dotfiles/terranix/main/kubernetes/default.nix

{
  inputs,
  pkgs,
  lib,
  elib,
  tflib,
  ...
}: let
  inherit
    (tflib)
    tf
    ;

  inherit
    (lib)
    filterAttrs
    optionalAttrs
    ;
in {
  imports = [
    ./website.nix
    ./jellyfin.nix
    ./gitea.nix
    (elib.terraformModule {
      name = "generated";
      source = {...}: {
        imports = [
          (inputs.uk3s-nix.legacyPackages.${pkgs.stdenv.system}.helm2nix2terraform {
            predicate = chart: name: manifest:
              manifest.kind != "CustomResourceDefinition";
            path = ./generated;
            mapper = resource: {
              manifest = inputs.uk3s-nix.lib.sanitizeKubernetesManifest resource.manifest;
            };
          })
        ];

        resource."kubernetes_manifest"."default_ValidatingWebhookConfiguration_istiod-default-validator" = {
          computed_fields = [
            "webhooks[0].failurePolicy"
          ];
        };

        resource."kubernetes_manifest"."default_ValidatingWebhookConfiguration_istio-validator-1-22-0-istio-system" = {
          computed_fields = [
            "webhooks[0].failurePolicy"
          ];
        };

        resource."kubernetes_manifest"."default_DaemonSet_metallb-speaker" = {
          computed_fields = [
            "metadata.annotations[\"deprecated.daemonset.template.generation\"]"
          ];
        };
      };
    })
  ];

  resource."kubernetes_manifest"."istio_authorization_policy_deny_by_default" = {
    for_each = (list: tf "toset(${builtins.toJSON list})") [
      "default"
      "kube-system"
      "kube-public"
      "kube-node-lease"
      "istio-system"
      "metallb-system"
      "website"
      "ingress"
    ];

    manifest = {
      apiVersion = "security.istio.io/v1";
      kind = "AuthorizationPolicy";
      metadata = {
        name = "deny-by-default";
        namespace = tf "each.key";
      };
      spec = {};
    };
  };

  resource."kubernetes_manifest"."istio_peer_authentication" = {
    manifest = {
      apiVersion = "security.istio.io/v1beta1";
      kind = "PeerAuthentication";
      metadata = {
        name = "default";
        namespace = "istio-system";
      };
      spec = {
        mtls = {
          mode = "STRICT";
        };
      };
    };
  };
}
Add kubernetes uterranix infrastructure Signed-off-by: magic_rb <magic_rb@redalder.org> 2024-03-09 16:46:20 +01:00			`{`
			`inputs,`
			`pkgs,`
Redo terranix helm imports Signed-off-by: magic_rb <magic_rb@redalder.org> 2024-04-13 19:38:44 +02:00			`lib,`
			`elib,`
A lot of kubernetes improvements Signed-off-by: magic_rb <magic_rb@redalder.org> 2024-06-08 22:46:20 +02:00			`tflib,`
Add kubernetes uterranix infrastructure Signed-off-by: magic_rb <magic_rb@redalder.org> 2024-03-09 16:46:20 +01:00			`...`
Redo terranix helm imports Signed-off-by: magic_rb <magic_rb@redalder.org> 2024-04-13 19:38:44 +02:00			`}: let`
A lot of kubernetes improvements Signed-off-by: magic_rb <magic_rb@redalder.org> 2024-06-08 22:46:20 +02:00			`inherit`
			`(tflib)`
			`tf`
			`;`

			`inherit`
			`(lib)`
			`filterAttrs`
			`optionalAttrs`
			`;`
Redo terranix helm imports Signed-off-by: magic_rb <magic_rb@redalder.org> 2024-04-13 19:38:44 +02:00			`in {`
			`imports = [`
			`./website.nix`
A lot of kubernetes improvements Signed-off-by: magic_rb <magic_rb@redalder.org> 2024-06-08 22:46:20 +02:00			`./jellyfin.nix`
Move Gitea over to the kubernetes "cluster" Signed-off-by: magic_rb <magic_rb@redalder.org> 2024-07-12 22:04:52 +02:00			`./gitea.nix`
Redo terranix helm imports Signed-off-by: magic_rb <magic_rb@redalder.org> 2024-04-13 19:38:44 +02:00			`(elib.terraformModule {`
			`name = "generated";`
			`source = {...}: {`
			`imports = [`
			`(inputs.uk3s-nix.legacyPackages.${pkgs.stdenv.system}.helm2nix2terraform {`
			`predicate = chart: name: manifest:`
			`manifest.kind != "CustomResourceDefinition";`
			`path = ./generated;`
A lot of kubernetes improvements Signed-off-by: magic_rb <magic_rb@redalder.org> 2024-06-08 22:46:20 +02:00			`mapper = resource: {`
			`manifest = inputs.uk3s-nix.lib.sanitizeKubernetesManifest resource.manifest;`
			`};`
Redo terranix helm imports Signed-off-by: magic_rb <magic_rb@redalder.org> 2024-04-13 19:38:44 +02:00			`})`
			`];`

			`resource."kubernetes_manifest"."default_ValidatingWebhookConfiguration_istiod-default-validator" = {`
			`computed_fields = [`
			`"webhooks[0].failurePolicy"`
			`];`
			`};`
Use plain images for `metallb` Signed-off-by: magic_rb <magic_rb@redalder.org> 2024-07-13 22:26:08 +02:00
			`resource."kubernetes_manifest"."default_ValidatingWebhookConfiguration_istio-validator-1-22-0-istio-system" = {`
			`computed_fields = [`
			`"webhooks[0].failurePolicy"`
			`];`
			`};`

			`resource."kubernetes_manifest"."default_DaemonSet_metallb-speaker" = {`
			`computed_fields = [`
			`"metadata.annotations[\"deprecated.daemonset.template.generation\"]"`
			`];`
			`};`
Move terranix config into `terranix/main` Signed-off-by: magic_rb <magic_rb@redalder.org> 2024-04-07 10:41:12 +02:00			`};`
Redo terranix helm imports Signed-off-by: magic_rb <magic_rb@redalder.org> 2024-04-13 19:38:44 +02:00			`})`
			`];`
A lot of kubernetes improvements Signed-off-by: magic_rb <magic_rb@redalder.org> 2024-06-08 22:46:20 +02:00
			`resource."kubernetes_manifest"."istio_authorization_policy_deny_by_default" = {`
			`for_each = (list: tf "toset(${builtins.toJSON list})") [`
			`"default"`
			`"kube-system"`
			`"kube-public"`
			`"kube-node-lease"`
			`"istio-system"`
			`"metallb-system"`
			`"website"`
			`"ingress"`
			`];`

			`manifest = {`
			`apiVersion = "security.istio.io/v1";`
			`kind = "AuthorizationPolicy";`
			`metadata = {`
			`name = "deny-by-default";`
			`namespace = tf "each.key";`
			`};`
			`spec = {};`
			`};`
			`};`

			`resource."kubernetes_manifest"."istio_peer_authentication" = {`
			`manifest = {`
			`apiVersion = "security.istio.io/v1beta1";`
			`kind = "PeerAuthentication";`
			`metadata = {`
			`name = "default";`
			`namespace = "istio-system";`
			`};`
			`spec = {`
			`mtls = {`
			`mode = "STRICT";`
			`};`
			`};`
			`};`
			`};`
Add kubernetes uterranix infrastructure Signed-off-by: magic_rb <magic_rb@redalder.org> 2024-03-09 16:46:20 +01:00			`}`