feat: added argocd and arr

.vscode/settings.json

@@ -0,0 +1,3 @@
+{
+  "prettier.bracketSpacing": false
+}

playbook-k3s.yml

@@ -1,36 +1,38 @@
 ---
-- hosts: k3s_cluster
+# - hosts: k3s_cluster
-  gather_facts: yes
+#   gather_facts: yes
-  become: yes
+#   become: yes
-  roles:
+#   roles:
-    - role: prereq
+#     - role: prereq
-    - role: download
+#     - role: download
 
-- hosts: master
+# - hosts: master
-  become: yes
+#   become: yes
-  roles:
+#   roles:
-    - role: k3s/master
+#     - role: k3s/master
 
-- hosts: node
+# - hosts: node
-  become: yes
+#   become: yes
-  roles:
+#   roles:
-    - role: k3s/node
+#     - role: k3s/node
 
-- hosts: master
+# - hosts: master
-  become: yes
+#   become: yes
-  roles:
+#   roles:
-    - role: k3s/post
+#     - role: k3s/post
 
-- hosts: master
+# - hosts: master
-  become: yes
+#   become: yes
-  roles:
+#   roles:
-    - role: k3s/copy-config
+#     - role: k3s/copy-config
 
 - hosts: localhost
   become: yes
   roles:
-    - role: traefik
+    # - role: traefik
-    - role: cert-manager
+    # - role: cert-manager
-    - role: authentik
+    # - role: authentik
-    - role: nginx
+    - role: argocd
+    # - role: nginx
+    # - role: arr
     # - role: redis

roles/argocd/tasks/main.yml

@@ -0,0 +1,27 @@
+---
+- name: Create argocd namespace
+  kubernetes.core.k8s:
+    name: argocd
+    kubeconfig: /Users/lino.silva/.kube/config
+    api_version: v1
+    kind: Namespace
+    state: present
+
+- name: Install argocd
+  kubernetes.core.k8s:
+    kubeconfig: /Users/lino.silva/.kube/config
+    state: present
+    namespace: argocd
+    definition: "{{ lookup('template', 'install.yml') | from_yaml }}"
+
+- name: Deploy forwardauth middleware
+  kubernetes.core.k8s:
+    kubeconfig: /Users/lino.silva/.kube/config
+    state: present
+    definition: "{{ lookup('template', 'middleware-forwardauth.yml') | from_yaml }}"
+
+- name: Deploy argocd - ingress
+  kubernetes.core.k8s:
+    kubeconfig: /Users/lino.silva/.kube/config
+    state: present
+    definition: "{{ lookup('template', 'ingress.yml') | from_yaml }}"

roles/argocd/templates/ingress.yml

@@ -0,0 +1,37 @@
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: argocd
+  namespace: argocd
+  annotations:
+    kubernetes.io/ingress.class: traefik-external
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`argocd.lino.cooking`)
+      kind: Rule
+      services:
+        - name: argocd-server
+          port: 80
+      middlewares:
+        - name: argocd-forwardauth
+          namespace: argocd
+    - match: Host(`argocd.lino.cooking`) && Headers(`Content-Type`, `application/grpc`)
+      kind: Rule
+      services:
+        - name: argocd-server
+          port: 80
+          scheme: h2c
+    - match: "Host(`argocd.lino.cooking`) && PathPrefix(`/outpost.goauthentik.io/`)"
+      kind: Rule
+      priority: 15
+      services:
+        - kind: Service
+          # Or, to use an external Outpost, create an ExternalName service and reference that here.
+          # See https://kubernetes.io/docs/concepts/services-networking/service/#externalname
+          name: authentik
+          port: 9000
+  tls:
+    secretName: lino-cooking-tls

roles/argocd/templates/middleware-forwardauth.yml

@@ -0,0 +1,21 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: argocd-forwardauth
+  namespace: argocd
+spec:
+  forwardAuth:
+    address: https://argocd.lino.cooking/outpost.goauthentik.io/auth/traefik
+    trustForwardHeader: true
+    authResponseHeaders:
+      - X-authentik-username
+      - X-authentik-groups
+      - X-authentik-email
+      - X-authentik-name
+      - X-authentik-uid
+      - X-authentik-jwt
+      - X-authentik-meta-jwks
+      - X-authentik-meta-outpost
+      - X-authentik-meta-provider
+      - X-authentik-meta-app
+      - X-authentik-meta-version

roles/arr/tasks/main.yml

@@ -0,0 +1,64 @@
+---
+# - name: Create a arr-apps namespace
+#   kubernetes.core.k8s:
+#     name: arr-apps
+#     kubeconfig: /Users/lino.silva/.kube/config
+#     api_version: v1
+#     kind: Namespace
+#     state: present
+
+- name: Deploy arr - deployment
+  kubernetes.core.k8s:
+    kubeconfig: /Users/lino.silva/.kube/config
+    state: present
+    definition: "{{ lookup('template', 'deployment.yml') | from_yaml }}"
+  loop:
+    - { name: 'radarr', port: 7878 }
+    - { name: 'prowlarr', port: 9696 }
+    - { name: 'sonarr', port: 8989 }
+    - { name: 'overseerr', port: 5055 }
+    - { name: 'transmission', port: 9091 }
+    - { name: 'bazarr', port: 6767 }
+    - { name: 'lidarr', port: 8686 }
+
+- name: Deploy arr services
+  kubernetes.core.k8s:
+    kubeconfig: /Users/lino.silva/.kube/config
+    state: present
+    definition: "{{ lookup('template', 'service.yml') | from_yaml }}"
+  loop:
+    - { name: 'radarr', port: 7878 }
+    - { name: 'prowlarr', port: 9696 }
+    - { name: 'sonarr', port: 8989 }
+    - { name: 'overseerr', port: 5055 }
+    - { name: 'transmission', port: 9091 }
+    - { name: 'bazarr', port: 6767 }
+    - { name: 'lidarr', port: 8686 }
+
+- name: Deploy forwardauth middleware
+  kubernetes.core.k8s:
+    kubeconfig: /Users/lino.silva/.kube/config
+    state: present
+    definition: "{{ lookup('template', 'middleware-forwardauth.yml') | from_yaml }}"
+  loop:
+    - radarr
+    - prowlarr
+    - sonarr
+    - overseerr
+    - transmission
+    - bazarr
+    - lidarr
+
+- name: Deploy arr - ingress
+  kubernetes.core.k8s:
+    kubeconfig: /Users/lino.silva/.kube/config
+    state: present
+    definition: "{{ lookup('template', 'ingress.yml') | from_yaml }}"
+  loop:
+    - { name: 'radarr', port: 7878 }
+    - { name: 'prowlarr', port: 9696 }
+    - { name: 'sonarr', port: 8989 }
+    - { name: 'overseerr', port: 5055 }
+    - { name: 'transmission', port: 9091 }
+    - { name: 'bazarr', port: 6767 }
+    - { name: 'lidarr', port: 8686 }

roles/arr/templates/deployment.yml

@@ -0,0 +1,30 @@
+---
+- kind: Deployment
+  apiVersion: apps/v1
+  metadata:
+    name: {{ item.name }}
+    namespace: default
+    labels:
+      app: {{ item.name }}
+  spec:
+    replicas: 1
+    progressDeadlineSeconds: 600
+    revisionHistoryLimit: 2
+    strategy:
+      type: Recreate
+    selector:
+      matchLabels:
+        app: {{ item.name }}
+    template:
+      metadata:
+        labels:
+          app: {{ item.name }}
+      spec:
+        containers:
+          - name: {{ item.name }}
+            image: linuxserver/{{ item.name }}
+            ports:
+              - name: app-port
+                containerPort: {{ item.port }}
+                hostPort: {{ item.port }}
+                protocol: TCP

roles/arr/templates/ingress.yml

@@ -0,0 +1,32 @@
+---
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: {{ item.name }}
+  namespace: default
+  annotations:
+    kubernetes.io/ingress.class: traefik-external
+spec:
+  entryPoints:
+    - websecure
+  routes:
+    - match: Host(`{{ item.name }}.lino.cooking`)
+      kind: Rule
+      services:
+        - name: {{ item.name }}
+          port: {{ item.port }}
+      middlewares:
+        - name: default-headers
+        - name: {{ item.name }}-forwardauth
+          namespace: traefik
+    - match: "Host(`{{ item.name }}.lino.cooking`) && PathPrefix(`/outpost.goauthentik.io/`)"
+      kind: Rule
+      priority: 15
+      services:
+        - kind: Service
+          # Or, to use an external Outpost, create an ExternalName service and reference that here.
+          # See https://kubernetes.io/docs/concepts/services-networking/service/#externalname
+          name: authentik
+          port: 9000
+  tls:
+    secretName: lino-cooking-tls

roles/arr/templates/middleware-forwardauth.yml

@@ -0,0 +1,21 @@
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: {{ item }}-forwardauth
+  namespace: traefik
+spec:
+  forwardAuth:
+    address: https://{{ item }}.lino.cooking/outpost.goauthentik.io/auth/traefik
+    trustForwardHeader: true
+    authResponseHeaders:
+      - X-authentik-username
+      - X-authentik-groups
+      - X-authentik-email
+      - X-authentik-name
+      - X-authentik-uid
+      - X-authentik-jwt
+      - X-authentik-meta-jwks
+      - X-authentik-meta-outpost
+      - X-authentik-meta-provider
+      - X-authentik-meta-app
+      - X-authentik-meta-version

roles/arr/templates/service.yml

@@ -0,0 +1,13 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: {{ item.name }}
+  namespace: default
+spec:
+  selector:
+    app: {{ item.name }}
+  ports:
+    - name: http
+      targetPort: {{ item.port }}
+      port: {{ item.port }}

roles/k3s/dashboard/tasks/main.yml

@@ -0,0 +1,12 @@
+---
+- name: Deploy admin user
+  kubernetes.core.k8s:
+    kubeconfig: /Users/lino.silva/.kube/config
+    state: present
+    definition: "{{ lookup('template', 'dashboard.admin-user.yml') | from_yaml }}"
+
+- name: Deploy admin user role
+  kubernetes.core.k8s:
+    kubeconfig: /Users/lino.silva/.kube/config
+    state: present
+    definition: "{{ lookup('template', 'dashboard.admin-user-role.yml') | from_yaml }}"

roles/nginx/tasks/main.yml

@@ -15,7 +15,6 @@
   kubernetes.core.k8s:
     kubeconfig: /Users/lino.silva/.kube/config
     state: present
-    namespace: traefik
     definition: "{{ lookup('template', 'middleware-forwardauth.yml') | from_yaml }}"
 
 - name: Deploy nginx - ingress

roles/nginx/templates/ingress.yml

@@ -10,11 +10,6 @@ spec:
   entryPoints:
     - websecure
   routes:
-    - match: Host(`www.nginx.lino.cooking`)
-      kind: Rule
-      services:
-        - name: nginx
-          port: 80
     - match: Host(`nginx.lino.cooking`)
       kind: Rule
       services:

roles/nginx/templates/middleware-forwardauth.yml

@@ -2,6 +2,7 @@ apiVersion: traefik.containo.us/v1alpha1
 kind: Middleware
 metadata:
   name: nginx-middleware-forwardauth
+  namespace: traefik
 spec:
   forwardAuth:
     address: https://nginx.lino.cooking/outpost.goauthentik.io/auth/traefik