use internal .lab instead of failing duckdns.org

2025-12-31 17:54:36 +01:00
parent 2c8de3468a
commit 02322e9a24
22 changed files with 33 additions and 31 deletions
--- a/.gitea/workflows/crowdsec.yaml
+++ b/.gitea/workflows/crowdsec.yaml
@@ -16,10 +16,10 @@ concurrency:

 .vault_step: &vault_step
  name: read vault secret
-  uses: https://gitea.arcodange.duckdns.org/arcodange-org/vault-action.git@main
+  uses: https://gitea.arcodange.lab/arcodange-org/vault-action.git@main
  id: vault-secrets
  with:
-    url: https://vault.arcodange.duckdns.org
+    url: https://vault.arcodange.lab
    jwtGiteaOIDC: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
    role: gitea_cicd_crowdsec
    method: jwt
--- a/.gitea/workflows/helmcharts.yaml
+++ b/.gitea/workflows/helmcharts.yaml
@@ -165,7 +165,7 @@ jobs:
          chart_package=${chart}-${chart_version}.tgz
          # helm package ${chart}
          tar -X ${chart}/.helmignore -czf ${chart_package} ${chart}
-          curl --user ${{ github.actor }}:${{ secrets.PACKAGES_TOKEN }} -X POST --upload-file ./${chart_package} https://gitea.arcodange.duckdns.org/api/packages/${{ github.repository_owner }}/helm/api/charts
+          curl --user ${{ github.actor }}:${{ secrets.PACKAGES_TOKEN }} -X POST --upload-file ./${chart_package} https://gitea.arcodange.lab/api/packages/${{ github.repository_owner }}/helm/api/charts

  application-charts:
    <<: *charts-matrix-job
--- a/.gitea/workflows/plausible.yaml
+++ b/.gitea/workflows/plausible.yaml
@@ -16,10 +16,10 @@ concurrency:

 .vault_step: &vault_step
  name: read vault secret
-  uses: https://gitea.arcodange.duckdns.org/arcodange-org/vault-action.git@main
+  uses: https://gitea.arcodange.lab/arcodange-org/vault-action.git@main
  id: vault-secrets
  with:
-    url: https://vault.arcodange.duckdns.org
+    url: https://vault.arcodange.lab
    jwtGiteaOIDC: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
    role: gitea_cicd_plausible
    method: jwt
--- a/.gitea/workflows/vault.yaml
+++ b/.gitea/workflows/vault.yaml
@@ -16,10 +16,10 @@ concurrency:

 .vault_step: &vault_step
  name: read vault secret
-  uses: https://gitea.arcodange.duckdns.org/arcodange-org/vault-action.git@main
+  uses: https://gitea.arcodange.lab/arcodange-org/vault-action.git@main
  id: vault-secrets
  with:
-    url: https://vault.arcodange.duckdns.org
+    url: https://vault.arcodange.lab
    jwtGiteaOIDC: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
    role: gitea_cicd
    method: jwt
--- a/chart/templates/apps.yaml
+++ b/chart/templates/apps.yaml
@@ -10,7 +10,7 @@ metadata:
 spec:
  project: tools
  source:
-    repoURL: https://gitea.arcodange.duckdns.org/arcodange-org/tools
+    repoURL: https://gitea.arcodange.lab/arcodange-org/tools
    targetRevision: HEAD
    path: {{ $app_name }}
  destination:
--- a/chart/templates/project.yaml
+++ b/chart/templates/project.yaml
@@ -10,7 +10,7 @@ metadata:
 spec:
  description: Arcodange tools (monitoring, cache, connection pool, secret management...)
  sourceRepos:
-  - 'https://gitea.arcodange.duckdns.org/arcodange-org/tools'
+  - 'https://gitea.arcodange.lab/arcodange-org/tools'
  # Only permit applications to deploy to the tools namespace in the same cluster
  destinations:
  - namespace: tools
--- a/clickhouse/kustomization.yaml
+++ b/clickhouse/kustomization.yaml
@@ -25,4 +25,6 @@ patches:
          name: config-volume
          mountPath: /etc/clickhouse-server/users.d/custom-users.xml
          subPath: custom-users.xml
-          readOnly: true
+          readOnly: true
+
+          Ne pas avoir de pod sur pi2
--- a/crowdsec/Chart.yaml
+++ b/crowdsec/Chart.yaml
@@ -5,7 +5,7 @@ description: A Helm chart for Kubernetes
 dependencies:
 - name: tool
  version: 0.1.0
-  repository: https://gitea.arcodange.duckdns.org/api/packages/arcodange-org/helm
+  repository: https://gitea.arcodange.lab/api/packages/arcodange-org/helm
 - name: crowdsec
  version: 0.20.1
  repository: https://crowdsecurity.github.io/helm-charts
--- a/crowdsec/iac/providers.tf
+++ b/crowdsec/iac/providers.tf
@@ -8,7 +8,7 @@ terraform {
 }

 provider "vault" {
-  address = "https://vault.arcodange.duckdns.org"
+  address = "https://vault.arcodange.lab"
  auth_login_jwt { # TERRAFORM_VAULT_AUTH_JWT environment variable
    mount = "gitea_jwt"
    role  = "gitea_cicd_crowdsec"
--- a/grafana/Chart.yaml
+++ b/grafana/Chart.yaml
@@ -16,7 +16,7 @@ description: A Helm chart for Kubernetes
 dependencies:
 - name: tool
  version: 0.1.0
-  repository: https://gitea.arcodange.duckdns.org/api/packages/arcodange-org/helm
+  repository: https://gitea.arcodange.lab/api/packages/arcodange-org/helm
 - name: grafana
  version: 10.3.0
  repository: https://grafana.github.io/helm-charts
--- a/grafana/values.yaml
+++ b/grafana/values.yaml
@@ -270,11 +270,11 @@ grafana: &grafana_config
      traefik.ingress.kubernetes.io/router.entrypoints: websecure
      traefik.ingress.kubernetes.io/router.tls: "true"
      traefik.ingress.kubernetes.io/router.tls.certresolver: letsencrypt
-      traefik.ingress.kubernetes.io/router.tls.domains.0.main: arcodange.duckdns.org
-      traefik.ingress.kubernetes.io/router.tls.domains.0.sans: grafana.arcodange.duckdns.org
+      traefik.ingress.kubernetes.io/router.tls.domains.0.main: arcodange.lab
+      traefik.ingress.kubernetes.io/router.tls.domains.0.sans: grafana.arcodange.lab
      traefik.ingress.kubernetes.io/router.middlewares: localIp@file
    hosts:
-      - grafana.arcodange.duckdns.org
+      - grafana.arcodange.lab

  resources:
   limits:
--- a/hashicorp-vault/Chart.yaml
+++ b/hashicorp-vault/Chart.yaml
@@ -5,7 +5,7 @@ description: A Helm chart for Kubernetes
 dependencies:
 - name: tool
  version: 0.1.0
-  repository: https://gitea.arcodange.duckdns.org/api/packages/arcodange-org/helm
+  repository: https://gitea.arcodange.lab/api/packages/arcodange-org/helm
 - name: vault
  version: 0.28.1
  repository: https://helm.releases.hashicorp.com
--- a/hashicorp-vault/README.md
+++ b/hashicorp-vault/README.md
@@ -1,8 +1,8 @@
 # Vault

-1. Les [playbooks ansible](https://gitea.arcodange.duckdns.org/arcodange-org/factory/src/branch/main/ansible/arcodange/factory/playbooks) configurent la base de données postgres et le minimum requis pour permetre au dépot "tools" d'appliquer via un workflow gitea action [une configuration vault via tofu](./iac/).
+1. Les [playbooks ansible](https://gitea.arcodange.lab/arcodange-org/factory/src/branch/main/ansible/arcodange/factory/playbooks) configurent la base de données postgres et le minimum requis pour permetre au dépot "tools" d'appliquer via un workflow gitea action [une configuration vault via tofu](./iac/).
 2. Configuration des backend d'authentification et des roles pour postgres et kubernetes. Définition de rôles "${app}-ops" pour permettre au dépot d'une application de définir ses propres dépendances dans vault. Rotation de credentials postgres pour les applications.
-3. [Le dépot de l'application webapp](https://gitea.arcodange.duckdns.org/arcodange-org/webapp) gère l'obtention de ses crédentials pour postgres.
+3. [Le dépot de l'application webapp](https://gitea.arcodange.lab/arcodange-org/webapp) gère l'obtention de ses crédentials pour postgres.

 ```mermaid
 flowchart LR
--- a/hashicorp-vault/iac/providers.tf
+++ b/hashicorp-vault/iac/providers.tf
@@ -8,7 +8,7 @@ terraform {
 }

 provider "vault" {
-  address = "https://vault.arcodange.duckdns.org"
+  address = "https://vault.arcodange.lab"
  auth_login_jwt { # TERRAFORM_VAULT_AUTH_JWT environment variable
    mount = "gitea_jwt"
    role  = "gitea_cicd"
--- a/hashicorp-vault/values.yaml
+++ b/hashicorp-vault/values.yaml
@@ -15,11 +15,11 @@ vault: &vault_config
        traefik.ingress.kubernetes.io/router.entrypoints: websecure
        traefik.ingress.kubernetes.io/router.tls: "true"
        traefik.ingress.kubernetes.io/router.tls.certresolver: letsencrypt
-        traefik.ingress.kubernetes.io/router.tls.domains.0.main: arcodange.duckdns.org
-        traefik.ingress.kubernetes.io/router.tls.domains.0.sans: vault.arcodange.duckdns.org
+        traefik.ingress.kubernetes.io/router.tls.domains.0.main: arcodange.lab
+        traefik.ingress.kubernetes.io/router.tls.domains.0.sans: vault.arcodange.lab
        traefik.ingress.kubernetes.io/router.middlewares: localIp@file
      hosts:
-        - host: vault.arcodange.duckdns.org
+        - host: vault.arcodange.lab
          paths: []

  postStart: [] # https://github.com/hashicorp/vault-helm/blob/main/values.yaml
--- a/pgbouncer/Chart.yaml
+++ b/pgbouncer/Chart.yaml
@@ -5,7 +5,7 @@ description: A Helm chart for Kubernetes
 dependencies:
 - name: tool
  version: 0.1.0
-  repository: https://gitea.arcodange.duckdns.org/api/packages/arcodange-org/helm
+  repository: https://gitea.arcodange.lab/api/packages/arcodange-org/helm
 - name: pgbouncer
  version: 2.3.1
  repository: https://icoretech.github.io/helm
--- a/pgcat/Chart.yaml
+++ b/pgcat/Chart.yaml
@@ -5,7 +5,7 @@ description: A Helm chart for Kubernetes
 dependencies:
 - name: tool
  version: 0.1.0
-  repository: https://gitea.arcodange.duckdns.org/api/packages/arcodange-org/helm
+  repository: https://gitea.arcodange.lab/api/packages/arcodange-org/helm
 - name: pgcat
  version: 0.1.0
  repository: https://improwised.github.io/charts/
--- a/plausible/iac/providers.tf
+++ b/plausible/iac/providers.tf
@@ -8,7 +8,7 @@ terraform {
 }

 provider "vault" {
-  address = "https://vault.arcodange.duckdns.org"
+  address = "https://vault.arcodange.lab"
  auth_login_jwt { # TERRAFORM_VAULT_AUTH_JWT environment variable
    mount = "gitea_jwt"
    role  = "gitea_cicd_plausible"
--- a/plausible/kustomization.yaml
+++ b/plausible/kustomization.yaml
@@ -21,9 +21,9 @@ patches:
        value:
          certResolver: letsencrypt
          domains:
-          - main: arcodange.duckdns.org
+          - main: arcodange.lab
            sans:
-            - analytics.arcodange.duckdns.org
+            - analytics.arcodange.lab

 resources:
  - resources/vaultauth.yaml
--- a/plausible/plausibleValues.yaml
+++ b/plausible/plausibleValues.yaml
@@ -58,7 +58,7 @@ ingressRoute:
  # -- List of [entry points](https://doc.traefik.io/traefik/routing/routers/#entrypoints) on which the ingress route will be available.
  entryPoints: [websecure]
  # -- [Matching rule](https://doc.traefik.io/traefik/routing/routers/#rule) for the underlying router.
-  rule: Host(`analytics.arcodange.duckdns.org`)
+  rule: Host(`analytics.arcodange.lab`)
  # -- List of [middleware objects](https://doc.traefik.io/traefik/routing/providers/kubernetes-crd/#kind-middleware) for the ingress route.
  middlewares:
    - name: localIp@file
--- a/plausible/resources/configmap.yaml
+++ b/plausible/resources/configmap.yaml
@@ -9,7 +9,7 @@ data:
  DB_PORT: !!str 5432
  DB_NAME: plausible

-  BASE_URL: https://analytics.arcodange.duckdns.org
+  BASE_URL: https://analytics.arcodange.lab

  CLICKHOUSE_DATABASE_URL: http://plausible:plausiblearcodange@clickhouse.tools:8123/plausible

--- a/redis/Chart.yaml
+++ b/redis/Chart.yaml
@@ -16,7 +16,7 @@ description: A Helm chart for Kubernetes
 dependencies:
 - name: tool
  version: 0.1.0
-  repository: https://gitea.arcodange.duckdns.org/api/packages/arcodange-org/helm
+  repository: https://gitea.arcodange.lab/api/packages/arcodange-org/helm
 - name: redis
  version: 2.1.0
  repository: https://charts.pascaliske.dev