diff --git a/apps/authentik/authentik-postgres-credentials.yaml b/apps/authentik/authentik-postgres-credentials.yaml
deleted file mode 100644
index 822f5ab..0000000
--- a/apps/authentik/authentik-postgres-credentials.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-apiVersion: v1
-data:
- password: ENC[AES256_GCM,data:a7nwc49lItIjjg6f7Vaz6Kyyb4CgwMmudHpsQAY39539fvCWtYjsoQzEqEXZdcwPyqB2qlOHewXcStBgG1B1iKKZhqE=,iv:yK9EZWhBNLm9lNs7V7Fm2MQWv3Lfb1o34P25+p00FgQ=,tag:ie24X9bcK1NdxZWhEKITHw==,type:str]
- username: ENC[AES256_GCM,data:VmGN5YxRGZcS/EWy,iv:QKGSkxBSfMusEkl3sS1m3KQREvwUCP0aag8u7VPzWxo=,tag:zXthxvtKBex3XpRqO6Qcyg==,type:str]
-kind: Secret
-metadata:
- name: authentik-postgres-credentials
- namespace: authentik
-sops:
- age:
- - recipient: age1s0206tnfaaw849x5xmt95axgu8qhxzlu5ywrwz09tpt8lwpx858q089nq9
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBkZFlqTWZzTVNOV294bXF5
- MEFFWGNXZkN6YjgrdGx2NkZyMHVWN25KSm5rCmxBQzNsSk53bDZiK3RQUCtYbjRu
- NVUwZHJPSUhZTnEvdmNYNENSR1NSTTgKLS0tIFlmMTRSOWlKU1dYT0ZQQW1yTGx5
- dWt0TXRDZ2VVVjREYjIvdTFUcVNxYjAKVYa8GZoKORII5nN0590OWzdbyoXe6Eyi
- mRKUxtVsbhCPtfabQGn/tu40g7A9CFcWh51geIGewkTVmVlx0ulv/Q==
- -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-12-17T20:32:24Z"
- mac: ENC[AES256_GCM,data:N81ubg0zmCZpZKa+Z/IJZunsUUT8dZrWfp48cBNLg5GPr1O2SrvFUPo+ZWSDLRWWgea5E00kU1luDHcnTuHtjSF457anCc1LpezJnIIfPHQBE7wIrWkZMW1QYsScZhtNvkDf1LhXuo2JZnRkAZ249JzzPEYxy+GjLXU3hNaaeyw=,iv:V6Op3ZA9Rw2g20gzZapZt7GfnW7TW988psIIDlwxzaE=,tag:anOAkNKfUFhmntDH/i/v2w==,type:str]
- encrypted_regex: ^(data|stringData)$
- version: 3.11.0
diff --git a/apps/authentik/authentik-secret-key.yaml b/apps/authentik/authentik-secret-key.yaml
deleted file mode 100644
index 5a6da4d..0000000
--- a/apps/authentik/authentik-secret-key.yaml
+++ /dev/null
@@ -1,22 +0,0 @@
-apiVersion: v1
-data:
- key: ENC[AES256_GCM,data:0YHxGccmrLh2LFfAeySEqdfuE35FfzsAVI/XNcKKWKUS4HZ5sKUVy8PLSrl99nZRtC66Vj2Vsj/Zj+Ir/3/n8Vzhy04=,iv:whuMt5eTvp962tNisNDc5ygBaCzRs1MwBtOxWP+atv8=,tag:mcerAaPbzujtI25tPLETnQ==,type:str]
-kind: Secret
-metadata:
- name: authentik-secret-key
- namespace: authentik
-sops:
- age:
- - recipient: age1s0206tnfaaw849x5xmt95axgu8qhxzlu5ywrwz09tpt8lwpx858q089nq9
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBhRlB4Vjg5cU1QWWovRTFW
- M1Q0cmpaWkNUek54T1VheGxMbVlIeUlybjMwCnVTY2VLTXVSbEpUc0lTRUtETUV3
- TGRmVDB5cnhpU2k2YkNuL3d6OTVETW8KLS0tIDZoNjlTVERvR1FSczB5d09IVnpl
- QnloYTFKNGdyR3FuS3N2WjVVVGFKRWsKd8MPL8raiwfz/fLsjL76tdeCBDu/cirV
- DKFx+Tu8KTugK6gGteXA2/PHZPEB/U9Zh1OD3t6AdPZMQJaiNKq/4Q==
- -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-12-17T20:36:08Z"
- mac: ENC[AES256_GCM,data:RlZUTVt/3acp5BX92MI3USohXoAlZy8QAgr0HwLu0IMc+gUcykCXV/voYSJgIQlHhKDo/Jwa0+KhU3DLT/9GS4UF/E2GCJhj9t9DlagnchLxxJXYyP/7FPUkoOfDKmG1Sc2Gq3i/gTVklzQ0DpwQflF0F50BLDv1FqxUD84jVoI=,iv:T/Hd0kenM4LikCB9mkSrFMVD1UeA+Dvwi+3TLziwsdI=,tag:rfosFTQZo695lnznWC8JcQ==,type:str]
- encrypted_regex: ^(data|stringData)$
- version: 3.11.0
diff --git a/apps/authentik/cluster.yaml b/apps/authentik/cluster.yaml
deleted file mode 100644
index ebc3638..0000000
--- a/apps/authentik/cluster.yaml
+++ /dev/null
@@ -1,57 +0,0 @@
-apiVersion: postgresql.cnpg.io/v1
-kind: Cluster
-metadata:
- name: postgres-cluster
- namespace: authentik
- annotations:
- # needed to allow for recovery from same name cluster backup
- cnpg.io/skipEmptyWalArchiveCheck: enabled
-spec:
- instances: 2
-
- managed:
- roles:
- - name: authentik
- superuser: true
- login: true
-
- bootstrap:
- # initdb:
- # database: authentik
- # owner: authentik
- # secret:
- # name: authentik-postgres-credentials
- # NOTE: uncomment this and commend the above initdb when recovering
- recovery:
- source: postgres-cluster
-
- storage:
- size: 8Gi
- storageClass: longhorn-pg
-
- externalClusters:
- - name: postgres-cluster
- barmanObjectStore:
- destinationPath: "s3://mthomson-cnpg-backup/authentik/"
- endpointURL: "https://s3.ca-central-1.wasabisys.com"
- s3Credentials:
- accessKeyId:
- name: wasabi-secret
- key: ACCESS_KEY_ID
- secretAccessKey:
- name: wasabi-secret
- key: ACCESS_SECRET_KEY
-
- backup:
- barmanObjectStore:
- destinationPath: "s3://mthomson-cnpg-backup/authentik/"
- endpointURL: "https://s3.ca-central-1.wasabisys.com"
- s3Credentials:
- accessKeyId:
- name: wasabi-secret
- key: ACCESS_KEY_ID
- secretAccessKey:
- name: wasabi-secret
- key: ACCESS_SECRET_KEY
- retentionPolicy: "10d"
-
diff --git a/apps/authentik/release.yaml b/apps/authentik/release.yaml
deleted file mode 100644
index f279df2..0000000
--- a/apps/authentik/release.yaml
+++ /dev/null
@@ -1,69 +0,0 @@
-apiVersion: helm.toolkit.fluxcd.io/v2
-kind: HelmRelease
-metadata:
- name: authentik
- namespace: authentik
-spec:
- chart:
- spec:
- chart: authentik
- version: 2025.8.4
- sourceRef:
- kind: HelmRepository
- name: authentik
- interval: 15m
- releaseName: authentik
- values:
- authentik:
- secret_key: file:///secret-key/key
- postgresql:
- host: postgres-cluster-rw
- user: file:///postgres-creds/username
- password: file:///postgres-creds/password
- server:
- ingress:
- enabled: true
- ingressClassName: traefik
- annotations:
- cert-manager.io/cluster-issuer: "letsencrypt-prod"
- external-dns.alpha.kubernetes.io/target: michaelthomson.ddns.net
- external-dns.alpha.kubernetes.io/cloudflare-proxied: "true"
- traefik.ingress.kubernetes.io/router.tls: "true"
- traefik.ingress.kubernetes.io/router.entrypoints: websecure
- hosts:
- - authentik.michaelthomson.dev
- tls:
- - secretName: authentik-tls
- hosts:
- - authentik.michaelthomson.dev
- volumes:
- - name: postgres-creds
- secret:
- secretName: authentik-postgres-credentials
- - name: secret-key
- secret:
- secretName: authentik-secret-key
- volumeMounts:
- - name: postgres-creds
- mountPath: /postgres-creds
- readOnly: true
- - name: secret-key
- mountPath: /secret-key
- readOnly: true
- worker:
- env:
- - name: AUTHENTIK_SECRET_KEY
- valueFrom:
- secretKeyRef:
- name: authentik-secret-key
- key: key
- volumes:
- - name: postgres-creds
- secret:
- secretName: authentik-postgres-credentials
- volumeMounts:
- - name: postgres-creds
- mountPath: /postgres-creds
- readOnly: true
- redis:
- enabled: true
diff --git a/apps/authentik/repository.yaml b/apps/authentik/repository.yaml
deleted file mode 100644
index f7f3ea3..0000000
--- a/apps/authentik/repository.yaml
+++ /dev/null
@@ -1,8 +0,0 @@
-apiVersion: source.toolkit.fluxcd.io/v1
-kind: HelmRepository
-metadata:
- name: authentik
- namespace: authentik
-spec:
- interval: 15m
- url: https://charts.goauthentik.io/
diff --git a/apps/authentik/scheduled-backup.yaml b/apps/authentik/scheduled-backup.yaml
deleted file mode 100644
index b22bf03..0000000
--- a/apps/authentik/scheduled-backup.yaml
+++ /dev/null
@@ -1,11 +0,0 @@
-apiVersion: postgresql.cnpg.io/v1
-kind: ScheduledBackup
-metadata:
- name: scheduled-backup
- namespace: authentik
-spec:
- schedule: "0 0 0 * * *"
- backupOwnerReference: self
- #immediate: true
- cluster:
- name: postgres-cluster
diff --git a/apps/authentik/wasabi-secret.yaml b/apps/authentik/wasabi-secret.yaml
deleted file mode 100644
index cfcfb6f..0000000
--- a/apps/authentik/wasabi-secret.yaml
+++ /dev/null
@@ -1,23 +0,0 @@
-apiVersion: v1
-data:
- ACCESS_KEY_ID: ENC[AES256_GCM,data:cJS1WkKlhgbWGqgOhFs9xjqriMIyGwaSq2W1tQ==,iv:5qj9+BjOPGvVFg9gIH9128nlOaQ27KMgjlIPIMF51IE=,tag:m80qHYyAbXGt1AGe+cXUuQ==,type:str]
- ACCESS_SECRET_KEY: ENC[AES256_GCM,data:E1/lSR0Crdjt/N0BV0d7PgKSn00sKkNd9s4qsknK3MO4W3JSkwE2g4HyJvbjwDEmWZck7dB//WE=,iv:VoLSzFxrdGKKOVVNE8iiQtGS67yJYjknlxz4fs/DDJI=,tag:aPJEsutmqMobr+vXSCJ62g==,type:str]
-kind: Secret
-metadata:
- name: wasabi-secret
- namespace: authentik
-sops:
- age:
- - recipient: age1s0206tnfaaw849x5xmt95axgu8qhxzlu5ywrwz09tpt8lwpx858q089nq9
- enc: |
- -----BEGIN AGE ENCRYPTED FILE-----
- YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBEQzVzc1EzaWsvWWlXa2tu
- U1NXVFh4TDhuUXZZcXNHVVBBeUR5Y2RvT2pRCnZPL0t5RVMyVzRVeTluYVhZNkJT
- ZjF0S2lsUWFvdTdFaXVGZ2NlOHVGUm8KLS0tIGZVR3lUT2ltR0pLUU4yT1BTWTZW
- UkZiNmNPbUMvRUs3dDVDNjBnb0htM2cKvsfEiaSE2A5R+pvb0UoaPmvSFMQR2GDi
- DBJ+OyMFhz0HxQO31/yrlZGcVxBKq/Q4DXD1zDtWapQ3ds/OBjxHlg==
- -----END AGE ENCRYPTED FILE-----
- lastmodified: "2025-12-17T20:36:08Z"
- mac: ENC[AES256_GCM,data:s9DcnPm61QEc8v+VxeCMYlpbEY5XkgciP1f1Mrprix23FoBJOnLn3sJlCc1Ew6tZE4ilyhr6rK6CJA0Aqsvfro5dS0wQUI1CuDjS4+yx1ANfZzxICYNSIHXVhQiSIQ5g0ANaUVvzaj7pBKA/FvV+BTav2UbdDRUGNVsmZY5NZ5g=,iv:oJ8THhyCaB7+sBwqh9fpLIulKMWTDHdLKSZjMAZFDxo=,tag:IhpmqbLYUE9QCS1B28pdZQ==,type:str]
- encrypted_regex: ^(data|stringData)$
- version: 3.11.0
diff --git a/apps/media/bazarr/ingress.yaml b/apps/media/bazarr/ingress.yaml
index 4c00294..851ad3f 100644
--- a/apps/media/bazarr/ingress.yaml
+++ b/apps/media/bazarr/ingress.yaml
@@ -7,7 +7,6 @@ metadata:
 cert-manager.io/cluster-issuer: "letsencrypt-prod"
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
 traefik.ingress.kubernetes.io/router.tls: "true"
- # traefik.ingress.kubernetes.io/router.middlewares: authentik-bazarr@kubernetescrd
 spec:
 rules:
 - host: bazarr.michaelthomson.dev
diff --git a/apps/media/prowlarr/ingress.yaml b/apps/media/prowlarr/ingress.yaml
index ce54f9c..2edc71c 100644
--- a/apps/media/prowlarr/ingress.yaml
+++ b/apps/media/prowlarr/ingress.yaml
@@ -7,7 +7,6 @@ metadata:
 cert-manager.io/cluster-issuer: "letsencrypt-prod"
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
 traefik.ingress.kubernetes.io/router.tls: "true"
- # traefik.ingress.kubernetes.io/router.middlewares: authentik-prowlarr@kubernetescrd
 spec:
 rules:
 - host: prowlarr.michaelthomson.dev
diff --git a/apps/media/radarr/ingress.yaml b/apps/media/radarr/ingress.yaml
index 103b753..72ad88a 100644
--- a/apps/media/radarr/ingress.yaml
+++ b/apps/media/radarr/ingress.yaml
@@ -7,7 +7,6 @@ metadata:
 cert-manager.io/cluster-issuer: "letsencrypt-prod"
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
 traefik.ingress.kubernetes.io/router.tls: "true"
- # traefik.ingress.kubernetes.io/router.middlewares: authentik-radarr@kubernetescrd
 spec:
 rules:
 - host: radarr.michaelthomson.dev
diff --git a/apps/media/sonarr/ingress.yaml b/apps/media/sonarr/ingress.yaml
index 12d933c..0881880 100644
--- a/apps/media/sonarr/ingress.yaml
+++ b/apps/media/sonarr/ingress.yaml
@@ -7,7 +7,6 @@ metadata:
 cert-manager.io/cluster-issuer: "letsencrypt-prod"
 traefik.ingress.kubernetes.io/router.entrypoints: websecure
 traefik.ingress.kubernetes.io/router.tls: "true"
- # traefik.ingress.kubernetes.io/router.middlewares: authentik-sonarr@kubernetescrd
 spec:
 rules:
 - host: sonarr.michaelthomson.dev
diff --git a/bootstrap/apps/kustomization-authentik.yaml b/bootstrap/apps/kustomization-authentik.yaml
deleted file mode 100644
index 7a78795..0000000
--- a/bootstrap/apps/kustomization-authentik.yaml
+++ /dev/null
@@ -1,19 +0,0 @@
-apiVersion: kustomize.toolkit.fluxcd.io/v1
-kind: Kustomization
-metadata:
- name: authentik
- namespace: flux-system
-spec:
- interval: 15m
- path: ./apps/authentik
- prune: true # remove any elements later removed from the above path
- wait: true
- sourceRef:
- kind: GitRepository
- name: flux-system
- decryption:
- provider: sops
- secretRef:
- name: sops-age
- dependsOn:
- - name: infra-configs
diff --git a/infrastructure/namespaces/namespace-authentik.yaml b/infrastructure/namespaces/namespace-authentik.yaml
deleted file mode 100644
index bb24d8d..0000000
--- a/infrastructure/namespaces/namespace-authentik.yaml
+++ /dev/null
@@ -1,4 +0,0 @@
-apiVersion: v1
-kind: Namespace
-metadata:
- name: authentik