2024-05-22 12:49:28 -05:00
commit 35b77bb0df
219 changed files with 9997 additions and 0 deletions


@@ -0,0 +1,2 @@
# This file is processed by Renovate bot so that it creates a PR on new major Renovate versions
FROM renovate/renovate:37

175
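--- a/.github/renovate.json
+++ b/.github/renovate.json
@@ -0,0 +1,175 @@
+{
+"$schema": "https://docs.renovatebot.com/renovate-schema.json",
+"extends": [
+"config:recommended",
+"mergeConfidence:all-badges",
+":rebaseStalePrs"
+],
+"timezone": "US/Central",
+"schedule": [
+"every weekday"
+],
+"labels": [],
+"packageRules": [
+{
+"description": "Disables for non major Renovate version",
+"matchPaths": [
+".github/renovate-update-notification/Dockerfile"
+],
+"matchUpdateTypes": [
+"minor",
+"patch",
+"pin",
+"digest",
+"rollback"
+],
+"enabled": false
+},
+{
+"description": "Generate for major Renovate version",
+"matchPaths": [
+".github/renovate-update-notification/Dockerfile"
+],
+"matchUpdateTypes": [
+"major"
+],
+"addLabels": [
+"upgrade"
+],
+"automerge": false
+},
+{
+"description": "Label service images",
+"matchDepNames": [
+"dpage/pgadmin4",
+"ghcr.io/cloudnative-pg/postgresql",
+"hashicorp/vault",
+"portainer/portainer-ce",
+"redis/redis-stack-server",
+"unpoller/unpoller"
+],
+"matchDatasources": [
+"docker"
+],
+"addLabels": [
+"service",
+"image"
+],
+"automerge": false,
+"minimumReleaseAge": "3 days"
+},
+{
+"description": "Label service charts",
+"matchDepNames": [
+"argo-cd",
+"authentik",
+"cert-manager",
+"cilium",
+"cloudnative-pg",
+"democratic-csi",
+"external-secrets",
+"gitea",
+"grafana",
+"intel-device-plugins-gpu",
+"intel-device-plugins-operator",
+"kube-prometheus-stack",
+"kubelet-serving-cert-approver",
+"kubernetes-cloudflare-ddns",
+"loki",
+"metallb",
+"metrics-server",
+"nfs-subdir-external-provisioner",
+"node-feature-discovery",
+"pgadmin4",
+"portainer",
+"postgres-cluster",
+"prometheus-operator-crds",
+"promtail",
+"redis",
+"rook-ceph-cluster",
+"rook-ceph",
+"speedtest-exporter",
+"traefik",
+"unpoller",
+"vault"
+],
+"matchDatasources": [
+"helm"
+],
+"addLabels": [
+"service",
+"chart"
+],
+"automerge": false,
+"minimumReleaseAge": "3 days"
+},
+{
+"description": "Label application images",
+"matchDepNames": [
+"deluan/navidrome",
+"ghcr.io/advplyr/audiobookshelf",
+"ghcr.io/linuxserver/calibre-web",
+"jellyfin/jellyfin",
+"linuxserver/code-server",
+"vikunja/api",
+"vikunja/frontend"
+],
+"matchDatasources": [
+"docker"
+],
+"addLabels": [
+"application",
+"image"
+],
+"automerge": false,
+"minimumReleaseAge": "3 days"
+},
+{
+"description": "Label application charts",
+"matchDepNames": [
+"audiobookshelf",
+"calibre-server",
+"calibre-web",
+"code-server",
+"cops",
+"freshrss",
+"home-assistant",
+"homepage",
+"jellyfin",
+"libation",
+"navidrome",
+"outline",
+"plex",
+"tubearchivist",
+"tubearchivist-to-jellyfin",
+"vikunja"
+],
+"matchDatasources": [
+"helm"
+],
+"addLabels": [
+"application",
+"chart"
+],
+"automerge": false,
+"minimumReleaseAge": "3 days"
+},
+{
+"description": "Automerge the plex image",
+"matchDepNames": [
+"ghcr.io/onedr0p/plex"
+],
+"matchDatasources": [
+"docker"
+],
+"addLabels": [
+"application",
+"image"
+],
+"versioning": "regex:^(?<major>\\d+)\\.(?<minor>\\d+)\\.(?<patch>\\d+)\\.(?<build>\\d+)-(?<revision>.+)?$",
+"automerge": true,
+"automergeType": "branch",
+"minimumReleaseAge": "3 days"
+}
+]
+}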
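Review bot: The "Automerge the plex image" rule (the last packageRules entry) has no `matchUpdateTypes`, so with `automerge: true` and `automergeType: branch` every update the custom regex versioning classifies — including a change of the `major` group — lands on the default branch with no PR and no review, while every other image rule in this file sets `automerge: false`. Add `"matchUpdateTypes": ["minor", "patch"]` to that rule so major bumps still arrive as a labelled PR. Separately, the two Dockerfile rules rely on `matchPaths`; recent Renovate releases have deprecated that key in favour of `matchFileNames`, and since the self-hosted image is pinned to the `37` line, confirm the key is still honoured there, otherwise those rules silently match nothing and the major-version notification PR is never created.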

37
.github/workflows/lint-test.yaml vendored Normal file

@@ -0,0 +1,37 @@
name: lint-and-test-charts
on: pull_request
jobs:
lint-test:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
with:
fetch-depth: 0
- name: Set up Helm
uses: azure/setup-helm@v4
with:
version: v3.13.3
- uses: actions/setup-python@v5
with:
python-version: "3.10"
check-latest: true
- name: Set up chart-testing
uses: helm/chart-testing-action@v2.6.1
- name: Run chart-testing (list-changed)
id: list-changed
run: |
changed=$(ct list-changed --target-branch ${{ github.event.repository.default_branch }})
if [[ -n "$changed" ]]; then
echo "changed=true" >> "$GITHUB_OUTPUT"
fi
- name: Run chart-testing (lint)
if: steps.list-changed.outputs.changed == 'true'
run: ct lint --target-branch ${{ github.event.repository.default_branch }}
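Review bot: The workflow declares no top-level `permissions:` block, so the `GITHUB_TOKEN` handed to this job carries the repository's default token permissions even though `ct list-changed` and `ct lint` only need to read the checkout; add `permissions:` / `  contents: read` directly under `name:` to scope it down. The third-party actions (`actions/checkout@v4`, `azure/setup-helm@v4`, `actions/setup-python@v5`, `helm/chart-testing-action@v2.6.1`) are referenced by mutable tags; pinning each to a full commit SHA, with the tag kept in a trailing comment, keeps a re-pointed tag from silently changing what runs in CI. Indentation is lost in the rendered view, so the exact nesting of the steps cannot be checked here.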

201
LICENSE Normal file

@@ -0,0 +1,201 @@
Apache License
Version 2.0, January 2004
http://www.apache.org/licenses/
TERMS AND CONDITIONS FOR USE, REPRODUCTION, AND DISTRIBUTION
1. Definitions.
"License" shall mean the terms and conditions for use, reproduction,
and distribution as defined by Sections 1 through 9 of this document.
"Licensor" shall mean the copyright owner or entity authorized by
the copyright owner that is granting the License.
"Legal Entity" shall mean the union of the acting entity and all
other entities that control, are controlled by, or are under common
control with that entity. For the purposes of this definition,
"control" means (i) the power, direct or indirect, to cause the
direction or management of such entity, whether by contract or
otherwise, or (ii) ownership of fifty percent (50%) or more of the
outstanding shares, or (iii) beneficial ownership of such entity.
"You" (or "Your") shall mean an individual or Legal Entity
exercising permissions granted by this License.
"Source" form shall mean the preferred form for making modifications,
including but not limited to software source code, documentation
source, and configuration files.
"Object" form shall mean any form resulting from mechanical
transformation or translation of a Source form, including but
not limited to compiled object code, generated documentation,
and conversions to other media types.
"Work" shall mean the work of authorship, whether in Source or
Object form, made available under the License, as indicated by a
copyright notice that is included in or attached to the work
(an example is provided in the Appendix below).
"Derivative Works" shall mean any work, whether in Source or Object
form, that is based on (or derived from) the Work and for which the
editorial revisions, annotations, elaborations, or other modifications
represent, as a whole, an original work of authorship. For the purposes
of this License, Derivative Works shall not include works that remain
separable from, or merely link (or bind by name) to the interfaces of,
the Work and Derivative Works thereof.
"Contribution" shall mean any work of authorship, including
the original version of the Work and any modifications or additions
to that Work or Derivative Works thereof, that is intentionally
submitted to Licensor for inclusion in the Work by the copyright owner
or by an individual or Legal Entity authorized to submit on behalf of
the copyright owner. For the purposes of this definition, "submitted"
means any form of electronic, verbal, or written communication sent
to the Licensor or its representatives, including but not limited to
communication on electronic mailing lists, source code control systems,
and issue tracking systems that are managed by, or on behalf of, the
Licensor for the purpose of discussing and improving the Work, but
excluding communication that is conspicuously marked or otherwise
designated in writing by the copyright owner as "Not a Contribution."
"Contributor" shall mean Licensor and any individual or Legal Entity
on behalf of whom a Contribution has been received by Licensor and
subsequently incorporated within the Work.
2. Grant of Copyright License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
copyright license to reproduce, prepare Derivative Works of,
publicly display, publicly perform, sublicense, and distribute the
Work and such Derivative Works in Source or Object form.
3. Grant of Patent License. Subject to the terms and conditions of
this License, each Contributor hereby grants to You a perpetual,
worldwide, non-exclusive, no-charge, royalty-free, irrevocable
(except as stated in this section) patent license to make, have made,
use, offer to sell, sell, import, and otherwise transfer the Work,
where such license applies only to those patent claims licensable
by such Contributor that are necessarily infringed by their
Contribution(s) alone or by combination of their Contribution(s)
with the Work to which such Contribution(s) was submitted. If You
institute patent litigation against any entity (including a
cross-claim or counterclaim in a lawsuit) alleging that the Work
or a Contribution incorporated within the Work constitutes direct
or contributory patent infringement, then any patent licenses
granted to You under this License for that Work shall terminate
as of the date such litigation is filed.
4. Redistribution. You may reproduce and distribute copies of the
Work or Derivative Works thereof in any medium, with or without
modifications, and in Source or Object form, provided that You
meet the following conditions:
(a) You must give any other recipients of the Work or
Derivative Works a copy of this License; and
(b) You must cause any modified files to carry prominent notices
stating that You changed the files; and
(c) You must retain, in the Source form of any Derivative Works
that You distribute, all copyright, patent, trademark, and
attribution notices from the Source form of the Work,
excluding those notices that do not pertain to any part of
the Derivative Works; and
(d) If the Work includes a "NOTICE" text file as part of its
distribution, then any Derivative Works that You distribute must
include a readable copy of the attribution notices contained
within such NOTICE file, excluding those notices that do not
pertain to any part of the Derivative Works, in at least one
of the following places: within a NOTICE text file distributed
as part of the Derivative Works; within the Source form or
documentation, if provided along with the Derivative Works; or,
within a display generated by the Derivative Works, if and
wherever such third-party notices normally appear. The contents
of the NOTICE file are for informational purposes only and
do not modify the License. You may add Your own attribution
notices within Derivative Works that You distribute, alongside
or as an addendum to the NOTICE text from the Work, provided
that such additional attribution notices cannot be construed
as modifying the License.
You may add Your own copyright statement to Your modifications and
may provide additional or different license terms and conditions
for use, reproduction, or distribution of Your modifications, or
for any such Derivative Works as a whole, provided Your use,
reproduction, and distribution of the Work otherwise complies with
the conditions stated in this License.
5. Submission of Contributions. Unless You explicitly state otherwise,
any Contribution intentionally submitted for inclusion in the Work
by You to the Licensor shall be under the terms and conditions of
this License, without any additional terms or conditions.
Notwithstanding the above, nothing herein shall supersede or modify
the terms of any separate license agreement you may have executed
with Licensor regarding such Contributions.
6. Trademarks. This License does not grant permission to use the trade
names, trademarks, service marks, or product names of the Licensor,
except as required for reasonable and customary use in describing the
origin of the Work and reproducing the content of the NOTICE file.
7. Disclaimer of Warranty. Unless required by applicable law or
agreed to in writing, Licensor provides the Work (and each
Contributor provides its Contributions) on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or
implied, including, without limitation, any warranties or conditions
of TITLE, NON-INFRINGEMENT, MERCHANTABILITY, or FITNESS FOR A
PARTICULAR PURPOSE. You are solely responsible for determining the
appropriateness of using or redistributing the Work and assume any
risks associated with Your exercise of permissions under this License.
8. Limitation of Liability. In no event and under no legal theory,
whether in tort (including negligence), contract, or otherwise,
unless required by applicable law (such as deliberate and grossly
negligent acts) or agreed to in writing, shall any Contributor be
liable to You for damages, including any direct, indirect, special,
incidental, or consequential damages of any character arising as a
result of this License or out of the use or inability to use the
Work (including but not limited to damages for loss of goodwill,
work stoppage, computer failure or malfunction, or any and all
other commercial damages or losses), even if such Contributor
has been advised of the possibility of such damages.
9. Accepting Warranty or Additional Liability. While redistributing
the Work or Derivative Works thereof, You may choose to offer,
and charge a fee for, acceptance of support, warranty, indemnity,
or other liability obligations and/or rights consistent with this
License. However, in accepting such obligations, You may act only
on Your own behalf and on Your sole responsibility, not on behalf
of any other Contributor, and only if You agree to indemnify,
defend, and hold each Contributor harmless for any liability
incurred by, or claims asserted against, such Contributor by reason
of your accepting any such warranty or additional liability.
END OF TERMS AND CONDITIONS
APPENDIX: How to apply the Apache License to your work.
To apply the Apache License to your work, attach the following
boilerplate notice, with the fields enclosed by brackets "[]"
replaced with your own identifying information. (Don't include
the brackets!) The text should be enclosed in the appropriate
comment syntax for the file format. We also recommend that a
file or class name and description of purpose be included on the
same "printed page" as the copyright notice for easier
identification within third-party archives.
Copyright [yyyy] [name of copyright owner]
Licensed under the Apache License, Version 2.0 (the "License");
you may not use this file except in compliance with the License.
You may obtain a copy of the License at
http://www.apache.org/licenses/LICENSE-2.0
Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.

7
README.md Normal file

@@ -0,0 +1,7 @@
# alexlebens.net
GitOps definied infrastrucutre for the alexlebens.net domain.
## License
This project is licensed under the terms of the Apache 2.0 License license.


@@ -0,0 +1,11 @@
apiVersion: v2
name: audiobookshelf
version: 0.0.1
sources:
- https://github.com/advplyr/audiobookshelf
- https://github.com/k8s-home-lab/helm-charts/tree/master/charts/stable/audiobookshelf
dependencies:
- name: audiobookshelf
version: 2.0.0
repository: https://k8s-home-lab.github.io/helm-charts/
appVersion: "2.8.0"


@@ -0,0 +1,40 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: audiobookshelf-nfs-storage-backup
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeMode: Filesystem
storageClassName: nfs-client
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: audiobookshelf-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: audiobookshelf-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi


@@ -0,0 +1,25 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: audiobookshelf-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: {{ .Values.storage.nfs.path }}
server: {{ .Values.storage.nfs.server }}
mountOptions:
- vers=4
- minorversion=1
- noac
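Review bot: `namespace: {{ .Release.Namespace }}` is set in `metadata` of a PersistentVolume, but PVs are cluster-scoped, so the field carries no meaning and, depending on the Helm and API server versions in use, is either silently discarded or rejected; drop that line here and in the identical PV templates in the calibre-server, calibre-web and cops hunks. Because the PV name `audiobookshelf-nfs-storage` is fixed rather than derived from the release, two installs of this chart in different namespaces would collide on the same cluster-scoped object. Consider adding a `claimRef` naming the intended PVC and namespace so the volume cannot be bound first by some other `nfs-client`/`ReadWriteMany` claim in the cluster.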


@@ -0,0 +1,48 @@
audiobookshelf:
image:
repository: ghcr.io/advplyr/audiobookshelf
tag: 2.9.0
env:
TZ: US/Central
ingress:
main:
enabled: true
ingressClassName: traefik
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
hosts:
- host: audiobookshelf.alexlebens.net
paths:
- path: /
pathType: Prefix
tls:
- secretName: audiobookshelf-secret-tls
hosts:
- audiobookshelf.alexlebens.net
persistence:
config:
enabled: true
mountPath: /config
accessMode: ReadWriteOnce
size: 2Gi
metadata:
enabled: true
mountPath: /metadata
accessMode: ReadWriteOnce
size: 10Gi
backup:
enabled: true
mountPath: /metadata/backups
type: pvc
existingClaim: audiobookshelf-nfs-storage-backup
audiobooks:
enabled: true
mountPath: /mnt/store/
type: pvc
existingClaim: audiobookshelf-nfs-storage
storage:
nfs:
path: /volume2/Storage
server: synologybond.alexlebens.net
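Review bot: `tag: 2.9.0` for the image does not match the chart's `appVersion: "2.8.0"` in the Chart.yaml hunk above, so the `app.kubernetes.io/version` label stamped on the PV and PVC templates advertises a different version from what is actually running; the code-server chart in this commit has the same drift (`appVersion: "4.22.0"` vs `tag: 4.89.1`). Either bump `appVersion` alongside the tag or drop the explicit tag and let the subchart default to its own appVersion. Quoting the tag (`tag: "2.9.0"`) would also match the quoted appVersion; this particular value is safe as a plain scalar, but a tag such as `2.10` would be read as a float.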


@@ -0,0 +1,11 @@
apiVersion: v2
name: calibre-server
version: 1.0.0
sources:
- https://github.com/kovidgoyal/calibre
- https://github.com/alexlebens/helm-charts/tree/main/charts/calibre-server
dependencies:
- name: calibre-server
version: 0.0.8
repository: http://alexlebens.github.io/helm-charts
appVersion: 7.5.1
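Review bot: `repository: http://alexlebens.github.io/helm-charts` fetches the chart index and tarballs over plain HTTP, so anything on the network path could substitute the dependency during `helm dependency update`; GitHub Pages serves the same host over HTTPS, so change it to `repository: https://alexlebens.github.io/helm-charts`. The same plain-HTTP repository URL appears in the cops, freshrss (both dependencies) and home-assistant Chart.yaml hunks. If a `Chart.lock` is not already committed, adding one pins the resolved chart digest so a later re-resolution cannot swap the content unnoticed.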


@@ -0,0 +1,19 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: calibre-server-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: calibre-server-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi


@@ -0,0 +1,25 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: calibre-server-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: {{ index .Values "calibre-server" "persistence" "books" "nfs" "path" }}
server: {{ index .Values "calibre-server" "persistence" "books" "nfs" "server" }}
mountOptions:
- vers=4
- minorversion=1
- noac


@@ -0,0 +1,20 @@
calibre-server:
deployment:
env:
TZ: US/Central
ingressRoute:
enabled: true
http:
host: calibre-server.alexlebens.net
authentik:
outpost: authentik-outpost-proxy
namespace: authentik
persistence:
config:
storageClassName: ceph-block
storageSize: 5Gi
books:
claimName: calibre-server-nfs-storage
nfs:
path: /volume2/Storage/Calibre
server: synologybond.alexlebens.net


@@ -0,0 +1,11 @@
apiVersion: v2
name: calibre-web
version: 0.0.1
sources:
- https://github.com/janeczku/calibre-web
- https://github.com/k8s-home-lab/helm-charts/tree/master/charts/stable/calibre-web
dependencies:
- name: calibre-web
version: 9.0.2
repository: https://k8s-home-lab.github.io/helm-charts/
appVersion: v0.6.21


@@ -0,0 +1,33 @@
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: {{ .Release.Name }}
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
entryPoints:
- websecure
routes:
- kind: Rule
match: "Host(`{{ .Values.ingressRoute.host }}`)"
middlewares:
- name: "authentik-{{ .Release.Name }}"
namespace: {{ .Release.Namespace }}
priority: 10
services:
- kind: Service
name: {{ .Release.Name }}
port: {{ .Values.ingressRoute.port }}
- kind: Rule
match: "Host(`{{ .Values.ingressRoute.host }}`) && PathPrefix(`/outpost.goauthentik.io/`)"
priority: 15
services:
- kind: Service
name: {{ .Values.ingressRoute.authentik.outpost }}
port: {{ .Values.ingressRoute.authentik.port }}
namespace: {{ .Values.ingressRoute.authentik.namespace }}
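Review bot: The second route's `services` entry points at `{{ .Values.ingressRoute.authentik.namespace }}`, a namespace other than the IngressRoute's own, and Traefik only honours cross-namespace service references when its Kubernetes CRD provider runs with `allowCrossNamespace` enabled; without it the `/outpost.goauthentik.io/` route does not resolve and the forward-auth redirect has nowhere to land, which this chart cannot guarantee on its own. Record that requirement in a comment above `services:`, e.g. `# requires providers.kubernetesCRD.allowCrossNamespace=true on the Traefik install`. The route also has no `tls:` block, so on the `websecure` entry point it is only served over TLS if that is configured at the entry-point level, which is outside this chart.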


@@ -0,0 +1,27 @@
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: "authentik-{{ .Release.Name }}"
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: auth
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
forwardAuth:
address: "http://{{ .Values.ingressRoute.authentik.outpost }}.authentik:{{ .Values.ingressRoute.authentik.port }}/outpost.goauthentik.io/auth/traefik"
trustForwardHeader: true
authResponseHeaders:
- X-authentik-username
- X-authentik-groups
- X-authentik-email
- X-authentik-name
- X-authentik-uid
- X-authentik-jwt
- X-authentik-meta-jwks
- X-authentik-meta-outpost
- X-authentik-meta-provider
- X-authentik-meta-app
- X-authentik-meta-version
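Review bot: The forwardAuth `address` hard-codes the outpost's namespace as `.authentik` while the IngressRoute template in the previous hunk takes it from `.Values.ingressRoute.authentik.namespace`, so changing that value moves the route but not the auth endpoint; use `address: "http://{{ .Values.ingressRoute.authentik.outpost }}.{{ .Values.ingressRoute.authentik.namespace }}:{{ .Values.ingressRoute.authentik.port }}/outpost.goauthentik.io/auth/traefik"`. `trustForwardHeader: true` hands the client's `X-Forwarded-*` headers to the outpost unchanged, which is only safe when the Traefik entry point restricts `forwardedHeaders.trustedIPs` to the upstream proxy — something this chart cannot verify, so a comment stating that assumption above the key would help the next reader. The auth hop itself is plain `http://` inside the cluster, meaning the returned `X-authentik-*` identity headers travel unencrypted between Traefik and the outpost unless a mesh or network policy covers that path.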


@@ -0,0 +1,19 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: calibre-web-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: calibre-web-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi


@@ -0,0 +1,25 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: calibre-web-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: {{ .Values.storage.storage.nfs.path }}
server: {{ .Values.storage.storage.nfs.server }}
mountOptions:
- vers=4
- minorversion=1
- noac


@@ -0,0 +1,33 @@
calibre-web:
image:
repository: ghcr.io/linuxserver/calibre-web
tag: 0.6.21-ls253
env:
TZ: US/Central
DOCKER_MODS: linuxserver/mods:universal-calibre
ingress:
main:
enabled: false
persistence:
config:
enabled: true
mountPath: /config
accessMode: ReadWriteOnce
size: 5Gi
media:
enabled: true
mountPath: /books
type: pvc
existingClaim: calibre-web-nfs-storage
ingressRoute:
host: calibre.alexlebens.net
port: 8083
authentik:
outpost: authentik-outpost-proxy
port: 9000
namespace: authentik
storage:
storage:
nfs:
path: /volume2/Storage/Calibre
server: synologybond.alexlebens.net


@@ -0,0 +1,12 @@
apiVersion: v2
name: code-server
version: 0.0.1
sources:
- https://github.com/coder/code-server
- https://github.com/linuxserver/docker-code-server
- https://gitlab.com/alexander-chernov/helm/code-server
dependencies:
- name: code-server
version: 0.1.1
repository: https://charts.alekc.dev
appVersion: "4.22.0"


@@ -0,0 +1,23 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: codeserver-password-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: password
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /code-server/auth
metadataPolicy: None
property: password


@@ -0,0 +1,19 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: code-server-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeMode: Filesystem
storageClassName: nfs-client
accessModes:
- ReadWriteOnce
resources:
requests:
storage: 1Gi


@@ -0,0 +1,34 @@
code-server:
image:
repository: linuxserver/code-server
tag: 4.89.1
ingress:
enabled: true
className: traefik
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
hosts:
- host: codeserver.alexlebens.net
paths:
- path: /
pathType: Prefix
tls:
- secretName: codeserver-secret-tls
hosts:
- codeserver.alexlebens.net
env:
simple:
TZ: US/Central
DEFAULT_WORKSPACE: /config
full:
- name: SUDO_PASSWORD
valueFrom:
secretKeyRef:
key: password
name: codeserver-password-secret
optional: false
persistence:
existingClaim: code-server-nfs-storage
enabled: true


@@ -0,0 +1,11 @@
apiVersion: v2
name: cops
version: 0.0.1
sources:
- https://github.com/mikespub-org/seblucas-cops
- http://alexlebens.github.io/helm-charts
dependencies:
- name: cops
version: 0.0.3
repository: http://alexlebens.github.io/helm-charts
appVersion: 1.1.3


@@ -0,0 +1,19 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: cops-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: cops-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi


@@ -0,0 +1,25 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: cops-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: {{ .Values.storage.books.nfsPath }}
server: {{ .Values.storage.books.nfsServer }}
mountOptions:
- vers=4
- minorversion=1
- noac


@@ -0,0 +1,22 @@
cops:
deployment:
env:
TZ: US/Central
ingress:
enabled: true
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
className: traefik
host: calibre-content.alexlebens.net
persistence:
config:
storageClassName: ceph-block
storageSize: 1Gi
books:
claimName: cops-nfs-storage
storage:
books:
nfsPath: /volume2/Storage/Calibre
nfsServer: synologybond.alexlebens.net


@@ -0,0 +1,15 @@
apiVersion: v2
name: freshrss
version: 1.0.0
sources:
- https://github.com/FreshRSS/FreshRSS
- https://github.com/alexlebens/helm-charts/tree/main/charts/hfreshrss
dependencies:
- name: freshrss
version: 0.0.3
repository: http://alexlebens.github.io/helm-charts
- name: postgres-cluster
alias: postgres-16-cluster
version: 3.0.0
repository: http://alexlebens.github.io/helm-charts
appVersion: "1.23.1"
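Review bot: The second `sources` URL ends in `charts/hfreshrss`, which looks like a typo for `charts/freshrss` given the dependency name and the pattern of the other source URLs in this commit; confirm and correct it, since `sources` is what `helm show chart` and chart indexes surface to users. Both `repository:` entries here use plain HTTP; the same host is reachable over HTTPS.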


@@ -0,0 +1,94 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: freshrss-oidc-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: OIDC_CLIENT_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/freshrss
metadataPolicy: None
property: client
- secretKey: OIDC_CLIENT_SECRET
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/freshrss
metadataPolicy: None
property: secret
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: freshrss-install-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: FRESHRSS_INSTALL
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /freshrss/config
metadataPolicy: None
property: FRESHRSS_INSTALL
- secretKey: FRESHRSS_USER
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /freshrss/config
metadataPolicy: None
property: FRESHRSS_USER
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: freshrss-postgresql-16-cluster-backup-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: freshrss-postgresql-16-cluster-backup-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: database
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /aws/keys/cl01tl-freshrss-postgresql
metadataPolicy: None
property: access_key
- secretKey: ACCESS_SECRET_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /aws/keys/cl01tl-freshrss-postgresql
metadataPolicy: None
property: secret_key
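Review bot: The third ExternalSecret sets `app.kubernetes.io/name: freshrss-postgresql-16-cluster-backup-secret` while every other resource in this commit sets that label to `{{ .Release.Name }}`, so selectors and dashboards keyed on the name label will not group it with the rest of the release; use `app.kubernetes.io/name: {{ .Release.Name }}` for consistency, or give every resource its own name deliberately. The secret keys `ACCESS_KEY_ID` / `ACCESS_SECRET_KEY` must match what the postgres-cluster subchart reads from the secret named in `endpointCredentials`; that contract lives outside this hunk, so a one-line comment above `data:` naming the consumer would save the next reader a lookup.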


@@ -0,0 +1,42 @@
freshrss:
deployment:
env:
TZ: US/Central
CRON_MIN: 13,43
OIDC_ENABLED: 1
OIDC_PROVIDER_METADATA_URL: https://authentik.alexlebens.net/application/o/freshrss/.well-known/openid-configuration
OIDC_X_FORWARDED_HEADERS: X-Forwarded-Port X-Forwarded-Proto X-Forwarded-Host
OIDC_SCOPES: openid email profile
OIDC_REMOTE_USER_CLAIM: preferred_username
envFrom:
- secretRef:
name: freshrss-oidc-secret
ingress:
enabled: true
className: traefik
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
host: rss.alexlebens.net
persistence:
config:
storageClassName: ceph-block
storageSize: 5Gi
postgres-16-cluster:
mode: standalone
kubernetesClusterName: cl01tl
cluster:
walStorage:
storageClass: local-path
storage:
storageClass: local-path
monitoring:
enabled: true
backup:
enabled: true
endpointURL: https://s3.us-east-2.amazonaws.com
destinationPath: s3://cl01tl-postgresql-backups/freshrss
endpointCredentials: freshrss-postgresql-16-cluster-backup-secret
backupIndex: 1
retentionPolicy: 14d
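Review bot: `OIDC_ENABLED: 1` is an unquoted integer, and Kubernetes container env values must be strings; whether this renders validly depends on how the freshrss subchart emits `deployment.env` (a `toYaml` pass-through would produce `value: 1` and be rejected by the API server), so write it as `OIDC_ENABLED: "1"` like the other string values in the block. `CRON_MIN: 13,43` is safe as a plain scalar but reads more clearly quoted as well. The S3 credentials for the backup are correctly sourced from the `freshrss-postgresql-16-cluster-backup-secret` ExternalSecret rather than inlined here.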


@@ -0,0 +1,11 @@
apiVersion: v2
name: home-assistant
version: 1.0.0
sources:
- https://github.com/home-assistant
- https://github.com/alexlebens/helm-charts/tree/main/charts/home-assistant
dependencies:
- name: home-assistant
version: 0.1.15
repository: http://alexlebens.github.io/helm-charts
appVersion: v2024.5.3


@@ -0,0 +1,48 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: home-assistant-codeserver-password-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: SUDO_PASSWORD
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /home-assistant/auth
metadataPolicy: None
property: SUDO_PASSWORD
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: home-assistant-token-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: bearerToken
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /home-assistant/auth
metadataPolicy: None
property: bearerToken
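Review bot: Both ExternalSecrets in this hunk set `app.kubernetes.io/name: {{ .Release.Name }}`, whereas the cloudflared, homepage-back and kyoo ExternalSecrets elsewhere in the commit set that label to the resource's own name (`app.kubernetes.io/name: home-assistant-token-secret` would match them); the mismatch makes label selectors behave differently per chart. Neither spec sets `refreshInterval`, so the operator's default applies; if the Vault entries under `/home-assistant/auth` are rotated on a schedule, pinning `refreshInterval` explicitly documents how long a stale `bearerToken` or `SUDO_PASSWORD` can remain in the cluster.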


@@ -0,0 +1,46 @@
home-assistant:
deployment:
env:
TZ: US/Central
ingressRoute:
enabled: true
host: homeassistant.alexlebens.net
authentik:
outpost: authentik-outpost-proxy
namespace: authentik
metrics:
enabled: true
serviceMonitor:
bearerTokenSecret:
name: home-assistant-token-secret
key: bearerToken
prometheusRule:
enabled: true
rules:
- alert: HomeAssistantAbsent
annotations:
description: Home Assistant has disappeared from Prometheus service discovery.
summary: Home Assistant is down.
expr: |
absent(up{job=~".*home-assistant.*"} == 1)
for: 5m
labels:
severity: critical
persistence:
config:
storageClassName: ceph-block
storageSize: 1Gi
codeserver:
enabled: true
env:
TZ: US/Central
DEFAULT_WORKSPACE: /config
envFrom:
- secretRef:
name: home-assistant-codeserver-password-secret
ingressRoute:
enabled: true
host: homeassistant-codeserver.alexlebens.net
authentik:
outpost: authentik-outpost-proxy
namespace: authentik
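Review bot: The `codeserver` block at the end of the hunk is gated only by the authentik outpost on its ingressRoute: the `envFrom` secret supplies `SUDO_PASSWORD` (sudo inside the container) and nothing here configures code-server's own login, so anyone the outpost admits gets an editor rooted at `DEFAULT_WORKSPACE: /config`, the directory where Home Assistant conventionally keeps its secrets.yaml. If a single layer of authentication is the intended model, a comment above `codeserver:` such as `# access control is the authentik outpost only; no code-server password is set` keeps a later reader from assuming a second factor exists. The `bearerToken` handed to the ServiceMonitor is a long-lived Home Assistant token, which is fine for scraping but worth noting alongside it.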


@@ -0,0 +1,18 @@
apiVersion: v2
name: homepage-dev
version: 1.0.0
home: https://outline.alexlebens.net/doc/homepage-dev-s2clWoI5EC
sources:
- https://github.com/gethomepage/homepage
- https://github.com/cloudflare/cloudflared
- https://github.com/bjw-s/helm-charts/blob/main/charts/other/app-template/values.yaml
dependencies:
- name: app-template
alias: homepage
repository: https://bjw-s.github.io/helm-charts/
version: 3.1.0
- name: app-template
alias: cloudflared
repository: https://bjw-s.github.io/helm-charts/
version: 3.1.0
appVersion: v0.8.12
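Review bot: `appVersion: v0.8.12` disagrees with the image this chart actually deploys, `tag: v0.8.13` in the homepage-dev values section of the same commit; the `app.kubernetes.io/version: {{ .Chart.AppVersion }}` label on the chart's ExternalSecret will therefore report the wrong release. Bumping to `appVersion: v0.8.13` (or templating the tag from `.Chart.AppVersion`) keeps the two in step.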


@@ -0,0 +1,23 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: homepage-dev-cloudflared-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: homepage-dev-cloudflared-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: cf-tunnel-token
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cloudflare/tunnels/homepage-dev
metadataPolicy: None
property: token


@@ -0,0 +1,225 @@
homepage:
global:
nameOverride: homepage
controllers:
main:
type: deployment
annotations:
reloader.stakater.com/auto: "true"
strategy: Recreate
containers:
main:
image:
repository: ghcr.io/gethomepage/homepage
tag: v0.8.13
pullPolicy: IfNotPresent
resources:
limits:
cpu: 1000m
memory: 512Mi
requests:
cpu: 10m
memory: 128Mi
serviceAccount:
create: true
configMaps:
config:
enabled: true
data:
docker.yaml: ""
kubernetes.yaml: ""
settings.yaml: |
favicon: https://alexlebens-dev.nyc3.digitaloceanspaces.com/cl02do/assets/icon_white.png
headerStyle: clean
hideVersion: true
color: slate
background:
image: https://alexlebens-dev.nyc3.digitaloceanspaces.com/cl02do/assets/background.jpg
theme: dark
disableCollapse: true
layout:
- Media:
icon: mdi-multimedia-#ffffff
- Applications:
icon: mdi-application-#ffffff
widgets.yaml: |
- logo:
icon: https://alexlebens-dev.nyc3.digitaloceanspaces.com/cl02do/assets/icon_white.png
- datetime:
text_size: xl
format:
dateStyle: long
timeStyle: short
hour12: false
- openmeteo:
label: Denver
latitude: 39.73
longitude: 104.99
units: metric
cache: 5
services.yaml: |
- Media:
- Plex:
icon: plex.png
href: https://plex.alexlebens.net
description: Media server
siteMonitor: http://plex.plex:32400
statusStyle: dot
- Overseerr:
icon: overseerr.png
description: Requests
href: https://overseerr.alexlebens.net
siteMonitor: http://overseerr.overseerr:5055
statusStyle: dot
- Jellyfin:
icon: jellyfin.png
description: Media server
href: https://jellyfin.alexlebens.net/
siteMonitor: http://jellyfin.jellyfin:8096
statusStyle: dot
- TubeAchivist:
icon: tube-archivist.png
description: Youtube downloader
href: https://tubearchivist.alexlebens.net/login/
siteMonitor: http://tubearchivist.tubearchivist:8000
statusStyle: dot
- Navidrome:
icon: navidrome.png
description: Music
href: https://navidrome.alexlebens.net
siteMonitor: http://navidrome.navidrome:4533
statusStyle: dot
- Audiobookshelf:
icon: audiobookshelf.png
description: Audiobooks, Books, and Podcasts
href: https://audiobookshelf.alexlebens.net
siteMonitor: http://audiobookshelf.audiobookshelf:80
statusStyle: dot
- Calibre:
icon: calibre-web.png
description: Books
href: https://calibre.alexlebens.net
siteMonitor: http://calibre-web.calibre-web:8083
statusStyle: dot
- Applications:
- Ghost:
icon: ghost.png
description: Website and blog
href: https://blog.alexlebens.dev
siteMonitor: https://blog.alexlebens.dev
statusStyle: dot
- Chat:
icon: element.svg
description: Web client for Matrix chat
href: https://chat.alexlebens.dev
siteMonitor: https://chat.alexlebens.dev
statusStyle: dot
- Home Assistant:
icon: home-assistant.png
description: Home automation
href: https://homeassistant.alexlebens.net
siteMonitor: http://home-assistant.home-assistant:8123
statusStyle: dot
- Vikunja:
icon: vikunja.png
description: Notes and tasks
href: https://vikunja.alexlebens.net
siteMonitor: http://vikunja-frontend.vikunja:80
statusStyle: dot
- Taiga:
icon: taiga.png
description: Project planning
href: https://taiga.alexlebens.net
siteMonitor: http://taiga-front.taiga:80
statusStyle: dot
- Penpot:
icon: https://raw.githubusercontent.com/penpot/penpot/362d4ea47f06d169dd6e0a34cb9d141200e646e6/frontend/resources/images/icons/penpot-logo-icon.svg
description: Web design
href: https://penpot.alexlebens.net
siteMonitor: http://penpot.penpot:80
statusStyle: dot
- Outline:
icon: outline.png
description: Wiki
href: https://outline.alexlebens.net
siteMonitor: http://outline.outline:3000
statusStyle: dot
- FreshRss:
icon: freshrss.svg
description: Rss reader
href: https://rss.alexlebens.net
siteMonitor: http://freshrss.freshrss:80
statusStyle: dot
bookmarks.yaml: ""
service:
http:
controller: main
ports:
http:
port: 80
targetPort: 3000
protocol: HTTP
persistence:
config:
enabled: true
type: configMap
name: homepage-dev-config
advancedMounts:
main:
main:
- path: /app/config/bookmarks.yaml
readOnly: true
mountPropagation: None
subPath: bookmarks.yaml
- path: /app/config/docker.yaml
readOnly: true
mountPropagation: None
subPath: docker.yaml
- path: /app/config/kubernetes.yaml
readOnly: true
mountPropagation: None
subPath: kubernetes.yaml
- path: /app/config/services.yaml
readOnly: true
mountPropagation: None
subPath: services.yaml
- path: /app/config/settings.yaml
readOnly: true
mountPropagation: None
subPath: settings.yaml
- path: /app/config/widgets.yaml
readOnly: true
mountPropagation: None
subPath: widgets.yaml
cloudflared:
global:
nameOverride: cloudflared
controllers:
main:
type: deployment
strategy: Recreate
containers:
main:
image:
repository: cloudflare/cloudflared
tag: "2024.5.0"
pullPolicy: IfNotPresent
args:
- tunnel
- --no-autoupdate
- run
- --token
- $(CF_MANAGED_TUNNEL_TOKEN)
env:
- name: CF_MANAGED_TUNNEL_TOKEN
valueFrom:
secretKeyRef:
name: homepage-dev-cloudflared-secret
key: cf-tunnel-token
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 10m
memory: 64Mi
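Review bot: The cloudflared container passes the tunnel token on the command line (`- --token` / `- $(CF_MANAGED_TUNNEL_TOKEN)`), so the expanded secret is visible in the pod spec's argv, `kubectl describe`, and the process list on the node, which undoes the point of sourcing it from a Secret. cloudflared reads the token from the `TUNNEL_TOKEN` environment variable, so renaming the env entry to `- name: TUNNEL_TOKEN` and dropping the two `--token` args keeps the same secretKeyRef without exposing the value. Separately, the openmeteo widget in `widgets.yaml` sets `longitude: 104.99` for Denver; Denver is at about 104.99° W, so the value should be `longitude: -104.99` — the same mistake is in the homepage-front values section.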


@@ -0,0 +1,12 @@
apiVersion: v2
name: homepage-front
version: 1.0.0
home: https://outline.alexlebens.net/doc/homepage-s2clWoI5EC
sources:
- https://github.com/gethomepage/homepage
- https://github.com/alexlebens/helm-charts/tree/main/charts/homepage
dependencies:
- name: homepage
version: 0.0.15
repository: http://alexlebens.github.io/helm-charts
appVersion: v0.8.12


@@ -0,0 +1,44 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: homepage-back-key-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: HOMEPAGE_VAR_SYNOLOGY_USER
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /synology/auth
metadataPolicy: None
property: user
- secretKey: HOMEPAGE_VAR_SYNOLOGY_PASSWORD
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /synology/auth
metadataPolicy: None
property: password
- secretKey: HOMEPAGE_VAR_UNIFI_USER
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /unifi/auth
metadataPolicy: None
property: user
- secretKey: HOMEPAGE_VAR_UNIFI_PASSWORD
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /unifi/auth
metadataPolicy: None
property: password
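Review bot: The four entries in this hunk inject Synology and Unifi credentials into the homepage pod as `HOMEPAGE_VAR_*` environment variables, where they are readable by anything that can exec into or dump the pod. The dashboard widgets only need read access, so if `/synology/auth` and `/unifi/auth` hold administrator accounts, a dedicated read-only account for each would limit what a compromised dashboard pod can do; a comment on the secret recording which account type is stored would make that explicit. The resource is named `homepage-back-key-secret` while the chart is `homepage-front`, which is confusing when grepping across the two homepage charts.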


@@ -0,0 +1,420 @@
homepage:
deployment:
annotations:
reloader.stakater.com/auto: "true"
resources:
limits:
memory: 2Gi
cpu: 1000m
envFrom:
- secretRef:
name: homepage-back-key-secret
ingressRoute:
host: home.alexlebens.net
authentik:
outpost: authentik-outpost-proxy
namespace: authentik
config:
widgets:
- logo:
icon: https://alexlebens-dev.nyc3.digitaloceanspaces.com/cl02do/assets/icon_white.png
- kubernetes:
cluster:
show: true
cpu: true
memory: true
showLabel: true
label: "Cluster"
nodes:
show: false
- datetime:
text_size: xl
format:
dateStyle: long
timeStyle: short
hour12: false
- openmeteo:
label: Denver
latitude: 39.73
longitude: 104.99
units: metric
cache: 5
services:
- Media:
- Plex:
icon: plex.png
href: https://plex.alexlebens.net
description: Media server
siteMonitor: http://plex.plex:32400
statusStyle: dot
- Overseerr:
icon: overseerr.png
description: Requests
href: https://overseerr.alexlebens.net
siteMonitor: http://overseerr.overseerr:5055
statusStyle: dot
- Jellyfin:
icon: jellyfin.png
description: Media server
href: https://jellyfin.alexlebens.net/
siteMonitor: http://jellyfin.jellyfin:8096
statusStyle: dot
- Kyoo:
icon: https://raw.githubusercontent.com/zoriya/Kyoo/master/icons/icon-256x256.png
description: Media server
href: https://kyoo.alexlebens.net/
siteMonitor: http://kyoo-front.kyoo:8901
statusStyle: dot
- TubeAchivist:
icon: tube-archivist.png
description: Youtube downloader
href: https://tubearchivist.alexlebens.net/login/
siteMonitor: http://tubearchivist.tubearchivist:8000
statusStyle: dot
- Navidrome:
icon: navidrome.png
description: Music
href: https://navidrome.alexlebens.net
siteMonitor: http://navidrome.navidrome:4533
statusStyle: dot
- Audiobookshelf:
icon: audiobookshelf.png
description: Audiobooks, Books, and Podcasts
href: https://audiobookshelf.alexlebens.net
siteMonitor: http://audiobookshelf.audiobookshelf:80
statusStyle: dot
- Calibre:
icon: calibre-web.png
description: Books
href: https://calibre.alexlebens.net
siteMonitor: http://calibre-web.calibre-web:8083
statusStyle: dot
- Applications:
- Ghost (.dev):
icon: ghost.png
description: Website and blog
href: https://blog.alexlebens.dev
siteMonitor: https://blog.alexlebens.dev
statusStyle: dot
- Chat (.dev):
icon: element.svg
description: Web client for Matrix chat
href: https://chat.alexlebens.dev
siteMonitor: https://chat.alexlebens.dev
statusStyle: dot
- Home Assistant:
icon: home-assistant.png
description: Home automation
href: https://homeassistant.alexlebens.net
siteMonitor: http://home-assistant.home-assistant:8123
statusStyle: dot
- Vikunja:
icon: vikunja.png
description: Notes and tasks
href: https://vikunja.alexlebens.net
siteMonitor: http://vikunja-frontend.vikunja:80
statusStyle: dot
- Taiga:
icon: taiga.png
description: Project planning
href: https://taiga.alexlebens.net
siteMonitor: http://taiga-front.taiga:80
statusStyle: dot
- Penpot:
icon: https://raw.githubusercontent.com/penpot/penpot/362d4ea47f06d169dd6e0a34cb9d141200e646e6/frontend/resources/images/icons/penpot-logo-icon.svg
description: Web design
href: https://penpot.alexlebens.net
siteMonitor: http://penpot.penpot:80
statusStyle: dot
- Outline:
icon: outline.png
description: Wiki
href: https://outline.alexlebens.net
siteMonitor: http://outline.outline:3000
statusStyle: dot
- FreshRss:
icon: freshrss.svg
description: Rss reader
href: https://rss.alexlebens.net
siteMonitor: http://freshrss.freshrss:80
statusStyle: dot
- Code:
- Code Server:
icon: code-server.png
description: VS Code in a browser
href: https://codeserver.alexlebens.net
siteMonitor: http://code-server.code-server:8443
statusStyle: dot
- Code Server - Home Assistant:
icon: code-server.png
description: Edit config for Home Assistant
href: https://homeassistant-codeserver.alexlebens.net
siteMonitor: http://home-assistant-codeserver.home-assistant:8443
statusStyle: dot
- Gitea:
icon: gitea.png
description: Code repository
href: https://gitea.alexlebens.net
siteMonitor: http://gitea-http.gitea:3000
statusStyle: dot
- ArgoCD:
icon: argocd.png
description: Continous Deployment
href: https://argocd.alexlebens.net
siteMonitor: http://argocd-server.argocd:80
statusStyle: dot
namespace: argocd
- Argo Rollouts:
icon: argocd.png
description: Deployment mangement and evaluation
href: https://argo-rollouts.alexlebens.net
siteMonitor: http://argo-rollouts-dashboard.argocd:3100
statusStyle: dot
namespace: argocd
- Argo Workflows:
icon: argocd.png
description: Workflows and events for ArgoCD
href: https://argo-workflows.alexlebens.net
siteMonitor: http://argo-workflows-server.argocd:2746
statusStyle: dot
namespace: argocd
- Kargo:
icon: https://raw.githubusercontent.com/akuity/kargo/main/ui/public/kargo-icon.png
description: Continous Integration
href: https://kargo.alexlebens.net
siteMonitor: http://kargo-api.argocd:80
statusStyle: dot
namespace: argocd
- Management:
- Calibre Server:
icon: calibre.png
description: Calibre content server
href: https://calibre-server.alexlebens.net
siteMonitor: http://calibre-server.calibre-server:8080
statusStyle: dot
- COPS:
icon: calibre-web.png
description: Calibre OPDS (and HTML) PHP Server
href: https://calibre-content.alexlebens.net
siteMonitor: http://cops.cops:80
statusStyle: dot
- Monitoring:
- Portainer:
icon: portainer.png
description: Service monitoring
href: https://portainer.alexlebens.net
siteMonitor: http://portainer.portainer:9000
statusStyle: dot
- Headlamp:
icon: kubernetes.png
description: Kubernetes dashboard
href: https://headlamp.alexlebens.net
siteMonitor: http://headlamp.headlamp:80
statusStyle: dot
- Hubble:
icon: cilium.png
description: Network monitoring for Cilium
href: https://hubble.alexlebens.net
siteMonitor: http://hubble-ui.kube-system:80
statusStyle: dot
- Grafana:
icon: grafana.png
description: Dashboard
href: https://grafana.alexlebens.net
siteMonitor: https://grafana.alexlebens.net
statusStyle: dot
- Prometheus:
icon: prometheus.png
description: Metrics database
href: https://prometheus.alexlebens.net
siteMonitor: http://kube-prometheus-stack-prometheus.kube-prometheus-stack:9090
statusStyle: dot
widget:
type: prometheus
url: http://kube-prometheus-stack-prometheus.kube-prometheus-stack:9090
- Alertmanager:
icon: alertmanager.png
description: Alerting and notification
href: https://alertmanager.alexlebens.net
siteMonitor: http://kube-prometheus-stack-alertmanager.kube-prometheus-stack:9093
statusStyle: dot
- Services:
- Authentik:
icon: authentik.png
description: Identity management and provider
href: https://authentik.alexlebens.net
siteMonitor: http://authentik-server.authentik:80
statusStyle: dot
- Authentik (.dev):
icon: authentik.png
description: Identity management and provider
href: https://auth.alexlebens.dev
siteMonitor: https://auth.alexlebens.dev
statusStyle: dot
- Traefik - cl01tl:
icon: traefik.png
description: Reverse proxy
href: https://traefik-cl01tl.alexlebens.net/dashboard/#/
siteMonitor: https://traefik-cl01tl.alexlebens.net/dashboard/#/
statusStyle: dot
widget:
type: traefik
url: https://traefik-cl01tl.alexlebens.net
- Traefik - ps08rp:
icon: traefik.png
description: Reverse proxy
href: https://traefik-ps08rp.alexlebens.net/dashboard/#/
siteMonitor: https://traefik-ps08rp.alexlebens.net/dashboard/#/
statusStyle: dot
- Traefik - ps09rp:
icon: traefik.png
description: Reverse proxy
href: https://traefik-ps09rp.alexlebens.net/dashboard/#/
siteMonitor: https://traefik-ps09rp.alexlebens.net/dashboard/#/
statusStyle: dot
- Technitium - ps08rp:
icon: technitium.png
description: DNS
href: https://technitium-ps08rp.alexlebens.net
siteMonitor: https://technitium-ps08rp.alexlebens.net
statusStyle: dot
- Technitium - ps09rp:
icon: technitium.png
description: DNS
href: https://technitium-ps09rp.alexlebens.net
siteMonitor: https://technitium-ps09rp.alexlebens.net
statusStyle: dot
- Hardware:
- Unifi:
icon: unifi.png
description: Manager network hardware
href: https://unifi.alexlebens.net
siteMonitor: https://unifi.alexlebens.net
statusStyle: dot
- Synology:
icon: synology.png
description: Network Attached Storage
href: https://synology.alexlebens.net
siteMonitor: https://synology.alexlebens.net
statusStyle: dot
widget:
type: diskstation
url: https://synology.alexlebens.net
username: '{{HOMEPAGE_VAR_SYNOLOGY_USER}}'
password: '{{HOMEPAGE_VAR_SYNOLOGY_PASSWORD}}'
volume: volume_2
- HD Homerun Flex:
icon: hdhomerun.png
description: TV Tuner
href: http://hdhr.alexlebens.net
siteMonitor: http://hdhr.alexlebens.net
statusStyle: dot
- Pi KVM:
icon: pikvm.png
description: IP KVM
href: https://pikvm.alexlebens.net
siteMonitor: https://pikvm.alexlebens.net
statusStyle: dot
- Storage:
- Ceph:
icon: ceph.png
description: Clustered storage
href: https://ceph.alexlebens.net
siteMonitor: http://rook-ceph-mgr-dashboard.rook-ceph:7000
statusStyle: dot
- PGAdmin:
icon: pgadmin.png
description: Postgresql console
href: https://pgadmin.alexlebens.net
siteMonitor: http://pgadmin-pgadmin4.pgadmin:80
statusStyle: dot
- Vault:
icon: vault.png
description: Secret management
href: https://vault.alexlebens.net
siteMonitor: http://vault.vault:8200
statusStyle: dot
- Minio:
icon: minio.png
description: Operator for Minio S3 storage
href: https://minio.alexlebens.net
siteMonitor: http://console.minio-operator:9090
statusStyle: dot
- Minio - Outline:
icon: minio.png
description: Tenant for Outline S3 storage
href: https://minio-outline.alexlebens.net
siteMonitor: http://minio-outline-console.outline:9090
statusStyle: dot
- Minio - Penpot:
icon: minio.png
description: Tenant for Penpot S3 storage
href: https://minio-penpot.alexlebens.net
siteMonitor: http://minio-penpot-console.penpot:9090
statusStyle: dot
bookmarks:
- External Services:
- Github:
- abbr: GH
href: https://github.com/alexlebens/alexlebens-net
- Renovate:
- abbr: RN
href: https://developer.mend.io/[platform]/alexlebens/alexlebens-net
- AWS:
- abbr: AW
href: https://aws.amazon.com/console/
- Cloudflare:
- abbr: CF
href: https://dash.cloudflare.com/b76e303258b84076ee01fd0f515c0768
- Tailscale:
- abbr: TS
href: https://login.tailscale.com/admin/machines
- ProtonVPN:
- abbr: PV
href: https://account.protonvpn.com/
- Pushover:
- abbr: PO
href: https://pushover.net
- ReCaptcha:
- abbr: RC
href: https://www.google.com/recaptcha/admin/site/698983587
- Dashboard Icons:
- abbr: DI
href: https://github.com/walkxcode/dashboard-icons/tree/main/png
settings:
favicon: https://alexlebens-dev.nyc3.digitaloceanspaces.com/cl02do/assets/icon_white.png
headerStyle: clean
hideVersion: true
color: slate
background:
image: https://alexlebens-dev.nyc3.digitaloceanspaces.com/cl02do/assets/background.jpg
theme: dark
disableCollapse: true
layout:
- Media:
tab: Apps
icon: mdi-multimedia-#ffffff
- Applications:
tab: Apps
icon: mdi-application-#ffffff
- Code:
tab: Tools
icon: mdi-code-braces-box-#ffffff
- Monitoring:
tab: Tools
icon: mdi-chart-bar-#ffffff
- Management:
tab: Tools
icon: mdi-content-save-cog-#ffffff
- Services:
tab: Services
icon: mdi-server-network-#ffffff
- Hardware:
tab: Services
icon: mdi-lan-connect-#ffffff
- Storage:
tab: Services
icon: mdi-harddisk-#ffffff
- External Services:
tab: Bookmarks
icon: mdi-cloud-#ffffff
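Review bot: The Renovate bookmark `href: https://developer.mend.io/[platform]/alexlebens/alexlebens-net` still contains the literal `[platform]` segment from the documentation template, so the link is broken as written; for a GitHub-hosted repository the segment is presumably `github`. Several display strings carry typos that end up on the dashboard: `TubeAchivist`, `Continous Deployment`, `Continous Integration`, `Deployment mangement and evaluation`, and `Manager network hardware` (likely "Manage"). Style-wise `label: "Cluster"` is the only quoted plain label in the file; the quotes are harmless but inconsistent with the rest.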


@@ -0,0 +1,11 @@
apiVersion: v2
name: jellyfin
version: 0.0.1
sources:
- https://github.com/jellyfin/jellyfin
- https://github.com/loeken/helm-charts/tree/main/charts/jellyfin
dependencies:
- name: jellyfin
version: 10.9.1
repository: https://loeken.github.io/helm-charts
appVersion: 10.8.13


@@ -0,0 +1,40 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: jellyfin-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: jellyfin-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: jellyfin-youtube-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: jellyfin-youtube-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadOnlyMany
resources:
requests:
storage: 1Gi


@@ -0,0 +1,52 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: jellyfin-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: {{ .Values.storage.storage.nfs.path }}
server: {{ .Values.storage.storage.nfs.server }}
mountOptions:
- vers=4
- minorversion=1
- noac
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: jellyfin-youtube-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadOnlyMany
nfs:
path: {{ .Values.storage.youtube.nfs.path }}
server: {{ .Values.storage.youtube.nfs.server }}
mountOptions:
- vers=4
- minorversion=1
- noac
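Review bot: Both PersistentVolumes in this hunk set `metadata.namespace: {{ .Release.Namespace }}`, but a PersistentVolume is cluster-scoped, so the field is dropped by the API server and only serves to mislead; removing the `namespace:` line from each PV avoids that. Both PVs also declare `storageClassName: nfs-client`, and the Renovate configuration in this commit lists `nfs-subdir-external-provisioner`, which suggests a dynamic provisioner may own that class; a static PV is safer under a class the provisioner does not handle (or an empty class, `storageClassName: ""`) so the PVC's `volumeName` binding is the only path. The `noac` mount option is deliberate for consistency but costs attribute caching; a short comment, `# noac: disable attribute caching so library scans see NFS changes promptly`, would record the intent.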


@@ -0,0 +1,55 @@
jellyfin:
env:
TZ: US/Central
ingress:
main:
enabled: true
ingressClassName: traefik
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
hosts:
- host: jellyfin.alexlebens.net
paths:
- path: /
pathType: Prefix
tls:
- secretName: jellyfin-secret-tls
hosts:
- jellyfin.alexlebens.net
persistence:
config:
enabled: true
mountPath: /config
accessMode: ReadWriteOnce
size: 40Gi
cache:
enabled: true
mountPath: /cache
accessMode: ReadWriteOnce
size: 40Gi
media:
enabled: true
mountPath: /mnt/store
type: pvc
existingClaim: jellyfin-nfs-storage
youtube:
enabled: true
mountPath: /youtube
type: pvc
existingClaim: jellyfin-youtube-nfs-storage
resources:
requests:
gpu.intel.com/i915: 1
limits:
gpu.intel.com/i915: 1
storage:
storage:
nfs:
path: /volume2/Storage
server: synologybond.alexlebens.net
youtube:
nfs:
path: /volume2/Storage/YouTube
server: synologybond.alexlebens.net
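Review bot: The `media` volume is mounted read-write (it binds `jellyfin-nfs-storage`, whose PVC requests `ReadWriteMany`), while the `youtube` volume at the same level is `ReadOnlyMany`; if Jellyfin is not expected to write metadata or images next to the media, mounting `/mnt/store` read-only as well keeps a compromised or misconfigured player from modifying the library share. If writes are intended, a comment on the `media:` entry stating that would document the asymmetry. The `resources` block requests a GPU but sets no CPU or memory limits, unlike the other charts in this commit.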


@@ -0,0 +1,32 @@
apiVersion: v2
name: kyoo
version: 1.0.0
description: A Helm chart for deploying Kyoo
keywords:
- kyoo
- media
sources:
- https://github.com/zoriya/Kyoo
- https://github.com/rabbitmq/rabbitmq-server
- https://github.com/bitnami/charts/tree/main/bitnami/rabbitmq
- https://github.com/meilisearch/meilisearch
- https://github.com/meilisearch/meilisearch-kubernetes/tree/main/charts/meilisearch
- https://github.com/alexlebens/helm-charts/charts/postgres-cluster
maintainers:
- name: alexlebens
dependencies:
- name: app-template
repository: https://bjw-s.github.io/helm-charts/
version: 3.1.0
- name: rabbitmq
version: 14.1.4
repository: https://charts.bitnami.com/bitnami
- name: meilisearch
version: 0.7.0
repository: https://meilisearch.github.io/meilisearch-kubernetes
- name: postgres-cluster
alias: postgres-16-cluster
version: 3.0.0
repository: http://alexlebens.github.io/helm-charts
icon: https://raw.githubusercontent.com/zoriya/Kyoo/master/icons/icon-256x256.png
appVersion: v4.5.0


@@ -0,0 +1,183 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: kyoo-key-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-key-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: key
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /kyoo/authentication
metadataPolicy: None
property: key
- secretKey: kyoo
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /kyoo/authentication
metadataPolicy: None
property: kyoo
- secretKey: tmdb
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /kyoo/authentication
metadataPolicy: None
property: tmdb
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: kyoo-api-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-api-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: kyoo
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /kyoo/api
metadataPolicy: None
property: kyoo
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: kyoo-oidc-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-oidc-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: auth
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: client
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/kyoo
metadataPolicy: None
property: client
- secretKey: secret
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/kyoo
metadataPolicy: None
property: secret
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: kyoo-rabbitmq-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-rabbitmq-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: rabbitmq
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: password
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /kyoo/rabbitmq
metadataPolicy: None
property: password
- secretKey: erlang
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /kyoo/rabbitmq
metadataPolicy: None
property: erlang
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: kyoo-meilisearch-master-key-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-meilisearch-master-key-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: meilisearch
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: MEILI_MASTER_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /kyoo/meilisearch
metadataPolicy: None
property: MEILI_MASTER_KEY
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: kyoo-postgresql-16-cluster-backup-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-postgresql-16-cluster-backup-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: database
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /aws/keys/cl01tl-kyoo-postgresql
metadataPolicy: None
property: access_key
- secretKey: ACCESS_SECRET_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /aws/keys/cl01tl-kyoo-postgresql
metadataPolicy: None
property: secret_key


@@ -0,0 +1,32 @@
apiVersion: traefik.io/v1alpha1
kind: IngressRoute
metadata:
name: kyoo
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
entryPoints:
- websecure
routes:
- kind: Rule
match: Host(`kyoo.alexlebens.net`)
priority: 10
services:
- kind: Service
name: kyoo-front
port: 8901
- kind: Rule
match: Host(`kyoo.alexlebens.net`) && PathPrefix(`/api/`)
middlewares:
- name: kyoo-strip-prefix
namespace: {{ .Release.Namespace }}
priority: 15
services:
- kind: Service
name: kyoo-back
port: 5000
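Review bot: The IngressRoute declares `entryPoints: [websecure]` but no `tls:` stanza, whereas the Ingress resources elsewhere in this commit set `traefik.ingress.kubernetes.io/router.tls: "true"` explicitly; unless the websecure entrypoint applies TLS to every router by default, this route is registered as a non-TLS router on the TLS port. Adding `tls: {}` under `spec` (plus the cert source the cluster uses) makes the route's TLS handling explicit and consistent. The `/api/` route also carries no forward-auth middleware, unlike the authentik-fronted ingressRoutes in the home-assistant values; that may be intended since Kyoo has its own OIDC login, but a comment saying so would save the next reviewer the same question.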


@@ -0,0 +1,15 @@
apiVersion: traefik.io/v1alpha1
kind: Middleware
metadata:
name: kyoo-strip-prefix
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-strip-prefix
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: auth
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
stripPrefix:
prefixes:
- /api/
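Review bot: The Middleware is labelled `app.kubernetes.io/component: auth`, but a `stripPrefix` middleware performs no authentication; the IngressRoute it serves uses `component: web`, so `app.kubernetes.io/component: web` would describe it accurately and keep the two resources selectable together.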


@@ -0,0 +1,229 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: kyoo-anime-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-anime-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: kyoo-anime-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: kyoo-anime-movies-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-anime-movies-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: kyoo-anime-movies-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: kyoo-documentaries-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-documentaries-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: kyoo-documentaries-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: kyoo-documentary-shows-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-documentary-shows-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: kyoo-documentary-shows-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: kyoo-movies-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-movies-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: kyoo-movies-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: kyoo-movies-4k-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-movies-4k-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: kyoo-movies-4k-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: kyoo-movies-classics-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-movies-classics-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: kyoo-movies-classics-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: kyoo-movies-foreign-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-movies-foreign-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: kyoo-movies-foreign-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: kyoo-stand-up-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-stand-up-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: kyoo-stand-up-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: kyoo-tv-shows-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-tv-shows-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: kyoo-tv-shows-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: kyoo-tv-shows-4k-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-tv-shows-4k-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: kyoo-tv-shows-4k-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi


@@ -0,0 +1,295 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: kyoo-anime-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-anime-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: /volume2/Storage/Anime
server: synologybond.alexlebens.net
mountOptions:
- vers=4
- minorversion=1
- noac
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: kyoo-anime-movies-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-anime-movies-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: "/volume2/Storage/Anime Movies"
server: synologybond.alexlebens.net
mountOptions:
- vers=4
- minorversion=1
- noac
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: kyoo-documentaries-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-documentaries-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: /volume2/Storage/Documentaries
server: synologybond.alexlebens.net
mountOptions:
- vers=4
- minorversion=1
- noac
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: kyoo-documentary-shows-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-documentary-shows-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: "/volume2/Storage/Documentary Shows"
server: synologybond.alexlebens.net
mountOptions:
- vers=4
- minorversion=1
- noac
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: kyoo-movies-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-movies-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: /volume2/Storage/Movies
server: synologybond.alexlebens.net
mountOptions:
- vers=4
- minorversion=1
- noac
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: kyoo-movies-4k-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-movies-4k-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: "/volume2/Storage/Movies 4K"
server: synologybond.alexlebens.net
mountOptions:
- vers=4
- minorversion=1
- noac
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: kyoo-movies-classics-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-movies-classics-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: "/volume2/Storage/Movies Classics"
server: synologybond.alexlebens.net
mountOptions:
- vers=4
- minorversion=1
- noac
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: kyoo-movies-foreign-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-movies-foreign-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: "/volume2/Storage/Movies Foreign"
server: synologybond.alexlebens.net
mountOptions:
- vers=4
- minorversion=1
- noac
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: kyoo-stand-up-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-stand-up-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: "/volume2/Storage/Stand Up"
server: synologybond.alexlebens.net
mountOptions:
- vers=4
- minorversion=1
- noac
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: kyoo-tv-shows-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-tv-shows-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: "/volume2/Storage/TV Shows"
server: synologybond.alexlebens.net
mountOptions:
- vers=4
- minorversion=1
- noac
---
apiVersion: v1
kind: PersistentVolume
metadata:
name: kyoo-tv-shows-4k-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kyoo-tv-shows-4k-nfs-storage
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: "/volume2/Storage/TV Shows 4K"
server: synologybond.alexlebens.net
mountOptions:
- vers=4
- minorversion=1
- noac
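Review bot: `metadata.namespace` (L2731 and each PV that follows) has no effect on a PersistentVolume, which is cluster-scoped, and none of the eleven PVs set `spec.claimRef`, so each sits `Available` until the first matching claim from any namespace arrives. Because they all share `storageClassName: nfs-client`, `1Gi` and `ReadWriteMany`, a PVC elsewhere in the cluster that requests that class without a `volumeName` can bind one of these media exports before the intended kyoo PVC does. Pinning each PV with `claimRef: {namespace: {{ .Release.Namespace }}, name: kyoo-anime-nfs-storage}` (and the corresponding name for the others) makes the binding deterministic and keeps the share from being handed to another workload; the libation (L3648-L3672) and navidrome (L3733-L3757) PVs have the same shape and would benefit from the same change.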


@@ -0,0 +1,590 @@
app-template:
controllers:
autosync:
type: deployment
replicas: 1
strategy: Recreate
revisionHistoryLimit: 3
containers:
main:
image:
repository: ghcr.io/zoriya/kyoo_autosync
tag: "4.5.0"
pullPolicy: IfNotPresent
env:
- name: RABBITMQ_HOST
value: kyoo-rabbitmq
- name: RABBITMQ_DEFAULT_USER
value: kyoo
- name: RABBITMQ_DEFAULT_PASS
valueFrom:
secretKeyRef:
name: kyoo-rabbitmq-secret
key: password
resources:
limits:
cpu: 100m
memory: 512Mi
requests:
cpu: 10m
memory: 128Mi
back:
type: deployment
replicas: 1
strategy: Recreate
revisionHistoryLimit: 3
initContainers:
migrations:
image:
repository: ghcr.io/zoriya/kyoo_migrations
tag: "4.5.0"
pullPolicy: IfNotPresent
env:
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
name: kyoo-postgresql-16-cluster-app
key: username
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: kyoo-postgresql-16-cluster-app
key: password
- name: POSTGRES_DB
valueFrom:
secretKeyRef:
name: kyoo-postgresql-16-cluster-app
key: dbname
- name: POSTGRES_SERVER
valueFrom:
secretKeyRef:
name: kyoo-postgresql-16-cluster-app
key: host
- name: POSTGRES_PORT
valueFrom:
secretKeyRef:
name: kyoo-postgresql-16-cluster-app
key: port
resources:
limits:
cpu: 500m
memory: 512Mi
requests:
cpu: 10m
memory: 256Mi
containers:
main:
image:
repository: ghcr.io/zoriya/kyoo_back
tag: "4.5.0"
pullPolicy: IfNotPresent
env:
- name: REQUIRE_ACCOUNT_VERIFICATION
value: "false"
- name: UNLOGGED_PERMISSIONS
value: overall.read
- name: DEFAULT_PERMISSIONS
value: overall.read,overall.play
- name: AUTHENTICATION_SECRET
valueFrom:
secretKeyRef:
name: kyoo-key-secret
key: key
- name: KYOO_APIKEYS
valueFrom:
secretKeyRef:
name: kyoo-key-secret
key: kyoo
- name: THEMOVIEDB_APIKEY
valueFrom:
secretKeyRef:
name: kyoo-key-secret
key: tmdb
- name: PUBLIC_URL
value: https://kyoo.alexlebens.net
- name: POSTGRES_USER
valueFrom:
secretKeyRef:
name: kyoo-postgresql-16-cluster-app
key: username
- name: POSTGRES_PASSWORD
valueFrom:
secretKeyRef:
name: kyoo-postgresql-16-cluster-app
key: password
- name: POSTGRES_DB
valueFrom:
secretKeyRef:
name: kyoo-postgresql-16-cluster-app
key: dbname
- name: POSTGRES_SERVER
valueFrom:
secretKeyRef:
name: kyoo-postgresql-16-cluster-app
key: host
- name: POSTGRES_PORT
valueFrom:
secretKeyRef:
name: kyoo-postgresql-16-cluster-app
key: port
- name: OIDC_SERVICE_NAME
value: Authentik
- name: OIDC_SERVICE_LOGO
value: https://avatars.githubusercontent.com/u/82976448?s=200&v=4
- name: OIDC_SERVICE_AUTHORIZATION
value: https://authentik.alexlebens.net/application/o/authorize/
- name: OIDC_SERVICE_TOKEN
value: https://authentik.alexlebens.net/application/o/token/
- name: OIDC_SERVICE_PROFILE
value: https://authentik.alexlebens.net/application/o/userinfo/
- name: OIDC_SERVICE_SCOPE
value: "openid profile email"
- name: OIDC_SERVICE_CLIENTID
valueFrom:
secretKeyRef:
name: kyoo-oidc-secret
key: client
- name: OIDC_SERVICE_SECRET
valueFrom:
secretKeyRef:
name: kyoo-oidc-secret
key: secret
- name: TRANSCODER_URL
value: http://kyoo-transcoder.kyoo:7666
- name: MEILI_HOST
value: http://kyoo-meilisearch.kyoo:7700
- name: MEILI_MASTER_KEY
valueFrom:
secretKeyRef:
name: kyoo-meilisearch-master-key-secret
key: MEILI_MASTER_KEY
- name: RABBITMQ_HOST
value: kyoo-rabbitmq
- name: RABBITMQ_DEFAULT_USER
value: kyoo
- name: RABBITMQ_DEFAULT_PASS
valueFrom:
secretKeyRef:
name: kyoo-rabbitmq-secret
key: password
resources:
limits:
cpu: 5000m
memory: 5Gi
requests:
cpu: 100m
memory: 256Mi
front:
type: deployment
replicas: 1
strategy: Recreate
revisionHistoryLimit: 3
containers:
main:
image:
repository: ghcr.io/zoriya/kyoo_front
tag: "4.5.0"
pullPolicy: IfNotPresent
env:
- name: KYOO_URL
value: http://kyoo-back.kyoo:5000
- name: KYOO_APIKEYS
valueFrom:
secretKeyRef:
name: kyoo-key-secret
key: kyoo
resources:
limits:
cpu: 500m
memory: 512Mi
requests:
cpu: 100m
memory: 256Mi
matcher:
type: deployment
replicas: 1
strategy: Recreate
revisionHistoryLimit: 3
containers:
main:
image:
repository: ghcr.io/zoriya/kyoo_scanner
tag: "4.5.0"
pullPolicy: IfNotPresent
args:
- matcher
env:
- name: KYOO_URL
value: http://kyoo-back.kyoo:5000
- name: KYOO_APIKEYS
valueFrom:
secretKeyRef:
name: kyoo-key-secret
key: kyoo
- name: THEMOVIEDB_APIKEY
valueFrom:
secretKeyRef:
name: kyoo-key-secret
key: tmdb
- name: LIBRARY_LANGUAGES
value: en
- name: LIBRARY_IGNORE_PATTERN
value: .*/[dD]ownloads?/.*
- name: RABBITMQ_HOST
value: kyoo-rabbitmq
- name: RABBITMQ_DEFAULT_USER
value: kyoo
- name: RABBITMQ_DEFAULT_PASS
valueFrom:
secretKeyRef:
name: kyoo-rabbitmq-secret
key: password
resources:
limits:
cpu: 5000m
memory: 2Gi
requests:
cpu: 100m
memory: 256Mi
scanner:
type: deployment
replicas: 1
strategy: Recreate
revisionHistoryLimit: 3
containers:
main:
image:
repository: ghcr.io/zoriya/kyoo_scanner
tag: "4.5.0"
pullPolicy: IfNotPresent
env:
- name: KYOO_URL
value: http://kyoo-back.kyoo:5000
- name: KYOO_APIKEYS
valueFrom:
secretKeyRef:
name: kyoo-key-secret
key: kyoo
- name: THEMOVIEDB_APIKEY
valueFrom:
secretKeyRef:
name: kyoo-key-secret
key: tmdb
- name: LIBRARY_LANGUAGES
value: en
- name: LIBRARY_IGNORE_PATTERN
value: .*/[dD]ownloads?/.*
- name: RABBITMQ_HOST
value: kyoo-rabbitmq
- name: RABBITMQ_DEFAULT_USER
value: kyoo
- name: RABBITMQ_DEFAULT_PASS
valueFrom:
secretKeyRef:
name: kyoo-rabbitmq-secret
key: password
resources:
limits:
cpu: 5000m
memory: 2Gi
requests:
cpu: 100m
memory: 256Mi
transcoder:
type: deployment
replicas: 1
strategy: Recreate
revisionHistoryLimit: 3
containers:
main:
image:
repository: ghcr.io/zoriya/kyoo_transcoder
tag: "4.5.0"
pullPolicy: IfNotPresent
env:
- name: GOCODER_HWACCEL
value: qsv
- name: GOCODER_QSV_RENDERER
value: /dev/dri/renderD128
- name: GOCODER_PRESET
value: fast
- name: GOCODER_METADATA_ROOT
value: /metadata
- name: GOCODER_CACHE_ROOT
value: /cache
resources:
limits:
cpu: 5000m
memory: 4Gi
gpu.intel.com/i915: 1
requests:
cpu: 100m
memory: 512Mi
gpu.intel.com/i915: 1
serviceAccount:
create: true
service:
back:
controller: back
ports:
http:
port: 5000
targetPort: 5000
protocol: HTTP
front:
controller: front
ports:
http:
port: 8901
targetPort: 8901
protocol: HTTP
transcoder:
controller: transcoder
ports:
http:
port: 7666
targetPort: 7666
protocol: HTTP
persistence:
back:
storageClass: ceph-block
accessMode: ReadWriteOnce
size: 50Gi
retain: true
advancedMounts:
back:
main:
- path: /metadata
readOnly: false
metadata:
storageClass: ceph-block
accessMode: ReadWriteOnce
size: 10Gi
retain: true
advancedMounts:
transcoder:
main:
- path: /metadata
readOnly: false
cache:
type: emptyDir
advancedMounts:
transcoder:
main:
- path: /cache
readOnly: false
anime:
existingClaim: kyoo-anime-nfs-storage
advancedMounts:
scanner:
main:
- path: "/video/Anime"
readOnly: true
matcher:
main:
- path: "/video/Anime"
readOnly: true
transcoder:
main:
- path: "/video/Anime"
readOnly: true
anime-movies:
existingClaim: kyoo-anime-movies-nfs-storage
advancedMounts:
scanner:
main:
- path: "/video/Anime Movies"
readOnly: true
matcher:
main:
- path: "/video/Anime Movies"
readOnly: true
transcoder:
main:
- path: "/video/Anime Movies"
readOnly: true
documentaries:
existingClaim: kyoo-documentaries-nfs-storage
advancedMounts:
scanner:
main:
- path: /video/Documentaries
readOnly: true
matcher:
main:
- path: /video/Documentaries
readOnly: true
transcoder:
main:
- path: /video/Documentaries
readOnly: true
documentary-shows:
existingClaim: kyoo-documentary-shows-nfs-storage
advancedMounts:
scanner:
main:
- path: "/video/Documentary Shows"
readOnly: true
matcher:
main:
- path: "/video/Documentary Shows"
readOnly: true
transcoder:
main:
- path: "/video/Documentary Shows"
readOnly: true
movies:
existingClaim: kyoo-movies-nfs-storage
advancedMounts:
scanner:
main:
- path: "/video/Movies"
readOnly: true
matcher:
main:
- path: "/video/Movies"
readOnly: true
transcoder:
main:
- path: "/video/Movies"
readOnly: true
movies-4k:
existingClaim: kyoo-movies-4k-nfs-storage
advancedMounts:
scanner:
main:
- path: "/video/Movies 4K"
readOnly: true
matcher:
main:
- path: "/video/Movies 4K"
readOnly: true
transcoder:
main:
- path: "/video/Movies 4K"
readOnly: true
movies-classics:
existingClaim: kyoo-movies-classics-nfs-storage
advancedMounts:
scanner:
main:
- path: "/video/Movies Classics"
readOnly: true
matcher:
main:
- path: "/video/Movies Classics"
readOnly: true
transcoder:
main:
- path: "/video/Movies Classics"
readOnly: true
movies-foreign:
existingClaim: kyoo-movies-foreign-nfs-storage
advancedMounts:
scanner:
main:
- path: "/video/Movies Foreign"
readOnly: true
matcher:
main:
- path: "/video/Movies Foreign"
readOnly: true
transcoder:
main:
- path: "/video/Movies Foreign"
readOnly: true
stand-up:
existingClaim: kyoo-stand-up-nfs-storage
advancedMounts:
scanner:
main:
- path: "/video/Stand Up"
readOnly: true
matcher:
main:
- path: "/video/Stand Up"
readOnly: true
transcoder:
main:
- path: "/video/Stand Up"
readOnly: true
tv-shows:
existingClaim: kyoo-tv-shows-nfs-storage
advancedMounts:
scanner:
main:
- path: "/video/TV Shows"
readOnly: true
matcher:
main:
- path: "/video/TV Shows"
readOnly: true
transcoder:
main:
- path: "/video/TV Shows"
readOnly: true
tv-shows-4k:
existingClaim: kyoo-tv-shows-4k-nfs-storage
advancedMounts:
scanner:
main:
- path: "/video/TV Shows 4K"
readOnly: true
matcher:
main:
- path: "/video/TV Shows 4K"
readOnly: true
transcoder:
main:
- path: "/video/TV Shows 4K"
readOnly: true
rabbitmq:
auth:
username: kyoo
existingPasswordSecret: kyoo-rabbitmq-secret
existingSecretPasswordKey: password
existingErlangSecret: kyoo-rabbitmq-secret
existingSecretErlangKey: erlang
extraConfiguration: |-
default_vhost = /
default_permissions.configure = .*
default_permissions.read = .*
default_permissions.write = .*
meilisearch:
environment:
MEILI_NO_ANALYTICS: true
MEILI_ENV: production
auth:
existingMasterKeySecret: kyoo-meilisearch-master-key-secret
service:
type: ClusterIP
port: 7700
persistence:
enabled: true
storageClass: ceph-block
size: 10Gi
resources:
limits:
cpu: 200m
memory: 2Gi
requests:
cpu: 10m
memory: 128Mi
serviceMonitor:
enabled: true
postgres-16-cluster:
mode: standalone
cluster:
walStorage:
storageClass: local-path
storage:
storageClass: local-path
monitoring:
enabled: true
backup:
enabled: true
endpointURL: https://s3.us-east-2.amazonaws.com
destinationPath: s3://cl01tl-postgresql-backups/kyoo
endpointCredentials: kyoo-postgresql-16-cluster-backup-secret
backupIndex: 1
retentionPolicy: 14d
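Review bot: `MEILI_NO_ANALYTICS: true` (L3570) is a YAML boolean; if the meilisearch chart passes `environment` entries through to a ConfigMap or container `env` without quoting, the API server rejects a bool where a string is required, so write it `MEILI_NO_ANALYTICS: "true"` as was already done for `REQUIRE_ACCOUNT_VERIFICATION` at L3098. Separately, `UNLOGGED_PERMISSIONS: overall.read` (L3099-L3100) combined with `REQUIRE_ACCOUNT_VERIFICATION: "false"` appears to expose library metadata to anonymous clients on the public host and to make new accounts usable without verification; if that is deliberate, a short comment above those two entries stating so would keep it from being re-raised, and if not, `UNLOGGED_PERMISSIONS: ""` is the conservative setting. The transcoder and scanner media mounts being `readOnly: true` throughout L3391-L3555 is the right default and worth keeping as the pattern for any library added later.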


@@ -0,0 +1,11 @@
apiVersion: v2
name: libation
version: 0.0.5
sources:
- https://github.com/rmcrackan/Libation
- https://github.com/alexlebens/helm-charts/charts/libation
dependencies:
- name: libation
version: 0.0.6
repository: http://alexlebens.github.io/helm-charts
appVersion: "11.1.0"
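Review bot: `repository: http://alexlebens.github.io/helm-charts` (L3619) fetches the chart index and tarball over cleartext HTTP, which gives no integrity guarantee for the dependency being installed; GitHub Pages serves the same path over HTTPS. Change it to `repository: https://alexlebens.github.io/helm-charts`; the outline Chart.yaml uses the same URL at L3820 and L3828, while the navidrome dependency at L3704 already uses https. A `Chart.lock` with digests for these dependencies would additionally pin what Renovate later bumps.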


@@ -0,0 +1,19 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: libation-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: libation-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi


@@ -0,0 +1,25 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: libation-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: {{ .Values.storage.storage.nfs.path }}
server: {{ .Values.storage.storage.nfs.server }}
mountOptions:
- vers=4
- minorversion=1
- noac
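Review bot: `path: {{ .Values.storage.storage.nfs.path }}` and `server: {{ .Values.storage.storage.nfs.server }}` (L3667-L3668) inject the values as plain scalars, which breaks as soon as a path contains a space or a YAML-significant character — the kyoo PVs in this same commit had to quote exactly such paths (e.g. L2772). Rendering them with `| quote` makes the template robust to any value: `path: {{ .Values.storage.storage.nfs.path | quote }}` and `server: {{ .Values.storage.storage.nfs.server | quote }}`. The navidrome PV at L3752-L3753 has the same template and the same fix applies.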


@@ -0,0 +1,14 @@
libation:
libation:
job:
schedule: "0 * * * *"
persistence:
config:
storageClassName: nfs-client
books:
claimName: libation-nfs-storage
storage:
storage:
nfs:
path: /volume2/Storage/Audiobooks/
server: synologybond.alexlebens.net


@@ -0,0 +1,11 @@
apiVersion: v2
name: navidrome
version: 0.0.2
sources:
- https://github.com/navidrome/navidrome
- https://github.com/0xEmma/helm-charts/tree/main/charts/navidrome
dependencies:
- name: navidrome
version: 0.0.6
repository: https://0xemma.github.io/helm-charts
appVersion: "0.51.1"
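Review bot: `appVersion: "0.51.1"` (L3705) does not match the image tag pinned in the values file (`tag: "0.52.5"` at L3765), and appVersion feeds the `app.kubernetes.io/version` label on the PVC and PV templates (L3718, L3741), so the rendered resources would advertise a version that is not the one running. Either bump `appVersion: "0.52.5"` alongside the tag or drop the explicit tag override so the upstream chart's default tracks its own appVersion.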


@@ -0,0 +1,19 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: navidrome-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: navidrome-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi


@@ -0,0 +1,25 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: navidrome-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: {{ .Values.storage.storage.nfs.path }}
server: {{ .Values.storage.storage.nfs.server }}
mountOptions:
- vers=4
- minorversion=1
- noac


@@ -0,0 +1,43 @@
navidrome:
image:
repository: deluan/navidrome
tag: "0.52.5"
ingress:
main:
enabled: true
ingressClassName: traefik
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
hosts:
- host: navidrome.alexlebens.net
paths:
- path: /
pathType: Prefix
tls:
- secretName: navidrome-secret-tls
hosts:
- navidrome.alexlebens.net
persistence:
config:
enabled: true
mountPath: /data
accessMode: ReadWriteOnce
size: 2Gi
music:
enabled: true
mountPath: /mnt/store
type: pvc
existingClaim: navidrome-nfs-storage
env:
ND_MUSICFOLDER: /mnt/store/Music
ND_SCANSCHEDULE: 1h
ND_LOGLEVEL: info
ND_SESSIONTIMEOUT: 24h
ND_BASEURL: "/"
storage:
storage:
nfs:
path: /volume2/Storage
server: synologybond.alexlebens.net
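Review bot: The music volume exports the entire `/volume2/Storage` share (L3803) and mounts it read-write at `/mnt/store` (L3791-L3793), while Navidrome is pointed only at `/mnt/store/Music` (L3795), so the pod is handed write access to every sibling library on that share for no functional gain. Narrow the export to the music folder (`path: /volume2/Storage/Music` with `ND_MUSICFOLDER: /mnt/store`) and, if the chart's persistence block supports it, mount it `readOnly: true` — Navidrome should only need to read the library, and the kyoo values in this commit already mount all media read-only (L3396-L3397).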


@@ -0,0 +1,21 @@
apiVersion: v2
name: outline
version: 1.0.0
sources:
- https://github.com/outline/outline
- https://github.com/minio/operator
- https://github.com/alexlebens/helm-charts/charts/outline
- https://github.com/alexlebens/helm-charts/charts/postgres-cluster
dependencies:
- name: outline
version: 0.6.1
repository: http://alexlebens.github.io/helm-charts
- name: tenant
version: 5.0.15
alias: minio
repository: https://operator.min.io/
- name: postgres-cluster
alias: postgres-16-cluster
version: 3.0.0
repository: http://alexlebens.github.io/helm-charts
appVersion: v0.75.2


@@ -0,0 +1,176 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: outline-key-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: secret-key
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /outline/key
metadataPolicy: None
property: secret-key
- secretKey: utils-key
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /outline/key
metadataPolicy: None
property: utils-key
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: outline-oidc-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: client
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/outline
metadataPolicy: None
property: client
- secretKey: secret
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/outline
metadataPolicy: None
property: secret
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: outline-bucket-user-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: outline-bucket-user-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: database
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: AWS_ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /outline/minio/auth
metadataPolicy: None
property: AWS_ACCESS_KEY_ID
- secretKey: AWS_SECRET_ACCESS_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /outline/minio/auth
metadataPolicy: None
property: AWS_SECRET_ACCESS_KEY
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: outline-minio-root-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: outline-bucket-auth-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: database
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: config.env
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /outline/minio/root
metadataPolicy: None
property: config.env
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: outline-minio-config-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: outline-bucket-auth-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: database
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: config.env
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /outline/minio/config
metadataPolicy: None
property: config.env
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: outline-postgresql-16-cluster-backup-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: database
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /aws/keys/cl01tl-outline-postgresql
metadataPolicy: None
property: access_key
- secretKey: ACCESS_SECRET_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /aws/keys/cl01tl-outline-postgresql
metadataPolicy: None
property: secret_key
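Review bot: Both `outline-minio-root-secret` (L3930) and `outline-minio-config-secret` (L3954) carry `app.kubernetes.io/name: outline-bucket-auth-secret` (L3933, L3957), a copy-paste leftover that matches neither resource's name and makes the two indistinguishable by label selector. Set each to its own metadata name — `app.kubernetes.io/name: outline-minio-root-secret` and `app.kubernetes.io/name: outline-minio-config-secret` — and consider doing the same for the key, OIDC and backup secrets, which use `{{ .Release.Name }}` (L3840, L3871, L3981) while the kyoo chart's equivalents use literal resource names (L2421). The `component: database` label on the three MinIO/bucket secrets (L3905, L3936, L3960) also describes an object store rather than a database; `storage` would match the PV/PVC labels used elsewhere in the commit.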


@@ -0,0 +1,123 @@
outline:
ingress:
enabled: true
className: traefik
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
host: outline.alexlebens.net
persistence:
type: s3
s3:
credentialsSecret: outline-bucket-user-secret
region: us-east-1
bucketName: outline
bucketUrl: https://minio-outline-api.alexlebens.net/outline
forcePathStyle: false
outline:
url: https://outline.alexlebens.net
secretKey:
existingSecretName: outline-key-secret
existingSecretKey: secret-key
utilsSecret:
existingSecretName: outline-key-secret
existingSecretKey: utils-key
database:
usernameSecret:
existingSecretName: outline-postgresql-16-cluster-app
existingSecretKey: username
passwordSecret:
existingSecretName: outline-postgresql-16-cluster-app
existingSecretKey: password
databaseName:
existingSecretName: outline-postgresql-16-cluster-app
existingSecretKey: dbname
databaseHost:
existingSecretName: outline-postgresql-16-cluster-app
existingSecretKey: host
databasePort:
existingSecretName: outline-postgresql-16-cluster-app
existingSecretKey: port
auth:
oidc:
enabled: true
clientId:
existingSecretName: outline-oidc-secret
existingSecretKey: client
clientSecret:
existingSecretName: outline-oidc-secret
existingSecretKey: secret
authUri: https://authentik.alexlebens.net/application/o/authorize/
tokenUri: https://authentik.alexlebens.net/application/o/token/
userinfoUri: https://authentik.alexlebens.net/application/o/userinfo/
usernameClaim: email
displayName: Authentik
scopes: openid profile email
minio:
existingSecret:
name: outline-minio-root-secret
tenant:
name: minio-outline
configuration:
name: outline-minio-config-secret
pools:
- servers: 3
name: pool
volumesPerServer: 2
size: 10Gi
storageClassName: ceph-block
mountPath: /export
subPath: /data
metrics:
enabled: true
port: 9000
protocol: http
certificate:
requestAutoCert: false
ingress:
api:
enabled: true
ingressClassName: traefik
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
tls:
- secretName: minio-outline-api-secret-tls
hosts:
- minio-outline-api.alexlebens.net
host: minio-outline-api.alexlebens.net
path: /
pathType: Prefix
console:
enabled: true
ingressClassName: traefik
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
tls:
- secretName: minio-outline-console-secret-tls
hosts:
- minio-outline.alexlebens.net
host: minio-outline.alexlebens.net
path: /
pathType: Prefix
postgres-16-cluster:
mode: standalone
kubernetesClusterName: cl01tl
cluster:
walStorage:
storageClass: local-path
storage:
storageClass: local-path
monitoring:
enabled: true
backup:
enabled: true
endpointURL: https://s3.us-east-2.amazonaws.com
destinationPath: s3://cl01tl-postgresql-backups/outline
endpointCredentials: outline-postgresql-16-cluster-backup-secret
backupIndex: 1
retentionPolicy: 14d
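Review bot: The MinIO tenant publishes both its API and console on public hostnames (the `minio.ingress.api` and `minio.ingress.console` blocks) while `certificate.requestAutoCert: false` and `metrics.protocol: http` leave the hop between Traefik and the tenant pods in plaintext, so TLS ends at the ingress and the in-cluster leg is unencrypted by design; that trade-off is not stated anywhere and deserves a comment above `certificate:` such as `# TLS terminates at Traefik; tenant-internal traffic is plaintext by design`. Separately, `forcePathStyle: false` sits next to a `bucketUrl` that carries the bucket name as a path segment, which looks like a path-style layout and is worth confirming against the chart's expectation. The penpot values section later on this page has the same `requestAutoCert: false` layout and would take the same comment.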


@@ -0,0 +1,25 @@
apiVersion: v2
name: penpot
version: 1.0.0
sources:
- https://github.com/penpot/penpot
- https://github.com/minio/operator
- https://github.com/bitnami/charts/tree/main/bitnami/redis
- https://github.com/alexlebens/helm-charts/charts/penpot
- https://github.com/alexlebens/helm-charts/charts/postgres-cluster
dependencies:
- name: penpot
version: 0.1.0
repository: http://alexlebens.github.io/helm-charts
- name: redis
version: 19.3.2
repository: https://charts.bitnami.com/bitnami
- name: tenant
version: 5.0.15
alias: minio
repository: https://operator.min.io/
- name: postgres-cluster
alias: postgres-16-cluster
version: 3.0.0
repository: http://alexlebens.github.io/helm-charts
appVersion: 2.0.0
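Review bot: Both `repository: http://alexlebens.github.io/helm-charts` entries (the `penpot` and `postgres-cluster` dependencies) fetch the chart index over plain HTTP, so the integrity of these dependencies rests on an unauthenticated network path rather than on TLS to the publisher. GitHub Pages serves the same content over HTTPS, so the fix is `repository: https://alexlebens.github.io/helm-charts` with no other change. The taiga, tubearchivist, vikunja and argo-workflows Chart.yaml sections further down this page reference the same HTTP URL and should be changed together.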


@@ -0,0 +1,169 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: penpot-key-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: penpot-key-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: key
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /penpot/key
metadataPolicy: None
property: key
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: penpot-oidc-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: penpot-oidc-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: auth
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: client
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/penpot
metadataPolicy: None
property: client
- secretKey: secret
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/penpot
metadataPolicy: None
property: secret
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: penpot-bucket-user-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: penpot-bucket-user-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: AWS_ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /penpot/minio/auth
metadataPolicy: None
property: AWS_ACCESS_KEY_ID
- secretKey: AWS_SECRET_ACCESS_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /penpot/minio/auth
metadataPolicy: None
property: AWS_SECRET_ACCESS_KEY
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: penpot-minio-root-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: penpot-bucket-auth-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: config.env
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /penpot/minio/root
metadataPolicy: None
property: config.env
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: penpot-minio-config-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: penpot-minio-config-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: config.env
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /penpot/minio/config
metadataPolicy: None
property: config.env
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: penpot-postgresql-16-cluster-backup-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: penpot-postgresql-16-cluster-backup-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: database
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /aws/keys/cl01tl-penpot-postgresql
metadataPolicy: None
property: access_key
- secretKey: ACCESS_SECRET_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /aws/keys/cl01tl-penpot-postgresql
metadataPolicy: None
property: secret_key
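Review bot: The `penpot-minio-root-secret` ExternalSecret carries `app.kubernetes.io/name: penpot-bucket-auth-secret`, which does not match its `metadata.name`, while every other secret in this file uses its own name for that label; the label looks copied from the bucket-user secret and will mislead label-based selection or inventory. The line should read `app.kubernetes.io/name: penpot-minio-root-secret`. The outline secrets earlier on this page show the same copied label on both MinIO secrets, so the same fix applies there.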


@@ -0,0 +1,135 @@
penpot:
ingress:
enabled: true
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
hosts:
- host: penpot.alexlebens.net
tls:
- secretName: penpot-secret-tls
hosts:
- penpot.alexlebens.net
persistence:
enabled: true
storageClass: ceph-block
size: 8Gi
accessModes:
- ReadWriteOnce
config:
publicURI: https://penpot.alexlebens.net
flags: enable-registration enable-insecure-register enable-login enable-login-with-oidc disable-demo-users disable-demo-warning
apiSecretKey:
existingSecretName: penpot-key-secret
existingSecretKey: key
postgresql:
host: penpot-postgresql-16-cluster-rw.penpot.svc.cluster.local
port: 5432
database: app
existingSecret: penpot-postgresql-16-cluster-app
secretKeys:
usernameKey: username
passwordKey: password
redis:
host: penpot-redis-headless.penpot.svc.cluster.local
port: 6379
database: 0
assets:
storageBackend: assets-s3
s3:
region: us-east-1
bucket: penpot
endpointURI: https://minio-penpot-api.alexlebens.net/penpot
existingSecret: penpot-bucket-user-secret
secretKeys:
accessKeyIDKey: AWS_ACCESS_KEY_ID
secretAccessKey: AWS_SECRET_ACCESS_KEY
telemetryEnabled: false
providers:
oidc:
enabled: true
baseURI: https://authentik.alexlebens.net/application/o/
authURI: https://authentik.alexlebens.net/application/o/authorize/
tokenURI: https://authentik.alexlebens.net/application/o/token/
userURI: https://authentik.alexlebens.net/application/o/userinfo/
roles: ""
rolesAttribute: ""
scopes: "openid profile email"
nameAttribute: preferred_username
emailAttribute: email
existingSecret: penpot-oidc-secret
secretKeys:
oidcClientIDKey: client
oidcClientSecretKey: secret
redis:
architecture: standalone
auth:
enabled: false
minio:
existingSecret:
name: penpot-minio-root-secret
tenant:
name: minio-penpot
configuration:
name: penpot-minio-config-secret
pools:
- servers: 3
name: pool
volumesPerServer: 2
size: 10Gi
storageClassName: ceph-block
mountPath: /export
subPath: /data
metrics:
enabled: true
port: 9000
protocol: http
certificate:
requestAutoCert: false
ingress:
api:
enabled: true
ingressClassName: traefik
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
tls:
- secretName: minio-penpot-api-secret-tls
hosts:
- minio-penpot-api.alexlebens.net
host: minio-penpot-api.alexlebens.net
path: /
pathType: Prefix
console:
enabled: true
ingressClassName: traefik
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
tls:
- secretName: minio-penpot-console-secret-tls
hosts:
- minio-penpot.alexlebens.net
host: minio-penpot.alexlebens.net
path: /
pathType: Prefix
postgres-16-cluster:
mode: standalone
kubernetesClusterName: cl01tl
cluster:
walStorage:
storageClass: local-path
storage:
storageClass: local-path
monitoring:
enabled: true
backup:
enabled: true
endpointURL: https://s3.us-east-2.amazonaws.com
destinationPath: s3://cl01tl-postgresql-backups/penpot
endpointCredentials: penpot-postgresql-16-cluster-backup-secret
backupIndex: 1
retentionPolicy: 14d
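Review bot: The `config.flags` line enables `enable-registration` together with `enable-insecure-register` on an instance published at `penpot.alexlebens.net`, which as the flag name indicates permits self-registration without the verification step, even though OIDC login via Authentik is the configured identity path. If local sign-up is not intended, drop both flags so the line becomes `flags: enable-login enable-login-with-oidc disable-demo-users disable-demo-warning`; if it is intended, a comment above the line stating why should accompany it. The `redis.auth.enabled: false` block is also inconsistent with the vikunja values section on this page, where the same Bitnami redis chart is deployed with `auth.enabled: true` and a Vault-sourced password, so the same pattern could be reused here.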


@@ -0,0 +1,11 @@
apiVersion: v2
name: plex
version: 0.0.1
sources:
- https://www.plex.tv/
- https://github.com/k8s-home-lab/helm-charts/tree/master/charts/stable/plex
dependencies:
- name: plex
version: 7.1.4
repository: https://k8s-home-lab.github.io/helm-charts/
appVersion: 1.40.0.7998-c29d4c0c8


@@ -0,0 +1,40 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: plex-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: plex-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi
---
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: plex-config
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
accessModes:
- ReadWriteOnce
resources:
requests:
storage: {{ .Values.storage.config.storageSize }}
storageClassName: {{ .Values.storage.config.storageClassName }}
volumeMode: {{ .Values.storage.config.volumeMode }}


@@ -0,0 +1,25 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: plex-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: {{ .Values.storage.media.nfs.path }}
server: {{ .Values.storage.media.nfs.server }}
mountOptions:
- vers=4
- minorversion=1
- noac
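Review bot: `namespace: {{ .Release.Namespace }}` is set in `metadata` on a PersistentVolume, which is a cluster-scoped resource, so the field is ignored by the API server and only suggests a scoping that does not exist. Remove that line from the PV; the PVC that binds it via `volumeName` is the namespaced side and already carries the namespace. The tubearchivist PersistentVolume section later on this page has the same field and should be cleaned up the same way.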


@@ -0,0 +1,78 @@
plex:
image:
repository: ghcr.io/onedr0p/plex
tag: 1.40.2.8395-c67dce28e
env:
ADVERTISE_IP: "https://plex.alexlebens.net:443/"
ALLOWED_NETWORKS: "10.0.0.0/8,192.168.1.0/24"
service:
main:
primary: true
type: LoadBalancer
annotations:
metallb.universe.tf/allow-shared-ip: "external"
externalIPs:
- 192.168.1.17
- 192.168.1.16
- 192.168.1.15
ports:
http:
port: 32400
ingress:
main:
enabled: true
ingressClassName: traefik
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
hosts:
- host: plex.alexlebens.net
paths:
- path: /
pathType: Prefix
tls:
- secretName: plex-secret-tls
hosts:
- plex.alexlebens.net
hostNetwork: false
persistence:
config:
enabled: true
existingClaim: plex-config
transcode:
enabled: true
type: emptyDir
media:
enabled: true
mountPath: /mnt/store
type: pvc
existingClaim: plex-nfs-storage
podSecurityContext:
runAsUser: 568
runAsGroup: 568
fsGroup: 568
fsGroupChangePolicy: "OnRootMismatch"
supplementalGroups:
- 44
- 100
- 109
- 65539
resources:
requests:
gpu.intel.com/i915: 1
cpu: 100m
memory: 256Mi
limits:
gpu.intel.com/i915: 1
cpu: 4000m
memory: 4096Mi
storage:
config:
storageClassName: ceph-block
storageSize: 80Gi
volumeMode: Filesystem
media:
nfs:
path: /volume2/Storage
server: synologybond.alexlebens.net
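Review bot: The image tag `1.40.2.8395-c67dce28e` set under `plex.image` does not match the chart's `appVersion: 1.40.0.7998-c29d4c0c8` in the plex Chart.yaml section just above, and the templates in this chart stamp `app.kubernetes.io/version: {{ .Chart.AppVersion }}` onto the PVCs and PV, so those labels will report a version that is not what runs. Update the Chart.yaml line to `appVersion: 1.40.2.8395-c67dce28e` (or derive the tag from it) so the two stay in step; Renovate, which this repository configures, can then bump both in one PR.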


@@ -0,0 +1,17 @@
apiVersion: v2
name: taiga
version: 1.0.0
sources:
- https://github.com/taigaio
- https://github.com/rabbitmq/rabbitmq-server
- https://github.com/alexlebens/helm-charts/charts/taiga
- https://github.com/alexlebens/helm-charts/charts/postgres-cluster
dependencies:
- name: taiga
version: 0.2.2
repository: http://alexlebens.github.io/helm-charts
- name: postgres-cluster
alias: postgres-16-cluster
version: 3.0.0
repository: http://alexlebens.github.io/helm-charts
appVersion: 6.7.7


@@ -0,0 +1,200 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: taiga-key-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: taiga-key-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: key
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /taiga/key
metadataPolicy: None
property: key
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: taiga-oidc-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: taiga-oidc-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: client
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/taiga
metadataPolicy: None
property: client
- secretKey: secret
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/taiga
metadataPolicy: None
property: secret
- secretKey: scopes
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/taiga
metadataPolicy: None
property: scopes
- secretKey: signatureAlgorithm
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/taiga
metadataPolicy: None
property: signatureAlgorithm
- secretKey: baseUrl
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/taiga
metadataPolicy: None
property: baseUrl
- secretKey: jwksEndpoint
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/taiga
metadataPolicy: None
property: jwksEndpoint
- secretKey: authorizationEndpoint
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/taiga
metadataPolicy: None
property: authorizationEndpoint
- secretKey: tokenEndpoint
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/taiga
metadataPolicy: None
property: tokenEndpoint
- secretKey: userEndpoint
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/taiga
metadataPolicy: None
property: userEndpoint
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: taiga-async-rabbitmq-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: taiga-async-rabbitmq-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: password
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /taiga/rabbitmq/async
metadataPolicy: None
property: password
- secretKey: erlang
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /taiga/rabbitmq/async
metadataPolicy: None
property: erlang
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: taiga-events-rabbitmq-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: taiga-events-rabbitmq-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: password
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /taiga/rabbitmq/events
metadataPolicy: None
property: password
- secretKey: erlang
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /taiga/rabbitmq/events
metadataPolicy: None
property: erlang
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: taiga-postgresql-16-cluster-backup-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: taiga-postgresql-16-cluster-backup-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: database
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /aws/keys/cl01tl-taiga-postgresql
metadataPolicy: None
property: access_key
- secretKey: ACCESS_SECRET_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /aws/keys/cl01tl-taiga-postgresql
metadataPolicy: None
property: secret_key


@@ -0,0 +1,152 @@
taiga:
serviceAccount:
create: true
secretKey:
existingSecretName: taiga-key-secret
existingSecretKey: key
createInitialUser: false
enableTelemetry: false
publicRegisterEnabled: false
postgresql:
existingSecretName: taiga-postgresql-16-cluster-app
usernameKey: username
passwordKey: password
databaseNameKey: dbname
hostKey: host
portKey: port
oidc:
enabled: true
existingSecretName: taiga-oidc-secret
scopesKey: scopes
signatureAlgorithmKey: signatureAlgorithm
clientIdKey: client
clientSecretKey: secret
baseUrlKey: baseUrl
jwksEndpointKey: jwksEndpoint
authorizationEndpointKey: authorizationEndpoint
tokenEndpointKey: tokenEndpoint
userEndpointKey: userEndpoint
back:
image:
repository: ghcr.io/alexlebens/taiga-back-docker-oidc
tag: latest
pullPolicy: Always
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 500m
memory: 1Gi
livenessProbe:
enabled: true
readinessProbe:
enabled: true
async:
image:
repository: ghcr.io/alexlebens/taiga-back-docker-oidc
tag: latest
pullPolicy: Always
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 500m
memory: 1Gi
livenessProbe:
enabled: true
readinessProbe:
enabled: true
async-rabbitmq:
auth:
username: taiga
existingPasswordSecret: taiga-async-rabbitmq-secret
existingSecretPasswordKey: password
existingErlangSecret: taiga-async-rabbitmq-secret
existingSecretErlangKey: erlang
events:
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 500m
memory: 1Gi
livenessProbe:
enabled: false
readinessProbe:
enabled: false
events-rabbitmq:
auth:
username: taiga
existingPasswordSecret: taiga-events-rabbitmq-secret
existingSecretPasswordKey: password
existingErlangSecret: taiga-events-rabbitmq-secret
existingSecretErlangKey: erlang
protected:
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 500m
memory: 1Gi
livenessProbe:
enabled: false
readinessProbe:
enabled: false
front:
image:
repository: ghcr.io/alexlebens/taiga-front-docker-oidc
tag: latest
pullPolicy: Always
resources:
requests:
cpu: 100m
memory: 256Mi
limits:
cpu: 500m
memory: 1Gi
livenessProbe:
enabled: true
readinessProbe:
enabled: true
ingress:
enabled: true
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
className: traefik
host: taiga.alexlebens.net
persistence:
static:
enabled: true
storageClass: nfs-client
accessMode: ReadWriteMany
size: 1Gi
media:
enabled: true
storageClass: nfs-client
accessMode: ReadWriteMany
size: 1Gi
postgres-16-cluster:
mode: standalone
kubernetesClusterName: cl01tl
cluster:
walStorage:
storageClass: local-path
storage:
storageClass: local-path
monitoring:
enabled: true
prometheusRule:
enabled: false
backup:
enabled: true
endpointURL: https://s3.us-east-2.amazonaws.com
destinationPath: s3://cl01tl-postgresql-backups/taiga
endpointCredentials: taiga-postgresql-16-cluster-backup-secret
backupIndex: 1
retentionPolicy: 14d
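Review bot: The `back`, `async` and `front` images are pinned to `tag: latest` with `pullPolicy: Always`, so every pod restart may pull a different build, rollbacks are not reproducible, and the Renovate setup this repository relies on has nothing to track. Pin each to an immutable tag, e.g. `tag: "<pinned-version>"` (placeholder), or better an `@sha256:` digest if the chart's image block supports it. If `latest` is deliberate because these are self-built `ghcr.io/alexlebens/taiga-*-docker-oidc` images, a comment above the first `image:` saying so would at least make the choice visible.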


@@ -0,0 +1,13 @@
apiVersion: v2
name: tubearchivist
version: 0.0.7
sources:
- https://github.com/tubearchivist/tubearchivist
- https://github.com/alexlebens/helm-charts/charts/tubearchivist
- https://github.com/tubearchivist/tubearchivist-jf
- https://github.com/alexlebens/helm-charts/charts/tubearchivist-to-jellyfin
dependencies:
- name: tubearchivist
version: 0.2.7
repository: http://alexlebens.github.io/helm-charts
appVersion: v0.4.6


@@ -0,0 +1,83 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: tubearchivist-config-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ELASTIC_PASSWORD
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /tubearchivist/env
metadataPolicy: None
property: ELASTIC_PASSWORD
- secretKey: ES_URL
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /tubearchivist/env
metadataPolicy: None
property: ES_URL
- secretKey: REDIS_HOST
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /tubearchivist/env
metadataPolicy: None
property: REDIS_HOST
- secretKey: TA_HOST
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /tubearchivist/env
metadataPolicy: None
property: TA_HOST
- secretKey: TA_PASSWORD
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /tubearchivist/env
metadataPolicy: None
property: TA_PASSWORD
- secretKey: TA_USERNAME
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /tubearchivist/env
metadataPolicy: None
property: TA_USERNAME
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: tubearchivist-elasticsearch-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ELASTIC_PASSWORD
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /tubearchivist/env
metadataPolicy: None
property: ELASTIC_PASSWORD


@@ -0,0 +1,19 @@
apiVersion: v1
kind: PersistentVolumeClaim
metadata:
name: tubearchivist-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
volumeName: tubearchivist-nfs-storage
storageClassName: nfs-client
accessModes:
- ReadWriteMany
resources:
requests:
storage: 1Gi


@@ -0,0 +1,25 @@
apiVersion: v1
kind: PersistentVolume
metadata:
name: tubearchivist-nfs-storage
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: storage
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
persistentVolumeReclaimPolicy: Retain
storageClassName: nfs-client
capacity:
storage: 1Gi
accessModes:
- ReadWriteMany
nfs:
path: {{ .Values.storage.youtube.nfsPath }}
server: {{ .Values.storage.youtube.nfsServer }}
mountOptions:
- vers=4
- minorversion=1
- noac


@@ -0,0 +1,46 @@
tubearchivist:
deployment:
env:
TZ: US/Central
envFrom:
- secretRef:
name: tubearchivist-config-secret
resources:
limits:
memory: 2Gi
cpu: 1000m
ingress:
enabled: true
className: traefik
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
host: tubearchivist.alexlebens.net
persistence:
cache:
enabled: true
storageClassName: ceph-block
storageSize: 80Gi
youtube:
claimName: tubearchivist-nfs-storage
elasticsearch:
global:
storageClass: ceph-block
extraEnvVarsSecret: tubearchivist-elasticsearch-secret
extraConfig:
path:
repo: /usr/share/elasticsearch/data/snapshot
extraVolumes:
- name: snapshot
nfs:
path: /volume2/Storage/TubeArchivist
server: synologybond.alexlebens.net
extraVolumeMounts:
- name: snapshot
mountPath: /usr/share/elasticsearch/data/snapshot
snapshotRepoPath: /usr/share/elasticsearch/data/snapshot
storage:
youtube:
nfsPath: /volume2/Storage/YouTube
nfsServer: synologybond.alexlebens.net
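Review bot: The elasticsearch snapshot volume hard-codes `server: synologybond.alexlebens.net` and `path: /volume2/Storage/TubeArchivist` inline while the YouTube volume is parameterised under `storage.youtube.nfsPath` / `nfsServer`, so the same NFS server now lives in two places in one file and can drift. Adding a `storage.elasticsearch` pair alongside `storage.youtube` and referencing it from the template would keep a single source; at minimum a comment on the `extraVolumes` entry pointing to `storage.youtube.nfsServer` helps the next edit. Whether the `elasticsearch` key here is consumed as a subchart of the `tubearchivist` chart is not visible on this page and is worth confirming.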


@@ -0,0 +1,20 @@
apiVersion: v2
name: vikunja
version: 1.0.0
sources:
- https://kolaente.dev/vikunja/vikunja
- https://kolaente.dev/vikunja/helm-chart
- https://github.com/bitnami/charts/tree/main/bitnami/redis
- https://github.com/alexlebens/helm-charts/charts/postgres-cluster
dependencies:
- name: vikunja
version: 0.4.3
repository: oci://kolaente.dev/vikunja
- name: redis
version: 19.3.2
repository: https://charts.bitnami.com/bitnami
- name: postgres-cluster
alias: postgres-16-cluster
version: 3.0.0
repository: http://alexlebens.github.io/helm-charts
appVersion: v0.22.1


@@ -0,0 +1,62 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: vikunja-config-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: config.yml
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /vikunja/config
metadataPolicy: None
property: config.yml
- secretKey: redis-password
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /vikunja/config
metadataPolicy: None
property: redis-password
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: vikunja-postgresql-16-cluster-backup-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: vikunja-postgresql-16-cluster-backup-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: database
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /aws/keys/cl01tl-vikunja-postgresql
metadataPolicy: None
property: access_key
- secretKey: ACCESS_SECRET_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /aws/keys/cl01tl-vikunja-postgresql
metadataPolicy: None
property: secret_key


@@ -0,0 +1,117 @@
vikunja:
api:
enabled: true
image:
repository: vikunja/api
tag: 0.22.1
persistence:
data:
enabled: true
size: 10Gi
mountPath: /app/vikunja/files
storageClass: ceph-block
config:
type: secret
name: vikunja-config-secret
configMaps:
config:
enabled: false
ingress:
main:
enabled: true
className: traefik
annotations:
cert-manager.io/cluster-issuer: letsencrypt-issuer
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
hosts:
- host: vikunja.alexlebens.net
paths:
- path: /api/v1/
tls:
- hosts:
- vikunja.alexlebens.net
secretName: vikunja-secret-tls
env:
VIKUNJA_SERVICE_FRONTENDURL: https://vikunja.alexlebens.net
VIKUNJA_SERVICE_ENABLEREGISTRATION: "true"
VIKUNJA_SERVICE_TIMEZONE: US/Central
VIKUNJA_REDIS_ENABLED: "true"
VIKUNJA_REDIS_HOST: vikunja-redis-headless:6379
VIKUNJA_REDIS_PASSWORD:
valueFrom:
secretKeyRef:
name: vikunja-config-secret
key: redis-password
VIKUNJA_DATABASE_USER:
valueFrom:
secretKeyRef:
name: vikunja-postgresql-16-cluster-app
key: user
VIKUNJA_DATABASE_DATABASE:
valueFrom:
secretKeyRef:
name: vikunja-postgresql-16-cluster-app
key: dbname
VIKUNJA_DATABASE_HOST:
valueFrom:
secretKeyRef:
name: vikunja-postgresql-16-cluster-app
key: host
VIKUNJA_DATABASE_PASSWORD:
valueFrom:
secretKeyRef:
name: vikunja-postgresql-16-cluster-app
key: password
frontend:
enabled: true
image:
repository: vikunja/frontend
tag: 0.22.1
env:
VIKUNJA_API_URL: https://vikunja.alexlebens.net/api/v1/
ingress:
main:
enabled: true
className: traefik
annotations:
cert-manager.io/cluster-issuer: letsencrypt-issuer
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
hosts:
- host: vikunja.alexlebens.net
paths:
- path: /
tls:
- hosts:
- vikunja.alexlebens.net
secretName: vikunja-secret-tls
postgresql:
enabled: false
redis:
enabled: false
typesense:
enabled: false
redis:
architecture: standalone
auth:
enabled: true
existingSecret: vikunja-config-secret
existingSecretPasswordKey: redis-password
postgres-16-cluster:
mode: standalone
kubernetesClusterName: cl01tl
cluster:
walStorage:
storageClass: local-path
storage:
storageClass: local-path
monitoring:
enabled: true
backup:
enabled: true
endpointURL: https://s3.us-east-2.amazonaws.com
destinationPath: s3://cl01tl-postgresql-backups/vikunja
endpointCredentials: vikunja-postgresql-16-cluster-backup-secret
backupIndex: 1
retentionPolicy: 14d
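Review bot: `VIKUNJA_SERVICE_ENABLEREGISTRATION: "true"` under `vikunja.api.env` turns on open self-registration for an API published on `vikunja.alexlebens.net` through a public ingress, with no OIDC or other gate visible in these values. If that is not intended, set it to `"false"`; if it is, a comment above the line recording the decision would stop it from being flipped back silently. The `VIKUNJA_DATABASE_USER` reference uses key `user` on the `-app` secret while the outline, penpot and taiga sections use `username`; both keys are normally present on that secret, but the difference is worth confirming rather than assuming.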


@@ -0,0 +1,11 @@
apiVersion: v2
name: argo-rollouts
version: 1.0.0
sources:
- https://github.com/argoproj/argo-rollouts
- https://github.com/argoproj/argo-helm/tree/main/charts
dependencies:
- name: argo-rollouts
version: 2.35.2
repository: https://argoproj.github.io/argo-helm
appVersion: v1.6.6


@@ -0,0 +1,45 @@
argo-rollouts:
controller:
metrics:
enabled: true
serviceMonitor:
enabled: true
namespace: argocd
dashboard:
enabled: true
ingress:
enabled: true
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
ingressClassName: traefik
hosts:
- argo-rollouts.alexlebens.net
tls:
- secretName: argo-rollouts-secret-tls
hosts:
- argo-rollouts.alexlebens.net
notifications:
notifiers: {}
# service.slack: |
# token: $slack-token
# -- Notification templates
templates: {}
# template.my-purple-template: |
# message: |
# Rollout {{.rollout.metadata.name}} has purple image
# slack:
# attachments: |
# [{
# "title": "{{ .rollout.metadata.name}}",
# "color": "#800080"
# }]
# -- The trigger defines the condition when the notification should be sent
triggers: {}
# trigger.on-purple: |
# - send: [my-purple-template]
# when: rollout.spec.template.spec.containers[0].image == 'argoproj/rollouts-demo:purple'
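Review bot: The `dashboard.ingress` block publishes argo-rollouts.alexlebens.net with TLS but carries no authentication middleware, and as far as I know the Argo Rollouts dashboard has no login of its own, so anyone who can reach the hostname can view and promote or abort rollouts. Every other UI in this commit (Argo CD, Argo Workflows, Kargo) is put behind Authentik, so this one looks like an oversight rather than a decision. Either add a Traefik forwardAuth middleware annotation pointing at the Authentik proxy outpost (`traefik.ingress.kubernetes.io/router.middlewares: <ns>-<forwardauth-middleware>@kubernetescrd`), move the route to an internal-only entrypoint, or leave `dashboard.ingress.enabled: false` and reach it via `kubectl port-forward` until that is in place.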


@@ -0,0 +1,20 @@
apiVersion: v2
name: argo-workflows
version: 1.0.0
sources:
- https://github.com/argoproj/argo-workflows
- https://github.com/argoproj/argo-events
- https://github.com/argoproj/argo-helm/tree/main/charts
- https://github.com/alexlebens/helm-charts/charts/postgres-cluster
dependencies:
- name: argo-workflows
version: 0.41.4
repository: https://argoproj.github.io/argo-helm
- name: argo-events
version: 2.4.4
repository: https://argoproj.github.io/argo-helm
- name: postgres-cluster
alias: postgres-16-cluster
version: 3.0.0
repository: http://alexlebens.github.io/helm-charts
appVersion: v3.5.6
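Review bot: The `postgres-cluster` dependency is fetched from `http://alexlebens.github.io/helm-charts`, a cleartext URL, while the argoproj repositories a few lines above use https. Helm resolves `index.yaml` and the chart tarball through this URL, so an on-path attacker could hand back a substituted chart that then runs with whatever the release is allowed to create; a Chart.lock digest (not shown here) only protects fetches after the first one. GitHub Pages serves the same path over TLS, so `repository: https://alexlebens.github.io/helm-charts` is a drop-in fix. The authentik chart in this commit uses the same http URL and should be changed together with this one.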


@@ -0,0 +1,62 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: argo-workflows-oidc-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: argo-workflows-oidc-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: secret
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/argo-workflows
metadataPolicy: None
property: secret
- secretKey: client
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/argo-workflows
metadataPolicy: None
property: client
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: argo-workflows-postgresql-16-cluster-backup-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: argo-workflows-postgresql-16-cluster-backup-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: database
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /aws/keys/cl01tl-argo-workflows-postgresql
metadataPolicy: None
property: access_key
- secretKey: ACCESS_SECRET_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /aws/keys/cl01tl-argo-workflows-postgresql
metadataPolicy: None
property: secret_key


@@ -0,0 +1,121 @@
argo-workflows:
controller:
metricsConfig:
enabled: true
persistence:
connectionPool:
maxIdleConns: 100
maxOpenConns: 0
nodeStatusOffLoad: true
archive: true
postgresql:
host: argo-workflows-postgresql-16-cluster-rw
port: 5432
database: app
tableName: app
userNameSecret:
name: argo-workflows-postgresql-16-cluster-app
key: username
passwordSecret:
name: argo-workflows-postgresql-16-cluster-app
key: password
ssl: false
sslMode: disable
workflowWorkers: 2
workflowTTLWorkers: 1
podCleanupWorkers: 1
cronWorkflowWorkers: 1
telemetryConfig:
enabled: true
serviceMonitor:
enabled: true
name: workflow-controller
workflowNamespaces:
- argocd
server:
authModes:
- sso
ingress:
enabled: true
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
ingressClassName: traefik
hosts:
- argo-workflows.alexlebens.net
tls:
- secretName: argoworkflows-example-tls
hosts:
- argo-workflows.alexlebens.net
sso:
enabled: true
issuer: https://authentik.alexlebens.net/application/o/argo-workflows/
clientId:
name: argo-workflows-oidc-secret
key: client
clientSecret:
name: argo-workflows-oidc-secret
key: secret
redirectUrl: https://argo-workflows.alexlebens.net/oauth2/callback
rbac:
enabled: false
scopes:
- openid
- email
- profile
useStaticCredentials: true
artifactRepository:
archiveLogs: false
s3: {}
# accessKeySecret:
# name: "{{ .Release.Name }}-minio"
# key: accesskey
# secretKeySecret:
# name: "{{ .Release.Name }}-minio"
# key: secretkey
# insecure: true
# bucket:
# endpoint:
# region:
# encryptionOptions:
# enableEncryption: true
argo-events:
global:
image:
repository: quay.io/argoproj/argo-events
tag: v1.9.1
controller:
resources:
limits:
cpu: 500m
memory: 512Mi
requests:
cpu: 250m
memory: 256Mi
metrics:
enabled: true
serviceMonitor:
enabled: true
namespace: argocd
webhook:
enabled: true
postgres-16-cluster:
mode: standalone
cluster:
walStorage:
storageClass: local-path
storage:
storageClass: local-path
monitoring:
enabled: true
prometheusRule:
enabled: true
backup:
enabled: true
endpointURL: https://s3.us-east-2.amazonaws.com
destinationPath: s3://cl01tl-postgresql-backups/argo-workflows
endpointCredentials: argo-workflows-postgresql-16-cluster-backup-secret
backupIndex: 1
retentionPolicy: 14d
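Review bot: The `persistence.postgresql` block disables TLS to the archive database (`ssl: false`, `sslMode: disable`), so the workflow controller sends the `argo-workflows-postgresql-16-cluster-app` password and every archived workflow in cleartext over the pod network to `argo-workflows-postgresql-16-cluster-rw`. CloudNativePG clusters serve TLS on that service by default, so `ssl: true` with `sslMode: require` should work without further changes; `verify-ca`/`verify-full` would additionally need the operator-issued CA secret mounted, which this values file does not do. Separately, `sso.rbac.enabled: false` means every Authentik user who can log in acts with the server's own service-account permissions over the `argocd` workflow namespace; if that is intentional, a comment saying so would help the next reader. The `argoworkflows-example-tls` secret name also looks copied from the chart example and breaks the `<app>-secret-tls` naming used elsewhere in this commit.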


@@ -0,0 +1,12 @@
apiVersion: v2
name: argocd
version: 0.1.0
home: https://outline.alexlebens.net/doc/argo-cd-qLEdrgdwOD
sources:
- https://github.com/argoproj/argo-cd
- https://github.com/argoproj/argo-helm/tree/main/charts/argo-cd
dependencies:
- name: argo-cd
version: 6.9.3
repository: https://argoproj.github.io/argo-helm
appVersion: v2.10.8


@@ -0,0 +1,110 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: argocd-oidc-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: "{{ .Release.Name }}-server"
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: server
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: secret
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/argocd
metadataPolicy: None
property: secret
- secretKey: client
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/argocd
metadataPolicy: None
property: client
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: argocd-cluster-cl02do-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: "{{ .Release.Name }}-server"
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: server
app.kubernetes.io/part-of: {{ .Release.Name }}
argocd.argoproj.io/secret-type: cluster
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: name
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /argocd/credentials/cluster/cl02do
metadataPolicy: None
property: name
- secretKey: server
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /argocd/credentials/cluster/cl02do
metadataPolicy: None
property: server
- secretKey: config
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /argocd/credentials/cluster/cl02do
metadataPolicy: None
property: config
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: argocd-repo-alexlebens-dev-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: "{{ .Release.Name }}-server"
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: server
app.kubernetes.io/part-of: {{ .Release.Name }}
argocd.argoproj.io/secret-type: repository
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: type
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /argocd/credentials/repo/alexlebens-dev
metadataPolicy: None
property: type
- secretKey: url
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /argocd/credentials/repo/alexlebens-dev
metadataPolicy: None
property: url
- secretKey: sshPrivateKey
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /argocd/credentials/repo/alexlebens-dev
metadataPolicy: None
property: sshPrivateKey


@@ -0,0 +1,66 @@
argo-cd:
crds:
install: true
configs:
cm:
admin.enabled: true
url: https://argocd.alexlebens.net
statusbadge.enabled: true
dex.config: |
connectors:
- config:
issuer: https://authentik.alexlebens.net/application/o/argocd/
clientID: $argocd-oidc-secret:client
clientSecret: $argocd-oidc-secret:secret
insecureEnableGroups: true
scopes:
- openid
- profile
- email
- groups
name: authentik
type: oidc
id: authentik
rbac:
policy.csv: |
g, ArgoCD Admins, role:admin
params:
server.insecure: true
server:
replicas: 2
ingress:
enabled: true
controller: generic
ingressClassName: traefik
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
hostname: argocd.alexlebens.net
tls: true
metrics:
enabled: true
serviceMonitor:
enabled: true
dex:
enabled: true
redis-ha:
enabled: true
controller:
replicas: 1
metrics:
enabled: true
serviceMonitor:
enabled: true
repoServer:
replicas: 2
metrics:
enabled: true
serviceMonitor:
enabled: true
applicationSet:
replicas: 2
metrics:
enabled: true
serviceMonitor:
enabled: true
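Review bot: `configs.cm.admin.enabled: true` keeps the built-in password-based `admin` account alive next to the Authentik SSO connector, so argocd.alexlebens.net has two independent admin login paths, and the local one is outside whatever MFA or group policy Authentik enforces. Once SSO and the `ArgoCD Admins` mapping in `policy.csv` are confirmed working, `admin.enabled: false` (or, at minimum, rotating the initial admin secret and a comment explaining why the account stays on) closes that path. `insecureEnableGroups: true` is what Dex's OIDC connector needs to emit a groups claim, but per the connector docs the claim is only refreshed when the ID token is re-issued, so removal from `ArgoCD Admins` takes effect at next login rather than immediately. `server.insecure: true` is reasonable given TLS terminates at Traefik, but it deserves a one-line comment to that effect so it is not mistaken for a leftover.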


@@ -0,0 +1,11 @@
apiVersion: v2
name: kargo
version: 1.0.0
sources:
- https://github.com/akuity/kargo
- https://github.com/akuity/kargo/blob/main/charts/kargo/Chart.yaml
dependencies:
- name: kargo
version: 0.6.0
repository: oci://ghcr.io/akuity/kargo-charts
appVersion: v0.5.1


@@ -0,0 +1,56 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: kargo-oidc-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kargo-oidc-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: CLIENT_SECRET
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/kargo
metadataPolicy: None
property: secret
- secretKey: CLIENT_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/oidc/kargo
metadataPolicy: None
property: client
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: kargo-cluster-cl02do-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: kargo-cluster-cl02do-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
argocd.argoproj.io/secret-type: cluster
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: kubeconfig
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /argocd/credentials/cluster/cl02do
metadataPolicy: None
property: kubeconfig
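Review bot: `kargo-cluster-cl02do-secret` carries the `argocd.argoproj.io/secret-type: cluster` label but its only key is `kubeconfig`, whereas the Argo CD cluster-secret shape (as used by `argocd-cluster-cl02do-secret` earlier in this commit) is `name`/`server`/`config`. If this release lands in a namespace Argo CD watches, the controller will attempt to register a malformed cluster; if it does not, the label is merely misleading. Drop the label unless Kargo itself consumes it, and consider whether the kubeconfig stored at `/argocd/credentials/cluster/cl02do` should be a separate least-privilege credential for Kargo rather than sharing a Vault path with Argo CD's cluster credentials.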


@@ -0,0 +1,120 @@
kargo:
api:
host: kargo.alexlebens.net
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 100m
memory: 128Mi
tls:
enabled: false
ingress:
enabled: true
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
ingressClassName: traefik
tls:
enabled: true
selfSignedCert: false
adminAccount:
enabled: false
oidc:
enabled: true
admins:
groups: ["ArgoCD Admins"]
dex:
enabled: true
image:
repository: ghcr.io/dexidp/dex
tag: v2.39.1
env:
- name: CLIENT_ID
valueFrom:
secretKeyRef:
name: kargo-oidc-secret
key: CLIENT_ID
- name: CLIENT_SECRET
valueFrom:
secretKeyRef:
name: kargo-oidc-secret
key: CLIENT_SECRET
tls:
selfSignedCert: false
skipApprovalScreen: true
connectors:
- type: oidc
id: authentik
name: Authentik
config:
issuer: https://authentik.alexlebens.net/application/o/kargo/
clientID: "$CLIENT_ID"
clientSecret: "$CLIENT_SECRET"
redirectURI: https://kargo.alexlebens.net/dex/callback
insecureEnableGroups: true
scopes:
- openid
- profile
- email
- groups
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 100m
memory: 128Mi
argocd:
urls:
"": https://argocd.alexlebens.net
rollouts:
integrationEnabled: true
controller:
enabled: true
gitClient:
name: "Kargo cl01tl"
email: "alexanderlebens@gmail.com"
argocd:
integrationEnabled: true
rollouts:
integrationEnabled: true
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 100m
memory: 128Mi
managementController:
enabled: true
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 100m
memory: 128Mi
webhooks:
register: true
webhooksServer:
tls:
selfSignedCert: true
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 100m
memory: 128Mi
garbageCollector:
schedule: "0 * * * *"
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 100m
memory: 128Mi


@@ -0,0 +1,6 @@
apiVersion: v2
name: stack
version: 1.0.0
sources:
- https://github.com/alexlebens/alexlebens-net.git
appVersion: 1.0.0


@@ -0,0 +1,55 @@
{{- range $index, $stack := .Values.applicationSet }}
---
apiVersion: argoproj.io/v1alpha1
kind: ApplicationSet
metadata:
name: {{ $stack.name }}
namespace: {{ $.Release.Namespace }}
labels:
app.kubernetes.io/name: {{ $stack.name }}
app.kubernetes.io/instance: {{ $stack.name }}
app.kubernetes.io/version: {{ $.Chart.AppVersion }}
app.kubernetes.io/component: {{ $stack.name }}
app.kubernetes.io/part-of: {{ $.Release.Name }}
spec:
syncPolicy:
applicationsSync: create-only
preserveResourcesOnDeletion: true
generators:
- git:
repoURL: {{ $.Values.git.repo }}
revision: {{ $.Values.git.revision }}
directories:
- path: "{{ $.Values.git.path }}/{{ $stack.name }}/*"
template:
metadata:
name: '{{ `{{path.basename}}` }}'
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
destination:
name: in-cluster
namespace: '{{ $stack.namespace | default `{{path.basename}}` }}'
project: default
revisionHistoryLimit: 3
source:
repoURL: {{ $.Values.git.repo }}
targetRevision: {{ $.Values.git.revision }}
path: '{{ `{{path}}` }}'
ignoreDifferences:
{{- toYaml $stack.ignoreDifferences | nindent 8 }}
syncPolicy:
{{- if $stack.syncPolicy.automated.enabled }}
automated:
prune: {{ $stack.syncPolicy.automated.prune | default false }}
selfHeal: {{ $stack.syncPolicy.automated.selfHeal | default false }}
{{- end }}
retry:
limit: 3
backoff:
duration: 1m
factor: 2
maxDuration: 15m
syncOptions:
{{- toYaml $stack.syncPolicy.syncOptions | nindent 10 }}
{{- end }}
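Review bot: Every generated Application is placed in `project: default`, and Argo CD's default AppProject permits any source repository, any destination cluster or namespace and any resource kind, so a new directory under `{{ $.Values.git.path }}/<stack>/` can deploy cluster-scoped resources anywhere with the controller's (typically cluster-admin) credentials. Since the generator already groups Applications by stack, a per-stack AppProject with `sourceRepos` limited to `$.Values.git.repo` and `destinations` limited to the in-cluster server is a small change: `project: {{ $stack.project | default "default" }}` here, plus the AppProject manifests. Also, `{{- toYaml $stack.ignoreDifferences | nindent 8 }}` renders a bare `null` for stacks that do not set the key; harmless today, but wrapping it in `{{- with $stack.ignoreDifferences }}` keeps the rendered manifest clean.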


@@ -0,0 +1,82 @@
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: cilium
namespace: {{ .Release.Namespace }}
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
source:
repoURL: {{ .Values.application.cilium.source.repo }}
targetRevision: {{ .Values.application.cilium.source.revision }}
path: "{{ .Values.git.path }}/{{ .Values.application.cilium.source.path }}"
destination:
name: in-cluster
namespace: {{ .Values.application.cilium.namespace }}
revisionHistoryLimit: 3
syncPolicy:
{{- toYaml .Values.application.cilium.syncPolicy | nindent 4 }}
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: metrics-server
namespace: {{ .Release.Namespace }}
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
source:
repoURL: {{ .Values.application.metricsServer.source.repo }}
targetRevision: {{ .Values.application.metricsServer.source.revision }}
path: "{{ .Values.git.path }}/{{ .Values.application.metricsServer.source.path }}"
destination:
name: in-cluster
namespace: {{ .Values.application.metricsServer.namespace }}
revisionHistoryLimit: 3
syncPolicy:
{{- toYaml .Values.application.metricsServer.syncPolicy | nindent 4 }}
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: kubelet-serving-cert-approver
namespace: {{ .Release.Namespace }}
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
source:
repoURL: {{ .Values.application.kubeletServingCertApprover.source.repo }}
targetRevision: {{ .Values.application.kubeletServingCertApprover.source.revision }}
path: "{{ .Values.git.path }}/{{ .Values.application.kubeletServingCertApprover.source.path }}"
destination:
name: in-cluster
namespace: {{ .Values.application.kubeletServingCertApprover.namespace }}
revisionHistoryLimit: 3
syncPolicy:
{{- toYaml .Values.application.kubeletServingCertApprover.syncPolicy | nindent 4 }}
---
apiVersion: argoproj.io/v1alpha1
kind: Application
metadata:
name: prometheus-operator-crds
namespace: {{ .Release.Namespace }}
finalizers:
- resources-finalizer.argocd.argoproj.io
spec:
project: default
source:
repoURL: {{ .Values.application.prometheusOperatorCrds.source.repo }}
targetRevision: {{ .Values.application.prometheusOperatorCrds.source.revision }}
path: "{{ .Values.git.path }}/{{ .Values.application.prometheusOperatorCrds.source.path }}"
destination:
name: in-cluster
namespace: {{ .Values.application.prometheusOperatorCrds.namespace }}
revisionHistoryLimit: 3
syncPolicy:
{{- toYaml .Values.application.prometheusOperatorCrds.syncPolicy | nindent 4 }}


@@ -0,0 +1,148 @@
git:
repo: git@github.com:alexlebens/alexlebens-net.git
revision: HEAD
path: clusters/cl01tl
applicationSet:
- name: applications
syncPolicy:
automated:
enabled: true
prune: true
selfheal: false
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
- ServerSideApply=false
- PruneLast=true
- name: deployment
namespace: argocd
syncPolicy:
automated:
enabled: true
prune: true
selfheal: false
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
- ServerSideApply=false
- PruneLast=true
- name: platform
syncPolicy:
automated:
enabled: true
prune: true
selfheal: false
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
- ServerSideApply=true
- PruneLast=true
- name: services
ignoreDifferences:
- group: ""
kind: Service
jqPathExpressions:
- .status.loadBalancer.ingress[].ipMode
syncPolicy:
automated:
enabled: true
prune: true
selfheal: false
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
- ServerSideApply=true
- PruneLast=true
- name: storage
syncPolicy:
automated:
enabled: true
prune: true
selfheal: false
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=true
- ServerSideApply=false
- PruneLast=true
application:
cilium:
namespace: kube-system
source:
repo: git@github.com:alexlebens/alexlebens-net.git
revision: HEAD
path: standalone/cilium
syncPolicy:
retry:
limit: 10
backoff:
duration: 1m
factor: 2
maxDuration: 16m
syncOptions:
- CreateNamespace=false
- ApplyOutOfSyncOnly=true
- ServerSideApply=true
- PruneLast=true
metricsServer:
namespace: kube-system
source:
repo: git@github.com:alexlebens/alexlebens-net.git
revision: HEAD
path: standalone/metrics-server
syncPolicy:
automated:
prune: true
selfHeal: true
retry:
limit: 10
backoff:
duration: 1m
factor: 2
maxDuration: 16m
syncOptions:
- CreateNamespace=false
- ApplyOutOfSyncOnly=false
- ServerSideApply=true
- PruneLast=true
kubeletServingCertApprover:
namespace: kubelet-serving-cert-approver
source:
repo: git@github.com:alexlebens/alexlebens-net.git
revision: HEAD
path: standalone/kubelet-serving-cert-approver
syncPolicy:
automated:
prune: true
selfHeal: true
retry:
limit: 10
backoff:
duration: 1m
factor: 2
maxDuration: 16m
syncOptions:
- CreateNamespace=true
- ApplyOutOfSyncOnly=false
- ServerSideApply=true
- PruneLast=true
prometheusOperatorCrds:
namespace: kube-system
source:
repo: git@github.com:alexlebens/alexlebens-net.git
revision: HEAD
path: standalone/prometheus-operator-crds
syncPolicy:
automated:
prune: true
selfHeal: true
retry:
limit: 10
backoff:
duration: 1m
factor: 2
maxDuration: 16m
syncOptions:
- CreateNamespace=false
- ApplyOutOfSyncOnly=false
- ServerSideApply=true
- PruneLast=true
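Review bot: The `applicationSet` entries set `selfheal: false`, but the ApplicationSet template in this commit reads `$stack.syncPolicy.automated.selfHeal`, so the key is silently ignored and the template default applies; it happens to be `false` in all five entries, but flipping it to `true` later would have no effect. Rename it to `selfHeal` to match the template (the `application.*` entries further down already use the camelCase form). Separately, every source pins `revision: HEAD` together with `prune: true`, so any push to the repository's default branch is applied, and may delete resources, immediately; pinning an explicit branch and, for the automated stacks, requiring signed commits through the AppProject's `signatureKeys` would narrow that blast radius.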


@@ -0,0 +1,21 @@
apiVersion: v2
name: authentik
version: 1.0.0
sources:
- https://github.com/goauthentik/authentik
- https://github.com/goauthentik/helm
- https://github.com/bjw-s/helm-charts/tree/main/charts/other/app-template
- https://github.com/alexlebens/helm-charts/charts/postgres-cluster
dependencies:
- name: authentik
version: 2024.4.2
repository: https://charts.goauthentik.io/
- name: app-template
alias: cloudflared
repository: https://bjw-s.github.io/helm-charts/
version: 3.1.0
- name: postgres-cluster
alias: postgres-16-cluster
version: 3.0.0
repository: http://alexlebens.github.io/helm-charts
appVersion: "2024.4.2"
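Review bot: The `postgres-cluster` dependency is pulled from `http://alexlebens.github.io/helm-charts` over cleartext, while the authentik and bjw-s repositories above use https; the chart index and tarball are then exposed to substitution by anyone on the path, and this is the chart that provisions the database behind the identity provider. GitHub Pages serves the same path over TLS, so `repository: https://alexlebens.github.io/helm-charts` is a drop-in fix. The argo-workflows chart in this commit has the same URL.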


@@ -0,0 +1,60 @@
apiVersion: v1
kind: ConfigMap
metadata:
name: authentik-custom-css
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
data:
custom.css: |
/* Change sign button color */
.pf-c-button.pf-m-primary {
color: black;
background-color: white;
}
/* Remove background */
.pf-c-login__main {
background-color: rgba(3, 3, 3, 0.16);
}
/* Remove specific height */
.pf-c-brand {
height: auto;
}
/* Center text */
.pf-c-title {
text-align: center;
}
/* Match text field to login button */
.pf-c-form-control {
border-radius: 3px;
background-color: white;
color: black;
}
/* Force border color */
.pf-c-form-control {
border-color: white;
}
/* Use default cursor on this div */
.pf-c-form__label {
cursor: default;
}
/* Hide required asterik */
.pf-c-form__label-required {
display: none;
}
/* Change link color to white */
.a {
color: white;
}
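Review bot: The last rule, `.a { color: white; }`, is a class selector and will only match elements with `class="a"`, so it does not do what the comment above it ("Change link color to white") says; anchors need the element selector `a { color: white; }`. The comment "Hide required asterik" also has a typo and should read "asterisk". Neither is a security issue, but since this CSS is injected into the Authentik login page it is worth getting right before it ships.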


@@ -0,0 +1,80 @@
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: authentik-key-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: authentik-key-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: key
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /authentik/key
metadataPolicy: None
property: key
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: authentik-cloudflared-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: authentik-cloudflared-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: web
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: cf-tunnel-token
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /cloudflare/tunnels/authentik
metadataPolicy: None
property: token
---
apiVersion: external-secrets.io/v1beta1
kind: ExternalSecret
metadata:
name: authentik-postgresql-16-cluster-backup-secret
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: authentik-postgresql-16-cluster-backup-secret
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: database
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
secretStoreRef:
kind: ClusterSecretStore
name: vault
data:
- secretKey: ACCESS_KEY_ID
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /aws/keys/cl01tl-authentik-postgresql
metadataPolicy: None
property: access_key
- secretKey: ACCESS_SECRET_KEY
remoteRef:
conversionStrategy: Default
decodingStrategy: None
key: /aws/keys/cl01tl-authentik-postgresql
metadataPolicy: None
property: secret_key


@@ -0,0 +1,118 @@
authentik:
global:
env:
- name: AUTHENTIK_SECRET_KEY
valueFrom:
secretKeyRef:
name: authentik-key-secret
key: key
- name: AUTHENTIK_POSTGRESQL__HOST
valueFrom:
secretKeyRef:
name: authentik-postgresql-16-cluster-app
key: host
- name: AUTHENTIK_POSTGRESQL__NAME
valueFrom:
secretKeyRef:
name: authentik-postgresql-16-cluster-app
key: dbname
- name: AUTHENTIK_POSTGRESQL__USER
valueFrom:
secretKeyRef:
name: authentik-postgresql-16-cluster-app
key: user
- name: AUTHENTIK_POSTGRESQL__PASSWORD
valueFrom:
secretKeyRef:
name: authentik-postgresql-16-cluster-app
key: password
server:
name: server
replicas: 1
volumes:
- name: custom-css
configMap:
name: authentik-custom-css
volumeMounts:
- name: custom-css
mountPath: /web/dist/custom.css
subPath: custom.css
metrics:
enabled: true
serviceMonitor:
enabled: true
ingress:
enabled: true
annotations:
traefik.ingress.kubernetes.io/router.entrypoints: websecure
traefik.ingress.kubernetes.io/router.tls: "true"
cert-manager.io/cluster-issuer: letsencrypt-issuer
ingressClassName: traefik
hosts:
- auth.alexlebens.net
- authentik.alexlebens.net
tls:
- secretName: authentik-secret-tls
hosts:
- auth.alexlebens.net
- authentik.alexlebens.net
worker:
name: worker
replicas: 1
prometheus:
rules:
enabled: true
postgresql:
enabled: false
redis:
enabled: true
cloudflared:
global:
nameOverride: cloudflared
controllers:
main:
type: deployment
strategy: Recreate
containers:
main:
image:
repository: cloudflare/cloudflared
tag: "2024.5.0"
pullPolicy: IfNotPresent
args:
- tunnel
- --no-autoupdate
- run
- --token
- $(CF_MANAGED_TUNNEL_TOKEN)
env:
- name: CF_MANAGED_TUNNEL_TOKEN
valueFrom:
secretKeyRef:
name: authentik-cloudflared-secret
key: cf-tunnel-token
resources:
limits:
cpu: 100m
memory: 128Mi
requests:
cpu: 10m
memory: 64Mi
postgres-16-cluster:
mode: standalone
cluster:
walStorage:
storageClass: local-path
storage:
storageClass: local-path
monitoring:
enabled: true
prometheusRule:
enabled: false
backup:
enabled: true
endpointURL: https://s3.us-east-2.amazonaws.com
destinationPath: s3://cl01tl-postgresql-backups/authentik
endpointCredentials: authentik-postgresql-16-cluster-backup-secret
backupIndex: 1
retentionPolicy: 14d
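Review bot: The Cloudflare tunnel token is passed on the command line as `--token $(CF_MANAGED_TUNNEL_TOKEN)`, so after the kubelet expands the variable the secret sits in the container's argv, readable from `/proc/<pid>/cmdline` by any process in the pod and by anyone with node access, and liable to appear in crash dumps and process-listing tooling. cloudflared reads the same value from the `TUNNEL_TOKEN` environment variable, so the token can stay out of argv: trim `args` to `[tunnel, --no-autoupdate, run]` and rename the env entry to `- name: TUNNEL_TOKEN` (keeping its `secretKeyRef`). This matters more than usual because the tunnel terminates the public path to the identity provider. Unrelated but worth a comment: `server.replicas: 1` and `worker.replicas: 1` mean a single pod restart logs every SSO-backed app in this commit out.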


@@ -0,0 +1,11 @@
apiVersion: v2
name: external-secrets
version: 0.0.1
sources:
- https://github.com/external-secrets/external-secrets
- https://github.com/external-secrets/external-secrets/tree/main/deploy/charts/external-secrets
dependencies:
- name: external-secrets
version: 0.9.18
repository: https://charts.external-secrets.io
appVersion: 0.9.13


@@ -0,0 +1,21 @@
apiVersion: external-secrets.io/v1beta1
kind: ClusterSecretStore
metadata:
name: vault
namespace: {{ .Release.Namespace }}
labels:
app.kubernetes.io/name: {{ .Release.Name }}
app.kubernetes.io/instance: {{ .Release.Name }}
app.kubernetes.io/version: {{ .Chart.AppVersion }}
app.kubernetes.io/component: auth
app.kubernetes.io/part-of: {{ .Release.Name }}
spec:
provider:
vault:
server: http://vault-internal.vault:8200
path: secret
auth:
tokenSecretRef:
namespace: vault
name: vault-token
key: token
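Review bot: The store talks to Vault over `http://vault-internal.vault:8200` and authenticates with a static token from the `vault-token` Secret, so every value this commit pulls from Vault (the Authentik secret key, OIDC client secrets, AWS backup keys, the Argo CD repo SSH key and cluster credentials) crosses the pod network in cleartext and hinges on one long-lived token sitting in a Kubernetes Secret. Vault's Kubernetes auth method removes the static token — `auth: {kubernetes: {mountPath: kubernetes, role: <role>, serviceAccountRef: {name: <sa>, namespace: <ns>}}}` — and lets a Vault policy scope the store to just the `/authentik`, `/argocd`, `/aws` and `/cloudflare` paths read here; if the Vault listener has TLS, switch to `https://` and add `caProvider`. Also, ClusterSecretStore is cluster-scoped, so `namespace: {{ .Release.Namespace }}` in its metadata is at best ignored and will show up as a persistent diff in Argo CD; drop it.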
