diff --git a/kubernetes/app/external/homeassistant/ingress.yaml b/kubernetes/app/external/homeassistant/ingress.yaml
new file mode 100644
index 0000000..138ca7c
--- /dev/null
+++ b/kubernetes/app/external/homeassistant/ingress.yaml
@@ -0,0 +1,25 @@
+---
+apiVersion: networking.k8s.io/v1
+kind: Ingress
+metadata:
+ name: homeassistant
+ namespace: homeassistant
+ annotations:
+ cert-manager.io/cluster-issuer: letsencrypt
+ traefik.ingress.kubernetes.io/router.middlewares: homeassistant-security-headers@kubernetescrd
+spec:
+ tls:
+ - hosts:
+ - ${HOMEASSISTANT_HOST}
+ secretName: homeassistant-tls
+ rules:
+ - host: ${HOMEASSISTANT_HOST}
+ http:
+ paths:
+ - path: /
+ pathType: Prefix
+ backend:
+ service:
+ name: homeassistant
+ port:
+ number: 8123
diff --git a/kubernetes/app/external/homeassistant/middleware.yaml b/kubernetes/app/external/homeassistant/middleware.yaml
new file mode 100644
index 0000000..becee52
--- /dev/null
+++ b/kubernetes/app/external/homeassistant/middleware.yaml
@@ -0,0 +1,19 @@
+---
+apiVersion: traefik.io/v1alpha1
+kind: Middleware
+metadata:
+ name: security-headers
+ namespace: homeassistant
+spec:
+ headers:
+ sslRedirect: true
+ stsIncludeSubdomains: true
+ stsPreload: true
+ stsSeconds: 315360000
+ browserXssFilter: true
+ contentTypeNosniff: true
+ forceSTSHeader: true
+ frameDeny: true
+ customFrameOptionsValue: SAMEORIGIN
+ hostsProxyHeaders:
+ - "X-Forwarded-Host"
diff --git a/kubernetes/app/external/homeassistant/namespace.yaml b/kubernetes/app/external/homeassistant/namespace.yaml
new file mode 100644
index 0000000..e1f18bb
--- /dev/null
+++ b/kubernetes/app/external/homeassistant/namespace.yaml
@@ -0,0 +1,7 @@
+---
+apiVersion: v1
+kind: Namespace
+metadata:
+ name: homeassistant
+ labels:
+ app.kubernetes.io/name: homeassistant
diff --git a/kubernetes/app/external/homeassistant/service.yaml b/kubernetes/app/external/homeassistant/service.yaml
new file mode 100644
index 0000000..0c1c453
--- /dev/null
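Review bot: The `traefik.ingress.kubernetes.io/router.middlewares` annotation chains only the security-headers middleware, so once this Ingress is live the Home Assistant login page is reachable from any source address with Home Assistant's own authentication as the only gate. If remote access is only needed from known networks, an address-allowlist or forward-auth middleware chained ahead of `homeassistant-security-headers@kubernetescrd` would narrow that exposure; either way Home Assistant itself must list the proxy's address range under `http.trusted_proxies` with `use_x_forwarded_for` enabled, otherwise it typically refuses proxied requests and logs the proxy address instead of the client. The backend is an ExternalName Service on port 8123, so the hop from Traefik to Home Assistant appears to be plain HTTP unless a ServersTransport is configured elsewhere — worth a one-line comment above `backend:` stating that this is intended for the internal segment it crosses.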
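Review bot: `frameDeny: true` and `customFrameOptionsValue: SAMEORIGIN` contradict each other; Traefik's Headers middleware documents that `customFrameOptionsValue` overrides `frameDeny`, so the emitted header is `X-Frame-Options: SAMEORIGIN` and the `frameDeny` line is dead configuration — keep only the one that states the intent (SAMEORIGIN is the likely choice if Home Assistant's iframe panels are used). `browserXssFilter: true` emits `X-XSS-Protection: 1; mode=block`, a header that current guidance recommends disabling rather than enabling because the legacy browser filter introduced its own weaknesses; dropping the line and expressing policy through `contentSecurityPolicy` is the modern equivalent. `sslRedirect` was removed from the Headers middleware in Traefik v3 — given the `traefik.io/v1alpha1` API group here, confirm the running version, since on v3 the redirect has to move to a `RedirectScheme` middleware or it silently does nothing.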
+++ b/kubernetes/app/external/homeassistant/service.yaml
@@ -0,0 +1,11 @@
+---
+apiVersion: v1
+kind: Service
+metadata:
+ name: homeassistant
+ namespace: homeassistant
+spec:
+ type: ExternalName
+ externalName: ${HOMEASSISTANT_INTERNAL_HOST}
+ ports:
+ - port: 8123
diff --git a/kubernetes/app/external/ks.yaml b/kubernetes/app/external/ks.yaml
new file mode 100644
index 0000000..0064901
--- /dev/null
+++ b/kubernetes/app/external/ks.yaml
@@ -0,0 +1,17 @@
+---
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+ name: external-vars
+ namespace: flux-system
+spec:
+ interval: 10m
+ path: ./kubernetes/app/external/vars
+ prune: true
+ sourceRef:
+ kind: GitRepository
+ name: flux-system
+ decryption:
+ provider: sops
+ secretRef:
+ name: sops-age
diff --git a/kubernetes/app/external/vars/homeassistant.sops.yaml b/kubernetes/app/external/vars/homeassistant.sops.yaml
new file mode 100644
index 0000000..81b57ba
--- /dev/null
+++ b/kubernetes/app/external/vars/homeassistant.sops.yaml
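Review bot: Traefik's Kubernetes providers ignore Services of `type: ExternalName` unless the provider runs with `allowExternalNameServices` enabled — it has defaulted to off since v2.5 precisely because ExternalName lets an Ingress point the proxy at arbitrary hosts — so this Ingress routes nothing until that setting is confirmed on the Traefik deployment; a comment above `type: ExternalName` such as `# requires providers.kubernetesingress.allowExternalNameServices=true on Traefik` records the dependency. Per the Service documentation `externalName` must be a resolvable DNS name, not an IP literal, so `${HOMEASSISTANT_INTERNAL_HOST}` should hold a hostname. Because the value comes from the decrypted secret, an empty or unset substitution would leave `externalName:` null and the Service invalid — the `dependsOn` in app/ks.yaml covers ordering, but not a missing key.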
@@ -0,0 +1,23 @@
+apiVersion: v1
+kind: Secret
+metadata:
+ name: homeassistant-vars
+ namespace: flux-system
+stringData:
+ HOMEASSISTANT_HOST: ENC[AES256_GCM,data:xHMOIu+pt7T/fbnfyD5B/InyCO7ZB1S2203agJ8uxjKIkA==,iv:z9Oh/JQo6cVUbKUcrHUFheXw5KU0U8byLH3OEwv0TyQ=,tag:0ThkPR7vJAxYsm1x0gs/bg==,type:str]
+ HOMEASSISTANT_INTERNAL_HOST: ENC[AES256_GCM,data:qq0NQ7hiEEpP6qyuBjxEwo5NPAifWQ==,iv:UD3rstcgk5nypLuyCbWEjCXb0yArWRWXUkGXuyOWrYk=,tag:QPBWyRtb611kVrsPwXtmwQ==,type:str]
+sops:
+ age:
+ - recipient: age1zffnskvuezntkk703a0pyxsd5m8vx2hm33dr47wdfy8mn4fdw4sqgw0jgc
+ enc: |
+ -----BEGIN AGE ENCRYPTED FILE-----
+ YWdlLWVuY3J5cHRpb24ub3JnL3YxCi0+IFgyNTUxOSA5M0NPOEF2dTNrdlU2NldK
+ T09oWkErRFFYeENKK21NSjhOdmpUa0d3clMwCk9BRElxc2JEbFFyb0RKZ3oyaXhJ
+ ckErd3pDNFlHV2srUFlaNEwvRUYvaVEKLS0tIHNMeG1WOG9VOFY1Vk1PR3hnQ1Zk
+ U3Q2RGZZeVhVemo5L2ZkMHpsSU4xNzgK6SDl+uBDB4vQLHKVdJ4NndPo4VRSKWyX
+ f4gertz0xd70GN+X13x10KHikmAHhk7WoYgXzGsbhaLIsFJUPN71JA==
+ -----END AGE ENCRYPTED FILE-----
+ lastmodified: "2026-02-22T21:15:14Z"
+ mac: ENC[AES256_GCM,data:oQ5J6G5UIByo1Y0RE6wMJOosvgq1mXQiks3WZVv03HOpMZ7Tp8YWhTMinTSu+arJDnk8aZyUXkElPGYilc46BH/2pMXX/GHoeuFODUb/IjyjJyLLyoFEYGEAoI79gJxbBrChFG2iXoExTagbrAq4RooMnFb6XEStYjFNp/MOmTA=,iv:JmkHL/ALdz+fscZ3ZXoiKi/dm5Mkk2EEXAd0Ldek3DM=,tag:QD61z/DCmXCnQyukk65OJA==,type:str]
+ encrypted_regex: ^(data|stringData|email)$
+ version: 3.11.0
diff --git a/kubernetes/app/ks.yaml b/kubernetes/app/ks.yaml
index a99d95c..b6985fc 100644
--- a/kubernetes/app/ks.yaml
+++ b/kubernetes/app/ks.yaml
@@ -14,6 +14,7 @@ spec:
 dependsOn:
 - name: infrastructure-configs
 - name: config
+ - name: external-vars
 decryption:
 provider: sops
 secretRef:
@@ -22,3 +23,5 @@ spec:
 substituteFrom:
 - kind: Secret
 name: cluster-vars
+ - kind: Secret
+ name: homeassistant-vars
diff --git a/kubernetes/kustomization.yaml b/kubernetes/kustomization.yaml
index 914bd46..3d8b46a 100644
--- a/kubernetes/kustomization.yaml
+++ b/kubernetes/kustomization.yaml
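Review bot: `HOMEASSISTANT_HOST` is the public name the Ingress puts into its Let's Encrypt certificate, and every certificate Let's Encrypt issues is published to Certificate Transparency logs, so encrypting this value keeps it out of the repository but not out of public view; a comment such as `# HOMEASSISTANT_HOST becomes public via CT logs; encrypted only to keep the repo host-agnostic` would stop a later reader treating it as a secret. Only `HOMEASSISTANT_INTERNAL_HOST` has any real confidentiality value here, and it is protected by a single age recipient, so the corresponding `sops-age` key is the sole recovery path for these values. Unlike the other new files this one has no leading `---`; if sops strips it on re-encryption, the `document-start` lint rule wants an exception for `*.sops.yaml` rather than a hand edit that the next `sops` run would undo.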
@@ -5,3 +5,4 @@ resources:
 - config/ks.yaml
 - infrastructure/ks.yaml
 - app/ks.yaml
+- app/external/ks.yaml