add crowdsec deployment

Reviewed-on: #210

apps/audiobookshelf/kustomization.yaml

@@ -12,4 +12,4 @@ namespace: audiobookshelf
 images:
   - name: audiobookshelf
     newName: ghcr.io/advplyr/audiobookshelf
-    newTag: "2.13.4"
+    newTag: "2.15.0"

apps/dendrite/ingress.yaml

@@ -1,18 +0,0 @@
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: dendrite-ingressroute
-
-spec:
-  entryPoints:
-    - websecure
-  routes:
-  - match: Host(`dendrite.kluster.moll.re`)
-    kind: Rule
-    services:
-    - name: dendrite
-      port: 8008
-      # scheme: https
-
-  tls:
-    certResolver: default-tls 

apps/finance/kustomization.yaml

@@ -13,4 +13,4 @@ resources:
 images:
   - name: actualbudget
     newName: actualbudget/actual-server
-    newTag: 24.9.0
+    newTag: 24.10.1

apps/homeassistant/kustomization.yaml

@@ -15,4 +15,4 @@ resources:
 images:
   - name: homeassistant/home-assistant
     newName: homeassistant/home-assistant
-    newTag: "2024.9"
+    newTag: "2024.10"

apps/immich/kustomization.yaml

@@ -14,16 +14,16 @@ namespace: immich
 helmCharts:
   - name: immich
     releaseName: immich
-    version: 0.7.2
+    version: 0.8.1
     valuesFile: values.yaml
     repo: https://immich-app.github.io/immich-charts
 
 
 images:
   - name: ghcr.io/immich-app/immich-machine-learning
-    newTag: v1.116.2
+    newTag: v1.117.0
   - name: ghcr.io/immich-app/immich-server
-    newTag: v1.116.2
+    newTag: v1.117.0
 
 
 patches:

apps/monitoring/kustomization.yaml

@@ -17,5 +17,5 @@ helmCharts:
   - releaseName: grafana
     name: grafana
     repo: https://grafana.github.io/helm-charts
-    version: 8.5.1
+    version: 8.5.4
     valuesFile: grafana.values.yaml

apps/paperless/deployment.yaml

@@ -37,6 +37,15 @@ spec:
             value: /data
           - name: PAPERLESS_MEDIA_ROOT
             value: /data
+          - name: PAPERLESS_APPS
+            value: allauth.socialaccount.providers.openid_connect
+          - name: PAPERLESS_SOCIALACCOUNT_PROVIDERS
+            valueFrom:
+              secretKeyRef:
+                name: paperless-oauth
+                key: provider-config
+          # - name: PAPERLESS_DISABLE_REGULAR_LOGIN
+          #   value: "True"
           volumeMounts:
             - name: data
               mountPath: /data

apps/paperless/kustomization.yaml

@@ -7,6 +7,7 @@ resources:
   - service.yaml
   - ingress.yaml
   - paperless-secret-key.sealedsecret.yaml
+  - paperless-oauth.sealedsecret.yaml
 
 namespace: paperless
 

apps/paperless/paperless-oauth.sealedsecret.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: paperless-oauth
+  namespace: paperless
+spec:
+  encryptedData:
+    provider-config: AgBI9IcNOfBevjUtIMwNTd0MTnr1WGxMKJ0cPnHzAS3cddmI+LTrkxxdRBuz2PFKTrhJ6/vh/2tiI9FBWMVm/YqTB64drbF3v13GfZMk/9c7W4SFyMoMcoE4xe6gs4SOm1ggTVxWT6O8IQ0gt7+FRUFaiLmwa08dxTkzrT0/zfQfYg+0aV8qS0eCJIrQk/IA1N31RpUoNV5Jl6vF7oE+cKIVyZ6LVMdecmFnuUgU+1qTC7ncgxxhWQekDQXJQnfYpgsQTF5GaHkGV8kvqJOa2Ohnk7MIeQEz5WuiKaXzU1ZMCYq3D8q/kaf/itLLBlL5MQh/hkuksCVG13aWxvulA/zIw3rSDujjZcSrD8LWH6oCMCn8zVcZjYQQBcTKUYEyYNvHLsmm0fOFIkUmFfBOS4WdHhjsBudz+941Wuc2EX5i6eLind7dk6gOlCL1HEyvbQRV6W50T104DQSNHslRG9CIjPh0BueGJ5fiaFoQa/UuM/JI8R/7cv3y5VkCG6j4gax9FVFgZKxPMtOTxB3gKolT25JHPDOqbDo996T4lsmiYRrYShni4JFZ8ALhcr7pKwlg+gVbDVaqMrVaSz1xzTP0MNxPMsojXVLtG3/Zv0/iXSVW4DPY67pFITEbZBWB3bHLvL9MiwKbWNwsDwPUylWkXTTFHsNbuRUnAXhRxcLn43uIv98JFTQcMVl2J9qrYkHm7w0FVImUr3oC+Ny/Z6j89ARposNx27B4FBgW7H7+yWMKRsAObC8cAjBOkBdXue0x5bEl7Al2BRRG7/WUKHXZvTOlvlj7GFTpLOQbPYjnBo8V8h42uOjGbiMLaCeN5sWlMtWD+7mpHV3XGdcGtPAZlIzgpUs2si/XIRNun2oDoUmJhb7YcGmugodcAK9+aYBThIkNU3guXdrM6Vc7CO2RP8PFpKBpcI9pUHgYA8dyYY+TaBqfYGrKFlGgoVcgh6oVkeOuctTX90XkojVFfqkCqab93faMh2pGCGcH4IZ81sdTYeWwNIvz1RGoi9GhUhQU5NfDeUBn2eHdOpfdsf4FkWe0kgE6TBPlQx7GQy56FldIc0G4QA8H8utL3E/MXYrao70ek/GHIxuev1/hzljJDk+5HJz5itBtKiW4s/5j2ZMD7MMBu/voDQW14XEK5pM9EbwmC6kRg6ljXvTlnUVmw1s04iUvIzF/dO6bCgaOEwFPjZj8oZs0dt64Ov+ZPLwTrmezFgHtfh4dyiRgHt4cO/WYFmzzYwd532p2De3JqjHUzT0iQIpkaz4jrF7+fdtDxtj7XgkJIg==
+  template:
+    metadata:
+      creationTimestamp: null
+      name: paperless-oauth
+      namespace: paperless

infrastructure/authelia/kustomization.yaml

@@ -26,6 +26,6 @@ images:
 helmCharts:
   - name: authelia
     releaseName: authelia
-    version: 0.9.6
+    version: 0.9.9
     repo: https://charts.authelia.com
     valuesFile: authelia.values.yaml

infrastructure/crowdsec/bouncer-api-key.sealedsecret.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: bouncer-api-key
+  namespace: crowdsec
+spec:
+  encryptedData:
+    BOUNCER_KEY_TRAEFIK: AgAQYtZ9nhTcPudhhvBb/UC01CXLsItYr8u890ctD9AsTcn/tVZELCYDmmhoRCebMZofdLwhsnR4BoaBvFU4NgQk7qCUOm2O5YG11RXwOLuQv50+XcK2NTIuj9DsBqwLjYjWdRwV2PG++twP33mRFe+L/nw9d2JjyujF9FoFWL9OyU/IH8qb3FK9652wBTrC0VX251lZ2AU0xMvgGEa9BhTtobw+cE7xUbhazsRc7SqimW0iJ6ZiYYsJcVnMustHRx951YiVin2c0ub1v+JfvsMTiXUfbdt235BMXgevmvWVqPDlUgBHEfAiKl1ktQKqdd2KijEPCzEtVKbRXfFRtv0SOebLeQ949uNUmnhYUn7k+s9QiDo/4Pl4w5p5+i//BKbDe/dyagUFxNTw3ZpsGusI4B2dHwTtE0y8TTW4BDxNh4PaTVT0hN0ctSsG6joBCTes6dWfdFDo7NzRZ4suZGfTpZbJknYcp+hbaJxeHLnJUAkFHLj9AfT1tAAZVc8wVy3Nw/hwnntEBGUJJ35BhyKKYvkWWPqk/5Ay6U8CeaiupHHMbTRisiqZfuZ4KI6zJZlBMLcdK32d1gMqTJpvhkiC8h4+U3ygBf+rxf6R66+kDzalrLFX8sU3Sl7fVc8qYTPESrz9/RXBGHegunhrmfq6g5lyYyM+KPK71C7NCyhqDfzY4nqO6omh83UDOlCjm+++N7/UHHf+9hs6OUi1BmAOMJkvb8bX43SVDDA4gxoZplVgAK7E0w==
+  template:
+    metadata:
+      creationTimestamp: null
+      name: bouncer-api-key
+      namespace: crowdsec

infrastructure/crowdsec/bouncer.middleware.yaml

@@ -0,0 +1,12 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: bouncer
+spec:
+  plugin:
+    bouncer:
+      enabled: true
+      crowdsecMode: stream
+      crowdsecLapiScheme: https
+      crowdsecLapiHost: crowdsec-service.crowdsec:8080
+      crowdsecLapiKey: saödlkfhhqäüweo1p30947ß4rfepoihäp

infrastructure/crowdsec/dashboard-api-key.sealedsecret.yaml

@@ -0,0 +1,15 @@
+---
+apiVersion: bitnami.com/v1alpha1
+kind: SealedSecret
+metadata:
+  creationTimestamp: null
+  name: dashboard-api-key
+  namespace: crowdsec
+spec:
+  encryptedData:
+    ENROLL_KEY: AgAOEbB81UuCj2qgR4p+gsvnDY3LC+IcI8kMwFlPl91pVngyrGDHutafilDZD/QiGxu+3mBVMlFRzYXyAl2RjaO4YZ8p59hznSn6jf3bcfbfhQJhXjUfKkf1Jmm6gWbeDMKcOuRvxgG2YWRtOo+xNLhHtMnTKC4B7R7X160GjlNV7SdXn4S+q9Oo/ZIz/q2Y6p5wXccpPNS6OEMjb8YJlfhj6FrsAoeO25fNruELBtzgHApVvx922wx9mpYialkQOsC+3IcogQprXQZZ+B8qph7PYQ1vIzD8Ch7df3Wj4JmMHsfpK5DRP6tACrM6PsYUy0BVqaBHWT9EHbIGc2w1/g9qPfauuTS8ZDsUEl7wpyQvHfXsQER63er5xT9Xv9kSrBUvSEaYoZr+Gw8Qi4N/SNW7e1JPiwQEpFP3GrFnnDLdGhGHvrvMzO5FAz1m+tnziVhfjpoOYQDlrvsS4+h+qU17/Kmu6EoGcpjqrEvUwN19Ar9pNz8qLbumTGlIzRbeVQWmv9F6icdT3idd8sCHeiAplE99kBAz780pxMgXRR/YmaBQz1xeOrKHAVBLegdj9eNmS62b72DHdsiY2jX7D1s1dFGWl45lIyv4RlNAQhjTiqFHeaUzJUii85WNSxpp9n8Cw/ua/mdUvcn8z9WQ11uVbVqurYD3TvsOnva0V6rffaeJjIovyMOXs2wHk6nokxj4L4Ut4YkmRGZaTu7wptjqBanaROZgEHEd
+  template:
+    metadata:
+      creationTimestamp: null
+      name: dashboard-api-key
+      namespace: crowdsec

infrastructure/crowdsec/kustomization.yaml

@@ -0,0 +1,18 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources: 
+  - namespace.yaml
+  - dashboard-api-key.sealedsecret.yaml
+  - bouncer-api-key.sealedsecret.yaml
+  - bouncer.middleware.yaml
+
+
+namespace: crowdsec
+
+
+helmCharts:
+  - name: crowdsec
+    releaseName: crowdsec
+    version: 0.12.0
+    valuesFile: values.yaml
+    repo: https://crowdsecurity.github.io/helm-charts

infrastructure/crowdsec/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: placeholder

infrastructure/crowdsec/values.yaml

@@ -0,0 +1,93 @@
+# -- for raw logs format: json or cri (docker|containerd)
+container_runtime: containerd
+
+
+
+# lapi will deploy pod with crowdsec lapi and dashboard as deployment
+lapi:
+  # -- replicas for local API
+  replicas: 1
+  # -- environment variables from crowdsecurity/crowdsec docker image
+  env:
+    - name: ENROLL_INSTANCE_NAME
+      value: "kluster"
+
+  # Allows you to load environment variables from kubernetes secret or config map
+  envFrom:
+    - secretRef:
+        name: dashboard-api-key
+    - secretRef:
+        name: bouncer-api-key
+
+
+  dashboard:
+    # -- Enable Metabase Dashboard (by default disabled)
+    enabled: false
+
+  # -- Enable persistent volumes
+  persistentVolume:
+    # -- Persistent volume for data folder. Stores e.g. registered bouncer api keys
+    data:
+      enabled: true
+      accessModes:
+        - ReadWriteOnce
+      storageClassName: "nfs-client"
+      size: 1Gi
+    # -- Persistent volume for config folder. Stores e.g. online api credentials
+    config:
+      enabled: true
+      accessModes:
+        - ReadWriteOnce
+      storageClassName: "nfs-client"
+      size: 100Mi
+
+
+  # -- Enable service monitoring (exposes "metrics" port "6060" for Prometheus)
+  metrics:
+    enabled: true
+    # -- Creates a ServiceMonitor so Prometheus will monitor this service
+    # -- Prometheus needs to be configured to watch on all namespaces for ServiceMonitors
+    # -- See the documentation: https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack#prometheusioscrape
+    # -- See also: https://github.com/prometheus-community/helm-charts/issues/106#issuecomment-700847774
+    serviceMonitor:
+      enabled: true
+
+
+# agent will deploy pod on every node as daemonSet to read wanted pods logs
+agent:
+  acquisition:
+    # The namespace where the pod is located
+    - namespace: traefik-system
+      # The pod name
+      podName: traefik-*
+      # as in crowdsec configuration, we need to specify the program name to find a matching parser
+      program: traefik
+
+  # -- Enable persistent volumes
+  persistentVolume:
+    # -- Persistent volume for config folder. Stores local config (parsers, scenarios etc.)
+    config:
+      enabled: false
+      accessModes:
+        - ReadWriteOnce
+      storageClassName: ""
+      existingClaim: ""
+      size: 100Mi
+  # -- Enable hostPath to /var/log
+  hostVarLog: true
+  # -- environment variables from crowdsecurity/crowdsec docker image
+  env:
+    - name: COLLECTIONS
+      value: "crowdsecurity/traefik"
+
+  # -- Enable service monitoring (exposes "metrics" port "6060" for Prometheus)
+  metrics:
+    enabled: true
+    # -- Creates a ServiceMonitor so Prometheus will monitor this service
+    # -- Prometheus needs to be configured to watch on all namespaces for ServiceMonitors
+    # -- See the documentation: https://github.com/prometheus-community/helm-charts/tree/main/charts/kube-prometheus-stack#prometheusioscrape
+    # -- See also: https://github.com/prometheus-community/helm-charts/issues/106#issuecomment-700847774
+    serviceMonitor:
+      enabled: false
+      additionalLabels: {}
+

infrastructure/gitea/gitea-oauth.sealedsecret.yaml

@@ -6,7 +6,9 @@ metadata:
   name: gitea-oauth
   namespace: gitea
 spec:
-  encryptedData: {}
+  encryptedData:
+    key: AgAXDv5WIcA8AFGT4Eb1spaXbtifwOIFaiqjMbEuDYNG43Me7evzgrWmHvUQsf3jzkElsAhC/ykhsMKTNIGdeLC15oVifqOKL+19fcuBPwt7ubaL/z35svluq3P87vTP4Yp+rag3SvN05E4xteOiqyYJWSIUmrOHwkLRco4QzgTk2FO594//ZsA2TJb9YdjhBLXl/Ywhjpnf36t5blgUZAwX1NY61QkBbzr3UV2McWBB5dU2t561bvyo9KcAXkMNG/okzlhE2OzQoHoQYRz8o+xpySlI1Z06TE4G6mtojxnexuwR4EDds0c21aA2i5CIesnybGD8Vzwd4123A00PlQd67PSQm8hj3UJMzB3eWGAQuIhWn3zp7r01GElA9JW+9yVbPEkxaXMWaT6yaH3Zo04emRKPqBwxFpEPgWqZ00H9PjZn+KDBVnMs5+BG1jaYAuF3acLfLmgnO81F1B/jNX8JDShty2oW1heB9YBxSK2lTCYN1f4ItYV6N6eoC/q/mRlJOe2nAiUW8V3oT4x2x2S7Jw5Fwnd4avSesahtHzr4YwSNtq8jB/BSicYp1BezmALvXU8RUMmI6kvXkABuEHB6+G0ugQ8RDdg2OggZ92e4yKqv6vazWopH4GJ0sgpjViRHU8ZdxEJSgWH34+KKoUcW9eE8ugOynXAtthkasazfahxTmMd5XK6IbYsnNN/Bf3MyOonq0A==
+    secret: AgBh0QjLGKbQLRsI8imDwlktlUP/kRD/nUQAYWIEkVy6hZU1OWAAexfcwJi6uVIu/s4Wfzlzl7i5ok5WeeVCWDSTFh5Xz8+SNQoio0/xubbNiYCC81y/ZDhwS9CBn74UX1St4eEFeIcRjey+cyeB7vYCRrYO1WvpZFHx8G9KZa8F4Ca9fy07A3HTGEFdm0Of8MfOM/TVGn8pgJLh2KL+VnYbmyAwQp9hd1NlMM2DC5nPW5kkdfMnz9YG7uAMyaL2MkxTynpKvEJeSCWtIXQSuj60+3IGXNAUWOgYVF46vqzsBbQErXCC67tf8TXOo/lCcDZSVluuo50uWqQceuZ2QujrjwSsQiM9ax29mnI9idu7zqT4q2MQ08+HZT0qNKqN/1jYTUwf7j3jLcANQX5VVuY6zDSZ/hDE4sBuuEoisYTFQH2RicElX73BCfXeOHTOmD4R4EiL/Cn546JG+7qjmBLnljqdNwp0Tug0iLAp25IWhsz9FsNhVwEozil6Es5RGjVHrmIp7z61OwQPqyBOxvBXjIKfQjPY9rykl00UF/X34YWltob2qilUVfYnDGQcA/OZ6UNqN2IC6Pj+vlzAqdbElGapGvqhg2w+ErnL1vAl40HLfRiDCmK5s6dOE2eHdvi6lbbwVWtlpeB7BNuFRuf8npZiMfQmtA3x3FF7dcMXiFsPJ8RbTJRQDO9VeaVTAFDnql3eBhUssVKIehywj9m39dfLvDtdRA0=
   template:
     metadata:
       creationTimestamp: null

infrastructure/gitea/gitea.values.yaml

@@ -81,6 +81,7 @@ persistence:
 signing:
   enabled: false
 
+    
 ## @section Gitea
 #
 gitea:
@@ -116,10 +117,22 @@ gitea:
       ISSUE_INDEXER_TYPE: bleve
       REPO_INDEXER_ENABLED: false
 
-  additionalConfigSources:
+  oauth:
-    - secret:
+    - name: authelia
-        secretName: gitea-oauth
+      provider: openidConnect
-  # since we want to reuse the posgres secret, we cannot directly use it here, but instead set the ENV variables
+      autoDiscoverUrl: https://auth.kluster.moll.re/.well-known/openid-configuration
+      scopes: openid email profile groups
+      existingSecret: gitea-oauth
+      required-claim-name: groups
+      required-claim-value: gitea
+      admin-group: apps_admin
+
+  
+  # since we want to reuse the postgres secret, we cannot directly use it in
+  # additionalConfigSources:
+  #   - secret:
+  #       secretName: postgres-password
+  # but instead set the ENV variables
   additionalConfigFromEnvs:
     - name: GITEA__DATABASE__DB_TYPE
       value: postgres

infrastructure/traefik-system/kustomization.yaml

@@ -13,6 +13,6 @@ namespace: traefik-system
 helmCharts:
   - name: traefik
     releaseName: traefik
-    version: 32.0.0
+    version: 32.1.1
     valuesFile: values.yaml
     repo: https://traefik.github.io/charts