much stuff

.gitignore

@@ -1,3 +1,4 @@
 __pycache__
 .direnv
 result
+.env

Justfile

@@ -1,4 +1,4 @@
 rebuild:
   sudo nixos-rebuild switch --flake .
 apply:
-  kubectl apply -k ./infra/manifests
+  kustomize build infra/manifests --enable-helm | kubectl apply --prune --all -f -

devShell.nix

@@ -9,5 +9,6 @@ pkgs.mkShell {
     inputs.agenix.packages.${system}.default
     pkgs.age
     pkgs.just
+    pkgs.envsubst
   ];
 }

hosts/common/home/optional/devsetup/devshell.nix

@@ -20,6 +20,8 @@
         v = "nvim";
         EDITOR = "nvim";
         k = "kubectl";
+        kga = "kubectl get all";
+        kl = "kubectl logs";
         j = "just --choose";
       };
 

hosts/vt-pc/default.nix

@@ -71,4 +71,9 @@ in
     enable = true;
   };
 
+  environment.etc."resolv.conf".text = ''
+    nameserver 45.90.28.165
+    nameserver 45.90.30.165
+  '';
+
 }

hosts/vt-pc/home.nix

@@ -37,6 +37,9 @@
     awscli2
 
     tradingview
+
+    kustomize
+    kubernetes-helm
   ];
 
   programs.btop.enable = true;

infra/manifests/apps/nginx/certificate.yaml

@@ -0,0 +1,13 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: nginx-cert
+spec:
+  secretName: nginx-cert
+
+  dnsNames:
+    - nginx.homelab.v-thomas.com
+
+  issuerRef:
+    name: letsencrypt-prod
+    kind: ClusterIssuer

infra/manifests/apps/hello/deployment.yaml → infra/manifests/apps/nginx/deployment.yaml

@@ -3,11 +3,11 @@ kind: Deployment
 metadata:
   name: deploy
 spec:
-  replicas: 2
+  replicas: 1
   template:
     spec:
       containers:
-        - name: whoami
-          image: traefik/whoami
+        - name: nginx
+          image: nginx:1.27.3-perl
           ports:
             - containerPort: 80

infra/manifests/apps/nginx/ingressroutes.yaml

@@ -0,0 +1,18 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: nginx-ingressroute
+  namespace: default
+
+spec:
+  entryPoints:
+    - websecure
+  tls:
+    secretName: nginx-cert
+
+  routes:
+  - match: Host(`nginx.homelab.v-thomas.com`)
+    kind: Rule
+    services:
+    - name: nginx-service
+      port: 80

infra/manifests/apps/hello/kustomization.yaml → infra/manifests/apps/nginx/kustomization.yaml

@@ -4,14 +4,12 @@ kind: Kustomization
 resources:
 - deployment.yaml
 - service.yaml
-- ingress.yaml
+- ingressroutes.yaml
+- certificate.yaml
 
-namePrefix: whoami-
+namePrefix: nginx-
 
 labels:
 - includeSelectors: true
   pairs:
-    app.kubernetes.io/name: whoami
-
-
-helmCharts: []
+    app.kubernetes.io/name: nginx

infra/manifests/apps/hello/service.yaml → infra/manifests/apps/nginx/service.yaml

@@ -5,4 +5,5 @@ metadata:
 spec:
   ports:
     - name: http
+      protocol: TCP
       port: 80

infra/manifests/core/cert-manager/.gitignore

@@ -0,0 +1 @@
+secret.yaml

infra/manifests/core/cert-manager/README.md

@@ -0,0 +1,21 @@
+If cloning.
+
+Add
+```yaml
+# File: secret.yaml
+
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cloudflare-api-token
+type: Opaque
+stringData:
+  api-token: [secret]
+```
+
+Permissions:
+- Zone - DNS - Edit
+- Zone - Zone - Read
+
+Zone resources:
+Include - All Zones

infra/manifests/core/cert-manager/cluster-issuer-staging.yaml

@@ -0,0 +1,35 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-staging
+spec:
+  acme:
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    email: [email protected]
+    privateKeySecretRef:
+      name: letsencrypt-staging
+    solvers:
+    - dns01:
+        cloudflare:
+          email: [email protected]
+          apiTokenSecretRef:
+            name: cloudflare-api-token
+            key: api-key
+---
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-prod
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: [email protected]
+    privateKeySecretRef:
+      name: letsencrypt-prod
+    solvers:
+    - dns01:
+        cloudflare:
+          email: [email protected]
+          apiTokenSecretRef:
+            name: cloudflare-api-token
+            key: api-key

infra/manifests/core/cert-manager/kustomization.yaml

@@ -2,5 +2,11 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 
 resources:
-  # Namespace "cert-manager" is created in the url.
+  - ./secret.yaml
+  - ./cluster-issuer-staging.yaml
   - https://github.com/cert-manager/cert-manager/releases/download/v1.16.2/cert-manager.yaml
+
+# secretGenerator:
+#   - name: letsencrypt-email
+#     literals:
+#       - email=$(EMAIL)

infra/manifests/core/gateway-api/certificate.yaml

@@ -0,0 +1,20 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: gateway-cert
+spec:
+  secretName: gateway-cert
+
+  secretTemplate:
+    labels:
+      app.kubernetes.io/part-of: gateway
+      app.kubernetes.io/name: gateway-cert
+      app.kubernetes.io/component: certificate
+
+  dnsNames:
+    - homelab.v-thomas.com
+    - "*.homelab.v-thomas.com"
+
+  issuerRef:
+    name: letsencrypt-prod
+    kind: ClusterIssuer

infra/manifests/core/gateway-api/gateway-class.yaml

@@ -0,0 +1,57 @@
+apiVersion: gateway.networking.k8s.io/v1
+kind: GatewayClass
+metadata:
+  name: traefik
+  namespace: default
+spec:
+  controllerName: traefik.io/gateway-controller
+---
+apiVersion: gateway.networking.k8s.io/v1
+kind: Gateway
+metadata:
+  name: traefik
+  namespace: default
+spec:
+  gatewayClassName: traefik
+
+  # Only Routes from the same namespace are allowed.
+  listeners:
+    # - name: http
+    #   protocol: HTTP
+    #   port: 80
+    #   allowedRoutes:
+    #     namespaces:
+    #       from: Same 
+
+    - name: https
+      protocol: HTTPS
+      port: 443
+      tls:
+        mode: Terminate
+        certificateRefs:
+          - name: gateway-cert
+            namespace: default
+
+      allowedRoutes:
+        namespaces:
+          from: Same
+
+    # - name: tcp
+    #   protocol: TCP
+    #   port: 3000
+    #   allowedRoutes:
+    #     namespaces:
+    #       from: Same
+    #
+    # - name: tls
+    #   protocol: TLS
+    #   port: 3443
+    #   tls:
+    #     mode: Terminate
+    #     certificateRefs:
+    #       - name: secret-tls
+    #         namespace: default
+    #
+    #   allowedRoutes:
+    #     namespaces:
+    #       from: Same

infra/manifests/core/gateway-api/kustomization.yaml

@@ -0,0 +1,6 @@
+resources:
+  - https://github.com/kubernetes-sigs/gateway-api/releases/download/v1.2.0/standard-install.yaml
+  - https://raw.githubusercontent.com/traefik/traefik/v3.2/docs/content/reference/dynamic-configuration/kubernetes-gateway-rbac.yml # When using traefik
+  - gateway-class.yaml
+  - certificate.yaml
+

infra/manifests/core/metallb/ip-pool.yaml

@@ -4,7 +4,7 @@ metadata:
   name: metallb-ip-pool
 spec:
   addresses:
-    - 192.168.76.64/27 # IPs from 64 to 95
+    - 192.168.76.64-192.168.76.99
 ---
 apiVersion: metallb.io/v1beta1
 kind: L2Advertisement

infra/manifests/core/traefik/certificate.yaml

@@ -0,0 +1,18 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: traefik-cert
+spec:
+  secretName: traefik-cert
+  secretTemplate:
+    labels:
+      app.kubernetes.io/part-of: ingress
+      app.kubernetes.io/name: traefik
+      app.kubernetes.io/component: certificate
+
+  dnsNames:
+    - traefik.homelab.v-thomas.com
+
+  issuerRef:
+    name: letsencrypt-prod
+    kind: ClusterIssuer

infra/manifests/core/traefik/config/traefik.yaml

@@ -0,0 +1,24 @@
+providers:
+  kubernetesCRD: {}
+
+entryPoints:
+  web:
+    address: ":80"
+  websecure:
+    address: ":443"
+
+accesslog:
+  filePath: /var/log/traefik/access.log
+
+api:
+  insecure: true
+  dashboard: true
+log:
+  level: DEBUG
+#
+# providers:
+#   kubernetesGateway:
+#
+#     nativeLBByDefault: true
+#   # kubernetesIngress:
+#   #   nativeLBByDefault: true