

190 Commits

juselius e3b1ef76da fix: fix amqp password 2025-02-04 17:02:42 +01:00
juselius 6663fc2cc5 Merge branch 'nixidy' of gitlab.com:oceanbox/manifests into nixidy 2025-02-04 15:43:37 +01:00
juselius dd7e28c2e2 fix: add bast and oty to sorcerer dev cors 2025-02-04 15:43:24 +01:00
juselius 6976ea8d93 fix: only sync atlantis db secrets if bootstrap is enabled 2025-01-31 13:25:45 +01:00
juselius 8421acaa25 fix: unify atlantis secrets policy 2025-01-31 13:22:27 +01:00
juselius f425a1c551 fix: update prod atlantis 2025-01-30 21:53:54 +01:00
juselius d8a3706305 fix: fix increase prod-atlantis replica count 2025-01-30 21:18:03 +01:00
juselius 1ef512e2eb fix: fix prod-atlantis sorcerer uri to prod 2025-01-30 21:16:40 +01:00
juselius 39e69dff7f fix: fix prod-atlantis db and disable bootstrap 2025-01-30 20:55:39 +01:00
juselius 5d86e81fb0 feat: change preprod to prod! 2025-01-30 20:45:33 +01:00
juselius 265f188f66 fix: fix prod-sorcerer replica count 2025-01-30 20:23:38 +01:00
juselius 2508817f30 fix: fix redis prod env secret 2025-01-30 20:22:10 +01:00
juselius e04dd170ac fix: fix redis prod env secret 2025-01-30 20:19:13 +01:00
juselius 861f288ec0 fix: fix redis secret (static) 2025-01-30 20:14:12 +01:00
juselius 20de965607 fix: fix redis secret 2025-01-30 20:13:16 +01:00
juselius b63d89d9e6 fix: add missing redis 2025-01-30 20:10:37 +01:00
juselius c9ba27539e feat: add new prod-sorcerer 2025-01-30 20:08:09 +01:00
juselius daa4a87597 fix: update atlantis preprod 2025-01-28 10:50:28 +01:00
juselius a96c6c28a9 fix: update atlantis preprod 2025-01-24 16:29:36 +01:00
juselius 45f598fb8b fix: update preprod atlantis 2025-01-23 21:04:20 +01:00
juselius b0cdab1790 feat: remove rabbitmq secret from atlantis chart and put it in kustomizations 2025-01-23 18:09:26 +01:00
juselius 28e2ba87eb fix: fix accidental lowecasing 2025-01-23 18:08:27 +01:00
juselius 89e99bed42 fix: ignore redis secret 2025-01-23 17:03:49 +01:00
juselius d30ec463bb fix: fix redis secret name 2025-01-23 16:59:13 +01:00
juselius 0f8dae5436 fix: update preprod atlantis and sorcerer 2025-01-23 16:43:03 +01:00
juselius 2422db91e2 fix: update atlantis preprod and sorcerer beta 2025-01-21 10:58:57 +01:00
juselius d7117d18b8 feat: flip over to new keycloak instance 2025-01-20 08:58:56 +01:00
juselius befe13225c fix: new atlantis and sorcerer preprod 2025-01-17 15:27:16 +01:00
juselius bc71b78da6 fix: update atlantis preprod 2025-01-14 18:52:26 +01:00
juselius f1385b8d0b fix: update sorcerer beta and atlantis preprod 2025-01-14 15:54:55 +01:00
juselius 87e3219c0c fix: add redis to sorcerer 2025-01-11 21:12:18 +01:00
juselius 74fa77e91c fix: update atlantis preprod 2025-01-11 21:11:44 +01:00
juselius 5940db6833 fix: update staging sorcerer for maps.beta 2025-01-11 16:37:04 +01:00
juselius c02d40564d fix: update staging sorcerer for maps.beta 2025-01-11 16:19:36 +01:00
juselius 934ea43ae9 fix: update staging sorcerer for maps.beta 2025-01-11 16:00:06 +01:00
juselius f0eae55b5e fix: update atlantis fga model 2025-01-11 13:36:22 +01:00
juselius 423b9ce28c fix: temp hack for preprod atlantis db 2025-01-11 09:36:51 +01:00
juselius a93031b11b fix: fix atlantis env secret policy 2025-01-11 09:36:14 +01:00
juselius 4fc69cafe6 fix: fix preprod wankery 2025-01-10 14:04:29 +01:00
juselius 089096f936 fix: fix preprod wankery 2025-01-10 13:50:16 +01:00
juselius e3c174a995 fix: atlantis preprod tweaks 2025-01-10 13:26:56 +01:00
juselius 4830a58ed9 fix: fix pølsefingre 2025-01-10 13:16:04 +01:00
juselius d47ee8f5f1 fix: fix atlantis subscriptions 2025-01-10 13:08:02 +01:00
juselius 211db0669f Merge branch 'nixidy' of gitlab.com:oceanbox/manifests into nixidy 2025-01-10 12:49:01 +01:00
juselius 386c098373 fix: update (pre)prod atlantis manifests 2025-01-10 12:48:34 +01:00
juselius fcde51b19e fix: update atlantis beta 2025-01-09 18:51:44 +01:00
juselius 20a34d6bf0 fix: update salmar client secret 2025-01-09 12:40:15 +01:00
juselius 8d666f5722 fix: update aqua-kompetanse client secret 2025-01-06 11:53:49 +01:00
juselius a0c5699c71 Merge branch 'nixidy' of gitlab.com:oceanbox/manifests into nixidy 2025-01-03 08:50:31 +01:00
juselius ea7b4d7d01 fix: update atlantis beta 2025-01-03 08:50:15 +01:00
juselius b20300e315 fix: fix appsettings with oidc logout endpoint 2025-01-02 20:37:24 +01:00
juselius fa552169bc fix: update openfga secret policy 2025-01-01 12:05:54 +01:00
juselius f2bfd484b4 fix: change openfga db name 2024-12-31 15:30:52 +01:00
juselius e1317584ce feat: add policy to fixup openfga connection uri 2024-12-31 15:17:08 +01:00
juselius ff3407f80c fix: fix image name 2024-12-31 13:49:24 +01:00
juselius d05f619618 fix: update openfga postgres to 17 2024-12-31 13:44:17 +01:00
juselius aaf7fad09a fix: fix (defunct) keycloak frontend url 2024-12-31 13:43:23 +01:00
juselius 4498df8aea fix: fix staging atlantis app and tweak keycloak 2024-12-31 13:34:38 +01:00
juselius 0726aa922b fix: fix keycloak admin ingress secret 2024-12-30 18:47:11 +01:00
juselius b291bba5d1 fix: disable keycloak admin ingress 2024-12-30 18:37:19 +01:00
juselius 2f8e31b829 fix: fix json typo 2024-12-30 15:28:18 +01:00
juselius 45b46e2394 fix: move staging atlantis onto keycloak 2024-12-30 15:19:26 +01:00
juselius f9231e96a0 fix: disable keycloak cli job 2024-12-30 14:14:52 +01:00
juselius fcc0994c38 fix: change ingress to auth.oceanbox.io 2024-12-30 13:47:25 +01:00
juselius f065b69ab7 fix: reduce old keycloak replicas to 1 2024-12-30 13:43:53 +01:00
juselius 2ea3e85c3c fix: fix keycloak and remove import-export sidecar 2024-12-30 13:40:53 +01:00
juselius d176df16dd debug: add import-export sidecar 2024-12-29 21:50:31 +01:00
juselius 43c6077d9a debug: add import-export sidecar 2024-12-29 21:47:15 +01:00
juselius 3d67b97222 debug: add import-export sidecar 2024-12-29 21:44:06 +01:00
juselius 3706f37030 debug: add import-export sidecar 2024-12-29 21:41:07 +01:00
juselius dee898a97d fix: fix(?) admin ingress on prod-keycloak 2024-12-28 14:55:25 +01:00
juselius ce1bbcfda2 fix: tweak ingress for now 2024-12-28 14:46:17 +01:00
juselius 3a17a72924 fix: enable admin ingress on prod-keycloak 2024-12-28 14:34:51 +01:00
juselius b46c2cb456 debug: missing account token 2024-12-28 13:35:06 +01:00
juselius 2531e40a80 debug: missing account token 2024-12-28 10:37:58 +01:00
juselius fdc3de12fd debug: missing account token 2024-12-28 10:25:00 +01:00
juselius ae707279e7 debug: missing account token 2024-12-28 10:20:45 +01:00
juselius 0ce818e2f5 debug: missing account token 2024-12-28 09:44:12 +01:00
juselius 4c7315c5ba fix: add keycloak ingress whitelist for now 2024-12-27 22:43:02 +01:00
juselius 768c54db1a feat: new prod keycloak deploy with cnpg database 2024-12-27 22:15:17 +01:00
juselius 0f62b0b01c fix: update keycloak theme (perhaps) 2024-12-27 18:05:06 +01:00
juselius 13178964cb Merge branch 'nixidy' of gitlab.com:oceanbox/manifests into nixidy 2024-12-27 17:54:59 +01:00
juselius 83241d90f9 fix: update keycloak theme (perhaps) 2024-12-27 17:53:39 +01:00
juselius fc24cee169 fix: disable keycloak admin ingress (again) 2024-12-27 15:02:27 +01:00
juselius 768ccb8fd3 fix: enable keycloak admin ingress (again) 2024-12-27 14:24:19 +01:00
juselius d2b03dd2eb fix: remove redis secret from atlantis chart 2024-12-27 12:26:03 +01:00
juselius 22cab489a5 fix: disable keycloak admin ingress 2024-12-25 09:23:33 +01:00
juselius 5081ef9a13 fix: run keycloak in 2 replicas 2024-12-25 09:10:15 +01:00
juselius 38f80bdf48 fix: add missing ingress to keycloak 2024-12-25 09:02:12 +01:00
juselius 674dfa1ed5 fix: add missing ingress to keycloak 2024-12-25 08:47:13 +01:00
juselius 1f7a82e895 fix: disable redis-stack for now 2024-12-23 08:21:08 +01:00
juselius 1a39118763 fix: use unified external redis for sorcerer and atlantis 2024-12-23 07:31:14 +01:00
juselius 50aabe96b8 fix: migrate from internal to external redis 2024-12-23 07:23:06 +01:00
juselius 261f287e53 fix: secure keycloak master realm 2024-12-21 18:39:57 +01:00
juselius 3b1d5e0ee1 fix: increases prod openfga db replicas to 2 2024-12-21 08:44:40 +01:00
juselius c58e2f675f fix: upgrade dex 2024-12-20 14:42:01 +01:00
juselius d836ff2cef fix: add itp as a test domain for multi-tenant 2024-12-20 14:40:05 +01:00
juselius e68c57ed05 fix: update atlantis and sorcerer 2024-12-20 14:27:57 +01:00
juselius 1c713f324a fix: flip dex over on nixidy branch (for now) 2024-12-20 09:52:38 +01:00
juselius b7631bf882 fix: flip dex over on nixidy branch (for now) 2024-12-20 09:49:57 +01:00
juselius c21945811e fix: flip dex over on nixidy branch (for now) 2024-12-20 09:47:43 +01:00
juselius 426fe34412 fix: flip dex over on nixidy branch (for now) 2024-12-20 09:45:24 +01:00
juselius dd3f44ff52 fix: update dex for upstream multi-tenancy 2024-12-20 09:24:31 +01:00
juselius d299f4a21c Merge branch 'nixidy' of gitlab.com:oceanbox/manifests into nixidy 2024-12-20 09:16:25 +01:00
juselius 000161461f fix: update openfga uri 2024-12-20 09:15:11 +01:00
juselius d69830cc47 fix: fix openfga ingress (use production certs) 2024-12-20 06:21:29 +01:00
juselius 675e3299a1 fix: update openfga 2024-12-19 19:26:27 +01:00
juselius 219bc47465 fix: update openfga 2024-12-19 18:56:06 +01:00
juselius c31bf79671 fix: update openfga 2024-12-19 18:52:23 +01:00
juselius 903fbdbaa8 fix: update openfga values 2024-12-19 17:44:12 +01:00
juselius 83a025cdcf fix: fix yet another typo 2024-12-19 16:39:16 +01:00
juselius bc7c15db24 fix: fix typo 2024-12-19 16:02:44 +01:00
juselius 73555a2d80 fix: update loki, tempo and openfga apps 2024-12-19 16:00:53 +01:00
juselius b19abf333d fix: update verisons and ingress 2024-12-19 15:56:36 +01:00
juselius 5b8732ae04 fix: revert servicemonitor port 2024-12-19 15:52:35 +01:00
juselius 3a49ef6c53 feat: make servicemonitor port configurable 2024-12-19 15:27:16 +01:00
juselius 4d9c401ab8 fix: fix typo 2024-12-19 15:22:07 +01:00
juselius ec0344ffe8 fix: update sorcerer and ingress paths 2024-12-19 15:12:31 +01:00
juselius cc85d8eccf fix: update atlantis and ingress paths 2024-12-19 15:11:54 +01:00
juselius 4131917813 Merge branch 'nixidy' of gitlab.com:oceanbox/manifests into nixidy 2024-12-19 09:55:04 +01:00
juselius 0f3f8b7a38 feat: enable dapr-api-token 2024-12-19 09:54:55 +01:00
juselius 64048984a6 feat: add internal ingress to sorcerer 2024-12-19 09:53:32 +01:00
juselius 8989cdb100 fix: add kyverno policies for dapr api tokens 2024-12-19 09:50:33 +01:00
juselius 95fa446986 fix: update sorcerer 2024-12-14 20:35:01 +01:00
juselius d2e50f1776 fix: use multi-audience tokens 2024-12-14 19:12:27 +01:00
juselius a0d937e40a fix: update staging atlantis and sorcerer 2024-12-14 12:02:20 +01:00
juselius eba8f961f0 fix: update staging atlantis and sorcerer 2024-12-14 11:50:21 +01:00
juselius 8edbe0e078 fix: dapr component scopes for sorcerer 2024-12-14 09:10:15 +01:00
juselius 61403261cd fix: update atlantis 2024-12-14 08:59:30 +01:00
juselius 721049e742 fix: update atlantis 2024-12-13 19:24:05 +01:00
juselius 69cb89aba1 fix: update atlatis and sorcerer staging 2024-12-13 18:48:16 +01:00
juselius b55c36832f fix: fix atlantis ingress 2024-12-12 16:06:44 +01:00
juselius 90e1e35e0a feat: rudimentary fga permissions checking in api 2024-12-12 15:45:17 +01:00
juselius a8c29c6b00 :fix: enable atlantis ingress 2024-12-12 15:24:42 +01:00
juselius 57a9246b35 :fix: update atlantis image 2024-12-12 15:19:14 +01:00
juselius c96fae310d :fix: enable atlantis ingress 2024-12-12 15:18:24 +01:00
juselius 4e5fcda742 :fix: update atlantis secrets 2024-12-12 14:59:13 +01:00
juselius b331dff18e :fix: update atlantis image 2024-12-12 14:56:44 +01:00
juselius d1e9df5b35 fix: update atlantis manifests 2024-12-12 14:53:24 +01:00
juselius 4ece141ce0 fix: update atlantis manifests 2024-12-12 14:47:14 +01:00
juselius 9d9836bffb fix: update atlantis manifests and argo apps 2024-12-12 14:38:26 +01:00
juselius b12146c054 fix: fix sorcerer redis settings 2024-12-12 14:24:14 +01:00
juselius ce94dc0a3b fix: fix sorcerer chart link 2024-12-12 13:41:00 +01:00
juselius db011cfb4d fix: fix fixes 2024-12-12 13:15:25 +01:00
juselius 9b1a687ef5 fix: update sorcerer image 2024-12-12 12:53:32 +01:00
juselius e51c5eb248 fix: update sorcerer image 2024-12-12 12:43:37 +01:00
juselius 1dfdf226d5 fix: update sorcerer image 2024-12-12 12:32:51 +01:00
juselius a04cbeadad fix: update sorcerer image 2024-12-12 12:13:51 +01:00
juselius 3283758478 fix: update sorcerer image 2024-12-12 12:10:33 +01:00
juselius 5296c67194 fix: fix sorcerer volume claims 2024-12-12 12:03:57 +01:00
juselius 9eb9714c7f feat: move from atlantis and sorcerer applicationsets 2024-12-09 12:46:35 +01:00
juselius 70a78699e3 fix: update sorcerer manifests 2024-12-09 12:40:42 +01:00
juselius ca6b80d13f feat: update atlantis chart, values and app for spmsa 2024-12-09 10:49:02 +01:00
juselius 6ba97b006b feat: disable flakes, use normal nix shell 2024-12-04 15:15:31 +01:00
juselius 1feb953dc4 fix: add internal ingress to atlantis 2024-12-04 15:00:35 +01:00
Jonas Juselius a2203fc1d7 fix: add kyverno secret policies for sorcerer 2024-11-25 13:17:49 +01:00
Jonas Juselius c520f042c6 fix: allow atlatnis azure keyvault and blobstore 2024-11-22 13:55:33 +01:00
Jonas Juselius e6788bbc41 Merge branch 'nixidy' of gitlab.com:oceanbox/manifests into nixidy 2024-11-21 09:56:51 +01:00
juselius c75378a0e3 fix: fix atlantis secrets policies 2024-11-20 20:09:22 +01:00
Jonas Juselius e8e652039c Merge remote-tracking branch 'origin/main' into nixidy 2024-11-18 13:24:20 +01:00
juselius 993612f3bd feat: add cpol to sync regcreds 2024-11-18 10:35:37 +01:00
juselius b45432c826 fix: make sorcerer honor env: in values 2024-11-18 10:34:29 +01:00
juselius 414c993fe1 feat: add cpol to sync azure keyvault credentials 2024-11-18 10:33:34 +01:00
juselius 5c044cbbfe fix: disable zipkin ingress on otel collector 2024-11-18 08:34:19 +01:00
Jonas Juselius 243260f479 feat: add redis to sorcerer 2024-11-16 14:23:34 +01:00
juselius 8510a9b8a2 fix: add zipkin path to otel collector 2024-11-16 10:06:05 +01:00
juselius 77ed76758e fix: add port 8085 to local atlantis and sorcerer 2024-11-16 08:13:59 +01:00
Jonas Juselius f8d82f4f46 fix: fix sorcerer local redirect url 2024-11-15 11:49:00 +01:00
Jonas Juselius 50bf3814a5 fix: add all known leroys 2024-11-15 09:36:39 +01:00
Jonas Juselius a8da4c1198 fix: fix otel url typo 2024-11-14 14:37:53 +01:00
juselius 35b5882d3e feat: add dapr configuration store to atlantis staging 2024-11-01 12:35:12 +01:00
juselius 2203b09fb4 fix: add acl.json to new atlantis deployment 2024-10-31 14:33:10 +01:00
juselius 673bb00a9a fix: add Måsøval 2024-10-31 14:25:55 +01:00
juselius 01b9bc4465 fix: add Måsøval 2024-10-31 12:56:22 +01:00
Jonas Juselius ef6282ca17 fix: upgrade keycloak 2024-10-30 12:02:21 +01:00
Jonas Juselius 503128903b feat: update atlantis chart and values for monolith 2024-10-25 19:14:10 +02:00
Jonas Juselius 7ca0a2d397 Merge branch 'nixidy' of gitlab.com:oceanbox/manifests into nixidy 2024-10-15 08:02:36 +02:00
Jonas Juselius 474d04862c fix: enable atlantis service monitor 2024-10-15 08:02:22 +02:00
juselius ea929b7dc4 wip: kustomization experiments 2024-10-15 07:37:43 +02:00
juselius 354bd72248 wip: well, looking better 2024-10-14 18:02:42 +02:00
Jonas Juselius ed26ad8af2 wip: getting there, slowly 2024-10-14 15:47:14 +02:00
juselius 372c11c31e feat: rename kustomizations/ to values/ 2024-10-14 07:59:16 +02:00
juselius 91b56423f2 wip: figuring out how to do multiple envs and stuff 2024-10-14 07:51:07 +02:00
Jonas Juselius 768cb1ddef wip: figuring it out, slowly 2024-10-11 18:56:56 +02:00
juselius a5cf93c758 wip: add openfga app with direct helm render 2024-10-10 20:50:50 +02:00
Jonas Juselius 11b398801d wip: try nixidy 2024-10-10 16:04:41 +02:00
Jonas Juselius 61379ad665 fix: update vcluster adn remove kyverno policies 2024-10-09 14:07:23 +02:00
Jonas Juselius eb2eebaa34 feat: simplify charts, resources, kustomizations and applications for atlantis SPMSA 2024-10-08 16:54:58 +02:00
Jonas Juselius 15dae312ef fix: add hubocean group 2024-10-08 09:39:46 +02:00
Jonas Juselius 7b046c343f fix: add APP_NAME and APP_NAMESPACE to default env 2024-09-28 12:58:51 +02:00
390 changed files with 68914 additions and 1560 deletions
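--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1 @@
+use nix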
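--- a/PATH-NOT-SHOWN-ON-PAGE
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -1,2 +1,6 @@
+*.tgz
+_*/
+.direnv/
+.pre-commit-config.yaml
 _manifest.yaml
 _resources.yaml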
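--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1 +0,0 @@
-kustomizations/petimeter/manifests/acl.json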
-36
@@ -1,36 +0,0 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: atlantis-host-cluster-resources
namespace: argocd
# annotations: # close, but no cigar
# argocd.argoproj.io/compare-options: ServerSideDiff=true,IncludeMutationWebhook=true
spec:
project: aux
destination:
server: https://kubernetes.default.svc
syncPolicy:
automated:
prune: false
selfHeal: false
ignoreDifferences:
- kind: Secret
name: prod-rabbitmq
jqPathExpressions:
- '.data'
- '.metadata.annotations.clone'
- '.metadata.labels'
- kind: Secret
name: prod-redis
jqPathExpressions:
- '.data'
- '.metadata.annotations.clone'
- '.metadata.labels'
sources:
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main
path: resources/atlantis/host-manifests
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main
path: 'resources/atlantis/manifests/prod'
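--- a/PATH-NOT-SHOWN-ON-PAGE
+++ /dev/null
@@ -1,47 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: ApplicationSet
-metadata:
-name: openfga
-namespace: argocd
-spec:
-goTemplate: true
-generators:
-- list:
-elements:
-- cluster: https://kubernetes.default.svc
-env: prod
-hostname: openfga.adm.oceanbox.io
-autoSync: false
-prune: true
-- cluster: https://kubernetes.default.svc
-env: staging
-hostname: openfga.dev.oceanbox.io
-autoSync: true
-prune: true
-template:
-metadata:
-name: '{{ .env }}-openfga'
-spec:
-project: aux
-destination:
-namespace: idp
-server: '{{ .cluster }}'
-sources:
-- repoURL: https://openfga.github.io/helm-charts
-targetRevision: 0.2.12
-chart: openfga
-helm:
-valueFiles:
-- $values/kustomizations/openfga/values.yaml
-- $values/kustomizations/openfga/values-{{ .env }}.yaml
-- repoURL: https://gitlab.com/oceanbox/manifests.git
-targetRevision: main
-ref: values
-templatePatch: |
-{{- if .autoSync }}
-spec:
-syncPolicy:
-automated:
-prune: {{ .prune }}
-selfHeal: false
-{{- end }}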
@@ -13,11 +13,11 @@ spec:
hostname: archmeister.srv.oceanbox.io hostname: archmeister.srv.oceanbox.io
autoSync: false autoSync: false
prune: true prune: true
- cluster: https://staging-vcluster.staging-vcluster # - cluster: https://staging-vcluster.staging-vcluster
env: staging # env: staging
hostname: archmeister.beta.oceanbox.io # hostname: archmeister.beta.oceanbox.io
autoSync: true # autoSync: true
prune: true # prune: true
template: template:
metadata: metadata:
name: "{{ .env }}-archmeister" name: "{{ .env }}-archmeister"
@@ -29,7 +29,7 @@ spec:
sources: sources:
- repoURL: https://gitlab.com/oceanbox/manifests.git - repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main targetRevision: main
path: kustomizations/archmeister path: values/archmeister
plugin: plugin:
name: kustomize-helm-with-rewrite name: kustomize-helm-with-rewrite
parameters: parameters:
+27
@@ -0,0 +1,27 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: atlantis-cluster-resources
namespace: argocd
# annotations: # close, but no cigar
# argocd.argoproj.io/compare-options: ServerSideDiff=true,IncludeMutationWebhook=true
spec:
project: atlantis
destination:
server: https://kubernetes.default.svc
syncPolicy:
automated:
prune: false
selfHeal: false
# ignoreDifferences:
# - kind: Secret
# name: prod-rabbitmq
# jqPathExpressions:
# - '.data'
# - '.metadata.annotations.clone'
# - '.metadata.labels'
sources:
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main
path: resources/atlantis
+51
@@ -0,0 +1,51 @@
{ lib, config, ... }:
let
cfg = config.apps.atlantis;
env = config.apps.env;
values = lib.apps.appValues {
inherit env;
base = ../values/atlantis;
extraValues = {};
};
kustomize = r:
if r.kind == "Deployment" then
lib.attrsets.recursiveUpdate r {
spec.template.spec.containers =
builtins.map (x:
x // {
livenessProbe.httpGet.path = "/healthz";
readinessProble.httpGet.path = "/healthz";
env = x.env ++ [ { name = "INERNAL_PORT"; value = 8000; } ];
}) r.spec.template.spec.containers;
}
else if r.kind == "Service" then
{}
else r;
in
{
options.apps.atlantis = lib.apps.appOptions {
revision = lib.mkOption {
type = lib.types.str;
default = "main";
description = "Revision";
};
hostname = lib.mkOption {
type = lib.types.str;
default = if env == "prod"
then "maps.oceanbox.io"
else "atlantis.beta.oceanbox.io";
description = "Revision";
};
};
config = lib.apps.appConfig cfg "${env}-atlantis" {
helm.releases."${env}-atlantis" = {
inherit values;
chart = ../charts/atlantis;
transformer = rs: builtins.map (x: kustomize x) rs;
};
};
}
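Review bot: In the `Deployment` branch of `kustomize`, `readinessProble.httpGet.path` is misspelled, so the container gets an unknown `readinessProble` key while its real readiness probe path is left as the chart set it; on the next line the env entry is named `INERNAL_PORT` with an integer `value = 8000`, which the API server rejects because `env[].value` must be a string, and `x.env ++` throws if a container has no `env` attribute at all. Change these to `readinessProbe.httpGet.path = "/healthz";` and `env = (x.env or []) ++ [ { name = "INTERNAL_PORT"; value = "8000"; } ];`, after checking the consumer for the intended variable name. The `hostname` option copies `description = "Revision";` from the option above it and should read `description = "Hostname";`. The `Service` branch returns `{}`, which leaves an empty attrset in the rendered resource list; if the intent is to drop the Service, say so in a comment or filter it out instead of emitting an empty manifest.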
@@ -13,11 +13,11 @@ spec:
hostname: atlantis.srv.oceanbox.io hostname: atlantis.srv.oceanbox.io
autoSync: false autoSync: false
prune: true prune: true
- cluster: https://staging-vcluster.staging-vcluster # - cluster: https://staging-vcluster.staging-vcluster
env: staging # env: staging
hostname: atlantis.beta.oceanbox.io # hostname: atlantis.beta.oceanbox.io
autoSync: true # autoSync: true
prune: true # prune: true
template: template:
metadata: metadata:
name: '{{ .env }}-atlantis' name: '{{ .env }}-atlantis'
@@ -29,7 +29,7 @@ spec:
sources: sources:
- repoURL: https://gitlab.com/oceanbox/manifests.git - repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main targetRevision: main
path: kustomizations/atlantis path: values/atlantis
plugin: plugin:
name: kustomize-helm-with-rewrite name: kustomize-helm-with-rewrite
parameters: parameters:
@@ -24,7 +24,7 @@ spec:
source: source:
repoURL: https://gitlab.com/oceanbox/manifests.git repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main targetRevision: main
path: kustomizations/busynix path: values/busynix
plugin: plugin:
name: kustomize-helm-with-rewrite name: kustomize-helm-with-rewrite
parameters: parameters:
@@ -25,8 +25,8 @@ spec:
chart: cerbos chart: cerbos
helm: helm:
valueFiles: valueFiles:
- $values/kustomizations/cerbos/values.yaml - $values/values/cerbos/values.yaml
- $values/kustomizations/cerbos/values-{{ env }}.yaml - $values/values/cerbos/values-{{ env }}.yaml
- repoURL: https://gitlab.com/oceanbox/manifests.git - repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main targetRevision: main
ref: values ref: values
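--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,33 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+name: dapr
+namespace: argocd
+annotations:
+argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+finalizers:
+- resources-finalizer.argocd.argoproj.io
+spec:
+destination:
+namespace: dapr-system
+server: https://kubernetes.default.svc
+project: default
+syncPolicy:
+# managedNamespaceMetadata:
+# labels:
+# component: aux
+syncOptions:
+- CreateNamespace=true
+- ApplyOutOfSyncOnly=true
+automated:
+prune: true
+selfHeal: true
+sources:
+- repoURL: https://dapr.github.io/helm-charts/
+targetRevision: 1.14.4
+chart: dapr
+helm:
+values: |
+global:
+ha:
+enabled: true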
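--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,7 @@
+{ ... }:
+{
+imports = [
+./atlantis.nix
+./openfga.nix
+];
+}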
+2 -2
@@ -10,6 +10,6 @@ spec:
namespace: idp namespace: idp
source: source:
repoURL: https://gitlab.com/oceanbox/manifests.git repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main targetRevision: nixidy
path: kustomizations/dex/manifests path: values/dex/manifests
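Review bot: `targetRevision` for the identity provider's manifests now tracks the feature branch `nixidy` instead of `main`, so whatever is pushed to that branch is what Argo CD renders into the `idp` namespace; the commit list on this page shows the branch receiving frequent `debug:` and `wip:` commits. The commit message calls this temporary, so record that next to the value, e.g. `targetRevision: nixidy  # TEMP: revert to main once nixidy is merged`, and check whether the app's sync policy (outside this hunk) should stay manual while the IdP follows a moving branch. The enclosing `spec.source` block starts before the hunk.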
@@ -24,7 +24,7 @@ spec:
sources: sources:
- repoURL: https://gitlab.com/oceanbox/manifests.git - repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main targetRevision: main
path: kustomizations/geoserver path: values/geoserver
plugin: plugin:
name: kustomize-helm-with-rewrite name: kustomize-helm-with-rewrite
parameters: parameters:
@@ -13,11 +13,11 @@ spec:
hostname: hipster.srv.oceanbox.io hostname: hipster.srv.oceanbox.io
autoSync: false autoSync: false
prune: true prune: true
- cluster: https://staging-vcluster.staging-vcluster # - cluster: https://staging-vcluster.staging-vcluster
env: staging # env: staging
hostname: hipster.beta.oceanbox.io # hostname: hipster.beta.oceanbox.io
autoSync: true # autoSync: true
prune: true # prune: true
template: template:
metadata: metadata:
name: '{{ .env }}-hipster' name: '{{ .env }}-hipster'
@@ -29,7 +29,7 @@ spec:
sources: sources:
- repoURL: https://gitlab.com/oceanbox/manifests.git - repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main targetRevision: main
path: kustomizations/hipster path: values/hipster
plugin: plugin:
name: kustomize-helm-with-rewrite name: kustomize-helm-with-rewrite
parameters: parameters:
@@ -14,9 +14,9 @@ spec:
chart: jaeger-operator chart: jaeger-operator
helm: helm:
valueFiles: valueFiles:
- $values/kustomizations/jaeger/values.yaml - $values/values/jaeger/values.yaml
- repoURL: https://gitlab.com/oceanbox/manifests.git - repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main targetRevision: main
# path: kustomizations/jaeger/manifests # path: values/jaeger/manifests
ref: values ref: values
@@ -10,12 +10,12 @@ spec:
namespace: idp namespace: idp
sources: sources:
- repoURL: https://charts.bitnami.com/bitnami - repoURL: https://charts.bitnami.com/bitnami
targetRevision: 18.3.4 targetRevision: 24.0.2
chart: keycloak chart: keycloak
helm: helm:
valueFiles: valueFiles:
- $values/kustomizations/keycloak/values.yaml - $values/values/keycloak/values.yaml
- repoURL: https://gitlab.com/oceanbox/manifests.git - repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main targetRevision: nixidy
ref: values ref: values
+1 -1
@@ -46,8 +46,8 @@ spec:
s3: s3:
endpoint: http://10.255.241.30:30080 endpoint: http://10.255.241.30:30080
region: tos region: tos
secretAccessKey: ${S3SECRET}
accessKeyId: ${S3KEY} accessKeyId: ${S3KEY}
secretAccessKey: ${S3SECRET}
s3ForcePathStyle: true s3ForcePathStyle: true
http_config: http_config:
insecure_skip_verify: true insecure_skip_verify: true
+39
@@ -0,0 +1,39 @@
{ lib, config, ... }:
let
cfg = config.apps.openfga;
env = config.apps.env;
values = lib.apps.appValues {
inherit env;
base = ../values/openfga;
extraValues = {};
};
kustomize = r:
if r.kind == "Job" then
lib.attrsets.recursiveUpdate r { spec.backoffLimit = 2; }
else r;
in
{
options.apps.openfga = lib.apps.appOptions {};
config = lib.apps.appConfig cfg "${env}-openfga" {
helm.releases."${env}-openfga" = {
inherit values;
chart = lib.helm.downloadHelmChart {
repo = "https://openfga.github.io/helm-charts";
chart = "openfga";
version = "0.2.12";
chartHash = "sha256-7yLcw9/oNPvCePrtTJwKAG88t0Ym5Dl/S83Gz+gQdDU=";
};
transformer = rs: builtins.map (x: kustomize x) rs;
};
annotations = {};
resources = {
services.poop.spec = {
};
};
};
}
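Review bot: `resources.services.poop.spec = { };` near the end of `config` is a placeholder that would render a Service named `poop` with an empty spec, which the API server will most likely reject (a ClusterIP Service needs `ports`) and which by its name was never meant to ship; delete the `resources` block or give the Service a real name and spec. `annotations = {};` on the line above is a no-op and can go with it. The chart is fetched with `lib.helm.downloadHelmChart` and content-pinned by `chartHash`, which is the right supply-chain posture for a Helm source — keep the hash updated whenever `version` changes, and note that the transformer only touches `Job` resources (`spec.backoffLimit = 2`), which a one-line comment above `kustomize` should state.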
@@ -31,6 +31,9 @@ spec:
mode: deployment mode: deployment
image: image:
repository: otel/opentelemetry-collector-k8s repository: otel/opentelemetry-collector-k8s
service:
type: LoadBalancer
loadBalancerIP: 10.255.241.12
config: config:
receivers: receivers:
prometheus/collector: prometheus/collector:
@@ -88,14 +91,14 @@ spec:
# logsCollection: # logsCollection:
# enabled: true # enabled: true
ingress: ingress:
enabled: true enabled: false
annotations: annotations:
cert-manager.io/cluster-issuer: letsencrypt-staging cert-manager.io/cluster-issuer: letsencrypt-production
nginx.ingress.kubernetes.io/ssl-redirect: "true" nginx.ingress.kubernetes.io/ssl-redirect: "true"
atlantis.oceanbox.io/expose: internal atlantis.oceanbox.io/expose: internal
ingressClassName: nginx ingressClassName: nginx
hosts: hosts:
- host: collector.adm.oceanbox.io - host: opentelemetry-collector.adm.oceanbox.io
paths: paths:
- path: / - path: /
pathType: Prefix pathType: Prefix
@@ -103,4 +106,4 @@ spec:
tls: tls:
- secretName: collector-tls - secretName: collector-tls
hosts: hosts:
- collector.adm.oceanbox.io - opentelemetry-collector.adm.oceanbox.io
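Review bot: The collector is now reachable directly through a `service` of `type: LoadBalancer` at `loadBalancerIP: 10.255.241.12` while `ingress.enabled` flips to `false`, so the `atlantis.oceanbox.io/expose: internal` annotation and the nginx `ssl-redirect` no longer govern how it is exposed, and nothing in the hunk puts TLS or authentication in front of the new address. Confirm that a NetworkPolicy or `loadBalancerSourceRanges:` on the same `service` block restricts who can push telemetry to it, and document that in a comment beside `loadBalancerIP`. The `ingress.tls` block at the end of the hunk (the `collector-tls` secret and the renamed host) and the switch to `letsencrypt-production` are dead configuration while ingress is disabled; remove them or mark them `# inactive: ingress.enabled is false` so they are not mistaken for a live exposure.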
@@ -24,7 +24,7 @@ spec:
source: source:
repoURL: https://gitlab.com/oceanbox/manifests.git repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: HEAD targetRevision: HEAD
path: kustomizations/osm-tile-server path: values/osm-tile-server
plugin: plugin:
name: kustomize-helm-with-rewrite name: kustomize-helm-with-rewrite
parameters: parameters:
@@ -13,11 +13,11 @@ spec:
hostname: petimeter.srv.oceanbox.io hostname: petimeter.srv.oceanbox.io
autoSync: false autoSync: false
prune: true prune: true
- cluster: https://staging-vcluster.staging-vcluster # - cluster: https://staging-vcluster.staging-vcluster
env: staging # env: staging
hostname: petimeter.beta.oceanbox.io # hostname: petimeter.beta.oceanbox.io
autoSync: true # autoSync: true
prune: true # prune: true
template: template:
metadata: metadata:
name: '{{ .env }}-petimeter' name: '{{ .env }}-petimeter'
@@ -29,7 +29,7 @@ spec:
sources: sources:
- repoURL: https://gitlab.com/oceanbox/manifests.git - repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main targetRevision: main
path: kustomizations/petimeter path: values/petimeter
plugin: plugin:
name: kustomize-helm-with-rewrite name: kustomize-helm-with-rewrite
parameters: parameters:
@@ -39,7 +39,7 @@ spec:
string: '{{ .hostname }}' string: '{{ .hostname }}'
- repoURL: https://gitlab.com/oceanbox/manifests.git - repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main targetRevision: main
path: kustomizations/petimeter/manifests path: values/petimeter/manifests
templatePatch: | templatePatch: |
{{- if .autoSync }} {{- if .autoSync }}
spec: spec:
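--- /dev/null
+++ b/PATH-NOT-SHOWN-ON-PAGE
@@ -0,0 +1,66 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+name: prod-atlantis
+namespace: argocd
+annotations:
+argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+finalizers:
+- resources-finalizer.argocd.argoproj.io
+spec:
+destination:
+namespace: prod-atlantis
+server: https://kubernetes.default.svc
+project: atlantis
+sources:
+- repoURL: https://gitlab.com/oceanbox/manifests.git
+targetRevision: nixidy
+ref: values
+- repoURL: https://gitlab.com/oceanbox/manifests.git
+targetRevision: nixidy
+path: values/atlantis
+plugin:
+name: kustomize-helm-with-rewrite
+parameters:
+- name: env
+string: prod
+- name: hostname
+string: maps.oceanbox.io
+- repoURL: https://charts.bitnami.com/bitnami
+targetRevision: 20.1.7
+chart: redis
+helm:
+valueFiles:
+- $values/values/atlantis/prod/redis.yaml
+ignoreDifferences:
+- kind: Secret
+name: azure-keyvault
+jqPathExpressions:
+- '.data'
+- '.metadata.labels'
+- '.metadata.annotations'
+- kind: Secret
+name: prod-atlantis-rabbitmq
+jqPathExpressions:
+- '.data'
+- '.metadata.labels'
+- '.metadata.annotations'
+- kind: Secret
+name: prod-archmeister-replication
+jqPathExpressions:
+- '.data'
+- '.metadata.labels'
+- '.metadata.annotations'
+- kind: Secret
+name: prod-archmeister-ca
+jqPathExpressions:
+- '.data'
+- '.metadata.labels'
+- '.metadata.annotations'
+syncPolicy:
+syncOptions:
+- CreateNamespace=true
+- ApplyOutOfSyncOnly=true
+# automated:
+# prune: true
+# selfHeal: false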
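Review bot: The four `ignoreDifferences` entries tell Argo CD to ignore `.data`, labels and annotations on `azure-keyvault`, `prod-atlantis-rabbitmq`, `prod-archmeister-replication` and `prod-archmeister-ca`, so drift in those Secrets — the CA material included — will never be surfaced by this Application; presumably something else owns them (the commit list mentions Kyverno policies that sync secrets), but the manifest does not say so. Add a comment above `ignoreDifferences:`, e.g. `# .data on these Secrets is written by the secret-sync ClusterPolicy; Argo must not reconcile it`. Both git sources pin production to the mutable `nixidy` branch; with `automated:` commented out every sync is manual, which is the safer setting while prod follows a feature branch, so state that intent beside the commented lines instead of leaving `# automated:` unexplained.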
+38
@@ -0,0 +1,38 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: prod-keycloak
namespace: argocd
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: aux
destination:
server: https://kubernetes.default.svc
namespace: keycloak
syncPolicy:
managedNamespaceMetadata:
labels:
component: aux
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
automated:
prune: true
selfHeal: true
sources:
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: nixidy
path: values/keycloak/prod
- repoURL: https://charts.bitnami.com/bitnami
targetRevision: 24.0.2
chart: keycloak
helm:
valueFiles:
- $values/values/keycloak/values-prod.yaml
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: nixidy
ref: values
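Review bot: `automated.prune: true` together with `selfHeal: true` and `targetRevision: nixidy` on both git sources means any push to that feature branch is applied to the production IdP immediately, and anything removed from `values/keycloak/prod` is pruned from the `keycloak` namespace; the commit list on this page shows the branch receiving many `debug:` commits. Until the branch is merged, `prune: false` and a tag rather than a branch for `targetRevision` limit the blast radius. The Bitnami chart at `24.0.2` is fetched from a mutable Helm repository with no content hash, unlike the `chartHash` pin used in the `openfga.nix` module in this compare; if Argo CD cannot pin by hash here, a comment recording the expected chart digest at least makes drift auditable.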
+39
View File
@@ -0,0 +1,39 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: prod-openfga
namespace: argocd
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
destination:
namespace: openfga
server: https://kubernetes.default.svc
project: aux
# ignoreDifferences:
# - group: apps
# kind: StatefulSet
# jsonPointers:
# - /spec/persistentVolumeClaimRetentionPolicy
syncPolicy:
managedNamespaceMetadata:
labels:
component: aux
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
automated:
prune: true
selfHeal: true
sources:
- repoURL: https://openfga.github.io/helm-charts
targetRevision: 0.2.19
chart: openfga
helm:
valueFiles:
- $values/values/openfga/values-prod.yaml
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: nixidy
ref: values
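Review bot: The commented-out `ignoreDifferences` block for the StatefulSet `persistentVolumeClaimRetentionPolicy` is dead configuration carried into a brand-new file, and it reappears verbatim in staging-openfga further down. Either delete it or replace it with a one-line reason it is kept, e.g. `# ignoreDifferences for /spec/persistentVolumeClaimRetentionPolicy not needed with chart 0.2.19; re-add if the StatefulSet stays OutOfSync`, so the next chart bump has context.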
+54
@@ -0,0 +1,54 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: prod-sorcerer
namespace: argocd
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
destination:
namespace: prod-sorcerer
server: https://10.255.241.99:4443
project: atlantis
sources:
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: nixidy
ref: values
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: nixidy
path: values/sorcerer
plugin:
name: kustomize-helm-with-rewrite
parameters:
- name: env
string: prod
- name: hostname
string: sorcerer.data.oceanbox.io
- repoURL: https://charts.bitnami.com/bitnami
targetRevision: 20.1.7
chart: redis
helm:
valueFiles:
- $values/values/sorcerer/prod/redis.yaml
ignoreDifferences:
- kind: Secret
name: azure-keyvault
jqPathExpressions:
- '.data'
- '.metadata.labels'
- '.metadata.annotations'
- kind: Secret
name: prod-atlantis-rabbitmq
jqPathExpressions:
- '.data'
- '.metadata.labels'
- '.metadata.annotations'
syncPolicy:
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
# automated:
# prune: true
# selfHeal: false
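Review bot: prod-sorcerer and staging-sorcerer (below) both deploy to the same API server `https://10.255.241.99:4443` under the same AppProject `atlantis`, differing only in namespace, so prod/staging separation for sorcerer rests entirely on namespace-level RBAC and network policy in that cluster and cannot be enforced through project destination rules. A comment next to `server:`, e.g. `# shared cluster with staging-sorcerer; isolation is per-namespace only`, would make that assumption explicit, and a separate AppProject for prod would let Argo restrict destinations if that is ever wanted. Note also that the ignored Secret is named `prod-atlantis-rabbitmq` in a sorcerer application, which reads as inherited from the atlantis app; worth confirming it is the Secret this namespace actually receives.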
@@ -27,8 +27,8 @@ spec:
chart: rabbitmq chart: rabbitmq
helm: helm:
valueFiles: valueFiles:
- $values/kustomizations/rabbitmq/values-{{ env }}.yaml - $values/values/rabbitmq/values-{{ env }}.yaml
- repoURL: https://gitlab.com/oceanbox/manifests.git - repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main targetRevision: main
path: kustomizations/rabbitmq/{{ env }} path: values/rabbitmq/{{ env }}
ref: values ref: values
+2 -2
@@ -25,13 +25,13 @@ spec:
chart: redis chart: redis
helm: helm:
valueFiles: valueFiles:
- $values/kustomizations/redis/values-{{ env }}.yaml - $values/values/redis/values-{{ env }}.yaml
- repoURL: https://gitlab.com/oceanbox/manifests.git - repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: HEAD targetRevision: HEAD
ref: values ref: values
- repoURL: https://gitlab.com/oceanbox/manifests.git - repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main targetRevision: main
path: kustomizations/redis/{{ env }} path: values/redis/{{ env }}
ignoreDifferences: ignoreDifferences:
- group: apps - group: apps
kind: StatefulSet kind: StatefulSet
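Review bot: The `$values` ref source uses `targetRevision: HEAD` while the `path:` source for the same chart is pinned to `main`, so the values file and the kustomization can come from different revisions if HEAD ever points elsewhere; the rabbitmq sibling above uses `main` for both. Change the ref source to `targetRevision: main` so both halves of the application are taken from the same revision.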
+1 -1
@@ -14,7 +14,7 @@ spec:
chart: seq chart: seq
helm: helm:
valueFiles: valueFiles:
- $values/kustomizations/seq/values.yaml - $values/values/seq/values.yaml
- repoURL: https://gitlab.com/oceanbox/manifests.git - repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main targetRevision: main
ref: values ref: values
@@ -13,11 +13,11 @@ spec:
hostname: sorcerer.data.oceanbox.io hostname: sorcerer.data.oceanbox.io
autoSync: false autoSync: false
prune: true prune: true
- cluster: https://10.255.241.99:4443 # - cluster: https://10.255.241.99:4443
env: staging # env: staging
hostname: sorcerer.ekman.oceanbox.io # hostname: sorcerer.ekman.oceanbox.io
autoSync: true # autoSync: true
prune: true # prune: true
template: template:
metadata: metadata:
name: '{{ .env }}-sorcerer' name: '{{ .env }}-sorcerer'
@@ -29,7 +29,7 @@ spec:
sources: sources:
- repoURL: https://gitlab.com/oceanbox/manifests.git - repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: main targetRevision: main
path: kustomizations/sorcerer path: values/sorcerer
plugin: plugin:
name: kustomize-helm-with-rewrite name: kustomize-helm-with-rewrite
parameters: parameters:
+66
@@ -0,0 +1,66 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: staging-atlantis
namespace: argocd
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
destination:
namespace: staging-atlantis
server: https://kubernetes.default.svc
project: atlantis
sources:
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: nixidy
ref: values
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: nixidy
path: values/atlantis
plugin:
name: kustomize-helm-with-rewrite
parameters:
- name: env
string: staging
- name: hostname
string: atlantis.beta.oceanbox.io
- repoURL: https://charts.bitnami.com/bitnami
targetRevision: 20.1.7
chart: redis
helm:
valueFiles:
- $values/values/atlantis/staging/redis.yaml
ignoreDifferences:
- kind: Secret
name: azure-keyvault
jqPathExpressions:
- '.data'
- '.metadata.labels'
- '.metadata.annotations'
- kind: Secret
name: staging-atlantis-rabbitmq
jqPathExpressions:
- '.data'
- '.metadata.labels'
- '.metadata.annotations'
- kind: Secret
name: prod-archmeister-replication
jqPathExpressions:
- '.data'
- '.metadata.labels'
- '.metadata.annotations'
- kind: Secret
name: prod-archmeister-ca
jqPathExpressions:
- '.data'
- '.metadata.labels'
- '.metadata.annotations'
syncPolicy:
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
automated:
prune: true
selfHeal: false
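Review bot: `ignoreDifferences` for this staging application lists `prod-archmeister-replication` and `prod-archmeister-ca`, i.e. the staging namespace is expected to hold the production database's replication credentials and CA material (matching the chart default `cluster.bootstrap.source.db: prod-archmeister`). That makes anyone who can read Secrets in `staging-atlantis` a path to the prod database. If staging really needs a live replica of prod, say so next to these entries, e.g. `# staging bootstraps from the prod DB; prod replication creds are cloned into this namespace`; otherwise point the bootstrap at a staging source and drop the two prod entries.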
+39
@@ -0,0 +1,39 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: staging-openfga
namespace: argocd
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
destination:
namespace: openfga
server: https://kubernetes.default.svc
project: aux
# ignoreDifferences:
# - group: apps
# kind: StatefulSet
# jsonPointers:
# - /spec/persistentVolumeClaimRetentionPolicy
syncPolicy:
managedNamespaceMetadata:
labels:
component: aux
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
automated:
prune: true
selfHeal: true
sources:
- repoURL: https://openfga.github.io/helm-charts
targetRevision: 0.2.19
chart: openfga
helm:
valueFiles:
- $values/values/openfga/values-staging.yaml
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: nixidy
ref: values
+54
@@ -0,0 +1,54 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: staging-sorcerer
namespace: argocd
annotations:
argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
destination:
namespace: staging-sorcerer
server: https://10.255.241.99:4443
project: atlantis
sources:
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: nixidy
ref: values
- repoURL: https://gitlab.com/oceanbox/manifests.git
targetRevision: nixidy
path: values/sorcerer
plugin:
name: kustomize-helm-with-rewrite
parameters:
- name: env
string: staging
- name: hostname
string: sorcerer.ekman.oceanbox.io
- repoURL: https://charts.bitnami.com/bitnami
targetRevision: 20.1.7
chart: redis
helm:
valueFiles:
- $values/values/sorcerer/staging/redis.yaml
ignoreDifferences:
- kind: Secret
name: azure-keyvault
jqPathExpressions:
- '.data'
- '.metadata.labels'
- '.metadata.annotations'
- kind: Secret
name: prod-atlantis-rabbitmq
jqPathExpressions:
- '.data'
- '.metadata.labels'
- '.metadata.annotations'
syncPolicy:
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
# automated:
# prune: true
# selfHeal: false
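Review bot: The ignored Secret in this staging application is `prod-atlantis-rabbitmq`, while staging-atlantis above ignores `staging-atlantis-rabbitmq`; this looks copied from prod-sorcerer rather than renamed. If staging sorcerer is meant to consume the prod RabbitMQ credentials, that is a cross-environment credential flow worth a comment; if not, the entry should be `name: staging-atlantis-rabbitmq` (or whatever Secret this namespace actually receives) so drift on the real Secret is suppressed and a prod-named Secret is not silently tolerated here.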
+5 -4
@@ -34,11 +34,11 @@ spec:
backend: s3 backend: s3
s3: s3:
bucket: tempo-traces bucket: tempo-traces
endpoint: http://10.255.241.30:30080 endpoint: 10.255.241.30:30080
access_key: ${S3SECRET} access_key: ${S3KEY}
secret_key: ${S3KEY} secret_key: ${S3SECRET}
forcepathstyle: true
insecure: true insecure: true
backend: local
local: local:
path: /var/tempo/traces path: /var/tempo/traces
wal: wal:
@@ -46,6 +46,7 @@ spec:
metricsGenerator: metricsGenerator:
enabled: true enabled: true
remoteWriteUrl: "http://prom-prometheus.prometheus:9090/api/v1/write" remoteWriteUrl: "http://prom-prometheus.prometheus:9090/api/v1/write"
extraArgs: { config.expand-env=true }
extraEnv: extraEnv:
- name: S3KEY - name: S3KEY
valueFrom: valueFrom:
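Review bot: `extraArgs: { config.expand-env=true }` is a YAML flow mapping with the single key `config.expand-env=true` and a null value; if the chart renders `extraArgs` as `--key=value` pairs (the usual pattern), the flag comes out malformed and `${S3KEY}`/`${S3SECRET}` in the storage block are never expanded. The intended form is most likely `extraArgs:` / `  config.expand-env: true`. Separately, `insecure: true` with a bare `host:port` endpoint sends trace data and the signed S3 requests in plaintext to 10.255.241.30; acceptable on a trusted segment, but a comment stating that assumption next to `insecure:` would help.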
+11
@@ -11,6 +11,17 @@ init:
enabled: false enabled: false
image: ubuntu:rolling image: ubuntu:rolling
command: ["/bin/sh", "-c", "true"] command: ["/bin/sh", "-c", "true"]
env:
- name: LOG_LEVEL
value: "3"
- name: APP_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: APP_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
imagePullSecrets: imagePullSecrets:
- name: gitlab-pull-secret - name: gitlab-pull-secret
nameOverride: "" nameOverride: ""
-6
@@ -1,6 +0,0 @@
dependencies:
- name: redis-stack-server
repository: https://redis-stack.github.io/helm-redis-stack/
version: 0.4.14
digest: sha256:ed6bf447567c0d92030bffebc947801c67cb4e9b4dd95680c35a0b5f6b23d71f
generated: "2024-10-04T11:54:47.575418518+02:00"
-6
@@ -4,9 +4,3 @@ description: Atlantis map and simulation service
type: application type: application
version: v2.87.1 version: v2.87.1
appVersion: v2.87.1 appVersion: v2.87.1
dependencies:
- name: redis-stack-server
version: 0.4.14
repository: https://redis-stack.github.io/helm-redis-stack/
condition: redis.enabled
alias: redis
Binary file not shown.
+1
@@ -3,6 +3,7 @@ apiVersion: postgresql.cnpg.io/v1
kind: Cluster kind: Cluster
metadata: metadata:
name: {{ include "Atlantis.fullname" . }}-db name: {{ include "Atlantis.fullname" . }}-db
namespace: {{ .Release.Namespace }}
annotations: annotations:
linkerd.io/inject: disabled linkerd.io/inject: disabled
labels: labels:
@@ -2,6 +2,7 @@ apiVersion: apps/v1
kind: Deployment kind: Deployment
metadata: metadata:
name: {{ include "Atlantis.fullname" . }} name: {{ include "Atlantis.fullname" . }}
namespace: {{ .Release.Namespace }}
labels: labels:
{{- include "Atlantis.labels" . | nindent 4 }} {{- include "Atlantis.labels" . | nindent 4 }}
spec: spec:
+1
@@ -3,6 +3,7 @@ apiVersion: autoscaling/v2beta1
kind: HorizontalPodAutoscaler kind: HorizontalPodAutoscaler
metadata: metadata:
name: {{ include "Atlantis.fullname" . }} name: {{ include "Atlantis.fullname" . }}
namespace: {{ .Release.Namespace }}
labels: labels:
{{- include "Atlantis.labels" . | nindent 4 }} {{- include "Atlantis.labels" . | nindent 4 }}
spec: spec:
+3 -2
@@ -16,6 +16,7 @@ apiVersion: extensions/v1beta1
kind: Ingress kind: Ingress
metadata: metadata:
name: {{ $fullName }} name: {{ $fullName }}
namespace: {{ .Release.Namespace }}
labels: labels:
{{- include "Atlantis.labels" . | nindent 4 }} {{- include "Atlantis.labels" . | nindent 4 }}
{{- with .Values.ingress.annotations }} {{- with .Values.ingress.annotations }}
@@ -53,8 +54,8 @@ spec:
port: port:
number: {{ $svcPort }} number: {{ $svcPort }}
{{- else }} {{- else }}
serviceName: {{ $fullName }} serviceName: {{ .serviceName | default $fullName }}
servicePort: {{ $svcPort }} servicePort: {{ .servicePort | default $svcPort }}
{{- end }} {{- end }}
{{- end }} {{- end }}
{{- end }} {{- end }}
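Review bot: The per-path `serviceName`/`servicePort` override is applied only in the legacy `{{- else }}` branch; the `networking.k8s.io/v1` branch, which begins above this hunk, still emits `name: {{ $fullName }}` and `number: {{ $svcPort }}`, so on any cluster at 1.19 or later the values entry that sends `/events` to `main-ingress-nginx-defaultbackend.ingress-nginx` is ignored and `/events` is routed to the application. Change the two lines in the v1 branch to `name: {{ .serviceName | default $fullName }}` and `number: {{ .servicePort | default $svcPort }}`. Also note that an Ingress backend can only name a Service in the Ingress's own namespace, so the dotted `...defaultbackend.ingress-nginx` name will presumably resolve to nothing (a 503 from nginx) rather than to the default backend in the ingress-nginx namespace; confirm that is the intended effect and document it in the values file.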
@@ -0,0 +1,62 @@
{{- if .Values.ingress.enabled -}}
{{- $fullName := include "Atlantis.fullname" . -}}
{{- $svcPort := .Values.service.port -}}
{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
{{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
{{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
{{- end }}
{{- end }}
{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1
{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1beta1
{{- else -}}
apiVersion: extensions/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ $fullName }}-internal
labels:
{{- include "Atlantis.labels" . | nindent 4 }}
{{- with .Values.ingress.annotations }}
annotations:
atlantis.oceanbox.io/expose: internal
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
ingressClassName: {{ .Values.ingress.className }}
{{- end }}
{{- if .Values.ingress.tls }}
tls:
{{- range .Values.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .internal }}
- path: {{ .path }}
{{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
pathType: {{ .pathType }}
{{- end }}
backend:
{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
service:
name: {{ $fullName }}
port:
number: {{ $svcPort }}
{{- else }}
serviceName: {{ $fullName }}
servicePort: {{ $svcPort }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
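Review bot: The `atlantis.oceanbox.io/expose: internal` annotation, which is the only thing distinguishing this Ingress from the public one (it reuses the same `ingress.hosts`, `ingress.tls` and `ingress.className`), is emitted inside `{{- with .Values.ingress.annotations }}`, so when `ingress.annotations` is unset or empty the internal Ingress renders without the marker and `/internal` is exposed exactly like `/`. The sorcerer copy of this template further down has the same structure. Lift the annotation out of the `with` block, and add `namespace: {{ .Release.Namespace }}` as the other templates in this commit do.

```yaml
metadata:
  name: {{ $fullName }}-internal
  namespace: {{ .Release.Namespace }}
  labels:
    {{- include "Atlantis.labels" . | nindent 4 }}
  annotations:
    atlantis.oceanbox.io/expose: internal
    {{- with .Values.ingress.annotations }}
    {{- toYaml . | nindent 4 }}
    {{- end }}
# … unchanged: spec (ingressClassName, tls, rules) …
```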
+1
@@ -3,6 +3,7 @@ kind: PersistentVolumeClaim
apiVersion: v1 apiVersion: v1
metadata: metadata:
name: {{ template "Atlantis.fullname" . }} name: {{ template "Atlantis.fullname" . }}
namespace: {{ .Release.Namespace }}
{{- with .Values.persistence.annotations }} {{- with .Values.persistence.annotations }}
annotations: annotations:
{{ toYaml . | indent 4 }} {{ toYaml . | indent 4 }}
+4 -20
@@ -1,23 +1,3 @@
apiVersion: v1
kind: Secret
metadata:
annotations:
kyverno/clone: "true"
name: {{ .Release.Name }}-rabbitmq
type: Opaque
data:
---
{{- if not .Values.redis.enabled }}
apiVersion: v1
kind: Secret
metadata:
annotations:
kyverno/clone: "true"
name: {{ .Release.Name }}-redis
type: Opaque
data:
{{- end }}
---
{{- if not .Values.cluster.enabled }} {{- if not .Values.cluster.enabled }}
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
@@ -25,11 +5,13 @@ metadata:
annotations: annotations:
kyverno/clone: "true" kyverno/clone: "true"
name: {{ include "Atlantis.fullname" . }}-db-superuser name: {{ include "Atlantis.fullname" . }}-db-superuser
namespace: {{ .Release.Namespace }}
type: kubernetes.io/basic-auth type: kubernetes.io/basic-auth
data: data:
username: username:
password: password:
{{- else }} {{- else }}
{{- if .Values.cluster.bootstrap.enabled }}
apiVersion: v1 apiVersion: v1
kind: Secret kind: Secret
metadata: metadata:
@@ -48,7 +30,9 @@ metadata:
annotations: annotations:
kyverno/clone: "true" kyverno/clone: "true"
name: {{ .Values.cluster.bootstrap.source.db }}-ca name: {{ .Values.cluster.bootstrap.source.db }}-ca
namespace: {{ .Release.Namespace }}
data: data:
ca.crt: "" ca.crt: ""
ca.key: "" ca.key: ""
{{- end }} {{- end }}
{{- end }}
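Review bot: The cloned `{{ .Values.cluster.bootstrap.source.db }}-ca` stub declares `ca.key` alongside `ca.crt`; a replica that verifies the source with `sslmode: verify-full` needs only the CA certificate (its client identity comes from the separate `-replication` Secret), so copying the CA private key into every bootstrapping namespace, including staging whose default source is `prod-archmeister`, lets anyone who can read that namespace mint certificates the prod database trusts. Confirm whether the cnpg bootstrap path actually consumes `ca.key`; if not, drop it from the stub and from the clone source. A short comment at the top of the file, e.g. `# Empty stubs: data is filled in by the kyverno clone policy; the Applications ignore .data drift on these Secrets`, would also explain why these Secrets are rendered with empty values.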
+1
@@ -2,6 +2,7 @@ apiVersion: v1
kind: Service kind: Service
metadata: metadata:
name: {{ include "Atlantis.fullname" . }} name: {{ include "Atlantis.fullname" . }}
namespace: {{ .Release.Namespace }}
labels: labels:
{{- include "Atlantis.labels" . | nindent 4 }} {{- include "Atlantis.labels" . | nindent 4 }}
spec: spec:
@@ -3,6 +3,7 @@ apiVersion: v1
kind: ServiceAccount kind: ServiceAccount
metadata: metadata:
name: {{ include "Atlantis.serviceAccountName" . }} name: {{ include "Atlantis.serviceAccountName" . }}
namespace: {{ .Release.Namespace }}
labels: labels:
{{- include "Atlantis.labels" . | nindent 4 }} {{- include "Atlantis.labels" . | nindent 4 }}
{{- with .Values.serviceAccount.annotations }} {{- with .Values.serviceAccount.annotations }}
@@ -0,0 +1,20 @@
{{- if .Values.serviceMonitor.enabled }}
apiVersion: monitoring.coreos.com/v1
kind: ServiceMonitor
metadata:
name: {{ include "Atlantis.fullname" . }}
namespace: {{ .Release.Namespace }}
spec:
endpoints:
- honorLabels: false
path: /metrics
port: http
jobLabel: {{ .Values.serviceMonitor.label | default (include "Atlantis.fullname" .) }}
namespaceSelector:
matchNames:
- {{ .Release.Namespace }}
selector:
matchLabels:
app.kubernetes.io/instance: {{ include "Atlantis.fullname" . }}
app.kubernetes.io/name: atlantis
{{- end }}
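Review bot: The selector matches `app.kubernetes.io/instance: {{ include "Atlantis.fullname" . }}`, but Helm's standard labels (and presumably `Atlantis.labels`, which is not visible here) set `instance` to `.Release.Name`; the two differ whenever the fullname is not the release name (the default `<release>-atlantis`, or any override), in which case the ServiceMonitor selects nothing and metrics silently stop. Using `{{ .Release.Name }}` for the instance label, or selecting on the chart's selector-labels helper, avoids the mismatch; confirm against `_helpers.tpl`. The object also carries no `labels:`, so a Prometheus with a non-empty `serviceMonitorSelector` will not pick it up; `labels:` / `  {{- include "Atlantis.labels" . | nindent 4 }}` under `metadata` fixes that.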
+34 -9
@@ -3,21 +3,36 @@
# Declare variables to be passed into your templates. # Declare variables to be passed into your templates.
replicaCount: 1 replicaCount: 1
image: image:
repository: registry.gitlab.com/oceanbox/atlantis repository: registry.gitlab.com/oceanbox/atlantis
tag: v2.87.1 tag: v2.87.1
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
init: init:
enabled: false enabled: false
image: ubuntu:rolling image: ubuntu:rolling
command: ["/bin/sh", "-c", "true"] command: ["/bin/sh", "-c", "true"]
env: env:
- name: LOG_LEVEL - name: LOG_LEVEL
value: "3" value: "3"
- name: APP_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: APP_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
imagePullSecrets: imagePullSecrets:
- name: gitlab-pull-secret - name: gitlab-pull-secret
nameOverride: "" nameOverride: ""
fullnameOverride: "" fullnameOverride: ""
serviceAccount: serviceAccount:
create: true create: true
# Annotations to add to the service account # Annotations to add to the service account
@@ -25,9 +40,12 @@ serviceAccount:
# The name of the service account to use. # The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template # If not set and create is true, a name is generated using the fullname template
name: "" name: ""
podAnnotations: {} podAnnotations: {}
podSecurityContext: podSecurityContext:
fsGroup: 2000 fsGroup: 2000
securityContext: securityContext:
capabilities: capabilities:
drop: drop:
@@ -35,9 +53,11 @@ securityContext:
readOnlyRootFilesystem: false readOnlyRootFilesystem: false
runAsNonRoot: true runAsNonRoot: true
runAsUser: 1000 runAsUser: 1000
service: service:
type: ClusterIP type: ClusterIP
port: 8085 port: 8085
ingress: ingress:
enabled: false enabled: false
className: "nginx" className: "nginx"
@@ -49,15 +69,24 @@ ingress:
paths: paths:
- path: / - path: /
pathType: ImplementationSpecific pathType: ImplementationSpecific
- path: /events
pathType: ImplementationSpecific
serviceName: main-ingress-nginx-defaultbackend.ingress-nginx
servicePort: 80
internal:
- path: /internal
pathType: ImplementationSpecific
tls: tls:
- hosts: - hosts:
- atlantis.srv.oceanbox.io - atlantis.srv.oceanbox.io
secretName: atlantis-tls secretName: atlantis-tls
persistence: persistence:
enabled: false enabled: false
size: 1G size: 1G
storageClass: "" storageClass: ""
accessMode: ReadWriteOnce accessMode: ReadWriteOnce
cluster: cluster:
enabled: true enabled: true
instances: 1 instances: 1
@@ -69,15 +98,7 @@ cluster:
source: source:
db: prod-archmeister db: prod-archmeister
namespace: atlantis namespace: atlantis
redis:
enabled: true
name: redis-stack
redis_stack_server:
image: "redis/redis-stack-server"
tag: "7.4.0-v1"
replicas: 1
storage_class: ceph-rbd
storage: 1Gi
resources: {} resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious # We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little # choice for the user. This also increases chances charts run on environments with little
@@ -96,6 +117,10 @@ autoscaling:
maxReplicas: 100 maxReplicas: 100
targetCPUUtilizationPercentage: 80 targetCPUUtilizationPercentage: 80
# targetMemoryUtilizationPercentage: 80 # targetMemoryUtilizationPercentage: 80
serviceMonitor:
enabled: true
nodeSelector: {} nodeSelector: {}
tolerations: [] tolerations: []
affinity: {} affinity: {}
+11
@@ -11,6 +11,17 @@ init:
enabled: false enabled: false
image: ubuntu:rolling image: ubuntu:rolling
command: ["/bin/sh", "-c", "true"] command: ["/bin/sh", "-c", "true"]
env:
- name: LOG_LEVEL
value: "3"
- name: APP_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: APP_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
imagePullSecrets: imagePullSecrets:
- name: gitlab-pull-secret - name: gitlab-pull-secret
nameOverride: "" nameOverride: ""
+11
@@ -11,6 +11,17 @@ init:
enabled: false enabled: false
image: ubuntu:rolling image: ubuntu:rolling
command: ["/bin/sh", "-c", "true"] command: ["/bin/sh", "-c", "true"]
env:
- name: LOG_LEVEL
value: "3"
- name: APP_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: APP_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
imagePullSecrets: imagePullSecrets:
- name: gitlab-pull-secret - name: gitlab-pull-secret
nameOverride: "" nameOverride: ""
-12
@@ -1,18 +1,6 @@
apiVersion: v2 apiVersion: v2
name: sorcerer name: sorcerer
description: A Helm chart for Kubernetes description: A Helm chart for Kubernetes
# A chart can be either an 'application' or a 'library' chart.
#
# Application charts are a collection of templates that can be packaged into versioned archives
# to be deployed.
#
# Library charts provide useful utilities or functions for the chart developer. They're included as
# a dependency of application charts to inject those utilities and functions into the rendering
# pipeline. Library charts do not define any templates and therefore cannot be deployed.
type: application type: application
# This is the chart version. This version number should be incremented each time you make changes
# to the chart and its templates, including the app version.
version: v4.9.0 version: v4.9.0
# This is the version number of the application being deployed. This version number should be
# incremented each time you make changes to the application.
appVersion: v4.9.0 appVersion: v4.9.0
+1 -2
@@ -38,8 +38,7 @@ spec:
containerPort: {{ .Values.service.port }} containerPort: {{ .Values.service.port }}
protocol: TCP protocol: TCP
env: env:
- name: LOG_LEVEL {{- toYaml .Values.env | nindent 12 }}
value: "3"
livenessProbe: livenessProbe:
httpGet: httpGet:
path: / path: /
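Review bot: `{{- toYaml .Values.env | nindent 12 }}` is unguarded, so a values file without `env` renders `env:` followed by `null`; the API server accepts it, but it is confusing in diffs, and because the hard-coded `LOG_LEVEL` default is now gone from the template every values file must define `env` itself (the `+11` hunks in this commit do). Wrap it as `{{- with .Values.env }}` / `env:` / `{{- toYaml . | nindent 12 }}` / `{{- end }}` so `env` stays optional. The container spec continues outside the hunk.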
@@ -0,0 +1,62 @@
{{- if .Values.ingress.enabled -}}
{{- $fullName := include "Sorcerer.fullname" . -}}
{{- $svcPort := .Values.service.port -}}
{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
{{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
{{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
{{- end }}
{{- end }}
{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1
{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
apiVersion: networking.k8s.io/v1beta1
{{- else -}}
apiVersion: extensions/v1beta1
{{- end }}
kind: Ingress
metadata:
name: {{ $fullName }}-internal
labels:
{{- include "Sorcerer.labels" . | nindent 4 }}
{{- with .Values.ingress.annotations }}
annotations:
atlantis.oceanbox.io/expose: internal
{{- toYaml . | nindent 4 }}
{{- end }}
spec:
{{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
ingressClassName: {{ .Values.ingress.className }}
{{- end }}
{{- if .Values.ingress.tls }}
tls:
{{- range .Values.ingress.tls }}
- hosts:
{{- range .hosts }}
- {{ . | quote }}
{{- end }}
secretName: {{ .secretName }}
{{- end }}
{{- end }}
rules:
{{- range .Values.ingress.hosts }}
- host: {{ .host | quote }}
http:
paths:
{{- range .internal }}
- path: {{ .path }}
{{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
pathType: {{ .pathType }}
{{- end }}
backend:
{{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
service:
name: {{ $fullName }}
port:
number: {{ $svcPort }}
{{- else }}
serviceName: {{ $fullName }}
servicePort: {{ $svcPort }}
{{- end }}
{{- end }}
{{- end }}
{{- end }}
+31
@@ -3,18 +3,36 @@
# Declare variables to be passed into your templates. # Declare variables to be passed into your templates.
replicaCount: 1 replicaCount: 1
image: image:
repository: registry.gitlab.com/oceanbox/sorcerer repository: registry.gitlab.com/oceanbox/sorcerer
tag: v4.9.0 tag: v4.9.0
pullPolicy: IfNotPresent pullPolicy: IfNotPresent
init: init:
enabled: false enabled: false
image: ubuntu:rolling image: ubuntu:rolling
command: ["/bin/sh", "-c", "true"] command: ["/bin/sh", "-c", "true"]
env:
- name: LOG_LEVEL
value: "3"
- name: APP_NAME
valueFrom:
fieldRef:
fieldPath: metadata.name
- name: APP_NAMESPACE
valueFrom:
fieldRef:
fieldPath: metadata.namespace
imagePullSecrets: imagePullSecrets:
- name: gitlab-pull-secret - name: gitlab-pull-secret
nameOverride: "" nameOverride: ""
fullnameOverride: "" fullnameOverride: ""
serviceAccount: serviceAccount:
create: true create: true
# Annotations to add to the service account # Annotations to add to the service account
@@ -22,9 +40,12 @@ serviceAccount:
# The name of the service account to use. # The name of the service account to use.
# If not set and create is true, a name is generated using the fullname template # If not set and create is true, a name is generated using the fullname template
name: "" name: ""
podAnnotations: {} podAnnotations: {}
podSecurityContext: podSecurityContext:
fsGroup: 2000 fsGroup: 2000
securityContext: securityContext:
capabilities: capabilities:
drop: drop:
@@ -32,9 +53,11 @@ securityContext:
readOnlyRootFilesystem: false readOnlyRootFilesystem: false
runAsNonRoot: true runAsNonRoot: true
runAsUser: 1000 runAsUser: 1000
service: service:
type: ClusterIP type: ClusterIP
port: 8085 port: 8085
ingress: ingress:
enabled: true enabled: true
className: "nginx" className: "nginx"
@@ -46,6 +69,9 @@ ingress:
paths: paths:
- path: / - path: /
pathType: ImplementationSpecific pathType: ImplementationSpecific
internal:
- path: /internal
pathType: ImplementationSpecific
tls: tls:
- hosts: - hosts:
- sorcerer.srv.oceanbox.io - sorcerer.srv.oceanbox.io
@@ -62,6 +88,7 @@ cluster:
backupEnabled: true backupEnabled: true
backupRetention: 60d backupRetention: 60d
size: 5Gi size: 5Gi
resources: {} resources: {}
# We usually recommend not to specify default resources and to leave this as a conscious # We usually recommend not to specify default resources and to leave this as a conscious
# choice for the user. This also increases chances charts run on environments with little # choice for the user. This also increases chances charts run on environments with little
@@ -80,6 +107,10 @@ autoscaling:
maxReplicas: 100 maxReplicas: 100
targetCPUUtilizationPercentage: 80 targetCPUUtilizationPercentage: 80
# targetMemoryUtilizationPercentage: 80 # targetMemoryUtilizationPercentage: 80
serviceMonitor:
enabled: true
nodeSelector: {} nodeSelector: {}
tolerations: [] tolerations: []
affinity: {} affinity: {}
@@ -6,9 +6,9 @@ metadata:
spec: spec:
egress: egress:
- toFQDNs: - toFQDNs:
- matchName: api.github.com
- matchName: dapr.github.io - matchName: dapr.github.io
- matchName: gitlab.com
- matchName: analytics.loft.rocks - matchName: analytics.loft.rocks
# - matchName: gitlab.com
# - matchName: api.github.com
endpointSelector: endpointSelector:
matchLabels: {} matchLabels: {}
+2 -2
@@ -24,7 +24,7 @@ spec:
apiVersion: postgresql.cnpg.io/v1 apiVersion: postgresql.cnpg.io/v1
kind: Cluster kind: Cluster
metadata: metadata:
name: staging-archmeister name: {{ $name }}-archmaester
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
annotations: annotations:
linkerd.io/inject: disabled linkerd.io/inject: disabled
@@ -54,7 +54,7 @@ spec:
externalClusters: externalClusters:
- name: prod-archmeister - name: prod-archmeister
connectionParameters: connectionParameters:
host: prod-archmeister-rw.atlantis.svc host: prod-archmeister-rw.atlantis
user: streaming_replica user: streaming_replica
sslmode: verify-full sslmode: verify-full
sslKey: sslKey:
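Review bot: The renamed Cluster is spelled `{{ $name }}-archmaester` while everything else in this commit uses `archmeister` (`prod-archmeister`, the `-replication`/`-ca` Secret names, `cluster.bootstrap.source.db`), so any consumer that derives the name with the older spelling will miss it; the vcluster `mapServices` entry below uses `archmaester` as well, so the spelling needs to be settled in one place. Separately, changing `host:` from `prod-archmeister-rw.atlantis.svc` to `prod-archmeister-rw.atlantis` under `sslmode: verify-full` changes which SAN the server certificate must present; cnpg-issued certificates normally include both forms, but confirm, since a mismatch fails replication at connect time rather than at render time. The `spec` blocks continue outside both hunks.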
@@ -1,49 +0,0 @@
{{- $fullname := include "vCluster.fullname" . -}}
{{- $name := include "vCluster.releaseName" . -}}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
annotations:
kyverno.io/kyverno-version: 1.7.0
policies.kyverno.io/description: Allow egress to vcluster kube-apiserver
policies.kyverno.io/minversion: 1.7.0
policies.kyverno.io/subject: Namespace, NetworkPolicy
policies.kyverno.io/title: Generate NetworkPolicy to Existing Namespaces
name: allow-{{ $name }}-vcluster-apiserver
namespace: {{ .Release.Namespace }}
spec:
background: true
generateExisting: true
rules:
- name: allow-{{ $name }}-vcluster-apiserver
generate:
apiVersion: cilium.io/v2
kind: CiliumNetworkPolicy
name: allow-{{ $name }}-vcluster-apiserver-access
namespace: {{ printf "{{request.object.metadata.name}}" | quote }}
synchronize: true
data:
spec:
description: Allow egress to vcluster kube-apiserver
egress:
- toEndpoints:
- matchLabels:
app: vcluster
toPorts:
- ports:
- port: "443"
protocol: TCP
endpointSelector: {}
match:
any:
- resources:
kinds:
- Namespace
names:
- {{ $fullname }}
- resources:
kinds:
- Namespace
selector:
matchLabels:
vcluster.loft.sh/vcluster-name: {{ $fullname }}
@@ -1,66 +0,0 @@
{{- $name := include "vCluster.releaseName" . -}}
apiVersion: kyverno.io/v1
kind: ClusterPolicy
metadata:
name: "sync-{{ $name }}-vcluster-secrets"
spec:
background: true
generateExisting: true
rules:
- name: sync-rabbitmq-secrets
generate:
apiVersion: v1
kind: Secret
name: staging-rabbitmq
namespace: {{ printf "{{request.object.metadata.name}}" | quote }}
synchronize: false
clone:
namespace: rabbitmq
name: staging-rabbitmq
match:
resources:
kinds:
- Namespace
names:
- "vcluster-009dba7e-*"
selector:
matchLabels:
vcluster.loft.sh/vcluster-namespace: '{{ .Release.Namespace }}'
- name: sync-redis-secrets
generate:
apiVersion: v1
kind: Secret
name: staging-redis
namespace: {{ printf "{{request.object.metadata.name}}" | quote }}
synchronize: false
clone:
namespace: redis
name: staging-redis
match:
resources:
kinds:
- Namespace
names:
- "vcluster-009dba7e-*"
selector:
matchLabels:
vcluster.loft.sh/vcluster-namespace: '{{ .Release.Namespace }}'
- name: sync-archmeister-app-secret
generate:
apiVersion: v1
kind: Secret
name: staging-archmeister-app
namespace: {{ printf "{{request.object.metadata.name}}" | quote }}
synchronize: false
clone:
namespace: '{{ .Release.Namespace }}'
name: staging-archmeister-superuser
match:
resources:
kinds:
- Namespace
names:
- "vcluster-009dba7e-*"
selector:
matchLabels:
vcluster.loft.sh/vcluster-namespace: '{{ .Release.Namespace }}'
+5 -17
@@ -16,7 +16,7 @@ spec:
namespace: {{ .Release.Namespace }} namespace: {{ .Release.Namespace }}
source: source:
repoURL: https://charts.loft.sh repoURL: https://charts.loft.sh
targetRevision: 0.19.5 targetRevision: 0.20.1
chart: vcluster chart: vcluster
helm: helm:
values: |- values: |-
@@ -63,12 +63,10 @@ spec:
mapServices: mapServices:
fromHost: fromHost:
- from: "redis/{{ .Values.environment }}-redis-master"
to: "redis/{{ .Values.environment }}-redis-master"
- from: "rabbitmq/{{ .Values.environment }}-rabbitmq" - from: "rabbitmq/{{ .Values.environment }}-rabbitmq"
to: "rabbitmq/{{ .Values.environment }}-rabbitmq" to: "rabbitmq/{{ .Values.environment }}-rabbitmq"
- from: "{{ .Release.Namespace }}/staging-archmeister-rw" - from: "{{ .Release.Namespace }}/{{ $name }}-archmaester-rw"
to: "atlantis/staging-archmeister-rw" to: "atlantis/{{ $name }}-archmaester-rw"
- from: "idp/{{ .Values.environment }}-openfga" - from: "idp/{{ .Values.environment }}-openfga"
to: "idp/{{ .Values.environment }}-openfga" to: "idp/{{ .Values.environment }}-openfga"
- from: "otel/opentelemetry-collector" - from: "otel/opentelemetry-collector"
@@ -99,21 +97,11 @@ spec:
config: |- config: |-
version: v1beta1 version: v1beta1
import: import:
- kind: Cluster
apiVersion: postgresql.cnpg.io/v1
- kind: Secret - kind: Secret
apiVersion: v1 apiVersion: v1
# - kind: Component
# apiVersion: dapr.io/v1alpha1
# - kind: Configuration
# apiVersion: dapr.io/v1alpha1
# - kind: Subscription
# apiVersion: dapr.io/v1alpha1
# - kind: CiliumNetworkPolicy
# apiVersion: cilium.io/v2
export: export:
- kind: CiliumNetworkPolicy - kind: Cluster
apiVersion: cilium.io/v2 apiVersion: postgresql.cnpg.io/v1
init: init:
manifests: |- manifests: |-
--- ---
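Review bot: The new `import:` list in the generic-sync config syncs every `Secret` in the host namespace into the vcluster with no name or label restriction, so anything that lands in `{{ .Release.Namespace }}` — if, as the Kyverno policy above suggests, that includes the `*-archmeister-superuser` credentials — becomes readable to tenant workloads; if the importer supports a selector, restrict it, otherwise keep that namespace limited to the secrets tenants actually need. Dropping `CiliumNetworkPolicy` from `export:` means policies authored inside the vcluster no longer reach the host where Cilium enforces them, so unless policy is now applied host-side the tenants lose that segmentation; a comment such as `# network policy is enforced from the host side; vcluster CNPs are not exported` would make the intent explicit. The renamed mapping `{{ $name }}-archmaester-rw` is spelled differently from the `*-archmeister-*` secrets elsewhere on this page; if the CNPG cluster kept the old spelling this maps to a service that does not exist. The Application spec this hunk belongs to starts before the hunk, and `$name` is defined outside it.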
+33
@@ -0,0 +1,33 @@
let
sources = import ./nix;
system = builtins.currentSystem;
pkgs = import sources.nixpkgs {
inherit system;
config = { };
overlays = [ ];
};
nixpkgs = sources.nixpkgs;
nixhelm = sources.nixhelm;
nixidy = import sources.nixidy { inherit nixpkgs; };
kube = pkgs.callPackage "${sources.nix-kube-gen}/lib/default.nix" { inherit pkgs; };
in
nixidy.lib.mkEnvs {
libOverlay = self: super: {
apps = import ./modules/lib.nix { inherit pkgs kube; };
};
modules = [
(
{ lib, ... }:
{
nixidy.charts = lib.helm.mkChartAttrs "${nixhelm}/charts";
}
)
./modules
./apps
./policies
];
envs = {
prod.modules = [ ./envs/prod.nix ];
staging.modules = [ ./envs/staging.nix ];
};
}
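Review bot: This non-flake entry point pins its inputs through `import ./nix` (presumably niv-style `sources.json`), while `flake.nix` on this page pins the same inputs (nixpkgs, nixidy, nixhelm, nix-kube-generators) through `flake.lock`, so the two pin sets can drift silently and `nix-build` and `nix build` may evaluate different nixidy or nixpkgs revisions. Either generate `./nix/sources.json` from the lock or add a header comment stating which entry point is authoritative, e.g. `# Non-flake entry point; keep ./nix/sources.json in step with flake.lock (see flake.nix).` `builtins.currentSystem` also makes this file unusable under `--pure-eval`, which is worth noting in the same comment.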
+13
@@ -0,0 +1,13 @@
_:
{
config = {
apps = {
env = "prod";
autoSync = false;
prune = false;
atlantis.enable = true;
openfga.enable = true;
};
};
}
+17
@@ -0,0 +1,17 @@
_:
{
config = {
apps = {
env = "staging";
autoSync = true;
prune = true;
atlantis = {
enable = true;
autoSync = true;
prune = false;
};
openfga.enable = true;
};
};
}
Generated
+666
@@ -0,0 +1,666 @@
{
"nodes": {
"cargo2nix": {
"inputs": {
"flake-compat": "flake-compat_3",
"flake-utils": "flake-utils_5",
"nixpkgs": "nixpkgs_3",
"rust-overlay": "rust-overlay"
},
"locked": {
"lastModified": 1699033427,
"narHash": "sha256-OVtd5IPbb4NvHibN+QvMrMxq7aZN5GFoINZSAXKjUdA=",
"owner": "cargo2nix",
"repo": "cargo2nix",
"rev": "c6f33051f412352f293e738cc8da6fd4c457080f",
"type": "github"
},
"original": {
"owner": "cargo2nix",
"ref": "release-0.11.0",
"repo": "cargo2nix",
"type": "github"
}
},
"flake-compat": {
"flake": false,
"locked": {
"lastModified": 1673956053,
"narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_2": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-compat_3": {
"flake": false,
"locked": {
"lastModified": 1696426674,
"narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
"owner": "edolstra",
"repo": "flake-compat",
"rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
"type": "github"
},
"original": {
"owner": "edolstra",
"repo": "flake-compat",
"type": "github"
}
},
"flake-utils": {
"inputs": {
"systems": "systems"
},
"locked": {
"lastModified": 1726560853,
"narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_2": {
"inputs": {
"systems": "systems_2"
},
"locked": {
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github"
},
"original": {
"id": "flake-utils",
"type": "indirect"
}
},
"flake-utils_3": {
"inputs": {
"systems": "systems_3"
},
"locked": {
"lastModified": 1710146030,
"narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_4": {
"inputs": {
"systems": "systems_5"
},
"locked": {
"lastModified": 1701680307,
"narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"flake-utils_5": {
"inputs": {
"systems": "systems_7"
},
"locked": {
"lastModified": 1694529238,
"narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
"owner": "numtide",
"repo": "flake-utils",
"rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "flake-utils",
"type": "github"
}
},
"gitignore": {
"inputs": {
"nixpkgs": [
"pre-commit-hooks",
"nixpkgs"
]
},
"locked": {
"lastModified": 1709087332,
"narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
"owner": "hercules-ci",
"repo": "gitignore.nix",
"rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
"type": "github"
},
"original": {
"owner": "hercules-ci",
"repo": "gitignore.nix",
"type": "github"
}
},
"haumea": {
"inputs": {
"nixpkgs": [
"nixhelm",
"nixpkgs"
]
},
"locked": {
"lastModified": 1685133229,
"narHash": "sha256-FePm/Gi9PBSNwiDFq3N+DWdfxFq0UKsVVTJS3cQPn94=",
"owner": "nix-community",
"repo": "haumea",
"rev": "34dd58385092a23018748b50f9b23de6266dffc2",
"type": "github"
},
"original": {
"owner": "nix-community",
"ref": "v0.2.2",
"repo": "haumea",
"type": "github"
}
},
"kubenix": {
"inputs": {
"flake-compat": "flake-compat",
"nixpkgs": [
"nixidy",
"nixpkgs"
],
"systems": "systems_6",
"treefmt": "treefmt"
},
"locked": {
"lastModified": 1718110643,
"narHash": "sha256-KrEOCx/bpN++sySOEL5EO5AhYsqRZZk+CXacueUeSl4=",
"owner": "hall",
"repo": "kubenix",
"rev": "a04066c45526c6d8410ba998134f692ff991b4f3",
"type": "github"
},
"original": {
"owner": "hall",
"repo": "kubenix",
"type": "github"
}
},
"nix-github-actions": {
"inputs": {
"nixpkgs": [
"nixhelm",
"poetry2nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1703863825,
"narHash": "sha256-rXwqjtwiGKJheXB43ybM8NwWB8rO2dSRrEqes0S7F5Y=",
"owner": "nix-community",
"repo": "nix-github-actions",
"rev": "5163432afc817cf8bd1f031418d1869e4c9d5547",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "nix-github-actions",
"type": "github"
}
},
"nix-kube-generators": {
"locked": {
"lastModified": 1708155396,
"narHash": "sha256-A/BIeJjiRS7sBYP6tFJa/WHDPHe7DGTCkSEKXttYeAQ=",
"owner": "farcaller",
"repo": "nix-kube-generators",
"rev": "14dbd5e5b40615937900f71d9a9851b59b4d9a88",
"type": "github"
},
"original": {
"owner": "farcaller",
"repo": "nix-kube-generators",
"type": "github"
}
},
"nix-kube-generators_2": {
"locked": {
"lastModified": 1708155396,
"narHash": "sha256-A/BIeJjiRS7sBYP6tFJa/WHDPHe7DGTCkSEKXttYeAQ=",
"owner": "farcaller",
"repo": "nix-kube-generators",
"rev": "14dbd5e5b40615937900f71d9a9851b59b4d9a88",
"type": "github"
},
"original": {
"owner": "farcaller",
"repo": "nix-kube-generators",
"type": "github"
}
},
"nix-kube-generators_3": {
"locked": {
"lastModified": 1708155396,
"narHash": "sha256-A/BIeJjiRS7sBYP6tFJa/WHDPHe7DGTCkSEKXttYeAQ=",
"owner": "farcaller",
"repo": "nix-kube-generators",
"rev": "14dbd5e5b40615937900f71d9a9851b59b4d9a88",
"type": "github"
},
"original": {
"owner": "farcaller",
"repo": "nix-kube-generators",
"type": "github"
}
},
"nixhelm": {
"inputs": {
"flake-utils": "flake-utils_2",
"haumea": "haumea",
"nix-kube-generators": "nix-kube-generators_2",
"nixpkgs": [
"nixpkgs"
],
"poetry2nix": "poetry2nix"
},
"locked": {
"lastModified": 1728868745,
"narHash": "sha256-ZuaxkAtUL1visOmVMxgHk3j+H8/bMmm82tJfE1s35VY=",
"owner": "farcaller",
"repo": "nixhelm",
"rev": "f901d2ba3ce1bd0086d50efdcce3cc76bce04d80",
"type": "github"
},
"original": {
"owner": "farcaller",
"repo": "nixhelm",
"type": "github"
}
},
"nixidy": {
"inputs": {
"flake-utils": "flake-utils_4",
"kubenix": "kubenix",
"nix-kube-generators": "nix-kube-generators_3",
"nixpkgs": "nixpkgs"
},
"locked": {
"lastModified": 1728815994,
"narHash": "sha256-uF6HAoDMAX0cZbKH27k/0UpIteQMhyLkP1rYKUfj5ys=",
"owner": "arnarg",
"repo": "nixidy",
"rev": "6e20193c95a0aaca444289d7c69f4eb329d25234",
"type": "github"
},
"original": {
"owner": "arnarg",
"ref": "HEAD",
"repo": "nixidy",
"type": "github"
}
},
"nixpkgs": {
"locked": {
"lastModified": 1702151865,
"narHash": "sha256-9VAt19t6yQa7pHZLDbil/QctAgVsA66DLnzdRGqDisg=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "666fc80e7b2afb570462423cb0e1cf1a3a34fedd",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs-stable": {
"locked": {
"lastModified": 1720386169,
"narHash": "sha256-NGKVY4PjzwAa4upkGtAMz1npHGoRzWotlSnVlqI40mo=",
"owner": "NixOS",
"repo": "nixpkgs",
"rev": "194846768975b7ad2c4988bdb82572c00222c0d7",
"type": "github"
},
"original": {
"owner": "NixOS",
"ref": "nixos-24.05",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_2": {
"locked": {
"lastModified": 1728492678,
"narHash": "sha256-9UTxR8eukdg+XZeHgxW5hQA9fIKHsKCdOIUycTryeVw=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "5633bcff0c6162b9e4b5f1264264611e950c8ec7",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "nixos-unstable",
"repo": "nixpkgs",
"type": "github"
}
},
"nixpkgs_3": {
"locked": {
"lastModified": 1697382362,
"narHash": "sha256-PvFjWFmSYOF6TjNZ/WjOeqa+sgaWm+83Fz37vEuATHA=",
"owner": "nixos",
"repo": "nixpkgs",
"rev": "ad9a253a0d34f313707f9c25fb8c95c65b1c8882",
"type": "github"
},
"original": {
"owner": "nixos",
"ref": "release-23.05",
"repo": "nixpkgs",
"type": "github"
}
},
"poetry2nix": {
"inputs": {
"flake-utils": "flake-utils_3",
"nix-github-actions": "nix-github-actions",
"nixpkgs": [
"nixhelm",
"nixpkgs"
],
"systems": "systems_4",
"treefmt-nix": "treefmt-nix"
},
"locked": {
"lastModified": 1718285706,
"narHash": "sha256-DScsBM+kZvxOva7QegfdtleebMXh30XPxDQr/1IGKYo=",
"owner": "nix-community",
"repo": "poetry2nix",
"rev": "a5be1bbbe0af0266147a88e0ec43b18c722f2bb9",
"type": "github"
},
"original": {
"owner": "nix-community",
"repo": "poetry2nix",
"type": "github"
}
},
"pre-commit-hooks": {
"inputs": {
"flake-compat": "flake-compat_2",
"gitignore": "gitignore",
"nixpkgs": [
"nixpkgs"
],
"nixpkgs-stable": "nixpkgs-stable"
},
"locked": {
"lastModified": 1728778939,
"narHash": "sha256-WybK5E3hpGxtCYtBwpRj1E9JoiVxe+8kX83snTNaFHE=",
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"rev": "ff68f91754be6f3427e4986d7949e6273659be1d",
"type": "github"
},
"original": {
"owner": "cachix",
"repo": "pre-commit-hooks.nix",
"type": "github"
}
},
"root": {
"inputs": {
"flake-utils": "flake-utils",
"nix-kube-generators": "nix-kube-generators",
"nixhelm": "nixhelm",
"nixidy": "nixidy",
"nixpkgs": "nixpkgs_2",
"pre-commit-hooks": "pre-commit-hooks",
"yaml2nix": "yaml2nix"
}
},
"rust-overlay": {
"inputs": {
"flake-utils": [
"yaml2nix",
"cargo2nix",
"flake-utils"
],
"nixpkgs": [
"yaml2nix",
"cargo2nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1697336027,
"narHash": "sha256-ctmmw7j4liyfSh63v9rdFZeIoNYCkCvgqvtEOB7KhX8=",
"owner": "oxalica",
"repo": "rust-overlay",
"rev": "e494404d36a41247987eeb1bfc2f1ca903e97764",
"type": "github"
},
"original": {
"owner": "oxalica",
"repo": "rust-overlay",
"type": "github"
}
},
"systems": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_2": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_3": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_4": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"id": "systems",
"type": "indirect"
}
},
"systems_5": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"systems_6": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"id": "systems",
"type": "indirect"
}
},
"systems_7": {
"locked": {
"lastModified": 1681028828,
"narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
"owner": "nix-systems",
"repo": "default",
"rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
"type": "github"
},
"original": {
"owner": "nix-systems",
"repo": "default",
"type": "github"
}
},
"treefmt": {
"inputs": {
"nixpkgs": [
"nixidy",
"kubenix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1688026376,
"narHash": "sha256-qJmkr9BWDpqblk4E9/rCsAEl39y2n4Ycw6KRopvpUcY=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "df3f32b0cc253dfc7009b7317e8f0e7ccd70b1cf",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
},
"treefmt-nix": {
"inputs": {
"nixpkgs": [
"nixhelm",
"poetry2nix",
"nixpkgs"
]
},
"locked": {
"lastModified": 1717850719,
"narHash": "sha256-npYqVg+Wk4oxnWrnVG7416fpfrlRhp/lQ6wQ4DHI8YE=",
"owner": "numtide",
"repo": "treefmt-nix",
"rev": "4fc1c45a5f50169f9f29f6a98a438fb910b834ed",
"type": "github"
},
"original": {
"owner": "numtide",
"repo": "treefmt-nix",
"type": "github"
}
},
"yaml2nix": {
"inputs": {
"cargo2nix": "cargo2nix",
"flake-utils": [
"flake-utils"
],
"nixpkgs": [
"nixpkgs"
]
},
"locked": {
"lastModified": 1726132715,
"narHash": "sha256-DkHWWpvBco2yodyOk40LjTNcoaJ1bFKf0JY9OwWgy5M=",
"owner": "euank",
"repo": "yaml2nix",
"rev": "3a6df359da40ee49cb9ed597c2400342b76f2083",
"type": "github"
},
"original": {
"owner": "euank",
"repo": "yaml2nix",
"type": "github"
}
}
},
"root": "root",
"version": 7
}
+148
@@ -0,0 +1,148 @@
{
description = "My ArgoCD configuration with nixidy.";
inputs = {
nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
flake-utils.url = "github:numtide/flake-utils";
nixidy = {
url = "github:juselius/nixidy?ref=HEAD";
# url = "github:juselius/nixidy?ref=special-args";
# url = "/home/jonas/src/OceanBox/nixidy";
# inputs.nixpkgs.follows = "nixpkgs";
};
nixhelm = {
url = "github:farcaller/nixhelm";
inputs.nixpkgs.follows = "nixpkgs";
};
pre-commit-hooks = {
url = "github:cachix/pre-commit-hooks.nix";
inputs.nixpkgs.follows = "nixpkgs";
};
nix-kube-generators.url = "github:farcaller/nix-kube-generators";
yaml2nix = {
url = "github:euank/yaml2nix";
inputs.nixpkgs.follows = "nixpkgs";
inputs.flake-utils.follows = "flake-utils";
};
};
outputs =
{
self,
nixpkgs,
flake-utils,
nixidy,
nixhelm,
yaml2nix,
pre-commit-hooks,
nix-kube-generators,
}:
(flake-utils.lib.eachDefaultSystem (
system:
let
pkgs = import nixpkgs { inherit system; };
kube = nix-kube-generators.lib { inherit pkgs; };
lib = {
apps = import ./modules/lib.nix { inherit pkgs kube;};
};
in
{
nixidyEnvs = nixidy.lib.mkEnvs {
inherit pkgs;
extraSpecialArgs = { inherit lib; };
charts = nixhelm.chartsDerivations.${system};
modules = [
./modules
./apps
./policies
];
envs = {
prod.modules = [ ./envs/prod.nix ];
staging.modules = [ ./envs/staging.nix ];
};
};
checks = {
pre-commit-check = pre-commit-hooks.lib.${system}.run {
src = ./.;
hooks = {
nixfmt-rfc-style.enable = false;
deadnix.enable = false;
statix.enable = false;
};
};
};
packages = {
nixidy = nixidy.packages.${system}.default;
generators = {
cilium = nixidy.packages.${system}.generators.fromCRD {
name = "cilium";
src = pkgs.fetchFromGitHub {
owner = "cilium";
repo = "cilium";
rev = "v1.16.0";
hash = "sha256-LJrNGHF52hdKCuVwjvGifqsH+8hxkf/A3LZNpCHeR7E=";
};
crds = [
"pkg/k8s/apis/cilium.io/client/crds/v2/ciliumnetworkpolicies.yaml"
"pkg/k8s/apis/cilium.io/client/crds/v2/ciliumclusterwidenetworkpolicies.yaml"
];
};
kyverno = nixidy.packages.${system}.generators.fromCRD {
name = "kyverno";
src = pkgs.fetchFromGitHub {
owner = "kyverno";
repo = "kyverno";
rev = "v1.12.6";
hash = "sha256-FwVB1okxhWTzWlZljGEEH9KuSsJl9GmwnX7bn4iDx/M=";
};
crds = [
"config/crds/kyverno/kyverno.io_cleanuppolicies.yaml"
"config/crds/kyverno/kyverno.io_clustercleanuppolicies.yaml"
"config/crds/kyverno/kyverno.io_clusterpolicies.yaml"
"config/crds/kyverno/kyverno.io_globalcontextentries.yaml"
"config/crds/kyverno/kyverno.io_policies.yaml"
"config/crds/kyverno/kyverno.io_policyexceptions.yaml"
"config/crds/kyverno/kyverno.io_updaterequests.yaml"
];
};
};
};
apps = {
gen-crd = {
type = "app";
program =
(pkgs.writeShellScript "generate-modules" ''
set -eo pipefail
echo "generate cilium"
cat ${self.packages.${system}.generators.cilium} > modules/cilium-crd.nix
echo "generate kyverno"
cat ${self.packages.${system}.generators.kyverno} > modules/kyverno-crd.nix
'').outPath;
};
};
devShells.default = pkgs.mkShellNoCC {
inherit (self.checks.${system}.pre-commit-check) shellHook;
nativeBuildInputs = with pkgs; [
self.checks.${system}.pre-commit-check.enabledPackages
nixidy.packages.${system}.default
yaml2nix.packages.${system}.default
nixd
nixfmt-rfc-style
just
fzf
];
NIXD_FLAGS = "--inlay-hints";
};
}
));
}
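Review bot: The `nixidy` input near the top of `inputs` points at `github:juselius/nixidy?ref=HEAD`, but the `flake.lock` added in this same change records nixidy's `original` as `arnarg/nixidy`, so the committed lock does not pin what the flake declares and the next evaluation will re-resolve the input (or fail under `--no-update-lock-file`); re-lock and commit the result. `ref=HEAD` is a floating reference, so the lock is the only thing fixing the revision — prefer a tag or `rev=` so the flake itself states what is trusted. The three hooks under `checks` are all `enable = false`, which makes `pre-commit-check` a no-op while still looking like a gate; enable at least `deadnix`/`statix` or drop the check. `inputs.nixpkgs.follows` for nixidy is commented out, so the lock carries a second nixpkgs (a late-2023 nixos-unstable) solely for nixidy's dependencies, doubling the surface to track for advisories.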
+44
@@ -0,0 +1,44 @@
let
sources = import ./nix;
system = builtins.currentSystem;
pkgs = import sources.nixpkgs {
inherit system;
config = { };
overlays = [ ];
};
nixpkgs = sources.nixpkgs;
nixidy = import sources.nixidy { inherit nixpkgs; };
in
{
cilium = nixidy.generators.fromCRD {
name = "cilium";
src = pkgs.fetchFromGitHub {
owner = "cilium";
repo = "cilium";
rev = "v1.16.0";
hash = "sha256-LJrNGHF52hdKCuVwjvGifqsH+8hxkf/A3LZNpCHeR7E=";
};
crds = [
"pkg/k8s/apis/cilium.io/client/crds/v2/ciliumnetworkpolicies.yaml"
"pkg/k8s/apis/cilium.io/client/crds/v2/ciliumclusterwidenetworkpolicies.yaml"
];
};
kyverno = nixidy.generators.fromCRD {
name = "kyverno";
src = pkgs.fetchFromGitHub {
owner = "kyverno";
repo = "kyverno";
rev = "v1.12.6";
hash = "sha256-FwVB1okxhWTzWlZljGEEH9KuSsJl9GmwnX7bn4iDx/M=";
};
crds = [
"config/crds/kyverno/kyverno.io_cleanuppolicies.yaml"
"config/crds/kyverno/kyverno.io_clustercleanuppolicies.yaml"
"config/crds/kyverno/kyverno.io_clusterpolicies.yaml"
"config/crds/kyverno/kyverno.io_globalcontextentries.yaml"
"config/crds/kyverno/kyverno.io_policies.yaml"
"config/crds/kyverno/kyverno.io_policyexceptions.yaml"
"config/crds/kyverno/kyverno.io_updaterequests.yaml"
];
};
}
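Review bot: The two `fromCRD` generator definitions here are a verbatim copy of `packages.generators` in `flake.nix`, down to the pinned `rev` and `hash`, so a future bump of cilium or kyverno in one file will not be reflected in the other and `modules/*-crd.nix` may be generated from a different CRD version depending on which entry point was used. Factor the source pins into one attribute set imported by both, or add a comment such as `# Mirrors packages.generators in flake.nix; keep the rev/hash pairs identical.`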
+17
@@ -0,0 +1,17 @@
default := "prod"
default:
just --choose
info target=default:
nix run .#nixidy -- info .#{{target}}
build target=default:
nix run .#nixidy -- build .#{{target}}
switch target=default:
nix run .#nixidy -- switch .#{{target}}
generate:
nix build .#generators.cilium
nix build .#generators.kyverno
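Review bot: `default := "prod"` on the first line makes a bare `just switch` apply the production environment, so a slip while testing a change locally pushes straight to prod. Default the target to staging and require an explicit argument for prod, e.g. `default := "staging"`, or guard the `switch` recipe with a confirmation when the target is `prod`. `just --choose` also relies on `fzf`, which the dev shell provides but a bare checkout does not; a one-line comment saying so would help.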
-1
@@ -1 +0,0 @@
oceanbox/atlantis
@@ -1,37 +0,0 @@
{
"oidc": {
"issuer": "https://idp.oceanbox.io/dex",
"authorization_endpoint": "https://idp.oceanbox.io/dex/auth",
"token_endpoint": "https://idp.oceanbox.io/dex/token",
"jwks_uri": "https://idp.oceanbox.io/dex/keys",
"userinfo_endpoint": "https://idp.oceanbox.io/dex/userinfo",
"device_authorization_endpoint": "https://idp.oceanbox.io/dex/device/code",
"clientId": "atlantis",
"clientSecret": "",
"scopes": [
"openid",
"email",
"offline_access",
"profile"
]
},
"redis": "prod-redis-master.redis.svc,user=default,password=secret",
"sso": {
"cookieDomain": ".oceanbox.io",
"signedOutRedirectUri": "https://idp.oceanbox.io/dex/static/logout.html",
"appDomain": "atlantis",
"dataProtectionKeys": "DataProtection-Keys"
},
"archmeister" : "https://archmeister.srv.oceanbox.io",
"sorcerer" : "https://sorcerer.data.oceanbox.io",
"allowedOrigins": [
"http://maps.oceanbox.io",
"https://maps.oceanbox.io",
"http://atlantis.srv.oceanbox.io",
"https://atlantis.srv.oceanbox.io"
],
"logService" : "https://seq.adm.oceanbox.io",
"logApiKey": "",
"deployEnv": "prod",
"plainAuthUsers": []
}
-3
@@ -1,3 +0,0 @@
OIDC_CLIENT_SECRET=KOJ6bDHzE5vdyfSrzgwLjtM5PzA809Zm
SEQ_APIKEY=v9RfeLBD9Si7OkFlkjPm
DEPLOY_NAME=prod-atlantis
@@ -1,41 +0,0 @@
- op: replace
path: /spec/template/spec/containers/0/env/0
value:
name: LOG_LEVEL
value: "4"
- op: add
path: /spec/template/spec/containers/0/env/-
value:
name: BARENTSWATCH_SECRET
valueFrom:
secretKeyRef:
name: prod-atlantis-barentswatch
key: secret
optional: true
- op: add
path: /spec/template/spec/containers/0/env/-
value:
name: BARENTSWATCH_CLIENT_ID
valueFrom:
secretKeyRef:
name: prod-atlantis-barentswatch
key: client-id
optional: true
- op: add
path: /spec/template/spec/containers/0/env/-
value:
name: REDIS_USER
value: default
- op: add
path: /spec/template/spec/containers/0/env/-
value:
name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: prod-redis
key: redis-password
- op: add
path: /spec/template/spec/containers/0/envFrom/-
value:
secretRef:
name: prod-atlantis-env
@@ -1,35 +0,0 @@
{
"oidc": {
"issuer": "https://idp.oceanbox.io/dex",
"authorization_endpoint": "https://idp.oceanbox.io/dex/auth",
"token_endpoint": "https://idp.oceanbox.io/dex/token",
"jwks_uri": "https://idp.oceanbox.io/dex/keys",
"userinfo_endpoint": "https://idp.oceanbox.io/dex/userinfo",
"device_authorization_endpoint": "https://idp.oceanbox.io/dex/device/code",
"clientId": "atlantis_dev",
"clientSecret": "",
"scopes": [
"openid",
"email",
"offline_access",
"profile"
]
},
"redis": "staging-redis-master.redis.svc,user=default,password=secret",
"sso": {
"cookieDomain": ".oceanbox.io",
"signedOutRedirectUri": "https://idp.oceanbox.io/dex/static/logout.html",
"appDomain": "atlantis",
"dataProtectionKeys": "DataProtection-Keys"
},
"archmeister" : "https://archmeister.beta.oceanbox.io",
"sorcerer" : "https://sorcerer.ekman.oceanbox.io",
"allowedOrigins": [
"http://atlantis.beta.oceanbox.io",
"https://atlantis.beta.oceanbox.io"
],
"logService" : "https://seq.adm.oceanbox.io",
"logApiKey": "",
"deployEnv": "staging",
"plainAuthUsers": []
}
@@ -1,3 +0,0 @@
OIDC_CLIENT_SECRET=3QjfSPmAemjn34XVA2o1fvoS7I4gKvOR
SEQ_APIKEY=v9RfeLBD9Si7OkFlkjPm
DEPLOY_NAME=staging-atlantis
@@ -1,41 +0,0 @@
- op: replace
path: /spec/template/spec/containers/0/env/0
value:
name: LOG_LEVEL
value: "4"
- op: add
path: /spec/template/spec/containers/0/env/-
value:
name: BARENTSWATCH_SECRET
valueFrom:
secretKeyRef:
name: staging-atlantis-barentswatch
key: secret
optional: true
- op: add
path: /spec/template/spec/containers/0/env/-
value:
name: BARENTSWATCH_CLIENT_ID
valueFrom:
secretKeyRef:
name: staging-atlantis-barentswatch
key: client-id
optional: true
- op: add
path: /spec/template/spec/containers/0/env/-
value:
name: REDIS_USER
value: default
- op: add
path: /spec/template/spec/containers/0/env/-
value:
name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: staging-redis
key: redis-password
- op: add
path: /spec/template/spec/containers/0/envFrom/-
value:
secretRef:
name: staging-atlantis-env
-46
@@ -1,46 +0,0 @@
replicaCount: 2
podAnnotations:
dapr.io/app-id: "prod-atlantis"
dapr.io/enabled: "true"
dapr.io/app-port: "8000"
dapr.io/config: "tracing"
dapr.io/app-protocol: "http"
dapr.io/enable-app-health-check: "true"
dapr.io/app-health-check-path: "/healthz"
dapr.io/app-health-probe-interval: "3"
dapr.io/app-health-probe-timeout: "200"
dapr.io/app-health-threshold: "2"
dapr.io/sidecar-cpu-request: "100m"
dapr.io/sidecar-memory-request: "250Mi"
dapr.io/sidecar-cpu-limit: "300m"
dapr.io/sidecar-memory-limit: "1000Mi"
dapr.io/log-as-json: "true"
ingress:
annotations:
cert-manager.io/cluster-issuer: letsencrypt-production
nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
hosts:
- host: atlantis.srv.oceanbox.io
paths:
- path: /
pathType: ImplementationSpecific
- host: maps.oceanbox.io
paths:
- path: /
pathType: ImplementationSpecific
tls:
- hosts:
- atlantis.srv.oceanbox.io
- maps.oceanbox.io
secretName: atlantis-tls
resources:
limits:
cpu: 250m
memory: 1Gi
requests:
cpu: 250m
memory: 1Gi
@@ -1,54 +0,0 @@
replicaCount: 2
podAnnotations:
dapr.io/app-id: "staging-atlantis"
dapr.io/enabled: "true"
dapr.io/app-port: "8000"
dapr.io/config: "tracing"
dapr.io/app-protocol: "http"
dapr.io/enable-app-health-check: "true"
dapr.io/app-health-check-path: "/healthz"
dapr.io/app-health-probe-interval: "3"
dapr.io/app-health-probe-timeout: "200"
dapr.io/app-health-threshold: "2"
dapr.io/sidecar-cpu-request: "100m"
dapr.io/sidecar-memory-request: "250Mi"
dapr.io/sidecar-cpu-limit: "300m"
dapr.io/sidecar-memory-limit: "1000Mi"
dapr.io/log-as-json: "true"
image:
tag: 7f3512e0-debug
ingress:
annotations:
cert-manager.io/cluster-issuer: letsencrypt-production
nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
# nginx.ingress.kubernetes.io/affinity: "cookie"
# nginx.ingress.kubernetes.io/session-cookie-name: "http-affinity"
# nginx.ingress.kubernetes.io/session-cookie-expires: "86400"
# nginx.ingress.kubernetes.io/session-cookie-max-age: "86400"
# atlantis.oceanbox.io/expose: internal
hosts:
- host: atlantis.beta.oceanbox.io
paths:
- path: /
pathType: ImplementationSpecific
- host: atlas.oceanbox.io
paths:
- path: /
pathType: ImplementationSpecific
- host: beta.oceanbox.io
paths:
- path: /
pathType: ImplementationSpecific
tls:
- hosts:
- atlantis.beta.oceanbox.io
- atlas.oceanbox.io
- beta.oceanbox.io
secretName: staging-atlantis-tls
resources:
limits:
cpu: 250m
memory: 1Gi
requests:
cpu: 250m
memory: 1Gi
-31
@@ -1,31 +0,0 @@
replicaCount: 2
datastore:
engine: postgres
uriSecret: prod-openfga-postgresql
postgresql:
enabled: true
auth:
existingSecret: prod-openfga-postgresql
secretKeys:
userPasswordKey: postgres-password
ingress:
enabled: true
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-staging
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
hosts:
- host: openfga.srv.oceanbox.io
paths:
- path: /
pathType: ImplementationSpecific
tls:
- secretName: staging-openfga-tls
hosts:
- openfga.srv.oceanbox.io
@@ -1,29 +0,0 @@
replicaCount: 1
datastore:
engine: postgres
uriSecret: staging-openfga-postgresql
postgresql:
enabled: true
auth:
existingSecret: staging-openfga-postgresql
secretKeys:
userPasswordKey: postgres-password
ingress:
enabled: true
className: nginx
annotations:
cert-manager.io/cluster-issuer: letsencrypt-staging
nginx.ingress.kubernetes.io/ssl-redirect: "true"
nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
hosts:
- host: openfga.dev.oceanbox.io
paths:
- path: /
pathType: ImplementationSpecific
tls:
- secretName: staging-openfga-tls
hosts:
- openfga.dev.oceanbox.io
-8
@@ -1,8 +0,0 @@
# fullnameOverride: openfga
playground:
enabled: false
port: 3000
-1
@@ -1 +0,0 @@
oceanbox/sorcerer
@@ -1,28 +0,0 @@
{
"sso": {
"cookieDomain": ".oceanbox.io",
"signedOutRedirectUri": "https://idp.oceanbox.io/dex/static/logout.html",
"redis": "10.255.241.201:30379,user=default,password=secret",
"appDomain": "atlantis",
"dataProtectionKeys": "DataProtection-Keys"
},
"allowedOrigins": [
"http://localhost:8085",
"http://localhost:8080",
"https://localhost:8080",
"https://maps.oceanbox.io",
"https://atlantis.srv.oceanbox.io",
"https://maps.relic.oceanbox.io",
"https://atlantis.beta.oceanbox.io",
"https://atlantis.dev.oceanbox.io",
"https://atlantis.local.oceanbox.io:8080",
"https://jonas-atlantis.dev.oceanbox.io",
"https://stig-atlantis.dev.oceanbox.io",
"https://simkir-atlantis.dev.oceanbox.io"
],
"archiveSvc": "https://archmeister.srv.oceanbox.io",
"cacheDir": "/data/archives/cache",
"logService" : "https://seq.adm.oceanbox.io",
"logApiKey": "",
"deployEnv": "prod"
}
@@ -1,43 +0,0 @@
- op: replace
path: /spec/template/spec/containers/0/volumeMounts/0/mountPath
value: /data
- op: add
path: /spec/template/spec/containers/0/volumeMounts/-
value:
mountPath: /backup/archives
name: backup
- op: add
path: /spec/template/spec/volumes/-
value:
name: backup
persistentVolumeClaim:
claimName: prod-oceanbox-backup-archives
- op: replace
path: /spec/template/spec/containers/0/env/0
value:
name: LOG_LEVEL
value: "3"
- op: add
path: /spec/template/spec/containers/0/env/-
value:
name: REDIS_USER
value: default
- op: add
path: /spec/template/spec/containers/0/env/-
value:
name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: prod-redis
key: redis-password
- op: add
path: /spec/template/spec/containers/0/env/-
value:
name: ARCHMEISTER_AUTH
value: "admin:en-to-tre-fire"
- op: add
path: /spec/template/spec/containers/0/envFrom/-
value:
secretRef:
name: prod-sorcerer-env
-40
@@ -1,40 +0,0 @@
# apiVersion: v1
# kind: PersistentVolume
# metadata:
# name: pv-prod-oceanbox-archives
# spec:
# accessModes:
# - ReadWriteMany
# capacity:
# storage: 300T
# mountOptions:
# - vers=4.2
# - rdma
# - soft
# nfs:
# path: /data/archives
# server: 10.255.243.80
# persistentVolumeReclaimPolicy: Retain
# volumeMode: Filesystem
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: pv-prod-backup-archives
spec:
accessModes:
- ReadOnlyMany
capacity:
storage: 400T
local:
path: /backup/archives
persistentVolumeReclaimPolicy: Retain
volumeMode: Filesystem
nodeAffinity:
required:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- fs-backup
-32
@@ -1,32 +0,0 @@
# apiVersion: v1
# kind: PersistentVolumeClaim
# metadata:
# name: prod-oceanbox-archives
# spec:
# accessModes:
# - ReadWriteMany
# resources:
# requests:
# storage: 300T
# storageClassName: ""
# volumeMode: Filesystem
# volumeName: pv-prod-oceanbox-archives
# status:
# accessModes:
# - ReadWriteMany
# capacity:
# storage: 300T
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: prod-oceanbox-backup-archives
spec:
accessModes:
- ReadOnlyMany
resources:
requests:
storage: 400T
storageClassName: ""
volumeMode: Filesystem
volumeName: pv-prod-backup-archives
@@ -1,28 +0,0 @@
{
"sso": {
"cookieDomain": ".oceanbox.io",
"signedOutRedirectUri": "https://idp.oceanbox.io/dex/static/logout.html",
"redis": "10.255.241.201:31379,user=default,password=secret",
"appDomain": "atlantis",
"dataProtectionKeys": "DataProtection-Keys"
},
"allowedOrigins": [
"http://localhost:8085",
"http://localhost:8080",
"https://localhost:8080",
"https://maps.oceanbox.io",
"https://atlantis.srv.oceanbox.io",
"https://atlantis.dev.oceanbox.io",
"https://atlantis.beta.oceanbox.io",
"https://atlantis.local.oceanbox.io:8080",
"https://jonas-atlantis.dev.oceanbox.io",
"https://stig-atlantis.dev.oceanbox.io",
"https://simkir-atlantis.dev.oceanbox.io"
],
"archiveSvc": "https://archmeister.beta.oceanbox.io",
"cacheDir": "/data/archives/cache",
"logService" : "https://seq.adm.oceanbox.io",
"logApiKey": "",
"deployEnv": "staging"
}
@@ -1 +0,0 @@
SEQ_APIKEY=7iIXHJukYjSLQDix6CnZ
@@ -1,43 +0,0 @@
- op: replace
path: /spec/template/spec/containers/0/volumeMounts/0/mountPath
value: /data
- op: add
path: /spec/template/spec/containers/0/volumeMounts/-
value:
mountPath: /backup/archives
name: backup
- op: add
path: /spec/template/spec/volumes/-
value:
name: backup
persistentVolumeClaim:
claimName: staging-oceanbox-backup-archives
- op: replace
path: /spec/template/spec/containers/0/env/0
value:
name: LOG_LEVEL
value: "4"
- op: add
path: /spec/template/spec/containers/0/env/-
value:
name: REDIS_USER
value: default
- op: add
path: /spec/template/spec/containers/0/env/-
value:
name: REDIS_PASSWORD
valueFrom:
secretKeyRef:
name: staging-redis
key: redis-password
- op: add
path: /spec/template/spec/containers/0/env/-
value:
name: ARCHMEISTER_AUTH
value: "admin:en-to-tre-fire"
- op: add
path: /spec/template/spec/containers/0/envFrom/-
value:
secretRef:
name: staging-sorcerer-env
-41
@@ -1,41 +0,0 @@
# apiVersion: v1
# kind: PersistentVolume
# metadata:
# name: pv-staging-oceanbox-archives
# spec:
# accessModes:
# - ReadWriteMany
# capacity:
# storage: 300T
# mountOptions:
# - vers=4.2
# - rdma
# - soft
# nfs:
# path: /data/archives
# server: 10.255.243.80
# persistentVolumeReclaimPolicy: Retain
# volumeMode: Filesystem
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: pv-staging-backup-archives
spec:
accessModes:
- ReadWriteMany
capacity:
storage: 400T
local:
path: /backup/archives
persistentVolumeReclaimPolicy: Retain
volumeMode: Filesystem
nodeAffinity:
required:
nodeSelectorTerms:
- matchExpressions:
- key: kubernetes.io/hostname
operator: In
values:
- fs2
-32
@@ -1,32 +0,0 @@
# apiVersion: v1
# kind: PersistentVolumeClaim
# metadata:
# name: staging-oceanbox-archives
# spec:
# accessModes:
# - ReadWriteMany
# resources:
# requests:
# storage: 300T
# storageClassName: ""
# volumeMode: Filesystem
# volumeName: pv-staging-oceanbox-archives
# status:
# accessModes:
# - ReadWriteMany
# capacity:
# storage: 300T
# ---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: staging-oceanbox-backup-archives
spec:
accessModes:
- ReadWriteMany
resources:
requests:
storage: 400T
storageClassName: ""
volumeMode: Filesystem
volumeName: pv-staging-backup-archives
-35
@@ -1,35 +0,0 @@
replicaCount: 2
ingress:
annotations:
cert-manager.io/cluster-issuer: letsencrypt-production
nginx.ingress.kubernetes.io/affinity: "cookie"
nginx.ingress.kubernetes.io/session-cookie-name: "http-affinity"
nginx.ingress.kubernetes.io/session-cookie-expires: "86400"
nginx.ingress.kubernetes.io/session-cookie-max-age: "86400"
atlantis.oceanbox.io/expose: internal
hosts:
- host: sorcerer.data.oceanbox.io
paths:
- path: /
pathType: ImplementationSpecific
tls:
- hosts:
- sorcerer.data.oceanbox.io
secretName: prod-sorcerer-tls
persistence:
enabled: true
existingClaim: prod-ceph-archives
# existingClaim: prod-oceanbox-backup-archives
nodeSelector:
topology.kubernetes.io/group: login
# kubernetes.io/hostname: fs-backup
# node-role.kubernetes.io/worker: c1-1
# tolerations:
# - key: workload
# operator: Equal
# value: compute
# effect: NoSchedule
@@ -1,34 +0,0 @@
replicaCount: 1
image:
tag: 183dec97-debug
ingress:
annotations:
cert-manager.io/cluster-issuer: letsencrypt-production
# nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
nginx.ingress.kubernetes.io/affinity: "cookie"
nginx.ingress.kubernetes.io/session-cookie-name: "http-affinity"
nginx.ingress.kubernetes.io/session-cookie-expires: "86400"
nginx.ingress.kubernetes.io/session-cookie-max-age: "86400"
atlantis.oceanbox.io/expose: internal
hosts:
- host: sorcerer.ekman.oceanbox.io
paths:
- path: /
pathType: ImplementationSpecific
tls:
- hosts:
- sorcerer.ekman.oceanbox.io
secretName: staging-sorcerer-tls
persistence:
enabled: true
existingClaim: staging-ceph-archives
# existingClaim: staging-oceanbox-backup-archives
nodeSelector:
topology.kubernetes.io/group: login
# kubernetes.io/hostname: fs-backup
# node-role.kubernetes.io/worker: c1-1
# tolerations:
# - key: workload
# operator: Equal
# value: compute
# effect: NoSchedule
+79
@@ -0,0 +1,79 @@
{ lib, config, ... }:
let
cfg = config.apps;
in
{
imports = [];
options.apps = with lib; {
env = mkOption {
type = types.str;
default = "prod";
description = "Enable";
};
autoSync = mkOption {
type = types.bool;
default = true;
description = "Auto sync";
};
prune = mkOption {
type = types.bool;
default = false;
description = "Prune";
};
selfHeal = mkOption {
type = types.bool;
default = false;
description = "Self-heal";
};
serverSideDiff = mkOption {
type = types.bool;
default = true;
description = "Enable server-side diffing";
};
};
config = {
nixidy = {
target = {
repository = "https://gitlab.com/oveanbox/manifests.git";
branch = "main";
rootPath = "_manifests/${config.apps.env}";
};
resourceImports = [
./cilium-crd.nix
./kyverno-crd.nix
];
chartsDir = ../charts;
defaults = {
syncPolicy = {
autoSync = {
enabled = cfg.autoSync;
prune = cfg.prune;
selfHeal = cfg.selfHeal;
};
};
# Many helm chars will render all resources with the
# following labels.
# This produces huge diffs when the charts are updated
# because the values of these labels change each release.
# Here we add a transformer that strips them out after
# templating the helm charts in each application.
helm.transformer = map (
lib.kube.removeLabels [
"app.kubernetes.io/version"
"helm.sh/chart"
]
);
};
};
};
}
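Review bot: The GitOps target `repository = "https://gitlab.com/oveanbox/manifests.git";` in `config.nixidy.target` looks like a typo for `oceanbox` — every other hostname on this page lives under `oceanbox`, and a mistyped target means rendered manifests are resolved against a repository the project does not own, which is a supply-chain risk rather than a cosmetic slip; it should read `repository = "https://gitlab.com/oceanbox/manifests.git";`. The `env` option is described as `"Enable"`, which is copied from a bool option; since it only feeds `rootPath = "_manifests/${config.apps.env}"`, `description = "Target environment; selects the _manifests/<env> root path";` would be accurate. The `serverSideDiff` option is declared but nothing in this file reads it, so either it is consumed by another module or it is dead — worth confirming. The comment above `helm.transformer` has a typo, `helm chars` → `helm charts`.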
+93
@@ -0,0 +1,93 @@
{ pkgs, kube }:
{
appOptions = opts: with pkgs.lib; {
enable = mkOption {
type = types.bool;
default = true;
description = "Enable";
};
autoSync = mkOption {
type = types.bool;
default = true;
description = "Auto sync";
};
prune = mkOption {
type = types.bool;
default = false;
description = "Prune";
};
serverSideDiff = mkOption {
type = types.bool;
default = true;
description = "Enable server-side diffing";
};
name = mkOption {
type = types.nullOr types.str;
default = null;
description = "Application name";
};
namespace = mkOption {
type = types.nullOr types.str;
default = null;
description = "Namespace";
};
project = mkOption {
type = types.str;
default = "default";
description = "Project";
};
cluster = mkOption {
type = types.str;
default = "https://kubernetes.default.svc";
description = "Cluster";
};
values = mkOption {
type = types.attrsOf types.anything;
default = {};
description = "Values";
};
} // opts;
appConfig = cfg: name: conf:
with pkgs.lib;
let
app = conf // {
name = if builtins.isNull cfg.name then name else cfg.name;
project = cfg.project;
destination.server = cfg.cluster;
createNamespace = true;
compareOptions = {
serverSideDiff = cfg.serverSideDiff;
};
syncPolicy = {
syncOptions = {
applyOutOfSyncOnly = true;
};
autoSync = mkIf cfg.autoSync {
prune = cfg.prune;
selfHeal = false;
};
};
} // (if builtins.isNull cfg.namespace then {} else { namespace = cfg.namespace; });
in mkIf cfg.enable { applications.${name} = app; };
appValues = with pkgs.lib; { env, base, extraValues}:
attrsets.mergeAttrsList (lists.flatten [
(kube.fromYAML (builtins.readFile "${base}/values.yaml"))
(kube.fromYAML (builtins.readFile "${base}/values-${env}.yaml"))
[ extraValues ]
]);
}
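Review bot: `appConfig` hard-codes `selfHeal = false;` inside `autoSync`, while `appOptions` offers no `selfHeal` option even though the apps module elsewhere in this compare exposes one with a default of `false`; to keep the two consistent, add `selfHeal = mkOption { type = types.bool; default = false; description = "Self-heal"; };` to `appOptions` and set `selfHeal = cfg.selfHeal;` here. `builtins.isNull` (used twice for `cfg.name` and `cfg.namespace`) is a deprecated builtin; `cfg.name == null` is the idiomatic form. `appValues` reads `values-${env}.yaml` unconditionally, so an environment without an override file presumably fails at evaluation time rather than falling back to `values.yaml` alone — if that is not intended, guard the second read with `lib.optional (builtins.pathExists "${base}/values-${env}.yaml")`.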
+80
@@ -0,0 +1,80 @@
# Generated by npins. Do not modify; will be overwritten regularly
let
data = builtins.fromJSON (builtins.readFile ./sources.json);
version = data.version;
mkSource =
spec:
assert spec ? type;
let
path =
if spec.type == "Git" then
mkGitSource spec
else if spec.type == "GitRelease" then
mkGitSource spec
else if spec.type == "PyPi" then
mkPyPiSource spec
else if spec.type == "Channel" then
mkChannelSource spec
else
builtins.throw "Unknown source type ${spec.type}";
in
spec // { outPath = path; };
mkGitSource =
{
repository,
revision,
url ? null,
hash,
branch ? null,
...
}:
assert repository ? type;
# At the moment, either it is a plain git repository (which has an url), or it is a GitHub/GitLab repository
# In the latter case, there we will always be an url to the tarball
if url != null then
(builtins.fetchTarball {
inherit url;
sha256 = hash; # FIXME: check nix version & use SRI hashes
})
else
assert repository.type == "Git";
let
urlToName =
url: rev:
let
matched = builtins.match "^.*/([^/]*)(\\.git)?$" repository.url;
short = builtins.substring 0 7 rev;
appendShort = if (builtins.match "[a-f0-9]*" rev) != null then "-${short}" else "";
in
"${if matched == null then "source" else builtins.head matched}${appendShort}";
name = urlToName repository.url revision;
in
builtins.fetchGit {
url = repository.url;
rev = revision;
inherit name;
# hash = hash;
};
mkPyPiSource =
{ url, hash, ... }:
builtins.fetchurl {
inherit url;
sha256 = hash;
};
mkChannelSource =
{ url, hash, ... }:
builtins.fetchTarball {
inherit url;
sha256 = hash;
};
in
if version == 3 then
builtins.mapAttrs (_: mkSource) data.pins
else
throw "Unsupported format version ${toString version} in sources.json. Try running `npins upgrade`"
