diff --git a/clusters/oceanus/README.md b/clusters/oceanus/README.md
deleted file mode 100644
index d91b52f..0000000
--- a/clusters/oceanus/README.md
+++ /dev/null
@@ -1,5 +0,0 @@
-# Oceanus Cluster Scaffold
-
-This directory prepares the Flux and Kustomize layout for a future Oceanus-managed cluster.
-Populate `flux-system/` with `gotk-components.yaml` and related manifests after running `flux bootstrap`.
-Define node-specific resources under `infrastructure/modules/profiles/oceanus-validator/` and reference workloads in `applications/` as they come online.
diff --git a/hosts/styx/README.md b/hosts/styx/README.md
deleted file mode 100644
index 992bac5..0000000
--- a/hosts/styx/README.md
+++ /dev/null
@@ -1,2 +0,0 @@
-# hosts/styx/README.md
-Styx is air-gapped; provisioning scripts live under `scripts/`.
diff --git a/services/keycloak/README.md b/services/keycloak/README.md
deleted file mode 100644
index bf7c21b..0000000
--- a/services/keycloak/README.md
+++ /dev/null
@@ -1,27 +0,0 @@
-# services/keycloak
-
-Keycloak is deployed via raw manifests and backed by the shared Postgres (`postgres-service.postgres.svc.cluster.local:5432`). Create these secrets before applying:
-
-```bash
-# DB creds (per-service DB/user in shared Postgres)
-kubectl -n sso create secret generic keycloak-db \
- --from-literal=username=keycloak \
- --from-literal=password='' \
- --from-literal=database=keycloak
-
-# Admin console creds (maps to KC admin user)
-kubectl -n sso create secret generic keycloak-admin \
- --from-literal=username=brad@bstein.dev \
- --from-literal=password=''
-```
-
-Apply:
-
-```bash
-kubectl apply -k services/keycloak
-```
-
-Notes
-- Service: `keycloak.sso.svc:80` (Ingress `sso.bstein.dev`, TLS via cert-manager).
-- Uses Postgres schema `public`; DB/user should be provisioned in the shared Postgres instance.
-- Health endpoints on :9000 are wired for probes.
diff --git a/services/mailu/helmrelease.yaml b/services/mailu/helmrelease.yaml
index 3710479..caba4b4 100644
--- a/services/mailu/helmrelease.yaml
+++ b/services/mailu/helmrelease.yaml
@@ -55,6 +55,8 @@ spec:
 front:
 hostnames: [mail.bstein.dev]
 proxied: true
+ hostPort:
+ enabled: false
 https:
 enabled: true
 external: true
@@ -62,7 +64,7 @@ spec:
 externalService:
 enabled: true
 type: LoadBalancer
- externalTrafficPolicy: Local
+ externalTrafficPolicy: Cluster
 nodePorts:
 pop3: 30010
 pop3s: 30011
@@ -92,6 +94,11 @@ spec:
 value: 127.0.0.1,10.42.0.0/16
 - name: DNS_RESOLVERS
 value: 1.1.1.1,9.9.9.9
+ dnsPolicy: None
+ dnsConfig:
+ nameservers:
+ - 1.1.1.1
+ - 9.9.9.9
 clamav:
 logLevel: DEBUG
 nodeSelector:
diff --git a/services/mailu/kustomization.yaml b/services/mailu/kustomization.yaml
index e934177..5ac15d8 100644
--- a/services/mailu/kustomization.yaml
+++ b/services/mailu/kustomization.yaml
@@ -6,3 +6,4 @@ resources:
 - namespace.yaml
 - helmrelease.yaml
 - certificate.yaml
+ - vip-controller.yaml
diff --git a/services/mailu/vip-controller.yaml b/services/mailu/vip-controller.yaml
new file mode 100644
index 0000000..a6d8c1f
--- /dev/null
+++ b/services/mailu/vip-controller.yaml
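Review bot: Changing `externalTrafficPolicy` from `Local` to `Cluster` on the front external service means kube-proxy masquerades inbound NodePort/LoadBalancer traffic, so the front pod sees a node address rather than the connecting client's IP. For a mail front end that address feeds connection rate limiting, reputation/DNSBL checks and the access log an incident investigation would rely on, and the trusted-proxy list visible as `127.0.0.1,10.42.0.0/16` in the next hunk (its key name is above that hunk) covers the pod CIDR, not node addresses, so I cannot confirm the real client IP is recovered another way. If the `vip-controller` added in this commit is meant to keep front on the VIP node, record why `Local` was still abandoned, e.g. `externalTrafficPolicy: Cluster  # NOTE: client source IP is SNATed; Local dropped because <reason placeholder>`.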
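Review bot: `dnsPolicy: None` with only `1.1.1.1` and `9.9.9.9` as nameservers removes cluster DNS from this pod, so any in-cluster name it resolves (other Mailu components, Redis, the database service) will fail unless those peers are addressed by IP or the pod runs on the host network; which component this block configures and how its peers are addressed sits above the hunk, so I cannot confirm it is safe. The same resolver list is already passed via `DNS_RESOLVERS` three lines up, so two places now have to be kept in sync, and a forwarder that serves both internal and external names would avoid the duplication. At minimum record the intent next to the key, e.g. `dnsPolicy: None  # bypass cluster DNS so MX/DNSBL lookups go straight to public resolvers; no in-cluster names may be needed here`.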
@@ -0,0 +1,71 @@
+# services/mailu/vip-controller.yaml
+---
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+ name: vip-controller
+ namespace: mailu-mailserver
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: Role
+metadata:
+ name: vip-controller-role
+ namespace: mailu-mailserver
+rules:
+ - apiGroups: ["apps"]
+ resources: ["deployments"]
+ verbs: ["get", "list", "patch", "update"]
+---
+apiVersion: rbac.authorization.k8s.io/v1
+kind: RoleBinding
+metadata:
+ name: vip-controller-binding
+ namespace: mailu-mailserver
+roleRef:
+ apiGroup: rbac.authorization.k8s.io
+ kind: Role
+ name: vip-controller-role
+subjects:
+ - kind: ServiceAccount
+ name: vip-controller
+ namespace: mailu-mailserver
+---
+apiVersion: apps/v1
+kind: DaemonSet
+metadata:
+ name: vip-controller
+ namespace: mailu-mailserver
+spec:
+ selector:
+ matchLabels:
+ app: vip-controller
+ template:
+ metadata:
+ labels:
+ app: vip-controller
+ spec:
+ serviceAccountName: vip-controller
+ hostNetwork: true
+ nodeSelector:
+ mailu.bstein.dev/vip: "true"
+ containers:
+ - name: vip-controller
+ image: lachlanevenson/k8s-kubectl:latest
+ imagePullPolicy: IfNotPresent
+ command:
+ - /bin/sh
+ - -c
+ args:
+ - |
+ set -e
+ while true; do
+ if ip addr show end0 | grep -q 'inet 192\.168\.22\.9/32'; then
+ NODE=$(hostname)
+ echo "VIP found on node ${NODE}."
+ kubectl patch deployment mailu-front -n mailu-mailserver --type='merge' \
+ -p "{\"spec\":{\"template\":{\"spec\":{\"nodeSelector\":{\"kubernetes.io/hostname\":\"${NODE}\"}}}}}"
+ else
+ echo "No VIP on node ${HOSTNAME}."
+ fi
+ sleep 60
+ done
diff --git a/services/monitoring/README.md b/services/monitoring/README.md
deleted file mode 100644
index 835ae1d..0000000
--- a/services/monitoring/README.md
+++ /dev/null
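Review bot: The Role grants `patch`/`update` on every Deployment in `mailu-mailserver`, while the loop only ever patches `mailu-front`; restrict the write verbs with `resourceNames` so the token held by this hostNetwork DaemonSet cannot modify other workloads if the container is compromised. The image `lachlanevenson/k8s-kubectl:latest` is an unpinned third-party tag pulled into the pod that holds that write credential, so pin it by digest (`image: <registry>/<image>@sha256:<digest>`, placeholder) rather than floating `latest`. Two smaller points in the script: `set -e` turns a single transient `kubectl patch` failure into a container exit instead of a retry on the next iteration, and the else branch reports `${HOSTNAME}` while the patch uses `$(hostname)`, so use one of them consistently.
```yaml
rules:
  # read-only access may stay namespace-wide; list cannot be name-scoped
  - apiGroups: ["apps"]
    resources: ["deployments"]
    verbs: ["get", "list"]
  # write access only to the one Deployment the loop actually patches
  - apiGroups: ["apps"]
    resources: ["deployments"]
    resourceNames: ["mailu-front"]
    verbs: ["patch", "update"]
# … unchanged: RoleBinding and DaemonSet …
```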
@@ -1,28 +0,0 @@
-# services/monitoring
-
-## Grafana admin secret
-
-The Grafana Helm release expects a pre-existing secret named `grafana-admin`
-in the `monitoring` namespace. Create or rotate it with:
-
-```bash
-kubectl create secret generic grafana-admin \
- --namespace monitoring \
- --from-literal=admin-user=admin \
- --from-literal=admin-password='REPLACE_ME'
-```
-
-Update the password whenever you rotate credentials.
-
-## DCGM exporter image
-
-The NVIDIA GPU metrics DaemonSet expects `registry.bstein.dev/monitoring/dcgm-exporter:4.4.2-4.7.0-ubuntu22.04`, mirrored from `docker.io/nvidia/dcgm-exporter:4.4.2-4.7.0-ubuntu22.04`. Refresh it in Zot when bumping versions:
-
-```bash
-skopeo copy \
- --all \
- docker://docker.io/nvidia/dcgm-exporter:4.4.2-4.7.0-ubuntu22.04 \
- docker://registry.bstein.dev/monitoring/dcgm-exporter:4.4.2-4.7.0-ubuntu22.04
-```
-
-When finished mirroring from the control-plane, you can remove temporary tooling with `sudo apt-get purge -y skopeo && sudo apt-get autoremove -y` and clear `~/.config/containers/auth.json`.