spacerace.systems moved

README.md

@@ -2,5 +2,7 @@
 
 ## TODO
 
+[x] private registry
+[ ] secrets
 [ ] ntr-cv static containers
 [ ] grafana etc

crates/crates.ingress.yaml

@@ -0,0 +1,58 @@
+---
+
+# -----------------------------------------------------------------------
+# INGRESS
+# -----------------------------------------------------------------------
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: crates-client
+  annotations:
+    cert-manager.io/issuer: "letsencrypt-prod"
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - crates.strix.systems
+    secretName: crates-strix-systems-tls
+  rules:
+  - host: crates.strix.systems
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: crates-client
+            port:
+              number: 8080
+
+---
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  annotations:
+    cert-manager.io/issuer: "letsencrypt-prod"
+    nginx.ingress.kubernetes.io/use-regex: "true"
+    nginx.ingress.kubernetes.io/rewrite-target: /$2
+  name: crates-api
+  namespace: default
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - crates.strix.systems
+    secretName: crates-strix-systems-tls
+  rules:
+  - host: crates.strix.systems
+    http:
+      paths:
+      - path: /api(/|$)(.*)
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: crates-api
+            port:
+              number: 41337

crates/crates.yaml

@@ -2,6 +2,8 @@
 # VOLUMES
 # -----------------------------------------------------------------------
 
+---
+
 apiVersion: v1
 kind: PersistentVolume
 metadata:
@@ -9,15 +11,16 @@ metadata:
 spec:
   storageClassName: ""
   capacity:
-   storage: 1Gi
+    storage: 1Gi
   accessModes:
-   - ReadWriteOnce
+    - ReadWriteOnce
   persistentVolumeReclaimPolicy: Retain
   claimRef:
-   namespace: default
-   name: crates-postgres-pvc
+    namespace: default
+    name: crates-postgres-pvc
   hostPath:
-    path: "/home/ntr/strix/pvs/crates-postgres" # Specify the local path on your node
+    path: "/var/lib/rancher/k3s/storage/crates-postgres-pv"
+    type: DirectoryOrCreate
 
 ---
 
@@ -26,6 +29,7 @@ apiVersion: v1
 metadata:
   name: crates-postgres-pvc
 spec:
+  volumeName: crates-postgres-pv
   accessModes:
     - ReadWriteOnce
   resources:
@@ -91,7 +95,7 @@ spec:
     spec:
       containers:
         - name: crates-api
-          image: crates-api
+          image: registry.strix.systems/crates-api
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 80
@@ -123,7 +127,7 @@ spec:
     spec:
       containers:
         - name: crates-migrate
-          image: crates-api
+          image: registry.strix.systems/crates-api
           imagePullPolicy: IfNotPresent
           command: ["npx"]
           args: ["prisma", "migrate", "deploy"]
@@ -149,7 +153,7 @@ spec:
     spec:
       containers:
         - name: crates-client
-          image: crates-client
+          image: registry.strix.systems/crates-client
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 8080
@@ -193,53 +197,3 @@ spec:
     app: crates-client
   ports:
     - port: 8080
-
-
----
-
-# -----------------------------------------------------------------------
-# INGRESS
-# -----------------------------------------------------------------------
-
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: crates-client
-spec:
-  ingressClassName: nginx
-  rules:
-  - host: crates.localdev.me
-    http:
-      paths:
-      - path: /
-        pathType: Prefix
-        backend:
-          service:
-            name: crates-client
-            port:
-              number: 8080
-
----
-
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  annotations:
-    nginx.ingress.kubernetes.io/use-regex: "true"
-    nginx.ingress.kubernetes.io/rewrite-target: /$2
-  name: crates-api
-  namespace: default
-spec:
-  ingressClassName: nginx
-  rules:
-  - host: crates.localdev.me
-    http:
-      paths:
-      - path: /api(/|$)(.*)
-        pathType: ImplementationSpecific
-        backend:
-          service:
-            name: crates-api
-            port:
-              number: 41337
-

kustomization.yaml

@@ -1,9 +0,0 @@
----
-
-resources:
-  - crates.yaml
-
-images:
-  - name: postgres
-    newName: postgres
-    newTag: "14"

mnml/mnml.gg-zone.txt

@@ -0,0 +1,13 @@
+$ORIGIN mnml.gg.
+$TTL 1800
+mnml.gg. IN SOA ns1.digitalocean.com. hostmaster.mnml.gg. 1572016807 10800 3600 604800 1800
+mnml.gg. 3600 IN A 165.22.108.84
+*.mnml.gg. 3600 IN A 165.22.108.84
+mnml.gg. 3600 IN MX 1 aspmx.l.google.com.
+mnml.gg. 3600 IN MX 5 alt1.aspmx.l.google.com.
+mnml.gg. 1800 IN NS ns1.digitalocean.com.
+mnml.gg. 1800 IN NS ns2.digitalocean.com.
+mnml.gg. 1800 IN NS ns3.digitalocean.com.
+mnml.gg. 3600 IN TXT google-site-verification=oLCWheQjBhS7aI77fYh3_JXR1cECq4vVHd4dcIC5suU
+_acme-challenge.mnml.gg. 30 IN TXT bl4Wx07rWi7TlVgc4wMmzJ2K0-CqSNlAIGXZAyP7_JE
+_acme-challenge.mnml.gg. 30 IN TXT qsnnCtP1oJRFa9nicwy96OKEvZMh55AM0lXlW-gWlBE

mnml/mnml.ingress.yaml

@@ -0,0 +1,85 @@
+---
+# -----------------------------------------------------------------------
+# INGRESS
+# -----------------------------------------------------------------------
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: mnml-client
+  annotations:
+    cert-manager.io/issuer: "letsencrypt-prod"
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - mnml.strix.systems
+    secretName: mnml-strix-systems-tls
+  rules:
+  - host: mnml.strix.systems
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: mnml-client
+            port:
+              number: 8080
+
+---
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: mnml-api
+  namespace: default
+  annotations:
+    cert-manager.io/issuer: "letsencrypt-prod"
+    nginx.org/websocket-services: "mnml-ws"
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - mnml.strix.systems
+    secretName: mnml-strix-systems-tls
+  rules:
+  - host: mnml.strix.systems
+    http:
+      paths:
+      - path: /api
+        pathType: Prefix
+        backend:
+          service:
+            name: mnml-api
+            port:
+              number: 40000
+
+---
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: mnml-ws
+  annotations:
+    cert-manager.io/issuer: "letsencrypt-prod"
+    nginx.org/proxy-read-timeout: "3600"
+    nginx.org/proxy-send-timeout: "3600"
+    nginx.org/websocket-services: mnml-ws
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - mnml.strix.systems
+    secretName: mnml-strix-systems-tls
+  rules:
+  - host: mnml.strix.systems
+    http:
+      paths:
+      - path: /api/ws
+        pathType: Exact
+        backend:
+          service:
+            name: mnml-ws
+            port:
+              number: 40055

mnml/mnml.yaml

@@ -9,7 +9,7 @@ kind: PersistentVolume
 metadata:
   name: mnml-postgres-pv
 spec:
-  storageClassName: ""
+  storageClassName: local-path
   capacity:
     storage: 1Gi
   accessModes:
@@ -19,7 +19,8 @@ spec:
     namespace: default
     name: mnml-postgres-pvc
   hostPath:
-    path: "/home/ntr/strix/pvs/mnml-postgres"
+    path: "/var/lib/rancher/k3s/storage/mnml-postgres-pv"
+    type: DirectoryOrCreate
 
 ---
 
@@ -28,6 +29,7 @@ apiVersion: v1
 metadata:
   name: mnml-postgres-pvc
 spec:
+  volumeName: mnml-postgres-pv
   accessModes:
     - ReadWriteOnce
   resources:
@@ -39,9 +41,9 @@ spec:
 apiVersion: v1
 kind: PersistentVolume
 metadata:
-  name: mnml-img-pv
+  name: mnml-imgs-pv
 spec:
-  storageClassName: ""
+  storageClassName: local-path
   capacity:
     storage: 1Gi
   accessModes:
@@ -49,17 +51,20 @@ spec:
   persistentVolumeReclaimPolicy: Retain
   claimRef:
     namespace: default
-    name: mnml-img-pvc
+    name: mnml-imgs-pvc
   hostPath:
-    path: "/home/ntr/strix/pvs/mnml-img"
+    path: "/var/lib/rancher/k3s/storage/mnml-imgs-pv"
+    type: DirectoryOrCreate
+
 
 ---
 
 kind: PersistentVolumeClaim
 apiVersion: v1
 metadata:
-  name: mnml-img-pvc
+  name: mnml-imgs-pvc
 spec:
+  volumeName: mnml-imgs-pv
   accessModes:
     - ReadWriteOnce
   resources:
@@ -126,7 +131,7 @@ spec:
     spec:
       containers:
         - name: mnml-api
-          image: mnml-api
+          image: registry.strix.systems/mnml-api
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 40000
@@ -153,7 +158,7 @@ spec:
       volumes:
         - name: mnml-img-storage
           persistentVolumeClaim:
-            claimName: mnml-img-pvc
+            claimName: mnml-imgs-pvc
 
 ---
 
@@ -173,7 +178,7 @@ spec:
     spec:
       containers:
         - name: mnml-client
-          image: mnml-client
+          image: registry.strix.systems/mnml-client
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 8080
@@ -183,7 +188,7 @@ spec:
       volumes:
         - name: mnml-img-storage
           persistentVolumeClaim:
-            claimName: mnml-img-pvc
+            claimName: mnml-imgs-pvc
 
 ---
 
@@ -238,73 +243,3 @@ spec:
     app: mnml-client
   ports:
     - port: 8080
-
----
-# -----------------------------------------------------------------------
-# INGRESS
-# -----------------------------------------------------------------------
-
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: mnml-client
-spec:
-  ingressClassName: nginx
-  rules:
-  - host: mnml.localdev.me
-    http:
-      paths:
-      - path: /
-        pathType: Prefix
-        backend:
-          service:
-            name: mnml-client
-            port:
-              number: 8080
-
----
-
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: mnml-api
-  namespace: default
-  annotations:
-    nginx.org/websocket-services: "mnml-ws"
-spec:
-  ingressClassName: nginx
-  rules:
-  - host: mnml.localdev.me
-    http:
-      paths:
-      - path: /api
-        pathType: Prefix
-        backend:
-          service:
-            name: mnml-api
-            port:
-              number: 40000
-
----
-
-apiVersion: networking.k8s.io/v1
-kind: Ingress
-metadata:
-  name: mnml-ws
-  annotations:
-    nginx.org/proxy-read-timeout: "3600"
-    nginx.org/proxy-send-timeout: "3600"
-    nginx.org/websocket-services: mnml-ws
-spec:
-  ingressClassName: nginx
-  rules:
-  - host: mnml.localdev.me
-    http:
-      paths:
-      - path: /api/ws
-        pathType: Exact
-        backend:
-          service:
-            name: mnml-ws
-            port:
-              number: 40055

nginx-ingress/cert-manager.yaml

@@ -0,0 +1,43 @@
+# using the same issuer for everything
+# ntr@strix is the big boss
+
+---
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: letsencrypt-staging
+spec:
+  acme:
+    # The ACME server URL
+    server: https://acme-staging-v02.api.letsencrypt.org/directory
+    # Email address used for ACME registration
+    email: ntr@strix.systems
+    # Name of a secret used to store the ACME account private key
+    privateKeySecretRef:
+      name: letsencrypt-staging
+    # Enable the HTTP-01 challenge provider
+    solvers:
+      - http01:
+          ingress:
+            ingressClassName: nginx
+
+---
+
+apiVersion: cert-manager.io/v1
+kind: Issuer
+metadata:
+  name: letsencrypt-prod
+spec:
+  acme:
+    # The ACME server URL
+    server: https://acme-v02.api.letsencrypt.org/directory
+    # Email address used for ACME registration
+    email: ntr@strix.systems
+    # Name of a secret used to store the ACME account private key
+    privateKeySecretRef:
+      name: letsencrypt-prod
+    # Enable the HTTP-01 challenge provider
+    solvers:
+      - http01:
+          ingress:
+            ingressClassName: nginx

registry/generate_auth.sh

@@ -0,0 +1,42 @@
+gen_password() { head -c 16 /dev/urandom | sha256sum | cut -d " " -f 1; }
+
+kube_run() {
+    eval "kubectl run --quiet -i --rm --tty kube-run-${RANDOM} \
+      --image=${1} --restart=Never -- ${@:2}"
+}
+
+htpasswd() {
+    kube_run alpine /bin/sh -c \""apk add --no-cache apache2-utils \
+      &> /dev/null && \
+      htpasswd -Bbn ${1} ${2} | head -n 1 2> /dev/null\""
+}
+
+K3S_HOST=strix.systems
+REGISTRY_ADMIN=ntr
+REGISTRY_PASSWORD=$(gen_password)
+REGISTRY_AUTH=$(htpasswd ${REGISTRY_ADMIN} ${REGISTRY_PASSWORD})
+REGISTRY_HTTP_SECRET=$(gen_password)
+
+echo "-------------------------------"
+echo REGISTRY_ADMIN is ${REGISTRY_ADMIN}
+echo REGISTRY_PASSWORD is ${REGISTRY_PASSWORD}
+echo REGISTRY_AUTH is ${REGISTRY_AUTH}
+echo REGISTRY_HTTP_SECRET is ${REGISTRY_HTTP_SECRET}
+
+kubectl create secret generic registry \
+   --from-literal=REGISTRY_ADMIN=${REGISTRY_ADMIN} \
+   --from-literal=REGISTRY_PASSWORD=${REGISTRY_PASSWORD} \
+   --from-literal=REGISTRY_HTTP_SECRET=${REGISTRY_HTTP_SECRET} \
+   --from-literal=REGISTRY_AUTH=${REGISTRY_AUTH}
+
+# cat <<EOF | ssh root@strix tee /etc/rancher/k3s/registries.yaml
+# mirrors:
+#   registry.strix.systems:
+#     endpoint:
+#       - "https://registry.strix.systems"
+# configs:
+#   "registry.strix.systems":
+#     auth:
+#       username: ntr
+#       password: pw
+# EOF

registry/registry.ingress.yaml

@@ -0,0 +1,26 @@
+---
+
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: registry
+  annotations:
+    nginx.ingress.kubernetes.io/proxy-body-size: 2g
+    cert-manager.io/issuer: "letsencrypt-prod"
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - registry.strix.systems
+    secretName: registry-strix-systems-tls
+  rules:
+  - host: registry.strix.systems
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: registry
+            port:
+              number: 5000

registry/registry.yaml

@@ -0,0 +1,142 @@
+---
+
+apiVersion: v1
+kind: PersistentVolume
+metadata:
+  name: registry-pv
+spec:
+  storageClassName: local-path
+  capacity:
+    storage: 1Gi
+  accessModes:
+    - ReadWriteOnce
+  persistentVolumeReclaimPolicy: Retain
+  claimRef:
+    namespace: default
+    name: registry-pvc
+  hostPath:
+    path: "/var/lib/rancher/k3s/storage/registry-pv"
+    type: DirectoryOrCreate
+
+---
+
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: registry-pvc
+spec:
+  volumeName: registry-pv
+  accessModes:
+    - ReadWriteOnce
+  resources:
+    requests:
+      storage: 10Gi
+  storageClassName: local-path
+
+---
+
+apiVersion: v1
+kind: Service
+metadata:
+  name: registry
+spec:
+  ports:
+    - name: web
+      port: 5000
+      protocol: TCP
+  selector:
+    app: registry
+
+---
+
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: registry
+  labels:
+    app: registry
+spec:
+  selector:
+    matchLabels:
+      app: registry
+  replicas: 1
+  minReadySeconds: 5
+  template:
+    metadata:
+      labels:
+        app: registry
+      annotations:
+    spec:
+      containers:
+        - name: registry
+          image: registry:2
+          ports:
+            - containerPort: 5000
+          livenessProbe:
+            httpGet:
+              path: /
+              port: 5000
+          readinessProbe:
+            httpGet:
+              path: /
+              port: 5000
+          resources:
+          env:
+            - name: REGISTRY_HTTP_SECRET
+              valueFrom:
+                secretKeyRef:
+                  name: registry
+                  key: REGISTRY_HTTP_SECRET
+          volumeMounts:
+            - name: registry-pvc
+              mountPath: /var/lib/registry
+            - name: registry-auth
+              mountPath: /auth
+              readOnly: true
+            - name: registry-config
+              mountPath: "/etc/docker/registry"
+      volumes:
+        - name: registry-auth
+          secret:
+            secretName: registry
+            items:
+              - key: REGISTRY_AUTH
+                path: htpasswd
+        - name: registry-config
+          configMap:
+            name: registry
+        - name: registry-pvc
+          persistentVolumeClaim:
+            claimName: registry-pvc
+
+---
+
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: registry
+  # namespace: registry
+data:
+  config.yml: |
+    version: 0.1
+    log:
+      fields:
+        service: registry
+    http:
+      addr: :5000
+      headers:
+        X-Content-Type-Options: [nosniff]
+    auth:
+      htpasswd:
+        realm: registry
+        path: /auth/htpasswd
+    storage:
+      filesystem:
+        rootdirectory: /var/lib/registry
+      delete:
+        enabled: true
+    health:
+      storagedriver:
+        enabled: true
+        interval: 10s
+        threshold: 3

spacerace/spacerace.ingress.yaml

@@ -0,0 +1,27 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: spacerace-api
+  annotations:
+    cert-manager.io/issuer: "letsencrypt-prod"
+    # don't do this again
+    nginx.ingress.kubernetes.io/use-regex: "true"
+    nginx.ingress.kubernetes.io/rewrite-target: /$2
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - spacerace.systems
+    secretName: spacerace-systems-tls
+  rules:
+  - host: spacerace.systems
+    http:
+      paths:
+      - path: /api(/|$)(.*)
+        pathType: ImplementationSpecific
+        backend:
+          service:
+            name: spacerace-api
+            port:
+              number: 80

spacerace/spacerace.yaml

@@ -19,7 +19,8 @@ spec:
     namespace: default
     name: spacerace-postgres-pvc
   hostPath:
-    path: "/home/ntr/strix/pvs/spacerace-postgres"
+    path: "/var/lib/rancher/k3s/storage/spacerace-postgres-pv"
+    type: DirectoryOrCreate
 
 ---
 
@@ -28,6 +29,7 @@ apiVersion: v1
 metadata:
   name: spacerace-postgres-pvc
 spec:
+  volumeName: spacerace-postgres-pv
   accessModes:
     - ReadWriteOnce
   resources:
@@ -93,7 +95,7 @@ spec:
     spec:
       containers:
         - name: spacerace-api
-          image: spacerace-api
+          image: registry.strix.systems/spacerace-api
           imagePullPolicy: IfNotPresent
           ports:
             - containerPort: 80