feat: NixOS | use LUKS and proper hostname for k3s domain

feat: NixOS | move cluster config to /master fix: update all stuff for office network feat: PiHole | set up DHCP server chore: Cloudflare | delete api token secret chore: remove external-dns annotations from ingressed services fix: PiHole | turn off liveness checks due to host ip fix: GiteaActions | use encrypted storage for runner fix: ElasticSearch | use encrypted volumes for storage fix: Pihole | static mac addresses all caps feat: NixOS | manual network configuration fix: NixOS | k3s cluster init point to static ip with tls-san chore: Postgres | move certificate resources into own file + reduce volume size fix: Pihole | add ingress class name sec: NixOS | remove token from git
2024-10-19 13:15:36 +05:00
parent 38e5e53fd9
commit 0d4f700b89
19 changed files with 280 additions and 191 deletions
--- a/postgres/certificates.yaml
+++ b/postgres/certificates.yaml
@@ -1,5 +1,115 @@
 ---
 apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: selfsigned-issuer
+  namespace: postgres-system
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: server-ca
+  namespace: postgres-system
+spec:
+  isCA: true
+  commonName: postgres-server-ca
+  secretName: postgres-server-ca
+  privateKey:
+    algorithm: ECDSA
+    size: 384
+  issuerRef:
+    name: selfsigned-issuer
+    kind: Issuer
+    group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: postgres-server-ca-issuer
+  namespace: postgres-system
+spec:
+  ca:
+    secretName: postgres-server-ca
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: postgres-server-cert
+  namespace: postgres-system
+  labels:
+    cnpg.io/reload: ""
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: postgres-server-cert
+  namespace: postgres-system
+spec:
+  secretName: postgres-server-cert
+  usages:
+    - server auth
+  dnsNames:
+    - postgres-cluster-rw.postgres-system.svc.cluster.local
+    - postgres-cluster-ro.postgres-system.svc.cluster.local
+    - postgres-cluster-r.postgres-system.svc.cluster.local
+    - postgres.dogar.dev
+  issuerRef:
+    name: postgres-server-ca-issuer
+    kind: Issuer
+    group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: client-ca
+  namespace: postgres-system
+spec:
+  isCA: true
+  commonName: postgres-client-ca
+  secretName: postgres-client-ca
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: selfsigned-issuer
+    kind: Issuer
+    group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: postgres-client-ca-issuer
+  namespace: postgres-system
+spec:
+  ca:
+    secretName: postgres-client-ca
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: postgres-client-cert
+  namespace: postgres-system
+  labels:
+    cnpg.io/reload: ""
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: postgres-client-cert
+  namespace: postgres-system
+spec:
+  secretName: postgres-client-cert
+  usages:
+    - client auth
+  commonName: streaming_replica
+  issuerRef:
+    name: postgres-client-ca-issuer
+    kind: Issuer
+    group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: shahab-client-cert