--wip-- [skipci]

.gitignore

@@ -21,3 +21,4 @@ terraform.tfstate*
 megalinter-reports
 # scripts
 node_modules
+*.log

cluster/apps/backup/appdata-pvc.yaml

@@ -11,7 +11,7 @@ spec:
   persistentVolumeReclaimPolicy: Delete
   mountOptions:
     - nfsvers=4.2
-    - nconnect=8
+    - nconnect=16
     - hard
     - noatime
   csi:

cluster/apps/backup/restored-pvc.yaml

@@ -11,7 +11,7 @@ spec:
   persistentVolumeReclaimPolicy: Delete
   mountOptions:
     - nfsvers=4.2
-    - nconnect=8
+    - nconnect=16
     - hard
     - noatime
   csi:

cluster/apps/default/appdata-pvc.yaml

@@ -11,7 +11,7 @@ spec:
   persistentVolumeReclaimPolicy: Delete
   mountOptions:
     - nfsvers=4.2
-    - nconnect=8
+    - nconnect=16
     - hard
     - noatime
   csi:

cluster/apps/dev/appdata-pvc.yaml

@@ -11,7 +11,7 @@ spec:
   persistentVolumeReclaimPolicy: Delete
   mountOptions:
     - nfsvers=4.2
-    - nconnect=8
+    - nconnect=16
     - hard
     - noatime
   csi:

cluster/apps/games/appdata-pvc.yaml

@@ -11,7 +11,7 @@ spec:
   persistentVolumeReclaimPolicy: Delete
   mountOptions:
     - nfsvers=4.2
-    - nconnect=8
+    - nconnect=16
     - hard
     - noatime
   csi:

cluster/apps/kube-system/kustomization.yaml

@@ -3,7 +3,6 @@ apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
   - namespace.yaml
-  - csi-driver-nfs
   - descheduler
   - goldilocks
   - kube-vip

cluster/apps/kustomization.yaml

@@ -4,18 +4,18 @@
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization
 resources:
-  - backup
+  # - backup
   # - debug
-  - default
-  - dev
+  # - default
+  # - dev
   - flux-system
   # - games
   - kube-system
   - kyverno
   # - mail
-  - media
+  # - media
   # - monitoring
   - networking
   # - system-upgrade
   # - trivy
-  - vpn
+  # - vpn

cluster/apps/mail/appdata-pvc.yaml

@@ -11,7 +11,7 @@ spec:
   persistentVolumeReclaimPolicy: Delete
   mountOptions:
     - nfsvers=4.2
-    - nconnect=8
+    - nconnect=16
     - hard
     - noatime
   csi:

cluster/apps/media/appdata-pvc.yaml

@@ -11,7 +11,7 @@ spec:
   persistentVolumeReclaimPolicy: Delete
   mountOptions:
     - nfsvers=4.2
-    - nconnect=8
+    - nconnect=16
     - hard
     - noatime
   csi:

cluster/apps/media/media-pvc.yaml

@@ -14,7 +14,7 @@ spec:
   persistentVolumeReclaimPolicy: Delete
   mountOptions:
     - nfsvers=4.2
-    - nconnect=8
+    - nconnect=16
     - hard
     - noatime
   csi:

cluster/apps/monitoring/appdata-pvc.yaml

@@ -11,7 +11,7 @@ spec:
   persistentVolumeReclaimPolicy: Delete
   mountOptions:
     - nfsvers=4.2
-    - nconnect=8
+    - nconnect=16
     - hard
     - noatime
   csi:

cluster/apps/networking/appdata-pvc.yaml

@@ -11,7 +11,7 @@ spec:
   persistentVolumeReclaimPolicy: Delete
   mountOptions:
     - nfsvers=4.2
-    - nconnect=8
+    - nconnect=16
     - hard
     - noatime
   csi:

cluster/apps/networking/kustomization.yaml

@@ -15,6 +15,6 @@ resources:
   - nfs
   - nfs-shared
   - smb-shared
-  - smokeping
+  # - smokeping
   - k8s-gateway
-  - wireshark
+  # - wireshark

cluster/apps/networking/nfs-shared/helm-release.yaml

@@ -23,6 +23,9 @@ spec:
   upgrade:
     remediation:
       retries: 5
+  dependsOn:
+    - name: csi-driver-nfs
+      namespace: kube-system
   values:
     image:
       # repository: docker.io/erichough/nfs-server # amd64 only

cluster/apps/networking/nfs/helm-release.yaml

@@ -23,6 +23,9 @@ spec:
   upgrade:
     remediation:
       retries: 5
+  dependsOn:
+    - name: csi-driver-nfs
+      namespace: kube-system
   values:
     image:
       repository: docker.io/itsthenetwork/nfs-server-alpine

cluster/flux/apps.yaml

@@ -14,7 +14,7 @@ spec:
   dependsOn:
     - name: config
     - name: charts
-    - name: setup
+    - name: preconditions
   decryption:
     provider: sops
     secretRef:

cluster/flux/setup.yaml → cluster/flux/preconditions.yaml

@@ -2,7 +2,7 @@
 apiVersion: kustomize.toolkit.fluxcd.io/v1beta2
 kind: Kustomization
 metadata:
-  name: setup
+  name: preconditions
   namespace: flux-system
 spec:
   interval: 30m

cluster/setup/kustomization.yaml → cluster/preconditions/crds/kustomization.yaml

@@ -1,4 +1,3 @@
-# Critical cluster setup prior to install apps
 ---
 apiVersion: kustomize.config.k8s.io/v1beta1
 kind: Kustomization

cluster/apps/kube-system/csi-driver-nfs/storage-class.yaml → cluster/preconditions/csi-driver-nfs/storage-class.yaml

@@ -16,6 +16,6 @@ reclaimPolicy: Delete
 volumeBindingMode: Immediate
 mountOptions:
   - nfsvers=4.2
-  - nconnect=8
+  - nconnect=16
   - hard
   - noatime

cluster/preconditions/kube-system/kustomization.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - namespace.yaml
+  # https://github.com/kubernetes-csi/csi-driver-nfs/issues/39#issuecomment-663115720
+  - csi-driver-nfs

cluster/preconditions/kube-system/namespace.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: kube-system
+  labels:
+    kustomize.toolkit.fluxcd.io/prune: disabled

cluster/preconditions/kustomization.yaml

@@ -0,0 +1,7 @@
+# Preconditions before the cluster apps are deployed
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - crds
+  - kube-system

containers/gitolite/Dockerfile

@@ -0,0 +1,13 @@
+FROM alpine:latest
+
+RUN set -xe && \
+    apk add --no-cache --purge -uU \
+    git gitolite openssh dumb-init && \
+    rm -rf /var/cache/apk/* /tmp/*
+
+
+VOLUME /var/lib/git /etc/ssh/keys
+EXPOSE 22
+ENTRYPOINT ["/usr/bin/dumb-init", "--"]
+COPY start.sh /start.sh
+CMD ["/start.sh"]

containers/gitolite/start.sh

@@ -0,0 +1,38 @@
+#!/bin/sh
+
+set -- /usr/sbin/sshd -D
+
+# Setup SSH HostKeys if needed
+for algorithm in rsa dsa ecdsa ed25519
+do
+  keyfile=/etc/ssh/keys/ssh_host_${algorithm}_key
+  [ -f $keyfile ] || ssh-keygen -q -N '' -f $keyfile -t $algorithm
+  grep -q "HostKey $keyfile" /etc/ssh/sshd_config || echo "HostKey $keyfile" >> /etc/ssh/sshd_config
+done
+# Disable unwanted authentications
+perl -i -pe 's/^#?((?!Kerberos|GSSAPI)\w*Authentication)\s.*/\1 no/; s/^(PubkeyAuthentication) no/\1 yes/' /etc/ssh/sshd_config
+# Disable sftp subsystem
+perl -i -pe 's/^(Subsystem\ssftp\s)/#\1/' /etc/ssh/sshd_config
+
+# Fix permissions at every startup
+chown -R git:git ~git
+
+# Setup gitolite admin
+if [ ! -f ~git/.ssh/authorized_keys ]; then
+  if [ -n "$SSH_KEY" ]; then
+    [ -n "$SSH_KEY_NAME" ] || SSH_KEY_NAME=admin
+    echo "$SSH_KEY" > "/tmp/$SSH_KEY_NAME.pub"
+    su - git -c "gitolite setup -pk \"/tmp/$SSH_KEY_NAME.pub\""
+    rm "/tmp/$SSH_KEY_NAME.pub"
+  else
+    echo "You need to specify SSH_KEY on first run to setup gitolite"
+    echo "You can also use SSH_KEY_NAME to specify the key name (optional)"
+    echo 'Example: docker run -e SSH_KEY="$(cat ~/.ssh/id_rsa.pub)" -e SSH_KEY_NAME="$(whoami)" jgiannuzzi/gitolite'
+    exit 1
+  fi
+# Check setup at every startup
+else
+  su - git -c "gitolite setup"
+fi
+
+exec "$@"

provision/ansible/playbooks/reboot.yaml

@@ -2,10 +2,14 @@
 - hosts:
     - master
     - worker
+    # - pi-0
+    # - pi-1
     # - pi-2
     # - pi-3
-    # - harambe
+    # - pi-4
     # - archie
+    # - harambe
+    # - tars
   gather_facts: false
   become: true
   tasks: