feat: NixOS | use LUKS and proper hostname for k3s domain

feat: NixOS | move cluster config to /master

fix: update all stuff for office network

feat: PiHole | set up DHCP server

chore: Cloudflare | delete api token secret

chore: remove external-dns annotations from ingressed services

fix: PiHole | turn off liveness checks due to host ip

fix: GiteaActions | use encrypted storage for runner

fix: ElasticSearch | use encrypted volumes for storage

fix: Pihole | static mac addresses all caps

feat: NixOS | manual network configuration

fix: NixOS | k3s cluster init point to static ip with tls-san

chore: Postgres | move certificate resources into own file + reduce volume size

fix: Pihole | add ingress class name

sec: NixOS | remove token from git

1password/secrets.yaml

@@ -61,16 +61,6 @@ spec:
 ---
 apiVersion: onepassword.com/v1
 kind: OnePasswordItem
-metadata:
-  name: cloudflare-token
-  namespace: cloudflare-system
-  annotations:
-    operator.1password.io/auto-restart: "true"
-spec:
-  itemPath: "vaults/Lab/items/Cloudflare"
----
-apiVersion: onepassword.com/v1
-kind: OnePasswordItem
 metadata:
   name: authentik-postgres
   namespace: authentik-system
@@ -138,3 +128,13 @@ metadata:
     operator.1password.io/auto-restart: "true"
 spec:
   itemPath: "vaults/Lab/items/smtp-token"
+---
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: longhorn-encryption
+  namespace: longhorn-system
+  annotations:
+    operator.1password.io/auto-restart: "true"
+spec:
+  itemPath: "vaults/Lab/items/longhorn-encryption"

elasticsearch/cluster.yaml

@@ -38,5 +38,15 @@ spec:
   nodeSets:
   - name: master
     count: 1
+    volumeClaimTemplates:
+    - metadata:
+        name: elasticsearch-data
+      spec:
+        accessModes:
+        - ReadWriteOnce
+        resources:
+          requests:
+            storage: 10Gi
+        storageClassName: longhorn-crypto
     config:
       node.roles: ["master", "data"]

gitea/actions/runner.yaml

@@ -9,7 +9,7 @@ spec:
   resources:
     requests:
       storage: 10Gi
-  storageClassName: longhorn
+  storageClassName: longhorn-crypto
 ---
 apiVersion: apps/v1
 kind: Deployment

helm/helmfile.yaml

@@ -26,6 +26,8 @@ releases:
     namespace: longhorn-system
     chart: longhorn/longhorn
     version: 1.7.0
+    values:
+      - ./values/longhorn.values.yaml
 
   # Load Balancer
   - name: metallb

helm/values/gitea.values.yaml

@@ -1,11 +1,9 @@
 service:
   http:
     annotations:
-      external-dns.alpha.kubernetes.io/hostname: git.dogar.dev
       metallb.universe.tf/allow-shared-ip: gitea
   ssh:
     annotations:
-      external-dns.alpha.kubernetes.io/hostname: git.dogar.dev
       metallb.universe.tf/allow-shared-ip: gitea
 ingress:
   enabled: true
@@ -88,6 +86,7 @@ gitea:
           key: password
 persistence:
   enabled: true
+  storageClass: longhorn-crypto
   accessModes:
     - ReadWriteMany
 postgresql-ha:

helm/values/longhorn.values.yaml

@@ -0,0 +1,13 @@
+metrics:
+  serviceMonitor:
+    enabled: true
+ingress:
+  enabled: true
+  ingressClassName: nginx-internal
+  host: longhorn.dogar.dev
+  tls: true
+  tlsSecretName: longhorn-tls
+  annotations:
+    cert-manager.io/cluster-issuer: cloudflare-issuer
+    cert-manager.io/acme-challenge-type: dns01
+    cert-manager.io/private-key-size: "4096"

helm/values/nginx-internal.values.yaml

@@ -6,6 +6,9 @@ controller:
     controllerValue: "k8s.io/ingress-nginx"
     parameters: {}
   ingressClass: nginx-internal
+  service:
+    annotations:
+      external-dns.alpha.kubernetes.io/hostname: "postgres.dogar.dev"
 tcp:
   22:    "gitea-system/gitea-ssh:22"
   5432:  "postgres-system/postgres-cluster-rw:5432"

helm/values/pihole.values.yaml

@@ -2,17 +2,21 @@
 DNS1:
   1.1.1.1
 DNS2:
-  192.168.0.1
+  192.168.18.1
+nodeSelector:
+  pihole: "true"
 admin:
   enabled: true
   existingSecret: pihole-admin
   passwordKey: password
 persistentVolumeClaim:
   enabled: true
+  storageClass: longhorn-crypto
   accessModes:
     - ReadWriteOnce
 ingress:
   enabled: true
+  ingressClassName: nginx-internal
   annotations:
     cert-manager.io/cluster-issuer: cloudflare-issuer
     cert-manager.io/acme-challenge-type: dns01
@@ -24,15 +28,54 @@ ingress:
       hosts:
         - pihole.dogar.dev
 serviceWeb:
-  loadBalancerIP: 192.168.0.250
   annotations:
     metallb.universe.tf/allow-shared-ip: pihole-svc
   type: LoadBalancer
+  loadBalancerIP: 192.168.18.250
 serviceDns:
-  loadBalancerIP: 192.168.0.250
   annotations:
     metallb.universe.tf/allow-shared-ip: pihole-svc
   type: LoadBalancer
+  loadBalancerIP: 192.168.18.250
+serviceDhcp:
+  annotations:
+    metallb.universe.tf/allow-shared-ip: pihole-svc
+  enabled: true
+  type: LoadBalancer
+  loadBalancerIP: 192.168.18.250
+probes:
+  liveness:
+    enabled: false
+  readiness:
+    enabled: false
+dnsmasq:
+  additionalHostsEntries:
+    - 192.168.18.10 homelab-0
+    - 192.168.18.11 homelab-1
+    - 192.168.18.12 homelab-2
+    - 192.168.18.10 lab.dogar.dev
+  staticDhcpEntries:
+    - dhcp-host=B0:41:6F:0F:A8:D3,192.168.18.10,homelab-0
+    - dhcp-host=B0:41:6F:0F:AE:89,192.168.18.11,homelab-1
+    - dhcp-host=B0:41:6F:0F:A0:CD,192.168.18.12,homelab-2
+hostNetwork: true
+hostname: pihole
+privileged: true
+capabilities:
+  add:
+    - NET_ADMIN
+extraEnvVars:
+  TZ: "Asia/Karachi"
+  DNSSEC: "true"
+  FTLCONF_LOCAL_IPV4: "192.168.18.250"
+  INTERFACE: "enp1s0"
+  DNSMASQ_LISTENING: "single"
+  DHCP_ACTIVE: "true"
+  DHCP_START: "192.168.18.2"
+  DHCP_END: "192.168.18.20"
+  DHCP_ROUTER: "192.168.18.1"
+  PIHOLE_DOMAIN: "pihole.dogar.dev"
+  VIRTUAL_HOST: "pihole.dogar.dev"
 podAnnotations:
   prometheus.io/scrape: "true"
   prometheus.io/port: "9617"

helm/values/prometheus.values.yaml

@@ -1,8 +1,5 @@
 grafana:
   enabled: true
-  service:
-    annotations:
-      external-dns.alpha.kubernetes.io/hostname: grafana.dogar.dev
   ingress:
     enabled: true
     ingressClassName: nginx-internal

kustomize/metallb/pool.yaml

@@ -6,7 +6,7 @@ metadata:
   namespace: metallb-system
 spec:
   addresses:
-    - 192.168.0.192/26
+    - 192.168.18.192/26
 ---
 apiVersion: metallb.io/v1beta1
 kind: L2Advertisement

longhorn/encrypted-storage-class.yaml

@@ -0,0 +1,18 @@
+---
+kind: StorageClass
+apiVersion: storage.k8s.io/v1
+metadata:
+  name: longhorn-crypto
+  namespace: longhorn-system
+provisioner: driver.longhorn.io
+allowVolumeExpansion: true
+parameters:
+  numberOfReplicas: "3"
+  staleReplicaTimeout: "2880" # 48 hours in minutes
+  encrypted: "true"
+  csi.storage.k8s.io/provisioner-secret-name: "longhorn-encryption"
+  csi.storage.k8s.io/provisioner-secret-namespace: "longhorn-system"
+  csi.storage.k8s.io/node-publish-secret-name: "longhorn-encryption"
+  csi.storage.k8s.io/node-publish-secret-namespace: "longhorn-system"
+  csi.storage.k8s.io/node-stage-secret-name: "longhorn-encryption"
+  csi.storage.k8s.io/node-stage-secret-namespace: "longhorn-system"

nixos/disko-config.nix

@@ -1,56 +0,0 @@
-{
-  disko.devices = {
-    disk = {
-      vdb = {
-        type = "disk";
-        device = "/dev/nvme0n1";
-        content = {
-          type = "gpt";
-          partitions = {
-            ESP = {
-              priority = 1;
-              name = "ESP";
-              start = "1M";
-              end = "128M";
-              type = "EF00";
-              content = {
-                type = "filesystem";
-                format = "vfat";
-                mountpoint = "/boot";
-              };
-            };
-            root = {
-              size = "100%";
-              content = {
-                type = "btrfs";
-                extraArgs = [ "-f" ]; # Override existing partition
-                # Subvolumes must set a mountpoint in order to be mounted,
-                # unless their parent is mounted
-                subvolumes = {
-                  # Subvolume name is different from mountpoint
-                  "/rootfs" = {
-                    mountpoint = "/";
-                  };
-                  # Subvolume name is the same as the mountpoint
-                  "/home" = {
-                    mountOptions = [ "compress=zstd" ];
-                    mountpoint = "/home";
-                  };
-                  # Sub(sub)volume doesn't need a mountpoint as its parent is mounted
-                  "/home/shahab" = { };
-                  # Parent is not mounted so the mountpoint must be set
-                  "/nix" = {
-                    mountOptions = [ "compress=zstd" "noatime" ];
-                    mountpoint = "/nix";
-                  };
-                };
-
-                mountpoint = "/partition-root";
-              };
-            };
-          };
-        };
-      };
-    };
-  };
-}

nixos/master/configuration.nix

@@ -23,6 +23,22 @@
   networking.hostName = meta.hostname; # Define your hostname.
   # Pick only one of the below networking options.
   networking.networkmanager.enable = true;
+  networking.interfaces.enp1s0.ipv4.addresses = [
+    {
+      address = (
+        if meta.hostname == "homelab-0" then "192.168.18.10"
+        else if meta.hostname == "homelab-1" then "192.168.18.11"
+        else if meta.hostname == "homelab-2" then "192.168.18.12"
+        else throw "Unknown hostname"
+      );
+      prefixLength = 24;
+    }
+  ];
+  networking.defaultGateway = "192.168.18.1";
+  networking.nameservers = [
+    "192.168.18.250"
+    "1.1.1.1"
+  ];
 
   # Set your time zone.
   time.timeZone = "Asia/Karachi";
@@ -61,8 +77,9 @@
 	    "--disable servicelb"
 	    "--disable traefik"
 	    "--disable local-storage"
+      "--tls-san homelab-0"
     ] ++ (if meta.hostname == "homelab-0" then [] else [
-	      "--server https://homelab-0:6443"
+	      "--server https://192.168.18.10:6443"
     ]));
     clusterInit = (meta.hostname == "homelab-0");
   };
@@ -147,6 +164,6 @@
   # and migrated your data accordingly.
   #
   # For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
-  system.stateVersion = "23.11"; # Did you read the comment?
+  system.stateVersion = "24.05"; # Did you read the comment?
 
 }

nixos/master/disko-config.nix

@@ -0,0 +1,40 @@
+{
+  disko.devices = {
+    disk = {
+      vdb = {
+        type = "disk";
+        device = "/dev/nvme0n1";
+        content = {
+          type = "gpt";
+          partitions = {
+            ESP = {
+              priority = 1;
+              name = "ESP";
+              start = "1M";
+              end = "128M";
+              type = "EF00";
+              content = {
+                type = "filesystem";
+                format = "vfat";
+                mountpoint = "/boot";
+              };
+            };
+            luks = {
+              size = "100%";
+              content = {
+                name = "crypted";
+                type = "luks";
+                askPassword = true;
+                content = {
+                  type = "filesystem";
+                  format = "ext4";
+                  mountpoint = "/";
+                };
+              };
+            };
+          };
+        };
+      };
+    };
+  };
+}

nixos/master/hardware-configuration.nix

@@ -15,8 +15,8 @@
   # (the default) this is the recommended approach. When using systemd-networkd it's
   # still possible to use this option, but it's recommended to use it in conjunction
   # with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
-  networking.useDHCP = lib.mkDefault true;
+  networking.useDHCP = lib.mkDefault false;
-  # networking.interfaces.enp1s0.useDHCP = lib.mkDefault true;
+  networking.interfaces.enp1s0.useDHCP = lib.mkDefault false;
   # networking.interfaces.wlo1.useDHCP = lib.mkDefault true;
 
   nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";

postgres/certificates.yaml

@@ -1,5 +1,115 @@
 ---
 apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: selfsigned-issuer
+  namespace: postgres-system
+spec:
+  selfSigned: {}
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: server-ca
+  namespace: postgres-system
+spec:
+  isCA: true
+  commonName: postgres-server-ca
+  secretName: postgres-server-ca
+  privateKey:
+    algorithm: ECDSA
+    size: 384
+  issuerRef:
+    name: selfsigned-issuer
+    kind: Issuer
+    group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: postgres-server-ca-issuer
+  namespace: postgres-system
+spec:
+  ca:
+    secretName: postgres-server-ca
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: postgres-server-cert
+  namespace: postgres-system
+  labels:
+    cnpg.io/reload: ""
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: postgres-server-cert
+  namespace: postgres-system
+spec:
+  secretName: postgres-server-cert
+  usages:
+    - server auth
+  dnsNames:
+    - postgres-cluster-rw.postgres-system.svc.cluster.local
+    - postgres-cluster-ro.postgres-system.svc.cluster.local
+    - postgres-cluster-r.postgres-system.svc.cluster.local
+    - postgres.dogar.dev
+  issuerRef:
+    name: postgres-server-ca-issuer
+    kind: Issuer
+    group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: client-ca
+  namespace: postgres-system
+spec:
+  isCA: true
+  commonName: postgres-client-ca
+  secretName: postgres-client-ca
+  privateKey:
+    algorithm: ECDSA
+    size: 256
+  issuerRef:
+    name: selfsigned-issuer
+    kind: Issuer
+    group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: postgres-client-ca-issuer
+  namespace: postgres-system
+spec:
+  ca:
+    secretName: postgres-client-ca
+---
+apiVersion: v1
+kind: Secret
+metadata:
+  name: postgres-client-cert
+  namespace: postgres-system
+  labels:
+    cnpg.io/reload: ""
+---
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: postgres-client-cert
+  namespace: postgres-system
+spec:
+  secretName: postgres-client-cert
+  usages:
+    - client auth
+  commonName: streaming_replica
+  issuerRef:
+    name: postgres-client-ca-issuer
+    kind: Issuer
+    group: cert-manager.io
+---
+apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
   name: shahab-client-cert

postgres/cluster.yaml

@@ -1,114 +1,4 @@
 ---
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
-  name: selfsigned-issuer
-  namespace: postgres-system
-spec:
-  selfSigned: {}
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: server-ca
-  namespace: postgres-system
-spec:
-  isCA: true
-  commonName: postgres-server-ca
-  secretName: postgres-server-ca
-  privateKey:
-    algorithm: ECDSA
-    size: 384
-  issuerRef:
-    name: selfsigned-issuer
-    kind: Issuer
-    group: cert-manager.io
----
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
-  name: postgres-server-ca-issuer
-  namespace: postgres-system
-spec:
-  ca:
-    secretName: postgres-server-ca
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: postgres-server-cert
-  namespace: postgres-system
-  labels:
-    cnpg.io/reload: ""
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: postgres-server-cert
-  namespace: postgres-system
-spec:
-  secretName: postgres-server-cert
-  usages:
-    - server auth
-  dnsNames:
-    - postgres-cluster-rw.postgres-system.svc.cluster.local
-    - postgres-cluster-ro.postgres-system.svc.cluster.local
-    - postgres-cluster-r.postgres-system.svc.cluster.local
-    - postgres.dogar.dev
-  issuerRef:
-    name: postgres-server-ca-issuer
-    kind: Issuer
-    group: cert-manager.io
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: client-ca
-  namespace: postgres-system
-spec:
-  isCA: true
-  commonName: postgres-client-ca
-  secretName: postgres-client-ca
-  privateKey:
-    algorithm: ECDSA
-    size: 256
-  issuerRef:
-    name: selfsigned-issuer
-    kind: Issuer
-    group: cert-manager.io
----
-apiVersion: cert-manager.io/v1
-kind: Issuer
-metadata:
-  name: postgres-client-ca-issuer
-  namespace: postgres-system
-spec:
-  ca:
-    secretName: postgres-client-ca
----
-apiVersion: v1
-kind: Secret
-metadata:
-  name: postgres-client-cert
-  namespace: postgres-system
-  labels:
-    cnpg.io/reload: ""
----
-apiVersion: cert-manager.io/v1
-kind: Certificate
-metadata:
-  name: postgres-client-cert
-  namespace: postgres-system
-spec:
-  secretName: postgres-client-cert
-  usages:
-    - client auth
-  commonName: streaming_replica
-  issuerRef:
-    name: postgres-client-ca-issuer
-    kind: Issuer
-    group: cert-manager.io
----
 apiVersion: postgresql.cnpg.io/v1
 kind: Cluster
 metadata:
@@ -127,7 +17,6 @@ spec:
     pg_hba:
       - hostssl all      shahab   all          cert
       - hostssl sameuser all      all          cert
-      - hostssl giteadb  gitea    10.42.0.0/16 scram-sha-256
   enableSuperuserAccess: false
   bootstrap:
     initdb:
@@ -137,4 +26,8 @@ spec:
       postInitSQL:
         - 'CREATE USER shahab SUPERUSER;'
   storage:
+    size: 10Gi
+    storageClass: longhorn-crypto
+  walStorage:
     size: 1Gi
+    storageClass: longhorn-crypto