RedXen/kubernetes
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

WIP

Browse Source
This commit is contained in:
Alex D. 2025-04-02 15:11:03 +00:00
parent 06803d5c03
commit 6b9f7b8d73
Signed by: caskd
GPG Key ID: F92BA85F61F4C173
38 changed files with 660 additions and 14 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

93
redxen/dovecot/deployment.yml Normal file
View File

@ -0,0 +1,93 @@
# yaml-language-server: $schema=https://kubernetesjsonschema.dev/master/deployment-apps-v1.json
kind: Deployment
apiVersion: apps/v1
metadata:
namespace: redxen
labels:
app: dovecot
name: dovecot-dp
spec:
replicas: 1
selector:
matchLabels:
app: dovecot
template:
metadata:
namespace: redxen
labels:
app: dovecot
spec:
hostUsers: false
securityContext:
seccompProfile:
type: RuntimeDefault
runAsNonRoot: true
runAsUser: 10000
runAsGroup: 10000
initContainers:
- name: volume-permissions
image: busybox
command: ["chown", "-c", "10000:10000", "/var/mail", "/run/dovecot", "/var/lib/dovecot"]
imagePullPolicy: IfNotPresent
securityContext:
capabilities:
drop: ["SETPCAP", "MKNOD", "AUDIT_WRITE", "NET_RAW", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "SETGID", "SETUID", "NET_BIND_SERVICE", "SYS_CHROOT", "SETFCAP"]
runAsUser: 0
runAsNonRoot: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
volumeMounts:
- name: mail-storage
mountPath: /var/mail
- name: dovecot-storage
mountPath: /var/lib/dovecot
- name: tmpfs-run
mountPath: /run/dovecot
- name: directories
image: busybox
command: ["mkdir", "-vp", "/run/dovecot/login"]
imagePullPolicy: IfNotPresent
securityContext:
capabilities:
drop: ["ALL"]
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
volumeMounts:
- name: tmpfs-run
mountPath: /run/dovecot
containers:
- name: dovecot
image: redxen.eu/daemons/dovecot:latest
imagePullPolicy: IfNotPresent
securityContext:
capabilities:
drop: ["SETPCAP", "MKNOD", "AUDIT_WRITE", "NET_RAW", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "SETGID", "SETUID", "NET_BIND_SERVICE", "SYS_CHROOT", "SETFCAP"]
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
volumeMounts:
- name: mail-storage
mountPath: /var/mail
- name: dovecot-storage
mountPath: /var/lib/dovecot
- name: tmpfs-run
mountPath: /run/dovecot
ports:
- name: imap
containerPort: 143
- name: lmtp
containerPort: 11555
- name: auth
containerPort: 11666
volumes:
- name: mail-storage
persistentVolumeClaim:
claimName: mail-pvc
readOnly: false
- name: dovecot-storage
emptyDir:
medium: Memory
sizeLimit: 4Mi
- name: tmpfs-run
emptyDir:
medium: Memory
sizeLimit: 4Mi

7
redxen/dovecot/kustomization.yaml Normal file
View File

@ -0,0 +1,7 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- deployment.yml
- persistentvolume.yml
- persistentvolumeclaim.yml
- service.yml

28
redxen/dovecot/persistentvolume.yml Normal file
View File

@ -0,0 +1,28 @@
# yaml-language-server: $schema=https://kubernetesjsonschema.dev/master/persistentvolume-v1.json
kind: PersistentVolume
apiVersion: v1
metadata:
namespace: redxen
name: mail-pv
spec:
storageClassName: local-storage
claimRef:
namespace: redxen
name: mail-pvc
capacity:
storage: 1Gi
volumeMode: Filesystem
accessModes:
- ReadWriteOnce
#persistentVolumeReclaimPolicy: Retain
hostPath:
path: /var/lib/mail
type: DirectoryOrCreate
nodeAffinity:
required:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- bournemouth.united-kingdom

15
redxen/dovecot/persistentvolumeclaim.yml Normal file
View File

@ -0,0 +1,15 @@
# yaml-language-server: $schema=https://kubernetesjsonschema.dev/master/persistentvolumeclaim-v1.json
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
namespace: redxen
name: mail-pvc
spec:
volumeName: mail-pv
storageClassName: local-storage
volumeMode: Filesystem
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi

22
redxen/dovecot/service.yml Normal file
View File

@ -0,0 +1,22 @@
# yaml-language-server: $schema=https://kubernetesjsonschema.dev/master/service-v1.json
kind: Service
apiVersion: v1
metadata:
namespace: redxen
labels:
app: dovecot
name: dovecot-sv
spec:
selector:
app: dovecot
type: ClusterIP
ports:
- name: imap
port: 143
protocol: TCP
- name: lmtp
port: 11555
protocol: TCP
- name: auth
port: 11666
protocol: TCP

4
redxen/gitea/deployment.yml
View File

@ -58,11 +58,11 @@ spec:
containerPort: 2442 containerPort: 2442
livenessProbe: livenessProbe:
httpGet: httpGet:
port: http port: 3000
httpHeaders: httpHeaders:
- name: "Host" - name: "Host"
value: "git.redxen.eu" value: "git.redxen.eu"
path: / path: /api/healthz
volumes: volumes:
- name: gitea-storage - name: gitea-storage
persistentVolumeClaim: persistentVolumeClaim:

1
redxen/gitea/persistentvolumeclaim.yml
View File

@ -7,6 +7,7 @@ metadata:
app: gitea app: gitea
name: gitea-pvc name: gitea-pvc
spec: spec:
volumeName: gitea-pv
selector: selector:
matchLabels: matchLabels:
app: gitea app: gitea

5
redxen/grafana/deployment.yml
View File

@ -52,11 +52,10 @@ spec:
- name: grafana-storage - name: grafana-storage
mountPath: /var/lib/grafana mountPath: /var/lib/grafana
ports: ports:
- name: http - containerPort: 3000
containerPort: 3000
livenessProbe: livenessProbe:
httpGet: httpGet:
port: http port: 3000
httpHeaders: httpHeaders:
- name: "Host" - name: "Host"
value: "stats.redxen.eu" value: "stats.redxen.eu"

1
redxen/grafana/persistentvolumeclaim.yml
View File

@ -7,6 +7,7 @@ metadata:
app: grafana app: grafana
name: grafana-pvc name: grafana-pvc
spec: spec:
volumeName: grafana-pv
selector: selector:
matchLabels: matchLabels:
app: grafana app: grafana

12
redxen/haproxy/daemonset.yml
View File

@ -39,12 +39,18 @@ spec:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
ports: ports:
- containerPort: 80 - name: http
containerPort: 80
hostPort: 80 hostPort: 80
protocol: TCP protocol: TCP
- containerPort: 443 - name: https
containerPort: 443
hostPort: 443 hostPort: 443
protocol: TCP protocol: TCP
- containerPort: 5000 - name: registry
containerPort: 5000
hostPort: 5000 hostPort: 5000
protocol: TCP protocol: TCP
- name: metrics
containerPort: 9100
protocol: TCP

1
redxen/haproxy/kustomization.yaml
View File

@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
resources: resources:
- daemonset.yml - daemonset.yml
- service.yml

16
redxen/haproxy/service.yml Normal file
View File

@ -0,0 +1,16 @@
# yaml-language-server: $schema=https://kubernetesjsonschema.dev/master/service-v1.json
kind: Service
apiVersion: v1
metadata:
namespace: redxen
labels:
app: haproxy
name: haproxy-sv
spec:
selector:
app: haproxy
type: ClusterIP
ports:
- name: prometheus
port: 9100
protocol: TCP

5
redxen/homepage/deployment.yml
View File

@ -52,11 +52,10 @@ spec:
- name: tmpfs-run - name: tmpfs-run
mountPath: /run/nginx mountPath: /run/nginx
ports: ports:
- name: http - containerPort: 80
containerPort: 80
livenessProbe: livenessProbe:
httpGet: httpGet:
port: http port: 80
httpHeaders: httpHeaders:
- name: "Host" - name: "Host"
value: "redxen.eu" value: "redxen.eu"

4
redxen/kustomization.yaml
View File

@ -13,3 +13,7 @@ resources:
- redis/ - redis/
- registry/ - registry/
- nsd/ - nsd/
- opendkim/
- rspamd/
- prometheus/
- loki/

68
redxen/loki/deployment.yml Normal file
View File

@ -0,0 +1,68 @@
# yaml-language-server: $schema=https://kubernetesjsonschema.dev/master/deployment-apps-v1.json
kind: Deployment
apiVersion: apps/v1
metadata:
namespace: redxen
labels:
app: loki
name: loki-dp
spec:
replicas: 1
selector:
matchLabels:
app: loki
template:
metadata:
namespace: redxen
labels:
app: loki
spec:
hostUsers: false
securityContext:
seccompProfile:
type: RuntimeDefault
runAsNonRoot: true
runAsUser: 10000
runAsGroup: 10000
initContainers:
- name: volume-permissions
image: busybox
command: ["chown", "-c", "10000:10000", "/var/lib/loki"]
imagePullPolicy: IfNotPresent
securityContext:
capabilities:
drop: ["SETPCAP", "MKNOD", "AUDIT_WRITE", "NET_RAW", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "SETGID", "SETUID", "NET_BIND_SERVICE", "SYS_CHROOT", "SETFCAP"]
runAsUser: 0
runAsNonRoot: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
volumeMounts:
- name: loki-storage
mountPath: /var/lib/loki
containers:
- name: loki
image: redxen.eu/daemons/loki:latest
imagePullPolicy: IfNotPresent
securityContext:
capabilities:
drop: ["ALL"]
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
volumeMounts:
- name: loki-storage
mountPath: /var/lib/loki
ports:
- containerPort: 3100
readinessProbe:
httpGet:
port: 3100
path: /ready
livenessProbe:
httpGet:
port: 3100
path: /ready
volumes:
- name: loki-storage
persistentVolumeClaim:
claimName: loki-pvc
readOnly: false

7
redxen/loki/kustomization.yaml Normal file
View File

@ -0,0 +1,7 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- deployment.yml
- persistentvolume.yml
- persistentvolumeclaim.yml
- service.yml

30
redxen/loki/persistentvolume.yml Normal file
View File

@ -0,0 +1,30 @@
# yaml-language-server: $schema=https://kubernetesjsonschema.dev/master/persistentvolume-v1.json
kind: PersistentVolume
apiVersion: v1
metadata:
namespace: redxen
labels:
app: loki
name: loki-pv
spec:
storageClassName: local-storage
claimRef:
namespace: redxen
name: loki-pvc
capacity:
storage: 1Gi
volumeMode: Filesystem
accessModes:
- ReadWriteOnce
#persistentVolumeReclaimPolicy: Retain
hostPath:
path: /var/lib/loki
type: DirectoryOrCreate
nodeAffinity:
required:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- bournemouth.united-kingdom

20
redxen/loki/persistentvolumeclaim.yml Normal file
View File

@ -0,0 +1,20 @@
# yaml-language-server: $schema=https://kubernetesjsonschema.dev/master/persistentvolumeclaim-v1.json
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
namespace: redxen
labels:
app: loki
name: loki-pvc
spec:
volumeName: loki-pv
selector:
matchLabels:
app: loki
storageClassName: local-storage
volumeMode: Filesystem
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi

16
redxen/loki/service.yml Normal file
View File

@ -0,0 +1,16 @@
# yaml-language-server: $schema=https://kubernetesjsonschema.dev/master/service-v1.json
kind: Service
apiVersion: v1
metadata:
namespace: redxen
labels:
app: loki
name: loki-sv
spec:
selector:
app: loki
type: ClusterIP
ports:
- name: http
port: 3100
protocol: TCP

2
redxen/murmur/deployment.yml
View File

@ -44,4 +44,4 @@ spec:
protocol: UDP protocol: UDP
livenessProbe: livenessProbe:
tcpSocket: tcpSocket:
port: murmur-tcp port: 64738

7
redxen/node_exporter/daemonset.yml
View File

@ -40,13 +40,18 @@ spec:
allowPrivilegeEscalation: false allowPrivilegeEscalation: false
readOnlyRootFilesystem: true readOnlyRootFilesystem: true
ports: ports:
- containerPort: 9100 - name: http
containerPort: 9100
hostPort: 9100 hostPort: 9100
protocol: TCP protocol: TCP
volumeMounts: volumeMounts:
- name: host-ro - name: host-ro
readOnly: true readOnly: true
mountPath: /host mountPath: /host
livenessProbe:
httpGet:
port: 9100
path: /metrics
volumes: volumes:
- name: host-ro - name: host-ro
hostPath: hostPath:

1
redxen/node_exporter/kustomization.yaml
View File

@ -2,3 +2,4 @@ apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization kind: Kustomization
resources: resources:
- daemonset.yml - daemonset.yml
- service.yml

16
redxen/node_exporter/service.yml Normal file
View File

@ -0,0 +1,16 @@
# yaml-language-server: $schema=https://kubernetesjsonschema.dev/master/service-v1.json
kind: Service
apiVersion: v1
metadata:
namespace: redxen
labels:
app: node-exporter
name: node-exporter-sv
spec:
selector:
app: node-exporter
type: ClusterIP
ports:
- name: http
port: 9100
protocol: TCP

2
redxen/nsd/deployment.yml
View File

@ -10,7 +10,7 @@ spec:
selector: selector:
matchLabels: matchLabels:
app: nsd app: nsd
replicas: 3 replicas: 2
template: template:
metadata: metadata:
namespace: redxen namespace: redxen

37
redxen/opendkim/deployment.yml Normal file
View File

@ -0,0 +1,37 @@
# yaml-language-server: $schema=https://kubernetesjsonschema.dev/master/deployment-apps-v1.json
kind: Deployment
apiVersion: apps/v1
metadata:
namespace: redxen
labels:
app: opendkim
name: opendkim-dp
spec:
replicas: 1
selector:
matchLabels:
app: opendkim
template:
metadata:
namespace: redxen
labels:
app: opendkim
spec:
hostUsers: false
securityContext:
seccompProfile:
type: RuntimeDefault
runAsNonRoot: true
runAsUser: 10000
runAsGroup: 10000
containers:
- name: opendkim
image: redxen.eu/daemons/opendkim:latest
imagePullPolicy: IfNotPresent
securityContext:
capabilities:
drop: ["ALL"]
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
ports:
- containerPort: 8891

5
redxen/opendkim/kustomization.yaml Normal file
View File

@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- deployment.yml
- service.yml

16
redxen/opendkim/service.yml Normal file
View File

@ -0,0 +1,16 @@
# yaml-language-server: $schema=https://kubernetesjsonschema.dev/master/service-v1.json
kind: Service
apiVersion: v1
metadata:
namespace: redxen
labels:
app: opendkim
name: opendkim-sv
spec:
selector:
app: opendkim
type: ClusterIP
ports:
- name: opendkim
port: 8891
protocol: TCP

1
redxen/postgresql/persistentvolumeclaim.yml
View File

@ -7,6 +7,7 @@ metadata:
app: postgresql app: postgresql
name: postgresql-pvc name: postgresql-pvc
spec: spec:
volumeName: postgresql-pv
selector: selector:
matchLabels: matchLabels:
app: postgresql app: postgresql

64
redxen/prometheus/deployment.yml Normal file
View File

@ -0,0 +1,64 @@
# yaml-language-server: $schema=https://kubernetesjsonschema.dev/master/deployment-apps-v1.json
kind: Deployment
apiVersion: apps/v1
metadata:
namespace: redxen
labels:
app: prometheus
name: prometheus-dp
spec:
replicas: 1
selector:
matchLabels:
app: prometheus
template:
metadata:
namespace: redxen
labels:
app: prometheus
spec:
hostUsers: false
securityContext:
seccompProfile:
type: RuntimeDefault
runAsNonRoot: true
runAsUser: 10000
runAsGroup: 10000
initContainers:
- name: volume-permissions
image: busybox
command: ["chown", "-c", "10000:10000", "/var/lib/prometheus"]
imagePullPolicy: IfNotPresent
securityContext:
capabilities:
drop: ["SETPCAP", "MKNOD", "AUDIT_WRITE", "NET_RAW", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "SETGID", "SETUID", "NET_BIND_SERVICE", "SYS_CHROOT", "SETFCAP"]
runAsUser: 0
runAsNonRoot: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
volumeMounts:
- name: prometheus-storage
mountPath: /var/lib/prometheus
containers:
- name: prometheus
image: redxen.eu/daemons/prometheus:latest
imagePullPolicy: IfNotPresent
securityContext:
capabilities:
drop: ["ALL"]
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
volumeMounts:
- name: prometheus-storage
mountPath: /var/lib/prometheus
ports:
- containerPort: 9090
livenessProbe:
httpGet:
port: 9090
path: /
volumes:
- name: prometheus-storage
persistentVolumeClaim:
claimName: prometheus-pvc
readOnly: false

7
redxen/prometheus/kustomization.yaml Normal file
View File

@ -0,0 +1,7 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- deployment.yml
- persistentvolume.yml
- persistentvolumeclaim.yml
- service.yml

30
redxen/prometheus/persistentvolume.yml Normal file
View File

@ -0,0 +1,30 @@
# yaml-language-server: $schema=https://kubernetesjsonschema.dev/master/persistentvolume-v1.json
kind: PersistentVolume
apiVersion: v1
metadata:
namespace: redxen
labels:
app: prometheus
name: prometheus-pv
spec:
storageClassName: local-storage
claimRef:
namespace: redxen
name: prometheus-pvc
capacity:
storage: 1Gi
volumeMode: Filesystem
accessModes:
- ReadWriteOnce
#persistentVolumeReclaimPolicy: Retain
hostPath:
path: /var/lib/prometheus
type: DirectoryOrCreate
nodeAffinity:
required:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- bournemouth.united-kingdom

20
redxen/prometheus/persistentvolumeclaim.yml Normal file
View File

@ -0,0 +1,20 @@
# yaml-language-server: $schema=https://kubernetesjsonschema.dev/master/persistentvolumeclaim-v1.json
kind: PersistentVolumeClaim
apiVersion: v1
metadata:
namespace: redxen
labels:
app: prometheus
name: prometheus-pvc
spec:
volumeName: prometheus-pv
selector:
matchLabels:
app: prometheus
storageClassName: local-storage
volumeMode: Filesystem
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi

16
redxen/prometheus/service.yml Normal file
View File

@ -0,0 +1,16 @@
# yaml-language-server: $schema=https://kubernetesjsonschema.dev/master/service-v1.json
kind: Service
apiVersion: v1
metadata:
namespace: redxen
labels:
app: prometheus
name: prometheus-sv
spec:
selector:
app: prometheus
type: ClusterIP
ports:
- name: http
port: 9090
protocol: TCP

1
redxen/redis/persistentvolumeclaim.yml
View File

@ -7,6 +7,7 @@ metadata:
app: redis app: redis
name: redis-pvc name: redis-pvc
spec: spec:
volumeName: redis-pv
selector: selector:
matchLabels: matchLabels:
app: redis app: redis

1
redxen/registry/persistentvolumeclaim.yml
View File

@ -7,6 +7,7 @@ metadata:
app: registry app: registry
name: registry-pvc name: registry-pvc
spec: spec:
volumeName: registry-pv
selector: selector:
matchLabels: matchLabels:
app: registry app: registry

63
redxen/rspamd/deployment.yml Normal file
View File

@ -0,0 +1,63 @@
# yaml-language-server: $schema=https://kubernetesjsonschema.dev/master/deployment-apps-v1.json
kind: Deployment
apiVersion: apps/v1
metadata:
namespace: redxen
labels:
app: rspamd
name: rspamd-dp
spec:
replicas: 1
selector:
matchLabels:
app: rspamd
template:
metadata:
namespace: redxen
labels:
app: rspamd
spec:
hostUsers: false
securityContext:
seccompProfile:
type: RuntimeDefault
runAsNonRoot: true
runAsUser: 10000
runAsGroup: 10000
initContainers:
- name: volume-permissions
image: busybox
command: ["chown", "-c", "10000:10000", "/var/lib/rspamd"]
imagePullPolicy: IfNotPresent
securityContext:
capabilities:
drop: ["SETPCAP", "MKNOD", "AUDIT_WRITE", "NET_RAW", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "SETGID", "SETUID", "NET_BIND_SERVICE", "SYS_CHROOT", "SETFCAP"]
runAsUser: 0
runAsNonRoot: false
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
volumeMounts:
- name: rspamd-data
mountPath: /var/lib/rspamd
containers:
- name: rspamd
image: redxen.eu/daemons/rspamd:latest
imagePullPolicy: IfNotPresent
securityContext:
capabilities:
drop: ["ALL"]
allowPrivilegeEscalation: false
readOnlyRootFilesystem: true
volumeMounts:
- name: rspamd-data
mountPath: /var/lib/rspamd
ports:
- containerPort: 7510
- containerPort: 7511
- containerPort: 7512
- containerPort: 7513
volumes:
- name: rspamd-data
emptyDir:
medium: Memory
sizeLimit: 128Mi

5
redxen/rspamd/kustomization.yaml Normal file
View File

@ -0,0 +1,5 @@
apiVersion: kustomize.config.k8s.io/v1beta1
kind: Kustomization
resources:
- deployment.yml
- service.yml

25
redxen/rspamd/service.yml Normal file
View File

@ -0,0 +1,25 @@
# yaml-language-server: $schema=https://kubernetesjsonschema.dev/master/service-v1.json
kind: Service
apiVersion: v1
metadata:
namespace: redxen
labels:
app: rspamd
name: rspamd-sv
spec:
selector:
app: rspamd
type: ClusterIP
ports:
- name: normal
port: 7511
protocol: TCP
- name: controller
port: 7512
protocol: TCP
- name: proxy
port: 7510
protocol: TCP
- name: fuzzy
port: 7513
protocol: TCP