Earthfile

 VERSION 0.7
 
-
 # images builds all container images in the Repository
 images:
     ARG CONTAINER_REGISTRY=quay.io/shivering-isles
     BUILD +images-earthly --CONTAINER_REGISTRY=${CONTAINER_REGISTRY}
-    BUILD +images-dockerfile --CONTAINER_REGISTRY=${CONTAINER_REGISTRY}
 
 images-src:
-    FROM quay.io/fedora/fedora:38
+    FROM quay.io/fedora/fedora:39
     COPY images/ ./images
 
 images-earthly:
@@ -18,14 +16,6 @@ images-earthly:
         BUILD "${dir}+container" --registry="$CONTAINER_REGISTRY/$(basename ${dir})"
     END
 
-images-dockerfile:
-    FROM +images-src
-    ARG CONTAINER_REGISTRY=quay.io/shivering-isles
-    FOR dir IN $(find ./images -type d -execdir test -f {}/Dockerfile -a \! -e {}/Earthfile -a \! -e {}/.skip-earthly \; -print)
-        FROM DOCKERFILE -f "${dir}/Dockerfile" "${dir}"
-        SAVE IMAGE "$CONTAINER_REGISTRY/$(basename ${dir})"
-    END
-
 # changelog generates a local RELEASENOTES.md file using git-chglog
 changelog:
   FROM quay.io/git-chglog/git-chglog:0.15.4
@@ -43,7 +33,13 @@ merge:
     RUN git push
     RUN git push origin --delete ${branch}
 
+# rotate will rotate encryption keys in sops-encrypted files
 rotate:
     LOCALLY
     RUN grep -Ril "sops:" ./**/*.yaml | xargs sops -r -i
 
+# enable-autoupdates enables the fedora autoupdating form the system-upgrades namespace
+enable-autoupdates:
+    LOCALLY
+    ARG --required node
+    RUN kubectl label node "${node}" upgrade.shivering-isles.com/fedora-autoupdate=true

apps/base/gitlab-runner/release.yaml

@@ -14,7 +14,7 @@ spec:
         kind: HelmRepository
         name: gitlab-runner
         namespace: gitlab-runner
-      version: 0.58.1
+      version: 0.59.2
   interval: 5m
   install:
     remediation:

apps/base/goharbor/release.yaml

@@ -13,7 +13,7 @@ spec:
       sourceRef:
         kind: HelmRepository
         name: goharbor
-      version: 1.13.0
+      version: 1.13.1
   interval: 5m
   install:
     remediation:

apps/base/immich/database.yaml

@@ -14,6 +14,13 @@ spec:
     - createdb
   databases:
     immich: immich
+  preparedDatabases:
+    immich:
+      schemas:
+        public: {}
+      extensions:
+        cube: public
+        earthdistance: public
   postgresql:
     version: "15"
   spiloFSGroup: 103
@@ -37,4 +44,4 @@ spec:
     kind: Issuer
     group: cert-manager.io
   usages:
-    - server auth
\ No newline at end of file
+    - server auth

apps/base/immich/release.yaml

@@ -14,6 +14,7 @@ spec:
         kind: HelmRepository
         name: immich
         namespace: immich
+      version: 0.2.0
   interval: 5m
   valuesFrom:
     - kind: ConfigMap
@@ -63,7 +64,7 @@ data:
       NODE_EXTRA_CA_CERTS: /ca/ca.crt
     image:
       # renovate: datasource=git-tags depName=https://github.com/immich-app/immich.git versioning=semver
-      tag: v1.83.0
+      tag: v1.89.0
     immich:
       persistence:
         library:

apps/base/matrix/release.yaml

@@ -14,7 +14,7 @@ spec:
         kind: HelmRepository
         name: matrix-synapse
         namespace: matrix
-      version: 3.7.9
+      version: 3.7.13
   interval: 5m
   install:
     remediation:

apps/base/renovate/release.yaml

@@ -13,7 +13,7 @@ spec:
       sourceRef:
         kind: HelmRepository
         name: renovate
-      version: 37.13.0
+      version: 37.57.2
   interval: 5m
   valuesFrom:
     - kind: ConfigMap

apps/base/uptime-kuma/release.yaml

@@ -13,7 +13,7 @@ spec:
         kind: HelmRepository
         name: uptime-kuma
         namespace: uptime-kuma
-      version: 2.14.2
+      version: 2.15.0
   interval: 5m
   install:
     remediation:

apps/k8s01/blog/blog.yaml

@@ -18,7 +18,7 @@ spec:
       automountServiceAccountToken: false
       containers:
         - name: blog
-          image: quay.io/shivering-isles/blog:2023.10.31.1578
+          image: quay.io/shivering-isles/blog:2023.11.27.1604
           ports:
             - containerPort: 8080
               protocol: TCP

apps/k8s01/dns/dns.yaml

 ---
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: blocky-config
+  labels:
+    app: resolver
+data:
+  config.yaml: |
+    ports:
+      dns: 53
+      tls: 853
+      https: 443
+      http: 80
+    upstreams:
+      groups:
+        default:
+          - https://dns.quad9.net/dns-query
+          - tcp-tls:dns.quad9.net:853
+    bootstrapDns:
+      - https://1.1.1.1/dns-query
+      - tcp+udp:9.9.9.9
+    startVerifyUpstream: true
+    caching:
+      minTime: 5m
+      maxItemsCount: 262144
+      prefetching: true
+      prefetchMaxItemsCount: 131072
+    prometheus:
+      enable: true
+    fqdnOnly:
+      enable: true
+    certFile: /etc/pki/blocky/tls.crt
+    keyFile: /etc/pki/blocky/tls.key
+---
 apiVersion: apps/v1
 kind: Deployment
 metadata:
@@ -16,70 +50,90 @@ spec:
         app: resolver
     spec:
       containers:
-        - name: dnsproxy
-          image: quay.io/sheogorath/dnsproxy:0.54.0
+        - name: blocky
+          image: ghcr.io/0xerr0r/blocky:main@sha256:5835ff7feb93fc8b5484125f9c1c4b82546f626b09773bebfd839ded691e2912
           args:
-            - /dnsproxy
-            - --upstream=https://dns.quad9.net/dns-query
-            - --bootstrap=9.9.9.9
-            - --cache
-            # 96Mi
-            - --cache-size=100663296
-            - --cache-min-ttl=300
-            - --cache-optimistic
-            # Enable DoT
-            - --tls-port=853
-            - --tls-crt=/etc/pki/dnsproxy/tls.crt
-            - --tls-key=/etc/pki/dnsproxy/tls.key
+            - --config
+            - /etc/blocky/config.yaml
+          env:
+            - name: GOMEMLIMIT
+              valueFrom:
+                resourceFieldRef:
+                  resource: limits.memory
+            - name: GOMAXPROCS
+              valueFrom:
+                resourceFieldRef:
+                  resource: limits.cpu
           ports:
             - containerPort: 53
               protocol: TCP
+              name: dns53tcp
             - containerPort: 53
               protocol: UDP
+              name: dns53udp
             - containerPort: 853
               protocol: TCP
+              name: dot
+            - containerPort: 80
+              protocol: TCP
+              name: http
+          readinessProbe:
+            exec:
+              command:
+              - /app/blocky
+              - healthcheck
+            initialDelaySeconds: 5
+            periodSeconds: 5
           resources:
             requests:
-              cpu: 100m
+              cpu: 200m
               memory: 256Mi
             limits:
-              cpu: 100m
+              cpu: 200m
               memory: 256Mi
           volumeMounts:
             - name: tls-secret
-              mountPath: "/etc/pki/dnsproxy"
+              mountPath: "/etc/pki/blocky"
               readOnly: true
+            - name: config
+              mountPath: "/etc/blocky/"
           securityContext:
             allowPrivilegeEscalation: false
             capabilities:
               drop:
                 - ALL
+              add:
+                - NET_BIND_SERVICE
       automountServiceAccountToken: false
       volumes:
         - name: tls-secret
           secret:
             secretName: ingress-dns-tls
             optional: false
+        - name: config
+          configMap:
+            name: blocky-config
+            optional: false
       securityContext:
         runAsNonRoot: true
         runAsUser: 1000
         runAsGroup: 1000
         seccompProfile:
           type: RuntimeDefault
-        sysctls:
-          - name: 'net.ipv4.ip_unprivileged_port_start'
-            value: "0"
 ---
 apiVersion: v1
 kind: Service
 metadata:
   name: dns53-tcp
+  labels:
+    app: resolver
   annotations:
     metallb.universe.tf/allow-shared-ip: "dns"
 spec:
   type: LoadBalancer
   selector:
     app: resolver
+  externalTrafficPolicy: Local
   ports:
     - name: dns53tcp
       protocol: TCP
@@ -90,12 +144,15 @@ apiVersion: v1
 kind: Service
 metadata:
   name: dns53-udp
+  labels:
+    app: resolver
   annotations:
     metallb.universe.tf/allow-shared-ip: "dns"
 spec:
   type: LoadBalancer
   selector:
     app: resolver
+  externalTrafficPolicy: Local
   ports:
     - name: dns53udp
       protocol: UDP
@@ -106,18 +163,41 @@ apiVersion: v1
 kind: Service
 metadata:
   name: dns-over-tls
+  labels:
+    app: resolver
   annotations:
     metallb.universe.tf/allow-shared-ip: "dns"
 spec:
   type: LoadBalancer
   selector:
     app: resolver
+  externalTrafficPolicy: Local
   ports:
     - name: dns-over-tls
       protocol: TCP
       port: 853
       targetPort: 853
 ---
+apiVersion: v1
+kind: Service
+metadata:
+  name: dns-over-http
+  labels:
+    app: resolver
+spec:
+  type: ClusterIP
+  selector:
+    app: resolver
+  ports:
+    - name: dns-over-http
+      protocol: TCP
+      port: 80
+      targetPort: 80
+    - name: metrics
+      protocol: TCP
+      port: 8080
+      targetPort: 80
+---
 apiVersion: policy/v1
 kind: PodDisruptionBudget
 metadata:

apps/k8s01/dns/kustomization.yaml

@@ -6,5 +6,16 @@ resources:
   - certificate.yaml
   - dns.yaml
   - networkpolicy.yaml
+  - servicemonitor.yaml
   - ../../../shared/networkpolicies/allow-from-same-namespace.yaml
+  - ../../../shared/networkpolicies/allow-from-monitoring.yaml
   - ../../../shared/resourcequotas/default.yaml
+patchesStrategicMerge:
+  - networkpolicy-patch.yaml
+configMapGenerator:
+  - name: blocky-grafana-dashboards
+    files:
+      - ./dashboards/blocky.json
+    options:
+      labels:
+        grafana_dashboard: blocky

apps/k8s01/dns/networkpolicy-patch.yaml

+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-from-monitoring
+spec:
+  podSelector:
+    matchExpressions:
+      - key:  app
+        operator: In
+        values:
+          - resolver
\ No newline at end of file

apps/k8s01/dns/networkpolicy.yaml

@@ -16,3 +16,19 @@ spec:
         port: 53
       - protocol: TCP
         port: 53
+---
+apiVersion: networking.k8s.io/v1
+kind: NetworkPolicy
+metadata:
+  name: allow-from-everywhere-to-dot
+spec:
+  podSelector:
+    matchLabels:
+      app: resolver
+  ingress:
+  - from:
+    - ipBlock:
+        cidr: 0.0.0.0/0
+    ports:
+      - protocol: TCP
+        port: 853
\ No newline at end of file

apps/k8s01/dns/servicemonitor.yaml

+---
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: resolver
+  labels:
+    app: resolver
+spec:
+  selector:
+    matchLabels:
+      app: resolver
+  endpoints:
+    - port: metrics
+      path: /metrics

apps/k8s01/gitlab-runner/hetzner-runner.yaml

@@ -14,7 +14,7 @@ spec:
         kind: HelmRepository
         name: gitlab-runner
         namespace: gitlab-runner
-      version: 0.58.1
+      version: 0.59.2
   interval: 5m
   install:
     remediation:

apps/k8s01/immich/immich-values.yaml

@@ -5,15 +5,15 @@ metadata:
     namespace: immich
 type: Opaque
 stringData:
-    values-overrides.yaml: ENC[AES256_GCM,data:SjMqg+q+HIyUa3SX2rzeGXSVFHLEvINcljGyDO74qvDIoObqV4Wx4STgNSO7WPXRBaWzPvbzUv1HlxdApHoOGfDJVYm0znSjHMBTfnHYb7WnBVHjCeeh/O51OtPjd/QrUmn2/w5uMzIrOYX0nZo007wK3ubBuS7YKILV3aLaQlpcl/G2+Ha5T8zzRzeifsRX8+y74kYO329YX6JxzY88m4MisEdeeXn3u9JuUHrGmHvvTgZM4IpaSavDSAPvNOTLkge8oUbDZWfwhNfokJ5oc1ijiliID4aqzqJXYIeqSY3yio09j8BBba8bSqQqgMh3ZJrMu1DZZalp/KzOX7O8v0lyUft3SfMnKERfw8teRyQl7OvFbV0HBpq1ZS7PeMG4gVyGPzUlmE5EE9PAEl0UfFoDOLr+Id3xLIYWobVgw+FO+s2k81wZQab4aDl8wAy1ych3x1kcxaq1R9GFd52P1NM/bE6LYBTWeomQxF5tDI0JOJnwFaYyyuNEOHsCuMKJC/OijjR44bwKksYZpBieYX57tr+7ECVZbpdyUvuPweIVC0Qbu7RLqmw232y5NIBfZ2D6jFAby18BA/JjuelQi9JOX2QRfK9ziQvew7nKuN9Jv/Iq8NBD3oplLYg37j48aIz00uGXoc83QOYBbC4+dpW51I5xqwFCMwiWm+GAjWghibeZKsxSMB7yZtMUF7uG2HKUOhwiYcVgKqikt8uxqCQJ2XywnkHgpYZ8fnt97CV+5YMkGqKvCvOLSMeSFzJQicJBtKt4+hBUiRF7JZxFgDurLccU6bAdgLUaQ6GiCV815ZvyDZbMsBwKzkuhS/ywTHHwIk8LlCsQ34/Onn0pzVZLZVcSQ37FYFVc9gzWwuxm2DbkQUfOBBGCMgBk0ReSAIhX7nOwEUu4GSbGOLGR4bEtisQTHaQjxUqq60mn9VhJssq5OqZsJF137w54MA64O75tsOnFppQCdy848VmYo2OYVaZZn1Fi0/86EX6uskw5OVC9mmOh1XRCKX2g0EHn3TGsErtjzUgrhRu122rd7Ac1z2O6gHEnwDyiIWtJ1OtOF5QPg9QJLkn63b8tvsklzpbVBxbli+z7IRBELwZ+icX9psDRR+3UHzWiHdOh4XwzdbXhqrxZLtgkhoDuWaU6NKEHdNQovRmdkVfo2pz3h/mz4V7+Mz3qQRidqcCJZA9g7akQPwFr2quCrunP4MZMf36kx4gGiNKBIOjTQYThDyZt7d++Zu2Dsbyaym6snv/tzEb9OmzdnaTSfFYDUXDkRA==,iv:kjBTAOECVUy0NU1XFioOMGDdWKnSBggrqiFTy/9NHdw=,tag:DG7nEYzUF/PNZrlVd0wJkA==,type:str]
+    values-overrides.yaml: ENC[AES256_GCM,data:kn/cCZhJlOqFKldv2Ch4S8n9wGsKDjPh7QZPTr4j8NtSbGCRaW6kfjGPQ8Ak2Ld5tL0zDhprEzfAYRuThxeUup68gOVzzKCVoA1e+YAi7k1aiHw30JGIqjntfozqjSC707eERykze7XPcvqbD3Nj8VNQP4eEJtU+XgevUbQeT41vg0yzPv3A/XIlq0sVrnYbLIBcJOjzikPbcUbjPK5oli60TWcn9ObY7TSydzVDY3qTAGPLvN9ugJYZaDLJKSGffLR6HlkVawECQ5Gpjx1ZZKYyetFNqupJc8P2hh/4D/DhrswH093/2Rl7Aa0+h/+O4qTL6ijjT/eZ3yUPDY5+Fp2CbJnd8y1+WBd24MBK7PBjlmk+cpbAiZ9IMLqX9VPTgDOI4CL1iWzgUPI/YdVlxAf1Gl1IP27mEfE6m05CoLoUDrjVIhmRRVzmDOlp1v2QWZ0OVsuFQfYlejHsbT57NSCZps6vlBXQu7mgMrhPRyaqYuxfZjwZUfDL3wOFyIY2riT7mV/Ou2Ai0QAP38Ig4p/7U0KdK/6ts0McJkN/4PkD3HcLXcyLL5XOfhlxUbdd7ZZK+lQEHvaLvYgtMRcJLhOcU2g6RxVb9N+YFlTKyGhuRlC7bcg5x0xMR2O83E+rL8AYc5vvqBthXPLj/iClLR1H/G1x5aokI2nUJqakrfJbH35HGLIvhV1SWu37+dZWdsuxH8xYzymfEVuuabc9zqNba1W0Pf6k0sBaoGHaaPWeUsTQC6x+9ikAPVpSAkKbdLmLPRMDtrx7wNria6/SmHkCBixA43cLqJY3wk2LdlSHrXEapnnBqVZ2pRomamXZ6Rl1Q58PWyppPq3J1FntaJF9Ykys9/ywBeKjU0tunZ511w1iva1a3whjSqsnB5rw760clzOMvvGFExf8z8x+Qo7HQlVPc9WcAm6DyoSHGfBBfZv4PfS5jeJGT+fyG8O/MlioD+Wymdpcz8e7owgD4enRppyjqmTTkCPc72nIwTpL3s2vGPq5XuPHuSMecf27P22u+Lv4NQsCgLgncni59C97RzDY7h4tw3RawqTeLRnSWeCsJUfUo8524dg75pqmoE7VjSRNOeaOy08QX5TV9IP39ap38fkubamdZrnNWasLW+X10AtbL2YVAoJiQURTg5fJg9fc1LMVLkVEE7oYX4PY8RkJP3p6AoSfuh6qC8wWiC0Iw8tmA1Y9lQYxd6PVRET4VOGqp0k6E5VTEoOGnK68WhVZGjAe5CLbdG/K/bDAH9asY+5qheK79FyxipaEBw0=,iv:TANJN/b3Z6ptlqfzoUVXZ363cfs4p2f4/ASeuPUdEE4=,tag:I6fVApDt6i+FiPwPwuwc6Q==,type:str]
 sops:
     kms: []
     gcp_kms: []
     azure_kv: []
     hc_vault: []
     age: []
-    lastmodified: "2023-07-03T16:05:28Z"
-    mac: ENC[AES256_GCM,data:54knCSHXmWL1mNxk0x8geFTrtlwstgIJSDeJlsRKie69TFX7KFWJquooArJVhFtXV32L3+IW9L5np2eU38aWZ6vONJnOGXrlt8P9islFlYSqN3mgc6g2EVQoyQJkIIQ8LdfCO9frSSEey4MJws3mL1jThc3sM5voGr73/gmTnAI=,iv:bA51/qIPzEzTZSMOwIXJIal9Dm2MVkJPleqMpYtgmpM=,tag:Udl6XfbN8cRg7yPquXs7MA==,type:str]
+    lastmodified: "2023-11-25T00:40:08Z"
+    mac: ENC[AES256_GCM,data:BS2KJj6zJu+76J2uhmFUHTgaUaBfHbHa71EkE+K84aCtK7SsmT5xSO1av5ycmhpHn4uorA3zakTT4pG4Qo7Mir553vaG3pSbCj/Q7XWnW7ZwE4gH3KRwmckw5bFt39r1fH8XrPkrIgVBENCm40SlPwuO19iyVHpU7VvD2YoZhOE=,iv:N6gnSm1w95rd2PU/PCTOduxY4GIKNyD3kXl9ABp1puk=,tag:x1Je8gJ+Xjo28RszJ/E7iw==,type:str]
     pgp:
         - created_at: "2022-03-22T22:26:35Z"
           enc: |-

apps/k8s01/jellyfin/deployment.yaml

@@ -36,7 +36,7 @@ spec:
             fieldRef:
               apiVersion: v1
               fieldPath: metadata.namespace
-        image: docker.io/jellyfin/jellyfin:10.8.11
+        image: docker.io/jellyfin/jellyfin:10.8.13
         imagePullPolicy: IfNotPresent
         name: jellyfin
         readinessProbe:

apps/k8s01/mastodon/kustomization.yaml

@@ -10,6 +10,7 @@ resources:
   - ../../../shared/networkpolicies/deny-by-default-egress.yaml
   - ../../../shared/networkpolicies/allow-to-same-namespace.yaml
   - ../../../shared/networkpolicies/allow-to-public-web.yaml
+  - ../../../shared/networkpolicies/allow-to-database.yaml
   - ../../../shared/networkpolicies/allow-to-kubedns.yaml
 patchesStrategicMerge:
   - database-override.yaml

apps/k8s01/nas/kustomization.yaml

@@ -6,3 +6,4 @@ resources:
 - s3.yaml
 - ../../../shared/applications/oauth2-proxy.yaml
 - oauth2.yaml
+- slo.yaml