+1 -1

.envrc

reviewed

··· 1 1 export TF_VAR_hcloud_token=$(cat ./envs/TF_VAR_hcloud_token) 2 2 - export KUBECONFIG=./tub_kubeconfig.yaml 2 2 + export KUBECONFIG=./homelab_kubeconfig.yaml

+3

.gitattributes

reviewed

··· 9 9 10 10 # Encrypt Kubeconfig files 11 11 *kubeconfig.yaml filter=git-crypt diff=git-crypt 12 12 + 13 13 + # Encrypt Kubernetes secrets 14 14 + k8s/**/*.secret filter=git-crypt diff=git-crypt

-22

.terraform.lock.hcl

reviewed

··· 1 1 # This file is maintained automatically by "tofu init". 2 2 # Manual edits may be lost in future updates. 3 3 4 4 - provider "registry.opentofu.org/aminueza/minio" { 5 5 - version = "3.17.0" 6 6 - constraints = ">= 2.0.0" 7 7 - hashes = [ 8 8 - "h1:gTB9rR0Itgf4CXYbwojXRh2g+1VF4xkI0waCyT72cFc=", 9 9 - "zh:0c6cc3e9a8ba0e8de7a48aa97e1bf5cebf85fcb390378e9eb44cef5e2fffac33", 10 10 - "zh:1532438124ef4f363fa509a781de6ac9ef044e1737079d9f584ae92d578815ba", 11 11 - "zh:2dca2bc2c45d38d67a60288fca66ad73fc8e87328235925d242337d6980c6c82", 12 12 - "zh:3f304f4867cc92587a55eca729ab4a32b0e47a9862577b75f2c6d54b15d142f4", 13 13 - "zh:432eae4d9ca2f8e09a0d1345b7a694b81ca50ca7738f1570dec704145784aeb8", 14 14 - "zh:440e17023beb8a5606cbeafd9997c6b6fd206905747d3dfc98a63898a40c4385", 15 15 - "zh:58ece4d24b305937f842138fa2e6fa2a7237ef5bfa5278089337fe724bcb63df", 16 16 - "zh:8fff5399ddf32afedff81ba63eaf891318d01eb0f02284b017208d0bf6842a76", 17 17 - "zh:ada059db191dc1c5be16e3d4b175a8040a6f143a2360ad525d13af1cca4c4c3d", 18 18 - "zh:b8c4558178d083a08ba696dbb626410aa33848158e954711564d0b097a74e3d8", 19 19 - "zh:b8efc2e2f62514eca7e45df5c1a55bd14a9eded657c26249dbda8ef52f0166fd", 20 20 - "zh:bb808f09439f1f3c8443afb275c9091ace8dadc8de7f481f535dfbc59a35f2e7", 21 21 - "zh:c2142a813e2a7d2d27c21a4012e4288fd2560f683a97c4de2dfe1d5ed5a38ff3", 22 22 - "zh:d4d18534a38570a99e9beb3c8b75d6d381a4a407814032a169731d6a68a91382", 23 23 - ] 24 24 - } 25 25 - 26 4 provider "registry.opentofu.org/anapsix/semvers" { 27 5 version = "0.7.1" 28 6 constraints = ">= 0.7.1"

-30

charts.tf

reviewed

··· 1 1 - provider "helm" { 2 2 - kubernetes = { 3 3 - host = module.kube-hetzner.kubeconfig_data.host 4 4 - cluster_ca_certificate = module.kube-hetzner.kubeconfig_data.cluster_ca_certificate 5 5 - client_certificate = module.kube-hetzner.kubeconfig_data.client_certificate 6 6 - client_key = module.kube-hetzner.kubeconfig_data.client_key 7 7 - } 8 8 - } 9 9 - 10 10 - resource "helm_release" "mongodb" { 11 11 - name = "mongodb" 12 12 - repository = "https://charts.bitnami.com/bitnami" 13 13 - chart = "mongodb" 14 14 - namespace = "mongodb" 15 15 - create_namespace = true 16 16 - 17 17 - values = [ 18 18 - yamlencode({ 19 19 - auth = { 20 20 - rootPassword = var.mongodb_root_password != "" ? var.mongodb_root_password : random_password.mongodb_root.result 21 21 - } 22 22 - persistence = { 23 23 - enabled = true 24 24 - size = "10Gi" 25 25 - # Uses default 'hcloud-volumes' StorageClass 26 26 - } 27 27 - }) 28 28 - ] 29 29 - } 30 30 -

+29

dns.tf

reviewed

··· 1 1 + locals { 2 2 + cluster_ip = module.kube-hetzner.control_planes_public_ipv4[0] 3 3 + } 4 4 + 5 5 + resource "hcloud_zone" "sans_self" { 6 6 + name = "sans-self.org" 7 7 + mode = "primary" 8 8 + ttl = 3600 9 9 + } 10 10 + 11 11 + resource "hcloud_zone_rrset" "apex_a" { 12 12 + zone = hcloud_zone.sans_self.id 13 13 + name = "@" 14 14 + type = "A" 15 15 + ttl = 300 16 16 + records = [ 17 17 + { value = local.cluster_ip }, 18 18 + ] 19 19 + } 20 20 + 21 21 + resource "hcloud_zone_rrset" "wildcard_a" { 22 22 + zone = hcloud_zone.sans_self.id 23 23 + name = "*" 24 24 + type = "A" 25 25 + ttl = 300 26 26 + records = [ 27 27 + { value = local.cluster_ip }, 28 28 + ] 29 29 + }

homelab_kubeconfig.yaml

reviewed

This is a binary file and will not be displayed.

+1 -3

k8s/kustomization.yaml

reviewed

··· 1 1 apiVersion: kustomize.config.k8s.io/v1beta1 2 2 kind: Kustomization 3 3 4 4 - resources: 5 5 - - waha 6 6 - - signal 4 4 + resources: []

-38

k8s/signal/deployment.yaml

reviewed

··· 1 1 - apiVersion: apps/v1 2 2 - kind: Deployment 3 3 - metadata: 4 4 - name: signal 5 5 - labels: 6 6 - app: signal 7 7 - spec: 8 8 - replicas: 1 9 9 - selector: 10 10 - matchLabels: 11 11 - app: signal 12 12 - template: 13 13 - metadata: 14 14 - labels: 15 15 - app: signal 16 16 - spec: 17 17 - containers: 18 18 - - name: signal-api 19 19 - image: bbernhard/signal-cli-rest-api:latest 20 20 - ports: 21 21 - - containerPort: 8080 22 22 - resources: 23 23 - requests: 24 24 - cpu: 100m 25 25 - memory: 128Mi 26 26 - limits: 27 27 - cpu: 250m 28 28 - memory: 512Mi 29 29 - env: 30 30 - - name: MODE 31 31 - value: "native" 32 32 - volumeMounts: 33 33 - - name: data 34 34 - mountPath: /home/.local/share/signal-cli 35 35 - volumes: 36 36 - - name: data 37 37 - persistentVolumeClaim: 38 38 - claimName: signal-data

-10

k8s/signal/kustomization.yaml

reviewed

··· 1 1 - apiVersion: kustomize.config.k8s.io/v1beta1 2 2 - kind: Kustomization 3 3 - 4 4 - resources: 5 5 - - namespace.yaml 6 6 - - deployment.yaml 7 7 - - service.yaml 8 8 - - pvc.yaml 9 9 - 10 10 - namespace: signal

-4

k8s/signal/namespace.yaml

reviewed

··· 1 1 - apiVersion: v1 2 2 - kind: Namespace 3 3 - metadata: 4 4 - name: signal

-11

k8s/signal/pvc.yaml

reviewed

··· 1 1 - apiVersion: v1 2 2 - kind: PersistentVolumeClaim 3 3 - metadata: 4 4 - name: signal-data 5 5 - spec: 6 6 - accessModes: 7 7 - - ReadWriteOnce 8 8 - resources: 9 9 - requests: 10 10 - storage: 1Gi 11 11 - # Using default storage class (hcloud-volumes)

-12

k8s/signal/service.yaml

reviewed

··· 1 1 - apiVersion: v1 2 2 - kind: Service 3 3 - metadata: 4 4 - name: signal 5 5 - spec: 6 6 - selector: 7 7 - app: signal 8 8 - ports: 9 9 - - protocol: TCP 10 10 - port: 8080 11 11 - targetPort: 8080 12 12 - type: ClusterIP

-45

k8s/waha/deployment.yaml

reviewed

··· 1 1 - apiVersion: apps/v1 2 2 - kind: Deployment 3 3 - metadata: 4 4 - name: waha 5 5 - labels: 6 6 - app: waha 7 7 - spec: 8 8 - replicas: 1 9 9 - selector: 10 10 - matchLabels: 11 11 - app: waha 12 12 - template: 13 13 - metadata: 14 14 - labels: 15 15 - app: waha 16 16 - spec: 17 17 - containers: 18 18 - - name: waha 19 19 - image: devlikeapro/waha:latest 20 20 - ports: 21 21 - - containerPort: 3000 22 22 - resources: 23 23 - requests: 24 24 - cpu: 100m 25 25 - memory: 256Mi 26 26 - limits: 27 27 - cpu: 250m 28 28 - memory: 512Mi 29 29 - env: 30 30 - - name: WHATSAPP_DEFAULT_ENGINE 31 31 - value: "GOWS" 32 32 - - name: WAHA_NO_API_KEY 33 33 - value: "True" 34 34 - - name: WAHA_DASHBOARD_NO_PASSWORD 35 35 - value: "True" 36 36 - - name: WHATSAPP_SWAGGER_NO_PASSWORD 37 37 - value: "True" 38 38 - # Since we're not using Ingress, we don't need to set external URLs here unless needed for internal callbacks 39 39 - volumeMounts: 40 40 - - name: sessions 41 41 - mountPath: /app/.sessions 42 42 - volumes: 43 43 - - name: sessions 44 44 - persistentVolumeClaim: 45 45 - claimName: waha-sessions

-10

k8s/waha/kustomization.yaml

reviewed

··· 1 1 - apiVersion: kustomize.config.k8s.io/v1beta1 2 2 - kind: Kustomization 3 3 - 4 4 - resources: 5 5 - - namespace.yaml 6 6 - - deployment.yaml 7 7 - - service.yaml 8 8 - - pvc.yaml 9 9 - 10 10 - namespace: waha

-4

k8s/waha/namespace.yaml

reviewed

··· 1 1 - apiVersion: v1 2 2 - kind: Namespace 3 3 - metadata: 4 4 - name: waha

-11

k8s/waha/pvc.yaml

reviewed

··· 1 1 - apiVersion: v1 2 2 - kind: PersistentVolumeClaim 3 3 - metadata: 4 4 - name: waha-sessions 5 5 - spec: 6 6 - accessModes: 7 7 - - ReadWriteOnce 8 8 - resources: 9 9 - requests: 10 10 - storage: 1Gi 11 11 - # Using default storage class (hcloud-volumes from Hetzner CSI)

-12

k8s/waha/service.yaml

reviewed

··· 1 1 - apiVersion: v1 2 2 - kind: Service 3 3 - metadata: 4 4 - name: waha 5 5 - spec: 6 6 - selector: 7 7 - app: waha 8 8 - ports: 9 9 - - protocol: TCP 10 10 - port: 3000 11 11 - targetPort: 3000 12 12 - type: ClusterIP

keypair/id_ed25519_tub keypair/id_ed25519_homelab

reviewed

keypair/id_ed25519_tub.pub keypair/id_ed25519_homelab.pub

reviewed

+7 -18

kube.tf

reviewed

··· 35 35 # ssh_port = 2222 36 36 37 37 # * Your ssh public key 38 38 - ssh_public_key = file("./keypair/id_ed25519_tub.pub") 38 38 + ssh_public_key = file("./keypair/id_ed25519_homelab.pub") 39 39 # * Your private key must be "ssh_private_key = null" when you want to use ssh-agent for a Yubikey-like device authentication or an SSH key-pair with a passphrase. 40 40 # For more details on SSH see https://github.com/kube-hetzner/kube-hetzner/blob/master/docs/ssh.md 41 41 - ssh_private_key = file("./keypair/id_ed25519_tub") 41 41 + ssh_private_key = file("./keypair/id_ed25519_homelab") 42 42 # You can add additional SSH public Keys to grant other team members root access to your cluster nodes. 43 43 # ssh_additional_public_keys = [] 44 44 ··· 638 638 # you would have to connect to any control plane node via SSH, as you can run kubectl from within these. 639 639 # Please be advised that this setting has no effect on the load balancer when the use_control_plane_lb variable is set to true. This is 640 640 # because firewall rules cannot be applied to load balancers yet. 641 641 - firewall_kube_api_source = ["5.132.113.114"] 641 641 + firewall_kube_api_source = ["5.132.126.116/32", "89.146.51.229/32"] 642 642 643 643 # Allow SSH access from the specified networks. Default: ["0.0.0.0/0", "::/0"] 644 644 # Allowed values: null (disable SSH rule entirely) or a list of allowed networks with CIDR notation. 645 645 # Ideally you would set your IP there. And if it changes after cluster deploy, you can always update this variable and apply again. 646 646 - firewall_ssh_source = ["5.132.113.114"] 646 646 + firewall_ssh_source = ["5.132.126.116/32", "89.146.51.229/32"] 647 647 648 648 # By default, SELinux is enabled in enforcing mode on all nodes. For container-specific SELinux issues, 649 649 # consider using the pre-installed 'udica' tool to create custom, targeted SELinux policies instead of ··· 983 983 defaultReplicaCount: 2 984 984 EOT */ 985 985 986 986 - # If you want to use a specific Traefik helm chart version, set it below; otherwise, leave them as-is for the latest versions. 987 987 - # See https://github.com/traefik/traefik-helm-chart/releases for the available versions. 988 988 - # traefik_version = "" 986 986 + # Pinned to avoid schema breakage with newer chart versions (globalArguments, redirections removed) 987 987 + traefik_version = "34.3.0" 989 988 990 989 # Traefik, all Traefik helm values can be found at https://github.com/traefik/traefik-helm-chart/blob/master/traefik/values.yaml 991 990 # If you want to merge extra values into defaults (or traefik_values), use traefik_merge_values. ··· 1142 1141 required_providers { 1143 1142 hcloud = { 1144 1143 source = "hetznercloud/hcloud" 1145 1145 - version = ">= 1.51.0" 1144 1144 + version = ">= 1.54.0" 1146 1145 } 1147 1146 helm = { 1148 1147 source = "hashicorp/helm" ··· 1165 1164 default = "" 1166 1165 } 1167 1166 1168 1168 - resource "random_password" "mongodb_root" { 1169 1169 - length = 32 1170 1170 - special = false 1171 1171 - } 1172 1172 - 1173 1173 - variable "mongodb_root_password" { 1174 1174 - description = "MongoDB root password (overrides generated one if set)" 1175 1175 - sensitive = true 1176 1176 - default = "" 1177 1177 - }

tub_kubeconfig.yaml

reviewed

This is a binary file and will not be displayed.