#17 Clean up silver-flame

- Move old Terraform files to archive - Move from nix/nix-lab to homelab/silver-flame
#17 Fix long-lived typo in cluster name
2024-10-25 18:13:15 -07:00 · 2024-10-25 18:11:16 -07:00
42 changed files with 55 additions and 3711 deletions
--- a/.gitea/workflows/silver-flame-deploy.yaml
+++ b/.gitea/workflows/silver-flame-deploy.yaml
@ -0,0 +1,46 @@
 name: Deploy NixOS System Configurations to Silver-Flame Hosts
 on:
  push:
    branches: [ main ]
    paths: [ 'homelab/silver-flame/**' ]
 jobs:
  deploy:
    defaults:
      run: 
        working-directory: homelab/silver-flame
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Jafner.net repo
        uses: actions/checkout@v4
      - name: Install jq
        run: sudo apt-get update && sudo apt-get install jq
      - name: Install Nix
        uses: cachix/install-nix-action@v30
        with:
          github_access_token: ${{ secrets.RUNNER_GITHUB_TOKEN }}
          nix_path: nixpkgs=channel:nixos-24.05
      - name: Configure SSH key
        run: |
          echo -e "${{ secrets.RUNNER_SSH_PRIVATEKEY }}" > /tmp/key
          chmod 600 /tmp/key
          ssh -i /tmp/key
      - name: Get list of hosts
        run: |
          nix eval --json .#deploy.nodes --apply 'builtins.attrValues' |\
          jq -r '.[].hostname' | xargs echo > /tmp/hostlist
      - name: Add known hosts
        run: |
          mkdir -p ~/.ssh && touch ~/.ssh/known_hosts && chmod 600 ~/.ssh/known_hosts
          for host in $(cat /tmp/hostlist); do 
            ssh-keyscan -t ed25519 $host >> ~/.ssh/known_hosts
          done
      - name: Test SSH connections
        run: |
          for host in $(cat /tmp/hostlist); do
            ssh -i /tmp/key root@$host 'whoami; echo $HOSTNAME'
          done
      # - name: Run deploy-rs from flake
      #   run: |
      #     nix run github:serokell/deploy-rs#defaultPackage.x86_64-linux -- --version
--- a/.gitea/workflows/silver-hand-deploy.yaml
+++ b/.gitea/workflows/silver-hand-deploy.yaml
@ -1,28 +0,0 @@
 name: Deploy NixOS System Configurations to Silver-Hand Hosts
 on:
  push:
    branches: [ main ]
    paths: [ 'nix/nix-lab/**' ]
 jobs:
  deploy:
    defaults:
      run: 
        working-directory: nix/nix-lab
    runs-on: ubuntu-latest
    steps:
      - name: Checkout Jafner.net repo
        uses: actions/checkout@v4
      - name: Install Nix
        uses: cachix/install-nix-action@v30
        with:
          github_access_token: ${{ secrets.RUNNER_GITHUB_TOKEN }}
          nix_path: nixpkgs=channel:nixos-24.05
      - name: Check Nix Install
        run: |
          nix flake show github:NixOS/nixpkgs
          nix --version
      - name: Run deploy-rs from flake
        run: |
          nix run github:serokell/deploy-rs#defaultPackage.x86_64-linux -- --version
--- a/archive/silver-hand/README.md
+++ b/archive/silver-hand/README.md
--- a/archive/silver-hand/certmanager.tf
+++ b/archive/silver-hand/certmanager.tf
--- a/archive/silver-hand/cloudflare.tf
+++ b/archive/silver-hand/cloudflare.tf
--- a/archive/silver-hand/nginx-test.tf
+++ b/archive/silver-hand/nginx-test.tf
--- a/archive/silver-hand/silver-hand.tf
+++ b/archive/silver-hand/silver-hand.tf
--- a/archive/silver-hand/traefik.tf
+++ b/archive/silver-hand/traefik.tf
--- a/homelab/silver-flame/README.md
+++ b/homelab/silver-flame/README.md
@ -0,0 +1,9 @@
 # Silver Flame
 The Silver Flame is the name given to my k3s cluster, initially comprising Bard, Ranger, and Cleric. 
 > The Church of the Silver Flame was founded in the early centuries of the Kingdom of Galifar by the sacrifice of a brave paladin, Tira Miron. The church's influence spread throughout the centuries, but its heart remained in Thrane. During the Last War, King Thalin declared independence in the name of spreading worship. When Thalin died, the Church stepped in to replace the monarchy with a theocracy. 
 > [Source](https://eberron.fandom.com/wiki/Church_of_the_Silver_Flame)
 # Infrastructure via NixOS, Deploy-rs
 # Services via Kubernetes, Helm, Helmfile
--- a/homelab/silver-flame/configuration.nix
+++ b/homelab/silver-flame/configuration.nix
--- a/homelab/silver-flame/flake.lock
+++ b/homelab/silver-flame/flake.lock
--- a/homelab/silver-flame/flake.nix
+++ b/homelab/silver-flame/flake.nix
--- a/homelab/silver-flame/helm/helmfile.yaml
+++ b/homelab/silver-flame/helm/helmfile.yaml
--- a/homelab/silver-flame/helm/values/metallb.yaml
+++ b/homelab/silver-flame/helm/values/metallb.yaml
--- a/homelab/silver-flame/helm/values/traefik.yaml
+++ b/homelab/silver-flame/helm/values/traefik.yaml
--- a/homelab/silver-flame/hosts/bard/hardware-configuration.nix
+++ b/homelab/silver-flame/hosts/bard/hardware-configuration.nix
--- a/homelab/silver-flame/hosts/cleric/hardware-configuration.nix
+++ b/homelab/silver-flame/hosts/cleric/hardware-configuration.nix
--- a/homelab/silver-flame/hosts/ranger/hardware-configuration.nix
+++ b/homelab/silver-flame/hosts/ranger/hardware-configuration.nix
--- a/homelab/silver-flame/manifests/cert-manager/cert-manager.yaml
+++ b/homelab/silver-flame/manifests/cert-manager/cert-manager.yaml
--- a/homelab/silver-flame/manifests/longhorn/longhorn.yaml
+++ b/homelab/silver-flame/manifests/longhorn/longhorn.yaml
--- a/homelab/silver-flame/manifests/nginx/nginx.yaml
+++ b/homelab/silver-flame/manifests/nginx/nginx.yaml
--- a/homelab/silver-flame/manifests/send/redis-pod.yaml
+++ b/homelab/silver-flame/manifests/send/redis-pod.yaml
--- a/homelab/silver-flame/manifests/send/send-claim0-persistentvolumeclaim.yaml
+++ b/homelab/silver-flame/manifests/send/send-claim0-persistentvolumeclaim.yaml
--- a/homelab/silver-flame/manifests/send/send-pod.yaml
+++ b/homelab/silver-flame/manifests/send/send-pod.yaml
--- a/homelab/silver-flame/manifests/send/send.yaml
+++ b/homelab/silver-flame/manifests/send/send.yaml
--- a/homelab/silver-flame/manifests/smb/smb.yaml
+++ b/homelab/silver-flame/manifests/smb/smb.yaml
--- a/homelab/silver-hand/old/artisans-tools/README.md
+++ b/homelab/silver-hand/old/artisans-tools/README.md
@ -1,2 +0,0 @@
 # Artisan's Tools
 Here are the manifests for tools we've added to the cluster to facilitate one or more applications.
--- a/homelab/silver-hand/old/artisans-tools/datashim.yml
+++ b/homelab/silver-hand/old/artisans-tools/datashim.yml
--- a/homelab/silver-hand/old/cert-manager/cert-manager.issuer.yml
+++ b/homelab/silver-hand/old/cert-manager/cert-manager.issuer.yml
@ -1,17 +0,0 @@
 apiVersion: cert-manager.io/v1
 kind: ClusterIssuer
 metadata:
  name: letsencrypt-issuer
 spec:
  acme:
    email: jafner425@gmail.com
    server: https://acme-v02.api.letsencrypt.org/directory
    privateKeySecretRef:
      name: letsencrypt-issuer-account-key
    solvers:
      - selector: {}
        dns01:
          cloudflare:
            apiTokenSecretRef:
              name: cloudflare-token
              key: token
--- a/homelab/silver-hand/old/cert-manager/default-values.yaml
+++ b/homelab/silver-hand/old/cert-manager/default-values.yaml
--- a/homelab/silver-hand/old/helm/README.md
+++ b/homelab/silver-hand/old/helm/README.md
@ -1,26 +0,0 @@
 # Helm
 This directory contains documentation and files related to configuring Helm for the Silver Hand cluster. 
 ### Repositories Used
 - [kubernetes-dashboard](https://kubernetes.github.io/dashboard/) to provide [Kubernetes Dashboard](https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/).
 ### Steps Taken So Far
 ```
 helm repo add kubernetes-dashboard https://kubernetes.github.io/dashboard/
 helm upgrade --install kubernetes-dashboard kubernetes-dashboard/kubernetes-dashboard --create-namespace --namespace kubernetes-dashboard
 ```
 ```
 helm repo add traefik https://traefik.github.io/charts
 helm install traefik traefik/traefik --version 30.0.2
 ```
 ```
 kubectl apply -f https://github.com/cert-manager/cert-manager/releases/download/v1.15.2/cert-manager.crds.yaml
 helm repo add jetstack https://charts.jetstack.io --force-update
 helm install cert-manager --namespace cert-manager --version v1.15.2 jetstack/cert-manager
 ```
 #### Sources:
 [Deploy and Access the Kubernetes Dashboard - Kubernetes.io](https://kubernetes.io/docs/tasks/access-application-cluster/web-ui-dashboard/)
--- a/homelab/silver-hand/old/jafner-dev/jafner-dev.dataset.yml
+++ b/homelab/silver-hand/old/jafner-dev/jafner-dev.dataset.yml
@ -1,13 +0,0 @@
 ---
 apiVersion: datashim.io/v1alpha1
 kind: Dataset
 metadata:
  namespace: jafner-dev
  name: jafner-dev
 spec:
  local:
    type: "COS"
    secret-name: jafner-dev-aws-credentials
    endpoint: "https://s3.us-west-2.amazonaws.com"
    bucket: "jafner-dev"
    region: "us-west-2"
--- a/homelab/silver-hand/old/jafner-dev/jafner-dev.ingress.yml
+++ b/homelab/silver-hand/old/jafner-dev/jafner-dev.ingress.yml
@ -1,21 +0,0 @@
 ---
 apiVersion: networking.k8s.io/v1
 kind: Ingress
 metadata:
  namespace: jafner-dev
  name: jafner-dev
  annotations:
    nginx.ingress.kubernetes.io/rewrite-target: /
 spec:
  ingressClassName: jafner-dev
  rules:
  - host: "jafner-dev.k3s.jafner.net"
    http:
      paths:
      - pathType: Prefix
        path: "/"
        backend: 
          service: 
            name: jafner-dev-service
            port:
              number: 80
--- a/homelab/silver-hand/old/jafner-dev/jafner-dev.namespace.yml
+++ b/homelab/silver-hand/old/jafner-dev/jafner-dev.namespace.yml
@ -1,5 +0,0 @@
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
  name: jafner-dev
--- a/homelab/silver-hand/old/jafner-dev/jafner-dev.pod.yml
+++ b/homelab/silver-hand/old/jafner-dev/jafner-dev.pod.yml
@ -1,24 +0,0 @@
 ---
 apiVersion: v1
 kind: Pod
 metadata:
  namespace: jafner-dev
  name: nginx
  labels:
    app: jafner-dev
    dataset.0.id: "jafner-dev"
    dataset.0.useas: "mount"
 spec:
  containers:
  - name: nginx
    image: nginx
    ports:
    - containerPort: 80
      name: http
    volumeMounts:
    - mountPath: "/usr/share/nginx/html"
      name: "jafner-dev"
  volumes:
  - name: "jafner-dev"
    persistentVolumeClaim:
      claimName: "jafner-dev"
--- a/homelab/silver-hand/old/jafner-dev/jafner-dev.service.yml
+++ b/homelab/silver-hand/old/jafner-dev/jafner-dev.service.yml
@ -1,13 +0,0 @@
 ---
 apiVersion: v1
 kind: Service
 metadata: 
  namespace: jafner-dev
  name: jafner-dev-service
 spec:
  type: LoadBalancer
  selector:
    app: jafner-dev
  ports:
  - port: 80
    targetPort: 80
--- a/homelab/silver-hand/old/kubernetes-dashboard/dashboard.admin-user-role.yml
+++ b/homelab/silver-hand/old/kubernetes-dashboard/dashboard.admin-user-role.yml
@ -1,12 +0,0 @@
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: admin-user
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
 subjects:
 - kind: ServiceAccount
  name: admin-user
  namespace: kubernetes-dashboard
--- a/homelab/silver-hand/old/kubernetes-dashboard/dashboard.admin-user.yml
+++ b/homelab/silver-hand/old/kubernetes-dashboard/dashboard.admin-user.yml
@ -1,5 +0,0 @@
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: admin-user
  namespace: kubernetes-dashboard
--- a/homelab/silver-hand/old/kubernetes-dashboard/dashboard.deployment.yml
+++ b/homelab/silver-hand/old/kubernetes-dashboard/dashboard.deployment.yml
@ -1,302 +0,0 @@
 # Copyright 2017 The Kubernetes Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 apiVersion: v1
 kind: Namespace
 metadata:
  name: kubernetes-dashboard
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
 ---
 kind: Service
 apiVersion: v1
 metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
 spec:
  ports:
    - port: 443
      targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kubernetes-dashboard
 type: Opaque
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-csrf
  namespace: kubernetes-dashboard
 type: Opaque
 data:
  csrf: ""
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-key-holder
  namespace: kubernetes-dashboard
 type: Opaque
 ---
 kind: ConfigMap
 apiVersion: v1
 metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-settings
  namespace: kubernetes-dashboard
 ---
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
 rules:
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
    verbs: ["get", "update", "delete"]
    # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["kubernetes-dashboard-settings"]
    verbs: ["get", "update"]
    # Allow Dashboard to get metrics.
  - apiGroups: [""]
    resources: ["services"]
    resourceNames: ["heapster", "dashboard-metrics-scraper"]
    verbs: ["proxy"]
  - apiGroups: [""]
    resources: ["services/proxy"]
    resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]
    verbs: ["get"]
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
 rules:
  # Allow Metrics Scraper to get metrics from the Metrics server
  - apiGroups: ["metrics.k8s.io"]
    resources: ["pods", "nodes"]
    verbs: ["get", "list", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard
 subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: kubernetes-dashboard
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-dashboard
 subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard
 ---
 kind: Deployment
 apiVersion: apps/v1
 metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
 spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      containers:
        - name: kubernetes-dashboard
          image: kubernetesui/dashboard:v2.0.4
          imagePullPolicy: Always
          ports:
            - containerPort: 8443
              protocol: TCP
          args:
            - --auto-generate-certificates
            - --namespace=kubernetes-dashboard
            # Uncomment the following line to manually specify Kubernetes API server Host
            # If not specified, Dashboard will attempt to auto discover the API server and connect
            # to it. Uncomment only if the default does not work.
            # - --apiserver-host=http://my-address:port
          volumeMounts:
            - name: kubernetes-dashboard-certs
              mountPath: /certs
              # Create on-disk volume to store exec logs
            - mountPath: /tmp
              name: tmp-volume
          livenessProbe:
            httpGet:
              scheme: HTTPS
              path: /
              port: 8443
            initialDelaySeconds: 30
            timeoutSeconds: 30
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      volumes:
        - name: kubernetes-dashboard-certs
          secret:
            secretName: kubernetes-dashboard-certs
        - name: tmp-volume
          emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      nodeSelector:
        "kubernetes.io/os": linux
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
 ---
 kind: Service
 apiVersion: v1
 metadata:
  labels:
    k8s-app: dashboard-metrics-scraper
  name: dashboard-metrics-scraper
  namespace: kubernetes-dashboard
 spec:
  ports:
    - port: 8000
      targetPort: 8000
  selector:
    k8s-app: dashboard-metrics-scraper
 ---
 kind: Deployment
 apiVersion: apps/v1
 metadata:
  labels:
    k8s-app: dashboard-metrics-scraper
  name: dashboard-metrics-scraper
  namespace: kubernetes-dashboard
 spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: dashboard-metrics-scraper
  template:
    metadata:
      labels:
        k8s-app: dashboard-metrics-scraper
      annotations:
        seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
    spec:
      containers:
        - name: dashboard-metrics-scraper
          image: kubernetesui/metrics-scraper:v1.0.4
          ports:
            - containerPort: 8000
              protocol: TCP
          livenessProbe:
            httpGet:
              scheme: HTTP
              path: /
              port: 8000
            initialDelaySeconds: 30
            timeoutSeconds: 30
          volumeMounts:
          - mountPath: /tmp
            name: tmp-volume
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      serviceAccountName: kubernetes-dashboard
      nodeSelector:
        "kubernetes.io/os": linux
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
      volumes:
        - name: tmp-volume
          emptyDir: {}
--- a/homelab/silver-hand/old/kubernetes-dashboard/kubernetes-dashboard.yml
+++ b/homelab/silver-hand/old/kubernetes-dashboard/kubernetes-dashboard.yml
@ -1,325 +0,0 @@
 # Copyright 2017 The Kubernetes Authors.
 #
 # Licensed under the Apache License, Version 2.0 (the "License");
 # you may not use this file except in compliance with the License.
 # You may obtain a copy of the License at
 #
 #     http://www.apache.org/licenses/LICENSE-2.0
 #
 # Unless required by applicable law or agreed to in writing, software
 # distributed under the License is distributed on an "AS IS" BASIS,
 # WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
 # See the License for the specific language governing permissions and
 # limitations under the License.
 apiVersion: v1
 kind: Namespace
 metadata:
  name: kubernetes-dashboard
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
 ---
 kind: Service
 apiVersion: v1
 metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
 spec:
  ports:
    - port: 443
      targetPort: 8443
  selector:
    k8s-app: kubernetes-dashboard
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-certs
  namespace: kubernetes-dashboard
 type: Opaque
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-csrf
  namespace: kubernetes-dashboard
 type: Opaque
 data:
  csrf: ""
 ---
 apiVersion: v1
 kind: Secret
 metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-key-holder
  namespace: kubernetes-dashboard
 type: Opaque
 ---
 kind: ConfigMap
 apiVersion: v1
 metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard-settings
  namespace: kubernetes-dashboard
 ---
 kind: Role
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
 rules:
  # Allow Dashboard to get, update and delete Dashboard exclusive secrets.
  - apiGroups: [""]
    resources: ["secrets"]
    resourceNames: ["kubernetes-dashboard-key-holder", "kubernetes-dashboard-certs", "kubernetes-dashboard-csrf"]
    verbs: ["get", "update", "delete"]
    # Allow Dashboard to get and update 'kubernetes-dashboard-settings' config map.
  - apiGroups: [""]
    resources: ["configmaps"]
    resourceNames: ["kubernetes-dashboard-settings"]
    verbs: ["get", "update"]
    # Allow Dashboard to get metrics.
  - apiGroups: [""]
    resources: ["services"]
    resourceNames: ["heapster", "dashboard-metrics-scraper"]
    verbs: ["proxy"]
  - apiGroups: [""]
    resources: ["services/proxy"]
    resourceNames: ["heapster", "http:heapster:", "https:heapster:", "dashboard-metrics-scraper", "http:dashboard-metrics-scraper"]
    verbs: ["get"]
 ---
 kind: ClusterRole
 apiVersion: rbac.authorization.k8s.io/v1
 metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
 rules:
  # Allow Metrics Scraper to get metrics from the Metrics server
  - apiGroups: ["metrics.k8s.io"]
    resources: ["pods", "nodes"]
    verbs: ["get", "list", "watch"]
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: RoleBinding
 metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: Role
  name: kubernetes-dashboard
 subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: kubernetes-dashboard
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: kubernetes-dashboard
 subjects:
  - kind: ServiceAccount
    name: kubernetes-dashboard
    namespace: kubernetes-dashboard
 ---
 kind: Deployment
 apiVersion: apps/v1
 metadata:
  labels:
    k8s-app: kubernetes-dashboard
  name: kubernetes-dashboard
  namespace: kubernetes-dashboard
 spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: kubernetes-dashboard
  template:
    metadata:
      labels:
        k8s-app: kubernetes-dashboard
    spec:
      containers:
        - name: kubernetes-dashboard
          image: kubernetesui/dashboard:v2.0.4
          imagePullPolicy: Always
          ports:
            - containerPort: 8443
              protocol: TCP
          args:
            - --auto-generate-certificates
            - --namespace=kubernetes-dashboard
            # Uncomment the following line to manually specify Kubernetes API server Host
            # If not specified, Dashboard will attempt to auto discover the API server and connect
            # to it. Uncomment only if the default does not work.
            # - --apiserver-host=http://my-address:port
          volumeMounts:
            - name: kubernetes-dashboard-certs
              mountPath: /certs
              # Create on-disk volume to store exec logs
            - mountPath: /tmp
              name: tmp-volume
          livenessProbe:
            httpGet:
              scheme: HTTPS
              path: /
              port: 8443
            initialDelaySeconds: 30
            timeoutSeconds: 30
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      volumes:
        - name: kubernetes-dashboard-certs
          secret:
            secretName: kubernetes-dashboard-certs
        - name: tmp-volume
          emptyDir: {}
      serviceAccountName: kubernetes-dashboard
      nodeSelector:
        "kubernetes.io/os": linux
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
 ---
 kind: Service
 apiVersion: v1
 metadata:
  labels:
    k8s-app: dashboard-metrics-scraper
  name: dashboard-metrics-scraper
  namespace: kubernetes-dashboard
 spec:
  ports:
    - port: 8000
      targetPort: 8000
  selector:
    k8s-app: dashboard-metrics-scraper
 ---
 kind: Deployment
 apiVersion: apps/v1
 metadata:
  labels:
    k8s-app: dashboard-metrics-scraper
  name: dashboard-metrics-scraper
  namespace: kubernetes-dashboard
 spec:
  replicas: 1
  revisionHistoryLimit: 10
  selector:
    matchLabels:
      k8s-app: dashboard-metrics-scraper
  template:
    metadata:
      labels:
        k8s-app: dashboard-metrics-scraper
      annotations:
        seccomp.security.alpha.kubernetes.io/pod: 'runtime/default'
    spec:
      containers:
        - name: dashboard-metrics-scraper
          image: kubernetesui/metrics-scraper:v1.0.4
          ports:
            - containerPort: 8000
              protocol: TCP
          livenessProbe:
            httpGet:
              scheme: HTTP
              path: /
              port: 8000
            initialDelaySeconds: 30
            timeoutSeconds: 30
          volumeMounts:
          - mountPath: /tmp
            name: tmp-volume
          securityContext:
            allowPrivilegeEscalation: false
            readOnlyRootFilesystem: true
            runAsUser: 1001
            runAsGroup: 2001
      serviceAccountName: kubernetes-dashboard
      nodeSelector:
        "kubernetes.io/os": linux
      # Comment the following tolerations if Dashboard must not be deployed on master
      tolerations:
        - key: node-role.kubernetes.io/master
          effect: NoSchedule
      volumes:
        - name: tmp-volume
          emptyDir: {}
 ---
 apiVersion: rbac.authorization.k8s.io/v1
 kind: ClusterRoleBinding
 metadata:
  name: admin-user
 roleRef:
  apiGroup: rbac.authorization.k8s.io
  kind: ClusterRole
  name: cluster-admin
 subjects:
 - kind: ServiceAccount
  name: admin-user
  namespace: kubernetes-dashboard
 ---
 apiVersion: v1
 kind: ServiceAccount
 metadata:
  name: admin-user
  namespace: kubernetes-dashboard
--- a/homelab/silver-hand/old/traefik/traefik-custom-values.yml
+++ b/homelab/silver-hand/old/traefik/traefik-custom-values.yml
@ -1,90 +0,0 @@
 certResolvers:
  cloudflare:
    dnsChallenge:
      provider: cloudflare
    storage: /ssl-certs/acme-cloudflare.json
 env:
  - name: CF_DNS_API_TOKEN
    valueFrom:
      secretKeyRef:
        key: token
        name: cloudflare-token-jafner-net-dns-edit
 logs:
  general:
    level: error
 ports:
  web:
    redirectTo: 
      port: websecure
  websecure:
    tls:
      enabled: true
      certResolver: cloudflare
 ingressRoute: 
  dashboard:
    enabled: true
 additionalArguments:
 - "--api.insecure=true"
 tlsStore:
  default:
    defaultCertificate:
      secretName: traefik-k3s-jafner-net
 persistence:
  enabled: true
  name: ssl-certs
  size: 1Gi
  path: /ssl-certs
  storageClass: local-path
 deployment:
  initContainers:
    - name: volume-permissions
      image: busybox:1.36.1
      command: ["sh", "-c", "touch /ssl-certs/acme-cloudflare.json; chmod -v 600 /ssl-certs/acme-cloudflare.json"]
      volumeMounts:
        - name: ssl-certs
          mountPath: /ssl-certs
 ingressClass:
  enabled: true
  isDefaultClass: true
 extraObjects:
  - apiVersion: v1
    kind: Service
    metadata:
      name: traefik-dashboard
    spec:
      selector:
        app.kubernetes.io/name: traefik
        app.kubernetes.io/instance: traefik-traefik
      ports:
      - port: 8080
        name: traefik
        targetPort: 9000
        protocol: TCP
  - apiVersion: networking.k8s.io/v1
    kind: Ingress
    metadata:
      name: traefik-dashboard
      annotations:
        traefik.ingress.kubernetes.io/router.entrypoints: websecure
    spec:
      rules:
      - host: traefik.k3s.jafner.net
        http:
          paths:
          - path: /
            pathType: Prefix
            backend:
              service: 
                name: traefik-dashboard
                port:
                  name: traefik
--- a/homelab/silver-hand/old/traefik/traefik-dashboard.yml
+++ b/homelab/silver-hand/old/traefik/traefik-dashboard.yml
@ -1,90 +0,0 @@
 ---
 apiVersion: v1
 kind: Namespace
 metadata:
  name: traefik
 ---
 apiVersion: cert-manager.io/v1
 kind: Issuer
 metadata:
  name: cloudflare
  namespace: traefik
 spec:
  acme: 
    server: https://acme-v02.api.letsencrypt.org/directory
    email: jafner425@gmail.com
    privateKeySecretRef:
      name: cloudflare-key
    solvers:
      - dns01: 
          cloudflare:
            apiTokenSecretRef:
              name: cloudflare-token-jafner-net-dns-edit
              key: token
 ---
 apiVersion: cert-manager.io/v1
 kind: Certificate
 metadata:
  name: traefik-k3s-jafner-net
  namespace: traefik
 spec: 
  secretName: traefik-k3s-jafner-net
  dnsNames:
    - "traefik.k3s.jafner.net"
  issuerRef:
    name: cloudflare
    kind: Issuer
 # ---
 # apiVersion: traefik.containo.us/v1alpha1
 # kind: IngressRoute
 # metadata:
 #   name: traefik-dashboard
 #   namespace: traefik
 # spec: 
 #   entryPoints: ["websecure"]
 #   routes:
 #   tls:
 #     certResolver: cloudflare
 # ---
 # apiVersion: v1
 # kind: Service
 # metadata:
 #   name: traefik-dashboard
 #   namespace: traefik
 # spec:
 #   selector:
 #     app.kubernetes.io/name: traefik
 #   type: ClusterIP
 #   ports:
 #   - name: http
 #     port: 80
 #     targetPort: 9000
 # ---
 # apiVersion: networking.k8s.io/v1
 # kind: Ingress
 # metadata:
 #   name: traefik-dashboard
 #   namespace: traefik
 # spec:
 #   tls:
 #   - hosts:
 #       - traefik.k3s.jafner.net
 #     secretName: cloudflare-token-jafner-net-dns-edit
 #   rules:
 #   - host: traefik.k3s.jafner.net
 #     http:
 #       paths:
 #       - path: /
 #         pathType: Prefix
 #         backend:
 #           service:
 #             name: traefik-dashboard
 #             port:
 #               number: 80
Author	SHA1	Message	Date
Joey Hafner	ccde72e4ab	#17 Clean up silver-flame Some checks failed Deploy NixOS System Configurations to Silver-Flame Hosts / deploy (push) Failing after 25s Details - Move old Terraform files to archive - Move from nix/nix-lab to homelab/silver-flame	2024-10-25 18:13:15 -07:00
Joey Hafner	c351329640	#17 Fix long-lived typo in cluster name "Silver-hand" -> "Silver-flame"	2024-10-25 18:11:16 -07:00
		`@ -1,2 +0,0 @@`
			`# Artisan's Tools`
			`Here are the manifests for tools we've added to the cluster to facilitate one or more applications.`