Start repo reorganization with cert-manager

infra/cert-manager/helm-release.yaml

@@ -0,0 +1,29 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: cert-manager
+spec:
+  chart:
+    spec:
+      chart: cert-manager
+      reconcileStrategy: ChartVersion
+      sourceRef:
+        kind: HelmRepository
+        name: jetstack
+      version: v1.15.3
+  interval: 1m0s
+  values:
+    installCRDs: true
+    replicaCount: 2
+    webhook:
+      replicaCount: 2
+    cainjector:
+      replicaCount: 2
+    extraArgs:
+      - --dns01-recursive-nameservers=1.1.1.1:53,9.9.9.9:53
+      - --dns01-recursive-nameservers-only
+    podDnsPolicy: None
+    podDnsConfig:
+      nameservers:
+        - "1.1.1.1"
+        - "9.9.9.9"

infra/cert-manager/helm-repository.yaml

@@ -0,0 +1,7 @@
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: jetstack
+spec:
+  interval: 1m0s
+  url: https://charts.jetstack.io

infra/cert-manager/namespace.yaml

@@ -0,0 +1,4 @@
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: cert-manager

infra/letsencrypt/certificate-huizinga-dev.yaml

@@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: huizinga-dev
+  namespace: default
+spec:
+  secretName: huizinga-dev-tls
+  issuerRef:
+    name: letsencrypt
+    kind: ClusterIssuer
+  commonName: "huizinga.dev"
+  dnsNames:
+    - "huizinga.dev"
+    - "*.huizinga.dev"

infra/letsencrypt/certificate-staging-huizinga-dev.yaml

@@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: staging-huizinga-dev
+  namespace: default
+spec:
+  secretName: staging-huizinga-dev-tls
+  issuerRef:
+    name: letsencrypt
+    kind: ClusterIssuer
+  commonName: "staging.huizinga.dev"
+  dnsNames:
+    - "staging.huizinga.dev"
+    - "*.staging.huizinga.dev"

infra/letsencrypt/cluster-issuer.yaml

@@ -0,0 +1,17 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: letsencrypt
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: tim.huizinga@gmail.com
+    privateKeySecretRef:
+      name: letsencrypt
+    solvers:
+      - dns01:
+          cloudflare:
+            email: tim.huizinga@gmail.com
+            apiTokenSecretRef:
+              name: cloudflare-token
+              key: token

infra/letsencrypt/secret-cloudflare-token.yaml

@@ -0,0 +1,60 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: cloudflare-token
+    namespace: cert-manager
+type: Opaque
+stringData:
+    token: ENC[AES256_GCM,data:1QSjQJrky3AOQv9Bf8ifvfgeYCh3DvPtCWNLKEY/eEpzPsJKD7MYwQ==,iv:MbWKNj13K25TiP1MPfJMaM1P3Qpy3TE+dWnbF5Gpr3Y=,tag:IMRRhh2nwT40rjVDAgBhrw==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age: []
+    lastmodified: "2025-02-15T21:24:33Z"
+    mac: ENC[AES256_GCM,data:Dfy6zbFciru6hAt48FtpnAlVTkEqkQR2BnpaVJ8DEd3SEk9uYx1tPKG3hSI8xi2JkltVY0tmETf79mYqnmhRUy/cUo25wsUp3anaXYM2vp+Jiqu3EjVjsJrvVPUhHCnWrZ0UGZ/xicCuC15JKw8grsTuQxFaTxswJBCRtc7C0jI=,iv:E3NSnxhMxasAcmYerZCyAN8N1spSN+OfwzKvB8g7MFs=,tag:cQ/0/Lp408pQUVSeLm2hQQ==,type:str]
+    pgp:
+        - created_at: "2024-09-26T22:20:01Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA7pKPTYH5bqOARAAl2y4yZJGsWORJ5jd2CopSW6yx8IsHqLKq3khYxHkPamu
+            gjItOM/Gqep1QCJr4kxTkO7P0MaYi7ZGinuhishYu4xy1mom8WzJs/rA2cjW1UbF
+            m8GoUGypaPtSsR1nQufgrO6JbIch3Tr498wBD7SvXIWTFpooalcERvVB3F4T4CeT
+            gXIk+vSjvXkCmx4jgAVhpj249HQOk9nyX35UzcjaSOzYm9/vfs3vFRq8FXNRkGff
+            +Ui/os4xTB4GiLgnvQ7t8FYTqvDfMVwgKI6VkOplpnP50mmTdKYRVe79Awvq1+/V
+            UkkSHxmw5Zqj7nv8MoKIlYk2g+14NLz57i4zs2vK3cNqDAqezub7r/LRDcm5Haqp
+            ZmI8B6VUNhveI7hKjm8ssMlOz6x3s7hvex6e+AWRqvbknusXXCiI9dhL73TXXmeZ
+            yceIlg5T67PY2ysbpfuToyg6ihbkMo0bM1m/lQpA94yRx6EKO75AHvBaGxgDggSr
+            Q8/DM3J729yqjHvXLL+2YGXVlRSpMlWb+AYi4YLmB/rsT2wBlPWE7m0c3/xQA3ld
+            5b/CW/2JOfXlwnooXEMFICr9ExFeiOv4RTnNahOTVscnIsi5jSlYPkhWwKm6ughy
+            oahJRi6wb6sJrleoPKRea+Pwh2qdEaQE/nFeBZeMMZxyLySQmkWoXJET7HQR3szU
+            aAEJAhBFZF84NkBuqmo+A7z055hz1tEJSnjO6eZ/+jvX9pPkrAv/CqW9C8UeG3vt
+            a6/XjnRVr38ZKAtNt3ebFwjzKZDLVyrANycnEp1PV7Pc8QvltJ88VS/wmWSP9Hj0
+            BA11vpb7XvkU
+            =XmSy
+            -----END PGP MESSAGE-----
+          fp: 1E0CF38FF7C9ADAED58B436ABA4A3D3607E5BA8E
+        - created_at: "2024-09-26T22:20:01Z"
+          enc: |-
+            -----BEGIN PGP MESSAGE-----
+
+            hQIMA51kG++kLewoAQ/+M1BLbAVU8kVgx/atZnWwjZtjukEc8vOFw4n9tscq0Dm3
+            UzoOpbM1kaq5Hq8+e1mVFXMWLYgHnKjeSwBSiRCmZgFfvzPK63E5c6ZorKniTneZ
+            T7BJwxmtEF8JG+N9O2SHmto4cWZcrHvmWS5jJ5ybUFlMiFp6z7fPBuOzhKvTMBsc
+            IFHBBF0eMANUGwlpXuYJMTUECnFjvIxu/UXPMVBZ1HWHbIewYTRWXPQXeDxlJyk6
+            YgtGChBZ8KRYNqX1kBi5AyIdjWA9+wrMtTVTghC+1eBTOm8TsmN280KBmB512li1
+            HgexbmQkgItlJwyOV/7MTo19yzve72yYlqoIv3BSrwYfr0NDaQM0mhLAwcHC2R1R
+            IAOzajlHtgbr3XBW0BxWMC4Ch23CatZE4WJlu/CJ07+aMCsSV4L+da7wopt0A9dx
+            og0aPjUGq3MFmSet0kJKLJHS1JBSjf0LVnQjB5A451Wmndpoc2gZSpNtM4I2e2+7
+            xe6RUB6oYjRyB0t771UMQ3sQrSN3cn2c8yuijLep837yvNqpRBR4bbc2XJdZIOMw
+            sKEGIAMyJjCagQJa4c2YY0fksVSnhnYzjklfsx+PAvsW9EiWo26Vldp4zHYsVALD
+            7yKAWGupRTTB2mTXg9wvoKRkOY8A3Lb9aG+xnrf967nJt9nCV9hPXs959dVw9+jS
+            XgFCzdWtznuFA5wPJA3ko6lqLnE1HCIdgAo5ovQ4y3K9jkoVJsS2ADAnEy9Ac2uk
+            uds32S29PQ9o+ReAIQKvTzFNmKSLbcsK/z6rGLh0WdqmqWg6kVidWvktDQHY86E=
+            =cW8j
+            -----END PGP MESSAGE-----
+          fp: 49F10679C425233EFB4B1B6F9D641BEFA42DEC28
+    encrypted_regex: ^(data|stringData)$
+    version: 3.9.1