wip: try nixidy

Jonas Juselius
2024-10-10 16:04:41 +02:00
parent 61379ad665
commit 11b398801d
66 changed files with 55100 additions and 0 deletions
+1
@@ -0,0 +1 @@
use flake
+3
@@ -1,3 +1,6 @@
_manifest.yaml
_resources.yaml
*.tgz
_build/
.direnv/
.pre-commit-config.yaml
+106
@@ -0,0 +1,106 @@
{ lib, config, ... }:
let
cfg = config.services.atlantis;
in
{
options.services.atlantis = {
enable = lib.mkOption {
type = lib.types.bool;
default = true;
description = "Enable";
};
autoSync = lib.mkOption {
type = lib.types.bool;
default = true;
description = "Auto sync";
};
prune = lib.mkOption {
type = lib.types.bool;
default = false;
description = "Prune";
};
};
config = lib.mkIf cfg.enable {
applications.atlantis.resources = {
applicationSets = {
atlantis.spec = {
goTemplate = true;
generators = [
{
list = {
elements = [
{
env = "prod";
namespace = "atlantis";
project = "atlantis";
cluster = "https://kubernetes.default.svc";
hostname = "atlantis.srv.oceanbox.io";
revision = "main";
autoSync = cfg.autoSync;
prune = cfg.prune;
}
{
env = "staging";
namespace = "atlantis";
project = "atlantis";
cluster = "https://staging-vcluster.staging-vcluster";
hostname = "atlantis.beta.oceanbox.io";
revision = "main";
autoSync = cfg.autoSync;
prune = cfg.prune;
}
];
};
}
];
template = {
metadata = {
name = "{{ .env }}-atlantis";
annotations = {
"argocd.argoproj.io/compare-options" = "ServerSideDiff=true";
};
};
spec = {
destination = {
namespace = "{{`{{.namespace}}`}}";
server = "{{ .cluster }}";
};
project = "{{`{{.project}}`}}";
sources = [
{
repoURL = "https://gitlab.com/oceanbox/manifests.git";
targetRevision = "{{`{{.revision}}`}}";
path = "kustomizations/atlantis";
plugin = {
name = "kustomize-helm-with-rewrite";
parameters = [
{
name = "env";
string = "{{ .env }}";
}
{
name = "hostname";
string = "{{ .hostname }}";
}
];
};
}
];
syncPolicy = {
syncOptions = [
"CreateNamespace=true"
"ApplyOutOfSyncOnly=true"
];
automated = lib.mkIf cfg.autoSync {
prune = cfg.prune;
selfHeal = false;
};
};
};
};
};
};
};
};
}
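Review bot: With `goTemplate = true`, the three fields wrapped in a Go raw-string escape (`destination.namespace`, `project` and `targetRevision`) would render to the literal text `{{.namespace}}`, `{{.project}}` and `{{.revision}}` instead of the generator values, unless a second templating pass runs that is not visible here. The escaping looks carried over from a Helm chart, and the neighbouring fields already use the plain form, so these should read `namespace = "{{ .namespace }}";`, `project = "{{ .project }}";` and `targetRevision = "{{ .revision }}";`. Separately, `automated` is decided by `cfg.autoSync` at Nix evaluation time, so the per-element `autoSync` and `prune` keys in the list generator are never read by the template and can be dropped.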
+16
@@ -0,0 +1,16 @@
{ ... }:
{
imports = [
./atlantis.nix
];
config = {
services = {
atlantis = {
enable = true;
autoSync = true;
prune = false;
};
};
};
}
Generated
+635
@@ -0,0 +1,635 @@
{
"nodes": {
"cargo2nix": {
"inputs": {
"flake-compat": "flake-compat_3",
"flake-utils": "flake-utils_5",
"nixpkgs": "nixpkgs_2",
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1699033427,
"narHash": "sha256-OVtd5IPbb4NvHibN+QvMrMxq7aZN5GFoINZSAXKjUdA=",
"owner": "cargo2nix",
"repo": "cargo2nix",
"rev": "c6f33051f412352f293e738cc8da6fd4c457080f",
"type": "github"
},
"original": {
"owner": "cargo2nix",
"ref": "release-0.11.0",
"repo": "cargo2nix",
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_3": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1726560853,
"narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_2": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github"
},
"original": {
"id": "flake-utils",
"type": "indirect"
}
},
"flake-utils_3": {
"inputs": {
"systems": "systems_3"
},
"locked": {
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_4": {
"inputs": {
"systems": "systems_5"
},
"locked": {
"lastModified": 1701680307,
"narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_5": {
"inputs": {
"systems": "systems_7"
},
"locked": {
"lastModified": 1694529238,
"narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
"pre-commit-hooks",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"haumea": {
"inputs": {
"nixpkgs": [
"nixhelm",
"nixpkgs"
]
},
"locked": {
"lastModified": 1685133229,
"narHash": "sha256-FePm/Gi9PBSNwiDFq3N+DWdfxFq0UKsVVTJS3cQPn94=",
"owner": "nix-community",
"repo": "haumea",
"rev": "34dd58385092a23018748b50f9b23de6266dffc2",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "v0.2.2",
"repo": "haumea",
"type": "github"
}
},
"kubenix": {
"inputs": {
"flake-compat": "flake-compat",
"nixpkgs": [
"nixidy",
"nixpkgs"
],
"systems": "systems_6",
"treefmt": "treefmt"
},
"locked": {
"lastModified": 1718110643,
"narHash": "sha256-KrEOCx/bpN++sySOEL5EO5AhYsqRZZk+CXacueUeSl4=",
"owner": "hall",
"repo": "kubenix",
"rev": "a04066c45526c6d8410ba998134f692ff991b4f3",
"type": "github"
},
"original": {
"owner": "hall",
"repo": "kubenix",
"type": "github"
}
},
"nix-github-actions": {
"inputs": {
"nixpkgs": [
"nixhelm",
"poetry2nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1703863825,
"narHash": "sha256-rXwqjtwiGKJheXB43ybM8NwWB8rO2dSRrEqes0S7F5Y=",
"owner": "nix-community",
"repo": "nix-github-actions",
"rev": "5163432afc817cf8bd1f031418d1869e4c9d5547",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nix-github-actions",
"type": "github"
}
},
"nix-kube-generators": {
"locked": {
"lastModified": 1708155396,
"narHash": "sha256-A/BIeJjiRS7sBYP6tFJa/WHDPHe7DGTCkSEKXttYeAQ=",
"owner": "farcaller",
"repo": "nix-kube-generators",
"rev": "14dbd5e5b40615937900f71d9a9851b59b4d9a88",
"type": "github"
},
"original": {
"owner": "farcaller",
"repo": "nix-kube-generators",
"type": "github"
}
},
"nix-kube-generators_2": {
"locked": {
"lastModified": 1708155396,
"narHash": "sha256-A/BIeJjiRS7sBYP6tFJa/WHDPHe7DGTCkSEKXttYeAQ=",
"owner": "farcaller",
"repo": "nix-kube-generators",
"rev": "14dbd5e5b40615937900f71d9a9851b59b4d9a88",
"type": "github"
},
"original": {
"owner": "farcaller",
"repo": "nix-kube-generators",
"type": "github"
}
},
"nixhelm": {
"inputs": {
"flake-utils": "flake-utils_2",
"haumea": "haumea",
"nix-kube-generators": "nix-kube-generators",
"nixpkgs": [
"nixpkgs"
],
"poetry2nix": "poetry2nix"
},
"locked": {
"lastModified": 1728522957,
"narHash": "sha256-5/2Q/aVVCgd/pL94KFnnH5h36se3UqT+oxXPTYnVjtY=",
"owner": "farcaller",
"repo": "nixhelm",
"rev": "6fc421b792250c65aa39d121f3c67a26cc7dd2ea",
"type": "github"
},
"original": {
"owner": "farcaller",
"repo": "nixhelm",
"type": "github"
}
},
"nixidy": {
"inputs": {
"flake-utils": "flake-utils_4",
"kubenix": "kubenix",
"nix-kube-generators": "nix-kube-generators_2",
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1726669031,
"narHash": "sha256-iNh3jgB/vrltSUquE9Q3lbGIRqiyayglnSHtB5KbW+M=",
"owner": "arnarg",
"repo": "nixidy",
"rev": "b8abf95f1d4b1a7f5e70ffba926be571a778c540",
"type": "github"
},
"original": {
"owner": "arnarg",
"repo": "nixidy",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1728492678,
"narHash": "sha256-9UTxR8eukdg+XZeHgxW5hQA9fIKHsKCdOIUycTryeVw=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "5633bcff0c6162b9e4b5f1264264611e950c8ec7",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1720386169,
"narHash": "sha256-NGKVY4PjzwAa4upkGtAMz1npHGoRzWotlSnVlqI40mo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "194846768975b7ad2c4988bdb82572c00222c0d7",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1697382362,
"narHash": "sha256-PvFjWFmSYOF6TjNZ/WjOeqa+sgaWm+83Fz37vEuATHA=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "ad9a253a0d34f313707f9c25fb8c95c65b1c8882",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "release-23.05",
"repo": "nixpkgs",
"type": "github"
}
},
"poetry2nix": {
"inputs": {
"flake-utils": "flake-utils_3",
"nix-github-actions": "nix-github-actions",
"nixpkgs": [
"nixhelm",
"nixpkgs"
],
"systems": "systems_4",
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1718285706,
"narHash": "sha256-DScsBM+kZvxOva7QegfdtleebMXh30XPxDQr/1IGKYo=",
"owner": "nix-community",
"repo": "poetry2nix",
"rev": "a5be1bbbe0af0266147a88e0ec43b18c722f2bb9",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "poetry2nix",
"type": "github"
}
},
"pre-commit-hooks": {
"inputs": {
"flake-compat": "flake-compat_2",
"gitignore": "gitignore",
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1728092656,
"narHash": "sha256-eMeCTJZ5xBeQ0f9Os7K8DThNVSo9gy4umZLDfF5q6OM=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "1211305a5b237771e13fcca0c51e60ad47326a9a",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"root": {
"inputs": {
"flake-utils": "flake-utils",
"nixhelm": "nixhelm",
"nixidy": "nixidy",
"nixpkgs": "nixpkgs",
"pre-commit-hooks": "pre-commit-hooks",
"yaml2nix": "yaml2nix"
}
},
"rust-overlay": {
"inputs": {
"flake-utils": [
"yaml2nix",
"cargo2nix",
"flake-utils"
],
"nixpkgs": [
"yaml2nix",
"cargo2nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1697336027,
"narHash": "sha256-ctmmw7j4liyfSh63v9rdFZeIoNYCkCvgqvtEOB7KhX8=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "e494404d36a41247987eeb1bfc2f1ca903e97764",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_3": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_4": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"id": "systems",
"type": "indirect"
}
},
"systems_5": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_6": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"id": "systems",
"type": "indirect"
}
},
"systems_7": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"treefmt": {
"inputs": {
"nixpkgs": [
"nixidy",
"kubenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1688026376,
"narHash": "sha256-qJmkr9BWDpqblk4E9/rCsAEl39y2n4Ycw6KRopvpUcY=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "df3f32b0cc253dfc7009b7317e8f0e7ccd70b1cf",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
},
"treefmt-nix": {
"inputs": {
"nixpkgs": [
"nixhelm",
"poetry2nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1717850719,
"narHash": "sha256-npYqVg+Wk4oxnWrnVG7416fpfrlRhp/lQ6wQ4DHI8YE=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "4fc1c45a5f50169f9f29f6a98a438fb910b834ed",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
},
"yaml2nix": {
"inputs": {
"cargo2nix": "cargo2nix",
"flake-utils": [
"flake-utils"
],
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1726132715,
"narHash": "sha256-DkHWWpvBco2yodyOk40LjTNcoaJ1bFKf0JY9OwWgy5M=",
"owner": "euank",
"repo": "yaml2nix",
"rev": "3a6df359da40ee49cb9ed597c2400342b76f2083",
"type": "github"
},
"original": {
"owner": "euank",
"repo": "yaml2nix",
"type": "github"
}
}
},
"root": "root",
"version": 7
}
+139
@@ -0,0 +1,139 @@
{
description = "My ArgoCD configuration with nixidy.";
inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
flake-utils.url = "github:numtide/flake-utils";
nixidy = {
url = "github:arnarg/nixidy";
inputs.nixpkgs.follows = "nixpkgs";
};
nixhelm = {
url = "github:farcaller/nixhelm";
inputs.nixpkgs.follows = "nixpkgs";
};
pre-commit-hooks = {
url = "github:cachix/pre-commit-hooks.nix";
inputs.nixpkgs.follows = "nixpkgs";
};
yaml2nix = {
url = "github:euank/yaml2nix";
inputs.nixpkgs.follows = "nixpkgs";
inputs.flake-utils.follows = "flake-utils";
};
};
outputs =
{
self,
nixpkgs,
flake-utils,
nixidy,
nixhelm,
yaml2nix,
pre-commit-hooks,
}:
(flake-utils.lib.eachDefaultSystem (
system:
let
pkgs = import nixpkgs {
inherit system;
};
in
{
nixidyEnvs = {
prod = nixidy.lib.mkEnv {
inherit pkgs;
charts = nixhelm.chartsDerivations.${system};
modules = [
./modules
./apps
./policies/oceanbox/network
# ./policies/oceanbox/kyverno
];
};
};
checks = {
pre-commit-check = pre-commit-hooks.lib.${system}.run {
src = ./.;
hooks = {
nixfmt-rfc-style.enable = false;
deadnix.enable = false;
statix.enable = false;
};
};
};
packages = {
nixidy = nixidy.packages.${system}.default;
generators = {
cilium = nixidy.packages.${system}.generators.fromCRD {
name = "cilium";
src = pkgs.fetchFromGitHub {
owner = "cilium";
repo = "cilium";
rev = "v1.16.0";
hash = "sha256-LJrNGHF52hdKCuVwjvGifqsH+8hxkf/A3LZNpCHeR7E=";
};
crds = [
"pkg/k8s/apis/cilium.io/client/crds/v2/ciliumnetworkpolicies.yaml"
"pkg/k8s/apis/cilium.io/client/crds/v2/ciliumclusterwidenetworkpolicies.yaml"
];
};
kyverno = nixidy.packages.${system}.generators.fromCRD {
name = "kyverno";
src = pkgs.fetchFromGitHub {
owner = "kyverno";
repo = "kyverno";
rev = "v1.12.6";
hash = "sha256-FwVB1okxhWTzWlZljGEEH9KuSsJl9GmwnX7bn4iDx/M=";
};
crds = [
"config/crds/kyverno/kyverno.io_cleanuppolicies.yaml"
"config/crds/kyverno/kyverno.io_clustercleanuppolicies.yaml"
"config/crds/kyverno/kyverno.io_clusterpolicies.yaml"
"config/crds/kyverno/kyverno.io_globalcontextentries.yaml"
"config/crds/kyverno/kyverno.io_policies.yaml"
"config/crds/kyverno/kyverno.io_policyexceptions.yaml"
"config/crds/kyverno/kyverno.io_updaterequests.yaml"
];
};
};
};
apps = {
gen-crd = {
type = "app";
program =
(pkgs.writeShellScript "generate-modules" ''
set -eo pipefail
echo "generate cilium"
cat ${self.packages.${system}.generators.cilium} > modules/cilium-crd.nix
echo "generate kyverno"
cat ${self.packages.${system}.generators.kyverno} > modules/kyverno-crd.nix
'').outPath;
};
};
devShells.default = pkgs.mkShellNoCC {
inherit (self.checks.${system}.pre-commit-check) shellHook;
nativeBuildInputs = with pkgs; [
self.checks.${system}.pre-commit-check.enabledPackages
nixidy.packages.${system}.default
yaml2nix.packages.${system}.default
nixd
nixfmt-rfc-style
just
fzf
];
NIXD_FLAGS = "--inlay-hints";
};
}
));
}
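Review bot: `checks.pre-commit-check` sets `enable = false` on all three hooks (`nixfmt-rfc-style`, `deadnix`, `statix`), so the check and the `shellHook` inherited by `devShells.default` appear to verify nothing. Enabling at least one, e.g. `nixfmt-rfc-style.enable = true;`, would give the repository a baseline gate before generated manifests reach Argo CD. Also, `packages.generators` is a nested attribute set rather than a derivation, which `nix flake check` normally rejects under `packages.<system>`; moving it to `legacyPackages` should keep `.#generators.cilium` resolvable. The `gen-crd` script writes to `modules/...` relative to the caller's working directory, which deserves a comment such as `# must be run from the repository root`.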
+17
@@ -0,0 +1,17 @@
default := "prod"
default:
just --choose
info target=default:
nix run .#nixidy -- info .#{{target}}
build target=default:
nix run .#nixidy -- build .#{{target}}
switch target=default:
nix run .#nixidy -- switch .#{{target}}
generate target=default:
nix build .#generators.cilium
# nix build .#generators.kyverno
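Review bot: The `generate` recipe accepts `target` but never uses it, and `nix build .#generators.cilium` only leaves a `result` symlink without updating `modules/cilium-crd.nix`. The CRD module listed in `resourceImports` elsewhere in this commit can therefore drift from the pinned Cilium release without anyone noticing. The flake already defines a `gen-crd` app that writes both modules, so the recipe could become `generate:` followed by `nix run .#gen-crd`.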
+44
@@ -0,0 +1,44 @@
{ lib, ... }:
{
imports = [ ];
config = {
nixidy = {
target = {
repository = "https://gitlab.com/oveanbox/manifests.git";
branch = "main";
rootPath = "_build";
};
resourceImports = [
./cilium-crd.nix
./kyverno-crd.nix
];
chartsDir = ../charts;
defaults = {
syncPolicy = {
autoSync = {
enabled = true;
prune = false;
selfHeal = false;
};
};
# Many helm chars will render all resources with the
# following labels.
# This produces huge diffs when the charts are updated
# because the values of these labels change each release.
# Here we add a transformer that strips them out after
# templating the helm charts in each application.
helm.transformer = map (
lib.kube.removeLabels [
"app.kubernetes.io/version"
"helm.sh/chart"
]
);
};
};
};
}
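Review bot: `repository = "https://gitlab.com/oveanbox/manifests.git";` spells the GitLab group `oveanbox`, while the Atlantis ApplicationSet in this commit uses `https://gitlab.com/oceanbox/manifests.git`. If nixidy writes this value into the generated Application sources, as the option name suggests, Argo CD would be pointed at a namespace the project may not control. It should read `repository = "https://gitlab.com/oceanbox/manifests.git";`. The comment further down also has `helm chars` for `helm charts`.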
+7
@@ -0,0 +1,7 @@
{ ... }:
{
imports = [
./external-ceph.nix
./microsoftonline.nix
];
}
@@ -0,0 +1,22 @@
{ ... }:
{
applications.netpol-external-ceph = {
resources = {
ciliumClusterwideNetworkPolicies = {
allow-external-ceph-egress.spec = {
egress = [
{
toCIDR = [
"10.255.241.30/32"
"10.255.241.31/32"
"10.255.241.32/32"
"10.255.244.0/24"
];
}
];
endpointSelector = { };
};
};
};
};
}
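Review bot: `endpointSelector = { }` on a clusterwide policy selects every endpoint, and the `toCIDR` rule has no `toPorts`, so every pod in the cluster may reach the Ceph addresses on any port; the same empty selector is used in `allow-microsoftonline` in the next file. Selecting only the workloads that need storage access via `endpointSelector.matchLabels` and adding a `toPorts` entry for the Ceph ports in use would narrow this. In Cilium an egress rule that selects an endpoint normally puts that endpoint into default-deny for egress, so a select-all policy may block other traffic unless further allow rules exist; confirm this is intended. This application also sets no `project`, unlike `netpol-microsoftonline`.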
@@ -0,0 +1,21 @@
{ ... }:
{
applications.netpol-microsoftonline = {
project = "netpol";
resources = {
ciliumClusterwideNetworkPolicies = {
allow-microsoftonline.spec = {
endpointSelector = { };
egress = [
{
toFQDNs = [
{ matchName = "login.microsoftonline.com"; }
{ matchPattern = "*.microsoftonline.com"; }
];
}
];
};
};
};
};
}
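Review bot: `toFQDNs` rules only match once Cilium's DNS proxy has observed the lookups, which typically needs an accompanying egress rule to the cluster DNS service with `rules.dns` on port 53. No such rule is visible in the shown parts of this commit, so the policy may allow nothing as written. `matchName = "login.microsoftonline.com"` is already covered by `matchPattern = "*.microsoftonline.com"`; keeping only the exact name is the tighter choice if login is the sole endpoint needed. A `toPorts` entry limiting the rule to 443/TCP would be worth adding too.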
+11
@@ -0,0 +1,11 @@
{ ... }:
{
applications.xxx = {
resources = {
ciliumClusterwideNetworkPolicies = {
xxx.spec = {
};
};
};
};
}
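Review bot: `applications.xxx` with an empty `xxx.spec` is a placeholder. If this module is ever imported it would emit a CiliumClusterwideNetworkPolicy with neither `endpointSelector` nor `nodeSelector`, which Cilium is expected to reject at admission. Either leave the file out of the commit or mark it with a comment such as `# template: copy and fill in before importing`.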
+7
@@ -0,0 +1,7 @@
disabled = [
# I think enforcing this can often produce
# code that is harder to read.
"manual_inherit_from"
# Does not improve readability
"repeated_keys"
]