2024-05-22 12:49:28 -05:00
commit 35b77bb0df
219 changed files with 9997 additions and 0 deletions


@@ -0,0 +1,11 @@
apiVersion: v2
name: audiobookshelf
version: 0.0.1
sources:
- https://github.com/advplyr/audiobookshelf
- https://github.com/k8s-home-lab/helm-charts/tree/master/charts/stable/audiobookshelf
dependencies:
- name: audiobookshelf
version: 2.0.0
repository: https://k8s-home-lab.github.io/helm-charts/
appVersion: "2.8.0"
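Review bot: `appVersion: "2.8.0"` does not match the image tag the values file in this commit deploys (`tag: 2.9.0`), so the `app.kubernetes.io/version` label stamped from `.Chart.AppVersion` on the PV/PVC templates will advertise a version that is not running. Keep the two in step, `appVersion: "2.9.0"`, or derive the label from the image tag instead, so inventory and vulnerability tooling that keys on the label is not misled.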


@@ -0,0 +1,40 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: audiobookshelf-nfs-storage-backup
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeMode: Filesystem
storageClassName: nfs-client
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: audiobookshelf-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: audiobookshelf-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi


@@ -0,0 +1,25 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: audiobookshelf-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: {{ .Values.storage.nfs.path }}
server: {{ .Values.storage.nfs.server }}
mountOptions:
- vers=4
- minorversion=1
- noac
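Review bot: The PersistentVolume has no `claimRef`, so until the intended PVC binds it, any other PVC in the cluster asking for `storageClassName: nfs-client` with ReadWriteMany and ≥1Gi can be matched to this PV and mount the NAS export from a different namespace; pin it with `claimRef:` / `namespace: {{ .Release.Namespace }}` / `name: audiobookshelf-nfs-storage`. The `namespace:` field on a PersistentVolume is ignored because PVs are cluster-scoped, so it should be dropped rather than relied on for isolation. Note also that `vers=4`/`minorversion=1` without a `sec=` option leaves the mount on AUTH_SYS, where the export's own host-based allow list is the only access control — confirm the Synology export is restricted to the node IPs.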


@@ -0,0 +1,48 @@
audiobookshelf:
image:
repository: ghcr.io/advplyr/audiobookshelf
tag: 2.9.0
env:
TZ: US/Central
ingress:
main:
enabled: true
ingressClassName: traefik
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
hosts:
- host: audiobookshelf.alexlebens.net
paths:
- path: /
pathType: Prefix
tls:
- secretName: audiobookshelf-secret-tls
hosts:
- audiobookshelf.alexlebens.net
persistence:
config:
enabled: true
mountPath: /config
accessMode: ReadWriteOnce
size: 2Gi
metadata:
enabled: true
mountPath: /metadata
accessMode: ReadWriteOnce
size: 10Gi
backup:
enabled: true
mountPath: /metadata/backups
type: pvc
existingClaim: audiobookshelf-nfs-storage-backup
audiobooks:
enabled: true
mountPath: /mnt/store/
type: pvc
existingClaim: audiobookshelf-nfs-storage
storage:
nfs:
path: /volume2/Storage
server: synologybond.alexlebens.net
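Review bot: The `audiobooks` volume mounts the root of the share, `path: /volume2/Storage`, read-write at `/mnt/store/`, whereas the calibre releases in the same commit scope their PV to `/volume2/Storage/Calibre`; a compromise of the audiobookshelf process (it parses untrusted audio/ebook metadata) would then have write access to everything on that export, not just its library. Narrow the PV path to the audiobook directories and, if the upstream chart's persistence block supports it, mark the mount `readOnly: true` unless the app actually writes there. The `backup` volume is mounted inside the `metadata` volume (`/metadata/backups`), which works but silently shadows any `backups` directory already on the metadata PVC — worth a comment so the nesting is not "fixed" later.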


@@ -0,0 +1,11 @@
apiVersion: v2
name: calibre-server
version: 1.0.0
sources:
- https://github.com/kovidgoyal/calibre
- https://github.com/alexlebens/helm-charts/tree/main/charts/calibre-server
dependencies:
- name: calibre-server
version: 0.0.8
repository: http://alexlebens.github.io/helm-charts
appVersion: 7.5.1
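Review bot: The dependency is fetched from a plaintext repository, `repository: http://alexlebens.github.io/helm-charts`, so the chart index and tarball are resolved over HTTP (GitHub Pages will redirect to HTTPS, but the first hop and the redirect itself are unauthenticated and can be rewritten on-path). Use `https://alexlebens.github.io/helm-charts` as the k8s-home-lab dependency in this commit already does; the same pattern appears in the cops, freshrss, home-assistant and homepage-front Chart.yaml files.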


@@ -0,0 +1,19 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: calibre-server-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: calibre-server-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi


@@ -0,0 +1,25 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: calibre-server-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: {{ index .Values "calibre-server" "persistence" "books" "nfs" "path" }}
server: {{ index .Values "calibre-server" "persistence" "books" "nfs" "server" }}
mountOptions:
- vers=4
- minorversion=1
- noac
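Review bot: The templated NFS fields are emitted as bare scalars, `path: {{ index .Values "calibre-server" "persistence" "books" "nfs" "path" }}`; if the value is unset the key renders as `null` and the PV is rejected with an unrelated-looking error, and a path containing `: ` or ` #` would change the YAML structure. Pipe both through `| quote` so the rendered manifest is always a string. As with the other PVs in this commit, `namespace:` on a PersistentVolume is ignored, and without a `claimRef` any RWX `nfs-client` claim elsewhere in the cluster may bind this volume before `calibre-server-nfs-storage` does.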


@@ -0,0 +1,20 @@
calibre-server:
deployment:
env:
TZ: US/Central
ingressRoute:
enabled: true
http:
host: calibre-server.alexlebens.net
authentik:
outpost: authentik-outpost-proxy
namespace: authentik
persistence:
config:
storageClassName: ceph-block
storageSize: 5Gi
books:
claimName: calibre-server-nfs-storage
nfs:
path: /volume2/Storage/Calibre
server: synologybond.alexlebens.net


@@ -0,0 +1,11 @@
apiVersion: v2
name: calibre-web
version: 0.0.1
sources:
- https://github.com/janeczku/calibre-web
- https://github.com/k8s-home-lab/helm-charts/tree/master/charts/stable/calibre-web
dependencies:
- name: calibre-web
version: 9.0.2
repository: https://k8s-home-lab.github.io/helm-charts/
appVersion: v0.6.21


@@ -0,0 +1,33 @@
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: {{ .Release.Name }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
entryPoints:
- websecure
routes:
- kind: Rule
match: "Host(`{{ .Values.ingressRoute.host }}`)"
middlewares:
- name: "authentik-{{ .Release.Name }}"
namespace: {{ .Release.Namespace }}
priority: 10
services:
- kind: Service
name: {{ .Release.Name }}
port: {{ .Values.ingressRoute.port }}
- kind: Rule
match: "Host(`{{ .Values.ingressRoute.host }}`) && PathPrefix(`/outpost.goauthentik.io/`)"
priority: 15
services:
- kind: Service
name: {{ .Values.ingressRoute.authentik.outpost }}
port: {{ .Values.ingressRoute.authentik.port }}
namespace: {{ .Values.ingressRoute.authentik.namespace }}
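Review bot: The second route points at a Service in another namespace (`namespace: {{ .Values.ingressRoute.authentik.namespace }}`), which Traefik only honours when the CRD provider is started with `allowCrossNamespace` enabled; otherwise the `/outpost.goauthentik.io/` callback is unroutable and every login loops, so the requirement should be stated in a comment above that route. The split is otherwise correct — the unauthenticated route is limited to the outpost path prefix with a higher priority, and everything else on the host goes through the forwardAuth middleware. There is no `tls:` stanza here and no cert-manager annotation, so the host will be served with whatever certificate `websecure` has by default unless a Certificate for this host exists elsewhere; worth a one-line note so it is not mistaken for an omission.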


@@ -0,0 +1,27 @@
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: "authentik-{{ .Release.Name }}"
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: auth
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
forwardAuth:
address: "http://{{ .Values.ingressRoute.authentik.outpost }}.authentik:{{ .Values.ingressRoute.authentik.port }}/outpost.goauthentik.io/auth/traefik"
trustForwardHeader: true
authResponseHeaders:
- X-authentik-username
- X-authentik-groups
- X-authentik-email
- X-authentik-name
- X-authentik-uid
- X-authentik-jwt
- X-authentik-meta-jwks
- X-authentik-meta-outpost
- X-authentik-meta-provider
- X-authentik-meta-app
- X-authentik-meta-version
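Review bot: The forwardAuth `address` hard-codes the outpost's namespace as `.authentik` while the IngressRoute in this release reads it from `.Values.ingressRoute.authentik.namespace`; if the value is ever changed the route and the auth check silently diverge, so use `address: "http://{{ .Values.ingressRoute.authentik.outpost }}.{{ .Values.ingressRoute.authentik.namespace }}:{{ .Values.ingressRoute.authentik.port }}/outpost.goauthentik.io/auth/traefik"`. `trustForwardHeader: true` makes Traefik pass the client's own `X-Forwarded-*` headers to the outpost, which authentik uses to build redirect URLs; that is only safe if the `websecure` entrypoint is configured to drop or restrict forwarded headers from untrusted sources, so confirm the entrypoint's `forwardedHeaders` settings. The auth exchange itself goes over plain `http://` inside the cluster, acceptable on a homelab network but worth noting since session cookies and the `X-authentik-jwt` response header transit it.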


@@ -0,0 +1,19 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: calibre-web-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: calibre-web-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi


@@ -0,0 +1,25 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: calibre-web-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: {{ .Values.storage.storage.nfs.path }}
server: {{ .Values.storage.storage.nfs.server }}
mountOptions:
- vers=4
- minorversion=1
- noac


@@ -0,0 +1,33 @@
calibre-web:
image:
repository: ghcr.io/linuxserver/calibre-web
tag: 0.6.21-ls253
env:
TZ: US/Central
DOCKER_MODS: linuxserver/mods:universal-calibre
ingress:
main:
enabled: false
persistence:
config:
enabled: true
mountPath: /config
accessMode: ReadWriteOnce
size: 5Gi
media:
enabled: true
mountPath: /books
type: pvc
existingClaim: calibre-web-nfs-storage
ingressRoute:
host: calibre.alexlebens.net
port: 8083
authentik:
outpost: authentik-outpost-proxy
port: 9000
namespace: authentik
storage:
storage:
nfs:
path: /volume2/Storage/Calibre
server: synologybond.alexlebens.net
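Review bot: `DOCKER_MODS: linuxserver/mods:universal-calibre` makes the container download and unpack an extra image layer from Docker Hub at every start, by a floating tag and with no digest, and the mod's install scripts run as root before the application drops privileges; that is an unpinned runtime supply-chain input that bypasses the otherwise careful image pinning (`tag: 0.6.21-ls253`). Pin the mod by digest (`linuxserver/mods@sha256:…`) or bake calibre into a locally built image so the content is fixed at review time. Everything else here looks right: the built-in ingress is disabled and traffic goes through the authentik-protected IngressRoute.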


@@ -0,0 +1,12 @@
apiVersion: v2
name: code-server
version: 0.0.1
sources:
- https://github.com/coder/code-server
- https://github.com/linuxserver/docker-code-server
- https://gitlab.com/alexander-chernov/helm/code-server
dependencies:
- name: code-server
version: 0.1.1
repository: https://charts.alekc.dev
appVersion: "4.22.0"
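Review bot: `appVersion: "4.22.0"` is far behind the image this commit actually runs (`linuxserver/code-server` tag `4.89.1` in the values file), so the version label derived from `.Chart.AppVersion` on the secret and PVC templates will be wrong; set `appVersion: "4.89.1"` or keep the two in step going forward.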


@@ -0,0 +1,23 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: codeserver-password-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: password
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /code-server/auth
metadataPolicy: None
property: password


@@ -0,0 +1,19 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: code-server-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeMode: Filesystem
storageClassName: nfs-client
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi


@@ -0,0 +1,34 @@
code-server:
image:
repository: linuxserver/code-server
tag: 4.89.1
ingress:
enabled: true
className: traefik
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
hosts:
- host: codeserver.alexlebens.net
paths:
- path: /
pathType: Prefix
tls:
- secretName: codeserver-secret-tls
hosts:
- codeserver.alexlebens.net
env:
simple:
TZ: US/Central
DEFAULT_WORKSPACE: /config
full:
- name: SUDO_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: codeserver-password-secret
optional: false
persistence:
existingClaim: code-server-nfs-storage
enabled: true
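Review bot: Nothing in this values file gives the editor a web login: only `SUDO_PASSWORD` is taken from the secret, and the linuxserver image documents that without `PASSWORD` or `HASHED_PASSWORD` the web UI has no authentication, yet the ingress publishes `codeserver.alexlebens.net` with a Let's Encrypt certificate and no forward-auth middleware (the calibre-web and home-assistant releases in this commit front their UIs with the authentik IngressRoute instead). Unless the chart injects a password elsewhere, anyone reaching the host gets a shell with sudo on a pod that mounts the NFS workspace. Add an entry alongside `SUDO_PASSWORD` such as `- name: HASHED_PASSWORD` backed by a separate Vault property, and preferably put the host behind the authentik forwardAuth middleware as well; do not reuse the same `password` property for both sudo and the web login.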


@@ -0,0 +1,11 @@
apiVersion: v2
name: cops
version: 0.0.1
sources:
- https://github.com/mikespub-org/seblucas-cops
- http://alexlebens.github.io/helm-charts
dependencies:
- name: cops
version: 0.0.3
repository: http://alexlebens.github.io/helm-charts
appVersion: 1.1.3
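Review bot: Both the `sources` entry and the dependency `repository` use `http://alexlebens.github.io/helm-charts`; the chart is pulled over an unauthenticated channel, so change the dependency to `https://alexlebens.github.io/helm-charts` (the k8s-home-lab dependency elsewhere in this commit already uses HTTPS). `appVersion: 1.1.3` is unquoted and happens to be safe, but quoting app versions consistently (`"1.1.3"`, as the audiobookshelf and code-server charts do) avoids a future `1.10`-style float surprise.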


@@ -0,0 +1,19 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: cops-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: cops-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi


@@ -0,0 +1,25 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: cops-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: {{ .Values.storage.books.nfsPath }}
server: {{ .Values.storage.books.nfsServer }}
mountOptions:
- vers=4
- minorversion=1
- noac
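Review bot: If COPS only serves the Calibre library (it is an OPDS catalogue over an existing `metadata.db`) the NFS volume can be exported read-only at the PV level with `readOnly: true` under `nfs:`, so that a flaw in the PHP front-end cannot alter or delete the library that calibre-server and calibre-web also mount; please confirm COPS writes nothing to the library before applying. Like the other static PVs in this commit, `namespace:` on the PersistentVolume is ignored, and a `claimRef` naming `cops-nfs-storage` would stop an unrelated RWX `nfs-client` claim from binding this volume first.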


@@ -0,0 +1,22 @@
cops:
deployment:
env:
TZ: US/Central
ingress:
enabled: true
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
className: traefik
host: calibre-content.alexlebens.net
persistence:
config:
storageClassName: ceph-block
storageSize: 1Gi
books:
claimName: cops-nfs-storage
storage:
books:
nfsPath: /volume2/Storage/Calibre
nfsServer: synologybond.alexlebens.net
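Review bot: This ingress publishes `calibre-content.alexlebens.net` with only TLS annotations — no forwardAuth middleware and no authentik IngressRoute — while the sibling calibre-web release is placed behind authentik; unless COPS's own basic auth is configured somewhere not shown here, the entire Calibre library becomes downloadable by anyone who finds the host. Either reference the authentik forwardAuth Middleware through the `traefik.ingress.kubernetes.io/router.middlewares` annotation or enable COPS's HTTP auth; be aware that most OPDS reader apps only support basic auth, so a browser-redirect forward-auth flow may break them, which is the usual reason to prefer the latter.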


@@ -0,0 +1,15 @@
apiVersion: v2
name: freshrss
version: 1.0.0
sources:
- https://github.com/FreshRSS/FreshRSS
- https://github.com/alexlebens/helm-charts/tree/main/charts/hfreshrss
dependencies:
- name: freshrss
version: 0.0.3
repository: http://alexlebens.github.io/helm-charts
- name: postgres-cluster
alias: postgres-16-cluster
version: 3.0.0
repository: http://alexlebens.github.io/helm-charts
appVersion: "1.23.1"
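Review bot: The `sources` link points at `charts/hfreshrss`, which looks like a typo for `charts/freshrss` and will 404 for anyone auditing where this chart comes from. Both dependencies are fetched from `http://alexlebens.github.io/helm-charts`; switch to `https://` so the chart index and tarballs are not pulled over an unauthenticated hop.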


@@ -0,0 +1,94 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: freshrss-oidc-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: OIDC_CLIENT_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/freshrss
metadataPolicy: None
property: client
- secretKey: OIDC_CLIENT_SECRET
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/freshrss
metadataPolicy: None
property: secret
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: freshrss-install-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: FRESHRSS_INSTALL
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /freshrss/config
metadataPolicy: None
property: FRESHRSS_INSTALL
- secretKey: FRESHRSS_USER
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /freshrss/config
metadataPolicy: None
property: FRESHRSS_USER
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: freshrss-postgresql-16-cluster-backup-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: freshrss-postgresql-16-cluster-backup-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: database
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /aws/keys/cl01tl-freshrss-postgresql
metadataPolicy: None
property: access_key
- secretKey: ACCESS_SECRET_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /aws/keys/cl01tl-freshrss-postgresql
metadataPolicy: None
property: secret_key
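Review bot: The backup credentials are a static IAM access key pair (`/aws/keys/cl01tl-freshrss-postgresql`) materialised into a cluster Secret; anyone who can read Secrets in this namespace gets whatever that key can do in AWS, so the key's policy should be limited to `s3://cl01tl-postgresql-backups/freshrss` (Put/Get/List on that prefix only) and rotated via Vault. The third ExternalSecret also breaks the labelling used by the first two — `app.kubernetes.io/name: freshrss-postgresql-16-cluster-backup-secret` instead of `{{ .Release.Name }}` — which matters if anything selects or audits by that label; align it with the others.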


@@ -0,0 +1,42 @@
freshrss:
deployment:
env:
TZ: US/Central
CRON_MIN: 13,43
OIDC_ENABLED: 1
OIDC_PROVIDER_METADATA_URL: https://authentik.alexlebens.net/application/o/freshrss/.well-known/openid-configuration
OIDC_X_FORWARDED_HEADERS: X-Forwarded-Port X-Forwarded-Proto X-Forwarded-Host
OIDC_SCOPES: openid email profile
OIDC_REMOTE_USER_CLAIM: preferred_username
envFrom:
- secretRef:
name: freshrss-oidc-secret
ingress:
enabled: true
className: traefik
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
host: rss.alexlebens.net
persistence:
config:
storageClassName: ceph-block
storageSize: 5Gi
postgres-16-cluster:
mode: standalone
kubernetesClusterName: cl01tl
cluster:
walStorage:
storageClass: local-path
storage:
storageClass: local-path
monitoring:
enabled: true
backup:
enabled: true
endpointURL: https://s3.us-east-2.amazonaws.com
destinationPath: s3://cl01tl-postgresql-backups/freshrss
endpointCredentials: freshrss-postgresql-16-cluster-backup-secret
backupIndex: 1
retentionPolicy: 14d
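Review bot: `OIDC_ENABLED: 1` is a YAML integer; if the chart copies `env` values straight into the container spec the API server rejects the Deployment because `env[].value` must be a string, and `CRON_MIN: 13,43` should be quoted for the same reason — write `OIDC_ENABLED: "1"` and `CRON_MIN: "13,43"` regardless of how the chart currently renders them. `OIDC_X_FORWARDED_HEADERS` tells FreshRSS to trust `X-Forwarded-Proto/Host/Port` for building OIDC redirect URLs, which is correct only while Traefik strips or overrides those headers from clients; confirm the `websecure` entrypoint's forwarded-headers settings so a client cannot steer the callback to another host. The backup endpoint is HTTPS and retention is bounded, which is good; the WAL and data volumes on `local-path` are node-local, so document that durability relies on the S3 backup rather than on the storage.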


@@ -0,0 +1,11 @@
apiVersion: v2
name: home-assistant
version: 1.0.0
sources:
- https://github.com/home-assistant
- https://github.com/alexlebens/helm-charts/tree/main/charts/home-assistant
dependencies:
- name: home-assistant
version: 0.1.15
repository: http://alexlebens.github.io/helm-charts
appVersion: v2024.5.3


@@ -0,0 +1,48 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: home-assistant-codeserver-password-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: SUDO_PASSWORD
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /home-assistant/auth
metadataPolicy: None
property: SUDO_PASSWORD
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: home-assistant-token-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: bearerToken
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /home-assistant/auth
metadataPolicy: None
property: bearerToken


@@ -0,0 +1,46 @@
home-assistant:
deployment:
env:
TZ: US/Central
ingressRoute:
enabled: true
host: homeassistant.alexlebens.net
authentik:
outpost: authentik-outpost-proxy
namespace: authentik
metrics:
enabled: true
serviceMonitor:
bearerTokenSecret:
name: home-assistant-token-secret
key: bearerToken
prometheusRule:
enabled: true
rules:
- alert: HomeAssistantAbsent
annotations:
description: Home Assistant has disappeared from Prometheus service discovery.
summary: Home Assistant is down.
expr: |
absent(up{job=~".*home-assistant.*"} == 1)
for: 5m
labels:
severity: critical
persistence:
config:
storageClassName: ceph-block
storageSize: 1Gi
codeserver:
enabled: true
env:
TZ: US/Central
DEFAULT_WORKSPACE: /config
envFrom:
- secretRef:
name: home-assistant-codeserver-password-secret
ingressRoute:
enabled: true
host: homeassistant-codeserver.alexlebens.net
authentik:
outpost: authentik-outpost-proxy
namespace: authentik
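Review bot: The code-server sidecar opens `DEFAULT_WORKSPACE: /config` — the Home Assistant configuration directory, which holds `secrets.yaml` and the `.storage` auth database — and is given a sudo password, so whatever authentik policy is attached to `homeassistant-codeserver.alexlebens.net` is effectively root-equivalent access to the home-automation install; make sure that application is limited to a single admin group rather than the same policy as the main UI. If Home Assistant is reached only through Traefik it also needs `trusted_proxies` configured for the ingress pod CIDR, otherwise forwarded client addresses are rejected; that lives in configuration.yaml, not here, so a comment pointing at it would help. The Prometheus scrape uses a long-lived access token from Vault; note its rotation expectation next to `bearerTokenSecret`.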


@@ -0,0 +1,18 @@
apiVersion: v2
name: homepage-dev
version: 1.0.0
home: https://outline.alexlebens.net/doc/homepage-dev-s2clWoI5EC
sources:
- https://github.com/gethomepage/homepage
- https://github.com/cloudflare/cloudflared
- https://github.com/bjw-s/helm-charts/blob/main/charts/other/app-template/values.yaml
dependencies:
- name: app-template
alias: homepage
repository: https://bjw-s.github.io/helm-charts/
version: 3.1.0
- name: app-template
alias: cloudflared
repository: https://bjw-s.github.io/helm-charts/
version: 3.1.0
appVersion: v0.8.12


@@ -0,0 +1,23 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: homepage-dev-cloudflared-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: homepage-dev-cloudflared-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: cf-tunnel-token
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cloudflare/tunnels/homepage-dev
metadataPolicy: None
property: token


@@ -0,0 +1,225 @@
homepage:
global:
nameOverride: homepage
controllers:
main:
type: deployment
annotations:
reloader.stakater.com/auto: "true"
strategy: Recreate
containers:
main:
image:
repository: ghcr.io/gethomepage/homepage
tag: v0.8.13
pullPolicy: IfNotPresent
resources:
limits:
cpu: 1000m
memory: 512Mi
requests:
cpu: 10m
memory: 128Mi
serviceAccount:
create: true
configMaps:
config:
enabled: true
data:
docker.yaml: ""
kubernetes.yaml: ""
settings.yaml: |
favicon: https://alexlebens-dev.nyc3.digitaloceanspaces.com/cl02do/assets/icon_white.png
headerStyle: clean
hideVersion: true
color: slate
background:
image: https://alexlebens-dev.nyc3.digitaloceanspaces.com/cl02do/assets/background.jpg
theme: dark
disableCollapse: true
layout:
- Media:
icon: mdi-multimedia-#ffffff
- Applications:
icon: mdi-application-#ffffff
widgets.yaml: |
- logo:
icon: https://alexlebens-dev.nyc3.digitaloceanspaces.com/cl02do/assets/icon_white.png
- datetime:
text_size: xl
format:
dateStyle: long
timeStyle: short
hour12: false
- openmeteo:
label: Denver
latitude: 39.73
longitude: 104.99
units: metric
cache: 5
services.yaml: |
- Media:
- Plex:
icon: plex.png
href: https://plex.alexlebens.net
description: Media server
siteMonitor: http://plex.plex:32400
statusStyle: dot
- Overseerr:
icon: overseerr.png
description: Requests
href: https://overseerr.alexlebens.net
siteMonitor: http://overseerr.overseerr:5055
statusStyle: dot
- Jellyfin:
icon: jellyfin.png
description: Media server
href: https://jellyfin.alexlebens.net/
siteMonitor: http://jellyfin.jellyfin:8096
statusStyle: dot
- TubeAchivist:
icon: tube-archivist.png
description: Youtube downloader
href: https://tubearchivist.alexlebens.net/login/
siteMonitor: http://tubearchivist.tubearchivist:8000
statusStyle: dot
- Navidrome:
icon: navidrome.png
description: Music
href: https://navidrome.alexlebens.net
siteMonitor: http://navidrome.navidrome:4533
statusStyle: dot
- Audiobookshelf:
icon: audiobookshelf.png
description: Audiobooks, Books, and Podcasts
href: https://audiobookshelf.alexlebens.net
siteMonitor: http://audiobookshelf.audiobookshelf:80
statusStyle: dot
- Calibre:
icon: calibre-web.png
description: Books
href: https://calibre.alexlebens.net
siteMonitor: http://calibre-web.calibre-web:8083
statusStyle: dot
- Applications:
- Ghost:
icon: ghost.png
description: Website and blog
href: https://blog.alexlebens.dev
siteMonitor: https://blog.alexlebens.dev
statusStyle: dot
- Chat:
icon: element.svg
description: Web client for Matrix chat
href: https://chat.alexlebens.dev
siteMonitor: https://chat.alexlebens.dev
statusStyle: dot
- Home Assistant:
icon: home-assistant.png
description: Home automation
href: https://homeassistant.alexlebens.net
siteMonitor: http://home-assistant.home-assistant:8123
statusStyle: dot
- Vikunja:
icon: vikunja.png
description: Notes and tasks
href: https://vikunja.alexlebens.net
siteMonitor: http://vikunja-frontend.vikunja:80
statusStyle: dot
- Taiga:
icon: taiga.png
description: Project planning
href: https://taiga.alexlebens.net
siteMonitor: http://taiga-front.taiga:80
statusStyle: dot
- Penpot:
icon: https://raw.githubusercontent.com/penpot/penpot/362d4ea47f06d169dd6e0a34cb9d141200e646e6/frontend/resources/images/icons/penpot-logo-icon.svg
description: Web design
href: https://penpot.alexlebens.net
siteMonitor: http://penpot.penpot:80
statusStyle: dot
- Outline:
icon: outline.png
description: Wiki
href: https://outline.alexlebens.net
siteMonitor: http://outline.outline:3000
statusStyle: dot
- FreshRss:
icon: freshrss.svg
description: Rss reader
href: https://rss.alexlebens.net
siteMonitor: http://freshrss.freshrss:80
statusStyle: dot
bookmarks.yaml: ""
service:
http:
controller: main
ports:
http:
port: 80
targetPort: 3000
protocol: HTTP
persistence:
config:
enabled: true
type: configMap
name: homepage-dev-config
advancedMounts:
main:
main:
- path: /app/config/bookmarks.yaml
readOnly: true
mountPropagation: None
subPath: bookmarks.yaml
- path: /app/config/docker.yaml
readOnly: true
mountPropagation: None
subPath: docker.yaml
- path: /app/config/kubernetes.yaml
readOnly: true
mountPropagation: None
subPath: kubernetes.yaml
- path: /app/config/services.yaml
readOnly: true
mountPropagation: None
subPath: services.yaml
- path: /app/config/settings.yaml
readOnly: true
mountPropagation: None
subPath: settings.yaml
- path: /app/config/widgets.yaml
readOnly: true
mountPropagation: None
subPath: widgets.yaml
cloudflared:
global:
nameOverride: cloudflared
controllers:
main:
type: deployment
strategy: Recreate
containers:
main:
image:
repository: cloudflare/cloudflared
tag: "2024.5.0"
pullPolicy: IfNotPresent
args:
- tunnel
- --no-autoupdate
- run
- --token
- $(CF_MANAGED_TUNNEL_TOKEN)
env:
- name: CF_MANAGED_TUNNEL_TOKEN
valueFrom:
secretKeyRef:
name: homepage-dev-cloudflared-secret
key: cf-tunnel-token
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 10m
memory: 64Mi
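Review bot: The tunnel credential is passed on the command line, `- --token` / `- $(CF_MANAGED_TUNNEL_TOKEN)`, so after the kubelet expands the variable the token is visible in the container's process list and in the rendered pod spec to anyone with `pods/get` or exec in the namespace; cloudflared reads the same value from the `TUNNEL_TOKEN` environment variable, so drop the two `--token` args and rename the env entry to `- name: TUNNEL_TOKEN`. Separately, `longitude: 104.99` places the openmeteo widget in western China — Denver is at `-104.99`. The homepage container creates a ServiceAccount it does not appear to use (`kubernetes.yaml` is empty), so `serviceAccount.create` can stay `false` until the Kubernetes widget is enabled.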


@@ -0,0 +1,12 @@
apiVersion: v2
name: homepage-front
version: 1.0.0
home: https://outline.alexlebens.net/doc/homepage-s2clWoI5EC
sources:
- https://github.com/gethomepage/homepage
- https://github.com/alexlebens/helm-charts/tree/main/charts/homepage
dependencies:
- name: homepage
version: 0.0.15
repository: http://alexlebens.github.io/helm-charts
appVersion: v0.8.12


@@ -0,0 +1,44 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: homepage-back-key-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: HOMEPAGE_VAR_SYNOLOGY_USER
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /synology/auth
metadataPolicy: None
property: user
- secretKey: HOMEPAGE_VAR_SYNOLOGY_PASSWORD
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /synology/auth
metadataPolicy: None
property: password
- secretKey: HOMEPAGE_VAR_UNIFI_USER
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /unifi/auth
metadataPolicy: None
property: user
- secretKey: HOMEPAGE_VAR_UNIFI_PASSWORD
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /unifi/auth
metadataPolicy: None
property: password
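Review bot: This secret hands the dashboard pod user/password pairs for the Synology NAS and the UniFi controller as plain environment variables (`HOMEPAGE_VAR_SYNOLOGY_PASSWORD`, `HOMEPAGE_VAR_UNIFI_PASSWORD`); homepage's status widgets only need read access, so those should be dedicated read-only accounts on each device rather than the admin credentials, and the Vault paths `/synology/auth` and `/unifi/auth` suggest the latter. A note on the ExternalSecret stating that the accounts are widget-only and what permissions they carry would let the next reviewer verify the blast radius without logging into the NAS.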


@@ -0,0 +1,420 @@
homepage:
deployment:
annotations:
reloader.stakater.com/auto: "true"
resources:
limits:
memory: 2Gi
cpu: 1000m
envFrom:
- secretRef:
name: homepage-back-key-secret
ingressRoute:
host: home.alexlebens.net
authentik:
outpost: authentik-outpost-proxy
namespace: authentik
config:
widgets:
- logo:
icon: https://alexlebens-dev.nyc3.digitaloceanspaces.com/cl02do/assets/icon_white.png
- kubernetes:
cluster:
show: true
cpu: true
memory: true
showLabel: true
label: "Cluster"
nodes:
show: false
- datetime:
text_size: xl
format:
dateStyle: long
timeStyle: short
hour12: false
- openmeteo:
label: Denver
latitude: 39.73
longitude: 104.99
units: metric
cache: 5
services:
- Media:
- Plex:
icon: plex.png
href: https://plex.alexlebens.net
description: Media server
siteMonitor: http://plex.plex:32400
statusStyle: dot
- Overseerr:
icon: overseerr.png
description: Requests
href: https://overseerr.alexlebens.net
siteMonitor: http://overseerr.overseerr:5055
statusStyle: dot
- Jellyfin:
icon: jellyfin.png
description: Media server
href: https://jellyfin.alexlebens.net/
siteMonitor: http://jellyfin.jellyfin:8096
statusStyle: dot
- Kyoo:
icon: https://raw.githubusercontent.com/zoriya/Kyoo/master/icons/icon-256x256.png
description: Media server
href: https://kyoo.alexlebens.net/
siteMonitor: http://kyoo-front.kyoo:8901
statusStyle: dot
- TubeAchivist:
icon: tube-archivist.png
description: Youtube downloader
href: https://tubearchivist.alexlebens.net/login/
siteMonitor: http://tubearchivist.tubearchivist:8000
statusStyle: dot
- Navidrome:
icon: navidrome.png
description: Music
href: https://navidrome.alexlebens.net
siteMonitor: http://navidrome.navidrome:4533
statusStyle: dot
- Audiobookshelf:
icon: audiobookshelf.png
description: Audiobooks, Books, and Podcasts
href: https://audiobookshelf.alexlebens.net
siteMonitor: http://audiobookshelf.audiobookshelf:80
statusStyle: dot
- Calibre:
icon: calibre-web.png
description: Books
href: https://calibre.alexlebens.net
siteMonitor: http://calibre-web.calibre-web:8083
statusStyle: dot
- Applications:
- Ghost (.dev):
icon: ghost.png
description: Website and blog
href: https://blog.alexlebens.dev
siteMonitor: https://blog.alexlebens.dev
statusStyle: dot
- Chat (.dev):
icon: element.svg
description: Web client for Matrix chat
href: https://chat.alexlebens.dev
siteMonitor: https://chat.alexlebens.dev
statusStyle: dot
- Home Assistant:
icon: home-assistant.png
description: Home automation
href: https://homeassistant.alexlebens.net
siteMonitor: http://home-assistant.home-assistant:8123
statusStyle: dot
- Vikunja:
icon: vikunja.png
description: Notes and tasks
href: https://vikunja.alexlebens.net
siteMonitor: http://vikunja-frontend.vikunja:80
statusStyle: dot
- Taiga:
icon: taiga.png
description: Project planning
href: https://taiga.alexlebens.net
siteMonitor: http://taiga-front.taiga:80
statusStyle: dot
- Penpot:
icon: https://raw.githubusercontent.com/penpot/penpot/362d4ea47f06d169dd6e0a34cb9d141200e646e6/frontend/resources/images/icons/penpot-logo-icon.svg
description: Web design
href: https://penpot.alexlebens.net
siteMonitor: http://penpot.penpot:80
statusStyle: dot
- Outline:
icon: outline.png
description: Wiki
href: https://outline.alexlebens.net
siteMonitor: http://outline.outline:3000
statusStyle: dot
- FreshRss:
icon: freshrss.svg
description: Rss reader
href: https://rss.alexlebens.net
siteMonitor: http://freshrss.freshrss:80
statusStyle: dot
- Code:
- Code Server:
icon: code-server.png
description: VS Code in a browser
href: https://codeserver.alexlebens.net
siteMonitor: http://code-server.code-server:8443
statusStyle: dot
- Code Server - Home Assistant:
icon: code-server.png
description: Edit config for Home Assistant
href: https://homeassistant-codeserver.alexlebens.net
siteMonitor: http://home-assistant-codeserver.home-assistant:8443
statusStyle: dot
- Gitea:
icon: gitea.png
description: Code repository
href: https://gitea.alexlebens.net
siteMonitor: http://gitea-http.gitea:3000
statusStyle: dot
- ArgoCD:
icon: argocd.png
description: Continous Deployment
href: https://argocd.alexlebens.net
siteMonitor: http://argocd-server.argocd:80
statusStyle: dot
namespace: argocd
- Argo Rollouts:
icon: argocd.png
description: Deployment mangement and evaluation
href: https://argo-rollouts.alexlebens.net
siteMonitor: http://argo-rollouts-dashboard.argocd:3100
statusStyle: dot
namespace: argocd
- Argo Workflows:
icon: argocd.png
description: Workflows and events for ArgoCD
href: https://argo-workflows.alexlebens.net
siteMonitor: http://argo-workflows-server.argocd:2746
statusStyle: dot
namespace: argocd
- Kargo:
icon: https://raw.githubusercontent.com/akuity/kargo/main/ui/public/kargo-icon.png
description: Continous Integration
href: https://kargo.alexlebens.net
siteMonitor: http://kargo-api.argocd:80
statusStyle: dot
namespace: argocd
- Management:
- Calibre Server:
icon: calibre.png
description: Calibre content server
href: https://calibre-server.alexlebens.net
siteMonitor: http://calibre-server.calibre-server:8080
statusStyle: dot
- COPS:
icon: calibre-web.png
description: Calibre OPDS (and HTML) PHP Server
href: https://calibre-content.alexlebens.net
siteMonitor: http://cops.cops:80
statusStyle: dot
- Monitoring:
- Portainer:
icon: portainer.png
description: Service monitoring
href: https://portainer.alexlebens.net
siteMonitor: http://portainer.portainer:9000
statusStyle: dot
- Headlamp:
icon: kubernetes.png
description: Kubernetes dashboard
href: https://headlamp.alexlebens.net
siteMonitor: http://headlamp.headlamp:80
statusStyle: dot
- Hubble:
icon: cilium.png
description: Network monitoring for Cilium
href: https://hubble.alexlebens.net
siteMonitor: http://hubble-ui.kube-system:80
statusStyle: dot
- Grafana:
icon: grafana.png
description: Dashboard
href: https://grafana.alexlebens.net
siteMonitor: https://grafana.alexlebens.net
statusStyle: dot
- Prometheus:
icon: prometheus.png
description: Metrics database
href: https://prometheus.alexlebens.net
siteMonitor: http://kube-prometheus-stack-prometheus.kube-prometheus-stack:9090
statusStyle: dot
widget:
type: prometheus
url: http://kube-prometheus-stack-prometheus.kube-prometheus-stack:9090
- Alertmanager:
icon: alertmanager.png
description: Alerting and notification
href: https://alertmanager.alexlebens.net
siteMonitor: http://kube-prometheus-stack-alertmanager.kube-prometheus-stack:9093
statusStyle: dot
- Services:
- Authentik:
icon: authentik.png
description: Identity management and provider
href: https://authentik.alexlebens.net
siteMonitor: http://authentik-server.authentik:80
statusStyle: dot
- Authentik (.dev):
icon: authentik.png
description: Identity management and provider
href: https://auth.alexlebens.dev
siteMonitor: https://auth.alexlebens.dev
statusStyle: dot
- Traefik - cl01tl:
icon: traefik.png
description: Reverse proxy
href: https://traefik-cl01tl.alexlebens.net/dashboard/#/
siteMonitor: https://traefik-cl01tl.alexlebens.net/dashboard/#/
statusStyle: dot
widget:
type: traefik
url: https://traefik-cl01tl.alexlebens.net
- Traefik - ps08rp:
icon: traefik.png
description: Reverse proxy
href: https://traefik-ps08rp.alexlebens.net/dashboard/#/
siteMonitor: https://traefik-ps08rp.alexlebens.net/dashboard/#/
statusStyle: dot
- Traefik - ps09rp:
icon: traefik.png
description: Reverse proxy
href: https://traefik-ps09rp.alexlebens.net/dashboard/#/
siteMonitor: https://traefik-ps09rp.alexlebens.net/dashboard/#/
statusStyle: dot
- Technitium - ps08rp:
icon: technitium.png
description: DNS
href: https://technitium-ps08rp.alexlebens.net
siteMonitor: https://technitium-ps08rp.alexlebens.net
statusStyle: dot
- Technitium - ps09rp:
icon: technitium.png
description: DNS
href: https://technitium-ps09rp.alexlebens.net
siteMonitor: https://technitium-ps09rp.alexlebens.net
statusStyle: dot
- Hardware:
- Unifi:
icon: unifi.png
description: Manager network hardware
href: https://unifi.alexlebens.net
siteMonitor: https://unifi.alexlebens.net
statusStyle: dot
- Synology:
icon: synology.png
description: Network Attached Storage
href: https://synology.alexlebens.net
siteMonitor: https://synology.alexlebens.net
statusStyle: dot
widget:
type: diskstation
url: https://synology.alexlebens.net
username: '{{HOMEPAGE_VAR_SYNOLOGY_USER}}'
password: '{{HOMEPAGE_VAR_SYNOLOGY_PASSWORD}}'
volume: volume_2
- HD Homerun Flex:
icon: hdhomerun.png
description: TV Tuner
href: http://hdhr.alexlebens.net
siteMonitor: http://hdhr.alexlebens.net
statusStyle: dot
- Pi KVM:
icon: pikvm.png
description: IP KVM
href: https://pikvm.alexlebens.net
siteMonitor: https://pikvm.alexlebens.net
statusStyle: dot
- Storage:
- Ceph:
icon: ceph.png
description: Clustered storage
href: https://ceph.alexlebens.net
siteMonitor: http://rook-ceph-mgr-dashboard.rook-ceph:7000
statusStyle: dot
- PGAdmin:
icon: pgadmin.png
description: Postgresql console
href: https://pgadmin.alexlebens.net
siteMonitor: http://pgadmin-pgadmin4.pgadmin:80
statusStyle: dot
- Vault:
icon: vault.png
description: Secret management
href: https://vault.alexlebens.net
siteMonitor: http://vault.vault:8200
statusStyle: dot
- Minio:
icon: minio.png
description: Operator for Minio S3 storage
href: https://minio.alexlebens.net
siteMonitor: http://console.minio-operator:9090
statusStyle: dot
- Minio - Outline:
icon: minio.png
description: Tenant for Outline S3 storage
href: https://minio-outline.alexlebens.net
siteMonitor: http://minio-outline-console.outline:9090
statusStyle: dot
- Minio - Penpot:
icon: minio.png
description: Tenant for Penpot S3 storage
href: https://minio-penpot.alexlebens.net
siteMonitor: http://minio-penpot-console.penpot:9090
statusStyle: dot
bookmarks:
- External Services:
- Github:
- abbr: GH
href: https://github.com/alexlebens/alexlebens-net
- Renovate:
- abbr: RN
href: https://developer.mend.io/[platform]/alexlebens/alexlebens-net
- AWS:
- abbr: AW
href: https://aws.amazon.com/console/
- Cloudflare:
- abbr: CF
href: https://dash.cloudflare.com/b76e303258b84076ee01fd0f515c0768
- Tailscale:
- abbr: TS
href: https://login.tailscale.com/admin/machines
- ProtonVPN:
- abbr: PV
href: https://account.protonvpn.com/
- Pushover:
- abbr: PO
href: https://pushover.net
- ReCaptcha:
- abbr: RC
href: https://www.google.com/recaptcha/admin/site/698983587
- Dashboard Icons:
- abbr: DI
href: https://github.com/walkxcode/dashboard-icons/tree/main/png
settings:
favicon: https://alexlebens-dev.nyc3.digitaloceanspaces.com/cl02do/assets/icon_white.png
headerStyle: clean
hideVersion: true
color: slate
background:
image: https://alexlebens-dev.nyc3.digitaloceanspaces.com/cl02do/assets/background.jpg
theme: dark
disableCollapse: true
layout:
- Media:
tab: Apps
icon: mdi-multimedia-#ffffff
- Applications:
tab: Apps
icon: mdi-application-#ffffff
- Code:
tab: Tools
icon: mdi-code-braces-box-#ffffff
- Monitoring:
tab: Tools
icon: mdi-chart-bar-#ffffff
- Management:
tab: Tools
icon: mdi-content-save-cog-#ffffff
- Services:
tab: Services
icon: mdi-server-network-#ffffff
- Hardware:
tab: Services
icon: mdi-lan-connect-#ffffff
- Storage:
tab: Services
icon: mdi-harddisk-#ffffff
- External Services:
tab: Bookmarks
icon: mdi-cloud-#ffffff
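Review bot: The openmeteo widget's `longitude: 104.99` has the wrong sign for Denver, which lies at roughly 104.99° W and must be given as a negative value; as written the widget points at a location in East Asia. Change it to `longitude: -104.99`. The Renovate bookmark still carries an unresolved placeholder in `href: https://developer.mend.io/[platform]/alexlebens/alexlebens-net`, which renders as a dead link. Several user-visible titles and descriptions also have typos that will show on the dashboard: `TubeAchivist`, `Continous` (twice), `mangement`, and `Manager network hardware`.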


@@ -0,0 +1,11 @@
apiVersion: v2
name: jellyfin
version: 0.0.1
sources:
- https://github.com/jellyfin/jellyfin
- https://github.com/loeken/helm-charts/tree/main/charts/jellyfin
dependencies:
- name: jellyfin
version: 10.9.1
repository: https://loeken.github.io/helm-charts
appVersion: 10.8.13
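Review bot: `appVersion: 10.8.13` looks stale next to the `jellyfin` dependency pinned at `version: 10.9.1`; if that upstream chart's version tracks the Jellyfin release, the `app.kubernetes.io/version` labels rendered from `{{ .Chart.AppVersion }}` in the jellyfin templates will report the wrong application version. Confirm which image the dependency ships and align `appVersion` with it. Quoting the value (`appVersion: "10.9.1"`) also keeps a YAML loader from ever retyping a version that happens to look numeric.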


@@ -0,0 +1,40 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: jellyfin-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: jellyfin-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: jellyfin-youtube-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: jellyfin-youtube-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadOnlyMany
resources:
requests:
storage: 1Gi


@@ -0,0 +1,52 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: jellyfin-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: {{ .Values.storage.storage.nfs.path }}
server: {{ .Values.storage.storage.nfs.server }}
mountOptions:
- vers=4
- minorversion=1
- noac
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: jellyfin-youtube-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadOnlyMany
nfs:
path: {{ .Values.storage.youtube.nfs.path }}
server: {{ .Values.storage.youtube.nfs.server }}
mountOptions:
- vers=4
- minorversion=1
- noac
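Review bot: `PersistentVolume` is cluster-scoped, so the `namespace: {{ .Release.Namespace }}` under `metadata` on both volumes is ignored by the API server and only misleads readers (some GitOps tooling also warns about namespaced fields on cluster-scoped objects); drop the line on both documents. The same field appears on every PersistentVolume in the kyoo PV section of this commit. The `mountOptions` spell NFSv4.1 as `vers=4` plus `minorversion=1`, and `noac` disables attribute caching at a performance cost; a comment such as `# NFSv4.1; noac presumably so changes made by other NFS clients are seen promptly — confirm` would record the reason for the next maintainer.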


@@ -0,0 +1,55 @@
jellyfin:
env:
TZ: US/Central
ingress:
main:
enabled: true
ingressClassName: traefik
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
hosts:
- host: jellyfin.alexlebens.net
paths:
- path: /
pathType: Prefix
tls:
- secretName: jellyfin-secret-tls
hosts:
- jellyfin.alexlebens.net
persistence:
config:
enabled: true
mountPath: /config
accessMode: ReadWriteOnce
size: 40Gi
cache:
enabled: true
mountPath: /cache
accessMode: ReadWriteOnce
size: 40Gi
media:
enabled: true
mountPath: /mnt/store
type: pvc
existingClaim: jellyfin-nfs-storage
youtube:
enabled: true
mountPath: /youtube
type: pvc
existingClaim: jellyfin-youtube-nfs-storage
resources:
requests:
gpu.intel.com/i915: 1
limits:
gpu.intel.com/i915: 1
storage:
storage:
nfs:
path: /volume2/Storage
server: synologybond.alexlebens.net
youtube:
nfs:
path: /volume2/Storage/YouTube
server: synologybond.alexlebens.net
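Review bot: The `media` volume is mounted read-write at `/mnt/store` on a `ReadWriteMany` claim, while the `youtube` library is already read-only through its `ReadOnlyMany` claim. If Jellyfin only scans and streams the main library, marking the `media` entry read-only (if the chart exposes a `readOnly` option) and switching its claim and PersistentVolume to `ReadOnlyMany` keeps a compromised or misbehaving Jellyfin process from altering or deleting the shared media tree; if write access is needed for metadata sidecars, a comment on the `media:` entry saying so would settle the question. `TZ: US/Central` is a legacy alias; `America/Chicago` is the canonical zone name.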


@@ -0,0 +1,32 @@
apiVersion: v2
name: kyoo
version: 1.0.0
description: A Helm chart for deploying Kyoo
keywords:
- kyoo
- media
sources:
- https://github.com/zoriya/Kyoo
- https://github.com/rabbitmq/rabbitmq-server
- https://github.com/bitnami/charts/tree/main/bitnami/rabbitmq
- https://github.com/meilisearch/meilisearch
- https://github.com/meilisearch/meilisearch-kubernetes/tree/main/charts/meilisearch
- https://github.com/alexlebens/helm-charts/charts/postgres-cluster
maintainers:
- name: alexlebens
dependencies:
- name: app-template
repository: https://bjw-s.github.io/helm-charts/
version: 3.1.0
- name: rabbitmq
version: 14.1.4
repository: https://charts.bitnami.com/bitnami
- name: meilisearch
version: 0.7.0
repository: https://meilisearch.github.io/meilisearch-kubernetes
- name: postgres-cluster
alias: postgres-16-cluster
version: 3.0.0
repository: http://alexlebens.github.io/helm-charts
icon: https://raw.githubusercontent.com/zoriya/Kyoo/master/icons/icon-256x256.png
appVersion: v4.5.0
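Review bot: The source link `https://github.com/alexlebens/helm-charts/charts/postgres-cluster` is missing the `tree/main/` segment that the equivalent URL in the homepage-front chart carries, so it will not resolve on GitHub; change it to `https://github.com/alexlebens/helm-charts/tree/main/charts/postgres-cluster`. The `app-template` dependency lists `repository` before `version` while the other three list `version` first; minor, but keeping the key order consistent makes the dependency block easier to scan.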


@@ -0,0 +1,183 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: kyoo-key-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-key-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: key
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /kyoo/authentication
metadataPolicy: None
property: key
- secretKey: kyoo
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /kyoo/authentication
metadataPolicy: None
property: kyoo
- secretKey: tmdb
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /kyoo/authentication
metadataPolicy: None
property: tmdb
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: kyoo-api-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-api-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: kyoo
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /kyoo/api
metadataPolicy: None
property: kyoo
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: kyoo-oidc-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-oidc-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: auth
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: client
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/kyoo
metadataPolicy: None
property: client
- secretKey: secret
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/kyoo
metadataPolicy: None
property: secret
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: kyoo-rabbitmq-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-rabbitmq-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: rabbitmq
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: password
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /kyoo/rabbitmq
metadataPolicy: None
property: password
- secretKey: erlang
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /kyoo/rabbitmq
metadataPolicy: None
property: erlang
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: kyoo-meilisearch-master-key-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-meilisearch-master-key-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: meilisearch
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: MEILI_MASTER_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /kyoo/meilisearch
metadataPolicy: None
property: MEILI_MASTER_KEY
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: kyoo-postgresql-16-cluster-backup-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-postgresql-16-cluster-backup-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: database
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /aws/keys/cl01tl-kyoo-postgresql
metadataPolicy: None
property: access_key
- secretKey: ACCESS_SECRET_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /aws/keys/cl01tl-kyoo-postgresql
metadataPolicy: None
property: secret_key
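Review bot: `kyoo-key-secret` exposes a `kyoo` key from `/kyoo/authentication` and `kyoo-api-secret` exposes a `kyoo` key from `/kyoo/api`, and nothing states which consumer reads which; the values section of this commit wires `KYOO_APIKEYS` to `kyoo-key-secret`, and no consumer of `kyoo-api-secret` is visible in this chunk. A one-line comment on each `data:` entry, e.g. `# KYOO_APIKEYS for the back container` and `# consumer: <fill in> — confirm`, would stop the two from being rotated or deleted against the wrong dependant. The backup secret's `ACCESS_KEY_ID`/`ACCESS_SECRET_KEY` are cloud credentials presumably consumed by the `postgres-cluster` dependency; check that the Vault key `/aws/keys/cl01tl-kyoo-postgresql` maps to an identity scoped to the backup bucket only, since the keys are handed to the database workload.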


@@ -0,0 +1,32 @@
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: kyoo
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
entryPoints:
- websecure
routes:
- kind: Rule
match: Host(`kyoo.alexlebens.net`)
priority: 10
services:
- kind: Service
name: kyoo-front
port: 8901
- kind: Rule
match: Host(`kyoo.alexlebens.net`) && PathPrefix(`/api/`)
middlewares:
- name: kyoo-strip-prefix
namespace: {{ .Release.Namespace }}
priority: 15
services:
- kind: Service
name: kyoo-back
port: 5000
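Review bot: Neither route attaches an authentication middleware, so `kyoo.alexlebens.net` and its `/api/` prefix are reachable anonymously at the edge, and combined with `UNLOGGED_PERMISSIONS: overall.read` in the values section of this commit unauthenticated visitors can browse library metadata. Kyoo performs its own OIDC login (the `kyoo-oidc-secret` in this commit), so this may be deliberate, but the homepage chart in the same commit fronts its service with `authentik-outpost-proxy`; if anonymous read is not intended, attach the same forward-auth middleware here or clear `UNLOGGED_PERMISSIONS` (if Kyoo accepts an empty list), and either way add a comment on `routes:` recording the decision. The explicit `priority` on both rules is good, since the `/api/` rule must win over the bare host match.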


@@ -0,0 +1,15 @@
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: kyoo-strip-prefix
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-strip-prefix
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: auth
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
stripPrefix:
prefixes:
- /api/
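Review bot: The `app.kubernetes.io/component: auth` label on this `stripPrefix` middleware is misleading: it rewrites paths and performs no authentication, and the IngressRoute that references it is labelled `web`. Use `app.kubernetes.io/component: web` (or `routing`) so label selectors for auth components do not pick up this object.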


@@ -0,0 +1,229 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: kyoo-anime-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-anime-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: kyoo-anime-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: kyoo-anime-movies-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-anime-movies-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: kyoo-anime-movies-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: kyoo-documentaries-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-documentaries-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: kyoo-documentaries-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: kyoo-documentary-shows-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-documentary-shows-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: kyoo-documentary-shows-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: kyoo-movies-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-movies-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: kyoo-movies-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: kyoo-movies-4k-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-movies-4k-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: kyoo-movies-4k-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: kyoo-movies-classics-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-movies-classics-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: kyoo-movies-classics-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: kyoo-movies-foreign-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-movies-foreign-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: kyoo-movies-foreign-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: kyoo-stand-up-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-stand-up-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: kyoo-stand-up-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: kyoo-tv-shows-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-tv-shows-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: kyoo-tv-shows-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: kyoo-tv-shows-4k-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-tv-shows-4k-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: kyoo-tv-shows-4k-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
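Review bot: All eleven media claims request `ReadWriteMany`, which grants the consumer write access to every library export; the mounts are outside this chunk, but if Kyoo only scans and streams these paths, `ReadOnlyMany` on the claims and their PersistentVolumes (as the jellyfin youtube claim in this commit does) limits what a compromised container can do to the shared library. The documents differ only in name, so a `{{ range }}` over a values list would replace roughly two hundred lines and keep the per-library settings in one place.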


@@ -0,0 +1,295 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: kyoo-anime-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-anime-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: /volume2/Storage/Anime
server: synologybond.alexlebens.net
mountOptions:
- vers=4
- minorversion=1
- noac
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: kyoo-anime-movies-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-anime-movies-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: "/volume2/Storage/Anime Movies"
server: synologybond.alexlebens.net
mountOptions:
- vers=4
- minorversion=1
- noac
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: kyoo-documentaries-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-documentaries-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: /volume2/Storage/Documentaries
server: synologybond.alexlebens.net
mountOptions:
- vers=4
- minorversion=1
- noac
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: kyoo-documentary-shows-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-documentary-shows-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: "/volume2/Storage/Documentary Shows"
server: synologybond.alexlebens.net
mountOptions:
- vers=4
- minorversion=1
- noac
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: kyoo-movies-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-movies-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: /volume2/Storage/Movies
server: synologybond.alexlebens.net
mountOptions:
- vers=4
- minorversion=1
- noac
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: kyoo-movies-4k-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-movies-4k-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: "/volume2/Storage/Movies 4K"
server: synologybond.alexlebens.net
mountOptions:
- vers=4
- minorversion=1
- noac
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: kyoo-movies-classics-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-movies-classics-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: "/volume2/Storage/Movies Classics"
server: synologybond.alexlebens.net
mountOptions:
- vers=4
- minorversion=1
- noac
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: kyoo-movies-foreign-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-movies-foreign-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: "/volume2/Storage/Movies Foreign"
server: synologybond.alexlebens.net
mountOptions:
- vers=4
- minorversion=1
- noac
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: kyoo-stand-up-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-stand-up-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: "/volume2/Storage/Stand Up"
server: synologybond.alexlebens.net
mountOptions:
- vers=4
- minorversion=1
- noac
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: kyoo-tv-shows-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-tv-shows-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: "/volume2/Storage/TV Shows"
server: synologybond.alexlebens.net
mountOptions:
- vers=4
- minorversion=1
- noac
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: kyoo-tv-shows-4k-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-tv-shows-4k-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: "/volume2/Storage/TV Shows 4K"
server: synologybond.alexlebens.net
mountOptions:
- vers=4
- minorversion=1
- noac
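Review bot: `server: synologybond.alexlebens.net` and the `/volume2/Storage/...` paths are hard-coded in all eleven PersistentVolumes, while the jellyfin PV in this same commit reads them from `.Values.storage.*.nfs.path` and `.server`; a server rename has to touch eleven documents here, and the paths cannot be overridden per environment. Move them to values and template them the way the jellyfin PV does, and a `{{ range }}` over a library list would also collapse the repeated documents into one.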


@@ -0,0 +1,590 @@
app-template:
controllers:
autosync:
type: deployment
replicas: 1
strategy: Recreate
revisionHistoryLimit: 3
containers:
main:
image:
repository: ghcr.io/zoriya/kyoo_autosync
tag: "4.5.0"
pullPolicy: IfNotPresent
env:
- name: RABBITMQ_HOST
value: kyoo-rabbitmq
- name: RABBITMQ_DEFAULT_USER
value: kyoo
- name: RABBITMQ_DEFAULT_PASS
valueFrom:
secretKeyRef:
name: kyoo-rabbitmq-secret
key: password
resources:
limits:
cpu: 100m
memory: 512Mi
requests:
cpu: 10m
memory: 128Mi
back:
type: deployment
replicas: 1
strategy: Recreate
revisionHistoryLimit: 3
initContainers:
migrations:
image:
repository: ghcr.io/zoriya/kyoo_migrations
tag: "4.5.0"
pullPolicy: IfNotPresent
env:
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
name: kyoo-postgresql-16-cluster-app
key: username
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: kyoo-postgresql-16-cluster-app
key: password
- name: POSTGRES_DB
valueFrom:
secretKeyRef:
name: kyoo-postgresql-16-cluster-app
key: dbname
- name: POSTGRES_SERVER
valueFrom:
secretKeyRef:
name: kyoo-postgresql-16-cluster-app
key: host
- name: POSTGRES_PORT
valueFrom:
secretKeyRef:
name: kyoo-postgresql-16-cluster-app
key: port
resources:
limits:
cpu: 500m
memory: 512Mi
requests:
cpu: 10m
memory: 256Mi
containers:
main:
image:
repository: ghcr.io/zoriya/kyoo_back
tag: "4.5.0"
pullPolicy: IfNotPresent
env:
- name: REQUIRE_ACCOUNT_VERIFICATION
value: "false"
- name: UNLOGGED_PERMISSIONS
value: overall.read
- name: DEFAULT_PERMISSIONS
value: overall.read,overall.play
- name: AUTHENTICATION_SECRET
valueFrom:
secretKeyRef:
name: kyoo-key-secret
key: key
- name: KYOO_APIKEYS
valueFrom:
secretKeyRef:
name: kyoo-key-secret
key: kyoo
- name: THEMOVIEDB_APIKEY
valueFrom:
secretKeyRef:
name: kyoo-key-secret
key: tmdb
- name: PUBLIC_URL
value: https://kyoo.alexlebens.net
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
name: kyoo-postgresql-16-cluster-app
key: username
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: kyoo-postgresql-16-cluster-app
key: password
- name: POSTGRES_DB
valueFrom:
secretKeyRef:
name: kyoo-postgresql-16-cluster-app
key: dbname
- name: POSTGRES_SERVER
valueFrom:
secretKeyRef:
name: kyoo-postgresql-16-cluster-app
key: host
- name: POSTGRES_PORT
valueFrom:
secretKeyRef:
name: kyoo-postgresql-16-cluster-app
key: port
- name: OIDC_SERVICE_NAME
value: Authentik
- name: OIDC_SERVICE_LOGO
value: https://avatars.githubusercontent.com/u/82976448?s=200&v=4
- name: OIDC_SERVICE_AUTHORIZATION
value: https://authentik.alexlebens.net/application/o/authorize/
- name: OIDC_SERVICE_TOKEN
value: https://authentik.alexlebens.net/application/o/token/
- name: OIDC_SERVICE_PROFILE
value: https://authentik.alexlebens.net/application/o/userinfo/
- name: OIDC_SERVICE_SCOPE
value: "openid profile email"
- name: OIDC_SERVICE_CLIENTID
valueFrom:
secretKeyRef:
name: kyoo-oidc-secret
key: client
- name: OIDC_SERVICE_SECRET
valueFrom:
secretKeyRef:
name: kyoo-oidc-secret
key: secret
- name: TRANSCODER_URL
value: http://kyoo-transcoder.kyoo:7666
- name: MEILI_HOST
value: http://kyoo-meilisearch.kyoo:7700
- name: MEILI_MASTER_KEY
valueFrom:
secretKeyRef:
name: kyoo-meilisearch-master-key-secret
key: MEILI_MASTER_KEY
- name: RABBITMQ_HOST
value: kyoo-rabbitmq
- name: RABBITMQ_DEFAULT_USER
value: kyoo
- name: RABBITMQ_DEFAULT_PASS
valueFrom:
secretKeyRef:
name: kyoo-rabbitmq-secret
key: password
resources:
limits:
cpu: 5000m
memory: 5Gi
requests:
cpu: 100m
memory: 256Mi
front:
type: deployment
replicas: 1
strategy: Recreate
revisionHistoryLimit: 3
containers:
main:
image:
repository: ghcr.io/zoriya/kyoo_front
tag: "4.5.0"
pullPolicy: IfNotPresent
env:
- name: KYOO_URL
value: http://kyoo-back.kyoo:5000
- name: KYOO_APIKEYS
valueFrom:
secretKeyRef:
name: kyoo-key-secret
key: kyoo
resources:
limits:
cpu: 500m
memory: 512Mi
requests:
cpu: 100m
memory: 256Mi
matcher:
type: deployment
replicas: 1
strategy: Recreate
revisionHistoryLimit: 3
containers:
main:
image:
repository: ghcr.io/zoriya/kyoo_scanner
tag: "4.5.0"
pullPolicy: IfNotPresent
args:
- matcher
env:
- name: KYOO_URL
value: http://kyoo-back.kyoo:5000
- name: KYOO_APIKEYS
valueFrom:
secretKeyRef:
name: kyoo-key-secret
key: kyoo
- name: THEMOVIEDB_APIKEY
valueFrom:
secretKeyRef:
name: kyoo-key-secret
key: tmdb
- name: LIBRARY_LANGUAGES
value: en
- name: LIBRARY_IGNORE_PATTERN
value: .*/[dD]ownloads?/.*
- name: RABBITMQ_HOST
value: kyoo-rabbitmq
- name: RABBITMQ_DEFAULT_USER
value: kyoo
- name: RABBITMQ_DEFAULT_PASS
valueFrom:
secretKeyRef:
name: kyoo-rabbitmq-secret
key: password
resources:
limits:
cpu: 5000m
memory: 2Gi
requests:
cpu: 100m
memory: 256Mi
scanner:
type: deployment
replicas: 1
strategy: Recreate
revisionHistoryLimit: 3
containers:
main:
image:
repository: ghcr.io/zoriya/kyoo_scanner
tag: "4.5.0"
pullPolicy: IfNotPresent
env:
- name: KYOO_URL
value: http://kyoo-back.kyoo:5000
- name: KYOO_APIKEYS
valueFrom:
secretKeyRef:
name: kyoo-key-secret
key: kyoo
- name: THEMOVIEDB_APIKEY
valueFrom:
secretKeyRef:
name: kyoo-key-secret
key: tmdb
- name: LIBRARY_LANGUAGES
value: en
- name: LIBRARY_IGNORE_PATTERN
value: .*/[dD]ownloads?/.*
- name: RABBITMQ_HOST
value: kyoo-rabbitmq
- name: RABBITMQ_DEFAULT_USER
value: kyoo
- name: RABBITMQ_DEFAULT_PASS
valueFrom:
secretKeyRef:
name: kyoo-rabbitmq-secret
key: password
resources:
limits:
cpu: 5000m
memory: 2Gi
requests:
cpu: 100m
memory: 256Mi
transcoder:
type: deployment
replicas: 1
strategy: Recreate
revisionHistoryLimit: 3
containers:
main:
image:
repository: ghcr.io/zoriya/kyoo_transcoder
tag: "4.5.0"
pullPolicy: IfNotPresent
env:
- name: GOCODER_HWACCEL
value: qsv
- name: GOCODER_QSV_RENDERER
value: /dev/dri/renderD128
- name: GOCODER_PRESET
value: fast
- name: GOCODER_METADATA_ROOT
value: /metadata
- name: GOCODER_CACHE_ROOT
value: /cache
resources:
limits:
cpu: 5000m
memory: 4Gi
gpu.intel.com/i915: 1
requests:
cpu: 100m
memory: 512Mi
gpu.intel.com/i915: 1
serviceAccount:
create: true
service:
back:
controller: back
ports:
http:
port: 5000
targetPort: 5000
protocol: HTTP
front:
controller: front
ports:
http:
port: 8901
targetPort: 8901
protocol: HTTP
transcoder:
controller: transcoder
ports:
http:
port: 7666
targetPort: 7666
protocol: HTTP
persistence:
back:
storageClass: ceph-block
accessMode: ReadWriteOnce
size: 50Gi
retain: true
advancedMounts:
back:
main:
- path: /metadata
readOnly: false
metadata:
storageClass: ceph-block
accessMode: ReadWriteOnce
size: 10Gi
retain: true
advancedMounts:
transcoder:
main:
- path: /metadata
readOnly: false
cache:
type: emptyDir
advancedMounts:
transcoder:
main:
- path: /cache
readOnly: false
anime:
existingClaim: kyoo-anime-nfs-storage
advancedMounts:
scanner:
main:
- path: "/video/Anime"
readOnly: true
matcher:
main:
- path: "/video/Anime"
readOnly: true
transcoder:
main:
- path: "/video/Anime"
readOnly: true
anime-movies:
existingClaim: kyoo-anime-movies-nfs-storage
advancedMounts:
scanner:
main:
- path: "/video/Anime Movies"
readOnly: true
matcher:
main:
- path: "/video/Anime Movies"
readOnly: true
transcoder:
main:
- path: "/video/Anime Movies"
readOnly: true
documentaries:
existingClaim: kyoo-documentaries-nfs-storage
advancedMounts:
scanner:
main:
- path: /video/Documentaries
readOnly: true
matcher:
main:
- path: /video/Documentaries
readOnly: true
transcoder:
main:
- path: /video/Documentaries
readOnly: true
documentary-shows:
existingClaim: kyoo-documentary-shows-nfs-storage
advancedMounts:
scanner:
main:
- path: "/video/Documentary Shows"
readOnly: true
matcher:
main:
- path: "/video/Documentary Shows"
readOnly: true
transcoder:
main:
- path: "/video/Documentary Shows"
readOnly: true
movies:
existingClaim: kyoo-movies-nfs-storage
advancedMounts:
scanner:
main:
- path: "/video/Movies"
readOnly: true
matcher:
main:
- path: "/video/Movies"
readOnly: true
transcoder:
main:
- path: "/video/Movies"
readOnly: true
movies-4k:
existingClaim: kyoo-movies-4k-nfs-storage
advancedMounts:
scanner:
main:
- path: "/video/Movies 4K"
readOnly: true
matcher:
main:
- path: "/video/Movies 4K"
readOnly: true
transcoder:
main:
- path: "/video/Movies 4K"
readOnly: true
movies-classics:
existingClaim: kyoo-movies-classics-nfs-storage
advancedMounts:
scanner:
main:
- path: "/video/Movies Classics"
readOnly: true
matcher:
main:
- path: "/video/Movies Classics"
readOnly: true
transcoder:
main:
- path: "/video/Movies Classics"
readOnly: true
movies-foreign:
existingClaim: kyoo-movies-foreign-nfs-storage
advancedMounts:
scanner:
main:
- path: "/video/Movies Foreign"
readOnly: true
matcher:
main:
- path: "/video/Movies Foreign"
readOnly: true
transcoder:
main:
- path: "/video/Movies Foreign"
readOnly: true
stand-up:
existingClaim: kyoo-stand-up-nfs-storage
advancedMounts:
scanner:
main:
- path: "/video/Stand Up"
readOnly: true
matcher:
main:
- path: "/video/Stand Up"
readOnly: true
transcoder:
main:
- path: "/video/Stand Up"
readOnly: true
tv-shows:
existingClaim: kyoo-tv-shows-nfs-storage
advancedMounts:
scanner:
main:
- path: "/video/TV Shows"
readOnly: true
matcher:
main:
- path: "/video/TV Shows"
readOnly: true
transcoder:
main:
- path: "/video/TV Shows"
readOnly: true
tv-shows-4k:
existingClaim: kyoo-tv-shows-4k-nfs-storage
advancedMounts:
scanner:
main:
- path: "/video/TV Shows 4K"
readOnly: true
matcher:
main:
- path: "/video/TV Shows 4K"
readOnly: true
transcoder:
main:
- path: "/video/TV Shows 4K"
readOnly: true
rabbitmq:
auth:
username: kyoo
existingPasswordSecret: kyoo-rabbitmq-secret
existingSecretPasswordKey: password
existingErlangSecret: kyoo-rabbitmq-secret
existingSecretErlangKey: erlang
extraConfiguration: |-
default_vhost = /
default_permissions.configure = .*
default_permissions.read = .*
default_permissions.write = .*
meilisearch:
environment:
MEILI_NO_ANALYTICS: true
MEILI_ENV: production
auth:
existingMasterKeySecret: kyoo-meilisearch-master-key-secret
service:
type: ClusterIP
port: 7700
persistence:
enabled: true
storageClass: ceph-block
size: 10Gi
resources:
limits:
cpu: 200m
memory: 2Gi
requests:
cpu: 10m
memory: 128Mi
serviceMonitor:
enabled: true
postgres-16-cluster:
mode: standalone
cluster:
walStorage:
storageClass: local-path
storage:
storageClass: local-path
monitoring:
enabled: true
backup:
enabled: true
endpointURL: https://s3.us-east-2.amazonaws.com
destinationPath: s3://cl01tl-postgresql-backups/kyoo
endpointCredentials: kyoo-postgresql-16-cluster-backup-secret
backupIndex: 1
retentionPolicy: 14d
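Review bot: `MEILI_NO_ANALYTICS: true` under `meilisearch.environment` is a YAML boolean inside what is an environment-variable map, while every other env value in this file is written as a string (`value: "false"` for `REQUIRE_ACCOUNT_VERIFICATION`); container env values must be strings, so unless the meilisearch chart stringifies it, the rendered manifest is rejected or the flag is silently dropped. Quote it: `MEILI_NO_ANALYTICS: "true"`. The `scanner` and `matcher` controllers also carry byte-identical `env:` lists (from `KYOO_URL` through `RABBITMQ_DEFAULT_PASS`); an anchor on the first, `env: &scanner_env`, aliased from the second keeps the two from drifting apart, provided the values tooling in use expands anchors.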


@@ -0,0 +1,11 @@
apiVersion: v2
name: libation
version: 0.0.5
sources:
- https://github.com/rmcrackan/Libation
- https://github.com/alexlebens/helm-charts/charts/libation
dependencies:
- name: libation
version: 0.0.6
repository: http://alexlebens.github.io/helm-charts
appVersion: "11.1.0"
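Review bot: The dependency `repository: http://alexlebens.github.io/helm-charts` is fetched over plaintext HTTP, so the chart index and tarball can be substituted in transit before the `version: 0.0.6` pin is even resolved; GitHub Pages serves the same host over TLS, so `repository: https://alexlebens.github.io/helm-charts` closes that window at no cost. The same plaintext URL appears in the outline Chart.yaml (its `outline` and `postgres-cluster` dependencies) and the penpot Chart.yaml (`penpot` and `postgres-cluster`). Helm checks chart provenance only when `--verify` and a `.prov` file are used, so the transport is the only integrity control in place here.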


@@ -0,0 +1,19 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: libation-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: libation-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi


@@ -0,0 +1,25 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: libation-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: {{ .Values.storage.storage.nfs.path }}
server: {{ .Values.storage.storage.nfs.server }}
mountOptions:
- vers=4
- minorversion=1
- noac
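Review bot: `path: {{ .Values.storage.storage.nfs.path }}` and the `server:` line below it render the value as a plain scalar, so a share path containing `: `, ` #` or a leading YAML indicator breaks the manifest instead of being handed to NFS; `path: {{ .Values.storage.storage.nfs.path | quote }}` (and the same for `server`) makes the template safe for any share name. The navidrome and plex PersistentVolume templates use the identical unquoted pattern. `metadata.namespace: {{ .Release.Namespace }}` on a PersistentVolume is also misleading: PersistentVolume is cluster-scoped and the API server discards the field, so it suggests a scoping that does not exist and can simply be dropped.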


@@ -0,0 +1,14 @@
libation:
libation:
job:
schedule: "0 * * * *"
persistence:
config:
storageClassName: nfs-client
books:
claimName: libation-nfs-storage
storage:
storage:
nfs:
path: /volume2/Storage/Audiobooks/
server: synologybond.alexlebens.net


@@ -0,0 +1,11 @@
apiVersion: v2
name: navidrome
version: 0.0.2
sources:
- https://github.com/navidrome/navidrome
- https://github.com/0xEmma/helm-charts/tree/main/charts/navidrome
dependencies:
- name: navidrome
version: 0.0.6
repository: https://0xemma.github.io/helm-charts
appVersion: "0.51.1"


@@ -0,0 +1,19 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: navidrome-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: navidrome-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi


@@ -0,0 +1,25 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: navidrome-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: {{ .Values.storage.storage.nfs.path }}
server: {{ .Values.storage.storage.nfs.server }}
mountOptions:
- vers=4
- minorversion=1
- noac


@@ -0,0 +1,43 @@
navidrome:
image:
repository: deluan/navidrome
tag: "0.52.5"
ingress:
main:
enabled: true
ingressClassName: traefik
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
hosts:
- host: navidrome.alexlebens.net
paths:
- path: /
pathType: Prefix
tls:
- secretName: navidrome-secret-tls
hosts:
- navidrome.alexlebens.net
persistence:
config:
enabled: true
mountPath: /data
accessMode: ReadWriteOnce
size: 2Gi
music:
enabled: true
mountPath: /mnt/store
type: pvc
existingClaim: navidrome-nfs-storage
env:
ND_MUSICFOLDER: /mnt/store/Music
ND_SCANSCHEDULE: 1h
ND_LOGLEVEL: info
ND_SESSIONTIMEOUT: 24h
ND_BASEURL: "/"
storage:
storage:
nfs:
path: /volume2/Storage
server: synologybond.alexlebens.net
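Review bot: `tag: "0.52.5"` under `navidrome.image` disagrees with `appVersion: "0.51.1"` in this chart's Chart.yaml, and the `app.kubernetes.io/version: {{ .Chart.AppVersion }}` label on the PVC and PV templates is derived from the latter, so the storage objects will be labelled with a version that is not what runs. Either bump `appVersion` to `"0.52.5"` or drop the `tag` override so the dependency's default image is used. The plex chart has the same drift: Chart.yaml `appVersion: 1.40.0.7998-c29d4c0c8` against `tag: 1.40.2.8395-c67dce28e` in its values.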


@@ -0,0 +1,21 @@
apiVersion: v2
name: outline
version: 1.0.0
sources:
- https://github.com/outline/outline
- https://github.com/minio/operator
- https://github.com/alexlebens/helm-charts/charts/outline
- https://github.com/alexlebens/helm-charts/charts/postgres-cluster
dependencies:
- name: outline
version: 0.6.1
repository: http://alexlebens.github.io/helm-charts
- name: tenant
version: 5.0.15
alias: minio
repository: https://operator.min.io/
- name: postgres-cluster
alias: postgres-16-cluster
version: 3.0.0
repository: http://alexlebens.github.io/helm-charts
appVersion: v0.75.2


@@ -0,0 +1,176 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: outline-key-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: secret-key
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /outline/key
metadataPolicy: None
property: secret-key
- secretKey: utils-key
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /outline/key
metadataPolicy: None
property: utils-key
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: outline-oidc-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: client
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/outline
metadataPolicy: None
property: client
- secretKey: secret
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/outline
metadataPolicy: None
property: secret
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: outline-bucket-user-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: outline-bucket-user-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: database
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: AWS_ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /outline/minio/auth
metadataPolicy: None
property: AWS_ACCESS_KEY_ID
- secretKey: AWS_SECRET_ACCESS_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /outline/minio/auth
metadataPolicy: None
property: AWS_SECRET_ACCESS_KEY
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: outline-minio-root-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: outline-bucket-auth-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: database
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: config.env
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /outline/minio/root
metadataPolicy: None
property: config.env
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: outline-minio-config-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: outline-bucket-auth-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: database
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: config.env
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /outline/minio/config
metadataPolicy: None
property: config.env
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: outline-postgresql-16-cluster-backup-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: database
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /aws/keys/cl01tl-outline-postgresql
metadataPolicy: None
property: access_key
- secretKey: ACCESS_SECRET_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /aws/keys/cl01tl-outline-postgresql
metadataPolicy: None
property: secret_key
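Review bot: The ExternalSecrets `outline-minio-root-secret` and `outline-minio-config-secret` both carry `app.kubernetes.io/name: outline-bucket-auth-secret`, a value that matches neither resource name (every other ExternalSecret here labels itself with its own name or the release name), which reads as a copy-paste leftover and makes selectors on that label return the wrong objects. Set each to its own name, e.g. `app.kubernetes.io/name: outline-minio-root-secret`. The penpot chart has the same leftover on `penpot-minio-root-secret` (`app.kubernetes.io/name: penpot-bucket-auth-secret`). The three MinIO-related secrets here are also tagged `app.kubernetes.io/component: database` while penpot labels the equivalents `storage`; one value across charts keeps component-based queries meaningful.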


@@ -0,0 +1,123 @@
outline:
ingress:
enabled: true
className: traefik
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
host: outline.alexlebens.net
persistence:
type: s3
s3:
credentialsSecret: outline-bucket-user-secret
region: us-east-1
bucketName: outline
bucketUrl: https://minio-outline-api.alexlebens.net/outline
forcePathStyle: false
outline:
url: https://outline.alexlebens.net
secretKey:
existingSecretName: outline-key-secret
existingSecretKey: secret-key
utilsSecret:
existingSecretName: outline-key-secret
existingSecretKey: utils-key
database:
usernameSecret:
existingSecretName: outline-postgresql-16-cluster-app
existingSecretKey: username
passwordSecret:
existingSecretName: outline-postgresql-16-cluster-app
existingSecretKey: password
databaseName:
existingSecretName: outline-postgresql-16-cluster-app
existingSecretKey: dbname
databaseHost:
existingSecretName: outline-postgresql-16-cluster-app
existingSecretKey: host
databasePort:
existingSecretName: outline-postgresql-16-cluster-app
existingSecretKey: port
auth:
oidc:
enabled: true
clientId:
existingSecretName: outline-oidc-secret
existingSecretKey: client
clientSecret:
existingSecretName: outline-oidc-secret
existingSecretKey: secret
authUri: https://authentik.alexlebens.net/application/o/authorize/
tokenUri: https://authentik.alexlebens.net/application/o/token/
userinfoUri: https://authentik.alexlebens.net/application/o/userinfo/
usernameClaim: email
displayName: Authentik
scopes: openid profile email
minio:
existingSecret:
name: outline-minio-root-secret
tenant:
name: minio-outline
configuration:
name: outline-minio-config-secret
pools:
- servers: 3
name: pool
volumesPerServer: 2
size: 10Gi
storageClassName: ceph-block
mountPath: /export
subPath: /data
metrics:
enabled: true
port: 9000
protocol: http
certificate:
requestAutoCert: false
ingress:
api:
enabled: true
ingressClassName: traefik
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
tls:
- secretName: minio-outline-api-secret-tls
hosts:
- minio-outline-api.alexlebens.net
host: minio-outline-api.alexlebens.net
path: /
pathType: Prefix
console:
enabled: true
ingressClassName: traefik
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
tls:
- secretName: minio-outline-console-secret-tls
hosts:
- minio-outline.alexlebens.net
host: minio-outline.alexlebens.net
path: /
pathType: Prefix
postgres-16-cluster:
mode: standalone
kubernetesClusterName: cl01tl
cluster:
walStorage:
storageClass: local-path
storage:
storageClass: local-path
monitoring:
enabled: true
backup:
enabled: true
endpointURL: https://s3.us-east-2.amazonaws.com
destinationPath: s3://cl01tl-postgresql-backups/outline
endpointCredentials: outline-postgresql-16-cluster-backup-secret
backupIndex: 1
retentionPolicy: 14d
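Review bot: `forcePathStyle: false` next to `bucketUrl: https://minio-outline-api.alexlebens.net/outline` looks inconsistent: with path-style addressing disabled an S3 client normally addresses the bucket as a virtual-host subdomain (`outline.minio-outline-api.alexlebens.net`), which the single-host `minio.ingress.api` rule further down does not route, while the URL already carries the bucket name in its path. Unless the outline chart ignores this key, `forcePathStyle: true` is what a MinIO endpoint behind one hostname needs — confirm with a real upload after deploy. Separately, `scopes: openid profile email` is a plain scalar here but is quoted as `"openid profile email"` in the penpot values; quoting it is harmless and consistent.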


@@ -0,0 +1,25 @@
apiVersion: v2
name: penpot
version: 1.0.0
sources:
- https://github.com/penpot/penpot
- https://github.com/minio/operator
- https://github.com/bitnami/charts/tree/main/bitnami/redis
- https://github.com/alexlebens/helm-charts/charts/penpot
- https://github.com/alexlebens/helm-charts/charts/postgres-cluster
dependencies:
- name: penpot
version: 0.1.0
repository: http://alexlebens.github.io/helm-charts
- name: redis
version: 19.3.2
repository: https://charts.bitnami.com/bitnami
- name: tenant
version: 5.0.15
alias: minio
repository: https://operator.min.io/
- name: postgres-cluster
alias: postgres-16-cluster
version: 3.0.0
repository: http://alexlebens.github.io/helm-charts
appVersion: 2.0.0


@@ -0,0 +1,169 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: penpot-key-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: penpot-key-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: key
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /penpot/key
metadataPolicy: None
property: key
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: penpot-oidc-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: penpot-oidc-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: auth
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: client
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/penpot
metadataPolicy: None
property: client
- secretKey: secret
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/penpot
metadataPolicy: None
property: secret
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: penpot-bucket-user-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: penpot-bucket-user-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: AWS_ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /penpot/minio/auth
metadataPolicy: None
property: AWS_ACCESS_KEY_ID
- secretKey: AWS_SECRET_ACCESS_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /penpot/minio/auth
metadataPolicy: None
property: AWS_SECRET_ACCESS_KEY
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: penpot-minio-root-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: penpot-bucket-auth-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: config.env
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /penpot/minio/root
metadataPolicy: None
property: config.env
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: penpot-minio-config-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: penpot-minio-config-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: config.env
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /penpot/minio/config
metadataPolicy: None
property: config.env
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: penpot-postgresql-16-cluster-backup-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: penpot-postgresql-16-cluster-backup-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: database
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /aws/keys/cl01tl-penpot-postgresql
metadataPolicy: None
property: access_key
- secretKey: ACCESS_SECRET_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /aws/keys/cl01tl-penpot-postgresql
metadataPolicy: None
property: secret_key


@@ -0,0 +1,135 @@
penpot:
ingress:
enabled: true
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
hosts:
- host: penpot.alexlebens.net
tls:
- secretName: penpot-secret-tls
hosts:
- penpot.alexlebens.net
persistence:
enabled: true
storageClass: ceph-block
size: 8Gi
accessModes:
- ReadWriteOnce
config:
publicURI: https://penpot.alexlebens.net
flags: enable-registration enable-insecure-register enable-login enable-login-with-oidc disable-demo-users disable-demo-warning
apiSecretKey:
existingSecretName: penpot-key-secret
existingSecretKey: key
postgresql:
host: penpot-postgresql-16-cluster-rw.penpot.svc.cluster.local
port: 5432
database: app
existingSecret: penpot-postgresql-16-cluster-app
secretKeys:
usernameKey: username
passwordKey: password
redis:
host: penpot-redis-headless.penpot.svc.cluster.local
port: 6379
database: 0
assets:
storageBackend: assets-s3
s3:
region: us-east-1
bucket: penpot
endpointURI: https://minio-penpot-api.alexlebens.net/penpot
existingSecret: penpot-bucket-user-secret
secretKeys:
accessKeyIDKey: AWS_ACCESS_KEY_ID
secretAccessKey: AWS_SECRET_ACCESS_KEY
telemetryEnabled: false
providers:
oidc:
enabled: true
baseURI: https://authentik.alexlebens.net/application/o/
authURI: https://authentik.alexlebens.net/application/o/authorize/
tokenURI: https://authentik.alexlebens.net/application/o/token/
userURI: https://authentik.alexlebens.net/application/o/userinfo/
roles: ""
rolesAttribute: ""
scopes: "openid profile email"
nameAttribute: preferred_username
emailAttribute: email
existingSecret: penpot-oidc-secret
secretKeys:
oidcClientIDKey: client
oidcClientSecretKey: secret
redis:
architecture: standalone
auth:
enabled: false
minio:
existingSecret:
name: penpot-minio-root-secret
tenant:
name: minio-penpot
configuration:
name: penpot-minio-config-secret
pools:
- servers: 3
name: pool
volumesPerServer: 2
size: 10Gi
storageClassName: ceph-block
mountPath: /export
subPath: /data
metrics:
enabled: true
port: 9000
protocol: http
certificate:
requestAutoCert: false
ingress:
api:
enabled: true
ingressClassName: traefik
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
tls:
- secretName: minio-penpot-api-secret-tls
hosts:
- minio-penpot-api.alexlebens.net
host: minio-penpot-api.alexlebens.net
path: /
pathType: Prefix
console:
enabled: true
ingressClassName: traefik
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
tls:
- secretName: minio-penpot-console-secret-tls
hosts:
- minio-penpot.alexlebens.net
host: minio-penpot.alexlebens.net
path: /
pathType: Prefix
postgres-16-cluster:
mode: standalone
kubernetesClusterName: cl01tl
cluster:
walStorage:
storageClass: local-path
storage:
storageClass: local-path
monitoring:
enabled: true
backup:
enabled: true
endpointURL: https://s3.us-east-2.amazonaws.com
destinationPath: s3://cl01tl-postgresql-backups/penpot
endpointCredentials: penpot-postgresql-16-cluster-backup-secret
backupIndex: 1
retentionPolicy: 14d
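Review bot: `flags:` enables `enable-registration` together with `enable-insecure-register` on a host that is publicly routed through the Traefik ingress (`penpot.alexlebens.net`), which — reading the flag names — lets anyone create an account without e-mail verification even though OIDC via Authentik is configured as the login provider. If the intent is IdP-managed accounts only, drop `enable-insecure-register` (and `enable-registration` if self-service signup is not wanted); if open registration is deliberate, a comment above the line such as `# open, unverified self-registration is intentional` stops the next reader from "fixing" it. `redis.auth.enabled: false` also leaves the cache unauthenticated for any pod that can reach `penpot-redis-headless.penpot.svc.cluster.local`; acceptable in a single-tenant namespace with a NetworkPolicy, but worth stating in a comment either way.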


@@ -0,0 +1,11 @@
apiVersion: v2
name: plex
version: 0.0.1
sources:
- https://www.plex.tv/
- https://github.com/k8s-home-lab/helm-charts/tree/master/charts/stable/plex
dependencies:
- name: plex
version: 7.1.4
repository: https://k8s-home-lab.github.io/helm-charts/
appVersion: 1.40.0.7998-c29d4c0c8


@@ -0,0 +1,40 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: plex-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: plex-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: plex-config
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: {{ .Values.storage.config.storageSize }}
storageClassName: {{ .Values.storage.config.storageClassName }}
volumeMode: {{ .Values.storage.config.volumeMode }}


@@ -0,0 +1,25 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: plex-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: {{ .Values.storage.media.nfs.path }}
server: {{ .Values.storage.media.nfs.server }}
mountOptions:
- vers=4
- minorversion=1
- noac
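Review bot: `namespace: {{ .Release.Namespace }}` in the metadata of this PersistentVolume has no effect, because PersistentVolume is a cluster-scoped kind; the field only suggests a scoping that does not exist and should be dropped. The tubearchivist PersistentVolume later in this commit carries the same line. Separately, `noac` in `mountOptions` disables NFS attribute caching, which forces a server round-trip on every metadata lookup during a library scan; a short comment above `mountOptions:` stating why it is required here (stale-attribute problems, presumably) would keep the next maintainer from removing it or from copying it blindly.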


@@ -0,0 +1,78 @@
plex:
image:
repository: ghcr.io/onedr0p/plex
tag: 1.40.2.8395-c67dce28e
env:
ADVERTISE_IP: "https://plex.alexlebens.net:443/"
ALLOWED_NETWORKS: "10.0.0.0/8,192.168.1.0/24"
service:
main:
primary: true
type: LoadBalancer
annotations:
metallb.universe.tf/allow-shared-ip: "external"
externalIPs:
- 192.168.1.17
- 192.168.1.16
- 192.168.1.15
ports:
http:
port: 32400
ingress:
main:
enabled: true
ingressClassName: traefik
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
hosts:
- host: plex.alexlebens.net
paths:
- path: /
pathType: Prefix
tls:
- secretName: plex-secret-tls
hosts:
- plex.alexlebens.net
hostNetwork: false
persistence:
config:
enabled: true
existingClaim: plex-config
transcode:
enabled: true
type: emptyDir
media:
enabled: true
mountPath: /mnt/store
type: pvc
existingClaim: plex-nfs-storage
podSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
fsGroupChangePolicy: "OnRootMismatch"
supplementalGroups:
- 44
- 100
- 109
- 65539
resources:
requests:
gpu.intel.com/i915: 1
cpu: 100m
memory: 256Mi
limits:
gpu.intel.com/i915: 1
cpu: 4000m
memory: 4096Mi
storage:
config:
storageClassName: ceph-block
storageSize: 80Gi
volumeMode: Filesystem
media:
nfs:
path: /volume2/Storage
server: synologybond.alexlebens.net
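Review bot: `ALLOWED_NETWORKS: "10.0.0.0/8,192.168.1.0/24"` tells Plex to skip authentication for every source address in 10.0.0.0/8, and because the same server is also published through the traefik ingress at plex.alexlebens.net, a pod or service CIDR inside that range would make proxied external requests look like trusted local clients; narrow it to the real LAN range, e.g. `ALLOWED_NETWORKS: "192.168.1.0/24"`, after confirming the cluster's pod and service CIDRs do not overlap whatever is kept. Whether the onedr0p image honours this variable exactly as the official image does should be checked as well. Minor: the image tag `1.40.2.8395-c67dce28e` does not match `appVersion: 1.40.0.7998-c29d4c0c8` in the plex Chart.yaml earlier in this commit, so the `app.kubernetes.io/version` label will not report the version actually running; keep the two in step.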


@@ -0,0 +1,17 @@
apiVersion: v2
name: taiga
version: 1.0.0
sources:
- https://github.com/taigaio
- https://github.com/rabbitmq/rabbitmq-server
- https://github.com/alexlebens/helm-charts/charts/taiga
- https://github.com/alexlebens/helm-charts/charts/postgres-cluster
dependencies:
- name: taiga
version: 0.2.2
repository: http://alexlebens.github.io/helm-charts
- name: postgres-cluster
alias: postgres-16-cluster
version: 3.0.0
repository: http://alexlebens.github.io/helm-charts
appVersion: 6.7.7
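Review bot: `repository: http://alexlebens.github.io/helm-charts` resolves the chart index and downloads the package over plain HTTP, so the dependency is fetched over an unauthenticated channel even if the host later redirects; use `repository: https://alexlebens.github.io/helm-charts` on both entries. The same http:// repository is used in the tubearchivist, vikunja and argo-workflows Chart.yaml files in this commit. Committing the generated Chart.lock alongside would additionally pin the resolved dependency versions.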


@@ -0,0 +1,200 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: taiga-key-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: taiga-key-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: key
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /taiga/key
metadataPolicy: None
property: key
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: taiga-oidc-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: taiga-oidc-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: client
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/taiga
metadataPolicy: None
property: client
- secretKey: secret
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/taiga
metadataPolicy: None
property: secret
- secretKey: scopes
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/taiga
metadataPolicy: None
property: scopes
- secretKey: signatureAlgorithm
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/taiga
metadataPolicy: None
property: signatureAlgorithm
- secretKey: baseUrl
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/taiga
metadataPolicy: None
property: baseUrl
- secretKey: jwksEndpoint
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/taiga
metadataPolicy: None
property: jwksEndpoint
- secretKey: authorizationEndpoint
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/taiga
metadataPolicy: None
property: authorizationEndpoint
- secretKey: tokenEndpoint
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/taiga
metadataPolicy: None
property: tokenEndpoint
- secretKey: userEndpoint
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/taiga
metadataPolicy: None
property: userEndpoint
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: taiga-async-rabbitmq-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: taiga-async-rabbitmq-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: password
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /taiga/rabbitmq/async
metadataPolicy: None
property: password
- secretKey: erlang
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /taiga/rabbitmq/async
metadataPolicy: None
property: erlang
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: taiga-events-rabbitmq-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: taiga-events-rabbitmq-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: password
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /taiga/rabbitmq/events
metadataPolicy: None
property: password
- secretKey: erlang
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /taiga/rabbitmq/events
metadataPolicy: None
property: erlang
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: taiga-postgresql-16-cluster-backup-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: taiga-postgresql-16-cluster-backup-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: database
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /aws/keys/cl01tl-taiga-postgresql
metadataPolicy: None
property: access_key
- secretKey: ACCESS_SECRET_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /aws/keys/cl01tl-taiga-postgresql
metadataPolicy: None
property: secret_key


@@ -0,0 +1,152 @@
taiga:
serviceAccount:
create: true
secretKey:
existingSecretName: taiga-key-secret
existingSecretKey: key
createInitialUser: false
enableTelemetry: false
publicRegisterEnabled: false
postgresql:
existingSecretName: taiga-postgresql-16-cluster-app
usernameKey: username
passwordKey: password
databaseNameKey: dbname
hostKey: host
portKey: port
oidc:
enabled: true
existingSecretName: taiga-oidc-secret
scopesKey: scopes
signatureAlgorithmKey: signatureAlgorithm
clientIdKey: client
clientSecretKey: secret
baseUrlKey: baseUrl
jwksEndpointKey: jwksEndpoint
authorizationEndpointKey: authorizationEndpoint
tokenEndpointKey: tokenEndpoint
userEndpointKey: userEndpoint
back:
image:
repository: ghcr.io/alexlebens/taiga-back-docker-oidc
tag: latest
pullPolicy: Always
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 500m
memory: 1Gi
livenessProbe:
enabled: true
readinessProbe:
enabled: true
async:
image:
repository: ghcr.io/alexlebens/taiga-back-docker-oidc
tag: latest
pullPolicy: Always
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 500m
memory: 1Gi
livenessProbe:
enabled: true
readinessProbe:
enabled: true
async-rabbitmq:
auth:
username: taiga
existingPasswordSecret: taiga-async-rabbitmq-secret
existingSecretPasswordKey: password
existingErlangSecret: taiga-async-rabbitmq-secret
existingSecretErlangKey: erlang
events:
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 500m
memory: 1Gi
livenessProbe:
enabled: false
readinessProbe:
enabled: false
events-rabbitmq:
auth:
username: taiga
existingPasswordSecret: taiga-events-rabbitmq-secret
existingSecretPasswordKey: password
existingErlangSecret: taiga-events-rabbitmq-secret
existingSecretErlangKey: erlang
protected:
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 500m
memory: 1Gi
livenessProbe:
enabled: false
readinessProbe:
enabled: false
front:
image:
repository: ghcr.io/alexlebens/taiga-front-docker-oidc
tag: latest
pullPolicy: Always
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 500m
memory: 1Gi
livenessProbe:
enabled: true
readinessProbe:
enabled: true
ingress:
enabled: true
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
className: traefik
host: taiga.alexlebens.net
persistence:
static:
enabled: true
storageClass: nfs-client
accessMode: ReadWriteMany
size: 1Gi
media:
enabled: true
storageClass: nfs-client
accessMode: ReadWriteMany
size: 1Gi
postgres-16-cluster:
mode: standalone
kubernetesClusterName: cl01tl
cluster:
walStorage:
storageClass: local-path
storage:
storageClass: local-path
monitoring:
enabled: true
prometheusRule:
enabled: false
backup:
enabled: true
endpointURL: https://s3.us-east-2.amazonaws.com
destinationPath: s3://cl01tl-postgresql-backups/taiga
endpointCredentials: taiga-postgresql-16-cluster-backup-secret
backupIndex: 1
retentionPolicy: 14d
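Review bot: `tag: latest` combined with `pullPolicy: Always` on the back, async and front images means every pod restart may pull a different build of ghcr.io/alexlebens/taiga-back-docker-oidc and taiga-front-docker-oidc, so a rollback through Argo CD is not reproducible and the `app.kubernetes.io/version` label says nothing about what is running; pin a version tag, ideally with a digest (`tag: <version>@sha256:<digest>` as a placeholder), and let the usual bump tooling move it. `kubernetesClusterName: cl01tl` under `postgres-16-cluster` is set here and in the vikunja values but omitted in the argo-workflows values in this commit; worth confirming that omission is intentional rather than a copy gap.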


@@ -0,0 +1,13 @@
apiVersion: v2
name: tubearchivist
version: 0.0.7
sources:
- https://github.com/tubearchivist/tubearchivist
- https://github.com/alexlebens/helm-charts/charts/tubearchivist
- https://github.com/tubearchivist/tubearchivist-jf
- https://github.com/alexlebens/helm-charts/charts/tubearchivist-to-jellyfin
dependencies:
- name: tubearchivist
version: 0.2.7
repository: http://alexlebens.github.io/helm-charts
appVersion: v0.4.6


@@ -0,0 +1,83 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: tubearchivist-config-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ELASTIC_PASSWORD
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /tubearchivist/env
metadataPolicy: None
property: ELASTIC_PASSWORD
- secretKey: ES_URL
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /tubearchivist/env
metadataPolicy: None
property: ES_URL
- secretKey: REDIS_HOST
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /tubearchivist/env
metadataPolicy: None
property: REDIS_HOST
- secretKey: TA_HOST
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /tubearchivist/env
metadataPolicy: None
property: TA_HOST
- secretKey: TA_PASSWORD
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /tubearchivist/env
metadataPolicy: None
property: TA_PASSWORD
- secretKey: TA_USERNAME
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /tubearchivist/env
metadataPolicy: None
property: TA_USERNAME
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: tubearchivist-elasticsearch-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ELASTIC_PASSWORD
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /tubearchivist/env
metadataPolicy: None
property: ELASTIC_PASSWORD


@@ -0,0 +1,19 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: tubearchivist-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: tubearchivist-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi


@@ -0,0 +1,25 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: tubearchivist-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: {{ .Values.storage.youtube.nfsPath }}
server: {{ .Values.storage.youtube.nfsServer }}
mountOptions:
- vers=4
- minorversion=1
- noac


@@ -0,0 +1,46 @@
tubearchivist:
deployment:
env:
TZ: US/Central
envFrom:
- secretRef:
name: tubearchivist-config-secret
resources:
limits:
memory: 2Gi
cpu: 1000m
ingress:
enabled: true
className: traefik
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
host: tubearchivist.alexlebens.net
persistence:
cache:
enabled: true
storageClassName: ceph-block
storageSize: 80Gi
youtube:
claimName: tubearchivist-nfs-storage
elasticsearch:
global:
storageClass: ceph-block
extraEnvVarsSecret: tubearchivist-elasticsearch-secret
extraConfig:
path:
repo: /usr/share/elasticsearch/data/snapshot
extraVolumes:
- name: snapshot
nfs:
path: /volume2/Storage/TubeArchivist
server: synologybond.alexlebens.net
extraVolumeMounts:
- name: snapshot
mountPath: /usr/share/elasticsearch/data/snapshot
snapshotRepoPath: /usr/share/elasticsearch/data/snapshot
storage:
youtube:
nfsPath: /volume2/Storage/YouTube
nfsServer: synologybond.alexlebens.net
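Review bot: the elasticsearch snapshot volume hard-codes `path: /volume2/Storage/TubeArchivist` and `server: synologybond.alexlebens.net` under `extraVolumes`, while the same NFS server is parameterised under `storage.youtube.nfsServer` for the media PersistentVolume; keeping one source of truth (a `storage.snapshot` block mirroring `storage.youtube`, referenced from the template) makes a server rename a single change. The snapshot path `/usr/share/elasticsearch/data/snapshot` is repeated three times (`path.repo`, `mountPath`, `snapshotRepoPath`) with nothing tying them together; a one-line comment above `extraConfig:` noting that all three must agree would prevent drift.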


@@ -0,0 +1,20 @@
apiVersion: v2
name: vikunja
version: 1.0.0
sources:
- https://kolaente.dev/vikunja/vikunja
- https://kolaente.dev/vikunja/helm-chart
- https://github.com/bitnami/charts/tree/main/bitnami/redis
- https://github.com/alexlebens/helm-charts/charts/postgres-cluster
dependencies:
- name: vikunja
version: 0.4.3
repository: oci://kolaente.dev/vikunja
- name: redis
version: 19.3.2
repository: https://charts.bitnami.com/bitnami
- name: postgres-cluster
alias: postgres-16-cluster
version: 3.0.0
repository: http://alexlebens.github.io/helm-charts
appVersion: v0.22.1


@@ -0,0 +1,62 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: vikunja-config-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: config.yml
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /vikunja/config
metadataPolicy: None
property: config.yml
- secretKey: redis-password
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /vikunja/config
metadataPolicy: None
property: redis-password
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: vikunja-postgresql-16-cluster-backup-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: vikunja-postgresql-16-cluster-backup-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: database
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /aws/keys/cl01tl-vikunja-postgresql
metadataPolicy: None
property: access_key
- secretKey: ACCESS_SECRET_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /aws/keys/cl01tl-vikunja-postgresql
metadataPolicy: None
property: secret_key


@@ -0,0 +1,117 @@
vikunja:
api:
enabled: true
image:
repository: vikunja/api
tag: 0.22.1
persistence:
data:
enabled: true
size: 10Gi
mountPath: /app/vikunja/files
storageClass: ceph-block
config:
type: secret
name: vikunja-config-secret
configMaps:
config:
enabled: false
ingress:
main:
enabled: true
className: traefik
annotations:
cert-manager.io/cluster-issuer: letsencrypt-issuer
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
hosts:
- host: vikunja.alexlebens.net
paths:
- path: /api/v1/
tls:
- hosts:
- vikunja.alexlebens.net
secretName: vikunja-secret-tls
env:
VIKUNJA_SERVICE_FRONTENDURL: https://vikunja.alexlebens.net
VIKUNJA_SERVICE_ENABLEREGISTRATION: "true"
VIKUNJA_SERVICE_TIMEZONE: US/Central
VIKUNJA_REDIS_ENABLED: "true"
VIKUNJA_REDIS_HOST: vikunja-redis-headless:6379
VIKUNJA_REDIS_PASSWORD:
valueFrom:
secretKeyRef:
name: vikunja-config-secret
key: redis-password
VIKUNJA_DATABASE_USER:
valueFrom:
secretKeyRef:
name: vikunja-postgresql-16-cluster-app
key: user
VIKUNJA_DATABASE_DATABASE:
valueFrom:
secretKeyRef:
name: vikunja-postgresql-16-cluster-app
key: dbname
VIKUNJA_DATABASE_HOST:
valueFrom:
secretKeyRef:
name: vikunja-postgresql-16-cluster-app
key: host
VIKUNJA_DATABASE_PASSWORD:
valueFrom:
secretKeyRef:
name: vikunja-postgresql-16-cluster-app
key: password
frontend:
enabled: true
image:
repository: vikunja/frontend
tag: 0.22.1
env:
VIKUNJA_API_URL: https://vikunja.alexlebens.net/api/v1/
ingress:
main:
enabled: true
className: traefik
annotations:
cert-manager.io/cluster-issuer: letsencrypt-issuer
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
hosts:
- host: vikunja.alexlebens.net
paths:
- path: /
tls:
- hosts:
- vikunja.alexlebens.net
secretName: vikunja-secret-tls
postgresql:
enabled: false
redis:
enabled: false
typesense:
enabled: false
redis:
architecture: standalone
auth:
enabled: true
existingSecret: vikunja-config-secret
existingSecretPasswordKey: redis-password
postgres-16-cluster:
mode: standalone
kubernetesClusterName: cl01tl
cluster:
walStorage:
storageClass: local-path
storage:
storageClass: local-path
monitoring:
enabled: true
backup:
enabled: true
endpointURL: https://s3.us-east-2.amazonaws.com
destinationPath: s3://cl01tl-postgresql-backups/vikunja
endpointCredentials: vikunja-postgresql-16-cluster-backup-secret
backupIndex: 1
retentionPolicy: 14d
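Review bot: `VIKUNJA_SERVICE_ENABLEREGISTRATION: "true"` leaves self-service sign-up open on an ingress that is publicly resolvable and TLS-terminated by cert-manager, so anyone reaching vikunja.alexlebens.net can create an account; set `VIKUNJA_SERVICE_ENABLEREGISTRATION: "false"` unless open registration is intended — the taiga values in this commit set `publicRegisterEnabled: false` for the same reason. Minor: `key: user` is read from the CNPG `-app` secret here while the taiga and argo-workflows values read `username` from the equivalent secret; both keys exist in recent CNPG releases, but using one name throughout makes the secret contract easier to audit.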


@@ -0,0 +1,11 @@
apiVersion: v2
name: argo-rollouts
version: 1.0.0
sources:
- https://github.com/argoproj/argo-rollouts
- https://github.com/argoproj/argo-helm/tree/main/charts
dependencies:
- name: argo-rollouts
version: 2.35.2
repository: https://argoproj.github.io/argo-helm
appVersion: v1.6.6


@@ -0,0 +1,45 @@
argo-rollouts:
controller:
metrics:
enabled: true
serviceMonitor:
enabled: true
namespace: argocd
dashboard:
enabled: true
ingress:
enabled: true
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
ingressClassName: traefik
hosts:
- argo-rollouts.alexlebens.net
tls:
- secretName: argo-rollouts-secret-tls
hosts:
- argo-rollouts.alexlebens.net
notifications:
notifiers: {}
# service.slack: |
# token: $slack-token
# -- Notification templates
templates: {}
# template.my-purple-template: |
# message: |
# Rollout {{.rollout.metadata.name}} has purple image
# slack:
# attachments: |
# [{
# "title": "{{ .rollout.metadata.name}}",
# "color": "#800080"
# }]
# -- The trigger defines the condition when the notification should be sent
triggers: {}
# trigger.on-purple: |
# - send: [my-purple-template]
# when: rollout.spec.template.spec.containers[0].image == 'argoproj/rollouts-demo:purple'
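Review bot: the rollouts dashboard is published through a cert-manager TLS ingress at argo-rollouts.alexlebens.net with nothing authenticating requests in front of it, and as far as I know the dashboard ships without its own login, so the ingress alone makes promote/abort/retry actions reachable by anyone who can resolve the host. Put a forward-auth middleware in front of it, e.g. `traefik.ingress.kubernetes.io/router.middlewares: <namespace>-<forwardauth-middleware>@kubernetescrd` (placeholder names), or keep the ingress on an internal-only entrypoint. The argo-cd and argo-workflows values in this commit do front their UIs with SSO, so this section is the outlier.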


@@ -0,0 +1,20 @@
apiVersion: v2
name: argo-workflows
version: 1.0.0
sources:
- https://github.com/argoproj/argo-workflows
- https://github.com/argoproj/argo-events
- https://github.com/argoproj/argo-helm/tree/main/charts
- https://github.com/alexlebens/helm-charts/charts/postgres-cluster
dependencies:
- name: argo-workflows
version: 0.41.4
repository: https://argoproj.github.io/argo-helm
- name: argo-events
version: 2.4.4
repository: https://argoproj.github.io/argo-helm
- name: postgres-cluster
alias: postgres-16-cluster
version: 3.0.0
repository: http://alexlebens.github.io/helm-charts
appVersion: v3.5.6


@@ -0,0 +1,62 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: argo-workflows-oidc-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: argo-workflows-oidc-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: secret
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/argo-workflows
metadataPolicy: None
property: secret
- secretKey: client
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/argo-workflows
metadataPolicy: None
property: client
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: argo-workflows-postgresql-16-cluster-backup-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: argo-workflows-postgresql-16-cluster-backup-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: database
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /aws/keys/cl01tl-argo-workflows-postgresql
metadataPolicy: None
property: access_key
- secretKey: ACCESS_SECRET_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /aws/keys/cl01tl-argo-workflows-postgresql
metadataPolicy: None
property: secret_key


@@ -0,0 +1,121 @@
argo-workflows:
controller:
metricsConfig:
enabled: true
persistence:
connectionPool:
maxIdleConns: 100
maxOpenConns: 0
nodeStatusOffLoad: true
archive: true
postgresql:
host: argo-workflows-postgresql-16-cluster-rw
port: 5432
database: app
tableName: app
userNameSecret:
name: argo-workflows-postgresql-16-cluster-app
key: username
passwordSecret:
name: argo-workflows-postgresql-16-cluster-app
key: password
ssl: false
sslMode: disable
workflowWorkers: 2
workflowTTLWorkers: 1
podCleanupWorkers: 1
cronWorkflowWorkers: 1
telemetryConfig:
enabled: true
serviceMonitor:
enabled: true
name: workflow-controller
workflowNamespaces:
- argocd
server:
authModes:
- sso
ingress:
enabled: true
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
ingressClassName: traefik
hosts:
- argo-workflows.alexlebens.net
tls:
- secretName: argoworkflows-example-tls
hosts:
- argo-workflows.alexlebens.net
sso:
enabled: true
issuer: https://authentik.alexlebens.net/application/o/argo-workflows/
clientId:
name: argo-workflows-oidc-secret
key: client
clientSecret:
name: argo-workflows-oidc-secret
key: secret
redirectUrl: https://argo-workflows.alexlebens.net/oauth2/callback
rbac:
enabled: false
scopes:
- openid
- email
- profile
useStaticCredentials: true
artifactRepository:
archiveLogs: false
s3: {}
# accessKeySecret:
# name: "{{ .Release.Name }}-minio"
# key: accesskey
# secretKeySecret:
# name: "{{ .Release.Name }}-minio"
# key: secretkey
# insecure: true
# bucket:
# endpoint:
# region:
# encryptionOptions:
# enableEncryption: true
argo-events:
global:
image:
repository: quay.io/argoproj/argo-events
tag: v1.9.1
controller:
resources:
limits:
cpu: 500m
memory: 512Mi
requests:
cpu: 250m
memory: 256Mi
metrics:
enabled: true
serviceMonitor:
enabled: true
namespace: argocd
webhook:
enabled: true
postgres-16-cluster:
mode: standalone
cluster:
walStorage:
storageClass: local-path
storage:
storageClass: local-path
monitoring:
enabled: true
prometheusRule:
enabled: true
backup:
enabled: true
endpointURL: https://s3.us-east-2.amazonaws.com
destinationPath: s3://cl01tl-postgresql-backups/argo-workflows
endpointCredentials: argo-workflows-postgresql-16-cluster-backup-secret
backupIndex: 1
retentionPolicy: 14d
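Review bot: `ssl: false` / `sslMode: disable` turns off TLS on the controller's connection to argo-workflows-postgresql-16-cluster-rw, so the archive credentials and workflow data cross the cluster network in cleartext; CNPG clusters serve TLS by default, so `ssl: true` with `sslMode: require` (or `verify-full` with the cluster CA mounted) is the safer setting. `secretName: argoworkflows-example-tls` looks like a leftover from the upstream example values and breaks the `<app>-secret-tls` naming used everywhere else in this commit; rename it to `argo-workflows-secret-tls`. `postgres-16-cluster` here also omits the `kubernetesClusterName: cl01tl` that the taiga and vikunja sections set — confirm that is intentional.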


@@ -0,0 +1,12 @@
apiVersion: v2
name: argocd
version: 0.1.0
home: https://outline.alexlebens.net/doc/argo-cd-qLEdrgdwOD
sources:
- https://github.com/argoproj/argo-cd
- https://github.com/argoproj/argo-helm/tree/main/charts/argo-cd
dependencies:
- name: argo-cd
version: 6.9.3
repository: https://argoproj.github.io/argo-helm
appVersion: v2.10.8


@@ -0,0 +1,110 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: argocd-oidc-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: "{{ .Release.Name }}-server"
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: server
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: secret
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/argocd
metadataPolicy: None
property: secret
- secretKey: client
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/argocd
metadataPolicy: None
property: client
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: argocd-cluster-cl02do-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: "{{ .Release.Name }}-server"
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: server
app.kubernetes.io/part-of: {{ .Release.Name }}
argocd.argoproj.io/secret-type: cluster
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: name
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /argocd/credentials/cluster/cl02do
metadataPolicy: None
property: name
- secretKey: server
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /argocd/credentials/cluster/cl02do
metadataPolicy: None
property: server
- secretKey: config
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /argocd/credentials/cluster/cl02do
metadataPolicy: None
property: config
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: argocd-repo-alexlebens-dev-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: "{{ .Release.Name }}-server"
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: server
app.kubernetes.io/part-of: {{ .Release.Name }}
argocd.argoproj.io/secret-type: repository
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: type
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /argocd/credentials/repo/alexlebens-dev
metadataPolicy: None
property: type
- secretKey: url
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /argocd/credentials/repo/alexlebens-dev
metadataPolicy: None
property: url
- secretKey: sshPrivateKey
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /argocd/credentials/repo/alexlebens-dev
metadataPolicy: None
property: sshPrivateKey


@@ -0,0 +1,66 @@
argo-cd:
crds:
install: true
configs:
cm:
admin.enabled: true
url: https://argocd.alexlebens.net
statusbadge.enabled: true
dex.config: |
connectors:
- config:
issuer: https://authentik.alexlebens.net/application/o/argocd/
clientID: $argocd-oidc-secret:client
clientSecret: $argocd-oidc-secret:secret
insecureEnableGroups: true
scopes:
- openid
- profile
- email
- groups
name: authentik
type: oidc
id: authentik
rbac:
policy.csv: |
g, ArgoCD Admins, role:admin
params:
server.insecure: true
server:
replicas: 2
ingress:
enabled: true
controller: generic
ingressClassName: traefik
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
hostname: argocd.alexlebens.net
tls: true
metrics:
enabled: true
serviceMonitor:
enabled: true
dex:
enabled: true
redis-ha:
enabled: true
controller:
replicas: 1
metrics:
enabled: true
serviceMonitor:
enabled: true
repoServer:
replicas: 2
metrics:
enabled: true
serviceMonitor:
enabled: true
applicationSet:
replicas: 2
metrics:
enabled: true
serviceMonitor:
enabled: true
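Review bot: `admin.enabled: true` keeps the built-in local admin account active next to the Authentik connector, which leaves a password-only login path that bypasses the IdP's policies and MFA; once SSO is confirmed working, set `admin.enabled: false` as the Argo CD docs recommend and rely on `g, ArgoCD Admins, role:admin`. `policy.csv` sets no `policy.default`, so SSO users outside that group authenticate but receive no permissions; that is a reasonable choice, but a one-line comment above `rbac:` stating it is deliberate would save the next reader from treating it as an omission.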


@@ -0,0 +1,11 @@
apiVersion: v2
name: kargo
version: 1.0.0
sources:
- https://github.com/akuity/kargo
- https://github.com/akuity/kargo/blob/main/charts/kargo/Chart.yaml
dependencies:
- name: kargo
version: 0.6.0
repository: oci://ghcr.io/akuity/kargo-charts
appVersion: v0.5.1


@@ -0,0 +1,56 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: kargo-oidc-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kargo-oidc-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: CLIENT_SECRET
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/kargo
metadataPolicy: None
property: secret
- secretKey: CLIENT_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/kargo
metadataPolicy: None
property: client
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: kargo-cluster-cl02do-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kargo-cluster-cl02do-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
argocd.argoproj.io/secret-type: cluster
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: kubeconfig
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /argocd/credentials/cluster/cl02do
metadataPolicy: None
property: kubeconfig
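Review bot: `argocd.argoproj.io/secret-type: cluster` on kargo-cluster-cl02do-secret labels a secret whose only key is `kubeconfig`, but Argo CD's cluster-secret format — used by argocd-cluster-cl02do-secret earlier in this commit — is the `name`/`server`/`config` triple, so the label appears copied over and does not describe this secret; drop it, or replace it with whatever label the kargo chart actually expects for cluster credentials. `app.kubernetes.io/component: web` on a cluster-credential secret likewise matches the oidc secret above rather than this secret's purpose.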


@@ -0,0 +1,120 @@
kargo:
api:
host: kargo.alexlebens.net
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 100m
memory: 128Mi
tls:
enabled: false
ingress:
enabled: true
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
ingressClassName: traefik
tls:
enabled: true
selfSignedCert: false
adminAccount:
enabled: false
oidc:
enabled: true
admins:
groups: ["ArgoCD Admins"]
dex:
enabled: true
image:
repository: ghcr.io/dexidp/dex
tag: v2.39.1
env:
- name: CLIENT_ID
valueFrom:
secretKeyRef:
name: kargo-oidc-secret
key: CLIENT_ID
- name: CLIENT_SECRET
valueFrom:
secretKeyRef:
name: kargo-oidc-secret
key: CLIENT_SECRET
tls:
selfSignedCert: false
skipApprovalScreen: true
connectors:
- type: oidc
id: authentik
name: Authentik
config:
issuer: https://authentik.alexlebens.net/application/o/kargo/
clientID: "$CLIENT_ID"
clientSecret: "$CLIENT_SECRET"
redirectURI: https://kargo.alexlebens.net/dex/callback
insecureEnableGroups: true
scopes:
- openid
- profile
- email
- groups
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 100m
memory: 128Mi
argocd:
urls:
"": https://argocd.alexlebens.net
rollouts:
integrationEnabled: true
controller:
enabled: true
gitClient:
name: "Kargo cl01tl"
email: "alexanderlebens@gmail.com"
argocd:
integrationEnabled: true
rollouts:
integrationEnabled: true
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 100m
memory: 128Mi
managementController:
enabled: true
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 100m
memory: 128Mi
webhooks:
register: true
webhooksServer:
tls:
selfSignedCert: true
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 100m
memory: 128Mi
garbageCollector:
schedule: "0 * * * *"
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 100m
memory: 128Mi
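Review bot: `insecureEnableGroups: true` on the Dex connector deserves a comment, because the `admins.groups` gate above depends on it: Dex's oidc connector only forwards the `groups` claim when this is set, and without it no login would ever match `ArgoCD Admins`. Suggest `# required: Dex's oidc connector only passes the groups claim (consumed by admins.groups) with this enabled`. Likewise `api.tls.enabled: false` directly under an ingress with `tls.enabled: true` is a deliberate terminate-at-the-ingress choice, and a one-line comment saying so would stop a later reader from "fixing" it. The personal e-mail committed in `gitClient.email` is configuration rather than a secret, but consider whether it belongs in a per-environment override instead of the shared values file.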


@@ -0,0 +1,6 @@
apiVersion: v2
name: stack
version: 1.0.0
sources:
- https://github.com/alexlebens/alexlebens-net.git
appVersion: 1.0.0


@@ -0,0 +1,55 @@
{{- range $index, $stack := .Values.applicationSet }}
---
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
name: {{ $stack.name }}
namespace: {{ $.Release.Namespace }}
labels:
app.kubernetes.io/name: {{ $stack.name }}
app.kubernetes.io/instance: {{ $stack.name }}
app.kubernetes.io/version: {{ $.Chart.AppVersion }}
app.kubernetes.io/component: {{ $stack.name }}
app.kubernetes.io/part-of: {{ $.Release.Name }}
spec:
syncPolicy:
applicationsSync: create-only
preserveResourcesOnDeletion: true
generators:
- git:
repoURL: {{ $.Values.git.repo }}
revision: {{ $.Values.git.revision }}
directories:
- path: "{{ $.Values.git.path }}/{{ $stack.name }}/*"
template:
metadata:
name: '{{ `{{path.basename}}` }}'
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
destination:
name: in-cluster
namespace: '{{ $stack.namespace | default `{{path.basename}}` }}'
project: default
revisionHistoryLimit: 3
source:
repoURL: {{ $.Values.git.repo }}
targetRevision: {{ $.Values.git.revision }}
path: '{{ `{{path}}` }}'
ignoreDifferences:
{{- toYaml $stack.ignoreDifferences | nindent 8 }}
syncPolicy:
{{- if $stack.syncPolicy.automated.enabled }}
automated:
prune: {{ $stack.syncPolicy.automated.prune | default false }}
selfHeal: {{ $stack.syncPolicy.automated.selfHeal | default false }}
{{- end }}
retry:
limit: 3
backoff:
duration: 1m
factor: 2
maxDuration: 15m
syncOptions:
{{- toYaml $stack.syncPolicy.syncOptions | nindent 10 }}
{{- end }}
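Review bot: Every generated Application is placed in `project: default`, and the four standalone Applications in the next file do the same; the default AppProject permits any source repository, any destination namespace and any cluster-scoped resource, so it gives no isolation between stacks. A dedicated AppProject per `$stack.name` with `sourceRepos` pinned to `git.repo` and `destinations` restricted to the stack's namespaces would keep a mis-edited or compromised path from deploying into arbitrary namespaces. Templated scalars such as `repoURL: {{ $.Values.git.repo }}` and `revision: {{ $.Values.git.revision }}` are unquoted; `repoURL: "{{ $.Values.git.repo }}"` guards against an empty or indicator-leading value rendering as `null` or a flow collection. `{{- toYaml $stack.ignoreDifferences | nindent 8 }}` renders `null` for the stacks that set no `ignoreDifferences`, which Kubernetes accepts but reads oddly; wrapping it in `{{- with $stack.ignoreDifferences }}` keeps the rendered manifest clean.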


@@ -0,0 +1,82 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: cilium
namespace: {{ .Release.Namespace }}
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
source:
repoURL: {{ .Values.application.cilium.source.repo }}
targetRevision: {{ .Values.application.cilium.source.revision }}
path: "{{ .Values.git.path }}/{{ .Values.application.cilium.source.path }}"
destination:
name: in-cluster
namespace: {{ .Values.application.cilium.namespace }}
revisionHistoryLimit: 3
syncPolicy:
{{- toYaml .Values.application.cilium.syncPolicy | nindent 4 }}
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: metrics-server
namespace: {{ .Release.Namespace }}
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
source:
repoURL: {{ .Values.application.metricsServer.source.repo }}
targetRevision: {{ .Values.application.metricsServer.source.revision }}
path: "{{ .Values.git.path }}/{{ .Values.application.metricsServer.source.path }}"
destination:
name: in-cluster
namespace: {{ .Values.application.metricsServer.namespace }}
revisionHistoryLimit: 3
syncPolicy:
{{- toYaml .Values.application.metricsServer.syncPolicy | nindent 4 }}
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: kubelet-serving-cert-approver
namespace: {{ .Release.Namespace }}
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
source:
repoURL: {{ .Values.application.kubeletServingCertApprover.source.repo }}
targetRevision: {{ .Values.application.kubeletServingCertApprover.source.revision }}
path: "{{ .Values.git.path }}/{{ .Values.application.kubeletServingCertApprover.source.path }}"
destination:
name: in-cluster
namespace: {{ .Values.application.kubeletServingCertApprover.namespace }}
revisionHistoryLimit: 3
syncPolicy:
{{- toYaml .Values.application.kubeletServingCertApprover.syncPolicy | nindent 4 }}
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: prometheus-operator-crds
namespace: {{ .Release.Namespace }}
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
source:
repoURL: {{ .Values.application.prometheusOperatorCrds.source.repo }}
targetRevision: {{ .Values.application.prometheusOperatorCrds.source.revision }}
path: "{{ .Values.git.path }}/{{ .Values.application.prometheusOperatorCrds.source.path }}"
destination:
name: in-cluster
namespace: {{ .Values.application.prometheusOperatorCrds.namespace }}
revisionHistoryLimit: 3
syncPolicy:
{{- toYaml .Values.application.prometheusOperatorCrds.syncPolicy | nindent 4 }}
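Review bot: The four Application blocks differ only in the resource name and the `.Values.application.<key>` they read, so a `{{- range $key, $app := .Values.application }}` loop in the style of the ApplicationSet template would collapse them into one and make the next standalone component a values-only change. The name would then have to come from the values (for example a `name` field), since the map keys are camelCase (`metricsServer`) while the resource names are kebab-case. Separately, the `resources-finalizer.argocd.argoproj.io` finalizer on the `cilium` Application means deleting that Application cascades into removing the CNI; if that is not intended, omitting the finalizer for cilium is the safer default.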


@@ -0,0 +1,148 @@
git:
repo: git@github.com:alexlebens/alexlebens-net.git
revision: HEAD
path: clusters/cl01tl
applicationSet:
- name: applications
syncPolicy:
automated:
enabled: true
prune: true
selfheal: false
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
- ServerSideApply=false
- PruneLast=true
- name: deployment
namespace: argocd
syncPolicy:
automated:
enabled: true
prune: true
selfheal: false
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
- ServerSideApply=false
- PruneLast=true
- name: platform
syncPolicy:
automated:
enabled: true
prune: true
selfheal: false
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
- ServerSideApply=true
- PruneLast=true
- name: services
ignoreDifferences:
- group: ""
kind: Service
jqPathExpressions:
- .status.loadBalancer.ingress[].ipMode
syncPolicy:
automated:
enabled: true
prune: true
selfheal: false
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
- ServerSideApply=true
- PruneLast=true
- name: storage
syncPolicy:
automated:
enabled: true
prune: true
selfheal: false
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
- ServerSideApply=false
- PruneLast=true
application:
cilium:
namespace: kube-system
source:
repo: git@github.com:alexlebens/alexlebens-net.git
revision: HEAD
path: standalone/cilium
syncPolicy:
retry:
limit: 10
backoff:
duration: 1m
factor: 2
maxDuration: 16m
syncOptions:
- CreateNamespace=false
- ApplyOutOfSyncOnly=true
- ServerSideApply=true
- PruneLast=true
metricsServer:
namespace: kube-system
source:
repo: git@github.com:alexlebens/alexlebens-net.git
revision: HEAD
path: standalone/metrics-server
syncPolicy:
automated:
prune: true
selfHeal: true
retry:
limit: 10
backoff:
duration: 1m
factor: 2
maxDuration: 16m
syncOptions:
- CreateNamespace=false
- ApplyOutOfSyncOnly=false
- ServerSideApply=true
- PruneLast=true
kubeletServingCertApprover:
namespace: kubelet-serving-cert-approver
source:
repo: git@github.com:alexlebens/alexlebens-net.git
revision: HEAD
path: standalone/kubelet-serving-cert-approver
syncPolicy:
automated:
prune: true
selfHeal: true
retry:
limit: 10
backoff:
duration: 1m
factor: 2
maxDuration: 16m
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=false
- ServerSideApply=true
- PruneLast=true
prometheusOperatorCrds:
namespace: kube-system
source:
repo: git@github.com:alexlebens/alexlebens-net.git
revision: HEAD
path: standalone/prometheus-operator-crds
syncPolicy:
automated:
prune: true
selfHeal: true
retry:
limit: 10
backoff:
duration: 1m
factor: 2
maxDuration: 16m
syncOptions:
- CreateNamespace=false
- ApplyOutOfSyncOnly=false
- ServerSideApply=true
- PruneLast=true
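Review bot: Every `syncPolicy.automated.selfheal` entry in the `applicationSet` list (applications, deployment, platform, services, storage) uses a lowercase key, while the ApplicationSet template reads `$stack.syncPolicy.automated.selfHeal` and defaults it to `false`, so the value is silently ignored. It happens to be `false` everywhere today, so nothing changes now, but flipping it to `true` later would have no effect. Rename each to `selfHeal: false` to match the `application.*.syncPolicy.automated.selfHeal` keys further down in this file.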


@@ -0,0 +1,21 @@
apiVersion: v2
name: authentik
version: 1.0.0
sources:
- https://github.com/goauthentik/authentik
- https://github.com/goauthentik/helm
- https://github.com/bjw-s/helm-charts/tree/main/charts/other/app-template
- https://github.com/alexlebens/helm-charts/charts/postgres-cluster
dependencies:
- name: authentik
version: 2024.4.2
repository: https://charts.goauthentik.io/
- name: app-template
alias: cloudflared
repository: https://bjw-s.github.io/helm-charts/
version: 3.1.0
- name: postgres-cluster
alias: postgres-16-cluster
version: 3.0.0
repository: http://alexlebens.github.io/helm-charts
appVersion: "2024.4.2"
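Review bot: The `postgres-cluster` dependency is fetched from `http://alexlebens.github.io/helm-charts` over plain HTTP, while the other two repositories in this file use HTTPS; the gitea Chart.yaml later in this commit has the same `http://` entry. A chart pulled in cleartext can be replaced by anyone on the network path, and GitHub Pages serves the same URL over TLS, so `repository: https://alexlebens.github.io/helm-charts` costs nothing.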


@@ -0,0 +1,60 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: authentik-custom-css
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
data:
custom.css: |
/* Change sign button color */
.pf-c-button.pf-m-primary {
color: black;
background-color: white;
}
/* Remove background */
.pf-c-login__main {
background-color: rgba(3, 3, 3, 0.16);
}
/* Remove specific height */
.pf-c-brand {
height: auto;
}
/* Center text */
.pf-c-title {
text-align: center;
}
/* Match text field to login button */
.pf-c-form-control {
border-radius: 3px;
background-color: white;
color: black;
}
/* Force border color */
.pf-c-form-control {
border-color: white;
}
/* Use default cursor on this div */
.pf-c-form__label {
cursor: default;
}
/* Hide required asterik */
.pf-c-form__label-required {
display: none;
}
/* Change link color to white */
.a {
color: white;
}
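Review bot: The last rule, `.a { color: white; }`, selects elements with class `a`, not anchor elements, so it does not do what the comment "Change link color to white" says; it should be `a { color: white; }` (or a narrower selector such as `.pf-c-login a` to avoid restyling every link). The two `.pf-c-form-control` rules can be merged into one block, and `asterik` in the comment should read `asterisk`.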


@@ -0,0 +1,80 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: authentik-key-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: authentik-key-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: key
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/key
metadataPolicy: None
property: key
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: authentik-cloudflared-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: authentik-cloudflared-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: cf-tunnel-token
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cloudflare/tunnels/authentik
metadataPolicy: None
property: token
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: authentik-postgresql-16-cluster-backup-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: authentik-postgresql-16-cluster-backup-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: database
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /aws/keys/cl01tl-authentik-postgresql
metadataPolicy: None
property: access_key
- secretKey: ACCESS_SECRET_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /aws/keys/cl01tl-authentik-postgresql
metadataPolicy: None
property: secret_key


@@ -0,0 +1,118 @@
authentik:
global:
env:
- name: AUTHENTIK_SECRET_KEY
valueFrom:
secretKeyRef:
name: authentik-key-secret
key: key
- name: AUTHENTIK_POSTGRESQL__HOST
valueFrom:
secretKeyRef:
name: authentik-postgresql-16-cluster-app
key: host
- name: AUTHENTIK_POSTGRESQL__NAME
valueFrom:
secretKeyRef:
name: authentik-postgresql-16-cluster-app
key: dbname
- name: AUTHENTIK_POSTGRESQL__USER
valueFrom:
secretKeyRef:
name: authentik-postgresql-16-cluster-app
key: user
- name: AUTHENTIK_POSTGRESQL__PASSWORD
valueFrom:
secretKeyRef:
name: authentik-postgresql-16-cluster-app
key: password
server:
name: server
replicas: 1
volumes:
- name: custom-css
configMap:
name: authentik-custom-css
volumeMounts:
- name: custom-css
mountPath: /web/dist/custom.css
subPath: custom.css
metrics:
enabled: true
serviceMonitor:
enabled: true
ingress:
enabled: true
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
ingressClassName: traefik
hosts:
- auth.alexlebens.net
- authentik.alexlebens.net
tls:
- secretName: authentik-secret-tls
hosts:
- auth.alexlebens.net
- authentik.alexlebens.net
worker:
name: worker
replicas: 1
prometheus:
rules:
enabled: true
postgresql:
enabled: false
redis:
enabled: true
cloudflared:
global:
nameOverride: cloudflared
controllers:
main:
type: deployment
strategy: Recreate
containers:
main:
image:
repository: cloudflare/cloudflared
tag: "2024.5.0"
pullPolicy: IfNotPresent
args:
- tunnel
- --no-autoupdate
- run
- --token
- $(CF_MANAGED_TUNNEL_TOKEN)
env:
- name: CF_MANAGED_TUNNEL_TOKEN
valueFrom:
secretKeyRef:
name: authentik-cloudflared-secret
key: cf-tunnel-token
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 10m
memory: 64Mi
postgres-16-cluster:
mode: standalone
cluster:
walStorage:
storageClass: local-path
storage:
storageClass: local-path
monitoring:
enabled: true
prometheusRule:
enabled: false
backup:
enabled: true
endpointURL: https://s3.us-east-2.amazonaws.com
destinationPath: s3://cl01tl-postgresql-backups/authentik
endpointCredentials: authentik-postgresql-16-cluster-backup-secret
backupIndex: 1
retentionPolicy: 14d
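Review bot: The cloudflared container receives its tunnel token as a command-line argument (`--token $(CF_MANAGED_TUNNEL_TOKEN)`), so the expanded secret sits in the running process's argv, readable via `/proc/<pid>/cmdline`, `ps` on the node or anything that can exec into the pod; cloudflared reads the same value from the `TUNNEL_TOKEN` environment variable, so renaming the env entry to `- name: TUNNEL_TOKEN` and dropping the two `--token` argument lines keeps it out of argv. The authentik `server` and `worker` have no `resources` block while cloudflared does; giving them requests and limits too keeps the release consistent and bounded. The embedded `redis` is enabled with chart defaults, presumably without authentication on the cluster network — confirm that is acceptable for session storage.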


@@ -0,0 +1,11 @@
apiVersion: v2
name: external-secrets
version: 0.0.1
sources:
- https://github.com/external-secrets/external-secrets
- https://github.com/external-secrets/external-secrets/tree/main/deploy/charts/external-secrets
dependencies:
- name: external-secrets
version: 0.9.18
repository: https://charts.external-secrets.io
appVersion: 0.9.13


@@ -0,0 +1,21 @@
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
name: vault
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: auth
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
provider:
vault:
server: http://vault-internal.vault:8200
path: secret
auth:
tokenSecretRef:
namespace: vault
name: vault-token
key: token
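Review bot: The store talks to Vault over `http://vault-internal.vault:8200`, so the static token and every secret value fetched through it cross the cluster network in cleartext; enabling TLS on the Vault listener and pointing this at an `https://` server with `caBundle` or `caProvider` is the usual fix, and if that is deferred a comment should record the cleartext hop as a known gap. Authentication is a long-lived token read from `vault/vault-token`, which must be rotated by hand and, if leaked, works from anywhere; the provider's `auth.kubernetes` method (a service account bound to a Vault role) yields short-lived, pod-scoped credentials instead. `metadata.namespace` on a cluster-scoped ClusterSecretStore is ignored and can be dropped.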


@@ -0,0 +1,16 @@
apiVersion: v2
name: gitea
version: 1.0.0
sources:
- https://github.com/go-gitea/gitea
- https://gitea.com/gitea/helm-chart
- https://github.com/alexlebens/helm-charts/charts/postgres-cluster
dependencies:
- name: gitea
version: 10.1.4
repository: https://dl.gitea.io/charts/
- name: postgres-cluster
alias: postgres-16-cluster
version: 3.0.0
repository: http://alexlebens.github.io/helm-charts
appVersion: "1.21.7"


@@ -0,0 +1,94 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: gitea-admin-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: username
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /gitea/auth/admin
metadataPolicy: None
property: username
- secretKey: password
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /gitea/auth/admin
metadataPolicy: None
property: password
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: gitea-oidc-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: secret
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/gitea
metadataPolicy: None
property: secret
- secretKey: key
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/gitea
metadataPolicy: None
property: client
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: gitea-postgresql-16-cluster-backup-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: database
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /aws/keys/cl01tl-gitea-postgresql
metadataPolicy: None
property: access_key
- secretKey: ACCESS_SECRET_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /aws/keys/cl01tl-gitea-postgresql
metadataPolicy: None
property: secret_key


@@ -0,0 +1,96 @@
gitea:
ingress:
enabled: true
className: traefik
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
hosts:
- host: gitea.alexlebens.net
paths:
- path: /
pathType: Prefix
tls:
- secretName: gitea-secret-tls
hosts:
- gitea.alexlebens.net
gitea:
admin:
existingSecret: gitea-admin-secret
metrics:
enabled: true
serviceMonitor:
enabled: true
config:
server:
LANDING_PAGE: explore
ROOT_URL: https://gitea.alexlebens.net
ENABLE_PPROF: true
webhook:
ALLOWED_HOST_LIST: private
scopes: email profile
service:
DISABLE_REGISTRATION: true
SHOW_REGISTRATION_BUTTON: false
explore:
REQUIRE_SIGNIN_VIEW: true
database:
DB_TYPE: postgres
SCHEMA: public
additionalConfigFromEnvs:
- name: GITEA__DATABASE__HOST
valueFrom:
secretKeyRef:
name: gitea-postgresql-16-cluster-app
key: host
- name: GITEA__DATABASE__NAME
valueFrom:
secretKeyRef:
name: gitea-postgresql-16-cluster-app
key: dbname
- name: GITEA__DATABASE__USER
valueFrom:
secretKeyRef:
name: gitea-postgresql-16-cluster-app
key: user
- name: GITEA__DATABASE__PASSWD
valueFrom:
secretKeyRef:
name: gitea-postgresql-16-cluster-app
key: password
oauth:
- name: Authentik
provider: openidConnect
existingSecret: gitea-oidc-secret
autoDiscoverUrl: "https://authentik.alexlebens.net/application/o/gitea/.well-known/openid-configuration"
iconUrl: https://goauthentik.io/img/icon.png
scopes: "email profile"
persistence:
storageClass: ceph-block
postgresql:
enabled: false
postgresql-ha:
enabled: false
redis-cluster:
enabled: true
persistence:
enabled: false
postgres-16-cluster:
mode: standalone
cluster:
walStorage:
storageClass: local-path
storage:
storageClass: local-path
monitoring:
enabled: true
prometheusRule:
enabled: false
backup:
enabled: true
endpointURL: https://s3.us-east-2.amazonaws.com
destinationPath: s3://cl01tl-postgresql-backups/gitea
endpointCredentials: gitea-postgresql-16-cluster-backup-secret
backupIndex: 1
retentionPolicy: 14d
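Review bot: `scopes: email profile` under `config.webhook` is not a webhook setting and would be written into the `[webhook]` section of app.ini where Gitea ignores it; the OIDC scopes are already set on the `oauth` entry, so the stray key should be removed. `ENABLE_PPROF: true` starts Gitea's profiling listener in a production deployment; unless profiles are being actively collected, set it to `false`. `webhook.ALLOWED_HOST_LIST: private` lets any repository admin's webhook reach every private-range address on the cluster network, which is effectively a server-side request vector against internal services; listing the specific hosts that need webhooks is tighter. With `DISABLE_REGISTRATION: true` and no `ALLOW_ONLY_EXTERNAL_REGISTRATION`, first-time logins through Authentik may be refused because Gitea cannot auto-create the account — confirm that new users are expected to be provisioned by an admin.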


@@ -0,0 +1,11 @@
apiVersion: v2
name: grafana
version: 0.0.1
sources:
- https://github.com/grafana/grafana
- https://github.com/grafana/helm-charts/tree/main/charts/grafana
dependencies:
- name: grafana
version: 7.3.11
repository: https://grafana.github.io/helm-charts
appVersion: "10.4.0"


@@ -0,0 +1,62 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: grafana-auth-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: admin-user
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /grafana/auth
metadataPolicy: None
property: admin-user
- secretKey: admin-password
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /grafana/auth
metadataPolicy: None
property: admin-password
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: grafana-oauth-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: GF_AUTH_GENERIC_OAUTH_CLIENT_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/grafana
metadataPolicy: None
property: client
- secretKey: GF_AUTH_GENERIC_OAUTH_CLIENT_SECRET
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/grafana
metadataPolicy: None
property: secret
