Try adding gluetun and sops
8
.sops.yaml
Normal file
@@ -0,0 +1,8 @@
creation_rules:
- path_regex: secret.yaml$
encrypted_regex: ^(data|stringData)$
# tower
# k8s
age: >-
age1ntfcrf5fz43da6k9h4um06u8mejjsqg005jm6rwmt9wff949s58qqwx8tv,
age1gnxrrychharz0cyapjhu3nnzzzhc38slwfpq5h5rsq7pphuk4q6shhx3ll
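Review bot: The creation rule's `path_regex: secret.yaml$` is anchored only at the end, so it applies to any file whose name ends in `secret.yaml` and to nothing else; a secret saved as `secrets.yaml` or `secret.yml` gets no rule and, per the readme's workflow of running `sops encrypt` by hand after creating a file, would be committed in plaintext if that step is forgotten. A comment above the rule stating the naming contract would help, e.g. `# only files named *secret.yaml are covered by this rule; anything else is committed as-is`. The `# tower` and `# k8s` labels are useful, but nothing records that the `k8s` recipient's private key is the one expected in the `sops-age` Secret the Flux Kustomizations reference; `# k8s - private key must be loaded into Secret sops-age in flux-system` would make that dependency explicit.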
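--- a/.vscode/settings.json
+++ b/.vscode/settings.json
@@ -1,5 +1,8 @@
 {
 "yaml.schemas": {
 "https://json.schemastore.org/kustomization.json": "file:///workspace/gitops/infra/traefik.yaml"
+},
+"sops": {
+"creationEnabled": true
 }
 }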
4
apps/gluetun/kustomization.yaml
Normal file
@@ -0,0 +1,4 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- secret.yaml
41
apps/gluetun/secret.yaml
Normal file
@@ -0,0 +1,41 @@
apiVersion: v1
kind: Secret
metadata:
name: gluetun-env
stringData:
TZ: ENC[AES256_GCM,data:LJEpoJ4aVy5Qf8w7zg==,iv:IOxz/scZUCqEhasCje3X64MCddTzrtcnOp/6wg0SHEU=,tag:PTfTjdbClLj6fnXWJFedDw==,type:str]
VPN_SERVICE_PROVIDER: ENC[AES256_GCM,data:ttMPiwizhg==,iv:TmptqgLRaugwq3NiGxOvM9NdnkflNLQsYoRp8fIXq0c=,tag:fXeinqe8eUn/a+MNbiKrzw==,type:str]
VPN_TYPE: ENC[AES256_GCM,data:1GAuiUTCew==,iv:yZFHMMXt4Z4PR5tUJ0e7k8bJbjTFPY46X2AW6LB68xE=,tag:gtveZD34ZzXXHSekDPi93Q==,type:str]
SERVER_COUNTRIES: ENC[AES256_GCM,data:D6O0wIPGYMBzL28=,iv:p4RoFg0iSGrLRzkw5cbOj9F0Ty+soASiwgDbwHsn2rU=,tag:PeMGdEoYSJjKv5jkiaQn3w==,type:str]
FIREWALL_INPUT_PORTS: ENC[AES256_GCM,data:IDFDixwvkY4YG1A=,iv:FyDaKtjza6zC1g5soqhvi5MmjGV5Ap3tFBht3zx6emM=,tag:HyNwf1wRhBoRq1CaRAtH+Q==,type:str]
OPENVPN_CIPHERS: ENC[AES256_GCM,data:V/VGTVVTlCsz1dg=,iv:eK6noWENyRrR5lUd8XwuAOgKz3MX1kqY3VKwvBQy0h4=,tag:JOH3Eym5k6DiBoUgpvePoA==,type:str]
OPENVPN_USER: ENC[AES256_GCM,data:RnZRnVakr1tPraU7PF3J1Q==,iv:1cXVtF4VfYq8Y41HVndFraxoZtwM/r4EHsowfRucBko=,tag:UgkcS89V7QKOF7ZS5Qqi+g==,type:str]
sops:
kms: []
gcp_kms: []
azure_kv: []
hc_vault: []
age:
- recipient: age1ntfcrf5fz43da6k9h4um06u8mejjsqg005jm6rwmt9wff949s58qqwx8tv
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBpc3pXZzMraGJONnVHRGta
Y0J6aDB0R0NMWmpMSFcyTTk5bkJaU3NPUldJCjgydmdOZGdoaUVCb2F2amVndnFZ
VUgxeW1IRlRUdWRydkg4TzdSTkY5b2sKLS0tIEdCcGFBMkJ2MldMMUlsaUpoeEhF
RUhxNlF4NTRROXVMWExuNi9hRmJBMWcKkSzzsaY7I46F15Y11c+9J4EcoT7lqG83
dSdTUHsbvNBsYYGYFUkHpRr7XEgnWWecV3lpzoVYLnmvJXCwFCK8Ug==
-----END AGE ENCRYPTED FILE-----
- recipient: age1gnxrrychharz0cyapjhu3nnzzzhc38slwfpq5h5rsq7pphuk4q6shhx3ll
enc: |
-----BEGIN AGE ENCRYPTED FILE-----
YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBPVEtQbTF1eVhmM0xsd2tU
b1R5ME1PRVkrbCtTRHdFM1BWSEcrMEhEUTE4Ck5aWkQvZThOMVJpN2x2Z053WTcz
bDVnQTFhYjV0QWZJbC9KaG9IVlY0T1UKLS0tIDkxaXJVWlQrK2VqODBHY3RDTzBR
QUFpRStodHhkTmxjNEpXQ2UxSjArN0EKnzsoVUTuiJIzTlhKNCSZpPHiRRs+KSAF
cyZPHvxn+xebB0jkMF6awXhruPdKHwNeijGKTzVm2RtKgjX+2YMaUg==
-----END AGE ENCRYPTED FILE-----
lastmodified: "2024-09-13T19:04:15Z"
mac: ENC[AES256_GCM,data:gXXZVu6iVZ6wqlKe4WDpQABHoxirZ1suZnaiQ+ru4sOPEQSGr2k6qyTA4uXcxSbtiw9g3JX9N34ZB2I3jNPbS+I2sfOvEr1VWe639k9OUDcWNOMEWNjK+PIiF9x81SJab9og4Z/2mdFuRXDAG9CHX6Q/sLEbsP3vpZgXeL7Xs38=,iv:yJeJPq2InZN+ewWd4yvSPTjNNo9MSgzbbxBUHL2ZCjs=,tag:2qCHVAvsucnr8yA0dkMXkA==,type:str]
pgp: []
encrypted_regex: ^(data|stringData)$
version: 3.9.0
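Review bot: The encrypted `stringData` carries `OPENVPN_USER` but no `OPENVPN_PASSWORD`; unless the provider chosen via `VPN_SERVICE_PROVIDER` authenticates without a password or the credential is supplied some other way, the tunnel will not come up and the pod that shares the sidecar's network namespace is left without connectivity, so this is worth confirming against gluetun's documentation for that provider. The Secret also sets no `metadata.namespace`, so it lands wherever the consuming Flux Kustomization targets, and the Deployment's `envFrom.secretRef` to `gluetun-env` only resolves if both objects end up in the same namespace; the `apps/gluetun/kustomization.yaml` added in this commit does not pin one, so that assumption should be stated or enforced. On the positive side, `encrypted_regex: ^(data|stringData)$` covers every value here including the non-sensitive `TZ`, and the `mac` field lets sops detect tampering with the ciphertext at decryption time.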
@@ -20,12 +20,27 @@ spec:
app: sonarr
app: sonarr
spec:
spec:
containers:
containers:
- image: ghcr.io/qdm12/gluetun:latest
name: gluetun
imagePullPolicy: Always
securityContext:
capabilities:
add: ["NET_ADMIN"]
ports:
- containerPort: 8989
envFrom:
- secretRef:
name: gluetun-env
resources:
limits:
cpu: 250m
memory: 500Mi
requests:
cpu: 10m
memory: 64Mi
- name: sonarr
- name: sonarr
image: lscr.io/linuxserver/sonarr:4.0.8
image: lscr.io/linuxserver/sonarr:4.0.8
imagePullPolicy: IfNotPresent
imagePullPolicy: IfNotPresent
ports:
- name: http
containerPort: 8989
livenessProbe:
livenessProbe:
httpGet:
httpGet:
path: /ping
path: /ping
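Review bot: The new sidecar at `- image: ghcr.io/qdm12/gluetun:latest` is pulled with `imagePullPolicy: Always` and granted `NET_ADMIN`, so every pod restart silently takes whatever the upstream tag resolves to at that moment for the container that owns the pod's network path; pin it to a release tag, ideally with a digest, e.g. `image: ghcr.io/qdm12/gluetun:<pinned-release>@sha256:<digest>` (placeholders to be filled from the registry), as the sibling `lscr.io/linuxserver/sonarr:4.0.8` already is. The hunk also drops the named `http` port from the sonarr container and re-declares `8989` unnamed on gluetun; if the `livenessProbe` at the bottom of the hunk (its `port` line continues outside it) references `port: http`, the probe no longer resolves, and since a named port must belong to the probed container the fix is a numeric `port: 8989` in the probe. The file header for this hunk is not visible, so the file is inferred from the `app: sonarr` context to be the sonarr Deployment.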
@@ -11,3 +11,7 @@ spec:
kind: GitRepository
kind: GitRepository
name: flux-system
name: flux-system
namespace: flux-system
namespace: flux-system
decryption:
provider: sops
secretRef:
name: sops-age
@@ -25,3 +25,7 @@ spec:
sourceRef:
sourceRef:
kind: GitRepository
kind: GitRepository
name: flux-system
name: flux-system
decryption:
provider: sops
secretRef:
name: sops-age
@@ -7,7 +7,7 @@ spec:
interval: 15m
interval: 15m
url: https://github.com/rancher/local-path-provisioner.git
url: https://github.com/rancher/local-path-provisioner.git
ref:
ref:
tag: v0.0.28
tag: v0.0.29
ignore: |-
ignore: |-
# exclude all
# exclude all
/*
/*
28
readme.md
@@ -28,6 +28,34 @@ Host 192.168.1.101
SSH into the server, and grab the kubeconfig with `sudo cat /etc/rancher/k3s/k3s.yaml`.
SSH into the server, and grab the kubeconfig with `sudo cat /etc/rancher/k3s/k3s.yaml`.
Drop the user and cluster into your config and create a context to have that user and cluster
Drop the user and cluster into your config and create a context to have that user and cluster
## age & sops
I use sops with age to encrypt keys etc in git.
Before pushing encrypted keys up, we'll need to re-encrypt them with a new key.
From a shell with sops and age installed, and an already known key under `$HOME/.config/sops/age/keys.txt` (or `%AppData%\sops\age\keys.txt`), create a new key in this repo `age-keygen -o keys.txt`.
Add that new public key to the `.sops.yaml`, and push the secret key to the cluster with:
```sh
cat keys.txt |
kubectl create secret generic sops-age \
--namespace=flux-system \
--from-file=keys.txt=/dev/stdin
```
Update the encryption with `sops updatekeys`, then delete keys.txt.
### Using sops
#### Encrypting
After creating a new secret, run `sops encrypt --in-place ./path/to/secret.yaml`.
#### Editing
You can install the `@signageos/vscode-sops` extension in vscode to automatically decrypt, edit and re-encrypt a secret.
Or use `sops edit file.yaml`
## Flux CD
## Flux CD
Install flux and everything in this repo with the following:
Install flux and everything in this repo with the following: