secrets.io/v1"
+kind: "ExternalSecret"
+metadata:
+  name: "microbin"
+spec:
+  refreshInterval: "1h"
+  secretStoreRef:
+    name: "vault"
+    kind: "ClusterSecretStore"
+  target:
+    name: "microbin"
+    creationPolicy: "Owner"
+  data:
+    - secretKey: "MICROBIN_ADMIN_USERNAME"
+      remoteRef:
+        key: "secret/soeren.cloud/env/prod/microbin"
+        property: "MICROBIN_ADMIN_USERNAME"
+    - secretKey: "MICROBIN_ADMIN_PASSWORD"
+      remoteRef:
+        key: "secret/soeren.cloud/env/prod/microbin"
+        property: "MICROBIN_ADMIN_PASSWORD"
diff --git a/clusters/argo-svc.dd.soeren.cloud/apps/microbin/kustomization.yaml b/clusters/argo-svc.dd.soeren.cloud/apps/microbin/kustomization.yaml
@@ -0,0 +1,25 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: microbin
+resources:
+  - namespace.yaml
+  - external-secret-microbin.yaml
+  - ../../../../apps/microbin
+components:
+  - ../../../../apps/microbin/components/istio
+  - ../../../../apps/microbin/components/pvc
+patches:
+  - target:
+      kind: VirtualService
+      name: microbin
+    patch: |-
+      - op: replace
+        path: /spec/hosts
+        value:
+          - microbin.svc.dd.soeren.cloud
+configMapGenerator:
+  - name: microbin-config
+    behavior: merge
+    literals:
+      - MICROBIN_PUBLIC_PATH=https://microbin.svc.dd.soeren.cloud
diff --git a/clusters/argo-svc.dd.soeren.cloud/apps/microbin/namespace.yaml b/clusters/argo-svc.dd.soeren.cloud/apps/microbin/namespace.yaml
@@ -0,0 +1,7 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+  name: microbin
+  labels:
+    name: microbin
diff --git a/clusters/argo-svc.dd.soeren.cloud/apps/miniflux/external-secret-miniflux-postgres-restic.yaml b/clusters/argo-svc.dd.soeren.cloud/apps/miniflux/external-secret-miniflux-postgres-restic.yaml
@@ -0,0 +1,34 @@
+---
+apiVersion: "external-secrets.io/v1"
+kind: "ExternalSecret"
+metadata:
+  name: "miniflux-restic-postgres"
+spec:
+  refreshInterval: "1h"
+  secretStoreRef:
+    name: "vault"
+    kind: "ClusterSecretStore"
+  target:
+    name: "miniflux-restic-postgres"
+    creationPolicy: "Owner"
+  data:
+    - secretKey: "AWS_ACCESS_KEY_ID"
+      remoteRef:
+        key: "secret/soeren.cloud/env/prod/restic/miniflux/aws-credentials"
+        property: "AWS_ACCESS_KEY_ID"
+    - secretKey: "AWS_SECRET_ACCESS_KEY"
+      remoteRef:
+        key: "secret/soeren.cloud/env/prod/restic/miniflux/aws-credentials"
+        property: "AWS_SECRET_ACCESS_KEY"
+    - secretKey: "RESTIC_PASSWORD"
+      remoteRef:
+        key: "secret/soeren.cloud/env/prod/restic/miniflux/restic"
+        property: "pass"
+    - secretKey: "POSTGRES_USER"
+      remoteRef:
+        key: "secret/soeren.cloud/env/prod/miniflux-postgres"
+        property: "POSTGRES_USER"
+    - secretKey: "POSTGRES_PASSWORD"
+      remoteRef:
+        key: "secret/soeren.cloud/env/prod/miniflux-postgres"
+        property: "POSTGRES_PASSWORD"
diff --git a/clusters/argo-svc.dd.soeren.cloud/apps/miniflux/external-secret-miniflux-postgres.yaml b/clusters/argo-svc.dd.soeren.cloud/apps/miniflux/external-secret-miniflux-postgres.yaml
@@ -0,0 +1,22 @@
+---
+apiVersion: "external-secrets.io/v1"
+kind: "ExternalSecret"
+metadata:
+  name: "miniflux-postgres"
+spec:
+  refreshInterval: "12h"
+  secretStoreRef:
+    name: "vault"
+    kind: "ClusterSecretStore"
+  target:
+    name: "miniflux-postgres"
+    creationPolicy: "Owner"
+  data:
+    - secretKey: "POSTGRES_USER"
+      remoteRef:
+        key: "secret/soeren.cloud/env/prod/miniflux-postgres"
+        property: "POSTGRES_USER"
+    - secretKey: "POSTGRES_PASSWORD"
+      remoteRef:
+        key: "secret/soeren.cloud/env/prod/miniflux-postgres"
+        property: "POSTGRES_PASSWORD"
diff --git a/clusters/argo-svc.dd.soeren.cloud/apps/miniflux/external-secret-miniflux.yaml b/clusters/argo-svc.dd.soeren.cloud/apps/miniflux/external-secret-miniflux.yaml
@@ -0,0 +1,35 @@
+---
+apiVersion: "external-secrets.io/v1"
+kind: "ExternalSecret"
+metadata:
+  name: "miniflux"
+spec:
+  refreshInterval: 12h
+  secretStoreRef:
+    name: "vault"
+    kind: "ClusterSecretStore"
+  target:
+    name: "miniflux"
+    template:
+      engineVersion: v2
+      data:
+        DATABASE_URL: "postgres://{{ .POSTGRES_USER }}:{{ .POSTGRES_PASSWORD }}@postgres/miniflux?sslmode=disable"
+        ADMIN_USERNAME: "{{ .ADMIN_USERNAME }}"
+        ADMIN_PASSWORD: "{{ .ADMIN_PASSWORD }}"
+  data:
+    - secretKey: "POSTGRES_USER"
+      remoteRef:
+        key: "secret/soeren.cloud/env/prod/miniflux-postgres"
+        property: "POSTGRES_USER"
+    - secretKey: "POSTGRES_PASSWORD"
+      remoteRef:
+        key: "secret/soeren.cloud/env/prod/miniflux-postgres"
+        property: "POSTGRES_PASSWORD"
+    - secretKey: "ADMIN_USERNAME"
+      remoteRef:
+        key: "secret/soeren.cloud/env/prod/miniflux"
+        property: "ADMIN_USERNAME"
+    - secretKey: "ADMIN_PASSWORD"
+      remoteRef:
+        key: "secret/soeren.cloud/env/prod/miniflux"
+        property: "ADMIN_PASSWORD"
diff --git a/clusters/argo-svc.dd.soeren.cloud/apps/miniflux/kustomization.yaml b/clusters/argo-svc.dd.soeren.cloud/apps/miniflux/kustomization.yaml
@@ -0,0 +1,37 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: miniflux
+resources:
+  - namespace.yaml
+  - external-secret-miniflux.yaml
+  - external-secret-miniflux-postgres.yaml
+  - external-secret-miniflux-postgres-restic.yaml
+  - ../../../../apps/miniflux
+components:
+  - ../../../../apps/miniflux/components/istio
+  - ../../../../apps/miniflux/components/postgres
+  - ../../../../apps/miniflux/components/postgres-pvc
+  - ../../../../apps/miniflux/components/restic-postgres
+patches:
+  - target:
+      kind: "VirtualService"
+      name: "miniflux"
+    patch: |-
+      - op: replace
+        path: /spec/hosts
+        value:
+          - miniflux.svc.dd.soeren.cloud
+configMapGenerator:
+  - name: miniflux
+    behavior: merge
+    literals:
+      - CREATE_ADMIN=1
+  - name: miniflux-restic-postgres
+    literals:
+      - "RETENTION_DAYS=7"
+      - "RETENTION_WEEKS=4"
+      - "RETENTION_MONTHS=6"
+      - RESTIC_REPOSITORY=s3:https://s3.amazonaws.com/soerenschneider-restic-prod/miniflux
+      - RESTIC_BACKUP_ID=miniflux
+      - POSTGRES_HOST=postgres
diff --git a/clusters/argo-svc.dd.soeren.cloud/apps/miniflux/namespace.yaml b/clusters/argo-svc.dd.soeren.cloud/apps/miniflux/namespace.yaml
@@ -0,0 +1,7 @@
+---
+kind: Namespace
+apiVersion: v1
+metadata:
+  name: miniflux
+  labels:
+    name: miniflux
diff --git a/clusters/argo-svc.dd.soeren.cloud/apps/privatebin/kustomization.yaml b/clusters/argo-svc.dd.soeren.cloud/apps/privatebin/kustomization.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: "kustomize.config.k8s.io/v1beta1"
+kind: "Kustomization"
+namespace: "privatebin"
+resources:
+  - "namespace.yaml"
+  - "../../../../apps/privatebin"
+components:
+  - "../../../../apps/privatebin/components/istio"
+  - "../../../../apps/privatebin/components/istio-proxy"
+patches:
+  - target:
+      kind: "VirtualService"
+      name: "privatebin"
+    patch: |-
+      - op: "replace"
+        path: "/spec/hosts"
+        value:
+          - "privatebin.svc.dd.soeren.cloud"
diff --git a/clusters/argo-svc.dd.soeren.cloud/apps/privatebin/namespace.yaml b/clusters/argo-svc.dd.soeren.cloud/apps/privatebin/namespace.yaml
@@ -0,0 +1,7 @@
+---
+kind: "Namespace"
+apiVersion: "v1"
+metadata:
+  name: "privatebin"
+  labels:
+    name: "privatebin"
diff --git a/clusters/argo-svc.dd.soeren.cloud/apps/renovatebot/kustomization.yaml b/clusters/argo-svc.dd.soeren.cloud/apps/renovatebot/kustomization.yaml
@@ -0,0 +1,28 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: renovate
+resources:
+  - ../../../common/renovatebot
+  - renovate-external-secret.yaml
+patches:
+  - target:
+      kind: CronJob
+      name: renovate-github
+    patch: |-
+      - op: add
+        path: /spec/timeZone
+        value: "Europe/Berlin"
+      - op: replace
+        path: /spec/schedule
+        value: "0 6 * * 1-5"
+  - target:
+      kind: CronJob
+      name: renovate-gitlab
+    patch: |-
+      - op: add
+        path: /spec/timeZone
+        value: "Europe/Berlin"
+      - op: replace
+        path: /spec/schedule
+        value: "0 6 * * 1-5"
diff --git a/clusters/argo-svc.dd.soeren.cloud/apps/renovatebot/renovate-external-secret.yaml b/clusters/argo-svc.dd.soeren.cloud/apps/renovatebot/renovate-external-secret.yaml
@@ -0,0 +1,26 @@
+---
+apiVersion: external-secrets.io/v1
+kind: ExternalSecret
+metadata:
+  name: renovatebot
+spec:
+  refreshInterval: 1h
+  secretStoreRef:
+    name: vault
+    kind: ClusterSecretStore
+  target:
+    name: tokens
+    creationPolicy: Owner
+  data:
+    - secretKey: RENOVATE_HOST_RULES
+      remoteRef:
+        key: "secret/soeren.cloud/env/prod/renovatebot"
+        property: HOST_RULES
+    - secretKey: github-token
+      remoteRef:
+        key: "secret/soeren.cloud/env/prod/renovatebot"
+        property: github-token
+    - secretKey: gitlab-token
+      remoteRef:
+        key: "secret/soeren.cloud/env/prod/renovatebot"
+        property: gitlab-token
diff --git a/clusters/argo-svc.dd.soeren.cloud/k8s-infra/vault-backup/kustomization.yaml b/clusters/argo-svc.dd.soeren.cloud/k8s-infra/vault-backup/kustomization.yaml
@@ -0,0 +1,13 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ../../../common/vault-backup
+namespace: vault-backup
+configMapGenerator:
+  - name: vault-backup
+    options:
+      disableNameSuffixHash: true
+    behavior: merge
+    literals:
+      - VAULT_LOGIN_AUTH_MOUNT=svc.dd.soeren.cloud
diff --git a/clusters/argo-svc.dd.soeren.cloud/kustomization.yaml b/clusters/argo-svc.dd.soeren.cloud/kustomization.yaml
