feat: deploy family-apps (grocy/mealie) for 4 users and fix node metrics connectivity

k8s/argocd-family-apps.yaml

@@ -0,0 +1,20 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: family-apps
+  namespace: argocd
+spec:
+  project: default
+  source:
+    repoURL: http://gitea.geocrop.svc.cluster.local:3000/fchinembiri/geocrop-platform.git
+    targetRevision: HEAD
+    path: k8s/family-apps
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: family-apps
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true

k8s/family-apps/00-namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: family-apps

k8s/family-apps/kecy.yaml

@@ -0,0 +1,153 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: grocy-pvc-kecy
+spec:
+  accessModes: [ReadWriteOnce]
+  resources:
+    requests:
+      storage: 2Gi
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: grocy-kecy
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: grocy-kecy
+  template:
+    metadata:
+      labels:
+        app: grocy-kecy
+    spec:
+      containers:
+      - name: grocy
+        image: lscr.io/linuxserver/grocy:latest
+        env:
+        - name: PUID
+          value: "1000"
+        - name: PGID
+          value: "1000"
+        - name: TZ
+          value: "Africa/Harare"
+        ports:
+        - containerPort: 80
+        volumeMounts:
+        - name: config
+          mountPath: /config
+      volumes:
+      - name: config
+        persistentVolumeClaim:
+          claimName: grocy-pvc-kecy
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: grocy-kecy
+spec:
+  ports:
+  - port: 80
+    targetPort: 80
+  selector:
+    app: grocy-kecy
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: grocy-kecy-ingress
+  annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - grocy-kecy.techarvest.co.zw
+    secretName: grocy-kecy-tls
+  rules:
+  - host: grocy-kecy.techarvest.co.zw
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: grocy-kecy
+            port:
+              number: 80
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: mealie-pvc-kecy
+spec:
+  accessModes: [ReadWriteOnce]
+  resources:
+    requests:
+      storage: 2Gi
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: mealie-kecy
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: mealie-kecy
+  template:
+    metadata:
+      labels:
+        app: mealie-kecy
+    spec:
+      containers:
+      - name: mealie
+        image: ghcr.io/mealie-recipes/mealie:latest
+        env:
+        - name: TZ
+          value: "Africa/Harare"
+        ports:
+        - containerPort: 9000
+        volumeMounts:
+        - name: data
+          mountPath: /app/data
+      volumes:
+      - name: data
+        persistentVolumeClaim:
+          claimName: mealie-pvc-kecy
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: mealie-kecy
+spec:
+  ports:
+  - port: 80
+    targetPort: 9000
+  selector:
+    app: mealie-kecy
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: mealie-kecy-ingress
+  annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - mealie-kecy.techarvest.co.zw
+    secretName: mealie-kecy-tls
+  rules:
+  - host: mealie-kecy.techarvest.co.zw
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: mealie-kecy
+            port:
+              number: 80

k8s/family-apps/kustomization.yaml

@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+
+resources:
+  - 00-namespace.yaml
+  - tawona.yaml
+  - tendai.yaml
+  - tsitsi.yaml
+  - kecy.yaml

k8s/family-apps/tawona.yaml

@@ -0,0 +1,153 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: grocy-pvc-tawona
+spec:
+  accessModes: [ReadWriteOnce]
+  resources:
+    requests:
+      storage: 2Gi
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: grocy-tawona
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: grocy-tawona
+  template:
+    metadata:
+      labels:
+        app: grocy-tawona
+    spec:
+      containers:
+      - name: grocy
+        image: lscr.io/linuxserver/grocy:latest
+        env:
+        - name: PUID
+          value: "1000"
+        - name: PGID
+          value: "1000"
+        - name: TZ
+          value: "Africa/Harare"
+        ports:
+        - containerPort: 80
+        volumeMounts:
+        - name: config
+          mountPath: /config
+      volumes:
+      - name: config
+        persistentVolumeClaim:
+          claimName: grocy-pvc-tawona
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: grocy-tawona
+spec:
+  ports:
+  - port: 80
+    targetPort: 80
+  selector:
+    app: grocy-tawona
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: grocy-tawona-ingress
+  annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - grocy-tawona.techarvest.co.zw
+    secretName: grocy-tawona-tls
+  rules:
+  - host: grocy-tawona.techarvest.co.zw
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: grocy-tawona
+            port:
+              number: 80
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: mealie-pvc-tawona
+spec:
+  accessModes: [ReadWriteOnce]
+  resources:
+    requests:
+      storage: 2Gi
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: mealie-tawona
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: mealie-tawona
+  template:
+    metadata:
+      labels:
+        app: mealie-tawona
+    spec:
+      containers:
+      - name: mealie
+        image: ghcr.io/mealie-recipes/mealie:latest
+        env:
+        - name: TZ
+          value: "Africa/Harare"
+        ports:
+        - containerPort: 9000
+        volumeMounts:
+        - name: data
+          mountPath: /app/data
+      volumes:
+      - name: data
+        persistentVolumeClaim:
+          claimName: mealie-pvc-tawona
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: mealie-tawona
+spec:
+  ports:
+  - port: 80
+    targetPort: 9000
+  selector:
+    app: mealie-tawona
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: mealie-tawona-ingress
+  annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - mealie-tawona.techarvest.co.zw
+    secretName: mealie-tawona-tls
+  rules:
+  - host: mealie-tawona.techarvest.co.zw
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: mealie-tawona
+            port:
+              number: 80

k8s/family-apps/tendai.yaml

@@ -0,0 +1,153 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: grocy-pvc-tendai
+spec:
+  accessModes: [ReadWriteOnce]
+  resources:
+    requests:
+      storage: 2Gi
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: grocy-tendai
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: grocy-tendai
+  template:
+    metadata:
+      labels:
+        app: grocy-tendai
+    spec:
+      containers:
+      - name: grocy
+        image: lscr.io/linuxserver/grocy:latest
+        env:
+        - name: PUID
+          value: "1000"
+        - name: PGID
+          value: "1000"
+        - name: TZ
+          value: "Africa/Harare"
+        ports:
+        - containerPort: 80
+        volumeMounts:
+        - name: config
+          mountPath: /config
+      volumes:
+      - name: config
+        persistentVolumeClaim:
+          claimName: grocy-pvc-tendai
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: grocy-tendai
+spec:
+  ports:
+  - port: 80
+    targetPort: 80
+  selector:
+    app: grocy-tendai
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: grocy-tendai-ingress
+  annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - grocy-tendai.techarvest.co.zw
+    secretName: grocy-tendai-tls
+  rules:
+  - host: grocy-tendai.techarvest.co.zw
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: grocy-tendai
+            port:
+              number: 80
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: mealie-pvc-tendai
+spec:
+  accessModes: [ReadWriteOnce]
+  resources:
+    requests:
+      storage: 2Gi
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: mealie-tendai
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: mealie-tendai
+  template:
+    metadata:
+      labels:
+        app: mealie-tendai
+    spec:
+      containers:
+      - name: mealie
+        image: ghcr.io/mealie-recipes/mealie:latest
+        env:
+        - name: TZ
+          value: "Africa/Harare"
+        ports:
+        - containerPort: 9000
+        volumeMounts:
+        - name: data
+          mountPath: /app/data
+      volumes:
+      - name: data
+        persistentVolumeClaim:
+          claimName: mealie-pvc-tendai
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: mealie-tendai
+spec:
+  ports:
+  - port: 80
+    targetPort: 9000
+  selector:
+    app: mealie-tendai
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: mealie-tendai-ingress
+  annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - mealie-tendai.techarvest.co.zw
+    secretName: mealie-tendai-tls
+  rules:
+  - host: mealie-tendai.techarvest.co.zw
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: mealie-tendai
+            port:
+              number: 80

k8s/family-apps/tsitsi.yaml

@@ -0,0 +1,153 @@
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: grocy-pvc-tsitsi
+spec:
+  accessModes: [ReadWriteOnce]
+  resources:
+    requests:
+      storage: 2Gi
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: grocy-tsitsi
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: grocy-tsitsi
+  template:
+    metadata:
+      labels:
+        app: grocy-tsitsi
+    spec:
+      containers:
+      - name: grocy
+        image: lscr.io/linuxserver/grocy:latest
+        env:
+        - name: PUID
+          value: "1000"
+        - name: PGID
+          value: "1000"
+        - name: TZ
+          value: "Africa/Harare"
+        ports:
+        - containerPort: 80
+        volumeMounts:
+        - name: config
+          mountPath: /config
+      volumes:
+      - name: config
+        persistentVolumeClaim:
+          claimName: grocy-pvc-tsitsi
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: grocy-tsitsi
+spec:
+  ports:
+  - port: 80
+    targetPort: 80
+  selector:
+    app: grocy-tsitsi
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: grocy-tsitsi-ingress
+  annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - grocy-tsitsi.techarvest.co.zw
+    secretName: grocy-tsitsi-tls
+  rules:
+  - host: grocy-tsitsi.techarvest.co.zw
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: grocy-tsitsi
+            port:
+              number: 80
+---
+apiVersion: v1
+kind: PersistentVolumeClaim
+metadata:
+  name: mealie-pvc-tsitsi
+spec:
+  accessModes: [ReadWriteOnce]
+  resources:
+    requests:
+      storage: 2Gi
+---
+apiVersion: apps/v1
+kind: Deployment
+metadata:
+  name: mealie-tsitsi
+spec:
+  replicas: 1
+  selector:
+    matchLabels:
+      app: mealie-tsitsi
+  template:
+    metadata:
+      labels:
+        app: mealie-tsitsi
+    spec:
+      containers:
+      - name: mealie
+        image: ghcr.io/mealie-recipes/mealie:latest
+        env:
+        - name: TZ
+          value: "Africa/Harare"
+        ports:
+        - containerPort: 9000
+        volumeMounts:
+        - name: data
+          mountPath: /app/data
+      volumes:
+      - name: data
+        persistentVolumeClaim:
+          claimName: mealie-pvc-tsitsi
+---
+apiVersion: v1
+kind: Service
+metadata:
+  name: mealie-tsitsi
+spec:
+  ports:
+  - port: 80
+    targetPort: 9000
+  selector:
+    app: mealie-tsitsi
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+  name: mealie-tsitsi-ingress
+  annotations:
+    cert-manager.io/cluster-issuer: "letsencrypt-prod"
+spec:
+  ingressClassName: nginx
+  tls:
+  - hosts:
+    - mealie-tsitsi.techarvest.co.zw
+    secretName: mealie-tsitsi-tls
+  rules:
+  - host: mealie-tsitsi.techarvest.co.zw
+    http:
+      paths:
+      - path: /
+        pathType: Prefix
+        backend:
+          service:
+            name: mealie-tsitsi
+            port:
+              number: 80

k8s/fix-ufw-ds-v2.yaml

@@ -12,22 +12,43 @@ spec:
       labels:
         name: fix-ufw
     spec:
-      hostNetwork: true
       hostPID: true
       containers:
       - name: fix
         image: alpine
         securityContext:
           privileged: true
-        command: ["/bin/sh", "-c"]
+        command: ["nsenter", "--target", "1", "--mount", "--uts", "--ipc", "--net", "--pid", "--", "sh", "-c"]
         args:
           - |
-            nsenter --target 1 --mount --uts --ipc --net --pid -- sh -c "
+            if command -v ufw >/dev/null; then
+              ufw allow 8472/udp
+              ufw allow 80/tcp
+              ufw allow 443/tcp
+              ufw allow 8443/tcp
+              ufw allow 10250/tcp
               ufw allow from 10.42.0.0/16
               ufw allow from 10.43.0.0/16
               ufw allow from 172.16.0.0/12
               ufw allow from 192.168.0.0/16
               ufw allow from 10.0.0.0/8
-              ufw allow proto tcp from any to any port 80,443
-            "
-            while true; do sleep 3600; done
+              ufw allow from 37.60.237.100
+              ufw allow from 167.86.68.48
+              ufw allow from 95.111.235.130
+            elif command -v firewall-cmd >/dev/null; then
+              firewall-cmd --permanent --add-port=8472/udp
+              firewall-cmd --permanent --add-port=80/tcp
+              firewall-cmd --permanent --add-port=443/tcp
+              firewall-cmd --permanent --add-port=8443/tcp
+              firewall-cmd --permanent --add-port=10250/tcp
+              firewall-cmd --permanent --add-source=10.42.0.0/16
+              firewall-cmd --permanent --add-source=10.43.0.0/16
+              firewall-cmd --permanent --add-source=172.16.0.0/12
+              firewall-cmd --permanent --add-source=192.168.0.0/16
+              firewall-cmd --permanent --add-source=10.0.0.0/8
+              firewall-cmd --permanent --add-source=37.60.237.100
+              firewall-cmd --permanent --add-source=167.86.68.48
+              firewall-cmd --permanent --add-source=95.111.235.130
+              firewall-cmd --reload
+            fi
+            sleep 3600