create plausible clickhouse database

2025-12-10 13:00:14 +01:00
42 changed files with 47 additions and 1926 deletions
--- a/.gitea/workflows/crowdsec.yaml
+++ b/.gitea/workflows/crowdsec.yaml
@@ -16,11 +16,10 @@ concurrency:

 .vault_step: &vault_step
  name: read vault secret
-  uses: https://gitea.arcodange.lab/arcodange-org/vault-action.git@main
+  uses: https://gitea.arcodange.duckdns.org/arcodange-org/vault-action.git@main
  id: vault-secrets
  with:
-    url: https://vault.arcodange.lab
-    caCertificate: ${{ secrets.HOMELAB_CA_CERT }}
+    url: https://vault.arcodange.duckdns.org
    jwtGiteaOIDC: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
    role: gitea_cicd_crowdsec
    method: jwt
@@ -50,12 +49,12 @@ jobs:
    env:
      OPENTOFU_VERSION: 1.8.2
      TERRAFORM_VAULT_AUTH_JWT: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
-      VAULT_CACERT: "${{ github.workspace }}/homelab.pem"
    steps:
      - *vault_step
      - uses: actions/checkout@v4
-      - name: prepare vault self signed cert
-        run: echo -n "${{ secrets.HOMELAB_CA_CERT }}" | base64 -d > $VAULT_CACERT
+      # - uses: dflook/terraform-plan@v1
+      #   with:
+      #     path: hashicorp-vault/iac
      - name: terraform apply
        uses: dflook/terraform-apply@v1
        with:
--- a/.gitea/workflows/helmcharts.yaml
+++ b/.gitea/workflows/helmcharts.yaml
@@ -165,7 +165,7 @@ jobs:
          chart_package=${chart}-${chart_version}.tgz
          # helm package ${chart}
          tar -X ${chart}/.helmignore -czf ${chart_package} ${chart}
-          curl --user ${{ github.actor }}:${{ secrets.PACKAGES_TOKEN }} -X POST --upload-file ./${chart_package} https://gitea.arcodange.lab/api/packages/${{ github.repository_owner }}/helm/api/charts
+          curl --user ${{ github.actor }}:${{ secrets.PACKAGES_TOKEN }} -X POST --upload-file ./${chart_package} https://gitea.arcodange.duckdns.org/api/packages/${{ github.repository_owner }}/helm/api/charts

  application-charts:
    <<: *charts-matrix-job
--- a/.gitea/workflows/plausible.yaml
+++ b/.gitea/workflows/plausible.yaml
@@ -1,63 +0,0 @@
---
-# template source: https://github.com/bretfisher/docker-build-workflow/blob/main/templates/call-docker-build.yaml
-name: Plausible
-
-on: #[push,pull_request]
-  workflow_dispatch: {}
-  push: &plausiblePaths
-    paths:
-      - 'plausible/**/*.tf'
-  pull_request: *plausiblePaths
-
-# cancel any previously-started, yet still active runs of this workflow on the same branch
-concurrency:
-  group: ${{ github.ref }}-${{ github.workflow }}
-  cancel-in-progress: true
-
-.vault_step: &vault_step
-  name: read vault secret
-  uses: https://gitea.arcodange.lab/arcodange-org/vault-action.git@main
-  id: vault-secrets
-  with:
-    url: https://vault.arcodange.lab
-    caCertificate: ${{ secrets.HOMELAB_CA_CERT }}
-    jwtGiteaOIDC: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
-    role: gitea_cicd_plausible
-    method: jwt
-    path: gitea_jwt
-    secrets: |
-        kvv1/google/credentials credentials | GOOGLE_BACKEND_CREDENTIALS ;
-        kvv1/gitea/tofu_module_reader ssh_private_key | TERRAFORM_SSH_KEY ;
-
-jobs:
-  gitea_vault_auth:
-    name: Auth with gitea for vault
-    runs-on: ubuntu-latest
-    outputs:
-      gitea_vault_jwt: ${{steps.gitea_vault_jwt.outputs.id_token}}
-    steps:
-
-      - name: Auth with gitea for vault
-        id: gitea_vault_jwt
-        run: |
-          echo -n "${{ secrets.vault_oauth__sh_b64 }}" | base64 -d | bash
-
-  tofu:
-    name: Tofu - plausible IAC
-    needs:
-      - gitea_vault_auth
-    runs-on: ubuntu-latest
-    env:
-      OPENTOFU_VERSION: 1.8.2
-      TERRAFORM_VAULT_AUTH_JWT: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
-      VAULT_CACERT: "${{ github.workspace }}/homelab.pem"
-    steps:
-      - *vault_step
-      - uses: actions/checkout@v4
-      - name: prepare vault self signed cert
-        run: echo -n "${{ secrets.HOMELAB_CA_CERT }}" | base64 -d > $VAULT_CACERT
-      - name: terraform apply
-        uses: dflook/terraform-apply@v1
-        with:
-          path: plausible/iac
-          auto_approve: true
--- a/.gitea/workflows/vault.yaml
+++ b/.gitea/workflows/vault.yaml
@@ -16,11 +16,10 @@ concurrency:

 .vault_step: &vault_step
  name: read vault secret
-  uses: https://gitea.arcodange.lab/arcodange-org/vault-action.git@main
+  uses: https://gitea.arcodange.duckdns.org/arcodange-org/vault-action.git@main
  id: vault-secrets
  with:
-    url: https://vault.arcodange.lab
-    caCertificate: ${{ secrets.HOMELAB_CA_CERT }}
+    url: https://vault.arcodange.duckdns.org
    jwtGiteaOIDC: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
    role: gitea_cicd
    method: jwt
@@ -51,12 +50,12 @@ jobs:
    env:
      OPENTOFU_VERSION: 1.8.2
      TERRAFORM_VAULT_AUTH_JWT: ${{ needs.gitea_vault_auth.outputs.gitea_vault_jwt }}
-      VAULT_CACERT: "${{ github.workspace }}/homelab.pem"
    steps:
      - *vault_step
      - uses: actions/checkout@v4
-      - name: prepare vault self signed cert
-        run: echo -n "${{ secrets.HOMELAB_CA_CERT }}" | base64 -d > $VAULT_CACERT
+      # - uses: dflook/terraform-plan@v1
+      #   with:
+      #     path: hashicorp-vault/iac
      - name: terraform apply
        uses: dflook/terraform-apply@v1
        with:
--- a/chart/templates/apps.yaml
+++ b/chart/templates/apps.yaml
@@ -10,7 +10,7 @@ metadata:
 spec:
  project: tools
  source:
-    repoURL: https://gitea.arcodange.lab/arcodange-org/tools
+    repoURL: https://gitea.arcodange.duckdns.org/arcodange-org/tools
    targetRevision: HEAD
    path: {{ $app_name }}
  destination:
--- a/chart/templates/project.yaml
+++ b/chart/templates/project.yaml
@@ -10,7 +10,7 @@ metadata:
 spec:
  description: Arcodange tools (monitoring, cache, connection pool, secret management...)
  sourceRepos:
-  - 'https://gitea.arcodange.lab/arcodange-org/tools'
+  - 'https://gitea.arcodange.duckdns.org/arcodange-org/tools'
  # Only permit applications to deploy to the tools namespace in the same cluster
  destinations:
  - namespace: tools
--- a/chart/values.yaml
+++ b/chart/values.yaml
@@ -6,6 +6,4 @@ tools:
  crowdsec: {}
  redis: {}
  clickhouse: {}
-  grafana: {}
-  plausible: {}
-  prometheus: {}
+  grafana: {}
--- a/clickhouse/charts/databases/Chart.yaml
+++ b/clickhouse/charts/databases/Chart.yaml
@@ -21,4 +21,4 @@ version: 0.1.0
 # incremented each time you make changes to the application. Versions are not expected to
 # follow Semantic Versioning. They should reflect the version the application is using.
 # It is recommended to use it with quotes.
-appVersion: "24.12.6.70-alpine"
+appVersion: "0.0.0"
--- a/clickhouse/charts/databases/templates/init-databases-job.yaml
+++ b/clickhouse/charts/databases/templates/init-databases-job.yaml
@@ -5,15 +5,13 @@ metadata:
  labels:
    app.kubernetes.io/name: clickhouse-db-init
    app.kubernetes.io/instance: {{ .Release.Name }}
-  annotations:
-    checksum/config: {{ include (print $.Template.BasePath "/init-sql-configmap.yaml") . | sha256sum }}
 spec:
  template:
    spec:
      restartPolicy: OnFailure
      containers:
        - name: clickhouse-init
-          image: clickhouse/clickhouse-server:{{ .Chart.AppVersion }}
+          image: clickhouse/clickhouse-client:latest
          command: ["bash", "-c"]
          args:
            - |
--- a/clickhouse/charts/databases/templates/init-sql-configmap.yaml
+++ b/clickhouse/charts/databases/templates/init-sql-configmap.yaml
@@ -20,7 +20,5 @@ data:
    GRANT CREATE, SELECT, INSERT, ALTER, DROP
      ON {{ $db }}.*
      TO {{ $db }};
-    
-    GRANT SELECT ON system.* TO {{ $db }};

    {{- end }}
--- a/clickhouse/clickhouseValues.yaml
+++ b/clickhouse/clickhouseValues.yaml
@@ -158,15 +158,15 @@ resources: {}
  #   memory: 128Mi

 # -- Pod-level affinity. More info [here](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling).
-affinity:
-  nodeAffinity:
-    requiredDuringSchedulingIgnoredDuringExecution:
-      nodeSelectorTerms:
-      - matchExpressions:
-        - key: kubernetes.io/hostname
-          operator: NotIn
-          values:
-          - pi2
+affinity: {}
+  # nodeAffinity:
+  #   requiredDuringSchedulingIgnoredDuringExecution:
+  #     nodeSelectorTerms:
+  #       - matchExpressions:
+  #           - key: kubernetes.io/hostname
+  #             operator: In
+  #             values:
+  #               - my-node-xyz

 # -- Pod-level tolerations. More info [here](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling).
 tolerations: []
--- a/clickhouse/kustomization.yaml
+++ b/clickhouse/kustomization.yaml
@@ -1,6 +1,5 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
-namespace: tools

 helmGlobals:
 chartHome: charts
--- a/crowdsec/Chart.yaml
+++ b/crowdsec/Chart.yaml
@@ -5,7 +5,7 @@ description: A Helm chart for Kubernetes
 dependencies:
 - name: tool
  version: 0.1.0
-  repository: https://gitea.arcodange.lab/api/packages/arcodange-org/helm
+  repository: https://gitea.arcodange.duckdns.org/api/packages/arcodange-org/helm
 - name: crowdsec
  version: 0.20.1
  repository: https://crowdsecurity.github.io/helm-charts
--- a/crowdsec/iac/providers.tf
+++ b/crowdsec/iac/providers.tf
@@ -8,7 +8,7 @@ terraform {
 }

 provider "vault" {
-  address = "https://vault.arcodange.lab"
+  address = "https://vault.arcodange.duckdns.org"
  auth_login_jwt { # TERRAFORM_VAULT_AUTH_JWT environment variable
    mount = "gitea_jwt"
    role  = "gitea_cicd_crowdsec"
--- a/crowdsec/values.yaml
+++ b/crowdsec/values.yaml
@@ -23,8 +23,6 @@ crowdsec: &crowdsec_config
      - name: TZ
        value: Europe/Paris
  lapi:
-    strategy:
-      type: Recreate
    env:
      - name: TZ
        value: Europe/Paris
@@ -92,4 +90,4 @@ tool:
  repo: https://crowdsecurity.github.io/helm-charts
  chart: crowdsec
  version: 0.20.1
-  values: *crowdsec_config
+  values: *crowdsec_config
--- a/grafana/Chart.yaml
+++ b/grafana/Chart.yaml
@@ -16,7 +16,7 @@ description: A Helm chart for Kubernetes
 dependencies:
 - name: tool
  version: 0.1.0
-  repository: https://gitea.arcodange.lab/api/packages/arcodange-org/helm
+  repository: https://gitea.arcodange.duckdns.org/api/packages/arcodange-org/helm
 - name: grafana
  version: 10.3.0
  repository: https://grafana.github.io/helm-charts
--- a/grafana/values.yaml
+++ b/grafana/values.yaml
@@ -270,11 +270,11 @@ grafana: &grafana_config
      traefik.ingress.kubernetes.io/router.entrypoints: websecure
      traefik.ingress.kubernetes.io/router.tls: "true"
      traefik.ingress.kubernetes.io/router.tls.certresolver: letsencrypt
-      traefik.ingress.kubernetes.io/router.tls.domains.0.main: arcodange.lab
-      traefik.ingress.kubernetes.io/router.tls.domains.0.sans: grafana.arcodange.lab
+      traefik.ingress.kubernetes.io/router.tls.domains.0.main: arcodange.duckdns.org
+      traefik.ingress.kubernetes.io/router.tls.domains.0.sans: grafana.arcodange.duckdns.org
      traefik.ingress.kubernetes.io/router.middlewares: localIp@file
    hosts:
-      - grafana.arcodange.lab
+      - grafana.arcodange.duckdns.org

  resources:
   limits:
@@ -553,11 +553,11 @@ grafana: &grafana_config
            username: arcodange
          secureJsonData:
            password: clickhousearcodange
-        - name: Prometheus
-          type: prometheus
-          url: http://prometheus-server.tools.svc.cluster.local
-          access: proxy
-          isDefault: true
+  #    - name: Prometheus
+  #      type: prometheus
+  #      url: http://prometheus-prometheus-server
+  #      access: proxy
+  #      isDefault: true
  #    - name: CloudWatch
  #      type: cloudwatch
  #      access: proxy
@@ -695,15 +695,6 @@ grafana: &grafana_config
          disableDeletion: false
          options:
            path: /var/lib/grafana/dashboards/clickhouse
-        - name: 'grafana-dashboards-kubernetes'
-          orgId: 1
-          folder: 'Kubernetes'
-          type: file
-          disableDeletion: true
-          editable: true
-          options:
-            path: /var/lib/grafana/dashboards/grafana-dashboards-kubernetes
-
        # - name: 'default'
        #   orgId: 1
        #   folder: ''
@@ -737,26 +728,6 @@ grafana: &grafana_config
        url: "https://grafana.com/api/dashboards/23589/revisions/1/download"
        curlOptions: "-sLf"
        datasource: clickhouse
-    
-    grafana-dashboards-kubernetes:
-      k8s-system-api-server:
-        url: https://raw.githubusercontent.com/dotdc/grafana-dashboards-kubernetes/master/dashboards/k8s-system-api-server.json
-        token: ''
-      k8s-system-coredns:
-        url: https://raw.githubusercontent.com/dotdc/grafana-dashboards-kubernetes/master/dashboards/k8s-system-coredns.json
-        token: ''
-      k8s-views-global:
-        url: https://raw.githubusercontent.com/dotdc/grafana-dashboards-kubernetes/master/dashboards/k8s-views-global.json
-        token: ''
-      k8s-views-namespaces:
-        url: https://raw.githubusercontent.com/dotdc/grafana-dashboards-kubernetes/master/dashboards/k8s-views-namespaces.json
-        token: ''
-      k8s-views-nodes:
-        url: https://raw.githubusercontent.com/dotdc/grafana-dashboards-kubernetes/master/dashboards/k8s-views-nodes.json
-        token: ''
-      k8s-views-pods:
-        url: https://raw.githubusercontent.com/dotdc/grafana-dashboards-kubernetes/master/dashboards/k8s-views-pods.json
-        token: ''

    # default:
    #   some-dashboard:
--- a/hashicorp-vault/Chart.yaml
+++ b/hashicorp-vault/Chart.yaml
@@ -5,7 +5,7 @@ description: A Helm chart for Kubernetes
 dependencies:
 - name: tool
  version: 0.1.0
-  repository: https://gitea.arcodange.lab/api/packages/arcodange-org/helm
+  repository: https://gitea.arcodange.duckdns.org/api/packages/arcodange-org/helm
 - name: vault
  version: 0.28.1
  repository: https://helm.releases.hashicorp.com
--- a/hashicorp-vault/README.md
+++ b/hashicorp-vault/README.md
@@ -1,8 +1,8 @@
 # Vault

-1. Les [playbooks ansible](https://gitea.arcodange.lab/arcodange-org/factory/src/branch/main/ansible/arcodange/factory/playbooks) configurent la base de données postgres et le minimum requis pour permetre au dépot "tools" d'appliquer via un workflow gitea action [une configuration vault via tofu](./iac/).
+1. Les [playbooks ansible](https://gitea.arcodange.duckdns.org/arcodange-org/factory/src/branch/main/ansible/arcodange/factory/playbooks) configurent la base de données postgres et le minimum requis pour permetre au dépot "tools" d'appliquer via un workflow gitea action [une configuration vault via tofu](./iac/).
 2. Configuration des backend d'authentification et des roles pour postgres et kubernetes. Définition de rôles "${app}-ops" pour permettre au dépot d'une application de définir ses propres dépendances dans vault. Rotation de credentials postgres pour les applications.
-3. [Le dépot de l'application webapp](https://gitea.arcodange.lab/arcodange-org/webapp) gère l'obtention de ses crédentials pour postgres.
+3. [Le dépot de l'application webapp](https://gitea.arcodange.duckdns.org/arcodange-org/webapp) gère l'obtention de ses crédentials pour postgres.

 ```mermaid
 flowchart LR
--- a/hashicorp-vault/iac/providers.tf
+++ b/hashicorp-vault/iac/providers.tf
@@ -8,7 +8,7 @@ terraform {
 }

 provider "vault" {
-  address = "https://vault.arcodange.lab"
+  address = "https://vault.arcodange.duckdns.org"
  auth_login_jwt { # TERRAFORM_VAULT_AUTH_JWT environment variable
    mount = "gitea_jwt"
    role  = "gitea_cicd"
--- a/hashicorp-vault/iac/terraform.tfvars
+++ b/hashicorp-vault/iac/terraform.tfvars
@@ -1,7 +1,6 @@
 applications = [
  { name = "webapp" },
  { name = "erp" },
-  { name = "dance-lessons-coach" },
  {
    name                   = "cms"
    ops_policies               = ["factory__cf_r2_arcodange_tf"]
@@ -11,8 +10,4 @@ applications = [
    name = "crowdsec"
    service_account_namespaces = ["tools"]
  },
-  {
-    name = "plausible"
-    service_account_namespaces = ["tools"]
-  },
 ]
--- a/hashicorp-vault/values.yaml
+++ b/hashicorp-vault/values.yaml
@@ -15,11 +15,11 @@ vault: &vault_config
        traefik.ingress.kubernetes.io/router.entrypoints: websecure
        traefik.ingress.kubernetes.io/router.tls: "true"
        traefik.ingress.kubernetes.io/router.tls.certresolver: letsencrypt
-        traefik.ingress.kubernetes.io/router.tls.domains.0.main: arcodange.lab
-        traefik.ingress.kubernetes.io/router.tls.domains.0.sans: vault.arcodange.lab
+        traefik.ingress.kubernetes.io/router.tls.domains.0.main: arcodange.duckdns.org
+        traefik.ingress.kubernetes.io/router.tls.domains.0.sans: vault.arcodange.duckdns.org
        traefik.ingress.kubernetes.io/router.middlewares: localIp@file
      hosts:
-        - host: vault.arcodange.lab
+        - host: vault.arcodange.duckdns.org
          paths: []

  postStart: [] # https://github.com/hashicorp/vault-helm/blob/main/values.yaml
--- a/pgbouncer/Chart.yaml
+++ b/pgbouncer/Chart.yaml
@@ -5,7 +5,7 @@ description: A Helm chart for Kubernetes
 dependencies:
 - name: tool
  version: 0.1.0
-  repository: https://gitea.arcodange.lab/api/packages/arcodange-org/helm
+  repository: https://gitea.arcodange.duckdns.org/api/packages/arcodange-org/helm
 - name: pgbouncer
  version: 2.3.1
  repository: https://icoretech.github.io/helm
--- a/pgbouncer/values.yaml
+++ b/pgbouncer/values.yaml
@@ -15,7 +15,6 @@ pgbouncer: &pgbouncer_config
      auth_query: SELECT uname, phash FROM user_lookup($1)
      ignore_startup_parameters: extra_float_digits # unsupported jdbc extra_float_digits=2 argument
      server_reset_query: DEALLOCATE ALL # fix prepared statement already exist (crowdsec)
-      server_idle_timeout: 7200
  pgbouncerExporter:
    enabled: false

--- a/pgcat/Chart.yaml
+++ b/pgcat/Chart.yaml
@@ -5,7 +5,7 @@ description: A Helm chart for Kubernetes
 dependencies:
 - name: tool
  version: 0.1.0
-  repository: https://gitea.arcodange.lab/api/packages/arcodange-org/helm
+  repository: https://gitea.arcodange.duckdns.org/api/packages/arcodange-org/helm
 - name: pgcat
  version: 0.1.0
  repository: https://improwised.github.io/charts/
--- a/plausible/add-initcontainer.yaml
+++ b/plausible/add-initcontainer.yaml
@@ -1,36 +0,0 @@
- op: add
-  path: /spec/template/spec/containers/0/volumeMounts/-
-  value:
-    name: generated-secrets
-    mountPath: /run/secrets
- op: add
-  path: /spec/template/spec/initContainers/0/volumeMounts
-  value:
-    - name: generated-secrets
-      mountPath: /run/secrets
- op: add
-  path: /spec/template/spec/initContainers/0
-  value:
-    name: build-database-url
-    image: alpine:3.19
-    command: ["/bin/sh", "-c"]
-    args:
-      - |
-        echo "postgres://${DB_USER}:${DB_PASS}@${DB_HOST}:${DB_PORT}/${DB_NAME}" > /run/secrets/DATABASE_URL
-    volumeMounts:
-      - name: generated-secrets
-        mountPath: /run/secrets
-    env:
-      - name: DB_USER
-        valueFrom:
-          secretKeyRef:
-            name: plausible-db-credentials
-            key: username
-      - name: DB_PASS
-        valueFrom:
-          secretKeyRef:
-            name: plausible-db-credentials
-            key: password
-    envFrom:
-      - configMapRef:
-          name: plausible-config
--- a/plausible/iac/backend.tf
+++ b/plausible/iac/backend.tf
@@ -1,6 +0,0 @@
-terraform {
-  backend "gcs" {
-    bucket = "arcodange-tf"
-    prefix = "tools/plausible/main"
-  }
-}
--- a/plausible/iac/main.tf
+++ b/plausible/iac/main.tf
@@ -1,30 +0,0 @@
-module "app_roles" {
-  source = "git::ssh://git@192.168.1.202:2222/arcodange-org/tools.git//hashicorp-vault/iac/modules/app_roles?depth=1&ref=main"
-  name = "plausible"
-  service_account_namespaces = ["tools"]
-}
-
-# https://github.com/plausible/community-edition/wiki/configuration#database
-
-#SECRET_KEY_BASE (openssl rand -base64 48)
-#
-
-resource "random_password" "secret" {
-  for_each = toset(["48","32"])
-  length  = tonumber(each.value)
-  special = false
-}
-locals {
-  config = {
-    SECRET_KEY_BASE = base64encode(random_password.secret["48"].result)
-    TOTP_VAULT_KEY = base64encode(random_password.secret["32"].result)
-  }
-}
-
-resource "vault_kv_secret_v2" "config" {
-  mount                      = "kvv2"
-  name                       = "plausible/config"
-  cas                        = 1
-#   delete_all_versions        = true
-  data_json                  = jsonencode(local.config)
-}
--- a/plausible/iac/providers.tf
+++ b/plausible/iac/providers.tf
@@ -1,16 +0,0 @@
-terraform {
-  required_providers {
-    vault = {
-      source  = "vault"
-      version = "4.4.0"
-    }
-  }
-}
-
-provider "vault" {
-  address = "https://vault.arcodange.lab"
-  auth_login_jwt { # TERRAFORM_VAULT_AUTH_JWT environment variable
-    mount = "gitea_jwt"
-    role  = "gitea_cicd_plausible"
-  }
-}
--- a/plausible/kustomization.yaml
+++ b/plausible/kustomization.yaml
@@ -1,85 +0,0 @@
-apiVersion: kustomize.config.k8s.io/v1beta1
-kind: Kustomization
-namespace: tools
-
-# https://kubectl.docs.kubernetes.io/references/kustomize/builtins/#_helmchartinflationgenerator_
-helmCharts:
- name: plausible
-  repo: https://charts.pascaliske.dev
-  version: 2.0.0
-  releaseName: plausible
-  valuesFile: plausibleValues.yaml
-  namespace: tools
-
-patches:
-  - target:
-      kind: IngressRoute
-      name: plausible-route
-    patch: |-
-      - op: add
-        path: /spec/tls
-        value:
-          certResolver: letsencrypt
-          domains:
-          - main: arcodange.lab
-            sans:
-            - analytics.arcodange.lab
-
-resources:
-  - resources/vaultauth.yaml
-  - resources/vaultdynamicsecret.yaml
-  - resources/vaultsecret.yaml
-  - resources/configmap.yaml
-  - resources/geoipsecret.yaml
-  - resources/ingressroute.yaml
-
-patchesJson6902:
-  - target:
-      version: v1
-      kind: Deployment
-      name: plausible
-    patch: |-
-      - op: replace
-        path: /spec/template/spec/containers/1/env/2
-        value:
-          name: GEOIPUPDATE_LICENSE_KEY
-          valueFrom:
-            secretKeyRef:
-              name: plausible-geoip
-              key: LICENSE_KEY
-      - op: replace
-        path: /spec/template/spec/containers/1/env/4
-        value:
-          name: GEOIPUPDATE_EDITION_IDS
-          value: "GeoLite2-Country GeoLite2-City"
-      - op: add
-        path: /spec/template/spec/containers/0/env/2
-        value:
-          name: IP_GEOLOCATION_DB
-          value: /geoip/GeoLite2-City.mmdb
-      - op: add
-        path: /spec/template/spec/volumes/-
-        value:
-          name: generated-secrets
-          emptyDir:
-            medium: Memory
-      - op: add
-        path: /spec/template/spec/containers/0/envFrom
-        value:
-          - configMapRef:
-              name: plausible-config
-      - op: add
-        path: /spec/template/spec/initContainers/0/envFrom
-        value:
-          - configMapRef:
-              name: plausible-config
-      - op: replace
-        path: /spec/template/spec/initContainers/0/args
-        value:
-          - >-
-            sleep 10 && /entrypoint.sh db migrate
-  - target:
-      version: v1
-      kind: Deployment
-      name: plausible
-    path: add-initcontainer.yaml
--- a/plausible/plausibleValues.yaml
+++ b/plausible/plausibleValues.yaml
@@ -1,180 +0,0 @@
-image:
-  # -- The registry to pull the image from.
-  registry: ghcr.io
-  # -- The repository to pull the image from.
-  repository: plausible/community-edition
-  # -- The docker tag, if left empty chart's appVersion will be used.
-  # @default -- `.Chart.AppVersion`
-  tag: ''
-  # -- The pull policy for the controller.
-  pullPolicy: IfNotPresent
-
-nameOverride: ''
-fullnameOverride: ''
-
-controller:
-  # -- Create a workload for this chart.
-  enabled: true
-  # -- Type of the workload object.
-  kind: Deployment
-  # -- The number of replicas.
-  replicas: 1
-  # -- Additional annotations for the controller object.
-  annotations: {}
-  # -- Additional labels for the controller object.
-  labels: {}
-
-service:
-  # -- Create a service for exposing this chart.
-  enabled: true
-  # -- The service type used.
-  type: ClusterIP
-  # -- ClusterIP used if service type is `ClusterIP`.
-  clusterIP: ''
-  # -- LoadBalancerIP if service type is `LoadBalancer`.
-  loadBalancerIP: ''
-  # -- Allowed addresses when service type is `LoadBalancer`.
-  loadBalancerSourceRanges: []
-  # -- Additional annotations for the service object.
-  annotations: {}
-  # -- Additional labels for the service object.
-  labels: {}
-
-serviceMonitor:
-  # -- Create a service monitor for prometheus operator.
-  enabled: false
-  # -- How frequently the exporter should be scraped.
-  interval: 30s
-  # -- Timeout value for individual scrapes.
-  timeout: 10s
-  # -- Additional annotations for the service monitor object.
-  annotations: {}
-  # -- Additional labels for the service monitor object.
-  labels: {}
-
-ingressRoute:
-  # -- Create an IngressRoute object for exposing this chart.
-  create: true
-  # -- List of [entry points](https://doc.traefik.io/traefik/routing/routers/#entrypoints) on which the ingress route will be available.
-  entryPoints: [websecure]
-  # -- [Matching rule](https://doc.traefik.io/traefik/routing/routers/#rule) for the underlying router.
-  rule: Host(`analytics.arcodange.lab`)
-  # -- List of [middleware objects](https://doc.traefik.io/traefik/routing/providers/kubernetes-crd/#kind-middleware) for the ingress route.
-  middlewares:
-    - name: localIp@file
-  # -- Use an existing secret containing the TLS certificate.
-  tlsSecretName: ''
-  # -- Additional annotations for the ingress route object.
-  annotations: {}
-  # -- Additional labels for the ingress route object.
-  labels: {}
-
-certificate:
-  # -- Create an Certificate object for the exposed chart.
-  create: false
-  # -- List of subject alternative names for the certificate.
-  dnsNames: []
-  # -- Name of the secret in which the certificate will be stored. Defaults to the first item in dnsNames.
-  secretName: ''
-  issuerRef:
-    # -- Type of the referenced certificate issuer. Can be "Issuer" or "ClusterIssuer".
-    kind: ClusterIssuer
-    # -- Name of the referenced certificate issuer.
-    name: ''
-  # -- Additional annotations for the certificate object.
-  annotations: {}
-  # -- Additional labels for the certificate object.
-  labels: {}
-
-env:
-  # -- Timezone for the container.
-  - name: TZ
-    value: Europe/Paris
-
-ports:
-  http:
-    # -- Enable the port inside the `Deployment` and `Service` objects.
-    enabled: true
-    # -- The port used as internal port and cluster-wide port if `.service.type` == `ClusterIP`.
-    port: 8000
-    # -- The external port used if `.service.type` == `NodePort`.
-    nodePort: null
-    # -- The protocol used for the service.
-    protocol: TCP
-
-secret:
-  # -- Create a new secret object.
-  create: false
-  # -- Use an existing secret object.
-  existingSecret: 'plausible-config'
-  # -- Secret values used when not using an existing secret. Helm templates are supported for values.
-  values:
-    # -- Secret key for session tokens.
-    SECRET_KEY_BASE: '{{ randAlphaNum 42 | b64enc }}'
-    # -- Encryption token for TOTP secrets.
-    TOTP_VAULT_KEY: '{{ randAlphaNum 32 | b64enc }}'
-
-  # -- Additional annotations for the secret object.
-  annotations: {}
-  # -- Additional labels for the secret object.
-  labels: {}
-
-geoip:
-  # -- Enable support for MaxMinds GeoLite2 database.
-  enabled: true
-  image:
-    # -- The repository for the geoip image.
-    repository: ghcr.io/maxmind/geoipupdate
-    # -- The docker tag for the geoip image.
-    tag: v7.1.1
-  # -- Required. MaxMind account ID.
-  accountId: '1266329'
-  # -- Required. Case-sensitive MaxMind license key.
-  # licenseKey: 'kvv2/data/plausible/geoip LICENSE_KEY'
-  # -- Optional. Database update frequency. Defaults to "168" which equals 7 days.
-  frequency: 168
-  # -- Optional. Specify the database mount path inside the containers.
-  mountPath: /geoip
-
-serviceAccount:
-  # -- Create a `ServiceAccount` object.
-  create: true
-  # -- Specify the service account used for the controller.
-  name: ''
-  # -- Additional annotations for the service account object.
-  annotations: {}
-  # -- Additional labels for the service account object.
-  labels: {}
-
-# -- Pod-level security attributes. More info [here](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#security-context).
-securityContext: {}
-  # fsGroup: 1000
-  # runAsNonRoot: true
-  # runAsGroup: 1000
-  # runAsUser: 1000
-
-# -- Compute resources used by the container. More info [here](https://kubernetes.io/docs/concepts/configuration/manage-resources-containers/).
-resources: {}
-  # limits:
-  #   cpu: 100m
-  #   memory: 128Mi
-  # requests:
-  #   cpu: 100m
-  #   memory: 128Mi
-
-# -- Pod-level affinity. More info [here](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling).
-affinity: {}
-  # nodeAffinity:
-  #   requiredDuringSchedulingIgnoredDuringExecution:
-  #     nodeSelectorTerms:
-  #       - matchExpressions:
-  #           - key: kubernetes.io/hostname
-  #             operator: In
-  #             values:
-  #               - my-node-xyz
-
-# -- Pod-level tolerations. More info [here](https://kubernetes.io/docs/reference/kubernetes-api/workload-resources/pod-v1/#scheduling).
-tolerations: []
-  # - key: node-role.kubernetes.io/control-plane
-  #   operator: Exists
-  #   effect: NoSchedule
--- a/plausible/resources/configmap.yaml
+++ b/plausible/resources/configmap.yaml
@@ -1,21 +0,0 @@
-apiVersion: v1
-kind: ConfigMap
-metadata:
-  name: plausible-config
-  namespace: tools
-# Doc: https://github.com/plausible/community-edition/wiki/Configuration
-data:
-  DB_HOST: pgbouncer.tools
-  DB_PORT: !!str 5432
-  DB_NAME: plausible
-
-  BASE_URL: https://analytics.arcodange.lab
-
-  CLICKHOUSE_DATABASE_URL: http://plausible:plausiblearcodange@clickhouse.tools:8123/plausible
-
-
-  DB_POOL_SIZE: "30"
-  DB_QUEUE_TARGET: "10000"  # 10 secondes
-  DB_CONNECT_TIMEOUT: "30000"  # 30 secondes
-  DB_RECONNECT_ATTEMPTS: "5"
-  DB_RECONNECT_DELAY: "5000"
--- a/plausible/resources/geoipsecret.yaml
+++ b/plausible/resources/geoipsecret.yaml
@@ -1,24 +0,0 @@
-apiVersion: secrets.hashicorp.com/v1beta1
-kind: VaultStaticSecret
-metadata:
-  name: plausible-geoip
-  namespace: tools
-spec:
-  type: kv-v2
-
-  # mount path
-  mount: kvv2
-
-  # path of the secret
-  path: plausible/geoip
-
-  # dest k8s secret
-  destination:
-    name: plausible-geoip
-    create: true
-
-  # static secret refresh interval
-  refreshAfter: 30s
-
-  # Name of the CRD to authenticate to Vault
-  vaultAuthRef: plausible
--- a/plausible/resources/ingressroute.yaml
+++ b/plausible/resources/ingressroute.yaml
@@ -1,20 +0,0 @@
-apiVersion: traefik.io/v1alpha1
-kind: IngressRoute
-metadata:
-  name: plausible-external
-  labels:
-    app.kubernetes.io/instance: plausible
-    app.kubernetes.io/name: plausible
-spec:
-  entryPoints:
-    - web
-  routes:
-    - kind: Rule
-      match: Host(`analytics.arcodange.fr`) && (PathPrefix(`/api/event`) || PathPrefix(`/js/`))
-      middlewares:
-        - name: kube-system-crowdsec@kubernetescrd
-      services:
-        - kind: Service
-          name: plausible-web
-          namespace: tools
-          port: 8000
--- a/plausible/resources/vaultauth.yaml
+++ b/plausible/resources/vaultauth.yaml
@@ -1,14 +0,0 @@
-apiVersion: secrets.hashicorp.com/v1beta1
-kind: VaultAuth
-metadata:
-  name: plausible
-  namespace: tools
-spec:
-  vaultConnectionRef: default
-  method: kubernetes
-  mount: kubernetes
-  kubernetes:
-    role: plausible
-    serviceAccount: plausible
-    audiences:
-      - vault
--- a/plausible/resources/vaultdynamicsecret.yaml
+++ b/plausible/resources/vaultdynamicsecret.yaml
@@ -1,25 +0,0 @@
-apiVersion: secrets.hashicorp.com/v1beta1
-kind: VaultDynamicSecret
-metadata:
-  name: plausible-db-credentials
-  namespace: tools
-spec:
-
-  # Mount path of the secrets backend
-  mount: postgres
-
-  # Path to the secret
-  path: creds/plausible
-
-  # Where to store the secrets, VSO will create the secret
-  destination:
-    create: true
-    name: plausible-db-credentials
-
-  # Restart these pods when secrets rotated
-  rolloutRestartTargets:
-  - kind: Deployment
-    name: plausible
-
-  # Name of the CRD to authenticate to Vault
-  vaultAuthRef: plausible
--- a/plausible/resources/vaultsecret.yaml
+++ b/plausible/resources/vaultsecret.yaml
@@ -1,24 +0,0 @@
-apiVersion: secrets.hashicorp.com/v1beta1
-kind: VaultStaticSecret
-metadata:
-  name: plausible
-  namespace: tools
-spec:
-  type: kv-v2
-
-  # mount path
-  mount: kvv2
-
-  # path of the secret
-  path: plausible/config
-
-  # dest k8s secret
-  destination:
-    name: plausible-config
-    create: true
-
-  # static secret refresh interval
-  refreshAfter: 30s
-
-  # Name of the CRD to authenticate to Vault
-  vaultAuthRef: plausible
--- a/prometheus/Chart.yaml
+++ b/prometheus/Chart.yaml
@@ -1,23 +0,0 @@
-apiVersion: v2
-name: prometheus
-description: A Helm chart for Kubernetes
-
-dependencies:
- name: tool
-  version: 0.1.0
-  repository: https://gitea.arcodange.lab/api/packages/arcodange-org/helm
- name: prometheus
-  version: 28.13.0
-  repository: https://prometheus-community.github.io/helm-charts
-
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
-type: application
-version: 0.1.0
-appVersion: "v3.10.0"
--- a/prometheus/templates/helm-chart-config.yaml
+++ b/prometheus/templates/helm-chart-config.yaml
@@ -1,3 +0,0 @@
-{{- if eq .Values.tool.kind "HelmChart" -}}
-{{- include "tool.helm-chart-config.tpl" . -}}
-{{- end -}}
--- a/prometheus/templates/helm-chart.yaml
+++ b/prometheus/templates/helm-chart.yaml
@@ -1,3 +0,0 @@
-{{- if eq .Values.tool.kind "HelmChart" -}}
-{{- include "tool.helm-chart.tpl" . -}}
-{{- end -}}
--- a/prometheus/values.yaml
+++ b/prometheus/values.yaml
--- a/redis/Chart.yaml
+++ b/redis/Chart.yaml
@@ -16,7 +16,7 @@ description: A Helm chart for Kubernetes
 dependencies:
 - name: tool
  version: 0.1.0
-  repository: https://gitea.arcodange.lab/api/packages/arcodange-org/helm
+  repository: https://gitea.arcodange.duckdns.org/api/packages/arcodange-org/helm
 - name: redis
  version: 2.1.0
  repository: https://charts.pascaliske.dev