diff --git a/redxen/seedbox/kustomization.yaml b/redxen/seedbox/kustomization.yaml
new file mode 100644
index 0000000..bda24a2
--- /dev/null
+++ b/redxen/seedbox/kustomization.yaml
@@ -0,0 +1,7 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - rsync/
+ - nginx/
+ - persistentvolume.yml
+ - persistentvolumeclaim.yml
diff --git a/redxen/seedbox/nginx/deployment.yml b/redxen/seedbox/nginx/deployment.yml
new file mode 100644
index 0000000..63ec05c
--- /dev/null
+++ b/redxen/seedbox/nginx/deployment.yml
@@ -0,0 +1,74 @@
+# yaml-language-server: $schema=https://kubernetesjsonschema.dev/master/deployment-apps-v1.json
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+ namespace: redxen
+ labels:
+ app: seedbox-nginx
+ name: seedbox-nginx-dp
+spec:
+ replicas: 1
+ selector:
+ matchLabels:
+ app: seedbox-nginx
+ template:
+ metadata:
+ namespace: redxen
+ labels:
+ app: seedbox-nginx
+ spec:
+ hostUsers: false
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ runAsUser: 10000
+ runAsGroup: 10000
+ initContainers:
+ - name: volume-permissions
+ image: busybox
+ command: ["chown", "-c", "10000:10000", "/run/nginx"]
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ capabilities:
+ drop: ["SETPCAP", "MKNOD", "AUDIT_WRITE", "NET_RAW", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "SETGID", "SETUID", "NET_BIND_SERVICE", "SYS_CHROOT", "SETFCAP"]
+ runAsUser: 0
+ runAsNonRoot: false
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ volumeMounts:
+ - name: tmpfs-run
+ mountPath: /run/nginx
+ containers:
+ - name: seedbox-nginx
+ image: redxen.eu/daemons/nginx/seedbox:latest
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ capabilities:
+ drop: ["ALL"]
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ volumeMounts:
+ - name: seedbox-data
+ mountPath: /var/data
+ readOnly: true
+ - name: tmpfs-run
+ mountPath: /run/nginx
+ ports:
+ - containerPort: 80
+ livenessProbe:
+ httpGet:
+ port: 80
+ httpHeaders:
+ - name: "Host"
+ value: "sd.redxen.eu"
+ path: /
+ volumes:
+ - name: seedbox-data
+ persistentVolumeClaim:
+ claimName: seedbox-data-pvc
+ readOnly: true
+ - name: tmpfs-run
+ emptyDir:
+ medium: Memory
+ sizeLimit: 2Mi
diff --git a/redxen/seedbox/nginx/kustomization.yaml b/redxen/seedbox/nginx/kustomization.yaml
new file mode 100644
index 0000000..68074df
--- /dev/null
+++ b/redxen/seedbox/nginx/kustomization.yaml
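Review bot: The volume-permissions init container runs as real root (`runAsUser: 0`) only to chown the tmpfs-run emptyDir, which the pod securityContext can do without an extra root process: adding `fsGroup: 10000` next to `runAsGroup: 10000` should make the kubelet set group ownership on the emptyDir, so the whole initContainers stanza can go (the same applies to rsync/deployment.yml further down in this commit). If the init container stays, its capability set reads more clearly and audits more easily as `drop: ["ALL"]` plus `add: ["CHOWN"]`, matching the drop-all style of the main container. `image: busybox` and `image: redxen.eu/daemons/nginx/seedbox:latest` are unpinned and combined with `imagePullPolicy: IfNotPresent`, so a node keeps whatever it cached and a rebuilt image is never picked up; a fixed tag or `@sha256:` digest gives reproducible, reviewable deploys. `hostUsers: false` presumably relies on user-namespace support being enabled on this cluster and its runtime; where it is not, the field is dropped and the init container is host root, so a comment recording that assumption would help the next reader.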
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - deployment.yml
+ - service.yml
diff --git a/redxen/seedbox/nginx/service.yml b/redxen/seedbox/nginx/service.yml
new file mode 100644
index 0000000..b83e7b0
--- /dev/null
+++ b/redxen/seedbox/nginx/service.yml
@@ -0,0 +1,16 @@
+# yaml-language-server: $schema=https://kubernetesjsonschema.dev/master/service-v1.json
+kind: Service
+apiVersion: v1
+metadata:
+ namespace: redxen
+ labels:
+ app: seedbox-nginx
+ name: seedbox-nginx-sv
+spec:
+ selector:
+ app: seedbox-nginx
+ type: ClusterIP
+ ports:
+ - name: http
+ port: 80
+ protocol: TCP
diff --git a/redxen/seedbox/persistentvolume.yml b/redxen/seedbox/persistentvolume.yml
new file mode 100644
index 0000000..931d85f
--- /dev/null
+++ b/redxen/seedbox/persistentvolume.yml
@@ -0,0 +1,28 @@
+# yaml-language-server: $schema=https://kubernetesjsonschema.dev/master/persistentvolume-v1.json
+kind: PersistentVolume
+apiVersion: v1
+metadata:
+ namespace: redxen
+ name: seedbox-data-pv
+spec:
+ storageClassName: local-storage
+ claimRef:
+ namespace: redxen
+ name: seedbox-data-pvc
+ capacity:
+ storage: 1Gi
+ volumeMode: Filesystem
+ accessModes:
+ - ReadWriteOnce
+ #persistentVolumeReclaimPolicy: Retain
+ hostPath:
+ path: /var/lib/seedbox
+ type: DirectoryOrCreate
+ nodeAffinity:
+ required:
+ nodeSelectorTerms:
+ - matchExpressions:
+ - key: kubernetes.io/hostname
+ operator: In
+ values:
+ - bournemouth.united-kingdom
diff --git a/redxen/seedbox/persistentvolumeclaim.yml b/redxen/seedbox/persistentvolumeclaim.yml
new file mode 100644
index 0000000..f5c4f53
--- /dev/null
+++ b/redxen/seedbox/persistentvolumeclaim.yml
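Review bot: `metadata.namespace: redxen` on the PersistentVolume in persistentvolume.yml has no effect, because PersistentVolumes are cluster-scoped; the intended binding is already carried by `claimRef.namespace`, so the field should be removed rather than left to mislead. The reclaim policy is only present as the commented-out `#persistentVolumeReclaimPolicy: Retain`; manually created PVs default to Retain, but for host data under `/var/lib/seedbox` it is worth stating `persistentVolumeReclaimPolicy: Retain` explicitly so a later storage-class or policy edit cannot silently delete the directory. `type: DirectoryOrCreate` means the kubelet creates the path as root with mode 0755 when absent, while the pods read it as uid 10000 via a read-only mount, so whatever populates the directory out-of-band must leave files world-readable; a comment naming that producer and the expected ownership would save the next operator a permission-denied hunt.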
@@ -0,0 +1,15 @@
+# yaml-language-server: $schema=https://kubernetesjsonschema.dev/master/persistentvolumeclaim-v1.json
+kind: PersistentVolumeClaim
+apiVersion: v1
+metadata:
+ namespace: redxen
+ name: seedbox-data-pvc
+spec:
+ volumeName: seedbox-data-pv
+ storageClassName: local-storage
+ volumeMode: Filesystem
+ accessModes:
+ - ReadWriteOnce
+ resources:
+ requests:
+ storage: 1Gi
diff --git a/redxen/seedbox/rsync/deployment.yml b/redxen/seedbox/rsync/deployment.yml
new file mode 100644
index 0000000..e0c24c3
--- /dev/null
+++ b/redxen/seedbox/rsync/deployment.yml
@@ -0,0 +1,70 @@
+# yaml-language-server: $schema=https://kubernetesjsonschema.dev/master/deployment-apps-v1.json
+kind: Deployment
+apiVersion: apps/v1
+metadata:
+ namespace: redxen
+ labels:
+ app: seedbox-rsync
+ name: seedbox-rsync-dp
+spec:
+ selector:
+ matchLabels:
+ app: seedbox-rsync
+ replicas: 1
+ template:
+ metadata:
+ namespace: redxen
+ labels:
+ app: seedbox-rsync
+ spec:
+ hostUsers: false
+ securityContext:
+ seccompProfile:
+ type: RuntimeDefault
+ runAsNonRoot: true
+ runAsUser: 10000
+ runAsGroup: 10000
+ initContainers:
+ - name: volume-permissions
+ image: busybox
+ command: ["chown", "-c", "10000:10000", "/var/run"]
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ capabilities:
+ drop: ["SETPCAP", "MKNOD", "AUDIT_WRITE", "NET_RAW", "DAC_OVERRIDE", "FOWNER", "FSETID", "KILL", "SETGID", "SETUID", "NET_BIND_SERVICE", "SYS_CHROOT", "SETFCAP"]
+ runAsUser: 0
+ runAsNonRoot: false
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ volumeMounts:
+ - name: tmpfs-run
+ mountPath: /var/run
+ containers:
+ - name: seedbox-rsync
+ image: redxen.eu/daemons/rsync/seedbox:latest
+ imagePullPolicy: IfNotPresent
+ securityContext:
+ capabilities:
+ drop: ["ALL"]
+ allowPrivilegeEscalation: false
+ readOnlyRootFilesystem: true
+ volumeMounts:
+ - name: seedbox-data
+ mountPath: /var/data
+ readOnly: true
+ - name: tmpfs-run
+ mountPath: /var/run
+ ports:
+ - containerPort: 8874
+ livenessProbe:
+ tcpSocket:
+ port: 8874
+ volumes:
+ - name: seedbox-data
+ persistentVolumeClaim:
+ claimName: seedbox-data-pvc
+ readOnly: true
+ - name: tmpfs-run
+ emptyDir:
+ medium: Memory
+ sizeLimit: 2Mi
diff --git a/redxen/seedbox/rsync/kustomization.yaml b/redxen/seedbox/rsync/kustomization.yaml
new file mode 100644
index 0000000..68074df
--- /dev/null
+++ b/redxen/seedbox/rsync/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - deployment.yml
+ - service.yml
diff --git a/redxen/seedbox/rsync/service.yml b/redxen/seedbox/rsync/service.yml
new file mode 100644
index 0000000..58d88c5
--- /dev/null
+++ b/redxen/seedbox/rsync/service.yml
@@ -0,0 +1,16 @@
+# yaml-language-server: $schema=https://kubernetesjsonschema.dev/master/service-v1.json
+kind: Service
+apiVersion: v1
+metadata:
+ namespace: redxen
+ labels:
+ app: seedbox-rsync
+ name: seedbox-rsync-sv
+spec:
+ selector:
+ app: seedbox-rsync
+ type: ClusterIP
+ ports:
+ - name: rsync
+ port: 8874
+ protocol: TCP