fix: Traefik | remove ingress property from values.yaml

This reverts commit faa5a74702.

cache-infrastructure/go/values.yaml

@@ -1,4 +1,4 @@
-replicaCount: 3
+replicaCount: 1
 image:
   runAsNonRoot: true
 nodeSelector:

cache-infrastructure/nix/index.ts

@@ -73,7 +73,7 @@ export class NixCache extends Construct {
         namespace,
       },
       spec: {
-        replicas: "3",
+        replicas: "1",
         selector: {
           matchLabels: {
             app: name,

cache-infrastructure/npm/index.ts

@@ -70,7 +70,7 @@ export class NpmCache extends Construct {
         namespace,
       },
       spec: {
-        replicas: "3",
+        replicas: "1",
         selector: {
           matchLabels: {
             app: name,

core-services/cert-manager/values.yaml

@@ -6,3 +6,6 @@ prometheus:
 webhook:
   timeoutSeconds: 4
 enableCertificateOwnerRef: true
+extraArgs:
+  - "--dns01-recursive-nameservers-only"
+  - "--dns01-recursive-nameservers=1.1.1.1:53"

core-services/index.ts

@@ -29,7 +29,7 @@ export class CoreServices extends TerraformStack {
       metadata: {
         name: namespace,
       },
-    });
+    }).importFrom("homelab");
 
     new TerraformOutput(this, "namespace-output", {
       value: namespace,

core-services/traefik/values.yaml

@@ -3,11 +3,6 @@ image:
 providers:
   kubernetesCRD:
     allowCrossNamespace: true
-ingress:
-  ingressClass:
-    enabled: false
-    isDefaultClass: true
-    name: traefik
 deployment:
   replicas: 1
   podLabels:
@@ -25,28 +20,11 @@ topologySpreadConstraints:
       matchLabels:
         app: traefik
 additionalArguments:
-  - "--entryPoints.ssh.address=:22/tcp"
-  - "--entryPoints.minecraft-gtnh.address=:25566/tcp"
-  - "--entryPoints.minecraft-tfg.address=:25567/tcp"
+  - "--entryPoints.ssh.address=:2222/tcp"
 ports:
   ssh:
-    name: ssh
-    port: 22
-    exposedPort: 22
-    expose:
-      default: true
-    protocol: TCP
-  minecraft-gtnh:
-    name: minecraft-gtnh
-    port: 25566
-    exposedPort: 25566
-    expose:
-      default: true
-    protocol: TCP
-  minecraft-tfg:
-    name: minecraft-tfg
-    port: 25567
-    exposedPort: 25567
+    port: 2222
+    exposedPort: 2222
     expose:
       default: true
     protocol: TCP

elasticsearch/cluster.yaml

@@ -0,0 +1,55 @@
+---
+apiVersion: elasticsearch.k8s.elastic.co/v1
+kind: Elasticsearch
+metadata:
+  name: elasticsearch
+  namespace: elastic-system
+spec:
+  version: 8.15.2
+  http:
+    tls:
+      certificate:
+        secretName: elasticsearch-es-http-tls-internal
+  nodeSets:
+  - name: master
+    count: 3
+    podTemplate:
+      spec:
+        containers:
+        - name: elasticsearch
+          resources:
+            limits:
+              memory: 8Gi
+    volumeClaimTemplates:
+    - metadata:
+        name: elasticsearch-data
+      spec:
+        accessModes:
+        - ReadWriteOnce
+        resources:
+          requests:
+            storage: 10Gi
+        storageClassName: longhorn
+    config:
+      node.roles: ["master"]
+  - name: data
+    count: 3
+    podTemplate:
+      spec:
+        containers:
+        - name: elasticsearch
+          resources:
+            limits:
+              memory: 8Gi
+    volumeClaimTemplates:
+    - metadata:
+        name: elasticsearch-data
+      spec:
+        accessModes:
+        - ReadWriteOnce
+        resources:
+          requests:
+            storage: 50Gi
+        storageClassName: longhorn
+    config:
+      node.roles: ["data", "ingest"]

elasticsearch/kibana.yaml

@@ -0,0 +1,16 @@
+---
+apiVersion: kibana.k8s.elastic.co/v1beta1
+kind: Kibana
+metadata:
+  name: kibana
+  namespace: elastic-system
+spec:
+  version: 8.15.2
+  count: 1
+  elasticsearchRef:
+    name: elasticsearch
+  http:
+    tls:
+      certificate:
+        secretName: kibana-kb-http-tls-internal
+

gaming-services/minecraft/index.ts

@@ -3,8 +3,8 @@ import { TerraformStack } from "cdktf";
 import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
 import { NamespaceV1 } from "@cdktf/provider-kubernetes/lib/namespace-v1";
 import { OnePasswordSecret } from "../../utils";
-import { TerraFirmaGreg } from "./tfg";
-import { GTNH } from "./gtnh";
+// import { TerraFirmaGreg } from "./tfg";
+// import { GTNH } from "./gtnh";
 
 export class GamingServices extends TerraformStack {
   constructor(scope: Construct, id: string) {
@@ -29,7 +29,7 @@ export class GamingServices extends TerraformStack {
       itemPath: "vaults/Lab/items/curseforge",
     });
 
-    new TerraFirmaGreg(this, "tfg", provider, namespace);
-    new GTNH(this, "gtnh", provider, namespace);
+    // new TerraFirmaGreg(this, "tfg", provider, namespace);
+    // new GTNH(this, "gtnh", provider, namespace);
   }
 }

gaming-services/minecraft/utils/index.ts

@@ -53,7 +53,7 @@ export class MinecraftServer extends Construct {
       },
       waitForRollout: false,
       spec: {
-        replicas: "1",
+        replicas: "0",
         serviceName: name,
         updateStrategy: [
           {
@@ -75,10 +75,6 @@ export class MinecraftServer extends Construct {
           {
             metadata: {
               name: `${name}-data`,
-              labels: {
-                "recurring-job.longhorn.io/source": "enabled",
-                "recurring-job.longhorn.io/daily-backup": "enabled",
-              },
             },
             spec: {
               accessModes: ["ReadWriteOnce"],

k8s-operators/index.ts

@@ -42,5 +42,14 @@ export class K8SOperators extends TerraformStack {
     });
 
     barman.node.addDependency(cnpg);
+
+    new Release(this, "elasticsearch", {
+      provider: helm,
+      repository: "https://helm.elastic.co",
+      chart: "eck-operator",
+      name: "elasticsearch",
+      namespace: "elastic-system",
+      createNamespace: true,
+    });
   }
 }

netbird/index.ts

@@ -91,7 +91,7 @@ export class Netbird extends TerraformStack {
       repository: "https://netbirdio.github.io/helms",
       chart: "netbird",
       values: [fs.readFileSync(path.join(__dirname, "values.yaml"), "utf8")],
-    });
+    }).importFrom("netbird/netbird");
 
     new OnePasswordSecret(this, "netbird-setup-key", {
       name: "netbird-setup-key",

network-security/index.ts

@@ -7,6 +7,7 @@ import {
   RateLimitMiddleware,
   IpAllowListMiddleware,
   IpAllowListMiddlewareTCP,
+  TLSOptions,
 } from "./traefik";
 import { ValkeyCluster } from "./valkey";
 import { InternalIngressRoute, PrivateCertificate } from "../utils";
@@ -67,6 +68,11 @@ export class NetworkSecurity extends TerraformStack {
       name: "rate-limit",
     });
 
+    new TLSOptions(this, "tls-options", {
+      provider: kubernetes,
+      namespace,
+    });
+
     new IpAllowListMiddleware(this, "internal-ip-allow-list", {
       provider: kubernetes,
       namespace,

network-security/traefik/index.ts

@@ -1,2 +1,3 @@
 export { RateLimitMiddleware } from "./rateLimit";
 export { IpAllowListMiddleware, IpAllowListMiddlewareTCP } from "./ipAllowList";
+export { TLSOptions } from "./tlsOpts";

network-security/traefik/tlsOpts.ts

@@ -0,0 +1,31 @@
+import { Construct } from "constructs";
+import { Manifest } from "@cdktf/provider-kubernetes/lib/manifest";
+import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
+
+export class TLSOptions extends Construct {
+  constructor(
+    scope: Construct,
+    id: string,
+    opts: { provider: KubernetesProvider; namespace: string },
+  ) {
+    super(scope, id);
+
+    const { provider, namespace } = opts;
+
+    new Manifest(this, "traefik-tls-options", {
+      provider,
+      manifest: {
+        apiVersion: "traefik.io/v1alpha1",
+        kind: "TLSOption",
+        metadata: {
+          namespace,
+          name: "tls-options",
+        },
+        spec: {
+          minVersion: "VersionTLS13",
+          sniStrict: true,
+        },
+      },
+    });
+  }
+}

utility-services/gitea/server/index.ts

@@ -79,7 +79,7 @@ export class GiteaServer extends Construct {
       match: "HostSNI(`*`)",
       entryPoint: "ssh",
       serviceName: `${name}-ssh`,
-      servicePort: 22,
+      servicePort: 2222,
     });
 
     new PublicIngressRoute(this, "http-ingress", {

utility-services/gitea/server/values.yaml

@@ -12,6 +12,7 @@ service:
   ssh:
     annotations:
       metallb.universe.tf/allow-shared-ip: gitea
+    port: 2222
 ingress:
   enabled: false
 gitea:
@@ -40,7 +41,7 @@ gitea:
       SSH_DOMAIN: git.dogar.dev
       DISABLE_SSH: false
       SSH_LISTEN_PORT: 2222
-      SSH_PORT: 22
+      SSH_PORT: 2222
     database:
       DB_TYPE: postgres
       HOST: postgres-cluster-rw

utility-services/index.ts

@@ -8,6 +8,7 @@ import { GiteaRunner, GiteaServer } from "./gitea";
 import { AuthentikServer } from "./authentik";
 import { PostgresCluster } from "./postgres";
 import { DynamicDNS } from "./dynamic-dns";
+import { PublicIngressRoute } from "../utils";
 
 export class UtilityServices extends TerraformStack {
   constructor(scope: Construct, id: string) {
@@ -71,6 +72,8 @@ export class UtilityServices extends TerraformStack {
         "pip.dogar.dev",
         "npm.dogar.dev",
         "go.dogar.dev",
+        "elastic.dogar.dev",
+        "kibana.dogar.dev",
       ],
     });
 
@@ -114,5 +117,25 @@ export class UtilityServices extends TerraformStack {
       name: "gitea-runner",
       replicas: 3,
     });
+
+    new PublicIngressRoute(this, "elasticsearch", {
+      provider: kubernetes,
+      namespace: "elastic-system",
+      name: "elasticsearch",
+      host: "elastic.dogar.dev",
+      serviceName: "elasticsearch-es-http",
+      servicePort: 9200,
+      serviceProtocol: "https",
+    });
+
+    new PublicIngressRoute(this, "kibana", {
+      provider: kubernetes,
+      namespace: "elastic-system",
+      name: "kibana",
+      host: "kibana.dogar.dev",
+      serviceName: "kibana-kb-http",
+      servicePort: 5601,
+      serviceProtocol: "https",
+    });
   }
 }

utils/traefik/ingress/ingress.ts

@@ -110,6 +110,10 @@ export class IngressRoute extends Construct {
     if (opts.tlsSecretName) {
       spec.tls = {
         secretName: opts.tlsSecretName,
+        options: {
+          name: "tls-options",
+          namespace: "homelab",
+        },
       };
     }