🤖 ci(vault): declare dance-lessons-coach JWT role + ops policy (#1)

Co-authored-by: Gabriel Radureau <arcodange@gmail.com>
Co-committed-by: Gabriel Radureau <arcodange@gmail.com>

.gitea/workflows/crowdsec.yaml

@@ -0,0 +1,63 @@
+---
+# template source: https://github.com/bretfisher/docker-build-workflow/blob/main/templates/call-docker-build.yaml
+name: Crowdsec
+
+on: #[push,pull_request]
+  workflow_dispatch: {}
+  push: &crowdsecPaths
+    paths:
+      - 'crowdsec/**/*.tf'
+  pull_request: *crowdsecPaths
+
+# cancel any previously-started, yet still active runs of this workflow on the same branch
+concurrency:
+  group: ${{ github.ref }}-${{ github.workflow }}
+  cancel-in-progress: true
+
+.vault_step: &vault_step
+  name: read vault secret
+  uses: https://gitea.arcodange.lab/arcodange-org/vault-action.git@main
+  id: vault-secrets
+  with:
+    url: https://vault.arcodange.lab
+    caCertificate: ${{ secrets.HOMELAB_CA_CERT }}
+    jwtGiteaOIDC: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
+    role: gitea_cicd_crowdsec
+    method: jwt
+    path: gitea_jwt
+    secrets: |
+        kvv1/google/credentials credentials | GOOGLE_BACKEND_CREDENTIALS ;
+        kvv1/gitea/tofu_module_reader ssh_private_key | TERRAFORM_SSH_KEY ;
+
+jobs:
+  gitea_vault_auth:
+    name: Auth with gitea for vault
+    runs-on: ubuntu-latest
+    outputs:
+      gitea_vault_jwt: ${{steps.gitea_vault_jwt.outputs.id_token}}
+    steps:
+
+      - name: Auth with gitea for vault
+        id: gitea_vault_jwt
+        run: |
+          echo -n "${{ secrets.vault_oauth__sh_b64 }}" | base64 -d | bash
+
+  tofu:
+    name: Tofu - Crowdsec IAC
+    needs:
+      - gitea_vault_auth
+    runs-on: ubuntu-latest
+    env:
+      OPENTOFU_VERSION: 1.8.2
+      TERRAFORM_VAULT_AUTH_JWT: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
+      VAULT_CACERT: "${{ github.workspace }}/homelab.pem"
+    steps:
+      - *vault_step
+      - uses: actions/checkout@v4
+      - name: prepare vault self signed cert
+        run: echo -n "${{ secrets.HOMELAB_CA_CERT }}" | base64 -d > $VAULT_CACERT
+      - name: terraform apply
+        uses: dflook/terraform-apply@v1
+        with:
+          path: crowdsec/iac
+          auto_approve: true

.gitea/workflows/helmcharts.yaml

@@ -165,7 +165,7 @@ jobs:
           chart_package=${chart}-${chart_version}.tgz
           # helm package ${chart}
           tar -X ${chart}/.helmignore -czf ${chart_package} ${chart}
-          curl --user ${{ github.actor }}:${{ secrets.PACKAGES_TOKEN }} -X POST --upload-file ./${chart_package} https://gitea.arcodange.duckdns.org/api/packages/${{ github.repository_owner }}/helm/api/charts
+          curl --user ${{ github.actor }}:${{ secrets.PACKAGES_TOKEN }} -X POST --upload-file ./${chart_package} https://gitea.arcodange.lab/api/packages/${{ github.repository_owner }}/helm/api/charts
 
   application-charts:
     <<: *charts-matrix-job

.gitea/workflows/plausible.yaml

@@ -0,0 +1,63 @@
+---
+# template source: https://github.com/bretfisher/docker-build-workflow/blob/main/templates/call-docker-build.yaml
+name: Plausible
+
+on: #[push,pull_request]
+  workflow_dispatch: {}
+  push: &plausiblePaths
+    paths:
+      - 'plausible/**/*.tf'
+  pull_request: *plausiblePaths
+
+# cancel any previously-started, yet still active runs of this workflow on the same branch
+concurrency:
+  group: ${{ github.ref }}-${{ github.workflow }}
+  cancel-in-progress: true
+
+.vault_step: &vault_step
+  name: read vault secret
+  uses: https://gitea.arcodange.lab/arcodange-org/vault-action.git@main
+  id: vault-secrets
+  with:
+    url: https://vault.arcodange.lab
+    caCertificate: ${{ secrets.HOMELAB_CA_CERT }}
+    jwtGiteaOIDC: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
+    role: gitea_cicd_plausible
+    method: jwt
+    path: gitea_jwt
+    secrets: |
+        kvv1/google/credentials credentials | GOOGLE_BACKEND_CREDENTIALS ;
+        kvv1/gitea/tofu_module_reader ssh_private_key | TERRAFORM_SSH_KEY ;
+
+jobs:
+  gitea_vault_auth:
+    name: Auth with gitea for vault
+    runs-on: ubuntu-latest
+    outputs:
+      gitea_vault_jwt: ${{steps.gitea_vault_jwt.outputs.id_token}}
+    steps:
+
+      - name: Auth with gitea for vault
+        id: gitea_vault_jwt
+        run: |
+          echo -n "${{ secrets.vault_oauth__sh_b64 }}" | base64 -d | bash
+
+  tofu:
+    name: Tofu - plausible IAC
+    needs:
+      - gitea_vault_auth
+    runs-on: ubuntu-latest
+    env:
+      OPENTOFU_VERSION: 1.8.2
+      TERRAFORM_VAULT_AUTH_JWT: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
+      VAULT_CACERT: "${{ github.workspace }}/homelab.pem"
+    steps:
+      - *vault_step
+      - uses: actions/checkout@v4
+      - name: prepare vault self signed cert
+        run: echo -n "${{ secrets.HOMELAB_CA_CERT }}" | base64 -d > $VAULT_CACERT
+      - name: terraform apply
+        uses: dflook/terraform-apply@v1
+        with:
+          path: plausible/iac
+          auto_approve: true

.gitea/workflows/vault.yaml

@@ -16,10 +16,11 @@ concurrency:
 
 .vault_step: &vault_step
   name: read vault secret
-  uses: https://gitea.arcodange.duckdns.org/arcodange-org/vault-action.git@main
+  uses: https://gitea.arcodange.lab/arcodange-org/vault-action.git@main
   id: vault-secrets
   with:
-    url: https://vault.arcodange.duckdns.org
+    url: https://vault.arcodange.lab
+    caCertificate: ${{ secrets.HOMELAB_CA_CERT }}
     jwtGiteaOIDC: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
     role: gitea_cicd
     method: jwt
@@ -50,12 +51,12 @@ jobs:
     env:
       OPENTOFU_VERSION: 1.8.2
       TERRAFORM_VAULT_AUTH_JWT: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
+      VAULT_CACERT: "${{ github.workspace }}/homelab.pem"
     steps:
       - *vault_step
       - uses: actions/checkout@v4
-      # - uses: dflook/terraform-plan@v1
-      #   with:
-      #     path: hashicorp-vault/iac
+      - name: prepare vault self signed cert
+        run: echo -n "${{ secrets.HOMELAB_CA_CERT }}" | base64 -d > $VAULT_CACERT
       - name: terraform apply
         uses: dflook/terraform-apply@v1
         with:

.gitignore

@@ -1,5 +1,5 @@
 .DS_Store
 Chart.lock
-*/charts/
+**/charts/
 .terraform
 .terraform.lock.hcl

chart/templates/apps.yaml

@@ -1,4 +1,4 @@
-{{- range $app_name := .Values.tools -}}
+{{- range $app_name, $app := .Values.tools }}
 ---
 apiVersion: argoproj.io/v1alpha1
 kind: Application
@@ -10,7 +10,7 @@ metadata:
 spec:
   project: tools
   source:
-    repoURL: https://gitea.arcodange.duckdns.org/arcodange-org/tools
+    repoURL: https://gitea.arcodange.lab/arcodange-org/tools
     targetRevision: HEAD
     path: {{ $app_name }}
   destination:
@@ -22,4 +22,4 @@ spec:
       selfHeal: true
     syncOptions:
       - CreateNamespace=true
-{{ end }}
+{{- end }}

chart/templates/project.yaml

@@ -10,7 +10,7 @@ metadata:
 spec:
   description: Arcodange tools (monitoring, cache, connection pool, secret management...)
   sourceRepos:
-  - 'https://gitea.arcodange.duckdns.org/arcodange-org/tools'
+  - 'https://gitea.arcodange.lab/arcodange-org/tools'
   # Only permit applications to deploy to the tools namespace in the same cluster
   destinations:
   - namespace: tools

chart/values.yaml

@@ -1,6 +1,11 @@
 tools:
-  - pgbouncer
-  #- pgcat # trop contraignant: lister tous les databases/users et auth_type md5 uniquement
-  # - prometheus
-  - hashicorp-vault
-  - crowdsec
+  pgbouncer: {}
+  #pgcat # trop contraignant: lister tous les databases/users et auth_type md5 uniquement: {}
+  # prometheus: {}
+  hashicorp-vault: {}
+  crowdsec: {}
+  redis: {}
+  clickhouse: {}
+  grafana: {}
+  plausible: {}
+  prometheus: {}

clickhouse/.gitignore

@@ -0,0 +1,2 @@
+charts/
+!charts/databases/

clickhouse/charts/databases/.helmignore

@@ -0,0 +1,23 @@
+# Patterns to ignore when building packages.
+# This supports shell glob matching, relative path matching, and
+# negation (prefixed with !). Only one pattern per line.
+.DS_Store
+# Common VCS dirs
+.git/
+.gitignore
+.bzr/
+.bzrignore
+.hg/
+.hgignore
+.svn/
+# Common backup files
+*.swp
+*.bak
+*.tmp
+*.orig
+*~
+# Various IDEs
+.project
+.idea/
+*.tmproj
+.vscode/

clickhouse/charts/databases/Chart.yaml

@@ -0,0 +1,24 @@
+apiVersion: v2
+name: clickhouse databases
+description: declare clickhouse databases
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+
+# This is the chart version. This version number should be incremented each time you make changes
+# to the chart and its templates, including the app version.
+# Versions are expected to follow Semantic Versioning (https://semver.org/)
+version: 0.1.0
+
+# This is the version number of the application being deployed. This version number should be
+# incremented each time you make changes to the application. Versions are not expected to
+# follow Semantic Versioning. They should reflect the version the application is using.
+# It is recommended to use it with quotes.
+appVersion: "24.12.6.70-alpine"

clickhouse/charts/databases/templates/init-databases-job.yaml

@@ -0,0 +1,85 @@
+apiVersion: batch/v1
+kind: Job
+metadata:
+  name: clickhouse-db-init
+  labels:
+    app.kubernetes.io/name: clickhouse-db-init
+    app.kubernetes.io/instance: {{ .Release.Name }}
+  annotations:
+    checksum/config: {{ include (print $.Template.BasePath "/init-sql-configmap.yaml") . | sha256sum }}
+spec:
+  template:
+    spec:
+      restartPolicy: OnFailure
+      containers:
+        - name: clickhouse-init
+          image: clickhouse/clickhouse-server:{{ .Chart.AppVersion }}
+          command: ["bash", "-c"]
+          args:
+            - |
+              echo "⏳ Waiting for ClickHouse..."
+              until clickhouse-client \
+                --host {{ .Values.clickhouse.host }} \
+                --port {{ .Values.clickhouse.port }} \
+                --user {{ .Values.clickhouse.adminUser }} \
+                --password "{{ .Values.clickhouse.adminPassword }}" \
+                -q "SELECT 1" >/dev/null 2>&1; do
+                sleep 2
+              done
+              echo "✅ ClickHouse ready"
+
+              {{- if .Values.databases }}
+              echo "➡️ Creating declared databases & users..."
+              clickhouse-client \
+                --host {{ .Values.clickhouse.host }} \
+                --port {{ .Values.clickhouse.port }} \
+                --user {{ .Values.clickhouse.adminUser }} \
+                --password "{{ .Values.clickhouse.adminPassword }}" \
+                --multiquery < /config/init.sql
+              {{- end }}
+
+              echo "➡️ Generating list of databases to drop..."
+              clickhouse-client \
+                --host {{ .Values.clickhouse.host }} \
+                --port {{ .Values.clickhouse.port }} \
+                --user {{ .Values.clickhouse.adminUser }} \
+                --password "{{ .Values.clickhouse.adminPassword }}" \
+                -q "
+                  SELECT concat('DROP DATABASE IF EXISTS ', name, ';')
+                  FROM system.databases
+                  WHERE name NOT IN (
+                    'system',
+                    'information_schema',
+                    'INFORMATION_SCHEMA',
+                    'default'
+                    {{- if .Values.databases }}
+                      {{- range $db := .Values.databases }}
+                        , '{{ $db }}'
+                      {{- end }}
+                    {{- end }}
+                  );
+                " > /tmp/to_drop.sql
+
+              if [ -s /tmp/to_drop.sql ]; then
+                echo "➡️ Dropping leftover databases:"
+                cat /tmp/to_drop.sql
+
+                clickhouse-client \
+                  --host {{ .Values.clickhouse.host }} \
+                  --port {{ .Values.clickhouse.port }} \
+                  --user {{ .Values.clickhouse.adminUser }} \
+                  --password "{{ .Values.clickhouse.adminPassword }}" \
+                  --multiquery < /tmp/to_drop.sql
+
+              else
+                echo "✔️ No databases to drop."
+              fi
+
+              echo "🎉 Initialization completed"
+          volumeMounts:
+            - name: init-sql
+              mountPath: /config
+      volumes:
+        - name: init-sql
+          configMap:
+            name: clickhouse-init-sql

clickhouse/charts/databases/templates/init-sql-configmap.yaml

@@ -0,0 +1,26 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: clickhouse-init-sql
+data:
+  init.sql: |
+    -- This file is auto-generated by Helm
+    -- Databases and users initialization
+
+    {{- range $db := .Values.databases }}
+
+    -- Database: {{ $db }}
+    CREATE DATABASE IF NOT EXISTS {{ $db }};
+
+    -- User: {{ $db }}
+    CREATE USER IF NOT EXISTS {{ $db }}
+      IDENTIFIED BY '{{ $db }}arcodange';
+
+    -- Privileges
+    GRANT CREATE, SELECT, INSERT, ALTER, DROP
+      ON {{ $db }}.*
+      TO {{ $db }};
+    
+    GRANT SELECT ON system.* TO {{ $db }};
+
+    {{- end }}

clickhouse/charts/databases/values.yaml

@@ -0,0 +1,8 @@
+clickhouse:
+  host: clickhouse.tools
+  port: 9000
+  adminUser: arcodange
+  adminPassword: clickhousearcodange
+
+databases:
+  - plausible

clickhouse/clickhouseValues.yaml

@@ -0,0 +1,176 @@
+global: {}
+image:
+  # -- The registry to pull the image from.
+  registry: docker.io
+  # -- The repository to pull the image from.
+  repository: clickhouse/clickhouse-server
+  # -- The docker tag, if left empty chart's appVersion will be used.
+  # @default -- `.Chart.AppVersion`
+  tag: ''
+  # -- The pull policy for the controller.
+  pullPolicy: IfNotPresent
+
+nameOverride: ''
+fullnameOverride: ''
+
+controller:
+  # -- Create a workload for this chart.
+  enabled: true
+  # -- Type of the workload object.
+  kind: StatefulSet
+  # -- The number of replicas.
+  replicas: 1
+  # -- The controller update strategy. Currently only applies to controllers of kind `Deployment`.
+  updateStrategy: {}
+  # -- Additional annotations for the controller object.
+  annotations: {}
+  # -- Additional labels for the controller object.
+  labels: {}
+
+service:
+  # -- Create a service for exposing this chart.
+  enabled: true
+  # -- The service type used.
+  type: ClusterIP
+  # -- ClusterIP used if service type is `ClusterIP`.
+  clusterIP: ''
+  # -- LoadBalancerIP if service type is `LoadBalancer`.
+  loadBalancerIP: ''
+  # -- Allowed addresses when service type is `LoadBalancer`.
+  loadBalancerSourceRanges: []
+  # -- Additional annotations for the service object.
+  annotations: {}
+  # -- Additional labels for the service object.
+  labels: {}
+
+env:
+  # -- Timezone for the container.
+  - name: TZ
+    value: Europe/Paris
+
+# -- List of extra arguments for the container.
+extraArgs: []
+  # - --loglevel warning
+
+ports:
+  rest:
+    # -- Enable the port inside the `Controller` and `Service` objects.
+    enabled: true
+    # -- The port used as internal port and cluster-wide port if `.service.type` == `ClusterIP`.
+    port: 8123
+    # -- The external port used if `.service.type` == `NodePort`.
+    nodePort: null
+    # -- The protocol used for the service.
+    protocol: TCP
+  rpc:
+    # -- Enable the port inside the `Controller` and `Service` objects.
+    enabled: true
+    # -- The port used as internal port and cluster-wide port if `.service.type` == `ClusterIP`.
+    port: 9000
+    # -- The external port used if `.service.type` == `NodePort`.
+    nodePort: null
+    # -- The protocol used for the service.
+    protocol: TCP
+
+configMap:
+  # -- Create a new config map object.
+  create: true
+  # -- Mount path of the config map object.
+  mountPath: /etc/config
+  # -- Use an existing config map object.
+  existingConfigMap: ''
+  # -- Map of configuration files as strings.
+  files:
+    custom-users.xml: |
+      <clickhouse>
+        <users>
+          <default>
+            <networks>
+              <ip>::1</ip>
+              <ip>127.0.0.1</ip>
+            </networks>
+          </default>
+          <arcodange>
+            <password>clickhousearcodange</password>
+            <networks>
+              <ip>::/0</ip>
+              <ip>0.0.0.0/0</ip>
+            </networks>
+            <profile>default</profile>
+            <quota>default</quota>
+            <access_management>1</access_management>
+          </arcodange>
+        </users>
+      </clickhouse>
+    # file1.yml: |
+    #   # contents
+    # file2.yml: |
+    #   # contents
+  # -- Additional annotations for the config map object.
+  annotations: {}
+  # -- Additional labels for the config map object.
+  labels: {}
+
+persistentVolumeClaim:
+  # -- Create a new persistent volume claim object.
+  create: true
+  # -- Mount path of the persistent volume claim object.
+  mountPath: /var/lib/clickhouse
+  # -- Access mode of the persistent volume claim object.
+  accessMode: ReadWriteOnce
+  # -- Volume mode of the persistent volume claim object.
+  volumeMode: Filesystem
+  # -- Storage request size for the persistent volume claim object.
+  size: 16Gi
+  # -- Storage class name for the persistent volume claim object.
+  storageClassName: ''
+  # -- Use an existing persistent volume claim object.
+  existingPersistentVolumeClaim: ''
+  # -- Additional annotations for the persistent volume claim object.
+  annotations: {}
+  # -- Additional labels for the persistent volume claim object.
+  labels: {}
+
+serviceAccount:
+  # -- Create a `ServiceAccount` object.
+  create: true
+  # -- Specify the service account used for the controller.
+  name: ''
+  # -- Additional annotations for the role and role binding objects.
+  annotations: {}
+  # -- Additional labels for the role and role binding objects.
+  labels: {}
+
+# -- Pod-level security attributes. More info [here](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context).
+securityContext:
+  fsGroup: 101
+  runAsNonRoot: true
+  runAsGroup: 101
+  runAsUser: 101
+
+# -- Compute resources used by the container. More info [here](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
+resources: {}
+  # limits:
+  #   cpu: 100m
+  #   memory: 128Mi
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi
+
+# -- Pod-level affinity. More info [here](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling).
+affinity:
+  nodeAffinity:
+    requiredDuringSchedulingIgnoredDuringExecution:
+      nodeSelectorTerms:
+      - matchExpressions:
+        - key: kubernetes.io/hostname
+          operator: NotIn
+          values:
+          - pi2
+
+# -- Pod-level tolerations. More info [here](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling).
+tolerations: []
+  # - key: node-role.kubernetes.io/control-plane
+  #   operator: Exists
+  #   effect: NoSchedule
+

clickhouse/kustomization.yaml

@@ -0,0 +1,28 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: tools
+
+helmGlobals:
+ chartHome: charts
+
+helmCharts:
+- name: clickhouse
+  repo: https://charts.pascaliske.dev
+  version: 0.4.0
+  releaseName: clickhouse
+  valuesFile: clickhouseValues.yaml
+- name: databases
+  releaseName: clickhouse-databases
+
+patches:
+  - target:
+      kind: StatefulSet
+      name: clickhouse
+    patch: |-
+      - op: add
+        path: /spec/template/spec/containers/0/volumeMounts/-
+        value:
+          name: config-volume
+          mountPath: /etc/clickhouse-server/users.d/custom-users.xml
+          subPath: custom-users.xml
+          readOnly: true

crowdsec/Chart.yaml

@@ -5,7 +5,7 @@ description: A Helm chart for Kubernetes
 dependencies:
 - name: tool
   version: 0.1.0
-  repository: https://gitea.arcodange.duckdns.org/api/packages/arcodange-org/helm
+  repository: https://gitea.arcodange.lab/api/packages/arcodange-org/helm
 - name: crowdsec
   version: 0.20.1
   repository: https://crowdsecurity.github.io/helm-charts

crowdsec/iac/backend.tf

@@ -0,0 +1,6 @@
+terraform {
+  backend "gcs" {
+    bucket = "arcodange-tf"
+    prefix = "tools/crowdsec/main"
+  }
+}

crowdsec/iac/main.tf

@@ -0,0 +1,5 @@
+module "app_roles" {
+  source = "git::ssh://git@192.168.1.202:2222/arcodange-org/tools.git//hashicorp-vault/iac/modules/app_roles?depth=1&ref=main"
+  name = "crowdsec"
+  service_account_namespaces = ["tools"]
+}

crowdsec/iac/providers.tf

@@ -0,0 +1,16 @@
+terraform {
+  required_providers {
+    vault = {
+      source  = "vault"
+      version = "4.4.0"
+    }
+  }
+}
+
+provider "vault" {
+  address = "https://vault.arcodange.lab"
+  auth_login_jwt { # TERRAFORM_VAULT_AUTH_JWT environment variable
+    mount = "gitea_jwt"
+    role  = "gitea_cicd_crowdsec"
+  }
+}

crowdsec/templates/serviceaccount.yaml

@@ -0,0 +1,6 @@
+apiVersion: v1
+kind: ServiceAccount
+metadata:
+  name: crowdsec
+  namespace: {{ .Release.Namespace }}
+automountServiceAccountToken: true

crowdsec/templates/vaultauth.yaml

@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: crowdsec
+  namespace: {{ .Release.Namespace }}
+spec:
+  vaultConnectionRef: default
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: crowdsec
+    serviceAccount: crowdsec
+    audiences:
+      - vault

crowdsec/templates/vaultdynamicsecret.yaml

@@ -0,0 +1,25 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultDynamicSecret
+metadata:
+  name: crowdsec-db-credentials
+  namespace: {{ .Release.Namespace }}
+spec:
+
+  # Mount path of the secrets backend
+  mount: postgres
+
+  # Path to the secret
+  path: creds/crowdsec
+
+  # Where to store the secrets, VSO will create the secret
+  destination:
+    create: true
+    name: crowdsec-db-credentials
+
+  # Restart these pods when secrets rotated
+  rolloutRestartTargets:
+  - kind: Deployment
+    name: crowdsec-lapi
+
+  # Name of the CRD to authenticate to Vault
+  vaultAuthRef: crowdsec

crowdsec/values.yaml

@@ -20,8 +20,14 @@ crowdsec: &crowdsec_config
     env:
       - name: COLLECTIONS
         value: "crowdsecurity/traefik crowdsecurity/http-cve"
+      - name: TZ
+        value: Europe/Paris
   lapi:
+    strategy:
+      type: Recreate
     env:
+      - name: TZ
+        value: Europe/Paris
       # To enroll the Security Engine to the console
       - name: ENROLL_KEY
         value: "cmieq72i3000802jr1wx8kply"
@@ -29,6 +35,16 @@ crowdsec: &crowdsec_config
         value: "homelab"
       - name: ENROLL_TAGS
         value: "k3s rpi test"
+      - name: DB_USER
+        valueFrom:
+          secretKeyRef:
+            name: crowdsec-db-credentials
+            key: username
+      - name: DB_PASSWORD
+        valueFrom:
+          secretKeyRef:
+            name: crowdsec-db-credentials
+            key: password
   appsec:
     enabled: true
     acquisitions:
@@ -39,6 +55,8 @@ crowdsec: &crowdsec_config
         path: /
         source: appsec
     env:
+      - name: TZ
+        value: Europe/Paris
       - name: COLLECTIONS
         value: "crowdsecurity/appsec-virtual-patching crowdsecurity/appsec-generic-rules"
     resources:
@@ -48,6 +66,25 @@ crowdsec: &crowdsec_config
       requests:
         cpu: "100m"
         memory: "200Mi"
+  config:
+    config.yaml.local: |
+      db_config:
+        type:     postgresql
+        user:     ${DB_USER}
+        password: ${DB_PASSWORD}
+        db_name:  crowdsec
+        host:     pgbouncer.tools
+        port:     5432
+      api:
+        server:
+          auto_registration: # Activate if not using TLS for authentication
+            enabled: true
+            token: "${REGISTRATION_TOKEN}"  # /!\ do not change
+            allowed_ranges: # /!\ adapt to the pod IP ranges used by your cluster
+              - "127.0.0.1/32"
+              - "192.168.0.0/16"
+              - "10.42.0.0/16"
+              - "172.16.0.0/12"
 
 tool:
   # kind: 'SubChart' or 'HelmChart', if subchart then uncomment Chart.yaml dependency, else comment and use tool library with helm chart template

grafana/Chart.yaml

@@ -0,0 +1,34 @@
+# Chart: keydb-custom
+# Helm chart tailored for KeyDB (EqAlpha) on 2 Raspberry Pi 5 nodes
+# - Mode: master (statefulset index 0) + replica (index 1)
+# - Replica runs as replicaof master at startup
+# - server-threads = 4
+# - Config mounted via ConfigMap
+# - Liveness / readiness probes included
+# - Persistence via PersistentVolumeClaim (storageClass configurable)
+# -----------------------------------------------------------------------------
+# Chart.yaml
+# -----------------------------------------------------------------------------
+apiVersion: v2
+name: grafana
+description: A Helm chart for Kubernetes
+
+dependencies:
+- name: tool
+  version: 0.1.0
+  repository: https://gitea.arcodange.lab/api/packages/arcodange-org/helm
+- name: grafana
+  version: 10.3.0
+  repository: https://grafana.github.io/helm-charts
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+version: 0.1.0
+appVersion: "latest"

grafana/templates/helm-chart-config.yaml

@@ -0,0 +1,3 @@
+{{- if eq .Values.tool.kind "HelmChart" -}}
+{{- include "tool.helm-chart-config.tpl" . -}}
+{{- end -}}

grafana/templates/helm-chart.yaml

@@ -0,0 +1,3 @@
+{{- if eq .Values.tool.kind "HelmChart" -}}
+{{- include "tool.helm-chart.tpl" . -}}
+{{- end -}}

hashicorp-vault/Chart.yaml

@@ -5,7 +5,7 @@ description: A Helm chart for Kubernetes
 dependencies:
 - name: tool
   version: 0.1.0
-  repository: https://gitea.arcodange.duckdns.org/api/packages/arcodange-org/helm
+  repository: https://gitea.arcodange.lab/api/packages/arcodange-org/helm
 - name: vault
   version: 0.28.1
   repository: https://helm.releases.hashicorp.com

hashicorp-vault/README.md

@@ -1,8 +1,8 @@
 # Vault
 
-1. Les [playbooks ansible](https://gitea.arcodange.duckdns.org/arcodange-org/factory/src/branch/main/ansible/arcodange/factory/playbooks) configurent la base de données postgres et le minimum requis pour permetre au dépot "tools" d'appliquer via un workflow gitea action [une configuration vault via tofu](./iac/).
+1. Les [playbooks ansible](https://gitea.arcodange.lab/arcodange-org/factory/src/branch/main/ansible/arcodange/factory/playbooks) configurent la base de données postgres et le minimum requis pour permetre au dépot "tools" d'appliquer via un workflow gitea action [une configuration vault via tofu](./iac/).
 2. Configuration des backend d'authentification et des roles pour postgres et kubernetes. Définition de rôles "${app}-ops" pour permettre au dépot d'une application de définir ses propres dépendances dans vault. Rotation de credentials postgres pour les applications.
-3. [Le dépot de l'application webapp](https://gitea.arcodange.duckdns.org/arcodange-org/webapp) gère l'obtention de ses crédentials pour postgres.
+3. [Le dépot de l'application webapp](https://gitea.arcodange.lab/arcodange-org/webapp) gère l'obtention de ses crédentials pour postgres.
 
 ```mermaid
 flowchart LR

hashicorp-vault/iac/modules/README.md

@@ -116,6 +116,22 @@ L’objectif est d’éviter de stocker des credentials statiques, en déléguan
 
 ## 🛠️ Ressources déployées
 
+### `VaultConnection`
+
+```yaml
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultConnection
+metadata:
+  finalizers:
+  - vaultconnection.secrets.hashicorp.com/finalizer
+  labels:
+  name: default
+  namespace: {{ .Release.Namespace }}
+spec:
+  address: http://hashicorp-vault.tools.svc.cluster.local:8200
+  skipTLSVerify: false
+```
+
 ### `VaultAuth`
 
 ```yaml
@@ -125,6 +141,7 @@ metadata:
   name: auth
   namespace: {{ .Release.Namespace }}
 spec:
+  vaultConnectionRef: default
   method: kubernetes
   mount: kubernetes
   kubernetes:

hashicorp-vault/iac/modules/app_roles/main.tf

@@ -27,8 +27,8 @@ resource "vault_database_secret_backend_role" "role" {
     "GRANT ${local.name}_role TO \"{{name}}\";",
   ]
   revocation_statements = [
-    "REASSIGN OWNED BY \"{{name}}\" TO ${local.name}_role;",
-    "REVOKE ALL ON DATABASE ${local.database} FROM  \"{{name}}\";", # should we drop the role ?
+    "REASSIGN OWNED BY \"{{name}}\" TO ${local.name}_role;", # reassign must be executed in the database where the reassgined objects are - TODO (one connection per database/app)
+    "REVOKE ALL ON DATABASE ${local.database} FROM  \"{{name}}\";", # should we drop the role ? -> YES after fixing reassign
   ]
   renew_statements    = []
   rollback_statements = []

hashicorp-vault/iac/providers.tf

@@ -8,7 +8,7 @@ terraform {
 }
 
 provider "vault" {
-  address = "https://vault.arcodange.duckdns.org"
+  address = "https://vault.arcodange.lab"
   auth_login_jwt { # TERRAFORM_VAULT_AUTH_JWT environment variable
     mount = "gitea_jwt"
     role  = "gitea_cicd"

hashicorp-vault/iac/terraform.tfvars

@@ -1,9 +1,18 @@
 applications = [
   { name = "webapp" },
   { name = "erp" },
+  { name = "dance-lessons-coach" },
   {
     name                   = "cms"
     ops_policies               = ["factory__cf_r2_arcodange_tf"]
     service_account_names = ["cloudflared"]
   },
+  {
+    name = "crowdsec"
+    service_account_namespaces = ["tools"]
+  },
+  {
+    name = "plausible"
+    service_account_namespaces = ["tools"]
+  },
 ]

hashicorp-vault/values.yaml

@@ -15,11 +15,11 @@ vault: &vault_config
         traefik.ingress.kubernetes.io/router.entrypoints: websecure
         traefik.ingress.kubernetes.io/router.tls: "true"
         traefik.ingress.kubernetes.io/router.tls.certresolver: letsencrypt
-        traefik.ingress.kubernetes.io/router.tls.domains.0.main: arcodange.duckdns.org
-        traefik.ingress.kubernetes.io/router.tls.domains.0.sans: vault.arcodange.duckdns.org
+        traefik.ingress.kubernetes.io/router.tls.domains.0.main: arcodange.lab
+        traefik.ingress.kubernetes.io/router.tls.domains.0.sans: vault.arcodange.lab
         traefik.ingress.kubernetes.io/router.middlewares: localIp@file
       hosts:
-        - host: vault.arcodange.duckdns.org
+        - host: vault.arcodange.lab
           paths: []
 
   postStart: [] # https://github.com/hashicorp/vault-helm/blob/main/values.yaml

pgbouncer/Chart.yaml

@@ -5,7 +5,7 @@ description: A Helm chart for Kubernetes
 dependencies:
 - name: tool
   version: 0.1.0
-  repository: https://gitea.arcodange.duckdns.org/api/packages/arcodange-org/helm
+  repository: https://gitea.arcodange.lab/api/packages/arcodange-org/helm
 - name: pgbouncer
   version: 2.3.1
   repository: https://icoretech.github.io/helm

pgbouncer/values.yaml

@@ -14,6 +14,8 @@ pgbouncer: &pgbouncer_config
       auth_type: scram-sha-256
       auth_query: SELECT uname, phash FROM user_lookup($1)
       ignore_startup_parameters: extra_float_digits # unsupported jdbc extra_float_digits=2 argument
+      server_reset_query: DEALLOCATE ALL # fix prepared statement already exist (crowdsec)
+      server_idle_timeout: 7200
   pgbouncerExporter:
     enabled: false
 

pgcat/Chart.yaml

@@ -5,7 +5,7 @@ description: A Helm chart for Kubernetes
 dependencies:
 - name: tool
   version: 0.1.0
-  repository: https://gitea.arcodange.duckdns.org/api/packages/arcodange-org/helm
+  repository: https://gitea.arcodange.lab/api/packages/arcodange-org/helm
 - name: pgcat
   version: 0.1.0
   repository: https://improwised.github.io/charts/

plausible/add-initcontainer.yaml

@@ -0,0 +1,36 @@
+- op: add
+  path: /spec/template/spec/containers/0/volumeMounts/-
+  value:
+    name: generated-secrets
+    mountPath: /run/secrets
+- op: add
+  path: /spec/template/spec/initContainers/0/volumeMounts
+  value:
+    - name: generated-secrets
+      mountPath: /run/secrets
+- op: add
+  path: /spec/template/spec/initContainers/0
+  value:
+    name: build-database-url
+    image: alpine:3.19
+    command: ["/bin/sh", "-c"]
+    args:
+      - |
+        echo "postgres://${DB_USER}:${DB_PASS}@${DB_HOST}:${DB_PORT}/${DB_NAME}" > /run/secrets/DATABASE_URL
+    volumeMounts:
+      - name: generated-secrets
+        mountPath: /run/secrets
+    env:
+      - name: DB_USER
+        valueFrom:
+          secretKeyRef:
+            name: plausible-db-credentials
+            key: username
+      - name: DB_PASS
+        valueFrom:
+          secretKeyRef:
+            name: plausible-db-credentials
+            key: password
+    envFrom:
+      - configMapRef:
+          name: plausible-config

plausible/iac/backend.tf

@@ -0,0 +1,6 @@
+terraform {
+  backend "gcs" {
+    bucket = "arcodange-tf"
+    prefix = "tools/plausible/main"
+  }
+}

plausible/iac/main.tf

@@ -0,0 +1,30 @@
+module "app_roles" {
+  source = "git::ssh://git@192.168.1.202:2222/arcodange-org/tools.git//hashicorp-vault/iac/modules/app_roles?depth=1&ref=main"
+  name = "plausible"
+  service_account_namespaces = ["tools"]
+}
+
+# https://github.com/plausible/community-edition/wiki/configuration#database
+
+#SECRET_KEY_BASE (openssl rand -base64 48)
+#
+
+resource "random_password" "secret" {
+  for_each = toset(["48","32"])
+  length  = tonumber(each.value)
+  special = false
+}
+locals {
+  config = {
+    SECRET_KEY_BASE = base64encode(random_password.secret["48"].result)
+    TOTP_VAULT_KEY = base64encode(random_password.secret["32"].result)
+  }
+}
+
+resource "vault_kv_secret_v2" "config" {
+  mount                      = "kvv2"
+  name                       = "plausible/config"
+  cas                        = 1
+#   delete_all_versions        = true
+  data_json                  = jsonencode(local.config)
+}

plausible/iac/providers.tf

@@ -0,0 +1,16 @@
+terraform {
+  required_providers {
+    vault = {
+      source  = "vault"
+      version = "4.4.0"
+    }
+  }
+}
+
+provider "vault" {
+  address = "https://vault.arcodange.lab"
+  auth_login_jwt { # TERRAFORM_VAULT_AUTH_JWT environment variable
+    mount = "gitea_jwt"
+    role  = "gitea_cicd_plausible"
+  }
+}

plausible/kustomization.yaml

@@ -0,0 +1,85 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: tools
+
+# https://kubectl.docs.kubernetes.io/references/kustomize/builtins/#_helmchartinflationgenerator_
+helmCharts:
+- name: plausible
+  repo: https://charts.pascaliske.dev
+  version: 2.0.0
+  releaseName: plausible
+  valuesFile: plausibleValues.yaml
+  namespace: tools
+
+patches:
+  - target:
+      kind: IngressRoute
+      name: plausible-route
+    patch: |-
+      - op: add
+        path: /spec/tls
+        value:
+          certResolver: letsencrypt
+          domains:
+          - main: arcodange.lab
+            sans:
+            - analytics.arcodange.lab
+
+resources:
+  - resources/vaultauth.yaml
+  - resources/vaultdynamicsecret.yaml
+  - resources/vaultsecret.yaml
+  - resources/configmap.yaml
+  - resources/geoipsecret.yaml
+  - resources/ingressroute.yaml
+
+patchesJson6902:
+  - target:
+      version: v1
+      kind: Deployment
+      name: plausible
+    patch: |-
+      - op: replace
+        path: /spec/template/spec/containers/1/env/2
+        value:
+          name: GEOIPUPDATE_LICENSE_KEY
+          valueFrom:
+            secretKeyRef:
+              name: plausible-geoip
+              key: LICENSE_KEY
+      - op: replace
+        path: /spec/template/spec/containers/1/env/4
+        value:
+          name: GEOIPUPDATE_EDITION_IDS
+          value: "GeoLite2-Country GeoLite2-City"
+      - op: add
+        path: /spec/template/spec/containers/0/env/2
+        value:
+          name: IP_GEOLOCATION_DB
+          value: /geoip/GeoLite2-City.mmdb
+      - op: add
+        path: /spec/template/spec/volumes/-
+        value:
+          name: generated-secrets
+          emptyDir:
+            medium: Memory
+      - op: add
+        path: /spec/template/spec/containers/0/envFrom
+        value:
+          - configMapRef:
+              name: plausible-config
+      - op: add
+        path: /spec/template/spec/initContainers/0/envFrom
+        value:
+          - configMapRef:
+              name: plausible-config
+      - op: replace
+        path: /spec/template/spec/initContainers/0/args
+        value:
+          - >-
+            sleep 10 && /entrypoint.sh db migrate
+  - target:
+      version: v1
+      kind: Deployment
+      name: plausible
+    path: add-initcontainer.yaml

plausible/plausibleValues.yaml

@@ -0,0 +1,180 @@
+image:
+  # -- The registry to pull the image from.
+  registry: ghcr.io
+  # -- The repository to pull the image from.
+  repository: plausible/community-edition
+  # -- The docker tag, if left empty chart's appVersion will be used.
+  # @default -- `.Chart.AppVersion`
+  tag: ''
+  # -- The pull policy for the controller.
+  pullPolicy: IfNotPresent
+
+nameOverride: ''
+fullnameOverride: ''
+
+controller:
+  # -- Create a workload for this chart.
+  enabled: true
+  # -- Type of the workload object.
+  kind: Deployment
+  # -- The number of replicas.
+  replicas: 1
+  # -- Additional annotations for the controller object.
+  annotations: {}
+  # -- Additional labels for the controller object.
+  labels: {}
+
+service:
+  # -- Create a service for exposing this chart.
+  enabled: true
+  # -- The service type used.
+  type: ClusterIP
+  # -- ClusterIP used if service type is `ClusterIP`.
+  clusterIP: ''
+  # -- LoadBalancerIP if service type is `LoadBalancer`.
+  loadBalancerIP: ''
+  # -- Allowed addresses when service type is `LoadBalancer`.
+  loadBalancerSourceRanges: []
+  # -- Additional annotations for the service object.
+  annotations: {}
+  # -- Additional labels for the service object.
+  labels: {}
+
+serviceMonitor:
+  # -- Create a service monitor for prometheus operator.
+  enabled: false
+  # -- How frequently the exporter should be scraped.
+  interval: 30s
+  # -- Timeout value for individual scrapes.
+  timeout: 10s
+  # -- Additional annotations for the service monitor object.
+  annotations: {}
+  # -- Additional labels for the service monitor object.
+  labels: {}
+
+ingressRoute:
+  # -- Create an IngressRoute object for exposing this chart.
+  create: true
+  # -- List of [entry points](https://doc.traefik.io/traefik/routing/routers/#entrypoints) on which the ingress route will be available.
+  entryPoints: [websecure]
+  # -- [Matching rule](https://doc.traefik.io/traefik/routing/routers/#rule) for the underlying router.
+  rule: Host(`analytics.arcodange.lab`)
+  # -- List of [middleware objects](https://doc.traefik.io/traefik/routing/providers/kubernetes-crd/#kind-middleware) for the ingress route.
+  middlewares:
+    - name: localIp@file
+  # -- Use an existing secret containing the TLS certificate.
+  tlsSecretName: ''
+  # -- Additional annotations for the ingress route object.
+  annotations: {}
+  # -- Additional labels for the ingress route object.
+  labels: {}
+
+certificate:
+  # -- Create an Certificate object for the exposed chart.
+  create: false
+  # -- List of subject alternative names for the certificate.
+  dnsNames: []
+  # -- Name of the secret in which the certificate will be stored. Defaults to the first item in dnsNames.
+  secretName: ''
+  issuerRef:
+    # -- Type of the referenced certificate issuer. Can be "Issuer" or "ClusterIssuer".
+    kind: ClusterIssuer
+    # -- Name of the referenced certificate issuer.
+    name: ''
+  # -- Additional annotations for the certificate object.
+  annotations: {}
+  # -- Additional labels for the certificate object.
+  labels: {}
+
+env:
+  # -- Timezone for the container.
+  - name: TZ
+    value: Europe/Paris
+
+ports:
+  http:
+    # -- Enable the port inside the `Deployment` and `Service` objects.
+    enabled: true
+    # -- The port used as internal port and cluster-wide port if `.service.type` == `ClusterIP`.
+    port: 8000
+    # -- The external port used if `.service.type` == `NodePort`.
+    nodePort: null
+    # -- The protocol used for the service.
+    protocol: TCP
+
+secret:
+  # -- Create a new secret object.
+  create: false
+  # -- Use an existing secret object.
+  existingSecret: 'plausible-config'
+  # -- Secret values used when not using an existing secret. Helm templates are supported for values.
+  values:
+    # -- Secret key for session tokens.
+    SECRET_KEY_BASE: '{{ randAlphaNum 42 | b64enc }}'
+    # -- Encryption token for TOTP secrets.
+    TOTP_VAULT_KEY: '{{ randAlphaNum 32 | b64enc }}'
+
+  # -- Additional annotations for the secret object.
+  annotations: {}
+  # -- Additional labels for the secret object.
+  labels: {}
+
+geoip:
+  # -- Enable support for MaxMinds GeoLite2 database.
+  enabled: true
+  image:
+    # -- The repository for the geoip image.
+    repository: ghcr.io/maxmind/geoipupdate
+    # -- The docker tag for the geoip image.
+    tag: v7.1.1
+  # -- Required. MaxMind account ID.
+  accountId: '1266329'
+  # -- Required. Case-sensitive MaxMind license key.
+  # licenseKey: 'kvv2/data/plausible/geoip LICENSE_KEY'
+  # -- Optional. Database update frequency. Defaults to "168" which equals 7 days.
+  frequency: 168
+  # -- Optional. Specify the database mount path inside the containers.
+  mountPath: /geoip
+
+serviceAccount:
+  # -- Create a `ServiceAccount` object.
+  create: true
+  # -- Specify the service account used for the controller.
+  name: ''
+  # -- Additional annotations for the service account object.
+  annotations: {}
+  # -- Additional labels for the service account object.
+  labels: {}
+
+# -- Pod-level security attributes. More info [here](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context).
+securityContext: {}
+  # fsGroup: 1000
+  # runAsNonRoot: true
+  # runAsGroup: 1000
+  # runAsUser: 1000
+
+# -- Compute resources used by the container. More info [here](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
+resources: {}
+  # limits:
+  #   cpu: 100m
+  #   memory: 128Mi
+  # requests:
+  #   cpu: 100m
+  #   memory: 128Mi
+
+# -- Pod-level affinity. More info [here](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling).
+affinity: {}
+  # nodeAffinity:
+  #   requiredDuringSchedulingIgnoredDuringExecution:
+  #     nodeSelectorTerms:
+  #       - matchExpressions:
+  #           - key: kubernetes.io/hostname
+  #             operator: In
+  #             values:
+  #               - my-node-xyz
+
+# -- Pod-level tolerations. More info [here](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling).
+tolerations: []
+  # - key: node-role.kubernetes.io/control-plane
+  #   operator: Exists
+  #   effect: NoSchedule

plausible/resources/configmap.yaml

@@ -0,0 +1,21 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: plausible-config
+  namespace: tools
+# Doc: https://github.com/plausible/community-edition/wiki/Configuration
+data:
+  DB_HOST: pgbouncer.tools
+  DB_PORT: !!str 5432
+  DB_NAME: plausible
+
+  BASE_URL: https://analytics.arcodange.lab
+
+  CLICKHOUSE_DATABASE_URL: http://plausible:plausiblearcodange@clickhouse.tools:8123/plausible
+
+
+  DB_POOL_SIZE: "30"
+  DB_QUEUE_TARGET: "10000"  # 10 secondes
+  DB_CONNECT_TIMEOUT: "30000"  # 30 secondes
+  DB_RECONNECT_ATTEMPTS: "5"
+  DB_RECONNECT_DELAY: "5000"

plausible/resources/geoipsecret.yaml

@@ -0,0 +1,24 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: plausible-geoip
+  namespace: tools
+spec:
+  type: kv-v2
+
+  # mount path
+  mount: kvv2
+
+  # path of the secret
+  path: plausible/geoip
+
+  # dest k8s secret
+  destination:
+    name: plausible-geoip
+    create: true
+
+  # static secret refresh interval
+  refreshAfter: 30s
+
+  # Name of the CRD to authenticate to Vault
+  vaultAuthRef: plausible

plausible/resources/ingressroute.yaml

@@ -0,0 +1,20 @@
+apiVersion: traefik.io/v1alpha1
+kind: IngressRoute
+metadata:
+  name: plausible-external
+  labels:
+    app.kubernetes.io/instance: plausible
+    app.kubernetes.io/name: plausible
+spec:
+  entryPoints:
+    - web
+  routes:
+    - kind: Rule
+      match: Host(`analytics.arcodange.fr`) && (PathPrefix(`/api/event`) || PathPrefix(`/js/`))
+      middlewares:
+        - name: kube-system-crowdsec@kubernetescrd
+      services:
+        - kind: Service
+          name: plausible-web
+          namespace: tools
+          port: 8000

plausible/resources/vaultauth.yaml

@@ -0,0 +1,14 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultAuth
+metadata:
+  name: plausible
+  namespace: tools
+spec:
+  vaultConnectionRef: default
+  method: kubernetes
+  mount: kubernetes
+  kubernetes:
+    role: plausible
+    serviceAccount: plausible
+    audiences:
+      - vault

plausible/resources/vaultdynamicsecret.yaml

@@ -0,0 +1,25 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultDynamicSecret
+metadata:
+  name: plausible-db-credentials
+  namespace: tools
+spec:
+
+  # Mount path of the secrets backend
+  mount: postgres
+
+  # Path to the secret
+  path: creds/plausible
+
+  # Where to store the secrets, VSO will create the secret
+  destination:
+    create: true
+    name: plausible-db-credentials
+
+  # Restart these pods when secrets rotated
+  rolloutRestartTargets:
+  - kind: Deployment
+    name: plausible
+
+  # Name of the CRD to authenticate to Vault
+  vaultAuthRef: plausible

plausible/resources/vaultsecret.yaml

@@ -0,0 +1,24 @@
+apiVersion: secrets.hashicorp.com/v1beta1
+kind: VaultStaticSecret
+metadata:
+  name: plausible
+  namespace: tools
+spec:
+  type: kv-v2
+
+  # mount path
+  mount: kvv2
+
+  # path of the secret
+  path: plausible/config
+
+  # dest k8s secret
+  destination:
+    name: plausible-config
+    create: true
+
+  # static secret refresh interval
+  refreshAfter: 30s
+
+  # Name of the CRD to authenticate to Vault
+  vaultAuthRef: plausible

prometheus/Chart.yaml

@@ -0,0 +1,23 @@
+apiVersion: v2
+name: prometheus
+description: A Helm chart for Kubernetes
+
+dependencies:
+- name: tool
+  version: 0.1.0
+  repository: https://gitea.arcodange.lab/api/packages/arcodange-org/helm
+- name: prometheus
+  version: 28.13.0
+  repository: https://prometheus-community.github.io/helm-charts
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+version: 0.1.0
+appVersion: "v3.10.0"

prometheus/templates/helm-chart-config.yaml

@@ -0,0 +1,3 @@
+{{- if eq .Values.tool.kind "HelmChart" -}}
+{{- include "tool.helm-chart-config.tpl" . -}}
+{{- end -}}

prometheus/templates/helm-chart.yaml

@@ -0,0 +1,3 @@
+{{- if eq .Values.tool.kind "HelmChart" -}}
+{{- include "tool.helm-chart.tpl" . -}}
+{{- end -}}

redis/Chart.yaml

@@ -0,0 +1,34 @@
+# Chart: keydb-custom
+# Helm chart tailored for KeyDB (EqAlpha) on 2 Raspberry Pi 5 nodes
+# - Mode: master (statefulset index 0) + replica (index 1)
+# - Replica runs as replicaof master at startup
+# - server-threads = 4
+# - Config mounted via ConfigMap
+# - Liveness / readiness probes included
+# - Persistence via PersistentVolumeClaim (storageClass configurable)
+# -----------------------------------------------------------------------------
+# Chart.yaml
+# -----------------------------------------------------------------------------
+apiVersion: v2
+name: redis
+description: A Helm chart for Kubernetes
+
+dependencies:
+- name: tool
+  version: 0.1.0
+  repository: https://gitea.arcodange.lab/api/packages/arcodange-org/helm
+- name: redis
+  version: 2.1.0
+  repository: https://charts.pascaliske.dev
+
+# A chart can be either an 'application' or a 'library' chart.
+#
+# Application charts are a collection of templates that can be packaged into versioned archives
+# to be deployed.
+#
+# Library charts provide useful utilities or functions for the chart developer. They're included as
+# a dependency of application charts to inject those utilities and functions into the rendering
+# pipeline. Library charts do not define any templates and therefore cannot be deployed.
+type: application
+version: 0.1.0
+appVersion: "latest"

redis/README.md

@@ -0,0 +1,2 @@
+
+Run `kubectl port-forward -n tools svc/redis 6379:6379` and launch `Redis Insights`

redis/templates/helm-chart-config.yaml

@@ -0,0 +1,3 @@
+{{- if eq .Values.tool.kind "HelmChart" -}}
+{{- include "tool.helm-chart-config.tpl" . -}}
+{{- end -}}

redis/templates/helm-chart.yaml

@@ -0,0 +1,3 @@
+{{- if eq .Values.tool.kind "HelmChart" -}}
+{{- include "tool.helm-chart.tpl" . -}}
+{{- end -}}

redis/values.yaml

@@ -0,0 +1,197 @@
+redis: &redis_config
+  image:
+    # -- The repository to pull the image from.
+    repository: redis
+    # -- The docker tag, if left empty chart's appVersion will be used.
+    # @default -- `.Chart.AppVersion`
+    tag: ''
+    # -- The pull policy for the controller.
+    pullPolicy: IfNotPresent
+
+  # -- Optionally supply image pull secrets.
+  imagePullSecrets: []
+
+  nameOverride: ''
+  fullnameOverride: ''
+
+  controller:
+    # -- Create a workload for this chart.
+    enabled: true
+    # -- Type of the workload object.
+    kind: StatefulSet
+    # -- The number of replicas.
+    replicas: 1
+    # -- Additional annotations for the controller object.
+    annotations: {}
+    # -- Additional labels for the controller object.
+    labels: {}
+
+  service:
+    # -- Create a service for exposing this chart.
+    enabled: true
+    # -- The service type used.
+    type: ClusterIP
+    # -- ClusterIP used if service type is `ClusterIP`.
+    clusterIP: ''
+    # -- LoadBalancerIP if service type is `LoadBalancer`.
+    loadBalancerIP: ''
+    # -- Allowed addresses when service type is `LoadBalancer`.
+    loadBalancerSourceRanges: []
+    # -- Additional annotations for the service object.
+    annotations: {}
+    # -- Additional labels for the service object.
+    labels: {}
+
+  serviceMonitor:
+    # -- Create a service monitor for prometheus operator.
+    enabled: false
+    # -- How frequently the exporter should be scraped.
+    interval: 30s
+    # -- Timeout value for individual scrapes.
+    timeout: 10s
+    # -- Additional annotations for the service monitor object.
+    annotations: {}
+    # -- Additional labels for the service monitor object.
+    labels: {}
+
+  redisExporter:
+    # -- Enable optional redis exporter instance as sidecar container.
+    enabled: false
+    # -- Image for the metric exporter
+    image:
+      # -- The repository to pull the image from.
+      repository: oliver006/redis_exporter
+      # -- The docker tag, if left empty latest will be used.
+      # @default -- `latest`
+      tag: 'latest'
+      # -- The pull policy for the exporter.
+      pullPolicy: IfNotPresent
+    # -- Pod-level security attributes. More info [here](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context).
+    securityContext:
+      runAsUser: 59000
+      runAsGroup: 59000
+      allowPrivilegeEscalation: false
+      capabilities:
+        drop:
+          - ALL
+    # -- Compute resources used by the container. More info [here](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
+    resources:
+      requests:
+        cpu: 10m
+        memory: 50Mi
+      limits:
+        cpu: 100m
+        memory: 100Mi
+
+  env:
+    # -- Timezone for the container.
+    - name: TZ
+      value: Europe/Paris
+
+  # -- List of extra arguments for the container.
+  extraArgs: []
+    # - --loglevel warning
+
+  ports:
+    redis:
+      # -- Enable the port inside the `Controller` and `Service` objects.
+      enabled: true
+      # -- The port used as internal port and cluster-wide port if `.service.type` == `ClusterIP`.
+      port: 6379
+      # -- The external port used if `.service.type` == `NodePort`.
+      nodePort: null
+      # -- The protocol used for the service.
+      protocol: TCP
+      # -- The application protocol for this port. Used as hint for implementations to offer richer behavior.
+      appProtocol: redis
+
+  persistentVolumeClaim:
+    # -- Create a new persistent volume claim object.
+    create: true
+    # -- Mount path of the persistent volume claim object.
+    mountPath: /data
+    # -- Access mode of the persistent volume claim object.
+    accessMode: ReadWriteOnce
+    # -- Volume mode of the persistent volume claim object.
+    volumeMode: Filesystem
+    # -- Storage request size for the persistent volume claim object.
+    size: 1Gi
+    # -- Storage class name for the persistent volume claim object.
+    storageClassName: ''
+    # -- Use an existing persistent volume claim object.
+    existingPersistentVolumeClaim: ''
+    # -- Additional annotations for the persistent volume claim object.
+    annotations: {}
+    # -- Additional labels for the persistent volume claim object.
+    labels: {}
+
+  serviceAccount:
+    # -- Specify the service account used for the controller.
+    name: ''
+
+  # -- Optional priority class name to be used for pods.
+  priorityClassName: ''
+
+  # -- Pod-level security attributes. More info [here](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context).
+  securityContext:
+    fsGroup: 999
+    runAsNonRoot: true
+    runAsGroup: 999
+    runAsUser: 999
+
+  # -- Compute resources used by the container. More info [here](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
+  resources: {}
+    # limits:
+    #   cpu: 100m
+    #   memory: 128Mi
+    # requests:
+    #   cpu: 100m
+    #   memory: 128Mi
+
+  # -- Pod-level affinity. More info [here](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling).
+  affinity: {}
+    # nodeAffinity:
+    #   requiredDuringSchedulingIgnoredDuringExecution:
+    #     nodeSelectorTerms:
+    #       - matchExpressions:
+    #           - key: kubernetes.io/hostname
+    #             operator: In
+    #             values:
+    #               - my-node-xyz
+
+  # -- Pod-level tolerations. More info [here](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling).
+  tolerations: []
+    # - key: node-role.kubernetes.io/control-plane
+    #   operator: Exists
+    #   effect: NoSchedule
+
+  # -- Pod-level node selector. More info [here](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling).
+  nodeSelector: {}
+    # label: value
+
+  # -- Specify any extra containers here as dictionary items - each should have its own key.
+  extraContainers: {}
+    # container:
+    #   name: my-container
+    #   image: my-org/my-image
+
+  # -- Specify extra volume mounts for the default containers.
+  extraVolumeMounts: []
+    # - name: my-volume
+    #   mountPath: /path/to/volume
+    #   readOnly: false
+
+  # -- Specify extra volumes for the workload.
+  extraVolumes: []
+    # - name: my-volume
+    #   secret:
+    #     secretName: my-secret
+
+
+tool:
+  # kind: 'SubChart' or 'HelmChart', if subchart then uncomment Chart.yaml dependency, else comment and use tool library with helm chart template
+  kind: 'SubChart'
+  repo: https://charts.pascaliske.dev
+  chart: redis
+  version: 2.1.0
+  values: *redis_config