feat: setup ansible semaphore

cluster/services/README.md

@@ -15,6 +15,7 @@ The following services are deployed by this section:
 - [`monitoring`](/cluster/services/monitoring/)
 - [`paperless`](/cluster/services/paperless/)
 - [`redis`](/cluster/services/redis/)
+- [`semaphore`](/cluster/services/semaphore/)
 - [`snapdrop`](/cluster/services/snapdrop/)
 - [`traefik`](/cluster/services/traefik/)
 - [`unifi`](/cluster/services/unifi/)

cluster/services/kustomization.yaml

@@ -17,6 +17,7 @@ resources:
   - paperless
   - plausible
   - redis
+  - semaphore
   - snapdrop
   - unbound
   - unifi

cluster/services/semaphore/README.md

@@ -0,0 +1,23 @@
+# `semaphore`
+
+## Introduction
+
+tbd
+
+## Created Resources
+
+| Kind                              | Name                |
+| --------------------------------- | ------------------- |
+| [`Namespace`][ref-namespace]      | `semaphore`         |
+| [`HelmRelease`][ref-helm-release] | `semaphore`         |
+| [`Secret`][ref-secret]            | `semaphore-secrets` |
+
+[ref-namespace]: https://kubernetes.io/docs/reference/kubernetes-api/cluster-resources/namespace-v1/
+[ref-helm-release]: https://fluxcd.io/docs/components/helm/helmreleases/
+[ref-secret]: https://kubernetes.io/docs/reference/kubernetes-api/config-and-storage-resources/secret-v1/
+
+## Links
+
+- [Documentation](https://docs.ansible-semaphore.com/)
+- [Helm Chart](https://charts.pascaliske.dev/charts/semaphore/)
+- [GitHub Repository](https://github.com/ansible-semaphore/semaphore)

cluster/services/semaphore/database/cluster.yaml

@@ -0,0 +1,21 @@
+---
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: postgresql
+  namespace: semaphore
+spec:
+  instances: 1
+  primaryUpdateStrategy: unsupervised
+  storage:
+    size: 1Gi
+  superuserSecret:
+    name: postgresql-superuser
+  bootstrap:
+    initdb:
+      database: semaphore
+      owner: semaphore
+      secret:
+        name: postgresql-user
+  monitoring:
+    enablePodMonitor: true

cluster/services/semaphore/database/kustomization.yaml

@@ -0,0 +1,7 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - cluster.yaml
+  - superuser.sops.yaml
+  - user.sops.yaml

cluster/services/semaphore/database/superuser.sops.yaml

@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: postgresql-superuser
+    namespace: semaphore
+type: kubernetes.io/basic-auth
+stringData:
+    username: ENC[AES256_GCM,data:1nAKwhBYtTo=,iv:HLbAZi/qC46m1QI1AyF+YW0OOpH9fFEO2QGG58wfIb4=,tag:SPc1K7U7Wakxu1E+zbFZrw==,type:str]
+    password: ENC[AES256_GCM,data:Uop1RSjtbk24eFL0ZRD3+qq3Uho32Ih5WVPzB/T/IjeIGKHKK94jPMiL,iv:rKX1AYD6braHxeirbUUFqTyGpeV/UxROIQio0O8BUt0=,tag:7gtWvOXscawyaSOb9WKxHA==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1znmsndwgl8f4wxn5ydl3f0gkcvcz5uqd5zeervevmmsaygwvrfysgx8xpp
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSBWbm5NeU44dkFPMERsQUxB
+            Rmd4WVdvYTJMeEVHL3BPRTNTSUVNNmRKY0RFClpLOWszQW1tSkgrTTVKSHFuTGtY
+            TUNtMm4xeVFDWFMwa3dLY2NjdjY2Mm8KLS0tIE9XSzl4Y3dlaHJiSHVCWFFQMVJD
+            MFRFOTUwZDlueG4zMVNUdHA0YjBGcEUKlF5J0me7Djyf2vHRwWQGy+BiVQvV4khb
+            c1xBwCSmjEoHRpZC493pQeIV20wFHfy+kS4iTwmgGiqsG+0O7xptLg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-11-15T04:33:40Z"
+    mac: ENC[AES256_GCM,data:OE2K8zBAgc3gHY7vk3DOGHa80AFWDonIlH6wz1oVrC579AIJU5ZBfDWC84eqQQAFyyvU6y63WIizIaPWpemliRV64E4fInF4FFzkG5DH9dOoMGpeYfq2qjZh2QFwBw0jj9t4/CggvpiINdNaMxtoW3PUaNvwHwzl+fxMItATP10=,iv:0LFFA7F8c1bdlGWzxETtQQsZJhnipmUkh1nKr3lKcQI=,tag:NIYS7/1ZFurCh/XjpD5rLw==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.8.1

cluster/services/semaphore/database/user.sops.yaml

@@ -0,0 +1,29 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: postgresql-user
+    namespace: semaphore
+type: kubernetes.io/basic-auth
+stringData:
+    username: ENC[AES256_GCM,data:0Nx7MiuScibi,iv:ZT5CqQ7Ths5e3C/SutG6UDMcXkq+QF0BlNX8WccPOR4=,tag:2jQN5klbYWhss3j81NEu6g==,type:str]
+    password: ENC[AES256_GCM,data:u7HHcormofnK+4j/p/hv1NrGcuOrlQLz+025fZisWM5k46nneEa/sFMQ,iv:FCAygS8BEojATJcnPrzYYqDpunjzg9MCOJJW+8siMKQ=,tag:SLU0HilZjDFVgSmcDAaaHg==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1znmsndwgl8f4wxn5ydl3f0gkcvcz5uqd5zeervevmmsaygwvrfysgx8xpp
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSAzWmdVaEQ2Y0NIK2J3R1Uy
+            UmZFOGFvekpBeTlKemcxUjVNQjlldVBVZUZNCnZ3U2NWMDdmT0Z3VG5BdzByREFi
+            RkczTlVxcyt3STJnZUNWZER3bzEvaGsKLS0tIHdueDlSUmJKREhPdWZxZ1k4ZWs2
+            emFiMjE5L3ByMGc1cFUwMkJGY0djZUEKXV+zDMQVAeCvmgOahxjCKHO1R6eqT/rM
+            uX8pxotFSAEsmEcZ9uc0ndyUE7RFH3YKcCBs9RHb6FcO8VikcGMMlQ==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-11-15T04:34:30Z"
+    mac: ENC[AES256_GCM,data:JMD+RQI1bA2eP/tQ1PgTFVhFUIbnYVBKu/uKsFfPj977B0TO4ave2ci9oatD1PV/8/p20MLfkRymWdi7WVhNOfWB2hvZjfZKyF9PZtoacVuYrxk/TnypwuVeKq8EOGYy8vSu6gtKEHIcpLysCGQlm/ykn3rCKp/qXgcBD5FgBCk=,iv:oHcvvm1vDiB9F3UvFIgYzgVlv2BU8kz/bOeAsfLBAqA=,tag:fR69q0SMrZGdiNAbvTK6vw==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.8.1

cluster/services/semaphore/helm-release.yaml

@@ -0,0 +1,60 @@
+---
+apiVersion: helm.toolkit.fluxcd.io/v2beta1
+kind: HelmRelease
+metadata:
+  name: semaphore
+  namespace: semaphore
+spec:
+  chart:
+    spec:
+      chart: semaphore
+      version: '0.0.1'
+      reconcileStrategy: ChartVersion
+      sourceRef:
+        kind: HelmRepository
+        name: pascaliske
+        namespace: flux-system
+  install:
+    createNamespace: true
+  values:
+    image:
+      repository: semaphoreui/semaphore
+      tag: 'v2.10.35'
+    env:
+      - name: TZ
+        value: ${TIMEZONE}
+      - name: SEMAPHORE_DB_DIALECT
+        value: postgres
+      - name: SEMAPHORE_DB_HOST
+        value: postgresql-rw
+      - name: SEMAPHORE_DB_PORT
+        value: '5432'
+      - name: SEMAPHORE_DB_USER
+        valueFrom:
+          secretKeyRef:
+            name: postgresql-user
+            key: username
+      - name: SEMAPHORE_DB_PASS
+        valueFrom:
+          secretKeyRef:
+            name: postgresql-user
+            key: password
+      - name: SEMAPHORE_DB
+        value: semaphore
+      - name: SEMAPHORE_DB_OPTIONS
+        value: '{ "sslmode": "disable" }'
+      - name: SEMAPHORE_ADMIN
+        value: ${SEMAPHORE_ADMIN_USER}
+      - name: SEMAPHORE_ADMIN_NAME
+        value: ${SEMAPHORE_ADMIN_NAME}
+      - name: SEMAPHORE_ADMIN_EMAIL
+        value: ${SEMAPHORE_ADMIN_EMAIL}
+      - name: SEMAPHORE_ADMIN_PASSWORD
+        value: ${SEMAPHORE_ADMIN_PASSWORD}
+      - name: SEMAPHORE_ACCESS_KEY_ENCRYPTION
+        valueFrom:
+          secretKeyRef:
+            name: semaphore-secrets
+            key: SEMAPHORE_ACCESS_KEY_ENCRYPTION
+  interval: 10m0s
+

cluster/services/semaphore/kustomization.yaml

@@ -0,0 +1,8 @@
+---
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - database
+  - namespace.yaml
+  - secret.sops.yaml
+  - helm-release.yaml

cluster/services/semaphore/namespace.yaml

@@ -0,0 +1,5 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+  name: semaphore

cluster/services/semaphore/secret.sops.yaml

@@ -0,0 +1,28 @@
+apiVersion: v1
+kind: Secret
+metadata:
+    name: semaphore-secrets
+    namespace: semaphore
+type: Opaque
+stringData:
+    SEMAPHORE_ACCESS_KEY_ENCRYPTION: ENC[AES256_GCM,data:Fta5564cl1XO71fKuzoTA4UcWEFgzmMsA6NHFr/3f4sJRzqkEcX2r+mffj4=,iv:s8Amdj9jY2CQ+nAc8TwYPt/aVa1tUAdkw5bE6UAR7Ro=,tag:DpI8VJ2zmakl6Fqzf4nEHQ==,type:str]
+sops:
+    kms: []
+    gcp_kms: []
+    azure_kv: []
+    hc_vault: []
+    age:
+        - recipient: age1znmsndwgl8f4wxn5ydl3f0gkcvcz5uqd5zeervevmmsaygwvrfysgx8xpp
+          enc: |
+            -----BEGIN AGE ENCRYPTED FILE-----
+            YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSB2Y3NhOUMzUDZpZk56TEtv
+            cTNaWXVFVDUvdExUZUhUR1cveEtKTzhsb0VvCmRNQmxsT050djJPWlVGSjI2Unpt
+            NmZMSktoUFdxVXFZTEVNTmhKSmJVaGcKLS0tIHlWZVVMV1daRnRQczRMUFZNRmQv
+            U2Z1YkxNSVFKbS80OTcwZFVyMURBSkUK6LOuTnE+X+EatFQ3hiCMPbJJCWTsL0qf
+            xS59yJUlVpaVw8k5MU63BEHXogOwwcqB/Yc1IB89ytKtoWq+OVC/yg==
+            -----END AGE ENCRYPTED FILE-----
+    lastmodified: "2023-11-15T04:44:07Z"
+    mac: ENC[AES256_GCM,data:9ij0YWrR/rnnmythg/A6ZZE/sYJV4ovaJ25t5WUesAw2hFQB37J/fft5mqmZ1J3r9iL5L9Yy0JFO3qNI+u35AJDFSKLWGiKqPJJ5f70rwtMUxsGDSETsVA3ssftB1kT4GnDMo2T17xtE9SosFP+I8sSlfDZTyZmPv328sT2AR8s=,iv:The5ohxw+56w0L27ZQE9zJpxZRE+QxRiTmqvRp6+JIc=,tag:G00r2x0PvV7PbB4ZQPhPWQ==,type:str]
+    pgp: []
+    encrypted_regex: ^(data|stringData)$
+    version: 3.8.1

mkdocs.yml

@@ -99,6 +99,7 @@ nav:
           - paperless: cluster/services/paperless/index.md
           - plausible: cluster/services/plausible/index.md
           - redis: cluster/services/redis/index.md
+          - semaphore: cluster/services/semaphore/index.md
           - snapdrop: cluster/services/snapdrop/index.md
           - unbound: cluster/services/unbound/index.md
           - unifi: cluster/services/unifi/index.md