
apps: run site, fsrv and imaginary
Anirudh Oppiliappan x@icyphox.sh
Sun, 30 Jun 2024 12:50:45 +0300
commit

560f298b5f0adee41043e92fb42bc5486674c109

parent

557c7497404bb7c095aa80502b82e65b78ccaf4f

M apps/fsrv/fsrv.yamlapps/fsrv/fsrv.yaml

@@ -18,7 +18,7 @@ kubernetes.io/hostname: sini

containers: - name: fsrv image: sini:5000/fsrv:latest - imagePullPolicy: IfNotPresent + imagePullPolicy: Always env: - name: FSRV_KEY valueFrom:

@@ -32,10 +32,15 @@ readOnly: false

ports: - name: http containerPort: 9393 - command: ["/bin/sh"] args: - - -c - - /fsrv -url https://x.icyphox.sh -key $FSRV_KEY -index /index.html -storepath /uploads + - -url + - https://x.icyphox.sh + - -key + - $FSRV_KEY + - -index + - /index.html + - -storepath + - /uploads volumes: - name: uploads hostPath:

@@ -52,3 +57,23 @@ ports:

- name: fsrv-http port: 9393 targetPort: 9393 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: x.icyphox.sh + namespace: default +spec: + ingressClassName: caddy + rules: + - host: x.icyphox.sh + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: fsrv + port: + number: 9393 +
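Review bot: With `command: ["/bin/sh"]` and the `-c` wrapper removed, the added `- $FSRV_KEY` arg is no longer shell-expanded, and Kubernetes only substitutes the `$(VAR)` form inside `args`, so the process receives the literal string `$FSRV_KEY` as its upload key — a fixed, guessable value instead of the secret. Change that arg to `- $(FSRV_KEY)` (this assumes the image entrypoint is `/fsrv`, which the hunk does not show). Passing the key as an argv element also exposes it to anything that can read process listings or `kubectl describe pod`; if fsrv can read the key from the environment instead, prefer that. `imagePullPolicy: Always` together with the `:latest` tag means every pod restart silently takes whatever `sini:5000` currently serves, so consider pinning a digest.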
A apps/imaginary/imaginary.yaml

@@ -0,0 +1,79 @@

+apiVersion: apps/v1 +kind: Deployment +metadata: + name: imaginary + labels: + app: imaginary +spec: + selector: + matchLabels: + app: imaginary + template: + metadata: + labels: + app: imaginary + spec: + nodeSelector: + kubernetes.io/hostname: sini + containers: + - name: imaginary + image: h2non/imaginary:latest + imagePullPolicy: IfNotPresent + volumeMounts: + - name: film + mountPath: /film + readOnly: false + ports: + - name: http + containerPort: 9000 + env: + - name: DEBUG + value: "*" + command: ["imaginary"] + args: + - -mount + - /film + - -a + - 0.0.0.0 + volumes: + - name: film + hostPath: + path: /var/lib/uploads/film +--- +apiVersion: v1 +kind: Service +metadata: + name: imaginary +spec: + selector: + app: imaginary + ports: + - name: imaginary-http + port: 9000 + targetPort: 9000 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: x.icyphox.sh + namespace: default +spec: + ingressClassName: caddy + rules: + - host: x.icyphox.sh + http: + paths: + - path: /fit + pathType: Prefix + backend: + service: + name: imaginary + port: + number: 9000 + - path: / + pathType: Prefix + backend: + service: + name: fsrv + port: + number: 9393
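Review bot: The Ingress at the end of this file reuses `metadata.name: x.icyphox.sh` in `default`, the same name as the Ingress added in `apps/fsrv/fsrv.yaml`, so whichever manifest is applied last overwrites the other's rules; give it a distinct name (e.g. `x.icyphox.sh-imaginary`) or keep the `/fit` and `/` paths in one object only. The `/fit` path is exposed publicly with no `-key` argument and the pod sets no `resources.limits`, so anyone can drive image processing on the node; imaginary accepts an API-key flag, and both should be added before relying on this. `DEBUG: "*"` enables debug logging in what looks like a production pod, and the `film` hostPath is `readOnly: false` although the container only needs to read from it — set `readOnly: true`. `h2non/imaginary:latest` is unpinned; a digest or fixed tag would make rollbacks reproducible.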
A apps/site/site.yaml

@@ -0,0 +1,133 @@

+apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: icyphox.sh + namespace: default + annotations: + caddy.ingress.kubernetes.io/permanent-redirect: "https://anirudh.fi" +spec: + ingressClassName: caddy + rules: + - host: icyphox.sh + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: site + port: + number: 8080 +--- +apiVersion: networking.k8s.io/v1 +kind: Ingress +metadata: + name: anirudh.fi + namespace: default +spec: + ingressClassName: caddy + rules: + - host: anirudh.fi + http: + paths: + - path: / + pathType: Prefix + backend: + service: + name: site + port: + number: 8080 + +--- +apiVersion: apps/v1 +kind: Deployment +metadata: + name: site + labels: + app: site +spec: + selector: + matchLabels: + app: site + template: + metadata: + labels: + app: site + spec: + nodeSelector: + kubernetes.io/hostname: sini + containers: + - name: site + image: nginx:latest + imagePullPolicy: IfNotPresent + volumeMounts: + - name: site + mountPath: /www + readOnly: false + - name: nginx-config + mountPath: /etc/nginx/nginx.conf + subPath: nginx.conf + ports: + - containerPort: 80 + volumes: + - name: site + hostPath: + path: /var/www + - name: nginx-config + configMap: + name: site-nginx +--- +apiVersion: v1 +kind: ConfigMap +metadata: + name: site-nginx +data: + nginx.conf: | + user nginx; + worker_processes 1; + + error_log /var/log/nginx/error.log warn; + pid /var/run/nginx.pid; + + events { + worker_connections 1024; + } + + http { + include /etc/nginx/mime.types; + default_type application/octet-stream; + + log_format main '$remote_addr - $remote_user [$time_local] "$request" ' + '$status $body_bytes_sent "$http_referer" ' + '"$http_user_agent" "$http_x_forwarded_for"'; + + access_log /var/log/nginx/access.log main; + sendfile on; + + keepalive_timeout 65; + + gzip on; + + server { + listen 80; + server_name _; + + location / { + root /www; + index index.html index.htm; + } + } + } +--- +apiVersion: v1 +kind: Service +metadata: 
+ name: site +spec: + selector: + app: site + ports: + - name: site-http + port: 8080 + targetPort: 80 +
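Review bot: The `site` hostPath volume at `/var/www` is mounted `readOnly: false` into an nginx container that only serves static files from `/www`, so a compromise of the nginx pod could modify the published site; set `readOnly: true` on that mount. The nginx config also never sets `server_tokens off;`, so version banners are returned on error pages, and `nginx:latest` with `IfNotPresent` means the node runs whatever was last pulled, with no pin. The icyphox.sh Ingress carries a permanent-redirect annotation but still declares a backend to `site`; whether Caddy ignores the backend when redirecting is not visible here, so it is worth confirming.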
A charts/caddy-ingress.yaml

@@ -0,0 +1,15 @@

+apiVersion: helm.cattle.io/v1 +kind: HelmChart +metadata: + name: caddy-ingress + namespace: caddy-system +spec: + repo: https://caddyserver.github.io/ingress/ + chart: caddy-ingress-controller + targetNamespace: caddy-system + valuesContent: |- + fullnameOverrride: caddy-ingress + ingressController: + config: + email: anirudh@oppiliappan.com + replicaCount: 1
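Review bot: `fullnameOverrride` in `valuesContent` is misspelled (three r's), so Helm ignores the value and the chart falls back to its default naming; the intended key is `fullnameOverride: caddy-ingress`. Because this is a HelmChart CR the typo produces no error, only silently different resource names. The chart is also unpinned (`chart:` with no `version:`), so each reconcile may pull a new release; add a `version:` line.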
A flake.lock

@@ -0,0 +1,26 @@

+{ + "nodes": { + "nixpkgs": { + "locked": { + "lastModified": 1719645411, + "narHash": "sha256-ZpQ134wq1LxOxmQb56bY7llpKkJg4oTsKjcrP6Gbbr4=", + "owner": "nixos", + "repo": "nixpkgs", + "rev": "e2ac0a60163b8b6ee866388b49f267001dda1059", + "type": "github" + }, + "original": { + "owner": "nixos", + "repo": "nixpkgs", + "type": "github" + } + }, + "root": { + "inputs": { + "nixpkgs": "nixpkgs" + } + } + }, + "root": "root", + "version": 7 +}
A flake.nix

@@ -0,0 +1,30 @@

+{ + description = "web frontend for git"; + + inputs.nixpkgs.url = "github:nixos/nixpkgs"; + + outputs = + { self + , nixpkgs + , + }: + let + supportedSystems = [ "x86_64-linux" "x86_64-darwin" "aarch64-linux" "aarch64-darwin" ]; + forAllSystems = nixpkgs.lib.genAttrs supportedSystems; + nixpkgsFor = forAllSystems (system: import nixpkgs { inherit system; }); + in + { + defaultPackage = forAllSystems (system: self.packages.${system}.legit); + devShells = forAllSystems (system: + let + pkgs = nixpkgsFor.${system}; + in + { + default = pkgs.mkShell { + nativeBuildInputs = with pkgs; [ + kubectl + ]; + }; + }); + }; +}
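Review bot: `defaultPackage = forAllSystems (system: self.packages.${system}.legit)` references a `packages` output this flake does not define, so `nix build` on it fails with an attribute-missing error; the `description` "web frontend for git" also looks copied from another project. Either drop the `defaultPackage` line or define the package; with only a devShell wanted, the former is simplest. `defaultPackage` is additionally the deprecated output name — `packages.<system>.default` is the current form if a package is added later.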
D metallb/config.yaml

@@ -1,12 +0,0 @@

-apiVersion: v1 -kind: ConfigMap -metadata: - namespace: metallb-system - name: config -data: - config: | - address-pools: - - name: default - protocol: layer2 - addresses: - - 192.168.4.150-192.168.4.250
A metallb/metallb.yaml

@@ -0,0 +1,15 @@

+apiVersion: metallb.io/v1beta1 +kind: IPAddressPool +metadata: + name: koti-pool + namespace: metallb-system +spec: + addresses: + - 100.85.88.64/32 +--- +apiVersion: metallb.io/v1beta1 +kind: L2Advertisement +metadata: + name: koti-pool + namespace: metallb-system +
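Review bot: The `L2Advertisement` spec is empty, so MetalLB advertises every pool on every interface of the node, while the readme in this commit says advertising is meant to happen only on the Tailscale interface. Restrict it with `ipAddressPools: [koti-pool]` and `interfaces: [tailscale0]` (the interface name is not visible here — confirm it). 100.85.88.64/32 sits in the Tailscale CGNAT range, so an L2 announcement for it on a LAN interface would at best be meaningless and at worst confuse neighbours.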
D metallb/readme

@@ -1,7 +0,0 @@

-metallb -------- - - kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.10.2/manifests/namespace.yaml - kubectl apply -f https://raw.githubusercontent.com/metallb/metallb/v0.10.2/manifests/metallb.yaml - -Then create configmap 'config.yaml' in the metallb-system namespace.
D nginx/ingress.conf

@@ -1,28 +0,0 @@

-stream { - upstream ingress443 { - server 192.168.4.150:443; - } - - upstream ingress80 { - server 192.168.4.150:80; - } - - upstream irc { - server 192.168.4.151:6666; - } - server { - listen 443; - proxy_pass ingress443; - proxy_next_upstream on; - } - server { - listen 80; - proxy_pass ingress80; - proxy_next_upstream on; - } - server { - listen 6666; - proxy_pass irc; - proxy_next_upstream on; - } -}
D nginx/readme

@@ -1,7 +0,0 @@

-nginx ------ - -Non-terminating SSL passthrough back to our K8s ingress, plus port 80 -proxying for cert-manager solvers. - -Runs on jade.
M readmereadme

@@ -1,34 +1,27 @@

infra ----- -Update 2021-07-11: I no longer run Kubernetes. - -Infra manifests and setup notes. Runs on Kubernetes. +Infra manifests and setup notes. Runs on Kubernetes (K3s). HOSTS -Machines are in a Wireguard mesh. +Machines are in a Tailscale mesh, with K3s and MetalLB advertising on +the Tailscale interface. -· leaf: Oracle VM (192.168.4.1) -· fern: Raspberry Pi 4B (192.168.4.2) -· jade: Oracle VM (192.168.4.3) +• sini: 8GB, i5-6500T, 256GB SSD INFRASTRUCTURE -· cert-manager: Auto-provision Let's Encrypt Certs -· metallb: Bare metal LoadBalancer provider -· flannel: CNI provider -· longhorn: Distributed block storage +• k3s: Kubernetes distribution +• tailscale: mesh network +• metallb: bare metal LoadBalancer provider APPLICATIONS -· radicale: CardDAV/CalDAV server (dav.icyphox.sh) -· registry: Self-hosted container registry (reg.icyphox.sh) -· yarr: RSS reader (f.icyphox.sh) -· znc: IRC bouncer (irc.icyphox.sh:6666) -· fsrv: File host service (x.icyphox.sh) -· lms: Music/Subsonic server (m.icyphox.sh) -· cgit: Git web frontend (git.icyphox.sh) +• radicale: CardDAV/CalDAV server (dav.koti.lan) +• yarr: RSS reader (rss.koti.lan) +• fsrv: file host service (x.icyphox.sh) +• legit: git web frontend (git.icyphox.sh)