Add more Nix Apps

Rewrite of some of the Apps to Nix. Tried to convert
ApplicationSets to simple Applications with an ${env}
modifier.

.envrc

@@ -0,0 +1 @@
+use nix

.gitignore

@@ -1,3 +1,6 @@
+*.tgz
+_*/
+.direnv/
+.pre-commit-config.yaml
 _manifest.yaml
 _resources.yaml
-*.tgz

acl.json

@@ -1 +0,0 @@
-kustomizations/petimeter/manifests/acl.json

applications/openfga.yaml

@@ -1,47 +0,0 @@
-apiVersion: argoproj.io/v1alpha1
-kind: ApplicationSet
-metadata:
-  name: openfga
-  namespace: argocd
-spec:
-  goTemplate: true
-  generators:
-  - list:
-      elements:
-      - cluster: https://kubernetes.default.svc
-        env: prod
-        hostname: openfga.adm.oceanbox.io
-        autoSync: false
-        prune: true
-      - cluster: https://kubernetes.default.svc
-        env: staging
-        hostname: openfga.dev.oceanbox.io
-        autoSync: true
-        prune: true
-  template:
-    metadata:
-      name: '{{ .env }}-openfga'
-    spec:
-      project: aux
-      destination:
-        namespace: idp
-        server: '{{ .cluster }}'
-      sources:
-        - repoURL: https://openfga.github.io/helm-charts
-          targetRevision: 0.2.12
-          chart: openfga
-          helm:
-            valueFiles:
-              - $values/kustomizations/openfga/values.yaml
-              - $values/kustomizations/openfga/values-{{ .env }}.yaml
-        - repoURL: https://gitlab.com/oceanbox/manifests.git
-          targetRevision: main
-          ref: values
-  templatePatch: |
-    {{- if .autoSync }}
-    spec:
-      syncPolicy:
-        automated:
-          prune: {{ .prune }}
-          selfHeal: false
-    {{- end }}

apps/archmeister.yaml

@@ -13,11 +13,11 @@ spec:
         hostname: archmeister.srv.oceanbox.io
         autoSync: false
         prune: true
-      - cluster: https://staging-vcluster.staging-vcluster
-        env: staging
-        hostname: archmeister.beta.oceanbox.io
-        autoSync: true
-        prune: true
+      # - cluster: https://staging-vcluster.staging-vcluster
+      #   env: staging
+      #   hostname: archmeister.beta.oceanbox.io
+      #   autoSync: true
+      #   prune: true
   template:
     metadata:
       name: "{{ .env }}-archmeister"
@@ -29,7 +29,7 @@ spec:
       sources:
       - repoURL: https://gitlab.com/oceanbox/manifests.git
         targetRevision: main
-        path: kustomizations/archmeister
+        path: values/archmeister
         plugin:
           name: kustomize-helm-with-rewrite
           parameters:

apps/atlantis.nix

@@ -0,0 +1,51 @@
+{ lib, config, ... }:
+let
+  cfg = config.apps.atlantis;
+  env = config.apps.env;
+
+  values = lib.apps.appValues {
+    inherit env;
+    base = ../values/atlantis;
+    extraValues = {};
+  };
+
+  kustomize = r:
+    if r.kind == "Deployment" then
+      lib.attrsets.recursiveUpdate r {
+        spec.template.spec.containers =
+        builtins.map (x:
+        x // {
+            livenessProbe.httpGet.path = "/healthz";
+            readinessProble.httpGet.path = "/healthz";
+            env = x.env ++ [ { name = "INERNAL_PORT"; value = 8000; } ];
+        }) r.spec.template.spec.containers;
+      }
+      else if r.kind == "Service" then
+      {}
+    else r;
+in
+{
+  options.apps.atlantis = lib.apps.appOptions {
+      revision = lib.mkOption {
+        type = lib.types.str;
+        default = "main";
+        description = "Revision";
+      };
+
+      hostname = lib.mkOption {
+        type = lib.types.str;
+        default = if env == "prod"
+          then "maps.oceanbox.io"
+          else "atlantis.beta.oceanbox.io";
+        description = "Revision";
+      };
+  };
+
+  config = lib.apps.appConfig cfg "${env}-atlantis" {
+    helm.releases."${env}-atlantis" = {
+      inherit values;
+      chart = ../charts/atlantis;
+      transformer = rs: builtins.map (x: kustomize x) rs;
+    };
+  };
+}

apps/atlantis.yaml

@@ -13,11 +13,11 @@ spec:
         hostname: atlantis.srv.oceanbox.io
         autoSync: false
         prune: true
-      - cluster: https://staging-vcluster.staging-vcluster
-        env: staging
-        hostname: atlantis.beta.oceanbox.io
-        autoSync: true
-        prune: true
+      # - cluster: https://staging-vcluster.staging-vcluster
+      #   env: staging
+      #   hostname: atlantis.beta.oceanbox.io
+      #   autoSync: true
+      #   prune: true
   template:
     metadata:
       name: '{{ .env }}-atlantis'
@@ -29,7 +29,7 @@ spec:
       sources:
       - repoURL: https://gitlab.com/oceanbox/manifests.git
         targetRevision: main
-        path: kustomizations/atlantis
+        path: values/atlantis
         plugin:
           name: kustomize-helm-with-rewrite
           parameters:

apps/busynix.yaml

@@ -24,7 +24,7 @@ spec:
       source:
         repoURL: https://gitlab.com/oceanbox/manifests.git
         targetRevision: main
-        path: kustomizations/busynix
+        path: values/busynix
         plugin:
           name: kustomize-helm-with-rewrite
           parameters:

apps/cerbos.yaml

@@ -25,8 +25,8 @@ spec:
           chart: cerbos
           helm:
             valueFiles:
-              - $values/kustomizations/cerbos/values.yaml
-              - $values/kustomizations/cerbos/values-{{ env }}.yaml
+              - $values/values/cerbos/values.yaml
+              - $values/values/cerbos/values-{{ env }}.yaml
         - repoURL: https://gitlab.com/oceanbox/manifests.git
           targetRevision: main
           ref: values

apps/dapr.nix

@@ -0,0 +1,46 @@
+{ lib, config, ... }:
+let
+  cfg = config.apps.dapr;
+  env = config.apps.env;
+
+  values = lib.apps.appValues {
+    inherit env;
+    extraValues = {
+      global.ha.enabled = true;
+    };
+  };
+
+in
+{
+  options.apps.dapr = lib.apps.appOptions {
+    revision = lib.mkOption {
+      type = lib.types.str;
+      default = "1.14.4";
+      description = "Dapr chart version";
+    };
+  };
+
+  config = lib.apps.appConfig cfg "dapr" {
+    namespace = "argocd";
+    helm.releases.dapr = {
+      inherit values;
+      chart = lib.helm.downloadHelmChart {
+        repo = "https://dapr.github.io/helm-charts/";
+        chart = "dapr";
+        version = cfg.revision;
+      };
+    };
+    annotations = {
+      "argocd.argoproj.io/sync-options" = "SkipDryRunOnMissingResource=true";
+    };
+    resources = {
+      "argoproj.io".v1alpha1.Application.dapr.spec = {
+        destination = {
+          namespace = "dapr-system";
+          server = "https://kubernetes.default.svc";
+        };
+        project = "default";
+      };
+    };
+  };
+}

apps/dapr.yaml

@@ -0,0 +1,33 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: dapr
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: dapr-system
+    server: https://kubernetes.default.svc
+  project: default
+  syncPolicy:
+    # managedNamespaceMetadata:
+    #   labels:
+    #     component: aux
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    automated:
+      prune: true
+      selfHeal: true
+  sources:
+  - repoURL:  https://dapr.github.io/helm-charts/
+    targetRevision: 1.14.4
+    chart: dapr
+    helm:
+      values: |
+        global:
+          ha:
+            enabled: true

apps/default.nix

@@ -0,0 +1,16 @@
+{ ... }:
+{
+  imports = [
+    ./atlantis.nix
+    ./dapr.nix
+    ./dex.nix
+    ./keycloak.nix
+    ./loki.nix
+    ./openfga.nix
+    ./opentelemetry-collector.nix
+    ./rabbitmq.nix
+    ./redis.nix
+    ./tempo.nix
+    ./wordpress.nix
+  ];
+}

apps/dex.nix

@@ -0,0 +1,39 @@
+{ lib, config, ... }:
+let
+  cfg = config.apps.dex;
+  env = config.apps.env;
+  
+  values = lib.apps.appValues {
+    inherit env;
+    base = ../values/dex;
+    extraValues = {};
+  };
+in
+{
+  options.apps.dex = lib.apps.appOptions { 
+    enable = lib.mkEnableOption "Dex";
+    revision = lib.mkOption {
+      type = lib.types.str;
+      default = "0.16.0";
+      description = "Dex chart version";
+    };
+    hostname = lib.mkOption {
+      type = lib.types.str;
+      description = "Dex hostname";
+      default = "idp.${env}.oceanbox.io";
+    };
+  };
+  config = lib.apps.appConfig cfg "${env}-dex" {
+    namespace = "idp";
+    helm.releases.dex = {
+      inherit values;
+      chart = lib.helm.downloadHelmChart {
+        repo = "https://charts.dexidp.io";
+        chart = "dex";
+        version = cfg.revision;
+        chartHash = "";
+      };
+      transformer = rs: builtins.map (x: kustomize x) rs;
+    };
+  };
+}

apps/dex.yaml

@@ -10,6 +10,6 @@ spec:
     namespace: idp
   source:
     repoURL: https://gitlab.com/oceanbox/manifests.git
-    targetRevision: main
-    path: kustomizations/dex/manifests
+    targetRevision: nixidy
+    path: values/dex/manifests
 

apps/geoserver.yaml

@@ -24,7 +24,7 @@ spec:
       sources:
       - repoURL: https://gitlab.com/oceanbox/manifests.git
         targetRevision: main
-        path: kustomizations/geoserver
+        path: values/geoserver
         plugin:
           name: kustomize-helm-with-rewrite
           parameters:

apps/hipster.yaml

@@ -13,11 +13,11 @@ spec:
         hostname: hipster.srv.oceanbox.io
         autoSync: false
         prune: true
-      - cluster: https://staging-vcluster.staging-vcluster
-        env: staging
-        hostname: hipster.beta.oceanbox.io
-        autoSync: true
-        prune: true
+      # - cluster: https://staging-vcluster.staging-vcluster
+      #   env: staging
+      #   hostname: hipster.beta.oceanbox.io
+      #   autoSync: true
+      #   prune: true
   template:
     metadata:
       name: '{{ .env }}-hipster'
@@ -29,7 +29,7 @@ spec:
       sources:
       - repoURL: https://gitlab.com/oceanbox/manifests.git
         targetRevision: main
-        path: kustomizations/hipster
+        path: values/hipster
         plugin:
           name: kustomize-helm-with-rewrite
           parameters:

apps/jaeger.yaml

@@ -14,9 +14,9 @@ spec:
     chart: jaeger-operator
     helm:
       valueFiles:
-        - $values/kustomizations/jaeger/values.yaml
+        - $values/values/jaeger/values.yaml
   - repoURL: https://gitlab.com/oceanbox/manifests.git
     targetRevision: main
-    # path: kustomizations/jaeger/manifests
+    # path: values/jaeger/manifests
     ref: values
 

apps/keycloak.nix

@@ -0,0 +1,34 @@
+{ lib, config, ... }:
+let
+  cfg = config.apps.keycloak;
+  env = config.apps.env;
+
+  values = lib.apps.appValues {
+    inherit env;
+    base = ../values/keycloak;
+    extraValues = {};
+  };
+in
+{
+  options.apps.keycloak = lib.apps.appOptions {
+    enable = lib.mkEnableOption "Keycloak";
+    revision = lib.mkOption {
+      type = lib.types.str;
+      default = "24.0.2";
+      description = "Keycloak chart version";
+    };
+  };
+  config = lib.apps.appConfig cfg "keycloak" {
+    namespace = "idp";
+    helm.releases.keycloak = {
+      inherit values;
+      chart = lib.helm.downloadHelmChart {
+        repo = "https://charts.bitnami.com/bitnami";
+        chart = "keycloak";
+        version = cfg.revision;
+        chartHash = "";
+      };
+      transformer = rs: builtins.map (x: kustomize x) rs;
+    };
+  };
+}

apps/keycloak.yaml

@@ -10,12 +10,12 @@ spec:
     namespace: idp
   sources:
   - repoURL: https://charts.bitnami.com/bitnami
-    targetRevision: 18.3.4
+    targetRevision: 24.0.2
     chart: keycloak
     helm:
       valueFiles:
-        - $values/kustomizations/keycloak/values.yaml
+        - $values/values/keycloak/values.yaml
   - repoURL: https://gitlab.com/oceanbox/manifests.git
-    targetRevision: main
+    targetRevision: nixidy
     ref: values
 

apps/loki.nix

@@ -0,0 +1,249 @@
+{ lib, config, ... }:
+let
+  cfg = config.apps.loki;
+  env = config.apps.env;
+
+  values = lib.apps.appValues {
+    inherit env;
+    extraValues = {
+      loki = {
+        auth_enabled = false;
+        storage = {
+          bucketNames = {
+            chunks = cfg.buckets.chunks;
+            ruler = cfg.buckets.ruler;
+            admin = cfg.buckets.admin;
+          };
+          s3 =
+            {
+              endpoint = cfg.s3.endpoint;
+              region = cfg.s3.region;
+              secretAccessKey = "\${S3SECRET}";
+              accessKeyId = "\${S3KEY}";
+              s3ForcePathStyle = true;
+            }
+            // lib.optionalAttrs cfg.s3.insecureSkipVerify {
+              http_config.insecure_skip_verify = true;
+            };
+        };
+        schemaConfig.configs = [
+          {
+            from = "2024-04-01";
+            index.period = "24h";
+            index.prefix = "loki_index_";
+            object_store = "s3";
+            schema = "v13";
+            store = "tsdb";
+          }
+        ];
+        compactor = {
+          compaction_interval = "10m";
+          working_directory = "/tmp/loki/compactor";
+          retention_enabled = true;
+          retention_delete_delay = "2h";
+          retention_delete_worker_count = 150;
+          delete_request_store = "s3";
+        };
+        limits_config.retention_period = "744h";
+      };
+
+      write = {
+        extraArgs = [ "-config.expand-env=true" ];
+        extraEnv = [
+          {
+            name = "S3KEY";
+            valueFrom.secretKeyRef = {
+              name = cfg.secret.name;
+              key = cfg.secret.accessKey;
+            };
+          }
+          {
+            name = "S3SECRET";
+            valueFrom.secretKeyRef = {
+              name = cfg.secret.name;
+              key = cfg.secret.secretKey;
+            };
+          }
+        ];
+        tolerations = [
+          {
+            effect = "NoSchedule";
+            operator = "Equal";
+            key = "unschedulable";
+            value = "true";
+          }
+        ];
+      };
+
+      read = {
+        extraArgs = [ "-config.expand-env=true" ];
+        extraEnv = [
+          {
+            name = "S3KEY";
+            valueFrom.secretKeyRef = {
+              name = cfg.secret.name;
+              key = cfg.secret.accessKey;
+            };
+          }
+          {
+            name = "S3SECRET";
+            valueFrom.secretKeyRef = {
+              name = cfg.secret.name;
+              key = cfg.secret.secretKey;
+            };
+          }
+        ];
+        tolerations = [
+          {
+            effect = "NoSchedule";
+            operator = "Equal";
+            key = "unschedulable";
+            value = "true";
+          }
+        ];
+      };
+
+      ingress = {
+        enabled = true;
+        ingressClassName = "nginx";
+        annotations = {
+          "cert-manager.io/cluster-issuer" = "letsencrypt-staging";
+          "nginx.ingress.kubernetes.io/ssl-redirect" = "true";
+          "atlantis.oceanbox.io/expose" = "internal";
+        };
+        hosts = [ "loki.adm.oceanbox.io" ];
+        tls = [{
+          hosts = [ "loki.adm.oceanbox.io" ];
+          secretName = "loki-distributed-tls";
+        }];
+      };
+
+      compactor = {
+        extraArgs = [ "-config.expand-env=true" ];
+        extraEnv = [
+          {
+            name = "S3KEY";
+            valueFrom.secretKeyRef = {
+              name = cfg.secret.name;
+              key = cfg.secret.accessKey;
+            };
+          }
+          {
+            name = "S3SECRET";
+            valueFrom.secretKeyRef = {
+              name = cfg.secret.name;
+              key = cfg.secret.secretKey;
+            };
+          }
+        ];
+      };
+
+      backend = {
+        extraArgs = [ "-config.expand-env=true" ];
+        extraEnv = [
+          {
+            name = "S3KEY";
+            valueFrom.secretKeyRef = {
+              name = cfg.secret.name;
+              key = cfg.secret.accessKey;
+            };
+          }
+          {
+            name = "S3SECRET";
+            valueFrom.secretKeyRef = {
+              name = cfg.secret.name;
+              key = cfg.secret.secretKey;
+            };
+          }
+        ];
+      };
+    };
+  };
+
+in
+{
+  options.apps.loki = lib.apps.appOptions {
+    revision = lib.mkOption {
+      type = lib.types.str;
+      default = "6.12.0";
+      description = "Loki chart version";
+    };
+    buckets = {
+      chunks = lib.mkOption {
+        type = lib.types.str;
+        default = "loki-chunks";
+        description = "S3 bucket for chunks";
+      };
+      ruler = lib.mkOption {
+        type = lib.types.str;
+        default = "loki-chunks";
+        description = "S3 bucket for ruler";
+      };
+      admin = lib.mkOption {
+        type = lib.types.str;
+        default = "loki-chunks";
+        description = "S3 bucket for admin";
+      };
+    };
+    s3 = {
+      endpoint = lib.mkOption {
+        type = lib.types.str;
+        default = "http://10.255.241.30:30080";
+        description = "S3 endpoint";
+      };
+      region = lib.mkOption {
+        type = lib.types.str;
+        default = "tos";
+        description = "S3 region";
+      };
+      insecureSkipVerify = lib.mkOption {
+        type = lib.types.bool;
+        default = true;
+        description = "Skip TLS verification";
+      };
+    };
+    secret = {
+      name = lib.mkOption {
+        type = lib.types.str;
+        default = "loki-s3";
+        description = "Name of the S3 credentials secret";
+      };
+      accessKey = lib.mkOption {
+        type = lib.types.str;
+        default = "AWS_ACCESS_KEY_ID";
+        description = "Access key field in secret";
+      };
+      secretKey = lib.mkOption {
+        type = lib.types.str;
+        default = "AWS_ACCESS_KEY_SECRET";
+        description = "Secret key field in secret";
+      };
+    };
+  };
+
+  config = lib.apps.appConfig cfg "loki" {
+    namespace = "argocd";
+    helm.releases.loki = {
+      inherit values;
+      chart = lib.helm.downloadHelmChart {
+        repo = "https://grafana.github.io/helm-charts";
+        chart = "loki";
+        version = cfg.revision;
+        chartHash = "sha256-YUtEIUiQWRzlttfOOgDk1xfTaiAZ12tIgpGr1QcMpro=";
+      };
+    };
+    annotations = {
+      "argocd.argoproj.io/sync-options" = "SkipDryRunOnMissingResource=true";
+    };
+    # TODO: Add network policies as a second source or integrate them into `resources`.
+    resources = {
+      "argoproj.io".v1alpha1.Application.loki.spec.ignoreDifferences = [
+        {
+          group = "apps";
+          kind = "StatefulSet";
+          jsonPointers = [ "/spec/persistentVolumeClaimRetentionPolicy" ];
+        }
+      ];
+    };
+  };
+}

apps/loki.yaml

@@ -46,8 +46,8 @@ spec:
             s3:
               endpoint: http://10.255.241.30:30080
               region: tos
-              secretAccessKey: ${S3SECRET}
               accessKeyId: ${S3KEY}
+              secretAccessKey: ${S3SECRET}
               s3ForcePathStyle: true
               http_config:
                 insecure_skip_verify: true

apps/openfga.nix

@@ -0,0 +1,39 @@
+{ lib, config, ... }:
+let
+  cfg = config.apps.openfga;
+  env = config.apps.env;
+
+  values = lib.apps.appValues {
+    inherit env;
+    base = ../values/openfga;
+    extraValues = {};
+  };
+
+  kustomize = r:
+    if r.kind == "Job" then
+      lib.attrsets.recursiveUpdate r { spec.backoffLimit = 2; }
+    else r;
+
+in
+  {
+    options.apps.openfga = lib.apps.appOptions {};
+
+    config = lib.apps.appConfig cfg "${env}-openfga" {
+        helm.releases."${env}-openfga" = {
+          inherit values;
+          chart = lib.helm.downloadHelmChart {
+            repo = "https://openfga.github.io/helm-charts";
+            chart = "openfga";
+            version = "0.2.12";
+            chartHash = "sha256-7yLcw9/oNPvCePrtTJwKAG88t0Ym5Dl/S83Gz+gQdDU=";
+          };
+          transformer = rs: builtins.map (x: kustomize x) rs;
+        };
+
+        annotations = {};
+        resources = {
+          services.poop.spec = {
+          };
+        };
+      };
+  }

apps/opentelemetry-collector.nix

@@ -0,0 +1,117 @@
+{ lib, config, ... }:
+let
+  cfg = config.apps.opentelemetry-collector;
+  env = config.apps.env;
+
+  values = lib.apps.appValues {
+    inherit env;
+    extraValues = {
+      mode = "deployment";
+      image = {
+        repository = "otel/opentelemetry-collector-k8s";
+      };
+      service = {
+        type = "LoadBalancer";
+        loadBalancerIP = "10.255.241.12";
+      };
+      config = {
+        receivers = {
+          "prometheus/collector" = {
+            config.scrape_configs = [{
+              job_name = "opentelemetry-collector";
+              static_configs = [{
+                targets = [ "\${env:MY_POD_IP}:8888" ];
+              }];
+            }];
+          };
+          zipkin.endpoint = "\${env:MY_POD_IP}:9411";
+        };
+        exporters = {
+          otlp = {
+            endpoint = "tempo.tempo.svc:4317";
+            tls.insecure = true;
+          };
+          "otlphttp/metrics" = {
+            endpoint = "http://prom-prometheus.prometheus:9090/api/v1/otlp";
+            tls.insecure = true;
+          };
+          "otlphttp/logs" = {
+            endpoint = "http://loki-write-headless.loki:3100/otlp";
+            tls.insecure = true;
+          };
+          "debug/metrics".verbosity = "detailed";
+          "debug/traces".verbosity = "detailed";
+          "debug/logs".verbosity = "detailed";
+        };
+        service = {
+          telemetry.logs.level = "info";
+          pipelines = {
+            traces = {
+              receivers = [ "otlp" "zipkin" ];
+              processors = [ "batch" ];
+              exporters = [ "otlp" ];
+            };
+            metrics = {
+              receivers = [ "otlp" "prometheus/collector" ];
+              processors = [ "batch" ];
+              exporters = [ "otlphttp/metrics" ];
+            };
+            logs = {
+              receivers = [ "otlp" ];
+              processors = [ "batch" ];
+              exporters = [ "otlphttp/logs" ];
+            };
+          };
+        };
+      };
+      ports.metrics.enabled = true;
+      ingress = {
+        enabled = false;
+        annotations = {
+          "cert-manager.io/cluster-issuer" = "letsencrypt-production";
+          "nginx.ingress.kubernetes.io/ssl-redirect" = "true";
+          "atlantis.oceanbox.io/expose" = "internal";
+        };
+        ingressClassName = "nginx";
+        hosts = [{
+          host = "opentelemetry-collector.adm.oceanbox.io";
+          paths = [{
+            path = "/";
+            pathType = "Prefix";
+            port = 4318;
+          }];
+        }];
+        tls = [{
+          secretName = "collector-tls";
+          hosts = [ "opentelemetry-collector.adm.oceanbox.io" ];
+        }];
+      };
+    };
+  };
+
+in
+{
+  options.apps.opentelemetry-collector = lib.apps.appOptions {
+    revision = lib.mkOption {
+      type = lib.types.str;
+      default = "0.107.0";
+      description = "OpenTelemetry Collector chart version";
+    };
+  };
+
+  config = lib.apps.appConfig cfg "opentelemetry-collector" {
+    namespace = "argocd";
+    helm.releases.opentelemetry-collector = {
+      inherit values;
+      chart = lib.helm.downloadHelmChart {
+        repo = "https://open-telemetry.github.io/opentelemetry-helm-charts";
+        chart = "opentelemetry-collector";
+        version = cfg.revision;
+        chartHash = "sha256-0000000000000000000000000000000000000000000000"; # TODO: Add correct hash
+      };
+    };
+    annotations = {
+      "argocd.argoproj.io/sync-options" = "SkipDryRunOnMissingResource=true";
+    };
+  };
+}

apps/opentelemetry-collector.yaml

@@ -31,6 +31,9 @@ spec:
         mode: deployment
         image:
           repository: otel/opentelemetry-collector-k8s
+        service:
+          type: LoadBalancer
+          loadBalancerIP: 10.255.241.12
         config:
           receivers:
             prometheus/collector:
@@ -88,14 +91,14 @@ spec:
         #   logsCollection:
         #     enabled: true
         ingress:
-          enabled: true
+          enabled: false
           annotations:
-              cert-manager.io/cluster-issuer: letsencrypt-staging
+              cert-manager.io/cluster-issuer: letsencrypt-production
               nginx.ingress.kubernetes.io/ssl-redirect: "true"
               atlantis.oceanbox.io/expose: internal
           ingressClassName: nginx
           hosts:
-            - host: collector.adm.oceanbox.io
+            - host: opentelemetry-collector.adm.oceanbox.io
               paths:
                 - path: /
                   pathType: Prefix
@@ -103,4 +106,4 @@ spec:
           tls:
             - secretName: collector-tls
               hosts:
-                - collector.adm.oceanbox.io
+                - opentelemetry-collector.adm.oceanbox.io

apps/osm-tile-server.yaml

@@ -24,7 +24,7 @@ spec:
       source:
         repoURL: https://gitlab.com/oceanbox/manifests.git
         targetRevision: HEAD
-        path: kustomizations/osm-tile-server
+        path: values/osm-tile-server
         plugin:
           name: kustomize-helm-with-rewrite
           parameters:

apps/petimeter.yaml

@@ -13,11 +13,11 @@ spec:
         hostname: petimeter.srv.oceanbox.io
         autoSync: false
         prune: true
-      - cluster: https://staging-vcluster.staging-vcluster
-        env: staging
-        hostname: petimeter.beta.oceanbox.io
-        autoSync: true
-        prune: true
+      # - cluster: https://staging-vcluster.staging-vcluster
+      #   env: staging
+      #   hostname: petimeter.beta.oceanbox.io
+      #   autoSync: true
+      #   prune: true
   template:
     metadata:
       name: '{{ .env }}-petimeter'
@@ -29,7 +29,7 @@ spec:
       sources:
       - repoURL: https://gitlab.com/oceanbox/manifests.git
         targetRevision: main
-        path: kustomizations/petimeter
+        path: values/petimeter
         plugin:
           name: kustomize-helm-with-rewrite
           parameters:
@@ -39,7 +39,7 @@ spec:
             string: '{{ .hostname }}'
       - repoURL: https://gitlab.com/oceanbox/manifests.git
         targetRevision: main
-        path: kustomizations/petimeter/manifests
+        path: values/petimeter/manifests
   templatePatch: |
     {{- if .autoSync }}
     spec:

apps/prod-atlantis.yaml

@@ -0,0 +1,66 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: prod-atlantis
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: prod-atlantis
+    server: https://kubernetes.default.svc
+  project: atlantis
+  sources:
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: nixidy
+    ref: values
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: nixidy
+    path: values/atlantis
+    plugin:
+      name: kustomize-helm-with-rewrite
+      parameters:
+      - name: env
+        string: prod
+      - name: hostname
+        string: maps.oceanbox.io
+  - repoURL: https://charts.bitnami.com/bitnami
+    targetRevision: 20.1.7
+    chart: redis
+    helm:
+      valueFiles:
+      - $values/values/atlantis/prod/redis.yaml
+  ignoreDifferences:
+    - kind: Secret
+      name: azure-keyvault
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.labels'
+        - '.metadata.annotations'
+    - kind: Secret
+      name: prod-atlantis-rabbitmq
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.labels'
+        - '.metadata.annotations'
+    - kind: Secret
+      name: prod-archmeister-replication
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.labels'
+        - '.metadata.annotations'
+    - kind: Secret
+      name: prod-archmeister-ca
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.labels'
+        - '.metadata.annotations'
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    # automated:
+    #   prune: true
+    #   selfHeal: false

apps/prod-keycloak.yaml

@@ -0,0 +1,38 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: prod-keycloak
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  project: aux
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: keycloak
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        component: aux
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    automated:
+      prune: true
+      selfHeal: true
+  sources:
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: nixidy
+    path: values/keycloak/prod
+  - repoURL: https://charts.bitnami.com/bitnami
+    targetRevision: 24.0.2
+    chart: keycloak
+    helm:
+      valueFiles:
+        - $values/values/keycloak/values-prod.yaml
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: nixidy
+    ref: values
+

apps/prod-openfga.yaml

@@ -0,0 +1,39 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: prod-openfga
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: openfga
+    server: https://kubernetes.default.svc
+  project: aux
+  # ignoreDifferences:
+  # - group: apps
+  #   kind: StatefulSet
+  #   jsonPointers:
+  #   - /spec/persistentVolumeClaimRetentionPolicy
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        component: aux
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    automated:
+      prune: true
+      selfHeal: true
+  sources:
+  - repoURL: https://openfga.github.io/helm-charts
+    targetRevision: 0.2.19
+    chart: openfga
+    helm:
+      valueFiles:
+      - $values/values/openfga/values-prod.yaml
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: nixidy
+    ref: values

apps/prod-sorcerer.yaml

@@ -0,0 +1,54 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: prod-sorcerer
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: prod-sorcerer
+    server: https://10.255.241.99:4443
+  project: atlantis
+  sources:
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: nixidy
+    ref: values
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: nixidy
+    path: values/sorcerer
+    plugin:
+      name: kustomize-helm-with-rewrite
+      parameters:
+      - name: env
+        string: prod
+      - name: hostname
+        string: sorcerer.data.oceanbox.io
+  - repoURL: https://charts.bitnami.com/bitnami
+    targetRevision: 20.1.7
+    chart: redis
+    helm:
+      valueFiles:
+      - $values/values/sorcerer/prod/redis.yaml
+  ignoreDifferences:
+    - kind: Secret
+      name: azure-keyvault
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.labels'
+        - '.metadata.annotations'
+    - kind: Secret
+      name: prod-atlantis-rabbitmq
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.labels'
+        - '.metadata.annotations'
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    # automated:
+    #   prune: true
+    #   selfHeal: false

apps/rabbitmq.nix

@@ -0,0 +1,39 @@
+{ lib, config, ... }:
+let
+  cfg = config.apps.rabbitmq;
+  env = config.apps.env;
+
+  values = lib.apps.appValues {
+    inherit env;
+    base = ../values/rabbitmq;
+    extraValues = {};
+  };
+in
+{
+  options.apps.rabbitmq = lib.apps.appOptions {
+    enable = lib.mkEnableOption "RabbitMQ";
+    revision = lib.mkOption {
+      type = lib.types.str;
+      default = "12.9.0";
+      description = "RabbitMQ chart version";
+    };
+    hostname = lib.mkOption {
+      type = lib.types.str;
+      description = "RabbitMQ hostname";
+      default = "rabbitmq.${env}.oceanbox.io";
+    };
+  };
+  config = lib.apps.appConfig cfg "${env}-rabbitmq" {
+    namespace = "rabbitmq";
+    helm.releases.rabbitmq = {
+      inherit values;
+      chart = lib.helm.downloadHelmChart {
+        repo = "https://charts.bitnami.com/bitnami";
+        chart = "rabbitmq";
+        version = cfg.revision;
+        chartHash = "";
+      };
+      transformer = rs: builtins.map (x: kustomize x) rs;
+    };
+  };
+}

apps/rabbitmq.yaml

@@ -27,8 +27,8 @@ spec:
           chart: rabbitmq
           helm:
             valueFiles:
-              - $values/kustomizations/rabbitmq/values-{{ env }}.yaml
+              - $values/values/rabbitmq/values-{{ env }}.yaml
         - repoURL: https://gitlab.com/oceanbox/manifests.git
           targetRevision: main
-          path: kustomizations/rabbitmq/{{ env }}
+          path: values/rabbitmq/{{ env }}
           ref: values

apps/redis.nix

@@ -0,0 +1,34 @@
+{ lib, config, ... }:
+let
+  cfg = config.apps.redis;
+  env = config.apps.env;
+
+  values = lib.apps.appValues {
+    inherit env;
+    base = ../values/redis;
+    extraValues = {};
+  };
+in
+{
+  options.apps.redis = lib.apps.appOptions {
+    enable = lib.mkEnableOption "Redis";
+    revision = lib.mkOption {
+      type = lib.types.str;
+      default = "19.5.2";
+      description = "Redis chart version";
+    };
+  };
+  config = lib.apps.appConfig cfg "${env}-redis" {
+    namespace = "redis";
+    helm.releases.redis = {
+      inherit values;
+      chart = lib.helm.downloadHelmChart {
+        repo = "https://charts.bitnami.com/bitnami";
+        chart = "redis";
+        version = cfg.revision;
+        chartHash = "";
+      };
+      transformer = rs: builtins.map (x: kustomize x) rs;
+    };
+  };
+}

apps/redis.yaml

@@ -25,13 +25,13 @@ spec:
           chart: redis
           helm:
             valueFiles:
-              - $values/kustomizations/redis/values-{{ env }}.yaml
+              - $values/values/redis/values-{{ env }}.yaml
         - repoURL: https://gitlab.com/oceanbox/manifests.git
           targetRevision: HEAD
           ref: values
         - repoURL: https://gitlab.com/oceanbox/manifests.git
           targetRevision: main
-          path: kustomizations/redis/{{ env }}
+          path: values/redis/{{ env }}
       ignoreDifferences:
         - group: apps
           kind: StatefulSet

apps/seq.yaml

@@ -14,7 +14,7 @@ spec:
     chart: seq
     helm:
       valueFiles:
-        - $values/kustomizations/seq/values.yaml
+        - $values/values/seq/values.yaml
   - repoURL: https://gitlab.com/oceanbox/manifests.git
     targetRevision: main
     ref: values

apps/sorcerer.yaml

@@ -13,11 +13,11 @@ spec:
         hostname: sorcerer.data.oceanbox.io
         autoSync: false
         prune: true
-      - cluster: https://10.255.241.99:4443
-        env: staging
-        hostname: sorcerer.ekman.oceanbox.io
-        autoSync: true
-        prune: true
+      # - cluster: https://10.255.241.99:4443
+      #   env: staging
+      #   hostname: sorcerer.ekman.oceanbox.io
+      #   autoSync: true
+      #   prune: true
   template:
     metadata:
       name: '{{ .env }}-sorcerer'
@@ -29,7 +29,7 @@ spec:
       sources:
       - repoURL: https://gitlab.com/oceanbox/manifests.git
         targetRevision: main
-        path: kustomizations/sorcerer
+        path: values/sorcerer
         plugin:
           name: kustomize-helm-with-rewrite
           parameters:

apps/staging-atlantis.yaml

@@ -0,0 +1,66 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: staging-atlantis
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: staging-atlantis
+    server: https://kubernetes.default.svc
+  project: atlantis
+  sources:
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: nixidy
+    ref: values
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: nixidy
+    path: values/atlantis
+    plugin:
+      name: kustomize-helm-with-rewrite
+      parameters:
+      - name: env
+        string: staging
+      - name: hostname
+        string: atlantis.beta.oceanbox.io
+  - repoURL: https://charts.bitnami.com/bitnami
+    targetRevision: 20.1.7
+    chart: redis
+    helm:
+      valueFiles:
+      - $values/values/atlantis/staging/redis.yaml
+  ignoreDifferences:
+    - kind: Secret
+      name: azure-keyvault
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.labels'
+        - '.metadata.annotations'
+    - kind: Secret
+      name: staging-atlantis-rabbitmq
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.labels'
+        - '.metadata.annotations'
+    - kind: Secret
+      name: prod-archmeister-replication
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.labels'
+        - '.metadata.annotations'
+    - kind: Secret
+      name: prod-archmeister-ca
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.labels'
+        - '.metadata.annotations'
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    automated:
+      prune: true
+      selfHeal: false

apps/staging-openfga.yaml

@@ -0,0 +1,39 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: staging-openfga
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: openfga
+    server: https://kubernetes.default.svc
+  project: aux
+  # ignoreDifferences:
+  # - group: apps
+  #   kind: StatefulSet
+  #   jsonPointers:
+  #   - /spec/persistentVolumeClaimRetentionPolicy
+  syncPolicy:
+    managedNamespaceMetadata:
+      labels:
+        component: aux
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    automated:
+      prune: true
+      selfHeal: true
+  sources:
+  - repoURL: https://openfga.github.io/helm-charts
+    targetRevision: 0.2.19
+    chart: openfga
+    helm:
+      valueFiles:
+      - $values/values/openfga/values-staging.yaml
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: nixidy
+    ref: values

apps/staging-sorcerer.yaml

@@ -0,0 +1,54 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: staging-sorcerer
+  namespace: argocd
+  annotations:
+    argocd.argoproj.io/sync-options: SkipDryRunOnMissingResource=true
+  finalizers:
+  - resources-finalizer.argocd.argoproj.io
+spec:
+  destination:
+    namespace: staging-sorcerer
+    server: https://10.255.241.99:4443
+  project: atlantis
+  sources:
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: nixidy
+    ref: values
+  - repoURL: https://gitlab.com/oceanbox/manifests.git
+    targetRevision: nixidy
+    path: values/sorcerer
+    plugin:
+      name: kustomize-helm-with-rewrite
+      parameters:
+      - name: env
+        string: staging
+      - name: hostname
+        string: sorcerer.ekman.oceanbox.io
+  - repoURL: https://charts.bitnami.com/bitnami
+    targetRevision: 20.1.7
+    chart: redis
+    helm:
+      valueFiles:
+      - $values/values/sorcerer/staging/redis.yaml
+  ignoreDifferences:
+    - kind: Secret
+      name: azure-keyvault
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.labels'
+        - '.metadata.annotations'
+    - kind: Secret
+      name: prod-atlantis-rabbitmq
+      jqPathExpressions:
+        - '.data'
+        - '.metadata.labels'
+        - '.metadata.annotations'
+  syncPolicy:
+    syncOptions:
+      - CreateNamespace=true
+      - ApplyOutOfSyncOnly=true
+    # automated:
+    #   prune: true
+    #   selfHeal: false

apps/tempo.nix

@@ -0,0 +1,124 @@
+{ lib, config, ... }:
+let
+  cfg = config.apps.tempo;
+  env = config.apps.env;
+
+  values = lib.apps.appValues {
+    inherit env;
+    extraValues = {
+      tempo = {
+        storage = {
+          trace = {
+            backend = "s3";
+            s3 = {
+              bucket = cfg.s3.bucket;
+              endpoint = cfg.s3.endpoint;
+              access_key = "\${S3SECRET}";
+              secret_key = "\${S3KEY}";
+              insecure = true;
+            };
+            local = {
+              path = "/var/tempo/traces";
+            };
+            wal = {
+              path = "/var/tempo/wal";
+            };
+          };
+        };
+        metricsGenerator = {
+          enabled = true;
+          remoteWriteUrl = "http://prom-prometheus.prometheus:9090/api/v1/write";
+        };
+        extraEnv = [
+          {
+            name = "S3KEY";
+            valueFrom.secretKeyRef = {
+              name = cfg.secret.name;
+              key = cfg.secret.accessKey;
+            };
+          }
+          {
+            name = "S3SECRET";
+            valueFrom.secretKeyRef = {
+              name = cfg.secret.name;
+              key = cfg.secret.secretKey;
+            };
+          }
+        ];
+      };
+
+      tempoQuery = {
+        ingress = {
+          enabled = true;
+          ingressClassName = "nginx";
+          annotations = {
+            "cert-manager.io/cluster-issuer" = "letsencrypt-staging";
+            "nginx.ingress.kubernetes.io/ssl-redirect" = "true";
+            "atlantis.oceanbox.io/expose" = "internal";
+          };
+          path = "/";
+          pathType = "Prefix";
+          hosts = [ "query.tempo.adm.oceanbox.io" ];
+          tls = [{
+            secretName = "tempo-query-tls";
+            hosts = [ "query.tempo.adm.oceanbox.io" ];
+          }];
+        };
+      };
+    };
+  };
+
+in
+{
+  options.apps.tempo = lib.apps.appOptions {
+    revision = lib.mkOption {
+      type = lib.types.str;
+      default = "1.10.3";
+      description = "Tempo chart version";
+    };
+    s3 = {
+      bucket = lib.mkOption {
+        type = lib.types.str;
+        default = "tempo-traces";
+        description = "S3 bucket for traces";
+      };
+      endpoint = lib.mkOption {
+        type = lib.types.str;
+        default = "http://10.255.241.30:30080";
+        description = "S3 endpoint";
+      };
+    };
+    secret = {
+      name = lib.mkOption {
+        type = lib.types.str;
+        default = "tempo-s3";
+        description = "Name of the S3 credentials secret";
+      };
+      accessKey = lib.mkOption {
+        type = lib.types.str;
+        default = "AWS_ACCESS_KEY_ID";
+        description = "Access key field in secret";
+      };
+      secretKey = lib.mkOption {
+        type = lib.types.str;
+        default = "AWS_ACCESS_KEY_SECRET";
+        description = "Secret key field in secret";
+      };
+    };
+  };
+
+  config = lib.apps.appConfig cfg "tempo" {
+    namespace = "argocd";
+    helm.releases.tempo = {
+      inherit values;
+      chart = lib.helm.downloadHelmChart {
+        repo = "https://grafana.github.io/helm-charts";
+        chart = "tempo";
+        version = cfg.revision;
+      };
+    };
+    annotations = {
+      "argocd.argoproj.io/sync-options" = "SkipDryRunOnMissingResource=true";
+    };
+  };
+}

apps/tempo.yaml

@@ -34,11 +34,11 @@ spec:
               backend: s3
               s3:
                 bucket: tempo-traces
-                endpoint: http://10.255.241.30:30080
-                access_key: ${S3SECRET}
-                secret_key: ${S3KEY}
+                endpoint: 10.255.241.30:30080
+                access_key: ${S3KEY}
+                secret_key: ${S3SECRET}
+                forcepathstyle: true
                 insecure: true
-              backend: local
               local:
                 path: /var/tempo/traces
               wal:
@@ -46,6 +46,7 @@ spec:
           metricsGenerator:
             enabled: true
             remoteWriteUrl: "http://prom-prometheus.prometheus:9090/api/v1/write"
+          extraArgs: { config.expand-env=true }
           extraEnv:
           - name: S3KEY
             valueFrom:

apps/wordpress.nix

@@ -0,0 +1,39 @@
+{ lib, config, ... }:
+let
+  cfg = config.apps.wordpress;
+  env = config.apps.env;
+
+  values = lib.apps.appValues {
+    inherit env;
+    base = ../values/wordpress;
+    extraValues = {};
+  };
+in
+{
+  options.apps.wordpress = lib.apps.appOptions {
+    enable = lib.mkEnableOption "WordPress";
+    revision = lib.mkOption {
+      type = lib.types.str;
+      default = "19.2.2";
+      description = "WordPress chart version";
+    };
+    hostname = lib.mkOption {
+      type = lib.types.str;
+      description = "WordPress hostname";
+      default = "www.${env}.oceanbox.io";
+    };
+  };
+  config = lib.apps.appConfig cfg "www-oceanbox" {
+    namespace = "www-oceanbox";
+    helm.releases.wordpress = {
+      inherit values;
+      chart = lib.helm.downloadHelmChart {
+        repo = "https://charts.bitnami.com/bitnami";
+        chart = "wordpress";
+        version = cfg.revision;
+        chartHash = "";
+      };
+      transformer = rs: builtins.map (x: kustomize x) rs;
+    };
+  };
+}

charts/archmeister/values.yaml

@@ -11,6 +11,17 @@ init:
   enabled: false
   image: ubuntu:rolling
   command: ["/bin/sh", "-c", "true"]
+env:
+  - name: LOG_LEVEL
+    value: "3"
+  - name: APP_NAME
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.name
+  - name: APP_NAMESPACE
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.namespace
 imagePullSecrets:
   - name: gitlab-pull-secret
 nameOverride: ""

charts/atlantis/Chart.lock

@@ -1,6 +0,0 @@
-dependencies:
-- name: redis
-  repository: https://charts.bitnami.com/bitnami
-  version: 20.1.7
-digest: sha256:9c9be148366bb3d50f7394ba5a33e1a00a087b5ed61d2bcf1faec9b369e76582
-generated: "2024-10-08T13:21:10.374993273+02:00"

charts/atlantis/Chart.yaml

@@ -4,9 +4,3 @@ description: Atlantis map and simulation service
 type: application
 version: v2.87.1
 appVersion: v2.87.1
-dependencies:
-  - name: redis
-    version: 20.1.7
-    repository: https://charts.bitnami.com/bitnami
-    condition: redis.enabled
-    alias: redis

charts/atlantis/templates/ingress.yaml

@@ -54,8 +54,8 @@ spec:
                 port:
                   number: {{ $svcPort }}
               {{- else }}
-              serviceName: {{ $fullName }}
-              servicePort: {{ $svcPort }}
+              serviceName: {{ .serviceName | default $fullName }}
+              servicePort: {{ .servicePort | default $svcPort }}
               {{- end }}
           {{- end }}
     {{- end }}

charts/atlantis/templates/internal-ingress.yaml

@@ -0,0 +1,62 @@
+{{- if .Values.ingress.enabled -}}
+{{- $fullName := include "Atlantis.fullname" . -}}
+{{- $svcPort := .Values.service.port -}}
+{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
+  {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
+  {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
+  {{- end }}
+{{- end }}
+{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1
+{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+  name: {{ $fullName }}-internal
+  labels:
+    {{- include "Atlantis.labels" . | nindent 4 }}
+  {{- with .Values.ingress.annotations }}
+  annotations:
+    atlantis.oceanbox.io/expose: internal
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
+  ingressClassName: {{ .Values.ingress.className }}
+  {{- end }}
+  {{- if .Values.ingress.tls }}
+  tls:
+    {{- range .Values.ingress.tls }}
+    - hosts:
+        {{- range .hosts }}
+        - {{ . | quote }}
+        {{- end }}
+      secretName: {{ .secretName }}
+    {{- end }}
+  {{- end }}
+  rules:
+    {{- range .Values.ingress.hosts }}
+    - host: {{ .host | quote }}
+      http:
+        paths:
+          {{- range .internal }}
+          - path: {{ .path }}
+            {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
+            pathType: {{ .pathType }}
+            {{- end }}
+            backend:
+              {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+              service:
+                name: {{ $fullName }}
+                port:
+                  number: {{ $svcPort }}
+              {{- else }}
+              serviceName: {{ $fullName }}
+              servicePort: {{ $svcPort }}
+              {{- end }}
+          {{- end }}
+    {{- end }}
+{{- end }}

charts/atlantis/templates/secrets.yaml

@@ -1,24 +1,3 @@
-apiVersion: v1
-kind: Secret
-metadata:
-  annotations:
-    kyverno/clone: "true"
-  name: {{ .Release.Name }}-rabbitmq
-  namespace: {{ .Release.Namespace }}
-type: Opaque
-data:
----
-{{- if not .Values.redis.enabled }}
-apiVersion: v1
-kind: Secret
-metadata:
-  annotations:
-    kyverno/clone: "true"
-  name: {{ .Release.Name }}-redis
-type: Opaque
-data:
-{{- end }}
----
 {{- if not .Values.cluster.enabled }}
 apiVersion: v1
 kind: Secret
@@ -32,6 +11,7 @@ data:
   username:
   password:
 {{- else }}
+{{- if .Values.cluster.bootstrap.enabled }}
 apiVersion: v1
 kind: Secret
 metadata:
@@ -55,3 +35,4 @@ data:
   ca.crt: ""
   ca.key: ""
 {{- end }}
+{{- end }}

charts/atlantis/templates/servicemonitor.yaml

@@ -0,0 +1,20 @@
+{{- if .Values.serviceMonitor.enabled }}
+apiVersion: monitoring.coreos.com/v1
+kind: ServiceMonitor
+metadata:
+  name: {{ include "Atlantis.fullname" . }}
+  namespace: {{ .Release.Namespace }}
+spec:
+  endpoints:
+  - honorLabels: false
+    path: /metrics
+    port: http
+  jobLabel: {{ .Values.serviceMonitor.label | default (include "Atlantis.fullname" .) }}
+  namespaceSelector:
+    matchNames:
+    - {{ .Release.Namespace }}
+  selector:
+    matchLabels:
+      app.kubernetes.io/instance: {{ include "Atlantis.fullname" . }}
+      app.kubernetes.io/name: atlantis
+{{- end }}

charts/atlantis/values.yaml

@@ -17,6 +17,14 @@ init:
 env:
   - name: LOG_LEVEL
     value: "3"
+  - name: APP_NAME
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.name
+  - name: APP_NAMESPACE
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.namespace
 
 imagePullSecrets:
   - name: gitlab-pull-secret
@@ -61,6 +69,13 @@ ingress:
       paths:
         - path: /
           pathType: ImplementationSpecific
+        - path: /events
+          pathType: ImplementationSpecific
+          serviceName: main-ingress-nginx-defaultbackend.ingress-nginx
+          servicePort: 80
+      internal:
+        - path: /internal
+          pathType: ImplementationSpecific
   tls:
     - hosts:
         - atlantis.srv.oceanbox.io
@@ -84,52 +99,6 @@ cluster:
       db: prod-archmeister
       namespace: atlantis
 
-redis:
-  enabled: true
-  image:
-    repository: redis/redis-stack-server
-    tag: 7.2.0-v10
-  architecture: standalone
-  replica:
-    replicaCount: 1
-    command:
-      - "/opt/redis-stack/bin/redis-server"
-      - "--loadmodule"
-      - "/opt/redis-stack/lib/redisearch.so"
-      - "MAXSEARCHRESULTS"
-      - "10000"
-      - "MAXAGGREGATERESULTS"
-      - "10000"
-      - "--loadmodule"
-      - "/opt/redis-stack/lib/rejson.so"
-  auth:
-    enabled: true
-    sentinel: true
-    password: ""
-    usePasswordFiles: false
-    existingSecretPasswordKey: ""
-    # existingSecret: staging-redis
-  master:
-    resources:
-      limits:
-        cpu: null
-        ephemeral-storage: 1024Mi
-        memory: 192Mi
-      requests:
-        cpu: 150m
-        ephemeral-storage: 50Mi
-        memory: 128Mi
-
-tracing:
-  namespace: otel
-  endpoint: "http://opentelemetry-collector.otel:9411/api/v2/spans"
-
-rabbitmq:
-  namespace: rabbitmq
-  service: staging-rabbitmq
-  username: user
-  # secretName: staging-rabbitmq
-
 resources: {}
 # We usually recommend not to specify default resources and to leave this as a conscious
 # choice for the user. This also increases chances charts run on environments with little
@@ -149,6 +118,9 @@ autoscaling:
   targetCPUUtilizationPercentage: 80
   # targetMemoryUtilizationPercentage: 80
 
+serviceMonitor:
+  enabled: true
+
 nodeSelector: {}
 tolerations: []
 affinity: {}

charts/hipster/values.yaml

@@ -11,6 +11,17 @@ init:
   enabled: false
   image: ubuntu:rolling
   command: ["/bin/sh", "-c", "true"]
+env:
+  - name: LOG_LEVEL
+    value: "3"
+  - name: APP_NAME
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.name
+  - name: APP_NAMESPACE
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.namespace
 imagePullSecrets:
   - name: gitlab-pull-secret
 nameOverride: ""

charts/petimeter/values.yaml

@@ -11,6 +11,17 @@ init:
   enabled: false
   image: ubuntu:rolling
   command: ["/bin/sh", "-c", "true"]
+env:
+  - name: LOG_LEVEL
+    value: "3"
+  - name: APP_NAME
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.name
+  - name: APP_NAMESPACE
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.namespace
 imagePullSecrets:
   - name: gitlab-pull-secret
 nameOverride: ""

charts/sorcerer/Chart.yaml

@@ -1,18 +1,6 @@
 apiVersion: v2
 name: sorcerer
 description: A Helm chart for Kubernetes
-# A chart can be either an 'application' or a 'library' chart.
-#
-# Application charts are a collection of templates that can be packaged into versioned archives
-# to be deployed.
-#
-# Library charts provide useful utilities or functions for the chart developer. They're included as
-# a dependency of application charts to inject those utilities and functions into the rendering
-# pipeline. Library charts do not define any templates and therefore cannot be deployed.
 type: application
-# This is the chart version. This version number should be incremented each time you make changes
-# to the chart and its templates, including the app version.
 version: v4.9.0
-# This is the version number of the application being deployed. This version number should be
-# incremented each time you make changes to the application.
 appVersion: v4.9.0

charts/sorcerer/templates/deployment.yaml

@@ -38,8 +38,7 @@ spec:
               containerPort: {{ .Values.service.port }}
               protocol: TCP
           env:
-            - name: LOG_LEVEL
-              value: "3"
+            {{- toYaml .Values.env | nindent 12 }}
           livenessProbe:
             httpGet:
               path: /

charts/sorcerer/templates/internal-ingress.yaml

@@ -0,0 +1,62 @@
+{{- if .Values.ingress.enabled -}}
+{{- $fullName := include "Sorcerer.fullname" . -}}
+{{- $svcPort := .Values.service.port -}}
+{{- if and .Values.ingress.className (not (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion)) }}
+  {{- if not (hasKey .Values.ingress.annotations "kubernetes.io/ingress.class") }}
+  {{- $_ := set .Values.ingress.annotations "kubernetes.io/ingress.class" .Values.ingress.className}}
+  {{- end }}
+{{- end }}
+{{- if semverCompare ">=1.19-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1
+{{- else if semverCompare ">=1.14-0" .Capabilities.KubeVersion.GitVersion -}}
+apiVersion: networking.k8s.io/v1beta1
+{{- else -}}
+apiVersion: extensions/v1beta1
+{{- end }}
+kind: Ingress
+metadata:
+  name: {{ $fullName }}-internal
+  labels:
+    {{- include "Sorcerer.labels" . | nindent 4 }}
+  {{- with .Values.ingress.annotations }}
+  annotations:
+    atlantis.oceanbox.io/expose: internal
+    {{- toYaml . | nindent 4 }}
+  {{- end }}
+spec:
+  {{- if and .Values.ingress.className (semverCompare ">=1.18-0" .Capabilities.KubeVersion.GitVersion) }}
+  ingressClassName: {{ .Values.ingress.className }}
+  {{- end }}
+  {{- if .Values.ingress.tls }}
+  tls:
+    {{- range .Values.ingress.tls }}
+    - hosts:
+        {{- range .hosts }}
+        - {{ . | quote }}
+        {{- end }}
+      secretName: {{ .secretName }}
+    {{- end }}
+  {{- end }}
+  rules:
+    {{- range .Values.ingress.hosts }}
+    - host: {{ .host | quote }}
+      http:
+        paths:
+          {{- range .internal }}
+          - path: {{ .path }}
+            {{- if and .pathType (semverCompare ">=1.18-0" $.Capabilities.KubeVersion.GitVersion) }}
+            pathType: {{ .pathType }}
+            {{- end }}
+            backend:
+              {{- if semverCompare ">=1.19-0" $.Capabilities.KubeVersion.GitVersion }}
+              service:
+                name: {{ $fullName }}
+                port:
+                  number: {{ $svcPort }}
+              {{- else }}
+              serviceName: {{ $fullName }}
+              servicePort: {{ $svcPort }}
+              {{- end }}
+          {{- end }}
+    {{- end }}
+{{- end }}

charts/sorcerer/values.yaml

@@ -3,18 +3,36 @@
 # Declare variables to be passed into your templates.
 
 replicaCount: 1
+
 image:
   repository: registry.gitlab.com/oceanbox/sorcerer
   tag: v4.9.0
   pullPolicy: IfNotPresent
+
 init:
   enabled: false
   image: ubuntu:rolling
   command: ["/bin/sh", "-c", "true"]
+
+env:
+  - name: LOG_LEVEL
+    value: "3"
+  - name: APP_NAME
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.name
+  - name: APP_NAMESPACE
+    valueFrom:
+      fieldRef:
+        fieldPath: metadata.namespace
+
 imagePullSecrets:
   - name: gitlab-pull-secret
+
 nameOverride: ""
+
 fullnameOverride: ""
+
 serviceAccount:
   create: true
   # Annotations to add to the service account
@@ -22,9 +40,12 @@ serviceAccount:
   # The name of the service account to use.
   # If not set and create is true, a name is generated using the fullname template
   name: ""
+
 podAnnotations: {}
+
 podSecurityContext:
   fsGroup: 2000
+
 securityContext:
   capabilities:
     drop:
@@ -32,9 +53,11 @@ securityContext:
   readOnlyRootFilesystem: false
   runAsNonRoot: true
   runAsUser: 1000
+
 service:
   type: ClusterIP
   port: 8085
+
 ingress:
   enabled: true
   className: "nginx"
@@ -46,6 +69,9 @@ ingress:
       paths:
         - path: /
           pathType: ImplementationSpecific
+      internal:
+        - path: /internal
+          pathType: ImplementationSpecific
   tls:
     - hosts:
         - sorcerer.srv.oceanbox.io
@@ -62,6 +88,7 @@ cluster:
   backupEnabled: true
   backupRetention: 60d
   size: 5Gi
+
 resources: {}
 # We usually recommend not to specify default resources and to leave this as a conscious
 # choice for the user. This also increases chances charts run on environments with little
@@ -80,6 +107,10 @@ autoscaling:
   maxReplicas: 100
   targetCPUUtilizationPercentage: 80
   # targetMemoryUtilizationPercentage: 80
+
+serviceMonitor:
+  enabled: true
+
 nodeSelector: {}
 tolerations: []
 affinity: {}

charts/vcluster/templates/allow-external-services.yaml

@@ -6,9 +6,9 @@ metadata:
 spec:
   egress:
   - toFQDNs:
-    - matchName: api.github.com
     - matchName: dapr.github.io
-    - matchName: gitlab.com
     - matchName: analytics.loft.rocks
+    # - matchName: gitlab.com
+    # - matchName: api.github.com
   endpointSelector:
     matchLabels: {}

charts/vcluster/templates/cnpg.yaml

@@ -24,7 +24,7 @@ spec:
 apiVersion: postgresql.cnpg.io/v1
 kind: Cluster
 metadata:
-  name: staging-archmeister
+  name: {{ $name }}-archmaester
   namespace: {{ .Release.Namespace }}
   annotations:
     linkerd.io/inject: disabled
@@ -54,7 +54,7 @@ spec:
   externalClusters:
   - name: prod-archmeister
     connectionParameters:
-      host: prod-archmeister-rw.atlantis.svc
+      host: prod-archmeister-rw.atlantis
       user: streaming_replica
       sslmode: verify-full
     sslKey:

charts/vcluster/templates/kyverno-policies/allow-vcluster-apiserver.yaml

@@ -1,49 +0,0 @@
-{{- $fullname := include "vCluster.fullname" . -}}
-{{- $name := include "vCluster.releaseName" . -}}
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-  annotations:
-    kyverno.io/kyverno-version: 1.7.0
-    policies.kyverno.io/description:  Allow egress to vcluster kube-apiserver
-    policies.kyverno.io/minversion: 1.7.0
-    policies.kyverno.io/subject: Namespace, NetworkPolicy
-    policies.kyverno.io/title: Generate NetworkPolicy to Existing Namespaces
-  name: allow-{{ $name }}-vcluster-apiserver
-  namespace: {{ .Release.Namespace }}
-spec:
-  background: true
-  generateExisting: true
-  rules:
-  - name: allow-{{ $name }}-vcluster-apiserver
-    generate:
-      apiVersion: cilium.io/v2
-      kind: CiliumNetworkPolicy
-      name: allow-{{ $name }}-vcluster-apiserver-access
-      namespace: {{ printf "{{request.object.metadata.name}}" | quote }}
-      synchronize: true
-      data:
-        spec:
-          description: Allow egress to vcluster kube-apiserver
-          egress:
-          - toEndpoints:
-            - matchLabels:
-               app: vcluster
-            toPorts:
-            - ports:
-              - port: "443"
-                protocol: TCP
-          endpointSelector: {}
-    match:
-      any:
-      - resources:
-          kinds:
-          - Namespace
-          names:
-          - {{ $fullname }}
-      - resources:
-          kinds:
-          - Namespace
-          selector:
-            matchLabels:
-              vcluster.loft.sh/vcluster-name: {{ $fullname }}

charts/vcluster/templates/kyverno-policies/sync-vcluster-atlantis-secrets.yaml

@@ -1,66 +0,0 @@
-{{- $name := include "vCluster.releaseName" . -}}
-apiVersion: kyverno.io/v1
-kind: ClusterPolicy
-metadata:
-  name: "sync-{{ $name }}-vcluster-secrets"
-spec:
-  background: true
-  generateExisting: true
-  rules:
-  - name: sync-rabbitmq-secrets
-    generate:
-      apiVersion: v1
-      kind: Secret
-      name: staging-rabbitmq
-      namespace: {{ printf "{{request.object.metadata.name}}" | quote }}
-      synchronize: false
-      clone:
-        namespace: rabbitmq
-        name: staging-rabbitmq
-    match:
-      resources:
-        kinds:
-        - Namespace
-        names:
-          - "vcluster-009dba7e-*"
-        selector:
-          matchLabels:
-            vcluster.loft.sh/vcluster-namespace: '{{ .Release.Namespace }}'
-  - name: sync-redis-secrets
-    generate:
-      apiVersion: v1
-      kind: Secret
-      name: staging-redis
-      namespace: {{ printf "{{request.object.metadata.name}}" | quote }}
-      synchronize: false
-      clone:
-        namespace: redis
-        name: staging-redis
-    match:
-      resources:
-        kinds:
-        - Namespace
-        names:
-          - "vcluster-009dba7e-*"
-        selector:
-          matchLabels:
-            vcluster.loft.sh/vcluster-namespace: '{{ .Release.Namespace }}'
-  - name: sync-archmeister-app-secret
-    generate:
-      apiVersion: v1
-      kind: Secret
-      name: staging-archmeister-app
-      namespace: {{ printf "{{request.object.metadata.name}}" | quote }}
-      synchronize: false
-      clone:
-        namespace: '{{ .Release.Namespace }}'
-        name: staging-archmeister-superuser
-    match:
-      resources:
-        kinds:
-        - Namespace
-        names:
-          - "vcluster-009dba7e-*"
-        selector:
-          matchLabels:
-            vcluster.loft.sh/vcluster-namespace: '{{ .Release.Namespace }}'

charts/vcluster/templates/vcluster.yaml

@@ -16,7 +16,7 @@ spec:
     namespace: {{ .Release.Namespace }}
   source:
     repoURL: https://charts.loft.sh
-    targetRevision: 0.19.5
+    targetRevision: 0.20.1
     chart: vcluster
     helm:
       values: |-
@@ -63,12 +63,10 @@ spec:
 
           mapServices:
             fromHost:
-            - from: "redis/{{ .Values.environment }}-redis-master"
-              to: "redis/{{ .Values.environment }}-redis-master"
             - from: "rabbitmq/{{ .Values.environment }}-rabbitmq"
               to: "rabbitmq/{{ .Values.environment }}-rabbitmq"
-            - from: "{{ .Release.Namespace }}/staging-archmeister-rw"
-              to: "atlantis/staging-archmeister-rw"
+            - from: "{{ .Release.Namespace }}/{{ $name  }}-archmaester-rw"
+              to: "atlantis/{{ $name }}-archmaester-rw"
             - from: "idp/{{ .Values.environment }}-openfga"
               to: "idp/{{ .Values.environment }}-openfga"
             - from: "otel/opentelemetry-collector"
@@ -99,21 +97,11 @@ spec:
               config: |-
                 version: v1beta1
                 import:
-                - kind: Cluster
-                  apiVersion: postgresql.cnpg.io/v1
                 - kind: Secret
                   apiVersion: v1
-                # - kind: Component
-                #   apiVersion: dapr.io/v1alpha1
-                # - kind: Configuration
-                #   apiVersion: dapr.io/v1alpha1
-                # - kind: Subscription
-                #   apiVersion: dapr.io/v1alpha1
-                # - kind: CiliumNetworkPolicy
-                #   apiVersion: cilium.io/v2
                 export:
-                - kind: CiliumNetworkPolicy
-                  apiVersion: cilium.io/v2
+                - kind: Cluster
+                  apiVersion: postgresql.cnpg.io/v1
           init:
             manifests: |-
               ---

default.nix

@@ -0,0 +1,33 @@
+let
+  sources = import ./nix;
+  system = builtins.currentSystem;
+  pkgs = import sources.nixpkgs {
+    inherit system;
+    config = { };
+    overlays = [ ];
+  };
+  nixpkgs = sources.nixpkgs;
+  nixhelm = sources.nixhelm;
+  nixidy = import sources.nixidy { inherit nixpkgs; };
+  kube = pkgs.callPackage "${sources.nix-kube-gen}/lib/default.nix" { inherit pkgs; };
+in
+nixidy.lib.mkEnvs {
+  libOverlay = self: super: {
+    apps = import ./modules/lib.nix { inherit pkgs kube; };
+  };
+  modules = [
+    (
+      { lib, ... }:
+      {
+        nixidy.charts = lib.helm.mkChartAttrs "${nixhelm}/charts";
+      }
+    )
+    ./modules
+    ./apps
+    ./policies
+  ];
+  envs = {
+    prod.modules = [ ./envs/prod.nix ];
+    staging.modules = [ ./envs/staging.nix ];
+  };
+}

envs/prod.nix

@@ -0,0 +1,13 @@
+_:
+{
+  config = {
+    apps = {
+      env = "prod";
+      autoSync = false;
+      prune = false;
+
+      atlantis.enable = true;
+      openfga.enable = true;
+    };
+  };
+}

envs/staging.nix

@@ -0,0 +1,17 @@
+_:
+{
+  config = {
+    apps = {
+      env = "staging";
+      autoSync = true;
+      prune = true;
+
+      atlantis = {
+        enable = true;
+        autoSync = true;
+        prune = false;
+      };
+      openfga.enable = true;
+    };
+  };
+}

flake.lock

@@ -0,0 +1,666 @@
+{
+  "nodes": {
+    "cargo2nix": {
+      "inputs": {
+        "flake-compat": "flake-compat_3",
+        "flake-utils": "flake-utils_5",
+        "nixpkgs": "nixpkgs_3",
+        "rust-overlay": "rust-overlay"
+      },
+      "locked": {
+        "lastModified": 1699033427,
+        "narHash": "sha256-OVtd5IPbb4NvHibN+QvMrMxq7aZN5GFoINZSAXKjUdA=",
+        "owner": "cargo2nix",
+        "repo": "cargo2nix",
+        "rev": "c6f33051f412352f293e738cc8da6fd4c457080f",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cargo2nix",
+        "ref": "release-0.11.0",
+        "repo": "cargo2nix",
+        "type": "github"
+      }
+    },
+    "flake-compat": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1673956053,
+        "narHash": "sha256-4gtG9iQuiKITOjNQQeQIpoIB6b16fm+504Ch3sNKLd8=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "35bb57c0c8d8b62bbfd284272c928ceb64ddbde9",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-compat_2": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-compat_3": {
+      "flake": false,
+      "locked": {
+        "lastModified": 1696426674,
+        "narHash": "sha256-kvjfFW7WAETZlt09AgDn1MrtKzP7t90Vf7vypd3OL1U=",
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "rev": "0f9255e01c2351cc7d116c072cb317785dd33b33",
+        "type": "github"
+      },
+      "original": {
+        "owner": "edolstra",
+        "repo": "flake-compat",
+        "type": "github"
+      }
+    },
+    "flake-utils": {
+      "inputs": {
+        "systems": "systems"
+      },
+      "locked": {
+        "lastModified": 1726560853,
+        "narHash": "sha256-X6rJYSESBVr3hBoH0WbKE5KvhPU5bloyZ2L4K60/fPQ=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "c1dfcf08411b08f6b8615f7d8971a2bfa81d5e8a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_2": {
+      "inputs": {
+        "systems": "systems_2"
+      },
+      "locked": {
+        "lastModified": 1710146030,
+        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
+        "type": "github"
+      },
+      "original": {
+        "id": "flake-utils",
+        "type": "indirect"
+      }
+    },
+    "flake-utils_3": {
+      "inputs": {
+        "systems": "systems_3"
+      },
+      "locked": {
+        "lastModified": 1710146030,
+        "narHash": "sha256-SZ5L6eA7HJ/nmkzGG7/ISclqe6oZdOZTNoesiInkXPQ=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "b1d9ab70662946ef0850d488da1c9019f3a9752a",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_4": {
+      "inputs": {
+        "systems": "systems_5"
+      },
+      "locked": {
+        "lastModified": 1701680307,
+        "narHash": "sha256-kAuep2h5ajznlPMD9rnQyffWG8EM/C73lejGofXvdM8=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "4022d587cbbfd70fe950c1e2083a02621806a725",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "flake-utils_5": {
+      "inputs": {
+        "systems": "systems_7"
+      },
+      "locked": {
+        "lastModified": 1694529238,
+        "narHash": "sha256-zsNZZGTGnMOf9YpHKJqMSsa0dXbfmxeoJ7xHlrt+xmY=",
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "rev": "ff7b65b44d01cf9ba6a71320833626af21126384",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "flake-utils",
+        "type": "github"
+      }
+    },
+    "gitignore": {
+      "inputs": {
+        "nixpkgs": [
+          "pre-commit-hooks",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1709087332,
+        "narHash": "sha256-HG2cCnktfHsKV0s4XW83gU3F57gaTljL9KNSuG6bnQs=",
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "rev": "637db329424fd7e46cf4185293b9cc8c88c95394",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hercules-ci",
+        "repo": "gitignore.nix",
+        "type": "github"
+      }
+    },
+    "haumea": {
+      "inputs": {
+        "nixpkgs": [
+          "nixhelm",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1685133229,
+        "narHash": "sha256-FePm/Gi9PBSNwiDFq3N+DWdfxFq0UKsVVTJS3cQPn94=",
+        "owner": "nix-community",
+        "repo": "haumea",
+        "rev": "34dd58385092a23018748b50f9b23de6266dffc2",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "ref": "v0.2.2",
+        "repo": "haumea",
+        "type": "github"
+      }
+    },
+    "kubenix": {
+      "inputs": {
+        "flake-compat": "flake-compat",
+        "nixpkgs": [
+          "nixidy",
+          "nixpkgs"
+        ],
+        "systems": "systems_6",
+        "treefmt": "treefmt"
+      },
+      "locked": {
+        "lastModified": 1718110643,
+        "narHash": "sha256-KrEOCx/bpN++sySOEL5EO5AhYsqRZZk+CXacueUeSl4=",
+        "owner": "hall",
+        "repo": "kubenix",
+        "rev": "a04066c45526c6d8410ba998134f692ff991b4f3",
+        "type": "github"
+      },
+      "original": {
+        "owner": "hall",
+        "repo": "kubenix",
+        "type": "github"
+      }
+    },
+    "nix-github-actions": {
+      "inputs": {
+        "nixpkgs": [
+          "nixhelm",
+          "poetry2nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1703863825,
+        "narHash": "sha256-rXwqjtwiGKJheXB43ybM8NwWB8rO2dSRrEqes0S7F5Y=",
+        "owner": "nix-community",
+        "repo": "nix-github-actions",
+        "rev": "5163432afc817cf8bd1f031418d1869e4c9d5547",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "nix-github-actions",
+        "type": "github"
+      }
+    },
+    "nix-kube-generators": {
+      "locked": {
+        "lastModified": 1708155396,
+        "narHash": "sha256-A/BIeJjiRS7sBYP6tFJa/WHDPHe7DGTCkSEKXttYeAQ=",
+        "owner": "farcaller",
+        "repo": "nix-kube-generators",
+        "rev": "14dbd5e5b40615937900f71d9a9851b59b4d9a88",
+        "type": "github"
+      },
+      "original": {
+        "owner": "farcaller",
+        "repo": "nix-kube-generators",
+        "type": "github"
+      }
+    },
+    "nix-kube-generators_2": {
+      "locked": {
+        "lastModified": 1708155396,
+        "narHash": "sha256-A/BIeJjiRS7sBYP6tFJa/WHDPHe7DGTCkSEKXttYeAQ=",
+        "owner": "farcaller",
+        "repo": "nix-kube-generators",
+        "rev": "14dbd5e5b40615937900f71d9a9851b59b4d9a88",
+        "type": "github"
+      },
+      "original": {
+        "owner": "farcaller",
+        "repo": "nix-kube-generators",
+        "type": "github"
+      }
+    },
+    "nix-kube-generators_3": {
+      "locked": {
+        "lastModified": 1708155396,
+        "narHash": "sha256-A/BIeJjiRS7sBYP6tFJa/WHDPHe7DGTCkSEKXttYeAQ=",
+        "owner": "farcaller",
+        "repo": "nix-kube-generators",
+        "rev": "14dbd5e5b40615937900f71d9a9851b59b4d9a88",
+        "type": "github"
+      },
+      "original": {
+        "owner": "farcaller",
+        "repo": "nix-kube-generators",
+        "type": "github"
+      }
+    },
+    "nixhelm": {
+      "inputs": {
+        "flake-utils": "flake-utils_2",
+        "haumea": "haumea",
+        "nix-kube-generators": "nix-kube-generators_2",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "poetry2nix": "poetry2nix"
+      },
+      "locked": {
+        "lastModified": 1728868745,
+        "narHash": "sha256-ZuaxkAtUL1visOmVMxgHk3j+H8/bMmm82tJfE1s35VY=",
+        "owner": "farcaller",
+        "repo": "nixhelm",
+        "rev": "f901d2ba3ce1bd0086d50efdcce3cc76bce04d80",
+        "type": "github"
+      },
+      "original": {
+        "owner": "farcaller",
+        "repo": "nixhelm",
+        "type": "github"
+      }
+    },
+    "nixidy": {
+      "inputs": {
+        "flake-utils": "flake-utils_4",
+        "kubenix": "kubenix",
+        "nix-kube-generators": "nix-kube-generators_3",
+        "nixpkgs": "nixpkgs"
+      },
+      "locked": {
+        "lastModified": 1728815994,
+        "narHash": "sha256-uF6HAoDMAX0cZbKH27k/0UpIteQMhyLkP1rYKUfj5ys=",
+        "owner": "arnarg",
+        "repo": "nixidy",
+        "rev": "6e20193c95a0aaca444289d7c69f4eb329d25234",
+        "type": "github"
+      },
+      "original": {
+        "owner": "arnarg",
+        "ref": "HEAD",
+        "repo": "nixidy",
+        "type": "github"
+      }
+    },
+    "nixpkgs": {
+      "locked": {
+        "lastModified": 1702151865,
+        "narHash": "sha256-9VAt19t6yQa7pHZLDbil/QctAgVsA66DLnzdRGqDisg=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "666fc80e7b2afb570462423cb0e1cf1a3a34fedd",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs-stable": {
+      "locked": {
+        "lastModified": 1720386169,
+        "narHash": "sha256-NGKVY4PjzwAa4upkGtAMz1npHGoRzWotlSnVlqI40mo=",
+        "owner": "NixOS",
+        "repo": "nixpkgs",
+        "rev": "194846768975b7ad2c4988bdb82572c00222c0d7",
+        "type": "github"
+      },
+      "original": {
+        "owner": "NixOS",
+        "ref": "nixos-24.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_2": {
+      "locked": {
+        "lastModified": 1728492678,
+        "narHash": "sha256-9UTxR8eukdg+XZeHgxW5hQA9fIKHsKCdOIUycTryeVw=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "5633bcff0c6162b9e4b5f1264264611e950c8ec7",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "nixos-unstable",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "nixpkgs_3": {
+      "locked": {
+        "lastModified": 1697382362,
+        "narHash": "sha256-PvFjWFmSYOF6TjNZ/WjOeqa+sgaWm+83Fz37vEuATHA=",
+        "owner": "nixos",
+        "repo": "nixpkgs",
+        "rev": "ad9a253a0d34f313707f9c25fb8c95c65b1c8882",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nixos",
+        "ref": "release-23.05",
+        "repo": "nixpkgs",
+        "type": "github"
+      }
+    },
+    "poetry2nix": {
+      "inputs": {
+        "flake-utils": "flake-utils_3",
+        "nix-github-actions": "nix-github-actions",
+        "nixpkgs": [
+          "nixhelm",
+          "nixpkgs"
+        ],
+        "systems": "systems_4",
+        "treefmt-nix": "treefmt-nix"
+      },
+      "locked": {
+        "lastModified": 1718285706,
+        "narHash": "sha256-DScsBM+kZvxOva7QegfdtleebMXh30XPxDQr/1IGKYo=",
+        "owner": "nix-community",
+        "repo": "poetry2nix",
+        "rev": "a5be1bbbe0af0266147a88e0ec43b18c722f2bb9",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-community",
+        "repo": "poetry2nix",
+        "type": "github"
+      }
+    },
+    "pre-commit-hooks": {
+      "inputs": {
+        "flake-compat": "flake-compat_2",
+        "gitignore": "gitignore",
+        "nixpkgs": [
+          "nixpkgs"
+        ],
+        "nixpkgs-stable": "nixpkgs-stable"
+      },
+      "locked": {
+        "lastModified": 1728778939,
+        "narHash": "sha256-WybK5E3hpGxtCYtBwpRj1E9JoiVxe+8kX83snTNaFHE=",
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "rev": "ff68f91754be6f3427e4986d7949e6273659be1d",
+        "type": "github"
+      },
+      "original": {
+        "owner": "cachix",
+        "repo": "pre-commit-hooks.nix",
+        "type": "github"
+      }
+    },
+    "root": {
+      "inputs": {
+        "flake-utils": "flake-utils",
+        "nix-kube-generators": "nix-kube-generators",
+        "nixhelm": "nixhelm",
+        "nixidy": "nixidy",
+        "nixpkgs": "nixpkgs_2",
+        "pre-commit-hooks": "pre-commit-hooks",
+        "yaml2nix": "yaml2nix"
+      }
+    },
+    "rust-overlay": {
+      "inputs": {
+        "flake-utils": [
+          "yaml2nix",
+          "cargo2nix",
+          "flake-utils"
+        ],
+        "nixpkgs": [
+          "yaml2nix",
+          "cargo2nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1697336027,
+        "narHash": "sha256-ctmmw7j4liyfSh63v9rdFZeIoNYCkCvgqvtEOB7KhX8=",
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "rev": "e494404d36a41247987eeb1bfc2f1ca903e97764",
+        "type": "github"
+      },
+      "original": {
+        "owner": "oxalica",
+        "repo": "rust-overlay",
+        "type": "github"
+      }
+    },
+    "systems": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "systems_2": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "systems_3": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "systems_4": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "id": "systems",
+        "type": "indirect"
+      }
+    },
+    "systems_5": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "systems_6": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "id": "systems",
+        "type": "indirect"
+      }
+    },
+    "systems_7": {
+      "locked": {
+        "lastModified": 1681028828,
+        "narHash": "sha256-Vy1rq5AaRuLzOxct8nz4T6wlgyUR7zLU309k9mBC768=",
+        "owner": "nix-systems",
+        "repo": "default",
+        "rev": "da67096a3b9bf56a91d16901293e51ba5b49a27e",
+        "type": "github"
+      },
+      "original": {
+        "owner": "nix-systems",
+        "repo": "default",
+        "type": "github"
+      }
+    },
+    "treefmt": {
+      "inputs": {
+        "nixpkgs": [
+          "nixidy",
+          "kubenix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1688026376,
+        "narHash": "sha256-qJmkr9BWDpqblk4E9/rCsAEl39y2n4Ycw6KRopvpUcY=",
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "rev": "df3f32b0cc253dfc7009b7317e8f0e7ccd70b1cf",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "type": "github"
+      }
+    },
+    "treefmt-nix": {
+      "inputs": {
+        "nixpkgs": [
+          "nixhelm",
+          "poetry2nix",
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1717850719,
+        "narHash": "sha256-npYqVg+Wk4oxnWrnVG7416fpfrlRhp/lQ6wQ4DHI8YE=",
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "rev": "4fc1c45a5f50169f9f29f6a98a438fb910b834ed",
+        "type": "github"
+      },
+      "original": {
+        "owner": "numtide",
+        "repo": "treefmt-nix",
+        "type": "github"
+      }
+    },
+    "yaml2nix": {
+      "inputs": {
+        "cargo2nix": "cargo2nix",
+        "flake-utils": [
+          "flake-utils"
+        ],
+        "nixpkgs": [
+          "nixpkgs"
+        ]
+      },
+      "locked": {
+        "lastModified": 1726132715,
+        "narHash": "sha256-DkHWWpvBco2yodyOk40LjTNcoaJ1bFKf0JY9OwWgy5M=",
+        "owner": "euank",
+        "repo": "yaml2nix",
+        "rev": "3a6df359da40ee49cb9ed597c2400342b76f2083",
+        "type": "github"
+      },
+      "original": {
+        "owner": "euank",
+        "repo": "yaml2nix",
+        "type": "github"
+      }
+    }
+  },
+  "root": "root",
+  "version": 7
+}

flake.nix

@@ -0,0 +1,148 @@
+{
+  description = "My ArgoCD configuration with nixidy.";
+
+  inputs = {
+    nixpkgs.url = "github:nixos/nixpkgs/nixos-unstable";
+    flake-utils.url = "github:numtide/flake-utils";
+
+    nixidy = {
+      url = "github:juselius/nixidy?ref=HEAD";
+      # url = "github:juselius/nixidy?ref=special-args";
+      # url = "/home/jonas/src/OceanBox/nixidy";
+      # inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    nixhelm = {
+      url = "github:farcaller/nixhelm";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    pre-commit-hooks = {
+      url = "github:cachix/pre-commit-hooks.nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+    };
+
+    nix-kube-generators.url = "github:farcaller/nix-kube-generators";
+
+    yaml2nix = {
+      url = "github:euank/yaml2nix";
+      inputs.nixpkgs.follows = "nixpkgs";
+      inputs.flake-utils.follows = "flake-utils";
+    };
+  };
+
+  outputs =
+    {
+      self,
+      nixpkgs,
+      flake-utils,
+      nixidy,
+      nixhelm,
+      yaml2nix,
+      pre-commit-hooks,
+      nix-kube-generators,
+    }:
+    (flake-utils.lib.eachDefaultSystem (
+      system:
+      let
+        pkgs = import nixpkgs { inherit system; };
+        kube = nix-kube-generators.lib { inherit pkgs; };
+        lib = {
+          apps = import ./modules/lib.nix { inherit pkgs kube;};
+        };
+      in
+      {
+        nixidyEnvs = nixidy.lib.mkEnvs {
+            inherit pkgs;
+            extraSpecialArgs = { inherit lib; };
+            charts = nixhelm.chartsDerivations.${system};
+            modules = [
+              ./modules
+              ./apps
+              ./policies
+            ];
+            envs = {
+              prod.modules = [ ./envs/prod.nix ];
+              staging.modules = [ ./envs/staging.nix ];
+            };
+          };
+
+        checks = {
+          pre-commit-check = pre-commit-hooks.lib.${system}.run {
+            src = ./.;
+            hooks = {
+              nixfmt-rfc-style.enable = false;
+              deadnix.enable = false;
+              statix.enable = false;
+            };
+          };
+        };
+
+        packages = {
+          nixidy = nixidy.packages.${system}.default;
+          generators = {
+            cilium = nixidy.packages.${system}.generators.fromCRD {
+              name = "cilium";
+              src = pkgs.fetchFromGitHub {
+                owner = "cilium";
+                repo = "cilium";
+                rev = "v1.16.0";
+                hash = "sha256-LJrNGHF52hdKCuVwjvGifqsH+8hxkf/A3LZNpCHeR7E=";
+              };
+              crds = [
+                "pkg/k8s/apis/cilium.io/client/crds/v2/ciliumnetworkpolicies.yaml"
+                "pkg/k8s/apis/cilium.io/client/crds/v2/ciliumclusterwidenetworkpolicies.yaml"
+              ];
+            };
+
+            kyverno = nixidy.packages.${system}.generators.fromCRD {
+              name = "kyverno";
+              src = pkgs.fetchFromGitHub {
+                owner = "kyverno";
+                repo = "kyverno";
+                rev = "v1.12.6";
+                hash = "sha256-FwVB1okxhWTzWlZljGEEH9KuSsJl9GmwnX7bn4iDx/M=";
+              };
+              crds = [
+                "config/crds/kyverno/kyverno.io_cleanuppolicies.yaml"
+                "config/crds/kyverno/kyverno.io_clustercleanuppolicies.yaml"
+                "config/crds/kyverno/kyverno.io_clusterpolicies.yaml"
+                "config/crds/kyverno/kyverno.io_globalcontextentries.yaml"
+                "config/crds/kyverno/kyverno.io_policies.yaml"
+                "config/crds/kyverno/kyverno.io_policyexceptions.yaml"
+                "config/crds/kyverno/kyverno.io_updaterequests.yaml"
+              ];
+            };
+          };
+        };
+
+        apps = {
+          gen-crd = {
+            type = "app";
+            program =
+              (pkgs.writeShellScript "generate-modules" ''
+                set -eo pipefail
+                echo "generate cilium"
+                cat ${self.packages.${system}.generators.cilium} > modules/cilium-crd.nix
+                echo "generate kyverno"
+                cat ${self.packages.${system}.generators.kyverno} > modules/kyverno-crd.nix
+              '').outPath;
+          };
+        };
+
+        devShells.default = pkgs.mkShellNoCC {
+          inherit (self.checks.${system}.pre-commit-check) shellHook;
+          nativeBuildInputs = with pkgs; [
+            self.checks.${system}.pre-commit-check.enabledPackages
+            nixidy.packages.${system}.default
+            yaml2nix.packages.${system}.default
+            nixd
+            nixfmt-rfc-style
+            just
+            fzf
+          ];
+          NIXD_FLAGS = "--inlay-hints";
+        };
+      }
+    ));
+}

generate.nix

@@ -0,0 +1,44 @@
+let
+  sources = import ./nix;
+  system = builtins.currentSystem;
+  pkgs = import sources.nixpkgs {
+    inherit system;
+    config = { };
+    overlays = [ ];
+  };
+  nixpkgs = sources.nixpkgs;
+  nixidy = import sources.nixidy { inherit nixpkgs; };
+in
+{
+  cilium = nixidy.generators.fromCRD {
+    name = "cilium";
+    src = pkgs.fetchFromGitHub {
+      owner = "cilium";
+      repo = "cilium";
+      rev = "v1.16.0";
+      hash = "sha256-LJrNGHF52hdKCuVwjvGifqsH+8hxkf/A3LZNpCHeR7E=";
+    };
+    crds = [
+      "pkg/k8s/apis/cilium.io/client/crds/v2/ciliumnetworkpolicies.yaml"
+      "pkg/k8s/apis/cilium.io/client/crds/v2/ciliumclusterwidenetworkpolicies.yaml"
+    ];
+  };
+  kyverno = nixidy.generators.fromCRD {
+    name = "kyverno";
+    src = pkgs.fetchFromGitHub {
+      owner = "kyverno";
+      repo = "kyverno";
+      rev = "v1.12.6";
+      hash = "sha256-FwVB1okxhWTzWlZljGEEH9KuSsJl9GmwnX7bn4iDx/M=";
+    };
+    crds = [
+      "config/crds/kyverno/kyverno.io_cleanuppolicies.yaml"
+      "config/crds/kyverno/kyverno.io_clustercleanuppolicies.yaml"
+      "config/crds/kyverno/kyverno.io_clusterpolicies.yaml"
+      "config/crds/kyverno/kyverno.io_globalcontextentries.yaml"
+      "config/crds/kyverno/kyverno.io_policies.yaml"
+      "config/crds/kyverno/kyverno.io_policyexceptions.yaml"
+      "config/crds/kyverno/kyverno.io_updaterequests.yaml"
+    ];
+  };
+}

justfile

@@ -0,0 +1,17 @@
+default := "prod"
+
+default:
+  just --choose
+
+info target=default:
+  nix run .#nixidy -- info .#{{target}}
+
+build target=default:
+  nix run .#nixidy -- build .#{{target}}
+
+switch target=default:
+  nix run .#nixidy -- switch .#{{target}}
+
+generate:
+  nix build .#generators.cilium
+  nix build .#generators.kyverno

kustomizations/atlantis/chart

@@ -1 +0,0 @@
-oceanbox/atlantis

kustomizations/atlantis/prod/appsettings.json

@@ -1,37 +0,0 @@
-{
-    "oidc": {
-        "issuer": "https://idp.oceanbox.io/dex",
-        "authorization_endpoint": "https://idp.oceanbox.io/dex/auth",
-        "token_endpoint": "https://idp.oceanbox.io/dex/token",
-        "jwks_uri": "https://idp.oceanbox.io/dex/keys",
-        "userinfo_endpoint": "https://idp.oceanbox.io/dex/userinfo",
-        "device_authorization_endpoint": "https://idp.oceanbox.io/dex/device/code",
-        "clientId": "atlantis",
-        "clientSecret": "",
-        "scopes": [
-            "openid",
-            "email",
-            "offline_access",
-            "profile"
-        ]
-    },
-    "redis": "prod-redis-master.redis.svc,user=default,password=secret",
-    "sso": {
-        "cookieDomain": ".oceanbox.io",
-        "signedOutRedirectUri": "https://idp.oceanbox.io/dex/static/logout.html",
-        "appDomain": "atlantis",
-        "dataProtectionKeys": "DataProtection-Keys"
-    },
-    "archmeister" : "https://archmeister.srv.oceanbox.io",
-    "sorcerer" : "https://sorcerer.data.oceanbox.io",
-    "allowedOrigins": [
-        "http://maps.oceanbox.io",
-        "https://maps.oceanbox.io",
-        "http://atlantis.srv.oceanbox.io",
-        "https://atlantis.srv.oceanbox.io"
-    ],
-    "logService" : "https://seq.adm.oceanbox.io",
-    "logApiKey": "",
-    "deployEnv": "prod",
-    "plainAuthUsers": []
-}

kustomizations/atlantis/prod/default.env

@@ -1,3 +0,0 @@
-OIDC_CLIENT_SECRET=KOJ6bDHzE5vdyfSrzgwLjtM5PzA809Zm
-SEQ_APIKEY=v9RfeLBD9Si7OkFlkjPm
-DEPLOY_NAME=prod-atlantis

kustomizations/atlantis/prod/deployment_patch.yaml

@@ -1,41 +0,0 @@
-- op: replace
-  path: /spec/template/spec/containers/0/env/0
-  value:
-    name: LOG_LEVEL
-    value: "4"
-- op: add
-  path: /spec/template/spec/containers/0/env/-
-  value:
-    name: BARENTSWATCH_SECRET
-    valueFrom:
-      secretKeyRef:
-        name: prod-atlantis-barentswatch
-        key: secret
-        optional: true
-- op: add
-  path: /spec/template/spec/containers/0/env/-
-  value:
-    name: BARENTSWATCH_CLIENT_ID
-    valueFrom:
-      secretKeyRef:
-        name: prod-atlantis-barentswatch
-        key: client-id
-        optional: true
-- op: add
-  path: /spec/template/spec/containers/0/env/-
-  value:
-    name: REDIS_USER
-    value: default
-- op: add
-  path: /spec/template/spec/containers/0/env/-
-  value:
-    name: REDIS_PASSWORD
-    valueFrom:
-      secretKeyRef:
-        name: prod-redis
-        key: redis-password
-- op: add
-  path: /spec/template/spec/containers/0/envFrom/-
-  value:
-    secretRef:
-      name: prod-atlantis-env

kustomizations/atlantis/staging/appsettings.json

@@ -1,35 +0,0 @@
-{
-    "oidc": {
-        "issuer": "https://idp.oceanbox.io/dex",
-        "authorization_endpoint": "https://idp.oceanbox.io/dex/auth",
-        "token_endpoint": "https://idp.oceanbox.io/dex/token",
-        "jwks_uri": "https://idp.oceanbox.io/dex/keys",
-        "userinfo_endpoint": "https://idp.oceanbox.io/dex/userinfo",
-        "device_authorization_endpoint": "https://idp.oceanbox.io/dex/device/code",
-        "clientId": "atlantis_dev",
-        "clientSecret": "",
-        "scopes": [
-            "openid",
-            "email",
-            "offline_access",
-            "profile"
-        ]
-    },
-    "redis": "staging-redis-master.redis.svc,user=default,password=secret",
-    "sso": {
-        "cookieDomain": ".oceanbox.io",
-        "signedOutRedirectUri": "https://idp.oceanbox.io/dex/static/logout.html",
-        "appDomain": "atlantis",
-        "dataProtectionKeys": "DataProtection-Keys"
-    },
-    "archmeister" : "https://archmeister.beta.oceanbox.io",
-    "sorcerer" : "https://sorcerer.ekman.oceanbox.io",
-    "allowedOrigins": [
-        "http://atlantis.beta.oceanbox.io",
-        "https://atlantis.beta.oceanbox.io"
-    ],
-    "logService" : "https://seq.adm.oceanbox.io",
-    "logApiKey": "",
-    "deployEnv": "staging",
-    "plainAuthUsers": []
-}

kustomizations/atlantis/staging/default.env

@@ -1,3 +0,0 @@
-OIDC_CLIENT_SECRET=3QjfSPmAemjn34XVA2o1fvoS7I4gKvOR
-SEQ_APIKEY=v9RfeLBD9Si7OkFlkjPm
-DEPLOY_NAME=staging-atlantis

kustomizations/atlantis/staging/deployment_patch.yaml

@@ -1,41 +0,0 @@
-- op: replace
-  path: /spec/template/spec/containers/0/env/0
-  value:
-    name: LOG_LEVEL
-    value: "4"
-- op: add
-  path: /spec/template/spec/containers/0/env/-
-  value:
-    name: BARENTSWATCH_SECRET
-    valueFrom:
-      secretKeyRef:
-        name: staging-atlantis-barentswatch
-        key: secret
-        optional: true
-- op: add
-  path: /spec/template/spec/containers/0/env/-
-  value:
-    name: BARENTSWATCH_CLIENT_ID
-    valueFrom:
-      secretKeyRef:
-        name: staging-atlantis-barentswatch
-        key: client-id
-        optional: true
-- op: add
-  path: /spec/template/spec/containers/0/env/-
-  value:
-    name: REDIS_USER
-    value: default
-- op: add
-  path: /spec/template/spec/containers/0/env/-
-  value:
-    name: REDIS_PASSWORD
-    valueFrom:
-      secretKeyRef:
-        name: staging-redis
-        key: redis-password
-- op: add
-  path: /spec/template/spec/containers/0/envFrom/-
-  value:
-    secretRef:
-      name: staging-atlantis-env

kustomizations/atlantis/values-prod.yaml

@@ -1,46 +0,0 @@
-replicaCount: 2
-
-podAnnotations:
-  dapr.io/app-id: "prod-atlantis"
-  dapr.io/enabled: "true"
-  dapr.io/app-port: "8000"
-  dapr.io/config: "tracing"
-  dapr.io/app-protocol: "http"
-  dapr.io/enable-app-health-check: "true"
-  dapr.io/app-health-check-path: "/healthz"
-  dapr.io/app-health-probe-interval: "3"
-  dapr.io/app-health-probe-timeout: "200"
-  dapr.io/app-health-threshold: "2"
-  dapr.io/sidecar-cpu-request: "100m"
-  dapr.io/sidecar-memory-request: "250Mi"
-  dapr.io/sidecar-cpu-limit: "300m"
-  dapr.io/sidecar-memory-limit: "1000Mi"
-  dapr.io/log-as-json: "true"
-
-ingress:
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-production
-    nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
-  hosts:
-    - host: atlantis.srv.oceanbox.io
-      paths:
-        - path: /
-          pathType: ImplementationSpecific
-    - host: maps.oceanbox.io
-      paths:
-        - path: /
-          pathType: ImplementationSpecific
-  tls:
-    - hosts:
-       - atlantis.srv.oceanbox.io
-       - maps.oceanbox.io
-      secretName: atlantis-tls
-
-resources:
-  limits:
-    cpu: 250m
-    memory: 1Gi
-  requests:
-    cpu: 250m
-    memory: 1Gi
-

kustomizations/atlantis/values-staging.yaml

@@ -1,54 +0,0 @@
-replicaCount: 2
-podAnnotations:
-  dapr.io/app-id: "staging-atlantis"
-  dapr.io/enabled: "true"
-  dapr.io/app-port: "8000"
-  dapr.io/config: "tracing"
-  dapr.io/app-protocol: "http"
-  dapr.io/enable-app-health-check: "true"
-  dapr.io/app-health-check-path: "/healthz"
-  dapr.io/app-health-probe-interval: "3"
-  dapr.io/app-health-probe-timeout: "200"
-  dapr.io/app-health-threshold: "2"
-  dapr.io/sidecar-cpu-request: "100m"
-  dapr.io/sidecar-memory-request: "250Mi"
-  dapr.io/sidecar-cpu-limit: "300m"
-  dapr.io/sidecar-memory-limit: "1000Mi"
-  dapr.io/log-as-json: "true"
-image:
-  tag: 7f3512e0-debug
-ingress:
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-production
-    nginx.ingress.kubernetes.io/proxy-buffer-size: 128k
-    # nginx.ingress.kubernetes.io/affinity: "cookie"
-    # nginx.ingress.kubernetes.io/session-cookie-name: "http-affinity"
-    # nginx.ingress.kubernetes.io/session-cookie-expires: "86400"
-    # nginx.ingress.kubernetes.io/session-cookie-max-age: "86400"
-    # atlantis.oceanbox.io/expose: internal
-  hosts:
-    - host: atlantis.beta.oceanbox.io
-      paths:
-        - path: /
-          pathType: ImplementationSpecific
-    - host: atlas.oceanbox.io
-      paths:
-        - path: /
-          pathType: ImplementationSpecific
-    - host: beta.oceanbox.io
-      paths:
-        - path: /
-          pathType: ImplementationSpecific
-  tls:
-    - hosts:
-        - atlantis.beta.oceanbox.io
-        - atlas.oceanbox.io
-        - beta.oceanbox.io
-      secretName: staging-atlantis-tls
-resources:
-  limits:
-    cpu: 250m
-    memory: 1Gi
-  requests:
-    cpu: 250m
-    memory: 1Gi

kustomizations/openfga/values-prod.yaml

@@ -1,31 +0,0 @@
-replicaCount: 2
-
-datastore:
-  engine: postgres
-  uriSecret: prod-openfga-postgresql
-
-postgresql:
-  enabled: true
-  auth:
-    existingSecret: prod-openfga-postgresql
-    secretKeys:
-       userPasswordKey: postgres-password
-
-ingress:
-  enabled: true
-  className: nginx
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-staging
-    nginx.ingress.kubernetes.io/ssl-redirect: "true"
-    nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
-  hosts:
-    - host: openfga.srv.oceanbox.io
-      paths:
-        - path: /
-          pathType: ImplementationSpecific
-  tls:
-   - secretName: staging-openfga-tls
-     hosts:
-       - openfga.srv.oceanbox.io
-
-

kustomizations/openfga/values-staging.yaml

@@ -1,29 +0,0 @@
-replicaCount: 1
-
-datastore:
-  engine: postgres
-  uriSecret: staging-openfga-postgresql
-
-postgresql:
-  enabled: true
-  auth:
-    existingSecret: staging-openfga-postgresql
-    secretKeys:
-       userPasswordKey: postgres-password
-
-ingress:
-  enabled: true
-  className: nginx
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-staging
-    nginx.ingress.kubernetes.io/ssl-redirect: "true"
-    nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
-  hosts:
-    - host: openfga.dev.oceanbox.io
-      paths:
-        - path: /
-          pathType: ImplementationSpecific
-  tls:
-   - secretName: staging-openfga-tls
-     hosts:
-       - openfga.dev.oceanbox.io

kustomizations/openfga/values.yaml

@@ -1,8 +0,0 @@
-# fullnameOverride: openfga
-
-playground:
-  enabled: false
-  port: 3000
-
-
-

kustomizations/sorcerer/chart

@@ -1 +0,0 @@
-oceanbox/sorcerer

kustomizations/sorcerer/prod/appsettings.json

@@ -1,28 +0,0 @@
-{
-    "sso": {
-        "cookieDomain": ".oceanbox.io",
-        "signedOutRedirectUri": "https://idp.oceanbox.io/dex/static/logout.html",
-        "redis": "10.255.241.201:30379,user=default,password=secret",
-        "appDomain": "atlantis",
-        "dataProtectionKeys": "DataProtection-Keys"
-    },
-    "allowedOrigins": [
-        "http://localhost:8085",
-        "http://localhost:8080",
-        "https://localhost:8080",
-        "https://maps.oceanbox.io",
-        "https://atlantis.srv.oceanbox.io",
-        "https://maps.relic.oceanbox.io",
-        "https://atlantis.beta.oceanbox.io",
-        "https://atlantis.dev.oceanbox.io",
-        "https://atlantis.local.oceanbox.io:8080",
-        "https://jonas-atlantis.dev.oceanbox.io",
-        "https://stig-atlantis.dev.oceanbox.io",
-        "https://simkir-atlantis.dev.oceanbox.io"
-    ],
-    "archiveSvc": "https://archmeister.srv.oceanbox.io",
-    "cacheDir": "/data/archives/cache",
-    "logService" : "https://seq.adm.oceanbox.io",
-    "logApiKey": "",
-    "deployEnv": "prod"
-}

kustomizations/sorcerer/prod/deployment_patch.yaml

@@ -1,43 +0,0 @@
-- op: replace
-  path: /spec/template/spec/containers/0/volumeMounts/0/mountPath
-  value: /data
-- op: add
-  path: /spec/template/spec/containers/0/volumeMounts/-
-  value:
-    mountPath: /backup/archives
-    name: backup
-- op: add
-  path: /spec/template/spec/volumes/-
-  value:
-    name: backup
-    persistentVolumeClaim:
-      claimName: prod-oceanbox-backup-archives
-- op: replace
-  path: /spec/template/spec/containers/0/env/0
-  value:
-    name: LOG_LEVEL
-    value: "3"
-- op: add
-  path: /spec/template/spec/containers/0/env/-
-  value:
-    name: REDIS_USER
-    value: default
-- op: add
-  path: /spec/template/spec/containers/0/env/-
-  value:
-    name: REDIS_PASSWORD
-    valueFrom:
-      secretKeyRef:
-        name: prod-redis
-        key: redis-password
-- op: add
-  path: /spec/template/spec/containers/0/env/-
-  value:
-    name: ARCHMEISTER_AUTH
-    value: "admin:en-to-tre-fire"
-- op: add
-  path: /spec/template/spec/containers/0/envFrom/-
-  value:
-    secretRef:
-      name: prod-sorcerer-env
-

kustomizations/sorcerer/prod/pv.yaml

@@ -1,40 +0,0 @@
-# apiVersion: v1
-# kind: PersistentVolume
-# metadata:
-#   name: pv-prod-oceanbox-archives
-# spec:
-#   accessModes:
-#   - ReadWriteMany
-#   capacity:
-#     storage: 300T
-#   mountOptions:
-#   - vers=4.2
-#   - rdma
-#   - soft
-#   nfs:
-#     path: /data/archives
-#     server: 10.255.243.80
-#   persistentVolumeReclaimPolicy: Retain
-#   volumeMode: Filesystem
----
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: pv-prod-backup-archives
-spec:
-  accessModes:
-  - ReadOnlyMany
-  capacity:
-    storage: 400T
-  local:
-    path: /backup/archives
-  persistentVolumeReclaimPolicy: Retain
-  volumeMode: Filesystem
-  nodeAffinity:
-    required:
-      nodeSelectorTerms:
-      - matchExpressions:
-        - key: kubernetes.io/hostname
-          operator: In
-          values:
-          - fs-backup

kustomizations/sorcerer/prod/pvc.yaml

@@ -1,32 +0,0 @@
-# apiVersion: v1
-# kind: PersistentVolumeClaim
-# metadata:
-#   name: prod-oceanbox-archives
-# spec:
-#   accessModes:
-#   - ReadWriteMany
-#   resources:
-#     requests:
-#       storage: 300T
-#   storageClassName: ""
-#   volumeMode: Filesystem
-#   volumeName: pv-prod-oceanbox-archives
-# status:
-#   accessModes:
-#   - ReadWriteMany
-#   capacity:
-#     storage: 300T
----
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: prod-oceanbox-backup-archives
-spec:
-  accessModes:
-  - ReadOnlyMany
-  resources:
-    requests:
-      storage: 400T
-  storageClassName: ""
-  volumeMode: Filesystem
-  volumeName: pv-prod-backup-archives

kustomizations/sorcerer/staging/appsettings.json

@@ -1,28 +0,0 @@
-{
-    "sso": {
-        "cookieDomain": ".oceanbox.io",
-        "signedOutRedirectUri": "https://idp.oceanbox.io/dex/static/logout.html",
-        "redis": "10.255.241.201:31379,user=default,password=secret",
-        "appDomain": "atlantis",
-        "dataProtectionKeys": "DataProtection-Keys"
-    },
-    "allowedOrigins": [
-        "http://localhost:8085",
-        "http://localhost:8080",
-        "https://localhost:8080",
-        "https://maps.oceanbox.io",
-        "https://atlantis.srv.oceanbox.io",
-        "https://atlantis.dev.oceanbox.io",
-        "https://atlantis.beta.oceanbox.io",
-        "https://atlantis.local.oceanbox.io:8080",
-        "https://jonas-atlantis.dev.oceanbox.io",
-        "https://stig-atlantis.dev.oceanbox.io",
-        "https://simkir-atlantis.dev.oceanbox.io"
-
-    ],
-    "archiveSvc": "https://archmeister.beta.oceanbox.io",
-    "cacheDir": "/data/archives/cache",
-    "logService" : "https://seq.adm.oceanbox.io",
-    "logApiKey": "",
-    "deployEnv": "staging"
-}

kustomizations/sorcerer/staging/default.env

@@ -1 +0,0 @@
-SEQ_APIKEY=7iIXHJukYjSLQDix6CnZ

kustomizations/sorcerer/staging/deployment_patch.yaml

@@ -1,43 +0,0 @@
-- op: replace
-  path: /spec/template/spec/containers/0/volumeMounts/0/mountPath
-  value: /data
-- op: add
-  path: /spec/template/spec/containers/0/volumeMounts/-
-  value:
-    mountPath: /backup/archives
-    name: backup
-- op: add
-  path: /spec/template/spec/volumes/-
-  value:
-    name: backup
-    persistentVolumeClaim:
-      claimName: staging-oceanbox-backup-archives
-- op: replace
-  path: /spec/template/spec/containers/0/env/0
-  value:
-    name: LOG_LEVEL
-    value: "4"
-- op: add
-  path: /spec/template/spec/containers/0/env/-
-  value:
-    name: REDIS_USER
-    value: default
-- op: add
-  path: /spec/template/spec/containers/0/env/-
-  value:
-    name: REDIS_PASSWORD
-    valueFrom:
-      secretKeyRef:
-        name: staging-redis
-        key: redis-password
-- op: add
-  path: /spec/template/spec/containers/0/env/-
-  value:
-    name: ARCHMEISTER_AUTH
-    value: "admin:en-to-tre-fire"
-- op: add
-  path: /spec/template/spec/containers/0/envFrom/-
-  value:
-    secretRef:
-      name: staging-sorcerer-env
-

kustomizations/sorcerer/staging/pv.yaml

@@ -1,41 +0,0 @@
-# apiVersion: v1
-# kind: PersistentVolume
-# metadata:
-#   name: pv-staging-oceanbox-archives
-# spec:
-#   accessModes:
-#   - ReadWriteMany
-#   capacity:
-#     storage: 300T
-#   mountOptions:
-#   - vers=4.2
-#   - rdma
-#   - soft
-#   nfs:
-#     path: /data/archives
-#     server: 10.255.243.80
-#   persistentVolumeReclaimPolicy: Retain
-#   volumeMode: Filesystem
----
-apiVersion: v1
-kind: PersistentVolume
-metadata:
-  name: pv-staging-backup-archives
-spec:
-  accessModes:
-  - ReadWriteMany
-  capacity:
-    storage: 400T
-  local:
-    path: /backup/archives
-  persistentVolumeReclaimPolicy: Retain
-  volumeMode: Filesystem
-  nodeAffinity:
-    required:
-      nodeSelectorTerms:
-      - matchExpressions:
-        - key: kubernetes.io/hostname
-          operator: In
-          values:
-          - fs2
-

kustomizations/sorcerer/staging/pvc.yaml

@@ -1,32 +0,0 @@
-# apiVersion: v1
-# kind: PersistentVolumeClaim
-# metadata:
-#   name: staging-oceanbox-archives
-# spec:
-#   accessModes:
-#   - ReadWriteMany
-#   resources:
-#     requests:
-#       storage: 300T
-#   storageClassName: ""
-#   volumeMode: Filesystem
-#   volumeName: pv-staging-oceanbox-archives
-# status:
-#   accessModes:
-#   - ReadWriteMany
-#   capacity:
-#     storage: 300T
-# ---
-apiVersion: v1
-kind: PersistentVolumeClaim
-metadata:
-  name: staging-oceanbox-backup-archives
-spec:
-  accessModes:
-  - ReadWriteMany
-  resources:
-    requests:
-      storage: 400T
-  storageClassName: ""
-  volumeMode: Filesystem
-  volumeName: pv-staging-backup-archives

kustomizations/sorcerer/values-prod.yaml

@@ -1,35 +0,0 @@
-replicaCount: 2
-
-ingress:
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-production
-    nginx.ingress.kubernetes.io/affinity: "cookie"
-    nginx.ingress.kubernetes.io/session-cookie-name: "http-affinity"
-    nginx.ingress.kubernetes.io/session-cookie-expires: "86400"
-    nginx.ingress.kubernetes.io/session-cookie-max-age: "86400"
-    atlantis.oceanbox.io/expose: internal
-  hosts:
-    - host: sorcerer.data.oceanbox.io
-      paths:
-        - path: /
-          pathType: ImplementationSpecific
-  tls:
-    - hosts:
-       - sorcerer.data.oceanbox.io
-      secretName: prod-sorcerer-tls
-
-persistence:
-  enabled: true
-  existingClaim: prod-ceph-archives
-  # existingClaim: prod-oceanbox-backup-archives
-
-nodeSelector:
-  topology.kubernetes.io/group: login
-  # kubernetes.io/hostname: fs-backup
-  # node-role.kubernetes.io/worker: c1-1
-
-# tolerations:
-#   - key: workload
-#     operator: Equal
-#     value: compute
-#     effect: NoSchedule

kustomizations/sorcerer/values-staging.yaml

@@ -1,34 +0,0 @@
-replicaCount: 1
-image:
-  tag: 183dec97-debug
-ingress:
-  annotations:
-    cert-manager.io/cluster-issuer: letsencrypt-production
-    # nginx.ingress.kubernetes.io/whitelist-source-range: 10.0.0.0/8,172.16.0.0/12,192.168.0.0/16
-    nginx.ingress.kubernetes.io/affinity: "cookie"
-    nginx.ingress.kubernetes.io/session-cookie-name: "http-affinity"
-    nginx.ingress.kubernetes.io/session-cookie-expires: "86400"
-    nginx.ingress.kubernetes.io/session-cookie-max-age: "86400"
-    atlantis.oceanbox.io/expose: internal
-  hosts:
-    - host: sorcerer.ekman.oceanbox.io
-      paths:
-        - path: /
-          pathType: ImplementationSpecific
-  tls:
-    - hosts:
-        - sorcerer.ekman.oceanbox.io
-      secretName: staging-sorcerer-tls
-persistence:
-  enabled: true
-  existingClaim: staging-ceph-archives
-  # existingClaim: staging-oceanbox-backup-archives
-nodeSelector:
-  topology.kubernetes.io/group: login
-  # kubernetes.io/hostname: fs-backup
-  # node-role.kubernetes.io/worker: c1-1
-# tolerations:
-#   - key: workload
-#     operator: Equal
-#     value: compute
-#     effect: NoSchedule

modules/default.nix

@@ -0,0 +1,79 @@
+{ lib, config, ... }:
+let
+  cfg = config.apps;
+in
+{
+  imports = [];
+
+  options.apps = with lib; {
+      env = mkOption {
+        type = types.str;
+        default = "prod";
+        description = "Enable";
+      };
+
+      autoSync = mkOption {
+        type = types.bool;
+        default = true;
+        description = "Auto sync";
+      };
+
+      prune = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Prune";
+      };
+
+      selfHeal = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Self-heal";
+      };
+
+      serverSideDiff = mkOption {
+        type = types.bool;
+        default = true;
+        description = "Enable server-side diffing";
+      };
+  };
+
+  config = {
+    nixidy = {
+      target = {
+        repository = "https://gitlab.com/oveanbox/manifests.git";
+        branch = "main";
+        rootPath = "_manifests/${config.apps.env}";
+      };
+
+      resourceImports = [
+        ./cilium-crd.nix
+        ./kyverno-crd.nix
+      ];
+
+      chartsDir = ../charts;
+
+      defaults = {
+        syncPolicy = {
+          autoSync = {
+            enabled = cfg.autoSync;
+            prune = cfg.prune;
+            selfHeal = cfg.selfHeal;
+          };
+        };
+
+        # Many helm chars will render all resources with the
+        # following labels.
+        # This produces huge diffs when the charts are updated
+        # because the values of these labels change each release.
+        # Here we add a transformer that strips them out after
+        # templating the helm charts in each application.
+        helm.transformer = map (
+          lib.kube.removeLabels [
+            "app.kubernetes.io/version"
+            "helm.sh/chart"
+          ]
+        );
+      };
+    };
+  };
+}

modules/lib.nix

@@ -0,0 +1,93 @@
+{ pkgs, kube }:
+{
+  appOptions = opts: with pkgs.lib; {
+      enable = mkOption {
+        type = types.bool;
+        default = true;
+        description = "Enable";
+      };
+
+      autoSync = mkOption {
+        type = types.bool;
+        default = true;
+        description = "Auto sync";
+      };
+
+      prune = mkOption {
+        type = types.bool;
+        default = false;
+        description = "Prune";
+      };
+
+      serverSideDiff = mkOption {
+        type = types.bool;
+        default = true;
+        description = "Enable server-side diffing";
+      };
+
+      name = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        description = "Application name";
+      };
+
+      namespace = mkOption {
+        type = types.nullOr types.str;
+        default = null;
+        description = "Namespace";
+      };
+
+      project = mkOption {
+        type = types.str;
+        default = "default";
+        description = "Project";
+      };
+
+      cluster = mkOption {
+        type = types.str;
+        default = "https://kubernetes.default.svc";
+        description = "Cluster";
+      };
+
+      values = mkOption {
+        type = types.attrsOf types.anything;
+        default = {};
+        description = "Values";
+      };
+    } // opts;
+
+  appConfig = cfg: name: conf:
+    with pkgs.lib;
+    let
+       app = conf // {
+        name = if builtins.isNull cfg.name then name else cfg.name;
+        project = cfg.project;
+
+        destination.server = cfg.cluster;
+
+        createNamespace = true;
+
+        compareOptions = {
+           serverSideDiff = cfg.serverSideDiff;
+        };
+
+        syncPolicy = {
+           syncOptions = {
+             applyOutOfSyncOnly = true;
+           };
+
+           autoSync = mkIf cfg.autoSync {
+             prune = cfg.prune;
+             selfHeal = false;
+           };
+        };
+       } // (if builtins.isNull cfg.namespace then {} else  { namespace = cfg.namespace; });
+    in mkIf cfg.enable { applications.${name} = app; };
+
+  appValues = with pkgs.lib; { env, base, extraValues}:
+    attrsets.mergeAttrsList (lists.flatten [
+      (kube.fromYAML (builtins.readFile "${base}/values.yaml"))
+      (kube.fromYAML (builtins.readFile "${base}/values-${env}.yaml"))
+      [ extraValues ]
+  ]);
+}