diff --git a/apps/irc/irc.yaml b/apps/irc/irc.yaml index dbb57b0..e6cf9c3 100644 --- a/apps/irc/irc.yaml +++ b/apps/irc/irc.yaml @@ -1,5 +1,6 @@ # UnrealIRCd + Anope IRC Services # ArgoCD managed - BlueJay Lab +# Credentials: 1Password → OnePasswordItem → K8s Secret → initContainer sed injection --- apiVersion: v1 kind: Namespace @@ -8,6 +9,15 @@ metadata: labels: app.kubernetes.io/part-of: bluejay-infra --- +# 1Password → K8s Secret sync +apiVersion: onepassword.com/v1 +kind: OnePasswordItem +metadata: + name: irc-credentials + namespace: irc +spec: + itemPath: "vaults/IAmWorkin/items/IRC UnrealIRCd" +--- # TLS Certificate for IRC apiVersion: cert-manager.io/v1 kind: Certificate @@ -22,17 +32,17 @@ spec: dnsNames: - irc.iamworkin.lan --- -# UnrealIRCd configuration +# UnrealIRCd configuration template (passwords replaced by placeholders) apiVersion: v1 -kind: Secret +kind: ConfigMap metadata: - name: unrealircd-config + name: unrealircd-config-template namespace: irc -type: Opaque -stringData: +data: unrealircd.conf: | /* BlueJay Lab IRC - UnrealIRCd 6.x config */ /* Managed by ArgoCD */ + /* Credentials injected from 1Password at pod startup */ include "modules.default.conf"; include "help/help.conf"; @@ -101,21 +111,21 @@ stringData: oper bluejay { mask *; - password "BlueJay-IRC-Oper-2026"; + password "__OPER_PASSWORD__"; operclass netadmin-with-override; class opers; } drpass { - restart "BlueJay-IRC-Oper-2026"; - die "BlueJay-IRC-Oper-2026"; + restart "__OPER_PASSWORD__"; + die "__OPER_PASSWORD__"; } link services.iamworkin.lan { incoming { mask *; } - password "BlueJay-Services-Link-2026"; + password "__LINK_PASSWORD__"; class servers; } @@ -126,7 +136,7 @@ stringData: log { source { all; - \!debug; + \\!debug; } destination { channel "#ops"; @@ -169,14 +179,13 @@ stringData: } } --- -# Anope configuration +# Anope configuration template (passwords replaced by placeholders) apiVersion: v1 -kind: Secret +kind: ConfigMap metadata: - name: anope-config + name: anope-config-template namespace: irc -type: Opaque -stringData: +data: services.conf: | define { @@ -188,7 +197,7 @@ stringData: { host = "unrealircd.irc.svc.cluster.local" port = 8067 - password = "BlueJay-Services-Link-2026" + password = "__LINK_PASSWORD__" } serverinfo @@ -386,6 +395,26 @@ spec: app: unrealircd spec: initContainers: + - name: inject-credentials + image: busybox:1.36 + command: ["sh", "-c"] + args: + - | + OPER_PW=$(cat /secrets/password) + LINK_PW=$(cat /secrets/Link-Password) + sed -e "s|__OPER_PASSWORD__|${OPER_PW}|g" \ + -e "s|__LINK_PASSWORD__|${LINK_PW}|g" \ + /config-template/unrealircd.conf > /injected-config/unrealircd.conf + echo "Credentials injected into unrealircd.conf" + volumeMounts: + - name: irc-credentials + mountPath: /secrets + readOnly: true + - name: unrealircd-config-template + mountPath: /config-template + readOnly: true + - name: injected-config + mountPath: /injected-config - name: copy-tls image: busybox:1.36 command: ["sh", "-c"] @@ -416,7 +445,7 @@ spec: - containerPort: 8067 name: services-link volumeMounts: - - name: unrealircd-config + - name: injected-config mountPath: /app/conf/unrealircd.conf subPath: unrealircd.conf - name: unrealircd-data @@ -431,9 +460,14 @@ spec: memory: 256Mi cpu: 250m volumes: - - name: unrealircd-config + - name: irc-credentials secret: - secretName: unrealircd-config + secretName: irc-credentials + - name: unrealircd-config-template + configMap: + name: unrealircd-config-template + - name: injected-config + emptyDir: {} - name: unrealircd-data persistentVolumeClaim: claimName: unrealircd-data @@ -462,6 +496,24 @@ spec: app: anope spec: initContainers: + - name: inject-credentials + image: busybox:1.36 + command: ["sh", "-c"] + args: + - | + LINK_PW=$(cat /secrets/Link-Password) + sed -e "s|__LINK_PASSWORD__|${LINK_PW}|g" \ + /config-template/services.conf > /injected-config/services.conf + echo "Credentials injected into services.conf" + volumeMounts: + - name: irc-credentials + mountPath: /secrets + readOnly: true + - name: anope-config-template + mountPath: /config-template + readOnly: true + - name: injected-config + mountPath: /injected-config - name: fix-perms image: busybox:1.36 command: ["sh", "-c"] @@ -476,7 +528,7 @@ spec: - name: anope image: anope/anope:latest volumeMounts: - - name: anope-config + - name: injected-config mountPath: /anope/conf/services.conf subPath: services.conf - name: anope-data @@ -489,9 +541,14 @@ spec: memory: 128Mi cpu: 100m volumes: - - name: anope-config + - name: irc-credentials secret: - secretName: anope-config + secretName: irc-credentials + - name: anope-config-template + configMap: + name: anope-config-template + - name: injected-config + emptyDir: {} - name: anope-data persistentVolumeClaim: claimName: anope-data diff --git a/apps/mail/mail.yaml b/apps/mail/mail.yaml index 7fde47c..7ca814d 100644 --- a/apps/mail/mail.yaml +++ b/apps/mail/mail.yaml @@ -1,5 +1,6 @@ # docker-mailserver - Postfix + Dovecot + rspamd # ArgoCD managed - BlueJay Lab +# Credentials: 1Password → OnePasswordItem CRD → K8s Secret --- apiVersion: v1 kind: Namespace @@ -8,17 +9,14 @@ metadata: labels: app.kubernetes.io/part-of: bluejay-infra --- -# Mail accounts Secret (postfix-accounts.cf format: user@domain|{SHA512-CRYPT}hash) -apiVersion: v1 -kind: Secret +# 1Password → K8s Secret sync for mail credentials +apiVersion: onepassword.com/v1 +kind: OnePasswordItem metadata: - name: mail-accounts + name: mail-credentials namespace: mail -type: Opaque -stringData: - postfix-accounts.cf: | - admin@iamwork.in|{SHA512-CRYPT}$6$1355214084ba403a$LPA.qkZLpv9RqMu8OenCrgYgyHbMwMIAYOuLrbNX/eeiaOj.8rtj9IlMeLDxSc6FdWK9N/PcNmBzV5fJL7IRn/ - noreply@iamwork.in|{SHA512-CRYPT}$6$1355214084ba403a$LPA.qkZLpv9RqMu8OenCrgYgyHbMwMIAYOuLrbNX/eeiaOj.8rtj9IlMeLDxSc6FdWK9N/PcNmBzV5fJL7IRn/ +spec: + itemPath: "vaults/IAmWorkin/items/Mail Postmaster" --- # Mail data PVC apiVersion: v1 @@ -65,6 +63,25 @@ spec: app: mailserver spec: hostname: mail + initContainers: + - name: inject-accounts + image: busybox:1.36 + command: + - sh + - -c + - | + ADMIN_EMAIL=$(cat /credentials/Admin-Email) + ADMIN_HASH=$(cat /credentials/Admin-Hash) + NOREPLY_EMAIL=$(cat /credentials/Noreply-Email) + NOREPLY_HASH=$(cat /credentials/Noreply-Hash) + echo "${ADMIN_EMAIL}|${ADMIN_HASH}" > /accounts/postfix-accounts.cf + echo "${NOREPLY_EMAIL}|${NOREPLY_HASH}" >> /accounts/postfix-accounts.cf + volumeMounts: + - name: mail-credentials + mountPath: /credentials + readOnly: true + - name: mail-accounts-generated + mountPath: /accounts containers: - name: mailserver image: docker.io/mailserver/docker-mailserver:latest @@ -116,7 +133,7 @@ spec: - name: mail-tls mountPath: /etc/ssl/mail readOnly: true - - name: mail-accounts + - name: mail-accounts-generated mountPath: /tmp/docker-mailserver/postfix-accounts.cf subPath: postfix-accounts.cf readOnly: true @@ -142,9 +159,11 @@ spec: - name: mail-tls secret: secretName: mail-tls - - name: mail-accounts + - name: mail-credentials secret: - secretName: mail-accounts + secretName: mail-credentials + - name: mail-accounts-generated + emptyDir: {} --- # SMTP LoadBalancer Service (external) apiVersion: v1 diff --git a/apps/teamspeak/teamspeak.yaml b/apps/teamspeak/teamspeak.yaml index 7dcdd38..a42317e 100644 --- a/apps/teamspeak/teamspeak.yaml +++ b/apps/teamspeak/teamspeak.yaml @@ -1,108 +1,122 @@ -# TeamSpeak 3 Server -# ArgoCD managed - BlueJay Lab ---- -apiVersion: v1 -kind: Namespace -metadata: - name: teamspeak - labels: - app.kubernetes.io/part-of: bluejay-infra ---- -# TeamSpeak data PVC -apiVersion: v1 -kind: PersistentVolumeClaim -metadata: - name: teamspeak-data - namespace: teamspeak -spec: - accessModes: [ReadWriteOnce] - resources: - requests: - storage: 1Gi ---- -# TeamSpeak 3 Deployment -apiVersion: apps/v1 -kind: Deployment -metadata: - name: teamspeak - namespace: teamspeak - labels: - app: teamspeak -spec: - replicas: 1 - strategy: - type: Recreate - selector: - matchLabels: - app: teamspeak - template: - metadata: - labels: - app: teamspeak - spec: - containers: - - name: teamspeak - image: teamspeak:latest - ports: - - containerPort: 9987 - name: voice - protocol: UDP - - containerPort: 30033 - name: filetransfer - protocol: TCP - - containerPort: 10011 - name: serverquery - protocol: TCP - env: - - name: TS3SERVER_LICENSE - value: accept - volumeMounts: - - name: teamspeak-data - mountPath: /var/ts3server - resources: - requests: - memory: 128Mi - cpu: 50m - limits: - memory: 512Mi - cpu: 500m - readinessProbe: - tcpSocket: - port: 10011 - initialDelaySeconds: 30 - periodSeconds: 10 - livenessProbe: - tcpSocket: - port: 10011 - initialDelaySeconds: 60 - periodSeconds: 15 - volumes: - - name: teamspeak-data - persistentVolumeClaim: - claimName: teamspeak-data ---- -# TeamSpeak LoadBalancer Service -apiVersion: v1 -kind: Service -metadata: - name: teamspeak - namespace: teamspeak - annotations: - metallb.universe.tf/loadBalancerIPs: 10.0.56.205 -spec: - type: LoadBalancer - selector: - app: teamspeak - ports: - - port: 9987 - targetPort: 9987 - name: voice - protocol: UDP - - port: 30033 - targetPort: 30033 - name: filetransfer - protocol: TCP - - port: 10011 - targetPort: 10011 - name: serverquery - protocol: TCP +# TeamSpeak 3 Server +# ArgoCD managed - BlueJay Lab +--- +apiVersion: v1 +kind: Namespace +metadata: + name: teamspeak + labels: + app.kubernetes.io/part-of: bluejay-infra +--- +# 1Password secret sync - TeamSpeak credentials +apiVersion: onepassword.com/v1 +kind: OnePasswordItem +metadata: + name: teamspeak-credentials + namespace: teamspeak +spec: + itemPath: "vaults/IAmWorkin/items/TeamSpeak 3" +--- +# TeamSpeak data PVC +apiVersion: v1 +kind: PersistentVolumeClaim +metadata: + name: teamspeak-data + namespace: teamspeak +spec: + accessModes: [ReadWriteOnce] + resources: + requests: + storage: 1Gi +--- +# TeamSpeak 3 Deployment +apiVersion: apps/v1 +kind: Deployment +metadata: + name: teamspeak + namespace: teamspeak + labels: + app: teamspeak +spec: + replicas: 1 + strategy: + type: Recreate + selector: + matchLabels: + app: teamspeak + template: + metadata: + labels: + app: teamspeak + spec: + containers: + - name: teamspeak + image: teamspeak:latest + ports: + - containerPort: 9987 + name: voice + protocol: UDP + - containerPort: 30033 + name: filetransfer + protocol: TCP + - containerPort: 10011 + name: serverquery + protocol: TCP + env: + - name: TS3SERVER_LICENSE + value: accept + - name: TS3SERVER_SERVERADMIN_PASSWORD + valueFrom: + secretKeyRef: + name: teamspeak-credentials + key: ServerQuery Password + volumeMounts: + - name: teamspeak-data + mountPath: /var/ts3server + resources: + requests: + memory: 128Mi + cpu: 50m + limits: + memory: 512Mi + cpu: 500m + readinessProbe: + tcpSocket: + port: 10011 + initialDelaySeconds: 30 + periodSeconds: 10 + livenessProbe: + tcpSocket: + port: 10011 + initialDelaySeconds: 60 + periodSeconds: 15 + volumes: + - name: teamspeak-data + persistentVolumeClaim: + claimName: teamspeak-data +--- +# TeamSpeak LoadBalancer Service +apiVersion: v1 +kind: Service +metadata: + name: teamspeak + namespace: teamspeak + annotations: + metallb.universe.tf/loadBalancerIPs: 10.0.56.205 +spec: + type: LoadBalancer + selector: + app: teamspeak + ports: + - port: 9987 + targetPort: 9987 + name: voice + protocol: UDP + - port: 30033 + targetPort: 30033 + name: filetransfer + protocol: TCP + - port: 10011 + targetPort: 10011 + name: serverquery + protocol: TCP