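# Terraform module for the Kubernetes cluster: Helm-derived manifests that
# were pre-rendered under ./generated, plus the Istio mesh security baseline
# (deny-by-default authorization and STRICT mTLS).
{ inputs, pkgs, lib, elib, tflib, ... }:
let
  # `tf` turns a string into a raw Terraform expression (as opposed to a string
  # literal) -- used below for `toset(...)` and `each.key`.
  inherit (tflib) tf;
  # `filterAttrs`/`optionalAttrs` used to be inherited from `lib` here but were
  # never referenced; the dead binding has been dropped.
in
{
  imports = [
    ./website.nix
    ./jellyfin.nix
    ./gitea.nix

    # Manifests rendered from the charts under ./generated, converted into
    # `kubernetes_manifest` resources by helm2nix2terraform.
    (elib.terraformModule {
      name = "generated";
      source = { ... }: {
        imports = [
          (inputs.uk3s-nix.legacyPackages.${pkgs.stdenv.system}.helm2nix2terraform {
            # CRDs are skipped here; presumably they are installed through
            # another path, otherwise the CRs below would fail to apply -- TODO confirm.
            predicate = chart: name: manifest: manifest.kind != "CustomResourceDefinition";
            path = ./generated;
            mapper = resource: {
              manifest = inputs.uk3s-nix.lib.sanitizeKubernetesManifest resource.manifest;
            };
          })
        ];

        # Fields that in-cluster controllers rewrite after apply. Declaring them
        # as computed keeps `terraform plan` from reporting perpetual drift
        # (and from trying to revert what the controller set).
        resource."kubernetes_manifest"."default_ValidatingWebhookConfiguration_istiod-default-validator" = {
          computed_fields = [ "webhooks[0].failurePolicy" ];
        };
        resource."kubernetes_manifest"."default_ValidatingWebhookConfiguration_istio-validator-1-22-0-istio-system" = {
          computed_fields = [ "webhooks[0].failurePolicy" ];
        };
        resource."kubernetes_manifest"."default_DaemonSet_metallb-speaker" = {
          computed_fields = [ "metadata.annotations[\"deprecated.daemonset.template.generation\"]" ];
        };
      };
    })
  ];

  # Deny-by-default for the listed namespaces. An Istio AuthorizationPolicy
  # with an empty spec matches every workload in its namespace and carries no
  # rules, so every request is denied unless a separate ALLOW policy admits it.
  # Only the namespaces in this fixed list are covered; a namespace created
  # elsewhere (e.g. by one of the imported modules) gets no such policy unless
  # it is added here.
  resource."kubernetes_manifest"."istio_authorization_policy_deny_by_default" = {
    # JSON-encoding the Nix list yields valid HCL list syntax inside toset().
    for_each = (list: tf "toset(${builtins.toJSON list})") [
      "default"
      "kube-system"
      "kube-public"
      "kube-node-lease"
      "istio-system"
      "metallb-system"
      "website"
      "ingress"
    ];
    manifest = {
      apiVersion = "security.istio.io/v1";
      kind = "AuthorizationPolicy";
      metadata = {
        name = "deny-by-default";
        namespace = tf "each.key";
      };
      spec = { };
    };
  };

  # Mesh-wide mTLS. A PeerAuthentication named "default" in the mesh root
  # namespace applies to every namespace; STRICT makes sidecars reject
  # plaintext connections. This assumes the mesh root namespace is the default
  # istio-system (meshConfig.rootNamespace) -- confirm if it was changed.
  resource."kubernetes_manifest"."istio_peer_authentication" = {
    manifest = {
      apiVersion = "security.istio.io/v1beta1";
      kind = "PeerAuthentication";
      metadata = {
        name = "default";
        namespace = "istio-system";
      };
      spec = {
        mtls = {
          mode = "STRICT";
        };
      };
    };
  };
}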