clofour · clofour · May 1, 2026 · Apr 30, 2026 · May 1, 2026 · May 1, 2026
diff --git a/.github/workflows/terraform.yaml b/.github/workflows/terraform.yaml
@@ -41,6 +41,7 @@ jobs:
       TF_VAR_spaces_access_id: ${{ secrets.SPACES_ACCESS_ID }}
       TF_VAR_spaces_secret_key: ${{ secrets.SPACES_SECRET_KEY }}
       TF_VAR_sendgrid_api_key: ${{ secrets.SENDGRID_API_KEY }}
+      TF_VAR_git_repo: ${{ github.server_url }}/${{ github.repository }}
     if: github.ref == 'refs/heads/main'
     needs: validate
     steps:

diff --git a/flux/bootstrap/cluster-kustomization.yaml b/flux/bootstrap/cluster-kustomization.yaml
@@ -0,0 +1,18 @@
+apiVersion: kustomize.toolkit.fluxcd.io/v1
+kind: Kustomization
+metadata:
+  name: cluster
+  namespace: flux-system
+spec:
+  interval: 10m
+  prune: true
+  sourceRef:
+    kind: GitRepository
+    name: flux-system
+  path: ./flux
+  postBuild:
+    substituteFrom:
+      - kind: ConfigMap
+        name: shared-values
+      - kind: ConfigMap
+        name: runtime-values
diff --git a/flux/bootstrap/shared-values.yaml b/flux/bootstrap/shared-values.yaml
@@ -0,0 +1,7 @@
+apiVersion: v1
+kind: ConfigMap
+metadata:
+  name: shared-values
+  namespace: flux-system
+data:
+  key: value
diff --git a/flux/kustomization.yaml b/flux/kustomization.yaml
@@ -0,0 +1,18 @@
+apiVersion: kustomize.config.k8s.io/v1beta1
+kind: Kustomization
+resources:
+  - bootstrap/cluster-kustomization.yaml
+  - bootstrap/shared-values.yaml
+  - repositories/emberstack.yaml
+  - repositories/envoy-proxy.yaml
+  - repositories/external-dns.yaml
+  - repositories/gitlab.yaml
+  - repositories/jetstack.yaml
+  - releases/cert-manager.yaml
+  - releases/cluster-issuer.yaml
+  - releases/dns01-certificate.yaml
+  - releases/envoy-gateway.yaml
+  - releases/external-dns.yaml
+  - releases/gateway-config.yaml
+  - releases/gitlab.yaml
+  - releases/reflector.yaml
diff --git a/flux/releases/cert-manager.yaml b/flux/releases/cert-manager.yaml
@@ -0,0 +1,26 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: cert-manager
+  namespace: flux-system
+spec:
+  interval: 1m
+  chartRef:
+    kind: OCIRepository
+    name: cert-manager
+    namespace: flux-system
+  targetNamespace: cert-manager
+  install:
+    createNamespace: true
+  values:
+    crds:
+      enabled: true
+      keep: true
+
+    replicaCount: 1
+
+    prometheus:
+      enabled: true
+
+    webhook:
+      timeoutSeconds: 25
diff --git a/flux/releases/cluster-issuer.yaml b/flux/releases/cluster-issuer.yaml
@@ -0,0 +1,21 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: cluster-issuer
+  namespace: flux-system
+spec:
+  interval: 1m
+  dependsOn:
+    - name: cert-manager
+  chart:
+    spec:
+      chart: ./helm/cluster-issuer
+      sourceRef:
+        kind: GitRepository
+        name: flux-system
+        namespace: flux-system
+  targetNamespace: cert-manager
+  install:
+    createNamespace: true
+  values:
+    email: ${email}
diff --git a/flux/releases/dns01-certificate.yaml b/flux/releases/dns01-certificate.yaml
@@ -0,0 +1,24 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: dns01-certificate
+  namespace: flux-system
+spec:
+  interval: 1m
+  dependsOn:
+    - name: cert-manager
+    - name: cluster-issuer
+  chart:
+    spec:
+      chart: ./helm/dns01-certificate
+      sourceRef:
+        kind: GitRepository
+        name: flux-system
+        namespace: flux-system
+  targetNamespace: cert-manager
+  install:
+    createNamespace: true
+  values:
+    name: wildcard-certificate
+    secretName: wildcard-certificate
+    issuer: letsencrypt
diff --git a/flux/releases/envoy-gateway.yaml b/flux/releases/envoy-gateway.yaml
@@ -0,0 +1,17 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: envoy-gateway
+  namespace: flux-system
+spec:
+  interval: 1m
+  dependsOn:
+    - name: cert-manager
+    - name: dns01-certificate
+  chartRef:
+    kind: OCIRepository
+    name: envoy-proxy
+    namespace: flux-system
+  targetNamespace: envoy-gateway-system
+  install:
+    createNamespace: true
diff --git a/flux/releases/external-dns.yaml b/flux/releases/external-dns.yaml
@@ -0,0 +1,36 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: external-dns
+  namespace: flux-system
+spec:
+  interval: 1m
+  dependsOn:
+    - name: reflector
+  chart:
+    spec:
+      chart: external-dns
+      version: 1.20.0
+      sourceRef:
+        kind: HelmRepository
+        name: external-dns
+        namespace: flux-system
+  targetNamespace: external-dns
+  install:
+    createNamespace: true
+  values:
+    provider:
+      name: digitalocean
+    env:
+      - name: DO_TOKEN
+        valueFrom:
+          secretKeyRef:
+            name: do-dns-secret
+            key: password
+    domainFilters:
+      - ${domain}
+    txtOwnerId: ${cluster_name}
+    sources:
+      - service
+      - gateway-httproute
+    policy: sync
diff --git a/flux/releases/gateway-config.yaml b/flux/releases/gateway-config.yaml
@@ -0,0 +1,22 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: gateway-config
+  namespace: flux-system
+spec:
+  interval: 1m
+  dependsOn:
+    - name: envoy-gateway
+  chart:
+    spec:
+      chart: ./helm/gateway-config
+      sourceRef:
+        kind: GitRepository
+        name: flux-system
+        namespace: flux-system
+  targetNamespace: envoy-gateway-system
+  install:
+    createNamespace: true
+  values:
+    name: gateway
+    certificateName: wildcard-certificate
diff --git a/flux/releases/gitlab.yaml b/flux/releases/gitlab.yaml
@@ -0,0 +1,175 @@
+apiVersion: helm.toolkit.fluxcd.io/v2
+kind: HelmRelease
+metadata:
+  name: gitlab
+  namespace: flux-system
+spec:
+  interval: 1m
+  dependsOn:
+    - name: cert-manager
+    - name: dns01-certificate
+    - name: reflector
+    - name: cluster-issuer
+    - name: envoy-gateway
+    - name: gateway-config
+  chart:
+    spec:
+      chart: gitlab
+      version: 9.10.3
+      sourceRef:
+        kind: HelmRepository
+        name: gitlab
+        namespace: flux-system
+  targetNamespace: gitlab
+  install:
+    createNamespace: true
+  values:
+    global:
+      edition: ce
+
+      initialRootPassword:
+        secret: gitlab-initial-root-password
+        key: password
+
+      hosts:
+        domain: ${domain}
+        https: true
+        gitlab:
+          name: ${gitlab_host}.${domain}
+        registry:
+          name: ${registry_host}.${domain}
+        pages:
+          name: ${pages_host}.${domain}
+
+      gatewayApi:
+        enabled: true
+        installEnvoy: false
+        configureCertmanager: false
+        gatewayRef:
+          name: gateway
+          namespace: envoy-gateway-system
+
+      ingress:
+        enabled: false
+        configureCertmanager: false
+
+      psql:
+        host: ${postgres_host}
+        port: ${postgres_port}
+        database: ${postgres_database}
+        username: ${postgres_username}
+        password:
+          secret: gitlab-postgres-secret
+          key: password
+
+      redis:
+        scheme: rediss
+        host: ${redis_host}
+        port: ${redis_port}
+        auth:
+          enabled: true
+          secret: gitlab-redis-secret
+          key: password
+
+      pages:
+        enabled: true
+
+      appConfig:
+        object_store:
+          enabled: true
+          proxy_download: true
+          connection:
+            secret: gitlab-s3-main-secret
+            key: connection
+
+        artifacts:
+          bucket: ${buckets_artifacts}
+          connection: {}
+        uploads:
+          bucket: ${buckets_uploads}
+          connection: {}
+        packages:
+          bucket: ${buckets_packages}
+          connection: {}
+        lfs:
+          bucket: ${buckets_lfs}
+          connection: {}
+        registry:
+          bucket: ${buckets_registry}
+          connection: {}
+        pages:
+          bucket: ${buckets_pages}
+          connection: {}
+
+      minio:
+        enabled: false
+
+      email:
+        display_name: GitLab
+        from: gitlab@${domain}
+        reply_to: noreply@${domain}
+
+      smtp:
+        enabled: true
+        domain: smtp.sendgrid.net
+        address: smtp.sendgrid.net
+        port: 2525
+        user_name: apikey
+        password:
+          secret: gitlab-sendgrid-secret
+          key: password
+        tls: false
+        starttls_auto: true
+        openssl_verify_mode: peer
+
+      time_zone: UTC
+
+      extraEnv:
+        PGSSLMODE: require
+
+
+    postgresql:
+      install: false
+    redis:
+      install: false
+    gitlab:
+      webservice:
+        gatewayRoute:
+          sectionName: https
+        metrics:
+          enabled: true
+          serviceMonitor:
+            enabled: true
+        workhorse:
+          metrics:
+            enabled: true
+            serviceMonitor:
+              enabled: true
+      sidekiq:
+        metrics:
+          enabled: true
+          podMonitor:
+            enabled: true
+      gitlab-exporter:
+        metrics:
+          enabled: true
+          serviceMonitor:
+            enabled: true
+      gitlab-shell:
+        sshDaemon: gitlab-sshd
+        metrics:
+          enabled: true
+          serviceMonitor:
+            enabled: true
+    gitlab-runner:
+      install: false
+    registry:
+      metrics:
+        enabled: true
+        serviceMonitor:
+          enabled: true
+    prometheus:
+      install: false
+    nginx-ingress:
+      enabled: false
+    installCertmanager: false