Public GitOps repository for showing how I run my services on k3s https://tobru.ch/
This repository has been archived on 2023-04-02. You can view files and clone it, but cannot push or open issues or pull requests.
Renovate Bot f6de7f73e4
Update quay.io/jetstack/cert-manager-cainjector Docker tag to v1.11.0
2023-03-16 18:45:17 +00:00
_apps disable renovate autosync 2023-03-08 10:30:43 +01:00
_test only warn for some policies 2020-05-04 21:15:38 +02:00
acmedns disable registration 2021-11-13 09:35:03 +01:00
argocd only cm once 2022-09-16 21:13:11 +02:00
cert-manager Update quay.io/jetstack/cert-manager-cainjector Docker tag to v1.11.0 2023-03-16 18:45:17 +00:00
docspell set weasyprint to convert pdfs 2023-01-28 19:25:28 +01:00
drone Update dependency docker.io/drone/drone to v2.12.1 2022-06-15 16:45:17 +00:00
familydb always pull image 2021-05-04 20:54:17 +02:00
graphs update grafana chart 2022-09-16 21:05:40 +02:00
headscale entry for argocd 2023-03-15 20:23:26 +01:00
healthcheck correct ns for hc 2021-08-26 23:12:21 +02:00
influxdb modernize influx ingress 2022-09-16 21:35:24 +02:00
ioteer traccar env var 2021-10-19 21:05:08 +02:00
ipapi fix ingresses 2021-12-13 20:23:05 +01:00
k8up install k8up crds 2021-12-15 20:24:40 +01:00
kube-cleanup-operator Update quay.io/lwolf/kube-cleanup-operator Docker tag to v0.8.2 2021-07-09 18:00:52 +00:00
kube-system add traefik redirect middleware 2022-07-12 21:29:58 +02:00
linkding Update sissbruecker/linkding Docker tag to v1.15.0 2022-09-11 16:43:40 +00:00
mealie Update docker.io/hkotel/mealie Docker tag to v0.5.6 2022-02-05 17:43:25 +00:00
miniflux Merge pull request 'Update docker.io/postgres Docker tag to v13.8' (#1000) from renovate/docker.io-postgres-13.x into master 2022-08-16 18:28:55 +00:00
mosquitto add addnl ttn conn 2023-01-20 21:04:31 +01:00
mqttwarn add rssi 2023-01-20 21:45:07 +01:00
odoo pull odoo addons in initcontainer 2022-08-05 22:22:15 +02:00
owntracks set http prefix for tours 2022-09-16 21:47:34 +02:00
pylokid update pylokid for mailbox.org migration 2022-12-13 20:19:04 +01:00
renovate Update renovate/renovate Docker tag to v35 2023-03-12 18:44:30 +00:00
sealed-secrets correct ns 2023-01-20 21:03:53 +01:00
stakater-reloader Update stakater/reloader Docker tag to v1.0.15 2023-03-11 18:44:02 +00:00
system-upgrade-controller Update dependency rancher/system-upgrade-controller to v0.9.1 2022-03-22 17:44:38 +00:00
tobru-ch Update ghost Docker tag to v5.38.0 2023-03-11 18:45:36 +00:00
traccar Update docker.io/mariadb Docker tag to v10.9 2022-08-24 16:43:49 +00:00
.drone.yml use kubernetes for drone build 2021-08-24 21:38:05 +02:00
.envrc add envrc and gitignore 2023-03-08 10:29:57 +01:00
.gitignore add envrc and gitignore 2023-03-08 10:29:57 +01:00
README.md rshared info 2021-08-24 20:09:26 +02:00
renovate.json statping is gone 2021-09-09 20:15:42 +02:00

README.md

GitOps for tbrnt k3s hosting


Repo structure

  • Each subdirectory is a namespace
  • _apps is the meta directory for Argo CD apps
  • Another private repo contains the same material in a more approachable format, e.g. for updating sealed-secrets: gitops-tbrnt-private
  • _tests contains some Open Policy Agent rego files that the Drone CI pipeline uses to validate the configuration.

Usage

Argo CD

Access

Either

sudo -E kubefwd svc -n argocd and then https://argocd-server/

or

kubectl port-forward svc/argocd-server -n argocd 8080:443 and then https://localhost:8080/

CLI

  • argocd login argocd-server
  • argocd app list
  • argocd app sync <name>

Kubeseal (Sealed Secrets)

See the README of the individual apps. Basically:

kubeseal --controller-namespace sealed-secrets -o yaml -n MYNS < ../../gitops-tbrnt-private/MYNS/MYSECRET.yaml > MYSECRET-secret.yaml

Bootstrap GitOps

After installing k3s, do:

# install Argo CD
kubectl create ns argocd
kubectl apply -n argocd -f https://raw.githubusercontent.com/argoproj/argo-cd/stable/manifests/install.yaml
# print the argocd-server pod name (older Argo CD releases use it as the initial admin password)
kubectl get pods -n argocd -l app.kubernetes.io/name=argocd-server -o name | cut -d'/' -f 2
argocd login argocd-server

# Restore Sealed Secrets secret key (must happen before any SealedSecret is synced)
kubectl create ns sealed-secrets
kubectl apply -f ../gitops-tbrnt-private/sealed-secrets/master-key.yaml

# Instantiate Argo Root App
kubectl apply -f _apps/apps.yaml

# Let Argo CD do its job
argocd app sync apps
argocd app sync sealed-secrets
argocd app sync -l app.kubernetes.io/instance=apps
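The two Sealed Secrets steps on this page (sealing a plain Secret with kubeseal in the section above, and restoring the controller's master key during bootstrap) are the points where a namespace mix-up or a broken key backup silently breaks every secret in the cluster. The helpers below are an added example and not part of the gitops-tbrnt repository: they take the target namespace from the Secret manifest itself instead of a hand-typed MYNS, and refuse to apply a master-key backup that is not a kubernetes.io/tls Secret in the sealed-secrets namespace carrying the controller's key label. The YAML handling is a deliberately simple grep/sed over single-document manifests with two-space indentation and unquoted scalars as kubectl writes them (an assumption of this example); kubeseal and kubectl are only needed when the seal/restore wrappers are actually invoked.

```shell
#!/bin/sh
# Added example, not code from the gitops-tbrnt repository.
# Assumes single-document YAML manifests in the shape kubectl emits
# (two-space indent, unquoted scalars) and a Sealed Secrets controller
# running in the "sealed-secrets" namespace, as on this page.

CONTROLLER_NS=sealed-secrets

# yaml_field FILE KEY: print the value of the first "KEY: value" line in FILE.
# Sufficient for metadata.name / metadata.namespace of a Secret manifest.
yaml_field() {
  sed -n "s/^[[:space:]]*$2:[[:space:]]*//p" "$1" | head -n 1
}

# check_sealed_secrets_key FILE: sanity-check a backed-up master key before
# applying it. Every failed requirement is reported; returns 1 if any fails.
# The controller looks for key Secrets in its own namespace via the label
# sealedsecrets.bitnami.com/sealed-secrets-key, which it sets to "active".
check_sealed_secrets_key() {
  f=$1
  rc=0
  grep -Eq '^kind:[[:space:]]*Secret[[:space:]]*$' "$f" \
    || { echo "$f: kind is not Secret" >&2; rc=1; }
  grep -Eq '^type:[[:space:]]*kubernetes\.io/tls' "$f" \
    || { echo "$f: type is not kubernetes.io/tls" >&2; rc=1; }
  grep -Eq '^[[:space:]]+sealedsecrets\.bitnami\.com/sealed-secrets-key:[[:space:]]*active' "$f" \
    || { echo "$f: missing label sealedsecrets.bitnami.com/sealed-secrets-key=active" >&2; rc=1; }
  grep -Eq '^[[:space:]]+tls\.key:' "$f" \
    || { echo "$f: no tls.key entry (private key missing)" >&2; rc=1; }
  [ "$(yaml_field "$f" namespace)" = "$CONTROLLER_NS" ] \
    || { echo "$f: namespace is not $CONTROLLER_NS" >&2; rc=1; }
  return "$rc"
}

# seal_secret SECRET_FILE OUT_FILE: the kubeseal command from the README, but
# with the namespace taken from the Secret itself, so the resulting
# SealedSecret is always scoped to the namespace the plain Secret declares.
seal_secret() {
  src=$1
  out=$2
  ns=$(yaml_field "$src" namespace)
  name=$(yaml_field "$src" name)
  if [ -z "$ns" ] || [ -z "$name" ]; then
    echo "$src: metadata.name and metadata.namespace are required" >&2
    return 1
  fi
  kubeseal --controller-namespace "$CONTROLLER_NS" -o yaml -n "$ns" < "$src" > "$out"
}

# restore_master_key FILE: the "Restore Sealed Secrets secret key" bootstrap
# step, refusing to apply a file that fails the checks above.
restore_master_key() {
  check_sealed_secrets_key "$1" || return 1
  kubectl get ns "$CONTROLLER_NS" >/dev/null 2>&1 || kubectl create ns "$CONTROLLER_NS"
  kubectl apply -f "$1"
}

# Usage: sealctl.sh check KEY.yaml | seal SECRET.yaml OUT.yaml | restore KEY.yaml
case "${1:-}" in
  check)   check_sealed_secrets_key "$2" ;;
  seal)    seal_secret "$2" "$3" ;;
  restore) restore_master_key "$2" ;;
  *)       : ;;   # sourced or run without a subcommand: only define the functions
esac
```

Running `restore` before `argocd app sync sealed-secrets` keeps the bootstrap order from the block above intact while catching the common mistake of restoring a key backup taken from a controller in a different namespace.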

TODO:

  • Restore PVCs via K8up

k3s on Alpine

Installing: Alpine

Basically follow the Alpine wiki.

Then install prerequisites and some essential packages:

apk add \
  vim \
  iptables \
  wireguard-virt \
  bash \
  curl

This needs the community repository enabled in /etc/apk/repositories.

Tweak Sysctl in /etc/sysctl.conf:

fs.inotify.max_user_instances = 8192
fs.inotify.max_user_watches = 524288

Add the rshared mount option to the root filesystem so that node-exporter works correctly.

Installing: k3s

Via k3sup:

k3sup install \
  --ip=185.95.218.11 \
  --user=root \
  --local-path=~/.kube/config_knurrli2 \
  --sudo=false \
  --k3s-extra-args='--tls-san knurrli.tobrunet.ch --cluster-cidr 10.44.0.0/16 --flannel-backend wireguard'

Helpful info

Paths

  • Volumes: /var/lib/rancher/k3s/storage/
  • Config: /etc/rancher/k3s/
  • Manifests: /var/lib/rancher/k3s/server/manifests/

Links

Configure Wireguard

/etc/network/interfaces

auto wg0
iface wg0 inet static
    address 10.42.42.16
    netmask 255.255.255.0
    pre-up ip link add dev wg0 type wireguard
    pre-up wg setconf wg0 /etc/wireguard/wg0.conf
    post-up ip route add 10.42.42.0/24 dev wg0
    post-down ip link delete dev wg0