Diffstat (limited to 'ops/infra/kubernetes')
-rw-r--r-- | ops/infra/kubernetes/cgit/config.yaml | 80 | ||||
-rw-r--r-- | ops/infra/kubernetes/gemma/config.lisp | 19 | ||||
-rw-r--r-- | ops/infra/kubernetes/https-cert/cert.yaml | 8 | ||||
-rw-r--r-- | ops/infra/kubernetes/https-lb/ingress.yaml | 43 | ||||
-rw-r--r-- | ops/infra/kubernetes/nginx/nginx.conf | 59 | ||||
-rw-r--r-- | ops/infra/kubernetes/nginx/nginx.yaml | 60 | ||||
-rw-r--r-- | ops/infra/kubernetes/nixery/config.yaml | 67 | ||||
-rw-r--r-- | ops/infra/kubernetes/nixery/id_nixery.pub | 1 | ||||
-rw-r--r-- | ops/infra/kubernetes/nixery/known_hosts | 3 | ||||
-rw-r--r-- | ops/infra/kubernetes/nixery/secrets.yaml | 18 | ||||
-rw-r--r-- | ops/infra/kubernetes/nixery/ssh_config | 4 | ||||
-rw-r--r-- | ops/infra/kubernetes/primary-cluster.yaml | 38 | ||||
-rw-r--r-- | ops/infra/kubernetes/website/config.yaml | 37 |
13 files changed, 0 insertions, 437 deletions
diff --git a/ops/infra/kubernetes/cgit/config.yaml b/ops/infra/kubernetes/cgit/config.yaml
deleted file mode 100644
index 73392adaad81..000000000000
--- a/ops/infra/kubernetes/cgit/config.yaml
+++ /dev/null
@@ -1,80 +0,0 @@
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: gcsr-secrets
-type: Opaque
-data:
- username: "Z2l0LXRhemppbi5nbWFpbC5jb20="
- # This credential is a GCSR 'gitcookie' token.
- password: '{{ passLookup "gcsr-tazjin-password" | b64enc }}'
- # This credential is an OAuth token for builds.sr.ht
- sourcehut: '{{ passLookup "sr.ht-token" | b64enc }}'
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: cgit
- labels:
- app: cgit
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: cgit
- template:
- metadata:
- labels:
- app: cgit
- spec:
- securityContext:
- runAsUser: 1000
- runAsGroup: 1000
- fsGroup: 1000
- containers:
- - name: cgit
- image: nixery.local/shell/web.cgit-taz:{{ gitHEAD }}
- command: [ "cgit-launch" ]
- env:
- - name: HOME
- value: /git
- volumeMounts:
- - name: git-volume
- mountPath: /git
- - name: sync-gcsr
- image: nixery.local/shell/ops.sync-gcsr:{{ gitHEAD }}
- command: [ "sync-gcsr" ]
- env:
- - name: SYNC_USER
- valueFrom:
- secretKeyRef:
- name: gcsr-secrets
- key: username
- - name: SYNC_PASS
- valueFrom:
- secretKeyRef:
- name: gcsr-secrets
- key: password
- - name: SRHT_TOKEN
- valueFrom:
- secretKeyRef:
- name: gcsr-secrets
- key: sourcehut
- volumeMounts:
- - name: git-volume
- mountPath: /git
- volumes:
- - name: git-volume
- emptyDir: {}
----
-apiVersion: v1
-kind: Service
-metadata:
- name: cgit
-spec:
- selector:
- app: cgit
- ports:
- - protocol: TCP
- port: 80
- targetPort: 8080
diff --git a/ops/infra/kubernetes/gemma/config.lisp b/ops/infra/kubernetes/gemma/config.lisp
deleted file mode 100644
index 517a658cf150..000000000000
--- a/ops/infra/kubernetes/gemma/config.lisp
+++ /dev/null
@@ -1,19 +0,0 @@
-(config :port 4242
- :data-dir "/var/lib/gemma/")
-
-(deftask bathroom/wipe-mirror 7)
-(deftask bathroom/wipe-counter 7)
-
-;; Bedroom tasks
-(deftask bedroom/change-sheets 7)
-(deftask bedroom/vacuum 10)
-
-;; Kitchen tasks
-(deftask kitchen/normal-trash 3)
-(deftask kitchen/green-trash 5)
-(deftask kitchen/blue-trash 5)
-(deftask kitchen/wipe-counters 3)
-(deftask kitchen/vacuum 5 "Kitchen has more crumbs and such!")
-
-;; Entire place
-(deftask clean-windows 60)
diff --git a/ops/infra/kubernetes/https-cert/cert.yaml b/ops/infra/kubernetes/https-cert/cert.yaml
deleted file mode 100644
index c7a85275ae67..000000000000
--- a/ops/infra/kubernetes/https-cert/cert.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
----
-apiVersion: networking.gke.io/v1beta1
-kind: ManagedCertificate
-metadata:
- name: {{ .domain | replace "." "-" }}
-spec:
- domains:
- - {{ .domain }}
diff --git a/ops/infra/kubernetes/https-lb/ingress.yaml b/ops/infra/kubernetes/https-lb/ingress.yaml
deleted file mode 100644
index 930affec7a15..000000000000
--- a/ops/infra/kubernetes/https-lb/ingress.yaml
+++ /dev/null
@@ -1,43 +0,0 @@
-# This resource configures the HTTPS load balancer that is used as the
-# entrypoint to all HTTPS services running in the cluster.
----
-apiVersion: extensions/v1beta1
-kind: Ingress
-metadata:
- name: https-ingress
- annotations:
- networking.gke.io/managed-certificates: tazj-in, git-tazj-in, www-tazj-in, oslo-pub
-spec:
- rules:
- # Route website to, well, the website ...
- - host: tazj.in
- http:
- paths:
- - path: /*
- backend:
- serviceName: website
- servicePort: 8080
- # Same for www.* (the redirect is handled by the website nginx)
- - host: www.tazj.in
- http:
- paths:
- - path: /*
- backend:
- serviceName: website
- servicePort: 8080
- # Route git.tazj.in to the cgit pods
- - host: git.tazj.in
- http:
- paths:
- - path: /*
- backend:
- serviceName: nginx
- servicePort: 6756
- # Route oslo.pub to the nginx instance which serves redirects
- - host: oslo.pub
- http:
- paths:
- - path: /
- backend:
- serviceName: nginx
- servicePort: 6756
diff --git a/ops/infra/kubernetes/nginx/nginx.conf b/ops/infra/kubernetes/nginx/nginx.conf
deleted file mode 100644
index 918aa6067806..000000000000
--- a/ops/infra/kubernetes/nginx/nginx.conf
+++ /dev/null
@@ -1,59 +0,0 @@
-daemon off;
-worker_processes 1;
-error_log stderr;
-pid /run/nginx.pid;
-
-events {
- worker_connections 1024;
-}
-
-http {
- log_format json_combined escape=json
- '{'
- '"time_local":"$time_local",'
- '"remote_addr":"$remote_addr",'
- '"remote_user":"$remote_user",'
- '"request":"$request",'
- '"status": "$status",'
- '"body_bytes_sent":"$body_bytes_sent",'
- '"request_time":"$request_time",'
- '"http_referrer":"$http_referer",'
- '"http_user_agent":"$http_user_agent"'
- '}';
-
- access_log /dev/stdout json_combined;
-
- sendfile on;
- keepalive_timeout 65;
-
- server {
- listen 80 default_server;
- location / {
- return 200 "ok";
- }
- }
-
- server {
- listen 80;
- server_name oslo.pub;
-
- location / {
- return 302 https://www.google.com/maps/d/viewer?mid=1pJIYY9cuEdt9DuMTbb4etBVq7hs;
- }
- }
-
- server {
- listen 80;
- server_name git.tazj.in;
-
- # Static assets must always hit the root.
- location ~ ^/(favicon\.ico|cgit\.(css|png))$ {
- proxy_pass http://cgit;
- }
-
- # Everything else hits the depot directly.
- location / {
- proxy_pass http://cgit/cgit.cgi/depot/;
- }
- }
-}
diff --git a/ops/infra/kubernetes/nginx/nginx.yaml b/ops/infra/kubernetes/nginx/nginx.yaml
deleted file mode 100644
index 61678a85bca0..000000000000
--- a/ops/infra/kubernetes/nginx/nginx.yaml
+++ /dev/null
@@ -1,60 +0,0 @@
-# Deploy an nginx instance which serves ... redirects.
----
-apiVersion: v1
-kind: ConfigMap
-metadata:
- name: nginx-conf
-data:
- nginx.conf: {{ insertFile "nginx.conf" | toJson }}
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: nginx
- labels:
- app: nginx
-spec:
- replicas: 2
- selector:
- matchLabels:
- app: nginx
- template:
- metadata:
- labels:
- app: nginx
- config: {{ insertFile "nginx.conf" | sha1sum }}
- spec:
- containers:
- - name: nginx
- image: nixery.local/shell/third_party.nginx:{{ .version }}
- command: ["/bin/bash", "-c"]
- args:
- - |
- cd /run
- echo 'nogroup:x:30000:nobody' >> /etc/group
- echo 'nobody:x:30000:30000:nobody:/tmp:/bin/bash' >> /etc/passwd
- exec nginx -c /etc/nginx/nginx.conf
- volumeMounts:
- - name: nginx-conf
- mountPath: /etc/nginx
- - name: nginx-rundir
- mountPath: /run
- volumes:
- - name: nginx-conf
- configMap:
- name: nginx-conf
- - name: nginx-rundir
- emptyDir: {}
----
-apiVersion: v1
-kind: Service
-metadata:
- name: nginx
-spec:
- type: NodePort
- selector:
- app: nginx
- ports:
- - protocol: TCP
- port: 6756
- targetPort: 80
diff --git a/ops/infra/kubernetes/nixery/config.yaml b/ops/infra/kubernetes/nixery/config.yaml
deleted file mode 100644
index 0775e79b5843..000000000000
--- a/ops/infra/kubernetes/nixery/config.yaml
+++ /dev/null
@@ -1,67 +0,0 @@
-# Deploys an instance of Nixery into the cluster.
-#
-# The service via which Nixery is exposed has a private DNS entry
-# pointing to it, which makes it possible to resolve `nixery.local`
-# in-cluster without things getting nasty.
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: nixery
- namespace: kube-public
- labels:
- app: nixery
-spec:
- replicas: 1
- selector:
- matchLabels:
- app: nixery
- template:
- metadata:
- labels:
- app: nixery
- spec:
- containers:
- - name: nixery
- image: eu.gcr.io/tazjins-infrastructure/nixery:{{ .version }}
- volumeMounts:
- - name: nixery-secrets
- mountPath: /var/nixery
- env:
- - name: BUCKET
- value: {{ .bucket}}
- - name: PORT
- value: "{{ .port }}"
- - name: GOOGLE_APPLICATION_CREDENTIALS
- value: /var/nixery/gcs-key.json
- - name: GCS_SIGNING_KEY
- value: /var/nixery/gcs-key.pem
- - name: GCS_SIGNING_ACCOUNT
- value: {{ .account }}
- - name: GIT_SSH_COMMAND
- value: 'ssh -F /var/nixery/ssh_config'
- - name: NIXERY_PKGS_REPO
- value: {{ .repo }}
- - name: NIX_POPULARITY_URL
- value: 'https://storage.googleapis.com/nixery-layers/popularity/{{ .popularity }}'
- volumes:
- - name: nixery-secrets
- secret:
- secretName: nixery-secrets
- defaultMode: 256
----
-apiVersion: v1
-kind: Service
-metadata:
- name: nixery
- namespace: kube-public
- annotations:
- cloud.google.com/load-balancer-type: "Internal"
-spec:
- selector:
- app: nixery
- type: LoadBalancer
- ports:
- - protocol: TCP
- port: 80
- targetPort: 8080
diff --git a/ops/infra/kubernetes/nixery/id_nixery.pub b/ops/infra/kubernetes/nixery/id_nixery.pub
deleted file mode 100644
index dc3fd617d0a1..000000000000
--- a/ops/infra/kubernetes/nixery/id_nixery.pub
+++ /dev/null
@@ -1 +0,0 @@
-ssh-rsa AAAAB3NzaC1yc2EAAAADAQABAAABAQCzBM6ydst77jDHNcTFWKD9Fw4SReqyNEEp2MtQBk2wt94U4yLp8MQIuNeOEn1GaDEX4RGCxqai/2UVF1w9ZNdU+v2fXcKWfkKuGQH2XcNfXor2cVNObd40H78++iZiv3nmM/NaEdkTbTBbi925cRy9u5FgItDgsJlyKNRglCb0fr6KlgpvWjL20dp/eeZ8a/gLniHK8PnEsgERQSvJnsyFpxxVhxtoUiyLWpXDl4npf/rQr0eRDf4Q5sN/nbTwksapPHfze8dKcaoA7A2NqT3bJ6DPGrwVCzGRtGw/SXJwFwmmtAl9O6BklpeReyiknSxc+KOtrjDW6O0r6yvymD5Z nixery
diff --git a/ops/infra/kubernetes/nixery/known_hosts b/ops/infra/kubernetes/nixery/known_hosts
deleted file mode 100644
index 7faf21f69bf8..000000000000
--- a/ops/infra/kubernetes/nixery/known_hosts
+++ /dev/null
@@ -1,3 +0,0 @@
-github.com ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
-140.82.118.4 ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEAq2A7hRGmdnm9tUDbO9IDSwBK6TbQa+PXYPCPy6rbTrTtw7PHkccKrpp0yVhp5HdEIcKr6pLlVDBfOLX9QUsyCOV0wzfjIJNlGEYsdlLJizHhbn2mUjvSAHQqZETYP81eFzLQNnPHt4EVVUh7VfDESU84KezmD5QlWpXLmvU31/yMf+Se8xhHTvKSCZIFImWwoG6mbUoWf9nzpIoaSjB+weqqUUmpaaasXVal72J+UX2B+2RPW3RcT0eOzQgqlJL3RKrTJvdsjE3JEAvGq3lGHSZXy28G3skua2SmVi/w4yCE6gbODqnTWlg7+wC604ydGXA8VJiS5ap43JXiUFFAaQ==
-[source.developers.google.com]:2022,[172.253.120.82]:2022 ecdsa-sha2-nistp256 AAAAE2VjZHNhLXNoYTItbmlzdHAyNTYAAAAIbmlzdHAyNTYAAABBBB5Iy4/cq/gt/fPqe3uyMy4jwv1Alc94yVPxmnwNhBzJqEV5gRPiRk5u4/JJMbbu9QUVAguBABxL7sBZa5PH/xY=
diff --git a/ops/infra/kubernetes/nixery/secrets.yaml b/ops/infra/kubernetes/nixery/secrets.yaml
deleted file mode 100644
index d9a674d2c9fc..000000000000
--- a/ops/infra/kubernetes/nixery/secrets.yaml
+++ /dev/null
@@ -1,18 +0,0 @@
-# The secrets below are encrypted using keys stored in Cloud KMS and
-# templated in by kontemplate when deploying.
-#
-# Not all of the values are actually secret (see the matching)
----
-apiVersion: v1
-kind: Secret
-metadata:
- name: nixery-secrets
- namespace: kube-public
-type: Opaque
-data:
- gcs-key.json: {{ passLookup "nixery-gcs-json" | b64enc }}
- gcs-key.pem: {{ passLookup "nixery-gcs-pem" | b64enc }}
- id_nixery: {{ printf "%s\n" (passLookup "nixery-ssh-private") | b64enc }}
- id_nixery.pub: {{ insertFile "id_nixery.pub" | b64enc }}
- known_hosts: {{ insertFile "known_hosts" | b64enc }}
- ssh_config: {{ insertFile "ssh_config" | b64enc }}
diff --git a/ops/infra/kubernetes/nixery/ssh_config b/ops/infra/kubernetes/nixery/ssh_config
deleted file mode 100644
index 78afbb0b039d..000000000000
--- a/ops/infra/kubernetes/nixery/ssh_config
+++ /dev/null
@@ -1,4 +0,0 @@
-Match host *
- User tazjin@google.com
- IdentityFile /var/nixery/id_nixery
- UserKnownHostsFile /var/nixery/known_hosts
diff --git a/ops/infra/kubernetes/primary-cluster.yaml b/ops/infra/kubernetes/primary-cluster.yaml
deleted file mode 100644
index 3d601b80cd01..000000000000
--- a/ops/infra/kubernetes/primary-cluster.yaml
+++ /dev/null
@@ -1,38 +0,0 @@
-# Kontemplate configuration for the primary GKE cluster in the project
-# 'tazjins-infrastructure'.
----
-context: gke_tazjins-infrastructure_europe-north1_tazjin-cluster
-include:
- # SSL certificates (provisioned by Google)
- - name: tazj-in-cert
- path: https-cert
- values:
- domain: tazj.in
- - name: www-tazj-in-cert
- path: https-cert
- values:
- domain: www.tazj.in
- - name: git-tazj-in-cert
- path: https-cert
- values:
- domain: git.tazj.in
- - name: oslo-pub-cert
- path: https-cert
- values:
- domain: oslo.pub
-
- # Services
- - name: nixery
- values:
- port: 8080
- version: xkm36vrbcnzxdccybzdrx4qzfcfqfrhg
- bucket: tazjins-data
- account: nixery@tazjins-infrastructure.iam.gserviceaccount.com
- repo: ssh://tazjin@gmail.com@source.developers.google.com:2022/p/tazjins-infrastructure/r/depot
- popularity: 'popularity-nixos-unstable-3140fa89c51233397f496f49014f6b23216667c2.json'
- - name: website
- - name: cgit
- - name: https-lb
- - name: nginx
- values:
- version: a349d5e9145ae9a6c89f62ec631f01fb180de546
diff --git a/ops/infra/kubernetes/website/config.yaml b/ops/infra/kubernetes/website/config.yaml
deleted file mode 100644
index 02de735b05d0..000000000000
--- a/ops/infra/kubernetes/website/config.yaml
+++ /dev/null
@@ -1,37 +0,0 @@
----
-apiVersion: apps/v1
-kind: Deployment
-metadata:
- name: website
- labels:
- app: website
-spec:
- replicas: 3
- selector:
- matchLabels:
- app: website
- template:
- metadata:
- labels:
- app: website
- spec:
- containers:
- - name: website
- image: nixery.local/shell/web.homepage:{{ gitHEAD }}
- env:
- - name: CONTAINER_SETUP
- value: "true"
- command: [ "homepage" ]
----
-apiVersion: v1
-kind: Service
-metadata:
- name: website
-spec:
- type: NodePort
- selector:
- app: website
- ports:
- - protocol: TCP
- port: 8080
- targetPort: 8080 |