shahab/homelab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: shahab:de09ffb189d57f1f510afcb12904f1671bb307df
Branches Tags
shahab:main
...
compare: shahab:main
Branches Tags
shahab:main

29 Commits
de09ffb189 ... main

Author SHA1 Message Date
Shahab Dogar
43f15c7957 feat: GoCache | deploy go package cache 2025-12-01 23:00:32 +05:00
Shahab Dogar
8dc22ff13b fix: RateLimit | increase rate limits for public usage 2025-12-01 18:44:29 +05:00
Shahab Dogar
69bdd52df6 feat: Netbird | set up netbird vpn 2025-11-29 13:20:50 +05:00
Shahab Dogar
2c57f8005d feat: MediaServices | add ingress for arr services 2025-11-29 13:20:31 +05:00
Shahab Dogar
33a8dcdaf2 fix: Traefik | abstract TLSOptions class 2025-11-29 13:20:10 +05:00
Shahab Dogar
ca8d140baf fix: Postgres | enable WAL archiver 2025-11-29 13:19:43 +05:00
Shahab Dogar
874f5e2dc2 fix: Gitea | fix internal tls cert 2025-11-29 13:19:33 +05:00
Shahab Dogar
ff2174205a feat: Traefik | add custom TLSOptions 2025-11-29 13:19:14 +05:00
Shahab Dogar
ad3478c48c sec: Traefik | disable ingressClass 2025-11-29 13:19:01 +05:00
Shahab Dogar
3f6f4550d1 chore: TFG | update to 0.11.8 2025-11-29 13:18:48 +05:00
Shahab Dogar
3c947c05ad feat: CertManager | update to latest version 
Also improve pki
 2025-11-29 13:18:34 +05:00
Shahab Dogar
a753fc0e1e fix: Utils | update public and internal cert algorithms 2025-11-24 22:08:49 +05:00
Shahab Dogar
d6c534378a chore: Minecraft | clean up old servers 2025-11-24 20:21:38 +05:00
Shahab Dogar
10ed028c4b feat: Jellyfin | enable server discovery 2025-11-24 20:20:25 +05:00
Shahab Dogar
b4e57b4f0c feat: MediaServices | deploy through cdktf 2025-11-24 12:14:27 +05:00
Shahab Dogar
d003c3f280 chore: Authentik | remove unused ingress values 2025-11-24 11:29:52 +05:00
Shahab Dogar
d75671f5dd fix: Ingress | simplify https infrastructure 2025-11-24 11:29:27 +05:00
Shahab Dogar
497331e585 feat: Minecraft | add StarTechnology server 2025-11-24 09:28:15 +05:00
Shahab Dogar
91720e6860 feat: Gitea | activate internal tls 2025-11-24 09:28:00 +05:00
Shahab Dogar
c53fe7b2d1 feat: Network | enable internal TLS 2025-11-24 09:27:48 +05:00
Shahab Dogar
bff4762e30 fix: Gitea | keep ssh ui enabled 2025-11-23 21:25:29 +05:00
Shahab Dogar
7aca7c5fe2 fix: Gitea | use gitea ssh server instead of built in ssh 2025-11-23 20:59:44 +05:00
Shahab Dogar
e1ce407b55 chore: Traefik | remove entrypoints not to be used 2025-11-23 18:19:48 +05:00
Shahab Dogar
92921568da chore: move types into project root 2025-11-23 15:33:45 +05:00
Shahab Dogar
a589671078 chore: MetalLB | move kustomize stuff into metallb dir 2025-11-23 15:33:33 +05:00
Shahab Dogar
c690ce72f5 chore: Minecraft | clean up old gtng manifests 2025-11-23 15:28:24 +05:00
Shahab Dogar
ac2153cce5 feat: GamingServices | add GTNH server 2025-11-23 15:24:45 +05:00
Shahab Dogar
78aa702fa0 chore: Minecraft | remove old TFG manifests 2025-11-23 15:20:01 +05:00
Shahab Dogar
56d1ad22ec fix: MinecraftServer | enable backups for pvcs 2025-11-23 15:19:50 +05:00
56 changed files with 2303 additions and 1254 deletions
Expand all files Collapse all files

41
cache-infrastructure/go/index.ts Normal file
View File

@@ -0,0 +1,41 @@
import * as fs from "fs";
import * as path from "path";
import { Release } from "@cdktf/provider-helm/lib/release";
import { Construct } from "constructs";
import { PublicIngressRoute } from "../../utils";
import { Providers } from "../../types";
type GoCacheOptions = {
providers: Providers;
namespace: string;
name: string;
host: string;
};
export class GoCache extends Construct {
constructor(scope: Construct, id: string, opts: GoCacheOptions) {
super(scope, id);
const { namespace, name, host } = opts;
const { helm, kubernetes } = opts.providers;
new Release(this, "helm-release", {
provider: helm,
name,
namespace,
repository: "https://gomods.github.io/athens-charts",
chart: "athens-proxy",
values: [fs.readFileSync(path.join(__dirname, "values.yaml"), "utf8")],
});
new PublicIngressRoute(this, "ingress", {
provider: kubernetes,
namespace,
name,
host,
serviceName: `${name}-athens-proxy`,
servicePort: 80,
});
}
}

20
cache-infrastructure/go/values.yaml Normal file
View File

@@ -0,0 +1,20 @@
replicaCount: 3
image:
runAsNonRoot: true
nodeSelector:
nodepool: worker
strategy:
type: Recreate
storage:
disk:
persistence:
enabled: true
accessMode: ReadWriteMany
size: 64Gi
storageClass: longhorn
configEnvVars:
- name: ATHENS_DOWNLOAD_MODE
value: "sync"
upstreamProxy:
enabled: true
url: "https://proxy.golang.org"

26
cache-infrastructure/index.ts
View File

@@ -5,15 +5,23 @@ import { NamespaceV1 } from "@cdktf/provider-kubernetes/lib/namespace-v1";
import { NixCache } from "./nix"; import { NixCache } from "./nix";
import { NpmCache } from "./npm"; import { NpmCache } from "./npm";
import { PipCache } from "./pip"; import { PipCache } from "./pip";
import { GoCache } from "./go";
import { HelmProvider } from "@cdktf/provider-helm/lib/provider";
export class CacheInfrastructure extends TerraformStack { export class CacheInfrastructure extends TerraformStack {
constructor(scope: Construct, id: string) { constructor(scope: Construct, id: string) {
super(scope, id); super(scope, id);
const provider = new KubernetesProvider(this, "kubernetes", { const kubernetes = new KubernetesProvider(this, "kubernetes", {
configPath: "~/.kube/config", configPath: "~/.kube/config",
}); });
const helm = new HelmProvider(this, "helm", {
kubernetes: {
configPath: "~/.kube/config",
},
});
const namespace = "package-cache"; const namespace = "package-cache";
new NamespaceV1(this, "package-cache-namespace", { new NamespaceV1(this, "package-cache-namespace", {
@@ -24,24 +32,34 @@ export class CacheInfrastructure extends TerraformStack {
// Add cache-related infrastructure components here // Add cache-related infrastructure components here
new NixCache(this, "nix-cache", { new NixCache(this, "nix-cache", {
provider, provider: kubernetes,
namespace, namespace,
name: "nix-cache", name: "nix-cache",
host: "nix.dogar.dev", host: "nix.dogar.dev",
}); });
new NpmCache(this, "npm-cache", { new NpmCache(this, "npm-cache", {
provider, provider: kubernetes,
namespace, namespace,
name: "npm-cache", name: "npm-cache",
host: "npm.dogar.dev", host: "npm.dogar.dev",
}); });
new PipCache(this, "pip-cache", { new PipCache(this, "pip-cache", {
provider, provider: kubernetes,
namespace, namespace,
name: "pip-cache", name: "pip-cache",
host: "pip.dogar.dev", host: "pip.dogar.dev",
}); });
new GoCache(this, "go-cache", {
providers: {
kubernetes,
helm,
},
namespace,
name: "go-cache",
host: "go.dogar.dev",
});
} }
} }

111
core-services/cert-manager/index.ts
View File

@@ -3,32 +3,23 @@ import * as path from "path";
import { HelmProvider } from "@cdktf/provider-helm/lib/provider"; import { HelmProvider } from "@cdktf/provider-helm/lib/provider";
import { Release } from "@cdktf/provider-helm/lib/release"; import { Release } from "@cdktf/provider-helm/lib/release";
import { Construct } from "constructs"; import { Construct } from "constructs";
import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
import { Manifest } from "@cdktf/provider-kubernetes/lib/manifest";
type CertManagerOptions = { type CertManagerOptions = {
providers: { provider: HelmProvider;
kubernetes: KubernetesProvider;
helm: HelmProvider;
};
version: string;
name: string; name: string;
namespace: string; namespace: string;
certManagerApiVersion: string;
}; };
export class CertManager extends Construct { export class CertManager extends Construct {
constructor(scope: Construct, id: string, options: CertManagerOptions) { constructor(scope: Construct, id: string, options: CertManagerOptions) {
super(scope, id); super(scope, id);
const { helm, kubernetes } = options.providers; const { namespace, name, provider } = options;
const { certManagerApiVersion } = options;
new Release(this, id, { new Release(this, id, {
provider: helm, provider,
name: options.name, name,
namespace: options.namespace, namespace,
version: options.version,
repository: "https://charts.jetstack.io", repository: "https://charts.jetstack.io",
chart: "cert-manager", chart: "cert-manager",
createNamespace: true, createNamespace: true,
@@ -38,97 +29,5 @@ export class CertManager extends Construct {
}), }),
], ],
}); });
// Self-signed ClusterIssuer for initial CA
new Manifest(this, "ca-issuer", {
provider: kubernetes,
manifest: {
apiVersion: certManagerApiVersion,
kind: "ClusterIssuer",
metadata: {
name: "ca-issuer",
},
spec: {
selfSigned: {},
},
},
});
// Self-signed CA Certificate
new Manifest(this, "selfsigned-ca", {
provider: kubernetes,
manifest: {
apiVersion: certManagerApiVersion,
kind: "Certificate",
metadata: {
name: "selfsigned-ca",
namespace: options.namespace,
},
spec: {
isCA: true,
commonName: "Shahab Dogar",
secretName: "root-secret",
privateKey: {
algorithm: "ECDSA",
size: 256,
},
issuerRef: {
name: "ca-issuer",
kind: "ClusterIssuer",
group: "cert-manager.io",
},
},
},
});
// CA-based ClusterIssuer
new Manifest(this, "cluster-issuer", {
provider: kubernetes,
manifest: {
apiVersion: certManagerApiVersion,
kind: "ClusterIssuer",
metadata: {
name: "cluster-issuer",
},
spec: {
ca: {
secretName: "root-secret",
},
},
},
});
// Cloudflare ACME ClusterIssuer
new Manifest(this, "cloudflare-issuer", {
provider: kubernetes,
manifest: {
apiVersion: certManagerApiVersion,
kind: "ClusterIssuer",
metadata: {
name: "cloudflare-issuer",
},
spec: {
acme: {
email: "shahab@dogar.dev",
server: "https://acme-v02.api.letsencrypt.org/directory",
privateKeySecretRef: {
name: "cloudflare-cluster-issuer-account-key",
},
solvers: [
{
dns01: {
cloudflare: {
apiTokenSecretRef: {
name: "cloudflare-token",
key: "token",
},
},
},
},
],
},
},
},
});
} }
} }

2
core-services/cert-manager/values.yaml
View File

@@ -1,6 +1,8 @@
crds: crds:
enabled: true enabled: true
keep: true
prometheus: prometheus:
enabled: true enabled: true
webhook: webhook:
timeoutSeconds: 4 timeoutSeconds: 4
enableCertificateOwnerRef: true

7
core-services/index.ts
View File

@@ -56,14 +56,9 @@ export class CoreServices extends TerraformStack {
}); });
new CertManager(this, "cert-manager", { new CertManager(this, "cert-manager", {
certManagerApiVersion: "cert-manager.io/v1", provider: helm,
name: "cert-manager", name: "cert-manager",
namespace, namespace,
version: "1.18.2",
providers: {
kubernetes,
helm,
},
}); });
} }
} }

0
kustomize/kustomization.yaml → core-services/metallb/kustomize/kustomization.yaml
View File

0
kustomize/metallb/pool.yaml → core-services/metallb/kustomize/metallb/pool.yaml
View File

24
core-services/traefik/values.yaml
View File

@@ -3,7 +3,7 @@ providers:
allowCrossNamespace: true allowCrossNamespace: true
ingress: ingress:
ingressClass: ingressClass:
enabled: true enabled: false
isDefaultClass: true isDefaultClass: true
name: traefik name: traefik
deployment: deployment:
@@ -24,11 +24,9 @@ topologySpreadConstraints:
app: traefik app: traefik
additionalArguments: additionalArguments:
- "--entryPoints.ssh.address=:22/tcp" - "--entryPoints.ssh.address=:22/tcp"
- "--entryPoints.minecraft-monifactory.address=:25565/tcp"
- "--entryPoints.minecraft-gtnh.address=:25566/tcp" - "--entryPoints.minecraft-gtnh.address=:25566/tcp"
- "--entryPoints.minecraft-tfg.address=:25567/tcp" - "--entryPoints.minecraft-tfg.address=:25567/tcp"
- "--entryPoints.minecraft-atm10.address=:25568/tcp" - "--entryPoints.minecraft-star-technology.address=:25568/tcp"
- "--entryPoints.minecraft-star-technology.address=:25569/tcp"
ports: ports:
ssh: ssh:
name: ssh name: ssh
@@ -37,13 +35,6 @@ ports:
expose: expose:
default: true default: true
protocol: TCP protocol: TCP
minecraft-monifactory:
name: minecraft-monifactory
port: 25565
exposedPort: 25565
expose:
default: true
protocol: TCP
minecraft-gtnh: minecraft-gtnh:
name: minecraft-gtnh name: minecraft-gtnh
port: 25566 port: 25566
@@ -58,17 +49,10 @@ ports:
expose: expose:
default: true default: true
protocol: TCP protocol: TCP
minecraft-atm10: minecraft-star-technology:
name: minecraft-atm10 name: minecraft-star-technology
port: 25568 port: 25568
exposedPort: 25568 exposedPort: 25568
expose: expose:
default: true default: true
protocol: TCP protocol: TCP
minecraft-star-technology:
name: minecraft-star-technology
port: 25569
exposedPort: 25569
expose:
default: true
protocol: TCP

77
gaming-services/minecraft/gtnh.ts Normal file
View File

@@ -0,0 +1,77 @@
import { Construct } from "constructs";
import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
import { MinecraftServer } from "./utils";
export class GTNH extends Construct {
constructor(
scope: Construct,
id: string,
provider: KubernetesProvider,
namespace: string,
) {
super(scope, id);
new MinecraftServer(this, "gtnh", {
provider,
namespace,
image: "itzg/minecraft-server:java25",
name: "gtnh",
env: [
{
name: "EULA",
value: "TRUE",
},
{
name: "MODE",
value: "survival",
},
{
name: "DIFFICULTY",
value: "easy",
},
{
name: "TYPE",
value: "CUSTOM",
},
{
name: "GENERIC_PACKS",
value: "GT_New_Horizons_2.8.0_Server_Java_17-25",
},
{
name: "GENERIC_PACKS_SUFFIX",
value: ".zip",
},
{
name: "GENERIC_PACKS_PREFIX",
value: "https://downloads.gtnewhorizons.com/ServerPacks/",
},
{
name: "SKIP_GENERIC_PACK_UPDATE_CHECK",
value: "true",
},
{
name: "MEMORY",
value: "12G",
},
{
name: "JVM_OPTS",
value:
"-Dfml.readTimeout=180 -Dfml.queryResult=confirm @java9args.txt",
},
{
name: "CUSTOM_JAR_EXEC",
value: "-jar lwjgl3ify-forgePatches.jar nogui",
},
{
name: "ALLOW_FLIGHT",
value: "TRUE",
},
{
name: "ENABLE_ROLLING_LOGS",
value: "TRUE",
},
],
});
}
}

4
gaming-services/minecraft/index.ts
View File

@@ -4,6 +4,8 @@ import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
import { NamespaceV1 } from "@cdktf/provider-kubernetes/lib/namespace-v1"; import { NamespaceV1 } from "@cdktf/provider-kubernetes/lib/namespace-v1";
import { OnePasswordSecret } from "../../utils"; import { OnePasswordSecret } from "../../utils";
import { TerraFirmaGreg } from "./tfg"; import { TerraFirmaGreg } from "./tfg";
import { GTNH } from "./gtnh";
import { StarTechnology } from "./star-technology";
export class GamingServices extends TerraformStack { export class GamingServices extends TerraformStack {
constructor(scope: Construct, id: string) { constructor(scope: Construct, id: string) {
@@ -29,5 +31,7 @@ export class GamingServices extends TerraformStack {
}); });
new TerraFirmaGreg(this, "tfg", provider, namespace); new TerraFirmaGreg(this, "tfg", provider, namespace);
new GTNH(this, "gtnh", provider, namespace);
new StarTechnology(this, "star-technology", provider, namespace);
} }
} }

74
gaming-services/minecraft/star-technology.ts Normal file
View File

@@ -0,0 +1,74 @@
import { Construct } from "constructs";
import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
import { MinecraftServer } from "./utils";
export class StarTechnology extends Construct {
constructor(
scope: Construct,
id: string,
provider: KubernetesProvider,
namespace: string,
) {
super(scope, id);
new MinecraftServer(this, "star-technology", {
provider,
namespace,
image: "itzg/minecraft-server:java21",
name: "star-technology",
env: [
{
name: "EULA",
value: "TRUE",
},
{
name: "MODE",
value: "survival",
},
{
name: "MODPACK_PLATFORM",
value: "AUTO_CURSEFORGE",
},
{
name: "CF_API_KEY",
valueFrom: {
secretKeyRef: {
name: "curseforge",
key: "credential",
},
},
},
{
name: "CF_PAGE_URL",
value:
"https://www.curseforge.com/minecraft/modpacks/star-technology",
},
{
name: "VERSION",
value: "1.20.1",
},
{
name: "INIT_MEMORY",
value: "2G",
},
{
name: "MAX_MEMORY",
value: "12G",
},
{
name: "ALLOW_FLIGHT",
value: "TRUE",
},
{
name: "ENABLE_ROLLING_LOGS",
value: "TRUE",
},
{
name: "USE_MEOWICE_FLAGS",
value: "TRUE",
},
],
});
}
}

2
gaming-services/minecraft/tfg.ts
View File

@@ -46,7 +46,7 @@ export class TerraFirmaGreg extends Construct {
}, },
{ {
name: "CF_FILENAME_MATCHER", name: "CF_FILENAME_MATCHER",
value: "0.10.17", value: "0.11.8",
}, },
{ {
name: "VERSION", name: "VERSION",

4
gaming-services/minecraft/utils/index.ts
View File

@@ -75,6 +75,10 @@ export class MinecraftServer extends Construct {
{ {
metadata: { metadata: {
name: `${name}-data`, name: `${name}-data`,
labels: {
"recurring-job.longhorn.io/source": "enabled",
"recurring-job.longhorn.io/daily-backup": "enabled",
},
}, },
spec: { spec: {
accessModes: ["ReadWriteOnce"], accessModes: ["ReadWriteOnce"],

21
main.ts
View File

@@ -7,6 +7,9 @@ import { K8SOperators } from "./k8s-operators";
import { CoreServices } from "./core-services"; import { CoreServices } from "./core-services";
import { NetworkSecurity } from "./network-security"; import { NetworkSecurity } from "./network-security";
import { GamingServices } from "./gaming-services/minecraft"; import { GamingServices } from "./gaming-services/minecraft";
import { MediaServices } from "./media-services";
import { PKI } from "./pki";
import { Netbird } from "./netbird";
dotenv.config(); dotenv.config();
@@ -26,17 +29,26 @@ const coreServices = new CoreServices(app, "core-services");
const k8sOperators = new K8SOperators(app, "k8s-operators"); const k8sOperators = new K8SOperators(app, "k8s-operators");
k8sOperators.node.addDependency(coreServices); k8sOperators.node.addDependency(coreServices);
const pki = new PKI(app, "pki");
pki.node.addDependency(k8sOperators);
const networkSecurity = new NetworkSecurity(app, "network-security"); const networkSecurity = new NetworkSecurity(app, "network-security");
networkSecurity.node.addDependency(k8sOperators); networkSecurity.node.addDependency(pki);
const utilityServices = new UtilityServices(app, "utility-services"); const utilityServices = new UtilityServices(app, "utility-services");
utilityServices.node.addDependency(networkSecurity); utilityServices.node.addDependency(networkSecurity);
const gamingServices = new GamingServices(app, "gaming-services");
gamingServices.node.addDependency(networkSecurity);
const mediaServices = new MediaServices(app, "media-services");
mediaServices.node.addDependency(networkSecurity);
const caches = new CacheInfrastructure(app, "cache-infrastructure"); const caches = new CacheInfrastructure(app, "cache-infrastructure");
caches.node.addDependency(utilityServices); caches.node.addDependency(utilityServices);
const gamingServices = new GamingServices(app, "gaming-services"); const netbird = new Netbird(app, "netbird");
gamingServices.node.addDependency(networkSecurity); netbird.node.addDependency(utilityServices);
const deploy: (stack: TerraformStack, key: string) => S3Backend = ( const deploy: (stack: TerraformStack, key: string) => S3Backend = (
stack, stack,
@@ -61,9 +73,12 @@ const deploy: (stack: TerraformStack, key: string) => S3Backend = (
deploy(coreServices, "core-services"); deploy(coreServices, "core-services");
deploy(k8sOperators, "k8s-operators"); deploy(k8sOperators, "k8s-operators");
deploy(pki, "pki");
deploy(networkSecurity, "network-security"); deploy(networkSecurity, "network-security");
deploy(utilityServices, "utility-services"); deploy(utilityServices, "utility-services");
deploy(caches, "cache-infrastructure"); deploy(caches, "cache-infrastructure");
deploy(gamingServices, "gaming-services"); deploy(gamingServices, "gaming-services");
deploy(mediaServices, "media-services");
deploy(netbird, "netbird");
app.synth(); app.synth();

82
media-services/index.ts Normal file
View File

@@ -0,0 +1,82 @@
import { Construct } from "constructs";
import { TerraformStack } from "cdktf";
import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
import { NamespaceV1 } from "@cdktf/provider-kubernetes/lib/namespace-v1";
import { LonghornPvc } from "../utils";
import { JellyfinServer } from "./jellyfin";
import { SonarrServer } from "./sonarr";
import { RadarrServer } from "./radarr";
import { QBittorrentServer } from "./qbittorrent";
import { ProwlarrServer } from "./prowlarr";
export class MediaServices extends TerraformStack {
constructor(scope: Construct, id: string) {
super(scope, id);
const provider = new KubernetesProvider(this, "kubernetes", {
configPath: "~/.kube/config",
});
const namespace = "media";
// Create namespace
new NamespaceV1(this, "namespace", {
metadata: {
name: namespace,
},
});
// Shared PVCs
const mediaPvc = new LonghornPvc(this, "media-pvc", {
provider,
name: "media",
namespace,
size: "1Ti",
});
const downloadsPvc = new LonghornPvc(this, "downloads-pvc", {
provider,
name: "downloads",
namespace,
size: "450Gi",
});
// Deploy media services
new JellyfinServer(this, "jellyfin", {
provider,
namespace,
mediaPvcName: mediaPvc.name,
host: "media.dogar.dev",
});
new SonarrServer(this, "sonarr", {
provider,
namespace,
mediaPvcName: mediaPvc.name,
downloadsPvcName: downloadsPvc.name,
host: "sonarr.dogar.dev",
});
new RadarrServer(this, "radarr", {
provider,
namespace,
mediaPvcName: mediaPvc.name,
downloadsPvcName: downloadsPvc.name,
host: "radarr.dogar.dev",
});
new QBittorrentServer(this, "qbittorrent", {
provider,
namespace,
downloadsPvcName: downloadsPvc.name,
host: "torrent.dogar.dev",
});
new ProwlarrServer(this, "prowlarr", {
provider,
namespace,
host: "prowlarr.dogar.dev",
});
}
}

163
media-services/jellyfin/index.ts Normal file
View File

@@ -0,0 +1,163 @@
import { Construct } from "constructs";
import { DeploymentV1 } from "@cdktf/provider-kubernetes/lib/deployment-v1";
import { ServiceV1 } from "@cdktf/provider-kubernetes/lib/service-v1";
import {
CloudflareCertificate,
InternalIngressRoute,
LonghornPvc,
} from "../../utils";
import { BaseMediaServiceOptions, getAamil3NodeSelector } from "../types";
type JellyfinServerOptions = BaseMediaServiceOptions & {
/** Name of the shared media PVC */
mediaPvcName: string;
/** Hostname for the ingress */
host: string;
};
export class JellyfinServer extends Construct {
constructor(scope: Construct, id: string, options: JellyfinServerOptions) {
super(scope, id);
const { provider, namespace, mediaPvcName, host } = options;
const name = "server";
// Config PVC with backup
const configPvc = new LonghornPvc(this, "config", {
provider,
name: "jellyfin-config",
namespace,
size: "5Gi",
backup: true,
});
// Service
new ServiceV1(this, "service", {
provider,
metadata: {
name,
namespace,
},
spec: {
selector: {
app: name,
},
port: [
{
name: "http",
port: 80,
targetPort: "http",
},
{
name: "discovery",
port: 7359,
targetPort: "discovery",
},
],
type: "LoadBalancer",
},
});
// Deployment
new DeploymentV1(this, "deployment", {
provider,
metadata: {
name,
namespace,
},
spec: {
replicas: "1",
selector: {
matchLabels: {
app: name,
},
},
template: {
metadata: {
labels: {
app: name,
},
},
spec: {
nodeSelector: getAamil3NodeSelector(),
container: [
{
name,
image: "jellyfin/jellyfin:latest",
imagePullPolicy: "IfNotPresent",
port: [
{
containerPort: 8096,
name: "http",
},
{
containerPort: 7359,
name: "discovery",
},
],
env: [
{
name: "TZ",
value: "Asia/Karachi",
},
],
volumeMount: [
{
name: "config",
mountPath: "/config",
},
{
name: "cache",
mountPath: "/cache",
},
{
name: "media",
mountPath: "/media",
},
],
},
],
volume: [
{
name: "config",
persistentVolumeClaim: {
claimName: configPvc.name,
},
},
{
name: "cache",
emptyDir: {},
},
{
name: "media",
persistentVolumeClaim: {
claimName: mediaPvcName,
},
},
],
},
},
},
});
new CloudflareCertificate(this, "certificate", {
provider,
namespace,
name,
secretName: "jellyfin-tls",
dnsNames: [host],
});
// Ingress - using internal ingress for secure access
new InternalIngressRoute(this, "ingress", {
provider,
namespace,
name,
host,
serviceName: name,
servicePort: 80,
tlsSecretName: "jellyfin-tls",
});
}
}

134
media-services/prowlarr/index.ts Normal file
View File

@@ -0,0 +1,134 @@
import { Construct } from "constructs";
import { DeploymentV1 } from "@cdktf/provider-kubernetes/lib/deployment-v1";
import { ServiceV1 } from "@cdktf/provider-kubernetes/lib/service-v1";
import {
InternalIngressRoute,
LonghornPvc,
PrivateCertificate,
} from "../../utils";
import {
BaseMediaServiceOptions,
getWorkerNodeSelector,
getCommonEnv,
} from "../types";
type ProwlarrOptions = BaseMediaServiceOptions & {
/** Hostname for the ingress */
host: string;
};
export class ProwlarrServer extends Construct {
constructor(scope: Construct, id: string, options: ProwlarrOptions) {
super(scope, id);
const { provider, namespace, host } = options;
const name = "prowlarr";
// Config PVC with backup
const configPvc = new LonghornPvc(this, "config", {
provider,
name: "prowlarr-config",
namespace,
size: "512Mi",
backup: true,
});
// Service
new ServiceV1(this, "service", {
provider,
metadata: {
name,
namespace,
},
spec: {
selector: {
app: name,
},
port: [
{
name: "http",
port: 80,
targetPort: "9696",
},
],
type: "ClusterIP",
},
});
// Deployment
new DeploymentV1(this, "deployment", {
provider,
metadata: {
name,
namespace,
},
spec: {
replicas: "1",
selector: {
matchLabels: {
app: name,
},
},
template: {
metadata: {
labels: {
app: name,
},
},
spec: {
nodeSelector: getWorkerNodeSelector(),
container: [
{
name,
image: "lscr.io/linuxserver/prowlarr:latest",
imagePullPolicy: "IfNotPresent",
port: [
{
containerPort: 9696,
name: "http",
},
],
env: getCommonEnv(),
volumeMount: [
{
name: "config",
mountPath: "/config",
},
],
},
],
volume: [
{
name: "config",
persistentVolumeClaim: {
claimName: configPvc.name,
},
},
],
},
},
},
});
new PrivateCertificate(this, "certificate", {
provider,
namespace,
name,
commonName: host,
dnsNames: [host],
secretName: `${name}-tls`,
});
// Ingress
new InternalIngressRoute(this, "ingress", {
provider,
namespace,
name,
host,
serviceName: name,
servicePort: 80,
tlsSecretName: `${name}-tls`,
});
}
}

160
media-services/qbittorrent/index.ts Normal file
View File

@@ -0,0 +1,160 @@
import { Construct } from "constructs";
import { DeploymentV1 } from "@cdktf/provider-kubernetes/lib/deployment-v1";
import { ServiceV1 } from "@cdktf/provider-kubernetes/lib/service-v1";
import {
InternalIngressRoute,
LonghornPvc,
PrivateCertificate,
} from "../../utils";
import {
BaseMediaServiceOptions,
getAamil3NodeSelector,
getCommonEnv,
} from "../types";
type QBittorrentServerOptions = BaseMediaServiceOptions & {
/** Name of the shared downloads PVC */
downloadsPvcName: string;
/** Hostname for the ingress */
host: string;
};
export class QBittorrentServer extends Construct {
constructor(scope: Construct, id: string, options: QBittorrentServerOptions) {
super(scope, id);
const { provider, namespace, downloadsPvcName, host } = options;
const name = "qbittorrent";
// Config PVC with backup
const configPvc = new LonghornPvc(this, "config", {
provider,
name: "qbittorrent-config",
namespace,
size: "512Mi",
backup: true,
});
// Service
new ServiceV1(this, "service", {
provider,
metadata: {
name,
namespace,
},
spec: {
selector: {
app: name,
},
port: [
{
name: "http",
port: 80,
targetPort: "8080",
},
],
type: "ClusterIP",
},
});
// Deployment
new DeploymentV1(this, "deployment", {
provider,
metadata: {
name,
namespace,
},
spec: {
replicas: "1",
selector: {
matchLabels: {
app: name,
},
},
template: {
metadata: {
labels: {
app: name,
},
},
spec: {
nodeSelector: getAamil3NodeSelector(),
container: [
{
name,
image: "lscr.io/linuxserver/qbittorrent:latest",
port: [
{
containerPort: 8080,
name: "http",
},
{
containerPort: 6881,
name: "bt",
},
{
containerPort: 6881,
protocol: "UDP",
name: "bt-udp",
},
],
env: [
...getCommonEnv(),
{
name: "WEBUI_PORT",
value: "8080",
},
],
volumeMount: [
{
name: "config",
mountPath: "/config",
},
{
name: "downloads",
mountPath: "/downloads",
},
],
},
],
volume: [
{
name: "config",
persistentVolumeClaim: {
claimName: configPvc.name,
},
},
{
name: "downloads",
persistentVolumeClaim: {
claimName: downloadsPvcName,
},
},
],
},
},
},
});
new PrivateCertificate(this, "certificate", {
provider,
namespace,
name,
commonName: host,
dnsNames: [host],
secretName: `${name}-tls`,
});
// Ingress
new InternalIngressRoute(this, "ingress", {
provider,
namespace,
name,
host,
serviceName: name,
servicePort: 80,
tlsSecretName: `${name}-tls`,
});
}
}

159
media-services/radarr/index.ts Normal file
View File

@@ -0,0 +1,159 @@
import { Construct } from "constructs";
import { DeploymentV1 } from "@cdktf/provider-kubernetes/lib/deployment-v1";
import { ServiceV1 } from "@cdktf/provider-kubernetes/lib/service-v1";
import {
InternalIngressRoute,
LonghornPvc,
PrivateCertificate,
} from "../../utils";
import {
BaseMediaServiceOptions,
getAamil3NodeSelector,
getCommonEnv,
} from "../types";
type RadarrServerOptions = BaseMediaServiceOptions & {
/** Name of the shared media PVC */
mediaPvcName: string;
/** Name of the shared downloads PVC */
downloadsPvcName: string;
/** Hostname for the ingress */
host: string;
};
export class RadarrServer extends Construct {
constructor(scope: Construct, id: string, options: RadarrServerOptions) {
super(scope, id);
const { provider, namespace, mediaPvcName, downloadsPvcName, host } =
options;
const name = "radarr";
// Config PVC with backup
const configPvc = new LonghornPvc(this, "config", {
provider,
name: "radarr-config",
namespace,
size: "512Mi",
backup: true,
});
// Service
new ServiceV1(this, "service", {
provider,
metadata: {
name,
namespace,
},
spec: {
selector: {
app: name,
},
port: [
{
name: "http",
port: 80,
targetPort: "7878",
},
],
type: "ClusterIP",
},
});
// Deployment
new DeploymentV1(this, "deployment", {
provider,
metadata: {
name,
namespace,
},
spec: {
replicas: "1",
selector: {
matchLabels: {
app: name,
},
},
template: {
metadata: {
labels: {
app: name,
},
},
spec: {
nodeSelector: getAamil3NodeSelector(),
container: [
{
name,
image: "lscr.io/linuxserver/radarr:latest",
imagePullPolicy: "IfNotPresent",
port: [
{
containerPort: 7878,
name: "http",
},
],
env: getCommonEnv(),
volumeMount: [
{
name: "config",
mountPath: "/config",
},
{
name: "media",
mountPath: "/media",
},
{
name: "downloads",
mountPath: "/downloads",
},
],
},
],
volume: [
{
name: "config",
persistentVolumeClaim: {
claimName: configPvc.name,
},
},
{
name: "media",
persistentVolumeClaim: {
claimName: mediaPvcName,
},
},
{
name: "downloads",
persistentVolumeClaim: {
claimName: downloadsPvcName,
},
},
],
},
},
},
});
new PrivateCertificate(this, "certificate", {
provider,
namespace,
name,
commonName: host,
dnsNames: [host],
secretName: `${name}-tls`,
});
// Ingress
new InternalIngressRoute(this, "ingress", {
provider,
namespace,
name,
host,
serviceName: name,
servicePort: 80,
tlsSecretName: `${name}-tls`,
});
}
}

159
media-services/sonarr/index.ts Normal file
View File

@@ -0,0 +1,159 @@
import { Construct } from "constructs";
import { DeploymentV1 } from "@cdktf/provider-kubernetes/lib/deployment-v1";
import { ServiceV1 } from "@cdktf/provider-kubernetes/lib/service-v1";
import {
InternalIngressRoute,
LonghornPvc,
PrivateCertificate,
} from "../../utils";
import {
BaseMediaServiceOptions,
getAamil3NodeSelector,
getCommonEnv,
} from "../types";
type SonarrServerOptions = BaseMediaServiceOptions & {
/** Name of the shared media PVC */
mediaPvcName: string;
/** Name of the shared downloads PVC */
downloadsPvcName: string;
/** Hostname for the ingress */
host: string;
};
export class SonarrServer extends Construct {
constructor(scope: Construct, id: string, options: SonarrServerOptions) {
super(scope, id);
const { provider, namespace, mediaPvcName, downloadsPvcName, host } =
options;
const name = "sonarr";
// Config PVC with backup
const configPvc = new LonghornPvc(this, "config", {
provider,
name: "sonarr-config",
namespace,
size: "512Mi",
backup: true,
});
// Service
new ServiceV1(this, "service", {
provider,
metadata: {
name,
namespace,
},
spec: {
selector: {
app: name,
},
port: [
{
name: "http",
port: 80,
targetPort: "8989",
},
],
type: "ClusterIP",
},
});
// Deployment
new DeploymentV1(this, "deployment", {
provider,
metadata: {
name,
namespace,
},
spec: {
replicas: "1",
selector: {
matchLabels: {
app: name,
},
},
template: {
metadata: {
labels: {
app: name,
},
},
spec: {
nodeSelector: getAamil3NodeSelector(),
container: [
{
name,
image: "lscr.io/linuxserver/sonarr:latest",
imagePullPolicy: "IfNotPresent",
port: [
{
containerPort: 8989,
name: "http",
},
],
env: getCommonEnv(),
volumeMount: [
{
name: "config",
mountPath: "/config",
},
{
name: "media",
mountPath: "/media",
},
{
name: "downloads",
mountPath: "/downloads",
},
],
},
],
volume: [
{
name: "config",
persistentVolumeClaim: {
claimName: configPvc.name,
},
},
{
name: "media",
persistentVolumeClaim: {
claimName: mediaPvcName,
},
},
{
name: "downloads",
persistentVolumeClaim: {
claimName: downloadsPvcName,
},
},
],
},
},
},
});
new PrivateCertificate(this, "certificate", {
provider,
namespace,
name,
commonName: host,
dnsNames: [host],
secretName: `${name}-tls`,
});
// Ingress
new InternalIngressRoute(this, "ingress", {
provider,
namespace,
name,
host,
serviceName: name,
servicePort: 80,
tlsSecretName: `${name}-tls`,
});
}
}

32
media-services/types.ts Normal file
View File

@@ -0,0 +1,32 @@
import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
/**
* Common options shared across all media service constructs
*/
export type BaseMediaServiceOptions = {
provider: KubernetesProvider;
namespace: string;
};
/**
* Common environment variables for LinuxServer.io containers
*/
export const getCommonEnv = () => [
{ name: "TZ", value: "Asia/Karachi" },
{ name: "PUID", value: "1000" },
{ name: "PGID", value: "1000" },
];
/**
* Node selector for the aamil-3 node
*/
export const getAamil3NodeSelector = () => ({
"kubernetes.io/hostname": "aamil-3",
});
/**
* Node selector for worker nodepool
*/
export const getWorkerNodeSelector = () => ({
nodepool: "worker",
});

231
media/deployment.yaml
View File

@@ -1,231 +0,0 @@
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: server
namespace: media
spec:
replicas: 1
selector:
matchLabels:
app: server
template:
metadata:
labels:
app: server
spec:
nodeSelector:
kubernetes.io/hostname: aamil-3
containers:
- name: server
image: jellyfin/jellyfin:latest
imagePullPolicy: IfNotPresent
ports:
- containerPort: 8096
name: http
env:
- name: TZ
value: "Asia/Karachi"
volumeMounts:
- name: config
mountPath: /config
- name: cache
mountPath: /cache
- name: media
mountPath: /media
volumes:
- name: config
persistentVolumeClaim:
claimName: jellyfin-config
- name: cache
emptyDir: {}
- name: media
persistentVolumeClaim:
claimName: media
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: sonarr
namespace: media
spec:
replicas: 1
selector:
matchLabels:
app: sonarr
template:
metadata:
labels:
app: sonarr
spec:
nodeSelector:
kubernetes.io/hostname: aamil-3
containers:
- name: sonarr
image: lscr.io/linuxserver/sonarr:latest
imagePullPolicy: IfNotPresent
ports:
- containerPort: 8989
name: http
env:
- name: TZ
value: "Asia/Karachi"
- name: PUID
value: "1000"
- name: PGID
value: "1000"
volumeMounts:
- name: config
mountPath: /config
- name: media
mountPath: /media
- name: downloads
mountPath: /downloads
volumes:
- name: config
persistentVolumeClaim:
claimName: sonarr-config
- name: media
persistentVolumeClaim:
claimName: media
- name: downloads
persistentVolumeClaim:
claimName: downloads
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: qbittorrent
namespace: media
spec:
replicas: 1
selector:
matchLabels:
app: qbittorrent
template:
metadata:
labels:
app: qbittorrent
spec:
nodeSelector:
kubernetes.io/hostname: aamil-3
containers:
- name: qbittorrent
image: lscr.io/linuxserver/qbittorrent:latest
ports:
- containerPort: 8080 # web UI
name: http
- containerPort: 6881
name: bt
- containerPort: 6881
protocol: UDP
name: bt-udp
env:
- name: TZ
value: "Asia/Karachi"
- name: PUID
value: "1000"
- name: PGID
value: "1000"
- name: WEBUI_PORT
value: "8080"
volumeMounts:
- name: config
mountPath: /config
- name: downloads
mountPath: /downloads
volumes:
- name: config
persistentVolumeClaim:
claimName: qbittorrent-config
- name: downloads
persistentVolumeClaim:
claimName: downloads
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: prowlarr
namespace: media
spec:
replicas: 1
selector:
matchLabels:
app: prowlarr
template:
metadata:
labels:
app: prowlarr
spec:
nodeSelector:
nodepool: worker
containers:
- name: prowlarr
image: lscr.io/linuxserver/prowlarr:latest
imagePullPolicy: IfNotPresent
ports:
- containerPort: 9696
name: http
env:
- name: TZ
value: "Asia/Karachi"
- name: PUID
value: "1000"
- name: PGID
value: "1000"
volumeMounts:
- name: config
mountPath: /config
volumes:
- name: config
persistentVolumeClaim:
claimName: prowlarr-config
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: radarr
namespace: media
spec:
replicas: 1
selector:
matchLabels:
app: radarr
template:
metadata:
labels:
app: radarr
spec:
nodeSelector:
kubernetes.io/hostname: aamil-3
containers:
- name: radarr
image: lscr.io/linuxserver/radarr:latest
imagePullPolicy: IfNotPresent
ports:
- containerPort: 7878
name: http
env:
- name: TZ
value: "Asia/Karachi"
- name: PUID
value: "1000"
- name: PGID
value: "1000"
volumeMounts:
- name: config
mountPath: /config
- name: media
mountPath: /media
- name: downloads
mountPath: /downloads
volumes:
- name: config
persistentVolumeClaim:
claimName: radarr-config
- name: media
persistentVolumeClaim:
claimName: media
- name: downloads
persistentVolumeClaim:
claimName: downloads

76
media/ingress.yaml
View File

@@ -1,76 +0,0 @@
---
apiVersion: networking.k8s.io/v1
kind: Ingress
metadata:
name: server
namespace: media
annotations:
# cert-manager (Cloudflare DNS-01)
cert-manager.io/cluster-issuer: cloudflare-issuer
cert-manager.io/acme-challenge-type: dns01
cert-manager.io/private-key-size: "4096"
# Jellyfin / streaming friendly nginx settings
nginx.ingress.kubernetes.io/proxy-body-size: "0"
nginx.ingress.kubernetes.io/proxy-buffering: "off"
nginx.ingress.kubernetes.io/proxy-read-timeout: "3600"
nginx.ingress.kubernetes.io/proxy-send-timeout: "3600"
nginx.ingress.kubernetes.io/proxy-http-version: "1.1"
nginx.ingress.kubernetes.io/use-proxy-protocol: "false"
nginx.ingress.kubernetes.io/proxy-request-buffering: "off"
spec:
ingressClassName: nginx-internal
tls:
- hosts:
- media.dogar.dev
secretName: media-tls
- hosts:
- sonarr.dogar.dev
secretName: sonarr-tls
- hosts:
- radarr.dogar.dev
secretName: radarr-tls
- hosts:
- torrent.dogar.dev
secretName: torrent-tls
rules:
- host: media.dogar.dev
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: server
port:
number: 80
- host: sonarr.dogar.dev
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: sonarr
port:
number: 80
- host: radarr.dogar.dev
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: radarr
port:
number: 80
- host: torrent.dogar.dev
http:
paths:
- path: /
pathType: Prefix
backend:
service:
name: qbittorrent
port:
number: 80

5
media/namespace.yaml
View File

@@ -1,5 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: media

106
media/pvc.yaml
View File

@@ -1,106 +0,0 @@
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: jellyfin-config
namespace: media
labels:
recurring-job.longhorn.io/source: "enabled"
recurring-job.longhorn.io/daily-backup: "enabled"
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 5Gi
storageClassName: longhorn
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: media
namespace: media
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Ti
storageClassName: longhorn
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: sonarr-config
namespace: media
labels:
recurring-job.longhorn.io/source: "enabled"
recurring-job.longhorn.io/daily-backup: "enabled"
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 512Mi
storageClassName: longhorn
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: qbittorrent-config
namespace: media
labels:
recurring-job.longhorn.io/source: "enabled"
recurring-job.longhorn.io/daily-backup: "enabled"
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 512Mi
storageClassName: longhorn
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: downloads
namespace: media
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 450Gi
storageClassName: longhorn
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: prowlarr-config
namespace: media
labels:
recurring-job.longhorn.io/source: "enabled"
recurring-job.longhorn.io/daily-backup: "enabled"
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 512Mi
storageClassName: longhorn
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: radarr-config
namespace: media
labels:
recurring-job.longhorn.io/source: "enabled"
recurring-job.longhorn.io/daily-backup: "enabled"
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 512Mi
storageClassName: longhorn

69
media/service.yaml
View File

@@ -1,69 +0,0 @@
---
apiVersion: v1
kind: Service
metadata:
name: server
namespace: media
spec:
selector:
app: server
ports:
- name: http
port: 80
targetPort: 8096
type: ClusterIP
---
apiVersion: v1
kind: Service
metadata:
name: sonarr
namespace: media
spec:
selector:
app: sonarr
ports:
- name: http
port: 80
targetPort: 8989
type: ClusterIP
---
apiVersion: v1
kind: Service
metadata:
name: qbittorrent
namespace: media
spec:
selector:
app: qbittorrent
ports:
- name: http
port: 80
targetPort: 8080
type: ClusterIP
---
apiVersion: v1
kind: Service
metadata:
name: prowlarr
namespace: media
spec:
selector:
app: prowlarr
ports:
- name: http
port: 80
targetPort: 9696
type: ClusterIP
---
apiVersion: v1
kind: Service
metadata:
name: radarr
namespace: media
spec:
selector:
app: radarr
ports:
- name: http
port: 80
targetPort: 7878

5
minecraft/namespace.yaml
View File

@@ -1,5 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: minecraft

55
minecraft/pvc.yaml
View File

@@ -1,45 +1,6 @@
--- ---
apiVersion: v1 apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
metadata:
name: monifactory-data
namespace: minecraft
spec:
storageClassName: longhorn
accessModes:
- ReadWriteMany
resources:
requests:
storage: 10Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: gtnh-data
namespace: minecraft
spec:
storageClassName: longhorn
accessModes:
- ReadWriteMany
resources:
requests:
storage: 10Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: tfg-data
namespace: minecraft
spec:
storageClassName: longhorn
accessModes:
- ReadWriteMany
resources:
requests:
storage: 10Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata: metadata:
name: atm10-data name: atm10-data
namespace: minecraft namespace: minecraft
@@ -53,19 +14,3 @@ spec:
resources: resources:
requests: requests:
storage: 10Gi storage: 10Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: star-technology-data
namespace: minecraft
labels:
recurring-job.longhorn.io/source: "enabled"
recurring-job.longhorn.io/daily-backup: "enabled"
spec:
storageClassName: longhorn
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 10Gi

62
minecraft/service.yaml
View File

@@ -1,75 +1,15 @@
--- ---
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata:
name: monifactory-server
namespace: minecraft
labels:
app: monifactory-server
spec:
type: ClusterIP
ports:
- name: monifactory
port: 25565
selector:
app: monifactory-server
---
apiVersion: v1
kind: Service
metadata:
name: gtnh-server
namespace: minecraft
labels:
app: gtnh-server
spec:
type: ClusterIP
ports:
- name: gtnh
port: 25565
selector:
app: gtnh-server
---
apiVersion: v1
kind: Service
metadata:
name: tfg-server
namespace: minecraft
labels:
app: tfg-server
spec:
type: ClusterIP
ports:
- name: tfg
port: 25565
selector:
app: tfg-server
---
apiVersion: v1
kind: Service
metadata: metadata:
name: atm10-server name: atm10-server
namespace: minecraft namespace: minecraft
labels: labels:
app: atm10-server app: atm10-server
spec: spec:
type: ClusterIP type: LoadBalancer
ports: ports:
- name: atm10 - name: atm10
port: 25565 port: 25565
selector: selector:
app: atm10-server app: atm10-server
---
apiVersion: v1
kind: Service
metadata:
name: star-technology-server
namespace: minecraft
labels:
app: star-technology-server
spec:
type: ClusterIP
ports:
- name: star-technology
port: 25565
selector:
app: star-technology-server

262
minecraft/statefulset.yaml
View File

@@ -1,200 +1,6 @@
--- ---
apiVersion: apps/v1 apiVersion: apps/v1
kind: StatefulSet kind: StatefulSet
metadata:
name: monifactory-server
namespace: minecraft
spec:
serviceName: monifactory-server
selector:
matchLabels:
app: monifactory-server
template:
metadata:
labels:
app: monifactory-server
spec:
nodeSelector:
nodepool: worker
containers:
- name: monifactory-server
image: itzg/minecraft-server:java17
env:
- name: EULA
value: "TRUE"
- name: MODE
value: "survival"
- name: DIFFICULTY
value: "peaceful"
- name: MODPACK_PLATFORM
value: "AUTO_CURSEFORGE"
- name: CF_API_KEY
valueFrom:
secretKeyRef:
name: curseforge
key: credential
- name: CF_PAGE_URL
value: "https://www.curseforge.com/minecraft/modpacks/monifactory/"
- name: VERSION
value: "1.20.1"
- name: INIT_MEMORY
value: 4G
- name: MAX_MEMORY
value: 12G
- name: ALLOW_FLIGHT
value: "TRUE"
- name: ENABLE_ROLLING_LOGS
value: "TRUE"
- name: USE_MEOWICE_FLAGS
value: "TRUE"
ports:
- name: minecraft
containerPort: 25565
resources:
requests:
cpu: 4
memory: "4Gi"
limits:
cpu: 8
memory: "12Gi"
volumeMounts:
- name: monifactory-data
mountPath: /data
volumes:
- name: monifactory-data
persistentVolumeClaim:
claimName: monifactory-data
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: gtnh-server
namespace: minecraft
spec:
serviceName: gtnh-server
selector:
matchLabels:
app: gtnh-server
template:
metadata:
labels:
app: gtnh-server
spec:
nodeSelector:
nodepool: worker
containers:
- name: gtnh-server
image: itzg/minecraft-server:java25
env:
- name: EULA
value: "TRUE"
- name: MODE
value: "survival"
- name: DIFFICULTY
value: "peaceful"
- name: TYPE
value: "CUSTOM"
- name: GENERIC_PACKS
value: "GT_New_Horizons_2.8.0_Server_Java_17-25"
- name: GENERIC_PACKS_SUFFIX
value: ".zip"
- name: GENERIC_PACKS_PREFIX
value: "https://downloads.gtnewhorizons.com/ServerPacks/"
- name: SKIP_GENERIC_PACK_UPDATE_CHECK
value: "true"
- name: MEMORY
value: 12G
- name: JVM_OPTS
value: "-Dfml.readTimeout=180 -Dfml.queryResult=confirm @java9args.txt"
- name: CUSTOM_JAR_EXEC
value: "-jar lwjgl3ify-forgePatches.jar nogui"
- name: ALLOW_FLIGHT
value: "TRUE"
- name: ENABLE_ROLLING_LOGS
value: "TRUE"
ports:
- name: gtnh
containerPort: 25565
resources:
limits:
cpu: 8
memory: "12Gi"
volumeMounts:
- name: gtnh-data
mountPath: /data
volumes:
- name: gtnh-data
persistentVolumeClaim:
claimName: gtnh-data
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: tfg-server
namespace: minecraft
spec:
serviceName: tfg-server
selector:
matchLabels:
app: tfg-server
template:
metadata:
labels:
app: tfg-server
spec:
nodeSelector:
nodepool: worker
containers:
- name: tfg-server
image: itzg/minecraft-server:java17
env:
- name: EULA
value: "TRUE"
- name: MODE
value: "survival"
- name: MODPACK_PLATFORM
value: "AUTO_CURSEFORGE"
- name: CF_API_KEY
valueFrom:
secretKeyRef:
name: curseforge
key: credential
- name: CF_PAGE_URL
value: "https://www.curseforge.com/minecraft/modpacks/terrafirmagreg-modern/"
- name: CF_FILENAME_MATCHER
value: "0.10.17"
- name: VERSION
value: "1.20.1"
- name: INIT_MEMORY
value: 2G
- name: MAX_MEMORY
value: 12G
- name: ALLOW_FLIGHT
value: "TRUE"
- name: ENABLE_ROLLING_LOGS
value: "TRUE"
- name: USE_MEOWICE_FLAGS
value: "TRUE"
ports:
- name: minecraft
containerPort: 25565
resources:
requests:
cpu: 2
memory: "2Gi"
limits:
cpu: 6
memory: "12Gi"
volumeMounts:
- name: tfg-data
mountPath: /data
volumes:
- name: tfg-data
persistentVolumeClaim:
claimName: tfg-data
---
apiVersion: apps/v1
kind: StatefulSet
metadata: metadata:
name: atm10-server name: atm10-server
namespace: minecraft namespace: minecraft
@@ -260,71 +66,3 @@ spec:
- name: atm10-data - name: atm10-data
persistentVolumeClaim: persistentVolumeClaim:
claimName: atm10-data claimName: atm10-data
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: star-technology-server
namespace: minecraft
spec:
serviceName: star-technology-server
selector:
matchLabels:
app: star-technology-server
template:
metadata:
labels:
app: star-technology-server
spec:
nodeSelector:
nodepool: worker
containers:
- name: star-technology-server
image: itzg/minecraft-server:java21
env:
- name: EULA
value: "TRUE"
- name: MODE
value: "survival"
- name: MODPACK_PLATFORM
value: "AUTO_CURSEFORGE"
- name: CF_API_KEY
valueFrom:
secretKeyRef:
name: curseforge
key: credential
- name: CF_PAGE_URL
value: "https://www.curseforge.com/minecraft/modpacks/star-technology"
- name: VERSION
value: "1.20.1"
- name: INIT_MEMORY
value: 2G
- name: MAX_MEMORY
value: 15G
- name: ALLOW_FLIGHT
value: "TRUE"
- name: ENABLE_ROLLING_LOGS
value: "TRUE"
- name: USE_MEOWICE_FLAGS
value: "TRUE"
- name: CF_OVERRIDES_EXCLUSIONS
value: |
# Not applicable for server side
shaderpacks/**
ports:
- name: minecraft
containerPort: 25565
resources:
requests:
cpu: 2
memory: "2Gi"
limits:
cpu: 6
memory: "16Gi"
volumeMounts:
- name: star-technology-data
mountPath: /data
volumes:
- name: star-technology-data
persistentVolumeClaim:
claimName: star-technology-data

95
netbird/index.ts Normal file
View File

@@ -0,0 +1,95 @@
import * as fs from "fs";
import * as path from "path";
import { Construct } from "constructs";
import { TerraformStack } from "cdktf";
import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
import { NamespaceV1 } from "@cdktf/provider-kubernetes/lib/namespace-v1";
import { DataKubernetesSecretV1 } from "@cdktf/provider-kubernetes/lib/data-kubernetes-secret-v1";
import { HelmProvider } from "@cdktf/provider-helm/lib/provider";
import { SecretV1 } from "@cdktf/provider-kubernetes/lib/secret-v1";
import { Release } from "@cdktf/provider-helm/lib/release";
import { CloudflareCertificate, OnePasswordSecret } from "../utils";
export class Netbird extends TerraformStack {
constructor(scope: Construct, id: string) {
super(scope, id);
const kubernetes = new KubernetesProvider(this, "kubernetes", {
configPath: "~/.kube/config",
});
const helm = new HelmProvider(this, "helm", {
kubernetes: {
configPath: "~/.kube/config",
},
});
const namespace = "netbird";
// Create namespace
new NamespaceV1(this, "namespace", {
metadata: {
name: namespace,
},
});
new OnePasswordSecret(this, "netbird-secret", {
name: "netbird",
namespace,
provider: kubernetes,
itemPath: "vaults/Lab/items/Netbird",
});
const pgClientCert = new DataKubernetesSecretV1(
this,
"netbird-client-cert",
{
provider: kubernetes,
metadata: {
name: "netbird-client-cert",
namespace: "homelab",
},
},
);
const pgCaCert = new DataKubernetesSecretV1(this, "postgres-ca-cert", {
provider: kubernetes,
metadata: {
name: "postgres-server-cert",
namespace: "homelab",
},
});
const pgSslBundle = new SecretV1(this, "netbird-postgres-ssl", {
provider: kubernetes,
metadata: {
name: "netbird-postgres-ssl-bundle",
namespace,
},
data: {
"tls.crt": pgClientCert.data.lookup("tls.crt"),
"tls.key": pgClientCert.data.lookup("tls.key"),
"ca.crt": pgCaCert.data.lookup("ca.crt"),
},
});
new CloudflareCertificate(this, "netbird-cloudflare-cert", {
provider: kubernetes,
name: "netbird",
namespace,
dnsNames: ["vpn.dogar.dev"],
secretName: "netbird-tls",
});
new Release(this, "netbird", {
dependsOn: [pgSslBundle],
provider: helm,
namespace,
createNamespace: true,
name: "netbird",
repository: "https://netbirdio.github.io/helms",
chart: "netbird",
values: [fs.readFileSync(path.join(__dirname, "values.yaml"), "utf8")],
}).importFrom("netbird/netbird");
}
}

218
netbird/values.yaml Normal file
View File

@@ -0,0 +1,218 @@
fullnameOverride: netbird
management:
configmap: |-
{
"Stuns": [
{
"Proto": "udp",
"URI": "{{ .STUN_SERVER }}",
"Username": "",
"Password": ""
}
],
"TURNConfig": {
"TimeBasedCredentials": false,
"CredentialsTTL": "12h0m0s",
"Secret": "secret",
"Turns": [
{
"Proto": "udp",
"URI": "{{ .TURN_SERVER }}",
"Username": "{{ .TURN_SERVER_USER }}",
"Password": "{{ .TURN_SERVER_PASSWORD }}"
}
]
},
"Relay": {
"Addresses": ["rels://vpn.dogar.dev:443/relay"],
"CredentialsTTL": "24h",
"Secret": "{{ .RELAY_PASSWORD }}"
},
"Signal": {
"Proto": "https",
"URI": "vpn.dogar.dev:443",
"Username": "",
"Password": ""
},
"Datadir": "/var/lib/netbird/",
"DataStoreEncryptionKey": "{{ .DATASTORE_ENCRYPTION_KEY }}",
"HttpConfig": {
"LetsEncryptDomain": "",
"CertFile": "",
"CertKey": "",
"AuthAudience": "{{ .IDP_CLIENT_ID }}",
"AuthIssuer": "https://auth.dogar.dev/application/o/netbird/",
"AuthUserIDClaim": "",
"AuthKeysLocation": "https://auth.dogar.dev/application/o/netbird/jwks/",
"OIDCConfigEndpoint": "https://auth.dogar.dev/application/o/netbird/.well-known/openid-configuration",
"IdpSignKeyRefreshEnabled": false
},
"IdpManagerConfig": {
"ManagerType": "authentik",
"ClientConfig": {
"Issuer": "https://auth.dogar.dev/application/o/netbird",
"TokenEndpoint": "https://auth.dogar.dev/application/o/token/",
"ClientID": "{{ .IDP_CLIENT_ID }}",
"ClientSecret": "",
"GrantType": "client_credentials"
},
"ExtraConfig": {
"Password": "{{ .IDP_SERVICE_ACCOUNT_PASSWORD }}",
"Username": "{{ .IDP_SERVICE_ACCOUNT_USER }}"
},
"Auth0ClientCredentials": null,
"AzureClientCredentials": null,
"KeycloakClientCredentials": null,
"ZitadelClientCredentials": null
},
"DeviceAuthorizationFlow": {
"Provider": "hosted",
"ProviderConfig": {
"ClientID": "{{ .IDP_CLIENT_ID }}",
"ClientSecret": "",
"Domain": "auth.dogar.dev",
"Audience": "{{ .IDP_CLIENT_ID }}",
"TokenEndpoint": "https://auth.dogar.dev/application/o/token/",
"DeviceAuthEndpoint": "https://auth.dogar.dev/application/o/device/",
"AuthorizationEndpoint": "",
"Scope": "openid",
"UseIDToken": false,
"RedirectURLs": null
}
},
"PKCEAuthorizationFlow": {
"ProviderConfig": {
"ClientID": "{{ .IDP_CLIENT_ID }}",
"ClientSecret": "",
"Domain": "",
"Audience": "{{ .IDP_CLIENT_ID }}",
"TokenEndpoint": "https://auth.dogar.dev/application/o/token/",
"DeviceAuthEndpoint": "",
"AuthorizationEndpoint": "https://auth.dogar.dev/application/o/authorize/",
"Scope": "openid profile email offline_access api",
"UseIDToken": false,
"RedirectURLs": ["http://localhost:53000"]
}
},
"StoreConfig": {
"Engine": "postgres"
},
"ReverseProxy": {
"TrustedHTTPProxies": null,
"TrustedHTTPProxiesCount": 0,
"TrustedPeers": null
}
}
persistentVolume:
enabled: true
storageClass: longhorn
size: 1Gi
envFromSecret:
NETBIRD_STORE_ENGINE_POSTGRES_DSN: netbird/postgresDSN
STUN_SERVER: netbird/stunServer
TURN_SERVER: netbird/turnServer
TURN_SERVER_USER: netbird/turnServerUser
TURN_SERVER_PASSWORD: netbird/turnServerPassword
RELAY_PASSWORD: netbird/relayPassword
IDP_CLIENT_ID: netbird/idpClientID
IDP_SERVICE_ACCOUNT_USER: netbird/idpServiceAccountUser
IDP_SERVICE_ACCOUNT_PASSWORD: netbird/idpServiceAccountPassword
DATASTORE_ENCRYPTION_KEY: netbird/datastoreEncryptionKey
livenessProbe:
failureThreshold: 3
initialDelaySeconds: 180
periodSeconds: 10
timeoutSeconds: 3
tcpSocket:
port: http
volumes:
- name: postgres-ssl-bundle
secret:
secretName: netbird-postgres-ssl-bundle
volumeMounts:
- name: postgres-ssl-bundle
mountPath: /etc/ssl/certs/postgres-ssl-bundle
readOnly: true
signal:
enabled: true
relay:
envFromSecret:
NB_AUTH_SECRET: netbird/relayPassword
env:
NB_LOG_LEVEL: info
NB_LISTEN_ADDRESS: ":33080"
NB_EXPOSED_ADDRESS: rels://vpn.dogar.dev:443/relay
dashboard:
enabled: true
env:
# Endpoints
NETBIRD_MGMT_API_ENDPOINT: https://vpn.dogar.dev:443
NETBIRD_MGMT_GRPC_API_ENDPOINT: https://vpn.dogar.dev:443
# OIDC
AUTH_CLIENT_SECRET:
AUTH_AUTHORITY: https://auth.dogar.dev/application/o/netbird/
USE_AUTH0: false
AUTH_SUPPORTED_SCOPES: openid profile email offline_access api
AUTH_REDIRECT_URI:
AUTH_SILENT_REDIRECT_URI:
NETBIRD_TOKEN_SOURCE: accessToken
NGINX_SSL_PORT:
LETSENCRYPT_DOMAIN:
LETSENCRYPT_EMAIL:
envFromSecret:
AUTH_CLIENT_ID: netbird/idpClientID
AUTH_AUDIENCE: netbird/idpClientID
extraManifests:
- apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: netbird
namespace: netbird
spec:
entryPoints:
- websecure
routes:
- kind: Rule
match: Host(`vpn.dogar.dev`) && !PathPrefix(`/api`) && !PathPrefix(`/management`) && !PathPrefix(`/signalexchange`) && !PathPrefix(`/relay`)
services:
- name: netbird-dashboard
namespace: netbird
passHostHeader: true
port: 80
- kind: Rule
match: Host(`vpn.dogar.dev`) && PathPrefix(`/api`)
services:
- name: netbird-management
namespace: netbird
passHostHeader: true
port: 80
- kind: Rule
match: Host(`vpn.dogar.dev`) && PathPrefix(`/relay`)
services:
- name: netbird-relay
namespace: netbird
passHostHeader: true
port: 33080
- kind: Rule
match: Host(`vpn.dogar.dev`) && PathPrefix(`/management`)
services:
- name: netbird-management
namespace: netbird
passHostHeader: true
port: 80
scheme: h2c
- kind: Rule
match: Host(`vpn.dogar.dev`) && PathPrefix(`/signalexchange`)
services:
- name: netbird-signal
namespace: netbird
passHostHeader: true
port: 80
scheme: h2c
tls:
secretName: netbird-tls

28
network-security/index.ts
View File

@@ -7,9 +7,10 @@ import {
RateLimitMiddleware, RateLimitMiddleware,
IpAllowListMiddleware, IpAllowListMiddleware,
IpAllowListMiddlewareTCP, IpAllowListMiddlewareTCP,
TLSOptions,
} from "./traefik"; } from "./traefik";
import { ValkeyCluster } from "./valkey"; import { ValkeyCluster } from "./valkey";
import { InternalIngressRoute } from "../utils"; import { InternalIngressRoute, PrivateCertificate } from "../utils";
export class NetworkSecurity extends TerraformStack { export class NetworkSecurity extends TerraformStack {
constructor(scope: Construct, id: string) { constructor(scope: Construct, id: string) {
@@ -67,6 +68,11 @@ export class NetworkSecurity extends TerraformStack {
name: "rate-limit", name: "rate-limit",
}); });
new TLSOptions(this, "tls-options", {
provider: kubernetes,
namespace,
});
new IpAllowListMiddleware(this, "internal-ip-allow-list", { new IpAllowListMiddleware(this, "internal-ip-allow-list", {
provider: kubernetes, provider: kubernetes,
namespace, namespace,
@@ -81,6 +87,15 @@ export class NetworkSecurity extends TerraformStack {
sourceRanges: ["192.168.18.0/24", "10.42.0.0/16"], sourceRanges: ["192.168.18.0/24", "10.42.0.0/16"],
}); });
new PrivateCertificate(this, "longhorn-cert", {
provider: kubernetes,
namespace: "longhorn-system",
name: "longhorn-ui",
dnsNames: ["longhorn.dogar.dev"],
commonName: "longhorn.dogar.dev",
secretName: "longhorn-tls",
});
new InternalIngressRoute(this, "longhorn-ui", { new InternalIngressRoute(this, "longhorn-ui", {
provider: kubernetes, provider: kubernetes,
namespace: "longhorn-system", namespace: "longhorn-system",
@@ -88,6 +103,16 @@ export class NetworkSecurity extends TerraformStack {
host: "longhorn.dogar.dev", host: "longhorn.dogar.dev",
serviceName: "longhorn-frontend", serviceName: "longhorn-frontend",
servicePort: 80, servicePort: 80,
tlsSecretName: "longhorn-tls",
});
new PrivateCertificate(this, "grafana-cert", {
provider: kubernetes,
namespace: "monitoring",
name: "grafana-ui",
dnsNames: ["grafana.dogar.dev"],
commonName: "grafana.dogar.dev",
secretName: "grafana-tls",
}); });
new InternalIngressRoute(this, "grafana-ui", { new InternalIngressRoute(this, "grafana-ui", {
@@ -97,6 +122,7 @@ export class NetworkSecurity extends TerraformStack {
host: "grafana.dogar.dev", host: "grafana.dogar.dev",
serviceName: "prometheus-operator-grafana", serviceName: "prometheus-operator-grafana",
servicePort: 80, servicePort: 80,
tlsSecretName: "grafana-tls",
}); });
} }
} }

1
network-security/traefik/index.ts
View File

@@ -1,2 +1,3 @@
export { RateLimitMiddleware } from "./rateLimit"; export { RateLimitMiddleware } from "./rateLimit";
export { IpAllowListMiddleware, IpAllowListMiddlewareTCP } from "./ipAllowList"; export { IpAllowListMiddleware, IpAllowListMiddlewareTCP } from "./ipAllowList";
export { TLSOptions } from "./tlsOpts";

8
network-security/traefik/rateLimit.ts
View File

@@ -7,8 +7,8 @@ type RateLimitMiddlewareOptions = {
namespace: string; namespace: string;
name: string; name: string;
average?: number; // default 10 average?: number; // default 60
burst?: number; // default 50 burst?: number; // default 120
period?: string; // default "1s" period?: string; // default "1s"
}; };
@@ -18,8 +18,8 @@ export class RateLimitMiddleware extends Construct {
constructor(scope: Construct, id: string, opts: RateLimitMiddlewareOptions) { constructor(scope: Construct, id: string, opts: RateLimitMiddlewareOptions) {
super(scope, id); super(scope, id);
const average = opts.average ?? 10; const average = opts.average ?? 60;
const burst = opts.burst ?? 50; const burst = opts.burst ?? 120;
const period = opts.period ?? "1s"; const period = opts.period ?? "1s";
this.ref = `${opts.namespace}/${opts.name}`; this.ref = `${opts.namespace}/${opts.name}`;

31
network-security/traefik/tlsOpts.ts Normal file
View File

@@ -0,0 +1,31 @@
import { Construct } from "constructs";
import { Manifest } from "@cdktf/provider-kubernetes/lib/manifest";
import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
export class TLSOptions extends Construct {
constructor(
scope: Construct,
id: string,
opts: { provider: KubernetesProvider; namespace: string },
) {
super(scope, id);
const { provider, namespace } = opts;
new Manifest(this, "traefik-tls-options", {
provider,
manifest: {
apiVersion: "traefik.io/v1alpha1",
kind: "TLSOption",
metadata: {
namespace,
name: "tls-options",
},
spec: {
minVersion: "VersionTLS13",
sniStrict: true,
},
},
});
}
}

67
pki/index.ts Normal file
View File

@@ -0,0 +1,67 @@
import { DataKubernetesNamespaceV1 } from "@cdktf/provider-kubernetes/lib/data-kubernetes-namespace-v1";
import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
import { DataTerraformRemoteStateS3, TerraformStack } from "cdktf";
import { Construct } from "constructs";
import { PrivateIssuer, PublicIssuer } from "./issuers";
export class PKI extends TerraformStack {
constructor(scope: Construct, id: string) {
super(scope, id);
const kubernetes = new KubernetesProvider(this, "kubernetes", {
configPath: "~/.kube/config",
});
const r2Endpoint = `${process.env.ACCOUNT_ID!}.r2.cloudflarestorage.com`;
const coreServicesState = new DataTerraformRemoteStateS3(
this,
"core-services-state",
{
usePathStyle: true,
skipRegionValidation: true,
skipCredentialsValidation: true,
skipRequestingAccountId: true,
skipS3Checksum: true,
encrypt: true,
bucket: "terraform-state",
key: "core-services/terraform.tfstate",
endpoints: {
s3: `https://${r2Endpoint}`,
},
region: "auto",
accessKey: process.env.ACCESS_KEY,
secretKey: process.env.SECRET_KEY,
},
);
const namespaceName = coreServicesState.getString("namespace-output");
const namespaceResource = new DataKubernetesNamespaceV1(
this,
"homelab-namespace",
{
provider: kubernetes,
metadata: {
name: namespaceName,
},
},
);
const namespace = namespaceResource.metadata.name;
new PrivateIssuer(this, "private-issuer", {
provider: kubernetes,
namespace,
apiVersion: "cert-manager.io/v1",
rootSecretName: "root-secret",
intermediateSecretName: `${namespace}-ca-secret`,
commonName: "Homelab Root CA",
});
new PublicIssuer(this, "public-issuer", {
provider: kubernetes,
namespace,
apiVersion: "cert-manager.io/v1",
server: "https://acme-v02.api.letsencrypt.org/directory",
});
}
}

2
pki/issuers/index.ts Normal file
View File

@@ -0,0 +1,2 @@
export { PrivateIssuer } from "./private";
export { PublicIssuer } from "./public";

116
pki/issuers/private.ts Normal file
View File

@@ -0,0 +1,116 @@
import { Manifest } from "@cdktf/provider-kubernetes/lib/manifest";
import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
import { Construct } from "constructs";
type PrivateIssuerOptions = {
provider: KubernetesProvider;
namespace: string;
apiVersion: string;
commonName: string;
rootSecretName: string;
intermediateSecretName: string;
};
export class PrivateIssuer extends Construct {
constructor(scope: Construct, id: string, options: PrivateIssuerOptions) {
super(scope, id);
const {
provider,
namespace,
apiVersion,
commonName,
rootSecretName,
intermediateSecretName,
} = options;
//
// 1. Root CA (self-signed)
//
new Manifest(this, "root-ca-issuer", {
provider,
manifest: {
apiVersion,
kind: "ClusterIssuer",
metadata: { name: "root-ca-selfsigned" },
spec: { selfSigned: {} },
},
});
new Manifest(this, "root-ca", {
provider,
manifest: {
apiVersion,
kind: "Certificate",
metadata: { name: "root-ca", namespace },
spec: {
isCA: true,
commonName: `${commonName} Root CA`,
secretName: rootSecretName,
privateKey: {
algorithm: "RSA",
size: 4096,
},
issuerRef: {
name: "root-ca-selfsigned",
kind: "ClusterIssuer",
group: "cert-manager.io",
},
},
},
});
//
// 2. Intermediate CA (signed by root CA)
//
new Manifest(this, "intermediate-ca-issuer", {
provider,
manifest: {
apiVersion,
kind: "ClusterIssuer",
metadata: { name: "root-ca-signer" },
spec: {
ca: { secretName: rootSecretName },
},
},
});
new Manifest(this, "intermediate-ca", {
provider,
manifest: {
apiVersion,
kind: "Certificate",
metadata: { name: "intermediate-ca", namespace },
spec: {
isCA: true,
commonName: `${commonName} Intermediate CA`,
secretName: intermediateSecretName,
privateKey: {
algorithm: "ECDSA",
size: 384,
},
issuerRef: {
name: "root-ca-signer",
kind: "ClusterIssuer",
group: "cert-manager.io",
},
},
},
});
//
// 3. Final public cluster issuer (used by your apps)
//
new Manifest(this, "cluster-issuer", {
provider,
manifest: {
apiVersion,
kind: "ClusterIssuer",
metadata: { name: "cluster-issuer" },
spec: {
ca: { secretName: intermediateSecretName },
},
},
});
}
}

59
pki/issuers/public.ts Normal file
View File

@@ -0,0 +1,59 @@
import { Manifest } from "@cdktf/provider-kubernetes/lib/manifest";
import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
import { Construct } from "constructs";
import { OnePasswordSecret } from "../../utils";
type PublicIssuerOptions = {
provider: KubernetesProvider;
apiVersion: string;
namespace: string;
server: string;
};
export class PublicIssuer extends Construct {
constructor(scope: Construct, id: string, options: PublicIssuerOptions) {
super(scope, id);
const { apiVersion, provider, namespace, server } = options;
new OnePasswordSecret(this, "cloudflare-token", {
provider,
namespace,
name: "public-issuer-cloudflare-token",
itemPath: "vaults/Lab/items/cloudflare",
});
// Cloudflare ACME ClusterIssuer
new Manifest(this, "cloudflare-issuer", {
provider,
manifest: {
apiVersion,
kind: "ClusterIssuer",
metadata: {
name: "cloudflare-issuer",
},
spec: {
acme: {
email: "shahab@dogar.dev",
server,
privateKeySecretRef: {
name: "cloudflare-cluster-issuer-account-key",
},
solvers: [
{
dns01: {
cloudflare: {
apiTokenSecretRef: {
name: "public-issuer-cloudflare-token",
key: "token",
},
},
},
},
],
},
},
},
});
}
}

0
types/index.ts → types.ts
View File

15
utility-services/authentik/values.yaml
View File

@@ -87,23 +87,8 @@ authentik:
server: server:
replicas: 3 replicas: 3
ingress:
enabled: false
annotations:
cert-manager.io/cluster-issuer: cloudflare-issuer
cert-manager.io/acme-challenge-type: dns01
cert-manager.io/private-key-size: "4096"
ingressClassName: traefik
hosts:
- auth.dogar.dev
tls:
- secretName: authentik-tls
hosts:
- auth.dogar.dev
worker: worker:
replicas: 3 replicas: 3
postgresql: postgresql:
enabled: false enabled: false
redis: redis:

4
utility-services/gitea/runner.ts → utility-services/gitea/runner/index.ts
View File

@@ -1,10 +1,10 @@
import { Construct } from "constructs"; import { Construct } from "constructs";
import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider"; import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
import { OnePasswordSecret, LonghornPvc } from "../../utils";
import { DeploymentV1 } from "@cdktf/provider-kubernetes/lib/deployment-v1"; import { DeploymentV1 } from "@cdktf/provider-kubernetes/lib/deployment-v1";
import { PodDisruptionBudgetV1 } from "@cdktf/provider-kubernetes/lib/pod-disruption-budget-v1"; import { PodDisruptionBudgetV1 } from "@cdktf/provider-kubernetes/lib/pod-disruption-budget-v1";
import { OnePasswordSecret, LonghornPvc } from "../../../utils";
type GiteaRunnerOptions = { type GiteaRunnerOptions = {
provider: KubernetesProvider; provider: KubernetesProvider;
name: string; name: string;

29
utility-services/gitea/server.ts → utility-services/gitea/server/index.ts
View File

@@ -7,8 +7,8 @@ import {
OnePasswordSecret, OnePasswordSecret,
PublicIngressRoute, PublicIngressRoute,
IngressRouteTcp, IngressRouteTcp,
} from "../../utils"; } from "../../../utils";
import type { Providers } from "../../types"; import type { Providers } from "../../../types";
type GiteaServerOptions = { type GiteaServerOptions = {
providers: Providers; providers: Providers;
@@ -22,32 +22,33 @@ export class GiteaServer extends Construct {
super(scope, id); super(scope, id);
const { kubernetes, helm } = options.providers; const { kubernetes, helm } = options.providers;
const { name, namespace, r2Endpoint } = options;
new OnePasswordSecret(this, "admin", { new OnePasswordSecret(this, "admin", {
provider: kubernetes, provider: kubernetes,
name: "gitea-admin", name: "gitea-admin",
namespace: options.namespace, namespace,
itemPath: "vaults/Lab/items/gitea-admin", itemPath: "vaults/Lab/items/gitea-admin",
}); });
new OnePasswordSecret(this, "oauth", { new OnePasswordSecret(this, "oauth", {
provider: kubernetes, provider: kubernetes,
name: "gitea-oauth", name: "gitea-oauth",
namespace: options.namespace, namespace,
itemPath: "vaults/Lab/items/gitea-oauth", itemPath: "vaults/Lab/items/gitea-oauth",
}); });
new OnePasswordSecret(this, "smtp", { new OnePasswordSecret(this, "smtp", {
provider: kubernetes, provider: kubernetes,
name: "gitea-smtp-token", name: "gitea-smtp-token",
namespace: options.namespace, namespace,
itemPath: "vaults/Lab/items/smtp-token", itemPath: "vaults/Lab/items/smtp-token",
}); });
new OnePasswordSecret(this, "r2", { new OnePasswordSecret(this, "r2", {
provider: kubernetes, provider: kubernetes,
name: "gitea-cloudflare-token", name: "gitea-cloudflare-token",
namespace: options.namespace, namespace,
itemPath: "vaults/Lab/items/cloudflare", itemPath: "vaults/Lab/items/cloudflare",
}); });
@@ -56,11 +57,12 @@ export class GiteaServer extends Construct {
provider: helm, provider: helm,
repository: "https://dl.gitea.com/charts", repository: "https://dl.gitea.com/charts",
chart: "gitea", chart: "gitea",
namespace,
createNamespace: true, createNamespace: true,
set: [ set: [
{ {
name: "gitea.config.storage.MINIO_ENDPOINT", name: "gitea.config.storage.MINIO_ENDPOINT",
value: options.r2Endpoint, value: r2Endpoint,
}, },
], ],
values: [ values: [
@@ -72,21 +74,22 @@ export class GiteaServer extends Construct {
new IngressRouteTcp(this, "ssh-ingress", { new IngressRouteTcp(this, "ssh-ingress", {
provider: kubernetes, provider: kubernetes,
namespace: options.namespace, namespace,
name: options.name, name,
match: "HostSNI(`*`)", match: "HostSNI(`*`)",
entryPoint: "ssh", entryPoint: "ssh",
serviceName: `${options.name}-ssh`, serviceName: `${name}-ssh`,
servicePort: 22, servicePort: 22,
}); });
new PublicIngressRoute(this, "http-ingress", { new PublicIngressRoute(this, "http-ingress", {
provider: kubernetes, provider: kubernetes,
namespace: options.namespace, namespace,
name: options.name, name,
host: "git.dogar.dev", host: "git.dogar.dev",
serviceName: `${options.name}-http`, serviceName: `${name}-http`,
servicePort: 3000, servicePort: 3000,
serviceProtocol: "https",
}); });
} }
} }

53
utility-services/gitea/values.yaml → utility-services/gitea/server/values.yaml
View File

@@ -1,5 +1,8 @@
global: global:
storageClass: longhorn storageClass: longhorn
podSecurityContext:
fsGroup: 1000
fsGroupChangePolicy: "OnRootMismatch"
image: image:
rootless: false rootless: false
service: service:
@@ -21,13 +24,23 @@ gitea:
enabled: true enabled: true
serviceMonitor: serviceMonitor:
enabled: true enabled: true
scheme: "https"
tlsConfig:
insecureSkipVerify: false
caFile: /internal-ca/ca.crt
config: config:
server: server:
ENABLE_PPROF: true ENABLE_PPROF: true
ENABLE_GZIP: true ENABLE_GZIP: true
LFS_START_SERVER: true LFS_START_SERVER: true
PROTOCOL: https
CERT_FILE: /certs/tls.crt
KEY_FILE: /certs/tls.key
ROOT_URL: https://git.dogar.dev/ ROOT_URL: https://git.dogar.dev/
SSH_DOMAIN: git.dogar.dev SSH_DOMAIN: git.dogar.dev
DISABLE_SSH: false
SSH_LISTEN_PORT: 2222
SSH_PORT: 22
database: database:
DB_TYPE: postgres DB_TYPE: postgres
HOST: postgres-cluster-rw HOST: postgres-cluster-rw
@@ -87,6 +100,27 @@ gitea:
secretKeyRef: secretKeyRef:
name: gitea-cloudflare-token name: gitea-cloudflare-token
key: secret_access_key key: secret_access_key
livenessProbe:
httpGet:
path: /api/healthz
port: 3000
scheme: HTTPS
initialDelaySeconds: 5
periodSeconds: 10
readinessProbe:
httpGet:
path: /api/healthz
port: 3000
scheme: HTTPS
initialDelaySeconds: 5
periodSeconds: 10
startupProbe:
httpGet:
path: /api/healthz
port: 3000
scheme: HTTPS
initialDelaySeconds: 5
periodSeconds: 10
persistence: persistence:
labels: labels:
recurring-job.longhorn.io/source: "enabled" recurring-job.longhorn.io/source: "enabled"
@@ -95,6 +129,20 @@ persistence:
size: 50Gi size: 50Gi
accessModes: accessModes:
- ReadWriteMany - ReadWriteMany
postExtraInitContainers:
- name: fix-gitea-ssh-perms
image: alpine:3
command:
- sh
- -c
- |
echo "Fixing /data/ssh permissions..."
mkdir -p /data/ssh
chown -R 1000:1000 /data/ssh
chmod 700 /data/ssh
volumeMounts:
- name: data
mountPath: /data
deployment: deployment:
env: env:
- name: PGSSLMODE - name: PGSSLMODE
@@ -129,6 +177,9 @@ extraVolumes:
items: items:
- key: ca.crt - key: ca.crt
path: root.crt path: root.crt
- name: gitea-tls-internal
secret:
secretName: gitea-http-tls-internal
- name: gitea-temp - name: gitea-temp
emptyDir: {} emptyDir: {}
extraInitVolumeMounts: extraInitVolumeMounts:
@@ -139,6 +190,8 @@ extraContainerVolumeMounts:
- name: ssl-bundle - name: ssl-bundle
mountPath: /opt/gitea/.postgresql mountPath: /opt/gitea/.postgresql
readOnly: true readOnly: true
- name: gitea-tls-internal
mountPath: /certs
readOnly: true readOnly: true
- name: gitea-temp - name: gitea-temp
mountPath: /tmp/gitea-uploads mountPath: /tmp/gitea-uploads

2
utility-services/index.ts
View File

@@ -78,7 +78,7 @@ export class UtilityServices extends TerraformStack {
name: "postgres-cluster", name: "postgres-cluster",
namespace, namespace,
provider: kubernetes, provider: kubernetes,
users: ["shahab", "budget-tracker", "authentik", "gitea"], users: ["shahab", "budget-tracker", "authentik", "gitea", "netbird"],
primaryUser: "shahab", primaryUser: "shahab",
initSecretName: "postgres-password", initSecretName: "postgres-password",
backupR2EndpointURL: `https://${r2Endpoint}`, backupR2EndpointURL: `https://${r2Endpoint}`,

1
utility-services/postgres/index.ts
View File

@@ -357,6 +357,7 @@ export class PostgresCluster extends Construct {
{ {
name: "barman-cloud.cloudnative-pg.io", name: "barman-cloud.cloudnative-pg.io",
isWALArchiver: true, isWALArchiver: true,
enabled: true,
parameters: { parameters: {
barmanObjectName: barmanStoreName, barmanObjectName: barmanStoreName,
serverName: backupServerName, serverName: backupServerName,

281
utils/cert-manager/base.ts Normal file
View File

@@ -0,0 +1,281 @@
import { Construct } from "constructs";
import { Manifest } from "@cdktf/provider-kubernetes/lib/manifest";
import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
/**
* Options passed to the Certificate construct for generating
* cert-manager.io/v1 Certificate resources.
*
* This type supports both public certificates (Cloudflare/ACME)
* and private internal certificates (internal CA), making it usable
* across all cluster security contexts (Ingress TLS, internal mTLS, etc.).
*/
export type CertificateOptions = {
/**
* Kubernetes provider instance used by the underlying Manifest resource.
*
* This should typically be the cluster's primary Kubernetes provider.
*
* Required.
*/
provider: KubernetesProvider;
/**
* Kubernetes namespace where the Certificate resource and the
* corresponding Secret will be created.
*
* Required.
*/
namespace: string;
/**
* Name of the Certificate resource (metadata.name).
*
* This should be unique within the namespace.
*
* Required.
*/
name: string;
/**
* Name of the Kubernetes Secret that cert-manager will populate with
* `tls.crt`, `tls.key`, and optionally `ca.crt`.
*
* This secret is automatically created and updated by cert-manager.
*
* Required.
*/
secretName: string;
/**
* List of DNS Subject Alternative Names that the certificate must cover.
*
* cert-manager requires at least one entry.
*
* For internal certificates: service FQDNs (svc.cluster.local).
* For public certificates: external domain names.
*
* Required.
*/
dnsNames: string[];
/**
* Reference to the cert-manager Issuer or ClusterIssuer used to sign the certificate.
*
* - For public certs: Cloudflare ACME ClusterIssuer
* - For private certs: Internal CA ClusterIssuer
*
* This field is usually injected automatically by subclasses
* (e.g., PublicCertificate / PrivateCertificate).
*
* Required internally — not intended to be set by user code directly.
*/
issuerRef?: {
/**
* Name of the Issuer or ClusterIssuer.
*/
name: string;
/**
* Type of issuer ("Issuer" or "ClusterIssuer").
*
* Defaults to "ClusterIssuer" when omitted.
*/
kind?: string;
};
/**
* The certificate's validity duration (e.g. "2160h" for 90 days).
*
* If omitted, cert-manager applies its own default (90 days for ACME).
*
* Optional.
*/
duration?: string;
/**
* How long before expiry cert-manager should attempt early renewal.
*
* Example: "360h" (15 days before expiration).
*
* Optional.
*/
renewBefore?: string;
/**
* Optional Common Name for the certificate's subject.
*
* SAN-only certificates are recommended, but CN is still required for
* compatibility with some older libraries (Java, ClickHouse, OpenSSL tooling).
*
* Optional.
*/
commonName?: string;
/**
* Key Usage extension — determines what the certificate may be used for.
*
* Common values:
*
* - "digital signature"
* - "key encipherment"
* - "server auth"
* - "client auth"
*
* Example for mTLS server certificates:
* usages: ["digital signature", "key encipherment", "server auth"]
*
* Example for mTLS client certificates:
* usages: ["digital signature", "client auth"]
*
* Optional — cert-manager applies sensible defaults when omitted.
*/
usages?: string[];
/**
* Options controlling the generated private key.
*
* Useful for:
* - Choosing RSA vs ECDSA vs Ed25519
* - Increasing RSA key strength (2048 → 4096)
* - Optimizing performance for internal services (ECDSA P-256)
*
* Optional.
*/
privateKey?: {
/**
* Private key algorithm.
*
* - "RSA" (default)
* - "ECDSA" (great for internal TLS)
* - "Ed25519" (fast and modern, but not universally supported)
*
* Optional.
*/
algorithm?: "RSA" | "ECDSA" | "Ed25519";
/**
* Key size in bits.
*
* Only applies to algorithms that support length:
* - RSA: 2048, 3072, 4096
* - ECDSA: 256, 384
*
* Optional.
*/
size?: number;
};
/**
* IP address SAN entries (rarely needed, but sometimes required
* for services bound directly to cluster node IPs or StatefulSet pod IPs).
*
* Using IP SANs is generally discouraged unless explicitly required.
*
* Optional.
*/
ipAddresses?: string[];
/**
* Subject information for the certificate (Organization, OrgUnit, etc.)
*
* Example:
*
* subject: {
* organizations: ["Internal Systems"],
* organizationalUnits: ["Platform"]
* }
*
* Optional.
*/
subject?: {
organizations?: string[];
organizationalUnits?: string[];
countries?: string[];
provinces?: string[];
localities?: string[];
streetAddresses?: string[];
postalCodes?: string[];
};
};
export class Certificate extends Construct {
/** The underlying Kubernetes manifest */
public readonly manifest: Manifest;
constructor(scope: Construct, id: string, opts: CertificateOptions) {
super(scope, id);
// --- Validation ---------------------------------------------------------
if (!opts.issuerRef) {
throw new Error(
`Certificate '${opts.name}' must specify issuerRef (usually provided by a subclass).`,
);
}
if (!opts.dnsNames || opts.dnsNames.length === 0) {
throw new Error(
`Certificate '${opts.name}' must include at least one DNS name in dnsNames[].`,
);
}
// --- Base manifest ------------------------------------------------------
const manifest: any = {
apiVersion: "cert-manager.io/v1",
kind: "Certificate",
metadata: {
name: opts.name,
namespace: opts.namespace,
},
spec: {
secretName: opts.secretName,
dnsNames: opts.dnsNames,
issuerRef: {
name: opts.issuerRef.name,
kind: opts.issuerRef.kind ?? "ClusterIssuer",
},
},
};
// --- Optional: duration & renewBefore ---------------------------------
if (opts.duration) {
manifest.spec.duration = opts.duration;
}
if (opts.renewBefore) {
manifest.spec.renewBefore = opts.renewBefore;
}
// --- Optional: commonName ----------------------------------------------
if (opts.commonName) {
manifest.spec.commonName = opts.commonName;
}
// --- Optional: key usages ----------------------------------------------
if (opts.usages?.length) {
manifest.spec.usages = opts.usages;
}
// --- Optional: private key settings ------------------------------------
if (opts.privateKey) {
manifest.spec.privateKey = {
...opts.privateKey,
};
}
// --- Optional: IP SAN entries ------------------------------------------
if (opts.ipAddresses?.length) {
manifest.spec.ipAddresses = opts.ipAddresses;
}
// --- Optional: subject fields ------------------------------------------
if (opts.subject) {
manifest.spec.subject = opts.subject;
}
// --- Create manifest resource ------------------------------------------
this.manifest = new Manifest(this, id, {
provider: opts.provider,
manifest,
});
}
}

36
utils/cert-manager/cloudflare.ts Normal file
View File

@@ -0,0 +1,36 @@
import { Construct } from "constructs";
import { Certificate, CertificateOptions } from "./base";
/**
* Public certificate issued via the Cloudflare ACME ClusterIssuer.
*
* This subclass automatically injects:
*
* issuerRef:
* name: "cloudflare-issuer"
* kind: "ClusterIssuer"
*
* It is intended for generating publicly trusted HTTPS certificates
* (e.g., *.dogar.dev) using Cloudflare DNS-01 validation.
*
* Users of this class should *not* specify issuerRef manually.
*/
export class CloudflareCertificate extends Certificate {
constructor(
scope: Construct,
id: string,
opts: Omit<CertificateOptions, "issuerRef" | "privateKey">,
) {
super(scope, id, {
...opts,
issuerRef: {
name: "cloudflare-issuer",
kind: "ClusterIssuer",
},
privateKey: {
algorithm: "RSA",
size: 4096,
},
});
}
}

87
utils/cert-manager/index.ts
View File

@@ -1,85 +1,2 @@
import { Construct } from "constructs"; export { CloudflareCertificate } from "./cloudflare";
import { Manifest } from "@cdktf/provider-kubernetes/lib/manifest"; export { PrivateCertificate } from "./internal";
import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
type CertificateOptions = {
provider: KubernetesProvider;
/** Namespace to create the Certificate in */
namespace: string;
/** Required name of the certificate (and CRD name) */
name: string;
/** Secret name for storing the issued TLS cert */
secretName: string;
/** One or more DNS names the certificate should cover */
dnsNames: string[];
/** Reference to the cert-manager issuer */
issuerRef: {
name: string;
kind?: string; // ClusterIssuer or Issuer
};
/** Optional duration (default: cert-manager default) */
duration?: string;
/** Optional renewBefore (default: cert-manager default) */
renewBefore?: string;
};
class Certificate extends Construct {
public readonly manifest: Manifest;
constructor(scope: Construct, id: string, opts: CertificateOptions) {
super(scope, id);
const manifest: any = {
apiVersion: "cert-manager.io/v1",
kind: "Certificate",
metadata: {
name: opts.name,
namespace: opts.namespace,
},
spec: {
secretName: opts.secretName,
dnsNames: opts.dnsNames,
issuerRef: {
name: opts.issuerRef.name,
kind: opts.issuerRef.kind ?? "ClusterIssuer",
},
},
};
if (opts.duration) {
manifest.spec.duration = opts.duration;
}
if (opts.renewBefore) {
manifest.spec.renewBefore = opts.renewBefore;
}
this.manifest = new Manifest(this, id, {
provider: opts.provider,
manifest,
});
}
}
export class CloudflareCertificate extends Certificate {
constructor(
scope: Construct,
id: string,
opts: Omit<CertificateOptions, "issuerRef">,
) {
super(scope, id, {
...opts,
issuerRef: {
name: "cloudflare-issuer",
kind: "ClusterIssuer",
},
});
}
}

41
utils/cert-manager/internal.ts Normal file
View File

@@ -0,0 +1,41 @@
import { Construct } from "constructs";
import { Certificate, CertificateOptions } from "./base";
/**
* Private TLS certificate issued by the internal cluster CA.
*
* This subclass automatically injects:
*
* issuerRef:
* name: "cluster-issuer"
* kind: "ClusterIssuer"
*
* Use this for:
* - Internal service-to-service TLS (HTTP, gRPC, Webhooks)
* - mTLS server certificates
* - mTLS client certificates
* - Internal wildcard certificates
* - Databases, queues, operators, controllers, etc.
*
* Users of this class should NOT specify issuerRef manually.
*/
export class PrivateCertificate extends Certificate {
constructor(
scope: Construct,
id: string,
opts: Omit<CertificateOptions, "issuerRef" | "privateKey">,
) {
super(scope, id, {
...opts,
issuerRef: {
name: "cluster-issuer", // internal CA
kind: "ClusterIssuer",
},
privateKey: {
algorithm: "ECDSA",
size: 384,
},
usages: ["digital signature", "key encipherment", "server auth"],
});
}
}

2
utils/index.ts
View File

@@ -1,4 +1,4 @@
export { CloudflareCertificate } from "./cert-manager"; export { CloudflareCertificate, PrivateCertificate } from "./cert-manager";
export { OnePasswordSecret } from "./1password-secret"; export { OnePasswordSecret } from "./1password-secret";
export { export {
PublicIngressRoute, PublicIngressRoute,

63
utils/traefik/ingress/ingress.ts
View File

@@ -2,7 +2,7 @@ import { Construct } from "constructs";
import { Manifest } from "@cdktf/provider-kubernetes/lib/manifest"; import { Manifest } from "@cdktf/provider-kubernetes/lib/manifest";
import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider"; import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
import { CloudflareCertificate } from "../../cert-manager"; import { PrivateCertificate } from "../../cert-manager";
export type IngressRouteOptions = { export type IngressRouteOptions = {
provider: KubernetesProvider; provider: KubernetesProvider;
@@ -18,6 +18,7 @@ export type IngressRouteOptions = {
/** Backend K8s Service */ /** Backend K8s Service */
serviceName: string; serviceName: string;
servicePort: number; servicePort: number;
serviceProtocol?: "http" | "https";
/** EntryPoints (default: ["websecure"]) */ /** EntryPoints (default: ["websecure"]) */
entryPoints?: string[]; entryPoints?: string[];
@@ -39,13 +40,57 @@ export class IngressRoute extends Construct {
const path = opts.path ?? "/"; const path = opts.path ?? "/";
const entryPoints = opts.entryPoints ?? ["websecure"]; const entryPoints = opts.entryPoints ?? ["websecure"];
const { provider, namespace } = opts;
if (opts.serviceProtocol === "https") {
new PrivateCertificate(this, "internal-cert", {
provider,
namespace,
name: `${opts.serviceName}-tls-internal`,
secretName: `${opts.serviceName}-tls-internal`,
dnsNames: [
opts.serviceName,
`${opts.serviceName}.${opts.namespace}.svc`,
`${opts.serviceName}.${opts.namespace}.svc.cluster.local`,
],
usages: ["digital signature", "key encipherment", "server auth"],
});
new Manifest(this, `${name}-https-transport`, {
provider,
manifest: {
apiVersion: "traefik.io/v1alpha1",
kind: "ServersTransport",
metadata: {
name: `${name}-https-transport`,
namespace,
},
spec: {
serverName: `${opts.serviceName}.${opts.namespace}.svc.cluster.local`,
rootCAs: [
{
secret: "root-secret",
},
],
insecureSkipVerify: false,
},
},
});
}
const route: any = { const route: any = {
match: `Host(\`${opts.host}\`) && PathPrefix(\`${path}\`)`, match: `Host(\`${opts.host}\`) && PathPrefix(\`${path}\`)`,
kind: "Rule", kind: "Rule",
services: [ services: [
{ {
namespace,
name: opts.serviceName, name: opts.serviceName,
port: opts.servicePort, port: opts.servicePort,
scheme: opts.serviceProtocol ?? "http",
serversTransport:
opts.serviceProtocol === "https"
? `${name}-https-transport`
: undefined,
}, },
], ],
}; };
@@ -65,25 +110,21 @@ export class IngressRoute extends Construct {
if (opts.tlsSecretName) { if (opts.tlsSecretName) {
spec.tls = { spec.tls = {
secretName: opts.tlsSecretName, secretName: opts.tlsSecretName,
options: {
name: "tls-options",
namespace: "homelab",
},
}; };
new CloudflareCertificate(this, `${name}-cert`, {
provider: opts.provider,
namespace: opts.namespace,
name: opts.host,
secretName: opts.tlsSecretName,
dnsNames: [opts.host],
});
} }
this.manifest = new Manifest(this, name, { this.manifest = new Manifest(this, name, {
provider: opts.provider, provider,
manifest: { manifest: {
apiVersion: "traefik.io/v1alpha1", apiVersion: "traefik.io/v1alpha1",
kind: "IngressRoute", kind: "IngressRoute",
metadata: { metadata: {
name, name,
namespace: opts.namespace, namespace,
}, },
spec, spec,
}, },

65
utils/traefik/ingress/internalIngress.ts
View File

@@ -1,63 +1,16 @@
import { Construct } from "constructs"; import { Construct } from "constructs";
import { IngressRoute, IngressRouteOptions } from "./ingress"; import { IngressRoute, IngressRouteOptions } from "./ingress";
import { DataTerraformRemoteStateS3 } from "cdktf";
import { DataKubernetesNamespaceV1 } from "@cdktf/provider-kubernetes/lib/data-kubernetes-namespace-v1";
type InternalIngressRouteOptions = Omit< export class InternalIngressRoute extends IngressRoute {
IngressRouteOptions, constructor(
"entryPoints" | "tlsSecretName" | "middlewares" scope: Construct,
>; id: string,
opts: Omit<IngressRouteOptions, "entryPoints" | "middlewares">,
export class InternalIngressRoute extends Construct { ) {
constructor(scope: Construct, id: string, opts: InternalIngressRouteOptions) { super(scope, id, {
super(scope, id); ...opts,
const r2Endpoint = `${process.env.ACCOUNT_ID!}.r2.cloudflarestorage.com`;
const coreServicesState = new DataTerraformRemoteStateS3(
this,
"core-services-state",
{
usePathStyle: true,
skipRegionValidation: true,
skipCredentialsValidation: true,
skipRequestingAccountId: true,
skipS3Checksum: true,
encrypt: true,
bucket: "terraform-state",
key: "core-services/terraform.tfstate",
endpoints: {
s3: `https://${r2Endpoint}`,
},
region: "auto",
accessKey: process.env.ACCESS_KEY,
secretKey: process.env.SECRET_KEY,
},
);
const namespaceName = coreServicesState.getString("namespace-output");
const namespaceResource = new DataKubernetesNamespaceV1(
this,
"core-services-namespace",
{
provider: opts.provider,
metadata: {
name: namespaceName,
},
},
);
const namespace = namespaceResource.metadata.name;
new IngressRoute(this, opts.name, {
provider: opts.provider,
namespace: opts.namespace,
host: opts.host,
path: opts.path ?? "/",
serviceName: opts.serviceName,
servicePort: opts.servicePort,
entryPoints: ["websecure"], entryPoints: ["websecure"],
tlsSecretName: `${opts.name}-tls`, middlewares: ["homelab/ip-allow-list"],
middlewares: [`${namespace}/ip-allow-list`],
name: opts.name,
}); });
} }
} }

76
utils/traefik/ingress/publicIngress.ts
View File

@@ -1,63 +1,33 @@
import { Construct } from "constructs"; import { Construct } from "constructs";
import { IngressRoute, IngressRouteOptions } from "./ingress"; import { IngressRoute, IngressRouteOptions } from "./ingress";
import { DataTerraformRemoteStateS3 } from "cdktf"; import { CloudflareCertificate } from "../../cert-manager";
import { DataKubernetesNamespaceV1 } from "@cdktf/provider-kubernetes/lib/data-kubernetes-namespace-v1";
type PublicIngressRouteOptions = Omit< export class PublicIngressRoute extends IngressRoute {
constructor(
scope: Construct,
id: string,
opts: Omit<
IngressRouteOptions, IngressRouteOptions,
"entryPoints" | "tlsSecretName" | "middlewares" "entryPoints" | "tlsSecretName" | "middlewares"
>; >,
) {
const tlsSecretName = `${opts.name}-tls`;
export class PublicIngressRoute extends Construct { super(scope, id, {
constructor(scope: Construct, id: string, opts: PublicIngressRouteOptions) { ...opts,
super(scope, id); tlsSecretName,
const r2Endpoint = `${process.env.ACCOUNT_ID!}.r2.cloudflarestorage.com`;
const coreServicesState = new DataTerraformRemoteStateS3(
this,
"core-services-state",
{
usePathStyle: true,
skipRegionValidation: true,
skipCredentialsValidation: true,
skipRequestingAccountId: true,
skipS3Checksum: true,
encrypt: true,
bucket: "terraform-state",
key: "core-services/terraform.tfstate",
endpoints: {
s3: `https://${r2Endpoint}`,
},
region: "auto",
accessKey: process.env.ACCESS_KEY,
secretKey: process.env.SECRET_KEY,
},
);
const namespaceName = coreServicesState.getString("namespace-output");
const namespaceResource = new DataKubernetesNamespaceV1(
this,
"core-services-namespace",
{
provider: opts.provider,
metadata: {
name: namespaceName,
},
},
);
const namespace = namespaceResource.metadata.name;
new IngressRoute(this, opts.name, {
provider: opts.provider,
namespace: opts.namespace,
host: opts.host,
path: opts.path ?? "/",
serviceName: opts.serviceName,
servicePort: opts.servicePort,
entryPoints: ["websecure"], entryPoints: ["websecure"],
tlsSecretName: `${opts.name}-tls`, middlewares: ["homelab/rate-limit"],
middlewares: [`${namespace}/rate-limit`], });
name: opts.name,
const { provider, name, namespace, host } = opts;
new CloudflareCertificate(this, `${name}-cert`, {
provider,
namespace,
name: host,
secretName: tlsSecretName,
dnsNames: [host],
}); });
} }
} }