fix lab

flake.lock

@@ -56,11 +56,11 @@
     },
     "nixpkgs": {
       "locked": {
-        "lastModified": 1759417375,
+        "lastModified": 1761236834,
-        "narHash": "sha256-O7eHcgkQXJNygY6AypkF9tFhsoDQjpNEojw3eFs73Ow=",
+        "narHash": "sha256-+pthv6hrL5VLW2UqPdISGuLiUZ6SnAXdd2DdUE+fV2Q=",
         "owner": "NixOS",
         "repo": "nixpkgs",
-        "rev": "dc704e6102e76aad573f63b74c742cd96f8f1e6c",
+        "rev": "d5faa84122bc0a1fd5d378492efce4e289f8eac1",
         "type": "github"
       },
       "original": {

flake.nix

@@ -31,7 +31,6 @@
       devShell = pkgs.mkShell {
         buildInputs = with pkgs; [
           kubernetes-helm
-          kubectl
           (kubectl.withKrewPlugins (plugins: with plugins; [
             cnpg
           ]))

gitea/actions/runner.yaml

@@ -43,11 +43,7 @@ spec:
         imagePullPolicy: Always
         env:
         - name: DOCKER_HOST
-          value: tcp://localhost:2376
+          value: unix:///run/user/1000/docker.sock
-        - name: DOCKER_CERT_PATH
-          value: /certs/client
-        - name: DOCKER_TLS_VERIFY
-          value: "1"
         - name: GITEA_INSTANCE_URL
           value: https://git.dogar.dev
         - name: GITEA_RUNNER_REGISTRATION_TOKEN

helm/values/externaldns.values.yaml

@@ -10,6 +10,8 @@ extraEnvVars:
       secretKeyRef:
         name: pihole-admin
         key: password
+extraArgs:
+  pihole-api-version: 6
 serviceAccount:
   create: true
   name: "external-dns"

helm/values/gitea.values.yaml

@@ -108,6 +108,13 @@ deployment:
       value: /opt/gitea/.postgresql/postgresql.crt
     - name: PGSSLKEY
       value: /opt/gitea/.postgresql/postgresql.key
+resources:
+  requests:
+    cpu: 100m
+    memory: 128Mi
+  limits:
+    cpu: 6
+    memory: 6Gi
 extraVolumes:
   - name: ssl-bundle
     projected:

helm/values/pihole.values.yaml

@@ -9,9 +9,10 @@ admin:
   passwordKey: password
 persistentVolumeClaim:
   enabled: true
-  storageClass: longhorn-crypto
+  storageClass: longhorn
+  size: 10Gi
   accessModes:
-    - ReadWriteOnce
+    - ReadWriteMany
 ingress:
   enabled: true
   ingressClassName: nginx-internal
@@ -34,6 +35,7 @@ serviceWeb:
 serviceDns:
   annotations:
     metallb.universe.tf/allow-shared-ip: pihole-svc
+  mixedService: true
   type: LoadBalancer
   loadBalancerIP: 192.168.18.250
 serviceDhcp:
@@ -50,21 +52,22 @@ dnsmasq:
     - dhcp-host=B0:41:6F:0F:A0:CD,192.168.18.12,homelab-2
 hostNetwork: true
 hostname: pihole
+priviledged: true
+virtualHost: "pihole.dogar.dev"
 capabilities:
   add:
     - NET_ADMIN
 extraEnvVars:
   TZ: "Asia/Karachi"
   DNSSEC: "true"
-  FTLCONF_LOCAL_IPV4: "192.168.18.250"
+  FTLCONG_dhcp_active: "true"
+  FTLCONF_dhcp_start: "192.168.18.2"
+  FTLCONF_dhcp_end: "192.168.18.100"
+  FTLCONF_dhcp_leaseTime: "24h"
+  FTLCONF_dhcp_netmask: "255.255.255.0"
+  FTLCONF_dhcp_router: "192.168.18.1"
+  FTLCONF_dns_listeningMode: "all"
   INTERFACE: "enp1s0"
-  DNSMASQ_LISTENING: "single"
-  DHCP_ACTIVE: "true"
-  DHCP_START: "192.168.18.2"
-  DHCP_END: "192.168.18.20"
-  DHCP_ROUTER: "192.168.18.1"
-  PIHOLE_DOMAIN: "pihole.dogar.dev"
-  VIRTUAL_HOST: "pihole.dogar.dev"
 podAnnotations:
   prometheus.io/scrape: "true"
   prometheus.io/port: "9617"

main.ts

@@ -13,10 +13,10 @@ import { AuthentikServer } from "./authentik";
 import { ValkeyCluster } from "./valkey";
 import { CertManager } from "./cert-manager";
 import { Manifest } from "@cdktf/provider-kubernetes/lib/manifest";
-import { PiHole } from "./pihole";
 import { Nginx } from "./nginx";
 import { Prometheus } from "./prometheus";
 import { MetalLB } from "./metallb";
+import { PiHole } from "./pihole";
 
 dotenv.config();
 
@@ -148,16 +148,12 @@ class Homelab extends TerraformStack {
       backupR2EndpointURL: r2Endpoint,
     });
 
-    pg.node.addDependency(pihole);
-
     const valkey = new ValkeyCluster(this, "valkey-cluster", {
       provider: kubernetes,
       namespace,
       name: "valkey",
     });
 
-    valkey.node.addDependency(pihole);
-
     const authentik = new AuthentikServer(this, "authentik-server", {
       provider: helm,
       name: "authentik",

pihole/index.ts

@@ -17,7 +17,6 @@ export class PiHole extends Construct {
       ...options,
       repository: "https://mojo2600.github.io/pihole-kubernetes",
       chart: "pihole",
-      version: "2.26.1",
       values: [
         fs.readFileSync("helm/values/pihole.values.yaml", {
           encoding: "utf8",

postgres/index.ts

@@ -330,6 +330,36 @@ export class PostgresCluster extends Construct {
             replicationTLSSecret: certNames.client,
           },
           postgresql: {
+            parameters: {
+              archive_mode: "on",
+              archive_timeout: "5min",
+              checkpoint_timeout: "10min",
+              checkpoint_completion_target: "0.7",
+              dynamic_shared_memory_type: "posix",
+              full_page_writes: "on",
+              log_destination: "csvlog",
+              log_directory: "/controller/log",
+              log_filename: "postgres",
+              log_rotation_age: "0",
+              log_rotation_size: "0",
+              log_truncate_on_rotation: "false",
+              logging_collector: "on",
+              max_parallel_workers: "32",
+              max_replication_slots: "32",
+              max_wal_size: "768MB",
+              max_worker_processes: "32",
+              max_slot_wal_keep_size: "256MB",
+              min_wal_size: "128MB",
+              shared_memory_type: "mmap",
+              shared_preload_libraries: "",
+              ssl_max_protocol_version: "TLSv1.3",
+              ssl_min_protocol_version: "TLSv1.3",
+              wal_keep_size: "128MB",
+              wal_level: "logical",
+              wal_log_hints: "on",
+              wal_receiver_timeout: "5s",
+              wal_sender_timeout: "5s",
+            },
             pg_hba: [
               `hostssl all      ${options.primaryUser}   all          cert`,
               "hostssl sameuser all      all          cert",
@@ -345,15 +375,24 @@ export class PostgresCluster extends Construct {
               },
             },
           ],
-          enableSuperuserAccess: false,
+          enableSuperuserAccess: true,
+          // bootstrap: {
+          //   recovery: {
+          //     source: "clusterBackup",
+          //     database: "postgres",
+          //     owner: options.primaryUser,
+          //     secret: {
+          //       name: options.initSecretName,
+          //     },
+          //   },
+          // },
           bootstrap: {
-            recovery: {
+            initdb: {
-              source: "clusterBackup",
               database: "postgres",
-              owner: options.primaryUser,
               secret: {
                 name: options.initSecretName,
               },
+              postInitSQL: [`CREATE USER ${options.primaryUser} SUPERUSER;`],
             },
           },
           externalClusters: [
@@ -362,7 +401,7 @@ export class PostgresCluster extends Construct {
               plugin: {
                 name: "barman-cloud.cloudnative-pg.io",
                 parameters: {
-                  barmanObjectName: "r2-postgres-backup-store",
+                  barmanObjectName: barmanStoreName,
                   serverName: "postgres-cluster",
                 },
               },
@@ -401,5 +440,24 @@ export class PostgresCluster extends Construct {
         },
       },
     });
+
+    new Manifest(this, "postgres-backup-job", {
+      provider: kubernetes,
+      manifest: {
+        apiVersion: "postgresql.cnpg.io/v1",
+        kind: "ScheduledBackup",
+        metadata: {
+          name: "postgres-cluster",
+          namespace: options.namespace,
+        },
+        spec: {
+          schedule: "0 0 0 * * *", // daily at midnight
+          backupOwnerReference: "self",
+          cluster: {
+            name: options.name,
+          },
+        },
+      },
+    });
   }
 }