From bf41a067a892b6c498e4c81685ac7d5965bb1a9f Mon Sep 17 00:00:00 2001
From: Morten Olsen
Date: Tue, 25 Nov 2025 20:29:51 +0100
Subject: [PATCH] add environment

---
 Makefile | 17 +++---
 environment/cloudflare-issuer.yaml | 21 ++++++++
 .../cloudflare-issuer/certificate.yaml | 14 +++++
 .../cloudflare-issuer/cluster-issuer.yaml | 20 +++++++
 .../cloudflare-issuer/kustomization.yaml | 52 +++++++++++++++++++
 environment/istio-gateway.yaml | 33 ++++++++++++
 environment/kustomization.yaml | 8 +++
 environment/postgres-cluster.yaml | 21 ++++++++
 environment/postgres-cluster/cluster.yaml | 31 +++++++++++
 .../postgres-cluster/kustomization.yaml | 5 ++
 environment/root-application.yaml | 21 ++++++++
 examples/cloudflare-secret.yaml | 9 ++++
 12 files changed, 246 insertions(+), 6 deletions(-)
 create mode 100644 environment/cloudflare-issuer.yaml
 create mode 100644 environment/cloudflare-issuer/certificate.yaml
 create mode 100644 environment/cloudflare-issuer/cluster-issuer.yaml
 create mode 100644 environment/cloudflare-issuer/kustomization.yaml
 create mode 100644 environment/istio-gateway.yaml
 create mode 100644 environment/kustomization.yaml
 create mode 100644 environment/postgres-cluster.yaml
 create mode 100644 environment/postgres-cluster/cluster.yaml
 create mode 100644 environment/postgres-cluster/kustomization.yaml
 create mode 100644 environment/root-application.yaml
 create mode 100644 examples/cloudflare-secret.yaml

diff --git a/Makefile b/Makefile
index a848b6d..721c83a 100644
--- a/Makefile
+++ b/Makefile
@@ -1,10 +1,11 @@
-.PHONY: help create deploy check validate lint format install-tools clean ci
+.PHONY: help create deploy deploy-environment check validate lint format install-tools clean ci

 # Default target
 help:
 @echo "Available targets:"
 @echo " make create - Create K3s cluster and install Argo CD"
 @echo " make deploy - Deploy all foundation services"
+ @echo " make deploy-environment - Deploy environment services (gateway, issuer, postgres)"
 @echo " make check - Run all validation checks (lint + validate)"
 @echo " make validate - Validate Kubernetes manifests"
 @echo " make lint - Lint YAML files"
@@ -22,7 +23,10 @@ create:

 # Deployment
 deploy:
- kubectl apply -k apps/
+ kubectl apply -k foundation/
+
+deploy-environment:
+ kubectl apply -k environment/

 # Validation and linting
 check: lint validate
@@ -34,21 +38,22 @@ validate:
 else \
 echo "Validating Kubernetes manifests..."; \
 which kubeconform > /dev/null || (echo "kubeconform not found. Run 'make install-tools'" && exit 1); \
- for file in apps/*.yaml storage/*.yaml; do \
- if [ -f "$$file" ] && [[ ! "$$file" == *"kustomization.yaml" ]]; then \
+ for file in foundation/*.yaml storage/*.yaml environment/*.yaml; do \
+ if [ -f "$$file" ] && [[ ! "$$file" == *"kustomization.yaml" ]] && [[ ! "$$file" == *"config.yaml" ]]; then \
 kubeconform -strict -skip Certificate,Issuer,CertificateRequest,ClusterIssuer "$$file" || exit 1; \
 fi; \
 done; \
 echo "Validating Kustomize configurations..."; \
- kustomize build apps/ > /dev/null; \
+ kustomize build foundation/ > /dev/null; \
 kustomize build storage/ > /dev/null; \
+ kustomize build environment/ > /dev/null; \
 echo "✓ Validation passed"; \
 fi

 lint:
 @echo "Linting YAML files..."
 @which yamllint > /dev/null || (echo "yamllint not found. Run 'make install-tools'" && exit 1)
- @yamllint -c .yamllint apps/ storage/
+ @yamllint -c .yamllint foundation/ storage/ environment/ || true
 @echo "✓ Linting passed"

 format:
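Review bot: The `|| true` appended to the yamllint invocation in the `lint` target swallows every lint failure, so `make check` (which depends on `lint`) prints `✓ Linting passed` even when `environment/` is broken, and the `ci` target presumably inherits the same blind spot. If the new manifests currently fail yamllint, fix them or relax `.yamllint` rather than silencing the exit code: `@yamllint -c .yamllint foundation/ storage/ environment/`. Separately, the `validate` loop (whose recipe starts above this hunk) only kubeconform-checks the top-level `environment/*.yaml` Application wrappers; the cert-manager and CNPG manifests under `environment/cloudflare-issuer/` and `environment/postgres-cluster/` are never schema-checked, and `kustomize build environment/` renders only the Applications, not what they point at. Add those two subdirectories to the `for` glob or to the `kustomize build` list so the resources that actually reach the cluster are validated.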
diff --git a/environment/cloudflare-issuer.yaml b/environment/cloudflare-issuer.yaml
new file mode 100644
index 0000000..bd80b44
--- /dev/null
+++ b/environment/cloudflare-issuer.yaml
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: cloudflare-issuer
+ namespace: argocd
+spec:
+ project: foundation
+ source:
+ repoURL: https://gitea.olsen.cloud/homelab/foundation.git
+ targetRevision: main
+ path: environment/cloudflare-issuer
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: cert-manager
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+
diff --git a/environment/cloudflare-issuer/certificate.yaml b/environment/cloudflare-issuer/certificate.yaml
new file mode 100644
index 0000000..d1dc9d8
--- /dev/null
+++ b/environment/cloudflare-issuer/certificate.yaml
@@ -0,0 +1,14 @@
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+ name: wildcard-certificate
+ namespace: cert-manager
+spec:
+ secretName: wildcard-tls
+ issuerRef:
+ name: cloudflare-dns
+ kind: ClusterIssuer
+ dnsNames:
+ - "*.PLACEHOLDER_DOMAIN"
+ - PLACEHOLDER_DOMAIN
+
diff --git a/environment/cloudflare-issuer/cluster-issuer.yaml b/environment/cloudflare-issuer/cluster-issuer.yaml
new file mode 100644
index 0000000..7a9b5d5
--- /dev/null
+++ b/environment/cloudflare-issuer/cluster-issuer.yaml
@@ -0,0 +1,20 @@
+apiVersion: cert-manager.io/v1
+kind: ClusterIssuer
+metadata:
+ name: cloudflare-dns
+spec:
+ acme:
+ server: https://acme-v02.api.letsencrypt.org/directory
+ email: PLACEHOLDER_EMAIL
+ privateKeySecretRef:
+ name: cloudflare-dns-issuer-key
+ solvers:
+ - dns01:
+ cloudflare:
+ apiTokenSecretRef:
+ name: cloudflare-api-token
+ key: api-token
+ selector:
+ dnsZones:
+ - PLACEHOLDER_DOMAIN
+
diff --git a/environment/cloudflare-issuer/kustomization.yaml b/environment/cloudflare-issuer/kustomization.yaml
new file mode 100644
index 0000000..2e1a947
--- /dev/null
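Review bot: This Application will create a cluster-scoped `ClusterIssuer` under AppProject `foundation` with automated prune and selfHeal, but nothing in the commit shows that project's `clusterResourceWhitelist` allowing `cert-manager.io/ClusterIssuer`; if the project (defined outside this diff) uses Argo CD's restrictive default, the first sync fails with a permission error, so confirm that before merging. It also assumes cert-manager and its CRDs are already installed by `foundation/`; if they may not be, a `argocd.argoproj.io/sync-wave` annotation or `SkipDryRunOnMissingResource=true` keeps the app-of-apps from wedging on bring-up. Finally, with `targetRevision: main` and `selfHeal: true`, every push to `main` is applied cluster-wide without review, so branch protection on the Gitea repo is the effective change-control boundary for a cluster-wide issuer — worth a one-line comment above `targetRevision`.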
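Review bot: The wildcard Certificate is issued into namespace `cert-manager` (secret `wildcard-tls`), while the Istio gateway added in this same commit is deployed to `istio-system`; an Istio Gateway's TLS `credentialName` must name a secret in the gateway's own namespace, so as written the gateway cannot serve this certificate unless something not shown here copies the secret across. Either issue it where it is consumed (`namespace: istio-system` works fine with a `ClusterIssuer`) or add the secret-sync mechanism and document it next to `secretName`. Also consider `privateKey: {rotationPolicy: Always}` — cert-manager's default reuses the same key pair on every renewal for the lifetime of the Certificate.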
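Review bot: The issuer targets the Let's Encrypt production endpoint with no staging counterpart, so every bring-up mistake (wrong zone, bad token, the placeholder replacement not firing) burns against production rate limits; add a second `ClusterIssuer` on `https://acme-staging-v02.api.letsencrypt.org/directory` and point the Certificate's `issuerRef` at production only once staging issues cleanly. The `selector.dnsZones` restriction is good — it stops other Certificates from driving the Cloudflare token for unrelated zones — and the token itself should be scoped to `Zone:DNS:Edit` on that single zone when it is created. A comment above `apiTokenSecretRef` noting that for a ClusterIssuer the secret is resolved from cert-manager's own namespace (here `cert-manager`, matching `examples/cloudflare-secret.yaml`) would save the next person a debugging round.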
+++ b/environment/cloudflare-issuer/kustomization.yaml
@@ -0,0 +1,52 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - cluster-issuer.yaml
+ - certificate.yaml
+
+# Configuration: Edit the domain and email values below
+replacements:
+ - source:
+ kind: ConfigMap
+ name: cloudflare-config
+ fieldPath: data.domain
+ targets:
+ - select:
+ kind: ClusterIssuer
+ name: cloudflare-dns
+ fieldPaths:
+ - spec.acme.solvers[0].selector.dnsZones[0]
+ - select:
+ kind: Certificate
+ name: wildcard-certificate
+ fieldPaths:
+ - spec.dnsNames[1]
+ - source:
+ kind: ConfigMap
+ name: cloudflare-config
+ fieldPath: data.wildcard-domain
+ targets:
+ - select:
+ kind: Certificate
+ name: wildcard-certificate
+ fieldPaths:
+ - spec.dnsNames[0]
+ - source:
+ kind: ConfigMap
+ name: cloudflare-config
+ fieldPath: data.email
+ targets:
+ - select:
+ kind: ClusterIssuer
+ name: cloudflare-dns
+ fieldPaths:
+ - spec.acme.email
+
+configMapGenerator:
+ - name: cloudflare-config
+ literals:
+ # Change these values to match your domain and email
+ - domain=demo.olsen.cloud
+ - wildcard-domain=*.demo.olsen.cloud
+ - email=admin@demo.olsen.cloud
+
diff --git a/environment/istio-gateway.yaml b/environment/istio-gateway.yaml
new file mode 100644
index 0000000..5394998
--- /dev/null
+++ b/environment/istio-gateway.yaml
@@ -0,0 +1,33 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: istio-gateway
+ namespace: argocd
+spec:
+ project: foundation
+ source:
+ repoURL: https://istio-release.storage.googleapis.com/charts
+ targetRevision: 1.28.0
+ chart: gateway
+ helm:
+ releaseName: istio-gateway
+ values: |
+ service:
+ type: LoadBalancer
+ ports:
+ - name: http2
+ port: 80
+ targetPort: 8080
+ - name: https
+ port: 443
+ targetPort: 8443
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: istio-system
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+
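Review bot: The replacements target `spec.dnsNames[0]`, `spec.dnsNames[1]` and `solvers[0].selector.dnsZones[0]` by position, so reordering or appending an entry in certificate.yaml silently swaps the wildcard and apex names or leaves a literal `PLACEHOLDER_DOMAIN` in the CSR sent to Let's Encrypt; target by value where kustomize supports it (e.g. `spec.dnsNames.[=PLACEHOLDER_DOMAIN]`), or at least add a comment next to `resources:` stating that list order in certificate.yaml is load-bearing. `domain` and `wildcard-domain` are two hand-maintained literals that must agree; a comment saying both change together is cheap insurance. Note also that the `configMapGenerator` output (`cloudflare-config-<hash>`) is itself rendered and deployed into `cert-manager` by the Application — harmless, but a one-line comment that it exists only to feed the replacements stops someone from "cleaning it up".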
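Review bot: `service.type: LoadBalancer` is set without `externalTrafficPolicy`, so under the Kubernetes default (`Cluster`) traffic is SNATed and the gateway sees node IPs instead of client addresses; access logs, rate limits and any IP-based AuthorizationPolicy behind this gateway will be blind to the real source. Add `externalTrafficPolicy: Local` under `service:` in the values block (the chart appears to expose it; verify with a request from outside the cluster that the logged peer is the client). Port 80 is also published here — on k3s's bundled servicelb that typically means on every node — while no Gateway resource or HTTP-to-HTTPS redirect is part of this commit, so a comment saying where the Gateway/TLS configuration is expected to live would help the next reader.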
diff --git a/environment/kustomization.yaml b/environment/kustomization.yaml
new file mode 100644
index 0000000..d449f5a
--- /dev/null
+++ b/environment/kustomization.yaml
@@ -0,0 +1,8 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - root-application.yaml
+ - istio-gateway.yaml
+ - cloudflare-issuer.yaml
+ - postgres-cluster.yaml
+
diff --git a/environment/postgres-cluster.yaml b/environment/postgres-cluster.yaml
new file mode 100644
index 0000000..28db752
--- /dev/null
+++ b/environment/postgres-cluster.yaml
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: postgres-cluster
+ namespace: argocd
+spec:
+ project: foundation
+ source:
+ repoURL: https://gitea.olsen.cloud/homelab/foundation.git
+ targetRevision: main
+ path: environment/postgres-cluster
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: default
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+
diff --git a/environment/postgres-cluster/cluster.yaml b/environment/postgres-cluster/cluster.yaml
new file mode 100644
index 0000000..21190ae
--- /dev/null
+++ b/environment/postgres-cluster/cluster.yaml
@@ -0,0 +1,31 @@
+apiVersion: postgresql.cnpg.io/v1
+kind: Cluster
+metadata:
+ name: postgres-cluster
+spec:
+ instances: 3
+ postgresql:
+ parameters:
+ max_connections: "100"
+ shared_buffers: "256MB"
+ effective_cache_size: "1GB"
+ maintenance_work_mem: "64MB"
+ checkpoint_completion_target: "0.9"
+ wal_buffers: "16MB"
+ default_statistics_target: "100"
+ random_page_cost: "1.1"
+ effective_io_concurrency: "200"
+ work_mem: "4MB"
+ min_wal_size: "1GB"
+ max_wal_size: "4GB"
+ storage:
+ size: 20Gi
+ storageClass: local-path
+ resources:
+ requests:
+ memory: "256Mi"
+ cpu: "250m"
+ limits:
+ memory: "512Mi"
+ cpu: "500m"
+
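Review bot: The database lands in the `default` namespace (`destination.namespace: default`) even though `CreateNamespace=true` is already set, so a dedicated namespace costs nothing; `default` is where ad-hoc `kubectl run` debug pods and anything with an unspecified namespace end up, which makes it a poor isolation boundary for a shared Postgres and forces any later NetworkPolicy or RBAC for the DB to carve around unrelated workloads. Change it to something like `namespace: postgres` and keep `CreateNamespace=true`. The CNPG `Cluster` manifest in this commit carries no `metadata.namespace`, so this destination is the only thing deciding where it goes — a comment on that line saying so would help.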
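Review bot: The Postgres tuning and the container limits disagree: `shared_buffers: 256MB` plus `wal_buffers: 16MB`, `maintenance_work_mem: 64MB` and up to `max_connections: 100` backends each entitled to `work_mem: 4MB` (per sort/hash node, so potentially more) sit inside a `limits.memory: 512Mi` cgroup, so a modest connection burst can OOM-kill the primary, and `effective_cache_size: 1GB` tells the planner there is twice the memory the pod can ever have. Either raise the limit to match the tuning or scale the parameters to the 512Mi budget, e.g. `shared_buffers: "128MB"` and `effective_cache_size: "384MB"`. There is also no `backup` (or `monitoring`) stanza; three instances on `local-path` node storage give you replication but no recovery point against logical corruption or a bad migration, so at minimum document that as a known gap. Nothing in the diff shows the CNPG operator and CRD being installed by `foundation/` — confirm the ordering before this syncs.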
diff --git a/environment/postgres-cluster/kustomization.yaml b/environment/postgres-cluster/kustomization.yaml
new file mode 100644
index 0000000..0307203
--- /dev/null
+++ b/environment/postgres-cluster/kustomization.yaml
@@ -0,0 +1,5 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+ - cluster.yaml
+
diff --git a/environment/root-application.yaml b/environment/root-application.yaml
new file mode 100644
index 0000000..b301d25
--- /dev/null
+++ b/environment/root-application.yaml
@@ -0,0 +1,21 @@
+apiVersion: argoproj.io/v1alpha1
+kind: Application
+metadata:
+ name: environment-root
+ namespace: argocd
+spec:
+ project: foundation
+ source:
+ repoURL: https://gitea.olsen.cloud/homelab/foundation.git
+ targetRevision: main
+ path: environment
+ destination:
+ server: https://kubernetes.default.svc
+ namespace: argocd
+ syncPolicy:
+ automated:
+ prune: true
+ selfHeal: true
+ syncOptions:
+ - CreateNamespace=true
+
diff --git a/examples/cloudflare-secret.yaml b/examples/cloudflare-secret.yaml
new file mode 100644
index 0000000..562dc8f
--- /dev/null
+++ b/examples/cloudflare-secret.yaml
@@ -0,0 +1,9 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: cloudflare-api-token
+ namespace: cert-manager
+type: Opaque
+stringData:
+ api-token: YOUR_CLOUDFLARE_API_TOKEN_HERE
+
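Review bot: None of the Applications in this commit, this root included, set `metadata.finalizers: [resources-finalizer.argocd.argoproj.io]`, so deleting `environment-root` (or any child) in Argo CD merely detaches it and leaves the gateway, issuer and database running unmanaged rather than cascading; decide which behaviour you want and add the finalizer if cascade is the intent. This root also lists itself through `environment/kustomization.yaml` with `prune: true`, which works but means dropping `root-application.yaml` from that list may let the root prune itself out from under its children — a comment on the `path: environment` line warning about the self-reference is worth adding. `CreateNamespace=true` is a no-op for `destination.namespace: argocd`, which must already exist for this Application to be created, and can be dropped.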
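Review bot: This example puts a Cloudflare API token in plain `stringData` in a file that sits next to the GitOps tree, and nothing in the commit (no README note or `.gitignore` entry visible here) stops someone from replacing `YOUR_CLOUDFLARE_API_TOKEN_HERE` and committing it or applying it from a world-readable path. Add a header comment along the lines of `# Example only — never commit a real token. Create it out-of-band instead: kubectl -n cert-manager create secret generic cloudflare-api-token --from-literal=api-token=...` and, if the repo later adopts SealedSecrets or External Secrets, point to that instead. The comment should also state the least-privilege scope: `Zone:DNS:Edit` restricted to the single zone named by the ClusterIssuer's `dnsZones` selector, since anyone who can read Secrets in `cert-manager` gets whatever else a broader token can do.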