kube/alrest: add static sites

Signed-off-by: Xe Iaso <[email protected]>

kube/alrest/core/external-dns/1password.yaml

@@ -3,5 +3,13 @@ kind: OnePasswordItem
 metadata:
   name: aws-creds
   namespace: external-dns
+spec:
+  itemPath: "vaults/lc5zo4zjz3if3mkeuhufjmgmui/items/3xn7uf73xnzholrfk6tla5rhpa"
+---
+apiVersion: onepassword.com/v1
+kind: OnePasswordItem
+metadata:
+  name: aws-creds
+  namespace: cert-manager
 spec:
   itemPath: "vaults/lc5zo4zjz3if3mkeuhufjmgmui/items/3xn7uf73xnzholrfk6tla5rhpa"

kube/alrest/core/external-dns/prod-issuer.yaml

@@ -13,6 +13,12 @@ spec:
       name: letsencrypt-prod
     # Enable the HTTP-01 challenge provider
     solvers:
-      - http01:
-          ingress:
-            ingressClassName: nginx
+      - dns01:
+          route53:
+            region: ca-central-1
+            accessKeyIDSecretRef:
+              name: aws-creds
+              key: AWS_ACCESS_KEY_ID
+            secretAccessKeySecretRef:
+              name: aws-creds
+              key: AWS_SECRET_ACCESS_KEY

kube/alrest/gitea/pvc.yaml

@@ -5,6 +5,7 @@ metadata:
 spec:
   accessModes:
     - ReadWriteOnce
+    - ReadWriteMany
   storageClassName: longhorn
   resources:
     requests:

kube/alrest/gitea/runner.yaml

@@ -1,14 +1,3 @@
-kind: PersistentVolumeClaim
-apiVersion: v1
-metadata:
-  name: act-runner-vol
-spec:
-  accessModes:
-    - ReadWriteOnce
-  resources:
-    requests:
-      storage: 1Gi
----
 apiVersion: v1
 kind: Secret
 metadata:
@@ -31,7 +20,6 @@ spec:
   strategy: {}
   template:
     metadata:
-      creationTimestamp: null
       labels:
         app.kubernetes.io/name: act-runner
     spec:
@@ -41,7 +29,7 @@ spec:
         emptyDir: {}
       - name: runner-data
         persistentVolumeClaim:
-          claimName: act-runner-vol
+          claimName: gitea
       containers:
       - name: runner
         image: gitea/act_runner:nightly
@@ -65,6 +53,7 @@ spec:
           mountPath: /certs
         - name: runner-data
           mountPath: /data
+          subPath: "actions"
       - name: dockerd
         image: docker:27.0.2-dind
         env:

kube/alrest/kustomization.yaml

@@ -2,5 +2,6 @@ resources:
   - core
   - ollama
   - pvfm
+  - staticsites
   - vms
   - x

kube/alrest/minio/deployment.yaml

@@ -0,0 +1,40 @@
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: minio
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: minio
+  template:
+    metadata:
+      labels:
+        app: minio
+    spec:
+      volumes:
+      - name: data
+        persistentVolumeClaim:
+          claimName: minio
+      containers:
+      - name: minio
+        volumeMounts:
+        - name: data 
+          mountPath: /data
+        image: minio/minio
+        args:
+        - server
+        - /data
+        - --console-address=:9001
+        env:
+        - name: MINIO_ROOT_USER
+          value: root
+        - name: MINIO_ROOT_PASSWORD
+          value: hunter22
+        ports:
+        - containerPort: 9000
+          hostPort: 9000
+          name: http
+        - containerPort: 9001
+          hostPort: 9001
+          name: webui

kube/alrest/minio/kustomization.yaml

@@ -0,0 +1,4 @@
+resources:
+- ./deployment.yaml
+- ./pvc.yaml
+- ./service.yaml

kube/alrest/minio/pvc.yaml

@@ -0,0 +1,11 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: minio
+spec:
+  accessModes:
+    - ReadWriteMany
+  storageClassName: itsuki
+  resources:
+    requests:
+      storage: 100Gi

kube/alrest/minio/service.yaml

@@ -0,0 +1,17 @@
+apiVersion: v1
+kind: Service
+metadata:
+  name: minio
+spec:
+  type: ClusterIP
+  ports:
+    - name: http
+      port: 80
+      targetPort: 9000
+      protocol: TCP
+    - name: webui
+      port: 8080
+      targetPort: 9001
+      protocol: TCP
+  selector:
+    app: minio

kube/alrest/staticsites/caddy1/Dockerfile

@@ -0,0 +1,13 @@
+FROM debian:bookworm AS build
+
+WORKDIR /app
+RUN mkdir -p /app
+ADD https://github.com/caddyserver/caddy/releases/download/v1.0.4/caddy_v1.0.4_linux_amd64.tar.gz /app/caddy1.tgz
+RUN tar xf /app/caddy1.tgz
+
+FROM debian:bookworm
+LABEL org.opencontainers.image.source="https://github.com/Xe/x"
+WORKDIR /app
+RUN mkdir -p /app/bin
+COPY --from=build /app/caddy /app/bin/caddy
+CMD ["/app/bin/caddy", "-port", "8080", "-agree", "-conf", "/app/etc/Caddyfile"]

kube/alrest/staticsites/caddy1/caddy.yaml

@@ -0,0 +1,112 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: caddy
+data:
+  Caddyfile: |
+    lewa.within.website:8080 {
+      tls off
+      errors stdout
+
+      root /srv/http/lewa
+    }
+
+    xena.greedo.xeserv.us:8080 {
+      tls off
+      errors stdout
+
+      header / X-Clacks-Overhead "GNU Ashlynn"
+
+      root /srv/http/xena.greedo.xeserv.us
+      markdown / {
+        template blog templates/blog.html
+        template index templates/index.html
+      }
+
+      browse
+    }
+
+    xn--u7hz981o.ws:8080 {
+      tls off
+      errors stdout
+
+      header / X-Clacks-Overhead "GNU Ashlynn"
+
+      internal /templates
+
+      root /srv/http/xn--u7hz981o.ws
+      markdown / {
+        template index templates/index.html
+        template page templates/page.html
+      }
+    }
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: caddy
+  labels:
+    app: caddy
+spec:
+  selector:
+    matchLabels:
+      app: caddy
+  template:
+    metadata:
+      labels:
+        app: caddy
+    spec:
+      volumes:
+        - name: config
+          configMap:
+            name: caddy
+        - name: lewa
+          persistentVolumeClaim:
+            claimName: lewa
+        - name: greedo
+          persistentVolumeClaim:
+            claimName: xena-greedo-xeserv-us
+        - name: xn--u7hz981o
+          persistentVolumeClaim:
+            claimName: xn--u7hz981o
+      containers:
+        - name: caddy
+          image: ghcr.io/xe/x/caddy1
+          resources:
+            limits:
+              memory: "128Mi"
+              cpu: "500m"
+          ports:
+            - containerPort: 8080
+          securityContext:
+            runAsUser: 1000
+            runAsGroup: 1000
+            runAsNonRoot: true
+            allowPrivilegeEscalation: false
+            capabilities:
+              drop:
+                - ALL
+            seccompProfile:
+              type: RuntimeDefault
+          volumeMounts:
+            - mountPath: "/app/etc"
+              name: config
+            - mountPath: "/srv/http/lewa"
+              name: lewa
+            - mountPath: "/srv/http/xn--u7hz981o.ws"
+              name: xn--u7hz981o
+            - mountPath: "/srv/http/xena.greedo.xeserv.us"
+              name: greedo
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: caddy
+spec:
+  selector:
+    app: caddy
+  ports:
+    - port: 80
+      targetPort: 8080
+      name: http
+---

kube/alrest/staticsites/caddy1/kustomization.yaml

@@ -0,0 +1,5 @@
+resources:
+  - caddy.yaml
+  - lewa.yaml
+  - xena-greedo.yaml
+  - xn--u7hz981o.yaml

kube/alrest/staticsites/caddy1/lewa.yaml

@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: lewa
+spec:
+  storageClassName: "tigris"
+  resources:
+    requests:
+      storage: 512Mi
+  volumeMode: Filesystem
+  accessModes:
+    - ReadWriteMany
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: lewa-within-website
+  annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+spec:
+  ingressClassName: nginx
+  tls:
+    - hosts:
+        - lewa.within.website
+      secretName: lewa-within-website-public-tls
+  rules:
+    - host: lewa.within.website
+      http:
+        paths:
+          - pathType: Prefix
+            path: "/"
+            backend:
+              service:
+                name: caddy
+                port:
+                  name: http

kube/alrest/staticsites/caddy1/xena-greedo.yaml

@@ -0,0 +1,36 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: xena-greedo-xeserv-us
+spec:
+  storageClassName: "itsuki"
+  resources:
+    requests:
+      storage: 512Gi
+  volumeMode: Filesystem
+  accessModes:
+    - ReadWriteMany
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: xena-greedo-xeserv-us
+  annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+spec:
+  ingressClassName: nginx
+  tls:
+    - hosts:
+        - xena.greedo.xeserv.us
+      secretName: xena-greedo-xeserv-us-public-tls
+  rules:
+    - host: xena.greedo.xeserv.us
+      http:
+        paths:
+          - pathType: Prefix
+            path: "/"
+            backend:
+              service:
+                name: caddy
+                port:
+                  name: http