fixed forgejo typos

Question is, is this working decently?

.gitignore

@@ -1,2 +1,5 @@
-.envs/.*
-!.envs/.*.template
+**/*/.envs/.*
+!**/*/.envs/.*.template
+
+stages/.common/*
+!stages/.common/*.template

README.md

@@ -1,19 +1,25 @@
 # gitops
-This repository contains core services for my kubernetes cluster which are
+This repository contains three level configration of core services
+
+## Stage 1 - `base` stage
+These services are needed to run the cluster in general 
 - MetalLB - LoadBalancer
 - Ingress Nginx - Ingress Controller
-- CSI NFS - PVC
+- CSI Drifer NFS - PVC
 - PiHole and ExternalDNS - LAN DNS
+
+## Stage 2 - `identity` stage
+These services are needed to run all other core services in stage 3
+
+- VaultWarden - Password and secret management - TODO: create chart or using Kustomize
+- Authentik - SSO and auth provider for the whole cluster
+
+## Stage 3 - `delivery` stage
+All other core services with auth or secrets
+
 - ArgoCD - GitOps for my other services
-## How to use
+- Forgejo - Repository for ArgoCD and all of my other projects
 
-1. Get the secrets
-Either manually put your secrets in .env or run `./scripts/bw2secrets` - TODO
+# How to use
 
-2. Apply Kustomizations
-`kubectl apply -k .`
-
-3. Install all the apps
-`helmfile apply`
-
-4. Profit!
+## Stage 1

kustomize/csi-driver-nfs.yaml

@@ -1,13 +0,0 @@
-apiVersion: storage.k8s.io/v1
-kind: StorageClass
-metadata:
-  name: nfs-csi
-  annotations:
-    storageclass.kubernetes.io/is-default-class: "true"
-provisioner: nfs.csi.k8s.io
-parameters:
-  server: 192.168.1.180
-  share: /mnt/nas
-reclaimPolicy: Delete
-volumeBindingMode: Immediate
-allowVolumeExpansion: true

stages/.common/.noreply-email-password.template

@@ -0,0 +1 @@
+{{ pw "82043f19-dfa4-4c95-9720-24609d12fedd" }}

stages/base/.envs/.proxmox-csi-secret.template

@@ -0,0 +1 @@
+{{ pw "bf0cc098-bbf1-4254-9133-40024505c093" }}

stages/base/helmfile.yaml

@@ -3,12 +3,8 @@ repositories:
     url: https://metallb.github.io/metallb
   - name: ingress-nginx
     url: https://kubernetes.github.io/ingress-nginx
-  - name: csi-driver-nfs
-    url: https://raw.githubusercontent.com/kubernetes-csi/csi-driver-nfs/master/charts
   - name: jetstack
     url: https://charts.jetstack.io
-  - name: argocd
-    url: https://argoproj.github.io/argo-helm
   - name: mojo2600
     url: https://mojo2600.github.io/pihole-kubernetes/
   - name: bitnami
@@ -25,22 +21,18 @@ releases:
     version: 4.12.0
     values:
       - ./values/ingress-nginx.values.yaml
-  - name: csi-driver-nfs
-    namespace: kube-system
-    chart: csi-driver-nfs/csi-driver-nfs
-    version: v4.9.0
+  - name: proxmox-csi-plugin
+    namespace: proxmox-csi
+    chart: oci://ghcr.io/sergelogvinov/charts/proxmox-csi-plugin
+    version: 0.3.5
+    values:
+      - ./values/proxmox-csi-plugin.values.yaml.gotmpl
   - name: cert-manager
     namespace: cert-manager
     chart: jetstack/cert-manager
     version: v1.16.2
     values:
       - ./values/cert-manager.values.yaml
-  - name: argocd
-    namespace: argocd
-    chart: argocd/argo-cd
-    version: 7.7.21
-    values:
-      - ./values/argocd.values.yaml
   - name: pihole
     namespace: pihole
     chart: mojo2600/pihole

stages/base/kustomization.yaml

@@ -3,8 +3,9 @@ kind: Kustomization
 
 resources:
 - ./kustomize/metallb.yaml
-- ./kustomize/csi-driver-nfs.yaml
 - ./kustomize/cert-manager-cloudflare.yaml
+- ./kustomize/proxmox-csi-namespace.yaml
+- ./kustomize/coredns-resolv-fix.yaml
 
 
 secretGenerator:

stages/base/kustomize/coredns-resolv-fix.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: coredns-custom
+  namespace: kube-system
+data:
+  kropcloud.net.server: |
+    kropcloud.net {
+      log
+      forward . 192.168.1.250
+    }

stages/base/kustomize/proxmox-csi-namespace.yaml

@@ -0,0 +1,8 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: proxmox-csi
+  labels:
+    pod-security.kubernetes.io/enforce: privileged
+    pod-security.kubernetes.io/audit: baseline
+    pod-security.kubernetes.io/warn: baseline

stages/base/values/external-dns-pihole.values.yaml

@@ -7,4 +7,4 @@ pihole:
   secretName: pihole-admin
 
 ingressClassFilters:
-  - ingress-nginx
+  - nginx

stages/base/values/pihole.values.yaml

@@ -1,4 +1,8 @@
+DNS1: 1.1.1.1
+DNS2: 1.0.0.1
+
 ingress:
+  ingressClassName: nginx
   enabled: true
   hosts:
     - pihole.kropcloud.net

stages/base/values/proxmox-csi-plugin.values.yaml.gotmpl

@@ -0,0 +1,16 @@
+config:
+  clusters:
+    - url: https://192.168.1.151:8006/api2/json
+      insecure: true
+      token_id: "kubernetes-csi@pve!csi"
+      token_secret: {{ readFile "../.envs/.proxmox-csi-secret" }}
+      region: KropCloud
+
+storageClass:
+  - name: proxmox-data
+    storage: hdd-data1
+    reclaimPolicy: Delete
+    fstype: ext4
+    cache: writethrough
+    annotations:
+      storageclass.kubernetes.io/is-default-class: "true"

stages/delivery/.envs/.argocd-oidc-secret.template

@@ -0,0 +1 @@
+{{ pw "46289080-39de-4e5e-bae5-6be41b08e25b" }}

stages/delivery/.envs/.forgejo-oidc-secret.template

@@ -0,0 +1 @@
+{{ pw "1a13caa1-547e-4462-af34-8dff29baec64" }}

stages/delivery/helmfile.yaml

@@ -0,0 +1,18 @@
+repositories:
+  - name: argocd
+    url: https://argoproj.github.io/argo-helm
+---
+
+releases:
+  - name: argocd
+    namespace: argocd
+    chart: argocd/argo-cd
+    version: 7.7.21
+    values:
+      - ./values/argocd.values.yaml.gotmpl
+  - name: forgejo
+    namespace: forgejo
+    chart: oci://code.forgejo.org/forgejo-helm/forgejo
+    version: 11.0.3
+    values:
+      - ./values/forgejo.values.yaml.gotmpl

stages/delivery/values/argocd.values.yaml.gotmpl

@@ -0,0 +1,57 @@
+global:
+  domain: argo.kropcloud.net
+
+configs:
+  secret:
+    extra:
+      dex.kropcloud-idp.clientSecret: {{ readFile "../.envs/.argocd-oidc-secret" }}
+
+  params:
+    server.insecure: true
+
+  cm:
+    dex.config: |
+      connectors:
+      - id: authentik
+        type: oidc
+        name: KropCloud IDP
+        config:
+          issuer: https://idp.kropcloud.net/application/o/argocd/
+          clientID: R6KnCiwgsevzTkWhB9dopV80sHxL8kS4QjVlMmqI
+          clientSecret: $dex.kropcloud-idp.clientSecret
+          insecureEnableGroups: true
+          scopes:
+            - openid
+            - profile
+            - email
+            - groups
+  rbac:
+    policy.csv: |
+      g, ArgoCD Admins, role:admin
+
+redis-ha:
+  enabled: true
+
+controller:
+  replicas: 1
+
+server:
+  replicas: 2
+  ingress:
+    enabled: true
+    ingressClassName: nginx
+    annotations:
+        nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+        nginx.ingress.kubernetes.io/ssl-passthrough: "true"
+        cert-manager.io/cluster-issuer: cloudflare-issuer
+    tls:
+      - hosts:
+          - argo.kropcloud.net
+        secretName: argocd-tls
+
+
+repoServer:
+  replicas: 2
+
+applicationSet:
+  replicas: 2

stages/delivery/values/forgejo.values.yaml.gotmpl

@@ -0,0 +1,70 @@
+redis-cluster:
+  enabled: false
+redis:
+  enabled: true
+postgresql:
+  enabled: true
+postgresql-ha:
+  enabled: false
+
+gitea:
+  oauth:
+    - name: kropcloud-idp
+      provider: openidConnect
+      key: VcyEM48aqaMlau356WMVO10cNcmd6McnxW1KvBLu
+      secret: {{ readFile "../.envs/.forgejo-oidc-secret" }}
+      autoDiscoverUrl: https://idp.kropcloud.net/application/o/git/.well-known/openid-configuration
+      skipLocal2fa: false
+      scopes: forgejo
+      requiredClaimName: forgejo
+      groupClaimName: forgejo
+      adminGroup: admin
+
+
+  config:
+    service:
+      DISABLE_REGISTRATION: false
+      ALLOW_ONLY_EXTERNAL_REGISTRATION: true
+    oauth2_client:
+      ENABLE_AUTO_REGISTRATION: true
+      UPDATE_AVATAR: true
+    openid:
+      ENABLE_OPENID_SIGNIN: false
+      ENABLE_OPENID_SIGNUP: false
+    database:
+      DB_TYPE: postgres
+    indexer:
+      ISSUE_INDEXER_TYPE: bleve
+      REPO_INDEXER_ENABLED: true
+    mailer:
+      ENABLED: true
+      FROM: Forgejo <no-reply@kropcloud.net>
+      PROTOCOL: smtps
+      SMTP_ADDR: smtp.seznam.cz
+      SMTP_PORT: 465
+      USER: no-reply@kropcloud.net
+      PASSWD: {{ readFile "../../.common/.noreply-email-password" }}
+
+ingress:
+  enabled: true
+  className: nginx
+  hosts:
+    - host: git.kropcloud.net
+      paths:
+        - path: /
+          pathType: Prefix
+  annotations:
+    nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+    nginx.ingress.kubernetes.io/baWckend-protocol: "HTTP"
+    nginx.ingress.kubernetes.io/proxy-body-size: "0"
+    cert-manager.io/cluster-issuer: cloudflare-issuer
+  tls:
+    - hosts:
+        - git.kropcloud.net
+      secretName: forgejo-tls
+
+service:
+  ssh:
+    type: LoadBalancer
+    annotations:
+      metallb.io/allow-shared-ip: kropcloud

stages/identity/.envs/.authentik-postgresql.template

@@ -0,0 +1 @@
+{{ pw "bdf24fa1-8638-4cd1-a17a-df5f0bc8adee" }}

stages/identity/.envs/.authentik-secret-key.template

@@ -0,0 +1 @@
+{{ pw "0e694c6c-9b5c-48c5-b884-6f7274c74832" }}

stages/identity/.envs/.vaultwarden-admin-token.template

@@ -0,0 +1 @@
+admin-token=16a6b142-bb39-4708-9de1-14157fee29d3

stages/identity/helmfile.yaml

@@ -0,0 +1,11 @@
+repositories:
+  - name: authentik
+    url: https://charts.goauthentik.io/
+---
+releases:
+  - name: authentik
+    namespace: authentik
+    chart: authentik/authentik
+    version: 2024.12.3
+    values:
+      - ./values/authentik.values.yaml.gotmpl

stages/identity/kustomization.yaml

@@ -0,0 +1,13 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+metadata:
+  name: identity
+
+secretGenerator:
+  - name: vaultwarden-secret
+    namespace: vaultwarden
+    envs:
+      - .envs/.vaultwarden-admin-token
+
+resources:
+  - ./resources/vaultwarden/

stages/identity/resources/vaultwarden/deployment.yaml

@@ -0,0 +1,36 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: vaultwarden
+spec:
+  selector:
+    matchLabels:
+      app: vaultwarden
+  template:
+    metadata:
+      labels:
+        app: vaultwarden
+    spec:
+      volumes:
+      - name: vaultwarden-pvc
+        persistentVolumeClaim:
+          claimName: vaultwarden-pvc
+      containers:
+      - name: vaultwarden
+        image: vaultwarden/server
+        resources:
+          limits:
+            memory: 256Mi
+            cpu: 500m
+        ports:
+        - name: vw-http
+          containerPort: 80
+        volumeMounts:
+          - mountPath: /data
+            name: vaultwarden-pvc
+        env:
+          - name: ADMIN_TOKEN
+            valueFrom:
+              secretKeyRef:
+                key: admin-token
+                name: vaultwarden-secret

stages/identity/resources/vaultwarden/ingress.yaml

@@ -0,0 +1,18 @@
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: vaultwarden-ingress
+  labels:
+    name: vaultwarden-ingress
+spec:
+  rules:
+  - host: pass.kropcloud.net
+    http:
+      paths:
+      - pathType: Prefix
+        path: /
+        backend:
+          service:
+            name: vaultwarden-svc
+            port:
+              number: 80

stages/identity/resources/vaultwarden/kustomization.yaml

@@ -0,0 +1,20 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: vaultwarden
+
+labels:
+- pairs:
+    app.kubernetes.io/managed-by: Kustomize
+    app.kubernetes.io/part-of: vaultwarden
+    app.kubernetes.io/version: 1.33.2
+
+resources:
+  - ./deployment.yaml
+  - ./pvc.yaml
+  - ./service.yaml
+  - ./ingress.yaml
+  - ./namespace.yaml
+
+images:
+  - name: vaultwarden/server
+    newTag: 1.33.2

stages/identity/resources/vaultwarden/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: vaultwarden

stages/identity/resources/vaultwarden/pvc.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: vaultwarden-pvc
+spec:
+  resources:
+    requests:
+      storage: 10Gi
+  volumeMode: Filesystem
+  accessModes:
+    - ReadWriteOnce

stages/identity/resources/vaultwarden/service.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: vaultwarden-svc
+spec:
+  selector:
+    app: vaultwarden
+  ports:
+  - name: vaultwarden-http-svc
+    port: 80
+    targetPort: vw-http

stages/identity/values/authentik.values.yaml.gotmpl

@@ -0,0 +1,38 @@
+postgresql:
+  enabled: true
+  auth:
+    password: {{ readFile "../.envs/.authentik-postgresql" }}
+  volumePermissions:
+    enabled: true
+
+authentik:
+  secret_key: {{ readFile "../.envs/.authentik-secret-key" }}
+
+  email:
+    host: smtp.seznam.cz
+    port: 465
+    use_ssl: true
+    from: KropCloud IDP <no-reply@kropcloud.net>
+    username: no-reply@kropcloud.net
+    password: {{ readFile "../../.common/.noreply-email-password" }}
+
+  postgresql:
+    password: {{ readFile "../.envs/.authentik-postgresql" }}
+
+redis:
+  enabled: true
+
+server:
+  ingress:
+    ingressClassName: nginx
+    enabled: true
+    hosts:
+      - idp.kropcloud.net
+    annotations:
+      nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
+      nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
+      cert-manager.io/cluster-issuer: cloudflare-issuer
+    tls:
+      - hosts: 
+        - idp.kropcloud.net
+        secretName: authentik-tls

values/argocd.values.yaml

@@ -1,33 +0,0 @@
-global:
-  domain: argo.kropcloud.net
-
-configs:
-  params:
-    server.insecure: true
-
-redis-ha:
-  enabled: true
-
-controller:
-  replicas: 1
-
-server:
-  replicas: 2
-  ingress:
-    enabled: true
-    ingressClassName: nginx
-    annotations:
-        nginx.ingress.kubernetes.io/force-ssl-redirect: "true"
-        nginx.ingress.kubernetes.io/backend-protocol: "HTTP"
-        cert-manager.io/cluster-issuer: cloudflare-issuer
-    extraTls:
-      - hosts:
-          - argo.kropcloud.net
-        secretName: argocd-tls
-
-
-repoServer:
-  replicas: 2
-
-applicationSet:
-  replicas: 2