catalin/fukuops
1
0
Fork 1
Code Issues Pull requests 2 Releases Packages 1 Activity

wip

Browse source
This commit is contained in:
cătălin 2026-04-08 20:09:04 +02:00
commit 2963cc68c9
No known key found for this signature in database
15 changed files with 189 additions and 189 deletions
Download patch file Download diff file Expand all files Collapse all files

40
.forgejo/workflows/ci.yaml
View file

@ -1,40 +0,0 @@
---
name: checks
on: # yamllint disable-line rule:truthy
- 'push'
jobs:
pre-commit:
runs-on: ubuntu-22.04
steps:
- uses: https://code.forgejo.org/actions/checkout@v6
- uses: https://code.forgejo.org/actions/setup-python@v6
with:
python-version: '3.10'
- uses: opentofu/setup-opentofu@v2
with:
tofu_version: 1.7.0
- uses: pre-commit/action@v3.0.1
k8s:
runs-on: ubuntu-22.04
steps:
- uses: https://code.forgejo.org/actions/checkout@v6
- name: Set up Kubeconform
uses: bmuschko/setup-kubeconform@v1
- name: Validate manifests
run: make lint--kubeconform
tflint:
runs-on: ubuntu-22.04
steps:
- uses: https://code.forgejo.org/actions/checkout@v6
- uses: terraform-linters/setup-tflint@v6
name: Setup TFLint
with:
tflint_version: v0.50.3
- name: Run TFLint
run: make lint--tflint

55
.forgejo/workflows/deploy-tofu.yaml
View file

@ -1,55 +0,0 @@
---
name: OpenTofu deployments
on: # yamllint disable-line rule:truthy
push:
branches:
- 'main'
jobs:
authentik:
runs-on: ubuntu-22.04
steps:
- uses: https://code.forgejo.org/actions/checkout@v6
- uses: opentofu/setup-opentofu@v2
with:
tofu_version: 1.8.1
- name: Deploy
env:
AUTHENTIK_URL: ${{ secrets.AUTHENTIK_URL }}
AUTHENTIK_TOKEN: ${{ secrets.AUTHENTIK_TOKEN }}
TF_VAR_firezone_client_id: ${{ secrets.TF_VAR_firezone_client_id }}
TF_VAR_firezone_client_secret: ${{ secrets.TF_VAR_firezone_client_secret }}
TF_VAR_gitea_client_id: ${{ secrets.TF_VAR_gitea_client_id }}
TF_VAR_gitea_client_secret: ${{ secrets.TF_VAR_gitea_client_secret }}
TF_VAR_miniflux_client_id: ${{ secrets.TF_VAR_miniflux_client_id }}
TF_VAR_miniflux_client_secret: ${{ secrets.TF_VAR_miniflux_client_secret }}
TF_VAR_portainer_client_id: ${{ secrets.TF_VAR_portainer_client_id }}
TF_VAR_portainer_client_secret: ${{ secrets.TF_VAR_portainer_client_secret }}
TF_VAR_paperless_client_id: ${{ secrets.TF_VAR_paperless_client_id }}
TF_VAR_paperless_client_secret: ${{ secrets.TF_VAR_paperless_secret }}
TF_VAR_netbird_client_id: ${{ secrets.TF_VAR_netbird_client_id }}
TF_VAR_netbird_client_secret: ${{ secrets.TF_VAR_netbird_client_secret }}
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
run: |
cd tofu/authentik
tofu init
tofu apply -auto-approve
adguard:
runs-on: ubuntu-22.04
steps:
- uses: https://code.forgejo.org/actions/checkout@v6
- uses: opentofu/setup-opentofu@v2
with:
tofu_version: 1.7.0
- name: Deploy
env:
ADGUARD_PASSWORD: ${{ secrets.ADGUARD_PASSWORD }}
AWS_ACCESS_KEY_ID: ${{ secrets.AWS_ACCESS_KEY_ID }}
AWS_SECRET_ACCESS_KEY: ${{ secrets.AWS_SECRET_ACCESS_KEY }}
run: |
cd tofu/adguard
tofu init
tofu apply -auto-approve

8
.pre-commit-config.yaml
View file

@ -1,7 +1,7 @@
--- ---
repos: repos:
- repo: https://github.com/pre-commit/pre-commit-hooks - repo: https://github.com/pre-commit/pre-commit-hooks
rev: v5.0.0 rev: v6.0.0
hooks: hooks:
- id: trailing-whitespace - id: trailing-whitespace
- id: end-of-file-fixer - id: end-of-file-fixer
@ -15,18 +15,18 @@ repos:
- id: trailing-whitespace - id: trailing-whitespace
- repo: https://github.com/antonbabenko/pre-commit-terraform - repo: https://github.com/antonbabenko/pre-commit-terraform
rev: v1.92.1 rev: v1.105.0
hooks: hooks:
- id: terraform_fmt - id: terraform_fmt
- repo: https://github.com/adrienverge/yamllint.git - repo: https://github.com/adrienverge/yamllint.git
rev: v1.35.1 rev: v1.38.0
hooks: hooks:
- id: yamllint - id: yamllint
args: [--format, parsable, --strict] args: [--format, parsable, --strict]
- repo: https://github.com/shellcheck-py/shellcheck-py - repo: https://github.com/shellcheck-py/shellcheck-py
rev: v0.10.0.1 rev: v0.11.0.1
hooks: hooks:
- id: shellcheck - id: shellcheck
files: \.sh files: \.sh

32
.woodpecker/fmt.yaml Normal file
View file

@ -0,0 +1,32 @@
---
when:
- event: push
branch: feat/woodpecker-ci
steps:
- name: build-image
image: woodpeckerci/plugin-docker-buildx
settings:
registry: git.roboces.dev/catalin/fukuops
repo: git.roboces.dev/catalin/fukuops
tags: ci-fmt
target: fmt
- name: pre-commit
image: git.roboces.dev/catalin/fukuops:ci-fmt
depends_on: [build-image]
commands:
- make fmt--pre-commit
- name: kubeconform
image: git.roboces.dev/catalin/fukuops:ci-fmt
depends_on: [build-image]
commands:
#- make fmt--kubeconform
- echo "foo"
- name: tflint
image: git.roboces.dev/catalin/fukuops:ci-fmt
depends_on: [build-image]
commands:
- make fmt--tflint

20
.woodpecker/tofu.yaml Normal file
View file

@ -0,0 +1,20 @@
---
when:
- event: push
branch: feat/woodpecker-ci
steps:
- name: tofu-authentik
image: ghcr.io/opentofu/opentofu:1.10.9-minimal
commands:
- cd tofu/authentik
- tofu init
- tofu apply -auto-approve
- name: tofu-adguard
image: ghcr.io/opentofu/opentofu:1.10.9-minimal
commands:
- cd tofu/adguard
- tofu init
- tofu apply -auto-approve

10
Dockerfile Normal file
View file

@ -0,0 +1,10 @@
FROM alpine:3.21 AS fmt
RUN apk add --no-cache \
opentofu \
pre-commit \
kubeconform \
tflint
# Default command
CMD ["/bin/sh"]

18
Makefile
View file

@ -1,13 +1,15 @@
lint--pre-commit: fmt--pre-commit:
pre-commit run --all-files --color always pre-commit run --all-files --color always
lint--kubeconform: fmt--kubeconform:
kubeconform -strict -ignore-missing-schemas k8s/ kubeconform -strict -ignore-missing-schemas k8s/argo-apps
kubeconform -strict -ignore-missing-schemas k8s/services
lint--tflint:
fmt--tflint:
tflint --recursive tflint --recursive
lint: fmt:
make lint--pre-commit make fmt--pre-commit
make lint--kubeconform make fmt--kubeconform
make lint--tflint make fmt--tflint

3
README.md
View file

@ -1,4 +1,3 @@
# fukuops # fukuops
[![Last build status](https://git.roboces.dev/catalin/fukuops/badges/workflows/ci.yaml/badge.svg)](https://git.roboces.dev/catalin/fukuops/actions) [![status-badge](https://ci.roboces.dev/api/badges/1/status.svg)](https://ci.roboces.dev/repos/1)
[![Tofu deployments](https://git.roboces.dev/catalin/fukuops/badges/workflows/deploy-tofu.yaml/badge.svg)](https://git.roboces.dev/catalin/fukuops/actions)

8
k8s/argo-apps/woodpecker.yaml
View file

@ -22,6 +22,8 @@ spec:
storageClass: truenas-nfs-csi storageClass: truenas-nfs-csi
accessModes: accessModes:
- ReadWriteMany - ReadWriteMany
env:
WOODPECKER_MAX_WORKFLOWS: '4'
server: server:
env: env:
WOODPECKER_ADMIN: 'woodpecker,admin,catalin' WOODPECKER_ADMIN: 'woodpecker,admin,catalin'
@ -38,6 +40,12 @@ spec:
secretKeyRef: secretKeyRef:
name: woodpecker name: woodpecker
key: WOODPECKER_FORGEJO_SECRET key: WOODPECKER_FORGEJO_SECRET
WOODPECKER_DATABASE_DRIVER: postgres
WOODPECKER_DATABASE_DATASOURCE:
valueFrom:
secretKeyRef:
name: woodpecker
key: WOODPECKER_DATABASE_DATASOURCE
persistentVolume: persistentVolume:
storageClass: truenas-nfs-csi storageClass: truenas-nfs-csi
accessModes: accessModes:

19
k8s/playground/nfstest/pod.yaml
View file

@ -1,19 +0,0 @@
---
kind: Pod
apiVersion: v1
metadata:
name: pod-using-nfs
namespace: apps-fuku
spec:
containers:
- name: app
image: alpine
volumeMounts:
- name: data
mountPath: /var/nfs
command: ["/bin/sh"]
args: ["-c", "sleep 500000"]
volumes:
- name: data
persistentVolumeClaim:
claimName: myapp-nfs

14
k8s/playground/nfstest/pvc.yaml
View file

@ -1,14 +0,0 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: myapp-nfs
namespace: apps-fuku
spec:
accessModes:
- ReadWriteMany
storageClassName: ""
volumeName: nas1
resources:
requests:
storage: 5Gi

15
k8s/playground/nfstest/pvwithnfs.yaml
View file

@ -1,15 +0,0 @@
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: nas1
namespace: apps-fuku
spec:
capacity:
storage: 5Gi
accessModes:
- ReadWriteMany
persistentVolumeReclaimPolicy: Retain
nfs:
server: zeruel.fuku
path: /mnt/pool1/nas1

103
scripts/create-nginx-certs.sh Executable file
View file

@ -0,0 +1,103 @@
#!/usr/bin/env bash
set -euo pipefail
usage() {
cat <<'EOF'
Usage:
create-nginx-certs.sh --domain <domain> [--output <name>]
Options:
-d, --domain Domain name to use for the certificate Common Name and SAN
-o, --output Output file base name (defaults to the domain name)
-h, --help Show this help message
Examples:
./create-nginx-certs.sh --domain mydomain.local
./create-nginx-certs.sh --domain mydomain.local --output foo
EOF
}
DOMAIN=""
OUTPUT_BASE=""
while [[ $# -gt 0 ]]; do
case "$1" in
-d|--domain)
if [[ $# -lt 2 ]]; then
echo "Error: --domain requires a value" >&2
usage >&2
exit 1
fi
DOMAIN="$2"
shift 2
;;
-o|--output)
if [[ $# -lt 2 ]]; then
echo "Error: --output requires a value" >&2
usage >&2
exit 1
fi
OUTPUT_BASE="$2"
shift 2
;;
-h|--help)
usage
exit 0
;;
*)
echo "Error: unknown argument: $1" >&2
usage >&2
exit 1
;;
esac
done
if [[ -z "$DOMAIN" ]]; then
echo "Error: --domain is required" >&2
usage >&2
exit 1
fi
if [[ -z "$OUTPUT_BASE" ]]; then
OUTPUT_BASE="$DOMAIN"
fi
CERT_FILE="${OUTPUT_BASE}.pem"
KEY_FILE="${OUTPUT_BASE}.key.pem"
TMP_CONFIG="$(mktemp)"
cleanup() {
rm -f "$TMP_CONFIG"
}
trap cleanup EXIT
cat > "$TMP_CONFIG" <<EOF
[req]
default_bits = 2048
prompt = no
default_md = sha256
distinguished_name = dn
req_extensions = req_ext
[dn]
CN = ${DOMAIN}
[req_ext]
subjectAltName = @alt_names
[alt_names]
DNS.1 = ${DOMAIN}
EOF
openssl req -x509 \
-nodes \
-days 3650 \
-newkey rsa:2048 \
-keyout "$KEY_FILE" \
-out "$CERT_FILE" \
-config "$TMP_CONFIG" \
-extensions req_ext
echo "Created certificate: $CERT_FILE"
echo "Created private key: $KEY_FILE"

11
tofu/adguard/main.tf
View file

@ -23,18 +23,9 @@ provider "adguard" {
resource "adguard_rewrite" "argo_1" { resource "adguard_rewrite" "argo_1" {
domain = "argo.fuku" domain = "argo.fuku"
answer = "192.168.1.31" answer = "192.168.1.12"
} }
resource "adguard_rewrite" "argo_2" {
domain = "argo.fuku"
answer = "192.168.1.32"
}
resource "adguard_rewrite" "argo_3" {
domain = "argo.fuku"
answer = "192.168.1.33"
}
resource "adguard_rewrite" "feeds" { resource "adguard_rewrite" "feeds" {
domain = "feeds.roboces.dev" domain = "feeds.roboces.dev"
answer = "192.168.1.12" answer = "192.168.1.12"

22
tofu/modules/authentik-app/vars.tf
View file

@ -8,33 +8,11 @@ variable "app_slug" {
type = string type = string
} }
variable "client_type" {
type = string
default = "confidential"
validation {
condition = contains(["confidential", "public"], var.client_type)
error_message = "client_type must be 'confidential' or 'public'"
}
}
variable "app_access_group_id" { variable "app_access_group_id" {
description = "ID of a group which will have access to the app" description = "ID of a group which will have access to the app"
type = string type = string
} }
variable "sub_mode" {
type = string
default = "user_username"
validation {
condition = contains(["user_id", "user_username", "hashed_user_id"], var.sub_mode)
error_message = "sub_mode must be 'user_id', 'user_username' or 'hashed_user_id'"
}
}
variable "open_in_new_tab" { variable "open_in_new_tab" {
type = bool type = bool
description = "Open apps in a new tab" description = "Open apps in a new tab"