Initial commit after reset and multi-cluster folder structure 🚀

kubernetes/main/apps/cert-manager/cert-manager/app/helmrelease.yaml

@@ -0,0 +1,31 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: cert-manager
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: cert-manager
+      version: v1.16.1
+      sourceRef:
+        kind: HelmRepository
+        name: jetstack
+        namespace: flux-system
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      retries: 3
+  values:
+    crds:
+      enabled: true
+    dns01RecursiveNameservers: https://1.1.1.1:443/dns-query,https://1.0.0.1:443/dns-query
+    dns01RecursiveNameserversOnly: true
+    prometheus:
+      enabled: true
+      servicemonitor:
+        enabled: true

kubernetes/main/apps/cert-manager/cert-manager/app/kustomization.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./helmrelease.yaml

kubernetes/main/apps/cert-manager/cert-manager/issuers/issuers.yaml

@@ -0,0 +1,39 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-production
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: "${SECRET_ACME_EMAIL}"
+    privateKeySecretRef:
+      name: letsencrypt-production
+    solvers:
+      - dns01:
+          cloudflare:
+            apiTokenSecretRef:
+              name: cert-manager-secret
+              key: api-token
+        selector:
+          dnsZones:
+            - "${SECRET_DOMAIN}"
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-staging
+spec:
+  acme:
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    email: "${SECRET_ACME_EMAIL}"
+    privateKeySecretRef:
+      name: letsencrypt-staging
+    solvers:
+      - dns01:
+          cloudflare:
+            apiTokenSecretRef:
+              name: cert-manager-secret
+              key: api-token
+        selector:
+          dnsZones:
+            - "${SECRET_DOMAIN}"

kubernetes/main/apps/cert-manager/cert-manager/issuers/kustomization.yaml

@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./secret.sops.yaml
+  - ./issuers.yaml

kubernetes/main/apps/cert-manager/cert-manager/issuers/secret.sops.yaml

@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: cert-manager-secret
+stringData:
+    api-token: ENC[AES256_GCM,data:9FrYCjhfdParNTjYFytXLatUWVkXoda3yUMb7PDJTzmVjlyjGRSnrw==,iv:DFy7yg2bCapDAuvoU9blucqelEU0firrd+1/R26PtRI=,tag:mkjsxptT5Nj7wfuN+/u9cA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age10x2a6rhd5v9kd5w4cn9jemdxch7ecsltw3mpynx4gttcdpsqhumqtkh6kf
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAyQ2hlSmxjaFVZRmM3TTdK
+            bGlDSVBRa2txRjR1aGRwVk00dTdIeDlZVTEwCmJMeUhuOWlEZm1Zd0JnTnlxeW5W
+            VTBjYmU5WHZqUzZSSmpvaUIwcVYrc3cKLS0tIFJJazZDRytrMGp2MFNGTEh5cFpR
+            b2xiVGJ3QXR6SFRrYnRSM3RveXhBd28KPCJq2PnGyvYncdMNa6tV9eECJ0azJJNF
+            qv3jfz50O/5q4XFPH1rNjzWYqwRA7EEUTXLfaK/Vh2v4T5dJRrnK5g==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-11-14T18:39:10Z"
+    mac: ENC[AES256_GCM,data:JrDoviqwAWXWKrJXOXcSzDlCu9o3pOV9F8dXqZSu10GVzCPudBKTWgP0yy9vvOTtvjAmYIRuN/nTOl8H/mCHNcdRNw6uT3wwuapttOLSLJ1Z27SzqO81nEXknpz53B2dEOoRxrJwjQrElBqcTY5t9reEiVumnFb38ailYyDn/2g=,iv:/R+RZfeCPk/bBJBmAhhWXZy0jN7tJubfkYJjxXNnldo=,tag:RQ/YUCfjfXzzFxyqlWu4jQ==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.9.1

kubernetes/main/apps/cert-manager/cert-manager/ks.yaml

@@ -0,0 +1,40 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app cert-manager
+  namespace: flux-system
+spec:
+  targetNamespace: cert-manager
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  path: ./kubernetes/main/apps/cert-manager/cert-manager/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-kubernetes
+  wait: true
+  interval: 30m
+  timeout: 5m
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app cert-manager-issuers
+  namespace: flux-system
+spec:
+  targetNamespace: cert-manager
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  dependsOn:
+    - name: cert-manager
+  path: ./kubernetes/main/apps/cert-manager/cert-manager/issuers
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-kubernetes
+  wait: true
+  interval: 30m
+  timeout: 5m

kubernetes/main/apps/cert-manager/kustomization.yaml

@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./namespace.yaml
+  - ./cert-manager/ks.yaml

kubernetes/main/apps/cert-manager/namespace.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cert-manager
+  labels:
+    kustomize.toolkit.fluxcd.io/prune: disabled

kubernetes/main/apps/flux-system/kustomization.yaml

@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./namespace.yaml
+  - ./webhooks/ks.yaml

kubernetes/main/apps/flux-system/namespace.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: flux-system
+  labels:
+    kustomize.toolkit.fluxcd.io/prune: disabled

kubernetes/main/apps/flux-system/webhooks/app/github/ingress.yaml

@@ -0,0 +1,20 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: flux-webhook
+  annotations:
+    external-dns.alpha.kubernetes.io/target: "external.${SECRET_DOMAIN}"
+spec:
+  ingressClassName: external
+  rules:
+    - host: "flux-webhook.${SECRET_DOMAIN}"
+      http:
+        paths:
+          - path: /hook/
+            pathType: Prefix
+            backend:
+              service:
+                name: webhook-receiver
+                port:
+                  number: 80

kubernetes/main/apps/flux-system/webhooks/app/github/kustomization.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./secret.sops.yaml
+  - ./ingress.yaml
+  - ./receiver.yaml

kubernetes/main/apps/flux-system/webhooks/app/github/receiver.yaml

@@ -0,0 +1,25 @@
+---
+apiVersion: notification.toolkit.fluxcd.io/v1
+kind: Receiver
+metadata:
+  name: github-receiver
+spec:
+  type: github
+  events:
+    - ping
+    - push
+  secretRef:
+    name: github-webhook-token-secret
+  resources:
+    - apiVersion: source.toolkit.fluxcd.io/v1
+      kind: GitRepository
+      name: home-kubernetes
+      namespace: flux-system
+    - apiVersion: kustomize.toolkit.fluxcd.io/v1
+      kind: Kustomization
+      name: cluster
+      namespace: flux-system
+    - apiVersion: kustomize.toolkit.fluxcd.io/v1
+      kind: Kustomization
+      name: cluster-apps
+      namespace: flux-system

kubernetes/main/apps/flux-system/webhooks/app/github/secret.sops.yaml

@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: github-webhook-token-secret
+stringData:
+    token: ENC[AES256_GCM,data:xETCSkV/Znd+wNCY7Eia9oiUdnIo8nbe6uxtfgSGgn8=,iv:azPN0l942kwuddYVQvkaOuTQmWkgcTauK8SNSTUrdE8=,tag:FMO+Uh9DyEkI3r2wwYR43A==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age10x2a6rhd5v9kd5w4cn9jemdxch7ecsltw3mpynx4gttcdpsqhumqtkh6kf
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBzTy9Xeld2YUo3RmJMNVJZ
+            ZkNMWXpUTEVOcHVLNkdDdXQ0V2U0S2ZuZUFzCjhtZ1ptZmFwM3JpR2V0TWJsVldl
+            cmErMjNOajlHdGx2aWRhYmpFWFB6bUkKLS0tIGtjS0RyVDRoNXFZc2RURlBTTzBn
+            TzE3dDdMV0NZS1NDVFBTYU95Yko4aU0KJZzWs5fBpE8UGyxewETP92wtXLw2JI8B
+            UAEMm9qrCDXS9afJsDG+8X+IX3qUCFEVTQf3xULvWIo9H1s36M+CDg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-11-14T18:39:10Z"
+    mac: ENC[AES256_GCM,data:G5XAH/N6v7/cDDUe+3ZWwe8UzyKa3zMYB5xCnVdxmmV8XjTtQp2d0PPv5rp9KOT3L437O8Y1amV+CE3cK0wLG163WLUpp9BLK33MuHkb/AVBH1imgnbV/O/Lm6qLtjGMgMIWRf1rRAinQfMIILosmVKRSGYTgH+QZdqu/bm9H2A=,iv:3Y/HI4bBEy8YoytEnXKz4ICf1NXQjD99Rvy9CCx0pqc=,tag:60ZuFeCGykBWjE5Qu3j/3w==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.9.1

kubernetes/main/apps/flux-system/webhooks/app/kustomization.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./github

kubernetes/main/apps/flux-system/webhooks/ks.yaml

@@ -0,0 +1,19 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app flux-webhooks
+  namespace: flux-system
+spec:
+  targetNamespace: flux-system
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  path: ./kubernetes/main/apps/flux-system/webhooks/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-kubernetes
+  wait: true
+  interval: 30m
+  timeout: 5m

kubernetes/main/apps/kube-system/cilium/app/helm-values.yaml

@@ -0,0 +1,59 @@
+---
+autoDirectNodeRoutes: true
+bgpControlPlane:
+  enabled: true
+bpf:
+  masquerade: false # Required for Talos `.machine.features.hostDNS.forwardKubeDNSToHost`
+cgroup:
+  automount:
+    enabled: false
+  hostRoot: /sys/fs/cgroup
+cluster:
+  id: 1
+  name: "home-kubernetes"
+cni:
+  exclusive: false
+# NOTE: devices might need to be set if you have more than one active NIC on your hosts
+# devices: eno+ eth+
+endpointRoutes:
+  enabled: true
+envoy:
+  enabled: false
+hubble:
+  enabled: false
+ipam:
+  mode: kubernetes
+ipv4NativeRoutingCIDR: "10.69.0.0/16"
+k8sServiceHost: 127.0.0.1
+k8sServicePort: 7445
+kubeProxyReplacement: true
+kubeProxyReplacementHealthzBindAddr: 0.0.0.0:10256
+l2announcements:
+  enabled: false # https://github.com/cilium/cilium/issues/28985
+loadBalancer:
+  algorithm: maglev
+  mode: "dsr"
+localRedirectPolicy: true
+operator:
+  replicas: 1
+  rollOutPods: true
+rollOutCiliumPods: true
+routingMode: native
+securityContext:
+  capabilities:
+    ciliumAgent:
+      - CHOWN
+      - KILL
+      - NET_ADMIN
+      - NET_RAW
+      - IPC_LOCK
+      - SYS_ADMIN
+      - SYS_RESOURCE
+      - DAC_OVERRIDE
+      - FOWNER
+      - SETGID
+      - SETUID
+    cleanCiliumState:
+      - NET_ADMIN
+      - SYS_ADMIN
+      - SYS_RESOURCE