Restructure deployments

apps/base/authelia/base-release.yaml

@@ -0,0 +1,17 @@
+# /apps/base/authelia/base-release.yaml
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: authelia
+  namespace: auth
+spec:
+  interval: 12h
+  chart:
+    spec:
+      chart: authelia
+      version: 0.8.58
+      sourceRef:
+        kind: HelmRepository
+        name: authelia
+        namespace: auth
+      interval: 12h

apps/base/authelia/kustomization.yaml

@@ -0,0 +1,8 @@
+# /apps/base/authelia/kustomization.yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: auth
+
+resources:
+- namespace.yaml
+- repository.yaml

apps/base/authelia/namespace.yaml

@@ -0,0 +1,5 @@
+# /apps/base/authelia/namespace.yaml
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: auth

apps/base/authelia/repository.yaml

@@ -0,0 +1,9 @@
+# /apps/base/authelia/repository.yaml
+apiVersion: source.toolkit.fluxcd.io/v1
+kind: HelmRepository
+metadata:
+  name: authelia
+  namespace: auth
+spec:
+  interval: 24h
+  url: https://charts.authelia.com

apps/prod/authelia/forward-auth-middleware.yaml

@@ -0,0 +1,15 @@
+# /apps/prod/authelia/forward-auth-middleware.yaml
+apiVersion: traefik.containo.us/v1alpha1
+kind: Middleware
+metadata:
+  name: authelia
+  namespace: auth
+spec:
+  forwardAuth:
+    address: 'http://authelia.auth.svc.cluster.local/api/verify?rd=https://auth.example.com'
+    trustForwardHeader: true
+    authResponseHeaders:
+    - "Remote-User"
+    - "Remote-Groups"
+    - "Remote-Email"
+    - "Remote-Name"

apps/prod/authelia/ingress.yaml

@@ -0,0 +1,15 @@
+# /apps/prod/authelia/ingress.yaml
+apiVersion: traefik.containo.us/v1alpha1
+kind: IngressRoute
+metadata:
+  name: authelia-ingress
+  namespace: auth
+spec:
+  entryPoints:
+    - websecure
+  routes:
+  - match: Host(`auth.example.com`)
+    kind: Rule
+    services:
+    - name: authelia
+      port: 80

apps/prod/authelia/kustomization.yaml

@@ -0,0 +1,17 @@
+# /apps/prod/authelia/kustomization.yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+namespace: auth
+
+resources:
+  - ../../base/authelia
+  - release.yaml
+  - ingress.yaml
+  - forward-auth-middleware.yaml
+  - users-database.enc.yaml
+
+configMapGenerator:
+  - name: authelia-prod-values
+    namespace: auth
+    files:
+      - values.yaml

apps/prod/authelia/release.yaml

@@ -0,0 +1,20 @@
+# /apps/prod/authelia/release.yaml
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: authelia
+  namespace: auth
+spec:
+  interval: 12h
+  chart:
+    spec:
+      chart: authelia
+      version: 0.9.14
+      sourceRef:
+        kind: HelmRepository
+        name: authelia
+        namespace: auth
+      interval: 12h
+  valuesFrom:
+    - kind: ConfigMap
+      name: authelia-prod-values

apps/prod/authelia/users-database.enc.yaml

@@ -0,0 +1,29 @@
+# /apps/prod/authelia/users-database.enc.yaml
+apiVersion: v1
+kind: Secret
+metadata:
+    name: authelia-users-secret
+    namespace: auth
+type: Opaque
+stringData:
+    users_database.yaml: ENC[AES256_GCM,data:kCe/p6wjRyeyGOtZCLUdatbFpDoDeFg5aKOh6aqsSDzqpojrflRpzOHhrvVaA827BPDB1TWgY+ab0eW3V/p5WOjDusxj4xejAJneyDI1Zmqc/tA2eNCKsl/ppSLZnFPPKB0hNyWytjCPauQnWGePFL74Jp21VUTkgSIKgEKOO5yVva1MG1qa4QR2ZcR7dE3izyUZ70PWeqCXYWT+Rrg+Eii8KT1TyzGMxFZQjpEbZrEgBWI/IXg4NHg09Rn48Ld/sdIY77VygJQ5VnrqX3invaxRQzB8VPrsqJsGwD54qw==,iv:9Yx2ySDyQmCeM6Q184rt7UbKDOTfN/EMfH+gqDTrkJw=,tag:NeH3Sd//N8/5TpNQZoETGA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1jk99rtxq3ep2xj2w886cchddf7jypqpwkr3dszg5dzq93gn8cy9qyc786m
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzamNJTXRlWktFSHB5czBN
+            MlVpL0tvWnNqY3ByUUROQWhnZUFsMXh0d244CmVzVjF0TGxaQktPaVdEQWxXSENI
+            Z3d4R2tnU0hPZzcrQU9qZHhiZ0xuRWMKLS0tIGc2QzI0SGdLSUNvMno3N01McGEx
+            ckhDNnFseG9EVVhmb1g2MThGZW1XU00K7KPnIX5XEbr3FpYK4imZtiS5yhbdyz9e
+            yDh+InbeGbb0C6e1g4P1wRI2iL5yLf/LUOWWbLiCa8ImDKNT2V2OQw==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2024-09-23T20:46:34Z"
+    mac: ENC[AES256_GCM,data:bdM7zuVu2VOxYACn+yNel0eUOrprDXZwNTBytzvhhm/4w53mylNpSVFxI4Eq7bnSUWmjnPceg25+7B/EvS6NClKul+n8WKa+Z8O4OCCTsvFYTMkaBMDr3bsaazfdKBrR9Nd18cHHTy1caRJDrFNDzHCNwAGQalwAXAt+biE0cJE=,iv:dswTDf7mYxzYeTKj3dAApvcFP6CwzRVGpfihqKYBeQQ=,tag:lZzKVIJ1JFCStmeQuO+Gpg==,type:str]
+    pgp: []
+    unencrypted_regex: ^(apiVersion|metadata|kind|type)$
+    version: 3.9.0

apps/prod/authelia/values.yaml

@@ -0,0 +1,38 @@
+# /apps/prod/authelia/values.yaml
+domain: 'example.com'
+configMap:
+  authentication_backend:
+    file:
+      enabled: true
+      path: /users/users_database.yaml
+      password:
+        algorithm: argon2
+    ldap:
+      enabled: false
+  access_control:
+    rules:
+      - domain: '*.example.com'
+        policy: one_factor
+  session:
+    redis:
+      enabled: false
+  storage:
+    local:
+      enabled: true
+      path: /config/db.sqlite3
+    postgres:
+      enabled: false
+  notifier:
+    smtp:
+      enabled: false
+    filesystem:
+      enabled: true
+
+pod:
+  extraVolumeMounts:
+  - name: authelia-users-vol
+    mountPath: /users
+  extraVolumes:
+  - name: authelia-users-vol
+    secret:
+      secretName: authelia-users-secret

apps/prod/kustomization.yaml

@@ -0,0 +1,6 @@
+# apps/prod/kustomization.yaml
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - authelia
+  - gitea