switch to NAS for NC & nodeport to fix certs

fogcutter/k8s/cert-manager.yml

@@ -0,0 +1,4 @@
+# helm create namespace cert-manager
+# helm repo add jetstack https://charts.jetstack.io && helm repo update
+# helm install cert-manager jetstack/cert-manager --namespace cert-manager --version v1.0.3 -f cert-manager.yml
+installCRDs: true

fogcutter/k8s/cloud.txt

@@ -1,2 +0,0 @@
-# cert-manager
-kubectl apply --validate=false -f https://github.com/jetstack/cert-manager/releases/download/v1.0.3/cert-manager.yaml

fogcutter/k8s/gitea.yml

@@ -28,7 +28,7 @@ spec:
             - name: SSH_DOMAIN
               value: "git.seaturtle.pw"
             - name: SSH_PORT
-              value: "2223"
+              value: "22"
             - name: ROOT_URL
               value: "https://git.seaturtle.pw/"
             - name: LFS_START
@@ -84,7 +84,7 @@ spec:
       port: 3000
       protocol: TCP
     - name: ssh
-      port: 2223
+      port: 22
       protocol: TCP
 
 ---

fogcutter/k8s/haproxy-tcp.yml

@@ -0,0 +1,11 @@
+---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: tcpservices
+  namespace: haproxy
+data:
+  22:
+    pew/gitea:22
+  25565:
+    pew/minecraft:25565

fogcutter/k8s/haproxy.yml

@@ -1,252 +1,32 @@
----
+# k create namespace haproxy
-apiVersion: v1
+# Create tcp services configmap:
-kind: Namespace
+# k apply -f haproxy-tcp.yml
-metadata:
+# helm repo add haproxytech https://haproxytech.github.io/helm-charts && helm repo update
-  name: pew
+# helm install haproxy haproxytech/kubernetes-ingress --namespace haproxy -f haproxy.yml
-
+controller:
----
+  replicaCount: 1
-apiVersion: v1
+  extraArgs:
-kind: ServiceAccount
+    - --configmap-tcp-services=haproxy/tcpservices
-metadata:
+  service:
-  name: haproxy-ingress-service-account
+    type: NodePort
-  namespace: pew
+    nodePorts:
-
+      http: 30080
----
+      https: 30443
-kind: ClusterRole
+    enablePorts:
-apiVersion: rbac.authorization.k8s.io/v1
+      http: true
-metadata:
+      https: true
-  name: haproxy-ingress-cluster-role
+      stat: true
-rules:
+      ssh: true
-  - apiGroups:
+      minecraft: true
-      - ""
+    tcpPorts:
-    resources:
-      - configmaps
-      - endpoints
-      - nodes
-      - pods
-      - services
-      - namespaces
-      - events
-      - serviceaccounts
-    verbs:
-      - get
-      - list
-      - watch
-  - apiGroups:
-      - "extensions"
-    resources:
-      - ingresses
-      - ingresses/status
-    verbs:
-      - get
-      - list
-      - watch
-      - update
-  - apiGroups:
-      - ""
-    resources:
-      - secrets
-    verbs:
-      - get
-      - list
-      - watch
-      - create
-      - patch
-      - update
-
----
-kind: ClusterRoleBinding
-apiVersion: rbac.authorization.k8s.io/v1
-metadata:
-  name: haproxy-ingress-cluster-role-binding
-  namespace: pew
-roleRef:
-  apiGroup: rbac.authorization.k8s.io
-  kind: ClusterRole
-  name: haproxy-ingress-cluster-role
-subjects:
-- kind: ServiceAccount
-  name: haproxy-ingress-service-account
-  namespace: pew
-
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: haproxy
-  namespace: pew
-data:
- 
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: tcpservices
-  namespace: pew
-data:
-  2223:
-    pew/gitea:2223
-  25565:
-    pew/minecraft:25565
-
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
-  labels:
-    run: haproxy-ingress
-  name: haproxy-ingress
-  namespace: pew
-spec:
-  replicas: 1
-  selector:
-    matchLabels:
-      run: haproxy-ingress
-  template:
-    metadata:
-      labels:
-        run: haproxy-ingress
-    spec:
-      serviceAccountName: haproxy-ingress-service-account
-      containers:
-        - name: haproxy-ingress
-          image: haproxytech/kubernetes-ingress:1.4.9
-          args:
-            - --configmap=pew/haproxy
-            - --configmap-tcp-services=pew/tcpservices
-          ports:
-            - name: http
-              containerPort: 80
-            - name: https
-              containerPort: 443
       - name: ssh
-              containerPort: 2223
+        port: 22
-            - name: minecraft
+        targetPort: 22
-              containerPort: 25565
+        nodePort: 30022
-
----
-apiVersion: v1
-kind: Service
-metadata:
-  labels:
-    run: haproxy-ingress
-  name: haproxy-ingress
-  namespace: pew
-spec:
-  selector:
-    run: haproxy-ingress
-  ports:
-    - name: http
-      port: 80
-      protocol: TCP
-    - name: https
-      port: 443
-      protocol: TCP
-    - name: ssh
-      port: 2223
-      protocol: TCP
       - name: minecraft
         port: 25565
-      protocol: TCP
+        targetPort: 25565
-  externalIPs:
+        nodePort: 30565
-    - 10.42.0.203
 
----
+defaultBackend:
-apiVersion: networking.k8s.io/v1
+  replicaCount: 1
-kind: Ingress
-metadata:
-  annotations:
-    # set to false if doing letsencrypt validation
-    ingress.kubernetes.io/ssl-redirect: "true"
-    cert-manager.io/cluster-issuer: letsencrypt-prod
-  name: haproxy-ingress
-  namespace: pew
-spec:
-  rules:
-    - host: seaturtle.pw
-      http:
-        paths:
-          - path: /
-            pathType: "Exact"
-            backend:
-              service:
-                name: nginx
-                port:
-                  number: 80
-          - path: /files
-            pathType: "Exact"
-            backend:
-              service:
-                name: nginx
-                port:
-                  number: 80
-          - path: /grafana
-            pathType: "Exact"
-            backend:
-              service:
-                name: grafana
-                port:
-                  number: 3000
-    - host: airsonic.seaturtle.pw
-      http:
-        paths:
-          - path: /
-            pathType: "Exact"
-            backend:
-              service:
-                name: airsonic
-                port:
-                  number: 4040
-    - host: git.seaturtle.pw
-      http:
-        paths:
-          - path: /
-            pathType: "Exact"
-            backend:
-              service:
-                name: gitea
-                port:
-                  number: 3000
-    - host: nc.seaturtle.pw
-      http:
-        paths:
-          - path: /
-            pathType: "Exact"
-            backend:
-              service:
-                name: nextcloud
-                port:
-                  number: 80
-    - host: plex.seaturtle.pw
-      http:
-        paths:
-          - path: /
-            pathType: "Exact"
-            backend:
-              service:
-                name: plex
-                port:
-                  number: 32400
-  tls:
-    - secretName: pew-cert
-      hosts:
-        - seaturtle.pw
-        - airsonic.seaturtle.pw
-        - git.seaturtle.pw
-        - plex.seaturtle.pw
-
----
-apiVersion: cert-manager.io/v1alpha2
-kind: ClusterIssuer
-metadata:
-  name: letsencrypt-prod
-spec:
-  acme:
-    email: paulsw.pw@gmail.com
-    server: https://acme-v02.api.letsencrypt.org/directory
-    privateKeySecretRef:
-      name: pew-account-key
-    # Add a ACME HTTP01 challenge solver
-    solvers:
-    - http01:
-        ingress: {}

fogcutter/k8s/ingress.yml

@@ -0,0 +1,107 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    # set to false if doing letsencrypt validation
+    ingress.kubernetes.io/ssl-redirect: "true"
+    cert-manager.io/cluster-issuer: letsencrypt-prod
+  name: haproxy-ingress
+  namespace: pew
+spec:
+  rules:
+    - host: seaturtle.pw
+      http:
+        paths:
+          - path: /
+            pathType: "Exact"
+            backend:
+              service:
+                name: nginx
+                port:
+                  number: 80
+          - path: /files
+            pathType: "Exact"
+            backend:
+              service:
+                name: nginx
+                port:
+                  number: 80
+    - host: airsonic.seaturtle.pw
+      http:
+        paths:
+          - path: /
+            pathType: "Exact"
+            backend:
+              service:
+                name: airsonic
+                port:
+                  number: 4040
+    - host: git.seaturtle.pw
+      http:
+        paths:
+          - path: /
+            pathType: "Exact"
+            backend:
+              service:
+                name: gitea
+                port:
+                  number: 3000
+    - host: nc.seaturtle.pw
+      http:
+        paths:
+          - path: /
+            pathType: "Exact"
+            backend:
+              service:
+                name: nextcloud
+                port:
+                  number: 80
+    - host: plex.seaturtle.pw
+      http:
+        paths:
+          - path: /
+            pathType: "Exact"
+            backend:
+              service:
+                name: plex
+                port:
+                  number: 32400
+  tls:
+    - secretName: pew-cert
+      hosts:
+        - seaturtle.pw
+        - airsonic.seaturtle.pw
+        - git.seaturtle.pw
+        - nc.seaturtle.pw
+        - plex.seaturtle.pw
+
+---
+apiVersion: cert-manager.io/v1alpha2
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-staging
+spec:
+  acme:
+    email: paulsw.pw@gmail.com
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: pew-account-key
+    solvers:
+    - http01:
+        ingress: {}
+
+---
+apiVersion: cert-manager.io/v1alpha2
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt-prod
+spec:
+  acme:
+    email: paulsw.pw@gmail.com
+    server: https://acme-v02.api.letsencrypt.org/directory
+    privateKeySecretRef:
+      name: pew-account-key
+    solvers:
+    - http01:
+        ingress: {}

fogcutter/k8s/nextcloud.yml

@@ -48,7 +48,7 @@ spec:
       volumes:
         - name: nextcloud-data
           hostPath:
-            path: /opt/NEXTCLOUD-K8S/data
+            path: /bigdata/k8s-config/nextcloud/data
 
 ---
 apiVersion: v1
@@ -106,7 +106,7 @@ spec:
       volumes:
         - name: nextcloud-mariadb
           hostPath:
-            path: /opt/NEXTCLOUD-K8S/mariadb
+            path: /bigdata/k8s-config/nextcloud/mariadb
 
 ---
 apiVersion: v1