--wip-- [skipci]

brettinternet · May 2, 2024 · 7e8177b · 7e8177b
1 parent 29f4925
commit 7e8177b
Show file tree

Hide file tree

Showing 131 changed files with 5,561 additions and 138 deletions.
diff --git a/kubernetes/apps/auth/authelia/app/helmrelease.yaml b/kubernetes/apps/auth/authelia/app/helmrelease.yaml
@@ -0,0 +1,178 @@
+---
+# yaml-language-server: $schema=https://raw.githubusercontent.com/bjw-s/helm-charts/main/charts/other/app-template/schemas/helmrelease-helm-v2beta2.schema.json
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+  name: &app authelia
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: app-template
+      version: 3.1.0
+      sourceRef:
+        kind: HelmRepository
+        name: bjw-s
+        namespace: flux-system
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      strategy: rollback
+      retries: 3
+  dependsOn:
+    - name: lldap
+      namespace: auth
+  values:
+    controllers:
+      authelia:
+        replicas: 3
+        strategy: RollingUpdate
+        annotations:
+          reloader.stakater.com/auto: "true"
+        initContainers:
+          init-db:
+            image:
+              repository: ghcr.io/onedr0p/postgres-init
+              tag: 16
+            env:
+              INIT_POSTGRES_HOST: &dbHost postgres16-rw.database.svc.cluster.local
+              INIT_POSTGRES_DBNAME: &dbName authelia
+              INIT_POSTGRES_USER:
+                valueFrom:
+                  secretKeyRef:
+                    name: authelia-secret
+                    key: AUTHELIA_STORAGE_POSTGRES_USERNAME
+              INIT_POSTGRES_PASS:
+                valueFrom:
+                  secretKeyRef:
+                    name: authelia-secret
+                    key: AUTHELIA_STORAGE_POSTGRES_PASSWORD
+              INIT_POSTGRES_SUPER_PASS: "${POSTGRES_SUPER_PASSWORD}"
+        containers:
+          app:
+            image:
+              repository: ghcr.io/authelia/authelia
+              tag: 4.38.8@sha256:19375b10024caeef4e0b119a6247beae84cbaa02c846cfd750e92dea910d4b6a
+            env:
+              AUTHELIA_THEME: dark
+              AUTHELIA_SERVER_ADDRESS: tcp://0.0.0.0:80
+              AUTHELIA_SERVER_DISABLE_HEALTHCHECK: "true"
+              AUTHELIA_TELEMETRY_METRICS_ADDRESS: tcp://0.0.0.0:8080
+              AUTHELIA_TELEMETRY_METRICS_ENABLED: "true"
+              AUTHELIA_SESSION_REDIS_HOST: dragonfly.database.svc.cluster.local
+              AUTHELIA_SESSION_REDIS_PORT: 6379
+              AUTHELIA_SESSION_REDIS_DATABASE_INDEX: 2
+              AUTHELIA_STORAGE_POSTGRES_DATABASE: *dbName
+              AUTHELIA_STORAGE_POSTGRES_ADDRESS: *dbHost
+              AUTHELIA_NOTIFIER_DISABLE_STARTUP_CHECK: "true"
+              AUTHELIA_NOTIFIER_SMTP_HOST: maddy.comms.svc.cluster.local
+              AUTHELIA_NOTIFIER_SMTP_PORT: 25
+              AUTHELIA_NOTIFIER_SMTP_SENDER: "Authelia <${SMTP_USER}>"
+              AUTHELIA_NOTIFIER_SMTP_DISABLE_REQUIRE_TLS: "true"
+              AUTHELIA_AUTHENTICATION_BACKEND_PASSWORD_RESET_DISABLE: "true"
+              AUTHELIA_AUTHENTICATION_BACKEND_REFRESH_INTERVAL: 1m
+              AUTHELIA_AUTHENTICATION_BACKEND_LDAP_IMPLEMENTATION: custom
+              AUTHELIA_AUTHENTICATION_BACKEND_LDAP_URL: ldap://lldap.auth.svc.cluster.local:3890
+              AUTHELIA_AUTHENTICATION_BACKEND_LDAP_TIMEOUT: 5s
+              AUTHELIA_AUTHENTICATION_BACKEND_LDAP_START_TLS: "false"
+              AUTHELIA_AUTHENTICATION_BACKEND_LDAP_BASE_DN: dc=home,dc=arpa
+              AUTHELIA_AUTHENTICATION_BACKEND_LDAP_USERNAME_ATTRIBUTE: uid
+              AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ADDITIONAL_USERS_DN: ou=people
+              AUTHELIA_AUTHENTICATION_BACKEND_LDAP_USERS_FILTER: "(&({username_attribute}={input})(objectClass=person))"
+              AUTHELIA_AUTHENTICATION_BACKEND_LDAP_ADDITIONAL_GROUPS_DN: ou=groups
+              AUTHELIA_AUTHENTICATION_BACKEND_LDAP_GROUPS_FILTER: (member={dn})
+              AUTHELIA_AUTHENTICATION_BACKEND_LDAP_GROUP_NAME_ATTRIBUTE: cn
+              AUTHELIA_AUTHENTICATION_BACKEND_LDAP_DISPLAY_NAME_ATTRIBUTE: displayName
+              AUTHELIA_AUTHENTICATION_BACKEND_LDAP_MAIL_ATTRIBUTE: mail
+              AUTHELIA_AUTHENTICATION_BACKEND_LDAP_USER: cn=admin,ou=people,dc=home,dc=arpa
+              AUTHELIA_ACCESS_CONTROL_DEFAULT_POLICY: one_factor
+              AUTHELIA_TOTP_DISABLE: false
+              AUTHELIA_TOTP_ISSUER: authelia.com
+              DOMAIN: "${PUBLIC_DOMAIN}"
+              GRAFANA_OAUTH_CLIENT_SECRET: "${GRAFANA_OAUTH_CLIENT_SECRET}"
+              CLUSTER_CIDR: "${CLUSTER_CIDR}"
+              NODE_CIDR: "${NODE_CIDR}"
+              HOME_CIDR: "${HOME_CIDR}"
+            envFrom:
+              - secretRef:
+                  name: authelia-secret
+            probes:
+              liveness: &probes
+                enabled: true
+                custom: true
+                spec:
+                  httpGet:
+                    path: /api/health
+                    port: &port 80
+                  initialDelaySeconds: 0
+                  periodSeconds: 10
+                  timeoutSeconds: 1
+                  failureThreshold: 3
+              readiness: *probes
+            securityContext:
+              allowPrivilegeEscalation: false
+              readOnlyRootFilesystem: true
+              capabilities: { drop: ["ALL"] }
+            resources:
+              requests:
+                cpu: 10m
+              limits:
+                memory: 128Mi
+    defaultPodOptions:
+      securityContext:
+        runAsNonRoot: true
+        runAsUser: 65534
+        runAsGroup: 65534
+        seccompProfile: { type: RuntimeDefault }
+      topologySpreadConstraints:
+        - maxSkew: 1
+          topologyKey: kubernetes.io/hostname
+          whenUnsatisfiable: DoNotSchedule
+          labelSelector:
+            matchLabels:
+              app.kubernetes.io/name: *app
+    service:
+      app:
+        controller: authelia
+        ports:
+          http:
+            port: *port
+          metrics:
+            port: 8080
+    serviceMonitor:
+      app:
+        serviceName: authelia
+        endpoints:
+          - port: metrics
+            scheme: http
+            path: /metrics
+            interval: 1m
+            scrapeTimeout: 10s
+    ingress:
+      app:
+        className: external
+        annotations:
+          external-dns.alpha.kubernetes.io/target: "external.${PUBLIC_DOMAIN}"
+          nginx.ingress.kubernetes.io/configuration-snippet: |
+            add_header Cache-Control "no-store";
+            add_header Pragma "no-cache";
+            add_header X-Frame-Options "SAMEORIGIN";
+            add_header X-XSS-Protection "1; mode=block";
+        hosts:
+          - host: "auth.${PUBLIC_DOMAIN}"
+            paths:
+              - path: /
+                service:
+                  identifier: app
+                  port: http
+    persistence:
+      config:
+        type: configMap
+        name: authelia-configmap
+        globalMounts:
+          - path: /config/configuration.yaml
+            subPath: configuration.yaml
+            readOnly: true
diff --git a/kubernetes/apps/auth/authelia/app/kustomization.yaml b/kubernetes/apps/auth/authelia/app/kustomization.yaml
@@ -0,0 +1,14 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./secret.sops.yaml
+  - ./helmrelease.yaml
+  - ../../../../templates/gatus/external
+configMapGenerator:
+  - name: authelia-configmap
+    files:
+      - configuration.yaml=./resources/configuration.yaml
+generatorOptions:
+  disableNameSuffixHash: true
diff --git a/kubernetes/apps/auth/authelia/app/resources/configuration.yaml b/kubernetes/apps/auth/authelia/app/resources/configuration.yaml
@@ -0,0 +1,35 @@
+---
+# Note: Authelia vars should be escaped with $${VAR_NAME} to avoid interpolation by Flux
+session:
+  same_site: lax
+  inactivity: 5m
+  expiration: 1h
+  remember_me: 1M
+  cookies:
+    - name: $${DOMAIN}_session
+      domain: $${DOMAIN}
+      authelia_url: https://auth.$${DOMAIN}
+      default_redirection_url: https://$${DOMAIN}
+
+access_control:
+  default_policy: &policy two_factor
+  networks:
+    - name: internal
+      networks: ["$${CLUSTER_CIDR}", "$${NODE_CIDR}", "$${HOME_CIDR}"]
+  rules: []
+
+identity_providers:
+  oidc:
+    cors:
+      endpoints: ["authorization", "token", "revocation", "introspection"]
+      allowed_origins_from_client_redirect_uris: true
+    clients:
+      - client_name: Grafana
+        client_id: grafana
+        client_secret: "$${GRAFANA_OAUTH_CLIENT_SECRET}"
+        public: false
+        authorization_policy: *policy
+        pre_configured_consent_duration: 1y
+        scopes: ["openid", "profile", "groups", "email"]
+        redirect_uris: ["https://grafana.$${DOMAIN}/login/generic_oauth"]
+        userinfo_signed_response_alg: none
diff --git a/kubernetes/apps/auth/authelia/app/secret.sops.yaml b/kubernetes/apps/auth/authelia/app/secret.sops.yaml
@@ -0,0 +1,32 @@
+# yamllint disable
+apiVersion: v1
+kind: Secret
+metadata:
+    name: authelia-secret
+type: Opaque
+stringData:
+    AUTHELIA_JWT_SECRET: ENC[AES256_GCM,data:mfEvmQht1KPeTg1Jf0724SKiwPRAMn6EAajgICKMZQT22iKELI2NW3iDXkaLpKccjgW2aNvCdL8V0YUdZGJiTxYUqNqeR0+TjmTbrKCJvOUYXJvmBPeim9KueiGRXlgijh99x0nukPT31K0hoWTn9VmS9Fn9sFxRhbh6votAd88=,iv:oQQnrrMDMm2jsd2gapIoYSRtqqCyy1CVP5FxreyPWhE=,tag:71ueJgUCWef9iMJtJbitRQ==,type:str]
+    AUTHELIA_SESSION_SECRET: ENC[AES256_GCM,data:6DHH1g3wDGmWucN6dqMhhptBA6LvwAfyMShQ6VPE81cx6LTSAM1wcIDlGsZySU3zbD4myyHTZ+cGMJ3dNk1PhYPIiABTFnVMAdgh/TDyfBTlYbjttwS6VV0VwzjP6ghPQE/qnUco22EAv2hwrvd+nY6mFtkonrjabUHfQjK1RXc=,iv:teI7BvRbHVuqiwFVfPBCqooFezHybYsjEpLi5CacMPI=,tag:/TGjfIbUt+ZFFqpQ4jQQgw==,type:str]
+    AUTHELIA_STORAGE_ENCRYPTION_KEY: ENC[AES256_GCM,data:K1AQUYYY3RwLC4SE+Ej6fzanrCyL46tyXqPsfJO/S8B8AEM7pr3rt4S/9acXG6deE8vCy/K/rIxa+yRmrM3WzLaeY0U9taUQhXwt2FWmw8FlFjQ18NUMzPcHcJr0CPB1G5gONjo3EON4BTfq6Wngah2/ZeetK/Wy8EHR3zUFnHc=,iv:cphoP0v+uFKg/txW0TK5H8s/+djhvcSsTbh2BQulEr4=,tag:DC1RUdu0qvCt8VrETm3hMg==,type:str]
+    AUTHELIA_STORAGE_POSTGRES_USERNAME: ENC[AES256_GCM,data:HhiaqD/1ulM=,iv:MHcAroZJhJRkotBAIIPHhRZ+oZ9uRpTENmERhPMPjiA=,tag:YKztQGqukVQ71TDY/nBlVg==,type:str]
+    AUTHELIA_STORAGE_POSTGRES_PASSWORD: ENC[AES256_GCM,data:s2n6nMmQrK/pl4Wjvdu4PYh97piEkUnue/VXx2iMRrI=,iv:N5b4u0I2u/cjmz3z3uf6JaVzLfDN94gJhAffiTauVXU=,tag:SCEh9V+ZuPExxHJTtFmMDg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age148wprsnqjq8jughvywnzmvs8gffhrkendpr7g60q8u4rdsj4jvuqk7ltrs
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBSTmYvQlRVMFh4WGtCRmVh
+            TERzWElNcHdkSWppY09zK2JYbkt6clE2MDB3CnI2NzRBT1NCU0xlVUtnRUwxRGxs
+            b0s4cmlOb3MwdW1aU0wzK003c0piczQKLS0tIFlvaUtsZXFBM0xxWEw4d0t6NTk2
+            OW9QYktDNkJuaDdVY2ZZcWFTZ3VPNTgKpTbeUIMemVJs6hcGMZMA+UVHS1+pYa28
+            lLBER3QQ86PIPit8iwmppSQjwjOBP1KjMXj34ejtUyUOH5Ksudjzpw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-05-02T05:00:37Z"
+    mac: ENC[AES256_GCM,data:ELct7B7/lYZV8srh81GRK2lnk+mvcWSU2x+0YasYOuFCNTElC9j0nTPL4wYgiPxbOEsTvJvIWb4FoOhvM69k6LKuZvBJz3y+Ej6txYhjk2V+//XP5sLwGs5BtaR6goOK/AfLoqjCO5T5lcZ7MtEni3LjkABFBBfJDsK7KFN8EQI=,iv:4dyqCuMx58Jr3U+S+Z9XAp2Y1LP/XA5aT6vqWI3zRhY=,tag:52y5ynWF/BDh2h/JPmfuWA==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.8.1
diff --git a/kubernetes/apps/auth/authelia/ks.yaml b/kubernetes/apps/auth/authelia/ks.yaml
@@ -0,0 +1,28 @@
+---
+# yaml-language-server: $schema=https://kubernetes-schemas.pages.dev/kustomize.toolkit.fluxcd.io/kustomization_v1.json
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: &app authelia
+  namespace: flux-system
+spec:
+  targetNamespace: auth
+  commonMetadata:
+    labels:
+      app.kubernetes.io/name: *app
+  dependsOn:
+    - name: cloudnative-pg-cluster
+    - name: dragonfly-cluster
+  path: ./kubernetes/apps/auth/authelia/app
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: home-kubernetes
+  wait: false
+  interval: 30m
+  retryInterval: 1m
+  timeout: 5m
+  postBuild:
+    substitute:
+      APP: *app
+      GATUS_SUBDOMAIN: auth
diff --git a/kubernetes/apps/auth/kustomization.yaml b/kubernetes/apps/auth/kustomization.yaml
@@ -0,0 +1,8 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/kustomization
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./namespace.yaml
+  - ./authelia/ks.yaml
+  - ./lldap/ks.yaml
diff --git a/kubernetes/apps/auth/lldap/app/helmrelease.yaml b/kubernetes/apps/auth/lldap/app/helmrelease.yaml
@@ -0,0 +1,90 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta2
+kind: HelmRelease
+metadata:
+  name: lldap
+spec:
+  interval: 30m
+  chart:
+    spec:
+      chart: app-template
+      version: 3.1.0
+      sourceRef:
+        kind: HelmRepository
+        name: bjw-s
+        namespace: flux-system
+  install:
+    remediation:
+      retries: 3
+  upgrade:
+    cleanupOnFail: true
+    remediation:
+      strategy: rollback
+      retries: 3
+  values:
+    controllers:
+      lldap:
+        replicas: 3
+        annotations:
+          reloader.stakater.com/auto: "true"
+        initContainers:
+          init-db:
+            image:
+              repository: ghcr.io/onedr0p/postgres-init
+              tag: 16
+            env:
+              INIT_POSTGRES_HOST: postgres16-rw.database.svc.cluster.local
+              INIT_POSTGRES_DBNAME: lldap
+              INIT_POSTGRES_USER:
+                valueFrom:
+                  secretKeyRef:
+                    name: lldap-secret
+                    key: POSTGRES_USER
+              INIT_POSTGRES_PASS:
+                valueFrom:
+                  secretKeyRef:
+                    name: lldap-secret
+                    key: POSTGRES_PASSWORD
+              INIT_POSTGRES_SUPER_PASS: "${POSTGRES_SUPER_PASSWORD}"
+        containers:
+          app:
+            image:
+              repository: ghcr.io/nitnelave/lldap
+              tag: 2024-04-24-alpine
+            env:
+              TZ: "${TIMEZONE}"
+              UID: "${SECURITY_CONTEXT_RUN_AS_USER}"
+              GID: "${SECURITY_CONTEXT_RUN_AS_GROUP}"
+              LLDAP_LDAP_BASE_DN: "dc=home,dc=arpa"
+            envFrom:
+              - secretRef:
+                  name: lldap-secret
+            service:
+              app:
+                controller: lldap
+                ports:
+                  http:
+                    port: 17170
+                  ldap:
+                    enabled: true
+                    port: 3890
+            ingress:
+              app:
+                enabled: true
+                className: internal
+                hosts:
+                  - host: &host "ldap.${PUBLIC_DOMAIN}"
+                    paths:
+                      - path: /
+                        service:
+                          identifier: app
+                          port: http
+                tls:
+                  - hosts:
+                      - *host
+            resources:
+              requests:
+                cpu: 10m
+                memory: 100Mi
+              limits:
+                memory: 500Mi
diff --git a/kubernetes/apps/auth/lldap/app/kustomization.yaml b/kubernetes/apps/auth/lldap/app/kustomization.yaml
@@ -0,0 +1,6 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - ./secret.sops.yaml
+  - ./helmrelease.yaml