Update README.md

homeassistant https

.devcontainer/devcontainer.json

@@ -17,7 +17,6 @@
 	// "customizations": {},
 	
 	"mounts": [
-		"source=/var/run/docker.sock,target=/var/run/docker-host.sock,type=bind",
 		"source=${localWorkspaceFolder}/.devcontainer/.zshrc,target=/home/vscode/.zshrc,type=bind",
 		"source=${localWorkspaceFolder}/../lms,target=/workspaces/lms,type=bind",
 		"source=${localWorkspaceFolder}/../homeAssistant,target=/workspaces/homeAssistant,type=bind",
@@ -25,7 +24,7 @@
 		"source=${localWorkspaceFolder}/../kb,target=/workspaces/kb,type=bind",
 		"source=${localWorkspaceFolder}/.env.d/kube,target=/home/vscode/.kube,type=bind",
 		"source=${localEnv:HOME}/.gitconfig,target=/home/vscode/.gitconfig,type=bind,consistency=cached",
-  		"source=${localEnv:HOME}/.ssh/id_ed25519,target=/home/vscode/.ssh/id_ed25519,type=bind,consistency=cached"
+  		"source=${localEnv:HOME}/.ssh,target=/home/vscode/.ssh,type=bind,consistency=cached"
 	],
 	"postCreateCommand": "bash .devcontainer/scripts/postCreate.sh",
 	"customizations": {
@@ -37,11 +36,11 @@
 				"stateful.runme",
 				"yzhang.markdown-all-in-one",
 				"davidanson.vscode-markdownlint",
-				"eamodio.gitlens"
+				"eamodio.gitlens",
+				"m4ns0ur.base64"
 			],
 			"settings": {
 				"terminal.integrated.defaultProfile.linux": "zsh"
-				
 			}
 		}
 	}

.devcontainer/scripts/postCreate.sh

@@ -1,4 +1,7 @@
 #setup chroma for zsh colorize
 chmod +x /home/vscode/lib/chroma
 curl https://rclone.org/install.sh | sudo bash
+docker context create casa-prod --description "casa prod context" --docker host=ssh://admin@homesrv01.dev.lan
+docker context use casa-prod
+
 

.gitea/workflows/deploy-sync-certs-job.yml

@@ -0,0 +1,21 @@
+on: 
+  push:
+  schedule:
+    - cron: '0 16 * * *' # Every day at 16:00
+jobs:
+  deploy-to-homesrv01:
+    runs-on: "myLimbo-casa-gitea-act-runner"
+    steps:
+    - name: Checkout code
+      uses: actions/checkout@v2
+
+      # all certs and key are base64 encoded
+    - name: docker compose up
+      env:
+        KUBERNETES_SERVER: ${{ secrets.KUBERNETES_SERVER }}
+        KUBERNETES_CLIENT_CRT_DATA: ${{ secrets.KUBERNETES_CLIENT_CRT_DATA }}
+        KUBERNETES_CLIENT_KEY_DATA: ${{ secrets.KUBERNETES_CLIENT_KEY_DATA }}
+        KUBERNETES_CRT_AUTHORITY_DATA: ${{ secrets.KUBERNETES_CRT_AUTHORITY_DATA }}
+      run:  |
+          docker compose -f ./casa-limbosolutions-com/sync-certs-job/docker-compose.yaml up -d --pull always 
+

README.md

@@ -30,7 +30,7 @@ The server operates within its own VLAN (`homesrv`) but requires controlled comm
 
 ### myInfra stack
 
-docker, promtail and telegraf configuration [maintained on myInfra repo](/marcio.fernandes/myInfra).
+docker, promtail and telegraf configuration [maintained on myInfra repo](/:root/marcio.fernandes/myInfrastructure).
 
 ### docker
 
@@ -45,6 +45,15 @@ docker plugin install rclone/docker-volume-rclone:amd64 args="-v" --alias rclone
 docker plugin list
 ```
 
+if error when enabling plugin.  
+*"rclone.sock: connect: no such file or directory"*  
+remove existing cache.  
+
+```bash
+ rm -r /var/lib/docker-plugins/rclone/cache
+ mkdir -p /var/lib/docker-plugins/rclone/cache
+```
+
 [ansible role for plugin configuration](./rclone.docker-plugin.playbook.yaml)
 
 ### nginx
@@ -55,13 +64,13 @@ All sites configurations set during docker build.
 
 ### Home Assistant
 
-[Git Repo](https://git.limbosolutions.com/marcio.fernandes/homeAssistant)
+[Git Repo](/:root/marcio.fernandes/homeAssistant)
 
 ### Lyrion Music Server (LMS)
 
-For instructions on setting up the Lyrion Music Server Docker container, refer to the [LMS Git Repository](/marcio.fernandes/lms).
+For instructions on setting up the Lyrion Music Server Docker container, refer to the [LMS Git Repository](/:root/marcio.fernandes/lms).
 
-For information on integrating Lyrion Music Server with Home Assistant, visit the [Home Assistant Git Repository](/marcio.fernandes/homeassistant#squeezebox-lyrion-music-server).
+For information on integrating Lyrion Music Server with Home Assistant, visit the [Home Assistant Git Repository](/:root/marcio.fernandes/homeassistant#squeezebox-lyrion-music-server).
 
 Using [Docker Rclone plugin](https://rclone.org/docker/) for accessing the bucket where music is stored. Configuration is managed via [Ansible playbook](./rclone.docker-plugin.playbook.yml).
 
@@ -72,7 +81,7 @@ ansible-playbook ./rclone.docker-plugin.playbook.yml
 
 ### Mosquitto
 
-[Git Repo](https://git.limbosolutions.com/marcio.fernandes/mosquitto)
+[Git Repo](/:root/marcio.fernandes/mosquitto)
 
 ### Wyoming
 
@@ -88,7 +97,7 @@ Used in Rhasspy and Home Assistant for communication with voice services.
 
 This is an open standard of the Open Home Foundation.
 
-For more information about home assistant integration [check home assistant repo](/marcio.fernandes/homeassistant#wyoming).
+For more information about home assistant integration [check home assistant repo](/:root/marcio.fernandes/homeassistant#wyoming).
 
 [Docker compose file](./services/wyoming/docker-compose.yaml).
 
@@ -123,7 +132,7 @@ chown 100000:100020 /dev/serial/by-id/usb-ITead_Sonoff_Zigbee_3.0_USB_Dongle_Plu
 Links
 
 - [https://www.zigbee2mqtt.io/](https://www.zigbee2mqtt.io/)
-- [Home assistant integration](/marcio.fernandes/homeassistant#Zigbee2mqtt)
+- [Home assistant integration](/:root/marcio.fernandes/homeassistant#Zigbee2mqtt)
 - [Continuos Deploy - git action](./.gitea/workflows/services.zigbee2mqtt.yml)
 
 ## Host

casa-limbosolutions-com/icarus/README.md

@@ -0,0 +1,29 @@
+# casa.limbosolutions.com at icarus
+
+Use icarus cluster context to all documentation and scrips on this folder. [Check Instructions](#icarus-cluster---access) for how to setup required user and roles on icurus and client kubeconfig.
+
+## certificates (wildcard)
+
+```bash
+kubectl apply -f ./certs.yaml
+```
+
+```bash
+#check certificates
+kubectl get cert -n casa-limbosolutions-com
+```
+
+## Icarus cluster - access
+
+On user computer.  
+*Access to k3s context not required.*
+
+```bash
+# create private key
+openssl genrsa -out ../../.env.d/kube/casa@icarus-user.key 2048
+
+# create csr
+openssl req -new -key ../../.env.d/kube/casa@icarus-user.key -out ../../.env.d/kube/casa@icarus-user.csr -subj "/CN=casa/O=limbosolutions"
+```
+
+Follow instructions to [setup user and roles on icarus k3s cluster](./k3s-admin.md), and setup kubectl config [kube config](./k3s-kubctl-config.md).

casa-limbosolutions-com/icarus/certs.yaml

@@ -0,0 +1,14 @@
+
+apiVersion: cert-manager.io/v1
+kind: Certificate
+metadata:
+  name: casa-limbosolutions-com
+  namespace: casa-limbosolutions-com
+spec:
+  secretName: casa-limbosolutions-com-tls
+  dnsNames:
+  - "casa.limbosolutions.com"
+  - "*.casa.limbosolutions.com"
+  issuerRef:
+    kind: ClusterIssuer
+    name: letsencrypt-prod

casa-limbosolutions-com/icarus/k3s-admin.md

@@ -0,0 +1,95 @@
+# casa on Icarus - admin
+
+Requires kubernetes admin user access to icarus. All documentation and scripts must be executed on icarus context with an admin account.
+
+Currently using an symbolic on icarus project on my dev device to this file.
+
+## kubernetes Namespace
+
+```bash
+# delete namespace
+kubectl create namespace casa-limbosolutions-com
+```
+
+```bash
+# delete namespace
+kubectl delete namespace casa-limbosolutions-com
+```
+
+## Roles and Bindings
+
+``` yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRole
+metadata:
+  namespace: casa-limbosolutions-com
+  name: casa-limbosolutions-com
+rules:
+  - apiGroups: 
+      - ""
+      - cert-manager.io # to access deployments certs from cert-manager
+      - apps # to access deployments
+      - networking.k8s.io # to access ingresses
+    resources: 
+      - pods
+      - services
+      - secrets
+      - certificates
+      - deployments
+      - configmaps
+      - ingresses
+      - persistentvolumeclaims
+    verbs: 
+      - get
+      - list
+      - watch
+      - create
+      - update
+      - patch
+      - delete
+      - deletecollection
+```
+
+``` yaml
+apiVersion: rbac.authorization.k8s.io/v1
+kind: ClusterRoleBinding
+metadata:
+  name: casa-limbosolutions-com-rb  # Replace with your role binding name
+  namespace: casa-limbosolutions-com     # Replace with your namespace
+subjects:
+- kind: User                   # or "ServiceAccount" for service accounts
+  name: casa           # Replace with the username or service account name
+  apiGroup: rbac.authorization.k8s.io
+  namespace: casa-limbosolutions-com
+roleRef:
+  kind: ClusterRole
+  name: casa-limbosolutions-com          # The name of the role you created
+  apiGroup: rbac.authorization.k8s.io
+```
+
+### kubernetes User
+
+```bash
+#Deploy csr to k3s
+cat <<EOF | kubectl apply -f -
+apiVersion: certificates.k8s.io/v1
+kind: CertificateSigningRequest
+metadata:
+  name: casa-user-csr
+spec:
+  request: $(cat ../.env.d/.kube/casa@icarus-user.csr | base64 | tr -d '\n')
+  signerName: kubernetes.io/kube-apiserver-client
+  usages:
+  - client auth
+EOF
+```
+
+```bash
+# Approve csr
+kubectl certificate approve casa-user-csr
+```
+
+```bash
+# Download kubernet user crt
+kubectl get csr casa-user-csr -o jsonpath='{.status.certificate}' | base64 --decode > ./.env.d/casa@icarus-user.crt
+```

casa-limbosolutions-com/sync-certs-job/README.md

@@ -0,0 +1 @@
+

casa-limbosolutions-com/sync-certs-job/docker-compose.yaml

@@ -0,0 +1,78 @@
+
+configs:
+  sync-certs-sh:
+    content: |
+      #!/bin/bash
+      ##############################################################################################################################
+      # notes:
+      # --certificate-authority="$${KUBERNETES_CRT_AUTHORITY}" not working, dont hnow why, so using --insecure-skip-tls-verify
+      ##############################################################################################################################
+      
+      
+      set -e
+      mkdir -p /tmp/.kube
+
+      echo "Trace: Setup kube"
+   
+      echo "Trace: Processing KUBERNETES_CRT_AUTHORITY_DATA"
+      base64 -d <<< "${KUBERNETES_CRT_AUTHORITY_DATA}" > "$${KUBERNETES_CRT_AUTHORITY}"
+      echo "Trace: Processing KUBERNETES_CRT_AUTHORITY_DATA"
+      base64 -d <<< "${KUBERNETES_CLIENT_CRT_DATA}" > "$${KUBERNETES_CLIENT_CRT}"
+      echo "Trace: Processing KUBERNETES_CLIENT_KEY_DATA"
+      base64 -d <<< "${KUBERNETES_CLIENT_KEY_DATA}" > "$${KUBERNETES_CLIENT_KEY}"
+
+      # while true ; do
+      #   sleep 5
+      # done
+
+   
+      echo "Trace: Fetching secrets"
+      CERT_NAMES=$(kubectl get secrets \
+        -n casa-limbosolutions-com \
+        --server="$${KUBERNETES_SERVER}" \
+        --client-key="$${KUBERNETES_CLIENT_KEY}" \
+        --client-certificate="$${KUBERNETES_CLIENT_CRT}" \
+        --insecure-skip-tls-verify \
+        -o json | jq -r '.items[].metadata.name')
+
+      for CERT_NAME in $$CERT_NAMES; do
+        echo "Trace: Syncing certificate: $$CERT_NAME"
+        kubectl get secret "$$CERT_NAME" \
+          -n casa-limbosolutions-com \
+          --server="$${KUBERNETES_SERVER}" \
+          --client-key="$${KUBERNETES_CLIENT_KEY}" \
+          --client-certificate="$${KUBERNETES_CLIENT_CRT}" \
+          --insecure-skip-tls-verify \
+          -o json | \
+          jq -r '.data | to_entries[] | "\(.key) \(.value)"' | \
+          while IFS=' ' read -r KEY VALUE; do
+            echo "Processing key: $$KEY"
+            # Decode the base64 value and save it to the appropriate file
+            echo "Trace: Saving key: $$KEY"
+            echo "$$VALUE" | base64 -d > "/etc/ssl/certs/casa-limbosolutions-com-certs/$${CERT_NAME}_$${KEY}"
+          done
+      done
+     
+      echo "Info: Certificates synced successfully."  
+
+services:
+  kubectl:
+    image: bitnami/kubectl:latest
+    environment:
+      KUBERNETES_SERVER: ${KUBERNETES_SERVER}
+      KUBERNETES_CRT_AUTHORITY: /tmp/.kube/ca.crt
+      KUBERNETES_CLIENT_CRT: /tmp/.kube/client.crt
+      KUBERNETES_CLIENT_KEY: /tmp/.kube/client.key
+    container_name: sync-certs-job
+    entrypoint: bash -c /app/sync-certs.sh
+    configs:
+      - source: sync-certs-sh
+        target: /app/sync-certs.sh
+        mode: 0755
+    volumes:
+      - casa-certs:/etc/ssl/certs/casa-limbosolutions-com-certs:rw
+volumes:
+  casa-certs:
+    name: casa-limbosolutions-com-certs
+    external: true # Atention permission must be set to 1001:1001 (using chown on nginx container command)
+

services/nginx/docker-compose.yaml

@@ -1,4 +1,11 @@
-version: '3'
+configs:
+  run-sh:
+    content: |
+      #!/bin/sh
+      # patch security so kubctl on sync-certs-job can write to the mounted volume
+      chown -R 1001:1001 /etc/ssl/certs/casa-limbosolutions-com-certs
+      while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g "daemon off;"
+
 services:
   nginx:
     build:
@@ -6,28 +13,29 @@ services:
     pull_policy: build
     image: homesrv/nginx:latest
     volumes:
-      - casa-certs:/etc/ssl
+      - casa-limbosolutions-com-certs:/etc/ssl/certs/casa-limbosolutions-com-certs
     ports:
       - 443:443
       - 80:80
     networks:
       - public
-      - private
-    command: "/bin/sh -c 'while :; do sleep 6h & wait $${!}; nginx -s reload; done & nginx -g \"daemon off;\"'"
     restart: unless-stopped
+    command: /bin/sh -c '/run.sh'
+    configs:
+      - source: run-sh
+        target: /run.sh
+        mode: 0755
 volumes:
   nginx-conf.d:
-  casa-certs:
-    name: casa-certs
-    external: true
 
-  # etc_ssl:
-  #   name: nginx_etc_ssl 
+  casa-limbosolutions-com-certs:
+    name: casa-limbosolutions-com-certs
+    external: false     
+
 networks:
   public:
     name: reverseproxy_public
     external: true
-  private:
-    name: reverseproxy_private
+
 
     

services/nginx/docker/nginx.conf.d/has.conf

@@ -5,7 +5,7 @@ map $http_upgrade $connection_upgrade {
 
 server {
     listen 80;
-    server_name casa.limbosolutions.com *.casa.limbosolutions.com;
+    server_name casa.limbosolutions.com *.casa.limbosolutions.com has.lan;
     return 301 https://has.casa.limbosolutions.com$request_uri;
 }
 
@@ -13,8 +13,8 @@ server {
 server {
 
     listen 443 ssl;
-    ssl_certificate /etc/ssl/tls.crt;
-    ssl_certificate_key /etc/ssl/tls.key;
+    ssl_certificate /etc/ssl/certs/casa-limbosolutions-com-certs/casa-limbosolutions-com-tls_tls.crt;
+    ssl_certificate_key /etc/ssl/certs/casa-limbosolutions-com-certs/casa-limbosolutions-com-tls_tls.key;
     ssl_protocols TLSv1.2 TLSv1.3;
     ssl_ciphers HIGH:!aNULL:!MD5;
 

services/nginx/docker/nginx.conf.d/lms.lan.conf

@@ -1,9 +1,10 @@
-
-
 server {
-    listen 80;
-    proxy_buffering off;
-    server_name lms.lan music.lan;
+    server_name lms.casa.limbosolutions.com music.casa.limbosolutions.com;
+    listen 443 ssl;
+    ssl_certificate /etc/ssl/certs/casa-limbosolutions-com-certs/casa-limbosolutions-com-tls_tls.crt;
+    ssl_certificate_key /etc/ssl/certs/casa-limbosolutions-com-certs/casa-limbosolutions-com-tls_tls.key;
+    ssl_protocols TLSv1.2 TLSv1.3;
+    ssl_ciphers HIGH:!aNULL:!MD5;
 
     location / {
         set $upstream lms-lms-1;
@@ -24,4 +25,8 @@ server {
     }
 }
 
-   
+server {
+    listen 80;
+    server_name lms.casa.limbosolutions.com music.casa.limbosolutions.com lms.lan music.lan;
+    return 301 https://lms.casa.limbosolutions.com$request_uri;
+}

services/rclone-certs/docker-compose.yaml

@@ -1,24 +0,0 @@
-version: '3.8'
-
-services:
-  rclone:
-    image: rclone/rclone:latest
-    container_name: rclone
-    environment:
-      - TZ=UTC
-      - RCLONE_CONFIG_S3_TYPE=s3
-      - RCLONE_CONFIG_S3_PROVIDER=SeaweedFS
-      - RCLONE_CONFIG_S3_ACCESS_KEY_ID=${RCLONE_S3_ACCESS_KEY_ID}
-      - RCLONE_CONFIG_S3_SECRET_ACCESS_KEY=${RCLONE_S3_SECRET_ACCESS_KEY}
-      - RCLONE_CONFIG_S3_ENDPOINT=${RCLONE_S3_ENDPOINT}
-      - RCLONE_CONFIG_S3_BUCKET=${RCLONE_S3_BUCKET}
-      
-    volumes:
-      - casa-certs:/certs
-    command: sync s3:/casa.certs /certs
-    restart: no
-volumes:
-  casa-certs:
-    name: casa-certs
-    external: false
-