local domains

harness sealed secrets nginx fixes for autostopping nix gc homer updates
rssnyder · Jan 29, 2025 · f9c245b · f9c245b
1 parent d9a6722
commit f9c245b
Show file tree

Hide file tree

Showing 10 changed files with 81 additions and 45 deletions.
diff --git a/infra/local.tf b/infra/local.tf
@@ -0,0 +1,8 @@
+resource "pihole_dns_record" "files" {
+  domain = "files.${var.local_domain}"
+  ip     = var.instances["t480-0"].ip
+}
+resource "pihole_dns_record" "whoami" {
+  domain = "whoami.${var.local_domain}"
+  ip     = "192.168.253.254"
+}
diff --git a/infra/var.tf b/infra/var.tf
@@ -62,6 +62,11 @@ variable "instances" {
   }
 }
 
+variable "local_domain" {
+  type = string
+  default = "r.ss"
+}
+
 variable "github_pages" {
   type = list
   default = ["185.199.108.153","185.199.109.153","185.199.110.153","185.199.111.153"]

diff --git a/k8s/baseline/harness.yaml b/k8s/baseline/harness.yaml
@@ -3,6 +3,21 @@ kind: Namespace
 metadata:
   name: harness-delegate-ng
 
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: delegate-token
+  namespace: harness-delegate-ng
+spec:
+  encryptedData:
+    DELEGATE_TOKEN: AgCrhCrNdVSZAFJ16OmOHhu03+z/hbFv6/2HfyfRgtnB2XVFv2B+97+9LKnjUAPBiDjwL4eJW4sqxXq4goYxZO/v6vP4HWd5wbE0pAjggjaJNTaNzIaHMGydZWI7CKk4iLZERpwfWWKLn24ozVoB/Y8YogKC+Gyo/IREXlMsRGJq33OLmfce3U3ruRC2rQbw2BwrQ0bSFnS26HvrhEqh30fcc8pifnc/BzReF5kpY4gPD4NSKw5DNJj1oadCYE6Tz46maWPZ2z+wP2Smv69GdQfIfRaA/fS/Rcjlwmtg/s/gZimXFsvktZKuh3wkaZfKe238/V7vM8FE7YYewbUpqOAHYEtKPsbFz4OIHrnjIS/HnzraIIGE8TT2JqIMVOfIZuDh8XQIW2s3LuLcDxdq2qoctZ3iuxVy0eUrxuj6ISdCddzk7jxtc/ex9LhbxjgcuObip2syk4PDm+C/NzLQtn1IoW+w+H6Bnh/tSjc/hqB8wwZdPFb5uIqkdIzwwFapzas09/C1t+SwZbF1mfYqFhSm2Huq0Sos2zTQBx/M+xhJvDhmQHW0vGgp+C2PR24lFwGuaiTDaHbVGzurEt1K1xXwwAdFfH98dHpdalL14BH+MmPb3Gs6o9Cjuhs+VTaEEuUeWaEXK5QguqaH0J1iui4+nAF6qpI/lQFMRzqur5VlDcwWMQoGkuaH3guFMAzFGojmAZoJGdtPUR6MYmX2XLBHmNrYZIMRdzzcmkvQ/4q4ma3ZxdL7nIiZqyn65w==
+  template:
+    metadata:
+      name: delegate-token
+      namespace: harness-delegate-ng
+    type: Opaque
+
 ---
 apiVersion: helm.cattle.io/v1
 kind: HelmChart
@@ -16,19 +31,36 @@ spec:
   valuesContent: |-
     delegateName: {{ cluster_context }}
     accountId: wlgELJ0TTre5aZhzpt8gVA
-    delegateToken: {{ harness.delegate_token }}
+    existingDelegateToken: delegate-token
     managerEndpoint: https://app.harness.io/gratis
     delegateDockerImage: harness/delegate:{{ harness.latest_delegate }}
     replicas: 1
     cpu: 100m
     memory: 1500
+    nodeSelector:
+      kubernetes.io/hostname: jack
 
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
   name: harness-autostopping
 
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  name: harness-api-key
+  namespace: harness-autostopping
+spec:
+  encryptedData:
+    token: AgA3F+anxNin5WhZ1z0D6Z4seezXP/SXcvarWDcQg6Y14cpZ2rJYFcGiDYv410RE6Ze33Gu4CXVeKgbN4jOxMJFe060hZgMTXLxqCGF9G2dkJZVR5cEB7iKlSNiZ92zOwxTGB8c9+kR+xaqRfnvAAC3ntxzEwGRdEjG5N0iqk/Yqb1VSmY17q8CGJG6JvSm/h61EfKowJ1o6bre3CXEgKAsIQglAVqfNTP3odBu5Mnvy1uALpOXUhcTYtubv6//9vRKbdml5C5o1sQ371hVjYcSkDlSD4ZuIsdhGkHmqxIaxeq9i6v1fIn1VXx8VkQHnf33GwMAXZwD8UMhxyQzI7qUlrZc5+WamK+XhKRFukk7+bZj3S4YXjRxM9ak7Gnpi9+h/H/S8xKLTwdYqLVl5bAKrGt6+FqZh7FvZF9HGp2blaarXrrfXElzyWo1jgiH+gkF/JKEQeNek00Q0ZY4+aJOFjSBKTLDPH/bKWensX2PvCGoavm3hzlgyKSODtwZqcwf3QD9fCvsaxBHSrqe6IRI0mxEE1oxXMLOzTj7WsD2eb5u3T76lW0yMaOLvCVzvUMcr6vIijJbajzI+SMYd5xOHdAFFY9HDwxdbjU7sRw0MZecHzOJC0saEugx1M2w8hRdGc+GgrkOcOIh7G4d0znujGJS40/69vKYfTMplk7bBMIu38VQ349ORXMFX/kL9Bo6cD1X6pMRYxFqS9fbtvKtZUkLYtVh04LJ0PWIcEnFbQV5jDoxySdmlYI1M87+SLm0kgKbCierogAAdbXH+J/409xXfedwmkQE=
+  template:
+    metadata:
+      name: harness-api-key
+      namespace: harness-autostopping
+    type: Opaque
+
 ---
 apiVersion: helm.cattle.io/v1
 kind: HelmChart
@@ -42,7 +74,7 @@ spec:
   valuesContent: |-
     accountId: wlgELJ0TTre5aZhzpt8gVA
     connectorId: _{{ cluster_context }}_ccm
-    apiToken: {{ k8s.secrets.harness.autostopping_api_key }}
+    existingApiKey: harness-api-key
     controller:
       image:
-        tag: 1.1.6
+        tag: 1.2.1
diff --git a/k8s/frigate/extra.yaml b/k8s/frigate/extra.yaml
@@ -19,8 +19,6 @@ metadata:
   name: homeassistant
   namespace: frigate
   annotations:
-    tailscale.com/expose: "true"
-    tailscale.com/hostname: "ha-frigate"
     external-dns.alpha.kubernetes.io/hostname: homeassistant.frigate.r.ss
 spec:
   type: LoadBalancer

diff --git a/k8s/manifests/micro/nginx.yaml b/k8s/manifests/micro/nginx.yaml
@@ -25,6 +25,7 @@ spec:
         plugins: "rewrite_fwd_headers"
         use-forwarded-headers: "true"
         forwarded-for-header: "X-Forwarded-For"
+        annotations-risk-level: Critical
     
       extraVolumeMounts:
         - name: cm-volume-lua-plugin
@@ -54,4 +55,4 @@ data:
       ngx.var.pass_access_scheme = "https"
     end
 
-    return _M
+    return _M
diff --git a/playbooks/get_secret.yaml b/playbooks/get_secret.yaml
@@ -4,4 +4,4 @@
   gather_facts: no
   tasks:
     - debug:
-       msg: "{{ digitalocean_token }}"
+       msg: "{{ k8s.harness.delegate_token }}"
diff --git a/playbooks/templates/ben/configuration.nix b/playbooks/templates/ben/configuration.nix
@@ -41,7 +41,12 @@
 
   programs.firefox.enable = true;
 
-  programs.zsh.enable = true;
+  nix.gc = {
+    automatic = true;
+    dates = "daily";
+    options = "--delete-older-than 10d";
+  };
+  nix.settings.auto-optimise-store = true;
 
   users.users.riley = {
     isNormalUser = true;

diff --git a/playbooks/templates/hurley/homer.yml b/playbooks/templates/hurley/homer.yml
@@ -134,10 +134,6 @@ services:
         logo: "assets/homer-icons/png/plexdrive.png"
         url: "https://files.rileysnyder.dev"
         target: '_top'
-      - name: "Send"
-        logo: "assets/homer-icons/png/firefoxsend.png"
-        url: "https://send.k8s.rileysnyder.dev"
-        target: '_top'
   - name: "Utility"
     icon: "fas fa-toolbox"
     items:
@@ -154,42 +150,18 @@ services:
         logo: "assets/homer-icons/png/prometheus.png"
         url: "http://t480-0.corvus-salmon.ts.net:9090/targets"
         target: '_top'
-      - name: "zira Syncthing"
-        logo: "assets/homer-icons/png/syncthing.png"
-        url: "http://zira.corvus-salmon.ts.net:8384"
-        target: '_top'
-      - name: "Hurley Syncthing"
-        logo: "assets/homer-icons/png/syncthing.png"
-        url: "http://zira.corvus-salmon.ts.net:8384"
-        target: '_top'
-      - name: "Local Syncthing"
-        logo: "assets/homer-icons/png/syncthing.png"
-        url: "http://localhost:8384"
-        target: '_top'
   - name: "Kubernetes"
     icon: "fa-brands fa-docker"
     items:
-      - name: "Grafana"
-        logo: "assets/homer-icons/png/grafana.png"
-        url: "https://grafana.k8s.rileysnyder.dev"
-        target: '_top'
       - name: "Longhorn"
         logo: "assets/homer-icons/png/longhorn.png"
-        url: "https://longhorn.k8s.rileysnyder.dev/"
+        url: "http://192.168.253.3"
         target: '_top'
-      - name: "Coder"
-        logo: "assets/homer-icons/png/codeserver.png"
-        url: "https://coder.k8s.rileysnyder.dev/"
-        target: '_top'
-      - name: "Files"
-        logo: "assets/homer-icons/png/plexdrive.png"
-        url: "https://files.k8s.rileysnyder.dev"
-        target: '_top'
-      - name: "Gitness"
-        logo: "assets/homer-icons/png/gitea.png"
-        url: "https://gitness.k8s.rileysnyder.dev/"
+      - name: "WhoAmI External"
+        logo: "assets/homer-icons/png/whoami.png"
+        url: "https://whoami.k8s.rileysnyder.dev/"
         target: '_top'
-      - name: "WhoAmI"
+      - name: "WhoAmI Internal"
         logo: "assets/homer-icons/png/whoami.png"
         url: "https://whoami.k8s.rileysnyder.dev/"
         target: '_top'

diff --git a/playbooks/templates/plex/configuration.nix b/playbooks/templates/plex/configuration.nix
@@ -46,6 +46,13 @@
   #   group = "plex";
   # };
 
+  nix.gc = {
+    automatic = true;
+    dates = "daily";
+    options = "--delete-older-than 10d";
+  };
+  nix.settings.auto-optimise-store = true;
+
   users.users.riley = {
     isNormalUser = true;
     description = "riley";

diff --git a/playbooks/templates/t480-0/configuration.nix b/playbooks/templates/t480-0/configuration.nix
@@ -43,10 +43,10 @@
 
   programs.firefox.enable = true;
 
-  system.autoUpgrade = {
-    enabled = true;
-    dates = "weekly";
-  };
+  # system.autoUpgrade = {
+  #   enabled = true;
+  #   dates = "weekly";
+  # };
   nix.gc = {
     automatic = true;
     dates = "daily";
@@ -194,6 +194,14 @@
     # };
   };
 
+  services.nginx = {
+    enable = true;
+    virtualHosts."files.r.ss" = {
+      forceSSL = false;
+      root = "/var/www/files";
+    };
+  };
+
   nixpkgs.config.allowUnfree = true;
   system.stateVersion = "24.11";
 }