diff --git a/k8s/argo-apps/factorio.yaml b/k8s/argo-apps/factorio.yaml deleted file mode 100644 index cd2d97d..0000000 --- a/k8s/argo-apps/factorio.yaml +++ /dev/null @@ -1,45 +0,0 @@ ---- -apiVersion: argoproj.io/v1alpha1 -kind: Application -metadata: - name: factorio - namespace: argocd -spec: - destination: - name: '' - namespace: apps-fuku - server: https://kubernetes.default.svc - sources: - - chart: factorio-server-charts - repoURL: https://sqljames.github.io/factorio-server-charts/ - targetRevision: 2.5.* - helm: - valuesObject: - rcon: - passwordSecret: secrets-factorio - nodeSelector: - kubernetes.io/hostname: agent1 - image: - tag: latest - factorioServer: - save_name: fukurokuju-space - admin_list: - - Phireh - account: - accountSecret: secrets-factorio - server_settings: - name: factorio-fukurokuju - visibility: - public: false - require_user_verification: false - persistence: - storageClassName: truenas-nfs-csi - serverPassword: - passwordSecret: secrets-factorio - - - repoURL: https://git.roboces.dev/catalin/fukuops.git - path: k8s/services/factorio - targetRevision: main - project: fuku - syncPolicy: - automated: {} diff --git a/k8s/argo-apps/pulse.yaml b/k8s/argo-apps/pulse.yaml new file mode 100644 index 0000000..7873917 --- /dev/null +++ b/k8s/argo-apps/pulse.yaml @@ -0,0 +1,43 @@ +--- +apiVersion: argoproj.io/v1alpha1 +kind: Application +metadata: + name: pulse + namespace: argocd +spec: + destination: + name: '' + namespace: apps-fuku + server: https://kubernetes.default.svc + project: fuku + syncPolicy: + automated: {} + sources: + - repoURL: https://rcourtman.github.io/Pulse + chart: pulse + targetRevision: v5.0.* + helm: + valuesObject: + persistence: + enabled: true + size: 10Gi + storageClass: truenas-nfs-csi + accessModes: + - ReadWriteMany + service: + type: LoadBalancer + ingress: + enabled: true + hosts: + - host: pulse.fukurokuju.dev + paths: + - path: / + pathType: Prefix + tls: [] + monitoring: + serviceMonitor: + enabled: true + + - path: k8s/services/pulse + repoURL: https://git.roboces.dev/catalin/fukuops.git + targetRevision: main diff --git a/k8s/services/argo/project-fuku.yaml b/k8s/services/argo/project-fuku.yaml index 43e602a..ead0d89 100644 --- a/k8s/services/argo/project-fuku.yaml +++ b/k8s/services/argo/project-fuku.yaml @@ -32,3 +32,4 @@ spec: - registry-1.docker.io/cloudpirates - https://vmware-tanzu.github.io/helm-charts/ - https://helm.runix.net + - https://rcourtman.github.io/Pulse diff --git a/k8s/services/pulse/ds.yaml b/k8s/services/pulse/ds.yaml new file mode 100644 index 0000000..26516fa --- /dev/null +++ b/k8s/services/pulse/ds.yaml @@ -0,0 +1,105 @@ +--- +apiVersion: v1 +kind: ServiceAccount +metadata: + name: pulse-agent + namespace: apps-fuku +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRole +metadata: + name: pulse-agent-read +rules: + - apiGroups: [""] + resources: ["nodes", "pods"] + verbs: ["get", "list", "watch"] + - apiGroups: ["apps"] + resources: ["deployments"] + verbs: ["get", "list", "watch"] +--- +apiVersion: rbac.authorization.k8s.io/v1 +kind: ClusterRoleBinding +metadata: + name: pulse-agent-read +subjects: + - kind: ServiceAccount + name: pulse-agent + namespace: apps-fuku +roleRef: + kind: ClusterRole + name: pulse-agent-read + apiGroup: rbac.authorization.k8s.io +--- +apiVersion: apps/v1 +kind: DaemonSet +metadata: + name: pulse-agent + namespace: apps-fuku +spec: + selector: + matchLabels: + app: pulse-agent + template: + metadata: + labels: + app: pulse-agent + spec: + serviceAccountName: pulse-agent + containers: + - name: pulse-agent + image: rcourtman/pulse:v5.0.17 + command: ["/opt/pulse/bin/pulse-agent-linux-amd64"] + args: + - --enable-kubernetes + env: + - name: PULSE_URL + value: "https://pulse.fukurokuju.dev" + - name: PULSE_TOKEN + valueFrom: + secretKeyRef: + name: pulse-agent-secrets + key: PULSE_TOKEN + - name: PULSE_AGENT_ID + value: "k8s-cluster" + - name: PULSE_ENABLE_HOST + value: "true" + - name: HOST_PROC + value: "/host/proc" + - name: HOST_SYS + value: "/host/sys" + - name: HOST_ETC + value: "/host/etc" + - name: PULSE_KUBE_INCLUDE_ALL_PODS + value: "true" + - name: PULSE_KUBE_INCLUDE_ALL_DEPLOYMENTS + value: "true" + securityContext: + privileged: true + resources: + requests: + cpu: 50m + memory: 128Mi + limits: + memory: 512Mi + volumeMounts: + - name: host-proc + mountPath: /host/proc + readOnly: true + - name: host-sys + mountPath: /host/sys + readOnly: true + - name: host-root + mountPath: /host/root + readOnly: true + volumes: + - name: host-proc + hostPath: + path: /proc + - name: host-sys + hostPath: + path: /sys + - name: host-root + hostPath: + path: / + tolerations: + - operator: Exists diff --git a/k8s/services/pulse/sealedsecrets.yaml b/k8s/services/pulse/sealedsecrets.yaml new file mode 100644 index 0000000..0cade5d --- /dev/null +++ b/k8s/services/pulse/sealedsecrets.yaml @@ -0,0 +1,17 @@ +# yamllint disable rule:line-length +--- +apiVersion: bitnami.com/v1alpha1 +kind: SealedSecret +metadata: + creationTimestamp: null + name: pulse-agent-secrets + namespace: apps-fuku +spec: + encryptedData: + PULSE_TOKEN: AgBBxrJ80IpJ0RvYKQuN6p3G8vIdSL9nESO9OTAR0NiMjSGZNbNEELKE/a1f2ixQUSsNc/k31c+7GlAi+8PmNC4c7rmRJTe+z3uO/BNNLYeTi7DsEk9/oJZTWn7iOcLogiZJQKxbGozCp/S8zrWisH67N2ZHmzz5UEJAzq57+fBEyAk22/WR0QMfW3oOYHGZFNR5AdAxrdfyRwTvSEOz4R2YlrQKRtOFVIPG/aEaAn42AGYfrq2cLVEiCygjE+8nZQ62TMmQqMiwiCjk5do9uRhhiRimuD78FrNnFU5dSwe/11ji5sSrEPjszPB8O0TBbsCssxfz48cKRm/6IdI9B5pKHYob68Ed8u5UgpRU/ZhUWJLyXuZF/Tgw+WcIsVkQXb3eqQTARBeZueugnA23lnzxh5gjR17wjPw7ePYaLiUWTYikOK5HvgpJyiuB0ev2cjGSqYeeAAn5ewCGM/NODXUAlFdC+N9S7ft1+chJrHoaXgHy8J9LWm/maKW99+yT08a68RvGGoZtFPZNlFjzurNF6EY9SLUFf0RLzShkyq6uuOzLm8gENyDIQ+Ru7wWEwyEcUz4ceAR5I78k0gCIDR1o4Ti22asdbRjMptZdOTbep+PWmu2K1oUvxXtXwgKkn8pvTkJpcdejqehnYPWfRAI3Guxi7LQDf++yShKS1NdXMdjhtFoNLa03xHM/G94sF3/mnJwivNhur1V7iC1yCY5NlruPr4KCd5AgOnKqoreRRvRbCVlFO1mtP6XV4sjqEIhmZyXWFJ76bwAC+hxSlFzL + template: + metadata: + creationTimestamp: null + name: pulse-agent-secrets + namespace: apps-fuku + type: Opaque diff --git a/tofu/adguard/main.tf b/tofu/adguard/main.tf index e419eee..894cfea 100644 --- a/tofu/adguard/main.tf +++ b/tofu/adguard/main.tf @@ -85,8 +85,12 @@ resource "adguard_rewrite" "master2" { answer = "192.168.1.32" } - resource "adguard_rewrite" "k3m3" { domain = "k3m3.fuku" answer = "192.168.1.43" } + +resource "adguard_rewrite" "pulse" { + answer = "pulse.fukurokuju.dev" + domain = "192.168.1.12" +} diff --git a/tofu/authentik/main.tf b/tofu/authentik/main.tf index 7979f79..6151382 100644 --- a/tofu/authentik/main.tf +++ b/tofu/authentik/main.tf @@ -260,3 +260,15 @@ module "jellyseerr" { app_description = "Solicita series, animes y pelis para ser añadidas automáticamente a Jellyfin" app_access_group_id = authentik_group.arrs.id } + +module "pulse" { + source = "../modules/authentik-oidc" + app_name = "Pulse" + app_slug = "pulse" + app_url = "https://pulse.fukurokuju.dev" + client_id = var.pulse_client_id + client_secret = var.pulse_client_secret + app_icon = "https://pulse.fukurokuju.dev/logo.svg" + redirect_uris = [{ matching_mode = "strict", url = "https://pulse.fukurokuju.dev/api/oidc/callback" }] + app_access_group_id = authentik_group.admins.id +} diff --git a/tofu/authentik/sample.env b/tofu/authentik/sample.env index d7e4361..31a7461 100644 --- a/tofu/authentik/sample.env +++ b/tofu/authentik/sample.env @@ -16,3 +16,5 @@ TF_VAR_tandoor_client_id= TF_VAR_tandoor_client_secret= TF_VAR_ganymede_client_id= TF_VAR_ganymede_client_secret= +TF_VAR_pulse_client_id= +TF_VAR_pulse_client_secret= diff --git a/tofu/authentik/vars.tf b/tofu/authentik/vars.tf index f85bfe7..f0e5dc2 100644 --- a/tofu/authentik/vars.tf +++ b/tofu/authentik/vars.tf @@ -78,3 +78,13 @@ variable "ganymede_client_secret" { description = "Ganymede client secret" type = string } + +variable "pulse_client_id" { + description = "Pulse client ID" + type = string +} + +variable "pulse_client_secret" { + description = "Pulse client secret" + type = string +}