feat: NixOS | use LUKS and proper hostname for k3s domain

feat: NixOS | move cluster config to /master

fix: update all stuff for office network

feat: PiHole | set up DHCP server

chore: Cloudflare | delete api token secret

chore: remove external-dns annotations from ingressed services

fix: PiHole | turn off liveness checks due to host ip

fix: GiteaActions | use encrypted storage for runner

fix: ElasticSearch | use encrypted volumes for storage

fix: Pihole | static mac addresses all caps

feat: NixOS | manual network configuration

fix: NixOS | k3s cluster init point to static ip with tls-san

chore: Postgres | move certificate resources into own file + reduce volume size

fix: Pihole | add ingress class name

sec: NixOS | remove token from git

helm/values/gitea.values.yaml

@@ -1,11 +1,9 @@
 service:
   http:
     annotations:
-      external-dns.alpha.kubernetes.io/hostname: git.dogar.dev
       metallb.universe.tf/allow-shared-ip: gitea
   ssh:
     annotations:
-      external-dns.alpha.kubernetes.io/hostname: git.dogar.dev
       metallb.universe.tf/allow-shared-ip: gitea
 ingress:
   enabled: true
@@ -88,6 +86,7 @@ gitea:
           key: password
 persistence:
   enabled: true
+  storageClass: longhorn-crypto
   accessModes:
     - ReadWriteMany
 postgresql-ha:

helm/values/longhorn.values.yaml

@@ -0,0 +1,13 @@
+metrics:
+  serviceMonitor:
+    enabled: true
+ingress:
+  enabled: true
+  ingressClassName: nginx-internal
+  host: longhorn.dogar.dev
+  tls: true
+  tlsSecretName: longhorn-tls
+  annotations:
+    cert-manager.io/cluster-issuer: cloudflare-issuer
+    cert-manager.io/acme-challenge-type: dns01
+    cert-manager.io/private-key-size: "4096"

helm/values/nginx-internal.values.yaml

@@ -6,6 +6,9 @@ controller:
     controllerValue: "k8s.io/ingress-nginx"
     parameters: {}
   ingressClass: nginx-internal
+  service:
+    annotations:
+      external-dns.alpha.kubernetes.io/hostname: "postgres.dogar.dev"
 tcp:
   22:    "gitea-system/gitea-ssh:22"
   5432:  "postgres-system/postgres-cluster-rw:5432"

helm/values/pihole.values.yaml

@@ -2,17 +2,21 @@
 DNS1:
   1.1.1.1
 DNS2:
-  192.168.0.1
+  192.168.18.1
+nodeSelector:
+  pihole: "true"
 admin:
   enabled: true
   existingSecret: pihole-admin
   passwordKey: password
 persistentVolumeClaim:
   enabled: true
+  storageClass: longhorn-crypto
   accessModes:
     - ReadWriteOnce
 ingress:
   enabled: true
+  ingressClassName: nginx-internal
   annotations:
     cert-manager.io/cluster-issuer: cloudflare-issuer
     cert-manager.io/acme-challenge-type: dns01
@@ -24,15 +28,54 @@ ingress:
       hosts:
         - pihole.dogar.dev
 serviceWeb:
-  loadBalancerIP: 192.168.0.250
   annotations:
     metallb.universe.tf/allow-shared-ip: pihole-svc
   type: LoadBalancer
+  loadBalancerIP: 192.168.18.250
 serviceDns:
-  loadBalancerIP: 192.168.0.250
   annotations:
     metallb.universe.tf/allow-shared-ip: pihole-svc
   type: LoadBalancer
+  loadBalancerIP: 192.168.18.250
+serviceDhcp:
+  annotations:
+    metallb.universe.tf/allow-shared-ip: pihole-svc
+  enabled: true
+  type: LoadBalancer
+  loadBalancerIP: 192.168.18.250
+probes:
+  liveness:
+    enabled: false
+  readiness:
+    enabled: false
+dnsmasq:
+  additionalHostsEntries:
+    - 192.168.18.10 homelab-0
+    - 192.168.18.11 homelab-1
+    - 192.168.18.12 homelab-2
+    - 192.168.18.10 lab.dogar.dev
+  staticDhcpEntries:
+    - dhcp-host=B0:41:6F:0F:A8:D3,192.168.18.10,homelab-0
+    - dhcp-host=B0:41:6F:0F:AE:89,192.168.18.11,homelab-1
+    - dhcp-host=B0:41:6F:0F:A0:CD,192.168.18.12,homelab-2
+hostNetwork: true
+hostname: pihole
+privileged: true
+capabilities:
+  add:
+    - NET_ADMIN
+extraEnvVars:
+  TZ: "Asia/Karachi"
+  DNSSEC: "true"
+  FTLCONF_LOCAL_IPV4: "192.168.18.250"
+  INTERFACE: "enp1s0"
+  DNSMASQ_LISTENING: "single"
+  DHCP_ACTIVE: "true"
+  DHCP_START: "192.168.18.2"
+  DHCP_END: "192.168.18.20"
+  DHCP_ROUTER: "192.168.18.1"
+  PIHOLE_DOMAIN: "pihole.dogar.dev"
+  VIRTUAL_HOST: "pihole.dogar.dev"
 podAnnotations:
   prometheus.io/scrape: "true"
   prometheus.io/port: "9617"

helm/values/prometheus.values.yaml

@@ -1,8 +1,5 @@
 grafana:
   enabled: true
-  service:
-    annotations:
-      external-dns.alpha.kubernetes.io/hostname: grafana.dogar.dev
   ingress:
     enabled: true
     ingressClassName: nginx-internal