shahab/homelab
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: shahab:fba7ac98b7250c7929cc4b79e70bb2e153904311
Branches Tags
shahab:main
..
compare: shahab:main
Branches Tags
shahab:main

128 Commits
fba7ac98b7 ... main

Author SHA1 Message Date
Shahab Dogar
43f15c7957 feat: GoCache | deploy go package cache 2025-12-01 23:00:32 +05:00
Shahab Dogar
8dc22ff13b fix: RateLimit | increase rate limits for public usage 2025-12-01 18:44:29 +05:00
Shahab Dogar
69bdd52df6 feat: Netbird | set up netbird vpn 2025-11-29 13:20:50 +05:00
Shahab Dogar
2c57f8005d feat: MediaServices | add ingress for arr services 2025-11-29 13:20:31 +05:00
Shahab Dogar
33a8dcdaf2 fix: Traefik | abstract TLSOptions class 2025-11-29 13:20:10 +05:00
Shahab Dogar
ca8d140baf fix: Postgres | enable WAL archiver 2025-11-29 13:19:43 +05:00
Shahab Dogar
874f5e2dc2 fix: Gitea | fix internal tls cert 2025-11-29 13:19:33 +05:00
Shahab Dogar
ff2174205a feat: Traefik | add custom TLSOptions 2025-11-29 13:19:14 +05:00
Shahab Dogar
ad3478c48c sec: Traefik | disable ingressClass 2025-11-29 13:19:01 +05:00
Shahab Dogar
3f6f4550d1 chore: TFG | update to 0.11.8 2025-11-29 13:18:48 +05:00
Shahab Dogar
3c947c05ad feat: CertManager | update to latest version 
Also improve pki
 2025-11-29 13:18:34 +05:00
Shahab Dogar
a753fc0e1e fix: Utils | update public and internal cert algorithms 2025-11-24 22:08:49 +05:00
Shahab Dogar
d6c534378a chore: Minecraft | clean up old servers 2025-11-24 20:21:38 +05:00
Shahab Dogar
10ed028c4b feat: Jellyfin | enable server discovery 2025-11-24 20:20:25 +05:00
Shahab Dogar
b4e57b4f0c feat: MediaServices | deploy through cdktf 2025-11-24 12:14:27 +05:00
Shahab Dogar
d003c3f280 chore: Authentik | remove unused ingress values 2025-11-24 11:29:52 +05:00
Shahab Dogar
d75671f5dd fix: Ingress | simplify https infrastructure 2025-11-24 11:29:27 +05:00
Shahab Dogar
497331e585 feat: Minecraft | add StarTechnology server 2025-11-24 09:28:15 +05:00
Shahab Dogar
91720e6860 feat: Gitea | activate internal tls 2025-11-24 09:28:00 +05:00
Shahab Dogar
c53fe7b2d1 feat: Network | enable internal TLS 2025-11-24 09:27:48 +05:00
Shahab Dogar
bff4762e30 fix: Gitea | keep ssh ui enabled 2025-11-23 21:25:29 +05:00
Shahab Dogar
7aca7c5fe2 fix: Gitea | use gitea ssh server instead of built in ssh 2025-11-23 20:59:44 +05:00
Shahab Dogar
e1ce407b55 chore: Traefik | remove entrypoints not to be used 2025-11-23 18:19:48 +05:00
Shahab Dogar
92921568da chore: move types into project root 2025-11-23 15:33:45 +05:00
Shahab Dogar
a589671078 chore: MetalLB | move kustomize stuff into metallb dir 2025-11-23 15:33:33 +05:00
Shahab Dogar
c690ce72f5 chore: Minecraft | clean up old gtng manifests 2025-11-23 15:28:24 +05:00
Shahab Dogar
ac2153cce5 feat: GamingServices | add GTNH server 2025-11-23 15:24:45 +05:00
Shahab Dogar
78aa702fa0 chore: Minecraft | remove old TFG manifests 2025-11-23 15:20:01 +05:00
Shahab Dogar
56d1ad22ec fix: MinecraftServer | enable backups for pvcs 2025-11-23 15:19:50 +05:00
Shahab Dogar
de09ffb189 fix: MinecraftServer | ensure correct tcp routing 2025-11-23 15:16:59 +05:00
Shahab Dogar
8172a327e4 fix: MinecraftServer | use volume claim templates 2025-11-23 14:57:07 +05:00
Shahab Dogar
1bdc20b215 feat: GamingServices | add TFG server 2025-11-23 14:45:06 +05:00
Shahab Dogar
3038ddea26 feat: CoreServices | add entrypoints for minecraft servers 2025-11-23 14:44:56 +05:00
Shahab Dogar
9ac2326308 fix: Gitea | update root url 2025-11-23 13:44:18 +05:00
Shahab Dogar
7961321238 fix: delete old devpy yaml manifests 2025-11-23 13:44:11 +05:00
Shahab Dogar
a96558eb80 fix: PipCache | MUST be singleton 2025-11-23 01:23:01 +05:00
Shahab Dogar
0862e196cc fix: Traefik | external traffic policy local 2025-11-23 01:17:49 +05:00
Shahab Dogar
1205cca3d3 fix: MetalLB | do not allow running on control-plane 2025-11-23 01:17:36 +05:00
Shahab Dogar
5906fdc2b4 fix: NetworkSecurity | incorrect IP cidr in allow list 2025-11-23 01:04:28 +05:00
Shahab Dogar
008ef748c6 fix: PipCache | must be singleton 2025-11-23 01:04:17 +05:00
Shahab Dogar
2b49cc4ce1 feat: PipCache | add pip cache 2025-11-23 00:42:39 +05:00
Shahab Dogar
d1260ecb8b chore: delete old npmcache yaml 2025-11-23 00:27:38 +05:00
Shahab Dogar
945be1fa0a feat: Cache | implement npm cache 2025-11-23 00:20:55 +05:00
Shahab Dogar
c4a94772d9 feat: NetworkSecurity | add secure routes for longhorn+grafana 2025-11-23 00:20:36 +05:00
Shahab Dogar
5d87f6ae52 fix: Valkey | add user shahab with password 2025-11-23 00:20:22 +05:00
Shahab Dogar
433193fff4 fix: Traefik | enable cross namespace middleware refs 2025-11-23 00:19:58 +05:00
Shahab Dogar
84eb44a147 feat: add network security stack 2025-11-22 23:21:40 +05:00
Shahab Dogar
5b6f0398f9 fix: NixCache | remove insecure ingress and use secure one 2025-11-22 23:21:30 +05:00
Shahab Dogar
244accede7 fix: Longhorn | remove insecure ingress 2025-11-22 23:21:09 +05:00
Shahab Dogar
a7d4878365 chore: CertManager | remove import calls 2025-11-22 23:21:01 +05:00
Shahab Dogar
454b299e1c fix: Prometheus | remove insecure grafana ingress 2025-11-22 23:20:41 +05:00
Shahab Dogar
b2fd9d100a feat: 1PasswordOperator | add to k8s operators stack 2025-11-22 23:20:22 +05:00
Shahab Dogar
65ed6ea664 fix: UtilityServices | use secure ingress routes 2025-11-22 23:19:44 +05:00
Shahab Dogar
4def414c16 feat: NetworkSecurity | add traefik middleware and valkey 2025-11-22 23:19:14 +05:00
Shahab Dogar
4f5fbcf83a feat: Utils | add public and internal ingress routes 2025-11-22 23:18:56 +05:00
Shahab Dogar
35c3c70b08 chore: delete old gitea runner yaml 2025-11-22 20:28:20 +05:00
Shahab Dogar
f5d65d8ab9 fix: NixCache | use LonghornPVC construct for storage 2025-11-22 20:27:57 +05:00
Shahab Dogar
80219a3d0a feat: Utils | add high level longhorn pvc construct 2025-11-22 20:27:36 +05:00
Shahab Dogar
e8caa6a23d chore: Utils | use types not interfaces 2025-11-22 20:27:22 +05:00
Shahab Dogar
3c31105fc6 feat: Gitea | add runners to utility-services stack 
TBD if they will stay here
 2025-11-22 20:27:04 +05:00
Shahab Dogar
2f0b9af67c feat: TerraformState | move to storage in R2 2025-11-22 19:31:08 +05:00
Shahab Dogar
3d0585e0d8 chore: Postgres | move to utility services stack 2025-11-22 19:30:54 +05:00
Shahab Dogar
772bcd441a feat: DynamicDNS | add to utility-services stack 2025-11-22 19:30:34 +05:00
Shahab Dogar
f46833571c feat: CoreServices | move into separate stack 2025-11-22 19:30:09 +05:00
Shahab Dogar
1671f9619c fix: Gitea | use IngressRoute instead of ingress resource 2025-11-22 18:08:00 +05:00
Shahab Dogar
3b439344f5 fix: Authentik | use IngressRoute instead of Ingress 2025-11-22 18:04:54 +05:00
Shahab Dogar
ed8b6403cd fix: Grafana | use IngressRoute instead of Ingress 2025-11-22 18:01:33 +05:00
Shahab Dogar
a25c25afc4 feat: organize all services into separate stacks by dependency 2025-11-22 17:51:58 +05:00
Shahab Dogar
06a316f1e6 feat: NixCache | pull nix cache out into its own stack 2025-11-22 13:04:04 +05:00
Shahab Dogar
49c9f7f27f feat: Traefik | add ingress route construct with certificate construct 2025-11-22 13:03:42 +05:00
Shahab Dogar
dc349f1d84 chore: Traefik | move values.yaml into construct directory 2025-11-22 13:03:22 +05:00
Shahab Dogar
10d83ddc04 feat: Nginx | DELETE! 2025-11-22 13:02:52 +05:00
Shahab Dogar
e24dd5ebc3 feat: ExternalDNS | DELETE! 2025-11-22 13:02:37 +05:00
Shahab Dogar
7a03874033 fix: Gitea | use non tls internally 2025-11-22 05:04:56 +05:00
Shahab Dogar
11bf756add fix: Gitea | add ssh tcp ingress route for traefik 2025-11-22 05:01:28 +05:00
Shahab Dogar
2d93965900 feat: DevPy | switch ingress to traefik 2025-11-19 20:53:08 +05:00
Shahab Dogar
5f83143d91 feat: NpmCache | swap ingress to traefik 2025-11-19 20:44:28 +05:00
Shahab Dogar
55d3ba0acc feat: Grafana | swap ingress over to traefik 2025-11-19 20:44:16 +05:00
Shahab Dogar
53f414f97d feat: Gitea | swap ingress to traefik 2025-11-19 20:44:05 +05:00
Shahab Dogar
48d4950632 feat: Authentik | swap ingress to traefik 2025-11-19 20:21:55 +05:00
Shahab Dogar
0dde41e79e chore: ExternalDNS | faster dns updates 2025-11-19 20:21:11 +05:00
Shahab Dogar
8955455af2 chore: Longhorn | switch UI to traefik ingress 2025-11-19 20:05:09 +05:00
Shahab Dogar
451bbc6de0 feat: ExternalDNS | add traefik ingresses to monitored dns names 2025-11-19 20:04:55 +05:00
Shahab Dogar
fabede0953 feat: Traefik | add traefik ingress class 2025-11-19 18:09:53 +05:00
Shahab Dogar
6b1439dcd4 fix: NpmCache | add dns name and fix ingress class 2025-11-17 13:23:53 +05:00
Shahab Dogar
c91d517169 fix: LocalCaches | use RWX and fix verdaccio config 2025-11-17 12:57:32 +05:00
Shahab Dogar
9b273d5eb9 feat: NpmCache | set up kinda sorta HA npm cache 2025-11-17 12:35:39 +05:00
Shahab Dogar
22b5e47acb fix: DevPy | kinda sorta HA 2025-11-17 12:35:29 +05:00
Shahab Dogar
7ded790679 feat: DevPi | configure local pip cache behind pip.dogar.dev 2025-11-17 10:32:09 +05:00
Shahab Dogar
e50ab36ee6 fix: Longhorn | enable service monitor + fix backup target trailing / 2025-11-16 21:48:20 +05:00
Shahab Dogar
132712f1c0 sec: Ingress | disallow AI bots crawling all domains on all paths 2025-11-16 21:45:28 +05:00
Shahab Dogar
afb9447dca feat: Minecraft | specify longhorn storage class + add star technology 2025-11-16 20:12:09 +05:00
Shahab Dogar
2a62d2db3c feat: Gitea | set up gravatar integration 2025-11-16 12:57:59 +05:00
Shahab Dogar
cfe7830606 feat: Gitea | set up minio storage pointing at R2 2025-11-16 12:30:27 +05:00
Shahab Dogar
0d6c5d4a98 chore: Media | scale up storage 2025-11-16 05:48:47 +05:00
Shahab Dogar
0900a9d045 fix: incorrect labels for longhorn backup 2025-11-16 05:21:07 +05:00
Shahab Dogar
96a900c265 chore: Gitea | enable metrics scraping for issues and repos 2025-11-15 16:50:40 +05:00
Shahab Dogar
5ee369e563 fix: Gitea | use sslmode verify-full for postgres 2025-11-15 16:33:24 +05:00
Shahab Dogar
e473f26ece fix: Gitea | scale down to 3 runners 2025-11-15 16:30:35 +05:00
Shahab Dogar
865bb6cc5f fix: Authentik | set topology spread on authentik 2025-11-15 16:30:28 +05:00
Shahab Dogar
40c81382f7 fix: Nginx | set topology spread on ingress controller 2025-11-15 16:24:57 +05:00
Shahab Dogar
65fb2c8f64 fix: Gitea | set topology spread on actions runners 2025-11-15 16:23:02 +05:00
Shahab Dogar
bba5cbcb80 fix: Gitea | move actions onto worker nodepool with longhorn storage 2025-11-15 16:07:07 +05:00
Shahab Dogar
5d95773722 feat: total revamp of homelab configuration 2025-11-15 13:22:49 +05:00
Shahab Dogar
c59ee18d09 fix: Postgres | finally get backups and restores properly up and running 2025-11-15 13:22:37 +05:00
Shahab Dogar
72b006a7e4 feat: Minecraft | add ATM10 and enable backups 2025-11-15 13:22:23 +05:00
Shahab Dogar
0b01f40ac8 feat: Media | add jellyfin and related services for home media system 2025-11-15 13:22:02 +05:00
Shahab Dogar
d17c8b1b34 feat: Nginx | add local nix cache behind reverse proxy 2025-11-15 13:21:44 +05:00
Shahab Dogar
5ee891fe2b sec: NixOS | remove nixos configuration and move to nix-config repo 2025-11-15 13:21:18 +05:00
Shahab Dogar
d1aae53fa6 fix: longhorn | update to 1.10.0 and use longhorn-system namespace 2025-11-15 13:20:51 +05:00
Shahab Dogar
6c419454d8 fix: MetalLB | move into metallb-system namespace 2025-11-15 13:20:25 +05:00
Shahab Dogar
706cd8e919 fix: Gitea | switch to regular longhorn storage class 2025-11-15 13:19:20 +05:00
Shahab Dogar
c0e0d74e4f fix: move longhorn onto worker nodepool and update backup target 2025-11-15 13:17:19 +05:00
Shahab Dogar
74707a469c chore: better resource ids for valkey resources 2025-11-15 13:16:31 +05:00
Shahab Dogar
3b9a75c7ba chore: update flake lock 2025-11-15 13:16:15 +05:00
Shahab Dogar
db25a0ea79 fix: update external dns and move pihole out of k8s cluster 2025-11-15 13:16:04 +05:00
Shahab Dogar
22586fbdd3 fix: update ddns config to include nix cache and add node selector 2025-11-15 13:14:46 +05:00
Shahab Dogar
8256f42761 fix: add second cloudflare token in longhorn-system namespace 2025-11-15 13:14:31 +05:00
Shahab Dogar
b83f9521b0 fix lab 2025-10-25 16:13:09 +05:00
Shahab Dogar
5438278058 fix: ExternalDNS | update to support pihole 6 2025-10-15 17:45:54 +05:00
Shahab Dogar
0696f199cd chore: use system version of kubectl 2025-10-15 15:39:56 +05:00
Shahab Dogar
7c0edd8fd4 fix: PiHole | use latest version 2025-10-15 15:39:13 +05:00
Shahab Dogar
fd5259988e fix: PiHole | unencrypted pvc for easy expansion 2025-10-15 15:39:05 +05:00
Shahab Dogar
1c9b31076c fix: Pihole | increase pvc size to 10G 2025-10-15 15:11:27 +05:00
Shahab Dogar
ba5494becb fix: Postgres | adjust postgres.conf params for smaller wal size + defaults 2025-10-15 13:29:21 +05:00
Shahab Dogar
ea384e285e fix: Gitea | fix docker host socket 2025-10-12 18:20:54 +05:00
Shahab Dogar
1a2a24e965 fix: Gitea | adjust resource limits and requests 2025-10-12 08:16:49 +05:00
Shahab Dogar
e830694d8b chore: Gitea | increase memory limits 2025-10-12 07:49:40 +05:00
100 changed files with 5923 additions and 1677 deletions
Expand all files Collapse all files

48
1password/index.ts
View File

@@ -1,48 +0,0 @@
import * as fs from "fs";
import { Construct } from "constructs";
import { Manifest } from "@cdktf/provider-kubernetes/lib/manifest";
import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
type OnePasswordSecret = {
id?: string;
namespace?: string;
name: string;
itemPath: string;
};
type OnePasswordOptions = {
provider: KubernetesProvider;
namespace: string;
};
export class OnePassword extends Construct {
constructor(scope: Construct, id: string, options: OnePasswordOptions) {
super(scope, id);
const secrets: OnePasswordSecret[] = JSON.parse(
fs.readFileSync("1password/secrets.json", {
encoding: "utf8",
}),
);
secrets.forEach((secret) => {
new Manifest(this, secret.id ?? secret.name, {
provider: options.provider,
manifest: {
apiVersion: "onepassword.com/v1",
kind: "OnePasswordItem",
metadata: {
name: secret.name,
namespace: secret.namespace ?? options.namespace,
annotations: {
"operator.1password.io/auto-restart": "true",
},
},
spec: {
itemPath: secret.itemPath,
},
},
});
});
}
}

50
1password/secrets.json
View File

@@ -1,50 +0,0 @@
[
{
"name": "gitea-admin",
"itemPath": "vaults/Lab/items/gitea-admin"
},
{
"name": "pihole-admin",
"itemPath": "vaults/Lab/items/pihole"
},
{
"name": "postgres-password",
"itemPath": "vaults/Lab/items/Postgres"
},
{
"name": "runner-secret",
"itemPath": "vaults/Lab/items/Gitea"
},
{
"name": "cloudflare-token",
"itemPath": "vaults/Lab/items/cloudflare"
},
{
"name": "valkey",
"itemPath": "vaults/Lab/items/valkey"
},
{
"name": "gitea-oauth",
"itemPath": "vaults/Lab/items/gitea-oauth"
},
{
"name": "gitea-elasticsearch",
"itemPath": "vaults/Lab/items/gitea-elasticsearch"
},
{
"name": "smtp-token",
"itemPath": "vaults/Lab/items/smtp-token"
},
{
"name": "longhorn-encryption",
"itemPath": "vaults/Lab/items/longhorn-encryption"
},
{
"name": "authentik-secret-key",
"itemPath": "vaults/Lab/items/authentik-secret-key"
},
{
"name": "curseforge",
"itemPath": "vaults/Lab/items/curseforge"
}
]

28
authentik/index.ts
View File

@@ -1,28 +0,0 @@
import * as fs from "fs";
import { HelmProvider } from "@cdktf/provider-helm/lib/provider";
import { Release } from "@cdktf/provider-helm/lib/release";
import { Construct } from "constructs";
type AuthentikServerOptions = {
provider: HelmProvider;
name: string;
namespace: string;
};
export class AuthentikServer extends Construct {
constructor(scope: Construct, id: string, options: AuthentikServerOptions) {
super(scope, id);
new Release(this, id, {
...options,
repository: "https://charts.goauthentik.io",
chart: "authentik",
createNamespace: true,
values: [
fs.readFileSync("helm/values/authentik.values.yaml", {
encoding: "utf8",
}),
],
});
}
}

1085
barman.yaml Normal file
View File

File diff suppressed because it is too large Load Diff

41
cache-infrastructure/go/index.ts Normal file
View File

@@ -0,0 +1,41 @@
import * as fs from "fs";
import * as path from "path";
import { Release } from "@cdktf/provider-helm/lib/release";
import { Construct } from "constructs";
import { PublicIngressRoute } from "../../utils";
import { Providers } from "../../types";
type GoCacheOptions = {
providers: Providers;
namespace: string;
name: string;
host: string;
};
export class GoCache extends Construct {
constructor(scope: Construct, id: string, opts: GoCacheOptions) {
super(scope, id);
const { namespace, name, host } = opts;
const { helm, kubernetes } = opts.providers;
new Release(this, "helm-release", {
provider: helm,
name,
namespace,
repository: "https://gomods.github.io/athens-charts",
chart: "athens-proxy",
values: [fs.readFileSync(path.join(__dirname, "values.yaml"), "utf8")],
});
new PublicIngressRoute(this, "ingress", {
provider: kubernetes,
namespace,
name,
host,
serviceName: `${name}-athens-proxy`,
servicePort: 80,
});
}
}

20
cache-infrastructure/go/values.yaml Normal file
View File

@@ -0,0 +1,20 @@
replicaCount: 3
image:
runAsNonRoot: true
nodeSelector:
nodepool: worker
strategy:
type: Recreate
storage:
disk:
persistence:
enabled: true
accessMode: ReadWriteMany
size: 64Gi
storageClass: longhorn
configEnvVars:
- name: ATHENS_DOWNLOAD_MODE
value: "sync"
upstreamProxy:
enabled: true
url: "https://proxy.golang.org"

65
cache-infrastructure/index.ts Normal file
View File

@@ -0,0 +1,65 @@
import { Construct } from "constructs";
import { TerraformStack } from "cdktf";
import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
import { NamespaceV1 } from "@cdktf/provider-kubernetes/lib/namespace-v1";
import { NixCache } from "./nix";
import { NpmCache } from "./npm";
import { PipCache } from "./pip";
import { GoCache } from "./go";
import { HelmProvider } from "@cdktf/provider-helm/lib/provider";
export class CacheInfrastructure extends TerraformStack {
constructor(scope: Construct, id: string) {
super(scope, id);
const kubernetes = new KubernetesProvider(this, "kubernetes", {
configPath: "~/.kube/config",
});
const helm = new HelmProvider(this, "helm", {
kubernetes: {
configPath: "~/.kube/config",
},
});
const namespace = "package-cache";
new NamespaceV1(this, "package-cache-namespace", {
metadata: {
name: namespace,
},
});
// Add cache-related infrastructure components here
new NixCache(this, "nix-cache", {
provider: kubernetes,
namespace,
name: "nix-cache",
host: "nix.dogar.dev",
});
new NpmCache(this, "npm-cache", {
provider: kubernetes,
namespace,
name: "npm-cache",
host: "npm.dogar.dev",
});
new PipCache(this, "pip-cache", {
provider: kubernetes,
namespace,
name: "pip-cache",
host: "pip.dogar.dev",
});
new GoCache(this, "go-cache", {
providers: {
kubernetes,
helm,
},
namespace,
name: "go-cache",
host: "go.dogar.dev",
});
}
}

140
cache-infrastructure/nix/index.ts Normal file
View File

@@ -0,0 +1,140 @@
import * as fs from "fs";
import * as path from "path";
import { Construct } from "constructs";
import { ConfigMapV1 } from "@cdktf/provider-kubernetes/lib/config-map-v1";
import { DeploymentV1 } from "@cdktf/provider-kubernetes/lib/deployment-v1";
import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
import { ServiceV1 } from "@cdktf/provider-kubernetes/lib/service-v1";
import { PublicIngressRoute, LonghornPvc } from "../../utils";
type NixCacheOptions = {
provider: KubernetesProvider;
name: string;
namespace: string;
host: string;
};
export class NixCache extends Construct {
constructor(scope: Construct, id: string, options: NixCacheOptions) {
super(scope, id);
const { provider, name, namespace, host } = options;
const pvc = new LonghornPvc(this, "pvc", {
provider,
name,
namespace,
accessModes: ["ReadWriteMany"],
size: "64Gi",
});
const nginxConfig = fs.readFileSync(
path.join(__dirname, "./nginx.conf"),
"utf-8",
);
new ConfigMapV1(this, "config", {
provider,
metadata: {
name,
namespace,
},
data: {
"nix-cache.conf": nginxConfig,
},
});
new ServiceV1(this, "service", {
provider,
metadata: {
name,
namespace,
},
spec: {
selector: {
app: name,
},
port: [
{
name: "http",
port: 80,
targetPort: "80",
},
],
type: "ClusterIP",
},
});
new DeploymentV1(this, "deployment", {
provider,
metadata: {
name,
namespace,
},
spec: {
replicas: "3",
selector: {
matchLabels: {
app: name,
},
},
template: {
metadata: {
labels: {
app: name,
},
},
spec: {
container: [
{
name: "nginx",
image: "nginx:latest",
volumeMount: [
{
name: "cache",
mountPath: "/var/cache/nginx/nix",
},
{
name: "nginx-config",
mountPath: "/etc/nginx/conf.d/nix-cache.conf",
subPath: "nix-cache.conf",
},
],
},
],
volume: [
{
name: "cache",
persistentVolumeClaim: {
claimName: pvc.name,
},
},
{
name: "nginx-config",
configMap: {
name,
items: [
{
key: "nix-cache.conf",
path: "nix-cache.conf",
},
],
},
},
],
},
},
},
});
new PublicIngressRoute(this, "ingress-route", {
provider,
name,
namespace,
host,
serviceName: name,
servicePort: 80,
});
}
}

32
cache-infrastructure/nix/nginx.conf Normal file
View File

@@ -0,0 +1,32 @@
proxy_cache_path /var/cache/nginx/nix levels=1:2 keys_zone=nix_cache:32m max_size=60g inactive=365d use_temp_path=off;
map $status $cache_header {
200 "public";
302 "public";
default "no-cache";
}
server {
listen 80;
server_name nix.dogar.dev;
location / {
proxy_pass https://cache.nixos.org;
proxy_http_version 1.1;
proxy_set_header Host cache.nixos.org;
proxy_set_header X-Real-IP $remote_addr;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_ssl_server_name on;
proxy_cache nix_cache;
proxy_cache_valid 200 302 365d;
proxy_cache_valid any 1m;
proxy_cache_use_stale error timeout updating http_500 http_502 http_503 http_504;
add_header X-Cache-Status $upstream_cache_status always;
add_header Cache-Control $cache_header always;
}
}

19
cache-infrastructure/npm/config.yaml Normal file
View File

@@ -0,0 +1,19 @@
storage: /verdaccio/storage
uplinks:
npmjs:
url: https://registry.npmjs.org/
packages:
"@*/*":
access: $all
publish: never
proxy: npmjs
"**":
access: $all
publish: never
proxy: npmjs
log:
- {type: stdout, format: pretty, level: http}

184
cache-infrastructure/npm/index.ts Normal file
View File

@@ -0,0 +1,184 @@
import * as fs from "fs";
import * as path from "path";
import { Construct } from "constructs";
import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
import { DeploymentV1 } from "@cdktf/provider-kubernetes/lib/deployment-v1";
import { ServiceV1 } from "@cdktf/provider-kubernetes/lib/service-v1";
import { ConfigMapV1 } from "@cdktf/provider-kubernetes/lib/config-map-v1";
import { LonghornPvc, PublicIngressRoute } from "../../utils";
type NpmCacheOptions = {
provider: KubernetesProvider;
namespace: string;
host: string;
name: string;
};
export class NpmCache extends Construct {
constructor(scope: Construct, id: string, opts: NpmCacheOptions) {
super(scope, id);
const { provider, namespace, name, host } = opts;
new ConfigMapV1(this, "config", {
provider,
metadata: {
name,
namespace,
},
data: {
"config.yaml": fs.readFileSync(
path.join(__dirname, "config.yaml"),
"utf8",
),
},
});
const pvc = new LonghornPvc(this, "pvc", {
provider,
namespace,
name,
size: "128Gi",
accessModes: ["ReadWriteMany"],
});
new ServiceV1(this, "service", {
provider,
metadata: {
name,
namespace,
},
spec: {
selector: {
app: name,
},
port: [
{
port: 4873,
targetPort: name,
},
],
type: "ClusterIP",
},
});
new DeploymentV1(this, "deployment", {
provider,
metadata: {
name,
namespace,
},
spec: {
replicas: "3",
selector: {
matchLabels: {
app: name,
},
},
template: {
metadata: {
labels: {
app: name,
},
},
spec: {
nodeSelector: {
nodepool: "worker",
},
topologySpreadConstraint: [
{
maxSkew: 1,
topologyKey: "kubernetes.io/hostname",
whenUnsatisfiable: "DoNotSchedule",
labelSelector: [
{
matchLabels: {
app: name,
},
},
],
},
],
affinity: {
podAntiAffinity: {
requiredDuringSchedulingIgnoredDuringExecution: [
{
topologyKey: "kubernetes.io/hostname",
labelSelector: [
{
matchExpressions: [
{
key: "app",
operator: "In",
values: [name],
},
],
},
],
},
],
},
},
volume: [
{
name: "storage",
persistentVolumeClaim: {
claimName: pvc.name,
},
},
{
name: "config",
configMap: {
name,
},
},
],
container: [
{
name,
image: "verdaccio/verdaccio:latest",
env: [
{
name: "VERDACCIO_APP_CONFIG",
value: "/verdaccio/conf/custom.yaml",
},
{
name: "VERDACCIO_PORT",
value: "4873",
},
],
port: [
{
name,
containerPort: 4873,
},
],
volumeMount: [
{
name: "storage",
mountPath: "/verdaccio/storage",
},
{
name: "config",
mountPath: "/verdaccio/conf/config.yaml",
subPath: "config.yaml",
},
],
},
],
},
},
},
});
new PublicIngressRoute(this, "ingress", {
provider,
namespace,
name,
host,
serviceName: name,
servicePort: 4873,
});
}
}

136
cache-infrastructure/pip/index.ts Normal file
View File

@@ -0,0 +1,136 @@
import { Construct } from "constructs";
import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
import { DeploymentV1 } from "@cdktf/provider-kubernetes/lib/deployment-v1";
import { ServiceV1 } from "@cdktf/provider-kubernetes/lib/service-v1";
import {
LonghornPvc,
OnePasswordSecret,
PublicIngressRoute,
} from "../../utils";
type PipCacheOptions = {
provider: KubernetesProvider;
namespace: string;
name: string;
host: string;
};
export class PipCache extends Construct {
constructor(scope: Construct, id: string, opts: PipCacheOptions) {
super(scope, id);
const { provider, namespace, name, host } = opts;
new OnePasswordSecret(this, "devpi-secret", {
provider,
namespace,
name: "devpi",
itemPath: "vaults/Lab/items/devpi",
});
const pvc = new LonghornPvc(this, "pvc", {
provider,
namespace,
name,
size: "128Gi",
});
new DeploymentV1(this, "deployment", {
provider,
metadata: {
name,
namespace,
},
spec: {
replicas: "1",
strategy: {
type: "Recreate",
},
selector: {
matchLabels: {
app: name,
},
},
template: {
metadata: {
labels: {
app: name,
},
},
spec: {
nodeSelector: {
nodepool: "worker",
},
volume: [
{
name: "data",
persistentVolumeClaim: {
claimName: pvc.name,
},
},
],
container: [
{
name,
image: "jonasal/devpi-server:latest",
env: [
{
name: "DEVPI_PASSWORD",
valueFrom: {
secretKeyRef: {
name: "devpi",
key: "password",
},
},
},
],
port: [
{
name,
containerPort: 3141,
},
],
volumeMount: [
{
name: "data",
mountPath: "/devpi",
},
],
},
],
},
},
},
});
new ServiceV1(this, "service", {
provider,
metadata: {
name,
namespace,
},
spec: {
selector: {
app: name,
},
port: [
{
port: 3141,
targetPort: name,
},
],
type: "ClusterIP",
},
});
new PublicIngressRoute(this, "ingress", {
provider,
namespace,
name,
host,
serviceName: name,
servicePort: 3141,
});
}
}

133
cert-manager/index.ts
View File

@@ -1,133 +0,0 @@
import * as fs from "fs";
import { HelmProvider } from "@cdktf/provider-helm/lib/provider";
import { Release } from "@cdktf/provider-helm/lib/release";
import { Construct } from "constructs";
import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
import { Manifest } from "@cdktf/provider-kubernetes/lib/manifest";
type CertManagerOptions = {
providers: {
kubernetes: KubernetesProvider;
helm: HelmProvider;
};
version: string;
name: string;
namespace: string;
certManagerApiVersion: string;
};
export class CertManager extends Construct {
constructor(scope: Construct, id: string, options: CertManagerOptions) {
super(scope, id);
const { helm, kubernetes } = options.providers;
const { certManagerApiVersion } = options;
new Release(this, id, {
provider: helm,
name: options.name,
namespace: options.namespace,
version: options.version,
repository: "https://charts.jetstack.io",
chart: "cert-manager",
createNamespace: true,
values: [
fs.readFileSync("helm/values/cert-manager.values.yaml", {
encoding: "utf8",
}),
],
});
// Self-signed ClusterIssuer for initial CA
new Manifest(this, "ca-issuer", {
provider: kubernetes,
manifest: {
apiVersion: certManagerApiVersion,
kind: "ClusterIssuer",
metadata: {
name: "ca-issuer",
},
spec: {
selfSigned: {},
},
},
});
// Self-signed CA Certificate
new Manifest(this, "selfsigned-ca", {
provider: kubernetes,
manifest: {
apiVersion: certManagerApiVersion,
kind: "Certificate",
metadata: {
name: "selfsigned-ca",
namespace: options.namespace,
},
spec: {
isCA: true,
commonName: "Shahab Dogar",
secretName: "root-secret",
privateKey: {
algorithm: "ECDSA",
size: 256,
},
issuerRef: {
name: "ca-issuer",
kind: "ClusterIssuer",
group: "cert-manager.io",
},
},
},
});
// CA-based ClusterIssuer
new Manifest(this, "cluster-issuer", {
provider: kubernetes,
manifest: {
apiVersion: certManagerApiVersion,
kind: "ClusterIssuer",
metadata: {
name: "cluster-issuer",
},
spec: {
ca: {
secretName: "root-secret",
},
},
},
});
// Cloudflare ACME ClusterIssuer
new Manifest(this, "cloudflare-issuer", {
provider: kubernetes,
manifest: {
apiVersion: certManagerApiVersion,
kind: "ClusterIssuer",
metadata: {
name: "cloudflare-issuer",
},
spec: {
acme: {
email: "shahab@dogar.dev",
server: "https://acme-v02.api.letsencrypt.org/directory",
privateKeySecretRef: {
name: "cloudflare-cluster-issuer-account-key",
},
solvers: [
{
dns01: {
cloudflare: {
apiTokenSecretRef: {
name: "cloudflare-token",
key: "token",
},
},
},
},
],
},
},
},
});
}
}

86
cloudflare/ddns.yaml
View File

@@ -1,86 +0,0 @@
---
apiVersion: v1
kind: ConfigMap
metadata:
name: cloudflare-domains-config
namespace: homelab
data:
DOMAINS: "auth.dogar.dev,grafana.dogar.dev"
PROXIED: "true"
---
apiVersion: v1
kind: ConfigMap
metadata:
name: cloudflare-domains-config-non-proxied
namespace: homelab
data:
DOMAINS: "dogar.dev,git.dogar.dev"
PROXIED: "false"
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: cloudflare-ddns
namespace: homelab
spec:
replicas: 1
selector:
matchLabels:
app: cloudflare-ddns
template:
metadata:
labels:
app: cloudflare-ddns
spec:
containers:
- name: cloudflare-ddns
image: favonia/cloudflare-ddns:latest
env:
- name: CLOUDFLARE_API_TOKEN
valueFrom:
secretKeyRef:
name: cloudflare-token
key: token
- name: DOMAINS
valueFrom:
configMapKeyRef:
name: cloudflare-domains-config
key: DOMAINS
- name: UPDATE_TIMEOUT
value: "30s"
- name: IP6_PROVIDER
value: "none"
---
apiVersion: apps/v1
kind: Deployment
metadata:
name: cloudflare-ddns-non-proxied
namespace: homelab
spec:
replicas: 1
selector:
matchLabels:
app: cloudflare-ddns
template:
metadata:
labels:
app: cloudflare-ddns
spec:
containers:
- name: cloudflare-ddns-non-proxied
image: favonia/cloudflare-ddns:latest
env:
- name: CLOUDFLARE_API_TOKEN
valueFrom:
secretKeyRef:
name: cloudflare-token
key: token
- name: DOMAINS
valueFrom:
configMapKeyRef:
name: cloudflare-domains-config-non-proxied
key: DOMAINS
- name: UPDATE_TIMEOUT
value: "30s"
- name: IP6_PROVIDER
value: "none"

19
gitea/index.ts → core-services/cert-manager/index.ts
View File

@@ -1,25 +1,30 @@
import * as fs from "fs"; import * as fs from "fs";
import * as path from "path";
import { HelmProvider } from "@cdktf/provider-helm/lib/provider"; import { HelmProvider } from "@cdktf/provider-helm/lib/provider";
import { Release } from "@cdktf/provider-helm/lib/release"; import { Release } from "@cdktf/provider-helm/lib/release";
import { Construct } from "constructs"; import { Construct } from "constructs";
type GiteaServerOptions = { type CertManagerOptions = {
provider: HelmProvider; provider: HelmProvider;
name: string; name: string;
namespace: string; namespace: string;
}; };
export class GiteaServer extends Construct { export class CertManager extends Construct {
constructor(scope: Construct, id: string, options: GiteaServerOptions) { constructor(scope: Construct, id: string, options: CertManagerOptions) {
super(scope, id); super(scope, id);
const { namespace, name, provider } = options;
new Release(this, id, { new Release(this, id, {
...options, provider,
repository: "https://dl.gitea.com/charts", name,
chart: "gitea", namespace,
repository: "https://charts.jetstack.io",
chart: "cert-manager",
createNamespace: true, createNamespace: true,
values: [ values: [
fs.readFileSync("helm/values/gitea.values.yaml", { fs.readFileSync(path.join(__dirname, "values.yaml"), {
encoding: "utf8", encoding: "utf8",
}), }),
], ],

4
helm/values/cert-manager.values.yaml → core-services/cert-manager/values.yaml
View File

@@ -1,6 +1,8 @@
crds: crds:
enabled: true enabled: true
keep: true
prometheus: prometheus:
enabled: false enabled: true
webhook: webhook:
timeoutSeconds: 4 timeoutSeconds: 4
enableCertificateOwnerRef: true

64
core-services/index.ts Normal file
View File

@@ -0,0 +1,64 @@
import { HelmProvider } from "@cdktf/provider-helm/lib/provider";
import { NamespaceV1 } from "@cdktf/provider-kubernetes/lib/namespace-v1";
import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
import { TerraformOutput, TerraformStack } from "cdktf";
import { Construct } from "constructs";
import { Longhorn } from "./longhorn";
import { MetalLB } from "./metallb";
import { Traefik } from "./traefik";
import { CertManager } from "./cert-manager";
export class CoreServices extends TerraformStack {
constructor(scope: Construct, id: string) {
super(scope, id);
const kubernetes = new KubernetesProvider(this, "kubernetes", {
configPath: "~/.kube/config",
});
const helm = new HelmProvider(this, "helm", {
kubernetes: {
configPath: "~/.kube/config",
},
});
const namespace = "homelab";
new NamespaceV1(this, "namespace", {
provider: kubernetes,
metadata: {
name: namespace,
},
}).importFrom("homelab");
new TerraformOutput(this, "namespace-output", {
value: namespace,
});
new Longhorn(this, "longhorn", {
name: "longhorn",
providers: {
kubernetes,
helm,
},
});
new MetalLB(this, "metallb", {
provider: helm,
name: "metallb",
namespace: "metallb-system",
});
new Traefik(this, "traefik", {
provider: helm,
namespace,
name: "traefik",
});
new CertManager(this, "cert-manager", {
provider: helm,
name: "cert-manager",
namespace,
});
}
}

56
core-services/longhorn/index.ts Normal file
View File

@@ -0,0 +1,56 @@
import * as fs from "fs";
import * as path from "path";
import { HelmProvider } from "@cdktf/provider-helm/lib/provider";
import { Release } from "@cdktf/provider-helm/lib/release";
import { Construct } from "constructs";
import { Manifest } from "@cdktf/provider-kubernetes/lib/manifest";
import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
type LonghornOptions = {
providers: {
kubernetes: KubernetesProvider;
helm: HelmProvider;
};
name: string;
};
export class Longhorn extends Construct {
constructor(scope: Construct, id: string, options: LonghornOptions) {
super(scope, id);
const { helm, kubernetes } = options.providers;
const namespace = "longhorn-system";
new Release(this, id, {
name: options.name,
namespace,
provider: helm,
repository: "https://charts.longhorn.io",
chart: "longhorn",
createNamespace: true,
values: [
fs.readFileSync(path.join(__dirname, "values.yaml"), {
encoding: "utf8",
}),
],
});
new Manifest(this, "recurring-backup-job", {
provider: kubernetes,
manifest: {
apiVersion: "longhorn.io/v1beta2",
kind: "RecurringJob",
metadata: {
name: "daily-backup",
namespace,
},
spec: {
cron: "0 0 * * *",
task: "backup",
retain: 7,
concurrency: 3,
},
},
});
}
}

19
core-services/longhorn/values.yaml Normal file
View File

@@ -0,0 +1,19 @@
global:
nodeSelector:
nodepool: worker
defaultSettings:
defaultReplicaCount: "3"
storageOverProvisioningPercentage: "100"
backupCompressionMethod: "gzip"
replicaSoftAntiAffinity: "true"
concurrentReplicaRebuildPerNodeLimit: "1"
replicaReplenishmentWaitInterval: "600"
disableSchdedulingOnCordonedNode: "true"
defaultBackupStore:
backupTarget: "s3://longhorn-backups@auto/"
backupTargetCredentialSecret: cloudflare-token
metrics:
serviceMonitor:
enabled: true
ingress:
enabled: false

3
metallb/index.ts → core-services/metallb/index.ts
View File

@@ -1,3 +1,5 @@
import * as fs from "fs";
import * as path from "path";
import { HelmProvider } from "@cdktf/provider-helm/lib/provider"; import { HelmProvider } from "@cdktf/provider-helm/lib/provider";
import { Release } from "@cdktf/provider-helm/lib/release"; import { Release } from "@cdktf/provider-helm/lib/release";
import { Construct } from "constructs"; import { Construct } from "constructs";
@@ -17,6 +19,7 @@ export class MetalLB extends Construct {
repository: "https://metallb.github.io/metallb", repository: "https://metallb.github.io/metallb",
chart: "metallb", chart: "metallb",
createNamespace: true, createNamespace: true,
values: [fs.readFileSync(path.join(__dirname, "values.yaml"), "utf8")],
}); });
} }
} }

3
kustomize/kustomization.yaml → core-services/metallb/kustomize/kustomization.yaml
View File

@@ -1,6 +1,7 @@
apiVersion: kustomize.config.k8s.io/v1beta1 apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
commonLabels: metadata:
labels:
app.kubernetes.io/managed-by: Kustomize app.kubernetes.io/managed-by: Kustomize
resources: resources:
- ./metallb/pool.yaml - ./metallb/pool.yaml

4
kustomize/metallb/pool.yaml → core-services/metallb/kustomize/metallb/pool.yaml
View File

@@ -3,7 +3,7 @@ apiVersion: metallb.io/v1beta1
kind: IPAddressPool kind: IPAddressPool
metadata: metadata:
name: pool name: pool
namespace: homelab namespace: metallb-system
spec: spec:
addresses: addresses:
- 192.168.18.192/26 - 192.168.18.192/26
@@ -12,7 +12,7 @@ apiVersion: metallb.io/v1beta1
kind: L2Advertisement kind: L2Advertisement
metadata: metadata:
name: pool name: pool
namespace: homelab namespace: metallb-system
spec: spec:
ipAddressPools: ipAddressPools:
- pool - pool

6
core-services/metallb/values.yaml Normal file
View File

@@ -0,0 +1,6 @@
controller:
nodeSelector:
nodepool: worker
speaker:
nodeSelector:
nodepool: worker

13
nginx/index.ts → core-services/traefik/index.ts
View File

@@ -1,25 +1,26 @@
import * as fs from "fs"; import * as fs from "fs";
import * as path from "path";
import { HelmProvider } from "@cdktf/provider-helm/lib/provider"; import { HelmProvider } from "@cdktf/provider-helm/lib/provider";
import { Release } from "@cdktf/provider-helm/lib/release"; import { Release } from "@cdktf/provider-helm/lib/release";
import { Construct } from "constructs"; import { Construct } from "constructs";
type NginxOptions = { type TraefikOptions = {
provider: HelmProvider; provider: HelmProvider;
name: string; name: string;
namespace: string; namespace: string;
}; };
export class Nginx extends Construct { export class Traefik extends Construct {
constructor(scope: Construct, id: string, options: NginxOptions) { constructor(scope: Construct, id: string, options: TraefikOptions) {
super(scope, id); super(scope, id);
new Release(this, id, { new Release(this, id, {
...options, ...options,
repository: "https://kubernetes.github.io/ingress-nginx", repository: "https://traefik.github.io/charts",
chart: "ingress-nginx", chart: "traefik",
createNamespace: true, createNamespace: true,
values: [ values: [
fs.readFileSync("helm/values/nginx-internal.values.yaml", { fs.readFileSync(path.join(__dirname, "values.yaml"), {
encoding: "utf8", encoding: "utf8",
}), }),
], ],

58
core-services/traefik/values.yaml Normal file
View File

@@ -0,0 +1,58 @@
providers:
kubernetesCRD:
allowCrossNamespace: true
ingress:
ingressClass:
enabled: false
isDefaultClass: true
name: traefik
deployment:
replicas: 3
podLabels:
app: traefik
nodeSelector:
nodepool: worker
service:
spec:
externalTrafficPolicy: Local
topologySpreadConstraints:
- maxSkew: 1
topologyKey: "kubernetes.io/hostname"
whenUnsatisfiable: "DoNotSchedule"
labelSelector:
matchLabels:
app: traefik
additionalArguments:
- "--entryPoints.ssh.address=:22/tcp"
- "--entryPoints.minecraft-gtnh.address=:25566/tcp"
- "--entryPoints.minecraft-tfg.address=:25567/tcp"
- "--entryPoints.minecraft-star-technology.address=:25568/tcp"
ports:
ssh:
name: ssh
port: 22
exposedPort: 22
expose:
default: true
protocol: TCP
minecraft-gtnh:
name: minecraft-gtnh
port: 25566
exposedPort: 25566
expose:
default: true
protocol: TCP
minecraft-tfg:
name: minecraft-tfg
port: 25567
exposedPort: 25567
expose:
default: true
protocol: TCP
minecraft-star-technology:
name: minecraft-star-technology
port: 25568
exposedPort: 25568
expose:
default: true
protocol: TCP

43
flake.lock generated
View File

@@ -18,49 +18,13 @@
"type": "github" "type": "github"
} }
}, },
"flake-utils_2": {
"locked": {
"lastModified": 1659877975,
"narHash": "sha256-zllb8aq3YO3h8B/U0/J1WBgAL8EX5yWf5pMj3G0NAmc=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "c0e246b9b83f637f4681389ecabcb2681b4f3af0",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"krew2nix": {
"inputs": {
"flake-utils": "flake-utils_2",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1716272275,
"narHash": "sha256-JWDyPhAJp263EVVsGrKwrJU+xdDReHsDmSe7A190/Cg=",
"owner": "eigengrau",
"repo": "krew2nix",
"rev": "0c1fecaab044dba1249c5d09366891ec467b4ad2",
"type": "github"
},
"original": {
"owner": "eigengrau",
"repo": "krew2nix",
"type": "github"
}
},
"nixpkgs": { "nixpkgs": {
"locked": { "locked": {
"lastModified": 1759417375, "lastModified": 1762943920,
"narHash": "sha256-O7eHcgkQXJNygY6AypkF9tFhsoDQjpNEojw3eFs73Ow=", "narHash": "sha256-ITeH8GBpQTw9457ICZBddQEBjlXMmilML067q0e6vqY=",
"owner": "NixOS", "owner": "NixOS",
"repo": "nixpkgs", "repo": "nixpkgs",
"rev": "dc704e6102e76aad573f63b74c742cd96f8f1e6c", "rev": "91c9a64ce2a84e648d0cf9671274bb9c2fb9ba60",
"type": "github" "type": "github"
}, },
"original": { "original": {
@@ -73,7 +37,6 @@
"root": { "root": {
"inputs": { "inputs": {
"flake-utils": "flake-utils", "flake-utils": "flake-utils",
"krew2nix": "krew2nix",
"nixpkgs": "nixpkgs" "nixpkgs": "nixpkgs"
} }
}, },

14
flake.nix
View File

@@ -4,14 +4,9 @@
inputs = { inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable"; nixpkgs.url = "github:NixOS/nixpkgs/nixpkgs-unstable";
flake-utils.url = "github:numtide/flake-utils"; flake-utils.url = "github:numtide/flake-utils";
krew2nix = {
url = "github:eigengrau/krew2nix";
inputs.nixpkgs.follows = "nixpkgs";
};
}; };
outputs = { nixpkgs, flake-utils, krew2nix, ... }: flake-utils.lib.eachDefaultSystem (system: outputs = { nixpkgs, flake-utils, ... }: flake-utils.lib.eachDefaultSystem (system:
let let
lib = nixpkgs.lib; lib = nixpkgs.lib;
@@ -24,17 +19,12 @@
]; ];
}; };
}; };
kubectl = krew2nix.packages.${system}.kubectl;
in { in {
# Define the devShell for the current system # Define the devShell for the current system
devShell = pkgs.mkShell { devShell = pkgs.mkShell {
buildInputs = with pkgs; [ buildInputs = with pkgs; [
kubernetes-helm kubernetes-helm
kubectl kubectl-cnpg
(kubectl.withKrewPlugins (plugins: with plugins; [
cnpg
]))
nil nil
terraform terraform
tflint tflint

77
gaming-services/minecraft/gtnh.ts Normal file
View File

@@ -0,0 +1,77 @@
import { Construct } from "constructs";
import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
import { MinecraftServer } from "./utils";
export class GTNH extends Construct {
constructor(
scope: Construct,
id: string,
provider: KubernetesProvider,
namespace: string,
) {
super(scope, id);
new MinecraftServer(this, "gtnh", {
provider,
namespace,
image: "itzg/minecraft-server:java25",
name: "gtnh",
env: [
{
name: "EULA",
value: "TRUE",
},
{
name: "MODE",
value: "survival",
},
{
name: "DIFFICULTY",
value: "easy",
},
{
name: "TYPE",
value: "CUSTOM",
},
{
name: "GENERIC_PACKS",
value: "GT_New_Horizons_2.8.0_Server_Java_17-25",
},
{
name: "GENERIC_PACKS_SUFFIX",
value: ".zip",
},
{
name: "GENERIC_PACKS_PREFIX",
value: "https://downloads.gtnewhorizons.com/ServerPacks/",
},
{
name: "SKIP_GENERIC_PACK_UPDATE_CHECK",
value: "true",
},
{
name: "MEMORY",
value: "12G",
},
{
name: "JVM_OPTS",
value:
"-Dfml.readTimeout=180 -Dfml.queryResult=confirm @java9args.txt",
},
{
name: "CUSTOM_JAR_EXEC",
value: "-jar lwjgl3ify-forgePatches.jar nogui",
},
{
name: "ALLOW_FLIGHT",
value: "TRUE",
},
{
name: "ENABLE_ROLLING_LOGS",
value: "TRUE",
},
],
});
}
}

37
gaming-services/minecraft/index.ts Normal file
View File

@@ -0,0 +1,37 @@
import { Construct } from "constructs";
import { TerraformStack } from "cdktf";
import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
import { NamespaceV1 } from "@cdktf/provider-kubernetes/lib/namespace-v1";
import { OnePasswordSecret } from "../../utils";
import { TerraFirmaGreg } from "./tfg";
import { GTNH } from "./gtnh";
import { StarTechnology } from "./star-technology";
export class GamingServices extends TerraformStack {
constructor(scope: Construct, id: string) {
super(scope, id);
const provider = new KubernetesProvider(this, "kubernetes", {
configPath: "~/.kube/config",
});
const namespace = "minecraft";
new NamespaceV1(this, "namespace", {
metadata: {
name: namespace,
},
});
new OnePasswordSecret(this, "curseforge", {
provider,
namespace,
name: "curseforge",
itemPath: "vaults/Lab/items/curseforge",
});
new TerraFirmaGreg(this, "tfg", provider, namespace);
new GTNH(this, "gtnh", provider, namespace);
new StarTechnology(this, "star-technology", provider, namespace);
}
}

74
gaming-services/minecraft/star-technology.ts Normal file
View File

@@ -0,0 +1,74 @@
import { Construct } from "constructs";
import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
import { MinecraftServer } from "./utils";
export class StarTechnology extends Construct {
constructor(
scope: Construct,
id: string,
provider: KubernetesProvider,
namespace: string,
) {
super(scope, id);
new MinecraftServer(this, "star-technology", {
provider,
namespace,
image: "itzg/minecraft-server:java21",
name: "star-technology",
env: [
{
name: "EULA",
value: "TRUE",
},
{
name: "MODE",
value: "survival",
},
{
name: "MODPACK_PLATFORM",
value: "AUTO_CURSEFORGE",
},
{
name: "CF_API_KEY",
valueFrom: {
secretKeyRef: {
name: "curseforge",
key: "credential",
},
},
},
{
name: "CF_PAGE_URL",
value:
"https://www.curseforge.com/minecraft/modpacks/star-technology",
},
{
name: "VERSION",
value: "1.20.1",
},
{
name: "INIT_MEMORY",
value: "2G",
},
{
name: "MAX_MEMORY",
value: "12G",
},
{
name: "ALLOW_FLIGHT",
value: "TRUE",
},
{
name: "ENABLE_ROLLING_LOGS",
value: "TRUE",
},
{
name: "USE_MEOWICE_FLAGS",
value: "TRUE",
},
],
});
}
}

78
gaming-services/minecraft/tfg.ts Normal file
View File

@@ -0,0 +1,78 @@
import { Construct } from "constructs";
import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
import { MinecraftServer } from "./utils";
export class TerraFirmaGreg extends Construct {
constructor(
scope: Construct,
id: string,
provider: KubernetesProvider,
namespace: string,
) {
super(scope, id);
new MinecraftServer(this, "tfg", {
provider,
namespace,
image: "itzg/minecraft-server:java17",
name: "tfg",
env: [
{
name: "EULA",
value: "TRUE",
},
{
name: "MODE",
value: "survival",
},
{
name: "MODPACK_PLATFORM",
value: "AUTO_CURSEFORGE",
},
{
name: "CF_API_KEY",
valueFrom: {
secretKeyRef: {
name: "curseforge",
key: "credential",
},
},
},
{
name: "CF_PAGE_URL",
value:
"https://www.curseforge.com/minecraft/modpacks/terrafirmagreg-modern/",
},
{
name: "CF_FILENAME_MATCHER",
value: "0.11.8",
},
{
name: "VERSION",
value: "1.20.1",
},
{
name: "INIT_MEMORY",
value: "2G",
},
{
name: "MAX_MEMORY",
value: "12G",
},
{
name: "ALLOW_FLIGHT",
value: "TRUE",
},
{
name: "ENABLE_ROLLING_LOGS",
value: "TRUE",
},
{
name: "USE_MEOWICE_FLAGS",
value: "TRUE",
},
],
});
}
}

148
gaming-services/minecraft/utils/index.ts Normal file
View File

@@ -0,0 +1,148 @@
import { Construct } from "constructs";
import {
StatefulSetV1,
StatefulSetV1SpecTemplateSpecContainerEnv,
} from "@cdktf/provider-kubernetes/lib/stateful-set-v1";
import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
import { ServiceV1 } from "@cdktf/provider-kubernetes/lib/service-v1";
import { IngressRouteTcp } from "../../../utils";
export type MinecraftServerOptions = {
provider: KubernetesProvider;
namespace: string;
name: string;
env: StatefulSetV1SpecTemplateSpecContainerEnv[];
image: string;
size?: string;
};
export class MinecraftServer extends Construct {
constructor(scope: Construct, id: string, opts: MinecraftServerOptions) {
super(scope, id);
const { provider, namespace, name, image, env, size = "10Gi" } = opts;
new ServiceV1(this, "service", {
provider,
metadata: {
name,
namespace,
},
spec: {
selector: {
app: name,
},
port: [
{
port: 25565,
targetPort: "25565",
protocol: "TCP",
name: "minecraft",
},
],
type: "ClusterIP",
},
});
new StatefulSetV1(this, "stateful-set", {
provider,
metadata: {
name,
namespace,
},
waitForRollout: false,
spec: {
replicas: "1",
serviceName: name,
updateStrategy: [
{
type: "OnDelete",
},
],
selector: {
matchLabels: {
app: name,
},
},
persistentVolumeClaimRetentionPolicy: [
{
whenDeleted: "Retain",
whenScaled: "Retain",
},
],
volumeClaimTemplate: [
{
metadata: {
name: `${name}-data`,
labels: {
"recurring-job.longhorn.io/source": "enabled",
"recurring-job.longhorn.io/daily-backup": "enabled",
},
},
spec: {
accessModes: ["ReadWriteOnce"],
resources: {
requests: {
storage: size,
},
},
storageClassName: "longhorn",
},
},
],
template: {
metadata: {
labels: {
app: name,
},
},
spec: {
nodeSelector: {
nodepool: "worker",
},
container: [
{
name,
image,
env,
port: [
{
name,
containerPort: 25565,
},
],
volumeMount: [
{
name: `${name}-data`,
mountPath: "/data",
},
],
resources: {
requests: {
cpu: "2",
memory: "4Gi",
},
limits: {
cpu: "6",
memory: "12Gi",
},
},
},
],
},
},
},
});
new IngressRouteTcp(this, "ingress", {
provider,
namespace,
name,
serviceName: name,
servicePort: 25565,
entryPoint: `minecraft-${name}`,
match: "HostSNI(`*`)",
});
}
}

73
gitea/actions/runner.yaml
View File

@@ -1,73 +0,0 @@
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
name: action-runner
namespace: homelab
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 10Gi
storageClassName: longhorn-crypto
---
apiVersion: apps/v1
kind: Deployment
metadata:
labels:
app: action-runner
name: action-runner
namespace: homelab
spec:
replicas: 9
selector:
matchLabels:
app: action-runner
strategy: {}
template:
metadata:
creationTimestamp: null
labels:
app: action-runner
spec:
restartPolicy: Always
volumes:
- name: runner-data
persistentVolumeClaim:
claimName: action-runner
securityContext:
fsGroup: 1000
containers:
- name: runner
image: gitea/act_runner:nightly-dind-rootless
imagePullPolicy: Always
env:
- name: DOCKER_HOST
value: tcp://localhost:2376
- name: DOCKER_CERT_PATH
value: /certs/client
- name: DOCKER_TLS_VERIFY
value: "1"
- name: GITEA_INSTANCE_URL
value: https://git.dogar.dev
- name: GITEA_RUNNER_REGISTRATION_TOKEN
valueFrom:
secretKeyRef:
name: runner-secret
key: runner-token
securityContext:
privileged: true
volumeMounts:
- name: runner-data
mountPath: /data
---
apiVersion: policy/v1
kind: PodDisruptionBudget
metadata:
name: action-runner-pdb
namespace: homelab
spec:
minAvailable: 6
selector:
matchLabels:
app: action-runner

28
helm/values/externaldns.values.yaml
View File

@@ -1,28 +0,0 @@
interval: 10s
provider: pihole
policy: upsert-only
txtOwnerId: "homelab"
pihole:
server: http://pihole-web
extraEnvVars:
- name: EXTERNAL_DNS_PIHOLE_PASSWORD
valueFrom:
secretKeyRef:
name: pihole-admin
key: password
serviceAccount:
create: true
name: "external-dns"
ingressClassFilters:
- nginx-internal
metrics:
enabled: true
serviceMonitor:
enabled: true
interval: 30s
scrapeTimeout: 10s
selector:
matchLabels:
app.kubernetes.io/name: external-dns
app.kubernetes.io/instance: externaldns-pihole
port: 7979

20
helm/values/longhorn.values.yaml
View File

@@ -1,20 +0,0 @@
defaultSettings:
defaultReplicaCount: 3
storageOverProvisioningPercentage: 100
backupCompressionMethod: "gzip"
defaultBackupStore:
backupTarget: "s3://homelab@auto/longhorn"
backupTargetCredentialSecret: cloudflare-token
metrics:
serviceMonitor:
enabled: true
ingress:
enabled: true
ingressClassName: nginx-internal
host: longhorn.dogar.dev
tls: true
tlsSecretName: longhorn-tls
annotations:
cert-manager.io/cluster-issuer: cloudflare-issuer
cert-manager.io/acme-challenge-type: dns01
cert-manager.io/private-key-size: "4096"

16
helm/values/nginx-internal.values.yaml
View File

@@ -1,16 +0,0 @@
controller:
ingressClassResource:
name: nginx-internal
enabled: true
default: true
controllerValue: "k8s.io/ingress-nginx"
parameters: {}
ingressClass: nginx-internal
service:
annotations:
external-dns.alpha.kubernetes.io/hostname: "dogar.dev"
tcp:
22: "homelab/gitea-ssh:22"
25565: "minecraft/monifactory-server:25565"
25566: "minecraft/gtnh-server:25565"
25567: "minecraft/tfg-server:25565"

81
helm/values/pihole.values.yaml
View File

@@ -1,81 +0,0 @@
---
DNS1:
1.1.1.1
DNS2:
1.0.0.1
admin:
enabled: true
existingSecret: pihole-admin
passwordKey: password
persistentVolumeClaim:
enabled: true
storageClass: longhorn-crypto
accessModes:
- ReadWriteOnce
ingress:
enabled: true
ingressClassName: nginx-internal
annotations:
cert-manager.io/cluster-issuer: cloudflare-issuer
cert-manager.io/acme-challenge-type: dns01
cert-manager.io/private-key-size: "4096"
hosts:
- pihole.dogar.dev
tls:
- secretName: pihole-tls
hosts:
- pihole.dogar.dev
serviceWeb:
annotations:
metallb.universe.tf/allow-shared-ip: pihole-svc
type: ClusterIP
https:
enabled: false
serviceDns:
annotations:
metallb.universe.tf/allow-shared-ip: pihole-svc
type: LoadBalancer
loadBalancerIP: 192.168.18.250
serviceDhcp:
enabled: false
probes:
liveness:
enabled: false
readiness:
enabled: false
dnsmasq:
staticDhcpEntries:
- dhcp-host=B0:41:6F:0F:A8:D3,192.168.18.10,homelab-0
- dhcp-host=B0:41:6F:0F:AE:89,192.168.18.11,homelab-1
- dhcp-host=B0:41:6F:0F:A0:CD,192.168.18.12,homelab-2
hostNetwork: true
hostname: pihole
capabilities:
add:
- NET_ADMIN
extraEnvVars:
TZ: "Asia/Karachi"
DNSSEC: "true"
FTLCONF_LOCAL_IPV4: "192.168.18.250"
INTERFACE: "enp1s0"
DNSMASQ_LISTENING: "single"
DHCP_ACTIVE: "true"
DHCP_START: "192.168.18.2"
DHCP_END: "192.168.18.20"
DHCP_ROUTER: "192.168.18.1"
PIHOLE_DOMAIN: "pihole.dogar.dev"
VIRTUAL_HOST: "pihole.dogar.dev"
podAnnotations:
prometheus.io/scrape: "true"
prometheus.io/port: "9617"
monitoring:
sidecar:
enabled: true
port: 9617
image:
repository: ekofr/pihole-exporter
tag: v0.3.0
pullPolicy: IfNotPresent
resources:
limits:
memory: 128Mi

15
helm/values/prometheus.values.yaml
View File

@@ -1,15 +0,0 @@
grafana:
enabled: true
ingress:
enabled: true
ingressClassName: nginx-internal
annotations:
cert-manager.io/cluster-issuer: cloudflare-issuer
cert-manager.io/acme-challenge-type: dns01
cert-manager.io/private-key-size: "4096"
hosts:
- grafana.dogar.dev
tls:
- secretName: grafana-tls
hosts:
- grafana.dogar.dev

48
k8s-operators/1password/index.ts Normal file
View File

@@ -0,0 +1,48 @@
import * as fs from "fs";
import * as path from "path";
import { HelmProvider } from "@cdktf/provider-helm/lib/provider";
import { Release } from "@cdktf/provider-helm/lib/release";
import { Construct } from "constructs";
type OnePasswordOptions = {
provider: HelmProvider;
name: string;
};
export class OnePassword extends Construct {
constructor(scope: Construct, id: string, options: OnePasswordOptions) {
super(scope, id);
const { provider } = options;
new Release(this, "onepassword-operator", {
provider,
name: "onepassword-operator",
chart: "connect",
repository: "https://1password.github.io/connect-helm-charts/",
namespace: "1password",
createNamespace: true,
set: [
{
name: "operator.create",
value: "true",
},
],
setSensitive: [
{
name: "operator.token.value",
value: process.env.OP_CONNECT_TOKEN!,
},
{
name: "connect.credentials_base64",
value: btoa(
fs.readFileSync(
path.join(__dirname, "1password-credentials.json"),
"utf-8",
),
),
},
],
});
}
}

42
k8s-operators/barman.ts Normal file
View File

@@ -0,0 +1,42 @@
import { Construct } from "constructs";
import { NullProvider } from "@cdktf/provider-null/lib/provider";
import { Resource } from "@cdktf/provider-null/lib/resource";
export interface BarmanCloudPluginInstallOptions {
/** URL to the CloudNativePG barman-cloud plugin manifest */
url: string;
}
export class BarmanCloudPluginInstall extends Construct {
constructor(
scope: Construct,
id: string,
opts: BarmanCloudPluginInstallOptions,
) {
super(scope, id);
const { url } = opts;
const applyCmd = ["kubectl", "apply", "-f", url].join(" ");
const deleteCmd = ["kubectl", "delete", "-f", url].join(" ");
new Resource(this, "barman-install", {
provider: new NullProvider(this, "barman"),
provisioners: [
{
type: "local-exec",
when: "create",
command: applyCmd,
},
{
type: "local-exec",
when: "destroy",
command: deleteCmd,
},
],
triggers: {
url,
},
});
}
}

46
k8s-operators/index.ts Normal file
View File

@@ -0,0 +1,46 @@
import { HelmProvider } from "@cdktf/provider-helm/lib/provider";
import { Release } from "@cdktf/provider-helm/lib/release";
import { TerraformStack } from "cdktf";
import { Construct } from "constructs";
import { BarmanCloudPluginInstall } from "./barman";
import { Prometheus } from "./prometheus";
import { OnePassword } from "./1password";
export class K8SOperators extends TerraformStack {
constructor(scope: Construct, id: string) {
super(scope, id);
const helm = new HelmProvider(this, "helm", {
kubernetes: {
configPath: "~/.kube/config",
},
});
new Prometheus(this, "prometheus", {
provider: helm,
namespace: "monitoring",
name: "prometheus-operator",
version: "75.10.0",
});
new OnePassword(this, "onepassword", {
provider: helm,
name: "onepassword",
});
const cnpg = new Release(this, "cnpg-operator", {
provider: helm,
repository: "https://cloudnative-pg.github.io/charts",
chart: "cloudnative-pg",
name: "postgres-system",
namespace: "cnpg-system",
createNamespace: true,
});
const barman = new BarmanCloudPluginInstall(this, "barman-cloud-plugin", {
url: "https://github.com/cloudnative-pg/plugin-barman-cloud/releases/download/v0.9.0/manifest.yaml",
});
barman.node.addDependency(cnpg);
}
}

5
prometheus/index.ts → k8s-operators/prometheus/index.ts
View File

@@ -1,7 +1,8 @@
import * as fs from "fs"; import * as fs from "fs";
import { HelmProvider } from "@cdktf/provider-helm/lib/provider"; import * as path from "path";
import { Release } from "@cdktf/provider-helm/lib/release"; import { Release } from "@cdktf/provider-helm/lib/release";
import { Construct } from "constructs"; import { Construct } from "constructs";
import { HelmProvider } from "@cdktf/provider-helm/lib/provider";
type PrometheusOptions = { type PrometheusOptions = {
provider: HelmProvider; provider: HelmProvider;
@@ -20,7 +21,7 @@ export class Prometheus extends Construct {
chart: "kube-prometheus-stack", chart: "kube-prometheus-stack",
createNamespace: true, createNamespace: true,
values: [ values: [
fs.readFileSync("helm/values/prometheus.values.yaml", { fs.readFileSync(path.join(__dirname, "values.yaml"), {
encoding: "utf8", encoding: "utf8",
}), }),
], ],

4
k8s-operators/prometheus/values.yaml Normal file
View File

@@ -0,0 +1,4 @@
grafana:
enabled: true
ingress:
enabled: false

81
longhorn/index.ts
View File

@@ -1,81 +0,0 @@
import * as fs from "fs";
import { HelmProvider } from "@cdktf/provider-helm/lib/provider";
import { Release } from "@cdktf/provider-helm/lib/release";
import { Construct } from "constructs";
import { Manifest } from "@cdktf/provider-kubernetes/lib/manifest";
import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
type LonghornOptions = {
providers: {
kubernetes: KubernetesProvider;
helm: HelmProvider;
};
name: string;
namespace: string;
};
export class Longhorn extends Construct {
constructor(scope: Construct, id: string, options: LonghornOptions) {
super(scope, id);
const { helm, kubernetes } = options.providers;
new Release(this, id, {
name: options.name,
namespace: options.namespace,
provider: helm,
repository: "https://charts.longhorn.io",
chart: "longhorn",
createNamespace: true,
upgradeInstall: true,
values: [
fs.readFileSync("helm/values/longhorn.values.yaml", {
encoding: "utf8",
}),
],
});
new Manifest(this, "recurring-backup-job", {
provider: kubernetes,
manifest: {
apiVersion: "longhorn.io/v1beta1",
kind: "RecurringJob",
metadata: {
name: "daily-backup",
namespace: options.namespace,
},
spec: {
cron: "0 0 * * *",
task: "backup",
retain: 30,
groups: ["default"],
concurrency: 3,
},
},
});
new Manifest(this, "longhorn-crypto-storage-class", {
provider: kubernetes,
manifest: {
kind: "StorageClass",
apiVersion: "storage.k8s.io/v1",
metadata: {
name: "longhorn-crypto",
},
provisioner: "driver.longhorn.io",
allowVolumeExpansion: true,
parameters: {
numberOfReplicas: "3",
staleReplicaTimeout: "2880", // 48 hours in minutes
encrypted: "true",
"csi.storage.k8s.io/provisioner-secret-name": "longhorn-encryption",
"csi.storage.k8s.io/provisioner-secret-namespace": options.namespace,
"csi.storage.k8s.io/node-publish-secret-name": "longhorn-encryption",
"csi.storage.k8s.io/node-publish-secret-namespace": options.namespace,
"csi.storage.k8s.io/node-stage-secret-name": "longhorn-encryption",
"csi.storage.k8s.io/node-stage-secret-namespace": options.namespace,
},
},
});
}
}

242
main.ts
View File

@@ -1,200 +1,84 @@
import * as dotenv from "dotenv"; import * as dotenv from "dotenv";
import { cleanEnv, str } from "envalid"; import { cleanEnv, str } from "envalid";
import { Construct } from "constructs"; import { App, S3Backend, TerraformStack } from "cdktf";
import { App, TerraformStack, S3Backend } from "cdktf"; import { CacheInfrastructure } from "./cache-infrastructure";
import { HelmProvider } from "@cdktf/provider-helm/lib/provider"; import { UtilityServices } from "./utility-services";
import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider"; import { K8SOperators } from "./k8s-operators";
import { CoreServices } from "./core-services";
import { GiteaServer } from "./gitea"; import { NetworkSecurity } from "./network-security";
import { OnePassword } from "./1password"; import { GamingServices } from "./gaming-services/minecraft";
import { PostgresCluster } from "./postgres"; import { MediaServices } from "./media-services";
import { Longhorn } from "./longhorn"; import { PKI } from "./pki";
import { AuthentikServer } from "./authentik"; import { Netbird } from "./netbird";
import { ValkeyCluster } from "./valkey";
import { CertManager } from "./cert-manager";
import { Manifest } from "@cdktf/provider-kubernetes/lib/manifest";
import { PiHole } from "./pihole";
import { Nginx } from "./nginx";
import { Prometheus } from "./prometheus";
import { MetalLB } from "./metallb";
dotenv.config(); dotenv.config();
const env = cleanEnv(process.env, { const env = cleanEnv(process.env, {
R2_ACCESS_KEY_ID: str(),
R2_SECRET_ACCESS_KEY: str(),
ACCOUNT_ID: str({ desc: "Cloudflare account id." }), ACCOUNT_ID: str({ desc: "Cloudflare account id." }),
BUCKET: str({ desc: "The name of the R2 bucket." }), OP_CONNECT_TOKEN: str({ desc: "1Password Connect token." }),
ACCESS_KEY: str({ desc: "Access key ID for R2 storage." }),
SECRET_KEY: str({ desc: "Secret access key for R2 storage." }),
VALKEY_PASSWORD: str({ desc: "Password for Valkey database." }),
}); });
const r2Endpoint = `https://${env.ACCOUNT_ID}.r2.cloudflarestorage.com`; const r2Endpoint = `https://${env.ACCOUNT_ID}.r2.cloudflarestorage.com`;
class Homelab extends TerraformStack {
constructor(scope: Construct, id: string) {
super(scope, id);
const kubernetes = new KubernetesProvider(this, "kubernetes", {
configPath: "~/.kube/config",
});
const helm = new HelmProvider(this, "helm", {
kubernetes: {
configPath: "~/.kube/config",
},
});
const namespace = "homelab";
const ns = new Manifest(this, "namespace", {
provider: kubernetes,
manifest: {
kind: "Namespace",
apiVersion: "v1",
metadata: {
name: namespace,
},
spec: {},
},
});
new Manifest(this, "core-dns", {
provider: kubernetes,
manifest: {
kind: "ConfigMap",
apiVersion: "v1",
metadata: {
name: "coredns-custom",
namespace: "kube-system",
},
data: {
"forward.override": `forward . /etc/resolv.conf {
policy sequential
}
`,
},
},
});
const longhorn = new Longhorn(this, "longhorn", {
namespace,
name: "longhorn",
providers: {
kubernetes,
helm,
},
});
longhorn.node.addDependency(ns);
new MetalLB(this, "metallb", {
provider: helm,
name: "metallb",
namespace,
});
new OnePassword(this, "one-password", {
provider: kubernetes,
namespace,
});
const nginx = new Nginx(this, "nginx", {
provider: helm,
namespace,
name: "nginx-ingress",
});
const certManagerApiVersion = "cert-manager.io/v1";
const cm = new CertManager(this, "cert-manager", {
certManagerApiVersion,
name: "cert-manager",
namespace,
version: "1.18.2",
providers: {
kubernetes,
helm,
},
});
const pihole = new PiHole(this, "pihole", {
namespace,
provider: helm,
name: "pihole",
});
pihole.node.addDependency(longhorn);
pihole.node.addDependency(nginx);
pihole.node.addDependency(cm);
new Prometheus(this, "prometheus", {
provider: helm,
namespace,
name: "prometheus-operator",
version: "75.10.0",
});
const pg = new PostgresCluster(this, "postgres-cluster", {
certManagerApiVersion,
name: "postgres-cluster",
namespace,
providers: {
kubernetes,
helm,
},
storageClass: "longhorn-crypto",
users: ["shahab", "budget-tracker", "authentik", "gitea"],
primaryUser: "shahab",
initSecretName: "postgres-password",
backupR2EndpointURL: r2Endpoint,
});
pg.node.addDependency(pihole);
const valkey = new ValkeyCluster(this, "valkey-cluster", {
provider: kubernetes,
namespace,
name: "valkey",
});
valkey.node.addDependency(pihole);
const authentik = new AuthentikServer(this, "authentik-server", {
provider: helm,
name: "authentik",
namespace,
});
authentik.node.addDependency(pg);
authentik.node.addDependency(valkey);
const gitea = new GiteaServer(this, "gitea-server", {
name: "gitea",
namespace,
provider: helm,
});
gitea.node.addDependency(authentik);
}
}
const app = new App(); const app = new App();
const stack = new Homelab(app, "homelab"); const coreServices = new CoreServices(app, "core-services");
const k8sOperators = new K8SOperators(app, "k8s-operators");
k8sOperators.node.addDependency(coreServices);
const pki = new PKI(app, "pki");
pki.node.addDependency(k8sOperators);
const networkSecurity = new NetworkSecurity(app, "network-security");
networkSecurity.node.addDependency(pki);
const utilityServices = new UtilityServices(app, "utility-services");
utilityServices.node.addDependency(networkSecurity);
const gamingServices = new GamingServices(app, "gaming-services");
gamingServices.node.addDependency(networkSecurity);
const mediaServices = new MediaServices(app, "media-services");
mediaServices.node.addDependency(networkSecurity);
const caches = new CacheInfrastructure(app, "cache-infrastructure");
caches.node.addDependency(utilityServices);
const netbird = new Netbird(app, "netbird");
netbird.node.addDependency(utilityServices);
const deploy: (stack: TerraformStack, key: string) => S3Backend = (
stack,
key,
) =>
new S3Backend(stack, { new S3Backend(stack, {
encrypt: true, bucket: "terraform-state",
bucket: env.BUCKET, key: `${key}/terraform.tfstate`,
key: "terraform.tfstate",
region: "auto", region: "auto",
skipCredentialsValidation: true, endpoints: {
skipMetadataApiCheck: true, s3: r2Endpoint,
},
accessKey: env.ACCESS_KEY,
secretKey: env.SECRET_KEY,
encrypt: true,
usePathStyle: true,
skipRegionValidation: true, skipRegionValidation: true,
skipCredentialsValidation: true,
skipRequestingAccountId: true, skipRequestingAccountId: true,
skipS3Checksum: true, skipS3Checksum: true,
accessKey: env.R2_ACCESS_KEY_ID,
secretKey: env.R2_SECRET_ACCESS_KEY,
endpoints: {
s3: `${r2Endpoint}/${env.BUCKET}`,
},
}); });
deploy(coreServices, "core-services");
deploy(k8sOperators, "k8s-operators");
deploy(pki, "pki");
deploy(networkSecurity, "network-security");
deploy(utilityServices, "utility-services");
deploy(caches, "cache-infrastructure");
deploy(gamingServices, "gaming-services");
deploy(mediaServices, "media-services");
deploy(netbird, "netbird");
app.synth(); app.synth();

82
media-services/index.ts Normal file
View File

@@ -0,0 +1,82 @@
import { Construct } from "constructs";
import { TerraformStack } from "cdktf";
import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
import { NamespaceV1 } from "@cdktf/provider-kubernetes/lib/namespace-v1";
import { LonghornPvc } from "../utils";
import { JellyfinServer } from "./jellyfin";
import { SonarrServer } from "./sonarr";
import { RadarrServer } from "./radarr";
import { QBittorrentServer } from "./qbittorrent";
import { ProwlarrServer } from "./prowlarr";
export class MediaServices extends TerraformStack {
constructor(scope: Construct, id: string) {
super(scope, id);
const provider = new KubernetesProvider(this, "kubernetes", {
configPath: "~/.kube/config",
});
const namespace = "media";
// Create namespace
new NamespaceV1(this, "namespace", {
metadata: {
name: namespace,
},
});
// Shared PVCs
const mediaPvc = new LonghornPvc(this, "media-pvc", {
provider,
name: "media",
namespace,
size: "1Ti",
});
const downloadsPvc = new LonghornPvc(this, "downloads-pvc", {
provider,
name: "downloads",
namespace,
size: "450Gi",
});
// Deploy media services
new JellyfinServer(this, "jellyfin", {
provider,
namespace,
mediaPvcName: mediaPvc.name,
host: "media.dogar.dev",
});
new SonarrServer(this, "sonarr", {
provider,
namespace,
mediaPvcName: mediaPvc.name,
downloadsPvcName: downloadsPvc.name,
host: "sonarr.dogar.dev",
});
new RadarrServer(this, "radarr", {
provider,
namespace,
mediaPvcName: mediaPvc.name,
downloadsPvcName: downloadsPvc.name,
host: "radarr.dogar.dev",
});
new QBittorrentServer(this, "qbittorrent", {
provider,
namespace,
downloadsPvcName: downloadsPvc.name,
host: "torrent.dogar.dev",
});
new ProwlarrServer(this, "prowlarr", {
provider,
namespace,
host: "prowlarr.dogar.dev",
});
}
}

163
media-services/jellyfin/index.ts Normal file
View File

@@ -0,0 +1,163 @@
import { Construct } from "constructs";
import { DeploymentV1 } from "@cdktf/provider-kubernetes/lib/deployment-v1";
import { ServiceV1 } from "@cdktf/provider-kubernetes/lib/service-v1";
import {
CloudflareCertificate,
InternalIngressRoute,
LonghornPvc,
} from "../../utils";
import { BaseMediaServiceOptions, getAamil3NodeSelector } from "../types";
type JellyfinServerOptions = BaseMediaServiceOptions & {
/** Name of the shared media PVC */
mediaPvcName: string;
/** Hostname for the ingress */
host: string;
};
export class JellyfinServer extends Construct {
constructor(scope: Construct, id: string, options: JellyfinServerOptions) {
super(scope, id);
const { provider, namespace, mediaPvcName, host } = options;
const name = "server";
// Config PVC with backup
const configPvc = new LonghornPvc(this, "config", {
provider,
name: "jellyfin-config",
namespace,
size: "5Gi",
backup: true,
});
// Service
new ServiceV1(this, "service", {
provider,
metadata: {
name,
namespace,
},
spec: {
selector: {
app: name,
},
port: [
{
name: "http",
port: 80,
targetPort: "http",
},
{
name: "discovery",
port: 7359,
targetPort: "discovery",
},
],
type: "LoadBalancer",
},
});
// Deployment
new DeploymentV1(this, "deployment", {
provider,
metadata: {
name,
namespace,
},
spec: {
replicas: "1",
selector: {
matchLabels: {
app: name,
},
},
template: {
metadata: {
labels: {
app: name,
},
},
spec: {
nodeSelector: getAamil3NodeSelector(),
container: [
{
name,
image: "jellyfin/jellyfin:latest",
imagePullPolicy: "IfNotPresent",
port: [
{
containerPort: 8096,
name: "http",
},
{
containerPort: 7359,
name: "discovery",
},
],
env: [
{
name: "TZ",
value: "Asia/Karachi",
},
],
volumeMount: [
{
name: "config",
mountPath: "/config",
},
{
name: "cache",
mountPath: "/cache",
},
{
name: "media",
mountPath: "/media",
},
],
},
],
volume: [
{
name: "config",
persistentVolumeClaim: {
claimName: configPvc.name,
},
},
{
name: "cache",
emptyDir: {},
},
{
name: "media",
persistentVolumeClaim: {
claimName: mediaPvcName,
},
},
],
},
},
},
});
new CloudflareCertificate(this, "certificate", {
provider,
namespace,
name,
secretName: "jellyfin-tls",
dnsNames: [host],
});
// Ingress - using internal ingress for secure access
new InternalIngressRoute(this, "ingress", {
provider,
namespace,
name,
host,
serviceName: name,
servicePort: 80,
tlsSecretName: "jellyfin-tls",
});
}
}

134
media-services/prowlarr/index.ts Normal file
View File

@@ -0,0 +1,134 @@
import { Construct } from "constructs";
import { DeploymentV1 } from "@cdktf/provider-kubernetes/lib/deployment-v1";
import { ServiceV1 } from "@cdktf/provider-kubernetes/lib/service-v1";
import {
InternalIngressRoute,
LonghornPvc,
PrivateCertificate,
} from "../../utils";
import {
BaseMediaServiceOptions,
getWorkerNodeSelector,
getCommonEnv,
} from "../types";
type ProwlarrOptions = BaseMediaServiceOptions & {
/** Hostname for the ingress */
host: string;
};
export class ProwlarrServer extends Construct {
constructor(scope: Construct, id: string, options: ProwlarrOptions) {
super(scope, id);
const { provider, namespace, host } = options;
const name = "prowlarr";
// Config PVC with backup
const configPvc = new LonghornPvc(this, "config", {
provider,
name: "prowlarr-config",
namespace,
size: "512Mi",
backup: true,
});
// Service
new ServiceV1(this, "service", {
provider,
metadata: {
name,
namespace,
},
spec: {
selector: {
app: name,
},
port: [
{
name: "http",
port: 80,
targetPort: "9696",
},
],
type: "ClusterIP",
},
});
// Deployment
new DeploymentV1(this, "deployment", {
provider,
metadata: {
name,
namespace,
},
spec: {
replicas: "1",
selector: {
matchLabels: {
app: name,
},
},
template: {
metadata: {
labels: {
app: name,
},
},
spec: {
nodeSelector: getWorkerNodeSelector(),
container: [
{
name,
image: "lscr.io/linuxserver/prowlarr:latest",
imagePullPolicy: "IfNotPresent",
port: [
{
containerPort: 9696,
name: "http",
},
],
env: getCommonEnv(),
volumeMount: [
{
name: "config",
mountPath: "/config",
},
],
},
],
volume: [
{
name: "config",
persistentVolumeClaim: {
claimName: configPvc.name,
},
},
],
},
},
},
});
new PrivateCertificate(this, "certificate", {
provider,
namespace,
name,
commonName: host,
dnsNames: [host],
secretName: `${name}-tls`,
});
// Ingress
new InternalIngressRoute(this, "ingress", {
provider,
namespace,
name,
host,
serviceName: name,
servicePort: 80,
tlsSecretName: `${name}-tls`,
});
}
}

160
media-services/qbittorrent/index.ts Normal file
View File

@@ -0,0 +1,160 @@
import { Construct } from "constructs";
import { DeploymentV1 } from "@cdktf/provider-kubernetes/lib/deployment-v1";
import { ServiceV1 } from "@cdktf/provider-kubernetes/lib/service-v1";
import {
InternalIngressRoute,
LonghornPvc,
PrivateCertificate,
} from "../../utils";
import {
BaseMediaServiceOptions,
getAamil3NodeSelector,
getCommonEnv,
} from "../types";
type QBittorrentServerOptions = BaseMediaServiceOptions & {
/** Name of the shared downloads PVC */
downloadsPvcName: string;
/** Hostname for the ingress */
host: string;
};
export class QBittorrentServer extends Construct {
constructor(scope: Construct, id: string, options: QBittorrentServerOptions) {
super(scope, id);
const { provider, namespace, downloadsPvcName, host } = options;
const name = "qbittorrent";
// Config PVC with backup
const configPvc = new LonghornPvc(this, "config", {
provider,
name: "qbittorrent-config",
namespace,
size: "512Mi",
backup: true,
});
// Service
new ServiceV1(this, "service", {
provider,
metadata: {
name,
namespace,
},
spec: {
selector: {
app: name,
},
port: [
{
name: "http",
port: 80,
targetPort: "8080",
},
],
type: "ClusterIP",
},
});
// Deployment
new DeploymentV1(this, "deployment", {
provider,
metadata: {
name,
namespace,
},
spec: {
replicas: "1",
selector: {
matchLabels: {
app: name,
},
},
template: {
metadata: {
labels: {
app: name,
},
},
spec: {
nodeSelector: getAamil3NodeSelector(),
container: [
{
name,
image: "lscr.io/linuxserver/qbittorrent:latest",
port: [
{
containerPort: 8080,
name: "http",
},
{
containerPort: 6881,
name: "bt",
},
{
containerPort: 6881,
protocol: "UDP",
name: "bt-udp",
},
],
env: [
...getCommonEnv(),
{
name: "WEBUI_PORT",
value: "8080",
},
],
volumeMount: [
{
name: "config",
mountPath: "/config",
},
{
name: "downloads",
mountPath: "/downloads",
},
],
},
],
volume: [
{
name: "config",
persistentVolumeClaim: {
claimName: configPvc.name,
},
},
{
name: "downloads",
persistentVolumeClaim: {
claimName: downloadsPvcName,
},
},
],
},
},
},
});
new PrivateCertificate(this, "certificate", {
provider,
namespace,
name,
commonName: host,
dnsNames: [host],
secretName: `${name}-tls`,
});
// Ingress
new InternalIngressRoute(this, "ingress", {
provider,
namespace,
name,
host,
serviceName: name,
servicePort: 80,
tlsSecretName: `${name}-tls`,
});
}
}

159
media-services/radarr/index.ts Normal file
View File

@@ -0,0 +1,159 @@
import { Construct } from "constructs";
import { DeploymentV1 } from "@cdktf/provider-kubernetes/lib/deployment-v1";
import { ServiceV1 } from "@cdktf/provider-kubernetes/lib/service-v1";
import {
InternalIngressRoute,
LonghornPvc,
PrivateCertificate,
} from "../../utils";
import {
BaseMediaServiceOptions,
getAamil3NodeSelector,
getCommonEnv,
} from "../types";
type RadarrServerOptions = BaseMediaServiceOptions & {
/** Name of the shared media PVC */
mediaPvcName: string;
/** Name of the shared downloads PVC */
downloadsPvcName: string;
/** Hostname for the ingress */
host: string;
};
export class RadarrServer extends Construct {
constructor(scope: Construct, id: string, options: RadarrServerOptions) {
super(scope, id);
const { provider, namespace, mediaPvcName, downloadsPvcName, host } =
options;
const name = "radarr";
// Config PVC with backup
const configPvc = new LonghornPvc(this, "config", {
provider,
name: "radarr-config",
namespace,
size: "512Mi",
backup: true,
});
// Service
new ServiceV1(this, "service", {
provider,
metadata: {
name,
namespace,
},
spec: {
selector: {
app: name,
},
port: [
{
name: "http",
port: 80,
targetPort: "7878",
},
],
type: "ClusterIP",
},
});
// Deployment
new DeploymentV1(this, "deployment", {
provider,
metadata: {
name,
namespace,
},
spec: {
replicas: "1",
selector: {
matchLabels: {
app: name,
},
},
template: {
metadata: {
labels: {
app: name,
},
},
spec: {
nodeSelector: getAamil3NodeSelector(),
container: [
{
name,
image: "lscr.io/linuxserver/radarr:latest",
imagePullPolicy: "IfNotPresent",
port: [
{
containerPort: 7878,
name: "http",
},
],
env: getCommonEnv(),
volumeMount: [
{
name: "config",
mountPath: "/config",
},
{
name: "media",
mountPath: "/media",
},
{
name: "downloads",
mountPath: "/downloads",
},
],
},
],
volume: [
{
name: "config",
persistentVolumeClaim: {
claimName: configPvc.name,
},
},
{
name: "media",
persistentVolumeClaim: {
claimName: mediaPvcName,
},
},
{
name: "downloads",
persistentVolumeClaim: {
claimName: downloadsPvcName,
},
},
],
},
},
},
});
new PrivateCertificate(this, "certificate", {
provider,
namespace,
name,
commonName: host,
dnsNames: [host],
secretName: `${name}-tls`,
});
// Ingress
new InternalIngressRoute(this, "ingress", {
provider,
namespace,
name,
host,
serviceName: name,
servicePort: 80,
tlsSecretName: `${name}-tls`,
});
}
}

159
media-services/sonarr/index.ts Normal file
View File

@@ -0,0 +1,159 @@
import { Construct } from "constructs";
import { DeploymentV1 } from "@cdktf/provider-kubernetes/lib/deployment-v1";
import { ServiceV1 } from "@cdktf/provider-kubernetes/lib/service-v1";
import {
InternalIngressRoute,
LonghornPvc,
PrivateCertificate,
} from "../../utils";
import {
BaseMediaServiceOptions,
getAamil3NodeSelector,
getCommonEnv,
} from "../types";
type SonarrServerOptions = BaseMediaServiceOptions & {
/** Name of the shared media PVC */
mediaPvcName: string;
/** Name of the shared downloads PVC */
downloadsPvcName: string;
/** Hostname for the ingress */
host: string;
};
export class SonarrServer extends Construct {
constructor(scope: Construct, id: string, options: SonarrServerOptions) {
super(scope, id);
const { provider, namespace, mediaPvcName, downloadsPvcName, host } =
options;
const name = "sonarr";
// Config PVC with backup
const configPvc = new LonghornPvc(this, "config", {
provider,
name: "sonarr-config",
namespace,
size: "512Mi",
backup: true,
});
// Service
new ServiceV1(this, "service", {
provider,
metadata: {
name,
namespace,
},
spec: {
selector: {
app: name,
},
port: [
{
name: "http",
port: 80,
targetPort: "8989",
},
],
type: "ClusterIP",
},
});
// Deployment
new DeploymentV1(this, "deployment", {
provider,
metadata: {
name,
namespace,
},
spec: {
replicas: "1",
selector: {
matchLabels: {
app: name,
},
},
template: {
metadata: {
labels: {
app: name,
},
},
spec: {
nodeSelector: getAamil3NodeSelector(),
container: [
{
name,
image: "lscr.io/linuxserver/sonarr:latest",
imagePullPolicy: "IfNotPresent",
port: [
{
containerPort: 8989,
name: "http",
},
],
env: getCommonEnv(),
volumeMount: [
{
name: "config",
mountPath: "/config",
},
{
name: "media",
mountPath: "/media",
},
{
name: "downloads",
mountPath: "/downloads",
},
],
},
],
volume: [
{
name: "config",
persistentVolumeClaim: {
claimName: configPvc.name,
},
},
{
name: "media",
persistentVolumeClaim: {
claimName: mediaPvcName,
},
},
{
name: "downloads",
persistentVolumeClaim: {
claimName: downloadsPvcName,
},
},
],
},
},
},
});
new PrivateCertificate(this, "certificate", {
provider,
namespace,
name,
commonName: host,
dnsNames: [host],
secretName: `${name}-tls`,
});
// Ingress
new InternalIngressRoute(this, "ingress", {
provider,
namespace,
name,
host,
serviceName: name,
servicePort: 80,
tlsSecretName: `${name}-tls`,
});
}
}

32
media-services/types.ts Normal file
View File

@@ -0,0 +1,32 @@
import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
/**
* Common options shared across all media service constructs
*/
export type BaseMediaServiceOptions = {
provider: KubernetesProvider;
namespace: string;
};
/**
* Common environment variables for LinuxServer.io containers
*/
export const getCommonEnv = () => [
{ name: "TZ", value: "Asia/Karachi" },
{ name: "PUID", value: "1000" },
{ name: "PGID", value: "1000" },
];
/**
* Node selector for the aamil-3 node
*/
export const getAamil3NodeSelector = () => ({
"kubernetes.io/hostname": "aamil-3",
});
/**
* Node selector for worker nodepool
*/
export const getWorkerNodeSelector = () => ({
nodepool: "worker",
});

5
minecraft/namespace.yaml
View File

@@ -1,5 +0,0 @@
---
apiVersion: v1
kind: Namespace
metadata:
name: minecraft

33
minecraft/pvc.yaml
View File

@@ -2,36 +2,13 @@
apiVersion: v1 apiVersion: v1
kind: PersistentVolumeClaim kind: PersistentVolumeClaim
metadata: metadata:
name: monifactory-data name: atm10-data
namespace: minecraft namespace: minecraft
labels:
recurring-job.longhorn.io/source: "enabled"
recurring-job.longhorn.io/daily-backup: "enabled"
spec: spec:
storageClassName: longhorn-crypto storageClassName: longhorn
accessModes:
- ReadWriteMany
resources:
requests:
storage: 10Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: gtnh-data
namespace: minecraft
spec:
storageClassName: longhorn-crypto
accessModes:
- ReadWriteMany
resources:
requests:
storage: 10Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: tfg-data
namespace: minecraft
spec:
storageClassName: longhorn-crypto
accessModes: accessModes:
- ReadWriteMany - ReadWriteMany
resources: resources:

40
minecraft/service.yaml
View File

@@ -2,44 +2,14 @@
apiVersion: v1 apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: monifactory-server name: atm10-server
namespace: minecraft namespace: minecraft
labels: labels:
app: monifactory-server app: atm10-server
spec: spec:
type: ClusterIP type: LoadBalancer
ports: ports:
- name: monifactory - name: atm10
port: 25565 port: 25565
selector: selector:
app: monifactory-server app: atm10-server
---
apiVersion: v1
kind: Service
metadata:
name: gtnh-server
namespace: minecraft
labels:
app: gtnh-server
spec:
type: ClusterIP
ports:
- name: gtnh
port: 25565
selector:
app: gtnh-server
---
apiVersion: v1
kind: Service
metadata:
name: tfg-server
namespace: minecraft
labels:
app: tfg-server
spec:
type: ClusterIP
ports:
- name: tfg
port: 25565
selector:
app: tfg-server

155
minecraft/statefulset.yaml
View File

@@ -2,142 +2,23 @@
apiVersion: apps/v1 apiVersion: apps/v1
kind: StatefulSet kind: StatefulSet
metadata: metadata:
name: monifactory-server name: atm10-server
namespace: minecraft namespace: minecraft
spec: spec:
serviceName: atm10-server
selector: selector:
matchLabels: matchLabels:
app: monifactory-server app: atm10-server
template: template:
metadata: metadata:
labels: labels:
app: monifactory-server app: atm10-server
spec: spec:
nodeSelector:
nodepool: worker
containers: containers:
- name: monifactory-server - name: atm10-server
image: itzg/minecraft-server:java17 image: itzg/minecraft-server:java21
env:
- name: EULA
value: "TRUE"
- name: MODE
value: "survival"
- name: DIFFICULTY
value: "peaceful"
- name: MODPACK_PLATFORM
value: "AUTO_CURSEFORGE"
- name: CF_API_KEY
valueFrom:
secretKeyRef:
name: curseforge
key: credential
- name: CF_PAGE_URL
value: "https://www.curseforge.com/minecraft/modpacks/monifactory/"
- name: VERSION
value: "1.20.1"
- name: INIT_MEMORY
value: 4G
- name: MAX_MEMORY
value: 8G
- name: ALLOW_FLIGHT
value: "TRUE"
- name: ENABLE_ROLLING_LOGS
value: "TRUE"
- name: USE_MEOWICE_FLAGS
value: "TRUE"
ports:
- name: minecraft
containerPort: 25565
resources:
requests:
cpu: 4
memory: "4Gi"
limits:
cpu: 8
memory: "8Gi"
volumeMounts:
- name: monifactory-data
mountPath: /data
volumes:
- name: monifactory-data
persistentVolumeClaim:
claimName: monifactory-data
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: gtnh-server
namespace: minecraft
spec:
selector:
matchLabels:
app: gtnh-server
template:
metadata:
labels:
app: gtnh-server
spec:
containers:
- name: gtnh-server
image: itzg/minecraft-server:java25
env:
- name: EULA
value: "TRUE"
- name: MODE
value: "survival"
- name: DIFFICULTY
value: "peaceful"
- name: TYPE
value: "CUSTOM"
- name: GENERIC_PACKS
value: "GT_New_Horizons_2.8.0_Server_Java_17-25"
- name: GENERIC_PACKS_SUFFIX
value: ".zip"
- name: GENERIC_PACKS_PREFIX
value: "https://downloads.gtnewhorizons.com/ServerPacks/"
- name: SKIP_GENERIC_PACK_UPDATE_CHECK
value: "true"
- name: MEMORY
value: 6G
- name: JVM_OPTS
value: "-Dfml.readTimeout=180 -Dfml.queryResult=confirm @java9args.txt"
- name: CUSTOM_JAR_EXEC
value: "-jar lwjgl3ify-forgePatches.jar nogui"
- name: ALLOW_FLIGHT
value: "TRUE"
- name: ENABLE_ROLLING_LOGS
value: "TRUE"
ports:
- name: gtnh
containerPort: 25565
resources:
limits:
cpu: 8
memory: "8Gi"
volumeMounts:
- name: gtnh-data
mountPath: /data
volumes:
- name: gtnh-data
persistentVolumeClaim:
claimName: gtnh-data
---
apiVersion: apps/v1
kind: StatefulSet
metadata:
name: tfg-server
namespace: minecraft
spec:
selector:
matchLabels:
app: tfg-server
template:
metadata:
labels:
app: tfg-server
spec:
containers:
- name: tfg-server
image: itzg/minecraft-server:java17
env: env:
- name: EULA - name: EULA
value: "TRUE" value: "TRUE"
@@ -151,21 +32,23 @@ spec:
name: curseforge name: curseforge
key: credential key: credential
- name: CF_PAGE_URL - name: CF_PAGE_URL
value: "https://www.curseforge.com/minecraft/modpacks/terrafirmagreg-modern/" value: "https://www.curseforge.com/minecraft/modpacks/all-the-mods-10/files/7121777"
- name: CF_FILENAME_MATCHER
value: "0.10.17"
- name: VERSION - name: VERSION
value: "1.20.1" value: "1.21.1"
- name: INIT_MEMORY - name: INIT_MEMORY
value: 2G value: 2G
- name: MAX_MEMORY - name: MAX_MEMORY
value: 8G value: 15G
- name: ALLOW_FLIGHT - name: ALLOW_FLIGHT
value: "TRUE" value: "TRUE"
- name: ENABLE_ROLLING_LOGS - name: ENABLE_ROLLING_LOGS
value: "TRUE" value: "TRUE"
- name: USE_MEOWICE_FLAGS - name: USE_MEOWICE_FLAGS
value: "TRUE" value: "TRUE"
- name: CF_OVERRIDES_EXCLUSIONS
value: |
# Not applicable for server side
shaderpacks/**
ports: ports:
- name: minecraft - name: minecraft
containerPort: 25565 containerPort: 25565
@@ -175,11 +58,11 @@ spec:
memory: "2Gi" memory: "2Gi"
limits: limits:
cpu: 6 cpu: 6
memory: "9Gi" memory: "16Gi"
volumeMounts: volumeMounts:
- name: tfg-data - name: atm10-data
mountPath: /data mountPath: /data
volumes: volumes:
- name: tfg-data - name: atm10-data
persistentVolumeClaim: persistentVolumeClaim:
claimName: tfg-data claimName: atm10-data

95
netbird/index.ts Normal file
View File

@@ -0,0 +1,95 @@
import * as fs from "fs";
import * as path from "path";
import { Construct } from "constructs";
import { TerraformStack } from "cdktf";
import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
import { NamespaceV1 } from "@cdktf/provider-kubernetes/lib/namespace-v1";
import { DataKubernetesSecretV1 } from "@cdktf/provider-kubernetes/lib/data-kubernetes-secret-v1";
import { HelmProvider } from "@cdktf/provider-helm/lib/provider";
import { SecretV1 } from "@cdktf/provider-kubernetes/lib/secret-v1";
import { Release } from "@cdktf/provider-helm/lib/release";
import { CloudflareCertificate, OnePasswordSecret } from "../utils";
export class Netbird extends TerraformStack {
constructor(scope: Construct, id: string) {
super(scope, id);
const kubernetes = new KubernetesProvider(this, "kubernetes", {
configPath: "~/.kube/config",
});
const helm = new HelmProvider(this, "helm", {
kubernetes: {
configPath: "~/.kube/config",
},
});
const namespace = "netbird";
// Create namespace
new NamespaceV1(this, "namespace", {
metadata: {
name: namespace,
},
});
new OnePasswordSecret(this, "netbird-secret", {
name: "netbird",
namespace,
provider: kubernetes,
itemPath: "vaults/Lab/items/Netbird",
});
const pgClientCert = new DataKubernetesSecretV1(
this,
"netbird-client-cert",
{
provider: kubernetes,
metadata: {
name: "netbird-client-cert",
namespace: "homelab",
},
},
);
const pgCaCert = new DataKubernetesSecretV1(this, "postgres-ca-cert", {
provider: kubernetes,
metadata: {
name: "postgres-server-cert",
namespace: "homelab",
},
});
const pgSslBundle = new SecretV1(this, "netbird-postgres-ssl", {
provider: kubernetes,
metadata: {
name: "netbird-postgres-ssl-bundle",
namespace,
},
data: {
"tls.crt": pgClientCert.data.lookup("tls.crt"),
"tls.key": pgClientCert.data.lookup("tls.key"),
"ca.crt": pgCaCert.data.lookup("ca.crt"),
},
});
new CloudflareCertificate(this, "netbird-cloudflare-cert", {
provider: kubernetes,
name: "netbird",
namespace,
dnsNames: ["vpn.dogar.dev"],
secretName: "netbird-tls",
});
new Release(this, "netbird", {
dependsOn: [pgSslBundle],
provider: helm,
namespace,
createNamespace: true,
name: "netbird",
repository: "https://netbirdio.github.io/helms",
chart: "netbird",
values: [fs.readFileSync(path.join(__dirname, "values.yaml"), "utf8")],
}).importFrom("netbird/netbird");
}
}

218
netbird/values.yaml Normal file
View File

@@ -0,0 +1,218 @@
fullnameOverride: netbird
management:
configmap: |-
{
"Stuns": [
{
"Proto": "udp",
"URI": "{{ .STUN_SERVER }}",
"Username": "",
"Password": ""
}
],
"TURNConfig": {
"TimeBasedCredentials": false,
"CredentialsTTL": "12h0m0s",
"Secret": "secret",
"Turns": [
{
"Proto": "udp",
"URI": "{{ .TURN_SERVER }}",
"Username": "{{ .TURN_SERVER_USER }}",
"Password": "{{ .TURN_SERVER_PASSWORD }}"
}
]
},
"Relay": {
"Addresses": ["rels://vpn.dogar.dev:443/relay"],
"CredentialsTTL": "24h",
"Secret": "{{ .RELAY_PASSWORD }}"
},
"Signal": {
"Proto": "https",
"URI": "vpn.dogar.dev:443",
"Username": "",
"Password": ""
},
"Datadir": "/var/lib/netbird/",
"DataStoreEncryptionKey": "{{ .DATASTORE_ENCRYPTION_KEY }}",
"HttpConfig": {
"LetsEncryptDomain": "",
"CertFile": "",
"CertKey": "",
"AuthAudience": "{{ .IDP_CLIENT_ID }}",
"AuthIssuer": "https://auth.dogar.dev/application/o/netbird/",
"AuthUserIDClaim": "",
"AuthKeysLocation": "https://auth.dogar.dev/application/o/netbird/jwks/",
"OIDCConfigEndpoint": "https://auth.dogar.dev/application/o/netbird/.well-known/openid-configuration",
"IdpSignKeyRefreshEnabled": false
},
"IdpManagerConfig": {
"ManagerType": "authentik",
"ClientConfig": {
"Issuer": "https://auth.dogar.dev/application/o/netbird",
"TokenEndpoint": "https://auth.dogar.dev/application/o/token/",
"ClientID": "{{ .IDP_CLIENT_ID }}",
"ClientSecret": "",
"GrantType": "client_credentials"
},
"ExtraConfig": {
"Password": "{{ .IDP_SERVICE_ACCOUNT_PASSWORD }}",
"Username": "{{ .IDP_SERVICE_ACCOUNT_USER }}"
},
"Auth0ClientCredentials": null,
"AzureClientCredentials": null,
"KeycloakClientCredentials": null,
"ZitadelClientCredentials": null
},
"DeviceAuthorizationFlow": {
"Provider": "hosted",
"ProviderConfig": {
"ClientID": "{{ .IDP_CLIENT_ID }}",
"ClientSecret": "",
"Domain": "auth.dogar.dev",
"Audience": "{{ .IDP_CLIENT_ID }}",
"TokenEndpoint": "https://auth.dogar.dev/application/o/token/",
"DeviceAuthEndpoint": "https://auth.dogar.dev/application/o/device/",
"AuthorizationEndpoint": "",
"Scope": "openid",
"UseIDToken": false,
"RedirectURLs": null
}
},
"PKCEAuthorizationFlow": {
"ProviderConfig": {
"ClientID": "{{ .IDP_CLIENT_ID }}",
"ClientSecret": "",
"Domain": "",
"Audience": "{{ .IDP_CLIENT_ID }}",
"TokenEndpoint": "https://auth.dogar.dev/application/o/token/",
"DeviceAuthEndpoint": "",
"AuthorizationEndpoint": "https://auth.dogar.dev/application/o/authorize/",
"Scope": "openid profile email offline_access api",
"UseIDToken": false,
"RedirectURLs": ["http://localhost:53000"]
}
},
"StoreConfig": {
"Engine": "postgres"
},
"ReverseProxy": {
"TrustedHTTPProxies": null,
"TrustedHTTPProxiesCount": 0,
"TrustedPeers": null
}
}
persistentVolume:
enabled: true
storageClass: longhorn
size: 1Gi
envFromSecret:
NETBIRD_STORE_ENGINE_POSTGRES_DSN: netbird/postgresDSN
STUN_SERVER: netbird/stunServer
TURN_SERVER: netbird/turnServer
TURN_SERVER_USER: netbird/turnServerUser
TURN_SERVER_PASSWORD: netbird/turnServerPassword
RELAY_PASSWORD: netbird/relayPassword
IDP_CLIENT_ID: netbird/idpClientID
IDP_SERVICE_ACCOUNT_USER: netbird/idpServiceAccountUser
IDP_SERVICE_ACCOUNT_PASSWORD: netbird/idpServiceAccountPassword
DATASTORE_ENCRYPTION_KEY: netbird/datastoreEncryptionKey
livenessProbe:
failureThreshold: 3
initialDelaySeconds: 180
periodSeconds: 10
timeoutSeconds: 3
tcpSocket:
port: http
volumes:
- name: postgres-ssl-bundle
secret:
secretName: netbird-postgres-ssl-bundle
volumeMounts:
- name: postgres-ssl-bundle
mountPath: /etc/ssl/certs/postgres-ssl-bundle
readOnly: true
signal:
enabled: true
relay:
envFromSecret:
NB_AUTH_SECRET: netbird/relayPassword
env:
NB_LOG_LEVEL: info
NB_LISTEN_ADDRESS: ":33080"
NB_EXPOSED_ADDRESS: rels://vpn.dogar.dev:443/relay
dashboard:
enabled: true
env:
# Endpoints
NETBIRD_MGMT_API_ENDPOINT: https://vpn.dogar.dev:443
NETBIRD_MGMT_GRPC_API_ENDPOINT: https://vpn.dogar.dev:443
# OIDC
AUTH_CLIENT_SECRET:
AUTH_AUTHORITY: https://auth.dogar.dev/application/o/netbird/
USE_AUTH0: false
AUTH_SUPPORTED_SCOPES: openid profile email offline_access api
AUTH_REDIRECT_URI:
AUTH_SILENT_REDIRECT_URI:
NETBIRD_TOKEN_SOURCE: accessToken
NGINX_SSL_PORT:
LETSENCRYPT_DOMAIN:
LETSENCRYPT_EMAIL:
envFromSecret:
AUTH_CLIENT_ID: netbird/idpClientID
AUTH_AUDIENCE: netbird/idpClientID
extraManifests:
- apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: netbird
namespace: netbird
spec:
entryPoints:
- websecure
routes:
- kind: Rule
match: Host(`vpn.dogar.dev`) && !PathPrefix(`/api`) && !PathPrefix(`/management`) && !PathPrefix(`/signalexchange`) && !PathPrefix(`/relay`)
services:
- name: netbird-dashboard
namespace: netbird
passHostHeader: true
port: 80
- kind: Rule
match: Host(`vpn.dogar.dev`) && PathPrefix(`/api`)
services:
- name: netbird-management
namespace: netbird
passHostHeader: true
port: 80
- kind: Rule
match: Host(`vpn.dogar.dev`) && PathPrefix(`/relay`)
services:
- name: netbird-relay
namespace: netbird
passHostHeader: true
port: 33080
- kind: Rule
match: Host(`vpn.dogar.dev`) && PathPrefix(`/management`)
services:
- name: netbird-management
namespace: netbird
passHostHeader: true
port: 80
scheme: h2c
- kind: Rule
match: Host(`vpn.dogar.dev`) && PathPrefix(`/signalexchange`)
services:
- name: netbird-signal
namespace: netbird
passHostHeader: true
port: 80
scheme: h2c
tls:
secretName: netbird-tls

128
network-security/index.ts Normal file
View File

@@ -0,0 +1,128 @@
import { DataKubernetesNamespaceV1 } from "@cdktf/provider-kubernetes/lib/data-kubernetes-namespace-v1";
import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
import { DataTerraformRemoteStateS3, TerraformStack } from "cdktf";
import { Construct } from "constructs";
import {
RateLimitMiddleware,
IpAllowListMiddleware,
IpAllowListMiddlewareTCP,
TLSOptions,
} from "./traefik";
import { ValkeyCluster } from "./valkey";
import { InternalIngressRoute, PrivateCertificate } from "../utils";
export class NetworkSecurity extends TerraformStack {
constructor(scope: Construct, id: string) {
super(scope, id);
const kubernetes = new KubernetesProvider(this, "kubernetes", {
configPath: "~/.kube/config",
});
const r2Endpoint = `${process.env.ACCOUNT_ID!}.r2.cloudflarestorage.com`;
const coreServicesState = new DataTerraformRemoteStateS3(
this,
"core-services-state",
{
usePathStyle: true,
skipRegionValidation: true,
skipCredentialsValidation: true,
skipRequestingAccountId: true,
skipS3Checksum: true,
encrypt: true,
bucket: "terraform-state",
key: "core-services/terraform.tfstate",
endpoints: {
s3: `https://${r2Endpoint}`,
},
region: "auto",
accessKey: process.env.ACCESS_KEY,
secretKey: process.env.SECRET_KEY,
},
);
const namespaceName = coreServicesState.getString("namespace-output");
const namespaceResource = new DataKubernetesNamespaceV1(
this,
"homelab-namespace",
{
provider: kubernetes,
metadata: {
name: namespaceName,
},
},
);
const namespace = namespaceResource.metadata.name;
new ValkeyCluster(this, "valkey-cluster", {
provider: kubernetes,
name: "valkey",
namespace,
});
new RateLimitMiddleware(this, "rate-limit", {
provider: kubernetes,
namespace,
name: "rate-limit",
});
new TLSOptions(this, "tls-options", {
provider: kubernetes,
namespace,
});
new IpAllowListMiddleware(this, "internal-ip-allow-list", {
provider: kubernetes,
namespace,
name: "ip-allow-list",
sourceRanges: ["192.168.18.0/24", "10.42.0.0/16"],
});
new IpAllowListMiddlewareTCP(this, "tcp-internal-ip-allow-list", {
provider: kubernetes,
namespace,
name: "tcp-ip-allow-list",
sourceRanges: ["192.168.18.0/24", "10.42.0.0/16"],
});
new PrivateCertificate(this, "longhorn-cert", {
provider: kubernetes,
namespace: "longhorn-system",
name: "longhorn-ui",
dnsNames: ["longhorn.dogar.dev"],
commonName: "longhorn.dogar.dev",
secretName: "longhorn-tls",
});
new InternalIngressRoute(this, "longhorn-ui", {
provider: kubernetes,
namespace: "longhorn-system",
name: "longhorn-ui",
host: "longhorn.dogar.dev",
serviceName: "longhorn-frontend",
servicePort: 80,
tlsSecretName: "longhorn-tls",
});
new PrivateCertificate(this, "grafana-cert", {
provider: kubernetes,
namespace: "monitoring",
name: "grafana-ui",
dnsNames: ["grafana.dogar.dev"],
commonName: "grafana.dogar.dev",
secretName: "grafana-tls",
});
new InternalIngressRoute(this, "grafana-ui", {
provider: kubernetes,
namespace: "monitoring",
name: "grafana-ui",
host: "grafana.dogar.dev",
serviceName: "prometheus-operator-grafana",
servicePort: 80,
tlsSecretName: "grafana-tls",
});
}
}

3
network-security/traefik/index.ts Normal file
View File

@@ -0,0 +1,3 @@
export { RateLimitMiddleware } from "./rateLimit";
export { IpAllowListMiddleware, IpAllowListMiddlewareTCP } from "./ipAllowList";
export { TLSOptions } from "./tlsOpts";

64
network-security/traefik/ipAllowList.ts Normal file
View File

@@ -0,0 +1,64 @@
import { Construct } from "constructs";
import { Manifest } from "@cdktf/provider-kubernetes/lib/manifest";
import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
type IpAllowListMiddlewareOptions = {
provider: KubernetesProvider;
namespace: string;
name: string;
sourceRanges: string[];
};
export class IpAllowListMiddleware extends Construct {
constructor(
scope: Construct,
id: string,
opts: IpAllowListMiddlewareOptions,
) {
super(scope, id);
new Manifest(this, opts.name, {
provider: opts.provider,
manifest: {
apiVersion: "traefik.io/v1alpha1",
kind: "Middleware",
metadata: {
name: opts.name,
namespace: opts.namespace,
},
spec: {
ipAllowList: {
sourceRange: opts.sourceRanges,
},
},
},
});
}
}
export class IpAllowListMiddlewareTCP extends Construct {
constructor(
scope: Construct,
id: string,
opts: IpAllowListMiddlewareOptions,
) {
super(scope, id);
new Manifest(this, opts.name, {
provider: opts.provider,
manifest: {
apiVersion: "traefik.io/v1alpha1",
kind: "MiddlewareTCP",
metadata: {
name: opts.name,
namespace: opts.namespace,
},
spec: {
ipAllowList: {
sourceRange: opts.sourceRanges,
},
},
},
});
}
}

51
network-security/traefik/rateLimit.ts Normal file
View File

@@ -0,0 +1,51 @@
import { Construct } from "constructs";
import { Manifest } from "@cdktf/provider-kubernetes/lib/manifest";
import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
type RateLimitMiddlewareOptions = {
provider: KubernetesProvider;
namespace: string;
name: string;
average?: number; // default 60
burst?: number; // default 120
period?: string; // default "1s"
};
export class RateLimitMiddleware extends Construct {
public readonly ref: string;
constructor(scope: Construct, id: string, opts: RateLimitMiddlewareOptions) {
super(scope, id);
const average = opts.average ?? 60;
const burst = opts.burst ?? 120;
const period = opts.period ?? "1s";
this.ref = `${opts.namespace}/${opts.name}`;
new Manifest(this, opts.name, {
provider: opts.provider,
manifest: {
apiVersion: "traefik.io/v1alpha1",
kind: "Middleware",
metadata: {
name: opts.name,
namespace: opts.namespace,
},
spec: {
rateLimit: {
average,
burst,
period,
redis: {
endpoints: [`valkey.${opts.namespace}.svc.cluster.local:6379`],
secret: "valkey",
db: 5,
},
},
},
},
});
}
}

31
network-security/traefik/tlsOpts.ts Normal file
View File

@@ -0,0 +1,31 @@
import { Construct } from "constructs";
import { Manifest } from "@cdktf/provider-kubernetes/lib/manifest";
import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
export class TLSOptions extends Construct {
constructor(
scope: Construct,
id: string,
opts: { provider: KubernetesProvider; namespace: string },
) {
super(scope, id);
const { provider, namespace } = opts;
new Manifest(this, "traefik-tls-options", {
provider,
manifest: {
apiVersion: "traefik.io/v1alpha1",
kind: "TLSOption",
metadata: {
namespace,
name: "tls-options",
},
spec: {
minVersion: "VersionTLS13",
sniStrict: true,
},
},
});
}
}

33
valkey/index.ts → network-security/valkey/index.ts
View File

@@ -2,6 +2,7 @@ import { DeploymentV1 } from "@cdktf/provider-kubernetes/lib/deployment-v1";
import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider"; import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
import { ServiceV1 } from "@cdktf/provider-kubernetes/lib/service-v1"; import { ServiceV1 } from "@cdktf/provider-kubernetes/lib/service-v1";
import { Construct } from "constructs"; import { Construct } from "constructs";
import { OnePasswordSecret } from "../../utils";
type ValkeyClusterOptions = { type ValkeyClusterOptions = {
provider: KubernetesProvider; provider: KubernetesProvider;
@@ -17,7 +18,14 @@ export class ValkeyCluster extends Construct {
const labels = { app: "valkey" }; const labels = { app: "valkey" };
const { provider, name, namespace } = options; const { provider, name, namespace } = options;
new DeploymentV1(this, "valkeyDeployment", { new OnePasswordSecret(this, "secret", {
provider,
name: "valkey",
namespace,
itemPath: "vaults/Lab/items/valkey",
});
new DeploymentV1(this, "deployment", {
provider, provider,
metadata: { metadata: {
name, name,
@@ -52,9 +60,22 @@ export class ValkeyCluster extends Construct {
}, },
}, },
}, },
{
name: "SHAHAB_PASSWORD",
valueFrom: {
secretKeyRef: { name: "valkey", key: "password" },
},
},
], ],
command: ["/bin/sh", "-c"], command: ["/bin/sh", "-c"],
args: ['exec valkey-server --requirepass "$PASSWORD"'], args: [
`
valkey-server --requirepass "$PASSWORD" &
sleep 2
valkey-cli -a "$PASSWORD" ACL SETUSER shahab on ">$SHAHAB_PASSWORD" allcommands allkeys
wait
`,
],
readinessProbe: { readinessProbe: {
tcpSocket: [ tcpSocket: [
{ {
@@ -93,19 +114,15 @@ export class ValkeyCluster extends Construct {
}, },
}); });
new ServiceV1(this, "valkeyService", { new ServiceV1(this, "valkey-service", {
provider, provider,
metadata: { metadata: {
name, name,
namespace, namespace,
labels, labels,
annotations: {
"external-dns.alpha.kubernetes.io/hostname": "valkey.dogar.dev",
"metallb.io/ip-allocated-from-pool": "pool",
},
}, },
spec: { spec: {
type: "LoadBalancer", type: "ClusterIP",
selector: labels, selector: labels,
port: [ port: [
{ {

145
nixos/master/configuration.nix
View File

@@ -1,145 +0,0 @@
# Edit this configuration file to define what should be installed on
# your system. Help is available in the configuration.nix(5) man page, on
# https://search.nixos.org/options and in the NixOS manual (`nixos-help`).
{ pkgs, meta, ... }:
{
imports = [ ./hardware-configuration.nix ];
nix = {
settings = {
require-sigs = false;
experimental-features = [ "nix-command" "flakes" ];
};
};
# Use the systemd-boot EFI boot loader.
boot.loader.systemd-boot.enable = true;
boot.loader.efi.canTouchEfiVariables = true;
networking.hostName = meta.hostname; # Define your hostname.
# Pick only one of the below networking options.
networking.networkmanager.enable = true;
networking.interfaces.enp1s0.ipv4.addresses = [
{
address = (
if meta.hostname == "homelab-0" then "192.168.18.10"
else if meta.hostname == "homelab-1" then "192.168.18.11"
else if meta.hostname == "homelab-2" then "192.168.18.12"
else throw "Unknown hostname"
);
prefixLength = 24;
}
];
networking.defaultGateway = "192.168.18.1";
networking.nameservers = [
"192.168.18.250"
"1.1.1.1"
];
# Set your time zone.
time.timeZone = "Asia/Karachi";
# Select internationalisation properties.
i18n.defaultLocale = "en_US.UTF-8";
console = {
font = "Lat2-Terminus16";
keyMap = "us";
};
# Fixes for longhorn
systemd.tmpfiles.rules = [
"L+ /usr/local/bin - - - - /run/current-system/sw/bin/"
];
virtualisation.docker.logDriver = "json-file";
services.k3s = {
enable = true;
role = "server";
tokenFile = /var/lib/rancher/k3s/server/token;
extraFlags = toString ([
"--write-kubeconfig-mode \"0644\""
"--cluster-init"
"--disable servicelb"
"--disable traefik"
"--disable local-storage"
] ++ (if meta.hostname == "homelab-0" then [] else [
"--server https://192.168.18.10:6443"
]));
clusterInit = (meta.hostname == "homelab-0");
};
services.openiscsi = {
enable = true;
name = "iqn.2016-04.com.open-iscsi:${meta.hostname}";
};
# Define a user account. Don't forget to set a password with passwd.
users.users.shahab = {
isNormalUser = true;
extraGroups = [ "wheel" ]; # Enable sudo for the user.
packages = with pkgs; [
tree
cloudflared
];
# Created using mkpasswd
hashedPassword = "$6$.ZlYnf2cZph4tCbM$E/JJUDirRV8MZrgX4Rh.Pi1q95tev1ZxcKjPA1I.uURv56qoWcC39MJWO9S2T5MlkPVbSLGiM8Ihfz9mERImo/";
openssh.authorizedKeys.keys = [
"ssh-ed25519 AAAAC3NzaC1lZDI1NTE5AAAAIGD/V4jLpuk7uAovkbHFr6uulfBKZmsH+BqmXIR2aYD0"
];
};
security.sudo.extraRules = [
{
users = ["shahab"];
commands = [
{ command = "ALL"; options = ["NOPASSWD"]; }
];
}
];
# List packages installed in system profile. To search, run:
# $ nix search wget
environment.systemPackages = with pkgs; [
neovim
k3s
cifs-utils
nfs-utils
git
];
# List services that you want to enable:
# Enable the OpenSSH daemon.
services.openssh.enable = true;
# Open ports in the firewall.
# networking.firewall.allowedTCPPorts = [ 80 ];
# networking.firewall.allowedUDPPorts = [ ... ];
# Or disable the firewall altogether.
networking.firewall.enable = false;
# Copy the NixOS configuration file and link it from the resulting system
# (/run/current-system/configuration.nix). This is useful in case you
# accidentally delete configuration.nix.
# system.copySystemConfiguration = true;
# This option defines the first version of NixOS you have installed on this particular machine,
# and is used to maintain compatibility with application data (e.g. databases) created on older NixOS versions.
#
# Most users should NEVER change this value after the initial install, for any reason,
# even if you've upgraded your system to a new NixOS release.
#
# This value does NOT affect the Nixpkgs version your packages and OS are pulled from,
# so changing it will NOT upgrade your system.
#
# This value being lower than the current NixOS release does NOT mean your system is
# out of date, out of support, or vulnerable.
#
# Do NOT change this value unless you have manually inspected all the changes it would make to your configuration,
# and migrated your data accordingly.
#
# For more information, see `man configuration.nix` or https://nixos.org/manual/nixos/stable/options#opt-system.stateVersion .
system.stateVersion = "24.05"; # Did you read the comment?
}

45
nixos/master/disko-config.nix
View File

@@ -1,45 +0,0 @@
{
disko.devices = {
disk = {
vdb = {
type = "disk";
device = "/dev/nvme0n1";
content = {
type = "gpt";
partitions = {
ESP = {
priority = 1;
name = "ESP";
start = "1M";
end = "128M";
type = "EF00";
content = {
type = "filesystem";
format = "vfat";
mountpoint = "/boot";
};
};
luks = {
size = "100%";
content = {
name = "crypted";
type = "luks";
passwordFile = "/tmp/secret.key";
settings = {
allowDiscards = true;
crypttabExtraOpts =
[ "fido2-device=auto" "token-timeout=10" ];
};
content = {
type = "filesystem";
format = "ext4";
mountpoint = "/";
};
};
};
};
};
};
};
};
}

48
nixos/master/flake.lock generated
View File

@@ -1,48 +0,0 @@
{
"nodes": {
"disko": {
"inputs": {
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1758287904,
"narHash": "sha256-IGmaEf3Do8o5Cwp1kXBN1wQmZwQN3NLfq5t4nHtVtcU=",
"owner": "nix-community",
"repo": "disko",
"rev": "67ff9807dd148e704baadbd4fd783b54282ca627",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "disko",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1759994382,
"narHash": "sha256-wSK+3UkalDZRVHGCRikZ//CyZUJWDJkBDTQX1+G77Ow=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "5da4a26309e796daa7ffca72df93dbe53b8164c7",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-25.05",
"repo": "nixpkgs",
"type": "github"
}
},
"root": {
"inputs": {
"disko": "disko",
"nixpkgs": "nixpkgs"
}
}
},
"root": "root",
"version": 7
}

37
nixos/master/flake.nix
View File

@@ -1,37 +0,0 @@
{
description = "Homelab NixOS Flake";
inputs = {
nixpkgs.url = "github:NixOS/nixpkgs/nixos-25.05";
# Disko
disko = {
url = "github:nix-community/disko";
inputs.nixpkgs.follows = "nixpkgs";
};
};
outputs = { nixpkgs, disko, ... }: let
nodes = [
"homelab-0"
"homelab-1"
"homelab-2"
];
in {
nixosConfigurations = builtins.listToAttrs (map (name: {
name = name;
value = nixpkgs.lib.nixosSystem {
specialArgs = {
meta = { hostname = name; };
};
system = "x86_64-linux";
modules = [
# Modules
disko.nixosModules.disko
./hardware-configuration.nix
./disko-config.nix
./configuration.nix
];
};
}) nodes);
};
}

24
nixos/master/hardware-configuration.nix
View File

@@ -1,24 +0,0 @@
# Do not modify this file! It was generated by nixos-generate-config
# and may be overwritten by future invocations. Please make changes
# to /etc/nixos/configuration.nix instead.
{ config, lib, modulesPath, ... }:
{
imports = [(modulesPath + "/installer/scan/not-detected.nix")];
boot.initrd.availableKernelModules = [ "nvme" "xhci_pci" "usbhid" "usb_storage" "sd_mod" ];
boot.initrd.kernelModules = [ ];
boot.kernelModules = [ "kvm-amd" ];
boot.extraModulePackages = [ ];
# Enables DHCP on each ethernet and wireless interface. In case of scripted networking
# (the default) this is the recommended approach. When using systemd-networkd it's
# still possible to use this option, but it's recommended to use it in conjunction
# with explicit per-interface declarations with `networking.interfaces.<interface>.useDHCP`.
networking.useDHCP = lib.mkDefault false;
networking.interfaces.enp1s0.useDHCP = lib.mkDefault false;
# networking.interfaces.wlo1.useDHCP = lib.mkDefault true;
nixpkgs.hostPlatform = lib.mkDefault "x86_64-linux";
hardware.cpu.amd.updateMicrocode = lib.mkDefault config.hardware.enableRedistributableFirmware;
}

160
package-lock.json generated
View File

@@ -9,46 +9,60 @@
"version": "1.0.0", "version": "1.0.0",
"license": "GPL-3.0-or-later", "license": "GPL-3.0-or-later",
"dependencies": { "dependencies": {
"@cdktf/provider-helm": "10.5.0", "@cdktf/provider-helm": "12.1.1",
"@cdktf/provider-kubernetes": "11.12.1", "@cdktf/provider-kubernetes": "12.1.0",
"cdktf": "^0.20.12", "@cdktf/provider-null": "^11.0.0",
"constructs": "^10.4.2", "cdktf": "^0.21.0",
"dotenv": "^16.5.0", "constructs": "^10.4.3",
"envalid": "^8.0.0" "dotenv": "^17.2.3",
"envalid": "^8.1.1"
}, },
"devDependencies": { "devDependencies": {
"@types/node": "^24.0.3", "@types/node": "^24.10.1",
"ts-node": "^10.9.2", "ts-node": "^10.9.2",
"typescript": "^5.8.3" "typescript": "^5.9.3"
}, },
"engines": { "engines": {
"node": "24" "node": "24"
} }
}, },
"node_modules/@cdktf/provider-helm": { "node_modules/@cdktf/provider-helm": {
"version": "10.5.0", "version": "12.1.1",
"resolved": "https://registry.npmjs.org/@cdktf/provider-helm/-/provider-helm-10.5.0.tgz", "resolved": "https://registry.npmjs.org/@cdktf/provider-helm/-/provider-helm-12.1.1.tgz",
"integrity": "sha512-u3Q6VNIayaSFfEKZh+JG3PDrwcl9igHLWUdi6cK1G385tw4UyUpZ8osUnGhOErxbZtlcp4yeZ1c5+1OMP4epLA==", "integrity": "sha512-bi1Smig+b38eKs0yP/JJhbwTKHclp91fNLkcEDS7nI+6AQ4+uqN24CxHGUc6hpwNmatNnLH90gR0+iq/p6KEuw==",
"license": "MPL-2.0", "license": "MPL-2.0",
"engines": { "engines": {
"node": ">= 18.12.0" "node": ">= 20.9.0"
}, },
"peerDependencies": { "peerDependencies": {
"cdktf": "^0.20.0", "cdktf": "^0.21.0",
"constructs": "^10.3.0" "constructs": "^10.4.2"
} }
}, },
"node_modules/@cdktf/provider-kubernetes": { "node_modules/@cdktf/provider-kubernetes": {
"version": "11.12.1", "version": "12.1.0",
"resolved": "https://registry.npmjs.org/@cdktf/provider-kubernetes/-/provider-kubernetes-11.12.1.tgz", "resolved": "https://registry.npmjs.org/@cdktf/provider-kubernetes/-/provider-kubernetes-12.1.0.tgz",
"integrity": "sha512-8LgaY0VULF/2f8iXqojGujP7DKSzl1didqbxMb7uMX0oE3EVDdtmJNIAY2D6oXjW95b9+NVQmhg4iN/jiF7zpA==", "integrity": "sha512-GVFbQIPaMeGbzbGyvTWwBUgdc9kKOGWRQNmzvD5A1bFtDTAVk77kRfdfooVuj869TDHF77WXIn6LGp8uuHoJrQ==",
"license": "MPL-2.0", "license": "MPL-2.0",
"engines": { "engines": {
"node": ">= 18.12.0" "node": ">= 20.9.0"
}, },
"peerDependencies": { "peerDependencies": {
"cdktf": "^0.20.0", "cdktf": "^0.21.0",
"constructs": "^10.3.0" "constructs": "^10.4.2"
}
},
"node_modules/@cdktf/provider-null": {
"version": "11.0.0",
"resolved": "https://registry.npmjs.org/@cdktf/provider-null/-/provider-null-11.0.0.tgz",
"integrity": "sha512-OX/ADMXtPWBV/ZTBxCiMGUX0EMI+ooxXZWrZAskJAKIO2Ny1tpBXLE13NpfU9fG+6GkR4e1hLNsOMdO99DuhCA==",
"license": "MPL-2.0",
"engines": {
"node": ">= 20.9.0"
},
"peerDependencies": {
"cdktf": "^0.21.0",
"constructs": "^10.4.2"
} }
}, },
"node_modules/@cspotcode/source-map-support": { "node_modules/@cspotcode/source-map-support": {
@@ -75,9 +89,9 @@
} }
}, },
"node_modules/@jridgewell/sourcemap-codec": { "node_modules/@jridgewell/sourcemap-codec": {
"version": "1.5.0", "version": "1.5.5",
"resolved": "https://registry.npmjs.org/@jridgewell/sourcemap-codec/-/sourcemap-codec-1.5.0.tgz", "resolved": "https://registry.npmjs.org/@jridgewell/sourcemap-codec/-/sourcemap-codec-1.5.5.tgz",
"integrity": "sha512-gv3ZRaISU3fjPAgNsriBRqGWQL6quFx04YMPW/zD8XMLsU32mhCCbfbO6KZFLjvYpCZ8zyDEgqsgf+PwPaM7GQ==", "integrity": "sha512-cYQ9310grqxueWbl+WuIUIaiUaDcj7WOq5fVhEljNVgRfOUhY9fy2zTvfoqWsnebh8Sl70VScFbICvJnLKB0Og==",
"dev": true, "dev": true,
"license": "MIT" "license": "MIT"
}, },
@@ -93,9 +107,9 @@
} }
}, },
"node_modules/@tsconfig/node10": { "node_modules/@tsconfig/node10": {
"version": "1.0.11", "version": "1.0.12",
"resolved": "https://registry.npmjs.org/@tsconfig/node10/-/node10-1.0.11.tgz", "resolved": "https://registry.npmjs.org/@tsconfig/node10/-/node10-1.0.12.tgz",
"integrity": "sha512-DcRjDCujK/kCk/cUe8Xz8ZSpm8mS3mNNpta+jGCA6USEDfktlNvm1+IuZ9eTcDbNk41BHwpHHeW+N1lKCz4zOw==", "integrity": "sha512-UCYBaeFvM11aU2y3YPZ//O5Rhj+xKyzy7mvcIoAjASbigy8mHMryP5cK7dgjlz2hWxh1g5pLw084E0a/wlUSFQ==",
"dev": true, "dev": true,
"license": "MIT" "license": "MIT"
}, },
@@ -121,13 +135,14 @@
"license": "MIT" "license": "MIT"
}, },
"node_modules/@types/node": { "node_modules/@types/node": {
"version": "24.0.3", "version": "24.10.1",
"resolved": "https://registry.npmjs.org/@types/node/-/node-24.0.3.tgz", "resolved": "https://registry.npmjs.org/@types/node/-/node-24.10.1.tgz",
"integrity": "sha512-R4I/kzCYAdRLzfiCabn9hxWfbuHS573x+r0dJMkkzThEa7pbrcDWK+9zu3e7aBOouf+rQAciqPFMnxwr0aWgKg==", "integrity": "sha512-GNWcUTRBgIRJD5zj+Tq0fKOJ5XZajIiBroOF0yvj2bSU1WvNdYS/dn9UxwsujGW4JX06dnHyjV2y9rRaybH0iQ==",
"dev": true, "dev": true,
"license": "MIT", "license": "MIT",
"peer": true,
"dependencies": { "dependencies": {
"undici-types": "~7.8.0" "undici-types": "~7.16.0"
} }
}, },
"node_modules/acorn": { "node_modules/acorn": {
@@ -164,22 +179,23 @@
"license": "MIT" "license": "MIT"
}, },
"node_modules/cdktf": { "node_modules/cdktf": {
"version": "0.20.12", "version": "0.21.0",
"resolved": "https://registry.npmjs.org/cdktf/-/cdktf-0.20.12.tgz", "resolved": "https://registry.npmjs.org/cdktf/-/cdktf-0.21.0.tgz",
"integrity": "sha512-ZBg2gA3Uw0WvGFlgrY1uxo6QHWn+ZdHiDkZQyOsTBl68k62UlaV8K7RR51d0E/amQG/CjtKOJr5XPFFAcOq0VA==", "integrity": "sha512-bdTOOyrFSXw0p5d7/3dye7ZWYzrUatyMjWEAAwTGoqghjygRj6Q55y1QZnSB021NRDzYZ3BhFGsOkpmIjQMzNQ==",
"bundleDependencies": [ "bundleDependencies": [
"archiver", "archiver",
"json-stable-stringify", "json-stable-stringify",
"semver" "semver"
], ],
"license": "MPL-2.0", "license": "MPL-2.0",
"peer": true,
"dependencies": { "dependencies": {
"archiver": "7.0.1", "archiver": "7.0.1",
"json-stable-stringify": "1.2.1", "json-stable-stringify": "1.3.0",
"semver": "7.7.1" "semver": "7.7.2"
}, },
"peerDependencies": { "peerDependencies": {
"constructs": "^10.3.0" "constructs": "^10.4.2"
} }
}, },
"node_modules/cdktf/node_modules/@isaacs/cliui": { "node_modules/cdktf/node_modules/@isaacs/cliui": {
@@ -764,12 +780,12 @@
} }
}, },
"node_modules/cdktf/node_modules/json-stable-stringify": { "node_modules/cdktf/node_modules/json-stable-stringify": {
"version": "1.2.1", "version": "1.3.0",
"inBundle": true, "inBundle": true,
"license": "MIT", "license": "MIT",
"dependencies": { "dependencies": {
"call-bind": "^1.0.8", "call-bind": "^1.0.8",
"call-bound": "^1.0.3", "call-bound": "^1.0.4",
"isarray": "^2.0.5", "isarray": "^2.0.5",
"jsonify": "^0.0.1", "jsonify": "^0.0.1",
"object-keys": "^1.1.1" "object-keys": "^1.1.1"
@@ -850,6 +866,17 @@
"node": ">= 0.4" "node": ">= 0.4"
} }
}, },
"node_modules/cdktf/node_modules/minimatch": {
"version": "5.1.6",
"inBundle": true,
"license": "ISC",
"dependencies": {
"brace-expansion": "^2.0.1"
},
"engines": {
"node": ">=10"
}
},
"node_modules/cdktf/node_modules/minipass": { "node_modules/cdktf/node_modules/minipass": {
"version": "7.1.2", "version": "7.1.2",
"inBundle": true, "inBundle": true,
@@ -938,17 +965,6 @@
"minimatch": "^5.1.0" "minimatch": "^5.1.0"
} }
}, },
"node_modules/cdktf/node_modules/readdir-glob/node_modules/minimatch": {
"version": "5.1.6",
"inBundle": true,
"license": "ISC",
"dependencies": {
"brace-expansion": "^2.0.1"
},
"engines": {
"node": ">=10"
}
},
"node_modules/cdktf/node_modules/safe-buffer": { "node_modules/cdktf/node_modules/safe-buffer": {
"version": "5.2.1", "version": "5.2.1",
"funding": [ "funding": [
@@ -969,7 +985,7 @@
"license": "MIT" "license": "MIT"
}, },
"node_modules/cdktf/node_modules/semver": { "node_modules/cdktf/node_modules/semver": {
"version": "7.7.1", "version": "7.7.2",
"inBundle": true, "inBundle": true,
"license": "ISC", "license": "ISC",
"bin": { "bin": {
@@ -1247,10 +1263,11 @@
} }
}, },
"node_modules/constructs": { "node_modules/constructs": {
"version": "10.4.2", "version": "10.4.3",
"resolved": "https://registry.npmjs.org/constructs/-/constructs-10.4.2.tgz", "resolved": "https://registry.npmjs.org/constructs/-/constructs-10.4.3.tgz",
"integrity": "sha512-wsNxBlAott2qg8Zv87q3eYZYgheb9lchtBfjHzzLHtXbttwSrHPs1NNQbBrmbb1YZvYg2+Vh0Dor76w4mFxJkA==", "integrity": "sha512-3+ZB67qWGM1vEstNpj6pGaLNN1qz4gxC1CBhEUhZDZk0PqzQWY65IzC1Doq17MGPa9xa2wJ1G/DJ3swU8kWAHQ==",
"license": "Apache-2.0" "license": "Apache-2.0",
"peer": true
}, },
"node_modules/create-require": { "node_modules/create-require": {
"version": "1.1.1", "version": "1.1.1",
@@ -1270,9 +1287,9 @@
} }
}, },
"node_modules/dotenv": { "node_modules/dotenv": {
"version": "16.5.0", "version": "17.2.3",
"resolved": "https://registry.npmjs.org/dotenv/-/dotenv-16.5.0.tgz", "resolved": "https://registry.npmjs.org/dotenv/-/dotenv-17.2.3.tgz",
"integrity": "sha512-m/C+AwOAr9/W1UOIZUo232ejMNnJAJtYQjUbHoNTBNTJSvqzzDh7vnrei3o3r3m9blf6ZoDkvcw0VmozNRFJxg==", "integrity": "sha512-JVUnt+DUIzu87TABbhPmNfVdBDt18BLOWjMUFJMSi/Qqg7NTYtabbvSNJGOJ7afbRuv9D/lngizHtP7QyLQ+9w==",
"license": "BSD-2-Clause", "license": "BSD-2-Clause",
"engines": { "engines": {
"node": ">=12" "node": ">=12"
@@ -1282,15 +1299,15 @@
} }
}, },
"node_modules/envalid": { "node_modules/envalid": {
"version": "8.0.0", "version": "8.1.1",
"resolved": "https://registry.npmjs.org/envalid/-/envalid-8.0.0.tgz", "resolved": "https://registry.npmjs.org/envalid/-/envalid-8.1.1.tgz",
"integrity": "sha512-PGeYJnJB5naN0ME6SH8nFcDj9HVbLpYIfg1p5lAyM9T4cH2lwtu2fLbozC/bq+HUUOIFxhX/LP0/GmlqPHT4tQ==", "integrity": "sha512-vOUfHxAFFvkBjbVQbBfgnCO9d3GcNfMMTtVfgqSU2rQGMFEVqWy9GBuoSfHnwGu7EqR0/GeukQcL3KjFBaga9w==",
"license": "MIT", "license": "MIT",
"dependencies": { "dependencies": {
"tslib": "2.6.2" "tslib": "2.8.1"
}, },
"engines": { "engines": {
"node": ">=8.12" "node": ">=18"
} }
}, },
"node_modules/make-error": { "node_modules/make-error": {
@@ -1345,17 +1362,18 @@
} }
}, },
"node_modules/tslib": { "node_modules/tslib": {
"version": "2.6.2", "version": "2.8.1",
"resolved": "https://registry.npmjs.org/tslib/-/tslib-2.6.2.tgz", "resolved": "https://registry.npmjs.org/tslib/-/tslib-2.8.1.tgz",
"integrity": "sha512-AEYxH93jGFPn/a2iVAwW87VuUIkR1FVUKB77NwMF7nBTDkDrrT/Hpt/IrCJ0QXhW27jTBDcf5ZY7w6RiqTMw2Q==", "integrity": "sha512-oJFu94HQb+KVduSUQL7wnpmqnfmLsOA/nAh6b6EH0wCEoK0/mPeXU6c3wKDV83MkOuHPRHtSXKKU99IBazS/2w==",
"license": "0BSD" "license": "0BSD"
}, },
"node_modules/typescript": { "node_modules/typescript": {
"version": "5.8.3", "version": "5.9.3",
"resolved": "https://registry.npmjs.org/typescript/-/typescript-5.8.3.tgz", "resolved": "https://registry.npmjs.org/typescript/-/typescript-5.9.3.tgz",
"integrity": "sha512-p1diW6TqL9L07nNxvRMM7hMMw4c5XOo/1ibL4aAIGmSAt9slTE1Xgw5KWuof2uTOvCg9BY7ZRi+GaF+7sfgPeQ==", "integrity": "sha512-jl1vZzPDinLr9eUt3J/t7V6FgNEw9QjvBPdysz9KfQDD41fQrC2Y4vKQdiaUpFT4bXlb1RHhLpp8wtm6M5TgSw==",
"dev": true, "dev": true,
"license": "Apache-2.0", "license": "Apache-2.0",
"peer": true,
"bin": { "bin": {
"tsc": "bin/tsc", "tsc": "bin/tsc",
"tsserver": "bin/tsserver" "tsserver": "bin/tsserver"
@@ -1365,9 +1383,9 @@
} }
}, },
"node_modules/undici-types": { "node_modules/undici-types": {
"version": "7.8.0", "version": "7.16.0",
"resolved": "https://registry.npmjs.org/undici-types/-/undici-types-7.8.0.tgz", "resolved": "https://registry.npmjs.org/undici-types/-/undici-types-7.16.0.tgz",
"integrity": "sha512-9UJ2xGDvQ43tYyVMpuHlsgApydB8ZKfVYTsLDhXkFL/6gfkp+U8xTGdh8pMJv1SpZna0zxG1DwsKZsreLbXBxw==", "integrity": "sha512-Zz+aZWSj8LE6zoxD+xrjh4VfkIG8Ya6LvYkZqtUQGJPZjYl53ypCaUwWqo7eI0x66KBGeRo+mlBEkMSeSZ38Nw==",
"dev": true, "dev": true,
"license": "MIT" "license": "MIT"
}, },

17
package.json
View File

@@ -23,16 +23,17 @@
"upgrade:next": "npm i cdktf@next cdktf-cli@next" "upgrade:next": "npm i cdktf@next cdktf-cli@next"
}, },
"dependencies": { "dependencies": {
"@cdktf/provider-helm": "10.5.0", "@cdktf/provider-helm": "12.1.1",
"@cdktf/provider-kubernetes": "11.12.1", "@cdktf/provider-kubernetes": "12.1.0",
"cdktf": "^0.20.12", "@cdktf/provider-null": "^11.0.0",
"constructs": "^10.4.2", "cdktf": "^0.21.0",
"dotenv": "^16.5.0", "constructs": "^10.4.3",
"envalid": "^8.0.0" "dotenv": "^17.2.3",
"envalid": "^8.1.1"
}, },
"devDependencies": { "devDependencies": {
"@types/node": "^24.0.3", "@types/node": "^24.10.1",
"ts-node": "^10.9.2", "ts-node": "^10.9.2",
"typescript": "^5.8.3" "typescript": "^5.9.3"
} }
} }

41
pihole/index.ts
View File

@@ -1,41 +0,0 @@
import * as fs from "fs";
import { HelmProvider } from "@cdktf/provider-helm/lib/provider";
import { Release } from "@cdktf/provider-helm/lib/release";
import { Construct } from "constructs";
type PiHoleOptions = {
provider: HelmProvider;
name: string;
namespace: string;
};
export class PiHole extends Construct {
constructor(scope: Construct, id: string, options: PiHoleOptions) {
super(scope, id);
new Release(this, id, {
...options,
repository: "https://mojo2600.github.io/pihole-kubernetes",
chart: "pihole",
version: "2.26.1",
values: [
fs.readFileSync("helm/values/pihole.values.yaml", {
encoding: "utf8",
}),
],
});
new Release(this, "external-dns", {
provider: options.provider,
name: "externaldns-pihole",
namespace: options.namespace,
repository: "oci://registry-1.docker.io/bitnamicharts/",
chart: "external-dns",
values: [
fs.readFileSync("helm/values/externaldns.values.yaml", {
encoding: "utf8",
}),
],
});
}
}

67
pki/index.ts Normal file
View File

@@ -0,0 +1,67 @@
import { DataKubernetesNamespaceV1 } from "@cdktf/provider-kubernetes/lib/data-kubernetes-namespace-v1";
import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
import { DataTerraformRemoteStateS3, TerraformStack } from "cdktf";
import { Construct } from "constructs";
import { PrivateIssuer, PublicIssuer } from "./issuers";
export class PKI extends TerraformStack {
constructor(scope: Construct, id: string) {
super(scope, id);
const kubernetes = new KubernetesProvider(this, "kubernetes", {
configPath: "~/.kube/config",
});
const r2Endpoint = `${process.env.ACCOUNT_ID!}.r2.cloudflarestorage.com`;
const coreServicesState = new DataTerraformRemoteStateS3(
this,
"core-services-state",
{
usePathStyle: true,
skipRegionValidation: true,
skipCredentialsValidation: true,
skipRequestingAccountId: true,
skipS3Checksum: true,
encrypt: true,
bucket: "terraform-state",
key: "core-services/terraform.tfstate",
endpoints: {
s3: `https://${r2Endpoint}`,
},
region: "auto",
accessKey: process.env.ACCESS_KEY,
secretKey: process.env.SECRET_KEY,
},
);
const namespaceName = coreServicesState.getString("namespace-output");
const namespaceResource = new DataKubernetesNamespaceV1(
this,
"homelab-namespace",
{
provider: kubernetes,
metadata: {
name: namespaceName,
},
},
);
const namespace = namespaceResource.metadata.name;
new PrivateIssuer(this, "private-issuer", {
provider: kubernetes,
namespace,
apiVersion: "cert-manager.io/v1",
rootSecretName: "root-secret",
intermediateSecretName: `${namespace}-ca-secret`,
commonName: "Homelab Root CA",
});
new PublicIssuer(this, "public-issuer", {
provider: kubernetes,
namespace,
apiVersion: "cert-manager.io/v1",
server: "https://acme-v02.api.letsencrypt.org/directory",
});
}
}

2
pki/issuers/index.ts Normal file
View File

@@ -0,0 +1,2 @@
export { PrivateIssuer } from "./private";
export { PublicIssuer } from "./public";

116
pki/issuers/private.ts Normal file
View File

@@ -0,0 +1,116 @@
import { Manifest } from "@cdktf/provider-kubernetes/lib/manifest";
import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
import { Construct } from "constructs";
type PrivateIssuerOptions = {
provider: KubernetesProvider;
namespace: string;
apiVersion: string;
commonName: string;
rootSecretName: string;
intermediateSecretName: string;
};
export class PrivateIssuer extends Construct {
constructor(scope: Construct, id: string, options: PrivateIssuerOptions) {
super(scope, id);
const {
provider,
namespace,
apiVersion,
commonName,
rootSecretName,
intermediateSecretName,
} = options;
//
// 1. Root CA (self-signed)
//
new Manifest(this, "root-ca-issuer", {
provider,
manifest: {
apiVersion,
kind: "ClusterIssuer",
metadata: { name: "root-ca-selfsigned" },
spec: { selfSigned: {} },
},
});
new Manifest(this, "root-ca", {
provider,
manifest: {
apiVersion,
kind: "Certificate",
metadata: { name: "root-ca", namespace },
spec: {
isCA: true,
commonName: `${commonName} Root CA`,
secretName: rootSecretName,
privateKey: {
algorithm: "RSA",
size: 4096,
},
issuerRef: {
name: "root-ca-selfsigned",
kind: "ClusterIssuer",
group: "cert-manager.io",
},
},
},
});
//
// 2. Intermediate CA (signed by root CA)
//
new Manifest(this, "intermediate-ca-issuer", {
provider,
manifest: {
apiVersion,
kind: "ClusterIssuer",
metadata: { name: "root-ca-signer" },
spec: {
ca: { secretName: rootSecretName },
},
},
});
new Manifest(this, "intermediate-ca", {
provider,
manifest: {
apiVersion,
kind: "Certificate",
metadata: { name: "intermediate-ca", namespace },
spec: {
isCA: true,
commonName: `${commonName} Intermediate CA`,
secretName: intermediateSecretName,
privateKey: {
algorithm: "ECDSA",
size: 384,
},
issuerRef: {
name: "root-ca-signer",
kind: "ClusterIssuer",
group: "cert-manager.io",
},
},
},
});
//
// 3. Final public cluster issuer (used by your apps)
//
new Manifest(this, "cluster-issuer", {
provider,
manifest: {
apiVersion,
kind: "ClusterIssuer",
metadata: { name: "cluster-issuer" },
spec: {
ca: { secretName: intermediateSecretName },
},
},
});
}
}

59
pki/issuers/public.ts Normal file
View File

@@ -0,0 +1,59 @@
import { Manifest } from "@cdktf/provider-kubernetes/lib/manifest";
import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
import { Construct } from "constructs";
import { OnePasswordSecret } from "../../utils";
type PublicIssuerOptions = {
provider: KubernetesProvider;
apiVersion: string;
namespace: string;
server: string;
};
export class PublicIssuer extends Construct {
constructor(scope: Construct, id: string, options: PublicIssuerOptions) {
super(scope, id);
const { apiVersion, provider, namespace, server } = options;
new OnePasswordSecret(this, "cloudflare-token", {
provider,
namespace,
name: "public-issuer-cloudflare-token",
itemPath: "vaults/Lab/items/cloudflare",
});
// Cloudflare ACME ClusterIssuer
new Manifest(this, "cloudflare-issuer", {
provider,
manifest: {
apiVersion,
kind: "ClusterIssuer",
metadata: {
name: "cloudflare-issuer",
},
spec: {
acme: {
email: "shahab@dogar.dev",
server,
privateKeySecretRef: {
name: "cloudflare-cluster-issuer-account-key",
},
solvers: [
{
dns01: {
cloudflare: {
apiTokenSecretRef: {
name: "public-issuer-cloudflare-token",
key: "token",
},
},
},
},
],
},
},
},
});
}
}

7
types.ts Normal file
View File

@@ -0,0 +1,7 @@
import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
import { HelmProvider } from "@cdktf/provider-helm/lib/provider";
export type Providers = {
kubernetes: KubernetesProvider;
helm: HelmProvider;
};

56
utility-services/authentik/index.ts Normal file
View File

@@ -0,0 +1,56 @@
import * as fs from "fs";
import * as path from "path";
import { Release } from "@cdktf/provider-helm/lib/release";
import { Construct } from "constructs";
import { PublicIngressRoute, OnePasswordSecret } from "../../utils";
import { Providers } from "../../types";
type AuthentikServerOptions = {
providers: Providers;
name: string;
namespace: string;
};
export class AuthentikServer extends Construct {
constructor(scope: Construct, id: string, options: AuthentikServerOptions) {
super(scope, id);
const { kubernetes, helm } = options.providers;
new OnePasswordSecret(this, "secret-key", {
provider: kubernetes,
name: "authentik-secret-key",
namespace: options.namespace,
itemPath: "vaults/Lab/items/authentik-secret-key",
});
new OnePasswordSecret(this, "smtp", {
provider: kubernetes,
name: "authentik-smtp-token",
namespace: options.namespace,
itemPath: "vaults/Lab/items/smtp-token",
});
new Release(this, id, {
...options,
provider: helm,
repository: "https://charts.goauthentik.io",
chart: "authentik",
createNamespace: true,
values: [
fs.readFileSync(path.join(__dirname, "values.yaml"), {
encoding: "utf8",
}),
],
});
new PublicIngressRoute(this, "ingress", {
provider: kubernetes,
name: options.name,
namespace: options.namespace,
host: "auth.dogar.dev",
serviceName: `authentik-server`,
servicePort: 80,
});
}
}

36
helm/values/authentik.values.yaml → utility-services/authentik/values.yaml
View File

@@ -3,6 +3,17 @@ global:
securityContext: securityContext:
runAsUser: 1000 runAsUser: 1000
fsGroup: 1000 fsGroup: 1000
podLabels:
app: authentik
nodeSelector:
nodepool: worker
topologySpreadConstraints:
- maxSkew: 1
topologyKey: kubernetes.io/hostname
whenUnsatisfiable: DoNotSchedule
labelSelector:
matchLabels:
app: authentik
env: env:
- name: AUTHENTIK_SECRET_KEY - name: AUTHENTIK_SECRET_KEY
valueFrom: valueFrom:
@@ -12,17 +23,17 @@ global:
- name: AUTHENTIK_EMAIL__USERNAME - name: AUTHENTIK_EMAIL__USERNAME
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: smtp-token name: authentik-smtp-token
key: authentik-username key: authentik-username
- name: AUTHENTIK_EMAIL__PASSWORD - name: AUTHENTIK_EMAIL__PASSWORD
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: smtp-token name: authentik-smtp-token
key: authentik-password key: authentik-password
- name: AUTHENTIK_EMAIL__FROM - name: AUTHENTIK_EMAIL__FROM
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: smtp-token name: authentik-smtp-token
key: authentik-username key: authentik-username
- name: AUTHENTIK_EMAIL__USE_TLS - name: AUTHENTIK_EMAIL__USE_TLS
value: "true" value: "true"
@@ -76,27 +87,8 @@ authentik:
server: server:
replicas: 3 replicas: 3
ingress:
enabled: true
annotations:
cert-manager.io/cluster-issuer: cloudflare-issuer
cert-manager.io/acme-challenge-type: dns01
cert-manager.io/private-key-size: "4096"
nginx.ingress.kubernetes.io/backend-protocol: "HTTPS"
nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
nginx.ingress.kubernetes.io/ssl-redirect: "true"
ingressClassName: nginx-internal
https: true
hosts:
- auth.dogar.dev
tls:
- secretName: authentik-tls
hosts:
- auth.dogar.dev
worker: worker:
replicas: 3 replicas: 3
postgresql: postgresql:
enabled: false enabled: false
redis: redis:

110
utility-services/dynamic-dns/index.ts Normal file
View File

@@ -0,0 +1,110 @@
import { Construct } from "constructs";
import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
import { OnePasswordSecret } from "../../utils";
import { ConfigMapV1 } from "@cdktf/provider-kubernetes/lib/config-map-v1";
import { DeploymentV1 } from "@cdktf/provider-kubernetes/lib/deployment-v1";
type DynamicDNSOptions = {
provider: KubernetesProvider;
name: string;
namespace: string;
records: string[];
};
export class DynamicDNS extends Construct {
constructor(scope: Construct, id: string, options: DynamicDNSOptions) {
super(scope, id);
const { provider, name, namespace, records } = options;
new OnePasswordSecret(this, "cloudflare-token", {
provider,
name: "ddns-cloudflare-token",
namespace: options.namespace,
itemPath: "vaults/Lab/items/cloudflare",
});
new ConfigMapV1(this, "ddns-configmap", {
provider,
metadata: {
name,
namespace,
},
data: {
DOMAINS: records.join(","),
PROXIED: "false",
},
});
new DeploymentV1(this, "ddns-deployment", {
provider,
metadata: {
name,
namespace,
},
spec: {
selector: {
matchLabels: {
app: name,
},
},
template: {
metadata: {
labels: {
app: name,
},
},
spec: {
nodeSelector: {
nodepool: "worker",
},
container: [
{
name: "ddns-updater",
image: "favonia/cloudflare-ddns:latest",
env: [
{
name: "CLOUDFLARE_API_TOKEN",
valueFrom: {
secretKeyRef: {
name: "ddns-cloudflare-token",
key: "token",
},
},
},
{
name: "DOMAINS",
valueFrom: {
configMapKeyRef: {
name,
key: "DOMAINS",
},
},
},
{
name: "PROXIED",
valueFrom: {
configMapKeyRef: {
name,
key: "PROXIED",
},
},
},
{
name: "UPDATE_TIMEOUT",
value: "30s",
},
{
name: "IP6_PROVIDER",
value: "none",
},
],
},
],
},
},
},
});
}
}

2
utility-services/gitea/index.ts Normal file
View File

@@ -0,0 +1,2 @@
export { GiteaServer } from "./server";
export { GiteaRunner } from "./runner";

144
utility-services/gitea/runner/index.ts Normal file
View File

@@ -0,0 +1,144 @@
import { Construct } from "constructs";
import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
import { DeploymentV1 } from "@cdktf/provider-kubernetes/lib/deployment-v1";
import { PodDisruptionBudgetV1 } from "@cdktf/provider-kubernetes/lib/pod-disruption-budget-v1";
import { OnePasswordSecret, LonghornPvc } from "../../../utils";
type GiteaRunnerOptions = {
provider: KubernetesProvider;
name: string;
namespace: string;
replicas?: number;
};
export class GiteaRunner extends Construct {
constructor(scope: Construct, id: string, options: GiteaRunnerOptions) {
super(scope, id);
const { provider, name, namespace } = options;
const replicas = options.replicas?.toString() ?? "1";
const pvc = new LonghornPvc(this, "data-pvc", {
provider,
name: `${name}-data`,
namespace: namespace,
size: "10Gi",
accessModes: ["ReadWriteMany"],
});
new OnePasswordSecret(this, "runner-secret", {
provider,
name: "runner-secret",
namespace: namespace,
itemPath: "vaults/Lab/items/Gitea",
});
new PodDisruptionBudgetV1(this, "pdb", {
provider,
metadata: {
name,
namespace,
},
spec: {
minAvailable: replicas,
selector: {
matchLabels: {
app: name,
},
},
},
});
new DeploymentV1(this, "gitea-runner", {
provider,
metadata: {
name: name,
namespace: namespace,
labels: {
app: name,
},
},
spec: {
replicas,
selector: {
matchLabels: {
app: name,
},
},
template: {
metadata: {
labels: {
app: name,
},
},
spec: {
nodeSelector: {
nodepool: "worker",
},
topologySpreadConstraint: [
{
maxSkew: 1,
topologyKey: "kubernetes.io/hostname",
whenUnsatisfiable: "DoNotSchedule",
labelSelector: [
{
matchLabels: {
app: name,
},
},
],
},
],
restartPolicy: "Always",
securityContext: {
fsGroup: "1000",
},
container: [
{
name: "gitea-runner",
image: "gitea/act_runner:nightly-dind-rootless",
env: [
{
name: "DOCKER_HOST",
value: "unix:///run/user/1000/docker.sock",
},
{
name: "GITEA_INSTANCE_URL",
value: "https://git.dogar.dev",
},
{
name: "GITEA_RUNNER_REGISTRATION_TOKEN",
valueFrom: {
secretKeyRef: {
name: "runner-secret",
key: "runner-token",
},
},
},
],
securityContext: {
privileged: true,
},
volumeMount: [
{
name: "runner-data",
mountPath: "/data",
},
],
},
],
volume: [
{
name: "runner-data",
persistentVolumeClaim: {
claimName: pvc.name,
},
},
],
},
},
},
});
}
}

95
utility-services/gitea/server/index.ts Normal file
View File

@@ -0,0 +1,95 @@
import * as fs from "fs";
import * as path from "path";
import { Release } from "@cdktf/provider-helm/lib/release";
import { Construct } from "constructs";
import {
OnePasswordSecret,
PublicIngressRoute,
IngressRouteTcp,
} from "../../../utils";
import type { Providers } from "../../../types";
type GiteaServerOptions = {
providers: Providers;
name: string;
namespace: string;
r2Endpoint: string;
};
export class GiteaServer extends Construct {
constructor(scope: Construct, id: string, options: GiteaServerOptions) {
super(scope, id);
const { kubernetes, helm } = options.providers;
const { name, namespace, r2Endpoint } = options;
new OnePasswordSecret(this, "admin", {
provider: kubernetes,
name: "gitea-admin",
namespace,
itemPath: "vaults/Lab/items/gitea-admin",
});
new OnePasswordSecret(this, "oauth", {
provider: kubernetes,
name: "gitea-oauth",
namespace,
itemPath: "vaults/Lab/items/gitea-oauth",
});
new OnePasswordSecret(this, "smtp", {
provider: kubernetes,
name: "gitea-smtp-token",
namespace,
itemPath: "vaults/Lab/items/smtp-token",
});
new OnePasswordSecret(this, "r2", {
provider: kubernetes,
name: "gitea-cloudflare-token",
namespace,
itemPath: "vaults/Lab/items/cloudflare",
});
new Release(this, id, {
...options,
provider: helm,
repository: "https://dl.gitea.com/charts",
chart: "gitea",
namespace,
createNamespace: true,
set: [
{
name: "gitea.config.storage.MINIO_ENDPOINT",
value: r2Endpoint,
},
],
values: [
fs.readFileSync(path.join(__dirname, "values.yaml"), {
encoding: "utf8",
}),
],
});
new IngressRouteTcp(this, "ssh-ingress", {
provider: kubernetes,
namespace,
name,
match: "HostSNI(`*`)",
entryPoint: "ssh",
serviceName: `${name}-ssh`,
servicePort: 22,
});
new PublicIngressRoute(this, "http-ingress", {
provider: kubernetes,
namespace,
name,
host: "git.dogar.dev",
serviceName: `${name}-http`,
servicePort: 3000,
serviceProtocol: "https",
});
}
}

131
helm/values/gitea.values.yaml → utility-services/gitea/server/values.yaml
View File

@@ -1,5 +1,8 @@
global: global:
storageClass: longhorn-crypto storageClass: longhorn
podSecurityContext:
fsGroup: 1000
fsGroupChangePolicy: "OnRootMismatch"
image: image:
rootless: false rootless: false
service: service:
@@ -10,29 +13,7 @@ service:
annotations: annotations:
metallb.universe.tf/allow-shared-ip: gitea metallb.universe.tf/allow-shared-ip: gitea
ingress: ingress:
enabled: true enabled: false
annotations:
cert-manager.io/cluster-issuer: cloudflare-issuer
cert-manager.io/acme-challenge-type: dns01
cert-manager.io/private-key-size: 4096
nginx.ingress.kubernetes.io/backend-protocol: HTTPS
nginx.ingress.kubernetes.io/proxy-request-buffering: off
nginx.ingress.kubernetes.io/proxy-buffering: off
nginx.ingress.kubernetes.io/proxy-body-size: 0
nginx.ingress.kubernetes.io/proxy-read-timeout: 3600
nginx.ingress.kubernetes.io/proxy-send-timeout: 3600
nginx.ingress.kubernetes.io/client-body-timeout: 3600
nginx.ingress.kubernetes.io/proxy-connect-timeout: 3600
className: nginx-internal
hosts:
- host: git.dogar.dev
paths:
- path: /
pathType: Prefix
tls:
- secretName: gitea-tls
hosts:
- git.dogar.dev
gitea: gitea:
podAnnotations: podAnnotations:
prometheus.io/scrape: "true" prometheus.io/scrape: "true"
@@ -43,21 +24,31 @@ gitea:
enabled: true enabled: true
serviceMonitor: serviceMonitor:
enabled: true enabled: true
scheme: "https"
tlsConfig:
insecureSkipVerify: false
caFile: /internal-ca/ca.crt
config: config:
server: server:
ENABLE_PPROF: true ENABLE_PPROF: true
ENABLE_GZIP: true ENABLE_GZIP: true
LFS_START_SERVER: true LFS_START_SERVER: true
SSH_DOMAIN: git.dogar.dev
PROTOCOL: https PROTOCOL: https
CERT_FILE: /opt/gitea/tls/cert.pem CERT_FILE: /certs/tls.crt
KEY_FILE: /opt/gitea/tls/key.pem KEY_FILE: /certs/tls.key
ROOT_URL: https://git.dogar.dev/
SSH_DOMAIN: git.dogar.dev
DISABLE_SSH: false
SSH_LISTEN_PORT: 2222
SSH_PORT: 22
database: database:
DB_TYPE: postgres DB_TYPE: postgres
HOST: postgres-cluster-rw HOST: postgres-cluster-rw
NAME: gitea NAME: gitea
USER: gitea USER: gitea
SSL_MODE: require SSL_MODE: verify-full
metrics:
ENABLED: true
cache: cache:
ADAPTER: memory ADAPTER: memory
session: session:
@@ -65,8 +56,11 @@ gitea:
PROVIDER_CONFIG: "" PROVIDER_CONFIG: ""
queue: queue:
TYPE: channel TYPE: channel
lfs: storage:
STORAGE_TYPE: local STORAGE_TYPE: minio
MINIO_USE_SSL: true
MINIO_BUCKET_LOOKUP_STYLE: path
MINIO_LOCATION: auto
service: service:
DISABLE_REGISTRATION: true DISABLE_REGISTRATION: true
oauth2_client: oauth2_client:
@@ -76,6 +70,9 @@ gitea:
PROTOCOL: smtp+starttls PROTOCOL: smtp+starttls
SMTP_ADDR: smtp.protonmail.ch SMTP_ADDR: smtp.protonmail.ch
SMTP_PORT: 587 SMTP_PORT: 587
FROM: git@dogar.dev
picture:
GRAVATAR_SOURCE: gravatar
oauth: oauth:
- name: "authentik" - name: "authentik"
provider: "openidConnect" provider: "openidConnect"
@@ -87,17 +84,65 @@ gitea:
- name: GITEA__MAILER__PASSWD - name: GITEA__MAILER__PASSWD
valueFrom: valueFrom:
secretKeyRef: secretKeyRef:
name: smtp-token name: gitea-smtp-token
key: gitea-password key: gitea-password
- name: GITEA__PACKAGES__CHUNKED_UPLOAD_PATH - name: GITEA__PACKAGES__CHUNKED_UPLOAD_PATH
value: "/tmp/gitea-uploads" value: "/tmp/gitea-uploads"
- name: GITEA__PACKAGES__CHUNKED_UPLOAD_CONCURRENCY - name: GITEA__PACKAGES__CHUNKED_UPLOAD_CONCURRENCY
value: "4" value: "4"
- name: GITEA__STORAGE__MINIO_ACCESS_KEY_ID
valueFrom:
secretKeyRef:
name: gitea-cloudflare-token
key: access_key_id
- name: GITEA__STORAGE__MINIO_SECRET_ACCESS_KEY
valueFrom:
secretKeyRef:
name: gitea-cloudflare-token
key: secret_access_key
livenessProbe:
httpGet:
path: /api/healthz
port: 3000
scheme: HTTPS
initialDelaySeconds: 5
periodSeconds: 10
readinessProbe:
httpGet:
path: /api/healthz
port: 3000
scheme: HTTPS
initialDelaySeconds: 5
periodSeconds: 10
startupProbe:
httpGet:
path: /api/healthz
port: 3000
scheme: HTTPS
initialDelaySeconds: 5
periodSeconds: 10
persistence: persistence:
labels:
recurring-job.longhorn.io/source: "enabled"
recurring-job.longhorn.io/daily-backup: "enabled"
enabled: true enabled: true
size: 50Gi size: 50Gi
accessModes: accessModes:
- ReadWriteMany - ReadWriteMany
postExtraInitContainers:
- name: fix-gitea-ssh-perms
image: alpine:3
command:
- sh
- -c
- |
echo "Fixing /data/ssh permissions..."
mkdir -p /data/ssh
chown -R 1000:1000 /data/ssh
chmod 700 /data/ssh
volumeMounts:
- name: data
mountPath: /data
deployment: deployment:
env: env:
- name: PGSSLMODE - name: PGSSLMODE
@@ -108,6 +153,13 @@ deployment:
value: /opt/gitea/.postgresql/postgresql.crt value: /opt/gitea/.postgresql/postgresql.crt
- name: PGSSLKEY - name: PGSSLKEY
value: /opt/gitea/.postgresql/postgresql.key value: /opt/gitea/.postgresql/postgresql.key
resources:
requests:
cpu: 100m
memory: 128Mi
limits:
cpu: 6
memory: 6Gi
extraVolumes: extraVolumes:
- name: ssl-bundle - name: ssl-bundle
projected: projected:
@@ -125,16 +177,9 @@ extraVolumes:
items: items:
- key: ca.crt - key: ca.crt
path: root.crt path: root.crt
- name: tls-bundle - name: gitea-tls-internal
projected: secret:
sources: secretName: gitea-http-tls-internal
- secret:
name: gitea-tls
items:
- key: tls.crt
path: cert.pem
- key: tls.key
path: key.pem
- name: gitea-temp - name: gitea-temp
emptyDir: {} emptyDir: {}
extraInitVolumeMounts: extraInitVolumeMounts:
@@ -145,8 +190,8 @@ extraContainerVolumeMounts:
- name: ssl-bundle - name: ssl-bundle
mountPath: /opt/gitea/.postgresql mountPath: /opt/gitea/.postgresql
readOnly: true readOnly: true
- name: tls-bundle - name: gitea-tls-internal
mountPath: /opt/gitea/tls mountPath: /certs
readOnly: true readOnly: true
- name: gitea-temp - name: gitea-temp
mountPath: /tmp/gitea-uploads mountPath: /tmp/gitea-uploads

117
utility-services/index.ts Normal file
View File

@@ -0,0 +1,117 @@
import { DataKubernetesNamespaceV1 } from "@cdktf/provider-kubernetes/lib/data-kubernetes-namespace-v1";
import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
import { HelmProvider } from "@cdktf/provider-helm/lib/provider";
import { DataTerraformRemoteStateS3, TerraformStack } from "cdktf";
import { Construct } from "constructs";
import { GiteaRunner, GiteaServer } from "./gitea";
import { AuthentikServer } from "./authentik";
import { PostgresCluster } from "./postgres";
import { DynamicDNS } from "./dynamic-dns";
export class UtilityServices extends TerraformStack {
constructor(scope: Construct, id: string) {
super(scope, id);
const kubernetes = new KubernetesProvider(this, "kubernetes", {
configPath: "~/.kube/config",
});
const helm = new HelmProvider(this, "helm", {
kubernetes: {
configPath: "~/.kube/config",
},
});
const r2Endpoint = `${process.env.ACCOUNT_ID!}.r2.cloudflarestorage.com`;
const coreServicesState = new DataTerraformRemoteStateS3(
this,
"core-services-state",
{
usePathStyle: true,
skipRegionValidation: true,
skipCredentialsValidation: true,
skipRequestingAccountId: true,
skipS3Checksum: true,
encrypt: true,
bucket: "terraform-state",
key: "core-services/terraform.tfstate",
endpoints: {
s3: `https://${r2Endpoint}`,
},
region: "auto",
accessKey: process.env.ACCESS_KEY,
secretKey: process.env.SECRET_KEY,
},
);
const namespaceName = coreServicesState.getString("namespace-output");
const namespaceResource = new DataKubernetesNamespaceV1(
this,
"homelab-namespace",
{
provider: kubernetes,
metadata: {
name: namespaceName,
},
},
);
const namespace = namespaceResource.metadata.name;
new DynamicDNS(this, "dynamic-dns", {
provider: kubernetes,
namespace,
name: "cloudflare-ddns",
records: [
"dogar.dev",
"auth.dogar.dev",
"git.dogar.dev",
"nix.dogar.dev",
"pip.dogar.dev",
"npm.dogar.dev",
],
});
const postgres = new PostgresCluster(this, "postgres-cluster", {
certManagerApiVersion: "cert-manager.io/v1",
name: "postgres-cluster",
namespace,
provider: kubernetes,
users: ["shahab", "budget-tracker", "authentik", "gitea", "netbird"],
primaryUser: "shahab",
initSecretName: "postgres-password",
backupR2EndpointURL: `https://${r2Endpoint}`,
});
const authentik = new AuthentikServer(this, "authentik-server", {
providers: {
helm,
kubernetes,
},
name: "authentik",
namespace,
});
authentik.node.addDependency(postgres);
const gitea = new GiteaServer(this, "gitea-server", {
providers: {
helm,
kubernetes,
},
name: "gitea",
namespace,
r2Endpoint: r2Endpoint,
});
gitea.node.addDependency(authentik);
new GiteaRunner(this, "gitea-runner", {
provider: kubernetes,
namespace,
name: "gitea-runner",
replicas: 3,
});
}
}

182
postgres/index.ts → utility-services/postgres/index.ts
View File

@@ -1,17 +1,12 @@
import { HelmProvider } from "@cdktf/provider-helm/lib/provider";
import { Release } from "@cdktf/provider-helm/lib/release";
import { Manifest } from "@cdktf/provider-kubernetes/lib/manifest"; import { Manifest } from "@cdktf/provider-kubernetes/lib/manifest";
import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider"; import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
import { Construct } from "constructs"; import { Construct } from "constructs";
import { OnePasswordSecret } from "../../utils";
type PostgresClusterOptions = { type PostgresClusterOptions = {
providers: { provider: KubernetesProvider;
kubernetes: KubernetesProvider;
helm: HelmProvider;
};
name: string; name: string;
namespace: string; namespace: string;
storageClass: string;
users: string[]; users: string[];
primaryUser: string; primaryUser: string;
initSecretName: string; initSecretName: string;
@@ -23,37 +18,47 @@ export class PostgresCluster extends Construct {
constructor(scope: Construct, id: string, options: PostgresClusterOptions) { constructor(scope: Construct, id: string, options: PostgresClusterOptions) {
super(scope, id); super(scope, id);
const { kubernetes, helm } = options.providers; const { provider } = options;
new Release(this, "cnpg-operator", { const destinationPath = "s3://postgres-backups/";
provider: helm,
repository: "https://cloudnative-pg.github.io/charts",
chart: "cloudnative-pg",
name: "postgres-system",
namespace: "cnpg-system",
});
const destinationPath = "s3://homelab/";
const endpointURL = options.backupR2EndpointURL; const endpointURL = options.backupR2EndpointURL;
const barmanStoreName = "r2-postgres-backup-store"; const barmanStoreName = "r2-postgres-backup-store";
const backupServerName = `${options.name}-backup`;
const barmanConfiguration = { const barmanConfiguration = {
destinationPath, destinationPath,
endpointURL, endpointURL,
s3Credentials: { s3Credentials: {
accessKeyId: { accessKeyId: {
name: "cloudflare-token", name: "barman-cloudflare-token",
key: "access_key_id", key: "access_key_id",
}, },
secretAccessKey: { secretAccessKey: {
name: "cloudflare-token", name: "barman-cloudflare-token",
key: "secret_access_key", key: "secret_access_key",
}, },
region: {
name: "barman-cloudflare-token",
key: "AWS_REGION",
},
},
wal: {
compression: "gzip",
},
data: {
compression: "gzip",
}, },
}; };
new OnePasswordSecret(this, "barman-cloudflare-token", {
provider: options.provider,
name: "barman-cloudflare-token",
namespace: options.namespace,
itemPath: "vaults/Lab/items/cloudflare",
});
new Manifest(this, "r2-backup-store", { new Manifest(this, "r2-backup-store", {
provider: kubernetes, provider,
manifest: { manifest: {
apiVersion: "barmancloud.cnpg.io/v1", apiVersion: "barmancloud.cnpg.io/v1",
kind: "ObjectStore", kind: "ObjectStore",
@@ -62,11 +67,9 @@ export class PostgresCluster extends Construct {
name: barmanStoreName, name: barmanStoreName,
}, },
spec: { spec: {
retentionPolicy: "15d",
configuration: { configuration: {
...barmanConfiguration, ...barmanConfiguration,
wal: {
compression: "gzip",
},
}, },
}, },
}, },
@@ -86,7 +89,7 @@ export class PostgresCluster extends Construct {
// Self-signed issuer for creating CA certificates // Self-signed issuer for creating CA certificates
new Manifest(this, "selfsigned-issuer", { new Manifest(this, "selfsigned-issuer", {
provider: kubernetes, provider,
manifest: { manifest: {
apiVersion: certManagerApiVersion, apiVersion: certManagerApiVersion,
kind: "Issuer", kind: "Issuer",
@@ -102,7 +105,7 @@ export class PostgresCluster extends Construct {
// Server CA certificate // Server CA certificate
new Manifest(this, "server-ca-cert", { new Manifest(this, "server-ca-cert", {
provider: kubernetes, provider,
manifest: { manifest: {
apiVersion: certManagerApiVersion, apiVersion: certManagerApiVersion,
kind: "Certificate", kind: "Certificate",
@@ -131,7 +134,7 @@ export class PostgresCluster extends Construct {
// Issuer using the server CA // Issuer using the server CA
new Manifest(this, "server-ca-issuer", { new Manifest(this, "server-ca-issuer", {
provider: kubernetes, provider,
manifest: { manifest: {
apiVersion: certManagerApiVersion, apiVersion: certManagerApiVersion,
kind: "Issuer", kind: "Issuer",
@@ -147,25 +150,9 @@ export class PostgresCluster extends Construct {
}, },
}); });
// Secret for server certificate
new Manifest(this, "server-ca-cert-secret", {
provider: kubernetes,
manifest: {
apiVersion: "v1",
kind: "Secret",
metadata: {
name: certNames.server,
namespace: options.namespace,
labels: {
"cnpg.io/reload": "",
},
},
},
});
// Server certificate // Server certificate
new Manifest(this, "server-cert", { new Manifest(this, "server-cert", {
provider: kubernetes, provider,
manifest: { manifest: {
apiVersion: certManagerApiVersion, apiVersion: certManagerApiVersion,
kind: "Certificate", kind: "Certificate",
@@ -194,7 +181,7 @@ export class PostgresCluster extends Construct {
// Client CA certificate // Client CA certificate
new Manifest(this, "client-ca", { new Manifest(this, "client-ca", {
provider: kubernetes, provider,
manifest: { manifest: {
apiVersion: certManagerApiVersion, apiVersion: certManagerApiVersion,
kind: "Certificate", kind: "Certificate",
@@ -223,7 +210,7 @@ export class PostgresCluster extends Construct {
// Issuer using the client CA // Issuer using the client CA
new Manifest(this, "client-ca-issuer", { new Manifest(this, "client-ca-issuer", {
provider: kubernetes, provider,
manifest: { manifest: {
apiVersion: certManagerApiVersion, apiVersion: certManagerApiVersion,
kind: "Issuer", kind: "Issuer",
@@ -241,7 +228,7 @@ export class PostgresCluster extends Construct {
// Secret for client certificate // Secret for client certificate
new Manifest(this, `${certNames.client}-secret`, { new Manifest(this, `${certNames.client}-secret`, {
provider: kubernetes, provider,
manifest: { manifest: {
apiVersion: "v1", apiVersion: "v1",
kind: "Secret", kind: "Secret",
@@ -257,7 +244,7 @@ export class PostgresCluster extends Construct {
// Client certificate for streaming replica // Client certificate for streaming replica
new Manifest(this, "streaming-replica-cert", { new Manifest(this, "streaming-replica-cert", {
provider: kubernetes, provider,
manifest: { manifest: {
apiVersion: certManagerApiVersion, apiVersion: certManagerApiVersion,
kind: "Certificate", kind: "Certificate",
@@ -284,7 +271,7 @@ export class PostgresCluster extends Construct {
options.users.forEach( options.users.forEach(
(user) => (user) =>
new Manifest(this, `${user}-client-cert`, { new Manifest(this, `${user}-client-cert`, {
provider: kubernetes, provider,
manifest: { manifest: {
apiVersion: certManagerApiVersion, apiVersion: certManagerApiVersion,
kind: "Certificate", kind: "Certificate",
@@ -309,7 +296,7 @@ export class PostgresCluster extends Construct {
); );
new Manifest(this, "postgres-cluster", { new Manifest(this, "postgres-cluster", {
provider: kubernetes, provider,
fieldManager: { forceConflicts: true }, fieldManager: { forceConflicts: true },
manifest: { manifest: {
apiVersion: "postgresql.cnpg.io/v1", apiVersion: "postgresql.cnpg.io/v1",
@@ -330,6 +317,37 @@ export class PostgresCluster extends Construct {
replicationTLSSecret: certNames.client, replicationTLSSecret: certNames.client,
}, },
postgresql: { postgresql: {
parameters: {
archive_mode: "on",
archive_timeout: "60min",
checkpoint_timeout: "10min",
checkpoint_completion_target: "0.7",
dynamic_shared_memory_type: "posix",
full_page_writes: "on",
log_destination: "csvlog",
log_directory: "/controller/log",
log_filename: "postgres",
log_rotation_age: "0",
log_rotation_size: "0",
log_truncate_on_rotation: "false",
logging_collector: "on",
max_parallel_workers: "32",
max_replication_slots: "32",
max_worker_processes: "32",
max_slot_wal_keep_size: "256MB",
max_wal_size: "512MB",
min_wal_size: "128MB",
shared_memory_type: "mmap",
shared_preload_libraries: "",
ssl_max_protocol_version: "TLSv1.3",
ssl_min_protocol_version: "TLSv1.3",
wal_compression: "on",
wal_keep_size: "128MB",
wal_level: "replica",
wal_log_hints: "on",
wal_receiver_timeout: "5s",
wal_sender_timeout: "5s",
},
pg_hba: [ pg_hba: [
`hostssl all ${options.primaryUser} all cert`, `hostssl all ${options.primaryUser} all cert`,
"hostssl sameuser all all cert", "hostssl sameuser all all cert",
@@ -338,22 +356,17 @@ export class PostgresCluster extends Construct {
plugins: [ plugins: [
{ {
name: "barman-cloud.cloudnative-pg.io", name: "barman-cloud.cloudnative-pg.io",
enabled: true,
isWALArchiver: true, isWALArchiver: true,
enabled: true,
parameters: { parameters: {
barmanObjectName: barmanStoreName, barmanObjectName: barmanStoreName,
serverName: backupServerName,
}, },
}, },
], ],
enableSuperuserAccess: false,
bootstrap: { bootstrap: {
recovery: { recovery: {
source: "clusterBackup", source: "clusterBackup",
database: "postgres",
owner: options.primaryUser,
secret: {
name: options.initSecretName,
},
}, },
}, },
externalClusters: [ externalClusters: [
@@ -362,8 +375,9 @@ export class PostgresCluster extends Construct {
plugin: { plugin: {
name: "barman-cloud.cloudnative-pg.io", name: "barman-cloud.cloudnative-pg.io",
parameters: { parameters: {
barmanObjectName: "r2-postgres-backup-store", barmanObjectName: barmanStoreName,
serverName: "postgres-cluster", serverName: backupServerName,
skipWalArchiveCheck: true,
}, },
}, },
}, },
@@ -377,10 +391,7 @@ export class PostgresCluster extends Construct {
serviceTemplate: { serviceTemplate: {
metadata: { metadata: {
name: "postgres-cluster", name: "postgres-cluster",
annotations: { superuser: true,
"external-dns.alpha.kubernetes.io/hostname":
"postgres.dogar.dev",
},
}, },
spec: { spec: {
type: "LoadBalancer", type: "LoadBalancer",
@@ -389,14 +400,55 @@ export class PostgresCluster extends Construct {
}, },
], ],
}, },
roles: [
{
name: options.primaryUser,
inRoles: ["postgres"],
inherit: true,
disablePassword: true,
createdb: true,
createrole: true,
login: true,
ensure: "present",
},
],
}, },
storage: { storage: {
size: "10Gi", size: "10Gi",
storageClass: options.storageClass, storageClass: "longhorn",
}, },
walStorage: { walStorage: {
size: "1Gi", size: "2Gi",
storageClass: options.storageClass, storageClass: "longhorn",
},
},
},
});
new Manifest(this, "postgres-backup-job", {
provider,
manifest: {
apiVersion: "postgresql.cnpg.io/v1",
kind: "ScheduledBackup",
metadata: {
name: "postgres-cluster",
namespace: options.namespace,
},
spec: {
immediate: true,
// weekly midnight on Sunday
schedule: "* 0 0 * * 0",
backupOwnerReference: "self",
method: "plugin",
pluginConfiguration: {
name: "barman-cloud.cloudnative-pg.io",
parameters: {
barmanObjectName: barmanStoreName,
serverName: backupServerName,
},
},
cluster: {
name: options.name,
}, },
}, },
}, },

36
utils/1password-secret/index.ts Normal file
View File

@@ -0,0 +1,36 @@
import { Construct } from "constructs";
import { Manifest } from "@cdktf/provider-kubernetes/lib/manifest";
import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
type SecretOptions = {
provider: KubernetesProvider;
namespace: string;
name: string;
itemPath: string;
};
export class OnePasswordSecret extends Construct {
constructor(scope: Construct, id: string, options: SecretOptions) {
super(scope, id);
const { itemPath, name, namespace, provider } = options;
new Manifest(this, name, {
provider,
manifest: {
apiVersion: "onepassword.com/v1",
kind: "OnePasswordItem",
metadata: {
name,
namespace,
annotations: {
"operator.1password.io/auto-restart": "true",
},
},
spec: {
itemPath,
},
},
});
}
}

281
utils/cert-manager/base.ts Normal file
View File

@@ -0,0 +1,281 @@
import { Construct } from "constructs";
import { Manifest } from "@cdktf/provider-kubernetes/lib/manifest";
import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
/**
* Options passed to the Certificate construct for generating
* cert-manager.io/v1 Certificate resources.
*
* This type supports both public certificates (Cloudflare/ACME)
* and private internal certificates (internal CA), making it usable
* across all cluster security contexts (Ingress TLS, internal mTLS, etc.).
*/
export type CertificateOptions = {
/**
* Kubernetes provider instance used by the underlying Manifest resource.
*
* This should typically be the cluster's primary Kubernetes provider.
*
* Required.
*/
provider: KubernetesProvider;
/**
* Kubernetes namespace where the Certificate resource and the
* corresponding Secret will be created.
*
* Required.
*/
namespace: string;
/**
* Name of the Certificate resource (metadata.name).
*
* This should be unique within the namespace.
*
* Required.
*/
name: string;
/**
* Name of the Kubernetes Secret that cert-manager will populate with
* `tls.crt`, `tls.key`, and optionally `ca.crt`.
*
* This secret is automatically created and updated by cert-manager.
*
* Required.
*/
secretName: string;
/**
* List of DNS Subject Alternative Names that the certificate must cover.
*
* cert-manager requires at least one entry.
*
* For internal certificates: service FQDNs (svc.cluster.local).
* For public certificates: external domain names.
*
* Required.
*/
dnsNames: string[];
/**
* Reference to the cert-manager Issuer or ClusterIssuer used to sign the certificate.
*
* - For public certs: Cloudflare ACME ClusterIssuer
* - For private certs: Internal CA ClusterIssuer
*
* This field is usually injected automatically by subclasses
* (e.g., PublicCertificate / PrivateCertificate).
*
* Required internally — not intended to be set by user code directly.
*/
issuerRef?: {
/**
* Name of the Issuer or ClusterIssuer.
*/
name: string;
/**
* Type of issuer ("Issuer" or "ClusterIssuer").
*
* Defaults to "ClusterIssuer" when omitted.
*/
kind?: string;
};
/**
* The certificate's validity duration (e.g. "2160h" for 90 days).
*
* If omitted, cert-manager applies its own default (90 days for ACME).
*
* Optional.
*/
duration?: string;
/**
* How long before expiry cert-manager should attempt early renewal.
*
* Example: "360h" (15 days before expiration).
*
* Optional.
*/
renewBefore?: string;
/**
* Optional Common Name for the certificate's subject.
*
* SAN-only certificates are recommended, but CN is still required for
* compatibility with some older libraries (Java, ClickHouse, OpenSSL tooling).
*
* Optional.
*/
commonName?: string;
/**
* Key Usage extension — determines what the certificate may be used for.
*
* Common values:
*
* - "digital signature"
* - "key encipherment"
* - "server auth"
* - "client auth"
*
* Example for mTLS server certificates:
* usages: ["digital signature", "key encipherment", "server auth"]
*
* Example for mTLS client certificates:
* usages: ["digital signature", "client auth"]
*
* Optional — cert-manager applies sensible defaults when omitted.
*/
usages?: string[];
/**
* Options controlling the generated private key.
*
* Useful for:
* - Choosing RSA vs ECDSA vs Ed25519
* - Increasing RSA key strength (2048 → 4096)
* - Optimizing performance for internal services (ECDSA P-256)
*
* Optional.
*/
privateKey?: {
/**
* Private key algorithm.
*
* - "RSA" (default)
* - "ECDSA" (great for internal TLS)
* - "Ed25519" (fast and modern, but not universally supported)
*
* Optional.
*/
algorithm?: "RSA" | "ECDSA" | "Ed25519";
/**
* Key size in bits.
*
* Only applies to algorithms that support length:
* - RSA: 2048, 3072, 4096
* - ECDSA: 256, 384
*
* Optional.
*/
size?: number;
};
/**
* IP address SAN entries (rarely needed, but sometimes required
* for services bound directly to cluster node IPs or StatefulSet pod IPs).
*
* Using IP SANs is generally discouraged unless explicitly required.
*
* Optional.
*/
ipAddresses?: string[];
/**
* Subject information for the certificate (Organization, OrgUnit, etc.)
*
* Example:
*
* subject: {
* organizations: ["Internal Systems"],
* organizationalUnits: ["Platform"]
* }
*
* Optional.
*/
subject?: {
organizations?: string[];
organizationalUnits?: string[];
countries?: string[];
provinces?: string[];
localities?: string[];
streetAddresses?: string[];
postalCodes?: string[];
};
};
export class Certificate extends Construct {
/** The underlying Kubernetes manifest */
public readonly manifest: Manifest;
constructor(scope: Construct, id: string, opts: CertificateOptions) {
super(scope, id);
// --- Validation ---------------------------------------------------------
if (!opts.issuerRef) {
throw new Error(
`Certificate '${opts.name}' must specify issuerRef (usually provided by a subclass).`,
);
}
if (!opts.dnsNames || opts.dnsNames.length === 0) {
throw new Error(
`Certificate '${opts.name}' must include at least one DNS name in dnsNames[].`,
);
}
// --- Base manifest ------------------------------------------------------
const manifest: any = {
apiVersion: "cert-manager.io/v1",
kind: "Certificate",
metadata: {
name: opts.name,
namespace: opts.namespace,
},
spec: {
secretName: opts.secretName,
dnsNames: opts.dnsNames,
issuerRef: {
name: opts.issuerRef.name,
kind: opts.issuerRef.kind ?? "ClusterIssuer",
},
},
};
// --- Optional: duration & renewBefore ---------------------------------
if (opts.duration) {
manifest.spec.duration = opts.duration;
}
if (opts.renewBefore) {
manifest.spec.renewBefore = opts.renewBefore;
}
// --- Optional: commonName ----------------------------------------------
if (opts.commonName) {
manifest.spec.commonName = opts.commonName;
}
// --- Optional: key usages ----------------------------------------------
if (opts.usages?.length) {
manifest.spec.usages = opts.usages;
}
// --- Optional: private key settings ------------------------------------
if (opts.privateKey) {
manifest.spec.privateKey = {
...opts.privateKey,
};
}
// --- Optional: IP SAN entries ------------------------------------------
if (opts.ipAddresses?.length) {
manifest.spec.ipAddresses = opts.ipAddresses;
}
// --- Optional: subject fields ------------------------------------------
if (opts.subject) {
manifest.spec.subject = opts.subject;
}
// --- Create manifest resource ------------------------------------------
this.manifest = new Manifest(this, id, {
provider: opts.provider,
manifest,
});
}
}

36
utils/cert-manager/cloudflare.ts Normal file
View File

@@ -0,0 +1,36 @@
import { Construct } from "constructs";
import { Certificate, CertificateOptions } from "./base";
/**
* Public certificate issued via the Cloudflare ACME ClusterIssuer.
*
* This subclass automatically injects:
*
* issuerRef:
* name: "cloudflare-issuer"
* kind: "ClusterIssuer"
*
* It is intended for generating publicly trusted HTTPS certificates
* (e.g., *.dogar.dev) using Cloudflare DNS-01 validation.
*
* Users of this class should *not* specify issuerRef manually.
*/
export class CloudflareCertificate extends Certificate {
constructor(
scope: Construct,
id: string,
opts: Omit<CertificateOptions, "issuerRef" | "privateKey">,
) {
super(scope, id, {
...opts,
issuerRef: {
name: "cloudflare-issuer",
kind: "ClusterIssuer",
},
privateKey: {
algorithm: "RSA",
size: 4096,
},
});
}
}

2
utils/cert-manager/index.ts Normal file
View File

@@ -0,0 +1,2 @@
export { CloudflareCertificate } from "./cloudflare";
export { PrivateCertificate } from "./internal";

41
utils/cert-manager/internal.ts Normal file
View File

@@ -0,0 +1,41 @@
import { Construct } from "constructs";
import { Certificate, CertificateOptions } from "./base";
/**
* Private TLS certificate issued by the internal cluster CA.
*
* This subclass automatically injects:
*
* issuerRef:
* name: "cluster-issuer"
* kind: "ClusterIssuer"
*
* Use this for:
* - Internal service-to-service TLS (HTTP, gRPC, Webhooks)
* - mTLS server certificates
* - mTLS client certificates
* - Internal wildcard certificates
* - Databases, queues, operators, controllers, etc.
*
* Users of this class should NOT specify issuerRef manually.
*/
export class PrivateCertificate extends Certificate {
constructor(
scope: Construct,
id: string,
opts: Omit<CertificateOptions, "issuerRef" | "privateKey">,
) {
super(scope, id, {
...opts,
issuerRef: {
name: "cluster-issuer", // internal CA
kind: "ClusterIssuer",
},
privateKey: {
algorithm: "ECDSA",
size: 384,
},
usages: ["digital signature", "key encipherment", "server auth"],
});
}
}

8
utils/index.ts Normal file
View File

@@ -0,0 +1,8 @@
export { CloudflareCertificate, PrivateCertificate } from "./cert-manager";
export { OnePasswordSecret } from "./1password-secret";
export {
PublicIngressRoute,
InternalIngressRoute,
IngressRouteTcp,
} from "./traefik";
export { LonghornPvc } from "./longhorn";

59
utils/longhorn/index.ts Normal file
View File

@@ -0,0 +1,59 @@
import { Construct } from "constructs";
import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
import { PersistentVolumeClaimV1 } from "@cdktf/provider-kubernetes/lib/persistent-volume-claim-v1";
type LonghornPvcOptions = {
provider: KubernetesProvider;
/** Name of the PVC */
name: string;
/** Namespace of the PVC */
namespace: string;
/** Size, e.g. "10Gi" */
size: string;
/** Access modes (default: ["ReadWriteOnce"]) */
accessModes?: string[];
/** Optional PVC labels */
labels?: Record<string, string>;
/** Add backup annotations */
backup?: boolean;
};
export class LonghornPvc extends Construct {
public readonly name: string;
constructor(scope: Construct, id: string, opts: LonghornPvcOptions) {
super(scope, id);
this.name = opts.name;
new PersistentVolumeClaimV1(this, id, {
provider: opts.provider,
metadata: {
name: opts.name,
namespace: opts.namespace,
labels: opts.labels ?? {},
annotations: opts.backup
? {
"recurring-job.longhorn.io/daily-backup": "enabled",
"recurring-job.longhorn.io/source": "enabled",
}
: {},
},
spec: {
accessModes: opts.accessModes ?? ["ReadWriteOnce"],
storageClassName: "longhorn", // HARD-CODED
resources: {
requests: {
storage: opts.size,
},
},
},
});
}
}

2
utils/traefik/index.ts Normal file
View File

@@ -0,0 +1,2 @@
export { PublicIngressRoute, InternalIngressRoute } from "./ingress";
export { IngressRouteTcp } from "./ingressTCP";

2
utils/traefik/ingress/index.ts Normal file
View File

@@ -0,0 +1,2 @@
export { PublicIngressRoute } from "./publicIngress";
export { InternalIngressRoute } from "./internalIngress";

133
utils/traefik/ingress/ingress.ts Normal file
View File

@@ -0,0 +1,133 @@
import { Construct } from "constructs";
import { Manifest } from "@cdktf/provider-kubernetes/lib/manifest";
import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
import { PrivateCertificate } from "../../cert-manager";
export type IngressRouteOptions = {
provider: KubernetesProvider;
namespace: string;
name: string;
/** Hostname for this route (e.g. npm.dogar.dev) */
host: string;
/** Path prefix (default: "/") */
path?: string;
/** Backend K8s Service */
serviceName: string;
servicePort: number;
serviceProtocol?: "http" | "https";
/** EntryPoints (default: ["websecure"]) */
entryPoints?: string[];
/** TLS secret name for HTTPS termination */
tlsSecretName?: string;
/** Extra middlewares (traefik format: namespace/name) */
middlewares?: string[];
};
export class IngressRoute extends Construct {
public readonly manifest: Manifest;
constructor(scope: Construct, id: string, opts: IngressRouteOptions) {
super(scope, id);
const name = opts.name;
const path = opts.path ?? "/";
const entryPoints = opts.entryPoints ?? ["websecure"];
const { provider, namespace } = opts;
if (opts.serviceProtocol === "https") {
new PrivateCertificate(this, "internal-cert", {
provider,
namespace,
name: `${opts.serviceName}-tls-internal`,
secretName: `${opts.serviceName}-tls-internal`,
dnsNames: [
opts.serviceName,
`${opts.serviceName}.${opts.namespace}.svc`,
`${opts.serviceName}.${opts.namespace}.svc.cluster.local`,
],
usages: ["digital signature", "key encipherment", "server auth"],
});
new Manifest(this, `${name}-https-transport`, {
provider,
manifest: {
apiVersion: "traefik.io/v1alpha1",
kind: "ServersTransport",
metadata: {
name: `${name}-https-transport`,
namespace,
},
spec: {
serverName: `${opts.serviceName}.${opts.namespace}.svc.cluster.local`,
rootCAs: [
{
secret: "root-secret",
},
],
insecureSkipVerify: false,
},
},
});
}
const route: any = {
match: `Host(\`${opts.host}\`) && PathPrefix(\`${path}\`)`,
kind: "Rule",
services: [
{
namespace,
name: opts.serviceName,
port: opts.servicePort,
scheme: opts.serviceProtocol ?? "http",
serversTransport:
opts.serviceProtocol === "https"
? `${name}-https-transport`
: undefined,
},
],
};
if (opts.middlewares?.length) {
route.middlewares = opts.middlewares.map((mw) => {
const [namespace, name] = mw.split("/");
return { name, namespace };
});
}
const spec: any = {
entryPoints,
routes: [route],
};
if (opts.tlsSecretName) {
spec.tls = {
secretName: opts.tlsSecretName,
options: {
name: "tls-options",
namespace: "homelab",
},
};
}
this.manifest = new Manifest(this, name, {
provider,
manifest: {
apiVersion: "traefik.io/v1alpha1",
kind: "IngressRoute",
metadata: {
name,
namespace,
},
spec,
},
});
}
}

16
utils/traefik/ingress/internalIngress.ts Normal file
View File

@@ -0,0 +1,16 @@
import { Construct } from "constructs";
import { IngressRoute, IngressRouteOptions } from "./ingress";
export class InternalIngressRoute extends IngressRoute {
constructor(
scope: Construct,
id: string,
opts: Omit<IngressRouteOptions, "entryPoints" | "middlewares">,
) {
super(scope, id, {
...opts,
entryPoints: ["websecure"],
middlewares: ["homelab/ip-allow-list"],
});
}
}

33
utils/traefik/ingress/publicIngress.ts Normal file
View File

@@ -0,0 +1,33 @@
import { Construct } from "constructs";
import { IngressRoute, IngressRouteOptions } from "./ingress";
import { CloudflareCertificate } from "../../cert-manager";
export class PublicIngressRoute extends IngressRoute {
constructor(
scope: Construct,
id: string,
opts: Omit<
IngressRouteOptions,
"entryPoints" | "tlsSecretName" | "middlewares"
>,
) {
const tlsSecretName = `${opts.name}-tls`;
super(scope, id, {
...opts,
tlsSecretName,
entryPoints: ["websecure"],
middlewares: ["homelab/rate-limit"],
});
const { provider, name, namespace, host } = opts;
new CloudflareCertificate(this, `${name}-cert`, {
provider,
namespace,
name: host,
secretName: tlsSecretName,
dnsNames: [host],
});
}
}

1
utils/traefik/ingressTCP/index.ts Normal file
View File

@@ -0,0 +1 @@
export { IngressRouteTcp } from "./ingress-tcp";

62
utils/traefik/ingressTCP/ingress-tcp.ts Normal file
View File

@@ -0,0 +1,62 @@
import { Construct } from "constructs";
import { Manifest } from "@cdktf/provider-kubernetes/lib/manifest";
import { KubernetesProvider } from "@cdktf/provider-kubernetes/lib/provider";
type IngressRouteTcpOptions = {
provider: KubernetesProvider;
name: string;
/**
* Match rule.
* Default is `HostSNI(\`*\`)` which is correct for most TCP services.
*/
match: string;
/** Namespace where the IngressRouteTCP will be created */
namespace: string;
/** EntryPoint name (e.g., "ssh", "mc25565", "postgres", etc.) */
entryPoint: string;
/** Backend service name */
serviceName: string;
/** Backend service port */
servicePort: number;
};
export class IngressRouteTcp extends Construct {
public readonly manifest: Manifest;
constructor(scope: Construct, id: string, opts: IngressRouteTcpOptions) {
super(scope, id);
const { name, match } = opts;
this.manifest = new Manifest(this, name, {
provider: opts.provider,
manifest: {
apiVersion: "traefik.io/v1alpha1",
kind: "IngressRouteTCP",
metadata: {
name,
namespace: opts.namespace,
},
spec: {
entryPoints: [opts.entryPoint],
routes: [
{
match,
services: [
{
name: opts.serviceName,
port: opts.servicePort,
},
],
},
],
},
},
});
}
}