chore: initial commit 🚀

Author: HomeLabJunkie

.sops.yaml

@@ -0,0 +1,12 @@
+---
+creation_rules:
+  - path_regex: talos/.*\.sops\.ya?ml
+    mac_only_encrypted: true
+    age: "age1w58lmpj3jjxewn5w4hu6u44zyg4hstq3vhwmlkmt0nkp3h2rm3ls0pyng5"
+  - path_regex: (bootstrap|kubernetes)/.*\.sops\.ya?ml
+    encrypted_regex: "^(data|stringData)$"
+    mac_only_encrypted: true
+    age: "age1w58lmpj3jjxewn5w4hu6u44zyg4hstq3vhwmlkmt0nkp3h2rm3ls0pyng5"
+stores:
+  yaml:
+    indent: 2

bootstrap/helmfile.yaml

@@ -0,0 +1,75 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/helmfile
+
+helmDefaults:
+  cleanupOnFail: true
+  wait: true
+  waitForJobs: true
+  # waitRetries: 3 # Not supported by Helm yet
+
+repositories:
+  - name: controlplaneio
+    url: ghcr.io/controlplaneio-fluxcd/charts
+    oci: true
+
+  - name: coredns
+    url: ghcr.io/coredns/charts
+    oci: true
+
+  - name: cilium
+    url: https://helm.cilium.io
+
+  - name: jetstack
+    url: https://charts.jetstack.io
+
+  - name: spegel
+    url: ghcr.io/spegel-org/helm-charts
+    oci: true
+
+releases:
+  - name: cilium
+    namespace: kube-system
+    atomic: true
+    chart: cilium/cilium
+    version: 1.17.1
+    values: ['{{ requiredEnv "ROOT_DIR" }}/kubernetes/apps/kube-system/cilium/app/helm/values.yaml']
+
+  - name: coredns
+    namespace: kube-system
+    atomic: true
+    chart: coredns/coredns
+    version: 1.39.1
+    values: ['{{ requiredEnv "ROOT_DIR" }}/kubernetes/apps/kube-system/coredns/app/helm/values.yaml']
+    needs: ['kube-system/cilium']
+
+  - name: spegel
+    namespace: kube-system
+    atomic: true
+    chart: spegel/spegel
+    version: v0.0.30
+    values: ['{{ requiredEnv "ROOT_DIR" }}/kubernetes/apps/kube-system/spegel/app/helm/values.yaml']
+    needs: ['kube-system/coredns']
+
+  - name: cert-manager
+    namespace: cert-manager
+    atomic: true
+    chart: jetstack/cert-manager
+    version: v1.17.1
+    values: ['{{ requiredEnv "ROOT_DIR" }}/kubernetes/apps/cert-manager/cert-manager/app/helm/values.yaml']
+    needs: ['kube-system/spegel']
+
+  - name: flux-operator
+    namespace: flux-system
+    atomic: true
+    chart: controlplaneio/flux-operator
+    version: 0.17.0
+    values: ['{{ requiredEnv "ROOT_DIR" }}/kubernetes/apps/flux-system/flux-operator/app/helm/values.yaml']
+    needs: ['cert-manager/cert-manager']
+
+  - name: flux-instance
+    namespace: flux-system
+    atomic: true
+    chart: controlplaneio/flux-instance
+    version: 0.17.0
+    values: ['{{ requiredEnv "ROOT_DIR" }}/kubernetes/apps/flux-system/flux-instance/app/helm/values.yaml']
+    needs: ['flux-system/flux-operator']

kubernetes/apps/cert-manager/cert-manager/app/clusterissuer.yaml

@@ -0,0 +1,19 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cert-manager.io/clusterissuer_v1.json
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-production
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: letsencrypt-production
+    solvers:
+      - dns01:
+          cloudflare:
+            apiTokenSecretRef:
+              name: cert-manager-secret
+              key: api-token
+        selector:
+          dnsZones: ["${SECRET_DOMAIN}"]

kubernetes/apps/cert-manager/cert-manager/app/helm/kustomizeconfig.yaml

@@ -0,0 +1,7 @@
+---
+nameReference:
+  - kind: ConfigMap
+    version: v1
+    fieldSpecs:
+      - path: spec/valuesFrom/name
+        kind: HelmRelease

kubernetes/apps/cert-manager/cert-manager/app/helm/values.yaml

@@ -0,0 +1,10 @@
+---
+crds:
+  enabled: true
+replicaCount: 1
+dns01RecursiveNameservers: https://1.1.1.1:443/dns-query,https://1.0.0.1:443/dns-query
+dns01RecursiveNameserversOnly: true
+prometheus:
+  enabled: true
+  servicemonitor:
+    enabled: true

kubernetes/apps/cert-manager/cert-manager/app/helmrelease.yaml

@@ -0,0 +1,36 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrepository-source-v1.json
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: jetstack
+  namespace: cert-manager # Required for Renovate lookups
+spec:
+  interval: 1h
+  url: https://charts.jetstack.io
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: cert-manager
+spec:
+  interval: 1h
+  chart:
+    spec:
+      chart: cert-manager
+      version: v1.17.1
+      sourceRef:
+        kind: HelmRepository
+        name: jetstack
+        namespace: cert-manager
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      retries: 3
+  valuesFrom:
+    - kind: ConfigMap
+      name: cert-manager-values

kubernetes/apps/cert-manager/cert-manager/app/kustomization.yaml

@@ -0,0 +1,14 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./clusterissuer.yaml
+  - ./helmrelease.yaml
+  - ./secret.sops.yaml
+configMapGenerator:
+  - name: cert-manager-values
+    files:
+      - values.yaml=./helm/values.yaml
+configurations:
+  - ./helm/kustomizeconfig.yaml

kubernetes/apps/cert-manager/cert-manager/app/secret.sops.yaml

@@ -0,0 +1,28 @@
+# yaml-language-server: $schema=https://kubernetesjsonschema.dev/v1.18.1-standalone-strict/secret-v1.json
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cert-manager-secret
+stringData:
+  api-token: ENC[AES256_GCM,data:mNXkYKAcDwWoRzRPtDqJYfMfk/Zf5PSGgbtYpsZUNj64kZASwUkBJQ==,iv:HKsspFAcOgPWPZ9mfoZZm5bP2YCpKQOotTLt0Ey/v3Y=,tag:V7loNsr9TiPAxLvw5lAYgw==,type:str]
+sops:
+  kms: []
+  gcp_kms: []
+  azure_kv: []
+  hc_vault: []
+  age:
+    - recipient: age1w58lmpj3jjxewn5w4hu6u44zyg4hstq3vhwmlkmt0nkp3h2rm3ls0pyng5
+      enc: |
+        -----BEGIN AGE ENCRYPTED FILE-----
+        YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBrc0ptZDJwcEhLSk90enFG
+        ckxDOWNTcU41ZHA1ZEoyWWFyOUpEM0MwQWxVCkxweG9ZN1ZHeklDTGRYeFhTdEtq
+        V3h3ejhKS0VHVFlGaGFuN3NXeWY0cGcKLS0tIFZyQkhSTGNmSkxmWWcrb2NGQndR
+        cnV2aGQyZC9vOUZDSlpESmhJdzJJT1kKjoanZw0ORsiv8zhmQVA2hY2u2Hy6/UJR
+        3/7tm68C3smADsd9y8PucW0ynB5mH+Bn58Ipv+fUNfaI0ASW99HJsg==
+        -----END AGE ENCRYPTED FILE-----
+  lastmodified: "2025-03-14T16:27:40Z"
+  mac: ENC[AES256_GCM,data:XhY/TOui51uJC7F6ZlbkJv+JMVrxC9sAxJ+uNKtmhrVanE3h/RJp0MdYt4ksobIZTatD/82Dx2WX01uG5XwazfEpzvcavDl81pl6o8iYAQE94bm6kB5+eSLmuDxaxrcfokLCnD7dvLzXfcoMLGeeGO7aUhS7cDgGGxZ7Pv3VYrg=,iv:62YwtN6I/rJWrs8X1j1moJw1TJX5e2f4c1Q8u7Gkdbk=,tag:A+U9bLDx6uKbi7RmiRvt9Q==,type:str]
+  pgp: []
+  encrypted_regex: ^(data|stringData)$
+  mac_only_encrypted: true
+  version: 3.9.4

kubernetes/apps/cert-manager/cert-manager/ks.yaml

@@ -0,0 +1,57 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app cert-manager
+  namespace: &namespace cert-manager
+spec:
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  healthCheckExprs:
+    - apiVersion: cert-manager.io/v1
+      kind: ClusterIssuer
+      failed: status.conditions.filter(e, e.type == 'Ready').all(e, e.status == 'False')
+      current: status.conditions.filter(e, e.type == 'Ready').all(e, e.status == 'True')
+  interval: 1h
+  path: ./kubernetes/apps/cert-manager/cert-manager/app
+  prune: true
+  retryInterval: 2m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+    namespace: flux-system
+  targetNamespace: *namespace
+  timeout: 15m
+  wait: true
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/kustomization-kustomize-v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app cert-manager-tls
+  namespace: &namespace cert-manager
+spec:
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  dependsOn:
+    - name: cert-manager
+      namespace: cert-manager
+  healthCheckExprs:
+    - apiVersion: cert-manager.io/v1
+      kind: Certificate
+      failed: status.conditions.filter(e, e.type == 'Ready').all(e, e.status == 'False')
+      current: status.conditions.filter(e, e.type == 'Ready').all(e, e.status == 'True')
+  interval: 1h
+  path: ./kubernetes/apps/cert-manager/cert-manager/tls
+  prune: true
+  retryInterval: 2m
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+    namespace: flux-system
+  targetNamespace: *namespace
+  timeout: 15m
+  wait: true

kubernetes/apps/cert-manager/cert-manager/tls/certificate.yaml

@@ -0,0 +1,13 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/datreeio/CRDs-catalog/main/cert-manager.io/certificate_v1.json
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: "${SECRET_DOMAIN/./-}-production"
+spec:
+  secretName: "${SECRET_DOMAIN/./-}-production-tls"
+  issuerRef:
+    name: letsencrypt-production
+    kind: ClusterIssuer
+  commonName: "${SECRET_DOMAIN}"
+  dnsNames: ["${SECRET_DOMAIN}", "*.${SECRET_DOMAIN}"]

kubernetes/apps/cert-manager/cert-manager/tls/kustomization.yaml

@@ -0,0 +1,6 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./certificate.yaml

kubernetes/apps/cert-manager/kustomization.yaml

@@ -0,0 +1,9 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: cert-manager
+components:
+  - ../../components/common
+resources:
+  - ./cert-manager/ks.yaml

kubernetes/apps/default/echo/app/helmrelease.yaml

@@ -0,0 +1,90 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/fluxcd-community/flux2-schemas/main/helmrelease-helm-v2.json
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: echo
+spec:
+  interval: 1h
+  chartRef:
+    kind: OCIRepository
+    name: app-template
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      retries: 3
+  dependsOn:
+    - name: cloudflared
+      namespace: network
+  values:
+    controllers:
+      echo:
+        strategy: RollingUpdate
+        containers:
+          app:
+            image:
+              repository: ghcr.io/mendhak/http-https-echo
+              tag: 35
+            env:
+              HTTP_PORT: &port 80
+              LOG_WITHOUT_NEWLINE: true
+              LOG_IGNORE_PATH: /healthz
+              PROMETHEUS_ENABLED: true
+            probes:
+              liveness: &probes
+                enabled: true
+                custom: true
+                spec:
+                  httpGet:
+                    path: /healthz
+                    port: *port
+                  initialDelaySeconds: 0
+                  periodSeconds: 10
+                  timeoutSeconds: 1
+                  failureThreshold: 3
+              readiness: *probes
+            securityContext:
+              allowPrivilegeEscalation: false
+              readOnlyRootFilesystem: true
+              capabilities: { drop: ["ALL"] }
+            resources:
+              requests:
+                cpu: 10m
+              limits:
+                memory: 64Mi
+    defaultPodOptions:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65534
+        runAsGroup: 65534
+        seccompProfile: { type: RuntimeDefault }
+    service:
+      app:
+        controller: echo
+        ports:
+          http:
+            port: *port
+    serviceMonitor:
+      app:
+        serviceName: echo
+        endpoints:
+          - port: http
+            scheme: http
+            path: /metrics
+            interval: 1m
+            scrapeTimeout: 10s
+    ingress:
+      app:
+        className: external
+        annotations:
+          external-dns.alpha.kubernetes.io/target: "external.${SECRET_DOMAIN}"
+        hosts:
+          - host: "{{ .Release.Name }}.${SECRET_DOMAIN}"
+            paths:
+              - path: /
+                service:
+                  identifier: app
+                  port: http

kubernetes/apps/default/echo/app/kustomization.yaml

@@ -0,0 +1,6 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./helmrelease.yaml