From 8e444f9f2f378f26f3de495f8d5f8ed40b1b725f Mon Sep 17 00:00:00 2001
From: Morten Olsen
Date: Tue, 25 Nov 2025 20:29:51 +0100
Subject: [PATCH] add environment

---
 Makefile | 17 ++++++----
 environment/cloudflare-issuer.yaml | 23 +++++++++++++
 .../cloudflare-issuer/certificate.yaml | 13 ++++++++
 .../cloudflare-issuer/cluster-issuer.yaml | 19 +++++++++++
 .../cloudflare-issuer/kustomization.yaml | 17 ++++++++++
 environment/environment-project.yaml | 19 +++++++++++
 environment/istio-gateway.yaml | 33 +++++++++++++++++++
 environment/kustomization.yaml | 9 +++++
 environment/postgres-cluster.yaml | 21 ++++++++++++
 environment/postgres-cluster/cluster.yaml | 31 +++++++++++++++++
 .../postgres-cluster/kustomization.yaml | 5 +++
 environment/root-application.yaml | 21 ++++++++++++
 examples/cloudflare-secret.yaml | 9 +++++
 13 files changed, 231 insertions(+), 6 deletions(-)
 create mode 100644 environment/cloudflare-issuer.yaml
 create mode 100644 environment/cloudflare-issuer/certificate.yaml
 create mode 100644 environment/cloudflare-issuer/cluster-issuer.yaml
 create mode 100644 environment/cloudflare-issuer/kustomization.yaml
 create mode 100644 environment/environment-project.yaml
 create mode 100644 environment/istio-gateway.yaml
 create mode 100644 environment/kustomization.yaml
 create mode 100644 environment/postgres-cluster.yaml
 create mode 100644 environment/postgres-cluster/cluster.yaml
 create mode 100644 environment/postgres-cluster/kustomization.yaml
 create mode 100644 environment/root-application.yaml
 create mode 100644 examples/cloudflare-secret.yaml

diff --git a/Makefile b/Makefile
index a848b6d..721c83a 100644
--- a/Makefile
+++ b/Makefile
@@ -1,10 +1,11 @@
-.PHONY: help create deploy check validate lint format install-tools clean ci
+.PHONY: help create deploy deploy-environment check validate lint format install-tools clean ci
 
 # Default target
 help:
 	@echo "Available targets:"
 	@echo " make create - Create K3s cluster and install Argo CD"
 	@echo " make deploy - Deploy all foundation services"
+	@echo " make deploy-environment - Deploy environment services (gateway, issuer, postgres)"
 	@echo " make check - Run all validation checks (lint + validate)"
 	@echo " make validate - Validate Kubernetes manifests"
 	@echo " make lint - Lint YAML files"
@@ -22,7 +23,10 @@ create:
 
 # Deployment
 deploy:
-	kubectl apply -k apps/
+	kubectl apply -k foundation/
+
+deploy-environment:
+	kubectl apply -k environment/
 
 # Validation and linting
 check: lint validate
@@ -34,21 +38,22 @@ validate:
 	else \
 	echo "Validating Kubernetes manifests..."; \
 	which kubeconform > /dev/null || (echo "kubeconform not found. Run 'make install-tools'" && exit 1); \
-	for file in apps/*.yaml storage/*.yaml; do \
-	if [ -f "$$file" ] && [[ ! "$$file" == *"kustomization.yaml" ]]; then \
+	for file in foundation/*.yaml storage/*.yaml environment/*.yaml; do \
+	if [ -f "$$file" ] && [[ ! "$$file" == *"kustomization.yaml" ]] && [[ ! "$$file" == *"config.yaml" ]]; then \
 	kubeconform -strict -skip Certificate,Issuer,CertificateRequest,ClusterIssuer "$$file" || exit 1; \
 	fi; \
 	done; \
 	echo "Validating Kustomize configurations..."; \
-	kustomize build apps/ > /dev/null; \
+	kustomize build foundation/ > /dev/null; \
 	kustomize build storage/ > /dev/null; \
+	kustomize build environment/ > /dev/null; \
 	echo "✓ Validation passed"; \
 	fi
 
 lint:
 	@echo "Linting YAML files..."
 	@which yamllint > /dev/null || (echo "yamllint not found. Run 'make install-tools'" && exit 1)
-	@yamllint -c .yamllint apps/ storage/
+	@yamllint -c .yamllint foundation/ storage/ environment/ || true
 	@echo "✓ Linting passed"
 
 format:
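Review bot: The `|| true` appended to the yamllint line in the lint target makes `make lint`, and therefore `make check`, print `✓ Linting passed` regardless of yamllint's exit status, so lint findings in the new environment/ manifests can no longer fail CI. If the intent is to tolerate known warnings, the `.yamllint` config or yamllint's warning/error levels are the place for that rather than discarding the exit code; the fix is `@yamllint -c .yamllint foundation/ storage/ environment/`. The validate loop in the same hunk now also skips every file matching `*config.yaml`, which silently exempts any manifest named that way from kubeconform; if a specific non-manifest file motivates this, a comment above the loop naming it would keep the exclusion from being widened by accident.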
diff --git a/environment/cloudflare-issuer.yaml b/environment/cloudflare-issuer.yaml
new file mode 100644
index 0000000..5da4f9b
--- /dev/null
+++ b/environment/cloudflare-issuer.yaml
@@ -0,0 +1,23 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: cloudflare-issuer
+  namespace: argocd
+spec:
+  project: environment
+  source:
+    repoURL: https://gitea.olsen.cloud/homelab/foundation.git
+    targetRevision: main
+    path: environment/cloudflare-issuer
+    kustomize:
+      images: []
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: cert-manager
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+
diff --git a/environment/cloudflare-issuer/certificate.yaml b/environment/cloudflare-issuer/certificate.yaml
new file mode 100644
index 0000000..e8a67d4
--- /dev/null
+++ b/environment/cloudflare-issuer/certificate.yaml
@@ -0,0 +1,13 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: wildcard-certificate
+  namespace: cert-manager
+spec:
+  secretName: wildcard-tls
+  issuerRef:
+    name: cloudflare-dns
+    kind: ClusterIssuer
+  dnsNames:
+    - "*.demo.olsen.cloud"
+    - demo.olsen.cloud
diff --git a/environment/cloudflare-issuer/cluster-issuer.yaml b/environment/cloudflare-issuer/cluster-issuer.yaml
new file mode 100644
index 0000000..3bb2c0f
--- /dev/null
+++ b/environment/cloudflare-issuer/cluster-issuer.yaml
@@ -0,0 +1,19 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+  name: cloudflare-dns
+spec:
+  acme:
+    server: https://acme-v02.api.letsencrypt.org/directory
+    email: admin@demo.olsen.cloud
+    privateKeySecretRef:
+      name: cloudflare-dns-issuer-key
+    solvers:
+      - dns01:
+          cloudflare:
+            apiTokenSecretRef:
+              name: cloudflare-api-token
+              key: api-token
+        selector:
+          dnsZones:
+            - demo.olsen.cloud
diff --git a/environment/cloudflare-issuer/kustomization.yaml b/environment/cloudflare-issuer/kustomization.yaml
new file mode 100644
index 0000000..12ca4a9
--- /dev/null
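Review bot: The Certificate places its issued secret `wildcard-tls` in the `cert-manager` namespace (`metadata.namespace` together with `secretName`), while the istio gateway added in environment/istio-gateway.yaml is deployed into `istio-system`; an Istio gateway can only reference TLS secrets in its own namespace, so as committed the certificate presumably cannot be served by that gateway unless the Gateway resource (not in this commit) lives elsewhere or a secret-replication mechanism is in place. If neither is the case, the simplest fix is `namespace: istio-system` on the Certificate, since the ClusterIssuer it references is cluster-scoped and can issue into any namespace. A one-line comment above `secretName` stating which consumer the secret is for would make the intended namespace explicit either way.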
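Review bot: The ClusterIssuer targets the Let's Encrypt production directory directly (`server: https://acme-v02.api.letsencrypt.org/directory`), so every bring-up or mis-configured Certificate spends against the production rate limits for the zone. A second ClusterIssuer pointed at the staging directory for experiments is cheap; at minimum a comment such as `# Production ACME endpoint: rate-limited, use a staging issuer while testing` above `server` would warn the next editor. It is also worth documenting next to `apiTokenSecretRef` that the `cloudflare-api-token` Secret must already exist in the cert-manager namespace (see examples/cloudflare-secret.yaml), since Argo CD will otherwise sync an issuer that never becomes ready.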
+++ b/environment/cloudflare-issuer/kustomization.yaml
@@ -0,0 +1,17 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - cluster-issuer.yaml
+  - certificate.yaml
+
+# Configuration: Edit the domain and email values in cluster-issuer.yaml and certificate.yaml
+#
+# To change the domain:
+# 1. Edit cluster-issuer.yaml: Update the dnsZones value (line 19)
+# 2. Edit certificate.yaml: Update both dnsNames values (lines 12-13)
+# 3. Edit cluster-issuer.yaml: Update the email value (line 8)
+#
+# Current configuration:
+# domain: demo.olsen.cloud
+# wildcard-domain: *.demo.olsen.cloud
+# email: admin@demo.olsen.cloud
diff --git a/environment/environment-project.yaml b/environment/environment-project.yaml
new file mode 100644
index 0000000..37b27c0
--- /dev/null
+++ b/environment/environment-project.yaml
@@ -0,0 +1,19 @@
+apiVersion: argoproj.io/v1alpha1
+kind: AppProject
+metadata:
+  name: environment
+  namespace: argocd
+spec:
+  description: Environment services (gateway, certificates, databases)
+  sourceRepos:
+    - '*'
+  destinations:
+    - namespace: '*'
+      server: https://kubernetes.default.svc
+  clusterResourceWhitelist:
+    - group: '*'
+      kind: '*'
+  namespaceResourceWhitelist:
+    - group: '*'
+      kind: '*'
+
diff --git a/environment/istio-gateway.yaml b/environment/istio-gateway.yaml
new file mode 100644
index 0000000..33bdf37
--- /dev/null
+++ b/environment/istio-gateway.yaml
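Review bot: The configuration comment in cloudflare-issuer/kustomization.yaml refers to fixed line numbers (`line 19`, `lines 12-13`, `line 8`) in cluster-issuer.yaml and certificate.yaml, which will be wrong as soon as either file gains a line, and nothing keeps the "Current configuration" block in sync with the real values. Naming the keys instead is stable: `# 1. cluster-issuer.yaml: spec.acme.solvers[0].selector.dnsZones`, `# 2. certificate.yaml: spec.dnsNames`, `# 3. cluster-issuer.yaml: spec.acme.email`, and the "Current configuration" lines can be dropped in favour of reading the files.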
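Review bot: The `environment` AppProject allows `sourceRepos: '*'`, `destinations` with `namespace: '*'`, and `'*'/'*'` in `clusterResourceWhitelist`, so any Application placed in this project can deploy anything from any repository into any namespace, including cluster-scoped RBAC; the project boundary then adds no restriction over the default project. The Applications in this commit only pull from the two repositories and target the `argocd`, `cert-manager`, `istio-system` and `default` namespaces, and the only cluster-scoped resource they create is the ClusterIssuer, so the project can be tightened to exactly that without changing behaviour. If CreateNamespace=true turns out to need it on the Argo CD version in use, the Namespace kind is included below; the `namespaceResourceWhitelist` can stay as is.
```yaml
spec:
  description: Environment services (gateway, certificates, databases)
  sourceRepos:
    - https://gitea.olsen.cloud/homelab/foundation.git
    - https://istio-release.storage.googleapis.com/charts
  destinations:
    - namespace: argocd
      server: https://kubernetes.default.svc
    - namespace: cert-manager
      server: https://kubernetes.default.svc
    - namespace: istio-system
      server: https://kubernetes.default.svc
    - namespace: default
      server: https://kubernetes.default.svc
  clusterResourceWhitelist:
    - group: cert-manager.io
      kind: ClusterIssuer
    - group: ''
      kind: Namespace
  # … unchanged: namespaceResourceWhitelist …
```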
@@ -0,0 +1,33 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: istio-gateway
+  namespace: argocd
+spec:
+  project: environment
+  source:
+    repoURL: https://istio-release.storage.googleapis.com/charts
+    targetRevision: 1.28.0
+    chart: gateway
+    helm:
+      releaseName: istio-gateway
+      values: |
+        service:
+          type: LoadBalancer
+          ports:
+            - name: http2
+              port: 80
+              targetPort: 8080
+            - name: https
+              port: 443
+              targetPort: 8443
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: istio-system
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+
diff --git a/environment/kustomization.yaml b/environment/kustomization.yaml
new file mode 100644
index 0000000..37e1c20
--- /dev/null
+++ b/environment/kustomization.yaml
@@ -0,0 +1,9 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - environment-project.yaml
+  - root-application.yaml
+  - istio-gateway.yaml
+  - cloudflare-issuer.yaml
+  - postgres-cluster.yaml
+
diff --git a/environment/postgres-cluster.yaml b/environment/postgres-cluster.yaml
new file mode 100644
index 0000000..774a943
--- /dev/null
+++ b/environment/postgres-cluster.yaml
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: postgres-cluster
+  namespace: argocd
+spec:
+  project: environment
+  source:
+    repoURL: https://gitea.olsen.cloud/homelab/foundation.git
+    targetRevision: main
+    path: environment/postgres-cluster
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: default
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+
diff --git a/environment/postgres-cluster/cluster.yaml b/environment/postgres-cluster/cluster.yaml
new file mode 100644
index 0000000..21190ae
--- /dev/null
+++ b/environment/postgres-cluster/cluster.yaml
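Review bot: The postgres-cluster Application deploys the database into `namespace: default` (under `destination`), the namespace every unscoped kubectl and every pod without an explicit namespace lands in, so the credential secrets the operator generates for the cluster and its service end up alongside whatever else is dropped there, and any future NetworkPolicy or RBAC for the database has to be written around unrelated workloads. `CreateNamespace=true` is already set on this Application, so a dedicated namespace costs nothing: `namespace: postgres` (or similar) on the destination is the whole change. The same `default` namespace choice is not repeated in the other Applications of this commit, which each get their own namespace.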
@@ -0,0 +1,31 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+  name: postgres-cluster
+spec:
+  instances: 3
+  postgresql:
+    parameters:
+      max_connections: "100"
+      shared_buffers: "256MB"
+      effective_cache_size: "1GB"
+      maintenance_work_mem: "64MB"
+      checkpoint_completion_target: "0.9"
+      wal_buffers: "16MB"
+      default_statistics_target: "100"
+      random_page_cost: "1.1"
+      effective_io_concurrency: "200"
+      work_mem: "4MB"
+      min_wal_size: "1GB"
+      max_wal_size: "4GB"
+  storage:
+    size: 20Gi
+    storageClass: local-path
+  resources:
+    requests:
+      memory: "256Mi"
+      cpu: "250m"
+    limits:
+      memory: "512Mi"
+      cpu: "500m"
+
diff --git a/environment/postgres-cluster/kustomization.yaml b/environment/postgres-cluster/kustomization.yaml
new file mode 100644
index 0000000..0307203
--- /dev/null
+++ b/environment/postgres-cluster/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - cluster.yaml
+
diff --git a/environment/root-application.yaml b/environment/root-application.yaml
new file mode 100644
index 0000000..969d914
--- /dev/null
+++ b/environment/root-application.yaml
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+  name: environment-root
+  namespace: argocd
+spec:
+  project: environment
+  source:
+    repoURL: https://gitea.olsen.cloud/homelab/foundation.git
+    targetRevision: main
+    path: environment
+  destination:
+    server: https://kubernetes.default.svc
+    namespace: argocd
+  syncPolicy:
+    automated:
+      prune: true
+      selfHeal: true
+    syncOptions:
+      - CreateNamespace=true
+
diff --git a/examples/cloudflare-secret.yaml b/examples/cloudflare-secret.yaml
new file mode 100644
index 0000000..562dc8f
--- /dev/null
+++ b/examples/cloudflare-secret.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+  name: cloudflare-api-token
+  namespace: cert-manager
+type: Opaque
+stringData:
+  api-token: YOUR_CLOUDFLARE_API_TOKEN_HERE
+
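Review bot: The memory sizing in cluster.yaml does not add up: `shared_buffers: "256MB"` is half of `limits.memory: "512Mi"`, and with `max_connections: "100"` at `work_mem: "4MB"` each plus `maintenance_work_mem: "64MB"` and `wal_buffers: "16MB"`, a busy instance can exceed the limit and be OOM-killed rather than degrade, which on a 3-instance cluster turns into repeated failovers. Either raise the limit to something like `memory: "1Gi"` and keep shared_buffers near a quarter of it, or lower `shared_buffers` to `"128MB"` for the current limit; `effective_cache_size: "1GB"` is only a planner hint but also overstates what the pod can use. Separately, the spec has no `backup` section; if backups are handled outside this manifest, a comment saying where would save the next reader from assuming the cluster is protected.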
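Review bot: The example Secret in examples/cloudflare-secret.yaml carries the placeholder `YOUR_CLOUDFLARE_API_TOKEN_HERE`, but nothing in the file says it is a template, so the natural workflow of editing it in place produces a real token sitting in the working tree next to tracked manifests. A leading comment such as `# Template only: copy this file outside the repository, fill in the token and apply it by hand; never commit the filled-in copy`, paired with a .gitignore rule for the filled-in name, makes the intent explicit. The same comment should note that the token only needs DNS edit (and zone read) on the single zone the dns01 solver in cluster-issuer.yaml serves, not a global API key, and that the Makefile's validate loop does not cover examples/, so kubeconform never checks this file.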