diff --git a/.gitignore b/.gitignore
index 6725bac..d1cdd50 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,3 +1,3 @@
 secrets.yaml
-infra/tailscale.patch.yaml
+infra/*/tailscale.patch.yaml
 .DS_Store
diff --git a/.sops.yaml b/.sops.yaml
new file mode 100644
index 0000000..c12e37f
--- /dev/null
+++ b/.sops.yaml
@@ -0,0 +1,3 @@
+creation_rules:
+ - age: >-
+ age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw
diff --git a/apps/README.md b/apps/README.md
new file mode 100644
index 0000000..e69de29
diff --git a/apps/autoupdate-teable-figurines-currencies/secrets.sops.yaml b/apps/autoupdate-teable-figurines-currencies/secrets.sops.yaml
index aeb29a7..2624a68 100644
--- a/apps/autoupdate-teable-figurines-currencies/secrets.sops.yaml
+++ b/apps/autoupdate-teable-figurines-currencies/secrets.sops.yaml
@@ -4,20 +4,20 @@ metadata: name: autoupdate-teable-figurines-currencies-secret type: Opaque data: - RATES_EXCHANGE_APIKEY: ENC[AES256_GCM,data:mQ7j0QNtmPRKEbs0/1Gyha1d4dQSVs2TwheGiQu0LPoAeYLe1gyzSGGS+/SF8lKl,iv:42LINaSLOptLq2/NrqR+c40t7wMWj90PaMVp74GbakY=,tag:7/WuSXVH9AZbveiaSjN1ig==,type:str] - TEABLE_APIKEY: ENC[AES256_GCM,data:iuHX8DJIgb7k4+e3AHjDDnyx1PRMa1IAKBzBBIln8nT6CzWgZHXCheb3Bz6rJUTUutvOEXgSWBRffkJZ3kjayifAmEXHLxMQtrKqfa3dm0ghJQCqCZaewL9vN2VAe3D2,iv:WojW3eQYAaKK6h5m9+7kUgJRcotYEqaDbfDva/Cwc08=,tag:HkzwC3d5Ndv5FoXVJZMmYw==,type:str] + RATES_EXCHANGE_APIKEY: ENC[AES256_GCM,data:mV++90/V9p43Q4+RAfCjPC4i4Lop1dJ6IAkAi9iggf9mHz+g5q8qL5zN4ypR8k4w,iv:D68wPyFZV8FbDrsnsY+KYm351hq6e+yCq6UNxaxEAk0=,tag:5/EPNLdyLI1cGaIVqNGsdQ==,type:str] + TEABLE_APIKEY: ENC[AES256_GCM,data:qubq7DX6l91oqgojqme3m0BIIEfzfdBIAY1uBS+K0slXqzNRLPvlLouZgH7VFc6+69aeoPhIlAyU+/kuSlYhUH5x529L+CzsSMpsk1OxQrAcxaZz4mCnSBIAKn1aTsmt,iv:EoS2nz7QufRtIot8OyjkLvXLaKvouh+xU9rEm5/MhMQ=,tag:BG7xwy5sV2Eaf84OKHwOkw==,type:str] sops: age: - recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAramZZVEV3TEhyUmErZDNZ - RlR0Mm44WThoMEZqd2dYUWVXRS9qNjJKZ2swCjd0ZXhLUkVHUkNvcjlIU21Kd0h1 - SUNyeSt1bWtVTkwwT054aTVXUzhzZHcKLS0tIFY4dGdUZ1VRWkZZSUNJOU1RbGx4 - d09XVFVKY1dNcVdldCtSUUxYZUtXd0kKynbS+MZUw0fWcQ5HbiiOnf0NajSD4mQ0 - QhcFWaadsR5LZjdxTfS1XFcbVGa2H8E3FtQvksz7lGwLsU0xqMRGzw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBbnJqTkRUSDFaQTBwZEdQ + ZkE3WG5JeS85M2NlSFFidGhGTzlwcmdCU3pzCmhvVkh6UGlOZzNDSFFPNm1OVG44 + Q1VUeG1ML3k5UWZ1eE1CbVBQNC81MnMKLS0tIENNTmxpZlFuNlhVdWw3Ui9RZm1E + Mkl5OFdORE9Va0E1TXVrNE9HUDJ0NGcKYapn7Ts31w8hLoavGPWrMkcrCIYn0QD9 + zuLnkKygt28TECslnafjRKA4UmcJbRlhspc+5BcynIeYgIKppAk7ow== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-05-29T22:38:31Z" - mac: 
ENC[AES256_GCM,data:cVxy/FkFJnxjzygwf0KdBNvF13nKk8wOjiMSaAtkXcrYPQshu5dONx/2pkG0HjifVKIZvATu/3G7nhcb7pX5+t03QOPkqmoHSowxejMB7w5eX24MALhzAMze/5nlnRQMLA5ZQ+3lG1SNsUXAXlWrlNAS4FKYvIjsvFRA0OTH95s=,iv:NdE7v3ysPuyACIFgquSwZN4AXhFr9Pv9k0PkqAEsVxc=,tag:zM4ga1oK7OpW+ppiS0/HTg==,type:str] + lastmodified: "2025-07-16T14:35:28Z" + mac: ENC[AES256_GCM,data:QWDNIc/xxmWoQin4FL2NdGcxvzEWCyVifHTVBfYXTKbokKOiLtcHt7DkPtXle3QyZsl9lsqmQbJ6XNpDHcvuP2SCZzvE3kHNMcl1UTlfMBaqzobRn6FymYQ/jO95WiHPDqL/SFIbWbJQKtKTr8zS497/1723yvU6NPRS9ibF9FQ=,iv:08BTWnmlCHpfFJg/7Yk4jSwfYS118rTqKicQ6t6dTG4=,tag:cBtCVKsUeCzdgqHQIVCo0Q==,type:str] encrypted_regex: ^(data|stringData)$ version: 3.10.2 diff --git a/apps/individual/import.yaml b/apps/individual/import.yaml index 03c7564..5a7587b 100644 --- a/apps/individual/import.yaml +++ b/apps/individual/import.yaml @@ -15,7 +15,12 @@ spec: volumeMounts: - name: data mountPath: "/data" + # - name: olddata + # mountPath: "/olddata" volumes: - name: data persistentVolumeClaim: - claimName: technitium-data-pvc \ No newline at end of file + claimName: znc-pvc + # - name: olddata + # persistentVolumeClaim: + # claimName: gitea-pvc diff --git a/apps/kakigoori/local_settings.sops.py b/apps/kakigoori/local_settings.sops.py deleted file mode 100644 index fde807f..0000000 --- a/apps/kakigoori/local_settings.sops.py +++ /dev/null 
@@ -1,15 +0,0 @@ -{ - "data": "ENC[AES256_GCM,data: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,iv:C3NDjBZktYMnnXWC0BOBOF1RLPaR/++CanDSCKtZpdk=,tag:8Tnh2UNfE2UThNexHTzlRQ==,type:str]", - "sops": { - "age": [ - { - "recipient": "age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw", - "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCWVZRUzBMTHpHUVlNcG1L\ndGhWUEtkc2o5Y1U5NTJEN0pHbWpZUDI3ZWt3Cld5SE14UjgwK0xoWVE3TFlkYXho\nT3pBYTZIRENoZzNwY0xxWXNOUkJrMlkKLS0tIEZTMXhaMjhyMkdHRmZZVjVrOVdu\nUTVNUzAvYUtjWHRSakcrclJTQkkvZ0EK4+jaOzoxwa+kVrRdkmizMBZmbSTktBU1\nj5YnJPDwtyBCtPTrF5d9hcD/NmEdhv2Dm6JilT5EPkZslvcdHQcjZg==\n-----END AGE ENCRYPTED FILE-----\n" - } - ], - "lastmodified": "2025-05-31T11:22:24Z", - "mac": "ENC[AES256_GCM,data:l17vrFzlOog3YcwMA61iJGIa/zra9RERPXiT3TH1sLtv2pLNEcu/eFOK5IhqMSPDtkSN1LuCcKqSj3JKpVVRINsoybSSD2XuWEXwSKaaBvtY49HGxpCu+Id1GEt/81IwMvWOu1CFsOyuRkYtBwBc40ThqcqCU8ub2ob9vwjpxGY=,iv:AnGQtzGcboOPYyFGuzOI+N+atZr9ZnkH9nqj3bbd5iY=,tag:Yy7zzJ1V8+Zn15B8xBoy5w==,type:str]", - "unencrypted_suffix": "_unencrypted", - "version": "3.10.2" - } -} diff --git a/apps/kakigoori/secrets.sops.yaml b/apps/kakigoori/secrets.sops.yaml deleted file mode 100644 index 59c1494..0000000 --- a/apps/kakigoori/secrets.sops.yaml +++ /dev/null 
@@ -1,24 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: anubis-kakigoori-key -type: Opaque -data: - ED25519_PRIVATE_KEY_HEX: ENC[AES256_GCM,data:+Qbmh7nMRRkgAttxWUllxvnHN+XpiBZCm3Kppxzb79KSMlili/FC9PFLZ0I6F45vF65TIhmlCfdkWd0ikgFTjpUnmat4rzfb21Nyhx4+6bZkR+7eQJmePw==,iv:xzqrI+Dp5Zx9FJxUvaNGhbbZ8bZY0JSxKTj0pf1T+08=,tag:J8CZYgiWFpJm3H3L0mrMIw==,type:str] - THOTH_URL: ENC[AES256_GCM,data:o0cQMFKRPaRLE2ZJ1CXxKWoMTO380w2qVNkbIO8ul9d/yNBexi9xh/3yHMLjr9Ti,iv:td6XXTJXHZcDLs14dsRijmMiy2HzoT0+Kmt3g+KShjk=,tag:cWr1XF47B1ayuYUUMKw3DA==,type:str] - THOTH_TOKEN: ENC[AES256_GCM,data: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,iv:ZXCUFpqh85W8l1saUYWLNg37QTkxy24vlZyPS0I8mjQ=,tag:ExMldQHFqAPdOtLqmDLrKQ==,type:str] -sops: - age: - - recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1VkUzSWdtZlI0Wm1PMC9U - T2JIdWkvYjIxby9SMmlRVTlKaDZrUThvaFdNCnFCOVJhS2hIWWwzNWVKT0xKbUY5 - TVVXa1d3MUpUcjlVRllTZk02bnBqdDAKLS0tIHFDYzB2TXJIS1FyQ0JYTE5YUTFS - WFN0Q1dqeUtYUitwVW9EalA1a295M00KItuiSlWjFU/EuP/gHfx5ZiOEC1mgUa2I - KQdJSOzHobfICZY2/wF8+KPpMBwcuB0IQL6SJF5I8CRS3H1dIPTaeg== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-06-16T00:27:47Z" - mac: ENC[AES256_GCM,data:UiSbzEO8qKqVHPqoH6mHwokCfGt9kBJAi66ja3EOMTdrKXueLxEii2YrgaPnBTcx93Ha/VBhzwLbVxeF4C4PIxNdsauWrh25YmfZvkBe2F3viJQpJVgIGbLPf7Uv/fZ/xhwuk/A4+Ob7+XymFb0PFZ3Zo9pEXzjNwZ6QuFChiYs=,iv:1caTZ3pG2CgqtWwGJIa2nAV+2/yhDRv0zRFtv+T+GBk=,tag:phIjj4ZpMcr5CC5P9qVbpg==,type:str] - encrypted_regex: ^(data|stringData)$ - version: 3.10.2 diff --git a/apps/kustomization.yaml b/apps/kustomization.yaml deleted file mode 100644 index 3150772..0000000 --- a/apps/kustomization.yaml +++ /dev/null 
@@ -1,18 +0,0 @@ -resources: - - autoupdate-teable-figurines-currencies - - glance - - kakigoori - - opengist - - pocketid - - prettysunflower-website - - privatebin - - publicfiles - - rallly - - renovate - - static-websites - - teable - - technitium - - thelounge - - uptime-kuma - - znc - - vaultwarden \ No newline at end of file diff --git a/apps/opengist/secrets.sops.yaml b/apps/opengist/secrets.sops.yaml deleted file mode 100644 index 1cc49b4..0000000 --- a/apps/opengist/secrets.sops.yaml +++ /dev/null 
@@ -1,27 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: opengist-secret -type: Opaque -data: - OG_DB_URI: ENC[AES256_GCM,data:TZpj9cVMF6jHqhJf2EKMDe8bDp3ozn86b9IG1hIinX8V4sUkayB2UznScqhnsEAd+FKAimf7exu5+fQ+qDVLVk0izy7PNNKK6JpNWatkfwfk7bN0hMghiIRlNL/dB5vnH/m4FktUD04=,iv:NueU8M+PBvgCnUY2J/DyHLSyOHYkkPs0Nu3QnnlrOg4=,tag:bMDNa9AbzK0pWW2/V76VGA==,type:str] - OG_SECRET_KEY: ENC[AES256_GCM,data:FRMGtPW95ypXvPdcss61FYEZPwTU4IbULt//av3pncC6c4RraXzEr8zwGpxlxsLsorlhVN7xm2SybDxtHHVs6B7Emr8NwRq+5fLZfU6YHa8y/tqr68/vlQ==,iv:Sfkx30Cqw9Y1jKNTtXrQiwMwbsiT3E2mygRACf20JuY=,tag:3vmHOZWs/jsynIL1Na3LPQ==,type:str] - OG_OIDC_PROVIDER_NAME: ENC[AES256_GCM,data:ff/7A9194cworblcum6zbyLTKzI=,iv:CPECmbTOlDAGf0Pd8GGNodmGA8ARnfeaU2E/JpxezU8=,tag:mnVi10u7mZGgoMpeYu1Y7Q==,type:str] - OG_OIDC_CLIENT_KEY: ENC[AES256_GCM,data:OjZc3bFKk9q24RWm7ftP5j2TUfAVerOh+2CA4+4+0FMef8HP/g0p3nFVzIl5H/9R,iv:RUsTi63pi7RsdUnHct/Whmeg3xf5VKp26bli0GfsPcs=,tag:9E9pdIieAAqAg/TXrxqseQ==,type:str] - OG_OIDC_SECRET: ENC[AES256_GCM,data:zBWln9wZiG7PU4VkzAqA81enp7+bkWF+GNE8W46RhsgQOgG9AQmBEuEB++E=,iv:5MDI8JvcKhQ/sHX/3IL0wRNMRqs5tYgdsX/KcNqUYPM=,tag:aM/Dlbbw2tnXpSq4zJnSGQ==,type:str] - OG_OIDC_DISCOVERY_URL: ENC[AES256_GCM,data:2X2m6q6d0VMrAbYq2EVKc7ID3Y9kv5yKS9ncnqVQtShnx95g0boAKYhs2+vTw4ERQFKWAlgVoBrjfdEgkwuQrWoON3n7Y94n3Sgqsg==,iv:f7NhX74g09/ATfxvr3k22R0h9daRDA4ZzceRmkqbH+k=,tag:hgKMrwPyw4WEJtnALCQzzg==,type:str] -sops: - age: - - recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxREt0L3FXRkc1aXdQeG5s - R2RoZGhyUnVYbnJ3all0eXBCaHp0Ly9JaFNvCmxrNGx4MDFEOFFtQ2I3ZldRcE5E - V0FtV3lMUk9SQllQV1A4OWRlNkdxb0UKLS0tIExYWXNxbjcvTmNLSFV0QVZtcWpv - NWtHbTd6bnRyN01aeEVUanVRMFpnR0kK/lnokfJiXcO9aFj+4iWqEnUMxdvz91GD - 4LUJR0MDE4zblg3/8ZEUM83Bb0CwtnEiQ/8IXbHwLwMdu4AJ4Fj5dA== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-06-10T00:20:57Z" - mac: 
ENC[AES256_GCM,data:O3x8Cp4SHVrZPoRVHbnMUnGjOuf4VXgnD2OX7PhuATHJGOvFrmKBQPs/cTdyLz785sRWDHqJume1SEKjezgOw2dw61tDm11CMRM9t1M5oG5rMOg7yhdCFFvw4MGW3TLn7VmJwoFpbSMbq8SH8xSQEBf8+B2XZvU0LudEhTVn0xA=,iv:D7mGMmT2K1PfL4dTRKztus1xbAfbTWJ6OgUOn/U24dY=,tag:N8dA7a82HvDnAZWVh80kvA==,type:str] - encrypted_regex: ^(data|stringData)$ - version: 3.10.2 diff --git a/apps/prettysunflower-website/namespace.yaml b/apps/prettysunflower-website/namespace.yaml deleted file mode 100644 index 1745ccb..0000000 --- a/apps/prettysunflower-website/namespace.yaml +++ /dev/null @@ -1,6 +0,0 @@ -kind: Namespace -apiVersion: v1 -metadata: - name: prettysunflower-website - labels: - name: prettysunflower-website \ No newline at end of file diff --git a/apps/prettysunflower-website/secrets.sops.yaml b/apps/prettysunflower-website/secrets.sops.yaml deleted file mode 100644 index 5fa0f46..0000000 --- a/apps/prettysunflower-website/secrets.sops.yaml +++ /dev/null 
@@ -1,47 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: prettysunflower-website-secret - namespace: prettysunflower-website -type: Opaque -data: - GOOGLE_API_KEY: ENC[AES256_GCM,data:Kff/H1QrNmyUoNCgG/DJmYTSluBfQkzATpNYcW+mpXA5igR1TW/8rxBI3pEavbiXq8s5dg==,iv:2w6gt7+r/bQTlWmObBeqkY/8osdAmvKaWUjIm+DjNyc=,tag:rLFP3GiJ+QMGFH81noKutQ==,type:str] -sops: - age: - - recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzZXZUZklxb2UyRHA0OSt0 - UXdad2FnQ2RVaVFKWkgvUFduUnVJVkpsZXhjCjF0dUlJTmVvUFVhZ2pueUdBS0t2 - MHZKS29XRkUwTUUwSWNmb28relhxME0KLS0tIFZuT0JCZU9nMFltUk0yTU1zV2U0 - YWdTRm5wdUdBN3BJelZhQUZhWllRTVUKxNufC3hgtybXvB+AL4rqeDCCGsbSTG3Z - f+04lkOLzcLr2sTBueGNG8UfnflSQI1JIrlHAzb7LlNi4vuH3KdFEg== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-05-29T22:40:27Z" - mac: ENC[AES256_GCM,data:JtiGrHVD+JJQ5ZwHLCT4rTOu/UoYCscn1Wv0F3E8Q1y9olFXLhq4b9L/vOGe+Wf4/8cl56zf9YnifWR73c71/qnTjsByN/0zqWJjtsDomaxFkGtjLwKbnvvJs3+NyUw1OJGSnL0c79rhEZTkzfFrN/td1hbr/Qho227UvoVOLsc=,iv:YHBAJqUJBz/kzcdNOUPDxaWqEVVmHvkgcjbP2FYwwDA=,tag:OIM5/vlgMCxRYocvy6xjRw==,type:str] - encrypted_regex: ^(data|stringData)$ - version: 3.10.2 ---- -apiVersion: v1 -kind: Secret -metadata: - name: anubis-key - namespace: prettysunflower-website -type: Opaque -data: - ED25519_PRIVATE_KEY_HEX: ENC[AES256_GCM,data:uVHaqVVCLb9j8y/zXo2ZutfYgi8tu1sLJ003yw0l7C+jy/s2hHKkgVwqXMTZRA+Hq0RIRNEwHyswfM8tQ2olmQVlPASEXnT0yW0lAidoZ/xf8fs1Am14vg==,iv:w/ag0nJ3MnP3UUGq6iMNu/qHLr+kt8G/Ntzd6APQCuY=,tag:mAHZM2PGAqHjnp4QVIkqPg==,type:str] -sops: - age: - - recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzZXZUZklxb2UyRHA0OSt0 - UXdad2FnQ2RVaVFKWkgvUFduUnVJVkpsZXhjCjF0dUlJTmVvUFVhZ2pueUdBS0t2 - MHZKS29XRkUwTUUwSWNmb28relhxME0KLS0tIFZuT0JCZU9nMFltUk0yTU1zV2U0 - 
YWdTRm5wdUdBN3BJelZhQUZhWllRTVUKxNufC3hgtybXvB+AL4rqeDCCGsbSTG3Z - f+04lkOLzcLr2sTBueGNG8UfnflSQI1JIrlHAzb7LlNi4vuH3KdFEg== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-05-29T22:40:27Z" - mac: ENC[AES256_GCM,data:JtiGrHVD+JJQ5ZwHLCT4rTOu/UoYCscn1Wv0F3E8Q1y9olFXLhq4b9L/vOGe+Wf4/8cl56zf9YnifWR73c71/qnTjsByN/0zqWJjtsDomaxFkGtjLwKbnvvJs3+NyUw1OJGSnL0c79rhEZTkzfFrN/td1hbr/Qho227UvoVOLsc=,iv:YHBAJqUJBz/kzcdNOUPDxaWqEVVmHvkgcjbP2FYwwDA=,tag:OIM5/vlgMCxRYocvy6xjRw==,type:str] - encrypted_regex: ^(data|stringData)$ - version: 3.10.2 diff --git a/apps/prettysunflower-website/services.yaml b/apps/prettysunflower-website/services.yaml deleted file mode 100644 index c258a10..0000000 --- a/apps/prettysunflower-website/services.yaml +++ /dev/null @@ -1,29 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: website - namespace: prettysunflower-website -spec: - type: ClusterIP - selector: - app.kubernetes.io/name: prettysunflower-website - ports: - - protocol: TCP - port: 80 - targetPort: 8080 - name: anubis ---- -apiVersion: v1 -kind: Service -metadata: - name: static - namespace: prettysunflower-website -spec: - type: ClusterIP - selector: - app.kubernetes.io/name: prettysunflower-website - ports: - - protocol: TCP - port: 80 - targetPort: 8001 - name: anubis-static \ No newline at end of file diff --git a/apps/privatebin/secrets.sops.yaml b/apps/privatebin/secrets.sops.yaml deleted file mode 100644 index 90470a2..0000000 --- a/apps/privatebin/secrets.sops.yaml +++ /dev/null 
@@ -1,22 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: anubis-key -type: Opaque -data: - ED25519_PRIVATE_KEY_HEX: ENC[AES256_GCM,data:DBMXjeG7KguofrBF8wFRZoplFKhsxRGvWAXga5QJkhYn4HNF6WvFr8dkCww7Z6qpqdskKqBQqBiYq6OgTe5f55or9sWeO5XwKprjTUYYJ+/Yxvg1MBMlSg==,iv:MfK068uL94QNPlh62FNjBMK26M6Uig9yWvHRLpmEASE=,tag:0w4OMh/KcWsK5n4xnkLzaw==,type:str] -sops: - age: - - recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2dGp5eTNoRWZRVENPaXVv - cUdJc2d4Sm82RklXb29vRHZQZmhRNHRxWGpRCllwNENBY015WUFqeWI2TGhhcXZ3 - Z0w4dXJZeEtQZkJRQzAveTZtS1RZdDQKLS0tIHlYeEZzMzNXTzdJaEd3S2s0RWh0 - L3lRQkxCNWRBbFdlMW1DS2RXUXJwTlkKW7jjQfIC2tZo9vj6QenOdOa54xCjMU5v - 3Be8lPn1H6js15fKTpCw+6+VaEBaAxO9Q1BnSlKx76YQc4V/1pRGhQ== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-05-30T10:26:13Z" - mac: ENC[AES256_GCM,data:mC8nlQZA7o6h+FDK5eB4XOXrYnygml0rYDDlg4oq0i0rNXlK0gQcTQxYU3ZJLyEJirsjKhdoyF/thP9ro1Jdbt2bNn5k7crc4o5Ar4/Rlu05xxq7reZKtX2RiUaGonlWNrNLbXWnPFv9TZ2A+qkdIlXYLMg5vNFPJS0E56b/SH0=,iv:1ERSVhVwzEj3Y+vPdbBEeHsjLi5IZ0pgWwh423cGB2g=,tag:l/2a74j+gbyIQIn2DIN09w==,type:str] - encrypted_regex: ^(data|stringData)$ - version: 3.10.2 diff --git a/apps/rallly/secrets.sops.yaml b/apps/rallly/secrets.sops.yaml index f225b07..295c6ff 100644 --- a/apps/rallly/secrets.sops.yaml +++ b/apps/rallly/secrets.sops.yaml 
@@ -4,29 +4,29 @@ metadata: name: rallly-config type: Opaque stringData: - DATABASE_URL: ENC[AES256_GCM,data:og/DjZzZQJZSeMsqf2t7rS2+b7g0ak6eIC1JGYCtGJq63x4nTmJyAD0oJEN8ME1kp/V+edX1T68SVVPdrsPVHlawwb5ZJOeSu2wB,iv:PV84Oi/kLGDDm45WWN6w+llLBzIcopP3kB0bLYCTM5o=,tag:fuqKM+VghdxjWoArEiEYMg==,type:str] - SECRET_PASSWORD: ENC[AES256_GCM,data:324h5buHxd/xxr+V87aepxHfEDyjta2BL1pkwwCtPzPS9MC9xcJm4HX7c8qGxr1GsJkFS2/LIBPHRpl9sZ3aww==,iv:5W7NStdQcOSOBG3YfQsF+PqY4pBYNYPb+dZFOMnfVHY=,tag:3h0Ey6V9nmrAivgQwhbvWQ==,type:str] - ALLOWED_EMAILS: ENC[AES256_GCM,data:R+LvSgga0H5eBls+gOPvYsYag0FF,iv:lOiJhKe1pPMG0R32DWiqG2lX1ziXauMVjrl2+veQFKE=,tag:CHKPCZRmxG6dmz5RywH8CQ==,type:str] - SUPPORT_EMAIL: ENC[AES256_GCM,data:yYWpEnghNcOe0cRuMg2ffOp10GsWMk8/,iv:ZmPrBS4egsFUrkOvZKBJMTvh/Lcf3nLwjaqz8aVYaGg=,tag:M3fkjRJjNRrysY7HagbfXQ==,type:str] - SMTP_HOST: ENC[AES256_GCM,data:cOJLpNdBmLPBE53IUQ==,iv:Nv7S1ZKisrmkQIYwJf7Y/xqSQFHkvFrc4DzaMcXy4Ug=,tag:XEgyNik0EiGk4niqYujUHQ==,type:str] - SMTP_PORT: ENC[AES256_GCM,data:sFaL,iv:UzQux93MPbrQIFpA+xD86z4E8YsMzbAmb5OKYKB3EKc=,tag:8x/f+OPkBUO2sD+ih+DEHQ==,type:str] - SMTP_SECURE: ENC[AES256_GCM,data:dDZwLPE=,iv:U30Wj2jbUvusUyk3e3wW9vYd0/vNEicle5Ab4RhXpY0=,tag:V5t8wNToYJuoYdjBIfGtvA==,type:str] - SMTP_USER: ENC[AES256_GCM,data:eRFXbLAUgIv0iv1gveEsg75+QiJDiA==,iv:AbLvwCpVIRjNyq9IM25SevEQGihOIVFLTjeDGYvfDsQ=,tag:Xj1jHRKZ6D4Kwar6VW1B5Q==,type:str] - SMTP_PWD: ENC[AES256_GCM,data:myJOrcEv0J/JeIVan/WRzA==,iv:cPmyFTu6ZGe57SRzDbN5bdmYaPz/yaUvuQsrP2V1iZA=,tag:3xbNjIaANxRBENxpzm3XdQ==,type:str] - NEXT_PUBLIC_BASE_URL: ENC[AES256_GCM,data:85hc4Aca8yBCctXXpwdfeF5TUcbK1rX8qelB+kR6h7/nZG9sqvI=,iv:mz3+Yc3mTB6cNmZyYNOBf/rm11/1HoR0VTeJEbCzWyw=,tag:GxIY03wU3MGiIHmdZM+E+g==,type:str] - NOREPLY_EMAIL: ENC[AES256_GCM,data:hjMfBGrXThJi2AqaW1G+J8mVE7laZ5OjCAzE+uYn,iv:t8YQOZtlhTTEoqgtbxwzWzInltH5K5cGr09cRU740PA=,tag:kfQXf0yldyljOHNdl1gv1g==,type:str] + DATABASE_URL: 
ENC[AES256_GCM,data:lYuzcEIsbFibHLunbiySE5pBDak7ERmaTlStyCv1epmVFo3DXa+u/Z7cWzbGoJ9ZUcHgTRKGyI87jWcvf8q3rmryYDI01Bps4syx,iv:7L8D3ODEc1Wqi78Zo6WcIMZ9PoEnEUbaxtXROlW1uNI=,tag:vudFPhiMj5qRA2yXR78AbQ==,type:str] + SECRET_PASSWORD: ENC[AES256_GCM,data:oFqbJwS+Mbxp1weU3/78w/P5EbC2M6D+sQ8CmplQNNh8vlA4tv868hKMSJRaSErYQ1kN2qQ7ssgRBjFbKRM+Og==,iv:3ir7GG4CXN9OO3f2QJIN1LPMHOAkeNOQg/hOGpm5g0Q=,tag:R4WmPVoSSLOxl8sMIyoxUw==,type:str] + ALLOWED_EMAILS: ENC[AES256_GCM,data:c9ab4CvjqTv2GBByhqzw6I9wNG4F,iv:YRHEXHp02LQD1vJ2ihmOC5L1in6nEI0bNm8PE5kLn/g=,tag:DXr+woHpyq9oToVvE+q9bg==,type:str] + SUPPORT_EMAIL: ENC[AES256_GCM,data:HScMvYjK5t+qhBzo5J18XdpVEohyb9UB,iv:N9DE6NO+uAEezHOFjoZBGT63uaHcXjW+W4RBdpABaCY=,tag:OQEbgraRJkwfmbYL3gnRpA==,type:str] + SMTP_HOST: ENC[AES256_GCM,data:40XpC0/q0YlxtXsu3w==,iv:eKmnKvRHSUGMm88doxmz5vjNqS2mNK+idjGFw7GAV6E=,tag:g5SoJxpoAD7JB+fXygHTvQ==,type:str] + SMTP_PORT: ENC[AES256_GCM,data:KNFA,iv:ebpkTJ7aLV6YuK+tuEkgydzfcDost0BabwLy+THxAJ8=,tag:EDa/OonRseVxxdRWIyR0yQ==,type:str] + SMTP_SECURE: ENC[AES256_GCM,data:ljHsvHM=,iv:p+miRdGI5Du1Xe9UCisP94DVyHEQbwfIcMCOiFarHCM=,tag:79+8l4P2X9H/WjOp294VYw==,type:str] + SMTP_USER: ENC[AES256_GCM,data:yleHjuxtepfrWGgVg/aUCTod2O7o+w==,iv:mvNqD8EB53xV13mxVcpknUj0VigTvpHAM7AR8udFoB0=,tag:kplCsvWYyjGT3qKUBx/tyw==,type:str] + SMTP_PWD: ENC[AES256_GCM,data:QRpk7RUq0BZU6KdSYSyZ2A==,iv:c9nMcctW++51kzvWeo+7Jd40SS8HxfLpuKbPIxIMOqQ=,tag:yxb9ZrCmjBFXZDi1uI8g9g==,type:str] + NEXT_PUBLIC_BASE_URL: ENC[AES256_GCM,data:s66MoHOPDosVFTvEd/YWcn4+erI7Y7qaoIU052vuiPdd3AkV6dI=,iv:SXLdwkz9NKq8mRtWSRSCnBrNExz1LaCXZyImXib2WTo=,tag:uhJxpnQWMzR+yRumkzBCVw==,type:str] + NOREPLY_EMAIL: ENC[AES256_GCM,data:yqt37KXHO3y3Y+eoV3IZ1KZsnFa+tMT6rdVlVSEQ,iv:+9ktTkcLzgybXcX7TXq4FrxqGaF7mTD1ZVnDASR4xOs=,tag:qt9DU2Iirte9vksn0V+uGQ==,type:str] sops: age: - recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw enc: | -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBacEJRM1VQRmlqaytuWDNC - 
QlpUMjhYQ3NQVjlVbEVwS2dHNTlQTHlYQ3dnCkFCUytDSmQ3TFB3RVNyNlBXVlNK - bUtJNXZiT0sxRU9rSlZrTVRXdjlSVWsKLS0tIFlZelJZNTIxc0RHOTFDNWhOZ01m - U25wSVJicDE1VVpXeUd5b3d1NUVUQzQKQV/DaIkKLsHiksmLhggIyjX1UIg16SIQ - lGk22q4xM4v+82O4y0t4oxxVPiXxDPkj6NQiiZcsx0pmzFchfv6Lcw== + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCMGFSRHpoRXBrbTM5Z0JH + M2ZxQjltMVUxajl4TWs0Q0gxNVhqSDZURmtVCnZmRFpYVHFsWFR2bUtocEE2eFZl + eThlY0NneTEza1ozVUZGT01rTmZkYjQKLS0tIGwxYVlNd0gxUjU5TWlPMnh0MVkr + OTFOQzdoOVpJSFdiTy9xSldHMVZsMzQKOR721Pl0ZC1ncgQesWI5PrD04cui+MvB + BgszEpbKFCiWPawaGTss58ADzhY178XSGWnsj8WypkFuyFY6U7uhUg== -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-06-06T09:18:00Z" - mac: ENC[AES256_GCM,data:NbZlZN6vxP8moSxXUlk79pLsgvHMsUCKAOq3QImJ5GMiH2dkkzuHAtj0izyAtnYnFBfwreS/V5gXk9L/EENae3tBMB2Bld0/6j+Z5Te0jeKrIAoXXqAQiBrLogKYg2omm9fKRyCZ4CdfcjFBVlJ/vO5/TJDHe5Ne3nk62nVdMgo=,iv:euAkY1YTi+NXZLzHFrpfqWhPOWeYBmVOVp6g9Z5txQE=,tag:Wixp55DxJwzxhk82KDsrjA==,type:str] + lastmodified: "2025-07-16T14:35:28Z" + mac: ENC[AES256_GCM,data:IbNJjPW0kIgh1ZCQo172v4HAVYiRxtDAUpytd9XfLRAoWie0wM4Qg1IX+RedWop7+mc8Yh8a1r5UmFEnAmB8vUjirg88dtHDSMi3Z7rjaYfF1Jz563fpSFDnbRIIoBAckZsoEmjCOatwzra3E+MUry4UrjPhBGtjEeV5KiZypvI=,iv:2L5TrFlYrHCvHKcd+8sQ3NjSydOpzCSgTGS0uAH7ngk=,tag:I+qk6UffT8exKyJaV6ChRQ==,type:str] encrypted_regex: ^(data|stringData)$ version: 3.10.2 diff --git a/apps/kakigoori/.gitignore b/apps/seija/kakigoori/.gitignore similarity index 100% rename from apps/kakigoori/.gitignore rename to apps/seija/kakigoori/.gitignore diff --git a/apps/kakigoori/deployment.yaml b/apps/seija/kakigoori/deployment.yaml similarity index 87% rename from apps/kakigoori/deployment.yaml rename to apps/seija/kakigoori/deployment.yaml index ff163a2..82f6e52 100644 --- a/apps/kakigoori/deployment.yaml +++ b/apps/seija/kakigoori/deployment.yaml @@ -5,7 +5,7 @@ metadata: labels: app.kubernetes.io/name: kakigoori spec: - replicas: 2 + replicas: 3 selector: matchLabels: app.kubernetes.io/name: kakigoori 
@@ -14,19 +14,9 @@ spec: labels: app.kubernetes.io/name: kakigoori spec: - affinity: - nodeAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 1 - preference: - matchExpressions: - - key: location - operator: In - values: - - fsn containers: - name: kakigoori - image: "git.remilia.ch/remilia/kakigoori:main" + image: "git.prettysunflower.moe/prettysunflower/kakigoori:main" imagePullPolicy: Always ports: - containerPort: 8001 diff --git a/apps/kakigoori/kustomization.yaml b/apps/seija/kakigoori/kustomization.yaml similarity index 100% rename from apps/kakigoori/kustomization.yaml rename to apps/seija/kakigoori/kustomization.yaml diff --git a/apps/seija/kakigoori/local_settings.sops.py b/apps/seija/kakigoori/local_settings.sops.py new file mode 100644 index 0000000..8b38fcb --- /dev/null +++ b/apps/seija/kakigoori/local_settings.sops.py @@ -0,0 +1,15 @@ +{ + "data": "ENC[AES256_GCM,data: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,iv:K8WPuND70blkG810M/ru82znvGVqJVWh7U3ZfhRTS5Q=,tag:e7TewsvDz2x0R+pohEGlDA==,type:str]", + "sops": { + "age": [ + { + "recipient": "age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB0MEQxbnA4T0NQSER6NzhG\nN29rVVpmOEJWbEV0TmdVbVp0SGdoMXU4cmxnCkNpMS9Ua2dqQkNQU0RJSUNSTkZu\nUzc4RldaeERPYWxWaElwZlBzU3JjWHcKLS0tIGRoa3pSdDhQbG1kYm9Jb0F6eVZs\nODNRaHFtbnlGMC9rTDJFVWZOMkdZd00KBBUHdx/zbhwEqBaAoeaauiWgkrQ/06wO\nAcGtTapGrKKEj+hDJNVIuP4EcCXt6tlaYPm9IVxQh92VQ3YrAkHLrw==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-07-16T14:35:28Z", + "mac": "ENC[AES256_GCM,data:+boBB9vcGpRgwaxDs4kFgQk6nVmE3jL1lCkNnmL0ya501M2YlKgZ/UP87qkh8eMQFizpWfs6NFamdF0Zfd7fM1hokOjXQ4pM3rfNa+3lxK2pkEV16OOA5V2F9vTAIkuaCHqKihUZL/PMIko/koKroGU8jfq3ZtgBXTlhIRKeGNI=,iv:zc7vR7gJrMbGIUr+C/R4EWH8LaYX2SxwNtX050nrfEI=,tag:EacHLbwFtujnJuQaKteXkw==,type:str]", + "unencrypted_suffix": "_unencrypted", + "version": "3.10.2" + } +} 
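Review bot: The new `image:` line in apps/seija/kakigoori/deployment.yaml still deploys the mutable `:main` tag, and with `imagePullPolicy: Always` every pod start pulls whatever the new registry serves under that tag at that moment. Anyone who can push to that tag decides what runs in the cluster, and replicas started at different times can end up on different builds. Pinning by digest, `image: "git.prettysunflower.moe/prettysunflower/kakigoori@sha256:<digest>"` (placeholder digest), makes the deployed build reviewable in git; the same applies to the two `:main` images added in apps/seija/ourfigurecollection/deployment.yaml. The container spec continues past the end of this hunk.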
diff --git a/apps/seija/kakigoori/secrets.sops.yaml b/apps/seija/kakigoori/secrets.sops.yaml
new file mode 100644
index 0000000..d015d1f
--- /dev/null
+++ b/apps/seija/kakigoori/secrets.sops.yaml
@@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Secret +metadata: + name: anubis-kakigoori-key +type: Opaque +data: + ED25519_PRIVATE_KEY_HEX: ENC[AES256_GCM,data:mLGdCjuZFgjQ/0WlGBRCf+T0TKHbc/1otllDvsqmAOi+1unw0ZEoCH6+fr1WEAagN0VKulwQmlf26ji7g/+9Q1fiwWMBzxAd1/ZbDZdRptLBvDRBjAP6zA==,iv:P2bwoNjfT8NkBtf8xcKk+VlAPUMzjiuD3z/DHIiDacg=,tag:3CE4qOo0K0BVGgFAUIGZ2Q==,type:str] +stringData: + THOTH_URL: ENC[AES256_GCM,data:9jcvAvIylF4WkQKvAPwyOLpE8w9Es7XJCBHi2gU6A79dTnnl,iv:PcwIyDifQxOmJzrxNxPQqvhS5gT2r7G2+mBP7OYNvCs=,tag:a+sqdXJpd1WVWQlAC3lgdw==,type:str] + THOTH_TOKEN: ENC[AES256_GCM,data:ER/93+x9aFGjSPtv7ObT4zhTnCdlJGa+MMY1nqGNGH/GtDKoF+XtyRmclQj+oFZ6DxhV9gM6VeP20YLz7g5t5K23ZmIfFzwAtQAxwJSvDeJw85dkhQbKfTIvou/NM4bL9T1A7j9zGuKvpYAqlkwYnLlDfBy3aWUdD4qkRIjTvXwijG6BjL3dBNXqC1UAxn7j5Y9QojGt6j04/rllYfjuADsIsT4Kbb/EM4jgP13Mu+nJP/3GkfjBQfaC02RvAREjIPuKfVz28zcwLbBTT2kPPSYGuSxIpo1kWKnpttmHDkKgcHu9/q6EFaswgeX3aIbowXiPEY20yYZW4QBbvcBSQOX27Rhg9HR4pcYVM5VT7RTia+kDWIEmhV5JtFlYzx5wiXDM2vgEF+wX+t5mVC96I+En4PuTaBV2lbE=,iv:3dvQjX+takhickmJ3AHo29sEUEfXpSYgh78Rqkfmgkw=,tag:78wOIOovvjkfRxbpDpQoKg==,type:str] +sops: + age: + - recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWK2RpVUIxZkZVMjdFV29L + VnpYUVJnY3hIYTVSb1htNm5xcTJGRlVWZ0IwCmdSWXFFanBMV1FKTnozUmorL0Qr + Z0F0cjc1T2VqRXRwK080VU5tUk1VbkUKLS0tIENiTm5CbkVmTnRRNzJaK3hjMjgr + TzhQMmFQOXhCWjRUbGNGOUZHazFNdU0KTLIACJrcciwiFdEhyQCY+ln/afHuwaUU + dQXcslNIFa5GeFCA7P7zDkhJWbM1nwOg2D/hh36vYKH6mwdhKVy3Bw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-07-16T14:35:28Z" + mac: ENC[AES256_GCM,data:uPR8lkkMZ1Uko36jISMNG6YMKRHh2jZ1P6aA8lY12Qlml21QsDz3z2c+3iOFaSE9CHZ2TPaMj4gkTkHojkkoKmOdGOZSulKKnnSZ42bDVZPPIjiTcMZxYGUiloBrFAzitRqub5UPtgnoKIxnlsZvMJvl8m9oZ27oi9R7K0MgyYI=,iv:AJBS0RDHXDkjF0DMctPCka2f7iaKFw6VQIHl9VWOCog=,tag:bL5DPT/uvQElYbUG9BjxJQ==,type:str] + encrypted_regex: ^(data|stringData)$ + version: 3.10.2 
diff --git a/apps/kakigoori/services.yaml b/apps/seija/kakigoori/services.yaml
similarity index 100%
rename from apps/kakigoori/services.yaml
rename to apps/seija/kakigoori/services.yaml
diff --git a/apps/seija/mazanoke/deployment.yaml b/apps/seija/mazanoke/deployment.yaml
new file mode 100644
index 0000000..95989d5
--- /dev/null
+++ b/apps/seija/mazanoke/deployment.yaml
@@ -0,0 +1,22 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: mazanoke
+ labels:
+ app.kubernetes.io/name: mazanoke
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: mazanoke
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: mazanoke
+ spec:
+ containers:
+ - name: mazanoke
+ image: ghcr.io/civilblur/mazanoke:v1.1.5
+ ports:
+ - containerPort: 80
+ name: http
\ No newline at end of file
diff --git a/apps/seija/mazanoke/kustomization.yaml b/apps/seija/mazanoke/kustomization.yaml
new file mode 100644
index 0000000..40ad69f
--- /dev/null
+++ b/apps/seija/mazanoke/kustomization.yaml
@@ -0,0 +1,3 @@
+resources:
+ - deployment.yaml
+ - svc.yaml
\ No newline at end of file
diff --git a/apps/seija/mazanoke/svc.yaml b/apps/seija/mazanoke/svc.yaml
new file mode 100644
index 0000000..9df48ee
--- /dev/null
+++ b/apps/seija/mazanoke/svc.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: mazanoke
+spec:
+ type: ClusterIP
+ selector:
+ app.kubernetes.io/name: mazanoke
+ ports:
+ - protocol: TCP
+ port: 80
+ targetPort: http
\ No newline at end of file
diff --git a/apps/seija/ourfigurecollection/deployment.yaml b/apps/seija/ourfigurecollection/deployment.yaml
new file mode 100644
index 0000000..fb113da
--- /dev/null
+++ b/apps/seija/ourfigurecollection/deployment.yaml
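Review bot: The `mazanoke` container in apps/seija/mazanoke/deployment.yaml is added without a `securityContext` or a `resources` block, so it runs with the runtime's default privileges and no CPU or memory bounds. The `ourfigurecollection-static` container in apps/seija/ourfigurecollection/deployment.yaml has the same gap, although the `ourfigurecollection-django` and `anubis` containers in that file already carry a `securityContext`. The block below is the part that should hold for any image; `runAsNonRoot: true` and dropping all capabilities are worth adding once it is confirmed that the image can bind port 80 without root. Resource requests and limits need values measured for this workload and are not proposed here.

```yaml
      containers:
        - name: mazanoke
          image: ghcr.io/civilblur/mazanoke:v1.1.5
          securityContext:
            allowPrivilegeEscalation: false
            seccompProfile:
              type: RuntimeDefault
          # … unchanged: ports …
```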
@@ -0,0 +1,108 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: ourfigurecollection
+ labels:
+ app.kubernetes.io/name: ourfigurecollection
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: ourfigurecollection
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: ourfigurecollection
+ spec:
+ affinity:
+ nodeAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 1
+ preference:
+ matchExpressions:
+ - key: location
+ operator: In
+ values:
+ - fsn
+ containers:
+ - name: ourfigurecollection-django
+ image: "git.prettysunflower.moe/prettysunflower/ourfigurecollection:main"
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 8001
+ volumeMounts:
+ - name: config
+ mountPath: /ourfigurecollection/ourfigurecollection/local_settings.py
+ subPath: local_settings.py
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+ - name: ourfigurecollection-static
+ image: "git.prettysunflower.moe/prettysunflower/ourfigurecollection-static:main"
+ imagePullPolicy: Always
+ ports:
+ - containerPort: 8002
+ - name: anubis
+ image: ghcr.io/techarohq/anubis:v1.20.0
+ env:
+ - name: "BIND"
+ value: ":8080"
+ - name: "DIFFICULTY"
+ value: "4"
+ - name: ED25519_PRIVATE_KEY_HEX
+ valueFrom:
+ secretKeyRef:
+ name: anubis-ourfigurecollection-key
+ key: ED25519_PRIVATE_KEY_HEX
+ - name: "THOTH_URL"
+ valueFrom:
+ secretKeyRef:
+ name: anubis-ourfigurecollection-key
+ key: THOTH_URL
+ - name: "THOTH_TOKEN"
+ valueFrom:
+ secretKeyRef:
+ name: anubis-ourfigurecollection-key
+ key: THOTH_TOKEN
+ - name: "METRICS_BIND"
+ value: ":9090"
+ - name: "SERVE_ROBOTS_TXT"
+ value: "true"
+ - name: "TARGET"
+ value: "http://localhost:8001"
+ - name: "OG_PASSTHROUGH"
+ value: "true"
+ - name: "OG_EXPIRY_TIME"
+ value: "24h"
+ resources:
+ limits:
+ cpu: 750m
+ memory: 256Mi
+ requests:
+ cpu: 250m
+ memory: 256Mi
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+ volumes:
+ - name: config
+ configMap:
+ name: ourfigurecollection-config
+ dnsPolicy: "None"
+ dnsConfig:
+ nameservers:
+ - 100.96.226.96
diff --git a/apps/seija/ourfigurecollection/kustomization.yaml b/apps/seija/ourfigurecollection/kustomization.yaml
new file mode 100644
index 0000000..e678323
--- /dev/null
+++ b/apps/seija/ourfigurecollection/kustomization.yaml
@@ -0,0 +1,8 @@
+resources:
+- deployment.yaml
+- svc.yaml
+- secrets.yaml
+configMapGenerator:
+- name: ourfigurecollection-config
+ files:
+ - local_settings.py
diff --git a/apps/seija/ourfigurecollection/local_settings.py b/apps/seija/ourfigurecollection/local_settings.py
new file mode 100644
index 0000000..1bbd099
--- /dev/null
+++ b/apps/seija/ourfigurecollection/local_settings.py
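Review bot: `configMapGenerator` in apps/seija/ourfigurecollection/kustomization.yaml turns `local_settings.py` into a ConfigMap, but that file carries the database password, the OIDC client secret and an API key. ConfigMaps are typically readable by more subjects than Secrets and are often left out of encryption-at-rest configuration, so the settings file should be generated as a Secret: `secretGenerator:` in place of `configMapGenerator:`, and in deployment.yaml `secret:` with `secretName: ourfigurecollection-config` in place of `configMap:` with `name: ourfigurecollection-config`. The `secrets.yaml` and `local_settings.py` entries also point at decrypted files, so the build presumably depends on a decrypt step this diff does not show; a comment naming that step would help the next maintainer.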
@@ -0,0 +1,35 @@
+DATABASES = {
+ "default": {
+ "ENGINE": "django.db.backends.postgresql",
+ "NAME": "ourfigurecollection",
+ "USER": "ourfigurecollection",
+ "PASSWORD": "xxHWl#d$FoYZ54",
+ "HOST": "100.85.208.69",
+ "PORT": "5432",
+ }
+}
+
+import sentry_sdk
+
+ALLOWED_HOSTS = ["ourfigurecollection.moe"]
+DEBUG = False
+KAKIGOORI_API_KEY = "63586938-dd4b-4e01-a48a-6344e0bc226b"
+OIDC_CLIENT_ID = "749bcfb1-ee32-4c79-85b5-92062d7192b3"
+OIDC_CLIENT_SECRET = "dEhOJ6pvfy3d95Cx7kMq0SHBEgb6romd"
+OIDC_DISCOVERY_URL = "https://auth.remilia.ch/.well-known/openid-configuration"
+
+sentry_sdk.init(
+ dsn="https://62638433153873bc2395021d22e96972@o134957.ingest.us.sentry.io/4508270934360064",
+ # Add data like request headers and IP for users;
+ # see https://docs.sentry.io/platforms/python/data-management/data-collected/ for more info
+ send_default_pii=True,
+ # Set traces_sample_rate to 1.0 to capture 100%
+ # of transactions for tracing.
+ traces_sample_rate=1.0,
+ # To collect profiles for all profile sessions,
+ # set `profile_session_sample_rate` to 1.0.
+ profile_session_sample_rate=1.0,
+ # Profiles will be automatically collected while
+ # there is an active span.
+ profile_lifecycle="trace",
+)
\ No newline at end of file
diff --git a/apps/seija/ourfigurecollection/local_settings.sops.py b/apps/seija/ourfigurecollection/local_settings.sops.py
new file mode 100644
index 0000000..009b50d
--- /dev/null
+++ b/apps/seija/ourfigurecollection/local_settings.sops.py
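Review bot: apps/seija/ourfigurecollection/local_settings.py is committed in clear text with what look like live values for `PASSWORD`, `KAKIGOORI_API_KEY`, `OIDC_CLIENT_SECRET` and the Sentry `dsn`, next to the sops-encrypted `local_settings.sops.py` that the same commit adds. The decrypted file should be dropped from the commit and ignored, for example with a `.gitignore` in this directory containing `local_settings.py`, the way the root `.gitignore` already ignores `secrets.yaml`. Because the values are now in history, removing the file is not enough: the database password, the OIDC client secret and the API key need to be rotated. Separately, `send_default_pii=True` together with `traces_sample_rate=1.0` sends request headers and user IPs to Sentry for every transaction, which deserves a comment stating that this is intended.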
@@ -0,0 +1,15 @@ +{ + "data": "ENC[AES256_GCM,data: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,iv:7IlGRvqypBq82d5wtssqADkCBOvDnRAlJIewsccOcSw=,tag:H5yQtygO/RNhL+1bdEy4bA==,type:str]", + "sops": { + "age": [ + { + "recipient": "age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw", + "enc": "-----BEGIN AGE ENCRYPTED FILE-----\nYWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBtQlE4dEI4WHp1dWs0MU1J\nWmI1aExtdTNRSWVMK0hCZ3JhbzUyUnpBc3pVCmZRWSs2eWwxaTIydTU1TVdhb3RS\nVU00VWNMb1JKUFpwcElHbk14cStveVUKLS0tIDVrcFlmV0dCNXZVaDV5OTZQOTJ2\ndGtzTzQyL1k5QUlyTVcvdk9wWVBBOUUKnGPFDBicVruq445e5JnPutHoXVFnR7h7\nDNBBiZTNDzV73F/DEmwUtUu5r/0WDWfVBTY7EhXyry//JmViF1HGRw==\n-----END AGE ENCRYPTED FILE-----\n" + } + ], + "lastmodified": "2025-07-16T14:35:28Z", + "mac": "ENC[AES256_GCM,data:tJ3DK0YoCy3YpdIq0jzPB8kFDyFx064i7DjouO7GVGWgrbm5i11OO/dvG/LkP5xMVHp83TkUAjbeW9SHM8h2+OiHZwCOfnYEcGQqcK+JMa9o8jDGfsARph6GKTM/JnlkLYyYuIgGqK2XJEmOazQ3Yt2BhGAFb5GrHp9/fVxCG+k=,iv:zlGkcrccPBh7Vbxc7rQjLjrXtmv+278BgV+cfcSt+o4=,tag:dRwIf51HJrqCTAIOVz206Q==,type:str]", + "unencrypted_suffix": "_unencrypted", + "version": "3.10.2" + } +} diff --git a/apps/seija/ourfigurecollection/secrets.sops.yaml b/apps/seija/ourfigurecollection/secrets.sops.yaml new file mode 100644 index 0000000..3c49c57 --- /dev/null +++ b/apps/seija/ourfigurecollection/secrets.sops.yaml 
@@ -0,0 +1,24 @@ +apiVersion: v1 +kind: Secret +metadata: + name: anubis-ourfigurecollection-key +type: Opaque +stringData: + ED25519_PRIVATE_KEY_HEX: ENC[AES256_GCM,data:cXINZRGu3j/lch50MqcOl7TkuVwFmBN16Dt2G9yvGkiGhAukrRBSXLTM5q7zbu1J+bBJi9a2PLvGS8i/Q2Opbg==,iv:hL1XQ+odWJTp6cMBcMbmg+GxURbx6CvIKB8uwk5U15Q=,tag:7RquLIFtPNGeYNXDQKpQeQ==,type:str] + THOTH_URL: ENC[AES256_GCM,data:PqDBOXxE2os0HkTpzhWWDPTxkiQc4N1O8+QCu10DT8QhZneO,iv:jWBYmCIJZJI7atECZSEZ1+SmcWT9F5TR6Az00fohVXA=,tag:NsMNIqQW8OHkn0Ga70hB+A==,type:str] + THOTH_TOKEN: ENC[AES256_GCM,data:brbDUCMIm+AuEfDdsrZT5xpas79Z5WUSGvpL98mcIYpswbqrqluhOUkG6kQrbfnxUm9Z0gW9IPgi+4x8K0hz6YMYPaZVJwau+Ggm8raWY2rKSVI/57S+xqWeRMqD/JegvlFjePZZGqtPEjPXurZC9Hh/mSKPNtk0j/41aLrt9cDZVBlHqYjqPFBAQ0G3opWjOvS552sv+hXHzVy5VmbX/DdYeW9+0Nw8yGk1qJKhNj/uOv0/JufSqIvRPgv4jvAKJ/pFiZ5HHZvn1JC4IVdXfey2oNiRKhD89/CcbJCmk8b9dk4MGQoo6O+ppRUNhQozB2cn5RNgF9LJeFD4Cg8ssPavtWtK8deQc4GruHI9sVu7DG90O6fwH3/Ns+LY9D0f11TI9cux5GzAC0RmnBqU8LyVuQKDqsd6htU=,iv:O05keiJh5iPUhVnrPkW4YMNoAha4ghNBIL0bhu5a56Q=,tag:Wt1I+4ccLuAnQR8obRQafw==,type:str] +sops: + age: + - recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlYU0zZG5LSDNvVEFjeXNE + bWI4RzhxVUp4M3RYN1V3eE96Y2ZXdUxlTWtrCkRvSTVTcU5TeUJSZXBpWFpVQkF4 + czUydFVDdFk3djF3eURLd2tyTVEzRzQKLS0tIFR4NzNTQ3lFUnMyU2R5bW5yaDNa + MGdKQ0tZRGxFRWlER2d6UExkcnFLUHcKI0785hD9BzhDtZk4lIDq/XFGNkaMiVop + PGK6RSbouD5oG0gga07YyAKMsOvz1CCCGEwFhTgsWb2p+1bN2QqXkw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-07-16T14:35:28Z" + mac: ENC[AES256_GCM,data:4GDYYdLIjt+SfUfJvLOLZLrmDBiXhyoh03g5fwk4Uj944I+51paT1oMxJl9Dd0XRWbFK2JMUIc7sSe4HUpsEaSOkfYtM/t4sX0iNTWfPKzxwqOSAE72eDI31ocPUzwlN94/6VYkqPcG1vKADFVqsY4zqp2f2bPOnMbaLLQQGoQU=,iv:91aG7OGowAUkOcp6fLHT8khbSXv2tq8gYFmM4qqcPX0=,tag:zqjA+KVxielyksOtVD8i2w==,type:str] + encrypted_regex: ^(data|stringData)$ + version: 3.10.2 
diff --git a/apps/seija/ourfigurecollection/svc.yaml b/apps/seija/ourfigurecollection/svc.yaml new file mode 100644 index 0000000..b13e0ee --- /dev/null +++ b/apps/seija/ourfigurecollection/svc.yaml @@ -0,0 +1,21 @@ +apiVersion: v1 +kind: Service +metadata: + name: ourfigurecollection +spec: + type: ClusterIP + selector: + app.kubernetes.io/name: ourfigurecollection + ports: + - protocol: TCP + port: 8001 + targetPort: 8001 + name: ourfigurecollection + - protocol: TCP + port: 8002 + targetPort: 8002 + name: ourfigurecollection-static + - protocol: TCP + port: 80 + targetPort: 8080 + name: anubis \ No newline at end of file diff --git a/apps/pocketid/configmap.yaml b/apps/seija/pocketid/configmap.yaml similarity index 100% rename from apps/pocketid/configmap.yaml rename to apps/seija/pocketid/configmap.yaml diff --git a/apps/pocketid/deployment.yaml b/apps/seija/pocketid/deployment.yaml similarity index 100% rename from apps/pocketid/deployment.yaml rename to apps/seija/pocketid/deployment.yaml diff --git a/apps/pocketid/kustomization.yaml b/apps/seija/pocketid/kustomization.yaml similarity index 100% rename from apps/pocketid/kustomization.yaml rename to apps/seija/pocketid/kustomization.yaml diff --git a/apps/pocketid/pvc.yaml b/apps/seija/pocketid/pvc.yaml similarity index 71% rename from apps/pocketid/pvc.yaml rename to apps/seija/pocketid/pvc.yaml index a723e97..0cc456f 100644 --- a/apps/pocketid/pvc.yaml +++ b/apps/seija/pocketid/pvc.yaml @@ -7,5 +7,5 @@ spec: - ReadWriteOnce resources: requests: - storage: 2Gi - storageClassName: seaweedfs-storage \ No newline at end of file + storage: 1Gi + storageClassName: hcloud-volumes diff --git a/apps/pocketid/services.yaml b/apps/seija/pocketid/services.yaml similarity index 100% rename from apps/pocketid/services.yaml rename to apps/seija/pocketid/services.yaml 
diff --git a/apps/prettysunflower-website/deployment.yaml b/apps/seija/prettysunflower-website/deployment.yaml similarity index 76% rename from apps/prettysunflower-website/deployment.yaml rename to apps/seija/prettysunflower-website/deployment.yaml index 9759c3f..7463771 100644 --- a/apps/prettysunflower-website/deployment.yaml +++ b/apps/seija/prettysunflower-website/deployment.yaml @@ -2,11 +2,10 @@ apiVersion: apps/v1 kind: Deployment metadata: name: prettysunflower-website - namespace: prettysunflower-website labels: app.kubernetes.io/name: prettysunflower-website spec: - replicas: 3 + replicas: 2 selector: matchLabels: app.kubernetes.io/name: prettysunflower-website @@ -40,18 +39,28 @@ spec: - name: ED25519_PRIVATE_KEY_HEX valueFrom: secretKeyRef: - name: anubis-key + name: anubis-prettysunflower-website-key key: ED25519_PRIVATE_KEY_HEX - name: "METRICS_BIND" value: ":9090" - name: "SERVE_ROBOTS_TXT" - value: "true" + value: "false" - name: "TARGET" value: "http://localhost:3334" - name: "OG_PASSTHROUGH" value: "true" - name: "OG_EXPIRY_TIME" value: "24h" + - name: "THOTH_URL" + valueFrom: + secretKeyRef: + name: anubis-prettysunflower-website-key + key: THOTH_URL + - name: "THOTH_TOKEN" + valueFrom: + secretKeyRef: + name: anubis-prettysunflower-website-key + key: THOTH_TOKEN resources: limits: cpu: 750m @@ -68,4 +77,8 @@ spec: drop: - ALL seccompProfile: - type: RuntimeDefault \ No newline at end of file + type: RuntimeDefault + dnsPolicy: "ClusterFirst" + dnsConfig: + nameservers: + - 100.96.226.96 diff --git a/apps/prettysunflower-website/kustomization.yaml b/apps/seija/prettysunflower-website/kustomization.yaml similarity index 59% rename from apps/prettysunflower-website/kustomization.yaml rename to apps/seija/prettysunflower-website/kustomization.yaml index c0c3923..f8fa02f 100644 --- a/apps/prettysunflower-website/kustomization.yaml +++ b/apps/seija/prettysunflower-website/kustomization.yaml 
@@ -1,5 +1,4 @@ resources: - deployment.yaml - services.yaml -- secrets.yaml -- namespace.yaml \ No newline at end of file +- secrets.yaml \ No newline at end of file diff --git a/apps/seija/prettysunflower-website/secrets.sops.yaml b/apps/seija/prettysunflower-website/secrets.sops.yaml new file mode 100644 index 0000000..3b1f226 --- /dev/null +++ b/apps/seija/prettysunflower-website/secrets.sops.yaml 
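Review bot: `resources` still lists `secrets.yaml`, but the file this commit adds beside it is `secrets.sops.yaml`, and `.gitignore` excludes `secrets.yaml`. A build from a clean checkout therefore has nothing to resolve until someone decrypts the SOPS file to plaintext on disk. If that decrypt step is the intended workflow, document it above the entry, e.g. `# secrets.yaml is generated locally: sops -d secrets.sops.yaml > secrets.yaml (gitignored)`. Otherwise a SOPS-aware kustomize generator such as KSOPS would avoid leaving decrypted Secrets in the working tree. The etherpad and gotosocial kustomizations added later in this commit list `secrets.yaml` the same way.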
@@ -0,0 +1,48 @@ +apiVersion: v1 +kind: Secret +metadata: + name: prettysunflower-website-secret +type: Opaque +data: + GOOGLE_API_KEY: ENC[AES256_GCM,data:irEM9uQpUiQiQ1ORclh6DbAPdahzXGCC/32KhgVmgxd1ApEd9yxcaH/DaCssldoMyu0EDQ==,iv:rQtEs+4zhA6MVXGJbCFeG+I7X/kGMNW1fcH6jR5hS8w=,tag:dfRid1Arrui6EcFEKh1b4Q==,type:str] +sops: + age: + - recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2d0dIQnlnRjk1UFJTdFlx + bkVjdytJUjF6SnRVMW1tckdGVUN3OTRCRkIwClBhNi9NR1VIQ2dQR2ZjbWd5dnNT + MzlsV2xjaW93NUljeGlnelgxT1pSZlUKLS0tIEJEMS9VNDdQN0ppOEFnZ2lqeFJp + V2cyekl2WmN1cjBWNzVQUStQVmNBQ3MKaAzPeJuPHKUsF8WFMKBLfijcc9xGoiIy + 7ZUqenMvu/hO62LgT+4NlQ66XN/OfLSiwSl3YYuGuELR1jGdK9LXVA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-07-16T14:35:28Z" + mac: ENC[AES256_GCM,data:vaiTEgR5/qYJf9tOwnn4ZB3ZgD62taLHHBEw252d1eaW9TSOCv4UGplPao8CVpp4dtEPY+EJlBV5h3pBB42KFDKZHDSrGqIz3wE/H3xJMovazmz4ZtHKVFbzp852CApL2F7GNWZgyZI/IRyYVk74v7XYqrks+BgF9WnPLdka1WY=,iv:zKYlyFmLeVaMfLiX3ZB3evlbekzrnQKripy6shpWTCs=,tag:dGjhYoaGCxvnJ8JQ6h5qfA==,type:str] + encrypted_regex: ^(data|stringData)$ + version: 3.10.2 +--- +apiVersion: v1 +kind: Secret +metadata: + name: anubis-prettysunflower-website-key +type: Opaque +data: + ED25519_PRIVATE_KEY_HEX: ENC[AES256_GCM,data:rsuPNEvHbI3CRnCDydyYrtkT2VIz9Ps4hos35joR2sVuaNtaLC9NGYeueRRMxusHZIgFED+KqP8YbIYotpOXqJuS8NTjFI8dgQj5dkXF6ZjNk5L3nJz9BA==,iv:mTmq2vSmJVJBQTVPINC4lcK6yxdxOpkHLk3mF8UJ84k=,tag:WbvdAu69Rhdr36aQq1zeYg==,type:str] +stringData: + THOTH_URL: ENC[AES256_GCM,data:o1Gk3f6ADbEyQ1dKXlcMyZqIj9Fb0IXFBkm+PrlBcMb/lPi9,iv:vBS7y4Hj4v8ySNL2zgIIK97wxIwgYs9vuM6lwVZeywc=,tag:SiFy3WIHTz585Zi/BR8X+g==,type:str] + THOTH_TOKEN: 
ENC[AES256_GCM,data:S9ZIlYOTEF31n/AdnPKd/JByg/B+tQpSRLXl8bLjbpA5dMEVBJfjYT68WBh/cJLRIUwkJMJhgIEVN3yJBePRpu+kRRzcg+XE2f4yuYdbgplGYfm7RG50CjE8GRNdLnE5bK05Z7LIuEGeYG6DEDiH0iNHWeZdGpmzeynSxTdVFlcRMSBzi8LRXQdw3ZySOabn+Z2F45Fv6DMKbyANLtR9YPViLvo0B8VLhVtoYJ5spu0Rr31p9ZLv4+w/AfeCt1NrN379UXmEoZ8YgvScpi42q9/qC/zjtKPx0AfC7vuTGSodQPcmmlDkvrxsZC3/mhy9QFsE3vHt64Yk9PcJXiv8R8ZgGN04yiWrI48vkeXjtEe/UIOnCyExwfXVQk6xRATY+xO946NgPUBz6ACX8CcEiiK9UNkZbEULho4=,iv:4+0uA3BWZgctn6W1xZYHjXHksdx364Y+PG6CqCiHKCw=,tag:2lJyO+KISqLFZfaJeaHGbQ==,type:str] +sops: + age: + - recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA2d0dIQnlnRjk1UFJTdFlx + bkVjdytJUjF6SnRVMW1tckdGVUN3OTRCRkIwClBhNi9NR1VIQ2dQR2ZjbWd5dnNT + MzlsV2xjaW93NUljeGlnelgxT1pSZlUKLS0tIEJEMS9VNDdQN0ppOEFnZ2lqeFJp + V2cyekl2WmN1cjBWNzVQUStQVmNBQ3MKaAzPeJuPHKUsF8WFMKBLfijcc9xGoiIy + 7ZUqenMvu/hO62LgT+4NlQ66XN/OfLSiwSl3YYuGuELR1jGdK9LXVA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-07-16T14:35:28Z" + mac: ENC[AES256_GCM,data:vaiTEgR5/qYJf9tOwnn4ZB3ZgD62taLHHBEw252d1eaW9TSOCv4UGplPao8CVpp4dtEPY+EJlBV5h3pBB42KFDKZHDSrGqIz3wE/H3xJMovazmz4ZtHKVFbzp852CApL2F7GNWZgyZI/IRyYVk74v7XYqrks+BgF9WnPLdka1WY=,iv:zKYlyFmLeVaMfLiX3ZB3evlbekzrnQKripy6shpWTCs=,tag:dGjhYoaGCxvnJ8JQ6h5qfA==,type:str] + encrypted_regex: ^(data|stringData)$ + version: 3.10.2 diff --git a/apps/seija/prettysunflower-website/services.yaml b/apps/seija/prettysunflower-website/services.yaml new file mode 100644 index 0000000..7ce4fd4 --- /dev/null +++ b/apps/seija/prettysunflower-website/services.yaml @@ -0,0 +1,17 @@ +apiVersion: v1 +kind: Service +metadata: + name: prettysunflower-website +spec: + type: ClusterIP + selector: + app.kubernetes.io/name: prettysunflower-website + ports: + - protocol: TCP + port: 80 + targetPort: 8080 + name: anubis + - protocol: TCP + port: 8001 + targetPort: 8001 + name: website-static \ No newline at end of file 
diff --git a/apps/privatebin/deployment.yaml b/apps/seija/privatebin/deployment.yaml similarity index 99% rename from apps/privatebin/deployment.yaml rename to apps/seija/privatebin/deployment.yaml index beeb566..765879d 100644 --- a/apps/privatebin/deployment.yaml +++ b/apps/seija/privatebin/deployment.yaml @@ -5,7 +5,7 @@ metadata: labels: app.kubernetes.io/name: privatebin spec: - replicas: 2 + replicas: 1 selector: matchLabels: app.kubernetes.io/name: privatebin diff --git a/apps/privatebin/kustomization.yaml b/apps/seija/privatebin/kustomization.yaml similarity index 100% rename from apps/privatebin/kustomization.yaml rename to apps/seija/privatebin/kustomization.yaml diff --git a/apps/privatebin/pvc.yaml b/apps/seija/privatebin/pvc.yaml similarity index 81% rename from apps/privatebin/pvc.yaml rename to apps/seija/privatebin/pvc.yaml index 347ac21..b14897a 100644 --- a/apps/privatebin/pvc.yaml +++ b/apps/seija/privatebin/pvc.yaml @@ -9,4 +9,4 @@ spec: resources: requests: storage: 5Gi - storageClassName: seaweedfs-storage + storageClassName: hcloud-volumes \ No newline at end of file diff --git a/apps/seija/privatebin/secrets.sops.yaml b/apps/seija/privatebin/secrets.sops.yaml new file mode 100644 index 0000000..abc19fa --- /dev/null +++ b/apps/seija/privatebin/secrets.sops.yaml 
@@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Secret +metadata: + name: anubis-key +type: Opaque +data: + ED25519_PRIVATE_KEY_HEX: ENC[AES256_GCM,data:iatFUERK2zHMMq+2uzsTdr15pnyEY9bXYlXFt3sZR+C36cneumogFu3AhV4j0EadseLDPKxkSml3bazpejSyNvWinjpIOwORSi6EHlw71ByDy4Li4/hppg==,iv:5/wZHTzGHN8okMzzm19gt3T5d2rCjvb4RtoaWCwUwgY=,tag:9ZC63C2okeTRt/wGlvb6Lg==,type:str] +sops: + age: + - recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1aFZqQ3g1VDFLY0RuaVZ0 + bzhpVHd0UERaSnlidVBidzVnR256T0xWS3lnCnBlbDdlSm9CNWlmVmFzdTZPSmFX + bTJUU3hJZy9jKzVWOTJFNVVMbWMzUnMKLS0tIFdDUnpLMGRQTlNjT3pqV2s2OVZH + V0lpRFdvMXVaYWZ6NmVxNTlsM2IvZHMK10ArWUv7S8w0WwDJCmOwWp56Us8fAkrp + 5rZPG2IhlxAG+5NbbQq13jxjGuQuzACllkreXD3NtwmACWgubGZV2Q== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-07-16T14:35:28Z" + mac: ENC[AES256_GCM,data:K7jl1bA6UAlJ3LVJsnAOdHf1MFJAK4vrxRktWzoV1zh4DSOVIo3TeGn7wLqlPlbbILFlXKMJUHT7AzfKyv/MtECTe5TOyjQqFYPZ7ZRvE72faghkJAN/AfHIjLZWFOuWOAB2ZEY9cJWCe7zLbC+cwHC7KxepPBHZdQnh//wuz4s=,iv:aooSLGTTL5v5ZhHGJKKcaCGhSl6GciHpGyG00ybzWIQ=,tag:pQ/HNQODherqkToT+JTbIA==,type:str] + encrypted_regex: ^(data|stringData)$ + version: 3.10.2 diff --git a/apps/privatebin/services.yaml b/apps/seija/privatebin/services.yaml similarity index 100% rename from apps/privatebin/services.yaml rename to apps/seija/privatebin/services.yaml diff --git a/apps/uptime-kuma/deployment.yaml b/apps/seija/uptime-kuma/deployment.yaml similarity index 100% rename from apps/uptime-kuma/deployment.yaml rename to apps/seija/uptime-kuma/deployment.yaml diff --git a/apps/uptime-kuma/kustomization.yaml b/apps/seija/uptime-kuma/kustomization.yaml similarity index 100% rename from apps/uptime-kuma/kustomization.yaml rename to apps/seija/uptime-kuma/kustomization.yaml 
diff --git a/apps/uptime-kuma/pvc.yaml b/apps/seija/uptime-kuma/pvc.yaml similarity index 72% rename from apps/uptime-kuma/pvc.yaml rename to apps/seija/uptime-kuma/pvc.yaml index bb89dfb..07a7bd0 100644 --- a/apps/uptime-kuma/pvc.yaml +++ b/apps/seija/uptime-kuma/pvc.yaml @@ -5,7 +5,7 @@ metadata: spec: accessModes: - ReadWriteOnce - storageClassName: s3yuyuko + storageClassName: hcloud-volumes resources: requests: - storage: 3Gi \ No newline at end of file + storage: 3Gi diff --git a/apps/uptime-kuma/services.yaml b/apps/seija/uptime-kuma/services.yaml similarity index 100% rename from apps/uptime-kuma/services.yaml rename to apps/seija/uptime-kuma/services.yaml diff --git a/apps/thelounge/kustomization.yaml b/apps/seija/znc/kustomization.yaml similarity index 100% rename from apps/thelounge/kustomization.yaml rename to apps/seija/znc/kustomization.yaml diff --git a/apps/znc/pvc.yaml b/apps/seija/znc/pvc.yaml similarity index 80% rename from apps/znc/pvc.yaml rename to apps/seija/znc/pvc.yaml index 9dd1ce7..76cb6ac 100644 --- a/apps/znc/pvc.yaml +++ b/apps/seija/znc/pvc.yaml @@ -8,4 +8,4 @@ spec: resources: requests: storage: 5Gi - storageClassName: seaweedfs-storage \ No newline at end of file + storageClassName: hcloud-volumes \ No newline at end of file diff --git a/apps/znc/services.yaml b/apps/seija/znc/services.yaml similarity index 80% rename from apps/znc/services.yaml rename to apps/seija/znc/services.yaml index dfa7dc7..49204f7 100644 --- a/apps/znc/services.yaml +++ b/apps/seija/znc/services.yaml @@ -1,7 +1,7 @@ apiVersion: v1 kind: Service metadata: - name: znc-service + name: znc spec: type: NodePort selector: @@ -10,10 +10,8 @@ spec: - protocol: TCP port: 4921 targetPort: 4921 - nodePort: 30004 name: https - protocol: TCP port: 4922 targetPort: 4922 - nodePort: 30008 name: http \ No newline at end of file 
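Review bot: In `apps/seija/znc/services.yaml` the Service keeps `type: NodePort` while the second hunk removes the fixed `nodePort: 30004` and `nodePort: 30008`. Kubernetes will then allocate two arbitrary ports from the node-port range and open them on every node. If ZNC is now reached through the cluster network or an ingress, change the line to `type: ClusterIP` so the bouncer is not exposed on node addresses. If external access is still required, keep the explicit `nodePort` values so firewall rules can stay pinned to known ports.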
diff --git a/apps/znc/statefulset.yaml b/apps/seija/znc/statefulset.yaml similarity index 100% rename from apps/znc/statefulset.yaml rename to apps/seija/znc/statefulset.yaml diff --git a/apps/sekibanki/etherpad/configmap.yaml b/apps/sekibanki/etherpad/configmap.yaml new file mode 100644 index 0000000..9dcd207 --- /dev/null +++ b/apps/sekibanki/etherpad/configmap.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: etherpad-config +data: + TITLE: "🌻 Etherpad" + DEFAULT_PAD_TEXT: "Welcome to Etherpad! This pad text is provided by the prettysunflower collective, and is synchronized as you type, so that everyone viewing this page sees the same text. This allows you to collaborate seamlessly on documents! Get involved with Etherpad at https://etherpad.org" + DB_TYPE: "postgres" + DB_HOST: "100.110.40.2" + DB_PORT: "5432" + TRUST_PROXY: "true" + AUTOMATIC_RECONNECTION_TIMEOUT: "5" diff --git a/apps/sekibanki/etherpad/deployment.yaml b/apps/sekibanki/etherpad/deployment.yaml new file mode 100644 index 0000000..1fca072 --- /dev/null +++ b/apps/sekibanki/etherpad/deployment.yaml 
@@ -0,0 +1,48 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: etherpad
+ labels:
+ app.kubernetes.io/name: etherpad
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: etherpad
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: etherpad
+ spec:
+ affinity:
+ nodeAffinity:
+ preferredDuringSchedulingIgnoredDuringExecution:
+ - weight: 1
+ preference:
+ matchExpressions:
+ - key: location
+ operator: In
+ values:
+ - fsn
+ containers:
+ - name: etherpad
+ image: etherpad/etherpad:2.3.2
+ ports:
+ - containerPort: 9001
+ name: http
+ envFrom:
+ - configMapRef:
+ name: etherpad-config
+ - secretRef:
+ name: etherpad-secrets
+ volumeMounts:
+ - name: etherpad-images
+ mountPath: /opt/etherpad-lite/src/static/skins/colibris/images
+ dnsPolicy: "None"
+ dnsConfig:
+ nameservers:
+ - 100.96.226.96
+ volumes:
+ - name: etherpad-images
+ persistentVolumeClaim:
+ claimName: etherpad-images-pvc
\ No newline at end of file
diff --git a/apps/sekibanki/etherpad/fond.jpg b/apps/sekibanki/etherpad/fond.jpg
new file mode 100644
index 0000000..11793b0
Binary files /dev/null and b/apps/sekibanki/etherpad/fond.jpg differ
diff --git a/apps/sekibanki/etherpad/kustomization.yaml b/apps/sekibanki/etherpad/kustomization.yaml
new file mode 100644
index 0000000..527409e
--- /dev/null
+++ b/apps/sekibanki/etherpad/kustomization.yaml
@@ -0,0 +1,6 @@
+resources:
+- deployment.yaml
+- configmap.yaml
+- secrets.yaml
+- svc.yaml
+- pvc.yaml
\ No newline at end of file
diff --git a/apps/sekibanki/etherpad/pvc.yaml b/apps/sekibanki/etherpad/pvc.yaml
new file mode 100644
index 0000000..e24b7c3
--- /dev/null
+++ b/apps/sekibanki/etherpad/pvc.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: etherpad-images-pvc
+spec:
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 256M
+ storageClassName: nfs-csi
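Review bot: The `etherpad` container in `apps/sekibanki/etherpad/deployment.yaml` is added without a `securityContext`. The gotosocial Deployment in this same commit sets `runAsNonRoot`, `allowPrivilegeEscalation: false`, dropped capabilities and a `RuntimeDefault` seccomp profile, and the two should agree. Whether the image's default user satisfies `runAsNonRoot` has to be confirmed against `etherpad/etherpad:2.3.2` before that line is enabled. The container also has no `resources` block, so nothing bounds its CPU or memory on the node.

```yaml
      - name: etherpad
        image: etherpad/etherpad:2.3.2
        # … unchanged: ports, envFrom, volumeMounts …
        securityContext:
          runAsNonRoot: true  # confirm the image does not run as root
          allowPrivilegeEscalation: false
          capabilities:
            drop:
            - ALL
          seccompProfile:
            type: RuntimeDefault
```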
diff --git a/apps/sekibanki/etherpad/secrets.sops.yaml b/apps/sekibanki/etherpad/secrets.sops.yaml new file mode 100644 index 0000000..642750b --- /dev/null +++ b/apps/sekibanki/etherpad/secrets.sops.yaml @@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Secret +metadata: + name: etherpad-secrets +type: Opaque +stringData: + DB_USER: ENC[AES256_GCM,data:8ewltKeF4XE=,iv:VEzUayqbRUGl3aPpIic56MLVaYymw9Rf/OUjdOsnlWk=,tag:w2BtxnVBVtQopPNxRr+rRQ==,type:str] + DB_PASS: ENC[AES256_GCM,data:/dppdINLe4fiEdyjbeE=,iv:5iO79O+81CV1UROtDPuoupd1HIk9x14RQ981ZdEe/GM=,tag:EQ/9Ugs/UGQur1+RvmVluw==,type:str] +sops: + age: + - recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzWGM5T1VTUkdZanNNRTR3 + bkprOEYzTGorSDh4a1Y3dytJT3p0QlBtQW1nCkdsVUEzUWxVckpiZjRkUHFpSFRM + bXFUNnk0TEFuYmd6WUdRM0swWE5FYlUKLS0tIFJlTmxkaXdJM1ZDeDd2ejB2czVw + SzYvV1RmYXpzdnZBU1RYaS9NYlAxaFkKEbbTjI6c2cr/NqGA4rZEmSpeVni1R1KP + 7CPrKpPiV96vnG9NM37L2lpwZvig5H3JUtPdRzSdpJJDoQbBeAvpYg== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-07-16T14:35:28Z" + mac: ENC[AES256_GCM,data:UPl5mlWdtTyXl6W+QINngFrMIPpMdOrnRPCREsFuMJqcU0Qb2udIBImZIeYdURXd/ymRr3hwC0E6bzRbQJBUEJpd9oWzOTv/IIsvdptnjuKjZz7Ojnpfrmd8FO8YuSnR9x/qHC4B05E14GPrOKHJIOuKrAv40ATSwrAl2PFdoTo=,iv:meWIlngiKEWHoivsDv4AUFOEJY4w75zuL9lVtv9VW2E=,tag:HpHKDB5Ux57YM5yeGgx4og==,type:str] + encrypted_regex: ^(data|stringData)$ + version: 3.10.2 diff --git a/apps/sekibanki/etherpad/svc.yaml b/apps/sekibanki/etherpad/svc.yaml new file mode 100644 index 0000000..be33d5c --- /dev/null +++ b/apps/sekibanki/etherpad/svc.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Service +metadata: + name: etherpad +spec: + type: ClusterIP + selector: + app.kubernetes.io/name: etherpad + ports: + - protocol: TCP + port: 80 + targetPort: http \ No newline at end of file 
diff --git a/apps/gitea/configmap.yaml b/apps/sekibanki/gitea/configmap.yaml similarity index 93% rename from apps/gitea/configmap.yaml rename to apps/sekibanki/gitea/configmap.yaml index abfc7ff..e4120c4 100644 --- a/apps/gitea/configmap.yaml +++ b/apps/sekibanki/gitea/configmap.yaml @@ -13,7 +13,7 @@ data: GITEA__server__STATIC_ROOT_PATH: /usr/share/webapps/gitea GITEA__server__APP_DATA_PATH: /var/lib/gitea/data GITEA__server__LFS_START_SERVER: "true" - GITEA__server__SSH_DOMAIN: git.default.svc.yakumo.prettysunflower.moe + GITEA__server__SSH_DOMAIN: git.default.svc.sekibanki.prettysunflower.moe GITEA__server__DOMAIN: git.prettysunflower.moe GITEA__server__HTTP_PORT: "3000" GITEA__server__ROOT_URL: https://git.prettysunflower.moe/ @@ -23,7 +23,7 @@ data: GITEA__server__PUBLIC_URL_DETECTION: auto GITEA__database__DB_TYPE: postgres GITEA__database__SSL_MODE: disable - GITEA__database__HOST: 100.75.132.10:5432 + GITEA__database__HOST: 100.110.40.2:5432 GITEA__database__NAME: gitea GITEA__database__SCHEMA: public GITEA__database__LOG_SQL: "false" @@ -61,4 +61,4 @@ data: GITEA__security__PASSWORD_HASH_ALGO: argon2 GITEA__cache__ADAPTER: redis GITEA__cache__HOST: redis://127.0.0.1:6379/0 - GITEA__cache_0X2E_last_commit__COMMITS_COUNT: "1" \ No newline at end of file + GITEA__cache_0X2E_last_commit__COMMITS_COUNT: "1" diff --git a/apps/gitea/deployment.yaml b/apps/sekibanki/gitea/deployment.yaml similarity index 87% rename from apps/gitea/deployment.yaml rename to apps/sekibanki/gitea/deployment.yaml index 330ef8f..20dfafd 100644 --- a/apps/gitea/deployment.yaml +++ b/apps/sekibanki/gitea/deployment.yaml @@ -14,16 +14,6 @@ spec: labels: app.kubernetes.io/name: gitea spec: - affinity: - nodeAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 1 - preference: - matchExpressions: - - key: location - operator: In - values: - - fsn volumes: - name: data persistentVolumeClaim: 
@@ -40,7 +30,7 @@ spec: nameservers: - 100.96.226.96 containers: - - image: docker.gitea.com/gitea:1.24.2-rootless + - image: docker.gitea.com/gitea:1.24.3-rootless name: gitea ports: - containerPort: 3000 diff --git a/apps/gitea/kustomization.yaml b/apps/sekibanki/gitea/kustomization.yaml similarity index 100% rename from apps/gitea/kustomization.yaml rename to apps/sekibanki/gitea/kustomization.yaml diff --git a/apps/gitea/pvc.yaml b/apps/sekibanki/gitea/pvc.yaml similarity index 55% rename from apps/gitea/pvc.yaml rename to apps/sekibanki/gitea/pvc.yaml index dc65039..9c194a3 100644 --- a/apps/gitea/pvc.yaml +++ b/apps/sekibanki/gitea/pvc.yaml @@ -8,8 +8,8 @@ spec: - ReadWriteMany resources: requests: - storage: 5G - storageClassName: seaweedfs-storage + storage: 50G + storageClassName: nfs-csi --- apiVersion: v1 kind: PersistentVolumeClaim @@ -21,16 +21,4 @@ spec: resources: requests: storage: 64M - storageClassName: seaweedfs-storage ---- -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: gitea-tigris-pvc -spec: - accessModes: - - ReadWriteMany - resources: - requests: - storage: 50G - storageClassName: tigris \ No newline at end of file + storageClassName: nfs-csi \ No newline at end of file diff --git a/apps/sekibanki/gitea/secrets.sops.yaml b/apps/sekibanki/gitea/secrets.sops.yaml new file mode 100644 index 0000000..33af152 --- /dev/null +++ b/apps/sekibanki/gitea/secrets.sops.yaml 
@@ -0,0 +1,30 @@ +apiVersion: v1 +kind: Secret +metadata: + name: gitea-secrets +type: Opaque +stringData: + GITEA__server__LFS_JWT_SECRET: ENC[AES256_GCM,data:lUGklHzgVyGtW7YWHqQlOEs9TlcKrAp+wOHKmvrnUx7g9NzrUOarqVwwqg==,iv:Fyr5WFaFps60Sc735FkcdaTUfP4Rf++3ZGFC8/x/beI=,tag:D11RCpU8j1YkqJnJghzbPw==,type:str] + GITEA__database__USER: ENC[AES256_GCM,data:J1WUgvw=,iv:f/PIxtSVYJD0M6oQATy/cCcLqBska2KbqJu0LOdgCnQ=,tag:6J1NjGpVEKQY+eII5aM2kQ==,type:str] + GITEA__database__PASSWD: ENC[AES256_GCM,data:MDsAOxL3BDmZD2s8NPE=,iv:nbs4k3kqZbJXW3ptyQy04M8ZehxXzzRiaJpCFbmeGXA=,tag:+EXlilcYXFdU1flRV+Y+nw==,type:str] + GITEA__mailer__USER: ENC[AES256_GCM,data:h3aLMQygmPalb53QGe4KP2DvQxpUaw==,iv:nsTin6xBu6aGEfElOULW7ScdvMUNoM5fbX3x+WSpwgc=,tag:w8Nvm/XOBQqDHdRBgmDc4w==,type:str] + GITEA__mailer__PASSWD: ENC[AES256_GCM,data:aDuDhi8miweNKBYV2N7p5Q==,iv:WPur5yPGtKOUPQ+17MfihHljinBAKgpFTnXPW/HGuO4=,tag:fEAUy5bfxwIFEUs5oYljtQ==,type:str] + GITEA__storage__MINIO_SECRET_ACCESS_KEY: ENC[AES256_GCM,data:gDC9Xk6k01sar/AdG6FA7topLA1yzBklpXB3v11u7PseRXKtxSzbjg3yRSxDKfS7dz0uuChTx/Fj4yR3+MZSKMR+Av1UU9dA0koS,iv:lMvi+NCmeZZz7AtVhFJpM1qjweGf9tNmA0pXSJdsdL0=,tag:NbCmn20JTrYSzmbc2kgnBQ==,type:str] + GITEA__security__INTERNAL_TOKEN: ENC[AES256_GCM,data:LBD8u8OsXhkO69XSvhfP0vDCeZRfY+Yc1nKfaacCF2QL/T6v2054ymbvGjTvR+DM5g+XezwZWLYrE+AfY5LEa35EpC4S2c7kQAGikyBvGo9ANAcP6NxfC6ShraUBnGg5njrjf4ZVBGrd,iv:xH5amSwdV5e4rqneqr/x62hCdOWnjoPHFA30LwM3260=,tag:LhK1heV4xe3qUXwZ+pgfwg==,type:str] + GITEA__security__SECRET_KEY: ENC[AES256_GCM,data:mRdk8gS0wrV6PYr9jiSwvZAql4SyUjXEc0UNLdZMV3FOZsRKPHVWAsiw443HwPZ8pyBH6ucNHj1Zdj9qTMonHg==,iv:k8EIL2n+EGT+Fz0wTP4u+Tczyv2la478x0oV/jAHa/o=,tag:0gfQNJ3YQ6EK5WAPfzd6dg==,type:str] + GITEA__oauth2__JWT_SECRET: ENC[AES256_GCM,data:JoU3xarzXINK1Vs0slgtdVYGG9ilTENLzt2ggT69zFoQppQKt2lZUmqw5g==,iv:nAd74z6iMwpYN++0FQ8Ow3cg03sYBrV6790NiV4y2lk=,tag:KAvL0ugsZDzRfhpdoqzo/A==,type:str] +sops: + age: + - recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw + enc: | + -----BEGIN AGE 
ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSArUU5vdTVaS2t6OXpwaUEx + cUNTWFpUbkVmYStHT1VBRXBJWCsvZllzQWwwClZZV01aSFRaamI2VzR5SGNvR0ZE + VUQyU3hPVUZUY2dHT1NSMzdGdHVSeHMKLS0tIHRBRlVzRWR4b2tXb3o5UmxPdjNt + YXRHQkdHek1DTkM5WjhRenBaLzRxdEUKBypMt0YqbWUgzmcMgfWjEXDICOstdYya + sGqjC1GYuaffqCrpWScDq5ok/QXznbye3yEJwzV1opwbhKPrWmOgqQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-07-16T14:35:28Z" + mac: ENC[AES256_GCM,data:0N1JMKyxhHKsQ/Q5A9uCCAo+E5tvbhA75wJiVAX1fSRtPIfaJ7T6LdP7MLLxNXQTcl+LqcHn+XvIfU7z5XeZmH/qBZZEldgwj8CbEhPKjw3+kThoNWHV5nggxlIyFePE18bo/lpRV8Bqpyhocdd0F1fEDNEotnaO5Nle7SWAcWo=,iv:qWEv7WVf2v7aIr19S7OE/Q4Fu13FZ7hVF+bAdlZZv1s=,tag:/rzDd4uheETv+WugfaizEw==,type:str] + encrypted_regex: ^(data|stringData)$ + version: 3.10.2 diff --git a/apps/gitea/svc.yaml b/apps/sekibanki/gitea/svc.yaml similarity index 100% rename from apps/gitea/svc.yaml rename to apps/sekibanki/gitea/svc.yaml diff --git a/apps/glance/deployment.yaml b/apps/sekibanki/glance/deployment.yaml similarity index 98% rename from apps/glance/deployment.yaml rename to apps/sekibanki/glance/deployment.yaml index 3fffe9a..737c499 100644 --- a/apps/glance/deployment.yaml +++ b/apps/sekibanki/glance/deployment.yaml @@ -5,7 +5,7 @@ metadata: labels: app.kubernetes.io/name: glance spec: - replicas: 2 + replicas: 1 selector: matchLabels: app.kubernetes.io/name: glance diff --git a/apps/glance/glance.yml b/apps/sekibanki/glance/glance.yml similarity index 97% rename from apps/glance/glance.yml rename to apps/sekibanki/glance/glance.yml index 79dd6e8..75a9bb4 100644 --- a/apps/glance/glance.yml +++ b/apps/sekibanki/glance/glance.yml @@ -40,7 +40,10 @@ pages: - type: search search-engine: https://kagi.com/search?token=ygXAizA-9gY.ejxyFYbeHxOWVxBYgxMGtJPmAeu1pi1DCtOVTW5yFd8&q={QUERY} autofocus: true - - type: hacker-news + - type: group + widgets: + - type: lobsters + - type: hacker-news - type: bookmarks groups: - title: Internal 
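Review bot: In `apps/sekibanki/glance/glance.yml` the `search-engine` URL on a context line of this hunk carries a Kagi `token=` query parameter in cleartext. The commit moves the file without bringing it under the SOPS scheme used for the other secrets. The value looks like a private session link, which would let anyone with read access to the repository search under the owner's account; it is probably also delivered to every browser that loads the page. Revoke the token and keep the replacement out of the tracked file, for example by injecting it from a Secret if the deployed Glance version supports environment substitution in its config (to be confirmed). The `pages` list starts and ends outside the hunk.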
diff --git a/apps/glance/kustomization.yaml b/apps/sekibanki/glance/kustomization.yaml
similarity index 100%
rename from apps/glance/kustomization.yaml
rename to apps/sekibanki/glance/kustomization.yaml
diff --git a/apps/glance/services.yaml b/apps/sekibanki/glance/services.yaml
similarity index 100%
rename from apps/glance/services.yaml
rename to apps/sekibanki/glance/services.yaml
diff --git a/apps/sekibanki/gotosocial/configmap.yaml b/apps/sekibanki/gotosocial/configmap.yaml
new file mode 100644
index 0000000..1e837e2
--- /dev/null
+++ b/apps/sekibanki/gotosocial/configmap.yaml
@@ -0,0 +1,10 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+ name: gotosocial-config
+data:
+ GTS_HOST: fedi.prettysunflower.moe
+ GTS_ACCOUNT_DOMAIN: prettysunflower.moe
+ GTS_TRUSTED_PROXIES: "10.217.0.0/32"
+ GTS_INSTANCE_LANGUAGES: en,fr
+ GTS_ACCOUNTS_ALLOW_CUSTOM_CSS: "true"
\ No newline at end of file
diff --git a/apps/sekibanki/gotosocial/deployment.yaml b/apps/sekibanki/gotosocial/deployment.yaml
new file mode 100644
index 0000000..817cae1
--- /dev/null
+++ b/apps/sekibanki/gotosocial/deployment.yaml
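Review bot: `GTS_TRUSTED_PROXIES: "10.217.0.0/32"` in the gotosocial ConfigMap trusts exactly one address, and that address is the network address of its block, which is unlikely to be the ingress proxy's source IP. If the proxy connects from any other address, GoToSocial will ignore its forwarded-for header and attribute every request, and every rate-limit decision, to the proxy itself. If the pod network was meant, the value needs a wider prefix such as `GTS_TRUSTED_PROXIES: "10.217.0.0/16"`; that CIDR is a constructed example, and the real one has to come from the cluster's network configuration, which is not visible here. Keep the range as narrow as the proxy's actual source addresses, since any trusted address can assert an arbitrary client IP.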
@@ -0,0 +1,76 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: gotosocial
+ labels:
+ app.kubernetes.io/name: gotosocial
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: gotosocial
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: gotosocial
+ spec:
+ volumes:
+ - name: data
+ persistentVolumeClaim:
+ claimName: gotosocial-pvc
+ dnsPolicy: "None"
+ dnsConfig:
+ nameservers:
+ - 100.96.226.96
+ containers:
+ - image: docker.io/superseriousbusiness/gotosocial:0.19.1
+ name: gotosocial
+ ports:
+ - containerPort: 8080
+ protocol: TCP
+ name: http
+ volumeMounts:
+ - name: data
+ mountPath: /gotosocial/storage
+ envFrom:
+ - configMapRef:
+ name: gotosocial-config
+ - secretRef:
+ name: gotosocial-secrets
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+ livenessProbe:
+ httpGet:
+ path: /livez
+ port: http
+ initialDelaySeconds: 30
+ periodSeconds: 30
+ timeoutSeconds: 5
+ failureThreshold: 3
+ successThreshold: 1
+ startupProbe:
+ httpGet:
+ path: /readyz
+ port: http
+ initialDelaySeconds: 10
+ periodSeconds: 10
+ timeoutSeconds: 5
+ failureThreshold: 30
+ successThreshold: 1
+ readinessProbe:
+ httpGet:
+ path: /readyz
+ port: http
+ initialDelaySeconds: 15
+ periodSeconds: 10
+ timeoutSeconds: 5
+ failureThreshold: 3
+ successThreshold: 1
\ No newline at end of file
diff --git a/apps/sekibanki/gotosocial/kustomization.yaml b/apps/sekibanki/gotosocial/kustomization.yaml
new file mode 100644
index 0000000..9894c8b
--- /dev/null
+++ b/apps/sekibanki/gotosocial/kustomization.yaml
@@ -0,0 +1,6 @@
+resources:
+- configmap.yaml
+- deployment.yaml
+- pvc.yaml
+- secrets.yaml
+- svc.yaml
\ No newline at end of file
diff --git a/apps/sekibanki/gotosocial/pvc.yaml b/apps/sekibanki/gotosocial/pvc.yaml
new file mode 100644
index 0000000..7a8dd73
--- /dev/null
+++ b/apps/sekibanki/gotosocial/pvc.yaml @@ -0,0 +1,12 @@ +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: gotosocial-pvc +spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 10G + storageClassName: nfs-csi \ No newline at end of file diff --git a/apps/sekibanki/gotosocial/secrets.sops.yaml b/apps/sekibanki/gotosocial/secrets.sops.yaml new file mode 100644 index 0000000..2d9bba5 --- /dev/null +++ b/apps/sekibanki/gotosocial/secrets.sops.yaml @@ -0,0 +1,24 @@ +apiVersion: v1 +kind: Secret +metadata: + name: gotosocial-secrets +type: Opaque +stringData: + GTS_DB_ADDRESS: ENC[AES256_GCM,data:PqPAl3c/2yYw/R+o,iv:01M73o6Ok/cDxxtSpHjduWKSFplXNJ93WcQYf19DTWg=,tag:KdMISrg8LEG7pj49OyeYdA==,type:str] + GTS_DB_USER: ENC[AES256_GCM,data:LFMfG09Z2OIBhA==,iv:L2Gapmk2nvOdDRiRM7sRLdIJnhhJ+N9kAzYl4P4w7r8=,tag:PghjpZRZjiN6BqvCz5g3Dg==,type:str] + GTS_DB_PASSWORD: ENC[AES256_GCM,data:CnqraWwcOkRHt+ET/0lp,iv:asmChmzapS73l3nTVK+qhBr3HDNi7UvNVwjOO2razPk=,tag:fB9JOnpqWf1ZczAjIjc9Zg==,type:str] +sops: + age: + - recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB6dkoxaUJ2bnRDNEFadjdN + MFRmUUM2M0xlRXJ1WmhPY080WVdHa2h2S1FRCnI2MmdJRUxlUlNxVnBUa3ZHUEVF + YkxKaUZXYTFrU0FYSmNIQm94SDN4bHcKLS0tIHIvdTBXdmxqM2I3WGo3dWpPK3lL + ditudGE2OVpNZVRTMXdoM2w2eHdpZkUKOQ+LS4zDEeJheoJ/pR06h/WwozoyBXMz + DbxFpJ0ykjmUuRJ3CBr/MPVRa0V8NA8qVTHxjYDYwg4H9LH4nB+yiw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-07-16T14:35:28Z" + mac: ENC[AES256_GCM,data:Ys4wt4Z2ocKt3WPxztXl7K/2gEFnnppxvSPGxqB6KBeNe/mRkYQ7PAqCcUKZledncIgXpxRfU/Cv7huc93MlQVGyNZ1MgYO7U9H8vBHaDJuS1bAJ6n/NnDKKCQA7yJOJpfd09FnScOpeMf1cO+PQPuHaYUbIZpS+6ctepXLpHQo=,iv:uCFSGP8qvZA6EmTzUD6q9uwrkIHraMGyyjQ+42FikTM=,tag:gCePqCDIeZ3yxkKbsWCsZw==,type:str] + encrypted_regex: ^(data|stringData)$ + version: 3.10.2 
diff --git a/apps/teable/services.yaml b/apps/sekibanki/gotosocial/svc.yaml similarity index 59% rename from apps/teable/services.yaml rename to apps/sekibanki/gotosocial/svc.yaml index 20ba688..12bd439 100644 --- a/apps/teable/services.yaml +++ b/apps/sekibanki/gotosocial/svc.yaml @@ -1,14 +1,13 @@ apiVersion: v1 kind: Service metadata: - name: teable - namespace: teable + name: gotosocial spec: type: ClusterIP selector: - app.kubernetes.io/name: teable + app.kubernetes.io/name: gotosocial ports: - protocol: TCP port: 80 - targetPort: 3000 + targetPort: http name: http \ No newline at end of file diff --git a/apps/opengist/deployment.yaml b/apps/sekibanki/opengist/deployment.yaml similarity index 100% rename from apps/opengist/deployment.yaml rename to apps/sekibanki/opengist/deployment.yaml diff --git a/apps/opengist/kustomization.yaml b/apps/sekibanki/opengist/kustomization.yaml similarity index 100% rename from apps/opengist/kustomization.yaml rename to apps/sekibanki/opengist/kustomization.yaml diff --git a/apps/opengist/pvc.yaml b/apps/sekibanki/opengist/pvc.yaml similarity index 82% rename from apps/opengist/pvc.yaml rename to apps/sekibanki/opengist/pvc.yaml index 34436fb..6129c10 100644 --- a/apps/opengist/pvc.yaml +++ b/apps/sekibanki/opengist/pvc.yaml @@ -9,4 +9,4 @@ spec: resources: requests: storage: 5Gi - storageClassName: seaweedfs-storage \ No newline at end of file + storageClassName: nfs-csi \ No newline at end of file diff --git a/apps/sekibanki/opengist/secrets.sops.yaml b/apps/sekibanki/opengist/secrets.sops.yaml new file mode 100644 index 0000000..b63911d --- /dev/null +++ b/apps/sekibanki/opengist/secrets.sops.yaml 
@@ -0,0 +1,28 @@ +apiVersion: v1 +kind: Secret +metadata: + name: opengist-secret +type: Opaque +data: + OG_SECRET_KEY: ENC[AES256_GCM,data:CvlbIc/O4FkhELpy76zfE027zavhIEfSDx1JwPfjN5716LJDEuPIoLd19RDx8i92jbPk5RrGEvgLcwyWShwQ11BXPuXIXD8KsAqFwECwk6TKneuJSDbnlQ==,iv:xruob7s++xnqvzmS+JboXlL6W0leicziZMOc0zn//HA=,tag:/OLxQC02uFbcduvhJeoAKg==,type:str] + OG_OIDC_PROVIDER_NAME: ENC[AES256_GCM,data:Asg/Wvct6UjcKQj0ZmO/zWYAlZ8=,iv:14qEsQgm923nX3L+zDrrwYWX4oqpAGRS5lkP/c+Ufl4=,tag:38WXRayva09L2/QsKqPsXw==,type:str] + OG_OIDC_DISCOVERY_URL: ENC[AES256_GCM,data:3OD/XS9JUAAI3MacofVKQXWl/jC1mBoG9CEFmIm/ol7GaN9PBdmlC7c5+rsvf37aolqKkpyQdlVVEAlP98caRAJxR75STzEQS708pw==,iv:b4d1i/xOX3TaYR3ZwDh84mvAe0MYmat5JHLJj4TXSsU=,tag:5Aqhpl39RURk+PjEPJtw2A==,type:str] +stringData: + OG_OIDC_CLIENT_KEY: ENC[AES256_GCM,data:mdWOC+W+ksd+XOJRYKBEFSHDyIYV7ID9fYkpHAjoJf9UNx+c,iv:xU9zVltACcgqsATlJgfhT7M/P3+sVIE8rWn83/1fubo=,tag:rW3zq1rY0InpFo3Mmgft2A==,type:str] + OG_OIDC_SECRET: ENC[AES256_GCM,data:97lerV+9dPvEcCEJneTnwO7Iv829PnLiGd0WYuD48H4=,iv:5oDgiZ0oOnTCVJPyHXIQ+Tjaq/dBe+xZEn6EhGaDn+s=,tag:ZWBqzTGREyEuDRu6gBfKcA==,type:str] + OG_DB_URI: ENC[AES256_GCM,data:QjdJc2PDyMTBga9P+U6c5JkTABuXIpoA5ba+rPW+DHyWDA7WZtvlt+cssPd2yBH363+XqLmH40r9Wz8pWXaRHj7dnhmI7cSfSgtnGA==,iv:ilk2GD0wL/5jefsa5fu9YXwXn0G+U4Agqzme+ilUGL4=,tag:F8C+/Hdv/gSkh0Uvxt1qAA==,type:str] +sops: + age: + - recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBYMnRpRlJxbjBReDVGS2dY + bDNyVlFWaW5oQ2VmaUdsRWNZN0dnNE9kQ1FJCjg5VW9XOUc3eEdOcnZCMTI4YXcz + Q3RpZjNIczJSV01QZmFsRkV6aU4vMEkKLS0tIE5xMHd4Tk1xYlllTWwxQ2htS1NR + M3VwVERJVHE3VVB0QzlOMGk4RDF1UEkKT2BbgMdJBz9OVX279VffXQ+LonSi5IzB + +gxybF3+/HzTaGnKo0juVDO8x8cZqjmWkOWGl7iFTDv7z87qHgLV+A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-07-16T14:35:28Z" + mac: 
ENC[AES256_GCM,data:KIeBdomBppTaAua5hF3UJUX3a2bViLNEu2kygATDCEovnhCZCr7vwuJBHnwOq9X1+tvoMJLzEf4vhXCE2PjOcNAf5QHR/a/7NZdnB/9lnWCpRVu2Av6vJPBtbqWhIhS6skFgBPnz22Lo9y1A4ZhqiMF4kx0gVKe8CfMXhFhcfT4=,iv:TfY9mxLBDllQE56GklfCgMD9OrSW1tHMHvhWKVjQulI=,tag:O//p0etj0WTf+/5qnmkmEw==,type:str] + encrypted_regex: ^(data|stringData)$ + version: 3.10.2 diff --git a/apps/opengist/services.yaml b/apps/sekibanki/opengist/services.yaml similarity index 100% rename from apps/opengist/services.yaml rename to apps/sekibanki/opengist/services.yaml diff --git a/apps/sekibanki/planka/configmap.yaml b/apps/sekibanki/planka/configmap.yaml new file mode 100644 index 0000000..86e9f2f --- /dev/null +++ b/apps/sekibanki/planka/configmap.yaml @@ -0,0 +1,10 @@ +apiVersion: v1 +kind: ConfigMap +metadata: + name: planka-config +data: + BASE_URL: https://kanban.prettysunflower.moe + OIDC_ISSUER: https://auth.remilia.ch + OIDC_CLIENT_ID: eb200a8b-5b93-4b77-a070-1081481270a1 + OIDC_IGNORE_ROLES: "true" + OIDC_ENFORCED: "true" \ No newline at end of file diff --git a/apps/sekibanki/planka/deployment.yaml b/apps/sekibanki/planka/deployment.yaml new file mode 100644 index 0000000..aa8bf86 --- /dev/null +++ b/apps/sekibanki/planka/deployment.yaml 
@@ -0,0 +1,44 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: planka
+ labels:
+ app.kubernetes.io/name: planka
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: planka
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: planka
+ spec:
+ volumes:
+ - name: planka-data
+ persistentVolumeClaim:
+ claimName: planka-data-pvc
+ containers:
+ - name: planka
+ image: ghcr.io/plankanban/planka:2.0.0-rc.3
+ ports:
+ - containerPort: 1337
+ name: http
+ volumeMounts:
+ - name: planka-data
+ subPath: favicons
+ mountPath: "/app/public/favicons/"
+ - name: planka-data
+ subPath: user-avatars
+ mountPath: "/app/public/user-avatars/"
+ - name: planka-data
+ subPath: background-images
+ mountPath: "/app/public/background-images/"
+ - name: planka-data
+ subPath: attachments
+ mountPath: "/app/private/attachments/"
+ envFrom:
+ - configMapRef:
+ name: planka-config
+ - secretRef:
+ name: planka-secrets
\ No newline at end of file
diff --git a/apps/sekibanki/planka/kustomization.yaml b/apps/sekibanki/planka/kustomization.yaml
new file mode 100644
index 0000000..9894c8b
--- /dev/null
+++ b/apps/sekibanki/planka/kustomization.yaml
@@ -0,0 +1,6 @@
+resources:
+- configmap.yaml
+- deployment.yaml
+- pvc.yaml
+- secrets.yaml
+- svc.yaml
\ No newline at end of file
diff --git a/apps/sekibanki/planka/pvc.yaml b/apps/sekibanki/planka/pvc.yaml
new file mode 100644
index 0000000..415b569
--- /dev/null
+++ b/apps/sekibanki/planka/pvc.yaml
@@ -0,0 +1,12 @@
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: planka-data-pvc
+spec:
+ accessModes:
+ - ReadWriteMany
+ resources:
+ requests:
+ storage: 5G
+ storageClassName: nfs-csi
\ No newline at end of file
diff --git a/apps/sekibanki/planka/secrets.sops.yaml b/apps/sekibanki/planka/secrets.sops.yaml
new file mode 100644
index 0000000..834e13b
--- /dev/null
+++ b/apps/sekibanki/planka/secrets.sops.yaml
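Review bot: The planka container in apps/sekibanki/planka/deployment.yaml has no `securityContext`, so it runs with the image's default user, the default capability set and privilege escalation allowed, whereas the radicale Deployment added in this same commit drops all capabilities and sets `seccompProfile: RuntimeDefault`. Judging by the mount paths, this pod holds user uploads (`attachments`, `user-avatars`), so limiting what a compromised process can do is worth the few lines. The block below mirrors the radicale settings that do not depend on the image's UID; add `runAsNonRoot: true` once the image's user is confirmed, and check that startup still works with the capabilities dropped.

```yaml
      containers:
        - name: planka
          image: ghcr.io/plankanban/planka:2.0.0-rc.3
          # … unchanged: ports, volumeMounts, envFrom …
          securityContext:
            allowPrivilegeEscalation: false
            capabilities:
              drop:
                - ALL
            seccompProfile:
              type: RuntimeDefault
```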
@@ -0,0 +1,25 @@ +apiVersion: v1 +kind: Secret +metadata: + name: planka-secrets +type: Opaque +stringData: + DATABASE_URL: ENC[AES256_GCM,data:/P/UTQ5hn4iXostkAQfguXOEgm3i4u4GU2AtXf63Fa5Vj+xphAZIswrVs3A/UYUGsm8pQzc=,iv:Scg5AkeGhBG6k7AoYbsEihOu659Q5g4j8EOp7xYW6Zo=,tag:FBrGgdzW6divFyEAbdZnvQ==,type:str] + SECRET_KEY: ENC[AES256_GCM,data:SN8r72D2iLxpGdqEzjQ5I9PHW/P3NwwJOUYbp+Gi9Hg/a0TBZ9QJZnhveGJPh9aV3KiwuzNK8+AT5TWcFkCSwYa33ZlwJeiTxvfombDYWuqvccwl2Vwun52vUYfrdqogDYcaeP9US6GsJd8eaRUO3iyc0A+C039S68jkGt18h8Q=,iv:hlpmq4fGDjnxXmYRhCBTM9RwBWXA1OAF5AMhs7T0IqU=,tag:Soq3gnQQDaTHBBYoQ9l88A==,type:str] + OIDC_CLIENT_SECRET: ENC[AES256_GCM,data:PE6qqlsEpAcaZopGVh6y6/S2EuM3ybTpha+Gmhh7krA=,iv:AcS4H21JOOlAtLDDawqpyzdxdSUr3kFtMB6ynxG3Ewg=,tag:WLZ1JfVOOahaJgvP+YYORA==,type:str] + DEFAULT_ADMIN_EMAIL: ENC[AES256_GCM,data:0q437f+tid9X9Hj2F+nlEvyD,iv:TR6YBD84MevOic8d/btZdIAJtkiHRPftOIIJQwkc5iQ=,tag:nspH0pSxPMfevqwXz3RYMw==,type:str] +sops: + age: + - recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBnMVhvdGNYSzBhSWhpTXRY + eFU0Y3Z1YXlIUU1tZkhHVTloaEhMbk1rNFNvCnl3d3NSZit3MklkSHBPOFgrL25n + d01RbGJlZ3BzN2V4R3lVbUZBZ051VTQKLS0tIFp4c3pRTitISFJOR3JYNjU2TnRI + YzAvRHM5cHprbDJCTlNGa3h0MkZxN2sKnlvHgMwqUM3X47+OeRLxJepfEaVvHSag + XWVGGhEAtFkXbyW3e59+LygrabU1Eq0BX4sbN404VpSaosCCxREM5A== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-07-16T14:35:28Z" + mac: ENC[AES256_GCM,data:9rFIGDm44sPYF2a8lYAw5ooMW0U2td8ajclYHoeOHxQNPouXtTLvEyqjYNeXIIpUfpjYe6qz7us3PeuFeCCGAmobQ34qRu87Jd2n9yg70OSyklzMr4lCaeenlU+3q5nhWWyrv0tHuDUgLWR9F674Xl5T4QfbfbfKwzNMskNg7QM=,iv:pIT6NI7ed8EK7FEF6OySSxrN4vurMv0rUl75Y45wUdQ=,tag:rHgn4IWBGq9UH6d3z1lVkw==,type:str] + encrypted_regex: ^(data|stringData)$ + version: 3.10.2 diff --git a/apps/sekibanki/planka/svc.yaml b/apps/sekibanki/planka/svc.yaml new file mode 100644 index 0000000..c42109c --- /dev/null +++ b/apps/sekibanki/planka/svc.yaml 
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: planka
+spec:
+ type: ClusterIP
+ selector:
+ app.kubernetes.io/name: planka
+ ports:
+ - protocol: TCP
+ port: 80
+ targetPort: http
\ No newline at end of file
diff --git a/apps/sekibanki/radicale/config b/apps/sekibanki/radicale/config
new file mode 100644
index 0000000..e5d5798
--- /dev/null
+++ b/apps/sekibanki/radicale/config
@@ -0,0 +1,321 @@ +# -*- mode: conf -*- +# vim:ft=cfg + +# Config file for Radicale - A simple calendar server +# +# Place it into /etc/radicale/config (global) +# or ~/.config/radicale/config (user) +# +# The current values are the default ones + + +[server] + +# CalDAV server hostnames separated by a comma +# IPv4 syntax: address:port +# IPv6 syntax: [address]:port +# Hostname syntax (using "getaddrinfo" to resolve to IPv4/IPv6 adress(es)): hostname:port +# For example: 0.0.0.0:9999, [::]:9999, localhost:9999 +#hosts = localhost:5232 +hosts = 0.0.0.0:5232 + +# Max parallel connections +#max_connections = 8 + +# Max size of request body (bytes) +#max_content_length = 100000000 + +# Socket timeout (seconds) +#timeout = 30 + +# SSL flag, enable HTTPS protocol +#ssl = False + +# SSL certificate path +#certificate = /etc/ssl/radicale.cert.pem + +# SSL private key +#key = /etc/ssl/radicale.key.pem + +# CA certificate for validating clients. This can be used to secure +# TCP traffic between Radicale and a reverse proxy +#certificate_authority = + +# SSL protocol, secure configuration: ALL -SSLv3 -TLSv1 -TLSv1.1 +#protocol = (default) + +# SSL ciphersuite, secure configuration: DHE:ECDHE:-NULL:-SHA (see also "man openssl-ciphers") +#ciphersuite = (default) + +# script name to strip from URI if called by reverse proxy +#script_name = (default taken from HTTP_X_SCRIPT_NAME or SCRIPT_NAME) + + +[encoding] + +# Encoding for responding requests +#request = utf-8 + +# Encoding for storing local collections +#stock = utf-8 + + +[auth] + +# Authentication method +# Value: none | htpasswd | remote_user | http_x_remote_user | dovecot | ldap | oauth2 | pam | denyall +#type = denyall +type = none + +# Cache logins for until expiration time +#cache_logins = false + +# Expiration time for caching successful logins in seconds +#cache_successful_logins_expiry = 15 + +## Expiration time of caching failed logins in seconds +#cache_failed_logins_expiry = 90 + +# Ignore modifyTimestamp and 
createTimestamp attributes. Required e.g. for Authentik LDAP server +#ldap_ignore_attribute_create_modify_timestamp = false + +# URI to the LDAP server +#ldap_uri = ldap://localhost + +# The base DN where the user accounts have to be searched +#ldap_base = ##BASE_DN## + +# The reader DN of the LDAP server +#ldap_reader_dn = CN=ldapreader,CN=Users,##BASE_DN## + +# Password of the reader DN +#ldap_secret = ldapreader-secret + +# Path of the file containing password of the reader DN +#ldap_secret_file = /run/secrets/ldap_password + +# the attribute to read the group memberships from in the user's LDAP entry (default: not set) +#ldap_groups_attribute = memberOf + +# The filter to find the DN of the user. This filter must contain a python-style placeholder for the login +#ldap_filter = (&(objectClass=person)(uid={0})) + +# the attribute holding the value to be used as username after authentication +#ldap_user_attribute = cn + +# Use ssl on the ldap connection +# Soon to be deprecated, use ldap_security instead +#ldap_use_ssl = False + +# the encryption mode to be used: tls, starttls, default is none +#ldap_security = none + +# The certificate verification mode. Works for ssl and starttls. NONE, OPTIONAL, default is REQUIRED +#ldap_ssl_verify_mode = REQUIRED + +# The path to the CA file in pem format which is used to certificate the server certificate +#ldap_ssl_ca_file = + +# Connection type for dovecot authentication (AF_UNIX|AF_INET|AF_INET6) +# Note: credentials are transmitted in cleartext +#dovecot_connection_type = AF_UNIX + +# The path to the Dovecot client authentication socket (eg. /run/dovecot/auth-client on Fedora). Radicale must have read / write access to the socket. 
+#dovecot_socket = /var/run/dovecot/auth-client + +# Host of via network exposed dovecot socket +#dovecot_host = localhost + +# Port of via network exposed dovecot socket +#dovecot_port = 12345 + +# IMAP server hostname +# Syntax: address | address:port | [address]:port | imap.server.tld +#imap_host = localhost + +# Secure the IMAP connection +# Value: tls | starttls | none +#imap_security = tls + +# OAuth2 token endpoint URL +#oauth2_token_endpoint = + +# PAM service +#pam_serivce = radicale + +# PAM group user should be member of +#pam_group_membership = + +# Htpasswd filename +#htpasswd_filename = /etc/radicale/users + +# Htpasswd encryption method +# Value: plain | bcrypt | md5 | sha256 | sha512 | argon2 | autodetect +# bcrypt requires the installation of 'bcrypt' module. +# argon2 requires the installation of 'argon2-cffi' module. +#htpasswd_encryption = autodetect + +# Enable caching of htpasswd file based on size and mtime_ns +#htpasswd_cache = False + +# Incorrect authentication delay (seconds) +#delay = 1 + +# Message displayed in the client when a password is needed +#realm = Radicale - Password Required + +# Convert username to lowercase, must be true for case-insensitive auth providers +#lc_username = False + +# Strip domain name from username +#strip_domain = False + + +[rights] + +# Rights backend +# Value: authenticated | owner_only | owner_write | from_file +#type = owner_only + +# File for rights management from_file +#file = /etc/radicale/rights + +# Permit delete of a collection (global) +#permit_delete_collection = True + +# Permit overwrite of a collection (global) +#permit_overwrite_collection = True + +# URL Decode the given username (when URL-encoded by the client - useful for iOS devices when using email address) +# urldecode_username = False + +[storage] + +# Storage backend +# Value: multifilesystem | multifilesystem_nolock +#type = multifilesystem + +# Folder for storing local collections, created if not present +#filesystem_folder = 
/var/lib/radicale/collections +filesystem_folder = /data/collections + +# Folder for storing cache of local collections, created if not present +# Note: only used in case of use_cache_subfolder_* options are active +# Note: can be used on multi-instance setup to cache files on local node (see below) +filesystem_cache_folder = /cache + +# Use subfolder 'collection-cache' for 'item' cache file structure instead of inside collection folder +# Note: can be used on multi-instance setup to cache 'item' on local node +use_cache_subfolder_for_item = True + +# Use subfolder 'collection-cache' for 'history' cache file structure instead of inside collection folder +# Note: use only on single-instance setup, will break consistency with client in multi-instance setup +use_cache_subfolder_for_history = True + +# Use subfolder 'collection-cache' for 'sync-token' cache file structure instead of inside collection folder +# Note: use only on single-instance setup, will break consistency with client in multi-instance setup +use_cache_subfolder_for_synctoken = True + +# Use last modifiction time (nanoseconds) and size (bytes) for 'item' cache instead of SHA256 (improves speed) +# Note: check used filesystem mtime precision before enabling +# Note: conversion is done on access, bulk conversion can be done offline using storage verification option: radicale --verify-storage +use_mtime_and_size_for_item_cache = True + +# Use configured umask for folder creation (not applicable for OS Windows) +# Useful value: 0077 | 0027 | 0007 | 0022 +#folder_umask = (system default, usual 0022) + +# Delete sync token that are older (seconds) +#max_sync_token_age = 2592000 + +# Skip broken item instead of triggering an exception +#skip_broken_item = True + +# Command that is run after changes to storage, default is emtpy +# Supported placeholders: +# %(user)s: logged-in user +# %(cwd)s : current working directory +# %(path)s: full path of item +# Command will be executed with base directory defined in 
filesystem_folder +# For "git" check DOCUMENTATION.md for bootstrap instructions +# Example(test): echo \"user=%(user)s path=%(path)s cwd=%(cwd)s\" +# Example(git): git add -A && (git diff --cached --quiet || git commit -m "Changes by \"%(user)s\"") +#hook = + +# Create predefined user collections +# +# json format: +# +# { +# "def-addressbook": { +# "D:displayname": "Personal Address Book", +# "tag": "VADDRESSBOOK" +# }, +# "def-calendar": { +# "C:supported-calendar-component-set": "VEVENT,VJOURNAL,VTODO", +# "D:displayname": "Personal Calendar", +# "tag": "VCALENDAR" +# } +# } +# +#predefined_collections = + + +[web] + +# Web interface backend +# Value: none | internal +#type = internal + + +[logging] + +# Threshold for the logger +# Value: debug | info | warning | error | critical +#level = info + +# Don't include passwords in logs +#mask_passwords = True + +# Log bad PUT request content +#bad_put_request_content = False + +# Log backtrace on level=debug +#backtrace_on_debug = False + +# Log request header on level=debug +#request_header_on_debug = False + +# Log request content on level=debug +#request_content_on_debug = False + +# Log response content on level=debug +#response_content_on_debug = False + +# Log rights rule which doesn't match on level=debug +#rights_rule_doesnt_match_on_debug = False + +# Log storage cache actions on level=debug +#storage_cache_actions_on_debug = False + +[headers] + +# Additional HTTP headers +#Access-Control-Allow-Origin = * + + +[hook] + +# Hook types +# Value: none | rabbitmq +#type = none +#rabbitmq_endpoint = +#rabbitmq_topic = +#rabbitmq_queue_type = classic + + +[reporting] + +# When returning a free-busy report, limit the number of returned +# occurences per event to prevent DOS attacks. +#max_freebusy_occurrence = 10000 \ No newline at end of file diff --git a/apps/sekibanki/radicale/deployment.yaml b/apps/sekibanki/radicale/deployment.yaml new file mode 100644 index 0000000..4b7bc32 --- /dev/null 
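Review bot: In apps/sekibanki/radicale/config the `[auth]` section sets `type = none` while `[server]` binds `hosts = 0.0.0.0:5232`, so Radicale accepts any username without checking a password and every client that can reach the `caldav` Service can read or overwrite any user's collections. The default `owner_only` rights backend gives no protection here, because the owner is whatever name the client claims. If an authenticating proxy sits in front of the Service (not visible in this commit), `type = http_x_remote_user` is the matching setting and the pod should accept traffic only from that proxy. Otherwise use `type = htpasswd` with `htpasswd_filename` pointing at a file mounted from a Secret.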
+++ b/apps/sekibanki/radicale/deployment.yaml
@@ -0,0 +1,69 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: radicale
+ labels:
+ app.kubernetes.io/name: radicale
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: radicale
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: radicale
+ spec:
+ volumes:
+ - name: radicale-data
+ persistentVolumeClaim:
+ claimName: radicale-data-pvc
+ # emptyDir:
+ # sizeLimit: 50Mi
+ # medium: Memory
+ - name: radicale-config
+ configMap:
+ name: radicale-config
+ - name: cache-volume
+ emptyDir:
+ sizeLimit: 50Mi
+ medium: Memory
+ containers:
+ - name: radicale
+ image: tomsquest/docker-radicale:3.5.4.0
+ ports:
+ - containerPort: 5232
+ name: http
+ volumeMounts:
+ - name: radicale-data
+ mountPath: "/data"
+ - name: radicale-config
+ mountPath: "/config"
+ - name: cache-volume
+ mountPath: "/cache"
+ resources:
+ requests:
+ cpu: 200m
+ memory: 64M
+ limits:
+ cpu: 500m
+ memory: 256M
+ livenessProbe:
+ httpGet:
+ path: /
+ port: 5232
+ initialDelaySeconds: 30
+ periodSeconds: 30
+ timeoutSeconds: 5
+ failureThreshold: 3
+ successThreshold: 1
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
\ No newline at end of file
diff --git a/apps/sekibanki/radicale/kustomization.yaml b/apps/sekibanki/radicale/kustomization.yaml
new file mode 100644
index 0000000..8571431
--- /dev/null
+++ b/apps/sekibanki/radicale/kustomization.yaml
@@ -0,0 +1,8 @@
+resources:
+ - deployment.yaml
+ - pvc.yaml
+ - svc.yaml
+configMapGenerator:
+- name: radicale-config
+ files:
+ - config
\ No newline at end of file
diff --git a/apps/technitium/pvc.yaml b/apps/sekibanki/radicale/pvc.yaml
similarity index 61%
rename from apps/technitium/pvc.yaml
rename to apps/sekibanki/radicale/pvc.yaml
index bf8b83f..97421c2 100644
--- a/apps/technitium/pvc.yaml
+++ b/apps/sekibanki/radicale/pvc.yaml
@@ -1,11 +1,11 @@ apiVersion: v1 kind: PersistentVolumeClaim metadata: - name: technitium-data-pvc + name: radicale-data-pvc spec: accessModes: - ReadWriteOnce - storageClassName: longhorn resources: requests: - storage: 1Gi + storage: 3Gi + storageClassName: nfs-csi \ No newline at end of file diff --git a/apps/sekibanki/radicale/svc.yaml b/apps/sekibanki/radicale/svc.yaml new file mode 100644 index 0000000..78b975f --- /dev/null +++ b/apps/sekibanki/radicale/svc.yaml @@ -0,0 +1,12 @@ +apiVersion: v1 +kind: Service +metadata: + name: caldav +spec: + type: ClusterIP + selector: + app.kubernetes.io/name: radicale + ports: + - protocol: TCP + port: 80 + targetPort: http \ No newline at end of file diff --git a/apps/renovate/cronjob.yaml b/apps/sekibanki/renovate/cronjob.yaml similarity index 100% rename from apps/renovate/cronjob.yaml rename to apps/sekibanki/renovate/cronjob.yaml diff --git a/apps/renovate/kustomization.yaml b/apps/sekibanki/renovate/kustomization.yaml similarity index 100% rename from apps/renovate/kustomization.yaml rename to apps/sekibanki/renovate/kustomization.yaml diff --git a/apps/sekibanki/renovate/secrets.sops.yaml b/apps/sekibanki/renovate/secrets.sops.yaml new file mode 100644 index 0000000..4cd9ff5 --- /dev/null +++ b/apps/sekibanki/renovate/secrets.sops.yaml 
@@ -0,0 +1,28 @@ +apiVersion: v1 +kind: Secret +metadata: + name: renovate-gitea-env +type: Opaque +stringData: + RENOVATE_GITHUB_COM_TOKEN: ENC[AES256_GCM,data:tEaxtH/tMQ4lpvSMwNRf75Ir5Z711/x45fgOkvFDE/SQDq752QfKhA==,iv:2j2aQFodFg47a1xRTw5KCJsE/hqCa9Fe9bDMr1IPhvY=,tag:QvOEfa38bx0DnGeimP8EFA==,type:str] + RENOVATE_AUTODISCOVER: ENC[AES256_GCM,data:qgD3GA==,iv:hIXYcwxQTOn6XVdWYqjz8UISwIJ4fGdSo0bQrxbgcLs=,tag:YLP/28760E6YyuWiWVcCFw==,type:str] + RENOVATE_ENDPOINT: ENC[AES256_GCM,data:Yx8NJsN/zfCAy4IeMgObrhvpVOCdi4k9oubQfKubJlbBF5309nE=,iv:ozkCVyOgHtE05qUfcubxqUTrfYiNKrIIDg3ZZlbNGMs=,tag:8gqxc4FienvPH1oqP81ZKA==,type:str] + RENOVATE_GIT_AUTHOR: ENC[AES256_GCM,data:WFwP86EfQYSedLLcQyL/nQmZFkIRx7IMSfOTNeCqIDRLjMueQ7zeupRivNPk9A==,iv:aOC1n0EbWx5jq+8C3kM9KLUwZIAXW6GlZXvGjMwDTZ0=,tag:yrATDQw4EdUY2XcCltUhQg==,type:str] + RENOVATE_PLATFORM: ENC[AES256_GCM,data:Uw4ihT8=,iv:2Y4Mv6YNjG0KfU+0ZBX6f1eJ47v1r2o0kiV1QgWOn5I=,tag:XBw4rJCDcBTBHdxMcwmLfA==,type:str] + RENOVATE_TOKEN: ENC[AES256_GCM,data:brPzHjCuxpPU3z0pfd1loXavpMiqAWD0Nod4+szW3EWBsWAHgHj26A==,iv:smXMkCRv5vNg1vsd+X2x6RyumRcqSSwGp8xaKppsg6w=,tag:nbUYnF8Vte8shvcIQyiI0Q==,type:str] + RENOVATE_KUBERNETES: ENC[AES256_GCM,data:kY8sEwcsuvehijA6BwHvHIUI6OSO/S2MCsY=,iv:UMRcqpTQ9vScisXugKiVnDPLR8tsSz600pl6dw3v/xc=,tag:GukTMpkIXozz6TAATZjA0w==,type:str] +sops: + age: + - recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBBbitVRE5mcnBhaUhybHlT + dFg5N0V0R0g1UFlyZzFjSk9aa09QUVVEUkhvCkFPanpEYmZ6a1lmMlFCMlZZMC9O + V0gwM2lBNFhKeWtwVzRIeEhGZ0YxL0UKLS0tIEl2NkxsTThaUTY5UUozNjk1cnBx + a0NWZFRyYkVJTXZpU0d0QlBmRDNrWm8KNGrP45Bj87LHygIZsFLsz6iL8zHyuDw0 + JVxqzb2tCa90OfhzDQpIh06N5ep1AowE9IWea7PoW4jaWzd7vDge5g== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-07-16T14:35:28Z" + mac: 
ENC[AES256_GCM,data:+0envuEAfwqgOI2ysbTYcPph7sIKFK26RqAy8vLQ/tvQ700nXyZRgOS2DSOIKeMq0+e3bg2gbgWaKLu8TPGYSf6DI4xGOx+vXSjcPMdiO05Wa0qu1Ha3+C3Uoyijt1YY2TZ0YO/WCNakyF7WPP4urFBNtictvoZIWTv31JPw7OQ=,iv:TmsTKP8dJxnjnDM0WFzSIRqImT0XVwYBAgG06VTWkDE=,tag:++33bVCSjOhW4JQCQ8e2Xg==,type:str] + encrypted_regex: ^(data|stringData)$ + version: 3.10.2 diff --git a/apps/teable/config.yaml b/apps/sekibanki/teable/config.yaml similarity index 77% rename from apps/teable/config.yaml rename to apps/sekibanki/teable/config.yaml index c38d732..7a5339a 100644 --- a/apps/teable/config.yaml +++ b/apps/sekibanki/teable/config.yaml @@ -8,4 +8,5 @@ data: BACKEND_CACHE_PROVIDER: "redis" NEXT_ENV_IMAGES_ALL_REMOTE: "true" PRISMA_ENGINES_CHECKSUM_IGNORE_MISSING: "1" - NODE_TLS_REJECT_UNAUTHORIZED: '0' \ No newline at end of file + NODE_TLS_REJECT_UNAUTHORIZED: '0' + BACKEND_STORAGE_TOKEN_EXPIRE_IN: '1d' \ No newline at end of file diff --git a/apps/teable/deployment.yaml b/apps/sekibanki/teable/deployment.yaml similarity index 83% rename from apps/teable/deployment.yaml rename to apps/sekibanki/teable/deployment.yaml index 48a1784..fe5834e 100644 --- a/apps/teable/deployment.yaml +++ b/apps/sekibanki/teable/deployment.yaml @@ -15,28 +15,13 @@ spec: labels: app.kubernetes.io/name: teable spec: - affinity: - nodeAffinity: - preferredDuringSchedulingIgnoredDuringExecution: - - weight: 1 - preference: - matchExpressions: - - key: location - operator: In - values: - - fsn - volumes: - - name: valkey-data - persistentVolumeClaim: - claimName: valkey-data-pvc hostAliases: - ip: "100.113.193.5" hostnames: - "mail.prettysunflower.moe" initContainers: - name: db-migrate - image: ghcr.io/teableio/teable:sha-257d098af67e9260b6abb09da0e08eafef34ae08 - imagePullPolicy: Always + image: ghcr.io/teableio/teable:83745958bbba83111145e1cd48de811cfc7db601 args: - migrate-only envFrom: 
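Review bot: `NODE_TLS_REJECT_UNAUTHORIZED: '0'` is carried onto the new side of apps/sekibanki/teable/config.yaml, and it turns off certificate verification for every outbound TLS connection the Node process makes, presumably including the S3 storage and SMTP endpoints configured in `teable-secrets`. Anyone on the network path to those endpoints can then present an arbitrary certificate and read the credentials sent over the connection. If the reason is a private or self-signed CA, mount that CA certificate into the pod and set `NODE_EXTRA_CA_CERTS: '<path-to-mounted-ca.pem>'` (placeholder path) instead, then drop the `'0'` override.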
@@ -63,8 +48,7 @@ spec: type: RuntimeDefault containers: - name: teable - image: ghcr.io/teableio/teable:sha-257d098af67e9260b6abb09da0e08eafef34ae08 - imagePullPolicy: Always + image: ghcr.io/teableio/teable:83745958bbba83111145e1cd48de811cfc7db601 args: - skip-migrate ports: @@ -108,7 +92,30 @@ spec: timeoutSeconds: 5 failureThreshold: 3 successThreshold: 1 - - image: valkey/valkey:alpine +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: valkey + namespace: teable + labels: + app.kubernetes.io/name: valkey +spec: + replicas: 1 + selector: + matchLabels: + app.kubernetes.io/name: valkey + template: + metadata: + labels: + app.kubernetes.io/name: valkey + spec: + volumes: + - name: valkey-data + persistentVolumeClaim: + claimName: valkey-data-pvc + containers: + - image: valkey/valkey:8.1.2-alpine name: valkey envFrom: - secretRef: @@ -129,4 +136,4 @@ spec: drop: - ALL seccompProfile: - type: RuntimeDefault + type: RuntimeDefault \ No newline at end of file diff --git a/apps/teable/kustomization.yaml b/apps/sekibanki/teable/kustomization.yaml similarity index 100% rename from apps/teable/kustomization.yaml rename to apps/sekibanki/teable/kustomization.yaml diff --git a/apps/teable/namespace.yaml b/apps/sekibanki/teable/namespace.yaml similarity index 100% rename from apps/teable/namespace.yaml rename to apps/sekibanki/teable/namespace.yaml diff --git a/apps/teable/pvc.yaml b/apps/sekibanki/teable/pvc.yaml similarity index 83% rename from apps/teable/pvc.yaml rename to apps/sekibanki/teable/pvc.yaml index cf03a05..55dd9c8 100644 --- a/apps/teable/pvc.yaml +++ b/apps/sekibanki/teable/pvc.yaml @@ -9,4 +9,4 @@ spec: resources: requests: storage: 5Gi - storageClassName: seaweedfs-storage \ No newline at end of file + storageClassName: nfs-csi \ No newline at end of file diff --git a/apps/sekibanki/teable/secrets.sops.yaml b/apps/sekibanki/teable/secrets.sops.yaml new file mode 100644 index 0000000..823bd8c --- /dev/null 
+++ b/apps/sekibanki/teable/secrets.sops.yaml 
@@ -0,0 +1,63 @@ +apiVersion: v1 +kind: Secret +metadata: + name: teable-secrets + namespace: teable +type: Opaque +stringData: + PRISMA_DATABASE_URL: ENC[AES256_GCM,data:S7Y4B5apBAYbZ6lQ5/O31RThkAnKV3Qx+ab2ieQSn63qsik451ciRWzTysIuADOeivo+1sSqyIIdBvBGpPR+n108kw==,iv:zSwa0dgoydq2hbaxxXDO/gBcrLMPFqAxjTUaPMfzyOg=,tag:Uy/+KAP7SE4bOrDN7eNWIg==,type:str] + SECRET_KEY: ENC[AES256_GCM,data:KXnjt6MiPts4u1vqf4pFYjAJq+6xPQ==,iv:8U61KBz8ZaNZluvLsGNmP3X7M5Upv/02ngoy2lpndUQ=,tag:0RmPivQtQgQa+XAltN6Dxg==,type:str] + BACKEND_STORAGE_PROVIDER: ENC[AES256_GCM,data:M9o=,iv:Z8twg5olXc+PtrVNxl24W6m+l/5bS81kAiXF4O8CSHQ=,tag:ImiZg6nCiGGFUPIfWRqrlQ==,type:str] + BACKEND_STORAGE_S3_REGION: ENC[AES256_GCM,data:JvGqWw==,iv:8KbVumdAXPZBLB7g7oqf1rfFnHKhPvleezY7Tryma1o=,tag:9VVoNTjvuPs7v0ep8wSc9w==,type:str] + BACKEND_STORAGE_S3_ENDPOINT: ENC[AES256_GCM,data:THKG0BPjvXU9u1qeutoBkGJ8pbq1aw==,iv:T04svNvlk+05mrwlVV9sp32eyjbKWp/Z0Fdc3PUOB1k=,tag:Ov7Wr4lJ0ixdTD3/9db0DA==,type:str] + BACKEND_STORAGE_S3_ACCESS_KEY: ENC[AES256_GCM,data:4X9UespqF1qtiLIfMQRi79VP5Xdjage7xTxZKPtJ80vs2VnaFknqzzDTMsAm9fZk7FKMCWde,iv:Rp0AlShe6e0JrQ/4fVyiGs5lAkPXl7574UF35HHntwQ=,tag:TSemTreK3c5+mZjTt+Cl0w==,type:str] + BACKEND_STORAGE_S3_SECRET_KEY: ENC[AES256_GCM,data:GtenV4qKUlZmGMV8WCO3/9tsjpdTceoCzY8v4maWIo1L9iy/u4I8TKXa6iv/9QpSTq0YW2qh5YtmSOvpeqOsmceNV3s61CNydqsE,iv:I9cn5jmP6OjQ3H3Z8TLT5ZGNihnME3cnyn7BI9iBIUg=,tag:9CXNZtg9B/4Yj2ZKTgwSRg==,type:str] + BACKEND_STORAGE_PUBLIC_BUCKET: ENC[AES256_GCM,data:GoOlFVdgcG8yx9hTFyI0zK/WvlgnMAYshLejrKs=,iv:lJTx2Wovtka+fHGK7ojWiY81besS7IrV/oPcN5546UI=,tag:M4Q0ukX3Vhc/F6WPQsmmVQ==,type:str] + BACKEND_STORAGE_PRIVATE_BUCKET: ENC[AES256_GCM,data:2pmNoVRrkkwggoj2gjxy2fOGQYTT+q5L7LqYnNOF,iv:LSe93EycfC304/ji1BU/dovsCP2L+s6II3Uz7drl7lY=,tag:NlCE0GMQOEWABcjDKG6rIQ==,type:str] + BACKEND_CACHE_REDIS_URI: 
ENC[AES256_GCM,data:2WSh32ZQb26dPyI9LVqxQaykMdXhFuA6YKMzpT9X3HXcKO0wGiJMl0tDZvIK/qnGU4ShgCXqD5/TQZSzTe6XI1YKJoFou6pvHkXgFIoEJEZSgxWlhY9unj3Fizwm,iv:8vkHRo5cpLRNzVxmeJILY/DAO9Xgp8RoJnTiG4mqQJc=,tag:EzhcJ9ntjlWD95KDpke2Bg==,type:str] + BACKEND_MAIL_HOST: ENC[AES256_GCM,data:dRZR7Oi9acB5ANFcO6HWUyPyHFcgESYb,iv:uyyQHB18OuZJDM0+6FcYvbyZEjOeOPQj8HTE7zWLl28=,tag:6x5clI3OquJI4ryoJ/mIhQ==,type:str] + BACKEND_MAIL_PORT: ENC[AES256_GCM,data:UzK1,iv:KYdakhFPfe7wLyNbxpQlAmYDYhmHfKVAiDtFMTwxhPU=,tag:KfrNLO7Z5y24gWcFo3O9Sw==,type:str] + BACKEND_MAIL_SECURE: ENC[AES256_GCM,data:yqGAQG0=,iv:oVaScBsc2v7AqudqJxyM/AGmd9479igZzNsY+G+wNWE=,tag:JM7JfT8Ljv6IbytBGmAplg==,type:str] + BACKEND_MAIL_SENDER: ENC[AES256_GCM,data:PNmUSwER7gjYv4bVxBPDxy5LOwFMhoPsY6U=,iv:1lUdrocPb6nP7N/6Xk4+d67pF3iu4jvvskKJ0x/UADU=,tag:reHZtXP0ZXwOFH9XibNrWA==,type:str] + BACKEND_MAIL_SENDER_NAME: ENC[AES256_GCM,data:IipWnw==,iv:Tp6k90QrG1/5M9kdvSLnXtz4xcU/mxNQ4563PSeb0Xc=,tag:oIJjlXpIuDbbTtnbZ6HRgw==,type:str] + BACKEND_MAIL_AUTH_USER: ENC[AES256_GCM,data:7pz5djxOzt19o2KgDchkO4hdXuPoZA==,iv:LHK7Cb1iFJbRWlGEEB4ziKZJKhOJ4OPfEgGNqxm244I=,tag:03A36lsN5GkKZhTqQQFMFw==,type:str] + BACKEND_MAIL_AUTH_PASS: ENC[AES256_GCM,data:7Oo6vF4MRSLuTWJGnZueug==,iv:813e2G1nGQFLv9AWZF4oKIIHq1eBLKuTm/0BR/a0tAw=,tag:iWUsbvmDFLnBVNNoXJ4hcA==,type:str] +sops: + age: + - recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFQVVUU3AxN2tnUG1ORmpw + c29YMWErYXl0QmtKVWdjWng2azRBUDJSbnlnClVnSVBlRUJ6NElDWmZOVnJRTUVB + NWVIRm1FUWc2NW14TE9MSnNpVnNPcU0KLS0tIDdrbjhWY3hoZCtROWtPKytXenJ0 + eEptQ1R2QlAyeDdnZWdkZGNBcFZxL0EKe5wXjgOEN5hULVrSdyq7ljGIDlhDdwTl + jo0aeu4ObPlgMCc6jC9Coxk62SNt7yVg+brvkX2AmufuwR0lzg7N+g== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-07-16T14:35:28Z" + mac: 
ENC[AES256_GCM,data:aFo7gkxw4ZgbJEkI7UbXwTUwB8DJHZGQ3cjJxTlRuROsoz6ryxzUg6jq0cDHVMrBa+Aj6atU5KUQ/o0krThZzZiL4kAWystxFgHj0IVH5aJBN2R4P5qLzwgofXP0UuTSd5x32hrAi5XVJ4loJGTQBxu/LdBHwOGQTg5Iuclk2K0=,iv:iRWTZnjiCUVCTnB99+wGmOjh6PkGak4PHJrMIs/rptU=,tag:0OgOkXAcsVaeCcXmCTSHjw==,type:str] + encrypted_regex: ^(data|stringData)$ + version: 3.10.2 +--- +apiVersion: v1 +kind: Secret +metadata: + name: valkey-secrets + namespace: teable +type: Opaque +stringData: + VALKEY_EXTRA_FLAGS: ENC[AES256_GCM,data:S+rjMu5wNv+Nni1d7/ZZTDoPhqf2TY28xJhgH/FPPmQB5qGpQmkVGoZW9rhsuc6eI7JL7KDRbfPyyoa8,iv:v3pjMJD1RvusZ9+0ppCP3RW3ojpsqQseeitJ8jagvxo=,tag:IQAIFa9vsRmFFDFXAmV8Jg==,type:str] +sops: + age: + - recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBFQVVUU3AxN2tnUG1ORmpw + c29YMWErYXl0QmtKVWdjWng2azRBUDJSbnlnClVnSVBlRUJ6NElDWmZOVnJRTUVB + NWVIRm1FUWc2NW14TE9MSnNpVnNPcU0KLS0tIDdrbjhWY3hoZCtROWtPKytXenJ0 + eEptQ1R2QlAyeDdnZWdkZGNBcFZxL0EKe5wXjgOEN5hULVrSdyq7ljGIDlhDdwTl + jo0aeu4ObPlgMCc6jC9Coxk62SNt7yVg+brvkX2AmufuwR0lzg7N+g== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-07-16T14:35:28Z" + mac: ENC[AES256_GCM,data:aFo7gkxw4ZgbJEkI7UbXwTUwB8DJHZGQ3cjJxTlRuROsoz6ryxzUg6jq0cDHVMrBa+Aj6atU5KUQ/o0krThZzZiL4kAWystxFgHj0IVH5aJBN2R4P5qLzwgofXP0UuTSd5x32hrAi5XVJ4loJGTQBxu/LdBHwOGQTg5Iuclk2K0=,iv:iRWTZnjiCUVCTnB99+wGmOjh6PkGak4PHJrMIs/rptU=,tag:0OgOkXAcsVaeCcXmCTSHjw==,type:str] + encrypted_regex: ^(data|stringData)$ + version: 3.10.2 diff --git a/apps/sekibanki/teable/services.yaml b/apps/sekibanki/teable/services.yaml new file mode 100644 index 0000000..fab1b0a --- /dev/null +++ b/apps/sekibanki/teable/services.yaml 
@@ -0,0 +1,28 @@ +apiVersion: v1 +kind: Service +metadata: + name: teable + namespace: teable +spec: + type: ClusterIP + selector: + app.kubernetes.io/name: teable + ports: + - protocol: TCP + port: 80 + targetPort: 3000 + name: http +--- +apiVersion: v1 +kind: Service +metadata: + name: valkey + namespace: teable +spec: + type: ClusterIP + selector: + app.kubernetes.io/name: valkey + ports: + - protocol: TCP + port: 6379 + targetPort: 6379 \ No newline at end of file diff --git a/apps/znc/kustomization.yaml b/apps/sekibanki/thelounge/kustomization.yaml similarity index 100% rename from apps/znc/kustomization.yaml rename to apps/sekibanki/thelounge/kustomization.yaml diff --git a/apps/thelounge/pvc.yaml b/apps/sekibanki/thelounge/pvc.yaml similarity index 81% rename from apps/thelounge/pvc.yaml rename to apps/sekibanki/thelounge/pvc.yaml index 8e24130..d678757 100644 --- a/apps/thelounge/pvc.yaml +++ b/apps/sekibanki/thelounge/pvc.yaml @@ -8,4 +8,4 @@ spec: resources: requests: storage: 3Gi - storageClassName: seaweedfs-storage \ No newline at end of file + storageClassName: nfs-csi \ No newline at end of file diff --git a/apps/thelounge/services.yaml b/apps/sekibanki/thelounge/services.yaml similarity index 100% rename from apps/thelounge/services.yaml rename to apps/sekibanki/thelounge/services.yaml diff --git a/apps/thelounge/statefulset.yaml b/apps/sekibanki/thelounge/statefulset.yaml similarity index 88% rename from apps/thelounge/statefulset.yaml rename to apps/sekibanki/thelounge/statefulset.yaml index 3e59c8f..b7ec708 100644 --- a/apps/thelounge/statefulset.yaml +++ b/apps/sekibanki/thelounge/statefulset.yaml @@ -14,6 +14,10 @@ spec: labels: app.kubernetes.io/name: thelounge spec: + dnsPolicy: "None" + dnsConfig: + nameservers: + - 100.96.226.96 volumes: - name: thelounge-data persistentVolumeClaim: 
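Review bot: In apps/sekibanki/thelounge/statefulset.yaml the added `dnsPolicy: "None"` means the pod gets only what `dnsConfig` lists, and that block names a single resolver, `100.96.226.96`, with no `searches` or `options`. As written, short in-cluster names will not resolve through the cluster DNS, and every lookup from this pod depends on, and is visible to, that one host. If cluster names are still needed, add the cluster DNS service IP as a second `nameservers` entry together with a `searches` list, or keep the default policy and forward only the external zone from the cluster resolver. The pod spec continues outside the hunk.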
diff --git a/apps/vaultwarden/configmap.yaml b/apps/sekibanki/vaultwarden/configmap.yaml similarity index 100% rename from apps/vaultwarden/configmap.yaml rename to apps/sekibanki/vaultwarden/configmap.yaml diff --git a/apps/vaultwarden/deployment.yaml b/apps/sekibanki/vaultwarden/deployment.yaml similarity index 100% rename from apps/vaultwarden/deployment.yaml rename to apps/sekibanki/vaultwarden/deployment.yaml diff --git a/apps/vaultwarden/kustomization.yaml b/apps/sekibanki/vaultwarden/kustomization.yaml similarity index 100% rename from apps/vaultwarden/kustomization.yaml rename to apps/sekibanki/vaultwarden/kustomization.yaml diff --git a/apps/vaultwarden/pvc.yaml b/apps/sekibanki/vaultwarden/pvc.yaml similarity index 82% rename from apps/vaultwarden/pvc.yaml rename to apps/sekibanki/vaultwarden/pvc.yaml index d70c3a9..8b7272c 100644 --- a/apps/vaultwarden/pvc.yaml +++ b/apps/sekibanki/vaultwarden/pvc.yaml @@ -8,4 +8,4 @@ spec: resources: requests: storage: 5Gi - storageClassName: seaweedfs-storage \ No newline at end of file + storageClassName: nfs-csi \ No newline at end of file diff --git a/apps/sekibanki/vaultwarden/secrets.sops.yaml b/apps/sekibanki/vaultwarden/secrets.sops.yaml new file mode 100644 index 0000000..fa3212a --- /dev/null +++ b/apps/sekibanki/vaultwarden/secrets.sops.yaml 
@@ -0,0 +1,23 @@ +apiVersion: v1 +kind: Secret +metadata: + name: vaultwarden-secrets +type: Opaque +stringData: + SMTP_PASSWORD: ENC[AES256_GCM,data:xyLyid9vbNnZqSZmlOzr0w==,iv:FqgmKBNXi3z6rP2OkpnBvCcrUJFNuyXSZqEveRjHgXc=,tag:uNzVVes83mEIRXX8eONyxg==,type:str] + DATABASE_URL: ENC[AES256_GCM,data:O7ziU0tNyTwlxauvYvKP9cbvmQrGiczq8PVeTiO6TM4G5MX3C44EBGh8toWIFqDH3CtTl3fZ2HWzR4Jz+v8ffhLW886ruOMZLk207PwI2Xhm8rJ5+jPLTtjn,iv:M9V+FFzmlvC3gSPq9X7YFjg8+ag7pEOFsrY2DXuq/8I=,tag:+7Lt8WcIzItetgRcEC0DyA==,type:str] +sops: + age: + - recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBCdUhTOGc0TVVyNlNOeHMx + YmxzQSsxUVoyZGlMU29RRk5ERGRjdHdvSlFRCjUrYTkwTXJPQ1J6VGlPbG80YnB2 + cjJ1RXNTL1hvZFkvL0o1L1VPMC9pRlEKLS0tIDZXYlRrRGtGcjJac1NWb3lhd0U5 + OTFtdU1IUjlrVnlaQ0VBTnludmJTbFEKzWnGs3tiHrmIcYftVn79QxTI5MmzyZCQ + EvnSjD/WyNNf1iXpH9jsvuoFDIiaS3aWh0Y6Lbc4EcnKQWUq/buaIw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-07-16T14:35:28Z" + mac: ENC[AES256_GCM,data:i/U+lQrXgCcva8ukhSyoqG+f6k5ZiYI8UtBQngud3UnuMnEuyGgY1iuovdsYj1KuGnvZ3d5vnqMIccevQhLXFJVL1LHmRSiLIf2Ugs7r5SsEb7kAFMF2BAtyht75r0oJ/d9Uui+mnxC71GuowRf0uSlIeP545cOb1BebHRk5Y5o=,iv:3FL0djcCnr2UhtO0t52625rALsA25kTUKB4b95Y4nH0=,tag:BnWDkst2Z0wSqV/MmIYqzQ==,type:str] + encrypted_regex: ^(data|stringData)$ + version: 3.10.2 diff --git a/apps/vaultwarden/services.yaml b/apps/sekibanki/vaultwarden/services.yaml similarity index 100% rename from apps/vaultwarden/services.yaml rename to apps/sekibanki/vaultwarden/services.yaml diff --git a/apps/stump/deployment.yaml b/apps/stump/deployment.yaml new file mode 100644 index 0000000..c411846 --- /dev/null +++ b/apps/stump/deployment.yaml 
@@ -0,0 +1,41 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: stump
+ labels:
+ app.kubernetes.io/name: stump
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: stump
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: stump
+ spec:
+ volumes:
+ - name: stump-config
+ persistentVolumeClaim:
+ claimName: stump-config-pvc
+ - name: stump-data
+ persistentVolumeClaim:
+ claimName: stump-data-pvc
+ containers:
+ - name: stump
+ image: aaronleopold/stump:latest
+ ports:
+ - containerPort: 10801
+ name: http
+ volumeMounts:
+ - name: stump-config
+ mountPath: "/config"
+ - name: stump-data
+ mountPath: "/data"
+ env:
+ - name: PUID
+ value: '1000'
+ - name: PGID
+ value: '1000'
+ - name: STUMP_PORT
+ value: "10801"
diff --git a/apps/stump/kustomization.yaml b/apps/stump/kustomization.yaml
new file mode 100644
index 0000000..14134a9
--- /dev/null
+++ b/apps/stump/kustomization.yaml
@@ -0,0 +1,4 @@
+resources:
+ - deployment.yaml
+ - pvc.yaml
+ - svc.yaml
diff --git a/apps/stump/pvc.yaml b/apps/stump/pvc.yaml
new file mode 100644
index 0000000..2a0cc23
--- /dev/null
+++ b/apps/stump/pvc.yaml
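Review bot: In apps/stump/deployment.yaml the container runs `image: aaronleopold/stump:latest`, so what gets deployed changes whenever the upstream tag moves and a rollback cannot name the version that was running. Pin a release tag or, better, a digest, e.g. `image: aaronleopold/stump:<release-tag>@sha256:<digest>` (placeholders). The container also has no `securityContext` and no `resources`, unlike the suwayomi Deployment added in the same commit. `allowPrivilegeEscalation: false` and `seccompProfile: {type: RuntimeDefault}` are likely safe to add as they stand; whether `runAsNonRoot` and dropping capabilities work depends on whether the image's PUID/PGID entrypoint has to start as root, which the diff does not show.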
@@ -0,0 +1,55 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: stump-config-pvc
+spec:
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: gouyoku-s3fs
+ resources:
+ requests:
+ storage: 5Gi
+---
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+ name: stump-data-pv
+spec:
+ storageClassName: s3yuyuko
+ capacity:
+ storage: 500G
+ accessModes:
+ - ReadWriteOnce
+ claimRef:
+ namespace: default
+ name: stump-data-pvc
+ csi:
+ driver: ru.yandex.s3.csi
+ controllerPublishSecretRef:
+ name: csi-yuyuko-secret
+ namespace: kube-system
+ nodePublishSecretRef:
+ name: csi-yuyuko-secret
+ namespace: kube-system
+ nodeStageSecretRef:
+ name: csi-yuyuko-secret
+ namespace: kube-system
+ volumeAttributes:
+ capacity: 500G
+ mounter: s3fs-fuse
+ options: --memory-limit 1000 --dir-mode 0777 --file-mode 0666 -o allow_other --uid 1000 --gid 1000
+ volumeHandle: books
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: stump-data-pvc
+spec:
+ accessModes:
+ - ReadWriteOnce
+ storageClassName: s3yuyuko
+ resources:
+ requests:
+ storage: 500G
+ volumeMode: Filesystem
+ volumeName: stump-data-pv
\ No newline at end of file
diff --git a/apps/stump/svc.yaml b/apps/stump/svc.yaml
new file mode 100644
index 0000000..b8d46b0
--- /dev/null
+++ b/apps/stump/svc.yaml
@@ -0,0 +1,13 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: stump
+spec:
+ type: ClusterIP
+ selector:
+ app.kubernetes.io/name: stump
+ ports:
+ - protocol: TCP
+ port: 80
+ targetPort: http
+ name: http
\ No newline at end of file
diff --git a/apps/suwayomi/deployment.yaml b/apps/suwayomi/deployment.yaml
new file mode 100644
index 0000000..7f8628b
--- /dev/null
+++ b/apps/suwayomi/deployment.yaml
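Review bot: The `options` string on the `stump-data-pv` volume in apps/stump/pvc.yaml mounts the bucket with `--dir-mode 0777 --file-mode 0666 -o allow_other`, so every file is writable by any UID on the node that can reach the mount path. The same line already sets `--uid 1000 --gid 1000`, matching the PUID/PGID given to the stump container, so owner and group modes are enough: `--dir-mode 0750 --file-mode 0640`. `claimRef.namespace: default` also ties the volume to the default namespace, so the claim will not bind if stump is later moved into its own namespace.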
@@ -0,0 +1,66 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+ name: suwayomi
+ labels:
+ app.kubernetes.io/name: suwayomi
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app.kubernetes.io/name: suwayomi
+ template:
+ metadata:
+ labels:
+ app.kubernetes.io/name: suwayomi
+ spec:
+ affinity:
+ nodeAffinity:
+ requiredDuringSchedulingIgnoredDuringExecution:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: kubernetes.io/hostname
+ operator: In
+ values:
+ - ran
+ volumes:
+ - name: data
+ persistentVolumeClaim:
+ claimName: suwayomi-pvc
+ containers:
+ - name: suwayomi
+ image: ghcr.io/suwayomi/suwayomi-server:v2.0.1802
+ ports:
+ - containerPort: 4567
+ name: http
+ env:
+ - name: "TZ"
+ value: "America/Toronto"
+ - name: "DOWNLOAD_AS_CBZ"
+ value: "true"
+ - name: "EXTENSION_REPOS"
+ value: "[\"https://raw.githubusercontent.com/keiyoushi/extensions/repo/index.min.json\"]"
+ - name: "AUTO_DOWNLOAD_CHAPTERS"
+ value: "true"
+ - name: "BASIC_AUTH_ENABLED"
+ value: "false"
+ volumeMounts:
+ - name: data
+ mountPath: "/home/suwayomi/.local/share/Tachidesk"
+ securityContext:
+ runAsUser: 1000
+ runAsGroup: 1000
+ runAsNonRoot: true
+ allowPrivilegeEscalation: false
+ capabilities:
+ drop:
+ - ALL
+ seccompProfile:
+ type: RuntimeDefault
+ resources:
+ limits:
+ cpu: 1500m
+ memory: 1024Mi
+ requests:
+ cpu: 250m
+ memory: 256Mi
\ No newline at end of file
diff --git a/apps/suwayomi/kustomization.yaml b/apps/suwayomi/kustomization.yaml
new file mode 100644
index 0000000..517719f
--- /dev/null
+++ b/apps/suwayomi/kustomization.yaml
@@ -0,0 +1,4 @@
+resources:
+ - deployment.yaml
+ - pvc.yaml
+ - services.yaml
\ No newline at end of file
diff --git a/apps/suwayomi/pvc.yaml b/apps/suwayomi/pvc.yaml
new file mode 100644
index 0000000..59b409b
--- /dev/null
+++ b/apps/suwayomi/pvc.yaml
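Review bot: `BASIC_AUTH_ENABLED` is set to `"false"` in the suwayomi container's `env` in apps/suwayomi/deployment.yaml, so the server itself accepts unauthenticated requests from anything that can reach the Service. That matters more than usual here because the same server is configured to fetch extensions from the `EXTENSION_REPOS` URL. If a gateway in front of the cluster is the intended access control, record that in a comment next to the variable; otherwise enable basic auth and take the credentials from a Secret, as sketched below (the Secret name and keys are placeholders, no such Secret is part of this commit).

```yaml
          env:
            # … unchanged: TZ, DOWNLOAD_AS_CBZ, EXTENSION_REPOS, AUTO_DOWNLOAD_CHAPTERS …
            - name: "BASIC_AUTH_ENABLED"
              value: "true"
            - name: "BASIC_AUTH_USERNAME"
              valueFrom:
                secretKeyRef:
                  name: suwayomi-secrets  # placeholder
                  key: BASIC_AUTH_USERNAME
            - name: "BASIC_AUTH_PASSWORD"
              valueFrom:
                secretKeyRef:
                  name: suwayomi-secrets  # placeholder
                  key: BASIC_AUTH_PASSWORD
```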
@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: suwayomi-pvc
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 150Gi
+ storageClassName: seaweedfs-keiki
\ No newline at end of file
diff --git a/apps/suwayomi/services.yaml b/apps/suwayomi/services.yaml
new file mode 100644
index 0000000..0df482b
--- /dev/null
+++ b/apps/suwayomi/services.yaml
@@ -0,0 +1,12 @@
+apiVersion: v1
+kind: Service
+metadata:
+ name: suwayomi
+spec:
+ type: ClusterIP
+ selector:
+ app.kubernetes.io/name: suwayomi
+ ports:
+ - protocol: TCP
+ port: 80
+ targetPort: http
\ No newline at end of file
diff --git a/apps/teable/secrets.sops.yaml b/apps/teable/secrets.sops.yaml
deleted file mode 100644
index c264a88..0000000
--- a/apps/teable/secrets.sops.yaml
+++ /dev/null
@@ -1,63 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: teable-secrets - namespace: teable -type: Opaque -stringData: - PRISMA_DATABASE_URL: ENC[AES256_GCM,data:p4SCW5CKfbLNBzRqC8VfD39Nq7TeTxFtCzA2KJvpy5mdKriI+3GnPi2AYjmwjrsiNF16AkPh5AcuYtKbH3oGnpgJBDQ=,iv:BiqYo7kJ1++edcUZ0rY4XtWsW4knPvR0BqtC/ty2IRw=,tag:LWdNYowNsmfJeRPprhVt2w==,type:str] - SECRET_KEY: ENC[AES256_GCM,data:aOWFqRx6aZtZWsSMiRp+6oYKqvddKA==,iv:xyRdo0N6M47QwvmfsRh4M2tKvqKc75ueAlvsH/DgoBM=,tag:2/WXJ1BzH7itediRt8S8gQ==,type:str] - BACKEND_STORAGE_PROVIDER: ENC[AES256_GCM,data:yCs=,iv:/8T8JAqOKnSvhyMh0hCVArc0GT2vKQnKPqt9azSRdyk=,tag:2f4kmL5+C3cr1qFcH9svow==,type:str] - BACKEND_STORAGE_S3_REGION: ENC[AES256_GCM,data:KZ8Y3A==,iv:bZ7iD6Qm0BE4oLZe4+WZLNHA1nIeyDzmyzcRRVKGGOU=,tag:eNghzGEJPOMqYMWjyFzffw==,type:str] - BACKEND_STORAGE_S3_ENDPOINT: ENC[AES256_GCM,data:wQ0eVIEXcQPb+xK8dgHFdgVyIgI04Q==,iv:sTNtjHmO0zncNQPssd5TYmGu1JItmWRAFz7r8tfx+0c=,tag:amLJpZgmvk7tj6iCR0MSWg==,type:str] - BACKEND_STORAGE_S3_ACCESS_KEY: ENC[AES256_GCM,data:Z1p3SjBp8+lIyJEXnBT2qbExPFTdaQgcsEp73l6aA+wg5HGYkl5sGHVT52D7nmLCE9BPCT7b,iv:rhQ6+jRaQau9ZU2Gmrgt7Xx9nXp6sy81dj3EN2o4+JU=,tag:DWH8TFquX7FK9zfSolVMvw==,type:str] - BACKEND_STORAGE_S3_SECRET_KEY: ENC[AES256_GCM,data:9PTHmhNvzjN0Q8/3iAgVQcKXrltUlIuBiulsOBl6Fte6Ys/H/CUHiIL8pYQ6uZSCph5AXDzzzJAFRt6kQ8ADB6dFmt/nZy4JfwLc,iv:NXQ1hhFjwEU2v+ENBexIMv2fAQEco0j79OdlpG3QZlY=,tag:x1o/ALTfIP3Gi/TO0XB+7A==,type:str] - BACKEND_STORAGE_PUBLIC_BUCKET: ENC[AES256_GCM,data:Kaqw/Qn9lBLohjGxNfFsi7QFUTAhXybpLRTZeMw=,iv:oxBRJS2L32tVTQyp7cVgMYqHWya2C5JTy5RrIKJeTMk=,tag:u4IZhFenN7ZUe3LQp7iGXQ==,type:str] - BACKEND_STORAGE_PRIVATE_BUCKET: ENC[AES256_GCM,data:cT8TnvJjHUwk1Bi/ALRgRCXxjkAOQeAANbJq6pGS,iv:dHj4dVrvheMxEpzAhqv5SaatG8GkHevRiLz+uSuNkCo=,tag:0fnqY40MaPxWbVWNujwizA==,type:str] - BACKEND_CACHE_REDIS_URI: ENC[AES256_GCM,data:B0+f12ZiB/ahJx5ODWsFju3Zi2r5upDsrkKR5WZciCn0oRXfOJKpFkOJQ13gyPFODrXQKUN2mA==,iv:CTqcmzU9uXvuK+Np+wJFz5ZvKvBmNwn4OaBH7o3YEmI=,tag:dT4rEjYrzxxyxpBW4OJeaQ==,type:str] - 
BACKEND_MAIL_HOST: ENC[AES256_GCM,data:h/heC0+aSnj+aMCSFz56z4OcPt3+JEuk,iv:9P/C0ZNK41e1VBwb5Bp2IZftsTxZOUqIt2QRPqEfw0U=,tag:GZuTls2Mk/eOI4xYWMJMfQ==,type:str] - BACKEND_MAIL_PORT: ENC[AES256_GCM,data:nufq,iv:FZR3Y1o7aFX2fPWEQ9vF8Q5SGlrPkiQaYHwyUGee/Nc=,tag:Jq/fvK1zgg6kaYplFaq5aA==,type:str] - BACKEND_MAIL_SECURE: ENC[AES256_GCM,data:1E7AurY=,iv:7U78J5yYcZ31S2RfJnFKvUifqgc9V3QfJLf6NlVQ0is=,tag:aubiOJZqsJYCTSCMv822aQ==,type:str] - BACKEND_MAIL_SENDER: ENC[AES256_GCM,data:h5n57NafCdaWIJh7yuj4kgBh+S2Md6JkNRA=,iv:ccB3n2LJ+Q+lvtKzv63DWnzJWesPyI2HtvmqY27JTLY=,tag:Qg8niJJi0+bowZMKaowFYQ==,type:str] - BACKEND_MAIL_SENDER_NAME: ENC[AES256_GCM,data:2TEqZA==,iv:GGBP3Mgj2vyykjdOjqAktvlhXtG4Yr45qyargkdACEY=,tag:1BoUY/o4l/yWnnTV5aeUyw==,type:str] - BACKEND_MAIL_AUTH_USER: ENC[AES256_GCM,data:zW2rwHkBk4zexbshtR+RfzQNum7pMQ==,iv:R6g3Qy7s7jtsEJ86qB9p5xEJe+7hrI0TZZ+t90XGFUA=,tag:drxqSlmuiWERL2xhmNdJTA==,type:str] - BACKEND_MAIL_AUTH_PASS: ENC[AES256_GCM,data:DtFGivgfY3xcYdUrNfTMlw==,iv:72fyZwylD5qyguBoISjAwIVBPobIL+AKxzn/7ypV5bc=,tag:zEdgf84eMhR9Ir6BMx+CHg==,type:str] -sops: - age: - - recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQc1kwakRRamxOZW13YkNP - VHB2ZFFhSnBIWWRXSEFOTXpsR1g3bzFHMXkwCnlTSTJjOXp6dnRtVHdmWkEwQzRG - WENWWHR2aGUzdnJZaFJmU01ZUFQ2ZTQKLS0tIDd3bnBjUXB6akx3WnJraThqRlBn - d0Z1TFhOTDEycVVCRGY3NHFGaWFoV0kKDEVOygYUWB4S1fpCyVB1MWSt6+e6Ge9Z - AWDy03vHqhubdjM8VZeoxXNRfAtOkCfcHmovD2hzJiP31wb4zFfQKg== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-06-06T09:15:39Z" - mac: ENC[AES256_GCM,data:HbmOK4kLgQ5P26aLGNhEAQ8CSx9W9eUWju2CeGgOglfCBRLon37i/z9O4D2Z98xZpqR0aubjV0VCMLORI4JKK123BUscsS6Od58Lj89LzRf4Kt7MZMkn5k52Smj9Z2NldXa/OUpr2R/vcfyW9mYrqfl4z0Y2xY7QxfgOj589CQo=,iv:AYviec5/ZouEYz7pONTxFNB5qv3YRjQo5G/8qpCKtE0=,tag:TugoHvi02uZxO/qoqxQTow==,type:str] - encrypted_regex: ^(data|stringData)$ - version: 3.10.2 ---- -apiVersion: v1 -kind: Secret -metadata: - 
name: valkey-secrets - namespace: teable -type: Opaque -stringData: - VALKEY_EXTRA_FLAGS: ENC[AES256_GCM,data:7MDLC5SfLa7U6qQzPiK9Qck5SJLBQ12JfUChoKGO8eYOt7j134Zb4YRfOkHIwswW,iv:u/O/oRarsA0O8zqRJsuolvr0s0jvWq96tMdVm5oavl8=,tag:4THBYneG4aC0vuBulQa8nA==,type:str] -sops: - age: - - recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBQc1kwakRRamxOZW13YkNP - VHB2ZFFhSnBIWWRXSEFOTXpsR1g3bzFHMXkwCnlTSTJjOXp6dnRtVHdmWkEwQzRG - WENWWHR2aGUzdnJZaFJmU01ZUFQ2ZTQKLS0tIDd3bnBjUXB6akx3WnJraThqRlBn - d0Z1TFhOTDEycVVCRGY3NHFGaWFoV0kKDEVOygYUWB4S1fpCyVB1MWSt6+e6Ge9Z - AWDy03vHqhubdjM8VZeoxXNRfAtOkCfcHmovD2hzJiP31wb4zFfQKg== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-06-06T09:15:39Z" - mac: ENC[AES256_GCM,data:HbmOK4kLgQ5P26aLGNhEAQ8CSx9W9eUWju2CeGgOglfCBRLon37i/z9O4D2Z98xZpqR0aubjV0VCMLORI4JKK123BUscsS6Od58Lj89LzRf4Kt7MZMkn5k52Smj9Z2NldXa/OUpr2R/vcfyW9mYrqfl4z0Y2xY7QxfgOj589CQo=,iv:AYviec5/ZouEYz7pONTxFNB5qv3YRjQo5G/8qpCKtE0=,tag:TugoHvi02uZxO/qoqxQTow==,type:str] - encrypted_regex: ^(data|stringData)$ - version: 3.10.2 diff --git a/apps/technitium/deployment.yaml b/apps/technitium/deployment.yaml deleted file mode 100644 index 3c1ca1c..0000000 --- a/apps/technitium/deployment.yaml +++ /dev/null @@ -1,32 +0,0 @@ -apiVersion: apps/v1 -kind: Deployment -metadata: - name: technitium-dns - labels: - app.kubernetes.io/name: technitium-dns -spec: - replicas: 1 - selector: - matchLabels: - app.kubernetes.io/name: technitium-dns - template: - metadata: - labels: - app.kubernetes.io/name: technitium-dns - spec: - volumes: - - name: technitium-data - persistentVolumeClaim: - claimName: technitium-data-pvc - containers: - - image: technitium/dns-server:latest - name: technitium - ports: - - containerPort: 5380 - - containerPort: 53 - protocol: TCP - - containerPort: 53 - protocol: UDP - volumeMounts: - - name: technitium-data - mountPath: "/etc/dns" 
diff --git a/apps/technitium/kustomization.yaml b/apps/technitium/kustomization.yaml deleted file mode 100644 index 597e9cd..0000000 --- a/apps/technitium/kustomization.yaml +++ /dev/null @@ -1,4 +0,0 @@ -resources: -- pvc.yaml -- deployment.yaml -- services.yaml \ No newline at end of file diff --git a/apps/technitium/services.yaml b/apps/technitium/services.yaml deleted file mode 100644 index f833387..0000000 --- a/apps/technitium/services.yaml +++ /dev/null @@ -1,24 +0,0 @@ -apiVersion: v1 -kind: Service -metadata: - name: technitium -spec: - type: NodePort - selector: - app.kubernetes.io/name: technitium-dns - ports: - - protocol: TCP - port: 80 - targetPort: 5380 - nodePort: 30011 - name: http - - protocol: TCP - port: 53 - targetPort: 53 - nodePort: 30012 - name: dns-tcp - - protocol: UDP - port: 53 - targetPort: 53 - nodePort: 30012 - name: dns-udp \ No newline at end of file diff --git a/apps/vaultwarden/secrets.sops.yaml b/apps/vaultwarden/secrets.sops.yaml deleted file mode 100644 index 32105ee..0000000 --- a/apps/vaultwarden/secrets.sops.yaml +++ /dev/null 
@@ -1,23 +0,0 @@ -apiVersion: v1 -kind: Secret -metadata: - name: vaultwarden-secrets -type: Opaque -stringData: - SMTP_PASSWORD: ENC[AES256_GCM,data:ufFFpjspCNUdGT3sYNuuKQ==,iv:D3h1kX9ZQ9530gJ63L/YBD15NKu8j8OxhKcCzP61vnM=,tag:IxXauPdCxSqlYRtzFH0Hhw==,type:str] - DATABASE_URL: ENC[AES256_GCM,data:7+H4czU+m7HZhda+y7mj9ST6bayMgC+jcQmRgcLlmZFV+4Nnzypd2vefOrhLAiZV9wpOi1orKvUtcrl9gNsBjOXxgkVGSos6W+pKnckupikbknW+Ra99ij5VJw==,iv:f3zvmuf1Z6ysdmvC0kbstOnkvM9O/zYsrkv5pP026HA=,tag:286U6+3GZyfwZxK2L4wWSw==,type:str] -sops: - age: - - recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB1VFNZYnJzd2NQYXV1ckd2 - d3lybWtYbUJIcWxnVlhLV09STTRtVDdhZVZVClZQOVZQZTJqQzJkb3R0clBxNG5q - elY2MFNpNGVLTVYyQkJENUJ5SmQ5TWsKLS0tIGFmWDRsUS9YZVgwaFBsN3RZcVlz - VFRQMEprYVA0ZEU1ZG5ienJ1dEt5S28KgCutiomxOnX/G58d4XOBOJxgr5W9NW0s - GogonWwuW7gCHvS0K2LQFYaQpZtM++9y+IjTFwUYv2fIxuKBkd5QVw== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-06-23T15:29:56Z" - mac: ENC[AES256_GCM,data:fFr7jczPTJKtBui7cItBem3TEO2VAEGp6GfyvPeJ3/ZjxUJzxSjIUiTTAVWKYq4a4O69tCHijFfXMlAXSf4C/CgjfFpi0y459gn4Iz0GC8uD2YlJS5558tB8roc5QPF5NK6SN2AtIAOTe37ScbI//aKzM0LYTEb1Lke18yei4Fw=,iv:GzIaYOUgk684UX1lpIhP6iuoxVTenVWfhAbV4tcO8So=,tag:+mY461BhKOJUggExjK7AHA==,type:str] - encrypted_regex: ^(data|stringData)$ - version: 3.10.2 diff --git a/encrypt_secrets.sh b/encrypt_secrets.sh new file mode 100755 index 0000000..c30ef22 --- /dev/null +++ b/encrypt_secrets.sh @@ -0,0 +1,5 @@ +#!/bin/sh + + +fd -I "secrets.yaml" -x sops -e --encrypted-regex '^(data|stringData)$' --output {.}.sops.yaml {} +fd -I "local_settings.py" -x sops -e --output {.}.sops.py {} \ No newline at end of file diff --git a/infra/README.md b/infra/README.md new file mode 100644 index 0000000..436d949 --- /dev/null +++ b/infra/README.md 
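Review bot: The second `fd` line in encrypt_secrets.sh encrypts `local_settings.py`, but the root `.gitignore` touched by this same commit lists only `secrets.yaml`, `infra/*/tailscale.patch.yaml` and `.DS_Store`, so the plaintext settings file can be staged by accident unless it is ignored somewhere not shown; add `local_settings.py` there. The search patterns are unanchored regular expressions, so `"secrets.yaml"` also matches names such as `secrets.yaml.bak`; `'^secrets\.yaml$'` and `'^local_settings\.py$'` keep the script to the intended files. The script also has no `set -eu`, so a failure in the first `fd` run is masked by the exit status of the second and a stale `*.sops.yaml` can be committed unnoticed. `tailscale.patch.yaml` is gitignored and has an encrypted counterpart in this commit but is not handled by the script, so it presumably has to be re-encrypted by hand.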
@@ -0,0 +1,45 @@
+# Infra
+
+The cluster is formed by three Proxmox hosts, hosting in total 6 Talos virtual machines. All of them are linked through Wireguard and kubespan. They're also connected to Tailscale to allow accessing other hosts.
+
+## Host `yuyuko`
+
+The main server. It also contains most of the computer power and most of the storage (a ZFS array with 64.56 TiB of raw storage!). This is also the most painful to upgrade things on / reboot due to... reasons.
+
+**Location**: Montréal (Home)
+
+**Virtual machines**:
+- yukari (controlplane)
+ - Address: 10.0.0.240
+- ran (worker)
+ - Address: 10.0.0.241
+
+### Internal gateway `suika`
+
+Outside of the Kubernetes cluster is the `suika` virtual machine. I didn't want to fiddle around _too_ much with MetalLB and Load Balancers, so this virtual machine runs NGINX as a way to provide HTTPS service to the cluster with more memorable names (because ``.
+
+## Host `niwatori`
+
+The 30$ eBay computer. It's mainly there to provide some redundency and a bit of storage (a 1TB SSD is in there)
+
+**Location**: Montréal (Home)
+
+**Virtual machines**:
+- fujiwara-no-mokou (worker)
+ - Address: 10.0.0.245
+
+## Host `yuuma`
+
+Hetzner's server auctions are great! This is my offsite server to provide a stable endpoint in Europe.
+
+**Location**: Falkenstein
+
+**Virtual machines**:
+- yukari (controlplane)
+ - Address: 10.0.0.240
+- ran (worker)
+ - Address: 10.0.0.241
+
+### External gateway `okina`
+
+Outside of the Kubernetes cluster is the `okina` virtual machine. Same reasons as for `suika`, but for outside people to my infra. It runs Caddy to do that.
\ No newline at end of file
diff --git a/infra/clusterconfig/.gitignore b/infra/clusterconfig/.gitignore
deleted file mode 100644
index 91748c4..0000000
--- a/infra/clusterconfig/.gitignore
+++ /dev/null
@@ -1,8 +0,0 @@ -yakumo-yukari.yaml -yakumo-byakuren.yaml -yakumo-tojiko.yaml -yakumo-chen.yaml -yakumo-ran.yaml -yakumo-fujiwara-no-moukou.yaml -talosconfig -yakumo-wagasakihime.yaml diff --git a/infra/create_new_bucket.sh b/infra/create_new_bucket.sh deleted file mode 100644 index ddc68b4..0000000 --- a/infra/create_new_bucket.sh +++ /dev/null @@ -1,3 +0,0 @@ -garage bucket create books -garage bucket allow --read --write --owner books --key k8s -garage bucket allow --read --write books --key prettysunflower \ No newline at end of file diff --git a/infra/init_seaweed.sh b/infra/init_seaweed.sh deleted file mode 100644 index be0885c..0000000 --- a/infra/init_seaweed.sh +++ /dev/null @@ -1,3 +0,0 @@ -git clone https://github.com/seaweedfs/seaweedfs-csi-driver.git -helm install --set storageClassName="seaweedfs-keiki" --set seaweedfsFiler="100.79.209.9:8888" seaweedfs-csi-keiki-driver ./seaweedfs-csi-driver/deploy/helm/seaweedfs-csi-driver --namespace="kube-system" -helm install --set driverName="seaweedfs-csi-keiki-driver" --set storageClassName="seaweedfs-keiki" --set seaweedfsFiler="100.79.209.9:8888" seaweedfs-csi-keiki-driver ./seaweedfs-csi-driver/deploy/helm/seaweedfs-csi-driver --namespace="kube-system" \ No newline at end of file diff --git a/infra/seija/clusterconfig/.gitignore b/infra/seija/clusterconfig/.gitignore new file mode 100644 index 0000000..661349f --- /dev/null +++ b/infra/seija/clusterconfig/.gitignore @@ -0,0 +1,4 @@ +seija-fulgora.yaml +seija-gleba.yaml +seija-vulcanus.yaml +talosconfig diff --git a/infra/seija/csi/hcloud-csi.yaml b/infra/seija/csi/hcloud-csi.yaml new file mode 100644 index 0000000..cd40575 --- /dev/null +++ b/infra/seija/csi/hcloud-csi.yaml 
@@ -0,0 +1,401 @@ +--- +# Source: hcloud-csi/templates/controller/serviceaccount.yaml +apiVersion: v1 +kind: ServiceAccount +metadata: + name: hcloud-csi-controller + namespace: "kube-system" + labels: + app.kubernetes.io/name: hcloud-csi + app.kubernetes.io/instance: hcloud-csi + app.kubernetes.io/component: controller +automountServiceAccountToken: true +--- +# Source: hcloud-csi/templates/core/storageclass.yaml +kind: StorageClass +apiVersion: storage.k8s.io/v1 +metadata: + name: hcloud-volumes + annotations: + storageclass.kubernetes.io/is-default-class: "true" +provisioner: csi.hetzner.cloud +volumeBindingMode: WaitForFirstConsumer +allowVolumeExpansion: true +reclaimPolicy: "Delete" +--- +# Source: hcloud-csi/templates/controller/clusterrole.yaml +kind: ClusterRole +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: hcloud-csi-controller + labels: + app.kubernetes.io/name: hcloud-csi + app.kubernetes.io/instance: hcloud-csi + app.kubernetes.io/component: controller +rules: +# attacher +- apiGroups: [""] + resources: [persistentvolumes] + verbs: [get, list, watch, update, patch] +- apiGroups: [""] + resources: [nodes] + verbs: [get, list, watch] +- apiGroups: [csi.storage.k8s.io] + resources: [csinodeinfos] + verbs: [get, list, watch] +- apiGroups: [storage.k8s.io] + resources: [csinodes] + verbs: [get, list, watch] +- apiGroups: [storage.k8s.io] + resources: [volumeattachments] + verbs: [get, list, watch, update, patch] +- apiGroups: [storage.k8s.io] + resources: [volumeattachments/status] + verbs: [patch] +# provisioner +- apiGroups: [""] + resources: [secrets] + verbs: [get, list] +- apiGroups: [""] + resources: [persistentvolumes] + verbs: [get, list, watch, create, delete, patch] +- apiGroups: [""] + resources: [persistentvolumeclaims, persistentvolumeclaims/status] + verbs: [get, list, watch, update, patch] +- apiGroups: [storage.k8s.io] + resources: [storageclasses] + verbs: [get, list, watch] +- apiGroups: [""] + resources: [events] + verbs: 
[list, watch, create, update, patch] +- apiGroups: [snapshot.storage.k8s.io] + resources: [volumesnapshots] + verbs: [get, list] +- apiGroups: [snapshot.storage.k8s.io] + resources: [volumesnapshotcontents] + verbs: [get, list] +# resizer +- apiGroups: [""] + resources: [pods] + verbs: [get, list, watch] +# node +- apiGroups: [""] + resources: [events] + verbs: [get, list, watch, create, update, patch] +--- +# Source: hcloud-csi/templates/controller/clusterrolebinding.yaml +kind: ClusterRoleBinding +apiVersion: rbac.authorization.k8s.io/v1 +metadata: + name: hcloud-csi-controller + labels: + app.kubernetes.io/name: hcloud-csi + app.kubernetes.io/instance: hcloud-csi + app.kubernetes.io/component: controller +roleRef: + apiGroup: rbac.authorization.k8s.io + kind: ClusterRole + name: hcloud-csi-controller +subjects: + - kind: ServiceAccount + name: hcloud-csi-controller + namespace: "kube-system" +--- +# Source: hcloud-csi/templates/controller/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: hcloud-csi-controller-metrics + namespace: "kube-system" + labels: + app.kubernetes.io/name: hcloud-csi + app.kubernetes.io/instance: hcloud-csi + app.kubernetes.io/component: controller +spec: + ports: + - name: metrics + port: 9189 + selector: + app.kubernetes.io/name: hcloud-csi + app.kubernetes.io/instance: hcloud-csi + app.kubernetes.io/component: controller +--- +# Source: hcloud-csi/templates/node/service.yaml +apiVersion: v1 +kind: Service +metadata: + name: hcloud-csi-node-metrics + namespace: "kube-system" + labels: + app.kubernetes.io/name: hcloud-csi + app.kubernetes.io/instance: hcloud-csi + app.kubernetes.io/component: node +spec: + ports: + - name: metrics + port: 9189 + selector: + app.kubernetes.io/name: hcloud-csi + app.kubernetes.io/instance: hcloud-csi + app.kubernetes.io/component: node +--- +# Source: hcloud-csi/templates/node/daemonset.yaml +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: hcloud-csi-node + namespace: "kube-system" + 
labels: + app.kubernetes.io/name: hcloud-csi + app.kubernetes.io/instance: hcloud-csi + app.kubernetes.io/component: node + app: hcloud-csi +spec: + updateStrategy: + type: RollingUpdate + selector: + matchLabels: + app: hcloud-csi + template: + metadata: + labels: + app.kubernetes.io/name: hcloud-csi + app.kubernetes.io/instance: hcloud-csi + app.kubernetes.io/component: node + app: hcloud-csi + spec: + + affinity: + nodeAffinity: + requiredDuringSchedulingIgnoredDuringExecution: + nodeSelectorTerms: + - matchExpressions: + - key: instance.hetzner.cloud/is-root-server + operator: NotIn + values: + - "true" + tolerations: + - effect: NoExecute + operator: Exists + - effect: NoSchedule + operator: Exists + - key: CriticalAddonsOnly + operator: Exists + securityContext: + fsGroup: 1001 + initContainers: + containers: + - name: csi-node-driver-registrar + image: registry.k8s.io/sig-storage/csi-node-driver-registrar:v2.7.0 + imagePullPolicy: IfNotPresent + args: + - --kubelet-registration-path=/var/lib/kubelet/plugins/csi.hetzner.cloud/socket + volumeMounts: + - name: plugin-dir + mountPath: /run/csi + - name: registration-dir + mountPath: /registration + resources: + limits: {} + requests: {} + - name: liveness-probe + image: registry.k8s.io/sig-storage/livenessprobe:v2.9.0 + imagePullPolicy: IfNotPresent + volumeMounts: + - mountPath: /run/csi + name: plugin-dir + resources: + limits: {} + requests: {} + - name: hcloud-csi-driver + image: docker.io/hetznercloud/hcloud-csi-driver:v2.5.1 # x-release-please-version + imagePullPolicy: IfNotPresent + command: [/bin/hcloud-csi-driver-node] + volumeMounts: + - name: kubelet-dir + mountPath: /var/lib/kubelet + mountPropagation: "Bidirectional" + - name: plugin-dir + mountPath: /run/csi + - name: device-dir + mountPath: /dev + securityContext: + privileged: true + env: + - name: CSI_ENDPOINT + value: unix:///run/csi/socket + - name: METRICS_ENDPOINT + value: "0.0.0.0:9189" + - name: ENABLE_METRICS + value: "true" + ports: + - 
containerPort: 9189 + name: metrics + - name: healthz + protocol: TCP + containerPort: 9808 + resources: + limits: {} + requests: {} + livenessProbe: + failureThreshold: 5 + initialDelaySeconds: 10 + periodSeconds: 2 + successThreshold: 1 + timeoutSeconds: 3 + httpGet: + path: /healthz + port: healthz + volumes: + - name: kubelet-dir + hostPath: + path: /var/lib/kubelet + type: Directory + - name: plugin-dir + hostPath: + path: /var/lib/kubelet/plugins/csi.hetzner.cloud/ + type: DirectoryOrCreate + - name: registration-dir + hostPath: + path: /var/lib/kubelet/plugins_registry/ + type: Directory + - name: device-dir + hostPath: + path: /dev + type: Directory +--- +# Source: hcloud-csi/templates/controller/deployment.yaml +apiVersion: apps/v1 +kind: Deployment +metadata: + name: hcloud-csi-controller + namespace: "kube-system" + labels: + app.kubernetes.io/name: hcloud-csi + app.kubernetes.io/instance: hcloud-csi + app.kubernetes.io/component: controller + app: hcloud-csi-controller +spec: + replicas: 1 + strategy: + type: RollingUpdate + selector: + matchLabels: + app: hcloud-csi-controller + template: + metadata: + labels: + app.kubernetes.io/name: hcloud-csi + app.kubernetes.io/instance: hcloud-csi + app.kubernetes.io/component: controller + app: hcloud-csi-controller + spec: + serviceAccountName: hcloud-csi-controller + + securityContext: + fsGroup: 1001 + initContainers: + containers: + - name: csi-attacher + image: registry.k8s.io/sig-storage/csi-attacher:v4.1.0 + imagePullPolicy: IfNotPresent + resources: + limits: {} + requests: {} + args: + - --default-fstype=ext4 + volumeMounts: + - name: socket-dir + mountPath: /run/csi + + - name: csi-resizer + image: registry.k8s.io/sig-storage/csi-resizer:v1.7.0 + imagePullPolicy: IfNotPresent + resources: + limits: {} + requests: {} + volumeMounts: + - name: socket-dir + mountPath: /run/csi + + - name: csi-provisioner + image: registry.k8s.io/sig-storage/csi-provisioner:v3.4.0 + imagePullPolicy: IfNotPresent + 
resources: + limits: {} + requests: {} + args: + - --feature-gates=Topology=true + - --default-fstype=ext4 + volumeMounts: + - name: socket-dir + mountPath: /run/csi + + - name: liveness-probe + image: registry.k8s.io/sig-storage/livenessprobe:v2.9.0 + imagePullPolicy: IfNotPresent + resources: + limits: {} + requests: {} + volumeMounts: + - mountPath: /run/csi + name: socket-dir + + - name: hcloud-csi-driver + image: docker.io/hetznercloud/hcloud-csi-driver:v2.5.1 # x-release-please-version + imagePullPolicy: IfNotPresent + command: [/bin/hcloud-csi-driver-controller] + env: + - name: CSI_ENDPOINT + value: unix:///run/csi/socket + - name: METRICS_ENDPOINT + value: "0.0.0.0:9189" + - name: ENABLE_METRICS + value: "true" + - name: KUBE_NODE_NAME + valueFrom: + fieldRef: + apiVersion: v1 + fieldPath: spec.nodeName + - name: HCLOUD_TOKEN + valueFrom: + secretKeyRef: + name: hcloud + key: token + resources: + limits: {} + requests: {} + ports: + - name: metrics + containerPort: 9189 + - name: healthz + protocol: TCP + containerPort: 9808 + livenessProbe: + failureThreshold: 5 + initialDelaySeconds: 10 + periodSeconds: 2 + successThreshold: 1 + timeoutSeconds: 3 + httpGet: + path: /healthz + port: healthz + volumeMounts: + - name: socket-dir + mountPath: /run/csi + + volumes: + - name: socket-dir + emptyDir: {} +--- +# Source: hcloud-csi/templates/core/csidriver.yaml +apiVersion: storage.k8s.io/v1 +kind: CSIDriver +metadata: + name: csi.hetzner.cloud +spec: + attachRequired: true + fsGroupPolicy: File + podInfoOnMount: true + volumeLifecycleModes: + - Persistent \ No newline at end of file diff --git a/infra/seija/csi/kustomization.yaml b/infra/seija/csi/kustomization.yaml new file mode 100644 index 0000000..98b4352 --- /dev/null +++ b/infra/seija/csi/kustomization.yaml @@ -0,0 +1,3 @@ +resources: +- secrets.yaml +- hcloud-csi.yaml \ No newline at end of file 
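Review bot: infra/seija/csi/kustomization.yaml lists `secrets.yaml` under `resources`, which is the gitignored plaintext file, while the commit adds only `secrets.sops.yaml` beside it. A fresh checkout therefore cannot build this kustomization until someone decrypts the Hetzner token to disk, and the plaintext then stays in the working tree. Either document the step in the file, e.g. `# secrets.yaml is produced with: sops -d secrets.sops.yaml > secrets.yaml`, or have the apply pipeline generate the Secret from the encrypted file so the plaintext is never written next to the manifests.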
diff --git a/infra/seija/csi/secrets.sops.yaml b/infra/seija/csi/secrets.sops.yaml new file mode 100644 index 0000000..152b7d8 --- /dev/null +++ b/infra/seija/csi/secrets.sops.yaml @@ -0,0 +1,22 @@ +apiVersion: v1 +kind: Secret +metadata: + name: hcloud + namespace: kube-system +stringData: + token: ENC[AES256_GCM,data:CqEok5/IsGRdab1LULB9iere2rjZY8L68k8CWa+FHyl72foxt28zPD/1DvlfPzodBzx3VRE+LRgRhhf6RI3wdg==,iv:23kcSWaKIylLLrqML30c7DDC0wI4cGgFtNIxuxqtTrQ=,tag:m4Zn7aOusfMcqEfQtA+Dyw==,type:str] +sops: + age: + - recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBmWTlBa3NsazVQYjVHMEk1 + eW5PUjl4K01ZZ1pTSmg2YWxSUkVZSmswczBFCnQ2N2pudmhTUVNIaFVPenZXamx1 + S3kxeXB5TUdCQ2hhYkRRYzc5VU02S1kKLS0tIHVEWGowSFE1aXRnVzkyVFY3NWlM + OVRxNzNoZ016QVVTakswbDhLYmp2bEUKHS9TOqjU9n82LtbBtKTVsKtTlEvrtyGz + +9MGRvCGQydbf6qZO/OLfiMRbPmgcnVovvb1a0NeWjXSR3r4uc+OUw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-07-16T14:35:28Z" + mac: ENC[AES256_GCM,data:IX1iQajPzcUXRHwRdbxPz0eXL5PoVNzIxPYL18De/+Wn6Vu0V5DDJbxK7bLd3Wnv66KBsZzpnrqRY/eu9HZ1bv8RE2dHVjXu07zDD1uu+yek2v0RpeChs0eovaogeBztPlJoyNg7sbwdDoMSWyWlqHe0TozgjEyVeZ9JCwIrDXw=,iv:UZk6JnZ5NLNVx22hzoULAXfjhvzxS6t5ZOY66hRGWQQ=,tag:VmNwnTx0RLtODOrWxu+f1Q==,type:str] + encrypted_regex: ^(data|stringData)$ + version: 3.10.2 diff --git a/infra/seija/csi/test.yaml b/infra/seija/csi/test.yaml new file mode 100644 index 0000000..c7c1099 --- /dev/null +++ b/infra/seija/csi/test.yaml 
@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+ name: csi-pvc
+spec:
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 10Gi
+ storageClassName: hcloud-volumes
+---
+kind: Pod
+apiVersion: v1
+metadata:
+ name: my-csi-app
+spec:
+ containers:
+ - name: my-frontend
+ image: busybox
+ volumeMounts:
+ - mountPath: "/data"
+ name: my-csi-volume
+ command: [ "sleep", "1000000" ]
+ volumes:
+ - name: my-csi-volume
+ persistentVolumeClaim:
+ claimName: csi-pvc
\ No newline at end of file
diff --git a/infra/seija/tailscale.patch.sops.yaml b/infra/seija/tailscale.patch.sops.yaml
new file mode 100644
index 0000000..557393c
--- /dev/null
+++ b/infra/seija/tailscale.patch.sops.yaml
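Review bot: The test pod's `image: busybox` carries no tag or digest, so it resolves to whatever `latest` points at when the pod is scheduled; pin it, e.g. `image: busybox:<TAG>` or a digest, so the CSI smoke test pulls a known image. Neither manifest sets `metadata.namespace`, so both land in whatever namespace the applying context defaults to, while the `hcloud` secret added in this commit names `kube-system` explicitly. A `namespace:` line, or a comment stating where the test is meant to run, would remove the guesswork.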
@@ -0,0 +1,21 @@ +apiVersion: ENC[AES256_GCM,data:uI18BwMBL54=,iv:ZSGmHuHUMCqi2SHW50PSH+NnJO1+hoECwUQtaWsSrPg=,tag:ZziftWKJwa3MUsMpNefOQw==,type:str] +kind: ENC[AES256_GCM,data:5V20Tgezvlxgb0kAQD8BfF1XWA3tLQ==,iv:zsqIXN+mlt244DMXmP2Pia3o89lcgYuL/htl5KW2Zn0=,tag:4QNn2oh+3s+KXEGjToqccw==,type:str] +name: ENC[AES256_GCM,data:1pcGqvBlP9Ac,iv:MxjPSVNREt4y+2OP431CDsV6eYJyFuM5KRJmjIfU1II=,tag:/iyAlxNQdIvid9+dx9hX4g==,type:str] +environment: + - ENC[AES256_GCM,data:7TFf83OkFQ7IKpaB8cXcPn5RgRicEjlNZW8wIJyuRfccofhSIyG7V/hVEz6yWGE4a2JHQS/1uLdqT+vFHClr/tlq3E39uBii,iv:6qkmu/vW3/LeXjWanyQs7xYuGOlm2qJMIMC/ASivaWo=,tag:3r1FuTCRXOAfn44rYfYOng==,type:str] + - ENC[AES256_GCM,data:ZUh+YUH69xeNHlEgfotvVp56PmlvFRD9xLo/qnEVL6+YbYu79A==,iv:pZVUahrl13V/CkfdcOPMnn3SGiNgbPc1GZ9FQKKwFGQ=,tag:n/HQN21jGrQpy3FSVO95eA==,type:str] +sops: + age: + - recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBRMGdkamh3amNUaXRKSDRS + MElWZ2dKQ28rbU9xY3NIM0lSVUZWNzBkT2dVCnZqcDNwV2pSRGVPUXFTd1VSZUpt + YWdBR1lQTmRUaCtFWFJMUE1Dd3JROWMKLS0tIHJUSUt6VVpmWEcxOWRLT2MyZ2hV + cGhzT204cmJRdWFwTTV6ZDJoY0xyZHcK3f/Y2MDGjjL7LUoVJV7POZYR6D8jrsxn + g9ZRQfbw24W4NYoYXI1bJttG5u0LVw9Bw5IYYIDVa1XsyH2km8EMSA== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-07-16T13:05:51Z" + mac: ENC[AES256_GCM,data:5lVkH9qeurFzrwLoaB2P2CYxifToiA5cQvTJhUV+yCoLREwiu1uBsD1Dhr4m9YsXu/Lvhe54iEUF6bCVO5bKKqSoA5NpJYAms/9hPptmSaGFYmfpIITcvTbnYkByCDyjx45LyFaeexr6tUdfm6C9c9pA1JoFaZC4TPI+L3dvPtk=,iv:gjqyzhevuhpYMM/HjXaa2hfiVGxzH97Gu35CesLoVLk=,tag:8lZUnRl4QLetxR7/lZsrpw==,type:str] + unencrypted_suffix: _unencrypted + version: 3.10.2 diff --git a/infra/talconfig.yaml b/infra/seija/talconfig.yaml similarity index 50% rename from infra/talconfig.yaml rename to infra/seija/talconfig.yaml index 3406c19..baba172 100644 --- a/infra/talconfig.yaml +++ b/infra/seija/talconfig.yaml 
@@ -1,14 +1,14 @@ --- -clusterName: yakumo -talosVersion: v1.10.4 -kubernetesVersion: v1.33.1 -endpoint: https://10.0.15.33:6443 -domain: yakumo.prettysunflower.moe -allowSchedulingOnControlPlanes: false +clusterName: seija +talosVersion: v1.10.5 +kubernetesVersion: v1.33.2 +endpoint: https://10.11.0.2:6443 +domain: seija.prettysunflower.moe +allowSchedulingOnControlPlanes: true clusterPodNets: - - 10.244.0.0/16 + - 10.215.0.0/16 clusterSvcNets: - - 10.96.0.0/12 + - 10.216.0.0/16 patches: - |- - op: add @@ -19,56 +19,27 @@ patches: path: /machine/features/hostDNS value: forwardKubeDNSToHost: false + - op: add + path: /machine/network + value: + nameservers: + - 100.96.226.96 nodes: - - hostname: yukari - ipAddress: 10.0.0.240 + - hostname: fulgora + ipAddress: 10.11.0.2 controlPlane: true arch: amd64 installDisk: /dev/sda - nodeLabels: - location: yul - - hostname: byakuren - ipAddress: 10.0.15.33 + - hostname: gleba + ipAddress: 10.11.0.3 controlPlane: true arch: amd64 installDisk: /dev/sda - nodeLabels: - location: fsn - - hostname: tojiko - ipAddress: 10.0.15.35 + - hostname: vulcanus + ipAddress: 10.11.0.4 controlPlane: true arch: amd64 installDisk: /dev/sda - nodeLabels: - location: fsn - - hostname: chen - ipAddress: 10.0.15.32 - controlPlane: false - arch: amd64 - installDisk: /dev/sda - nodeLabels: - location: fsn - - hostname: ran - ipAddress: 10.0.0.241 - controlPlane: false - arch: amd64 - installDisk: /dev/sda - nodeLabels: - location: yul - - hostname: fujiwara-no-moukou - ipAddress: 10.0.0.245 - controlPlane: false - arch: amd64 - installDisk: /dev/sda - nodeLabels: - location: yul - - hostname: wagasakihime - ipAddress: 192.168.19.133 - controlPlane: false - arch: amd64 - installDisk: /dev/sda - nodeLabels: - location: gva controlPlane: extraManifests: diff --git a/infra/seija/talsecret.sops.yaml b/infra/seija/talsecret.sops.yaml new file mode 100644 index 0000000..4b38a72 --- /dev/null +++ b/infra/seija/talsecret.sops.yaml 
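Review bot: `allowSchedulingOnControlPlanes` flips to `true` with no comment, and every node in the list that follows is `controlPlane: true`, so ordinary workloads will share nodes with etcd and the API server. If that is deliberate for a three-node cluster, say so above the key, e.g. `# all nodes are control plane; workloads are scheduled here by design`, and consider whether internet-facing pods belong on these nodes. `endpoint: https://10.11.0.2:6443` is also the address of the single node `fulgora`, so API access depends on that one node being reachable; a VIP or load-balanced address would avoid that. Both points apply equally to the new `infra/sekibanki/talconfig.yaml`.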
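Review bot: The added op targets `/machine/network` itself, and a JSON Patch `add` on a member that already exists replaces its whole value, so any network settings present when this op runs would be discarded in favour of `nameservers` alone. The lines between the two hunks are not visible here, but the sibling `infra/sekibanki/talconfig.yaml` adds `/machine/network/kubespan` in the same patch list, which suggests KubeSpan is among what would be lost. Narrowing the op to `path: /machine/network/nameservers` with `value: [100.96.226.96]` sets only the resolver. That single address lies in the 100.64.0.0/10 shared range, presumably a tailnet peer, so node DNS would depend on one host and on the tunnel being up; a second nameserver is worth adding. The `patches` block starts above this hunk.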
@@ -0,0 +1,38 @@ +cluster: + id: ENC[AES256_GCM,data:yK4kyb1YmkK9qxfPQrVQLbenPD7iP8bzTbyo1ymqAZiOxCxjVsWu/F+FKiY=,iv:3HvebEnwjn8KiGU7WM2xOK0Ll+prDZyeHOxqSEG5Irc=,tag:2iKQwR+du2ft93ShbVEKIg==,type:str] + secret: ENC[AES256_GCM,data:Ii1+lu8Hmu1AnZrPZaMztTV6QUHvvL8JY90QCToOUcJzp7tDkYBXctXjuDU=,iv:jlPJ9FDZd+M27jdGc6quSHVHQ4dfK+ks9Zh2mfRItW0=,tag:So/qg5vqk+415t+YmRDsnw==,type:str] +secrets: + bootstraptoken: ENC[AES256_GCM,data:UQgxJihAo3OCE4ADNYRLoOyrmJUdtk0=,iv:WdMudPLie0CHQh2HsWfT1uTF6whmqC8wlJDh2VNyGtk=,tag:yWF+jjODFvRyzR8wcddOrw==,type:str] + secretboxencryptionsecret: ENC[AES256_GCM,data:cOKmfBigi8gbY1689k5p35p/H/QKZOryQO8vJ8qBa59KO3Nu5z/GSnzTzsw=,iv:q60NOdKWQg+3hAcOk4avqv52QTRpm8hmgexWVjEaneI=,tag:32Dcp74rH27JGWSEuhVZbA==,type:str] +trustdinfo: + token: ENC[AES256_GCM,data:ZRNdMDBjNKkbbxRj34Jr+K3ZkOAAozE=,iv:ylJzwhstCc2zLXpagYD1ztWAT6g6RkcVBBzlIkKaZ5g=,tag:2Yr5G/qJzx8A2IR37reZoQ==,type:str] +certs: + etcd: + crt: ENC[AES256_GCM,data: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,iv:GI1qaCD6ERrfydgksLwJn3GLJhEZ8H+nab80280mhFc=,tag:CVxMSCmn6CPT2ZDhXDT9wg==,type:str] + key: ENC[AES256_GCM,data:VCEaYltj7ikCY2wshXNzYH3ioqfl9zjLmWi2QmDZJjWOChhTGEJburV3lbkKW5SJE2YKtbwecH0AwhQ22wWfIqxU2FE/KMHyZT3Z8cTnjhPS4u7RaBpBwW7bobLtq4ss86ExMT211UOClcS1Z7nc93csnouB+zJEvkybMFVvN11cb97y+CAI/kZSTss345WCH8O7DKBzYnCeCxc47/rWsufgKy2pl7fN40Kk44FuM7tM4PgTvluAEjkTvJDH3uYd5ej+fA8aKt1/6NK6iFvIySSq3UIk3SxBEEsu4IcZ3u2gQW+apCVZqQ5eD/odsErvd8iPF7M4pvuk1rCkCkxxqF/UsTr36Lu1bi34M9AubDiVN6jP8cyRyASbv8beFmxKthcQpiceltTWdkGW9vA5Vw==,iv:APUlzzvrY+x697kuijg8rFk0yGhvMrvA1F3cUv4kzYM=,tag:UsNsBdWIqY9qeqb/OYrwgg==,type:str] + k8s: + crt: ENC[AES256_GCM,data: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,iv:5/VYSvxXsi9Xb4pFlvaZjOUbYlIOIl/0qQlKpPPbefo=,tag:220oAUmMZzJ7GWV5AAoIpg==,type:str] + key: 
ENC[AES256_GCM,data:Hi85nmduWHju3/MGr3g2ncywxQTAVWsOoY+PdSRxI3OK0Ann70r6r39M9e92Y+XpkQ/7b5SkavAcfS6JYhz/AOt3PJKIovfc2GaADUxj07A2AccMTq31k0ZuqI+jdRzPt39ZcFuYj9Zup/BHEy/p2UVW+bNW5mrpO+r1btNvQ4MqlqgkLEIqJOa6U0IsAs2Zt8o8LAg5lWdQjwk5/CG2j27DNwJcIO59hTNZNtl1rEJMoJWiDlZ1HmzKlTOf3x86ZkPPSjSEpB4LH4CdGRX5o5hwyS+J2xWTPc9l6exqvg3GtFVbiL3tyrfMhZ1NiO8VVdvo/ZmO2VF6G+PmpqBcIpzUKoq5XH84Ky2WrowVnFiUAxlJTnmtil/0oO0ByR6R5UxgNiilkoMSj28ydd5foQ==,iv:UXO+QoSkeDyFBibxTDWf2U8b2SUJgdzCEjwP00gC/eA=,tag:TIe3rDACfGc3tZ0X1Lqs+Q==,type:str] + k8saggregator: + crt: ENC[AES256_GCM,data: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,iv:5XgQMQnYvcRW7pw4GVoNZ44i84XU2dbuMpPTmZaXARs=,tag:vsubLcPswOIxflC3VsoStg==,type:str] + key: ENC[AES256_GCM,data:piD1SaELNXT9UIH3IcYJoFNzh8VK3p2joIFvxmpjnuIWMZBqmlAiIMa3NXYVGi7GrkQkihzKr331DuoMNsSeG6RzoKZ/bG31KvbUlF3nja9VBClEN3t8uon5EDS34t7NY4UdynHmyXFCd2L50LWG84O8rAlQOAm1jEEYctyNPSOpAKmt+ijC7gFzkzmpASPECFWjfsk1CnwST/LgbtcMEwUKtWaKwonNHSkP+YusWM27S5pUlfbzHYM4zlD3eG8m12XjZzCjuy32RBgycyDRoQXRlifRc9JUtx6exvWupQuf8WFTjtHPAlZO+WDR+Scmm9nu3apVK5NI2MuWOUuipZWZgs1JT2RqUXIUah/Vc1QbZjaCC/dQ4TKePEjgY+/v9jpN1sJI8FX7+LQpNd8MVg==,iv:uK1sfmurBK7iLrr6h81xs8ain1uyLnkJ8Jxyu4LHfPE=,tag:fHmC8zxJdsiENs9mMlsX4A==,type:str] + k8sserviceaccount: + key: 
ENC[AES256_GCM,data:wNC3EdEjiv5Se/E3RAyOa4jM6ZmCqT0HyC8/GL2KsI6RQj37dNEZfZ3wGVJETmJGT68GA1OzCzCr2j/W8mxKeENj5aAE9DuNjgD/qjzWaVAAO2cnPvOhoVvXHHKyH744vRvbP3sXsLFPhzBqy8SiPkq+SkQLy7q8qGvALQtVMQhg9SRTgvBiJPBtA4sq8H7pOIn8tuznqpstXngG1K+qSDVFUpV2HEw8mMfZmUQkme5FypyZU7JAI3w56w3aiHLr8AHsqa7NmtptLBGlcwuJ1RubNAlvnJ5p0lFaC/4rFjmwhGOqDbMLvbZH+os722y/qfrZju+0sVICoddfwfH4UJLWQxoWvI+E/bVTmUUFSea7RQ1FaLwZCCkYXbYS/LqTGX89SvP3Un3NYRr5e5H84hUb4CXDrfbCRX50qX2cccFTMKm6WYazjt5PL1tUKy+QVvh1XuCBSIPSHx8bS7ydNV5heV2gdclv0z3ZmLn34VjdMTiT36UAykSUv7lqEyaK+nVlpVNF7U8g3w7X6vSQHkAxuuJd7Zsgbjc7Mmvv/FcbrwCWefO5HyY/2xkIXS+2QKq09Gqey8XkXvVzKVE17vSJj3JPfaaOwU59u/YZ2F1aNgdtVQ3tDGhZLwq/3+MZIOVSy4yTEQhFYiPE8FYDTXDWY4zMVNajwWrTinCgUaqMQCXCOYQzYnuwQsZNA1v96jTtKd5pren0vgzZHMpNxcVhtG//qaFr/Jef8Acmb0GsjCLus2sW4GMGy89htF216Fw7BM/xnYGfVXmTOICz1hO8jQpaov72VJ/w9ir0SdTVTvEDleGNxZs3O/B1iL76iho+MDMNZkDWF0TKaCqMF25YuyW4JpnOvS3yZooKH0P9WxKCBKdFPf1KaPRFMk+iilF8dHMa2RIMJosbhtk0/q+FqSLeALlqytMqzmiNEcWyb1pSsRO/s2m/XKjDYIwPDrkW6Js+5kb6RHYx2W68SKA0SC6qlGQFIB2A1ZIhhbiGkwh/jTJxSnRcvBf2Mjt4zgPWTDo9vz03qOWBz9NcAdYKQ/l7ew+lseOYMPEwoKsM4BTFcFyTxZ14x+MWA7qXKouoRg4YxR73sTDtUF139ffUUF/2tL7Js+DxDfT8mmXv6mlFrXQJUf1tOSdfzkfLh+j7FN8o+KbvvuYOKpF4xBuWqRu63AswJecklj2bDFdgQ+gy52085b9Dth8iFbj8gUG1Spx6GDokqMu6Xftsi2fgqRXe/Yzw27O1XFvQc1+sts4CwBNjVMDxdljBXN+8uOnAkxKWRFmBhMA4kgPE8jeDO1pTFd+i16ctb6o6+GXddNUYK/0OBay8q1wniwtzftpZIatokfMlTck8ingMzSDXK7HRUimTc18JyIKI2Ul4733YRglbtZ2eZdUQqBrlfDDxw1R+pxzQ92Vp7MHtuXdavWlrx+1xoMpb/3IR8YDulrB5cToS/5B+vy7fJAz5wuc5HngGzXKPrBDvduehB3SZIjeXhkN2boTLJQGbxWfnM/kyk/NfT04clqV+g2oPKjZOSDWbwqYn4x2zs1LiRWkOrKastb9w+E4f1SFM9jkLlLO9qdCBKk7p4fnib4LvwutOyf/0FkEyrrYLJc3XXcf2a+enb1Z1YhfAoRaEpBQs4jZ0GPjomLbBJ9TFfknKtx5w3k7ZC4sjlrNjEMoFsxyd2tp5xX4DDM2eesQr+3/lm4wIGP/37lrWwibN+rRnp6Its0q6LGSoNm9cSSxj4X6oATMUcRh5JNpAOyl7430ZfWN1Ax3R/7cZ7qcaVO46UcLY48qNnPeQrsJse0BzVq2cUTA0+1693qrPaVLn6qHx2z0svXyxIMO/cGNSLKeQQ353Byt2oBEJtwdGAcRrQKSQYrZfqSAoub+IKDuMXvtMtOp4Wo1NzwoBgc29a5DLIf9fUt85/lHJF2CXHqa6Db9cNgx/kWOiJa+es4rtUoMJDhndezG96RYc2qUq
2VHRW48pyl2qkBXmLU3tpJeDNp08e06RXECCpLCfm9nBVGv8H8pP+HIl/upyqA1QrSdOsqigBvVItLBNIKyldsD64LOfoJBdXY+1NDQ0YjzRln0/WKuPwUMrDZaHa1upmMRHSHNAe6P6+N28HwL03jmGXqIUlPhbxludx+Dh+rB54w/lKs2nnMcHPM+u5AgEai/rtFDyaeYQtjsSIzFIkzOyzZaejNcaFGeOPqI3CinJYe8O+qTNRVwqnOSCFvjZdCDy+50NFLFPswrKM9rUIpmJ9vXaBBONvY9M/yBALo10kJCrte3i2CZrrbdOlWs2om3c9dmtOCpYiQAHiP6PLp6pS9B/mwowN8fWKMVTte/DVAItCjr5sjoEPFYQxjke+5SLIkSxRuNIGqLFFwHMbi9Lk0H/zyKjeP+ZaCpF2m5DlVdTzHgnhA9hcFlX035kWgA7x7j7umxIGGUV8vybPOd8YJZoT1RWTorIfGjjk31VeXWgK7HA0B68H5wS5V7oqOAwtBGCv6ZfbNKZa8+pPlX3QnwVIpaUCN2vF3W5fcCehnmSBk5UrUEsKzI9R5atdRsPf/kq/C6jyKjoKWrse2ZA5JxA309L5fZmCh4GZXS1dZaDcoF28X5BaM9E++DAyuKni6b7uS/Sgz7GJE1aNqOEKaVu3vgm3TfyR+JsDQdhuQhS2PKmGx/CR2spArRFf05vkfMPZi3TMwh1EayHaOOPmbeYT0dGka/swrmZntdI3+HZdYeqKpd2wPpXuBEWNXB/iJ21Z++j7rbgvpPHXsTngqq0+9xqXE9eBTs//N+Q4BPLZd1QgvCmVltgs24iLoD+qaL60Ds5uWWNkfqopCwZkao4XpTTLmXyEwkD4EJe4huYyzJfdrZCC9Ck/TbIHlh80OodXq/cnK4pNXf8xu/g2uyqYYGIna5Y/QplL1bh2qxqVJhfzL3umLNdq78NVvkR1FU7WvI+nCMOempXP01GnoL93MDhVArdHCS6cG8DGMBci4xy/NTa6yx89NOQ369hVKESUEKkEYX+e+Mw3uoX66xpA8BSpNlxhEsmngC/g2qJfn49pqJQEIhHKlX/1wL6mSKmG7faheKPYZdxAaEDZfIqIApzkJi/NAjk/Xrt/CuOIMyzGbxzY/m7XAj6zLZjjZe0dcoV6NxhYhbRKQiZOdPdKl88P6tvdb0QuIkMlwZ5jFKRxm8S4oPxh4r84OtNEGTaL56qZo08CbBYuXCHXlOHDw+IsD7Oy0uxtqhB2Rmnf3KJmZKPmad/cK5xrX0MsueaNrkRVBSZAXMyt/dhUo0soWm7V6CttpIG7i3RD4/PhKlzIQIPHilJe3lltEcB/zu5Dho/FHcvhbLvqGKYnLpx1CaIDrzrxWkjlaHn29WjJy+3KwI4VOnbIgu4CrViaz92iOWNAmeahHAfBttd7TVdf/azmU14WUMXVUgFVY5m0QqM3p5EajMz/LUxRk+ntmTJo/2s/6UMOGFwVZoDJpAqdc63CUiYBBt3MF+tQghq5gaWM7PrPQwK6jkjFDFN7ki3RIKCXSrIff5+Ph23kTpT6OLIU3Y0DprbCiHqDY11ic5iFLK6LL32/f9SlH9iou9SaEpGFTvUXGt88uokVXm2NkJjwMbunAO3gpfsxNUil2QiPT6jkl7qVPJa7N2jf7XpskxBIQgaKEPyW9mbI2tGgwBhd9r6QazS8aOnEsQ2HCfWepIAxtMseXv9mKpIJr+ypKOHC6yfpUquCb96HrRtLdzb0WzAZgx+1ZEZLqrz5yHrr2Fq1bYs5vO83Vu0XAouDHBd2q2QP744RbY8wzvW8TrLhoWnoQetEcBqj8l317+JkKrSeo60OLcsYq9R6Y5wN5t3GJtCjjnzMtxCn25isOJyoq7mB7pAh3tuznw94pyvkZblHBKICnHtG4HNKsGXPSwHYhnoM5j0fQHfOUUDHqo3AzTSFb6nNAQ+qDMXE3XMcWQ4vw9odrIhqCREupHDhjJpgSHs
agQT5OmuZwQZtO7ftxw5yzx4Qc+AwFN78VhmjWdW835oJ7Kp8lnyQDdrCggekJbsPxTNZ2depzAmM6iRwzYVLWKm+GcDYK6IklM5PtEf8YkJ7Dp6wlsW1xJ8yHbtbc32FE3SY0NwTcgIZTqYHk01MRz4lYaespRGXBUBW1HqQpXE+UNlQ+HrNOF7yo1DQQ7nfOjic5ARX4wdmlRQJbZKiMYeJJLM+g1r5OWby9xDEbMlBLJk05MP965FSHmwceXqKKicokcZPdm5K2SsVx04oCihCph8hZm3cnG9QtYVAIp2vvbHqwRz1Nplj2G9PnvppOByoL6Or2uHJEMqW72jSB2A4t0PbajwLPgLjb7NNI12wZV5PoH1y8KIwK6ogFpaYVkW5n540WYaq/mrs9YEqLbadxRflG9cx+0/+yPVWZczSjrfMJgze67SO8iaUSriBbiAaavn2iJZCJkwe8Sap3IT5DScyvERuMBHL/p5jFepjKHIXA2KS4OwciOj9vq1DwaqY652FlNfyJhfHl/LEruAvrsjFDIc+PTCeQKcC+HvfDGjJ2/MVjw78e48GlrkPZBTXgQacTaaxIfNZ6Foj/PxjQeKSn3BbxV4+oQoQY9FRVjnLFJ/U+ivnyFFvb8tkLmlUc0fkeIrv01zfuTuIWjLlv6DnVS7pZ91jfavztjQ4wnB2WNXhUiQk9V09cGc4Tiwc4opdOUSiSXmZqGVGJXINGCE0uRKfrwZcPyMgIjNyks3h24v8W+7+F4LV/jS6GKdIdedBvoq4BC8DdhjdU9Y0fpGv7NBuDklUfPQ2TAe4erklb16/zspxTh334sVrQw0rwZsmpUnecIszJYsfncypmPmVwZ6gjdbDgFYymYw0YTz5fm5RMcZzxiRR4oJIdyqstg72G7hoBvH8CKHQw8g1VvsHcvjFgJHOE8LgV7EU9lxK9vnfBEMZcvto4rF+hi1n9M3pxJuaCycRM6T/ZODW32ICzezOPA+scXaejDR0tvh+KTxWlyiF4N+x0VMSOr+O137eykNDMRhur3+DkiF0nMz2AhTj/iBgbNeSutUaj2J53VfD/JD92fZMNGQq/jq6/CrSrxgPe8Cfz70VUFCTzZRMbgsi8v887WqRXXMbzfrAXBvhGtjwch8XmiqsCy1qIPxfkvR3SCmw9YAmzrOWq5eiSA143Z9/Y9NWLn+krIX24BNI/a15UFTIRi5W/uhF7t1A2224zEUGosVjriMyaagI66PUxkdCeAQh6WWHywGU5alQ7CiviIRcbyRlGnnWvVbMtmZK7FNeseXzlBZBAorrYGBeDTTj9ElAPys21qwfdoeWR9utWlFiJQWRmIoZkL6PrVgCMag547crxBqTiPfvskwOKQfUnzj+wyKGVd27rUeOY14nDvUzQuOEbEAPU0Q3+1nO1wA2jrvB/vIuoXwxR0/DFGfvLWwMgui2O4tayLon+3jPurALLxenWNbP5lwD1FQDBl7o0MKBNrVOPfH+cYHUyQbCkO6syjkfb+ZqI9tTvcLnXiNGrQVLN7E4KFHISW5v1WEBuXE2+iBvka57zwNz2GkNP9Frt7wK018+7kA8DloAs8GCMrKNcfqouP+02VUTNORi8/P8dtfj2a3GqHslNG+j37O5Hq0zVHu3DjLL+EYus8jXzJuU7LGZBz26F0enhiBWfzOI4/PPvecgkgUfMF2ziuWTAzsjMDkdTnarkVbtHgYs+STYU0pRptPO6fNYS0vzOTJEVhvyDbCjKEigVpPSRlbMBm9YjJ+GBHkMotn0Q==,iv:JaDeFUaX0r+1C2AX4chqDkK7Dkxnmslpg6zYYDWvJTo=,tag:tm/5beu6vy4HgN1H7RmSgw==,type:str] + os: + crt: 
ENC[AES256_GCM,data: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,iv:zU6VH29+IjakqvT/F5vNzEwZMO9uhPgBdiXCwN+tpC8=,tag:2GQSKPciu/MpWwRpqfPmJA==,type:str] + key: ENC[AES256_GCM,data:xUwbKyTYi3WczOPjnuc07BT790OpLn/JhfGPZo9f6m2gR7jncGjscEJVv1/45wqW8uKzJaQuzrjSCWZQsMklHg10/2dEIU+pfQsSiXiICcaJq/3CYb5OHVjNpCo5YjykcoiydDMpmIMxMyFXsmHAtfFqRNCGz7SUQ8qU9h+X3c/Z4WxNM6HgyeiY4fmTmamNoHJY8AxZWPHO5DbsQus43evk8NWmSlfY0Fet+MsKDiO/wnpp,iv:h3gZRSQ/8+1dS1U3xTJSwkZLy09VPUppaowodPPv/Hs=,tag:IUj2m6Sse2tlYSQjY6eqxQ==,type:str] +sops: + age: + - recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpdnhkV3pPRndibHBab3dt + T3c0aXR6c0VxZ2NySTNqa1JjOWM1bXRwZmdvClZPaDJldlh6a2pzb1dwQWdlVkxm + U1R2L3dkZFgvY2RDUDY5M3M3N201U3MKLS0tIEhLa0gxL2NyY3JrMFhJOGdnQ1Ru + ZklVYmU5MXROSUVNd3dxaldqU0JDM2cKdEIGW1aedSIlllJoaeJnGk2MluiKau7n + yWVHirB5PCq4jns0KsroQGY3aCAHquygWr7oZZyqn1J2/MD/oUGQ1Q== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-07-16T13:04:43Z" + mac: ENC[AES256_GCM,data:DFpvaavdirF3c8fxksiMDaU3R+rr6wpHkYu3jMO7JqJfGuFwJck+qCXPj+MbtnhJ9HIszMW4Eb06Ub43YtqocRnAnavWnbyjH74lrHgm4ZDdqj+DUI4xiMiIjBCnJHaaoSYYHygDVjiqVC7Bw5Io1QY9uFcWDl9u3xtafyEdBQk=,iv:EJ/NobtYCigamti7agzvqYvpGSm+LsTTqD4Ych4h0UI=,tag:5FOa8cKEWSaZ8/nDVx4Syw==,type:str] + unencrypted_suffix: _unencrypted + version: 3.10.2 diff --git a/infra/sekibanki/clusterconfig/.gitignore b/infra/sekibanki/clusterconfig/.gitignore new file mode 100644 index 0000000..3bda58f --- /dev/null +++ b/infra/sekibanki/clusterconfig/.gitignore @@ -0,0 +1,7 @@ +seija-fulgora.yaml +seija-gleba.yaml +seija-vulcanus.yaml +talosconfig +sekibanki-fulgora.yaml +sekibanki-gleba.yaml +sekibanki-vulcanus.yaml diff --git a/infra/sekibanki/storageclass.yaml b/infra/sekibanki/storageclass.yaml new file mode 100644 index 0000000..5a282e4 --- /dev/null +++ b/infra/sekibanki/storageclass.yaml 
@@ -0,0 +1,14 @@
+apiVersion: storage.k8s.io/v1
+kind: StorageClass
+metadata:
+ name: nfs-csi
+provisioner: nfs.csi.k8s.io
+parameters:
+ server: 100.126.243.21
+ share: /mnt/yuyuko/k8s
+reclaimPolicy: Delete
+volumeBindingMode: Immediate
+allowVolumeExpansion: true
+mountOptions:
+ - nfsvers=4.1
+ - nolock
\ No newline at end of file
diff --git a/infra/sekibanki/tailscale.patch.sops.yaml b/infra/sekibanki/tailscale.patch.sops.yaml
new file mode 100644
index 0000000..8ad81a3
--- /dev/null
+++ b/infra/sekibanki/tailscale.patch.sops.yaml
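Review bot: `nolock` under `mountOptions` only affects the NLM side protocol of NFSv2/v3, so next to `nfsvers=4.1` it does nothing and reads as if locking were switched off; drop it or add a comment saying why it is there. `reclaimPolicy: Delete` means deleting a claim also removes its directory under `/mnt/yuyuko/k8s`, which deserves a one-line comment (or `Retain`) if anything other than disposable data will use this class. The export is reached at `100.126.243.21` with no `sec=` option, so access control rests on the server's export rules and the network path; it is worth confirming the export is limited to the cluster nodes.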
@@ -0,0 +1,21 @@ +apiVersion: ENC[AES256_GCM,data:JtbVO8dJx3k=,iv:n6WiYmMWkJaHDDs6AHqpOf2XTgn51P5RLm7QGXq/0II=,tag:acoR8HtwZznCQgOTUgM+2g==,type:str] +kind: ENC[AES256_GCM,data:HAV4diOt/z6mpOWkKnPvZhi7/2hJkQ==,iv:Mu4CPHT4kNbxOT/H4XWeT7Plk/eUBGRvNHw9nxWgw3g=,tag:dQyMj081Yc8IhCDD9JdjJw==,type:str] +name: ENC[AES256_GCM,data:7L5d+0wWwbj4,iv:g1eVngZ2oy5oTDtwvsEijn1teWFwtCqrN9/Vxw7Yzmg=,tag:hr/PSHHKu/IFfYsRV0jVJA==,type:str] +environment: + - ENC[AES256_GCM,data:1Ysk3JMsRz1/AG9hL8gqeasn6ZI+aME+ZW2KexCumIpHX2VaA9pLURHp+MVu74y8uZN1osrnIY5xnX/UTK0uyDscHTYQDYHf,iv:rx8cbpaTkcitqO2BITvTeegG26u9RPSlaci8YW8LOLA=,tag:JYFRq0/OappD52gnsIpAYw==,type:str] + - ENC[AES256_GCM,data:fq0Bztl5pIo1PF1Sk+XTw2QJ1BQ1Yxrc2SCBQnbbQRq8jLkYlg==,iv:vviBnVDWnTB7/nJk17JRx0fbU4ko48rtplztDo2rHwc=,tag:072S1LtCfYAK73gxx7hO4g==,type:str] +sops: + age: + - recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA0aisrWVdLd1lMWVVMbGZS + QWdyekxGUHYwRGpCaWh3angySkZ2MXZ0Q3djCllLZ1NwdVdFcTJSVTlHR3VYNGJK + SEZLeXNzd3ZWWGNXUnlCaXBDRmF6VXcKLS0tIG9rTDZYOVdybG52YmI1QUpJMWdu + MmFHRTZEVG9YdVpjSEdmaFhIUWZMWWsKYOrmAJy6+XzkbK2fuW0AyqUlMFW3lZd4 + yg7eTI6idbKe4sDg0NjNH64DRfz/+3kQaj8e2H6Y7VIAz5yqVkI3nw== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-07-16T13:05:20Z" + mac: ENC[AES256_GCM,data:lgFyiUEMxBfA5C/6TMJrq2hSUx0l0IKG2yDHglBqIkqO1YoeOLgbJXq4cPE3B5f+mtx0CDaQh8/C0lcbH7QcfnLv3rqJo5cmRNEdN5RhBrQ2Z9I8fRcnZIOiz2Ze09CHDBCsGWQgfge003z3E5Q73R/+lArjYMY/JRagzosRKKg=,iv:NQ4xWYdmUB8yMGAe337ojA1fLEMbv8pZSY7N1ze9VPY=,tag:r8bRD7a53YhNnM7EOS0IgQ==,type:str] + unencrypted_suffix: _unencrypted + version: 3.10.2 diff --git a/infra/sekibanki/talconfig.yaml b/infra/sekibanki/talconfig.yaml new file mode 100644 index 0000000..090560d --- /dev/null +++ b/infra/sekibanki/talconfig.yaml 
@@ -0,0 +1,61 @@
+---
+clusterName: sekibanki
+talosVersion: v1.10.5
+kubernetesVersion: v1.33.2
+endpoint: https://10.0.0.32:6443
+domain: sekibanki.prettysunflower.moe
+allowSchedulingOnControlPlanes: true
+clusterPodNets:
+ - 10.217.0.0/16
+clusterSvcNets:
+ - 10.218.0.0/16
+patches:
+ - |-
+ - op: add
+ path: /machine/network/kubespan
+ value:
+ enabled: true
+ - op: add
+ path: /machine/features/hostDNS
+ value:
+ forwardKubeDNSToHost: false
+nodes:
+ - hostname: fulgora
+ ipAddress: 10.0.0.32
+ controlPlane: true
+ arch: amd64
+ installDisk: /dev/sda
+ - hostname: gleba
+ ipAddress: 10.0.0.30
+ controlPlane: true
+ arch: amd64
+ installDisk: /dev/sda
+ - hostname: vulcanus
+ ipAddress: 10.0.0.33
+ controlPlane: true
+ arch: amd64
+ installDisk: /dev/sda
+
+controlPlane:
+ extraManifests:
+ - tailscale.patch.yaml
+ schematic:
+ customization:
+ systemExtensions:
+ officialExtensions:
+ - siderolabs/iscsi-tools
+ - siderolabs/qemu-guest-agent
+ - siderolabs/tailscale
+ - siderolabs/util-linux-tools
+
+worker:
+ extraManifests:
+ - tailscale.patch.yaml
+ schematic:
+ customization:
+ systemExtensions:
+ officialExtensions:
+ - siderolabs/iscsi-tools
+ - siderolabs/qemu-guest-agent
+ - siderolabs/tailscale
+ - siderolabs/util-linux-tools
diff --git a/infra/sekibanki/talsecret.sops.yaml b/infra/sekibanki/talsecret.sops.yaml
new file mode 100644
index 0000000..eb18c74
--- /dev/null
+++ b/infra/sekibanki/talsecret.sops.yaml
@@ -0,0 +1,38 @@ +cluster: + id: ENC[AES256_GCM,data:rr2utB+YRIzrYANp5ciqhOVxUFnGNYGQpj9m6yEnWfvrntUR0T/Kr5asJVA=,iv:FVUDSfV/LzvJXreEvJGqovrTdiL4dOCK10osin3qIPI=,tag:Wo399KZasL6Ctj2H/pO1Ig==,type:str] + secret: ENC[AES256_GCM,data:o3FXXu33TX2P9kcgZSprEK2h+zPXU755feDjZVcCYWE1WSwLOi2Xj6KRmbE=,iv:MmsymnXTQrAfW5b898okFp5+kNX2r5wmSo/bi+AgHfs=,tag:HcXvTxWAm9vBcLi736ofZw==,type:str] +secrets: + bootstraptoken: ENC[AES256_GCM,data:mpdEeM6ioq4QQv2dHP2lnyAjuozTG4w=,iv:wXpKhDwMAyxZ9ekKB7q9BKU2nIPUgd5ksUa3jXNpeOw=,tag:uuIAvNGbf8GDjdUjMk1kWQ==,type:str] + secretboxencryptionsecret: ENC[AES256_GCM,data:/kVdfshNR8QYhfWPdp9Hipxdz7TdSj0O3ZjJ5zaRpSA9RgAEnWCEYeAzUoY=,iv:o3tCI/cr9Ej7Vd7GprKOFDP2Of2UTBzLEvWOiY9euao=,tag:nv/0wyqr1l7C7/O2kiMoLA==,type:str] +trustdinfo: + token: ENC[AES256_GCM,data:MemoMjZYNZZ+X/QasSd5n1fPQekfDRw=,iv:VJyd+niqezZ3j3hQDKcQAaE4kCKFnGozKJ1vRbURxnw=,tag:Da8lIYIHY0npsbed4L76gQ==,type:str] +certs: + etcd: + crt: ENC[AES256_GCM,data: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,iv:YTtcHh+H6ow0gRZDKCcC2LtOooYaiiflJjChtpU8d24=,tag:lUltkENRBwxLrfb5PNqyJw==,type:str] + key: ENC[AES256_GCM,data:tg/V+cJLgS29vUwdINZkjzkImCvHm0DaLOlZsBUXc4rWqVlaOtsStJo9mWFBXDsj9lEh8DMomTjHLNQrf/4kjsWkYDnUy1mOFfE9+KhvYAxsRWombMWUYS9nIKWWz1HYMFMuQOID6nnjiNONa8d/5KpQTUwVv5yFxziXaE1UbS2pUIQmGeuFPjTB/rTjuuG+XPjTRm8q+m90qPjPAsvGHf0QXWspYfYmEroEy53BiYXw/mugbaf/wQGROu6pkb8m6BJjIEi6+cNp2zAvcs9QV71i/03XI3TIRz1OiuBuhtvNK0g9g3OdWVKZU643UToQ4SdRuZhKYK5jfTFiH7ALOthjWAcfk9lJp9TXZyW+ocUoRMkDAUIn+4dHQJIbB6ruehUQFS28jvJCg+XHPPHWHQ==,iv:JfmoxCFV19QY+L483nypYoFHBWKjiI8XpUauLFRFmcE=,tag:yrh+v8CywggUzLriDuTz5A==,type:str] + k8s: + crt: ENC[AES256_GCM,data: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,iv:Xw6co//Bf5ZIGI/fweJDO+winUf8Jn+ZRaxzlLgKjyI=,tag:Q4rSX8641dV1YCC9Aw9EtA==,type:str] + key: 
ENC[AES256_GCM,data:tvlFFgElyt1pN437ejzS5joWQ3YDs6U49cQXG5cT48BIqzmR8MaQ6mECUZKt9uiTxzyWKcKCPPmYuAMx/RbcV2qFBS/2ackCfxTq9lyALEUJ6FZsy8hhttvP2HSO3uJeEZWNcd8/XTL7bBXBAwPoKylHiqXLTxHRjjSxUo8+UKcCeRqYE8P48BVzIbVl3zezPi71DYBUXFg124En94G7c5SbrlZrC+vAgNuEEXWtlJLuYYerT/X46qJ1I3BphozXnDyjqWelyrddI/wFCnvQk+CfLUbTKaUkg4sB+6/Y9uft1SpcB9zI8Dbc9nd7xhlBSBtHbZzgyQ7+raJDm1961LjWejDPLlAW0rkFMl6XFf0oSabayH/DCa7sGHvojICxg7ETL6QyEJfPRpNcKn/cyQ==,iv:I1aTjis6dKpevUX+/A55TOdTfK8uVFa3Qb4G9pGP7QE=,tag:ifLYLV7Fr/5vXsmLXV5fqg==,type:str] + k8saggregator: + crt: ENC[AES256_GCM,data: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,iv:yZAWmAGirlbczjpKDplgnHhPEw0C1eHjOucfdz0DBvo=,tag:COLA/759Uj1cgub7dFveYA==,type:str] + key: ENC[AES256_GCM,data:n6JcPxXe2QeBelJRAZohXI+HqPvUlkV7pcxteh+S+DXm8i1ONztmUtqO4xufM3CKdLyRDHBrSZFu0r4pttKbwWocGx+Ad9hN+r4aRBYrR2ETDYDDV8ehyFvofsqwUb5eajaTfBZFN8MMQbkHmrf9fqqZA4k4fwCNCKiT9D/zW9NYxCzZFncMNIVMIGmR+RVQWdBXmvkQCuLX66Z703NgorwxUm1ZWymAhYYx2lI4BjmzBzjflKMbsBr4H4NTL7iDf1TWtKBId/o/5+mw1SRqnQII8R21SaWCUcnA7kGmSuvAV66j9HkkN0Wo9a2Q5erZ/HAGzR/JkUxUHjFssxsCsZ09s4dbLYXLrDwqLmId9MFtxSZ/eyuAlundDISag+S551ECfVs8DXpbG0zpyQpj5g==,iv:JMvKFOmNND6q+MIcaeRI/hc3tHimyfNEbfm3q2X5kGM=,tag:FzP6KYyRdgDeF2SXCc8CPw==,type:str] + k8sserviceaccount: + key: ENC[AES256_GCM,data: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,iv:++Y7UD6JGh10WoJWfACpu7WB7cjlepJA88fV0Yo/zqk=,tag:noujCeQZ8AIswnUn9zFxfA==,type:str] + os: + crt: ENC[AES256_GCM,data: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,iv:td8VR8so0+xCo2mvdCkSiZg0RRxpgjhpDbBrxWTQRfk=,tag:cl9LFqGCO4OMhZ2r6Cljaw==,type:str] + key: ENC[AES256_GCM,data:PPXDB6tD8YcwGskF3/oygwlrJFcjZXDXrP7ncD9nR7r7xrEpsT3H/WFwzJCZtj9+kcblwkUhUSIN1RUq3lP4ezfnq9BXeGThCVnGO7lrOXqq4w/bHpbcML9vO1OGPoJPu9IoiMBRuZ17LNv0TU6gT+p5D7drAb4hzwzgILckfpisqhnSBre0Rs6UiuVf59fWiOdW+xvnGaRj3rq+gFJ15ICTDA45WHK1uUs6UtnRVQVp/Wz7,iv:9KxIUl6Vk18r/zEevrJRHM2z12/SHdQeHC9SBLy+tOo=,tag:7tvzgoPuGoBjR5kjAvDSww==,type:str] +sops: + age: + - recipient: 
age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw + enc: | + -----BEGIN AGE ENCRYPTED FILE----- + YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBxWTBNbkRLUmhjd3dtbW1X + QnpDQ21tekF4MnlnYmlQdmFQUStzbVRGWlJnClYwUmpUMkxvTDdZRTBiMFE4OCt5 + cDh1OXJQOE8zOUxYUGhjZTNHUHFvb1EKLS0tIFRhenBHNDJhejA5N0JkdWc2a3Jq + dmFXZGZtUlp6QVJSNEZ0LzJ2TTBNTm8KFec68A7jARAdrtwEUGJ4p6WhnCA9EVbe + UFsPsRgUm4ldYw3XpUnVQLf0H9oAS7oFLovM7UBwdK8C2YHCCiQwPQ== + -----END AGE ENCRYPTED FILE----- + lastmodified: "2025-07-16T13:05:00Z" + mac: ENC[AES256_GCM,data:Tyf1UTIN8XiDJO0q9u5Wl9T8n6Afbn0fPASFcA1WHIZVTrkaeF3/fHzRRKsdFEGT9vAEzI+ZVMoS81gIu3QDdFUsvf/VzDTw0eS6SeSNN35CfhCqZYknVUEnfa1aLQNIpzE9sXPZ9gyrQhf64521TPPHlSioRXmUBofXLK7Lkrc=,iv:1P6L4cU/a0Pn5it+1FoRSgfOHRdUKt9V39QIbnwMTfw=,tag:6MLctEqnH5olXSpKCdJY2g==,type:str] + unencrypted_suffix: _unencrypted + version: 3.10.2 diff --git a/infra/sekibanki/test_nfs.yaml b/infra/sekibanki/test_nfs.yaml new file mode 100644 index 0000000..298ab41 --- /dev/null +++ b/infra/sekibanki/test_nfs.yaml @@ -0,0 +1,13 @@ +--- +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: pvc-nfs-dynamic + namespace: default +spec: + accessModes: + - ReadWriteMany + resources: + requests: + storage: 10Gi + storageClassName: nfs-csi \ No newline at end of file diff --git a/infra/tailscale.patch.sops.yaml b/infra/tailscale.patch.sops.yaml deleted file mode 100644 index 6505be5..0000000 --- a/infra/tailscale.patch.sops.yaml +++ /dev/null 
@@ -1,21 +0,0 @@ -apiVersion: ENC[AES256_GCM,data:ah3WtiHrAcg=,iv:uYIKkCkdmwwaggRo55d5u0CYKXZZ1SGt54sdJpfcrZY=,tag:Kd9T+MGR7/jeXc9jf0eGcQ==,type:str] -kind: ENC[AES256_GCM,data:7c7dbqKfqFY/kvcanIMiiSemkik1pw==,iv:RO9GFhFH53ysNZy3KAxS80SyXmMJsU0piOwLrciPjoo=,tag:RPxSMv6gFurgPGRAf31RjQ==,type:str] -name: ENC[AES256_GCM,data:3y37jr57H28J,iv:ApWTMC82qfjCu6wmoTYpWHhodRtQrABpl9S5yMDBvT8=,tag:lIbtTOuMH6IQ9n/y2K8E5g==,type:str] -environment: - - ENC[AES256_GCM,data:gFTe0n7FZ5SxOS4zFq3cU1ZWeFhQ/MZpQlxXo0XMsbsT1KDpVHJcOGwpX7iKb7OLfBfusfgDOBm2OyDorpJRft76Bur6N4ra,iv:j2zvvWpzRZ7PQmlIMA1aJA1zSWkELHcc0k/rVano42A=,tag:wC8VcxC3BmyU+Na5TUeqEw==,type:str] - - ENC[AES256_GCM,data:rXQnctDqQ1pAyQkMmoagpWyzNwvJ5gi7+GkNRsSbH1yCImHf,iv:aU1DDR7i/uW7KBvaZgaR3cge/DkywKibaidWm3eevCI=,tag:Zc2r0cL76DIu7N27KMN7Zg==,type:str] -sops: - age: - - recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBlelhjZjR5cGE0OTdVY044 - Z2h0VWwxNzBYdHNFbnRHNzRpVnducE1JdUdJCmdnRzlySVdBeUNjc2swbzBRL2g1 - dHhqQU02d1VZajBVcVE0K21UaWUyVnMKLS0tIE8xUFFweTFaY2x2ekVQTUNtSExP - V0Q0UkJNdHd4QWg5VzI2aXlEWU1jSTAKap0c3sraAXRKXFiKm+na07wNF1WB4670 - 1qfTyDBYGO/O8UL99FlmvKllRFSF6LjQPG9EOdP58g/r1kftI04ubA== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-05-29T22:50:57Z" - mac: ENC[AES256_GCM,data:Ym0eCUDUPXPi5uK9GuAD8zB+TUlGPo8ByDx7YmJHQTD6nCsfsWcXHYXXr4Rrmk5K5DBhyslhUKZnJXtj00ObyaNOo8umopPn+Y/AFSyI0drdj2ZjwlB9ocSIfLAGubggJsJ8JMPKz609vT3hGHGPKO0d3DzFRM2NJLNEb6VH2CY=,iv:1i0zZi2WdEl3U9zbVadbTw5smIFAzSavWveXlq/qZ/Q=,tag:0yimyUW8A7KczPS8hipsGw==,type:str] - unencrypted_suffix: _unencrypted - version: 3.10.2 diff --git a/infra/talsecret.sops.yaml b/infra/talsecret.sops.yaml deleted file mode 100644 index c5cc523..0000000 --- a/infra/talsecret.sops.yaml +++ /dev/null 
@@ -1,38 +0,0 @@ -cluster: - id: ENC[AES256_GCM,data:ru7IlZsHavKUhpsWPf6il18aRJScAmxJg/cyY4qKSXTaFR/+aVT991gMqF0=,iv:qDQGwSoUBKj36bD7IPXBnW4UO/HIFtW4ANkgT/IugH8=,tag:I7bjT/XyP1yVljLoiweKvg==,type:str] - secret: ENC[AES256_GCM,data:nLajhyzbOu+QkjkSy9kueGL4w66qVfX0B0kbidaycm501y565OCBYuDEPL4=,iv:WJypiyJZLk2TIVueKCZxsgrUoPEWTI4JUfwgI1tlX2M=,tag:MlkR/z727XJOIup7pRTxqQ==,type:str] -secrets: - bootstraptoken: ENC[AES256_GCM,data:Y1G9g9PojkMhPJbTG1UzeDHgb9QTFQs=,iv:z11O1NGbPLQ7Ud3WJK3KwaGfXvUx8Jc8kkx5p1Q9q0I=,tag:k5DimznRv8ECXL7ELasOlg==,type:str] - secretboxencryptionsecret: ENC[AES256_GCM,data:MGS+FwnexfGSIbzdbvV0YCq6phnRr/r0/j6qxsz2pUo/HgDfSEvc5xDr+yI=,iv:kg6+bKPVHiyh0Ri8tDhyl6e/lo3MBW1lljFYS7+7Sf0=,tag:W6jnqxljFezFjJMYNmRFIg==,type:str] -trustdinfo: - token: ENC[AES256_GCM,data:3Vo0nE8OveQdsuQDOzA4YVJzCWCTsRs=,iv:7tv16Frwx2jqwz6nXv7iAX9IpAO+GnIk/nQ8bExHmbY=,tag:edANtYhueV/23KOQ/f8A4g==,type:str] -certs: - etcd: - crt: ENC[AES256_GCM,data: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,iv:7YXoxHOvffV0nUFOvvH2+4v2aslupgXpmThGTVTZzUI=,tag:y5k3I1kcLDV3k4dfm1ypCg==,type:str] - key: ENC[AES256_GCM,data:ioHaiIPq9VNBQm6Q+NJz3r5mRgowaKbpn5O9+430SefQlfhOaFVcuvhhLHJyIyPnpIXzDRZ10vsJoHaFLiE5C9WbBiu8yrlg6sv0fYh/h1yU3VqBLKDY1SM+MjmR6FEbHuv3KL7BTcP7aEzM0k2hOhXTLsGzizotnu3xP2ZyX2TU4r+UrC5QoYjQZF0A/aTn9LExehKl6m2nlzU1yKbSplv2NHKYvZoezS9/p31JKbVYmRcuHQ9HscSiig2bHRJMrX8n0fgxBYi/cJt4jVBRemA6xh4y4Xkj1RtIOfP7xZi5o53oUS67k4YPraHnSy9mhKd2bMkrgOcEicAOdxP5IPmXhhzIfbCSgUwh78LzOjy+f2q8jFpKjeBMetZKffY//i0JBC+Z3HkdjbSzhaf0Tg==,iv:e4kAbeQjyvwZivAiXRmnX9QQXcRtVhjHeAyGgQdiiRo=,tag:C6GTYLG4y7oeHxgEytbhfg==,type:str] - k8s: - crt: 
ENC[AES256_GCM,data:0WJOP9M9I2Jsn8n3JQ/TIsFzDqwXEyQywZKNX8WxKQOyZz5nFat9WP/qKL6O4VdQ9AGg3TxFkYBDgco3UlwvYybKMtqOo8KR2yDXSHTWTJOtycHos+kgg8oQ5111W7G3zDrIV3eELXaVkVJsJ6erJ1mRHLqrFt5b98uXOA1WD6rT/EnKOg5QEw2Fv5wyqV3m9F0Ym6GNT2fdlKcoAWQIczeOsmaNu8ERFrE57F8zitFzZ0EA4v/XlWuuc9O0Kez0Gt64JPU8kF2RVHpOcu5eHabNE/wvgk8/OjOi1j6YV1MvyGVqmZnXsoJSeJ9JNZcHUhSUh5K3ODRSeoxb5ZnXCazOpmNaloEqeSRgHmOQBCgTELrFA4BW9k+kwcSPF7yxRz2G3GZc74fPZD/zEs6TPlyfhTACaxmpwVqTJuFg9pJ23E9D4AZHK5v0uMaXeIcXScw0hHIzqBf9pbxloAiR3W+d93knGt0dqk1wNnXe9nZpbgBRVapk6on9PZ09XT/B1oEQHncMKHDE4CbicYmcagx8ttuPK5qSbMdvgpRD2IJgPt3nrcu27C6s1oR4Mfq1EMu5SPDAjen9G+8vtq0aMfslFIq463nPVIz59BN/1oMPjNSJ5MkhIie5BMYS2ngyikfoGS/7JyGk6H7ygVIN+/mlT+NYhyBIXWSy823JdGcChOAm5H/PICQ5kEugsWp9S2+DVuCOqYEZ2Nnhdx8gr487itPYSxxItKS1glHyNJC+ODFODwATYECci49GSdqtZRP4HrKZ7GrhKZtViEA0jT6Iftwb90pRCN+B71SMomygHv7EiwWhF2E9iuOeva4hHyxOjTDFkArICq8nv/d/iFN1vpVWU8Htas9FpG+d+KcXppkrBJOCqOgo57B8UuKMHZd+pGiwYElL5nMNqByaV7J1e9PpbTI63qwk0EwUz1gXGPt43AF/afwuYTe6kawV3nah1ijPgjuiyO0Mba2ekV1bDnJ+8ogs8aQpZRvBOA+tDBmjtaQkweRRLGaa60nupprpdTGR7CknQxtkM6YaGChgBWfy1xcH58wSRw==,iv:5XZsuLqeN9ijCoWCXMR0oIIZddpPD/H68yhGjIg1umU=,tag:StQoHfsPWzp8bz3Qq4xWAA==,type:str] - key: ENC[AES256_GCM,data:ZQpqRVz9HqVLxJoaa+TBOT2kF/zbQkXNyK4t8MJZ5u+Q7/WboHdOZQki6nD9GyAbxjFlhGAZn0q7EV1uRYgtyqMyPTeD2Jsc21YAvPi+o+4JJ019c8Ztme6jYIh8cRfXX/PO/zVVTSYDxETqIOrurDjT2sgHfiaf6IXogkTHmbiBChfvfQaxdR63/NuVOMUjOif2X3EouGTJpdzQP5Mrf95neYwS1vtUE6eYMsaP1f4RgxZTQcoRD25t8ezfT6HaLuNGF9rAcoMdB89pL2SBYBDSly6tT8SV12GNeYMOqosA2sTJmsVyeAOhb9rfNhseKLw7vslQ304Q4CcpZXGabBpf+/1g2uHoORs2MvdDKCFm47wmWxAkC8FTRx+vgSoUfRa7cqxzCMYRYbG7Go94Sw==,iv:5Z7HOTdfyJiLjvuxLY7E3OhFVN8efj89/fn1Hn7B8pA=,tag:fFHPEphc2+5VYyW2EIJV7w==,type:str] - k8saggregator: - crt: ENC[AES256_GCM,data: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,iv:GZPC9AvPxjxB8w/U5OTDScrcp2VefKf3IAYHNto/BSY=,tag:A4KJnWew2G3GxmIEE3PGeQ==,type:str] - key: 
ENC[AES256_GCM,data:zaU6Q7WFB1XFlfVqLWANzphAiEB3YoVN3oUV8a0F4updQl+vXR4dGS2VRGq2lKSUiwT3XhyhRmJB7a8Su4MB5BpttoXAZ7wK0UgNFmroUqIhzVQABcwL13toJpvJuPA4/5E+W9jtXQlLryZZvp3aXgRhLQd8sRDawNWQFpf0b1uF5LEkfIYI7AXSCeLx1GhR+sBzxYvES+ah+W3FLtxgpNo52eMaPGyUjXqDugZY6xmWqERvHRwDBq34OAgU7rnNge96+VkVh59kT3KTtalYfAKyvBJFL2QB6/dXmQGyH8IP4NIwT4eCSZ1r+loZl73vaDwMMWFUczN+RYcziOPIf7pFu672XBj5aKgeAd8DyTwCUIv1hUrT0DaSvIVBeZtfHwjaDmUqKM1UvTB1pE7YTQ==,iv:ItAxNRkEjWlD7zXTBca/jEL18V+T8iGpa5/ae78KLws=,tag:vRp+RARdR1mczjSI5JsLaQ==,type:str] - k8sserviceaccount: - key: ENC[AES256_GCM,data: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,iv:kbs5FdLFBXgTWFu97xnrvW5bZFTWlaoZu+433HTIjXY=,tag:4Z1/EbWRFizJj2hyKk0v0w==,type:str] - os: - crt: ENC[AES256_GCM,data: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,iv:UBoFFCWRTsWUcqTODvgky7qitOcZlJD10SuuyGJQOiU=,tag:jaIt8kKdH8LiRaFztTsWbA==,type:str] - key: ENC[AES256_GCM,data:zTKIGgtynJZxP61tQRA9V+ClkoJKHysWCiMB4JlnhDvsgDVTMHqJ9Euj7m0G9xwuh+jSzQvz5xSRPDZu39n98FoDLCjmM83FvhPqP+bfQVMo5cMujkLLa7IuIl0cdRXdbweZD9gU+9KrD3Np/whAfnqynCH+pEzP2ISG56IUBpITstjt4XtzkNP9HsWDcIwLDWS3vn4x9ui2GJhWY0ZMkJRcLRMGpiqXxL1VxTfsz6UeHq7Z,iv:KOr3YpSlWR2YltO9Ph6VpxzwivLQIR+CGIsN0yTkQUg=,tag:D5KHEsH34jfjOWd8BRwJKg==,type:str] -sops: - age: - - recipient: age1r0tjhg6uexyj0p7fp0ftv5h7r7e3ptzkk2797pznfvrvsm576u0s37yyaw - enc: | - -----BEGIN AGE ENCRYPTED FILE----- - YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzNDhqOHJtNHA0YzJqem5x - SEJaZGtNanNEQ1h3S1lyQnVvTnYrc2RKTkdnClgwN1NOU2Nqam9GY2swZDdxa1V5 - V2ZpNWYrUXJNcUsrblJyWkdNcWhWUGMKLS0tIE5abHZWeURicjZUWkhyM084dmNz - ZVNyYnc0N1hrWERBMmVBd09TdE1qcEkK/qIVrg2rqb4cISqzB41gOVKt4eM1faMY - H42hl7edFN5jgD3Wj/TJsapgNkttZ3CxNK2HvLSPw5CGBJEFdaOR6w== - -----END AGE ENCRYPTED FILE----- - lastmodified: "2025-06-29T00:48:56Z" - mac: 
ENC[AES256_GCM,data:uaikHfoklOF2MBkfNchcGpui2bQCN0O80qz7MjhXnycu9bVKnnIK4WQb42qzYtragXtzo3wR4d1pUUfL90FXVQdNAg1mZkRyO6zV9AxAZEykwoWEp8R1YWmSoJ3jNUOBU28TVVRJttFt2hNBd1YBsKytR8vANlRfLLAtYK1Fnng=,iv:4ecpqtiyItuAfEHOUgzdXiWlEF3QsWbe4iJyaJe7ztY=,tag:J2sMNFc5NF9GnzzbSH9jmA==,type:str] - unencrypted_suffix: _unencrypted - version: 3.10.2 diff --git a/infra/tigrisfs.yaml b/infra/tigrisfs.yaml new file mode 100644 index 0000000..b722916 --- /dev/null +++ b/infra/tigrisfs.yaml @@ -0,0 +1,29 @@ +apiVersion: v1 +kind: Secret +metadata: + name: tigris-s3-secret + namespace: kube-system +stringData: + accessKeyID: tid_GsNqXtWmklNUqliOVxEukmEFmBLoIaxNvDIlQHDXmKqNghvKwv + secretAccessKey: tsec_A-r53r0ktXNrW-vKqZjSlgX1JboZzGv6zzYrjcb3ySn+BjnNV3dffm05WSLYcG+Zo2c+OC + endpoint: https://t3.storage.dev +--- +kind: StorageClass +apiVersion: storage.k8s.io/v1 +metadata: + name: tigris +provisioner: ca.gmem.s3.csi +parameters: + mounter: tigrisfs + # you can set mount options here, for example limit memory cache size (recommended) + options: "--memory-limit 1000 --dir-mode 0777 --file-mode 0666" + # to use an existing bucket, specify it here: + #bucket: some-existing-bucket + csi.storage.k8s.io/provisioner-secret-name: tigris-s3-secret + csi.storage.k8s.io/provisioner-secret-namespace: kube-system + csi.storage.k8s.io/controller-publish-secret-name: tigris-s3-secret + csi.storage.k8s.io/controller-publish-secret-namespace: kube-system + csi.storage.k8s.io/node-stage-secret-name: tigris-s3-secret + csi.storage.k8s.io/node-stage-secret-namespace: kube-system + csi.storage.k8s.io/node-publish-secret-name: tigris-s3-secret + csi.storage.k8s.io/node-publish-secret-namespace: kube-system \ No newline at end of file
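Review bot: `stringData.accessKeyID` and `stringData.secretAccessKey` in the new `infra/tigrisfs.yaml` are committed in cleartext, unlike the other secrets in this commit, which are SOPS-encrypted in `*.sops.yaml` files. Treat the key pair as exposed: revoke it at the provider and issue a new one, since deleting the lines later does not remove them from history. Store the replacement the way `infra/seija/csi/secrets.sops.yaml` does (a `tigrisfs.sops.yaml` encrypted with `encrypted_regex: ^(data|stringData)$`) and keep the decrypted copy out of the tree via `.gitignore`. Separately, `--dir-mode 0777 --file-mode 0666` makes every mounted object world-writable inside the pods; tighter modes such as `0750`/`0640` are safer unless several UIDs must write.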