infrastructure/black-start
3
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Compare commits

base: infrastructure:58bb6ffac496655e00a5097a6f2c3caaf2b43012
Branches Tags
infrastructure:main
...
compare: infrastructure:main
Branches Tags
infrastructure:main

1 Commits
58bb6ffac4 ... main

Author SHA1 Message Date
William P
3d60cb6706 add omni 2026-04-09 18:02:06 +00:00
6 changed files with 112 additions and 2 deletions
Expand all files Collapse all files

1
kubernetes/charts/default.nix
View File

@@ -3,5 +3,6 @@
./cloudnativepg.nix ./cloudnativepg.nix
./cert-manager.nix ./cert-manager.nix
./authentik.nix ./authentik.nix
./omni.nix
]; ];
} }

88
kubernetes/charts/omni.nix Normal file
View File

@@ -0,0 +1,88 @@
{ pkgs, ... }:
let
omniSrc = pkgs.fetchFromGitHub {
owner = "siderolabs";
repo = "omni";
rev = "v1.6.5";
hash = "sha256-FV0aPZaEejNBY/ajjdo3dURwDFu+8RInKOmeV5SVMXw=";
};
omniChartTarball = pkgs.runCommand "omni-chart.tgz" {
nativeBuildInputs = [ pkgs.gnutar ];
} ''
tar czf "$out" -C "${omniSrc}/deploy/helm" omni
'';
omniManifest = pkgs.runCommand "omni-manifest.yaml" {
nativeBuildInputs = [ pkgs.coreutils ];
} ''
chart_content=$(base64 -w 0 < "${omniChartTarball}")
cat > "$out" <<EOF
apiVersion: helm.cattle.io/v1
kind: HelmChart
metadata:
name: omni
namespace: kube-system
spec:
targetNamespace: omni
createNamespace: true
chartContent: $chart_content
valuesContent: |-
etcdEncryptionKey:
existingSecret: omni-etcd-key
ingress:
main:
enabled: true
host: weyma-omni.infra.dubyatp.xyz
tls:
- hosts:
- weyma-omni.infra.dubyatp.xyz
secretName: cert-dubyatp-xyz
kubernetesProxy:
enabled: true
host: weyma-omni-k8s.infra.dubyatp.xyz
tls:
- hosts:
- weyma-omni-k8s.infra.dubyatp.xyz
secretName: cert-dubyatp-xyz
siderolinkApi:
enabled: true
host: weyma-omni-siderolink.infra.dubyatp.xyz
tls:
- hosts:
- weyma-omni-siderolink.infra.dubyatp.xyz
secretName: cert-dubyatp-xyz
service:
wireguard:
type: LoadBalancer
config:
account:
name: weyma-omni
id: a0a43f2a-d838-4fe0-96fb-ab9e60695e0b
auth:
auth0:
enabled: false
saml:
enabled: true
url: https://auth.dubyatp.xyz/application/saml/omni/metadata/
initialUsers:
- me@williamtpeebles.com
services:
api:
advertisedURL: https://weyma-omni.infra.dubyatp.xyz
kubernetesProxy:
advertisedURL: https://weyma-omni-k8s.infra.dubyatp.xyz
machineAPI:
advertisedURL: https://weyma-omni-siderolink.infra.dubyatp.xyz
siderolink:
wireGuard:
advertisedEndpoint: 10.105.6.198:50180
EOF
'';
in
{
services.k3s.manifests."omni-chart.yaml".source = omniManifest;
}

1
kubernetes/secrets/default.nix
View File

@@ -4,5 +4,6 @@
./cloudnativepg/weyma-pgsql-replication.nix ./cloudnativepg/weyma-pgsql-replication.nix
./cert-manager/cloudflare-api-token.nix ./cert-manager/cloudflare-api-token.nix
./authentik/authentik-credentials.nix ./authentik/authentik-credentials.nix
./omni/omni-etcd-key.nix
]; ];
} }

17
kubernetes/secrets/omni/omni-etcd-key.nix Normal file
View File

@@ -0,0 +1,17 @@
{ config, ... }:
{
sops.templates."omni-etcd-key.yaml" = {
mode = "0444";
content = ''
apiVersion: v1
kind: Secret
metadata:
name: omni-etcd-key
namespace: omni
type: Opaque
data:
omni.asc: ${config.sops.placeholder.omni_asc_base64}
'';
path = "/var/lib/rancher/k3s/server/manifests/secrets/omni-etcd-key.yaml";
};
}

2
security/sops.nix
View File

@@ -32,6 +32,8 @@
authentik_db_password = {}; authentik_db_password = {};
authentik_files_keyid = {}; authentik_files_keyid = {};
authentik_files_keysecret = {}; authentik_files_keysecret = {};
omni_asc_base64 = {};
}; };
}; };
} }

5
security/sops_nix.yaml
View File

@@ -11,6 +11,7 @@ authentik_user_password: ENC[AES256_GCM,data:BJdiJouByTIoXYL3xn7zn6czVuXHheDdRKX
authentik_db_password: ENC[AES256_GCM,data:mAYOax2eC3E4lPsseD/bjPlOnL7pFavXbfArETKy,iv:hb/VBLKNc8yU6viSWm1ds4v24kpbndbKjwf4xN5/Ha8=,tag:T22wPtEvJXWfohP/lyU9YQ==,type:str] authentik_db_password: ENC[AES256_GCM,data:mAYOax2eC3E4lPsseD/bjPlOnL7pFavXbfArETKy,iv:hb/VBLKNc8yU6viSWm1ds4v24kpbndbKjwf4xN5/Ha8=,tag:T22wPtEvJXWfohP/lyU9YQ==,type:str]
authentik_files_keyid: ENC[AES256_GCM,data:342mVrO6ezaKAxDBWpnoFV2K5ZI=,iv:hCdivaMnEKl1zTC8BO+3EjdEPUDF0SHlev4N1tjprRo=,tag:zhiP0fZCW061HCyn6y8blw==,type:str] authentik_files_keyid: ENC[AES256_GCM,data:342mVrO6ezaKAxDBWpnoFV2K5ZI=,iv:hCdivaMnEKl1zTC8BO+3EjdEPUDF0SHlev4N1tjprRo=,tag:zhiP0fZCW061HCyn6y8blw==,type:str]
authentik_files_keysecret: ENC[AES256_GCM,data:KlYmsEsvINbyzoHRuru7asAysw5c9XJPdTb+YF/hb256AifG7zfp0Q==,iv:AXV6xolmQZtHzE1FmGAuLwgg3i/mMqiTWNwnXKCUNE0=,tag:frd3kvOu91hjRljUeXViNQ==,type:str] authentik_files_keysecret: ENC[AES256_GCM,data:KlYmsEsvINbyzoHRuru7asAysw5c9XJPdTb+YF/hb256AifG7zfp0Q==,iv:AXV6xolmQZtHzE1FmGAuLwgg3i/mMqiTWNwnXKCUNE0=,tag:frd3kvOu91hjRljUeXViNQ==,type:str]
omni_asc_base64: ENC[AES256_GCM,data:+hZDcjfOLxyUrLC+M0tb47s71OQyJB7PzLzPwzamhooP3QZe9SOpYswHVhLeZELt1pUgm2ntIoqz9JMvoABDZZDXSob8uBsk4hLH3QJccNRxba1+laDzH3ni3OAVHZq6eSczDfX+aD+Z7JRaqp+cf4fwrb1scxE3kNL+bKcFXy0pOlqo36Ltcgr0sR5Jywf/zt8wvDGZ8GoiAMxBRIdgZL5W2/5MNqMtu1yllAPh4YU2qhrCxqKqmIKFROV/aMY3D34eW8VKOFG+3kfovNvXAA6bf9QZhkYEb1tO4ln8ULEtGmxQNyzbxnvDGmALcVgSXRCvuXK/QumxYyTGCkLrXHgC7xsqPHMU90jrLE7UVLiGsYfwuBsUVq8vmQpsQablNxzmbTSAHc+cTxBPj7ssgzJTwB4d/d2K7AJfpG4YEhv5PtyA5hYKXVunBM4N4mUiM+jqEJaJa3a9cmVxrdGfuCx3hj8sy0D2oTx6YsbX8+wg2bF+sQn+L6COH0Uw28NAFS7YBnbavLzt8PCAmi8CFgb24lYZoHwcMlbmK25etkEbEYGB6fYawqlKqhG248Ji6ACke0aylGHudX3ENfKvhOztjMQ9e5oDOetntNj3ITrjz+oMWUDlKeG8vqnZxss8aru17Mdo4/YIIVirUnO3GmqG88P1d6csJZXrglJcVHxV++CFL36a83ccGXmYFrCEmmZzxvbVCvr01L32qCEvWppw0B5jX+N2uL8gnn58PNiG+JKRMZct3ygq8Le0HI+XqxmbKRsES35KwFjeBFdEAdJ9ecFBWmUOVnGi/m6uPjgiPIrSCBBRkSFw/LdqmFPeHWAGJK6CgtLwhGfXznsy+PY1V6UkrVRoYKpX8hKVTaxPfWrSMfcWvnqw1bkPWaeicOMYRbl4Sj/hDr7UOCGnMse8LYmPcecsLYdjqsRbcDrPucgoW75EdFCIj3UXYIMcOtHa8rySItOdHnDNaf29OvWxblqd4RqTNGTwNZgkjFoMrLEwKFDQbmSjgq0PrwuZ7Lxgr4pHjYWlnAVAHLDrPaLyuY9LR+Y0jCsFcNWBtfV6E1kaiznJ2zXntlJgA5z7+KgOG1F/mJGUp4ciFqPl9FBD9XrFFgOQ4RvzMs4t8e2jUl6UJ83UlSQmGdUklmn1B+S9mF2kdHA7J3+Fh/AqYttt07ujMU/BbkUPKGIUnG7wjmG6L1bfnvj2pob5bJyi79UTma+iSH/HdoNXVt55RbkDJ5nUMxcTFCYVML3LA/w=,iv:C50Ad6hRMKKma6Ar/lS0tItjaKDQKSx1b8nS/GIUsik=,tag:w8YAfIuQHF9aPqPUAMAB1g==,type:str]
sops: sops:
age: age:
- recipient: age1usxppyy4nfqtlvlvj5fgcwze6yy3yyvuqadrcmwwtt5dtctfkfrqzuk5w3 - recipient: age1usxppyy4nfqtlvlvj5fgcwze6yy3yyvuqadrcmwwtt5dtctfkfrqzuk5w3
@@ -22,7 +23,7 @@ sops:
Q1VUZnpnOUh2SVQ2RC9XOG5qUTVzeWMKd4nZfXETJi1tbRrUDb938mk+OOnIru9t Q1VUZnpnOUh2SVQ2RC9XOG5qUTVzeWMKd4nZfXETJi1tbRrUDb938mk+OOnIru9t
F66KTiCc7akLC165G1ywBMShMPi5K+X9vRzGfmzUmwOHh2f4tZLBHA== F66KTiCc7akLC165G1ywBMShMPi5K+X9vRzGfmzUmwOHh2f4tZLBHA==
-----END AGE ENCRYPTED FILE----- -----END AGE ENCRYPTED FILE-----
lastmodified: "2026-04-08T14:52:06Z" lastmodified: "2026-04-08T15:30:13Z"
mac: ENC[AES256_GCM,data:vV04hhnzD7pFbTV3CRxFzg26cOlzWh8AxyjYRBxL8nwmk+v47ApNqciuVzYPaw8jjvPN9qWAZuEqbY2ZApQnzhDiSFAm7mxviZSpOFPL1AxEz40iweuFt/Q9C6pqtOR2cRDu5lti6HSsafbsKSi2rDlh6ycDn8A/dclvpJ1oMV0=,iv:oFA2uWg1opYYRoMvGuHrY8+Kz1x2AmOdYCKJl+V9bSY=,tag:dntYsHiwUHxEig+sNLxICA==,type:str] mac: ENC[AES256_GCM,data:ftM+7yM6SA96iALU6O6AqdzMsAftZeeHeajTU7fhQnU11Z9cSzBEbdrgg4jIJ9nVgoV+voHoeA3OX3NEvlC3dlnCVN+Re1xcBR8RRIptyVJxw1pEANPLUzMh3eBxtnLL/c6PFbvHogm5AOw65IwpfYLlAzSlg8agTGmHKoRVnuE=,iv:gJKXt5viHq01S28/gBaAzz3GleLz6JgNJd7vyvgWGvc=,tag:+9a2dcn3EmUhqbl7ISwuwg==,type:str]
unencrypted_suffix: _unencrypted unencrypted_suffix: _unencrypted
version: 3.12.2 version: 3.12.2